From fcb220fc73867a375a778b1dc70df43c764ca7d1 Mon Sep 17 00:00:00 2001
From: Panos Koutsovasilis
Date: Thu, 15 Feb 2024 13:26:41 +0200
Subject: [PATCH 01/22] feat: remove deprecated sophos utm

---
filebeat/docs/fields.asciidoc | 5427 -----------------
filebeat/docs/modules/sophos.asciidoc | 48 -
x-pack/filebeat/filebeat.reference.yml | 19 -
.../filebeat/module/sophos/_meta/config.yml | 19 -
.../module/sophos/_meta/docs.asciidoc | 48 -
x-pack/filebeat/module/sophos/fields.go | 2 +-
.../module/sophos/utm/_meta/fields.yml | 2635 --------
.../module/sophos/utm/config/input.yml | 87 -
.../module/sophos/utm/config/liblogparser.js | 2514 --------
.../module/sophos/utm/config/pipeline.js | 2478 --------
.../module/sophos/utm/ingest/pipeline.yml | 88 -
.../filebeat/module/sophos/utm/manifest.yml | 31 -
.../module/sophos/utm/test/generated.log | 100 -
.../utm/test/generated.log-expected.json | 3704 -----------
x-pack/filebeat/modules.d/sophos.yml.disabled | 19 -
15 files changed, 1 insertion(+), 17218 deletions(-)
delete mode 100644 x-pack/filebeat/module/sophos/utm/_meta/fields.yml
delete mode 100644 x-pack/filebeat/module/sophos/utm/config/input.yml
delete mode 100644 x-pack/filebeat/module/sophos/utm/config/liblogparser.js
delete mode 100644 x-pack/filebeat/module/sophos/utm/config/pipeline.js
delete mode 100644 x-pack/filebeat/module/sophos/utm/ingest/pipeline.yml
delete mode 100644 x-pack/filebeat/module/sophos/utm/manifest.yml
delete mode 100644 x-pack/filebeat/module/sophos/utm/test/generated.log
delete mode 100644 x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json

diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index ddc887d246f..163c8e0373c 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -137152,5433 +137152,6 @@ sophos Module -*`network.interface.name`*:: -+ --- -Name of the network interface where the traffic has been observed. - - -type: keyword - --- - - - -*`rsa.internal.msg`*:: -+ --- -This key is used to capture the raw message that comes into the Log Decoder - -type: keyword - --- - -*`rsa.internal.messageid`*:: -+ --- -type: keyword - --- - -*`rsa.internal.event_desc`*:: -+ --- -type: keyword - --- - -*`rsa.internal.message`*:: -+ --- -This key captures the contents of instant messages - -type: keyword - --- - -*`rsa.internal.time`*:: -+ --- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: date - --- - -*`rsa.internal.level`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.msg_id`*:: -+ --- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.msg_vid`*:: -+ --- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.data`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_server`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_val`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.resource`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_id`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.internal.statement`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.audit_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.entry`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.hcode`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.inode`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.resource_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.dead`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.feed_desc`*:: -+ --- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.feed_name`*:: -+ --- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.cid`*:: -+ --- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_class`*:: -+ --- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_group`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_host`*:: -+ --- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_ip`*:: -+ --- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_ipv6`*:: -+ --- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_type`*:: -+ --- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_type_id`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.did`*:: -+ --- -This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.entropy_req`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.entropy_res`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.event_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.feed_category`*:: -+ --- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.forward_ip`*:: -+ --- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: ip - --- - -*`rsa.internal.forward_ipv6`*:: -+ --- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.header_id`*:: -+ --- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_cid`*:: -+ --- -This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_ctime`*:: -+ --- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: date - --- - -*`rsa.internal.mcb_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcb_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcbc_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.mcbc_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.medium`*:: -+ --- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: long - --- - -*`rsa.internal.node_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.nwe_callback_id`*:: -+ --- -This key denotes that event is endpoint related - -type: keyword - --- - -*`rsa.internal.parse_error`*:: -+ --- -This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.payload_req`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.payload_res`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.process_vid_dst`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - -type: keyword - --- - -*`rsa.internal.process_vid_src`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - -type: keyword - --- - -*`rsa.internal.rid`*:: -+ --- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.session_split`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.site`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.size`*:: -+ --- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.sourcefile`*:: -+ --- -This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.ubc_req`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.ubc_res`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.word`*:: -+ --- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - -type: keyword - --- - - -*`rsa.time.event_time`*:: -+ --- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - -type: date - --- - -*`rsa.time.duration_time`*:: -+ --- -This key is used to capture the normalized duration/lifetime in seconds. 
- -type: double - --- - -*`rsa.time.event_time_str`*:: -+ --- -This key is used to capture the incomplete time mentioned in a session as a string - -type: keyword - --- - -*`rsa.time.starttime`*:: -+ --- -This key is used to capture the Start time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.month`*:: -+ --- -type: keyword - --- - -*`rsa.time.day`*:: -+ --- -type: keyword - --- - -*`rsa.time.endtime`*:: -+ --- -This key is used to capture the End time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.timezone`*:: -+ --- -This key is used to capture the timezone of the Event Time - -type: keyword - --- - -*`rsa.time.duration_str`*:: -+ --- -A text string version of the duration - -type: keyword - --- - -*`rsa.time.date`*:: -+ --- -type: keyword - --- - -*`rsa.time.year`*:: -+ --- -type: keyword - --- - -*`rsa.time.recorded_time`*:: -+ --- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date - --- - -*`rsa.time.datetime`*:: -+ --- -type: keyword - --- - -*`rsa.time.effective_time`*:: -+ --- -This key is the effective time referenced by an individual event in a Standard Timestamp format - -type: date - --- - -*`rsa.time.expire_time`*:: -+ --- -This key is the timestamp that explicitly refers to an expiration. - -type: date - --- - -*`rsa.time.process_time`*:: -+ --- -Deprecated, use duration.time - -type: keyword - --- - -*`rsa.time.hour`*:: -+ --- -type: keyword - --- - -*`rsa.time.min`*:: -+ --- -type: keyword - --- - -*`rsa.time.timestamp`*:: -+ --- -type: keyword - --- - -*`rsa.time.event_queue_time`*:: -+ --- -This key is the Time that the event was queued. 
- -type: date - --- - -*`rsa.time.p_time1`*:: -+ --- -type: keyword - --- - -*`rsa.time.tzone`*:: -+ --- -type: keyword - --- - -*`rsa.time.eventtime`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmtdate`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmttime`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_date`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_month`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time2`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_year`*:: -+ --- -type: keyword - --- - -*`rsa.time.expire_time_str`*:: -+ --- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. - -type: keyword - --- - -*`rsa.time.stamp`*:: -+ --- -Deprecated key defined only in table map. - -type: date - --- - - -*`rsa.misc.action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.result`*:: -+ --- -This key is used to capture the outcome/result string value of an action in a session. - -type: keyword - --- - -*`rsa.misc.severity`*:: -+ --- -This key is used to capture the severity given the session - -type: keyword - --- - -*`rsa.misc.event_type`*:: -+ --- -This key captures the event category type as specified by the event source. - -type: keyword - --- - -*`rsa.misc.reference_id`*:: -+ --- -This key is used to capture an event id from the session directly - -type: keyword - --- - -*`rsa.misc.version`*:: -+ --- -This key captures Version of the application or OS which is generating the event. - -type: keyword - --- - -*`rsa.misc.disposition`*:: -+ --- -This key captures the The end state of an action. 
- -type: keyword - --- - -*`rsa.misc.result_code`*:: -+ --- -This key is used to capture the outcome/result numeric value of an action in a session - -type: keyword - --- - -*`rsa.misc.category`*:: -+ --- -This key is used to capture the category of an event given by the vendor in the session - -type: keyword - --- - -*`rsa.misc.obj_name`*:: -+ --- -This is used to capture name of object - -type: keyword - --- - -*`rsa.misc.obj_type`*:: -+ --- -This is used to capture type of object - -type: keyword - --- - -*`rsa.misc.event_source`*:: -+ --- -This key captures Source of the event that’s not a hostname - -type: keyword - --- - -*`rsa.misc.log_session_id`*:: -+ --- -This key is used to capture a sessionid from the session directly - -type: keyword - --- - -*`rsa.misc.group`*:: -+ --- -This key captures the Group Name value - -type: keyword - --- - -*`rsa.misc.policy_name`*:: -+ --- -This key is used to capture the Policy Name only. - -type: keyword - --- - -*`rsa.misc.rule_name`*:: -+ --- -This key captures the Rule Name - -type: keyword - --- - -*`rsa.misc.context`*:: -+ --- -This key captures Information which adds additional context to the event. - -type: keyword - --- - -*`rsa.misc.change_new`*:: -+ --- -This key is used to capture the new values of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.space`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client`*:: -+ --- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- -type: keyword - --- - -*`rsa.misc.msgIdPart1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.change_old`*:: -+ --- -This key is used to capture the old value of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.operation_id`*:: -+ --- -An alert number or operation number. The values should be unique and non-repeating. - -type: keyword - --- - -*`rsa.misc.event_state`*:: -+ --- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - -type: keyword - --- - -*`rsa.misc.group_object`*:: -+ --- -This key captures a collection/grouping of entities. Specific usage - -type: keyword - --- - -*`rsa.misc.node`*:: -+ --- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - -type: keyword - --- - -*`rsa.misc.rule`*:: -+ --- -This key captures the Rule number - -type: keyword - --- - -*`rsa.misc.device_name`*:: -+ --- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - -type: keyword - --- - -*`rsa.misc.param`*:: -+ --- -This key is the parameters passed as part of a command or application, etc. - -type: keyword - --- - -*`rsa.misc.change_attrib`*:: -+ --- -This key is used to capture the name of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.event_computer`*:: -+ --- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- -type: keyword - --- - -*`rsa.misc.reference_id1`*:: -+ --- -This key is for Linked ID to be used as an addition to "reference.id" - -type: keyword - --- - -*`rsa.misc.event_log`*:: -+ --- -This key captures the Name of the event log - -type: keyword - --- - -*`rsa.misc.OS`*:: -+ --- -This key captures the Name of the Operating System - -type: keyword - --- - -*`rsa.misc.terminal`*:: -+ --- -This key captures the Terminal Names only - -type: keyword - --- - -*`rsa.misc.msgIdPart3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.filter`*:: -+ --- -This key captures Filter used to reduce result set - -type: keyword - --- - -*`rsa.misc.serial_number`*:: -+ --- -This key is the Serial number associated with a physical asset. - -type: keyword - --- - -*`rsa.misc.checksum`*:: -+ --- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - -type: keyword - --- - -*`rsa.misc.event_user`*:: -+ --- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - -type: keyword - --- - -*`rsa.misc.virusname`*:: -+ --- -This key captures the name of the virus - -type: keyword - --- - -*`rsa.misc.content_type`*:: -+ --- -This key is used to capture Content Type only. - -type: keyword - --- - -*`rsa.misc.group_id`*:: -+ --- -This key captures Group ID Number (related to the group name) - -type: keyword - --- - -*`rsa.misc.policy_id`*:: -+ --- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - -type: keyword - --- - -*`rsa.misc.vsys`*:: -+ --- -This key captures Virtual System Name - -type: keyword - --- - -*`rsa.misc.connection_id`*:: -+ --- -This key captures the Connection ID - -type: keyword - --- - -*`rsa.misc.reference_id2`*:: -+ --- -This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - -type: keyword - --- - -*`rsa.misc.sensor`*:: -+ --- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - -type: keyword - --- - -*`rsa.misc.sig_id`*:: -+ --- -This key captures IDS/IPS Int Signature ID - -type: long - --- - -*`rsa.misc.port_name`*:: -+ --- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - -type: keyword - --- - -*`rsa.misc.rule_group`*:: -+ --- -This key captures the Rule group name - -type: keyword - --- - -*`rsa.misc.risk_num`*:: -+ --- -This key captures a Numeric Risk value - -type: double - --- - -*`rsa.misc.trigger_val`*:: -+ --- -This key captures the Value of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.log_session_id1`*:: -+ --- -This key is used to capture a Linked (Related) Session ID from the session directly - -type: keyword - --- - -*`rsa.misc.comp_version`*:: -+ --- -This key captures the Version level of a sub-component of a product. - -type: keyword - --- - -*`rsa.misc.content_version`*:: -+ --- -This key captures Version level of a signature or database content. - -type: keyword - --- - -*`rsa.misc.hardware_id`*:: -+ --- -This key is used to capture unique identifier for a device or system (NOT a Mac address) - -type: keyword - --- - -*`rsa.misc.risk`*:: -+ --- -This key captures the non-numeric risk value - -type: keyword - --- - -*`rsa.misc.event_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.reason`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mail_id`*:: -+ --- -This key is used to capture the mailbox id/name - -type: keyword - --- - -*`rsa.misc.rule_uid`*:: -+ --- -This key is the Unique Identifier for a rule. 
- -type: keyword - --- - -*`rsa.misc.trigger_desc`*:: -+ --- -This key captures the Description of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.inout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.data_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.error`*:: -+ --- -This key captures All non successful Error codes or responses - -type: keyword - --- - -*`rsa.misc.index`*:: -+ --- -type: keyword - --- - -*`rsa.misc.listnum`*:: -+ --- -This key is used to capture listname or listnumber, primarily for collecting access-list - -type: keyword - --- - -*`rsa.misc.ntype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.observed_val`*:: -+ --- -This key captures the Value observed (from the perspective of the device generating the log). - -type: keyword - --- - -*`rsa.misc.policy_value`*:: -+ --- -This key captures the contents of the policy. This contains details about the policy - -type: keyword - --- - -*`rsa.misc.pool_name`*:: -+ --- -This key captures the name of a resource pool - -type: keyword - --- - -*`rsa.misc.rule_template`*:: -+ --- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - -type: keyword - --- - -*`rsa.misc.count`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigcat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comments`*:: -+ --- -Comment information provided in the log message - -type: keyword - --- - -*`rsa.misc.doc_number`*:: -+ --- -This key captures File Identification number - -type: long - --- - -*`rsa.misc.expected_val`*:: -+ --- -This key captures the Value expected (from the perspective of the device generating the log). 
- -type: keyword - --- - -*`rsa.misc.job_num`*:: -+ --- -This key captures the Job Number - -type: keyword - --- - -*`rsa.misc.spi_dst`*:: -+ --- -Destination SPI Index - -type: keyword - --- - -*`rsa.misc.spi_src`*:: -+ --- -Source SPI Index - -type: keyword - --- - -*`rsa.misc.code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.agent_id`*:: -+ --- -This key is used to capture agent id - -type: keyword - --- - -*`rsa.misc.message_body`*:: -+ --- -This key captures the The contents of the message body. - -type: keyword - --- - -*`rsa.misc.phone`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sig_id_str`*:: -+ --- -This key captures a string object of the sigid variable. - -type: keyword - --- - -*`rsa.misc.cmd`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu`*:: -+ --- -This key is the CPU time used in the execution of the event being recorded. - -type: long - --- - -*`rsa.misc.event_desc`*:: -+ --- -This key is used to capture a description of an event available directly or inferred - -type: keyword - --- - -*`rsa.misc.sig_id1`*:: -+ --- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - -type: long - --- - -*`rsa.misc.im_buddyid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_client`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.priority`*:: -+ --- -type: keyword - --- - -*`rsa.misc.context_subject`*:: -+ --- -This key is to be used in an audit context where the subject is the object being identified - -type: keyword - --- - -*`rsa.misc.context_target`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cve`*:: -+ --- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - -type: keyword - --- - -*`rsa.misc.fcatnum`*:: -+ --- -This key captures Filter Category Number. 
Legacy Usage - -type: keyword - --- - -*`rsa.misc.library`*:: -+ --- -This key is used to capture library information in mainframe devices - -type: keyword - --- - -*`rsa.misc.parent_node`*:: -+ --- -This key captures the Parent Node Name. Must be related to node variable. - -type: keyword - --- - -*`rsa.misc.risk_info`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.tcp_flags`*:: -+ --- -This key is captures the TCP flags set in any packet of session - -type: long - --- - -*`rsa.misc.tos`*:: -+ --- -This key describes the type of service - -type: long - --- - -*`rsa.misc.vm_target`*:: -+ --- -VMWare Target **VMWARE** only varaible. - -type: keyword - --- - -*`rsa.misc.workspace`*:: -+ --- -This key captures Workspace Description - -type: keyword - --- - -*`rsa.misc.command`*:: -+ --- -type: keyword - --- - -*`rsa.misc.event_category`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facilityname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.forensic_info`*:: -+ --- -type: keyword - --- - -*`rsa.misc.jobname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy_waiver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.second`*:: -+ --- -type: keyword - --- - -*`rsa.misc.space1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.subcategory`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alert_id`*:: -+ --- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.checksum_dst`*:: -+ --- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - -type: keyword - --- - -*`rsa.misc.checksum_src`*:: -+ --- -This key is used to capture the checksum or hash of the source entity such as a file or process. 
- -type: keyword - --- - -*`rsa.misc.fresult`*:: -+ --- -This key captures the Filter Result - -type: long - --- - -*`rsa.misc.payload_dst`*:: -+ --- -This key is used to capture destination payload - -type: keyword - --- - -*`rsa.misc.payload_src`*:: -+ --- -This key is used to capture source payload - -type: keyword - --- - -*`rsa.misc.pool_id`*:: -+ --- -This key captures the identifier (typically numeric field) of a resource pool - -type: keyword - --- - -*`rsa.misc.process_id_val`*:: -+ --- -This key is a failure key for Process ID when it is not an integer value - -type: keyword - --- - -*`rsa.misc.risk_num_comm`*:: -+ --- -This key captures Risk Number Community - -type: double - --- - -*`rsa.misc.risk_num_next`*:: -+ --- -This key captures Risk Number NextGen - -type: double - --- - -*`rsa.misc.risk_num_sand`*:: -+ --- -This key captures Risk Number SandBox - -type: double - --- - -*`rsa.misc.risk_num_static`*:: -+ --- -This key captures Risk Number Static - -type: double - --- - -*`rsa.misc.risk_suspicious`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.risk_warning`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.snmp_oid`*:: -+ --- -SNMP Object Identifier - -type: keyword - --- - -*`rsa.misc.sql`*:: -+ --- -This key captures the SQL query - -type: keyword - --- - -*`rsa.misc.vuln_ref`*:: -+ --- -This key captures the Vulnerability Reference details - -type: keyword - --- - -*`rsa.misc.acl_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_op`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_pos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_table`*:: -+ --- -type: keyword - --- - -*`rsa.misc.admin`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarm_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarmname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.app_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.audit`*:: 
-+ --- -type: keyword - --- - -*`rsa.misc.audit_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.auditdata`*:: -+ --- -type: keyword - --- - -*`rsa.misc.benchmark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.bypass`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache_hit`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cefversion`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_attr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_obj`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_path`*:: -+ --- -type: keyword - --- - -*`rsa.misc.changes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client_ip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.clustermembers`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_acttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_asn_src`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_bgpv4nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ctr_dst_code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_f_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampintv`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampmode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inacttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermbyts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermpckts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_invalid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ip_proto_ver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ipv4_ident`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_l_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_did`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_rid`*:: -+ --- -type: keyword - 
--- - -*`rsa.misc.cn_max_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_maxpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_min_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_minpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_10`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_5`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_6`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_7`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_8`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_9`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_byt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_pks`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_muligmptype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampalgo`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampint`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_seqctr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_spackets`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sysuptime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_template_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totbytsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totflowexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totpcktsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_unixnanosecs`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6flowlabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6optheaders`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.comp_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_rbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_sbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.criticality`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_agency_dst`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_analyzedby`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_other`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_primary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_secondary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bgpv6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bit9status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_context`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_control`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_datecret`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_dst_tld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_dst_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_src_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_event_uuid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_filetype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_desc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ip_next_hop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4dstpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4srcpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_lifetime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_log_medium`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_loginname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulescore`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulesign`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_opswatresult`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.cs_payload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrant`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrar`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_represult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_rpayload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sampler_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sourcemodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_streams`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_targetmodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_v6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_whois_server`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_yararesult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.description`*:: -+ --- -type: keyword - --- - -*`rsa.misc.devvendor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.distance`*:: -+ --- -type: keyword - --- - -*`rsa.misc.dstburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomaub`*:: -+ --- -type: keyword - --- - -*`rsa.misc.euid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facility`*:: -+ --- -type: keyword - --- - -*`rsa.misc.finterface`*:: -+ --- -type: keyword - --- - -*`rsa.misc.flags`*:: -+ --- -type: keyword - --- - -*`rsa.misc.gaddr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.id3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_buddyname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomtype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_members`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_username`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipscat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipspri`*:: -+ --- -type: keyword - --- - -*`rsa.misc.latitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.linenum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.list_name`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.load_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_floor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_mark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.longitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.lport`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mbug_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msg_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.netsessid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.nwwn`*:: -+ --- -type: keyword - --- - -*`rsa.misc.object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.operation`*:: -+ --- -type: keyword - --- - -*`rsa.misc.opkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.orig_from`*:: -+ --- -type: keyword - --- - -*`rsa.misc.owner_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_filter`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_group_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_result1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_chg`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_expire`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permgranted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permwanted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pgid`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.policyUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.prog_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.program`*:: -+ --- -type: keyword - --- - -*`rsa.misc.real_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_device`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_library`*:: -+ --- -type: keyword - --- - -*`rsa.misc.recordnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ruid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sdomain_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sec`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sensorname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.seqnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.session`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sessiontype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.spi`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcservice`*:: -+ --- -type: keyword - --- - -*`rsa.misc.state`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.svcno`*:: -+ --- -type: keyword - --- - -*`rsa.misc.system`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.threshold`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.udb_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.url_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.user_div`*:: -+ --- -type: keyword - --- - -*`rsa.misc.userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.username_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.utcstamp`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.v_instafname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.virt_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.vpnid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.autorun_type`*:: -+ --- -This is used to capture Auto Run type - -type: keyword - --- - -*`rsa.misc.cc_number`*:: -+ --- -Valid Credit Card Numbers only - -type: long - --- - -*`rsa.misc.content`*:: -+ --- -This key captures the content type from protocol headers - -type: keyword - --- - -*`rsa.misc.ein_number`*:: -+ --- -Employee Identification Numbers only - -type: long - --- - -*`rsa.misc.found`*:: -+ --- -This is used to capture the results of regex match - -type: keyword - --- - -*`rsa.misc.language`*:: -+ --- -This is used to capture list of languages the client support and what it prefers - -type: keyword - --- - -*`rsa.misc.lifetime`*:: -+ --- -This key is used to capture the session lifetime in seconds. - -type: long - --- - -*`rsa.misc.link`*:: -+ --- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.misc.match`*:: -+ --- -This key is for regex match name from search.ini - -type: keyword - --- - -*`rsa.misc.param_dst`*:: -+ --- -This key captures the command line/launch argument of the target process or file - -type: keyword - --- - -*`rsa.misc.param_src`*:: -+ --- -This key captures source parameter - -type: keyword - --- - -*`rsa.misc.search_text`*:: -+ --- -This key captures the Search Text used - -type: keyword - --- - -*`rsa.misc.sig_name`*:: -+ --- -This key is used to capture the Signature Name only. - -type: keyword - --- - -*`rsa.misc.snmp_value`*:: -+ --- -SNMP set request value - -type: keyword - --- - -*`rsa.misc.streams`*:: -+ --- -This key captures number of streams in session - -type: long - --- - - -*`rsa.db.index`*:: -+ --- -This key captures IndexID of the index. 
- -type: keyword - --- - -*`rsa.db.instance`*:: -+ --- -This key is used to capture the database server instance name - -type: keyword - --- - -*`rsa.db.database`*:: -+ --- -This key is used to capture the name of a database or an instance as seen in a session - -type: keyword - --- - -*`rsa.db.transact_id`*:: -+ --- -This key captures the SQL transantion ID of the current session - -type: keyword - --- - -*`rsa.db.permissions`*:: -+ --- -This key captures permission or privilege level assigned to a resource. - -type: keyword - --- - -*`rsa.db.table_name`*:: -+ --- -This key is used to capture the table name - -type: keyword - --- - -*`rsa.db.db_id`*:: -+ --- -This key is used to capture the unique identifier for a database - -type: keyword - --- - -*`rsa.db.db_pid`*:: -+ --- -This key captures the process id of a connection with database server - -type: long - --- - -*`rsa.db.lread`*:: -+ --- -This key is used for the number of logical reads - -type: long - --- - -*`rsa.db.lwrite`*:: -+ --- -This key is used for the number of logical writes - -type: long - --- - -*`rsa.db.pread`*:: -+ --- -This key is used for the number of physical writes - -type: long - --- - - -*`rsa.network.alias_host`*:: -+ --- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - -type: keyword - --- - -*`rsa.network.domain`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_dst`*:: -+ --- -This key should only be used when it’s a Destination Hostname - -type: keyword - --- - -*`rsa.network.network_service`*:: -+ --- -This is used to capture layer 7 protocols/service names - -type: keyword - --- - -*`rsa.network.interface`*:: -+ --- -This key should be used when the source or destination context of an interface is not clear - -type: keyword - --- - -*`rsa.network.network_port`*:: -+ --- -Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) - -type: long - --- - -*`rsa.network.eth_host`*:: -+ --- -Deprecated, use alias.mac - -type: keyword - --- - -*`rsa.network.sinterface`*:: -+ --- -This key should only be used when it’s a Source Interface - -type: keyword - --- - -*`rsa.network.dinterface`*:: -+ --- -This key should only be used when it’s a Destination Interface - -type: keyword - --- - -*`rsa.network.vlan`*:: -+ --- -This key should only be used to capture the ID of the Virtual LAN - -type: long - --- - -*`rsa.network.zone_src`*:: -+ --- -This key should only be used when it’s a Source Zone. - -type: keyword - --- - -*`rsa.network.zone`*:: -+ --- -This key should be used when the source or destination context of a Zone is not clear - -type: keyword - --- - -*`rsa.network.zone_dst`*:: -+ --- -This key should only be used when it’s a Destination Zone. - -type: keyword - --- - -*`rsa.network.gateway`*:: -+ --- -This key is used to capture the IP Address of the gateway - -type: keyword - --- - -*`rsa.network.icmp_type`*:: -+ --- -This key is used to capture the ICMP type only - -type: long - --- - -*`rsa.network.mask`*:: -+ --- -This key is used to capture the device network IPmask. 
- -type: keyword - --- - -*`rsa.network.icmp_code`*:: -+ --- -This key is used to capture the ICMP code only - -type: long - --- - -*`rsa.network.protocol_detail`*:: -+ --- -This key should be used to capture additional protocol information - -type: keyword - --- - -*`rsa.network.dmask`*:: -+ --- -This key is used for Destionation Device network mask - -type: keyword - --- - -*`rsa.network.port`*:: -+ --- -This key should only be used to capture a Network Port when the directionality is not clear - -type: long - --- - -*`rsa.network.smask`*:: -+ --- -This key is used for capturing source Network Mask - -type: keyword - --- - -*`rsa.network.netname`*:: -+ --- -This key is used to capture the network name associated with an IP range. This is configured by the end user. - -type: keyword - --- - -*`rsa.network.paddr`*:: -+ --- -Deprecated - -type: ip - --- - -*`rsa.network.faddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.lhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.origin`*:: -+ --- -type: keyword - --- - -*`rsa.network.remote_domain_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.addr`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_a_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_ptr_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.fhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.fport`*:: -+ --- -type: keyword - --- - -*`rsa.network.laddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.linterface`*:: -+ --- -type: keyword - --- - -*`rsa.network.phost`*:: -+ --- -type: keyword - --- - -*`rsa.network.ad_computer_dst`*:: -+ --- -Deprecated, use host.dst - -type: keyword - --- - -*`rsa.network.eth_type`*:: -+ --- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: long - --- - -*`rsa.network.ip_proto`*:: -+ --- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - -type: long - --- - -*`rsa.network.dns_cname_record`*:: -+ --- 
-type: keyword - --- - -*`rsa.network.dns_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_opcode`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_resp`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.domain1`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.packet_length`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_orig`*:: -+ --- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - -type: keyword - --- - -*`rsa.network.rpayload`*:: -+ --- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. - -type: keyword - --- - -*`rsa.network.vlan_name`*:: -+ --- -This key should only be used to capture the name of the Virtual LAN - -type: keyword - --- - - -*`rsa.investigations.ec_activity`*:: -+ --- -This key captures the particular event activity(Ex:Logoff) - -type: keyword - --- - -*`rsa.investigations.ec_theme`*:: -+ --- -This key captures the Theme of a particular Event(Ex:Authentication) - -type: keyword - --- - -*`rsa.investigations.ec_subject`*:: -+ --- -This key captures the Subject of a particular Event(Ex:User) - -type: keyword - --- - -*`rsa.investigations.ec_outcome`*:: -+ --- -This key captures the outcome of a particular Event(Ex:Success) - -type: keyword - --- - -*`rsa.investigations.event_cat`*:: -+ --- -This key captures the Event category number - -type: long - --- - -*`rsa.investigations.event_cat_name`*:: -+ --- -This key captures the event category name corresponding to the event cat code - -type: keyword - --- - -*`rsa.investigations.event_vcat`*:: -+ --- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - -type: keyword - --- - -*`rsa.investigations.analysis_file`*:: -+ --- -This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - -type: keyword - --- - -*`rsa.investigations.analysis_service`*:: -+ --- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - -type: keyword - --- - -*`rsa.investigations.analysis_session`*:: -+ --- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - -type: keyword - --- - -*`rsa.investigations.boc`*:: -+ --- -This is used to capture behaviour of compromise - -type: keyword - --- - -*`rsa.investigations.eoc`*:: -+ --- -This is used to capture Enablers of Compromise - -type: keyword - --- - -*`rsa.investigations.inv_category`*:: -+ --- -This used to capture investigation category - -type: keyword - --- - -*`rsa.investigations.inv_context`*:: -+ --- -This used to capture investigation context - -type: keyword - --- - -*`rsa.investigations.ioc`*:: -+ --- -This is key capture indicator of compromise - -type: keyword - --- - - -*`rsa.counters.dclass_c1`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c1.str only - -type: long - --- - -*`rsa.counters.dclass_c2`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c2.str only - -type: long - --- - -*`rsa.counters.event_counter`*:: -+ --- -This is used to capture the number of times an event repeated - -type: long - --- - -*`rsa.counters.dclass_r1`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r1.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c3.str only - -type: long - --- - -*`rsa.counters.dclass_c1_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c1 only - -type: keyword - --- - -*`rsa.counters.dclass_c2_str`*:: -+ --- -This is a generic counter string key that should be 
used with the label dclass.c2 only - -type: keyword - --- - -*`rsa.counters.dclass_r1_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r1 only - -type: keyword - --- - -*`rsa.counters.dclass_r2`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r2.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c3 only - -type: keyword - --- - -*`rsa.counters.dclass_r3`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r3.str only - -type: keyword - --- - -*`rsa.counters.dclass_r2_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r2 only - -type: keyword - --- - -*`rsa.counters.dclass_r3_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r3 only - -type: keyword - --- - - -*`rsa.identity.auth_method`*:: -+ --- -This key is used to capture authentication methods used only - -type: keyword - --- - -*`rsa.identity.user_role`*:: -+ --- -This key is used to capture the Role of a user only - -type: keyword - --- - -*`rsa.identity.dn`*:: -+ --- -X.500 (LDAP) Distinguished Name - -type: keyword - --- - -*`rsa.identity.logon_type`*:: -+ --- -This key is used to capture the type of logon method used. 
- -type: keyword - --- - -*`rsa.identity.profile`*:: -+ --- -This key is used to capture the user profile - -type: keyword - --- - -*`rsa.identity.accesses`*:: -+ --- -This key is used to capture actual privileges used in accessing an object - -type: keyword - --- - -*`rsa.identity.realm`*:: -+ --- -Radius realm or similar grouping of accounts - -type: keyword - --- - -*`rsa.identity.user_sid_dst`*:: -+ --- -This key captures Destination User Session ID - -type: keyword - --- - -*`rsa.identity.dn_src`*:: -+ --- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - -type: keyword - --- - -*`rsa.identity.org`*:: -+ --- -This key captures the User organization - -type: keyword - --- - -*`rsa.identity.dn_dst`*:: -+ --- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - -type: keyword - --- - -*`rsa.identity.firstname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.lastname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.user_dept`*:: -+ --- -User's Department Names only - -type: keyword - --- - -*`rsa.identity.user_sid_src`*:: -+ --- -This key captures Source User Session ID - -type: keyword - --- - -*`rsa.identity.federated_sp`*:: -+ --- -This key is the Federated Service Provider. This is the application requesting authentication. - -type: keyword - --- - -*`rsa.identity.federated_idp`*:: -+ --- -This key is the federated Identity Provider. This is the server providing the authentication. - -type: keyword - --- - -*`rsa.identity.logon_type_desc`*:: -+ --- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- -type: keyword - --- - -*`rsa.identity.middlename`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.password`*:: -+ --- -This key is for Passwords seen in any session, plain text or encrypted - -type: keyword - --- - -*`rsa.identity.host_role`*:: -+ --- -This key should only be used to capture the role of a Host Machine - -type: keyword - --- - -*`rsa.identity.ldap`*:: -+ --- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - -type: keyword - --- - -*`rsa.identity.ldap_query`*:: -+ --- -This key is the Search criteria from an LDAP search - -type: keyword - --- - -*`rsa.identity.ldap_response`*:: -+ --- -This key is to capture Results from an LDAP search - -type: keyword - --- - -*`rsa.identity.owner`*:: -+ --- -This is used to capture username the process or service is running as, the author of the task - -type: keyword - --- - -*`rsa.identity.service_account`*:: -+ --- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - -type: keyword - --- - - -*`rsa.email.email_dst`*:: -+ --- -This key is used to capture the Destination email address only, when the destination context is not clear use email - -type: keyword - --- - -*`rsa.email.email_src`*:: -+ --- -This key is used to capture the source email address only, when the source context is not clear use email - -type: keyword - --- - -*`rsa.email.subject`*:: -+ --- -This key is used to capture the subject string from an Email only. - -type: keyword - --- - -*`rsa.email.email`*:: -+ --- -This key is used to capture a generic email address where the source or destination context is not clear - -type: keyword - --- - -*`rsa.email.trans_from`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.email.trans_to`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - - -*`rsa.file.privilege`*:: -+ --- -Deprecated, use permissions - -type: keyword - --- - -*`rsa.file.attachment`*:: -+ --- -This key captures the attachment file name - -type: keyword - --- - -*`rsa.file.filesystem`*:: -+ --- -type: keyword - --- - -*`rsa.file.binary`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.file.filename_dst`*:: -+ --- -This is used to capture name of the file targeted by the action - -type: keyword - --- - -*`rsa.file.filename_src`*:: -+ --- -This is used to capture name of the parent filename, the file which performed the action - -type: keyword - --- - -*`rsa.file.filename_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.file.directory_dst`*:: -+ --- -This key is used to capture the directory of the target process or file - -type: keyword - --- - -*`rsa.file.directory_src`*:: -+ --- -This key is used to capture the directory of the source process or file - -type: keyword - --- - -*`rsa.file.file_entropy`*:: -+ --- -This is used to capture entropy vale of a file - -type: double - --- - -*`rsa.file.file_vendor`*:: -+ --- -This is used to capture Company name of file located in version_info - -type: keyword - --- - -*`rsa.file.task_name`*:: -+ --- -This is used to capture name of the task - -type: keyword - --- - - -*`rsa.web.fqdn`*:: -+ --- -Fully Qualified Domain Names - -type: keyword - --- - -*`rsa.web.web_cookie`*:: -+ --- -This key is used to capture the Web cookies specifically. - -type: keyword - --- - -*`rsa.web.alias_host`*:: -+ --- -type: keyword - --- - -*`rsa.web.reputation_num`*:: -+ --- -Reputation Number of an entity. 
Typically used for Web Domains - -type: double - --- - -*`rsa.web.web_ref_domain`*:: -+ --- -Web referer's domain - -type: keyword - --- - -*`rsa.web.web_ref_query`*:: -+ --- -This key captures Web referer's query portion of the URL - -type: keyword - --- - -*`rsa.web.remote_domain`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_ref_page`*:: -+ --- -This key captures Web referer's page information - -type: keyword - --- - -*`rsa.web.web_ref_root`*:: -+ --- -Web referer's root URL path - -type: keyword - --- - -*`rsa.web.cn_asn_dst`*:: -+ --- -type: keyword - --- - -*`rsa.web.cn_rpackets`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlpage`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlroot`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_url`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_user_agent`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_cookie`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_method`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_referer`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_extension_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_page`*:: -+ --- -type: keyword - --- - - -*`rsa.threat.threat_category`*:: -+ --- -This key captures Threat Name/Threat Category/Categorization of alert - -type: keyword - --- - -*`rsa.threat.threat_desc`*:: -+ --- -This key is used to capture the threat description from the session directly or inferred - -type: keyword - --- - -*`rsa.threat.alert`*:: -+ --- -This key is used to capture name of the alert - -type: keyword - --- - -*`rsa.threat.threat_source`*:: -+ --- -This key is used to capture source of the threat - -type: keyword - --- - - -*`rsa.crypto.crypto`*:: -+ --- -This key is used to capture the Encryption Type or Encryption Key only - -type: keyword - --- - -*`rsa.crypto.cipher_src`*:: -+ --- -This key is for Source (Client) Cipher - -type: keyword - --- - -*`rsa.crypto.cert_subject`*:: -+ --- -This key is used to capture the Certificate organization only - -type: keyword - --- 
- -*`rsa.crypto.peer`*:: -+ --- -This key is for Encryption peer's IP Address - -type: keyword - --- - -*`rsa.crypto.cipher_size_src`*:: -+ --- -This key captures Source (Client) Cipher Size - -type: long - --- - -*`rsa.crypto.ike`*:: -+ --- -IKE negotiation phase. - -type: keyword - --- - -*`rsa.crypto.scheme`*:: -+ --- -This key captures the Encryption scheme used - -type: keyword - --- - -*`rsa.crypto.peer_id`*:: -+ --- -This key is for Encryption peer’s identity - -type: keyword - --- - -*`rsa.crypto.sig_type`*:: -+ --- -This key captures the Signature Type - -type: keyword - --- - -*`rsa.crypto.cert_issuer`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.crypto.cert_error`*:: -+ --- -This key captures the Certificate Error String - -type: keyword - --- - -*`rsa.crypto.cipher_dst`*:: -+ --- -This key is for Destination (Server) Cipher - -type: keyword - --- - -*`rsa.crypto.cipher_size_dst`*:: -+ --- -This key captures Destination (Server) Cipher Size - -type: long - --- - -*`rsa.crypto.ssl_ver_src`*:: -+ --- -Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.d_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.s_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.ike_cookie1`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase One - -type: keyword - --- - -*`rsa.crypto.ike_cookie2`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase Two - -type: keyword - --- - -*`rsa.crypto.cert_checksum`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_cat`*:: -+ --- -This key is used for the hostname category value of a certificate - -type: keyword - --- - -*`rsa.crypto.cert_serial`*:: -+ --- -This key is used to capture the Certificate serial number only - -type: keyword - --- - -*`rsa.crypto.cert_status`*:: -+ --- -This key captures Certificate validation status - -type: keyword - --- - -*`rsa.crypto.ssl_ver_dst`*:: -+ --- 
-Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.cert_keysize`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_username`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_insact`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_valid`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_ca`*:: -+ --- -This key is used to capture the Certificate signing authority only - -type: keyword - --- - -*`rsa.crypto.cert_common`*:: -+ --- -This key is used to capture the Certificate common name only - -type: keyword - --- - - -*`rsa.wireless.wlan_ssid`*:: -+ --- -This key is used to capture the ssid of a Wireless Session - -type: keyword - --- - -*`rsa.wireless.access_point`*:: -+ --- -This key is used to capture the access point name. - -type: keyword - --- - -*`rsa.wireless.wlan_channel`*:: -+ --- -This is used to capture the channel names - -type: long - --- - -*`rsa.wireless.wlan_name`*:: -+ --- -This key captures either WLAN number/name - -type: keyword - --- - - -*`rsa.storage.disk_volume`*:: -+ --- -A unique name assigned to logical units (volumes) within a physical disk - -type: keyword - --- - -*`rsa.storage.lun`*:: -+ --- -Logical Unit Number.This key is a very useful concept in Storage. - -type: keyword - --- - -*`rsa.storage.pwwn`*:: -+ --- -This uniquely identifies a port on a HBA. - -type: keyword - --- - - -*`rsa.physical.org_dst`*:: -+ --- -This is used to capture the destination organization based on the GEOPIP Maxmind database. - -type: keyword - --- - -*`rsa.physical.org_src`*:: -+ --- -This is used to capture the source organization based on the GEOPIP Maxmind database. 
- -type: keyword - --- - - -*`rsa.healthcare.patient_fname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_id`*:: -+ --- -This key captures the unique ID for a patient - -type: keyword - --- - -*`rsa.healthcare.patient_lname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_mname`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - - -*`rsa.endpoint.host_state`*:: -+ --- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - -type: keyword - --- - -*`rsa.endpoint.registry_key`*:: -+ --- -This key captures the path to the registry key - -type: keyword - --- - -*`rsa.endpoint.registry_value`*:: -+ --- -This key captures values or decorators used within a registry entry - -type: keyword - --- - [float] === sophos.xg diff --git a/filebeat/docs/modules/sophos.asciidoc b/filebeat/docs/modules/sophos.asciidoc index a5d12dca366..975efb15958 100644 --- a/filebeat/docs/modules/sophos.asciidoc +++ b/filebeat/docs/modules/sophos.asciidoc @@ -18,7 +18,6 @@ This is a module for Sophos Products, currently it accepts logs in syslog format or from a file for the following devices: - `xg` fileset: supports Sophos XG SFOS logs. -- `utm` fileset: supports Sophos UTM logs. To configure a remote syslog destination, please reference the https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/nsg/tasks/SyslogServerAdd.html[SophosXG/SFOS Documentation]. 
@@ -149,53 +148,6 @@ This is a list of SophosXG fields that are mapped to ECS. :fileset_ex!: -[float] -==== `utm` fileset settings - -deprecated::[8.12.0,"This fileset is deprecated. Use the https://docs.elastic.co/integrations/sophos[Sophos] Elastic integration instead."] - -experimental[] - -NOTE: This was converted from RSA NetWitness log parser XML "astarosg" device revision 123. - -*`var.input`*:: - -The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. - -*`var.syslog_host`*:: - -The address to listen to UDP or TCP based syslog traffic. -Defaults to `localhost`. -Set to `0.0.0.0` to bind to all available interfaces. - -*`var.syslog_port`*:: - -The port to listen for syslog traffic. Defaults to `9533` - -NOTE: Ports below 1024 require Filebeat to run as root. - -*`var.tz_offset`*:: - -By default, datetimes in the logs will be interpreted as relative to -the timezone configured in the host where {beatname_uc} is running. If ingesting -logs from a host on a different timezone, use this field to set the timezone -offset so that datetimes are correctly parsed. Valid values are in the form -±HH:mm, for example, `-07:00` for `UTC-7`. - -*`var.rsa_fields`*:: - -Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be added. - -*`var.keep_raw_fields`*:: - -Flag to control the addition of the raw parser fields to the event. This fields -will be found under `rsa.raw`. The default is false. - -:has-dashboards!: - -:fileset_ex!: - :modulename!: diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index ab9bafd0ed5..d793739c024 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -2188,25 +2188,6 @@ filebeat.modules: # hostname: "b.host.local" - utm: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9533 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - #-------------------------------- Squid Module -------------------------------- - module: squid log: diff --git a/x-pack/filebeat/module/sophos/_meta/config.yml b/x-pack/filebeat/module/sophos/_meta/config.yml index 4b07d941401..424c36d95a7 100644 --- a/x-pack/filebeat/module/sophos/_meta/config.yml +++ b/x-pack/filebeat/module/sophos/_meta/config.yml @@ -22,22 +22,3 @@ #- serial_number: "1234234590678557" # hostname: "b.host.local" - - utm: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9533 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local diff --git a/x-pack/filebeat/module/sophos/_meta/docs.asciidoc b/x-pack/filebeat/module/sophos/_meta/docs.asciidoc index f998d7ce62c..9f57ecd00cf 100644 --- a/x-pack/filebeat/module/sophos/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/sophos/_meta/docs.asciidoc 
@@ -11,7 +11,6 @@ This is a module for Sophos Products, currently it accepts logs in syslog format or from a file for the following devices: - `xg` fileset: supports Sophos XG SFOS logs. -- `utm` fileset: supports Sophos UTM logs. To configure a remote syslog destination, please reference the https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/nsg/tasks/SyslogServerAdd.html[SophosXG/SFOS Documentation]. 
@@ -142,51 +141,4 @@ This is a list of SophosXG fields that are mapped to ECS. :fileset_ex!: -[float] -==== `utm` fileset settings - -deprecated::[8.12.0,"This fileset is deprecated. Use the https://docs.elastic.co/integrations/sophos[Sophos] Elastic integration instead."] - -experimental[] - -NOTE: This was converted from RSA NetWitness log parser XML "astarosg" device revision 123. - -*`var.input`*:: - -The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. - -*`var.syslog_host`*:: - -The address to listen to UDP or TCP based syslog traffic. -Defaults to `localhost`. -Set to `0.0.0.0` to bind to all available interfaces. - -*`var.syslog_port`*:: - -The port to listen for syslog traffic. Defaults to `9533` - -NOTE: Ports below 1024 require Filebeat to run as root. - -*`var.tz_offset`*:: - -By default, datetimes in the logs will be interpreted as relative to -the timezone configured in the host where {beatname_uc} is running. If ingesting -logs from a host on a different timezone, use this field to set the timezone -offset so that datetimes are correctly parsed. Valid values are in the form -±HH:mm, for example, `-07:00` for `UTC-7`. - -*`var.rsa_fields`*:: - -Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be added. - -*`var.keep_raw_fields`*:: - -Flag to control the addition of the raw parser fields to the event. This fields -will be found under `rsa.raw`. The default is false. - -:has-dashboards!: - -:fileset_ex!: - :modulename!: diff --git a/x-pack/filebeat/module/sophos/fields.go b/x-pack/filebeat/module/sophos/fields.go index 8737fd17ab6..90780f56ff6 100644 --- a/x-pack/filebeat/module/sophos/fields.go +++ b/x-pack/filebeat/module/sophos/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetSophos returns asset data. // This is the base64 encoded zlib format compressed contents of module/sophos. func AssetSophos() string { - return "eJzsvf+SG7mRIPy/nwLfbMQ3kkPTGmns2c/6vHvR7tZ4+lbS0OrWzMaFIyrAqiQJNwooASiyOXF/+B3u392X85NcIIEqVrFQZDcJsFt7txvhGDXJzEQCSOTv/IbcwvoN0bJaSP0bQgwzHN6Qr9wfvvoNIQXoXLHKMCnekH/9DSHEf5u8l0XN4TeEzBjwQr/Bz+z/fUMELeENEWBWUt2eMWFAzWgOZ/bv7dcIkUtQK8UMvCFG1d1PzLqCN5a2lVRF5+8Bapr/+0BLIHJGzAIazKTFTFYLUICfGUVnM5aTBdVkCiCInGpQSyjOBgtQmj6A2rmSddX56zZbNnCRLEF5j/5x8GMIQig2SEo97/19N4Zxlg/YfrNg2n6PME1qDQUxkuS0MrVnsKIrUoLWdG7/TQ3JZQnaLlraz7dAE/JOzskl5LIAFV6Ig8W2iTp0OQ1cWIIwmV1aZMCe4MTc9yzXyPNcCgPCaHsBmNCGCtOQoYM0GlYeQmBBzfYHQ+qYo8miINSQ1YLlC0KJBq2ZFGTBjCaUfADzCzMCtG52/2xwNNrF6oWseUEELEGRKbTnrqJKA3kPhlrSKJkpWXZQPXsn5/rlhOa3YPTzAfhLpiA3fP2CGE83JR/BSQN3wkWHzLMgIzksgR/ASS7F9v3scfISKgU5NZ6SAmZMQEGk4EiWoVMOpKRVmKpSz7NoF2bHHr/39/zq8hVZUl77G88KEIbNmD+dcEdzQ7icu/1Sg43A1TEL3p8W/J7djooqw/KaU4W/9xt7NnoyBqAPOimhkzGAPH5SRrdkedo9ef1/92T3nlisaTbkuOsrp3/LcCHb2/JkqFvSQ4RectIUaFmrPNHbezzbUt3/4yjThhooQZinSBytC2aynNOtO/xEyANh1PopErawOtVTJIyJwwhLqzE1kuPpnrQC6CHSIy3bZgBFTBtqRK8J2ZmdLzZ2v6VmoIcMlITjrIgtPWQAfY8VMc7FLefIibgoOm6TIPscuwbLjMQ+EuDgg9mXn0KtrgX7XMNGjVbt+v2f1n2j9kKK3D4O1MinbtmOiJslSysOu9y9sGjYjOW0e5/fyTl5uwRhyDUKZ1KLApQ1QRR4QTVY+ozdQUE0GAuk9+M+Dj1usDSbMIB9tMHSbsIA9IM2ZegJjO9fOuxgDtb1AJ48jAcLqRPpq91z+aPUpisi+faJ1CAKJubNhzp0bDo+pC+Hv+yQAzb40ShjrybL3xFaFMrKyrHrvs3cweqN/FKZu/w+NXu//z+XvZZb6WXDtlxwjrSut6wglMzZEkTrJPtyFQHLosP8F2ktkOIpKn9fRkRj1KEhq3Wm4HOCve4GD3GDcd3TNXL5rUNNJniRXnhvtqHkZl0ByelQgkyBADMLUOTTlTCvvidSkR+4pOa712RKNZ6iJkA2Y/Naoeq3Z92HqLtf8LoxDJrO+IzgX7C/nstUbrZd1nGD+Yt3MEi1oqpIptR1JFpn2V1OXk1+7ul7lCjgdHtLCdFrbaD0j6gn20JbgDup2jHP/lsqNmeC8uY3fW1lDx9S6V87EiOuJj9/H2CBJ3/AieNZ0FI05HKM12dzUIeK46GvzwJoAeoksesfERW5ujwmSuro7QZLEcxhsdIn7WTjeZbcz0YbRetqo2jhRbGmy4XkHHIj1ZcogC33HiHnxp45pknuWAeFpbSnqL6T22oL2cHoJ2jxlfn0qaiqpdSY7FZKQabrwaYRouBzDdpYgJqVFV/7fbJftoKeAM0XRLMCyLNviVmomrz+/e+fkxXVRAOIFssOTjwJ5fUenNCVFBrSsSL/Yk5FLmthWp9CXU6d0LN
XWQchkGd0KpfQYQYTwczKRrxpo4CWo/cn/2KOzSOzCgpWb+tpMRj1VUhzbB0LbEaY+Wv9+ttXf9BOpL+sUIA2RP91sJq/WnvwHV2DIq/JW5HTStfcRVasSfkguR6CfmTwI5BbGcLy3WvyL3a5L8h335F/IblUVl/GVXikL8j/y83/b7/INOkz5avgFgpZwJO1dcUKspxyPqX5bVoN2BEnpMFrQ42zKywTQRSVZMKgaWIgnOCMhyMDpWSi/LSNPqgryBnlSDFSqo1UVrMWa6d12A+WlLPCHYwQUYTMZC0K+8JwQOKZmHvlaG/yYv9GDCDHiAX667AjbDSyC2suafFU3jlPDtHsVyAlGMXygNXhTeHul9EWds99I4Tts0/NRqOVs2bbzsiPcmW3ZmhzMkGkssaYkeQWoNrDtCfx4n0hTFMyB62zJSuyIlXU9W0jeeYgQFGDl7ywHOzYhUumTE25Ndp7vncRcHGwklmzG2PlyAy3Cn/Vry6JstJao0MFmUbVHEz7tb2c0CpR0tOjc8Jlwu3mhEoSChoK/qvLxvf6EUppgFz7854rwId2uh4TlPb/mkDMFxB48ZgyXXGWMrPhSZvzmg3U/iehm1mZm/C8462zb4A/682pa6wW/4T814gwOvEyY/wRYvQWqzWOJhfnE6/75lRY9rCykmpb4yX4RH5xaRD103B/fHJPFRriaLqHXKl9U77e/GRjsDs9By3zM/L699+TFfK9BCoI5TzsK0CnPqpJG/8RWYECB5YawoFqQ6TYKhfpM/HR1cQvm4mBu5oibOt594tUBTIOs5ogXwjJ5Xy9HYibMTXQYgn5PckXVNHcOCbaS71G+tFpLkgtfE4P7/nMRytqYxd0u0B9yiDCjtglWhSlVTKlaMIIiq5GZRpK1i21kuaosboYhfA+B5nntWogakNFQVVBhFQl5ezXUH6vVGWQP4XPcjiYRbKeDp6kBzFpQ3VLzEvOZoArDhj4GnIpihEFe7PdmTYp/Sw7FsRELsuKgwkegFEnKkUF3ii2JQY79WbKPNJBvra4g8d57Cj3T+bo8SulMItI27SpT42V87LJcioeifFvRZGC7Rbkr1Kk7rawQyxa7I2K6dJrb7Y5PBBRyW70OTFwZ/zlI0tQulNOUezKAwvs77GHbQ001jI3ZXq5VAUU6d5Bn2TjnyndYmx0jCbTpv1iN74+fK2ULM8Qao1F+ToHQRWTTq0va27YN4aBIrSqeFP9smlWU1JB56HSXEI4hncae9ER5WjVhJmvNZEr4SJjhpbVtmfQU2yxWRKHt89oki+YtW5kAfqMvK+1QTOpC9TeSmpG8nKpgQM3aacAm80s3Us4hSaEm9wgdLxTMAMFIncHglrVumBLVljNBs9DWJBdN4LsZot54UXeVUydbIWb/XSxoDt7Epnha7dYbYWe1dcsUXhAd/tGI276qAvnhZXGrTw7G6Bs08lkHVsClQNF7liILf9jXxXUID/XUJ/sKNnT7U7RRj6uqCZIRDFybpC4V7GZGlEp6DE0gUyblybB6zsvU9BaZQlIrbIU2nMVUxT1gb6ODjWBrtR5RR7HhNwyH4NvzOC5fNCbc6jY3CfXDgkWbB6IrW4IsR1BNB8o8TEUa13z1GGnEStK1iaXJbx0NLTGC2Zly9nghFDhWdAzIEcOCCxBMZOydGTHwhrsvgiwE9nZ5fJJW7w46B3oXum20sVCw7hTBTmbsY3hE9ZuXTBnrKeK15XTZzMFNqB1MbJiUzDRuKgKH2QJ0u3N5lNtws99K71rCUpFfrr2qbFMNwkB2341xN/s0FiVpK6kZhEFx73OFprTonAdpjCVv7m7o114am6ydK2LHiiKRF2CYvlDZVFwbSeoYtuxsG4lW3sznFhy93uwtCWIQiqfMLtzZXL6t0foXtOEduX0b5CH7WhLWPpa8AG7rQTdTZiT9Cl71X01vJC+6t+LGe/lWtA2t1hIQyhZ+I4X4QRaLudZk6jyKEK9OYgPFuqn6Jn
Sk31/xnQrbEuN4iOs+EvO8nXq27NDLkyQAN89W/D1iFyuecq86TADP9YckLCwOJXCwF1qjbUl6Eo4f92mHyotCm3/Bx9VyhuCQg1g9jzO+YKKOWQCVqllwVjgEladUD8qIcYoNq0NdCTEMEdfO9Kttt59/sKiQ1c0mrBrOcdZsraVu5iGhuB2fpEjpqu/BYxbrACzDGsaDupNzpdagjoj1+A2pdagzugcsJW3z3SfSdXQMIDdgHF6e46/J+73nb4VUpGpkiv7WfNXr2s6s2u0n/RVMaHKxHbTtYBje1T8nZKD6tBT3SnJi1ZtTHWlZAU+oJjqLT4XhHJQps0uUhuk/m8uvOXFR6cJACYhBRTmgggpvlFQAVoyu7If0Gw45ZOT10rZC9PaK7iTqMe9ZC7C1oR/BitbMbPwyrKT9eQSEU6x2kQQKb6ZS/vfO14CVFKygOKYcN20Ewx8iQRYIuWMWOlgGOgzcr2RKduDDbqVVWkovnDlfLW2RowrGXXJNoUXv57xlOS81qY5kP4fg23CnzBtd9LXRHv/hlV88dNxFejk2o+7YWGL3rVlSqeUfb3P8LJUXiIVhGotc4b+UrsbQXsSN+wdu4U3hJJqsdYsp5wUTN++IJXCmSgvCJj867CiTBU9pPbygQ+9q7NRtAQDSpOKauzipbGRg+tFkMuytFJM9oL2w9IaMPlOdc+9B4+l8XX2MMHD5MR3LsuqHt7BBNtGyYqJQq58Pm0uRQ6VedFmUowyY7DMWc35mnyuKXfOz0KWlAkvNUQHEZcjT1fX6xlLXdqxdKsSvmPiFgpfC9QkolON3ilvoNhPvmpJO2PFro3jg64QSUVdd3STc0tsE9CQ99P1Y9H1U+U9r+R62K6nDTqDKtn2YKfULlaPE6l153+3pv1dZE17xnj6O94u+QfE1l5jBUWdA2kiRxB2t2lQjPIs8Jome0SuEWWjNm+/j50H0L4wo34ByG/1QS0HYniMPXb70C2oXrQ31KqFgSrDOl+4zN+mxqYtM7xoIG21CLMLadGcaZXbX7X/HlaaEivPBWGYc1eLnANV9k/YCG9Dmi8g9N5O1RR27o8+OOFXD/s8PekXK5fllIm2b3b3wfJlo+oBr9eSqVqf2tPX1UaQgHGP32kCpIErceGwu56M455SZ8Eld4237HNe5qtL8sFJmme+cQNx0/Z80a+l7XlYr3YO6Mfw5Xfcz1eXyFJf8taKiaH3oB+Rc2mAbgln7hBZWbBiOmykLvU6ZS/7flTXF2g7dWGnH1s44/uEp8ay/qJFTK4u92qysfxzezRZS9hrUWw02jNy4eozfb9T7j7Yrc0igar/jVdfeXfctDZt5aY07WNUCw7acUa6B2UlyZIqRqd8UAXomjIwQSpORwSBBqGT9kfpbWhXVXWYz6ykshpGU1/I7D5fv7yabOvQxLeMdR6FsbrsAwcK3rsWchNpcUSSK2HINZsLisJi5IhWUqVsXvv1QH7ZQzppdDeJXR3xPy0hnbuMp6yQgYPz4acbwkTO6wKsOPOTau3Pz8izt3e0rDi8IRPnEHFgUXqfhf0iGJk7eWwTnVObpyVMGdO3VuU+gK4HlOJ13Jgf/NPwkenbHSFXo9h8DirdCLswy37uxgI8DaidLhToheSFPT3OVh+ZNNoLvZ/AszCMvXup/Oyj0zGet804ri7DZST3js7nsqyyE+dd4a743Csc4+r8e7qefmPJkQLrU2c4bkYWdT5mpXm19JGyxrqUt9JSKuw8YOV6Q9/IlDiqihVVj5OhN+yqb6Ur9Q+RXcRIa+RnVohS8p7mTT/lsHJrRdBJ7RgpvmkUVLVbCjlbM/pQawVUR88N1oaaOpbi3PqjKOOPZnZY5FN5R1jxcvz9si9rfQoKLUWfBo2P3V2wVISvbvOOJZ6+Nzjkl8O5e4c8Z0zIOlaMs1NHoufR75SVpDGdDgOP7O8iA07dmbF3JM45t3KP6DrPQetZzclbi5/ksgBtj0TT7DdsWTBRwF1
kBnCmzWGa55GyBRGjKaYaIqagML5ZUsU4ZvAEPHgu/i7mhCITv7G/Da5MJDiHcuqaCz2SRuyxk2dtPmcFSle+6NZJmAHLvIqwSYhvOjw9HykydG6u4XucOqHEKV9tkpf3Vblv2w8pE5oUYCjjASfDVNam87uRpUl+8tzMxmNL2zw2pGP8ITVQVjxZNs85KWBGfQjId75sYvg+W9NqxUtQnK6xkMtI/7iSZ4EbaT9Aq9v/GmZNFbjz1WvDTI2NGUlwYRvbYNiw6djrGjWK1fHv5DQ2pQlkVS7L0t6nNMfowkEnrJPsWym5ZIXznzVd5ErQo4lQhcwPDzQ+3Fv2A+MbrTHv5uWFVYO7CpOeHkfWN9jTyvq/yemBfqeDl/ff5dQHYMK3q2LpGudeYkKx2/nryRW5GihUXTKSda311SW7KYhY2NVWw86jGtIP8Yf53Oqwcu9ERDaVReqKr0HF3bbS4WkhlpYR9WgRv1uCCxmcoPK84wL2pcMugbaNh7A5K9pQzogTr4xtNQ7KwCO8/PGUvHbdVZ3ymWqme08+ue45TSAKkzXuIK+7XgSX+jWFUHlr04VpV+LGCRwhQa940XeItNWVdEkZp8NABmld4QTrK2eg1MikBXeHDvH1x4u7eWOl9A2gXAB2sCSfbqDZ/GxEIrIym9ZFsY7un2FlFrUOqAO31nBYo/OdXqr4EBWTEbscbJXYZbo+RUEC093sVddzldYFM21l3aYvmqcoNNhuU7HhRMkmvLB7kS5LLDYHlyezyi9+fkue+VqJn2tudeUp41jAgXlgb+8qqe03n5Nvho4GsR2FuRVyJXqGkIa8xmYWyz70kUmbOT2BC247LfSiqXL/4EuT3sGc5mvyadRc42yq6GMU5XvEPRYzQUrKxEzREnamY1RU4dTe9H0SesrlBNGSD7JwydGbtoCdrLMAUWSP9oWpApYRqSykft+4D7AiP9YCTcn3sgBOnjGxPPvtC8Jk/oJM7f+A/R8qKF9rps9+G44vmrzKZpwOJufH1qH6Gv7FhCBS9HWhnFw3w6/kbGejBiOTUur+OvV0Nm0QNCh7kIMELcu4cneLsp/f/0IVkBuXAPzb3/78/pfzj29/+1uXc7ukirLRM7mS6jZmyfLeC/ZLg7AbYRt1glERW4nwNTtxu5S0zwHN7XOxTmDCzKQCoVkeU4B0XEkJKC7je0EC8YFYQLMVZcPhxEd7B7D3eWyg9vrELlHX9TTRpTDTQhsVu/Id67WTOcS6b2m0d7Sp+UjnJD202GUzGGyg0vhik03di693sSBmbNTR1Cw1mSP20KUGuxEFlrld3hMWygf3E3y448IS7/X/j0OsG5XZTf57lCNWdHz0npCdRD7K4WjiuLvok/IESVu9ne3Ypc9Mm9HeZNlhn8zn6HYbnNz9kemmZTU7RTwMi75mlHHL66aZy8TLjKvLbm0bduKy5qCBeaCFwXhWYZNznVkV8YD1HJJ4jenWvvroQpZlLbY9UQPqxGGNm46l7gPcmT9DWKduadOHadbH0nZNRfEnGY6abWgz1LBDJMPR1A0R94jTta5YzmS0LNFTWfBI/YoqMQw6PHXStSirTKYSxtcf3k/IT86PuklKDRPy+aSpBNd/eUc+16BGerfWXGQKtjt1pk1u6DhE1+RjU3QWTOtqtfQ84kPaBSpjjxGwQKuDHEf7oJpAcOxouEX8AQ2UU1Um2C0LNoF7gVYRC5BboHURbSptD2bcblc90AU121rhsXCnIPJFSVWsspIW7rqig/HFR0efaD5Ip4oCM1tEPws5zOIWULWAZ3NstZQArJz+LQHUikafhOE6TkU/Xhh0z1jsB8d3bivBqp7RiRYZzXEwSvzyEwtbi4jGewfwdF4tfyfuzCL6+56LLDcqK3TUvusd6BbyYZGnewBechpdYogMxJyJiEWRQ9ApcqNFNsv0ipk8uvwQ2YzLlaZl/NyVLmxhlumgJ4i65CJjIqU4YaICVU7X0RLeB7Cr/DYN8CX
lKc4Kq7JKSSOz+CEphL78XYYex/iwebK7yeU8K1Iw2wKOn/+Wi6ykd5kxsdwGfcD2RHNI8CiUTCQimol0RFdcZ3zKs9hh0R7sbxMCj94ZvAM7di/ELuzYVb1d2L9PCPv7hLD/OSHs/y8h7D+kgW1kxekUUoiUFnp880xkZc1R+Z6uE7yTDfDqNoFeUtaczcsqjfZttUzK57GTkDxklkIp0fA5j+8bEZl2CYkJdlCrPI01aQGnsSb1WtdVglmkuWjLqpOYqkYaa3rAXQIRYqSxhlkq2GjWJAFeC3YnqJAa8gSHcPm95UqiR2H5vazMAmiRwK0myyrLeQIftgWcIEiCcNV0beK7RS1knQRyVWcJYhq5YobllCcoINIZnYPI1xGzrrqwBeXrX6GYpqB7mWEb0CSQXTuYNFS7xNok0Kfzavl9Gh+0zqbM/CFJo7FcZ3FnxW0BVjK6qNZJrjlChVzFr3LTzscfbdZWBzCYhfPzx3eOOOCo9iUB7rrJx+sg14E9YxxS2DA6m6XYRDaLWZzdB5xCN9AZqzBJMUsi6li1/F2hTTVo5h8JtlZ5EticzSCFGaPR0VxCwaIVjPZhM5HmlJSyqDnoXKbgtgfO5glkk6z0ipqoM/870EMZ5FEAK5gzbRSN7wnZwE6g8SmoUrFaJeO1xk7kKpF8dZn57ogngG4U0DKBIulKgVKRnU65Xi0k05mbMBsf+poqmuSAFyOFsDEgL918+9hwmTZURJ9zXGgzrVWsYYENVHCzglJAraPTGl+PbmqSY4PFyQ2z+MOuD+00sAvmnBZF7DvAithh1aZ1UIK3iJVZrqQsk3QlsoATmGmszNIkR/qORynYXN1Gb89U6fgtS1mlK8UiA+XUMFNHzz7jTEC8FjsbqDrqRJ0WLhbfxndrcem6nmYzLqM/5y3wBCn/1uaNLnUs0AQSx9rQCUiNnpvA5TzJ0RXzJBe4kiq2ACun9TzFNSuZzlOIhVInObAp5kAIMNhcKTrc6DLcNYCOnfHnoMZOxxOrVWwLJElFmXQDoKNbojK+ZiQVm2eBeVxHw10JUPHfrCpzQ3mjg406mXoD1o14TXLIEhRu+pk4sYWBBxtbGlSZcyRFJ5dqbT/M8kWsOv8BaLirWPRAQAWqnCsqzKDnbgzIqySA4z+9rhPZp09bU0AjAFZynlFdRRwY0AWtaGyoCihPod8pyJEPrutoIuDxmWwhx23h2oEsVZGA4viOTJ3AN6ydbzhBPoCG2IkAbuBxAuNEw+f4ByDUoDUa1ASmlGbzBIJXV7G9bFrlKe6ByovoirRWeagrbgTAJt6IrS7MWkfvqrnMRexCieC02GOBuiadsZdv5ib+sXJA40f02pmeseGuq+jdWutimiQPvVY8wVtYa1BZwWJXvScZW9FEhlKwweTa0DK2N3iZMaENnSXQDJZMmRRq+LISCVo3GalqEdPNGmqLFugoel4bST7WggxQt9kjCYfl/Uw5K8iFgoIZckFV4bsZamz/HibHTc5KyKWxCaEIBofoE+xvkEtOQqU6bT4EE+k497asuFzDYLDgXv7NZB2tqfc9z5jlofMZ4bwzBXO4IyXdbrSwicWKeb09DCQ5kZxpHM7QYPdbjw2UiK6rSipDho1HCVktqCHMkErBbOwoHJGW+5AhFCHGe6ujJYEw4Tu7j/SF5kyknsjfIdVi69KpiZFzMAtQZ5vv64WsBy8aIQKWoNpxREaSiioN5D0YihPB3V2lLQuevZNz/XLiyl6fk0s/4usFMYvAlCJsBvwR/OhjJFuQD2B+YUaADu/z8FAnYd4MR3a3twiRu8VqoCpfnDHBgvThzN0T9NfeEp84CwOTIV5yWguc9TuvcY5r08Q93MB9q1/7jjWlb8fdrqltwu3nF48Y+3Yjsog1TffrvIpoyQ3cGbwVY+6CU0yjHhFIm8F1H3BCteAjEy+xe27CceDYP1eDIQo+16DNjqbdh2crP7xXvlMZcCyPw+ok9rZHqs077btTdtH
kKMLYWO/v2KFdvwmuPObs//3zDS2yq8tGKCDu8NlAqyFeEu8Dj7B9XKZUA3Hp2i01ZHCr2l3yv3gcekU7Cr6lXCrXvj7IRkKoJhoAx53R3fOqFBWa5icY7zvoMO1QC1R7N4cmrxVOQNtFdAWqZE7dOBXRG5RuMAdbMg5zIByWwAnVms2F27jNvP7w0ceWzI8ovxH/jpM+fZRJz5ayWrDPNWyPSaThy9eh97COiYdNQWk0Gla4C5lLIQBzK8iKmcWYoCAkUBnSauwKDioverBpYdmJ8qR9orics5xyYikYMX2QiselDlGNjGl8PN5Vi7UOk9dJZ1vJrazW2A885YzqbCGT2wTOiGvNNZylshlqZKVidwRPuB8AcZfGUotvmh/EknOg6uyca2kN8d59u8RgOfnR/+KMnIt1+68BdIO2vBaG0OIsl2VVG1BhMZzEjW8Xls48+2p7L3DGYm9DmPlr/frbV3+wtu9lZzsajn0VJNuf0yxuxOy+jhu6BkX+ufXJ6ZeeDCQufOtj1/+kP/NiQ3Pv1O/cjwOTl/fJtq+3B6ZYPGfkw083b+3aQYFznqC/tGA6V1BRka+tVunVM76dC0KQQy/Izfs35EqY716/IFcfLt/++xvy6UqY739Hnq0WayKAmQUoki+k9qPSpFKQG/zWq+//2//z/OsgR8AsEsq4bX6gTD0raXgcj058+h54za/dWbxqiApf8eJpEd2VTXsoP7Bh3L0f+BC9W4rpxjr5mSlTU07enX8IEvurFJDOl3XYyfgfUsBZmLeW3C9GhOJC9gtP3IKn+Abv2Ic5NbCijzAiHU/3hJwXhUI/rTvlIXLapzcvq0PjnMfGQq4u3k/cqzQaHiupPmH0o+dUcpqqf7vJ1cSSMuL9sjw8cBJEFB5a3OM8bDSxzE3XOq2A6JBLi4LZL1O+Cdh2ZvmH37kTHgBrEuIFl/6GX/aPwICUTa51Er3uvk8aJR88hROpTCuSB0K3wAAbbgAz6/2SV5+Y9249TMybx6RZ1vsxxgsI2Y2n8uJ66tDypVrLnFmV0/mNBjoOsXJZUTGHs9Z0yqWYsXmtoCDTNcIEUWDWUFjOVAe2HhgUjY5oy0GkswT9DnhE3b9bwhXdAaCglAYyn9kdP88oPmsLoTOauVT8BKAro9IAnyU4ErME1cI8xXVI1f+kSsBUWmSNJy6dWr5twdt1nG1j6zoTHkGDfWsWoAQYcrOu4AX51Dxj79AB9h2ZNA6wwUvw05im1ozqOYEyMWIaN0R7v/gLQjkPKhPV5ouY4EYVJuYtQdk3kAkjiTb4mDNBPl2NCpQcE2STyavoItsClVWCsW8WsAIdO6PXgk1Q4uJexNip6OhvT0CtG62QcRDz6JMikWarfCTUQkc0UKfyUN4JwAiSYzrBjFDyg1QrqorhnG5CzueY7KUItTf+DnPppmBWACKsekbumvjQGLc0lHdDdY4Ygi3jMTNisEImfJ4rpiWUzFix5EdshJe45FScIo5/DwdlkyDScVEOFth3WW4iKUtrwc7RgO2/PLEjlZBjF4JlvH5w94vYU2VYXnOqCPaLJg0Rz97evXkn53I2C09/hzwzC0i+vT1ibyxCdxs7dL+1dFtyz2uzAGF8svgo2bqO2Tnhfgk9DuU46Z80qFGCZW1yeVpOe5TjBF/XeQ5aj9CMnccPa452WOIJ0kWsijuXak0ChQkD2k4hnHo0whaNViphgE9XUth3xcqtkHLY/pAMFKX+qpbx+tGNvJuUuK6lWDPAGRTterwfZksfZoJoZuqA/CRYXABeRHuoC6oJLWRlXxezAKaIXInNljnGGXonhSxH8mpxJodmrkX9aZUIq9wzUVj5I5VuGUDJD4wDOfeEnQ3YcB9nr2gX5u7kaMJ4u/5HSVcYZcG1z1qIy4XQGgOMiFnvfgQjXL7eta/XiM2J8YTQqUxZPRBY/BQWdMlkjdplLstKyZKNZCjCqYl7K+iUYxHZjFzspo2JZSt2EhK5TWFP6yR
BAnoURh0ucwCBAfwtfal3t/PKbu7b6LHblFnWwmyXs8XW6AssA8/yQ8z6e2lB+B7PQYBiebMkZAgm+m2nFjCzwKc2NNuNeGLP8ldn2qjx4GezpkPabj3aml7vXpNXLxyuhOsKmqatEW5YCdrKdaftKahgNIjkdyFaU4i9G4GNB4/cBnXPo3VI7+5HO1rf3W9NrzIdbcjpvZfmHcb7VjhYG654IxDuIQy+3NW93rs6ddK9cxctytrU/p2L1kv1NAJkjxxvBciXexy/279lsUYbnGbL7icf1UklSMw7dg/5cdLjGHNtg8PYKvVYgrblp45euVObRVaCWchHiJLQnieZODL810Y3HHspKZnU67QjqvNRcu+vtYTsOJeJPCH/fvb7b78lz95dnk+ek0umDRPzmukFFFgKH6SFy7lM3hdoVyQMs2Vnjg6/zfjFkYwxJRN7FXfVf9pdDVHQ3hj0yEcb+vyQ65Jj2n9b99tx/CFNoZgpFaE26ZtMMcpjdafbWshHWrBaOwxEKqJZyThVTjxZsWnvUI7veri8Cu+5ZsUpO410M+U/2YPQeBG3+mJuLnm6OotzseuuY1jDVxp2/L/eSYSfDM6Cd9xApyyjCLsypUqZGDAI2SCrpZpTwX7dkVUt0h2F+zL7AE53z9QIu2dMBWtJE3X9+cGiw9fCtfhyvYt6Wc0/AuVmkVMFpFJQyJIJGiy464inCTUMhNF70+M5PeVq39FHXaxr/QhVooNrr87XVnBVVBlshrRZ6m6xesJmR17Y3EeizqAARQ0UWbSksh3nwwqfHxqMbfBsouSSFW3zMP89WlXca6qDg+Gb/9hnra/ThhWczSJZcaJVtih9rz+zHllmcHgoZk4umYueL7YV95EWcK3SGXMo+EM1T7hDnanzo04l9DywUKejosZKNdFGKifxLbQSDEVsX+O3zuy3vg6vvmRFweF0Uu494ruvnAtsb0fuHSTnmvEYp1nuxGPrdBgS6yY6+4JUnNots++zVARErtbVmJcfUyFPYE/eI4NOtbblj1Ib8p7mCyZGTLqCJpIcX23z+pPATP9KgRUfVj9yTc70GXlX0Ir8jP9w+lEhhas7/evw8SQLugSrOXGginyuQa0J9iDUlRQaGo0qXJxq15vhb04jL30PvNxCVqzpAinc8l1fvnE6myWdgNTNAfrom6Pel1Kc8pTWYbZ9xpvW0r0mRtY29A8v00TVQgTtWP2ifXlc5Nm1kRqpsfMQM29hpt8ISlZMFHKlia4gZzOW209ehOoEfZ7s8ILY5Tl6Nzk35Bl2hAWRb54hDF0+73CL1ALf8Xcwp/mafNL9xrdtBLbcLqSNnl1rMZzAYB957bumFpKCtWp4yOyLOOB42wcgUP3fqzTFcp4h+/rLTq9Qj3Xndep1YMW4wuBB8785YLGnyesdW6rP8PWu90bWvcWlj3cBHa7mNA67NmDQ35tNQqbbhsEOhRtS7C9+xrKBmCMBRyvccMkFzJjwvnoUTtjVr6TVSNNBpO6gQrFEtG0cMFvqX2zB2PpsU6/d91Ia6U3Z+rCNofmiPHEL/A1WZDgZWEfd7Ugy5GXKRLwJYlHvhl0yFhWmfTwDQqpbtoPb4tpob8r7A1M7B1Snffv2UF1R1Zwp++cXm6WsFmzQSp3Y22FtWZf8fq/lmegzS1xbC6nW6Tb8j7qi4l/3doxpCOl3UW/U89DTZNnyx5cIfc/aHk0lGqyq6be+e1WjpyADYZSsDhEdhaynA+fCvc64x2mtbdhTjoA0uuqO097DC1lWVKzb+4jXDsfpO3tlCco+QxkTMxlWCqi+TV0jtEd+bFmRDWUrSNsVffY5VY7ADzXna/KXmnI2Y1CQS6x7ds7BICkrmGa5lLfskYLuv8CUOPwb+5nyMW0+erfZTTi8qg2q3AeOMN1/1z+2KPyUHe+Odj75M3KzrtzSN54Dyxy3g+Obp2CWRW0mu0W2pcE5ItTXOtS2dpuYU7jqWuWyT53zLFZSNd5+DDF
/fDey5Z1eOZGPU8OLKu0coh2ssJj3eu4bMpWUiTSRPlEWj90PUlETdk3mIqM6ZrS/A1j5cvrIkGvFI25zB2rEXWmN0axWsbwhHZgaVEbn8WzKDejoz1MfdNT0xz5of+oTCBa4MyBQtYpvnFj40U5zq+gtFGylysTWqByKU9QS9mTuDaJF9eql/+8LT8JL/x8+rynk9qccVDg7zy/nEaPnbjHd4Dl6XDuj1gbLKfxANGtSMTEDpUbirsN1n2RdXcV/L+uD7tkTENn0JZ51tiFwpTCsLZNeqQCKkx2/ty5ub4/dDWYQq+6f/g2GCVrjAz9ZtQB1Gn+E1dl9xtOzCxz9+JxcIP4waaDMiZqljPD5ApQf/gm9LMwdzXkhaei4w8jOhlukX+tOp+idO81+PdQr+fDWKOHdJtfs17C3ht0mkilX//aWCJhLw9wGVguqRyZA6fzUbYU6W+mQjw8XtFudbALUIMFl64w1jdOb+ptwQopm81NUVPT7G7VTD29GBy1bacK0rqMrnQgZk6XSeeuOi6EghaBUUh/oYFO60vOtRU6uMTi9SzqdJEOi7Qzuo8jPrjG1c/dj1JGehxH5cOm5g8ZxEao1z5YpX/TtkKp3ZAeJKTJ79GgdvU2jTgWY3YK3qBM1N/hqM66k+yChbP0d0Rivk4pcXZ//2/sJmdh3ivwkRqavbKhNVEl9CLU3KxmmFsVQvoD8Vh/kRL6fEE7bgyw0dK7t19m2CMM0UD+CcCMFd2i5oNigKeQjKLmOjrYryKjRgDQbauqTTfjsUrmknBXuIAaI2BaEJ+tqvUsQIsduYa23xXakk98kkEaGvTCm0hnDGbRJQONWpmBITp/AbWJz0VS+SMXMes+NymVZJu0Td0+6HR3eIRQuwV8xBXzb0oztYllxKjKtH2vgrcXsZPgvfrVNjVaQWldqnFWSnSKtOkSwo4AgBUhU2BpAtuYLKsSgcUbqdlMeKxIyErM9Udvm9mHxMw9/eXf+wb97L7fQtw+KkWrb9x+9ZxvTt9lS8joVA86bOc7Cz7lpJ2M343xrwYwmzxwR+jl268DC3mai7hZ4gkQHV8PrRNLsnaf1k2DGpwuc9YsOlqAwU2BWc5JLkUNlrKF87fZwpL3CapVS+jrGW4O9GaFtCa2kMkRa/v74p/NQCm6Q7bHPnVTz0ydYbhcY9FysU+qanQQbxfz57U+Tqwl5T+9KJop2rHd4W+3aTp6G2RuiOLIsv4zB6nYtq1WfwiWL0dOzXZVjNjtdweZjF+E3S06udvScZV4qX136Lr2eip0U8tNtyiP3CmhWXP6XrxtuC3NEMdQkY99u9JdYE/qRshv9uGq04tugbumKe18QXQdS1Kkmf9RGSTH/1ymn+S1n2kDxx5f+by/aT5mYQR7+aMYUrCgPKjJ0yju/IVQUREsyciwVzJk2am0t+1MKi4qahW/W39JAtmkYEIlOqVOR6QqhXb1WLlWnC3mrT7aUgzCdnJRW3ZbVQuqzu66xET7k1jijGt6QKZiu2d8jsZ+R/14WNQe8xBVV2k2ptPju5kSvNZfz7qO7s0/csEriAYz7n4Mz6CZJnI/XXjQDUgKi8Ai0v8CUVJKzfN0icIXrJTX5Agq8CTl1t9geQfddhbXVI9nI29lXR5B37kzbCZq2185LeXVpj9c7mVP+C5uxb3v/ejVGUzWWBXUEdR86qTOtDxhLj12hTbdFCplRzkeKz6oqmzFuQGWOvUMd5BgWdmlALM0mXl06AjeKqVF0NmPhAfuWSqaznMs6EXVMk4sB9C76uEe/i3q08s6iVaAlX0KRTSOena2FNzjIdI3+QxfVlorotcgXSgr2q72MIy13etRuW+VHkfmR6VvCYQm85zTY1f+nS4yBfCEkl/OInLtpYbZpa/spudf9CrfAecBG/tC7Xw+7XCO9lE5wwJsvJZCQqU55S3JvX5/upj6S6GrRPyWh0BL1ZIRDcyxjyvcDCKnNIsv5wPw/7qTUZkEuhkB7SEv
IF1QwvR2cPxZvGG6LetmI47iX4z3lK6qA6Jy6ZjD+5qLn2+llTD/kHk9pfltXWTmcFnsElX9CoGQAtEWqqMgXkVnzJwQ63hc5/gNwNbnuSPp2aNtO7KE0wmNuom+2HNTQVzDVzMAO7Ry7krsQadTXeZO7uAPDhgj0g41lGx5BhpMN6BIaf0o8+iYkkdFAvnEMKhoEJISgT4zOcimCYeL7hSsD1lxbfuowEIsAfUnN43Z9fXU5cnQl52zYXuRwYkYAbvCJDLtexXZAXBuqzMtrI6tRvDGV50/O/d1GxvwILeT76F2QYsbmtRq/jzMuB8lg+w7gKNAO2iexdv9xZCkwDneIOq54vhiH20Od4rRL4Z8BdPFzObeaAbaoGp2BZWmJ6Z7ZLH+sAzA2uxLBieoRXkX0XTkMu7A/IvI7k6EzMirPsX3Y+wHYbcSVghm7i4xZGDIZwt1GretZfNR3hlwP4W5QB0qKj0AZgNcmvAyDT75jxPCDPVguqQHybL1er78py2+K4vmmjaGbaSdzDDiN9B3aJCKwsON68Oc99PzUzPPv5jhcTTaNCGc7rY0CAuNzj9iEALw+qqje5ut+JvHMJ3vsI8GaQdtxuWNMQAvuwURENkMfSAPDR4Cq2ObwZQt43O4rmMoKNmgwf4yEn2BXCV/9zKQ4IxOpNZty8DHCN//4+39INf/H3//zBfnH3/9DQcXXzT/+8ff/HKMzoBwdyZ4QyBYhtkGJvCGu+RAWjjvtY8lUrcmKalLIleCSFmPCyn+MQ8ZjnxMPe08rwj4JcdWCPgmj6mCh/dhUtc4Gk+mPfCOLjl6CGKzt1+iIsC3Sp2Atu7CJZqlMcXw+Qg5sCcqfzR07pU32RJ40bbJKDpobHGE7BQlyKZUzcnMxwbD1p8vJXrJ+lSL2KW6U2y5pFs0YDcFWS8fcog7ey/HGVMUuC/rhDovLWtEp41jt0J4G8kxDLkWhnwdJ8G2ig6X+x9h22Fv4OgC2RVxldR1T7Xnr07bIp08jVhyYBajIJw1hCjBkprCJ/JjARDU4ak7BzQQtaDBjRiuiNGxE8D1cyXf2+gBgH11U5to1OvthnK93OeDvI3pC3zFt2icIayYtGl4XLmq6gmkH7Uhz7zvIa4ywDRqKHc+RBvZ4szK4M2q7CuuYQz4A1yBKoAT9wAIzanr44rLU4hvnJCIMlA4e8XAiwtEi8llo+ccvsKk5kTnDVgbtEN+hU69LSVxWT6hZ9No651IYyjBCiAr4KB1xd8Ayv99eekFNQwwUu2hREJGOAbQNGllm7mmOHue5Boy99br/h4kwVZbS2rM78MPNxLXgn4F6Qz5VaHpI1Zoho4QNuwUec0NuJtj88RB7cGaqXJYlFRHfdkuPB+oTdxcgOiTNZC1GqFllquaj/qQD5ZXL2SYfa45lEocE8BvC4ioILWkWNgI6iLjFNHNFPfEo+xGoMlOgZled/GIaLuVPjnfYpvgYlNvQunXmCRLafry5mbTNDPcjjnzketjHex5ZEpqRW6MOkkNi0s47glQER3q1/Uli5oBfCeOsnPOmzvmA7GWWl1VkZ9HVxftJyxP8x14C4p4Gh9N7G/YTUHDI8qoO4j8gYm7hkX/6pxFcVYpU26vJdWf3DxG2HcLi6rkd0lDbZWdwNvjjQRSLDKcNzmjMoNBVAxJLYZjIZYmjTB0hLwiczc9ekIlUhpyPkBWdpjDIFmEVXRm9CoLcINTpz/ADDgLWOmWjLpXDnA2AjZvGvCpc5pTPqYEVjfiEvhuD2kMrwKykipi0/G4M6gbtPMtlWUkRNdPkogHZPJkYA7PXjsv53N46e9n62uQofTGdeD7/6NVrki+oorkBpd179uzbV/b/X4W9tpYOXU/jvmXX9bR9ysa9AhZ1Gme98/ThTjRlonvoCLV9OvKAzsnPO3pJcTlnAjs+xcN5fjNxcMkAboPWmuoxj10AXhdVXGdLEGKLDrQeNnU/JuQfANgii6p7vh9LGxfU7DTCD6t
zPL9p7O8wUlhFvw0fwjDb5h68iI7ypzDMFmVt0qtisjZzOaaK/SlM1xKUYgVkvt/YrzEFxE8eOBkBPiAirlrdoh91yreIjbwdjHaNgXkIt+1Osaiw6X/Emzb5cdIMEhi7bBWnZiZVxFqdiYfYttd3R2+kWZJTieO+whOnEKMC0KjEPud+l0pcKYb99SKqIbAE7Njnqtv25DVUShqZy4jO4ImH2M0b20HAZz/RLOKF/0sQZAehosJsD+E/PjBDRdFGn3rRkQ3GsM6w+TxTQHXM9+AvLWgSAL0hANRaDztcH4V6DGiDVNFVVlATMcz6ka7IAGKLzuUcFVl1OxgUdag38UaaXqKoH0PV4tpJSKFkFYuQBiYZAt1Gi73UI3ogWtQBwNu4b6csGu9bvEOgHbTLbLo2kGq/Efa+3S6i6rEf316OvarhuVRHpekNAW6Q4Yy9SMl5HxEa2Woo18cV3ZsyDnaDuJLKQBGaS3kUXx3Y8chPi3iEv8ehHWWz/Tx8Vw5wrn8MgGtRWfMuvuoz8RAxmNA6KYMUaBDmBLJBj7lfEP8JnqIdBKhlTGFxPYS3QYXWQNwajRDIFuGCvhr26T8G3Y/nr0jT/r/R7ZiBkkwB22QLyte/jjwBbe14rJt1HQQ4QBe3KKYt9R55fTZoSx1Ri9zgLUGPu6Y0M5AgVH7NDOwOlQenyR2DcQivjyp2Orzv9Hr/THhd0TJ257jripa7Gsfpz5zFfPg55vBd/+XdFclpPV8YMl27odXnP4QJUPlj1WtsNmhXqYYlMEWphs9221eoYdE//slUeVbS7W7JxzjQtkh5f37xEFoS1Yt4Yh5aKmIpOr5U5Juh5uHDT56s0TKRuF7GptmBvcbXV5eIY2QonqHKjAedH57Hj/0lxvP4EV9sdLuwRc1/+8QNK3ECCALuFsL84+//i5xzLlfgUkxBsDGNB38bWVBeO4IGQFukaWpwQmBblNhuNXOqdOSwwTXC9mr6ruO91gbKmFlRDmIQmaFqDhFZ/CC3vYHBUOyD13izDatFgnN5427l+c1kDG6LlpWgDR1Z4MOFRhheF9tATh+Xg8BKIM8Wizdl+Ubrh7UvMDJVqj7WmVbAhLlHur6xFnRWQjlmQRz0aju7/P0QaotWUaGziIWuNxagU3BHSl1DQdo9tMVVZUZIRI3mgcRFVDw7VA1VzwPISsazrgL4MLqc3RbVMXCzgTvmGuigToe5eULOf8auiSNPiP1JyYyJG37pgN0Rgel8K3YQpkvAjjhM52sxQzFd7OPRmFqwiJrDAFqLprKvZRFJJoShbXCl6mThK7l297Hooo+bzNBFP4Dcoo9ZQnZo+dhg3PhRQnZ0eLn9IPtcy5jh6k8aCvKXAcwOyoju+U9juZEWzYmsB0Q1jxjR+rOSdeXqEnouM4uo8ZaFHwJHymDiTHJqxomJKz/CILsIYwn/TctRhOou8TUeAj9kiLwk79gS8Ag6e2BkU5bR+1P2OhNupvRoA2pfm8phDfNRG+IE2uiOrGCaYnBGZzTKiG7mmwdHRTkA2CC7i2ncNV78f7++Djjx/3cAAAD//yu9QDM=" + return 
"eJzMXcuS2zYW3fsrUMnGqYo78Sx7MVWdVjxWVXcit9TJ7FgQeSViGgRo4FJquWbhf5ht8nP+kimAD1EioLbUV36tJFLnHOJ5X2C/Yg+wuWRWl7m2LxhDgRIu2Xf1F9+9YCwDmxpRotDqkv3zBWOsuZvd6qyS8IKxhQCZ2Ut/zf17xRQvoEW9eFx2VxjDTQmXbGl0Vfa+NSCBW7hkc0De+z5A3v6r2dlCG1ZyY4VaNnyPS2Y3VurlRe/+fYl9mTx1+DuXWp0PsFlrk+1d21H1372LjP26AoXsaojaJ1wJ3LhPdLR/wpyVWop00xEwzDmygmOaQ8a4yljKKwsZwxzaew3YSuJFWGhJJ+8qTcFaNtFCIZuCEVyy8Yhpw250yuWfYiF+3vn0OqapTFKOsNRmQ6fuN14A0wvfMC06q1QGhq1zkeaOVoqUu9+zBZfSRsUthEQwSd28idgX8pwm7GvwLG0njke1QMiYVv4h0PDFQqRRlcImqdTVmdQJy64H6H162qHfpx4g92kNWC1XkCVzwrGz9+AtB5tvmBVLxbEy4Ea23ag0N1qJD24ybn8UVyvsA53MO2EfmIQVSMatE+bWAe0Hy+eIQUhzpaVeErbcrMNs595nKPms+SUUwhLM6R35Zmd+HTe5gk/wRQZ4e9MZVshzjfJO8k6/frud+pWWro7+W1oUOlHfzOLQDkvK9f0EIRXmSSoFKCQcKRXm7HoIukNaQJpzJWxBzBvG7ahX7XJMOzluuVxzA8ymXCln4Tcz17E0dpmwx8zjOU8fqjIpdEao8hcPygagHanhKs2Jm+YXD+rt1iAp/QYwnkx7K32LHzbS26uJ4yOciZvSW+lBC30NcysQDljnqXRr3IJ8d55uWyXOsBXhZnCSa4vEQ6JeG5hDjm8lDX2Zb6xIuUx4lhmwllxFS8BCBLtibJJqpRJrI7ac1Gp5pDdXFXMwfqTUahwBpLjd3KbT8SgydLWUwgqtwm1yvJgI4JZPJbAi3SnqAMQUucGfpqjLKC+l8XyvxPsKmMhAoViIpvnrdo/OBa0WYlmZ+HxcSM33W+apARgF7dF+E8/eXCZeBeK4Q2ra5fk6jrtDfY7RrlWzDWAuLJN66SyDJSgwHCEch3BaKMMz28dn41GMEd3qe55d0ceuaoZD7F+R/BETH4wkbXMHy24HsPvEpYGFeCRmVsgmQ9x9alst6KkfkU2HuFtq/SAIuzmA11JlHMNEgQtPsIw4Anu52Ww2r4riVZb9wNY51FY91LM8TStjIvM5A4tC+WVfhAPXg6+f0PO7EUuhuOxDs/GktWn8uD/gbWSwEilhJwTwdqlIo81NjF51tpTrhqclODdIErqADu5oEcRu6JEahN8EuKF2h0cdcNzvy4RJMmEJEzezCU8fAB1yvbtdsIm2VswlsBWXFdjLTx//0mb56ePfP7JPH/8yUMpN++HTx79jOgPG0TObJwTZEeqCC2Jba+Qx2cLoorE+VsJUlq25ZZleK6l5FlusmsvJQkjq8TpqsJnDjruCuxJozYJdCVFzMLOYpLpSaDZJShqUudZZzy7xDM73a21E2F/S5+A8u7CL5lSeY/jcQQpiBaYZmwd6ymLyjWxpFpNSm7D5fpLvFBTkKJyU2fXEp63vR5MnZX3QinoUt8ZtX5qjiWmo+5FwFvV4R0PsjvmQB318wGJUGT4XUuCmNxrYSwupVpn9ISgBCi5kYqv5fyCl9O0cLJsGYDviMqkqSrPnV5WVvkbh/j7ixQHmYIhHmsdUgGxheHFgwfRmMGlNwWziPWjAmNPqKVFEFr7jjfzaXx8A7tKRNq57xtp/iLfrYwr+94SR0BthsduCckgfrKORVVZnTdcw79GGg5HwCGnlM2wlR0K32bdIi80G2Ft6NJxwkA/gWqIzGEFvhITohur5aJvU8cVb0hNa8SH8gCdtnJ5wug/ZJ6Rv0Drzxq3VqeAIGVsLzLf+eVQJbVNPOObtxPL2ZaoVcuEzhN4Aj+qg7QH
X+Ds6fLldIwayQ1oMEOoYoG1pdJHUWzN5nmcKPvfm0Q8meRZYJuf09lwPvJl5+1DZBZhLdl9610Obzg2JCqsMYazCqbi/uznJH1xgmeqi4Ipwb3d6GlDmyz59NG0raaErFVGzTkwlo/GkE9crA2suJburJLDx6KQEfiuM1kDopDlsD3SSuHye5MAl5VL3FrjBOXBkFjlGVpN8ngSufgFebQlt/bf7aB0N4jlKft/OZhN2HYINEhMPuR1272hGJRiwpVbO/YoESE7JSdfREa+ixQ8KEJQ14GOFtZfTFIOfVL0s0qIkDhaNr28nXZv4D08KoB0NNWcTbXhaQCYhScsqyH9Cxtzhse+/j3CV5yi1HU+mvd4/ZbHtCaO1c3vSvLUrLuBi8OVJilXi2sosOGVSaNxC+qMwQqW6cHZwI+RHBhfLix/ZRBtkVxFZ5JrCkB1hSW6MjoOQW0J7/jF8xEDwZ52SaEjltGCDw2SzWFRF6pTLJUdYc8It9CaGukOrANfaEBYt38RQt7TLJNVFqRVppcl1C9lumT4H5qad1Mulm3Vusu1ak1F9lEG8pv7o9T9YmnPDUwRj6/3s5c+v3f/X4ait02GrOe1eNq3m3VYWjwo46vME6+tIn++JRdsTh3WswFhS3/RGL9kfAdAeqVBJZQcrzjNDeh6XDXBbWueqUw67AF6fijbYEkTs6MBavqRM+QcAOzJS2/M2VjauOB50wk8753g1a/3vMCmsyWfDb2HMllLLjJzy9zBmR1nh+U0xXeFSx0yxX8K6VmCMyCDhFebaiA+UC8TvDTiLgA9E0JrVHX00KN8Ro34AysHQMg9xW+oyLy1EC9BPC1K/nTCPGS8HLSXHhTaEZ3UmDWIblW6GXji51JjEtLvwpDaIvQHQmsRNzf0hk7g0QhuBhLbpFFbgEJvTbU/UNZRGo041YTB40iD268YOCHhfcelLx+kUvAtC9ggNVygUZedzzH29Rpt92smObBnDNsP2emKAW8r94F0HzQLQWwFgNhaNGITTnkEdA21JDV8nGUfCNOsdX7MBYkdX1xxlSfmAVCdcZhp3CkVLXzBoO66DQjKjSyohLSYbgu7TgjHaEEYgOuoA8D73w1yQtX3HOwTt0a6S+QbhXP3tsZ/q7YzUjr37dRTbVQ0swFCuo3cBwC1ZoRGoivPuPBobTw5wkUdT4rBb4lIbhCyhTfjcNbDxzE9HHGnf59FGm9ldD8+VE4LrdwG4jsq5d/Smz6RB9MmELkgZVGBB4RdYG2ws/OL5v8BWdECAWVEuFtMh3pbKewO0ZzRCkB1hzl/bitC9mL69et2UslWdjyEQCjYH5+lyxeXmQ2QL6M6OU82saRBwQEd7KKY76h3Zfba0hSW0Ire8Bdh4aMoKhDOkyqcC4XCq3OrKUIZSpkO8XSrqcvga9YhKeFvygvrNcdOSF4deHGffS0G58Utfwzd9dzNmKa+WObL5xs/pP6/ehAWY9Gud19h20KGjGk7gOY5qNNVuTx3UcPRff2SaNCl4Svfw+1Jur66P0XKm8yKNmGOPijhFzz8q8mpoeTTpp0ZW9JgIbZSxfdmBm8bT8chzhKN9FrnBeNL5+Dp+/36JeB2/56OmO8RGWv92L1EUHKEB7h+E+fTxf+xKSr2GusQUlIhZPP63xAvltBY0AO1Iz3MGJwTbUfrXrSa1KU2cNph67MZMPzS8NxahoKyKqhGDZMjNEgib+KiwPUIR3mFOeMbZPlZHkhvgSNuVV7NJDLejFQVY5JEHPH7RCOP12Qbr9PNqEEQB7GWeXxbFpbXHvb4A9blK9f050xKEws8o10fnQScFFDEP4qRdu/bLb4eoHa3hyiaEB11nDrA2cCNHXUNJ2ie00ZoyEYneojlSHKHh2VM1ND1PkHW2NusbgMfpqv020sDAbIsbCw30qM/H3G4hV3/4tyZGthD3k0Ig0qZferAHMjC9u6iTMH0BB/IwvdsoUzF99ng2plKC0HIYoHU0pdstM6I
1IYy25TrXmyyak1yH32PRp6ctZujTD5A7esojZKceH6ssEFY2D9D6NMn7SlOmq+8tZOzdALNHSRiev4/VRjqaL+Q9eKolYUbrX0ZXZX0uYSdk5ojaaFl4I6il7P0xji+gJi6Gdv0IQ/YJqRb/7StHPWo9iad+ELC3/lAg+4ndiBX4IVj7A5FOWZG/n3LnzYSthVBwi2Ceek3l8AzzszqkXtCiPbKG+Tn+cEbvT6NEbLPm5cGklAPAluyR0rlro/j/nk4DQfz/BwAA///M27Nh" } diff --git a/x-pack/filebeat/module/sophos/utm/_meta/fields.yml b/x-pack/filebeat/module/sophos/utm/_meta/fields.yml deleted file mode 100644 index 08a34153c4f..00000000000 --- a/x-pack/filebeat/module/sophos/utm/_meta/fields.yml +++ /dev/null 
@@ -1,2635 +0,0 @@ -- name: network.interface.name - overwrite: true - type: keyword - description: > - Name of the network interface where the traffic has been observed. -- name: rsa - overwrite: true - type: group - fields: - - name: internal - overwrite: true - type: group - fields: - - name: msg - overwrite: true - type: keyword - description: This key is used to capture the raw message that comes into the - Log Decoder - - name: messageid - overwrite: true - type: keyword - - name: event_desc - overwrite: true - type: keyword - - name: message - overwrite: true - type: keyword - description: This key captures the contents of instant messages - - name: time - overwrite: true - type: date - description: This is the time at which a session hits a NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness. - - name: level - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: msg_id - overwrite: true - type: keyword - description: This is the Message ID1 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: msg_vid - overwrite: true - type: keyword - description: This is the Message ID2 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: data - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: resource - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: statement - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: entry - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: inode - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: resource_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: dead - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - overwrite: true - type: keyword - description: This is used to capture the description of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: feed_name - overwrite: true - type: keyword - description: This is used to capture the name of the feed. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: cid - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_class - overwrite: true - type: keyword - description: This is the Classification of the Log Event Source under a predefined - fixed set of Event Source Classifications. 
This key should never be used to - parse Meta data from a session (Logs/Packets) Directly, this is a Reserved - key in NetWitness - - name: device_group - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - overwrite: true - type: keyword - description: This is the Hostname of the log Event Source sending the logs to - NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - overwrite: true - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - overwrite: true - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - overwrite: true - type: keyword - description: This is the name of the log parser which parsed a given session. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_type_id - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: did - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. 
- This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: entropy_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: entropy_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: event_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - overwrite: true - type: keyword - description: This is used to capture the category of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: forward_ip - overwrite: true - type: ip - description: This key should be used to capture the IPV4 address of a relay - system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - overwrite: true - type: ip - description: This key is used to capture the IPV6 address of a relay system - which forwarded the events from the original system to NetWitness. This key - should never be used to parse Meta data from a session (Logs/Packets) Directly, - this is a Reserved key in NetWitness - - name: header_id - overwrite: true - type: keyword - description: This is the Header ID value that identifies the exact log parser - header definition that parses a particular log session. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: lc_cid - overwrite: true - type: keyword - description: This is a unique Identifier of a Log Collector. 
This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: lc_ctime - overwrite: true - type: date - description: This is the time at which a log is collected in a NetWitness Log - Collector. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: mcbc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: medium - overwrite: true - type: long - description: "This key is used to identify if it\u2019s a log/packet session\ - \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ - \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ - \ 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: nwe_callback_id - overwrite: true - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - overwrite: true - type: keyword - description: This is a special key that stores any Meta key validation error - found while parsing a log session. This key should never be used to parse - Meta data from a session (Logs/Packets) Directly, this is a Reserved key in - NetWitness - - name: payload_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: payload_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: process_vid_dst - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the target process. - - name: process_vid_src - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the source process. - - name: rid - overwrite: true - type: long - description: This is a special ID of the Remote Session created by NetWitness - Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: session_split - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: size - overwrite: true - type: long - description: This is the size of the session as seen by the NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: sourcefile - overwrite: true - type: keyword - description: This is the name of the log file or PCAPs that can be imported - into NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: ubc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: word - overwrite: true - type: keyword - description: This is used by the Word Parsing technology to capture the first - 5 character of every word in an unparsed log - - name: time - overwrite: true - type: group - fields: - - name: event_time - overwrite: true - type: date - description: This key is used to capture the time mentioned in a raw session - that represents the actual time an event occured in a standard normalized - form - - name: duration_time - overwrite: true - type: double - description: This key is used to capture the normalized duration/lifetime in - seconds. 
- - name: event_time_str - overwrite: true - type: keyword - description: This key is used to capture the incomplete time mentioned in a - session as a string - - name: starttime - overwrite: true - type: date - description: This key is used to capture the Start time mentioned in a session - in a standard form - - name: month - overwrite: true - type: keyword - - name: day - overwrite: true - type: keyword - - name: endtime - overwrite: true - type: date - description: This key is used to capture the End time mentioned in a session - in a standard form - - name: timezone - overwrite: true - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - overwrite: true - type: keyword - description: A text string version of the duration - - name: date - overwrite: true - type: keyword - - name: year - overwrite: true - type: keyword - - name: recorded_time - overwrite: true - type: date - description: The event time as recorded by the system the event is collected - from. The usage scenario is a multi-tier application where the management - layer of the system records it's own timestamp at the time of collection from - its child nodes. Must be in timestamp format. - - name: datetime - overwrite: true - type: keyword - - name: effective_time - overwrite: true - type: date - description: This key is the effective time referenced by an individual event - in a Standard Timestamp format - - name: expire_time - overwrite: true - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - overwrite: true - type: keyword - description: Deprecated, use duration.time - - name: hour - overwrite: true - type: keyword - - name: min - overwrite: true - type: keyword - - name: timestamp - overwrite: true - type: keyword - - name: event_queue_time - overwrite: true - type: date - description: This key is the Time that the event was queued. 
- - name: p_time1 - overwrite: true - type: keyword - - name: tzone - overwrite: true - type: keyword - - name: eventtime - overwrite: true - type: keyword - - name: gmtdate - overwrite: true - type: keyword - - name: gmttime - overwrite: true - type: keyword - - name: p_date - overwrite: true - type: keyword - - name: p_month - overwrite: true - type: keyword - - name: p_time - overwrite: true - type: keyword - - name: p_time2 - overwrite: true - type: keyword - - name: p_year - overwrite: true - type: keyword - - name: expire_time_str - overwrite: true - type: keyword - description: This key is used to capture incomplete timestamp that explicitly - refers to an expiration. - - name: stamp - overwrite: true - type: date - description: Deprecated key defined only in table map. - - name: misc - overwrite: true - type: group - fields: - - name: action - overwrite: true - type: keyword - - name: result - overwrite: true - type: keyword - description: This key is used to capture the outcome/result string value of - an action in a session. - - name: severity - overwrite: true - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - overwrite: true - type: keyword - description: This key captures the event category type as specified by the event - source. - - name: reference_id - overwrite: true - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - overwrite: true - type: keyword - description: This key captures Version of the application or OS which is generating - the event. - - name: disposition - overwrite: true - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - overwrite: true - type: keyword - description: This key is used to capture the outcome/result numeric value of - an action in a session - - name: category - overwrite: true - type: keyword - description: This key is used to capture the category of an event given by the - vendor in the session - - name: obj_name - overwrite: true - type: keyword - description: This is used to capture name of object - - name: obj_type - overwrite: true - type: keyword - description: This is used to capture type of object - - name: event_source - overwrite: true - type: keyword - description: "This key captures Source of the event that\u2019s not a hostname" - - name: log_session_id - overwrite: true - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - overwrite: true - type: keyword - description: This key captures the Group Name value - - name: policy_name - overwrite: true - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - overwrite: true - type: keyword - description: This key captures the Rule Name - - name: context - overwrite: true - type: keyword - description: This key captures Information which adds additional context to - the event. - - name: change_new - overwrite: true - type: keyword - description: "This key is used to capture the new values of the attribute that\u2019\ - s changing in a session" - - name: space - overwrite: true - type: keyword - - name: client - overwrite: true - type: keyword - description: This key is used to capture only the name of the client application - requesting resources of the server. See the user.agent meta key for capture - of the specific user agent identifier or browser identification string. 
- - name: msgIdPart1 - overwrite: true - type: keyword - - name: msgIdPart2 - overwrite: true - type: keyword - - name: change_old - overwrite: true - type: keyword - description: "This key is used to capture the old value of the attribute that\u2019\ - s changing in a session" - - name: operation_id - overwrite: true - type: keyword - description: An alert number or operation number. The values should be unique - and non-repeating. - - name: event_state - overwrite: true - type: keyword - description: This key captures the current state of the object/item referenced - within the event. Describing an on-going event. - - name: group_object - overwrite: true - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - overwrite: true - type: keyword - description: Common use case is the node name within a cluster. The cluster - name is reflected by the host name. - - name: rule - overwrite: true - type: keyword - description: This key captures the Rule number - - name: device_name - overwrite: true - type: keyword - description: 'This is used to capture name of the Device associated with the - node Like: a physical disk, printer, etc' - - name: param - overwrite: true - type: keyword - description: This key is the parameters passed as part of a command or application, - etc. - - name: change_attrib - overwrite: true - type: keyword - description: "This key is used to capture the name of the attribute that\u2019\ - s changing in a session" - - name: event_computer - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - fully qualified domain name in a windows log. 
- - name: reference_id1 - overwrite: true - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - overwrite: true - type: keyword - description: This key captures the Name of the event log - - name: OS - overwrite: true - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - overwrite: true - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - overwrite: true - type: keyword - - name: filter - overwrite: true - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - overwrite: true - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the entity - such as a file or process. Checksum should be used over checksum.src or checksum.dst - when it is unclear whether the entity is a source or target of an action. - - name: event_user - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - combination of domain name and username in a windows log. - - name: virusname - overwrite: true - type: keyword - description: This key captures the name of the virus - - name: content_type - overwrite: true - type: keyword - description: This key is used to capture Content Type only. 
- - name: group_id - overwrite: true - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - overwrite: true - type: keyword - description: This key is used to capture the Policy ID only, this should be - a numeric value, use policy.name otherwise - - name: vsys - overwrite: true - type: keyword - description: This key captures Virtual System Name - - name: connection_id - overwrite: true - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - overwrite: true - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" - or "reference.id1" value but should not be used unless the other two variables - are in play. - - name: sensor - overwrite: true - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS - based devices - - name: sig_id - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - overwrite: true - type: keyword - description: 'This key is used for Physical or logical port connection but does - NOT include a network port. (Example: Printer port name).' - - name: rule_group - overwrite: true - type: keyword - description: This key captures the Rule group name - - name: risk_num - overwrite: true - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - overwrite: true - type: keyword - description: This key captures the Value of the trigger or threshold condition. - - name: log_session_id1 - overwrite: true - type: keyword - description: This key is used to capture a Linked (Related) Session ID from - the session directly - - name: comp_version - overwrite: true - type: keyword - description: This key captures the Version level of a sub-component of a product. 
- - name: content_version - overwrite: true - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - overwrite: true - type: keyword - description: This key is used to capture unique identifier for a device or system - (NOT a Mac address) - - name: risk - overwrite: true - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - overwrite: true - type: keyword - - name: reason - overwrite: true - type: keyword - - name: status - overwrite: true - type: keyword - - name: mail_id - overwrite: true - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - overwrite: true - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - overwrite: true - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - overwrite: true - type: keyword - - name: p_msgid - overwrite: true - type: keyword - - name: data_type - overwrite: true - type: keyword - - name: msgIdPart4 - overwrite: true - type: keyword - - name: error - overwrite: true - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - overwrite: true - type: keyword - - name: listnum - overwrite: true - type: keyword - description: This key is used to capture listname or listnumber, primarily for - collecting access-list - - name: ntype - overwrite: true - type: keyword - - name: observed_val - overwrite: true - type: keyword - description: This key captures the Value observed (from the perspective of the - device generating the log). - - name: policy_value - overwrite: true - type: keyword - description: This key captures the contents of the policy. 
This contains details - about the policy - - name: pool_name - overwrite: true - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - overwrite: true - type: keyword - description: A default set of parameters which are overlayed onto a rule (or - rulename) which efffectively constitutes a template - - name: count - overwrite: true - type: keyword - - name: number - overwrite: true - type: keyword - - name: sigcat - overwrite: true - type: keyword - - name: type - overwrite: true - type: keyword - - name: comments - overwrite: true - type: keyword - description: Comment information provided in the log message - - name: doc_number - overwrite: true - type: long - description: This key captures File Identification number - - name: expected_val - overwrite: true - type: keyword - description: This key captures the Value expected (from the perspective of the - device generating the log). - - name: job_num - overwrite: true - type: keyword - description: This key captures the Job Number - - name: spi_dst - overwrite: true - type: keyword - description: Destination SPI Index - - name: spi_src - overwrite: true - type: keyword - description: Source SPI Index - - name: code - overwrite: true - type: keyword - - name: agent_id - overwrite: true - type: keyword - description: This key is used to capture agent id - - name: message_body - overwrite: true - type: keyword - description: This key captures the The contents of the message body. - - name: phone - overwrite: true - type: keyword - - name: sig_id_str - overwrite: true - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - overwrite: true - type: keyword - - name: misc - overwrite: true - type: keyword - - name: name - overwrite: true - type: keyword - - name: cpu - overwrite: true - type: long - description: This key is the CPU time used in the execution of the event being - recorded. 
- - name: event_desc - overwrite: true - type: keyword - description: This key is used to capture a description of an event available - directly or inferred - - name: sig_id1 - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID. This must be linked - to the sig.id - - name: im_buddyid - overwrite: true - type: keyword - - name: im_client - overwrite: true - type: keyword - - name: im_userid - overwrite: true - type: keyword - - name: pid - overwrite: true - type: keyword - - name: priority - overwrite: true - type: keyword - - name: context_subject - overwrite: true - type: keyword - description: This key is to be used in an audit context where the subject is - the object being identified - - name: context_target - overwrite: true - type: keyword - - name: cve - overwrite: true - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - - an identifier for known information security vulnerabilities. - - name: fcatnum - overwrite: true - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - overwrite: true - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - overwrite: true - type: keyword - description: This key captures the Parent Node Name. Must be related to node - variable. - - name: risk_info - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - overwrite: true - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - overwrite: true - type: long - description: This key describes the type of service - - name: vm_target - overwrite: true - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - overwrite: true - type: keyword - description: This key captures Workspace Description - - name: command - overwrite: true - type: keyword - - name: event_category - overwrite: true - type: keyword - - name: facilityname - overwrite: true - type: keyword - - name: forensic_info - overwrite: true - type: keyword - - name: jobname - overwrite: true - type: keyword - - name: mode - overwrite: true - type: keyword - - name: policy - overwrite: true - type: keyword - - name: policy_waiver - overwrite: true - type: keyword - - name: second - overwrite: true - type: keyword - - name: space1 - overwrite: true - type: keyword - - name: subcategory - overwrite: true - type: keyword - - name: tbdstr2 - overwrite: true - type: keyword - - name: alert_id - overwrite: true - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the the target - entity such as a process or file. - - name: checksum_src - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the source - entity such as a file or process. 
- - name: fresult - overwrite: true - type: long - description: This key captures the Filter Result - - name: payload_dst - overwrite: true - type: keyword - description: This key is used to capture destination payload - - name: payload_src - overwrite: true - type: keyword - description: This key is used to capture source payload - - name: pool_id - overwrite: true - type: keyword - description: This key captures the identifier (typically numeric field) of a - resource pool - - name: process_id_val - overwrite: true - type: keyword - description: This key is a failure key for Process ID when it is not an integer - value - - name: risk_num_comm - overwrite: true - type: double - description: This key captures Risk Number Community - - name: risk_num_next - overwrite: true - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - overwrite: true - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - overwrite: true - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - overwrite: true - type: keyword - description: SNMP Object Identifier - - name: sql - overwrite: true - type: keyword - description: This key captures the SQL query - - name: vuln_ref - overwrite: true - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - overwrite: true - type: keyword - - name: acl_op - overwrite: true - type: keyword - - name: acl_pos - overwrite: true - type: keyword - - name: acl_table - overwrite: true - type: keyword - - name: admin - overwrite: true - type: keyword - - name: alarm_id - overwrite: true - type: keyword - - name: alarmname - 
overwrite: true - type: keyword - - name: app_id - overwrite: true - type: keyword - - name: audit - overwrite: true - type: keyword - - name: audit_object - overwrite: true - type: keyword - - name: auditdata - overwrite: true - type: keyword - - name: benchmark - overwrite: true - type: keyword - - name: bypass - overwrite: true - type: keyword - - name: cache - overwrite: true - type: keyword - - name: cache_hit - overwrite: true - type: keyword - - name: cefversion - overwrite: true - type: keyword - - name: cfg_attr - overwrite: true - type: keyword - - name: cfg_obj - overwrite: true - type: keyword - - name: cfg_path - overwrite: true - type: keyword - - name: changes - overwrite: true - type: keyword - - name: client_ip - overwrite: true - type: keyword - - name: clustermembers - overwrite: true - type: keyword - - name: cn_acttimeout - overwrite: true - type: keyword - - name: cn_asn_src - overwrite: true - type: keyword - - name: cn_bgpv4nxthop - overwrite: true - type: keyword - - name: cn_ctr_dst_code - overwrite: true - type: keyword - - name: cn_dst_tos - overwrite: true - type: keyword - - name: cn_dst_vlan - overwrite: true - type: keyword - - name: cn_engine_id - overwrite: true - type: keyword - - name: cn_engine_type - overwrite: true - type: keyword - - name: cn_f_switch - overwrite: true - type: keyword - - name: cn_flowsampid - overwrite: true - type: keyword - - name: cn_flowsampintv - overwrite: true - type: keyword - - name: cn_flowsampmode - overwrite: true - type: keyword - - name: cn_inacttimeout - overwrite: true - type: keyword - - name: cn_inpermbyts - overwrite: true - type: keyword - - name: cn_inpermpckts - overwrite: true - type: keyword - - name: cn_invalid - overwrite: true - type: keyword - - name: cn_ip_proto_ver - overwrite: true - type: keyword - - name: cn_ipv4_ident - overwrite: true - type: keyword - - name: cn_l_switch - overwrite: true - type: keyword - - name: cn_log_did - overwrite: true - type: keyword - - name: 
cn_log_rid - overwrite: true - type: keyword - - name: cn_max_ttl - overwrite: true - type: keyword - - name: cn_maxpcktlen - overwrite: true - type: keyword - - name: cn_min_ttl - overwrite: true - type: keyword - - name: cn_minpcktlen - overwrite: true - type: keyword - - name: cn_mpls_lbl_1 - overwrite: true - type: keyword - - name: cn_mpls_lbl_10 - overwrite: true - type: keyword - - name: cn_mpls_lbl_2 - overwrite: true - type: keyword - - name: cn_mpls_lbl_3 - overwrite: true - type: keyword - - name: cn_mpls_lbl_4 - overwrite: true - type: keyword - - name: cn_mpls_lbl_5 - overwrite: true - type: keyword - - name: cn_mpls_lbl_6 - overwrite: true - type: keyword - - name: cn_mpls_lbl_7 - overwrite: true - type: keyword - - name: cn_mpls_lbl_8 - overwrite: true - type: keyword - - name: cn_mpls_lbl_9 - overwrite: true - type: keyword - - name: cn_mplstoplabel - overwrite: true - type: keyword - - name: cn_mplstoplabip - overwrite: true - type: keyword - - name: cn_mul_dst_byt - overwrite: true - type: keyword - - name: cn_mul_dst_pks - overwrite: true - type: keyword - - name: cn_muligmptype - overwrite: true - type: keyword - - name: cn_sampalgo - overwrite: true - type: keyword - - name: cn_sampint - overwrite: true - type: keyword - - name: cn_seqctr - overwrite: true - type: keyword - - name: cn_spackets - overwrite: true - type: keyword - - name: cn_src_tos - overwrite: true - type: keyword - - name: cn_src_vlan - overwrite: true - type: keyword - - name: cn_sysuptime - overwrite: true - type: keyword - - name: cn_template_id - overwrite: true - type: keyword - - name: cn_totbytsexp - overwrite: true - type: keyword - - name: cn_totflowexp - overwrite: true - type: keyword - - name: cn_totpcktsexp - overwrite: true - type: keyword - - name: cn_unixnanosecs - overwrite: true - type: keyword - - name: cn_v6flowlabel - overwrite: true - type: keyword - - name: cn_v6optheaders - overwrite: true - type: keyword - - name: comp_class - overwrite: true - type: 
keyword - - name: comp_name - overwrite: true - type: keyword - - name: comp_rbytes - overwrite: true - type: keyword - - name: comp_sbytes - overwrite: true - type: keyword - - name: cpu_data - overwrite: true - type: keyword - - name: criticality - overwrite: true - type: keyword - - name: cs_agency_dst - overwrite: true - type: keyword - - name: cs_analyzedby - overwrite: true - type: keyword - - name: cs_av_other - overwrite: true - type: keyword - - name: cs_av_primary - overwrite: true - type: keyword - - name: cs_av_secondary - overwrite: true - type: keyword - - name: cs_bgpv6nxthop - overwrite: true - type: keyword - - name: cs_bit9status - overwrite: true - type: keyword - - name: cs_context - overwrite: true - type: keyword - - name: cs_control - overwrite: true - type: keyword - - name: cs_data - overwrite: true - type: keyword - - name: cs_datecret - overwrite: true - type: keyword - - name: cs_dst_tld - overwrite: true - type: keyword - - name: cs_eth_dst_ven - overwrite: true - type: keyword - - name: cs_eth_src_ven - overwrite: true - type: keyword - - name: cs_event_uuid - overwrite: true - type: keyword - - name: cs_filetype - overwrite: true - type: keyword - - name: cs_fld - overwrite: true - type: keyword - - name: cs_if_desc - overwrite: true - type: keyword - - name: cs_if_name - overwrite: true - type: keyword - - name: cs_ip_next_hop - overwrite: true - type: keyword - - name: cs_ipv4dstpre - overwrite: true - type: keyword - - name: cs_ipv4srcpre - overwrite: true - type: keyword - - name: cs_lifetime - overwrite: true - type: keyword - - name: cs_log_medium - overwrite: true - type: keyword - - name: cs_loginname - overwrite: true - type: keyword - - name: cs_modulescore - overwrite: true - type: keyword - - name: cs_modulesign - overwrite: true - type: keyword - - name: cs_opswatresult - overwrite: true - type: keyword - - name: cs_payload - overwrite: true - type: keyword - - name: cs_registrant - overwrite: true - type: keyword - - 
name: cs_registrar - overwrite: true - type: keyword - - name: cs_represult - overwrite: true - type: keyword - - name: cs_rpayload - overwrite: true - type: keyword - - name: cs_sampler_name - overwrite: true - type: keyword - - name: cs_sourcemodule - overwrite: true - type: keyword - - name: cs_streams - overwrite: true - type: keyword - - name: cs_targetmodule - overwrite: true - type: keyword - - name: cs_v6nxthop - overwrite: true - type: keyword - - name: cs_whois_server - overwrite: true - type: keyword - - name: cs_yararesult - overwrite: true - type: keyword - - name: description - overwrite: true - type: keyword - - name: devvendor - overwrite: true - type: keyword - - name: distance - overwrite: true - type: keyword - - name: dstburb - overwrite: true - type: keyword - - name: edomain - overwrite: true - type: keyword - - name: edomaub - overwrite: true - type: keyword - - name: euid - overwrite: true - type: keyword - - name: facility - overwrite: true - type: keyword - - name: finterface - overwrite: true - type: keyword - - name: flags - overwrite: true - type: keyword - - name: gaddr - overwrite: true - type: keyword - - name: id3 - overwrite: true - type: keyword - - name: im_buddyname - overwrite: true - type: keyword - - name: im_croomid - overwrite: true - type: keyword - - name: im_croomtype - overwrite: true - type: keyword - - name: im_members - overwrite: true - type: keyword - - name: im_username - overwrite: true - type: keyword - - name: ipkt - overwrite: true - type: keyword - - name: ipscat - overwrite: true - type: keyword - - name: ipspri - overwrite: true - type: keyword - - name: latitude - overwrite: true - type: keyword - - name: linenum - overwrite: true - type: keyword - - name: list_name - overwrite: true - type: keyword - - name: load_data - overwrite: true - type: keyword - - name: location_floor - overwrite: true - type: keyword - - name: location_mark - overwrite: true - type: keyword - - name: log_id - overwrite: true - 
type: keyword - - name: log_type - overwrite: true - type: keyword - - name: logid - overwrite: true - type: keyword - - name: logip - overwrite: true - type: keyword - - name: logname - overwrite: true - type: keyword - - name: longitude - overwrite: true - type: keyword - - name: lport - overwrite: true - type: keyword - - name: mbug_data - overwrite: true - type: keyword - - name: misc_name - overwrite: true - type: keyword - - name: msg_type - overwrite: true - type: keyword - - name: msgid - overwrite: true - type: keyword - - name: netsessid - overwrite: true - type: keyword - - name: num - overwrite: true - type: keyword - - name: number1 - overwrite: true - type: keyword - - name: number2 - overwrite: true - type: keyword - - name: nwwn - overwrite: true - type: keyword - - name: object - overwrite: true - type: keyword - - name: operation - overwrite: true - type: keyword - - name: opkt - overwrite: true - type: keyword - - name: orig_from - overwrite: true - type: keyword - - name: owner_id - overwrite: true - type: keyword - - name: p_action - overwrite: true - type: keyword - - name: p_filter - overwrite: true - type: keyword - - name: p_group_object - overwrite: true - type: keyword - - name: p_id - overwrite: true - type: keyword - - name: p_msgid1 - overwrite: true - type: keyword - - name: p_msgid2 - overwrite: true - type: keyword - - name: p_result1 - overwrite: true - type: keyword - - name: password_chg - overwrite: true - type: keyword - - name: password_expire - overwrite: true - type: keyword - - name: permgranted - overwrite: true - type: keyword - - name: permwanted - overwrite: true - type: keyword - - name: pgid - overwrite: true - type: keyword - - name: policyUUID - overwrite: true - type: keyword - - name: prog_asp_num - overwrite: true - type: keyword - - name: program - overwrite: true - type: keyword - - name: real_data - overwrite: true - type: keyword - - name: rec_asp_device - overwrite: true - type: keyword - - name: rec_asp_num 
- overwrite: true - type: keyword - - name: rec_library - overwrite: true - type: keyword - - name: recordnum - overwrite: true - type: keyword - - name: ruid - overwrite: true - type: keyword - - name: sburb - overwrite: true - type: keyword - - name: sdomain_fld - overwrite: true - type: keyword - - name: sec - overwrite: true - type: keyword - - name: sensorname - overwrite: true - type: keyword - - name: seqnum - overwrite: true - type: keyword - - name: session - overwrite: true - type: keyword - - name: sessiontype - overwrite: true - type: keyword - - name: sigUUID - overwrite: true - type: keyword - - name: spi - overwrite: true - type: keyword - - name: srcburb - overwrite: true - type: keyword - - name: srcdom - overwrite: true - type: keyword - - name: srcservice - overwrite: true - type: keyword - - name: state - overwrite: true - type: keyword - - name: status1 - overwrite: true - type: keyword - - name: svcno - overwrite: true - type: keyword - - name: system - overwrite: true - type: keyword - - name: tbdstr1 - overwrite: true - type: keyword - - name: tgtdom - overwrite: true - type: keyword - - name: tgtdomain - overwrite: true - type: keyword - - name: threshold - overwrite: true - type: keyword - - name: type1 - overwrite: true - type: keyword - - name: udb_class - overwrite: true - type: keyword - - name: url_fld - overwrite: true - type: keyword - - name: user_div - overwrite: true - type: keyword - - name: userid - overwrite: true - type: keyword - - name: username_fld - overwrite: true - type: keyword - - name: utcstamp - overwrite: true - type: keyword - - name: v_instafname - overwrite: true - type: keyword - - name: virt_data - overwrite: true - type: keyword - - name: vpnid - overwrite: true - type: keyword - - name: autorun_type - overwrite: true - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - overwrite: true - type: long - description: Valid Credit Card Numbers only - - name: content - 
overwrite: true - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - overwrite: true - type: long - description: Employee Identification Numbers only - - name: found - overwrite: true - type: keyword - description: This is used to capture the results of regex match - - name: language - overwrite: true - type: keyword - description: This is used to capture list of languages the client support and - what it prefers - - name: lifetime - overwrite: true - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - overwrite: true - type: keyword - description: This key is used to link the sessions together. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: match - overwrite: true - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - overwrite: true - type: keyword - description: This key captures the command line/launch argument of the target - process or file - - name: param_src - overwrite: true - type: keyword - description: This key captures source parameter - - name: search_text - overwrite: true - type: keyword - description: This key captures the Search Text used - - name: sig_name - overwrite: true - type: keyword - description: This key is used to capture the Signature Name only. - - name: snmp_value - overwrite: true - type: keyword - description: SNMP set request value - - name: streams - overwrite: true - type: long - description: This key captures number of streams in session - - name: db - overwrite: true - type: group - fields: - - name: index - overwrite: true - type: keyword - description: This key captures IndexID of the index. 
- - name: instance - overwrite: true - type: keyword - description: This key is used to capture the database server instance name - - name: database - overwrite: true - type: keyword - description: This key is used to capture the name of a database or an instance - as seen in a session - - name: transact_id - overwrite: true - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - overwrite: true - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - overwrite: true - type: keyword - description: This key is used to capture the table name - - name: db_id - overwrite: true - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - overwrite: true - type: long - description: This key captures the process id of a connection with database - server - - name: lread - overwrite: true - type: long - description: This key is used for the number of logical reads - - name: lwrite - overwrite: true - type: long - description: This key is used for the number of logical writes - - name: pread - overwrite: true - type: long - description: This key is used for the number of physical writes - - name: network - overwrite: true - type: group - fields: - - name: alias_host - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a hostname is not clear.Also it captures the Device Hostname. Any Hostname - that isnt ad.computer. 
- - name: domain - overwrite: true - type: keyword - - name: host_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Hostname" - - name: network_service - overwrite: true - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of an interface is not clear - - name: network_port - overwrite: true - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently - used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - overwrite: true - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Interface" - - name: dinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Interface" - - name: vlan - overwrite: true - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Zone." - - name: zone - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a Zone is not clear - - name: zone_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Zone." - - name: gateway - overwrite: true - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - overwrite: true - type: long - description: This key is used to capture the ICMP type only - - name: mask - overwrite: true - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - overwrite: true - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - overwrite: true - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - overwrite: true - type: keyword - description: This key is used for Destionation Device network mask - - name: port - overwrite: true - type: long - description: This key should only be used to capture a Network Port when the - directionality is not clear - - name: smask - overwrite: true - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - overwrite: true - type: keyword - description: This key is used to capture the network name associated with an - IP range. This is configured by the end user. - - name: paddr - overwrite: true - type: ip - description: Deprecated - - name: faddr - overwrite: true - type: keyword - - name: lhost - overwrite: true - type: keyword - - name: origin - overwrite: true - type: keyword - - name: remote_domain_id - overwrite: true - type: keyword - - name: addr - overwrite: true - type: keyword - - name: dns_a_record - overwrite: true - type: keyword - - name: dns_ptr_record - overwrite: true - type: keyword - - name: fhost - overwrite: true - type: keyword - - name: fport - overwrite: true - type: keyword - - name: laddr - overwrite: true - type: keyword - - name: linterface - overwrite: true - type: keyword - - name: phost - overwrite: true - type: keyword - - name: ad_computer_dst - overwrite: true - type: keyword - description: Deprecated, use host.dst - - name: eth_type - overwrite: true - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols - Only - - name: ip_proto - overwrite: true - type: long - description: This key should be used to capture the Protocol number, all the - protocol nubers are converted into string in UI - - name: dns_cname_record - overwrite: true - 
type: keyword - - name: dns_id - overwrite: true - type: keyword - - name: dns_opcode - overwrite: true - type: keyword - - name: dns_resp - overwrite: true - type: keyword - - name: dns_type - overwrite: true - type: keyword - - name: domain1 - overwrite: true - type: keyword - - name: host_type - overwrite: true - type: keyword - - name: packet_length - overwrite: true - type: keyword - - name: host_orig - overwrite: true - type: keyword - description: This is used to capture the original hostname in case of a Forwarding - Agent or a Proxy in between. - - name: rpayload - overwrite: true - type: keyword - description: This key is used to capture the total number of payload bytes seen - in the retransmitted packets. - - name: vlan_name - overwrite: true - type: keyword - description: This key should only be used to capture the name of the Virtual - LAN - - name: investigations - overwrite: true - type: group - fields: - - name: ec_activity - overwrite: true - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - overwrite: true - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - overwrite: true - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - overwrite: true - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - overwrite: true - type: long - description: This key captures the Event category number - - name: event_cat_name - overwrite: true - type: keyword - description: This key captures the event category name corresponding to the - event cat code - - name: event_vcat - overwrite: true - type: keyword - description: This is a vendor supplied category. This should be used in situations - where the vendor has adopted their own event_category taxonomy. 
- - name: analysis_file - overwrite: true - type: keyword - description: This is used to capture all indicators used in a File Analysis. - This key should be used to capture an analysis of a file - - name: analysis_service - overwrite: true - type: keyword - description: This is used to capture all indicators used in a Service Analysis. - This key should be used to capture an analysis of a service - - name: analysis_session - overwrite: true - type: keyword - description: This is used to capture all indicators used for a Session Analysis. - This key should be used to capture an analysis of a session - - name: boc - overwrite: true - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - overwrite: true - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - overwrite: true - type: keyword - description: This used to capture investigation category - - name: inv_context - overwrite: true - type: keyword - description: This used to capture investigation context - - name: ioc - overwrite: true - type: keyword - description: This is key capture indicator of compromise - - name: counters - overwrite: true - type: group - fields: - - name: dclass_c1 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c1.str only - - name: dclass_c2 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c2.str only - - name: event_counter - overwrite: true - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r1.str only - - name: dclass_c3 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c3.str only - - name: dclass_c1_str - 
overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c1 only - - name: dclass_c2_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c2 only - - name: dclass_r1_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r1 only - - name: dclass_r2 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r2.str only - - name: dclass_c3_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c3 only - - name: dclass_r3 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r3.str only - - name: dclass_r2_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r2 only - - name: dclass_r3_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r3 only - - name: identity - overwrite: true - type: group - fields: - - name: auth_method - overwrite: true - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - overwrite: true - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - overwrite: true - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - overwrite: true - type: keyword - description: This key is used to capture the type of logon method used. 
- - name: profile - overwrite: true - type: keyword - description: This key is used to capture the user profile - - name: accesses - overwrite: true - type: keyword - description: This key is used to capture actual privileges used in accessing - an object - - name: realm - overwrite: true - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - overwrite: true - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that - indicates a Source dn - - name: org - overwrite: true - type: keyword - description: This key captures the User organization - - name: dn_dst - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that - indicates a Destination dn - - name: firstname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: lastname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: user_dept - overwrite: true - type: keyword - description: User's Department Names only - - name: user_sid_src - overwrite: true - type: keyword - description: This key captures Source User Session ID - - name: federated_sp - overwrite: true - type: keyword - description: This key is the Federated Service Provider. This is the application - requesting authentication. - - name: federated_idp - overwrite: true - type: keyword - description: This key is the federated Identity Provider. This is the server - providing the authentication. - - name: logon_type_desc - overwrite: true - type: keyword - description: This key is used to capture the textual description of an integer - logon type as stored in the meta key 'logon.type'. 
- - name: middlename - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: password - overwrite: true - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - overwrite: true - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - overwrite: true - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ - t have a clear query or response context" - - name: ldap_query - overwrite: true - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - overwrite: true - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - overwrite: true - type: keyword - description: This is used to capture username the process or service is running - as, the author of the task - - name: service_account - overwrite: true - type: keyword - description: This key is a windows specific key, used for capturing name of - the account a service (referenced in the event) is running under. Legacy Usage - - name: email - overwrite: true - type: group - fields: - - name: email_dst - overwrite: true - type: keyword - description: This key is used to capture the Destination email address only, - when the destination context is not clear use email - - name: email_src - overwrite: true - type: keyword - description: This key is used to capture the source email address only, when - the source context is not clear use email - - name: subject - overwrite: true - type: keyword - description: This key is used to capture the subject string from an Email only. 
- - name: email - overwrite: true - type: keyword - description: This key is used to capture a generic email address where the source - or destination context is not clear - - name: trans_from - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: file - overwrite: true - type: group - fields: - - name: privilege - overwrite: true - type: keyword - description: Deprecated, use permissions - - name: attachment - overwrite: true - type: keyword - description: This key captures the attachment file name - - name: filesystem - overwrite: true - type: keyword - - name: binary - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: filename_dst - overwrite: true - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - overwrite: true - type: keyword - description: This is used to capture name of the parent filename, the file which - performed the action - - name: filename_tmp - overwrite: true - type: keyword - - name: directory_dst - overwrite: true - type: keyword - description: This key is used to capture the directory of the target process - or file - - name: directory_src - overwrite: true - type: keyword - description: This key is used to capture the directory of the source process - or file - - name: file_entropy - overwrite: true - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - overwrite: true - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - overwrite: true - type: keyword - description: This is used to capture name of the task - - name: web - overwrite: true - type: group - fields: - - name: fqdn - overwrite: true - type: keyword - description: Fully Qualified Domain Names - - 
name: web_cookie - overwrite: true - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - overwrite: true - type: keyword - - name: reputation_num - overwrite: true - type: double - description: Reputation Number of an entity. Typically used for Web Domains - - name: web_ref_domain - overwrite: true - type: keyword - description: Web referer's domain - - name: web_ref_query - overwrite: true - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - overwrite: true - type: keyword - - name: web_ref_page - overwrite: true - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - overwrite: true - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - overwrite: true - type: keyword - - name: cn_rpackets - overwrite: true - type: keyword - - name: urlpage - overwrite: true - type: keyword - - name: urlroot - overwrite: true - type: keyword - - name: p_url - overwrite: true - type: keyword - - name: p_user_agent - overwrite: true - type: keyword - - name: p_web_cookie - overwrite: true - type: keyword - - name: p_web_method - overwrite: true - type: keyword - - name: p_web_referer - overwrite: true - type: keyword - - name: web_extension_tmp - overwrite: true - type: keyword - - name: web_page - overwrite: true - type: keyword - - name: threat - overwrite: true - type: group - fields: - - name: threat_category - overwrite: true - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of - alert - - name: threat_desc - overwrite: true - type: keyword - description: This key is used to capture the threat description from the session - directly or inferred - - name: alert - overwrite: true - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - overwrite: true - type: keyword - description: This key is used to 
capture source of the threat - - name: crypto - overwrite: true - type: group - fields: - - name: crypto - overwrite: true - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key - only - - name: cipher_src - overwrite: true - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - overwrite: true - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - overwrite: true - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - overwrite: true - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - overwrite: true - type: keyword - description: IKE negotiation phase. - - name: scheme - overwrite: true - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - overwrite: true - type: keyword - description: "This key is for Encryption peer\u2019s identity" - - name: sig_type - overwrite: true - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - overwrite: true - type: keyword - - name: cert_host_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: cert_error - overwrite: true - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - overwrite: true - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - overwrite: true - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - overwrite: true - type: keyword - description: Deprecated, use version - - name: d_certauth - overwrite: true - type: keyword - - name: s_certauth - overwrite: true - type: keyword - - name: ike_cookie1 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - - name: ike_cookie2 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - - name: cert_checksum - overwrite: true - type: keyword - - name: cert_host_cat - overwrite: true - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - overwrite: true - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - overwrite: true - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - overwrite: true - type: keyword - description: Deprecated, use version - - name: cert_keysize - overwrite: true - type: keyword - - name: cert_username - overwrite: true - type: keyword - - name: https_insact - overwrite: true - type: keyword - - name: https_valid - overwrite: true - type: keyword - - name: cert_ca - overwrite: true - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - overwrite: true - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - overwrite: true - type: group - fields: - - name: wlan_ssid - overwrite: true - type: keyword - description: This key is 
used to capture the ssid of a Wireless Session - - name: access_point - overwrite: true - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - overwrite: true - type: long - description: This is used to capture the channel names - - name: wlan_name - overwrite: true - type: keyword - description: This key captures either WLAN number/name - - name: storage - overwrite: true - type: group - fields: - - name: disk_volume - overwrite: true - type: keyword - description: A unique name assigned to logical units (volumes) within a physical - disk - - name: lun - overwrite: true - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - overwrite: true - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - overwrite: true - type: group - fields: - - name: org_dst - overwrite: true - type: keyword - description: This is used to capture the destination organization based on the - GEOPIP Maxmind database. - - name: org_src - overwrite: true - type: keyword - description: This is used to capture the source organization based on the GEOPIP - Maxmind database. 
- - name: healthcare - overwrite: true - type: group - fields: - - name: patient_fname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_id - overwrite: true - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_mname - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: endpoint - overwrite: true - type: group - fields: - - name: host_state - overwrite: true - type: keyword - description: This key is used to capture the current state of the machine, such - as blacklisted, infected, firewall - disabled and so on - - name: registry_key - overwrite: true - type: keyword - description: This key captures the path to the registry key - - name: registry_value - overwrite: true - type: keyword - description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/sophos/utm/config/input.yml b/x-pack/filebeat/module/sophos/utm/config/input.yml deleted file mode 100644 index 75119fa4920..00000000000 --- a/x-pack/filebeat/module/sophos/utm/config/input.yml +++ /dev/null 
@@ -1,87 +0,0 @@
-{{ if eq .input "file" }}
-
-type: log
-paths:
- {{ range $i, $path := .paths }}
-- {{$path}}
- {{ end }}
-exclude_files: [".gz$"]
-
-{{ else }}
-
-type: {{.input}}
-host: "{{.syslog_host}}:{{.syslog_port}}"
-
-{{ end }}
-
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
-
-fields_under_root: true
-fields:
- observer:
- vendor: "Sophos"
- product: "UTM"
- type: "Firewall"
-
-processors:
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{.rsa_fields}}
- tz_offset: {{.tz_offset}}
- keep_raw: {{.keep_raw_fields}}
- debug: {{.debug}}
- files:
- - ${path.home}/module/sophos/utm/config/liblogparser.js
- - ${path.home}/module/sophos/utm/config/pipeline.js
-{{ if .community_id }}
-- community_id: ~
-{{ end }}
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: dns.question.name
- target_field: dns.question.registered_domain
- target_subdomain_field: dns.question.subdomain
- target_etld_field: dns.question.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: client.domain
- target_field: client.registered_domain
- target_subdomain_field: client.subdomain
- target_etld_field: client.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: server.domain
- target_field: server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/sophos/utm/config/liblogparser.js b/x-pack/filebeat/module/sophos/utm/config/liblogparser.js
deleted file mode 100644
index b35eaa3ddce..00000000000
--- a/x-pack/filebeat/module/sophos/utm/config/liblogparser.js
+++ /dev/null
@@ -1,2514 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -/* jshint -W014,-W016,-W097,-W116 */ - -var processor = require("processor"); -var console = require("console"); - -var FLAG_FIELD = "log.flags"; -var FIELDS_OBJECT = "nwparser"; -var FIELDS_PREFIX = FIELDS_OBJECT + "."; - -var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true -}; - -var saved_flags = null; -var debug; -var map_ecs; -var map_rsa; -var keep_raw; -var device; -var tz_offset; -var strip_priority; - -// Register params from configuration. -function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); -} - -function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } -} - -function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); -} - -function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); -} - -function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; -} - -function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; -} - -function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; -} - -var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); -})(); - -function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; -} - -function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } -} - -function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; -} - -function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; -} - -function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; -} - -function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; -} - -var start; - -function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); -} - -function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); -} - -function constant(value) { - return function (evt) { - return value; - }; -} - -function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; -} - -function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; -} - -// TODO: Implement -function DIRCHK(args) { - unimplemented("DIRCHK"); -} - -function strictToInt(str) { - return str * 1; -} - -function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - var result; - switch 
(args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; -} - -var quoteChars = "\"'`"; -function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; -} - -function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; -} - -function nop(evt) { -} - -function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); -} - -function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); -} - -function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; -} - -function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); -} - -function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; -} - -function setc(dst, value) { - return function (evt) { - evt.Put(FIELDS_PREFIX + dst, value); - }; 
-} - -function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; -} - -function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; -} - -function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; -} - -function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; -} - -// Make two-digit dates 00-69 interpreted as 2000-2069 -// and dates 70-99 translated to 1970-1999. -var twoDigitYearEpoch = 70; -var twoDigitYearCentury = 2000; - -// This is to accept dates up to 2 days in the future, only used when -// no year is specified in a date. 2 days should be enough to account for -// time differences between systems and different tz offsets. -var maxFutureDelta = 2*24*60*60*1000; - -// DateContainer stores date fields and then converts those fields into -// a Date. Necessary because building a Date using its set() methods gives -// different results depending on the order of components. -function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; -} - -DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } -} - -function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; -} - -function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; -} - -function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; -} - -var uA = 60 * 60 * 24; -var uD = 60 * 60 * 24; -var uF = 60 * 60; -var uG = 60 * 60 * 24 * 30; -var uH = 60 * 60; -var uI = 60 * 60; -var uJ = 60 * 60 * 24; -var uM = 60 * 60 * 24 * 30; -var uN = 60 * 60; -var uO = 1; -var uS = 1; -var uT = 60; -var uU = 60; -var uc = dc; - -function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; -} - -function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 5], - "dec": [11, 4], 
-}; - -// var dC = undefined; -var dR = dateMonthName(true); -var dB = dateMonthName(false); -var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); -var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); -var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); -var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); -var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); -var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 -var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); -var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); -var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); -var dP = parseAMPM; // AM|PM -var dQ = parseAMPM; // A.M.|P.M -var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); -var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); -var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); -var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); -var dZ = parseHMS; -var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - -// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. -// Only works if this modifier appears after the hour has been read from logs -// which is always the case in the 300 devices. 
-function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; -} - -function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); -} - -function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; -} - -function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; -} - -function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; -} - -function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; -} - -function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; -} - -// Short month name (Jan..Dec). -function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; -} - -function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; -} - -// The following regular expression for parsing URLs from: -// https://github.com/wizard04wsu/URI_Parsing -// -// The MIT License (MIT) -// -// Copyright (c) 2014 Andrew Harrison -// -// Permission is hereby granted, free of charge, to any person obtaining a copy of -// this software and associated documentation files (the "Software"), to deal in -// the Software without restriction, including without limitation the rights to -// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -// the Software, and to permit persons to whom the Software is furnished to do so, -// subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
-var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - -var uriScheme = 1; -var uriDomain = 5; -var uriPort = 6; -var uriPath = 7; -var uriPathAlt = 9; -var uriQuery = 11; - -function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); -} - -function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; -} - -function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; -} - -var extFromPage = /\.[^.]+$/; -function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } -} - -function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); -} - -function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); -} - -var pageFromPathRegExp = /\/([^\/]+)$/; -var pageName = 1; - -function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; -} - -function page(dst, src) { - return url_wrapper(dst, src, extract_page); -} - -function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; -} - -function path(dst, src) { - return url_wrapper(dst, src, extract_path); -} - -// Map common schemes to their default port. -// port has to be a string (will be converted at a later stage). 
-var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", -}; - -function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } -} - -function port(dst, src) { - return url_wrapper(dst, src, extract_port); -} - -function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; -} - -function query(dst, src) { - return url_wrapper(dst, src, extract_query); -} - -function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } -} - -function root(dst, src) { - return url_wrapper(dst, src, extract_root); -} - -function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } -} - -var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
- "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
- "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
- "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
- "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
- "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
- "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
- "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
- "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
- "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
- "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
- "direction": {to:[{field: "network.direction", setter: fld_set}]},
- "directory": {to:[{field: "file.directory", setter: fld_set}]},
- "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
- "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
- "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
- "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
- "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
- 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
- "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
- "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
- "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
- "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
- "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
- "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
- "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
- "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
- "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
- "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
- "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
- "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
- "filepath": {to:[{field: "file.path", setter: fld_set}]},
- "filetype": {to:[{field: "file.type", setter: fld_set}]},
- "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
- "group": {to:[{field: "group.name", setter: fld_set}]},
- "groupid": {to:[{field: "group.id", setter: fld_set}]},
- "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]},
- "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
- "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
- "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
- "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
- "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
- "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
- "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
- "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
- "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
- "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
- "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
- "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
- "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
- "method": {to:[{field: "http.request.method", setter: fld_set}]},
- "msg": {to:[{field: "message", setter: fld_set}]},
- "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
- "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
- "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
- "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
- "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
- "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
- "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
- "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
- "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
- "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
- "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
- "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
- "product": {to:[{field: "observer.product", setter: fld_set}]},
- "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
- "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
- "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
- "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
- "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]},
- "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
- "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
- "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
- "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
- "severity": {to:[{field: "log.level", setter: fld_set}]},
- "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
- "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
- "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
- "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
- "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
- "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
- "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
- "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
- "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
- "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
- "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
- "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
- "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
-};
-
-var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
- "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
- "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
- "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
- "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
- "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
- "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
- "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
- "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
- "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
- "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
- "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
- "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
- "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
- "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
- "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
- "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
- "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
- "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
- "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
- "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
- "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
- "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
- "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
- "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
- "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]},
- "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
- "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
- "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
- "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
- "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
- "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
- "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
- "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
- "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
- "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
- "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
- "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
- "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
- "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
- "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
- "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
- "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
- "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
- "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
- "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
- "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
- "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
- "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
- "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
- "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
- "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
- "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
- "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
- "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
- "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
- "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
- "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
- "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
- "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
- "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
- "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
- "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
- "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
- "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
- "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
- "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
- "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
- "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
- "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
- "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
- "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
- "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
- "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
- "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
- "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
- "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
- "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]},
- "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
- "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
- "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
- "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
- "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
- "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
- "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
- "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
- "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
- "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
- "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
- "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
- "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
- "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
- "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
- "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
- "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
- "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
- "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
- "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
- "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
- "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
- "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
- "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
- "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
- "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]},
- "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
- "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
- "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
- "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
- "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
- "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
- "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
- "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
- "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
- "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
- "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
- "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
- "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
- "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
- "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
- "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
- "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
- "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
- "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
- "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
- "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
- "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
- "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
- "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
- "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
- "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
- 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
- "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
- "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
- "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
- "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
- "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
- "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
- "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
- "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
- "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
- "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
- "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
- "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
- "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
- "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
- "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
- "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
- "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
- "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
- "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
- "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
- "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
- "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
- "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
- "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
- "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
- "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]},
- "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
- "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
- "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
- "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
- "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
- "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
- "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
- "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
- "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
- "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
- "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
- "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
- "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
- "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
- "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
- "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
- "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
- "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
- "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
- "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
- "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
- "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
- "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
- "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
- "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
- "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
- "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]},
- "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
- "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
- "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
- "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
- "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
- "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
- "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
- "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
- "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
- "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
- "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
- "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
- "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
- "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
- "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
- "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
- "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
- "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
- "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
- "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
- "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
- "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
- "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
- "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
- "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
- "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
- "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
- "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
- "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
- "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
- "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
- "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
- "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
- "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
- "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
- "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
- "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
- "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
- "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
- "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
- "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
- "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
- "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
- "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
- "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
- "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
- "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
- "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
- "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]},
- "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
- "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
- "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
- "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
- "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
- "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
- "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
- "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
- "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
- "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
- "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
- "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
- "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
- "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
- "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
- "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
- "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
- "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
- "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
- "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
- "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
- "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
- "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, -}; - -function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } -} - -// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. -var maxSafeInt = Math.pow(2, 53) - 1; -var minSafeInt = -maxSafeInt; - -function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; -} - -function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); -} - -var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; -var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - -function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; -} - -function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; -} - -function to_double(value) { - return parseFloat(value); -} - -function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; -} - -function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; -} - -function fld_set(dst, value) { - dst[this.field] = { v: value }; -} - -function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } -} - -function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } -} - -var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true -}; - -function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } -} - -function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } -} - -function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); -} - -var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, -]; - -function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - tzOffset = 
evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{hostname->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ - setc("header_id","0001"), -])); - -var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ - setc("header_id","0002"), -])); - -var hdr3 = match("HEADER#2:0003", "message", "%{hfld1->} %{hostname->} reverseproxy: %{payload}", processor_chain([ - setc("header_id","0003"), - setc("messageid","reverseproxy"), -])); - -var hdr4 = match("HEADER#3:0005", "message", "%{hfld1->} %{hostname->} %{messageid}: %{payload}", processor_chain([ - setc("header_id","0005"), -])); - -var hdr5 = match("HEADER#4:0004", "message", "%{hfld1->} %{id}[%{process_id}]: %{payload}", processor_chain([ - setc("header_id","0004"), - setc("messageid","astarosg_TVM"), -])); - -var hdr6 = match("HEADER#5:0006", "message", "device=\"%{product}\" date=%{hdate->} time=%{htime->} timezone=\"%{timezone}\" device_name=\"%{device}\" device_id=%{hardware_id->} log_id=%{id->} %{payload}", processor_chain([ - setc("header_id","0006"), - setc("messageid","Sophos_Firewall"), -])); - -var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - hdr5, - hdr6, -]); - -var part1 = match("MESSAGE#0:named:01", "nwparser.payload", "received control channel command '%{action}'", processor_chain([ - dup1, - dup2, - dup3, -])); - -var msg1 = msg("named:01", part1); - -var part2 = match("MESSAGE#1:named:02", "nwparser.payload", "flushing caches in all views %{disposition}", processor_chain([ - dup1, - dup2, - dup3, -])); - -var msg2 = msg("named:02", part2); - -var part3 = match("MESSAGE#2:named:03", "nwparser.payload", "error (%{result}) resolving '%{dhost}': %{daddr}#%{dport}", processor_chain([ - dup4, - dup2, - dup3, -])); - -var msg3 = msg("named:03", part3); - -var part4 = match("MESSAGE#3:named:04", "nwparser.payload", "received %{action->} signal to %{fld3}", processor_chain([ - 
dup5, - dup2, - dup3, -])); - -var msg4 = msg("named:04", part4); - -var part5 = match("MESSAGE#4:named:05", "nwparser.payload", "loading configuration from '%(unknown)'", processor_chain([ - dup6, - dup2, - dup3, -])); - -var msg5 = msg("named:05", part5); - -var part6 = match("MESSAGE#5:named:06", "nwparser.payload", "no %{protocol->} interfaces found", processor_chain([ - setc("eventcategory","1804000000"), - dup2, - dup3, -])); - -var msg6 = msg("named:06", part6); - -var part7 = match("MESSAGE#6:named:07", "nwparser.payload", "sizing zone task pool based on %{fld3->} zones", processor_chain([ - dup7, - dup2, - dup3, -])); - -var msg7 = msg("named:07", part7); - -var part8 = match("MESSAGE#7:named:08", "nwparser.payload", "automatic empty zone: view %{fld3}: %{dns_ptr_record}", processor_chain([ - dup8, - dup2, - dup3, -])); - -var msg8 = msg("named:08", part8); - -var part9 = match("MESSAGE#8:named:09", "nwparser.payload", "reloading %{obj_type->} %{disposition}", processor_chain([ - dup7, - dup2, - dup3, - setc("action","reloading"), -])); - -var msg9 = msg("named:09", part9); - -var part10 = match("MESSAGE#9:named:10", "nwparser.payload", "zone %{dhost}/%{fld3}: loaded serial %{operation_id}", processor_chain([ - dup7, - dup9, - dup2, - dup3, -])); - -var msg10 = msg("named:10", part10); - -var part11 = match("MESSAGE#10:named:11", "nwparser.payload", "all zones loaded%{}", processor_chain([ - dup7, - dup9, - dup2, - dup3, - setc("action","all zones loaded"), -])); - -var msg11 = msg("named:11", part11); - -var part12 = match("MESSAGE#11:named:12", "nwparser.payload", "running%{}", processor_chain([ - dup7, - setc("disposition","running"), - dup2, - dup3, - setc("action","running"), -])); - -var msg12 = msg("named:12", part12); - -var part13 = match("MESSAGE#12:named:13", "nwparser.payload", "using built-in root key for view %{fld3}", processor_chain([ - dup7, - setc("context","built-in root key"), - dup2, - dup3, -])); - -var msg13 = msg("named:13", 
part13); - -var part14 = match("MESSAGE#13:named:14", "nwparser.payload", "zone %{dns_ptr_record}/%{fld3}: (%{username}) %{action}", processor_chain([ - dup8, - dup2, - dup3, -])); - -var msg14 = msg("named:14", part14); - -var part15 = match("MESSAGE#14:named:15", "nwparser.payload", "too many timeouts resolving '%{fld3}' (%{fld4}): disabling EDNS", processor_chain([ - dup10, - setc("event_description","named:too many timeouts resolving DNS."), - dup11, - dup2, -])); - -var msg15 = msg("named:15", part15); - -var part16 = match("MESSAGE#15:named:16", "nwparser.payload", "FORMERR resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ - dup10, - setc("event_description","named:FORMERR resolving DNS."), - dup11, - dup2, -])); - -var msg16 = msg("named:16", part16); - -var part17 = match("MESSAGE#16:named:17", "nwparser.payload", "unexpected RCODE (SERVFAIL) resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ - dup10, - setc("event_description","named:unexpected RCODE (SERVFAIL) resolving DNS."), - dup11, - dup2, -])); - -var msg17 = msg("named:17", part17); - -var select2 = linear_select([ - msg1, - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, -]); - -var part18 = match("MESSAGE#17:httpproxy:09", "nwparser.payload", "Integrated HTTP-Proxy %{version}", processor_chain([ - dup12, - setc("event_description","httpproxy:Integrated HTTP-Proxy."), - dup11, - dup2, -])); - -var msg18 = msg("httpproxy:09", part18); - -var part19 = match("MESSAGE#18:httpproxy:10", "nwparser.payload", "[%{fld2}] parse_address (%{fld3}) getaddrinfo: passthrough.fw-notify.net: Name or service not known", processor_chain([ - dup10, - setc("event_description","httpproxy:Name or service not known."), - dup11, - dup2, -])); - -var msg19 = msg("httpproxy:10", part19); - -var part20 = match("MESSAGE#19:httpproxy:11", "nwparser.payload", "[%{fld2}] confd_config_filter (%{fld3}) failed to resolve 
passthrough.fw-notify.net, using %{saddr}", processor_chain([ - dup10, - setc("event_description","httpproxy:failed to resolve passthrough."), - dup11, - dup2, -])); - -var msg20 = msg("httpproxy:11", part20); - -var part21 = match("MESSAGE#20:httpproxy:12", "nwparser.payload", "[%{fld2}] ssl_log_errors (%{fld3}) %{fld4}ssl handshake failure%{fld5}", processor_chain([ - dup10, - setc("event_description","httpproxy:ssl handshake failure."), - dup11, - dup2, -])); - -var msg21 = msg("httpproxy:12", part21); - -var part22 = match("MESSAGE#21:httpproxy:13", "nwparser.payload", "[%{fld2}] sc_decrypt (%{fld3}) EVP_DecryptFinal failed", processor_chain([ - dup10, - setc("event_description","httpproxy:EVP_DecryptFinal failed."), - dup11, - dup2, -])); - -var msg22 = msg("httpproxy:13", part22); - -var part23 = match("MESSAGE#22:httpproxy:14", "nwparser.payload", "[%{fld2}] sc_server_cmd (%{fld3}) decrypt failed", processor_chain([ - dup10, - setc("event_description","httpproxy:decrypt failed."), - dup11, - dup2, -])); - -var msg23 = msg("httpproxy:14", part23); - -var part24 = match("MESSAGE#23:httpproxy:15", "nwparser.payload", "[%{fld2}] clamav_reload (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:reloading av pattern"), - dup11, - dup2, -])); - -var msg24 = msg("httpproxy:15", part24); - -var part25 = match("MESSAGE#24:httpproxy:16", "nwparser.payload", "[%{fld2}] sc_check_servers (%{fld3}) server '%{hostname}' access time: %{fld4}", processor_chain([ - dup12, - setc("event_description","httpproxy:sc_check_servers.Server checked."), - dup11, - dup2, -])); - -var msg25 = msg("httpproxy:16", part25); - -var part26 = match("MESSAGE#25:httpproxy:17", "nwparser.payload", "[%{fld2}] main (%{fld3}) shutdown finished, exiting", processor_chain([ - dup12, - setc("event_description","httpproxy:shutdown finished, exiting."), - dup11, - dup2, -])); - -var msg26 = msg("httpproxy:17", part26); - -var part27 = match("MESSAGE#26:httpproxy:18", 
"nwparser.payload", "[%{fld2}] main (%{fld3}) reading configuration", processor_chain([ - dup12, - setc("event_description","httpproxy:"), - dup11, - dup2, -])); - -var msg27 = msg("httpproxy:18", part27); - -var part28 = match("MESSAGE#27:httpproxy:19", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading profiles", processor_chain([ - dup12, - setc("event_description","httpproxy:reading profiles"), - dup11, - dup2, -])); - -var msg28 = msg("httpproxy:19", part28); - -var part29 = match("MESSAGE#28:httpproxy:20", "nwparser.payload", "[%{fld2}] main (%{fld3}) finished startup", processor_chain([ - dup12, - setc("event_description","httpproxy:finished startup"), - dup11, - dup2, -])); - -var msg29 = msg("httpproxy:20", part29); - -var part30 = match("MESSAGE#29:httpproxy:21", "nwparser.payload", "[%{fld2}] read_request_headers (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:read_request_headers related message."), - dup11, - dup2, -])); - -var msg30 = msg("httpproxy:21", part30); - -var part31 = match("MESSAGE#30:httpproxy:22", "nwparser.payload", "[%{fld2}] epoll_loop (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:epoll_loop related message."), - dup11, - dup2, -])); - -var msg31 = msg("httpproxy:22", part31); - -var part32 = match("MESSAGE#31:httpproxy:23", "nwparser.payload", "[%{fld2}] scan_exit (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:scan_exit related message."), - dup11, - dup2, -])); - -var msg32 = msg("httpproxy:23", part32); - -var part33 = match("MESSAGE#32:httpproxy:24", "nwparser.payload", "[%{fld2}] epoll_exit (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:epoll_exit related message."), - dup11, - dup2, -])); - -var msg33 = msg("httpproxy:24", part33); - -var part34 = match("MESSAGE#33:httpproxy:25", "nwparser.payload", "[%{fld2}] disk_cache_exit (%{fld3}) %{info}", processor_chain([ - dup12, - 
setc("event_description","httpproxy:disk_cache_exit related message."), - dup11, - dup2, -])); - -var msg34 = msg("httpproxy:25", part34); - -var part35 = match("MESSAGE#34:httpproxy:26", "nwparser.payload", "[%{fld2}] disk_cache_zap (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:disk_cache_zap related message."), - dup11, - dup2, -])); - -var msg35 = msg("httpproxy:26", part35); - -var part36 = match("MESSAGE#35:httpproxy:27", "nwparser.payload", "[%{fld2}] scanner_init (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:scanner_init related message."), - dup11, - dup2, -])); - -var msg36 = msg("httpproxy:27", part36); - -var part37 = tagval("MESSAGE#36:httpproxy:01", "nwparser.payload", tvm, { - "action": "action", - "ad_domain": "fld1", - "app-id": "fld18", - "application": "fld17", - "auth": "fld10", - "authtime": "fld4", - "avscantime": "fld7", - "cached": "fld2", - "category": "policy_id", - "categoryname": "info", - "cattime": "fld6", - "content-type": "content_type", - "device": "fld9", - "dnstime": "fld5", - "dstip": "daddr", - "error": "result", - "exceptions": "fld12", - "extension": "fld13", - "file": "filename", - "filename": "filename", - "filteraction": "fld3", - "fullreqtime": "fld8", - "function": "action", - "group": "group", - "id": "rule", - "line": "fld14", - "message": "context", - "method": "web_method", - "name": "event_description", - "profile": "policyname", - "reason": "rule_group", - "referer": "web_referer", - "reputation": "fld16", - "request": "connectionid", - "severity": "severity", - "size": "rbytes", - "srcip": "saddr", - "statuscode": "resultcode", - "sub": "network_service", - "sys": "vsys", - "time": "fld15", - "ua": "fld11", - "url": "url", - "user": "username", -}, processor_chain([ - dup13, - dup11, - dup2, - dup45, - dup46, -])); - -var msg37 = msg("httpproxy:01", part37); - -var select3 = linear_select([ - msg18, - msg19, - msg20, - msg21, - msg22, - 
msg23, - msg24, - msg25, - msg26, - msg27, - msg28, - msg29, - msg30, - msg31, - msg32, - msg33, - msg34, - msg35, - msg36, - msg37, -]); - -var part38 = match("MESSAGE#37:URID:01", "nwparser.payload", "T=%{fld3->} ------ 1 - [exit] %{action}: %{disposition}", processor_chain([ - dup16, - dup2, - dup3, -])); - -var msg38 = msg("URID:01", part38); - -var part39 = tagval("MESSAGE#38:ulogd:01", "nwparser.payload", tvm, { - "action": "action", - "code": "fld30", - "dstip": "daddr", - "dstmac": "dmacaddr", - "dstport": "dport", - "fwrule": "policy_id", - "id": "rule", - "info": "context", - "initf": "sinterface", - "length": "fld25", - "name": "event_description", - "outitf": "dinterface", - "prec": "fld27", - "proto": "fld24", - "seq": "fld23", - "severity": "severity", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "sub": "network_service", - "sys": "vsys", - "tcpflags": "fld29", - "tos": "fld26", - "ttl": "fld28", - "type": "fld31", -}, processor_chain([ - dup13, - setc("ec_subject","NetworkComm"), - setc("ec_activity","Scan"), - setc("ec_theme","TEV"), - dup11, - dup2, - dup45, - dup46, -])); - -var msg39 = msg("ulogd:01", part39); - -var part40 = match("MESSAGE#39:reverseproxy:01", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity for Apache/%{fld5->} (%{fld6}) configured.", processor_chain([ - dup6, - setc("disposition","configured"), - dup2, - dup3, -])); - -var msg40 = msg("reverseproxy:01", part40); - -var part41 = match("MESSAGE#40:reverseproxy:02", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"; loaded version=\"%{fld7}\"", processor_chain([ - dup17, - dup2, - dup3, -])); - -var msg41 = msg("reverseproxy:02", part41); - -var part42 = match("MESSAGE#41:reverseproxy:03", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled 
version=\"%{fld6}\"", processor_chain([ - dup17, - dup2, - dup3, -])); - -var msg42 = msg("reverseproxy:03", part42); - -var part43 = match("MESSAGE#42:reverseproxy:04", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] %{fld5->} configured -- %{disposition->} normal operations", processor_chain([ - dup17, - setc("event_id","AH00292"), - dup2, - dup3, -])); - -var msg43 = msg("reverseproxy:04", part43); - -var part44 = match("MESSAGE#43:reverseproxy:06", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [%{fld5}] Hostname in %{network_service->} request (%{fld6}) does not match the server name (%{ddomain})", processor_chain([ - setc("eventcategory","1805010000"), - dup18, - dup2, - dup3, -])); - -var msg44 = msg("reverseproxy:06", part44); - -var part45 = match("MESSAGE#44:reverseproxy:07/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00297: %{action->} received. Doing%{p0}"); - -var select4 = linear_select([ - dup19, -]); - -var part46 = match("MESSAGE#44:reverseproxy:07/2", "nwparser.p0", "%{}graceful %{disposition}"); - -var all1 = all_match({ - processors: [ - part45, - select4, - part46, - ], - on_success: processor_chain([ - dup5, - setc("event_id","AH00297"), - dup2, - dup3, - ]), -}); - -var msg45 = msg("reverseproxy:07", all1); - -var part47 = match("MESSAGE#45:reverseproxy:08", "nwparser.payload", "AH00112: Warning: DocumentRoot [%{web_root}] does not exist", processor_chain([ - dup4, - setc("event_id","AH00112"), - dup2, - dup3, -])); - -var msg46 = msg("reverseproxy:08", part47); - -var part48 = match("MESSAGE#46:reverseproxy:09", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00094: Command line: '%{web_root}'", processor_chain([ - setc("eventcategory","1605010000"), - setc("event_id","AH00094"), - dup2, - dup3, -])); - -var msg47 = msg("reverseproxy:09", part48); - -var part49 = 
match("MESSAGE#47:reverseproxy:10", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00291: long lost child came home! (pid %{fld5})", processor_chain([ - dup12, - setc("event_id","AH00291"), - dup2, - dup3, -])); - -var msg48 = msg("reverseproxy:10", part49); - -var part50 = match("MESSAGE#48:reverseproxy:11", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02572: Failed to configure at least one certificate and key for %{fld5}:%{fld6}", processor_chain([ - dup20, - setc("event_id","AH02572"), - dup2, - dup3, -])); - -var msg49 = msg("reverseproxy:11", part50); - -var part51 = match("MESSAGE#49:reverseproxy:12", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] SSL Library Error: error:%{resultcode}:%{result}", processor_chain([ - dup20, - setc("context","SSL Library Error"), - dup2, - dup3, -])); - -var msg50 = msg("reverseproxy:12", part51); - -var part52 = match("MESSAGE#50:reverseproxy:13", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02312: Fatal error initialising mod_ssl, %{disposition}.", processor_chain([ - dup20, - setc("result","Fatal error"), - setc("event_id","AH02312"), - dup2, - dup3, -])); - -var msg51 = msg("reverseproxy:13", part52); - -var part53 = match("MESSAGE#51:reverseproxy:14", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00020: Configuration Failed, %{disposition}", processor_chain([ - dup20, - setc("result","Configuration Failed"), - setc("event_id","AH00020"), - dup2, - dup3, -])); - -var msg52 = msg("reverseproxy:14", part53); - -var part54 = match("MESSAGE#52:reverseproxy:15", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00098: pid file %{filename->} overwritten -- Unclean shutdown of previous Apache run?", processor_chain([ - setc("eventcategory","1609000000"), - setc("context","Unclean 
shutdown"), - setc("event_id","AH00098"), - dup2, - dup3, -])); - -var msg53 = msg("reverseproxy:15", part54); - -var part55 = match("MESSAGE#53:reverseproxy:16", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00295: caught %{action}, %{disposition}", processor_chain([ - dup16, - setc("event_id","AH00295"), - dup2, - dup3, -])); - -var msg54 = msg("reverseproxy:16", part55); - -var part56 = match("MESSAGE#54:reverseproxy:17/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{result}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"]%{p0}"); - -var part57 = match("MESSAGE#54:reverseproxy:17/1_0", "nwparser.p0", " [rev \"%{fld6}\"]%{p0}"); - -var select5 = linear_select([ - part57, - dup19, -]); - -var part58 = match("MESSAGE#54:reverseproxy:17/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"%{daddr}\"] [severity \"%{severity}\"] [ver \"%{policyname}\"] [maturity \"%{fld7}\"] [accuracy \"%{fld8}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); - -var all2 = all_match({ - processors: [ - part56, - select5, - part58, - ], - on_success: processor_chain([ - dup21, - dup2, - dup3, - ]), -}); - -var msg55 = msg("reverseproxy:17", all2); - -var part59 = match("MESSAGE#55:reverseproxy:18", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] No signature found, cookie: %{fld5}", processor_chain([ - dup4, - dup22, - dup2, - dup3, -])); - -var msg56 = msg("reverseproxy:18", part59); - -var part60 = match("MESSAGE#56:reverseproxy:19", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] %{disposition->} '%{fld5}' from request due to missing/invalid signature", processor_chain([ - dup23, - dup22, - dup2, - dup3, -])); - -var msg57 = msg("reverseproxy:19", part60); - -var part61 = 
match("MESSAGE#57:reverseproxy:20", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"] [msg \"%{comments}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, -])); - -var msg58 = msg("reverseproxy:20", part61); - -var part62 = match("MESSAGE#58:reverseproxy:21", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01909: %{daddr}:%{dport}:%{fld5->} server certificate does NOT include an ID which matches the server name", processor_chain([ - dup20, - dup18, - setc("event_id","AH01909"), - dup2, - dup3, -])); - -var msg59 = msg("reverseproxy:21", part62); - -var part63 = match("MESSAGE#59:reverseproxy:22", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01915: Init: (%{daddr}:%{dport}) You configured %{network_service}(%{fld5}) on the %{fld6}(%{fld7}) port!", processor_chain([ - dup20, - setc("comments","Invalid port configuration"), - dup2, - dup3, -])); - -var msg60 = msg("reverseproxy:22", part63); - -var part64 = match("MESSAGE#60:reverseproxy:23", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Rule %{rulename->} [id \"%{rule}\"][file \"%(unknown)\"][line \"%{fld5}\"] - Execution error - PCRE limits exceeded (%{fld6}): (%{fld7}). 
[hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, -])); - -var msg61 = msg("reverseproxy:23", part64); - -var part65 = match("MESSAGE#61:reverseproxy:24", "nwparser.payload", "rManage\\\\x22,\\\\x22manageLiveSystemSettings\\\\x22,\\\\x22accessViewJobs\\\\x22,\\\\x22exportList\\\\...\"] [ver \"%{policyname}\"] [maturity \"%{fld3}\"] [accuracy \"%{fld4}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, -])); - -var msg62 = msg("reverseproxy:24", part65); - -var part66 = match("MESSAGE#62:reverseproxy:25", "nwparser.payload", "ARGS:userPermissions: [\\\\x22dashletAccessAlertingRecentAlertsPanel\\\\x22,\\\\x22dashletAccessAlerterTopAlertsDashlet\\\\x22,\\\\x22accessViewRules\\\\x22,\\\\x22deployLiveResources\\\\x22,\\\\x22vi...\"] [severity [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, -])); - -var msg63 = msg("reverseproxy:25", part66); - -var part67 = match("MESSAGE#63:reverseproxy:26/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: %{disposition->} with code %{resultcode->} (%{fld5}). 
%{rulename->} [file \"%(unknown)\"] [line \"%{fld6}\"] [id \"%{rule}\"]%{p0}"); - -var part68 = match("MESSAGE#63:reverseproxy:26/1_0", "nwparser.p0", " [rev \"%{fld7}\"]%{p0}"); - -var select6 = linear_select([ - part68, - dup19, -]); - -var part69 = match("MESSAGE#63:reverseproxy:26/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"Last Matched Data: %{p0}"); - -var part70 = match("MESSAGE#63:reverseproxy:26/3_0", "nwparser.p0", "%{daddr}:%{dport}\"] [hostname \"%{p0}"); - -var part71 = match("MESSAGE#63:reverseproxy:26/3_1", "nwparser.p0", "%{daddr}\"] [hostname \"%{p0}"); - -var select7 = linear_select([ - part70, - part71, -]); - -var part72 = match("MESSAGE#63:reverseproxy:26/4", "nwparser.p0", "%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); - -var all3 = all_match({ - processors: [ - part67, - select6, - part69, - select7, - part72, - ], - on_success: processor_chain([ - dup24, - dup2, - dup3, - ]), -}); - -var msg64 = msg("reverseproxy:26", all3); - -var part73 = match("MESSAGE#64:reverseproxy:27", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] %{disposition->} while reading reply from cssd, referer: %{web_referer}", processor_chain([ - dup25, - dup2, - dup3, -])); - -var msg65 = msg("reverseproxy:27", part73); - -var part74 = match("MESSAGE#65:reverseproxy:28", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon error found in request %{web_root}, referer: %{web_referer}", processor_chain([ - dup26, - setc("result","virus daemon error"), - dup2, - dup3, -])); - -var msg66 = msg("reverseproxy:28", part74); - -var part75 = match("MESSAGE#66:reverseproxy:29", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found, referer: %{web_referer}", processor_chain([ - dup27, - setc("result","virus found"), - 
dup2, - dup3, -])); - -var msg67 = msg("reverseproxy:29", part75); - -var part76 = match("MESSAGE#67:reverseproxy:30", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} (), referer: %{web_referer}", processor_chain([ - dup24, - dup28, - dup2, - dup3, -])); - -var msg68 = msg("reverseproxy:30", part76); - -var part77 = match("MESSAGE#68:reverseproxy:31", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot read reply: Operation now in progress (115), referer: %{web_referer}", processor_chain([ - dup25, - setc("result","Cannot read reply"), - dup2, - dup3, -])); - -var msg69 = msg("reverseproxy:31", part77); - -var part78 = match("MESSAGE#69:reverseproxy:32", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111), referer: %{web_referer}", processor_chain([ - dup25, - dup2, - dup3, -])); - -var msg70 = msg("reverseproxy:32", part78); - -var part79 = match("MESSAGE#70:reverseproxy:33", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111)", processor_chain([ - dup25, - dup2, - dup3, -])); - -var msg71 = msg("reverseproxy:33", part79); - -var part80 = match("MESSAGE#71:reverseproxy:34", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}, referer: %{web_referer}", processor_chain([ - dup26, - dup29, - dup2, - dup3, -])); - -var msg72 = msg("reverseproxy:34", part80); - -var part81 = match("MESSAGE#72:reverseproxy:35", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus 
daemon connection problem found in request %{url}", processor_chain([ - dup26, - dup29, - dup2, - dup3, -])); - -var msg73 = msg("reverseproxy:35", part81); - -var part82 = match("MESSAGE#73:reverseproxy:36", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found", processor_chain([ - dup27, - setc("result","Virus found"), - dup2, - dup3, -])); - -var msg74 = msg("reverseproxy:36", part82); - -var part83 = match("MESSAGE#74:reverseproxy:37", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} ()", processor_chain([ - dup24, - dup28, - dup2, - dup3, -])); - -var msg75 = msg("reverseproxy:37", part83); - -var part84 = match("MESSAGE#75:reverseproxy:38", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Invalid signature, cookie: JSESSIONID", processor_chain([ - dup25, - dup2, - dup3, -])); - -var msg76 = msg("reverseproxy:38", part84); - -var part85 = match("MESSAGE#76:reverseproxy:39", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Form validation failed: Received unhardened form data, referer: %{web_referer}", processor_chain([ - dup23, - setc("result","Form validation failed"), - dup2, - dup3, -])); - -var msg77 = msg("reverseproxy:39", part85); - -var part86 = match("MESSAGE#77:reverseproxy:40", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] sending trickle failed: 103", processor_chain([ - dup25, - setc("result","Sending trickle failed"), - dup2, - dup3, -])); - -var msg78 = msg("reverseproxy:40", part86); - -var part87 = match("MESSAGE#78:reverseproxy:41", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] 
[client %{gateway}] [%{fld5}] client requesting %{web_root->} has %{disposition}", processor_chain([ - dup30, - dup2, - dup3, -])); - -var msg79 = msg("reverseproxy:41", part87); - -var part88 = match("MESSAGE#79:reverseproxy:42", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] mod_avscan_check_file_single_part() called with parameter filename=%(unknown)", processor_chain([ - setc("eventcategory","1603050000"), - dup2, - dup3, -])); - -var msg80 = msg("reverseproxy:42", part88); - -var part89 = match("MESSAGE#80:reverseproxy:43", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (70007)The %{disposition->} specified has expired: [client %{gateway}] AH01110: error reading response", processor_chain([ - dup30, - setc("event_id","AH01110"), - setc("result","Error reading response"), - dup2, - dup3, -])); - -var msg81 = msg("reverseproxy:43", part89); - -var part90 = match("MESSAGE#81:reverseproxy:44", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (22)%{result}: [client %{gateway}] No form context found when parsing %{fld5->} tag, referer: %{web_referer}", processor_chain([ - setc("eventcategory","1601020000"), - setc("result","No form context found"), - dup2, - dup3, -])); - -var msg82 = msg("reverseproxy:44", part90); - -var part91 = match("MESSAGE#82:reverseproxy:45", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (111)%{result}: AH00957: %{network_service}: attempt to connect to %{daddr}:%{dport->} (%{fld5}) failed", processor_chain([ - dup25, - setc("event_id","AH00957"), - dup2, - dup3, -])); - -var msg83 = msg("reverseproxy:45", part91); - -var part92 = match("MESSAGE#83:reverseproxy:46", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00959: ap_proxy_connect_backend disabling worker for (%{daddr}) for %{processing_time}s", processor_chain([ 
- dup16, - setc("event_id","AH00959"), - setc("result","disabling worker"), - dup2, - dup3, -])); - -var msg84 = msg("reverseproxy:46", part92); - -var part93 = match("MESSAGE#84:reverseproxy:47", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] not all the file sent to the client: %{fld6}, referer: %{web_referer}", processor_chain([ - setc("eventcategory","1801000000"), - setc("context","Not all file sent to client"), - dup2, - dup3, -])); - -var msg85 = msg("reverseproxy:47", part93); - -var part94 = match("MESSAGE#85:reverseproxy:48", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}, referer: %{web_referer}", processor_chain([ - dup25, - dup31, - dup32, - dup2, - dup3, -])); - -var msg86 = msg("reverseproxy:48", part94); - -var part95 = match("MESSAGE#86:reverseproxy:49", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}", processor_chain([ - dup25, - dup31, - dup32, - dup2, - dup3, -])); - -var msg87 = msg("reverseproxy:49", part95); - -var part96 = tagval("MESSAGE#87:reverseproxy:05", "nwparser.payload", tvm, { - "cookie": "web_cookie", - "exceptions": "policy_waiver", - "extra": "info", - "host": "dhost", - "id": "policy_id", - "localip": "fld3", - "method": "web_method", - "reason": "comments", - "referer": "web_referer", - "server": "daddr", - "set-cookie": "fld5", - "size": "fld4", - "srcip": "saddr", - "statuscode": "resultcode", - "time": "processing_time", - "url": "web_root", - "user": "username", -}, processor_chain([ - setc("eventcategory","1802000000"), - dup2, - dup3, -])); - -var msg88 = msg("reverseproxy:05", part96); - -var select8 = linear_select([ - msg40, - msg41, - msg42, - msg43, - msg44, - msg45, - msg46, - msg47, 
- msg48, - msg49, - msg50, - msg51, - msg52, - msg53, - msg54, - msg55, - msg56, - msg57, - msg58, - msg59, - msg60, - msg61, - msg62, - msg63, - msg64, - msg65, - msg66, - msg67, - msg68, - msg69, - msg70, - msg71, - msg72, - msg73, - msg74, - msg75, - msg76, - msg77, - msg78, - msg79, - msg80, - msg81, - msg82, - msg83, - msg84, - msg85, - msg86, - msg87, - msg88, -]); - -var part97 = tagval("MESSAGE#88:confd-sync", "nwparser.payload", tvm, { - "id": "fld5", - "name": "event_description", - "severity": "severity", - "sub": "service", - "sys": "fld2", -}, processor_chain([ - dup1, - dup11, - dup2, -])); - -var msg89 = msg("confd-sync", part97); - -var part98 = tagval("MESSAGE#89:confd:01", "nwparser.payload", tvm, { - "account": "logon_id", - "attributes": "obj_name", - "class": "group_object", - "client": "fld3", - "count": "fld4", - "facility": "logon_type", - "id": "fld1", - "name": "event_description", - "node": "node", - "object": "fld6", - "severity": "severity", - "srcip": "saddr", - "storage": "directory", - "sub": "service", - "sys": "fld2", - "type": "obj_type", - "user": "username", - "version": "version", -}, processor_chain([ - dup1, - dup11, - dup2, -])); - -var msg90 = msg("confd:01", part98); - -var part99 = match("MESSAGE#90:frox", "nwparser.payload", "Frox started%{}", processor_chain([ - dup12, - setc("event_description","frox:FTP Proxy Frox started."), - dup11, - dup2, -])); - -var msg91 = msg("frox", part99); - -var part100 = match("MESSAGE#91:frox:01", "nwparser.payload", "Listening on %{saddr}:%{sport}", processor_chain([ - dup12, - setc("event_description","frox:FTP Proxy listening on port."), - dup11, - dup2, -])); - -var msg92 = msg("frox:01", part100); - -var part101 = match("MESSAGE#92:frox:02", "nwparser.payload", "Dropped privileges%{}", processor_chain([ - dup12, - setc("event_description","frox:FTP Proxy dropped priveleges."), - dup11, - dup2, -])); - -var msg93 = msg("frox:02", part101); - -var select9 = linear_select([ - msg91, - 
msg92, - msg93, -]); - -var part102 = match("MESSAGE#93:afcd", "nwparser.payload", "Classifier configuration reloaded successfully%{}", processor_chain([ - dup12, - setc("event_description","afcd: IM/P2P Classifier configuration reloaded successfully."), - dup11, - dup2, -])); - -var msg94 = msg("afcd", part102); - -var part103 = match("MESSAGE#94:ipsec_starter", "nwparser.payload", "Starting strongSwan %{fld2->} IPsec [starter]...", processor_chain([ - dup12, - setc("event_description","ipsec_starter: Starting strongSwan 4.2.3 IPsec [starter]..."), - dup11, - dup2, -])); - -var msg95 = msg("ipsec_starter", part103); - -var part104 = match("MESSAGE#95:ipsec_starter:01", "nwparser.payload", "IP address or index of physical interface changed -> reinit of ipsec interface%{}", processor_chain([ - dup12, - setc("event_description","ipsec_starter: IP address or index of physical interface changed."), - dup11, - dup2, -])); - -var msg96 = msg("ipsec_starter:01", part104); - -var select10 = linear_select([ - msg95, - msg96, -]); - -var part105 = match("MESSAGE#96:pluto", "nwparser.payload", "Starting Pluto (%{info})", processor_chain([ - dup12, - setc("event_description","pluto: Starting Pluto."), - dup11, - dup2, -])); - -var msg97 = msg("pluto", part105); - -var part106 = match("MESSAGE#97:pluto:01", "nwparser.payload", "including NAT-Traversal patch (%{info})", processor_chain([ - dup12, - setc("event_description","pluto: including NAT-Traversal patch."), - dup11, - dup2, -])); - -var msg98 = msg("pluto:01", part106); - -var part107 = match("MESSAGE#98:pluto:02", "nwparser.payload", "ike_alg: Activating %{info->} encryption: Ok", processor_chain([ - dup33, - setc("event_description","pluto: Activating encryption algorithm."), - dup11, - dup2, -])); - -var msg99 = msg("pluto:02", part107); - -var part108 = match("MESSAGE#99:pluto:03", "nwparser.payload", "ike_alg: Activating %{info->} hash: Ok", processor_chain([ - dup33, - setc("event_description","pluto: Activating 
hash algorithm."), - dup11, - dup2, -])); - -var msg100 = msg("pluto:03", part108); - -var part109 = match("MESSAGE#100:pluto:04", "nwparser.payload", "Testing registered IKE encryption algorithms:%{}", processor_chain([ - dup12, - setc("event_description","pluto: Testing registered IKE encryption algorithms"), - dup11, - dup2, -])); - -var msg101 = msg("pluto:04", part109); - -var part110 = match("MESSAGE#101:pluto:05", "nwparser.payload", "%{info->} self-test not available", processor_chain([ - dup12, - setc("event_description","pluto: Algorithm self-test not available."), - dup11, - dup2, -])); - -var msg102 = msg("pluto:05", part110); - -var part111 = match("MESSAGE#102:pluto:06", "nwparser.payload", "%{info->} self-test passed", processor_chain([ - dup12, - setc("event_description","pluto: Algorithm self-test passed."), - dup11, - dup2, -])); - -var msg103 = msg("pluto:06", part111); - -var part112 = match("MESSAGE#103:pluto:07", "nwparser.payload", "Using KLIPS IPsec interface code%{}", processor_chain([ - dup12, - setc("event_description","pluto: Using KLIPS IPsec interface code"), - dup11, - dup2, -])); - -var msg104 = msg("pluto:07", part112); - -var part113 = match("MESSAGE#104:pluto:08", "nwparser.payload", "adding interface %{interface->} %{saddr}:%{sport}", processor_chain([ - dup12, - setc("event_description","pluto: adding interface"), - dup11, - dup2, -])); - -var msg105 = msg("pluto:08", part113); - -var part114 = match("MESSAGE#105:pluto:09", "nwparser.payload", "loading secrets from \"%(unknown)\"", processor_chain([ - dup34, - setc("event_description","pluto: loading secrets"), - dup11, - dup2, -])); - -var msg106 = msg("pluto:09", part114); - -var part115 = match("MESSAGE#106:pluto:10", "nwparser.payload", "loaded private key file '%(unknown)' (%{filename_size->} bytes)", processor_chain([ - dup34, - setc("event_description","pluto: loaded private key file"), - dup11, - dup2, -])); - -var msg107 = msg("pluto:10", part115); - -var part116 = 
match("MESSAGE#107:pluto:11", "nwparser.payload", "added connection description \"%{fld2}\"", processor_chain([ - dup12, - setc("event_description","pluto: added connection description"), - dup11, - dup2, -])); - -var msg108 = msg("pluto:11", part116); - -var part117 = match("MESSAGE#108:pluto:12", "nwparser.payload", "\"%{fld2}\" #%{fld3}: initiating Main Mode", processor_chain([ - dup12, - dup35, - dup11, - dup2, -])); - -var msg109 = msg("pluto:12", part117); - -var part118 = match("MESSAGE#109:pluto:13", "nwparser.payload", "\"%{fld2}\" #%{fld3}: max number of retransmissions (%{fld4}) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message", processor_chain([ - dup10, - dup36, - dup11, - dup2, -])); - -var msg110 = msg("pluto:13", part118); - -var part119 = match("MESSAGE#110:pluto:14", "nwparser.payload", "\"%{fld2}\" #%{fld3}: starting keying attempt %{fld4->} of an unlimited number", processor_chain([ - dup12, - dup37, - dup11, - dup2, -])); - -var msg111 = msg("pluto:14", part119); - -var part120 = match("MESSAGE#111:pluto:15", "nwparser.payload", "forgetting secrets%{}", processor_chain([ - dup12, - setc("event_description","pluto:forgetting secrets"), - dup11, - dup2, -])); - -var msg112 = msg("pluto:15", part120); - -var part121 = match("MESSAGE#112:pluto:17", "nwparser.payload", "Changing to directory '%{directory}'", processor_chain([ - dup12, - setc("event_description","pluto:Changing to directory"), - dup11, - dup2, -])); - -var msg113 = msg("pluto:17", part121); - -var part122 = match("MESSAGE#113:pluto:18", "nwparser.payload", "| *time to handle event%{}", processor_chain([ - dup12, - setc("event_description","pluto:*time to handle event"), - dup11, - dup2, -])); - -var msg114 = msg("pluto:18", part122); - -var part123 = match("MESSAGE#114:pluto:19", "nwparser.payload", "| *received kernel message%{}", processor_chain([ - dup12, - setc("event_description","pluto:*received kernel message"), - dup11, - dup2, -])); - 
-var msg115 = msg("pluto:19", part123); - -var part124 = match("MESSAGE#115:pluto:20", "nwparser.payload", "| rejected packet:%{}", processor_chain([ - dup25, - setc("event_description","pluto:rejected packet"), - dup11, - dup2, -])); - -var msg116 = msg("pluto:20", part124); - -var part125 = match("MESSAGE#116:pluto:21", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ - dup12, - dup11, - dup2, -])); - -var msg117 = msg("pluto:21", part125); - -var part126 = match("MESSAGE#117:pluto:22", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds", processor_chain([ - dup12, - dup11, - dup2, -])); - -var msg118 = msg("pluto:22", part126); - -var part127 = match("MESSAGE#118:pluto:23", "nwparser.payload", "| inserting event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ - dup12, - dup11, - dup2, -])); - -var msg119 = msg("pluto:23", part127); - -var part128 = match("MESSAGE#119:pluto:24", "nwparser.payload", "| event after this is %{event_type->} in %{fld2->} seconds", processor_chain([ - dup12, - dup11, - dup2, -])); - -var msg120 = msg("pluto:24", part128); - -var part129 = match("MESSAGE#120:pluto:25", "nwparser.payload", "| recent %{action->} activity %{fld2->} seconds ago, %{info}", processor_chain([ - dup12, - dup11, - dup2, -])); - -var msg121 = msg("pluto:25", part129); - -var part130 = match("MESSAGE#121:pluto:26", "nwparser.payload", "| *received %{rbytes->} bytes from %{saddr}:%{sport->} on %{dinterface}", processor_chain([ - dup12, - dup11, - dup2, -])); - -var msg122 = msg("pluto:26", part130); - -var part131 = match("MESSAGE#122:pluto:27", "nwparser.payload", "| received %{action->} notification %{msg->} with seqno = %{fld2}", processor_chain([ - dup12, - dup11, - dup2, -])); - -var msg123 = msg("pluto:27", part131); - -var part132 = match("MESSAGE#123:pluto:28", "nwparser.payload", "| sent %{action->} notification %{msg->} with seqno = %{fld2}", processor_chain([ 
- dup12, - dup11, - dup2, -])); - -var msg124 = msg("pluto:28", part132); - -var part133 = match("MESSAGE#124:pluto:29", "nwparser.payload", "| inserting event %{event_type}, timeout in %{fld2->} seconds", processor_chain([ - dup12, - dup11, - dup2, -])); - -var msg125 = msg("pluto:29", part133); - -var part134 = match("MESSAGE#125:pluto:30", "nwparser.payload", "| handling event %{event_type->} for %{saddr->} \"%{fld2}\" #%{fld3}", processor_chain([ - dup12, - dup11, - dup2, -])); - -var msg126 = msg("pluto:30", part134); - -var part135 = match("MESSAGE#126:pluto:31", "nwparser.payload", "| %{event_description}", processor_chain([ - dup12, - dup11, - dup2, -])); - -var msg127 = msg("pluto:31", part135); - -var part136 = match("MESSAGE#127:pluto:32", "nwparser.payload", "%{fld2}: asynchronous network error report on %{interface->} for message to %{daddr->} port %{dport}, complainant %{saddr}: Connection refused [errno %{fld4}, origin ICMP type %{icmptype->} code %{icmpcode->} (not authenticated)]", processor_chain([ - dup12, - setc("event_description","not authenticated"), - dup11, - dup2, -])); - -var msg128 = msg("pluto:32", part136); - -var part137 = match("MESSAGE#128:pluto:33", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: initiating Main Mode", processor_chain([ - dup12, - dup35, - dup11, - dup2, -])); - -var msg129 = msg("pluto:33", part137); - -var part138 = match("MESSAGE#129:pluto:34", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: max number of retransmissions (%{fld5}) reached STATE_MAIN_I1. 
No response (or no acceptable response) to our first IKE message", processor_chain([ - dup12, - dup36, - dup11, - dup2, -])); - -var msg130 = msg("pluto:34", part138); - -var part139 = match("MESSAGE#130:pluto:35", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: starting keying attempt %{fld5->} of an unlimited number", processor_chain([ - dup12, - dup37, - dup11, - dup2, -])); - -var msg131 = msg("pluto:35", part139); - -var select11 = linear_select([ - msg97, - msg98, - msg99, - msg100, - msg101, - msg102, - msg103, - msg104, - msg105, - msg106, - msg107, - msg108, - msg109, - msg110, - msg111, - msg112, - msg113, - msg114, - msg115, - msg116, - msg117, - msg118, - msg119, - msg120, - msg121, - msg122, - msg123, - msg124, - msg125, - msg126, - msg127, - msg128, - msg129, - msg130, - msg131, -]); - -var part140 = match("MESSAGE#131:xl2tpd", "nwparser.payload", "This binary does not support kernel L2TP.%{}", processor_chain([ - setc("eventcategory","1607000000"), - setc("event_description","xl2tpd:This binary does not support kernel L2TP."), - dup11, - dup2, -])); - -var msg132 = msg("xl2tpd", part140); - -var part141 = match("MESSAGE#132:xl2tpd:01", "nwparser.payload", "xl2tpd version %{version->} started on PID:%{fld2}", processor_chain([ - dup12, - setc("event_description","xl2tpd:xl2tpd started."), - dup11, - dup2, -])); - -var msg133 = msg("xl2tpd:01", part141); - -var part142 = match("MESSAGE#133:xl2tpd:02", "nwparser.payload", "Written by %{info}", processor_chain([ - dup12, - dup38, - dup11, - dup2, -])); - -var msg134 = msg("xl2tpd:02", part142); - -var part143 = match("MESSAGE#134:xl2tpd:03", "nwparser.payload", "Forked by %{info}", processor_chain([ - dup12, - dup38, - dup11, - dup2, -])); - -var msg135 = msg("xl2tpd:03", part143); - -var part144 = match("MESSAGE#135:xl2tpd:04", "nwparser.payload", "Inherited by %{info}", processor_chain([ - dup12, - dup38, - dup11, - dup2, -])); - -var msg136 = msg("xl2tpd:04", part144); - -var part145 = 
match("MESSAGE#136:xl2tpd:05", "nwparser.payload", "Listening on IP address %{saddr}, port %{sport}", processor_chain([ - dup12, - dup38, - dup11, - dup2, -])); - -var msg137 = msg("xl2tpd:05", part145); - -var select12 = linear_select([ - msg132, - msg133, - msg134, - msg135, - msg136, - msg137, -]); - -var part146 = match("MESSAGE#137:barnyard:01", "nwparser.payload", "Exiting%{}", processor_chain([ - dup12, - setc("event_description","barnyard: Exiting"), - dup11, - dup2, -])); - -var msg138 = msg("barnyard:01", part146); - -var part147 = match("MESSAGE#138:barnyard:02", "nwparser.payload", "Initializing daemon mode%{}", processor_chain([ - dup12, - setc("event_description","barnyard:Initializing daemon mode"), - dup11, - dup2, -])); - -var msg139 = msg("barnyard:02", part147); - -var part148 = match("MESSAGE#139:barnyard:03", "nwparser.payload", "Opened spool file '%(unknown)'", processor_chain([ - dup12, - setc("event_description","barnyard:Opened spool file."), - dup11, - dup2, -])); - -var msg140 = msg("barnyard:03", part148); - -var part149 = match("MESSAGE#140:barnyard:04", "nwparser.payload", "Waiting for new data%{}", processor_chain([ - dup12, - setc("event_description","barnyard:Waiting for new data"), - dup11, - dup2, -])); - -var msg141 = msg("barnyard:04", part149); - -var select13 = linear_select([ - msg138, - msg139, - msg140, - msg141, -]); - -var part150 = match("MESSAGE#141:exim:01", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from localhost (%{hostname}) [%{saddr}]:%{sport->} closed by QUIT", processor_chain([ - dup12, - setc("event_description","exim:SMTP connection from localhost closed by QUIT"), - dup11, - dup2, -])); - -var msg142 = msg("exim:01", part150); - -var part151 = match("MESSAGE#142:exim:02", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} [%{saddr}] F=\u003c\u003c%{from}> R=\u003c\u003c%{to}> Accepted: %{info}", processor_chain([ - 
setc("eventcategory","1207010000"), - setc("event_description","exim:e-mail accepted from relay."), - dup11, - dup2, -])); - -var msg143 = msg("exim:02", part151); - -var part152 = match("MESSAGE#143:exim:03", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} \u003c\u003c= %{from->} H=localhost (%{hostname}) [%{saddr}]:%{sport->} P=%{protocol->} S=%{fld9->} id=%{info}", processor_chain([ - setc("eventcategory","1207000000"), - setc("event_description","exim: e-mail sent."), - dup11, - dup2, -])); - -var msg144 = msg("exim:03", part152); - -var part153 = match("MESSAGE#144:exim:04", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} R=dnslookup defer (%{fld9}): host lookup did not complete", processor_chain([ - dup39, - setc("event_description","exim: e-mail host lookup did not complete in DNS."), - dup11, - dup2, -])); - -var msg145 = msg("exim:04", part153); - -var part154 = match("MESSAGE#145:exim:05", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} routing defer (%{fld9}): retry time not reached", processor_chain([ - dup39, - setc("event_description","exim: e-mail routing defer:retry time not reached."), - dup11, - dup2, -])); - -var msg146 = msg("exim:05", part154); - -var part155 = match("MESSAGE#146:exim:06", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} exim %{version->} daemon started: pid=%{fld8}, no queue runs, listening for SMTP on port %{sport->} (%{info}) port %{fld9->} (%{fld10}) and for SMTPS on port %{fld11->} (%{fld12})", processor_chain([ - dup12, - setc("event_description","exim: exim daemon started."), - dup11, - dup2, -])); - -var msg147 = msg("exim:06", part155); - -var part156 = match("MESSAGE#147:exim:07", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} Start queue run: pid=%{fld8}", processor_chain([ - dup12, - setc("event_description","exim: Start queue run."), - 
dup11, - dup2, -])); - -var msg148 = msg("exim:07", part156); - -var part157 = match("MESSAGE#148:exim:08", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} pid %{fld8}: SIGHUP received: re-exec daemon", processor_chain([ - dup12, - setc("event_description","exim: SIGHUP received: re-exec daemon."), - dup11, - dup2, -])); - -var msg149 = msg("exim:08", part157); - -var part158 = match("MESSAGE#149:exim:09", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim: SMTP connection from host."), - dup11, - dup2, -])); - -var msg150 = msg("exim:09", part158); - -var part159 = match("MESSAGE#150:exim:10", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} rejected EHLO from [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim:rejected EHLO from host."), - dup11, - dup2, -])); - -var msg151 = msg("exim:10", part159); - -var part160 = match("MESSAGE#151:exim:11", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP protocol synchronization error (%{result}): %{fld8->} H=[%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim:SMTP protocol synchronization error rejected connection from host."), - dup11, - dup2, -])); - -var msg152 = msg("exim:11", part160); - -var part161 = match("MESSAGE#152:exim:12", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} TLS error on connection from [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim:TLS error on connection from host."), - dup11, - dup2, -])); - -var msg153 = msg("exim:12", part161); - -var part162 = match("MESSAGE#153:exim:13", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} == %{hostname->} R=%{fld8->} T=%{fld9}: %{info}", processor_chain([ - dup12, - 
dup40, - dup11, - dup2, -])); - -var msg154 = msg("exim:13", part162); - -var part163 = match("MESSAGE#154:exim:14", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} %{hostname->} [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - dup40, - dup11, - dup2, -])); - -var msg155 = msg("exim:14", part163); - -var part164 = match("MESSAGE#155:exim:15", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} End queue run: %{info}", processor_chain([ - dup12, - dup40, - dup11, - dup2, -])); - -var msg156 = msg("exim:15", part164); - -var part165 = match("MESSAGE#156:exim:16", "nwparser.payload", "%{fld2->} %{fld3}", processor_chain([ - dup12, - dup11, - dup2, -])); - -var msg157 = msg("exim:16", part165); - -var select14 = linear_select([ - msg142, - msg143, - msg144, - msg145, - msg146, - msg147, - msg148, - msg149, - msg150, - msg151, - msg152, - msg153, - msg154, - msg155, - msg156, - msg157, -]); - -var part166 = match("MESSAGE#157:smtpd:01", "nwparser.payload", "QMGR[%{fld2}]: %{fld3->} moved to work queue", processor_chain([ - dup12, - setc("event_description","smtpd: Process moved to work queue."), - dup11, - dup2, -])); - -var msg158 = msg("smtpd:01", part166); - -var part167 = match("MESSAGE#158:smtpd:02", "nwparser.payload", "SCANNER[%{fld3}]: id=\"1000\" severity=\"%{severity}\" sys=\"%{fld4}\" sub=\"%{service}\" name=\"%{event_description}\" srcip=\"%{saddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" queueid=\"%{fld5}\" size=\"%{rbytes}\"", processor_chain([ - setc("eventcategory","1207010100"), - dup11, - dup2, -])); - -var msg159 = msg("smtpd:02", part167); - -var part168 = match("MESSAGE#159:smtpd:03", "nwparser.payload", "SCANNER[%{fld3}]: Nothing to do, exiting.", processor_chain([ - dup12, - setc("event_description","smtpd: SCANNER: Nothing to do,exiting."), - dup11, - dup2, -])); - -var msg160 = msg("smtpd:03", part168); - -var part169 = match("MESSAGE#160:smtpd:04", 
"nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status two set to 'disabled'", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:QR globally disabled, status two set to disabled."), - dup11, - dup2, -])); - -var msg161 = msg("smtpd:04", part169); - -var part170 = match("MESSAGE#161:smtpd:07", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status one set to 'disabled'", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:QR globally disabled, status one set to disabled."), - dup11, - dup2, -])); - -var msg162 = msg("smtpd:07", part170); - -var part171 = match("MESSAGE#162:smtpd:05", "nwparser.payload", "MASTER[%{fld3}]: (Re-)loading configuration from Confd", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:(Re-)loading configuration from Confd."), - dup11, - dup2, -])); - -var msg163 = msg("smtpd:05", part171); - -var part172 = match("MESSAGE#163:smtpd:06", "nwparser.payload", "MASTER[%{fld3}]: Sending QR one", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:Sending QR one."), - dup11, - dup2, -])); - -var msg164 = msg("smtpd:06", part172); - -var select15 = linear_select([ - msg158, - msg159, - msg160, - msg161, - msg162, - msg163, - msg164, -]); - -var part173 = match("MESSAGE#164:sshd:01", "nwparser.payload", "Did not receive identification string from %{fld18}", processor_chain([ - dup10, - setc("event_description","sshd: Did not receive identification string."), - dup11, - dup2, -])); - -var msg165 = msg("sshd:01", part173); - -var part174 = match("MESSAGE#165:sshd:02", "nwparser.payload", "Received SIGHUP; restarting.%{}", processor_chain([ - dup12, - setc("event_description","sshd:Received SIGHUP restarting."), - dup11, - dup2, -])); - -var msg166 = msg("sshd:02", part174); - -var part175 = match("MESSAGE#166:sshd:03", "nwparser.payload", "Server listening on %{saddr->} port %{sport}.", processor_chain([ - dup12, - setc("event_description","sshd:Server 
listening; restarting."), - dup11, - dup2, -])); - -var msg167 = msg("sshd:03", part175); - -var part176 = match("MESSAGE#167:sshd:04", "nwparser.payload", "Invalid user admin from %{fld18}", processor_chain([ - dup41, - setc("event_description","sshd:Invalid user admin."), - dup11, - dup2, -])); - -var msg168 = msg("sshd:04", part176); - -var part177 = match("MESSAGE#168:sshd:05", "nwparser.payload", "Failed none for invalid user admin from %{saddr->} port %{sport->} %{fld3}", processor_chain([ - dup41, - setc("event_description","sshd:Failed none for invalid user admin."), - dup11, - dup2, -])); - -var msg169 = msg("sshd:05", part177); - -var part178 = match("MESSAGE#169:sshd:06", "nwparser.payload", "error: Could not get shadow information for NOUSER%{}", processor_chain([ - dup10, - setc("event_description","sshd:error:Could not get shadow information for NOUSER"), - dup11, - dup2, -])); - -var msg170 = msg("sshd:06", part178); - -var part179 = match("MESSAGE#170:sshd:07", "nwparser.payload", "Failed password for root from %{saddr->} port %{sport->} %{fld3}", processor_chain([ - dup41, - setc("event_description","sshd:Failed password for root."), - dup11, - dup2, -])); - -var msg171 = msg("sshd:07", part179); - -var part180 = match("MESSAGE#171:sshd:08", "nwparser.payload", "Accepted password for loginuser from %{saddr->} port %{sport->} %{fld3}", processor_chain([ - setc("eventcategory","1302000000"), - setc("event_description","sshd:Accepted password for loginuser."), - dup11, - dup2, -])); - -var msg172 = msg("sshd:08", part180); - -var part181 = match("MESSAGE#172:sshd:09", "nwparser.payload", "subsystem request for sftp failed, subsystem not found%{}", processor_chain([ - dup10, - setc("event_description","sshd:subsystem request for sftp failed,subsystem not found."), - dup11, - dup2, -])); - -var msg173 = msg("sshd:09", part181); - -var select16 = linear_select([ - msg165, - msg166, - msg167, - msg168, - msg169, - msg170, - msg171, - msg172, - msg173, 
-]); - -var part182 = tagval("MESSAGE#173:aua:01", "nwparser.payload", tvm, { - "caller": "fld4", - "engine": "fld5", - "id": "fld1", - "name": "event_description", - "severity": "severity", - "srcip": "saddr", - "sub": "service", - "sys": "fld2", - "user": "username", -}, processor_chain([ - dup13, - dup11, - dup2, - dup45, - dup46, -])); - -var msg174 = msg("aua:01", part182); - -var part183 = match("MESSAGE#174:sockd:01", "nwparser.payload", "created new negotiatorchild%{}", processor_chain([ - dup12, - setc("event_description","sockd: created new negotiatorchild."), - dup11, - dup2, -])); - -var msg175 = msg("sockd:01", part183); - -var part184 = match("MESSAGE#175:sockd:02", "nwparser.payload", "dante/server %{version->} running", processor_chain([ - dup12, - setc("event_description","sockd:dante/server running."), - dup11, - dup2, -])); - -var msg176 = msg("sockd:02", part184); - -var part185 = match("MESSAGE#176:sockd:03", "nwparser.payload", "sockdexit(): terminating on signal %{fld2}", processor_chain([ - dup12, - setc("event_description","sockd:sockdexit():terminating on signal."), - dup11, - dup2, -])); - -var msg177 = msg("sockd:03", part185); - -var select17 = linear_select([ - msg175, - msg176, - msg177, -]); - -var part186 = match("MESSAGE#177:pop3proxy", "nwparser.payload", "Master started%{}", processor_chain([ - dup12, - setc("event_description","pop3proxy:Master started."), - dup11, - dup2, -])); - -var msg178 = msg("pop3proxy", part186); - -var part187 = tagval("MESSAGE#178:astarosg_TVM", "nwparser.payload", tvm, { - "account": "logon_id", - "action": "action", - "ad_domain": "fld5", - "app-id": "fld20", - "application": "fld19", - "attributes": "obj_name", - "auth": "fld15", - "authtime": "fld9", - "avscantime": "fld12", - "cached": "fld7", - "caller": "fld30", - "category": "policy_id", - "categoryname": "info", - "cattime": "fld11", - "class": "group_object", - "client": "fld3", - "content-type": "content_type", - "cookie": "web_cookie", - 
"count": "fld4", - "device": "fld14", - "dnstime": "fld10", - "dstip": "daddr", - "dstmac": "dmacaddr", - "dstport": "dport", - "engine": "fld31", - "error": "comments", - "exceptions": "fld17", - "extension": "web_extension", - "extra": "info", - "facility": "logon_type", - "file": "filename", - "filename": "filename", - "filteraction": "policyname", - "fullreqtime": "fld13", - "function": "action", - "fwrule": "policy_id", - "group": "group", - "host": "dhost", - "id": "rule", - "info": "context", - "initf": "sinterface", - "length": "fld25", - "line": "fld22", - "localip": "fld31", - "message": "context", - "method": "web_method", - "name": "event_description", - "node": "node", - "object": "fld6", - "outitf": "dinterface", - "prec": "fld30", - "profile": "owner", - "proto": "fld24", - "reason": "comments", - "referer": "web_referer", - "reputation": "fld18", - "request": "fld8", - "seq": "fld23", - "server": "daddr", - "set-cookie": "fld32", - "severity": "severity", - "size": "filename_size", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "statuscode": "resultcode", - "storage": "directory", - "sub": "service", - "sys": "vsys", - "tcpflags": "fld29", - "time": "fld21", - "tos": "fld26", - "ttl": "fld28", - "type": "obj_type", - "ua": "fld16", - "url": "url", - "user": "username", - "version": "version", -}, processor_chain([ - dup12, - dup11, - dup2, - dup45, - dup46, -])); - -var msg179 = msg("astarosg_TVM", part187); - -var part188 = tagval("MESSAGE#179:httpd", "nwparser.payload", tvm, { - "account": "logon_id", - "action": "action", - "ad_domain": "fld5", - "app-id": "fld20", - "application": "fld19", - "attributes": "obj_name", - "auth": "fld15", - "authtime": "fld9", - "avscantime": "fld12", - "cached": "fld7", - "caller": "fld30", - "category": "policy_id", - "categoryname": "info", - "cattime": "fld11", - "class": "group_object", - "client": "fld3", - "content-type": "content_type", - "cookie": "web_cookie", - "count": "fld4", - 
"device": "fld14", - "dnstime": "fld10", - "dstip": "daddr", - "dstmac": "dmacaddr", - "dstport": "dport", - "engine": "fld31", - "error": "comments", - "exceptions": "fld17", - "extension": "web_extension", - "extra": "info", - "facility": "logon_type", - "file": "filename", - "filename": "filename", - "filteraction": "policyname", - "fullreqtime": "fld13", - "function": "action", - "fwrule": "policy_id", - "group": "group", - "host": "dhost", - "id": "rule", - "info": "context", - "initf": "sinterface", - "length": "fld25", - "line": "fld22", - "localip": "fld31", - "message": "context", - "method": "web_method", - "name": "event_description", - "node": "node", - "object": "fld6", - "outitf": "dinterface", - "port": "network_port", - "prec": "fld30", - "profile": "owner", - "proto": "fld24", - "query": "web_query", - "reason": "comments", - "referer": "web_referer", - "reputation": "fld18", - "request": "fld8", - "seq": "fld23", - "server": "daddr", - "set-cookie": "fld32", - "severity": "severity", - "size": "filename_size", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "statuscode": "resultcode", - "storage": "directory", - "sub": "service", - "sys": "vsys", - "tcpflags": "fld29", - "time": "fld21", - "tos": "fld26", - "ttl": "fld28", - "type": "obj_type", - "ua": "fld16", - "uid": "uid", - "url": "url", - "user": "username", - "version": "version", -}, processor_chain([ - dup12, - dup11, - dup2, - dup45, - dup46, -])); - -var msg180 = msg("httpd", part188); - -var part189 = match("MESSAGE#180:httpd:01", "nwparser.payload", "[%{event_log}:%{result}] [pid %{fld3}:%{fld4}] [client %{gateway}] ModSecurity: Warning. 
%{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"] [rev \"%{fld2}\"] [msg \"%{event_description}\"] [severity \"%{severity}\"] [ver \"%{version}\"] [maturity \"%{fld22}\"] [accuracy \"%{fld23}\"] [tag \"%{fld24}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]%{fld25}", processor_chain([ - setc("eventcategory","1502000000"), - dup2, - dup3, -])); - -var msg181 = msg("httpd:01", part189); - -var select18 = linear_select([ - msg180, - msg181, -]); - -var part190 = tagval("MESSAGE#181:Sophos_Firewall", "nwparser.payload", tvm, { - "activityname": "fld9", - "appfilter_policy_id": "fld10", - "application": "application", - "application_category": "fld23", - "application_risk": "risk_num", - "application_technology": "fld11", - "appresolvedby": "fld22", - "category": "fld4", - "category_type": "fld5", - "connevent": "fld19", - "connid": "connectionid", - "contenttype": "content_type", - "dir_disp": "fld18", - "domain": "fqdn", - "dst_country_code": "location_dst", - "dst_ip": "daddr", - "dst_port": "dport", - "dstzone": "dst_zone", - "dstzonetype": "fld17", - "duration": "duration", - "exceptions": "fld8", - "fw_rule_id": "rule_uid", - "hb_health": "fld21", - "httpresponsecode": "fld7", - "iap": "id1", - "in_interface": "sinterface", - "ips_policy_id": "policy_id", - "log_component": "event_source", - "log_subtype": "category", - "log_type": "event_type", - "message": "info", - "out_interface": "dinterface", - "override_token": "fld6", - "policy_type": "fld23", - "priority": "severity", - "protocol": "protocol", - "reason": "result", - "recv_bytes": "rbytes", - "recv_pkts": "fld15", - "referer": "web_referer", - "sent_bytes": "sbytes", - "sent_pkts": "fld14", - "src_country_code": "location_src", - "src_ip": "saddr", - "src_mac": "smacaddr", - "src_port": "sport", - "srczone": "src_zone", - "srczonetype": "fld16", - "status": "event_state", - "status_code": "resultcode", - "tran_dst_ip": "dtransaddr", - 
"tran_dst_port": "dtransport", - "tran_src_ip": "stransaddr", - "tran_src_port": "stransport", - "transactionid": "id2", - "url": "url", - "user_agent": "user_agent", - "user_gp": "group", - "user_name": "username", - "vconnid": "fld20", -}, processor_chain([ - setc("eventcategory","1204000000"), - dup2, - date_time({ - dest: "event_time", - args: ["hdate","htime"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dS], - ], - }), -])); - -var msg182 = msg("Sophos_Firewall", part190); - -var chain1 = processor_chain([ - select1, - msgid_select({ - "Sophos_Firewall": msg182, - "URID": msg38, - "afcd": msg94, - "astarosg_TVM": msg179, - "aua": msg174, - "barnyard": select13, - "confd": msg90, - "confd-sync": msg89, - "exim": select14, - "frox": select9, - "httpd": select18, - "httpproxy": select3, - "ipsec_starter": select10, - "named": select2, - "pluto": select11, - "pop3proxy": msg178, - "reverseproxy": select8, - "smtpd": select15, - "sockd": select17, - "sshd": select16, - "ulogd": msg39, - "xl2tpd": select12, - }), -]); - -var part191 = match_copy("MESSAGE#44:reverseproxy:07/1_0", "nwparser.p0", "p0"); diff --git a/x-pack/filebeat/module/sophos/utm/ingest/pipeline.yml b/x-pack/filebeat/module/sophos/utm/ingest/pipeline.yml deleted file mode 100644 index 66d787b27ce..00000000000 --- a/x-pack/filebeat/module/sophos/utm/ingest/pipeline.yml +++ /dev/null 
@@ -1,88 +0,0 @@
----
-description: Pipeline for Astaro Security Gateway
-
-processors:
- # ECS event.ingested
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
- # User agent
- - user_agent:
- field: user_agent.original
- ignore_missing: true
- # URL
- - uri_parts:
- field: url.original
- target_field: _temp_.url
- ignore_failure: true
- if: ctx?.url?.original != null
- - script:
- lang: painless
- description: Updates the URL ECS fields from the results of the URI parts processor to not overwrite the RSA mappings
- if: ctx?._temp_?.url != null
- source: |
- for (entry in ctx._temp_.url.entrySet()) {
- if (entry != null && entry.getValue() != null) {
- if(ctx.url[entry.getKey()] == null) {
- ctx.url[entry.getKey()] = entry.getValue();
- } else if (!ctx.url[entry.getKey()].contains(entry.getValue())) {
- ctx.url[entry.getKey()] = [ctx.url[entry.getKey()]];
- ctx.url[entry.getKey()].add(entry.getValue());
- }
- }
- }
- - remove:
- field: _temp_
- ignore_missing: true
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
-
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - append:
- field: related.hosts
- value: '{{host.name}}'
- allow_duplicates: false
- if: ctx.host?.name != null && ctx.host?.name != ''
-on_failure:
- - append:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/sophos/utm/manifest.yml b/x-pack/filebeat/module/sophos/utm/manifest.yml
deleted file mode 100644
index 46bc83cd2dd..00000000000
--- a/x-pack/filebeat/module/sophos/utm/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-module_version: "1.0"
-
-var:
- - name: paths
- - name: tags
- default: ["sophos.utm", "forwarded"]
- - name: syslog_host
- default: localhost
- - name: syslog_port
- default: 9549
- - name: input
- default: udp
- - name: community_id
- default: true
- - name: tz_offset
- default: local
- - name: rsa_fields
- default: true
- - name: keep_raw_fields
- default: false
- - name: debug
- default: false
-
-ingest_pipeline: ingest/pipeline.yml
-input: config/input.yml
-
-requires.processors:
-- name: geoip
- plugin: ingest-geoip
-- name: user_agent
- plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/sophos/utm/test/generated.log b/x-pack/filebeat/module/sophos/utm/test/generated.log
deleted file mode 100644
index cb9fa97790b..00000000000
--- a/x-pack/filebeat/module/sophos/utm/test/generated.log
+++ /dev/null
@@ -1,100 +0,0 @@ -2016:1:29-06:09:59 localhost.localdomain smtpd[905]: MASTER[nnumqua]: QR globally disabled, status one set to 'disabled' -2016:2:12-13:12:33 astarosg_TVM[5716]: id=ommod severity=medium sys=inima sub=tlabo name=web request blocked, forbidden application detectedaction=accept method=ugiatnu client=stiae facility=nofdeF user=sunt srcip=10.57.170.140 dstip=10.213.231.72 version=1.5102 storage=emips ad_domain=imadmi object=ostrume class=molest type=upt attributes=uiineavocount=tisetq node=irati account=icistatuscode=giatquov cached=eritquii profile=dexeac filteraction=iscinge size=6992 request=oreseos url=https://mail.example.net/tati/utaliqu.html?iquaUten=santium#iciatisu referer=https://www5.example.org/eporroqu/uat.txt?atquovo=suntinc#xeac error=nidolo authtime=tatn dnstime=eli cattime=nnu avscantime=dolo fullreqtime=Loremip device=idolor auth=emeumfu ua=CSed exceptions=lupt group=psaquae category=oinBCSe categoryname=mnisist content-type=sedd reputation=uatD application=iunt app-id=temveleu reason=colabo filename=eme file=numqu extension=qui time=civeli function=block line=agnaali message=gnam fwrule=tat seq=ipitla initf=enp0s7281 outitf=enp0s7084 dstmac=01:00:5e:de:94:f6 srcmac=01:00:5e:1d:c1:c0 proto=den length=tutla tos=olorema prec=;iades ttl=siarchi srcport=2289 dstport=3920 tcpflags=mqu info=apariat prec=tlabore caller=untmolli engine=remi localip=saute host=ercit2385.internal.home extra=run server=10.47.202.102 cookie=quirat set-cookie=llu -2016:2:26-20:15:08 eirure7587.internal.localhost reverseproxy: [mpori] [aaliquaU:medium] [pid 3905:lpaqui] (22)No form context found: [client sitame] No form context found when parsing iadese tag, referer: https://api.example.com/utla/utei.htm?oei=tlabori#oin -2016:3:12-03:17:42 data4478.api.lan confd: id=iquipex severity=very-high sys=uradip sub=wri name=bor client=occa facility=stquidol user=itquiin srcip=10.106.239.55 version=1.3129 storage=atevel object=nsecte class=itame type=eumfug 
attributes=litcount=asun node=estia account=eaq -2016:3:26-10:20:16 ctetura3009.www5.corp reverseproxy: [lita] [adeseru:medium] [pid 7692:eaq] amest configured -- corp normal operations -2016:4:9-17:22:51 localhost smtpd[1411]: MASTER[inculpa]: QR globally disabled, status one set to 'disabled' -2016:4:24-00:25:25 httpproxy[176]: [nse] disk_cache_zap (non) paquioff -2016:5:8-07:27:59 ptasnu6684.mail.lan reverseproxy: [orumSe] [boree:low] [pid 945:rQuisau] AH01915: Init: (10.18.13.211:205) You configured ofdeFini(irat) on the onev(aturauto) port! -2016:5:22-14:30:33 ssecillu7166.internal.lan barnyard: Initializing daemon mode -2016:6:5-21:33:08 ore5643.api.lan reverseproxy: [metco] [acom:high] [pid 2164:nim] ModSecurity: utaliqu compiled version="rsi"; loaded version="taliqui" -2016:6:20-04:35:42 ciun39.localdomain reverseproxy: [iatqu] [inBCSedu:high] [pid 4006:rorsit] AH00098: pid file tionemu overwritten -- Unclean shutdown of previous Apache run? -2016:7:4-11:38:16 atatnon6064.www.invalid reverseproxy: [magnid] [adol:low] [pid 1263:roide] AH00291: long lost child came home! 
(pid tem) -2016:7:18-18:40:50 gitse2463.www5.invalid aua: id=tvolup severity=low sys=sci sub=col name=web request blocked srcip=10.42.252.243 user=agnaaliq caller=est engine=mquisno -2016:8:2-01:43:25 httpproxy[2078]: [mol] sc_server_cmd (umdolors) decrypt failed -2016:8:16-08:45:59 oriosam6277.mail.localdomain frox: Listening on 10.169.5.162:6676 -2016:8:30-15:48:33 ptate3830.internal.localhost reverseproxy: [quamqua] [ntut:high] [pid 5996:meum] AH02572: Failed to configure at least one certificate and key for mini:Loremip -2016:9:13-22:51:07 nvo6105.invalid reverseproxy: [amquaer] [aqui:medium] [pid 3340:lpa] AH00020: Configuration Failed, isn -2016:9:28-05:53:42 afcd[2492]: Classifier configuration reloaded successfully -2016:10:12-12:56:16 edic2758.api.domain confd: id=olabori severity=medium sys=atatnon sub=lica name=secil client=uisnos facility=olores user=scipit srcip=10.54.169.175 version=1.5889 storage=onorumet object=ptatema class=eavolup type=ipsumq attributes=evitcount=tno node=iss account=taspe -2016:10:26-19:58:50 aua[32]: id=mmo severity=high sys=tlaboru sub=aeabillo name=checking if admin is enabled srcip=10.26.228.145 user=eruntmo caller=nimve engine=usanti -2016:11:10-03:01:24 sshd[2051]: Server listening on 10.59.215.207 port 6195. -2016:11:24-10:03:59 ectobeat3157.mail.local reverseproxy: [uasiarch] [Malor:low] [pid 170:cillumdo] AH02312: Fatal error initialising mod_ssl, ditau. 
-2016:12:8-17:06:33 ident2323.internal.corp reverseproxy: [hend] [remagna:high] [pid 873:aparia] AH01909: 10.144.21.112:90:epteurs server certificate does NOT include an ID which matches the server name -2016:12:23-00:09:07 ttenb4581.www.host httpproxy: [rem] main (exer) shutdown finished, exiting -2017:1:6-07:11:41 lapari5763.api.invalid frox: Listening on 10.103.2.48:4713 -2017:1:20-14:14:16 elites4713.www.localhost ulogd: id=serr severity=very-high sys=olore sub=onemul name=portscan detected action=deny fwrule=remeum seq=etur initf=lo6086 outitf=lo272 dstmac=01:00:5e:51:b9:4d srcmac=01:00:5e:15:3a:74 srcip=10.161.51.135 dstip=10.52.190.18 proto=isni length=quid tos=aUten prec=Duis ttl=uisq srcport=7807 dstport=165 tcpflags=accus info=CSed code=tiu type=wri -2017:2:3-21:16:50 sam1795.invalid reverseproxy: [lorese] [olupta:low] [pid 3338:iqui] AH02312: Fatal error initialising mod_ssl, animide. -2017:2:18-04:19:24 confd[10]: id=arch severity=high sys=data sub=ugits name=ittenb client=tobeatae facility=ntut user=llum srcip=10.232.108.32 version=1.5240 storage=idolo object=mqu class=mquido type=ende attributes=ntmollitcount=tisu node=ionofdeF account=rsp -2017:3:4-11:21:59 nostrum6305.internal.localhost astarosg_TVM: id=llitani severity=high sys=itametco sub=etcons name=web request blocked, forbidden url detectedaction=allow method=iuntN client=utfugi facility=ursintoc user=tio srcip=10.89.41.97 dstip=10.231.116.175 version=1.5146 storage=lup ad_domain=mipsamv object=exeacomm class=sequines type=cto attributes=cusacount=nderi node=tem account=tcustatuscode=eumiu cached=nim profile=pteurs filteraction=ercitati size=835 request=ptat url=https://mail.example.net/velillu/ecatcupi.txt?rsitamet=leumiur#ssequamn referer=https://example.com/taliqui/idi.txt?undeomn=ape#itaspe error=ari authtime=umtot dnstime=onemulla cattime=atquo avscantime=borio fullreqtime=equatD device=uidol auth=inculpa ua=ruredol exceptions=iadeseru group=loremagn category=acons categoryname=nimadmi 
content-type=lapa reputation=emoenimi application=iquipex app-id=mqu reason=onorume filename=abill file=ametcon extension=ofdeFini time=tasnu function=deny line=tionev message=uasiarch fwrule=velites seq=uredolor initf=lo1543 outitf=lo6683 dstmac=01:00:5e:8c:f2:06 srcmac=01:00:5e:6f:71:02 proto=plica length=asiarc tos=lor prec=;nvolupt ttl=dquia srcport=5334 dstport=1525 tcpflags=umfugiat info=quisnos prec=utf caller=dolor engine=dexe localip=nemul host=Duis583.api.local extra=eavolupt server=10.17.51.153 cookie=aperiame set-cookie=stenat -2017:3:18-18:24:33 xeaco7887.www.localdomain aua: id=hite severity=very-high sys=ugitsed sub=dminimve name=Packet accepted srcip=10.137.165.144 user=uptate caller=tot engine=reme -2017:4:2-01:27:07 reverseproxy[5430]: ARGS:userPermissions: [\\x22dashletAccessAlertingRecentAlertsPanel\\x22,\\x22dashletAccessAlerterTopAlertsDashlet\\x22,\\x22accessViewRules\\x22,\\x22deployLiveResources\\x22,\\x22vi..."] [severity [hostname "iscivel3512.invalid"] [uri "atcupi"] [unique_id "eriti"] -2017:4:16-08:29:41 sockd[6181]: dante/server 1.202 running -2017:4:30-15:32:16 dolor5799.home afcd: Classifier configuration reloaded successfully -2017:5:14-22:34:50 oreseosq1859.api.lan reverseproxy: [mmodic] [essequam:low] [pid 6691:ficiade] [client uiinea] [uianonn] virus daemon connection problem found in request https://www5.example.com/dantium/ors.htm?sinto=edi#eumiure, referer: https://example.com/adeser/mSe.gif?aute=rchite#rcit -2017:5:29-05:37:24 confd-sync[6908]: id=smoditem severity=very-high sys=tev sub=oNemoeni name=luptatem -2017:6:12-12:39:58 autodit272.www.localhost reverseproxy: [oriss] [imadmin:very-high] [pid 1121:urve] ModSecurity: sBonoru compiled version="everi"; loaded version="squ" -2017:6:26-19:42:33 rporis6787.www5.localdomain reverseproxy: [quasiarc] [pta:low] [pid 3705:liqu] [client ipsu] AH01114: siarch: failed to make connection to backend: 10.148.21.7 -2017:7:11-02:45:07 reprehe5661.www.lan reverseproxy: 
rManage\\x22,\\x22manageLiveSystemSettings\\x22,\\x22accessViewJobs\\x22,\\x22exportList\\..."] [ver "olor"] [maturity "corpo"] [accuracy "commod"] iumd [hostname "ntore4333.api.invalid"] [uri "sitv"] [unique_id "equam"] -2017:7:25-09:47:41 exim[2384]: aeca-ugitse-ameiu utei:caecat:lumquid oluptat sequatD163.internal.example [10.151.206.38]:5794 lits -2017:8:8-16:50:15 elillu5777.www5.lan pluto: "elaudant"[olup] 10.230.4.70 #ncu: starting keying attempt quaturve of an unlimited number -2017:8:22-23:52:50 ecatcup3022.mail.invalid xl2tpd: Inherited by nproide -2017:9:6-06:55:24 qui7797.www.host ipsec_starter: Starting strongSwan umet IPsec [starter]... -2017:9:20-13:57:58 nofdeFin2037.mail.example reverseproxy: [quatD] [nevol:high] [pid 3994:Sectio] [client tiumdol] [laud] cannot read reply: Operation now in progress (115), referer: https://example.org/tquov/natu.jpg?uianonnu=por#nve -2017:10:4-21:00:32 sockd[7264]: dante/server 1.3714 running -2017:10:19-04:03:07 eFinib2403.api.example reverseproxy: [utaliq] [sun:high] [pid 4074:uredol] [client quatD] [enimad] ecatcu while reading reply from cssd, referer: https://mail.example.org/urautod/eveli.html?rese=nonproi#doconse -2017:11:2-11:05:41 confd[4939]: id=acons severity=high sys=adipisc sub=omnisist name=orroqui client=sci facility=psamvolu user=itsedqui srcip=10.244.96.61 version=1.2707 storage=onevol object=ese class=reprehen type=Exce attributes=toccacount=tinvolu node=ecatc account=iumt -2017:11:16-18:08:15 named[1900]: reloading eddoei iono -2017:12:1-01:10:49 obeatae2042.www.domain reverseproxy: [dquian] [isaute:low] [pid 1853:utfugit] (70007)The ula specified has expired: [client quaUteni] AH01110: error reading response -2017:12:15-08:13:24 aerat1267.www5.example pop3proxy: Master started -2017:12:29-15:15:58 writt2238.internal.localdomain reverseproxy: [uaer] [aed:low] [pid 478:ain] [client scingeli] [uatDuis] mod_avscan_check_file_single_part() called with parameter filename=imip -2018:1:12-22:18:32 
siutaliq4937.api.lan reverseproxy: [siutaliq] [urvel:very-high] [pid 7721:ntium] [imadmi] Hostname in dquiac request (liquide) does not match the server name (uatD) -2018:1:27-05:21:06 URID[7596]: T=BCSedut ------ 1 - [exit] accept: ametco -2018:2:10-12:23:41 astarosg_TVM[1090]: id=udex severity=low sys=iam sub=animi name=UDP flood detectedaction=allow method=nsectetu client=spici facility=untutl user=hen srcip=10.214.167.164 dstip=10.76.98.53 version=1.3726 storage=uovolup ad_domain=expl object=animi class=mdoloree type=mullamco attributes=tnulcount=ons node=radip account=amremapstatuscode=dolorsit cached=atisund profile=isnostru filteraction=quepo size=5693 request=nisi url=https://api.example.org/iono/secillum.txt?apariat=tse#enbyCi referer=https://example.com/eetdol/aut.jpg?pitlab=tutlabor#imadmi error=nculp authtime=quamnihi dnstime=nimadmi cattime=mquiado avscantime=agn fullreqtime=dip device=urmag auth=nim ua=laboreet exceptions=tutlabo group=incid category=der categoryname=totamrem content-type=eaqu reputation=itani application=mni app-id=runtmol reason=uaer filename=nor file=saut extension=olest time=volu function=block line=osam message=ncid fwrule=loremagn seq=uisau initf=lo1255 outitf=eth965 dstmac=01:00:5e:2f:c3:3e srcmac=01:00:5e:65:2d:fe proto=ictasun length=iumto tos=ciun prec=;prehe ttl=essec srcport=4562 dstport=2390 tcpflags=uaera info=nsequa prec=yCicero caller=orporis engine=oluptate localip=tesseq host=tenbyCi4371.www5.localdomain extra=spernatu server=10.98.126.206 cookie=tion set-cookie=tNeque -2018:2:24-19:26:15 ulogd[6722]: id=persp severity=medium sys=orev sub=lapa name=Packet logged action=allow fwrule=adminim seq=isiutali initf=lo7088 outitf=eth6357 dstmac=01:00:5e:9a:fe:91 srcmac=01:00:5e:78:1a:5a srcip=10.203.157.250 dstip=10.32.236.117 proto=turm length=quamei tos=nvento prec=nama ttl=ema srcport=6585 dstport=5550 tcpflags=xeacomm info=oriosa code=erspici type=oreeu -2018:3:11-02:28:49 ectob5542.www5.corp reverseproxy: [agni] 
[ivelit:high] [pid 7755:uovol] AH00959: ap_proxy_connect_backend disabling worker for (10.231.77.26) for volups -2018:3:25-09:31:24 iusmo901.www.home httpd: id=scivelit severity=high sys=untut sub=siu name=Authentication successfulaction=allow method=icons client=hende facility=umdol user=Sedutper srcip=10.2.24.156 dstip=10.113.78.101 version=1.2707 storage=amqua ad_domain=nsequatu object=aboNemoe class=mqu type=tse attributes=ntiumdcount=ueip node=amvo account=dolorsistatuscode=acc cached=quinesc profile=ulpaq filteraction=usa size=5474 request=tob url=https://www.example.org/imipsamv/doeiu.jpg?nderit=ficia#tru referer=https://mail.example.org/natuser/olupt.txt?ipsumqu=nsec#smo error=avolup authtime=litse dnstime=archit cattime=nde avscantime=tNequepo fullreqtime=byCicer device=imvenia auth=ipit ua=tdolorem exceptions=nderitin group=mquiado category=ssequa categoryname=nisist content-type=temvele reputation=ofd application=quam app-id=umdol reason=porincid filename=tisetqu file=pici extension=erit time=ehenderi function=block line=fugiatqu message=Duisaute fwrule=uptat seq=hende initf=lo3680 outitf=lo4358 dstmac=01:00:5e:0a:8f:6c srcmac=01:00:5e:34:8c:d2 proto=mnis length=ainci tos=aturve prec=;tiumdol ttl=mporain srcport=6938 dstport=6939 tcpflags=dut info=aecons prec=tionemu caller=edictasu engine=quipexea localip=orsit host=tenima5715.api.example extra=snisiut server=10.92.93.236 cookie=amr set-cookie=mfug port=7174 query=exerc uid=ntoccae -2018:4:8-16:33:58 astarosg_TVM[6463]: id=user severity=low sys=sequamn sub=adeseru name=File extension warned and proceededaction=accept method=mquisn client=ulamcol facility=nulamcol user=atatno srcip=10.180.169.49 dstip=10.206.69.71 version=1.3155 storage=risni ad_domain=ccaecat object=dtemp class=onproid type=ica attributes=mnisiscount=edolor node=nonnumqu account=iscivelistatuscode=urve cached=sundeomn profile=tasu filteraction=equunt size=3144 request=ilmo url=https://mail.example.net/isqua/deF.html?iameaq=orainci#adm 
referer=https://api.example.org/mremap/ate.htm?tlabor=cidunt#ria error=tessec authtime=cupida dnstime=ciade cattime=busBonor avscantime=enima fullreqtime=emseq device=osamni auth=umetMa ua=equatDui exceptions=its group=setquas category=nti categoryname=osamnis content-type=atisetqu reputation=ciduntut application=atisu app-id=edutpe reason=architec filename=incul file=tevelit extension=emse time=eipsaqua function=cancel line=suntincu message=lore fwrule=equatu seq=enbyCi initf=enp0s566 outitf=lo2179 dstmac=01:00:5e:2c:9d:65 srcmac=01:00:5e:1a:03:f5 proto=orema length=iusmo tos=uunturm prec=;mSect ttl=avolupta srcport=3308 dstport=1402 tcpflags=dolo info=tsed prec=corpori caller=cillumd engine=umdol localip=turmagn host=mni4032.lan extra=amrem server=10.202.65.2 cookie=queporr set-cookie=oide -2018:4:22-23:36:32 iscing6960.api.invalid reverseproxy: [emipsu] [incidu:very-high] [pid 5350:itation] SSL Library Error: error:itasper:failure -2018:5:7-06:39:06 httpd[793]: [ruredo:success] [pid nculpaq:mides] [client iconseq] ModSecurity: Warning. 
nidolo [file "runtmoll"] [line "tuserror"] [id "utlabo"] [rev "scip"] [msg "imvenia"] [severity "low"] [ver "1.6420"] [maturity "nisi"] [accuracy "seq"] [tag "ors"] [hostname "olupta3647.host"] [uri "uaUteni"] [unique_id "gitsedqu"]amqu -2018:5:21-13:41:41 named[6633]: FORMERR resolving 'iavolu7814.www5.localhost': 10.194.12.83#elit -2018:6:4-20:44:15 astarosg_TVM[5792]: id=elitess severity=low sys=amqua sub=mavenia name=checking if admin is enabledaction=cancel method=doc client=teurs facility=eturadi user=eturadip srcip=10.33.138.154 dstip=10.254.28.41 version=1.4256 storage=volupta ad_domain=dolor object=dolorsit class=tfugits type=lor attributes=oremcount=utper node=ueips account=umqustatuscode=ntexpli cached=siuta profile=porincid filteraction=itame size=1026 request=fugiat url=https://www5.example.org/etcons/aecatc.jpg?ditem=tut#oditautf referer=https://internal.example.org/eddoei/iatqu.htm?itessec=dat#tdol error=emul authtime=ariatu dnstime=luptate cattime=umdolore avscantime=iutaliq fullreqtime=oriosamn device=oluptate auth=tcu ua=mmodo exceptions=rauto group=lup category=orem categoryname=tutl content-type=iusmo reputation=uiavolu application=eri app-id=pis reason=riosam filename=isa file=nonnum extension=Nemoenim time=itati function=cancel line=nes message=atvolupt fwrule=umwritt seq=uae initf=enp0s3792 outitf=lo2114 dstmac=01:00:5e:24:b8:9f srcmac=01:00:5e:a1:a3:9f proto=bil length=itten tos=icer prec=;dolo ttl=siutaliq srcport=1455 dstport=6937 tcpflags=pexeaco info=ercitati prec=dexea caller=tasnul engine=onu localip=orisnisi host=obea2960.mail.corp extra=dolor server=10.45.12.53 cookie=etdo set-cookie=edictas -2018:6:19-03:46:49 frox[7744]: Listening on 10.99.134.49:2274 -2018:7:3-10:49:23 olli5982.www.test reverseproxy: [asp] [uatDui:medium] [pid 212:unde] [client raut] [suscip] virus daemon error found in request ectetu, referer: https://example.com/ariat/ptatemU.txt?cusan=ueipsaq#upid -2018:7:17-17:51:58 nsecte3644.internal.test reverseproxy: 
[tutla] [isund:high] [pid 3136:uidex] [client uptate] Invalid signature, cookie: JSESSIONID -2018:8:1-00:54:32 confd[4157]: id=onseq severity=very-high sys=siutaliq sub=aliqu name=serro client=ctet facility=umiurere user=antium srcip=10.32.85.21 version=1.7852 storage=eaco object=onp class=ectetur type=ione attributes=utlaborecount=nci node=acommodi account=etconsec -2018:8:15-07:57:06 econseq7119.www.home sshd: error: Could not get shadow information for NOUSER -2018:8:29-14:59:40 ant2543.www5.lan reverseproxy: [uaturve] [lapa:high] [pid 3669:idu] [client sed] [utem] cannot read reply: Operation now in progress (115), referer: https://example.com/oremagn/ehenderi.htm?mdolo=ionul#oeiusmo -2018:9:12-22:02:15 pluto[7138]: | sent accept notification olore with seqno = urEx -2018:9:27-05:04:49 httpd[6562]: id=iurere severity=medium sys=erc sub=atu name=http accessaction=accept method=odte client=uis facility=sedquia user=reetd srcip=10.210.175.52 dstip=10.87.14.186 version=1.7641 storage=tasu ad_domain=mquae object=CSedu class=atae type=aeconseq attributes=boNemocount=duntutla node=mqu account=inimastatuscode=emipsum cached=venia profile=Loremi filteraction=uisnostr size=849 request=vol url=https://internal.example.com/ritat/dipi.jpg?aliquide=aliqui#agnaaliq referer=https://api.example.org/Bonorume/emeumfu.txt?iuntNequ=ender#quid error=mipsa authtime=teturad dnstime=nimide cattime=spernat avscantime=nevolu fullreqtime=itectobe device=rroq auth=itessequ ua=uunt exceptions=pic group=unt category=emUt categoryname=eiru content-type=sauteir reputation=pic application=caecatc app-id=iarc reason=emquia filename=duntutl file=idi extension=reetdo time=pidatatn function=cancel line=ncul message=mcorpor fwrule=ofd seq=lapariat initf=eth65 outitf=lo3615 dstmac=01:00:5e:b3:e3:90 srcmac=01:00:5e:0e:b3:8e proto=consequ length=min tos=riame prec=;gnaal ttl=nti srcport=1125 dstport=605 tcpflags=utlab info=colabo prec=ditem caller=did engine=BCS localip=idex host=nisiuta4810.api.test 
extra=apa server=10.85.200.58 cookie=esse set-cookie=idexeac port=2294 query=iatquovo uid=rExce -2018:10:11-12:07:23 itametc1599.api.test ulogd: id=itaedi severity=low sys=ore sub=ips name=Authentication successful action=block fwrule=iamqu seq=aboN initf=eth2679 outitf=enp0s1164 dstmac=01:00:5e:c3:8a:24 srcmac=01:00:5e:5a:9d:a9 srcip=10.133.45.45 dstip=10.115.166.48 proto=utaliq length=icer tos=essequ prec=oeiu ttl=nsequa srcport=4180 dstport=4884 tcpflags=squa info=etM code=eve type=iru -2018:10:25-19:09:57 tiumt5462.mail.localhost sshd: Invalid user admin from runt -2018:11:9-02:12:32 vol1450.internal.host sshd: Server listening on 10.71.184.162 port 3506. -2018:11:23-09:15:06 ipsec_starter[178]: IP address or index of physical interface changed -> reinit of ipsec interface -2018:12:7-16:17:40 rporissu573.api.test reverseproxy: [exercita] [emaperi:very-high] [pid 5943:ddoei] AH02312: Fatal error initialising mod_ssl, nihi. -2018:12:21-23:20:14 nostru774.corp URID: T=tatnonp ------ 1 - [exit] allow: natuserr -2019:1:5-06:22:49 ipsec_starter[6226]: IP address or index of physical interface changed -> reinit of ipsec interface -2019:1:19-13:25:23 httpd[5037]: [iadese:unknown] [pid isundeo:emq] [client rehender] ModSecurity: Warning. 
uat [file "apa"] [line "tani"] [id "per"] [rev "ngelitse"] [msg "olorsita"] [severity "medium"] [ver "1.7102"] [maturity "apariat"] [accuracy "iuntNequ"] [tag "rExc"] [hostname "lorsita2216.www5.example"] [uri "turvelil"] [unique_id "velitsed"]rau -2019:2:2-20:27:57 sum2208.host reverseproxy: [eir] [nia:medium] [pid 4346:mco] [client ritinvol] [quioffi] mod_avscan_check_file_single_part() called with parameter filename=quamquae -2019:2:17-03:30:32 ore6843.local reverseproxy: [usmodite] [aveniam:medium] [pid 5126:xplicab] [client taev] No signature found, cookie: dictasu -2019:3:3-10:33:06 Sedu1610.mail.corp reverseproxy: [audant] [porr:medium] [pid 7442:tation] [client uunturma] AH01114: cons: failed to make connection to backend: 10.177.35.133 -2019:3:17-17:35:40 corpo6737.example reverseproxy: [officiad] [aliquide:very-high] [pid 6600:errorsi] [client raincidu] [orincidi] cannot connect: failure (111) -2019:4:1-00:38:14 pop3proxy[6854]: Master started -2019:4:15-07:40:49 eratvol314.www.home pop3proxy: Master started -2019:4:29-14:43:23 utemvele1838.mail.test reverseproxy: [xplicabo] [aco:high] [pid 2389:ratione] [client nrepr] ModSecurity: Warning. uipex [file "alorumw"] [line "nibus"] [id "eiusmo"] [msg "rci"] [hostname "seosquir715.local"] [uri "ercitati"] [unique_id "uiration"] -2019:5:13-21:45:57 ulapari2656.local reverseproxy: [itessec] [non:very-high] [pid 2237:licaboN] [client nvol] [moenimip] cannot connect: failure (111) -2019:5:28-04:48:31 reverseproxy[4278]: [ritat] [iscinge:very-high] [pid 4264:rroquisq] [client tnonpro] [nimv] erunt while reading reply from cssd, referer: https://example.org/etcon/ipitlab.gif?utlabore=suscipi#tlabor -2019:6:11-11:51:06 URID[7418]: T=xer ------ 1 - [exit] cancel: onemul -2019:6:25-18:53:40 pluto[7201]: | handling event ips for 10.165.217.56 "econse" #otamr -2019:7:10-01:56:14 stla2856.host reverseproxy: [onpro] [adolo:very-high] [pid 7766:siste] ModSecurity for Apache/nisiut (ostr) configured. 
-2019:7:24-08:58:48 peri6748.www5.domain reverseproxy: [cingeli] [esseq:high] [pid 2404:aquae] AH00098: pid file otamrema overwritten -- Unclean shutdown of previous Apache run? -2019:8:7-16:01:23 tnon5442.internal.test reverseproxy: [ive] [tquido:very-high] [pid 6108:taliquip] AH00295: caught accept, ectetu -2019:8:21-23:03:57 ariatu2606.www.host reverseproxy: [quamestq] [umquid:very-high] [pid 7690:rem] [client its] [inv] not all the file sent to the client: rin, referer: https://example.org/tation/tutlabo.jpg?amvo=ullamco#tati -2019:9:5-06:06:31 imv1805.api.host ulogd: id=oenim severity=very-high sys=iaturExc sub=orsit name=ICMP flood detected action=cancel fwrule=eos seq=quameius initf=lo4665 outitf=lo3422 dstmac=01:00:5e:d6:f3:bc srcmac=01:00:5e:87:02:08 srcip=10.96.243.231 dstip=10.248.62.55 proto=ugiat length=quiin tos=apar prec=eleumiur ttl=chite srcport=5632 dstport=4206 tcpflags=tevelit info=etc code=lorem type=temvele -2019:9:19-13:09:05 rita600.www5.localdomain reverseproxy: [ini] [elite:high] [pid 7650:mnisiut] AH00959: ap_proxy_connect_backend disabling worker for (10.132.101.158) for cipitlabs -2019:10:3-20:11:40 sshd[2014]: Did not receive identification string from rroq -2019:10:18-03:14:14 admini1122.www.local reverseproxy: [ritte] [umwritte:very-high] [pid 1817:atu] (13)failure: [client vol] AH01095: prefetch request body failed to 10.96.193.132:5342 (orumwr) from bori () -2019:11:1-10:16:48 confd[2475]: id=utaliqu severity=low sys=xplicabo sub=quamni name=dol client=sisten facility=remeumf user=acommod srcip=10.96.200.83 version=1.7416 storage=sper object=asia class=roident type=olorem attributes=teursintcount=evelites node=nostr account=lapariat -2019:11:15-17:19:22 emvel4391.localhost sshd: Did not receive identification string from quelaud -2019:11:30-00:21:57 confd-sync[5454]: id=smodite severity=high sys=utpersp sub=rnatu name=ico -2019:12:14-07:24:31 untinc5531.www5.test sshd: error: Could not get shadow information for NOUSER 
diff --git a/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json b/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json deleted file mode 100644 index efb44a7b666..00000000000 --- a/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json +++ /dev/null 
@@ -1,3704 +0,0 @@ -[ - { - "@timestamp": "2016-01-29T08:09:59.000Z", - "event.code": "smtpd", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2016:1:29-06:09:59 localhost.localdomain smtpd[905]: MASTER[nnumqua]: QR globally disabled, status one set to 'disabled'", - "fileset.name": "utm", - "host.name": "localhost.localdomain", - "input.type": "log", - "log.offset": 0, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 905, - "related.hosts": [ - "localhost.localdomain" - ], - "rsa.internal.event_desc": "smtpd: MASTER:QR globally disabled, status one set to disabled.", - "rsa.internal.messageid": "smtpd", - "rsa.network.alias_host": [ - "localhost.localdomain" - ], - "rsa.time.event_time": "2016-01-29T08:09:59.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2016-02-12T15:12:33.000Z", - "destination.address": "ercit2385.internal.home", - "destination.ip": "10.47.202.102", - "destination.mac": "01:00:5e:de:94:f6", - "destination.port": 3920, - "event.action": "block", - "event.code": "astarosg_TVM", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2016:2:12-13:12:33 astarosg_TVM[5716]: id=ommod severity=medium sys=inima sub=tlabo name=web request blocked, forbidden application detectedaction=accept method=ugiatnu client=stiae facility=nofdeF user=sunt srcip=10.57.170.140 dstip=10.213.231.72 version=1.5102 storage=emips ad_domain=imadmi object=ostrume class=molest type=upt attributes=uiineavocount=tisetq node=irati account=icistatuscode=giatquov cached=eritquii profile=dexeac filteraction=iscinge size=6992 request=oreseos url=https://mail.example.net/tati/utaliqu.html?iquaUten=santium#iciatisu referer=https://www5.example.org/eporroqu/uat.txt?atquovo=suntinc#xeac error=nidolo authtime=tatn dnstime=eli cattime=nnu avscantime=dolo fullreqtime=Loremip device=idolor auth=emeumfu ua=CSed 
exceptions=lupt group=psaquae category=oinBCSe categoryname=mnisist content-type=sedd reputation=uatD application=iunt app-id=temveleu reason=colabo filename=eme file=numqu extension=qui time=civeli function=block line=agnaali message=gnam fwrule=tat seq=ipitla initf=enp0s7281 outitf=enp0s7084 dstmac=01:00:5e:de:94:f6 srcmac=01:00:5e:1d:c1:c0 proto=den length=tutla tos=olorema prec=;iades ttl=siarchi srcport=2289 dstport=3920 tcpflags=mqu info=apariat prec=tlabore caller=untmolli engine=remi localip=saute host=ercit2385.internal.home extra=run server=10.47.202.102 cookie=quirat set-cookie=llu", - "file.directory": "emips", - "file.extension": "qui", - "file.name": "numqu", - "file.size": 6992, - "fileset.name": "utm", - "group.name": "psaquae", - "http.request.referrer": "https://www5.example.org/eporroqu/uat.txt?atquovo=suntinc#xeac", - "input.type": "log", - "log.level": "medium", - "log.offset": 121, - "observer.egress.interface.name": "enp0s7084", - "observer.ingress.interface.name": "enp0s7281", - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "observer.version": "1.5102", - "process.pid": 5716, - "related.hosts": [ - "ercit2385.internal.home" - ], - "related.ip": [ - "10.47.202.102", - "10.57.170.140" - ], - "related.user": [ - "dexeac", - "icistatuscode=giatquov", - "sunt" - ], - "rsa.db.index": "run", - "rsa.identity.logon_type": "nofdeF", - "rsa.internal.event_desc": "web", - "rsa.internal.messageid": "astarosg_TVM", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - "block", - "ugiatnu" - ], - "rsa.misc.comments": "colabo", - "rsa.misc.content_type": "sedd", - "rsa.misc.context": "apariat", - "rsa.misc.group": "psaquae", - "rsa.misc.group_object": "molest", - "rsa.misc.node": "irati", - "rsa.misc.obj_name": "uiineavocount=tisetq", - "rsa.misc.obj_type": "upt", - "rsa.misc.policy_id": "tat", - "rsa.misc.policy_name": "iscinge", - 
"rsa.misc.rule": "ommod", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.5102", - "rsa.misc.vsys": "inima", - "rsa.network.dinterface": "enp0s7084", - "rsa.network.host_dst": "ercit2385.internal.home", - "rsa.network.sinterface": "enp0s7281", - "rsa.time.event_time": "2016-02-12T15:12:33.000Z", - "rsa.web.web_cookie": "quirat", - "service.name": "tlabo", - "service.type": "sophos", - "source.ip": "10.57.170.140", - "source.mac": "01:00:5e:1d:c1:c0", - "source.port": 2289, - "tags": [ - "forwarded", - "sophos.utm" - ], - "url.domain": "mail.example.net", - "url.extension": "html", - "url.fragment": "iciatisu", - "url.original": "https://mail.example.net/tati/utaliqu.html?iquaUten=santium#iciatisu", - "url.path": "/tati/utaliqu.html", - "url.query": "iquaUten=santium", - "url.scheme": "https", - "user.name": "sunt" - }, - { - "@timestamp": "2016-02-26T22:15:08.000Z", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2016:2:26-20:15:08 eirure7587.internal.localhost reverseproxy: [mpori] [aaliquaU:medium] [pid 3905:lpaqui] (22)No form context found: [client sitame] No form context found when parsing iadese tag, referer: https://api.example.com/utla/utei.htm?oei=tlabori#oin", - "fileset.name": "utm", - "host.name": "eirure7587.internal.localhost", - "http.request.referrer": "https://api.example.com/utla/utei.htm?oei=tlabori#oin", - "input.type": "log", - "log.level": "medium", - "log.offset": 1470, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 3905, - "related.hosts": [ - "eirure7587.internal.localhost" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.event_log": "aaliquaU", - "rsa.misc.result": "No form context found", - "rsa.misc.severity": "medium", - "rsa.network.alias_host": [ - "eirure7587.internal.localhost" - ], - "rsa.network.gateway": "sitame", - "rsa.time.event_time": "2016-02-26T22:15:08.000Z", - "service.type": 
"sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2016-03-12T05:17:42.000Z", - "event.code": "confd", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2016:3:12-03:17:42 data4478.api.lan confd: id=iquipex severity=very-high sys=uradip sub=wri name=bor client=occa facility=stquidol user=itquiin srcip=10.106.239.55 version=1.3129 storage=atevel object=nsecte class=itame type=eumfug attributes=litcount=asun node=estia account=eaq", - "file.directory": "atevel", - "fileset.name": "utm", - "host.name": "data4478.api.lan", - "input.type": "log", - "log.level": "very-high", - "log.offset": 1730, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "observer.version": "1.3129", - "related.hosts": [ - "data4478.api.lan" - ], - "related.ip": [ - "10.106.239.55" - ], - "related.user": [ - "eaq", - "itquiin" - ], - "rsa.identity.logon_type": "stquidol", - "rsa.internal.event_desc": "bor", - "rsa.internal.messageid": "confd", - "rsa.misc.group_object": "itame", - "rsa.misc.node": "estia", - "rsa.misc.obj_name": "litcount=asun", - "rsa.misc.obj_type": "eumfug", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.3129", - "rsa.network.alias_host": [ - "data4478.api.lan" - ], - "rsa.time.event_time": "2016-03-12T05:17:42.000Z", - "service.name": "wri", - "service.type": "sophos", - "source.ip": "10.106.239.55", - "tags": [ - "forwarded", - "sophos.utm" - ], - "user.name": "itquiin" - }, - { - "@timestamp": "2016-03-26T12:20:16.000Z", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2016:3:26-10:20:16 ctetura3009.www5.corp reverseproxy: [lita] [adeseru:medium] [pid 7692:eaq] amest configured -- corp normal operations", - "fileset.name": "utm", - "host.name": "ctetura3009.www5.corp", - "input.type": "log", - "log.level": "medium", - "log.offset": 2010, - "observer.product": "UTM", - "observer.type": 
"Firewall", - "observer.vendor": "Sophos", - "process.pid": 7692, - "related.hosts": [ - "ctetura3009.www5.corp" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.disposition": "corp", - "rsa.misc.event_id": "AH00292", - "rsa.misc.event_log": "adeseru", - "rsa.misc.severity": "medium", - "rsa.network.alias_host": [ - "ctetura3009.www5.corp" - ], - "rsa.time.event_time": "2016-03-26T12:20:16.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2016-04-09T19:22:51.000Z", - "event.code": "smtpd", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2016:4:9-17:22:51 localhost smtpd[1411]: MASTER[inculpa]: QR globally disabled, status one set to 'disabled'", - "fileset.name": "utm", - "host.name": "localhost", - "input.type": "log", - "log.offset": 2147, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 1411, - "related.hosts": [ - "localhost" - ], - "rsa.internal.event_desc": "smtpd: MASTER:QR globally disabled, status one set to disabled.", - "rsa.internal.messageid": "smtpd", - "rsa.network.alias_host": [ - "localhost" - ], - "rsa.time.event_time": "2016-04-09T19:22:51.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2016-04-24T02:25:25.000Z", - "event.code": "httpproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2016:4:24-00:25:25 httpproxy[176]: [nse] disk_cache_zap (non) paquioff", - "fileset.name": "utm", - "input.type": "log", - "log.offset": 2256, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 176, - "rsa.db.index": "paquioff", - "rsa.internal.event_desc": "httpproxy:disk_cache_zap related message.", - "rsa.internal.messageid": "httpproxy", - "rsa.time.event_time": "2016-04-24T02:25:25.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - 
"sophos.utm" - ] - }, - { - "@timestamp": "2016-05-08T09:27:59.000Z", - "destination.ip": "10.18.13.211", - "destination.port": 205, - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2016:5:8-07:27:59 ptasnu6684.mail.lan reverseproxy: [orumSe] [boree:low] [pid 945:rQuisau] AH01915: Init: (10.18.13.211:205) You configured ofdeFini(irat) on the onev(aturauto) port!", - "fileset.name": "utm", - "host.name": "ptasnu6684.mail.lan", - "input.type": "log", - "log.level": "low", - "log.offset": 2327, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 945, - "related.hosts": [ - "ptasnu6684.mail.lan" - ], - "related.ip": [ - "10.18.13.211" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.comments": "Invalid port configuration", - "rsa.misc.event_log": "boree", - "rsa.misc.severity": "low", - "rsa.network.alias_host": [ - "ptasnu6684.mail.lan" - ], - "rsa.network.network_service": "ofdeFini", - "rsa.time.event_time": "2016-05-08T09:27:59.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2016-05-22T16:30:33.000Z", - "event.code": "barnyard", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2016:5:22-14:30:33 ssecillu7166.internal.lan barnyard: Initializing daemon mode", - "fileset.name": "utm", - "host.name": "ssecillu7166.internal.lan", - "input.type": "log", - "log.offset": 2510, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "related.hosts": [ - "ssecillu7166.internal.lan" - ], - "rsa.internal.event_desc": "barnyard:Initializing daemon mode", - "rsa.internal.messageid": "barnyard", - "rsa.network.alias_host": [ - "ssecillu7166.internal.lan" - ], - "rsa.time.event_time": "2016-05-22T16:30:33.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": 
"2016-06-05T23:33:08.000Z", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2016:6:5-21:33:08 ore5643.api.lan reverseproxy: [metco] [acom:high] [pid 2164:nim] ModSecurity: utaliqu compiled version=\"rsi\"; loaded version=\"taliqui\"", - "fileset.name": "utm", - "host.name": "ore5643.api.lan", - "input.type": "log", - "log.level": "high", - "log.offset": 2590, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 2164, - "related.hosts": [ - "ore5643.api.lan" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.event_log": "acom", - "rsa.misc.severity": "high", - "rsa.network.alias_host": [ - "ore5643.api.lan" - ], - "rsa.time.event_time": "2016-06-05T23:33:08.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2016-06-20T06:35:42.000Z", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2016:6:20-04:35:42 ciun39.localdomain reverseproxy: [iatqu] [inBCSedu:high] [pid 4006:rorsit] AH00098: pid file tionemu overwritten -- Unclean shutdown of previous Apache run?", - "file.name": "tionemu", - "fileset.name": "utm", - "host.name": "ciun39.localdomain", - "input.type": "log", - "log.level": "high", - "log.offset": 2743, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 4006, - "related.hosts": [ - "ciun39.localdomain" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.context": "Unclean shutdown", - "rsa.misc.event_id": "AH00098", - "rsa.misc.event_log": "inBCSedu", - "rsa.misc.severity": "high", - "rsa.network.alias_host": [ - "ciun39.localdomain" - ], - "rsa.time.event_time": "2016-06-20T06:35:42.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2016-07-04T13:38:16.000Z", - "event.code": "reverseproxy", - 
"event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2016:7:4-11:38:16 atatnon6064.www.invalid reverseproxy: [magnid] [adol:low] [pid 1263:roide] AH00291: long lost child came home! (pid tem)", - "fileset.name": "utm", - "host.name": "atatnon6064.www.invalid", - "input.type": "log", - "log.level": "low", - "log.offset": 2919, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 1263, - "related.hosts": [ - "atatnon6064.www.invalid" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.event_id": "AH00291", - "rsa.misc.event_log": "adol", - "rsa.misc.severity": "low", - "rsa.network.alias_host": [ - "atatnon6064.www.invalid" - ], - "rsa.time.event_time": "2016-07-04T13:38:16.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2016-07-18T20:40:50.000Z", - "event.code": "aua", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2016:7:18-18:40:50 gitse2463.www5.invalid aua: id=tvolup severity=low sys=sci sub=col name=web request blocked srcip=10.42.252.243 user=agnaaliq caller=est engine=mquisno", - "fileset.name": "utm", - "host.name": "gitse2463.www5.invalid", - "input.type": "log", - "log.level": "low", - "log.offset": 3058, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "related.hosts": [ - "gitse2463.www5.invalid" - ], - "related.user": [ - "agnaaliq" - ], - "rsa.internal.event_desc": "web", - "rsa.internal.messageid": "aua", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.severity": "low", - "rsa.network.alias_host": [ - "gitse2463.www5.invalid" - ], - "rsa.time.event_time": "2016-07-18T20:40:50.000Z", - "service.name": "col", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ], - "user.name": "agnaaliq" - }, - { - "@timestamp": "2016-08-02T03:43:25.000Z", - 
"event.code": "httpproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2016:8:2-01:43:25 httpproxy[2078]: [mol] sc_server_cmd (umdolors) decrypt failed", - "fileset.name": "utm", - "input.type": "log", - "log.offset": 3229, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 2078, - "rsa.internal.event_desc": "httpproxy:decrypt failed.", - "rsa.internal.messageid": "httpproxy", - "rsa.time.event_time": "2016-08-02T03:43:25.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2016-08-16T10:45:59.000Z", - "event.code": "frox", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2016:8:16-08:45:59 oriosam6277.mail.localdomain frox: Listening on 10.169.5.162:6676", - "fileset.name": "utm", - "host.name": "oriosam6277.mail.localdomain", - "input.type": "log", - "log.offset": 3310, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "related.hosts": [ - "oriosam6277.mail.localdomain" - ], - "related.ip": [ - "10.169.5.162" - ], - "rsa.internal.event_desc": "frox:FTP Proxy listening on port.", - "rsa.internal.messageid": "frox", - "rsa.network.alias_host": [ - "oriosam6277.mail.localdomain" - ], - "rsa.time.event_time": "2016-08-16T10:45:59.000Z", - "service.type": "sophos", - "source.ip": "10.169.5.162", - "source.port": 6676, - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2016-08-30T17:48:33.000Z", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2016:8:30-15:48:33 ptate3830.internal.localhost reverseproxy: [quamqua] [ntut:high] [pid 5996:meum] AH02572: Failed to configure at least one certificate and key for mini:Loremip", - "fileset.name": "utm", - "host.name": "ptate3830.internal.localhost", - "input.type": "log", - "log.level": "high", - "log.offset": 3395, - 
"observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 5996, - "related.hosts": [ - "ptate3830.internal.localhost" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.event_id": "AH02572", - "rsa.misc.event_log": "ntut", - "rsa.misc.severity": "high", - "rsa.network.alias_host": [ - "ptate3830.internal.localhost" - ], - "rsa.time.event_time": "2016-08-30T17:48:33.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2016-09-14T00:51:07.000Z", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2016:9:13-22:51:07 nvo6105.invalid reverseproxy: [amquaer] [aqui:medium] [pid 3340:lpa] AH00020: Configuration Failed, isn", - "fileset.name": "utm", - "host.name": "nvo6105.invalid", - "input.type": "log", - "log.level": "medium", - "log.offset": 3574, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 3340, - "related.hosts": [ - "nvo6105.invalid" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.disposition": "isn", - "rsa.misc.event_id": "AH00020", - "rsa.misc.event_log": "aqui", - "rsa.misc.result": "Configuration Failed", - "rsa.misc.severity": "medium", - "rsa.network.alias_host": [ - "nvo6105.invalid" - ], - "rsa.time.event_time": "2016-09-14T00:51:07.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2016-09-28T07:53:42.000Z", - "event.code": "afcd", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2016:9:28-05:53:42 afcd[2492]: Classifier configuration reloaded successfully", - "fileset.name": "utm", - "input.type": "log", - "log.offset": 3697, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 2492, - "rsa.internal.event_desc": "afcd: IM/P2P Classifier configuration reloaded 
successfully.", - "rsa.internal.messageid": "afcd", - "rsa.time.event_time": "2016-09-28T07:53:42.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2016-10-12T14:56:16.000Z", - "event.code": "confd", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2016:10:12-12:56:16 edic2758.api.domain confd: id=olabori severity=medium sys=atatnon sub=lica name=secil client=uisnos facility=olores user=scipit srcip=10.54.169.175 version=1.5889 storage=onorumet object=ptatema class=eavolup type=ipsumq attributes=evitcount=tno node=iss account=taspe", - "file.directory": "onorumet", - "fileset.name": "utm", - "host.name": "edic2758.api.domain", - "input.type": "log", - "log.level": "medium", - "log.offset": 3775, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "observer.version": "1.5889", - "related.hosts": [ - "edic2758.api.domain" - ], - "related.ip": [ - "10.54.169.175" - ], - "related.user": [ - "scipit", - "taspe" - ], - "rsa.identity.logon_type": "olores", - "rsa.internal.event_desc": "secil", - "rsa.internal.messageid": "confd", - "rsa.misc.group_object": "eavolup", - "rsa.misc.node": "iss", - "rsa.misc.obj_name": "evitcount=tno", - "rsa.misc.obj_type": "ipsumq", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.5889", - "rsa.network.alias_host": [ - "edic2758.api.domain" - ], - "rsa.time.event_time": "2016-10-12T14:56:16.000Z", - "service.name": "lica", - "service.type": "sophos", - "source.ip": "10.54.169.175", - "tags": [ - "forwarded", - "sophos.utm" - ], - "user.name": "scipit" - }, - { - "@timestamp": "2016-10-26T21:58:50.000Z", - "event.code": "aua", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2016:10:26-19:58:50 aua[32]: id=mmo severity=high sys=tlaboru sub=aeabillo name=checking if admin is enabled srcip=10.26.228.145 user=eruntmo caller=nimve engine=usanti", - "fileset.name": "utm", - 
"input.type": "log", - "log.level": "high", - "log.offset": 4064, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 32, - "related.user": [ - "eruntmo" - ], - "rsa.internal.event_desc": "checking", - "rsa.internal.messageid": "aua", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.severity": "high", - "rsa.time.event_time": "2016-10-26T21:58:50.000Z", - "service.name": "aeabillo", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ], - "user.name": "eruntmo" - }, - { - "@timestamp": "2016-11-10T05:01:24.000Z", - "event.code": "sshd", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2016:11:10-03:01:24 sshd[2051]: Server listening on 10.59.215.207 port 6195.", - "fileset.name": "utm", - "input.type": "log", - "log.offset": 4233, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 2051, - "related.ip": [ - "10.59.215.207" - ], - "rsa.internal.event_desc": "sshd:Server listening; restarting.", - "rsa.internal.messageid": "sshd", - "rsa.time.event_time": "2016-11-10T05:01:24.000Z", - "service.type": "sophos", - "source.ip": "10.59.215.207", - "source.port": 6195, - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2016-11-24T12:03:59.000Z", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2016:11:24-10:03:59 ectobeat3157.mail.local reverseproxy: [uasiarch] [Malor:low] [pid 170:cillumdo] AH02312: Fatal error initialising mod_ssl, ditau.", - "fileset.name": "utm", - "host.name": "ectobeat3157.mail.local", - "input.type": "log", - "log.level": "low", - "log.offset": 4310, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 170, - "related.hosts": [ - "ectobeat3157.mail.local" - ], - 
"rsa.internal.messageid": "reverseproxy", - "rsa.misc.disposition": "ditau", - "rsa.misc.event_id": "AH02312", - "rsa.misc.event_log": "Malor", - "rsa.misc.result": "Fatal error", - "rsa.misc.severity": "low", - "rsa.network.alias_host": [ - "ectobeat3157.mail.local" - ], - "rsa.time.event_time": "2016-11-24T12:03:59.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2016-12-08T19:06:33.000Z", - "destination.ip": "10.144.21.112", - "destination.port": 90, - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2016:12:8-17:06:33 ident2323.internal.corp reverseproxy: [hend] [remagna:high] [pid 873:aparia] AH01909: 10.144.21.112:90:epteurs server certificate does NOT include an ID which matches the server name", - "fileset.name": "utm", - "host.name": "ident2323.internal.corp", - "input.type": "log", - "log.level": "high", - "log.offset": 4460, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 873, - "related.hosts": [ - "ident2323.internal.corp" - ], - "related.ip": [ - "10.144.21.112" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.comments": "server certificate has a different hostname from actual hostname", - "rsa.misc.event_id": "AH01909", - "rsa.misc.event_log": "remagna", - "rsa.misc.severity": "high", - "rsa.network.alias_host": [ - "ident2323.internal.corp" - ], - "rsa.time.event_time": "2016-12-08T19:06:33.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2016-12-23T02:09:07.000Z", - "event.code": "httpproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2016:12:23-00:09:07 ttenb4581.www.host httpproxy: [rem] main (exer) shutdown finished, exiting", - "fileset.name": "utm", - "host.name": "ttenb4581.www.host", - "input.type": "log", - "log.offset": 4662, - "observer.product": "UTM", 
- "observer.type": "Firewall", - "observer.vendor": "Sophos", - "related.hosts": [ - "ttenb4581.www.host" - ], - "rsa.internal.event_desc": "httpproxy:shutdown finished, exiting.", - "rsa.internal.messageid": "httpproxy", - "rsa.network.alias_host": [ - "ttenb4581.www.host" - ], - "rsa.time.event_time": "2016-12-23T02:09:07.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2017-01-06T09:11:41.000Z", - "event.code": "frox", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2017:1:6-07:11:41 lapari5763.api.invalid frox: Listening on 10.103.2.48:4713", - "fileset.name": "utm", - "host.name": "lapari5763.api.invalid", - "input.type": "log", - "log.offset": 4757, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "related.hosts": [ - "lapari5763.api.invalid" - ], - "related.ip": [ - "10.103.2.48" - ], - "rsa.internal.event_desc": "frox:FTP Proxy listening on port.", - "rsa.internal.messageid": "frox", - "rsa.network.alias_host": [ - "lapari5763.api.invalid" - ], - "rsa.time.event_time": "2017-01-06T09:11:41.000Z", - "service.type": "sophos", - "source.ip": "10.103.2.48", - "source.port": 4713, - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2017-01-20T16:14:16.000Z", - "destination.ip": "10.52.190.18", - "destination.mac": "01:00:5e:51:b9:4d", - "destination.port": 165, - "event.code": "ulogd", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2017:1:20-14:14:16 elites4713.www.localhost ulogd: id=serr severity=very-high sys=olore sub=onemul name=portscan detected action=deny fwrule=remeum seq=etur initf=lo6086 outitf=lo272 dstmac=01:00:5e:51:b9:4d srcmac=01:00:5e:15:3a:74 srcip=10.161.51.135 dstip=10.52.190.18 proto=isni length=quid tos=aUten prec=Duis ttl=uisq srcport=7807 dstport=165 tcpflags=accus info=CSed code=tiu type=wri", - "fileset.name": "utm", - "host.name": 
"elites4713.www.localhost", - "input.type": "log", - "log.level": "very-high", - "log.offset": 4834, - "observer.egress.interface.name": "lo272", - "observer.ingress.interface.name": "lo6086", - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "related.hosts": [ - "elites4713.www.localhost" - ], - "related.ip": [ - "10.161.51.135", - "10.52.190.18" - ], - "rsa.internal.event_desc": "portscan", - "rsa.internal.messageid": "ulogd", - "rsa.investigations.ec_activity": "Scan", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "TEV", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.context": "CSed", - "rsa.misc.policy_id": "remeum", - "rsa.misc.rule": "serr", - "rsa.misc.severity": "very-high", - "rsa.misc.vsys": "olore", - "rsa.network.alias_host": [ - "elites4713.www.localhost" - ], - "rsa.network.dinterface": "lo272", - "rsa.network.network_service": "onemul", - "rsa.network.sinterface": "lo6086", - "rsa.time.event_time": "2017-01-20T16:14:16.000Z", - "service.type": "sophos", - "source.ip": "10.161.51.135", - "source.mac": "01:00:5e:15:3a:74", - "source.port": 7807, - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2017-02-03T23:16:50.000Z", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2017:2:3-21:16:50 sam1795.invalid reverseproxy: [lorese] [olupta:low] [pid 3338:iqui] AH02312: Fatal error initialising mod_ssl, animide.", - "fileset.name": "utm", - "host.name": "sam1795.invalid", - "input.type": "log", - "log.level": "low", - "log.offset": 5226, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 3338, - "related.hosts": [ - "sam1795.invalid" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.disposition": "animide", - "rsa.misc.event_id": "AH02312", - "rsa.misc.event_log": 
"olupta", - "rsa.misc.result": "Fatal error", - "rsa.misc.severity": "low", - "rsa.network.alias_host": [ - "sam1795.invalid" - ], - "rsa.time.event_time": "2017-02-03T23:16:50.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2017-02-18T06:19:24.000Z", - "event.code": "confd", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2017:2:18-04:19:24 confd[10]: id=arch severity=high sys=data sub=ugits name=ittenb client=tobeatae facility=ntut user=llum srcip=10.232.108.32 version=1.5240 storage=idolo object=mqu class=mquido type=ende attributes=ntmollitcount=tisu node=ionofdeF account=rsp", - "file.directory": "idolo", - "fileset.name": "utm", - "input.type": "log", - "log.level": "high", - "log.offset": 5364, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "observer.version": "1.5240", - "process.pid": 10, - "related.ip": [ - "10.232.108.32" - ], - "related.user": [ - "llum", - "rsp" - ], - "rsa.identity.logon_type": "ntut", - "rsa.internal.event_desc": "ittenb", - "rsa.internal.messageid": "confd", - "rsa.misc.group_object": "mquido", - "rsa.misc.node": "ionofdeF", - "rsa.misc.obj_name": "ntmollitcount=tisu", - "rsa.misc.obj_type": "ende", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.5240", - "rsa.time.event_time": "2017-02-18T06:19:24.000Z", - "service.name": "ugits", - "service.type": "sophos", - "source.ip": "10.232.108.32", - "tags": [ - "forwarded", - "sophos.utm" - ], - "user.name": "llum" - }, - { - "@timestamp": "2017-03-04T13:21:59.000Z", - "destination.address": "Duis583.api.local", - "destination.ip": "10.17.51.153", - "destination.mac": "01:00:5e:8c:f2:06", - "destination.port": 1525, - "event.action": "deny", - "event.code": "astarosg_TVM", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2017:3:4-11:21:59 nostrum6305.internal.localhost astarosg_TVM: id=llitani severity=high 
sys=itametco sub=etcons name=web request blocked, forbidden url detectedaction=allow method=iuntN client=utfugi facility=ursintoc user=tio srcip=10.89.41.97 dstip=10.231.116.175 version=1.5146 storage=lup ad_domain=mipsamv object=exeacomm class=sequines type=cto attributes=cusacount=nderi node=tem account=tcustatuscode=eumiu cached=nim profile=pteurs filteraction=ercitati size=835 request=ptat url=https://mail.example.net/velillu/ecatcupi.txt?rsitamet=leumiur#ssequamn referer=https://example.com/taliqui/idi.txt?undeomn=ape#itaspe error=ari authtime=umtot dnstime=onemulla cattime=atquo avscantime=borio fullreqtime=equatD device=uidol auth=inculpa ua=ruredol exceptions=iadeseru group=loremagn category=acons categoryname=nimadmi content-type=lapa reputation=emoenimi application=iquipex app-id=mqu reason=onorume filename=abill file=ametcon extension=ofdeFini time=tasnu function=deny line=tionev message=uasiarch fwrule=velites seq=uredolor initf=lo1543 outitf=lo6683 dstmac=01:00:5e:8c:f2:06 srcmac=01:00:5e:6f:71:02 proto=plica length=asiarc tos=lor prec=;nvolupt ttl=dquia srcport=5334 dstport=1525 tcpflags=umfugiat info=quisnos prec=utf caller=dolor engine=dexe localip=nemul host=Duis583.api.local extra=eavolupt server=10.17.51.153 cookie=aperiame set-cookie=stenat", - "file.directory": "lup", - "file.extension": "ofdeFini", - "file.name": "ametcon", - "file.size": 835, - "fileset.name": "utm", - "group.name": "loremagn", - "host.name": "nostrum6305.internal.localhost", - "http.request.referrer": "https://example.com/taliqui/idi.txt?undeomn=ape#itaspe", - "input.type": "log", - "log.level": "high", - "log.offset": 5626, - "observer.egress.interface.name": "lo6683", - "observer.ingress.interface.name": "lo1543", - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "observer.version": "1.5146", - "related.hosts": [ - "Duis583.api.local", - "nostrum6305.internal.localhost" - ], - "related.ip": [ - "10.17.51.153", - "10.89.41.97" - ], 
- "related.user": [ - "pteurs", - "tcustatuscode=eumiu", - "tio" - ], - "rsa.db.index": "eavolupt", - "rsa.identity.logon_type": "ursintoc", - "rsa.internal.event_desc": "web", - "rsa.internal.messageid": "astarosg_TVM", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - "deny", - "iuntN" - ], - "rsa.misc.comments": "onorume", - "rsa.misc.content_type": "lapa", - "rsa.misc.context": "quisnos", - "rsa.misc.group": "loremagn", - "rsa.misc.group_object": "sequines", - "rsa.misc.node": "tem", - "rsa.misc.obj_name": "cusacount=nderi", - "rsa.misc.obj_type": "cto", - "rsa.misc.policy_id": "velites", - "rsa.misc.policy_name": "ercitati", - "rsa.misc.rule": "llitani", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.5146", - "rsa.misc.vsys": "itametco", - "rsa.network.alias_host": [ - "nostrum6305.internal.localhost" - ], - "rsa.network.dinterface": "lo6683", - "rsa.network.host_dst": "Duis583.api.local", - "rsa.network.sinterface": "lo1543", - "rsa.time.event_time": "2017-03-04T13:21:59.000Z", - "rsa.web.web_cookie": "aperiame", - "service.name": "etcons", - "service.type": "sophos", - "source.ip": "10.89.41.97", - "source.mac": "01:00:5e:6f:71:02", - "source.port": 5334, - "tags": [ - "forwarded", - "sophos.utm" - ], - "url.domain": "mail.example.net", - "url.extension": "txt", - "url.fragment": "ssequamn", - "url.original": "https://mail.example.net/velillu/ecatcupi.txt?rsitamet=leumiur#ssequamn", - "url.path": "/velillu/ecatcupi.txt", - "url.query": "rsitamet=leumiur", - "url.scheme": "https", - "user.name": "tio" - }, - { - "@timestamp": "2017-03-18T20:24:33.000Z", - "event.code": "aua", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2017:3:18-18:24:33 xeaco7887.www.localdomain aua: id=hite severity=very-high sys=ugitsed sub=dminimve name=Packet accepted srcip=10.137.165.144 user=uptate caller=tot engine=reme", - "fileset.name": "utm", - "host.name": 
"xeaco7887.www.localdomain", - "input.type": "log", - "log.level": "very-high", - "log.offset": 6995, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "related.hosts": [ - "xeaco7887.www.localdomain" - ], - "related.user": [ - "uptate" - ], - "rsa.internal.event_desc": "Packet", - "rsa.internal.messageid": "aua", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.severity": "very-high", - "rsa.network.alias_host": [ - "xeaco7887.www.localdomain" - ], - "rsa.time.event_time": "2017-03-18T20:24:33.000Z", - "service.name": "dminimve", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ], - "user.name": "uptate" - }, - { - "@timestamp": "2017-04-02T03:27:07.000Z", - "destination.address": "iscivel3512.invalid", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2017:4:2-01:27:07 reverseproxy[5430]: ARGS:userPermissions: [\\\\x22dashletAccessAlertingRecentAlertsPanel\\\\x22,\\\\x22dashletAccessAlerterTopAlertsDashlet\\\\x22,\\\\x22accessViewRules\\\\x22,\\\\x22deployLiveResources\\\\x22,\\\\x22vi...\"] [severity [hostname \"iscivel3512.invalid\"] [uri \"atcupi\"] [unique_id \"eriti\"]", - "fileset.name": "utm", - "input.type": "log", - "log.offset": 7174, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 5430, - "related.hosts": [ - "iscivel3512.invalid" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.operation_id": "eriti", - "rsa.network.host_dst": "iscivel3512.invalid", - "rsa.time.event_time": "2017-04-02T03:27:07.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ], - "url.path": "atcupi" - }, - { - "@timestamp": "2017-04-16T10:29:41.000Z", - "event.code": "sockd", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2017:4:16-08:29:41 sockd[6181]: 
dante/server 1.202 running", - "fileset.name": "utm", - "input.type": "log", - "log.offset": 7478, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "observer.version": "1.202", - "process.pid": 6181, - "rsa.internal.event_desc": "sockd:dante/server running.", - "rsa.internal.messageid": "sockd", - "rsa.misc.version": "1.202", - "rsa.time.event_time": "2017-04-16T10:29:41.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2017-04-30T17:32:16.000Z", - "event.code": "afcd", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2017:4:30-15:32:16 dolor5799.home afcd: Classifier configuration reloaded successfully", - "fileset.name": "utm", - "host.name": "dolor5799.home", - "input.type": "log", - "log.offset": 7537, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "related.hosts": [ - "dolor5799.home" - ], - "rsa.internal.event_desc": "afcd: IM/P2P Classifier configuration reloaded successfully.", - "rsa.internal.messageid": "afcd", - "rsa.network.alias_host": [ - "dolor5799.home" - ], - "rsa.time.event_time": "2017-04-30T17:32:16.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2017-05-15T00:34:50.000Z", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2017:5:14-22:34:50 oreseosq1859.api.lan reverseproxy: [mmodic] [essequam:low] [pid 6691:ficiade] [client uiinea] [uianonn] virus daemon connection problem found in request https://www5.example.com/dantium/ors.htm?sinto=edi#eumiure, referer: https://example.com/adeser/mSe.gif?aute=rchite#rcit", - "fileset.name": "utm", - "host.name": "oreseosq1859.api.lan", - "http.request.referrer": "https://example.com/adeser/mSe.gif?aute=rchite#rcit", - "input.type": "log", - "log.level": "low", - "log.offset": 7624, - "observer.product": "UTM", 
- "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 6691, - "related.hosts": [ - "oreseosq1859.api.lan" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.event_log": "essequam", - "rsa.misc.result": "Virus daemon connection problem", - "rsa.misc.severity": "low", - "rsa.network.alias_host": [ - "oreseosq1859.api.lan" - ], - "rsa.network.gateway": "uiinea", - "rsa.time.event_time": "2017-05-15T00:34:50.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ], - "url.domain": "www5.example.com", - "url.extension": "htm", - "url.fragment": "eumiure", - "url.original": "https://www5.example.com/dantium/ors.htm?sinto=edi#eumiure", - "url.path": "/dantium/ors.htm", - "url.query": "sinto=edi", - "url.scheme": "https" - }, - { - "@timestamp": "2017-05-29T07:37:24.000Z", - "event.code": "confd-sync", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2017:5:29-05:37:24 confd-sync[6908]: id=smoditem severity=very-high sys=tev sub=oNemoeni name=luptatem", - "fileset.name": "utm", - "input.type": "log", - "log.level": "very-high", - "log.offset": 7917, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 6908, - "rsa.internal.event_desc": "luptatem", - "rsa.internal.messageid": "confd-sync", - "rsa.misc.severity": "very-high", - "rsa.time.event_time": "2017-05-29T07:37:24.000Z", - "service.name": "oNemoeni", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2017-06-12T14:39:58.000Z", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2017:6:12-12:39:58 autodit272.www.localhost reverseproxy: [oriss] [imadmin:very-high] [pid 1121:urve] ModSecurity: sBonoru compiled version=\"everi\"; loaded version=\"squ\"", - "fileset.name": "utm", - "host.name": "autodit272.www.localhost", - "input.type": "log", - "log.level": 
"very-high", - "log.offset": 8020, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 1121, - "related.hosts": [ - "autodit272.www.localhost" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.event_log": "imadmin", - "rsa.misc.severity": "very-high", - "rsa.network.alias_host": [ - "autodit272.www.localhost" - ], - "rsa.time.event_time": "2017-06-12T14:39:58.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2017-06-26T21:42:33.000Z", - "destination.ip": "10.148.21.7", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2017:6:26-19:42:33 rporis6787.www5.localdomain reverseproxy: [quasiarc] [pta:low] [pid 3705:liqu] [client ipsu] AH01114: siarch: failed to make connection to backend: 10.148.21.7", - "fileset.name": "utm", - "host.name": "rporis6787.www5.localdomain", - "input.type": "log", - "log.level": "low", - "log.offset": 8190, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 3705, - "related.hosts": [ - "rporis6787.www5.localdomain" - ], - "related.ip": [ - "10.148.21.7" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.event_id": "AH01114", - "rsa.misc.event_log": "pta", - "rsa.misc.result": "Backend connection failed", - "rsa.misc.severity": "low", - "rsa.network.alias_host": [ - "rporis6787.www5.localdomain" - ], - "rsa.network.gateway": "ipsu", - "rsa.network.network_service": "siarch", - "rsa.time.event_time": "2017-06-26T21:42:33.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2017-07-11T04:45:07.000Z", - "destination.address": "ntore4333.api.invalid", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2017:7:11-02:45:07 reprehe5661.www.lan reverseproxy: 
rManage\\\\x22,\\\\x22manageLiveSystemSettings\\\\x22,\\\\x22accessViewJobs\\\\x22,\\\\x22exportList\\\\...\"] [ver \"olor\"] [maturity \"corpo\"] [accuracy \"commod\"] iumd [hostname \"ntore4333.api.invalid\"] [uri \"sitv\"] [unique_id \"equam\"]", - "fileset.name": "utm", - "host.name": "reprehe5661.www.lan", - "input.type": "log", - "log.offset": 8369, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "related.hosts": [ - "ntore4333.api.invalid", - "reprehe5661.www.lan" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.context": "iumd", - "rsa.misc.operation_id": "equam", - "rsa.misc.policy_name": "olor", - "rsa.network.alias_host": [ - "reprehe5661.www.lan" - ], - "rsa.network.host_dst": "ntore4333.api.invalid", - "rsa.time.event_time": "2017-07-11T04:45:07.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ], - "url.path": "sitv" - }, - { - "@timestamp": "2017-07-25T11:47:41.000Z", - "event.code": "exim", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2017:7:25-09:47:41 exim[2384]: aeca-ugitse-ameiu utei:caecat:lumquid oluptat sequatD163.internal.example [10.151.206.38]:5794 lits", - "fileset.name": "utm", - "host.name": "sequatD163.internal.example", - "input.type": "log", - "log.offset": 8643, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 2384, - "related.hosts": [ - "sequatD163.internal.example" - ], - "related.ip": [ - "10.151.206.38" - ], - "rsa.db.index": "lits", - "rsa.internal.event_desc": "exim:connection service message.", - "rsa.internal.messageid": "exim", - "rsa.network.alias_host": [ - "sequatD163.internal.example" - ], - "rsa.time.event_time": "2017-07-25T11:47:41.000Z", - "service.type": "sophos", - "source.ip": "10.151.206.38", - "source.port": 5794, - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2017-08-08T18:50:15.000Z", - "event.code": 
"pluto", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2017:8:8-16:50:15 elillu5777.www5.lan pluto: \"elaudant\"[olup] 10.230.4.70 #ncu: starting keying attempt quaturve of an unlimited number", - "fileset.name": "utm", - "host.name": "elillu5777.www5.lan", - "input.type": "log", - "log.offset": 8774, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "related.hosts": [ - "elillu5777.www5.lan" - ], - "related.ip": [ - "10.230.4.70" - ], - "rsa.internal.event_desc": "pluto: starting keying attempt of an unlimited number", - "rsa.internal.messageid": "pluto", - "rsa.network.alias_host": [ - "elillu5777.www5.lan" - ], - "rsa.time.event_time": "2017-08-08T18:50:15.000Z", - "service.type": "sophos", - "source.ip": "10.230.4.70", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2017-08-23T01:52:50.000Z", - "event.code": "xl2tpd", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2017:8:22-23:52:50 ecatcup3022.mail.invalid xl2tpd: Inherited by nproide", - "fileset.name": "utm", - "host.name": "ecatcup3022.mail.invalid", - "input.type": "log", - "log.offset": 8910, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "related.hosts": [ - "ecatcup3022.mail.invalid" - ], - "rsa.db.index": "nproide", - "rsa.internal.event_desc": "xl2tpd:xl2tpd Software copyright.", - "rsa.internal.messageid": "xl2tpd", - "rsa.network.alias_host": [ - "ecatcup3022.mail.invalid" - ], - "rsa.time.event_time": "2017-08-23T01:52:50.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2017-09-06T08:55:24.000Z", - "event.code": "ipsec_starter", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2017:9:6-06:55:24 qui7797.www.host ipsec_starter: Starting strongSwan umet IPsec [starter]...", - "fileset.name": "utm", - "host.name": 
"qui7797.www.host", - "input.type": "log", - "log.offset": 8983, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "related.hosts": [ - "qui7797.www.host" - ], - "rsa.internal.event_desc": "ipsec_starter: Starting strongSwan 4.2.3 IPsec [starter]...", - "rsa.internal.messageid": "ipsec_starter", - "rsa.network.alias_host": [ - "qui7797.www.host" - ], - "rsa.time.event_time": "2017-09-06T08:55:24.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2017-09-20T15:57:58.000Z", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2017:9:20-13:57:58 nofdeFin2037.mail.example reverseproxy: [quatD] [nevol:high] [pid 3994:Sectio] [client tiumdol] [laud] cannot read reply: Operation now in progress (115), referer: https://example.org/tquov/natu.jpg?uianonnu=por#nve", - "fileset.name": "utm", - "host.name": "nofdeFin2037.mail.example", - "http.request.referrer": "https://example.org/tquov/natu.jpg?uianonnu=por#nve", - "input.type": "log", - "log.level": "high", - "log.offset": 9077, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 3994, - "related.hosts": [ - "nofdeFin2037.mail.example" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.event_log": "nevol", - "rsa.misc.result": "Cannot read reply", - "rsa.misc.severity": "high", - "rsa.network.alias_host": [ - "nofdeFin2037.mail.example" - ], - "rsa.network.gateway": "tiumdol", - "rsa.time.event_time": "2017-09-20T15:57:58.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2017-10-04T23:00:32.000Z", - "event.code": "sockd", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2017:10:4-21:00:32 sockd[7264]: dante/server 1.3714 running", - "fileset.name": "utm", - "input.type": "log", - "log.offset": 9312, - 
"observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "observer.version": "1.3714", - "process.pid": 7264, - "rsa.internal.event_desc": "sockd:dante/server running.", - "rsa.internal.messageid": "sockd", - "rsa.misc.version": "1.3714", - "rsa.time.event_time": "2017-10-04T23:00:32.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2017-10-19T06:03:07.000Z", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2017:10:19-04:03:07 eFinib2403.api.example reverseproxy: [utaliq] [sun:high] [pid 4074:uredol] [client quatD] [enimad] ecatcu while reading reply from cssd, referer: https://mail.example.org/urautod/eveli.html?rese=nonproi#doconse", - "fileset.name": "utm", - "host.name": "eFinib2403.api.example", - "http.request.referrer": "https://mail.example.org/urautod/eveli.html?rese=nonproi#doconse", - "input.type": "log", - "log.level": "high", - "log.offset": 9372, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 4074, - "related.hosts": [ - "eFinib2403.api.example" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.disposition": "ecatcu", - "rsa.misc.event_log": "sun", - "rsa.misc.severity": "high", - "rsa.network.alias_host": [ - "eFinib2403.api.example" - ], - "rsa.network.gateway": "quatD", - "rsa.time.event_time": "2017-10-19T06:03:07.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2017-11-02T13:05:41.000Z", - "event.code": "confd", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2017:11:2-11:05:41 confd[4939]: id=acons severity=high sys=adipisc sub=omnisist name=orroqui client=sci facility=psamvolu user=itsedqui srcip=10.244.96.61 version=1.2707 storage=onevol object=ese class=reprehen type=Exce attributes=toccacount=tinvolu node=ecatc account=iumt", - 
"file.directory": "onevol", - "fileset.name": "utm", - "input.type": "log", - "log.level": "high", - "log.offset": 9603, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "observer.version": "1.2707", - "process.pid": 4939, - "related.ip": [ - "10.244.96.61" - ], - "related.user": [ - "itsedqui", - "iumt" - ], - "rsa.identity.logon_type": "psamvolu", - "rsa.internal.event_desc": "orroqui", - "rsa.internal.messageid": "confd", - "rsa.misc.group_object": "reprehen", - "rsa.misc.node": "ecatc", - "rsa.misc.obj_name": "toccacount=tinvolu", - "rsa.misc.obj_type": "Exce", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.2707", - "rsa.time.event_time": "2017-11-02T13:05:41.000Z", - "service.name": "omnisist", - "service.type": "sophos", - "source.ip": "10.244.96.61", - "tags": [ - "forwarded", - "sophos.utm" - ], - "user.name": "itsedqui" - }, - { - "@timestamp": "2017-11-16T20:08:15.000Z", - "event.action": "reloading", - "event.code": "named", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2017:11:16-18:08:15 named[1900]: reloading eddoei iono", - "fileset.name": "utm", - "input.type": "log", - "log.offset": 9878, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 1900, - "rsa.internal.messageid": "named", - "rsa.misc.action": [ - "reloading" - ], - "rsa.misc.disposition": "iono", - "rsa.misc.obj_type": "eddoei", - "rsa.time.event_time": "2017-11-16T20:08:15.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2017-12-01T03:10:49.000Z", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2017:12:1-01:10:49 obeatae2042.www.domain reverseproxy: [dquian] [isaute:low] [pid 1853:utfugit] (70007)The ula specified has expired: [client quaUteni] AH01110: error reading response", - "fileset.name": "utm", - "host.name": 
"obeatae2042.www.domain", - "input.type": "log", - "log.level": "low", - "log.offset": 9933, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 1853, - "related.hosts": [ - "obeatae2042.www.domain" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.disposition": "ula", - "rsa.misc.event_id": "AH01110", - "rsa.misc.event_log": "isaute", - "rsa.misc.result": "Error reading response", - "rsa.misc.severity": "low", - "rsa.network.alias_host": [ - "obeatae2042.www.domain" - ], - "rsa.network.gateway": "quaUteni", - "rsa.time.event_time": "2017-12-01T03:10:49.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2017-12-15T10:13:24.000Z", - "event.code": "pop3proxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2017:12:15-08:13:24 aerat1267.www5.example pop3proxy: Master started", - "fileset.name": "utm", - "host.name": "aerat1267.www5.example", - "input.type": "log", - "log.offset": 10118, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "related.hosts": [ - "aerat1267.www5.example" - ], - "rsa.internal.event_desc": "pop3proxy:Master started.", - "rsa.internal.messageid": "pop3proxy", - "rsa.network.alias_host": [ - "aerat1267.www5.example" - ], - "rsa.time.event_time": "2017-12-15T10:13:24.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2017-12-29T17:15:58.000Z", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2017:12:29-15:15:58 writt2238.internal.localdomain reverseproxy: [uaer] [aed:low] [pid 478:ain] [client scingeli] [uatDuis] mod_avscan_check_file_single_part() called with parameter filename=imip", - "file.name": "imip", - "fileset.name": "utm", - "host.name": "writt2238.internal.localdomain", - "input.type": "log", - "log.level": "low", - 
"log.offset": 10187, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 478, - "related.hosts": [ - "writt2238.internal.localdomain" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.event_log": "aed", - "rsa.misc.severity": "low", - "rsa.network.alias_host": [ - "writt2238.internal.localdomain" - ], - "rsa.network.gateway": "scingeli", - "rsa.time.event_time": "2017-12-29T17:15:58.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2018-01-13T00:18:32.000Z", - "destination.domain": "uatD", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2018:1:12-22:18:32 siutaliq4937.api.lan reverseproxy: [siutaliq] [urvel:very-high] [pid 7721:ntium] [imadmi] Hostname in dquiac request (liquide) does not match the server name (uatD)", - "fileset.name": "utm", - "host.name": "siutaliq4937.api.lan", - "input.type": "log", - "log.level": "very-high", - "log.offset": 10383, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 7721, - "related.hosts": [ - "siutaliq4937.api.lan" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.comments": "server certificate has a different hostname from actual hostname", - "rsa.misc.event_log": "urvel", - "rsa.misc.severity": "very-high", - "rsa.network.alias_host": [ - "siutaliq4937.api.lan" - ], - "rsa.network.network_service": "dquiac", - "rsa.time.event_time": "2018-01-13T00:18:32.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2018-01-27T07:21:06.000Z", - "event.action": "accept", - "event.code": "URID", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2018:1:27-05:21:06 URID[7596]: T=BCSedut ------ 1 - [exit] accept: ametco", - "fileset.name": "utm", - "input.type": "log", - "log.offset": 10567, - 
"observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 7596, - "rsa.internal.messageid": "URID", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.disposition": "ametco", - "rsa.time.event_time": "2018-01-27T07:21:06.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2018-02-10T14:23:41.000Z", - "destination.address": "tenbyCi4371.www5.localdomain", - "destination.ip": "10.98.126.206", - "destination.mac": "01:00:5e:2f:c3:3e", - "destination.port": 2390, - "event.action": "block", - "event.code": "astarosg_TVM", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2018:2:10-12:23:41 astarosg_TVM[1090]: id=udex severity=low sys=iam sub=animi name=UDP flood detectedaction=allow method=nsectetu client=spici facility=untutl user=hen srcip=10.214.167.164 dstip=10.76.98.53 version=1.3726 storage=uovolup ad_domain=expl object=animi class=mdoloree type=mullamco attributes=tnulcount=ons node=radip account=amremapstatuscode=dolorsit cached=atisund profile=isnostru filteraction=quepo size=5693 request=nisi url=https://api.example.org/iono/secillum.txt?apariat=tse#enbyCi referer=https://example.com/eetdol/aut.jpg?pitlab=tutlabor#imadmi error=nculp authtime=quamnihi dnstime=nimadmi cattime=mquiado avscantime=agn fullreqtime=dip device=urmag auth=nim ua=laboreet exceptions=tutlabo group=incid category=der categoryname=totamrem content-type=eaqu reputation=itani application=mni app-id=runtmol reason=uaer filename=nor file=saut extension=olest time=volu function=block line=osam message=ncid fwrule=loremagn seq=uisau initf=lo1255 outitf=eth965 dstmac=01:00:5e:2f:c3:3e srcmac=01:00:5e:65:2d:fe proto=ictasun length=iumto tos=ciun prec=;prehe ttl=essec srcport=4562 dstport=2390 tcpflags=uaera info=nsequa prec=yCicero caller=orporis engine=oluptate localip=tesseq host=tenbyCi4371.www5.localdomain extra=spernatu server=10.98.126.206 cookie=tion 
set-cookie=tNeque", - "file.directory": "uovolup", - "file.extension": "olest", - "file.name": "saut", - "file.size": 5693, - "fileset.name": "utm", - "group.name": "incid", - "http.request.referrer": "https://example.com/eetdol/aut.jpg?pitlab=tutlabor#imadmi", - "input.type": "log", - "log.level": "low", - "log.offset": 10641, - "observer.egress.interface.name": "eth965", - "observer.ingress.interface.name": "lo1255", - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "observer.version": "1.3726", - "process.pid": 1090, - "related.hosts": [ - "tenbyCi4371.www5.localdomain" - ], - "related.ip": [ - "10.214.167.164", - "10.98.126.206" - ], - "related.user": [ - "amremapstatuscode=dolorsit", - "hen", - "isnostru" - ], - "rsa.db.index": "spernatu", - "rsa.identity.logon_type": "untutl", - "rsa.internal.event_desc": "UDP", - "rsa.internal.messageid": "astarosg_TVM", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - "block", - "nsectetu" - ], - "rsa.misc.comments": "uaer", - "rsa.misc.content_type": "eaqu", - "rsa.misc.context": "nsequa", - "rsa.misc.group": "incid", - "rsa.misc.group_object": "mdoloree", - "rsa.misc.node": "radip", - "rsa.misc.obj_name": "tnulcount=ons", - "rsa.misc.obj_type": "mullamco", - "rsa.misc.policy_id": "loremagn", - "rsa.misc.policy_name": "quepo", - "rsa.misc.rule": "udex", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.3726", - "rsa.misc.vsys": "iam", - "rsa.network.dinterface": "eth965", - "rsa.network.host_dst": "tenbyCi4371.www5.localdomain", - "rsa.network.sinterface": "lo1255", - "rsa.time.event_time": "2018-02-10T14:23:41.000Z", - "rsa.web.web_cookie": "tion", - "service.name": "animi", - "service.type": "sophos", - "source.ip": "10.214.167.164", - "source.mac": "01:00:5e:65:2d:fe", - "source.port": 4562, - "tags": [ - "forwarded", - "sophos.utm" - ], - "url.domain": "api.example.org", - "url.extension": 
"txt", - "url.fragment": "enbyCi", - "url.original": "https://api.example.org/iono/secillum.txt?apariat=tse#enbyCi", - "url.path": "/iono/secillum.txt", - "url.query": "apariat=tse", - "url.scheme": "https", - "user.name": "hen" - }, - { - "@timestamp": "2018-02-24T21:26:15.000Z", - "destination.ip": "10.32.236.117", - "destination.mac": "01:00:5e:9a:fe:91", - "destination.port": 5550, - "event.code": "ulogd", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2018:2:24-19:26:15 ulogd[6722]: id=persp severity=medium sys=orev sub=lapa name=Packet logged action=allow fwrule=adminim seq=isiutali initf=lo7088 outitf=eth6357 dstmac=01:00:5e:9a:fe:91 srcmac=01:00:5e:78:1a:5a srcip=10.203.157.250 dstip=10.32.236.117 proto=turm length=quamei tos=nvento prec=nama ttl=ema srcport=6585 dstport=5550 tcpflags=xeacomm info=oriosa code=erspici type=oreeu", - "fileset.name": "utm", - "input.type": "log", - "log.level": "medium", - "log.offset": 11943, - "observer.egress.interface.name": "eth6357", - "observer.ingress.interface.name": "lo7088", - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 6722, - "related.ip": [ - "10.203.157.250", - "10.32.236.117" - ], - "rsa.internal.event_desc": "Packet", - "rsa.internal.messageid": "ulogd", - "rsa.investigations.ec_activity": "Scan", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "TEV", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.context": "oriosa", - "rsa.misc.policy_id": "adminim", - "rsa.misc.rule": "persp", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "orev", - "rsa.network.dinterface": "eth6357", - "rsa.network.network_service": "lapa", - "rsa.network.sinterface": "lo7088", - "rsa.time.event_time": "2018-02-24T21:26:15.000Z", - "service.type": "sophos", - "source.ip": "10.203.157.250", - "source.mac": "01:00:5e:78:1a:5a", - 
"source.port": 6585, - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2018-03-11T04:28:49.000Z", - "destination.ip": "10.231.77.26", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2018:3:11-02:28:49 ectob5542.www5.corp reverseproxy: [agni] [ivelit:high] [pid 7755:uovol] AH00959: ap_proxy_connect_backend disabling worker for (10.231.77.26) for volups", - "fileset.name": "utm", - "host.name": "ectob5542.www5.corp", - "input.type": "log", - "log.level": "high", - "log.offset": 12330, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 7755, - "related.hosts": [ - "ectob5542.www5.corp" - ], - "related.ip": [ - "10.231.77.26" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.event_id": "AH00959", - "rsa.misc.event_log": "ivelit", - "rsa.misc.result": "disabling worker", - "rsa.misc.severity": "high", - "rsa.network.alias_host": [ - "ectob5542.www5.corp" - ], - "rsa.time.event_time": "2018-03-11T04:28:49.000Z", - "rsa.time.process_time": "volup", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2018-03-25T11:31:24.000Z", - "destination.address": "tenima5715.api.example", - "destination.ip": "10.92.93.236", - "destination.mac": "01:00:5e:0a:8f:6c", - "destination.port": 6939, - "event.action": "block", - "event.code": "httpd", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2018:3:25-09:31:24 iusmo901.www.home httpd: id=scivelit severity=high sys=untut sub=siu name=Authentication successfulaction=allow method=icons client=hende facility=umdol user=Sedutper srcip=10.2.24.156 dstip=10.113.78.101 version=1.2707 storage=amqua ad_domain=nsequatu object=aboNemoe class=mqu type=tse attributes=ntiumdcount=ueip node=amvo account=dolorsistatuscode=acc cached=quinesc profile=ulpaq filteraction=usa size=5474 request=tob 
url=https://www.example.org/imipsamv/doeiu.jpg?nderit=ficia#tru referer=https://mail.example.org/natuser/olupt.txt?ipsumqu=nsec#smo error=avolup authtime=litse dnstime=archit cattime=nde avscantime=tNequepo fullreqtime=byCicer device=imvenia auth=ipit ua=tdolorem exceptions=nderitin group=mquiado category=ssequa categoryname=nisist content-type=temvele reputation=ofd application=quam app-id=umdol reason=porincid filename=tisetqu file=pici extension=erit time=ehenderi function=block line=fugiatqu message=Duisaute fwrule=uptat seq=hende initf=lo3680 outitf=lo4358 dstmac=01:00:5e:0a:8f:6c srcmac=01:00:5e:34:8c:d2 proto=mnis length=ainci tos=aturve prec=;tiumdol ttl=mporain srcport=6938 dstport=6939 tcpflags=dut info=aecons prec=tionemu caller=edictasu engine=quipexea localip=orsit host=tenima5715.api.example extra=snisiut server=10.92.93.236 cookie=amr set-cookie=mfug port=7174 query=exerc uid=ntoccae", - "file.directory": "amqua", - "file.extension": "erit", - "file.name": "pici", - "file.size": 5474, - "fileset.name": "utm", - "group.name": "mquiado", - "host.name": "iusmo901.www.home", - "http.request.referrer": "https://mail.example.org/natuser/olupt.txt?ipsumqu=nsec#smo", - "input.type": "log", - "log.level": "high", - "log.offset": 12502, - "observer.egress.interface.name": "lo4358", - "observer.ingress.interface.name": "lo3680", - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "observer.version": "1.2707", - "related.hosts": [ - "iusmo901.www.home", - "tenima5715.api.example" - ], - "related.ip": [ - "10.2.24.156", - "10.92.93.236" - ], - "related.user": [ - "Sedutper", - "dolorsistatuscode=acc", - "ntoccae", - "ulpaq" - ], - "rsa.db.index": "snisiut", - "rsa.identity.logon_type": "umdol", - "rsa.internal.event_desc": "Authentication", - "rsa.internal.messageid": "httpd", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - "block", - "icons" - 
], - "rsa.misc.comments": "porincid", - "rsa.misc.content_type": "temvele", - "rsa.misc.context": "aecons", - "rsa.misc.group": "mquiado", - "rsa.misc.group_object": "mqu", - "rsa.misc.node": "amvo", - "rsa.misc.obj_name": "ntiumdcount=ueip", - "rsa.misc.obj_type": "tse", - "rsa.misc.policy_id": "uptat", - "rsa.misc.policy_name": "usa", - "rsa.misc.rule": "scivelit", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.2707", - "rsa.misc.vsys": "untut", - "rsa.network.alias_host": [ - "iusmo901.www.home" - ], - "rsa.network.dinterface": "lo4358", - "rsa.network.host_dst": "tenima5715.api.example", - "rsa.network.network_port": 7174, - "rsa.network.sinterface": "lo3680", - "rsa.time.event_time": "2018-03-25T11:31:24.000Z", - "rsa.web.web_cookie": "amr", - "service.name": "siu", - "service.type": "sophos", - "source.ip": "10.2.24.156", - "source.mac": "01:00:5e:34:8c:d2", - "source.port": 6938, - "tags": [ - "forwarded", - "sophos.utm" - ], - "url.domain": "www.example.org", - "url.extension": "jpg", - "url.fragment": "tru", - "url.original": "https://www.example.org/imipsamv/doeiu.jpg?nderit=ficia#tru", - "url.path": "/imipsamv/doeiu.jpg", - "url.query": [ - "exerc", - "nderit=ficia" - ], - "url.scheme": "https", - "user.name": "Sedutper" - }, - { - "@timestamp": "2018-04-08T18:33:58.000Z", - "destination.address": "mni4032.lan", - "destination.ip": "10.202.65.2", - "destination.mac": "01:00:5e:2c:9d:65", - "destination.port": 1402, - "event.action": "cancel", - "event.code": "astarosg_TVM", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2018:4:8-16:33:58 astarosg_TVM[6463]: id=user severity=low sys=sequamn sub=adeseru name=File extension warned and proceededaction=accept method=mquisn client=ulamcol facility=nulamcol user=atatno srcip=10.180.169.49 dstip=10.206.69.71 version=1.3155 storage=risni ad_domain=ccaecat object=dtemp class=onproid type=ica attributes=mnisiscount=edolor node=nonnumqu account=iscivelistatuscode=urve 
cached=sundeomn profile=tasu filteraction=equunt size=3144 request=ilmo url=https://mail.example.net/isqua/deF.html?iameaq=orainci#adm referer=https://api.example.org/mremap/ate.htm?tlabor=cidunt#ria error=tessec authtime=cupida dnstime=ciade cattime=busBonor avscantime=enima fullreqtime=emseq device=osamni auth=umetMa ua=equatDui exceptions=its group=setquas category=nti categoryname=osamnis content-type=atisetqu reputation=ciduntut application=atisu app-id=edutpe reason=architec filename=incul file=tevelit extension=emse time=eipsaqua function=cancel line=suntincu message=lore fwrule=equatu seq=enbyCi initf=enp0s566 outitf=lo2179 dstmac=01:00:5e:2c:9d:65 srcmac=01:00:5e:1a:03:f5 proto=orema length=iusmo tos=uunturm prec=;mSect ttl=avolupta srcport=3308 dstport=1402 tcpflags=dolo info=tsed prec=corpori caller=cillumd engine=umdol localip=turmagn host=mni4032.lan extra=amrem server=10.202.65.2 cookie=queporr set-cookie=oide", - "file.directory": "risni", - "file.extension": "emse", - "file.name": "tevelit", - "file.size": 3144, - "fileset.name": "utm", - "group.name": "setquas", - "http.request.referrer": "https://api.example.org/mremap/ate.htm?tlabor=cidunt#ria", - "input.type": "log", - "log.level": "low", - "log.offset": 13857, - "observer.egress.interface.name": "lo2179", - "observer.ingress.interface.name": "enp0s566", - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "observer.version": "1.3155", - "process.pid": 6463, - "related.hosts": [ - "mni4032.lan" - ], - "related.ip": [ - "10.180.169.49", - "10.202.65.2" - ], - "related.user": [ - "atatno", - "iscivelistatuscode=urve", - "tasu" - ], - "rsa.db.index": "amrem", - "rsa.identity.logon_type": "nulamcol", - "rsa.internal.event_desc": "File", - "rsa.internal.messageid": "astarosg_TVM", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - "cancel", - "mquisn" - ], - "rsa.misc.comments": 
"architec", - "rsa.misc.content_type": "atisetqu", - "rsa.misc.context": "tsed", - "rsa.misc.group": "setquas", - "rsa.misc.group_object": "onproid", - "rsa.misc.node": "nonnumqu", - "rsa.misc.obj_name": "mnisiscount=edolor", - "rsa.misc.obj_type": "ica", - "rsa.misc.policy_id": "equatu", - "rsa.misc.policy_name": "equunt", - "rsa.misc.rule": "user", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.3155", - "rsa.misc.vsys": "sequamn", - "rsa.network.dinterface": "lo2179", - "rsa.network.host_dst": "mni4032.lan", - "rsa.network.sinterface": "enp0s566", - "rsa.time.event_time": "2018-04-08T18:33:58.000Z", - "rsa.web.web_cookie": "queporr", - "service.name": "adeseru", - "service.type": "sophos", - "source.ip": "10.180.169.49", - "source.mac": "01:00:5e:1a:03:f5", - "source.port": 3308, - "tags": [ - "forwarded", - "sophos.utm" - ], - "url.domain": "mail.example.net", - "url.extension": "html", - "url.fragment": "adm", - "url.original": "https://mail.example.net/isqua/deF.html?iameaq=orainci#adm", - "url.path": "/isqua/deF.html", - "url.query": "iameaq=orainci", - "url.scheme": "https", - "user.name": "atatno" - }, - { - "@timestamp": "2018-04-23T01:36:32.000Z", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2018:4:22-23:36:32 iscing6960.api.invalid reverseproxy: [emipsu] [incidu:very-high] [pid 5350:itation] SSL Library Error: error:itasper:failure", - "fileset.name": "utm", - "host.name": "iscing6960.api.invalid", - "input.type": "log", - "log.level": "very-high", - "log.offset": 15189, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 5350, - "related.hosts": [ - "iscing6960.api.invalid" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.context": "SSL Library Error", - "rsa.misc.event_log": "incidu", - "rsa.misc.result": "failure", - "rsa.misc.result_code": "itasper", - "rsa.misc.severity": "very-high", - 
"rsa.network.alias_host": [ - "iscing6960.api.invalid" - ], - "rsa.time.event_time": "2018-04-23T01:36:32.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2018-05-07T08:39:06.000Z", - "destination.address": "olupta3647.host", - "event.code": "httpd", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2018:5:7-06:39:06 httpd[793]: [ruredo:success] [pid nculpaq:mides] [client iconseq] ModSecurity: Warning. nidolo [file \"runtmoll\"] [line \"tuserror\"] [id \"utlabo\"] [rev \"scip\"] [msg \"imvenia\"] [severity \"low\"] [ver \"1.6420\"] [maturity \"nisi\"] [accuracy \"seq\"] [tag \"ors\"] [hostname \"olupta3647.host\"] [uri \"uaUteni\"] [unique_id \"gitsedqu\"]amqu", - "file.name": "runtmoll", - "fileset.name": "utm", - "input.type": "log", - "log.level": "low", - "log.offset": 15333, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "observer.version": "1.6420", - "process.pid": 793, - "related.hosts": [ - "olupta3647.host" - ], - "rsa.internal.event_desc": "imvenia", - "rsa.internal.messageid": "httpd", - "rsa.misc.event_log": "ruredo", - "rsa.misc.operation_id": "gitsedqu", - "rsa.misc.result": "success", - "rsa.misc.rule": "utlabo", - "rsa.misc.rule_name": "nidolo", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.6420", - "rsa.network.gateway": "iconseq", - "rsa.network.host_dst": "olupta3647.host", - "rsa.time.event_time": "2018-05-07T08:39:06.000Z", - "rule.name": "nidolo", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ], - "url.path": "uaUteni" - }, - { - "@timestamp": "2018-05-21T15:41:41.000Z", - "event.code": "named", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2018:5:21-13:41:41 named[6633]: FORMERR resolving 'iavolu7814.www5.localhost': 10.194.12.83#elit", - "fileset.name": "utm", - "host.name": "iavolu7814.www5.localhost", - "input.type": "log", - 
"log.offset": 15676, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 6633, - "related.hosts": [ - "iavolu7814.www5.localhost" - ], - "related.ip": [ - "10.194.12.83" - ], - "rsa.internal.event_desc": "named:FORMERR resolving DNS.", - "rsa.internal.messageid": "named", - "rsa.network.alias_host": [ - "iavolu7814.www5.localhost" - ], - "rsa.time.event_time": "2018-05-21T15:41:41.000Z", - "service.type": "sophos", - "source.ip": "10.194.12.83", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2018-06-04T22:44:15.000Z", - "destination.address": "obea2960.mail.corp", - "destination.ip": "10.45.12.53", - "destination.mac": "01:00:5e:24:b8:9f", - "destination.port": 6937, - "event.action": "cancel", - "event.code": "astarosg_TVM", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2018:6:4-20:44:15 astarosg_TVM[5792]: id=elitess severity=low sys=amqua sub=mavenia name=checking if admin is enabledaction=cancel method=doc client=teurs facility=eturadi user=eturadip srcip=10.33.138.154 dstip=10.254.28.41 version=1.4256 storage=volupta ad_domain=dolor object=dolorsit class=tfugits type=lor attributes=oremcount=utper node=ueips account=umqustatuscode=ntexpli cached=siuta profile=porincid filteraction=itame size=1026 request=fugiat url=https://www5.example.org/etcons/aecatc.jpg?ditem=tut#oditautf referer=https://internal.example.org/eddoei/iatqu.htm?itessec=dat#tdol error=emul authtime=ariatu dnstime=luptate cattime=umdolore avscantime=iutaliq fullreqtime=oriosamn device=oluptate auth=tcu ua=mmodo exceptions=rauto group=lup category=orem categoryname=tutl content-type=iusmo reputation=uiavolu application=eri app-id=pis reason=riosam filename=isa file=nonnum extension=Nemoenim time=itati function=cancel line=nes message=atvolupt fwrule=umwritt seq=uae initf=enp0s3792 outitf=lo2114 dstmac=01:00:5e:24:b8:9f srcmac=01:00:5e:a1:a3:9f proto=bil length=itten tos=icer 
prec=;dolo ttl=siutaliq srcport=1455 dstport=6937 tcpflags=pexeaco info=ercitati prec=dexea caller=tasnul engine=onu localip=orisnisi host=obea2960.mail.corp extra=dolor server=10.45.12.53 cookie=etdo set-cookie=edictas", - "file.directory": "volupta", - "file.extension": "Nemoenim", - "file.name": "nonnum", - "file.size": 1026, - "fileset.name": "utm", - "group.name": "lup", - "http.request.referrer": "https://internal.example.org/eddoei/iatqu.htm?itessec=dat#tdol", - "input.type": "log", - "log.level": "low", - "log.offset": 15773, - "observer.egress.interface.name": "lo2114", - "observer.ingress.interface.name": "enp0s3792", - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "observer.version": "1.4256", - "process.pid": 5792, - "related.hosts": [ - "obea2960.mail.corp" - ], - "related.ip": [ - "10.33.138.154", - "10.45.12.53" - ], - "related.user": [ - "eturadip", - "porincid", - "umqustatuscode=ntexpli" - ], - "rsa.db.index": "dolor", - "rsa.identity.logon_type": "eturadi", - "rsa.internal.event_desc": "checking", - "rsa.internal.messageid": "astarosg_TVM", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - "cancel", - "doc" - ], - "rsa.misc.comments": "riosam", - "rsa.misc.content_type": "iusmo", - "rsa.misc.context": "ercitati", - "rsa.misc.group": "lup", - "rsa.misc.group_object": "tfugits", - "rsa.misc.node": "ueips", - "rsa.misc.obj_name": "oremcount=utper", - "rsa.misc.obj_type": "lor", - "rsa.misc.policy_id": "umwritt", - "rsa.misc.policy_name": "itame", - "rsa.misc.rule": "elitess", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.4256", - "rsa.misc.vsys": "amqua", - "rsa.network.dinterface": "lo2114", - "rsa.network.host_dst": "obea2960.mail.corp", - "rsa.network.sinterface": "enp0s3792", - "rsa.time.event_time": "2018-06-04T22:44:15.000Z", - "rsa.web.web_cookie": "etdo", - "service.name": "mavenia", - "service.type": "sophos", - 
"source.ip": "10.33.138.154", - "source.mac": "01:00:5e:a1:a3:9f", - "source.port": 1455, - "tags": [ - "forwarded", - "sophos.utm" - ], - "url.domain": "www5.example.org", - "url.extension": "jpg", - "url.fragment": "oditautf", - "url.original": "https://www5.example.org/etcons/aecatc.jpg?ditem=tut#oditautf", - "url.path": "/etcons/aecatc.jpg", - "url.query": "ditem=tut", - "url.scheme": "https", - "user.name": "eturadip" - }, - { - "@timestamp": "2018-06-19T05:46:49.000Z", - "event.code": "frox", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2018:6:19-03:46:49 frox[7744]: Listening on 10.99.134.49:2274", - "fileset.name": "utm", - "input.type": "log", - "log.offset": 17088, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 7744, - "related.ip": [ - "10.99.134.49" - ], - "rsa.internal.event_desc": "frox:FTP Proxy listening on port.", - "rsa.internal.messageid": "frox", - "rsa.time.event_time": "2018-06-19T05:46:49.000Z", - "service.type": "sophos", - "source.ip": "10.99.134.49", - "source.port": 2274, - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2018-07-03T12:49:23.000Z", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2018:7:3-10:49:23 olli5982.www.test reverseproxy: [asp] [uatDui:medium] [pid 212:unde] [client raut] [suscip] virus daemon error found in request ectetu, referer: https://example.com/ariat/ptatemU.txt?cusan=ueipsaq#upid", - "fileset.name": "utm", - "host.name": "olli5982.www.test", - "http.request.referrer": "https://example.com/ariat/ptatemU.txt?cusan=ueipsaq#upid", - "input.type": "log", - "log.level": "medium", - "log.offset": 17150, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 212, - "related.hosts": [ - "olli5982.www.test" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.event_log": 
"uatDui", - "rsa.misc.result": "virus daemon error", - "rsa.misc.severity": "medium", - "rsa.network.alias_host": [ - "olli5982.www.test" - ], - "rsa.network.gateway": "raut", - "rsa.time.event_time": "2018-07-03T12:49:23.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ], - "url.path": "ectetu" - }, - { - "@timestamp": "2018-07-17T19:51:58.000Z", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2018:7:17-17:51:58 nsecte3644.internal.test reverseproxy: [tutla] [isund:high] [pid 3136:uidex] [client uptate] Invalid signature, cookie: JSESSIONID", - "fileset.name": "utm", - "host.name": "nsecte3644.internal.test", - "input.type": "log", - "log.level": "high", - "log.offset": 17370, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 3136, - "related.hosts": [ - "nsecte3644.internal.test" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.event_log": "isund", - "rsa.misc.severity": "high", - "rsa.network.alias_host": [ - "nsecte3644.internal.test" - ], - "rsa.network.gateway": "uptate", - "rsa.time.event_time": "2018-07-17T19:51:58.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2018-08-01T02:54:32.000Z", - "event.code": "confd", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2018:8:1-00:54:32 confd[4157]: id=onseq severity=very-high sys=siutaliq sub=aliqu name=serro client=ctet facility=umiurere user=antium srcip=10.32.85.21 version=1.7852 storage=eaco object=onp class=ectetur type=ione attributes=utlaborecount=nci node=acommodi account=etconsec", - "file.directory": "eaco", - "fileset.name": "utm", - "input.type": "log", - "log.level": "very-high", - "log.offset": 17520, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "observer.version": "1.7852", - "process.pid": 4157, - 
"related.ip": [ - "10.32.85.21" - ], - "related.user": [ - "antium", - "etconsec" - ], - "rsa.identity.logon_type": "umiurere", - "rsa.internal.event_desc": "serro", - "rsa.internal.messageid": "confd", - "rsa.misc.group_object": "ectetur", - "rsa.misc.node": "acommodi", - "rsa.misc.obj_name": "utlaborecount=nci", - "rsa.misc.obj_type": "ione", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.7852", - "rsa.time.event_time": "2018-08-01T02:54:32.000Z", - "service.name": "aliqu", - "service.type": "sophos", - "source.ip": "10.32.85.21", - "tags": [ - "forwarded", - "sophos.utm" - ], - "user.name": "antium" - }, - { - "@timestamp": "2018-08-15T09:57:06.000Z", - "event.code": "sshd", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2018:8:15-07:57:06 econseq7119.www.home sshd: error: Could not get shadow information for NOUSER", - "fileset.name": "utm", - "host.name": "econseq7119.www.home", - "input.type": "log", - "log.offset": 17796, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "related.hosts": [ - "econseq7119.www.home" - ], - "rsa.internal.event_desc": "sshd:error:Could not get shadow information for NOUSER", - "rsa.internal.messageid": "sshd", - "rsa.network.alias_host": [ - "econseq7119.www.home" - ], - "rsa.time.event_time": "2018-08-15T09:57:06.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2018-08-29T16:59:40.000Z", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2018:8:29-14:59:40 ant2543.www5.lan reverseproxy: [uaturve] [lapa:high] [pid 3669:idu] [client sed] [utem] cannot read reply: Operation now in progress (115), referer: https://example.com/oremagn/ehenderi.htm?mdolo=ionul#oeiusmo", - "fileset.name": "utm", - "host.name": "ant2543.www5.lan", - "http.request.referrer": "https://example.com/oremagn/ehenderi.htm?mdolo=ionul#oeiusmo", - 
"input.type": "log", - "log.level": "high", - "log.offset": 17893, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 3669, - "related.hosts": [ - "ant2543.www5.lan" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.event_log": "lapa", - "rsa.misc.result": "Cannot read reply", - "rsa.misc.severity": "high", - "rsa.network.alias_host": [ - "ant2543.www5.lan" - ], - "rsa.network.gateway": "sed", - "rsa.time.event_time": "2018-08-29T16:59:40.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2018-09-13T00:02:15.000Z", - "event.action": "accept", - "event.code": "pluto", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2018:9:12-22:02:15 pluto[7138]: | sent accept notification olore with seqno = urEx", - "fileset.name": "utm", - "input.type": "log", - "log.offset": 18122, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 7138, - "rsa.internal.messageid": "pluto", - "rsa.internal.msg": "olore", - "rsa.misc.action": [ - "accept" - ], - "rsa.time.event_time": "2018-09-13T00:02:15.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2018-09-27T07:04:49.000Z", - "destination.address": "nisiuta4810.api.test", - "destination.ip": "10.85.200.58", - "destination.mac": "01:00:5e:b3:e3:90", - "destination.port": 605, - "event.action": "cancel", - "event.code": "httpd", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2018:9:27-05:04:49 httpd[6562]: id=iurere severity=medium sys=erc sub=atu name=http accessaction=accept method=odte client=uis facility=sedquia user=reetd srcip=10.210.175.52 dstip=10.87.14.186 version=1.7641 storage=tasu ad_domain=mquae object=CSedu class=atae type=aeconseq attributes=boNemocount=duntutla node=mqu account=inimastatuscode=emipsum cached=venia 
profile=Loremi filteraction=uisnostr size=849 request=vol url=https://internal.example.com/ritat/dipi.jpg?aliquide=aliqui#agnaaliq referer=https://api.example.org/Bonorume/emeumfu.txt?iuntNequ=ender#quid error=mipsa authtime=teturad dnstime=nimide cattime=spernat avscantime=nevolu fullreqtime=itectobe device=rroq auth=itessequ ua=uunt exceptions=pic group=unt category=emUt categoryname=eiru content-type=sauteir reputation=pic application=caecatc app-id=iarc reason=emquia filename=duntutl file=idi extension=reetdo time=pidatatn function=cancel line=ncul message=mcorpor fwrule=ofd seq=lapariat initf=eth65 outitf=lo3615 dstmac=01:00:5e:b3:e3:90 srcmac=01:00:5e:0e:b3:8e proto=consequ length=min tos=riame prec=;gnaal ttl=nti srcport=1125 dstport=605 tcpflags=utlab info=colabo prec=ditem caller=did engine=BCS localip=idex host=nisiuta4810.api.test extra=apa server=10.85.200.58 cookie=esse set-cookie=idexeac port=2294 query=iatquovo uid=rExce", - "file.directory": "tasu", - "file.extension": "reetdo", - "file.name": "idi", - "file.size": 849, - "fileset.name": "utm", - "group.name": "unt", - "http.request.referrer": "https://api.example.org/Bonorume/emeumfu.txt?iuntNequ=ender#quid", - "input.type": "log", - "log.level": "medium", - "log.offset": 18205, - "observer.egress.interface.name": "lo3615", - "observer.ingress.interface.name": "eth65", - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "observer.version": "1.7641", - "process.pid": 6562, - "related.hosts": [ - "nisiuta4810.api.test" - ], - "related.ip": [ - "10.210.175.52", - "10.85.200.58" - ], - "related.user": [ - "Loremi", - "inimastatuscode=emipsum", - "rExce", - "reetd" - ], - "rsa.db.index": "apa", - "rsa.identity.logon_type": "sedquia", - "rsa.internal.event_desc": "http", - "rsa.internal.messageid": "httpd", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - "cancel", - "odte" - ], - 
"rsa.misc.comments": "emquia", - "rsa.misc.content_type": "sauteir", - "rsa.misc.context": "colabo", - "rsa.misc.group": "unt", - "rsa.misc.group_object": "atae", - "rsa.misc.node": "mqu", - "rsa.misc.obj_name": "boNemocount=duntutla", - "rsa.misc.obj_type": "aeconseq", - "rsa.misc.policy_id": "ofd", - "rsa.misc.policy_name": "uisnostr", - "rsa.misc.rule": "iurere", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.7641", - "rsa.misc.vsys": "erc", - "rsa.network.dinterface": "lo3615", - "rsa.network.host_dst": "nisiuta4810.api.test", - "rsa.network.network_port": 2294, - "rsa.network.sinterface": "eth65", - "rsa.time.event_time": "2018-09-27T07:04:49.000Z", - "rsa.web.web_cookie": "esse", - "service.name": "atu", - "service.type": "sophos", - "source.ip": "10.210.175.52", - "source.mac": "01:00:5e:0e:b3:8e", - "source.port": 1125, - "tags": [ - "forwarded", - "sophos.utm" - ], - "url.domain": "internal.example.com", - "url.extension": "jpg", - "url.fragment": "agnaaliq", - "url.original": "https://internal.example.com/ritat/dipi.jpg?aliquide=aliqui#agnaaliq", - "url.path": "/ritat/dipi.jpg", - "url.query": [ - "aliquide=aliqui", - "iatquovo" - ], - "url.scheme": "https", - "user.name": "reetd" - }, - { - "@timestamp": "2018-10-11T14:07:23.000Z", - "destination.ip": "10.115.166.48", - "destination.mac": "01:00:5e:c3:8a:24", - "destination.port": 4884, - "event.code": "ulogd", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2018:10:11-12:07:23 itametc1599.api.test ulogd: id=itaedi severity=low sys=ore sub=ips name=Authentication successful action=block fwrule=iamqu seq=aboN initf=eth2679 outitf=enp0s1164 dstmac=01:00:5e:c3:8a:24 srcmac=01:00:5e:5a:9d:a9 srcip=10.133.45.45 dstip=10.115.166.48 proto=utaliq length=icer tos=essequ prec=oeiu ttl=nsequa srcport=4180 dstport=4884 tcpflags=squa info=etM code=eve type=iru", - "fileset.name": "utm", - "host.name": "itametc1599.api.test", - "input.type": "log", - "log.level": "low", - 
"log.offset": 19517, - "observer.egress.interface.name": "enp0s1164", - "observer.ingress.interface.name": "eth2679", - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "related.hosts": [ - "itametc1599.api.test" - ], - "related.ip": [ - "10.115.166.48", - "10.133.45.45" - ], - "rsa.internal.event_desc": "Authentication", - "rsa.internal.messageid": "ulogd", - "rsa.investigations.ec_activity": "Scan", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "TEV", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.context": "etM", - "rsa.misc.policy_id": "iamqu", - "rsa.misc.rule": "itaedi", - "rsa.misc.severity": "low", - "rsa.misc.vsys": "ore", - "rsa.network.alias_host": [ - "itametc1599.api.test" - ], - "rsa.network.dinterface": "enp0s1164", - "rsa.network.network_service": "ips", - "rsa.network.sinterface": "eth2679", - "rsa.time.event_time": "2018-10-11T14:07:23.000Z", - "service.type": "sophos", - "source.ip": "10.133.45.45", - "source.mac": "01:00:5e:5a:9d:a9", - "source.port": 4180, - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2018-10-25T21:09:57.000Z", - "event.code": "sshd", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2018:10:25-19:09:57 tiumt5462.mail.localhost sshd: Invalid user admin from runt", - "fileset.name": "utm", - "host.name": "tiumt5462.mail.localhost", - "input.type": "log", - "log.offset": 19914, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "related.hosts": [ - "tiumt5462.mail.localhost" - ], - "rsa.internal.event_desc": "sshd:Invalid user admin.", - "rsa.internal.messageid": "sshd", - "rsa.network.alias_host": [ - "tiumt5462.mail.localhost" - ], - "rsa.time.event_time": "2018-10-25T21:09:57.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": 
"2018-11-09T04:12:32.000Z", - "event.code": "sshd", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2018:11:9-02:12:32 vol1450.internal.host sshd: Server listening on 10.71.184.162 port 3506.", - "fileset.name": "utm", - "host.name": "vol1450.internal.host", - "input.type": "log", - "log.offset": 19994, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "related.hosts": [ - "vol1450.internal.host" - ], - "related.ip": [ - "10.71.184.162" - ], - "rsa.internal.event_desc": "sshd:Server listening; restarting.", - "rsa.internal.messageid": "sshd", - "rsa.network.alias_host": [ - "vol1450.internal.host" - ], - "rsa.time.event_time": "2018-11-09T04:12:32.000Z", - "service.type": "sophos", - "source.ip": "10.71.184.162", - "source.port": 3506, - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2018-11-23T11:15:06.000Z", - "event.code": "ipsec_starter", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2018:11:23-09:15:06 ipsec_starter[178]: IP address or index of physical interface changed -> reinit of ipsec interface", - "fileset.name": "utm", - "input.type": "log", - "log.offset": 20086, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 178, - "rsa.internal.event_desc": "ipsec_starter: IP address or index of physical interface changed.", - "rsa.internal.messageid": "ipsec_starter", - "rsa.time.event_time": "2018-11-23T11:15:06.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2018-12-07T18:17:40.000Z", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2018:12:7-16:17:40 rporissu573.api.test reverseproxy: [exercita] [emaperi:very-high] [pid 5943:ddoei] AH02312: Fatal error initialising mod_ssl, nihi.", - "fileset.name": "utm", - "host.name": "rporissu573.api.test", - 
"input.type": "log", - "log.level": "very-high", - "log.offset": 20205, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 5943, - "related.hosts": [ - "rporissu573.api.test" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.disposition": "nihi", - "rsa.misc.event_id": "AH02312", - "rsa.misc.event_log": "emaperi", - "rsa.misc.result": "Fatal error", - "rsa.misc.severity": "very-high", - "rsa.network.alias_host": [ - "rporissu573.api.test" - ], - "rsa.time.event_time": "2018-12-07T18:17:40.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2018-12-22T01:20:14.000Z", - "event.action": "allow", - "event.code": "URID", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2018:12:21-23:20:14 nostru774.corp URID: T=tatnonp ------ 1 - [exit] allow: natuserr", - "fileset.name": "utm", - "host.name": "nostru774.corp", - "input.type": "log", - "log.offset": 20356, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "related.hosts": [ - "nostru774.corp" - ], - "rsa.internal.messageid": "URID", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.disposition": "natuserr", - "rsa.network.alias_host": [ - "nostru774.corp" - ], - "rsa.time.event_time": "2018-12-22T01:20:14.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2019-01-05T08:22:49.000Z", - "event.code": "ipsec_starter", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2019:1:5-06:22:49 ipsec_starter[6226]: IP address or index of physical interface changed -> reinit of ipsec interface", - "fileset.name": "utm", - "input.type": "log", - "log.offset": 20441, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 6226, - "rsa.internal.event_desc": "ipsec_starter: IP address or index of physical 
interface changed.", - "rsa.internal.messageid": "ipsec_starter", - "rsa.time.event_time": "2019-01-05T08:22:49.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2019-01-19T15:25:23.000Z", - "destination.address": "lorsita2216.www5.example", - "event.code": "httpd", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2019:1:19-13:25:23 httpd[5037]: [iadese:unknown] [pid isundeo:emq] [client rehender] ModSecurity: Warning. uat [file \"apa\"] [line \"tani\"] [id \"per\"] [rev \"ngelitse\"] [msg \"olorsita\"] [severity \"medium\"] [ver \"1.7102\"] [maturity \"apariat\"] [accuracy \"iuntNequ\"] [tag \"rExc\"] [hostname \"lorsita2216.www5.example\"] [uri \"turvelil\"] [unique_id \"velitsed\"]rau", - "file.name": "apa", - "fileset.name": "utm", - "input.type": "log", - "log.level": "medium", - "log.offset": 20559, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "observer.version": "1.7102", - "process.pid": 5037, - "related.hosts": [ - "lorsita2216.www5.example" - ], - "rsa.internal.event_desc": "olorsita", - "rsa.internal.messageid": "httpd", - "rsa.misc.event_log": "iadese", - "rsa.misc.operation_id": "velitsed", - "rsa.misc.result": "unknown", - "rsa.misc.rule": "per", - "rsa.misc.rule_name": "uat", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.7102", - "rsa.network.gateway": "rehender", - "rsa.network.host_dst": "lorsita2216.www5.example", - "rsa.time.event_time": "2019-01-19T15:25:23.000Z", - "rule.name": "uat", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ], - "url.path": "turvelil" - }, - { - "@timestamp": "2019-02-02T22:27:57.000Z", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2019:2:2-20:27:57 sum2208.host reverseproxy: [eir] [nia:medium] [pid 4346:mco] [client ritinvol] [quioffi] mod_avscan_check_file_single_part() called 
with parameter filename=quamquae", - "file.name": "quamquae", - "fileset.name": "utm", - "host.name": "sum2208.host", - "input.type": "log", - "log.level": "medium", - "log.offset": 20914, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 4346, - "related.hosts": [ - "sum2208.host" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.event_log": "nia", - "rsa.misc.severity": "medium", - "rsa.network.alias_host": [ - "sum2208.host" - ], - "rsa.network.gateway": "ritinvol", - "rsa.time.event_time": "2019-02-02T22:27:57.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2019-02-17T05:30:32.000Z", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2019:2:17-03:30:32 ore6843.local reverseproxy: [usmodite] [aveniam:medium] [pid 5126:xplicab] [client taev] No signature found, cookie: dictasu", - "fileset.name": "utm", - "host.name": "ore6843.local", - "input.type": "log", - "log.level": "medium", - "log.offset": 21097, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 5126, - "related.hosts": [ - "ore6843.local" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.comments": "No signature on cookie", - "rsa.misc.event_log": "aveniam", - "rsa.misc.severity": "medium", - "rsa.network.alias_host": [ - "ore6843.local" - ], - "rsa.network.gateway": "taev", - "rsa.time.event_time": "2019-02-17T05:30:32.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2019-03-03T12:33:06.000Z", - "destination.ip": "10.177.35.133", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2019:3:3-10:33:06 Sedu1610.mail.corp reverseproxy: [audant] [porr:medium] [pid 7442:tation] [client uunturma] AH01114: cons: failed to make connection 
to backend: 10.177.35.133", - "fileset.name": "utm", - "host.name": "Sedu1610.mail.corp", - "input.type": "log", - "log.level": "medium", - "log.offset": 21241, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 7442, - "related.hosts": [ - "Sedu1610.mail.corp" - ], - "related.ip": [ - "10.177.35.133" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.event_id": "AH01114", - "rsa.misc.event_log": "porr", - "rsa.misc.result": "Backend connection failed", - "rsa.misc.severity": "medium", - "rsa.network.alias_host": [ - "Sedu1610.mail.corp" - ], - "rsa.network.gateway": "uunturma", - "rsa.network.network_service": "cons", - "rsa.time.event_time": "2019-03-03T12:33:06.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2019-03-17T19:35:40.000Z", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2019:3:17-17:35:40 corpo6737.example reverseproxy: [officiad] [aliquide:very-high] [pid 6600:errorsi] [client raincidu] [orincidi] cannot connect: failure (111)", - "fileset.name": "utm", - "host.name": "corpo6737.example", - "input.type": "log", - "log.level": "very-high", - "log.offset": 21418, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 6600, - "related.hosts": [ - "corpo6737.example" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.event_log": "aliquide", - "rsa.misc.result": "failure", - "rsa.misc.severity": "very-high", - "rsa.network.alias_host": [ - "corpo6737.example" - ], - "rsa.network.gateway": "raincidu", - "rsa.time.event_time": "2019-03-17T19:35:40.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2019-04-01T02:38:14.000Z", - "event.code": "pop3proxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2019:4:1-00:38:14 
pop3proxy[6854]: Master started", - "fileset.name": "utm", - "input.type": "log", - "log.offset": 21579, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 6854, - "rsa.internal.event_desc": "pop3proxy:Master started.", - "rsa.internal.messageid": "pop3proxy", - "rsa.time.event_time": "2019-04-01T02:38:14.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2019-04-15T09:40:49.000Z", - "event.code": "pop3proxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2019:4:15-07:40:49 eratvol314.www.home pop3proxy: Master started", - "fileset.name": "utm", - "host.name": "eratvol314.www.home", - "input.type": "log", - "log.offset": 21629, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "related.hosts": [ - "eratvol314.www.home" - ], - "rsa.internal.event_desc": "pop3proxy:Master started.", - "rsa.internal.messageid": "pop3proxy", - "rsa.network.alias_host": [ - "eratvol314.www.home" - ], - "rsa.time.event_time": "2019-04-15T09:40:49.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2019-04-29T16:43:23.000Z", - "destination.address": "seosquir715.local", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2019:4:29-14:43:23 utemvele1838.mail.test reverseproxy: [xplicabo] [aco:high] [pid 2389:ratione] [client nrepr] ModSecurity: Warning. 
uipex [file \"alorumw\"] [line \"nibus\"] [id \"eiusmo\"] [msg \"rci\"] [hostname \"seosquir715.local\"] [uri \"ercitati\"] [unique_id \"uiration\"]", - "file.name": "alorumw", - "fileset.name": "utm", - "host.name": "utemvele1838.mail.test", - "input.type": "log", - "log.level": "high", - "log.offset": 21694, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 2389, - "related.hosts": [ - "seosquir715.local", - "utemvele1838.mail.test" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.comments": "rci", - "rsa.misc.event_log": "aco", - "rsa.misc.operation_id": "uiration", - "rsa.misc.result": "high", - "rsa.misc.rule": "eiusmo", - "rsa.misc.rule_name": "uipex", - "rsa.misc.severity": "high", - "rsa.network.alias_host": [ - "utemvele1838.mail.test" - ], - "rsa.network.gateway": "nrepr", - "rsa.network.host_dst": "seosquir715.local", - "rsa.time.event_time": "2019-04-29T16:43:23.000Z", - "rule.name": "uipex", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ], - "url.path": "ercitati" - }, - { - "@timestamp": "2019-05-13T23:45:57.000Z", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2019:5:13-21:45:57 ulapari2656.local reverseproxy: [itessec] [non:very-high] [pid 2237:licaboN] [client nvol] [moenimip] cannot connect: failure (111)", - "fileset.name": "utm", - "host.name": "ulapari2656.local", - "input.type": "log", - "log.level": "very-high", - "log.offset": 21963, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 2237, - "related.hosts": [ - "ulapari2656.local" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.event_log": "non", - "rsa.misc.result": "failure", - "rsa.misc.severity": "very-high", - "rsa.network.alias_host": [ - "ulapari2656.local" - ], - "rsa.network.gateway": "nvol", - "rsa.time.event_time": "2019-05-13T23:45:57.000Z", - 
"service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2019-05-28T06:48:31.000Z", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2019:5:28-04:48:31 reverseproxy[4278]: [ritat] [iscinge:very-high] [pid 4264:rroquisq] [client tnonpro] [nimv] erunt while reading reply from cssd, referer: https://example.org/etcon/ipitlab.gif?utlabore=suscipi#tlabor", - "fileset.name": "utm", - "http.request.referrer": "https://example.org/etcon/ipitlab.gif?utlabore=suscipi#tlabor", - "input.type": "log", - "log.level": "very-high", - "log.offset": 22114, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 4264, - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.disposition": "erunt", - "rsa.misc.event_log": "iscinge", - "rsa.misc.severity": "very-high", - "rsa.network.gateway": "tnonpro", - "rsa.time.event_time": "2019-05-28T06:48:31.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2019-06-11T13:51:06.000Z", - "event.action": "cancel", - "event.code": "URID", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2019:6:11-11:51:06 URID[7418]: T=xer ------ 1 - [exit] cancel: onemul", - "fileset.name": "utm", - "input.type": "log", - "log.offset": 22333, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 7418, - "rsa.internal.messageid": "URID", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.disposition": "onemul", - "rsa.time.event_time": "2019-06-11T13:51:06.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2019-06-25T20:53:40.000Z", - "event.action": "ips", - "event.code": "pluto", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2019:6:25-18:53:40 pluto[7201]: | handling event ips 
for 10.165.217.56 \"econse\" #otamr", - "fileset.name": "utm", - "input.type": "log", - "log.offset": 22403, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 7201, - "related.ip": [ - "10.165.217.56" - ], - "rsa.internal.messageid": "pluto", - "rsa.misc.event_type": "ips", - "rsa.time.event_time": "2019-06-25T20:53:40.000Z", - "service.type": "sophos", - "source.ip": "10.165.217.56", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2019-07-10T03:56:14.000Z", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2019:7:10-01:56:14 stla2856.host reverseproxy: [onpro] [adolo:very-high] [pid 7766:siste] ModSecurity for Apache/nisiut (ostr) configured.", - "fileset.name": "utm", - "host.name": "stla2856.host", - "input.type": "log", - "log.level": "very-high", - "log.offset": 22490, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 7766, - "related.hosts": [ - "stla2856.host" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.disposition": "configured", - "rsa.misc.event_log": "adolo", - "rsa.misc.severity": "very-high", - "rsa.network.alias_host": [ - "stla2856.host" - ], - "rsa.time.event_time": "2019-07-10T03:56:14.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2019-07-24T10:58:48.000Z", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2019:7:24-08:58:48 peri6748.www5.domain reverseproxy: [cingeli] [esseq:high] [pid 2404:aquae] AH00098: pid file otamrema overwritten -- Unclean shutdown of previous Apache run?", - "file.name": "otamrema", - "fileset.name": "utm", - "host.name": "peri6748.www5.domain", - "input.type": "log", - "log.level": "high", - "log.offset": 22629, - "observer.product": "UTM", - "observer.type": "Firewall", - 
"observer.vendor": "Sophos", - "process.pid": 2404, - "related.hosts": [ - "peri6748.www5.domain" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.context": "Unclean shutdown", - "rsa.misc.event_id": "AH00098", - "rsa.misc.event_log": "esseq", - "rsa.misc.severity": "high", - "rsa.network.alias_host": [ - "peri6748.www5.domain" - ], - "rsa.time.event_time": "2019-07-24T10:58:48.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2019-08-07T18:01:23.000Z", - "event.action": "accept", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2019:8:7-16:01:23 tnon5442.internal.test reverseproxy: [ive] [tquido:very-high] [pid 6108:taliquip] AH00295: caught accept, ectetu", - "fileset.name": "utm", - "host.name": "tnon5442.internal.test", - "input.type": "log", - "log.level": "very-high", - "log.offset": 22806, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 6108, - "related.hosts": [ - "tnon5442.internal.test" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.disposition": "ectetu", - "rsa.misc.event_id": "AH00295", - "rsa.misc.event_log": "tquido", - "rsa.misc.severity": "very-high", - "rsa.network.alias_host": [ - "tnon5442.internal.test" - ], - "rsa.time.event_time": "2019-08-07T18:01:23.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2019-08-22T01:03:57.000Z", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2019:8:21-23:03:57 ariatu2606.www.host reverseproxy: [quamestq] [umquid:very-high] [pid 7690:rem] [client its] [inv] not all the file sent to the client: rin, referer: https://example.org/tation/tutlabo.jpg?amvo=ullamco#tati", - "fileset.name": "utm", - "host.name": "ariatu2606.www.host", - 
"http.request.referrer": "https://example.org/tation/tutlabo.jpg?amvo=ullamco#tati", - "input.type": "log", - "log.level": "very-high", - "log.offset": 22937, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 7690, - "related.hosts": [ - "ariatu2606.www.host" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.context": "Not all file sent to client", - "rsa.misc.event_log": "umquid", - "rsa.misc.severity": "very-high", - "rsa.network.alias_host": [ - "ariatu2606.www.host" - ], - "rsa.network.gateway": "its", - "rsa.time.event_time": "2019-08-22T01:03:57.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2019-09-05T08:06:31.000Z", - "destination.ip": "10.248.62.55", - "destination.mac": "01:00:5e:d6:f3:bc", - "destination.port": 4206, - "event.code": "ulogd", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2019:9:5-06:06:31 imv1805.api.host ulogd: id=oenim severity=very-high sys=iaturExc sub=orsit name=ICMP flood detected action=cancel fwrule=eos seq=quameius initf=lo4665 outitf=lo3422 dstmac=01:00:5e:d6:f3:bc srcmac=01:00:5e:87:02:08 srcip=10.96.243.231 dstip=10.248.62.55 proto=ugiat length=quiin tos=apar prec=eleumiur ttl=chite srcport=5632 dstport=4206 tcpflags=tevelit info=etc code=lorem type=temvele", - "fileset.name": "utm", - "host.name": "imv1805.api.host", - "input.type": "log", - "log.level": "very-high", - "log.offset": 23162, - "observer.egress.interface.name": "lo3422", - "observer.ingress.interface.name": "lo4665", - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "related.hosts": [ - "imv1805.api.host" - ], - "related.ip": [ - "10.248.62.55", - "10.96.243.231" - ], - "rsa.internal.event_desc": "ICMP", - "rsa.internal.messageid": "ulogd", - "rsa.investigations.ec_activity": "Scan", - "rsa.investigations.ec_subject": "NetworkComm", - 
"rsa.investigations.ec_theme": "TEV", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.context": "etc", - "rsa.misc.policy_id": "eos", - "rsa.misc.rule": "oenim", - "rsa.misc.severity": "very-high", - "rsa.misc.vsys": "iaturExc", - "rsa.network.alias_host": [ - "imv1805.api.host" - ], - "rsa.network.dinterface": "lo3422", - "rsa.network.network_service": "orsit", - "rsa.network.sinterface": "lo4665", - "rsa.time.event_time": "2019-09-05T08:06:31.000Z", - "service.type": "sophos", - "source.ip": "10.96.243.231", - "source.mac": "01:00:5e:87:02:08", - "source.port": 5632, - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2019-09-19T15:09:05.000Z", - "destination.ip": "10.132.101.158", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2019:9:19-13:09:05 rita600.www5.localdomain reverseproxy: [ini] [elite:high] [pid 7650:mnisiut] AH00959: ap_proxy_connect_backend disabling worker for (10.132.101.158) for cipitlabs", - "fileset.name": "utm", - "host.name": "rita600.www5.localdomain", - "input.type": "log", - "log.level": "high", - "log.offset": 23568, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 7650, - "related.hosts": [ - "rita600.www5.localdomain" - ], - "related.ip": [ - "10.132.101.158" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.event_id": "AH00959", - "rsa.misc.event_log": "elite", - "rsa.misc.result": "disabling worker", - "rsa.misc.severity": "high", - "rsa.network.alias_host": [ - "rita600.www5.localdomain" - ], - "rsa.time.event_time": "2019-09-19T15:09:05.000Z", - "rsa.time.process_time": "cipitlab", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2019-10-03T22:11:40.000Z", - "event.code": "sshd", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": 
"2019:10:3-20:11:40 sshd[2014]: Did not receive identification string from rroq", - "fileset.name": "utm", - "input.type": "log", - "log.offset": 23750, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 2014, - "rsa.internal.event_desc": "sshd: Did not receive identification string.", - "rsa.internal.messageid": "sshd", - "rsa.time.event_time": "2019-10-03T22:11:40.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2019-10-18T05:14:14.000Z", - "event.code": "reverseproxy", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2019:10:18-03:14:14 admini1122.www.local reverseproxy: [ritte] [umwritte:very-high] [pid 1817:atu] (13)failure: [client vol] AH01095: prefetch request body failed to 10.96.193.132:5342 (orumwr) from bori ()", - "fileset.name": "utm", - "host.name": "admini1122.www.local", - "input.type": "log", - "log.level": "very-high", - "log.offset": 23829, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 1817, - "related.hosts": [ - "admini1122.www.local" - ], - "related.ip": [ - "10.96.193.132" - ], - "rsa.internal.messageid": "reverseproxy", - "rsa.misc.event_id": "AH01095", - "rsa.misc.event_log": "umwritte", - "rsa.misc.result": "failure", - "rsa.misc.severity": "very-high", - "rsa.network.alias_host": [ - "admini1122.www.local" - ], - "rsa.network.gateway": "vol", - "rsa.time.event_time": "2019-10-18T05:14:14.000Z", - "service.type": "sophos", - "source.ip": "10.96.193.132", - "source.port": 5342, - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2019-11-01T12:16:48.000Z", - "event.code": "confd", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2019:11:1-10:16:48 confd[2475]: id=utaliqu severity=low sys=xplicabo sub=quamni name=dol client=sisten facility=remeumf user=acommod srcip=10.96.200.83 
version=1.7416 storage=sper object=asia class=roident type=olorem attributes=teursintcount=evelites node=nostr account=lapariat", - "file.directory": "sper", - "fileset.name": "utm", - "input.type": "log", - "log.level": "low", - "log.offset": 24036, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "observer.version": "1.7416", - "process.pid": 2475, - "related.ip": [ - "10.96.200.83" - ], - "related.user": [ - "acommod", - "lapariat" - ], - "rsa.identity.logon_type": "remeumf", - "rsa.internal.event_desc": "dol", - "rsa.internal.messageid": "confd", - "rsa.misc.group_object": "roident", - "rsa.misc.node": "nostr", - "rsa.misc.obj_name": "teursintcount=evelites", - "rsa.misc.obj_type": "olorem", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.7416", - "rsa.time.event_time": "2019-11-01T12:16:48.000Z", - "service.name": "quamni", - "service.type": "sophos", - "source.ip": "10.96.200.83", - "tags": [ - "forwarded", - "sophos.utm" - ], - "user.name": "acommod" - }, - { - "@timestamp": "2019-11-15T19:19:22.000Z", - "event.code": "sshd", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2019:11:15-17:19:22 emvel4391.localhost sshd: Did not receive identification string from quelaud", - "fileset.name": "utm", - "host.name": "emvel4391.localhost", - "input.type": "log", - "log.offset": 24316, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "related.hosts": [ - "emvel4391.localhost" - ], - "rsa.internal.event_desc": "sshd: Did not receive identification string.", - "rsa.internal.messageid": "sshd", - "rsa.network.alias_host": [ - "emvel4391.localhost" - ], - "rsa.time.event_time": "2019-11-15T19:19:22.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2019-11-30T02:21:57.000Z", - "event.code": "confd-sync", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": 
"2019:11:30-00:21:57 confd-sync[5454]: id=smodite severity=high sys=utpersp sub=rnatu name=ico", - "fileset.name": "utm", - "input.type": "log", - "log.level": "high", - "log.offset": 24413, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "process.pid": 5454, - "rsa.internal.event_desc": "ico", - "rsa.internal.messageid": "confd-sync", - "rsa.misc.severity": "high", - "rsa.time.event_time": "2019-11-30T02:21:57.000Z", - "service.name": "rnatu", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - }, - { - "@timestamp": "2019-12-14T09:24:31.000Z", - "event.code": "sshd", - "event.dataset": "sophos.utm", - "event.module": "sophos", - "event.original": "2019:12:14-07:24:31 untinc5531.www5.test sshd: error: Could not get shadow information for NOUSER", - "fileset.name": "utm", - "host.name": "untinc5531.www5.test", - "input.type": "log", - "log.offset": 24507, - "observer.product": "UTM", - "observer.type": "Firewall", - "observer.vendor": "Sophos", - "related.hosts": [ - "untinc5531.www5.test" - ], - "rsa.internal.event_desc": "sshd:error:Could not get shadow information for NOUSER", - "rsa.internal.messageid": "sshd", - "rsa.network.alias_host": [ - "untinc5531.www5.test" - ], - "rsa.time.event_time": "2019-12-14T09:24:31.000Z", - "service.type": "sophos", - "tags": [ - "forwarded", - "sophos.utm" - ] - } -] \ No newline at end of file diff --git a/x-pack/filebeat/modules.d/sophos.yml.disabled b/x-pack/filebeat/modules.d/sophos.yml.disabled index 42aa513de7e..cc7049f5dcc 100644 --- a/x-pack/filebeat/modules.d/sophos.yml.disabled +++ b/x-pack/filebeat/modules.d/sophos.yml.disabled 
@@ -25,22 +25,3 @@ #- serial_number: "1234234590678557" # hostname: "b.host.local" - - utm: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9533 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local From 305d48e5e764334265699ed2c17ad2012bec1a52 Mon Sep 17 00:00:00 2001 
From: Panos Koutsovasilis Date: Thu, 15 Feb 2024 13:29:43 +0200 Subject: [PATCH 02/22] feat: remove deprecated barracuda --- filebeat/docs/fields.asciidoc | 5435 ----------------- filebeat/docs/modules_list.asciidoc | 2 - x-pack/filebeat/filebeat.reference.yml | 40 - x-pack/filebeat/include/list.go | 1 - x-pack/filebeat/module/barracuda/README.md | 7 - .../module/barracuda/_meta/config.yml | 38 - .../module/barracuda/_meta/docs.asciidoc | 115 - .../module/barracuda/_meta/fields.yml | 5 - x-pack/filebeat/module/barracuda/fields.go | 23 - .../barracuda/spamfirewall/_meta/fields.yml | 2635 -------- .../barracuda/spamfirewall/config/input.yml | 87 - .../spamfirewall/config/liblogparser.js | 2514 -------- .../barracuda/spamfirewall/config/pipeline.js | 780 --- .../spamfirewall/ingest/pipeline.yml | 64 - .../barracuda/spamfirewall/manifest.yml | 31 - .../barracuda/spamfirewall/test/generated.log | 100 - .../test/generated.log-expected.json | 3207 ---------- .../module/barracuda/waf/_meta/fields.yml | 2635 -------- .../module/barracuda/waf/config/input.yml | 87 - .../barracuda/waf/config/liblogparser.js | 2514 -------- .../module/barracuda/waf/config/pipeline.js | 1344 ---- .../module/barracuda/waf/ingest/pipeline.yml | 64 - .../module/barracuda/waf/manifest.yml | 31 - .../module/barracuda/waf/test/generated.log | 100 - .../waf/test/generated.log-expected.json | 1963 ------ .../filebeat/modules.d/barracuda.yml.disabled | 41 - 26 files changed, 23863 deletions(-) delete mode 100644 x-pack/filebeat/module/barracuda/README.md delete mode 100644 x-pack/filebeat/module/barracuda/_meta/config.yml delete mode 100644 x-pack/filebeat/module/barracuda/_meta/docs.asciidoc delete mode 100644 x-pack/filebeat/module/barracuda/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/barracuda/fields.go delete mode 100644 x-pack/filebeat/module/barracuda/spamfirewall/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/barracuda/spamfirewall/config/input.yml delete mode 100644 
x-pack/filebeat/module/barracuda/spamfirewall/config/liblogparser.js delete mode 100644 x-pack/filebeat/module/barracuda/spamfirewall/config/pipeline.js delete mode 100644 x-pack/filebeat/module/barracuda/spamfirewall/ingest/pipeline.yml delete mode 100644 x-pack/filebeat/module/barracuda/spamfirewall/manifest.yml delete mode 100644 x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log delete mode 100644 x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json delete mode 100644 x-pack/filebeat/module/barracuda/waf/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/barracuda/waf/config/input.yml delete mode 100644 x-pack/filebeat/module/barracuda/waf/config/liblogparser.js delete mode 100644 x-pack/filebeat/module/barracuda/waf/config/pipeline.js delete mode 100644 x-pack/filebeat/module/barracuda/waf/ingest/pipeline.yml delete mode 100644 x-pack/filebeat/module/barracuda/waf/manifest.yml delete mode 100644 x-pack/filebeat/module/barracuda/waf/test/generated.log delete mode 100644 x-pack/filebeat/module/barracuda/waf/test/generated.log-expected.json delete mode 100644 x-pack/filebeat/modules.d/barracuda.yml.disabled diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 163c8e0373c..b0e87127f48 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -21,7 +21,6 @@ grouped in the following categories: * <> * <> * <> -* <> * <> * <> * <> 
@@ -3591,5440 +3590,6 @@ type: keyword -- -[[exported-fields-barracuda]] -== Barracuda Web Application Firewall fields - -barracuda fields. - - - -*`network.interface.name`*:: -+ --- -Name of the network interface where the traffic has been observed. - - -type: keyword - --- - - - -*`rsa.internal.msg`*:: -+ --- -This key is used to capture the raw message that comes into the Log Decoder - -type: keyword - --- - -*`rsa.internal.messageid`*:: -+ --- -type: keyword - --- - -*`rsa.internal.event_desc`*:: -+ --- -type: keyword - --- - -*`rsa.internal.message`*:: -+ --- -This key captures the contents of instant messages - -type: keyword - --- - -*`rsa.internal.time`*:: -+ --- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: date - --- - -*`rsa.internal.level`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.msg_id`*:: -+ --- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.msg_vid`*:: -+ --- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.data`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_server`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_val`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.resource`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.internal.obj_id`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.statement`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.audit_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.entry`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.hcode`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.inode`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.resource_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.dead`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.feed_desc`*:: -+ --- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.feed_name`*:: -+ --- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.cid`*:: -+ --- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_class`*:: -+ --- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_group`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_host`*:: -+ --- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_ip`*:: -+ --- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_ipv6`*:: -+ --- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_type`*:: -+ --- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_type_id`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.did`*:: -+ --- -This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.entropy_req`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.entropy_res`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.event_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.feed_category`*:: -+ --- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.forward_ip`*:: -+ --- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: ip - --- - -*`rsa.internal.forward_ipv6`*:: -+ --- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.header_id`*:: -+ --- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_cid`*:: -+ --- -This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_ctime`*:: -+ --- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: date - --- - -*`rsa.internal.mcb_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcb_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcbc_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.mcbc_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.medium`*:: -+ --- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: long - --- - -*`rsa.internal.node_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.nwe_callback_id`*:: -+ --- -This key denotes that event is endpoint related - -type: keyword - --- - -*`rsa.internal.parse_error`*:: -+ --- -This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.payload_req`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.payload_res`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.process_vid_dst`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - -type: keyword - --- - -*`rsa.internal.process_vid_src`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - -type: keyword - --- - -*`rsa.internal.rid`*:: -+ --- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.session_split`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.site`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.size`*:: -+ --- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.sourcefile`*:: -+ --- -This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.ubc_req`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.ubc_res`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.word`*:: -+ --- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - -type: keyword - --- - - -*`rsa.time.event_time`*:: -+ --- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - -type: date - --- - -*`rsa.time.duration_time`*:: -+ --- -This key is used to capture the normalized duration/lifetime in seconds. 
- -type: double - --- - -*`rsa.time.event_time_str`*:: -+ --- -This key is used to capture the incomplete time mentioned in a session as a string - -type: keyword - --- - -*`rsa.time.starttime`*:: -+ --- -This key is used to capture the Start time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.month`*:: -+ --- -type: keyword - --- - -*`rsa.time.day`*:: -+ --- -type: keyword - --- - -*`rsa.time.endtime`*:: -+ --- -This key is used to capture the End time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.timezone`*:: -+ --- -This key is used to capture the timezone of the Event Time - -type: keyword - --- - -*`rsa.time.duration_str`*:: -+ --- -A text string version of the duration - -type: keyword - --- - -*`rsa.time.date`*:: -+ --- -type: keyword - --- - -*`rsa.time.year`*:: -+ --- -type: keyword - --- - -*`rsa.time.recorded_time`*:: -+ --- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date - --- - -*`rsa.time.datetime`*:: -+ --- -type: keyword - --- - -*`rsa.time.effective_time`*:: -+ --- -This key is the effective time referenced by an individual event in a Standard Timestamp format - -type: date - --- - -*`rsa.time.expire_time`*:: -+ --- -This key is the timestamp that explicitly refers to an expiration. - -type: date - --- - -*`rsa.time.process_time`*:: -+ --- -Deprecated, use duration.time - -type: keyword - --- - -*`rsa.time.hour`*:: -+ --- -type: keyword - --- - -*`rsa.time.min`*:: -+ --- -type: keyword - --- - -*`rsa.time.timestamp`*:: -+ --- -type: keyword - --- - -*`rsa.time.event_queue_time`*:: -+ --- -This key is the Time that the event was queued. 
- -type: date - --- - -*`rsa.time.p_time1`*:: -+ --- -type: keyword - --- - -*`rsa.time.tzone`*:: -+ --- -type: keyword - --- - -*`rsa.time.eventtime`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmtdate`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmttime`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_date`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_month`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time2`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_year`*:: -+ --- -type: keyword - --- - -*`rsa.time.expire_time_str`*:: -+ --- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. - -type: keyword - --- - -*`rsa.time.stamp`*:: -+ --- -Deprecated key defined only in table map. - -type: date - --- - - -*`rsa.misc.action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.result`*:: -+ --- -This key is used to capture the outcome/result string value of an action in a session. - -type: keyword - --- - -*`rsa.misc.severity`*:: -+ --- -This key is used to capture the severity given the session - -type: keyword - --- - -*`rsa.misc.event_type`*:: -+ --- -This key captures the event category type as specified by the event source. - -type: keyword - --- - -*`rsa.misc.reference_id`*:: -+ --- -This key is used to capture an event id from the session directly - -type: keyword - --- - -*`rsa.misc.version`*:: -+ --- -This key captures Version of the application or OS which is generating the event. - -type: keyword - --- - -*`rsa.misc.disposition`*:: -+ --- -This key captures the The end state of an action. 
- -type: keyword - --- - -*`rsa.misc.result_code`*:: -+ --- -This key is used to capture the outcome/result numeric value of an action in a session - -type: keyword - --- - -*`rsa.misc.category`*:: -+ --- -This key is used to capture the category of an event given by the vendor in the session - -type: keyword - --- - -*`rsa.misc.obj_name`*:: -+ --- -This is used to capture name of object - -type: keyword - --- - -*`rsa.misc.obj_type`*:: -+ --- -This is used to capture type of object - -type: keyword - --- - -*`rsa.misc.event_source`*:: -+ --- -This key captures Source of the event that’s not a hostname - -type: keyword - --- - -*`rsa.misc.log_session_id`*:: -+ --- -This key is used to capture a sessionid from the session directly - -type: keyword - --- - -*`rsa.misc.group`*:: -+ --- -This key captures the Group Name value - -type: keyword - --- - -*`rsa.misc.policy_name`*:: -+ --- -This key is used to capture the Policy Name only. - -type: keyword - --- - -*`rsa.misc.rule_name`*:: -+ --- -This key captures the Rule Name - -type: keyword - --- - -*`rsa.misc.context`*:: -+ --- -This key captures Information which adds additional context to the event. - -type: keyword - --- - -*`rsa.misc.change_new`*:: -+ --- -This key is used to capture the new values of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.space`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client`*:: -+ --- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- -type: keyword - --- - -*`rsa.misc.msgIdPart1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.change_old`*:: -+ --- -This key is used to capture the old value of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.operation_id`*:: -+ --- -An alert number or operation number. The values should be unique and non-repeating. - -type: keyword - --- - -*`rsa.misc.event_state`*:: -+ --- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - -type: keyword - --- - -*`rsa.misc.group_object`*:: -+ --- -This key captures a collection/grouping of entities. Specific usage - -type: keyword - --- - -*`rsa.misc.node`*:: -+ --- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - -type: keyword - --- - -*`rsa.misc.rule`*:: -+ --- -This key captures the Rule number - -type: keyword - --- - -*`rsa.misc.device_name`*:: -+ --- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - -type: keyword - --- - -*`rsa.misc.param`*:: -+ --- -This key is the parameters passed as part of a command or application, etc. - -type: keyword - --- - -*`rsa.misc.change_attrib`*:: -+ --- -This key is used to capture the name of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.event_computer`*:: -+ --- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- -type: keyword - --- - -*`rsa.misc.reference_id1`*:: -+ --- -This key is for Linked ID to be used as an addition to "reference.id" - -type: keyword - --- - -*`rsa.misc.event_log`*:: -+ --- -This key captures the Name of the event log - -type: keyword - --- - -*`rsa.misc.OS`*:: -+ --- -This key captures the Name of the Operating System - -type: keyword - --- - -*`rsa.misc.terminal`*:: -+ --- -This key captures the Terminal Names only - -type: keyword - --- - -*`rsa.misc.msgIdPart3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.filter`*:: -+ --- -This key captures Filter used to reduce result set - -type: keyword - --- - -*`rsa.misc.serial_number`*:: -+ --- -This key is the Serial number associated with a physical asset. - -type: keyword - --- - -*`rsa.misc.checksum`*:: -+ --- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - -type: keyword - --- - -*`rsa.misc.event_user`*:: -+ --- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - -type: keyword - --- - -*`rsa.misc.virusname`*:: -+ --- -This key captures the name of the virus - -type: keyword - --- - -*`rsa.misc.content_type`*:: -+ --- -This key is used to capture Content Type only. - -type: keyword - --- - -*`rsa.misc.group_id`*:: -+ --- -This key captures Group ID Number (related to the group name) - -type: keyword - --- - -*`rsa.misc.policy_id`*:: -+ --- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - -type: keyword - --- - -*`rsa.misc.vsys`*:: -+ --- -This key captures Virtual System Name - -type: keyword - --- - -*`rsa.misc.connection_id`*:: -+ --- -This key captures the Connection ID - -type: keyword - --- - -*`rsa.misc.reference_id2`*:: -+ --- -This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - -type: keyword - --- - -*`rsa.misc.sensor`*:: -+ --- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - -type: keyword - --- - -*`rsa.misc.sig_id`*:: -+ --- -This key captures IDS/IPS Int Signature ID - -type: long - --- - -*`rsa.misc.port_name`*:: -+ --- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - -type: keyword - --- - -*`rsa.misc.rule_group`*:: -+ --- -This key captures the Rule group name - -type: keyword - --- - -*`rsa.misc.risk_num`*:: -+ --- -This key captures a Numeric Risk value - -type: double - --- - -*`rsa.misc.trigger_val`*:: -+ --- -This key captures the Value of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.log_session_id1`*:: -+ --- -This key is used to capture a Linked (Related) Session ID from the session directly - -type: keyword - --- - -*`rsa.misc.comp_version`*:: -+ --- -This key captures the Version level of a sub-component of a product. - -type: keyword - --- - -*`rsa.misc.content_version`*:: -+ --- -This key captures Version level of a signature or database content. - -type: keyword - --- - -*`rsa.misc.hardware_id`*:: -+ --- -This key is used to capture unique identifier for a device or system (NOT a Mac address) - -type: keyword - --- - -*`rsa.misc.risk`*:: -+ --- -This key captures the non-numeric risk value - -type: keyword - --- - -*`rsa.misc.event_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.reason`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mail_id`*:: -+ --- -This key is used to capture the mailbox id/name - -type: keyword - --- - -*`rsa.misc.rule_uid`*:: -+ --- -This key is the Unique Identifier for a rule. 
- -type: keyword - --- - -*`rsa.misc.trigger_desc`*:: -+ --- -This key captures the Description of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.inout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.data_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.error`*:: -+ --- -This key captures All non successful Error codes or responses - -type: keyword - --- - -*`rsa.misc.index`*:: -+ --- -type: keyword - --- - -*`rsa.misc.listnum`*:: -+ --- -This key is used to capture listname or listnumber, primarily for collecting access-list - -type: keyword - --- - -*`rsa.misc.ntype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.observed_val`*:: -+ --- -This key captures the Value observed (from the perspective of the device generating the log). - -type: keyword - --- - -*`rsa.misc.policy_value`*:: -+ --- -This key captures the contents of the policy. This contains details about the policy - -type: keyword - --- - -*`rsa.misc.pool_name`*:: -+ --- -This key captures the name of a resource pool - -type: keyword - --- - -*`rsa.misc.rule_template`*:: -+ --- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - -type: keyword - --- - -*`rsa.misc.count`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigcat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comments`*:: -+ --- -Comment information provided in the log message - -type: keyword - --- - -*`rsa.misc.doc_number`*:: -+ --- -This key captures File Identification number - -type: long - --- - -*`rsa.misc.expected_val`*:: -+ --- -This key captures the Value expected (from the perspective of the device generating the log). 
- -type: keyword - --- - -*`rsa.misc.job_num`*:: -+ --- -This key captures the Job Number - -type: keyword - --- - -*`rsa.misc.spi_dst`*:: -+ --- -Destination SPI Index - -type: keyword - --- - -*`rsa.misc.spi_src`*:: -+ --- -Source SPI Index - -type: keyword - --- - -*`rsa.misc.code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.agent_id`*:: -+ --- -This key is used to capture agent id - -type: keyword - --- - -*`rsa.misc.message_body`*:: -+ --- -This key captures the The contents of the message body. - -type: keyword - --- - -*`rsa.misc.phone`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sig_id_str`*:: -+ --- -This key captures a string object of the sigid variable. - -type: keyword - --- - -*`rsa.misc.cmd`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu`*:: -+ --- -This key is the CPU time used in the execution of the event being recorded. - -type: long - --- - -*`rsa.misc.event_desc`*:: -+ --- -This key is used to capture a description of an event available directly or inferred - -type: keyword - --- - -*`rsa.misc.sig_id1`*:: -+ --- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - -type: long - --- - -*`rsa.misc.im_buddyid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_client`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.priority`*:: -+ --- -type: keyword - --- - -*`rsa.misc.context_subject`*:: -+ --- -This key is to be used in an audit context where the subject is the object being identified - -type: keyword - --- - -*`rsa.misc.context_target`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cve`*:: -+ --- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - -type: keyword - --- - -*`rsa.misc.fcatnum`*:: -+ --- -This key captures Filter Category Number. 
Legacy Usage - -type: keyword - --- - -*`rsa.misc.library`*:: -+ --- -This key is used to capture library information in mainframe devices - -type: keyword - --- - -*`rsa.misc.parent_node`*:: -+ --- -This key captures the Parent Node Name. Must be related to node variable. - -type: keyword - --- - -*`rsa.misc.risk_info`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.tcp_flags`*:: -+ --- -This key is captures the TCP flags set in any packet of session - -type: long - --- - -*`rsa.misc.tos`*:: -+ --- -This key describes the type of service - -type: long - --- - -*`rsa.misc.vm_target`*:: -+ --- -VMWare Target **VMWARE** only varaible. - -type: keyword - --- - -*`rsa.misc.workspace`*:: -+ --- -This key captures Workspace Description - -type: keyword - --- - -*`rsa.misc.command`*:: -+ --- -type: keyword - --- - -*`rsa.misc.event_category`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facilityname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.forensic_info`*:: -+ --- -type: keyword - --- - -*`rsa.misc.jobname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy_waiver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.second`*:: -+ --- -type: keyword - --- - -*`rsa.misc.space1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.subcategory`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alert_id`*:: -+ --- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.checksum_dst`*:: -+ --- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - -type: keyword - --- - -*`rsa.misc.checksum_src`*:: -+ --- -This key is used to capture the checksum or hash of the source entity such as a file or process. 
- -type: keyword - --- - -*`rsa.misc.fresult`*:: -+ --- -This key captures the Filter Result - -type: long - --- - -*`rsa.misc.payload_dst`*:: -+ --- -This key is used to capture destination payload - -type: keyword - --- - -*`rsa.misc.payload_src`*:: -+ --- -This key is used to capture source payload - -type: keyword - --- - -*`rsa.misc.pool_id`*:: -+ --- -This key captures the identifier (typically numeric field) of a resource pool - -type: keyword - --- - -*`rsa.misc.process_id_val`*:: -+ --- -This key is a failure key for Process ID when it is not an integer value - -type: keyword - --- - -*`rsa.misc.risk_num_comm`*:: -+ --- -This key captures Risk Number Community - -type: double - --- - -*`rsa.misc.risk_num_next`*:: -+ --- -This key captures Risk Number NextGen - -type: double - --- - -*`rsa.misc.risk_num_sand`*:: -+ --- -This key captures Risk Number SandBox - -type: double - --- - -*`rsa.misc.risk_num_static`*:: -+ --- -This key captures Risk Number Static - -type: double - --- - -*`rsa.misc.risk_suspicious`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.risk_warning`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.snmp_oid`*:: -+ --- -SNMP Object Identifier - -type: keyword - --- - -*`rsa.misc.sql`*:: -+ --- -This key captures the SQL query - -type: keyword - --- - -*`rsa.misc.vuln_ref`*:: -+ --- -This key captures the Vulnerability Reference details - -type: keyword - --- - -*`rsa.misc.acl_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_op`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_pos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_table`*:: -+ --- -type: keyword - --- - -*`rsa.misc.admin`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarm_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarmname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.app_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.audit`*:: 
-+ --- -type: keyword - --- - -*`rsa.misc.audit_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.auditdata`*:: -+ --- -type: keyword - --- - -*`rsa.misc.benchmark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.bypass`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache_hit`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cefversion`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_attr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_obj`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_path`*:: -+ --- -type: keyword - --- - -*`rsa.misc.changes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client_ip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.clustermembers`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_acttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_asn_src`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_bgpv4nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ctr_dst_code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_f_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampintv`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampmode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inacttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermbyts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermpckts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_invalid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ip_proto_ver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ipv4_ident`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_l_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_did`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_rid`*:: -+ --- -type: keyword - 
--- - -*`rsa.misc.cn_max_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_maxpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_min_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_minpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_10`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_5`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_6`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_7`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_8`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_9`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_byt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_pks`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_muligmptype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampalgo`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampint`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_seqctr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_spackets`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sysuptime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_template_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totbytsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totflowexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totpcktsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_unixnanosecs`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6flowlabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6optheaders`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.comp_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_rbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_sbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.criticality`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_agency_dst`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_analyzedby`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_other`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_primary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_secondary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bgpv6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bit9status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_context`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_control`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_datecret`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_dst_tld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_dst_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_src_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_event_uuid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_filetype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_desc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ip_next_hop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4dstpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4srcpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_lifetime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_log_medium`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_loginname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulescore`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulesign`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_opswatresult`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.cs_payload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrant`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrar`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_represult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_rpayload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sampler_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sourcemodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_streams`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_targetmodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_v6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_whois_server`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_yararesult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.description`*:: -+ --- -type: keyword - --- - -*`rsa.misc.devvendor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.distance`*:: -+ --- -type: keyword - --- - -*`rsa.misc.dstburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomaub`*:: -+ --- -type: keyword - --- - -*`rsa.misc.euid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facility`*:: -+ --- -type: keyword - --- - -*`rsa.misc.finterface`*:: -+ --- -type: keyword - --- - -*`rsa.misc.flags`*:: -+ --- -type: keyword - --- - -*`rsa.misc.gaddr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.id3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_buddyname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomtype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_members`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_username`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipscat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipspri`*:: -+ --- -type: keyword - --- - -*`rsa.misc.latitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.linenum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.list_name`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.load_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_floor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_mark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.longitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.lport`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mbug_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msg_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.netsessid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.nwwn`*:: -+ --- -type: keyword - --- - -*`rsa.misc.object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.operation`*:: -+ --- -type: keyword - --- - -*`rsa.misc.opkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.orig_from`*:: -+ --- -type: keyword - --- - -*`rsa.misc.owner_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_filter`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_group_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_result1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_chg`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_expire`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permgranted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permwanted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pgid`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.policyUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.prog_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.program`*:: -+ --- -type: keyword - --- - -*`rsa.misc.real_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_device`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_library`*:: -+ --- -type: keyword - --- - -*`rsa.misc.recordnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ruid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sdomain_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sec`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sensorname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.seqnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.session`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sessiontype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.spi`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcservice`*:: -+ --- -type: keyword - --- - -*`rsa.misc.state`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.svcno`*:: -+ --- -type: keyword - --- - -*`rsa.misc.system`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.threshold`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.udb_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.url_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.user_div`*:: -+ --- -type: keyword - --- - -*`rsa.misc.userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.username_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.utcstamp`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.v_instafname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.virt_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.vpnid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.autorun_type`*:: -+ --- -This is used to capture Auto Run type - -type: keyword - --- - -*`rsa.misc.cc_number`*:: -+ --- -Valid Credit Card Numbers only - -type: long - --- - -*`rsa.misc.content`*:: -+ --- -This key captures the content type from protocol headers - -type: keyword - --- - -*`rsa.misc.ein_number`*:: -+ --- -Employee Identification Numbers only - -type: long - --- - -*`rsa.misc.found`*:: -+ --- -This is used to capture the results of regex match - -type: keyword - --- - -*`rsa.misc.language`*:: -+ --- -This is used to capture list of languages the client support and what it prefers - -type: keyword - --- - -*`rsa.misc.lifetime`*:: -+ --- -This key is used to capture the session lifetime in seconds. - -type: long - --- - -*`rsa.misc.link`*:: -+ --- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.misc.match`*:: -+ --- -This key is for regex match name from search.ini - -type: keyword - --- - -*`rsa.misc.param_dst`*:: -+ --- -This key captures the command line/launch argument of the target process or file - -type: keyword - --- - -*`rsa.misc.param_src`*:: -+ --- -This key captures source parameter - -type: keyword - --- - -*`rsa.misc.search_text`*:: -+ --- -This key captures the Search Text used - -type: keyword - --- - -*`rsa.misc.sig_name`*:: -+ --- -This key is used to capture the Signature Name only. - -type: keyword - --- - -*`rsa.misc.snmp_value`*:: -+ --- -SNMP set request value - -type: keyword - --- - -*`rsa.misc.streams`*:: -+ --- -This key captures number of streams in session - -type: long - --- - - -*`rsa.db.index`*:: -+ --- -This key captures IndexID of the index. 
- -type: keyword - --- - -*`rsa.db.instance`*:: -+ --- -This key is used to capture the database server instance name - -type: keyword - --- - -*`rsa.db.database`*:: -+ --- -This key is used to capture the name of a database or an instance as seen in a session - -type: keyword - --- - -*`rsa.db.transact_id`*:: -+ --- -This key captures the SQL transantion ID of the current session - -type: keyword - --- - -*`rsa.db.permissions`*:: -+ --- -This key captures permission or privilege level assigned to a resource. - -type: keyword - --- - -*`rsa.db.table_name`*:: -+ --- -This key is used to capture the table name - -type: keyword - --- - -*`rsa.db.db_id`*:: -+ --- -This key is used to capture the unique identifier for a database - -type: keyword - --- - -*`rsa.db.db_pid`*:: -+ --- -This key captures the process id of a connection with database server - -type: long - --- - -*`rsa.db.lread`*:: -+ --- -This key is used for the number of logical reads - -type: long - --- - -*`rsa.db.lwrite`*:: -+ --- -This key is used for the number of logical writes - -type: long - --- - -*`rsa.db.pread`*:: -+ --- -This key is used for the number of physical writes - -type: long - --- - - -*`rsa.network.alias_host`*:: -+ --- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - -type: keyword - --- - -*`rsa.network.domain`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_dst`*:: -+ --- -This key should only be used when it’s a Destination Hostname - -type: keyword - --- - -*`rsa.network.network_service`*:: -+ --- -This is used to capture layer 7 protocols/service names - -type: keyword - --- - -*`rsa.network.interface`*:: -+ --- -This key should be used when the source or destination context of an interface is not clear - -type: keyword - --- - -*`rsa.network.network_port`*:: -+ --- -Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) - -type: long - --- - -*`rsa.network.eth_host`*:: -+ --- -Deprecated, use alias.mac - -type: keyword - --- - -*`rsa.network.sinterface`*:: -+ --- -This key should only be used when it’s a Source Interface - -type: keyword - --- - -*`rsa.network.dinterface`*:: -+ --- -This key should only be used when it’s a Destination Interface - -type: keyword - --- - -*`rsa.network.vlan`*:: -+ --- -This key should only be used to capture the ID of the Virtual LAN - -type: long - --- - -*`rsa.network.zone_src`*:: -+ --- -This key should only be used when it’s a Source Zone. - -type: keyword - --- - -*`rsa.network.zone`*:: -+ --- -This key should be used when the source or destination context of a Zone is not clear - -type: keyword - --- - -*`rsa.network.zone_dst`*:: -+ --- -This key should only be used when it’s a Destination Zone. - -type: keyword - --- - -*`rsa.network.gateway`*:: -+ --- -This key is used to capture the IP Address of the gateway - -type: keyword - --- - -*`rsa.network.icmp_type`*:: -+ --- -This key is used to capture the ICMP type only - -type: long - --- - -*`rsa.network.mask`*:: -+ --- -This key is used to capture the device network IPmask. 
- -type: keyword - --- - -*`rsa.network.icmp_code`*:: -+ --- -This key is used to capture the ICMP code only - -type: long - --- - -*`rsa.network.protocol_detail`*:: -+ --- -This key should be used to capture additional protocol information - -type: keyword - --- - -*`rsa.network.dmask`*:: -+ --- -This key is used for Destionation Device network mask - -type: keyword - --- - -*`rsa.network.port`*:: -+ --- -This key should only be used to capture a Network Port when the directionality is not clear - -type: long - --- - -*`rsa.network.smask`*:: -+ --- -This key is used for capturing source Network Mask - -type: keyword - --- - -*`rsa.network.netname`*:: -+ --- -This key is used to capture the network name associated with an IP range. This is configured by the end user. - -type: keyword - --- - -*`rsa.network.paddr`*:: -+ --- -Deprecated - -type: ip - --- - -*`rsa.network.faddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.lhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.origin`*:: -+ --- -type: keyword - --- - -*`rsa.network.remote_domain_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.addr`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_a_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_ptr_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.fhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.fport`*:: -+ --- -type: keyword - --- - -*`rsa.network.laddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.linterface`*:: -+ --- -type: keyword - --- - -*`rsa.network.phost`*:: -+ --- -type: keyword - --- - -*`rsa.network.ad_computer_dst`*:: -+ --- -Deprecated, use host.dst - -type: keyword - --- - -*`rsa.network.eth_type`*:: -+ --- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: long - --- - -*`rsa.network.ip_proto`*:: -+ --- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - -type: long - --- - -*`rsa.network.dns_cname_record`*:: -+ --- 
-type: keyword - --- - -*`rsa.network.dns_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_opcode`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_resp`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.domain1`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.packet_length`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_orig`*:: -+ --- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - -type: keyword - --- - -*`rsa.network.rpayload`*:: -+ --- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. - -type: keyword - --- - -*`rsa.network.vlan_name`*:: -+ --- -This key should only be used to capture the name of the Virtual LAN - -type: keyword - --- - - -*`rsa.investigations.ec_activity`*:: -+ --- -This key captures the particular event activity(Ex:Logoff) - -type: keyword - --- - -*`rsa.investigations.ec_theme`*:: -+ --- -This key captures the Theme of a particular Event(Ex:Authentication) - -type: keyword - --- - -*`rsa.investigations.ec_subject`*:: -+ --- -This key captures the Subject of a particular Event(Ex:User) - -type: keyword - --- - -*`rsa.investigations.ec_outcome`*:: -+ --- -This key captures the outcome of a particular Event(Ex:Success) - -type: keyword - --- - -*`rsa.investigations.event_cat`*:: -+ --- -This key captures the Event category number - -type: long - --- - -*`rsa.investigations.event_cat_name`*:: -+ --- -This key captures the event category name corresponding to the event cat code - -type: keyword - --- - -*`rsa.investigations.event_vcat`*:: -+ --- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - -type: keyword - --- - -*`rsa.investigations.analysis_file`*:: -+ --- -This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - -type: keyword - --- - -*`rsa.investigations.analysis_service`*:: -+ --- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - -type: keyword - --- - -*`rsa.investigations.analysis_session`*:: -+ --- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - -type: keyword - --- - -*`rsa.investigations.boc`*:: -+ --- -This is used to capture behaviour of compromise - -type: keyword - --- - -*`rsa.investigations.eoc`*:: -+ --- -This is used to capture Enablers of Compromise - -type: keyword - --- - -*`rsa.investigations.inv_category`*:: -+ --- -This used to capture investigation category - -type: keyword - --- - -*`rsa.investigations.inv_context`*:: -+ --- -This used to capture investigation context - -type: keyword - --- - -*`rsa.investigations.ioc`*:: -+ --- -This is key capture indicator of compromise - -type: keyword - --- - - -*`rsa.counters.dclass_c1`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c1.str only - -type: long - --- - -*`rsa.counters.dclass_c2`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c2.str only - -type: long - --- - -*`rsa.counters.event_counter`*:: -+ --- -This is used to capture the number of times an event repeated - -type: long - --- - -*`rsa.counters.dclass_r1`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r1.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c3.str only - -type: long - --- - -*`rsa.counters.dclass_c1_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c1 only - -type: keyword - --- - -*`rsa.counters.dclass_c2_str`*:: -+ --- -This is a generic counter string key that should be 
used with the label dclass.c2 only - -type: keyword - --- - -*`rsa.counters.dclass_r1_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r1 only - -type: keyword - --- - -*`rsa.counters.dclass_r2`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r2.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c3 only - -type: keyword - --- - -*`rsa.counters.dclass_r3`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r3.str only - -type: keyword - --- - -*`rsa.counters.dclass_r2_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r2 only - -type: keyword - --- - -*`rsa.counters.dclass_r3_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r3 only - -type: keyword - --- - - -*`rsa.identity.auth_method`*:: -+ --- -This key is used to capture authentication methods used only - -type: keyword - --- - -*`rsa.identity.user_role`*:: -+ --- -This key is used to capture the Role of a user only - -type: keyword - --- - -*`rsa.identity.dn`*:: -+ --- -X.500 (LDAP) Distinguished Name - -type: keyword - --- - -*`rsa.identity.logon_type`*:: -+ --- -This key is used to capture the type of logon method used. 
- -type: keyword - --- - -*`rsa.identity.profile`*:: -+ --- -This key is used to capture the user profile - -type: keyword - --- - -*`rsa.identity.accesses`*:: -+ --- -This key is used to capture actual privileges used in accessing an object - -type: keyword - --- - -*`rsa.identity.realm`*:: -+ --- -Radius realm or similar grouping of accounts - -type: keyword - --- - -*`rsa.identity.user_sid_dst`*:: -+ --- -This key captures Destination User Session ID - -type: keyword - --- - -*`rsa.identity.dn_src`*:: -+ --- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - -type: keyword - --- - -*`rsa.identity.org`*:: -+ --- -This key captures the User organization - -type: keyword - --- - -*`rsa.identity.dn_dst`*:: -+ --- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - -type: keyword - --- - -*`rsa.identity.firstname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.lastname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.user_dept`*:: -+ --- -User's Department Names only - -type: keyword - --- - -*`rsa.identity.user_sid_src`*:: -+ --- -This key captures Source User Session ID - -type: keyword - --- - -*`rsa.identity.federated_sp`*:: -+ --- -This key is the Federated Service Provider. This is the application requesting authentication. - -type: keyword - --- - -*`rsa.identity.federated_idp`*:: -+ --- -This key is the federated Identity Provider. This is the server providing the authentication. - -type: keyword - --- - -*`rsa.identity.logon_type_desc`*:: -+ --- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- -type: keyword - --- - -*`rsa.identity.middlename`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.password`*:: -+ --- -This key is for Passwords seen in any session, plain text or encrypted - -type: keyword - --- - -*`rsa.identity.host_role`*:: -+ --- -This key should only be used to capture the role of a Host Machine - -type: keyword - --- - -*`rsa.identity.ldap`*:: -+ --- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - -type: keyword - --- - -*`rsa.identity.ldap_query`*:: -+ --- -This key is the Search criteria from an LDAP search - -type: keyword - --- - -*`rsa.identity.ldap_response`*:: -+ --- -This key is to capture Results from an LDAP search - -type: keyword - --- - -*`rsa.identity.owner`*:: -+ --- -This is used to capture username the process or service is running as, the author of the task - -type: keyword - --- - -*`rsa.identity.service_account`*:: -+ --- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - -type: keyword - --- - - -*`rsa.email.email_dst`*:: -+ --- -This key is used to capture the Destination email address only, when the destination context is not clear use email - -type: keyword - --- - -*`rsa.email.email_src`*:: -+ --- -This key is used to capture the source email address only, when the source context is not clear use email - -type: keyword - --- - -*`rsa.email.subject`*:: -+ --- -This key is used to capture the subject string from an Email only. - -type: keyword - --- - -*`rsa.email.email`*:: -+ --- -This key is used to capture a generic email address where the source or destination context is not clear - -type: keyword - --- - -*`rsa.email.trans_from`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.email.trans_to`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - - -*`rsa.file.privilege`*:: -+ --- -Deprecated, use permissions - -type: keyword - --- - -*`rsa.file.attachment`*:: -+ --- -This key captures the attachment file name - -type: keyword - --- - -*`rsa.file.filesystem`*:: -+ --- -type: keyword - --- - -*`rsa.file.binary`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.file.filename_dst`*:: -+ --- -This is used to capture name of the file targeted by the action - -type: keyword - --- - -*`rsa.file.filename_src`*:: -+ --- -This is used to capture name of the parent filename, the file which performed the action - -type: keyword - --- - -*`rsa.file.filename_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.file.directory_dst`*:: -+ --- -This key is used to capture the directory of the target process or file - -type: keyword - --- - -*`rsa.file.directory_src`*:: -+ --- -This key is used to capture the directory of the source process or file - -type: keyword - --- - -*`rsa.file.file_entropy`*:: -+ --- -This is used to capture entropy vale of a file - -type: double - --- - -*`rsa.file.file_vendor`*:: -+ --- -This is used to capture Company name of file located in version_info - -type: keyword - --- - -*`rsa.file.task_name`*:: -+ --- -This is used to capture name of the task - -type: keyword - --- - - -*`rsa.web.fqdn`*:: -+ --- -Fully Qualified Domain Names - -type: keyword - --- - -*`rsa.web.web_cookie`*:: -+ --- -This key is used to capture the Web cookies specifically. - -type: keyword - --- - -*`rsa.web.alias_host`*:: -+ --- -type: keyword - --- - -*`rsa.web.reputation_num`*:: -+ --- -Reputation Number of an entity. 
Typically used for Web Domains - -type: double - --- - -*`rsa.web.web_ref_domain`*:: -+ --- -Web referer's domain - -type: keyword - --- - -*`rsa.web.web_ref_query`*:: -+ --- -This key captures Web referer's query portion of the URL - -type: keyword - --- - -*`rsa.web.remote_domain`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_ref_page`*:: -+ --- -This key captures Web referer's page information - -type: keyword - --- - -*`rsa.web.web_ref_root`*:: -+ --- -Web referer's root URL path - -type: keyword - --- - -*`rsa.web.cn_asn_dst`*:: -+ --- -type: keyword - --- - -*`rsa.web.cn_rpackets`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlpage`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlroot`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_url`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_user_agent`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_cookie`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_method`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_referer`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_extension_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_page`*:: -+ --- -type: keyword - --- - - -*`rsa.threat.threat_category`*:: -+ --- -This key captures Threat Name/Threat Category/Categorization of alert - -type: keyword - --- - -*`rsa.threat.threat_desc`*:: -+ --- -This key is used to capture the threat description from the session directly or inferred - -type: keyword - --- - -*`rsa.threat.alert`*:: -+ --- -This key is used to capture name of the alert - -type: keyword - --- - -*`rsa.threat.threat_source`*:: -+ --- -This key is used to capture source of the threat - -type: keyword - --- - - -*`rsa.crypto.crypto`*:: -+ --- -This key is used to capture the Encryption Type or Encryption Key only - -type: keyword - --- - -*`rsa.crypto.cipher_src`*:: -+ --- -This key is for Source (Client) Cipher - -type: keyword - --- - -*`rsa.crypto.cert_subject`*:: -+ --- -This key is used to capture the Certificate organization only - -type: keyword - --- 
- -*`rsa.crypto.peer`*:: -+ --- -This key is for Encryption peer's IP Address - -type: keyword - --- - -*`rsa.crypto.cipher_size_src`*:: -+ --- -This key captures Source (Client) Cipher Size - -type: long - --- - -*`rsa.crypto.ike`*:: -+ --- -IKE negotiation phase. - -type: keyword - --- - -*`rsa.crypto.scheme`*:: -+ --- -This key captures the Encryption scheme used - -type: keyword - --- - -*`rsa.crypto.peer_id`*:: -+ --- -This key is for Encryption peer’s identity - -type: keyword - --- - -*`rsa.crypto.sig_type`*:: -+ --- -This key captures the Signature Type - -type: keyword - --- - -*`rsa.crypto.cert_issuer`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.crypto.cert_error`*:: -+ --- -This key captures the Certificate Error String - -type: keyword - --- - -*`rsa.crypto.cipher_dst`*:: -+ --- -This key is for Destination (Server) Cipher - -type: keyword - --- - -*`rsa.crypto.cipher_size_dst`*:: -+ --- -This key captures Destination (Server) Cipher Size - -type: long - --- - -*`rsa.crypto.ssl_ver_src`*:: -+ --- -Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.d_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.s_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.ike_cookie1`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase One - -type: keyword - --- - -*`rsa.crypto.ike_cookie2`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase Two - -type: keyword - --- - -*`rsa.crypto.cert_checksum`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_cat`*:: -+ --- -This key is used for the hostname category value of a certificate - -type: keyword - --- - -*`rsa.crypto.cert_serial`*:: -+ --- -This key is used to capture the Certificate serial number only - -type: keyword - --- - -*`rsa.crypto.cert_status`*:: -+ --- -This key captures Certificate validation status - -type: keyword - --- - -*`rsa.crypto.ssl_ver_dst`*:: -+ --- 
-Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.cert_keysize`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_username`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_insact`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_valid`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_ca`*:: -+ --- -This key is used to capture the Certificate signing authority only - -type: keyword - --- - -*`rsa.crypto.cert_common`*:: -+ --- -This key is used to capture the Certificate common name only - -type: keyword - --- - - -*`rsa.wireless.wlan_ssid`*:: -+ --- -This key is used to capture the ssid of a Wireless Session - -type: keyword - --- - -*`rsa.wireless.access_point`*:: -+ --- -This key is used to capture the access point name. - -type: keyword - --- - -*`rsa.wireless.wlan_channel`*:: -+ --- -This is used to capture the channel names - -type: long - --- - -*`rsa.wireless.wlan_name`*:: -+ --- -This key captures either WLAN number/name - -type: keyword - --- - - -*`rsa.storage.disk_volume`*:: -+ --- -A unique name assigned to logical units (volumes) within a physical disk - -type: keyword - --- - -*`rsa.storage.lun`*:: -+ --- -Logical Unit Number.This key is a very useful concept in Storage. - -type: keyword - --- - -*`rsa.storage.pwwn`*:: -+ --- -This uniquely identifies a port on a HBA. - -type: keyword - --- - - -*`rsa.physical.org_dst`*:: -+ --- -This is used to capture the destination organization based on the GEOPIP Maxmind database. - -type: keyword - --- - -*`rsa.physical.org_src`*:: -+ --- -This is used to capture the source organization based on the GEOPIP Maxmind database. 
- -type: keyword - --- - - -*`rsa.healthcare.patient_fname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_id`*:: -+ --- -This key captures the unique ID for a patient - -type: keyword - --- - -*`rsa.healthcare.patient_lname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_mname`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - - -*`rsa.endpoint.host_state`*:: -+ --- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - -type: keyword - --- - -*`rsa.endpoint.registry_key`*:: -+ --- -This key captures the path to the registry key - -type: keyword - --- - -*`rsa.endpoint.registry_value`*:: -+ --- -This key captures values or decorators used within a registry entry - -type: keyword - --- - [[exported-fields-beat-common]] == Beat fields diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index 92318e0903d..731d38e3915 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -9,7 +9,6 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> - * <> * <> * <> * <> @@ -83,7 +82,6 @@ include::modules/auditd.asciidoc[] include::modules/aws.asciidoc[] include::modules/awsfargate.asciidoc[] include::modules/azure.asciidoc[] -include::modules/barracuda.asciidoc[] include::modules/bluecoat.asciidoc[] include::modules/cef.asciidoc[] include::modules/checkpoint.asciidoc[] diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index d793739c024..d75452b7c40 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -585,46 +585,6 @@ filebeat.modules: # storage_account: "" # storage_account_key: "" -#------------------ Barracuda Web Application Firewall Module ------------------ -- module: barracuda - waf: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9503 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - - spamfirewall: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9524 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - #-------------------------- Blue Coat Director Module -------------------------- - module: bluecoat director: diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index 43b6758766e..a5843dc1dd3 100644 --- a/x-pack/filebeat/include/list.go +++ b/x-pack/filebeat/include/list.go @@ -20,7 +20,6 @@ import ( _ "github.com/elastic/beats/v7/x-pack/filebeat/module/aws" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/awsfargate" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/azure" - _ "github.com/elastic/beats/v7/x-pack/filebeat/module/barracuda" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/bluecoat" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/cef" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/checkpoint" 
diff --git a/x-pack/filebeat/module/barracuda/README.md b/x-pack/filebeat/module/barracuda/README.md
deleted file mode 100644
index 57ada7880ce..00000000000
--- a/x-pack/filebeat/module/barracuda/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-# barracuda module
-
-This is a module for Barracuda Web Application Firewall logs.
-
-Autogenerated from RSA NetWitness log parser 2.0 XML barracudawaf version 132
-at 2020-07-13 17:55:32.894932 +0000 UTC.
-
diff --git a/x-pack/filebeat/module/barracuda/_meta/config.yml b/x-pack/filebeat/module/barracuda/_meta/config.yml
deleted file mode 100644
index c6e7a48e75b..00000000000
--- a/x-pack/filebeat/module/barracuda/_meta/config.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-- module: barracuda
- waf:
- enabled: false
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9503
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
-
- spamfirewall:
- enabled: false
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9524
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/x-pack/filebeat/module/barracuda/_meta/docs.asciidoc b/x-pack/filebeat/module/barracuda/_meta/docs.asciidoc
deleted file mode 100644
index abca823d933..00000000000
--- a/x-pack/filebeat/module/barracuda/_meta/docs.asciidoc
+++ /dev/null
@@ -1,115 +0,0 @@
-[role="xpack"]
-
-:modulename: barracuda
-:has-dashboards: false
-
-== Barracuda module
-
-deprecated::[8.12.0,"This module is deprecated. Use the https://docs.elastic.co/integrations/barracuda[Barracuda Web Application Firewall] Elastic integration instead."]
-
-experimental[]
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-This is a module for receiving Barracuda Web Application Firewall logs over Syslog or a file.
-
-include::../include/gs-link.asciidoc[]
-
-include::../include/configuring-intro.asciidoc[]
-
-:fileset_ex: waf
-
-include::../include/config-option-intro.asciidoc[]
-
-[float]
-==== `waf` fileset settings
-
-experimental[]
-
-NOTE: This was converted from RSA NetWitness log parser XML "barracudawaf" device revision 132.
-
-*`var.input`*::
-
-The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
-
-*`var.syslog_host`*::
-
-The address to listen to UDP or TCP based syslog traffic.
-Defaults to `localhost`.
-Set to `0.0.0.0` to bind to all available interfaces.
-
-*`var.syslog_port`*::
-
-The port to listen for syslog traffic. Defaults to `9503`
-
-NOTE: Ports below 1024 require Filebeat to run as root.
-
-*`var.tz_offset`*::
-
-By default, datetimes in the logs will be interpreted as relative to
-the timezone configured in the host where {beatname_uc} is running. If ingesting
-logs from a host on a different timezone, use this field to set the timezone
-offset so that datetimes are correctly parsed. Valid values are in the form
-±HH:mm, for example, `-07:00` for `UTC-7`.
-
-*`var.rsa_fields`*::
-
-Flag to control the addition of non-ECS fields to the event. Defaults to true,
-which causes both ECS and custom fields under `rsa` to be added.
-
-*`var.keep_raw_fields`*::
-
-Flag to control the addition of the raw parser fields to the event. This fields
-will be found under `rsa.raw`. The default is false.
-
-:has-dashboards!:
-
-:fileset_ex!:
-
-[float]
-==== `spamfirewall` fileset settings
-
-experimental[]
-
-NOTE: This was converted from RSA NetWitness log parser XML "barracudasf" device revision 125.
-
-*`var.input`*::
-
-The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
-
-*`var.syslog_host`*::
-
-The address to listen to UDP or TCP based syslog traffic.
-Defaults to `localhost`.
-Set to `0.0.0.0` to bind to all available interfaces.
-
-*`var.syslog_port`*::
-
-The port to listen for syslog traffic. Defaults to `9524`
-
-NOTE: Ports below 1024 require Filebeat to run as root.
-
-*`var.tz_offset`*::
-
-By default, datetimes in the logs will be interpreted as relative to
-the timezone configured in the host where {beatname_uc} is running. If ingesting
-logs from a host on a different timezone, use this field to set the timezone
-offset so that datetimes are correctly parsed. Valid values are in the form
-±HH:mm, for example, `-07:00` for `UTC-7`.
-
-*`var.rsa_fields`*::
-
-Flag to control the addition of non-ECS fields to the event. Defaults to true,
-which causes both ECS and custom fields under `rsa` to be added.
-
-*`var.keep_raw_fields`*::
-
-Flag to control the addition of the raw parser fields to the event. This fields
-will be found under `rsa.raw`. The default is false.
-
-:has-dashboards!:
-
-:fileset_ex!:
-
-:modulename!:
-
diff --git a/x-pack/filebeat/module/barracuda/_meta/fields.yml b/x-pack/filebeat/module/barracuda/_meta/fields.yml
deleted file mode 100644
index c12b3acd69f..00000000000
--- a/x-pack/filebeat/module/barracuda/_meta/fields.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-- key: barracuda
- title: Barracuda Web Application Firewall
- description: >
- barracuda fields.
- fields:
diff --git a/x-pack/filebeat/module/barracuda/fields.go b/x-pack/filebeat/module/barracuda/fields.go
deleted file mode 100644
index f8bcb4789d2..00000000000
--- a/x-pack/filebeat/module/barracuda/fields.go
+++ /dev/null
@@ -1,23 +0,0 @@
-// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-// or more contributor license agreements. Licensed under the Elastic License;
-// you may not use this file except in compliance with the Elastic License.
-
-// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT.
-
-package barracuda
-
-import (
- "github.com/elastic/beats/v7/libbeat/asset"
-)
-
-func init() {
- if err := asset.SetFields("filebeat", "barracuda", asset.ModuleFieldsPri, AssetBarracuda); err != nil {
- panic(err)
- }
-}
-
-// AssetBarracuda returns asset data.
-// This is the base64 encoded zlib format compressed contents of module/barracuda.
-func AssetBarracuda() string {
- return "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"
-}
diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/_meta/fields.yml b/x-pack/filebeat/module/barracuda/spamfirewall/_meta/fields.yml
deleted file mode 100644
index 08a34153c4f..00000000000
--- a/x-pack/filebeat/module/barracuda/spamfirewall/_meta/fields.yml
+++ /dev/null
@@ -1,2635 +0,0 @@ -- name: network.interface.name - overwrite: true - type: keyword - description: > - Name of the network interface where the traffic has been observed. -- name: rsa - overwrite: true - type: group - fields: - - name: internal - overwrite: true - type: group - fields: - - name: msg - overwrite: true - type: keyword - description: This key is used to capture the raw message that comes into the - Log Decoder - - name: messageid - overwrite: true - type: keyword - - name: event_desc - overwrite: true - type: keyword - - name: message - overwrite: true - type: keyword - description: This key captures the contents of instant messages - - name: time - overwrite: true - type: date - description: This is the time at which a session hits a NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness. - - name: level - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: msg_id - overwrite: true - type: keyword - description: This is the Message ID1 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: msg_vid - overwrite: true - type: keyword - description: This is the Message ID2 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: data - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: resource - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: statement - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: entry - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: inode - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: resource_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: dead - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - overwrite: true - type: keyword - description: This is used to capture the description of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: feed_name - overwrite: true - type: keyword - description: This is used to capture the name of the feed. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: cid - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_class - overwrite: true - type: keyword - description: This is the Classification of the Log Event Source under a predefined - fixed set of Event Source Classifications. 
This key should never be used to - parse Meta data from a session (Logs/Packets) Directly, this is a Reserved - key in NetWitness - - name: device_group - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - overwrite: true - type: keyword - description: This is the Hostname of the log Event Source sending the logs to - NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - overwrite: true - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - overwrite: true - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - overwrite: true - type: keyword - description: This is the name of the log parser which parsed a given session. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_type_id - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: did - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. 
- This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: entropy_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: entropy_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: event_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - overwrite: true - type: keyword - description: This is used to capture the category of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: forward_ip - overwrite: true - type: ip - description: This key should be used to capture the IPV4 address of a relay - system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - overwrite: true - type: ip - description: This key is used to capture the IPV6 address of a relay system - which forwarded the events from the original system to NetWitness. This key - should never be used to parse Meta data from a session (Logs/Packets) Directly, - this is a Reserved key in NetWitness - - name: header_id - overwrite: true - type: keyword - description: This is the Header ID value that identifies the exact log parser - header definition that parses a particular log session. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: lc_cid - overwrite: true - type: keyword - description: This is a unique Identifier of a Log Collector. 
This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: lc_ctime - overwrite: true - type: date - description: This is the time at which a log is collected in a NetWitness Log - Collector. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: mcbc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: medium - overwrite: true - type: long - description: "This key is used to identify if it\u2019s a log/packet session\ - \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ - \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ - \ 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: nwe_callback_id - overwrite: true - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - overwrite: true - type: keyword - description: This is a special key that stores any Meta key validation error - found while parsing a log session. This key should never be used to parse - Meta data from a session (Logs/Packets) Directly, this is a Reserved key in - NetWitness - - name: payload_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: payload_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: process_vid_dst - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the target process. - - name: process_vid_src - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the source process. - - name: rid - overwrite: true - type: long - description: This is a special ID of the Remote Session created by NetWitness - Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: session_split - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: size - overwrite: true - type: long - description: This is the size of the session as seen by the NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: sourcefile - overwrite: true - type: keyword - description: This is the name of the log file or PCAPs that can be imported - into NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: ubc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: word - overwrite: true - type: keyword - description: This is used by the Word Parsing technology to capture the first - 5 character of every word in an unparsed log - - name: time - overwrite: true - type: group - fields: - - name: event_time - overwrite: true - type: date - description: This key is used to capture the time mentioned in a raw session - that represents the actual time an event occured in a standard normalized - form - - name: duration_time - overwrite: true - type: double - description: This key is used to capture the normalized duration/lifetime in - seconds. 
- - name: event_time_str - overwrite: true - type: keyword - description: This key is used to capture the incomplete time mentioned in a - session as a string - - name: starttime - overwrite: true - type: date - description: This key is used to capture the Start time mentioned in a session - in a standard form - - name: month - overwrite: true - type: keyword - - name: day - overwrite: true - type: keyword - - name: endtime - overwrite: true - type: date - description: This key is used to capture the End time mentioned in a session - in a standard form - - name: timezone - overwrite: true - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - overwrite: true - type: keyword - description: A text string version of the duration - - name: date - overwrite: true - type: keyword - - name: year - overwrite: true - type: keyword - - name: recorded_time - overwrite: true - type: date - description: The event time as recorded by the system the event is collected - from. The usage scenario is a multi-tier application where the management - layer of the system records it's own timestamp at the time of collection from - its child nodes. Must be in timestamp format. - - name: datetime - overwrite: true - type: keyword - - name: effective_time - overwrite: true - type: date - description: This key is the effective time referenced by an individual event - in a Standard Timestamp format - - name: expire_time - overwrite: true - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - overwrite: true - type: keyword - description: Deprecated, use duration.time - - name: hour - overwrite: true - type: keyword - - name: min - overwrite: true - type: keyword - - name: timestamp - overwrite: true - type: keyword - - name: event_queue_time - overwrite: true - type: date - description: This key is the Time that the event was queued. 
- - name: p_time1 - overwrite: true - type: keyword - - name: tzone - overwrite: true - type: keyword - - name: eventtime - overwrite: true - type: keyword - - name: gmtdate - overwrite: true - type: keyword - - name: gmttime - overwrite: true - type: keyword - - name: p_date - overwrite: true - type: keyword - - name: p_month - overwrite: true - type: keyword - - name: p_time - overwrite: true - type: keyword - - name: p_time2 - overwrite: true - type: keyword - - name: p_year - overwrite: true - type: keyword - - name: expire_time_str - overwrite: true - type: keyword - description: This key is used to capture incomplete timestamp that explicitly - refers to an expiration. - - name: stamp - overwrite: true - type: date - description: Deprecated key defined only in table map. - - name: misc - overwrite: true - type: group - fields: - - name: action - overwrite: true - type: keyword - - name: result - overwrite: true - type: keyword - description: This key is used to capture the outcome/result string value of - an action in a session. - - name: severity - overwrite: true - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - overwrite: true - type: keyword - description: This key captures the event category type as specified by the event - source. - - name: reference_id - overwrite: true - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - overwrite: true - type: keyword - description: This key captures Version of the application or OS which is generating - the event. - - name: disposition - overwrite: true - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - overwrite: true - type: keyword - description: This key is used to capture the outcome/result numeric value of - an action in a session - - name: category - overwrite: true - type: keyword - description: This key is used to capture the category of an event given by the - vendor in the session - - name: obj_name - overwrite: true - type: keyword - description: This is used to capture name of object - - name: obj_type - overwrite: true - type: keyword - description: This is used to capture type of object - - name: event_source - overwrite: true - type: keyword - description: "This key captures Source of the event that\u2019s not a hostname" - - name: log_session_id - overwrite: true - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - overwrite: true - type: keyword - description: This key captures the Group Name value - - name: policy_name - overwrite: true - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - overwrite: true - type: keyword - description: This key captures the Rule Name - - name: context - overwrite: true - type: keyword - description: This key captures Information which adds additional context to - the event. - - name: change_new - overwrite: true - type: keyword - description: "This key is used to capture the new values of the attribute that\u2019\ - s changing in a session" - - name: space - overwrite: true - type: keyword - - name: client - overwrite: true - type: keyword - description: This key is used to capture only the name of the client application - requesting resources of the server. See the user.agent meta key for capture - of the specific user agent identifier or browser identification string. 
- - name: msgIdPart1 - overwrite: true - type: keyword - - name: msgIdPart2 - overwrite: true - type: keyword - - name: change_old - overwrite: true - type: keyword - description: "This key is used to capture the old value of the attribute that\u2019\ - s changing in a session" - - name: operation_id - overwrite: true - type: keyword - description: An alert number or operation number. The values should be unique - and non-repeating. - - name: event_state - overwrite: true - type: keyword - description: This key captures the current state of the object/item referenced - within the event. Describing an on-going event. - - name: group_object - overwrite: true - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - overwrite: true - type: keyword - description: Common use case is the node name within a cluster. The cluster - name is reflected by the host name. - - name: rule - overwrite: true - type: keyword - description: This key captures the Rule number - - name: device_name - overwrite: true - type: keyword - description: 'This is used to capture name of the Device associated with the - node Like: a physical disk, printer, etc' - - name: param - overwrite: true - type: keyword - description: This key is the parameters passed as part of a command or application, - etc. - - name: change_attrib - overwrite: true - type: keyword - description: "This key is used to capture the name of the attribute that\u2019\ - s changing in a session" - - name: event_computer - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - fully qualified domain name in a windows log. 
- - name: reference_id1 - overwrite: true - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - overwrite: true - type: keyword - description: This key captures the Name of the event log - - name: OS - overwrite: true - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - overwrite: true - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - overwrite: true - type: keyword - - name: filter - overwrite: true - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - overwrite: true - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the entity - such as a file or process. Checksum should be used over checksum.src or checksum.dst - when it is unclear whether the entity is a source or target of an action. - - name: event_user - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - combination of domain name and username in a windows log. - - name: virusname - overwrite: true - type: keyword - description: This key captures the name of the virus - - name: content_type - overwrite: true - type: keyword - description: This key is used to capture Content Type only. 
- - name: group_id - overwrite: true - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - overwrite: true - type: keyword - description: This key is used to capture the Policy ID only, this should be - a numeric value, use policy.name otherwise - - name: vsys - overwrite: true - type: keyword - description: This key captures Virtual System Name - - name: connection_id - overwrite: true - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - overwrite: true - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" - or "reference.id1" value but should not be used unless the other two variables - are in play. - - name: sensor - overwrite: true - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS - based devices - - name: sig_id - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - overwrite: true - type: keyword - description: 'This key is used for Physical or logical port connection but does - NOT include a network port. (Example: Printer port name).' - - name: rule_group - overwrite: true - type: keyword - description: This key captures the Rule group name - - name: risk_num - overwrite: true - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - overwrite: true - type: keyword - description: This key captures the Value of the trigger or threshold condition. - - name: log_session_id1 - overwrite: true - type: keyword - description: This key is used to capture a Linked (Related) Session ID from - the session directly - - name: comp_version - overwrite: true - type: keyword - description: This key captures the Version level of a sub-component of a product. 
- - name: content_version - overwrite: true - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - overwrite: true - type: keyword - description: This key is used to capture unique identifier for a device or system - (NOT a Mac address) - - name: risk - overwrite: true - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - overwrite: true - type: keyword - - name: reason - overwrite: true - type: keyword - - name: status - overwrite: true - type: keyword - - name: mail_id - overwrite: true - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - overwrite: true - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - overwrite: true - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - overwrite: true - type: keyword - - name: p_msgid - overwrite: true - type: keyword - - name: data_type - overwrite: true - type: keyword - - name: msgIdPart4 - overwrite: true - type: keyword - - name: error - overwrite: true - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - overwrite: true - type: keyword - - name: listnum - overwrite: true - type: keyword - description: This key is used to capture listname or listnumber, primarily for - collecting access-list - - name: ntype - overwrite: true - type: keyword - - name: observed_val - overwrite: true - type: keyword - description: This key captures the Value observed (from the perspective of the - device generating the log). - - name: policy_value - overwrite: true - type: keyword - description: This key captures the contents of the policy. 
This contains details - about the policy - - name: pool_name - overwrite: true - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - overwrite: true - type: keyword - description: A default set of parameters which are overlayed onto a rule (or - rulename) which efffectively constitutes a template - - name: count - overwrite: true - type: keyword - - name: number - overwrite: true - type: keyword - - name: sigcat - overwrite: true - type: keyword - - name: type - overwrite: true - type: keyword - - name: comments - overwrite: true - type: keyword - description: Comment information provided in the log message - - name: doc_number - overwrite: true - type: long - description: This key captures File Identification number - - name: expected_val - overwrite: true - type: keyword - description: This key captures the Value expected (from the perspective of the - device generating the log). - - name: job_num - overwrite: true - type: keyword - description: This key captures the Job Number - - name: spi_dst - overwrite: true - type: keyword - description: Destination SPI Index - - name: spi_src - overwrite: true - type: keyword - description: Source SPI Index - - name: code - overwrite: true - type: keyword - - name: agent_id - overwrite: true - type: keyword - description: This key is used to capture agent id - - name: message_body - overwrite: true - type: keyword - description: This key captures the The contents of the message body. - - name: phone - overwrite: true - type: keyword - - name: sig_id_str - overwrite: true - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - overwrite: true - type: keyword - - name: misc - overwrite: true - type: keyword - - name: name - overwrite: true - type: keyword - - name: cpu - overwrite: true - type: long - description: This key is the CPU time used in the execution of the event being - recorded. 
- - name: event_desc - overwrite: true - type: keyword - description: This key is used to capture a description of an event available - directly or inferred - - name: sig_id1 - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID. This must be linked - to the sig.id - - name: im_buddyid - overwrite: true - type: keyword - - name: im_client - overwrite: true - type: keyword - - name: im_userid - overwrite: true - type: keyword - - name: pid - overwrite: true - type: keyword - - name: priority - overwrite: true - type: keyword - - name: context_subject - overwrite: true - type: keyword - description: This key is to be used in an audit context where the subject is - the object being identified - - name: context_target - overwrite: true - type: keyword - - name: cve - overwrite: true - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - - an identifier for known information security vulnerabilities. - - name: fcatnum - overwrite: true - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - overwrite: true - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - overwrite: true - type: keyword - description: This key captures the Parent Node Name. Must be related to node - variable. - - name: risk_info - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - overwrite: true - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - overwrite: true - type: long - description: This key describes the type of service - - name: vm_target - overwrite: true - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - overwrite: true - type: keyword - description: This key captures Workspace Description - - name: command - overwrite: true - type: keyword - - name: event_category - overwrite: true - type: keyword - - name: facilityname - overwrite: true - type: keyword - - name: forensic_info - overwrite: true - type: keyword - - name: jobname - overwrite: true - type: keyword - - name: mode - overwrite: true - type: keyword - - name: policy - overwrite: true - type: keyword - - name: policy_waiver - overwrite: true - type: keyword - - name: second - overwrite: true - type: keyword - - name: space1 - overwrite: true - type: keyword - - name: subcategory - overwrite: true - type: keyword - - name: tbdstr2 - overwrite: true - type: keyword - - name: alert_id - overwrite: true - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the the target - entity such as a process or file. - - name: checksum_src - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the source - entity such as a file or process. 
- - name: fresult - overwrite: true - type: long - description: This key captures the Filter Result - - name: payload_dst - overwrite: true - type: keyword - description: This key is used to capture destination payload - - name: payload_src - overwrite: true - type: keyword - description: This key is used to capture source payload - - name: pool_id - overwrite: true - type: keyword - description: This key captures the identifier (typically numeric field) of a - resource pool - - name: process_id_val - overwrite: true - type: keyword - description: This key is a failure key for Process ID when it is not an integer - value - - name: risk_num_comm - overwrite: true - type: double - description: This key captures Risk Number Community - - name: risk_num_next - overwrite: true - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - overwrite: true - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - overwrite: true - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - overwrite: true - type: keyword - description: SNMP Object Identifier - - name: sql - overwrite: true - type: keyword - description: This key captures the SQL query - - name: vuln_ref - overwrite: true - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - overwrite: true - type: keyword - - name: acl_op - overwrite: true - type: keyword - - name: acl_pos - overwrite: true - type: keyword - - name: acl_table - overwrite: true - type: keyword - - name: admin - overwrite: true - type: keyword - - name: alarm_id - overwrite: true - type: keyword - - name: alarmname - 
overwrite: true - type: keyword - - name: app_id - overwrite: true - type: keyword - - name: audit - overwrite: true - type: keyword - - name: audit_object - overwrite: true - type: keyword - - name: auditdata - overwrite: true - type: keyword - - name: benchmark - overwrite: true - type: keyword - - name: bypass - overwrite: true - type: keyword - - name: cache - overwrite: true - type: keyword - - name: cache_hit - overwrite: true - type: keyword - - name: cefversion - overwrite: true - type: keyword - - name: cfg_attr - overwrite: true - type: keyword - - name: cfg_obj - overwrite: true - type: keyword - - name: cfg_path - overwrite: true - type: keyword - - name: changes - overwrite: true - type: keyword - - name: client_ip - overwrite: true - type: keyword - - name: clustermembers - overwrite: true - type: keyword - - name: cn_acttimeout - overwrite: true - type: keyword - - name: cn_asn_src - overwrite: true - type: keyword - - name: cn_bgpv4nxthop - overwrite: true - type: keyword - - name: cn_ctr_dst_code - overwrite: true - type: keyword - - name: cn_dst_tos - overwrite: true - type: keyword - - name: cn_dst_vlan - overwrite: true - type: keyword - - name: cn_engine_id - overwrite: true - type: keyword - - name: cn_engine_type - overwrite: true - type: keyword - - name: cn_f_switch - overwrite: true - type: keyword - - name: cn_flowsampid - overwrite: true - type: keyword - - name: cn_flowsampintv - overwrite: true - type: keyword - - name: cn_flowsampmode - overwrite: true - type: keyword - - name: cn_inacttimeout - overwrite: true - type: keyword - - name: cn_inpermbyts - overwrite: true - type: keyword - - name: cn_inpermpckts - overwrite: true - type: keyword - - name: cn_invalid - overwrite: true - type: keyword - - name: cn_ip_proto_ver - overwrite: true - type: keyword - - name: cn_ipv4_ident - overwrite: true - type: keyword - - name: cn_l_switch - overwrite: true - type: keyword - - name: cn_log_did - overwrite: true - type: keyword - - name: 
cn_log_rid - overwrite: true - type: keyword - - name: cn_max_ttl - overwrite: true - type: keyword - - name: cn_maxpcktlen - overwrite: true - type: keyword - - name: cn_min_ttl - overwrite: true - type: keyword - - name: cn_minpcktlen - overwrite: true - type: keyword - - name: cn_mpls_lbl_1 - overwrite: true - type: keyword - - name: cn_mpls_lbl_10 - overwrite: true - type: keyword - - name: cn_mpls_lbl_2 - overwrite: true - type: keyword - - name: cn_mpls_lbl_3 - overwrite: true - type: keyword - - name: cn_mpls_lbl_4 - overwrite: true - type: keyword - - name: cn_mpls_lbl_5 - overwrite: true - type: keyword - - name: cn_mpls_lbl_6 - overwrite: true - type: keyword - - name: cn_mpls_lbl_7 - overwrite: true - type: keyword - - name: cn_mpls_lbl_8 - overwrite: true - type: keyword - - name: cn_mpls_lbl_9 - overwrite: true - type: keyword - - name: cn_mplstoplabel - overwrite: true - type: keyword - - name: cn_mplstoplabip - overwrite: true - type: keyword - - name: cn_mul_dst_byt - overwrite: true - type: keyword - - name: cn_mul_dst_pks - overwrite: true - type: keyword - - name: cn_muligmptype - overwrite: true - type: keyword - - name: cn_sampalgo - overwrite: true - type: keyword - - name: cn_sampint - overwrite: true - type: keyword - - name: cn_seqctr - overwrite: true - type: keyword - - name: cn_spackets - overwrite: true - type: keyword - - name: cn_src_tos - overwrite: true - type: keyword - - name: cn_src_vlan - overwrite: true - type: keyword - - name: cn_sysuptime - overwrite: true - type: keyword - - name: cn_template_id - overwrite: true - type: keyword - - name: cn_totbytsexp - overwrite: true - type: keyword - - name: cn_totflowexp - overwrite: true - type: keyword - - name: cn_totpcktsexp - overwrite: true - type: keyword - - name: cn_unixnanosecs - overwrite: true - type: keyword - - name: cn_v6flowlabel - overwrite: true - type: keyword - - name: cn_v6optheaders - overwrite: true - type: keyword - - name: comp_class - overwrite: true - type: 
keyword - - name: comp_name - overwrite: true - type: keyword - - name: comp_rbytes - overwrite: true - type: keyword - - name: comp_sbytes - overwrite: true - type: keyword - - name: cpu_data - overwrite: true - type: keyword - - name: criticality - overwrite: true - type: keyword - - name: cs_agency_dst - overwrite: true - type: keyword - - name: cs_analyzedby - overwrite: true - type: keyword - - name: cs_av_other - overwrite: true - type: keyword - - name: cs_av_primary - overwrite: true - type: keyword - - name: cs_av_secondary - overwrite: true - type: keyword - - name: cs_bgpv6nxthop - overwrite: true - type: keyword - - name: cs_bit9status - overwrite: true - type: keyword - - name: cs_context - overwrite: true - type: keyword - - name: cs_control - overwrite: true - type: keyword - - name: cs_data - overwrite: true - type: keyword - - name: cs_datecret - overwrite: true - type: keyword - - name: cs_dst_tld - overwrite: true - type: keyword - - name: cs_eth_dst_ven - overwrite: true - type: keyword - - name: cs_eth_src_ven - overwrite: true - type: keyword - - name: cs_event_uuid - overwrite: true - type: keyword - - name: cs_filetype - overwrite: true - type: keyword - - name: cs_fld - overwrite: true - type: keyword - - name: cs_if_desc - overwrite: true - type: keyword - - name: cs_if_name - overwrite: true - type: keyword - - name: cs_ip_next_hop - overwrite: true - type: keyword - - name: cs_ipv4dstpre - overwrite: true - type: keyword - - name: cs_ipv4srcpre - overwrite: true - type: keyword - - name: cs_lifetime - overwrite: true - type: keyword - - name: cs_log_medium - overwrite: true - type: keyword - - name: cs_loginname - overwrite: true - type: keyword - - name: cs_modulescore - overwrite: true - type: keyword - - name: cs_modulesign - overwrite: true - type: keyword - - name: cs_opswatresult - overwrite: true - type: keyword - - name: cs_payload - overwrite: true - type: keyword - - name: cs_registrant - overwrite: true - type: keyword - - 
name: cs_registrar - overwrite: true - type: keyword - - name: cs_represult - overwrite: true - type: keyword - - name: cs_rpayload - overwrite: true - type: keyword - - name: cs_sampler_name - overwrite: true - type: keyword - - name: cs_sourcemodule - overwrite: true - type: keyword - - name: cs_streams - overwrite: true - type: keyword - - name: cs_targetmodule - overwrite: true - type: keyword - - name: cs_v6nxthop - overwrite: true - type: keyword - - name: cs_whois_server - overwrite: true - type: keyword - - name: cs_yararesult - overwrite: true - type: keyword - - name: description - overwrite: true - type: keyword - - name: devvendor - overwrite: true - type: keyword - - name: distance - overwrite: true - type: keyword - - name: dstburb - overwrite: true - type: keyword - - name: edomain - overwrite: true - type: keyword - - name: edomaub - overwrite: true - type: keyword - - name: euid - overwrite: true - type: keyword - - name: facility - overwrite: true - type: keyword - - name: finterface - overwrite: true - type: keyword - - name: flags - overwrite: true - type: keyword - - name: gaddr - overwrite: true - type: keyword - - name: id3 - overwrite: true - type: keyword - - name: im_buddyname - overwrite: true - type: keyword - - name: im_croomid - overwrite: true - type: keyword - - name: im_croomtype - overwrite: true - type: keyword - - name: im_members - overwrite: true - type: keyword - - name: im_username - overwrite: true - type: keyword - - name: ipkt - overwrite: true - type: keyword - - name: ipscat - overwrite: true - type: keyword - - name: ipspri - overwrite: true - type: keyword - - name: latitude - overwrite: true - type: keyword - - name: linenum - overwrite: true - type: keyword - - name: list_name - overwrite: true - type: keyword - - name: load_data - overwrite: true - type: keyword - - name: location_floor - overwrite: true - type: keyword - - name: location_mark - overwrite: true - type: keyword - - name: log_id - overwrite: true - 
type: keyword - - name: log_type - overwrite: true - type: keyword - - name: logid - overwrite: true - type: keyword - - name: logip - overwrite: true - type: keyword - - name: logname - overwrite: true - type: keyword - - name: longitude - overwrite: true - type: keyword - - name: lport - overwrite: true - type: keyword - - name: mbug_data - overwrite: true - type: keyword - - name: misc_name - overwrite: true - type: keyword - - name: msg_type - overwrite: true - type: keyword - - name: msgid - overwrite: true - type: keyword - - name: netsessid - overwrite: true - type: keyword - - name: num - overwrite: true - type: keyword - - name: number1 - overwrite: true - type: keyword - - name: number2 - overwrite: true - type: keyword - - name: nwwn - overwrite: true - type: keyword - - name: object - overwrite: true - type: keyword - - name: operation - overwrite: true - type: keyword - - name: opkt - overwrite: true - type: keyword - - name: orig_from - overwrite: true - type: keyword - - name: owner_id - overwrite: true - type: keyword - - name: p_action - overwrite: true - type: keyword - - name: p_filter - overwrite: true - type: keyword - - name: p_group_object - overwrite: true - type: keyword - - name: p_id - overwrite: true - type: keyword - - name: p_msgid1 - overwrite: true - type: keyword - - name: p_msgid2 - overwrite: true - type: keyword - - name: p_result1 - overwrite: true - type: keyword - - name: password_chg - overwrite: true - type: keyword - - name: password_expire - overwrite: true - type: keyword - - name: permgranted - overwrite: true - type: keyword - - name: permwanted - overwrite: true - type: keyword - - name: pgid - overwrite: true - type: keyword - - name: policyUUID - overwrite: true - type: keyword - - name: prog_asp_num - overwrite: true - type: keyword - - name: program - overwrite: true - type: keyword - - name: real_data - overwrite: true - type: keyword - - name: rec_asp_device - overwrite: true - type: keyword - - name: rec_asp_num 
- overwrite: true - type: keyword - - name: rec_library - overwrite: true - type: keyword - - name: recordnum - overwrite: true - type: keyword - - name: ruid - overwrite: true - type: keyword - - name: sburb - overwrite: true - type: keyword - - name: sdomain_fld - overwrite: true - type: keyword - - name: sec - overwrite: true - type: keyword - - name: sensorname - overwrite: true - type: keyword - - name: seqnum - overwrite: true - type: keyword - - name: session - overwrite: true - type: keyword - - name: sessiontype - overwrite: true - type: keyword - - name: sigUUID - overwrite: true - type: keyword - - name: spi - overwrite: true - type: keyword - - name: srcburb - overwrite: true - type: keyword - - name: srcdom - overwrite: true - type: keyword - - name: srcservice - overwrite: true - type: keyword - - name: state - overwrite: true - type: keyword - - name: status1 - overwrite: true - type: keyword - - name: svcno - overwrite: true - type: keyword - - name: system - overwrite: true - type: keyword - - name: tbdstr1 - overwrite: true - type: keyword - - name: tgtdom - overwrite: true - type: keyword - - name: tgtdomain - overwrite: true - type: keyword - - name: threshold - overwrite: true - type: keyword - - name: type1 - overwrite: true - type: keyword - - name: udb_class - overwrite: true - type: keyword - - name: url_fld - overwrite: true - type: keyword - - name: user_div - overwrite: true - type: keyword - - name: userid - overwrite: true - type: keyword - - name: username_fld - overwrite: true - type: keyword - - name: utcstamp - overwrite: true - type: keyword - - name: v_instafname - overwrite: true - type: keyword - - name: virt_data - overwrite: true - type: keyword - - name: vpnid - overwrite: true - type: keyword - - name: autorun_type - overwrite: true - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - overwrite: true - type: long - description: Valid Credit Card Numbers only - - name: content - 
overwrite: true - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - overwrite: true - type: long - description: Employee Identification Numbers only - - name: found - overwrite: true - type: keyword - description: This is used to capture the results of regex match - - name: language - overwrite: true - type: keyword - description: This is used to capture list of languages the client support and - what it prefers - - name: lifetime - overwrite: true - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - overwrite: true - type: keyword - description: This key is used to link the sessions together. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: match - overwrite: true - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - overwrite: true - type: keyword - description: This key captures the command line/launch argument of the target - process or file - - name: param_src - overwrite: true - type: keyword - description: This key captures source parameter - - name: search_text - overwrite: true - type: keyword - description: This key captures the Search Text used - - name: sig_name - overwrite: true - type: keyword - description: This key is used to capture the Signature Name only. - - name: snmp_value - overwrite: true - type: keyword - description: SNMP set request value - - name: streams - overwrite: true - type: long - description: This key captures number of streams in session - - name: db - overwrite: true - type: group - fields: - - name: index - overwrite: true - type: keyword - description: This key captures IndexID of the index. 
- - name: instance - overwrite: true - type: keyword - description: This key is used to capture the database server instance name - - name: database - overwrite: true - type: keyword - description: This key is used to capture the name of a database or an instance - as seen in a session - - name: transact_id - overwrite: true - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - overwrite: true - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - overwrite: true - type: keyword - description: This key is used to capture the table name - - name: db_id - overwrite: true - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - overwrite: true - type: long - description: This key captures the process id of a connection with database - server - - name: lread - overwrite: true - type: long - description: This key is used for the number of logical reads - - name: lwrite - overwrite: true - type: long - description: This key is used for the number of logical writes - - name: pread - overwrite: true - type: long - description: This key is used for the number of physical writes - - name: network - overwrite: true - type: group - fields: - - name: alias_host - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a hostname is not clear.Also it captures the Device Hostname. Any Hostname - that isnt ad.computer. 
- - name: domain - overwrite: true - type: keyword - - name: host_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Hostname" - - name: network_service - overwrite: true - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of an interface is not clear - - name: network_port - overwrite: true - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently - used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - overwrite: true - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Interface" - - name: dinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Interface" - - name: vlan - overwrite: true - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Zone." - - name: zone - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a Zone is not clear - - name: zone_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Zone." - - name: gateway - overwrite: true - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - overwrite: true - type: long - description: This key is used to capture the ICMP type only - - name: mask - overwrite: true - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - overwrite: true - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - overwrite: true - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - overwrite: true - type: keyword - description: This key is used for Destionation Device network mask - - name: port - overwrite: true - type: long - description: This key should only be used to capture a Network Port when the - directionality is not clear - - name: smask - overwrite: true - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - overwrite: true - type: keyword - description: This key is used to capture the network name associated with an - IP range. This is configured by the end user. - - name: paddr - overwrite: true - type: ip - description: Deprecated - - name: faddr - overwrite: true - type: keyword - - name: lhost - overwrite: true - type: keyword - - name: origin - overwrite: true - type: keyword - - name: remote_domain_id - overwrite: true - type: keyword - - name: addr - overwrite: true - type: keyword - - name: dns_a_record - overwrite: true - type: keyword - - name: dns_ptr_record - overwrite: true - type: keyword - - name: fhost - overwrite: true - type: keyword - - name: fport - overwrite: true - type: keyword - - name: laddr - overwrite: true - type: keyword - - name: linterface - overwrite: true - type: keyword - - name: phost - overwrite: true - type: keyword - - name: ad_computer_dst - overwrite: true - type: keyword - description: Deprecated, use host.dst - - name: eth_type - overwrite: true - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols - Only - - name: ip_proto - overwrite: true - type: long - description: This key should be used to capture the Protocol number, all the - protocol nubers are converted into string in UI - - name: dns_cname_record - overwrite: true - 
type: keyword - - name: dns_id - overwrite: true - type: keyword - - name: dns_opcode - overwrite: true - type: keyword - - name: dns_resp - overwrite: true - type: keyword - - name: dns_type - overwrite: true - type: keyword - - name: domain1 - overwrite: true - type: keyword - - name: host_type - overwrite: true - type: keyword - - name: packet_length - overwrite: true - type: keyword - - name: host_orig - overwrite: true - type: keyword - description: This is used to capture the original hostname in case of a Forwarding - Agent or a Proxy in between. - - name: rpayload - overwrite: true - type: keyword - description: This key is used to capture the total number of payload bytes seen - in the retransmitted packets. - - name: vlan_name - overwrite: true - type: keyword - description: This key should only be used to capture the name of the Virtual - LAN - - name: investigations - overwrite: true - type: group - fields: - - name: ec_activity - overwrite: true - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - overwrite: true - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - overwrite: true - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - overwrite: true - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - overwrite: true - type: long - description: This key captures the Event category number - - name: event_cat_name - overwrite: true - type: keyword - description: This key captures the event category name corresponding to the - event cat code - - name: event_vcat - overwrite: true - type: keyword - description: This is a vendor supplied category. This should be used in situations - where the vendor has adopted their own event_category taxonomy. 
- - name: analysis_file - overwrite: true - type: keyword - description: This is used to capture all indicators used in a File Analysis. - This key should be used to capture an analysis of a file - - name: analysis_service - overwrite: true - type: keyword - description: This is used to capture all indicators used in a Service Analysis. - This key should be used to capture an analysis of a service - - name: analysis_session - overwrite: true - type: keyword - description: This is used to capture all indicators used for a Session Analysis. - This key should be used to capture an analysis of a session - - name: boc - overwrite: true - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - overwrite: true - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - overwrite: true - type: keyword - description: This used to capture investigation category - - name: inv_context - overwrite: true - type: keyword - description: This used to capture investigation context - - name: ioc - overwrite: true - type: keyword - description: This is key capture indicator of compromise - - name: counters - overwrite: true - type: group - fields: - - name: dclass_c1 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c1.str only - - name: dclass_c2 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c2.str only - - name: event_counter - overwrite: true - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r1.str only - - name: dclass_c3 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c3.str only - - name: dclass_c1_str - 
overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c1 only - - name: dclass_c2_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c2 only - - name: dclass_r1_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r1 only - - name: dclass_r2 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r2.str only - - name: dclass_c3_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c3 only - - name: dclass_r3 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r3.str only - - name: dclass_r2_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r2 only - - name: dclass_r3_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r3 only - - name: identity - overwrite: true - type: group - fields: - - name: auth_method - overwrite: true - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - overwrite: true - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - overwrite: true - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - overwrite: true - type: keyword - description: This key is used to capture the type of logon method used. 
- - name: profile - overwrite: true - type: keyword - description: This key is used to capture the user profile - - name: accesses - overwrite: true - type: keyword - description: This key is used to capture actual privileges used in accessing - an object - - name: realm - overwrite: true - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - overwrite: true - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that - indicates a Source dn - - name: org - overwrite: true - type: keyword - description: This key captures the User organization - - name: dn_dst - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that - indicates a Destination dn - - name: firstname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: lastname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: user_dept - overwrite: true - type: keyword - description: User's Department Names only - - name: user_sid_src - overwrite: true - type: keyword - description: This key captures Source User Session ID - - name: federated_sp - overwrite: true - type: keyword - description: This key is the Federated Service Provider. This is the application - requesting authentication. - - name: federated_idp - overwrite: true - type: keyword - description: This key is the federated Identity Provider. This is the server - providing the authentication. - - name: logon_type_desc - overwrite: true - type: keyword - description: This key is used to capture the textual description of an integer - logon type as stored in the meta key 'logon.type'. 
- - name: middlename - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: password - overwrite: true - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - overwrite: true - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - overwrite: true - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ - t have a clear query or response context" - - name: ldap_query - overwrite: true - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - overwrite: true - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - overwrite: true - type: keyword - description: This is used to capture username the process or service is running - as, the author of the task - - name: service_account - overwrite: true - type: keyword - description: This key is a windows specific key, used for capturing name of - the account a service (referenced in the event) is running under. Legacy Usage - - name: email - overwrite: true - type: group - fields: - - name: email_dst - overwrite: true - type: keyword - description: This key is used to capture the Destination email address only, - when the destination context is not clear use email - - name: email_src - overwrite: true - type: keyword - description: This key is used to capture the source email address only, when - the source context is not clear use email - - name: subject - overwrite: true - type: keyword - description: This key is used to capture the subject string from an Email only. 
- - name: email - overwrite: true - type: keyword - description: This key is used to capture a generic email address where the source - or destination context is not clear - - name: trans_from - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: file - overwrite: true - type: group - fields: - - name: privilege - overwrite: true - type: keyword - description: Deprecated, use permissions - - name: attachment - overwrite: true - type: keyword - description: This key captures the attachment file name - - name: filesystem - overwrite: true - type: keyword - - name: binary - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: filename_dst - overwrite: true - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - overwrite: true - type: keyword - description: This is used to capture name of the parent filename, the file which - performed the action - - name: filename_tmp - overwrite: true - type: keyword - - name: directory_dst - overwrite: true - type: keyword - description: This key is used to capture the directory of the target process - or file - - name: directory_src - overwrite: true - type: keyword - description: This key is used to capture the directory of the source process - or file - - name: file_entropy - overwrite: true - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - overwrite: true - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - overwrite: true - type: keyword - description: This is used to capture name of the task - - name: web - overwrite: true - type: group - fields: - - name: fqdn - overwrite: true - type: keyword - description: Fully Qualified Domain Names - - 
name: web_cookie - overwrite: true - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - overwrite: true - type: keyword - - name: reputation_num - overwrite: true - type: double - description: Reputation Number of an entity. Typically used for Web Domains - - name: web_ref_domain - overwrite: true - type: keyword - description: Web referer's domain - - name: web_ref_query - overwrite: true - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - overwrite: true - type: keyword - - name: web_ref_page - overwrite: true - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - overwrite: true - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - overwrite: true - type: keyword - - name: cn_rpackets - overwrite: true - type: keyword - - name: urlpage - overwrite: true - type: keyword - - name: urlroot - overwrite: true - type: keyword - - name: p_url - overwrite: true - type: keyword - - name: p_user_agent - overwrite: true - type: keyword - - name: p_web_cookie - overwrite: true - type: keyword - - name: p_web_method - overwrite: true - type: keyword - - name: p_web_referer - overwrite: true - type: keyword - - name: web_extension_tmp - overwrite: true - type: keyword - - name: web_page - overwrite: true - type: keyword - - name: threat - overwrite: true - type: group - fields: - - name: threat_category - overwrite: true - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of - alert - - name: threat_desc - overwrite: true - type: keyword - description: This key is used to capture the threat description from the session - directly or inferred - - name: alert - overwrite: true - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - overwrite: true - type: keyword - description: This key is used to 
capture source of the threat - - name: crypto - overwrite: true - type: group - fields: - - name: crypto - overwrite: true - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key - only - - name: cipher_src - overwrite: true - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - overwrite: true - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - overwrite: true - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - overwrite: true - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - overwrite: true - type: keyword - description: IKE negotiation phase. - - name: scheme - overwrite: true - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - overwrite: true - type: keyword - description: "This key is for Encryption peer\u2019s identity" - - name: sig_type - overwrite: true - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - overwrite: true - type: keyword - - name: cert_host_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: cert_error - overwrite: true - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - overwrite: true - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - overwrite: true - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - overwrite: true - type: keyword - description: Deprecated, use version - - name: d_certauth - overwrite: true - type: keyword - - name: s_certauth - overwrite: true - type: keyword - - name: ike_cookie1 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - - name: ike_cookie2 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - - name: cert_checksum - overwrite: true - type: keyword - - name: cert_host_cat - overwrite: true - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - overwrite: true - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - overwrite: true - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - overwrite: true - type: keyword - description: Deprecated, use version - - name: cert_keysize - overwrite: true - type: keyword - - name: cert_username - overwrite: true - type: keyword - - name: https_insact - overwrite: true - type: keyword - - name: https_valid - overwrite: true - type: keyword - - name: cert_ca - overwrite: true - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - overwrite: true - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - overwrite: true - type: group - fields: - - name: wlan_ssid - overwrite: true - type: keyword - description: This key is 
used to capture the ssid of a Wireless Session - - name: access_point - overwrite: true - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - overwrite: true - type: long - description: This is used to capture the channel names - - name: wlan_name - overwrite: true - type: keyword - description: This key captures either WLAN number/name - - name: storage - overwrite: true - type: group - fields: - - name: disk_volume - overwrite: true - type: keyword - description: A unique name assigned to logical units (volumes) within a physical - disk - - name: lun - overwrite: true - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - overwrite: true - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - overwrite: true - type: group - fields: - - name: org_dst - overwrite: true - type: keyword - description: This is used to capture the destination organization based on the - GEOPIP Maxmind database. - - name: org_src - overwrite: true - type: keyword - description: This is used to capture the source organization based on the GEOPIP - Maxmind database. 
- - name: healthcare - overwrite: true - type: group - fields: - - name: patient_fname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_id - overwrite: true - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_mname - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: endpoint - overwrite: true - type: group - fields: - - name: host_state - overwrite: true - type: keyword - description: This key is used to capture the current state of the machine, such - as blacklisted, infected, firewall - disabled and so on - - name: registry_key - overwrite: true - type: keyword - description: This key captures the path to the registry key - - name: registry_value - overwrite: true - type: keyword - description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/config/input.yml b/x-pack/filebeat/module/barracuda/spamfirewall/config/input.yml deleted file mode 100644 index af85938cf9c..00000000000 --- a/x-pack/filebeat/module/barracuda/spamfirewall/config/input.yml +++ /dev/null 
@@ -1,87 +0,0 @@
-{{ if eq .input "file" }}
-
-type: log
-paths:
- {{ range $i, $path := .paths }}
-- {{$path}}
- {{ end }}
-exclude_files: [".gz$"]
-
-{{ else }}
-
-type: {{.input}}
-host: "{{.syslog_host}}:{{.syslog_port}}"
-
-{{ end }}
-
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
-
-fields_under_root: true
-fields:
- observer:
- vendor: "Barracuda"
- product: "Spam"
- type: "Anti-Virus"
-
-processors:
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{.rsa_fields}}
- tz_offset: {{.tz_offset}}
- keep_raw: {{.keep_raw_fields}}
- debug: {{.debug}}
- files:
- - ${path.home}/module/barracuda/spamfirewall/config/liblogparser.js
- - ${path.home}/module/barracuda/spamfirewall/config/pipeline.js
-{{ if .community_id }}
-- community_id: ~
-{{ end }}
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: dns.question.name
- target_field: dns.question.registered_domain
- target_subdomain_field: dns.question.subdomain
- target_etld_field: dns.question.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: client.domain
- target_field: client.registered_domain
- target_subdomain_field: client.subdomain
- target_etld_field: client.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: server.domain
- target_field: server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/config/liblogparser.js b/x-pack/filebeat/module/barracuda/spamfirewall/config/liblogparser.js
deleted file mode 100644
index b35eaa3ddce..00000000000
--- a/x-pack/filebeat/module/barracuda/spamfirewall/config/liblogparser.js
+++ /dev/null
@@ -1,2514 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -/* jshint -W014,-W016,-W097,-W116 */ - -var processor = require("processor"); -var console = require("console"); - -var FLAG_FIELD = "log.flags"; -var FIELDS_OBJECT = "nwparser"; -var FIELDS_PREFIX = FIELDS_OBJECT + "."; - -var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true -}; - -var saved_flags = null; -var debug; -var map_ecs; -var map_rsa; -var keep_raw; -var device; -var tz_offset; -var strip_priority; - -// Register params from configuration. -function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); -} - -function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } -} - -function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); -} - -function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); -} - -function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; -} - -function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; -} - -function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; -} - -var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); -})(); - -function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; -} - -function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } -} - -function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; -} - -function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; -} - -function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; -} - -function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; -} - -var start; - -function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); -} - -function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); -} - -function constant(value) { - return function (evt) { - return value; - }; -} - -function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; -} - -function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; -} - -// TODO: Implement -function DIRCHK(args) { - unimplemented("DIRCHK"); -} - -function strictToInt(str) { - return str * 1; -} - -function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - var result; - switch 
(args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; -} - -var quoteChars = "\"'`"; -function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; -} - -function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; -} - -function nop(evt) { -} - -function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); -} - -function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); -} - -function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; -} - -function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); -} - -function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; -} - -function setc(dst, value) { - return function (evt) { - evt.Put(FIELDS_PREFIX + dst, value); - }; 
-} - -function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; -} - -function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; -} - -function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; -} - -function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; -} - -// Make two-digit dates 00-69 interpreted as 2000-2069 -// and dates 70-99 translated to 1970-1999. -var twoDigitYearEpoch = 70; -var twoDigitYearCentury = 2000; - -// This is to accept dates up to 2 days in the future, only used when -// no year is specified in a date. 2 days should be enough to account for -// time differences between systems and different tz offsets. -var maxFutureDelta = 2*24*60*60*1000; - -// DateContainer stores date fields and then converts those fields into -// a Date. Necessary because building a Date using its set() methods gives -// different results depending on the order of components. -function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; -} - -DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } -} - -function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; -} - -function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; -} - -function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; -} - -var uA = 60 * 60 * 24; -var uD = 60 * 60 * 24; -var uF = 60 * 60; -var uG = 60 * 60 * 24 * 30; -var uH = 60 * 60; -var uI = 60 * 60; -var uJ = 60 * 60 * 24; -var uM = 60 * 60 * 24 * 30; -var uN = 60 * 60; -var uO = 1; -var uS = 1; -var uT = 60; -var uU = 60; -var uc = dc; - -function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; -} - -function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 5], - "dec": [11, 4], 
-}; - -// var dC = undefined; -var dR = dateMonthName(true); -var dB = dateMonthName(false); -var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); -var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); -var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); -var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); -var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); -var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 -var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); -var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); -var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); -var dP = parseAMPM; // AM|PM -var dQ = parseAMPM; // A.M.|P.M -var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); -var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); -var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); -var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); -var dZ = parseHMS; -var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - -// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. -// Only works if this modifier appears after the hour has been read from logs -// which is always the case in the 300 devices. 
-function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; -} - -function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); -} - -function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; -} - -function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; -} - -function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; -} - -function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; -} - -function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; -} - -// Short month name (Jan..Dec). -function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; -} - -function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; -} - -// The following regular expression for parsing URLs from: -// https://github.com/wizard04wsu/URI_Parsing -// -// The MIT License (MIT) -// -// Copyright (c) 2014 Andrew Harrison -// -// Permission is hereby granted, free of charge, to any person obtaining a copy of -// this software and associated documentation files (the "Software"), to deal in -// the Software without restriction, including without limitation the rights to -// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -// the Software, and to permit persons to whom the Software is furnished to do so, -// subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
-var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - -var uriScheme = 1; -var uriDomain = 5; -var uriPort = 6; -var uriPath = 7; -var uriPathAlt = 9; -var uriQuery = 11; - -function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); -} - -function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; -} - -function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; -} - -var extFromPage = /\.[^.]+$/; -function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } -} - -function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); -} - -function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); -} - -var pageFromPathRegExp = /\/([^\/]+)$/; -var pageName = 1; - -function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; -} - -function page(dst, src) { - return url_wrapper(dst, src, extract_page); -} - -function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; -} - -function path(dst, src) { - return url_wrapper(dst, src, extract_path); -} - -// Map common schemes to their default port. -// port has to be a string (will be converted at a later stage). 
-var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", -}; - -function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } -} - -function port(dst, src) { - return url_wrapper(dst, src, extract_port); -} - -function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; -} - -function query(dst, src) { - return url_wrapper(dst, src, extract_query); -} - -function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } -} - -function root(dst, src) { - return url_wrapper(dst, src, extract_root); -} - -function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } -} - -var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, -}; - -var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, 
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, -}; - -function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } -} - -// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. -var maxSafeInt = Math.pow(2, 53) - 1; -var minSafeInt = -maxSafeInt; - -function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; -} - -function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); -} - -var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; -var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - -function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; -} - -function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; -} - -function to_double(value) { - return parseFloat(value); -} - -function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; -} - -function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; -} - -function fld_set(dst, value) { - dst[this.field] = { v: value }; -} - -function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } -} - -function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } -} - -var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true -}; - -function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } -} - -function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } -} - -function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); -} - -var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, -]; - -function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - tzOffset = 
evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{resultcode->} %{info}"); - -var dup2 = match_copy("MESSAGE#0:000001/1_1", "nwparser.p0", "info"); - -var dup3 = setc("eventcategory","1207010201"); - -var dup4 = setf("msg","$MSG"); - -var dup5 = setc("direction","inbound"); - -var dup6 = date_time({ - dest: "starttime", - args: ["fld1"], - fmts: [ - [dX], - ], -}); - -var dup7 = date_time({ - dest: "endtime", - args: ["fld2"], - fmts: [ - [dX], - ], -}); - -var dup8 = field("fld3"); - -var dup9 = field("resultcode"); - -var dup10 = field("disposition"); - -var dup11 = field("event_cat"); - -var dup12 = setc("action"," RECV"); - -var dup13 = setc("eventcategory","1207010000"); - -var dup14 = setc("direction","outbound"); - -var dup15 = match("MESSAGE#13:000003/1_0", "nwparser.p0", "SZ:%{fld9->} SUBJ:%{subject}"); - -var dup16 = setc("eventcategory","1207040000"); - -var dup17 = setc("eventcategory","1701020000"); - -var dup18 = setc("ec_subject","User"); - -var dup19 = setc("ec_activity","Logon"); - -var dup20 = setc("ec_theme","Authentication"); - -var dup21 = constant("Deferred Message"); - -var dup22 = constant("1207010100"); - -var dup23 = constant("1207040200"); - -var dup24 = constant("1207040100"); - -var dup25 = constant("1207010000"); - -var dup26 = constant("1207000000"); - -var dup27 = linear_select([ - dup1, - dup2, -]); - -var dup28 = lookup({ - dest: "nwparser.disposition", - map: map_getActionName, - key: dup8, -}); - -var dup29 = lookup({ - dest: "nwparser.result", - map: map_getReasonName, - key: dup9, -}); - -var dup30 = lookup({ - dest: "nwparser.event_cat", - map: map_getEventLegacyCategory, - key: dup10, -}); - -var dup31 = lookup({ - dest: "nwparser.event_cat_name", - map: map_getEventLegacyCategoryName, - key: dup11, -}); - -var dup32 = lookup({ - dest: "nwparser.disposition", - map: map_getActionNameForSend, - key: dup8, -}); - -var dup33 = linear_select([ - dup15, - dup2, -]); - -var hdr1 = 
match("HEADER#0:0001", "message", "%{messageid}[%{hfld14}]: %{p0}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant("["), - field("hfld14"), - constant("]: "), - field("p0"), - ], - }), -])); - -var hdr2 = match("HEADER#1:0002", "message", "%{hfld1}/%{messageid}[%{hfld14}]: %{p0}", processor_chain([ - setc("header_id","0002"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant("/"), - field("messageid"), - constant("["), - field("hfld14"), - constant("]: "), - field("p0"), - ], - }), -])); - -var hdr3 = match("HEADER#2:0003", "message", "%{messageid}: %{p0}", processor_chain([ - setc("header_id","0003"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(": "), - field("p0"), - ], - }), -])); - -var select1 = linear_select([ - hdr1, - hdr2, - hdr3, -]); - -var part1 = match("MESSAGE#0:000001/0", "nwparser.payload", "inbound/pass1[%{fld14}]: %{username}[%{saddr}] %{id->} %{fld1->} %{fld2->} RECV %{from->} %{to->} %{p0}"); - -var all1 = all_match({ - processors: [ - part1, - dup27, - ], - on_success: processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup28, - dup29, - dup30, - dup31, - dup12, - ]), -}); - -var msg1 = msg("000001", all1); - -var part2 = match("MESSAGE#1:inbound/pass1/0", "nwparser.payload", "inbound/pass1: %{web_domain}[%{saddr}] %{id->} %{fld1->} %{fld2->} SCAN %{fld4->} %{from->} %{to->} %{fld5->} %{fld3->} %{resultcode->} %{p0}"); - -var part3 = match("MESSAGE#1:inbound/pass1/1_0", "nwparser.p0", "%{fld6->} SZ:%{fld8->} SUBJ:%{subject}"); - -var part4 = match("MESSAGE#1:inbound/pass1/1_1", "nwparser.p0", "%{domain->} %{info}"); - -var select2 = linear_select([ - part3, - part4, -]); - -var all2 = all_match({ - processors: [ - part2, - select2, - ], - on_success: processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup28, - dup29, - dup30, - dup31, - 
setc("action"," SCAN"), - ]), -}); - -var msg2 = msg("inbound/pass1", all2); - -var part5 = match("MESSAGE#2:inbound/pass1:01/0", "nwparser.payload", "inbound/pass1:%{web_domain}[%{saddr}] %{id->} %{fld1->} %{fld2->} RECV %{from->} %{to->} %{p0}"); - -var all3 = all_match({ - processors: [ - part5, - dup27, - ], - on_success: processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup28, - dup29, - dup30, - dup31, - dup12, - ]), -}); - -var msg3 = msg("inbound/pass1:01", all3); - -var select3 = linear_select([ - msg1, - msg2, - msg3, -]); - -var part6 = match("MESSAGE#3:000002/0", "nwparser.payload", "outbound/smtp[%{fld14}]: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{p0}"); - -var part7 = match("MESSAGE#3:000002/1_0", "nwparser.p0", "%{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{info}"); - -var select4 = linear_select([ - part7, - dup2, -]); - -var all4 = all_match({ - processors: [ - part6, - select4, - ], - on_success: processor_chain([ - dup13, - dup4, - dup14, - dup32, - dup30, - dup31, - ]), -}); - -var msg4 = msg("000002", all4); - -var part8 = match("MESSAGE#4:outbound/smtp/0", "nwparser.payload", "outbound/smtp: %{saddr->} %{fld5->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{p0}"); - -var part9 = match("MESSAGE#4:outbound/smtp/1_0", "nwparser.p0", "%{fld8->} \u003c\u003c%{from}> %{p0}"); - -var part10 = match("MESSAGE#4:outbound/smtp/1_1", "nwparser.p0", "\u003c\u003c%{from}>%{p0}"); - -var select5 = linear_select([ - part9, - part10, -]); - -var part11 = match("MESSAGE#4:outbound/smtp/2", "nwparser.p0", "%{} %{p0}"); - -var part12 = match("MESSAGE#4:outbound/smtp/3_0", "nwparser.p0", "[InternalId=%{id}, Hostname=%{hostname}] %{event_description->} #to#%{ddomain}"); - -var part13 = match("MESSAGE#4:outbound/smtp/3_1", "nwparser.p0", "[InternalId=%{id}] %{event_description->} #to#%{daddr}"); - -var part14 = match("MESSAGE#4:outbound/smtp/3_2", "nwparser.p0", "[InternalId=%{id}, 
Hostname=%{hostname}] %{info}"); - -var part15 = match("MESSAGE#4:outbound/smtp/3_3", "nwparser.p0", "%{event_description->} #to#%{ddomain}[%{daddr}]:%{dport}"); - -var part16 = match("MESSAGE#4:outbound/smtp/3_4", "nwparser.p0", "%{event_description->} #to#%{ddomain}"); - -var select6 = linear_select([ - part12, - part13, - part14, - part15, - part16, -]); - -var all5 = all_match({ - processors: [ - part8, - select5, - part11, - select6, - ], - on_success: processor_chain([ - dup13, - dup4, - dup14, - dup32, - dup30, - dup31, - ]), -}); - -var msg5 = msg("outbound/smtp", all5); - -var part17 = match("MESSAGE#5:000009/0", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{p0}"); - -var part18 = match("MESSAGE#5:000009/1_0", "nwparser.p0", "%{fld8->} ok%{p0}"); - -var part19 = match("MESSAGE#5:000009/1_1", "nwparser.p0", "ok%{p0}"); - -var select7 = linear_select([ - part18, - part19, -]); - -var part20 = match("MESSAGE#5:000009/2", "nwparser.p0", "%{fld9->} Message %{fld10->} accepted #to#%{ddomain}[%{daddr}]:%{dport}"); - -var all6 = all_match({ - processors: [ - part17, - select7, - part20, - ], - on_success: processor_chain([ - dup13, - dup4, - dup14, - dup32, - dup30, - dup31, - ]), -}); - -var msg6 = msg("000009", all6); - -var part21 = match("MESSAGE#6:outbound/smtp:01", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} Message accepted for delivery #to#%{ddomain}[%{daddr}]:%{dport}", processor_chain([ - dup13, - dup4, - dup14, - setc("result"," Message accepted for delivery"), - dup32, - dup30, - dup31, -])); - -var msg7 = msg("outbound/smtp:01", part21); - -var part22 = match("MESSAGE#7:outbound/smtp:02", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} conversation with %{fld5}[%{fld6}] timed out while sending 
%{fld7->} #to#%{ddomain}[%{daddr}]:%{dport}", processor_chain([ - dup13, - dup4, - dup14, - dup32, - dup30, - dup31, -])); - -var msg8 = msg("outbound/smtp:02", part22); - -var part23 = match("MESSAGE#8:000010/0", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{fld7->} %{p0}"); - -var part24 = match("MESSAGE#8:000010/1_0", "nwparser.p0", "Ok %{fld9->} %{fld10->} - gsmtp #to#%{p0}"); - -var part25 = match("MESSAGE#8:000010/1_1", "nwparser.p0", "Ok: queued as %{fld9->} #to#%{p0}"); - -var part26 = match("MESSAGE#8:000010/1_2", "nwparser.p0", "ok %{fld9->} #to#%{p0}"); - -var part27 = match("MESSAGE#8:000010/1_3", "nwparser.p0", "Ok (%{fld9}) #to#%{p0}"); - -var part28 = match("MESSAGE#8:000010/1_4", "nwparser.p0", "OK %{fld9->} #to#%{p0}"); - -var part29 = match("MESSAGE#8:000010/1_5", "nwparser.p0", "%{fld9->} #to#%{p0}"); - -var select8 = linear_select([ - part24, - part25, - part26, - part27, - part28, - part29, -]); - -var part30 = match_copy("MESSAGE#8:000010/2", "nwparser.p0", "daddr"); - -var all7 = all_match({ - processors: [ - part23, - select8, - part30, - ], - on_success: processor_chain([ - dup13, - dup4, - dup14, - dup32, - dup30, - dup31, - ]), -}); - -var msg9 = msg("000010", all7); - -var part31 = match("MESSAGE#9:000011", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} connect to %{ddomain}[%{daddr}]: %{event_description}", processor_chain([ - dup13, - dup4, - dup14, - dup32, - dup30, - dup31, -])); - -var msg10 = msg("000011", part31); - -var part32 = match("MESSAGE#10:000012", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{fld7->} [%{ddomain}]: %{event_description}", processor_chain([ - dup13, - dup4, - dup14, - dup32, - dup30, - dup31, -])); - -var msg11 = msg("000012", part32); - -var part33 = match("MESSAGE#11:000013", 
"nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{fld7->} \u003c\u003c%{from}>: %{event_description}", processor_chain([ - dup13, - dup4, - dup14, - dup32, - dup30, - dup31, -])); - -var msg12 = msg("000013", part33); - -var part34 = match("MESSAGE#12:000014", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{fld8->} %{event_description}", processor_chain([ - dup13, - dup4, - dup14, - dup32, - dup30, - dup31, -])); - -var msg13 = msg("000014", part34); - -var select9 = linear_select([ - msg4, - msg5, - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, - msg12, - msg13, -]); - -var part35 = match("MESSAGE#13:000003/0", "nwparser.payload", "scan[%{fld14}]: %{username}[%{saddr}] %{id->} %{fld1->} %{fld2->} %{action->} %{fld8->} %{from->} %{to->} %{fld4->} %{fld3->} %{resultcode->} %{fld7->} %{p0}"); - -var all8 = all_match({ - processors: [ - part35, - dup33, - ], - on_success: processor_chain([ - dup16, - dup4, - dup6, - dup7, - dup28, - dup29, - dup30, - dup31, - ]), -}); - -var msg14 = msg("000003", all8); - -var part36 = match("MESSAGE#14:scan/0", "nwparser.payload", "scan: %{web_domain}[%{saddr}] %{id->} %{fld1->} %{fld2->} %{action->} %{fld8->} %{from->} %{to->} %{fld4->} %{fld3->} %{resultcode->} %{fld7->} %{p0}"); - -var all9 = all_match({ - processors: [ - part36, - dup33, - ], - on_success: processor_chain([ - dup16, - dup4, - dup6, - dup7, - dup28, - dup29, - dup30, - dup31, - ]), -}); - -var msg15 = msg("scan", all9); - -var select10 = linear_select([ - msg14, - msg15, -]); - -var part37 = match("MESSAGE#15:000004", "nwparser.payload", "web: Ret Policy Summary (Del:%{fld1->} Kept:%{fld2})", processor_chain([ - dup17, - dup4, -])); - -var msg16 = msg("000004", part37); - -var part38 = match("MESSAGE#16:000005", "nwparser.payload", "web: [%{saddr}] FAILED_LOGIN (%{username})", 
processor_chain([ - setc("eventcategory","1401030000"), - dup18, - dup19, - dup20, - setc("ec_outcome","Failure"), - dup4, - setc("action","FAILED_LOGIN"), -])); - -var msg17 = msg("000005", part38); - -var part39 = match("MESSAGE#17:000006", "nwparser.payload", "web: Retention violating accounts: %{fld1->} total", processor_chain([ - setc("eventcategory","1605000000"), - dup4, -])); - -var msg18 = msg("000006", part39); - -var part40 = match("MESSAGE#18:000007", "nwparser.payload", "web: [%{saddr}] global CHANGE %{category->} (%{info})", processor_chain([ - dup17, - dup4, - setc("action","CHANGE"), -])); - -var msg19 = msg("000007", part40); - -var part41 = match("MESSAGE#19:000029", "nwparser.payload", "web: [%{saddr}] LOGOUT (%{username})", processor_chain([ - setc("eventcategory","1401070000"), - dup18, - setc("ec_activity","Logoff"), - dup20, - dup4, - setc("action","LOGOUT"), -])); - -var msg20 = msg("000029", part41); - -var part42 = match("MESSAGE#20:000030", "nwparser.payload", "web: [%{saddr}] LOGIN (%{username})", processor_chain([ - setc("eventcategory","1401060000"), - dup18, - dup19, - dup20, - dup4, - setc("action","LOGIN"), -])); - -var msg21 = msg("000030", part42); - -var select11 = linear_select([ - msg16, - msg17, - msg18, - msg19, - msg20, - msg21, -]); - -var part43 = match("MESSAGE#21:000008", "nwparser.payload", "notify/smtp[%{fld14}]: %{saddr->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{bytes->} %{version->} %{from->} %{info}", processor_chain([ - dup13, - dup4, - dup32, - dup30, - dup31, -])); - -var msg22 = msg("000008", part43); - -var part44 = match("MESSAGE#22:reports", "nwparser.payload", "reports: REPORTS (%{process}) queued as %{fld1}", processor_chain([ - dup16, - dup4, - setc("event_description","report queued"), -])); - -var msg23 = msg("reports", part44); - -var chain1 = processor_chain([ - select1, - msgid_select({ - "inbound/pass1": select3, - "notify/smtp": msg22, - "outbound/smtp": select9, - 
"reports": msg23, - "scan": select10, - "web": select11, - }), -]); - -var part45 = match("MESSAGE#0:000001/1_0", "nwparser.p0", "%{fld3->} %{resultcode->} %{info}"); - -var part46 = match_copy("MESSAGE#0:000001/1_1", "nwparser.p0", "info"); - -var part47 = match("MESSAGE#13:000003/1_0", "nwparser.p0", "SZ:%{fld9->} SUBJ:%{subject}"); - -var select12 = linear_select([ - dup1, - dup2, -]); - -var select13 = linear_select([ - dup15, - dup2, -]); diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/ingest/pipeline.yml b/x-pack/filebeat/module/barracuda/spamfirewall/ingest/pipeline.yml deleted file mode 100644 index c4d00a79eb6..00000000000 --- a/x-pack/filebeat/module/barracuda/spamfirewall/ingest/pipeline.yml +++ /dev/null 
@@ -1,64 +0,0 @@ ---- -description: Pipeline for Barracuda Spam Firewall - -processors: - # ECS event.ingested - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - # User agent - - user_agent: - field: user_agent.original - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.hosts - value: '{{host.name}}' - allow_duplicates: false - if: ctx.host?.name != null && ctx.host?.name != '' -on_failure: - - append: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/manifest.yml b/x-pack/filebeat/module/barracuda/spamfirewall/manifest.yml deleted file mode 100644 index e487203382f..00000000000 --- a/x-pack/filebeat/module/barracuda/spamfirewall/manifest.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -module_version: "1.0" - -var: - - name: paths - - name: tags - default: ["barracuda.spamfirewall", "forwarded"] - - name: syslog_host - default: localhost - - name: syslog_port - default: 9540 - - name: input - default: udp - - name: community_id - default: true - - name: tz_offset - default: local - - name: rsa_fields - default: true - - name: keep_raw_fields - default: false - - name: debug - default: false - -ingest_pipeline: ingest/pipeline.yml -input: config/input.yml - -requires.processors: -- name: geoip - plugin: ingest-geoip -- name: user_agent - plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log b/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log deleted file mode 100644 index ce95de02d11..00000000000 --- a/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log +++ /dev/null 
@@ -1,100 +0,0 @@ -notify/smtp[avolupt]: 10.224.15.48 nto sse accept tur 3 illumqui 1090 1.2364 ivelitse ritin -inbound/pass1: etdo[10.173.228.223] ntsunti 1455282753 1455282753 SCAN nseq itinvol psa umq 0 31 psaq SZ:cer SUBJ:reveri -outbound/smtp: 10.104.162.169 eosquir orsi nulapari allow vol 4 uidolor nibus mipsumq <: enatus -notify/smtp[iatu]: 10.57.70.73 dolo meumfug deny roinBCS 2 com 1060 1.2548 byC tinculp -outbound/smtp: 10.236.42.236 tconsec nsequat taev block untutl 1 llu uptassi tamremap tur -reports: REPORTS (enatuse.exe) queued as magn -inbound/pass1[sit]: avol[10.162.151.94] laboreet 1461457525 1461457525 RECV aquaeabi giatq quid -inbound/pass1: tempor[10.138.137.28] eip 1462692479 1462692479 SCAN lupta iusmodt doloreeu pori 7 8 ect SZ:reetdolo SUBJ:nrepreh -scan: ari[10.108.180.105] nsequat 1463927433 1463927433 block llam llamcorp ari eataevit 4 38 uovol dmi -inbound/pass1: [10.206.159.177] ididu 1465162388 1465162388 RECV ciunt turQuisa 10 74 lit -inbound/pass1[umdo]: sed[10.206.224.241] reetdolo 1466397342 1466397342 RECV olupta turveli 4 40 tatno -inbound/pass1: aveniam[10.82.201.113] essequ 1467632296 1467632296 SCAN taevi ender snulapar aedic 5 13 iumto SZ:aboreetd SUBJ:sun -reports: REPORTS (tem.exe) queued as ons -outbound/smtp: 10.110.109.5 ittenbyC aperi lor accept ipi 4 paqu eseru remeum #to#10.18.165.35 -scan: dolore[10.195.109.134] eddoei 1471337159 1471337159 deny etM nimadmin ditautfu piscing 6 74 ostr rudexerc -scan[colabor]: iusmodt[10.21.92.218] lorumw 1472572113 1472572113 accept llitani inima tlabo suntexp 4 45 stiae SZ:nofdeF SUBJ:sunt -reports: REPORTS (tat.exe) queued as tion -reports: REPORTS (emp.exe) queued as aperia -web: Ret Policy Summary (Del:eritquii Kept:dexeac) -web: [10.45.25.68] LOGOUT (rehender) -web: Ret Policy Summary (Del:hil Kept:atquovo) -notify/smtp[tatn]: 10.18.109.121 ents pida allow idolor 1 emoeni 269 1.2857 utlabore ecillu -web: [10.19.194.101] global CHANGE orinrepr (conse) -reports: REPORTS 
(lumqui.exe) queued as itinvo -reports: REPORTS (usmodt.exe) queued as siar -notify/smtp[sci]: 10.116.193.182 snostrud nama allow data 1 ationul 2530 1.5361 commod adol -inbound/pass1: hitect[10.198.6.166] modocon 1486156610 1486156610 SCAN que atevel nsecte itame 0 38 lit5929.test quamnih -outbound/smtp: 10.198.19.111 aquaeabi lita adeseru accept amc 4 amest corp modtemp <: iae -inbound/pass1: equat[10.77.137.72] ione 1488626519 1488626519 SCAN ihilmole eriamea amre rsita 8 56 uptat3156.www5.test tmo -inbound/pass1: vitaedi[10.128.114.77] temqu 1489861473 1489861473 SCAN edol colab ommodico quatD 4 59 neav6028.internal.domain agnid -outbound/smtp: 10.181.80.139 hitecto ents liquide allow tenatu 1 boN eprehend aevit aboN -inbound/pass1[ris]: uamqu[10.138.252.123] quioffi 1492331381 1492331381 RECV uptate ncidid quaturve -reports: REPORTS (aera.exe) queued as ate -inbound/pass1: [10.153.108.27] uir 1494801290 1494801290 RECV dol essecil citation -outbound/smtp: 10.120.167.239 gnido ratvolu olup deny nsecte 3 eveli eroi dtemp aliquide -inbound/pass1[ris]: nisi[10.105.88.20] ecte 1497271198 1497271198 RECV tinvolu iurer iciadese -scan: olupta[10.98.92.244] idolor 1498506153 1498506153 deny uta llumdolo nre ercitat 7 38 riosamn SZ:ept SUBJ:iumtotam -scan[sperna]: sintocc[10.185.107.75] tDuisaut 1499741107 1499741107 allow tate imvenia spi stquido 8 62 ptas SZ:pta SUBJ:tetu -reports: REPORTS (nevo.exe) queued as ide -notify/smtp[etcons]: 10.80.214.206 ate uiac accept officiad 4 quinesc 6218 1.5651 tur roi -notify/smtp[nof]: 10.48.34.226 ccaec ten allow isc 2 ntN 6179 1.2364 tateve itinvol -reports: REPORTS (etconsec.exe) queued as ios -inbound/pass1: tquov[10.211.93.62] mod 1505915878 1505915878 SCAN hilm ataevi com tnulapa 5 57 tiumt SZ:reetdolo SUBJ:norum -reports: REPORTS (uidol.exe) queued as mporin -scan: qui[10.199.182.123] entor 1508385787 1508385787 accept Sedutp utp ema rsitv 0 69 ntiumt iquipe -reports: REPORTS (tvolupt.exe) queued as eufugi -scan[pid]: 
illoin[10.130.38.118] uamni 1510855695 1510855695 block gnamal metMalo ntexplic archite 1 56 untu asi -inbound/pass1: [10.153.152.219] eumiu 1512090649 1512090649 RECV orumSe boree intoc -web: Retention violating accounts: rnatur total -reports: REPORTS (isisten.exe) queued as cusant -reports: REPORTS (naal.exe) queued as borios -outbound/smtp: 10.167.227.44 tali lillum cusant deny ender 2 oles edic seq tutlab -notify/smtp[atevelit]: 10.56.136.27 aperia ccaeca deny ttenby 1 amc 5163 1.375 orumSe ratv -web: [10.194.90.130] FAILED_LOGIN (siut) -inbound/pass1: [10.103.69.44] velitess 1520735329 1520735329 RECV naali uunturm temUte -inbound/pass1: aveni[10.29.155.171] uptatema 1521970284 1521970284 SCAN oeni tdol sit tiaec 6 23 oremagna3521.mail.home asiar -inbound/pass1: [10.145.193.93] nonp 1523205238 1523205238 RECV labo ulapar aboreetd -inbound/pass1[ama]: uatur[10.143.79.226] exeacom 1524440192 1524440192 RECV roidents tem dol -web: [10.30.25.84] FAILED_LOGIN (utlab) -inbound/pass1: [10.141.225.182] bor 1526910101 1526910101 RECV rauto ationev 8 57 uaUten -reports: REPORTS (dun.exe) queued as reprehe -web: [10.90.9.88] global CHANGE umexerc (oremipsu) -reports: REPORTS (amco.exe) queued as ssecillu -reports: REPORTS (olo.exe) queued as psumqu -notify/smtp[rationev]: 10.226.20.199 tatem untutlab allow eveli 2 lillum 7809 1.2000 uisaute imide -web: [10.134.140.191] global CHANGE nte (mvel) -outbound/smtp[conse]: 10.252.40.172 nimadmin isiu licabo cancel etdolor 3 dic cola amcor -scan[xea]: ites[10.126.26.131] nisiut 1536789735 1536789735 accept teturad perspici itation sequatD 5 24 isciv rroqu -scan[rExc]: iusmo[10.187.210.173] reetd 1538024689 1538024689 accept ulpa sitam rad loi 2 15 Nequepor SZ:eirure SUBJ:deserun -reports: REPORTS (orroq.exe) queued as vitaedic -reports: REPORTS (orem.exe) queued as rcit -scan[untincul]: ssecil[10.180.147.129] atise 1541729552 1541729552 allow umetMalo oluptas emvele isnost 2 5 ido emqu -notify/smtp[exeaco]: 10.99.17.210 olorsit 
tore cancel illu 4 turadip 688 1.7484 boreetdo undeom -notify/smtp[uov]: 10.230.46.162 sBono loremqu accept quunt 3 siuta 1107 1.2607 dquia temporin -scan[nimveni]: idi[10.96.135.47] rum 1545434414 1545434414 accept eporroq ulla iqu oin 1 55 cingel modocon -reports: REPORTS (atv.exe) queued as onu -scan: obeataev[10.139.127.232] nsec 1547904323 1547904323 cancel maperi agnaaliq tlaboree norumet 7 48 tin SZ:fugitse SUBJ:imad -inbound/pass1: inv[10.163.209.70] atu 1549139277 1549139277 SCAN lloin remipsum tempor citatio 0 57 mveniamq SZ:taedict SUBJ:edquian -reports: REPORTS (mipsamvo.exe) queued as eiusmod -scan[avolu]: Except[10.191.7.121] umetMal 1551609186 1551609186 accept sciun metcons itasper uae 2 21 uia iciad -inbound/pass1: [10.157.196.101] gnaa 1552844140 1552844140 RECV mod doei cipitl -web: [10.171.72.5] global CHANGE eprehend (asnu) -scan: eritatis[10.209.184.60] mquisn 1555314049 1555314049 cancel uto emUte molestia quir 4 18 emip SZ:ver SUBJ:erc -inbound/pass1[dolorsit]: archite[10.143.228.97] isqua 1556549003 1556549003 RECV uta emo itq -reports: REPORTS (ntexpl.exe) queued as dunt -scan: plic[10.17.87.79] tetur 1559018911 1559018911 block amali ate idolor ratvolu 7 64 onse olorem -web: [10.163.18.29] FAILED_LOGIN (nim) -web: Retention violating accounts: erspi total -reports: REPORTS (billoi.exe) queued as moles -scan: taedi[10.17.98.243] etconsec 1563958728 1563958728 cancel ill mporinc onsectet idolo 8 55 docon SZ:mdolore SUBJ:eosquira -reports: REPORTS (apariatu.exe) queued as lorsita -reports: REPORTS (ever.exe) queued as tali -inbound/pass1[mipsumqu]: tatio[10.181.247.224] onnu 1567663591 1567663591 RECV olorema aquiof ende -scan[ugitse]: quiineav[10.235.116.121] ventore 1568898545 1568898545 deny obea emp agnaaliq est 0 73 aev SZ:inrepr SUBJ:mol -outbound/smtp: 10.178.30.158 llit tenimad sitametc allow onproide 2 cillumd riosa Ok: queued as tNe #to#10.1.6.115 -notify/smtp[rautod]: 10.124.32.120 lapar ritati accept qui 3 mullam 4965 1.4254 
meaque uid -reports: REPORTS (ataevita.exe) queued as oremqu -reports: REPORTS (velitsed.exe) queued as magnaali -inbound/pass1: der[10.77.182.191] enbyCi 1575073317 1575073317 SCAN quameiu diduntu eiusmod itation 8 79 piciatis2460.api.host iusmodt -scan: iame[10.193.110.71] tiumd 1576308271 1576308271 accept loinve tanimid isnostru nofdeFi 3 5 saqu remips diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json b/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json deleted file mode 100644 index 626fd3a72e2..00000000000 --- a/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json +++ /dev/null 
@@ -1,3207 +0,0 @@ -[ - { - "event.action": "accept", - "event.code": "notify/smtp", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "notify/smtp[avolupt]: 10.224.15.48 nto sse accept tur 3 illumqui 1090 1.2364 ivelitse ritin", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 0, - "network.bytes": 1090, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "observer.version": "1.2364", - "related.ip": [ - "10.224.15.48" - ], - "rsa.db.index": "ritin", - "rsa.email.email_src": "ivelitse", - "rsa.internal.messageid": "notify/smtp", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.log_session_id": "illumqui", - "rsa.misc.version": "1.2364", - "service.type": "barracuda", - "source.ip": "10.224.15.48", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.action": " SCAN", - "event.code": "ntsunti", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "inbound/pass1: etdo[10.173.228.223] ntsunti 1455282753 1455282753 SCAN nseq itinvol psa umq 0 31 psaq SZ:cer SUBJ:reveri", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 92, - "network.direction": "inbound", - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.hosts": [ - "etdo" - ], - "related.ip": [ - "10.173.228.223" - ], - "rsa.email.email_dst": "psa", - "rsa.email.email_src": "itinvol", - "rsa.email.subject": "reveri", - "rsa.internal.messageid": "inbound/pass1", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - " SCAN" - ], - "rsa.misc.disposition": "Allowed Message", - "rsa.misc.reference_id": "ntsunti", - "rsa.misc.result": "Score", - "rsa.misc.result_code": "31", - "rsa.time.endtime": "2016-02-12T13:12:33.000Z", - "rsa.time.starttime": "2016-02-12T13:12:33.000Z", - 
"service.type": "barracuda", - "source.ip": "10.173.228.223", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ], - "url.domain": "etdo" - }, - { - "event.action": "allow", - "event.code": "eosquir", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "outbound/smtp: 10.104.162.169 eosquir orsi nulapari allow vol 4 uidolor nibus mipsumq <: enatus", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 213, - "network.direction": "outbound", - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.ip": [ - "10.104.162.169" - ], - "rsa.email.email_src": "gnaali", - "rsa.internal.event_desc": "enatus", - "rsa.internal.messageid": "outbound/smtp", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.disposition": "Expired Message", - "rsa.misc.log_session_id": "uidolor", - "rsa.misc.reference_id": "eosquir", - "rsa.misc.result_code": "nibus", - "service.type": "barracuda", - "source.ip": "10.104.162.169", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.action": "deny", - "event.code": "notify/smtp", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "notify/smtp[iatu]: 10.57.70.73 dolo meumfug deny roinBCS 2 com 1060 1.2548 byC tinculp", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 317, - "network.bytes": 1060, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "observer.version": "1.2548", - "related.ip": [ - "10.57.70.73" - ], - "rsa.db.index": "tinculp", - "rsa.email.email_src": "byC", - "rsa.internal.messageid": "notify/smtp", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.disposition": "Rejected 
Message", - "rsa.misc.log_session_id": "com", - "rsa.misc.version": "1.2548", - "service.type": "barracuda", - "source.ip": "10.57.70.73", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.action": "block", - "event.code": "tconsec", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "outbound/smtp: 10.236.42.236 tconsec nsequat taev block untutl 1 llu uptassi tamremap tur", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 404, - "network.direction": "outbound", - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.ip": [ - "10.236.42.236" - ], - "rsa.internal.event_desc": "tur", - "rsa.internal.messageid": "outbound/smtp", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.disposition": "Delivered Message", - "rsa.misc.log_session_id": "llu", - "rsa.misc.reference_id": "tconsec", - "rsa.misc.result_code": "uptassi", - "service.type": "barracuda", - "source.ip": "10.236.42.236", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.code": "reports", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "reports: REPORTS (enatuse.exe) queued as magn", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 494, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "process.name": "enatuse.exe", - "rsa.internal.event_desc": "report queued", - "rsa.internal.messageid": "reports", - "service.type": "barracuda", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.action": " RECV", - "event.code": "laboreet", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "inbound/pass1[sit]: avol[10.162.151.94] laboreet 1461457525 1461457525 RECV 
aquaeabi giatq quid", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 540, - "network.direction": "inbound", - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.ip": [ - "10.162.151.94" - ], - "related.user": [ - "avol" - ], - "rsa.db.index": "quid", - "rsa.email.email_dst": "giatq", - "rsa.email.email_src": "aquaeabi", - "rsa.internal.messageid": "inbound/pass1", - "rsa.misc.action": [ - " RECV" - ], - "rsa.misc.reference_id": "laboreet", - "rsa.time.endtime": "2016-04-24T00:25:25.000Z", - "rsa.time.starttime": "2016-04-24T00:25:25.000Z", - "service.type": "barracuda", - "source.ip": "10.162.151.94", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ], - "user.name": "avol" - }, - { - "event.action": " SCAN", - "event.code": "eip", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "inbound/pass1: tempor[10.138.137.28] eip 1462692479 1462692479 SCAN lupta iusmodt doloreeu pori 7 8 ect SZ:reetdolo SUBJ:nrepreh", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 636, - "network.direction": "inbound", - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.hosts": [ - "tempor" - ], - "related.ip": [ - "10.138.137.28" - ], - "rsa.email.email_dst": "doloreeu", - "rsa.email.email_src": "iusmodt", - "rsa.email.subject": "nrepreh", - "rsa.internal.messageid": "inbound/pass1", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - " SCAN" - ], - "rsa.misc.disposition": "Whitelisted Message", - "rsa.misc.reference_id": "eip", - "rsa.misc.result": "No Such User", - "rsa.misc.result_code": "8", - "rsa.time.endtime": "2016-05-08T07:27:59.000Z", - "rsa.time.starttime": "2016-05-08T07:27:59.000Z", - "service.type": "barracuda", - "source.ip": "10.138.137.28", - "tags": [ - "barracuda.spamfirewall", - 
"forwarded" - ], - "url.domain": "tempor" - }, - { - "event.action": "block", - "event.code": "nsequat", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "scan: ari[10.108.180.105] nsequat 1463927433 1463927433 block llam llamcorp ari eataevit 4 38 uovol dmi", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 765, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.hosts": [ - "ari" - ], - "related.ip": [ - "10.108.180.105" - ], - "rsa.db.index": "dmi", - "rsa.email.email_dst": "ari", - "rsa.email.email_src": "llamcorp", - "rsa.internal.messageid": "scan", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.disposition": "Tagged Message", - "rsa.misc.reference_id": "nsequat", - "rsa.misc.result": "Message Size Bypass", - "rsa.misc.result_code": "38", - "rsa.time.endtime": "2016-05-22T14:30:33.000Z", - "rsa.time.starttime": "2016-05-22T14:30:33.000Z", - "service.type": "barracuda", - "source.ip": "10.108.180.105", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ], - "url.domain": "ari" - }, - { - "event.action": " RECV", - "event.code": "ididu", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "inbound/pass1: [10.206.159.177] ididu 1465162388 1465162388 RECV ciunt turQuisa 10 74 lit", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 869, - "network.direction": "inbound", - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.ip": [ - "10.206.159.177" - ], - "rsa.db.index": "lit", - "rsa.email.email_dst": "turQuisa", - "rsa.email.email_src": "ciunt", - "rsa.internal.messageid": "inbound/pass1", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": 
[ - " RECV" - ], - "rsa.misc.disposition": "Attachments Stubbed", - "rsa.misc.reference_id": "ididu", - "rsa.misc.result": "BRTS Intent", - "rsa.misc.result_code": "74", - "rsa.time.endtime": "2016-06-05T21:33:08.000Z", - "rsa.time.starttime": "2016-06-05T21:33:08.000Z", - "service.type": "barracuda", - "source.ip": "10.206.159.177", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.action": " RECV", - "event.code": "reetdolo", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "inbound/pass1[umdo]: sed[10.206.224.241] reetdolo 1466397342 1466397342 RECV olupta turveli 4 40 tatno", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 959, - "network.direction": "inbound", - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.ip": [ - "10.206.224.241" - ], - "related.user": [ - "sed" - ], - "rsa.db.index": "tatno", - "rsa.email.email_dst": "turveli", - "rsa.email.email_src": "olupta", - "rsa.internal.messageid": "inbound/pass1", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - " RECV" - ], - "rsa.misc.disposition": "Tagged Message", - "rsa.misc.reference_id": "reetdolo", - "rsa.misc.result": "SPF/Caller-ID", - "rsa.misc.result_code": "40", - "rsa.time.endtime": "2016-06-20T04:35:42.000Z", - "rsa.time.starttime": "2016-06-20T04:35:42.000Z", - "service.type": "barracuda", - "source.ip": "10.206.224.241", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ], - "user.name": "sed" - }, - { - "event.action": " SCAN", - "event.code": "essequ", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "inbound/pass1: aveniam[10.82.201.113] essequ 1467632296 1467632296 SCAN taevi ender snulapar aedic 5 13 iumto SZ:aboreetd SUBJ:sun", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 1062, - 
"network.direction": "inbound", - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.hosts": [ - "aveniam" - ], - "related.ip": [ - "10.82.201.113" - ], - "rsa.email.email_dst": "snulapar", - "rsa.email.email_src": "ender", - "rsa.email.subject": "sun", - "rsa.internal.messageid": "inbound/pass1", - "rsa.misc.action": [ - " SCAN" - ], - "rsa.misc.reference_id": "essequ", - "rsa.misc.result": "No Valid Recipients", - "rsa.misc.result_code": "13", - "rsa.time.endtime": "2016-07-04T11:38:16.000Z", - "rsa.time.starttime": "2016-07-04T11:38:16.000Z", - "service.type": "barracuda", - "source.ip": "10.82.201.113", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ], - "url.domain": "aveniam" - }, - { - "event.code": "reports", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "reports: REPORTS (tem.exe) queued as ons", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 1193, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "process.name": "tem.exe", - "rsa.internal.event_desc": "report queued", - "rsa.internal.messageid": "reports", - "service.type": "barracuda", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "destination.ip": "10.18.165.35", - "event.action": "accept", - "event.code": "ittenbyC", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "outbound/smtp: 10.110.109.5 ittenbyC aperi lor accept ipi 4 paqu eseru remeum #to#10.18.165.35", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 1234, - "network.direction": "outbound", - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.ip": [ - "10.110.109.5", - "10.18.165.35" - ], - "rsa.internal.messageid": "outbound/smtp", - "rsa.investigations.event_cat": 1901000000, - 
"rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.disposition": "Expired Message", - "rsa.misc.log_session_id": "paqu", - "rsa.misc.reference_id": "ittenbyC", - "rsa.misc.result_code": "eseru", - "service.type": "barracuda", - "source.ip": "10.110.109.5", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.action": "deny", - "event.code": "eddoei", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "scan: dolore[10.195.109.134] eddoei 1471337159 1471337159 deny etM nimadmin ditautfu piscing 6 74 ostr rudexerc", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 1329, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.hosts": [ - "dolore" - ], - "related.ip": [ - "10.195.109.134" - ], - "rsa.db.index": "rudexerc", - "rsa.email.email_dst": "ditautfu", - "rsa.email.email_src": "nimadmin", - "rsa.internal.messageid": "scan", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.disposition": "Per-User Quarantined Message", - "rsa.misc.reference_id": "eddoei", - "rsa.misc.result": "BRTS Intent", - "rsa.misc.result_code": "74", - "rsa.time.endtime": "2016-08-16T08:45:59.000Z", - "rsa.time.starttime": "2016-08-16T08:45:59.000Z", - "service.type": "barracuda", - "source.ip": "10.195.109.134", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ], - "url.domain": "dolore" - }, - { - "event.action": "accept", - "event.code": "lorumw", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "scan[colabor]: iusmodt[10.21.92.218] lorumw 1472572113 1472572113 accept llitani inima tlabo suntexp 4 45 stiae SZ:nofdeF SUBJ:sunt", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 1441, - "observer.product": "Spam", - 
"observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.ip": [ - "10.21.92.218" - ], - "related.user": [ - "iusmodt" - ], - "rsa.email.email_dst": "tlabo", - "rsa.email.email_src": "inima", - "rsa.email.subject": "sunt", - "rsa.internal.messageid": "scan", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.disposition": "Tagged Message", - "rsa.misc.reference_id": "lorumw", - "rsa.misc.result": "Allowed Message Size Exceeded", - "rsa.misc.result_code": "45", - "rsa.time.endtime": "2016-08-30T15:48:33.000Z", - "rsa.time.starttime": "2016-08-30T15:48:33.000Z", - "service.type": "barracuda", - "source.ip": "10.21.92.218", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ], - "user.name": "iusmodt" - }, - { - "event.code": "reports", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "reports: REPORTS (tat.exe) queued as tion", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 1573, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "process.name": "tat.exe", - "rsa.internal.event_desc": "report queued", - "rsa.internal.messageid": "reports", - "service.type": "barracuda", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.code": "reports", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "reports: REPORTS (emp.exe) queued as aperia", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 1615, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "process.name": "emp.exe", - "rsa.internal.event_desc": "report queued", - "rsa.internal.messageid": "reports", - "service.type": "barracuda", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.code": "web", - "event.dataset": 
"barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "web: Ret Policy Summary (Del:eritquii Kept:dexeac)", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 1659, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "rsa.internal.messageid": "web", - "service.type": "barracuda", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.action": "LOGOUT", - "event.code": "web", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "web: [10.45.25.68] LOGOUT (rehender)", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 1710, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.ip": [ - "10.45.25.68" - ], - "related.user": [ - "rehender" - ], - "rsa.internal.messageid": "web", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "LOGOUT" - ], - "service.type": "barracuda", - "source.ip": "10.45.25.68", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ], - "user.name": "rehender" - }, - { - "event.code": "web", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "web: Ret Policy Summary (Del:hil Kept:atquovo)", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 1747, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "rsa.internal.messageid": "web", - "service.type": "barracuda", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.action": "allow", - "event.code": "notify/smtp", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "notify/smtp[tatn]: 10.18.109.121 ents pida allow idolor 1 emoeni 269 1.2857 utlabore ecillu", - "fileset.name": 
"spamfirewall", - "input.type": "log", - "log.offset": 1794, - "network.bytes": 269, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "observer.version": "1.2857", - "related.ip": [ - "10.18.109.121" - ], - "rsa.db.index": "ecillu", - "rsa.email.email_src": "utlabore", - "rsa.internal.messageid": "notify/smtp", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.disposition": "Delivered Message", - "rsa.misc.log_session_id": "emoeni", - "rsa.misc.version": "1.2857", - "service.type": "barracuda", - "source.ip": "10.18.109.121", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.action": "CHANGE", - "event.code": "web", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "web: [10.19.194.101] global CHANGE orinrepr (conse)", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 1886, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.ip": [ - "10.19.194.101" - ], - "rsa.db.index": "conse", - "rsa.internal.messageid": "web", - "rsa.misc.action": [ - "CHANGE" - ], - "rsa.misc.category": "orinrepr", - "service.type": "barracuda", - "source.ip": "10.19.194.101", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.code": "reports", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "reports: REPORTS (lumqui.exe) queued as itinvo", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 1938, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "process.name": "lumqui.exe", - "rsa.internal.event_desc": "report queued", - "rsa.internal.messageid": "reports", - "service.type": "barracuda", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { 
- "event.code": "reports", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "reports: REPORTS (usmodt.exe) queued as siar", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 1985, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "process.name": "usmodt.exe", - "rsa.internal.event_desc": "report queued", - "rsa.internal.messageid": "reports", - "service.type": "barracuda", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.action": "allow", - "event.code": "notify/smtp", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "notify/smtp[sci]: 10.116.193.182 snostrud nama allow data 1 ationul 2530 1.5361 commod adol", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 2030, - "network.bytes": 2530, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "observer.version": "1.5361", - "related.ip": [ - "10.116.193.182" - ], - "rsa.db.index": "adol", - "rsa.email.email_src": "commod", - "rsa.internal.messageid": "notify/smtp", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.disposition": "Delivered Message", - "rsa.misc.log_session_id": "ationul", - "rsa.misc.version": "1.5361", - "service.type": "barracuda", - "source.ip": "10.116.193.182", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.action": " SCAN", - "event.code": "modocon", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "inbound/pass1: hitect[10.198.6.166] modocon 1486156610 1486156610 SCAN que atevel nsecte itame 0 38 lit5929.test quamnih", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 2122, - "network.direction": "inbound", - "observer.product": "Spam", - 
"observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.hosts": [ - "hitect", - "lit5929.test" - ], - "related.ip": [ - "10.198.6.166" - ], - "rsa.db.index": "quamnih", - "rsa.email.email_dst": "nsecte", - "rsa.email.email_src": "atevel", - "rsa.internal.messageid": "inbound/pass1", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - " SCAN" - ], - "rsa.misc.disposition": "Allowed Message", - "rsa.misc.reference_id": "modocon", - "rsa.misc.result": "Message Size Bypass", - "rsa.misc.result_code": "38", - "rsa.network.domain": "lit5929.test", - "rsa.time.endtime": "2017-02-03T21:16:50.000Z", - "rsa.time.starttime": "2017-02-03T21:16:50.000Z", - "server.domain": "lit5929.test", - "server.registered_domain": "lit5929.test", - "server.top_level_domain": "test", - "service.type": "barracuda", - "source.ip": "10.198.6.166", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ], - "url.domain": "hitect" - }, - { - "event.action": "accept", - "event.code": "aquaeabi", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "outbound/smtp: 10.198.19.111 aquaeabi lita adeseru accept amc 4 amest corp modtemp <: iae", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 2243, - "network.direction": "outbound", - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.ip": [ - "10.198.19.111" - ], - "rsa.email.email_src": "rehender", - "rsa.internal.event_desc": "iae", - "rsa.internal.messageid": "outbound/smtp", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.disposition": "Expired Message", - "rsa.misc.log_session_id": "amest", - "rsa.misc.reference_id": "aquaeabi", - "rsa.misc.result_code": "corp", - "service.type": "barracuda", - "source.ip": "10.198.19.111", - 
"tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.action": " SCAN", - "event.code": "ione", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "inbound/pass1: equat[10.77.137.72] ione 1488626519 1488626519 SCAN ihilmole eriamea amre rsita 8 56 uptat3156.www5.test tmo", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 2343, - "network.direction": "inbound", - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.hosts": [ - "equat", - "uptat3156.www5.test" - ], - "related.ip": [ - "10.77.137.72" - ], - "rsa.db.index": "tmo", - "rsa.email.email_dst": "amre", - "rsa.email.email_src": "eriamea", - "rsa.internal.messageid": "inbound/pass1", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - " SCAN" - ], - "rsa.misc.disposition": "Encrypted Message", - "rsa.misc.reference_id": "ione", - "rsa.misc.result": "STARTTLS Syntax Error", - "rsa.misc.result_code": "56", - "rsa.network.domain": "uptat3156.www5.test", - "rsa.time.endtime": "2017-03-04T11:21:59.000Z", - "rsa.time.starttime": "2017-03-04T11:21:59.000Z", - "server.domain": "uptat3156.www5.test", - "server.registered_domain": "www5.test", - "server.subdomain": "uptat3156", - "server.top_level_domain": "test", - "service.type": "barracuda", - "source.ip": "10.77.137.72", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ], - "url.domain": "equat" - }, - { - "event.action": " SCAN", - "event.code": "temqu", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "inbound/pass1: vitaedi[10.128.114.77] temqu 1489861473 1489861473 SCAN edol colab ommodico quatD 4 59 neav6028.internal.domain agnid", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 2467, - "network.direction": "inbound", - "observer.product": "Spam", - "observer.type": 
"Anti-Virus", - "observer.vendor": "Barracuda", - "related.hosts": [ - "neav6028.internal.domain", - "vitaedi" - ], - "related.ip": [ - "10.128.114.77" - ], - "rsa.db.index": "agnid", - "rsa.email.email_dst": "ommodico", - "rsa.email.email_src": "colab", - "rsa.internal.messageid": "inbound/pass1", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - " SCAN" - ], - "rsa.misc.disposition": "Tagged Message", - "rsa.misc.reference_id": "temqu", - "rsa.misc.result": "Need STARTTLS First", - "rsa.misc.result_code": "59", - "rsa.network.domain": "neav6028.internal.domain", - "rsa.time.endtime": "2017-03-18T18:24:33.000Z", - "rsa.time.starttime": "2017-03-18T18:24:33.000Z", - "server.domain": "neav6028.internal.domain", - "server.registered_domain": "internal.domain", - "server.subdomain": "neav6028", - "server.top_level_domain": "domain", - "service.type": "barracuda", - "source.ip": "10.128.114.77", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ], - "url.domain": "vitaedi" - }, - { - "event.action": "allow", - "event.code": "hitecto", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "outbound/smtp: 10.181.80.139 hitecto ents liquide allow tenatu 1 boN eprehend aevit aboN", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 2600, - "network.direction": "outbound", - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.ip": [ - "10.181.80.139" - ], - "rsa.internal.event_desc": "aboN", - "rsa.internal.messageid": "outbound/smtp", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.disposition": "Delivered Message", - "rsa.misc.log_session_id": "boN", - "rsa.misc.reference_id": "hitecto", - "rsa.misc.result_code": "eprehend", - "service.type": "barracuda", - "source.ip": 
"10.181.80.139", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.action": " RECV", - "event.code": "quioffi", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "inbound/pass1[ris]: uamqu[10.138.252.123] quioffi 1492331381 1492331381 RECV uptate ncidid quaturve", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 2689, - "network.direction": "inbound", - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.ip": [ - "10.138.252.123" - ], - "related.user": [ - "uamqu" - ], - "rsa.db.index": "quaturve", - "rsa.email.email_dst": "ncidid", - "rsa.email.email_src": "uptate", - "rsa.internal.messageid": "inbound/pass1", - "rsa.misc.action": [ - " RECV" - ], - "rsa.misc.reference_id": "quioffi", - "rsa.time.endtime": "2017-04-16T08:29:41.000Z", - "rsa.time.starttime": "2017-04-16T08:29:41.000Z", - "service.type": "barracuda", - "source.ip": "10.138.252.123", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ], - "user.name": "uamqu" - }, - { - "event.code": "reports", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "reports: REPORTS (aera.exe) queued as ate", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 2789, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "process.name": "aera.exe", - "rsa.internal.event_desc": "report queued", - "rsa.internal.messageid": "reports", - "service.type": "barracuda", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.action": " RECV", - "event.code": "uir", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "inbound/pass1: [10.153.108.27] uir 1494801290 1494801290 RECV dol essecil citation", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 2831, - "network.direction": 
"inbound", - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.ip": [ - "10.153.108.27" - ], - "rsa.db.index": "citation", - "rsa.email.email_dst": "essecil", - "rsa.email.email_src": "dol", - "rsa.internal.messageid": "inbound/pass1", - "rsa.misc.action": [ - " RECV" - ], - "rsa.misc.reference_id": "uir", - "rsa.time.endtime": "2017-05-14T22:34:50.000Z", - "rsa.time.starttime": "2017-05-14T22:34:50.000Z", - "service.type": "barracuda", - "source.ip": "10.153.108.27", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.action": "deny", - "event.code": "gnido", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "outbound/smtp: 10.120.167.239 gnido ratvolu olup deny nsecte 3 eveli eroi dtemp aliquide", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 2914, - "network.direction": "outbound", - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.ip": [ - "10.120.167.239" - ], - "rsa.internal.event_desc": "aliquide", - "rsa.internal.messageid": "outbound/smtp", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.log_session_id": "eveli", - "rsa.misc.reference_id": "gnido", - "rsa.misc.result_code": "eroi", - "service.type": "barracuda", - "source.ip": "10.120.167.239", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.action": " RECV", - "event.code": "ecte", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "inbound/pass1[ris]: nisi[10.105.88.20] ecte 1497271198 1497271198 RECV tinvolu iurer iciadese", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 3003, - "network.direction": "inbound", - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.ip": [ - "10.105.88.20" - ], - "related.user": [ - "nisi" - ], - "rsa.db.index": 
"iciadese", - "rsa.email.email_dst": "iurer", - "rsa.email.email_src": "tinvolu", - "rsa.internal.messageid": "inbound/pass1", - "rsa.misc.action": [ - " RECV" - ], - "rsa.misc.reference_id": "ecte", - "rsa.time.endtime": "2017-06-12T12:39:58.000Z", - "rsa.time.starttime": "2017-06-12T12:39:58.000Z", - "service.type": "barracuda", - "source.ip": "10.105.88.20", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ], - "user.name": "nisi" - }, - { - "event.action": "deny", - "event.code": "idolor", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "scan: olupta[10.98.92.244] idolor 1498506153 1498506153 deny uta llumdolo nre ercitat 7 38 riosamn SZ:ept SUBJ:iumtotam", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 3097, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.hosts": [ - "olupta" - ], - "related.ip": [ - "10.98.92.244" - ], - "rsa.email.email_dst": "nre", - "rsa.email.email_src": "llumdolo", - "rsa.email.subject": "iumtotam", - "rsa.internal.messageid": "scan", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.disposition": "Whitelisted Message", - "rsa.misc.reference_id": "idolor", - "rsa.misc.result": "Message Size Bypass", - "rsa.misc.result_code": "38", - "rsa.time.endtime": "2017-06-26T19:42:33.000Z", - "rsa.time.starttime": "2017-06-26T19:42:33.000Z", - "service.type": "barracuda", - "source.ip": "10.98.92.244", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ], - "url.domain": "olupta" - }, - { - "event.action": "allow", - "event.code": "tDuisaut", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "scan[sperna]: sintocc[10.185.107.75] tDuisaut 1499741107 1499741107 allow tate imvenia spi stquido 8 62 ptas SZ:pta SUBJ:tetu", - "fileset.name": "spamfirewall", - 
"input.type": "log", - "log.offset": 3217, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.ip": [ - "10.185.107.75" - ], - "related.user": [ - "sintocc" - ], - "rsa.email.email_dst": "spi", - "rsa.email.email_src": "imvenia", - "rsa.email.subject": "tetu", - "rsa.internal.messageid": "scan", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.disposition": "Encrypted Message", - "rsa.misc.reference_id": "tDuisaut", - "rsa.misc.result": "Barracuda Reputation Blocklist", - "rsa.misc.result_code": "62", - "rsa.time.endtime": "2017-07-11T02:45:07.000Z", - "rsa.time.starttime": "2017-07-11T02:45:07.000Z", - "service.type": "barracuda", - "source.ip": "10.185.107.75", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ], - "user.name": "sintocc" - }, - { - "event.code": "reports", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "reports: REPORTS (nevo.exe) queued as ide", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 3343, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "process.name": "nevo.exe", - "rsa.internal.event_desc": "report queued", - "rsa.internal.messageid": "reports", - "service.type": "barracuda", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.action": "accept", - "event.code": "notify/smtp", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "notify/smtp[etcons]: 10.80.214.206 ate uiac accept officiad 4 quinesc 6218 1.5651 tur roi", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 3385, - "network.bytes": 6218, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "observer.version": "1.5651", - "related.ip": [ - "10.80.214.206" - 
], - "rsa.db.index": "roi", - "rsa.email.email_src": "tur", - "rsa.internal.messageid": "notify/smtp", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.disposition": "Expired Message", - "rsa.misc.log_session_id": "quinesc", - "rsa.misc.version": "1.5651", - "service.type": "barracuda", - "source.ip": "10.80.214.206", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.action": "allow", - "event.code": "notify/smtp", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "notify/smtp[nof]: 10.48.34.226 ccaec ten allow isc 2 ntN 6179 1.2364 tateve itinvol", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 3475, - "network.bytes": 6179, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "observer.version": "1.2364", - "related.ip": [ - "10.48.34.226" - ], - "rsa.db.index": "itinvol", - "rsa.email.email_src": "tateve", - "rsa.internal.messageid": "notify/smtp", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.disposition": "Rejected Message", - "rsa.misc.log_session_id": "ntN", - "rsa.misc.version": "1.2364", - "service.type": "barracuda", - "source.ip": "10.48.34.226", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.code": "reports", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "reports: REPORTS (etconsec.exe) queued as ios", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 3559, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "process.name": "etconsec.exe", - "rsa.internal.event_desc": "report queued", - "rsa.internal.messageid": "reports", - "service.type": "barracuda", - 
"tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.action": " SCAN", - "event.code": "mod", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "inbound/pass1: tquov[10.211.93.62] mod 1505915878 1505915878 SCAN hilm ataevi com tnulapa 5 57 tiumt SZ:reetdolo SUBJ:norum", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 3605, - "network.direction": "inbound", - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.hosts": [ - "tquov" - ], - "related.ip": [ - "10.211.93.62" - ], - "rsa.email.email_dst": "com", - "rsa.email.email_src": "ataevi", - "rsa.email.subject": "norum", - "rsa.internal.messageid": "inbound/pass1", - "rsa.misc.action": [ - " SCAN" - ], - "rsa.misc.reference_id": "mod", - "rsa.misc.result": "TLS Already Active", - "rsa.misc.result_code": "57", - "rsa.time.endtime": "2017-09-20T13:57:58.000Z", - "rsa.time.starttime": "2017-09-20T13:57:58.000Z", - "service.type": "barracuda", - "source.ip": "10.211.93.62", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ], - "url.domain": "tquov" - }, - { - "event.code": "reports", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "reports: REPORTS (uidol.exe) queued as mporin", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 3729, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "process.name": "uidol.exe", - "rsa.internal.event_desc": "report queued", - "rsa.internal.messageid": "reports", - "service.type": "barracuda", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.action": "accept", - "event.code": "entor", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "scan: qui[10.199.182.123] entor 1508385787 1508385787 accept Sedutp utp ema rsitv 0 69 ntiumt iquipe", - 
"fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 3775, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.hosts": [ - "qui" - ], - "related.ip": [ - "10.199.182.123" - ], - "rsa.db.index": "iquipe", - "rsa.email.email_dst": "ema", - "rsa.email.email_src": "utp", - "rsa.internal.messageid": "scan", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.disposition": "Allowed Message", - "rsa.misc.reference_id": "entor", - "rsa.misc.result": "Intent - Adult", - "rsa.misc.result_code": "69", - "rsa.time.endtime": "2017-10-19T04:03:07.000Z", - "rsa.time.starttime": "2017-10-19T04:03:07.000Z", - "service.type": "barracuda", - "source.ip": "10.199.182.123", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ], - "url.domain": "qui" - }, - { - "event.code": "reports", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "reports: REPORTS (tvolupt.exe) queued as eufugi", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 3876, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "process.name": "tvolupt.exe", - "rsa.internal.event_desc": "report queued", - "rsa.internal.messageid": "reports", - "service.type": "barracuda", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.action": "block", - "event.code": "uamni", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "scan[pid]: illoin[10.130.38.118] uamni 1510855695 1510855695 block gnamal metMalo ntexplic archite 1 56 untu asi", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 3924, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.ip": [ - "10.130.38.118" - ], - "related.user": [ - 
"illoin" - ], - "rsa.db.index": "asi", - "rsa.email.email_dst": "ntexplic", - "rsa.email.email_src": "metMalo", - "rsa.internal.messageid": "scan", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.disposition": "Aborted Message", - "rsa.misc.reference_id": "uamni", - "rsa.misc.result": "STARTTLS Syntax Error", - "rsa.misc.result_code": "56", - "rsa.time.endtime": "2017-11-16T18:08:15.000Z", - "rsa.time.starttime": "2017-11-16T18:08:15.000Z", - "service.type": "barracuda", - "source.ip": "10.130.38.118", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ], - "user.name": "illoin" - }, - { - "event.action": " RECV", - "event.code": "eumiu", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "inbound/pass1: [10.153.152.219] eumiu 1512090649 1512090649 RECV orumSe boree intoc", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 4037, - "network.direction": "inbound", - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.ip": [ - "10.153.152.219" - ], - "rsa.db.index": "intoc", - "rsa.email.email_dst": "boree", - "rsa.email.email_src": "orumSe", - "rsa.internal.messageid": "inbound/pass1", - "rsa.misc.action": [ - " RECV" - ], - "rsa.misc.reference_id": "eumiu", - "rsa.time.endtime": "2017-12-01T01:10:49.000Z", - "rsa.time.starttime": "2017-12-01T01:10:49.000Z", - "service.type": "barracuda", - "source.ip": "10.153.152.219", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.code": "web", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "web: Retention violating accounts: rnatur total", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 4121, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - 
"rsa.internal.messageid": "web", - "service.type": "barracuda", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.code": "reports", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "reports: REPORTS (isisten.exe) queued as cusant", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 4169, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "process.name": "isisten.exe", - "rsa.internal.event_desc": "report queued", - "rsa.internal.messageid": "reports", - "service.type": "barracuda", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.code": "reports", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "reports: REPORTS (naal.exe) queued as borios", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 4217, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "process.name": "naal.exe", - "rsa.internal.event_desc": "report queued", - "rsa.internal.messageid": "reports", - "service.type": "barracuda", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.action": "deny", - "event.code": "tali", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "outbound/smtp: 10.167.227.44 tali lillum cusant deny ender 2 oles edic seq tutlab", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 4262, - "network.direction": "outbound", - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.ip": [ - "10.167.227.44" - ], - "rsa.internal.event_desc": "tutlab", - "rsa.internal.messageid": "outbound/smtp", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.disposition": "Rejected 
Message", - "rsa.misc.log_session_id": "oles", - "rsa.misc.reference_id": "tali", - "rsa.misc.result_code": "edic", - "service.type": "barracuda", - "source.ip": "10.167.227.44", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.action": "deny", - "event.code": "notify/smtp", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "notify/smtp[atevelit]: 10.56.136.27 aperia ccaeca deny ttenby 1 amc 5163 1.375 orumSe ratv", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 4344, - "network.bytes": 5163, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "observer.version": "1.375", - "related.ip": [ - "10.56.136.27" - ], - "rsa.db.index": "ratv", - "rsa.email.email_src": "orumSe", - "rsa.internal.messageid": "notify/smtp", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.disposition": "Delivered Message", - "rsa.misc.log_session_id": "amc", - "rsa.misc.version": "1.375", - "service.type": "barracuda", - "source.ip": "10.56.136.27", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.action": "FAILED_LOGIN", - "event.code": "web", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "web: [10.194.90.130] FAILED_LOGIN (siut)", - "event.outcome": "failure", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 4435, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.ip": [ - "10.194.90.130" - ], - "related.user": [ - "siut" - ], - "rsa.internal.messageid": "web", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "FAILED_LOGIN" - ], - 
"service.type": "barracuda", - "source.ip": "10.194.90.130", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ], - "user.name": "siut" - }, - { - "event.action": " RECV", - "event.code": "velitess", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "inbound/pass1: [10.103.69.44] velitess 1520735329 1520735329 RECV naali uunturm temUte", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 4476, - "network.direction": "inbound", - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.ip": [ - "10.103.69.44" - ], - "rsa.db.index": "temUte", - "rsa.email.email_dst": "uunturm", - "rsa.email.email_src": "naali", - "rsa.internal.messageid": "inbound/pass1", - "rsa.misc.action": [ - " RECV" - ], - "rsa.misc.reference_id": "velitess", - "rsa.time.endtime": "2018-03-11T02:28:49.000Z", - "rsa.time.starttime": "2018-03-11T02:28:49.000Z", - "service.type": "barracuda", - "source.ip": "10.103.69.44", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.action": " SCAN", - "event.code": "uptatema", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "inbound/pass1: aveni[10.29.155.171] uptatema 1521970284 1521970284 SCAN oeni tdol sit tiaec 6 23 oremagna3521.mail.home asiar", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 4563, - "network.direction": "inbound", - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.hosts": [ - "aveni", - "oremagna3521.mail.home" - ], - "related.ip": [ - "10.29.155.171" - ], - "rsa.db.index": "asiar", - "rsa.email.email_dst": "sit", - "rsa.email.email_src": "tdol", - "rsa.internal.messageid": "inbound/pass1", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - " SCAN" - ], - "rsa.misc.disposition": 
"Per-User Quarantined Message", - "rsa.misc.reference_id": "uptatema", - "rsa.misc.result": "Send EHLO/HELO First", - "rsa.misc.result_code": "23", - "rsa.network.domain": "oremagna3521.mail.home", - "rsa.time.endtime": "2018-03-25T09:31:24.000Z", - "rsa.time.starttime": "2018-03-25T09:31:24.000Z", - "server.domain": "oremagna3521.mail.home", - "server.registered_domain": "mail.home", - "server.subdomain": "oremagna3521", - "server.top_level_domain": "home", - "service.type": "barracuda", - "source.ip": "10.29.155.171", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ], - "url.domain": "aveni" - }, - { - "event.action": " RECV", - "event.code": "nonp", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "inbound/pass1: [10.145.193.93] nonp 1523205238 1523205238 RECV labo ulapar aboreetd", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 4689, - "network.direction": "inbound", - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.ip": [ - "10.145.193.93" - ], - "rsa.db.index": "aboreetd", - "rsa.email.email_dst": "ulapar", - "rsa.email.email_src": "labo", - "rsa.internal.messageid": "inbound/pass1", - "rsa.misc.action": [ - " RECV" - ], - "rsa.misc.reference_id": "nonp", - "rsa.time.endtime": "2018-04-08T16:33:58.000Z", - "rsa.time.starttime": "2018-04-08T16:33:58.000Z", - "service.type": "barracuda", - "source.ip": "10.145.193.93", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.action": " RECV", - "event.code": "exeacom", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "inbound/pass1[ama]: uatur[10.143.79.226] exeacom 1524440192 1524440192 RECV roidents tem dol", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 4773, - "network.direction": "inbound", - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": 
"Barracuda", - "related.ip": [ - "10.143.79.226" - ], - "related.user": [ - "uatur" - ], - "rsa.db.index": "dol", - "rsa.email.email_dst": "tem", - "rsa.email.email_src": "roidents", - "rsa.internal.messageid": "inbound/pass1", - "rsa.misc.action": [ - " RECV" - ], - "rsa.misc.reference_id": "exeacom", - "rsa.time.endtime": "2018-04-22T23:36:32.000Z", - "rsa.time.starttime": "2018-04-22T23:36:32.000Z", - "service.type": "barracuda", - "source.ip": "10.143.79.226", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ], - "user.name": "uatur" - }, - { - "event.action": "FAILED_LOGIN", - "event.code": "web", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "web: [10.30.25.84] FAILED_LOGIN (utlab)", - "event.outcome": "failure", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 4866, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.ip": [ - "10.30.25.84" - ], - "related.user": [ - "utlab" - ], - "rsa.internal.messageid": "web", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "FAILED_LOGIN" - ], - "service.type": "barracuda", - "source.ip": "10.30.25.84", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ], - "user.name": "utlab" - }, - { - "event.action": " RECV", - "event.code": "bor", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "inbound/pass1: [10.141.225.182] bor 1526910101 1526910101 RECV rauto ationev 8 57 uaUten", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 4906, - "network.direction": "inbound", - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.ip": [ - "10.141.225.182" - ], - "rsa.db.index": "uaUten", - "rsa.email.email_dst": 
"ationev", - "rsa.email.email_src": "rauto", - "rsa.internal.messageid": "inbound/pass1", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - " RECV" - ], - "rsa.misc.disposition": "Encrypted Message", - "rsa.misc.reference_id": "bor", - "rsa.misc.result": "TLS Already Active", - "rsa.misc.result_code": "57", - "rsa.time.endtime": "2018-05-21T13:41:41.000Z", - "rsa.time.starttime": "2018-05-21T13:41:41.000Z", - "service.type": "barracuda", - "source.ip": "10.141.225.182", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.code": "reports", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "reports: REPORTS (dun.exe) queued as reprehe", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 4995, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "process.name": "dun.exe", - "rsa.internal.event_desc": "report queued", - "rsa.internal.messageid": "reports", - "service.type": "barracuda", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.action": "CHANGE", - "event.code": "web", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "web: [10.90.9.88] global CHANGE umexerc (oremipsu)", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 5040, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.ip": [ - "10.90.9.88" - ], - "rsa.db.index": "oremipsu", - "rsa.internal.messageid": "web", - "rsa.misc.action": [ - "CHANGE" - ], - "rsa.misc.category": "umexerc", - "service.type": "barracuda", - "source.ip": "10.90.9.88", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.code": "reports", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "reports: REPORTS 
(amco.exe) queued as ssecillu", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 5091, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "process.name": "amco.exe", - "rsa.internal.event_desc": "report queued", - "rsa.internal.messageid": "reports", - "service.type": "barracuda", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.code": "reports", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "reports: REPORTS (olo.exe) queued as psumqu", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 5138, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "process.name": "olo.exe", - "rsa.internal.event_desc": "report queued", - "rsa.internal.messageid": "reports", - "service.type": "barracuda", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.action": "allow", - "event.code": "notify/smtp", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "notify/smtp[rationev]: 10.226.20.199 tatem untutlab allow eveli 2 lillum 7809 1.2000 uisaute imide", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 5182, - "network.bytes": 7809, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "observer.version": "1.2000", - "related.ip": [ - "10.226.20.199" - ], - "rsa.db.index": "imide", - "rsa.email.email_src": "uisaute", - "rsa.internal.messageid": "notify/smtp", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.disposition": "Rejected Message", - "rsa.misc.log_session_id": "lillum", - "rsa.misc.version": "1.2000", - "service.type": "barracuda", - "source.ip": "10.226.20.199", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - 
{ - "event.action": "CHANGE", - "event.code": "web", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "web: [10.134.140.191] global CHANGE nte (mvel)", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 5281, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.ip": [ - "10.134.140.191" - ], - "rsa.db.index": "mvel", - "rsa.internal.messageid": "web", - "rsa.misc.action": [ - "CHANGE" - ], - "rsa.misc.category": "nte", - "service.type": "barracuda", - "source.ip": "10.134.140.191", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.action": "cancel", - "event.code": "nimadmin", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "outbound/smtp[conse]: 10.252.40.172 nimadmin isiu licabo cancel etdolor 3 dic cola amcor", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 5328, - "network.direction": "outbound", - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.ip": [ - "10.252.40.172" - ], - "rsa.db.index": "amcor", - "rsa.internal.messageid": "outbound/smtp", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.log_session_id": "dic", - "rsa.misc.reference_id": "nimadmin", - "rsa.misc.result_code": "cola", - "service.type": "barracuda", - "source.ip": "10.252.40.172", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ] - }, - { - "event.action": "accept", - "event.code": "nisiut", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "scan[xea]: ites[10.126.26.131] nisiut 1536789735 1536789735 accept teturad perspici itation sequatD 5 24 isciv rroqu", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 5417, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.ip": [ - 
"10.126.26.131" - ], - "related.user": [ - "ites" - ], - "rsa.db.index": "rroqu", - "rsa.email.email_dst": "itation", - "rsa.email.email_src": "perspici", - "rsa.internal.messageid": "scan", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.reference_id": "nisiut", - "rsa.misc.result": "Need MAIL Command", - "rsa.misc.result_code": "24", - "rsa.time.endtime": "2018-09-12T22:02:15.000Z", - "rsa.time.starttime": "2018-09-12T22:02:15.000Z", - "service.type": "barracuda", - "source.ip": "10.126.26.131", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ], - "user.name": "ites" - }, - { - "event.action": "accept", - "event.code": "reetd", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "scan[rExc]: iusmo[10.187.210.173] reetd 1538024689 1538024689 accept ulpa sitam rad loi 2 15 Nequepor SZ:eirure SUBJ:deserun", - "fileset.name": "spamfirewall", - "input.type": "log", - "log.offset": 5534, - "observer.product": "Spam", - "observer.type": "Anti-Virus", - "observer.vendor": "Barracuda", - "related.ip": [ - "10.187.210.173" - ], - "related.user": [ - "iusmo" - ], - "rsa.email.email_dst": "rad", - "rsa.email.email_src": "sitam", - "rsa.email.subject": "deserun", - "rsa.internal.messageid": "scan", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.disposition": "Blocked Message", - "rsa.misc.reference_id": "reetd", - "rsa.misc.result": "Sender Address", - "rsa.misc.result_code": "15", - "rsa.time.endtime": "2018-09-27T05:04:49.000Z", - "rsa.time.starttime": "2018-09-27T05:04:49.000Z", - "service.type": "barracuda", - "source.ip": "10.187.210.173", - "tags": [ - "barracuda.spamfirewall", - "forwarded" - ], - "user.name": "iusmo" - }, - { - "event.code": "reports", - "event.dataset": "barracuda.spamfirewall", - "event.module": "barracuda", - "event.original": "reports: REPORTS (orroq.exe) queued as vitaedic", - 
"fileset.name": "spamfirewall",
- "input.type": "log",
- "log.offset": 5659,
- "observer.product": "Spam",
- "observer.type": "Anti-Virus",
- "observer.vendor": "Barracuda",
- "process.name": "orroq.exe",
- "rsa.internal.event_desc": "report queued",
- "rsa.internal.messageid": "reports",
- "service.type": "barracuda",
- "tags": [
- "barracuda.spamfirewall",
- "forwarded"
- ]
- },
- {
- "event.code": "reports",
- "event.dataset": "barracuda.spamfirewall",
- "event.module": "barracuda",
- "event.original": "reports: REPORTS (orem.exe) queued as rcit",
- "fileset.name": "spamfirewall",
- "input.type": "log",
- "log.offset": 5707,
- "observer.product": "Spam",
- "observer.type": "Anti-Virus",
- "observer.vendor": "Barracuda",
- "process.name": "orem.exe",
- "rsa.internal.event_desc": "report queued",
- "rsa.internal.messageid": "reports",
- "service.type": "barracuda",
- "tags": [
- "barracuda.spamfirewall",
- "forwarded"
- ]
- },
- {
- "event.action": "allow",
- "event.code": "atise",
- "event.dataset": "barracuda.spamfirewall",
- "event.module": "barracuda",
- "event.original": "scan[untincul]: ssecil[10.180.147.129] atise 1541729552 1541729552 allow umetMalo oluptas emvele isnost 2 5 ido emqu",
- "fileset.name": "spamfirewall",
- "input.type": "log",
- "log.offset": 5750,
- "observer.product": "Spam",
- "observer.type": "Anti-Virus",
- "observer.vendor": "Barracuda",
- "related.ip": [
- "10.180.147.129"
- ],
- "related.user": [
- "ssecil"
- ],
- "rsa.db.index": "emqu",
- "rsa.email.email_dst": "emvele",
- "rsa.email.email_src": "oluptas",
- "rsa.internal.messageid": "scan",
- "rsa.investigations.event_cat": 1901000000,
- "rsa.investigations.event_cat_name": "Other.Default",
- "rsa.misc.action": [
- "allow"
- ],
- "rsa.misc.disposition": "Blocked Message",
- "rsa.misc.reference_id": "atise",
- "rsa.misc.result": "Too Many Message In Session",
- "rsa.misc.result_code": "5",
- "rsa.time.endtime": "2018-11-09T02:12:32.000Z",
- "rsa.time.starttime": "2018-11-09T02:12:32.000Z",
- "service.type": "barracuda",
- "source.ip": "10.180.147.129",
- "tags": [
- "barracuda.spamfirewall",
- "forwarded"
- ],
- "user.name": "ssecil"
- },
- {
- "event.action": "cancel",
- "event.code": "notify/smtp",
- "event.dataset": "barracuda.spamfirewall",
- "event.module": "barracuda",
- "event.original": "notify/smtp[exeaco]: 10.99.17.210 olorsit tore cancel illu 4 turadip 688 1.7484 boreetdo undeom",
- "fileset.name": "spamfirewall",
- "input.type": "log",
- "log.offset": 5867,
- "network.bytes": 688,
- "observer.product": "Spam",
- "observer.type": "Anti-Virus",
- "observer.vendor": "Barracuda",
- "observer.version": "1.7484",
- "related.ip": [
- "10.99.17.210"
- ],
- "rsa.db.index": "undeom",
- "rsa.email.email_src": "boreetdo",
- "rsa.internal.messageid": "notify/smtp",
- "rsa.investigations.event_cat": 1901000000,
- "rsa.investigations.event_cat_name": "Other.Default",
- "rsa.misc.action": [
- "cancel"
- ],
- "rsa.misc.disposition": "Expired Message",
- "rsa.misc.log_session_id": "turadip",
- "rsa.misc.version": "1.7484",
- "service.type": "barracuda",
- "source.ip": "10.99.17.210",
- "tags": [
- "barracuda.spamfirewall",
- "forwarded"
- ]
- },
- {
- "event.action": "accept",
- "event.code": "notify/smtp",
- "event.dataset": "barracuda.spamfirewall",
- "event.module": "barracuda",
- "event.original": "notify/smtp[uov]: 10.230.46.162 sBono loremqu accept quunt 3 siuta 1107 1.2607 dquia temporin",
- "fileset.name": "spamfirewall",
- "input.type": "log",
- "log.offset": 5963,
- "network.bytes": 1107,
- "observer.product": "Spam",
- "observer.type": "Anti-Virus",
- "observer.vendor": "Barracuda",
- "observer.version": "1.2607",
- "related.ip": [
- "10.230.46.162"
- ],
- "rsa.db.index": "temporin",
- "rsa.email.email_src": "dquia",
- "rsa.internal.messageid": "notify/smtp",
- "rsa.misc.action": [
- "accept"
- ],
- "rsa.misc.log_session_id": "siuta",
- "rsa.misc.version": "1.2607",
- "service.type": "barracuda",
- "source.ip": "10.230.46.162",
- "tags": [
- "barracuda.spamfirewall",
- "forwarded"
- ]
- },
- {
- "event.action": "accept",
- "event.code": "rum",
- "event.dataset": "barracuda.spamfirewall",
- "event.module": "barracuda",
- "event.original": "scan[nimveni]: idi[10.96.135.47] rum 1545434414 1545434414 accept eporroq ulla iqu oin 1 55 cingel modocon",
- "fileset.name": "spamfirewall",
- "input.type": "log",
- "log.offset": 6057,
- "observer.product": "Spam",
- "observer.type": "Anti-Virus",
- "observer.vendor": "Barracuda",
- "related.ip": [
- "10.96.135.47"
- ],
- "related.user": [
- "idi"
- ],
- "rsa.db.index": "modocon",
- "rsa.email.email_dst": "iqu",
- "rsa.email.email_src": "ulla",
- "rsa.internal.messageid": "scan",
- "rsa.investigations.event_cat": 1901000000,
- "rsa.investigations.event_cat_name": "Other.Default",
- "rsa.misc.action": [
- "accept"
- ],
- "rsa.misc.disposition": "Aborted Message",
- "rsa.misc.reference_id": "rum",
- "rsa.misc.result": "Invalid Parameter Syntax",
- "rsa.misc.result_code": "55",
- "rsa.time.endtime": "2018-12-21T23:20:14.000Z",
- "rsa.time.starttime": "2018-12-21T23:20:14.000Z",
- "service.type": "barracuda",
- "source.ip": "10.96.135.47",
- "tags": [
- "barracuda.spamfirewall",
- "forwarded"
- ],
- "user.name": "idi"
- },
- {
- "event.code": "reports",
- "event.dataset": "barracuda.spamfirewall",
- "event.module": "barracuda",
- "event.original": "reports: REPORTS (atv.exe) queued as onu",
- "fileset.name": "spamfirewall",
- "input.type": "log",
- "log.offset": 6164,
- "observer.product": "Spam",
- "observer.type": "Anti-Virus",
- "observer.vendor": "Barracuda",
- "process.name": "atv.exe",
- "rsa.internal.event_desc": "report queued",
- "rsa.internal.messageid": "reports",
- "service.type": "barracuda",
- "tags": [
- "barracuda.spamfirewall",
- "forwarded"
- ]
- },
- {
- "event.action": "cancel",
- "event.code": "nsec",
- "event.dataset": "barracuda.spamfirewall",
- "event.module": "barracuda",
- "event.original": "scan: obeataev[10.139.127.232] nsec 1547904323 1547904323 cancel maperi agnaaliq tlaboree norumet 7 48 tin SZ:fugitse SUBJ:imad",
- "fileset.name": "spamfirewall",
- "input.type": "log",
- "log.offset": 6205,
- "observer.product": "Spam",
- "observer.type": "Anti-Virus",
- "observer.vendor": "Barracuda",
- "related.hosts": [
- "obeataev"
- ],
- "related.ip": [
- "10.139.127.232"
- ],
- "rsa.email.email_dst": "tlaboree",
- "rsa.email.email_src": "agnaaliq",
- "rsa.email.subject": "imad",
- "rsa.internal.messageid": "scan",
- "rsa.investigations.event_cat": 1901000000,
- "rsa.investigations.event_cat_name": "Other.Default",
- "rsa.misc.action": [
- "cancel"
- ],
- "rsa.misc.disposition": "Whitelisted Message",
- "rsa.misc.reference_id": "nsec",
- "rsa.misc.result": "DATA Syntax Error",
- "rsa.misc.result_code": "48",
- "rsa.time.endtime": "2019-01-19T13:25:23.000Z",
- "rsa.time.starttime": "2019-01-19T13:25:23.000Z",
- "service.type": "barracuda",
- "source.ip": "10.139.127.232",
- "tags": [
- "barracuda.spamfirewall",
- "forwarded"
- ],
- "url.domain": "obeataev"
- },
- {
- "event.action": " SCAN",
- "event.code": "atu",
- "event.dataset": "barracuda.spamfirewall",
- "event.module": "barracuda",
- "event.original": "inbound/pass1: inv[10.163.209.70] atu 1549139277 1549139277 SCAN lloin remipsum tempor citatio 0 57 mveniamq SZ:taedict SUBJ:edquian",
- "fileset.name": "spamfirewall",
- "input.type": "log",
- "log.offset": 6333,
- "network.direction": "inbound",
- "observer.product": "Spam",
- "observer.type": "Anti-Virus",
- "observer.vendor": "Barracuda",
- "related.hosts": [
- "inv"
- ],
- "related.ip": [
- "10.163.209.70"
- ],
- "rsa.email.email_dst": "tempor",
- "rsa.email.email_src": "remipsum",
- "rsa.email.subject": "edquian",
- "rsa.internal.messageid": "inbound/pass1",
- "rsa.investigations.event_cat": 1901000000,
- "rsa.investigations.event_cat_name": "Other.Default",
- "rsa.misc.action": [
- " SCAN"
- ],
- "rsa.misc.disposition": "Allowed Message",
- "rsa.misc.reference_id": "atu",
- "rsa.misc.result": "TLS Already Active",
- "rsa.misc.result_code": "57",
- "rsa.time.endtime": "2019-02-02T20:27:57.000Z",
- "rsa.time.starttime": "2019-02-02T20:27:57.000Z",
- "service.type": "barracuda",
- "source.ip": "10.163.209.70",
- "tags": [
- "barracuda.spamfirewall",
- "forwarded"
- ],
- "url.domain": "inv"
- },
- {
- "event.code": "reports",
- "event.dataset": "barracuda.spamfirewall",
- "event.module": "barracuda",
- "event.original": "reports: REPORTS (mipsamvo.exe) queued as eiusmod",
- "fileset.name": "spamfirewall",
- "input.type": "log",
- "log.offset": 6466,
- "observer.product": "Spam",
- "observer.type": "Anti-Virus",
- "observer.vendor": "Barracuda",
- "process.name": "mipsamvo.exe",
- "rsa.internal.event_desc": "report queued",
- "rsa.internal.messageid": "reports",
- "service.type": "barracuda",
- "tags": [
- "barracuda.spamfirewall",
- "forwarded"
- ]
- },
- {
- "event.action": "accept",
- "event.code": "umetMal",
- "event.dataset": "barracuda.spamfirewall",
- "event.module": "barracuda",
- "event.original": "scan[avolu]: Except[10.191.7.121] umetMal 1551609186 1551609186 accept sciun metcons itasper uae 2 21 uia iciad",
- "fileset.name": "spamfirewall",
- "input.type": "log",
- "log.offset": 6516,
- "observer.product": "Spam",
- "observer.type": "Anti-Virus",
- "observer.vendor": "Barracuda",
- "related.ip": [
- "10.191.7.121"
- ],
- "related.user": [
- "Except"
- ],
- "rsa.db.index": "iciad",
- "rsa.email.email_dst": "itasper",
- "rsa.email.email_src": "metcons",
- "rsa.internal.messageid": "scan",
- "rsa.investigations.event_cat": 1901000000,
- "rsa.investigations.event_cat_name": "Other.Default",
- "rsa.misc.action": [
- "accept"
- ],
- "rsa.misc.disposition": "Blocked Message",
- "rsa.misc.reference_id": "umetMal",
- "rsa.misc.result": "Bad Address Syntax",
- "rsa.misc.result_code": "21",
- "rsa.time.endtime": "2019-03-03T10:33:06.000Z",
- "rsa.time.starttime": "2019-03-03T10:33:06.000Z",
- "service.type": "barracuda",
- "source.ip": "10.191.7.121",
- "tags": [
- "barracuda.spamfirewall",
- "forwarded"
- ],
- "user.name": "Except"
- },
- {
- "event.action": " RECV",
- "event.code": "gnaa",
- "event.dataset": "barracuda.spamfirewall",
- "event.module": "barracuda",
- "event.original": "inbound/pass1: [10.157.196.101] gnaa 1552844140 1552844140 RECV mod doei cipitl",
- "fileset.name": "spamfirewall",
- "input.type": "log",
- "log.offset": 6628,
- "network.direction": "inbound",
- "observer.product": "Spam",
- "observer.type": "Anti-Virus",
- "observer.vendor": "Barracuda",
- "related.ip": [
- "10.157.196.101"
- ],
- "rsa.db.index": "cipitl",
- "rsa.email.email_dst": "doei",
- "rsa.email.email_src": "mod",
- "rsa.internal.messageid": "inbound/pass1",
- "rsa.misc.action": [
- " RECV"
- ],
- "rsa.misc.reference_id": "gnaa",
- "rsa.time.endtime": "2019-03-17T17:35:40.000Z",
- "rsa.time.starttime": "2019-03-17T17:35:40.000Z",
- "service.type": "barracuda",
- "source.ip": "10.157.196.101",
- "tags": [
- "barracuda.spamfirewall",
- "forwarded"
- ]
- },
- {
- "event.action": "CHANGE",
- "event.code": "web",
- "event.dataset": "barracuda.spamfirewall",
- "event.module": "barracuda",
- "event.original": "web: [10.171.72.5] global CHANGE eprehend (asnu)",
- "fileset.name": "spamfirewall",
- "input.type": "log",
- "log.offset": 6708,
- "observer.product": "Spam",
- "observer.type": "Anti-Virus",
- "observer.vendor": "Barracuda",
- "related.ip": [
- "10.171.72.5"
- ],
- "rsa.db.index": "asnu",
- "rsa.internal.messageid": "web",
- "rsa.misc.action": [
- "CHANGE"
- ],
- "rsa.misc.category": "eprehend",
- "service.type": "barracuda",
- "source.ip": "10.171.72.5",
- "tags": [
- "barracuda.spamfirewall",
- "forwarded"
- ]
- },
- {
- "event.action": "cancel",
- "event.code": "mquisn",
- "event.dataset": "barracuda.spamfirewall",
- "event.module": "barracuda",
- "event.original": "scan: eritatis[10.209.184.60] mquisn 1555314049 1555314049 cancel uto emUte molestia quir 4 18 emip SZ:ver SUBJ:erc",
- "fileset.name": "spamfirewall",
- "input.type": "log",
- "log.offset": 6757,
- "observer.product": "Spam",
- "observer.type": "Anti-Virus",
- "observer.vendor": "Barracuda",
- "related.hosts": [
- "eritatis"
- ],
- "related.ip": [
- "10.209.184.60"
- ],
- "rsa.email.email_dst": "molestia",
- "rsa.email.email_src": "emUte",
- "rsa.email.subject": "erc",
- "rsa.internal.messageid": "scan",
- "rsa.investigations.event_cat": 1901000000,
- "rsa.investigations.event_cat_name": "Other.Default",
- "rsa.misc.action": [
- "cancel"
- ],
- "rsa.misc.disposition": "Tagged Message",
- "rsa.misc.reference_id": "mquisn",
- "rsa.misc.result": "Need Fully Qualified Sender",
- "rsa.misc.result_code": "18",
- "rsa.time.endtime": "2019-04-15T07:40:49.000Z",
- "rsa.time.starttime": "2019-04-15T07:40:49.000Z",
- "service.type": "barracuda",
- "source.ip": "10.209.184.60",
- "tags": [
- "barracuda.spamfirewall",
- "forwarded"
- ],
- "url.domain": "eritatis"
- },
- {
- "event.action": " RECV",
- "event.code": "isqua",
- "event.dataset": "barracuda.spamfirewall",
- "event.module": "barracuda",
- "event.original": "inbound/pass1[dolorsit]: archite[10.143.228.97] isqua 1556549003 1556549003 RECV uta emo itq",
- "fileset.name": "spamfirewall",
- "input.type": "log",
- "log.offset": 6873,
- "network.direction": "inbound",
- "observer.product": "Spam",
- "observer.type": "Anti-Virus",
- "observer.vendor": "Barracuda",
- "related.ip": [
- "10.143.228.97"
- ],
- "related.user": [
- "archite"
- ],
- "rsa.db.index": "itq",
- "rsa.email.email_dst": "emo",
- "rsa.email.email_src": "uta",
- "rsa.internal.messageid": "inbound/pass1",
- "rsa.misc.action": [
- " RECV"
- ],
- "rsa.misc.reference_id": "isqua",
- "rsa.time.endtime": "2019-04-29T14:43:23.000Z",
- "rsa.time.starttime": "2019-04-29T14:43:23.000Z",
- "service.type": "barracuda",
- "source.ip": "10.143.228.97",
- "tags": [
- "barracuda.spamfirewall",
- "forwarded"
- ],
- "user.name": "archite"
- },
- {
- "event.code": "reports",
- "event.dataset": "barracuda.spamfirewall",
- "event.module": "barracuda",
- "event.original": "reports: REPORTS (ntexpl.exe) queued as dunt",
- "fileset.name": "spamfirewall",
- "input.type": "log",
- "log.offset": 6966,
- "observer.product": "Spam",
- "observer.type": "Anti-Virus",
- "observer.vendor": "Barracuda",
- "process.name": "ntexpl.exe",
- "rsa.internal.event_desc": "report queued",
- "rsa.internal.messageid": "reports",
- "service.type": "barracuda",
- "tags": [
- "barracuda.spamfirewall",
- "forwarded"
- ]
- },
- {
- "event.action": "block",
- "event.code": "tetur",
- "event.dataset": "barracuda.spamfirewall",
- "event.module": "barracuda",
- "event.original": "scan: plic[10.17.87.79] tetur 1559018911 1559018911 block amali ate idolor ratvolu 7 64 onse olorem",
- "fileset.name": "spamfirewall",
- "input.type": "log",
- "log.offset": 7011,
- "observer.product": "Spam",
- "observer.type": "Anti-Virus",
- "observer.vendor": "Barracuda",
- "related.hosts": [
- "plic"
- ],
- "related.ip": [
- "10.17.87.79"
- ],
- "rsa.db.index": "olorem",
- "rsa.email.email_dst": "idolor",
- "rsa.email.email_src": "ate",
- "rsa.internal.messageid": "scan",
- "rsa.investigations.event_cat": 1901000000,
- "rsa.investigations.event_cat_name": "Other.Default",
- "rsa.misc.action": [
- "block"
- ],
- "rsa.misc.disposition": "Whitelisted Message",
- "rsa.misc.reference_id": "tetur",
- "rsa.misc.result": "Recipient Verification Unavailable",
- "rsa.misc.result_code": "64",
- "rsa.time.endtime": "2019-05-28T04:48:31.000Z",
- "rsa.time.starttime": "2019-05-28T04:48:31.000Z",
- "service.type": "barracuda",
- "source.ip": "10.17.87.79",
- "tags": [
- "barracuda.spamfirewall",
- "forwarded"
- ],
- "url.domain": "plic"
- },
- {
- "event.action": "FAILED_LOGIN",
- "event.code": "web",
- "event.dataset": "barracuda.spamfirewall",
- "event.module": "barracuda",
- "event.original": "web: [10.163.18.29] FAILED_LOGIN (nim)",
- "event.outcome": "failure",
- "fileset.name": "spamfirewall",
- "input.type": "log",
- "log.offset": 7111,
- "observer.product": "Spam",
- "observer.type": "Anti-Virus",
- "observer.vendor": "Barracuda",
- "related.ip": [
- "10.163.18.29"
- ],
- "related.user": [
- "nim"
- ],
- "rsa.internal.messageid": "web",
- "rsa.investigations.ec_activity": "Logon",
- "rsa.investigations.ec_outcome": "Failure",
- "rsa.investigations.ec_subject": "User",
- "rsa.investigations.ec_theme": "Authentication",
- "rsa.misc.action": [
- "FAILED_LOGIN"
- ],
- "service.type": "barracuda",
- "source.ip": "10.163.18.29",
- "tags": [
- "barracuda.spamfirewall",
- "forwarded"
- ],
- "user.name": "nim"
- },
- {
- "event.code": "web",
- "event.dataset": "barracuda.spamfirewall",
- "event.module": "barracuda",
- "event.original": "web: Retention violating accounts: erspi total",
- "fileset.name": "spamfirewall",
- "input.type": "log",
- "log.offset": 7150,
- "observer.product": "Spam",
- "observer.type": "Anti-Virus",
- "observer.vendor": "Barracuda",
- "rsa.internal.messageid": "web",
- "service.type": "barracuda",
- "tags": [
- "barracuda.spamfirewall",
- "forwarded"
- ]
- },
- {
- "event.code": "reports",
- "event.dataset": "barracuda.spamfirewall",
- "event.module": "barracuda",
- "event.original": "reports: REPORTS (billoi.exe) queued as moles",
- "fileset.name": "spamfirewall",
- "input.type": "log",
- "log.offset": 7197,
- "observer.product": "Spam",
- "observer.type": "Anti-Virus",
- "observer.vendor": "Barracuda",
- "process.name": "billoi.exe",
- "rsa.internal.event_desc": "report queued",
- "rsa.internal.messageid": "reports",
- "service.type": "barracuda",
- "tags": [
- "barracuda.spamfirewall",
- "forwarded"
- ]
- },
- {
- "event.action": "cancel",
- "event.code": "etconsec",
- "event.dataset": "barracuda.spamfirewall",
- "event.module": "barracuda",
- "event.original": "scan: taedi[10.17.98.243] etconsec 1563958728 1563958728 cancel ill mporinc onsectet idolo 8 55 docon SZ:mdolore SUBJ:eosquira",
- "fileset.name": "spamfirewall",
- "input.type": "log",
- "log.offset": 7243,
- "observer.product": "Spam",
- "observer.type": "Anti-Virus",
- "observer.vendor": "Barracuda",
- "related.hosts": [
- "taedi"
- ],
- "related.ip": [
- "10.17.98.243"
- ],
- "rsa.email.email_dst": "onsectet",
- "rsa.email.email_src": "mporinc",
- "rsa.email.subject": "eosquira",
- "rsa.internal.messageid": "scan",
- "rsa.investigations.event_cat": 1901000000,
- "rsa.investigations.event_cat_name": "Other.Default",
- "rsa.misc.action": [
- "cancel"
- ],
- "rsa.misc.disposition": "Encrypted Message",
- "rsa.misc.reference_id": "etconsec",
- "rsa.misc.result": "Invalid Parameter Syntax",
- "rsa.misc.result_code": "55",
- "rsa.time.endtime": "2019-07-24T08:58:48.000Z",
- "rsa.time.starttime": "2019-07-24T08:58:48.000Z",
- "service.type": "barracuda",
- "source.ip": "10.17.98.243",
- "tags": [
- "barracuda.spamfirewall",
- "forwarded"
- ],
- "url.domain": "taedi"
- },
- {
- "event.code": "reports",
- "event.dataset": "barracuda.spamfirewall",
- "event.module": "barracuda",
- "event.original": "reports: REPORTS (apariatu.exe) queued as lorsita",
- "fileset.name": "spamfirewall",
- "input.type": "log",
- "log.offset": 7370,
- "observer.product": "Spam",
- "observer.type": "Anti-Virus",
- "observer.vendor": "Barracuda",
- "process.name": "apariatu.exe",
- "rsa.internal.event_desc": "report queued",
- "rsa.internal.messageid": "reports",
- "service.type": "barracuda",
- "tags": [
- "barracuda.spamfirewall",
- "forwarded"
- ]
- },
- {
- "event.code": "reports",
- "event.dataset": "barracuda.spamfirewall",
- "event.module": "barracuda",
- "event.original": "reports: REPORTS (ever.exe) queued as tali",
- "fileset.name": "spamfirewall",
- "input.type": "log",
- "log.offset": 7420,
- "observer.product": "Spam",
- "observer.type": "Anti-Virus",
- "observer.vendor": "Barracuda",
- "process.name": "ever.exe",
- "rsa.internal.event_desc": "report queued",
- "rsa.internal.messageid": "reports",
- "service.type": "barracuda",
- "tags": [
- "barracuda.spamfirewall",
- "forwarded"
- ]
- },
- {
- "event.action": " RECV",
- "event.code": "onnu",
- "event.dataset": "barracuda.spamfirewall",
- "event.module": "barracuda",
- "event.original": "inbound/pass1[mipsumqu]: tatio[10.181.247.224] onnu 1567663591 1567663591 RECV olorema aquiof ende",
- "fileset.name": "spamfirewall",
- "input.type": "log",
- "log.offset": 7463,
- "network.direction": "inbound",
- "observer.product": "Spam",
- "observer.type": "Anti-Virus",
- "observer.vendor": "Barracuda",
- "related.ip": [
- "10.181.247.224"
- ],
- "related.user": [
- "tatio"
- ],
- "rsa.db.index": "ende",
- "rsa.email.email_dst": "aquiof",
- "rsa.email.email_src": "olorema",
- "rsa.internal.messageid": "inbound/pass1",
- "rsa.misc.action": [
- " RECV"
- ],
- "rsa.misc.reference_id": "onnu",
- "rsa.time.endtime": "2019-09-05T06:06:31.000Z",
- "rsa.time.starttime": "2019-09-05T06:06:31.000Z",
- "service.type": "barracuda",
- "source.ip": "10.181.247.224",
- "tags": [
- "barracuda.spamfirewall",
- "forwarded"
- ],
- "user.name": "tatio"
- },
- {
- "event.action": "deny",
- "event.code": "ventore",
- "event.dataset": "barracuda.spamfirewall",
- "event.module": "barracuda",
- "event.original": "scan[ugitse]: quiineav[10.235.116.121] ventore 1568898545 1568898545 deny obea emp agnaaliq est 0 73 aev SZ:inrepr SUBJ:mol",
- "fileset.name": "spamfirewall",
- "input.type": "log",
- "log.offset": 7562,
- "observer.product": "Spam",
- "observer.type": "Anti-Virus",
- "observer.vendor": "Barracuda",
- "related.ip": [
- "10.235.116.121"
- ],
- "related.user": [
- "quiineav"
- ],
- "rsa.email.email_dst": "agnaaliq",
- "rsa.email.email_src": "emp",
- "rsa.email.subject": "mol",
- "rsa.internal.messageid": "scan",
- "rsa.investigations.event_cat": 1901000000,
- "rsa.investigations.event_cat_name": "Other.Default",
- "rsa.misc.action": [
- "deny"
- ],
- "rsa.misc.disposition": "Allowed Message",
- "rsa.misc.reference_id": "ventore",
- "rsa.misc.result": "System Busy",
- "rsa.misc.result_code": "73",
- "rsa.time.endtime": "2019-09-19T13:09:05.000Z",
- "rsa.time.starttime": "2019-09-19T13:09:05.000Z",
- "service.type": "barracuda",
- "source.ip": "10.235.116.121",
- "tags": [
- "barracuda.spamfirewall",
- "forwarded"
- ],
- "user.name": "quiineav"
- },
- {
- "destination.ip": "10.1.6.115",
- "event.action": "allow",
- "event.code": "llit",
- "event.dataset": "barracuda.spamfirewall",
- "event.module": "barracuda",
- "event.original": "outbound/smtp: 10.178.30.158 llit tenimad sitametc allow onproide 2 cillumd riosa Ok: queued as tNe #to#10.1.6.115",
- "fileset.name": "spamfirewall",
- "input.type": "log",
- "log.offset": 7686,
- "network.direction": "outbound",
- "observer.product": "Spam",
- "observer.type": "Anti-Virus",
- "observer.vendor": "Barracuda",
- "related.ip": [
- "10.1.6.115",
- "10.178.30.158"
- ],
- "rsa.internal.messageid": "outbound/smtp",
- "rsa.investigations.event_cat": 1901000000,
- "rsa.investigations.event_cat_name": "Other.Default",
- "rsa.misc.action": [
- "allow"
- ],
- "rsa.misc.disposition": "Rejected Message",
- "rsa.misc.log_session_id": "cillumd",
- "rsa.misc.reference_id": "llit",
- "rsa.misc.result_code": "riosa",
- "service.type": "barracuda",
- "source.ip": "10.178.30.158",
- "tags": [
- "barracuda.spamfirewall",
- "forwarded"
- ]
- },
- {
- "event.action": "accept",
- "event.code": "notify/smtp",
- "event.dataset": "barracuda.spamfirewall",
- "event.module": "barracuda",
- "event.original": "notify/smtp[rautod]: 10.124.32.120 lapar ritati accept qui 3 mullam 4965 1.4254 meaque uid",
- "fileset.name": "spamfirewall",
- "input.type": "log",
- "log.offset": 7801,
- "network.bytes": 4965,
- "observer.product": "Spam",
- "observer.type": "Anti-Virus",
- "observer.vendor": "Barracuda",
- "observer.version": "1.4254",
- "related.ip": [
- "10.124.32.120"
- ],
- "rsa.db.index": "uid",
- "rsa.email.email_src": "meaque",
- "rsa.internal.messageid": "notify/smtp",
- "rsa.misc.action": [
- "accept"
- ],
- "rsa.misc.log_session_id": "mullam",
- "rsa.misc.version": "1.4254",
- "service.type": "barracuda",
- "source.ip": "10.124.32.120",
- "tags": [
- "barracuda.spamfirewall",
- "forwarded"
- ]
- },
- {
- "event.code": "reports",
- "event.dataset": "barracuda.spamfirewall",
- "event.module": "barracuda",
- "event.original": "reports: REPORTS (ataevita.exe) queued as oremqu",
- "fileset.name": "spamfirewall",
- "input.type": "log",
- "log.offset": 7892,
- "observer.product": "Spam",
- "observer.type": "Anti-Virus",
- "observer.vendor": "Barracuda",
- "process.name": "ataevita.exe",
- "rsa.internal.event_desc": "report queued",
- "rsa.internal.messageid": "reports",
- "service.type": "barracuda",
- "tags": [
- "barracuda.spamfirewall",
- "forwarded"
- ]
- },
- {
- "event.code": "reports",
- "event.dataset": "barracuda.spamfirewall",
- "event.module": "barracuda",
- "event.original": "reports: REPORTS (velitsed.exe) queued as magnaali",
- "fileset.name": "spamfirewall",
- "input.type": "log",
- "log.offset": 7941,
- "observer.product": "Spam",
- "observer.type": "Anti-Virus",
- "observer.vendor": "Barracuda",
- "process.name": "velitsed.exe",
- "rsa.internal.event_desc": "report queued",
- "rsa.internal.messageid": "reports",
- "service.type": "barracuda",
- "tags": [
- "barracuda.spamfirewall",
- "forwarded"
- ]
- },
- {
- "event.action": " SCAN",
- "event.code": "enbyCi",
- "event.dataset": "barracuda.spamfirewall",
- "event.module": "barracuda",
- "event.original": "inbound/pass1: der[10.77.182.191] enbyCi 1575073317 1575073317 SCAN quameiu diduntu eiusmod itation 8 79 piciatis2460.api.host iusmodt",
- "fileset.name": "spamfirewall",
- "input.type": "log",
- "log.offset": 7992,
- "network.direction": "inbound",
- "observer.product": "Spam",
- "observer.type": "Anti-Virus",
- "observer.vendor": "Barracuda",
- "related.hosts": [
- "der",
- "piciatis2460.api.host"
- ],
- "related.ip": [
- "10.77.182.191"
- ],
- "rsa.db.index": "iusmodt",
- "rsa.email.email_dst": "eiusmod",
- "rsa.email.email_src": "diduntu",
- "rsa.internal.messageid": "inbound/pass1",
- "rsa.investigations.event_cat": 1901000000,
- "rsa.investigations.event_cat_name": "Other.Default",
- "rsa.misc.action": [
- " SCAN"
- ],
- "rsa.misc.disposition": "Encrypted Message",
- "rsa.misc.reference_id": "enbyCi",
- "rsa.misc.result": "Attachment Content",
- "rsa.misc.result_code": "79",
- "rsa.network.domain": "piciatis2460.api.host",
- "rsa.time.endtime": "2019-11-30T00:21:57.000Z",
- "rsa.time.starttime": "2019-11-30T00:21:57.000Z",
- "server.domain": "piciatis2460.api.host",
- "server.registered_domain": "api.host",
- "server.subdomain": "piciatis2460",
- "server.top_level_domain": "host",
- "service.type": "barracuda",
- "source.ip": "10.77.182.191",
- "tags": [
- "barracuda.spamfirewall",
- "forwarded"
- ],
- "url.domain": "der"
- },
- {
- "event.action": "accept",
- "event.code": "tiumd",
- "event.dataset": "barracuda.spamfirewall",
- "event.module": "barracuda",
- "event.original": "scan: iame[10.193.110.71] tiumd 1576308271 1576308271 accept loinve tanimid isnostru nofdeFi 3 5 saqu remips",
- "fileset.name": "spamfirewall",
- "input.type": "log",
- "log.offset": 8127,
- "observer.product": "Spam",
- "observer.type": "Anti-Virus",
- "observer.vendor": "Barracuda",
- "related.hosts": [
- "iame"
- ],
- "related.ip": [
- "10.193.110.71"
- ],
- "rsa.db.index": "remips",
- "rsa.email.email_dst": "isnostru",
- "rsa.email.email_src": "tanimid",
- "rsa.internal.messageid": "scan",
- "rsa.investigations.event_cat": 1901000000,
- "rsa.investigations.event_cat_name": "Other.Default",
- "rsa.misc.action": [
- "accept"
- ],
- "rsa.misc.disposition": "Quarantined Message",
- "rsa.misc.reference_id": "tiumd",
- "rsa.misc.result": "Too Many Message In Session",
- "rsa.misc.result_code": "5",
- "rsa.time.endtime": "2019-12-14T07:24:31.000Z",
- "rsa.time.starttime": "2019-12-14T07:24:31.000Z",
- "service.type": "barracuda",
- "source.ip": "10.193.110.71",
- "tags": [
- "barracuda.spamfirewall",
- "forwarded"
- ],
- "url.domain": "iame"
- }
-]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/barracuda/waf/_meta/fields.yml b/x-pack/filebeat/module/barracuda/waf/_meta/fields.yml
deleted file mode 100644
index 08a34153c4f..00000000000
--- a/x-pack/filebeat/module/barracuda/waf/_meta/fields.yml
+++ /dev/null
@@ -1,2635 +0,0 @@
-- name: network.interface.name
- overwrite: true
- type: keyword
- description: >
- Name of the network interface where the traffic has been observed.
-- name: rsa
- overwrite: true
- type: group
- fields:
- - name: internal
- overwrite: true
- type: group
- fields:
- - name: msg
- overwrite: true
- type: keyword
- description: This key is used to capture the raw message that comes into the
- Log Decoder
- - name: messageid
- overwrite: true
- type: keyword
- - name: event_desc
- overwrite: true
- type: keyword
- - name: message
- overwrite: true
- type: keyword
- description: This key captures the contents of instant messages
- - name: time
- overwrite: true
- type: date
- description: This is the time at which a session hits a NetWitness Decoder.
- This key should never be used to parse Meta data from a session (Logs/Packets)
- Directly, this is a Reserved key in NetWitness.
- - name: level
- overwrite: true
- type: long
- description: Deprecated key defined only in table map.
- - name: msg_id
- overwrite: true
- type: keyword
- description: This is the Message ID1 value that identifies the exact log parser
- definition which parses a particular log session. This key should never be
- used to parse Meta data from a session (Logs/Packets) Directly, this is a
- Reserved key in NetWitness
- - name: msg_vid
- overwrite: true
- type: keyword
- description: This is the Message ID2 value that identifies the exact log parser
- definition which parses a particular log session. This key should never be
- used to parse Meta data from a session (Logs/Packets) Directly, this is a
- Reserved key in NetWitness
- - name: data
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_server
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_val
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: resource
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_id
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: statement
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: audit_class
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: entry
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: hcode
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: inode
- overwrite: true
- type: long
- description: Deprecated key defined only in table map.
- - name: resource_class
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: dead
- overwrite: true
- type: long
- description: Deprecated key defined only in table map.
- - name: feed_desc
- overwrite: true
- type: keyword
- description: This is used to capture the description of the feed. This key should
- never be used to parse Meta data from a session (Logs/Packets) Directly, this
- is a Reserved key in NetWitness
- - name: feed_name
- overwrite: true
- type: keyword
- description: This is used to capture the name of the feed. This key should never
- be used to parse Meta data from a session (Logs/Packets) Directly, this is
- a Reserved key in NetWitness
- - name: cid
- overwrite: true
- type: keyword
- description: This is the unique identifier used to identify a NetWitness Concentrator.
- This key should never be used to parse Meta data from a session (Logs/Packets)
- Directly, this is a Reserved key in NetWitness
- - name: device_class
- overwrite: true
- type: keyword
- description: This is the Classification of the Log Event Source under a predefined
- fixed set of Event Source Classifications. This key should never be used to
- parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
- key in NetWitness
- - name: device_group
- overwrite: true
- type: keyword
- description: This key should never be used to parse Meta data from a session
- (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: device_host
- overwrite: true
- type: keyword
- description: This is the Hostname of the log Event Source sending the logs to
- NetWitness. This key should never be used to parse Meta data from a session
- (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: device_ip
- overwrite: true
- type: ip
- description: This is the IPv4 address of the Log Event Source sending the logs
- to NetWitness. This key should never be used to parse Meta data from a session
- (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: device_ipv6
- overwrite: true
- type: ip
- description: This is the IPv6 address of the Log Event Source sending the logs
- to NetWitness. This key should never be used to parse Meta data from a session
- (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: device_type
- overwrite: true
- type: keyword
- description: This is the name of the log parser which parsed a given session.
- This key should never be used to parse Meta data from a session (Logs/Packets)
- Directly, this is a Reserved key in NetWitness
- - name: device_type_id
- overwrite: true
- type: long
- description: Deprecated key defined only in table map.
- - name: did
- overwrite: true
- type: keyword
- description: This is the unique identifier used to identify a NetWitness Decoder.
- This key should never be used to parse Meta data from a session (Logs/Packets)
- Directly, this is a Reserved key in NetWitness
- - name: entropy_req
- overwrite: true
- type: long
- description: This key is only used by the Entropy Parser, the Meta Type can
- be either UInt16 or Float32 based on the configuration
- - name: entropy_res
- overwrite: true
- type: long
- description: This key is only used by the Entropy Parser, the Meta Type can
- be either UInt16 or Float32 based on the configuration
- - name: event_name
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: feed_category
- overwrite: true
- type: keyword
- description: This is used to capture the category of the feed. This key should
- never be used to parse Meta data from a session (Logs/Packets) Directly, this
- is a Reserved key in NetWitness
- - name: forward_ip
- overwrite: true
- type: ip
- description: This key should be used to capture the IPV4 address of a relay
- system which forwarded the events from the original system to NetWitness.
- - name: forward_ipv6
- overwrite: true
- type: ip
- description: This key is used to capture the IPV6 address of a relay system
- which forwarded the events from the original system to NetWitness. This key
- should never be used to parse Meta data from a session (Logs/Packets) Directly,
- this is a Reserved key in NetWitness
- - name: header_id
- overwrite: true
- type: keyword
- description: This is the Header ID value that identifies the exact log parser
- header definition that parses a particular log session. This key should never
- be used to parse Meta data from a session (Logs/Packets) Directly, this is
- a Reserved key in NetWitness
- - name: lc_cid
- overwrite: true
- type: keyword
- description: This is a unique Identifier of a Log Collector. This key should
- never be used to parse Meta data from a session (Logs/Packets) Directly, this
- is a Reserved key in NetWitness
- - name: lc_ctime
- overwrite: true
- type: date
- description: This is the time at which a log is collected in a NetWitness Log
- Collector. This key should never be used to parse Meta data from a session
- (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: mcb_req
- overwrite: true
- type: long
- description: This key is only used by the Entropy Parser, the most common byte
- request is simply which byte for each side (0 thru 255) was seen the most
- - name: mcb_res
- overwrite: true
- type: long
- description: This key is only used by the Entropy Parser, the most common byte
- response is simply which byte for each side (0 thru 255) was seen the most
- - name: mcbc_req
- overwrite: true
- type: long
- description: This key is only used by the Entropy Parser, the most common byte
- count is the number of times the most common byte (above) was seen in the
- session streams
- - name: mcbc_res
- overwrite: true
- type: long
- description: This key is only used by the Entropy Parser, the most common byte
- count is the number of times the most common byte (above) was seen in the
- session streams
- - name: medium
- overwrite: true
- type: long
- description: "This key is used to identify if it\u2019s a log/packet session\
- \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
- \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
- \ 32 = log, 33 = correlation session, < 32 is packet session"
- - name: node_name
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: nwe_callback_id
- overwrite: true
- type: keyword
- description: This key denotes that event is endpoint related
- - name: parse_error
- overwrite: true
- type: keyword
- description: This is a special key that stores any Meta key validation error
- found while parsing a log session. This key should never be used to parse
- Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
- NetWitness
- - name: payload_req
- overwrite: true
- type: long
- description: This key is only used by the Entropy Parser, the payload size metrics
- are the payload sizes of each session side at the time of parsing. However,
- in order to keep
- - name: payload_res
- overwrite: true
- type: long
- description: This key is only used by the Entropy Parser, the payload size metrics
- are the payload sizes of each session side at the time of parsing. However,
- in order to keep
- - name: process_vid_dst
- overwrite: true
- type: keyword
- description: Endpoint generates and uses a unique virtual ID to identify any
- similar group of process. This ID represents the target process.
- - name: process_vid_src
- overwrite: true
- type: keyword
- description: Endpoint generates and uses a unique virtual ID to identify any
- similar group of process. This ID represents the source process.
- - name: rid
- overwrite: true
- type: long
- description: This is a special ID of the Remote Session created by NetWitness
- Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
- Directly, this is a Reserved key in NetWitness
- - name: session_split
- overwrite: true
- type: keyword
- description: This key should never be used to parse Meta data from a session
- (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: site
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: size
- overwrite: true
- type: long
- description: This is the size of the session as seen by the NetWitness Decoder.
- This key should never be used to parse Meta data from a session (Logs/Packets)
- Directly, this is a Reserved key in NetWitness
- - name: sourcefile
- overwrite: true
- type: keyword
- description: This is the name of the log file or PCAPs that can be imported
- into NetWitness. This key should never be used to parse Meta data from a session
- (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: ubc_req
- overwrite: true
- type: long
- description: This key is only used by the Entropy Parser, Unique byte count
- is the number of unique bytes seen in each stream. 256 would mean all byte
- values of 0 thru 255 were seen at least once
- - name: ubc_res
- overwrite: true
- type: long
- description: This key is only used by the Entropy Parser, Unique byte count
- is the number of unique bytes seen in each stream. 256 would mean all byte
- values of 0 thru 255 were seen at least once
- - name: word
- overwrite: true
- type: keyword
- description: This is used by the Word Parsing technology to capture the first
- 5 character of every word in an unparsed log
- - name: time
- overwrite: true
- type: group
- fields:
- - name: event_time
- overwrite: true
- type: date
- description: This key is used to capture the time mentioned in a raw session
- that represents the actual time an event occured in a standard normalized
- form
- - name: duration_time
- overwrite: true
- type: double
- description: This key is used to capture the normalized duration/lifetime in
- seconds.
- - name: event_time_str - overwrite: true - type: keyword - description: This key is used to capture the incomplete time mentioned in a - session as a string - - name: starttime - overwrite: true - type: date - description: This key is used to capture the Start time mentioned in a session - in a standard form - - name: month - overwrite: true - type: keyword - - name: day - overwrite: true - type: keyword - - name: endtime - overwrite: true - type: date - description: This key is used to capture the End time mentioned in a session - in a standard form - - name: timezone - overwrite: true - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - overwrite: true - type: keyword - description: A text string version of the duration - - name: date - overwrite: true - type: keyword - - name: year - overwrite: true - type: keyword - - name: recorded_time - overwrite: true - type: date - description: The event time as recorded by the system the event is collected - from. The usage scenario is a multi-tier application where the management - layer of the system records it's own timestamp at the time of collection from - its child nodes. Must be in timestamp format. - - name: datetime - overwrite: true - type: keyword - - name: effective_time - overwrite: true - type: date - description: This key is the effective time referenced by an individual event - in a Standard Timestamp format - - name: expire_time - overwrite: true - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - overwrite: true - type: keyword - description: Deprecated, use duration.time - - name: hour - overwrite: true - type: keyword - - name: min - overwrite: true - type: keyword - - name: timestamp - overwrite: true - type: keyword - - name: event_queue_time - overwrite: true - type: date - description: This key is the Time that the event was queued. 
- - name: p_time1 - overwrite: true - type: keyword - - name: tzone - overwrite: true - type: keyword - - name: eventtime - overwrite: true - type: keyword - - name: gmtdate - overwrite: true - type: keyword - - name: gmttime - overwrite: true - type: keyword - - name: p_date - overwrite: true - type: keyword - - name: p_month - overwrite: true - type: keyword - - name: p_time - overwrite: true - type: keyword - - name: p_time2 - overwrite: true - type: keyword - - name: p_year - overwrite: true - type: keyword - - name: expire_time_str - overwrite: true - type: keyword - description: This key is used to capture incomplete timestamp that explicitly - refers to an expiration. - - name: stamp - overwrite: true - type: date - description: Deprecated key defined only in table map. - - name: misc - overwrite: true - type: group - fields: - - name: action - overwrite: true - type: keyword - - name: result - overwrite: true - type: keyword - description: This key is used to capture the outcome/result string value of - an action in a session. - - name: severity - overwrite: true - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - overwrite: true - type: keyword - description: This key captures the event category type as specified by the event - source. - - name: reference_id - overwrite: true - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - overwrite: true - type: keyword - description: This key captures Version of the application or OS which is generating - the event. - - name: disposition - overwrite: true - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - overwrite: true - type: keyword - description: This key is used to capture the outcome/result numeric value of - an action in a session - - name: category - overwrite: true - type: keyword - description: This key is used to capture the category of an event given by the - vendor in the session - - name: obj_name - overwrite: true - type: keyword - description: This is used to capture name of object - - name: obj_type - overwrite: true - type: keyword - description: This is used to capture type of object - - name: event_source - overwrite: true - type: keyword - description: "This key captures Source of the event that\u2019s not a hostname" - - name: log_session_id - overwrite: true - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - overwrite: true - type: keyword - description: This key captures the Group Name value - - name: policy_name - overwrite: true - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - overwrite: true - type: keyword - description: This key captures the Rule Name - - name: context - overwrite: true - type: keyword - description: This key captures Information which adds additional context to - the event. - - name: change_new - overwrite: true - type: keyword - description: "This key is used to capture the new values of the attribute that\u2019\ - s changing in a session" - - name: space - overwrite: true - type: keyword - - name: client - overwrite: true - type: keyword - description: This key is used to capture only the name of the client application - requesting resources of the server. See the user.agent meta key for capture - of the specific user agent identifier or browser identification string. 
- - name: msgIdPart1 - overwrite: true - type: keyword - - name: msgIdPart2 - overwrite: true - type: keyword - - name: change_old - overwrite: true - type: keyword - description: "This key is used to capture the old value of the attribute that\u2019\ - s changing in a session" - - name: operation_id - overwrite: true - type: keyword - description: An alert number or operation number. The values should be unique - and non-repeating. - - name: event_state - overwrite: true - type: keyword - description: This key captures the current state of the object/item referenced - within the event. Describing an on-going event. - - name: group_object - overwrite: true - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - overwrite: true - type: keyword - description: Common use case is the node name within a cluster. The cluster - name is reflected by the host name. - - name: rule - overwrite: true - type: keyword - description: This key captures the Rule number - - name: device_name - overwrite: true - type: keyword - description: 'This is used to capture name of the Device associated with the - node Like: a physical disk, printer, etc' - - name: param - overwrite: true - type: keyword - description: This key is the parameters passed as part of a command or application, - etc. - - name: change_attrib - overwrite: true - type: keyword - description: "This key is used to capture the name of the attribute that\u2019\ - s changing in a session" - - name: event_computer - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - fully qualified domain name in a windows log. 
- - name: reference_id1 - overwrite: true - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - overwrite: true - type: keyword - description: This key captures the Name of the event log - - name: OS - overwrite: true - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - overwrite: true - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - overwrite: true - type: keyword - - name: filter - overwrite: true - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - overwrite: true - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the entity - such as a file or process. Checksum should be used over checksum.src or checksum.dst - when it is unclear whether the entity is a source or target of an action. - - name: event_user - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - combination of domain name and username in a windows log. - - name: virusname - overwrite: true - type: keyword - description: This key captures the name of the virus - - name: content_type - overwrite: true - type: keyword - description: This key is used to capture Content Type only. 
- - name: group_id - overwrite: true - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - overwrite: true - type: keyword - description: This key is used to capture the Policy ID only, this should be - a numeric value, use policy.name otherwise - - name: vsys - overwrite: true - type: keyword - description: This key captures Virtual System Name - - name: connection_id - overwrite: true - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - overwrite: true - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" - or "reference.id1" value but should not be used unless the other two variables - are in play. - - name: sensor - overwrite: true - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS - based devices - - name: sig_id - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - overwrite: true - type: keyword - description: 'This key is used for Physical or logical port connection but does - NOT include a network port. (Example: Printer port name).' - - name: rule_group - overwrite: true - type: keyword - description: This key captures the Rule group name - - name: risk_num - overwrite: true - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - overwrite: true - type: keyword - description: This key captures the Value of the trigger or threshold condition. - - name: log_session_id1 - overwrite: true - type: keyword - description: This key is used to capture a Linked (Related) Session ID from - the session directly - - name: comp_version - overwrite: true - type: keyword - description: This key captures the Version level of a sub-component of a product. 
- - name: content_version - overwrite: true - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - overwrite: true - type: keyword - description: This key is used to capture unique identifier for a device or system - (NOT a Mac address) - - name: risk - overwrite: true - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - overwrite: true - type: keyword - - name: reason - overwrite: true - type: keyword - - name: status - overwrite: true - type: keyword - - name: mail_id - overwrite: true - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - overwrite: true - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - overwrite: true - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - overwrite: true - type: keyword - - name: p_msgid - overwrite: true - type: keyword - - name: data_type - overwrite: true - type: keyword - - name: msgIdPart4 - overwrite: true - type: keyword - - name: error - overwrite: true - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - overwrite: true - type: keyword - - name: listnum - overwrite: true - type: keyword - description: This key is used to capture listname or listnumber, primarily for - collecting access-list - - name: ntype - overwrite: true - type: keyword - - name: observed_val - overwrite: true - type: keyword - description: This key captures the Value observed (from the perspective of the - device generating the log). - - name: policy_value - overwrite: true - type: keyword - description: This key captures the contents of the policy. 
This contains details - about the policy - - name: pool_name - overwrite: true - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - overwrite: true - type: keyword - description: A default set of parameters which are overlayed onto a rule (or - rulename) which efffectively constitutes a template - - name: count - overwrite: true - type: keyword - - name: number - overwrite: true - type: keyword - - name: sigcat - overwrite: true - type: keyword - - name: type - overwrite: true - type: keyword - - name: comments - overwrite: true - type: keyword - description: Comment information provided in the log message - - name: doc_number - overwrite: true - type: long - description: This key captures File Identification number - - name: expected_val - overwrite: true - type: keyword - description: This key captures the Value expected (from the perspective of the - device generating the log). - - name: job_num - overwrite: true - type: keyword - description: This key captures the Job Number - - name: spi_dst - overwrite: true - type: keyword - description: Destination SPI Index - - name: spi_src - overwrite: true - type: keyword - description: Source SPI Index - - name: code - overwrite: true - type: keyword - - name: agent_id - overwrite: true - type: keyword - description: This key is used to capture agent id - - name: message_body - overwrite: true - type: keyword - description: This key captures the The contents of the message body. - - name: phone - overwrite: true - type: keyword - - name: sig_id_str - overwrite: true - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - overwrite: true - type: keyword - - name: misc - overwrite: true - type: keyword - - name: name - overwrite: true - type: keyword - - name: cpu - overwrite: true - type: long - description: This key is the CPU time used in the execution of the event being - recorded. 
- - name: event_desc - overwrite: true - type: keyword - description: This key is used to capture a description of an event available - directly or inferred - - name: sig_id1 - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID. This must be linked - to the sig.id - - name: im_buddyid - overwrite: true - type: keyword - - name: im_client - overwrite: true - type: keyword - - name: im_userid - overwrite: true - type: keyword - - name: pid - overwrite: true - type: keyword - - name: priority - overwrite: true - type: keyword - - name: context_subject - overwrite: true - type: keyword - description: This key is to be used in an audit context where the subject is - the object being identified - - name: context_target - overwrite: true - type: keyword - - name: cve - overwrite: true - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - - an identifier for known information security vulnerabilities. - - name: fcatnum - overwrite: true - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - overwrite: true - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - overwrite: true - type: keyword - description: This key captures the Parent Node Name. Must be related to node - variable. - - name: risk_info - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - overwrite: true - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - overwrite: true - type: long - description: This key describes the type of service - - name: vm_target - overwrite: true - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - overwrite: true - type: keyword - description: This key captures Workspace Description - - name: command - overwrite: true - type: keyword - - name: event_category - overwrite: true - type: keyword - - name: facilityname - overwrite: true - type: keyword - - name: forensic_info - overwrite: true - type: keyword - - name: jobname - overwrite: true - type: keyword - - name: mode - overwrite: true - type: keyword - - name: policy - overwrite: true - type: keyword - - name: policy_waiver - overwrite: true - type: keyword - - name: second - overwrite: true - type: keyword - - name: space1 - overwrite: true - type: keyword - - name: subcategory - overwrite: true - type: keyword - - name: tbdstr2 - overwrite: true - type: keyword - - name: alert_id - overwrite: true - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the the target - entity such as a process or file. - - name: checksum_src - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the source - entity such as a file or process. 
- - name: fresult - overwrite: true - type: long - description: This key captures the Filter Result - - name: payload_dst - overwrite: true - type: keyword - description: This key is used to capture destination payload - - name: payload_src - overwrite: true - type: keyword - description: This key is used to capture source payload - - name: pool_id - overwrite: true - type: keyword - description: This key captures the identifier (typically numeric field) of a - resource pool - - name: process_id_val - overwrite: true - type: keyword - description: This key is a failure key for Process ID when it is not an integer - value - - name: risk_num_comm - overwrite: true - type: double - description: This key captures Risk Number Community - - name: risk_num_next - overwrite: true - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - overwrite: true - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - overwrite: true - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - overwrite: true - type: keyword - description: SNMP Object Identifier - - name: sql - overwrite: true - type: keyword - description: This key captures the SQL query - - name: vuln_ref - overwrite: true - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - overwrite: true - type: keyword - - name: acl_op - overwrite: true - type: keyword - - name: acl_pos - overwrite: true - type: keyword - - name: acl_table - overwrite: true - type: keyword - - name: admin - overwrite: true - type: keyword - - name: alarm_id - overwrite: true - type: keyword - - name: alarmname - 
overwrite: true - type: keyword - - name: app_id - overwrite: true - type: keyword - - name: audit - overwrite: true - type: keyword - - name: audit_object - overwrite: true - type: keyword - - name: auditdata - overwrite: true - type: keyword - - name: benchmark - overwrite: true - type: keyword - - name: bypass - overwrite: true - type: keyword - - name: cache - overwrite: true - type: keyword - - name: cache_hit - overwrite: true - type: keyword - - name: cefversion - overwrite: true - type: keyword - - name: cfg_attr - overwrite: true - type: keyword - - name: cfg_obj - overwrite: true - type: keyword - - name: cfg_path - overwrite: true - type: keyword - - name: changes - overwrite: true - type: keyword - - name: client_ip - overwrite: true - type: keyword - - name: clustermembers - overwrite: true - type: keyword - - name: cn_acttimeout - overwrite: true - type: keyword - - name: cn_asn_src - overwrite: true - type: keyword - - name: cn_bgpv4nxthop - overwrite: true - type: keyword - - name: cn_ctr_dst_code - overwrite: true - type: keyword - - name: cn_dst_tos - overwrite: true - type: keyword - - name: cn_dst_vlan - overwrite: true - type: keyword - - name: cn_engine_id - overwrite: true - type: keyword - - name: cn_engine_type - overwrite: true - type: keyword - - name: cn_f_switch - overwrite: true - type: keyword - - name: cn_flowsampid - overwrite: true - type: keyword - - name: cn_flowsampintv - overwrite: true - type: keyword - - name: cn_flowsampmode - overwrite: true - type: keyword - - name: cn_inacttimeout - overwrite: true - type: keyword - - name: cn_inpermbyts - overwrite: true - type: keyword - - name: cn_inpermpckts - overwrite: true - type: keyword - - name: cn_invalid - overwrite: true - type: keyword - - name: cn_ip_proto_ver - overwrite: true - type: keyword - - name: cn_ipv4_ident - overwrite: true - type: keyword - - name: cn_l_switch - overwrite: true - type: keyword - - name: cn_log_did - overwrite: true - type: keyword - - name: 
cn_log_rid - overwrite: true - type: keyword - - name: cn_max_ttl - overwrite: true - type: keyword - - name: cn_maxpcktlen - overwrite: true - type: keyword - - name: cn_min_ttl - overwrite: true - type: keyword - - name: cn_minpcktlen - overwrite: true - type: keyword - - name: cn_mpls_lbl_1 - overwrite: true - type: keyword - - name: cn_mpls_lbl_10 - overwrite: true - type: keyword - - name: cn_mpls_lbl_2 - overwrite: true - type: keyword - - name: cn_mpls_lbl_3 - overwrite: true - type: keyword - - name: cn_mpls_lbl_4 - overwrite: true - type: keyword - - name: cn_mpls_lbl_5 - overwrite: true - type: keyword - - name: cn_mpls_lbl_6 - overwrite: true - type: keyword - - name: cn_mpls_lbl_7 - overwrite: true - type: keyword - - name: cn_mpls_lbl_8 - overwrite: true - type: keyword - - name: cn_mpls_lbl_9 - overwrite: true - type: keyword - - name: cn_mplstoplabel - overwrite: true - type: keyword - - name: cn_mplstoplabip - overwrite: true - type: keyword - - name: cn_mul_dst_byt - overwrite: true - type: keyword - - name: cn_mul_dst_pks - overwrite: true - type: keyword - - name: cn_muligmptype - overwrite: true - type: keyword - - name: cn_sampalgo - overwrite: true - type: keyword - - name: cn_sampint - overwrite: true - type: keyword - - name: cn_seqctr - overwrite: true - type: keyword - - name: cn_spackets - overwrite: true - type: keyword - - name: cn_src_tos - overwrite: true - type: keyword - - name: cn_src_vlan - overwrite: true - type: keyword - - name: cn_sysuptime - overwrite: true - type: keyword - - name: cn_template_id - overwrite: true - type: keyword - - name: cn_totbytsexp - overwrite: true - type: keyword - - name: cn_totflowexp - overwrite: true - type: keyword - - name: cn_totpcktsexp - overwrite: true - type: keyword - - name: cn_unixnanosecs - overwrite: true - type: keyword - - name: cn_v6flowlabel - overwrite: true - type: keyword - - name: cn_v6optheaders - overwrite: true - type: keyword - - name: comp_class - overwrite: true - type: 
keyword - - name: comp_name - overwrite: true - type: keyword - - name: comp_rbytes - overwrite: true - type: keyword - - name: comp_sbytes - overwrite: true - type: keyword - - name: cpu_data - overwrite: true - type: keyword - - name: criticality - overwrite: true - type: keyword - - name: cs_agency_dst - overwrite: true - type: keyword - - name: cs_analyzedby - overwrite: true - type: keyword - - name: cs_av_other - overwrite: true - type: keyword - - name: cs_av_primary - overwrite: true - type: keyword - - name: cs_av_secondary - overwrite: true - type: keyword - - name: cs_bgpv6nxthop - overwrite: true - type: keyword - - name: cs_bit9status - overwrite: true - type: keyword - - name: cs_context - overwrite: true - type: keyword - - name: cs_control - overwrite: true - type: keyword - - name: cs_data - overwrite: true - type: keyword - - name: cs_datecret - overwrite: true - type: keyword - - name: cs_dst_tld - overwrite: true - type: keyword - - name: cs_eth_dst_ven - overwrite: true - type: keyword - - name: cs_eth_src_ven - overwrite: true - type: keyword - - name: cs_event_uuid - overwrite: true - type: keyword - - name: cs_filetype - overwrite: true - type: keyword - - name: cs_fld - overwrite: true - type: keyword - - name: cs_if_desc - overwrite: true - type: keyword - - name: cs_if_name - overwrite: true - type: keyword - - name: cs_ip_next_hop - overwrite: true - type: keyword - - name: cs_ipv4dstpre - overwrite: true - type: keyword - - name: cs_ipv4srcpre - overwrite: true - type: keyword - - name: cs_lifetime - overwrite: true - type: keyword - - name: cs_log_medium - overwrite: true - type: keyword - - name: cs_loginname - overwrite: true - type: keyword - - name: cs_modulescore - overwrite: true - type: keyword - - name: cs_modulesign - overwrite: true - type: keyword - - name: cs_opswatresult - overwrite: true - type: keyword - - name: cs_payload - overwrite: true - type: keyword - - name: cs_registrant - overwrite: true - type: keyword - - 
name: cs_registrar - overwrite: true - type: keyword - - name: cs_represult - overwrite: true - type: keyword - - name: cs_rpayload - overwrite: true - type: keyword - - name: cs_sampler_name - overwrite: true - type: keyword - - name: cs_sourcemodule - overwrite: true - type: keyword - - name: cs_streams - overwrite: true - type: keyword - - name: cs_targetmodule - overwrite: true - type: keyword - - name: cs_v6nxthop - overwrite: true - type: keyword - - name: cs_whois_server - overwrite: true - type: keyword - - name: cs_yararesult - overwrite: true - type: keyword - - name: description - overwrite: true - type: keyword - - name: devvendor - overwrite: true - type: keyword - - name: distance - overwrite: true - type: keyword - - name: dstburb - overwrite: true - type: keyword - - name: edomain - overwrite: true - type: keyword - - name: edomaub - overwrite: true - type: keyword - - name: euid - overwrite: true - type: keyword - - name: facility - overwrite: true - type: keyword - - name: finterface - overwrite: true - type: keyword - - name: flags - overwrite: true - type: keyword - - name: gaddr - overwrite: true - type: keyword - - name: id3 - overwrite: true - type: keyword - - name: im_buddyname - overwrite: true - type: keyword - - name: im_croomid - overwrite: true - type: keyword - - name: im_croomtype - overwrite: true - type: keyword - - name: im_members - overwrite: true - type: keyword - - name: im_username - overwrite: true - type: keyword - - name: ipkt - overwrite: true - type: keyword - - name: ipscat - overwrite: true - type: keyword - - name: ipspri - overwrite: true - type: keyword - - name: latitude - overwrite: true - type: keyword - - name: linenum - overwrite: true - type: keyword - - name: list_name - overwrite: true - type: keyword - - name: load_data - overwrite: true - type: keyword - - name: location_floor - overwrite: true - type: keyword - - name: location_mark - overwrite: true - type: keyword - - name: log_id - overwrite: true - 
type: keyword - - name: log_type - overwrite: true - type: keyword - - name: logid - overwrite: true - type: keyword - - name: logip - overwrite: true - type: keyword - - name: logname - overwrite: true - type: keyword - - name: longitude - overwrite: true - type: keyword - - name: lport - overwrite: true - type: keyword - - name: mbug_data - overwrite: true - type: keyword - - name: misc_name - overwrite: true - type: keyword - - name: msg_type - overwrite: true - type: keyword - - name: msgid - overwrite: true - type: keyword - - name: netsessid - overwrite: true - type: keyword - - name: num - overwrite: true - type: keyword - - name: number1 - overwrite: true - type: keyword - - name: number2 - overwrite: true - type: keyword - - name: nwwn - overwrite: true - type: keyword - - name: object - overwrite: true - type: keyword - - name: operation - overwrite: true - type: keyword - - name: opkt - overwrite: true - type: keyword - - name: orig_from - overwrite: true - type: keyword - - name: owner_id - overwrite: true - type: keyword - - name: p_action - overwrite: true - type: keyword - - name: p_filter - overwrite: true - type: keyword - - name: p_group_object - overwrite: true - type: keyword - - name: p_id - overwrite: true - type: keyword - - name: p_msgid1 - overwrite: true - type: keyword - - name: p_msgid2 - overwrite: true - type: keyword - - name: p_result1 - overwrite: true - type: keyword - - name: password_chg - overwrite: true - type: keyword - - name: password_expire - overwrite: true - type: keyword - - name: permgranted - overwrite: true - type: keyword - - name: permwanted - overwrite: true - type: keyword - - name: pgid - overwrite: true - type: keyword - - name: policyUUID - overwrite: true - type: keyword - - name: prog_asp_num - overwrite: true - type: keyword - - name: program - overwrite: true - type: keyword - - name: real_data - overwrite: true - type: keyword - - name: rec_asp_device - overwrite: true - type: keyword - - name: rec_asp_num 
- overwrite: true - type: keyword - - name: rec_library - overwrite: true - type: keyword - - name: recordnum - overwrite: true - type: keyword - - name: ruid - overwrite: true - type: keyword - - name: sburb - overwrite: true - type: keyword - - name: sdomain_fld - overwrite: true - type: keyword - - name: sec - overwrite: true - type: keyword - - name: sensorname - overwrite: true - type: keyword - - name: seqnum - overwrite: true - type: keyword - - name: session - overwrite: true - type: keyword - - name: sessiontype - overwrite: true - type: keyword - - name: sigUUID - overwrite: true - type: keyword - - name: spi - overwrite: true - type: keyword - - name: srcburb - overwrite: true - type: keyword - - name: srcdom - overwrite: true - type: keyword - - name: srcservice - overwrite: true - type: keyword - - name: state - overwrite: true - type: keyword - - name: status1 - overwrite: true - type: keyword - - name: svcno - overwrite: true - type: keyword - - name: system - overwrite: true - type: keyword - - name: tbdstr1 - overwrite: true - type: keyword - - name: tgtdom - overwrite: true - type: keyword - - name: tgtdomain - overwrite: true - type: keyword - - name: threshold - overwrite: true - type: keyword - - name: type1 - overwrite: true - type: keyword - - name: udb_class - overwrite: true - type: keyword - - name: url_fld - overwrite: true - type: keyword - - name: user_div - overwrite: true - type: keyword - - name: userid - overwrite: true - type: keyword - - name: username_fld - overwrite: true - type: keyword - - name: utcstamp - overwrite: true - type: keyword - - name: v_instafname - overwrite: true - type: keyword - - name: virt_data - overwrite: true - type: keyword - - name: vpnid - overwrite: true - type: keyword - - name: autorun_type - overwrite: true - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - overwrite: true - type: long - description: Valid Credit Card Numbers only - - name: content - 
overwrite: true - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - overwrite: true - type: long - description: Employee Identification Numbers only - - name: found - overwrite: true - type: keyword - description: This is used to capture the results of regex match - - name: language - overwrite: true - type: keyword - description: This is used to capture list of languages the client support and - what it prefers - - name: lifetime - overwrite: true - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - overwrite: true - type: keyword - description: This key is used to link the sessions together. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: match - overwrite: true - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - overwrite: true - type: keyword - description: This key captures the command line/launch argument of the target - process or file - - name: param_src - overwrite: true - type: keyword - description: This key captures source parameter - - name: search_text - overwrite: true - type: keyword - description: This key captures the Search Text used - - name: sig_name - overwrite: true - type: keyword - description: This key is used to capture the Signature Name only. - - name: snmp_value - overwrite: true - type: keyword - description: SNMP set request value - - name: streams - overwrite: true - type: long - description: This key captures number of streams in session - - name: db - overwrite: true - type: group - fields: - - name: index - overwrite: true - type: keyword - description: This key captures IndexID of the index. 
- - name: instance - overwrite: true - type: keyword - description: This key is used to capture the database server instance name - - name: database - overwrite: true - type: keyword - description: This key is used to capture the name of a database or an instance - as seen in a session - - name: transact_id - overwrite: true - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - overwrite: true - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - overwrite: true - type: keyword - description: This key is used to capture the table name - - name: db_id - overwrite: true - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - overwrite: true - type: long - description: This key captures the process id of a connection with database - server - - name: lread - overwrite: true - type: long - description: This key is used for the number of logical reads - - name: lwrite - overwrite: true - type: long - description: This key is used for the number of logical writes - - name: pread - overwrite: true - type: long - description: This key is used for the number of physical writes - - name: network - overwrite: true - type: group - fields: - - name: alias_host - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a hostname is not clear.Also it captures the Device Hostname. Any Hostname - that isnt ad.computer. 
- - name: domain - overwrite: true - type: keyword - - name: host_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Hostname" - - name: network_service - overwrite: true - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of an interface is not clear - - name: network_port - overwrite: true - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently - used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - overwrite: true - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Interface" - - name: dinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Interface" - - name: vlan - overwrite: true - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Zone." - - name: zone - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a Zone is not clear - - name: zone_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Zone." - - name: gateway - overwrite: true - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - overwrite: true - type: long - description: This key is used to capture the ICMP type only - - name: mask - overwrite: true - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - overwrite: true - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - overwrite: true - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - overwrite: true - type: keyword - description: This key is used for Destionation Device network mask - - name: port - overwrite: true - type: long - description: This key should only be used to capture a Network Port when the - directionality is not clear - - name: smask - overwrite: true - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - overwrite: true - type: keyword - description: This key is used to capture the network name associated with an - IP range. This is configured by the end user. - - name: paddr - overwrite: true - type: ip - description: Deprecated - - name: faddr - overwrite: true - type: keyword - - name: lhost - overwrite: true - type: keyword - - name: origin - overwrite: true - type: keyword - - name: remote_domain_id - overwrite: true - type: keyword - - name: addr - overwrite: true - type: keyword - - name: dns_a_record - overwrite: true - type: keyword - - name: dns_ptr_record - overwrite: true - type: keyword - - name: fhost - overwrite: true - type: keyword - - name: fport - overwrite: true - type: keyword - - name: laddr - overwrite: true - type: keyword - - name: linterface - overwrite: true - type: keyword - - name: phost - overwrite: true - type: keyword - - name: ad_computer_dst - overwrite: true - type: keyword - description: Deprecated, use host.dst - - name: eth_type - overwrite: true - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols - Only - - name: ip_proto - overwrite: true - type: long - description: This key should be used to capture the Protocol number, all the - protocol nubers are converted into string in UI - - name: dns_cname_record - overwrite: true - 
type: keyword - - name: dns_id - overwrite: true - type: keyword - - name: dns_opcode - overwrite: true - type: keyword - - name: dns_resp - overwrite: true - type: keyword - - name: dns_type - overwrite: true - type: keyword - - name: domain1 - overwrite: true - type: keyword - - name: host_type - overwrite: true - type: keyword - - name: packet_length - overwrite: true - type: keyword - - name: host_orig - overwrite: true - type: keyword - description: This is used to capture the original hostname in case of a Forwarding - Agent or a Proxy in between. - - name: rpayload - overwrite: true - type: keyword - description: This key is used to capture the total number of payload bytes seen - in the retransmitted packets. - - name: vlan_name - overwrite: true - type: keyword - description: This key should only be used to capture the name of the Virtual - LAN - - name: investigations - overwrite: true - type: group - fields: - - name: ec_activity - overwrite: true - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - overwrite: true - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - overwrite: true - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - overwrite: true - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - overwrite: true - type: long - description: This key captures the Event category number - - name: event_cat_name - overwrite: true - type: keyword - description: This key captures the event category name corresponding to the - event cat code - - name: event_vcat - overwrite: true - type: keyword - description: This is a vendor supplied category. This should be used in situations - where the vendor has adopted their own event_category taxonomy. 
- - name: analysis_file - overwrite: true - type: keyword - description: This is used to capture all indicators used in a File Analysis. - This key should be used to capture an analysis of a file - - name: analysis_service - overwrite: true - type: keyword - description: This is used to capture all indicators used in a Service Analysis. - This key should be used to capture an analysis of a service - - name: analysis_session - overwrite: true - type: keyword - description: This is used to capture all indicators used for a Session Analysis. - This key should be used to capture an analysis of a session - - name: boc - overwrite: true - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - overwrite: true - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - overwrite: true - type: keyword - description: This used to capture investigation category - - name: inv_context - overwrite: true - type: keyword - description: This used to capture investigation context - - name: ioc - overwrite: true - type: keyword - description: This is key capture indicator of compromise - - name: counters - overwrite: true - type: group - fields: - - name: dclass_c1 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c1.str only - - name: dclass_c2 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c2.str only - - name: event_counter - overwrite: true - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r1.str only - - name: dclass_c3 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c3.str only - - name: dclass_c1_str - 
overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c1 only - - name: dclass_c2_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c2 only - - name: dclass_r1_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r1 only - - name: dclass_r2 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r2.str only - - name: dclass_c3_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c3 only - - name: dclass_r3 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r3.str only - - name: dclass_r2_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r2 only - - name: dclass_r3_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r3 only - - name: identity - overwrite: true - type: group - fields: - - name: auth_method - overwrite: true - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - overwrite: true - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - overwrite: true - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - overwrite: true - type: keyword - description: This key is used to capture the type of logon method used. 
- - name: profile - overwrite: true - type: keyword - description: This key is used to capture the user profile - - name: accesses - overwrite: true - type: keyword - description: This key is used to capture actual privileges used in accessing - an object - - name: realm - overwrite: true - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - overwrite: true - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that - indicates a Source dn - - name: org - overwrite: true - type: keyword - description: This key captures the User organization - - name: dn_dst - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that - indicates a Destination dn - - name: firstname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: lastname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: user_dept - overwrite: true - type: keyword - description: User's Department Names only - - name: user_sid_src - overwrite: true - type: keyword - description: This key captures Source User Session ID - - name: federated_sp - overwrite: true - type: keyword - description: This key is the Federated Service Provider. This is the application - requesting authentication. - - name: federated_idp - overwrite: true - type: keyword - description: This key is the federated Identity Provider. This is the server - providing the authentication. - - name: logon_type_desc - overwrite: true - type: keyword - description: This key is used to capture the textual description of an integer - logon type as stored in the meta key 'logon.type'. 
- - name: middlename - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: password - overwrite: true - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - overwrite: true - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - overwrite: true - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ - t have a clear query or response context" - - name: ldap_query - overwrite: true - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - overwrite: true - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - overwrite: true - type: keyword - description: This is used to capture username the process or service is running - as, the author of the task - - name: service_account - overwrite: true - type: keyword - description: This key is a windows specific key, used for capturing name of - the account a service (referenced in the event) is running under. Legacy Usage - - name: email - overwrite: true - type: group - fields: - - name: email_dst - overwrite: true - type: keyword - description: This key is used to capture the Destination email address only, - when the destination context is not clear use email - - name: email_src - overwrite: true - type: keyword - description: This key is used to capture the source email address only, when - the source context is not clear use email - - name: subject - overwrite: true - type: keyword - description: This key is used to capture the subject string from an Email only. 
- - name: email - overwrite: true - type: keyword - description: This key is used to capture a generic email address where the source - or destination context is not clear - - name: trans_from - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: file - overwrite: true - type: group - fields: - - name: privilege - overwrite: true - type: keyword - description: Deprecated, use permissions - - name: attachment - overwrite: true - type: keyword - description: This key captures the attachment file name - - name: filesystem - overwrite: true - type: keyword - - name: binary - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: filename_dst - overwrite: true - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - overwrite: true - type: keyword - description: This is used to capture name of the parent filename, the file which - performed the action - - name: filename_tmp - overwrite: true - type: keyword - - name: directory_dst - overwrite: true - type: keyword - description: This key is used to capture the directory of the target process - or file - - name: directory_src - overwrite: true - type: keyword - description: This key is used to capture the directory of the source process - or file - - name: file_entropy - overwrite: true - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - overwrite: true - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - overwrite: true - type: keyword - description: This is used to capture name of the task - - name: web - overwrite: true - type: group - fields: - - name: fqdn - overwrite: true - type: keyword - description: Fully Qualified Domain Names - - 
name: web_cookie - overwrite: true - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - overwrite: true - type: keyword - - name: reputation_num - overwrite: true - type: double - description: Reputation Number of an entity. Typically used for Web Domains - - name: web_ref_domain - overwrite: true - type: keyword - description: Web referer's domain - - name: web_ref_query - overwrite: true - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - overwrite: true - type: keyword - - name: web_ref_page - overwrite: true - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - overwrite: true - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - overwrite: true - type: keyword - - name: cn_rpackets - overwrite: true - type: keyword - - name: urlpage - overwrite: true - type: keyword - - name: urlroot - overwrite: true - type: keyword - - name: p_url - overwrite: true - type: keyword - - name: p_user_agent - overwrite: true - type: keyword - - name: p_web_cookie - overwrite: true - type: keyword - - name: p_web_method - overwrite: true - type: keyword - - name: p_web_referer - overwrite: true - type: keyword - - name: web_extension_tmp - overwrite: true - type: keyword - - name: web_page - overwrite: true - type: keyword - - name: threat - overwrite: true - type: group - fields: - - name: threat_category - overwrite: true - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of - alert - - name: threat_desc - overwrite: true - type: keyword - description: This key is used to capture the threat description from the session - directly or inferred - - name: alert - overwrite: true - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - overwrite: true - type: keyword - description: This key is used to 
capture source of the threat - - name: crypto - overwrite: true - type: group - fields: - - name: crypto - overwrite: true - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key - only - - name: cipher_src - overwrite: true - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - overwrite: true - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - overwrite: true - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - overwrite: true - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - overwrite: true - type: keyword - description: IKE negotiation phase. - - name: scheme - overwrite: true - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - overwrite: true - type: keyword - description: "This key is for Encryption peer\u2019s identity" - - name: sig_type - overwrite: true - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - overwrite: true - type: keyword - - name: cert_host_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: cert_error - overwrite: true - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - overwrite: true - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - overwrite: true - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - overwrite: true - type: keyword - description: Deprecated, use version - - name: d_certauth - overwrite: true - type: keyword - - name: s_certauth - overwrite: true - type: keyword - - name: ike_cookie1 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - - name: ike_cookie2 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - - name: cert_checksum - overwrite: true - type: keyword - - name: cert_host_cat - overwrite: true - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - overwrite: true - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - overwrite: true - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - overwrite: true - type: keyword - description: Deprecated, use version - - name: cert_keysize - overwrite: true - type: keyword - - name: cert_username - overwrite: true - type: keyword - - name: https_insact - overwrite: true - type: keyword - - name: https_valid - overwrite: true - type: keyword - - name: cert_ca - overwrite: true - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - overwrite: true - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - overwrite: true - type: group - fields: - - name: wlan_ssid - overwrite: true - type: keyword - description: This key is 
used to capture the ssid of a Wireless Session - - name: access_point - overwrite: true - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - overwrite: true - type: long - description: This is used to capture the channel names - - name: wlan_name - overwrite: true - type: keyword - description: This key captures either WLAN number/name - - name: storage - overwrite: true - type: group - fields: - - name: disk_volume - overwrite: true - type: keyword - description: A unique name assigned to logical units (volumes) within a physical - disk - - name: lun - overwrite: true - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - overwrite: true - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - overwrite: true - type: group - fields: - - name: org_dst - overwrite: true - type: keyword - description: This is used to capture the destination organization based on the - GEOPIP Maxmind database. - - name: org_src - overwrite: true - type: keyword - description: This is used to capture the source organization based on the GEOPIP - Maxmind database. 
- - name: healthcare - overwrite: true - type: group - fields: - - name: patient_fname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_id - overwrite: true - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_mname - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: endpoint - overwrite: true - type: group - fields: - - name: host_state - overwrite: true - type: keyword - description: This key is used to capture the current state of the machine, such - as blacklisted, infected, firewall - disabled and so on - - name: registry_key - overwrite: true - type: keyword - description: This key captures the path to the registry key - - name: registry_value - overwrite: true - type: keyword - description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/barracuda/waf/config/input.yml b/x-pack/filebeat/module/barracuda/waf/config/input.yml deleted file mode 100644 index a4c5ddb1b83..00000000000 --- a/x-pack/filebeat/module/barracuda/waf/config/input.yml +++ /dev/null 
@@ -1,87 +0,0 @@
-{{ if eq .input "file" }}
-
-type: log
-paths:
- {{ range $i, $path := .paths }}
-- {{$path}}
- {{ end }}
-exclude_files: [".gz$"]
-
-{{ else }}
-
-type: {{.input}}
-host: "{{.syslog_host}}:{{.syslog_port}}"
-
-{{ end }}
-
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
-
-fields_under_root: true
-fields:
- observer:
- vendor: "Barracuda"
- product: "Web"
- type: "WAF"
-
-processors:
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{.rsa_fields}}
- tz_offset: {{.tz_offset}}
- keep_raw: {{.keep_raw_fields}}
- debug: {{.debug}}
- files:
- - ${path.home}/module/barracuda/waf/config/liblogparser.js
- - ${path.home}/module/barracuda/waf/config/pipeline.js
-{{ if .community_id }}
-- community_id: ~
-{{ end }}
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: dns.question.name
- target_field: dns.question.registered_domain
- target_subdomain_field: dns.question.subdomain
- target_etld_field: dns.question.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: client.domain
- target_field: client.registered_domain
- target_subdomain_field: client.subdomain
- target_etld_field: client.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: server.domain
- target_field: server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js b/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js
deleted file mode 100644
index b35eaa3ddce..00000000000
--- a/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js
+++ /dev/null
@@ -1,2514 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -/* jshint -W014,-W016,-W097,-W116 */ - -var processor = require("processor"); -var console = require("console"); - -var FLAG_FIELD = "log.flags"; -var FIELDS_OBJECT = "nwparser"; -var FIELDS_PREFIX = FIELDS_OBJECT + "."; - -var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true -}; - -var saved_flags = null; -var debug; -var map_ecs; -var map_rsa; -var keep_raw; -var device; -var tz_offset; -var strip_priority; - -// Register params from configuration. -function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); -} - -function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } -} - -function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); -} - -function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); -} - -function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; -} - -function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; -} - -function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; -} - -var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); -})(); - -function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; -} - -function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } -} - -function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; -} - -function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; -} - -function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; -} - -function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; -} - -var start; - -function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); -} - -function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); -} - -function constant(value) { - return function (evt) { - return value; - }; -} - -function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; -} - -function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; -} - -// TODO: Implement -function DIRCHK(args) { - unimplemented("DIRCHK"); -} - -function strictToInt(str) { - return str * 1; -} - -function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - var result; - switch 
(args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; -} - -var quoteChars = "\"'`"; -function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; -} - -function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; -} - -function nop(evt) { -} - -function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); -} - -function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); -} - -function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; -} - -function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); -} - -function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; -} - -function setc(dst, value) { - return function (evt) { - evt.Put(FIELDS_PREFIX + dst, value); - }; 
-} - -function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; -} - -function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; -} - -function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; -} - -function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; -} - -// Make two-digit dates 00-69 interpreted as 2000-2069 -// and dates 70-99 translated to 1970-1999. -var twoDigitYearEpoch = 70; -var twoDigitYearCentury = 2000; - -// This is to accept dates up to 2 days in the future, only used when -// no year is specified in a date. 2 days should be enough to account for -// time differences between systems and different tz offsets. -var maxFutureDelta = 2*24*60*60*1000; - -// DateContainer stores date fields and then converts those fields into -// a Date. Necessary because building a Date using its set() methods gives -// different results depending on the order of components. -function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; -} - -DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } -} - -function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; -} - -function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; -} - -function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; -} - -var uA = 60 * 60 * 24; -var uD = 60 * 60 * 24; -var uF = 60 * 60; -var uG = 60 * 60 * 24 * 30; -var uH = 60 * 60; -var uI = 60 * 60; -var uJ = 60 * 60 * 24; -var uM = 60 * 60 * 24 * 30; -var uN = 60 * 60; -var uO = 1; -var uS = 1; -var uT = 60; -var uU = 60; -var uc = dc; - -function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; -} - -function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 5], - "dec": [11, 4], 
-}; - -// var dC = undefined; -var dR = dateMonthName(true); -var dB = dateMonthName(false); -var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); -var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); -var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); -var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); -var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); -var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 -var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); -var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); -var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); -var dP = parseAMPM; // AM|PM -var dQ = parseAMPM; // A.M.|P.M -var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); -var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); -var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); -var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); -var dZ = parseHMS; -var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - -// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. -// Only works if this modifier appears after the hour has been read from logs -// which is always the case in the 300 devices. 
-function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; -} - -function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); -} - -function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; -} - -function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; -} - -function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; -} - -function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; -} - -function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; -} - -// Short month name (Jan..Dec). -function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; -} - -function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; -} - -// The following regular expression for parsing URLs from: -// https://github.com/wizard04wsu/URI_Parsing -// -// The MIT License (MIT) -// -// Copyright (c) 2014 Andrew Harrison -// -// Permission is hereby granted, free of charge, to any person obtaining a copy of -// this software and associated documentation files (the "Software"), to deal in -// the Software without restriction, including without limitation the rights to -// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -// the Software, and to permit persons to whom the Software is furnished to do so, -// subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
-var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - -var uriScheme = 1; -var uriDomain = 5; -var uriPort = 6; -var uriPath = 7; -var uriPathAlt = 9; -var uriQuery = 11; - -function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); -} - -function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; -} - -function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; -} - -var extFromPage = /\.[^.]+$/; -function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } -} - -function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); -} - -function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); -} - -var pageFromPathRegExp = /\/([^\/]+)$/; -var pageName = 1; - -function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; -} - -function page(dst, src) { - return url_wrapper(dst, src, extract_page); -} - -function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; -} - -function path(dst, src) { - return url_wrapper(dst, src, extract_path); -} - -// Map common schemes to their default port. -// port has to be a string (will be converted at a later stage). 
-var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", -}; - -function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } -} - -function port(dst, src) { - return url_wrapper(dst, src, extract_port); -} - -function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; -} - -function query(dst, src) { - return url_wrapper(dst, src, extract_query); -} - -function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } -} - -function root(dst, src) { - return url_wrapper(dst, src, extract_root); -} - -function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } -} - -var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, -}; - -var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, 
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, -}; - -function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } -} - -// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. -var maxSafeInt = Math.pow(2, 53) - 1; -var minSafeInt = -maxSafeInt; - -function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; -} - -function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); -} - -var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; -var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - -function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; -} - -function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; -} - -function to_double(value) { - return parseFloat(value); -} - -function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; -} - -function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; -} - -function fld_set(dst, value) { - dst[this.field] = { v: value }; -} - -function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } -} - -function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } -} - -var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true -}; - -function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } -} - -function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } -} - -function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); -} - -var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, -]; - -function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - tzOffset = 
evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} %{p0}"); - -var dup13 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_0", "nwparser.p0", "\"[%{result}]\" %{p0}"); - -var dup14 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_1", "nwparser.p0", "[%{result}] %{p0}"); - -var dup15 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/2", "nwparser.p0", "%{web_method->} %{url->} %{protocol->} - %{stransaddr->} %{stransport->} %{web_referer}"); - -var dup16 = match("MESSAGE#85:CROSS_SITE_SCRIPTING_IN_PARAM:01/2", "nwparser.p0", "%{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}"); - -var dup17 = setc("eventcategory","1204000000"); - -var dup18 = match("MESSAGE#118:TR_Logs:01/1_0", "nwparser.p0", "%{stransport->} %{content_type}"); - -var dup19 = match_copy("MESSAGE#118:TR_Logs:01/1_1", "nwparser.p0", "stransport"); - -var dup20 = setf("msg_id","web_method"); - -var dup21 = setc("category","TR"); - -var dup22 = setc("vid","TR_Logs"); - -var dup23 = linear_select([ - dup13, - dup14, -]); - -var dup24 = match("MESSAGE#103:NO_DOMAIN_MATCH_IN_PROFILE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} [%{result}] %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ - dup17, - dup8, -])); - -var dup25 = linear_select([ - dup18, - dup19, -]); - -var dup26 = all_match({ - processors: [ - dup12, - dup23, - dup15, - ], - on_success: processor_chain([ - dup11, - dup8, - ]), -}); - -var dup27 = all_match({ - processors: [ - dup12, - dup23, - dup16, - ], - on_success: processor_chain([ - dup11, - dup8, - ]), -}); - -var hdr1 = 
match("HEADER#0:0001", "message", "%{messageid}:%{p0}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(":"), - field("p0"), - ], - }), -])); - -var hdr2 = match("HEADER#1:0005", "message", "time=%{hfld1->} %{hfld2->} %{timezone->} Unit=%{messageid->} %{payload}", processor_chain([ - setc("header_id","0005"), -])); - -var hdr3 = match("HEADER#2:0003", "message", "%{hfld9->} %{hfld10->} %{hfld11->} %{hfld12->} %{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} %{hfld4->} %{hfld5->} %{hfld6->} %{messageid->} %{p0}", processor_chain([ - setc("header_id","0003"), - dup1, -])); - -var hdr4 = match("HEADER#3:0002", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} %{hfld4->} %{hfld5->} %{hfld6->} %{messageid->} %{p0}", processor_chain([ - setc("header_id","0002"), - dup1, -])); - -var hdr5 = match("HEADER#4:0009", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} TR %{hfld5->} %{hfld6->} %{hfld8->} %{p0}", processor_chain([ - setc("header_id","0009"), - dup2, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld7"), - constant(" "), - field("hfld8"), - constant("."), - field("hfld2"), - constant(" "), - field("hfld3"), - constant(" TR "), - field("hfld5"), - constant(" "), - field("hfld6"), - constant(" "), - field("hfld8"), - constant(" "), - field("p0"), - ], - }), -])); - -var hdr6 = match("HEADER#5:0007", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} AUDIT %{hfld5->} %{hfld6->} %{hfld8->} %{p0}", processor_chain([ - setc("header_id","0007"), - dup2, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld7"), - constant(" "), - field("hfld8"), - constant("."), - field("hfld2"), - constant(" "), - field("hfld3"), - constant(" AUDIT "), - field("hfld5"), - constant(" "), - field("hfld6"), - constant(" "), - field("hfld8"), - constant(" "), - field("p0"), - ], - }), -])); - -var hdr7 = 
match("HEADER#6:0008", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} WF %{hfld5->} %{hfld6->} %{hfld8->} %{p0}", processor_chain([ - setc("header_id","0008"), - dup2, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld7"), - constant(" "), - field("hfld8"), - constant("."), - field("hfld2"), - constant(" "), - field("hfld3"), - constant(" WF "), - field("hfld5"), - constant(" "), - field("hfld6"), - constant(" "), - field("hfld8"), - constant(" "), - field("p0"), - ], - }), -])); - -var hdr8 = match("HEADER#7:0006", "message", "%{hmonth->} %{hday->} %{htime->} BARRACUDAWAF %{hhost->} %{hdate->} %{htime->} %{htimezone->} %{messageid->} %{p0}", processor_chain([ - setc("header_id","0006"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hhost"), - constant(" "), - field("hdate"), - constant(" "), - field("htime"), - constant(" "), - field("htimezone"), - constant(" "), - field("messageid"), - constant(" "), - field("p0"), - ], - }), -])); - -var hdr9 = match("HEADER#8:0004", "message", "%{hfld9->} %{hfld10->} %{hfld11->} %{hhost->} %{messageid->} %{p0}", processor_chain([ - setc("header_id","0004"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld10"), - constant(" "), - field("hfld11"), - constant(" "), - field("hhost"), - constant(" "), - field("messageid"), - constant(" "), - field("p0"), - ], - }), -])); - -var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - hdr5, - hdr6, - hdr7, - hdr8, - hdr9, -]); - -var part1 = match("MESSAGE#0:UPDATE", "nwparser.payload", "UPDATE: [ALERT:%{fld3}] New attack definition version %{version->} is available", processor_chain([ - setc("eventcategory","1502030000"), - setc("event_description","UPDATE: ALERT New attack definition version is available"), -])); - -var msg1 = msg("UPDATE", part1); - -var part2 = match("MESSAGE#1:STM:01", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} [ALERT:%{id}] Server %{daddr}:%{dport->} is 
disabled by out of band monitor ( new mode out_of_service_all ) Reason:%{result}", processor_chain([ - setc("eventcategory","1603000000"), - setc("event_description","STM: LB Server disabled by out of band monitor"), -])); - -var msg2 = msg("STM:01", part2); - -var part3 = match("MESSAGE#2:STM:02", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} Server %{saddr->} is created.", processor_chain([ - dup3, - setc("event_description","STM: LB Server created."), -])); - -var msg3 = msg("STM:02", part3); - -var part4 = match("MESSAGE#3:STM:03", "nwparser.payload", "STM: SSKey-%{fld1->} %{fld2->} Cookie Encryption Key has already expired", processor_chain([ - setc("eventcategory","1613030100"), - setc("event_description","STM: SSKEY Cookie Encryption Key has already expired."), -])); - -var msg4 = msg("STM:03", part4); - -var part5 = match("MESSAGE#4:STM:04", "nwparser.payload", "STM: FAILOVE-%{fld1->} %{fld2->} Module CookieKey registered with Stateful Failover module.", processor_chain([ - dup4, - setc("event_description","STM:FAILOVE Module CookieKey registered with Stateful Failover module."), -])); - -var msg5 = msg("STM:04", part5); - -var part6 = match("MESSAGE#5:STM:05", "nwparser.payload", "STM: FEHCMON-%{fld1->} %{fld2->} FEHC Monitor Module initialized.", processor_chain([ - dup3, - setc("event_description","STM:FECHMON FEHC Monitor Module initialized."), -])); - -var msg6 = msg("STM:05", part6); - -var part7 = match("MESSAGE#6:STM:06", "nwparser.payload", "STM: FAILOVE-%{fld1->} %{fld2->} Stateful Failover Module initialized.", processor_chain([ - dup3, - setc("event_description","STM: FAILOVE Stateful Failover Module initialized."), -])); - -var msg7 = msg("STM:06", part7); - -var part8 = match("MESSAGE#7:STM:07", "nwparser.payload", "STM: SERVICE-%{fld1->} %{fld3->} [%{fld2}] New Service (ID %{fld4}) Created at %{saddr}:%{sport}", processor_chain([ - dup3, - setc("event_description","STM: SERVICE New Service created."), -])); - -var msg8 = msg("STM:07", 
part8); - -var part9 = match("MESSAGE#8:STM:08", "nwparser.payload", "STM: SSL-%{fld1->} %{fld2->} Ssl Initialization", processor_chain([ - dup4, - setc("event_description","STM: SSL Initialization."), -])); - -var msg9 = msg("STM:08", part9); - -var part10 = match("MESSAGE#9:STM:09", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} LookupServerCtx = %{fld3}", processor_chain([ - dup3, - setc("event_description","STM: LB-LookupServerCtx."), -])); - -var msg10 = msg("STM:09", part10); - -var part11 = match("MESSAGE#10:STM:10", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} ParamProtectionClonePatterns: Old:%{change_old}, New:%{change_new}, PatternsNode:%{fld4}", processor_chain([ - dup3, - setc("event_description","STM: aps ParamProtectionClonePatterns values changed."), -])); - -var msg11 = msg("STM:10", part11); - -var part12 = match("MESSAGE#11:STM:11", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} %{obj_name->} SapCtx %{fld3}, SapId %{fld4}", processor_chain([ - dup3, - setc("event_description","STM: aps SapCtx log."), -])); - -var msg12 = msg("STM:11", part12); - -var part13 = match("MESSAGE#12:STM:12", "nwparser.payload", "STM: CACHE-%{fld1->} %{fld2->} %{obj_name->} SapCtx %{fld3}, SapId %{fld4}, Return Code %{result}", processor_chain([ - dup3, - setc("event_description","STM: CACHE SapCtx log."), -])); - -var msg13 = msg("STM:12", part13); - -var part14 = match("MESSAGE#13:STM:13", "nwparser.payload", "STM: FTPSVC-%{fld1->} %{fld2->} Ftp proxy initialized %{info}", processor_chain([ - dup3, - setc("event_description","STM: FTPSVC Ftp proxy initialized."), -])); - -var msg14 = msg("STM:13", part14); - -var part15 = match("MESSAGE#14:STM:14", "nwparser.payload", "STM: STM-%{fld1->} %{fld2->} Secure Traffic Manager Initialization complete: %{info}", processor_chain([ - dup3, - setc("event_description","STM: STM Secure Traffic Manager Initialization complete."), -])); - -var msg15 = msg("STM:14", part15); - -var part16 = match("MESSAGE#15:STM:15", 
"nwparser.payload", "STM: COOKIE-%{fld1->} %{fld2->} %{obj_name->} = %{info}", processor_chain([ - dup3, - setc("event_description","STM: COOKIE Cookie parameters set."), -])); - -var msg16 = msg("STM:15", part16); - -var part17 = match("MESSAGE#16:STM:16", "nwparser.payload", "STM: WebLog-%{fld1->} %{fld2->} %{obj_name}: SapCtx=%{fld3},SapId=%{fld4}, %{fld5}", processor_chain([ - dup3, - setc("event_description","STM: WebLog Set Sap variable."), -])); - -var msg17 = msg("STM:16", part17); - -var part18 = match("MESSAGE#17:STM:17", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} AddIpsPatternGroup SapCtx : %{fld3}, grp_id : %{fld4}, type : %{fld5->} grp: %{info}", processor_chain([ - dup3, - setc("event_description","STM: aps Set AddIpsPatternGroup."), -])); - -var msg18 = msg("STM:17", part18); - -var part19 = match("MESSAGE#18:STM:18", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} AddPCInfoKeyWordMeta: Info:%{fld3}, Table:%{fld4}", processor_chain([ - dup3, - setc("event_description","STM: aps AddPCInfoKeyWordMeta."), -])); - -var msg19 = msg("STM:18", part19); - -var part20 = match("MESSAGE#19:STM:19", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} AddParamClass: %{fld3}: KeyWords:%{fld4}", processor_chain([ - dup3, - setc("event_description","STM: aps AddParamClass."), -])); - -var msg20 = msg("STM:19", part20); - -var part21 = match("MESSAGE#20:STM:20", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetParamClassPatternsAndDFA: Ctx:%{fld3}, type:%{fld4}, dfaId %{fld5}", processor_chain([ - dup3, - setc("event_description","STM: aps AddParamClassPatternsAndDFA."), -])); - -var msg21 = msg("STM:20", part21); - -var part22 = match("MESSAGE#21:STM:21", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} ParamClassClonePatternsInfo: Old:%{fld3}, New:%{fld4}, PatternsNode:%{fld5}", processor_chain([ - dup3, - setc("event_description","STM: aps AddParamClassClonePatternsInfo."), -])); - -var msg22 = msg("STM:21", part22); - -var part23 = 
match("MESSAGE#22:STM:22", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsLogIntrusionOn SapCtx %{fld3}, Return Code %{fld4}", processor_chain([ - dup3, - setc("event_description","STM: aps SetIpsLogIntrusionOn."), -])); - -var msg23 = msg("STM:22", part23); - -var part24 = match("MESSAGE#23:STM:23", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} AddIpsCloakFilterRespHeader [%{fld3}] Ret %{fld4}, SapCtx %{fld5}, sapId %{fld6}", processor_chain([ - dup3, - setc("event_description","STM: aps AddIpsCloakFilterRespHeader."), -])); - -var msg24 = msg("STM:23", part24); - -var part25 = match("MESSAGE#24:STM:24", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsTheftPolicy SapCtx %{fld3}, Policy %{fld4}, Return %{fld5}", processor_chain([ - dup3, - setc("event_description","STM: aps SetIpsTheftPolicy."), -])); - -var msg25 = msg("STM:24", part25); - -var part26 = match("MESSAGE#25:STM:25", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsTheftPolicyDfa SapCtx %{fld3}, Policy %{fld4}, mode %{fld5}, bytes %{fld6}, Return %{fld7}", processor_chain([ - dup3, - setc("event_description","STM: aps SetIpsTheftPolicyDfa."), -])); - -var msg26 = msg("STM:25", part26); - -var part27 = match("MESSAGE#26:STM:26", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsLimitPolicy Return Code %{fld3}", processor_chain([ - dup3, - dup5, -])); - -var msg27 = msg("STM:26", part27); - -var part28 = match("MESSAGE#27:STM:27", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} CreateRC: RC Add policy Success", processor_chain([ - dup3, - setc("event_description","STM: aps CreateRC: RC Add policy Success."), -])); - -var msg28 = msg("STM:27", part28); - -var part29 = match("MESSAGE#28:STM:28", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} SetSap%{info}=%{fld3}", processor_chain([ - dup3, - setc("event_description","STM: LB Set Sap command."), -])); - -var msg29 = msg("STM:28", part29); - -var part30 = match("MESSAGE#29:STM:29", "nwparser.payload", "STM: 
LB-%{fld1->} %{fld2->} SetServer%{info}=%{fld3}", processor_chain([ - dup3, - setc("event_description","STM: LB Set Server command."), -])); - -var msg30 = msg("STM:29", part30); - -var part31 = match("MESSAGE#30:STM:30", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} AddServer%{info}=%{fld3}", processor_chain([ - dup3, - setc("event_description","STM: LB Add Server command."), -])); - -var msg31 = msg("STM:30", part31); - -var part32 = match("MESSAGE#31:STM:31", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} CreateServer =%{fld3}", processor_chain([ - dup3, - setc("event_description","STM: LB Create Server command."), -])); - -var msg32 = msg("STM:31", part32); - -var part33 = match("MESSAGE#32:STM:32", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} EnableServer =%{fld3}", processor_chain([ - dup3, - setc("event_description","STM: LB Enable Server command."), -])); - -var msg33 = msg("STM:32", part33); - -var part34 = match("MESSAGE#33:STM:33", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} ActiveServerOutOfBandMonitorAttr =%{fld3}", processor_chain([ - dup3, - setc("event_description","STM: LB ActiveServerOutOfBandMonitorAttr command."), -])); - -var msg34 = msg("STM:33", part34); - -var part35 = match("MESSAGE#34:STM:34", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} BindServerToSap =%{fld3}", processor_chain([ - dup3, - setc("event_description","STM: LB BindServerToSap command."), -])); - -var msg35 = msg("STM:34", part35); - -var part36 = match("MESSAGE#35:STM:35", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} [ALERT:%{fld3}] Server %{saddr}:%{sport->} is enabled by out of band monitor. 
Reason:out of band monitor", processor_chain([ - dup3, - setc("event_description","STM: LB Server is enabled by out of band monitor Reason out of band monitor"), -])); - -var msg36 = msg("STM:35", part36); - -var part37 = match("MESSAGE#36:STM:36", "nwparser.payload", "STM: SERVICE-%{fld1->} %{fld2->} [%{saddr}:%{sport}] Service Started %{fld3}:%{fld4}", processor_chain([ - dup3, - setc("event_description","STM: SERVICE Server service started command."), -])); - -var msg37 = msg("STM:36", part37); - -var part38 = match("MESSAGE#37:STM:37", "nwparser.payload", "STM: RespPage-%{fld1->} %{fld2->} CreateRP: Response Page %{fld3->} created successfully", processor_chain([ - dup3, - setc("event_description","STM: RespPage Response Page created successfully."), -])); - -var msg38 = msg("STM:37", part38); - -var part39 = match("MESSAGE#38:STM:38", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2->} AddWATReqRewriteRule AclName [%{fld3}] Ret %{fld4->} SapCtx %{fld5}, SapId %{fld6}", processor_chain([ - dup3, - setc("event_description","STM: AddWATReqRewriteRule AclName."), -])); - -var msg39 = msg("STM:38", part39); - -var part40 = match("MESSAGE#39:STM:39", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2->} SetWATReqRewriteRuleNameWithKe AclName [%{fld3}] Ret %{fld4->} SapCtx %{fld5}, SapId %{fld6}", processor_chain([ - dup3, - setc("event_description","STM: SetWATReqRewriteRuleNameWithKe AclName."), -])); - -var msg40 = msg("STM:39", part40); - -var part41 = match("MESSAGE#40:STM:40", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2->} SetWATReqRewritePolicyOn - %{fld6->} Ret %{fld3->} SapCtx %{fld4}, SapId %{fld5}", processor_chain([ - dup3, - setc("event_description","STM: SetWATReqRewritePolicyOn."), -])); - -var msg41 = msg("STM:40", part41); - -var part42 = match("MESSAGE#41:STM:41", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsOn SapCtx %{fld3}, Return Code %{fld4}", processor_chain([ - dup3, - setc("event_description","STM: aps SetIpsOn."), -])); 
- -var msg42 = msg("STM:41", part42); - -var part43 = match("MESSAGE#42:STM:42", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsLimitPolicyOn Return Code %{fld3}", processor_chain([ - dup3, - dup5, -])); - -var msg43 = msg("STM:42", part43); - -var part44 = match("MESSAGE#43:STM:43", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2->} SetWATRespRewritePolicyOn - %{fld6->} Ret %{fld3->} SapCtx %{fld4}, SapId %{fld5}", processor_chain([ - dup3, - setc("event_description","STM: SetWATRespRewritePolicyOn."), -])); - -var msg44 = msg("STM:43", part44); - -var select2 = linear_select([ - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - msg18, - msg19, - msg20, - msg21, - msg22, - msg23, - msg24, - msg25, - msg26, - msg27, - msg28, - msg29, - msg30, - msg31, - msg32, - msg33, - msg34, - msg35, - msg36, - msg37, - msg38, - msg39, - msg40, - msg41, - msg42, - msg43, - msg44, -]); - -var part45 = match("MESSAGE#44:STM_WRAPPER:01", "nwparser.payload", "STM_WRAPPER: command(--digest) execution status = %{info}", processor_chain([ - dup3, - setc("event_description","STM_WRAPPER: command execution status."), -])); - -var msg45 = msg("STM_WRAPPER:01", part45); - -var part46 = match("MESSAGE#45:STM_WRAPPER:02", "nwparser.payload", "STM_WRAPPER: [ALERT:%{fld1}] Configuration size is %{fld2->} which exceeds the %{fld3->} safe limit. 
Please check your configuration.", processor_chain([ - dup6, - setc("event_description","STM_WRAPPER: ALERT Configuration size exceeds the safe memory limit."), -])); - -var msg46 = msg("STM_WRAPPER:02", part46); - -var part47 = match("MESSAGE#46:STM_WRAPPER:03", "nwparser.payload", "STM_WRAPPER: Committing UI configuration.%{}", processor_chain([ - dup3, - setc("event_description","STM_WRAPPER: Committing UI configuration."), -])); - -var msg47 = msg("STM_WRAPPER:03", part47); - -var part48 = match("MESSAGE#47:STM_WRAPPER:04", "nwparser.payload", "STM_WRAPPER: Successfully stopped STM.%{}", processor_chain([ - dup3, - setc("event_description","STM_WRAPPER: Successfully stopped STM."), -])); - -var msg48 = msg("STM_WRAPPER:04", part48); - -var part49 = match("MESSAGE#48:STM_WRAPPER:05", "nwparser.payload", "STM_WRAPPER: Successfully initialized STM.%{}", processor_chain([ - dup3, - setc("event_description","STM_WRAPPER: Successfully initialized STM."), -])); - -var msg49 = msg("STM_WRAPPER:05", part49); - -var part50 = match("MESSAGE#49:STM_WRAPPER:06", "nwparser.payload", "STM_WRAPPER: Initializing STM.%{}", processor_chain([ - dup3, - setc("event_description","STM_WRAPPER: Initializing STM."), -])); - -var msg50 = msg("STM_WRAPPER:06", part50); - -var part51 = match("MESSAGE#50:STM_WRAPPER:07", "nwparser.payload", "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.%{}", processor_chain([ - dup3, - setc("event_description","STM_WRAPPER: Rolling back the current database transaction. 
Configuration digest failed."), -])); - -var msg51 = msg("STM_WRAPPER:07", part51); - -var select3 = linear_select([ - msg45, - msg46, - msg47, - msg48, - msg49, - msg50, - msg51, -]); - -var part52 = match("MESSAGE#51:CONFIG_AGENT:01", "nwparser.payload", "CONFIG_AGENT: %{fld1->} RPC Name =%{fld2}, RPC Result: %{fld3}", processor_chain([ - dup3, - setc("event_description","CONFIG_AGENT: RPC information."), -])); - -var msg52 = msg("CONFIG_AGENT:01", part52); - -var part53 = match("MESSAGE#52:CONFIG_AGENT:02", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} Received put-tree command", processor_chain([ - dup3, - setc("event_description","CONFIG_AGENT:Received put-tree command."), -])); - -var msg53 = msg("CONFIG_AGENT:02", part53); - -var part54 = match("MESSAGE#53:CONFIG_AGENT:03", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., %{fld3}", processor_chain([ - dup4, - setc("event_description","It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time."), -])); - -var msg54 = msg("CONFIG_AGENT:03", part54); - -var part55 = match("MESSAGE#54:CONFIG_AGENT:04", "nwparser.payload", "CONFIG_AGENT: %{fld1->} Initiating config_agent database commit phase.", processor_chain([ - dup3, - setc("event_description","CONFIG_AGENT:Initiating config_agent database commit phase."), -])); - -var msg55 = msg("CONFIG_AGENT:04", part55); - -var part56 = match("MESSAGE#55:CONFIG_AGENT:05", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} Update succeeded", processor_chain([ - dup3, - setc("event_description","CONFIG_AGENT:Update succeded."), -])); - -var msg56 = msg("CONFIG_AGENT:05", part56); - -var part57 = match("MESSAGE#56:CONFIG_AGENT:06", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} No rules, %{fld3}", processor_chain([ - dup3, - setc("event_description","CONFIG_AGENT:No rules."), -])); - -var msg57 = 
msg("CONFIG_AGENT:06", part57); - -var select4 = linear_select([ - msg52, - msg53, - msg54, - msg55, - msg56, - msg57, -]); - -var part58 = match("MESSAGE#57:PROCMON:01", "nwparser.payload", "PROCMON: Started monitoring%{}", processor_chain([ - dup3, - setc("event_description","PROCMON: Started monitoring"), -])); - -var msg58 = msg("PROCMON:01", part58); - -var part59 = match("MESSAGE#58:PROCMON:02", "nwparser.payload", "PROCMON: number of stm worker threads is%{info}", processor_chain([ - dup3, - setc("event_description","PROCMON: number of stm worker threads"), -])); - -var msg59 = msg("PROCMON:02", part59); - -var part60 = match("MESSAGE#59:PROCMON:03", "nwparser.payload", "PROCMON: Monitoring links: %{interface}", processor_chain([ - dup3, - setc("event_description","PROCMON: Monitoring links."), -])); - -var msg60 = msg("PROCMON:03", part60); - -var part61 = match("MESSAGE#60:PROCMON:04", "nwparser.payload", "PROCMON: [ALERT:%{fld1}] %{interface}: link is up", processor_chain([ - dup3, - setc("event_description","PROCMON:Link is up."), -])); - -var msg61 = msg("PROCMON:04", part61); - -var part62 = match("MESSAGE#61:PROCMON:05", "nwparser.payload", "PROCMON: [ALERT:%{fld1}] Firmware storage exceeds %{info}", processor_chain([ - setc("eventcategory","1607000000"), - setc("event_description","PROCMON:Firmware storage exceeding."), -])); - -var msg62 = msg("PROCMON:05", part62); - -var part63 = match("MESSAGE#62:PROCMON:06", "nwparser.payload", "PROCMON: [ALERT:%{fld1}] One of the RAID arrays is degrading.", processor_chain([ - dup6, - setc("event_description","PROCMON:One of the RAID arrays is degrading."), -])); - -var msg63 = msg("PROCMON:06", part63); - -var select5 = linear_select([ - msg58, - msg59, - msg60, - msg61, - msg62, - msg63, -]); - -var part64 = match("MESSAGE#63:BYPASS:01", "nwparser.payload", "BYPASS: State set to normal: starting heartbeat.%{}", processor_chain([ - dup3, - setc("event_description","BYPASS: State set to normal: starting 
heartbeat."), -])); - -var msg64 = msg("BYPASS:01", part64); - -var part65 = match("MESSAGE#64:BYPASS:02", "nwparser.payload", "BYPASS: Mode change: %{fld1},%{fld2}", processor_chain([ - dup3, - setc("event_description","Mode change."), -])); - -var msg65 = msg("BYPASS:02", part65); - -var part66 = match("MESSAGE#65:BYPASS:03", "nwparser.payload", "BYPASS: Mode set to BYPASS (%{fld2}).", processor_chain([ - dup3, - setc("event_description"," Mode set to BYPASS."), -])); - -var msg66 = msg("BYPASS:03", part66); - -var part67 = match("MESSAGE#66:BYPASS:04", "nwparser.payload", "BYPASS: Mode set to never bypass.%{}", processor_chain([ - dup3, - setc("event_description"," Mode set to never BYPASS."), -])); - -var msg67 = msg("BYPASS:04", part67); - -var select6 = linear_select([ - msg64, - msg65, - msg66, - msg67, -]); - -var part68 = match("MESSAGE#67:INSTALL:01", "nwparser.payload", "INSTALL: Migrating configuration from %{fld2->} to %{fld3}", processor_chain([ - dup3, - setc("event_description"," INSTALL: migrating configuration."), -])); - -var msg68 = msg("INSTALL:01", part68); - -var part69 = match("MESSAGE#68:INSTALL:02", "nwparser.payload", "INSTALL: Loading the snapshot for %{fld2->} release.", processor_chain([ - dup3, - setc("event_description"," INSTALL: Loading snapshot from previous version."), -])); - -var msg69 = msg("INSTALL:02", part69); - -var select7 = linear_select([ - msg68, - msg69, -]); - -var part70 = match("MESSAGE#69:eventmgr:01", "nwparser.payload", "eventmgr: Forwarding log messages to syslog host #%{fld3}, address=%{hostip}", processor_chain([ - dup3, - setc("event_description","eventmgr: Forwarding log messages to syslog host"), -])); - -var msg70 = msg("eventmgr:01", part70); - -var part71 = match("MESSAGE#70:eventmgr:02", "nwparser.payload", "eventmgr: Event manager startup succeeded.%{}", processor_chain([ - dup3, - setc("event_description","eventmgr: Event manager startup succeeded."), -])); - -var msg71 = msg("eventmgr:02", part71); 
- -var select8 = linear_select([ - msg70, - msg71, -]); - -var part72 = match("MESSAGE#71:CONFIG", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ - dup7, - setc("event_description"," Configuration changes made."), - dup8, -])); - -var msg72 = msg("CONFIG", part72); - -var part73 = match("MESSAGE#72:LOGIN", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ - setc("eventcategory","1401060000"), - setc("event_description"," Login."), - dup8, -])); - -var msg73 = msg("LOGIN", part73); - -var part74 = match("MESSAGE#73:SESSION_TIMEOUT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ - dup9, - setc("event_description"," Session timeout."), - dup8, -])); - -var msg74 = msg("SESSION_TIMEOUT", part74); - -var part75 = match("MESSAGE#74:LOGOUT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ - dup9, - setc("ec_subject","User"), - setc("ec_activity","Logoff"), - setc("ec_theme","Authentication"), - setc("ec_outcome","Success"), - setc("event_description"," Logout."), - dup8, -])); - -var msg75 = msg("LOGOUT", part75); - -var part76 = match("MESSAGE#75:UNSUCCESSFUL_LOGIN", "nwparser.payload", "%{fld88->} %{fld89->} 
%{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ - setc("eventcategory","1401030000"), - setc("event_description"," Unsuccessful login."), - dup8, -])); - -var msg76 = msg("UNSUCCESSFUL_LOGIN", part76); - -var part77 = match("MESSAGE#76:TRANSPARENT_MODE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ - dup10, - setc("event_description"," Operating in Transport Mode"), - dup8, -])); - -var msg77 = msg("TRANSPARENT_MODE", part77); - -var part78 = match("MESSAGE#77:SUPPORT_TUNNEL_OPEN", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ - dup10, - setc("event_description"," Support Tunnel Opened"), - dup8, -])); - -var msg78 = msg("SUPPORT_TUNNEL_OPEN", part78); - -var part79 = match("MESSAGE#78:FIRMWARE_UPDATE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ - dup10, - setc("event_description"," Firmware Update"), - dup8, -])); - -var msg79 = msg("FIRMWARE_UPDATE", part79); - -var part80 = match("MESSAGE#79:FIRMWARE_REVERT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" 
\"%{change_new}\"", processor_chain([ - dup10, - setc("event_description"," Firmware Revert."), - dup8, -])); - -var msg80 = msg("FIRMWARE_REVERT", part80); - -var part81 = match("MESSAGE#80:REBOOT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ - dup10, - setc("event_description"," System Reboot."), - dup8, -])); - -var msg81 = msg("REBOOT", part81); - -var part82 = match("MESSAGE#81:ROLLBACK", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ - dup10, - setc("event_description"," System ROLLBACK."), - dup8, -])); - -var msg82 = msg("ROLLBACK", part82); - -var part83 = match("MESSAGE#82:HEADER_COUNT_EXCEEDED:01", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} \"[%{result}]\" %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ - dup11, - dup8, -])); - -var msg83 = msg("HEADER_COUNT_EXCEEDED:01", part83); - -var part84 = match("MESSAGE#83:HEADER_COUNT_EXCEEDED:02", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} [%{result}] %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ - dup11, - dup8, -])); - -var msg84 = msg("HEADER_COUNT_EXCEEDED:02", part84); - -var msg85 = msg("HEADER_COUNT_EXCEEDED", dup26); - 
-var select9 = linear_select([ - msg83, - msg84, - msg85, -]); - -var msg86 = msg("CROSS_SITE_SCRIPTING_IN_PARAM:01", dup27); - -var msg87 = msg("CROSS_SITE_SCRIPTING_IN_PARAM", dup26); - -var select10 = linear_select([ - msg86, - msg87, -]); - -var msg88 = msg("SQL_INJECTION_IN_URL:01", dup27); - -var msg89 = msg("SQL_INJECTION_IN_URL", dup26); - -var select11 = linear_select([ - msg88, - msg89, -]); - -var msg90 = msg("OS_CMD_INJECTION_IN_URL:01", dup27); - -var msg91 = msg("OS_CMD_INJECTION_IN_URL", dup26); - -var select12 = linear_select([ - msg90, - msg91, -]); - -var msg92 = msg("TILDE_IN_URL:01", dup27); - -var msg93 = msg("TILDE_IN_URL", dup26); - -var select13 = linear_select([ - msg92, - msg93, -]); - -var msg94 = msg("SQL_INJECTION_IN_PARAM:01", dup27); - -var msg95 = msg("SQL_INJECTION_IN_PARAM", dup26); - -var select14 = linear_select([ - msg94, - msg95, -]); - -var part85 = match("MESSAGE#95:OS_CMD_INJECTION_IN_PARAM:01/1_1", "nwparser.p0", "[%{result->} \"] %{p0}"); - -var select15 = linear_select([ - dup13, - part85, - dup14, -]); - -var all1 = all_match({ - processors: [ - dup12, - select15, - dup16, - ], - on_success: processor_chain([ - dup11, - dup8, - ]), -}); - -var msg96 = msg("OS_CMD_INJECTION_IN_PARAM:01", all1); - -var msg97 = msg("OS_CMD_INJECTION_IN_PARAM", dup26); - -var select16 = linear_select([ - msg96, - msg97, -]); - -var msg98 = msg("METHOD_NOT_ALLOWED:01", dup27); - -var msg99 = msg("METHOD_NOT_ALLOWED", dup26); - -var select17 = linear_select([ - msg98, - msg99, -]); - -var msg100 = msg("ERROR_RESPONSE_SUPPRESSED:01", dup27); - -var msg101 = msg("ERROR_RESPONSE_SUPPRESSED", dup26); - -var select18 = linear_select([ - msg100, - msg101, -]); - -var msg102 = msg("DENY_ACL_MATCHED:01", dup27); - -var msg103 = msg("DENY_ACL_MATCHED", dup26); - -var select19 = linear_select([ - msg102, - msg103, -]); - -var msg104 = msg("NO_DOMAIN_MATCH_IN_PROFILE", dup24); - -var msg105 = msg("NO_URL_PROFILE_MATCH", dup24); - -var msg106 = 
msg("UNRECOGNIZED_COOKIE", dup24); - -var msg107 = msg("HEADER_VALUE_LENGTH_EXCEEDED", dup24); - -var msg108 = msg("UNKNOWN_CONTENT_TYPE", dup24); - -var msg109 = msg("INVALID_URL_ENCODING", dup24); - -var msg110 = msg("INVALID_URL_CHARSET", dup24); - -var msg111 = msg("CROSS_SITE_SCRIPTING_IN_URL:01", dup27); - -var msg112 = msg("CROSS_SITE_SCRIPTING_IN_URL", dup26); - -var select20 = linear_select([ - msg111, - msg112, -]); - -var msg113 = msg("SLASH_DOT_IN_URL:01", dup27); - -var msg114 = msg("SLASH_DOT_IN_URL", dup26); - -var select21 = linear_select([ - msg113, - msg114, -]); - -var part86 = match("MESSAGE#114:SYS", "nwparser.payload", "%{fld9->} %{fld10->} %{timezone->} %{fld11->} %{category->} %{event_type->} %{severity->} %{operation_id->} %{event_description}", processor_chain([ - dup3, - date_time({ - dest: "event_time", - args: ["hfld9","hfld10"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], - }), -])); - -var msg115 = msg("SYS", part86); - -var part87 = match("MESSAGE#115:BARRACUDAWAF", "nwparser.payload", "Log=%{event_log->} Severity=%{severity->} Protocol=%{protocol->} SourceIP=%{saddr->} SourcePort=%{sport->} DestIP=%{daddr->} DestPort=%{dport->} Action=%{action->} AdminName=%{administrator->} Details=%{info}", processor_chain([ - dup17, - date_time({ - dest: "event_time", - args: ["hfld1","hfld2"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], - }), -])); - -var msg116 = msg("BARRACUDAWAF", part87); - -var part88 = match("MESSAGE#116:Audit_Logs", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} AUDIT %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ - dup7, - dup8, - setc("category","AUDIT"), - setc("vid","Audit_Logs"), -])); - -var msg117 = msg("Audit_Logs", part88); - -var part89 = match("MESSAGE#117:WF", "nwparser.payload", "%{fld88->} %{fld89->} 
%{timezone->} WF %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} [%{result}] %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ - dup17, - dup8, - setc("category","WF"), - setc("vid","WF"), -])); - -var msg118 = msg("WF", part89); - -var part90 = match("MESSAGE#118:TR_Logs:01/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes->} \"-\" \"-\" \"%{user_agent}\" %{stransaddr->} %{p0}"); - -var all2 = all_match({ - processors: [ - part90, - dup25, - ], - on_success: processor_chain([ - dup17, - dup20, - dup8, - dup21, - dup22, - ]), -}); - -var msg119 = msg("TR_Logs:01", all2); - -var part91 = match("MESSAGE#119:TR_Logs:02/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes->} %{web_query->} \"-\" \"%{user_agent}\" %{stransaddr->} %{p0}"); - -var all3 = all_match({ - processors: [ - part91, - dup25, - ], - on_success: processor_chain([ - dup17, - dup20, - dup8, - dup21, - dup22, - ]), -}); - -var msg120 = msg("TR_Logs:02", all3); - -var part92 = match("MESSAGE#120:TR_Logs:03/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes->} \"-\" %{web_cookie->} \"%{user_agent}\" %{stransaddr->} %{p0}"); - -var all4 = all_match({ - processors: [ - part92, - dup25, - ], - on_success: processor_chain([ - 
dup17, - dup20, - dup8, - dup21, - dup22, - ]), -}); - -var msg121 = msg("TR_Logs:03", all4); - -var part93 = match("MESSAGE#121:TR_Logs/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes->} %{web_query->} %{web_cookie->} \"%{user_agent}\" %{stransaddr->} %{p0}"); - -var all5 = all_match({ - processors: [ - part93, - dup25, - ], - on_success: processor_chain([ - dup17, - dup20, - dup8, - dup21, - dup22, - ]), -}); - -var msg122 = msg("TR_Logs", all5); - -var select22 = linear_select([ - msg117, - msg118, - msg119, - msg120, - msg121, - msg122, -]); - -var chain1 = processor_chain([ - select1, - msgid_select({ - "BARRACUDAWAF": msg116, - "BARRACUDA_GENRIC": select22, - "BYPASS": select6, - "CONFIG": msg72, - "CONFIG_AGENT": select4, - "CROSS_SITE_SCRIPTING_IN_PARAM": select10, - "CROSS_SITE_SCRIPTING_IN_URL": select20, - "DENY_ACL_MATCHED": select19, - "ERROR_RESPONSE_SUPPRESSED": select18, - "FIRMWARE_REVERT": msg80, - "FIRMWARE_UPDATE": msg79, - "HEADER_COUNT_EXCEEDED": select9, - "HEADER_VALUE_LENGTH_EXCEEDED": msg107, - "INSTALL": select7, - "INVALID_URL_CHARSET": msg110, - "INVALID_URL_ENCODING": msg109, - "LOGIN": msg73, - "LOGOUT": msg75, - "METHOD_NOT_ALLOWED": select17, - "NO_DOMAIN_MATCH_IN_PROFILE": msg104, - "NO_URL_PROFILE_MATCH": msg105, - "OS_CMD_INJECTION_IN_PARAM": select16, - "OS_CMD_INJECTION_IN_URL": select12, - "PROCMON": select5, - "REBOOT": msg81, - "ROLLBACK": msg82, - "SESSION_TIMEOUT": msg74, - "SLASH_DOT_IN_URL": select21, - "SQL_INJECTION_IN_PARAM": select14, - "SQL_INJECTION_IN_URL": select11, - "STM": select2, - "STM_WRAPPER": select3, - "SUPPORT_TUNNEL_OPEN": msg78, - "SYS": msg115, - "TILDE_IN_URL": select13, - "TRANSPARENT_MODE": msg77, - "UNKNOWN_CONTENT_TYPE": msg108, - "UNRECOGNIZED_COOKIE": msg106, - 
"UNSUCCESSFUL_LOGIN": msg76, - "UPDATE": msg1, - "eventmgr": select8, - }), -]); - -var part94 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} %{p0}"); - -var part95 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_0", "nwparser.p0", "\"[%{result}]\" %{p0}"); - -var part96 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_1", "nwparser.p0", "[%{result}] %{p0}"); - -var part97 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/2", "nwparser.p0", "%{web_method->} %{url->} %{protocol->} - %{stransaddr->} %{stransport->} %{web_referer}"); - -var part98 = match("MESSAGE#85:CROSS_SITE_SCRIPTING_IN_PARAM:01/2", "nwparser.p0", "%{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}"); - -var part99 = match("MESSAGE#118:TR_Logs:01/1_0", "nwparser.p0", "%{stransport->} %{content_type}"); - -var part100 = match_copy("MESSAGE#118:TR_Logs:01/1_1", "nwparser.p0", "stransport"); - -var select23 = linear_select([ - dup13, - dup14, -]); - -var part101 = match("MESSAGE#103:NO_DOMAIN_MATCH_IN_PROFILE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} [%{result}] %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ - dup17, - dup8, -])); - -var select24 = linear_select([ - dup18, - dup19, -]); - -var all6 = all_match({ - processors: [ - dup12, - dup23, - dup15, - ], - on_success: processor_chain([ - dup11, - dup8, - ]), -}); - -var all7 = all_match({ - processors: [ - dup12, - dup23, - dup16, - ], - on_success: processor_chain([ - dup11, - dup8, - ]), -}); 
diff --git a/x-pack/filebeat/module/barracuda/waf/ingest/pipeline.yml b/x-pack/filebeat/module/barracuda/waf/ingest/pipeline.yml deleted file mode 100644 index 80e68bb2523..00000000000 --- a/x-pack/filebeat/module/barracuda/waf/ingest/pipeline.yml +++ /dev/null @@ -1,64 +0,0 @@ ---- -description: Pipeline for Barracuda Web Application Firewall - -processors: - # ECS event.ingested - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - # User agent - - user_agent: - field: user_agent.original - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.hosts - value: '{{host.name}}' - allow_duplicates: false - if: ctx.host?.name != null && ctx.host?.name != '' -on_failure: - - append: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/barracuda/waf/manifest.yml b/x-pack/filebeat/module/barracuda/waf/manifest.yml deleted file mode 100644 index cab91dcb929..00000000000 --- a/x-pack/filebeat/module/barracuda/waf/manifest.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -module_version: "1.0" - -var: - - name: paths - - name: tags - default: ["barracuda.waf", "forwarded"] - - name: syslog_host - default: localhost - - name: syslog_port - default: 9525 - - name: input - default: udp - - name: community_id - default: true - - name: tz_offset - default: local - - name: rsa_fields - default: true - - name: keep_raw_fields - default: false - - name: debug - default: false - -ingest_pipeline: ingest/pipeline.yml -input: config/input.yml - -requires.processors: -- name: geoip - plugin: ingest-geoip -- name: user_agent - plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/barracuda/waf/test/generated.log b/x-pack/filebeat/module/barracuda/waf/test/generated.log deleted file mode 100644 index da13bb9dbe3..00000000000 --- a/x-pack/filebeat/module/barracuda/waf/test/generated.log +++ /dev/null 
@@ -1,100 +0,0 @@ -PROCMON: Started monitoring -BYPASS: Mode set to BYPASS (nbyCic). -UPDATE: [ALERT:tvolup] New attack definition version 1.1000 is available -STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed. -STM_WRAPPER: Initializing STM. -eventmgr: Forwarding log messages to syslog host #imadm, address=10.16.222.151 -PROCMON: [ALERT:eritqui] One of the RAID arrays is degrading. -BYPASS: Mode change: ccusant,epteurs -UPDATE: [ALERT:modoco] New attack definition version 1.3971 is available -STM: LB-doloreeu elillumq CreateServer =loremeum -STM: WebLog-radi ula itsed: SapCtx=rad,SapId=olupta, ididu -UPDATE: [ALERT:xcepte] New attack definition version 1.4012 is available -PROCMON: Monitoring links: lo4933 -PROCMON: [ALERT:doconse] One of the RAID arrays is degrading. -CONFIG_AGENT: odite atn It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., sectet -STM: LB-tet voluptas ActiveServerOutOfBandMonitorAttr =inv -STM_WRAPPER: [ALERT:obeata] Configuration size is pexeaco which exceeds the ercitati safe limit. Please check your configuration. -BYPASS: Mode change: urEx,labo -eventmgr: Event manager startup succeeded. -STM: LB-Maloru lapariat SetServerdmin=oinBCSed -STM_WRAPPER: Successfully stopped STM. -CONFIG_AGENT: luptate Initiating config_agent database commit phase. -STM: LB-isistena Malorum SetSapquelauda=enderit -eventmgr: Forwarding log messages to syslog host #equun, address=10.4.65.246 -UPDATE: [ALERT:exer] New attack definition version 1.481 is available -eventmgr: Event manager startup succeeded. -STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed. -CONFIG_AGENT: isnisiu aspernat Update succeeded -INSTALL: Loading the snapshot for mquel release. 
-INSTALL: Migrating configuration from ueporr to ptate -PROCMON: [ALERT:onsequ] enp0s7094: link is up -CONFIG_AGENT: iquip tDuisau It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., amali -eventmgr: Event manager startup succeeded. -PROCMON: Started monitoring -STM: LB-mveniam rvelill EnableServer =iame -PROCMON: number of stm worker threads iseuf -STM: WebLog-ipiscin idolore turExce: SapCtx=modoc,SapId=mdolors, borios -STM_WRAPPER: Successfully stopped STM. -eventmgr: Forwarding log messages to syslog host #ccusa, address=10.58.33.30 -PROCMON: [ALERT:uiadolo] eth321: link is up -CONFIG_AGENT: rsi ciduntut Update succeeded -CONFIG_AGENT: radipis RPC Name =isa, RPC Result: aal -INSTALL: Loading the snapshot for ris release. -CONFIG_AGENT: aliqui rcitat Update succeeded -CONFIG_AGENT: aeconse Initiating config_agent database commit phase. -PROCMON: Started monitoring -CONFIG_AGENT: iaecon ipexea Update succeeded -INSTALL: Migrating configuration from nulapa to cillu -PROCMON: [ALERT:ectetura] Firmware storage exceeds didun -CONFIG_AGENT: rcit nul Received put-tree command -UPDATE: [ALERT:aliquaU] New attack definition version 1.1278 is available -UPDATE: [ALERT:amei] New attack definition version 1.7778 is available -UPDATE: [ALERT:gelitse] New attack definition version 1.3018 is available -INSTALL: Migrating configuration from iceroin to qui -INSTALL: Migrating configuration from pariatu to issusc -STM: FAILOVE-roinBCSe oreet Stateful Failover Module initialized. -STM_WRAPPER: Committing UI configuration. -STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed. -INSTALL: Migrating configuration from ernat to Ute -STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed. -STM_WRAPPER: Successfully initialized STM. 
-STM: RespPage-rinrepr rvelill CreateRP: Response Page mve created successfully -STM_WRAPPER: [ALERT:ineav] Configuration size is onp which exceeds the gnaaliqu safe limit. Please check your configuration. -BYPASS: Mode set to never bypass. -CONFIG_AGENT: quaea RPC Name =eetd, RPC Result: fdeFin -PROCMON: number of stm worker threads isrro -CONFIG_AGENT: tutlabo Initiating config_agent database commit phase. -INSTALL: Loading the snapshot for pli release. -CONFIG_AGENT: erit Initiating config_agent database commit phase. -INSTALL: Loading the snapshot for mod release. -INSTALL: Loading the snapshot for lamcolab release. -INSTALL: Migrating configuration from estlab to tis -PROCMON: [ALERT:uamqua] Firmware storage exceeds labo -INSTALL: Migrating configuration from tfugit to taspern -eventmgr: Forwarding log messages to syslog host #meiusm, address=10.48.248.158 -STM_WRAPPER: Successfully initialized STM. -PROCMON: number of stm worker threads isonula -STM: FTPSVC-nimi ilmoles Ftp proxy initialized labor -PROCMON: [ALERT:atev] One of the RAID arrays is degrading. -CONFIG_AGENT: amaliq ept Received put-tree command -BYPASS: Mode set to BYPASS (ectetura). -STM: COOKIE-icab quiado scipit = quiavolu -BYPASS: Mode set to never bypass. -STM: CACHE-oconseq tsedd untin SapCtx susc, SapId amr, Return Code success -STM: aps-ddoeius tautfugi ParamProtectionClonePatterns: Old:cin, New:fugia, PatternsNode:olors -INSTALL: Loading the snapshot for admi release. -CONFIG_AGENT: aecons Initiating config_agent database commit phase. -PROCMON: Monitoring links: eth801 -PROCMON: Started monitoring -UPDATE: [ALERT:ntoc] New attack definition version 1.7781 is available -INSTALL: Loading the snapshot for stru release. -PROCMON: Monitoring links: enp0s6182 -PROCMON: number of stm worker threads isumwri -BYPASS: Mode set to never bypass. -BYPASS: Mode set to BYPASS (eniamqu). -UPDATE: [ALERT:tco] New attack definition version 1.6840 is available -STM_WRAPPER: Successfully initialized STM. 
-STM_WRAPPER: Initializing STM. -STM_WRAPPER: Successfully initialized STM. -PROCMON: Started monitoring diff --git a/x-pack/filebeat/module/barracuda/waf/test/generated.log-expected.json b/x-pack/filebeat/module/barracuda/waf/test/generated.log-expected.json deleted file mode 100644 index ae69b15409b..00000000000 --- a/x-pack/filebeat/module/barracuda/waf/test/generated.log-expected.json +++ /dev/null 
@@ -1,1963 +0,0 @@ -[ - { - "event.code": "PROCMON", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "PROCMON: Started monitoring", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 0, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "PROCMON: Started monitoring", - "rsa.internal.messageid": "PROCMON", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "BYPASS", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "BYPASS: Mode set to BYPASS (nbyCic).", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 28, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " Mode set to BYPASS.", - "rsa.internal.messageid": "BYPASS", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "UPDATE", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "UPDATE: [ALERT:tvolup] New attack definition version 1.1000 is available", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 65, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "observer.version": "1.1000", - "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", - "rsa.internal.messageid": "UPDATE", - "rsa.misc.version": "1.1000", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "STM_WRAPPER", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "STM_WRAPPER: Rolling back the current database transaction. 
Configuration digest failed.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 138, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", - "rsa.internal.messageid": "STM_WRAPPER", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "STM_WRAPPER", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "STM_WRAPPER: Initializing STM.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 227, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: Initializing STM.", - "rsa.internal.messageid": "STM_WRAPPER", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "eventmgr", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "eventmgr: Forwarding log messages to syslog host #imadm, address=10.16.222.151", - "fileset.name": "waf", - "host.ip": "10.16.222.151", - "input.type": "log", - "log.offset": 258, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "related.ip": [ - "10.16.222.151" - ], - "rsa.internal.event_desc": "eventmgr: Forwarding log messages to syslog host", - "rsa.internal.messageid": "eventmgr", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "PROCMON", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "PROCMON: [ALERT:eritqui] One of the RAID arrays is degrading.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 337, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "PROCMON:One of the RAID arrays is degrading.", - 
"rsa.internal.messageid": "PROCMON", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "BYPASS", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "BYPASS: Mode change: ccusant,epteurs", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 399, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "Mode change.", - "rsa.internal.messageid": "BYPASS", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "UPDATE", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "UPDATE: [ALERT:modoco] New attack definition version 1.3971 is available", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 436, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "observer.version": "1.3971", - "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", - "rsa.internal.messageid": "UPDATE", - "rsa.misc.version": "1.3971", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "STM", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "STM: LB-doloreeu elillumq CreateServer =loremeum", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 509, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM: LB Create Server command.", - "rsa.internal.messageid": "STM", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "STM", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "STM: WebLog-radi ula itsed: SapCtx=rad,SapId=olupta, ididu", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 558, - 
"observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM: WebLog Set Sap variable.", - "rsa.internal.messageid": "STM", - "rsa.misc.obj_name": "itsed", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "UPDATE", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "UPDATE: [ALERT:xcepte] New attack definition version 1.4012 is available", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 617, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "observer.version": "1.4012", - "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", - "rsa.internal.messageid": "UPDATE", - "rsa.misc.version": "1.4012", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "PROCMON", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "PROCMON: Monitoring links: lo4933", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 690, - "network.interface.name": "lo4933", - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "PROCMON: Monitoring links.", - "rsa.internal.messageid": "PROCMON", - "rsa.network.interface": "lo4933", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "PROCMON", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "PROCMON: [ALERT:doconse] One of the RAID arrays is degrading.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 724, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "PROCMON:One of the RAID arrays is degrading.", - "rsa.internal.messageid": "PROCMON", - "service.type": "barracuda", - "tags": [ 
- "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "CONFIG_AGENT", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "CONFIG_AGENT: odite atn It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., sectet", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 786, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time.", - "rsa.internal.messageid": "CONFIG_AGENT", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "STM", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "STM: LB-tet voluptas ActiveServerOutOfBandMonitorAttr =inv", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 916, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM: LB ActiveServerOutOfBandMonitorAttr command.", - "rsa.internal.messageid": "STM", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "STM_WRAPPER", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "STM_WRAPPER: [ALERT:obeata] Configuration size is pexeaco which exceeds the ercitati safe limit. 
Please check your configuration.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 975, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: ALERT Configuration size exceeds the safe memory limit.", - "rsa.internal.messageid": "STM_WRAPPER", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "BYPASS", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "BYPASS: Mode change: urEx,labo", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 1105, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "Mode change.", - "rsa.internal.messageid": "BYPASS", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "eventmgr", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "eventmgr: Event manager startup succeeded.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 1136, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "eventmgr: Event manager startup succeeded.", - "rsa.internal.messageid": "eventmgr", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "STM", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "STM: LB-Maloru lapariat SetServerdmin=oinBCSed", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 1179, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.db.index": "dmin", - "rsa.internal.event_desc": "STM: LB Set Server command.", - "rsa.internal.messageid": "STM", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "STM_WRAPPER", - 
"event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "STM_WRAPPER: Successfully stopped STM.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 1226, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: Successfully stopped STM.", - "rsa.internal.messageid": "STM_WRAPPER", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "CONFIG_AGENT", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "CONFIG_AGENT: luptate Initiating config_agent database commit phase.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 1265, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "CONFIG_AGENT:Initiating config_agent database commit phase.", - "rsa.internal.messageid": "CONFIG_AGENT", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "STM", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "STM: LB-isistena Malorum SetSapquelauda=enderit", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 1334, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.db.index": "quelauda", - "rsa.internal.event_desc": "STM: LB Set Sap command.", - "rsa.internal.messageid": "STM", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "eventmgr", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "eventmgr: Forwarding log messages to syslog host #equun, address=10.4.65.246", - "fileset.name": "waf", - "host.ip": "10.4.65.246", - "input.type": "log", - "log.offset": 1382, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "related.ip": [ - 
"10.4.65.246" - ], - "rsa.internal.event_desc": "eventmgr: Forwarding log messages to syslog host", - "rsa.internal.messageid": "eventmgr", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "UPDATE", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "UPDATE: [ALERT:exer] New attack definition version 1.481 is available", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 1459, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "observer.version": "1.481", - "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", - "rsa.internal.messageid": "UPDATE", - "rsa.misc.version": "1.481", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "eventmgr", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "eventmgr: Event manager startup succeeded.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 1529, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "eventmgr: Event manager startup succeeded.", - "rsa.internal.messageid": "eventmgr", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "STM_WRAPPER", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 1572, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: Rolling back the current database transaction. 
Configuration digest failed.", - "rsa.internal.messageid": "STM_WRAPPER", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "CONFIG_AGENT", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "CONFIG_AGENT: isnisiu aspernat Update succeeded", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 1661, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "CONFIG_AGENT:Update succeded.", - "rsa.internal.messageid": "CONFIG_AGENT", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "INSTALL", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "INSTALL: Loading the snapshot for mquel release.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 1709, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", - "rsa.internal.messageid": "INSTALL", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "INSTALL", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "INSTALL: Migrating configuration from ueporr to ptate", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 1758, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " INSTALL: migrating configuration.", - "rsa.internal.messageid": "INSTALL", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "PROCMON", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "PROCMON: [ALERT:onsequ] enp0s7094: link is up", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 1812, - 
"network.interface.name": "enp0s7094", - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "PROCMON:Link is up.", - "rsa.internal.messageid": "PROCMON", - "rsa.network.interface": "enp0s7094", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "CONFIG_AGENT", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "CONFIG_AGENT: iquip tDuisau It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., amali", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 1858, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time.", - "rsa.internal.messageid": "CONFIG_AGENT", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "eventmgr", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "eventmgr: Event manager startup succeeded.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 1991, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "eventmgr: Event manager startup succeeded.", - "rsa.internal.messageid": "eventmgr", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "PROCMON", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "PROCMON: Started monitoring", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 2034, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "PROCMON: Started monitoring", - "rsa.internal.messageid": "PROCMON", - "service.type": "barracuda", - "tags": [ - 
"barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "STM", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "STM: LB-mveniam rvelill EnableServer =iame", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 2062, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM: LB Enable Server command.", - "rsa.internal.messageid": "STM", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "PROCMON", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "PROCMON: number of stm worker threads iseuf", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 2105, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.db.index": "euf", - "rsa.internal.event_desc": "PROCMON: number of stm worker threads", - "rsa.internal.messageid": "PROCMON", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "STM", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "STM: WebLog-ipiscin idolore turExce: SapCtx=modoc,SapId=mdolors, borios", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 2149, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM: WebLog Set Sap variable.", - "rsa.internal.messageid": "STM", - "rsa.misc.obj_name": "turExce", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "STM_WRAPPER", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "STM_WRAPPER: Successfully stopped STM.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 2221, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - 
"rsa.internal.event_desc": "STM_WRAPPER: Successfully stopped STM.", - "rsa.internal.messageid": "STM_WRAPPER", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "eventmgr", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "eventmgr: Forwarding log messages to syslog host #ccusa, address=10.58.33.30", - "fileset.name": "waf", - "host.ip": "10.58.33.30", - "input.type": "log", - "log.offset": 2260, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "related.ip": [ - "10.58.33.30" - ], - "rsa.internal.event_desc": "eventmgr: Forwarding log messages to syslog host", - "rsa.internal.messageid": "eventmgr", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "PROCMON", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "PROCMON: [ALERT:uiadolo] eth321: link is up", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 2337, - "network.interface.name": "eth321", - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "PROCMON:Link is up.", - "rsa.internal.messageid": "PROCMON", - "rsa.network.interface": "eth321", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "CONFIG_AGENT", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "CONFIG_AGENT: rsi ciduntut Update succeeded", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 2381, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "CONFIG_AGENT:Update succeded.", - "rsa.internal.messageid": "CONFIG_AGENT", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "CONFIG_AGENT", - "event.dataset": "barracuda.waf", - 
"event.module": "barracuda", - "event.original": "CONFIG_AGENT: radipis RPC Name =isa, RPC Result: aal", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 2425, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "CONFIG_AGENT: RPC information.", - "rsa.internal.messageid": "CONFIG_AGENT", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "INSTALL", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "INSTALL: Loading the snapshot for ris release.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 2478, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", - "rsa.internal.messageid": "INSTALL", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "CONFIG_AGENT", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "CONFIG_AGENT: aliqui rcitat Update succeeded", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 2525, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "CONFIG_AGENT:Update succeded.", - "rsa.internal.messageid": "CONFIG_AGENT", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "CONFIG_AGENT", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "CONFIG_AGENT: aeconse Initiating config_agent database commit phase.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 2570, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "CONFIG_AGENT:Initiating config_agent database commit phase.", - "rsa.internal.messageid": "CONFIG_AGENT", 
- "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "PROCMON", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "PROCMON: Started monitoring", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 2639, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "PROCMON: Started monitoring", - "rsa.internal.messageid": "PROCMON", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "CONFIG_AGENT", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "CONFIG_AGENT: iaecon ipexea Update succeeded", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 2667, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "CONFIG_AGENT:Update succeded.", - "rsa.internal.messageid": "CONFIG_AGENT", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "INSTALL", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "INSTALL: Migrating configuration from nulapa to cillu", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 2712, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " INSTALL: migrating configuration.", - "rsa.internal.messageid": "INSTALL", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "PROCMON", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "PROCMON: [ALERT:ectetura] Firmware storage exceeds didun", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 2766, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.db.index": "didun", - 
"rsa.internal.event_desc": "PROCMON:Firmware storage exceeding.", - "rsa.internal.messageid": "PROCMON", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "CONFIG_AGENT", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "CONFIG_AGENT: rcit nul Received put-tree command", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 2823, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "CONFIG_AGENT:Received put-tree command.", - "rsa.internal.messageid": "CONFIG_AGENT", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "UPDATE", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "UPDATE: [ALERT:aliquaU] New attack definition version 1.1278 is available", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 2872, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "observer.version": "1.1278", - "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", - "rsa.internal.messageid": "UPDATE", - "rsa.misc.version": "1.1278", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "UPDATE", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "UPDATE: [ALERT:amei] New attack definition version 1.7778 is available", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 2946, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "observer.version": "1.7778", - "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", - "rsa.internal.messageid": "UPDATE", - "rsa.misc.version": "1.7778", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": 
"UPDATE", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "UPDATE: [ALERT:gelitse] New attack definition version 1.3018 is available", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 3017, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "observer.version": "1.3018", - "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", - "rsa.internal.messageid": "UPDATE", - "rsa.misc.version": "1.3018", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "INSTALL", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "INSTALL: Migrating configuration from iceroin to qui", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 3091, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " INSTALL: migrating configuration.", - "rsa.internal.messageid": "INSTALL", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "INSTALL", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "INSTALL: Migrating configuration from pariatu to issusc", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 3144, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " INSTALL: migrating configuration.", - "rsa.internal.messageid": "INSTALL", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "STM", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "STM: FAILOVE-roinBCSe oreet Stateful Failover Module initialized.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 3200, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": 
"Barracuda", - "rsa.internal.event_desc": "STM: FAILOVE Stateful Failover Module initialized.", - "rsa.internal.messageid": "STM", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "STM_WRAPPER", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "STM_WRAPPER: Committing UI configuration.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 3266, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: Committing UI configuration.", - "rsa.internal.messageid": "STM_WRAPPER", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "STM_WRAPPER", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 3308, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: Rolling back the current database transaction. 
Configuration digest failed.", - "rsa.internal.messageid": "STM_WRAPPER", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "INSTALL", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "INSTALL: Migrating configuration from ernat to Ute", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 3397, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " INSTALL: migrating configuration.", - "rsa.internal.messageid": "INSTALL", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "STM_WRAPPER", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 3448, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: Rolling back the current database transaction. 
Configuration digest failed.", - "rsa.internal.messageid": "STM_WRAPPER", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "STM_WRAPPER", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "STM_WRAPPER: Successfully initialized STM.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 3537, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: Successfully initialized STM.", - "rsa.internal.messageid": "STM_WRAPPER", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "STM", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "STM: RespPage-rinrepr rvelill CreateRP: Response Page mve created successfully", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 3580, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM: RespPage Response Page created successfully.", - "rsa.internal.messageid": "STM", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "STM_WRAPPER", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "STM_WRAPPER: [ALERT:ineav] Configuration size is onp which exceeds the gnaaliqu safe limit. 
Please check your configuration.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 3659, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: ALERT Configuration size exceeds the safe memory limit.", - "rsa.internal.messageid": "STM_WRAPPER", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "BYPASS", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "BYPASS: Mode set to never bypass.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 3784, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " Mode set to never BYPASS.", - "rsa.internal.messageid": "BYPASS", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "CONFIG_AGENT", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "CONFIG_AGENT: quaea RPC Name =eetd, RPC Result: fdeFin", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 3818, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "CONFIG_AGENT: RPC information.", - "rsa.internal.messageid": "CONFIG_AGENT", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "PROCMON", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "PROCMON: number of stm worker threads isrro", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 3873, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.db.index": "rro", - "rsa.internal.event_desc": "PROCMON: number of stm worker threads", - "rsa.internal.messageid": "PROCMON", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - 
"event.code": "CONFIG_AGENT", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "CONFIG_AGENT: tutlabo Initiating config_agent database commit phase.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 3917, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "CONFIG_AGENT:Initiating config_agent database commit phase.", - "rsa.internal.messageid": "CONFIG_AGENT", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "INSTALL", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "INSTALL: Loading the snapshot for pli release.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 3986, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", - "rsa.internal.messageid": "INSTALL", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "CONFIG_AGENT", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "CONFIG_AGENT: erit Initiating config_agent database commit phase.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 4033, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "CONFIG_AGENT:Initiating config_agent database commit phase.", - "rsa.internal.messageid": "CONFIG_AGENT", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "INSTALL", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "INSTALL: Loading the snapshot for mod release.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 4099, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": 
"Barracuda", - "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", - "rsa.internal.messageid": "INSTALL", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "INSTALL", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "INSTALL: Loading the snapshot for lamcolab release.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 4146, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", - "rsa.internal.messageid": "INSTALL", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "INSTALL", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "INSTALL: Migrating configuration from estlab to tis", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 4198, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " INSTALL: migrating configuration.", - "rsa.internal.messageid": "INSTALL", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "PROCMON", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "PROCMON: [ALERT:uamqua] Firmware storage exceeds labo", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 4250, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.db.index": "labo", - "rsa.internal.event_desc": "PROCMON:Firmware storage exceeding.", - "rsa.internal.messageid": "PROCMON", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "INSTALL", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "INSTALL: Migrating configuration from tfugit to 
taspern", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 4304, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " INSTALL: migrating configuration.", - "rsa.internal.messageid": "INSTALL", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "eventmgr", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "eventmgr: Forwarding log messages to syslog host #meiusm, address=10.48.248.158", - "fileset.name": "waf", - "host.ip": "10.48.248.158", - "input.type": "log", - "log.offset": 4360, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "related.ip": [ - "10.48.248.158" - ], - "rsa.internal.event_desc": "eventmgr: Forwarding log messages to syslog host", - "rsa.internal.messageid": "eventmgr", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "STM_WRAPPER", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "STM_WRAPPER: Successfully initialized STM.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 4440, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: Successfully initialized STM.", - "rsa.internal.messageid": "STM_WRAPPER", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "PROCMON", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "PROCMON: number of stm worker threads isonula", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 4483, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.db.index": "onula", - "rsa.internal.event_desc": "PROCMON: number of stm worker threads", - "rsa.internal.messageid": "PROCMON", - 
"service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "STM", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "STM: FTPSVC-nimi ilmoles Ftp proxy initialized labor", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 4529, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.db.index": "labor", - "rsa.internal.event_desc": "STM: FTPSVC Ftp proxy initialized.", - "rsa.internal.messageid": "STM", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "PROCMON", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "PROCMON: [ALERT:atev] One of the RAID arrays is degrading.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 4582, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "PROCMON:One of the RAID arrays is degrading.", - "rsa.internal.messageid": "PROCMON", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "CONFIG_AGENT", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "CONFIG_AGENT: amaliq ept Received put-tree command", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 4641, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "CONFIG_AGENT:Received put-tree command.", - "rsa.internal.messageid": "CONFIG_AGENT", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "BYPASS", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "BYPASS: Mode set to BYPASS (ectetura).", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 4692, - "observer.product": "Web", - "observer.type": "WAF", - 
"observer.vendor": "Barracuda", - "rsa.internal.event_desc": " Mode set to BYPASS.", - "rsa.internal.messageid": "BYPASS", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "STM", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "STM: COOKIE-icab quiado scipit = quiavolu", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 4731, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.db.index": "quiavolu", - "rsa.internal.event_desc": "STM: COOKIE Cookie parameters set.", - "rsa.internal.messageid": "STM", - "rsa.misc.obj_name": "scipit", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "BYPASS", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "BYPASS: Mode set to never bypass.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 4773, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " Mode set to never BYPASS.", - "rsa.internal.messageid": "BYPASS", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "STM", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "STM: CACHE-oconseq tsedd untin SapCtx susc, SapId amr, Return Code success", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 4807, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM: CACHE SapCtx log.", - "rsa.internal.messageid": "STM", - "rsa.misc.obj_name": "untin", - "rsa.misc.result": "success", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "STM", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "STM: aps-ddoeius 
tautfugi ParamProtectionClonePatterns: Old:cin, New:fugia, PatternsNode:olors", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 4882, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM: aps ParamProtectionClonePatterns values changed.", - "rsa.internal.messageid": "STM", - "rsa.misc.change_new": "fugia", - "rsa.misc.change_old": "cin", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "INSTALL", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "INSTALL: Loading the snapshot for admi release.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 4977, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", - "rsa.internal.messageid": "INSTALL", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "CONFIG_AGENT", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "CONFIG_AGENT: aecons Initiating config_agent database commit phase.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 5025, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "CONFIG_AGENT:Initiating config_agent database commit phase.", - "rsa.internal.messageid": "CONFIG_AGENT", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "PROCMON", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "PROCMON: Monitoring links: eth801", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 5093, - "network.interface.name": "eth801", - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": 
"PROCMON: Monitoring links.", - "rsa.internal.messageid": "PROCMON", - "rsa.network.interface": "eth801", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "PROCMON", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "PROCMON: Started monitoring", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 5127, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "PROCMON: Started monitoring", - "rsa.internal.messageid": "PROCMON", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "UPDATE", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "UPDATE: [ALERT:ntoc] New attack definition version 1.7781 is available", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 5155, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "observer.version": "1.7781", - "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", - "rsa.internal.messageid": "UPDATE", - "rsa.misc.version": "1.7781", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "INSTALL", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "INSTALL: Loading the snapshot for stru release.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 5226, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " INSTALL: Loading snapshot from previous version.", - "rsa.internal.messageid": "INSTALL", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "PROCMON", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "PROCMON: Monitoring links: 
enp0s6182", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 5274, - "network.interface.name": "enp0s6182", - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "PROCMON: Monitoring links.", - "rsa.internal.messageid": "PROCMON", - "rsa.network.interface": "enp0s6182", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "PROCMON", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "PROCMON: number of stm worker threads isumwri", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 5311, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.db.index": "umwri", - "rsa.internal.event_desc": "PROCMON: number of stm worker threads", - "rsa.internal.messageid": "PROCMON", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "BYPASS", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "BYPASS: Mode set to never bypass.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 5357, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " Mode set to never BYPASS.", - "rsa.internal.messageid": "BYPASS", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "BYPASS", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "BYPASS: Mode set to BYPASS (eniamqu).", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 5391, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": " Mode set to BYPASS.", - "rsa.internal.messageid": "BYPASS", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "UPDATE", 
- "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "UPDATE: [ALERT:tco] New attack definition version 1.6840 is available", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 5429, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "observer.version": "1.6840", - "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", - "rsa.internal.messageid": "UPDATE", - "rsa.misc.version": "1.6840", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "STM_WRAPPER", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "STM_WRAPPER: Successfully initialized STM.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 5499, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: Successfully initialized STM.", - "rsa.internal.messageid": "STM_WRAPPER", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "STM_WRAPPER", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "STM_WRAPPER: Initializing STM.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 5542, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: Initializing STM.", - "rsa.internal.messageid": "STM_WRAPPER", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "STM_WRAPPER", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "STM_WRAPPER: Successfully initialized STM.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 5573, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": 
"STM_WRAPPER: Successfully initialized STM.", - "rsa.internal.messageid": "STM_WRAPPER", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "PROCMON", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "PROCMON: Started monitoring", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 5616, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "PROCMON: Started monitoring", - "rsa.internal.messageid": "PROCMON", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - } -] \ No newline at end of file diff --git a/x-pack/filebeat/modules.d/barracuda.yml.disabled b/x-pack/filebeat/modules.d/barracuda.yml.disabled deleted file mode 100644 index 3926a2fec96..00000000000 --- a/x-pack/filebeat/modules.d/barracuda.yml.disabled +++ /dev/null @@ -1,41 +0,0 @@ -# Module: barracuda -# Docs: https://www.elastic.co/guide/en/beats/filebeat/main/filebeat-module-barracuda.html - -- module: barracuda - waf: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9503 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - - spamfirewall: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9524 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local 
From 03da5313f524a7a8643c92e231482fcb006f789b Mon Sep 17 00:00:00 2001 
From: Panos Koutsovasilis Date: Thu, 15 Feb 2024 13:31:25 +0200 Subject: [PATCH 03/22] feat: remove deprecated bluecoat --- filebeat/docs/fields.asciidoc | 5435 ----------------- filebeat/docs/modules_list.asciidoc | 2 - x-pack/filebeat/filebeat.reference.yml | 21 - x-pack/filebeat/include/list.go | 1 - x-pack/filebeat/module/bluecoat/README.md | 7 - .../filebeat/module/bluecoat/_meta/config.yml | 19 - .../module/bluecoat/_meta/docs.asciidoc | 70 - .../filebeat/module/bluecoat/_meta/fields.yml | 5 - .../module/bluecoat/director/_meta/fields.yml | 2635 -------- .../module/bluecoat/director/config/input.yml | 87 - .../bluecoat/director/config/liblogparser.js | 2514 -------- .../bluecoat/director/config/pipeline.js | 1223 ---- .../bluecoat/director/ingest/pipeline.yml | 64 - .../module/bluecoat/director/manifest.yml | 31 - .../bluecoat/director/test/generated.log | 100 - .../director/test/generated.log-expected.json | 2295 ------- x-pack/filebeat/module/bluecoat/fields.go | 23 - .../filebeat/modules.d/bluecoat.yml.disabled | 22 - 18 files changed, 14554 deletions(-) delete mode 100644 x-pack/filebeat/module/bluecoat/README.md delete mode 100644 x-pack/filebeat/module/bluecoat/_meta/config.yml delete mode 100644 x-pack/filebeat/module/bluecoat/_meta/docs.asciidoc delete mode 100644 x-pack/filebeat/module/bluecoat/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/bluecoat/director/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/bluecoat/director/config/input.yml delete mode 100644 x-pack/filebeat/module/bluecoat/director/config/liblogparser.js delete mode 100644 x-pack/filebeat/module/bluecoat/director/config/pipeline.js delete mode 100644 x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml delete mode 100644 x-pack/filebeat/module/bluecoat/director/manifest.yml delete mode 100644 x-pack/filebeat/module/bluecoat/director/test/generated.log delete mode 100644 x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json delete 
mode 100644 x-pack/filebeat/module/bluecoat/fields.go delete mode 100644 x-pack/filebeat/modules.d/bluecoat.yml.disabled diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index b0e87127f48..48fd4dd431e 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -22,7 +22,6 @@ grouped in the following categories: * <> * <> * <> -* <> * <> * <> * <> 
@@ -3655,5440 +3654,6 @@ type: keyword -- -[[exported-fields-bluecoat]] -== Blue Coat Director fields - -bluecoat fields. - - - -*`network.interface.name`*:: -+ --- -Name of the network interface where the traffic has been observed. - - -type: keyword - --- - - - -*`rsa.internal.msg`*:: -+ --- -This key is used to capture the raw message that comes into the Log Decoder - -type: keyword - --- - -*`rsa.internal.messageid`*:: -+ --- -type: keyword - --- - -*`rsa.internal.event_desc`*:: -+ --- -type: keyword - --- - -*`rsa.internal.message`*:: -+ --- -This key captures the contents of instant messages - -type: keyword - --- - -*`rsa.internal.time`*:: -+ --- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: date - --- - -*`rsa.internal.level`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.msg_id`*:: -+ --- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.msg_vid`*:: -+ --- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.data`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_server`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_val`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.resource`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.internal.obj_id`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.statement`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.audit_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.entry`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.hcode`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.inode`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.resource_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.dead`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.feed_desc`*:: -+ --- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.feed_name`*:: -+ --- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.cid`*:: -+ --- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_class`*:: -+ --- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_group`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_host`*:: -+ --- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_ip`*:: -+ --- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_ipv6`*:: -+ --- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_type`*:: -+ --- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_type_id`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.did`*:: -+ --- -This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.entropy_req`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.entropy_res`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.event_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.feed_category`*:: -+ --- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.forward_ip`*:: -+ --- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: ip - --- - -*`rsa.internal.forward_ipv6`*:: -+ --- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.header_id`*:: -+ --- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_cid`*:: -+ --- -This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_ctime`*:: -+ --- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: date - --- - -*`rsa.internal.mcb_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcb_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcbc_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.mcbc_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.medium`*:: -+ --- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: long - --- - -*`rsa.internal.node_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.nwe_callback_id`*:: -+ --- -This key denotes that event is endpoint related - -type: keyword - --- - -*`rsa.internal.parse_error`*:: -+ --- -This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.payload_req`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.payload_res`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.process_vid_dst`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - -type: keyword - --- - -*`rsa.internal.process_vid_src`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - -type: keyword - --- - -*`rsa.internal.rid`*:: -+ --- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.session_split`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.site`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.size`*:: -+ --- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.sourcefile`*:: -+ --- -This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.ubc_req`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.ubc_res`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.word`*:: -+ --- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - -type: keyword - --- - - -*`rsa.time.event_time`*:: -+ --- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - -type: date - --- - -*`rsa.time.duration_time`*:: -+ --- -This key is used to capture the normalized duration/lifetime in seconds. 
- -type: double - --- - -*`rsa.time.event_time_str`*:: -+ --- -This key is used to capture the incomplete time mentioned in a session as a string - -type: keyword - --- - -*`rsa.time.starttime`*:: -+ --- -This key is used to capture the Start time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.month`*:: -+ --- -type: keyword - --- - -*`rsa.time.day`*:: -+ --- -type: keyword - --- - -*`rsa.time.endtime`*:: -+ --- -This key is used to capture the End time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.timezone`*:: -+ --- -This key is used to capture the timezone of the Event Time - -type: keyword - --- - -*`rsa.time.duration_str`*:: -+ --- -A text string version of the duration - -type: keyword - --- - -*`rsa.time.date`*:: -+ --- -type: keyword - --- - -*`rsa.time.year`*:: -+ --- -type: keyword - --- - -*`rsa.time.recorded_time`*:: -+ --- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date - --- - -*`rsa.time.datetime`*:: -+ --- -type: keyword - --- - -*`rsa.time.effective_time`*:: -+ --- -This key is the effective time referenced by an individual event in a Standard Timestamp format - -type: date - --- - -*`rsa.time.expire_time`*:: -+ --- -This key is the timestamp that explicitly refers to an expiration. - -type: date - --- - -*`rsa.time.process_time`*:: -+ --- -Deprecated, use duration.time - -type: keyword - --- - -*`rsa.time.hour`*:: -+ --- -type: keyword - --- - -*`rsa.time.min`*:: -+ --- -type: keyword - --- - -*`rsa.time.timestamp`*:: -+ --- -type: keyword - --- - -*`rsa.time.event_queue_time`*:: -+ --- -This key is the Time that the event was queued. 
- -type: date - --- - -*`rsa.time.p_time1`*:: -+ --- -type: keyword - --- - -*`rsa.time.tzone`*:: -+ --- -type: keyword - --- - -*`rsa.time.eventtime`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmtdate`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmttime`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_date`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_month`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time2`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_year`*:: -+ --- -type: keyword - --- - -*`rsa.time.expire_time_str`*:: -+ --- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. - -type: keyword - --- - -*`rsa.time.stamp`*:: -+ --- -Deprecated key defined only in table map. - -type: date - --- - - -*`rsa.misc.action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.result`*:: -+ --- -This key is used to capture the outcome/result string value of an action in a session. - -type: keyword - --- - -*`rsa.misc.severity`*:: -+ --- -This key is used to capture the severity given the session - -type: keyword - --- - -*`rsa.misc.event_type`*:: -+ --- -This key captures the event category type as specified by the event source. - -type: keyword - --- - -*`rsa.misc.reference_id`*:: -+ --- -This key is used to capture an event id from the session directly - -type: keyword - --- - -*`rsa.misc.version`*:: -+ --- -This key captures Version of the application or OS which is generating the event. - -type: keyword - --- - -*`rsa.misc.disposition`*:: -+ --- -This key captures the The end state of an action. 
- -type: keyword - --- - -*`rsa.misc.result_code`*:: -+ --- -This key is used to capture the outcome/result numeric value of an action in a session - -type: keyword - --- - -*`rsa.misc.category`*:: -+ --- -This key is used to capture the category of an event given by the vendor in the session - -type: keyword - --- - -*`rsa.misc.obj_name`*:: -+ --- -This is used to capture name of object - -type: keyword - --- - -*`rsa.misc.obj_type`*:: -+ --- -This is used to capture type of object - -type: keyword - --- - -*`rsa.misc.event_source`*:: -+ --- -This key captures Source of the event that’s not a hostname - -type: keyword - --- - -*`rsa.misc.log_session_id`*:: -+ --- -This key is used to capture a sessionid from the session directly - -type: keyword - --- - -*`rsa.misc.group`*:: -+ --- -This key captures the Group Name value - -type: keyword - --- - -*`rsa.misc.policy_name`*:: -+ --- -This key is used to capture the Policy Name only. - -type: keyword - --- - -*`rsa.misc.rule_name`*:: -+ --- -This key captures the Rule Name - -type: keyword - --- - -*`rsa.misc.context`*:: -+ --- -This key captures Information which adds additional context to the event. - -type: keyword - --- - -*`rsa.misc.change_new`*:: -+ --- -This key is used to capture the new values of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.space`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client`*:: -+ --- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- -type: keyword - --- - -*`rsa.misc.msgIdPart1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.change_old`*:: -+ --- -This key is used to capture the old value of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.operation_id`*:: -+ --- -An alert number or operation number. The values should be unique and non-repeating. - -type: keyword - --- - -*`rsa.misc.event_state`*:: -+ --- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - -type: keyword - --- - -*`rsa.misc.group_object`*:: -+ --- -This key captures a collection/grouping of entities. Specific usage - -type: keyword - --- - -*`rsa.misc.node`*:: -+ --- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - -type: keyword - --- - -*`rsa.misc.rule`*:: -+ --- -This key captures the Rule number - -type: keyword - --- - -*`rsa.misc.device_name`*:: -+ --- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - -type: keyword - --- - -*`rsa.misc.param`*:: -+ --- -This key is the parameters passed as part of a command or application, etc. - -type: keyword - --- - -*`rsa.misc.change_attrib`*:: -+ --- -This key is used to capture the name of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.event_computer`*:: -+ --- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- -type: keyword - --- - -*`rsa.misc.reference_id1`*:: -+ --- -This key is for Linked ID to be used as an addition to "reference.id" - -type: keyword - --- - -*`rsa.misc.event_log`*:: -+ --- -This key captures the Name of the event log - -type: keyword - --- - -*`rsa.misc.OS`*:: -+ --- -This key captures the Name of the Operating System - -type: keyword - --- - -*`rsa.misc.terminal`*:: -+ --- -This key captures the Terminal Names only - -type: keyword - --- - -*`rsa.misc.msgIdPart3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.filter`*:: -+ --- -This key captures Filter used to reduce result set - -type: keyword - --- - -*`rsa.misc.serial_number`*:: -+ --- -This key is the Serial number associated with a physical asset. - -type: keyword - --- - -*`rsa.misc.checksum`*:: -+ --- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - -type: keyword - --- - -*`rsa.misc.event_user`*:: -+ --- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - -type: keyword - --- - -*`rsa.misc.virusname`*:: -+ --- -This key captures the name of the virus - -type: keyword - --- - -*`rsa.misc.content_type`*:: -+ --- -This key is used to capture Content Type only. - -type: keyword - --- - -*`rsa.misc.group_id`*:: -+ --- -This key captures Group ID Number (related to the group name) - -type: keyword - --- - -*`rsa.misc.policy_id`*:: -+ --- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - -type: keyword - --- - -*`rsa.misc.vsys`*:: -+ --- -This key captures Virtual System Name - -type: keyword - --- - -*`rsa.misc.connection_id`*:: -+ --- -This key captures the Connection ID - -type: keyword - --- - -*`rsa.misc.reference_id2`*:: -+ --- -This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - -type: keyword - --- - -*`rsa.misc.sensor`*:: -+ --- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - -type: keyword - --- - -*`rsa.misc.sig_id`*:: -+ --- -This key captures IDS/IPS Int Signature ID - -type: long - --- - -*`rsa.misc.port_name`*:: -+ --- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - -type: keyword - --- - -*`rsa.misc.rule_group`*:: -+ --- -This key captures the Rule group name - -type: keyword - --- - -*`rsa.misc.risk_num`*:: -+ --- -This key captures a Numeric Risk value - -type: double - --- - -*`rsa.misc.trigger_val`*:: -+ --- -This key captures the Value of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.log_session_id1`*:: -+ --- -This key is used to capture a Linked (Related) Session ID from the session directly - -type: keyword - --- - -*`rsa.misc.comp_version`*:: -+ --- -This key captures the Version level of a sub-component of a product. - -type: keyword - --- - -*`rsa.misc.content_version`*:: -+ --- -This key captures Version level of a signature or database content. - -type: keyword - --- - -*`rsa.misc.hardware_id`*:: -+ --- -This key is used to capture unique identifier for a device or system (NOT a Mac address) - -type: keyword - --- - -*`rsa.misc.risk`*:: -+ --- -This key captures the non-numeric risk value - -type: keyword - --- - -*`rsa.misc.event_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.reason`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mail_id`*:: -+ --- -This key is used to capture the mailbox id/name - -type: keyword - --- - -*`rsa.misc.rule_uid`*:: -+ --- -This key is the Unique Identifier for a rule. 
- -type: keyword - --- - -*`rsa.misc.trigger_desc`*:: -+ --- -This key captures the Description of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.inout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.data_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.error`*:: -+ --- -This key captures All non successful Error codes or responses - -type: keyword - --- - -*`rsa.misc.index`*:: -+ --- -type: keyword - --- - -*`rsa.misc.listnum`*:: -+ --- -This key is used to capture listname or listnumber, primarily for collecting access-list - -type: keyword - --- - -*`rsa.misc.ntype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.observed_val`*:: -+ --- -This key captures the Value observed (from the perspective of the device generating the log). - -type: keyword - --- - -*`rsa.misc.policy_value`*:: -+ --- -This key captures the contents of the policy. This contains details about the policy - -type: keyword - --- - -*`rsa.misc.pool_name`*:: -+ --- -This key captures the name of a resource pool - -type: keyword - --- - -*`rsa.misc.rule_template`*:: -+ --- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - -type: keyword - --- - -*`rsa.misc.count`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigcat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comments`*:: -+ --- -Comment information provided in the log message - -type: keyword - --- - -*`rsa.misc.doc_number`*:: -+ --- -This key captures File Identification number - -type: long - --- - -*`rsa.misc.expected_val`*:: -+ --- -This key captures the Value expected (from the perspective of the device generating the log). 
- -type: keyword - --- - -*`rsa.misc.job_num`*:: -+ --- -This key captures the Job Number - -type: keyword - --- - -*`rsa.misc.spi_dst`*:: -+ --- -Destination SPI Index - -type: keyword - --- - -*`rsa.misc.spi_src`*:: -+ --- -Source SPI Index - -type: keyword - --- - -*`rsa.misc.code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.agent_id`*:: -+ --- -This key is used to capture agent id - -type: keyword - --- - -*`rsa.misc.message_body`*:: -+ --- -This key captures the The contents of the message body. - -type: keyword - --- - -*`rsa.misc.phone`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sig_id_str`*:: -+ --- -This key captures a string object of the sigid variable. - -type: keyword - --- - -*`rsa.misc.cmd`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu`*:: -+ --- -This key is the CPU time used in the execution of the event being recorded. - -type: long - --- - -*`rsa.misc.event_desc`*:: -+ --- -This key is used to capture a description of an event available directly or inferred - -type: keyword - --- - -*`rsa.misc.sig_id1`*:: -+ --- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - -type: long - --- - -*`rsa.misc.im_buddyid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_client`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.priority`*:: -+ --- -type: keyword - --- - -*`rsa.misc.context_subject`*:: -+ --- -This key is to be used in an audit context where the subject is the object being identified - -type: keyword - --- - -*`rsa.misc.context_target`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cve`*:: -+ --- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - -type: keyword - --- - -*`rsa.misc.fcatnum`*:: -+ --- -This key captures Filter Category Number. 
Legacy Usage - -type: keyword - --- - -*`rsa.misc.library`*:: -+ --- -This key is used to capture library information in mainframe devices - -type: keyword - --- - -*`rsa.misc.parent_node`*:: -+ --- -This key captures the Parent Node Name. Must be related to node variable. - -type: keyword - --- - -*`rsa.misc.risk_info`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.tcp_flags`*:: -+ --- -This key is captures the TCP flags set in any packet of session - -type: long - --- - -*`rsa.misc.tos`*:: -+ --- -This key describes the type of service - -type: long - --- - -*`rsa.misc.vm_target`*:: -+ --- -VMWare Target **VMWARE** only varaible. - -type: keyword - --- - -*`rsa.misc.workspace`*:: -+ --- -This key captures Workspace Description - -type: keyword - --- - -*`rsa.misc.command`*:: -+ --- -type: keyword - --- - -*`rsa.misc.event_category`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facilityname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.forensic_info`*:: -+ --- -type: keyword - --- - -*`rsa.misc.jobname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy_waiver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.second`*:: -+ --- -type: keyword - --- - -*`rsa.misc.space1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.subcategory`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alert_id`*:: -+ --- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.checksum_dst`*:: -+ --- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - -type: keyword - --- - -*`rsa.misc.checksum_src`*:: -+ --- -This key is used to capture the checksum or hash of the source entity such as a file or process. 
- -type: keyword - --- - -*`rsa.misc.fresult`*:: -+ --- -This key captures the Filter Result - -type: long - --- - -*`rsa.misc.payload_dst`*:: -+ --- -This key is used to capture destination payload - -type: keyword - --- - -*`rsa.misc.payload_src`*:: -+ --- -This key is used to capture source payload - -type: keyword - --- - -*`rsa.misc.pool_id`*:: -+ --- -This key captures the identifier (typically numeric field) of a resource pool - -type: keyword - --- - -*`rsa.misc.process_id_val`*:: -+ --- -This key is a failure key for Process ID when it is not an integer value - -type: keyword - --- - -*`rsa.misc.risk_num_comm`*:: -+ --- -This key captures Risk Number Community - -type: double - --- - -*`rsa.misc.risk_num_next`*:: -+ --- -This key captures Risk Number NextGen - -type: double - --- - -*`rsa.misc.risk_num_sand`*:: -+ --- -This key captures Risk Number SandBox - -type: double - --- - -*`rsa.misc.risk_num_static`*:: -+ --- -This key captures Risk Number Static - -type: double - --- - -*`rsa.misc.risk_suspicious`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.risk_warning`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.snmp_oid`*:: -+ --- -SNMP Object Identifier - -type: keyword - --- - -*`rsa.misc.sql`*:: -+ --- -This key captures the SQL query - -type: keyword - --- - -*`rsa.misc.vuln_ref`*:: -+ --- -This key captures the Vulnerability Reference details - -type: keyword - --- - -*`rsa.misc.acl_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_op`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_pos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_table`*:: -+ --- -type: keyword - --- - -*`rsa.misc.admin`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarm_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarmname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.app_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.audit`*:: 
-+ --- -type: keyword - --- - -*`rsa.misc.audit_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.auditdata`*:: -+ --- -type: keyword - --- - -*`rsa.misc.benchmark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.bypass`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache_hit`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cefversion`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_attr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_obj`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_path`*:: -+ --- -type: keyword - --- - -*`rsa.misc.changes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client_ip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.clustermembers`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_acttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_asn_src`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_bgpv4nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ctr_dst_code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_f_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampintv`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampmode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inacttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermbyts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermpckts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_invalid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ip_proto_ver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ipv4_ident`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_l_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_did`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_rid`*:: -+ --- -type: keyword - 
--- - -*`rsa.misc.cn_max_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_maxpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_min_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_minpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_10`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_5`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_6`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_7`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_8`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_9`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_byt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_pks`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_muligmptype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampalgo`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampint`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_seqctr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_spackets`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sysuptime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_template_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totbytsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totflowexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totpcktsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_unixnanosecs`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6flowlabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6optheaders`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.comp_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_rbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_sbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.criticality`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_agency_dst`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_analyzedby`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_other`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_primary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_secondary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bgpv6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bit9status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_context`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_control`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_datecret`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_dst_tld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_dst_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_src_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_event_uuid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_filetype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_desc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ip_next_hop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4dstpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4srcpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_lifetime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_log_medium`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_loginname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulescore`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulesign`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_opswatresult`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.cs_payload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrant`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrar`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_represult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_rpayload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sampler_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sourcemodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_streams`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_targetmodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_v6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_whois_server`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_yararesult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.description`*:: -+ --- -type: keyword - --- - -*`rsa.misc.devvendor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.distance`*:: -+ --- -type: keyword - --- - -*`rsa.misc.dstburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomaub`*:: -+ --- -type: keyword - --- - -*`rsa.misc.euid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facility`*:: -+ --- -type: keyword - --- - -*`rsa.misc.finterface`*:: -+ --- -type: keyword - --- - -*`rsa.misc.flags`*:: -+ --- -type: keyword - --- - -*`rsa.misc.gaddr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.id3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_buddyname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomtype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_members`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_username`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipscat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipspri`*:: -+ --- -type: keyword - --- - -*`rsa.misc.latitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.linenum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.list_name`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.load_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_floor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_mark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.longitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.lport`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mbug_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msg_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.netsessid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.nwwn`*:: -+ --- -type: keyword - --- - -*`rsa.misc.object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.operation`*:: -+ --- -type: keyword - --- - -*`rsa.misc.opkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.orig_from`*:: -+ --- -type: keyword - --- - -*`rsa.misc.owner_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_filter`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_group_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_result1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_chg`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_expire`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permgranted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permwanted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pgid`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.policyUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.prog_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.program`*:: -+ --- -type: keyword - --- - -*`rsa.misc.real_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_device`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_library`*:: -+ --- -type: keyword - --- - -*`rsa.misc.recordnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ruid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sdomain_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sec`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sensorname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.seqnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.session`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sessiontype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.spi`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcservice`*:: -+ --- -type: keyword - --- - -*`rsa.misc.state`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.svcno`*:: -+ --- -type: keyword - --- - -*`rsa.misc.system`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.threshold`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.udb_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.url_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.user_div`*:: -+ --- -type: keyword - --- - -*`rsa.misc.userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.username_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.utcstamp`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.v_instafname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.virt_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.vpnid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.autorun_type`*:: -+ --- -This is used to capture Auto Run type - -type: keyword - --- - -*`rsa.misc.cc_number`*:: -+ --- -Valid Credit Card Numbers only - -type: long - --- - -*`rsa.misc.content`*:: -+ --- -This key captures the content type from protocol headers - -type: keyword - --- - -*`rsa.misc.ein_number`*:: -+ --- -Employee Identification Numbers only - -type: long - --- - -*`rsa.misc.found`*:: -+ --- -This is used to capture the results of regex match - -type: keyword - --- - -*`rsa.misc.language`*:: -+ --- -This is used to capture list of languages the client support and what it prefers - -type: keyword - --- - -*`rsa.misc.lifetime`*:: -+ --- -This key is used to capture the session lifetime in seconds. - -type: long - --- - -*`rsa.misc.link`*:: -+ --- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.misc.match`*:: -+ --- -This key is for regex match name from search.ini - -type: keyword - --- - -*`rsa.misc.param_dst`*:: -+ --- -This key captures the command line/launch argument of the target process or file - -type: keyword - --- - -*`rsa.misc.param_src`*:: -+ --- -This key captures source parameter - -type: keyword - --- - -*`rsa.misc.search_text`*:: -+ --- -This key captures the Search Text used - -type: keyword - --- - -*`rsa.misc.sig_name`*:: -+ --- -This key is used to capture the Signature Name only. - -type: keyword - --- - -*`rsa.misc.snmp_value`*:: -+ --- -SNMP set request value - -type: keyword - --- - -*`rsa.misc.streams`*:: -+ --- -This key captures number of streams in session - -type: long - --- - - -*`rsa.db.index`*:: -+ --- -This key captures IndexID of the index. 
- -type: keyword - --- - -*`rsa.db.instance`*:: -+ --- -This key is used to capture the database server instance name - -type: keyword - --- - -*`rsa.db.database`*:: -+ --- -This key is used to capture the name of a database or an instance as seen in a session - -type: keyword - --- - -*`rsa.db.transact_id`*:: -+ --- -This key captures the SQL transantion ID of the current session - -type: keyword - --- - -*`rsa.db.permissions`*:: -+ --- -This key captures permission or privilege level assigned to a resource. - -type: keyword - --- - -*`rsa.db.table_name`*:: -+ --- -This key is used to capture the table name - -type: keyword - --- - -*`rsa.db.db_id`*:: -+ --- -This key is used to capture the unique identifier for a database - -type: keyword - --- - -*`rsa.db.db_pid`*:: -+ --- -This key captures the process id of a connection with database server - -type: long - --- - -*`rsa.db.lread`*:: -+ --- -This key is used for the number of logical reads - -type: long - --- - -*`rsa.db.lwrite`*:: -+ --- -This key is used for the number of logical writes - -type: long - --- - -*`rsa.db.pread`*:: -+ --- -This key is used for the number of physical writes - -type: long - --- - - -*`rsa.network.alias_host`*:: -+ --- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - -type: keyword - --- - -*`rsa.network.domain`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_dst`*:: -+ --- -This key should only be used when it’s a Destination Hostname - -type: keyword - --- - -*`rsa.network.network_service`*:: -+ --- -This is used to capture layer 7 protocols/service names - -type: keyword - --- - -*`rsa.network.interface`*:: -+ --- -This key should be used when the source or destination context of an interface is not clear - -type: keyword - --- - -*`rsa.network.network_port`*:: -+ --- -Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) - -type: long - --- - -*`rsa.network.eth_host`*:: -+ --- -Deprecated, use alias.mac - -type: keyword - --- - -*`rsa.network.sinterface`*:: -+ --- -This key should only be used when it’s a Source Interface - -type: keyword - --- - -*`rsa.network.dinterface`*:: -+ --- -This key should only be used when it’s a Destination Interface - -type: keyword - --- - -*`rsa.network.vlan`*:: -+ --- -This key should only be used to capture the ID of the Virtual LAN - -type: long - --- - -*`rsa.network.zone_src`*:: -+ --- -This key should only be used when it’s a Source Zone. - -type: keyword - --- - -*`rsa.network.zone`*:: -+ --- -This key should be used when the source or destination context of a Zone is not clear - -type: keyword - --- - -*`rsa.network.zone_dst`*:: -+ --- -This key should only be used when it’s a Destination Zone. - -type: keyword - --- - -*`rsa.network.gateway`*:: -+ --- -This key is used to capture the IP Address of the gateway - -type: keyword - --- - -*`rsa.network.icmp_type`*:: -+ --- -This key is used to capture the ICMP type only - -type: long - --- - -*`rsa.network.mask`*:: -+ --- -This key is used to capture the device network IPmask. 
- -type: keyword - --- - -*`rsa.network.icmp_code`*:: -+ --- -This key is used to capture the ICMP code only - -type: long - --- - -*`rsa.network.protocol_detail`*:: -+ --- -This key should be used to capture additional protocol information - -type: keyword - --- - -*`rsa.network.dmask`*:: -+ --- -This key is used for Destionation Device network mask - -type: keyword - --- - -*`rsa.network.port`*:: -+ --- -This key should only be used to capture a Network Port when the directionality is not clear - -type: long - --- - -*`rsa.network.smask`*:: -+ --- -This key is used for capturing source Network Mask - -type: keyword - --- - -*`rsa.network.netname`*:: -+ --- -This key is used to capture the network name associated with an IP range. This is configured by the end user. - -type: keyword - --- - -*`rsa.network.paddr`*:: -+ --- -Deprecated - -type: ip - --- - -*`rsa.network.faddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.lhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.origin`*:: -+ --- -type: keyword - --- - -*`rsa.network.remote_domain_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.addr`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_a_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_ptr_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.fhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.fport`*:: -+ --- -type: keyword - --- - -*`rsa.network.laddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.linterface`*:: -+ --- -type: keyword - --- - -*`rsa.network.phost`*:: -+ --- -type: keyword - --- - -*`rsa.network.ad_computer_dst`*:: -+ --- -Deprecated, use host.dst - -type: keyword - --- - -*`rsa.network.eth_type`*:: -+ --- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: long - --- - -*`rsa.network.ip_proto`*:: -+ --- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - -type: long - --- - -*`rsa.network.dns_cname_record`*:: -+ --- 
-type: keyword - --- - -*`rsa.network.dns_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_opcode`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_resp`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.domain1`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.packet_length`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_orig`*:: -+ --- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - -type: keyword - --- - -*`rsa.network.rpayload`*:: -+ --- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. - -type: keyword - --- - -*`rsa.network.vlan_name`*:: -+ --- -This key should only be used to capture the name of the Virtual LAN - -type: keyword - --- - - -*`rsa.investigations.ec_activity`*:: -+ --- -This key captures the particular event activity(Ex:Logoff) - -type: keyword - --- - -*`rsa.investigations.ec_theme`*:: -+ --- -This key captures the Theme of a particular Event(Ex:Authentication) - -type: keyword - --- - -*`rsa.investigations.ec_subject`*:: -+ --- -This key captures the Subject of a particular Event(Ex:User) - -type: keyword - --- - -*`rsa.investigations.ec_outcome`*:: -+ --- -This key captures the outcome of a particular Event(Ex:Success) - -type: keyword - --- - -*`rsa.investigations.event_cat`*:: -+ --- -This key captures the Event category number - -type: long - --- - -*`rsa.investigations.event_cat_name`*:: -+ --- -This key captures the event category name corresponding to the event cat code - -type: keyword - --- - -*`rsa.investigations.event_vcat`*:: -+ --- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - -type: keyword - --- - -*`rsa.investigations.analysis_file`*:: -+ --- -This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - -type: keyword - --- - -*`rsa.investigations.analysis_service`*:: -+ --- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - -type: keyword - --- - -*`rsa.investigations.analysis_session`*:: -+ --- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - -type: keyword - --- - -*`rsa.investigations.boc`*:: -+ --- -This is used to capture behaviour of compromise - -type: keyword - --- - -*`rsa.investigations.eoc`*:: -+ --- -This is used to capture Enablers of Compromise - -type: keyword - --- - -*`rsa.investigations.inv_category`*:: -+ --- -This used to capture investigation category - -type: keyword - --- - -*`rsa.investigations.inv_context`*:: -+ --- -This used to capture investigation context - -type: keyword - --- - -*`rsa.investigations.ioc`*:: -+ --- -This is key capture indicator of compromise - -type: keyword - --- - - -*`rsa.counters.dclass_c1`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c1.str only - -type: long - --- - -*`rsa.counters.dclass_c2`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c2.str only - -type: long - --- - -*`rsa.counters.event_counter`*:: -+ --- -This is used to capture the number of times an event repeated - -type: long - --- - -*`rsa.counters.dclass_r1`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r1.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c3.str only - -type: long - --- - -*`rsa.counters.dclass_c1_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c1 only - -type: keyword - --- - -*`rsa.counters.dclass_c2_str`*:: -+ --- -This is a generic counter string key that should be 
used with the label dclass.c2 only - -type: keyword - --- - -*`rsa.counters.dclass_r1_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r1 only - -type: keyword - --- - -*`rsa.counters.dclass_r2`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r2.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c3 only - -type: keyword - --- - -*`rsa.counters.dclass_r3`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r3.str only - -type: keyword - --- - -*`rsa.counters.dclass_r2_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r2 only - -type: keyword - --- - -*`rsa.counters.dclass_r3_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r3 only - -type: keyword - --- - - -*`rsa.identity.auth_method`*:: -+ --- -This key is used to capture authentication methods used only - -type: keyword - --- - -*`rsa.identity.user_role`*:: -+ --- -This key is used to capture the Role of a user only - -type: keyword - --- - -*`rsa.identity.dn`*:: -+ --- -X.500 (LDAP) Distinguished Name - -type: keyword - --- - -*`rsa.identity.logon_type`*:: -+ --- -This key is used to capture the type of logon method used. 
- -type: keyword - --- - -*`rsa.identity.profile`*:: -+ --- -This key is used to capture the user profile - -type: keyword - --- - -*`rsa.identity.accesses`*:: -+ --- -This key is used to capture actual privileges used in accessing an object - -type: keyword - --- - -*`rsa.identity.realm`*:: -+ --- -Radius realm or similar grouping of accounts - -type: keyword - --- - -*`rsa.identity.user_sid_dst`*:: -+ --- -This key captures Destination User Session ID - -type: keyword - --- - -*`rsa.identity.dn_src`*:: -+ --- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - -type: keyword - --- - -*`rsa.identity.org`*:: -+ --- -This key captures the User organization - -type: keyword - --- - -*`rsa.identity.dn_dst`*:: -+ --- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - -type: keyword - --- - -*`rsa.identity.firstname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.lastname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.user_dept`*:: -+ --- -User's Department Names only - -type: keyword - --- - -*`rsa.identity.user_sid_src`*:: -+ --- -This key captures Source User Session ID - -type: keyword - --- - -*`rsa.identity.federated_sp`*:: -+ --- -This key is the Federated Service Provider. This is the application requesting authentication. - -type: keyword - --- - -*`rsa.identity.federated_idp`*:: -+ --- -This key is the federated Identity Provider. This is the server providing the authentication. - -type: keyword - --- - -*`rsa.identity.logon_type_desc`*:: -+ --- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- -type: keyword - --- - -*`rsa.identity.middlename`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.password`*:: -+ --- -This key is for Passwords seen in any session, plain text or encrypted - -type: keyword - --- - -*`rsa.identity.host_role`*:: -+ --- -This key should only be used to capture the role of a Host Machine - -type: keyword - --- - -*`rsa.identity.ldap`*:: -+ --- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - -type: keyword - --- - -*`rsa.identity.ldap_query`*:: -+ --- -This key is the Search criteria from an LDAP search - -type: keyword - --- - -*`rsa.identity.ldap_response`*:: -+ --- -This key is to capture Results from an LDAP search - -type: keyword - --- - -*`rsa.identity.owner`*:: -+ --- -This is used to capture username the process or service is running as, the author of the task - -type: keyword - --- - -*`rsa.identity.service_account`*:: -+ --- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - -type: keyword - --- - - -*`rsa.email.email_dst`*:: -+ --- -This key is used to capture the Destination email address only, when the destination context is not clear use email - -type: keyword - --- - -*`rsa.email.email_src`*:: -+ --- -This key is used to capture the source email address only, when the source context is not clear use email - -type: keyword - --- - -*`rsa.email.subject`*:: -+ --- -This key is used to capture the subject string from an Email only. - -type: keyword - --- - -*`rsa.email.email`*:: -+ --- -This key is used to capture a generic email address where the source or destination context is not clear - -type: keyword - --- - -*`rsa.email.trans_from`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.email.trans_to`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - - -*`rsa.file.privilege`*:: -+ --- -Deprecated, use permissions - -type: keyword - --- - -*`rsa.file.attachment`*:: -+ --- -This key captures the attachment file name - -type: keyword - --- - -*`rsa.file.filesystem`*:: -+ --- -type: keyword - --- - -*`rsa.file.binary`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.file.filename_dst`*:: -+ --- -This is used to capture name of the file targeted by the action - -type: keyword - --- - -*`rsa.file.filename_src`*:: -+ --- -This is used to capture name of the parent filename, the file which performed the action - -type: keyword - --- - -*`rsa.file.filename_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.file.directory_dst`*:: -+ --- -This key is used to capture the directory of the target process or file - -type: keyword - --- - -*`rsa.file.directory_src`*:: -+ --- -This key is used to capture the directory of the source process or file - -type: keyword - --- - -*`rsa.file.file_entropy`*:: -+ --- -This is used to capture entropy vale of a file - -type: double - --- - -*`rsa.file.file_vendor`*:: -+ --- -This is used to capture Company name of file located in version_info - -type: keyword - --- - -*`rsa.file.task_name`*:: -+ --- -This is used to capture name of the task - -type: keyword - --- - - -*`rsa.web.fqdn`*:: -+ --- -Fully Qualified Domain Names - -type: keyword - --- - -*`rsa.web.web_cookie`*:: -+ --- -This key is used to capture the Web cookies specifically. - -type: keyword - --- - -*`rsa.web.alias_host`*:: -+ --- -type: keyword - --- - -*`rsa.web.reputation_num`*:: -+ --- -Reputation Number of an entity. 
Typically used for Web Domains - -type: double - --- - -*`rsa.web.web_ref_domain`*:: -+ --- -Web referer's domain - -type: keyword - --- - -*`rsa.web.web_ref_query`*:: -+ --- -This key captures Web referer's query portion of the URL - -type: keyword - --- - -*`rsa.web.remote_domain`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_ref_page`*:: -+ --- -This key captures Web referer's page information - -type: keyword - --- - -*`rsa.web.web_ref_root`*:: -+ --- -Web referer's root URL path - -type: keyword - --- - -*`rsa.web.cn_asn_dst`*:: -+ --- -type: keyword - --- - -*`rsa.web.cn_rpackets`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlpage`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlroot`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_url`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_user_agent`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_cookie`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_method`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_referer`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_extension_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_page`*:: -+ --- -type: keyword - --- - - -*`rsa.threat.threat_category`*:: -+ --- -This key captures Threat Name/Threat Category/Categorization of alert - -type: keyword - --- - -*`rsa.threat.threat_desc`*:: -+ --- -This key is used to capture the threat description from the session directly or inferred - -type: keyword - --- - -*`rsa.threat.alert`*:: -+ --- -This key is used to capture name of the alert - -type: keyword - --- - -*`rsa.threat.threat_source`*:: -+ --- -This key is used to capture source of the threat - -type: keyword - --- - - -*`rsa.crypto.crypto`*:: -+ --- -This key is used to capture the Encryption Type or Encryption Key only - -type: keyword - --- - -*`rsa.crypto.cipher_src`*:: -+ --- -This key is for Source (Client) Cipher - -type: keyword - --- - -*`rsa.crypto.cert_subject`*:: -+ --- -This key is used to capture the Certificate organization only - -type: keyword - --- 
- -*`rsa.crypto.peer`*:: -+ --- -This key is for Encryption peer's IP Address - -type: keyword - --- - -*`rsa.crypto.cipher_size_src`*:: -+ --- -This key captures Source (Client) Cipher Size - -type: long - --- - -*`rsa.crypto.ike`*:: -+ --- -IKE negotiation phase. - -type: keyword - --- - -*`rsa.crypto.scheme`*:: -+ --- -This key captures the Encryption scheme used - -type: keyword - --- - -*`rsa.crypto.peer_id`*:: -+ --- -This key is for Encryption peer’s identity - -type: keyword - --- - -*`rsa.crypto.sig_type`*:: -+ --- -This key captures the Signature Type - -type: keyword - --- - -*`rsa.crypto.cert_issuer`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.crypto.cert_error`*:: -+ --- -This key captures the Certificate Error String - -type: keyword - --- - -*`rsa.crypto.cipher_dst`*:: -+ --- -This key is for Destination (Server) Cipher - -type: keyword - --- - -*`rsa.crypto.cipher_size_dst`*:: -+ --- -This key captures Destination (Server) Cipher Size - -type: long - --- - -*`rsa.crypto.ssl_ver_src`*:: -+ --- -Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.d_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.s_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.ike_cookie1`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase One - -type: keyword - --- - -*`rsa.crypto.ike_cookie2`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase Two - -type: keyword - --- - -*`rsa.crypto.cert_checksum`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_cat`*:: -+ --- -This key is used for the hostname category value of a certificate - -type: keyword - --- - -*`rsa.crypto.cert_serial`*:: -+ --- -This key is used to capture the Certificate serial number only - -type: keyword - --- - -*`rsa.crypto.cert_status`*:: -+ --- -This key captures Certificate validation status - -type: keyword - --- - -*`rsa.crypto.ssl_ver_dst`*:: -+ --- 
-Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.cert_keysize`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_username`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_insact`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_valid`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_ca`*:: -+ --- -This key is used to capture the Certificate signing authority only - -type: keyword - --- - -*`rsa.crypto.cert_common`*:: -+ --- -This key is used to capture the Certificate common name only - -type: keyword - --- - - -*`rsa.wireless.wlan_ssid`*:: -+ --- -This key is used to capture the ssid of a Wireless Session - -type: keyword - --- - -*`rsa.wireless.access_point`*:: -+ --- -This key is used to capture the access point name. - -type: keyword - --- - -*`rsa.wireless.wlan_channel`*:: -+ --- -This is used to capture the channel names - -type: long - --- - -*`rsa.wireless.wlan_name`*:: -+ --- -This key captures either WLAN number/name - -type: keyword - --- - - -*`rsa.storage.disk_volume`*:: -+ --- -A unique name assigned to logical units (volumes) within a physical disk - -type: keyword - --- - -*`rsa.storage.lun`*:: -+ --- -Logical Unit Number.This key is a very useful concept in Storage. - -type: keyword - --- - -*`rsa.storage.pwwn`*:: -+ --- -This uniquely identifies a port on a HBA. - -type: keyword - --- - - -*`rsa.physical.org_dst`*:: -+ --- -This is used to capture the destination organization based on the GEOPIP Maxmind database. - -type: keyword - --- - -*`rsa.physical.org_src`*:: -+ --- -This is used to capture the source organization based on the GEOPIP Maxmind database. 
- -type: keyword - --- - - -*`rsa.healthcare.patient_fname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_id`*:: -+ --- -This key captures the unique ID for a patient - -type: keyword - --- - -*`rsa.healthcare.patient_lname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_mname`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - - -*`rsa.endpoint.host_state`*:: -+ --- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - -type: keyword - --- - -*`rsa.endpoint.registry_key`*:: -+ --- -This key captures the path to the registry key - -type: keyword - --- - -*`rsa.endpoint.registry_value`*:: -+ --- -This key captures values or decorators used within a registry entry - -type: keyword - --- - [[exported-fields-cef]] == Decode CEF processor fields fields diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index 731d38e3915..6074df038cd 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -9,7 +9,6 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> - * <> * <> * <> * <> @@ -82,7 +81,6 @@ include::modules/auditd.asciidoc[] include::modules/aws.asciidoc[] include::modules/awsfargate.asciidoc[] include::modules/azure.asciidoc[] -include::modules/bluecoat.asciidoc[] include::modules/cef.asciidoc[] include::modules/checkpoint.asciidoc[] include::modules/cisco.asciidoc[] diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index d75452b7c40..fab3d9769c6 100644 --- a/x-pack/filebeat/filebeat.reference.yml 
+++ b/x-pack/filebeat/filebeat.reference.yml
@@ -585,27 +585,6 @@ filebeat.modules:
 # storage_account: ""
 # storage_account_key: ""
-#-------------------------- Blue Coat Director Module --------------------------
-- module: bluecoat
- director:
- enabled: false
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9505
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
-
 #--------------------------------- CEF Module ---------------------------------
 - module: cef
 log:
diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go
index a5843dc1dd3..67a25f39774 100644
--- a/x-pack/filebeat/include/list.go
+++ b/x-pack/filebeat/include/list.go
@@ -20,7 +20,6 @@ import (
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/aws"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/awsfargate"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/azure"
- _ "github.com/elastic/beats/v7/x-pack/filebeat/module/bluecoat"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/cef"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/checkpoint"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/cisco"
diff --git a/x-pack/filebeat/module/bluecoat/README.md b/x-pack/filebeat/module/bluecoat/README.md
deleted file mode 100644
index 815d89a2f72..00000000000
--- a/x-pack/filebeat/module/bluecoat/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-# bluecoat module
-
-This is a module for Blue Coat Director logs.
-
-Autogenerated from RSA NetWitness log parser 2.0 XML bluecoatdirector version 0
-at 2020-07-13 17:55:34.664093 +0000 UTC.
-
diff --git a/x-pack/filebeat/module/bluecoat/_meta/config.yml b/x-pack/filebeat/module/bluecoat/_meta/config.yml
deleted file mode 100644
index 76056292f7b..00000000000
--- a/x-pack/filebeat/module/bluecoat/_meta/config.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-- module: bluecoat
- director:
- enabled: false
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9505
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/x-pack/filebeat/module/bluecoat/_meta/docs.asciidoc b/x-pack/filebeat/module/bluecoat/_meta/docs.asciidoc
deleted file mode 100644
index 33fe07fd426..00000000000
--- a/x-pack/filebeat/module/bluecoat/_meta/docs.asciidoc
+++ /dev/null
@@ -1,70 +0,0 @@
-[role="xpack"]
-
-:modulename: bluecoat
-:has-dashboards: false
-
-== Bluecoat module
-
-deprecated::[8.12.0,"This module is deprecated. See <> for migration options."]
-
-experimental[]
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-This is a module for receiving Blue Coat Director logs over Syslog or a file.
-
-include::../include/gs-link.asciidoc[]
-
-include::../include/configuring-intro.asciidoc[]
-
-:fileset_ex: director
-
-include::../include/config-option-intro.asciidoc[]
-
-[float]
-==== `director` fileset settings
-
-experimental[]
-
-NOTE: This was converted from RSA NetWitness log parser XML "bluecoatdirector" device revision 0.
-
-*`var.input`*::
-
-The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
-
-*`var.syslog_host`*::
-
-The address to listen to UDP or TCP based syslog traffic.
-Defaults to `localhost`.
-Set to `0.0.0.0` to bind to all available interfaces.
-
-*`var.syslog_port`*::
-
-The port to listen for syslog traffic. Defaults to `9505`
-
-NOTE: Ports below 1024 require Filebeat to run as root.
-
-*`var.tz_offset`*::
-
-By default, datetimes in the logs will be interpreted as relative to
-the timezone configured in the host where {beatname_uc} is running. If ingesting
-logs from a host on a different timezone, use this field to set the timezone
-offset so that datetimes are correctly parsed. Valid values are in the form
-±HH:mm, for example, `-07:00` for `UTC-7`.
-
-*`var.rsa_fields`*::
-
-Flag to control the addition of non-ECS fields to the event. Defaults to true,
-which causes both ECS and custom fields under `rsa` to be added.
-
-*`var.keep_raw_fields`*::
-
-Flag to control the addition of the raw parser fields to the event. This fields
-will be found under `rsa.raw`. The default is false.
-
-:has-dashboards!:
-
-:fileset_ex!:
-
-:modulename!:
-
diff --git a/x-pack/filebeat/module/bluecoat/_meta/fields.yml b/x-pack/filebeat/module/bluecoat/_meta/fields.yml
deleted file mode 100644
index 2efac151801..00000000000
--- a/x-pack/filebeat/module/bluecoat/_meta/fields.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-- key: bluecoat
- title: Blue Coat Director
- description: >
- bluecoat fields.
- fields:
diff --git a/x-pack/filebeat/module/bluecoat/director/_meta/fields.yml b/x-pack/filebeat/module/bluecoat/director/_meta/fields.yml
deleted file mode 100644
index 08a34153c4f..00000000000
--- a/x-pack/filebeat/module/bluecoat/director/_meta/fields.yml
+++ /dev/null
@@ -1,2635 +0,0 @@ -- name: network.interface.name - overwrite: true - type: keyword - description: > - Name of the network interface where the traffic has been observed. -- name: rsa - overwrite: true - type: group - fields: - - name: internal - overwrite: true - type: group - fields: - - name: msg - overwrite: true - type: keyword - description: This key is used to capture the raw message that comes into the - Log Decoder - - name: messageid - overwrite: true - type: keyword - - name: event_desc - overwrite: true - type: keyword - - name: message - overwrite: true - type: keyword - description: This key captures the contents of instant messages - - name: time - overwrite: true - type: date - description: This is the time at which a session hits a NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness. - - name: level - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: msg_id - overwrite: true - type: keyword - description: This is the Message ID1 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: msg_vid - overwrite: true - type: keyword - description: This is the Message ID2 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: data - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: resource - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: statement - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: entry - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: inode - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: resource_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: dead - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - overwrite: true - type: keyword - description: This is used to capture the description of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: feed_name - overwrite: true - type: keyword - description: This is used to capture the name of the feed. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: cid - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_class - overwrite: true - type: keyword - description: This is the Classification of the Log Event Source under a predefined - fixed set of Event Source Classifications. 
This key should never be used to - parse Meta data from a session (Logs/Packets) Directly, this is a Reserved - key in NetWitness - - name: device_group - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - overwrite: true - type: keyword - description: This is the Hostname of the log Event Source sending the logs to - NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - overwrite: true - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - overwrite: true - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - overwrite: true - type: keyword - description: This is the name of the log parser which parsed a given session. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_type_id - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: did - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. 
- This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: entropy_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: entropy_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: event_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - overwrite: true - type: keyword - description: This is used to capture the category of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: forward_ip - overwrite: true - type: ip - description: This key should be used to capture the IPV4 address of a relay - system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - overwrite: true - type: ip - description: This key is used to capture the IPV6 address of a relay system - which forwarded the events from the original system to NetWitness. This key - should never be used to parse Meta data from a session (Logs/Packets) Directly, - this is a Reserved key in NetWitness - - name: header_id - overwrite: true - type: keyword - description: This is the Header ID value that identifies the exact log parser - header definition that parses a particular log session. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: lc_cid - overwrite: true - type: keyword - description: This is a unique Identifier of a Log Collector. 
This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: lc_ctime - overwrite: true - type: date - description: This is the time at which a log is collected in a NetWitness Log - Collector. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: mcbc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: medium - overwrite: true - type: long - description: "This key is used to identify if it\u2019s a log/packet session\ - \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ - \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ - \ 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: nwe_callback_id - overwrite: true - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - overwrite: true - type: keyword - description: This is a special key that stores any Meta key validation error - found while parsing a log session. This key should never be used to parse - Meta data from a session (Logs/Packets) Directly, this is a Reserved key in - NetWitness - - name: payload_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: payload_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: process_vid_dst - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the target process. - - name: process_vid_src - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the source process. - - name: rid - overwrite: true - type: long - description: This is a special ID of the Remote Session created by NetWitness - Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: session_split - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: size - overwrite: true - type: long - description: This is the size of the session as seen by the NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: sourcefile - overwrite: true - type: keyword - description: This is the name of the log file or PCAPs that can be imported - into NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: ubc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: word - overwrite: true - type: keyword - description: This is used by the Word Parsing technology to capture the first - 5 character of every word in an unparsed log - - name: time - overwrite: true - type: group - fields: - - name: event_time - overwrite: true - type: date - description: This key is used to capture the time mentioned in a raw session - that represents the actual time an event occured in a standard normalized - form - - name: duration_time - overwrite: true - type: double - description: This key is used to capture the normalized duration/lifetime in - seconds. 
- - name: event_time_str - overwrite: true - type: keyword - description: This key is used to capture the incomplete time mentioned in a - session as a string - - name: starttime - overwrite: true - type: date - description: This key is used to capture the Start time mentioned in a session - in a standard form - - name: month - overwrite: true - type: keyword - - name: day - overwrite: true - type: keyword - - name: endtime - overwrite: true - type: date - description: This key is used to capture the End time mentioned in a session - in a standard form - - name: timezone - overwrite: true - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - overwrite: true - type: keyword - description: A text string version of the duration - - name: date - overwrite: true - type: keyword - - name: year - overwrite: true - type: keyword - - name: recorded_time - overwrite: true - type: date - description: The event time as recorded by the system the event is collected - from. The usage scenario is a multi-tier application where the management - layer of the system records it's own timestamp at the time of collection from - its child nodes. Must be in timestamp format. - - name: datetime - overwrite: true - type: keyword - - name: effective_time - overwrite: true - type: date - description: This key is the effective time referenced by an individual event - in a Standard Timestamp format - - name: expire_time - overwrite: true - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - overwrite: true - type: keyword - description: Deprecated, use duration.time - - name: hour - overwrite: true - type: keyword - - name: min - overwrite: true - type: keyword - - name: timestamp - overwrite: true - type: keyword - - name: event_queue_time - overwrite: true - type: date - description: This key is the Time that the event was queued. 
- - name: p_time1 - overwrite: true - type: keyword - - name: tzone - overwrite: true - type: keyword - - name: eventtime - overwrite: true - type: keyword - - name: gmtdate - overwrite: true - type: keyword - - name: gmttime - overwrite: true - type: keyword - - name: p_date - overwrite: true - type: keyword - - name: p_month - overwrite: true - type: keyword - - name: p_time - overwrite: true - type: keyword - - name: p_time2 - overwrite: true - type: keyword - - name: p_year - overwrite: true - type: keyword - - name: expire_time_str - overwrite: true - type: keyword - description: This key is used to capture incomplete timestamp that explicitly - refers to an expiration. - - name: stamp - overwrite: true - type: date - description: Deprecated key defined only in table map. - - name: misc - overwrite: true - type: group - fields: - - name: action - overwrite: true - type: keyword - - name: result - overwrite: true - type: keyword - description: This key is used to capture the outcome/result string value of - an action in a session. - - name: severity - overwrite: true - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - overwrite: true - type: keyword - description: This key captures the event category type as specified by the event - source. - - name: reference_id - overwrite: true - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - overwrite: true - type: keyword - description: This key captures Version of the application or OS which is generating - the event. - - name: disposition - overwrite: true - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - overwrite: true - type: keyword - description: This key is used to capture the outcome/result numeric value of - an action in a session - - name: category - overwrite: true - type: keyword - description: This key is used to capture the category of an event given by the - vendor in the session - - name: obj_name - overwrite: true - type: keyword - description: This is used to capture name of object - - name: obj_type - overwrite: true - type: keyword - description: This is used to capture type of object - - name: event_source - overwrite: true - type: keyword - description: "This key captures Source of the event that\u2019s not a hostname" - - name: log_session_id - overwrite: true - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - overwrite: true - type: keyword - description: This key captures the Group Name value - - name: policy_name - overwrite: true - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - overwrite: true - type: keyword - description: This key captures the Rule Name - - name: context - overwrite: true - type: keyword - description: This key captures Information which adds additional context to - the event. - - name: change_new - overwrite: true - type: keyword - description: "This key is used to capture the new values of the attribute that\u2019\ - s changing in a session" - - name: space - overwrite: true - type: keyword - - name: client - overwrite: true - type: keyword - description: This key is used to capture only the name of the client application - requesting resources of the server. See the user.agent meta key for capture - of the specific user agent identifier or browser identification string. 
- - name: msgIdPart1 - overwrite: true - type: keyword - - name: msgIdPart2 - overwrite: true - type: keyword - - name: change_old - overwrite: true - type: keyword - description: "This key is used to capture the old value of the attribute that\u2019\ - s changing in a session" - - name: operation_id - overwrite: true - type: keyword - description: An alert number or operation number. The values should be unique - and non-repeating. - - name: event_state - overwrite: true - type: keyword - description: This key captures the current state of the object/item referenced - within the event. Describing an on-going event. - - name: group_object - overwrite: true - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - overwrite: true - type: keyword - description: Common use case is the node name within a cluster. The cluster - name is reflected by the host name. - - name: rule - overwrite: true - type: keyword - description: This key captures the Rule number - - name: device_name - overwrite: true - type: keyword - description: 'This is used to capture name of the Device associated with the - node Like: a physical disk, printer, etc' - - name: param - overwrite: true - type: keyword - description: This key is the parameters passed as part of a command or application, - etc. - - name: change_attrib - overwrite: true - type: keyword - description: "This key is used to capture the name of the attribute that\u2019\ - s changing in a session" - - name: event_computer - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - fully qualified domain name in a windows log. 
- - name: reference_id1 - overwrite: true - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - overwrite: true - type: keyword - description: This key captures the Name of the event log - - name: OS - overwrite: true - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - overwrite: true - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - overwrite: true - type: keyword - - name: filter - overwrite: true - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - overwrite: true - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the entity - such as a file or process. Checksum should be used over checksum.src or checksum.dst - when it is unclear whether the entity is a source or target of an action. - - name: event_user - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - combination of domain name and username in a windows log. - - name: virusname - overwrite: true - type: keyword - description: This key captures the name of the virus - - name: content_type - overwrite: true - type: keyword - description: This key is used to capture Content Type only. 
- - name: group_id - overwrite: true - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - overwrite: true - type: keyword - description: This key is used to capture the Policy ID only, this should be - a numeric value, use policy.name otherwise - - name: vsys - overwrite: true - type: keyword - description: This key captures Virtual System Name - - name: connection_id - overwrite: true - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - overwrite: true - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" - or "reference.id1" value but should not be used unless the other two variables - are in play. - - name: sensor - overwrite: true - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS - based devices - - name: sig_id - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - overwrite: true - type: keyword - description: 'This key is used for Physical or logical port connection but does - NOT include a network port. (Example: Printer port name).' - - name: rule_group - overwrite: true - type: keyword - description: This key captures the Rule group name - - name: risk_num - overwrite: true - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - overwrite: true - type: keyword - description: This key captures the Value of the trigger or threshold condition. - - name: log_session_id1 - overwrite: true - type: keyword - description: This key is used to capture a Linked (Related) Session ID from - the session directly - - name: comp_version - overwrite: true - type: keyword - description: This key captures the Version level of a sub-component of a product. 
- - name: content_version - overwrite: true - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - overwrite: true - type: keyword - description: This key is used to capture unique identifier for a device or system - (NOT a Mac address) - - name: risk - overwrite: true - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - overwrite: true - type: keyword - - name: reason - overwrite: true - type: keyword - - name: status - overwrite: true - type: keyword - - name: mail_id - overwrite: true - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - overwrite: true - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - overwrite: true - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - overwrite: true - type: keyword - - name: p_msgid - overwrite: true - type: keyword - - name: data_type - overwrite: true - type: keyword - - name: msgIdPart4 - overwrite: true - type: keyword - - name: error - overwrite: true - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - overwrite: true - type: keyword - - name: listnum - overwrite: true - type: keyword - description: This key is used to capture listname or listnumber, primarily for - collecting access-list - - name: ntype - overwrite: true - type: keyword - - name: observed_val - overwrite: true - type: keyword - description: This key captures the Value observed (from the perspective of the - device generating the log). - - name: policy_value - overwrite: true - type: keyword - description: This key captures the contents of the policy. 
This contains details - about the policy - - name: pool_name - overwrite: true - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - overwrite: true - type: keyword - description: A default set of parameters which are overlayed onto a rule (or - rulename) which efffectively constitutes a template - - name: count - overwrite: true - type: keyword - - name: number - overwrite: true - type: keyword - - name: sigcat - overwrite: true - type: keyword - - name: type - overwrite: true - type: keyword - - name: comments - overwrite: true - type: keyword - description: Comment information provided in the log message - - name: doc_number - overwrite: true - type: long - description: This key captures File Identification number - - name: expected_val - overwrite: true - type: keyword - description: This key captures the Value expected (from the perspective of the - device generating the log). - - name: job_num - overwrite: true - type: keyword - description: This key captures the Job Number - - name: spi_dst - overwrite: true - type: keyword - description: Destination SPI Index - - name: spi_src - overwrite: true - type: keyword - description: Source SPI Index - - name: code - overwrite: true - type: keyword - - name: agent_id - overwrite: true - type: keyword - description: This key is used to capture agent id - - name: message_body - overwrite: true - type: keyword - description: This key captures the The contents of the message body. - - name: phone - overwrite: true - type: keyword - - name: sig_id_str - overwrite: true - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - overwrite: true - type: keyword - - name: misc - overwrite: true - type: keyword - - name: name - overwrite: true - type: keyword - - name: cpu - overwrite: true - type: long - description: This key is the CPU time used in the execution of the event being - recorded. 
- - name: event_desc - overwrite: true - type: keyword - description: This key is used to capture a description of an event available - directly or inferred - - name: sig_id1 - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID. This must be linked - to the sig.id - - name: im_buddyid - overwrite: true - type: keyword - - name: im_client - overwrite: true - type: keyword - - name: im_userid - overwrite: true - type: keyword - - name: pid - overwrite: true - type: keyword - - name: priority - overwrite: true - type: keyword - - name: context_subject - overwrite: true - type: keyword - description: This key is to be used in an audit context where the subject is - the object being identified - - name: context_target - overwrite: true - type: keyword - - name: cve - overwrite: true - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - - an identifier for known information security vulnerabilities. - - name: fcatnum - overwrite: true - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - overwrite: true - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - overwrite: true - type: keyword - description: This key captures the Parent Node Name. Must be related to node - variable. - - name: risk_info - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - overwrite: true - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - overwrite: true - type: long - description: This key describes the type of service - - name: vm_target - overwrite: true - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - overwrite: true - type: keyword - description: This key captures Workspace Description - - name: command - overwrite: true - type: keyword - - name: event_category - overwrite: true - type: keyword - - name: facilityname - overwrite: true - type: keyword - - name: forensic_info - overwrite: true - type: keyword - - name: jobname - overwrite: true - type: keyword - - name: mode - overwrite: true - type: keyword - - name: policy - overwrite: true - type: keyword - - name: policy_waiver - overwrite: true - type: keyword - - name: second - overwrite: true - type: keyword - - name: space1 - overwrite: true - type: keyword - - name: subcategory - overwrite: true - type: keyword - - name: tbdstr2 - overwrite: true - type: keyword - - name: alert_id - overwrite: true - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the the target - entity such as a process or file. - - name: checksum_src - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the source - entity such as a file or process. 
- - name: fresult - overwrite: true - type: long - description: This key captures the Filter Result - - name: payload_dst - overwrite: true - type: keyword - description: This key is used to capture destination payload - - name: payload_src - overwrite: true - type: keyword - description: This key is used to capture source payload - - name: pool_id - overwrite: true - type: keyword - description: This key captures the identifier (typically numeric field) of a - resource pool - - name: process_id_val - overwrite: true - type: keyword - description: This key is a failure key for Process ID when it is not an integer - value - - name: risk_num_comm - overwrite: true - type: double - description: This key captures Risk Number Community - - name: risk_num_next - overwrite: true - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - overwrite: true - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - overwrite: true - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - overwrite: true - type: keyword - description: SNMP Object Identifier - - name: sql - overwrite: true - type: keyword - description: This key captures the SQL query - - name: vuln_ref - overwrite: true - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - overwrite: true - type: keyword - - name: acl_op - overwrite: true - type: keyword - - name: acl_pos - overwrite: true - type: keyword - - name: acl_table - overwrite: true - type: keyword - - name: admin - overwrite: true - type: keyword - - name: alarm_id - overwrite: true - type: keyword - - name: alarmname - 
overwrite: true - type: keyword - - name: app_id - overwrite: true - type: keyword - - name: audit - overwrite: true - type: keyword - - name: audit_object - overwrite: true - type: keyword - - name: auditdata - overwrite: true - type: keyword - - name: benchmark - overwrite: true - type: keyword - - name: bypass - overwrite: true - type: keyword - - name: cache - overwrite: true - type: keyword - - name: cache_hit - overwrite: true - type: keyword - - name: cefversion - overwrite: true - type: keyword - - name: cfg_attr - overwrite: true - type: keyword - - name: cfg_obj - overwrite: true - type: keyword - - name: cfg_path - overwrite: true - type: keyword - - name: changes - overwrite: true - type: keyword - - name: client_ip - overwrite: true - type: keyword - - name: clustermembers - overwrite: true - type: keyword - - name: cn_acttimeout - overwrite: true - type: keyword - - name: cn_asn_src - overwrite: true - type: keyword - - name: cn_bgpv4nxthop - overwrite: true - type: keyword - - name: cn_ctr_dst_code - overwrite: true - type: keyword - - name: cn_dst_tos - overwrite: true - type: keyword - - name: cn_dst_vlan - overwrite: true - type: keyword - - name: cn_engine_id - overwrite: true - type: keyword - - name: cn_engine_type - overwrite: true - type: keyword - - name: cn_f_switch - overwrite: true - type: keyword - - name: cn_flowsampid - overwrite: true - type: keyword - - name: cn_flowsampintv - overwrite: true - type: keyword - - name: cn_flowsampmode - overwrite: true - type: keyword - - name: cn_inacttimeout - overwrite: true - type: keyword - - name: cn_inpermbyts - overwrite: true - type: keyword - - name: cn_inpermpckts - overwrite: true - type: keyword - - name: cn_invalid - overwrite: true - type: keyword - - name: cn_ip_proto_ver - overwrite: true - type: keyword - - name: cn_ipv4_ident - overwrite: true - type: keyword - - name: cn_l_switch - overwrite: true - type: keyword - - name: cn_log_did - overwrite: true - type: keyword - - name: 
cn_log_rid - overwrite: true - type: keyword - - name: cn_max_ttl - overwrite: true - type: keyword - - name: cn_maxpcktlen - overwrite: true - type: keyword - - name: cn_min_ttl - overwrite: true - type: keyword - - name: cn_minpcktlen - overwrite: true - type: keyword - - name: cn_mpls_lbl_1 - overwrite: true - type: keyword - - name: cn_mpls_lbl_10 - overwrite: true - type: keyword - - name: cn_mpls_lbl_2 - overwrite: true - type: keyword - - name: cn_mpls_lbl_3 - overwrite: true - type: keyword - - name: cn_mpls_lbl_4 - overwrite: true - type: keyword - - name: cn_mpls_lbl_5 - overwrite: true - type: keyword - - name: cn_mpls_lbl_6 - overwrite: true - type: keyword - - name: cn_mpls_lbl_7 - overwrite: true - type: keyword - - name: cn_mpls_lbl_8 - overwrite: true - type: keyword - - name: cn_mpls_lbl_9 - overwrite: true - type: keyword - - name: cn_mplstoplabel - overwrite: true - type: keyword - - name: cn_mplstoplabip - overwrite: true - type: keyword - - name: cn_mul_dst_byt - overwrite: true - type: keyword - - name: cn_mul_dst_pks - overwrite: true - type: keyword - - name: cn_muligmptype - overwrite: true - type: keyword - - name: cn_sampalgo - overwrite: true - type: keyword - - name: cn_sampint - overwrite: true - type: keyword - - name: cn_seqctr - overwrite: true - type: keyword - - name: cn_spackets - overwrite: true - type: keyword - - name: cn_src_tos - overwrite: true - type: keyword - - name: cn_src_vlan - overwrite: true - type: keyword - - name: cn_sysuptime - overwrite: true - type: keyword - - name: cn_template_id - overwrite: true - type: keyword - - name: cn_totbytsexp - overwrite: true - type: keyword - - name: cn_totflowexp - overwrite: true - type: keyword - - name: cn_totpcktsexp - overwrite: true - type: keyword - - name: cn_unixnanosecs - overwrite: true - type: keyword - - name: cn_v6flowlabel - overwrite: true - type: keyword - - name: cn_v6optheaders - overwrite: true - type: keyword - - name: comp_class - overwrite: true - type: 
keyword - - name: comp_name - overwrite: true - type: keyword - - name: comp_rbytes - overwrite: true - type: keyword - - name: comp_sbytes - overwrite: true - type: keyword - - name: cpu_data - overwrite: true - type: keyword - - name: criticality - overwrite: true - type: keyword - - name: cs_agency_dst - overwrite: true - type: keyword - - name: cs_analyzedby - overwrite: true - type: keyword - - name: cs_av_other - overwrite: true - type: keyword - - name: cs_av_primary - overwrite: true - type: keyword - - name: cs_av_secondary - overwrite: true - type: keyword - - name: cs_bgpv6nxthop - overwrite: true - type: keyword - - name: cs_bit9status - overwrite: true - type: keyword - - name: cs_context - overwrite: true - type: keyword - - name: cs_control - overwrite: true - type: keyword - - name: cs_data - overwrite: true - type: keyword - - name: cs_datecret - overwrite: true - type: keyword - - name: cs_dst_tld - overwrite: true - type: keyword - - name: cs_eth_dst_ven - overwrite: true - type: keyword - - name: cs_eth_src_ven - overwrite: true - type: keyword - - name: cs_event_uuid - overwrite: true - type: keyword - - name: cs_filetype - overwrite: true - type: keyword - - name: cs_fld - overwrite: true - type: keyword - - name: cs_if_desc - overwrite: true - type: keyword - - name: cs_if_name - overwrite: true - type: keyword - - name: cs_ip_next_hop - overwrite: true - type: keyword - - name: cs_ipv4dstpre - overwrite: true - type: keyword - - name: cs_ipv4srcpre - overwrite: true - type: keyword - - name: cs_lifetime - overwrite: true - type: keyword - - name: cs_log_medium - overwrite: true - type: keyword - - name: cs_loginname - overwrite: true - type: keyword - - name: cs_modulescore - overwrite: true - type: keyword - - name: cs_modulesign - overwrite: true - type: keyword - - name: cs_opswatresult - overwrite: true - type: keyword - - name: cs_payload - overwrite: true - type: keyword - - name: cs_registrant - overwrite: true - type: keyword - - 
name: cs_registrar - overwrite: true - type: keyword - - name: cs_represult - overwrite: true - type: keyword - - name: cs_rpayload - overwrite: true - type: keyword - - name: cs_sampler_name - overwrite: true - type: keyword - - name: cs_sourcemodule - overwrite: true - type: keyword - - name: cs_streams - overwrite: true - type: keyword - - name: cs_targetmodule - overwrite: true - type: keyword - - name: cs_v6nxthop - overwrite: true - type: keyword - - name: cs_whois_server - overwrite: true - type: keyword - - name: cs_yararesult - overwrite: true - type: keyword - - name: description - overwrite: true - type: keyword - - name: devvendor - overwrite: true - type: keyword - - name: distance - overwrite: true - type: keyword - - name: dstburb - overwrite: true - type: keyword - - name: edomain - overwrite: true - type: keyword - - name: edomaub - overwrite: true - type: keyword - - name: euid - overwrite: true - type: keyword - - name: facility - overwrite: true - type: keyword - - name: finterface - overwrite: true - type: keyword - - name: flags - overwrite: true - type: keyword - - name: gaddr - overwrite: true - type: keyword - - name: id3 - overwrite: true - type: keyword - - name: im_buddyname - overwrite: true - type: keyword - - name: im_croomid - overwrite: true - type: keyword - - name: im_croomtype - overwrite: true - type: keyword - - name: im_members - overwrite: true - type: keyword - - name: im_username - overwrite: true - type: keyword - - name: ipkt - overwrite: true - type: keyword - - name: ipscat - overwrite: true - type: keyword - - name: ipspri - overwrite: true - type: keyword - - name: latitude - overwrite: true - type: keyword - - name: linenum - overwrite: true - type: keyword - - name: list_name - overwrite: true - type: keyword - - name: load_data - overwrite: true - type: keyword - - name: location_floor - overwrite: true - type: keyword - - name: location_mark - overwrite: true - type: keyword - - name: log_id - overwrite: true - 
type: keyword - - name: log_type - overwrite: true - type: keyword - - name: logid - overwrite: true - type: keyword - - name: logip - overwrite: true - type: keyword - - name: logname - overwrite: true - type: keyword - - name: longitude - overwrite: true - type: keyword - - name: lport - overwrite: true - type: keyword - - name: mbug_data - overwrite: true - type: keyword - - name: misc_name - overwrite: true - type: keyword - - name: msg_type - overwrite: true - type: keyword - - name: msgid - overwrite: true - type: keyword - - name: netsessid - overwrite: true - type: keyword - - name: num - overwrite: true - type: keyword - - name: number1 - overwrite: true - type: keyword - - name: number2 - overwrite: true - type: keyword - - name: nwwn - overwrite: true - type: keyword - - name: object - overwrite: true - type: keyword - - name: operation - overwrite: true - type: keyword - - name: opkt - overwrite: true - type: keyword - - name: orig_from - overwrite: true - type: keyword - - name: owner_id - overwrite: true - type: keyword - - name: p_action - overwrite: true - type: keyword - - name: p_filter - overwrite: true - type: keyword - - name: p_group_object - overwrite: true - type: keyword - - name: p_id - overwrite: true - type: keyword - - name: p_msgid1 - overwrite: true - type: keyword - - name: p_msgid2 - overwrite: true - type: keyword - - name: p_result1 - overwrite: true - type: keyword - - name: password_chg - overwrite: true - type: keyword - - name: password_expire - overwrite: true - type: keyword - - name: permgranted - overwrite: true - type: keyword - - name: permwanted - overwrite: true - type: keyword - - name: pgid - overwrite: true - type: keyword - - name: policyUUID - overwrite: true - type: keyword - - name: prog_asp_num - overwrite: true - type: keyword - - name: program - overwrite: true - type: keyword - - name: real_data - overwrite: true - type: keyword - - name: rec_asp_device - overwrite: true - type: keyword - - name: rec_asp_num 
- overwrite: true - type: keyword - - name: rec_library - overwrite: true - type: keyword - - name: recordnum - overwrite: true - type: keyword - - name: ruid - overwrite: true - type: keyword - - name: sburb - overwrite: true - type: keyword - - name: sdomain_fld - overwrite: true - type: keyword - - name: sec - overwrite: true - type: keyword - - name: sensorname - overwrite: true - type: keyword - - name: seqnum - overwrite: true - type: keyword - - name: session - overwrite: true - type: keyword - - name: sessiontype - overwrite: true - type: keyword - - name: sigUUID - overwrite: true - type: keyword - - name: spi - overwrite: true - type: keyword - - name: srcburb - overwrite: true - type: keyword - - name: srcdom - overwrite: true - type: keyword - - name: srcservice - overwrite: true - type: keyword - - name: state - overwrite: true - type: keyword - - name: status1 - overwrite: true - type: keyword - - name: svcno - overwrite: true - type: keyword - - name: system - overwrite: true - type: keyword - - name: tbdstr1 - overwrite: true - type: keyword - - name: tgtdom - overwrite: true - type: keyword - - name: tgtdomain - overwrite: true - type: keyword - - name: threshold - overwrite: true - type: keyword - - name: type1 - overwrite: true - type: keyword - - name: udb_class - overwrite: true - type: keyword - - name: url_fld - overwrite: true - type: keyword - - name: user_div - overwrite: true - type: keyword - - name: userid - overwrite: true - type: keyword - - name: username_fld - overwrite: true - type: keyword - - name: utcstamp - overwrite: true - type: keyword - - name: v_instafname - overwrite: true - type: keyword - - name: virt_data - overwrite: true - type: keyword - - name: vpnid - overwrite: true - type: keyword - - name: autorun_type - overwrite: true - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - overwrite: true - type: long - description: Valid Credit Card Numbers only - - name: content - 
overwrite: true - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - overwrite: true - type: long - description: Employee Identification Numbers only - - name: found - overwrite: true - type: keyword - description: This is used to capture the results of regex match - - name: language - overwrite: true - type: keyword - description: This is used to capture list of languages the client support and - what it prefers - - name: lifetime - overwrite: true - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - overwrite: true - type: keyword - description: This key is used to link the sessions together. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: match - overwrite: true - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - overwrite: true - type: keyword - description: This key captures the command line/launch argument of the target - process or file - - name: param_src - overwrite: true - type: keyword - description: This key captures source parameter - - name: search_text - overwrite: true - type: keyword - description: This key captures the Search Text used - - name: sig_name - overwrite: true - type: keyword - description: This key is used to capture the Signature Name only. - - name: snmp_value - overwrite: true - type: keyword - description: SNMP set request value - - name: streams - overwrite: true - type: long - description: This key captures number of streams in session - - name: db - overwrite: true - type: group - fields: - - name: index - overwrite: true - type: keyword - description: This key captures IndexID of the index. 
- - name: instance - overwrite: true - type: keyword - description: This key is used to capture the database server instance name - - name: database - overwrite: true - type: keyword - description: This key is used to capture the name of a database or an instance - as seen in a session - - name: transact_id - overwrite: true - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - overwrite: true - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - overwrite: true - type: keyword - description: This key is used to capture the table name - - name: db_id - overwrite: true - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - overwrite: true - type: long - description: This key captures the process id of a connection with database - server - - name: lread - overwrite: true - type: long - description: This key is used for the number of logical reads - - name: lwrite - overwrite: true - type: long - description: This key is used for the number of logical writes - - name: pread - overwrite: true - type: long - description: This key is used for the number of physical writes - - name: network - overwrite: true - type: group - fields: - - name: alias_host - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a hostname is not clear.Also it captures the Device Hostname. Any Hostname - that isnt ad.computer. 
- - name: domain - overwrite: true - type: keyword - - name: host_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Hostname" - - name: network_service - overwrite: true - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of an interface is not clear - - name: network_port - overwrite: true - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently - used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - overwrite: true - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Interface" - - name: dinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Interface" - - name: vlan - overwrite: true - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Zone." - - name: zone - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a Zone is not clear - - name: zone_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Zone." - - name: gateway - overwrite: true - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - overwrite: true - type: long - description: This key is used to capture the ICMP type only - - name: mask - overwrite: true - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - overwrite: true - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - overwrite: true - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - overwrite: true - type: keyword - description: This key is used for Destionation Device network mask - - name: port - overwrite: true - type: long - description: This key should only be used to capture a Network Port when the - directionality is not clear - - name: smask - overwrite: true - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - overwrite: true - type: keyword - description: This key is used to capture the network name associated with an - IP range. This is configured by the end user. - - name: paddr - overwrite: true - type: ip - description: Deprecated - - name: faddr - overwrite: true - type: keyword - - name: lhost - overwrite: true - type: keyword - - name: origin - overwrite: true - type: keyword - - name: remote_domain_id - overwrite: true - type: keyword - - name: addr - overwrite: true - type: keyword - - name: dns_a_record - overwrite: true - type: keyword - - name: dns_ptr_record - overwrite: true - type: keyword - - name: fhost - overwrite: true - type: keyword - - name: fport - overwrite: true - type: keyword - - name: laddr - overwrite: true - type: keyword - - name: linterface - overwrite: true - type: keyword - - name: phost - overwrite: true - type: keyword - - name: ad_computer_dst - overwrite: true - type: keyword - description: Deprecated, use host.dst - - name: eth_type - overwrite: true - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols - Only - - name: ip_proto - overwrite: true - type: long - description: This key should be used to capture the Protocol number, all the - protocol nubers are converted into string in UI - - name: dns_cname_record - overwrite: true - 
type: keyword - - name: dns_id - overwrite: true - type: keyword - - name: dns_opcode - overwrite: true - type: keyword - - name: dns_resp - overwrite: true - type: keyword - - name: dns_type - overwrite: true - type: keyword - - name: domain1 - overwrite: true - type: keyword - - name: host_type - overwrite: true - type: keyword - - name: packet_length - overwrite: true - type: keyword - - name: host_orig - overwrite: true - type: keyword - description: This is used to capture the original hostname in case of a Forwarding - Agent or a Proxy in between. - - name: rpayload - overwrite: true - type: keyword - description: This key is used to capture the total number of payload bytes seen - in the retransmitted packets. - - name: vlan_name - overwrite: true - type: keyword - description: This key should only be used to capture the name of the Virtual - LAN - - name: investigations - overwrite: true - type: group - fields: - - name: ec_activity - overwrite: true - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - overwrite: true - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - overwrite: true - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - overwrite: true - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - overwrite: true - type: long - description: This key captures the Event category number - - name: event_cat_name - overwrite: true - type: keyword - description: This key captures the event category name corresponding to the - event cat code - - name: event_vcat - overwrite: true - type: keyword - description: This is a vendor supplied category. This should be used in situations - where the vendor has adopted their own event_category taxonomy. 
- - name: analysis_file - overwrite: true - type: keyword - description: This is used to capture all indicators used in a File Analysis. - This key should be used to capture an analysis of a file - - name: analysis_service - overwrite: true - type: keyword - description: This is used to capture all indicators used in a Service Analysis. - This key should be used to capture an analysis of a service - - name: analysis_session - overwrite: true - type: keyword - description: This is used to capture all indicators used for a Session Analysis. - This key should be used to capture an analysis of a session - - name: boc - overwrite: true - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - overwrite: true - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - overwrite: true - type: keyword - description: This used to capture investigation category - - name: inv_context - overwrite: true - type: keyword - description: This used to capture investigation context - - name: ioc - overwrite: true - type: keyword - description: This is key capture indicator of compromise - - name: counters - overwrite: true - type: group - fields: - - name: dclass_c1 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c1.str only - - name: dclass_c2 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c2.str only - - name: event_counter - overwrite: true - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r1.str only - - name: dclass_c3 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c3.str only - - name: dclass_c1_str - 
overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c1 only - - name: dclass_c2_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c2 only - - name: dclass_r1_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r1 only - - name: dclass_r2 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r2.str only - - name: dclass_c3_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c3 only - - name: dclass_r3 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r3.str only - - name: dclass_r2_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r2 only - - name: dclass_r3_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r3 only - - name: identity - overwrite: true - type: group - fields: - - name: auth_method - overwrite: true - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - overwrite: true - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - overwrite: true - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - overwrite: true - type: keyword - description: This key is used to capture the type of logon method used. 
- - name: profile - overwrite: true - type: keyword - description: This key is used to capture the user profile - - name: accesses - overwrite: true - type: keyword - description: This key is used to capture actual privileges used in accessing - an object - - name: realm - overwrite: true - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - overwrite: true - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that - indicates a Source dn - - name: org - overwrite: true - type: keyword - description: This key captures the User organization - - name: dn_dst - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that - indicates a Destination dn - - name: firstname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: lastname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: user_dept - overwrite: true - type: keyword - description: User's Department Names only - - name: user_sid_src - overwrite: true - type: keyword - description: This key captures Source User Session ID - - name: federated_sp - overwrite: true - type: keyword - description: This key is the Federated Service Provider. This is the application - requesting authentication. - - name: federated_idp - overwrite: true - type: keyword - description: This key is the federated Identity Provider. This is the server - providing the authentication. - - name: logon_type_desc - overwrite: true - type: keyword - description: This key is used to capture the textual description of an integer - logon type as stored in the meta key 'logon.type'. 
- - name: middlename - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: password - overwrite: true - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - overwrite: true - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - overwrite: true - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ - t have a clear query or response context" - - name: ldap_query - overwrite: true - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - overwrite: true - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - overwrite: true - type: keyword - description: This is used to capture username the process or service is running - as, the author of the task - - name: service_account - overwrite: true - type: keyword - description: This key is a windows specific key, used for capturing name of - the account a service (referenced in the event) is running under. Legacy Usage - - name: email - overwrite: true - type: group - fields: - - name: email_dst - overwrite: true - type: keyword - description: This key is used to capture the Destination email address only, - when the destination context is not clear use email - - name: email_src - overwrite: true - type: keyword - description: This key is used to capture the source email address only, when - the source context is not clear use email - - name: subject - overwrite: true - type: keyword - description: This key is used to capture the subject string from an Email only. 
- - name: email - overwrite: true - type: keyword - description: This key is used to capture a generic email address where the source - or destination context is not clear - - name: trans_from - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: file - overwrite: true - type: group - fields: - - name: privilege - overwrite: true - type: keyword - description: Deprecated, use permissions - - name: attachment - overwrite: true - type: keyword - description: This key captures the attachment file name - - name: filesystem - overwrite: true - type: keyword - - name: binary - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: filename_dst - overwrite: true - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - overwrite: true - type: keyword - description: This is used to capture name of the parent filename, the file which - performed the action - - name: filename_tmp - overwrite: true - type: keyword - - name: directory_dst - overwrite: true - type: keyword - description: This key is used to capture the directory of the target process - or file - - name: directory_src - overwrite: true - type: keyword - description: This key is used to capture the directory of the source process - or file - - name: file_entropy - overwrite: true - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - overwrite: true - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - overwrite: true - type: keyword - description: This is used to capture name of the task - - name: web - overwrite: true - type: group - fields: - - name: fqdn - overwrite: true - type: keyword - description: Fully Qualified Domain Names - - 
name: web_cookie - overwrite: true - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - overwrite: true - type: keyword - - name: reputation_num - overwrite: true - type: double - description: Reputation Number of an entity. Typically used for Web Domains - - name: web_ref_domain - overwrite: true - type: keyword - description: Web referer's domain - - name: web_ref_query - overwrite: true - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - overwrite: true - type: keyword - - name: web_ref_page - overwrite: true - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - overwrite: true - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - overwrite: true - type: keyword - - name: cn_rpackets - overwrite: true - type: keyword - - name: urlpage - overwrite: true - type: keyword - - name: urlroot - overwrite: true - type: keyword - - name: p_url - overwrite: true - type: keyword - - name: p_user_agent - overwrite: true - type: keyword - - name: p_web_cookie - overwrite: true - type: keyword - - name: p_web_method - overwrite: true - type: keyword - - name: p_web_referer - overwrite: true - type: keyword - - name: web_extension_tmp - overwrite: true - type: keyword - - name: web_page - overwrite: true - type: keyword - - name: threat - overwrite: true - type: group - fields: - - name: threat_category - overwrite: true - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of - alert - - name: threat_desc - overwrite: true - type: keyword - description: This key is used to capture the threat description from the session - directly or inferred - - name: alert - overwrite: true - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - overwrite: true - type: keyword - description: This key is used to 
capture source of the threat - - name: crypto - overwrite: true - type: group - fields: - - name: crypto - overwrite: true - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key - only - - name: cipher_src - overwrite: true - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - overwrite: true - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - overwrite: true - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - overwrite: true - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - overwrite: true - type: keyword - description: IKE negotiation phase. - - name: scheme - overwrite: true - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - overwrite: true - type: keyword - description: "This key is for Encryption peer\u2019s identity" - - name: sig_type - overwrite: true - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - overwrite: true - type: keyword - - name: cert_host_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: cert_error - overwrite: true - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - overwrite: true - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - overwrite: true - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - overwrite: true - type: keyword - description: Deprecated, use version - - name: d_certauth - overwrite: true - type: keyword - - name: s_certauth - overwrite: true - type: keyword - - name: ike_cookie1 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - - name: ike_cookie2 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - - name: cert_checksum - overwrite: true - type: keyword - - name: cert_host_cat - overwrite: true - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - overwrite: true - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - overwrite: true - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - overwrite: true - type: keyword - description: Deprecated, use version - - name: cert_keysize - overwrite: true - type: keyword - - name: cert_username - overwrite: true - type: keyword - - name: https_insact - overwrite: true - type: keyword - - name: https_valid - overwrite: true - type: keyword - - name: cert_ca - overwrite: true - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - overwrite: true - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - overwrite: true - type: group - fields: - - name: wlan_ssid - overwrite: true - type: keyword - description: This key is 
used to capture the ssid of a Wireless Session - - name: access_point - overwrite: true - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - overwrite: true - type: long - description: This is used to capture the channel names - - name: wlan_name - overwrite: true - type: keyword - description: This key captures either WLAN number/name - - name: storage - overwrite: true - type: group - fields: - - name: disk_volume - overwrite: true - type: keyword - description: A unique name assigned to logical units (volumes) within a physical - disk - - name: lun - overwrite: true - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - overwrite: true - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - overwrite: true - type: group - fields: - - name: org_dst - overwrite: true - type: keyword - description: This is used to capture the destination organization based on the - GEOPIP Maxmind database. - - name: org_src - overwrite: true - type: keyword - description: This is used to capture the source organization based on the GEOPIP - Maxmind database. 
- - name: healthcare
- overwrite: true
- type: group
- fields:
- - name: patient_fname
- overwrite: true
- type: keyword
- description: This key is for First Names only, this is used for Healthcare predominantly
- to capture Patients information
- - name: patient_id
- overwrite: true
- type: keyword
- description: This key captures the unique ID for a patient
- - name: patient_lname
- overwrite: true
- type: keyword
- description: This key is for Last Names only, this is used for Healthcare predominantly
- to capture Patients information
- - name: patient_mname
- overwrite: true
- type: keyword
- description: This key is for Middle Names only, this is used for Healthcare
- predominantly to capture Patients information
- - name: endpoint
- overwrite: true
- type: group
- fields:
- - name: host_state
- overwrite: true
- type: keyword
- description: This key is used to capture the current state of the machine, such
- as blacklisted, infected, firewall - disabled and so on
- - name: registry_key
- overwrite: true
- type: keyword
- description: This key captures the path to the registry key
- - name: registry_value
- overwrite: true
- type: keyword
- description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/bluecoat/director/config/input.yml b/x-pack/filebeat/module/bluecoat/director/config/input.yml
deleted file mode 100644
index 01d5592b7cc..00000000000
--- a/x-pack/filebeat/module/bluecoat/director/config/input.yml
+++ /dev/null
@@ -1,87 +0,0 @@
-{{ if eq .input "file" }}
-
-type: log
-paths:
- {{ range $i, $path := .paths }}
-- {{$path}}
- {{ end }}
-exclude_files: [".gz$"]
-
-{{ else }}
-
-type: {{.input}}
-host: "{{.syslog_host}}:{{.syslog_port}}"
-
-{{ end }}
-
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
-
-fields_under_root: true
-fields:
- observer:
- vendor: "Bluecoat"
- product: "Director"
- type: "Configuration"
-
-processors:
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{.rsa_fields}}
- tz_offset: {{.tz_offset}}
- keep_raw: {{.keep_raw_fields}}
- debug: {{.debug}}
- files:
- - ${path.home}/module/bluecoat/director/config/liblogparser.js
- - ${path.home}/module/bluecoat/director/config/pipeline.js
-{{ if .community_id }}
-- community_id: ~
-{{ end }}
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: dns.question.name
- target_field: dns.question.registered_domain
- target_subdomain_field: dns.question.subdomain
- target_etld_field: dns.question.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: client.domain
- target_field: client.registered_domain
- target_subdomain_field: client.subdomain
- target_etld_field: client.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: server.domain
- target_field: server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/bluecoat/director/config/liblogparser.js b/x-pack/filebeat/module/bluecoat/director/config/liblogparser.js
deleted file mode 100644
index b35eaa3ddce..00000000000
--- a/x-pack/filebeat/module/bluecoat/director/config/liblogparser.js
+++ /dev/null
@@ -1,2514 +0,0 @@
-// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-// or more contributor license agreements. Licensed under the Elastic License;
-// you may not use this file except in compliance with the Elastic License.
-
-/* jshint -W014,-W016,-W097,-W116 */
-
-var processor = require("processor");
-var console = require("console");
-
-var FLAG_FIELD = "log.flags";
-var FIELDS_OBJECT = "nwparser";
-var FIELDS_PREFIX = FIELDS_OBJECT + ".";
-
-var defaults = {
- debug: false,
- ecs: true,
- rsa: false,
- keep_raw: false,
- tz_offset: "local",
- strip_priority: true
-};
-
-var saved_flags = null;
-var debug;
-var map_ecs;
-var map_rsa;
-var keep_raw;
-var device;
-var tz_offset;
-var strip_priority;
-
-// Register params from configuration.
-function register(params) {
- debug = params.debug !== undefined ? params.debug : defaults.debug;
- map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
- map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
- keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
- tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
- strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority;
- device = new DeviceProcessor();
-}
-
-function parse_tz_offset(offset) {
- var date;
- var m;
- switch(offset) {
- // local uses the tz offset from the JS VM.
- case "local":
- date = new Date();
- // Reversing the sign as we the offset from UTC, not to UTC.
- return parse_local_tz_offset(-date.getTimezoneOffset());
- // event uses the tz offset from event.timezone (add_locale processor).
- case "event":
- return offset;
- // Otherwise a tz offset in the form "[+-][0-9]{4}" is required.
- default:
- m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/);
- if (m === null || m.length !== 4) {
- throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM");
- }
- return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00");
- }
-}
-
-function parse_local_tz_offset(minutes) {
- var neg = minutes < 0;
- minutes = Math.abs(minutes);
- var min = minutes % 60;
- var hours = Math.floor(minutes / 60);
- var pad2digit = function(n) {
- if (n < 10) { return "0" + n;}
- return "" + n;
- };
- return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min);
-}
-
-function process(evt) {
- // Function register is only called by the processor when `params` are set
- // in the processor config.
- if (device === undefined) {
- register(defaults);
- }
- return device.process(evt);
-}
-
-function processor_chain(subprocessors) {
- var builder = new processor.Chain();
- subprocessors.forEach(builder.Add);
- return builder.Build().Run;
-}
-
-function linear_select(subprocessors) {
- return function (evt) {
- var flags = evt.Get(FLAG_FIELD);
- var i;
- for (i = 0; i < subprocessors.length; i++) {
- evt.Delete(FLAG_FIELD);
- if (debug) console.warn("linear_select trying entry " + i);
- subprocessors[i](evt);
- // Dissect processor succeeded?
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; -} - -function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; -} - -var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); -})(); - -function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; -} - -function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } -} - -function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; -} - -function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; -} - -function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; -} - -function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; -} - -var start; - -function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); -} - -function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); -} - -function constant(value) { - return function (evt) { - return value; - }; -} - -function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; -} - -function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; -} - -// TODO: Implement -function DIRCHK(args) { - unimplemented("DIRCHK"); -} - -function strictToInt(str) { - return str * 1; -} - -function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - var result; - switch 
(args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; -} - -var quoteChars = "\"'`"; -function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; -} - -function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; -} - -function nop(evt) { -} - -function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); -} - -function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); -} - -function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; -} - -function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); -} - -function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; -} - -function setc(dst, value) { - return function (evt) { - evt.Put(FIELDS_PREFIX + dst, value); - }; 
-} - -function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; -} - -function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; -} - -function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; -} - -function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; -} - -// Make two-digit dates 00-69 interpreted as 2000-2069 -// and dates 70-99 translated to 1970-1999. -var twoDigitYearEpoch = 70; -var twoDigitYearCentury = 2000; - -// This is to accept dates up to 2 days in the future, only used when -// no year is specified in a date. 2 days should be enough to account for -// time differences between systems and different tz offsets. -var maxFutureDelta = 2*24*60*60*1000; - -// DateContainer stores date fields and then converts those fields into -// a Date. Necessary because building a Date using its set() methods gives -// different results depending on the order of components. -function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; -} - -DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } -} - -function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; -} - -function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; -} - -function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; -} - -var uA = 60 * 60 * 24; -var uD = 60 * 60 * 24; -var uF = 60 * 60; -var uG = 60 * 60 * 24 * 30; -var uH = 60 * 60; -var uI = 60 * 60; -var uJ = 60 * 60 * 24; -var uM = 60 * 60 * 24 * 30; -var uN = 60 * 60; -var uO = 1; -var uS = 1; -var uT = 60; -var uU = 60; -var uc = dc; - -function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; -} - -function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 5], - "dec": [11, 4], 
-}; - -// var dC = undefined; -var dR = dateMonthName(true); -var dB = dateMonthName(false); -var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); -var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); -var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); -var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); -var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); -var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 -var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); -var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); -var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); -var dP = parseAMPM; // AM|PM -var dQ = parseAMPM; // A.M.|P.M -var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); -var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); -var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); -var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); -var dZ = parseHMS; -var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - -// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. -// Only works if this modifier appears after the hour has been read from logs -// which is always the case in the 300 devices. 
-function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; -} - -function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); -} - -function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; -} - -function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; -} - -function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; -} - -function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; -} - -function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; -} - -// Short month name (Jan..Dec). -function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; -} - -function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; -} - -// The following regular expression for parsing URLs from: -// https://github.com/wizard04wsu/URI_Parsing -// -// The MIT License (MIT) -// -// Copyright (c) 2014 Andrew Harrison -// -// Permission is hereby granted, free of charge, to any person obtaining a copy of -// this software and associated documentation files (the "Software"), to deal in -// the Software without restriction, including without limitation the rights to -// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -// the Software, and to permit persons to whom the Software is furnished to do so, -// subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
-var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - -var uriScheme = 1; -var uriDomain = 5; -var uriPort = 6; -var uriPath = 7; -var uriPathAlt = 9; -var uriQuery = 11; - -function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); -} - -function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; -} - -function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; -} - -var extFromPage = /\.[^.]+$/; -function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } -} - -function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); -} - -function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); -} - -var pageFromPathRegExp = /\/([^\/]+)$/; -var pageName = 1; - -function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; -} - -function page(dst, src) { - return url_wrapper(dst, src, extract_page); -} - -function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; -} - -function path(dst, src) { - return url_wrapper(dst, src, extract_path); -} - -// Map common schemes to their default port. -// port has to be a string (will be converted at a later stage). 
-var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", -}; - -function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } -} - -function port(dst, src) { - return url_wrapper(dst, src, extract_port); -} - -function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; -} - -function query(dst, src) { - return url_wrapper(dst, src, extract_query); -} - -function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } -} - -function root(dst, src) { - return url_wrapper(dst, src, extract_root); -} - -function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } -} - -var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, -}; - -var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, 
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, -}; - -function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } -} - -// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. -var maxSafeInt = Math.pow(2, 53) - 1; -var minSafeInt = -maxSafeInt; - -function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; -} - -function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); -} - -var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; -var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - -function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; -} - -function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; -} - -function to_double(value) { - return parseFloat(value); -} - -function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; -} - -function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; -} - -function fld_set(dst, value) { - dst[this.field] = { v: value }; -} - -function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } -} - -function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } -} - -var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true -}; - -function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } -} - -function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } -} - -function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); -} - -var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, -]; - -function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - tzOffset = 
evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i %{username}@%{p0}"); - -var dup3 = match_copy("MESSAGE#0:cli/2", "nwparser.p0", "action"); - -var dup4 = setc("eventcategory","1605000000"); - -var dup5 = setf("msg","$MSG"); - -var dup6 = setc("event_description","bad variable"); - -var dup7 = setc("event_description","This file is automatically generated"); - -var dup8 = setc("eventcategory","1603000000"); - -var dup9 = setc("event_description","authentication failure"); - -var dup10 = match("MESSAGE#10:cli:pam", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): pam_putenv: %{fld3}", processor_chain([ - dup4, - dup5, - dup6, -])); - -var hdr1 = match("HEADER#0:0001", "message", "%{messageid}[%{hfld1}]: %{p0}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant("["), - field("hfld1"), - constant("]: "), - field("p0"), - ], - }), -])); - -var hdr2 = match("HEADER#1:0002", "message", "%{messageid}: %{p0}", processor_chain([ - setc("header_id","0002"), - dup1, -])); - -var hdr3 = match("HEADER#2:0003", "message", "%{hfld1->} %{hfld2->} %{hfld3->} %{hfld4->} %{messageid}[%{hfld5}]: %{p0}", processor_chain([ - setc("header_id","0003"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant("["), - field("hfld5"), - constant("]: "), - field("p0"), - ], - }), -])); - -var hdr4 = match("HEADER#3:0004", "message", "%{hfld1->} %{hfld2->} %{hfld3->} %{hfld4->} %{messageid}: %{p0}", processor_chain([ - setc("header_id","0004"), - dup1, -])); - -var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, -]); - -var part1 = match("MESSAGE#0:cli/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Processing command: %{p0}"); - -var part2 = match("MESSAGE#0:cli/1_1", "nwparser.p0", "%{domain->} : Processing command: %{p0}"); - -var select2 = linear_select([ - part1, - part2, -]); - -var all1 
= all_match({ - processors: [ - dup2, - select2, - dup3, - ], - on_success: processor_chain([ - dup4, - dup5, - ]), -}); - -var msg1 = msg("cli", all1); - -var part3 = match("MESSAGE#1:cli:01/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Processing command %{p0}"); - -var part4 = match("MESSAGE#1:cli:01/1_1", "nwparser.p0", "%{domain->} : Processing command %{p0}"); - -var select3 = linear_select([ - part3, - part4, -]); - -var all2 = all_match({ - processors: [ - dup2, - select3, - dup3, - ], - on_success: processor_chain([ - dup4, - dup5, - ]), -}); - -var msg2 = msg("cli:01", all2); - -var part5 = match("MESSAGE#2:cli:02/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Leaving config mode"); - -var part6 = match("MESSAGE#2:cli:02/1_1", "nwparser.p0", "%{domain->} : Leaving config mode"); - -var select4 = linear_select([ - part5, - part6, -]); - -var all3 = all_match({ - processors: [ - dup2, - select4, - ], - on_success: processor_chain([ - dup4, - dup5, - setc("event_description","Leaving config mode"), - ]), -}); - -var msg3 = msg("cli:02", all3); - -var part7 = match("MESSAGE#3:cli:03/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Entering config mode"); - -var part8 = match("MESSAGE#3:cli:03/1_1", "nwparser.p0", "%{domain->} : Entering config mode"); - -var select5 = linear_select([ - part7, - part8, -]); - -var all4 = all_match({ - processors: [ - dup2, - select5, - ], - on_success: processor_chain([ - dup4, - dup5, - setc("event_description","Entering config mode"), - ]), -}); - -var msg4 = msg("cli:03", all4); - -var part9 = match("MESSAGE#4:cli:04/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : CLI exiting"); - -var part10 = match("MESSAGE#4:cli:04/1_1", "nwparser.p0", "%{domain->} : CLI exiting"); - -var select6 = linear_select([ - part9, - part10, -]); - -var all5 = all_match({ - processors: [ - dup2, - select6, - ], - on_success: processor_chain([ - dup4, - dup5, - setc("event_description","CLI exiting"), - ]), -}); - -var msg5 = msg("cli:04", all5); - -var 
part11 = match("MESSAGE#5:cli:05/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : CLI launched"); - -var part12 = match("MESSAGE#5:cli:05/1_1", "nwparser.p0", "%{domain->} : CLI launched"); - -var select7 = linear_select([ - part11, - part12, -]); - -var all6 = all_match({ - processors: [ - dup2, - select7, - ], - on_success: processor_chain([ - dup4, - dup5, - setc("event_description","CLI launched"), - ]), -}); - -var msg6 = msg("cli:05", all6); - -var part13 = match("MESSAGE#6:Automatically/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Automatically logged out due to keyboard inactivity."); - -var part14 = match("MESSAGE#6:Automatically/1_1", "nwparser.p0", "%{domain->} : Automatically logged out due to keyboard inactivity."); - -var select8 = linear_select([ - part13, - part14, -]); - -var all7 = all_match({ - processors: [ - dup2, - select8, - ], - on_success: processor_chain([ - dup4, - setc("ec_subject","User"), - setc("ec_activity","Logoff"), - dup5, - setc("event_description","Automatically logged out due to keyboard inactivity"), - ]), -}); - -var msg7 = msg("Automatically", all7); - -var part15 = match("MESSAGE#7:cli:06/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Entering enable mode"); - -var part16 = match("MESSAGE#7:cli:06/1_1", "nwparser.p0", "%{domain->} : Entering enable mode"); - -var select9 = linear_select([ - part15, - part16, -]); - -var all8 = all_match({ - processors: [ - dup2, - select9, - ], - on_success: processor_chain([ - dup4, - dup5, - setc("event_description","Entering enable mode"), - ]), -}); - -var msg8 = msg("cli:06", all8); - -var part17 = match("MESSAGE#8:cli:07/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Leaving enable mode"); - -var part18 = match("MESSAGE#8:cli:07/1_1", "nwparser.p0", "%{domain->} : Leaving enable mode"); - -var select10 = linear_select([ - part17, - part18, -]); - -var all9 = all_match({ - processors: [ - dup2, - select10, - ], - on_success: processor_chain([ - dup4, - dup5, - setc("event_description","Leaving 
enable mode"), - ]), -}); - -var msg9 = msg("cli:07", all9); - -var part19 = match("MESSAGE#9:Processing/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Processing a secure command..."); - -var part20 = match("MESSAGE#9:Processing/1_1", "nwparser.p0", "%{domain->} : Processing a secure command..."); - -var select11 = linear_select([ - part19, - part20, -]); - -var all10 = all_match({ - processors: [ - dup2, - select11, - ], - on_success: processor_chain([ - dup4, - dup5, - setc("event_description","Processing a secure command"), - ]), -}); - -var msg10 = msg("Processing", all10); - -var msg11 = msg("cli:pam", dup10); - -var select12 = linear_select([ - msg1, - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, -]); - -var part21 = match("MESSAGE#11:schedulerd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Executing Job \"%{operation_id}\" execution %{fld6}", processor_chain([ - dup4, - dup5, -])); - -var msg12 = msg("schedulerd", part21); - -var part22 = match("MESSAGE#12:schedulerd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> System time changed, recomputing job run times.", processor_chain([ - dup4, - dup5, - setc("event_description","System time changed, recomputing job run times"), -])); - -var msg13 = msg("schedulerd:01", part22); - -var select13 = linear_select([ - msg12, - msg13, -]); - -var part23 = match("MESSAGE#13:configd:Rotating", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Rotating out backup file \"%(unknown)\" for device \"%{hostname}\".", processor_chain([ - dup4, - dup5, -])); - -var msg14 = msg("configd:Rotating", part23); - -var part24 = match("MESSAGE#14:configd:Deleting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Deleting backup %{filename->} from device \"%{hostname}\"", processor_chain([ - dup4, - dup5, -])); - -var msg15 = msg("configd:Deleting", part24); - -var part25 = match("MESSAGE#15:configd", "nwparser.payload", 
"%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" completed command(s) \u003c\u003c%{action}> ...", processor_chain([ - dup4, - dup5, -])); - -var msg16 = msg("configd", part25); - -var part26 = match("MESSAGE#16:configd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Sending commands to Device %{hostname}", processor_chain([ - dup4, - dup5, -])); - -var msg17 = msg("configd:01", part26); - -var part27 = match("MESSAGE#17:configd:11", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: Sending commands to Device %{hostname}", processor_chain([ - dup4, - dup5, -])); - -var msg18 = msg("configd:11", part27); - -var part28 = match("MESSAGE#18:file", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: command: %{action->} ;; CPL generated by Visual Policy Manager: %{fld10->} ;%{fld11->} ; %{fld12->} ; %{info}", processor_chain([ - dup4, - dup5, - dup7, -])); - -var msg19 = msg("file", part28); - -var part29 = match("MESSAGE#19:configd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: command: %{action}", processor_chain([ - dup4, - dup5, -])); - -var msg20 = msg("configd:02", part29); - -var part30 = match("MESSAGE#20:configd:22", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: command: %{action}", processor_chain([ - dup4, - dup5, -])); - -var msg21 = msg("configd:22", part30); - -var part31 = match("MESSAGE#21:configd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Commands sent to Device %{hostname}", processor_chain([ - dup4, - dup5, -])); - -var msg22 = msg("configd:03", part31); - -var part32 = match("MESSAGE#22:configd:33", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: Commands sent to Device 
%{hostname}", processor_chain([ - dup4, - dup5, -])); - -var msg23 = msg("configd:33", part32); - -var part33 = match("MESSAGE#23:Backup", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Backup import command finished for all devices.", processor_chain([ - dup4, - dup5, - setc("event_description","Backup import command finished for all devices"), -])); - -var msg24 = msg("Backup", part33); - -var part34 = match("MESSAGE#24:Beginning", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Beginning to make backup of cache %{hostname}", processor_chain([ - dup4, - dup5, - setc("event_description","Beginning to make backup of cache"), -])); - -var msg25 = msg("Beginning", part34); - -var part35 = match("MESSAGE#25:Inputting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Inputting overlay \u003c\u003c%{fld10}>", processor_chain([ - dup4, - dup5, - setc("event_description","Inputting overlay"), -])); - -var msg26 = msg("Inputting", part35); - -var part36 = match("MESSAGE#26:Saved", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Saved %{info->} to %(unknown)", processor_chain([ - dup4, - dup5, -])); - -var msg27 = msg("Saved", part36); - -var part37 = match("MESSAGE#27:Importing", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Importing overlay \u003c\u003c%{fld25}> from %{hostname}", processor_chain([ - dup4, - dup5, -])); - -var msg28 = msg("Importing", part37); - -var part38 = match("MESSAGE#28:Overlay", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Overlay \"%{fld25}\" imported from device \"%{hostname}\"", processor_chain([ - dup4, - dup5, -])); - -var msg29 = msg("Overlay", part38); - -var part39 = match("MESSAGE#29:Executed", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Executed the last created overlay. 
The filename is %(unknown)", processor_chain([ - dup4, - dup5, -])); - -var msg30 = msg("Executed", part39); - -var part40 = match("MESSAGE#30:Configuration", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Configuration system online", processor_chain([ - dup4, - dup5, - setc("event_description","Configuration system online"), -])); - -var msg31 = msg("Configuration", part40); - -var part41 = match("MESSAGE#31:Create", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> CREATE %{info}", processor_chain([ - dup4, - dup5, - setc("event_description","Table creation"), -])); - -var msg32 = msg("Create", part41); - -var part42 = match("MESSAGE#32:Loaded", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Loaded config file initial", processor_chain([ - dup4, - dup5, - setc("event_description","Loaded config file initial"), -])); - -var msg33 = msg("Loaded", part42); - -var part43 = match("MESSAGE#33:Setting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Setting set-reply timeout to %{fld1}", processor_chain([ - dup4, - dup5, - setc("event_description","Setting set-reply timeout"), -])); - -var msg34 = msg("Setting", part43); - -var part44 = match("MESSAGE#34:CCD", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> CCD lost connection to device \"%{hostname}\": %{event_description}", processor_chain([ - dup4, - dup5, -])); - -var msg35 = msg("CCD", part44); - -var part45 = match("MESSAGE#35:Device", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" is now online.", processor_chain([ - dup4, - dup5, -])); - -var msg36 = msg("Device", part45); - -var part46 = match("MESSAGE#36:Output", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: %{fld9->} Output for device \"%{hostname}\" %{fld10}", processor_chain([ - dup4, - dup5, -])); - -var msg37 = msg("Output", part46); - -var part47 = 
match("MESSAGE#37:ssh", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> (ssh) %{event_description}", processor_chain([ - dup4, - dup5, -])); - -var msg38 = msg("ssh", part47); - -var part48 = match("MESSAGE#38:Applying", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Applying overlay \u003c\u003c%{fld10}> to group %{group_object}", processor_chain([ - dup4, - dup5, - setc("event_description","Applying overlay to group"), -])); - -var msg39 = msg("Applying", part48); - -var part49 = match("MESSAGE#39:Applying:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Applying overlay \u003c\u003c%{fld10}> to cache %{hostname}", processor_chain([ - dup4, - dup5, - setc("event_description","Applying overlay to cache"), -])); - -var msg40 = msg("Applying:01", part49); - -var part50 = match("MESSAGE#40:configd:backup", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Backup complete for device \"%{hostname}\". 
ID %{fld10}", processor_chain([ - dup4, - dup5, - setc("event_description","Backup complete for device"), -])); - -var msg41 = msg("configd:backup", part50); - -var part51 = match("MESSAGE#41:file:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" completed command(s) %{action->} ;; CPL generated by Visual Policy Manager: %{fld10->} ;%{fld11->} ; %{fld12->} ; %{info}", processor_chain([ - dup4, - dup5, - dup7, -])); - -var msg42 = msg("file:01", part51); - -var part52 = match("MESSAGE#42:configd:connection", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> read: Connection reset by peer", processor_chain([ - dup4, - dup5, - setc("event_description","Connection reset by peer"), -])); - -var msg43 = msg("configd:connection", part52); - -var part53 = match("MESSAGE#43:configd:failed", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{info->} failed", processor_chain([ - dup4, - dup5, - setc("event_description","cd session read failed"), -])); - -var msg44 = msg("configd:failed", part53); - -var select14 = linear_select([ - msg14, - msg15, - msg16, - msg17, - msg18, - msg19, - msg20, - msg21, - msg22, - msg23, - msg24, - msg25, - msg26, - msg27, - msg28, - msg29, - msg30, - msg31, - msg32, - msg33, - msg34, - msg35, - msg36, - msg37, - msg38, - msg39, - msg40, - msg41, - msg42, - msg43, - msg44, -]); - -var part54 = match("MESSAGE#44:poller", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Querying content system for job results.", processor_chain([ - dup4, - dup5, - setc("event_description","Querying content system for job results"), -])); - -var msg45 = msg("poller", part54); - -var part55 = match("MESSAGE#45:heartbeat", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Processing command: %{action}", processor_chain([ - dup4, - dup5, -])); - -var msg46 = msg("heartbeat", part55); - -var part56 = match("MESSAGE#46:heartbeat:01", 
"nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> The HB command is %{action}", processor_chain([ - dup4, - dup5, -])); - -var msg47 = msg("heartbeat:01", part56); - -var part57 = match("MESSAGE#47:heartbeat:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> director heartbeat client exiting.", processor_chain([ - dup4, - dup5, - setc("event_description","director heartbeat client exiting"), -])); - -var msg48 = msg("heartbeat:02", part57); - -var part58 = match("MESSAGE#48:heartbeat:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> director heartbeat client launched.", processor_chain([ - dup4, - dup5, - setc("event_description","director heartbeat client launched"), -])); - -var msg49 = msg("heartbeat:03", part58); - -var part59 = match("MESSAGE#49:heartbeat:crit1", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %(unknown): undefined symbol: %{info}", processor_chain([ - dup4, - dup5, - setc("event_description","undefined symbol"), -])); - -var msg50 = msg("heartbeat:crit1", part59); - -var part60 = match("MESSAGE#50:heartbeat:crit2", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> connect: %{fld1}", processor_chain([ - dup4, - dup5, - setc("event_description","No such file or directory"), -])); - -var msg51 = msg("heartbeat:crit2", part60); - -var select15 = linear_select([ - msg46, - msg47, - msg48, - msg49, - msg50, - msg51, -]); - -var part61 = match("MESSAGE#51:runner", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Job \"%{operation_id}\" execution %{fld6->} command %{fld7}: \"%{action}\". 
Output %{fld9}: %{result}", processor_chain([ - dup4, - dup5, -])); - -var msg52 = msg("runner", part61); - -var part62 = match("MESSAGE#52:runner:01", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Processing command: %{action}", processor_chain([ - dup4, - dup5, -])); - -var msg53 = msg("runner:01", part62); - -var part63 = match("MESSAGE#53:runner:02", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Job \"%{operation_id}\" execution %{fld6->} finished running.", processor_chain([ - dup4, - dup5, -])); - -var msg54 = msg("runner:02", part63); - -var part64 = match("MESSAGE#54:runner:crit1", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Failed to exec %(unknown)", processor_chain([ - dup4, - dup5, -])); - -var msg55 = msg("runner:crit1", part64); - -var part65 = match("MESSAGE#55:runner:crit2", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> File reading failed", processor_chain([ - dup4, - dup5, - setc("event_description","File reading failed"), -])); - -var msg56 = msg("runner:crit2", part65); - -var select16 = linear_select([ - msg52, - msg53, - msg54, - msg55, - msg56, -]); - -var part66 = match("MESSAGE#56:ccd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: attempting connection using %{fld6->} on port: %{fld7}", processor_chain([ - dup4, - dup5, -])); - -var msg57 = msg("ccd", part66); - -var part67 = match("MESSAGE#57:ccd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: %{event_description}, Reason %{result}", processor_chain([ - dup4, - dup5, -])); - -var msg58 = msg("ccd:01", part67); - -var part68 = match("MESSAGE#58:ccd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: couldn't match the response \u003c\u003c%{event_description}>", processor_chain([ - dup4, - dup5, -])); - -var msg59 = msg("ccd:03", 
part68); - -var part69 = match("MESSAGE#59:ccd:04", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: Did not get echo for the command \u003c\u003c%{action}>for past %{fld10}", processor_chain([ - dup4, - dup5, -])); - -var msg60 = msg("ccd:04", part69); - -var part70 = match("MESSAGE#60:ccd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: %{info}", processor_chain([ - dup4, - dup5, - setc("event_description","info on device connection"), -])); - -var msg61 = msg("ccd:02", part70); - -var part71 = match("MESSAGE#61:ccd:05", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> write to %{fld1->} pipe : %{info}", processor_chain([ - dup4, - dup5, - setc("event_description","write to ssh pipe"), -])); - -var msg62 = msg("ccd:05", part71); - -var part72 = match("MESSAGE#62:ccd:06", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> ccd_handle_read_failure(), %{info}", processor_chain([ - dup4, - dup5, - setc("event_description","ccd handle read failure"), -])); - -var msg63 = msg("ccd:06", part72); - -var part73 = match("MESSAGE#63:ccd:07", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device Communication Daemon online", processor_chain([ - dup4, - dup5, - setc("event_description","device communication daemon online"), -])); - -var msg64 = msg("ccd:07", part73); - -var part74 = match("MESSAGE#64:ccd:08", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> System memory is: %{fld1}", processor_chain([ - dup4, - dup5, - setc("event_description","system memory size"), -])); - -var msg65 = msg("ccd:08", part74); - -var select17 = linear_select([ - msg57, - msg58, - msg59, - msg60, - msg61, - msg62, - msg63, - msg64, - msg65, -]); - -var part75 = match("MESSAGE#65:sshd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> error: Bind to port %{fld10->} on %{fld5->} failed: %{result}", processor_chain([ - dup8, - dup5, -])); - 
-var msg66 = msg("sshd", part75); - -var part76 = match("MESSAGE#66:sshd:01", "nwparser.payload", "%{agent}: bad username %{fld1}", processor_chain([ - dup4, - dup5, - setc("event_description","bad username"), -])); - -var msg67 = msg("sshd:01", part76); - -var part77 = match("MESSAGE#67:sshd:02", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): authentication failure; %{info}", processor_chain([ - dup4, - dup5, - dup9, -])); - -var msg68 = msg("sshd:02", part77); - -var part78 = match("MESSAGE#68:sshd:03", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): check pass; %{fld3}", processor_chain([ - dup4, - dup5, - setc("event_description","check pass, user unknown"), -])); - -var msg69 = msg("sshd:03", part78); - -var part79 = match("MESSAGE#69:sshd:04", "nwparser.payload", "%{agent}[%{process_id}]: PAM %{fld1->} more authentication failure; %{info}", processor_chain([ - dup4, - dup5, - dup9, -])); - -var msg70 = msg("sshd:04", part79); - -var msg71 = msg("sshd:pam", dup10); - -var select18 = linear_select([ - msg66, - msg67, - msg68, - msg69, - msg70, - msg71, -]); - -var part80 = match("MESSAGE#71:dmd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> inserted device id = %{hostname->} and serial number = %{fld6->} into DB", processor_chain([ - dup4, - dup5, -])); - -var msg72 = msg("dmd", part80); - -var part81 = match("MESSAGE#72:dmd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Health state for metric\"%{hostname}\" \"%{change_old}\" changed to \"%{change_new}\", reason: \"%{result}\"", processor_chain([ - dup4, - dup5, -])); - -var msg73 = msg("dmd:01", part81); - -var part82 = match("MESSAGE#73:dmd:11", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Health state for group \"%{group_object}\" changed from \"%{change_old}\" to \"%{change_new}\"", processor_chain([ - dup4, - dup5, -])); - -var msg74 = msg("dmd:11", part82); - -var part83 = 
match("MESSAGE#74:dmd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Filter on (%{fld5}) things. %{event_description}", processor_chain([ - dup4, - dup5, -])); - -var msg75 = msg("dmd:02", part83); - -var part84 = match("MESSAGE#75:dmd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device ID \"%{hostname}\" error: %{event_description}", processor_chain([ - dup8, - dup5, -])); - -var msg76 = msg("dmd:03", part84); - -var select19 = linear_select([ - msg72, - msg73, - msg74, - msg75, - msg76, -]); - -var part85 = match("MESSAGE#76:logrotate", "nwparser.payload", "%{agent}: ALERT exited abnormally with %{fld10}", processor_chain([ - dup4, - dup5, - setc("event_description","ALERT exited abnormally"), -])); - -var msg77 = msg("logrotate", part85); - -var part86 = match("MESSAGE#77:ntpd", "nwparser.payload", "%{agent}[%{process_id}]: kernel time sync enabled %{fld10}", processor_chain([ - dup4, - dup5, - setc("event_description","kernel time sync enabled"), -])); - -var msg78 = msg("ntpd", part86); - -var part87 = match("MESSAGE#78:ntpd:01", "nwparser.payload", "%{agent}[%{process_id}]: time reset %{fld10}", processor_chain([ - dup4, - dup5, - setc("event_description","time reset"), -])); - -var msg79 = msg("ntpd:01", part87); - -var part88 = match("MESSAGE#79:ntpd:02", "nwparser.payload", "%{agent}[%{process_id}]: ntpd %{fld10}-r %{fld11}", processor_chain([ - dup4, - dup5, -])); - -var msg80 = msg("ntpd:02", part88); - -var part89 = match("MESSAGE#80:ntpd:03", "nwparser.payload", "%{agent}[%{process_id}]: ntpd exiting on signal %{fld10}", processor_chain([ - dup4, - dup5, - setc("event_description","ntpd exiting on signal"), -])); - -var msg81 = msg("ntpd:03", part89); - -var select20 = linear_select([ - msg78, - msg79, - msg80, - msg81, -]); - -var part90 = match("MESSAGE#81:pm", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> ntpd will start in %{fld10}", processor_chain([ - dup4, - dup5, 
- setc("event_description","ntpd will start in few secs"), -])); - -var msg82 = msg("pm", part90); - -var part91 = match("MESSAGE#82:pm:01", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> ntpd started", processor_chain([ - dup4, - dup5, - setc("event_description","ntpd started"), -])); - -var msg83 = msg("pm:01", part91); - -var part92 = match("MESSAGE#83:pm:02", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> print_msg(), %{info}", processor_chain([ - dup4, - dup5, - setc("event_description","print message"), -])); - -var msg84 = msg("pm:02", part92); - -var part93 = match("MESSAGE#84:pm:03", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> %{info->} started", processor_chain([ - dup4, - dup5, - setc("event_description","service started"), -])); - -var msg85 = msg("pm:03", part93); - -var part94 = match("MESSAGE#85:pm:04", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> %{info->} will start in %{fld1}", processor_chain([ - dup4, - dup5, - setc("event_description","service will start"), -])); - -var msg86 = msg("pm:04", part94); - -var part95 = match("MESSAGE#86:pm:05", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> check_license_validity(), %{fld1}", processor_chain([ - dup4, - dup5, - setc("event_description","check license validity"), -])); - -var msg87 = msg("pm:05", part95); - -var part96 = match("MESSAGE#87:pm:06", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Connected to config daemon", processor_chain([ - dup4, - dup5, - setc("event_description","connected to config daemon"), -])); - -var msg88 = msg("pm:06", part96); - -var select21 = linear_select([ - msg82, - msg83, - msg84, - msg85, - msg86, - msg87, - msg88, -]); - -var part97 = match("MESSAGE#88:anacron", "nwparser.payload", "%{agent}[%{process_id}]: Updated timestamp for job %{info->} to %{fld1}", 
processor_chain([ - dup4, - dup5, - setc("event_description","updated timestamp"), -])); - -var msg89 = msg("anacron", part97); - -var part98 = match("MESSAGE#89:anacron:01", "nwparser.payload", "%{agent}[%{process_id}]: Anacron %{version->} started on %{fld1}", processor_chain([ - dup4, - dup5, - setc("event_description","anacron started"), -])); - -var msg90 = msg("anacron:01", part98); - -var part99 = match("MESSAGE#90:anacron:02", "nwparser.payload", "%{agent}[%{process_id}]: Normal exit %{fld1}", processor_chain([ - dup4, - dup5, - setc("event_description","normal exit"), -])); - -var msg91 = msg("anacron:02", part99); - -var select22 = linear_select([ - msg89, - msg90, - msg91, -]); - -var part100 = match("MESSAGE#91:epmd", "nwparser.payload", "%{agent}: epmd: invalid packet size (%{fld1})", processor_chain([ - dup4, - dup5, - setc("event_description","invalid packet size"), -])); - -var msg92 = msg("epmd", part100); - -var part101 = match("MESSAGE#92:epmd:01", "nwparser.payload", "%{agent}: epmd: got %{info}", processor_chain([ - dup4, - dup5, -])); - -var msg93 = msg("epmd:01", part101); - -var part102 = match("MESSAGE#93:epmd:02", "nwparser.payload", "%{agent}: epmd: epmd running %{info}", processor_chain([ - dup4, - dup5, -])); - -var msg94 = msg("epmd:02", part102); - -var select23 = linear_select([ - msg92, - msg93, - msg94, -]); - -var part103 = match("MESSAGE#94:xinetd", "nwparser.payload", "%{agent}[%{process_id}]: xinetd %{event_description}", processor_chain([ - dup4, - dup5, -])); - -var msg95 = msg("xinetd", part103); - -var part104 = match("MESSAGE#95:xinetd:01", "nwparser.payload", "%{agent}[%{process_id}]: Started working: %{fld1->} available services", processor_chain([ - dup4, - dup5, -])); - -var msg96 = msg("xinetd:01", part104); - -var select24 = linear_select([ - msg95, - msg96, -]); - -var part105 = match("MESSAGE#96:auditd", "nwparser.payload", "%{agent}[%{process_id}]: Audit daemon rotating log files", processor_chain([ - dup4, - 
dup5, - setc("event_description","Audit daemon rotating log files"), -])); - -var msg97 = msg("auditd", part105); - -var part106 = match("MESSAGE#97:restorecond", "nwparser.payload", "%{agent}: Reset file context %(unknown): %{fld1}", processor_chain([ - dup4, - dup5, - setc("event_description","Reset file"), -])); - -var msg98 = msg("restorecond", part106); - -var part107 = match("MESSAGE#98:authd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> handle_authd unknown message =%{fld1}", processor_chain([ - dup4, - dup5, - setc("event_description","handle authd unknown message"), -])); - -var msg99 = msg("authd", part107); - -var part108 = match("MESSAGE#99:authd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> authd_signal_handler(), %{fld1}", processor_chain([ - dup4, - dup5, - setc("event_description","authd signal handler"), -])); - -var msg100 = msg("authd:01", part108); - -var part109 = match("MESSAGE#100:authd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> authd_close(): %{info}", processor_chain([ - dup4, - dup5, - setc("event_description","authd close"), -])); - -var msg101 = msg("authd:02", part109); - -var select25 = linear_select([ - msg99, - msg100, - msg101, -]); - -var part110 = match("MESSAGE#101:rsyslogd/0", "nwparser.payload", "%{agent}: W%{p0}"); - -var part111 = match("MESSAGE#101:rsyslogd/1_0", "nwparser.p0", "ARNING%{p0}"); - -var part112 = match("MESSAGE#101:rsyslogd/1_1", "nwparser.p0", "arning%{p0}"); - -var select26 = linear_select([ - part111, - part112, -]); - -var part113 = match("MESSAGE#101:rsyslogd/2", "nwparser.p0", ": %{event_description}"); - -var all11 = all_match({ - processors: [ - part110, - select26, - part113, - ], - on_success: processor_chain([ - dup4, - dup5, - ]), -}); - -var msg102 = msg("rsyslogd", all11); - -var part114 = match("MESSAGE#102:shutdown", "nwparser.payload", "%{agent}[%{process_id}]: shutting down %{info}", processor_chain([ - dup4, - dup5, - 
setc("event_description","shutting down"), -])); - -var msg103 = msg("shutdown", part114); - -var part115 = match("MESSAGE#103:cmd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> cmd starting %{fld1}", processor_chain([ - dup4, - dup5, - setc("event_description","cmd starting"), -])); - -var msg104 = msg("cmd", part115); - -var chain1 = processor_chain([ - select1, - msgid_select({ - "anacron": select22, - "auditd": msg97, - "authd": select25, - "ccd": select17, - "cli": select12, - "cmd": msg104, - "configd": select14, - "dmd": select19, - "epmd": select23, - "heartbeat": select15, - "logrotate": msg77, - "ntpd": select20, - "pm": select21, - "poller": msg45, - "restorecond": msg98, - "rsyslogd": msg102, - "runner": select16, - "schedulerd": select13, - "shutdown": msg103, - "sshd": select18, - "xinetd": select24, - }), -]); - -var part116 = match("MESSAGE#0:cli/0", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c-%{fld20}.%{severity}> %{username}@%{p0}"); - -var part117 = match_copy("MESSAGE#0:cli/2", "nwparser.p0", "action"); - -var part118 = match("MESSAGE#10:cli:pam", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): pam_putenv: %{fld3}", processor_chain([ - dup4, - dup5, - dup6, -])); diff --git a/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml b/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml deleted file mode 100644 index 5a0a60c8971..00000000000 --- a/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml +++ /dev/null 
@@ -1,64 +0,0 @@ ---- -description: Pipeline for Blue Coat Director - -processors: - # ECS event.ingested - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - # User agent - - user_agent: - field: user_agent.original - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.hosts - value: '{{host.name}}' - allow_duplicates: false - if: ctx.host?.name != null && ctx.host?.name != '' -on_failure: - - append: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/bluecoat/director/manifest.yml b/x-pack/filebeat/module/bluecoat/director/manifest.yml deleted file mode 100644 index 32b44dfa8ee..00000000000 --- a/x-pack/filebeat/module/bluecoat/director/manifest.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -module_version: "1.0" - -var: - - name: paths - - name: tags - default: ["bluecoat.director", "forwarded"] - - name: syslog_host - default: localhost - - name: syslog_port - default: 9527 - - name: input - default: udp - - name: community_id - default: true - - name: tz_offset - default: local - - name: rsa_fields - default: true - - name: keep_raw_fields - default: false - - name: debug - default: false - -ingest_pipeline: ingest/pipeline.yml -input: config/input.yml - -requires.processors: -- name: geoip - plugin: ingest-geoip -- name: user_agent - plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/bluecoat/director/test/generated.log b/x-pack/filebeat/module/bluecoat/director/test/generated.log deleted file mode 100644 index 6bf53ab9040..00000000000 --- a/x-pack/filebeat/module/bluecoat/director/test/generated.log +++ /dev/null 
@@ -1,100 +0,0 @@ -ntpd[1001]: kernel time sync enabled utl -restorecond: : Reset file context quasiarc: liqua -auditd[5699]: Audit daemon rotating log files -anacron[5066]: Normal exit ehend -restorecond: : Reset file context vol: luptat -heartbeat: : < Processing command: accept -restorecond: : Reset file context nci: ofdeFin -auditd[6668]: Audit daemon rotating log files -anacron[1613]: Normal exit mvolu -ntpd[2959]: ntpd gelit-r tatno -anacron[654]: Updated timestamp for job rmagni to sit -dmd: : < Health state for metric"seq3874.mail.domain" "quid" changed to "fug", reason: "success" -auditd[2067]: Audit daemon rotating log files -pm[5969]: < check_license_validity(), tae -logrotate: : ALERT exited abnormally with temUten -sshd: : < error: Bind to port Duisau on psum failed: failure -configd: : < itaut@rveli: command: accept -authd: : < authd_signal_handler(), quam -xinetd[6547]: Started working: onproide available services -logrotate: : ALERT exited abnormally with tfug -heartbeat: : < Processing command: deny -rsyslogd: : Warning: rehe -sshd: : < error: Bind to port erc on amqu failed: unknown -ntpd[4515]: ntpd emp-r aperia -restorecond: : Reset file context run: vol -logrotate: : ALERT exited abnormally with mporain -heartbeat: : < connect: atu -cmd: : < cmd starting adeseru -cli[7108]: <<-uam.low> tmo@::fficiade:10.2.53.125 : CLI launched -pm[7061]: < ntpd will start in tlabo -poller[795]: < Querying content system for job results. 
-runner[6134]: < Processing command: allow -epmd: : epmd: epmd running orpor -runner[602]: < Failed to exec olup -shutdown[2807]: shutting down non -configd: : < sperna@sintocc: command: cancel -auditd[2986]: Audit daemon rotating log files -configd: : < CREATE onsequ -auditd[1243]: Audit daemon rotating log files -xinetd[6599]: Started working: naal available services -xinetd[5850]: Started working: rQu available services -heartbeat: : < queips: undefined symbol: ncidi -authd: : < authd_close(): npr -anacron[6373]: Anacron 1.3962 started on epre -cli[3979]: <<-iduntu.medium> temUt@avol752.www5.test : Processing command accept -cmd: : < cmd starting isiuta -sshd[5227]: dutp(psaquaea:taevita): pam_putenv: ameiusm -ccd: : < Device elitse6672.internal.localdomain: mquisno -runner[1859]: < Failed to exec umSe -shutdown[6110]: shutting down itau -sshd[2415]: PAM lorsita more authentication failure; dolore -rsyslogd: : Warning: tio -cli[802]: <<-gnaaliqu.very-high> velillu@::cteturad:10.18.204.87 : Processing a secure command... 
-heartbeat: : < connect: inimveni -authd: : < authd_close(): psumqu -runner[2558]: < Failed to exec edquiac -anacron[4538]: Updated timestamp for job remips to uisaute -auditd[6837]: Audit daemon rotating log files -pm[1493]: < print_msg(), dic -configd: : < Device "itation4168.api.domain" completed command(s) accept ;; CPL generated by Visual Policy Manager: isciv ;rroqu ; nofd ; dipisci -epmd: : epmd: invalid packet size (mquae) -runner[429]: < File reading failed -shutdown[7595]: shutting down emqu -heartbeat: : < The HB command is accept -authd: : < authd_signal_handler(), isetquas -authd: : < authd_signal_handler(), gnaal -logrotate: : ALERT exited abnormally with voluptas -ntpd[627]: ntpd exiting on signal orin -restorecond: : Reset file context ecillu: mmodoc -cli[1140]: <<-abore.high> modocon@ipsu3680.mail.test : Processing command: deny -sshd: : bad username mquisn -ntpd[1313]: ntpd derit-r orese -ccd: : < Device Communication Daemon online -rsyslogd: : Warning: moles -restorecond: : Reset file context olup: aco -shutdown[609]: shutting down ser -ntpd[2991]: ntpd orinrep-r quiavol -dmd: : < inserted device id = sBonor2001.www5.example and serial number = amc into DB -ccd: : < ccd_handle_read_failure(), uid -cmd: : < cmd starting lmolesti -dmd: : < inserted device id = ersp6625.internal.domain and serial number = seq into DB -cmd: : < cmd starting uipexe -heartbeat: : < The HB command is cancel -anacron[7360]: Normal exit tperspic -dmd: : < Filter on (tetura) things. riosamni -ccd: : < Device eleumiu2454.api.local: tat -schedulerd: : < System time changed, recomputing job run times. 
-xinetd[3450]: Started working: aconsequ available services -authd: : < handle_authd unknown message =utemvel -rsyslogd: : Warning: iusm -ntpd[16]: time reset stquido -ccd: : < Device olu5333.www.domain: orumSe -anacron[80]: Normal exit ici -ntpd[7612]: kernel time sync enabled nturmag -cli[7128]: eseruntm(lpaquiof:oloreeu): pam_putenv: olor -schedulerd: : < Executing Job "tquo" execution iatnu -logrotate: : ALERT exited abnormally with ntut -poller[7151]: < Querying content system for job results. -ntpd[2314]: ntpd litanim-r rQuisaut -heartbeat: : < Processing command: block diff --git a/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json b/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json deleted file mode 100644 index f75fd496865..00000000000 --- a/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json +++ /dev/null 
@@ -1,2295 +0,0 @@ -[ - { - "event.code": "ntpd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "ntpd[1001]: kernel time sync enabled utl", - "fileset.name": "director", - "input.type": "log", - "log.offset": 0, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 1001, - "rsa.internal.event_desc": "kernel time sync enabled", - "rsa.internal.messageid": "ntpd", - "rsa.misc.client": "ntpd", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "restorecond", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "restorecond: : Reset file context quasiarc: liqua", - "file.name": "quasiarc", - "fileset.name": "director", - "input.type": "log", - "log.offset": 41, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.event_desc": "Reset file", - "rsa.internal.messageid": "restorecond", - "rsa.misc.client": "restorecond:", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "auditd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "auditd[5699]: Audit daemon rotating log files", - "fileset.name": "director", - "input.type": "log", - "log.offset": 91, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 5699, - "rsa.internal.event_desc": "Audit daemon rotating log files", - "rsa.internal.messageid": "auditd", - "rsa.misc.client": "auditd", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "anacron", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "anacron[5066]: Normal exit ehend", - "fileset.name": "director", - "input.type": "log", - "log.offset": 
137, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 5066, - "rsa.internal.event_desc": "normal exit", - "rsa.internal.messageid": "anacron", - "rsa.misc.client": "anacron", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "restorecond", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "restorecond: : Reset file context vol: luptat", - "file.name": "vol", - "fileset.name": "director", - "input.type": "log", - "log.offset": 170, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.event_desc": "Reset file", - "rsa.internal.messageid": "restorecond", - "rsa.misc.client": "restorecond:", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.action": "accept", - "event.code": "heartbeat", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "heartbeat: : < Processing command: accept", - "fileset.name": "director", - "input.type": "log", - "log.level": "medium", - "log.offset": 216, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.messageid": "heartbeat", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.client": "heartbeat:", - "rsa.misc.severity": "medium", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "restorecond", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "restorecond: : Reset file context nci: ofdeFin", - "file.name": "nci", - "fileset.name": "director", - "input.type": "log", - "log.offset": 272, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.event_desc": "Reset file", - "rsa.internal.messageid": 
"restorecond", - "rsa.misc.client": "restorecond:", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "auditd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "auditd[6668]: Audit daemon rotating log files", - "fileset.name": "director", - "input.type": "log", - "log.offset": 319, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 6668, - "rsa.internal.event_desc": "Audit daemon rotating log files", - "rsa.internal.messageid": "auditd", - "rsa.misc.client": "auditd", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "anacron", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "anacron[1613]: Normal exit mvolu", - "fileset.name": "director", - "input.type": "log", - "log.offset": 365, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 1613, - "rsa.internal.event_desc": "normal exit", - "rsa.internal.messageid": "anacron", - "rsa.misc.client": "anacron", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "ntpd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "ntpd[2959]: ntpd gelit-r tatno", - "fileset.name": "director", - "input.type": "log", - "log.offset": 398, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 2959, - "rsa.internal.messageid": "ntpd", - "rsa.misc.client": "ntpd", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "anacron", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "anacron[654]: Updated timestamp for job rmagni to sit", - "fileset.name": 
"director", - "input.type": "log", - "log.offset": 429, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 654, - "rsa.db.index": "rmagni", - "rsa.internal.event_desc": "updated timestamp", - "rsa.internal.messageid": "anacron", - "rsa.misc.client": "anacron", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "dmd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "dmd: : < Health state for metric\"seq3874.mail.domain\" \"quid\" changed to \"fug\", reason: \"success\"", - "fileset.name": "director", - "host.name": "seq3874.mail.domain", - "input.type": "log", - "log.level": "very-high", - "log.offset": 483, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "related.hosts": [ - "seq3874.mail.domain" - ], - "rsa.internal.messageid": "dmd", - "rsa.misc.change_new": "fug", - "rsa.misc.change_old": "quid", - "rsa.misc.client": "dmd:", - "rsa.misc.result": "success", - "rsa.misc.severity": "very-high", - "rsa.network.alias_host": [ - "seq3874.mail.domain" - ], - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "auditd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "auditd[2067]: Audit daemon rotating log files", - "fileset.name": "director", - "input.type": "log", - "log.offset": 598, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 2067, - "rsa.internal.event_desc": "Audit daemon rotating log files", - "rsa.internal.messageid": "auditd", - "rsa.misc.client": "auditd", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "pm", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "pm[5969]: < 
check_license_validity(), tae", - "fileset.name": "director", - "input.type": "log", - "log.level": "very-high", - "log.offset": 644, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 5969, - "rsa.internal.event_desc": "check license validity", - "rsa.internal.messageid": "pm", - "rsa.misc.client": "pm", - "rsa.misc.severity": "very-high", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "logrotate", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "logrotate: : ALERT exited abnormally with temUten", - "fileset.name": "director", - "input.type": "log", - "log.offset": 705, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.event_desc": "ALERT exited abnormally", - "rsa.internal.messageid": "logrotate", - "rsa.misc.client": "logrotate:", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "sshd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "sshd: : < error: Bind to port Duisau on psum failed: failure", - "fileset.name": "director", - "input.type": "log", - "log.level": "medium", - "log.offset": 755, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.messageid": "sshd", - "rsa.misc.client": "sshd:", - "rsa.misc.result": "failure", - "rsa.misc.severity": "medium", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.action": "accept", - "event.code": "configd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "configd: : < itaut@rveli: command: accept", - "fileset.name": "director", - "input.type": "log", - "log.level": "medium", - "log.offset": 828, - "observer.product": 
"Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "related.user": [ - "itaut" - ], - "rsa.internal.messageid": "configd", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.client": "configd:", - "rsa.misc.severity": "medium", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ], - "user.name": "itaut" - }, - { - "event.code": "authd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "authd: : < authd_signal_handler(), quam", - "fileset.name": "director", - "input.type": "log", - "log.level": "low", - "log.offset": 882, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.event_desc": "authd signal handler", - "rsa.internal.messageid": "authd", - "rsa.misc.client": "authd:", - "rsa.misc.severity": "low", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "xinetd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "xinetd[6547]: Started working: onproide available services", - "fileset.name": "director", - "input.type": "log", - "log.offset": 934, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 6547, - "rsa.internal.messageid": "xinetd", - "rsa.misc.client": "xinetd", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "logrotate", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "logrotate: : ALERT exited abnormally with tfug", - "fileset.name": "director", - "input.type": "log", - "log.offset": 993, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.event_desc": "ALERT exited abnormally", - "rsa.internal.messageid": "logrotate", - "rsa.misc.client": "logrotate:", - 
"service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.action": "deny", - "event.code": "heartbeat", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "heartbeat: : < Processing command: deny", - "fileset.name": "director", - "input.type": "log", - "log.level": "medium", - "log.offset": 1040, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.messageid": "heartbeat", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.client": "heartbeat:", - "rsa.misc.severity": "medium", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "rsyslogd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "rsyslogd: : Warning: rehe", - "fileset.name": "director", - "input.type": "log", - "log.offset": 1092, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.event_desc": "rehe", - "rsa.internal.messageid": "rsyslogd", - "rsa.misc.client": "rsyslogd:", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "sshd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "sshd: : < error: Bind to port erc on amqu failed: unknown", - "fileset.name": "director", - "input.type": "log", - "log.level": "medium", - "log.offset": 1118, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.messageid": "sshd", - "rsa.misc.client": "sshd:", - "rsa.misc.result": "unknown", - "rsa.misc.severity": "medium", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "ntpd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "ntpd[4515]: ntpd emp-r aperia", - 
"fileset.name": "director", - "input.type": "log", - "log.offset": 1190, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 4515, - "rsa.internal.messageid": "ntpd", - "rsa.misc.client": "ntpd", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "restorecond", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "restorecond: : Reset file context run: vol", - "file.name": "run", - "fileset.name": "director", - "input.type": "log", - "log.offset": 1220, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.event_desc": "Reset file", - "rsa.internal.messageid": "restorecond", - "rsa.misc.client": "restorecond:", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "logrotate", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "logrotate: : ALERT exited abnormally with mporain", - "fileset.name": "director", - "input.type": "log", - "log.offset": 1263, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.event_desc": "ALERT exited abnormally", - "rsa.internal.messageid": "logrotate", - "rsa.misc.client": "logrotate:", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "heartbeat", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "heartbeat: : < connect: atu", - "fileset.name": "director", - "input.type": "log", - "log.level": "very-high", - "log.offset": 1313, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.event_desc": "No such file or directory", - "rsa.internal.messageid": "heartbeat", - "rsa.misc.client": 
"heartbeat:", - "rsa.misc.severity": "very-high", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "cmd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "cmd: : < cmd starting adeseru", - "fileset.name": "director", - "input.type": "log", - "log.level": "medium", - "log.offset": 1358, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.event_desc": "cmd starting", - "rsa.internal.messageid": "cmd", - "rsa.misc.client": "cmd:", - "rsa.misc.severity": "medium", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "cli", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "cli[7108]: <<-uam.low> tmo@::fficiade:10.2.53.125 : CLI launched", - "fileset.name": "director", - "input.type": "log", - "log.level": "low", - "log.offset": 1401, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 7108, - "related.ip": [ - "10.2.53.125" - ], - "related.user": [ - "tmo" - ], - "rsa.internal.event_desc": "CLI launched", - "rsa.internal.messageid": "cli", - "rsa.misc.client": "cli", - "rsa.misc.severity": "low", - "service.type": "bluecoat", - "source.ip": "10.2.53.125", - "tags": [ - "bluecoat.director", - "forwarded" - ], - "user.name": "tmo" - }, - { - "event.code": "pm", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "pm[7061]: < ntpd will start in tlabo", - "fileset.name": "director", - "input.type": "log", - "log.level": "very-high", - "log.offset": 1466, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 7061, - "rsa.internal.event_desc": "ntpd will start in few secs", - "rsa.internal.messageid": "pm", - "rsa.misc.client": "pm", - 
"rsa.misc.severity": "very-high", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "poller", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "poller[795]: < Querying content system for job results.", - "fileset.name": "director", - "input.type": "log", - "log.level": "low", - "log.offset": 1521, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 795, - "rsa.internal.event_desc": "Querying content system for job results", - "rsa.internal.messageid": "poller", - "rsa.misc.client": "poller", - "rsa.misc.severity": "low", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.action": "allow", - "event.code": "runner", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "runner[6134]: < Processing command: allow", - "fileset.name": "director", - "input.type": "log", - "log.level": "very-high", - "log.offset": 1591, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 6134, - "rsa.internal.messageid": "runner", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.client": "runner", - "rsa.misc.severity": "very-high", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "epmd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "epmd: : epmd: epmd running orpor", - "fileset.name": "director", - "input.type": "log", - "log.offset": 1648, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.db.index": "orpor", - "rsa.internal.messageid": "epmd", - "rsa.misc.client": "epmd:", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "runner", - "event.dataset": 
"bluecoat.director", - "event.module": "bluecoat", - "event.original": "runner[602]: < Failed to exec olup", - "file.name": "olup", - "fileset.name": "director", - "input.type": "log", - "log.level": "very-high", - "log.offset": 1681, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 602, - "rsa.internal.messageid": "runner", - "rsa.misc.client": "runner", - "rsa.misc.severity": "very-high", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "shutdown", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "shutdown[2807]: shutting down non", - "fileset.name": "director", - "input.type": "log", - "log.offset": 1733, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 2807, - "rsa.db.index": "non", - "rsa.internal.event_desc": "shutting down", - "rsa.internal.messageid": "shutdown", - "rsa.misc.client": "shutdown", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.action": "cancel", - "event.code": "configd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "configd: : < sperna@sintocc: command: cancel", - "fileset.name": "director", - "input.type": "log", - "log.level": "high", - "log.offset": 1767, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "related.user": [ - "sperna" - ], - "rsa.internal.messageid": "configd", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.client": "configd:", - "rsa.misc.severity": "high", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ], - "user.name": "sperna" - }, - { - "event.code": "auditd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "auditd[2986]: Audit daemon rotating log 
files", - "fileset.name": "director", - "input.type": "log", - "log.offset": 1826, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 2986, - "rsa.internal.event_desc": "Audit daemon rotating log files", - "rsa.internal.messageid": "auditd", - "rsa.misc.client": "auditd", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "configd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "configd: : < CREATE onsequ", - "fileset.name": "director", - "input.type": "log", - "log.level": "medium", - "log.offset": 1872, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.db.index": "onsequ", - "rsa.internal.event_desc": "Table creation", - "rsa.internal.messageid": "configd", - "rsa.misc.client": "configd:", - "rsa.misc.severity": "medium", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "auditd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "auditd[1243]: Audit daemon rotating log files", - "fileset.name": "director", - "input.type": "log", - "log.offset": 1915, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 1243, - "rsa.internal.event_desc": "Audit daemon rotating log files", - "rsa.internal.messageid": "auditd", - "rsa.misc.client": "auditd", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "xinetd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "xinetd[6599]: Started working: naal available services", - "fileset.name": "director", - "input.type": "log", - "log.offset": 1961, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", 
- "process.pid": 6599, - "rsa.internal.messageid": "xinetd", - "rsa.misc.client": "xinetd", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "xinetd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "xinetd[5850]: Started working: rQu available services", - "fileset.name": "director", - "input.type": "log", - "log.offset": 2016, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 5850, - "rsa.internal.messageid": "xinetd", - "rsa.misc.client": "xinetd", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "heartbeat", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "heartbeat: : < queips: undefined symbol: ncidi", - "file.name": "queips", - "fileset.name": "director", - "input.type": "log", - "log.level": "low", - "log.offset": 2070, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.db.index": "ncidi", - "rsa.internal.event_desc": "undefined symbol", - "rsa.internal.messageid": "heartbeat", - "rsa.misc.client": "heartbeat:", - "rsa.misc.severity": "low", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "authd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "authd: : < authd_close(): npr", - "fileset.name": "director", - "input.type": "log", - "log.level": "very-high", - "log.offset": 2128, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.db.index": "npr", - "rsa.internal.event_desc": "authd close", - "rsa.internal.messageid": "authd", - "rsa.misc.client": "authd:", - "rsa.misc.severity": "very-high", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - 
}, - { - "event.code": "anacron", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "anacron[6373]: Anacron 1.3962 started on epre", - "fileset.name": "director", - "input.type": "log", - "log.offset": 2174, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "observer.version": "1.3962", - "process.pid": 6373, - "rsa.internal.event_desc": "anacron started", - "rsa.internal.messageid": "anacron", - "rsa.misc.client": "anacron", - "rsa.misc.version": "1.3962", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.action": "accept", - "event.code": "cli", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "cli[3979]: <<-iduntu.medium> temUt@avol752.www5.test : Processing command accept", - "fileset.name": "director", - "input.type": "log", - "log.level": "medium", - "log.offset": 2220, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 3979, - "related.hosts": [ - "avol752.www5.test" - ], - "related.user": [ - "temUt" - ], - "rsa.internal.messageid": "cli", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.client": "cli", - "rsa.misc.severity": "medium", - "rsa.network.domain": "avol752.www5.test", - "server.domain": "avol752.www5.test", - "server.registered_domain": "www5.test", - "server.subdomain": "avol752", - "server.top_level_domain": "test", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ], - "user.name": "temUt" - }, - { - "event.code": "cmd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "cmd: : < cmd starting isiuta", - "fileset.name": "director", - "input.type": "log", - "log.level": "medium", - "log.offset": 2301, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - 
"rsa.internal.event_desc": "cmd starting", - "rsa.internal.messageid": "cmd", - "rsa.misc.client": "cmd:", - "rsa.misc.severity": "medium", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "sshd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "sshd[5227]: dutp(psaquaea:taevita): pam_putenv: ameiusm", - "fileset.name": "director", - "input.type": "log", - "log.offset": 2342, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 5227, - "rsa.internal.event_desc": "bad variable", - "rsa.internal.messageid": "sshd", - "rsa.misc.client": "sshd", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "ccd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "ccd: : < Device elitse6672.internal.localdomain: mquisno", - "fileset.name": "director", - "host.name": "elitse6672.internal.localdomain", - "input.type": "log", - "log.level": "low", - "log.offset": 2398, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "related.hosts": [ - "elitse6672.internal.localdomain" - ], - "rsa.db.index": "mquisno", - "rsa.internal.event_desc": "info on device connection", - "rsa.internal.messageid": "ccd", - "rsa.misc.client": "ccd:", - "rsa.misc.severity": "low", - "rsa.network.alias_host": [ - "elitse6672.internal.localdomain" - ], - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "runner", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "runner[1859]: < Failed to exec umSe", - "file.name": "umSe", - "fileset.name": "director", - "input.type": "log", - "log.level": "high", - "log.offset": 2465, - "observer.product": "Director", - "observer.type": "Configuration", - 
"observer.vendor": "Bluecoat", - "process.pid": 1859, - "rsa.internal.messageid": "runner", - "rsa.misc.client": "runner", - "rsa.misc.severity": "high", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "shutdown", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "shutdown[6110]: shutting down itau", - "fileset.name": "director", - "input.type": "log", - "log.offset": 2516, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 6110, - "rsa.db.index": "itau", - "rsa.internal.event_desc": "shutting down", - "rsa.internal.messageid": "shutdown", - "rsa.misc.client": "shutdown", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "sshd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "sshd[2415]: PAM lorsita more authentication failure; dolore", - "fileset.name": "director", - "input.type": "log", - "log.offset": 2551, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 2415, - "rsa.db.index": "dolore", - "rsa.internal.event_desc": "authentication failure", - "rsa.internal.messageid": "sshd", - "rsa.misc.client": "sshd", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "rsyslogd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "rsyslogd: : Warning: tio", - "fileset.name": "director", - "input.type": "log", - "log.offset": 2611, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.event_desc": "tio", - "rsa.internal.messageid": "rsyslogd", - "rsa.misc.client": "rsyslogd:", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": 
"cli", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "cli[802]: <<-gnaaliqu.very-high> velillu@::cteturad:10.18.204.87 : Processing a secure command...", - "fileset.name": "director", - "input.type": "log", - "log.level": "very-high", - "log.offset": 2636, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 802, - "related.ip": [ - "10.18.204.87" - ], - "related.user": [ - "velillu" - ], - "rsa.internal.event_desc": "Processing a secure command", - "rsa.internal.messageid": "cli", - "rsa.misc.client": "cli", - "rsa.misc.severity": "very-high", - "service.type": "bluecoat", - "source.ip": "10.18.204.87", - "tags": [ - "bluecoat.director", - "forwarded" - ], - "user.name": "velillu" - }, - { - "event.code": "heartbeat", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "heartbeat: : < connect: inimveni", - "fileset.name": "director", - "input.type": "log", - "log.level": "high", - "log.offset": 2734, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.event_desc": "No such file or directory", - "rsa.internal.messageid": "heartbeat", - "rsa.misc.client": "heartbeat:", - "rsa.misc.severity": "high", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "authd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "authd: : < authd_close(): psumqu", - "fileset.name": "director", - "input.type": "log", - "log.level": "low", - "log.offset": 2781, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.db.index": "psumqu", - "rsa.internal.event_desc": "authd close", - "rsa.internal.messageid": "authd", - "rsa.misc.client": "authd:", - "rsa.misc.severity": "low", - "service.type": "bluecoat", - "tags": [ - 
"bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "runner", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "runner[2558]: < Failed to exec edquiac", - "file.name": "edquiac", - "fileset.name": "director", - "input.type": "log", - "log.level": "high", - "log.offset": 2826, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 2558, - "rsa.internal.messageid": "runner", - "rsa.misc.client": "runner", - "rsa.misc.severity": "high", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "anacron", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "anacron[4538]: Updated timestamp for job remips to uisaute", - "fileset.name": "director", - "input.type": "log", - "log.offset": 2877, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 4538, - "rsa.db.index": "remips", - "rsa.internal.event_desc": "updated timestamp", - "rsa.internal.messageid": "anacron", - "rsa.misc.client": "anacron", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "auditd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "auditd[6837]: Audit daemon rotating log files", - "fileset.name": "director", - "input.type": "log", - "log.offset": 2936, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 6837, - "rsa.internal.event_desc": "Audit daemon rotating log files", - "rsa.internal.messageid": "auditd", - "rsa.misc.client": "auditd", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "pm", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "pm[1493]: < print_msg(), 
dic", - "fileset.name": "director", - "input.type": "log", - "log.level": "high", - "log.offset": 2982, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 1493, - "rsa.db.index": "dic", - "rsa.internal.event_desc": "print message", - "rsa.internal.messageid": "pm", - "rsa.misc.client": "pm", - "rsa.misc.severity": "high", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.action": "accept", - "event.code": "configd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "configd: : < Device \"itation4168.api.domain\" completed command(s) accept ;; CPL generated by Visual Policy Manager: isciv ;rroqu ; nofd ; dipisci", - "fileset.name": "director", - "host.name": "itation4168.api.domain", - "input.type": "log", - "log.level": "low", - "log.offset": 3025, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "related.hosts": [ - "itation4168.api.domain" - ], - "rsa.db.index": "dipisci", - "rsa.internal.event_desc": "This file is automatically generated", - "rsa.internal.messageid": "configd", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.client": "configd:", - "rsa.misc.severity": "low", - "rsa.network.alias_host": [ - "itation4168.api.domain" - ], - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "epmd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "epmd: : epmd: invalid packet size (mquae)", - "fileset.name": "director", - "input.type": "log", - "log.offset": 3184, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.event_desc": "invalid packet size", - "rsa.internal.messageid": "epmd", - "rsa.misc.client": "epmd:", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - 
"forwarded" - ] - }, - { - "event.code": "runner", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "runner[429]: < File reading failed", - "fileset.name": "director", - "input.type": "log", - "log.level": "very-high", - "log.offset": 3226, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 429, - "rsa.internal.event_desc": "File reading failed", - "rsa.internal.messageid": "runner", - "rsa.misc.client": "runner", - "rsa.misc.severity": "very-high", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "shutdown", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "shutdown[7595]: shutting down emqu", - "fileset.name": "director", - "input.type": "log", - "log.offset": 3280, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 7595, - "rsa.db.index": "emqu", - "rsa.internal.event_desc": "shutting down", - "rsa.internal.messageid": "shutdown", - "rsa.misc.client": "shutdown", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.action": "accept", - "event.code": "heartbeat", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "heartbeat: : < The HB command is accept", - "fileset.name": "director", - "input.type": "log", - "log.level": "low", - "log.offset": 3315, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.messageid": "heartbeat", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.client": "heartbeat:", - "rsa.misc.severity": "low", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "authd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "authd: 
: < authd_signal_handler(), isetquas", - "fileset.name": "director", - "input.type": "log", - "log.level": "very-high", - "log.offset": 3368, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.event_desc": "authd signal handler", - "rsa.internal.messageid": "authd", - "rsa.misc.client": "authd:", - "rsa.misc.severity": "very-high", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "authd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "authd: : < authd_signal_handler(), gnaal", - "fileset.name": "director", - "input.type": "log", - "log.level": "medium", - "log.offset": 3427, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.event_desc": "authd signal handler", - "rsa.internal.messageid": "authd", - "rsa.misc.client": "authd:", - "rsa.misc.severity": "medium", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "logrotate", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "logrotate: : ALERT exited abnormally with voluptas", - "fileset.name": "director", - "input.type": "log", - "log.offset": 3483, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.event_desc": "ALERT exited abnormally", - "rsa.internal.messageid": "logrotate", - "rsa.misc.client": "logrotate:", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "ntpd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "ntpd[627]: ntpd exiting on signal orin", - "fileset.name": "director", - "input.type": "log", - "log.offset": 3534, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": 
"Bluecoat", - "process.pid": 627, - "rsa.internal.event_desc": "ntpd exiting on signal", - "rsa.internal.messageid": "ntpd", - "rsa.misc.client": "ntpd", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "restorecond", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "restorecond: : Reset file context ecillu: mmodoc", - "file.name": "ecillu", - "fileset.name": "director", - "input.type": "log", - "log.offset": 3573, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.event_desc": "Reset file", - "rsa.internal.messageid": "restorecond", - "rsa.misc.client": "restorecond:", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.action": "deny", - "event.code": "cli", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "cli[1140]: <<-abore.high> modocon@ipsu3680.mail.test : Processing command: deny", - "fileset.name": "director", - "input.type": "log", - "log.level": "high", - "log.offset": 3622, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 1140, - "related.hosts": [ - "ipsu3680.mail.test" - ], - "related.user": [ - "modocon" - ], - "rsa.internal.messageid": "cli", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.client": "cli", - "rsa.misc.severity": "high", - "rsa.network.domain": "ipsu3680.mail.test", - "server.domain": "ipsu3680.mail.test", - "server.registered_domain": "mail.test", - "server.subdomain": "ipsu3680", - "server.top_level_domain": "test", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ], - "user.name": "modocon" - }, - { - "event.code": "sshd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "sshd: : bad username mquisn", - "fileset.name": "director", - 
"input.type": "log", - "log.offset": 3702, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.event_desc": "bad username", - "rsa.internal.messageid": "sshd", - "rsa.misc.client": "sshd:", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "ntpd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "ntpd[1313]: ntpd derit-r orese", - "fileset.name": "director", - "input.type": "log", - "log.offset": 3730, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 1313, - "rsa.internal.messageid": "ntpd", - "rsa.misc.client": "ntpd", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "ccd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "ccd: : < Device Communication Daemon online", - "fileset.name": "director", - "input.type": "log", - "log.level": "medium", - "log.offset": 3761, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.event_desc": "device communication daemon online", - "rsa.internal.messageid": "ccd", - "rsa.misc.client": "ccd:", - "rsa.misc.severity": "medium", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "rsyslogd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "rsyslogd: : Warning: moles", - "fileset.name": "director", - "input.type": "log", - "log.offset": 3821, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.event_desc": "moles", - "rsa.internal.messageid": "rsyslogd", - "rsa.misc.client": "rsyslogd:", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, 
- { - "event.code": "restorecond", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "restorecond: : Reset file context olup: aco", - "file.name": "olup", - "fileset.name": "director", - "input.type": "log", - "log.offset": 3848, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.event_desc": "Reset file", - "rsa.internal.messageid": "restorecond", - "rsa.misc.client": "restorecond:", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "shutdown", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "shutdown[609]: shutting down ser", - "fileset.name": "director", - "input.type": "log", - "log.offset": 3892, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 609, - "rsa.db.index": "ser", - "rsa.internal.event_desc": "shutting down", - "rsa.internal.messageid": "shutdown", - "rsa.misc.client": "shutdown", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "ntpd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "ntpd[2991]: ntpd orinrep-r quiavol", - "fileset.name": "director", - "input.type": "log", - "log.offset": 3925, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 2991, - "rsa.internal.messageid": "ntpd", - "rsa.misc.client": "ntpd", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "dmd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "dmd: : < inserted device id = sBonor2001.www5.example and serial number = amc into DB", - "fileset.name": "director", - "host.name": "sBonor2001.www5.example", - "input.type": "log", - "log.level": 
"medium", - "log.offset": 3960, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "related.hosts": [ - "sBonor2001.www5.example" - ], - "rsa.internal.messageid": "dmd", - "rsa.misc.client": "dmd:", - "rsa.misc.severity": "medium", - "rsa.network.alias_host": [ - "sBonor2001.www5.example" - ], - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "ccd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "ccd: : < ccd_handle_read_failure(), uid", - "fileset.name": "director", - "input.type": "log", - "log.level": "very-high", - "log.offset": 4059, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.db.index": "uid", - "rsa.internal.event_desc": "ccd handle read failure", - "rsa.internal.messageid": "ccd", - "rsa.misc.client": "ccd:", - "rsa.misc.severity": "very-high", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "cmd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "cmd: : < cmd starting lmolesti", - "fileset.name": "director", - "input.type": "log", - "log.level": "high", - "log.offset": 4114, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.event_desc": "cmd starting", - "rsa.internal.messageid": "cmd", - "rsa.misc.client": "cmd:", - "rsa.misc.severity": "high", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "dmd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "dmd: : < inserted device id = ersp6625.internal.domain and serial number = seq into DB", - "fileset.name": "director", - "host.name": "ersp6625.internal.domain", - "input.type": "log", - "log.level": "high", - "log.offset": 4158, 
- "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "related.hosts": [ - "ersp6625.internal.domain" - ], - "rsa.internal.messageid": "dmd", - "rsa.misc.client": "dmd:", - "rsa.misc.severity": "high", - "rsa.network.alias_host": [ - "ersp6625.internal.domain" - ], - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "cmd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "cmd: : < cmd starting uipexe", - "fileset.name": "director", - "input.type": "log", - "log.level": "medium", - "log.offset": 4260, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.event_desc": "cmd starting", - "rsa.internal.messageid": "cmd", - "rsa.misc.client": "cmd:", - "rsa.misc.severity": "medium", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.action": "cancel", - "event.code": "heartbeat", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "heartbeat: : < The HB command is cancel", - "fileset.name": "director", - "input.type": "log", - "log.level": "low", - "log.offset": 4305, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.messageid": "heartbeat", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.client": "heartbeat:", - "rsa.misc.severity": "low", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "anacron", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "anacron[7360]: Normal exit tperspic", - "fileset.name": "director", - "input.type": "log", - "log.offset": 4354, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 7360, - 
"rsa.internal.event_desc": "normal exit", - "rsa.internal.messageid": "anacron", - "rsa.misc.client": "anacron", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "dmd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "dmd: : < Filter on (tetura) things. riosamni", - "fileset.name": "director", - "input.type": "log", - "log.level": "very-high", - "log.offset": 4390, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.event_desc": "riosamni", - "rsa.internal.messageid": "dmd", - "rsa.misc.client": "dmd:", - "rsa.misc.severity": "very-high", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "ccd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "ccd: : < Device eleumiu2454.api.local: tat", - "fileset.name": "director", - "host.name": "eleumiu2454.api.local", - "input.type": "log", - "log.level": "low", - "log.offset": 4450, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "related.hosts": [ - "eleumiu2454.api.local" - ], - "rsa.db.index": "tat", - "rsa.internal.event_desc": "info on device connection", - "rsa.internal.messageid": "ccd", - "rsa.misc.client": "ccd:", - "rsa.misc.severity": "low", - "rsa.network.alias_host": [ - "eleumiu2454.api.local" - ], - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "schedulerd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "schedulerd: : < System time changed, recomputing job run times.", - "fileset.name": "director", - "input.type": "log", - "log.level": "very-high", - "log.offset": 4505, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - 
"rsa.internal.event_desc": "System time changed, recomputing job run times", - "rsa.internal.messageid": "schedulerd", - "rsa.misc.client": "schedulerd:", - "rsa.misc.severity": "very-high", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "xinetd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "xinetd[3450]: Started working: aconsequ available services", - "fileset.name": "director", - "input.type": "log", - "log.offset": 4586, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 3450, - "rsa.internal.messageid": "xinetd", - "rsa.misc.client": "xinetd", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "authd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "authd: : < handle_authd unknown message =utemvel", - "fileset.name": "director", - "input.type": "log", - "log.level": "high", - "log.offset": 4645, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.event_desc": "handle authd unknown message", - "rsa.internal.messageid": "authd", - "rsa.misc.client": "authd:", - "rsa.misc.severity": "high", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "rsyslogd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "rsyslogd: : Warning: iusm", - "fileset.name": "director", - "input.type": "log", - "log.offset": 4707, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.event_desc": "iusm", - "rsa.internal.messageid": "rsyslogd", - "rsa.misc.client": "rsyslogd:", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "ntpd", - 
"event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "ntpd[16]: time reset stquido", - "fileset.name": "director", - "input.type": "log", - "log.offset": 4733, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 16, - "rsa.internal.event_desc": "time reset", - "rsa.internal.messageid": "ntpd", - "rsa.misc.client": "ntpd", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "ccd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "ccd: : < Device olu5333.www.domain: orumSe", - "fileset.name": "director", - "host.name": "olu5333.www.domain", - "input.type": "log", - "log.level": "high", - "log.offset": 4762, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "related.hosts": [ - "olu5333.www.domain" - ], - "rsa.db.index": "orumSe", - "rsa.internal.event_desc": "info on device connection", - "rsa.internal.messageid": "ccd", - "rsa.misc.client": "ccd:", - "rsa.misc.severity": "high", - "rsa.network.alias_host": [ - "olu5333.www.domain" - ], - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "anacron", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "anacron[80]: Normal exit ici", - "fileset.name": "director", - "input.type": "log", - "log.offset": 4817, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 80, - "rsa.internal.event_desc": "normal exit", - "rsa.internal.messageid": "anacron", - "rsa.misc.client": "anacron", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "ntpd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "ntpd[7612]: kernel time sync 
enabled nturmag", - "fileset.name": "director", - "input.type": "log", - "log.offset": 4846, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 7612, - "rsa.internal.event_desc": "kernel time sync enabled", - "rsa.internal.messageid": "ntpd", - "rsa.misc.client": "ntpd", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "cli", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "cli[7128]: eseruntm(lpaquiof:oloreeu): pam_putenv: olor", - "fileset.name": "director", - "input.type": "log", - "log.offset": 4891, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 7128, - "rsa.internal.event_desc": "bad variable", - "rsa.internal.messageid": "cli", - "rsa.misc.client": "cli", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "schedulerd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "schedulerd: : < Executing Job \"tquo\" execution iatnu", - "fileset.name": "director", - "input.type": "log", - "log.level": "very-high", - "log.offset": 4947, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.messageid": "schedulerd", - "rsa.misc.client": "schedulerd:", - "rsa.misc.operation_id": "tquo", - "rsa.misc.severity": "very-high", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "logrotate", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "logrotate: : ALERT exited abnormally with ntut", - "fileset.name": "director", - "input.type": "log", - "log.offset": 5015, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - 
"rsa.internal.event_desc": "ALERT exited abnormally", - "rsa.internal.messageid": "logrotate", - "rsa.misc.client": "logrotate:", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "poller", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "poller[7151]: < Querying content system for job results.", - "fileset.name": "director", - "input.type": "log", - "log.level": "high", - "log.offset": 5062, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 7151, - "rsa.internal.event_desc": "Querying content system for job results", - "rsa.internal.messageid": "poller", - "rsa.misc.client": "poller", - "rsa.misc.severity": "high", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "ntpd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "ntpd[2314]: ntpd litanim-r rQuisaut", - "fileset.name": "director", - "input.type": "log", - "log.offset": 5129, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 2314, - "rsa.internal.messageid": "ntpd", - "rsa.misc.client": "ntpd", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.action": "block", - "event.code": "heartbeat", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "heartbeat: : < Processing command: block", - "fileset.name": "director", - "input.type": "log", - "log.level": "high", - "log.offset": 5165, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.messageid": "heartbeat", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.client": "heartbeat:", - "rsa.misc.severity": "high", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - 
"forwarded"
- ]
- }
-]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/bluecoat/fields.go b/x-pack/filebeat/module/bluecoat/fields.go
deleted file mode 100644
index 50bda15b60d..00000000000
--- a/x-pack/filebeat/module/bluecoat/fields.go
+++ /dev/null
@@ -1,23 +0,0 @@
-// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-// or more contributor license agreements. Licensed under the Elastic License;
-// you may not use this file except in compliance with the Elastic License.
-
-// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT.
-
-package bluecoat
-
-import (
- "github.com/elastic/beats/v7/libbeat/asset"
- )
-
-func init() {
- if err := asset.SetFields("filebeat", "bluecoat", asset.ModuleFieldsPri, AssetBluecoat); err != nil {
- panic(err)
- }
-}
-
-// AssetBluecoat returns asset data.
-// This is the base64 encoded zlib format compressed contents of module/bluecoat.
-func AssetBluecoat() string {
- return "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"
-}
diff --git a/x-pack/filebeat/modules.d/bluecoat.yml.disabled b/x-pack/filebeat/modules.d/bluecoat.yml.disabled
deleted file mode 100644
index 28badfd0def..00000000000
--- a/x-pack/filebeat/modules.d/bluecoat.yml.disabled
+++ /dev/null
@@ -1,22 +0,0 @@
-# Module: bluecoat
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/main/filebeat-module-bluecoat.html
-
-- module: bluecoat
- director:
- enabled: false
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9505
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
From f67bb62dfb2f56550093b144b95885d96c4df371 Mon Sep 17 00:00:00 2001
From: Panos Koutsovasilis
Date: Thu, 15 Feb 2024 13:34:23 +0200
Subject: [PATCH 04/22] feat: remove deprecated cisco meraki and nexus
---
filebeat/docs/fields.asciidoc | 5427 -----------------
filebeat/docs/modules/cisco.asciidoc | 96 -
x-pack/filebeat/filebeat.reference.yml | 38 -
x-pack/filebeat/module/cisco/_meta/config.yml | 38 -
.../filebeat/module/cisco/_meta/docs.asciidoc | 96 -
x-pack/filebeat/module/cisco/fields.go | 2 +-
.../module/cisco/meraki/_meta/fields.yml | 2635 --------
.../module/cisco/meraki/config/input.yml | 87 -
.../cisco/meraki/config/liblogparser.js | 2514 --------
.../module/cisco/meraki/config/pipeline.js | 662 --
.../module/cisco/meraki/ingest/pipeline.yml | 83 -
.../filebeat/module/cisco/meraki/manifest.yml | 31 -
.../module/cisco/meraki/test/generated.log | 100 -
.../meraki/test/generated.log-expected.json | 3357 ----------
.../module/cisco/nexus/_meta/fields.yml | 2635 --------
.../module/cisco/nexus/config/input.yml | 87 -
.../module/cisco/nexus/config/liblogparser.js | 2514 --------
.../module/cisco/nexus/config/pipeline.js | 4585 --------------
.../module/cisco/nexus/ingest/pipeline.yml | 64 -
.../filebeat/module/cisco/nexus/manifest.yml | 31 -
.../module/cisco/nexus/test/nexus.log | 15 -
.../cisco/nexus/test/nexus.log-expected.json | 482 --
x-pack/filebeat/modules.d/cisco.yml.disabled | 38 -
23 files changed, 1 insertion(+), 25616 deletions(-)
delete mode 100644 x-pack/filebeat/module/cisco/meraki/_meta/fields.yml
delete mode 100644 x-pack/filebeat/module/cisco/meraki/config/input.yml
delete mode 100644 x-pack/filebeat/module/cisco/meraki/config/liblogparser.js
delete mode 100644 x-pack/filebeat/module/cisco/meraki/config/pipeline.js
delete mode 100644 x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml
delete mode 100644 x-pack/filebeat/module/cisco/meraki/manifest.yml
delete mode 100644 x-pack/filebeat/module/cisco/meraki/test/generated.log
delete mode 100644 x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json
delete mode 100644 x-pack/filebeat/module/cisco/nexus/_meta/fields.yml
delete mode 100644 x-pack/filebeat/module/cisco/nexus/config/input.yml
delete mode 100644 x-pack/filebeat/module/cisco/nexus/config/liblogparser.js
delete mode 100644 x-pack/filebeat/module/cisco/nexus/config/pipeline.js
delete mode 100644 x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml
delete mode 100644 x-pack/filebeat/module/cisco/nexus/manifest.yml
delete mode 100644 x-pack/filebeat/module/cisco/nexus/test/nexus.log
delete mode 100644 x-pack/filebeat/module/cisco/nexus/test/nexus.log-expected.json
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index 48fd4dd431e..1e5baf46ad0 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -11238,5433 +11238,6 @@ example: SEC
 --
-*`network.interface.name`*::
-+
---
-Name of the network interface where the traffic has been observed.
-
-
-type: keyword
-
---
-
-
-
-*`rsa.internal.msg`*::
-+
---
-This key is used to capture the raw message that comes into the Log Decoder
-
-type: keyword
-
---
-
-*`rsa.internal.messageid`*::
-+
---
-type: keyword
-
---
-
-*`rsa.internal.event_desc`*::
-+
---
-type: keyword
-
---
-
-*`rsa.internal.message`*::
-+
---
-This key captures the contents of instant messages
-
-type: keyword
-
---
-
-*`rsa.internal.time`*::
-+
---
-This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.
-
-type: date
-
---
-
-*`rsa.internal.level`*::
-+
---
-Deprecated key defined only in table map.
-
-type: long
-
---
-
-*`rsa.internal.msg_id`*::
-+
---
-This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: keyword
-
---
-
-*`rsa.internal.msg_vid`*::
-+
---
-This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: keyword
-
---
-
-*`rsa.internal.data`*::
-+
---
-Deprecated key defined only in table map.
-
-type: keyword
-
---
-
-*`rsa.internal.obj_server`*::
-+
---
-Deprecated key defined only in table map.
-
-type: keyword
-
---
-
-*`rsa.internal.obj_val`*::
-+
---
-Deprecated key defined only in table map.
-
-type: keyword
-
---
-
-*`rsa.internal.resource`*::
-+
---
-Deprecated key defined only in table map.
-
-type: keyword
-
---
-
-*`rsa.internal.obj_id`*::
-+
---
-Deprecated key defined only in table map.
-
-type: keyword
-
---
-
-*`rsa.internal.statement`*::
-+
---
-Deprecated key defined only in table map.
-
-type: keyword
-
---
-
-*`rsa.internal.audit_class`*::
-+
---
-Deprecated key defined only in table map.
-
-type: keyword
-
---
-
-*`rsa.internal.entry`*::
-+
---
-Deprecated key defined only in table map.
-
-type: keyword
-
---
-
-*`rsa.internal.hcode`*::
-+
---
-Deprecated key defined only in table map.
-
-type: keyword
-
---
-
-*`rsa.internal.inode`*::
-+
---
-Deprecated key defined only in table map.
-
-type: long
-
---
-
-*`rsa.internal.resource_class`*::
-+
---
-Deprecated key defined only in table map.
-
-type: keyword
-
---
-
-*`rsa.internal.dead`*::
-+
---
-Deprecated key defined only in table map.
-
-type: long
-
---
-
-*`rsa.internal.feed_desc`*::
-+
---
-This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: keyword
-
---
-
-*`rsa.internal.feed_name`*::
-+
---
-This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: keyword
-
---
-
-*`rsa.internal.cid`*::
-+
---
-This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: keyword
-
---
-
-*`rsa.internal.device_class`*::
-+
---
-This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: keyword
-
---
-
-*`rsa.internal.device_group`*::
-+
---
-This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: keyword
-
---
-
-*`rsa.internal.device_host`*::
-+
---
-This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: keyword
-
---
-
-*`rsa.internal.device_ip`*::
-+
---
-This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: ip
-
---
-
-*`rsa.internal.device_ipv6`*::
-+
---
-This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: ip
-
---
-
-*`rsa.internal.device_type`*::
-+
---
-This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: keyword
-
---
-
-*`rsa.internal.device_type_id`*::
-+
---
-Deprecated key defined only in table map.
-
-type: long
-
---
-
-*`rsa.internal.did`*::
-+
---
-This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: keyword
-
---
-
-*`rsa.internal.entropy_req`*::
-+
---
-This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
-
-type: long
-
---
-
-*`rsa.internal.entropy_res`*::
-+
---
-This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
-
-type: long
-
---
-
-*`rsa.internal.event_name`*::
-+
---
-Deprecated key defined only in table map.
-
-type: keyword
-
---
-
-*`rsa.internal.feed_category`*::
-+
---
-This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: keyword
-
---
-
-*`rsa.internal.forward_ip`*::
-+
---
-This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.
-
-type: ip
-
---
-
-*`rsa.internal.forward_ipv6`*::
-+
---
-This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: ip
-
---
-
-*`rsa.internal.header_id`*::
-+
---
-This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: keyword
-
---
-
-*`rsa.internal.lc_cid`*::
-+
---
-This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: keyword
-
---
-
-*`rsa.internal.lc_ctime`*::
-+
---
-This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: date
-
---
-
-*`rsa.internal.mcb_req`*::
-+
---
-This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most
-
-type: long
-
---
-
-*`rsa.internal.mcb_res`*::
-+
---
-This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most
-
-type: long
-
---
-
-*`rsa.internal.mcbc_req`*::
-+
---
-This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
-
-type: long
-
---
-
-*`rsa.internal.mcbc_res`*::
-+
---
-This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
-
-type: long
-
---
-
-*`rsa.internal.medium`*::
-+
---
-This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session
-
-type: long
-
---
-
-*`rsa.internal.node_name`*::
-+
---
-Deprecated key defined only in table map.
-
-type: keyword
-
---
-
-*`rsa.internal.nwe_callback_id`*::
-+
---
-This key denotes that event is endpoint related
-
-type: keyword
-
---
-
-*`rsa.internal.parse_error`*::
-+
---
-This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: keyword
-
---
-
-*`rsa.internal.payload_req`*::
-+
---
-This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
-
-type: long
-
---
-
-*`rsa.internal.payload_res`*::
-+
---
-This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
-
-type: long
-
---
-
-*`rsa.internal.process_vid_dst`*::
-+
---
-Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.
-
-type: keyword
-
---
-
-*`rsa.internal.process_vid_src`*::
-+
---
-Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.
-
-type: keyword
-
---
-
-*`rsa.internal.rid`*::
-+
---
-This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: long
-
---
-
-*`rsa.internal.session_split`*::
-+
---
-This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: keyword
-
---
-
-*`rsa.internal.site`*::
-+
---
-Deprecated key defined only in table map.
-
-type: keyword
-
---
-
-*`rsa.internal.size`*::
-+
---
-This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: long
-
---
-
-*`rsa.internal.sourcefile`*::
-+
---
-This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: keyword
-
---
-
-*`rsa.internal.ubc_req`*::
-+
---
-This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
-
-type: long
-
---
-
-*`rsa.internal.ubc_res`*::
-+
---
-This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
-
-type: long
-
---
-
-*`rsa.internal.word`*::
-+
---
-This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log
-
-type: keyword
-
---
-
-
-*`rsa.time.event_time`*::
-+
---
-This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form
-
-type: date
-
---
-
-*`rsa.time.duration_time`*::
-+
---
-This key is used to capture the normalized duration/lifetime in seconds.
- -type: double - --- - -*`rsa.time.event_time_str`*:: -+ --- -This key is used to capture the incomplete time mentioned in a session as a string - -type: keyword - --- - -*`rsa.time.starttime`*:: -+ --- -This key is used to capture the Start time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.month`*:: -+ --- -type: keyword - --- - -*`rsa.time.day`*:: -+ --- -type: keyword - --- - -*`rsa.time.endtime`*:: -+ --- -This key is used to capture the End time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.timezone`*:: -+ --- -This key is used to capture the timezone of the Event Time - -type: keyword - --- - -*`rsa.time.duration_str`*:: -+ --- -A text string version of the duration - -type: keyword - --- - -*`rsa.time.date`*:: -+ --- -type: keyword - --- - -*`rsa.time.year`*:: -+ --- -type: keyword - --- - -*`rsa.time.recorded_time`*:: -+ --- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date - --- - -*`rsa.time.datetime`*:: -+ --- -type: keyword - --- - -*`rsa.time.effective_time`*:: -+ --- -This key is the effective time referenced by an individual event in a Standard Timestamp format - -type: date - --- - -*`rsa.time.expire_time`*:: -+ --- -This key is the timestamp that explicitly refers to an expiration. - -type: date - --- - -*`rsa.time.process_time`*:: -+ --- -Deprecated, use duration.time - -type: keyword - --- - -*`rsa.time.hour`*:: -+ --- -type: keyword - --- - -*`rsa.time.min`*:: -+ --- -type: keyword - --- - -*`rsa.time.timestamp`*:: -+ --- -type: keyword - --- - -*`rsa.time.event_queue_time`*:: -+ --- -This key is the Time that the event was queued. 
- -type: date - --- - -*`rsa.time.p_time1`*:: -+ --- -type: keyword - --- - -*`rsa.time.tzone`*:: -+ --- -type: keyword - --- - -*`rsa.time.eventtime`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmtdate`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmttime`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_date`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_month`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time2`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_year`*:: -+ --- -type: keyword - --- - -*`rsa.time.expire_time_str`*:: -+ --- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. - -type: keyword - --- - -*`rsa.time.stamp`*:: -+ --- -Deprecated key defined only in table map. - -type: date - --- - - -*`rsa.misc.action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.result`*:: -+ --- -This key is used to capture the outcome/result string value of an action in a session. - -type: keyword - --- - -*`rsa.misc.severity`*:: -+ --- -This key is used to capture the severity given the session - -type: keyword - --- - -*`rsa.misc.event_type`*:: -+ --- -This key captures the event category type as specified by the event source. - -type: keyword - --- - -*`rsa.misc.reference_id`*:: -+ --- -This key is used to capture an event id from the session directly - -type: keyword - --- - -*`rsa.misc.version`*:: -+ --- -This key captures Version of the application or OS which is generating the event. - -type: keyword - --- - -*`rsa.misc.disposition`*:: -+ --- -This key captures the The end state of an action. 
- -type: keyword - --- - -*`rsa.misc.result_code`*:: -+ --- -This key is used to capture the outcome/result numeric value of an action in a session - -type: keyword - --- - -*`rsa.misc.category`*:: -+ --- -This key is used to capture the category of an event given by the vendor in the session - -type: keyword - --- - -*`rsa.misc.obj_name`*:: -+ --- -This is used to capture name of object - -type: keyword - --- - -*`rsa.misc.obj_type`*:: -+ --- -This is used to capture type of object - -type: keyword - --- - -*`rsa.misc.event_source`*:: -+ --- -This key captures Source of the event that’s not a hostname - -type: keyword - --- - -*`rsa.misc.log_session_id`*:: -+ --- -This key is used to capture a sessionid from the session directly - -type: keyword - --- - -*`rsa.misc.group`*:: -+ --- -This key captures the Group Name value - -type: keyword - --- - -*`rsa.misc.policy_name`*:: -+ --- -This key is used to capture the Policy Name only. - -type: keyword - --- - -*`rsa.misc.rule_name`*:: -+ --- -This key captures the Rule Name - -type: keyword - --- - -*`rsa.misc.context`*:: -+ --- -This key captures Information which adds additional context to the event. - -type: keyword - --- - -*`rsa.misc.change_new`*:: -+ --- -This key is used to capture the new values of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.space`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client`*:: -+ --- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- -type: keyword - --- - -*`rsa.misc.msgIdPart1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.change_old`*:: -+ --- -This key is used to capture the old value of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.operation_id`*:: -+ --- -An alert number or operation number. The values should be unique and non-repeating. - -type: keyword - --- - -*`rsa.misc.event_state`*:: -+ --- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - -type: keyword - --- - -*`rsa.misc.group_object`*:: -+ --- -This key captures a collection/grouping of entities. Specific usage - -type: keyword - --- - -*`rsa.misc.node`*:: -+ --- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - -type: keyword - --- - -*`rsa.misc.rule`*:: -+ --- -This key captures the Rule number - -type: keyword - --- - -*`rsa.misc.device_name`*:: -+ --- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - -type: keyword - --- - -*`rsa.misc.param`*:: -+ --- -This key is the parameters passed as part of a command or application, etc. - -type: keyword - --- - -*`rsa.misc.change_attrib`*:: -+ --- -This key is used to capture the name of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.event_computer`*:: -+ --- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- -type: keyword - --- - -*`rsa.misc.reference_id1`*:: -+ --- -This key is for Linked ID to be used as an addition to "reference.id" - -type: keyword - --- - -*`rsa.misc.event_log`*:: -+ --- -This key captures the Name of the event log - -type: keyword - --- - -*`rsa.misc.OS`*:: -+ --- -This key captures the Name of the Operating System - -type: keyword - --- - -*`rsa.misc.terminal`*:: -+ --- -This key captures the Terminal Names only - -type: keyword - --- - -*`rsa.misc.msgIdPart3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.filter`*:: -+ --- -This key captures Filter used to reduce result set - -type: keyword - --- - -*`rsa.misc.serial_number`*:: -+ --- -This key is the Serial number associated with a physical asset. - -type: keyword - --- - -*`rsa.misc.checksum`*:: -+ --- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - -type: keyword - --- - -*`rsa.misc.event_user`*:: -+ --- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - -type: keyword - --- - -*`rsa.misc.virusname`*:: -+ --- -This key captures the name of the virus - -type: keyword - --- - -*`rsa.misc.content_type`*:: -+ --- -This key is used to capture Content Type only. - -type: keyword - --- - -*`rsa.misc.group_id`*:: -+ --- -This key captures Group ID Number (related to the group name) - -type: keyword - --- - -*`rsa.misc.policy_id`*:: -+ --- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - -type: keyword - --- - -*`rsa.misc.vsys`*:: -+ --- -This key captures Virtual System Name - -type: keyword - --- - -*`rsa.misc.connection_id`*:: -+ --- -This key captures the Connection ID - -type: keyword - --- - -*`rsa.misc.reference_id2`*:: -+ --- -This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - -type: keyword - --- - -*`rsa.misc.sensor`*:: -+ --- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - -type: keyword - --- - -*`rsa.misc.sig_id`*:: -+ --- -This key captures IDS/IPS Int Signature ID - -type: long - --- - -*`rsa.misc.port_name`*:: -+ --- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - -type: keyword - --- - -*`rsa.misc.rule_group`*:: -+ --- -This key captures the Rule group name - -type: keyword - --- - -*`rsa.misc.risk_num`*:: -+ --- -This key captures a Numeric Risk value - -type: double - --- - -*`rsa.misc.trigger_val`*:: -+ --- -This key captures the Value of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.log_session_id1`*:: -+ --- -This key is used to capture a Linked (Related) Session ID from the session directly - -type: keyword - --- - -*`rsa.misc.comp_version`*:: -+ --- -This key captures the Version level of a sub-component of a product. - -type: keyword - --- - -*`rsa.misc.content_version`*:: -+ --- -This key captures Version level of a signature or database content. - -type: keyword - --- - -*`rsa.misc.hardware_id`*:: -+ --- -This key is used to capture unique identifier for a device or system (NOT a Mac address) - -type: keyword - --- - -*`rsa.misc.risk`*:: -+ --- -This key captures the non-numeric risk value - -type: keyword - --- - -*`rsa.misc.event_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.reason`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mail_id`*:: -+ --- -This key is used to capture the mailbox id/name - -type: keyword - --- - -*`rsa.misc.rule_uid`*:: -+ --- -This key is the Unique Identifier for a rule. 
- -type: keyword - --- - -*`rsa.misc.trigger_desc`*:: -+ --- -This key captures the Description of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.inout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.data_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.error`*:: -+ --- -This key captures All non successful Error codes or responses - -type: keyword - --- - -*`rsa.misc.index`*:: -+ --- -type: keyword - --- - -*`rsa.misc.listnum`*:: -+ --- -This key is used to capture listname or listnumber, primarily for collecting access-list - -type: keyword - --- - -*`rsa.misc.ntype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.observed_val`*:: -+ --- -This key captures the Value observed (from the perspective of the device generating the log). - -type: keyword - --- - -*`rsa.misc.policy_value`*:: -+ --- -This key captures the contents of the policy. This contains details about the policy - -type: keyword - --- - -*`rsa.misc.pool_name`*:: -+ --- -This key captures the name of a resource pool - -type: keyword - --- - -*`rsa.misc.rule_template`*:: -+ --- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - -type: keyword - --- - -*`rsa.misc.count`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigcat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comments`*:: -+ --- -Comment information provided in the log message - -type: keyword - --- - -*`rsa.misc.doc_number`*:: -+ --- -This key captures File Identification number - -type: long - --- - -*`rsa.misc.expected_val`*:: -+ --- -This key captures the Value expected (from the perspective of the device generating the log). 
- -type: keyword - --- - -*`rsa.misc.job_num`*:: -+ --- -This key captures the Job Number - -type: keyword - --- - -*`rsa.misc.spi_dst`*:: -+ --- -Destination SPI Index - -type: keyword - --- - -*`rsa.misc.spi_src`*:: -+ --- -Source SPI Index - -type: keyword - --- - -*`rsa.misc.code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.agent_id`*:: -+ --- -This key is used to capture agent id - -type: keyword - --- - -*`rsa.misc.message_body`*:: -+ --- -This key captures the The contents of the message body. - -type: keyword - --- - -*`rsa.misc.phone`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sig_id_str`*:: -+ --- -This key captures a string object of the sigid variable. - -type: keyword - --- - -*`rsa.misc.cmd`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu`*:: -+ --- -This key is the CPU time used in the execution of the event being recorded. - -type: long - --- - -*`rsa.misc.event_desc`*:: -+ --- -This key is used to capture a description of an event available directly or inferred - -type: keyword - --- - -*`rsa.misc.sig_id1`*:: -+ --- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - -type: long - --- - -*`rsa.misc.im_buddyid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_client`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.priority`*:: -+ --- -type: keyword - --- - -*`rsa.misc.context_subject`*:: -+ --- -This key is to be used in an audit context where the subject is the object being identified - -type: keyword - --- - -*`rsa.misc.context_target`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cve`*:: -+ --- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - -type: keyword - --- - -*`rsa.misc.fcatnum`*:: -+ --- -This key captures Filter Category Number. 
Legacy Usage - -type: keyword - --- - -*`rsa.misc.library`*:: -+ --- -This key is used to capture library information in mainframe devices - -type: keyword - --- - -*`rsa.misc.parent_node`*:: -+ --- -This key captures the Parent Node Name. Must be related to node variable. - -type: keyword - --- - -*`rsa.misc.risk_info`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.tcp_flags`*:: -+ --- -This key is captures the TCP flags set in any packet of session - -type: long - --- - -*`rsa.misc.tos`*:: -+ --- -This key describes the type of service - -type: long - --- - -*`rsa.misc.vm_target`*:: -+ --- -VMWare Target **VMWARE** only varaible. - -type: keyword - --- - -*`rsa.misc.workspace`*:: -+ --- -This key captures Workspace Description - -type: keyword - --- - -*`rsa.misc.command`*:: -+ --- -type: keyword - --- - -*`rsa.misc.event_category`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facilityname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.forensic_info`*:: -+ --- -type: keyword - --- - -*`rsa.misc.jobname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy_waiver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.second`*:: -+ --- -type: keyword - --- - -*`rsa.misc.space1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.subcategory`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alert_id`*:: -+ --- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.checksum_dst`*:: -+ --- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - -type: keyword - --- - -*`rsa.misc.checksum_src`*:: -+ --- -This key is used to capture the checksum or hash of the source entity such as a file or process. 
- -type: keyword - --- - -*`rsa.misc.fresult`*:: -+ --- -This key captures the Filter Result - -type: long - --- - -*`rsa.misc.payload_dst`*:: -+ --- -This key is used to capture destination payload - -type: keyword - --- - -*`rsa.misc.payload_src`*:: -+ --- -This key is used to capture source payload - -type: keyword - --- - -*`rsa.misc.pool_id`*:: -+ --- -This key captures the identifier (typically numeric field) of a resource pool - -type: keyword - --- - -*`rsa.misc.process_id_val`*:: -+ --- -This key is a failure key for Process ID when it is not an integer value - -type: keyword - --- - -*`rsa.misc.risk_num_comm`*:: -+ --- -This key captures Risk Number Community - -type: double - --- - -*`rsa.misc.risk_num_next`*:: -+ --- -This key captures Risk Number NextGen - -type: double - --- - -*`rsa.misc.risk_num_sand`*:: -+ --- -This key captures Risk Number SandBox - -type: double - --- - -*`rsa.misc.risk_num_static`*:: -+ --- -This key captures Risk Number Static - -type: double - --- - -*`rsa.misc.risk_suspicious`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.risk_warning`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.snmp_oid`*:: -+ --- -SNMP Object Identifier - -type: keyword - --- - -*`rsa.misc.sql`*:: -+ --- -This key captures the SQL query - -type: keyword - --- - -*`rsa.misc.vuln_ref`*:: -+ --- -This key captures the Vulnerability Reference details - -type: keyword - --- - -*`rsa.misc.acl_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_op`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_pos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_table`*:: -+ --- -type: keyword - --- - -*`rsa.misc.admin`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarm_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarmname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.app_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.audit`*:: 
-+ --- -type: keyword - --- - -*`rsa.misc.audit_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.auditdata`*:: -+ --- -type: keyword - --- - -*`rsa.misc.benchmark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.bypass`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache_hit`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cefversion`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_attr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_obj`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_path`*:: -+ --- -type: keyword - --- - -*`rsa.misc.changes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client_ip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.clustermembers`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_acttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_asn_src`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_bgpv4nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ctr_dst_code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_f_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampintv`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampmode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inacttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermbyts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermpckts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_invalid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ip_proto_ver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ipv4_ident`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_l_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_did`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_rid`*:: -+ --- -type: keyword - 
--- - -*`rsa.misc.cn_max_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_maxpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_min_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_minpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_10`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_5`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_6`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_7`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_8`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_9`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_byt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_pks`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_muligmptype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampalgo`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampint`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_seqctr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_spackets`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sysuptime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_template_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totbytsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totflowexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totpcktsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_unixnanosecs`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6flowlabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6optheaders`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.comp_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_rbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_sbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.criticality`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_agency_dst`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_analyzedby`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_other`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_primary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_secondary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bgpv6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bit9status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_context`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_control`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_datecret`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_dst_tld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_dst_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_src_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_event_uuid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_filetype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_desc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ip_next_hop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4dstpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4srcpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_lifetime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_log_medium`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_loginname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulescore`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulesign`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_opswatresult`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.cs_payload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrant`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrar`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_represult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_rpayload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sampler_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sourcemodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_streams`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_targetmodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_v6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_whois_server`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_yararesult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.description`*:: -+ --- -type: keyword - --- - -*`rsa.misc.devvendor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.distance`*:: -+ --- -type: keyword - --- - -*`rsa.misc.dstburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomaub`*:: -+ --- -type: keyword - --- - -*`rsa.misc.euid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facility`*:: -+ --- -type: keyword - --- - -*`rsa.misc.finterface`*:: -+ --- -type: keyword - --- - -*`rsa.misc.flags`*:: -+ --- -type: keyword - --- - -*`rsa.misc.gaddr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.id3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_buddyname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomtype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_members`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_username`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipscat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipspri`*:: -+ --- -type: keyword - --- - -*`rsa.misc.latitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.linenum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.list_name`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.load_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_floor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_mark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.longitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.lport`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mbug_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msg_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.netsessid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.nwwn`*:: -+ --- -type: keyword - --- - -*`rsa.misc.object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.operation`*:: -+ --- -type: keyword - --- - -*`rsa.misc.opkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.orig_from`*:: -+ --- -type: keyword - --- - -*`rsa.misc.owner_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_filter`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_group_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_result1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_chg`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_expire`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permgranted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permwanted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pgid`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.policyUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.prog_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.program`*:: -+ --- -type: keyword - --- - -*`rsa.misc.real_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_device`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_library`*:: -+ --- -type: keyword - --- - -*`rsa.misc.recordnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ruid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sdomain_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sec`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sensorname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.seqnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.session`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sessiontype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.spi`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcservice`*:: -+ --- -type: keyword - --- - -*`rsa.misc.state`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.svcno`*:: -+ --- -type: keyword - --- - -*`rsa.misc.system`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.threshold`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.udb_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.url_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.user_div`*:: -+ --- -type: keyword - --- - -*`rsa.misc.userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.username_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.utcstamp`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.v_instafname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.virt_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.vpnid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.autorun_type`*:: -+ --- -This is used to capture Auto Run type - -type: keyword - --- - -*`rsa.misc.cc_number`*:: -+ --- -Valid Credit Card Numbers only - -type: long - --- - -*`rsa.misc.content`*:: -+ --- -This key captures the content type from protocol headers - -type: keyword - --- - -*`rsa.misc.ein_number`*:: -+ --- -Employee Identification Numbers only - -type: long - --- - -*`rsa.misc.found`*:: -+ --- -This is used to capture the results of regex match - -type: keyword - --- - -*`rsa.misc.language`*:: -+ --- -This is used to capture list of languages the client support and what it prefers - -type: keyword - --- - -*`rsa.misc.lifetime`*:: -+ --- -This key is used to capture the session lifetime in seconds. - -type: long - --- - -*`rsa.misc.link`*:: -+ --- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.misc.match`*:: -+ --- -This key is for regex match name from search.ini - -type: keyword - --- - -*`rsa.misc.param_dst`*:: -+ --- -This key captures the command line/launch argument of the target process or file - -type: keyword - --- - -*`rsa.misc.param_src`*:: -+ --- -This key captures source parameter - -type: keyword - --- - -*`rsa.misc.search_text`*:: -+ --- -This key captures the Search Text used - -type: keyword - --- - -*`rsa.misc.sig_name`*:: -+ --- -This key is used to capture the Signature Name only. - -type: keyword - --- - -*`rsa.misc.snmp_value`*:: -+ --- -SNMP set request value - -type: keyword - --- - -*`rsa.misc.streams`*:: -+ --- -This key captures number of streams in session - -type: long - --- - - -*`rsa.db.index`*:: -+ --- -This key captures IndexID of the index. 
- -type: keyword - --- - -*`rsa.db.instance`*:: -+ --- -This key is used to capture the database server instance name - -type: keyword - --- - -*`rsa.db.database`*:: -+ --- -This key is used to capture the name of a database or an instance as seen in a session - -type: keyword - --- - -*`rsa.db.transact_id`*:: -+ --- -This key captures the SQL transantion ID of the current session - -type: keyword - --- - -*`rsa.db.permissions`*:: -+ --- -This key captures permission or privilege level assigned to a resource. - -type: keyword - --- - -*`rsa.db.table_name`*:: -+ --- -This key is used to capture the table name - -type: keyword - --- - -*`rsa.db.db_id`*:: -+ --- -This key is used to capture the unique identifier for a database - -type: keyword - --- - -*`rsa.db.db_pid`*:: -+ --- -This key captures the process id of a connection with database server - -type: long - --- - -*`rsa.db.lread`*:: -+ --- -This key is used for the number of logical reads - -type: long - --- - -*`rsa.db.lwrite`*:: -+ --- -This key is used for the number of logical writes - -type: long - --- - -*`rsa.db.pread`*:: -+ --- -This key is used for the number of physical writes - -type: long - --- - - -*`rsa.network.alias_host`*:: -+ --- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - -type: keyword - --- - -*`rsa.network.domain`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_dst`*:: -+ --- -This key should only be used when it’s a Destination Hostname - -type: keyword - --- - -*`rsa.network.network_service`*:: -+ --- -This is used to capture layer 7 protocols/service names - -type: keyword - --- - -*`rsa.network.interface`*:: -+ --- -This key should be used when the source or destination context of an interface is not clear - -type: keyword - --- - -*`rsa.network.network_port`*:: -+ --- -Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) - -type: long - --- - -*`rsa.network.eth_host`*:: -+ --- -Deprecated, use alias.mac - -type: keyword - --- - -*`rsa.network.sinterface`*:: -+ --- -This key should only be used when it’s a Source Interface - -type: keyword - --- - -*`rsa.network.dinterface`*:: -+ --- -This key should only be used when it’s a Destination Interface - -type: keyword - --- - -*`rsa.network.vlan`*:: -+ --- -This key should only be used to capture the ID of the Virtual LAN - -type: long - --- - -*`rsa.network.zone_src`*:: -+ --- -This key should only be used when it’s a Source Zone. - -type: keyword - --- - -*`rsa.network.zone`*:: -+ --- -This key should be used when the source or destination context of a Zone is not clear - -type: keyword - --- - -*`rsa.network.zone_dst`*:: -+ --- -This key should only be used when it’s a Destination Zone. - -type: keyword - --- - -*`rsa.network.gateway`*:: -+ --- -This key is used to capture the IP Address of the gateway - -type: keyword - --- - -*`rsa.network.icmp_type`*:: -+ --- -This key is used to capture the ICMP type only - -type: long - --- - -*`rsa.network.mask`*:: -+ --- -This key is used to capture the device network IPmask. 
- -type: keyword - --- - -*`rsa.network.icmp_code`*:: -+ --- -This key is used to capture the ICMP code only - -type: long - --- - -*`rsa.network.protocol_detail`*:: -+ --- -This key should be used to capture additional protocol information - -type: keyword - --- - -*`rsa.network.dmask`*:: -+ --- -This key is used for Destionation Device network mask - -type: keyword - --- - -*`rsa.network.port`*:: -+ --- -This key should only be used to capture a Network Port when the directionality is not clear - -type: long - --- - -*`rsa.network.smask`*:: -+ --- -This key is used for capturing source Network Mask - -type: keyword - --- - -*`rsa.network.netname`*:: -+ --- -This key is used to capture the network name associated with an IP range. This is configured by the end user. - -type: keyword - --- - -*`rsa.network.paddr`*:: -+ --- -Deprecated - -type: ip - --- - -*`rsa.network.faddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.lhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.origin`*:: -+ --- -type: keyword - --- - -*`rsa.network.remote_domain_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.addr`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_a_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_ptr_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.fhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.fport`*:: -+ --- -type: keyword - --- - -*`rsa.network.laddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.linterface`*:: -+ --- -type: keyword - --- - -*`rsa.network.phost`*:: -+ --- -type: keyword - --- - -*`rsa.network.ad_computer_dst`*:: -+ --- -Deprecated, use host.dst - -type: keyword - --- - -*`rsa.network.eth_type`*:: -+ --- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: long - --- - -*`rsa.network.ip_proto`*:: -+ --- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - -type: long - --- - -*`rsa.network.dns_cname_record`*:: -+ --- 
-type: keyword - --- - -*`rsa.network.dns_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_opcode`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_resp`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.domain1`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.packet_length`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_orig`*:: -+ --- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - -type: keyword - --- - -*`rsa.network.rpayload`*:: -+ --- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. - -type: keyword - --- - -*`rsa.network.vlan_name`*:: -+ --- -This key should only be used to capture the name of the Virtual LAN - -type: keyword - --- - - -*`rsa.investigations.ec_activity`*:: -+ --- -This key captures the particular event activity(Ex:Logoff) - -type: keyword - --- - -*`rsa.investigations.ec_theme`*:: -+ --- -This key captures the Theme of a particular Event(Ex:Authentication) - -type: keyword - --- - -*`rsa.investigations.ec_subject`*:: -+ --- -This key captures the Subject of a particular Event(Ex:User) - -type: keyword - --- - -*`rsa.investigations.ec_outcome`*:: -+ --- -This key captures the outcome of a particular Event(Ex:Success) - -type: keyword - --- - -*`rsa.investigations.event_cat`*:: -+ --- -This key captures the Event category number - -type: long - --- - -*`rsa.investigations.event_cat_name`*:: -+ --- -This key captures the event category name corresponding to the event cat code - -type: keyword - --- - -*`rsa.investigations.event_vcat`*:: -+ --- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - -type: keyword - --- - -*`rsa.investigations.analysis_file`*:: -+ --- -This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - -type: keyword - --- - -*`rsa.investigations.analysis_service`*:: -+ --- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - -type: keyword - --- - -*`rsa.investigations.analysis_session`*:: -+ --- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - -type: keyword - --- - -*`rsa.investigations.boc`*:: -+ --- -This is used to capture behaviour of compromise - -type: keyword - --- - -*`rsa.investigations.eoc`*:: -+ --- -This is used to capture Enablers of Compromise - -type: keyword - --- - -*`rsa.investigations.inv_category`*:: -+ --- -This used to capture investigation category - -type: keyword - --- - -*`rsa.investigations.inv_context`*:: -+ --- -This used to capture investigation context - -type: keyword - --- - -*`rsa.investigations.ioc`*:: -+ --- -This is key capture indicator of compromise - -type: keyword - --- - - -*`rsa.counters.dclass_c1`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c1.str only - -type: long - --- - -*`rsa.counters.dclass_c2`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c2.str only - -type: long - --- - -*`rsa.counters.event_counter`*:: -+ --- -This is used to capture the number of times an event repeated - -type: long - --- - -*`rsa.counters.dclass_r1`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r1.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c3.str only - -type: long - --- - -*`rsa.counters.dclass_c1_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c1 only - -type: keyword - --- - -*`rsa.counters.dclass_c2_str`*:: -+ --- -This is a generic counter string key that should be 
used with the label dclass.c2 only - -type: keyword - --- - -*`rsa.counters.dclass_r1_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r1 only - -type: keyword - --- - -*`rsa.counters.dclass_r2`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r2.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c3 only - -type: keyword - --- - -*`rsa.counters.dclass_r3`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r3.str only - -type: keyword - --- - -*`rsa.counters.dclass_r2_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r2 only - -type: keyword - --- - -*`rsa.counters.dclass_r3_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r3 only - -type: keyword - --- - - -*`rsa.identity.auth_method`*:: -+ --- -This key is used to capture authentication methods used only - -type: keyword - --- - -*`rsa.identity.user_role`*:: -+ --- -This key is used to capture the Role of a user only - -type: keyword - --- - -*`rsa.identity.dn`*:: -+ --- -X.500 (LDAP) Distinguished Name - -type: keyword - --- - -*`rsa.identity.logon_type`*:: -+ --- -This key is used to capture the type of logon method used. 
- -type: keyword - --- - -*`rsa.identity.profile`*:: -+ --- -This key is used to capture the user profile - -type: keyword - --- - -*`rsa.identity.accesses`*:: -+ --- -This key is used to capture actual privileges used in accessing an object - -type: keyword - --- - -*`rsa.identity.realm`*:: -+ --- -Radius realm or similar grouping of accounts - -type: keyword - --- - -*`rsa.identity.user_sid_dst`*:: -+ --- -This key captures Destination User Session ID - -type: keyword - --- - -*`rsa.identity.dn_src`*:: -+ --- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - -type: keyword - --- - -*`rsa.identity.org`*:: -+ --- -This key captures the User organization - -type: keyword - --- - -*`rsa.identity.dn_dst`*:: -+ --- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - -type: keyword - --- - -*`rsa.identity.firstname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.lastname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.user_dept`*:: -+ --- -User's Department Names only - -type: keyword - --- - -*`rsa.identity.user_sid_src`*:: -+ --- -This key captures Source User Session ID - -type: keyword - --- - -*`rsa.identity.federated_sp`*:: -+ --- -This key is the Federated Service Provider. This is the application requesting authentication. - -type: keyword - --- - -*`rsa.identity.federated_idp`*:: -+ --- -This key is the federated Identity Provider. This is the server providing the authentication. - -type: keyword - --- - -*`rsa.identity.logon_type_desc`*:: -+ --- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- -type: keyword - --- - -*`rsa.identity.middlename`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.password`*:: -+ --- -This key is for Passwords seen in any session, plain text or encrypted - -type: keyword - --- - -*`rsa.identity.host_role`*:: -+ --- -This key should only be used to capture the role of a Host Machine - -type: keyword - --- - -*`rsa.identity.ldap`*:: -+ --- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - -type: keyword - --- - -*`rsa.identity.ldap_query`*:: -+ --- -This key is the Search criteria from an LDAP search - -type: keyword - --- - -*`rsa.identity.ldap_response`*:: -+ --- -This key is to capture Results from an LDAP search - -type: keyword - --- - -*`rsa.identity.owner`*:: -+ --- -This is used to capture username the process or service is running as, the author of the task - -type: keyword - --- - -*`rsa.identity.service_account`*:: -+ --- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - -type: keyword - --- - - -*`rsa.email.email_dst`*:: -+ --- -This key is used to capture the Destination email address only, when the destination context is not clear use email - -type: keyword - --- - -*`rsa.email.email_src`*:: -+ --- -This key is used to capture the source email address only, when the source context is not clear use email - -type: keyword - --- - -*`rsa.email.subject`*:: -+ --- -This key is used to capture the subject string from an Email only. - -type: keyword - --- - -*`rsa.email.email`*:: -+ --- -This key is used to capture a generic email address where the source or destination context is not clear - -type: keyword - --- - -*`rsa.email.trans_from`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.email.trans_to`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - - -*`rsa.file.privilege`*:: -+ --- -Deprecated, use permissions - -type: keyword - --- - -*`rsa.file.attachment`*:: -+ --- -This key captures the attachment file name - -type: keyword - --- - -*`rsa.file.filesystem`*:: -+ --- -type: keyword - --- - -*`rsa.file.binary`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.file.filename_dst`*:: -+ --- -This is used to capture name of the file targeted by the action - -type: keyword - --- - -*`rsa.file.filename_src`*:: -+ --- -This is used to capture name of the parent filename, the file which performed the action - -type: keyword - --- - -*`rsa.file.filename_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.file.directory_dst`*:: -+ --- -This key is used to capture the directory of the target process or file - -type: keyword - --- - -*`rsa.file.directory_src`*:: -+ --- -This key is used to capture the directory of the source process or file - -type: keyword - --- - -*`rsa.file.file_entropy`*:: -+ --- -This is used to capture entropy vale of a file - -type: double - --- - -*`rsa.file.file_vendor`*:: -+ --- -This is used to capture Company name of file located in version_info - -type: keyword - --- - -*`rsa.file.task_name`*:: -+ --- -This is used to capture name of the task - -type: keyword - --- - - -*`rsa.web.fqdn`*:: -+ --- -Fully Qualified Domain Names - -type: keyword - --- - -*`rsa.web.web_cookie`*:: -+ --- -This key is used to capture the Web cookies specifically. - -type: keyword - --- - -*`rsa.web.alias_host`*:: -+ --- -type: keyword - --- - -*`rsa.web.reputation_num`*:: -+ --- -Reputation Number of an entity. 
Typically used for Web Domains - -type: double - --- - -*`rsa.web.web_ref_domain`*:: -+ --- -Web referer's domain - -type: keyword - --- - -*`rsa.web.web_ref_query`*:: -+ --- -This key captures Web referer's query portion of the URL - -type: keyword - --- - -*`rsa.web.remote_domain`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_ref_page`*:: -+ --- -This key captures Web referer's page information - -type: keyword - --- - -*`rsa.web.web_ref_root`*:: -+ --- -Web referer's root URL path - -type: keyword - --- - -*`rsa.web.cn_asn_dst`*:: -+ --- -type: keyword - --- - -*`rsa.web.cn_rpackets`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlpage`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlroot`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_url`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_user_agent`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_cookie`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_method`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_referer`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_extension_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_page`*:: -+ --- -type: keyword - --- - - -*`rsa.threat.threat_category`*:: -+ --- -This key captures Threat Name/Threat Category/Categorization of alert - -type: keyword - --- - -*`rsa.threat.threat_desc`*:: -+ --- -This key is used to capture the threat description from the session directly or inferred - -type: keyword - --- - -*`rsa.threat.alert`*:: -+ --- -This key is used to capture name of the alert - -type: keyword - --- - -*`rsa.threat.threat_source`*:: -+ --- -This key is used to capture source of the threat - -type: keyword - --- - - -*`rsa.crypto.crypto`*:: -+ --- -This key is used to capture the Encryption Type or Encryption Key only - -type: keyword - --- - -*`rsa.crypto.cipher_src`*:: -+ --- -This key is for Source (Client) Cipher - -type: keyword - --- - -*`rsa.crypto.cert_subject`*:: -+ --- -This key is used to capture the Certificate organization only - -type: keyword - --- 
- -*`rsa.crypto.peer`*:: -+ --- -This key is for Encryption peer's IP Address - -type: keyword - --- - -*`rsa.crypto.cipher_size_src`*:: -+ --- -This key captures Source (Client) Cipher Size - -type: long - --- - -*`rsa.crypto.ike`*:: -+ --- -IKE negotiation phase. - -type: keyword - --- - -*`rsa.crypto.scheme`*:: -+ --- -This key captures the Encryption scheme used - -type: keyword - --- - -*`rsa.crypto.peer_id`*:: -+ --- -This key is for Encryption peer’s identity - -type: keyword - --- - -*`rsa.crypto.sig_type`*:: -+ --- -This key captures the Signature Type - -type: keyword - --- - -*`rsa.crypto.cert_issuer`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.crypto.cert_error`*:: -+ --- -This key captures the Certificate Error String - -type: keyword - --- - -*`rsa.crypto.cipher_dst`*:: -+ --- -This key is for Destination (Server) Cipher - -type: keyword - --- - -*`rsa.crypto.cipher_size_dst`*:: -+ --- -This key captures Destination (Server) Cipher Size - -type: long - --- - -*`rsa.crypto.ssl_ver_src`*:: -+ --- -Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.d_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.s_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.ike_cookie1`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase One - -type: keyword - --- - -*`rsa.crypto.ike_cookie2`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase Two - -type: keyword - --- - -*`rsa.crypto.cert_checksum`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_cat`*:: -+ --- -This key is used for the hostname category value of a certificate - -type: keyword - --- - -*`rsa.crypto.cert_serial`*:: -+ --- -This key is used to capture the Certificate serial number only - -type: keyword - --- - -*`rsa.crypto.cert_status`*:: -+ --- -This key captures Certificate validation status - -type: keyword - --- - -*`rsa.crypto.ssl_ver_dst`*:: -+ --- 
-Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.cert_keysize`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_username`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_insact`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_valid`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_ca`*:: -+ --- -This key is used to capture the Certificate signing authority only - -type: keyword - --- - -*`rsa.crypto.cert_common`*:: -+ --- -This key is used to capture the Certificate common name only - -type: keyword - --- - - -*`rsa.wireless.wlan_ssid`*:: -+ --- -This key is used to capture the ssid of a Wireless Session - -type: keyword - --- - -*`rsa.wireless.access_point`*:: -+ --- -This key is used to capture the access point name. - -type: keyword - --- - -*`rsa.wireless.wlan_channel`*:: -+ --- -This is used to capture the channel names - -type: long - --- - -*`rsa.wireless.wlan_name`*:: -+ --- -This key captures either WLAN number/name - -type: keyword - --- - - -*`rsa.storage.disk_volume`*:: -+ --- -A unique name assigned to logical units (volumes) within a physical disk - -type: keyword - --- - -*`rsa.storage.lun`*:: -+ --- -Logical Unit Number.This key is a very useful concept in Storage. - -type: keyword - --- - -*`rsa.storage.pwwn`*:: -+ --- -This uniquely identifies a port on a HBA. - -type: keyword - --- - - -*`rsa.physical.org_dst`*:: -+ --- -This is used to capture the destination organization based on the GEOPIP Maxmind database. - -type: keyword - --- - -*`rsa.physical.org_src`*:: -+ --- -This is used to capture the source organization based on the GEOPIP Maxmind database. 
- -type: keyword - --- - - -*`rsa.healthcare.patient_fname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_id`*:: -+ --- -This key captures the unique ID for a patient - -type: keyword - --- - -*`rsa.healthcare.patient_lname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_mname`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - - -*`rsa.endpoint.host_state`*:: -+ --- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - -type: keyword - --- - -*`rsa.endpoint.registry_key`*:: -+ --- -This key captures the path to the registry key - -type: keyword - --- - -*`rsa.endpoint.registry_value`*:: -+ --- -This key captures values or decorators used within a registry entry - -type: keyword - --- - [float] === cisco.umbrella diff --git a/filebeat/docs/modules/cisco.asciidoc b/filebeat/docs/modules/cisco.asciidoc index ca094907b98..1826aa23064 100644 --- a/filebeat/docs/modules/cisco.asciidoc +++ b/filebeat/docs/modules/cisco.asciidoc @@ -27,8 +27,6 @@ filesets for receiving logs over syslog or read from a file: - `amp` fileset: supports Cisco AMP API logs. - `ftd` fileset: supports Cisco Firepower Threat Defense logs. - `ios` fileset: supports Cisco IOS router and switch logs. -- `nexus` fileset: supports Cisco Nexus switch logs. -- `meraki` fileset: supports Cisco Meraki logs. - `umbrella` fileset: supports Cisco Umbrella logs. Cisco ASA devices also support exporting flow records using NetFlow, which is 
@@ -278,100 +276,6 @@ include::../include/timezone-support.asciidoc[] :fileset_ex!: -[float] -==== `nexus` fileset settings - -deprecated::[8.12.0,"This fileset is deprecated. Use the https://docs.elastic.co/integrations/cisco_nexus[Cisco Nexus] Elastic integration instead."] - -experimental[] - -NOTE: This was converted from RSA NetWitness log parser XML "cisconxos" device revision 134. - -*`var.input`*:: - -The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. - -*`var.syslog_host`*:: - -The address to listen to UDP or TCP based syslog traffic. -Defaults to `localhost`. -Set to `0.0.0.0` to bind to all available interfaces. - -*`var.syslog_port`*:: - -The port to listen for syslog traffic. Defaults to `9506` - -NOTE: Ports below 1024 require Filebeat to run as root. - -*`var.tz_offset`*:: - -By default, datetimes in the logs will be interpreted as relative to -the timezone configured in the host where {beatname_uc} is running. If ingesting -logs from a host on a different timezone, use this field to set the timezone -offset so that datetimes are correctly parsed. Valid values are in the form -±HH:mm, for example, `-07:00` for `UTC-7`. - -*`var.rsa_fields`*:: - -Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be added. - -*`var.keep_raw_fields`*:: - -Flag to control the addition of the raw parser fields to the event. This fields -will be found under `rsa.raw`. The default is false. - -:has-dashboards!: - -:fileset_ex!: - -[float] -==== `meraki` fileset settings - -deprecated::[8.12.0,"This fileset is deprecated. Use the https://docs.elastic.co/integrations/cisco_meraki[Cisco Meraki] Elastic integration instead."] - -experimental[] - -NOTE: This was converted from RSA NetWitness log parser XML "ciscomeraki" device revision 118. - -*`var.input`*:: - -The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. 
- -*`var.syslog_host`*:: - -The address to listen to UDP or TCP based syslog traffic. -Defaults to `localhost`. -Set to `0.0.0.0` to bind to all available interfaces. - -*`var.syslog_port`*:: - -The port to listen for syslog traffic. Defaults to `9525` - -NOTE: Ports below 1024 require Filebeat to run as root. - -*`var.tz_offset`*:: - -By default, datetimes in the logs will be interpreted as relative to -the timezone configured in the host where {beatname_uc} is running. If ingesting -logs from a host on a different timezone, use this field to set the timezone -offset so that datetimes are correctly parsed. Valid values are in the form -±HH:mm, for example, `-07:00` for `UTC-7`. - -*`var.rsa_fields`*:: - -Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be added. - -*`var.keep_raw_fields`*:: - -Flag to control the addition of the raw parser fields to the event. This fields -will be found under `rsa.raw`. The default is false. - -:has-dashboards!: - -:fileset_ex!: - [float] ==== `umbrella` fileset settings diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index fab3d9769c6..910e941ddda 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -724,44 +724,6 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: - nexus: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9506 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - - meraki: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9525 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - umbrella: enabled: false diff --git a/x-pack/filebeat/module/cisco/_meta/config.yml b/x-pack/filebeat/module/cisco/_meta/config.yml index bd3886be727..afb51da92b1 100644 --- a/x-pack/filebeat/module/cisco/_meta/config.yml +++ b/x-pack/filebeat/module/cisco/_meta/config.yml 
@@ -93,44 +93,6 @@ # Filebeat will choose the paths depending on your OS. #var.paths: - nexus: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9506 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - - meraki: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9525 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - umbrella: enabled: false diff --git a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc index eb4777ea0b4..c020574dac0 100644 --- a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc @@ -20,8 +20,6 @@ filesets for receiving logs over syslog or read from a file: - `amp` fileset: supports Cisco AMP API logs. - `ftd` fileset: supports Cisco Firepower Threat Defense logs. - `ios` fileset: supports Cisco IOS router and switch logs. -- `nexus` fileset: supports Cisco Nexus switch logs. -- `meraki` fileset: supports Cisco Meraki logs. - `umbrella` fileset: supports Cisco Umbrella logs. Cisco ASA devices also support exporting flow records using NetFlow, which is 
@@ -271,100 +269,6 @@ include::../include/timezone-support.asciidoc[]
 :fileset_ex!:
-[float]
-==== `nexus` fileset settings
-
-deprecated::[8.12.0,"This fileset is deprecated. Use the https://docs.elastic.co/integrations/cisco_nexus[Cisco Nexus] Elastic integration instead."]
-
-experimental[]
-
-NOTE: This was converted from RSA NetWitness log parser XML "cisconxos" device revision 134.
-
-*`var.input`*::
-
-The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
-
-*`var.syslog_host`*::
-
-The address to listen to UDP or TCP based syslog traffic.
-Defaults to `localhost`.
-Set to `0.0.0.0` to bind to all available interfaces.
-
-*`var.syslog_port`*::
-
-The port to listen for syslog traffic. Defaults to `9506`
-
-NOTE: Ports below 1024 require Filebeat to run as root.
-
-*`var.tz_offset`*::
-
-By default, datetimes in the logs will be interpreted as relative to
-the timezone configured in the host where {beatname_uc} is running. If ingesting
-logs from a host on a different timezone, use this field to set the timezone
-offset so that datetimes are correctly parsed. Valid values are in the form
-±HH:mm, for example, `-07:00` for `UTC-7`.
-
-*`var.rsa_fields`*::
-
-Flag to control the addition of non-ECS fields to the event. Defaults to true,
-which causes both ECS and custom fields under `rsa` to be added.
-
-*`var.keep_raw_fields`*::
-
-Flag to control the addition of the raw parser fields to the event. This fields
-will be found under `rsa.raw`. The default is false.
-
-:has-dashboards!:
-
-:fileset_ex!:
-
-[float]
-==== `meraki` fileset settings
-
-deprecated::[8.12.0,"This fileset is deprecated. Use the https://docs.elastic.co/integrations/cisco_meraki[Cisco Meraki] Elastic integration instead."]
-
-experimental[]
-
-NOTE: This was converted from RSA NetWitness log parser XML "ciscomeraki" device revision 118.
-
-*`var.input`*::
-
-The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
-
-*`var.syslog_host`*::
-
-The address to listen to UDP or TCP based syslog traffic.
-Defaults to `localhost`.
-Set to `0.0.0.0` to bind to all available interfaces.
-
-*`var.syslog_port`*::
-
-The port to listen for syslog traffic. Defaults to `9525`
-
-NOTE: Ports below 1024 require Filebeat to run as root.
-
-*`var.tz_offset`*::
-
-By default, datetimes in the logs will be interpreted as relative to
-the timezone configured in the host where {beatname_uc} is running. If ingesting
-logs from a host on a different timezone, use this field to set the timezone
-offset so that datetimes are correctly parsed. Valid values are in the form
-±HH:mm, for example, `-07:00` for `UTC-7`.
-
-*`var.rsa_fields`*::
-
-Flag to control the addition of non-ECS fields to the event. Defaults to true,
-which causes both ECS and custom fields under `rsa` to be added.
-
-*`var.keep_raw_fields`*::
-
-Flag to control the addition of the raw parser fields to the event. This fields
-will be found under `rsa.raw`. The default is false.
-
-:has-dashboards!:
-
-:fileset_ex!:
-
 [float]
 ==== `umbrella` fileset settings
diff --git a/x-pack/filebeat/module/cisco/fields.go b/x-pack/filebeat/module/cisco/fields.go
index 40d2eb18562..414ffb54896 100644
--- a/x-pack/filebeat/module/cisco/fields.go
+++ b/x-pack/filebeat/module/cisco/fields.go
@@ -19,5 +19,5 @@ func init() {
 // AssetCisco returns asset data.
 // This is the base64 encoded zlib format compressed contents of module/cisco.
 func AssetCisco() string {
- return "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"
+ return "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"
 }
diff --git a/x-pack/filebeat/module/cisco/meraki/_meta/fields.yml b/x-pack/filebeat/module/cisco/meraki/_meta/fields.yml
deleted file mode 100644
index 08a34153c4f..00000000000
--- a/x-pack/filebeat/module/cisco/meraki/_meta/fields.yml
+++ /dev/null
@@ -1,2635 +0,0 @@ -- name: network.interface.name - overwrite: true - type: keyword - description: > - Name of the network interface where the traffic has been observed. -- name: rsa - overwrite: true - type: group - fields: - - name: internal - overwrite: true - type: group - fields: - - name: msg - overwrite: true - type: keyword - description: This key is used to capture the raw message that comes into the - Log Decoder - - name: messageid - overwrite: true - type: keyword - - name: event_desc - overwrite: true - type: keyword - - name: message - overwrite: true - type: keyword - description: This key captures the contents of instant messages - - name: time - overwrite: true - type: date - description: This is the time at which a session hits a NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness. - - name: level - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: msg_id - overwrite: true - type: keyword - description: This is the Message ID1 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: msg_vid - overwrite: true - type: keyword - description: This is the Message ID2 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: data - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: resource - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: statement - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: entry - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: inode - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: resource_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: dead - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - overwrite: true - type: keyword - description: This is used to capture the description of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: feed_name - overwrite: true - type: keyword - description: This is used to capture the name of the feed. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: cid - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_class - overwrite: true - type: keyword - description: This is the Classification of the Log Event Source under a predefined - fixed set of Event Source Classifications. 
This key should never be used to - parse Meta data from a session (Logs/Packets) Directly, this is a Reserved - key in NetWitness - - name: device_group - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - overwrite: true - type: keyword - description: This is the Hostname of the log Event Source sending the logs to - NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - overwrite: true - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - overwrite: true - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - overwrite: true - type: keyword - description: This is the name of the log parser which parsed a given session. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_type_id - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: did - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. 
- This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: entropy_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: entropy_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: event_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - overwrite: true - type: keyword - description: This is used to capture the category of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: forward_ip - overwrite: true - type: ip - description: This key should be used to capture the IPV4 address of a relay - system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - overwrite: true - type: ip - description: This key is used to capture the IPV6 address of a relay system - which forwarded the events from the original system to NetWitness. This key - should never be used to parse Meta data from a session (Logs/Packets) Directly, - this is a Reserved key in NetWitness - - name: header_id - overwrite: true - type: keyword - description: This is the Header ID value that identifies the exact log parser - header definition that parses a particular log session. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: lc_cid - overwrite: true - type: keyword - description: This is a unique Identifier of a Log Collector. 
This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: lc_ctime - overwrite: true - type: date - description: This is the time at which a log is collected in a NetWitness Log - Collector. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: mcbc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: medium - overwrite: true - type: long - description: "This key is used to identify if it\u2019s a log/packet session\ - \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ - \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ - \ 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: nwe_callback_id - overwrite: true - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - overwrite: true - type: keyword - description: This is a special key that stores any Meta key validation error - found while parsing a log session. This key should never be used to parse - Meta data from a session (Logs/Packets) Directly, this is a Reserved key in - NetWitness - - name: payload_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: payload_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: process_vid_dst - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the target process. - - name: process_vid_src - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the source process. - - name: rid - overwrite: true - type: long - description: This is a special ID of the Remote Session created by NetWitness - Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: session_split - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: size - overwrite: true - type: long - description: This is the size of the session as seen by the NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: sourcefile - overwrite: true - type: keyword - description: This is the name of the log file or PCAPs that can be imported - into NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: ubc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: word - overwrite: true - type: keyword - description: This is used by the Word Parsing technology to capture the first - 5 character of every word in an unparsed log - - name: time - overwrite: true - type: group - fields: - - name: event_time - overwrite: true - type: date - description: This key is used to capture the time mentioned in a raw session - that represents the actual time an event occured in a standard normalized - form - - name: duration_time - overwrite: true - type: double - description: This key is used to capture the normalized duration/lifetime in - seconds. 
- - name: event_time_str - overwrite: true - type: keyword - description: This key is used to capture the incomplete time mentioned in a - session as a string - - name: starttime - overwrite: true - type: date - description: This key is used to capture the Start time mentioned in a session - in a standard form - - name: month - overwrite: true - type: keyword - - name: day - overwrite: true - type: keyword - - name: endtime - overwrite: true - type: date - description: This key is used to capture the End time mentioned in a session - in a standard form - - name: timezone - overwrite: true - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - overwrite: true - type: keyword - description: A text string version of the duration - - name: date - overwrite: true - type: keyword - - name: year - overwrite: true - type: keyword - - name: recorded_time - overwrite: true - type: date - description: The event time as recorded by the system the event is collected - from. The usage scenario is a multi-tier application where the management - layer of the system records it's own timestamp at the time of collection from - its child nodes. Must be in timestamp format. - - name: datetime - overwrite: true - type: keyword - - name: effective_time - overwrite: true - type: date - description: This key is the effective time referenced by an individual event - in a Standard Timestamp format - - name: expire_time - overwrite: true - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - overwrite: true - type: keyword - description: Deprecated, use duration.time - - name: hour - overwrite: true - type: keyword - - name: min - overwrite: true - type: keyword - - name: timestamp - overwrite: true - type: keyword - - name: event_queue_time - overwrite: true - type: date - description: This key is the Time that the event was queued. 
- - name: p_time1 - overwrite: true - type: keyword - - name: tzone - overwrite: true - type: keyword - - name: eventtime - overwrite: true - type: keyword - - name: gmtdate - overwrite: true - type: keyword - - name: gmttime - overwrite: true - type: keyword - - name: p_date - overwrite: true - type: keyword - - name: p_month - overwrite: true - type: keyword - - name: p_time - overwrite: true - type: keyword - - name: p_time2 - overwrite: true - type: keyword - - name: p_year - overwrite: true - type: keyword - - name: expire_time_str - overwrite: true - type: keyword - description: This key is used to capture incomplete timestamp that explicitly - refers to an expiration. - - name: stamp - overwrite: true - type: date - description: Deprecated key defined only in table map. - - name: misc - overwrite: true - type: group - fields: - - name: action - overwrite: true - type: keyword - - name: result - overwrite: true - type: keyword - description: This key is used to capture the outcome/result string value of - an action in a session. - - name: severity - overwrite: true - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - overwrite: true - type: keyword - description: This key captures the event category type as specified by the event - source. - - name: reference_id - overwrite: true - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - overwrite: true - type: keyword - description: This key captures Version of the application or OS which is generating - the event. - - name: disposition - overwrite: true - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - overwrite: true - type: keyword - description: This key is used to capture the outcome/result numeric value of - an action in a session - - name: category - overwrite: true - type: keyword - description: This key is used to capture the category of an event given by the - vendor in the session - - name: obj_name - overwrite: true - type: keyword - description: This is used to capture name of object - - name: obj_type - overwrite: true - type: keyword - description: This is used to capture type of object - - name: event_source - overwrite: true - type: keyword - description: "This key captures Source of the event that\u2019s not a hostname" - - name: log_session_id - overwrite: true - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - overwrite: true - type: keyword - description: This key captures the Group Name value - - name: policy_name - overwrite: true - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - overwrite: true - type: keyword - description: This key captures the Rule Name - - name: context - overwrite: true - type: keyword - description: This key captures Information which adds additional context to - the event. - - name: change_new - overwrite: true - type: keyword - description: "This key is used to capture the new values of the attribute that\u2019\ - s changing in a session" - - name: space - overwrite: true - type: keyword - - name: client - overwrite: true - type: keyword - description: This key is used to capture only the name of the client application - requesting resources of the server. See the user.agent meta key for capture - of the specific user agent identifier or browser identification string. 
- - name: msgIdPart1 - overwrite: true - type: keyword - - name: msgIdPart2 - overwrite: true - type: keyword - - name: change_old - overwrite: true - type: keyword - description: "This key is used to capture the old value of the attribute that\u2019\ - s changing in a session" - - name: operation_id - overwrite: true - type: keyword - description: An alert number or operation number. The values should be unique - and non-repeating. - - name: event_state - overwrite: true - type: keyword - description: This key captures the current state of the object/item referenced - within the event. Describing an on-going event. - - name: group_object - overwrite: true - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - overwrite: true - type: keyword - description: Common use case is the node name within a cluster. The cluster - name is reflected by the host name. - - name: rule - overwrite: true - type: keyword - description: This key captures the Rule number - - name: device_name - overwrite: true - type: keyword - description: 'This is used to capture name of the Device associated with the - node Like: a physical disk, printer, etc' - - name: param - overwrite: true - type: keyword - description: This key is the parameters passed as part of a command or application, - etc. - - name: change_attrib - overwrite: true - type: keyword - description: "This key is used to capture the name of the attribute that\u2019\ - s changing in a session" - - name: event_computer - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - fully qualified domain name in a windows log. 
- - name: reference_id1 - overwrite: true - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - overwrite: true - type: keyword - description: This key captures the Name of the event log - - name: OS - overwrite: true - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - overwrite: true - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - overwrite: true - type: keyword - - name: filter - overwrite: true - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - overwrite: true - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the entity - such as a file or process. Checksum should be used over checksum.src or checksum.dst - when it is unclear whether the entity is a source or target of an action. - - name: event_user - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - combination of domain name and username in a windows log. - - name: virusname - overwrite: true - type: keyword - description: This key captures the name of the virus - - name: content_type - overwrite: true - type: keyword - description: This key is used to capture Content Type only. 
- - name: group_id - overwrite: true - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - overwrite: true - type: keyword - description: This key is used to capture the Policy ID only, this should be - a numeric value, use policy.name otherwise - - name: vsys - overwrite: true - type: keyword - description: This key captures Virtual System Name - - name: connection_id - overwrite: true - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - overwrite: true - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" - or "reference.id1" value but should not be used unless the other two variables - are in play. - - name: sensor - overwrite: true - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS - based devices - - name: sig_id - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - overwrite: true - type: keyword - description: 'This key is used for Physical or logical port connection but does - NOT include a network port. (Example: Printer port name).' - - name: rule_group - overwrite: true - type: keyword - description: This key captures the Rule group name - - name: risk_num - overwrite: true - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - overwrite: true - type: keyword - description: This key captures the Value of the trigger or threshold condition. - - name: log_session_id1 - overwrite: true - type: keyword - description: This key is used to capture a Linked (Related) Session ID from - the session directly - - name: comp_version - overwrite: true - type: keyword - description: This key captures the Version level of a sub-component of a product. 
- - name: content_version - overwrite: true - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - overwrite: true - type: keyword - description: This key is used to capture unique identifier for a device or system - (NOT a Mac address) - - name: risk - overwrite: true - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - overwrite: true - type: keyword - - name: reason - overwrite: true - type: keyword - - name: status - overwrite: true - type: keyword - - name: mail_id - overwrite: true - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - overwrite: true - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - overwrite: true - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - overwrite: true - type: keyword - - name: p_msgid - overwrite: true - type: keyword - - name: data_type - overwrite: true - type: keyword - - name: msgIdPart4 - overwrite: true - type: keyword - - name: error - overwrite: true - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - overwrite: true - type: keyword - - name: listnum - overwrite: true - type: keyword - description: This key is used to capture listname or listnumber, primarily for - collecting access-list - - name: ntype - overwrite: true - type: keyword - - name: observed_val - overwrite: true - type: keyword - description: This key captures the Value observed (from the perspective of the - device generating the log). - - name: policy_value - overwrite: true - type: keyword - description: This key captures the contents of the policy. 
This contains details - about the policy - - name: pool_name - overwrite: true - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - overwrite: true - type: keyword - description: A default set of parameters which are overlayed onto a rule (or - rulename) which efffectively constitutes a template - - name: count - overwrite: true - type: keyword - - name: number - overwrite: true - type: keyword - - name: sigcat - overwrite: true - type: keyword - - name: type - overwrite: true - type: keyword - - name: comments - overwrite: true - type: keyword - description: Comment information provided in the log message - - name: doc_number - overwrite: true - type: long - description: This key captures File Identification number - - name: expected_val - overwrite: true - type: keyword - description: This key captures the Value expected (from the perspective of the - device generating the log). - - name: job_num - overwrite: true - type: keyword - description: This key captures the Job Number - - name: spi_dst - overwrite: true - type: keyword - description: Destination SPI Index - - name: spi_src - overwrite: true - type: keyword - description: Source SPI Index - - name: code - overwrite: true - type: keyword - - name: agent_id - overwrite: true - type: keyword - description: This key is used to capture agent id - - name: message_body - overwrite: true - type: keyword - description: This key captures the The contents of the message body. - - name: phone - overwrite: true - type: keyword - - name: sig_id_str - overwrite: true - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - overwrite: true - type: keyword - - name: misc - overwrite: true - type: keyword - - name: name - overwrite: true - type: keyword - - name: cpu - overwrite: true - type: long - description: This key is the CPU time used in the execution of the event being - recorded. 
- - name: event_desc - overwrite: true - type: keyword - description: This key is used to capture a description of an event available - directly or inferred - - name: sig_id1 - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID. This must be linked - to the sig.id - - name: im_buddyid - overwrite: true - type: keyword - - name: im_client - overwrite: true - type: keyword - - name: im_userid - overwrite: true - type: keyword - - name: pid - overwrite: true - type: keyword - - name: priority - overwrite: true - type: keyword - - name: context_subject - overwrite: true - type: keyword - description: This key is to be used in an audit context where the subject is - the object being identified - - name: context_target - overwrite: true - type: keyword - - name: cve - overwrite: true - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - - an identifier for known information security vulnerabilities. - - name: fcatnum - overwrite: true - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - overwrite: true - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - overwrite: true - type: keyword - description: This key captures the Parent Node Name. Must be related to node - variable. - - name: risk_info - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - overwrite: true - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - overwrite: true - type: long - description: This key describes the type of service - - name: vm_target - overwrite: true - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - overwrite: true - type: keyword - description: This key captures Workspace Description - - name: command - overwrite: true - type: keyword - - name: event_category - overwrite: true - type: keyword - - name: facilityname - overwrite: true - type: keyword - - name: forensic_info - overwrite: true - type: keyword - - name: jobname - overwrite: true - type: keyword - - name: mode - overwrite: true - type: keyword - - name: policy - overwrite: true - type: keyword - - name: policy_waiver - overwrite: true - type: keyword - - name: second - overwrite: true - type: keyword - - name: space1 - overwrite: true - type: keyword - - name: subcategory - overwrite: true - type: keyword - - name: tbdstr2 - overwrite: true - type: keyword - - name: alert_id - overwrite: true - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the the target - entity such as a process or file. - - name: checksum_src - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the source - entity such as a file or process. 
- - name: fresult - overwrite: true - type: long - description: This key captures the Filter Result - - name: payload_dst - overwrite: true - type: keyword - description: This key is used to capture destination payload - - name: payload_src - overwrite: true - type: keyword - description: This key is used to capture source payload - - name: pool_id - overwrite: true - type: keyword - description: This key captures the identifier (typically numeric field) of a - resource pool - - name: process_id_val - overwrite: true - type: keyword - description: This key is a failure key for Process ID when it is not an integer - value - - name: risk_num_comm - overwrite: true - type: double - description: This key captures Risk Number Community - - name: risk_num_next - overwrite: true - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - overwrite: true - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - overwrite: true - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - overwrite: true - type: keyword - description: SNMP Object Identifier - - name: sql - overwrite: true - type: keyword - description: This key captures the SQL query - - name: vuln_ref - overwrite: true - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - overwrite: true - type: keyword - - name: acl_op - overwrite: true - type: keyword - - name: acl_pos - overwrite: true - type: keyword - - name: acl_table - overwrite: true - type: keyword - - name: admin - overwrite: true - type: keyword - - name: alarm_id - overwrite: true - type: keyword - - name: alarmname - 
overwrite: true - type: keyword - - name: app_id - overwrite: true - type: keyword - - name: audit - overwrite: true - type: keyword - - name: audit_object - overwrite: true - type: keyword - - name: auditdata - overwrite: true - type: keyword - - name: benchmark - overwrite: true - type: keyword - - name: bypass - overwrite: true - type: keyword - - name: cache - overwrite: true - type: keyword - - name: cache_hit - overwrite: true - type: keyword - - name: cefversion - overwrite: true - type: keyword - - name: cfg_attr - overwrite: true - type: keyword - - name: cfg_obj - overwrite: true - type: keyword - - name: cfg_path - overwrite: true - type: keyword - - name: changes - overwrite: true - type: keyword - - name: client_ip - overwrite: true - type: keyword - - name: clustermembers - overwrite: true - type: keyword - - name: cn_acttimeout - overwrite: true - type: keyword - - name: cn_asn_src - overwrite: true - type: keyword - - name: cn_bgpv4nxthop - overwrite: true - type: keyword - - name: cn_ctr_dst_code - overwrite: true - type: keyword - - name: cn_dst_tos - overwrite: true - type: keyword - - name: cn_dst_vlan - overwrite: true - type: keyword - - name: cn_engine_id - overwrite: true - type: keyword - - name: cn_engine_type - overwrite: true - type: keyword - - name: cn_f_switch - overwrite: true - type: keyword - - name: cn_flowsampid - overwrite: true - type: keyword - - name: cn_flowsampintv - overwrite: true - type: keyword - - name: cn_flowsampmode - overwrite: true - type: keyword - - name: cn_inacttimeout - overwrite: true - type: keyword - - name: cn_inpermbyts - overwrite: true - type: keyword - - name: cn_inpermpckts - overwrite: true - type: keyword - - name: cn_invalid - overwrite: true - type: keyword - - name: cn_ip_proto_ver - overwrite: true - type: keyword - - name: cn_ipv4_ident - overwrite: true - type: keyword - - name: cn_l_switch - overwrite: true - type: keyword - - name: cn_log_did - overwrite: true - type: keyword - - name: 
cn_log_rid - overwrite: true - type: keyword - - name: cn_max_ttl - overwrite: true - type: keyword - - name: cn_maxpcktlen - overwrite: true - type: keyword - - name: cn_min_ttl - overwrite: true - type: keyword - - name: cn_minpcktlen - overwrite: true - type: keyword - - name: cn_mpls_lbl_1 - overwrite: true - type: keyword - - name: cn_mpls_lbl_10 - overwrite: true - type: keyword - - name: cn_mpls_lbl_2 - overwrite: true - type: keyword - - name: cn_mpls_lbl_3 - overwrite: true - type: keyword - - name: cn_mpls_lbl_4 - overwrite: true - type: keyword - - name: cn_mpls_lbl_5 - overwrite: true - type: keyword - - name: cn_mpls_lbl_6 - overwrite: true - type: keyword - - name: cn_mpls_lbl_7 - overwrite: true - type: keyword - - name: cn_mpls_lbl_8 - overwrite: true - type: keyword - - name: cn_mpls_lbl_9 - overwrite: true - type: keyword - - name: cn_mplstoplabel - overwrite: true - type: keyword - - name: cn_mplstoplabip - overwrite: true - type: keyword - - name: cn_mul_dst_byt - overwrite: true - type: keyword - - name: cn_mul_dst_pks - overwrite: true - type: keyword - - name: cn_muligmptype - overwrite: true - type: keyword - - name: cn_sampalgo - overwrite: true - type: keyword - - name: cn_sampint - overwrite: true - type: keyword - - name: cn_seqctr - overwrite: true - type: keyword - - name: cn_spackets - overwrite: true - type: keyword - - name: cn_src_tos - overwrite: true - type: keyword - - name: cn_src_vlan - overwrite: true - type: keyword - - name: cn_sysuptime - overwrite: true - type: keyword - - name: cn_template_id - overwrite: true - type: keyword - - name: cn_totbytsexp - overwrite: true - type: keyword - - name: cn_totflowexp - overwrite: true - type: keyword - - name: cn_totpcktsexp - overwrite: true - type: keyword - - name: cn_unixnanosecs - overwrite: true - type: keyword - - name: cn_v6flowlabel - overwrite: true - type: keyword - - name: cn_v6optheaders - overwrite: true - type: keyword - - name: comp_class - overwrite: true - type: 
keyword - - name: comp_name - overwrite: true - type: keyword - - name: comp_rbytes - overwrite: true - type: keyword - - name: comp_sbytes - overwrite: true - type: keyword - - name: cpu_data - overwrite: true - type: keyword - - name: criticality - overwrite: true - type: keyword - - name: cs_agency_dst - overwrite: true - type: keyword - - name: cs_analyzedby - overwrite: true - type: keyword - - name: cs_av_other - overwrite: true - type: keyword - - name: cs_av_primary - overwrite: true - type: keyword - - name: cs_av_secondary - overwrite: true - type: keyword - - name: cs_bgpv6nxthop - overwrite: true - type: keyword - - name: cs_bit9status - overwrite: true - type: keyword - - name: cs_context - overwrite: true - type: keyword - - name: cs_control - overwrite: true - type: keyword - - name: cs_data - overwrite: true - type: keyword - - name: cs_datecret - overwrite: true - type: keyword - - name: cs_dst_tld - overwrite: true - type: keyword - - name: cs_eth_dst_ven - overwrite: true - type: keyword - - name: cs_eth_src_ven - overwrite: true - type: keyword - - name: cs_event_uuid - overwrite: true - type: keyword - - name: cs_filetype - overwrite: true - type: keyword - - name: cs_fld - overwrite: true - type: keyword - - name: cs_if_desc - overwrite: true - type: keyword - - name: cs_if_name - overwrite: true - type: keyword - - name: cs_ip_next_hop - overwrite: true - type: keyword - - name: cs_ipv4dstpre - overwrite: true - type: keyword - - name: cs_ipv4srcpre - overwrite: true - type: keyword - - name: cs_lifetime - overwrite: true - type: keyword - - name: cs_log_medium - overwrite: true - type: keyword - - name: cs_loginname - overwrite: true - type: keyword - - name: cs_modulescore - overwrite: true - type: keyword - - name: cs_modulesign - overwrite: true - type: keyword - - name: cs_opswatresult - overwrite: true - type: keyword - - name: cs_payload - overwrite: true - type: keyword - - name: cs_registrant - overwrite: true - type: keyword - - 
name: cs_registrar - overwrite: true - type: keyword - - name: cs_represult - overwrite: true - type: keyword - - name: cs_rpayload - overwrite: true - type: keyword - - name: cs_sampler_name - overwrite: true - type: keyword - - name: cs_sourcemodule - overwrite: true - type: keyword - - name: cs_streams - overwrite: true - type: keyword - - name: cs_targetmodule - overwrite: true - type: keyword - - name: cs_v6nxthop - overwrite: true - type: keyword - - name: cs_whois_server - overwrite: true - type: keyword - - name: cs_yararesult - overwrite: true - type: keyword - - name: description - overwrite: true - type: keyword - - name: devvendor - overwrite: true - type: keyword - - name: distance - overwrite: true - type: keyword - - name: dstburb - overwrite: true - type: keyword - - name: edomain - overwrite: true - type: keyword - - name: edomaub - overwrite: true - type: keyword - - name: euid - overwrite: true - type: keyword - - name: facility - overwrite: true - type: keyword - - name: finterface - overwrite: true - type: keyword - - name: flags - overwrite: true - type: keyword - - name: gaddr - overwrite: true - type: keyword - - name: id3 - overwrite: true - type: keyword - - name: im_buddyname - overwrite: true - type: keyword - - name: im_croomid - overwrite: true - type: keyword - - name: im_croomtype - overwrite: true - type: keyword - - name: im_members - overwrite: true - type: keyword - - name: im_username - overwrite: true - type: keyword - - name: ipkt - overwrite: true - type: keyword - - name: ipscat - overwrite: true - type: keyword - - name: ipspri - overwrite: true - type: keyword - - name: latitude - overwrite: true - type: keyword - - name: linenum - overwrite: true - type: keyword - - name: list_name - overwrite: true - type: keyword - - name: load_data - overwrite: true - type: keyword - - name: location_floor - overwrite: true - type: keyword - - name: location_mark - overwrite: true - type: keyword - - name: log_id - overwrite: true - 
type: keyword - - name: log_type - overwrite: true - type: keyword - - name: logid - overwrite: true - type: keyword - - name: logip - overwrite: true - type: keyword - - name: logname - overwrite: true - type: keyword - - name: longitude - overwrite: true - type: keyword - - name: lport - overwrite: true - type: keyword - - name: mbug_data - overwrite: true - type: keyword - - name: misc_name - overwrite: true - type: keyword - - name: msg_type - overwrite: true - type: keyword - - name: msgid - overwrite: true - type: keyword - - name: netsessid - overwrite: true - type: keyword - - name: num - overwrite: true - type: keyword - - name: number1 - overwrite: true - type: keyword - - name: number2 - overwrite: true - type: keyword - - name: nwwn - overwrite: true - type: keyword - - name: object - overwrite: true - type: keyword - - name: operation - overwrite: true - type: keyword - - name: opkt - overwrite: true - type: keyword - - name: orig_from - overwrite: true - type: keyword - - name: owner_id - overwrite: true - type: keyword - - name: p_action - overwrite: true - type: keyword - - name: p_filter - overwrite: true - type: keyword - - name: p_group_object - overwrite: true - type: keyword - - name: p_id - overwrite: true - type: keyword - - name: p_msgid1 - overwrite: true - type: keyword - - name: p_msgid2 - overwrite: true - type: keyword - - name: p_result1 - overwrite: true - type: keyword - - name: password_chg - overwrite: true - type: keyword - - name: password_expire - overwrite: true - type: keyword - - name: permgranted - overwrite: true - type: keyword - - name: permwanted - overwrite: true - type: keyword - - name: pgid - overwrite: true - type: keyword - - name: policyUUID - overwrite: true - type: keyword - - name: prog_asp_num - overwrite: true - type: keyword - - name: program - overwrite: true - type: keyword - - name: real_data - overwrite: true - type: keyword - - name: rec_asp_device - overwrite: true - type: keyword - - name: rec_asp_num 
- overwrite: true - type: keyword - - name: rec_library - overwrite: true - type: keyword - - name: recordnum - overwrite: true - type: keyword - - name: ruid - overwrite: true - type: keyword - - name: sburb - overwrite: true - type: keyword - - name: sdomain_fld - overwrite: true - type: keyword - - name: sec - overwrite: true - type: keyword - - name: sensorname - overwrite: true - type: keyword - - name: seqnum - overwrite: true - type: keyword - - name: session - overwrite: true - type: keyword - - name: sessiontype - overwrite: true - type: keyword - - name: sigUUID - overwrite: true - type: keyword - - name: spi - overwrite: true - type: keyword - - name: srcburb - overwrite: true - type: keyword - - name: srcdom - overwrite: true - type: keyword - - name: srcservice - overwrite: true - type: keyword - - name: state - overwrite: true - type: keyword - - name: status1 - overwrite: true - type: keyword - - name: svcno - overwrite: true - type: keyword - - name: system - overwrite: true - type: keyword - - name: tbdstr1 - overwrite: true - type: keyword - - name: tgtdom - overwrite: true - type: keyword - - name: tgtdomain - overwrite: true - type: keyword - - name: threshold - overwrite: true - type: keyword - - name: type1 - overwrite: true - type: keyword - - name: udb_class - overwrite: true - type: keyword - - name: url_fld - overwrite: true - type: keyword - - name: user_div - overwrite: true - type: keyword - - name: userid - overwrite: true - type: keyword - - name: username_fld - overwrite: true - type: keyword - - name: utcstamp - overwrite: true - type: keyword - - name: v_instafname - overwrite: true - type: keyword - - name: virt_data - overwrite: true - type: keyword - - name: vpnid - overwrite: true - type: keyword - - name: autorun_type - overwrite: true - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - overwrite: true - type: long - description: Valid Credit Card Numbers only - - name: content - 
overwrite: true - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - overwrite: true - type: long - description: Employee Identification Numbers only - - name: found - overwrite: true - type: keyword - description: This is used to capture the results of regex match - - name: language - overwrite: true - type: keyword - description: This is used to capture list of languages the client support and - what it prefers - - name: lifetime - overwrite: true - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - overwrite: true - type: keyword - description: This key is used to link the sessions together. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: match - overwrite: true - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - overwrite: true - type: keyword - description: This key captures the command line/launch argument of the target - process or file - - name: param_src - overwrite: true - type: keyword - description: This key captures source parameter - - name: search_text - overwrite: true - type: keyword - description: This key captures the Search Text used - - name: sig_name - overwrite: true - type: keyword - description: This key is used to capture the Signature Name only. - - name: snmp_value - overwrite: true - type: keyword - description: SNMP set request value - - name: streams - overwrite: true - type: long - description: This key captures number of streams in session - - name: db - overwrite: true - type: group - fields: - - name: index - overwrite: true - type: keyword - description: This key captures IndexID of the index. 
- - name: instance - overwrite: true - type: keyword - description: This key is used to capture the database server instance name - - name: database - overwrite: true - type: keyword - description: This key is used to capture the name of a database or an instance - as seen in a session - - name: transact_id - overwrite: true - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - overwrite: true - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - overwrite: true - type: keyword - description: This key is used to capture the table name - - name: db_id - overwrite: true - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - overwrite: true - type: long - description: This key captures the process id of a connection with database - server - - name: lread - overwrite: true - type: long - description: This key is used for the number of logical reads - - name: lwrite - overwrite: true - type: long - description: This key is used for the number of logical writes - - name: pread - overwrite: true - type: long - description: This key is used for the number of physical writes - - name: network - overwrite: true - type: group - fields: - - name: alias_host - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a hostname is not clear.Also it captures the Device Hostname. Any Hostname - that isnt ad.computer. 
- - name: domain - overwrite: true - type: keyword - - name: host_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Hostname" - - name: network_service - overwrite: true - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of an interface is not clear - - name: network_port - overwrite: true - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently - used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - overwrite: true - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Interface" - - name: dinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Interface" - - name: vlan - overwrite: true - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Zone." - - name: zone - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a Zone is not clear - - name: zone_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Zone." - - name: gateway - overwrite: true - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - overwrite: true - type: long - description: This key is used to capture the ICMP type only - - name: mask - overwrite: true - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - overwrite: true - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - overwrite: true - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - overwrite: true - type: keyword - description: This key is used for Destionation Device network mask - - name: port - overwrite: true - type: long - description: This key should only be used to capture a Network Port when the - directionality is not clear - - name: smask - overwrite: true - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - overwrite: true - type: keyword - description: This key is used to capture the network name associated with an - IP range. This is configured by the end user. - - name: paddr - overwrite: true - type: ip - description: Deprecated - - name: faddr - overwrite: true - type: keyword - - name: lhost - overwrite: true - type: keyword - - name: origin - overwrite: true - type: keyword - - name: remote_domain_id - overwrite: true - type: keyword - - name: addr - overwrite: true - type: keyword - - name: dns_a_record - overwrite: true - type: keyword - - name: dns_ptr_record - overwrite: true - type: keyword - - name: fhost - overwrite: true - type: keyword - - name: fport - overwrite: true - type: keyword - - name: laddr - overwrite: true - type: keyword - - name: linterface - overwrite: true - type: keyword - - name: phost - overwrite: true - type: keyword - - name: ad_computer_dst - overwrite: true - type: keyword - description: Deprecated, use host.dst - - name: eth_type - overwrite: true - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols - Only - - name: ip_proto - overwrite: true - type: long - description: This key should be used to capture the Protocol number, all the - protocol nubers are converted into string in UI - - name: dns_cname_record - overwrite: true - 
type: keyword - - name: dns_id - overwrite: true - type: keyword - - name: dns_opcode - overwrite: true - type: keyword - - name: dns_resp - overwrite: true - type: keyword - - name: dns_type - overwrite: true - type: keyword - - name: domain1 - overwrite: true - type: keyword - - name: host_type - overwrite: true - type: keyword - - name: packet_length - overwrite: true - type: keyword - - name: host_orig - overwrite: true - type: keyword - description: This is used to capture the original hostname in case of a Forwarding - Agent or a Proxy in between. - - name: rpayload - overwrite: true - type: keyword - description: This key is used to capture the total number of payload bytes seen - in the retransmitted packets. - - name: vlan_name - overwrite: true - type: keyword - description: This key should only be used to capture the name of the Virtual - LAN - - name: investigations - overwrite: true - type: group - fields: - - name: ec_activity - overwrite: true - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - overwrite: true - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - overwrite: true - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - overwrite: true - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - overwrite: true - type: long - description: This key captures the Event category number - - name: event_cat_name - overwrite: true - type: keyword - description: This key captures the event category name corresponding to the - event cat code - - name: event_vcat - overwrite: true - type: keyword - description: This is a vendor supplied category. This should be used in situations - where the vendor has adopted their own event_category taxonomy. 
- - name: analysis_file - overwrite: true - type: keyword - description: This is used to capture all indicators used in a File Analysis. - This key should be used to capture an analysis of a file - - name: analysis_service - overwrite: true - type: keyword - description: This is used to capture all indicators used in a Service Analysis. - This key should be used to capture an analysis of a service - - name: analysis_session - overwrite: true - type: keyword - description: This is used to capture all indicators used for a Session Analysis. - This key should be used to capture an analysis of a session - - name: boc - overwrite: true - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - overwrite: true - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - overwrite: true - type: keyword - description: This used to capture investigation category - - name: inv_context - overwrite: true - type: keyword - description: This used to capture investigation context - - name: ioc - overwrite: true - type: keyword - description: This is key capture indicator of compromise - - name: counters - overwrite: true - type: group - fields: - - name: dclass_c1 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c1.str only - - name: dclass_c2 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c2.str only - - name: event_counter - overwrite: true - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r1.str only - - name: dclass_c3 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c3.str only - - name: dclass_c1_str - 
overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c1 only - - name: dclass_c2_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c2 only - - name: dclass_r1_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r1 only - - name: dclass_r2 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r2.str only - - name: dclass_c3_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c3 only - - name: dclass_r3 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r3.str only - - name: dclass_r2_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r2 only - - name: dclass_r3_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r3 only - - name: identity - overwrite: true - type: group - fields: - - name: auth_method - overwrite: true - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - overwrite: true - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - overwrite: true - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - overwrite: true - type: keyword - description: This key is used to capture the type of logon method used. 
- - name: profile - overwrite: true - type: keyword - description: This key is used to capture the user profile - - name: accesses - overwrite: true - type: keyword - description: This key is used to capture actual privileges used in accessing - an object - - name: realm - overwrite: true - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - overwrite: true - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that - indicates a Source dn - - name: org - overwrite: true - type: keyword - description: This key captures the User organization - - name: dn_dst - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that - indicates a Destination dn - - name: firstname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: lastname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: user_dept - overwrite: true - type: keyword - description: User's Department Names only - - name: user_sid_src - overwrite: true - type: keyword - description: This key captures Source User Session ID - - name: federated_sp - overwrite: true - type: keyword - description: This key is the Federated Service Provider. This is the application - requesting authentication. - - name: federated_idp - overwrite: true - type: keyword - description: This key is the federated Identity Provider. This is the server - providing the authentication. - - name: logon_type_desc - overwrite: true - type: keyword - description: This key is used to capture the textual description of an integer - logon type as stored in the meta key 'logon.type'. 
- - name: middlename - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: password - overwrite: true - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - overwrite: true - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - overwrite: true - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ - t have a clear query or response context" - - name: ldap_query - overwrite: true - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - overwrite: true - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - overwrite: true - type: keyword - description: This is used to capture username the process or service is running - as, the author of the task - - name: service_account - overwrite: true - type: keyword - description: This key is a windows specific key, used for capturing name of - the account a service (referenced in the event) is running under. Legacy Usage - - name: email - overwrite: true - type: group - fields: - - name: email_dst - overwrite: true - type: keyword - description: This key is used to capture the Destination email address only, - when the destination context is not clear use email - - name: email_src - overwrite: true - type: keyword - description: This key is used to capture the source email address only, when - the source context is not clear use email - - name: subject - overwrite: true - type: keyword - description: This key is used to capture the subject string from an Email only. 
- - name: email - overwrite: true - type: keyword - description: This key is used to capture a generic email address where the source - or destination context is not clear - - name: trans_from - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: file - overwrite: true - type: group - fields: - - name: privilege - overwrite: true - type: keyword - description: Deprecated, use permissions - - name: attachment - overwrite: true - type: keyword - description: This key captures the attachment file name - - name: filesystem - overwrite: true - type: keyword - - name: binary - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: filename_dst - overwrite: true - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - overwrite: true - type: keyword - description: This is used to capture name of the parent filename, the file which - performed the action - - name: filename_tmp - overwrite: true - type: keyword - - name: directory_dst - overwrite: true - type: keyword - description: This key is used to capture the directory of the target process - or file - - name: directory_src - overwrite: true - type: keyword - description: This key is used to capture the directory of the source process - or file - - name: file_entropy - overwrite: true - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - overwrite: true - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - overwrite: true - type: keyword - description: This is used to capture name of the task - - name: web - overwrite: true - type: group - fields: - - name: fqdn - overwrite: true - type: keyword - description: Fully Qualified Domain Names - - 
name: web_cookie - overwrite: true - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - overwrite: true - type: keyword - - name: reputation_num - overwrite: true - type: double - description: Reputation Number of an entity. Typically used for Web Domains - - name: web_ref_domain - overwrite: true - type: keyword - description: Web referer's domain - - name: web_ref_query - overwrite: true - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - overwrite: true - type: keyword - - name: web_ref_page - overwrite: true - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - overwrite: true - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - overwrite: true - type: keyword - - name: cn_rpackets - overwrite: true - type: keyword - - name: urlpage - overwrite: true - type: keyword - - name: urlroot - overwrite: true - type: keyword - - name: p_url - overwrite: true - type: keyword - - name: p_user_agent - overwrite: true - type: keyword - - name: p_web_cookie - overwrite: true - type: keyword - - name: p_web_method - overwrite: true - type: keyword - - name: p_web_referer - overwrite: true - type: keyword - - name: web_extension_tmp - overwrite: true - type: keyword - - name: web_page - overwrite: true - type: keyword - - name: threat - overwrite: true - type: group - fields: - - name: threat_category - overwrite: true - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of - alert - - name: threat_desc - overwrite: true - type: keyword - description: This key is used to capture the threat description from the session - directly or inferred - - name: alert - overwrite: true - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - overwrite: true - type: keyword - description: This key is used to 
capture source of the threat - - name: crypto - overwrite: true - type: group - fields: - - name: crypto - overwrite: true - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key - only - - name: cipher_src - overwrite: true - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - overwrite: true - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - overwrite: true - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - overwrite: true - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - overwrite: true - type: keyword - description: IKE negotiation phase. - - name: scheme - overwrite: true - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - overwrite: true - type: keyword - description: "This key is for Encryption peer\u2019s identity" - - name: sig_type - overwrite: true - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - overwrite: true - type: keyword - - name: cert_host_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: cert_error - overwrite: true - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - overwrite: true - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - overwrite: true - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - overwrite: true - type: keyword - description: Deprecated, use version - - name: d_certauth - overwrite: true - type: keyword - - name: s_certauth - overwrite: true - type: keyword - - name: ike_cookie1 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - - name: ike_cookie2 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - - name: cert_checksum - overwrite: true - type: keyword - - name: cert_host_cat - overwrite: true - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - overwrite: true - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - overwrite: true - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - overwrite: true - type: keyword - description: Deprecated, use version - - name: cert_keysize - overwrite: true - type: keyword - - name: cert_username - overwrite: true - type: keyword - - name: https_insact - overwrite: true - type: keyword - - name: https_valid - overwrite: true - type: keyword - - name: cert_ca - overwrite: true - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - overwrite: true - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - overwrite: true - type: group - fields: - - name: wlan_ssid - overwrite: true - type: keyword - description: This key is 
used to capture the ssid of a Wireless Session - - name: access_point - overwrite: true - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - overwrite: true - type: long - description: This is used to capture the channel names - - name: wlan_name - overwrite: true - type: keyword - description: This key captures either WLAN number/name - - name: storage - overwrite: true - type: group - fields: - - name: disk_volume - overwrite: true - type: keyword - description: A unique name assigned to logical units (volumes) within a physical - disk - - name: lun - overwrite: true - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - overwrite: true - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - overwrite: true - type: group - fields: - - name: org_dst - overwrite: true - type: keyword - description: This is used to capture the destination organization based on the - GEOPIP Maxmind database. - - name: org_src - overwrite: true - type: keyword - description: This is used to capture the source organization based on the GEOPIP - Maxmind database. 
- - name: healthcare - overwrite: true - type: group - fields: - - name: patient_fname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_id - overwrite: true - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_mname - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: endpoint - overwrite: true - type: group - fields: - - name: host_state - overwrite: true - type: keyword - description: This key is used to capture the current state of the machine, such - as blacklisted, infected, firewall - disabled and so on - - name: registry_key - overwrite: true - type: keyword - description: This key captures the path to the registry key - - name: registry_value - overwrite: true - type: keyword - description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/cisco/meraki/config/input.yml b/x-pack/filebeat/module/cisco/meraki/config/input.yml deleted file mode 100644 index 6a02d794ecf..00000000000 --- a/x-pack/filebeat/module/cisco/meraki/config/input.yml +++ /dev/null 
@@ -1,87 +0,0 @@
-{{ if eq .input "file" }}
-
-type: log
-paths:
- {{ range $i, $path := .paths }}
-- {{$path}}
- {{ end }}
-exclude_files: [".gz$"]
-
-{{ else }}
-
-type: {{.input}}
-host: "{{.syslog_host}}:{{.syslog_port}}"
-
-{{ end }}
-
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
-
-fields_under_root: true
-fields:
- observer:
- vendor: "Cisco"
- product: "Meraki"
- type: "Wireless"
-
-processors:
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{.rsa_fields}}
- tz_offset: {{.tz_offset}}
- keep_raw: {{.keep_raw_fields}}
- debug: {{.debug}}
- files:
- - ${path.home}/module/cisco/meraki/config/liblogparser.js
- - ${path.home}/module/cisco/meraki/config/pipeline.js
-{{ if .community_id }}
-- community_id: ~
-{{ end }}
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: dns.question.name
- target_field: dns.question.registered_domain
- target_subdomain_field: dns.question.subdomain
- target_etld_field: dns.question.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: client.domain
- target_field: client.registered_domain
- target_subdomain_field: client.subdomain
- target_etld_field: client.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: server.domain
- target_field: server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/cisco/meraki/config/liblogparser.js b/x-pack/filebeat/module/cisco/meraki/config/liblogparser.js
deleted file mode 100644
index b35eaa3ddce..00000000000
--- a/x-pack/filebeat/module/cisco/meraki/config/liblogparser.js
+++ /dev/null
@@ -1,2514 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -/* jshint -W014,-W016,-W097,-W116 */ - -var processor = require("processor"); -var console = require("console"); - -var FLAG_FIELD = "log.flags"; -var FIELDS_OBJECT = "nwparser"; -var FIELDS_PREFIX = FIELDS_OBJECT + "."; - -var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true -}; - -var saved_flags = null; -var debug; -var map_ecs; -var map_rsa; -var keep_raw; -var device; -var tz_offset; -var strip_priority; - -// Register params from configuration. -function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); -} - -function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } -} - -function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); -} - -function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); -} - -function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; -} - -function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; -} - -function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; -} - -var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); -})(); - -function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; -} - -function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } -} - -function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; -} - -function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; -} - -function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; -} - -function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; -} - -var start; - -function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); -} - -function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); -} - -function constant(value) { - return function (evt) { - return value; - }; -} - -function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; -} - -function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; -} - -// TODO: Implement -function DIRCHK(args) { - unimplemented("DIRCHK"); -} - -function strictToInt(str) { - return str * 1; -} - -function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - var result; - switch 
(args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; -} - -var quoteChars = "\"'`"; -function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; -} - -function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; -} - -function nop(evt) { -} - -function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); -} - -function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); -} - -function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; -} - -function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); -} - -function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; -} - -function setc(dst, value) { - return function (evt) { - evt.Put(FIELDS_PREFIX + dst, value); - }; 
-} - -function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; -} - -function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; -} - -function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; -} - -function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; -} - -// Make two-digit dates 00-69 interpreted as 2000-2069 -// and dates 70-99 translated to 1970-1999. -var twoDigitYearEpoch = 70; -var twoDigitYearCentury = 2000; - -// This is to accept dates up to 2 days in the future, only used when -// no year is specified in a date. 2 days should be enough to account for -// time differences between systems and different tz offsets. -var maxFutureDelta = 2*24*60*60*1000; - -// DateContainer stores date fields and then converts those fields into -// a Date. Necessary because building a Date using its set() methods gives -// different results depending on the order of components. -function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; -} - -DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } -} - -function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; -} - -function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; -} - -function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; -} - -var uA = 60 * 60 * 24; -var uD = 60 * 60 * 24; -var uF = 60 * 60; -var uG = 60 * 60 * 24 * 30; -var uH = 60 * 60; -var uI = 60 * 60; -var uJ = 60 * 60 * 24; -var uM = 60 * 60 * 24 * 30; -var uN = 60 * 60; -var uO = 1; -var uS = 1; -var uT = 60; -var uU = 60; -var uc = dc; - -function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; -} - -function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 5], - "dec": [11, 4], 
-}; - -// var dC = undefined; -var dR = dateMonthName(true); -var dB = dateMonthName(false); -var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); -var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); -var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); -var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); -var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); -var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 -var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); -var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); -var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); -var dP = parseAMPM; // AM|PM -var dQ = parseAMPM; // A.M.|P.M -var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); -var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); -var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); -var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); -var dZ = parseHMS; -var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - -// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. -// Only works if this modifier appears after the hour has been read from logs -// which is always the case in the 300 devices. 
-function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; -} - -function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); -} - -function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; -} - -function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; -} - -function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; -} - -function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; -} - -function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; -} - -// Short month name (Jan..Dec). -function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; -} - -function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; -} - -// The following regular expression for parsing URLs from: -// https://github.com/wizard04wsu/URI_Parsing -// -// The MIT License (MIT) -// -// Copyright (c) 2014 Andrew Harrison -// -// Permission is hereby granted, free of charge, to any person obtaining a copy of -// this software and associated documentation files (the "Software"), to deal in -// the Software without restriction, including without limitation the rights to -// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -// the Software, and to permit persons to whom the Software is furnished to do so, -// subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
-var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - -var uriScheme = 1; -var uriDomain = 5; -var uriPort = 6; -var uriPath = 7; -var uriPathAlt = 9; -var uriQuery = 11; - -function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); -} - -function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; -} - -function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; -} - -var extFromPage = /\.[^.]+$/; -function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } -} - -function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); -} - -function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); -} - -var pageFromPathRegExp = /\/([^\/]+)$/; -var pageName = 1; - -function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; -} - -function page(dst, src) { - return url_wrapper(dst, src, extract_page); -} - -function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; -} - -function path(dst, src) { - return url_wrapper(dst, src, extract_path); -} - -// Map common schemes to their default port. -// port has to be a string (will be converted at a later stage). 
-var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", -}; - -function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } -} - -function port(dst, src) { - return url_wrapper(dst, src, extract_port); -} - -function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; -} - -function query(dst, src) { - return url_wrapper(dst, src, extract_query); -} - -function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } -} - -function root(dst, src) { - return url_wrapper(dst, src, extract_root); -} - -function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } -} - -var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
- "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
- "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
- "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
- "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
- "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
- "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
- "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
- "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
- "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
- "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
- "direction": {to:[{field: "network.direction", setter: fld_set}]},
- "directory": {to:[{field: "file.directory", setter: fld_set}]},
- "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
- "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
- "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
- "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
- "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, -
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
- "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
- "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
- "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
- "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
- "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
- "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
- "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
- "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
- "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
- "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
- "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
- "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
- "filepath": {to:[{field: "file.path", setter: fld_set}]},
- "filetype": {to:[{field: "file.type", setter: fld_set}]},
- "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
- "group": {to:[{field: "group.name", setter: fld_set}]},
- "groupid": {to:[{field: "group.id", setter: fld_set}]},
- "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "hostname": {to:[{field:
"host.name", setter: fld_prio, prio: 0}]},
- "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
- "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
- "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
- "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
- "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
- "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
- "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
- "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
- "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
- "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
- "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
- "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
- "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
- "method": {to:[{field: "http.request.method", setter: fld_set}]},
- "msg": {to:[{field: "message", setter: fld_set}]},
- "orig_ip": {convert: to_ip,
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
- "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
- "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
- "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
- "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
- "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
- "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
- "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
- "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
- "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
- "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
- "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
- "product": {to:[{field: "observer.product", setter: fld_set}]},
- "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
- "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
- "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
- "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
- "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter:
fld_set},{field: "related.ip", setter: fld_append}]},
- "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
- "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
- "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
- "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
- "severity": {to:[{field: "log.level", setter: fld_set}]},
- "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
- "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
- "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
- "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
- "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
- "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
- "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
- "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
- "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
- "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
- "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
- "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
- "url_raw": {to:[{field: "url.original", setter: fld_prio, prio:
0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
-};
-
-var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
- "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
- "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
- "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
- "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
- "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
- "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
- "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
- "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
- "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
- "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
- "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
- "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
- "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
- "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
- "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
- "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
- "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
- "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
- "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
- "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
- "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
- "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
- "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
- "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
- "calling_from": {to:[{field:
"rsa.misc.phone", setter: fld_prio, prio: 1}]},
- "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
- "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
- "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
- "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
- "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
- "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
- "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
- "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
- "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
- "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
- "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
- "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
- "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
- "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
- "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
- "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
- "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
- "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
- "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
- "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
- "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
- "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
- "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
- "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
- "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
- "checksum.src":
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
- "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
- "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
- "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
- "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
- "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
- "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
- "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
- "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
- "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
- "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
- "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
- "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
- "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
- "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
- "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
- "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
- "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
- "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
- "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
- "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
- "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
- "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
- "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
- "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
- "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
- "cn_log_did": {to:[{field:
"rsa.misc.cn_log_did", setter: fld_set}]},
- "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
- "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
- "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
- "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
- "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
- "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
- "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
- "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
- "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
- "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
- "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
- "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
- "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
- "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
- "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
- "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
- "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
- "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
- "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
- "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
- "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
- "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
- "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
- "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
- "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
- "cn_src_tos": {to:[{field:
"rsa.misc.cn_src_tos", setter: fld_set}]},
- "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
- "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
- "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
- "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
- "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
- "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
- "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
- "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
- "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
- "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
- "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
- "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
- "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
- "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
- "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
- "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
- "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
- "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
- "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
- "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
- "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
- "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
- "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
- "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
- "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
- "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, -
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
- "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
- "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
- "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
- "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
- "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
- "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
- "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
- "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
- "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
- "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
- "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
- "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
- "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
- "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
- "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
- "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
- "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
- "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
- "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
- "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
- "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
- "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
- "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
- "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
- "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
- "cs_modulescore": {to:[{field:
"rsa.misc.cs_modulescore", setter: fld_set}]},
- "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
- "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
- "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
- "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
- "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
- "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
- "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
- "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
- "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
- "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
- "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
- "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
- "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
- "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
- "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
- "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
- "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
- "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
- "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
- "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
- "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
- "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
- "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
- "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
- "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
- "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
- "db_pid": {convert: to_long, to:[{field:
"rsa.db.db_pid", setter: fld_set}]},
- "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
- "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
- "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
- "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
- "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
- "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
- "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
- "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
- "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
- "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
- "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
- "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
- "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
- "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
- "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
- "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
- "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
- "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
- "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
- "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
- "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
- "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
- "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, -}; - -function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } -} - -// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. -var maxSafeInt = Math.pow(2, 53) - 1; -var minSafeInt = -maxSafeInt; - -function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; -} - -function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); -} - -var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; -var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - -function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; -} - -function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; -} - -function to_double(value) { - return parseFloat(value); -} - -function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; -} - -function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; -} - -function fld_set(dst, value) { - dst[this.field] = { v: value }; -} - -function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } -} - -function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } -} - -var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true -}; - -function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } -} - -function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } -} - -function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); -} - -var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, -]; - -function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - tzOffset = 
evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{hfld2}.%{hfld3->} %{p0}"); - -var dup2 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld4"), - constant("_appliance "), - field("p0"), - ], -}); - -var dup3 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld4"), - constant(" "), - field("p0"), - ], -}); - -var dup4 = match_copy("MESSAGE#0:flows/2_1", "nwparser.p0", "p0"); - -var dup5 = setc("eventcategory","1605020000"); - -var dup6 = setf("msg","$MSG"); - -var dup7 = setc("event_source","appliance"); - -var dup8 = setf("sensor","node"); - -var dup9 = date_time({ - dest: "event_time", - args: ["hfld2"], - fmts: [ - [dX], - ], -}); - -var dup10 = match_copy("MESSAGE#1:flows:01/1_2", "nwparser.p0", ""); - -var dup11 = match("MESSAGE#10:ids-alerts:01/1_0", "nwparser.p0", "dhost=%{dmacaddr->} direction=%{p0}"); - -var dup12 = match("MESSAGE#10:ids-alerts:01/1_1", "nwparser.p0", "shost=%{smacaddr->} direction=%{p0}"); - -var dup13 = match("MESSAGE#10:ids-alerts:01/2", "nwparser.p0", "%{direction->} protocol=%{protocol->} src=%{p0}"); - -var dup14 = match_copy("MESSAGE#10:ids-alerts:01/4", "nwparser.p0", "signame"); - -var dup15 = setc("eventcategory","1607000000"); - -var dup16 = setc("event_type","ids-alerts"); - -var dup17 = date_time({ - dest: "event_time", - args: ["fld3"], - fmts: [ - [dX], - ], -}); - -var dup18 = setc("event_type","security_event"); - -var dup19 = constant("Allow"); - -var dup20 = match("HEADER#0:0003/1_0", "nwparser.p0", "%{hfld4}_appliance %{p0}", processor_chain([ - dup2, -])); - -var dup21 = match("HEADER#0:0003/1_1", "nwparser.p0", "%{hfld4->} %{p0}", processor_chain([ - dup3, -])); - -var dup22 = linear_select([ - dup11, - dup12, -]); - -var dup23 = linear_select([ - dup20, - dup21, -]); - -var part1 = match("HEADER#0:0003/2", "nwparser.p0", "urls %{p0}"); - -var all1 = all_match({ - processors: [ - dup1, - dup23, - part1, - ], - on_success: 
processor_chain([ - setc("header_id","0003"), - setc("messageid","urls"), - ]), -}); - -var part2 = match("HEADER#1:0002/1_0", "nwparser.p0", "%{node}_appliance events %{p0}"); - -var part3 = match("HEADER#1:0002/1_1", "nwparser.p0", "%{node->} events %{p0}"); - -var select1 = linear_select([ - part2, - part3, -]); - -var part4 = match_copy("HEADER#1:0002/2", "nwparser.p0", "payload"); - -var all2 = all_match({ - processors: [ - dup1, - select1, - part4, - ], - on_success: processor_chain([ - setc("header_id","0002"), - setc("messageid","events"), - ]), -}); - -var part5 = match("HEADER#2:0001/2", "nwparser.p0", "%{messageid->} %{p0}"); - -var all3 = all_match({ - processors: [ - dup1, - dup23, - part5, - ], - on_success: processor_chain([ - setc("header_id","0001"), - ]), -}); - -var part6 = match("HEADER#3:0005/1_0", "nwparser.p0", "%{hfld4}_appliance %{p0}"); - -var part7 = match("HEADER#3:0005/1_1", "nwparser.p0", "%{hfld4->} %{p0}"); - -var select2 = linear_select([ - part6, - part7, -]); - -var part8 = match("HEADER#3:0005/2", "nwparser.p0", "%{} %{hfld5->} %{hfld6->} %{messageid->} %{p0}", processor_chain([ - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld6"), - constant(" "), - field("messageid"), - constant(" "), - field("p0"), - ], - }), -])); - -var all4 = all_match({ - processors: [ - dup1, - select2, - part8, - ], - on_success: processor_chain([ - setc("header_id","0005"), - ]), -}); - -var hdr1 = match("HEADER#4:0004", "message", "%{hfld1->} %{hfld2}.%{hfld3->} %{hfld4}_%{space->} %{messageid->} %{payload}", processor_chain([ - setc("header_id","0004"), -])); - -var select3 = linear_select([ - all1, - all2, - all3, - all4, - hdr1, -]); - -var part9 = match("MESSAGE#0:flows/0_0", "nwparser.payload", "%{node}_appliance %{p0}"); - -var part10 = match("MESSAGE#0:flows/0_1", "nwparser.payload", "%{node->} %{p0}"); - -var select4 = linear_select([ - part9, - part10, -]); - -var part11 = match("MESSAGE#0:flows/1", "nwparser.p0", 
"flows src=%{saddr->} dst=%{daddr->} %{p0}"); - -var part12 = match("MESSAGE#0:flows/2_0", "nwparser.p0", "mac=%{dmacaddr->} %{p0}"); - -var select5 = linear_select([ - part12, - dup4, -]); - -var part13 = match("MESSAGE#0:flows/3", "nwparser.p0", "protocol=%{protocol->} %{p0}"); - -var part14 = match("MESSAGE#0:flows/4_0", "nwparser.p0", "sport=%{sport->} dport=%{dport->} %{p0}"); - -var part15 = match("MESSAGE#0:flows/4_1", "nwparser.p0", "type=%{event_type->} %{p0}"); - -var select6 = linear_select([ - part14, - part15, - dup4, -]); - -var part16 = match("MESSAGE#0:flows/5", "nwparser.p0", "pattern: %{fld21->} %{info}"); - -var all5 = all_match({ - processors: [ - select4, - part11, - select5, - part13, - select6, - part16, - ], - on_success: processor_chain([ - dup5, - dup6, - lookup({ - dest: "nwparser.action", - map: map_actionType, - key: field("fld21"), - }), - dup7, - dup8, - dup9, - ]), -}); - -var msg1 = msg("flows", all5); - -var part17 = match("MESSAGE#1:flows:01/0", "nwparser.payload", "%{node->} flows %{action->} src=%{saddr->} dst=%{daddr->} mac=%{smacaddr->} protocol=%{protocol->} %{p0}"); - -var part18 = match("MESSAGE#1:flows:01/1_0", "nwparser.p0", "sport=%{sport->} dport=%{dport->} "); - -var part19 = match("MESSAGE#1:flows:01/1_1", "nwparser.p0", "type=%{event_type->} "); - -var select7 = linear_select([ - part18, - part19, - dup10, -]); - -var all6 = all_match({ - processors: [ - part17, - select7, - ], - on_success: processor_chain([ - dup5, - dup6, - dup7, - dup8, - dup9, - ]), -}); - -var msg2 = msg("flows:01", all6); - -var part20 = match("MESSAGE#2:flows:02", "nwparser.payload", "%{node->} flows %{action}", processor_chain([ - dup5, - dup6, - dup7, - dup8, - dup9, -])); - -var msg3 = msg("flows:02", part20); - -var select8 = linear_select([ - msg1, - msg2, - msg3, -]); - -var part21 = match("MESSAGE#3:urls/0_0", "nwparser.payload", "%{node}_appliance urls src=%{p0}"); - -var part22 = match("MESSAGE#3:urls/0_1", "nwparser.payload", 
"%{node->} urls src=%{p0}"); - -var part23 = match("MESSAGE#3:urls/0_2", "nwparser.payload", "src=%{p0}"); - -var select9 = linear_select([ - part21, - part22, - part23, -]); - -var part24 = match("MESSAGE#3:urls/1", "nwparser.p0", "%{sport}:%{saddr->} dst=%{daddr}:%{dport->} mac=%{macaddr->} %{p0}"); - -var part25 = match("MESSAGE#3:urls/2_0", "nwparser.p0", "agent='%{user_agent}' request: %{p0}"); - -var part26 = match("MESSAGE#3:urls/2_1", "nwparser.p0", "agent=%{user_agent->} request: %{p0}"); - -var part27 = match("MESSAGE#3:urls/2_2", "nwparser.p0", "request: %{p0}"); - -var select10 = linear_select([ - part25, - part26, - part27, -]); - -var part28 = match("MESSAGE#3:urls/3", "nwparser.p0", "%{} %{web_method}%{url}"); - -var all7 = all_match({ - processors: [ - select9, - part24, - select10, - part28, - ], - on_success: processor_chain([ - dup5, - dup6, - dup7, - dup8, - dup9, - ]), -}); - -var msg4 = msg("urls", all7); - -var part29 = match("MESSAGE#4:events/0", "nwparser.payload", "dhcp lease of ip %{saddr->} from server mac %{smacaddr->} for client mac %{p0}"); - -var part30 = match("MESSAGE#4:events/1_0", "nwparser.p0", "%{dmacaddr->} with hostname %{hostname->} from router %{p0}"); - -var part31 = match("MESSAGE#4:events/1_1", "nwparser.p0", "%{dmacaddr->} from router %{p0}"); - -var select11 = linear_select([ - part30, - part31, -]); - -var part32 = match("MESSAGE#4:events/2", "nwparser.p0", "%{hostip->} on subnet %{mask->} with dns %{dns_a_record}"); - -var all8 = all_match({ - processors: [ - part29, - select11, - part32, - ], - on_success: processor_chain([ - dup5, - dup6, - dup7, - dup8, - dup9, - ]), -}); - -var msg5 = msg("events", all8); - -var part33 = match("MESSAGE#5:events:02/0", "nwparser.payload", "content_filtering_block url='%{url}' category0='%{category}' server='%{daddr}:%{dport}'%{p0}"); - -var part34 = match("MESSAGE#5:events:02/1_0", "nwparser.p0", " client_mac='%{dmacaddr}'"); - -var select12 = linear_select([ - part34, - dup10, 
-]); - -var all9 = all_match({ - processors: [ - part33, - select12, - ], - on_success: processor_chain([ - dup5, - dup6, - setc("event_description","content_filtering_block"), - dup8, - dup9, - ]), -}); - -var msg6 = msg("events:02", all9); - -var part35 = tagval("MESSAGE#6:events:01", "nwparser.payload", tvm, { - "aid": "fld1", - "arp_resp": "fld2", - "arp_src": "fld3", - "auth_neg_dur": "fld4", - "auth_neg_failed": "fld5", - "category0": "category", - "channel": "fld6", - "client_ip": "daddr", - "client_mac": "dmacaddr", - "connectivity": "fld28", - "dhcp_ip": "fld23", - "dhcp_lease_completed": "fld22", - "dhcp_resp": "fld26", - "dhcp_server": "fld24", - "dhcp_server_mac": "fld25", - "dns_req_rtt": "fld7", - "dns_resp": "fld8", - "dns_server": "fld9", - "duration": "duration", - "full_conn": "fld11", - "http_resp": "fld21", - "identity": "fld12", - "instigator": "fld20", - "ip_resp": "fld13", - "ip_src": "saddr", - "is_8021x": "fld15", - "is_wpa": "fld16", - "last_auth_ago": "fld17", - "radio": "fld18", - "reason": "fld19", - "rssi": "dclass_ratio1", - "server": "daddr", - "type": "event_type", - "url": "url", - "vap": "fld22", - "vpn_type": "fld27", -}, processor_chain([ - dup5, - dup6, - dup7, - dup8, - dup9, -])); - -var msg7 = msg("events:01", part35); - -var part36 = match("MESSAGE#7:events:03", "nwparser.payload", "IDS: %{info}", processor_chain([ - dup5, - dup6, - setc("event_description","events IDS"), - dup8, - dup9, -])); - -var msg8 = msg("events:03", part36); - -var part37 = match("MESSAGE#8:events:04/0", "nwparser.payload", "dhcp %{p0}"); - -var part38 = match("MESSAGE#8:events:04/1_0", "nwparser.p0", "no offers%{p0}"); - -var part39 = match("MESSAGE#8:events:04/1_1", "nwparser.p0", "release%{p0}"); - -var select13 = linear_select([ - part38, - part39, -]); - -var part40 = match("MESSAGE#8:events:04/2", "nwparser.p0", "%{}for mac %{macaddr}"); - -var all10 = all_match({ - processors: [ - part37, - select13, - part40, - ], - on_success: 
processor_chain([ - dup5, - dup6, - setc("event_description","events DHCP"), - dup8, - dup9, - ]), -}); - -var msg9 = msg("events:04", all10); - -var part41 = match("MESSAGE#9:events:05", "nwparser.payload", "MAC %{macaddr->} and MAC %{macaddr->} both claim IP: %{saddr}", processor_chain([ - dup5, - dup6, - setc("event_description"," events MAC"), - dup8, - dup9, -])); - -var msg10 = msg("events:05", part41); - -var select14 = linear_select([ - msg5, - msg6, - msg7, - msg8, - msg9, - msg10, -]); - -var part42 = match("MESSAGE#10:ids-alerts:01/0", "nwparser.payload", "%{node->} ids-alerts signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4->} %{p0}"); - -var part43 = match("MESSAGE#10:ids-alerts:01/3_0", "nwparser.p0", "%{saddr}:%{sport->} dst=%{daddr}:%{dport->} message: %{p0}"); - -var part44 = match("MESSAGE#10:ids-alerts:01/3_1", "nwparser.p0", "%{saddr->} dst=%{daddr->} message: %{p0}"); - -var select15 = linear_select([ - part43, - part44, -]); - -var all11 = all_match({ - processors: [ - part42, - dup22, - dup13, - select15, - dup14, - ], - on_success: processor_chain([ - dup15, - dup6, - dup16, - dup8, - dup17, - ]), -}); - -var msg11 = msg("ids-alerts:01", all11); - -var part45 = match("MESSAGE#11:ids-alerts:03", "nwparser.payload", "%{node->} ids-alerts signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4}direction=%{direction->} protocol=%{protocol->} src=%{saddr}:%{sport}", processor_chain([ - dup15, - dup6, - dup16, - dup8, - dup17, -])); - -var msg12 = msg("ids-alerts:03", part45); - -var part46 = match("MESSAGE#12:ids-alerts:02", "nwparser.payload", "%{node->} ids-alerts signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4}protocol=%{protocol->} src=%{saddr->} dst=%{daddr}message: %{signame}", processor_chain([ - dup15, - dup6, - dup16, - dup8, - dup17, -])); - -var msg13 = msg("ids-alerts:02", part46); - -var select16 = linear_select([ - msg11, - msg12, - msg13, -]); - -var part47 = match("MESSAGE#13:security_event", 
"nwparser.payload", "%{node}security_event %{event_description->} url=%{url->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} mac=%{smacaddr->} name=%{fld10->} sha256=%{fld11->} disposition=%{disposition->} action=%{action}", processor_chain([ - dup5, - dup6, - dup18, - dup8, - dup9, -])); - -var msg14 = msg("security_event", part47); - -var part48 = match("MESSAGE#14:security_event:01/0", "nwparser.payload", "%{node->} security_event %{event_description->} signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4->} %{p0}"); - -var part49 = match("MESSAGE#14:security_event:01/3_0", "nwparser.p0", "%{saddr}:%{sport->} dst=%{daddr}:%{dport->} message:%{p0}"); - -var part50 = match("MESSAGE#14:security_event:01/3_1", "nwparser.p0", "%{saddr->} dst=%{daddr->} message:%{p0}"); - -var select17 = linear_select([ - part49, - part50, -]); - -var all12 = all_match({ - processors: [ - part48, - dup22, - dup13, - select17, - dup14, - ], - on_success: processor_chain([ - dup15, - dup6, - dup18, - dup8, - dup17, - ]), -}); - -var msg15 = msg("security_event:01", all12); - -var select18 = linear_select([ - msg14, - msg15, -]); - -var chain1 = processor_chain([ - select3, - msgid_select({ - "events": select14, - "flows": select8, - "ids-alerts": select16, - "security_event": select18, - "urls": msg4, - }), -]); - -var hdr2 = match("HEADER#0:0003/0", "message", "%{hfld1->} %{hfld2}.%{hfld3->} %{p0}"); - -var part51 = match_copy("MESSAGE#0:flows/2_1", "nwparser.p0", "p0"); - -var part52 = match_copy("MESSAGE#1:flows:01/1_2", "nwparser.p0", ""); - -var part53 = match("MESSAGE#10:ids-alerts:01/1_0", "nwparser.p0", "dhost=%{dmacaddr->} direction=%{p0}"); - -var part54 = match("MESSAGE#10:ids-alerts:01/1_1", "nwparser.p0", "shost=%{smacaddr->} direction=%{p0}"); - -var part55 = match("MESSAGE#10:ids-alerts:01/2", "nwparser.p0", "%{direction->} protocol=%{protocol->} src=%{p0}"); - -var part56 = match_copy("MESSAGE#10:ids-alerts:01/4", "nwparser.p0", "signame"); - -var part57 = 
match("HEADER#0:0003/1_0", "nwparser.p0", "%{hfld4}_appliance %{p0}", processor_chain([ - dup2, -])); - -var part58 = match("HEADER#0:0003/1_1", "nwparser.p0", "%{hfld4->} %{p0}", processor_chain([ - dup3, -])); - -var select19 = linear_select([ - dup11, - dup12, -]); - -var select20 = linear_select([ - dup20, - dup21, -]); diff --git a/x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml deleted file mode 100644 index b80d31afad4..00000000000 --- a/x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml +++ /dev/null 
@@ -1,83 +0,0 @@ ---- -description: Pipeline for Cisco Meraki - -processors: - # ECS event.ingested - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - # User agent - - user_agent: - field: user_agent.original - ignore_missing: true - # URL - - set: - field: _temp_.url_domain - value: "{{url.domain}}" - ignore_failure: true - if: ctx?.url?.domain != null - - uri_parts: - field: url.original - ignore_failure: true - if: ctx?.url?.original != null - - append: - field: url.domain - value: "{{_temp_.url_domain}}" - ignore_failure: true - allow_duplicates: false - if: ctx?._temp_?.url_domain != null - - remove: - field: _temp_ - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.hosts - value: '{{host.name}}' - allow_duplicates: false - if: ctx.host?.name != null && ctx.host?.name != '' -on_failure: - - append: - field: error.message - value: "{{ _ingest.on_failure_message }}" 
diff --git a/x-pack/filebeat/module/cisco/meraki/manifest.yml b/x-pack/filebeat/module/cisco/meraki/manifest.yml deleted file mode 100644 index 6adeb1975aa..00000000000 --- a/x-pack/filebeat/module/cisco/meraki/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -module_version: "1.0" - -var: - - name: paths - - name: tags - default: ["cisco.meraki", "forwarded"] - - name: syslog_host - default: localhost - - name: syslog_port - default: 9541 - - name: input - default: udp - - name: community_id - default: true - - name: tz_offset - default: local - - name: rsa_fields - default: true - - name: keep_raw_fields - default: false - - name: debug - default: false - -ingest_pipeline: ingest/pipeline.yml -input: config/input.yml - -requires.processors: -- name: geoip - plugin: ingest-geoip -- name: user_agent - plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/cisco/meraki/test/generated.log b/x-pack/filebeat/module/cisco/meraki/test/generated.log deleted file mode 100644 index 05501480e40..00000000000 --- a/x-pack/filebeat/module/cisco/meraki/test/generated.log +++ /dev/null 
@@ -1,100 +0,0 @@ -modtempo 1454047799.olab nto_ security_event olaborissecurity_event tur url=https://example.org/odoco/ria.jpg?ritin=uredolor#tatemac src=10.15.44.253:5078 dst=10.193.124.51:5293 mac=01:00:5e:28:ae:7d name=psa sha256=umq disposition=ntium action=deny -umdo 1455282753.itessequ vol_ events dhcp lease of ip 10.102.218.31 from server mac 01:00:5e:9c:c2:9c for client mac 01:00:5e:0f:87:e3 from router 10.15.16.212 on subnet ameaqu with dns aqu -uipexea 1456517708.tatio minim_ flows ceroinBC flows src=10.179.60.216 dst=10.69.53.104 protocol=udp pattern: 0 reprehe -mipsu 1457752662.consec taliquip_ flows radip flows block src=10.155.236.240 dst=10.112.46.169 mac=01:00:5e:7a:74:89 protocol=ipv6 type=roidents -obeataev 1458987616.lor uidexea_appliance events MAC 01:00:5e:e1:89:ac and MAC 01:00:5e:a3:d9:ac both claim IP: 10.14.107.140 -iutal 1460222571.dexe urerep events content_filtering_block url='https://api.example.org/liqu/lorem.gif?ueipsaqu=uidolore#niamqu' category0='ari' server='10.108.180.105:5098' client_mac='01:00:5e:40:9b:83' -ipit 1461457525.idexea riat_appliance events MAC 01:00:5e:25:4f:e4 and MAC 01:00:5e:3f:49:e4 both claim IP: 10.149.88.198 -ntsuntin 1462692479.aecatcup animi events dhcp release for mac 01:00:5e:e3:10:34 -orsitame 1463927433.quiratio ite events MAC 01:00:5e:48:62:22 and MAC 01:00:5e:9f:b6:a6 both claim IP: 10.243.206.225 -olupta turveli.toccae tatno_ ids-alerts taliqu ids-alerts signature=temUten priority=ccusan timestamp=1465162388.iqudirection=outbound protocol=icmp src=10.131.82.116:7307 -uaera 1466397342.sitas ehenderi_ security_event atquovosecurity_event iumto url=https://www5.example.net/sun/essecill.html?saute=vel#quu src=10.210.213.18:7616 dst=10.134.0.141:2703 mac=01:00:5e:aa:42:fa name=idolores sha256=llumquid disposition=tation action=accept -omn ipsumq.atcu oremagna_ security_event remipsum security_event liq signature=ist priority=tnon timestamp=1467632296.ionul shost=01:00:5e:c8:9c:2f direction=outbound 
protocol=udp src=10.163.72.17 dst=10.74.237.180 message:nsequu -omm 1468867250.idestla Nemoeni_appliance events MAC 01:00:5e:c4:69:7f and MAC 01:00:5e:e2:67:d2 both claim IP: 10.72.31.26 -agna tionemu.eomnisis mqui ids-alerts signature=civeli priority=errorsi timestamp=1470102205.desdirection=internal protocol=tcp src=10.70.95.74:4290 -olupt 1471337159.dit sumquiad events MAC 01:00:5e:ea:e8:7a and MAC 01:00:5e:9c:d2:4a both claim IP: 10.17.21.125 -amqu 1472572113.uines nsec events dhcp lease of ip 10.85.10.165 from server mac 01:00:5e:63:93:48 for client mac 01:00:5e:46:17:35 from router 10.53.150.119 on subnet uiineavo with dns tisetq -giatquov eritquii.dexeac iscinge ids-alerts signature=atvol priority=umiur timestamp=1473807067.imadprotocol=igmp src=10.88.231.224 dst=10.187.77.245message: iadese -agnaali 1475042022.gnam tat events content_filtering_block url='https://internal.example.com/quae/maccusa.htm?rQuisau=idex#xerci' category0='aqu' server='10.186.58.115:7238' client_mac='01:00:5e:8f:16:6d' -apariat 1476276976.tlabore untmolli_ events dhcp lease of ip 10.219.84.37 from server mac 01:00:5e:e8:bf:69 for client mac 01:00:5e:87:e1:a0 from router 10.205.47.51 on subnet uovolup with dns samvolu -ento 1477511930.pic evita events MAC 01:00:5e:ce:61:db and MAC 01:00:5e:ec:f8:cc both claim IP: 10.3.134.237 -tmo 1478746884.fficiade uscipit events aid=vitaedi arp_resp=fugitse arp_src=veniamq auth_neg_dur=one auth_neg_failed=etMalor channel=ipi dns_req_rtt=reseos dns_resp=pariatu dns_server=tin duration=48.123000 full_conn=oquisqu identity=sperna ip_resp=eabilloi ip_src=10.182.178.217 is_8021x=tlab is_wpa=volupt last_auth_ago=osqui radio=xerc reason=iutali rssi=fdeFi type=texp vap=tasuntex client_mac=01:00:5e:e3:b1:24 client_ip=10.194.114.58 instigator=ectio http_resp=dutper dhcp_lease_completed=lamcolab dhcp_ip=ati dhcp_server=tlabo dhcp_server_mac=uames dhcp_resp=iduntu url=https://internal.example.net/ris/uamqu.txt?liqui=quioffi#uptate category0=ncidid 
server=10.63.194.87 vpn_type=quisno connectivity=sin -emvel 1479981839.tmollita fde events aid=nsecte arp_resp=inculpa arp_src=abo auth_neg_dur=veniamqu auth_neg_failed=nse channel=non dns_req_rtt=paquioff dns_resp=mquisnos dns_server=maven duration=71.798000 full_conn=atcu identity=labor ip_resp=didunt ip_src=10.153.0.77 is_8021x=udan is_wpa=orema last_auth_ago=invento radio=qua reason=aturQui rssi=utlabor type=rau vap=idex client_mac=01:00:5e:9e:7b:a4 client_ip=10.105.88.20 instigator=ecte http_resp=tinvolu dhcp_lease_completed=iurer dhcp_ip=iciadese dhcp_server=quidolor dhcp_server_mac=tessec dhcp_resp=olupta url=https://mail.example.com/icabo/itatio.jpg?eleum=sintoc#volupt category0=siste server=10.163.154.210 vpn_type=ept connectivity=iumtotam -ionevo 1481216793.ugiatnu ciati_appliance events MAC 01:00:5e:b8:7a:96 and MAC 01:00:5e:b9:6b:a8 both claim IP: 10.73.69.176 -spi 1482451747.stquido ommodico_ flows ese flows allow src=10.145.248.111 dst=10.57.6.252 mac=01:00:5e:94:6a:cf protocol=udp -smo etcons.iusmodi uamest_ security_event uiac security_event epte signature=idolo priority=quinesc timestamp=1483686701.madmi shost=01:00:5e:1c:4c:64 direction=internal protocol=icmp src=10.31.77.157 dst=10.12.182.70 message:tev -nisiuta 1484921656.roid inibusB flows cancel -str 1486156610.idolore pid_ flows cteturad flows deny src=10.93.68.231 dst=10.135.217.12 mac=01:00:5e:4a:69:5b protocol=ipv6 type=archite -amnih 1487391564.ium esciuntN_ events dhcp release for mac 01:00:5e:8b:99:98 -isnost 1488626519.queips ncidi_ flows iscinge flows src=10.247.30.212 dst=10.66.89.5 mac=01:00:5e:7f:65:da protocol=igmp pattern: 1 borios -oin 1489861473.mvenia madminim events IDS: fugitsed -dmin fugi.quia iduntu security_event idestlab signature=rnatur priority=ofdeFin timestamp=1491096427.essequam dhost=01:00:5e:c1:53:b1 direction=inbound protocol=tcp src=10.221.102.245 dst=10.173.136.186 message:naal -umqu tinv.adipisc uscipitl_ ids-alerts ritatise ids-alerts signature=uamei 
priority=siut timestamp=1492331381.ciad dhost=01:00:5e:1f:c6:29 direction=external protocol=udp src=10.58.64.108 dst=10.54.37.86 message: entorev -velitess 1493566336.naali uunturm_ flows veli flows block src=10.147.76.202 dst=10.163.93.20 mac=01:00:5e:1d:85:ec protocol=ipv6 sport=1085 dport=3141 -iumdol tpersp.stla uptatema_ security_event uradi security_event tot signature=llamco priority=nea timestamp=1494801290.psum dhost=01:00:5e:35:71:1e direction=internal protocol=icmp src=10.0.200.27:5905 dst=10.183.44.198:1702 message:asiarc -tiaec 1496036244.rumwrit icabo_ events dhcp lease of ip 10.148.124.84 from server mac 01:00:5e:0b:2c:22 for client mac 01:00:5e:06:12:98 from router 10.28.144.180 on subnet ritin with dns temporin -ica 1497271198.lillum remips_appliance events aid=uisaute arp_resp=imide arp_src=poriss auth_neg_dur=tvolup auth_neg_failed=itesseq channel=dictasun dns_req_rtt=veniamqu dns_resp=rum dns_server=quaea duration=165.611000 full_conn=mvel identity=nof ip_resp=usmodi ip_src=10.204.230.166 is_8021x=dat is_wpa=aincidu last_auth_ago=nimadmin radio=isiu reason=licabo rssi=enimadmi type=utaliqu vap=dic client_mac=01:00:5e:bb:60:a6 client_ip=10.62.71.118 instigator=ineavol http_resp=iosa dhcp_lease_completed=boNemoe dhcp_ip=onsequ dhcp_server=equinesc dhcp_server_mac=cab dhcp_resp=atisund url=https://example.net/ites/isetq.gif?nisiut=tur#avolupt category0=ariatur server=10.98.194.212 vpn_type=nimave connectivity=isciv -dipisci 1498506153.spernatu admi events content_filtering_block url='https://www.example.org/ueipsa/tae.html?eriti=atcupi#corpori' category0='borisnis' server='10.197.13.39:5912' -itsedd 1499741107.leumiur eratvol events dhcp release for mac 01:00:5e:fd:84:bb -leumiu tla.item nimid ids-alerts signature=dat priority=periam timestamp=1500976061.dquprotocol=icmp src=10.242.77.170 dst=10.150.245.88message: orisn -sitam rad.loi isc_ ids-alerts volupt ids-alerts signature=rem priority=idid timestamp=1502211015.tesse shost=01:00:5e:9d:eb:fb 
direction=external protocol=tcp src=10.247.139.239 dst=10.180.195.43 message: tenatuse -tore 1503445970.elits consequa events dhcp release for mac 01:00:5e:50:48:c4 -undeom uamnihi.risnis uov_ ids-alerts isn ids-alerts signature=sBono priority=loremqu timestamp=1504680924.teturprotocol=rdp src=10.94.6.140 dst=10.147.15.213message: uptat -itasper 1505915878.uae mve_ flows obeata flows block src=10.230.6.127 dst=10.111.157.56 mac=01:00:5e:39:a7:fc protocol=icmp type=aliquamq -archite 1507150832.remq veniamq events aid=occ arp_resp=oloreseo arp_src=iruredol auth_neg_dur=veniamqu auth_neg_failed=licaboN channel=atquo dns_req_rtt=cupi dns_resp=strude dns_server=eritin duration=85.513000 full_conn=litsedq identity=nderiti ip_resp=ntNe ip_src=10.179.40.170 is_8021x=olorema is_wpa=mollita last_auth_ago=tatem radio=iae reason=quido rssi=emip type=inBC vap=mol client_mac=01:00:5e:58:2d:1c client_ip=10.153.81.206 instigator=rsita http_resp=nsequun dhcp_lease_completed=eetd dhcp_ip=illu dhcp_server=iatqu dhcp_server_mac=lorsi dhcp_resp=repreh url=https://www.example.net/irured/illumqui.txt?tionula=ritqu#ecatcupi category0=uamei server=10.193.219.34 vpn_type=onse connectivity=olorem -umwritte 1508385787.vol oremquel_appliance events MAC 01:00:5e:16:5e:b1 and MAC 01:00:5e:ee:e8:77 both claim IP: 10.255.199.16 -unte 1509620741.uamnihil llam_appliance events MAC 01:00:5e:ee:1d:77 and MAC 01:00:5e:f1:21:bd both claim IP: 10.94.88.5 -esci 1510855695.uov quaeab_ events IDS: moles -accusa 1512090649.natu liquid events IDS: enim -dquiaco nibus.vitaed ser security_event etconsec signature=elillum priority=upt timestamp=1513325604.rnat dhost=01:00:5e:01:60:e0 direction=internal protocol=ipv6 src=10.90.99.245 dst=10.124.63.4 message:pta -tetura 1514560558.imadmini moe_appliance events content_filtering_block url='https://mail.example.net/uat/lupta.html?uptassit=ncidi#tlabori' category0='laudan' server='10.249.7.146:2010' -lapar 1515795512.ritati edquia_appliance events IDS: itesse -amvolu 
mip.tion tobeatae_ security_event Utenima security_event iqua signature=luptat priority=deriti timestamp=1517030466.sintocc dhost=01:00:5e:c9:b7:22 direction=inbound protocol=icmp src=10.196.96.162 dst=10.81.234.34 message:equuntur -uide 1518265421.scivel henderi_appliance events IDS: iusmodt -tiumd 1519500375.ntmoll mexer events dhcp lease of ip 10.40.101.224 from server mac 01:00:5e:0a:df:72 for client mac 01:00:5e:7c:01:ab with hostname remips188.api.invalid from router 10.78.199.43 on subnet ehender with dns ilmole -runtmo 1520735329.ore isund_appliance events MAC 01:00:5e:17:87:3e and MAC 01:00:5e:5f:c1:3e both claim IP: 10.244.29.119 -tutlabor 1521970284.reseosq gna_ flows pteurs flows deny src=10.83.131.245 dst=10.39.172.93 mac=01:00:5e:c4:12:c7 protocol=udp type=uido -osquira 1523205238.umd sciveli_ events dhcp lease of ip 10.86.188.179 from server mac 01:00:5e:48:4b:78 for client mac 01:00:5e:7e:cd:15 from router 10.201.168.116 on subnet umiure with dns laborum -umdolors 1524440192.lumdo acom_ security_event umexercisecurity_event duntut url=https://mail.example.com/prehend/eufug.htm?eufug=est#civelits src=10.148.211.222:2053 dst=10.122.204.151:3903 mac=01:00:5e:c3:a0:dc name=ine sha256=urerepre disposition=asnulap action=deny -atnul 1525675146.umfugi stquidol_ flows luptatem flows accept -essequam ueporro.aliqu upt ids-alerts signature=orum priority=Bonoru timestamp=1526910101.madminimprotocol=ipv6-icmp src=10.97.46.16 dst=10.120.4.9message: teni -lorsitam tanimid.onpr litseddo_ ids-alerts oremqu ids-alerts signature=idex priority=radip timestamp=1528145055.uptaprotocol=ipv6-icmp src=10.171.206.139 dst=10.165.173.162message: lestia -inibusB 1529380009.nostrud cteturad events dhcp lease of ip 10.150.163.151 from server mac 01:00:5e:72:b7:79 for client mac 01:00:5e:f2:d3:12 with hostname uames4985.mail.localdomain from router 10.144.57.239 on subnet oinBCSed with dns orem -eritq rehen.ipsamvol elillum_ ids-alerts tco ids-alerts signature=tvol 
priority=oluptate timestamp=1530614963.lit shost=01:00:5e:ac:6d:d3 direction=unknown protocol=igmp src=10.52.202.158 dst=10.54.44.231 message: Ute -runtm 1531849918.eturadip olorsi_ events MAC 01:00:5e:67:1d:0f and MAC 01:00:5e:f0:a9:cd both claim IP: 10.101.183.86 -inesciu 1533084872.quid atcupid_ flows orem flows src=10.71.22.225 dst=10.4.76.100 protocol=ggp pattern: allow serrorsi -lamco 1534319826.cit siar events MAC 01:00:5e:80:cd:ca and MAC 01:00:5e:45:aa:51 both claim IP: 10.83.130.95 -hite 1535554780.ianonnum nofdeFi events aid=henderit arp_resp=remq arp_src=unt auth_neg_dur=tla auth_neg_failed=arch channel=lite dns_req_rtt=ugia dns_resp=meum dns_server=borumSec duration=91.439000 full_conn=nvolupta identity=tev ip_resp=nre ip_src=10.2.110.73 is_8021x=eturadip is_wpa=ent last_auth_ago=rumSecti radio=Utenima reason=olore rssi=orumS type=olor vap=radip client_mac=01:00:5e:59:bf:36 client_ip=10.230.98.81 instigator=aaliquaU http_resp=olu dhcp_lease_completed=iameaque dhcp_ip=identsun dhcp_server=ender dhcp_server_mac=inc dhcp_resp=tect url=https://www.example.net/doconse/eni.html?mSec=smoditem#tatisetq category0=uidolo server=10.103.49.129 vpn_type=oquisq connectivity=abori -dunt 1536789735.ames amni events aid=tatio arp_resp=amquisno arp_src=modoc auth_neg_dur=magnam auth_neg_failed=uinesc channel=cid dns_req_rtt=emi dns_resp=Bonorum dns_server=lesti duration=59.289000 full_conn=iosamni identity=idu ip_resp=sis ip_src=10.158.61.228 is_8021x=tsedquia is_wpa=its last_auth_ago=umdolor radio=isiu reason=assi rssi=eserun type=rvelill vap=lupta client_mac=01:00:5e:e6:a6:a2 client_ip=10.186.16.20 instigator=tisu http_resp=remagnam dhcp_lease_completed=nvolupt dhcp_ip=meiusm dhcp_server=nidolo dhcp_server_mac=atquovol dhcp_resp=quunt url=https://www.example.com/seq/moll.htm?sunt=dquianon#urExc category0=tDuis server=10.132.176.96 vpn_type=aria connectivity=inim -oremeumf 1538024689.lesti sintocca events dhcp lease of ip 10.105.136.146 from server mac 
01:00:5e:bb:aa:f6 for client mac 01:00:5e:69:92:4a with hostname lors2232.api.example from router 10.46.217.155 on subnet amnihil with dns orissus -nimadmin 1539259643.lumqui quiavolu flows src=10.245.199.23 dst=10.123.62.215 mac=01:00:5e:1f:7f:1d protocol=udp pattern: 0 iusmodt -rep 1540494597.remap deri flows cancel src=10.239.105.121 dst=10.70.7.23 mac=01:00:5e:8e:82:f0 protocol=ipv6 -idexeac 1541729552.nimadmin midest_appliance events aid=modt arp_resp=iduntutl arp_src=rsitam auth_neg_dur=xercit auth_neg_failed=ulpaquio channel=itqu dns_req_rtt=minimav dns_resp=smodtem dns_server=roquisqu duration=116.294000 full_conn=iquid identity=evo ip_resp=mcorpori ip_src=10.196.176.243 is_8021x=itesse is_wpa=expl last_auth_ago=essecill radio=totamre reason=rpo rssi=velites type=nonpro vap=nula client_mac=01:00:5e:99:a6:b4 client_ip=10.90.50.149 instigator=nemulla http_resp=asp dhcp_lease_completed=dexercit dhcp_ip=amn dhcp_server=itessequ dhcp_server_mac=porissu dhcp_resp=umd url=https://www.example.net/sectetur/edquian.html?turQuis=taevi#uames category0=tconsec server=10.16.230.121 vpn_type=laboree connectivity=udantiu -ttenb olor.quiav gna security_event Nem signature=tdolorem priority=eacomm timestamp=1542964506.upidata dhost=01:00:5e:6a:c8:f8 direction=unknown protocol=ipv6 src=10.246.152.72:4293 dst=10.34.62.190:1641 message:eve -quisn 1544199460.rem ulamcola events dhcp no offers for mac 01:00:5e:67:fc:cb -eruntmo 1545434414.nimve usanti_ events dhcp release for mac 01:00:5e:7d:de:f7 -uatu 1546669369.olupta consequu_ events dhcp release for mac 01:00:5e:6b:96:f2 -sitam inibusBo.illoin emUtenim ids-alerts signature=ende priority=dexea timestamp=1547904323.acoprotocol=ipv6 src=10.244.32.189 dst=10.121.9.5message: uptas -edol 1549139277.sequuntu quameius_ events content_filtering_block url='https://www.example.com/totamrem/aliqu.htm?sBonorum=moenimi#lor' category0='auto' server='10.41.124.15:333' -antium 1550374232.remaper eseosq events dhcp no offers for mac 
01:00:5e:c3:77:27 -oditau 1551609186.onsec dit events MAC 01:00:5e:19:86:21 and MAC 01:00:5e:ed:ed:79 both claim IP: 10.43.235.230 -asper dictasun.psa lorese_ ids-alerts ctobeat ids-alerts signature=onsec priority=idestl timestamp=1552844140.litani shost=01:00:5e:a0:b2:c9 direction=unknown protocol=icmp src=10.199.19.205:5823 dst=10.103.91.159:7116 message: ntut -estiaec 1554079094.pitlabo tas_appliance flows src=10.17.111.91 dst=10.65.0.157 mac=01:00:5e:49:c4:17 protocol=udp pattern: 1 nostrum -ercitati 1555314049.atem serro flows cancel -amquaera 1556549003.rsitamet leumiur events MAC 01:00:5e:fd:79:9e and MAC 01:00:5e:4d:c0:dd both claim IP: 10.20.130.88 -abill ametcon.ofdeFini tasnu_ ids-alerts tionev ids-alerts signature=uasiarch priority=velites timestamp=1557783957.uredolorprotocol=ipv6 src=10.177.64.152 dst=10.140.242.86message: temporin -lor nvolupt.dquia ora_ security_event dipi security_event ecatc signature=quovolu priority=ite timestamp=1559018911.itse shost=01:00:5e:b8:73:c8 direction=external protocol=icmp src=10.199.103.185:2449 dst=10.51.121.223:24 message:stenat -saq 1560253866.asiarch ssuscipi events MAC 01:00:5e:93:48:61 and MAC 01:00:5e:21:c2:55 both claim IP: 10.126.242.58 -tlab 1561488820.vel ionevo events dhcp release for mac 01:00:5e:8a:1a:f9 -aeab 1562723774.uradipis aerat_ flows uira flows deny src=10.121.37.244 dst=10.113.152.241 mac=01:00:5e:9c:86:62 protocol=udp type=utaliqui -nesciu 1563958728.mali roinBCSe_appliance events aid=eetdolor arp_resp=tpersp arp_src=assi auth_neg_dur=rch auth_neg_failed=psa channel=nreprehe dns_req_rtt=pidatatn dns_resp=isno dns_server=luptatev duration=39.622000 full_conn=lla identity=urau ip_resp=aeca ip_src=10.247.118.132 is_8021x=atcupi is_wpa=enima last_auth_ago=uptateve radio=fugitsed reason=lumqui rssi=ectet type=ionu vap=eratv client_mac=01:00:5e:10:8b:c3 client_ip=10.153.33.99 instigator=liq http_resp=xerc dhcp_lease_completed=atisetqu dhcp_ip=squir dhcp_server=gnaaliq dhcp_server_mac=quam 
dhcp_resp=deriti url=https://www5.example.org/eturadi/umS.txt?mSecti=henderi#taevitae category0=tevel server=10.254.96.130 vpn_type=ita connectivity=iquipexe -tot 1565193683.reme emeumfu events aid=inBCSedu arp_resp=ita arp_src=ade auth_neg_dur=nihilmol auth_neg_failed=nder channel=ano dns_req_rtt=rumexer dns_resp=eab dns_server=iaconseq duration=18.963000 full_conn=eli identity=rissusci ip_resp=ectetur ip_src=10.101.13.122 is_8021x=oconsequ is_wpa=roqui last_auth_ago=oluptate radio=ntut reason=mremaper rssi=uteirur type=ntium vap=ide client_mac=01:00:5e:95:ae:d0 client_ip=10.78.143.52 instigator=ntiumdol http_resp=conse dhcp_lease_completed=aturve dhcp_ip=edqui dhcp_server=tvolu dhcp_server_mac=psu dhcp_resp=strud url=https://internal.example.org/fdeFi/ratv.htm?sequatu=tiumtot#tate category0=udanti server=10.200.98.243 vpn_type=cteturad connectivity=umq -oinvento 1566428637.mporin orissusc_appliance events content_filtering_block url='https://www5.example.net/uov/pariat.htm?litsed=lumd#tiaec' category0='lorem' server='10.247.205.185:7676' client_mac='01:00:5e:6f:21:c8' -metMa emoen.ptate mipsumqu_ ids-alerts ccusa ids-alerts signature=billo priority=doloremi timestamp=1567663591.ectetura dhost=01:00:5e:0a:88:bb direction=inbound protocol=ipv6 src=10.195.90.73:3914 dst=10.147.165.30:7662 message: idents -veniamqu 1568898545.iconsequ ueporr_appliance events IDS: empor -atDuisa mipsa.uas iat ids-alerts signature=hite priority=adipis timestamp=1570133500.abo dhost=01:00:5e:dd:cb:5b direction=inbound protocol=udp src=10.137.166.97 dst=10.162.202.14 message: ipsaqua -deom 1571368454.tiumdo rautod_appliance events content_filtering_block url='https://www5.example.com/illoinve/etcon.htm?nevolup=erspici#itinvolu' category0='adeserun' server='10.227.135.142:6598' -orese 1572603408.umdolore umqui_appliance events MAC 01:00:5e:f1:b8:3a and MAC 01:00:5e:37:9c:af both claim IP: 10.199.29.19 -explicab 1573838362.samvolu teiru_appliance events dhcp no offers for mac 
01:00:5e:b8:06:92 -rissusci 1575073317.uaturQ iusmod_ events aid=mips arp_resp=iduntutl arp_src=mipsumd auth_neg_dur=eiusmo auth_neg_failed=quelauda channel=rcit dns_req_rtt=dolo dns_resp=ulamc dns_server=doe duration=10.574000 full_conn=remquela identity=toreve ip_resp=squirat ip_src=10.85.59.172 is_8021x=mto is_wpa=iae last_auth_ago=dent radio=Uten reason=tatiset rssi=sequat type=modoco vap=beataevi client_mac=01:00:5e:92:d8:95 client_ip=10.158.215.216 instigator=deritin http_resp=ptate dhcp_lease_completed=lloi dhcp_ip=nseq dhcp_server=equunt dhcp_server_mac=tutla dhcp_resp=usmod url=https://example.com/qui/itse.gif?orsitame=tasn#exeaco category0=upta server=10.75.122.111 vpn_type=reprehe connectivity=deFinib -orr 1576308271.pre aute events IDS: rchite diff --git a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json deleted file mode 100644 index 63c66bbeb3a..00000000000 --- a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json +++ /dev/null 
@@ -1,3357 +0,0 @@ -[ - { - "@timestamp": "2016-01-29T06:09:59.000Z", - "destination.ip": "10.193.124.51", - "destination.port": 5293, - "event.action": "deny", - "event.code": "security_event", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "modtempo 1454047799.olab nto_ security_event olaborissecurity_event tur url=https://example.org/odoco/ria.jpg?ritin=uredolor#tatemac src=10.15.44.253:5078 dst=10.193.124.51:5293 mac=01:00:5e:28:ae:7d name=psa sha256=umq disposition=ntium action=deny", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 0, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.15.44.253", - "10.193.124.51" - ], - "rsa.internal.event_desc": "olaborissecurity_event tur", - "rsa.internal.messageid": "security_event", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.disposition": "ntium", - "rsa.misc.event_type": "security_event", - "rsa.misc.node": "nto_", - "rsa.misc.sensor": "nto_", - "rsa.time.event_time": "2016-01-29T06:09:59.000Z", - "service.type": "cisco", - "source.ip": "10.15.44.253", - "source.mac": "01:00:5e:28:ae:7d", - "source.port": 5078, - "tags": [ - "cisco.meraki", - "forwarded" - ], - "url.domain": "example.org", - "url.extension": "jpg", - "url.fragment": "tatemac", - "url.original": "https://example.org/odoco/ria.jpg?ritin=uredolor#tatemac", - "url.path": "/odoco/ria.jpg", - "url.query": "ritin=uredolor", - "url.scheme": "https" - }, - { - "@timestamp": "2016-02-12T13:12:33.000Z", - "destination.mac": "01:00:5e:0f:87:e3", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "umdo 1455282753.itessequ vol_ events dhcp lease of ip 10.102.218.31 from server mac 01:00:5e:9c:c2:9c for client mac 01:00:5e:0f:87:e3 from router 10.15.16.212 on subnet ameaqu with dns aqu", - "fileset.name": "meraki", - "host.ip": "10.15.16.212", - "input.type": "log", - "log.offset": 250, - 
"observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance" - ], - "related.ip": [ - "10.102.218.31", - "10.15.16.212" - ], - "rsa.internal.messageid": "events", - "rsa.misc.event_source": "appliance", - "rsa.misc.node": "vol_", - "rsa.misc.sensor": "vol_", - "rsa.network.dns_a_record": "aqu", - "rsa.network.mask": "ameaqu", - "rsa.time.event_time": "2016-02-12T13:12:33.000Z", - "service.type": "cisco", - "source.ip": "10.102.218.31", - "source.mac": "01:00:5e:9c:c2:9c", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2016-02-26T20:15:08.000Z", - "event.action": "ceroinBC flows src=10.179.60.216 dst=10.69.53.104 protocol=udp pattern: 0 reprehe", - "event.code": "flows", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "uipexea 1456517708.tatio minim_ flows ceroinBC flows src=10.179.60.216 dst=10.69.53.104 protocol=udp pattern: 0 reprehe", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 440, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance" - ], - "rsa.internal.messageid": "flows", - "rsa.misc.action": [ - "ceroinBC flows src=10.179.60.216 dst=10.69.53.104 protocol=udp pattern: 0 reprehe" - ], - "rsa.misc.event_source": "appliance", - "rsa.misc.node": "minim_", - "rsa.misc.sensor": "minim_", - "rsa.time.event_time": "2016-02-26T20:15:08.000Z", - "service.type": "cisco", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2016-03-12T03:17:42.000Z", - "destination.ip": "10.112.46.169", - "event.action": "radip flows block", - "event.code": "flows", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "mipsu 1457752662.consec taliquip_ flows radip flows block src=10.155.236.240 dst=10.112.46.169 mac=01:00:5e:7a:74:89 protocol=ipv6 type=roidents ", - "fileset.name": "meraki", - "input.type": "log", - 
"log.offset": 560, - "network.protocol": "ipv6", - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance" - ], - "related.ip": [ - "10.112.46.169", - "10.155.236.240" - ], - "rsa.internal.messageid": "flows", - "rsa.misc.action": [ - "radip flows block" - ], - "rsa.misc.event_source": "appliance", - "rsa.misc.node": "taliquip_", - "rsa.misc.sensor": "taliquip_", - "rsa.time.event_time": "2016-03-12T03:17:42.000Z", - "service.type": "cisco", - "source.ip": "10.155.236.240", - "source.mac": "01:00:5e:7a:74:89", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2016-03-26T10:20:16.000Z", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "obeataev 1458987616.lor uidexea_appliance events MAC 01:00:5e:e1:89:ac and MAC 01:00:5e:a3:d9:ac both claim IP: 10.14.107.140", - "fileset.name": "meraki", - "host.mac": "01:00:5e:a3:d9:ac", - "input.type": "log", - "log.offset": 706, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.14.107.140" - ], - "rsa.internal.event_desc": " events MAC", - "rsa.internal.messageid": "events", - "rsa.misc.node": "uidexea", - "rsa.misc.sensor": "uidexea", - "rsa.network.eth_host": "01:00:5e:a3:d9:ac", - "rsa.time.event_time": "2016-03-26T10:20:16.000Z", - "service.type": "cisco", - "source.ip": "10.14.107.140", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2016-04-09T17:22:51.000Z", - "destination.ip": "10.108.180.105", - "destination.mac": "01:00:5e:40:9b:83", - "destination.port": 5098, - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "iutal 1460222571.dexe urerep events content_filtering_block url='https://api.example.org/liqu/lorem.gif?ueipsaqu=uidolore#niamqu' category0='ari' server='10.108.180.105:5098' client_mac='01:00:5e:40:9b:83'", - 
"fileset.name": "meraki", - "input.type": "log", - "log.offset": 832, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.108.180.105" - ], - "rsa.internal.event_desc": "content_filtering_block", - "rsa.internal.messageid": "events", - "rsa.misc.category": "ari", - "rsa.misc.node": "urerep", - "rsa.misc.sensor": "urerep", - "rsa.time.event_time": "2016-04-09T17:22:51.000Z", - "service.type": "cisco", - "tags": [ - "cisco.meraki", - "forwarded" - ], - "url.domain": "api.example.org", - "url.extension": "gif", - "url.fragment": "niamqu", - "url.original": "https://api.example.org/liqu/lorem.gif?ueipsaqu=uidolore#niamqu", - "url.path": "/liqu/lorem.gif", - "url.query": "ueipsaqu=uidolore", - "url.scheme": "https" - }, - { - "@timestamp": "2016-04-24T00:25:25.000Z", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "ipit 1461457525.idexea riat_appliance events MAC 01:00:5e:25:4f:e4 and MAC 01:00:5e:3f:49:e4 both claim IP: 10.149.88.198", - "fileset.name": "meraki", - "host.mac": "01:00:5e:3f:49:e4", - "input.type": "log", - "log.offset": 1038, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.149.88.198" - ], - "rsa.internal.event_desc": " events MAC", - "rsa.internal.messageid": "events", - "rsa.misc.node": "riat", - "rsa.misc.sensor": "riat", - "rsa.network.eth_host": "01:00:5e:3f:49:e4", - "rsa.time.event_time": "2016-04-24T00:25:25.000Z", - "service.type": "cisco", - "source.ip": "10.149.88.198", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2016-05-08T07:27:59.000Z", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "ntsuntin 1462692479.aecatcup animi events dhcp release for mac 01:00:5e:e3:10:34", - "fileset.name": "meraki", - "host.mac": "01:00:5e:e3:10:34", - "input.type": "log", - 
"log.offset": 1160, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "rsa.internal.event_desc": "events DHCP", - "rsa.internal.messageid": "events", - "rsa.misc.node": "animi", - "rsa.misc.sensor": "animi", - "rsa.network.eth_host": "01:00:5e:e3:10:34", - "rsa.time.event_time": "2016-05-08T07:27:59.000Z", - "service.type": "cisco", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2016-05-22T14:30:33.000Z", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "orsitame 1463927433.quiratio ite events MAC 01:00:5e:48:62:22 and MAC 01:00:5e:9f:b6:a6 both claim IP: 10.243.206.225", - "fileset.name": "meraki", - "host.mac": "01:00:5e:9f:b6:a6", - "input.type": "log", - "log.offset": 1241, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.243.206.225" - ], - "rsa.internal.event_desc": " events MAC", - "rsa.internal.messageid": "events", - "rsa.misc.node": "ite", - "rsa.misc.sensor": "ite", - "rsa.network.eth_host": "01:00:5e:9f:b6:a6", - "rsa.time.event_time": "2016-05-22T14:30:33.000Z", - "service.type": "cisco", - "source.ip": "10.243.206.225", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2016-06-05T21:33:08.000Z", - "event.action": "ids-alerts", - "event.code": "ids-alerts", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "olupta turveli.toccae tatno_ ids-alerts taliqu ids-alerts signature=temUten priority=ccusan timestamp=1465162388.iqudirection=outbound protocol=icmp src=10.131.82.116:7307", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 1359, - "network.direction": "outbound", - "network.protocol": "icmp", - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.131.82.116" - ], - "rsa.internal.messageid": "ids-alerts", - 
"rsa.misc.event_type": "ids-alerts", - "rsa.misc.node": "tatno_ ids-alerts taliqu", - "rsa.misc.sensor": "tatno_ ids-alerts taliqu", - "rsa.time.event_time": "2016-06-05T21:33:08.000Z", - "service.type": "cisco", - "source.ip": "10.131.82.116", - "source.port": 7307, - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2016-06-20T04:35:42.000Z", - "destination.ip": "10.134.0.141", - "destination.port": 2703, - "event.action": "accept", - "event.code": "security_event", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "uaera 1466397342.sitas ehenderi_ security_event atquovosecurity_event iumto url=https://www5.example.net/sun/essecill.html?saute=vel#quu src=10.210.213.18:7616 dst=10.134.0.141:2703 mac=01:00:5e:aa:42:fa name=idolores sha256=llumquid disposition=tation action=accept", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 1531, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.134.0.141", - "10.210.213.18" - ], - "rsa.internal.event_desc": "atquovosecurity_event iumto", - "rsa.internal.messageid": "security_event", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.disposition": "tation", - "rsa.misc.event_type": "security_event", - "rsa.misc.node": "ehenderi_", - "rsa.misc.sensor": "ehenderi_", - "rsa.time.event_time": "2016-06-20T04:35:42.000Z", - "service.type": "cisco", - "source.ip": "10.210.213.18", - "source.mac": "01:00:5e:aa:42:fa", - "source.port": 7616, - "tags": [ - "cisco.meraki", - "forwarded" - ], - "url.domain": "www5.example.net", - "url.extension": "html", - "url.fragment": "quu", - "url.original": "https://www5.example.net/sun/essecill.html?saute=vel#quu", - "url.path": "/sun/essecill.html", - "url.query": "saute=vel", - "url.scheme": "https" - }, - { - "@timestamp": "2016-07-04T11:38:16.000Z", - "destination.ip": "10.74.237.180", - "event.action": "security_event", - "event.code": "security_event", - 
"event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "omn ipsumq.atcu oremagna_ security_event remipsum security_event liq signature=ist priority=tnon timestamp=1467632296.ionul shost=01:00:5e:c8:9c:2f direction=outbound protocol=udp src=10.163.72.17 dst=10.74.237.180 message:nsequu", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 1798, - "network.direction": "outbound", - "network.protocol": "udp", - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.163.72.17", - "10.74.237.180" - ], - "rsa.internal.event_desc": "remipsum security_event liq", - "rsa.internal.messageid": "security_event", - "rsa.misc.event_type": "security_event", - "rsa.misc.node": "oremagna_", - "rsa.misc.policy_name": "nsequu", - "rsa.misc.sensor": "oremagna_", - "rsa.time.event_time": "2016-07-04T11:38:16.000Z", - "service.type": "cisco", - "source.ip": "10.163.72.17", - "source.mac": "01:00:5e:c8:9c:2f", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2016-07-18T18:40:50.000Z", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "omm 1468867250.idestla Nemoeni_appliance events MAC 01:00:5e:c4:69:7f and MAC 01:00:5e:e2:67:d2 both claim IP: 10.72.31.26", - "fileset.name": "meraki", - "host.mac": "01:00:5e:e2:67:d2", - "input.type": "log", - "log.offset": 2028, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.72.31.26" - ], - "rsa.internal.event_desc": " events MAC", - "rsa.internal.messageid": "events", - "rsa.misc.node": "Nemoeni", - "rsa.misc.sensor": "Nemoeni", - "rsa.network.eth_host": "01:00:5e:e2:67:d2", - "rsa.time.event_time": "2016-07-18T18:40:50.000Z", - "service.type": "cisco", - "source.ip": "10.72.31.26", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2016-08-02T01:43:25.000Z", - "event.action": 
"ids-alerts", - "event.code": "ids-alerts", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "agna tionemu.eomnisis mqui ids-alerts signature=civeli priority=errorsi timestamp=1470102205.desdirection=internal protocol=tcp src=10.70.95.74:4290", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 2151, - "network.direction": "internal", - "network.protocol": "tcp", - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.70.95.74" - ], - "rsa.internal.messageid": "ids-alerts", - "rsa.misc.event_type": "ids-alerts", - "rsa.misc.node": "mqui", - "rsa.misc.sensor": "mqui", - "rsa.time.event_time": "2016-08-02T01:43:25.000Z", - "service.type": "cisco", - "source.ip": "10.70.95.74", - "source.port": 4290, - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2016-08-16T08:45:59.000Z", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "olupt 1471337159.dit sumquiad events MAC 01:00:5e:ea:e8:7a and MAC 01:00:5e:9c:d2:4a both claim IP: 10.17.21.125", - "fileset.name": "meraki", - "host.mac": "01:00:5e:9c:d2:4a", - "input.type": "log", - "log.offset": 2300, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.17.21.125" - ], - "rsa.internal.event_desc": " events MAC", - "rsa.internal.messageid": "events", - "rsa.misc.node": "sumquiad", - "rsa.misc.sensor": "sumquiad", - "rsa.network.eth_host": "01:00:5e:9c:d2:4a", - "rsa.time.event_time": "2016-08-16T08:45:59.000Z", - "service.type": "cisco", - "source.ip": "10.17.21.125", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2016-08-30T15:48:33.000Z", - "destination.mac": "01:00:5e:46:17:35", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "amqu 1472572113.uines nsec events dhcp lease of ip 
10.85.10.165 from server mac 01:00:5e:63:93:48 for client mac 01:00:5e:46:17:35 from router 10.53.150.119 on subnet uiineavo with dns tisetq", - "fileset.name": "meraki", - "host.ip": "10.53.150.119", - "input.type": "log", - "log.offset": 2413, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance" - ], - "related.ip": [ - "10.53.150.119", - "10.85.10.165" - ], - "rsa.internal.messageid": "events", - "rsa.misc.event_source": "appliance", - "rsa.misc.node": "nsec", - "rsa.misc.sensor": "nsec", - "rsa.network.dns_a_record": "tisetq", - "rsa.network.mask": "uiineavo", - "rsa.time.event_time": "2016-08-30T15:48:33.000Z", - "service.type": "cisco", - "source.ip": "10.85.10.165", - "source.mac": "01:00:5e:63:93:48", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2016-09-13T22:51:07.000Z", - "destination.ip": "10.187.77.245", - "event.action": "ids-alerts", - "event.code": "ids-alerts", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "giatquov eritquii.dexeac iscinge ids-alerts signature=atvol priority=umiur timestamp=1473807067.imadprotocol=igmp src=10.88.231.224 dst=10.187.77.245message: iadese", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 2605, - "network.protocol": "igmp", - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.187.77.245", - "10.88.231.224" - ], - "rsa.internal.messageid": "ids-alerts", - "rsa.misc.event_type": "ids-alerts", - "rsa.misc.node": "iscinge", - "rsa.misc.policy_name": "iadese", - "rsa.misc.sensor": "iscinge", - "rsa.time.event_time": "2016-09-13T22:51:07.000Z", - "service.type": "cisco", - "source.ip": "10.88.231.224", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2016-09-28T05:53:42.000Z", - "destination.ip": "10.186.58.115", - "destination.mac": "01:00:5e:8f:16:6d", - "destination.port": 7238, 
- "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "agnaali 1475042022.gnam tat events content_filtering_block url='https://internal.example.com/quae/maccusa.htm?rQuisau=idex#xerci' category0='aqu' server='10.186.58.115:7238' client_mac='01:00:5e:8f:16:6d'", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 2770, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.186.58.115" - ], - "rsa.internal.event_desc": "content_filtering_block", - "rsa.internal.messageid": "events", - "rsa.misc.category": "aqu", - "rsa.misc.node": "tat", - "rsa.misc.sensor": "tat", - "rsa.time.event_time": "2016-09-28T05:53:42.000Z", - "service.type": "cisco", - "tags": [ - "cisco.meraki", - "forwarded" - ], - "url.domain": "internal.example.com", - "url.extension": "htm", - "url.fragment": "xerci", - "url.original": "https://internal.example.com/quae/maccusa.htm?rQuisau=idex#xerci", - "url.path": "/quae/maccusa.htm", - "url.query": "rQuisau=idex", - "url.scheme": "https" - }, - { - "@timestamp": "2016-10-12T12:56:16.000Z", - "destination.mac": "01:00:5e:87:e1:a0", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "apariat 1476276976.tlabore untmolli_ events dhcp lease of ip 10.219.84.37 from server mac 01:00:5e:e8:bf:69 for client mac 01:00:5e:87:e1:a0 from router 10.205.47.51 on subnet uovolup with dns samvolu", - "fileset.name": "meraki", - "host.ip": "10.205.47.51", - "input.type": "log", - "log.offset": 2975, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance" - ], - "related.ip": [ - "10.205.47.51", - "10.219.84.37" - ], - "rsa.internal.messageid": "events", - "rsa.misc.event_source": "appliance", - "rsa.misc.node": "untmolli_", - "rsa.misc.sensor": "untmolli_", - "rsa.network.dns_a_record": "samvolu", - 
"rsa.network.mask": "uovolup", - "rsa.time.event_time": "2016-10-12T12:56:16.000Z", - "service.type": "cisco", - "source.ip": "10.219.84.37", - "source.mac": "01:00:5e:e8:bf:69", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2016-10-26T19:58:50.000Z", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "ento 1477511930.pic evita events MAC 01:00:5e:ce:61:db and MAC 01:00:5e:ec:f8:cc both claim IP: 10.3.134.237", - "fileset.name": "meraki", - "host.mac": "01:00:5e:ec:f8:cc", - "input.type": "log", - "log.offset": 3176, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.3.134.237" - ], - "rsa.internal.event_desc": " events MAC", - "rsa.internal.messageid": "events", - "rsa.misc.node": "evita", - "rsa.misc.sensor": "evita", - "rsa.network.eth_host": "01:00:5e:ec:f8:cc", - "rsa.time.event_time": "2016-10-26T19:58:50.000Z", - "service.type": "cisco", - "source.ip": "10.3.134.237", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2016-11-10T03:01:24.000Z", - "destination.ip": "10.63.194.87", - "destination.mac": "01:00:5e:e3:b1:24", - "event.action": "texp", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "tmo 1478746884.fficiade uscipit events aid=vitaedi arp_resp=fugitse arp_src=veniamq auth_neg_dur=one auth_neg_failed=etMalor channel=ipi dns_req_rtt=reseos dns_resp=pariatu dns_server=tin duration=48.123000 full_conn=oquisqu identity=sperna ip_resp=eabilloi ip_src=10.182.178.217 is_8021x=tlab is_wpa=volupt last_auth_ago=osqui radio=xerc reason=iutali rssi=fdeFi type=texp vap=tasuntex client_mac=01:00:5e:e3:b1:24 client_ip=10.194.114.58 instigator=ectio http_resp=dutper dhcp_lease_completed=lamcolab dhcp_ip=ati dhcp_server=tlabo dhcp_server_mac=uames dhcp_resp=iduntu url=https://internal.example.net/ris/uamqu.txt?liqui=quioffi#uptate 
category0=ncidid server=10.63.194.87 vpn_type=quisno connectivity=sin", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 3285, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance" - ], - "related.ip": [ - "10.182.178.217", - "10.63.194.87" - ], - "rsa.counters.dclass_r1": "fdeFi", - "rsa.internal.messageid": "events", - "rsa.misc.category": "ncidid", - "rsa.misc.event_source": "appliance", - "rsa.misc.event_type": "texp", - "rsa.misc.node": "uscipit", - "rsa.misc.sensor": "uscipit", - "rsa.time.duration_time": 48.123, - "rsa.time.event_time": "2016-11-10T03:01:24.000Z", - "service.type": "cisco", - "source.ip": "10.182.178.217", - "tags": [ - "cisco.meraki", - "forwarded" - ], - "url.domain": "internal.example.net", - "url.extension": "txt", - "url.fragment": "uptate", - "url.original": "https://internal.example.net/ris/uamqu.txt?liqui=quioffi#uptate", - "url.path": "/ris/uamqu.txt", - "url.query": "liqui=quioffi", - "url.scheme": "https" - }, - { - "@timestamp": "2016-11-24T10:03:59.000Z", - "destination.ip": "10.163.154.210", - "destination.mac": "01:00:5e:9e:7b:a4", - "event.action": "rau", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "emvel 1479981839.tmollita fde events aid=nsecte arp_resp=inculpa arp_src=abo auth_neg_dur=veniamqu auth_neg_failed=nse channel=non dns_req_rtt=paquioff dns_resp=mquisnos dns_server=maven duration=71.798000 full_conn=atcu identity=labor ip_resp=didunt ip_src=10.153.0.77 is_8021x=udan is_wpa=orema last_auth_ago=invento radio=qua reason=aturQui rssi=utlabor type=rau vap=idex client_mac=01:00:5e:9e:7b:a4 client_ip=10.105.88.20 instigator=ecte http_resp=tinvolu dhcp_lease_completed=iurer dhcp_ip=iciadese dhcp_server=quidolor dhcp_server_mac=tessec dhcp_resp=olupta url=https://mail.example.com/icabo/itatio.jpg?eleum=sintoc#volupt category0=siste server=10.163.154.210 vpn_type=ept 
connectivity=iumtotam", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 3996, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance" - ], - "related.ip": [ - "10.153.0.77", - "10.163.154.210" - ], - "rsa.counters.dclass_r1": "utlabor", - "rsa.internal.messageid": "events", - "rsa.misc.category": "siste", - "rsa.misc.event_source": "appliance", - "rsa.misc.event_type": "rau", - "rsa.misc.node": "fde", - "rsa.misc.sensor": "fde", - "rsa.time.duration_time": 71.798, - "rsa.time.event_time": "2016-11-24T10:03:59.000Z", - "service.type": "cisco", - "source.ip": "10.153.0.77", - "tags": [ - "cisco.meraki", - "forwarded" - ], - "url.domain": "mail.example.com", - "url.extension": "jpg", - "url.fragment": "volupt", - "url.original": "https://mail.example.com/icabo/itatio.jpg?eleum=sintoc#volupt", - "url.path": "/icabo/itatio.jpg", - "url.query": "eleum=sintoc", - "url.scheme": "https" - }, - { - "@timestamp": "2016-12-08T17:06:33.000Z", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "ionevo 1481216793.ugiatnu ciati_appliance events MAC 01:00:5e:b8:7a:96 and MAC 01:00:5e:b9:6b:a8 both claim IP: 10.73.69.176", - "fileset.name": "meraki", - "host.mac": "01:00:5e:b9:6b:a8", - "input.type": "log", - "log.offset": 4701, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.73.69.176" - ], - "rsa.internal.event_desc": " events MAC", - "rsa.internal.messageid": "events", - "rsa.misc.node": "ciati", - "rsa.misc.sensor": "ciati", - "rsa.network.eth_host": "01:00:5e:b9:6b:a8", - "rsa.time.event_time": "2016-12-08T17:06:33.000Z", - "service.type": "cisco", - "source.ip": "10.73.69.176", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2016-12-23T00:09:07.000Z", - "event.action": "ese flows allow src=10.145.248.111 dst=10.57.6.252 
mac=01:00:5e:94:6a:cf protocol=udp", - "event.code": "flows", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "spi 1482451747.stquido ommodico_ flows ese flows allow src=10.145.248.111 dst=10.57.6.252 mac=01:00:5e:94:6a:cf protocol=udp ", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 4826, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance" - ], - "rsa.internal.messageid": "flows", - "rsa.misc.action": [ - "ese flows allow src=10.145.248.111 dst=10.57.6.252 mac=01:00:5e:94:6a:cf protocol=udp" - ], - "rsa.misc.event_source": "appliance", - "rsa.misc.node": "ommodico_", - "rsa.misc.sensor": "ommodico_", - "rsa.time.event_time": "2016-12-23T00:09:07.000Z", - "service.type": "cisco", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2017-01-06T07:11:41.000Z", - "destination.ip": "10.12.182.70", - "event.action": "security_event", - "event.code": "security_event", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "smo etcons.iusmodi uamest_ security_event uiac security_event epte signature=idolo priority=quinesc timestamp=1483686701.madmi shost=01:00:5e:1c:4c:64 direction=internal protocol=icmp src=10.31.77.157 dst=10.12.182.70 message:tev", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 4952, - "network.direction": "internal", - "network.protocol": "icmp", - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.12.182.70", - "10.31.77.157" - ], - "rsa.internal.event_desc": "uiac security_event epte", - "rsa.internal.messageid": "security_event", - "rsa.misc.event_type": "security_event", - "rsa.misc.node": "uamest_", - "rsa.misc.policy_name": "tev", - "rsa.misc.sensor": "uamest_", - "rsa.time.event_time": "2017-01-06T07:11:41.000Z", - "service.type": "cisco", - "source.ip": "10.31.77.157", - "source.mac": 
"01:00:5e:1c:4c:64", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2017-01-20T14:14:16.000Z", - "event.action": "cancel", - "event.code": "flows", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "nisiuta 1484921656.roid inibusB flows cancel", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 5182, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance" - ], - "rsa.internal.messageid": "flows", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.event_source": "appliance", - "rsa.misc.node": "inibusB", - "rsa.misc.sensor": "inibusB", - "rsa.time.event_time": "2017-01-20T14:14:16.000Z", - "service.type": "cisco", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2017-02-03T21:16:50.000Z", - "destination.ip": "10.135.217.12", - "event.action": "cteturad flows deny", - "event.code": "flows", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "str 1486156610.idolore pid_ flows cteturad flows deny src=10.93.68.231 dst=10.135.217.12 mac=01:00:5e:4a:69:5b protocol=ipv6 type=archite ", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 5227, - "network.protocol": "ipv6", - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance" - ], - "related.ip": [ - "10.135.217.12", - "10.93.68.231" - ], - "rsa.internal.messageid": "flows", - "rsa.misc.action": [ - "cteturad flows deny" - ], - "rsa.misc.event_source": "appliance", - "rsa.misc.node": "pid_", - "rsa.misc.sensor": "pid_", - "rsa.time.event_time": "2017-02-03T21:16:50.000Z", - "service.type": "cisco", - "source.ip": "10.93.68.231", - "source.mac": "01:00:5e:4a:69:5b", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2017-02-18T04:19:24.000Z", - "event.code": "events", - "event.dataset": "cisco.meraki", - 
"event.module": "cisco", - "event.original": "amnih 1487391564.ium esciuntN_ events dhcp release for mac 01:00:5e:8b:99:98", - "fileset.name": "meraki", - "host.mac": "01:00:5e:8b:99:98", - "input.type": "log", - "log.offset": 5366, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "rsa.internal.event_desc": "events DHCP", - "rsa.internal.messageid": "events", - "rsa.misc.node": "esciuntN_", - "rsa.misc.sensor": "esciuntN_", - "rsa.network.eth_host": "01:00:5e:8b:99:98", - "rsa.time.event_time": "2017-02-18T04:19:24.000Z", - "service.type": "cisco", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2017-03-04T11:21:59.000Z", - "destination.ip": "10.66.89.5", - "event.action": "iscinge flows", - "event.code": "flows", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "isnost 1488626519.queips ncidi_ flows iscinge flows src=10.247.30.212 dst=10.66.89.5 mac=01:00:5e:7f:65:da protocol=igmp pattern: 1 borios", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 5443, - "network.protocol": "igmp", - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance" - ], - "related.ip": [ - "10.247.30.212", - "10.66.89.5" - ], - "rsa.internal.messageid": "flows", - "rsa.misc.action": [ - "iscinge flows" - ], - "rsa.misc.event_source": "appliance", - "rsa.misc.node": "ncidi_", - "rsa.misc.sensor": "ncidi_", - "rsa.time.event_time": "2017-03-04T11:21:59.000Z", - "service.type": "cisco", - "source.ip": "10.247.30.212", - "source.mac": "01:00:5e:7f:65:da", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2017-03-18T18:24:33.000Z", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "oin 1489861473.mvenia madminim events IDS: fugitsed", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 5582, - 
"observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "rsa.db.index": "fugitsed", - "rsa.internal.event_desc": "events IDS", - "rsa.internal.messageid": "events", - "rsa.misc.node": "madminim", - "rsa.misc.sensor": "madminim", - "rsa.time.event_time": "2017-03-18T18:24:33.000Z", - "service.type": "cisco", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2017-04-02T01:27:07.000Z", - "destination.ip": "10.173.136.186", - "destination.mac": "01:00:5e:c1:53:b1", - "event.action": "security_event", - "event.code": "security_event", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "dmin fugi.quia iduntu security_event idestlab signature=rnatur priority=ofdeFin timestamp=1491096427.essequam dhost=01:00:5e:c1:53:b1 direction=inbound protocol=tcp src=10.221.102.245 dst=10.173.136.186 message:naal", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 5634, - "network.direction": "inbound", - "network.protocol": "tcp", - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.173.136.186", - "10.221.102.245" - ], - "rsa.internal.event_desc": "idestlab", - "rsa.internal.messageid": "security_event", - "rsa.misc.event_type": "security_event", - "rsa.misc.node": "iduntu", - "rsa.misc.policy_name": "naal", - "rsa.misc.sensor": "iduntu", - "rsa.time.event_time": "2017-04-02T01:27:07.000Z", - "service.type": "cisco", - "source.ip": "10.221.102.245", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2017-04-16T08:29:41.000Z", - "destination.ip": "10.54.37.86", - "destination.mac": "01:00:5e:1f:c6:29", - "event.action": "ids-alerts", - "event.code": "ids-alerts", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "umqu tinv.adipisc uscipitl_ ids-alerts ritatise ids-alerts signature=uamei priority=siut timestamp=1492331381.ciad dhost=01:00:5e:1f:c6:29 
direction=external protocol=udp src=10.58.64.108 dst=10.54.37.86 message: entorev", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 5850, - "network.direction": "external", - "network.protocol": "udp", - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.54.37.86", - "10.58.64.108" - ], - "rsa.internal.messageid": "ids-alerts", - "rsa.misc.event_type": "ids-alerts", - "rsa.misc.node": "uscipitl_ ids-alerts ritatise", - "rsa.misc.policy_name": "entorev", - "rsa.misc.sensor": "uscipitl_ ids-alerts ritatise", - "rsa.time.event_time": "2017-04-16T08:29:41.000Z", - "service.type": "cisco", - "source.ip": "10.58.64.108", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2017-04-30T15:32:16.000Z", - "destination.ip": "10.163.93.20", - "event.action": "veli flows block", - "event.code": "flows", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "velitess 1493566336.naali uunturm_ flows veli flows block src=10.147.76.202 dst=10.163.93.20 mac=01:00:5e:1d:85:ec protocol=ipv6 sport=1085 dport=3141 ", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 6071, - "network.protocol": "ipv6", - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance" - ], - "related.ip": [ - "10.147.76.202", - "10.163.93.20" - ], - "rsa.internal.messageid": "flows", - "rsa.misc.action": [ - "veli flows block" - ], - "rsa.misc.event_source": "appliance", - "rsa.misc.node": "uunturm_", - "rsa.misc.sensor": "uunturm_", - "rsa.time.event_time": "2017-04-30T15:32:16.000Z", - "service.type": "cisco", - "source.ip": "10.147.76.202", - "source.mac": "01:00:5e:1d:85:ec", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2017-05-14T22:34:50.000Z", - "destination.ip": "10.183.44.198", - "destination.mac": "01:00:5e:35:71:1e", - "destination.port": 1702, - 
"event.action": "security_event", - "event.code": "security_event", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "iumdol tpersp.stla uptatema_ security_event uradi security_event tot signature=llamco priority=nea timestamp=1494801290.psum dhost=01:00:5e:35:71:1e direction=internal protocol=icmp src=10.0.200.27:5905 dst=10.183.44.198:1702 message:asiarc", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 6223, - "network.direction": "internal", - "network.protocol": "icmp", - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.0.200.27", - "10.183.44.198" - ], - "rsa.internal.event_desc": "uradi security_event tot", - "rsa.internal.messageid": "security_event", - "rsa.misc.event_type": "security_event", - "rsa.misc.node": "uptatema_", - "rsa.misc.policy_name": "asiarc", - "rsa.misc.sensor": "uptatema_", - "rsa.time.event_time": "2017-05-14T22:34:50.000Z", - "service.type": "cisco", - "source.ip": "10.0.200.27", - "source.port": 5905, - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2017-05-29T05:37:24.000Z", - "destination.mac": "01:00:5e:06:12:98", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "tiaec 1496036244.rumwrit icabo_ events dhcp lease of ip 10.148.124.84 from server mac 01:00:5e:0b:2c:22 for client mac 01:00:5e:06:12:98 from router 10.28.144.180 on subnet ritin with dns temporin", - "fileset.name": "meraki", - "host.ip": "10.28.144.180", - "input.type": "log", - "log.offset": 6464, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance" - ], - "related.ip": [ - "10.148.124.84", - "10.28.144.180" - ], - "rsa.internal.messageid": "events", - "rsa.misc.event_source": "appliance", - "rsa.misc.node": "icabo_", - "rsa.misc.sensor": "icabo_", - "rsa.network.dns_a_record": "temporin", - 
"rsa.network.mask": "ritin", - "rsa.time.event_time": "2017-05-29T05:37:24.000Z", - "service.type": "cisco", - "source.ip": "10.148.124.84", - "source.mac": "01:00:5e:0b:2c:22", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2017-06-12T12:39:58.000Z", - "destination.ip": "10.98.194.212", - "destination.mac": "01:00:5e:bb:60:a6", - "event.action": "utaliqu", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "ica 1497271198.lillum remips_appliance events aid=uisaute arp_resp=imide arp_src=poriss auth_neg_dur=tvolup auth_neg_failed=itesseq channel=dictasun dns_req_rtt=veniamqu dns_resp=rum dns_server=quaea duration=165.611000 full_conn=mvel identity=nof ip_resp=usmodi ip_src=10.204.230.166 is_8021x=dat is_wpa=aincidu last_auth_ago=nimadmin radio=isiu reason=licabo rssi=enimadmi type=utaliqu vap=dic client_mac=01:00:5e:bb:60:a6 client_ip=10.62.71.118 instigator=ineavol http_resp=iosa dhcp_lease_completed=boNemoe dhcp_ip=onsequ dhcp_server=equinesc dhcp_server_mac=cab dhcp_resp=atisund url=https://example.net/ites/isetq.gif?nisiut=tur#avolupt category0=ariatur server=10.98.194.212 vpn_type=nimave connectivity=isciv", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 6661, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance" - ], - "related.ip": [ - "10.204.230.166", - "10.98.194.212" - ], - "rsa.counters.dclass_r1": "enimadmi", - "rsa.internal.messageid": "events", - "rsa.misc.category": "ariatur", - "rsa.misc.event_source": "appliance", - "rsa.misc.event_type": "utaliqu", - "rsa.misc.node": "remips", - "rsa.misc.sensor": "remips", - "rsa.time.duration_time": 165.611, - "rsa.time.event_time": "2017-06-12T12:39:58.000Z", - "service.type": "cisco", - "source.ip": "10.204.230.166", - "tags": [ - "cisco.meraki", - "forwarded" - ], - "url.domain": "example.net", - "url.extension": "gif", - 
"url.fragment": "avolupt", - "url.original": "https://example.net/ites/isetq.gif?nisiut=tur#avolupt", - "url.path": "/ites/isetq.gif", - "url.query": "nisiut=tur", - "url.scheme": "https" - }, - { - "@timestamp": "2017-06-26T19:42:33.000Z", - "destination.ip": "10.197.13.39", - "destination.port": 5912, - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "dipisci 1498506153.spernatu admi events content_filtering_block url='https://www.example.org/ueipsa/tae.html?eriti=atcupi#corpori' category0='borisnis' server='10.197.13.39:5912'", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 7378, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.197.13.39" - ], - "rsa.internal.event_desc": "content_filtering_block", - "rsa.internal.messageid": "events", - "rsa.misc.category": "borisnis", - "rsa.misc.node": "admi", - "rsa.misc.sensor": "admi", - "rsa.time.event_time": "2017-06-26T19:42:33.000Z", - "service.type": "cisco", - "tags": [ - "cisco.meraki", - "forwarded" - ], - "url.domain": "www.example.org", - "url.extension": "html", - "url.fragment": "corpori", - "url.original": "https://www.example.org/ueipsa/tae.html?eriti=atcupi#corpori", - "url.path": "/ueipsa/tae.html", - "url.query": "eriti=atcupi", - "url.scheme": "https" - }, - { - "@timestamp": "2017-07-11T02:45:07.000Z", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "itsedd 1499741107.leumiur eratvol events dhcp release for mac 01:00:5e:fd:84:bb", - "fileset.name": "meraki", - "host.mac": "01:00:5e:fd:84:bb", - "input.type": "log", - "log.offset": 7557, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "rsa.internal.event_desc": "events DHCP", - "rsa.internal.messageid": "events", - "rsa.misc.node": "eratvol", - "rsa.misc.sensor": "eratvol", - "rsa.network.eth_host": 
"01:00:5e:fd:84:bb", - "rsa.time.event_time": "2017-07-11T02:45:07.000Z", - "service.type": "cisco", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2017-07-25T09:47:41.000Z", - "destination.ip": "10.150.245.88", - "event.action": "ids-alerts", - "event.code": "ids-alerts", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "leumiu tla.item nimid ids-alerts signature=dat priority=periam timestamp=1500976061.dquprotocol=icmp src=10.242.77.170 dst=10.150.245.88message: orisn", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 7637, - "network.protocol": "icmp", - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.150.245.88", - "10.242.77.170" - ], - "rsa.internal.messageid": "ids-alerts", - "rsa.misc.event_type": "ids-alerts", - "rsa.misc.node": "nimid", - "rsa.misc.policy_name": "orisn", - "rsa.misc.sensor": "nimid", - "rsa.time.event_time": "2017-07-25T09:47:41.000Z", - "service.type": "cisco", - "source.ip": "10.242.77.170", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2017-08-08T16:50:15.000Z", - "destination.ip": "10.180.195.43", - "event.action": "ids-alerts", - "event.code": "ids-alerts", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "sitam rad.loi isc_ ids-alerts volupt ids-alerts signature=rem priority=idid timestamp=1502211015.tesse shost=01:00:5e:9d:eb:fb direction=external protocol=tcp src=10.247.139.239 dst=10.180.195.43 message: tenatuse", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 7788, - "network.direction": "external", - "network.protocol": "tcp", - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.180.195.43", - "10.247.139.239" - ], - "rsa.internal.messageid": "ids-alerts", - "rsa.misc.event_type": "ids-alerts", - "rsa.misc.node": "isc_ ids-alerts volupt", - 
"rsa.misc.policy_name": "tenatuse", - "rsa.misc.sensor": "isc_ ids-alerts volupt", - "rsa.time.event_time": "2017-08-08T16:50:15.000Z", - "service.type": "cisco", - "source.ip": "10.247.139.239", - "source.mac": "01:00:5e:9d:eb:fb", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2017-08-22T23:52:50.000Z", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "tore 1503445970.elits consequa events dhcp release for mac 01:00:5e:50:48:c4", - "fileset.name": "meraki", - "host.mac": "01:00:5e:50:48:c4", - "input.type": "log", - "log.offset": 8002, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "rsa.internal.event_desc": "events DHCP", - "rsa.internal.messageid": "events", - "rsa.misc.node": "consequa", - "rsa.misc.sensor": "consequa", - "rsa.network.eth_host": "01:00:5e:50:48:c4", - "rsa.time.event_time": "2017-08-22T23:52:50.000Z", - "service.type": "cisco", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2017-09-06T06:55:24.000Z", - "destination.ip": "10.147.15.213", - "event.action": "ids-alerts", - "event.code": "ids-alerts", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "undeom uamnihi.risnis uov_ ids-alerts isn ids-alerts signature=sBono priority=loremqu timestamp=1504680924.teturprotocol=rdp src=10.94.6.140 dst=10.147.15.213message: uptat", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 8079, - "network.protocol": "rdp", - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.147.15.213", - "10.94.6.140" - ], - "rsa.internal.messageid": "ids-alerts", - "rsa.misc.event_type": "ids-alerts", - "rsa.misc.node": "uov_ ids-alerts isn", - "rsa.misc.policy_name": "uptat", - "rsa.misc.sensor": "uov_ ids-alerts isn", - "rsa.time.event_time": "2017-09-06T06:55:24.000Z", - "service.type": "cisco", - 
"source.ip": "10.94.6.140", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2017-09-20T13:57:58.000Z", - "destination.ip": "10.111.157.56", - "event.action": "obeata flows block", - "event.code": "flows", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "itasper 1505915878.uae mve_ flows obeata flows block src=10.230.6.127 dst=10.111.157.56 mac=01:00:5e:39:a7:fc protocol=icmp type=aliquamq ", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 8252, - "network.protocol": "icmp", - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance" - ], - "related.ip": [ - "10.111.157.56", - "10.230.6.127" - ], - "rsa.internal.messageid": "flows", - "rsa.misc.action": [ - "obeata flows block" - ], - "rsa.misc.event_source": "appliance", - "rsa.misc.node": "mve_", - "rsa.misc.sensor": "mve_", - "rsa.time.event_time": "2017-09-20T13:57:58.000Z", - "service.type": "cisco", - "source.ip": "10.230.6.127", - "source.mac": "01:00:5e:39:a7:fc", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2017-10-04T21:00:32.000Z", - "destination.ip": "10.193.219.34", - "destination.mac": "01:00:5e:58:2d:1c", - "event.action": "inBC", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "archite 1507150832.remq veniamq events aid=occ arp_resp=oloreseo arp_src=iruredol auth_neg_dur=veniamqu auth_neg_failed=licaboN channel=atquo dns_req_rtt=cupi dns_resp=strude dns_server=eritin duration=85.513000 full_conn=litsedq identity=nderiti ip_resp=ntNe ip_src=10.179.40.170 is_8021x=olorema is_wpa=mollita last_auth_ago=tatem radio=iae reason=quido rssi=emip type=inBC vap=mol client_mac=01:00:5e:58:2d:1c client_ip=10.153.81.206 instigator=rsita http_resp=nsequun dhcp_lease_completed=eetd dhcp_ip=illu dhcp_server=iatqu dhcp_server_mac=lorsi dhcp_resp=repreh 
url=https://www.example.net/irured/illumqui.txt?tionula=ritqu#ecatcupi category0=uamei server=10.193.219.34 vpn_type=onse connectivity=olorem", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 8391, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance" - ], - "related.ip": [ - "10.179.40.170", - "10.193.219.34" - ], - "rsa.counters.dclass_r1": "emip", - "rsa.internal.messageid": "events", - "rsa.misc.category": "uamei", - "rsa.misc.event_source": "appliance", - "rsa.misc.event_type": "inBC", - "rsa.misc.node": "veniamq", - "rsa.misc.sensor": "veniamq", - "rsa.time.duration_time": 85.513, - "rsa.time.event_time": "2017-10-04T21:00:32.000Z", - "service.type": "cisco", - "source.ip": "10.179.40.170", - "tags": [ - "cisco.meraki", - "forwarded" - ], - "url.domain": "www.example.net", - "url.extension": "txt", - "url.fragment": "ecatcupi", - "url.original": "https://www.example.net/irured/illumqui.txt?tionula=ritqu#ecatcupi", - "url.path": "/irured/illumqui.txt", - "url.query": "tionula=ritqu", - "url.scheme": "https" - }, - { - "@timestamp": "2017-10-19T04:03:07.000Z", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "umwritte 1508385787.vol oremquel_appliance events MAC 01:00:5e:16:5e:b1 and MAC 01:00:5e:ee:e8:77 both claim IP: 10.255.199.16", - "fileset.name": "meraki", - "host.mac": "01:00:5e:ee:e8:77", - "input.type": "log", - "log.offset": 9101, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.255.199.16" - ], - "rsa.internal.event_desc": " events MAC", - "rsa.internal.messageid": "events", - "rsa.misc.node": "oremquel", - "rsa.misc.sensor": "oremquel", - "rsa.network.eth_host": "01:00:5e:ee:e8:77", - "rsa.time.event_time": "2017-10-19T04:03:07.000Z", - "service.type": "cisco", - "source.ip": "10.255.199.16", - "tags": [ - "cisco.meraki", - 
"forwarded" - ] - }, - { - "@timestamp": "2017-11-02T11:05:41.000Z", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "unte 1509620741.uamnihil llam_appliance events MAC 01:00:5e:ee:1d:77 and MAC 01:00:5e:f1:21:bd both claim IP: 10.94.88.5", - "fileset.name": "meraki", - "host.mac": "01:00:5e:f1:21:bd", - "input.type": "log", - "log.offset": 9228, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.94.88.5" - ], - "rsa.internal.event_desc": " events MAC", - "rsa.internal.messageid": "events", - "rsa.misc.node": "llam", - "rsa.misc.sensor": "llam", - "rsa.network.eth_host": "01:00:5e:f1:21:bd", - "rsa.time.event_time": "2017-11-02T11:05:41.000Z", - "service.type": "cisco", - "source.ip": "10.94.88.5", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2017-11-16T18:08:15.000Z", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "esci 1510855695.uov quaeab_ events IDS: moles", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 9349, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "rsa.db.index": "moles", - "rsa.internal.event_desc": "events IDS", - "rsa.internal.messageid": "events", - "rsa.misc.node": "quaeab_", - "rsa.misc.sensor": "quaeab_", - "rsa.time.event_time": "2017-11-16T18:08:15.000Z", - "service.type": "cisco", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2017-12-01T01:10:49.000Z", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "accusa 1512090649.natu liquid events IDS: enim", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 9395, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "rsa.db.index": "enim", - "rsa.internal.event_desc": "events 
IDS", - "rsa.internal.messageid": "events", - "rsa.misc.node": "liquid", - "rsa.misc.sensor": "liquid", - "rsa.time.event_time": "2017-12-01T01:10:49.000Z", - "service.type": "cisco", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2017-12-15T08:13:24.000Z", - "destination.ip": "10.124.63.4", - "destination.mac": "01:00:5e:01:60:e0", - "event.action": "security_event", - "event.code": "security_event", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "dquiaco nibus.vitaed ser security_event etconsec signature=elillum priority=upt timestamp=1513325604.rnat dhost=01:00:5e:01:60:e0 direction=internal protocol=ipv6 src=10.90.99.245 dst=10.124.63.4 message:pta", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 9442, - "network.direction": "internal", - "network.protocol": "ipv6", - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.124.63.4", - "10.90.99.245" - ], - "rsa.internal.event_desc": "etconsec", - "rsa.internal.messageid": "security_event", - "rsa.misc.event_type": "security_event", - "rsa.misc.node": "ser", - "rsa.misc.policy_name": "pta", - "rsa.misc.sensor": "ser", - "rsa.time.event_time": "2017-12-15T08:13:24.000Z", - "service.type": "cisco", - "source.ip": "10.90.99.245", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2017-12-29T15:15:58.000Z", - "destination.ip": "10.249.7.146", - "destination.port": 2010, - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "tetura 1514560558.imadmini moe_appliance events content_filtering_block url='https://mail.example.net/uat/lupta.html?uptassit=ncidi#tlabori' category0='laudan' server='10.249.7.146:2010'", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 9650, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - 
"10.249.7.146" - ], - "rsa.internal.event_desc": "content_filtering_block", - "rsa.internal.messageid": "events", - "rsa.misc.category": "laudan", - "rsa.misc.node": "moe", - "rsa.misc.sensor": "moe", - "rsa.time.event_time": "2017-12-29T15:15:58.000Z", - "service.type": "cisco", - "tags": [ - "cisco.meraki", - "forwarded" - ], - "url.domain": "mail.example.net", - "url.extension": "html", - "url.fragment": "tlabori", - "url.original": "https://mail.example.net/uat/lupta.html?uptassit=ncidi#tlabori", - "url.path": "/uat/lupta.html", - "url.query": "uptassit=ncidi", - "url.scheme": "https" - }, - { - "@timestamp": "2018-01-12T22:18:32.000Z", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "lapar 1515795512.ritati edquia_appliance events IDS: itesse", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 9837, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "rsa.db.index": "itesse", - "rsa.internal.event_desc": "events IDS", - "rsa.internal.messageid": "events", - "rsa.misc.node": "edquia", - "rsa.misc.sensor": "edquia", - "rsa.time.event_time": "2018-01-12T22:18:32.000Z", - "service.type": "cisco", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2018-01-27T05:21:06.000Z", - "destination.ip": "10.81.234.34", - "destination.mac": "01:00:5e:c9:b7:22", - "event.action": "security_event", - "event.code": "security_event", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "amvolu mip.tion tobeatae_ security_event Utenima security_event iqua signature=luptat priority=deriti timestamp=1517030466.sintocc dhost=01:00:5e:c9:b7:22 direction=inbound protocol=icmp src=10.196.96.162 dst=10.81.234.34 message:equuntur", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 9897, - "network.direction": "inbound", - "network.protocol": "icmp", - "observer.product": "Meraki", - "observer.type": 
"Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.196.96.162", - "10.81.234.34" - ], - "rsa.internal.event_desc": "Utenima security_event iqua", - "rsa.internal.messageid": "security_event", - "rsa.misc.event_type": "security_event", - "rsa.misc.node": "tobeatae_", - "rsa.misc.policy_name": "equuntur", - "rsa.misc.sensor": "tobeatae_", - "rsa.time.event_time": "2018-01-27T05:21:06.000Z", - "service.type": "cisco", - "source.ip": "10.196.96.162", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2018-02-10T12:23:41.000Z", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "uide 1518265421.scivel henderi_appliance events IDS: iusmodt", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 10136, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "rsa.db.index": "iusmodt", - "rsa.internal.event_desc": "events IDS", - "rsa.internal.messageid": "events", - "rsa.misc.node": "henderi", - "rsa.misc.sensor": "henderi", - "rsa.time.event_time": "2018-02-10T12:23:41.000Z", - "service.type": "cisco", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2018-02-24T19:26:15.000Z", - "destination.mac": "01:00:5e:7c:01:ab", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "tiumd 1519500375.ntmoll mexer events dhcp lease of ip 10.40.101.224 from server mac 01:00:5e:0a:df:72 for client mac 01:00:5e:7c:01:ab with hostname remips188.api.invalid from router 10.78.199.43 on subnet ehender with dns ilmole", - "fileset.name": "meraki", - "host.ip": "10.78.199.43", - "host.name": "remips188.api.invalid", - "input.type": "log", - "log.offset": 10197, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance", - "remips188.api.invalid" - ], - "related.ip": [ - "10.40.101.224", - "10.78.199.43" 
- ], - "rsa.internal.messageid": "events", - "rsa.misc.event_source": "appliance", - "rsa.misc.node": "mexer", - "rsa.misc.sensor": "mexer", - "rsa.network.alias_host": [ - "remips188.api.invalid" - ], - "rsa.network.dns_a_record": "ilmole", - "rsa.network.mask": "ehender", - "rsa.time.event_time": "2018-02-24T19:26:15.000Z", - "service.type": "cisco", - "source.ip": "10.40.101.224", - "source.mac": "01:00:5e:0a:df:72", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2018-03-11T02:28:49.000Z", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "runtmo 1520735329.ore isund_appliance events MAC 01:00:5e:17:87:3e and MAC 01:00:5e:5f:c1:3e both claim IP: 10.244.29.119", - "fileset.name": "meraki", - "host.mac": "01:00:5e:5f:c1:3e", - "input.type": "log", - "log.offset": 10427, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.244.29.119" - ], - "rsa.internal.event_desc": " events MAC", - "rsa.internal.messageid": "events", - "rsa.misc.node": "isund", - "rsa.misc.sensor": "isund", - "rsa.network.eth_host": "01:00:5e:5f:c1:3e", - "rsa.time.event_time": "2018-03-11T02:28:49.000Z", - "service.type": "cisco", - "source.ip": "10.244.29.119", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2018-03-25T09:31:24.000Z", - "destination.ip": "10.39.172.93", - "event.action": "pteurs flows deny", - "event.code": "flows", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "tutlabor 1521970284.reseosq gna_ flows pteurs flows deny src=10.83.131.245 dst=10.39.172.93 mac=01:00:5e:c4:12:c7 protocol=udp type=uido ", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 10549, - "network.protocol": "udp", - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance" - ], - "related.ip": [ - "10.39.172.93", - 
"10.83.131.245" - ], - "rsa.internal.messageid": "flows", - "rsa.misc.action": [ - "pteurs flows deny" - ], - "rsa.misc.event_source": "appliance", - "rsa.misc.node": "gna_", - "rsa.misc.sensor": "gna_", - "rsa.time.event_time": "2018-03-25T09:31:24.000Z", - "service.type": "cisco", - "source.ip": "10.83.131.245", - "source.mac": "01:00:5e:c4:12:c7", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2018-04-08T16:33:58.000Z", - "destination.mac": "01:00:5e:7e:cd:15", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "osquira 1523205238.umd sciveli_ events dhcp lease of ip 10.86.188.179 from server mac 01:00:5e:48:4b:78 for client mac 01:00:5e:7e:cd:15 from router 10.201.168.116 on subnet umiure with dns laborum", - "fileset.name": "meraki", - "host.ip": "10.201.168.116", - "input.type": "log", - "log.offset": 10687, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance" - ], - "related.ip": [ - "10.201.168.116", - "10.86.188.179" - ], - "rsa.internal.messageid": "events", - "rsa.misc.event_source": "appliance", - "rsa.misc.node": "sciveli_", - "rsa.misc.sensor": "sciveli_", - "rsa.network.dns_a_record": "laborum", - "rsa.network.mask": "umiure", - "rsa.time.event_time": "2018-04-08T16:33:58.000Z", - "service.type": "cisco", - "source.ip": "10.86.188.179", - "source.mac": "01:00:5e:48:4b:78", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2018-04-22T23:36:32.000Z", - "destination.ip": "10.122.204.151", - "destination.port": 3903, - "event.action": "deny", - "event.code": "security_event", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "umdolors 1524440192.lumdo acom_ security_event umexercisecurity_event duntut url=https://mail.example.com/prehend/eufug.htm?eufug=est#civelits src=10.148.211.222:2053 dst=10.122.204.151:3903 mac=01:00:5e:c3:a0:dc name=ine 
sha256=urerepre disposition=asnulap action=deny", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 10885, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.122.204.151", - "10.148.211.222" - ], - "rsa.internal.event_desc": "umexercisecurity_event duntut", - "rsa.internal.messageid": "security_event", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.disposition": "asnulap", - "rsa.misc.event_type": "security_event", - "rsa.misc.node": "acom_", - "rsa.misc.sensor": "acom_", - "rsa.time.event_time": "2018-04-22T23:36:32.000Z", - "service.type": "cisco", - "source.ip": "10.148.211.222", - "source.mac": "01:00:5e:c3:a0:dc", - "source.port": 2053, - "tags": [ - "cisco.meraki", - "forwarded" - ], - "url.domain": "mail.example.com", - "url.extension": "htm", - "url.fragment": "civelits", - "url.original": "https://mail.example.com/prehend/eufug.htm?eufug=est#civelits", - "url.path": "/prehend/eufug.htm", - "url.query": "eufug=est", - "url.scheme": "https" - }, - { - "@timestamp": "2018-05-07T06:39:06.000Z", - "event.action": "luptatem flows accept", - "event.code": "flows", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "atnul 1525675146.umfugi stquidol_ flows luptatem flows accept", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 11155, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance" - ], - "rsa.internal.messageid": "flows", - "rsa.misc.action": [ - "luptatem flows accept" - ], - "rsa.misc.event_source": "appliance", - "rsa.misc.node": "stquidol_", - "rsa.misc.sensor": "stquidol_", - "rsa.time.event_time": "2018-05-07T06:39:06.000Z", - "service.type": "cisco", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2018-05-21T13:41:41.000Z", - "destination.ip": "10.120.4.9", - "event.action": "ids-alerts", - "event.code": "ids-alerts", - 
"event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "essequam ueporro.aliqu upt ids-alerts signature=orum priority=Bonoru timestamp=1526910101.madminimprotocol=ipv6-icmp src=10.97.46.16 dst=10.120.4.9message: teni", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 11217, - "network.protocol": "ipv6-icmp", - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.120.4.9", - "10.97.46.16" - ], - "rsa.internal.messageid": "ids-alerts", - "rsa.misc.event_type": "ids-alerts", - "rsa.misc.node": "upt", - "rsa.misc.policy_name": "teni", - "rsa.misc.sensor": "upt", - "rsa.time.event_time": "2018-05-21T13:41:41.000Z", - "service.type": "cisco", - "source.ip": "10.97.46.16", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2018-06-04T20:44:15.000Z", - "destination.ip": "10.165.173.162", - "event.action": "ids-alerts", - "event.code": "ids-alerts", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "lorsitam tanimid.onpr litseddo_ ids-alerts oremqu ids-alerts signature=idex priority=radip timestamp=1528145055.uptaprotocol=ipv6-icmp src=10.171.206.139 dst=10.165.173.162message: lestia", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 11378, - "network.protocol": "ipv6-icmp", - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.165.173.162", - "10.171.206.139" - ], - "rsa.internal.messageid": "ids-alerts", - "rsa.misc.event_type": "ids-alerts", - "rsa.misc.node": "litseddo_ ids-alerts oremqu", - "rsa.misc.policy_name": "lestia", - "rsa.misc.sensor": "litseddo_ ids-alerts oremqu", - "rsa.time.event_time": "2018-06-04T20:44:15.000Z", - "service.type": "cisco", - "source.ip": "10.171.206.139", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2018-06-19T03:46:49.000Z", - "destination.mac": "01:00:5e:f2:d3:12", - 
"event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "inibusB 1529380009.nostrud cteturad events dhcp lease of ip 10.150.163.151 from server mac 01:00:5e:72:b7:79 for client mac 01:00:5e:f2:d3:12 with hostname uames4985.mail.localdomain from router 10.144.57.239 on subnet oinBCSed with dns orem", - "fileset.name": "meraki", - "host.ip": "10.144.57.239", - "host.name": "uames4985.mail.localdomain", - "input.type": "log", - "log.offset": 11566, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance", - "uames4985.mail.localdomain" - ], - "related.ip": [ - "10.144.57.239", - "10.150.163.151" - ], - "rsa.internal.messageid": "events", - "rsa.misc.event_source": "appliance", - "rsa.misc.node": "cteturad", - "rsa.misc.sensor": "cteturad", - "rsa.network.alias_host": [ - "uames4985.mail.localdomain" - ], - "rsa.network.dns_a_record": "orem", - "rsa.network.mask": "oinBCSed", - "rsa.time.event_time": "2018-06-19T03:46:49.000Z", - "service.type": "cisco", - "source.ip": "10.150.163.151", - "source.mac": "01:00:5e:72:b7:79", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2018-07-03T10:49:23.000Z", - "destination.ip": "10.54.44.231", - "event.action": "ids-alerts", - "event.code": "ids-alerts", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "eritq rehen.ipsamvol elillum_ ids-alerts tco ids-alerts signature=tvol priority=oluptate timestamp=1530614963.lit shost=01:00:5e:ac:6d:d3 direction=unknown protocol=igmp src=10.52.202.158 dst=10.54.44.231 message: Ute", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 11808, - "network.direction": "unknown", - "network.protocol": "igmp", - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.52.202.158", - "10.54.44.231" - ], - "rsa.internal.messageid": "ids-alerts", - 
"rsa.misc.event_type": "ids-alerts", - "rsa.misc.node": "elillum_ ids-alerts tco", - "rsa.misc.policy_name": "Ute", - "rsa.misc.sensor": "elillum_ ids-alerts tco", - "rsa.time.event_time": "2018-07-03T10:49:23.000Z", - "service.type": "cisco", - "source.ip": "10.52.202.158", - "source.mac": "01:00:5e:ac:6d:d3", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2018-07-17T17:51:58.000Z", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "runtm 1531849918.eturadip olorsi_ events MAC 01:00:5e:67:1d:0f and MAC 01:00:5e:f0:a9:cd both claim IP: 10.101.183.86", - "fileset.name": "meraki", - "host.mac": "01:00:5e:f0:a9:cd", - "input.type": "log", - "log.offset": 12026, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.101.183.86" - ], - "rsa.internal.event_desc": " events MAC", - "rsa.internal.messageid": "events", - "rsa.misc.node": "olorsi_", - "rsa.misc.sensor": "olorsi_", - "rsa.network.eth_host": "01:00:5e:f0:a9:cd", - "rsa.time.event_time": "2018-07-17T17:51:58.000Z", - "service.type": "cisco", - "source.ip": "10.101.183.86", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2018-08-01T00:54:32.000Z", - "event.action": "orem flows src=10.71.22.225 dst=10.4.76.100 protocol=ggp pattern: allow serrorsi", - "event.code": "flows", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "inesciu 1533084872.quid atcupid_ flows orem flows src=10.71.22.225 dst=10.4.76.100 protocol=ggp pattern: allow serrorsi", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 12144, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance" - ], - "rsa.internal.messageid": "flows", - "rsa.misc.action": [ - "orem flows src=10.71.22.225 dst=10.4.76.100 protocol=ggp pattern: allow serrorsi" - ], - 
"rsa.misc.event_source": "appliance", - "rsa.misc.node": "atcupid_", - "rsa.misc.sensor": "atcupid_", - "rsa.time.event_time": "2018-08-01T00:54:32.000Z", - "service.type": "cisco", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2018-08-15T07:57:06.000Z", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "lamco 1534319826.cit siar events MAC 01:00:5e:80:cd:ca and MAC 01:00:5e:45:aa:51 both claim IP: 10.83.130.95", - "fileset.name": "meraki", - "host.mac": "01:00:5e:45:aa:51", - "input.type": "log", - "log.offset": 12264, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.83.130.95" - ], - "rsa.internal.event_desc": " events MAC", - "rsa.internal.messageid": "events", - "rsa.misc.node": "siar", - "rsa.misc.sensor": "siar", - "rsa.network.eth_host": "01:00:5e:45:aa:51", - "rsa.time.event_time": "2018-08-15T07:57:06.000Z", - "service.type": "cisco", - "source.ip": "10.83.130.95", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2018-08-29T14:59:40.000Z", - "destination.ip": "10.103.49.129", - "destination.mac": "01:00:5e:59:bf:36", - "event.action": "olor", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "hite 1535554780.ianonnum nofdeFi events aid=henderit arp_resp=remq arp_src=unt auth_neg_dur=tla auth_neg_failed=arch channel=lite dns_req_rtt=ugia dns_resp=meum dns_server=borumSec duration=91.439000 full_conn=nvolupta identity=tev ip_resp=nre ip_src=10.2.110.73 is_8021x=eturadip is_wpa=ent last_auth_ago=rumSecti radio=Utenima reason=olore rssi=orumS type=olor vap=radip client_mac=01:00:5e:59:bf:36 client_ip=10.230.98.81 instigator=aaliquaU http_resp=olu dhcp_lease_completed=iameaque dhcp_ip=identsun dhcp_server=ender dhcp_server_mac=inc dhcp_resp=tect url=https://www.example.net/doconse/eni.html?mSec=smoditem#tatisetq category0=uidolo 
server=10.103.49.129 vpn_type=oquisq connectivity=abori", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 12373, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance" - ], - "related.ip": [ - "10.103.49.129", - "10.2.110.73" - ], - "rsa.counters.dclass_r1": "orumS", - "rsa.internal.messageid": "events", - "rsa.misc.category": "uidolo", - "rsa.misc.event_source": "appliance", - "rsa.misc.event_type": "olor", - "rsa.misc.node": "nofdeFi", - "rsa.misc.sensor": "nofdeFi", - "rsa.time.duration_time": 91.439, - "rsa.time.event_time": "2018-08-29T14:59:40.000Z", - "service.type": "cisco", - "source.ip": "10.2.110.73", - "tags": [ - "cisco.meraki", - "forwarded" - ], - "url.domain": "www.example.net", - "url.extension": "html", - "url.fragment": "tatisetq", - "url.original": "https://www.example.net/doconse/eni.html?mSec=smoditem#tatisetq", - "url.path": "/doconse/eni.html", - "url.query": "mSec=smoditem", - "url.scheme": "https" - }, - { - "@timestamp": "2018-09-12T22:02:15.000Z", - "destination.ip": "10.132.176.96", - "destination.mac": "01:00:5e:e6:a6:a2", - "event.action": "rvelill", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "dunt 1536789735.ames amni events aid=tatio arp_resp=amquisno arp_src=modoc auth_neg_dur=magnam auth_neg_failed=uinesc channel=cid dns_req_rtt=emi dns_resp=Bonorum dns_server=lesti duration=59.289000 full_conn=iosamni identity=idu ip_resp=sis ip_src=10.158.61.228 is_8021x=tsedquia is_wpa=its last_auth_ago=umdolor radio=isiu reason=assi rssi=eserun type=rvelill vap=lupta client_mac=01:00:5e:e6:a6:a2 client_ip=10.186.16.20 instigator=tisu http_resp=remagnam dhcp_lease_completed=nvolupt dhcp_ip=meiusm dhcp_server=nidolo dhcp_server_mac=atquovol dhcp_resp=quunt url=https://www.example.com/seq/moll.htm?sunt=dquianon#urExc category0=tDuis server=10.132.176.96 vpn_type=aria connectivity=inim", - 
"fileset.name": "meraki", - "input.type": "log", - "log.offset": 13073, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance" - ], - "related.ip": [ - "10.132.176.96", - "10.158.61.228" - ], - "rsa.counters.dclass_r1": "eserun", - "rsa.internal.messageid": "events", - "rsa.misc.category": "tDuis", - "rsa.misc.event_source": "appliance", - "rsa.misc.event_type": "rvelill", - "rsa.misc.node": "amni", - "rsa.misc.sensor": "amni", - "rsa.time.duration_time": 59.289, - "rsa.time.event_time": "2018-09-12T22:02:15.000Z", - "service.type": "cisco", - "source.ip": "10.158.61.228", - "tags": [ - "cisco.meraki", - "forwarded" - ], - "url.domain": "www.example.com", - "url.extension": "htm", - "url.fragment": "urExc", - "url.original": "https://www.example.com/seq/moll.htm?sunt=dquianon#urExc", - "url.path": "/seq/moll.htm", - "url.query": "sunt=dquianon", - "url.scheme": "https" - }, - { - "@timestamp": "2018-09-27T05:04:49.000Z", - "destination.mac": "01:00:5e:69:92:4a", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "oremeumf 1538024689.lesti sintocca events dhcp lease of ip 10.105.136.146 from server mac 01:00:5e:bb:aa:f6 for client mac 01:00:5e:69:92:4a with hostname lors2232.api.example from router 10.46.217.155 on subnet amnihil with dns orissus", - "fileset.name": "meraki", - "host.ip": "10.46.217.155", - "host.name": "lors2232.api.example", - "input.type": "log", - "log.offset": 13766, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance", - "lors2232.api.example" - ], - "related.ip": [ - "10.105.136.146", - "10.46.217.155" - ], - "rsa.internal.messageid": "events", - "rsa.misc.event_source": "appliance", - "rsa.misc.node": "sintocca", - "rsa.misc.sensor": "sintocca", - "rsa.network.alias_host": [ - "lors2232.api.example" - ], - "rsa.network.dns_a_record": 
"orissus", - "rsa.network.mask": "amnihil", - "rsa.time.event_time": "2018-09-27T05:04:49.000Z", - "service.type": "cisco", - "source.ip": "10.105.136.146", - "source.mac": "01:00:5e:bb:aa:f6", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2018-10-11T12:07:23.000Z", - "destination.ip": "10.123.62.215", - "destination.mac": "01:00:5e:1f:7f:1d", - "event.code": "flows", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "nimadmin 1539259643.lumqui quiavolu flows src=10.245.199.23 dst=10.123.62.215 mac=01:00:5e:1f:7f:1d protocol=udp pattern: 0 iusmodt", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 14003, - "network.protocol": "udp", - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance" - ], - "related.ip": [ - "10.123.62.215", - "10.245.199.23" - ], - "rsa.db.index": "iusmodt", - "rsa.internal.messageid": "flows", - "rsa.misc.event_source": "appliance", - "rsa.misc.node": "quiavolu", - "rsa.misc.sensor": "quiavolu", - "rsa.time.event_time": "2018-10-11T12:07:23.000Z", - "service.type": "cisco", - "source.ip": "10.245.199.23", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2018-10-25T19:09:57.000Z", - "event.action": "cancel src=10.239.105.121 dst=10.70.7.23 mac=01:00:5e:8e:82:f0 protocol=ipv6", - "event.code": "flows", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "rep 1540494597.remap deri flows cancel src=10.239.105.121 dst=10.70.7.23 mac=01:00:5e:8e:82:f0 protocol=ipv6 ", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 14135, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance" - ], - "rsa.internal.messageid": "flows", - "rsa.misc.action": [ - "cancel src=10.239.105.121 dst=10.70.7.23 mac=01:00:5e:8e:82:f0 protocol=ipv6" - ], - "rsa.misc.event_source": 
"appliance", - "rsa.misc.node": "deri", - "rsa.misc.sensor": "deri", - "rsa.time.event_time": "2018-10-25T19:09:57.000Z", - "service.type": "cisco", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2018-11-09T02:12:32.000Z", - "destination.ip": "10.16.230.121", - "destination.mac": "01:00:5e:99:a6:b4", - "event.action": "nonpro", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "idexeac 1541729552.nimadmin midest_appliance events aid=modt arp_resp=iduntutl arp_src=rsitam auth_neg_dur=xercit auth_neg_failed=ulpaquio channel=itqu dns_req_rtt=minimav dns_resp=smodtem dns_server=roquisqu duration=116.294000 full_conn=iquid identity=evo ip_resp=mcorpori ip_src=10.196.176.243 is_8021x=itesse is_wpa=expl last_auth_ago=essecill radio=totamre reason=rpo rssi=velites type=nonpro vap=nula client_mac=01:00:5e:99:a6:b4 client_ip=10.90.50.149 instigator=nemulla http_resp=asp dhcp_lease_completed=dexercit dhcp_ip=amn dhcp_server=itessequ dhcp_server_mac=porissu dhcp_resp=umd url=https://www.example.net/sectetur/edquian.html?turQuis=taevi#uames category0=tconsec server=10.16.230.121 vpn_type=laboree connectivity=udantiu", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 14245, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance" - ], - "related.ip": [ - "10.16.230.121", - "10.196.176.243" - ], - "rsa.counters.dclass_r1": "velites", - "rsa.internal.messageid": "events", - "rsa.misc.category": "tconsec", - "rsa.misc.event_source": "appliance", - "rsa.misc.event_type": "nonpro", - "rsa.misc.node": "midest", - "rsa.misc.sensor": "midest", - "rsa.time.duration_time": 116.294, - "rsa.time.event_time": "2018-11-09T02:12:32.000Z", - "service.type": "cisco", - "source.ip": "10.196.176.243", - "tags": [ - "cisco.meraki", - "forwarded" - ], - "url.domain": "www.example.net", - "url.extension": "html", - 
"url.fragment": "uames", - "url.original": "https://www.example.net/sectetur/edquian.html?turQuis=taevi#uames", - "url.path": "/sectetur/edquian.html", - "url.query": "turQuis=taevi", - "url.scheme": "https" - }, - { - "@timestamp": "2018-11-23T09:15:06.000Z", - "destination.ip": "10.34.62.190", - "destination.mac": "01:00:5e:6a:c8:f8", - "destination.port": 1641, - "event.action": "security_event", - "event.code": "security_event", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "ttenb olor.quiav gna security_event Nem signature=tdolorem priority=eacomm timestamp=1542964506.upidata dhost=01:00:5e:6a:c8:f8 direction=unknown protocol=ipv6 src=10.246.152.72:4293 dst=10.34.62.190:1641 message:eve", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 14985, - "network.direction": "unknown", - "network.protocol": "ipv6", - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.246.152.72", - "10.34.62.190" - ], - "rsa.internal.event_desc": "Nem", - "rsa.internal.messageid": "security_event", - "rsa.misc.event_type": "security_event", - "rsa.misc.node": "gna", - "rsa.misc.policy_name": "eve", - "rsa.misc.sensor": "gna", - "rsa.time.event_time": "2018-11-23T09:15:06.000Z", - "service.type": "cisco", - "source.ip": "10.246.152.72", - "source.port": 4293, - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2018-12-07T16:17:40.000Z", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "quisn 1544199460.rem ulamcola events dhcp no offers for mac 01:00:5e:67:fc:cb", - "fileset.name": "meraki", - "host.mac": "01:00:5e:67:fc:cb", - "input.type": "log", - "log.offset": 15202, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "rsa.internal.event_desc": "events DHCP", - "rsa.internal.messageid": "events", - "rsa.misc.node": "ulamcola", - 
"rsa.misc.sensor": "ulamcola", - "rsa.network.eth_host": "01:00:5e:67:fc:cb", - "rsa.time.event_time": "2018-12-07T16:17:40.000Z", - "service.type": "cisco", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2018-12-21T23:20:14.000Z", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "eruntmo 1545434414.nimve usanti_ events dhcp release for mac 01:00:5e:7d:de:f7", - "fileset.name": "meraki", - "host.mac": "01:00:5e:7d:de:f7", - "input.type": "log", - "log.offset": 15280, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "rsa.internal.event_desc": "events DHCP", - "rsa.internal.messageid": "events", - "rsa.misc.node": "usanti_", - "rsa.misc.sensor": "usanti_", - "rsa.network.eth_host": "01:00:5e:7d:de:f7", - "rsa.time.event_time": "2018-12-21T23:20:14.000Z", - "service.type": "cisco", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2019-01-05T06:22:49.000Z", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "uatu 1546669369.olupta consequu_ events dhcp release for mac 01:00:5e:6b:96:f2", - "fileset.name": "meraki", - "host.mac": "01:00:5e:6b:96:f2", - "input.type": "log", - "log.offset": 15359, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "rsa.internal.event_desc": "events DHCP", - "rsa.internal.messageid": "events", - "rsa.misc.node": "consequu_", - "rsa.misc.sensor": "consequu_", - "rsa.network.eth_host": "01:00:5e:6b:96:f2", - "rsa.time.event_time": "2019-01-05T06:22:49.000Z", - "service.type": "cisco", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2019-01-19T13:25:23.000Z", - "destination.ip": "10.121.9.5", - "event.action": "ids-alerts", - "event.code": "ids-alerts", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "sitam inibusBo.illoin 
emUtenim ids-alerts signature=ende priority=dexea timestamp=1547904323.acoprotocol=ipv6 src=10.244.32.189 dst=10.121.9.5message: uptas", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 15438, - "network.protocol": "ipv6", - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.121.9.5", - "10.244.32.189" - ], - "rsa.internal.messageid": "ids-alerts", - "rsa.misc.event_type": "ids-alerts", - "rsa.misc.node": "emUtenim", - "rsa.misc.policy_name": "uptas", - "rsa.misc.sensor": "emUtenim", - "rsa.time.event_time": "2019-01-19T13:25:23.000Z", - "service.type": "cisco", - "source.ip": "10.244.32.189", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2019-02-02T20:27:57.000Z", - "destination.ip": "10.41.124.15", - "destination.port": 333, - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "edol 1549139277.sequuntu quameius_ events content_filtering_block url='https://www.example.com/totamrem/aliqu.htm?sBonorum=moenimi#lor' category0='auto' server='10.41.124.15:333'", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 15595, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.41.124.15" - ], - "rsa.internal.event_desc": "content_filtering_block", - "rsa.internal.messageid": "events", - "rsa.misc.category": "auto", - "rsa.misc.node": "quameius_", - "rsa.misc.sensor": "quameius_", - "rsa.time.event_time": "2019-02-02T20:27:57.000Z", - "service.type": "cisco", - "tags": [ - "cisco.meraki", - "forwarded" - ], - "url.domain": "www.example.com", - "url.extension": "htm", - "url.fragment": "lor", - "url.original": "https://www.example.com/totamrem/aliqu.htm?sBonorum=moenimi#lor", - "url.path": "/totamrem/aliqu.htm", - "url.query": "sBonorum=moenimi", - "url.scheme": "https" - }, - { - "@timestamp": "2019-02-17T03:30:32.000Z", - "event.code": 
"events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "antium 1550374232.remaper eseosq events dhcp no offers for mac 01:00:5e:c3:77:27", - "fileset.name": "meraki", - "host.mac": "01:00:5e:c3:77:27", - "input.type": "log", - "log.offset": 15774, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "rsa.internal.event_desc": "events DHCP", - "rsa.internal.messageid": "events", - "rsa.misc.node": "eseosq", - "rsa.misc.sensor": "eseosq", - "rsa.network.eth_host": "01:00:5e:c3:77:27", - "rsa.time.event_time": "2019-02-17T03:30:32.000Z", - "service.type": "cisco", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2019-03-03T10:33:06.000Z", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "oditau 1551609186.onsec dit events MAC 01:00:5e:19:86:21 and MAC 01:00:5e:ed:ed:79 both claim IP: 10.43.235.230", - "fileset.name": "meraki", - "host.mac": "01:00:5e:ed:ed:79", - "input.type": "log", - "log.offset": 15855, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.43.235.230" - ], - "rsa.internal.event_desc": " events MAC", - "rsa.internal.messageid": "events", - "rsa.misc.node": "dit", - "rsa.misc.sensor": "dit", - "rsa.network.eth_host": "01:00:5e:ed:ed:79", - "rsa.time.event_time": "2019-03-03T10:33:06.000Z", - "service.type": "cisco", - "source.ip": "10.43.235.230", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2019-03-17T17:35:40.000Z", - "destination.ip": "10.103.91.159", - "destination.port": 7116, - "event.action": "ids-alerts", - "event.code": "ids-alerts", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "asper dictasun.psa lorese_ ids-alerts ctobeat ids-alerts signature=onsec priority=idestl timestamp=1552844140.litani shost=01:00:5e:a0:b2:c9 direction=unknown protocol=icmp 
src=10.199.19.205:5823 dst=10.103.91.159:7116 message: ntut", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 15967, - "network.direction": "unknown", - "network.protocol": "icmp", - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.103.91.159", - "10.199.19.205" - ], - "rsa.internal.messageid": "ids-alerts", - "rsa.misc.event_type": "ids-alerts", - "rsa.misc.node": "lorese_ ids-alerts ctobeat", - "rsa.misc.policy_name": "ntut", - "rsa.misc.sensor": "lorese_ ids-alerts ctobeat", - "rsa.time.event_time": "2019-03-17T17:35:40.000Z", - "service.type": "cisco", - "source.ip": "10.199.19.205", - "source.mac": "01:00:5e:a0:b2:c9", - "source.port": 5823, - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2019-04-01T00:38:14.000Z", - "destination.ip": "10.65.0.157", - "destination.mac": "01:00:5e:49:c4:17", - "event.action": "Deny", - "event.code": "flows", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "estiaec 1554079094.pitlabo tas_appliance flows src=10.17.111.91 dst=10.65.0.157 mac=01:00:5e:49:c4:17 protocol=udp pattern: 1 nostrum", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 16200, - "network.protocol": "udp", - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance" - ], - "related.ip": [ - "10.17.111.91", - "10.65.0.157" - ], - "rsa.db.index": "nostrum", - "rsa.internal.messageid": "flows", - "rsa.misc.action": [ - "Deny" - ], - "rsa.misc.event_source": "appliance", - "rsa.misc.node": "tas", - "rsa.misc.sensor": "tas", - "rsa.time.event_time": "2019-04-01T00:38:14.000Z", - "service.type": "cisco", - "source.ip": "10.17.111.91", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2019-04-15T07:40:49.000Z", - "event.action": "cancel", - "event.code": "flows", - "event.dataset": "cisco.meraki", - "event.module": 
"cisco", - "event.original": "ercitati 1555314049.atem serro flows cancel", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 16334, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance" - ], - "rsa.internal.messageid": "flows", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.event_source": "appliance", - "rsa.misc.node": "serro", - "rsa.misc.sensor": "serro", - "rsa.time.event_time": "2019-04-15T07:40:49.000Z", - "service.type": "cisco", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2019-04-29T14:43:23.000Z", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "amquaera 1556549003.rsitamet leumiur events MAC 01:00:5e:fd:79:9e and MAC 01:00:5e:4d:c0:dd both claim IP: 10.20.130.88", - "fileset.name": "meraki", - "host.mac": "01:00:5e:4d:c0:dd", - "input.type": "log", - "log.offset": 16378, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.20.130.88" - ], - "rsa.internal.event_desc": " events MAC", - "rsa.internal.messageid": "events", - "rsa.misc.node": "leumiur", - "rsa.misc.sensor": "leumiur", - "rsa.network.eth_host": "01:00:5e:4d:c0:dd", - "rsa.time.event_time": "2019-04-29T14:43:23.000Z", - "service.type": "cisco", - "source.ip": "10.20.130.88", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2019-05-13T21:45:57.000Z", - "destination.ip": "10.140.242.86", - "event.action": "ids-alerts", - "event.code": "ids-alerts", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "abill ametcon.ofdeFini tasnu_ ids-alerts tionev ids-alerts signature=uasiarch priority=velites timestamp=1557783957.uredolorprotocol=ipv6 src=10.177.64.152 dst=10.140.242.86message: temporin", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 16498, - "network.protocol": "ipv6", - 
"observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.140.242.86", - "10.177.64.152" - ], - "rsa.internal.messageid": "ids-alerts", - "rsa.misc.event_type": "ids-alerts", - "rsa.misc.node": "tasnu_ ids-alerts tionev", - "rsa.misc.policy_name": "temporin", - "rsa.misc.sensor": "tasnu_ ids-alerts tionev", - "rsa.time.event_time": "2019-05-13T21:45:57.000Z", - "service.type": "cisco", - "source.ip": "10.177.64.152", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2019-05-28T04:48:31.000Z", - "destination.ip": "10.51.121.223", - "destination.port": 24, - "event.action": "security_event", - "event.code": "security_event", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "lor nvolupt.dquia ora_ security_event dipi security_event ecatc signature=quovolu priority=ite timestamp=1559018911.itse shost=01:00:5e:b8:73:c8 direction=external protocol=icmp src=10.199.103.185:2449 dst=10.51.121.223:24 message:stenat", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 16689, - "network.direction": "external", - "network.protocol": "icmp", - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.199.103.185", - "10.51.121.223" - ], - "rsa.internal.event_desc": "dipi security_event ecatc", - "rsa.internal.messageid": "security_event", - "rsa.misc.event_type": "security_event", - "rsa.misc.node": "ora_", - "rsa.misc.policy_name": "stenat", - "rsa.misc.sensor": "ora_", - "rsa.time.event_time": "2019-05-28T04:48:31.000Z", - "service.type": "cisco", - "source.ip": "10.199.103.185", - "source.mac": "01:00:5e:b8:73:c8", - "source.port": 2449, - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2019-06-11T11:51:06.000Z", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "saq 1560253866.asiarch ssuscipi events MAC 
01:00:5e:93:48:61 and MAC 01:00:5e:21:c2:55 both claim IP: 10.126.242.58", - "fileset.name": "meraki", - "host.mac": "01:00:5e:21:c2:55", - "input.type": "log", - "log.offset": 16927, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.126.242.58" - ], - "rsa.internal.event_desc": " events MAC", - "rsa.internal.messageid": "events", - "rsa.misc.node": "ssuscipi", - "rsa.misc.sensor": "ssuscipi", - "rsa.network.eth_host": "01:00:5e:21:c2:55", - "rsa.time.event_time": "2019-06-11T11:51:06.000Z", - "service.type": "cisco", - "source.ip": "10.126.242.58", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2019-06-25T18:53:40.000Z", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "tlab 1561488820.vel ionevo events dhcp release for mac 01:00:5e:8a:1a:f9", - "fileset.name": "meraki", - "host.mac": "01:00:5e:8a:1a:f9", - "input.type": "log", - "log.offset": 17043, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "rsa.internal.event_desc": "events DHCP", - "rsa.internal.messageid": "events", - "rsa.misc.node": "ionevo", - "rsa.misc.sensor": "ionevo", - "rsa.network.eth_host": "01:00:5e:8a:1a:f9", - "rsa.time.event_time": "2019-06-25T18:53:40.000Z", - "service.type": "cisco", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2019-07-10T01:56:14.000Z", - "destination.ip": "10.113.152.241", - "event.action": "uira flows deny", - "event.code": "flows", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "aeab 1562723774.uradipis aerat_ flows uira flows deny src=10.121.37.244 dst=10.113.152.241 mac=01:00:5e:9c:86:62 protocol=udp type=utaliqui ", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 17116, - "network.protocol": "udp", - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": 
"Cisco", - "related.hosts": [ - "appliance" - ], - "related.ip": [ - "10.113.152.241", - "10.121.37.244" - ], - "rsa.internal.messageid": "flows", - "rsa.misc.action": [ - "uira flows deny" - ], - "rsa.misc.event_source": "appliance", - "rsa.misc.node": "aerat_", - "rsa.misc.sensor": "aerat_", - "rsa.time.event_time": "2019-07-10T01:56:14.000Z", - "service.type": "cisco", - "source.ip": "10.121.37.244", - "source.mac": "01:00:5e:9c:86:62", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2019-07-24T08:58:48.000Z", - "destination.ip": "10.254.96.130", - "destination.mac": "01:00:5e:10:8b:c3", - "event.action": "ionu", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "nesciu 1563958728.mali roinBCSe_appliance events aid=eetdolor arp_resp=tpersp arp_src=assi auth_neg_dur=rch auth_neg_failed=psa channel=nreprehe dns_req_rtt=pidatatn dns_resp=isno dns_server=luptatev duration=39.622000 full_conn=lla identity=urau ip_resp=aeca ip_src=10.247.118.132 is_8021x=atcupi is_wpa=enima last_auth_ago=uptateve radio=fugitsed reason=lumqui rssi=ectet type=ionu vap=eratv client_mac=01:00:5e:10:8b:c3 client_ip=10.153.33.99 instigator=liq http_resp=xerc dhcp_lease_completed=atisetqu dhcp_ip=squir dhcp_server=gnaaliq dhcp_server_mac=quam dhcp_resp=deriti url=https://www5.example.org/eturadi/umS.txt?mSecti=henderi#taevitae category0=tevel server=10.254.96.130 vpn_type=ita connectivity=iquipexe", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 17257, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance" - ], - "related.ip": [ - "10.247.118.132", - "10.254.96.130" - ], - "rsa.counters.dclass_r1": "ectet", - "rsa.internal.messageid": "events", - "rsa.misc.category": "tevel", - "rsa.misc.event_source": "appliance", - "rsa.misc.event_type": "ionu", - "rsa.misc.node": "roinBCSe", - "rsa.misc.sensor": "roinBCSe", - 
"rsa.time.duration_time": 39.622, - "rsa.time.event_time": "2019-07-24T08:58:48.000Z", - "service.type": "cisco", - "source.ip": "10.247.118.132", - "tags": [ - "cisco.meraki", - "forwarded" - ], - "url.domain": "www5.example.org", - "url.extension": "txt", - "url.fragment": "taevitae", - "url.original": "https://www5.example.org/eturadi/umS.txt?mSecti=henderi#taevitae", - "url.path": "/eturadi/umS.txt", - "url.query": "mSecti=henderi", - "url.scheme": "https" - }, - { - "@timestamp": "2019-08-07T16:01:23.000Z", - "destination.ip": "10.200.98.243", - "destination.mac": "01:00:5e:95:ae:d0", - "event.action": "ntium", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "tot 1565193683.reme emeumfu events aid=inBCSedu arp_resp=ita arp_src=ade auth_neg_dur=nihilmol auth_neg_failed=nder channel=ano dns_req_rtt=rumexer dns_resp=eab dns_server=iaconseq duration=18.963000 full_conn=eli identity=rissusci ip_resp=ectetur ip_src=10.101.13.122 is_8021x=oconsequ is_wpa=roqui last_auth_ago=oluptate radio=ntut reason=mremaper rssi=uteirur type=ntium vap=ide client_mac=01:00:5e:95:ae:d0 client_ip=10.78.143.52 instigator=ntiumdol http_resp=conse dhcp_lease_completed=aturve dhcp_ip=edqui dhcp_server=tvolu dhcp_server_mac=psu dhcp_resp=strud url=https://internal.example.org/fdeFi/ratv.htm?sequatu=tiumtot#tate category0=udanti server=10.200.98.243 vpn_type=cteturad connectivity=umq", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 17976, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance" - ], - "related.ip": [ - "10.101.13.122", - "10.200.98.243" - ], - "rsa.counters.dclass_r1": "uteirur", - "rsa.internal.messageid": "events", - "rsa.misc.category": "udanti", - "rsa.misc.event_source": "appliance", - "rsa.misc.event_type": "ntium", - "rsa.misc.node": "emeumfu", - "rsa.misc.sensor": "emeumfu", - "rsa.time.duration_time": 18.963, - 
"rsa.time.event_time": "2019-08-07T16:01:23.000Z", - "service.type": "cisco", - "source.ip": "10.101.13.122", - "tags": [ - "cisco.meraki", - "forwarded" - ], - "url.domain": "internal.example.org", - "url.extension": "htm", - "url.fragment": "tate", - "url.original": "https://internal.example.org/fdeFi/ratv.htm?sequatu=tiumtot#tate", - "url.path": "/fdeFi/ratv.htm", - "url.query": "sequatu=tiumtot", - "url.scheme": "https" - }, - { - "@timestamp": "2019-08-21T23:03:57.000Z", - "destination.ip": "10.247.205.185", - "destination.mac": "01:00:5e:6f:21:c8", - "destination.port": 7676, - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "oinvento 1566428637.mporin orissusc_appliance events content_filtering_block url='https://www5.example.net/uov/pariat.htm?litsed=lumd#tiaec' category0='lorem' server='10.247.205.185:7676' client_mac='01:00:5e:6f:21:c8'", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 18684, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.247.205.185" - ], - "rsa.internal.event_desc": "content_filtering_block", - "rsa.internal.messageid": "events", - "rsa.misc.category": "lorem", - "rsa.misc.node": "orissusc", - "rsa.misc.sensor": "orissusc", - "rsa.time.event_time": "2019-08-21T23:03:57.000Z", - "service.type": "cisco", - "tags": [ - "cisco.meraki", - "forwarded" - ], - "url.domain": "www5.example.net", - "url.extension": "htm", - "url.fragment": "tiaec", - "url.original": "https://www5.example.net/uov/pariat.htm?litsed=lumd#tiaec", - "url.path": "/uov/pariat.htm", - "url.query": "litsed=lumd", - "url.scheme": "https" - }, - { - "@timestamp": "2019-09-05T06:06:31.000Z", - "destination.ip": "10.147.165.30", - "destination.mac": "01:00:5e:0a:88:bb", - "destination.port": 7662, - "event.action": "ids-alerts", - "event.code": "ids-alerts", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - 
"event.original": "metMa emoen.ptate mipsumqu_ ids-alerts ccusa ids-alerts signature=billo priority=doloremi timestamp=1567663591.ectetura dhost=01:00:5e:0a:88:bb direction=inbound protocol=ipv6 src=10.195.90.73:3914 dst=10.147.165.30:7662 message: idents", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 18903, - "network.direction": "inbound", - "network.protocol": "ipv6", - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.147.165.30", - "10.195.90.73" - ], - "rsa.internal.messageid": "ids-alerts", - "rsa.misc.event_type": "ids-alerts", - "rsa.misc.node": "mipsumqu_ ids-alerts ccusa", - "rsa.misc.policy_name": "idents", - "rsa.misc.sensor": "mipsumqu_ ids-alerts ccusa", - "rsa.time.event_time": "2019-09-05T06:06:31.000Z", - "service.type": "cisco", - "source.ip": "10.195.90.73", - "source.port": 3914, - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2019-09-19T13:09:05.000Z", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "veniamqu 1568898545.iconsequ ueporr_appliance events IDS: empor", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 19140, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "rsa.db.index": "empor", - "rsa.internal.event_desc": "events IDS", - "rsa.internal.messageid": "events", - "rsa.misc.node": "ueporr", - "rsa.misc.sensor": "ueporr", - "rsa.time.event_time": "2019-09-19T13:09:05.000Z", - "service.type": "cisco", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2019-10-03T20:11:40.000Z", - "destination.ip": "10.162.202.14", - "destination.mac": "01:00:5e:dd:cb:5b", - "event.action": "ids-alerts", - "event.code": "ids-alerts", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "atDuisa mipsa.uas iat ids-alerts signature=hite priority=adipis 
timestamp=1570133500.abo dhost=01:00:5e:dd:cb:5b direction=inbound protocol=udp src=10.137.166.97 dst=10.162.202.14 message: ipsaqua", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 19204, - "network.direction": "inbound", - "network.protocol": "udp", - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.137.166.97", - "10.162.202.14" - ], - "rsa.internal.messageid": "ids-alerts", - "rsa.misc.event_type": "ids-alerts", - "rsa.misc.node": "iat", - "rsa.misc.policy_name": "ipsaqua", - "rsa.misc.sensor": "iat", - "rsa.time.event_time": "2019-10-03T20:11:40.000Z", - "service.type": "cisco", - "source.ip": "10.137.166.97", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2019-10-18T03:14:14.000Z", - "destination.ip": "10.227.135.142", - "destination.port": 6598, - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "deom 1571368454.tiumdo rautod_appliance events content_filtering_block url='https://www5.example.com/illoinve/etcon.htm?nevolup=erspici#itinvolu' category0='adeserun' server='10.227.135.142:6598'", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 19401, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.227.135.142" - ], - "rsa.internal.event_desc": "content_filtering_block", - "rsa.internal.messageid": "events", - "rsa.misc.category": "adeserun", - "rsa.misc.node": "rautod", - "rsa.misc.sensor": "rautod", - "rsa.time.event_time": "2019-10-18T03:14:14.000Z", - "service.type": "cisco", - "tags": [ - "cisco.meraki", - "forwarded" - ], - "url.domain": "www5.example.com", - "url.extension": "htm", - "url.fragment": "itinvolu", - "url.original": "https://www5.example.com/illoinve/etcon.htm?nevolup=erspici#itinvolu", - "url.path": "/illoinve/etcon.htm", - "url.query": "nevolup=erspici", - "url.scheme": "https" - }, - { - 
"@timestamp": "2019-11-01T10:16:48.000Z", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "orese 1572603408.umdolore umqui_appliance events MAC 01:00:5e:f1:b8:3a and MAC 01:00:5e:37:9c:af both claim IP: 10.199.29.19", - "fileset.name": "meraki", - "host.mac": "01:00:5e:37:9c:af", - "input.type": "log", - "log.offset": 19597, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.ip": [ - "10.199.29.19" - ], - "rsa.internal.event_desc": " events MAC", - "rsa.internal.messageid": "events", - "rsa.misc.node": "umqui", - "rsa.misc.sensor": "umqui", - "rsa.network.eth_host": "01:00:5e:37:9c:af", - "rsa.time.event_time": "2019-11-01T10:16:48.000Z", - "service.type": "cisco", - "source.ip": "10.199.29.19", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2019-11-15T17:19:22.000Z", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "explicab 1573838362.samvolu teiru_appliance events dhcp no offers for mac 01:00:5e:b8:06:92", - "fileset.name": "meraki", - "host.mac": "01:00:5e:b8:06:92", - "input.type": "log", - "log.offset": 19722, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "rsa.internal.event_desc": "events DHCP", - "rsa.internal.messageid": "events", - "rsa.misc.node": "teiru", - "rsa.misc.sensor": "teiru", - "rsa.network.eth_host": "01:00:5e:b8:06:92", - "rsa.time.event_time": "2019-11-15T17:19:22.000Z", - "service.type": "cisco", - "tags": [ - "cisco.meraki", - "forwarded" - ] - }, - { - "@timestamp": "2019-11-30T00:21:57.000Z", - "destination.ip": "10.75.122.111", - "destination.mac": "01:00:5e:92:d8:95", - "event.action": "modoco", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "rissusci 1575073317.uaturQ iusmod_ events aid=mips arp_resp=iduntutl arp_src=mipsumd 
auth_neg_dur=eiusmo auth_neg_failed=quelauda channel=rcit dns_req_rtt=dolo dns_resp=ulamc dns_server=doe duration=10.574000 full_conn=remquela identity=toreve ip_resp=squirat ip_src=10.85.59.172 is_8021x=mto is_wpa=iae last_auth_ago=dent radio=Uten reason=tatiset rssi=sequat type=modoco vap=beataevi client_mac=01:00:5e:92:d8:95 client_ip=10.158.215.216 instigator=deritin http_resp=ptate dhcp_lease_completed=lloi dhcp_ip=nseq dhcp_server=equunt dhcp_server_mac=tutla dhcp_resp=usmod url=https://example.com/qui/itse.gif?orsitame=tasn#exeaco category0=upta server=10.75.122.111 vpn_type=reprehe connectivity=deFinib", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 19814, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "related.hosts": [ - "appliance" - ], - "related.ip": [ - "10.75.122.111", - "10.85.59.172" - ], - "rsa.counters.dclass_r1": "sequat", - "rsa.internal.messageid": "events", - "rsa.misc.category": "upta", - "rsa.misc.event_source": "appliance", - "rsa.misc.event_type": "modoco", - "rsa.misc.node": "iusmod_", - "rsa.misc.sensor": "iusmod_", - "rsa.time.duration_time": 10.574, - "rsa.time.event_time": "2019-11-30T00:21:57.000Z", - "service.type": "cisco", - "source.ip": "10.85.59.172", - "tags": [ - "cisco.meraki", - "forwarded" - ], - "url.domain": "example.com", - "url.extension": "gif", - "url.fragment": "exeaco", - "url.original": "https://example.com/qui/itse.gif?orsitame=tasn#exeaco", - "url.path": "/qui/itse.gif", - "url.query": "orsitame=tasn", - "url.scheme": "https" - }, - { - "@timestamp": "2019-12-14T07:24:31.000Z", - "event.code": "events", - "event.dataset": "cisco.meraki", - "event.module": "cisco", - "event.original": "orr 1576308271.pre aute events IDS: rchite", - "fileset.name": "meraki", - "input.type": "log", - "log.offset": 20517, - "observer.product": "Meraki", - "observer.type": "Wireless", - "observer.vendor": "Cisco", - "rsa.db.index": "rchite", - 
"rsa.internal.event_desc": "events IDS", - "rsa.internal.messageid": "events", - "rsa.misc.node": "aute", - "rsa.misc.sensor": "aute", - "rsa.time.event_time": "2019-12-14T07:24:31.000Z", - "service.type": "cisco", - "tags": [ - "cisco.meraki", - "forwarded" - ] - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/nexus/_meta/fields.yml b/x-pack/filebeat/module/cisco/nexus/_meta/fields.yml deleted file mode 100644 index 08a34153c4f..00000000000 --- a/x-pack/filebeat/module/cisco/nexus/_meta/fields.yml +++ /dev/null 
@@ -1,2635 +0,0 @@ -- name: network.interface.name - overwrite: true - type: keyword - description: > - Name of the network interface where the traffic has been observed. -- name: rsa - overwrite: true - type: group - fields: - - name: internal - overwrite: true - type: group - fields: - - name: msg - overwrite: true - type: keyword - description: This key is used to capture the raw message that comes into the - Log Decoder - - name: messageid - overwrite: true - type: keyword - - name: event_desc - overwrite: true - type: keyword - - name: message - overwrite: true - type: keyword - description: This key captures the contents of instant messages - - name: time - overwrite: true - type: date - description: This is the time at which a session hits a NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness. - - name: level - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: msg_id - overwrite: true - type: keyword - description: This is the Message ID1 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: msg_vid - overwrite: true - type: keyword - description: This is the Message ID2 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: data - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: resource - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: statement - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: entry - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: inode - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: resource_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: dead - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - overwrite: true - type: keyword - description: This is used to capture the description of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: feed_name - overwrite: true - type: keyword - description: This is used to capture the name of the feed. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: cid - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_class - overwrite: true - type: keyword - description: This is the Classification of the Log Event Source under a predefined - fixed set of Event Source Classifications. 
This key should never be used to - parse Meta data from a session (Logs/Packets) Directly, this is a Reserved - key in NetWitness - - name: device_group - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - overwrite: true - type: keyword - description: This is the Hostname of the log Event Source sending the logs to - NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - overwrite: true - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - overwrite: true - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - overwrite: true - type: keyword - description: This is the name of the log parser which parsed a given session. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_type_id - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: did - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. 
- This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: entropy_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: entropy_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: event_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - overwrite: true - type: keyword - description: This is used to capture the category of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: forward_ip - overwrite: true - type: ip - description: This key should be used to capture the IPV4 address of a relay - system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - overwrite: true - type: ip - description: This key is used to capture the IPV6 address of a relay system - which forwarded the events from the original system to NetWitness. This key - should never be used to parse Meta data from a session (Logs/Packets) Directly, - this is a Reserved key in NetWitness - - name: header_id - overwrite: true - type: keyword - description: This is the Header ID value that identifies the exact log parser - header definition that parses a particular log session. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: lc_cid - overwrite: true - type: keyword - description: This is a unique Identifier of a Log Collector. 
This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: lc_ctime - overwrite: true - type: date - description: This is the time at which a log is collected in a NetWitness Log - Collector. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: mcbc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: medium - overwrite: true - type: long - description: "This key is used to identify if it\u2019s a log/packet session\ - \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ - \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ - \ 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: nwe_callback_id - overwrite: true - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - overwrite: true - type: keyword - description: This is a special key that stores any Meta key validation error - found while parsing a log session. This key should never be used to parse - Meta data from a session (Logs/Packets) Directly, this is a Reserved key in - NetWitness - - name: payload_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: payload_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: process_vid_dst - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the target process. - - name: process_vid_src - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the source process. - - name: rid - overwrite: true - type: long - description: This is a special ID of the Remote Session created by NetWitness - Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: session_split - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: size - overwrite: true - type: long - description: This is the size of the session as seen by the NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: sourcefile - overwrite: true - type: keyword - description: This is the name of the log file or PCAPs that can be imported - into NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: ubc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: word - overwrite: true - type: keyword - description: This is used by the Word Parsing technology to capture the first - 5 character of every word in an unparsed log - - name: time - overwrite: true - type: group - fields: - - name: event_time - overwrite: true - type: date - description: This key is used to capture the time mentioned in a raw session - that represents the actual time an event occured in a standard normalized - form - - name: duration_time - overwrite: true - type: double - description: This key is used to capture the normalized duration/lifetime in - seconds. 
- - name: event_time_str - overwrite: true - type: keyword - description: This key is used to capture the incomplete time mentioned in a - session as a string - - name: starttime - overwrite: true - type: date - description: This key is used to capture the Start time mentioned in a session - in a standard form - - name: month - overwrite: true - type: keyword - - name: day - overwrite: true - type: keyword - - name: endtime - overwrite: true - type: date - description: This key is used to capture the End time mentioned in a session - in a standard form - - name: timezone - overwrite: true - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - overwrite: true - type: keyword - description: A text string version of the duration - - name: date - overwrite: true - type: keyword - - name: year - overwrite: true - type: keyword - - name: recorded_time - overwrite: true - type: date - description: The event time as recorded by the system the event is collected - from. The usage scenario is a multi-tier application where the management - layer of the system records it's own timestamp at the time of collection from - its child nodes. Must be in timestamp format. - - name: datetime - overwrite: true - type: keyword - - name: effective_time - overwrite: true - type: date - description: This key is the effective time referenced by an individual event - in a Standard Timestamp format - - name: expire_time - overwrite: true - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - overwrite: true - type: keyword - description: Deprecated, use duration.time - - name: hour - overwrite: true - type: keyword - - name: min - overwrite: true - type: keyword - - name: timestamp - overwrite: true - type: keyword - - name: event_queue_time - overwrite: true - type: date - description: This key is the Time that the event was queued. 
- - name: p_time1 - overwrite: true - type: keyword - - name: tzone - overwrite: true - type: keyword - - name: eventtime - overwrite: true - type: keyword - - name: gmtdate - overwrite: true - type: keyword - - name: gmttime - overwrite: true - type: keyword - - name: p_date - overwrite: true - type: keyword - - name: p_month - overwrite: true - type: keyword - - name: p_time - overwrite: true - type: keyword - - name: p_time2 - overwrite: true - type: keyword - - name: p_year - overwrite: true - type: keyword - - name: expire_time_str - overwrite: true - type: keyword - description: This key is used to capture incomplete timestamp that explicitly - refers to an expiration. - - name: stamp - overwrite: true - type: date - description: Deprecated key defined only in table map. - - name: misc - overwrite: true - type: group - fields: - - name: action - overwrite: true - type: keyword - - name: result - overwrite: true - type: keyword - description: This key is used to capture the outcome/result string value of - an action in a session. - - name: severity - overwrite: true - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - overwrite: true - type: keyword - description: This key captures the event category type as specified by the event - source. - - name: reference_id - overwrite: true - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - overwrite: true - type: keyword - description: This key captures Version of the application or OS which is generating - the event. - - name: disposition - overwrite: true - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - overwrite: true - type: keyword - description: This key is used to capture the outcome/result numeric value of - an action in a session - - name: category - overwrite: true - type: keyword - description: This key is used to capture the category of an event given by the - vendor in the session - - name: obj_name - overwrite: true - type: keyword - description: This is used to capture name of object - - name: obj_type - overwrite: true - type: keyword - description: This is used to capture type of object - - name: event_source - overwrite: true - type: keyword - description: "This key captures Source of the event that\u2019s not a hostname" - - name: log_session_id - overwrite: true - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - overwrite: true - type: keyword - description: This key captures the Group Name value - - name: policy_name - overwrite: true - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - overwrite: true - type: keyword - description: This key captures the Rule Name - - name: context - overwrite: true - type: keyword - description: This key captures Information which adds additional context to - the event. - - name: change_new - overwrite: true - type: keyword - description: "This key is used to capture the new values of the attribute that\u2019\ - s changing in a session" - - name: space - overwrite: true - type: keyword - - name: client - overwrite: true - type: keyword - description: This key is used to capture only the name of the client application - requesting resources of the server. See the user.agent meta key for capture - of the specific user agent identifier or browser identification string. 
- - name: msgIdPart1 - overwrite: true - type: keyword - - name: msgIdPart2 - overwrite: true - type: keyword - - name: change_old - overwrite: true - type: keyword - description: "This key is used to capture the old value of the attribute that\u2019\ - s changing in a session" - - name: operation_id - overwrite: true - type: keyword - description: An alert number or operation number. The values should be unique - and non-repeating. - - name: event_state - overwrite: true - type: keyword - description: This key captures the current state of the object/item referenced - within the event. Describing an on-going event. - - name: group_object - overwrite: true - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - overwrite: true - type: keyword - description: Common use case is the node name within a cluster. The cluster - name is reflected by the host name. - - name: rule - overwrite: true - type: keyword - description: This key captures the Rule number - - name: device_name - overwrite: true - type: keyword - description: 'This is used to capture name of the Device associated with the - node Like: a physical disk, printer, etc' - - name: param - overwrite: true - type: keyword - description: This key is the parameters passed as part of a command or application, - etc. - - name: change_attrib - overwrite: true - type: keyword - description: "This key is used to capture the name of the attribute that\u2019\ - s changing in a session" - - name: event_computer - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - fully qualified domain name in a windows log. 
- - name: reference_id1 - overwrite: true - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - overwrite: true - type: keyword - description: This key captures the Name of the event log - - name: OS - overwrite: true - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - overwrite: true - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - overwrite: true - type: keyword - - name: filter - overwrite: true - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - overwrite: true - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the entity - such as a file or process. Checksum should be used over checksum.src or checksum.dst - when it is unclear whether the entity is a source or target of an action. - - name: event_user - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - combination of domain name and username in a windows log. - - name: virusname - overwrite: true - type: keyword - description: This key captures the name of the virus - - name: content_type - overwrite: true - type: keyword - description: This key is used to capture Content Type only. 
- - name: group_id - overwrite: true - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - overwrite: true - type: keyword - description: This key is used to capture the Policy ID only, this should be - a numeric value, use policy.name otherwise - - name: vsys - overwrite: true - type: keyword - description: This key captures Virtual System Name - - name: connection_id - overwrite: true - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - overwrite: true - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" - or "reference.id1" value but should not be used unless the other two variables - are in play. - - name: sensor - overwrite: true - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS - based devices - - name: sig_id - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - overwrite: true - type: keyword - description: 'This key is used for Physical or logical port connection but does - NOT include a network port. (Example: Printer port name).' - - name: rule_group - overwrite: true - type: keyword - description: This key captures the Rule group name - - name: risk_num - overwrite: true - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - overwrite: true - type: keyword - description: This key captures the Value of the trigger or threshold condition. - - name: log_session_id1 - overwrite: true - type: keyword - description: This key is used to capture a Linked (Related) Session ID from - the session directly - - name: comp_version - overwrite: true - type: keyword - description: This key captures the Version level of a sub-component of a product. 
- - name: content_version - overwrite: true - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - overwrite: true - type: keyword - description: This key is used to capture unique identifier for a device or system - (NOT a Mac address) - - name: risk - overwrite: true - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - overwrite: true - type: keyword - - name: reason - overwrite: true - type: keyword - - name: status - overwrite: true - type: keyword - - name: mail_id - overwrite: true - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - overwrite: true - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - overwrite: true - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - overwrite: true - type: keyword - - name: p_msgid - overwrite: true - type: keyword - - name: data_type - overwrite: true - type: keyword - - name: msgIdPart4 - overwrite: true - type: keyword - - name: error - overwrite: true - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - overwrite: true - type: keyword - - name: listnum - overwrite: true - type: keyword - description: This key is used to capture listname or listnumber, primarily for - collecting access-list - - name: ntype - overwrite: true - type: keyword - - name: observed_val - overwrite: true - type: keyword - description: This key captures the Value observed (from the perspective of the - device generating the log). - - name: policy_value - overwrite: true - type: keyword - description: This key captures the contents of the policy. 
This contains details - about the policy - - name: pool_name - overwrite: true - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - overwrite: true - type: keyword - description: A default set of parameters which are overlayed onto a rule (or - rulename) which efffectively constitutes a template - - name: count - overwrite: true - type: keyword - - name: number - overwrite: true - type: keyword - - name: sigcat - overwrite: true - type: keyword - - name: type - overwrite: true - type: keyword - - name: comments - overwrite: true - type: keyword - description: Comment information provided in the log message - - name: doc_number - overwrite: true - type: long - description: This key captures File Identification number - - name: expected_val - overwrite: true - type: keyword - description: This key captures the Value expected (from the perspective of the - device generating the log). - - name: job_num - overwrite: true - type: keyword - description: This key captures the Job Number - - name: spi_dst - overwrite: true - type: keyword - description: Destination SPI Index - - name: spi_src - overwrite: true - type: keyword - description: Source SPI Index - - name: code - overwrite: true - type: keyword - - name: agent_id - overwrite: true - type: keyword - description: This key is used to capture agent id - - name: message_body - overwrite: true - type: keyword - description: This key captures the The contents of the message body. - - name: phone - overwrite: true - type: keyword - - name: sig_id_str - overwrite: true - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - overwrite: true - type: keyword - - name: misc - overwrite: true - type: keyword - - name: name - overwrite: true - type: keyword - - name: cpu - overwrite: true - type: long - description: This key is the CPU time used in the execution of the event being - recorded. 
- - name: event_desc - overwrite: true - type: keyword - description: This key is used to capture a description of an event available - directly or inferred - - name: sig_id1 - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID. This must be linked - to the sig.id - - name: im_buddyid - overwrite: true - type: keyword - - name: im_client - overwrite: true - type: keyword - - name: im_userid - overwrite: true - type: keyword - - name: pid - overwrite: true - type: keyword - - name: priority - overwrite: true - type: keyword - - name: context_subject - overwrite: true - type: keyword - description: This key is to be used in an audit context where the subject is - the object being identified - - name: context_target - overwrite: true - type: keyword - - name: cve - overwrite: true - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - - an identifier for known information security vulnerabilities. - - name: fcatnum - overwrite: true - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - overwrite: true - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - overwrite: true - type: keyword - description: This key captures the Parent Node Name. Must be related to node - variable. - - name: risk_info - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - overwrite: true - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - overwrite: true - type: long - description: This key describes the type of service - - name: vm_target - overwrite: true - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - overwrite: true - type: keyword - description: This key captures Workspace Description - - name: command - overwrite: true - type: keyword - - name: event_category - overwrite: true - type: keyword - - name: facilityname - overwrite: true - type: keyword - - name: forensic_info - overwrite: true - type: keyword - - name: jobname - overwrite: true - type: keyword - - name: mode - overwrite: true - type: keyword - - name: policy - overwrite: true - type: keyword - - name: policy_waiver - overwrite: true - type: keyword - - name: second - overwrite: true - type: keyword - - name: space1 - overwrite: true - type: keyword - - name: subcategory - overwrite: true - type: keyword - - name: tbdstr2 - overwrite: true - type: keyword - - name: alert_id - overwrite: true - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the the target - entity such as a process or file. - - name: checksum_src - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the source - entity such as a file or process. 
- - name: fresult - overwrite: true - type: long - description: This key captures the Filter Result - - name: payload_dst - overwrite: true - type: keyword - description: This key is used to capture destination payload - - name: payload_src - overwrite: true - type: keyword - description: This key is used to capture source payload - - name: pool_id - overwrite: true - type: keyword - description: This key captures the identifier (typically numeric field) of a - resource pool - - name: process_id_val - overwrite: true - type: keyword - description: This key is a failure key for Process ID when it is not an integer - value - - name: risk_num_comm - overwrite: true - type: double - description: This key captures Risk Number Community - - name: risk_num_next - overwrite: true - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - overwrite: true - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - overwrite: true - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - overwrite: true - type: keyword - description: SNMP Object Identifier - - name: sql - overwrite: true - type: keyword - description: This key captures the SQL query - - name: vuln_ref - overwrite: true - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - overwrite: true - type: keyword - - name: acl_op - overwrite: true - type: keyword - - name: acl_pos - overwrite: true - type: keyword - - name: acl_table - overwrite: true - type: keyword - - name: admin - overwrite: true - type: keyword - - name: alarm_id - overwrite: true - type: keyword - - name: alarmname - 
overwrite: true - type: keyword - - name: app_id - overwrite: true - type: keyword - - name: audit - overwrite: true - type: keyword - - name: audit_object - overwrite: true - type: keyword - - name: auditdata - overwrite: true - type: keyword - - name: benchmark - overwrite: true - type: keyword - - name: bypass - overwrite: true - type: keyword - - name: cache - overwrite: true - type: keyword - - name: cache_hit - overwrite: true - type: keyword - - name: cefversion - overwrite: true - type: keyword - - name: cfg_attr - overwrite: true - type: keyword - - name: cfg_obj - overwrite: true - type: keyword - - name: cfg_path - overwrite: true - type: keyword - - name: changes - overwrite: true - type: keyword - - name: client_ip - overwrite: true - type: keyword - - name: clustermembers - overwrite: true - type: keyword - - name: cn_acttimeout - overwrite: true - type: keyword - - name: cn_asn_src - overwrite: true - type: keyword - - name: cn_bgpv4nxthop - overwrite: true - type: keyword - - name: cn_ctr_dst_code - overwrite: true - type: keyword - - name: cn_dst_tos - overwrite: true - type: keyword - - name: cn_dst_vlan - overwrite: true - type: keyword - - name: cn_engine_id - overwrite: true - type: keyword - - name: cn_engine_type - overwrite: true - type: keyword - - name: cn_f_switch - overwrite: true - type: keyword - - name: cn_flowsampid - overwrite: true - type: keyword - - name: cn_flowsampintv - overwrite: true - type: keyword - - name: cn_flowsampmode - overwrite: true - type: keyword - - name: cn_inacttimeout - overwrite: true - type: keyword - - name: cn_inpermbyts - overwrite: true - type: keyword - - name: cn_inpermpckts - overwrite: true - type: keyword - - name: cn_invalid - overwrite: true - type: keyword - - name: cn_ip_proto_ver - overwrite: true - type: keyword - - name: cn_ipv4_ident - overwrite: true - type: keyword - - name: cn_l_switch - overwrite: true - type: keyword - - name: cn_log_did - overwrite: true - type: keyword - - name: 
cn_log_rid - overwrite: true - type: keyword - - name: cn_max_ttl - overwrite: true - type: keyword - - name: cn_maxpcktlen - overwrite: true - type: keyword - - name: cn_min_ttl - overwrite: true - type: keyword - - name: cn_minpcktlen - overwrite: true - type: keyword - - name: cn_mpls_lbl_1 - overwrite: true - type: keyword - - name: cn_mpls_lbl_10 - overwrite: true - type: keyword - - name: cn_mpls_lbl_2 - overwrite: true - type: keyword - - name: cn_mpls_lbl_3 - overwrite: true - type: keyword - - name: cn_mpls_lbl_4 - overwrite: true - type: keyword - - name: cn_mpls_lbl_5 - overwrite: true - type: keyword - - name: cn_mpls_lbl_6 - overwrite: true - type: keyword - - name: cn_mpls_lbl_7 - overwrite: true - type: keyword - - name: cn_mpls_lbl_8 - overwrite: true - type: keyword - - name: cn_mpls_lbl_9 - overwrite: true - type: keyword - - name: cn_mplstoplabel - overwrite: true - type: keyword - - name: cn_mplstoplabip - overwrite: true - type: keyword - - name: cn_mul_dst_byt - overwrite: true - type: keyword - - name: cn_mul_dst_pks - overwrite: true - type: keyword - - name: cn_muligmptype - overwrite: true - type: keyword - - name: cn_sampalgo - overwrite: true - type: keyword - - name: cn_sampint - overwrite: true - type: keyword - - name: cn_seqctr - overwrite: true - type: keyword - - name: cn_spackets - overwrite: true - type: keyword - - name: cn_src_tos - overwrite: true - type: keyword - - name: cn_src_vlan - overwrite: true - type: keyword - - name: cn_sysuptime - overwrite: true - type: keyword - - name: cn_template_id - overwrite: true - type: keyword - - name: cn_totbytsexp - overwrite: true - type: keyword - - name: cn_totflowexp - overwrite: true - type: keyword - - name: cn_totpcktsexp - overwrite: true - type: keyword - - name: cn_unixnanosecs - overwrite: true - type: keyword - - name: cn_v6flowlabel - overwrite: true - type: keyword - - name: cn_v6optheaders - overwrite: true - type: keyword - - name: comp_class - overwrite: true - type: 
keyword - - name: comp_name - overwrite: true - type: keyword - - name: comp_rbytes - overwrite: true - type: keyword - - name: comp_sbytes - overwrite: true - type: keyword - - name: cpu_data - overwrite: true - type: keyword - - name: criticality - overwrite: true - type: keyword - - name: cs_agency_dst - overwrite: true - type: keyword - - name: cs_analyzedby - overwrite: true - type: keyword - - name: cs_av_other - overwrite: true - type: keyword - - name: cs_av_primary - overwrite: true - type: keyword - - name: cs_av_secondary - overwrite: true - type: keyword - - name: cs_bgpv6nxthop - overwrite: true - type: keyword - - name: cs_bit9status - overwrite: true - type: keyword - - name: cs_context - overwrite: true - type: keyword - - name: cs_control - overwrite: true - type: keyword - - name: cs_data - overwrite: true - type: keyword - - name: cs_datecret - overwrite: true - type: keyword - - name: cs_dst_tld - overwrite: true - type: keyword - - name: cs_eth_dst_ven - overwrite: true - type: keyword - - name: cs_eth_src_ven - overwrite: true - type: keyword - - name: cs_event_uuid - overwrite: true - type: keyword - - name: cs_filetype - overwrite: true - type: keyword - - name: cs_fld - overwrite: true - type: keyword - - name: cs_if_desc - overwrite: true - type: keyword - - name: cs_if_name - overwrite: true - type: keyword - - name: cs_ip_next_hop - overwrite: true - type: keyword - - name: cs_ipv4dstpre - overwrite: true - type: keyword - - name: cs_ipv4srcpre - overwrite: true - type: keyword - - name: cs_lifetime - overwrite: true - type: keyword - - name: cs_log_medium - overwrite: true - type: keyword - - name: cs_loginname - overwrite: true - type: keyword - - name: cs_modulescore - overwrite: true - type: keyword - - name: cs_modulesign - overwrite: true - type: keyword - - name: cs_opswatresult - overwrite: true - type: keyword - - name: cs_payload - overwrite: true - type: keyword - - name: cs_registrant - overwrite: true - type: keyword - - 
name: cs_registrar - overwrite: true - type: keyword - - name: cs_represult - overwrite: true - type: keyword - - name: cs_rpayload - overwrite: true - type: keyword - - name: cs_sampler_name - overwrite: true - type: keyword - - name: cs_sourcemodule - overwrite: true - type: keyword - - name: cs_streams - overwrite: true - type: keyword - - name: cs_targetmodule - overwrite: true - type: keyword - - name: cs_v6nxthop - overwrite: true - type: keyword - - name: cs_whois_server - overwrite: true - type: keyword - - name: cs_yararesult - overwrite: true - type: keyword - - name: description - overwrite: true - type: keyword - - name: devvendor - overwrite: true - type: keyword - - name: distance - overwrite: true - type: keyword - - name: dstburb - overwrite: true - type: keyword - - name: edomain - overwrite: true - type: keyword - - name: edomaub - overwrite: true - type: keyword - - name: euid - overwrite: true - type: keyword - - name: facility - overwrite: true - type: keyword - - name: finterface - overwrite: true - type: keyword - - name: flags - overwrite: true - type: keyword - - name: gaddr - overwrite: true - type: keyword - - name: id3 - overwrite: true - type: keyword - - name: im_buddyname - overwrite: true - type: keyword - - name: im_croomid - overwrite: true - type: keyword - - name: im_croomtype - overwrite: true - type: keyword - - name: im_members - overwrite: true - type: keyword - - name: im_username - overwrite: true - type: keyword - - name: ipkt - overwrite: true - type: keyword - - name: ipscat - overwrite: true - type: keyword - - name: ipspri - overwrite: true - type: keyword - - name: latitude - overwrite: true - type: keyword - - name: linenum - overwrite: true - type: keyword - - name: list_name - overwrite: true - type: keyword - - name: load_data - overwrite: true - type: keyword - - name: location_floor - overwrite: true - type: keyword - - name: location_mark - overwrite: true - type: keyword - - name: log_id - overwrite: true - 
type: keyword - - name: log_type - overwrite: true - type: keyword - - name: logid - overwrite: true - type: keyword - - name: logip - overwrite: true - type: keyword - - name: logname - overwrite: true - type: keyword - - name: longitude - overwrite: true - type: keyword - - name: lport - overwrite: true - type: keyword - - name: mbug_data - overwrite: true - type: keyword - - name: misc_name - overwrite: true - type: keyword - - name: msg_type - overwrite: true - type: keyword - - name: msgid - overwrite: true - type: keyword - - name: netsessid - overwrite: true - type: keyword - - name: num - overwrite: true - type: keyword - - name: number1 - overwrite: true - type: keyword - - name: number2 - overwrite: true - type: keyword - - name: nwwn - overwrite: true - type: keyword - - name: object - overwrite: true - type: keyword - - name: operation - overwrite: true - type: keyword - - name: opkt - overwrite: true - type: keyword - - name: orig_from - overwrite: true - type: keyword - - name: owner_id - overwrite: true - type: keyword - - name: p_action - overwrite: true - type: keyword - - name: p_filter - overwrite: true - type: keyword - - name: p_group_object - overwrite: true - type: keyword - - name: p_id - overwrite: true - type: keyword - - name: p_msgid1 - overwrite: true - type: keyword - - name: p_msgid2 - overwrite: true - type: keyword - - name: p_result1 - overwrite: true - type: keyword - - name: password_chg - overwrite: true - type: keyword - - name: password_expire - overwrite: true - type: keyword - - name: permgranted - overwrite: true - type: keyword - - name: permwanted - overwrite: true - type: keyword - - name: pgid - overwrite: true - type: keyword - - name: policyUUID - overwrite: true - type: keyword - - name: prog_asp_num - overwrite: true - type: keyword - - name: program - overwrite: true - type: keyword - - name: real_data - overwrite: true - type: keyword - - name: rec_asp_device - overwrite: true - type: keyword - - name: rec_asp_num 
- overwrite: true - type: keyword - - name: rec_library - overwrite: true - type: keyword - - name: recordnum - overwrite: true - type: keyword - - name: ruid - overwrite: true - type: keyword - - name: sburb - overwrite: true - type: keyword - - name: sdomain_fld - overwrite: true - type: keyword - - name: sec - overwrite: true - type: keyword - - name: sensorname - overwrite: true - type: keyword - - name: seqnum - overwrite: true - type: keyword - - name: session - overwrite: true - type: keyword - - name: sessiontype - overwrite: true - type: keyword - - name: sigUUID - overwrite: true - type: keyword - - name: spi - overwrite: true - type: keyword - - name: srcburb - overwrite: true - type: keyword - - name: srcdom - overwrite: true - type: keyword - - name: srcservice - overwrite: true - type: keyword - - name: state - overwrite: true - type: keyword - - name: status1 - overwrite: true - type: keyword - - name: svcno - overwrite: true - type: keyword - - name: system - overwrite: true - type: keyword - - name: tbdstr1 - overwrite: true - type: keyword - - name: tgtdom - overwrite: true - type: keyword - - name: tgtdomain - overwrite: true - type: keyword - - name: threshold - overwrite: true - type: keyword - - name: type1 - overwrite: true - type: keyword - - name: udb_class - overwrite: true - type: keyword - - name: url_fld - overwrite: true - type: keyword - - name: user_div - overwrite: true - type: keyword - - name: userid - overwrite: true - type: keyword - - name: username_fld - overwrite: true - type: keyword - - name: utcstamp - overwrite: true - type: keyword - - name: v_instafname - overwrite: true - type: keyword - - name: virt_data - overwrite: true - type: keyword - - name: vpnid - overwrite: true - type: keyword - - name: autorun_type - overwrite: true - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - overwrite: true - type: long - description: Valid Credit Card Numbers only - - name: content - 
overwrite: true - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - overwrite: true - type: long - description: Employee Identification Numbers only - - name: found - overwrite: true - type: keyword - description: This is used to capture the results of regex match - - name: language - overwrite: true - type: keyword - description: This is used to capture list of languages the client support and - what it prefers - - name: lifetime - overwrite: true - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - overwrite: true - type: keyword - description: This key is used to link the sessions together. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: match - overwrite: true - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - overwrite: true - type: keyword - description: This key captures the command line/launch argument of the target - process or file - - name: param_src - overwrite: true - type: keyword - description: This key captures source parameter - - name: search_text - overwrite: true - type: keyword - description: This key captures the Search Text used - - name: sig_name - overwrite: true - type: keyword - description: This key is used to capture the Signature Name only. - - name: snmp_value - overwrite: true - type: keyword - description: SNMP set request value - - name: streams - overwrite: true - type: long - description: This key captures number of streams in session - - name: db - overwrite: true - type: group - fields: - - name: index - overwrite: true - type: keyword - description: This key captures IndexID of the index. 
- - name: instance - overwrite: true - type: keyword - description: This key is used to capture the database server instance name - - name: database - overwrite: true - type: keyword - description: This key is used to capture the name of a database or an instance - as seen in a session - - name: transact_id - overwrite: true - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - overwrite: true - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - overwrite: true - type: keyword - description: This key is used to capture the table name - - name: db_id - overwrite: true - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - overwrite: true - type: long - description: This key captures the process id of a connection with database - server - - name: lread - overwrite: true - type: long - description: This key is used for the number of logical reads - - name: lwrite - overwrite: true - type: long - description: This key is used for the number of logical writes - - name: pread - overwrite: true - type: long - description: This key is used for the number of physical writes - - name: network - overwrite: true - type: group - fields: - - name: alias_host - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a hostname is not clear.Also it captures the Device Hostname. Any Hostname - that isnt ad.computer. 
- - name: domain - overwrite: true - type: keyword - - name: host_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Hostname" - - name: network_service - overwrite: true - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of an interface is not clear - - name: network_port - overwrite: true - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently - used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - overwrite: true - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Interface" - - name: dinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Interface" - - name: vlan - overwrite: true - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Zone." - - name: zone - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a Zone is not clear - - name: zone_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Zone." - - name: gateway - overwrite: true - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - overwrite: true - type: long - description: This key is used to capture the ICMP type only - - name: mask - overwrite: true - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - overwrite: true - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - overwrite: true - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - overwrite: true - type: keyword - description: This key is used for Destionation Device network mask - - name: port - overwrite: true - type: long - description: This key should only be used to capture a Network Port when the - directionality is not clear - - name: smask - overwrite: true - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - overwrite: true - type: keyword - description: This key is used to capture the network name associated with an - IP range. This is configured by the end user. - - name: paddr - overwrite: true - type: ip - description: Deprecated - - name: faddr - overwrite: true - type: keyword - - name: lhost - overwrite: true - type: keyword - - name: origin - overwrite: true - type: keyword - - name: remote_domain_id - overwrite: true - type: keyword - - name: addr - overwrite: true - type: keyword - - name: dns_a_record - overwrite: true - type: keyword - - name: dns_ptr_record - overwrite: true - type: keyword - - name: fhost - overwrite: true - type: keyword - - name: fport - overwrite: true - type: keyword - - name: laddr - overwrite: true - type: keyword - - name: linterface - overwrite: true - type: keyword - - name: phost - overwrite: true - type: keyword - - name: ad_computer_dst - overwrite: true - type: keyword - description: Deprecated, use host.dst - - name: eth_type - overwrite: true - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols - Only - - name: ip_proto - overwrite: true - type: long - description: This key should be used to capture the Protocol number, all the - protocol nubers are converted into string in UI - - name: dns_cname_record - overwrite: true - 
type: keyword - - name: dns_id - overwrite: true - type: keyword - - name: dns_opcode - overwrite: true - type: keyword - - name: dns_resp - overwrite: true - type: keyword - - name: dns_type - overwrite: true - type: keyword - - name: domain1 - overwrite: true - type: keyword - - name: host_type - overwrite: true - type: keyword - - name: packet_length - overwrite: true - type: keyword - - name: host_orig - overwrite: true - type: keyword - description: This is used to capture the original hostname in case of a Forwarding - Agent or a Proxy in between. - - name: rpayload - overwrite: true - type: keyword - description: This key is used to capture the total number of payload bytes seen - in the retransmitted packets. - - name: vlan_name - overwrite: true - type: keyword - description: This key should only be used to capture the name of the Virtual - LAN - - name: investigations - overwrite: true - type: group - fields: - - name: ec_activity - overwrite: true - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - overwrite: true - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - overwrite: true - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - overwrite: true - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - overwrite: true - type: long - description: This key captures the Event category number - - name: event_cat_name - overwrite: true - type: keyword - description: This key captures the event category name corresponding to the - event cat code - - name: event_vcat - overwrite: true - type: keyword - description: This is a vendor supplied category. This should be used in situations - where the vendor has adopted their own event_category taxonomy. 
- - name: analysis_file - overwrite: true - type: keyword - description: This is used to capture all indicators used in a File Analysis. - This key should be used to capture an analysis of a file - - name: analysis_service - overwrite: true - type: keyword - description: This is used to capture all indicators used in a Service Analysis. - This key should be used to capture an analysis of a service - - name: analysis_session - overwrite: true - type: keyword - description: This is used to capture all indicators used for a Session Analysis. - This key should be used to capture an analysis of a session - - name: boc - overwrite: true - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - overwrite: true - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - overwrite: true - type: keyword - description: This used to capture investigation category - - name: inv_context - overwrite: true - type: keyword - description: This used to capture investigation context - - name: ioc - overwrite: true - type: keyword - description: This is key capture indicator of compromise - - name: counters - overwrite: true - type: group - fields: - - name: dclass_c1 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c1.str only - - name: dclass_c2 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c2.str only - - name: event_counter - overwrite: true - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r1.str only - - name: dclass_c3 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c3.str only - - name: dclass_c1_str - 
overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c1 only - - name: dclass_c2_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c2 only - - name: dclass_r1_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r1 only - - name: dclass_r2 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r2.str only - - name: dclass_c3_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c3 only - - name: dclass_r3 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r3.str only - - name: dclass_r2_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r2 only - - name: dclass_r3_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r3 only - - name: identity - overwrite: true - type: group - fields: - - name: auth_method - overwrite: true - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - overwrite: true - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - overwrite: true - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - overwrite: true - type: keyword - description: This key is used to capture the type of logon method used. 
- - name: profile - overwrite: true - type: keyword - description: This key is used to capture the user profile - - name: accesses - overwrite: true - type: keyword - description: This key is used to capture actual privileges used in accessing - an object - - name: realm - overwrite: true - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - overwrite: true - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that - indicates a Source dn - - name: org - overwrite: true - type: keyword - description: This key captures the User organization - - name: dn_dst - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that - indicates a Destination dn - - name: firstname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: lastname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: user_dept - overwrite: true - type: keyword - description: User's Department Names only - - name: user_sid_src - overwrite: true - type: keyword - description: This key captures Source User Session ID - - name: federated_sp - overwrite: true - type: keyword - description: This key is the Federated Service Provider. This is the application - requesting authentication. - - name: federated_idp - overwrite: true - type: keyword - description: This key is the federated Identity Provider. This is the server - providing the authentication. - - name: logon_type_desc - overwrite: true - type: keyword - description: This key is used to capture the textual description of an integer - logon type as stored in the meta key 'logon.type'. 
- - name: middlename - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: password - overwrite: true - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - overwrite: true - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - overwrite: true - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ - t have a clear query or response context" - - name: ldap_query - overwrite: true - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - overwrite: true - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - overwrite: true - type: keyword - description: This is used to capture username the process or service is running - as, the author of the task - - name: service_account - overwrite: true - type: keyword - description: This key is a windows specific key, used for capturing name of - the account a service (referenced in the event) is running under. Legacy Usage - - name: email - overwrite: true - type: group - fields: - - name: email_dst - overwrite: true - type: keyword - description: This key is used to capture the Destination email address only, - when the destination context is not clear use email - - name: email_src - overwrite: true - type: keyword - description: This key is used to capture the source email address only, when - the source context is not clear use email - - name: subject - overwrite: true - type: keyword - description: This key is used to capture the subject string from an Email only. 
- - name: email - overwrite: true - type: keyword - description: This key is used to capture a generic email address where the source - or destination context is not clear - - name: trans_from - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: file - overwrite: true - type: group - fields: - - name: privilege - overwrite: true - type: keyword - description: Deprecated, use permissions - - name: attachment - overwrite: true - type: keyword - description: This key captures the attachment file name - - name: filesystem - overwrite: true - type: keyword - - name: binary - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: filename_dst - overwrite: true - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - overwrite: true - type: keyword - description: This is used to capture name of the parent filename, the file which - performed the action - - name: filename_tmp - overwrite: true - type: keyword - - name: directory_dst - overwrite: true - type: keyword - description: This key is used to capture the directory of the target process - or file - - name: directory_src - overwrite: true - type: keyword - description: This key is used to capture the directory of the source process - or file - - name: file_entropy - overwrite: true - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - overwrite: true - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - overwrite: true - type: keyword - description: This is used to capture name of the task - - name: web - overwrite: true - type: group - fields: - - name: fqdn - overwrite: true - type: keyword - description: Fully Qualified Domain Names - - 
name: web_cookie - overwrite: true - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - overwrite: true - type: keyword - - name: reputation_num - overwrite: true - type: double - description: Reputation Number of an entity. Typically used for Web Domains - - name: web_ref_domain - overwrite: true - type: keyword - description: Web referer's domain - - name: web_ref_query - overwrite: true - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - overwrite: true - type: keyword - - name: web_ref_page - overwrite: true - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - overwrite: true - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - overwrite: true - type: keyword - - name: cn_rpackets - overwrite: true - type: keyword - - name: urlpage - overwrite: true - type: keyword - - name: urlroot - overwrite: true - type: keyword - - name: p_url - overwrite: true - type: keyword - - name: p_user_agent - overwrite: true - type: keyword - - name: p_web_cookie - overwrite: true - type: keyword - - name: p_web_method - overwrite: true - type: keyword - - name: p_web_referer - overwrite: true - type: keyword - - name: web_extension_tmp - overwrite: true - type: keyword - - name: web_page - overwrite: true - type: keyword - - name: threat - overwrite: true - type: group - fields: - - name: threat_category - overwrite: true - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of - alert - - name: threat_desc - overwrite: true - type: keyword - description: This key is used to capture the threat description from the session - directly or inferred - - name: alert - overwrite: true - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - overwrite: true - type: keyword - description: This key is used to 
capture source of the threat - - name: crypto - overwrite: true - type: group - fields: - - name: crypto - overwrite: true - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key - only - - name: cipher_src - overwrite: true - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - overwrite: true - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - overwrite: true - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - overwrite: true - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - overwrite: true - type: keyword - description: IKE negotiation phase. - - name: scheme - overwrite: true - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - overwrite: true - type: keyword - description: "This key is for Encryption peer\u2019s identity" - - name: sig_type - overwrite: true - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - overwrite: true - type: keyword - - name: cert_host_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: cert_error - overwrite: true - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - overwrite: true - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - overwrite: true - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - overwrite: true - type: keyword - description: Deprecated, use version - - name: d_certauth - overwrite: true - type: keyword - - name: s_certauth - overwrite: true - type: keyword - - name: ike_cookie1 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - - name: ike_cookie2 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - - name: cert_checksum - overwrite: true - type: keyword - - name: cert_host_cat - overwrite: true - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - overwrite: true - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - overwrite: true - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - overwrite: true - type: keyword - description: Deprecated, use version - - name: cert_keysize - overwrite: true - type: keyword - - name: cert_username - overwrite: true - type: keyword - - name: https_insact - overwrite: true - type: keyword - - name: https_valid - overwrite: true - type: keyword - - name: cert_ca - overwrite: true - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - overwrite: true - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - overwrite: true - type: group - fields: - - name: wlan_ssid - overwrite: true - type: keyword - description: This key is 
used to capture the ssid of a Wireless Session - - name: access_point - overwrite: true - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - overwrite: true - type: long - description: This is used to capture the channel names - - name: wlan_name - overwrite: true - type: keyword - description: This key captures either WLAN number/name - - name: storage - overwrite: true - type: group - fields: - - name: disk_volume - overwrite: true - type: keyword - description: A unique name assigned to logical units (volumes) within a physical - disk - - name: lun - overwrite: true - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - overwrite: true - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - overwrite: true - type: group - fields: - - name: org_dst - overwrite: true - type: keyword - description: This is used to capture the destination organization based on the - GEOPIP Maxmind database. - - name: org_src - overwrite: true - type: keyword - description: This is used to capture the source organization based on the GEOPIP - Maxmind database. 
- - name: healthcare - overwrite: true - type: group - fields: - - name: patient_fname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_id - overwrite: true - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_mname - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: endpoint - overwrite: true - type: group - fields: - - name: host_state - overwrite: true - type: keyword - description: This key is used to capture the current state of the machine, such - as blacklisted, infected, firewall - disabled and so on - - name: registry_key - overwrite: true - type: keyword - description: This key captures the path to the registry key - - name: registry_value - overwrite: true - type: keyword - description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/cisco/nexus/config/input.yml b/x-pack/filebeat/module/cisco/nexus/config/input.yml deleted file mode 100644 index 096b3882b87..00000000000 --- a/x-pack/filebeat/module/cisco/nexus/config/input.yml +++ /dev/null 
@@ -1,87 +0,0 @@
-{{ if eq .input "file" }}
-
-type: log
-paths:
- {{ range $i, $path := .paths }}
-- {{$path}}
- {{ end }}
-exclude_files: [".gz$"]
-
-{{ else }}
-
-type: {{.input}}
-host: "{{.syslog_host}}:{{.syslog_port}}"
-
-{{ end }}
-
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
-
-fields_under_root: true
-fields:
- observer:
- vendor: "Cisco"
- product: "Nexus"
- type: "Switches"
-
-processors:
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{.rsa_fields}}
- tz_offset: {{.tz_offset}}
- keep_raw: {{.keep_raw_fields}}
- debug: {{.debug}}
- files:
- - ${path.home}/module/cisco/nexus/config/liblogparser.js
- - ${path.home}/module/cisco/nexus/config/pipeline.js
-{{ if .community_id }}
-- community_id: ~
-{{ end }}
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: dns.question.name
- target_field: dns.question.registered_domain
- target_subdomain_field: dns.question.subdomain
- target_etld_field: dns.question.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: client.domain
- target_field: client.registered_domain
- target_subdomain_field: client.subdomain
- target_etld_field: client.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: server.domain
- target_field: server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/cisco/nexus/config/liblogparser.js b/x-pack/filebeat/module/cisco/nexus/config/liblogparser.js
deleted file mode 100644
index b35eaa3ddce..00000000000
--- a/x-pack/filebeat/module/cisco/nexus/config/liblogparser.js
+++ /dev/null
@@ -1,2514 +0,0 @@
-// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-// or more contributor license agreements. Licensed under the Elastic License;
-// you may not use this file except in compliance with the Elastic License.
-
-/* jshint -W014,-W016,-W097,-W116 */
-
-var processor = require("processor");
-var console = require("console");
-
-var FLAG_FIELD = "log.flags";
-var FIELDS_OBJECT = "nwparser";
-var FIELDS_PREFIX = FIELDS_OBJECT + ".";
-
-var defaults = {
- debug: false,
- ecs: true,
- rsa: false,
- keep_raw: false,
- tz_offset: "local",
- strip_priority: true
-};
-
-var saved_flags = null;
-var debug;
-var map_ecs;
-var map_rsa;
-var keep_raw;
-var device;
-var tz_offset;
-var strip_priority;
-
-// Register params from configuration.
-function register(params) {
- debug = params.debug !== undefined ? params.debug : defaults.debug;
- map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
- map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
- keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
- tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
- strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority;
- device = new DeviceProcessor();
-}
-
-function parse_tz_offset(offset) {
- var date;
- var m;
- switch(offset) {
- // local uses the tz offset from the JS VM.
- case "local":
- date = new Date();
- // Reversing the sign as we the offset from UTC, not to UTC.
- return parse_local_tz_offset(-date.getTimezoneOffset());
- // event uses the tz offset from event.timezone (add_locale processor).
- case "event":
- return offset;
- // Otherwise a tz offset in the form "[+-][0-9]{4}" is required.
- default:
- m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/);
- if (m === null || m.length !== 4) {
- throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM");
- }
- return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00");
- }
-}
-
-function parse_local_tz_offset(minutes) {
- var neg = minutes < 0;
- minutes = Math.abs(minutes);
- var min = minutes % 60;
- var hours = Math.floor(minutes / 60);
- var pad2digit = function(n) {
- if (n < 10) { return "0" + n;}
- return "" + n;
- };
- return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min);
-}
-
-function process(evt) {
- // Function register is only called by the processor when `params` are set
- // in the processor config.
- if (device === undefined) {
- register(defaults);
- }
- return device.process(evt);
-}
-
-function processor_chain(subprocessors) {
- var builder = new processor.Chain();
- subprocessors.forEach(builder.Add);
- return builder.Build().Run;
-}
-
-function linear_select(subprocessors) {
- return function (evt) {
- var flags = evt.Get(FLAG_FIELD);
- var i;
- for (i = 0; i < subprocessors.length; i++) {
- evt.Delete(FLAG_FIELD);
- if (debug) console.warn("linear_select trying entry " + i);
- subprocessors[i](evt);
- // Dissect processor succeeded?
- if (evt.Get(FLAG_FIELD) == null) break;
- if (debug) console.warn("linear_select failed entry " + i);
- }
- if (flags !== null) {
- evt.Put(FLAG_FIELD, flags);
- }
- if (debug) {
- if (i < subprocessors.length) {
- console.warn("linear_select matched entry " + i);
- } else {
- console.warn("linear_select didn't match");
- }
- }
- };
-}
-
-function conditional(opt) {
- return function(evt) {
- if (opt.if(evt)) {
- opt.then(evt);
- } else if (opt.else) {
- opt.else(evt);
- }
- };
-}
-
-var strip_syslog_priority = (function() {
- var isEnabled = function() { return strip_priority === true; };
- var fetchPRI = field("_pri");
- var fetchPayload = field("payload");
- var removePayload = remove(["payload"]);
- var cleanup = remove(["_pri", "payload"]);
- var onMatch = function(evt) {
- var pri, priStr = fetchPRI(evt);
- if (priStr != null
- && 0 < priStr.length && priStr.length < 4
- && !isNaN((pri = Number(priStr)))
- && 0 <= pri && pri < 192) {
- var severity = pri & 7,
- facility = pri >> 3;
- setc("_severity", "" + severity)(evt);
- setc("_facility", "" + facility)(evt);
- // Replace message with priority stripped.
- evt.Put("message", fetchPayload(evt));
- removePayload(evt);
- } else {
- // not a valid syslog PRI, cleanup.
- cleanup(evt);
- }
- };
- return conditional({
- if: isEnabled,
- then: cleanup_flags(match(
- "STRIP_PRI",
- "message",
- "<%{_pri}>%{payload}",
- onMatch
- ))
- });
-})();
-
-function match(id, src, pattern, on_success) {
- var dissect = new processor.Dissect({
- field: src,
- tokenizer: pattern,
- target_prefix: FIELDS_OBJECT,
- ignore_failure: true,
- overwrite_keys: true,
- trim_values: "right"
- });
- return function (evt) {
- var msg = evt.Get(src);
- dissect.Run(evt);
- var failed = evt.Get(FLAG_FIELD) != null;
- if (debug) {
- if (failed) {
- console.debug("dissect fail: " + id + " field:" + src);
- } else {
- console.debug("dissect OK: " + id + " field:" + src);
- }
- console.debug(" expr: <<" + pattern + ">>");
- console.debug(" input: <<" + msg + ">>");
- }
- if (on_success != null && !failed) {
- on_success(evt);
- }
- };
-}
-
-function match_copy(id, src, dst, on_success) {
- dst = FIELDS_PREFIX + dst;
- if (dst === FIELDS_PREFIX || dst === src) {
- return function (evt) {
- if (debug) {
- console.debug("noop OK: " + id + " field:" + src);
- console.debug(" input: <<" + evt.Get(src) + ">>");
- }
- if (on_success != null) on_success(evt);
- }
- }
- return function (evt) {
- var msg = evt.Get(src);
- evt.Put(dst, msg);
- if (debug) {
- console.debug("copy OK: " + id + " field:" + src);
- console.debug(" target: '" + dst + "'");
- console.debug(" input: <<" + msg + ">>");
- }
- if (on_success != null) on_success(evt);
- }
-}
-
-function cleanup_flags(processor) {
- return function(evt) {
- processor(evt);
- evt.Delete(FLAG_FIELD);
- };
-}
-
-function all_match(opts) {
- return function (evt) {
- var i;
- for (i = 0; i < opts.processors.length; i++) {
- evt.Delete(FLAG_FIELD);
- opts.processors[i](evt);
- // Dissect processor succeeded?
- if (evt.Get(FLAG_FIELD) != null) {
- if (debug) console.warn("all_match failure at " + i);
- if (opts.on_failure != null) opts.on_failure(evt);
- return;
- }
- if (debug) console.warn("all_match success at " + i);
- }
- if (opts.on_success != null) opts.on_success(evt);
- };
-}
-
-function msgid_select(mapping) {
- return function (evt) {
- var msgid = evt.Get(FIELDS_PREFIX + "messageid");
- if (msgid == null) {
- if (debug) console.warn("msgid_select: no messageid captured!");
- return;
- }
- var next = mapping[msgid];
- if (next === undefined) {
- if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid);
- return;
- }
- if (debug) console.info("msgid_select: matched key=" + msgid);
- return next(evt);
- };
-}
-
-function msg(msg_id, match) {
- return function (evt) {
- match(evt);
- if (evt.Get(FLAG_FIELD) == null) {
- evt.Put(FIELDS_PREFIX + "msg_id1", msg_id);
- }
- };
-}
-
-var start;
-
-function save_flags(evt) {
- saved_flags = evt.Get(FLAG_FIELD);
- evt.Put("event.original", evt.Get("message"));
-}
-
-function restore_flags(evt) {
- if (saved_flags !== null) {
- evt.Put(FLAG_FIELD, saved_flags);
- }
- evt.Delete("message");
-}
-
-function constant(value) {
- return function (evt) {
- return value;
- };
-}
-
-function field(name) {
- var fullname = FIELDS_PREFIX + name;
- return function (evt) {
- return evt.Get(fullname);
- };
-}
-
-function STRCAT(args) {
- var s = "";
- var i;
- for (i = 0; i < args.length; i++) {
- s += args[i];
- }
- return s;
-}
-
-// TODO: Implement
-function DIRCHK(args) {
- unimplemented("DIRCHK");
-}
-
-function strictToInt(str) {
- return str * 1;
-}
-
-function CALC(args) {
- if (args.length !== 3) {
- console.warn("skipped call to CALC with " + args.length + " arguments.");
- return;
- }
- var a = strictToInt(args[0]);
- var b = strictToInt(args[2]);
- if (isNaN(a) || isNaN(b)) {
- console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'.");
- return;
- }
- var result;
- switch (args[1]) {
- case "+":
- result = a + b;
- break;
- case "-":
- result = a - b;
- break;
- case "*":
- result = a * b;
- break;
- default:
- // Only * and + seen in the parsers.
- console.warn("unknown CALC operation '" + args[1] + "'.");
- return;
- }
- // Always return a string
- return result !== undefined ? "" + result : result;
-}
-
-var quoteChars = "\"'`";
-function RMQ(args) {
- if(args.length !== 1) {
- console.warn("RMQ: only one argument expected");
- return;
- }
- var value = args[0].trim();
- var n = value.length;
- var char;
- return n > 1
- && (char=value.charAt(0)) === value.charAt(n-1)
- && quoteChars.indexOf(char) !== -1?
- value.substr(1, n-2)
- : value;
-}
-
-function call(opts) {
- var args = new Array(opts.args.length);
- return function (evt) {
- for (var i = 0; i < opts.args.length; i++)
- if ((args[i] = opts.args[i](evt)) == null) return;
- var result = opts.fn(args);
- if (result != null) {
- evt.Put(opts.dest, result);
- }
- };
-}
-
-function nop(evt) {
-}
-
-function appendErrorMsg(evt, msg) {
- var value = evt.Get("error.message");
- if (value == null) {
- value = [msg];
- } else if (msg instanceof Array) {
- value.push(msg);
- } else {
- value = [value, msg];
- }
- evt.Put("error.message", value);
-}
-
-function unimplemented(name) {
- appendErrorMsg("unimplemented feature: " + name);
-}
-
-function lookup(opts) {
- return function (evt) {
- var key = opts.key(evt);
- if (key == null) return;
- var value = opts.map.keyvaluepairs[key];
- if (value === undefined) {
- value = opts.map.default;
- }
- if (value !== undefined) {
- evt.Put(opts.dest, value(evt));
- }
- };
-}
-
-function set(fields) {
- return new processor.AddFields({
- target: FIELDS_OBJECT,
- fields: fields,
- });
-}
-
-function setf(dst, src) {
- return function (evt) {
- var val = evt.Get(FIELDS_PREFIX + src);
- if (val != null) evt.Put(FIELDS_PREFIX + dst, val);
- };
-}
-
-function setc(dst, value) {
- return function (evt) {
- evt.Put(FIELDS_PREFIX + dst, value);
- };
-} - -function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; -} - -function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; -} - -function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; -} - -function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; -} - -// Make two-digit dates 00-69 interpreted as 2000-2069 -// and dates 70-99 translated to 1970-1999. -var twoDigitYearEpoch = 70; -var twoDigitYearCentury = 2000; - -// This is to accept dates up to 2 days in the future, only used when -// no year is specified in a date. 2 days should be enough to account for -// time differences between systems and different tz offsets. -var maxFutureDelta = 2*24*60*60*1000; - -// DateContainer stores date fields and then converts those fields into -// a Date. Necessary because building a Date using its set() methods gives -// different results depending on the order of components. -function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; -} - -DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } -} - -function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; -} - -function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; -} - -function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; -} - -var uA = 60 * 60 * 24; -var uD = 60 * 60 * 24; -var uF = 60 * 60; -var uG = 60 * 60 * 24 * 30; -var uH = 60 * 60; -var uI = 60 * 60; -var uJ = 60 * 60 * 24; -var uM = 60 * 60 * 24 * 30; -var uN = 60 * 60; -var uO = 1; -var uS = 1; -var uT = 60; -var uU = 60; -var uc = dc; - -function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; -} - -function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 5], - "dec": [11, 4], 
-}; - -// var dC = undefined; -var dR = dateMonthName(true); -var dB = dateMonthName(false); -var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); -var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); -var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); -var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); -var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); -var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 -var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); -var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); -var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); -var dP = parseAMPM; // AM|PM -var dQ = parseAMPM; // A.M.|P.M -var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); -var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); -var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); -var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); -var dZ = parseHMS; -var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - -// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. -// Only works if this modifier appears after the hour has been read from logs -// which is always the case in the 300 devices. 
-function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; -} - -function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); -} - -function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; -} - -function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; -} - -function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; -} - -function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; -} - -function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; -} - -// Short month name (Jan..Dec). -function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; -} - -function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; -} - -// The following regular expression for parsing URLs from: -// https://github.com/wizard04wsu/URI_Parsing -// -// The MIT License (MIT) -// -// Copyright (c) 2014 Andrew Harrison -// -// Permission is hereby granted, free of charge, to any person obtaining a copy of -// this software and associated documentation files (the "Software"), to deal in -// the Software without restriction, including without limitation the rights to -// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -// the Software, and to permit persons to whom the Software is furnished to do so, -// subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
-var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - -var uriScheme = 1; -var uriDomain = 5; -var uriPort = 6; -var uriPath = 7; -var uriPathAlt = 9; -var uriQuery = 11; - -function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); -} - -function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; -} - -function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; -} - -var extFromPage = /\.[^.]+$/; -function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } -} - -function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); -} - -function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); -} - -var pageFromPathRegExp = /\/([^\/]+)$/; -var pageName = 1; - -function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; -} - -function page(dst, src) { - return url_wrapper(dst, src, extract_page); -} - -function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; -} - -function path(dst, src) { - return url_wrapper(dst, src, extract_path); -} - -// Map common schemes to their default port. -// port has to be a string (will be converted at a later stage). 
-var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", -}; - -function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } -} - -function port(dst, src) { - return url_wrapper(dst, src, extract_port); -} - -function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; -} - -function query(dst, src) { - return url_wrapper(dst, src, extract_query); -} - -function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } -} - -function root(dst, src) { - return url_wrapper(dst, src, extract_root); -} - -function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } -} - -var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, -}; - -var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, 
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, -}; - -function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } -} - -// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. -var maxSafeInt = Math.pow(2, 53) - 1; -var minSafeInt = -maxSafeInt; - -function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; -} - -function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); -} - -var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; -var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - -function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; -} - -function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; -} - -function to_double(value) { - return parseFloat(value); -} - -function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; -} - -function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; -} - -function fld_set(dst, value) { - dst[this.field] = { v: value }; -} - -function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } -} - -function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } -} - -var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true -}; - -function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } -} - -function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } -} - -function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); -} - -var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, -]; - -function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - tzOffset = 
evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} Hit-count = %{dclass_counter1}"); - -var dup60 = setc("dclass_counter1_string","Hit Count"); - -var dup61 = setc("eventcategory","1603100000"); - -var dup62 = setc("eventcategory","1701020000"); - -var dup63 = setc("eventcategory","1801000000"); - -var dup64 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/0", "nwparser.payload", "%{action}: %{p0}"); - -var dup65 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_0", "nwparser.p0", "%{saddr}@%{terminal}: %{p0}"); - -var dup66 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_1", "nwparser.p0", "%{fld1->} %{p0}"); - -var dup67 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_0", "nwparser.p0", "(%{result})%{info}"); - -var dup68 = match_copy("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_1", "nwparser.p0", "info"); - -var dup69 = match("MESSAGE#238:IF_XCVR_WARNING/0", "nwparser.payload", "Interface %{interface}, %{p0}"); - -var dup70 = match("MESSAGE#238:IF_XCVR_WARNING/1_0", "nwparser.p0", "Low %{p0}"); - -var dup71 = match("MESSAGE#238:IF_XCVR_WARNING/1_1", "nwparser.p0", "High %{p0}"); - -var dup72 = setc("ec_outcome","Error"); - -var dup73 = setc("eventcategory","1703000000"); - -var dup74 = setc("obj_type","vPC"); - -var dup75 = setc("ec_subject","OS"); - -var dup76 = setc("ec_activity","Start"); - -var dup77 = setc("eventcategory","1801010000"); - -var dup78 = setc("ec_activity","Receive"); - -var dup79 = setc("ec_activity","Send"); - -var dup80 = setc("ec_activity","Create"); - -var dup81 = setc("event_description","Switchover completed."); - -var dup82 = setc("event_description","Invalid user"); - -var dup83 = setc("eventcategory","1401000000"); - -var dup84 = setc("ec_subject","Service"); - -var dup85 = setc("event_description","Duplicate address Detected."); - -var dup86 = match_copy("MESSAGE#0:LOG-7-SYSTEM_MSG", "nwparser.payload", "event_description", processor_chain([ - dup1, - dup2, - dup3, - dup4, 
-])); - -var dup87 = match_copy("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "event_description", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var dup88 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup23, - dup2, - dup3, - dup4, -])); - -var dup89 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ - dup23, - dup2, - dup3, - dup4, -])); - -var dup90 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var dup91 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup24, - dup2, - dup3, - dup4, -])); - -var dup92 = linear_select([ - dup26, - dup27, -]); - -var dup93 = match_copy("MESSAGE#58:IM_SEQ_ERROR", "nwparser.payload", "result", processor_chain([ - dup1, - dup2, - dup3, - dup4, -])); - -var dup94 = match_copy("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "event_description", processor_chain([ - dup24, - dup2, - dup3, - dup4, -])); - -var dup95 = match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var dup96 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52->} Interface %{interface->} is down (%{result})", processor_chain([ - dup23, - dup34, - dup35, - dup14, - dup2, - dup3, - dup4, -])); - -var dup97 = match_copy("MESSAGE#123:PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", "nwparser.payload", "event_description", processor_chain([ - dup33, - dup2, - dup3, - dup4, -])); - -var dup98 = linear_select([ - dup46, - dup47, -]); - -var dup99 = linear_select([ - dup49, - dup50, -]); - -var dup100 = 
linear_select([ - dup54, - dup55, -]); - -var dup101 = linear_select([ - dup57, - dup58, -]); - -var dup102 = match_copy("MESSAGE#214:NOHMS_DIAG_ERR_PS_FAIL", "nwparser.payload", "event_description", processor_chain([ - dup23, - dup2, - dup3, - dup4, -])); - -var dup103 = linear_select([ - dup65, - dup66, -]); - -var dup104 = linear_select([ - dup67, - dup68, -]); - -var dup105 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var dup106 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43->} Interface %{interface->} is down%{info}", processor_chain([ - dup23, - dup2, - dup3, - dup4, -])); - -var dup107 = linear_select([ - dup70, - dup71, -]); - -var dup108 = match("MESSAGE#239:IF_XCVR_WARNING:01", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ - dup61, - dup2, - dup3, - dup4, -])); - -var hdr1 = match("HEADER#0:0001", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{hfld18}: %%{hfld19}-%{hfld20}-%{severity}-%{messageid}: %{payload}", processor_chain([ - setc("header_id","0001"), -])); - -var hdr2 = match("HEADER#1:0007", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{hfld18}: %%{hfld19}-%{hfld20}-%{severity}-%{messageid}: %{payload}", processor_chain([ - setc("header_id","0007"), -])); - -var hdr3 = match("HEADER#2:0005", "message", "%{hfld4->} %{hfld5->} %{hfld6->} %{hfld7->} : %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}: %{payload}", processor_chain([ - setc("header_id","0005"), -])); - -var hdr4 = match("HEADER#3:0002", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}: %{payload}", processor_chain([ - setc("header_id","0002"), -])); - -var hdr5 = match("HEADER#4:0012", "message", "%{fld13}: %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} 
%{timezone}: %%{hfld19}-%{severity}-%{messageid}: %{payload}", processor_chain([ - setc("header_id","0012"), -])); - -var hdr6 = match("HEADER#5:0008", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}: %{payload}", processor_chain([ - setc("header_id","0008"), -])); - -var hdr7 = match("HEADER#6:0011", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}[%{hfld18}]: %{payload}", processor_chain([ - setc("header_id","0011"), -])); - -var hdr8 = match("HEADER#7:0003", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}: %{payload}", processor_chain([ - setc("header_id","0003"), -])); - -var hdr9 = match("HEADER#8:0004", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ - setc("header_id","0004"), -])); - -var hdr10 = match("HEADER#9:0009", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}: %{payload}", processor_chain([ - setc("header_id","0009"), -])); - -var hdr11 = match("HEADER#10:0013", "message", "%{fld13}: %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ - setc("header_id","0013"), -])); - -var hdr12 = match("HEADER#11:0010", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ - setc("header_id","0010"), -])); - -var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - hdr5, - hdr6, - hdr7, - hdr8, - hdr9, - hdr10, - hdr11, - hdr12, -]); - -var msg1 = msg("LOG-7-SYSTEM_MSG", dup86); - -var part1 = match("MESSAGE#1:SYSTEM_MSG", "nwparser.payload", "error: PAM: Authentication failure for illegal user %{username->} from %{saddr->} - %{agent}[%{process_id}]", processor_chain([ - dup5, - dup2, - dup3, - dup4, - dup6, -])); - -var msg2 = msg("SYSTEM_MSG", part1); - -var part2 = 
match("MESSAGE#2:SYSTEM_MSG:12", "nwparser.payload", "error: PAM: Authentication failure for illegal user %{username->} from %{shost}", processor_chain([ - dup5, - dup2, - dup3, - dup4, - dup6, -])); - -var msg3 = msg("SYSTEM_MSG:12", part2); - -var part3 = match("MESSAGE#3:SYSTEM_MSG:01", "nwparser.payload", "error: PAM: Authentication failure for %{username->} from %{saddr->} - %{agent}[%{process_id}]", processor_chain([ - dup5, - dup2, - dup3, - dup4, - dup7, -])); - -var msg4 = msg("SYSTEM_MSG:01", part3); - -var part4 = match("MESSAGE#4:SYSTEM_MSG:11", "nwparser.payload", "error: PAM: Authentication failure for %{username->} from %{shost}", processor_chain([ - dup5, - dup2, - dup3, - dup4, - dup7, -])); - -var msg5 = msg("SYSTEM_MSG:11", part4); - -var part5 = match("MESSAGE#5:SYSTEM_MSG:19/0", "nwparser.payload", "error: maximum authentication attempts exceeded for %{p0}"); - -var part6 = match("MESSAGE#5:SYSTEM_MSG:19/1_0", "nwparser.p0", "invalid user %{username->} from %{p0}"); - -var part7 = match("MESSAGE#5:SYSTEM_MSG:19/1_1", "nwparser.p0", "%{username->} from %{p0}"); - -var select2 = linear_select([ - part6, - part7, -]); - -var part8 = match("MESSAGE#5:SYSTEM_MSG:19/2", "nwparser.p0", "%{saddr->} port %{sport->} %{protocol->} - %{agent}[%{process_id}]"); - -var all1 = all_match({ - processors: [ - part5, - select2, - part8, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - ]), -}); - -var msg6 = msg("SYSTEM_MSG:19", all1); - -var part9 = match("MESSAGE#6:SYSTEM_MSG:02", "nwparser.payload", "error:%{result}", processor_chain([ - dup1, - dup2, - dup3, - dup4, -])); - -var msg7 = msg("SYSTEM_MSG:02", part9); - -var part10 = match("MESSAGE#7:SYSTEM_MSG:03/0_0", "nwparser.payload", "(pam_unix)%{p0}"); - -var part11 = match("MESSAGE#7:SYSTEM_MSG:03/0_1", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}):%{p0}"); - -var select3 = linear_select([ - part10, - part11, -]); - -var part12 = match("MESSAGE#7:SYSTEM_MSG:03/1", "nwparser.p0", 
"%{}authentication failure; logname=%{fld20->} uid=%{fld21->} euid=%{fld22->} tty=%{terminal->} ruser=%{fld24->} rhost=%{p0}"); - -var part13 = match("MESSAGE#7:SYSTEM_MSG:03/2_0", "nwparser.p0", "%{fld25->} user=%{username->} - %{p0}"); - -var part14 = match("MESSAGE#7:SYSTEM_MSG:03/2_1", "nwparser.p0", "%{fld25->} - %{p0}"); - -var select4 = linear_select([ - part13, - part14, -]); - -var part15 = match_copy("MESSAGE#7:SYSTEM_MSG:03/3", "nwparser.p0", "agent"); - -var all2 = all_match({ - processors: [ - select3, - part12, - select4, - part15, - ], - on_success: processor_chain([ - dup5, - dup2, - dup3, - dup4, - ]), -}); - -var msg8 = msg("SYSTEM_MSG:03", all2); - -var part16 = match("MESSAGE#8:SYSTEM_MSG:04", "nwparser.payload", "(pam_unix) %{event_description}", processor_chain([ - dup8, - dup2, - dup3, - dup4, -])); - -var msg9 = msg("SYSTEM_MSG:04", part16); - -var part17 = match("MESSAGE#9:SYSTEM_MSG:05/0", "nwparser.payload", "pam_aaa:Authentication failed f%{p0}"); - -var part18 = match("MESSAGE#9:SYSTEM_MSG:05/1_0", "nwparser.p0", "or user %{username->} from%{p0}"); - -var part19 = match("MESSAGE#9:SYSTEM_MSG:05/1_1", "nwparser.p0", "rom%{p0}"); - -var select5 = linear_select([ - part18, - part19, -]); - -var part20 = match("MESSAGE#9:SYSTEM_MSG:05/2", "nwparser.p0", "%{} %{saddr->} - %{agent}[%{process_id}]"); - -var all3 = all_match({ - processors: [ - part17, - select5, - part20, - ], - on_success: processor_chain([ - dup5, - dup2, - dup3, - dup4, - ]), -}); - -var msg10 = msg("SYSTEM_MSG:05", all3); - -var part21 = match("MESSAGE#10:SYSTEM_MSG:06", "nwparser.payload", "FAILED LOGIN (%{fld20}) on %{fld21->} FOR %{username}, Authentication failure - login[%{process_id}]", processor_chain([ - dup5, - dup2, - dup3, - dup4, -])); - -var msg11 = msg("SYSTEM_MSG:06", part21); - -var part22 = match("MESSAGE#11:SYSTEM_MSG:07", "nwparser.payload", "fatal:%{event_description}", processor_chain([ - dup9, - dup2, - dup3, - dup4, -])); - -var msg12 = 
msg("SYSTEM_MSG:07", part22); - -var part23 = match("MESSAGE#12:SYSTEM_MSG:09", "nwparser.payload", "%{fld1}: Host name is set %{hostname->} - kernel", processor_chain([ - dup9, - dup2, - dup3, - dup4, -])); - -var msg13 = msg("SYSTEM_MSG:09", part23); - -var part24 = match("MESSAGE#13:SYSTEM_MSG:10", "nwparser.payload", "Unauthorized access by NFS client %{saddr}.", processor_chain([ - dup5, - dup2, - dup3, - dup4, -])); - -var msg14 = msg("SYSTEM_MSG:10", part24); - -var part25 = match("MESSAGE#14:SYSTEM_MSG:13", "nwparser.payload", "%{fld43->} : SNMP UDP authentication failed for %{saddr}.", processor_chain([ - dup5, - dup2, - dup3, - dup4, -])); - -var msg15 = msg("SYSTEM_MSG:13", part25); - -var part26 = match("MESSAGE#15:SYSTEM_MSG:14", "nwparser.payload", "%{fld43->} : Subsequent authentication success for user (%{username}) failed.", processor_chain([ - dup5, - dup2, - dup3, - dup4, -])); - -var msg16 = msg("SYSTEM_MSG:14", part26); - -var part27 = match("MESSAGE#16:SYSTEM_MSG:15", "nwparser.payload", "%{fld1->} : TTY=%{terminal->} ; PWD=%{directory->} ; USER=%{username->} ; COMMAND=%{param}", processor_chain([ - dup10, - dup2, - dup3, - dup4, - dup11, - dup12, -])); - -var msg17 = msg("SYSTEM_MSG:15", part27); - -var part28 = match("MESSAGE#17:SYSTEM_MSG:16", "nwparser.payload", "Login failed for user %{username->} - %{agent}[%{process_id}]", processor_chain([ - dup5, - dup2, - dup3, - dup4, - dup11, - dup13, - dup12, - dup14, -])); - -var msg18 = msg("SYSTEM_MSG:16", part28); - -var part29 = match("MESSAGE#18:SYSTEM_MSG:17/0", "nwparser.payload", "NTP: Peer %{hostip->} %{p0}"); - -var part30 = match("MESSAGE#18:SYSTEM_MSG:17/1_0", "nwparser.p0", "with stratum %{fld1->} selected - %{p0}"); - -var part31 = match("MESSAGE#18:SYSTEM_MSG:17/1_1", "nwparser.p0", "is %{disposition->} - %{p0}"); - -var select6 = linear_select([ - part30, - part31, -]); - -var part32 = match("MESSAGE#18:SYSTEM_MSG:17/2", "nwparser.p0", "%{agent}[%{process_id}]"); - -var all4 = 
all_match({ - processors: [ - part29, - select6, - part32, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - ]), -}); - -var msg19 = msg("SYSTEM_MSG:17", all4); - -var part33 = match("MESSAGE#19:SYSTEM_MSG:20", "nwparser.payload", "New user added with username %{username->} - %{agent}", processor_chain([ - dup10, - dup2, - dup3, - dup4, - dup12, -])); - -var msg20 = msg("SYSTEM_MSG:20", part33); - -var part34 = match("MESSAGE#20:SYSTEM_MSG:21", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}): password changed for %{username->} - %{agent}", processor_chain([ - dup10, - dup2, - dup3, - dup4, - setc("ec_subject","Password"), - dup16, - dup12, - dup17, -])); - -var msg21 = msg("SYSTEM_MSG:21", part34); - -var part35 = match("MESSAGE#21:SYSTEM_MSG:22", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}): check pass; user %{username->} - %{agent}", processor_chain([ - dup10, - dup2, - dup3, - dup4, - dup12, -])); - -var msg22 = msg("SYSTEM_MSG:22", part35); - -var part36 = match("MESSAGE#22:SYSTEM_MSG:23", "nwparser.payload", "new user: name=%{username}, uid=%{uid}, gid=%{fld1}, home=%{directory}, shell=%{fld2->} - %{agent}[%{process_id}]", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup11, -])); - -var msg23 = msg("SYSTEM_MSG:23", part36); - -var part37 = match("MESSAGE#23:SYSTEM_MSG:24/0", "nwparser.payload", "delete user %{p0}"); - -var part38 = match("MESSAGE#23:SYSTEM_MSG:24/1_0", "nwparser.p0", "`%{p0}"); - -var part39 = match("MESSAGE#23:SYSTEM_MSG:24/1_1", "nwparser.p0", "'%{p0}"); - -var select7 = linear_select([ - part38, - part39, -]); - -var part40 = match("MESSAGE#23:SYSTEM_MSG:24/2", "nwparser.p0", "'%{username->} - %{agent}[%{process_id}]"); - -var all5 = all_match({ - processors: [ - part37, - select7, - part40, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup11, - dup20, - dup17, - ]), -}); - -var msg24 = msg("SYSTEM_MSG:24", all5); - -var part41 = match("MESSAGE#24:SYSTEM_MSG:08/0_0", 
"nwparser.payload", "%{event_description->} - %{agent}"); - -var select8 = linear_select([ - part41, - dup21, -]); - -var all6 = all_match({ - processors: [ - select8, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - ]), -}); - -var msg25 = msg("SYSTEM_MSG:08", all6); - -var select9 = linear_select([ - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - msg18, - msg19, - msg20, - msg21, - msg22, - msg23, - msg24, - msg25, -]); - -var part42 = match("MESSAGE#25:VDC_HOSTNAME_CHANGE", "nwparser.payload", "%{fld1->} hostname changed to %{hostname}", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg26 = msg("VDC_HOSTNAME_CHANGE", part42); - -var part43 = match("MESSAGE#26:POLICY_ACTIVATE_EVENT", "nwparser.payload", "Policy %{policyname->} is activated by profile %{username}", processor_chain([ - dup22, - dup2, - dup3, - dup4, - setc("action","activated"), - setc("event_description","Policy is activated by profile"), -])); - -var msg27 = msg("POLICY_ACTIVATE_EVENT", part43); - -var part44 = match("MESSAGE#27:POLICY_COMMIT_EVENT", "nwparser.payload", "Commit operation %{disposition}", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg28 = msg("POLICY_COMMIT_EVENT", part44); - -var part45 = match("MESSAGE#28:POLICY_DEACTIVATE_EVENT", "nwparser.payload", "Policy %{policyname->} is de-activated by last referring profile %{username}", processor_chain([ - setc("eventcategory","1701070000"), - dup2, - dup3, - dup4, - setc("action","de-activated"), - setc("event_description","Policy is de-activated by last referring profile"), -])); - -var msg29 = msg("POLICY_DEACTIVATE_EVENT", part45); - -var part46 = match("MESSAGE#29:POLICY_LOOKUP_EVENT:01", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} src.net.ip-address=%{saddr->} src.net.port=%{sport->} dst.net.ip-address=%{daddr->} 
dst.net.port=%{dport->} net.protocol=%{protocol->} net.ethertype=%{fld2->} dst.zone.name=%{dst_zone->} src.zone.name=%{src_zone}", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg30 = msg("POLICY_LOOKUP_EVENT:01", part46); - -var part47 = match("MESSAGE#30:POLICY_LOOKUP_EVENT", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} src.net.ip-address=%{saddr->} src.net.port=%{sport->} dst.net.ip-address=%{daddr->} dst.net.port=%{dport->} net.protocol=%{protocol->} net.ethertype=%{fld2}", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg31 = msg("POLICY_LOOKUP_EVENT", part47); - -var part48 = match("MESSAGE#31:POLICY_LOOKUP_EVENT:02", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} net.ethertype=%{fld2}", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg32 = msg("POLICY_LOOKUP_EVENT:02", part48); - -var select10 = linear_select([ - msg30, - msg31, - msg32, -]); - -var msg33 = msg("NEIGHBOR_UPDATE_AUTOCOPY", dup87); - -var msg34 = msg("MTSERROR", dup86); - -var part49 = match("MESSAGE#34:IF_DOWN_ERROR_DISABLED", "nwparser.payload", "Interface %{interface->} is down (Error disabled. 
Reason:%{result})", processor_chain([ - dup23, - dup2, - dup3, - dup4, -])); - -var msg35 = msg("IF_DOWN_ERROR_DISABLED", part49); - -var msg36 = msg("IF_DOWN_ADMIN_DOWN", dup88); - -var msg37 = msg("IF_DOWN_ADMIN_DOWN:01", dup89); - -var select11 = linear_select([ - msg36, - msg37, -]); - -var msg38 = msg("IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", dup90); - -var msg39 = msg("IF_DOWN_INTERFACE_REMOVED", dup91); - -var part50 = match("MESSAGE#39:IF_DOWN_LINK_FAILURE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup23, - dup2, - dup3, - dup4, - dup25, -])); - -var msg40 = msg("IF_DOWN_LINK_FAILURE", part50); - -var msg41 = msg("IF_DOWN_LINK_FAILURE:01", dup89); - -var select12 = linear_select([ - msg40, - msg41, -]); - -var msg42 = msg("IF_DOWN_MODULE_REMOVED", dup91); - -var msg43 = msg("IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN", dup88); - -var part51 = match("MESSAGE#43:IF_DUPLEX", "nwparser.payload", "Interface %{interface}, operational duplex mode changed to %{result}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Interface duplex mode changed"), -])); - -var msg44 = msg("IF_DUPLEX", part51); - -var part52 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/0", "nwparser.payload", "Interface %{interface}, operational Receive Flow Cont%{p0}"); - -var all7 = all_match({ - processors: [ - part52, - dup92, - dup28, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Interface operational Receive Flow Control state changed"), - ]), -}); - -var msg45 = msg("IF_RX_FLOW_CONTROL", all7); - -var part53 = match_copy("MESSAGE#45:IF_SEQ_ERROR", "nwparser.payload", "result", processor_chain([ - dup23, - dup2, - dup3, - dup4, -])); - -var msg46 = msg("IF_SEQ_ERROR", part53); - -var part54 = match("MESSAGE#46:IF_TX_FLOW_CONTROL/0", "nwparser.payload", "Interface %{interface}, operational Transmit Flow Cont%{p0}"); - -var all8 = all_match({ - processors: [ - part54, - 
dup92, - dup28, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Interface operational Transmit Flow Control state changed"), - ]), -}); - -var msg47 = msg("IF_TX_FLOW_CONTROL", all8); - -var part55 = match("MESSAGE#47:IF_UP", "nwparser.payload", "%{fld43->} Interface %{sinterface->} is up in mode %{result}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Interface is up in mode"), -])); - -var msg48 = msg("IF_UP", part55); - -var part56 = match("MESSAGE#48:IF_UP:01", "nwparser.payload", "Interface %{sinterface->} is up", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Interface is up"), -])); - -var msg49 = msg("IF_UP:01", part56); - -var select13 = linear_select([ - msg48, - msg49, -]); - -var part57 = match("MESSAGE#49:SPEED", "nwparser.payload", "Interface %{interface}, operational speed changed to %{result}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Interface operational speed changed"), -])); - -var msg50 = msg("SPEED", part57); - -var part58 = match("MESSAGE#50:CREATED", "nwparser.payload", "%{group_object->} created", processor_chain([ - dup29, - dup2, - dup3, - dup4, -])); - -var msg51 = msg("CREATED", part58); - -var part59 = match("MESSAGE#51:FOP_CHANGED", "nwparser.payload", "%{group_object}: first operational port changed from %{change_old->} to %{change_new}", processor_chain([ - dup30, - dup2, - dup3, - dup4, -])); - -var msg52 = msg("FOP_CHANGED", part59); - -var part60 = match("MESSAGE#52:PORT_DOWN", "nwparser.payload", "%{group_object}: %{interface->} is down", processor_chain([ - dup23, - dup2, - dup3, - dup4, -])); - -var msg53 = msg("PORT_DOWN", part60); - -var part61 = match("MESSAGE#53:PORT_UP", "nwparser.payload", "%{group_object}: %{interface->} is up", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg54 = msg("PORT_UP", part61); - -var part62 = 
match("MESSAGE#54:SUBGROUP_ID_PORT_ADDED", "nwparser.payload", "Interface %{interface->} is added to %{group_object->} with subgroup id %{fld20}", processor_chain([ - dup29, - dup2, - dup3, - dup4, -])); - -var msg55 = msg("SUBGROUP_ID_PORT_ADDED", part62); - -var part63 = match("MESSAGE#55:SUBGROUP_ID_PORT_REMOVED", "nwparser.payload", "Interface %{interface->} is removed from %{group_object->} with subgroup id %{fld20}", processor_chain([ - dup24, - dup2, - dup3, - dup4, -])); - -var msg56 = msg("SUBGROUP_ID_PORT_REMOVED", part63); - -var msg57 = msg("MTS_DROP", dup87); - -var msg58 = msg("SYSLOG_LOG_WARNING", dup87); - -var msg59 = msg("IM_SEQ_ERROR", dup93); - -var msg60 = msg("ADDON_IMG_DNLD_COMPLETE", dup87); - -var msg61 = msg("ADDON_IMG_DNLD_STARTED", dup87); - -var msg62 = msg("ADDON_IMG_DNLD_SUCCESSFUL", dup87); - -var msg63 = msg("IMG_DNLD_COMPLETE", dup87); - -var msg64 = msg("IMG_DNLD_STARTED", dup87); - -var part64 = match_copy("MESSAGE#64:PORT_SOFTWARE_FAILURE", "nwparser.payload", "result", processor_chain([ - dup31, - dup2, - dup3, - dup4, -])); - -var msg65 = msg("PORT_SOFTWARE_FAILURE", part64); - -var msg66 = msg("MSM_CRIT", dup93); - -var part65 = match("MESSAGE#66:LOG_CMP_AAA_FAILURE", "nwparser.payload", "Authentication failed for a login from %{shost->} (%{result})", processor_chain([ - dup5, - dup2, - dup3, - dup4, - dup7, -])); - -var msg67 = msg("LOG_CMP_AAA_FAILURE", part65); - -var msg68 = msg("LOG_LIC_N1K_EXPIRY_WARNING", dup87); - -var part66 = match("MESSAGE#68:MOD_FAIL", "nwparser.payload", "Initialization of module %{fld20->} (serial: %{serial_number}) failed", processor_chain([ - dup32, - dup2, - dup3, - dup4, -])); - -var msg69 = msg("MOD_FAIL", part66); - -var part67 = match("MESSAGE#69:MOD_MAJORSWFAIL", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported a critical failure in service %{fld22}", processor_chain([ - dup33, - dup2, - dup3, - dup4, -])); - -var msg70 = msg("MOD_MAJORSWFAIL", part67); - -var 
part68 = match("MESSAGE#70:MOD_SRG_NOT_COMPATIBLE", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) firmware is not compatible with supervisor, downloading new image", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg71 = msg("MOD_SRG_NOT_COMPATIBLE", part68); - -var part69 = match("MESSAGE#71:MOD_WARNING:01", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported warnings on %{info->} due to %{result->} in device %{fld23->} (device error %{fld22})", processor_chain([ - dup32, - dup2, - dup3, - dup4, -])); - -var msg72 = msg("MOD_WARNING:01", part69); - -var part70 = match("MESSAGE#72:MOD_WARNING", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported warning %{info->} due to %{result->} in device %{fld23->} (device error %{fld22})", processor_chain([ - dup32, - dup2, - dup3, - dup4, -])); - -var msg73 = msg("MOD_WARNING", part70); - -var select14 = linear_select([ - msg72, - msg73, -]); - -var part71 = match("MESSAGE#73:ACTIVE_SUP_OK", "nwparser.payload", "Supervisor %{fld20->} is active (serial: %{serial_number})", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg74 = msg("ACTIVE_SUP_OK", part71); - -var part72 = match("MESSAGE#74:MOD_OK", "nwparser.payload", "Module %{fld20->} is online (serial: %{serial_number})", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg75 = msg("MOD_OK", part72); - -var part73 = match("MESSAGE#75:MOD_RESTART", "nwparser.payload", "Module %{fld20->} is restarting after image download", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg76 = msg("MOD_RESTART", part73); - -var part74 = match("MESSAGE#76:DISPUTE_CLEARED", "nwparser.payload", "Dispute resolved for port %{portname->} on %{vlan}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - setc("event_description","Dispute resolved for port on VLAN"), -])); - -var msg77 = msg("DISPUTE_CLEARED", part74); - -var part75 = match("MESSAGE#77:DISPUTE_DETECTED", 
"nwparser.payload", "Dispute detected on port %{portname->} on %{vlan}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - setc("event_description","Dispute detected on port on VLAN"), -])); - -var msg78 = msg("DISPUTE_DETECTED", part75); - -var msg79 = msg("DOMAIN_CFG_SYNC_DONE", dup87); - -var msg80 = msg("CHASSIS_CLKMODOK", dup87); - -var msg81 = msg("CHASSIS_CLKSRC", dup87); - -var msg82 = msg("FAN_OK", dup87); - -var part76 = match("MESSAGE#82:MOD_DETECT", "nwparser.payload", "Module %{fld19->} detected (Serial number %{serial_number}) Module-Type %{fld20->} Model %{fld21}", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg83 = msg("MOD_DETECT", part76); - -var part77 = match("MESSAGE#83:MOD_PWRDN", "nwparser.payload", "Module %{fld19->} powered down (Serial number %{serial_number})", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg84 = msg("MOD_PWRDN", part77); - -var part78 = match("MESSAGE#84:MOD_PWRUP", "nwparser.payload", "Module %{fld19->} powered up (Serial number %{serial_number})", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg85 = msg("MOD_PWRUP", part78); - -var part79 = match("MESSAGE#85:MOD_REMOVE", "nwparser.payload", "Module %{fld19->} removed (Serial number %{serial_number})", processor_chain([ - dup24, - dup2, - dup3, - dup4, -])); - -var msg86 = msg("MOD_REMOVE", part79); - -var msg87 = msg("PFM_MODULE_POWER_ON", dup87); - -var msg88 = msg("PFM_SYSTEM_RESET", dup87); - -var msg89 = msg("PFM_VEM_REMOVE_NO_HB", dup94); - -var msg90 = msg("PFM_VEM_REMOVE_RESET", dup94); - -var msg91 = msg("PFM_VEM_REMOVE_STATE_CONFLICT", dup94); - -var msg92 = msg("PFM_VEM_REMOVE_TWO_ACT_VSM", dup94); - -var msg93 = msg("PFM_VEM_UNLICENSED", dup87); - -var msg94 = msg("PS_FANOK", dup87); - -var part80 = match("MESSAGE#94:PS_OK", "nwparser.payload", "Power supply %{fld19->} ok (Serial number %{serial_number})", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg95 = msg("PS_OK", part80); 
- -var part81 = match_copy("MESSAGE#95:MOD_BRINGUP_MULTI_LIMIT", "nwparser.payload", "event_description", processor_chain([ - dup31, - dup2, - dup3, - dup4, -])); - -var msg96 = msg("MOD_BRINGUP_MULTI_LIMIT", part81); - -var part82 = match("MESSAGE#96:FAN_DETECT", "nwparser.payload", "Fan module %{fld19->} (Serial number %{serial_number}) %{fld20->} detected", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg97 = msg("FAN_DETECT", part82); - -var msg98 = msg("MOD_STATUS", dup87); - -var part83 = match("MESSAGE#98:PEER_VPC_CFGD_VLANS_CHANGED", "nwparser.payload", "Peer vPC %{obj_name->} configured vlans changed", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Peer vPC configured vlans changed"), -])); - -var msg99 = msg("PEER_VPC_CFGD_VLANS_CHANGED", part83); - -var part84 = match("MESSAGE#99:PEER_VPC_DELETED", "nwparser.payload", "Peer vPC %{obj_name->} deleted", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg100 = msg("PEER_VPC_DELETED", part84); - -var msg101 = msg("PFM_VEM_DETECTED", dup87); - -var part85 = match("MESSAGE#101:PS_FOUND", "nwparser.payload", "Power supply %{fld19->} found (Serial number %{serial_number})", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg102 = msg("PS_FOUND", part85); - -var part86 = match("MESSAGE#102:PS_STATUS/0_0", "nwparser.payload", "PowerSupply %{fld1->} current-status is %{disposition}"); - -var select15 = linear_select([ - part86, - dup21, -]); - -var all9 = all_match({ - processors: [ - select15, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - ]), -}); - -var msg103 = msg("PS_STATUS", all9); - -var part87 = match("MESSAGE#103:PS_CAPACITY_CHANGE:01", "nwparser.payload", "Power supply %{fld1->} changed its capacity. 
possibly due to On/Off or power cable removal/insertion (Serial number %{serial_number})", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg104 = msg("PS_CAPACITY_CHANGE:01", part87); - -var msg105 = msg("PS_CAPACITY_CHANGE", dup87); - -var select16 = linear_select([ - msg104, - msg105, -]); - -var msg106 = msg("IF_DOWN_FCOT_NOT_PRESENT", dup88); - -var msg107 = msg("IF_DOWN_FCOT_NOT_PRESENT:01", dup89); - -var select17 = linear_select([ - msg106, - msg107, -]); - -var msg108 = msg("IF_DOWN_INITIALIZING", dup90); - -var msg109 = msg("IF_DOWN_INITIALIZING:01", dup95); - -var select18 = linear_select([ - msg108, - msg109, -]); - -var part88 = match("MESSAGE#109:IF_DOWN_NONE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup23, - dup34, - dup35, - dup14, - dup2, - dup3, - dup4, -])); - -var msg110 = msg("IF_DOWN_NONE", part88); - -var msg111 = msg("IF_DOWN_NONE:01", dup96); - -var select19 = linear_select([ - msg110, - msg111, -]); - -var msg112 = msg("IF_DOWN_NOS_RCVD", dup88); - -var msg113 = msg("IF_DOWN_NOS_RCVD:01", dup89); - -var select20 = linear_select([ - msg112, - msg113, -]); - -var msg114 = msg("IF_DOWN_OFFLINE", dup88); - -var msg115 = msg("IF_DOWN_OLS_RCVD", dup88); - -var part89 = match("MESSAGE#115:IF_DOWN_SOFTWARE_FAILURE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup31, - dup2, - dup3, - dup4, -])); - -var msg116 = msg("IF_DOWN_SOFTWARE_FAILURE", part89); - -var msg117 = msg("IF_DOWN_SRC_PORT_NOT_BOUND", dup90); - -var part90 = match("MESSAGE#117:IF_TRUNK_DOWN", "nwparser.payload", "Interface %{interface}, vsan %{fld20->} is down (%{info})", processor_chain([ - dup23, - dup2, - dup3, - dup4, -])); - -var msg118 = msg("IF_TRUNK_DOWN", part90); - -var part91 = match("MESSAGE#118:IF_TRUNK_DOWN:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan->} down", processor_chain([ - dup23, - dup2, - dup3, - dup4, -])); - -var msg119 = 
msg("IF_TRUNK_DOWN:01", part91); - -var part92 = match("MESSAGE#119:IF_TRUNK_DOWN:02", "nwparser.payload", "%{fld43->} Interface %{interface}, vsan %{vlan->} is down %{info}", processor_chain([ - dup23, - dup2, - dup3, - dup4, -])); - -var msg120 = msg("IF_TRUNK_DOWN:02", part92); - -var select21 = linear_select([ - msg118, - msg119, - msg120, -]); - -var part93 = match("MESSAGE#120:IF_TRUNK_UP", "nwparser.payload", "Interface %{interface}, vsan %{fld20->} is up", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg121 = msg("IF_TRUNK_UP", part93); - -var part94 = match("MESSAGE#121:IF_TRUNK_UP:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan->} up", processor_chain([ - dup23, - dup2, - dup3, - dup4, -])); - -var msg122 = msg("IF_TRUNK_UP:01", part94); - -var part95 = match("MESSAGE#122:IF_TRUNK_UP:02", "nwparser.payload", "%{fld43->} Interface %{interface}, vsan %{vlan->} is up %{info}", processor_chain([ - dup23, - dup2, - dup3, - dup4, -])); - -var msg123 = msg("IF_TRUNK_UP:02", part95); - -var select22 = linear_select([ - msg121, - msg122, - msg123, -]); - -var msg124 = msg("PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", dup97); - -var part96 = match("MESSAGE#124:IF_PORTPROFILE_ATTACHED", "nwparser.payload", "Interface %{interface->} is inheriting port-profile %{fld20}", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg125 = msg("IF_PORTPROFILE_ATTACHED", part96); - -var msg126 = msg("STANDBY_SUP_OK", dup87); - -var part97 = match("MESSAGE#126:STM_LOOP_DETECT", "nwparser.payload", "Loops detected in the network among ports %{portname->} and %{info->} vlan %{vlan->} - %{result}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Loops detected in the network among ports"), -])); - -var msg127 = msg("STM_LOOP_DETECT", part97); - -var part98 = match("MESSAGE#127:SYNC_COMPLETE", "nwparser.payload", "Sync completed.%{}", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg128 = 
msg("SYNC_COMPLETE", part98); - -var msg129 = msg("PVLAN_PPM_PORT_CONFIG_FAILED", dup97); - -var msg130 = msg("MESG", dup87); - -var part99 = match("MESSAGE#130:ERR_MSG", "nwparser.payload", "ERROR:%{result}", processor_chain([ - dup33, - dup2, - dup3, - dup4, -])); - -var msg131 = msg("ERR_MSG", part99); - -var msg132 = msg("RM_VICPP_RECREATE_ERROR", dup97); - -var part100 = match("MESSAGE#132:CFGWRITE_ABORTED_LOCK", "nwparser.payload", "Unable to lock the configuration (error-id %{resultcode}). Aborting configuration copy.", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg133 = msg("CFGWRITE_ABORTED_LOCK", part100); - -var part101 = match("MESSAGE#133:CFGWRITE_FAILED", "nwparser.payload", "Configuration copy failed (error-id %{resultcode}).", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg134 = msg("CFGWRITE_FAILED", part101); - -var msg135 = msg("CFGWRITE_ABORTED", dup87); - -var msg136 = msg("CFGWRITE_DONE", dup87); - -var part102 = match("MESSAGE#136:CFGWRITE_STARTED/0_0", "nwparser.payload", "%{event_description->} (PID %{process_id})."); - -var select23 = linear_select([ - part102, - dup21, -]); - -var all10 = all_match({ - processors: [ - select23, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - ]), -}); - -var msg137 = msg("CFGWRITE_STARTED", all10); - -var msg138 = msg("IF_ATTACHED", dup87); - -var msg139 = msg("IF_DELETE_AUTO", dup94); - -var part103 = match("MESSAGE#139:IF_DETACHED", "nwparser.payload", "Interface %{interface->} is detached", processor_chain([ - dup24, - dup2, - dup3, - dup4, -])); - -var msg140 = msg("IF_DETACHED", part103); - -var msg141 = msg("IF_DETACHED_MODULE_REMOVED", dup94); - -var msg142 = msg("IF_DOWN_INACTIVE", dup88); - -var msg143 = msg("IF_DOWN_NON_PARTICIPATING", dup88); - -var part104 = match("MESSAGE#143:IF_DOWN_VEM_UNLICENSED", "nwparser.payload", "Interface %{interface->} is down", processor_chain([ - dup23, - dup2, - dup3, - dup4, -])); - -var msg144 = 
msg("IF_DOWN_VEM_UNLICENSED", part104); - -var part105 = match("MESSAGE#144:CONN_CONNECT", "nwparser.payload", "Connection %{hostname->} connected to the vCenter Server.", processor_chain([ - dup36, - dup2, - dup3, - dup4, -])); - -var msg145 = msg("CONN_CONNECT", part105); - -var part106 = match("MESSAGE#145:CONN_DISCONNECT", "nwparser.payload", "Connection %{hostname->} disconnected from the vCenter Server.", processor_chain([ - setc("eventcategory","1801030000"), - dup2, - dup3, - dup4, -])); - -var msg146 = msg("CONN_DISCONNECT", part106); - -var part107 = match("MESSAGE#146:DVPG_CREATE", "nwparser.payload", "created port-group %{info->} on the vCenter Server.", processor_chain([ - dup29, - dup2, - dup3, - dup4, -])); - -var msg147 = msg("DVPG_CREATE", part107); - -var part108 = match("MESSAGE#147:DVPG_DELETE", "nwparser.payload", "deleted port-group %{info->} from the vCenter Server.", processor_chain([ - dup24, - dup2, - dup3, - dup4, -])); - -var msg148 = msg("DVPG_DELETE", part108); - -var msg149 = msg("DVS_HOSTMEMBER_INFO", dup87); - -var part109 = match("MESSAGE#149:DVS_NAME_CHANGE", "nwparser.payload", "Changed dvswitch name to %{info->} on the vCenter Server.", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg150 = msg("DVS_NAME_CHANGE", part109); - -var msg151 = msg("VMS_PPM_SYNC_COMPLETE", dup87); - -var part110 = match("MESSAGE#151:VPC_DELETED", "nwparser.payload", "vPC %{obj_name->} is deleted", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg152 = msg("VPC_DELETED", part110); - -var part111 = match("MESSAGE#152:VPC_UP", "nwparser.payload", "vPC %{obj_name->} is up", processor_chain([ - dup8, - dup2, - dup3, - dup4, - setc("event_description","VPC is up"), -])); - -var msg153 = msg("VPC_UP", part111); - -var part112 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/0", "nwparser.payload", "Configured from vty by %{username->} on %{p0}"); - -var part113 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_0", "nwparser.p0", 
"%{saddr}@%{terminal}"); - -var part114 = match_copy("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_1", "nwparser.p0", "saddr"); - -var select24 = linear_select([ - part113, - part114, -]); - -var all11 = all_match({ - processors: [ - part112, - select24, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - ]), -}); - -var msg154 = msg("VSHD_SYSLOG_CONFIG_I", all11); - -var part115 = match("MESSAGE#154:VSHD_SYSLOG_CONFIG_I:01", "nwparser.payload", "Configuring console from %{fld43->} %{saddr}", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg155 = msg("VSHD_SYSLOG_CONFIG_I:01", part115); - -var select25 = linear_select([ - msg154, - msg155, -]); - -var part116 = match("MESSAGE#155:AAA_ACCOUNTING_MESSAGE:18", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{event_description}; feature %{protocol->} (%{result})", processor_chain([ - dup23, - dup2, - dup3, - dup4, -])); - -var msg156 = msg("AAA_ACCOUNTING_MESSAGE:18", part116); - -var part117 = match("MESSAGE#156:AAA_ACCOUNTING_MESSAGE:17", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:enabled telnet", processor_chain([ - dup22, - dup37, - dup38, - dup17, - dup2, - dup3, - dup4, - dup39, - dup40, -])); - -var msg157 = msg("AAA_ACCOUNTING_MESSAGE:17", part117); - -var part118 = match("MESSAGE#157:AAA_ACCOUNTING_MESSAGE", "nwparser.payload", "start:%{saddr}@%{application}:%{username}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","program start"), -])); - -var msg158 = msg("AAA_ACCOUNTING_MESSAGE", part118); - -var part119 = match("MESSAGE#158:AAA_ACCOUNTING_MESSAGE:08", "nwparser.payload", "start:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg159 = msg("AAA_ACCOUNTING_MESSAGE:08", part119); - -var part120 = match("MESSAGE#159:AAA_ACCOUNTING_MESSAGE:03", "nwparser.payload", "start:%{saddr}(%{terminal}):%{username}:", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - 
-var msg160 = msg("AAA_ACCOUNTING_MESSAGE:03", part120); - -var part121 = match("MESSAGE#160:AAA_ACCOUNTING_MESSAGE:19", "nwparser.payload", "start:%{fld40}:%{username}:", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg161 = msg("AAA_ACCOUNTING_MESSAGE:19", part121); - -var part122 = match("MESSAGE#161:AAA_ACCOUNTING_MESSAGE:22", "nwparser.payload", "update:::added user %{username}", processor_chain([ - dup19, - dup2, - dup3, - dup4, -])); - -var msg162 = msg("AAA_ACCOUNTING_MESSAGE:22", part122); - -var part123 = match("MESSAGE#162:AAA_ACCOUNTING_MESSAGE:23", "nwparser.payload", "update:::%{event_description}", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg163 = msg("AAA_ACCOUNTING_MESSAGE:23", part123); - -var part124 = match("MESSAGE#163:AAA_ACCOUNTING_MESSAGE:11", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport}) deleted", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg164 = msg("AAA_ACCOUNTING_MESSAGE:11", part124); - -var part125 = match("MESSAGE#164:AAA_ACCOUNTING_MESSAGE:12", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport->} timeout:%{fld44->} retry:%{fld45->} tagList:trap params:%{fld46}) added", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg165 = msg("AAA_ACCOUNTING_MESSAGE:12", part125); - -var part126 = match("MESSAGE#165:AAA_ACCOUNTING_MESSAGE:13", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to up", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg166 = msg("AAA_ACCOUNTING_MESSAGE:13", part126); - -var part127 = match("MESSAGE#166:AAA_ACCOUNTING_MESSAGE:14", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to down", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg167 = 
msg("AAA_ACCOUNTING_MESSAGE:14", part127); - -var part128 = match("MESSAGE#167:AAA_ACCOUNTING_MESSAGE:15", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Performing configuration copy.", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg168 = msg("AAA_ACCOUNTING_MESSAGE:15", part128); - -var part129 = match("MESSAGE#168:AAA_ACCOUNTING_MESSAGE:16", "nwparser.payload", "update:%{saddr}@%{application}:%{username}:terminal length %{dclass_counter1->} (%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - dup41, -])); - -var msg169 = msg("AAA_ACCOUNTING_MESSAGE:16", part129); - -var part130 = match("MESSAGE#169:AAA_ACCOUNTING_MESSAGE:04", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal length %{fld5}:%{result}", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg170 = msg("AAA_ACCOUNTING_MESSAGE:04", part130); - -var part131 = match("MESSAGE#170:AAA_ACCOUNTING_MESSAGE:01", "nwparser.payload", "update:%{saddr}@%{terminal}:%{application}:terminal width %{dclass_counter1->} (%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - dup41, -])); - -var msg171 = msg("AAA_ACCOUNTING_MESSAGE:01", part131); - -var part132 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_0", "nwparser.p0", "configure terminal ; ntp source-interface %{sinterface->} (%{p0}"); - -var part133 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_1", "nwparser.p0", "show ntp statistics peer ipaddr %{hostip->} (%{p0}"); - -var select26 = linear_select([ - part132, - part133, -]); - -var all12 = all_match({ - processors: [ - dup42, - select26, - dup43, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - dup44, - ]), -}); - -var msg172 = msg("AAA_ACCOUNTING_MESSAGE:27", all12); - -var part134 = match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_0", "nwparser.p0", "clock set %{event_time_string->} (%{p0}"); - -var part135 = match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_1", "nwparser.p0", "show logging last 
%{fld1->} (%{p0}"); - -var select27 = linear_select([ - part134, - part135, -]); - -var all13 = all_match({ - processors: [ - dup42, - select27, - dup43, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - dup44, - ]), -}); - -var msg173 = msg("AAA_ACCOUNTING_MESSAGE:28", all13); - -var part136 = match("MESSAGE#173:AAA_ACCOUNTING_MESSAGE:20", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info->} (%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg174 = msg("AAA_ACCOUNTING_MESSAGE:20", part136); - -var part137 = match("MESSAGE#174:AAA_ACCOUNTING_MESSAGE:30", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:added user %{c_username}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup11, - dup17, - setc("event_description","Added user"), - dup44, -])); - -var msg175 = msg("AAA_ACCOUNTING_MESSAGE:30", part137); - -var part138 = match("MESSAGE#175:AAA_ACCOUNTING_MESSAGE:29", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:deleted user %{c_username}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup11, - dup17, - setc("event_description","Deleted user"), - dup44, -])); - -var msg176 = msg("AAA_ACCOUNTING_MESSAGE:29", part138); - -var part139 = match("MESSAGE#176:AAA_ACCOUNTING_MESSAGE:21", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info}", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg177 = msg("AAA_ACCOUNTING_MESSAGE:21", part139); - -var part140 = match("MESSAGE#177:AAA_ACCOUNTING_MESSAGE:07", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal width %{dclass_counter1}:%{result}", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg178 = msg("AAA_ACCOUNTING_MESSAGE:07", part140); - -var part141 = match("MESSAGE#178:AAA_ACCOUNTING_MESSAGE:05", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal session-timeout %{fld5}:%{result}", processor_chain([ - dup15, - dup2, - dup3, - dup4, 
-])); - -var msg179 = msg("AAA_ACCOUNTING_MESSAGE:05", part141); - -var part142 = match("MESSAGE#179:AAA_ACCOUNTING_MESSAGE:10", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:copy %{event_description}", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg180 = msg("AAA_ACCOUNTING_MESSAGE:10", part142); - -var part143 = match("MESSAGE#180:AAA_ACCOUNTING_MESSAGE:24", "nwparser.payload", "update:%{terminal}:%{username}: %{event_description}", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg181 = msg("AAA_ACCOUNTING_MESSAGE:24", part143); - -var part144 = match("MESSAGE#181:AAA_ACCOUNTING_MESSAGE:06", "nwparser.payload", "stop:%{saddr}(%{fld3}):%{username}:shell terminated", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg182 = msg("AAA_ACCOUNTING_MESSAGE:06", part144); - -var part145 = match("MESSAGE#182:AAA_ACCOUNTING_MESSAGE:02", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:shell %{result}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","shell terminated"), -])); - -var msg183 = msg("AAA_ACCOUNTING_MESSAGE:02", part145); - -var part146 = match("MESSAGE#183:AAA_ACCOUNTING_MESSAGE:25", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:%{fld40}", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg184 = msg("AAA_ACCOUNTING_MESSAGE:25", part146); - -var part147 = match("MESSAGE#184:AAA_ACCOUNTING_MESSAGE:09", "nwparser.payload", "stop:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg185 = msg("AAA_ACCOUNTING_MESSAGE:09", part147); - -var part148 = match("MESSAGE#185:AAA_ACCOUNTING_MESSAGE:26", "nwparser.payload", "stop:%{terminal}:%{username}:", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg186 = msg("AAA_ACCOUNTING_MESSAGE:26", part148); - -var select28 = linear_select([ - msg156, - msg157, - msg158, - msg159, - msg160, - msg161, - msg162, - msg163, - msg164, - 
msg165, - msg166, - msg167, - msg168, - msg169, - msg170, - msg171, - msg172, - msg173, - msg174, - msg175, - msg176, - msg177, - msg178, - msg179, - msg180, - msg181, - msg182, - msg183, - msg184, - msg185, - msg186, -]); - -var all14 = all_match({ - processors: [ - dup45, - dup98, - dup48, - dup99, - dup51, - dup98, - dup52, - dup99, - dup53, - dup100, - dup56, - dup101, - dup59, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","ACL Log Flow Interval"), - dup60, - ]), -}); - -var msg187 = msg("ACLLOG_FLOW_INTERVAL", all14); - -var part149 = match("MESSAGE#187:ACLLOG_MAXFLOW_REACHED", "nwparser.payload", "Maximum limit %{fld3->} reached for number of flows", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg188 = msg("ACLLOG_MAXFLOW_REACHED", part149); - -var all15 = all_match({ - processors: [ - dup45, - dup98, - dup48, - dup99, - dup51, - dup98, - dup52, - dup99, - dup53, - dup100, - dup56, - dup101, - dup59, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","ACL Lof New Flow"), - dup60, - ]), -}); - -var msg189 = msg("ACLLOG_NEW_FLOW", all15); - -var part150 = match("MESSAGE#189:DUP_VADDR_SRC_IP", "nwparser.payload", "%{process->} [%{process_id}] Source address of packet received from %{smacaddr->} on %{vlan}(%{interface}) is duplicate of local virtual ip, %{saddr}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - setc("event_description","Source address of packet received on vlan is duplicate of local virtual ip"), -])); - -var msg190 = msg("DUP_VADDR_SRC_IP", part150); - -var part151 = match("MESSAGE#190:IF_ERROR_VLANS_REMOVED", "nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are removed from suspended state.", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg191 = msg("IF_ERROR_VLANS_REMOVED", part151); - -var part152 = match("MESSAGE#191:IF_ERROR_VLANS_SUSPENDED", "nwparser.payload", "VLANs %{vlan->} on 
Interface %{sinterface->} are being suspended. (Reason: %{info})", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg192 = msg("IF_ERROR_VLANS_SUSPENDED", part152); - -var part153 = match("MESSAGE#192:IF_DOWN_CFG_CHANGE", "nwparser.payload", "Interface %{sinterface->} is down(%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg193 = msg("IF_DOWN_CFG_CHANGE", part153); - -var part154 = match("MESSAGE#193:PFM_CLOCK_CHANGE", "nwparser.payload", "Clock setting has been changed on the system. Please be aware that clock changes will force a recheckout of all existing VEM licenses. During this recheckout procedure, licensed VEMs which are offline will lose their licenses.%{}", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg194 = msg("PFM_CLOCK_CHANGE", part154); - -var part155 = match("MESSAGE#194:SYNC_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in syncing messages to standby for vdc %{fld3->} causing standby to reset.", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg195 = msg("SYNC_FAILURE_STANDBY_RESET", part155); - -var part156 = match("MESSAGE#195:snmpd", "nwparser.payload", "snmp_pss_snapshot : Copying local engine DB PSS file to url%{}", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg196 = msg("snmpd", part156); - -var part157 = match("MESSAGE#196:snmpd:01", "nwparser.payload", "SNMPD_SYSLOG_CONFIG_I: Configuration update from %{fld43}_%{saddr->} %{info}", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg197 = msg("snmpd:01", part157); - -var select29 = linear_select([ - msg196, - msg197, -]); - -var part158 = match("MESSAGE#197:CFGWRITE_USER_ABORT", "nwparser.payload", "Configuration copy aborted by the user.%{}", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg198 = msg("CFGWRITE_USER_ABORT", part158); - -var msg199 = msg("IF_DOWN_BIT_ERR_RT_THRES_EXCEEDED", dup95); - -var part159 = match("MESSAGE#199:last", 
"nwparser.payload", "message repeated %{dclass_counter1->} time", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","last message repeated number of times."), - setc("dclass_counter1_string","Number of times repeated"), -])); - -var msg200 = msg("last", part159); - -var part160 = match("MESSAGE#200:SERVICE_CRASHED", "nwparser.payload", "Service %{service->} (PID %{parent_pid}) hasn't caught signal %{fld43->} (%{result}).", processor_chain([ - dup32, - dup2, - dup3, - dup4, -])); - -var msg201 = msg("SERVICE_CRASHED", part160); - -var part161 = match("MESSAGE#201:SERVICELOST", "nwparser.payload", "Service %{service->} lost on WCCP Client %{saddr}", processor_chain([ - dup61, - dup2, - dup3, - dup4, - setc("event_description","Service lost on WCCP Client"), -])); - -var msg202 = msg("SERVICELOST", part161); - -var part162 = match("MESSAGE#202:IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", "nwparser.payload", "Interface %{interface->} is allowed to come up even with SFP checksum error", processor_chain([ - dup23, - dup2, - dup3, - dup4, -])); - -var msg203 = msg("IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", part162); - -var part163 = match("MESSAGE#203:PS_FAIL/0", "nwparser.payload", "Power supply %{fld43->} failed or shut%{p0}"); - -var part164 = match("MESSAGE#203:PS_FAIL/1_0", "nwparser.p0", " down %{p0}"); - -var part165 = match("MESSAGE#203:PS_FAIL/1_1", "nwparser.p0", "down %{p0}"); - -var select30 = linear_select([ - part164, - part165, -]); - -var part166 = match("MESSAGE#203:PS_FAIL/2", "nwparser.p0", "(Serial number %{serial_number})"); - -var all16 = all_match({ - processors: [ - part163, - select30, - part166, - ], - on_success: processor_chain([ - dup23, - dup2, - dup3, - dup4, - ]), -}); - -var msg204 = msg("PS_FAIL", all16); - -var msg205 = msg("INFORMATION", dup87); - -var msg206 = msg("EVENT", dup87); - -var part167 = match("MESSAGE#206:NATIVE_VLAN_MISMATCH", "nwparser.payload", "Native VLAN mismatch discovered on %{interface}, with 
%{fld23}", processor_chain([ - dup23, - dup2, - dup3, - dup4, -])); - -var msg207 = msg("NATIVE_VLAN_MISMATCH", part167); - -var part168 = match("MESSAGE#207:NEIGHBOR_ADDED", "nwparser.payload", "Device %{fld22->} discovered of type %{fld23->} with port %{fld24->} on incoming port %{interface->} with ip addr %{fld25->} and mgmt ip %{hostip}", processor_chain([ - dup29, - dup2, - dup3, - dup4, -])); - -var msg208 = msg("NEIGHBOR_ADDED", part168); - -var part169 = match("MESSAGE#208:NEIGHBOR_REMOVED", "nwparser.payload", "CDP Neighbor %{fld22->} on port %{interface->} has been removed", processor_chain([ - dup24, - dup2, - dup3, - dup4, -])); - -var msg209 = msg("NEIGHBOR_REMOVED", part169); - -var part170 = match("MESSAGE#209:IF_BANDWIDTH_CHANGE", "nwparser.payload", "Interface %{interface},%{event_description}", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var msg210 = msg("IF_BANDWIDTH_CHANGE", part170); - -var part171 = match("MESSAGE#210:IF_DOWN_PARENT_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (Parent interface down)", processor_chain([ - dup23, - dup2, - dup3, - dup4, -])); - -var msg211 = msg("IF_DOWN_PARENT_ADMIN_DOWN", part171); - -var part172 = match("MESSAGE#211:PORT_INDIVIDUAL_DOWN", "nwparser.payload", "individual port %{interface->} is down", processor_chain([ - dup23, - dup2, - dup3, - dup4, -])); - -var msg212 = msg("PORT_INDIVIDUAL_DOWN", part172); - -var part173 = match("MESSAGE#212:PORT_SUSPENDED", "nwparser.payload", "%{fld22}: %{interface->} is suspended", processor_chain([ - dup23, - dup2, - dup3, - dup4, -])); - -var msg213 = msg("PORT_SUSPENDED", part173); - -var part174 = match("MESSAGE#213:FEX_PORT_STATUS_NOTI", "nwparser.payload", "Uplink-ID %{fld22->} of Fex %{fld23->} that is connected with %{interface->} changed its status from %{change_old->} to %{change_new}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("change_attribute","status"), -])); - -var msg214 = msg("FEX_PORT_STATUS_NOTI", 
part174); - -var msg215 = msg("NOHMS_DIAG_ERR_PS_FAIL", dup102); - -var msg216 = msg("NOHMS_DIAG_ERR_PS_RECOVERED", dup87); - -var msg217 = msg("ADJCHANGE", dup87); - -var part175 = match("MESSAGE#217:PORT_ADDED", "nwparser.payload", "Interface %{interface}, added to VLAN%{vlan->} with role %{fld22}, state %{disposition}, %{info}", processor_chain([ - dup29, - dup2, - dup3, - dup4, -])); - -var msg218 = msg("PORT_ADDED", part175); - -var part176 = match("MESSAGE#218:PORT_DELETED", "nwparser.payload", "Interface %{interface}, removed from VLAN%{vlan}", processor_chain([ - dup24, - dup2, - dup3, - dup4, -])); - -var msg219 = msg("PORT_DELETED", part176); - -var part177 = match("MESSAGE#219:PORT_ROLE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} role changed to %{fld22}", processor_chain([ - dup62, - dup2, - dup3, - dup4, -])); - -var msg220 = msg("PORT_ROLE", part177); - -var part178 = match("MESSAGE#220:PORT_STATE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} moving from %{change_old->} to %{change_new}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("change_attribute","Port state"), -])); - -var msg221 = msg("PORT_STATE", part178); - -var part179 = match("MESSAGE#221:TACACS_ACCOUNTING_MESSAGE", "nwparser.payload", "update: %{saddr}@%{terminal}: %{username}: %{event_description}; feature %{protocol->} (%{result}) %{info}", processor_chain([ - dup23, - dup2, - dup3, - dup4, -])); - -var msg222 = msg("TACACS_ACCOUNTING_MESSAGE", part179); - -var part180 = match("MESSAGE#222:TACACS_ACCOUNTING_MESSAGE:01", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}: enabled telnet", processor_chain([ - dup22, - dup37, - dup38, - dup17, - dup2, - dup3, - dup4, - dup39, - dup40, -])); - -var msg223 = msg("TACACS_ACCOUNTING_MESSAGE:01", part180); - -var part181 = match("MESSAGE#368:TACACS_ACCOUNTING_MESSAGE:04", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: configure terminal ; ntp source-interface 
%{sinterface->} (%{result})%{info}", processor_chain([ - dup63, - dup2, - dup4, -])); - -var msg224 = msg("TACACS_ACCOUNTING_MESSAGE:04", part181); - -var part182 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/0", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: show %{p0}"); - -var part183 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_0", "nwparser.p0", "ntp statistics peer ipaddr %{hostip->} (%{p0}"); - -var part184 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_1", "nwparser.p0", "logging last %{fld3->} (%{p0}"); - -var select31 = linear_select([ - part183, - part184, -]); - -var part185 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/2", "nwparser.p0", "%{result})%{info}"); - -var all17 = all_match({ - processors: [ - part182, - select31, - part185, - ], - on_success: processor_chain([ - dup63, - dup2, - dup4, - ]), -}); - -var msg225 = msg("TACACS_ACCOUNTING_MESSAGE:05", all17); - -var part186 = match("MESSAGE#370:TACACS_ACCOUNTING_MESSAGE:06", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: clock set %{event_time_string->} (%{result})%{info}", processor_chain([ - dup63, - dup2, - dup4, -])); - -var msg226 = msg("TACACS_ACCOUNTING_MESSAGE:06", part186); - -var part187 = match("MESSAGE#371:TACACS_ACCOUNTING_MESSAGE:08", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: Performing configuration copy. 
%{info}", processor_chain([ - dup63, - dup2, - dup4, - setc("event_description","Performing configuration copy"), -])); - -var msg227 = msg("TACACS_ACCOUNTING_MESSAGE:08", part187); - -var part188 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/2", "nwparser.p0", "%{username}: shell terminated because of session timeout %{p0}"); - -var all18 = all_match({ - processors: [ - dup64, - dup103, - part188, - dup104, - ], - on_success: processor_chain([ - dup63, - dup2, - dup4, - setc("event_description","shell terminated because of session timeout"), - ]), -}); - -var msg228 = msg("TACACS_ACCOUNTING_MESSAGE:09", all18); - -var part189 = match("MESSAGE#373:TACACS_ACCOUNTING_MESSAGE:07/2", "nwparser.p0", "%{username}: %{event_description->} %{p0}"); - -var all19 = all_match({ - processors: [ - dup64, - dup103, - part189, - dup104, - ], - on_success: processor_chain([ - dup63, - dup2, - dup4, - ]), -}); - -var msg229 = msg("TACACS_ACCOUNTING_MESSAGE:07", all19); - -var select32 = linear_select([ - msg222, - msg223, - msg224, - msg225, - msg226, - msg227, - msg228, - msg229, -]); - -var msg230 = msg("TACACS_ERROR_MESSAGE", dup102); - -var msg231 = msg("IF_SFP_WARNING", dup105); - -var msg232 = msg("IF_DOWN_TCP_MAX_RETRANSMIT", dup106); - -var msg233 = msg("FCIP_PEER_CAVIUM", dup87); - -var msg234 = msg("IF_DOWN_PEER_CLOSE", dup106); - -var msg235 = msg("IF_DOWN_PEER_RESET", dup106); - -var part190 = match("MESSAGE#229:INTF_CONSISTENCY_FAILED", "nwparser.payload", "In domain %{domain}, VPC %{obj_name->} configuration is not consistent (%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","configuration is not consistent in domain"), -])); - -var msg236 = msg("INTF_CONSISTENCY_FAILED", part190); - -var part191 = match("MESSAGE#230:INTF_CONSISTENCY_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC %{obj_name->} configuration is consistent", processor_chain([ - dup8, - dup2, - dup3, - dup4, - setc("event_description","configuration 
is consistent in domain"), -])); - -var msg237 = msg("INTF_CONSISTENCY_SUCCESS", part191); - -var msg238 = msg("INTF_COUNTERS_CLEARED", dup105); - -var msg239 = msg("IF_HARDWARE", dup105); - -var part192 = match_copy("MESSAGE#233:HEARTBEAT_FAILURE", "nwparser.payload", "event_description", processor_chain([ - setc("eventcategory","1604010000"), - dup2, - dup3, - dup4, -])); - -var msg240 = msg("HEARTBEAT_FAILURE", part192); - -var msg241 = msg("SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG", dup87); - -var msg242 = msg("PFM_FAN_FLTR_STATUS", dup87); - -var msg243 = msg("MOUNT", dup87); - -var msg244 = msg("LOG_CMP_UP", dup87); - -var part193 = match("MESSAGE#238:IF_XCVR_WARNING/2", "nwparser.p0", "Temperature Warning cleared%{}"); - -var all20 = all_match({ - processors: [ - dup69, - dup107, - part193, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - ]), -}); - -var msg245 = msg("IF_XCVR_WARNING", all20); - -var msg246 = msg("IF_XCVR_WARNING:01", dup108); - -var select33 = linear_select([ - msg245, - msg246, -]); - -var part194 = match("MESSAGE#240:IF_XCVR_ALARM/2", "nwparser.p0", "Temperature Alarm cleared%{}"); - -var all21 = all_match({ - processors: [ - dup69, - dup107, - part194, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - ]), -}); - -var msg247 = msg("IF_XCVR_ALARM", all21); - -var msg248 = msg("IF_XCVR_ALARM:01", dup108); - -var select34 = linear_select([ - msg247, - msg248, -]); - -var msg249 = msg("MEMORY_ALERT", dup87); - -var msg250 = msg("MEMORY_ALERT_RECOVERED", dup87); - -var part195 = match("MESSAGE#244:IF_SFP_ALARM/2", "nwparser.p0", "Rx Power Alarm cleared%{}"); - -var all22 = all_match({ - processors: [ - dup69, - dup107, - part195, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - ]), -}); - -var msg251 = msg("IF_SFP_ALARM", all22); - -var msg252 = msg("IF_SFP_ALARM:01", dup108); - -var select35 = linear_select([ - msg251, - msg252, -]); - -var part196 = 
match_copy("MESSAGE#246:NBRCHANGE_DUAL", "nwparser.payload", "event_description", processor_chain([ - dup61, - dup2, - dup3, - dup4, -])); - -var msg253 = msg("NBRCHANGE_DUAL", part196); - -var part197 = match("MESSAGE#247:SOHMS_DIAG_ERROR/0", "nwparser.payload", "%{} %{device->} %{p0}"); - -var part198 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_0", "nwparser.p0", "%{action}: System %{p0}"); - -var part199 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_1", "nwparser.p0", "System %{p0}"); - -var select36 = linear_select([ - part198, - part199, -]); - -var part200 = match("MESSAGE#247:SOHMS_DIAG_ERROR/2", "nwparser.p0", "minor alarm on fans in fan tray %{dclass_counter1}"); - -var all23 = all_match({ - processors: [ - part197, - select36, - part200, - ], - on_success: processor_chain([ - dup61, - dup38, - dup72, - dup2, - dup3, - dup4, - setc("event_description","System minor alarm on fans in fan tray"), - ]), -}); - -var msg254 = msg("SOHMS_DIAG_ERROR", all23); - -var part201 = match("MESSAGE#248:SOHMS_DIAG_ERROR:01", "nwparser.payload", "%{device->} System minor alarm on power supply %{fld42}: %{result}", processor_chain([ - dup61, - dup38, - dup72, - dup2, - dup3, - dup4, - setc("event_description","FEX-System minor alarm on power supply."), -])); - -var msg255 = msg("SOHMS_DIAG_ERROR:01", part201); - -var part202 = match("MESSAGE#249:SOHMS_DIAG_ERROR:02", "nwparser.payload", "%{device}: %{event_description}", processor_chain([ - dup61, - dup38, - dup72, - dup2, - dup3, - dup4, -])); - -var msg256 = msg("SOHMS_DIAG_ERROR:02", part202); - -var select37 = linear_select([ - msg254, - msg255, - msg256, -]); - -var part203 = match("MESSAGE#250:M2FIB_MAC_TBL_PRGMING", "nwparser.payload", "Failed to program the mac table on %{device->} for group: %{fld1}, (%{fld2->} (%{fld3}), %{fld4}, %{hostip}). Error: %{result}. 
%{info}", processor_chain([ - dup73, - dup34, - dup38, - dup72, - dup2, - dup3, - dup4, - setc("event_description","Failed to program the mac table"), -])); - -var msg257 = msg("M2FIB_MAC_TBL_PRGMING", part203); - -var part204 = match("MESSAGE#251:DELETE_STALE_USER_ACCOUNT", "nwparser.payload", "deleting expired user account:%{username}", processor_chain([ - dup19, - dup11, - dup20, - setc("ec_theme","UserGroup"), - dup2, - dup3, - dup4, - setc("event_description","deleting expired user account"), -])); - -var msg258 = msg("DELETE_STALE_USER_ACCOUNT", part204); - -var part205 = match("MESSAGE#252:IF_ADMIN_UP", "nwparser.payload", "Interface %{interface->} is admin up", processor_chain([ - dup30, - dup34, - dup38, - dup17, - dup2, - dup3, - dup4, - setc("event_description","Interface is admin up."), -])); - -var msg259 = msg("IF_ADMIN_UP", part205); - -var part206 = match("MESSAGE#253:VPC_CFGD", "nwparser.payload", "vPC %{obj_name->} is configured", processor_chain([ - dup30, - dup34, - dup38, - dup17, - dup2, - dup3, - dup4, - setc("event_description","vPC is configured"), - dup74, -])); - -var msg260 = msg("VPC_CFGD", part206); - -var part207 = match("MESSAGE#254:MODULE_ONLINE", "nwparser.payload", "System Manager has received notification of %{info}", processor_chain([ - dup30, - dup38, - dup17, - dup2, - dup3, - dup4, - setc("event_description","System Manager has received notification of local module becoming online."), -])); - -var msg261 = msg("MODULE_ONLINE", part207); - -var part208 = match("MESSAGE#255:BIOS_DAEMON_LC_PRI_BOOT", "nwparser.payload", "System booted from Primary BIOS Flash%{}", processor_chain([ - dup30, - dup75, - dup76, - dup2, - dup3, - dup4, - setc("event_description","System booted from Primary BIOS Flash"), -])); - -var msg262 = msg("BIOS_DAEMON_LC_PRI_BOOT", part208); - -var part209 = match("MESSAGE#256:PEER_VPC_DOWN", "nwparser.payload", "Peer %{obj_name->} is down ()", processor_chain([ - dup77, - dup34, - dup38, - dup72, - dup2, - 
dup3, - dup4, - setc("event_description","Peer vPC is down"), - dup74, -])); - -var msg263 = msg("PEER_VPC_DOWN", part209); - -var part210 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/0", "nwparser.payload", "In domain %{domain}, %{p0}"); - -var part211 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/1_0", "nwparser.p0", "VPC%{p0}"); - -var part212 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/1_1", "nwparser.p0", "vPC%{p0}"); - -var select38 = linear_select([ - part211, - part212, -]); - -var part213 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/2", "nwparser.p0", "%{}peer%{p0}"); - -var part214 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/3_0", "nwparser.p0", "-keepalive%{p0}"); - -var part215 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/3_1", "nwparser.p0", " keep-alive%{p0}"); - -var select39 = linear_select([ - part214, - part215, -]); - -var part216 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/4", "nwparser.p0", "%{}received on interface %{interface}"); - -var all24 = all_match({ - processors: [ - part210, - select38, - part213, - select39, - part216, - ], - on_success: processor_chain([ - dup36, - dup2, - dup3, - dup4, - setc("event_description","In domain, VPC peer-keepalive received on interface"), - ]), -}); - -var msg264 = msg("PEER_KEEP_ALIVE_RECV_INT_LATEST", all24); - -var part217 = match("MESSAGE#258:PEER_KEEP_ALIVE_RECV_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC peer keep-alive receive is successful", processor_chain([ - dup36, - dup34, - dup78, - dup35, - dup17, - dup2, - dup3, - dup4, - setc("event_description","In domain, vPC peer keep-alive receive is successful"), -])); - -var msg265 = msg("PEER_KEEP_ALIVE_RECV_SUCCESS", part217); - -var part218 = match("MESSAGE#259:PEER_KEEP_ALIVE_RECV_FAIL", "nwparser.payload", "In domain %{domain}, VPC peer keep-alive receive has failed", processor_chain([ - dup77, - dup34, - dup78, - dup35, - dup14, - dup2, - dup3, - dup4, - 
setc("event_description","In domain, VPC peer keep-alive receive has failed"), -])); - -var msg266 = msg("PEER_KEEP_ALIVE_RECV_FAIL", part218); - -var part219 = match("MESSAGE#260:PEER_KEEP_ALIVE_SEND_INT_LATEST", "nwparser.payload", "In domain %{domain}, VPC peer-keepalive sent on interface %{interface}", processor_chain([ - dup36, - dup34, - dup79, - dup35, - dup2, - dup3, - dup4, - setc("event_description","In domain, VPC peer-keepalive sent on interface"), -])); - -var msg267 = msg("PEER_KEEP_ALIVE_SEND_INT_LATEST", part219); - -var part220 = match("MESSAGE#261:PEER_KEEP_ALIVE_SEND_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC peer keep-alive send is successful", processor_chain([ - dup36, - dup34, - dup79, - dup35, - dup17, - dup2, - dup3, - dup4, - setc("event_description","In domain, vPC peer keep-alive send is successful"), -])); - -var msg268 = msg("PEER_KEEP_ALIVE_SEND_SUCCESS", part220); - -var part221 = match("MESSAGE#262:PEER_KEEP_ALIVE_STATUS", "nwparser.payload", "In domain %{domain}, peer keep-alive status changed to %{change_new}", processor_chain([ - dup30, - dup34, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Peer keep-alive status changed."), - setc("change_attribute","peer keep-alive status"), -])); - -var msg269 = msg("PEER_KEEP_ALIVE_STATUS", part221); - -var part222 = match("MESSAGE#263:EJECTOR_STAT_CHANGED", "nwparser.payload", "Ejectors' status in slot %{fld47->} has changed, %{info}", processor_chain([ - dup30, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Ejectors' status in slot has changed."), -])); - -var msg270 = msg("EJECTOR_STAT_CHANGED", part222); - -var part223 = match("MESSAGE#264:XBAR_DETECT", "nwparser.payload", "Xbar %{fld41->} detected (Serial number %{fld42})", processor_chain([ - dup29, - setc("ec_activity","Detect"), - dup38, - dup2, - dup3, - dup4, - setc("event_description","Xbar detected"), -])); - -var msg271 = msg("XBAR_DETECT", part223); - -var part224 = 
match("MESSAGE#265:XBAR_PWRUP", "nwparser.payload", "Xbar %{fld41->} powered up (Serial number %{fld42})", processor_chain([ - dup15, - dup75, - dup76, - dup2, - dup3, - dup4, - setc("event_description","Xbar powered up"), -])); - -var msg272 = msg("XBAR_PWRUP", part224); - -var part225 = match("MESSAGE#266:XBAR_PWRDN", "nwparser.payload", "Xbar %{fld41->} powered down (Serial number %{fld42})", processor_chain([ - dup15, - dup75, - setc("ec_activity","Stop"), - dup2, - dup3, - dup4, - setc("event_description","Xbar powered down"), -])); - -var msg273 = msg("XBAR_PWRDN", part225); - -var part226 = match("MESSAGE#267:XBAR_OK", "nwparser.payload", "Xbar %{fld41->} is online (serial: %{fld42})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Xbar is online"), -])); - -var msg274 = msg("XBAR_OK", part226); - -var part227 = match("MESSAGE#268:VPC_ISSU_START", "nwparser.payload", "Peer vPC switch ISSU start, locking configuration%{}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Peer vPC switch ISSU start, locking configuration"), -])); - -var msg275 = msg("VPC_ISSU_START", part227); - -var part228 = match("MESSAGE#269:VPC_ISSU_END", "nwparser.payload", "Peer vPC switch ISSU end, unlocking configuration%{}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Peer vPC switch ISSU end, unlocking configuration"), -])); - -var msg276 = msg("VPC_ISSU_END", part228); - -var part229 = match("MESSAGE#270:PORT_RANGE_ROLE", "nwparser.payload", "new_role=%{obj_name->} interface=%{interface->} mst=%{fld42}", processor_chain([ - dup62, - dup2, - dup3, - dup4, - setc("obj_type","new_role"), -])); - -var msg277 = msg("PORT_RANGE_ROLE", part229); - -var part230 = match("MESSAGE#271:PORT_RANGE_STATE", "nwparser.payload", "new_state=%{obj_name->} interface=%{interface->} mst=%{fld42}", processor_chain([ - dup62, - dup2, - dup3, - dup4, - setc("obj_type","new_state"), -])); - -var msg278 = 
msg("PORT_RANGE_STATE", part230); - -var part231 = match("MESSAGE#272:PORT_RANGE_DELETED", "nwparser.payload", "Interface %{interface->} removed from mst=%{fld42}", processor_chain([ - dup24, - dup34, - dup20, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Interface removed from MST."), -])); - -var msg279 = msg("PORT_RANGE_DELETED", part231); - -var part232 = match("MESSAGE#273:PORT_RANGE_ADDED", "nwparser.payload", "Interface %{interface->} added to mst=%{fld42->} with %{info}", processor_chain([ - dup29, - dup34, - dup80, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Interface added to MST."), -])); - -var msg280 = msg("PORT_RANGE_ADDED", part232); - -var part233 = match("MESSAGE#274:MST_PORT_BOUNDARY", "nwparser.payload", "Port %{portname->} removed as MST Boundary port", processor_chain([ - dup24, - dup34, - dup20, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Port removed as MST Boundary port"), -])); - -var msg281 = msg("MST_PORT_BOUNDARY", part233); - -var part234 = match("MESSAGE#275:PIXM_SYSLOG_MESSAGE_TYPE_CRIT", "nwparser.payload", "Non-transactional PIXM Error. 
Error Type: %{result}.%{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - setc("event_description","Non-transactional PIXM Error"), -])); - -var msg282 = msg("PIXM_SYSLOG_MESSAGE_TYPE_CRIT", part234); - -var part235 = match("MESSAGE#276:IM_INTF_STATE", "nwparser.payload", "%{interface->} is %{obj_name->} in vdc %{fld43}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - setc("obj_type"," Interface state"), -])); - -var msg283 = msg("IM_INTF_STATE", part235); - -var part236 = match("MESSAGE#277:VDC_STATE_CHANGE", "nwparser.payload", "vdc %{fld43->} state changed to %{obj_name}", processor_chain([ - dup62, - dup34, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","VDC state changed."), - setc("obj_type"," VDC state"), -])); - -var msg284 = msg("VDC_STATE_CHANGE", part236); - -var part237 = match("MESSAGE#278:SWITCHOVER_OVER", "nwparser.payload", "Switchover completed.%{}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - dup81, -])); - -var msg285 = msg("SWITCHOVER_OVER", part237); - -var part238 = match("MESSAGE#279:VDC_MODULETYPE", "nwparser.payload", "%{process}: Module type changed to %{obj_name}", processor_chain([ - dup62, - dup16, - dup38, - dup2, - dup3, - dup4, - dup81, - setc("obj_type"," New Module type"), -])); - -var msg286 = msg("VDC_MODULETYPE", part238); - -var part239 = match("MESSAGE#280:HASEQNO_SYNC_FAILED", "nwparser.payload", "Unable to sync HA sequence number %{fld44->} for service \"%{service}\" (PID %{process_id}): %{result}.", processor_chain([ - dup77, - dup34, - dup35, - dup14, - dup2, - dup3, - dup4, - setc("event_description","Unable to sync HA sequence number for service"), -])); - -var msg287 = msg("HASEQNO_SYNC_FAILED", part239); - -var part240 = match("MESSAGE#281:MSG_SEND_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in sending message to standby causing standby to reset.%{}", processor_chain([ - dup1, - dup34, - dup79, - dup35, - dup14, - dup2, - dup3, - dup4, - 
setc("event_description","Failure in sending message to standby causing standby to reset."), -])); - -var msg288 = msg("MSG_SEND_FAILURE_STANDBY_RESET", part240); - -var part241 = match("MESSAGE#282:MODULE_LOCK_FAILED", "nwparser.payload", "Failed to lock the local module to avoid reset (error-id %{resultcode}).", processor_chain([ - dup1, - dup2, - dup3, - dup4, - setc("event_description","Failed to lock the local module to avoid reset"), -])); - -var msg289 = msg("MODULE_LOCK_FAILED", part241); - -var part242 = match("MESSAGE#283:L2FMC_NL_MTS_SEND_FAILURE", "nwparser.payload", "Failed to send Mac New Learns/Mac moves due to mts send failure errno %{resultcode}", processor_chain([ - dup1, - dup34, - dup79, - dup35, - dup14, - dup2, - dup3, - dup4, - setc("event_description","Failed to send Mac New Learns/Mac moves due to mts send failure."), -])); - -var msg290 = msg("L2FMC_NL_MTS_SEND_FAILURE", part242); - -var part243 = match("MESSAGE#284:SERVER_ADDED", "nwparser.payload", "Server with Chassis ID %{id->} Port ID %{fld45->} management address %{fld46->} discovered on local port %{portname->} in vlan %{vlan->} %{info}", processor_chain([ - dup29, - dup80, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Server discovered on local in vlan 0 with enabled capability Station"), -])); - -var msg291 = msg("SERVER_ADDED", part243); - -var part244 = match("MESSAGE#285:SERVER_REMOVED", "nwparser.payload", "Server with Chassis ID %{id->} Port ID %{fld45->} on local port %{portname->} has been removed", processor_chain([ - dup24, - dup20, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Server on local port has been removed"), -])); - -var msg292 = msg("SERVER_REMOVED", part244); - -var part245 = match("MESSAGE#286:IF_DOWN_SUSPENDED_BY_SPEED", "nwparser.payload", "Interface %{interface->} is down %{info}", processor_chain([ - dup23, - dup34, - dup72, - dup2, - dup3, - dup4, - dup25, -])); - -var msg293 = msg("IF_DOWN_SUSPENDED_BY_SPEED", part245); - 
-var part246 = match("MESSAGE#287:PORT_INDIVIDUAL", "nwparser.payload", "port %{portname->} is operationally individual", processor_chain([ - dup8, - dup2, - dup3, - dup4, - setc("event_description","port is operationally individual"), -])); - -var msg294 = msg("PORT_INDIVIDUAL", part246); - -var part247 = match("MESSAGE#288:IF_DOWN_CHANNEL_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down %{info}", processor_chain([ - dup23, - dup34, - dup38, - dup72, - dup2, - dup3, - dup4, - dup25, -])); - -var msg295 = msg("IF_DOWN_CHANNEL_ADMIN_DOWN", part247); - -var part248 = match("MESSAGE#289:IF_ERRDIS_RECOVERY", "nwparser.payload", "Interface %{interface->} is being recovered from error disabled state %{info}", processor_chain([ - dup22, - dup2, - dup3, - dup4, - setc("event_description","Interface is being recovered from error disabled state"), -])); - -var msg296 = msg("IF_ERRDIS_RECOVERY", part248); - -var part249 = match("MESSAGE#290:IF_NON_CISCO_TRANSCEIVER", "nwparser.payload", "Non-Cisco transceiver on interface %{interface->} is detected", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","Non-Cisco transceiver on interface is detected"), -])); - -var msg297 = msg("IF_NON_CISCO_TRANSCEIVER", part249); - -var part250 = match("MESSAGE#291:ACTIVE_LOWER_MEM_THAN_STANDBY", "nwparser.payload", "Active supervisor in slot %{fld47->} is running with less memory than standby supervisor in slot %{fld48}.", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","Active supervisor is running with less memory than standby supervisor."), -])); - -var msg298 = msg("ACTIVE_LOWER_MEM_THAN_STANDBY", part250); - -var part251 = match("MESSAGE#292:READCONF_STARTED", "nwparser.payload", "Configuration update started (PID %{process_id}).", processor_chain([ - dup30, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Configuration update started."), -])); - -var msg299 = msg("READCONF_STARTED", 
part251); - -var part252 = match("MESSAGE#293:SUP_POWERDOWN", "nwparser.payload", "Supervisor in slot %{fld47->} is running with less memory than active supervisor in slot %{fld48}", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","Supervisor is running with less memory than active supervisor."), -])); - -var msg300 = msg("SUP_POWERDOWN", part252); - -var part253 = match("MESSAGE#294:LC_UPGRADE_START", "nwparser.payload", "Starting linecard upgrade%{}", processor_chain([ - dup30, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Starting linecard upgrade"), -])); - -var msg301 = msg("LC_UPGRADE_START", part253); - -var part254 = match("MESSAGE#295:LC_UPGRADE_REBOOT", "nwparser.payload", "Rebooting linecard as a part of upgrade%{}", processor_chain([ - dup30, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Rebooting linecard as a part of upgrade"), -])); - -var msg302 = msg("LC_UPGRADE_REBOOT", part254); - -var part255 = match("MESSAGE#296:RUNTIME_DB_RESTORE_STARTED", "nwparser.payload", "Runtime database controller started (PID %{process_id}).", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","Runtime database controller started."), -])); - -var msg303 = msg("RUNTIME_DB_RESTORE_STARTED", part255); - -var part256 = match("MESSAGE#297:RUNTIME_DB_RESTORE_SUCCESS", "nwparser.payload", "Runtime database successfully restored.%{}", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","Runtime database successfully restored."), -])); - -var msg304 = msg("RUNTIME_DB_RESTORE_SUCCESS", part256); - -var part257 = match("MESSAGE#298:LCM_MODULE_UPGRADE_START", "nwparser.payload", "Upgrade of module %{fld49->} started", processor_chain([ - dup30, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Upgrade of module started"), -])); - -var msg305 = msg("LCM_MODULE_UPGRADE_START", part257); - -var part258 = 
match("MESSAGE#299:LCM_MODULE_UPGRADE_END", "nwparser.payload", "Upgrade of module %{fld49->} ended", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","Upgrade of module ended"), -])); - -var msg306 = msg("LCM_MODULE_UPGRADE_END", part258); - -var part259 = match("MESSAGE#300:FIPS_POST_INFO_MSG", "nwparser.payload", "Recieved insert for %{fld50}", processor_chain([ - dup63, - dup34, - dup78, - dup35, - dup2, - dup3, - dup4, - setc("event_description","Recieved insert for lc mod"), -])); - -var msg307 = msg("FIPS_POST_INFO_MSG", part259); - -var part260 = match("MESSAGE#301:PEER_VPC_CFGD", "nwparser.payload", "peer vPC %{obj_name->} is configured", processor_chain([ - dup30, - dup34, - dup38, - dup17, - dup2, - dup3, - dup4, - setc("event_description","peer vPC is configured"), - dup74, -])); - -var msg308 = msg("PEER_VPC_CFGD", part260); - -var part261 = match("MESSAGE#302:SYN_COLL_DIS_EN", "nwparser.payload", "%{info}: Potential Interop issue on [%{interface}]: %{result}", processor_chain([ - dup73, - dup34, - dup38, - dup72, - dup2, - dup3, - dup4, - setc("event_description","Potential Interop issue on interface."), -])); - -var msg309 = msg("SYN_COLL_DIS_EN", part261); - -var part262 = match("MESSAGE#303:NOHMS_ENV_FEX_OFFLINE", "nwparser.payload", "%{device->} Off-line (Serial Number %{fld42})", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","FEX OFFLINE"), -])); - -var msg310 = msg("NOHMS_ENV_FEX_OFFLINE", part262); - -var part263 = match("MESSAGE#304:NOHMS_ENV_FEX_ONLINE", "nwparser.payload", "%{device->} On-line", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","FEX ONLINE"), -])); - -var msg311 = msg("NOHMS_ENV_FEX_ONLINE", part263); - -var part264 = match("MESSAGE#305:FEX_STATUS_online", "nwparser.payload", "%{device->} is online", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","Fex is online"), -])); - -var msg312 = 
msg("FEX_STATUS_online", part264); - -var part265 = match("MESSAGE#306:FEX_STATUS_offline", "nwparser.payload", "%{device->} is offline", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","Fex is offline"), -])); - -var msg313 = msg("FEX_STATUS_offline", part265); - -var select40 = linear_select([ - msg312, - msg313, -]); - -var part266 = match("MESSAGE#307:PS_PWR_INPUT_MISSING", "nwparser.payload", "Power supply %{fld41->} present but all AC/DC inputs are not connected, power redundancy might be affected", processor_chain([ - dup73, - dup38, - dup72, - dup2, - dup3, - dup4, - setc("event_description","Power supply present but all AC/DC inputs are not connected, power redundancy might be affected"), -])); - -var msg314 = msg("PS_PWR_INPUT_MISSING", part266); - -var part267 = match("MESSAGE#308:PS_RED_MODE_RESTORED", "nwparser.payload", "Power redundancy operational mode changed to %{change_new}", processor_chain([ - dup30, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Power redundancy operational mode changed."), - setc("change_attribute","operational mode"), -])); - -var msg315 = msg("PS_RED_MODE_RESTORED", part267); - -var part268 = match("MESSAGE#309:MOD_PWRFAIL_EJECTORS_OPEN", "nwparser.payload", "All ejectors open, Module %{fld41->} will not be powered up (Serial number %{fld42})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - setc("event_description","All ejectors open, Module will not be powered up."), -])); - -var msg316 = msg("MOD_PWRFAIL_EJECTORS_OPEN", part268); - -var part269 = match("MESSAGE#310:PINNING_CHANGED", "nwparser.payload", "%{device->} pinning information is changed", processor_chain([ - dup30, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Fex pinning information is changed"), -])); - -var msg317 = msg("PINNING_CHANGED", part269); - -var part270 = match("MESSAGE#311:SATCTRL", "nwparser.payload", "%{device->} Module %{fld41}: Cold boot", processor_chain([ - 
dup30, - dup2, - dup3, - dup4, - setc("event_description","FEX-100 Module -Cold boot"), -])); - -var msg318 = msg("SATCTRL", part270); - -var part271 = match("MESSAGE#312:DUP_REGISTER", "nwparser.payload", "%{fld51->} [%{fld52}] Client %{fld43->} register more than once with same pid%{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - setc("event_description","Client register more than once with same pid"), -])); - -var msg319 = msg("DUP_REGISTER", part271); - -var part272 = match("MESSAGE#313:UNKNOWN_MTYPE", "nwparser.payload", "%{fld51->} [%{fld52}] Unknown mtype: %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - setc("event_description","Unknown mtype"), -])); - -var msg320 = msg("UNKNOWN_MTYPE", part272); - -var part273 = match("MESSAGE#314:SATCTRL_IMAGE", "nwparser.payload", "%{fld51->} %{event_description}", processor_chain([ - dup30, - dup16, - dup38, - dup2, - dup3, - dup4, -])); - -var msg321 = msg("SATCTRL_IMAGE", part273); - -var part274 = match("MESSAGE#315:API_FAILED", "nwparser.payload", "%{fld51->} [%{fld52}] %{event_description}", processor_chain([ - dup1, - setc("ec_subject","Process"), - dup14, - dup2, - dup3, - dup4, -])); - -var msg322 = msg("API_FAILED", part274); - -var part275 = match_copy("MESSAGE#316:SENSOR_MSG1", "nwparser.payload", "event_description", processor_chain([ - dup8, - dup2, - dup3, - dup4, -])); - -var msg323 = msg("SENSOR_MSG1", part275); - -var part276 = match("MESSAGE#317:API_INIT_SEM_CLEAR", "nwparser.payload", "%{fld51->} [%{fld52}] %{event_description}", processor_chain([ - dup30, - dup2, - dup3, - dup4, -])); - -var msg324 = msg("API_INIT_SEM_CLEAR", part276); - -var part277 = match("MESSAGE#318:VDC_ONLINE", "nwparser.payload", "vdc %{fld51->} has come online", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","vdc has come online"), -])); - -var msg325 = msg("VDC_ONLINE", part277); - -var part278 = match("MESSAGE#319:LACP_SUSPEND_INDIVIDUAL", "nwparser.payload", "LACP 
port %{portname->} of port-channel %{interface->} not receiving any LACP BPDUs %{result}", processor_chain([ - dup77, - dup34, - dup78, - dup35, - dup72, - dup2, - dup3, - dup4, - setc("event_description","LACP port of port-channel not receiving any LACP BPDUs."), -])); - -var msg326 = msg("LACP_SUSPEND_INDIVIDUAL", part278); - -var part279 = match("MESSAGE#320:dstats", "nwparser.payload", "%{process}: %{info}", processor_chain([ - dup8, - dup2, - dup3, - dup4, -])); - -var msg327 = msg("dstats", part279); - -var part280 = match("MESSAGE#321:MSG_PORT_LOGGED_OUT", "nwparser.payload", "%{fld52->} [VSAN %{fld51}, Interface %{interface}: %{fld53->} Nx Port %{portname->} logged OUT.", processor_chain([ - dup77, - dup34, - setc("ec_activity","Logoff"), - dup35, - dup2, - dup3, - dup4, -])); - -var msg328 = msg("MSG_PORT_LOGGED_OUT", part280); - -var part281 = match("MESSAGE#322:MSG_PORT_LOGGED_IN", "nwparser.payload", "%{fld52->} [VSAN %{fld51}, Interface %{interface}: %{fld53->} Nx Port %{portname->} with FCID %{fld54->} logged IN.", processor_chain([ - dup77, - dup34, - dup13, - dup35, - dup2, - dup3, - dup4, -])); - -var msg329 = msg("MSG_PORT_LOGGED_IN", part281); - -var msg330 = msg("IF_DOWN_ELP_FAILURE_ISOLATION", dup96); - -var part282 = match("MESSAGE#324:ZS_MERGE_FAILED", "nwparser.payload", "%{fld52->} Zone merge failure, isolating interface %{interface->} reason: %{result}:[%{resultcode}]", processor_chain([ - dup23, - dup34, - dup35, - dup14, - dup2, - dup3, - dup4, -])); - -var msg331 = msg("ZS_MERGE_FAILED", part282); - -var msg332 = msg("IF_DOWN_ZONE_MERGE_FAILURE_ISOLATION", dup96); - -var part283 = match("MESSAGE#326:MAC_MOVE_NOTIFICATION", "nwparser.payload", "Host %{hostname->} in vlan %{vlan->} is flapping between port %{change_old->} and port %{change_new}", processor_chain([ - dup23, - dup34, - dup35, - dup2, - dup3, - dup4, - setc("change_attribute","Port"), -])); - -var msg333 = msg("MAC_MOVE_NOTIFICATION", part283); - -var part284 = 
match("MESSAGE#327:zone", "nwparser.payload", "num_tlv greater than 1, %{result}", processor_chain([ - dup8, - dup2, - dup3, - dup4, -])); - -var msg334 = msg("zone", part284); - -var part285 = match("MESSAGE#328:ERROR", "nwparser.payload", "%{event_description}: %{info}", processor_chain([ - dup1, - dup34, - dup35, - dup72, - dup2, - dup3, - dup4, -])); - -var msg335 = msg("ERROR", part285); - -var part286 = match("MESSAGE#329:INVAL_IP", "nwparser.payload", "%{agent->} [%{process_id}] Received packet with invalid destination IP address (%{daddr}) from %{smacaddr->} on %{interface}", processor_chain([ - dup77, - dup34, - dup78, - dup35, - dup72, - dup2, - dup3, - dup4, -])); - -var msg336 = msg("INVAL_IP", part286); - -var part287 = match("MESSAGE#330:SYSLOG_SL_MSG_WARNING", "nwparser.payload", "%{process}: message repeated %{dclass_counter1->} times in last %{duration}", processor_chain([ - dup1, - dup2, - dup3, - dup4, -])); - -var msg337 = msg("SYSLOG_SL_MSG_WARNING", part287); - -var part288 = match("MESSAGE#331:DUPLEX_MISMATCH", "nwparser.payload", "Duplex mismatch discovered on %{interface}, with %{fld55}", processor_chain([ - dup77, - dup34, - dup35, - dup72, - dup2, - dup3, - dup4, -])); - -var msg338 = msg("DUPLEX_MISMATCH", part288); - -var part289 = match("MESSAGE#332:NOHMS_DIAG_ERROR", "nwparser.payload", "Module %{fld20}: Runtime diag detected major event: Fabric port failure %{interface}", processor_chain([ - dup77, - dup34, - dup35, - dup72, - dup2, - dup3, - dup4, -])); - -var msg339 = msg("NOHMS_DIAG_ERROR", part289); - -var part290 = match("MESSAGE#333:STM_LEARNING_RE_ENABLE", "nwparser.payload", "Re enabling dynamic learning on all interfaces%{}", processor_chain([ - dup15, - dup34, - dup35, - dup2, - dup3, - dup4, -])); - -var msg340 = msg("STM_LEARNING_RE_ENABLE", part290); - -var part291 = match("MESSAGE#334:UDLD_PORT_DISABLED", "nwparser.payload", "UDLD disabled interface %{interface}, %{result}", processor_chain([ - dup77, - dup34, - dup35, 
- dup72, - dup2, - dup3, - dup4, -])); - -var msg341 = msg("UDLD_PORT_DISABLED", part291); - -var part292 = match("MESSAGE#335:ntpd", "nwparser.payload", "ntp:no servers reachable%{}", processor_chain([ - dup15, - dup2, - dup4, -])); - -var msg342 = msg("ntpd", part292); - -var part293 = match("MESSAGE#336:ntpd:01", "nwparser.payload", "ntp:event EVNT_UNREACH %{saddr}", processor_chain([ - dup15, - dup2, - dup4, -])); - -var msg343 = msg("ntpd:01", part293); - -var part294 = match("MESSAGE#337:ntpd:02", "nwparser.payload", "ntp:event EVNT_REACH %{saddr}", processor_chain([ - dup15, - dup2, - dup4, -])); - -var msg344 = msg("ntpd:02", part294); - -var part295 = match("MESSAGE#338:ntpd:03", "nwparser.payload", "ntp:synchronized to %{saddr}, stratum %{fld9}", processor_chain([ - dup15, - dup2, - dup4, -])); - -var msg345 = msg("ntpd:03", part295); - -var part296 = match("MESSAGE#339:ntpd:04", "nwparser.payload", "ntp:%{event_description}", processor_chain([ - dup15, - dup2, - dup4, -])); - -var msg346 = msg("ntpd:04", part296); - -var select41 = linear_select([ - msg342, - msg343, - msg344, - msg345, - msg346, -]); - -var part297 = match_copy("MESSAGE#340:PFM_ALERT", "nwparser.payload", "event_description", processor_chain([ - dup9, - dup2, - dup3, - dup4, -])); - -var msg347 = msg("PFM_ALERT", part297); - -var part298 = match("MESSAGE#341:SERVICEFOUND", "nwparser.payload", "Service %{service->} acquired on WCCP Client %{saddr}", processor_chain([ - dup61, - dup2, - dup3, - dup4, - setc("event_description","Service acquired on WCCP Client"), -])); - -var msg348 = msg("SERVICEFOUND", part298); - -var part299 = match("MESSAGE#342:ROUTERFOUND", "nwparser.payload", "Service %{service->} acquired on WCCP Router %{saddr}", processor_chain([ - dup61, - dup2, - dup3, - dup4, - setc("event_description","Service acquired on WCCP Router"), -])); - -var msg349 = msg("ROUTERFOUND", part299); - -var part300 = match("MESSAGE#343:%AUTHPRIV-3-SYSTEM_MSG", "nwparser.payload", 
"pam_aaa:Authentication failed from %{shost->} - %{agent}", processor_chain([ - dup5, - dup2, - dup3, - dup4, - setc("event_description","Authentication failed"), -])); - -var msg350 = msg("%AUTHPRIV-3-SYSTEM_MSG", part300); - -var part301 = match("MESSAGE#344:%AUTHPRIV-5-SYSTEM_MSG", "nwparser.payload", "New user added with username %{username->} - %{agent}", processor_chain([ - dup18, - dup2, - dup12, - dup3, - dup4, - setc("event_description","New user added"), -])); - -var msg351 = msg("%AUTHPRIV-5-SYSTEM_MSG", part301); - -var part302 = match("MESSAGE#345:%AUTHPRIV-6-SYSTEM_MSG:01", "nwparser.payload", "%{action}: %{service->} pid=%{process_id->} from=::ffff:%{saddr->} - %{agent}", processor_chain([ - dup10, - dup2, - dup12, - dup3, - dup4, -])); - -var msg352 = msg("%AUTHPRIV-6-SYSTEM_MSG:01", part302); - -var part303 = match("MESSAGE#346:%AUTHPRIV-6-SYSTEM_MSG", "nwparser.payload", "pam_unix(%{fld1}:session): session opened for user %{username->} by (uid=%{uid}) - %{agent}", processor_chain([ - dup10, - dup2, - dup12, - dup3, - dup4, - setc("event_description","session opened for user"), -])); - -var msg353 = msg("%AUTHPRIV-6-SYSTEM_MSG", part303); - -var select42 = linear_select([ - msg352, - msg353, -]); - -var part304 = match("MESSAGE#347:%USER-3-SYSTEM_MSG", "nwparser.payload", "error: %{result}", processor_chain([ - dup5, - dup2, - dup3, - dup4, -])); - -var msg354 = msg("%USER-3-SYSTEM_MSG", part304); - -var part305 = match("MESSAGE#348:%USER-6-SYSTEM_MSG", "nwparser.payload", "Invalid user %{username->} from %{saddr->} - %{agent}", processor_chain([ - dup5, - dup2, - dup3, - dup4, - dup82, -])); - -var msg355 = msg("%USER-6-SYSTEM_MSG", part305); - -var part306 = match("MESSAGE#349:%USER-6-SYSTEM_MSG:01", "nwparser.payload", "input_userauth_request: invalid user %{username->} - %{agent}", processor_chain([ - dup5, - dup2, - dup3, - dup4, - dup82, -])); - -var msg356 = msg("%USER-6-SYSTEM_MSG:01", part306); - -var part307 = 
match("MESSAGE#350:%USER-6-SYSTEM_MSG:02", "nwparser.payload", "Failed none for invalid user %{username->} from %{saddr->} port %{sport->} %{protocol->} - %{agent}", processor_chain([ - dup5, - dup2, - dup3, - dup4, - setc("event_description","Failed none for invalid user"), -])); - -var msg357 = msg("%USER-6-SYSTEM_MSG:02", part307); - -var part308 = match("MESSAGE#351:%USER-6-SYSTEM_MSG:03", "nwparser.payload", "Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol->} - %{agent}", processor_chain([ - dup83, - dup2, - dup3, - dup4, - setc("event_description","Accepted password for user"), -])); - -var msg358 = msg("%USER-6-SYSTEM_MSG:03", part308); - -var part309 = match("MESSAGE#352:%USER-6-SYSTEM_MSG:04", "nwparser.payload", "lastlog_openseek: Couldn't stat %{directory}: No such file or directory - %{agent}", processor_chain([ - dup83, - dup2, - dup3, - dup4, - setc("event_description","No such file or directory"), -])); - -var msg359 = msg("%USER-6-SYSTEM_MSG:04", part309); - -var part310 = match("MESSAGE#353:%USER-6-SYSTEM_MSG:05", "nwparser.payload", "Could not load host key: %{encryption_type->} - %{agent}", processor_chain([ - dup83, - dup2, - dup3, - dup4, - setc("event_description","Could not load host key"), -])); - -var msg360 = msg("%USER-6-SYSTEM_MSG:05", part310); - -var part311 = match("MESSAGE#354:%USER-6-SYSTEM_MSG:06", "nwparser.payload", "%{event_description->} - %{agent}", processor_chain([ - dup83, - dup2, - dup3, - dup4, -])); - -var msg361 = msg("%USER-6-SYSTEM_MSG:06", part311); - -var select43 = linear_select([ - msg355, - msg356, - msg357, - msg358, - msg359, - msg360, - msg361, -]); - -var part312 = match("MESSAGE#355:L2FM_MAC_FLAP_DISABLE_LEARN", "nwparser.payload", "Disabling learning in vlan %{vlan->} for %{duration}s due to too many mac moves", processor_chain([ - dup30, - dup2, - dup4, - setc("ec_activity","Disable"), -])); - -var msg362 = msg("L2FM_MAC_FLAP_DISABLE_LEARN", part312); - -var part313 = 
match("MESSAGE#356:L2FM_MAC_FLAP_RE_ENABLE_LEARN", "nwparser.payload", "Re-enabling learning in vlan %{vlan}", processor_chain([ - dup30, - dup2, - dup4, - dup37, -])); - -var msg363 = msg("L2FM_MAC_FLAP_RE_ENABLE_LEARN", part313); - -var part314 = match("MESSAGE#357:PS_ABSENT", "nwparser.payload", "Power supply %{fld1->} is %{disposition}, ps-redundancy might be affected", processor_chain([ - dup1, - dup2, - dup4, -])); - -var msg364 = msg("PS_ABSENT", part314); - -var part315 = match("MESSAGE#358:PS_DETECT", "nwparser.payload", "Power supply %{fld1->} detected but %{disposition->} (Serial number %{serial_number})", processor_chain([ - dup1, - dup2, - dup4, -])); - -var msg365 = msg("PS_DETECT", part315); - -var part316 = match("MESSAGE#359:SUBPROC_TERMINATED", "nwparser.payload", "\"System Manager (configuration controller)\" (PID %{process_id}) has finished with error code %{result->} (%{resultcode}).", processor_chain([ - dup1, - dup2, - dup4, -])); - -var msg366 = msg("SUBPROC_TERMINATED", part316); - -var part317 = match("MESSAGE#360:SUBPROC_SUCCESS_EXIT", "nwparser.payload", "\"%{service}\" (PID %{process_id}) has successfully exited with exit code %{result->} (%{resultcode}).", processor_chain([ - dup15, - dup2, - dup4, - dup84, - dup17, -])); - -var msg367 = msg("SUBPROC_SUCCESS_EXIT", part317); - -var part318 = match("MESSAGE#361:UPDOWN", "nwparser.payload", "Line Protocol on Interface vlan %{vlan}, changed state to %{disposition}", processor_chain([ - dup30, - dup2, - dup4, -])); - -var msg368 = msg("UPDOWN", part318); - -var part319 = match("MESSAGE#362:L2FM_MAC_MOVE2", "nwparser.payload", "Mac %{smacaddr->} in vlan %{vlan->} has moved between %{change_old->} to %{change_new}", processor_chain([ - dup30, - dup2, - dup4, - setc("change_attribute","Interface"), -])); - -var msg369 = msg("L2FM_MAC_MOVE2", part319); - -var part320 = match("MESSAGE#363:PFM_PS_RED_MODE_CHG", "nwparser.payload", "Power redundancy configured mode changed to %{event_state}", 
processor_chain([ - dup30, - dup2, - dup4, - dup38, -])); - -var msg370 = msg("PFM_PS_RED_MODE_CHG", part320); - -var part321 = match("MESSAGE#364:PS_RED_MODE_CHG", "nwparser.payload", "Power supply operational redundancy mode changed to %{event_state}", processor_chain([ - dup30, - dup2, - dup4, - dup38, -])); - -var msg371 = msg("PS_RED_MODE_CHG", part321); - -var part322 = match("MESSAGE#365:INVAL_MAC", "nwparser.payload", "%{agent->} [%{process_id}] Received packet with invalid source MAC address (%{smacaddr}) from %{saddr->} on %{vlan}", processor_chain([ - dup63, - dup2, - dup4, -])); - -var msg372 = msg("INVAL_MAC", part322); - -var part323 = match("MESSAGE#366:SRVSTATE_CHANGED", "nwparser.payload", "State for service \"%{service}\" changed from %{change_old->} to %{change_new->} in vdc %{fld1}.", processor_chain([ - dup15, - dup2, - dup4, - setc("change_attribute","Service status"), -])); - -var msg373 = msg("SRVSTATE_CHANGED", part323); - -var part324 = match_copy("MESSAGE#367:INFO", "nwparser.payload", "event_description", processor_chain([ - dup63, - dup2, - dup4, -])); - -var msg374 = msg("INFO", part324); - -var part325 = match("MESSAGE#374:SERVICE_STARTED", "nwparser.payload", "Service \"%{service}\" in vdc %{fld1->} started with PID(%{process_id}).", processor_chain([ - dup15, - dup2, - dup4, - dup84, - dup76, - dup17, -])); - -var msg375 = msg("SERVICE_STARTED", part325); - -var part326 = match("MESSAGE#375:DUP_VADDR_SRCIP_PROBE", "nwparser.payload", "%{process->} [%{process_id}] Duplicate address Detected. Probe packet received from %{smacaddr->} on %{vlan->} with destination set to our local Virtual ip, %{saddr}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - dup85, -])); - -var msg376 = msg("DUP_VADDR_SRCIP_PROBE", part326); - -var part327 = match("MESSAGE#376:DUP_SRCIP_PROBE", "nwparser.payload", "%{process->} [%{process_id}] Duplicate address Detected. 
Probe packet received from %{smacaddr->} on %{vlan->} with destination set to our local ip, %{saddr}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - dup85, -])); - -var msg377 = msg("DUP_SRCIP_PROBE", part327); - -var chain1 = processor_chain([ - select1, - msgid_select({ - "%AUTHPRIV-3-SYSTEM_MSG": msg350, - "%AUTHPRIV-5-SYSTEM_MSG": msg351, - "%AUTHPRIV-6-SYSTEM_MSG": select42, - "%USER-3-SYSTEM_MSG": msg354, - "%USER-6-SYSTEM_MSG": select43, - "AAA_ACCOUNTING_MESSAGE": select28, - "ACLLOG_FLOW_INTERVAL": msg187, - "ACLLOG_MAXFLOW_REACHED": msg188, - "ACLLOG_NEW_FLOW": msg189, - "ACTIVE_LOWER_MEM_THAN_STANDBY": msg298, - "ACTIVE_SUP_OK": msg74, - "ADDON_IMG_DNLD_COMPLETE": msg60, - "ADDON_IMG_DNLD_STARTED": msg61, - "ADDON_IMG_DNLD_SUCCESSFUL": msg62, - "ADJCHANGE": msg217, - "API_FAILED": msg322, - "API_INIT_SEM_CLEAR": msg324, - "BIOS_DAEMON_LC_PRI_BOOT": msg262, - "CFGWRITE_ABORTED": msg135, - "CFGWRITE_ABORTED_LOCK": msg133, - "CFGWRITE_DONE": msg136, - "CFGWRITE_FAILED": msg134, - "CFGWRITE_STARTED": msg137, - "CFGWRITE_USER_ABORT": msg198, - "CHASSIS_CLKMODOK": msg80, - "CHASSIS_CLKSRC": msg81, - "CONN_CONNECT": msg145, - "CONN_DISCONNECT": msg146, - "CREATED": msg51, - "DELETE_STALE_USER_ACCOUNT": msg258, - "DISPUTE_CLEARED": msg77, - "DISPUTE_DETECTED": msg78, - "DOMAIN_CFG_SYNC_DONE": msg79, - "DUPLEX_MISMATCH": msg338, - "DUP_REGISTER": msg319, - "DUP_SRCIP_PROBE": msg377, - "DUP_VADDR_SRCIP_PROBE": msg376, - "DUP_VADDR_SRC_IP": msg190, - "DVPG_CREATE": msg147, - "DVPG_DELETE": msg148, - "DVS_HOSTMEMBER_INFO": msg149, - "DVS_NAME_CHANGE": msg150, - "EJECTOR_STAT_CHANGED": msg270, - "ERROR": msg335, - "ERR_MSG": msg131, - "EVENT": msg206, - "FAN_DETECT": msg97, - "FAN_OK": msg82, - "FCIP_PEER_CAVIUM": msg233, - "FEX_PORT_STATUS_NOTI": msg214, - "FEX_STATUS": select40, - "FIPS_POST_INFO_MSG": msg307, - "FOP_CHANGED": msg52, - "HASEQNO_SYNC_FAILED": msg287, - "HEARTBEAT_FAILURE": msg240, - "IF_ADMIN_UP": msg259, - "IF_ATTACHED": msg138, - 
"IF_BANDWIDTH_CHANGE": msg210, - "IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR": msg203, - "IF_DELETE_AUTO": msg139, - "IF_DETACHED": msg140, - "IF_DETACHED_MODULE_REMOVED": msg141, - "IF_DOWN_ADMIN_DOWN": select11, - "IF_DOWN_BIT_ERR_RT_THRES_EXCEEDED": msg199, - "IF_DOWN_CFG_CHANGE": msg193, - "IF_DOWN_CHANNEL_ADMIN_DOWN": msg295, - "IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS": msg38, - "IF_DOWN_ELP_FAILURE_ISOLATION": msg330, - "IF_DOWN_ERROR_DISABLED": msg35, - "IF_DOWN_FCOT_NOT_PRESENT": select17, - "IF_DOWN_INACTIVE": msg142, - "IF_DOWN_INITIALIZING": select18, - "IF_DOWN_INTERFACE_REMOVED": msg39, - "IF_DOWN_LINK_FAILURE": select12, - "IF_DOWN_MODULE_REMOVED": msg42, - "IF_DOWN_NONE": select19, - "IF_DOWN_NON_PARTICIPATING": msg143, - "IF_DOWN_NOS_RCVD": select20, - "IF_DOWN_OFFLINE": msg114, - "IF_DOWN_OLS_RCVD": msg115, - "IF_DOWN_PARENT_ADMIN_DOWN": msg211, - "IF_DOWN_PEER_CLOSE": msg234, - "IF_DOWN_PEER_RESET": msg235, - "IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN": msg43, - "IF_DOWN_SOFTWARE_FAILURE": msg116, - "IF_DOWN_SRC_PORT_NOT_BOUND": msg117, - "IF_DOWN_SUSPENDED_BY_SPEED": msg293, - "IF_DOWN_TCP_MAX_RETRANSMIT": msg232, - "IF_DOWN_VEM_UNLICENSED": msg144, - "IF_DOWN_ZONE_MERGE_FAILURE_ISOLATION": msg332, - "IF_DUPLEX": msg44, - "IF_ERRDIS_RECOVERY": msg296, - "IF_ERROR_VLANS_REMOVED": msg191, - "IF_ERROR_VLANS_SUSPENDED": msg192, - "IF_HARDWARE": msg239, - "IF_NON_CISCO_TRANSCEIVER": msg297, - "IF_PORTPROFILE_ATTACHED": msg125, - "IF_RX_FLOW_CONTROL": msg45, - "IF_SEQ_ERROR": msg46, - "IF_SFP_ALARM": select35, - "IF_SFP_WARNING": msg231, - "IF_TRUNK_DOWN": select21, - "IF_TRUNK_UP": select22, - "IF_TX_FLOW_CONTROL": msg47, - "IF_UP": select13, - "IF_XCVR_ALARM": select34, - "IF_XCVR_WARNING": select33, - "IMG_DNLD_COMPLETE": msg63, - "IMG_DNLD_STARTED": msg64, - "IM_INTF_STATE": msg283, - "IM_SEQ_ERROR": msg59, - "INFO": msg374, - "INFORMATION": msg205, - "INTF_CONSISTENCY_FAILED": msg236, - "INTF_CONSISTENCY_SUCCESS": msg237, - "INTF_COUNTERS_CLEARED": 
msg238, - "INVAL_IP": msg336, - "INVAL_MAC": msg372, - "L2FMC_NL_MTS_SEND_FAILURE": msg290, - "L2FM_MAC_FLAP_DISABLE_LEARN": msg362, - "L2FM_MAC_FLAP_RE_ENABLE_LEARN": msg363, - "L2FM_MAC_MOVE2": msg369, - "LACP_SUSPEND_INDIVIDUAL": msg326, - "LCM_MODULE_UPGRADE_END": msg306, - "LCM_MODULE_UPGRADE_START": msg305, - "LC_UPGRADE_REBOOT": msg302, - "LC_UPGRADE_START": msg301, - "LOG-7-SYSTEM_MSG": msg1, - "LOG_CMP_AAA_FAILURE": msg67, - "LOG_CMP_UP": msg244, - "LOG_LIC_N1K_EXPIRY_WARNING": msg68, - "M2FIB_MAC_TBL_PRGMING": msg257, - "MAC_MOVE_NOTIFICATION": msg333, - "MEMORY_ALERT": msg249, - "MEMORY_ALERT_RECOVERED": msg250, - "MESG": msg130, - "MODULE_LOCK_FAILED": msg289, - "MODULE_ONLINE": msg261, - "MOD_BRINGUP_MULTI_LIMIT": msg96, - "MOD_DETECT": msg83, - "MOD_FAIL": msg69, - "MOD_MAJORSWFAIL": msg70, - "MOD_OK": msg75, - "MOD_PWRDN": msg84, - "MOD_PWRFAIL_EJECTORS_OPEN": msg316, - "MOD_PWRUP": msg85, - "MOD_REMOVE": msg86, - "MOD_RESTART": msg76, - "MOD_SRG_NOT_COMPATIBLE": msg71, - "MOD_STATUS": msg98, - "MOD_WARNING": select14, - "MOUNT": msg243, - "MSG_PORT_LOGGED_IN": msg329, - "MSG_PORT_LOGGED_OUT": msg328, - "MSG_SEND_FAILURE_STANDBY_RESET": msg288, - "MSM_CRIT": msg66, - "MST_PORT_BOUNDARY": msg281, - "MTSERROR": msg34, - "MTS_DROP": msg57, - "NATIVE_VLAN_MISMATCH": msg207, - "NBRCHANGE_DUAL": msg253, - "NEIGHBOR_ADDED": msg208, - "NEIGHBOR_REMOVED": msg209, - "NEIGHBOR_UPDATE_AUTOCOPY": msg33, - "NOHMS_DIAG_ERROR": msg339, - "NOHMS_DIAG_ERR_PS_FAIL": msg215, - "NOHMS_DIAG_ERR_PS_RECOVERED": msg216, - "NOHMS_ENV_FEX_OFFLINE": msg310, - "NOHMS_ENV_FEX_ONLINE": msg311, - "PEER_KEEP_ALIVE_RECV_FAIL": msg266, - "PEER_KEEP_ALIVE_RECV_INT_LATEST": msg264, - "PEER_KEEP_ALIVE_RECV_SUCCESS": msg265, - "PEER_KEEP_ALIVE_SEND_INT_LATEST": msg267, - "PEER_KEEP_ALIVE_SEND_SUCCESS": msg268, - "PEER_KEEP_ALIVE_STATUS": msg269, - "PEER_VPC_CFGD": msg308, - "PEER_VPC_CFGD_VLANS_CHANGED": msg99, - "PEER_VPC_DELETED": msg100, - "PEER_VPC_DOWN": msg263, - "PFM_ALERT": 
msg347, - "PFM_CLOCK_CHANGE": msg194, - "PFM_FAN_FLTR_STATUS": msg242, - "PFM_MODULE_POWER_ON": msg87, - "PFM_PS_RED_MODE_CHG": msg370, - "PFM_SYSTEM_RESET": msg88, - "PFM_VEM_DETECTED": msg101, - "PFM_VEM_REMOVE_NO_HB": msg89, - "PFM_VEM_REMOVE_RESET": msg90, - "PFM_VEM_REMOVE_STATE_CONFLICT": msg91, - "PFM_VEM_REMOVE_TWO_ACT_VSM": msg92, - "PFM_VEM_UNLICENSED": msg93, - "PINNING_CHANGED": msg317, - "PIXM_SYSLOG_MESSAGE_TYPE_CRIT": msg282, - "POLICY_ACTIVATE_EVENT": msg27, - "POLICY_COMMIT_EVENT": msg28, - "POLICY_DEACTIVATE_EVENT": msg29, - "POLICY_LOOKUP_EVENT": select10, - "PORT_ADDED": msg218, - "PORT_DELETED": msg219, - "PORT_DOWN": msg53, - "PORT_INDIVIDUAL": msg294, - "PORT_INDIVIDUAL_DOWN": msg212, - "PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE": msg124, - "PORT_RANGE_ADDED": msg280, - "PORT_RANGE_DELETED": msg279, - "PORT_RANGE_ROLE": msg277, - "PORT_RANGE_STATE": msg278, - "PORT_ROLE": msg220, - "PORT_SOFTWARE_FAILURE": msg65, - "PORT_STATE": msg221, - "PORT_SUSPENDED": msg213, - "PORT_UP": msg54, - "PS_ABSENT": msg364, - "PS_CAPACITY_CHANGE": select16, - "PS_DETECT": msg365, - "PS_FAIL": msg204, - "PS_FANOK": msg94, - "PS_FOUND": msg102, - "PS_OK": msg95, - "PS_PWR_INPUT_MISSING": msg314, - "PS_RED_MODE_CHG": msg371, - "PS_RED_MODE_RESTORED": msg315, - "PS_STATUS": msg103, - "PVLAN_PPM_PORT_CONFIG_FAILED": msg129, - "READCONF_STARTED": msg299, - "RM_VICPP_RECREATE_ERROR": msg132, - "ROUTERFOUND": msg349, - "RUNTIME_DB_RESTORE_STARTED": msg303, - "RUNTIME_DB_RESTORE_SUCCESS": msg304, - "SATCTRL": msg318, - "SATCTRL_IMAGE": msg321, - "SENSOR_MSG1": msg323, - "SERVER_ADDED": msg291, - "SERVER_REMOVED": msg292, - "SERVICEFOUND": msg348, - "SERVICELOST": msg202, - "SERVICE_CRASHED": msg201, - "SERVICE_STARTED": msg375, - "SOHMS_DIAG_ERROR": select37, - "SPEED": msg50, - "SRVSTATE_CHANGED": msg373, - "STANDBY_SUP_OK": msg126, - "STM_LEARNING_RE_ENABLE": msg340, - "STM_LOOP_DETECT": msg127, - "SUBGROUP_ID_PORT_ADDED": msg55, - "SUBGROUP_ID_PORT_REMOVED": msg56, - 
"SUBPROC_SUCCESS_EXIT": msg367, - "SUBPROC_TERMINATED": msg366, - "SUP_POWERDOWN": msg300, - "SWITCHOVER_OVER": msg285, - "SYNC_COMPLETE": msg128, - "SYNC_FAILURE_STANDBY_RESET": msg195, - "SYN_COLL_DIS_EN": msg309, - "SYSLOG_LOG_WARNING": msg58, - "SYSLOG_SL_MSG_WARNING": msg337, - "SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG": msg241, - "SYSTEM_MSG": select9, - "TACACS_ACCOUNTING_MESSAGE": select32, - "TACACS_ERROR_MESSAGE": msg230, - "UDLD_PORT_DISABLED": msg341, - "UNKNOWN_MTYPE": msg320, - "UPDOWN": msg368, - "VDC_HOSTNAME_CHANGE": msg26, - "VDC_MODULETYPE": msg286, - "VDC_ONLINE": msg325, - "VDC_STATE_CHANGE": msg284, - "VMS_PPM_SYNC_COMPLETE": msg151, - "VPC_CFGD": msg260, - "VPC_DELETED": msg152, - "VPC_ISSU_END": msg276, - "VPC_ISSU_START": msg275, - "VPC_UP": msg153, - "VSHD_SYSLOG_CONFIG_I": select25, - "XBAR_DETECT": msg271, - "XBAR_OK": msg274, - "XBAR_PWRDN": msg273, - "XBAR_PWRUP": msg272, - "ZS_MERGE_FAILED": msg331, - "dstats": msg327, - "last": msg200, - "ntpd": select41, - "snmpd": select29, - "zone": msg334, - }), -]); - -var part328 = match_copy("MESSAGE#24:SYSTEM_MSG:08/0_1", "nwparser.payload", "event_description"); - -var part329 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_0", "nwparser.p0", "rol%{p0}"); - -var part330 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_1", "nwparser.p0", "ol%{p0}"); - -var part331 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/2", "nwparser.p0", "%{}state changed to %{result}"); - -var part332 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/0", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{p0}"); - -var part333 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/2", "nwparser.p0", "%{result})"); - -var part334 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/0", "nwparser.payload", "S%{p0}"); - -var part335 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_0", "nwparser.p0", "ource%{p0}"); - -var part336 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_1", "nwparser.p0", "rc%{p0}"); - -var part337 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/2", 
"nwparser.p0", "%{}IP: %{saddr}, D%{p0}"); - -var part338 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_0", "nwparser.p0", "estination%{p0}"); - -var part339 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_1", "nwparser.p0", "st%{p0}"); - -var part340 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/4", "nwparser.p0", "%{}IP: %{daddr}, S%{p0}"); - -var part341 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/6", "nwparser.p0", "%{}Port: %{sport}, D%{p0}"); - -var part342 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/8", "nwparser.p0", "%{}Port: %{dport}, S%{p0}"); - -var part343 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_0", "nwparser.p0", "ource Interface%{p0}"); - -var part344 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_1", "nwparser.p0", "rc Intf%{p0}"); - -var part345 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/10", "nwparser.p0", ": %{sinterface}, %{p0}"); - -var part346 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_0", "nwparser.p0", "Protocol: %{p0}"); - -var part347 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_1", "nwparser.p0", "protocol: %{p0}"); - -var part348 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/12", "nwparser.p0", "\"%{protocol}\"(%{protocol_detail}),%{space->} Hit-count = %{dclass_counter1}"); - -var part349 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/0", "nwparser.payload", "%{action}: %{p0}"); - -var part350 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_0", "nwparser.p0", "%{saddr}@%{terminal}: %{p0}"); - -var part351 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_1", "nwparser.p0", "%{fld1->} %{p0}"); - -var part352 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_0", "nwparser.p0", "(%{result})%{info}"); - -var part353 = match_copy("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_1", "nwparser.p0", "info"); - -var part354 = match("MESSAGE#238:IF_XCVR_WARNING/0", "nwparser.payload", "Interface %{interface}, %{p0}"); - -var part355 = match("MESSAGE#238:IF_XCVR_WARNING/1_0", "nwparser.p0", "Low %{p0}"); - -var part356 = 
match("MESSAGE#238:IF_XCVR_WARNING/1_1", "nwparser.p0", "High %{p0}"); - -var part357 = match_copy("MESSAGE#0:LOG-7-SYSTEM_MSG", "nwparser.payload", "event_description", processor_chain([ - dup1, - dup2, - dup3, - dup4, -])); - -var part358 = match_copy("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "event_description", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var part359 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup23, - dup2, - dup3, - dup4, -])); - -var part360 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ - dup23, - dup2, - dup3, - dup4, -])); - -var part361 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var part362 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup24, - dup2, - dup3, - dup4, -])); - -var select44 = linear_select([ - dup26, - dup27, -]); - -var part363 = match_copy("MESSAGE#58:IM_SEQ_ERROR", "nwparser.payload", "result", processor_chain([ - dup1, - dup2, - dup3, - dup4, -])); - -var part364 = match_copy("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "event_description", processor_chain([ - dup24, - dup2, - dup3, - dup4, -])); - -var part365 = match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var part366 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52->} Interface %{interface->} is down (%{result})", processor_chain([ - dup23, - dup34, - dup35, - dup14, - dup2, - dup3, - dup4, -])); - -var part367 = 
match_copy("MESSAGE#123:PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", "nwparser.payload", "event_description", processor_chain([ - dup33, - dup2, - dup3, - dup4, -])); - -var select45 = linear_select([ - dup46, - dup47, -]); - -var select46 = linear_select([ - dup49, - dup50, -]); - -var select47 = linear_select([ - dup54, - dup55, -]); - -var select48 = linear_select([ - dup57, - dup58, -]); - -var part368 = match_copy("MESSAGE#214:NOHMS_DIAG_ERR_PS_FAIL", "nwparser.payload", "event_description", processor_chain([ - dup23, - dup2, - dup3, - dup4, -])); - -var select49 = linear_select([ - dup65, - dup66, -]); - -var select50 = linear_select([ - dup67, - dup68, -]); - -var part369 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ - dup15, - dup2, - dup3, - dup4, -])); - -var part370 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43->} Interface %{interface->} is down%{info}", processor_chain([ - dup23, - dup2, - dup3, - dup4, -])); - -var select51 = linear_select([ - dup70, - dup71, -]); - -var part371 = match("MESSAGE#239:IF_XCVR_WARNING:01", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ - dup61, - dup2, - dup3, - dup4, -])); diff --git a/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml deleted file mode 100644 index c064c903dba..00000000000 --- a/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml +++ /dev/null 
@@ -1,64 +0,0 @@ ---- -description: Pipeline for Cisco Nexus - -processors: - # ECS event.ingested - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - # User agent - - user_agent: - field: user_agent.original - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.hosts - value: '{{host.name}}' - allow_duplicates: false - if: ctx.host?.name != null && ctx.host?.name != '' -on_failure: - - append: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/cisco/nexus/manifest.yml b/x-pack/filebeat/module/cisco/nexus/manifest.yml deleted file mode 100644 index f1e88db6b39..00000000000 --- a/x-pack/filebeat/module/cisco/nexus/manifest.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -module_version: "1.0" - -var: - - name: paths - - name: tags - default: ["cisco.nexus", "forwarded"] - - name: syslog_host - default: localhost - - name: syslog_port - default: 9528 - - name: input - default: udp - - name: community_id - default: true - - name: tz_offset - default: local - - name: rsa_fields - default: true - - name: keep_raw_fields - default: false - - name: debug - default: false - -ingest_pipeline: ingest/pipeline.yml -input: config/input.yml - -requires.processors: -- name: geoip - plugin: ingest-geoip -- name: user_agent - plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/cisco/nexus/test/nexus.log b/x-pack/filebeat/module/cisco/nexus/test/nexus.log deleted file mode 100644 index ad2b2b6a9ef..00000000000 --- a/x-pack/filebeat/module/cisco/nexus/test/nexus.log +++ /dev/null 
@@ -1,15 +0,0 @@ -<181>2022 Oct 19 11:34:01 Berlin: %ETHPORT-5-IF_HARDWARE: Interface Ethernet1/9, hardware type changed to QSA -<181>2022 Oct 17 10:27:35 Berlin: %NOHMS-2-NOHMS_ENV_FEX_ONLINE: FEX-105 On-line -<181>2022 Oct 17 10:27:36 Berlin: %PFMA-2-FEX_PS_FOUND: Fex 105 Power Supply 1 found (Serial number SN01234) -<181>2022 Oct 17 10:27:37 Berlin: %PFMA-2-FEX_PS_FOUND: Fex 105 Power Supply 2 found (Serial number SN01234) -<181>2022 Oct 17 10:27:38 Berlin: %PFMA-2-FEX_STATUS: Fex 105 is online -<182>2022 Oct 17 14:00:07 Berlin: %ETHPORT-5-IF_DOWN_LINK_FAILURE: Interface Ethernet100/1/17 is down (Link failure) -<182>2022 Oct 18 10:32:04 Berlin: %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by username on 1.2.3.4@pts/0 -<182>2022 Oct 19 11:28:06 Berlin: %ETHPORT-5-IF_DOWN_LINK_FAILURE: Interface Ethernet100/1/29 is down (Link failure) -<182>2022 Oct 19 11:28:08 Berlin: %ETHPORT-5-IF_DOWN_ADMIN_DOWN: Interface Ethernet100/1/29 is down (Administratively down) -<182>2022 Oct 19 11:33:57 Berlin: %ETHPORT-5-IF_ADMIN_UP: Interface Ethernet100/1/29 is admin up "some meaningful text". -<182>2022 Oct 19 11:34:01 Berlin: %ETHPORT-5-SPEED: Interface Ethernet100/1/29, operational speed changed to 100 Mbps -<182>2022 Oct 19 11:34:01 Berlin: %ETHPORT-5-IF_DUPLEX: Interface Ethernet100/1/29, operational duplex mode changed to Full -<182>2022 Oct 19 11:34:01 Berlin: %ETHPORT-5-IF_RX_FLOW_CONTROL: Interface Ethernet100/1/29, operational Receive Flow Control state changed to off -<182>2022 Oct 19 11:34:01 Berlin: %ETHPORT-5-IF_TX_FLOW_CONTROL: Interface Ethernet100/1/29, operational Transmit Flow Control state changed to on -<187>2022 Oct 19 11:34:01 Berlin: %ETHPORT-3-IF_UP: Interface Ethernet100/1/29 is up in mode access diff --git a/x-pack/filebeat/module/cisco/nexus/test/nexus.log-expected.json b/x-pack/filebeat/module/cisco/nexus/test/nexus.log-expected.json deleted file mode 100644 index d9fb7ccd0c2..00000000000 
--- a/x-pack/filebeat/module/cisco/nexus/test/nexus.log-expected.json +++ /dev/null 
@@ -1,482 +0,0 @@ -[ - { - "event.code": "IF_HARDWARE", - "event.dataset": "cisco.nexus", - "event.module": "cisco", - "event.original": "<181>2022 Oct 19 11:34:01 Berlin: %ETHPORT-5-IF_HARDWARE: Interface Ethernet1/9, hardware type changed to QSA", - "event.timezone": "Berlin", - "fileset.name": "nexus", - "input.type": "log", - "log.level": "5", - "log.offset": 0, - "log.syslog.facility.code": 22, - "log.syslog.priority": 181, - "log.syslog.severity.code": 5, - "network.interface.name": "Ethernet1/9", - "observer.product": "Nexus", - "observer.type": "Switches", - "observer.vendor": "Cisco", - "related.hosts": [ - "ETHPORT" - ], - "rsa.internal.event_desc": "hardware type changed to QSA", - "rsa.internal.messageid": "IF_HARDWARE", - "rsa.misc.event_source": "ETHPORT", - "rsa.misc.severity": "5", - "rsa.network.interface": "Ethernet1/9", - "rsa.time.timezone": "Berlin", - "service.type": "cisco", - "tags": [ - "cisco.nexus", - "forwarded" - ] - }, - { - "event.code": "NOHMS_ENV_FEX_ONLINE", - "event.dataset": "cisco.nexus", - "event.module": "cisco", - "event.original": "<181>2022 Oct 17 10:27:35 Berlin: %NOHMS-2-NOHMS_ENV_FEX_ONLINE: FEX-105 On-line", - "event.timezone": "Berlin", - "fileset.name": "nexus", - "input.type": "log", - "log.level": "2", - "log.offset": 110, - "log.syslog.facility.code": 22, - "log.syslog.priority": 181, - "log.syslog.severity.code": 5, - "observer.product": "Nexus", - "observer.type": "Switches", - "observer.vendor": "Cisco", - "related.hosts": [ - "NOHMS" - ], - "rsa.internal.event_desc": "FEX ONLINE", - "rsa.internal.messageid": "NOHMS_ENV_FEX_ONLINE", - "rsa.misc.device_name": "FEX-105", - "rsa.misc.event_source": "NOHMS", - "rsa.misc.severity": "2", - "rsa.time.timezone": "Berlin", - "service.type": "cisco", - "tags": [ - "cisco.nexus", - "forwarded" - ] - }, - { - "event.code": "FEX_PS_FOUND", - "event.dataset": "cisco.nexus", - "event.module": "cisco", - "event.original": "<181>2022 Oct 17 10:27:36 Berlin: %PFMA-2-FEX_PS_FOUND: 
Fex 105 Power Supply 1 found (Serial number SN01234)", - "event.timezone": "Berlin", - "fileset.name": "nexus", - "input.type": "log", - "log.level": "2", - "log.offset": 191, - "log.syslog.facility.code": 22, - "log.syslog.priority": 181, - "log.syslog.severity.code": 5, - "observer.product": "Nexus", - "observer.type": "Switches", - "observer.vendor": "Cisco", - "rsa.internal.messageid": "FEX_PS_FOUND", - "rsa.misc.severity": "2", - "rsa.time.timezone": "Berlin", - "service.type": "cisco", - "tags": [ - "cisco.nexus", - "forwarded" - ] - }, - { - "event.code": "FEX_PS_FOUND", - "event.dataset": "cisco.nexus", - "event.module": "cisco", - "event.original": "<181>2022 Oct 17 10:27:37 Berlin: %PFMA-2-FEX_PS_FOUND: Fex 105 Power Supply 2 found (Serial number SN01234)", - "event.timezone": "Berlin", - "fileset.name": "nexus", - "input.type": "log", - "log.level": "2", - "log.offset": 300, - "log.syslog.facility.code": 22, - "log.syslog.priority": 181, - "log.syslog.severity.code": 5, - "observer.product": "Nexus", - "observer.type": "Switches", - "observer.vendor": "Cisco", - "rsa.internal.messageid": "FEX_PS_FOUND", - "rsa.misc.severity": "2", - "rsa.time.timezone": "Berlin", - "service.type": "cisco", - "tags": [ - "cisco.nexus", - "forwarded" - ] - }, - { - "event.code": "FEX_STATUS", - "event.dataset": "cisco.nexus", - "event.module": "cisco", - "event.original": "<181>2022 Oct 17 10:27:38 Berlin: %PFMA-2-FEX_STATUS: Fex 105 is online", - "event.timezone": "Berlin", - "fileset.name": "nexus", - "input.type": "log", - "log.level": "2", - "log.offset": 409, - "log.syslog.facility.code": 22, - "log.syslog.priority": 181, - "log.syslog.severity.code": 5, - "observer.product": "Nexus", - "observer.type": "Switches", - "observer.vendor": "Cisco", - "related.hosts": [ - "PFMA" - ], - "rsa.internal.event_desc": "Fex is online", - "rsa.internal.messageid": "FEX_STATUS", - "rsa.misc.device_name": "Fex 105", - "rsa.misc.event_source": "PFMA", - "rsa.misc.severity": "2", - 
"rsa.time.timezone": "Berlin", - "service.type": "cisco", - "tags": [ - "cisco.nexus", - "forwarded" - ] - }, - { - "event.code": "IF_DOWN_LINK_FAILURE", - "event.dataset": "cisco.nexus", - "event.module": "cisco", - "event.original": "<182>2022 Oct 17 14:00:07 Berlin: %ETHPORT-5-IF_DOWN_LINK_FAILURE: Interface Ethernet100/1/17 is down (Link failure)", - "event.timezone": "Berlin", - "fileset.name": "nexus", - "input.type": "log", - "log.level": "5", - "log.offset": 481, - "log.syslog.facility.code": 22, - "log.syslog.priority": 182, - "log.syslog.severity.code": 6, - "network.interface.name": "Ethernet100/1/17", - "observer.product": "Nexus", - "observer.type": "Switches", - "observer.vendor": "Cisco", - "related.hosts": [ - "ETHPORT" - ], - "rsa.internal.event_desc": "Interface is down", - "rsa.internal.messageid": "IF_DOWN_LINK_FAILURE", - "rsa.misc.event_source": "ETHPORT", - "rsa.misc.result": "Link failure", - "rsa.misc.severity": "5", - "rsa.network.interface": "Ethernet100/1/17", - "rsa.time.timezone": "Berlin", - "service.type": "cisco", - "tags": [ - "cisco.nexus", - "forwarded" - ] - }, - { - "event.code": "VSHD_SYSLOG_CONFIG_I", - "event.dataset": "cisco.nexus", - "event.module": "cisco", - "event.original": "<182>2022 Oct 18 10:32:04 Berlin: %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by username on 1.2.3.4@pts/0", - "event.timezone": "Berlin", - "fileset.name": "nexus", - "input.type": "log", - "log.level": "5", - "log.offset": 598, - "log.syslog.facility.code": 22, - "log.syslog.priority": 182, - "log.syslog.severity.code": 6, - "observer.product": "Nexus", - "observer.type": "Switches", - "observer.vendor": "Cisco", - "related.hosts": [ - "VSHD" - ], - "related.ip": [ - "1.2.3.4" - ], - "related.user": [ - "username" - ], - "rsa.internal.messageid": "VSHD_SYSLOG_CONFIG_I", - "rsa.misc.event_source": "VSHD", - "rsa.misc.severity": "5", - "rsa.misc.terminal": "pts/0", - "rsa.time.timezone": "Berlin", - "service.type": "cisco", - "source.ip": 
"1.2.3.4", - "tags": [ - "cisco.nexus", - "forwarded" - ], - "user.name": "username" - }, - { - "event.code": "IF_DOWN_LINK_FAILURE", - "event.dataset": "cisco.nexus", - "event.module": "cisco", - "event.original": "<182>2022 Oct 19 11:28:06 Berlin: %ETHPORT-5-IF_DOWN_LINK_FAILURE: Interface Ethernet100/1/29 is down (Link failure)", - "event.timezone": "Berlin", - "fileset.name": "nexus", - "input.type": "log", - "log.level": "5", - "log.offset": 711, - "log.syslog.facility.code": 22, - "log.syslog.priority": 182, - "log.syslog.severity.code": 6, - "network.interface.name": "Ethernet100/1/29", - "observer.product": "Nexus", - "observer.type": "Switches", - "observer.vendor": "Cisco", - "related.hosts": [ - "ETHPORT" - ], - "rsa.internal.event_desc": "Interface is down", - "rsa.internal.messageid": "IF_DOWN_LINK_FAILURE", - "rsa.misc.event_source": "ETHPORT", - "rsa.misc.result": "Link failure", - "rsa.misc.severity": "5", - "rsa.network.interface": "Ethernet100/1/29", - "rsa.time.timezone": "Berlin", - "service.type": "cisco", - "tags": [ - "cisco.nexus", - "forwarded" - ] - }, - { - "event.code": "IF_DOWN_ADMIN_DOWN", - "event.dataset": "cisco.nexus", - "event.module": "cisco", - "event.original": "<182>2022 Oct 19 11:28:08 Berlin: %ETHPORT-5-IF_DOWN_ADMIN_DOWN: Interface Ethernet100/1/29 is down (Administratively down)", - "event.timezone": "Berlin", - "fileset.name": "nexus", - "input.type": "log", - "log.level": "5", - "log.offset": 828, - "log.syslog.facility.code": 22, - "log.syslog.priority": 182, - "log.syslog.severity.code": 6, - "network.interface.name": "Ethernet100/1/29", - "observer.product": "Nexus", - "observer.type": "Switches", - "observer.vendor": "Cisco", - "related.hosts": [ - "ETHPORT" - ], - "rsa.internal.messageid": "IF_DOWN_ADMIN_DOWN", - "rsa.misc.event_source": "ETHPORT", - "rsa.misc.result": "Administratively down", - "rsa.misc.severity": "5", - "rsa.network.interface": "Ethernet100/1/29", - "rsa.time.timezone": "Berlin", - 
"service.type": "cisco", - "tags": [ - "cisco.nexus", - "forwarded" - ] - }, - { - "event.code": "IF_ADMIN_UP", - "event.dataset": "cisco.nexus", - "event.module": "cisco", - "event.original": "<182>2022 Oct 19 11:33:57 Berlin: %ETHPORT-5-IF_ADMIN_UP: Interface Ethernet100/1/29 is admin up \"some meaningful text\".", - "event.outcome": "success", - "event.timezone": "Berlin", - "fileset.name": "nexus", - "input.type": "log", - "log.level": "5", - "log.offset": 952, - "log.syslog.facility.code": 22, - "log.syslog.priority": 182, - "log.syslog.severity.code": 6, - "network.interface.name": "Ethernet100/1/29", - "observer.product": "Nexus", - "observer.type": "Switches", - "observer.vendor": "Cisco", - "related.hosts": [ - "ETHPORT" - ], - "rsa.internal.event_desc": "Interface is admin up.", - "rsa.internal.messageid": "IF_ADMIN_UP", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Configuration", - "rsa.misc.event_source": "ETHPORT", - "rsa.misc.severity": "5", - "rsa.network.interface": "Ethernet100/1/29", - "rsa.time.timezone": "Berlin", - "service.type": "cisco", - "tags": [ - "cisco.nexus", - "forwarded" - ] - }, - { - "event.code": "SPEED", - "event.dataset": "cisco.nexus", - "event.module": "cisco", - "event.original": "<182>2022 Oct 19 11:34:01 Berlin: %ETHPORT-5-SPEED: Interface Ethernet100/1/29, operational speed changed to 100 Mbps", - "event.timezone": "Berlin", - "fileset.name": "nexus", - "input.type": "log", - "log.level": "5", - "log.offset": 1073, - "log.syslog.facility.code": 22, - "log.syslog.priority": 182, - "log.syslog.severity.code": 6, - "network.interface.name": "Ethernet100/1/29", - "observer.product": "Nexus", - "observer.type": "Switches", - "observer.vendor": "Cisco", - "related.hosts": [ - "ETHPORT" - ], - "rsa.internal.event_desc": "Interface operational speed changed", - "rsa.internal.messageid": "SPEED", - "rsa.misc.event_source": "ETHPORT", - 
"rsa.misc.result": "100 Mbps", - "rsa.misc.severity": "5", - "rsa.network.interface": "Ethernet100/1/29", - "rsa.time.timezone": "Berlin", - "service.type": "cisco", - "tags": [ - "cisco.nexus", - "forwarded" - ] - }, - { - "event.code": "IF_DUPLEX", - "event.dataset": "cisco.nexus", - "event.module": "cisco", - "event.original": "<182>2022 Oct 19 11:34:01 Berlin: %ETHPORT-5-IF_DUPLEX: Interface Ethernet100/1/29, operational duplex mode changed to Full", - "event.timezone": "Berlin", - "fileset.name": "nexus", - "input.type": "log", - "log.level": "5", - "log.offset": 1191, - "log.syslog.facility.code": 22, - "log.syslog.priority": 182, - "log.syslog.severity.code": 6, - "network.interface.name": "Ethernet100/1/29", - "observer.product": "Nexus", - "observer.type": "Switches", - "observer.vendor": "Cisco", - "related.hosts": [ - "ETHPORT" - ], - "rsa.internal.event_desc": "Interface duplex mode changed", - "rsa.internal.messageid": "IF_DUPLEX", - "rsa.misc.event_source": "ETHPORT", - "rsa.misc.result": "Full", - "rsa.misc.severity": "5", - "rsa.network.interface": "Ethernet100/1/29", - "rsa.time.timezone": "Berlin", - "service.type": "cisco", - "tags": [ - "cisco.nexus", - "forwarded" - ] - }, - { - "event.code": "IF_RX_FLOW_CONTROL", - "event.dataset": "cisco.nexus", - "event.module": "cisco", - "event.original": "<182>2022 Oct 19 11:34:01 Berlin: %ETHPORT-5-IF_RX_FLOW_CONTROL: Interface Ethernet100/1/29, operational Receive Flow Control state changed to off", - "event.timezone": "Berlin", - "fileset.name": "nexus", - "input.type": "log", - "log.level": "5", - "log.offset": 1315, - "log.syslog.facility.code": 22, - "log.syslog.priority": 182, - "log.syslog.severity.code": 6, - "network.interface.name": "Ethernet100/1/29", - "observer.product": "Nexus", - "observer.type": "Switches", - "observer.vendor": "Cisco", - "related.hosts": [ - "ETHPORT" - ], - "rsa.internal.event_desc": "Interface operational Receive Flow Control state changed", - "rsa.internal.messageid": 
"IF_RX_FLOW_CONTROL", - "rsa.misc.event_source": "ETHPORT", - "rsa.misc.result": "off", - "rsa.misc.severity": "5", - "rsa.network.interface": "Ethernet100/1/29", - "rsa.time.timezone": "Berlin", - "service.type": "cisco", - "tags": [ - "cisco.nexus", - "forwarded" - ] - }, - { - "event.code": "IF_TX_FLOW_CONTROL", - "event.dataset": "cisco.nexus", - "event.module": "cisco", - "event.original": "<182>2022 Oct 19 11:34:01 Berlin: %ETHPORT-5-IF_TX_FLOW_CONTROL: Interface Ethernet100/1/29, operational Transmit Flow Control state changed to on", - "event.timezone": "Berlin", - "fileset.name": "nexus", - "input.type": "log", - "log.level": "5", - "log.offset": 1462, - "log.syslog.facility.code": 22, - "log.syslog.priority": 182, - "log.syslog.severity.code": 6, - "network.interface.name": "Ethernet100/1/29", - "observer.product": "Nexus", - "observer.type": "Switches", - "observer.vendor": "Cisco", - "related.hosts": [ - "ETHPORT" - ], - "rsa.internal.event_desc": "Interface operational Transmit Flow Control state changed", - "rsa.internal.messageid": "IF_TX_FLOW_CONTROL", - "rsa.misc.event_source": "ETHPORT", - "rsa.misc.result": "on", - "rsa.misc.severity": "5", - "rsa.network.interface": "Ethernet100/1/29", - "rsa.time.timezone": "Berlin", - "service.type": "cisco", - "tags": [ - "cisco.nexus", - "forwarded" - ] - }, - { - "event.code": "IF_UP", - "event.dataset": "cisco.nexus", - "event.module": "cisco", - "event.original": "<187>2022 Oct 19 11:34:01 Berlin: %ETHPORT-3-IF_UP: Interface Ethernet100/1/29 is up in mode access", - "event.timezone": "Berlin", - "fileset.name": "nexus", - "input.type": "log", - "log.level": "3", - "log.offset": 1609, - "log.syslog.facility.code": 23, - "log.syslog.priority": 187, - "log.syslog.severity.code": 3, - "observer.ingress.interface.name": "Ethernet100/1/29", - "observer.product": "Nexus", - "observer.type": "Switches", - "observer.vendor": "Cisco", - "related.hosts": [ - "ETHPORT" - ], - "rsa.internal.event_desc": "Interface is 
up", - "rsa.internal.messageid": "IF_UP", - "rsa.misc.event_source": "ETHPORT", - "rsa.misc.severity": "3", - "rsa.network.sinterface": "Ethernet100/1/29", - "rsa.time.timezone": "Berlin", - "service.type": "cisco", - "tags": [ - "cisco.nexus", - "forwarded" - ] - } -] \ No newline at end of file diff --git a/x-pack/filebeat/modules.d/cisco.yml.disabled b/x-pack/filebeat/modules.d/cisco.yml.disabled index b2aca39798e..636ed03fcfd 100644 --- a/x-pack/filebeat/modules.d/cisco.yml.disabled +++ b/x-pack/filebeat/modules.d/cisco.yml.disabled @@ -96,44 +96,6 @@ # Filebeat will choose the paths depending on your OS. #var.paths: - nexus: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9506 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - - meraki: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9525 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - umbrella: enabled: false From e87d58d09623601388548885831165f3a6713a7e Mon Sep 17 00:00:00 2001 
From: Panos Koutsovasilis Date: Thu, 15 Feb 2024 13:35:51 +0200 Subject: [PATCH 05/22] feat: remove deprecated cylance --- filebeat/docs/fields.asciidoc | 5435 ----------------- filebeat/docs/modules_list.asciidoc | 2 - x-pack/filebeat/filebeat.reference.yml | 21 - x-pack/filebeat/include/list.go | 1 - x-pack/filebeat/module/cylance/README.md | 7 - .../filebeat/module/cylance/_meta/config.yml | 19 - .../module/cylance/_meta/docs.asciidoc | 70 - .../filebeat/module/cylance/_meta/fields.yml | 5 - x-pack/filebeat/module/cylance/fields.go | 23 - .../module/cylance/protect/_meta/fields.yml | 2635 -------- .../module/cylance/protect/config/input.yml | 87 - .../cylance/protect/config/liblogparser.js | 2514 -------- .../module/cylance/protect/config/pipeline.js | 998 --- .../cylance/protect/ingest/pipeline.yml | 64 - .../module/cylance/protect/manifest.yml | 31 - .../module/cylance/protect/test/generated.log | 100 - .../protect/test/generated.log-expected.json | 3554 ----------- .../filebeat/modules.d/cylance.yml.disabled | 22 - 18 files changed, 15588 deletions(-) delete mode 100644 x-pack/filebeat/module/cylance/README.md delete mode 100644 x-pack/filebeat/module/cylance/_meta/config.yml delete mode 100644 x-pack/filebeat/module/cylance/_meta/docs.asciidoc delete mode 100644 x-pack/filebeat/module/cylance/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/cylance/fields.go delete mode 100644 x-pack/filebeat/module/cylance/protect/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/cylance/protect/config/input.yml delete mode 100644 x-pack/filebeat/module/cylance/protect/config/liblogparser.js delete mode 100644 x-pack/filebeat/module/cylance/protect/config/pipeline.js delete mode 100644 x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml delete mode 100644 x-pack/filebeat/module/cylance/protect/manifest.yml delete mode 100644 x-pack/filebeat/module/cylance/protect/test/generated.log delete mode 100644 
x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json delete mode 100644 x-pack/filebeat/modules.d/cylance.yml.disabled diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 1e5baf46ad0..c60d4f5893b 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -30,7 +30,6 @@ grouped in the following categories: * <> * <> * <> -* <> * <> * <> * <> 
@@ -12999,5440 +12998,6 @@ type: keyword -- -[[exported-fields-cylance]] -== CylanceProtect fields - -cylance fields. - - - -*`network.interface.name`*:: -+ --- -Name of the network interface where the traffic has been observed. - - -type: keyword - --- - - - -*`rsa.internal.msg`*:: -+ --- -This key is used to capture the raw message that comes into the Log Decoder - -type: keyword - --- - -*`rsa.internal.messageid`*:: -+ --- -type: keyword - --- - -*`rsa.internal.event_desc`*:: -+ --- -type: keyword - --- - -*`rsa.internal.message`*:: -+ --- -This key captures the contents of instant messages - -type: keyword - --- - -*`rsa.internal.time`*:: -+ --- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: date - --- - -*`rsa.internal.level`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.msg_id`*:: -+ --- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.msg_vid`*:: -+ --- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.data`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_server`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_val`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.resource`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.internal.obj_id`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.statement`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.audit_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.entry`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.hcode`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.inode`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.resource_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.dead`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.feed_desc`*:: -+ --- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.feed_name`*:: -+ --- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.cid`*:: -+ --- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_class`*:: -+ --- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_group`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_host`*:: -+ --- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_ip`*:: -+ --- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_ipv6`*:: -+ --- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_type`*:: -+ --- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_type_id`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.did`*:: -+ --- -This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.entropy_req`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.entropy_res`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.event_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.feed_category`*:: -+ --- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.forward_ip`*:: -+ --- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: ip - --- - -*`rsa.internal.forward_ipv6`*:: -+ --- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.header_id`*:: -+ --- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_cid`*:: -+ --- -This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_ctime`*:: -+ --- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: date - --- - -*`rsa.internal.mcb_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcb_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcbc_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.mcbc_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.medium`*:: -+ --- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: long - --- - -*`rsa.internal.node_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.nwe_callback_id`*:: -+ --- -This key denotes that event is endpoint related - -type: keyword - --- - -*`rsa.internal.parse_error`*:: -+ --- -This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.payload_req`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.payload_res`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.process_vid_dst`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - -type: keyword - --- - -*`rsa.internal.process_vid_src`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - -type: keyword - --- - -*`rsa.internal.rid`*:: -+ --- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.session_split`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.site`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.size`*:: -+ --- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.sourcefile`*:: -+ --- -This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.ubc_req`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.ubc_res`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.word`*:: -+ --- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - -type: keyword - --- - - -*`rsa.time.event_time`*:: -+ --- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - -type: date - --- - -*`rsa.time.duration_time`*:: -+ --- -This key is used to capture the normalized duration/lifetime in seconds. 
- -type: double - --- - -*`rsa.time.event_time_str`*:: -+ --- -This key is used to capture the incomplete time mentioned in a session as a string - -type: keyword - --- - -*`rsa.time.starttime`*:: -+ --- -This key is used to capture the Start time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.month`*:: -+ --- -type: keyword - --- - -*`rsa.time.day`*:: -+ --- -type: keyword - --- - -*`rsa.time.endtime`*:: -+ --- -This key is used to capture the End time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.timezone`*:: -+ --- -This key is used to capture the timezone of the Event Time - -type: keyword - --- - -*`rsa.time.duration_str`*:: -+ --- -A text string version of the duration - -type: keyword - --- - -*`rsa.time.date`*:: -+ --- -type: keyword - --- - -*`rsa.time.year`*:: -+ --- -type: keyword - --- - -*`rsa.time.recorded_time`*:: -+ --- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date - --- - -*`rsa.time.datetime`*:: -+ --- -type: keyword - --- - -*`rsa.time.effective_time`*:: -+ --- -This key is the effective time referenced by an individual event in a Standard Timestamp format - -type: date - --- - -*`rsa.time.expire_time`*:: -+ --- -This key is the timestamp that explicitly refers to an expiration. - -type: date - --- - -*`rsa.time.process_time`*:: -+ --- -Deprecated, use duration.time - -type: keyword - --- - -*`rsa.time.hour`*:: -+ --- -type: keyword - --- - -*`rsa.time.min`*:: -+ --- -type: keyword - --- - -*`rsa.time.timestamp`*:: -+ --- -type: keyword - --- - -*`rsa.time.event_queue_time`*:: -+ --- -This key is the Time that the event was queued. 
- -type: date - --- - -*`rsa.time.p_time1`*:: -+ --- -type: keyword - --- - -*`rsa.time.tzone`*:: -+ --- -type: keyword - --- - -*`rsa.time.eventtime`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmtdate`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmttime`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_date`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_month`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time2`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_year`*:: -+ --- -type: keyword - --- - -*`rsa.time.expire_time_str`*:: -+ --- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. - -type: keyword - --- - -*`rsa.time.stamp`*:: -+ --- -Deprecated key defined only in table map. - -type: date - --- - - -*`rsa.misc.action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.result`*:: -+ --- -This key is used to capture the outcome/result string value of an action in a session. - -type: keyword - --- - -*`rsa.misc.severity`*:: -+ --- -This key is used to capture the severity given the session - -type: keyword - --- - -*`rsa.misc.event_type`*:: -+ --- -This key captures the event category type as specified by the event source. - -type: keyword - --- - -*`rsa.misc.reference_id`*:: -+ --- -This key is used to capture an event id from the session directly - -type: keyword - --- - -*`rsa.misc.version`*:: -+ --- -This key captures Version of the application or OS which is generating the event. - -type: keyword - --- - -*`rsa.misc.disposition`*:: -+ --- -This key captures the The end state of an action. 
- -type: keyword - --- - -*`rsa.misc.result_code`*:: -+ --- -This key is used to capture the outcome/result numeric value of an action in a session - -type: keyword - --- - -*`rsa.misc.category`*:: -+ --- -This key is used to capture the category of an event given by the vendor in the session - -type: keyword - --- - -*`rsa.misc.obj_name`*:: -+ --- -This is used to capture name of object - -type: keyword - --- - -*`rsa.misc.obj_type`*:: -+ --- -This is used to capture type of object - -type: keyword - --- - -*`rsa.misc.event_source`*:: -+ --- -This key captures Source of the event that’s not a hostname - -type: keyword - --- - -*`rsa.misc.log_session_id`*:: -+ --- -This key is used to capture a sessionid from the session directly - -type: keyword - --- - -*`rsa.misc.group`*:: -+ --- -This key captures the Group Name value - -type: keyword - --- - -*`rsa.misc.policy_name`*:: -+ --- -This key is used to capture the Policy Name only. - -type: keyword - --- - -*`rsa.misc.rule_name`*:: -+ --- -This key captures the Rule Name - -type: keyword - --- - -*`rsa.misc.context`*:: -+ --- -This key captures Information which adds additional context to the event. - -type: keyword - --- - -*`rsa.misc.change_new`*:: -+ --- -This key is used to capture the new values of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.space`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client`*:: -+ --- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- -type: keyword - --- - -*`rsa.misc.msgIdPart1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.change_old`*:: -+ --- -This key is used to capture the old value of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.operation_id`*:: -+ --- -An alert number or operation number. The values should be unique and non-repeating. - -type: keyword - --- - -*`rsa.misc.event_state`*:: -+ --- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - -type: keyword - --- - -*`rsa.misc.group_object`*:: -+ --- -This key captures a collection/grouping of entities. Specific usage - -type: keyword - --- - -*`rsa.misc.node`*:: -+ --- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - -type: keyword - --- - -*`rsa.misc.rule`*:: -+ --- -This key captures the Rule number - -type: keyword - --- - -*`rsa.misc.device_name`*:: -+ --- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - -type: keyword - --- - -*`rsa.misc.param`*:: -+ --- -This key is the parameters passed as part of a command or application, etc. - -type: keyword - --- - -*`rsa.misc.change_attrib`*:: -+ --- -This key is used to capture the name of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.event_computer`*:: -+ --- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- -type: keyword - --- - -*`rsa.misc.reference_id1`*:: -+ --- -This key is for Linked ID to be used as an addition to "reference.id" - -type: keyword - --- - -*`rsa.misc.event_log`*:: -+ --- -This key captures the Name of the event log - -type: keyword - --- - -*`rsa.misc.OS`*:: -+ --- -This key captures the Name of the Operating System - -type: keyword - --- - -*`rsa.misc.terminal`*:: -+ --- -This key captures the Terminal Names only - -type: keyword - --- - -*`rsa.misc.msgIdPart3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.filter`*:: -+ --- -This key captures Filter used to reduce result set - -type: keyword - --- - -*`rsa.misc.serial_number`*:: -+ --- -This key is the Serial number associated with a physical asset. - -type: keyword - --- - -*`rsa.misc.checksum`*:: -+ --- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - -type: keyword - --- - -*`rsa.misc.event_user`*:: -+ --- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - -type: keyword - --- - -*`rsa.misc.virusname`*:: -+ --- -This key captures the name of the virus - -type: keyword - --- - -*`rsa.misc.content_type`*:: -+ --- -This key is used to capture Content Type only. - -type: keyword - --- - -*`rsa.misc.group_id`*:: -+ --- -This key captures Group ID Number (related to the group name) - -type: keyword - --- - -*`rsa.misc.policy_id`*:: -+ --- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - -type: keyword - --- - -*`rsa.misc.vsys`*:: -+ --- -This key captures Virtual System Name - -type: keyword - --- - -*`rsa.misc.connection_id`*:: -+ --- -This key captures the Connection ID - -type: keyword - --- - -*`rsa.misc.reference_id2`*:: -+ --- -This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - -type: keyword - --- - -*`rsa.misc.sensor`*:: -+ --- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - -type: keyword - --- - -*`rsa.misc.sig_id`*:: -+ --- -This key captures IDS/IPS Int Signature ID - -type: long - --- - -*`rsa.misc.port_name`*:: -+ --- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - -type: keyword - --- - -*`rsa.misc.rule_group`*:: -+ --- -This key captures the Rule group name - -type: keyword - --- - -*`rsa.misc.risk_num`*:: -+ --- -This key captures a Numeric Risk value - -type: double - --- - -*`rsa.misc.trigger_val`*:: -+ --- -This key captures the Value of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.log_session_id1`*:: -+ --- -This key is used to capture a Linked (Related) Session ID from the session directly - -type: keyword - --- - -*`rsa.misc.comp_version`*:: -+ --- -This key captures the Version level of a sub-component of a product. - -type: keyword - --- - -*`rsa.misc.content_version`*:: -+ --- -This key captures Version level of a signature or database content. - -type: keyword - --- - -*`rsa.misc.hardware_id`*:: -+ --- -This key is used to capture unique identifier for a device or system (NOT a Mac address) - -type: keyword - --- - -*`rsa.misc.risk`*:: -+ --- -This key captures the non-numeric risk value - -type: keyword - --- - -*`rsa.misc.event_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.reason`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mail_id`*:: -+ --- -This key is used to capture the mailbox id/name - -type: keyword - --- - -*`rsa.misc.rule_uid`*:: -+ --- -This key is the Unique Identifier for a rule. 
- -type: keyword - --- - -*`rsa.misc.trigger_desc`*:: -+ --- -This key captures the Description of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.inout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.data_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.error`*:: -+ --- -This key captures All non successful Error codes or responses - -type: keyword - --- - -*`rsa.misc.index`*:: -+ --- -type: keyword - --- - -*`rsa.misc.listnum`*:: -+ --- -This key is used to capture listname or listnumber, primarily for collecting access-list - -type: keyword - --- - -*`rsa.misc.ntype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.observed_val`*:: -+ --- -This key captures the Value observed (from the perspective of the device generating the log). - -type: keyword - --- - -*`rsa.misc.policy_value`*:: -+ --- -This key captures the contents of the policy. This contains details about the policy - -type: keyword - --- - -*`rsa.misc.pool_name`*:: -+ --- -This key captures the name of a resource pool - -type: keyword - --- - -*`rsa.misc.rule_template`*:: -+ --- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - -type: keyword - --- - -*`rsa.misc.count`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigcat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comments`*:: -+ --- -Comment information provided in the log message - -type: keyword - --- - -*`rsa.misc.doc_number`*:: -+ --- -This key captures File Identification number - -type: long - --- - -*`rsa.misc.expected_val`*:: -+ --- -This key captures the Value expected (from the perspective of the device generating the log). 
- -type: keyword - --- - -*`rsa.misc.job_num`*:: -+ --- -This key captures the Job Number - -type: keyword - --- - -*`rsa.misc.spi_dst`*:: -+ --- -Destination SPI Index - -type: keyword - --- - -*`rsa.misc.spi_src`*:: -+ --- -Source SPI Index - -type: keyword - --- - -*`rsa.misc.code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.agent_id`*:: -+ --- -This key is used to capture agent id - -type: keyword - --- - -*`rsa.misc.message_body`*:: -+ --- -This key captures the The contents of the message body. - -type: keyword - --- - -*`rsa.misc.phone`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sig_id_str`*:: -+ --- -This key captures a string object of the sigid variable. - -type: keyword - --- - -*`rsa.misc.cmd`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu`*:: -+ --- -This key is the CPU time used in the execution of the event being recorded. - -type: long - --- - -*`rsa.misc.event_desc`*:: -+ --- -This key is used to capture a description of an event available directly or inferred - -type: keyword - --- - -*`rsa.misc.sig_id1`*:: -+ --- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - -type: long - --- - -*`rsa.misc.im_buddyid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_client`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.priority`*:: -+ --- -type: keyword - --- - -*`rsa.misc.context_subject`*:: -+ --- -This key is to be used in an audit context where the subject is the object being identified - -type: keyword - --- - -*`rsa.misc.context_target`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cve`*:: -+ --- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - -type: keyword - --- - -*`rsa.misc.fcatnum`*:: -+ --- -This key captures Filter Category Number. 
Legacy Usage - -type: keyword - --- - -*`rsa.misc.library`*:: -+ --- -This key is used to capture library information in mainframe devices - -type: keyword - --- - -*`rsa.misc.parent_node`*:: -+ --- -This key captures the Parent Node Name. Must be related to node variable. - -type: keyword - --- - -*`rsa.misc.risk_info`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.tcp_flags`*:: -+ --- -This key is captures the TCP flags set in any packet of session - -type: long - --- - -*`rsa.misc.tos`*:: -+ --- -This key describes the type of service - -type: long - --- - -*`rsa.misc.vm_target`*:: -+ --- -VMWare Target **VMWARE** only varaible. - -type: keyword - --- - -*`rsa.misc.workspace`*:: -+ --- -This key captures Workspace Description - -type: keyword - --- - -*`rsa.misc.command`*:: -+ --- -type: keyword - --- - -*`rsa.misc.event_category`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facilityname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.forensic_info`*:: -+ --- -type: keyword - --- - -*`rsa.misc.jobname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy_waiver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.second`*:: -+ --- -type: keyword - --- - -*`rsa.misc.space1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.subcategory`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alert_id`*:: -+ --- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.checksum_dst`*:: -+ --- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - -type: keyword - --- - -*`rsa.misc.checksum_src`*:: -+ --- -This key is used to capture the checksum or hash of the source entity such as a file or process. 
- -type: keyword - --- - -*`rsa.misc.fresult`*:: -+ --- -This key captures the Filter Result - -type: long - --- - -*`rsa.misc.payload_dst`*:: -+ --- -This key is used to capture destination payload - -type: keyword - --- - -*`rsa.misc.payload_src`*:: -+ --- -This key is used to capture source payload - -type: keyword - --- - -*`rsa.misc.pool_id`*:: -+ --- -This key captures the identifier (typically numeric field) of a resource pool - -type: keyword - --- - -*`rsa.misc.process_id_val`*:: -+ --- -This key is a failure key for Process ID when it is not an integer value - -type: keyword - --- - -*`rsa.misc.risk_num_comm`*:: -+ --- -This key captures Risk Number Community - -type: double - --- - -*`rsa.misc.risk_num_next`*:: -+ --- -This key captures Risk Number NextGen - -type: double - --- - -*`rsa.misc.risk_num_sand`*:: -+ --- -This key captures Risk Number SandBox - -type: double - --- - -*`rsa.misc.risk_num_static`*:: -+ --- -This key captures Risk Number Static - -type: double - --- - -*`rsa.misc.risk_suspicious`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.risk_warning`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.snmp_oid`*:: -+ --- -SNMP Object Identifier - -type: keyword - --- - -*`rsa.misc.sql`*:: -+ --- -This key captures the SQL query - -type: keyword - --- - -*`rsa.misc.vuln_ref`*:: -+ --- -This key captures the Vulnerability Reference details - -type: keyword - --- - -*`rsa.misc.acl_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_op`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_pos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_table`*:: -+ --- -type: keyword - --- - -*`rsa.misc.admin`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarm_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarmname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.app_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.audit`*:: 
-+ --- -type: keyword - --- - -*`rsa.misc.audit_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.auditdata`*:: -+ --- -type: keyword - --- - -*`rsa.misc.benchmark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.bypass`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache_hit`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cefversion`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_attr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_obj`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_path`*:: -+ --- -type: keyword - --- - -*`rsa.misc.changes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client_ip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.clustermembers`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_acttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_asn_src`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_bgpv4nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ctr_dst_code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_f_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampintv`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampmode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inacttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermbyts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermpckts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_invalid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ip_proto_ver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ipv4_ident`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_l_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_did`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_rid`*:: -+ --- -type: keyword - 
--- - -*`rsa.misc.cn_max_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_maxpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_min_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_minpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_10`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_5`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_6`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_7`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_8`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_9`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_byt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_pks`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_muligmptype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampalgo`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampint`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_seqctr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_spackets`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sysuptime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_template_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totbytsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totflowexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totpcktsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_unixnanosecs`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6flowlabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6optheaders`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.comp_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_rbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_sbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.criticality`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_agency_dst`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_analyzedby`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_other`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_primary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_secondary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bgpv6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bit9status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_context`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_control`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_datecret`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_dst_tld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_dst_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_src_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_event_uuid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_filetype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_desc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ip_next_hop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4dstpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4srcpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_lifetime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_log_medium`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_loginname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulescore`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulesign`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_opswatresult`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.cs_payload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrant`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrar`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_represult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_rpayload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sampler_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sourcemodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_streams`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_targetmodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_v6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_whois_server`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_yararesult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.description`*:: -+ --- -type: keyword - --- - -*`rsa.misc.devvendor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.distance`*:: -+ --- -type: keyword - --- - -*`rsa.misc.dstburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomaub`*:: -+ --- -type: keyword - --- - -*`rsa.misc.euid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facility`*:: -+ --- -type: keyword - --- - -*`rsa.misc.finterface`*:: -+ --- -type: keyword - --- - -*`rsa.misc.flags`*:: -+ --- -type: keyword - --- - -*`rsa.misc.gaddr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.id3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_buddyname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomtype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_members`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_username`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipscat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipspri`*:: -+ --- -type: keyword - --- - -*`rsa.misc.latitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.linenum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.list_name`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.load_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_floor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_mark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.longitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.lport`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mbug_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msg_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.netsessid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.nwwn`*:: -+ --- -type: keyword - --- - -*`rsa.misc.object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.operation`*:: -+ --- -type: keyword - --- - -*`rsa.misc.opkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.orig_from`*:: -+ --- -type: keyword - --- - -*`rsa.misc.owner_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_filter`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_group_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_result1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_chg`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_expire`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permgranted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permwanted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pgid`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.policyUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.prog_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.program`*:: -+ --- -type: keyword - --- - -*`rsa.misc.real_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_device`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_library`*:: -+ --- -type: keyword - --- - -*`rsa.misc.recordnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ruid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sdomain_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sec`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sensorname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.seqnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.session`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sessiontype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.spi`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcservice`*:: -+ --- -type: keyword - --- - -*`rsa.misc.state`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.svcno`*:: -+ --- -type: keyword - --- - -*`rsa.misc.system`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.threshold`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.udb_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.url_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.user_div`*:: -+ --- -type: keyword - --- - -*`rsa.misc.userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.username_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.utcstamp`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.v_instafname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.virt_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.vpnid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.autorun_type`*:: -+ --- -This is used to capture Auto Run type - -type: keyword - --- - -*`rsa.misc.cc_number`*:: -+ --- -Valid Credit Card Numbers only - -type: long - --- - -*`rsa.misc.content`*:: -+ --- -This key captures the content type from protocol headers - -type: keyword - --- - -*`rsa.misc.ein_number`*:: -+ --- -Employee Identification Numbers only - -type: long - --- - -*`rsa.misc.found`*:: -+ --- -This is used to capture the results of regex match - -type: keyword - --- - -*`rsa.misc.language`*:: -+ --- -This is used to capture list of languages the client support and what it prefers - -type: keyword - --- - -*`rsa.misc.lifetime`*:: -+ --- -This key is used to capture the session lifetime in seconds. - -type: long - --- - -*`rsa.misc.link`*:: -+ --- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.misc.match`*:: -+ --- -This key is for regex match name from search.ini - -type: keyword - --- - -*`rsa.misc.param_dst`*:: -+ --- -This key captures the command line/launch argument of the target process or file - -type: keyword - --- - -*`rsa.misc.param_src`*:: -+ --- -This key captures source parameter - -type: keyword - --- - -*`rsa.misc.search_text`*:: -+ --- -This key captures the Search Text used - -type: keyword - --- - -*`rsa.misc.sig_name`*:: -+ --- -This key is used to capture the Signature Name only. - -type: keyword - --- - -*`rsa.misc.snmp_value`*:: -+ --- -SNMP set request value - -type: keyword - --- - -*`rsa.misc.streams`*:: -+ --- -This key captures number of streams in session - -type: long - --- - - -*`rsa.db.index`*:: -+ --- -This key captures IndexID of the index. 
- -type: keyword - --- - -*`rsa.db.instance`*:: -+ --- -This key is used to capture the database server instance name - -type: keyword - --- - -*`rsa.db.database`*:: -+ --- -This key is used to capture the name of a database or an instance as seen in a session - -type: keyword - --- - -*`rsa.db.transact_id`*:: -+ --- -This key captures the SQL transantion ID of the current session - -type: keyword - --- - -*`rsa.db.permissions`*:: -+ --- -This key captures permission or privilege level assigned to a resource. - -type: keyword - --- - -*`rsa.db.table_name`*:: -+ --- -This key is used to capture the table name - -type: keyword - --- - -*`rsa.db.db_id`*:: -+ --- -This key is used to capture the unique identifier for a database - -type: keyword - --- - -*`rsa.db.db_pid`*:: -+ --- -This key captures the process id of a connection with database server - -type: long - --- - -*`rsa.db.lread`*:: -+ --- -This key is used for the number of logical reads - -type: long - --- - -*`rsa.db.lwrite`*:: -+ --- -This key is used for the number of logical writes - -type: long - --- - -*`rsa.db.pread`*:: -+ --- -This key is used for the number of physical writes - -type: long - --- - - -*`rsa.network.alias_host`*:: -+ --- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - -type: keyword - --- - -*`rsa.network.domain`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_dst`*:: -+ --- -This key should only be used when it’s a Destination Hostname - -type: keyword - --- - -*`rsa.network.network_service`*:: -+ --- -This is used to capture layer 7 protocols/service names - -type: keyword - --- - -*`rsa.network.interface`*:: -+ --- -This key should be used when the source or destination context of an interface is not clear - -type: keyword - --- - -*`rsa.network.network_port`*:: -+ --- -Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) - -type: long - --- - -*`rsa.network.eth_host`*:: -+ --- -Deprecated, use alias.mac - -type: keyword - --- - -*`rsa.network.sinterface`*:: -+ --- -This key should only be used when it’s a Source Interface - -type: keyword - --- - -*`rsa.network.dinterface`*:: -+ --- -This key should only be used when it’s a Destination Interface - -type: keyword - --- - -*`rsa.network.vlan`*:: -+ --- -This key should only be used to capture the ID of the Virtual LAN - -type: long - --- - -*`rsa.network.zone_src`*:: -+ --- -This key should only be used when it’s a Source Zone. - -type: keyword - --- - -*`rsa.network.zone`*:: -+ --- -This key should be used when the source or destination context of a Zone is not clear - -type: keyword - --- - -*`rsa.network.zone_dst`*:: -+ --- -This key should only be used when it’s a Destination Zone. - -type: keyword - --- - -*`rsa.network.gateway`*:: -+ --- -This key is used to capture the IP Address of the gateway - -type: keyword - --- - -*`rsa.network.icmp_type`*:: -+ --- -This key is used to capture the ICMP type only - -type: long - --- - -*`rsa.network.mask`*:: -+ --- -This key is used to capture the device network IPmask. 
- -type: keyword - --- - -*`rsa.network.icmp_code`*:: -+ --- -This key is used to capture the ICMP code only - -type: long - --- - -*`rsa.network.protocol_detail`*:: -+ --- -This key should be used to capture additional protocol information - -type: keyword - --- - -*`rsa.network.dmask`*:: -+ --- -This key is used for Destionation Device network mask - -type: keyword - --- - -*`rsa.network.port`*:: -+ --- -This key should only be used to capture a Network Port when the directionality is not clear - -type: long - --- - -*`rsa.network.smask`*:: -+ --- -This key is used for capturing source Network Mask - -type: keyword - --- - -*`rsa.network.netname`*:: -+ --- -This key is used to capture the network name associated with an IP range. This is configured by the end user. - -type: keyword - --- - -*`rsa.network.paddr`*:: -+ --- -Deprecated - -type: ip - --- - -*`rsa.network.faddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.lhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.origin`*:: -+ --- -type: keyword - --- - -*`rsa.network.remote_domain_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.addr`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_a_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_ptr_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.fhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.fport`*:: -+ --- -type: keyword - --- - -*`rsa.network.laddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.linterface`*:: -+ --- -type: keyword - --- - -*`rsa.network.phost`*:: -+ --- -type: keyword - --- - -*`rsa.network.ad_computer_dst`*:: -+ --- -Deprecated, use host.dst - -type: keyword - --- - -*`rsa.network.eth_type`*:: -+ --- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: long - --- - -*`rsa.network.ip_proto`*:: -+ --- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - -type: long - --- - -*`rsa.network.dns_cname_record`*:: -+ --- 
-type: keyword - --- - -*`rsa.network.dns_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_opcode`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_resp`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.domain1`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.packet_length`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_orig`*:: -+ --- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - -type: keyword - --- - -*`rsa.network.rpayload`*:: -+ --- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. - -type: keyword - --- - -*`rsa.network.vlan_name`*:: -+ --- -This key should only be used to capture the name of the Virtual LAN - -type: keyword - --- - - -*`rsa.investigations.ec_activity`*:: -+ --- -This key captures the particular event activity(Ex:Logoff) - -type: keyword - --- - -*`rsa.investigations.ec_theme`*:: -+ --- -This key captures the Theme of a particular Event(Ex:Authentication) - -type: keyword - --- - -*`rsa.investigations.ec_subject`*:: -+ --- -This key captures the Subject of a particular Event(Ex:User) - -type: keyword - --- - -*`rsa.investigations.ec_outcome`*:: -+ --- -This key captures the outcome of a particular Event(Ex:Success) - -type: keyword - --- - -*`rsa.investigations.event_cat`*:: -+ --- -This key captures the Event category number - -type: long - --- - -*`rsa.investigations.event_cat_name`*:: -+ --- -This key captures the event category name corresponding to the event cat code - -type: keyword - --- - -*`rsa.investigations.event_vcat`*:: -+ --- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - -type: keyword - --- - -*`rsa.investigations.analysis_file`*:: -+ --- -This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - -type: keyword - --- - -*`rsa.investigations.analysis_service`*:: -+ --- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - -type: keyword - --- - -*`rsa.investigations.analysis_session`*:: -+ --- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - -type: keyword - --- - -*`rsa.investigations.boc`*:: -+ --- -This is used to capture behaviour of compromise - -type: keyword - --- - -*`rsa.investigations.eoc`*:: -+ --- -This is used to capture Enablers of Compromise - -type: keyword - --- - -*`rsa.investigations.inv_category`*:: -+ --- -This used to capture investigation category - -type: keyword - --- - -*`rsa.investigations.inv_context`*:: -+ --- -This used to capture investigation context - -type: keyword - --- - -*`rsa.investigations.ioc`*:: -+ --- -This is key capture indicator of compromise - -type: keyword - --- - - -*`rsa.counters.dclass_c1`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c1.str only - -type: long - --- - -*`rsa.counters.dclass_c2`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c2.str only - -type: long - --- - -*`rsa.counters.event_counter`*:: -+ --- -This is used to capture the number of times an event repeated - -type: long - --- - -*`rsa.counters.dclass_r1`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r1.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c3.str only - -type: long - --- - -*`rsa.counters.dclass_c1_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c1 only - -type: keyword - --- - -*`rsa.counters.dclass_c2_str`*:: -+ --- -This is a generic counter string key that should be 
used with the label dclass.c2 only - -type: keyword - --- - -*`rsa.counters.dclass_r1_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r1 only - -type: keyword - --- - -*`rsa.counters.dclass_r2`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r2.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c3 only - -type: keyword - --- - -*`rsa.counters.dclass_r3`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r3.str only - -type: keyword - --- - -*`rsa.counters.dclass_r2_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r2 only - -type: keyword - --- - -*`rsa.counters.dclass_r3_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r3 only - -type: keyword - --- - - -*`rsa.identity.auth_method`*:: -+ --- -This key is used to capture authentication methods used only - -type: keyword - --- - -*`rsa.identity.user_role`*:: -+ --- -This key is used to capture the Role of a user only - -type: keyword - --- - -*`rsa.identity.dn`*:: -+ --- -X.500 (LDAP) Distinguished Name - -type: keyword - --- - -*`rsa.identity.logon_type`*:: -+ --- -This key is used to capture the type of logon method used. 
- -type: keyword - --- - -*`rsa.identity.profile`*:: -+ --- -This key is used to capture the user profile - -type: keyword - --- - -*`rsa.identity.accesses`*:: -+ --- -This key is used to capture actual privileges used in accessing an object - -type: keyword - --- - -*`rsa.identity.realm`*:: -+ --- -Radius realm or similar grouping of accounts - -type: keyword - --- - -*`rsa.identity.user_sid_dst`*:: -+ --- -This key captures Destination User Session ID - -type: keyword - --- - -*`rsa.identity.dn_src`*:: -+ --- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - -type: keyword - --- - -*`rsa.identity.org`*:: -+ --- -This key captures the User organization - -type: keyword - --- - -*`rsa.identity.dn_dst`*:: -+ --- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - -type: keyword - --- - -*`rsa.identity.firstname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.lastname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.user_dept`*:: -+ --- -User's Department Names only - -type: keyword - --- - -*`rsa.identity.user_sid_src`*:: -+ --- -This key captures Source User Session ID - -type: keyword - --- - -*`rsa.identity.federated_sp`*:: -+ --- -This key is the Federated Service Provider. This is the application requesting authentication. - -type: keyword - --- - -*`rsa.identity.federated_idp`*:: -+ --- -This key is the federated Identity Provider. This is the server providing the authentication. - -type: keyword - --- - -*`rsa.identity.logon_type_desc`*:: -+ --- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- -type: keyword - --- - -*`rsa.identity.middlename`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.password`*:: -+ --- -This key is for Passwords seen in any session, plain text or encrypted - -type: keyword - --- - -*`rsa.identity.host_role`*:: -+ --- -This key should only be used to capture the role of a Host Machine - -type: keyword - --- - -*`rsa.identity.ldap`*:: -+ --- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - -type: keyword - --- - -*`rsa.identity.ldap_query`*:: -+ --- -This key is the Search criteria from an LDAP search - -type: keyword - --- - -*`rsa.identity.ldap_response`*:: -+ --- -This key is to capture Results from an LDAP search - -type: keyword - --- - -*`rsa.identity.owner`*:: -+ --- -This is used to capture username the process or service is running as, the author of the task - -type: keyword - --- - -*`rsa.identity.service_account`*:: -+ --- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - -type: keyword - --- - - -*`rsa.email.email_dst`*:: -+ --- -This key is used to capture the Destination email address only, when the destination context is not clear use email - -type: keyword - --- - -*`rsa.email.email_src`*:: -+ --- -This key is used to capture the source email address only, when the source context is not clear use email - -type: keyword - --- - -*`rsa.email.subject`*:: -+ --- -This key is used to capture the subject string from an Email only. - -type: keyword - --- - -*`rsa.email.email`*:: -+ --- -This key is used to capture a generic email address where the source or destination context is not clear - -type: keyword - --- - -*`rsa.email.trans_from`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.email.trans_to`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - - -*`rsa.file.privilege`*:: -+ --- -Deprecated, use permissions - -type: keyword - --- - -*`rsa.file.attachment`*:: -+ --- -This key captures the attachment file name - -type: keyword - --- - -*`rsa.file.filesystem`*:: -+ --- -type: keyword - --- - -*`rsa.file.binary`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.file.filename_dst`*:: -+ --- -This is used to capture name of the file targeted by the action - -type: keyword - --- - -*`rsa.file.filename_src`*:: -+ --- -This is used to capture name of the parent filename, the file which performed the action - -type: keyword - --- - -*`rsa.file.filename_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.file.directory_dst`*:: -+ --- -This key is used to capture the directory of the target process or file - -type: keyword - --- - -*`rsa.file.directory_src`*:: -+ --- -This key is used to capture the directory of the source process or file - -type: keyword - --- - -*`rsa.file.file_entropy`*:: -+ --- -This is used to capture entropy vale of a file - -type: double - --- - -*`rsa.file.file_vendor`*:: -+ --- -This is used to capture Company name of file located in version_info - -type: keyword - --- - -*`rsa.file.task_name`*:: -+ --- -This is used to capture name of the task - -type: keyword - --- - - -*`rsa.web.fqdn`*:: -+ --- -Fully Qualified Domain Names - -type: keyword - --- - -*`rsa.web.web_cookie`*:: -+ --- -This key is used to capture the Web cookies specifically. - -type: keyword - --- - -*`rsa.web.alias_host`*:: -+ --- -type: keyword - --- - -*`rsa.web.reputation_num`*:: -+ --- -Reputation Number of an entity. 
Typically used for Web Domains - -type: double - --- - -*`rsa.web.web_ref_domain`*:: -+ --- -Web referer's domain - -type: keyword - --- - -*`rsa.web.web_ref_query`*:: -+ --- -This key captures Web referer's query portion of the URL - -type: keyword - --- - -*`rsa.web.remote_domain`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_ref_page`*:: -+ --- -This key captures Web referer's page information - -type: keyword - --- - -*`rsa.web.web_ref_root`*:: -+ --- -Web referer's root URL path - -type: keyword - --- - -*`rsa.web.cn_asn_dst`*:: -+ --- -type: keyword - --- - -*`rsa.web.cn_rpackets`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlpage`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlroot`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_url`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_user_agent`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_cookie`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_method`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_referer`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_extension_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_page`*:: -+ --- -type: keyword - --- - - -*`rsa.threat.threat_category`*:: -+ --- -This key captures Threat Name/Threat Category/Categorization of alert - -type: keyword - --- - -*`rsa.threat.threat_desc`*:: -+ --- -This key is used to capture the threat description from the session directly or inferred - -type: keyword - --- - -*`rsa.threat.alert`*:: -+ --- -This key is used to capture name of the alert - -type: keyword - --- - -*`rsa.threat.threat_source`*:: -+ --- -This key is used to capture source of the threat - -type: keyword - --- - - -*`rsa.crypto.crypto`*:: -+ --- -This key is used to capture the Encryption Type or Encryption Key only - -type: keyword - --- - -*`rsa.crypto.cipher_src`*:: -+ --- -This key is for Source (Client) Cipher - -type: keyword - --- - -*`rsa.crypto.cert_subject`*:: -+ --- -This key is used to capture the Certificate organization only - -type: keyword - --- 
- -*`rsa.crypto.peer`*:: -+ --- -This key is for Encryption peer's IP Address - -type: keyword - --- - -*`rsa.crypto.cipher_size_src`*:: -+ --- -This key captures Source (Client) Cipher Size - -type: long - --- - -*`rsa.crypto.ike`*:: -+ --- -IKE negotiation phase. - -type: keyword - --- - -*`rsa.crypto.scheme`*:: -+ --- -This key captures the Encryption scheme used - -type: keyword - --- - -*`rsa.crypto.peer_id`*:: -+ --- -This key is for Encryption peer’s identity - -type: keyword - --- - -*`rsa.crypto.sig_type`*:: -+ --- -This key captures the Signature Type - -type: keyword - --- - -*`rsa.crypto.cert_issuer`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.crypto.cert_error`*:: -+ --- -This key captures the Certificate Error String - -type: keyword - --- - -*`rsa.crypto.cipher_dst`*:: -+ --- -This key is for Destination (Server) Cipher - -type: keyword - --- - -*`rsa.crypto.cipher_size_dst`*:: -+ --- -This key captures Destination (Server) Cipher Size - -type: long - --- - -*`rsa.crypto.ssl_ver_src`*:: -+ --- -Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.d_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.s_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.ike_cookie1`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase One - -type: keyword - --- - -*`rsa.crypto.ike_cookie2`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase Two - -type: keyword - --- - -*`rsa.crypto.cert_checksum`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_cat`*:: -+ --- -This key is used for the hostname category value of a certificate - -type: keyword - --- - -*`rsa.crypto.cert_serial`*:: -+ --- -This key is used to capture the Certificate serial number only - -type: keyword - --- - -*`rsa.crypto.cert_status`*:: -+ --- -This key captures Certificate validation status - -type: keyword - --- - -*`rsa.crypto.ssl_ver_dst`*:: -+ --- 
-Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.cert_keysize`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_username`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_insact`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_valid`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_ca`*:: -+ --- -This key is used to capture the Certificate signing authority only - -type: keyword - --- - -*`rsa.crypto.cert_common`*:: -+ --- -This key is used to capture the Certificate common name only - -type: keyword - --- - - -*`rsa.wireless.wlan_ssid`*:: -+ --- -This key is used to capture the ssid of a Wireless Session - -type: keyword - --- - -*`rsa.wireless.access_point`*:: -+ --- -This key is used to capture the access point name. - -type: keyword - --- - -*`rsa.wireless.wlan_channel`*:: -+ --- -This is used to capture the channel names - -type: long - --- - -*`rsa.wireless.wlan_name`*:: -+ --- -This key captures either WLAN number/name - -type: keyword - --- - - -*`rsa.storage.disk_volume`*:: -+ --- -A unique name assigned to logical units (volumes) within a physical disk - -type: keyword - --- - -*`rsa.storage.lun`*:: -+ --- -Logical Unit Number.This key is a very useful concept in Storage. - -type: keyword - --- - -*`rsa.storage.pwwn`*:: -+ --- -This uniquely identifies a port on a HBA. - -type: keyword - --- - - -*`rsa.physical.org_dst`*:: -+ --- -This is used to capture the destination organization based on the GEOPIP Maxmind database. - -type: keyword - --- - -*`rsa.physical.org_src`*:: -+ --- -This is used to capture the source organization based on the GEOPIP Maxmind database. 
- -type: keyword - --- - - -*`rsa.healthcare.patient_fname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_id`*:: -+ --- -This key captures the unique ID for a patient - -type: keyword - --- - -*`rsa.healthcare.patient_lname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_mname`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - - -*`rsa.endpoint.host_state`*:: -+ --- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - -type: keyword - --- - -*`rsa.endpoint.registry_key`*:: -+ --- -This key captures the path to the registry key - -type: keyword - --- - -*`rsa.endpoint.registry_value`*:: -+ --- -This key captures values or decorators used within a registry entry - -type: keyword - --- - [[exported-fields-docker-processor]] == Docker fields diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index 6074df038cd..b30ee06dc8c 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -15,7 +15,6 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> - * <> * <> * <> * <> @@ -87,7 +86,6 @@ include::modules/cisco.asciidoc[] include::modules/coredns.asciidoc[] include::modules/crowdstrike.asciidoc[] include::modules/cyberarkpas.asciidoc[] -include::modules/cylance.asciidoc[] include::modules/elasticsearch.asciidoc[] include::modules/envoyproxy.asciidoc[] include::modules/f5.asciidoc[] diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 910e941ddda..25ecf853fd3 100644 --- a/x-pack/filebeat/filebeat.reference.yml 
+++ b/x-pack/filebeat/filebeat.reference.yml @@ -802,27 +802,6 @@ filebeat.modules: # var.paths: -#---------------------------- CylanceProtect Module ---------------------------- -- module: cylance - protect: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9508 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - #---------------------------- Elasticsearch Module ---------------------------- - module: elasticsearch # Server log diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index 67a25f39774..5aa763e81a1 100644 --- a/x-pack/filebeat/include/list.go +++ b/x-pack/filebeat/include/list.go @@ -26,7 +26,6 @@ import ( _ "github.com/elastic/beats/v7/x-pack/filebeat/module/coredns" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/crowdstrike" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/cyberarkpas" - _ "github.com/elastic/beats/v7/x-pack/filebeat/module/cylance" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/envoyproxy" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/f5" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/fortinet" diff --git a/x-pack/filebeat/module/cylance/README.md b/x-pack/filebeat/module/cylance/README.md deleted file mode 100644 index 64bd6cf1be2..00000000000 --- a/x-pack/filebeat/module/cylance/README.md +++ /dev/null @@ -1,7 +0,0 @@ -# cylance module - -This is a module for CylanceProtect logs. - -Autogenerated from RSA NetWitness log parser 2.0 XML cylance version 127 -at 2020-07-13 17:55:36.066402 +0000 UTC. - 
diff --git a/x-pack/filebeat/module/cylance/_meta/config.yml b/x-pack/filebeat/module/cylance/_meta/config.yml deleted file mode 100644 index 3025ab38401..00000000000 --- a/x-pack/filebeat/module/cylance/_meta/config.yml +++ /dev/null @@ -1,19 +0,0 @@ -- module: cylance - protect: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9508 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local diff --git a/x-pack/filebeat/module/cylance/_meta/docs.asciidoc b/x-pack/filebeat/module/cylance/_meta/docs.asciidoc deleted file mode 100644 index f8cff0616f4..00000000000 --- a/x-pack/filebeat/module/cylance/_meta/docs.asciidoc +++ /dev/null 
@@ -1,70 +0,0 @@ -[role="xpack"] - -:modulename: cylance -:has-dashboards: false - -== Cylance module - -deprecated::[8.12.0,"This module is deprecated. See <> for migration options."] - -experimental[] - -include::{libbeat-dir}/shared/integration-link.asciidoc[] - -This is a module for receiving CylanceProtect logs over Syslog or a file. - -include::../include/gs-link.asciidoc[] - -include::../include/configuring-intro.asciidoc[] - -:fileset_ex: protect - -include::../include/config-option-intro.asciidoc[] - -[float] -==== `protect` fileset settings - -experimental[] - -NOTE: This was converted from RSA NetWitness log parser XML "cylance" device revision 127. - -*`var.input`*:: - -The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. - -*`var.syslog_host`*:: - -The address to listen to UDP or TCP based syslog traffic. -Defaults to `localhost`. -Set to `0.0.0.0` to bind to all available interfaces. - -*`var.syslog_port`*:: - -The port to listen for syslog traffic. Defaults to `9508` - -NOTE: Ports below 1024 require Filebeat to run as root. - -*`var.tz_offset`*:: - -By default, datetimes in the logs will be interpreted as relative to -the timezone configured in the host where {beatname_uc} is running. If ingesting -logs from a host on a different timezone, use this field to set the timezone -offset so that datetimes are correctly parsed. Valid values are in the form -±HH:mm, for example, `-07:00` for `UTC-7`. - -*`var.rsa_fields`*:: - -Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be added. - -*`var.keep_raw_fields`*:: - -Flag to control the addition of the raw parser fields to the event. This fields -will be found under `rsa.raw`. The default is false. - -:has-dashboards!: - -:fileset_ex!: - -:modulename!: - 
diff --git a/x-pack/filebeat/module/cylance/_meta/fields.yml b/x-pack/filebeat/module/cylance/_meta/fields.yml deleted file mode 100644 index 9cd4579d60e..00000000000 --- a/x-pack/filebeat/module/cylance/_meta/fields.yml +++ /dev/null @@ -1,5 +0,0 @@ -- key: cylance - title: CylanceProtect - description: > - cylance fields. - fields: diff --git a/x-pack/filebeat/module/cylance/fields.go b/x-pack/filebeat/module/cylance/fields.go deleted file mode 100644 index 938489cfe84..00000000000 --- a/x-pack/filebeat/module/cylance/fields.go +++ /dev/null @@ -1,23 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. - -package cylance - -import ( - "github.com/elastic/beats/v7/libbeat/asset" -) - -func init() { - if err := asset.SetFields("filebeat", "cylance", asset.ModuleFieldsPri, AssetCylance); err != nil { - panic(err) - } -} - -// AssetCylance returns asset data. -// This is the base64 encoded zlib format compressed contents of module/cylance. -func AssetCylance() string { - return "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" -} diff --git a/x-pack/filebeat/module/cylance/protect/_meta/fields.yml b/x-pack/filebeat/module/cylance/protect/_meta/fields.yml deleted file mode 100644 index 08a34153c4f..00000000000 --- a/x-pack/filebeat/module/cylance/protect/_meta/fields.yml +++ /dev/null 
@@ -1,2635 +0,0 @@ -- name: network.interface.name - overwrite: true - type: keyword - description: > - Name of the network interface where the traffic has been observed. -- name: rsa - overwrite: true - type: group - fields: - - name: internal - overwrite: true - type: group - fields: - - name: msg - overwrite: true - type: keyword - description: This key is used to capture the raw message that comes into the - Log Decoder - - name: messageid - overwrite: true - type: keyword - - name: event_desc - overwrite: true - type: keyword - - name: message - overwrite: true - type: keyword - description: This key captures the contents of instant messages - - name: time - overwrite: true - type: date - description: This is the time at which a session hits a NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness. - - name: level - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: msg_id - overwrite: true - type: keyword - description: This is the Message ID1 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: msg_vid - overwrite: true - type: keyword - description: This is the Message ID2 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: data - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: resource - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: statement - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: entry - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: inode - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: resource_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: dead - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - overwrite: true - type: keyword - description: This is used to capture the description of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: feed_name - overwrite: true - type: keyword - description: This is used to capture the name of the feed. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: cid - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_class - overwrite: true - type: keyword - description: This is the Classification of the Log Event Source under a predefined - fixed set of Event Source Classifications. 
This key should never be used to - parse Meta data from a session (Logs/Packets) Directly, this is a Reserved - key in NetWitness - - name: device_group - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - overwrite: true - type: keyword - description: This is the Hostname of the log Event Source sending the logs to - NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - overwrite: true - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - overwrite: true - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - overwrite: true - type: keyword - description: This is the name of the log parser which parsed a given session. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_type_id - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: did - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. 
- This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: entropy_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: entropy_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: event_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - overwrite: true - type: keyword - description: This is used to capture the category of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: forward_ip - overwrite: true - type: ip - description: This key should be used to capture the IPV4 address of a relay - system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - overwrite: true - type: ip - description: This key is used to capture the IPV6 address of a relay system - which forwarded the events from the original system to NetWitness. This key - should never be used to parse Meta data from a session (Logs/Packets) Directly, - this is a Reserved key in NetWitness - - name: header_id - overwrite: true - type: keyword - description: This is the Header ID value that identifies the exact log parser - header definition that parses a particular log session. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: lc_cid - overwrite: true - type: keyword - description: This is a unique Identifier of a Log Collector. 
This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: lc_ctime - overwrite: true - type: date - description: This is the time at which a log is collected in a NetWitness Log - Collector. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: mcbc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: medium - overwrite: true - type: long - description: "This key is used to identify if it\u2019s a log/packet session\ - \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ - \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ - \ 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: nwe_callback_id - overwrite: true - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - overwrite: true - type: keyword - description: This is a special key that stores any Meta key validation error - found while parsing a log session. This key should never be used to parse - Meta data from a session (Logs/Packets) Directly, this is a Reserved key in - NetWitness - - name: payload_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: payload_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: process_vid_dst - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the target process. - - name: process_vid_src - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the source process. - - name: rid - overwrite: true - type: long - description: This is a special ID of the Remote Session created by NetWitness - Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: session_split - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: size - overwrite: true - type: long - description: This is the size of the session as seen by the NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: sourcefile - overwrite: true - type: keyword - description: This is the name of the log file or PCAPs that can be imported - into NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: ubc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: word - overwrite: true - type: keyword - description: This is used by the Word Parsing technology to capture the first - 5 character of every word in an unparsed log - - name: time - overwrite: true - type: group - fields: - - name: event_time - overwrite: true - type: date - description: This key is used to capture the time mentioned in a raw session - that represents the actual time an event occured in a standard normalized - form - - name: duration_time - overwrite: true - type: double - description: This key is used to capture the normalized duration/lifetime in - seconds. 
- - name: event_time_str - overwrite: true - type: keyword - description: This key is used to capture the incomplete time mentioned in a - session as a string - - name: starttime - overwrite: true - type: date - description: This key is used to capture the Start time mentioned in a session - in a standard form - - name: month - overwrite: true - type: keyword - - name: day - overwrite: true - type: keyword - - name: endtime - overwrite: true - type: date - description: This key is used to capture the End time mentioned in a session - in a standard form - - name: timezone - overwrite: true - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - overwrite: true - type: keyword - description: A text string version of the duration - - name: date - overwrite: true - type: keyword - - name: year - overwrite: true - type: keyword - - name: recorded_time - overwrite: true - type: date - description: The event time as recorded by the system the event is collected - from. The usage scenario is a multi-tier application where the management - layer of the system records it's own timestamp at the time of collection from - its child nodes. Must be in timestamp format. - - name: datetime - overwrite: true - type: keyword - - name: effective_time - overwrite: true - type: date - description: This key is the effective time referenced by an individual event - in a Standard Timestamp format - - name: expire_time - overwrite: true - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - overwrite: true - type: keyword - description: Deprecated, use duration.time - - name: hour - overwrite: true - type: keyword - - name: min - overwrite: true - type: keyword - - name: timestamp - overwrite: true - type: keyword - - name: event_queue_time - overwrite: true - type: date - description: This key is the Time that the event was queued. 
- - name: p_time1 - overwrite: true - type: keyword - - name: tzone - overwrite: true - type: keyword - - name: eventtime - overwrite: true - type: keyword - - name: gmtdate - overwrite: true - type: keyword - - name: gmttime - overwrite: true - type: keyword - - name: p_date - overwrite: true - type: keyword - - name: p_month - overwrite: true - type: keyword - - name: p_time - overwrite: true - type: keyword - - name: p_time2 - overwrite: true - type: keyword - - name: p_year - overwrite: true - type: keyword - - name: expire_time_str - overwrite: true - type: keyword - description: This key is used to capture incomplete timestamp that explicitly - refers to an expiration. - - name: stamp - overwrite: true - type: date - description: Deprecated key defined only in table map. - - name: misc - overwrite: true - type: group - fields: - - name: action - overwrite: true - type: keyword - - name: result - overwrite: true - type: keyword - description: This key is used to capture the outcome/result string value of - an action in a session. - - name: severity - overwrite: true - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - overwrite: true - type: keyword - description: This key captures the event category type as specified by the event - source. - - name: reference_id - overwrite: true - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - overwrite: true - type: keyword - description: This key captures Version of the application or OS which is generating - the event. - - name: disposition - overwrite: true - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - overwrite: true - type: keyword - description: This key is used to capture the outcome/result numeric value of - an action in a session - - name: category - overwrite: true - type: keyword - description: This key is used to capture the category of an event given by the - vendor in the session - - name: obj_name - overwrite: true - type: keyword - description: This is used to capture name of object - - name: obj_type - overwrite: true - type: keyword - description: This is used to capture type of object - - name: event_source - overwrite: true - type: keyword - description: "This key captures Source of the event that\u2019s not a hostname" - - name: log_session_id - overwrite: true - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - overwrite: true - type: keyword - description: This key captures the Group Name value - - name: policy_name - overwrite: true - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - overwrite: true - type: keyword - description: This key captures the Rule Name - - name: context - overwrite: true - type: keyword - description: This key captures Information which adds additional context to - the event. - - name: change_new - overwrite: true - type: keyword - description: "This key is used to capture the new values of the attribute that\u2019\ - s changing in a session" - - name: space - overwrite: true - type: keyword - - name: client - overwrite: true - type: keyword - description: This key is used to capture only the name of the client application - requesting resources of the server. See the user.agent meta key for capture - of the specific user agent identifier or browser identification string. 
- - name: msgIdPart1 - overwrite: true - type: keyword - - name: msgIdPart2 - overwrite: true - type: keyword - - name: change_old - overwrite: true - type: keyword - description: "This key is used to capture the old value of the attribute that\u2019\ - s changing in a session" - - name: operation_id - overwrite: true - type: keyword - description: An alert number or operation number. The values should be unique - and non-repeating. - - name: event_state - overwrite: true - type: keyword - description: This key captures the current state of the object/item referenced - within the event. Describing an on-going event. - - name: group_object - overwrite: true - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - overwrite: true - type: keyword - description: Common use case is the node name within a cluster. The cluster - name is reflected by the host name. - - name: rule - overwrite: true - type: keyword - description: This key captures the Rule number - - name: device_name - overwrite: true - type: keyword - description: 'This is used to capture name of the Device associated with the - node Like: a physical disk, printer, etc' - - name: param - overwrite: true - type: keyword - description: This key is the parameters passed as part of a command or application, - etc. - - name: change_attrib - overwrite: true - type: keyword - description: "This key is used to capture the name of the attribute that\u2019\ - s changing in a session" - - name: event_computer - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - fully qualified domain name in a windows log. 
- - name: reference_id1 - overwrite: true - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - overwrite: true - type: keyword - description: This key captures the Name of the event log - - name: OS - overwrite: true - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - overwrite: true - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - overwrite: true - type: keyword - - name: filter - overwrite: true - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - overwrite: true - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the entity - such as a file or process. Checksum should be used over checksum.src or checksum.dst - when it is unclear whether the entity is a source or target of an action. - - name: event_user - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - combination of domain name and username in a windows log. - - name: virusname - overwrite: true - type: keyword - description: This key captures the name of the virus - - name: content_type - overwrite: true - type: keyword - description: This key is used to capture Content Type only. 
- - name: group_id - overwrite: true - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - overwrite: true - type: keyword - description: This key is used to capture the Policy ID only, this should be - a numeric value, use policy.name otherwise - - name: vsys - overwrite: true - type: keyword - description: This key captures Virtual System Name - - name: connection_id - overwrite: true - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - overwrite: true - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" - or "reference.id1" value but should not be used unless the other two variables - are in play. - - name: sensor - overwrite: true - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS - based devices - - name: sig_id - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - overwrite: true - type: keyword - description: 'This key is used for Physical or logical port connection but does - NOT include a network port. (Example: Printer port name).' - - name: rule_group - overwrite: true - type: keyword - description: This key captures the Rule group name - - name: risk_num - overwrite: true - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - overwrite: true - type: keyword - description: This key captures the Value of the trigger or threshold condition. - - name: log_session_id1 - overwrite: true - type: keyword - description: This key is used to capture a Linked (Related) Session ID from - the session directly - - name: comp_version - overwrite: true - type: keyword - description: This key captures the Version level of a sub-component of a product. 
- - name: content_version - overwrite: true - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - overwrite: true - type: keyword - description: This key is used to capture unique identifier for a device or system - (NOT a Mac address) - - name: risk - overwrite: true - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - overwrite: true - type: keyword - - name: reason - overwrite: true - type: keyword - - name: status - overwrite: true - type: keyword - - name: mail_id - overwrite: true - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - overwrite: true - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - overwrite: true - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - overwrite: true - type: keyword - - name: p_msgid - overwrite: true - type: keyword - - name: data_type - overwrite: true - type: keyword - - name: msgIdPart4 - overwrite: true - type: keyword - - name: error - overwrite: true - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - overwrite: true - type: keyword - - name: listnum - overwrite: true - type: keyword - description: This key is used to capture listname or listnumber, primarily for - collecting access-list - - name: ntype - overwrite: true - type: keyword - - name: observed_val - overwrite: true - type: keyword - description: This key captures the Value observed (from the perspective of the - device generating the log). - - name: policy_value - overwrite: true - type: keyword - description: This key captures the contents of the policy. 
This contains details - about the policy - - name: pool_name - overwrite: true - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - overwrite: true - type: keyword - description: A default set of parameters which are overlayed onto a rule (or - rulename) which efffectively constitutes a template - - name: count - overwrite: true - type: keyword - - name: number - overwrite: true - type: keyword - - name: sigcat - overwrite: true - type: keyword - - name: type - overwrite: true - type: keyword - - name: comments - overwrite: true - type: keyword - description: Comment information provided in the log message - - name: doc_number - overwrite: true - type: long - description: This key captures File Identification number - - name: expected_val - overwrite: true - type: keyword - description: This key captures the Value expected (from the perspective of the - device generating the log). - - name: job_num - overwrite: true - type: keyword - description: This key captures the Job Number - - name: spi_dst - overwrite: true - type: keyword - description: Destination SPI Index - - name: spi_src - overwrite: true - type: keyword - description: Source SPI Index - - name: code - overwrite: true - type: keyword - - name: agent_id - overwrite: true - type: keyword - description: This key is used to capture agent id - - name: message_body - overwrite: true - type: keyword - description: This key captures the The contents of the message body. - - name: phone - overwrite: true - type: keyword - - name: sig_id_str - overwrite: true - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - overwrite: true - type: keyword - - name: misc - overwrite: true - type: keyword - - name: name - overwrite: true - type: keyword - - name: cpu - overwrite: true - type: long - description: This key is the CPU time used in the execution of the event being - recorded. 
- - name: event_desc - overwrite: true - type: keyword - description: This key is used to capture a description of an event available - directly or inferred - - name: sig_id1 - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID. This must be linked - to the sig.id - - name: im_buddyid - overwrite: true - type: keyword - - name: im_client - overwrite: true - type: keyword - - name: im_userid - overwrite: true - type: keyword - - name: pid - overwrite: true - type: keyword - - name: priority - overwrite: true - type: keyword - - name: context_subject - overwrite: true - type: keyword - description: This key is to be used in an audit context where the subject is - the object being identified - - name: context_target - overwrite: true - type: keyword - - name: cve - overwrite: true - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - - an identifier for known information security vulnerabilities. - - name: fcatnum - overwrite: true - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - overwrite: true - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - overwrite: true - type: keyword - description: This key captures the Parent Node Name. Must be related to node - variable. - - name: risk_info - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - overwrite: true - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - overwrite: true - type: long - description: This key describes the type of service - - name: vm_target - overwrite: true - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - overwrite: true - type: keyword - description: This key captures Workspace Description - - name: command - overwrite: true - type: keyword - - name: event_category - overwrite: true - type: keyword - - name: facilityname - overwrite: true - type: keyword - - name: forensic_info - overwrite: true - type: keyword - - name: jobname - overwrite: true - type: keyword - - name: mode - overwrite: true - type: keyword - - name: policy - overwrite: true - type: keyword - - name: policy_waiver - overwrite: true - type: keyword - - name: second - overwrite: true - type: keyword - - name: space1 - overwrite: true - type: keyword - - name: subcategory - overwrite: true - type: keyword - - name: tbdstr2 - overwrite: true - type: keyword - - name: alert_id - overwrite: true - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the the target - entity such as a process or file. - - name: checksum_src - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the source - entity such as a file or process. 
- - name: fresult - overwrite: true - type: long - description: This key captures the Filter Result - - name: payload_dst - overwrite: true - type: keyword - description: This key is used to capture destination payload - - name: payload_src - overwrite: true - type: keyword - description: This key is used to capture source payload - - name: pool_id - overwrite: true - type: keyword - description: This key captures the identifier (typically numeric field) of a - resource pool - - name: process_id_val - overwrite: true - type: keyword - description: This key is a failure key for Process ID when it is not an integer - value - - name: risk_num_comm - overwrite: true - type: double - description: This key captures Risk Number Community - - name: risk_num_next - overwrite: true - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - overwrite: true - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - overwrite: true - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - overwrite: true - type: keyword - description: SNMP Object Identifier - - name: sql - overwrite: true - type: keyword - description: This key captures the SQL query - - name: vuln_ref - overwrite: true - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - overwrite: true - type: keyword - - name: acl_op - overwrite: true - type: keyword - - name: acl_pos - overwrite: true - type: keyword - - name: acl_table - overwrite: true - type: keyword - - name: admin - overwrite: true - type: keyword - - name: alarm_id - overwrite: true - type: keyword - - name: alarmname - 
overwrite: true - type: keyword - - name: app_id - overwrite: true - type: keyword - - name: audit - overwrite: true - type: keyword - - name: audit_object - overwrite: true - type: keyword - - name: auditdata - overwrite: true - type: keyword - - name: benchmark - overwrite: true - type: keyword - - name: bypass - overwrite: true - type: keyword - - name: cache - overwrite: true - type: keyword - - name: cache_hit - overwrite: true - type: keyword - - name: cefversion - overwrite: true - type: keyword - - name: cfg_attr - overwrite: true - type: keyword - - name: cfg_obj - overwrite: true - type: keyword - - name: cfg_path - overwrite: true - type: keyword - - name: changes - overwrite: true - type: keyword - - name: client_ip - overwrite: true - type: keyword - - name: clustermembers - overwrite: true - type: keyword - - name: cn_acttimeout - overwrite: true - type: keyword - - name: cn_asn_src - overwrite: true - type: keyword - - name: cn_bgpv4nxthop - overwrite: true - type: keyword - - name: cn_ctr_dst_code - overwrite: true - type: keyword - - name: cn_dst_tos - overwrite: true - type: keyword - - name: cn_dst_vlan - overwrite: true - type: keyword - - name: cn_engine_id - overwrite: true - type: keyword - - name: cn_engine_type - overwrite: true - type: keyword - - name: cn_f_switch - overwrite: true - type: keyword - - name: cn_flowsampid - overwrite: true - type: keyword - - name: cn_flowsampintv - overwrite: true - type: keyword - - name: cn_flowsampmode - overwrite: true - type: keyword - - name: cn_inacttimeout - overwrite: true - type: keyword - - name: cn_inpermbyts - overwrite: true - type: keyword - - name: cn_inpermpckts - overwrite: true - type: keyword - - name: cn_invalid - overwrite: true - type: keyword - - name: cn_ip_proto_ver - overwrite: true - type: keyword - - name: cn_ipv4_ident - overwrite: true - type: keyword - - name: cn_l_switch - overwrite: true - type: keyword - - name: cn_log_did - overwrite: true - type: keyword - - name: 
cn_log_rid - overwrite: true - type: keyword - - name: cn_max_ttl - overwrite: true - type: keyword - - name: cn_maxpcktlen - overwrite: true - type: keyword - - name: cn_min_ttl - overwrite: true - type: keyword - - name: cn_minpcktlen - overwrite: true - type: keyword - - name: cn_mpls_lbl_1 - overwrite: true - type: keyword - - name: cn_mpls_lbl_10 - overwrite: true - type: keyword - - name: cn_mpls_lbl_2 - overwrite: true - type: keyword - - name: cn_mpls_lbl_3 - overwrite: true - type: keyword - - name: cn_mpls_lbl_4 - overwrite: true - type: keyword - - name: cn_mpls_lbl_5 - overwrite: true - type: keyword - - name: cn_mpls_lbl_6 - overwrite: true - type: keyword - - name: cn_mpls_lbl_7 - overwrite: true - type: keyword - - name: cn_mpls_lbl_8 - overwrite: true - type: keyword - - name: cn_mpls_lbl_9 - overwrite: true - type: keyword - - name: cn_mplstoplabel - overwrite: true - type: keyword - - name: cn_mplstoplabip - overwrite: true - type: keyword - - name: cn_mul_dst_byt - overwrite: true - type: keyword - - name: cn_mul_dst_pks - overwrite: true - type: keyword - - name: cn_muligmptype - overwrite: true - type: keyword - - name: cn_sampalgo - overwrite: true - type: keyword - - name: cn_sampint - overwrite: true - type: keyword - - name: cn_seqctr - overwrite: true - type: keyword - - name: cn_spackets - overwrite: true - type: keyword - - name: cn_src_tos - overwrite: true - type: keyword - - name: cn_src_vlan - overwrite: true - type: keyword - - name: cn_sysuptime - overwrite: true - type: keyword - - name: cn_template_id - overwrite: true - type: keyword - - name: cn_totbytsexp - overwrite: true - type: keyword - - name: cn_totflowexp - overwrite: true - type: keyword - - name: cn_totpcktsexp - overwrite: true - type: keyword - - name: cn_unixnanosecs - overwrite: true - type: keyword - - name: cn_v6flowlabel - overwrite: true - type: keyword - - name: cn_v6optheaders - overwrite: true - type: keyword - - name: comp_class - overwrite: true - type: 
keyword - - name: comp_name - overwrite: true - type: keyword - - name: comp_rbytes - overwrite: true - type: keyword - - name: comp_sbytes - overwrite: true - type: keyword - - name: cpu_data - overwrite: true - type: keyword - - name: criticality - overwrite: true - type: keyword - - name: cs_agency_dst - overwrite: true - type: keyword - - name: cs_analyzedby - overwrite: true - type: keyword - - name: cs_av_other - overwrite: true - type: keyword - - name: cs_av_primary - overwrite: true - type: keyword - - name: cs_av_secondary - overwrite: true - type: keyword - - name: cs_bgpv6nxthop - overwrite: true - type: keyword - - name: cs_bit9status - overwrite: true - type: keyword - - name: cs_context - overwrite: true - type: keyword - - name: cs_control - overwrite: true - type: keyword - - name: cs_data - overwrite: true - type: keyword - - name: cs_datecret - overwrite: true - type: keyword - - name: cs_dst_tld - overwrite: true - type: keyword - - name: cs_eth_dst_ven - overwrite: true - type: keyword - - name: cs_eth_src_ven - overwrite: true - type: keyword - - name: cs_event_uuid - overwrite: true - type: keyword - - name: cs_filetype - overwrite: true - type: keyword - - name: cs_fld - overwrite: true - type: keyword - - name: cs_if_desc - overwrite: true - type: keyword - - name: cs_if_name - overwrite: true - type: keyword - - name: cs_ip_next_hop - overwrite: true - type: keyword - - name: cs_ipv4dstpre - overwrite: true - type: keyword - - name: cs_ipv4srcpre - overwrite: true - type: keyword - - name: cs_lifetime - overwrite: true - type: keyword - - name: cs_log_medium - overwrite: true - type: keyword - - name: cs_loginname - overwrite: true - type: keyword - - name: cs_modulescore - overwrite: true - type: keyword - - name: cs_modulesign - overwrite: true - type: keyword - - name: cs_opswatresult - overwrite: true - type: keyword - - name: cs_payload - overwrite: true - type: keyword - - name: cs_registrant - overwrite: true - type: keyword - - 
name: cs_registrar - overwrite: true - type: keyword - - name: cs_represult - overwrite: true - type: keyword - - name: cs_rpayload - overwrite: true - type: keyword - - name: cs_sampler_name - overwrite: true - type: keyword - - name: cs_sourcemodule - overwrite: true - type: keyword - - name: cs_streams - overwrite: true - type: keyword - - name: cs_targetmodule - overwrite: true - type: keyword - - name: cs_v6nxthop - overwrite: true - type: keyword - - name: cs_whois_server - overwrite: true - type: keyword - - name: cs_yararesult - overwrite: true - type: keyword - - name: description - overwrite: true - type: keyword - - name: devvendor - overwrite: true - type: keyword - - name: distance - overwrite: true - type: keyword - - name: dstburb - overwrite: true - type: keyword - - name: edomain - overwrite: true - type: keyword - - name: edomaub - overwrite: true - type: keyword - - name: euid - overwrite: true - type: keyword - - name: facility - overwrite: true - type: keyword - - name: finterface - overwrite: true - type: keyword - - name: flags - overwrite: true - type: keyword - - name: gaddr - overwrite: true - type: keyword - - name: id3 - overwrite: true - type: keyword - - name: im_buddyname - overwrite: true - type: keyword - - name: im_croomid - overwrite: true - type: keyword - - name: im_croomtype - overwrite: true - type: keyword - - name: im_members - overwrite: true - type: keyword - - name: im_username - overwrite: true - type: keyword - - name: ipkt - overwrite: true - type: keyword - - name: ipscat - overwrite: true - type: keyword - - name: ipspri - overwrite: true - type: keyword - - name: latitude - overwrite: true - type: keyword - - name: linenum - overwrite: true - type: keyword - - name: list_name - overwrite: true - type: keyword - - name: load_data - overwrite: true - type: keyword - - name: location_floor - overwrite: true - type: keyword - - name: location_mark - overwrite: true - type: keyword - - name: log_id - overwrite: true - 
type: keyword - - name: log_type - overwrite: true - type: keyword - - name: logid - overwrite: true - type: keyword - - name: logip - overwrite: true - type: keyword - - name: logname - overwrite: true - type: keyword - - name: longitude - overwrite: true - type: keyword - - name: lport - overwrite: true - type: keyword - - name: mbug_data - overwrite: true - type: keyword - - name: misc_name - overwrite: true - type: keyword - - name: msg_type - overwrite: true - type: keyword - - name: msgid - overwrite: true - type: keyword - - name: netsessid - overwrite: true - type: keyword - - name: num - overwrite: true - type: keyword - - name: number1 - overwrite: true - type: keyword - - name: number2 - overwrite: true - type: keyword - - name: nwwn - overwrite: true - type: keyword - - name: object - overwrite: true - type: keyword - - name: operation - overwrite: true - type: keyword - - name: opkt - overwrite: true - type: keyword - - name: orig_from - overwrite: true - type: keyword - - name: owner_id - overwrite: true - type: keyword - - name: p_action - overwrite: true - type: keyword - - name: p_filter - overwrite: true - type: keyword - - name: p_group_object - overwrite: true - type: keyword - - name: p_id - overwrite: true - type: keyword - - name: p_msgid1 - overwrite: true - type: keyword - - name: p_msgid2 - overwrite: true - type: keyword - - name: p_result1 - overwrite: true - type: keyword - - name: password_chg - overwrite: true - type: keyword - - name: password_expire - overwrite: true - type: keyword - - name: permgranted - overwrite: true - type: keyword - - name: permwanted - overwrite: true - type: keyword - - name: pgid - overwrite: true - type: keyword - - name: policyUUID - overwrite: true - type: keyword - - name: prog_asp_num - overwrite: true - type: keyword - - name: program - overwrite: true - type: keyword - - name: real_data - overwrite: true - type: keyword - - name: rec_asp_device - overwrite: true - type: keyword - - name: rec_asp_num 
- overwrite: true - type: keyword - - name: rec_library - overwrite: true - type: keyword - - name: recordnum - overwrite: true - type: keyword - - name: ruid - overwrite: true - type: keyword - - name: sburb - overwrite: true - type: keyword - - name: sdomain_fld - overwrite: true - type: keyword - - name: sec - overwrite: true - type: keyword - - name: sensorname - overwrite: true - type: keyword - - name: seqnum - overwrite: true - type: keyword - - name: session - overwrite: true - type: keyword - - name: sessiontype - overwrite: true - type: keyword - - name: sigUUID - overwrite: true - type: keyword - - name: spi - overwrite: true - type: keyword - - name: srcburb - overwrite: true - type: keyword - - name: srcdom - overwrite: true - type: keyword - - name: srcservice - overwrite: true - type: keyword - - name: state - overwrite: true - type: keyword - - name: status1 - overwrite: true - type: keyword - - name: svcno - overwrite: true - type: keyword - - name: system - overwrite: true - type: keyword - - name: tbdstr1 - overwrite: true - type: keyword - - name: tgtdom - overwrite: true - type: keyword - - name: tgtdomain - overwrite: true - type: keyword - - name: threshold - overwrite: true - type: keyword - - name: type1 - overwrite: true - type: keyword - - name: udb_class - overwrite: true - type: keyword - - name: url_fld - overwrite: true - type: keyword - - name: user_div - overwrite: true - type: keyword - - name: userid - overwrite: true - type: keyword - - name: username_fld - overwrite: true - type: keyword - - name: utcstamp - overwrite: true - type: keyword - - name: v_instafname - overwrite: true - type: keyword - - name: virt_data - overwrite: true - type: keyword - - name: vpnid - overwrite: true - type: keyword - - name: autorun_type - overwrite: true - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - overwrite: true - type: long - description: Valid Credit Card Numbers only - - name: content - 
overwrite: true - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - overwrite: true - type: long - description: Employee Identification Numbers only - - name: found - overwrite: true - type: keyword - description: This is used to capture the results of regex match - - name: language - overwrite: true - type: keyword - description: This is used to capture list of languages the client support and - what it prefers - - name: lifetime - overwrite: true - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - overwrite: true - type: keyword - description: This key is used to link the sessions together. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: match - overwrite: true - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - overwrite: true - type: keyword - description: This key captures the command line/launch argument of the target - process or file - - name: param_src - overwrite: true - type: keyword - description: This key captures source parameter - - name: search_text - overwrite: true - type: keyword - description: This key captures the Search Text used - - name: sig_name - overwrite: true - type: keyword - description: This key is used to capture the Signature Name only. - - name: snmp_value - overwrite: true - type: keyword - description: SNMP set request value - - name: streams - overwrite: true - type: long - description: This key captures number of streams in session - - name: db - overwrite: true - type: group - fields: - - name: index - overwrite: true - type: keyword - description: This key captures IndexID of the index. 
- - name: instance - overwrite: true - type: keyword - description: This key is used to capture the database server instance name - - name: database - overwrite: true - type: keyword - description: This key is used to capture the name of a database or an instance - as seen in a session - - name: transact_id - overwrite: true - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - overwrite: true - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - overwrite: true - type: keyword - description: This key is used to capture the table name - - name: db_id - overwrite: true - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - overwrite: true - type: long - description: This key captures the process id of a connection with database - server - - name: lread - overwrite: true - type: long - description: This key is used for the number of logical reads - - name: lwrite - overwrite: true - type: long - description: This key is used for the number of logical writes - - name: pread - overwrite: true - type: long - description: This key is used for the number of physical writes - - name: network - overwrite: true - type: group - fields: - - name: alias_host - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a hostname is not clear.Also it captures the Device Hostname. Any Hostname - that isnt ad.computer. 
- - name: domain - overwrite: true - type: keyword - - name: host_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Hostname" - - name: network_service - overwrite: true - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of an interface is not clear - - name: network_port - overwrite: true - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently - used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - overwrite: true - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Interface" - - name: dinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Interface" - - name: vlan - overwrite: true - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Zone." - - name: zone - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a Zone is not clear - - name: zone_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Zone." - - name: gateway - overwrite: true - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - overwrite: true - type: long - description: This key is used to capture the ICMP type only - - name: mask - overwrite: true - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - overwrite: true - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - overwrite: true - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - overwrite: true - type: keyword - description: This key is used for Destionation Device network mask - - name: port - overwrite: true - type: long - description: This key should only be used to capture a Network Port when the - directionality is not clear - - name: smask - overwrite: true - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - overwrite: true - type: keyword - description: This key is used to capture the network name associated with an - IP range. This is configured by the end user. - - name: paddr - overwrite: true - type: ip - description: Deprecated - - name: faddr - overwrite: true - type: keyword - - name: lhost - overwrite: true - type: keyword - - name: origin - overwrite: true - type: keyword - - name: remote_domain_id - overwrite: true - type: keyword - - name: addr - overwrite: true - type: keyword - - name: dns_a_record - overwrite: true - type: keyword - - name: dns_ptr_record - overwrite: true - type: keyword - - name: fhost - overwrite: true - type: keyword - - name: fport - overwrite: true - type: keyword - - name: laddr - overwrite: true - type: keyword - - name: linterface - overwrite: true - type: keyword - - name: phost - overwrite: true - type: keyword - - name: ad_computer_dst - overwrite: true - type: keyword - description: Deprecated, use host.dst - - name: eth_type - overwrite: true - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols - Only - - name: ip_proto - overwrite: true - type: long - description: This key should be used to capture the Protocol number, all the - protocol nubers are converted into string in UI - - name: dns_cname_record - overwrite: true - 
type: keyword - - name: dns_id - overwrite: true - type: keyword - - name: dns_opcode - overwrite: true - type: keyword - - name: dns_resp - overwrite: true - type: keyword - - name: dns_type - overwrite: true - type: keyword - - name: domain1 - overwrite: true - type: keyword - - name: host_type - overwrite: true - type: keyword - - name: packet_length - overwrite: true - type: keyword - - name: host_orig - overwrite: true - type: keyword - description: This is used to capture the original hostname in case of a Forwarding - Agent or a Proxy in between. - - name: rpayload - overwrite: true - type: keyword - description: This key is used to capture the total number of payload bytes seen - in the retransmitted packets. - - name: vlan_name - overwrite: true - type: keyword - description: This key should only be used to capture the name of the Virtual - LAN - - name: investigations - overwrite: true - type: group - fields: - - name: ec_activity - overwrite: true - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - overwrite: true - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - overwrite: true - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - overwrite: true - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - overwrite: true - type: long - description: This key captures the Event category number - - name: event_cat_name - overwrite: true - type: keyword - description: This key captures the event category name corresponding to the - event cat code - - name: event_vcat - overwrite: true - type: keyword - description: This is a vendor supplied category. This should be used in situations - where the vendor has adopted their own event_category taxonomy. 
- - name: analysis_file - overwrite: true - type: keyword - description: This is used to capture all indicators used in a File Analysis. - This key should be used to capture an analysis of a file - - name: analysis_service - overwrite: true - type: keyword - description: This is used to capture all indicators used in a Service Analysis. - This key should be used to capture an analysis of a service - - name: analysis_session - overwrite: true - type: keyword - description: This is used to capture all indicators used for a Session Analysis. - This key should be used to capture an analysis of a session - - name: boc - overwrite: true - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - overwrite: true - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - overwrite: true - type: keyword - description: This used to capture investigation category - - name: inv_context - overwrite: true - type: keyword - description: This used to capture investigation context - - name: ioc - overwrite: true - type: keyword - description: This is key capture indicator of compromise - - name: counters - overwrite: true - type: group - fields: - - name: dclass_c1 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c1.str only - - name: dclass_c2 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c2.str only - - name: event_counter - overwrite: true - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r1.str only - - name: dclass_c3 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c3.str only - - name: dclass_c1_str - 
overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c1 only - - name: dclass_c2_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c2 only - - name: dclass_r1_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r1 only - - name: dclass_r2 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r2.str only - - name: dclass_c3_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c3 only - - name: dclass_r3 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r3.str only - - name: dclass_r2_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r2 only - - name: dclass_r3_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r3 only - - name: identity - overwrite: true - type: group - fields: - - name: auth_method - overwrite: true - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - overwrite: true - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - overwrite: true - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - overwrite: true - type: keyword - description: This key is used to capture the type of logon method used. 
- - name: profile - overwrite: true - type: keyword - description: This key is used to capture the user profile - - name: accesses - overwrite: true - type: keyword - description: This key is used to capture actual privileges used in accessing - an object - - name: realm - overwrite: true - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - overwrite: true - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that - indicates a Source dn - - name: org - overwrite: true - type: keyword - description: This key captures the User organization - - name: dn_dst - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that - indicates a Destination dn - - name: firstname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: lastname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: user_dept - overwrite: true - type: keyword - description: User's Department Names only - - name: user_sid_src - overwrite: true - type: keyword - description: This key captures Source User Session ID - - name: federated_sp - overwrite: true - type: keyword - description: This key is the Federated Service Provider. This is the application - requesting authentication. - - name: federated_idp - overwrite: true - type: keyword - description: This key is the federated Identity Provider. This is the server - providing the authentication. - - name: logon_type_desc - overwrite: true - type: keyword - description: This key is used to capture the textual description of an integer - logon type as stored in the meta key 'logon.type'. 
- - name: middlename - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: password - overwrite: true - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - overwrite: true - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - overwrite: true - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ - t have a clear query or response context" - - name: ldap_query - overwrite: true - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - overwrite: true - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - overwrite: true - type: keyword - description: This is used to capture username the process or service is running - as, the author of the task - - name: service_account - overwrite: true - type: keyword - description: This key is a windows specific key, used for capturing name of - the account a service (referenced in the event) is running under. Legacy Usage - - name: email - overwrite: true - type: group - fields: - - name: email_dst - overwrite: true - type: keyword - description: This key is used to capture the Destination email address only, - when the destination context is not clear use email - - name: email_src - overwrite: true - type: keyword - description: This key is used to capture the source email address only, when - the source context is not clear use email - - name: subject - overwrite: true - type: keyword - description: This key is used to capture the subject string from an Email only. 
- - name: email - overwrite: true - type: keyword - description: This key is used to capture a generic email address where the source - or destination context is not clear - - name: trans_from - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: file - overwrite: true - type: group - fields: - - name: privilege - overwrite: true - type: keyword - description: Deprecated, use permissions - - name: attachment - overwrite: true - type: keyword - description: This key captures the attachment file name - - name: filesystem - overwrite: true - type: keyword - - name: binary - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: filename_dst - overwrite: true - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - overwrite: true - type: keyword - description: This is used to capture name of the parent filename, the file which - performed the action - - name: filename_tmp - overwrite: true - type: keyword - - name: directory_dst - overwrite: true - type: keyword - description: This key is used to capture the directory of the target process - or file - - name: directory_src - overwrite: true - type: keyword - description: This key is used to capture the directory of the source process - or file - - name: file_entropy - overwrite: true - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - overwrite: true - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - overwrite: true - type: keyword - description: This is used to capture name of the task - - name: web - overwrite: true - type: group - fields: - - name: fqdn - overwrite: true - type: keyword - description: Fully Qualified Domain Names - - 
name: web_cookie - overwrite: true - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - overwrite: true - type: keyword - - name: reputation_num - overwrite: true - type: double - description: Reputation Number of an entity. Typically used for Web Domains - - name: web_ref_domain - overwrite: true - type: keyword - description: Web referer's domain - - name: web_ref_query - overwrite: true - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - overwrite: true - type: keyword - - name: web_ref_page - overwrite: true - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - overwrite: true - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - overwrite: true - type: keyword - - name: cn_rpackets - overwrite: true - type: keyword - - name: urlpage - overwrite: true - type: keyword - - name: urlroot - overwrite: true - type: keyword - - name: p_url - overwrite: true - type: keyword - - name: p_user_agent - overwrite: true - type: keyword - - name: p_web_cookie - overwrite: true - type: keyword - - name: p_web_method - overwrite: true - type: keyword - - name: p_web_referer - overwrite: true - type: keyword - - name: web_extension_tmp - overwrite: true - type: keyword - - name: web_page - overwrite: true - type: keyword - - name: threat - overwrite: true - type: group - fields: - - name: threat_category - overwrite: true - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of - alert - - name: threat_desc - overwrite: true - type: keyword - description: This key is used to capture the threat description from the session - directly or inferred - - name: alert - overwrite: true - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - overwrite: true - type: keyword - description: This key is used to 
capture source of the threat - - name: crypto - overwrite: true - type: group - fields: - - name: crypto - overwrite: true - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key - only - - name: cipher_src - overwrite: true - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - overwrite: true - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - overwrite: true - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - overwrite: true - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - overwrite: true - type: keyword - description: IKE negotiation phase. - - name: scheme - overwrite: true - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - overwrite: true - type: keyword - description: "This key is for Encryption peer\u2019s identity" - - name: sig_type - overwrite: true - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - overwrite: true - type: keyword - - name: cert_host_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: cert_error - overwrite: true - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - overwrite: true - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - overwrite: true - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - overwrite: true - type: keyword - description: Deprecated, use version - - name: d_certauth - overwrite: true - type: keyword - - name: s_certauth - overwrite: true - type: keyword - - name: ike_cookie1 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - - name: ike_cookie2 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - - name: cert_checksum - overwrite: true - type: keyword - - name: cert_host_cat - overwrite: true - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - overwrite: true - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - overwrite: true - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - overwrite: true - type: keyword - description: Deprecated, use version - - name: cert_keysize - overwrite: true - type: keyword - - name: cert_username - overwrite: true - type: keyword - - name: https_insact - overwrite: true - type: keyword - - name: https_valid - overwrite: true - type: keyword - - name: cert_ca - overwrite: true - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - overwrite: true - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - overwrite: true - type: group - fields: - - name: wlan_ssid - overwrite: true - type: keyword - description: This key is 
used to capture the ssid of a Wireless Session - - name: access_point - overwrite: true - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - overwrite: true - type: long - description: This is used to capture the channel names - - name: wlan_name - overwrite: true - type: keyword - description: This key captures either WLAN number/name - - name: storage - overwrite: true - type: group - fields: - - name: disk_volume - overwrite: true - type: keyword - description: A unique name assigned to logical units (volumes) within a physical - disk - - name: lun - overwrite: true - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - overwrite: true - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - overwrite: true - type: group - fields: - - name: org_dst - overwrite: true - type: keyword - description: This is used to capture the destination organization based on the - GEOPIP Maxmind database. - - name: org_src - overwrite: true - type: keyword - description: This is used to capture the source organization based on the GEOPIP - Maxmind database. 
- - name: healthcare - overwrite: true - type: group - fields: - - name: patient_fname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_id - overwrite: true - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_mname - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: endpoint - overwrite: true - type: group - fields: - - name: host_state - overwrite: true - type: keyword - description: This key is used to capture the current state of the machine, such - as blacklisted, infected, firewall - disabled and so on - - name: registry_key - overwrite: true - type: keyword - description: This key captures the path to the registry key - - name: registry_value - overwrite: true - type: keyword - description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/cylance/protect/config/input.yml b/x-pack/filebeat/module/cylance/protect/config/input.yml deleted file mode 100644 index 8a3fc7172e2..00000000000 --- a/x-pack/filebeat/module/cylance/protect/config/input.yml +++ /dev/null 
@@ -1,87 +0,0 @@
-{{ if eq .input "file" }}
-
-type: log
-paths:
- {{ range $i, $path := .paths }}
-- {{$path}}
- {{ end }}
-exclude_files: [".gz$"]
-
-{{ else }}
-
-type: {{.input}}
-host: "{{.syslog_host}}:{{.syslog_port}}"
-
-{{ end }}
-
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
-
-fields_under_root: true
-fields:
- observer:
- vendor: "Cylance"
- product: "Protect"
- type: "Anti-Virus"
-
-processors:
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{.rsa_fields}}
- tz_offset: {{.tz_offset}}
- keep_raw: {{.keep_raw_fields}}
- debug: {{.debug}}
- files:
- - ${path.home}/module/cylance/protect/config/liblogparser.js
- - ${path.home}/module/cylance/protect/config/pipeline.js
-{{ if .community_id }}
-- community_id: ~
-{{ end }}
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: dns.question.name
- target_field: dns.question.registered_domain
- target_subdomain_field: dns.question.subdomain
- target_etld_field: dns.question.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: client.domain
- target_field: client.registered_domain
- target_subdomain_field: client.subdomain
- target_etld_field: client.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: server.domain
- target_field: server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/cylance/protect/config/liblogparser.js b/x-pack/filebeat/module/cylance/protect/config/liblogparser.js
deleted file mode 100644
index b35eaa3ddce..00000000000
--- a/x-pack/filebeat/module/cylance/protect/config/liblogparser.js
+++ /dev/null
@@ -1,2514 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -/* jshint -W014,-W016,-W097,-W116 */ - -var processor = require("processor"); -var console = require("console"); - -var FLAG_FIELD = "log.flags"; -var FIELDS_OBJECT = "nwparser"; -var FIELDS_PREFIX = FIELDS_OBJECT + "."; - -var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true -}; - -var saved_flags = null; -var debug; -var map_ecs; -var map_rsa; -var keep_raw; -var device; -var tz_offset; -var strip_priority; - -// Register params from configuration. -function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); -} - -function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } -} - -function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); -} - -function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); -} - -function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; -} - -function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; -} - -function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; -} - -var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); -})(); - -function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; -} - -function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } -} - -function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; -} - -function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; -} - -function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; -} - -function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; -} - -var start; - -function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); -} - -function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); -} - -function constant(value) { - return function (evt) { - return value; - }; -} - -function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; -} - -function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; -} - -// TODO: Implement -function DIRCHK(args) { - unimplemented("DIRCHK"); -} - -function strictToInt(str) { - return str * 1; -} - -function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - var result; - switch 
(args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; -} - -var quoteChars = "\"'`"; -function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; -} - -function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; -} - -function nop(evt) { -} - -function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); -} - -function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); -} - -function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; -} - -function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); -} - -function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; -} - -function setc(dst, value) { - return function (evt) { - evt.Put(FIELDS_PREFIX + dst, value); - }; 
-} - -function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; -} - -function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; -} - -function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; -} - -function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; -} - -// Make two-digit dates 00-69 interpreted as 2000-2069 -// and dates 70-99 translated to 1970-1999. -var twoDigitYearEpoch = 70; -var twoDigitYearCentury = 2000; - -// This is to accept dates up to 2 days in the future, only used when -// no year is specified in a date. 2 days should be enough to account for -// time differences between systems and different tz offsets. -var maxFutureDelta = 2*24*60*60*1000; - -// DateContainer stores date fields and then converts those fields into -// a Date. Necessary because building a Date using its set() methods gives -// different results depending on the order of components. -function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; -} - -DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } -} - -function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; -} - -function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; -} - -function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; -} - -var uA = 60 * 60 * 24; -var uD = 60 * 60 * 24; -var uF = 60 * 60; -var uG = 60 * 60 * 24 * 30; -var uH = 60 * 60; -var uI = 60 * 60; -var uJ = 60 * 60 * 24; -var uM = 60 * 60 * 24 * 30; -var uN = 60 * 60; -var uO = 1; -var uS = 1; -var uT = 60; -var uU = 60; -var uc = dc; - -function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; -} - -function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 5], - "dec": [11, 4], 
-}; - -// var dC = undefined; -var dR = dateMonthName(true); -var dB = dateMonthName(false); -var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); -var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); -var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); -var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); -var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); -var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 -var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); -var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); -var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); -var dP = parseAMPM; // AM|PM -var dQ = parseAMPM; // A.M.|P.M -var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); -var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); -var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); -var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); -var dZ = parseHMS; -var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - -// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. -// Only works if this modifier appears after the hour has been read from logs -// which is always the case in the 300 devices. 
-function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; -} - -function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); -} - -function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; -} - -function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; -} - -function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; -} - -function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; -} - -function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; -} - -// Short month name (Jan..Dec). -function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; -} - -function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; -} - -// The following regular expression for parsing URLs from: -// https://github.com/wizard04wsu/URI_Parsing -// -// The MIT License (MIT) -// -// Copyright (c) 2014 Andrew Harrison -// -// Permission is hereby granted, free of charge, to any person obtaining a copy of -// this software and associated documentation files (the "Software"), to deal in -// the Software without restriction, including without limitation the rights to -// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -// the Software, and to permit persons to whom the Software is furnished to do so, -// subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
-var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - -var uriScheme = 1; -var uriDomain = 5; -var uriPort = 6; -var uriPath = 7; -var uriPathAlt = 9; -var uriQuery = 11; - -function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); -} - -function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; -} - -function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; -} - -var extFromPage = /\.[^.]+$/; -function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } -} - -function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); -} - -function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); -} - -var pageFromPathRegExp = /\/([^\/]+)$/; -var pageName = 1; - -function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; -} - -function page(dst, src) { - return url_wrapper(dst, src, extract_page); -} - -function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; -} - -function path(dst, src) { - return url_wrapper(dst, src, extract_path); -} - -// Map common schemes to their default port. -// port has to be a string (will be converted at a later stage). 
-var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", -}; - -function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } -} - -function port(dst, src) { - return url_wrapper(dst, src, extract_port); -} - -function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; -} - -function query(dst, src) { - return url_wrapper(dst, src, extract_query); -} - -function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } -} - -function root(dst, src) { - return url_wrapper(dst, src, extract_root); -} - -function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } -} - -var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, -}; - -var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, 
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, -}; - -function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } -} - -// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. -var maxSafeInt = Math.pow(2, 53) - 1; -var minSafeInt = -maxSafeInt; - -function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; -} - -function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); -} - -var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; -var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - -function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; -} - -function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; -} - -function to_double(value) { - return parseFloat(value); -} - -function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; -} - -function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; -} - -function fld_set(dst, value) { - dst[this.field] = { v: value }; -} - -function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } -} - -function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } -} - -var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true -}; - -function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } -} - -function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } -} - -function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); -} - -var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, -]; - -function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - tzOffset = 
evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{fld14->} %{p0}"); - -var dup3 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: AuditLog, Event Name: %{p0}"); - -var dup4 = match("MESSAGE#0:CylancePROTECT:01/1_1", "nwparser.p0", "%{fld5->} Event Type: AuditLog, Event Name: %{p0}"); - -var dup5 = setc("eventcategory","1901000000"); - -var dup6 = setc("vendor_event_cat"," AuditLog"); - -var dup7 = date_time({ - dest: "event_time", - args: ["hdate","htime"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], - ], -}); - -var dup8 = field("event_type"); - -var dup9 = field("event_cat"); - -var dup10 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}"); - -var dup11 = match("MESSAGE#8:CylancePROTECT:09/1_0", "nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}"); - -var dup12 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", "%{fld5->} Event Type: ScriptControl, Event Name: %{p0}"); - -var dup13 = match_copy("MESSAGE#8:CylancePROTECT:09/3_1", "nwparser.p0", "info"); - -var dup14 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}"); - -var dup15 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", "%{fld5->} Event Type: %{p0}"); - -var dup16 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}"); - -var dup17 = match_copy("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "os"); - -var dup18 = date_time({ - dest: "event_time", - args: ["hmonth","hdate","hhour","hmin","hsec"], - fmts: [ - [dB,dF,dN,dU,dO], - ], -}); - -var dup19 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}"); - -var dup20 = constant("1701000000"); - -var dup21 = constant("1804000000"); - -var dup22 = constant("1003010000"); - -var dup23 = linear_select([ - dup3, - dup4, -]); - -var dup24 = lookup({ - dest: "nwparser.event_cat", - 
map: map_getEventLegacyCategory, - key: dup8, -}); - -var dup25 = lookup({ - dest: "nwparser.event_cat_name", - map: map_getEventLegacyCategoryName, - key: dup9, -}); - -var dup26 = linear_select([ - dup11, - dup12, -]); - -var dup27 = linear_select([ - dup14, - dup15, -]); - -var dup28 = linear_select([ - dup16, - dup17, -]); - -var dup29 = linear_select([ - dup19, - dup13, -]); - -var hdr1 = match("HEADER#0:0001", "message", "%{hday}-%{hmonth}-%{hyear->} %{hhour}:%{hmin}:%{hsec->} %{hseverity->} %{hhost->} %{hfld2->} \u003c\u003c%{fld44}>%{hfld3->} %{hdate}T%{htime}.%{hfld4->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ - setc("header_id","0001"), - dup1, -])); - -var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{hdate}T%{htime}.%{hfld2->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ - setc("header_id","0002"), - dup1, -])); - -var hdr3 = match("HEADER#2:0004", "message", "%{hdate}T%{htime}.%{hfld2->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ - setc("header_id","0004"), - dup1, -])); - -var hdr4 = match("HEADER#3:0003", "message", "%{hmonth->} %{hdate->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} CylancePROTECT Event Type:%{vendor_event_cat}, %{payload}", processor_chain([ - setc("header_id","0003"), - dup1, -])); - -var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, -]); - -var part1 = match("MESSAGE#0:CylancePROTECT:01/2", "nwparser.p0", "%{event_type}, Message: S%{p0}"); - -var part2 = match("MESSAGE#0:CylancePROTECT:01/3_0", "nwparser.p0", "ource: %{product}; SHA256: %{p0}"); - -var part3 = match("MESSAGE#0:CylancePROTECT:01/3_1", "nwparser.p0", "HA256: %{p0}"); - -var select2 = linear_select([ - part2, - part3, -]); - -var part4 = match("MESSAGE#0:CylancePROTECT:01/4", "nwparser.p0", "%{checksum}; %{p0}"); - -var part5 = match("MESSAGE#0:CylancePROTECT:01/5_0", "nwparser.p0", "Category: %{category}; Reason: %{p0}"); - -var part6 = match("MESSAGE#0:CylancePROTECT:01/5_1", "nwparser.p0", "Reason: 
%{p0}"); - -var select3 = linear_select([ - part5, - part6, -]); - -var part7 = match("MESSAGE#0:CylancePROTECT:01/6", "nwparser.p0", "%{result}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); - -var all1 = all_match({ - processors: [ - dup2, - dup23, - part1, - select2, - part4, - select3, - part7, - ], - on_success: processor_chain([ - dup5, - dup6, - dup7, - dup24, - dup25, - ]), -}); - -var msg1 = msg("CylancePROTECT:01", all1); - -var part8 = match("MESSAGE#1:CylancePROTECT:02/3_0", "nwparser.p0", "Device: %{node}; SHA256: %{p0}"); - -var part9 = match("MESSAGE#1:CylancePROTECT:02/3_1", "nwparser.p0", "Policy: %{policyname}; SHA256: %{p0}"); - -var select4 = linear_select([ - part8, - part9, -]); - -var part10 = match("MESSAGE#1:CylancePROTECT:02/4_0", "nwparser.p0", "%{checksum}; Category: %{category}, User: %{p0}"); - -var part11 = match("MESSAGE#1:CylancePROTECT:02/4_1", "nwparser.p0", "%{checksum}, User: %{p0}"); - -var select5 = linear_select([ - part10, - part11, -]); - -var part12 = match("MESSAGE#1:CylancePROTECT:02/5", "nwparser.p0", ")%{mail_id->} (%{user_lname->} %{user_fname}"); - -var all2 = all_match({ - processors: [ - dup2, - dup23, - dup10, - select4, - select5, - part12, - ], - on_success: processor_chain([ - dup5, - dup6, - dup7, - dup24, - dup25, - ]), -}); - -var msg2 = msg("CylancePROTECT:02", all2); - -var part13 = match("MESSAGE#2:CylancePROTECT:03/3_0", "nwparser.p0", "Devices: %{node},%{p0}"); - -var part14 = match("MESSAGE#2:CylancePROTECT:03/3_1", "nwparser.p0", "Device: %{node};%{p0}"); - -var part15 = match("MESSAGE#2:CylancePROTECT:03/3_2", "nwparser.p0", "Policy: %{policyname},%{p0}"); - -var select6 = linear_select([ - part13, - part14, - part15, -]); - -var part16 = match("MESSAGE#2:CylancePROTECT:03/4", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id})"); - -var all3 = all_match({ - processors: [ - dup2, - dup23, - dup10, - select6, - part16, - ], - on_success: processor_chain([ - dup5, - dup6, - 
dup7, - dup24, - dup25, - ]), -}); - -var msg3 = msg("CylancePROTECT:03", all3); - -var part17 = match("MESSAGE#3:CylancePROTECT:04/2", "nwparser.p0", "%{event_type}, Message: Zone: %{info}; Policy: %{policyname}; Value: %{fld3}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); - -var all4 = all_match({ - processors: [ - dup2, - dup23, - part17, - ], - on_success: processor_chain([ - dup5, - dup6, - dup7, - dup24, - dup25, - ]), -}); - -var msg4 = msg("CylancePROTECT:04", all4); - -var part18 = match("MESSAGE#4:CylancePROTECT:05/3_0", "nwparser.p0", "Policy Assigned:%{signame}; Devices: %{node->} , User: %{p0}"); - -var part19 = match("MESSAGE#4:CylancePROTECT:05/3_1", "nwparser.p0", "Provider: %{product}, Source IP: %{saddr}, User: %{p0}"); - -var part20 = match("MESSAGE#4:CylancePROTECT:05/3_2", "nwparser.p0", "%{info}, User: %{p0}"); - -var select7 = linear_select([ - part18, - part19, - part20, -]); - -var part21 = match("MESSAGE#4:CylancePROTECT:05/4", "nwparser.p0", "%{user_fname->} %{user_lname->} (%{mail_id})"); - -var all5 = all_match({ - processors: [ - dup2, - dup23, - dup10, - select7, - part21, - ], - on_success: processor_chain([ - dup5, - dup6, - dup7, - dup24, - dup25, - ]), -}); - -var msg5 = msg("CylancePROTECT:05", all5); - -var part22 = match("MESSAGE#5:CylancePROTECT:06/2", "nwparser.p0", "%{event_type}, Message: The Device: %{node->} was auto assigned to the Zone: IP Address: %{p0}"); - -var part23 = match("MESSAGE#5:CylancePROTECT:06/3_0", "nwparser.p0", "Fake Devices, User: %{p0}"); - -var part24 = match("MESSAGE#5:CylancePROTECT:06/3_1", "nwparser.p0", "%{saddr}, User: %{p0}"); - -var select8 = linear_select([ - part23, - part24, -]); - -var part25 = match("MESSAGE#5:CylancePROTECT:06/4_0", "nwparser.p0", "(%{p0}"); - -var part26 = match("MESSAGE#5:CylancePROTECT:06/4_1", "nwparser.p0", "%{user_fname->} %{user_lname->} (%{p0}"); - -var select9 = linear_select([ - part25, - part26, -]); - -var part27 = 
match("MESSAGE#5:CylancePROTECT:06/5", "nwparser.p0", ")%{mail_id}"); - -var all6 = all_match({ - processors: [ - dup2, - dup23, - part22, - select8, - select9, - part27, - ], - on_success: processor_chain([ - dup5, - dup6, - dup7, - dup24, - dup25, - ]), -}); - -var msg6 = msg("CylancePROTECT:06", all6); - -var part28 = match("MESSAGE#6:CylancePROTECT:07/1_0", "nwparser.p0", "[%{fld2}] Event Type: ExploitAttempt, Event Name: %{p0}"); - -var part29 = match("MESSAGE#6:CylancePROTECT:07/1_1", "nwparser.p0", "%{fld5->} Event Type: ExploitAttempt, Event Name: %{p0}"); - -var select10 = linear_select([ - part28, - part29, -]); - -var part30 = match("MESSAGE#6:CylancePROTECT:07/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names: %{info}"); - -var all7 = all_match({ - processors: [ - dup2, - select10, - part30, - ], - on_success: processor_chain([ - dup5, - setc("vendor_event_cat"," ExploitAttempt"), - dup7, - dup24, - dup25, - ]), -}); - -var msg7 = msg("CylancePROTECT:07", all7); - -var part31 = match("MESSAGE#7:CylancePROTECT:08/1_0", "nwparser.p0", "[%{fld2}] Event Type: DeviceControl, Event Name: %{p0}"); - -var part32 = match("MESSAGE#7:CylancePROTECT:08/1_1", "nwparser.p0", "%{fld5->} Event Type: DeviceControl, Event Name: %{p0}"); - -var select11 = linear_select([ - part31, - part32, -]); - -var part33 = match("MESSAGE#7:CylancePROTECT:08/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, External Device Type: %{fld3}, External Device Vendor ID: %{fld18}, External Device Name: %{fld4}, External Device Product ID: %{fld17}, External Device Serial Number: %{serial_number}, Zone Names: %{info}"); - -var all8 = all_match({ - processors: [ - dup2, - select11, - part33, - ], - on_success: processor_chain([ - dup5, - setc("vendor_event_cat"," DeviceControl"), - dup7, - dup24, - dup25, - ]), -}); - -var 
msg8 = msg("CylancePROTECT:08", all8); - -var part34 = match("MESSAGE#8:CylancePROTECT:09/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version->} (%{fld3}), Zone Names: %{p0}"); - -var part35 = match("MESSAGE#8:CylancePROTECT:09/3_0", "nwparser.p0", "%{info}, User Name: %{username}"); - -var select12 = linear_select([ - part35, - dup13, -]); - -var all9 = all_match({ - processors: [ - dup2, - dup26, - part34, - select12, - ], - on_success: processor_chain([ - dup5, - setc("vendor_event_cat"," ScriptControl"), - dup7, - dup24, - dup25, - ]), -}); - -var msg9 = msg("CylancePROTECT:09", all9); - -var part36 = match("MESSAGE#9:CylancePROTECT:10/1_0", "nwparser.p0", "[%{fld2}] Event Type: Threat, Event Name: %{p0}"); - -var part37 = match("MESSAGE#9:CylancePROTECT:10/1_1", "nwparser.p0", "%{fld4->} Event Type: Threat, Event Name: %{p0}"); - -var select13 = linear_select([ - part36, - part37, -]); - -var part38 = match("MESSAGE#9:CylancePROTECT:10/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), File Name: %(unknown), Path: %{directory}, Drive Type: %{fld1}, SHA256: %{checksum}, MD5: %{fld3}, Status: %{event_state}, Cylance Score: %{reputation_num}, Found Date: %{fld5}, File Type: %{filetype}, Is Running: %{fld6}, Auto Run: %{fld7}, Detected By: %{fld8}, Zone Names: %{info}, Is Malware: %{fld10}, Is Unique To Cylance: %{fld11}, Threat Classification: %{sigtype}"); - -var all10 = all_match({ - processors: [ - dup2, - select13, - part38, - ], - on_success: processor_chain([ - dup5, - setc("vendor_event_cat"," Threat"), - dup7, - dup24, - dup25, - ]), -}); - -var msg10 = msg("CylancePROTECT:10", all10); - -var part39 = match("MESSAGE#10:CylancePROTECT:11/1_0", "nwparser.p0", "[%{fld2}] Event Type: AppControl, Event Name: %{p0}"); - -var part40 = match("MESSAGE#10:CylancePROTECT:11/1_1", "nwparser.p0", "%{fld5->} Event Type: AppControl, Event Name: 
%{p0}"); - -var select14 = linear_select([ - part39, - part40, -]); - -var part41 = match("MESSAGE#10:CylancePROTECT:11/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Action Type: %{fld3}, File Path: %{directory}, SHA256: %{checksum}, Zone Names: %{info}"); - -var all11 = all_match({ - processors: [ - dup2, - select14, - part41, - ], - on_success: processor_chain([ - dup5, - setc("vendor_event_cat"," AppControl"), - dup24, - dup25, - ]), -}); - -var msg11 = msg("CylancePROTECT:11", all11); - -var part42 = match("MESSAGE#11:CylancePROTECT:15/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Threat Class: %{sigtype}, Threat Subclass: %{fld7}, SHA256: %{checksum}, MD5: %{fld8}"); - -var all12 = all_match({ - processors: [ - dup2, - dup27, - part42, - ], - on_success: processor_chain([ - dup5, - dup7, - dup24, - dup25, - ]), -}); - -var msg12 = msg("CylancePROTECT:15", all12); - -var part43 = match("MESSAGE#12:CylancePROTECT:14/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Names: (%{node}), Policy Name: %{policyname}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); - -var all13 = all_match({ - processors: [ - dup2, - dup27, - part43, - ], - on_success: processor_chain([ - dup5, - dup7, - dup24, - dup25, - ]), -}); - -var msg13 = msg("CylancePROTECT:14", all13); - -var part44 = match("MESSAGE#13:CylancePROTECT:13/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld6}, IP Address: (%{saddr}, %{fld15}), MAC Address: (%{macaddr}, %{fld16}), Logged On Users: (%{username}), OS: %{p0}"); - -var all14 = all_match({ - processors: [ - dup2, - dup27, - part44, - dup28, - ], - on_success: processor_chain([ - dup5, - dup7, - dup24, - dup25, - ]), -}); - -var msg14 = msg("CylancePROTECT:13", all14); - -var part45 = match("MESSAGE#14:CylancePROTECT:16/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, 
Device Name: %{node}, Agent Version: %{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS: %{p0}"); - -var all15 = all_match({ - processors: [ - dup2, - dup27, - part45, - dup28, - ], - on_success: processor_chain([ - dup5, - dup7, - dup24, - dup25, - ]), -}); - -var msg15 = msg("CylancePROTECT:16", all15); - -var part46 = match("MESSAGE#15:CylancePROTECT:25/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version}, Zone Names: %{info}, User Name: %{username}"); - -var all16 = all_match({ - processors: [ - dup2, - dup26, - part46, - ], - on_success: processor_chain([ - dup5, - dup7, - dup24, - dup25, - ]), -}); - -var msg16 = msg("CylancePROTECT:25", all16); - -var part47 = match("MESSAGE#16:CylancePROTECT:12/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, %{p0}"); - -var part48 = match("MESSAGE#16:CylancePROTECT:12/3_0", "nwparser.p0", "Device Name: %{node}, Zone Names:%{info}"); - -var part49 = match("MESSAGE#16:CylancePROTECT:12/3_1", "nwparser.p0", "Device Name: %{node}"); - -var part50 = match_copy("MESSAGE#16:CylancePROTECT:12/3_2", "nwparser.p0", "fld1"); - -var select15 = linear_select([ - part48, - part49, - part50, -]); - -var all17 = all_match({ - processors: [ - dup2, - dup27, - part47, - select15, - ], - on_success: processor_chain([ - dup5, - dup7, - dup24, - dup25, - ]), -}); - -var msg17 = msg("CylancePROTECT:12", all17); - -var part51 = match("MESSAGE#17:CylancePROTECT:17/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, File Path:%(unknown), Interpreter:%{application}, Interpreter Version:%{version}, Zone Names:%{info}, User Name: %{p0}"); - -var part52 = match("MESSAGE#17:CylancePROTECT:17/1_0", "nwparser.p0", "%{username}, Device Id: %{fld3}, Policy Name: %{policyname}"); - -var part53 = match_copy("MESSAGE#17:CylancePROTECT:17/1_1", "nwparser.p0", "username"); - -var select16 = 
linear_select([ - part52, - part53, -]); - -var all18 = all_match({ - processors: [ - part51, - select16, - ], - on_success: processor_chain([ - dup5, - dup18, - dup24, - dup25, - ]), -}); - -var msg18 = msg("CylancePROTECT:17", all18); - -var part54 = match("MESSAGE#18:CylancePROTECT:18", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, Agent Version:%{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS:%{os}, Zone Names:%{info}", processor_chain([ - dup5, - dup18, - dup24, - dup25, -])); - -var msg19 = msg("CylancePROTECT:18", part54); - -var part55 = match("MESSAGE#19:CylancePROTECT:19/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, External Device Type:%{device}, External Device Vendor ID:%{fld2}, External Device Name:%{fld3}, External Device Product ID:%{fld4}, External Device Serial Number:%{serial_number}, Zone Names:%{p0}"); - -var part56 = match("MESSAGE#19:CylancePROTECT:19/1_0", "nwparser.p0", "%{info}, Device Id: %{fld5}, Policy Name: %{policyname}"); - -var select17 = linear_select([ - part56, - dup13, -]); - -var all19 = all_match({ - processors: [ - part55, - select17, - ], - on_success: processor_chain([ - dup5, - dup18, - dup24, - dup25, - ]), -}); - -var msg20 = msg("CylancePROTECT:19", all19); - -var part57 = match("MESSAGE#20:CylancePROTECT:20/0", "nwparser.payload", "Event Name:%{event_type}, Message: %{p0}"); - -var part58 = match("MESSAGE#20:CylancePROTECT:20/1_0", "nwparser.p0", "The Device%{p0}"); - -var part59 = match("MESSAGE#20:CylancePROTECT:20/1_1", "nwparser.p0", "Device%{p0}"); - -var select18 = linear_select([ - part58, - part59, -]); - -var part60 = match("MESSAGE#20:CylancePROTECT:20/2", "nwparser.p0", ":%{node}was auto assigned to%{p0}"); - -var part61 = match("MESSAGE#20:CylancePROTECT:20/3_0", "nwparser.p0", " the%{p0}"); - -var part62 = match_copy("MESSAGE#20:CylancePROTECT:20/3_1", "nwparser.p0", "p0"); - -var select19 = linear_select([ - 
part61, - part62, -]); - -var part63 = match("MESSAGE#20:CylancePROTECT:20/4", "nwparser.p0", "%{}Zone:%{zone}, User:%{user_fname}"); - -var all20 = all_match({ - processors: [ - part57, - select18, - part60, - select19, - part63, - ], - on_success: processor_chain([ - dup5, - dup18, - dup24, - dup25, - ]), -}); - -var msg21 = msg("CylancePROTECT:20", all20); - -var part64 = match("MESSAGE#21:CylancePROTECT:21", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, IP Address: (%{saddr}), File Name:%(unknown), Path:%{directory}, Drive Type:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}, Status:%{event_state}, Cylance Score:%{fld4}, Found Date:%{fld51}, File Type:%{fld6}, Is Running:%{fld7}, Auto Run:%{fld8}, Detected By:%{fld9}, Zone Names: (%{info}), Is Malware:%{fld10}, Is Unique To Cylance:%{fld11}, Threat Classification:%{sigtype}", processor_chain([ - dup5, - dup18, - dup24, - dup25, - date_time({ - dest: "effective_time", - args: ["fld51"], - fmts: [ - [dG,dc("/"),dF,dc("/"),dW,dN,dc(":"),dU,dc(":"),dO,dQ], - ], - }), -])); - -var msg22 = msg("CylancePROTECT:21", part64); - -var part65 = match("MESSAGE#22:CylancePROTECT:22/0", "nwparser.payload", "Event Name:%{p0}"); - -var part66 = match("MESSAGE#22:CylancePROTECT:22/1_0", "nwparser.p0", " %{event_type}, Device Name: %{device}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names:%{p0}"); - -var part67 = match("MESSAGE#22:CylancePROTECT:22/1_1", "nwparser.p0", "%{event_type}, Device Name:%{node}, Zone Names:%{p0}"); - -var select20 = linear_select([ - part66, - part67, -]); - -var all21 = all_match({ - processors: [ - part65, - select20, - dup29, - ], - on_success: processor_chain([ - dup5, - dup18, - dup24, - dup25, - ]), -}); - -var msg23 = msg("CylancePROTECT:22", all21); - -var part68 = match("MESSAGE#23:CylancePROTECT:23", "nwparser.payload", "Event Name:%{event_type}, Threat 
Class:%{sigtype}, Threat Subclass:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}", processor_chain([ - dup5, - dup18, - dup24, - dup25, -])); - -var msg24 = msg("CylancePROTECT:23", part68); - -var part69 = match("MESSAGE#24:CylancePROTECT:24/0", "nwparser.payload", "Event Name:%{event_type}, Message: Provider:%{fld3}, Source IP:%{saddr}, User: %{user_fname->} %{user_lname->} (%{mail_id})%{p0}"); - -var part70 = match("MESSAGE#24:CylancePROTECT:24/1_0", "nwparser.p0", "#015%{}"); - -var part71 = match_copy("MESSAGE#24:CylancePROTECT:24/1_1", "nwparser.p0", ""); - -var select21 = linear_select([ - part70, - part71, -]); - -var all22 = all_match({ - processors: [ - part69, - select21, - ], - on_success: processor_chain([ - dup5, - dup18, - dup24, - dup25, - ]), -}); - -var msg25 = msg("CylancePROTECT:24", all22); - -var part72 = match("MESSAGE#25:CylancePROTECT:26/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Policy Changed: %{fld4->} to '%{policyname}', User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}"); - -var all23 = all_match({ - processors: [ - part72, - dup29, - ], - on_success: processor_chain([ - dup5, - dup18, - dup24, - dup25, - ]), -}); - -var msg26 = msg("CylancePROTECT:26", all23); - -var part73 = match("MESSAGE#26:CylancePROTECT:27/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Zones Removed: %{p0}"); - -var part74 = match("MESSAGE#26:CylancePROTECT:27/1_0", "nwparser.p0", "%{fld4}; Zones Added: %{fld5},%{p0}"); - -var part75 = match("MESSAGE#26:CylancePROTECT:27/1_1", "nwparser.p0", "%{fld4},%{p0}"); - -var select22 = linear_select([ - part74, - part75, -]); - -var part76 = match("MESSAGE#26:CylancePROTECT:27/2", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}"); - -var part77 = match("MESSAGE#26:CylancePROTECT:27/3_0", "nwparser.p0", "%{info->} Device Id: %{fld3}"); - -var select23 = linear_select([ - part77, - dup13, 
-]); - -var all24 = all_match({ - processors: [ - part73, - select22, - part76, - select23, - ], - on_success: processor_chain([ - dup5, - dup18, - dup24, - dup25, - ]), -}); - -var msg27 = msg("CylancePROTECT:27", all24); - -var part78 = match("MESSAGE#27:CylancePROTECT:28/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device->} %{p0}"); - -var part79 = match("MESSAGE#27:CylancePROTECT:28/1_0", "nwparser.p0", "Agent Self Protection Level Changed: '%{change_old}' to '%{change_new}', User: %{p0}"); - -var part80 = match("MESSAGE#27:CylancePROTECT:28/1_1", "nwparser.p0", "User: %{p0}"); - -var select24 = linear_select([ - part79, - part80, -]); - -var part81 = match("MESSAGE#27:CylancePROTECT:28/2", "nwparser.p0", "),%{mail_id->} (%{user_lname->} %{user_fname->} Zone Names: %{info->} Device Id: %{fld3}"); - -var all25 = all_match({ - processors: [ - part78, - select24, - part81, - ], - on_success: processor_chain([ - dup5, - dup18, - dup24, - dup25, - ]), -}); - -var msg28 = msg("CylancePROTECT:28", all25); - -var select25 = linear_select([ - msg1, - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - msg18, - msg19, - msg20, - msg21, - msg22, - msg23, - msg24, - msg25, - msg26, - msg27, - msg28, -]); - -var chain1 = processor_chain([ - select1, - msgid_select({ - "CylancePROTECT": select25, - }), -]); - -var part82 = match("MESSAGE#0:CylancePROTECT:01/0", "nwparser.payload", "%{fld13->} %{fld14->} %{p0}"); - -var part83 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: AuditLog, Event Name: %{p0}"); - -var part84 = match("MESSAGE#0:CylancePROTECT:01/1_1", "nwparser.p0", "%{fld5->} Event Type: AuditLog, Event Name: %{p0}"); - -var part85 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}"); - -var part86 = match("MESSAGE#8:CylancePROTECT:09/1_0", "nwparser.p0", "[%{fld2}] Event Type: 
ScriptControl, Event Name: %{p0}"); - -var part87 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", "%{fld5->} Event Type: ScriptControl, Event Name: %{p0}"); - -var part88 = match_copy("MESSAGE#8:CylancePROTECT:09/3_1", "nwparser.p0", "info"); - -var part89 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}"); - -var part90 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", "%{fld5->} Event Type: %{p0}"); - -var part91 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}"); - -var part92 = match_copy("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "os"); - -var part93 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}"); - -var select26 = linear_select([ - dup3, - dup4, -]); - -var select27 = linear_select([ - dup11, - dup12, -]); - -var select28 = linear_select([ - dup14, - dup15, -]); - -var select29 = linear_select([ - dup16, - dup17, -]); - -var select30 = linear_select([ - dup19, - dup13, -]); diff --git a/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml b/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml deleted file mode 100644 index a3b09859d58..00000000000 --- a/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml +++ /dev/null 
@@ -1,64 +0,0 @@
----
-description: Pipeline for CylanceProtect
-
-processors:
- # ECS event.ingested
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
- # User agent
- - user_agent:
- field: user_agent.original
- ignore_missing: true
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
-
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - append:
- field: related.hosts
- value: '{{host.name}}'
- allow_duplicates: false
- if: ctx.host?.name != null && ctx.host?.name != ''
-on_failure:
- - append:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/cylance/protect/manifest.yml b/x-pack/filebeat/module/cylance/protect/manifest.yml
deleted file mode 100644
index 58c1bc077be..00000000000
--- a/x-pack/filebeat/module/cylance/protect/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-module_version: "1.0"
-
-var:
- - name: paths
- - name: tags
- default: ["cylance.protect", "forwarded"]
- - name: syslog_host
- default: localhost
- - name: syslog_port
- default: 9529
- - name: input
- default: udp
- - name: community_id
- default: true
- - name: tz_offset
- default: local
- - name: rsa_fields
- default: true
- - name: keep_raw_fields
- default: false
- - name: debug
- default: false
-
-ingest_pipeline: ingest/pipeline.yml
-input: config/input.yml
-
-requires.processors:
-- name: geoip
- plugin: ingest-geoip
-- name: user_agent
- plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/cylance/protect/test/generated.log b/x-pack/filebeat/module/cylance/protect/test/generated.log
deleted file mode 100644
index 2649c0b66f4..00000000000
--- a/x-pack/filebeat/module/cylance/protect/test/generated.log
+++ /dev/null
@@ -1,100 +0,0 @@ -29-January-2016 06:09:59 high boNemoe4402.www.invalid dolore <abo 2016-1-29T6:09:59.squira nostrud4819.mail.test CylancePROTECT mqui nci [billoi] Event Type: AuditLog, Event Name: ZoneAdd, Message: Policy Assigned:orev; Devices: pisciv , User: uii umexe (estlabo) -2016-2-12T1:12:33.olupt volup208.invalid CylancePROTECT eosquir orsi [nulapari] Event Type: AuditLog, Event Name: LoginSuccess, Message: Devices: vol, User: luptat isiutal (moenimi) -26-Feb-2016 8:15:08 very-high anonnu410.internal.home aqu <squame 26T20:15:08.ntex eius6159.www5.localhost CylancePROTECT Event Name:Alert, Device Message: Device: aer User: ),lupt (tia oloremqu Zone Names: temvel Device Id: iatu -2016-3-12T3:17:42.ceroinBC ratvolup497.www.corp CylancePROTECT ionofde con [uia] Event Type: AuditLog, Event Name: SystemSecurity, Message: ommodic, User: mipsu consec (taliquip) -2016-3-26T10:20:16.gelit tatno5625.api.local CylancePROTECT taev roidents [oluptas] Event Type: AuditLog, Event Name: Alert, Message: Source: taliqu; SHA256: ommod; Reason: failure, User: tur aperi (iveli) -uatDuis 2016-4-9T5:22:51.ude maveniam1399.mail.lan CylancePROTECT siutaliq exercit [tempor] Event Type: omnis, Event Name: SystemSecurity, Device Name: eip, Agent Version: lupta, IP Address: (10.124.61.119), MAC Address: (01:00:5e:dc:bb:8b), Logged On Users: (occ), OS: ect Zone Names: reetdolo -24-Apr-2016 12:25:25 low lor340.mail.local natura <ima 24T00:25:25.tanimi nimadmin6499.local CylancePROTECT Event Name:Device Policy Assigned, Device Message: Device: dexe User: ),urerep (aquaeab liqu Zone Names: lorem Device Id: emq -ari 2016-5-8T7:27:59.equun suntinc4934.www5.test CylancePROTECT ipis gelits [tatevel] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Policy: uptatev; SHA256: uovol, User: )dmi (olab mquisnos -22-May-2016 14:30:33 medium tvol457.internal.local inim <roinBCSe 2016-5-22T2:30:33.onse tae1382.mail.localhost CylancePROTECT oluptate ofdeF tion Event Type: orsitame, Event Name: 
threat_quarantined, Threat Class: lit, Threat Subclass: iam, SHA256: qua, MD5: umdo -2016-6-5T9:33:08.eniam reetdolo2451.www.example CylancePROTECT rumet oll [erc] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: llam, File Path: aspern, Interpreter: itlabori, Interpreter Version: 1.2344, Zone Names: ollit, User Name: usan -olo 2016-6-20T4:35:42.uaera sitas4259.mail.corp CylancePROTECT atquovo iumto aboreetd Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Zone: dun; Policy: enim; Value: saute, User: vel quu (undeo) -2016-7-4T11:38:16.isqu uis7612.www5.domain CylancePROTECT llumquid tation [ips] Event Type: emeumfug, Event Name: Registration, emporinc -cup 2016-7-18T6:40:50.boNemoen uid7309.api.domain CylancePROTECT uradi aborumSe luptat Event Type: AuditLog, Event Name: SyslogSettingsSave, Message: Policy: antiumto, User: strude ctetura (usmod) -2-Aug-2016 1:43:25 high fugit7668.www5.invalid lupt <qua 2T01:43:25.luptatev admi3749.api.lan CylancePROTECT Event Name:DeviceRemove, Device Message: Device: tinvol; Zones Removed: dolore; Zones Added: abor, User: iqui etc (etM), Zone Names:nimadmin Device Id: ditautfu -2016-8-16T8:45:59.ostr rudexerc703.internal.host CylancePROTECT itaut imaven [liqua] Event Type: ScriptControl, Event Name: fullaccess, Device Name: onproide, File Path: Nemoen, Interpreter: tfug, Interpreter Version: 1.5383 (ccu), Zone Names: urE, User Name: isaute -eomnisis 2016-8-30T3:48:33.mqui civeli370.www5.local CylancePROTECT sunt stl tdolorem Event Type: AuditLog, Event Name: Alert, Message: The Device: picia was auto assigned to the Zone: IP Address: Fake Devices, User: mUtenima emaperi ()tame -September 2016/09/13 22:51:07 ivelits712.api.example CylancePROTECT Event Type: AppControl, etdolo inv [agnaali] Event Type: AppControl, Event Name: threat_found, Device Name: sequatur, IP Address: (10.199.98.186), Action: cancel, Action Type: nihi, File Path: Lor, SHA256: itecto, Zone Names: erc -olupt 2016-9-28T5:53:42.modoco 
estqu1709.internal.example CylancePROTECT ostrume molest [upt] Event Type: Threat, Event Name: LoginSuccess, Device Name: uasia, IP Address: (10.64.70.5), File Name: ici, Path: giatquov, Drive Type: eritquii, SHA256: dexeac, MD5: iscinge, Status: atvol, Cylance Score: 145.898000, Found Date: uames, File Type: tati, Is Running: utaliqu, Auto Run: oriosamn, Detected By: deFinibu, Zone Names: iadese, Is Malware: imidest, Is Unique To Cylance: emagnama, Threat Classification: eprehend -2016-10-12T12:56:16.suntinc xeac7155.www.localdomain CylancePROTECT taliq intoccae [ents] Event Type: pida, Event Name: Alert, Device Name: idolor, Agent Version: emeumfu, IP Address: (10.143.239.210), MAC Address: (01:00:5e:93:1c:9f), Logged On Users: (oinBCSe), OS: mnisist Zone Names: sedd -ipitla 2016-10-26T7:58:50.quae maccusa5126.api.domain CylancePROTECT idex xerci [aqu] Event Type: ExploitAttempt, Event Name: Alert, Device Name: olorema, IP Address: (10.32.143.134), Action: accept, Process ID: 2289, Process Name: aliqu.exe, User Name: olupta, Violation Type: mipsumd, Zone Names: eFinib -10-Nov-2016 3:01:24 low eav3687.internal.local siar <iamquis 10T03:01:24.quirat llu4718.localhost CylancePROTECT Event Name:DeviceEdit, Device Name:conseq, External Device Type:oidentsu, External Device Vendor ID:atiset, External Device Name:atu, External Device Product ID:umexerci, External Device Serial Number:ern, Zone Names:psaquae -Nov 24 10:03:59 doloremi7402.www.test CylancePROTECT Event Type:stquidol, Event Name:DeviceRemove, Device Message: Device: leumiu; Policy Changed: namali to 'taevit', User: rinrepre etconse (tincu), Zone Names:ari, Device Id: exercit -8-December-2016 17:06:33 very-high occae1180.internal.localhost aquaeabi <adeseru 2016-12-8T5:06:33.emoe eaq908.api.home CylancePROTECT itame intoc [oluptas] Event Type: tNequepo, Event Name: ZoneAddDevice, Device Name: luptasn, Zone Names:equat -ihilmole 2016-12-23T12:09:07.eriamea amre146.mail.host CylancePROTECT pisciv iquidex 
radipisc Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Policy: nti; SHA256: abi; Category: sectetur, User: )uioffi (oru temqu -ommodico 2017-1-6T7:11:41.quatD mcolab379.internal.home CylancePROTECT tsedqu agnid [proide] Event Type: ScriptControl, Event Name: DeviceRemove, Device Name: tper, File Path: olor, Interpreter: Neque, Interpreter Version: 1.4129 (xerc), Zone Names: iutali, User Name: fdeFi -Jan 20 2:14:16 tasuntex5037.www.corp CylancePROTECT Event Type:boN, Event Name:threat_quarantined, Device Name:ectio, Agent Version:dutper, IP Address: (10.237.205.140), MAC Address: (01:00:5e:3f:c4:6c), Logged On Users: (uames), OS:iduntu, Zone Names:veniam -3-Feb-2017 9:16:50 very-high reme622.mail.example isnisiu <tsu 3T21:16:50.tcons sciun4694.api.lan CylancePROTECT Event Name:LoginSuccess, Device Message: Device: nsect User: ),idata (rumwritt magnid Zone Names: enderit Device Id: untex -paquioff 2017-2-18T4:19:24.mquisnos maven3758.www.invalid CylancePROTECT labor didunt uptatema Event Type: ExploitAttempt, Event Name: DeviceEdit, Device Name: udan, IP Address: (10.74.104.215), Action: cancel, Process ID: 7410, Process Name: mveleu.exe, User Name: nofdeFin, Violation Type: sequam, Zone Names: temvel -4-Mar-2017 11:21:59 medium tvolu3997.mail.home eiu <autfu 4T11:21:59.gnaaliq mni7200.mail.localdomain CylancePROTECT Event Name:pechange, Device Name:idolor, Zone Names:uisau, Device Id: eleum -Mar 18 6:24:33 ate4627.localdomain CylancePROTECT Event Type:officiad, Event Name:Device Policy Assigned, Message: The Device:quinescwas auto assigned to Zone:madmi, User:tur -2-April-2017 01:27:07 very-high orem6702.invalid tev <ntocca 2017-4-2T1:27:07.ostru ntoccae1705.internal.invalid CylancePROTECT temquiav equatu [upta] Event Type: ScriptControl, Event Name: Alert, Device Name: sBon, File Path: orro, Interpreter: tae, Interpreter Version: 1.3212, Zone Names: tlab, User Name: aperiame -16-Apr-2017 8:29:41 high tobea2364.internal.localhost itinvol <fugiatn 
16T08:29:41.docon etconsec6708.internal.invalid CylancePROTECT Event Name:PolicyAdd, Device Name:ersp, External Device Type:tquov, External Device Vendor ID:diconseq, External Device Name:inven, External Device Product ID:osquira, External Device Serial Number:tes, Zone Names:mquame -2017-4-30T3:32:16.squirati Sedutp7428.internal.home CylancePROTECT utlabor itessequ [porro] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: iquipe; Policy: itempor; Value: quin, User: upida tvolupt (eufugi) -uamni 2017-5-14T10:34:50.ctet ati4639.www5.home CylancePROTECT archite loreme [untu] Event Type: AuditLog, Event Name: Alert, Message: Device: ven; User: con nisist (usmodte) -2017-5-29T5:37:24.eturadi torever662.www5.home CylancePROTECT quam sumdolor [meaqueip] Event Type: AuditLog, Event Name: PolicyAdd, Message: The Device: pexe was auto assigned to the Zone: IP Address: 10.70.168.240, User: amcol adeser ()oin -12-June-2017 12:39:58 medium meius3932.internal.example ccaeca <uptate 2017-6-12T12:39:58.amc cusant1701.api.localdomain CylancePROTECT siutaliq dutp psaquaea Event Type: taevita, Event Name: DeviceRemove, Device Name: siut, Agent Version: tconsect, IP Address: (10.190.175.158), MAC Address: (01:00:5e:45:8b:97), Logged On Users: (ditemp), OS: edqui -26-June-2017 19:42:33 very-high rnatu2805.www.home enderi <odoconse 2017-6-26T7:42:33.quamqua eacommod1930.internal.lan CylancePROTECT tpersp stla uptatema Event Type: AuditLog, Event Name: fullaccess, Message: Device: uradi; SHA256: tot; Category: llamco, User: )nea (psum tasnulap -2017-7-11T2:45:07.oremipsu emeumfug4387.internal.lan CylancePROTECT uidol litani [utodita] Event Type: AuditLog, Event Name: Alert, Message: Device: untincul; SHA256: iduntu, User: )ccaeca (niamq lapariat -uat 2017-7-25T9:47:41.tiaec rumwrit764.www5.local CylancePROTECT edquiac urerepr [eseru] Event Type: DeviceControl, Event Name: DeviceRemove, Device Name: etMal, External Device Type: qua, External Device Vendor ID: rsita, External 
Device Name: ate, External Device Product ID: ipsamvo, External Device Serial Number: onula, Zone Names: miu -Aug 8 4:50:15 mex2054.mail.corp CylancePROTECT Event Type:luptat, Event Name:SyslogSettingsSave, Message: Provider:ica, Source IP:10.13.66.97, User: dicta taedicta (ritt)#015 -2017-8-22T11:52:50.dictasun veniamqu7284.mail.invalid CylancePROTECT nte mvel nof Event Type: AuditLog, Event Name: DeviceEdit, Message: The Device: tetur was auto assigned to the Zone: IP Address: Fake Devices, User: ()xce -6-September-2017 06:55:24 high isiu5733.api.domain etdolor <xeaco 2017-9-6T6:55:24.nvolupt oremi1485.api.localhost CylancePROTECT iosa boNemoe [onsequ] Event Type: AuditLog, Event Name: threat_quarantined, Message: SHA256: amvolupt; Reason: success, User: atisund xea (ites) -eri 2017-9-20T1:57:58.quunt olori416.api.test CylancePROTECT elit cidunt plica Event Type: ExploitAttempt, Event Name: Alert, Device Name: exeaco, IP Address: (10.31.190.145), Action: cancel, Process ID: 5530, Process Name: accusant.exe, User Name: onse, Violation Type: admin, Zone Names: stenatu -4-Oct-2017 9:00:32 high nvol6269.internal.local tla <nimid 4T21:00:32.dat periam126.api.host CylancePROTECT Event Name:threat_found, Threat Class:rExc, Threat Subclass:iusmo, SHA256:tame, MD5:naaliq -19-October-2017 04:03:07 medium toccaec7645.www5.home psaqua <itationu 2017-10-19T4:03:07.proident maliquam2147.internal.home CylancePROTECT lores ritati orisni Event Type: DeviceControl, Event Name: PolicyAdd, Device Name: estl, External Device Type: sitam, External Device Vendor ID: orem, External Device Name: rcit, External Device Product ID: llamco, External Device Serial Number: atu, Zone Names: untincul -iuntNe 2017-11-2T11:05:41.atise tate6578.api.localdomain CylancePROTECT emvele isnost [olorem] Event Type: Threat, Event Name: PolicyAdd, Device Name: yCiceroi, IP Address: (10.252.165.146), File Name: iquamqua, Path: sit, Drive Type: rumSect, SHA256: ita, MD5: vitaed, Status: exeaco, Cylance 
Score: 51.523000, Found Date: mven, File Type: olorsit, Is Running: tore, Auto Run: elits, Detected By: consequa, Zone Names: turadip, Is Malware: tatevel, Is Unique To Cylance: boreetdo, Threat Classification: undeom -2017-11-16T6:08:15.uov itlab6956.mail.local CylancePROTECT loremqu tetur amvo Event Type: siuta, Event Name: threat_changed, Device Name: ommodo, Agent Version: uptat, IP Address: (10.105.46.101, tatione), MAC Address: (01:00:5e:de:32:2c, ori), Logged On Users: (tconsect), OS: rum -2017-12-1T1:10:49.ugiatn midestl1919.host CylancePROTECT cingel modocon [ipsu] Event Type: ntNeq, Event Name: Device Policy Assigned, Device Name: aUt, Agent Version: boNem, IP Address: (10.124.88.222), MAC Address: (01:00:5e:f9:78:c2), Logged On Users: (onu), OS: liquaUte -ria 2017-12-15T8:13:24.atDu nsec923.internal.local CylancePROTECT agnaaliq tlaboree norumet Event Type: ExploitAttempt, Event Name: DeviceEdit, Device Name: mod, IP Address: (10.28.120.149), Action: deny, Process ID: 3916, Process Name: tinvolup.exe, User Name: tsed, Violation Type: inv, Zone Names: rroq -2017-12-29T3:15:58.mipsamvo eiusmod3517.internal.invalid CylancePROTECT oreveri ehende [eaqueip] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Device: olup; SHA256: labor, User: )dol (sciun metcons -12-January-2018 22:18:32 high asnu3806.api.lan tamet <ationul 2018/01/12T22:18:32.mquisn queips4947.mail.example CylancePROTECT molestia quir eavolup Event Type: AppControl, Event Name: Registration, Device Name: labore, IP Address: (10.165.16.231), Action: accept, Action Type: uto, File Path: iuntNequ, SHA256: esseq, Zone Names: aincidun -27-January-2018 05:21:06 low oloreseo5039.test derit <dolor 2018-1-27T5:21:06.econs ntexpl3889.www.home CylancePROTECT yCic nder [mdolore] Event Type: Cic, Event Name: DeviceRemove, Device Name: saqu, Agent Version: iscive, IP Address: (10.156.34.19), MAC Address: (01:00:5e:54:ab:3f), Logged On Users: (imveni), OS: ariaturE Zone Names: stquid -ree 
2018-2-10T12:23:41.saquaea ation6657.www.home CylancePROTECT iatqu lorsi repreh Event Type: AuditLog, Event Name: Registration, Message: sitamet, User: utlabo tetur (tionula) -24-Feb-2018 7:26:15 very-high idolor3916.www5.home tas <tasun 24T19:26:15.duntutla ntium4450.www5.localdomain CylancePROTECT Event Name:DeviceRemove, Device Name:vol, Agent Version:oremquel, IP Address: (10.22.94.10), MAC Address: (01:00:5e:ee:e8:77), Logged On Users: (ssusci), OS:animid, Zone Names:mpo -llam 2018-3-11T2:28:49.cti aparia1179.www.localdomain CylancePROTECT rever ore offici Event Type: AuditLog, Event Name: DeviceEdit, Message: Devices: metco, User: acom ceroinB (nim) -25-March-2018 09:31:24 medium taliqui5348.mail.localdomain loremag <iatqu 2018-3-25T9:31:24.inBCSedu erspi5757.local CylancePROTECT suntex iacons [occaec] Event Type: DeviceControl, Event Name: LoginSuccess, Device Name: uov, External Device Type: quaeab, External Device Vendor ID: fici, External Device Name: imve, External Device Product ID: quide, External Device Serial Number: quaU, Zone Names: undeomni -liquid 2018-4-8T4:33:58.enim Finibus1411.www5.corp CylancePROTECT xea taed umdolo Event Type: AuditLog, Event Name: fullaccess, Message: Policy Assigned:rroqu; Devices: dquiaco , User: nibus vitaed (ser) -Apr 22 11:36:32 upt7879.www5.example CylancePROTECT Event Type:idolo, Event Name:threat_found, Device Message: Device: edolo; Zones Removed: ugiatquo; Zones Added: ntium, User: uptate lloinven (econs), Zone Names:lmolesti Device Id: apariatu -May 2018/05/07 06:39:06 erspi4926.www5.test CylancePROTECT Event Type: AppControl, incidid quin [autemv] Event Type: AppControl, Event Name: PolicyAdd, Device Name: fugits, IP Address: (10.153.34.43), Action: allow, Action Type: acommo, File Path: isi, SHA256: culpaq, Zone Names: saute -2018-5-21T1:41:41.abor magnid3343.home CylancePROTECT tesseq niam [pernat] Event Type: DeviceControl, Event Name: threat_found, Device Name: gitse, External Device Type: ugitse, External 
Device Vendor ID: quiineav, External Device Name: billoinv, External Device Product ID: sci, External Device Serial Number: col, Zone Names: obea -4-Jun-2018 8:44:15 high uptatem4483.localhost inrepr <umdolors 4T20:44:15.dolori asperna7623.www.home CylancePROTECT Event Name:ThreatUpdated, Message: Device:dexewas auto assigned to Zone:tat, User:onproide -riosa 2018-6-19T3:46:49.tNe pisc3553.internal.home CylancePROTECT rautod olest eataev Event Type: ExploitAttempt, Event Name: DeviceEdit, Device Name: ritati, IP Address: (10.43.110.203), Action: allow, Process ID: 1359, Process Name: nim.exe, User Name: ame, Violation Type: amvolu, Zone Names: mip -3-July-2018 10:49:23 medium iame4937.local tiumd <mexer 2018/07/03T10:49:23.estla uipexe7153.api.corp CylancePROTECT saqu remips illoi Event Type: AppControl, Event Name: ZoneAdd, Device Name: abori, IP Address: (10.127.20.244), Action: block, Action Type: uelauda, File Path: ema, SHA256: odi, Zone Names: ptatems -nde 2018-7-17T5:51:58.abillo undeom845.www5.example CylancePROTECT quaer eetdo [tlab] Event Type: ScriptControl, Event Name: LoginSuccess, Device Name: liq, File Path: seddoeiu, Interpreter: nse, Interpreter Version: 1.3421, Zone Names: quira, User Name: tassita -Aug 1 12:54:32 atis6201.internal.invalid CylancePROTECT Event Type:nisiut, Event Name:threat_changed, Message: Device:quirawas auto assigned to Zone:rror, User:tatema -15-August-2018 07:57:06 low tperspic7591.www.lan ict <tem 2018-8-15T7:57:06.mestq ura675.mail.localdomain CylancePROTECT eleumiu uei Nequepo Event Type: DeviceControl, Event Name: DeviceRemove, Device Name: seddo, External Device Type: uam, External Device Vendor ID: orumSec, External Device Name: nisiuta, External Device Product ID: stiaecon, External Device Serial Number: dol, Zone Names: sumquiad -29-August-2018 14:59:40 high oeni179.api.localhost gna <lumqu 2018-8-29T2:59:40.onulamco ons5050.mail.test CylancePROTECT unt tass [tiumdol] Event Type: Threat, Event Name: 
threat_quarantined, Device Name: mquiad, IP Address: (10.48.209.115), File Name: psa, Path: nculpaq, Drive Type: reseosqu, SHA256: sequat, MD5: lor, Status: ccaec, Cylance Score: 75.498000, Found Date: ommo, File Type: iame, Is Running: laudanti, Auto Run: umiurer, Detected By: rere, Zone Names: cta, Is Malware: aevi, Is Unique To Cylance: uameiusm, Threat Classification: adm -12-September-2018 22:02:15 medium mnihilm1903.internal.host ditautf <ori 2018-9-12T10:02:15.uamqu olori4584.mail.domain CylancePROTECT sunt autfugit emUte Event Type: AuditLog, Event Name: ThreatUpdated, Message: Zone: nturmag; Policy: tura; Value: osquirat, User: equat aliquid (usantiu) -27-Sep-2018 5:04:49 very-high trudex4443.www5.localhost lor <eseruntm 27T05:04:49.lpaquiof oloreeu7597.mail.home CylancePROTECT Event Name:PolicyAdd, Device Name:nula, Agent Version:quiacons, IP Address: (10.7.99.47), MAC Address: (01:00:5e:e8:41:ae), Logged On Users: (evolupta), OS:teturadi, Zone Names:ditau -hend 2018-10-11T12:07:23.eacommo ueip5847.api.test CylancePROTECT umd sciveli [dolorem] Event Type: sed, Event Name: Device Updated, Threat Class: Nemoenim, Threat Subclass: usm, SHA256: labori, MD5: porai -ostr 2018-10-25T7:09:57.sec uid3520.www.home CylancePROTECT eFini ectob [mrema] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: prehend, File Path: eufug, Interpreter: roquisq, Interpreter Version: 1.989 (est), Zone Names: civelits, User Name: ici -Nov 9 2:12:32 miurerep3693.mail.localhost CylancePROTECT Event Type:iduntu, Event Name:SyslogSettingsSave, Device Name:inibusB, Zone Names:nostrud -Nov 23 9:15:06 esse3795.www.host CylancePROTECT Event Type:pariatur, Event Name:SyslogSettingsSave, Message: The Device:imaveniawas auto assigned to Zone:expli, User:ugiat -bore 2018-12-7T4:17:40.ptate teir7585.www5.localdomain CylancePROTECT quu xeac [llitanim] Event Type: AuditLog, Event Name: SystemSecurity, Message: Devices: oreverit, User: scip Finibus (Utenimad) -Dec 21 11:20:14 
hen1901.example CylancePROTECT Event Type:ali, Event Name:SyslogSettingsSave, Device Name:quunt, External Device Type:itasp, External Device Vendor ID:qui, External Device Name:equeporr, External Device Product ID:met, External Device Serial Number:volup, Zone Names:ptate, Device Id: entsu, Policy Name: conse -Jan 5 6:22:49 mag4267.www.test CylancePROTECT Event Type:atura, Event Name:Alert, Device Message: Device: oreeu User: ),nvo (iamqui tassita Zone Names: colabori Device Id: imidestl -2019-1-19T1:25:23.minimve serrorsi1096.www5.localdomain CylancePROTECT lamco cit [siar] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: The Device: reetdo was auto assigned to the Zone: IP Address: Fake Devices, User: ()ever -quiav 2019-2-2T8:27:57.mse prehen4807.mail.invalid CylancePROTECT liqua ariatur [labo] Event Type: DeviceControl, Event Name: SystemSecurity, Device Name: remq, External Device Type: unt, External Device Vendor ID: tla, External Device Name: arch, External Device Product ID: lite, External Device Serial Number: ugia, Zone Names: meum -Feb 17 3:30:32 nvolupta126.www.domain CylancePROTECT Event Type:quas, Event Name:threat_found, Device Name:orp, File Path:ender, Interpreter:dico, Interpreter Version:1.5848, Zone Names:Utenima, User Name: olore -3-March-2019 10:33:06 medium radip4253.www.corp gna <quamnih 2019-3-3T10:33:06.asnulap yCiceroi5998.mail.home CylancePROTECT inc tect uiad Event Type: DeviceControl, Event Name: DeviceRemove, Device Name: roinBCSe, External Device Type: maperiam, External Device Vendor ID: mSec, External Device Name: smoditem, External Device Product ID: tatisetq, External Device Serial Number: uidolo, Zone Names: umdolore -2019-3-17T5:35:40.abori sit1400.www.lan CylancePROTECT ames amni [tatio] Event Type: AuditLog, Event Name: ZoneAdd, Message: Zone: ntsunti; Policy: borios; Value: ani, User: uid idatat (onev) -iosamni 2019-4-1T12:38:14.idu sis3986.internal.lan CylancePROTECT tsedquia its umdolor Event Type: isiu, Event 
Name: Device Policy Assigned, Device Name: mmodi, Agent Version: snostr, IP Address: (10.232.90.3), MAC Address: (01:00:5e:e6:a6:a2), Logged On Users: (midestl), OS: nci -hilmole 2019-4-15T7:40:49.sequ sectetu7182.localdomain CylancePROTECT dolor lorumwri [amnihil] Event Type: orissus, Event Name: Device Updated, uido -2019-4-29T2:43:23.itse officiad4982.www5.domain CylancePROTECT lumqui quiavolu [upta] Event Type: AuditLog, Event Name: ZoneAdd, Message: Device: umtota; User: etdolore magnaa (sumquiad) -2019-5-13T9:45:57.Duisa consequa1486.internal.localdomain CylancePROTECT aevitaed byCic [leumiur] Event Type: ptatemse, Event Name: pechange, Threat Class: quaeratv, Threat Subclass: involu, SHA256: tobeata, MD5: nesciun -onorumet 2019-5-28T4:48:31.ptatema eavolup6981.www5.example CylancePROTECT psaquaea rchit psumq Event Type: DeviceControl, Event Name: threat_changed, Device Name: lum, External Device Type: xerc, External Device Vendor ID: ctetura, External Device Name: msequ, External Device Product ID: nvol, External Device Serial Number: enimadmi, Zone Names: tateveli -2019-6-11T11:51:06.oremip its6443.mail.example CylancePROTECT natuserr ostrudex [nse] Event Type: miurere, Event Name: fullaccess, Device Name: tlabo, Agent Version: tatemse, IP Address: (10.139.80.71), MAC Address: (01:00:5e:bc:c1:21), Logged On Users: (orem), OS: eniamqui -25-June-2019 18:53:40 high tnulapa7580.www.domain adeser <doeiu 2019-6-25T6:53:40.onsectet dentsunt6061.www5.home CylancePROTECT tobeata imven onnumqua Event Type: quioff, Event Name: SyslogSettingsSave, Device Names: (upt), Policy Name: atatnonp, User: nvol dtemp (mquis) -10-July-2019 01:56:14 medium midest133.www5.example tocca <ntor 2019-7-10T1:56:14.oinBCSed oid218.api.invalid CylancePROTECT roquisqu ariat midestl Event Type: AuditLog, Event Name: SyslogSettingsSave, Message: mcorpori, User: mqu pteursi (orsitam) -totamre 2019-7-24T8:58:48.rpo velites4233.internal.home CylancePROTECT uisaute uun end Event Type: odocons, 
Event Name: Alert, Threat Class: asp, Threat Subclass: dexercit, SHA256: amn, MD5: itessequ -7-August-2019 16:01:23 low sumd3215.test aUtenima <taevi 2019-8-7T4:01:23.uames tconsec7604.corp CylancePROTECT laboree udantiu [itametco] Event Type: Threat, Event Name: Alert, Device Name: stiaecon, IP Address: (10.223.246.244), File Name: itl, Path: ttenb, Drive Type: olor, SHA256: quiav, MD5: gna, Status: Nem, Cylance Score: 105.845000, Found Date: lors, File Type: oluptat, Is Running: enimad, Auto Run: tis, Detected By: qua, Zone Names: con, Is Malware: tore, Is Unique To Cylance: sequatD, Threat Classification: ercitati -21-Aug-2019 11:03:57 high oeiusmo5035.api.local tconse <tseddoei 21T23:03:57.teursint etMa3452.www5.test CylancePROTECT Event Name:threat_found, Device Name:nturmag, File Path:uredol, Interpreter:maliqua, Interpreter Version:1.4613, Zone Names:mquia, User Name: omnisi, Device Id: etMalor, Policy Name: mco -5-September-2019 06:06:31 high taspe1205.mail.domain cti <nse 2019-9-5T6:06:31.mveniam tuser2694.internal.invalid CylancePROTECT tlaboru aeabillo [ciad] Event Type: ugiatqu, Event Name: threat_found, Device Names: (turveli), Policy Name: isciv, User: natus boreet (luptasnu) -edqu 2019-9-19T1:09:05.tationu gnaaliq5240.api.test CylancePROTECT nula ameaquei [gnama] Event Type: esciun, Event Name: pechange, Threat Class: ratvo, Threat Subclass: ntutl, SHA256: volupt, MD5: ine -3-Oct-2019 8:11:40 low ditaut33.mail.localhost iumdo <mea 3T20:11:40.ssec illum2625.test CylancePROTECT Event Name:LoginSuccess, Threat Class:iaeconse, Threat Subclass:uisa, SHA256:nimadmin, MD5:tdolo -18-October-2019 03:14:14 high porissus1225.www5.corp ddoe <ured 2019-10-18T3:14:14.ctetu oreeu6419.www.corp CylancePROTECT cul iinea snos Event Type: AuditLog, Event Name: PolicyAdd, Message: Device: moenimip; User: uames tium (ianonn) -2019-11-1T10:16:48.tiset sci333.mail.home CylancePROTECT doloreeu lors eumfu Event Type: docons, Event Name: PolicyAdd, Device Names: (eumf), Policy 
Name: roquisq, User: uasi maveniam (uis) -imi 2019-11-15T5:19:22.animi edutpers6452.api.host CylancePROTECT ntiumt sumquia vento Event Type: sitv, Event Name: LoginSuccess, Threat Class: com, Threat Subclass: rep, SHA256: mveni, MD5: aquae -30-November-2019 00:21:57 low iaturE3103.api.domain aturve <iatu 2019/11/30T00:21:57.use nulamc5617.mail.host CylancePROTECT teturad ese [eddoei] Event Type: AppControl, Event Name: SystemSecurity, Device Name: ntu, IP Address: (10.134.137.205), Action: deny, Action Type: duntut, File Path: emporin, SHA256: oreseosq, Zone Names: etquasia -2019-12-14T7:24:31.cinge tatem4713.internal.host CylancePROTECT elites pariat [nimip] Event Type: AuditLog, Event Name: threat_found, Message: Zone: usci; Policy: unturmag; Value: dexeaco, User: lupta ura (oreeufug) diff --git a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json deleted file mode 100644 index 1ea82991135..00000000000 --- a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json +++ /dev/null 
@@ -1,3554 +0,0 @@ -[ - { - "event.action": "ZoneAdd", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "29-January-2016 06:09:59 high boNemoe4402.www.invalid dolore <abo 2016-1-29T6:09:59.squira nostrud4819.mail.test CylancePROTECT mqui nci [billoi] Event Type: AuditLog, Event Name: ZoneAdd, Message: Policy Assigned:orev; Devices: pisciv , User: uii umexe (estlabo)", - "fileset.name": "protect", - "host.name": "nostrud4819.mail.test", - "input.type": "log", - "log.offset": 0, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "nostrud4819.mail.test" - ], - "rsa.identity.firstname": "uii", - "rsa.identity.lastname": "umexe", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "ZoneAdd", - "rsa.misc.mail_id": "estlabo", - "rsa.misc.node": "pisciv", - "rsa.misc.policy_name": "orev", - "rsa.network.alias_host": [ - "nostrud4819.mail.test" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "LoginSuccess", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2016-2-12T1:12:33.olupt volup208.invalid CylancePROTECT eosquir orsi [nulapari] Event Type: AuditLog, Event Name: LoginSuccess, Message: Devices: vol, User: luptat isiutal (moenimi)", - "fileset.name": "protect", - "host.name": "volup208.invalid", - "input.type": "log", - "log.offset": 271, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "volup208.invalid" - ], - "rsa.identity.firstname": "luptat", - "rsa.identity.lastname": "isiutal", - "rsa.internal.messageid": "CylancePROTECT", - 
"rsa.investigations.event_cat": 1401060000, - "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "LoginSuccess", - "rsa.misc.mail_id": "moenimi", - "rsa.misc.node": "vol", - "rsa.network.alias_host": [ - "volup208.invalid" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "Alert", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "26-Feb-2016 8:15:08 very-high anonnu410.internal.home aqu <squame 26T20:15:08.ntex eius6159.www5.localhost CylancePROTECT Event Name:Alert, Device Message: Device: aer User: ),lupt (tia oloremqu Zone Names: temvel Device Id: iatu", - "fileset.name": "protect", - "host.name": "eius6159.www5.localhost", - "input.type": "log", - "log.offset": 453, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "eius6159.www5.localhost" - ], - "rsa.db.index": "temvel", - "rsa.identity.firstname": "oloremqu", - "rsa.identity.lastname": "tia", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1609000000, - "rsa.investigations.event_cat_name": "System.Alerts", - "rsa.misc.device_name": "aer", - "rsa.misc.event_type": "Alert", - "rsa.misc.mail_id": "lupt", - "rsa.network.alias_host": [ - "eius6159.www5.localhost" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "SystemSecurity", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2016-3-12T3:17:42.ceroinBC ratvolup497.www.corp CylancePROTECT ionofde con [uia] Event Type: AuditLog, Event Name: SystemSecurity, Message: ommodic, User: mipsu consec (taliquip)", - "fileset.name": "protect", - "host.name": "ratvolup497.www.corp", - "input.type": "log", - 
"log.offset": 690, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "ratvolup497.www.corp" - ], - "rsa.db.index": "ommodic", - "rsa.identity.firstname": "mipsu", - "rsa.identity.lastname": "consec", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1600000000, - "rsa.investigations.event_cat_name": "System", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "SystemSecurity", - "rsa.misc.mail_id": "taliquip", - "rsa.network.alias_host": [ - "ratvolup497.www.corp" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "Alert", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2016-3-26T10:20:16.gelit tatno5625.api.local CylancePROTECT taev roidents [oluptas] Event Type: AuditLog, Event Name: Alert, Message: Source: taliqu; SHA256: ommod; Reason: failure, User: tur aperi (iveli)", - "fileset.name": "protect", - "host.name": "tatno5625.api.local", - "input.type": "log", - "log.offset": 869, - "observer.product": "taliqu", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "tatno5625.api.local" - ], - "rsa.identity.firstname": "tur", - "rsa.identity.lastname": "aperi", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1609000000, - "rsa.investigations.event_cat_name": "System.Alerts", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.checksum": "ommod", - "rsa.misc.event_type": "Alert", - "rsa.misc.mail_id": "iveli", - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "tatno5625.api.local" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "SystemSecurity", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - 
"event.original": "uatDuis 2016-4-9T5:22:51.ude maveniam1399.mail.lan CylancePROTECT siutaliq exercit [tempor] Event Type: omnis, Event Name: SystemSecurity, Device Name: eip, Agent Version: lupta, IP Address: (10.124.61.119), MAC Address: (01:00:5e:dc:bb:8b), Logged On Users: (occ), OS: ect Zone Names: reetdolo", - "fileset.name": "protect", - "host.mac": "01:00:5e:dc:bb:8b", - "host.name": "maveniam1399.mail.lan", - "input.type": "log", - "log.offset": 1075, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "maveniam1399.mail.lan" - ], - "related.ip": [ - "10.124.61.119" - ], - "related.user": [ - "occ" - ], - "rsa.db.index": "reetdolo", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1600000000, - "rsa.investigations.event_cat_name": "System", - "rsa.investigations.event_vcat": "omnis", - "rsa.misc.OS": "ect", - "rsa.misc.event_type": "SystemSecurity", - "rsa.misc.node": "eip", - "rsa.network.alias_host": [ - "maveniam1399.mail.lan" - ], - "rsa.network.eth_host": "01:00:5e:dc:bb:8b", - "service.type": "cylance", - "source.ip": "10.124.61.119", - "tags": [ - "cylance.protect", - "forwarded" - ], - "user.name": "occ" - }, - { - "event.action": "Device Policy Assigned", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "24-Apr-2016 12:25:25 low lor340.mail.local natura <ima 24T00:25:25.tanimi nimadmin6499.local CylancePROTECT Event Name:Device Policy Assigned, Device Message: Device: dexe User: ),urerep (aquaeab liqu Zone Names: lorem Device Id: emq", - "fileset.name": "protect", - "host.name": "nimadmin6499.local", - "input.type": "log", - "log.offset": 1370, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "nimadmin6499.local" - ], - "rsa.db.index": "lorem", - "rsa.identity.firstname": "liqu", - "rsa.identity.lastname": 
"aquaeab", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502000000, - "rsa.investigations.event_cat_name": "Policies.Rules", - "rsa.misc.device_name": "dexe", - "rsa.misc.event_type": "Device Policy Assigned", - "rsa.misc.mail_id": "urerep", - "rsa.network.alias_host": [ - "nimadmin6499.local" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "ThreatUpdated", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "ari 2016-5-8T7:27:59.equun suntinc4934.www5.test CylancePROTECT ipis gelits [tatevel] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Policy: uptatev; SHA256: uovol, User: )dmi (olab mquisnos", - "fileset.name": "protect", - "host.name": "suntinc4934.www5.test", - "input.type": "log", - "log.offset": 1612, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "suntinc4934.www5.test" - ], - "rsa.identity.firstname": "mquisnos", - "rsa.identity.lastname": "olab", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.checksum": "uovol", - "rsa.misc.event_type": "ThreatUpdated", - "rsa.misc.mail_id": "dmi", - "rsa.misc.policy_name": "uptatev", - "rsa.network.alias_host": [ - "suntinc4934.www5.test" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "threat_quarantined", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "22-May-2016 14:30:33 medium tvol457.internal.local inim <roinBCSe 2016-5-22T2:30:33.onse tae1382.mail.localhost CylancePROTECT oluptate ofdeF tion Event Type: orsitame, Event Name: threat_quarantined, Threat Class: lit, Threat 
Subclass: iam, SHA256: qua, MD5: umdo", - "fileset.name": "protect", - "host.name": "tae1382.mail.localhost", - "input.type": "log", - "log.offset": 1814, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "tae1382.mail.localhost" - ], - "rsa.crypto.sig_type": "lit", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "orsitame", - "rsa.misc.checksum": "qua", - "rsa.misc.event_type": "threat_quarantined", - "rsa.network.alias_host": [ - "tae1382.mail.localhost" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "SystemSecurity", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2016-6-5T9:33:08.eniam reetdolo2451.www.example CylancePROTECT rumet oll [erc] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: llam, File Path: aspern, Interpreter: itlabori, Interpreter Version: 1.2344, Zone Names: ollit, User Name: usan", - "file.directory": "aspern", - "fileset.name": "protect", - "host.name": "reetdolo2451.www.example", - "input.type": "log", - "log.offset": 2084, - "network.application": "itlabori", - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "observer.version": "1.2344", - "related.hosts": [ - "reetdolo2451.www.example" - ], - "related.user": [ - "usan" - ], - "rsa.db.index": "ollit", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1600000000, - "rsa.investigations.event_cat_name": "System", - "rsa.misc.event_type": "SystemSecurity", - "rsa.misc.node": "llam", - "rsa.misc.version": "1.2344", - "rsa.network.alias_host": [ - "reetdolo2451.www.example" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ], - 
"user.name": "usan" - }, - { - "event.action": "ZoneAddDevice", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "olo 2016-6-20T4:35:42.uaera sitas4259.mail.corp CylancePROTECT atquovo iumto aboreetd Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Zone: dun; Policy: enim; Value: saute, User: vel quu (undeo)", - "fileset.name": "protect", - "host.name": "sitas4259.mail.corp", - "input.type": "log", - "log.offset": 2343, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "sitas4259.mail.corp" - ], - "rsa.db.index": "dun", - "rsa.identity.firstname": "vel", - "rsa.identity.lastname": "quu", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "ZoneAddDevice", - "rsa.misc.mail_id": "undeo", - "rsa.misc.policy_name": "enim", - "rsa.network.alias_host": [ - "sitas4259.mail.corp" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "Registration", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2016-7-4T11:38:16.isqu uis7612.www5.domain CylancePROTECT llumquid tation [ips] Event Type: emeumfug, Event Name: Registration, emporinc", - "fileset.name": "protect", - "host.name": "uis7612.www5.domain", - "input.type": "log", - "log.offset": 2548, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "uis7612.www5.domain" - ], - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "emeumfug", - "rsa.misc.event_type": "Registration", - 
"rsa.network.alias_host": [ - "uis7612.www5.domain" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "SyslogSettingsSave", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "cup 2016-7-18T6:40:50.boNemoen uid7309.api.domain CylancePROTECT uradi aborumSe luptat Event Type: AuditLog, Event Name: SyslogSettingsSave, Message: Policy: antiumto, User: strude ctetura (usmod)", - "fileset.name": "protect", - "host.name": "uid7309.api.domain", - "input.type": "log", - "log.offset": 2685, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "uid7309.api.domain" - ], - "rsa.identity.firstname": "strude", - "rsa.identity.lastname": "ctetura", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "SyslogSettingsSave", - "rsa.misc.mail_id": "usmod", - "rsa.misc.policy_name": "antiumto", - "rsa.network.alias_host": [ - "uid7309.api.domain" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "DeviceRemove", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2-Aug-2016 1:43:25 high fugit7668.www5.invalid lupt <qua 2T01:43:25.luptatev admi3749.api.lan CylancePROTECT Event Name:DeviceRemove, Device Message: Device: tinvol; Zones Removed: dolore; Zones Added: abor, User: iqui etc (etM), Zone Names:nimadmin Device Id: ditautfu", - "fileset.name": "protect", - "host.name": "admi3749.api.lan", - "input.type": "log", - "log.offset": 2882, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "admi3749.api.lan" - ], - "rsa.db.index": 
"nimadmin", - "rsa.identity.firstname": "iqui", - "rsa.identity.lastname": "etc", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1804020000, - "rsa.investigations.event_cat_name": "Network.Devices.Removals", - "rsa.misc.device_name": "tinvol", - "rsa.misc.event_type": "DeviceRemove", - "rsa.misc.mail_id": "etM", - "rsa.network.alias_host": [ - "admi3749.api.lan" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "fullaccess", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2016-8-16T8:45:59.ostr rudexerc703.internal.host CylancePROTECT itaut imaven [liqua] Event Type: ScriptControl, Event Name: fullaccess, Device Name: onproide, File Path: Nemoen, Interpreter: tfug, Interpreter Version: 1.5383 (ccu), Zone Names: urE, User Name: isaute", - "file.directory": "Nemoen", - "fileset.name": "protect", - "host.name": "rudexerc703.internal.host", - "input.type": "log", - "log.offset": 3157, - "network.application": "tfug", - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "observer.version": "1.5383", - "related.hosts": [ - "rudexerc703.internal.host" - ], - "related.user": [ - "isaute" - ], - "rsa.db.index": "urE", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " ScriptControl", - "rsa.misc.event_type": "fullaccess", - "rsa.misc.node": "onproide", - "rsa.misc.version": "1.5383", - "rsa.network.alias_host": [ - "rudexerc703.internal.host" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ], - "user.name": "isaute" - }, - { - "event.action": "Alert", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "eomnisis 
2016-8-30T3:48:33.mqui civeli370.www5.local CylancePROTECT sunt stl tdolorem Event Type: AuditLog, Event Name: Alert, Message: The Device: picia was auto assigned to the Zone: IP Address: Fake Devices, User: mUtenima emaperi ()tame", - "fileset.name": "protect", - "host.name": "civeli370.www5.local", - "input.type": "log", - "log.offset": 3424, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "civeli370.www5.local" - ], - "rsa.db.index": "The Device: picia was auto assigned to the Zone: IP Address: Fake Devices", - "rsa.identity.firstname": "mUtenima", - "rsa.identity.lastname": "emaperi", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1609000000, - "rsa.investigations.event_cat_name": "System.Alerts", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "Alert", - "rsa.network.alias_host": [ - "civeli370.www5.local" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "cancel", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "September 2016/09/13 22:51:07 ivelits712.api.example CylancePROTECT Event Type: AppControl, etdolo inv [agnaali] Event Type: AppControl, Event Name: threat_found, Device Name: sequatur, IP Address: (10.199.98.186), Action: cancel, Action Type: nihi, File Path: Lor, SHA256: itecto, Zone Names: erc", - "file.directory": "Lor", - "fileset.name": "protect", - "input.type": "log", - "log.offset": 3665, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.ip": [ - "10.199.98.186" - ], - "rsa.db.index": "erc", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AppControl", - "rsa.misc.action": [ - "cancel" - ], 
- "rsa.misc.checksum": "itecto", - "rsa.misc.event_type": "threat_found", - "rsa.misc.node": "sequatur", - "service.type": "cylance", - "source.ip": "10.199.98.186", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "LoginSuccess", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "olupt 2016-9-28T5:53:42.modoco estqu1709.internal.example CylancePROTECT ostrume molest [upt] Event Type: Threat, Event Name: LoginSuccess, Device Name: uasia, IP Address: (10.64.70.5), File Name: ici, Path: giatquov, Drive Type: eritquii, SHA256: dexeac, MD5: iscinge, Status: atvol, Cylance Score: 145.898000, Found Date: uames, File Type: tati, Is Running: utaliqu, Auto Run: oriosamn, Detected By: deFinibu, Zone Names: iadese, Is Malware: imidest, Is Unique To Cylance: emagnama, Threat Classification: eprehend", - "file.directory": "giatquov", - "file.name": "ici", - "file.type": "tati", - "fileset.name": "protect", - "host.name": "estqu1709.internal.example", - "input.type": "log", - "log.offset": 3963, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "estqu1709.internal.example" - ], - "related.ip": [ - "10.64.70.5" - ], - "rsa.crypto.sig_type": "eprehend", - "rsa.db.index": "iadese", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1401060000, - "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", - "rsa.investigations.event_vcat": " Threat", - "rsa.misc.checksum": "dexeac", - "rsa.misc.event_state": "atvol", - "rsa.misc.event_type": "LoginSuccess", - "rsa.misc.node": "uasia", - "rsa.network.alias_host": [ - "estqu1709.internal.example" - ], - "rsa.web.reputation_num": 145.898, - "service.type": "cylance", - "source.ip": "10.64.70.5", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "Alert", - "event.code": "CylancePROTECT", - 
"event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2016-10-12T12:56:16.suntinc xeac7155.www.localdomain CylancePROTECT taliq intoccae [ents] Event Type: pida, Event Name: Alert, Device Name: idolor, Agent Version: emeumfu, IP Address: (10.143.239.210), MAC Address: (01:00:5e:93:1c:9f), Logged On Users: (oinBCSe), OS: mnisist Zone Names: sedd", - "fileset.name": "protect", - "host.mac": "01:00:5e:93:1c:9f", - "host.name": "xeac7155.www.localdomain", - "input.type": "log", - "log.offset": 4480, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "xeac7155.www.localdomain" - ], - "related.ip": [ - "10.143.239.210" - ], - "related.user": [ - "oinBCSe" - ], - "rsa.db.index": "sedd", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1609000000, - "rsa.investigations.event_cat_name": "System.Alerts", - "rsa.investigations.event_vcat": "pida", - "rsa.misc.OS": "mnisist", - "rsa.misc.event_type": "Alert", - "rsa.misc.node": "idolor", - "rsa.network.alias_host": [ - "xeac7155.www.localdomain" - ], - "rsa.network.eth_host": "01:00:5e:93:1c:9f", - "service.type": "cylance", - "source.ip": "10.143.239.210", - "tags": [ - "cylance.protect", - "forwarded" - ], - "user.name": "oinBCSe" - }, - { - "event.action": "accept", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "ipitla 2016-10-26T7:58:50.quae maccusa5126.api.domain CylancePROTECT idex xerci [aqu] Event Type: ExploitAttempt, Event Name: Alert, Device Name: olorema, IP Address: (10.32.143.134), Action: accept, Process ID: 2289, Process Name: aliqu.exe, User Name: olupta, Violation Type: mipsumd, Zone Names: eFinib", - "fileset.name": "protect", - "host.name": "maccusa5126.api.domain", - "input.type": "log", - "log.offset": 4773, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": 
"Cylance", - "process.name": "aliqu.exe", - "process.pid": 2289, - "related.hosts": [ - "maccusa5126.api.domain" - ], - "related.ip": [ - "10.32.143.134" - ], - "related.user": [ - "olupta" - ], - "rsa.db.index": "eFinib", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1609000000, - "rsa.investigations.event_cat_name": "System.Alerts", - "rsa.investigations.event_vcat": " ExploitAttempt", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.event_type": "Alert", - "rsa.misc.node": "olorema", - "rsa.misc.policy_name": "mipsumd", - "rsa.network.alias_host": [ - "maccusa5126.api.domain" - ], - "service.type": "cylance", - "source.ip": "10.32.143.134", - "tags": [ - "cylance.protect", - "forwarded" - ], - "user.name": "olupta" - }, - { - "event.action": "DeviceEdit", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "10-Nov-2016 3:01:24 low eav3687.internal.local siar <iamquis 10T03:01:24.quirat llu4718.localhost CylancePROTECT Event Name:DeviceEdit, Device Name:conseq, External Device Type:oidentsu, External Device Vendor ID:atiset, External Device Name:atu, External Device Product ID:umexerci, External Device Serial Number:ern, Zone Names:psaquae", - "fileset.name": "protect", - "host.name": "llu4718.localhost", - "input.type": "log", - "log.offset": 5079, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "llu4718.localhost" - ], - "rsa.db.index": "psaquae", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.device_name": "oidentsu", - "rsa.misc.event_type": "DeviceEdit", - "rsa.misc.node": "conseq", - "rsa.misc.serial_number": "ern", - "rsa.network.alias_host": [ - "llu4718.localhost" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - 
"event.action": "DeviceRemove", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "Nov 24 10:03:59 doloremi7402.www.test CylancePROTECT Event Type:stquidol, Event Name:DeviceRemove, Device Message: Device: leumiu; Policy Changed: namali to 'taevit', User: rinrepre etconse (tincu), Zone Names:ari, Device Id: exercit", - "fileset.name": "protect", - "input.type": "log", - "log.offset": 5423, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "rsa.db.index": "ari", - "rsa.identity.firstname": "rinrepre", - "rsa.identity.lastname": "etconse", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1804020000, - "rsa.investigations.event_cat_name": "Network.Devices.Removals", - "rsa.investigations.event_vcat": "stquidol", - "rsa.misc.device_name": "leumiu", - "rsa.misc.event_type": "DeviceRemove", - "rsa.misc.mail_id": "tincu", - "rsa.misc.policy_name": "taevit", - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "ZoneAddDevice", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "8-December-2016 17:06:33 very-high occae1180.internal.localhost aquaeabi <adeseru 2016-12-8T5:06:33.emoe eaq908.api.home CylancePROTECT itame intoc [oluptas] Event Type: tNequepo, Event Name: ZoneAddDevice, Device Name: luptasn, Zone Names:equat", - "fileset.name": "protect", - "host.name": "eaq908.api.home", - "input.type": "log", - "log.offset": 5657, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "eaq908.api.home" - ], - "rsa.db.index": "equat", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "tNequepo", - 
"rsa.misc.event_type": "ZoneAddDevice", - "rsa.misc.node": "luptasn", - "rsa.network.alias_host": [ - "eaq908.api.home" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "ZoneAddDevice", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "ihilmole 2016-12-23T12:09:07.eriamea amre146.mail.host CylancePROTECT pisciv iquidex radipisc Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Policy: nti; SHA256: abi; Category: sectetur, User: )uioffi (oru temqu", - "fileset.name": "protect", - "host.name": "amre146.mail.host", - "input.type": "log", - "log.offset": 5909, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "amre146.mail.host" - ], - "rsa.identity.firstname": "temqu", - "rsa.identity.lastname": "oru", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.category": "sectetur", - "rsa.misc.checksum": "abi", - "rsa.misc.event_type": "ZoneAddDevice", - "rsa.misc.mail_id": "uioffi", - "rsa.misc.policy_name": "nti", - "rsa.network.alias_host": [ - "amre146.mail.host" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "DeviceRemove", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "ommodico 2017-1-6T7:11:41.quatD mcolab379.internal.home CylancePROTECT tsedqu agnid [proide] Event Type: ScriptControl, Event Name: DeviceRemove, Device Name: tper, File Path: olor, Interpreter: Neque, Interpreter Version: 1.4129 (xerc), Zone Names: iutali, User Name: fdeFi", - "file.directory": "olor", - "fileset.name": "protect", - "host.name": "mcolab379.internal.home", - "input.type": "log", - 
"log.offset": 6132, - "network.application": "Neque", - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "observer.version": "1.4129", - "related.hosts": [ - "mcolab379.internal.home" - ], - "related.user": [ - "fdeFi" - ], - "rsa.db.index": "iutali", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1804020000, - "rsa.investigations.event_cat_name": "Network.Devices.Removals", - "rsa.investigations.event_vcat": " ScriptControl", - "rsa.misc.event_type": "DeviceRemove", - "rsa.misc.node": "tper", - "rsa.misc.version": "1.4129", - "rsa.network.alias_host": [ - "mcolab379.internal.home" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ], - "user.name": "fdeFi" - }, - { - "event.action": "threat_quarantined", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "Jan 20 2:14:16 tasuntex5037.www.corp CylancePROTECT Event Type:boN, Event Name:threat_quarantined, Device Name:ectio, Agent Version:dutper, IP Address: (10.237.205.140), MAC Address: (01:00:5e:3f:c4:6c), Logged On Users: (uames), OS:iduntu, Zone Names:veniam", - "fileset.name": "protect", - "host.mac": "01:00:5e:3f:c4:6c", - "input.type": "log", - "log.offset": 6407, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.ip": [ - "10.237.205.140" - ], - "related.user": [ - "uames" - ], - "rsa.db.index": "veniam", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "boN", - "rsa.misc.OS": "iduntu", - "rsa.misc.event_type": "threat_quarantined", - "rsa.misc.node": "ectio", - "rsa.network.eth_host": "01:00:5e:3f:c4:6c", - "service.type": "cylance", - "source.ip": "10.237.205.140", - "tags": [ - "cylance.protect", - "forwarded" - ], - "user.name": "uames" 
- }, - { - "event.action": "LoginSuccess", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "3-Feb-2017 9:16:50 very-high reme622.mail.example isnisiu <tsu 3T21:16:50.tcons sciun4694.api.lan CylancePROTECT Event Name:LoginSuccess, Device Message: Device: nsect User: ),idata (rumwritt magnid Zone Names: enderit Device Id: untex", - "fileset.name": "protect", - "host.name": "sciun4694.api.lan", - "input.type": "log", - "log.offset": 6666, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "sciun4694.api.lan" - ], - "rsa.db.index": "enderit", - "rsa.identity.firstname": "magnid", - "rsa.identity.lastname": "rumwritt", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1401060000, - "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", - "rsa.misc.device_name": "nsect", - "rsa.misc.event_type": "LoginSuccess", - "rsa.misc.mail_id": "idata", - "rsa.network.alias_host": [ - "sciun4694.api.lan" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "cancel", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "paquioff 2017-2-18T4:19:24.mquisnos maven3758.www.invalid CylancePROTECT labor didunt uptatema Event Type: ExploitAttempt, Event Name: DeviceEdit, Device Name: udan, IP Address: (10.74.104.215), Action: cancel, Process ID: 7410, Process Name: mveleu.exe, User Name: nofdeFin, Violation Type: sequam, Zone Names: temvel", - "fileset.name": "protect", - "host.name": "maven3758.www.invalid", - "input.type": "log", - "log.offset": 6908, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "process.name": "mveleu.exe", - "process.pid": 7410, - "related.hosts": [ - "maven3758.www.invalid" - ], - "related.ip": [ - 
"10.74.104.215" - ], - "related.user": [ - "nofdeFin" - ], - "rsa.db.index": "temvel", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " ExploitAttempt", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.event_type": "DeviceEdit", - "rsa.misc.node": "udan", - "rsa.misc.policy_name": "sequam", - "rsa.network.alias_host": [ - "maven3758.www.invalid" - ], - "service.type": "cylance", - "source.ip": "10.74.104.215", - "tags": [ - "cylance.protect", - "forwarded" - ], - "user.name": "nofdeFin" - }, - { - "event.action": "pechange", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "4-Mar-2017 11:21:59 medium tvolu3997.mail.home eiu <autfu 4T11:21:59.gnaaliq mni7200.mail.localdomain CylancePROTECT Event Name:pechange, Device Name:idolor, Zone Names:uisau, Device Id: eleum", - "fileset.name": "protect", - "host.name": "mni7200.mail.localdomain", - "input.type": "log", - "log.offset": 7227, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "mni7200.mail.localdomain" - ], - "rsa.db.index": "uisau", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.event_type": "pechange", - "rsa.misc.node": "idolor", - "rsa.network.alias_host": [ - "mni7200.mail.localdomain" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "Device Policy Assigned", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "Mar 18 6:24:33 ate4627.localdomain CylancePROTECT Event Type:officiad, Event Name:Device Policy Assigned, Message: The Device:quinescwas auto assigned to Zone:madmi, User:tur", - 
"fileset.name": "protect", - "input.type": "log", - "log.offset": 7429, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "rsa.identity.firstname": "tur", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502000000, - "rsa.investigations.event_cat_name": "Policies.Rules", - "rsa.investigations.event_vcat": "officiad", - "rsa.misc.event_type": "Device Policy Assigned", - "rsa.misc.node": "quinesc", - "rsa.network.zone": "madmi", - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "Alert", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2-April-2017 01:27:07 very-high orem6702.invalid tev <ntocca 2017-4-2T1:27:07.ostru ntoccae1705.internal.invalid CylancePROTECT temquiav equatu [upta] Event Type: ScriptControl, Event Name: Alert, Device Name: sBon, File Path: orro, Interpreter: tae, Interpreter Version: 1.3212, Zone Names: tlab, User Name: aperiame", - "file.directory": "orro", - "fileset.name": "protect", - "host.name": "ntoccae1705.internal.invalid", - "input.type": "log", - "log.offset": 7604, - "network.application": "tae", - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "observer.version": "1.3212", - "related.hosts": [ - "ntoccae1705.internal.invalid" - ], - "related.user": [ - "aperiame" - ], - "rsa.db.index": "tlab", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1609000000, - "rsa.investigations.event_cat_name": "System.Alerts", - "rsa.misc.event_type": "Alert", - "rsa.misc.node": "sBon", - "rsa.misc.version": "1.3212", - "rsa.network.alias_host": [ - "ntoccae1705.internal.invalid" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ], - "user.name": "aperiame" - }, - { - "event.action": "PolicyAdd", - "event.code": "CylancePROTECT", - 
"event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "16-Apr-2017 8:29:41 high tobea2364.internal.localhost itinvol <fugiatn 16T08:29:41.docon etconsec6708.internal.invalid CylancePROTECT Event Name:PolicyAdd, Device Name:ersp, External Device Type:tquov, External Device Vendor ID:diconseq, External Device Name:inven, External Device Product ID:osquira, External Device Serial Number:tes, Zone Names:mquame", - "fileset.name": "protect", - "host.name": "etconsec6708.internal.invalid", - "input.type": "log", - "log.offset": 7929, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "etconsec6708.internal.invalid" - ], - "rsa.db.index": "mquame", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502030000, - "rsa.investigations.event_cat_name": "Policies.Rules.Added", - "rsa.misc.device_name": "tquov", - "rsa.misc.event_type": "PolicyAdd", - "rsa.misc.node": "ersp", - "rsa.misc.serial_number": "tes", - "rsa.network.alias_host": [ - "etconsec6708.internal.invalid" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "PolicyAdd", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2017-4-30T3:32:16.squirati Sedutp7428.internal.home CylancePROTECT utlabor itessequ [porro] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: iquipe; Policy: itempor; Value: quin, User: upida tvolupt (eufugi)", - "fileset.name": "protect", - "host.name": "Sedutp7428.internal.home", - "input.type": "log", - "log.offset": 8293, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "Sedutp7428.internal.home" - ], - "rsa.db.index": "iquipe", - "rsa.identity.firstname": "upida", - "rsa.identity.lastname": "tvolupt", - "rsa.internal.messageid": "CylancePROTECT", - 
"rsa.investigations.event_cat": 1502030000, - "rsa.investigations.event_cat_name": "Policies.Rules.Added", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "PolicyAdd", - "rsa.misc.mail_id": "eufugi", - "rsa.misc.policy_name": "itempor", - "rsa.network.alias_host": [ - "Sedutp7428.internal.home" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "Alert", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "uamni 2017-5-14T10:34:50.ctet ati4639.www5.home CylancePROTECT archite loreme [untu] Event Type: AuditLog, Event Name: Alert, Message: Device: ven; User: con nisist (usmodte)", - "fileset.name": "protect", - "host.name": "ati4639.www5.home", - "input.type": "log", - "log.offset": 8512, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "ati4639.www5.home" - ], - "rsa.identity.firstname": "con", - "rsa.identity.lastname": "nisist", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1609000000, - "rsa.investigations.event_cat_name": "System.Alerts", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "Alert", - "rsa.misc.mail_id": "usmodte", - "rsa.misc.node": "ven", - "rsa.network.alias_host": [ - "ati4639.www5.home" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "PolicyAdd", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2017-5-29T5:37:24.eturadi torever662.www5.home CylancePROTECT quam sumdolor [meaqueip] Event Type: AuditLog, Event Name: PolicyAdd, Message: The Device: pexe was auto assigned to the Zone: IP Address: 10.70.168.240, User: amcol adeser ()oin", - "fileset.name": "protect", - "host.name": "torever662.www5.home", - "input.type": "log", - 
"log.offset": 8687, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "torever662.www5.home" - ], - "rsa.db.index": "The Device: pexe was auto assigned to the Zone: IP Address: 10.70.168.240", - "rsa.identity.firstname": "amcol", - "rsa.identity.lastname": "adeser", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502030000, - "rsa.investigations.event_cat_name": "Policies.Rules.Added", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "PolicyAdd", - "rsa.network.alias_host": [ - "torever662.www5.home" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "DeviceRemove", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "12-June-2017 12:39:58 medium meius3932.internal.example ccaeca <uptate 2017-6-12T12:39:58.amc cusant1701.api.localdomain CylancePROTECT siutaliq dutp psaquaea Event Type: taevita, Event Name: DeviceRemove, Device Name: siut, Agent Version: tconsect, IP Address: (10.190.175.158), MAC Address: (01:00:5e:45:8b:97), Logged On Users: (ditemp), OS: edqui", - "fileset.name": "protect", - "host.mac": "01:00:5e:45:8b:97", - "host.name": "cusant1701.api.localdomain", - "input.type": "log", - "log.offset": 8928, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "cusant1701.api.localdomain" - ], - "related.ip": [ - "10.190.175.158" - ], - "related.user": [ - "ditemp" - ], - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1804020000, - "rsa.investigations.event_cat_name": "Network.Devices.Removals", - "rsa.investigations.event_vcat": "taevita", - "rsa.misc.OS": "edqui", - "rsa.misc.event_type": "DeviceRemove", - "rsa.misc.node": "siut", - "rsa.network.alias_host": [ - "cusant1701.api.localdomain" - ], - 
"rsa.network.eth_host": "01:00:5e:45:8b:97", - "service.type": "cylance", - "source.ip": "10.190.175.158", - "tags": [ - "cylance.protect", - "forwarded" - ], - "user.name": "ditemp" - }, - { - "event.action": "fullaccess", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "26-June-2017 19:42:33 very-high rnatu2805.www.home enderi <odoconse 2017-6-26T7:42:33.quamqua eacommod1930.internal.lan CylancePROTECT tpersp stla uptatema Event Type: AuditLog, Event Name: fullaccess, Message: Device: uradi; SHA256: tot; Category: llamco, User: )nea (psum tasnulap", - "fileset.name": "protect", - "host.name": "eacommod1930.internal.lan", - "input.type": "log", - "log.offset": 9287, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "eacommod1930.internal.lan" - ], - "rsa.identity.firstname": "tasnulap", - "rsa.identity.lastname": "psum", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.category": "llamco", - "rsa.misc.checksum": "tot", - "rsa.misc.event_type": "fullaccess", - "rsa.misc.mail_id": "nea", - "rsa.misc.node": "uradi", - "rsa.network.alias_host": [ - "eacommod1930.internal.lan" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "Alert", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2017-7-11T2:45:07.oremipsu emeumfug4387.internal.lan CylancePROTECT uidol litani [utodita] Event Type: AuditLog, Event Name: Alert, Message: Device: untincul; SHA256: iduntu, User: )ccaeca (niamq lapariat", - "fileset.name": "protect", - "host.name": "emeumfug4387.internal.lan", - "input.type": "log", - "log.offset": 9579, - "observer.product": "Protect", - 
"observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "emeumfug4387.internal.lan" - ], - "rsa.identity.firstname": "lapariat", - "rsa.identity.lastname": "niamq", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1609000000, - "rsa.investigations.event_cat_name": "System.Alerts", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.checksum": "iduntu", - "rsa.misc.event_type": "Alert", - "rsa.misc.mail_id": "ccaeca", - "rsa.misc.node": "untincul", - "rsa.network.alias_host": [ - "emeumfug4387.internal.lan" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "DeviceRemove", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "uat 2017-7-25T9:47:41.tiaec rumwrit764.www5.local CylancePROTECT edquiac urerepr [eseru] Event Type: DeviceControl, Event Name: DeviceRemove, Device Name: etMal, External Device Type: qua, External Device Vendor ID: rsita, External Device Name: ate, External Device Product ID: ipsamvo, External Device Serial Number: onula, Zone Names: miu", - "fileset.name": "protect", - "host.name": "rumwrit764.www5.local", - "input.type": "log", - "log.offset": 9784, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "rumwrit764.www5.local" - ], - "rsa.db.index": "miu", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1804020000, - "rsa.investigations.event_cat_name": "Network.Devices.Removals", - "rsa.investigations.event_vcat": " DeviceControl", - "rsa.misc.event_type": "DeviceRemove", - "rsa.misc.node": "etMal", - "rsa.misc.serial_number": "onula", - "rsa.network.alias_host": [ - "rumwrit764.www5.local" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "SyslogSettingsSave", - "event.code": 
"CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "Aug 8 4:50:15 mex2054.mail.corp CylancePROTECT Event Type:luptat, Event Name:SyslogSettingsSave, Message: Provider:ica, Source IP:10.13.66.97, User: dicta taedicta (ritt)#015", - "fileset.name": "protect", - "input.type": "log", - "log.offset": 10125, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.ip": [ - "10.13.66.97" - ], - "rsa.identity.firstname": "dicta", - "rsa.identity.lastname": "taedicta", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "luptat", - "rsa.misc.event_type": "SyslogSettingsSave", - "rsa.misc.mail_id": "ritt", - "service.type": "cylance", - "source.ip": "10.13.66.97", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "DeviceEdit", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2017-8-22T11:52:50.dictasun veniamqu7284.mail.invalid CylancePROTECT nte mvel nof Event Type: AuditLog, Event Name: DeviceEdit, Message: The Device: tetur was auto assigned to the Zone: IP Address: Fake Devices, User: ()xce", - "fileset.name": "protect", - "host.name": "veniamqu7284.mail.invalid", - "input.type": "log", - "log.offset": 10300, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "veniamqu7284.mail.invalid" - ], - "rsa.db.index": "The Device: tetur was auto assigned to the Zone: IP Address: Fake Devices", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "DeviceEdit", - "rsa.misc.mail_id": "xce", - "rsa.misc.node": "tetur", 
- "rsa.network.alias_host": [ - "veniamqu7284.mail.invalid" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "threat_quarantined", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "6-September-2017 06:55:24 high isiu5733.api.domain etdolor <xeaco 2017-9-6T6:55:24.nvolupt oremi1485.api.localhost CylancePROTECT iosa boNemoe [onsequ] Event Type: AuditLog, Event Name: threat_quarantined, Message: SHA256: amvolupt; Reason: success, User: atisund xea (ites)", - "fileset.name": "protect", - "host.name": "oremi1485.api.localhost", - "input.type": "log", - "log.offset": 10524, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "oremi1485.api.localhost" - ], - "rsa.identity.firstname": "atisund", - "rsa.identity.lastname": "xea", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.checksum": "amvolupt", - "rsa.misc.event_type": "threat_quarantined", - "rsa.misc.mail_id": "ites", - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "oremi1485.api.localhost" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "cancel", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "eri 2017-9-20T1:57:58.quunt olori416.api.test CylancePROTECT elit cidunt plica Event Type: ExploitAttempt, Event Name: Alert, Device Name: exeaco, IP Address: (10.31.190.145), Action: cancel, Process ID: 5530, Process Name: accusant.exe, User Name: onse, Violation Type: admin, Zone Names: stenatu", - "fileset.name": "protect", - "host.name": "olori416.api.test", - "input.type": "log", - "log.offset": 10806, - 
"observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "process.name": "accusant.exe", - "process.pid": 5530, - "related.hosts": [ - "olori416.api.test" - ], - "related.ip": [ - "10.31.190.145" - ], - "related.user": [ - "onse" - ], - "rsa.db.index": "stenatu", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1609000000, - "rsa.investigations.event_cat_name": "System.Alerts", - "rsa.investigations.event_vcat": " ExploitAttempt", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.event_type": "Alert", - "rsa.misc.node": "exeaco", - "rsa.misc.policy_name": "admin", - "rsa.network.alias_host": [ - "olori416.api.test" - ], - "service.type": "cylance", - "source.ip": "10.31.190.145", - "tags": [ - "cylance.protect", - "forwarded" - ], - "user.name": "onse" - }, - { - "event.action": "threat_found", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "4-Oct-2017 9:00:32 high nvol6269.internal.local tla <nimid 4T21:00:32.dat periam126.api.host CylancePROTECT Event Name:threat_found, Threat Class:rExc, Threat Subclass:iusmo, SHA256:tame, MD5:naaliq", - "fileset.name": "protect", - "host.name": "periam126.api.host", - "input.type": "log", - "log.offset": 11104, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "periam126.api.host" - ], - "rsa.crypto.sig_type": "rExc", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.checksum": "tame", - "rsa.misc.event_type": "threat_found", - "rsa.network.alias_host": [ - "periam126.api.host" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "PolicyAdd", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - 
"event.original": "19-October-2017 04:03:07 medium toccaec7645.www5.home psaqua <itationu 2017-10-19T4:03:07.proident maliquam2147.internal.home CylancePROTECT lores ritati orisni Event Type: DeviceControl, Event Name: PolicyAdd, Device Name: estl, External Device Type: sitam, External Device Vendor ID: orem, External Device Name: rcit, External Device Product ID: llamco, External Device Serial Number: atu, Zone Names: untincul", - "fileset.name": "protect", - "host.name": "maliquam2147.internal.home", - "input.type": "log", - "log.offset": 11309, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "maliquam2147.internal.home" - ], - "rsa.db.index": "untincul", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502030000, - "rsa.investigations.event_cat_name": "Policies.Rules.Added", - "rsa.investigations.event_vcat": " DeviceControl", - "rsa.misc.event_type": "PolicyAdd", - "rsa.misc.node": "estl", - "rsa.misc.serial_number": "atu", - "rsa.network.alias_host": [ - "maliquam2147.internal.home" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "PolicyAdd", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "iuntNe 2017-11-2T11:05:41.atise tate6578.api.localdomain CylancePROTECT emvele isnost [olorem] Event Type: Threat, Event Name: PolicyAdd, Device Name: yCiceroi, IP Address: (10.252.165.146), File Name: iquamqua, Path: sit, Drive Type: rumSect, SHA256: ita, MD5: vitaed, Status: exeaco, Cylance Score: 51.523000, Found Date: mven, File Type: olorsit, Is Running: tore, Auto Run: elits, Detected By: consequa, Zone Names: turadip, Is Malware: tatevel, Is Unique To Cylance: boreetdo, Threat Classification: undeom", - "file.directory": "sit", - "file.name": "iquamqua", - "file.type": "olorsit", - "fileset.name": "protect", - "host.name": 
"tate6578.api.localdomain", - "input.type": "log", - "log.offset": 11732, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "tate6578.api.localdomain" - ], - "related.ip": [ - "10.252.165.146" - ], - "rsa.crypto.sig_type": "undeom", - "rsa.db.index": "turadip", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502030000, - "rsa.investigations.event_cat_name": "Policies.Rules.Added", - "rsa.investigations.event_vcat": " Threat", - "rsa.misc.checksum": "ita", - "rsa.misc.event_state": "exeaco", - "rsa.misc.event_type": "PolicyAdd", - "rsa.misc.node": "yCiceroi", - "rsa.network.alias_host": [ - "tate6578.api.localdomain" - ], - "rsa.web.reputation_num": 51.523, - "service.type": "cylance", - "source.ip": "10.252.165.146", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "threat_changed", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2017-11-16T6:08:15.uov itlab6956.mail.local CylancePROTECT loremqu tetur amvo Event Type: siuta, Event Name: threat_changed, Device Name: ommodo, Agent Version: uptat, IP Address: (10.105.46.101, tatione), MAC Address: (01:00:5e:de:32:2c, ori), Logged On Users: (tconsect), OS: rum", - "fileset.name": "protect", - "host.mac": "01:00:5e:de:32:2c", - "host.name": "itlab6956.mail.local", - "input.type": "log", - "log.offset": 12244, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "itlab6956.mail.local" - ], - "related.ip": [ - "10.105.46.101" - ], - "related.user": [ - "tconsect" - ], - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "siuta", - "rsa.misc.OS": "rum", - "rsa.misc.event_type": "threat_changed", - "rsa.misc.node": "ommodo", - 
"rsa.network.alias_host": [ - "itlab6956.mail.local" - ], - "rsa.network.eth_host": "01:00:5e:de:32:2c", - "service.type": "cylance", - "source.ip": "10.105.46.101", - "tags": [ - "cylance.protect", - "forwarded" - ], - "user.name": "tconsect" - }, - { - "event.action": "Device Policy Assigned", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2017-12-1T1:10:49.ugiatn midestl1919.host CylancePROTECT cingel modocon [ipsu] Event Type: ntNeq, Event Name: Device Policy Assigned, Device Name: aUt, Agent Version: boNem, IP Address: (10.124.88.222), MAC Address: (01:00:5e:f9:78:c2), Logged On Users: (onu), OS: liquaUte", - "fileset.name": "protect", - "host.mac": "01:00:5e:f9:78:c2", - "host.name": "midestl1919.host", - "input.type": "log", - "log.offset": 12526, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "midestl1919.host" - ], - "related.ip": [ - "10.124.88.222" - ], - "related.user": [ - "onu" - ], - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502000000, - "rsa.investigations.event_cat_name": "Policies.Rules", - "rsa.investigations.event_vcat": "ntNeq", - "rsa.misc.OS": "liquaUte", - "rsa.misc.event_type": "Device Policy Assigned", - "rsa.misc.node": "aUt", - "rsa.network.alias_host": [ - "midestl1919.host" - ], - "rsa.network.eth_host": "01:00:5e:f9:78:c2", - "service.type": "cylance", - "source.ip": "10.124.88.222", - "tags": [ - "cylance.protect", - "forwarded" - ], - "user.name": "onu" - }, - { - "event.action": "deny", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "ria 2017-12-15T8:13:24.atDu nsec923.internal.local CylancePROTECT agnaaliq tlaboree norumet Event Type: ExploitAttempt, Event Name: DeviceEdit, Device Name: mod, IP Address: (10.28.120.149), Action: deny, Process ID: 3916, Process Name: 
tinvolup.exe, User Name: tsed, Violation Type: inv, Zone Names: rroq", - "fileset.name": "protect", - "host.name": "nsec923.internal.local", - "input.type": "log", - "log.offset": 12800, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "process.name": "tinvolup.exe", - "process.pid": 3916, - "related.hosts": [ - "nsec923.internal.local" - ], - "related.ip": [ - "10.28.120.149" - ], - "related.user": [ - "tsed" - ], - "rsa.db.index": "rroq", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " ExploitAttempt", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.event_type": "DeviceEdit", - "rsa.misc.node": "mod", - "rsa.misc.policy_name": "inv", - "rsa.network.alias_host": [ - "nsec923.internal.local" - ], - "service.type": "cylance", - "source.ip": "10.28.120.149", - "tags": [ - "cylance.protect", - "forwarded" - ], - "user.name": "tsed" - }, - { - "event.action": "ZoneAddDevice", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2017-12-29T3:15:58.mipsamvo eiusmod3517.internal.invalid CylancePROTECT oreveri ehende [eaqueip] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Device: olup; SHA256: labor, User: )dol (sciun metcons", - "fileset.name": "protect", - "host.name": "eiusmod3517.internal.invalid", - "input.type": "log", - "log.offset": 13106, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "eiusmod3517.internal.invalid" - ], - "rsa.identity.firstname": "metcons", - "rsa.identity.lastname": "sciun", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.checksum": "labor", - 
"rsa.misc.event_type": "ZoneAddDevice", - "rsa.misc.mail_id": "dol", - "rsa.misc.node": "olup", - "rsa.network.alias_host": [ - "eiusmod3517.internal.invalid" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "accept", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "12-January-2018 22:18:32 high asnu3806.api.lan tamet <ationul 2018/01/12T22:18:32.mquisn queips4947.mail.example CylancePROTECT molestia quir eavolup Event Type: AppControl, Event Name: Registration, Device Name: labore, IP Address: (10.165.16.231), Action: accept, Action Type: uto, File Path: iuntNequ, SHA256: esseq, Zone Names: aincidun", - "file.directory": "iuntNequ", - "fileset.name": "protect", - "host.name": "queips4947.mail.example", - "input.type": "log", - "log.offset": 13316, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "queips4947.mail.example" - ], - "related.ip": [ - "10.165.16.231" - ], - "rsa.db.index": "aincidun", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AppControl", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.checksum": "esseq", - "rsa.misc.event_type": "Registration", - "rsa.misc.node": "labore", - "rsa.network.alias_host": [ - "queips4947.mail.example" - ], - "service.type": "cylance", - "source.ip": "10.165.16.231", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "DeviceRemove", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "27-January-2018 05:21:06 low oloreseo5039.test derit <dolor 2018-1-27T5:21:06.econs ntexpl3889.www.home CylancePROTECT yCic nder [mdolore] Event Type: Cic, Event Name: DeviceRemove, Device Name: saqu, 
Agent Version: iscive, IP Address: (10.156.34.19), MAC Address: (01:00:5e:54:ab:3f), Logged On Users: (imveni), OS: ariaturE Zone Names: stquid", - "fileset.name": "protect", - "host.mac": "01:00:5e:54:ab:3f", - "host.name": "ntexpl3889.www.home", - "input.type": "log", - "log.offset": 13667, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "ntexpl3889.www.home" - ], - "related.ip": [ - "10.156.34.19" - ], - "related.user": [ - "imveni" - ], - "rsa.db.index": "stquid", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1804020000, - "rsa.investigations.event_cat_name": "Network.Devices.Removals", - "rsa.investigations.event_vcat": "Cic", - "rsa.misc.OS": "ariaturE", - "rsa.misc.event_type": "DeviceRemove", - "rsa.misc.node": "saqu", - "rsa.network.alias_host": [ - "ntexpl3889.www.home" - ], - "rsa.network.eth_host": "01:00:5e:54:ab:3f", - "service.type": "cylance", - "source.ip": "10.156.34.19", - "tags": [ - "cylance.protect", - "forwarded" - ], - "user.name": "imveni" - }, - { - "event.action": "Registration", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "ree 2018-2-10T12:23:41.saquaea ation6657.www.home CylancePROTECT iatqu lorsi repreh Event Type: AuditLog, Event Name: Registration, Message: sitamet, User: utlabo tetur (tionula)", - "fileset.name": "protect", - "host.name": "ation6657.www.home", - "input.type": "log", - "log.offset": 14019, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "ation6657.www.home" - ], - "rsa.db.index": "sitamet", - "rsa.identity.firstname": "utlabo", - "rsa.identity.lastname": "tetur", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - 
"rsa.misc.event_type": "Registration", - "rsa.misc.mail_id": "tionula", - "rsa.network.alias_host": [ - "ation6657.www.home" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "DeviceRemove", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "24-Feb-2018 7:26:15 very-high idolor3916.www5.home tas <tasun 24T19:26:15.duntutla ntium4450.www5.localdomain CylancePROTECT Event Name:DeviceRemove, Device Name:vol, Agent Version:oremquel, IP Address: (10.22.94.10), MAC Address: (01:00:5e:ee:e8:77), Logged On Users: (ssusci), OS:animid, Zone Names:mpo", - "fileset.name": "protect", - "host.mac": "01:00:5e:ee:e8:77", - "host.name": "ntium4450.www5.localdomain", - "input.type": "log", - "log.offset": 14198, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "ntium4450.www5.localdomain" - ], - "related.ip": [ - "10.22.94.10" - ], - "related.user": [ - "ssusci" - ], - "rsa.db.index": "mpo", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1804020000, - "rsa.investigations.event_cat_name": "Network.Devices.Removals", - "rsa.misc.OS": "animid", - "rsa.misc.event_type": "DeviceRemove", - "rsa.misc.node": "vol", - "rsa.network.alias_host": [ - "ntium4450.www5.localdomain" - ], - "rsa.network.eth_host": "01:00:5e:ee:e8:77", - "service.type": "cylance", - "source.ip": "10.22.94.10", - "tags": [ - "cylance.protect", - "forwarded" - ], - "user.name": "ssusci" - }, - { - "event.action": "DeviceEdit", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "llam 2018-3-11T2:28:49.cti aparia1179.www.localdomain CylancePROTECT rever ore offici Event Type: AuditLog, Event Name: DeviceEdit, Message: Devices: metco, User: acom ceroinB (nim)", - "fileset.name": "protect", - "host.name": 
"aparia1179.www.localdomain", - "input.type": "log", - "log.offset": 14512, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "aparia1179.www.localdomain" - ], - "rsa.identity.firstname": "acom", - "rsa.identity.lastname": "ceroinB", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "DeviceEdit", - "rsa.misc.mail_id": "nim", - "rsa.misc.node": "metco", - "rsa.network.alias_host": [ - "aparia1179.www.localdomain" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "LoginSuccess", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "25-March-2018 09:31:24 medium taliqui5348.mail.localdomain loremag <iatqu 2018-3-25T9:31:24.inBCSedu erspi5757.local CylancePROTECT suntex iacons [occaec] Event Type: DeviceControl, Event Name: LoginSuccess, Device Name: uov, External Device Type: quaeab, External Device Vendor ID: fici, External Device Name: imve, External Device Product ID: quide, External Device Serial Number: quaU, Zone Names: undeomni", - "fileset.name": "protect", - "host.name": "erspi5757.local", - "input.type": "log", - "log.offset": 14694, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "erspi5757.local" - ], - "rsa.db.index": "undeomni", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1401060000, - "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", - "rsa.investigations.event_vcat": " DeviceControl", - "rsa.misc.event_type": "LoginSuccess", - "rsa.misc.node": "uov", - "rsa.misc.serial_number": "quaU", - "rsa.network.alias_host": [ - "erspi5757.local" - ], - "service.type": 
"cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "fullaccess", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "liquid 2018-4-8T4:33:58.enim Finibus1411.www5.corp CylancePROTECT xea taed umdolo Event Type: AuditLog, Event Name: fullaccess, Message: Policy Assigned:rroqu; Devices: dquiaco , User: nibus vitaed (ser)", - "fileset.name": "protect", - "host.name": "Finibus1411.www5.corp", - "input.type": "log", - "log.offset": 15109, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "Finibus1411.www5.corp" - ], - "rsa.identity.firstname": "nibus", - "rsa.identity.lastname": "vitaed", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "fullaccess", - "rsa.misc.mail_id": "ser", - "rsa.misc.node": "dquiaco", - "rsa.misc.policy_name": "rroqu", - "rsa.network.alias_host": [ - "Finibus1411.www5.corp" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "threat_found", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "Apr 22 11:36:32 upt7879.www5.example CylancePROTECT Event Type:idolo, Event Name:threat_found, Device Message: Device: edolo; Zones Removed: ugiatquo; Zones Added: ntium, User: uptate lloinven (econs), Zone Names:lmolesti Device Id: apariatu", - "fileset.name": "protect", - "input.type": "log", - "log.offset": 15313, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "rsa.db.index": "lmolesti", - "rsa.identity.firstname": "uptate", - "rsa.identity.lastname": "lloinven", - "rsa.internal.messageid": "CylancePROTECT", - 
"rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "idolo", - "rsa.misc.device_name": "edolo", - "rsa.misc.event_type": "threat_found", - "rsa.misc.mail_id": "econs", - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "allow", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "May 2018/05/07 06:39:06 erspi4926.www5.test CylancePROTECT Event Type: AppControl, incidid quin [autemv] Event Type: AppControl, Event Name: PolicyAdd, Device Name: fugits, IP Address: (10.153.34.43), Action: allow, Action Type: acommo, File Path: isi, SHA256: culpaq, Zone Names: saute", - "file.directory": "isi", - "fileset.name": "protect", - "input.type": "log", - "log.offset": 15555, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.ip": [ - "10.153.34.43" - ], - "rsa.db.index": "saute", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502030000, - "rsa.investigations.event_cat_name": "Policies.Rules.Added", - "rsa.investigations.event_vcat": " AppControl", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.checksum": "culpaq", - "rsa.misc.event_type": "PolicyAdd", - "rsa.misc.node": "fugits", - "service.type": "cylance", - "source.ip": "10.153.34.43", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "threat_found", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2018-5-21T1:41:41.abor magnid3343.home CylancePROTECT tesseq niam [pernat] Event Type: DeviceControl, Event Name: threat_found, Device Name: gitse, External Device Type: ugitse, External Device Vendor ID: quiineav, External Device Name: billoinv, External Device Product ID: sci, External Device Serial Number: col, Zone Names: obea", 
- "fileset.name": "protect", - "host.name": "magnid3343.home", - "input.type": "log", - "log.offset": 15842, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "magnid3343.home" - ], - "rsa.db.index": "obea", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " DeviceControl", - "rsa.misc.event_type": "threat_found", - "rsa.misc.node": "gitse", - "rsa.misc.serial_number": "col", - "rsa.network.alias_host": [ - "magnid3343.home" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "ThreatUpdated", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "4-Jun-2018 8:44:15 high uptatem4483.localhost inrepr <umdolors 4T20:44:15.dolori asperna7623.www.home CylancePROTECT Event Name:ThreatUpdated, Message: Device:dexewas auto assigned to Zone:tat, User:onproide", - "fileset.name": "protect", - "host.name": "asperna7623.www.home", - "input.type": "log", - "log.offset": 16175, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "asperna7623.www.home" - ], - "rsa.identity.firstname": "onproide", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.event_type": "ThreatUpdated", - "rsa.misc.node": "dexe", - "rsa.network.alias_host": [ - "asperna7623.www.home" - ], - "rsa.network.zone": "tat", - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "allow", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "riosa 2018-6-19T3:46:49.tNe pisc3553.internal.home 
CylancePROTECT rautod olest eataev Event Type: ExploitAttempt, Event Name: DeviceEdit, Device Name: ritati, IP Address: (10.43.110.203), Action: allow, Process ID: 1359, Process Name: nim.exe, User Name: ame, Violation Type: amvolu, Zone Names: mip", - "fileset.name": "protect", - "host.name": "pisc3553.internal.home", - "input.type": "log", - "log.offset": 16388, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "process.name": "nim.exe", - "process.pid": 1359, - "related.hosts": [ - "pisc3553.internal.home" - ], - "related.ip": [ - "10.43.110.203" - ], - "related.user": [ - "ame" - ], - "rsa.db.index": "mip", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " ExploitAttempt", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.event_type": "DeviceEdit", - "rsa.misc.node": "ritati", - "rsa.misc.policy_name": "amvolu", - "rsa.network.alias_host": [ - "pisc3553.internal.home" - ], - "service.type": "cylance", - "source.ip": "10.43.110.203", - "tags": [ - "cylance.protect", - "forwarded" - ], - "user.name": "ame" - }, - { - "event.action": "block", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "3-July-2018 10:49:23 medium iame4937.local tiumd <mexer 2018/07/03T10:49:23.estla uipexe7153.api.corp CylancePROTECT saqu remips illoi Event Type: AppControl, Event Name: ZoneAdd, Device Name: abori, IP Address: (10.127.20.244), Action: block, Action Type: uelauda, File Path: ema, SHA256: odi, Zone Names: ptatems", - "file.directory": "ema", - "fileset.name": "protect", - "host.name": "uipexe7153.api.corp", - "input.type": "log", - "log.offset": 16688, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "uipexe7153.api.corp" - ], - "related.ip": [ - 
"10.127.20.244" - ], - "rsa.db.index": "ptatems", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AppControl", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.checksum": "odi", - "rsa.misc.event_type": "ZoneAdd", - "rsa.misc.node": "abori", - "rsa.network.alias_host": [ - "uipexe7153.api.corp" - ], - "service.type": "cylance", - "source.ip": "10.127.20.244", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "LoginSuccess", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "nde 2018-7-17T5:51:58.abillo undeom845.www5.example CylancePROTECT quaer eetdo [tlab] Event Type: ScriptControl, Event Name: LoginSuccess, Device Name: liq, File Path: seddoeiu, Interpreter: nse, Interpreter Version: 1.3421, Zone Names: quira, User Name: tassita", - "file.directory": "seddoeiu", - "fileset.name": "protect", - "host.name": "undeom845.www5.example", - "input.type": "log", - "log.offset": 17011, - "network.application": "nse", - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "observer.version": "1.3421", - "related.hosts": [ - "undeom845.www5.example" - ], - "related.user": [ - "tassita" - ], - "rsa.db.index": "quira", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1401060000, - "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", - "rsa.misc.event_type": "LoginSuccess", - "rsa.misc.node": "liq", - "rsa.misc.version": "1.3421", - "rsa.network.alias_host": [ - "undeom845.www5.example" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ], - "user.name": "tassita" - }, - { - "event.action": "threat_changed", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - 
"event.original": "Aug 1 12:54:32 atis6201.internal.invalid CylancePROTECT Event Type:nisiut, Event Name:threat_changed, Message: Device:quirawas auto assigned to Zone:rror, User:tatema", - "fileset.name": "protect", - "input.type": "log", - "log.offset": 17274, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "rsa.identity.firstname": "tatema", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "nisiut", - "rsa.misc.event_type": "threat_changed", - "rsa.misc.node": "quira", - "rsa.network.zone": "rror", - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "DeviceRemove", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "15-August-2018 07:57:06 low tperspic7591.www.lan ict <tem 2018-8-15T7:57:06.mestq ura675.mail.localdomain CylancePROTECT eleumiu uei Nequepo Event Type: DeviceControl, Event Name: DeviceRemove, Device Name: seddo, External Device Type: uam, External Device Vendor ID: orumSec, External Device Name: nisiuta, External Device Product ID: stiaecon, External Device Serial Number: dol, Zone Names: sumquiad", - "fileset.name": "protect", - "host.name": "ura675.mail.localdomain", - "input.type": "log", - "log.offset": 17441, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "ura675.mail.localdomain" - ], - "rsa.db.index": "sumquiad", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1804020000, - "rsa.investigations.event_cat_name": "Network.Devices.Removals", - "rsa.investigations.event_vcat": " DeviceControl", - "rsa.misc.event_type": "DeviceRemove", - "rsa.misc.node": "seddo", - "rsa.misc.serial_number": "dol", - "rsa.network.alias_host": [ - 
"ura675.mail.localdomain" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "threat_quarantined", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "29-August-2018 14:59:40 high oeni179.api.localhost gna <lumqu 2018-8-29T2:59:40.onulamco ons5050.mail.test CylancePROTECT unt tass [tiumdol] Event Type: Threat, Event Name: threat_quarantined, Device Name: mquiad, IP Address: (10.48.209.115), File Name: psa, Path: nculpaq, Drive Type: reseosqu, SHA256: sequat, MD5: lor, Status: ccaec, Cylance Score: 75.498000, Found Date: ommo, File Type: iame, Is Running: laudanti, Auto Run: umiurer, Detected By: rere, Zone Names: cta, Is Malware: aevi, Is Unique To Cylance: uameiusm, Threat Classification: adm", - "file.directory": "nculpaq", - "file.name": "psa", - "file.type": "iame", - "fileset.name": "protect", - "host.name": "ons5050.mail.test", - "input.type": "log", - "log.offset": 17854, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "ons5050.mail.test" - ], - "related.ip": [ - "10.48.209.115" - ], - "rsa.crypto.sig_type": "adm", - "rsa.db.index": "cta", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " Threat", - "rsa.misc.checksum": "sequat", - "rsa.misc.event_state": "ccaec", - "rsa.misc.event_type": "threat_quarantined", - "rsa.misc.node": "mquiad", - "rsa.network.alias_host": [ - "ons5050.mail.test" - ], - "rsa.web.reputation_num": 75.498, - "service.type": "cylance", - "source.ip": "10.48.209.115", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "ThreatUpdated", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "12-September-2018 
22:02:15 medium mnihilm1903.internal.host ditautf <ori 2018-9-12T10:02:15.uamqu olori4584.mail.domain CylancePROTECT sunt autfugit emUte Event Type: AuditLog, Event Name: ThreatUpdated, Message: Zone: nturmag; Policy: tura; Value: osquirat, User: equat aliquid (usantiu)", - "fileset.name": "protect", - "host.name": "olori4584.mail.domain", - "input.type": "log", - "log.offset": 18416, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "olori4584.mail.domain" - ], - "rsa.db.index": "nturmag", - "rsa.identity.firstname": "equat", - "rsa.identity.lastname": "aliquid", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "ThreatUpdated", - "rsa.misc.mail_id": "usantiu", - "rsa.misc.policy_name": "tura", - "rsa.network.alias_host": [ - "olori4584.mail.domain" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "PolicyAdd", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "27-Sep-2018 5:04:49 very-high trudex4443.www5.localhost lor <eseruntm 27T05:04:49.lpaquiof oloreeu7597.mail.home CylancePROTECT Event Name:PolicyAdd, Device Name:nula, Agent Version:quiacons, IP Address: (10.7.99.47), MAC Address: (01:00:5e:e8:41:ae), Logged On Users: (evolupta), OS:teturadi, Zone Names:ditau", - "fileset.name": "protect", - "host.mac": "01:00:5e:e8:41:ae", - "host.name": "oloreeu7597.mail.home", - "input.type": "log", - "log.offset": 18714, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "oloreeu7597.mail.home" - ], - "related.ip": [ - "10.7.99.47" - ], - "related.user": [ - "evolupta" - ], - "rsa.db.index": "ditau", - "rsa.internal.messageid": 
"CylancePROTECT", - "rsa.investigations.event_cat": 1502030000, - "rsa.investigations.event_cat_name": "Policies.Rules.Added", - "rsa.misc.OS": "teturadi", - "rsa.misc.event_type": "PolicyAdd", - "rsa.misc.node": "nula", - "rsa.network.alias_host": [ - "oloreeu7597.mail.home" - ], - "rsa.network.eth_host": "01:00:5e:e8:41:ae", - "service.type": "cylance", - "source.ip": "10.7.99.47", - "tags": [ - "cylance.protect", - "forwarded" - ], - "user.name": "evolupta" - }, - { - "event.action": "Device Updated", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "hend 2018-10-11T12:07:23.eacommo ueip5847.api.test CylancePROTECT umd sciveli [dolorem] Event Type: sed, Event Name: Device Updated, Threat Class: Nemoenim, Threat Subclass: usm, SHA256: labori, MD5: porai", - "fileset.name": "protect", - "host.name": "ueip5847.api.test", - "input.type": "log", - "log.offset": 19032, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "ueip5847.api.test" - ], - "rsa.crypto.sig_type": "Nemoenim", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1804010000, - "rsa.investigations.event_cat_name": "Network.Devices.Additions", - "rsa.investigations.event_vcat": "sed", - "rsa.misc.checksum": "labori", - "rsa.misc.event_type": "Device Updated", - "rsa.network.alias_host": [ - "ueip5847.api.test" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "SystemSecurity", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "ostr 2018-10-25T7:09:57.sec uid3520.www.home CylancePROTECT eFini ectob [mrema] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: prehend, File Path: eufug, Interpreter: roquisq, Interpreter Version: 1.989 (est), Zone Names: civelits, User Name: ici", - 
"file.directory": "eufug", - "fileset.name": "protect", - "host.name": "uid3520.www.home", - "input.type": "log", - "log.offset": 19238, - "network.application": "roquisq", - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "observer.version": "1.989", - "related.hosts": [ - "uid3520.www.home" - ], - "related.user": [ - "ici" - ], - "rsa.db.index": "civelits", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1600000000, - "rsa.investigations.event_cat_name": "System", - "rsa.investigations.event_vcat": " ScriptControl", - "rsa.misc.event_type": "SystemSecurity", - "rsa.misc.node": "prehend", - "rsa.misc.version": "1.989", - "rsa.network.alias_host": [ - "uid3520.www.home" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ], - "user.name": "ici" - }, - { - "event.action": "SyslogSettingsSave", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "Nov 9 2:12:32 miurerep3693.mail.localhost CylancePROTECT Event Type:iduntu, Event Name:SyslogSettingsSave, Device Name:inibusB, Zone Names:nostrud", - "fileset.name": "protect", - "input.type": "log", - "log.offset": 19506, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "rsa.db.index": "nostrud", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "iduntu", - "rsa.misc.event_type": "SyslogSettingsSave", - "rsa.misc.node": "inibusB", - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "SyslogSettingsSave", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "Nov 23 9:15:06 esse3795.www.host CylancePROTECT Event Type:pariatur, Event 
Name:SyslogSettingsSave, Message: The Device:imaveniawas auto assigned to Zone:expli, User:ugiat", - "fileset.name": "protect", - "input.type": "log", - "log.offset": 19653, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "rsa.identity.firstname": "ugiat", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "pariatur", - "rsa.misc.event_type": "SyslogSettingsSave", - "rsa.misc.node": "imavenia", - "rsa.network.zone": "expli", - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "SystemSecurity", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "bore 2018-12-7T4:17:40.ptate teir7585.www5.localdomain CylancePROTECT quu xeac [llitanim] Event Type: AuditLog, Event Name: SystemSecurity, Message: Devices: oreverit, User: scip Finibus (Utenimad)", - "fileset.name": "protect", - "host.name": "teir7585.www5.localdomain", - "input.type": "log", - "log.offset": 19825, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "teir7585.www5.localdomain" - ], - "rsa.identity.firstname": "scip", - "rsa.identity.lastname": "Finibus", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1600000000, - "rsa.investigations.event_cat_name": "System", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "SystemSecurity", - "rsa.misc.mail_id": "Utenimad", - "rsa.misc.node": "oreverit", - "rsa.network.alias_host": [ - "teir7585.www5.localdomain" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "SyslogSettingsSave", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", 
- "event.original": "Dec 21 11:20:14 hen1901.example CylancePROTECT Event Type:ali, Event Name:SyslogSettingsSave, Device Name:quunt, External Device Type:itasp, External Device Vendor ID:qui, External Device Name:equeporr, External Device Product ID:met, External Device Serial Number:volup, Zone Names:ptate, Device Id: entsu, Policy Name: conse", - "fileset.name": "protect", - "input.type": "log", - "log.offset": 20023, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "rsa.db.index": "ptate", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "ali", - "rsa.misc.device_name": "itasp", - "rsa.misc.event_type": "SyslogSettingsSave", - "rsa.misc.node": "quunt", - "rsa.misc.policy_name": "conse", - "rsa.misc.serial_number": "volup", - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "Alert", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "Jan 5 6:22:49 mag4267.www.test CylancePROTECT Event Type:atura, Event Name:Alert, Device Message: Device: oreeu User: ),nvo (iamqui tassita Zone Names: colabori Device Id: imidestl", - "fileset.name": "protect", - "input.type": "log", - "log.offset": 20350, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "rsa.db.index": "colabori", - "rsa.identity.firstname": "tassita", - "rsa.identity.lastname": "iamqui", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1609000000, - "rsa.investigations.event_cat_name": "System.Alerts", - "rsa.investigations.event_vcat": "atura", - "rsa.misc.device_name": "oreeu", - "rsa.misc.event_type": "Alert", - "rsa.misc.mail_id": "nvo", - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - 
{ - "event.action": "ZoneAddDevice", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2019-1-19T1:25:23.minimve serrorsi1096.www5.localdomain CylancePROTECT lamco cit [siar] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: The Device: reetdo was auto assigned to the Zone: IP Address: Fake Devices, User: ()ever", - "fileset.name": "protect", - "host.name": "serrorsi1096.www5.localdomain", - "input.type": "log", - "log.offset": 20531, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "serrorsi1096.www5.localdomain" - ], - "rsa.db.index": "The Device: reetdo was auto assigned to the Zone: IP Address: Fake Devices", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "ZoneAddDevice", - "rsa.misc.mail_id": "ever", - "rsa.misc.node": "reetdo", - "rsa.network.alias_host": [ - "serrorsi1096.www5.localdomain" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "SystemSecurity", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "quiav 2019-2-2T8:27:57.mse prehen4807.mail.invalid CylancePROTECT liqua ariatur [labo] Event Type: DeviceControl, Event Name: SystemSecurity, Device Name: remq, External Device Type: unt, External Device Vendor ID: tla, External Device Name: arch, External Device Product ID: lite, External Device Serial Number: ugia, Zone Names: meum", - "fileset.name": "protect", - "host.name": "prehen4807.mail.invalid", - "input.type": "log", - "log.offset": 20766, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "prehen4807.mail.invalid" - ], - 
"rsa.db.index": "meum", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1600000000, - "rsa.investigations.event_cat_name": "System", - "rsa.investigations.event_vcat": " DeviceControl", - "rsa.misc.event_type": "SystemSecurity", - "rsa.misc.node": "remq", - "rsa.misc.serial_number": "ugia", - "rsa.network.alias_host": [ - "prehen4807.mail.invalid" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "threat_found", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "Feb 17 3:30:32 nvolupta126.www.domain CylancePROTECT Event Type:quas, Event Name:threat_found, Device Name:orp, File Path:ender, Interpreter:dico, Interpreter Version:1.5848, Zone Names:Utenima, User Name: olore", - "file.name": "ender", - "fileset.name": "protect", - "input.type": "log", - "log.offset": 21102, - "network.application": "dico", - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "observer.version": "1.5848", - "related.user": [ - "olore" - ], - "rsa.db.index": "Utenima", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "quas", - "rsa.misc.event_type": "threat_found", - "rsa.misc.node": "orp", - "rsa.misc.version": "1.5848", - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ], - "user.name": "olore" - }, - { - "event.action": "DeviceRemove", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "3-March-2019 10:33:06 medium radip4253.www.corp gna <quamnih 2019-3-3T10:33:06.asnulap yCiceroi5998.mail.home CylancePROTECT inc tect uiad Event Type: DeviceControl, Event Name: DeviceRemove, Device Name: roinBCSe, External Device Type: maperiam, External Device 
Vendor ID: mSec, External Device Name: smoditem, External Device Product ID: tatisetq, External Device Serial Number: uidolo, Zone Names: umdolore", - "fileset.name": "protect", - "host.name": "yCiceroi5998.mail.home", - "input.type": "log", - "log.offset": 21314, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "yCiceroi5998.mail.home" - ], - "rsa.db.index": "umdolore", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1804020000, - "rsa.investigations.event_cat_name": "Network.Devices.Removals", - "rsa.investigations.event_vcat": " DeviceControl", - "rsa.misc.event_type": "DeviceRemove", - "rsa.misc.node": "roinBCSe", - "rsa.misc.serial_number": "uidolo", - "rsa.network.alias_host": [ - "yCiceroi5998.mail.home" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "ZoneAdd", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2019-3-17T5:35:40.abori sit1400.www.lan CylancePROTECT ames amni [tatio] Event Type: AuditLog, Event Name: ZoneAdd, Message: Zone: ntsunti; Policy: borios; Value: ani, User: uid idatat (onev)", - "fileset.name": "protect", - "host.name": "sit1400.www.lan", - "input.type": "log", - "log.offset": 21729, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "sit1400.www.lan" - ], - "rsa.db.index": "ntsunti", - "rsa.identity.firstname": "uid", - "rsa.identity.lastname": "idatat", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "ZoneAdd", - "rsa.misc.mail_id": "onev", - "rsa.misc.policy_name": "borios", - "rsa.network.alias_host": [ - "sit1400.www.lan" - ], - "service.type": "cylance", 
- "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "Device Policy Assigned", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "iosamni 2019-4-1T12:38:14.idu sis3986.internal.lan CylancePROTECT tsedquia its umdolor Event Type: isiu, Event Name: Device Policy Assigned, Device Name: mmodi, Agent Version: snostr, IP Address: (10.232.90.3), MAC Address: (01:00:5e:e6:a6:a2), Logged On Users: (midestl), OS: nci", - "fileset.name": "protect", - "host.mac": "01:00:5e:e6:a6:a2", - "host.name": "sis3986.internal.lan", - "input.type": "log", - "log.offset": 21921, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "sis3986.internal.lan" - ], - "related.ip": [ - "10.232.90.3" - ], - "related.user": [ - "midestl" - ], - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502000000, - "rsa.investigations.event_cat_name": "Policies.Rules", - "rsa.investigations.event_vcat": "isiu", - "rsa.misc.OS": "nci", - "rsa.misc.event_type": "Device Policy Assigned", - "rsa.misc.node": "mmodi", - "rsa.network.alias_host": [ - "sis3986.internal.lan" - ], - "rsa.network.eth_host": "01:00:5e:e6:a6:a2", - "service.type": "cylance", - "source.ip": "10.232.90.3", - "tags": [ - "cylance.protect", - "forwarded" - ], - "user.name": "midestl" - }, - { - "event.action": "Device Updated", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "hilmole 2019-4-15T7:40:49.sequ sectetu7182.localdomain CylancePROTECT dolor lorumwri [amnihil] Event Type: orissus, Event Name: Device Updated, uido", - "fileset.name": "protect", - "host.name": "sectetu7182.localdomain", - "input.type": "log", - "log.offset": 22202, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - 
"sectetu7182.localdomain" - ], - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1804010000, - "rsa.investigations.event_cat_name": "Network.Devices.Additions", - "rsa.investigations.event_vcat": "orissus", - "rsa.misc.event_type": "Device Updated", - "rsa.network.alias_host": [ - "sectetu7182.localdomain" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "ZoneAdd", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2019-4-29T2:43:23.itse officiad4982.www5.domain CylancePROTECT lumqui quiavolu [upta] Event Type: AuditLog, Event Name: ZoneAdd, Message: Device: umtota; User: etdolore magnaa (sumquiad)", - "fileset.name": "protect", - "host.name": "officiad4982.www5.domain", - "input.type": "log", - "log.offset": 22351, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "officiad4982.www5.domain" - ], - "rsa.identity.firstname": "etdolore", - "rsa.identity.lastname": "magnaa", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "ZoneAdd", - "rsa.misc.mail_id": "sumquiad", - "rsa.misc.node": "umtota", - "rsa.network.alias_host": [ - "officiad4982.www5.domain" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "pechange", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2019-5-13T9:45:57.Duisa consequa1486.internal.localdomain CylancePROTECT aevitaed byCic [leumiur] Event Type: ptatemse, Event Name: pechange, Threat Class: quaeratv, Threat Subclass: involu, SHA256: tobeata, MD5: nesciun", - "fileset.name": "protect", - "host.name": 
"consequa1486.internal.localdomain", - "input.type": "log", - "log.offset": 22538, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "consequa1486.internal.localdomain" - ], - "rsa.crypto.sig_type": "quaeratv", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "ptatemse", - "rsa.misc.checksum": "tobeata", - "rsa.misc.event_type": "pechange", - "rsa.network.alias_host": [ - "consequa1486.internal.localdomain" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "threat_changed", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "onorumet 2019-5-28T4:48:31.ptatema eavolup6981.www5.example CylancePROTECT psaquaea rchit psumq Event Type: DeviceControl, Event Name: threat_changed, Device Name: lum, External Device Type: xerc, External Device Vendor ID: ctetura, External Device Name: msequ, External Device Product ID: nvol, External Device Serial Number: enimadmi, Zone Names: tateveli", - "fileset.name": "protect", - "host.name": "eavolup6981.www5.example", - "input.type": "log", - "log.offset": 22759, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "eavolup6981.www5.example" - ], - "rsa.db.index": "tateveli", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " DeviceControl", - "rsa.misc.event_type": "threat_changed", - "rsa.misc.node": "lum", - "rsa.misc.serial_number": "enimadmi", - "rsa.network.alias_host": [ - "eavolup6981.www5.example" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - 
"event.action": "fullaccess", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2019-6-11T11:51:06.oremip its6443.mail.example CylancePROTECT natuserr ostrudex [nse] Event Type: miurere, Event Name: fullaccess, Device Name: tlabo, Agent Version: tatemse, IP Address: (10.139.80.71), MAC Address: (01:00:5e:bc:c1:21), Logged On Users: (orem), OS: eniamqui", - "fileset.name": "protect", - "host.mac": "01:00:5e:bc:c1:21", - "host.name": "its6443.mail.example", - "input.type": "log", - "log.offset": 23117, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "its6443.mail.example" - ], - "related.ip": [ - "10.139.80.71" - ], - "related.user": [ - "orem" - ], - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "miurere", - "rsa.misc.OS": "eniamqui", - "rsa.misc.event_type": "fullaccess", - "rsa.misc.node": "tlabo", - "rsa.network.alias_host": [ - "its6443.mail.example" - ], - "rsa.network.eth_host": "01:00:5e:bc:c1:21", - "service.type": "cylance", - "source.ip": "10.139.80.71", - "tags": [ - "cylance.protect", - "forwarded" - ], - "user.name": "orem" - }, - { - "event.action": "SyslogSettingsSave", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "25-June-2019 18:53:40 high tnulapa7580.www.domain adeser <doeiu 2019-6-25T6:53:40.onsectet dentsunt6061.www5.home CylancePROTECT tobeata imven onnumqua Event Type: quioff, Event Name: SyslogSettingsSave, Device Names: (upt), Policy Name: atatnonp, User: nvol dtemp (mquis)", - "fileset.name": "protect", - "host.name": "dentsunt6061.www5.home", - "input.type": "log", - "log.offset": 23392, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - 
"related.hosts": [ - "dentsunt6061.www5.home" - ], - "rsa.identity.firstname": "nvol", - "rsa.identity.lastname": "dtemp", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "quioff", - "rsa.misc.event_type": "SyslogSettingsSave", - "rsa.misc.mail_id": "mquis", - "rsa.misc.node": "upt", - "rsa.misc.policy_name": "atatnonp", - "rsa.network.alias_host": [ - "dentsunt6061.www5.home" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "SyslogSettingsSave", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "10-July-2019 01:56:14 medium midest133.www5.example tocca <ntor 2019-7-10T1:56:14.oinBCSed oid218.api.invalid CylancePROTECT roquisqu ariat midestl Event Type: AuditLog, Event Name: SyslogSettingsSave, Message: mcorpori, User: mqu pteursi (orsitam)", - "fileset.name": "protect", - "host.name": "oid218.api.invalid", - "input.type": "log", - "log.offset": 23674, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "oid218.api.invalid" - ], - "rsa.db.index": "mcorpori", - "rsa.identity.firstname": "mqu", - "rsa.identity.lastname": "pteursi", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "SyslogSettingsSave", - "rsa.misc.mail_id": "orsitam", - "rsa.network.alias_host": [ - "oid218.api.invalid" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "Alert", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "totamre 2019-7-24T8:58:48.rpo 
velites4233.internal.home CylancePROTECT uisaute uun end Event Type: odocons, Event Name: Alert, Threat Class: asp, Threat Subclass: dexercit, SHA256: amn, MD5: itessequ", - "fileset.name": "protect", - "host.name": "velites4233.internal.home", - "input.type": "log", - "log.offset": 23933, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "velites4233.internal.home" - ], - "rsa.crypto.sig_type": "asp", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1609000000, - "rsa.investigations.event_cat_name": "System.Alerts", - "rsa.investigations.event_vcat": "odocons", - "rsa.misc.checksum": "amn", - "rsa.misc.event_type": "Alert", - "rsa.network.alias_host": [ - "velites4233.internal.home" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "Alert", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "7-August-2019 16:01:23 low sumd3215.test aUtenima <taevi 2019-8-7T4:01:23.uames tconsec7604.corp CylancePROTECT laboree udantiu [itametco] Event Type: Threat, Event Name: Alert, Device Name: stiaecon, IP Address: (10.223.246.244), File Name: itl, Path: ttenb, Drive Type: olor, SHA256: quiav, MD5: gna, Status: Nem, Cylance Score: 105.845000, Found Date: lors, File Type: oluptat, Is Running: enimad, Auto Run: tis, Detected By: qua, Zone Names: con, Is Malware: tore, Is Unique To Cylance: sequatD, Threat Classification: ercitati", - "file.directory": "ttenb", - "file.name": "itl", - "file.type": "oluptat", - "fileset.name": "protect", - "host.name": "tconsec7604.corp", - "input.type": "log", - "log.offset": 24133, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "tconsec7604.corp" - ], - "related.ip": [ - "10.223.246.244" - ], - "rsa.crypto.sig_type": "ercitati", - 
"rsa.db.index": "con", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1609000000, - "rsa.investigations.event_cat_name": "System.Alerts", - "rsa.investigations.event_vcat": " Threat", - "rsa.misc.checksum": "quiav", - "rsa.misc.event_state": "Nem", - "rsa.misc.event_type": "Alert", - "rsa.misc.node": "stiaecon", - "rsa.network.alias_host": [ - "tconsec7604.corp" - ], - "rsa.web.reputation_num": 105.845, - "service.type": "cylance", - "source.ip": "10.223.246.244", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "threat_found", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "21-Aug-2019 11:03:57 high oeiusmo5035.api.local tconse <tseddoei 21T23:03:57.teursint etMa3452.www5.test CylancePROTECT Event Name:threat_found, Device Name:nturmag, File Path:uredol, Interpreter:maliqua, Interpreter Version:1.4613, Zone Names:mquia, User Name: omnisi, Device Id: etMalor, Policy Name: mco", - "file.name": "uredol", - "fileset.name": "protect", - "host.name": "etMa3452.www5.test", - "input.type": "log", - "log.offset": 24674, - "network.application": "maliqua", - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "observer.version": "1.4613", - "related.hosts": [ - "etMa3452.www5.test" - ], - "related.user": [ - "omnisi" - ], - "rsa.db.index": "mquia", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.event_type": "threat_found", - "rsa.misc.node": "nturmag", - "rsa.misc.policy_name": "mco", - "rsa.misc.version": "1.4613", - "rsa.network.alias_host": [ - "etMa3452.www5.test" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ], - "user.name": "omnisi" - }, - { - "event.action": "threat_found", - "event.code": "CylancePROTECT", - "event.dataset": 
"cylance.protect", - "event.module": "cylance", - "event.original": "5-September-2019 06:06:31 high taspe1205.mail.domain cti <nse 2019-9-5T6:06:31.mveniam tuser2694.internal.invalid CylancePROTECT tlaboru aeabillo [ciad] Event Type: ugiatqu, Event Name: threat_found, Device Names: (turveli), Policy Name: isciv, User: natus boreet (luptasnu)", - "fileset.name": "protect", - "host.name": "tuser2694.internal.invalid", - "input.type": "log", - "log.offset": 24986, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "tuser2694.internal.invalid" - ], - "rsa.identity.firstname": "natus", - "rsa.identity.lastname": "boreet", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "ugiatqu", - "rsa.misc.event_type": "threat_found", - "rsa.misc.mail_id": "luptasnu", - "rsa.misc.node": "turveli", - "rsa.misc.policy_name": "isciv", - "rsa.network.alias_host": [ - "tuser2694.internal.invalid" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "pechange", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "edqu 2019-9-19T1:09:05.tationu gnaaliq5240.api.test CylancePROTECT nula ameaquei [gnama] Event Type: esciun, Event Name: pechange, Threat Class: ratvo, Threat Subclass: ntutl, SHA256: volupt, MD5: ine", - "fileset.name": "protect", - "host.name": "gnaaliq5240.api.test", - "input.type": "log", - "log.offset": 25270, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "gnaaliq5240.api.test" - ], - "rsa.crypto.sig_type": "ratvo", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - 
"rsa.investigations.event_vcat": "esciun", - "rsa.misc.checksum": "volupt", - "rsa.misc.event_type": "pechange", - "rsa.network.alias_host": [ - "gnaaliq5240.api.test" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "LoginSuccess", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "3-Oct-2019 8:11:40 low ditaut33.mail.localhost iumdo <mea 3T20:11:40.ssec illum2625.test CylancePROTECT Event Name:LoginSuccess, Threat Class:iaeconse, Threat Subclass:uisa, SHA256:nimadmin, MD5:tdolo", - "fileset.name": "protect", - "host.name": "illum2625.test", - "input.type": "log", - "log.offset": 25471, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "illum2625.test" - ], - "rsa.crypto.sig_type": "iaeconse", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1401060000, - "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", - "rsa.misc.checksum": "nimadmin", - "rsa.misc.event_type": "LoginSuccess", - "rsa.network.alias_host": [ - "illum2625.test" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "PolicyAdd", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "18-October-2019 03:14:14 high porissus1225.www5.corp ddoe <ured 2019-10-18T3:14:14.ctetu oreeu6419.www.corp CylancePROTECT cul iinea snos Event Type: AuditLog, Event Name: PolicyAdd, Message: Device: moenimip; User: uames tium (ianonn)", - "fileset.name": "protect", - "host.name": "oreeu6419.www.corp", - "input.type": "log", - "log.offset": 25679, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "oreeu6419.www.corp" - ], - "rsa.identity.firstname": "uames", - 
"rsa.identity.lastname": "tium", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502030000, - "rsa.investigations.event_cat_name": "Policies.Rules.Added", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "PolicyAdd", - "rsa.misc.mail_id": "ianonn", - "rsa.misc.node": "moenimip", - "rsa.network.alias_host": [ - "oreeu6419.www.corp" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "PolicyAdd", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2019-11-1T10:16:48.tiset sci333.mail.home CylancePROTECT doloreeu lors eumfu Event Type: docons, Event Name: PolicyAdd, Device Names: (eumf), Policy Name: roquisq, User: uasi maveniam (uis)", - "fileset.name": "protect", - "host.name": "sci333.mail.home", - "input.type": "log", - "log.offset": 25925, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "sci333.mail.home" - ], - "rsa.identity.firstname": "uasi", - "rsa.identity.lastname": "maveniam", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502030000, - "rsa.investigations.event_cat_name": "Policies.Rules.Added", - "rsa.investigations.event_vcat": "docons", - "rsa.misc.event_type": "PolicyAdd", - "rsa.misc.mail_id": "uis", - "rsa.misc.node": "eumf", - "rsa.misc.policy_name": "roquisq", - "rsa.network.alias_host": [ - "sci333.mail.home" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "LoginSuccess", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "imi 2019-11-15T5:19:22.animi edutpers6452.api.host CylancePROTECT ntiumt sumquia vento Event Type: sitv, Event Name: LoginSuccess, Threat Class: com, Threat Subclass: rep, SHA256: mveni, MD5: aquae", - 
"fileset.name": "protect", - "host.name": "edutpers6452.api.host", - "input.type": "log", - "log.offset": 26115, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "edutpers6452.api.host" - ], - "rsa.crypto.sig_type": "com", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1401060000, - "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", - "rsa.investigations.event_vcat": "sitv", - "rsa.misc.checksum": "mveni", - "rsa.misc.event_type": "LoginSuccess", - "rsa.network.alias_host": [ - "edutpers6452.api.host" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "deny", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "30-November-2019 00:21:57 low iaturE3103.api.domain aturve <iatu 2019/11/30T00:21:57.use nulamc5617.mail.host CylancePROTECT teturad ese [eddoei] Event Type: AppControl, Event Name: SystemSecurity, Device Name: ntu, IP Address: (10.134.137.205), Action: deny, Action Type: duntut, File Path: emporin, SHA256: oreseosq, Zone Names: etquasia", - "file.directory": "emporin", - "fileset.name": "protect", - "host.name": "nulamc5617.mail.host", - "input.type": "log", - "log.offset": 26313, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "nulamc5617.mail.host" - ], - "related.ip": [ - "10.134.137.205" - ], - "rsa.db.index": "etquasia", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1600000000, - "rsa.investigations.event_cat_name": "System", - "rsa.investigations.event_vcat": " AppControl", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.checksum": "oreseosq", - "rsa.misc.event_type": "SystemSecurity", - "rsa.misc.node": "ntu", - "rsa.network.alias_host": [ - "nulamc5617.mail.host" - ], - "service.type": 
"cylance", - "source.ip": "10.134.137.205", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "threat_found", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2019-12-14T7:24:31.cinge tatem4713.internal.host CylancePROTECT elites pariat [nimip] Event Type: AuditLog, Event Name: threat_found, Message: Zone: usci; Policy: unturmag; Value: dexeaco, User: lupta ura (oreeufug)", - "fileset.name": "protect", - "host.name": "tatem4713.internal.host", - "input.type": "log", - "log.offset": 26662, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "tatem4713.internal.host" - ], - "rsa.db.index": "usci", - "rsa.identity.firstname": "lupta", - "rsa.identity.lastname": "ura", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "threat_found", - "rsa.misc.mail_id": "oreeufug", - "rsa.misc.policy_name": "unturmag", - "rsa.network.alias_host": [ - "tatem4713.internal.host" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - } -] \ No newline at end of file diff --git a/x-pack/filebeat/modules.d/cylance.yml.disabled b/x-pack/filebeat/modules.d/cylance.yml.disabled deleted file mode 100644 index 48cbb166e82..00000000000 --- a/x-pack/filebeat/modules.d/cylance.yml.disabled +++ /dev/null 
@@ -1,22 +0,0 @@ -# Module: cylance -# Docs: https://www.elastic.co/guide/en/beats/filebeat/main/filebeat-module-cylance.html - -- module: cylance - protect: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9508 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local From 5c41a53a475da7b90cb4afc09d29d7988905c529 Mon Sep 17 00:00:00 2001 
From: Panos Koutsovasilis Date: Thu, 15 Feb 2024 13:36:25 +0200 Subject: [PATCH 06/22] feat: remove deprecated f5 --- filebeat/docs/fields.asciidoc | 5435 -------------- filebeat/docs/modules_list.asciidoc | 2 - x-pack/filebeat/filebeat.reference.yml | 40 - x-pack/filebeat/include/list.go | 1 - x-pack/filebeat/module/f5/README.md | 7 - x-pack/filebeat/module/f5/_meta/config.yml | 38 - x-pack/filebeat/module/f5/_meta/docs.asciidoc | 119 - x-pack/filebeat/module/f5/_meta/fields.yml | 5 - .../module/f5/bigipafm/_meta/fields.yml | 2635 ------- .../module/f5/bigipafm/config/input.yml | 87 - .../module/f5/bigipafm/config/liblogparser.js | 2514 ------- .../module/f5/bigipafm/config/pipeline.js | 110 - .../module/f5/bigipafm/ingest/pipeline.yml | 88 - .../filebeat/module/f5/bigipafm/manifest.yml | 31 - .../module/f5/bigipafm/test/generated.log | 100 - .../bigipafm/test/generated.log-expected.json | 6560 ----------------- .../module/f5/bigipapm/_meta/fields.yml | 2635 ------- .../module/f5/bigipapm/config/input.yml | 87 - .../module/f5/bigipapm/config/liblogparser.js | 2514 ------- .../module/f5/bigipapm/config/pipeline.js | 1073 --- .../module/f5/bigipapm/ingest/pipeline.yml | 88 - .../filebeat/module/f5/bigipapm/manifest.yml | 31 - .../module/f5/bigipapm/test/generated.log | 100 - .../bigipapm/test/generated.log-expected.json | 2633 ------- x-pack/filebeat/module/f5/fields.go | 23 - x-pack/filebeat/modules.d/f5.yml.disabled | 41 - 26 files changed, 26997 deletions(-) delete mode 100644 x-pack/filebeat/module/f5/README.md delete mode 100644 x-pack/filebeat/module/f5/_meta/config.yml delete mode 100644 x-pack/filebeat/module/f5/_meta/docs.asciidoc delete mode 100644 x-pack/filebeat/module/f5/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/f5/bigipafm/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/f5/bigipafm/config/input.yml delete mode 100644 x-pack/filebeat/module/f5/bigipafm/config/liblogparser.js delete mode 100644 
x-pack/filebeat/module/f5/bigipafm/config/pipeline.js delete mode 100644 x-pack/filebeat/module/f5/bigipafm/ingest/pipeline.yml delete mode 100644 x-pack/filebeat/module/f5/bigipafm/manifest.yml delete mode 100644 x-pack/filebeat/module/f5/bigipafm/test/generated.log delete mode 100644 x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json delete mode 100644 x-pack/filebeat/module/f5/bigipapm/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/f5/bigipapm/config/input.yml delete mode 100644 x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js delete mode 100644 x-pack/filebeat/module/f5/bigipapm/config/pipeline.js delete mode 100644 x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml delete mode 100644 x-pack/filebeat/module/f5/bigipapm/manifest.yml delete mode 100644 x-pack/filebeat/module/f5/bigipapm/test/generated.log delete mode 100644 x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json delete mode 100644 x-pack/filebeat/module/f5/fields.go delete mode 100644 x-pack/filebeat/modules.d/f5.yml.disabled diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index c60d4f5893b..2a3ba95ade9 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -34,7 +34,6 @@ grouped in the following categories: * <> * <> * <> -* <> * <> * <> * <> 
@@ -29070,5440 +29069,6 @@ type: keyword Envoy proxy type, tcp or http -type: keyword - --- - -[[exported-fields-f5]] -== Big-IP Access Policy Manager fields - -f5 fields. - - - -*`network.interface.name`*:: -+ --- -Name of the network interface where the traffic has been observed. - - -type: keyword - --- - - - -*`rsa.internal.msg`*:: -+ --- -This key is used to capture the raw message that comes into the Log Decoder - -type: keyword - --- - -*`rsa.internal.messageid`*:: -+ --- -type: keyword - --- - -*`rsa.internal.event_desc`*:: -+ --- -type: keyword - --- - -*`rsa.internal.message`*:: -+ --- -This key captures the contents of instant messages - -type: keyword - --- - -*`rsa.internal.time`*:: -+ --- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: date - --- - -*`rsa.internal.level`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.msg_id`*:: -+ --- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.msg_vid`*:: -+ --- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.data`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_server`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_val`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.internal.resource`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_id`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.statement`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.audit_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.entry`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.hcode`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.inode`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.resource_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.dead`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.feed_desc`*:: -+ --- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.feed_name`*:: -+ --- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.cid`*:: -+ --- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_class`*:: -+ --- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_group`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_host`*:: -+ --- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_ip`*:: -+ --- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_ipv6`*:: -+ --- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_type`*:: -+ --- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_type_id`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.did`*:: -+ --- -This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.entropy_req`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.entropy_res`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.event_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.feed_category`*:: -+ --- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.forward_ip`*:: -+ --- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: ip - --- - -*`rsa.internal.forward_ipv6`*:: -+ --- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.header_id`*:: -+ --- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_cid`*:: -+ --- -This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_ctime`*:: -+ --- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: date - --- - -*`rsa.internal.mcb_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcb_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcbc_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.mcbc_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.medium`*:: -+ --- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: long - --- - -*`rsa.internal.node_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.nwe_callback_id`*:: -+ --- -This key denotes that event is endpoint related - -type: keyword - --- - -*`rsa.internal.parse_error`*:: -+ --- -This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.payload_req`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.payload_res`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.process_vid_dst`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - -type: keyword - --- - -*`rsa.internal.process_vid_src`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - -type: keyword - --- - -*`rsa.internal.rid`*:: -+ --- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.session_split`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.site`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.size`*:: -+ --- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.sourcefile`*:: -+ --- -This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.ubc_req`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.ubc_res`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.word`*:: -+ --- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - -type: keyword - --- - - -*`rsa.time.event_time`*:: -+ --- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - -type: date - --- - -*`rsa.time.duration_time`*:: -+ --- -This key is used to capture the normalized duration/lifetime in seconds. 
- -type: double - --- - -*`rsa.time.event_time_str`*:: -+ --- -This key is used to capture the incomplete time mentioned in a session as a string - -type: keyword - --- - -*`rsa.time.starttime`*:: -+ --- -This key is used to capture the Start time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.month`*:: -+ --- -type: keyword - --- - -*`rsa.time.day`*:: -+ --- -type: keyword - --- - -*`rsa.time.endtime`*:: -+ --- -This key is used to capture the End time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.timezone`*:: -+ --- -This key is used to capture the timezone of the Event Time - -type: keyword - --- - -*`rsa.time.duration_str`*:: -+ --- -A text string version of the duration - -type: keyword - --- - -*`rsa.time.date`*:: -+ --- -type: keyword - --- - -*`rsa.time.year`*:: -+ --- -type: keyword - --- - -*`rsa.time.recorded_time`*:: -+ --- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date - --- - -*`rsa.time.datetime`*:: -+ --- -type: keyword - --- - -*`rsa.time.effective_time`*:: -+ --- -This key is the effective time referenced by an individual event in a Standard Timestamp format - -type: date - --- - -*`rsa.time.expire_time`*:: -+ --- -This key is the timestamp that explicitly refers to an expiration. - -type: date - --- - -*`rsa.time.process_time`*:: -+ --- -Deprecated, use duration.time - -type: keyword - --- - -*`rsa.time.hour`*:: -+ --- -type: keyword - --- - -*`rsa.time.min`*:: -+ --- -type: keyword - --- - -*`rsa.time.timestamp`*:: -+ --- -type: keyword - --- - -*`rsa.time.event_queue_time`*:: -+ --- -This key is the Time that the event was queued. 
- -type: date - --- - -*`rsa.time.p_time1`*:: -+ --- -type: keyword - --- - -*`rsa.time.tzone`*:: -+ --- -type: keyword - --- - -*`rsa.time.eventtime`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmtdate`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmttime`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_date`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_month`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time2`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_year`*:: -+ --- -type: keyword - --- - -*`rsa.time.expire_time_str`*:: -+ --- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. - -type: keyword - --- - -*`rsa.time.stamp`*:: -+ --- -Deprecated key defined only in table map. - -type: date - --- - - -*`rsa.misc.action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.result`*:: -+ --- -This key is used to capture the outcome/result string value of an action in a session. - -type: keyword - --- - -*`rsa.misc.severity`*:: -+ --- -This key is used to capture the severity given the session - -type: keyword - --- - -*`rsa.misc.event_type`*:: -+ --- -This key captures the event category type as specified by the event source. - -type: keyword - --- - -*`rsa.misc.reference_id`*:: -+ --- -This key is used to capture an event id from the session directly - -type: keyword - --- - -*`rsa.misc.version`*:: -+ --- -This key captures Version of the application or OS which is generating the event. - -type: keyword - --- - -*`rsa.misc.disposition`*:: -+ --- -This key captures the The end state of an action. 
- -type: keyword - --- - -*`rsa.misc.result_code`*:: -+ --- -This key is used to capture the outcome/result numeric value of an action in a session - -type: keyword - --- - -*`rsa.misc.category`*:: -+ --- -This key is used to capture the category of an event given by the vendor in the session - -type: keyword - --- - -*`rsa.misc.obj_name`*:: -+ --- -This is used to capture name of object - -type: keyword - --- - -*`rsa.misc.obj_type`*:: -+ --- -This is used to capture type of object - -type: keyword - --- - -*`rsa.misc.event_source`*:: -+ --- -This key captures Source of the event that’s not a hostname - -type: keyword - --- - -*`rsa.misc.log_session_id`*:: -+ --- -This key is used to capture a sessionid from the session directly - -type: keyword - --- - -*`rsa.misc.group`*:: -+ --- -This key captures the Group Name value - -type: keyword - --- - -*`rsa.misc.policy_name`*:: -+ --- -This key is used to capture the Policy Name only. - -type: keyword - --- - -*`rsa.misc.rule_name`*:: -+ --- -This key captures the Rule Name - -type: keyword - --- - -*`rsa.misc.context`*:: -+ --- -This key captures Information which adds additional context to the event. - -type: keyword - --- - -*`rsa.misc.change_new`*:: -+ --- -This key is used to capture the new values of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.space`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client`*:: -+ --- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- -type: keyword - --- - -*`rsa.misc.msgIdPart1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.change_old`*:: -+ --- -This key is used to capture the old value of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.operation_id`*:: -+ --- -An alert number or operation number. The values should be unique and non-repeating. - -type: keyword - --- - -*`rsa.misc.event_state`*:: -+ --- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - -type: keyword - --- - -*`rsa.misc.group_object`*:: -+ --- -This key captures a collection/grouping of entities. Specific usage - -type: keyword - --- - -*`rsa.misc.node`*:: -+ --- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - -type: keyword - --- - -*`rsa.misc.rule`*:: -+ --- -This key captures the Rule number - -type: keyword - --- - -*`rsa.misc.device_name`*:: -+ --- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - -type: keyword - --- - -*`rsa.misc.param`*:: -+ --- -This key is the parameters passed as part of a command or application, etc. - -type: keyword - --- - -*`rsa.misc.change_attrib`*:: -+ --- -This key is used to capture the name of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.event_computer`*:: -+ --- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- -type: keyword - --- - -*`rsa.misc.reference_id1`*:: -+ --- -This key is for Linked ID to be used as an addition to "reference.id" - -type: keyword - --- - -*`rsa.misc.event_log`*:: -+ --- -This key captures the Name of the event log - -type: keyword - --- - -*`rsa.misc.OS`*:: -+ --- -This key captures the Name of the Operating System - -type: keyword - --- - -*`rsa.misc.terminal`*:: -+ --- -This key captures the Terminal Names only - -type: keyword - --- - -*`rsa.misc.msgIdPart3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.filter`*:: -+ --- -This key captures Filter used to reduce result set - -type: keyword - --- - -*`rsa.misc.serial_number`*:: -+ --- -This key is the Serial number associated with a physical asset. - -type: keyword - --- - -*`rsa.misc.checksum`*:: -+ --- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - -type: keyword - --- - -*`rsa.misc.event_user`*:: -+ --- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - -type: keyword - --- - -*`rsa.misc.virusname`*:: -+ --- -This key captures the name of the virus - -type: keyword - --- - -*`rsa.misc.content_type`*:: -+ --- -This key is used to capture Content Type only. - -type: keyword - --- - -*`rsa.misc.group_id`*:: -+ --- -This key captures Group ID Number (related to the group name) - -type: keyword - --- - -*`rsa.misc.policy_id`*:: -+ --- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - -type: keyword - --- - -*`rsa.misc.vsys`*:: -+ --- -This key captures Virtual System Name - -type: keyword - --- - -*`rsa.misc.connection_id`*:: -+ --- -This key captures the Connection ID - -type: keyword - --- - -*`rsa.misc.reference_id2`*:: -+ --- -This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - -type: keyword - --- - -*`rsa.misc.sensor`*:: -+ --- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - -type: keyword - --- - -*`rsa.misc.sig_id`*:: -+ --- -This key captures IDS/IPS Int Signature ID - -type: long - --- - -*`rsa.misc.port_name`*:: -+ --- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - -type: keyword - --- - -*`rsa.misc.rule_group`*:: -+ --- -This key captures the Rule group name - -type: keyword - --- - -*`rsa.misc.risk_num`*:: -+ --- -This key captures a Numeric Risk value - -type: double - --- - -*`rsa.misc.trigger_val`*:: -+ --- -This key captures the Value of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.log_session_id1`*:: -+ --- -This key is used to capture a Linked (Related) Session ID from the session directly - -type: keyword - --- - -*`rsa.misc.comp_version`*:: -+ --- -This key captures the Version level of a sub-component of a product. - -type: keyword - --- - -*`rsa.misc.content_version`*:: -+ --- -This key captures Version level of a signature or database content. - -type: keyword - --- - -*`rsa.misc.hardware_id`*:: -+ --- -This key is used to capture unique identifier for a device or system (NOT a Mac address) - -type: keyword - --- - -*`rsa.misc.risk`*:: -+ --- -This key captures the non-numeric risk value - -type: keyword - --- - -*`rsa.misc.event_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.reason`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mail_id`*:: -+ --- -This key is used to capture the mailbox id/name - -type: keyword - --- - -*`rsa.misc.rule_uid`*:: -+ --- -This key is the Unique Identifier for a rule. 
- -type: keyword - --- - -*`rsa.misc.trigger_desc`*:: -+ --- -This key captures the Description of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.inout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.data_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.error`*:: -+ --- -This key captures All non successful Error codes or responses - -type: keyword - --- - -*`rsa.misc.index`*:: -+ --- -type: keyword - --- - -*`rsa.misc.listnum`*:: -+ --- -This key is used to capture listname or listnumber, primarily for collecting access-list - -type: keyword - --- - -*`rsa.misc.ntype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.observed_val`*:: -+ --- -This key captures the Value observed (from the perspective of the device generating the log). - -type: keyword - --- - -*`rsa.misc.policy_value`*:: -+ --- -This key captures the contents of the policy. This contains details about the policy - -type: keyword - --- - -*`rsa.misc.pool_name`*:: -+ --- -This key captures the name of a resource pool - -type: keyword - --- - -*`rsa.misc.rule_template`*:: -+ --- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - -type: keyword - --- - -*`rsa.misc.count`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigcat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comments`*:: -+ --- -Comment information provided in the log message - -type: keyword - --- - -*`rsa.misc.doc_number`*:: -+ --- -This key captures File Identification number - -type: long - --- - -*`rsa.misc.expected_val`*:: -+ --- -This key captures the Value expected (from the perspective of the device generating the log). 
- -type: keyword - --- - -*`rsa.misc.job_num`*:: -+ --- -This key captures the Job Number - -type: keyword - --- - -*`rsa.misc.spi_dst`*:: -+ --- -Destination SPI Index - -type: keyword - --- - -*`rsa.misc.spi_src`*:: -+ --- -Source SPI Index - -type: keyword - --- - -*`rsa.misc.code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.agent_id`*:: -+ --- -This key is used to capture agent id - -type: keyword - --- - -*`rsa.misc.message_body`*:: -+ --- -This key captures the The contents of the message body. - -type: keyword - --- - -*`rsa.misc.phone`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sig_id_str`*:: -+ --- -This key captures a string object of the sigid variable. - -type: keyword - --- - -*`rsa.misc.cmd`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu`*:: -+ --- -This key is the CPU time used in the execution of the event being recorded. - -type: long - --- - -*`rsa.misc.event_desc`*:: -+ --- -This key is used to capture a description of an event available directly or inferred - -type: keyword - --- - -*`rsa.misc.sig_id1`*:: -+ --- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - -type: long - --- - -*`rsa.misc.im_buddyid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_client`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.priority`*:: -+ --- -type: keyword - --- - -*`rsa.misc.context_subject`*:: -+ --- -This key is to be used in an audit context where the subject is the object being identified - -type: keyword - --- - -*`rsa.misc.context_target`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cve`*:: -+ --- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - -type: keyword - --- - -*`rsa.misc.fcatnum`*:: -+ --- -This key captures Filter Category Number. 
Legacy Usage - -type: keyword - --- - -*`rsa.misc.library`*:: -+ --- -This key is used to capture library information in mainframe devices - -type: keyword - --- - -*`rsa.misc.parent_node`*:: -+ --- -This key captures the Parent Node Name. Must be related to node variable. - -type: keyword - --- - -*`rsa.misc.risk_info`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.tcp_flags`*:: -+ --- -This key is captures the TCP flags set in any packet of session - -type: long - --- - -*`rsa.misc.tos`*:: -+ --- -This key describes the type of service - -type: long - --- - -*`rsa.misc.vm_target`*:: -+ --- -VMWare Target **VMWARE** only varaible. - -type: keyword - --- - -*`rsa.misc.workspace`*:: -+ --- -This key captures Workspace Description - -type: keyword - --- - -*`rsa.misc.command`*:: -+ --- -type: keyword - --- - -*`rsa.misc.event_category`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facilityname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.forensic_info`*:: -+ --- -type: keyword - --- - -*`rsa.misc.jobname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy_waiver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.second`*:: -+ --- -type: keyword - --- - -*`rsa.misc.space1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.subcategory`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alert_id`*:: -+ --- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.checksum_dst`*:: -+ --- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - -type: keyword - --- - -*`rsa.misc.checksum_src`*:: -+ --- -This key is used to capture the checksum or hash of the source entity such as a file or process. 
- -type: keyword - --- - -*`rsa.misc.fresult`*:: -+ --- -This key captures the Filter Result - -type: long - --- - -*`rsa.misc.payload_dst`*:: -+ --- -This key is used to capture destination payload - -type: keyword - --- - -*`rsa.misc.payload_src`*:: -+ --- -This key is used to capture source payload - -type: keyword - --- - -*`rsa.misc.pool_id`*:: -+ --- -This key captures the identifier (typically numeric field) of a resource pool - -type: keyword - --- - -*`rsa.misc.process_id_val`*:: -+ --- -This key is a failure key for Process ID when it is not an integer value - -type: keyword - --- - -*`rsa.misc.risk_num_comm`*:: -+ --- -This key captures Risk Number Community - -type: double - --- - -*`rsa.misc.risk_num_next`*:: -+ --- -This key captures Risk Number NextGen - -type: double - --- - -*`rsa.misc.risk_num_sand`*:: -+ --- -This key captures Risk Number SandBox - -type: double - --- - -*`rsa.misc.risk_num_static`*:: -+ --- -This key captures Risk Number Static - -type: double - --- - -*`rsa.misc.risk_suspicious`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.risk_warning`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.snmp_oid`*:: -+ --- -SNMP Object Identifier - -type: keyword - --- - -*`rsa.misc.sql`*:: -+ --- -This key captures the SQL query - -type: keyword - --- - -*`rsa.misc.vuln_ref`*:: -+ --- -This key captures the Vulnerability Reference details - -type: keyword - --- - -*`rsa.misc.acl_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_op`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_pos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_table`*:: -+ --- -type: keyword - --- - -*`rsa.misc.admin`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarm_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarmname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.app_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.audit`*:: 
-+ --- -type: keyword - --- - -*`rsa.misc.audit_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.auditdata`*:: -+ --- -type: keyword - --- - -*`rsa.misc.benchmark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.bypass`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache_hit`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cefversion`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_attr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_obj`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_path`*:: -+ --- -type: keyword - --- - -*`rsa.misc.changes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client_ip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.clustermembers`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_acttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_asn_src`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_bgpv4nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ctr_dst_code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_f_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampintv`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampmode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inacttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermbyts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermpckts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_invalid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ip_proto_ver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ipv4_ident`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_l_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_did`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_rid`*:: -+ --- -type: keyword - 
--- - -*`rsa.misc.cn_max_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_maxpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_min_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_minpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_10`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_5`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_6`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_7`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_8`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_9`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_byt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_pks`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_muligmptype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampalgo`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampint`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_seqctr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_spackets`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sysuptime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_template_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totbytsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totflowexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totpcktsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_unixnanosecs`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6flowlabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6optheaders`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.comp_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_rbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_sbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.criticality`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_agency_dst`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_analyzedby`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_other`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_primary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_secondary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bgpv6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bit9status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_context`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_control`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_datecret`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_dst_tld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_dst_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_src_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_event_uuid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_filetype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_desc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ip_next_hop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4dstpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4srcpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_lifetime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_log_medium`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_loginname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulescore`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulesign`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_opswatresult`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.cs_payload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrant`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrar`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_represult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_rpayload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sampler_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sourcemodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_streams`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_targetmodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_v6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_whois_server`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_yararesult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.description`*:: -+ --- -type: keyword - --- - -*`rsa.misc.devvendor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.distance`*:: -+ --- -type: keyword - --- - -*`rsa.misc.dstburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomaub`*:: -+ --- -type: keyword - --- - -*`rsa.misc.euid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facility`*:: -+ --- -type: keyword - --- - -*`rsa.misc.finterface`*:: -+ --- -type: keyword - --- - -*`rsa.misc.flags`*:: -+ --- -type: keyword - --- - -*`rsa.misc.gaddr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.id3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_buddyname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomtype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_members`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_username`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipscat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipspri`*:: -+ --- -type: keyword - --- - -*`rsa.misc.latitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.linenum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.list_name`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.load_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_floor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_mark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.longitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.lport`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mbug_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msg_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.netsessid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.nwwn`*:: -+ --- -type: keyword - --- - -*`rsa.misc.object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.operation`*:: -+ --- -type: keyword - --- - -*`rsa.misc.opkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.orig_from`*:: -+ --- -type: keyword - --- - -*`rsa.misc.owner_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_filter`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_group_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_result1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_chg`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_expire`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permgranted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permwanted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pgid`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.policyUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.prog_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.program`*:: -+ --- -type: keyword - --- - -*`rsa.misc.real_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_device`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_library`*:: -+ --- -type: keyword - --- - -*`rsa.misc.recordnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ruid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sdomain_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sec`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sensorname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.seqnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.session`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sessiontype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.spi`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcservice`*:: -+ --- -type: keyword - --- - -*`rsa.misc.state`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.svcno`*:: -+ --- -type: keyword - --- - -*`rsa.misc.system`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.threshold`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.udb_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.url_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.user_div`*:: -+ --- -type: keyword - --- - -*`rsa.misc.userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.username_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.utcstamp`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.v_instafname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.virt_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.vpnid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.autorun_type`*:: -+ --- -This is used to capture Auto Run type - -type: keyword - --- - -*`rsa.misc.cc_number`*:: -+ --- -Valid Credit Card Numbers only - -type: long - --- - -*`rsa.misc.content`*:: -+ --- -This key captures the content type from protocol headers - -type: keyword - --- - -*`rsa.misc.ein_number`*:: -+ --- -Employee Identification Numbers only - -type: long - --- - -*`rsa.misc.found`*:: -+ --- -This is used to capture the results of regex match - -type: keyword - --- - -*`rsa.misc.language`*:: -+ --- -This is used to capture list of languages the client support and what it prefers - -type: keyword - --- - -*`rsa.misc.lifetime`*:: -+ --- -This key is used to capture the session lifetime in seconds. - -type: long - --- - -*`rsa.misc.link`*:: -+ --- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.misc.match`*:: -+ --- -This key is for regex match name from search.ini - -type: keyword - --- - -*`rsa.misc.param_dst`*:: -+ --- -This key captures the command line/launch argument of the target process or file - -type: keyword - --- - -*`rsa.misc.param_src`*:: -+ --- -This key captures source parameter - -type: keyword - --- - -*`rsa.misc.search_text`*:: -+ --- -This key captures the Search Text used - -type: keyword - --- - -*`rsa.misc.sig_name`*:: -+ --- -This key is used to capture the Signature Name only. - -type: keyword - --- - -*`rsa.misc.snmp_value`*:: -+ --- -SNMP set request value - -type: keyword - --- - -*`rsa.misc.streams`*:: -+ --- -This key captures number of streams in session - -type: long - --- - - -*`rsa.db.index`*:: -+ --- -This key captures IndexID of the index. 
- -type: keyword - --- - -*`rsa.db.instance`*:: -+ --- -This key is used to capture the database server instance name - -type: keyword - --- - -*`rsa.db.database`*:: -+ --- -This key is used to capture the name of a database or an instance as seen in a session - -type: keyword - --- - -*`rsa.db.transact_id`*:: -+ --- -This key captures the SQL transantion ID of the current session - -type: keyword - --- - -*`rsa.db.permissions`*:: -+ --- -This key captures permission or privilege level assigned to a resource. - -type: keyword - --- - -*`rsa.db.table_name`*:: -+ --- -This key is used to capture the table name - -type: keyword - --- - -*`rsa.db.db_id`*:: -+ --- -This key is used to capture the unique identifier for a database - -type: keyword - --- - -*`rsa.db.db_pid`*:: -+ --- -This key captures the process id of a connection with database server - -type: long - --- - -*`rsa.db.lread`*:: -+ --- -This key is used for the number of logical reads - -type: long - --- - -*`rsa.db.lwrite`*:: -+ --- -This key is used for the number of logical writes - -type: long - --- - -*`rsa.db.pread`*:: -+ --- -This key is used for the number of physical writes - -type: long - --- - - -*`rsa.network.alias_host`*:: -+ --- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - -type: keyword - --- - -*`rsa.network.domain`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_dst`*:: -+ --- -This key should only be used when it’s a Destination Hostname - -type: keyword - --- - -*`rsa.network.network_service`*:: -+ --- -This is used to capture layer 7 protocols/service names - -type: keyword - --- - -*`rsa.network.interface`*:: -+ --- -This key should be used when the source or destination context of an interface is not clear - -type: keyword - --- - -*`rsa.network.network_port`*:: -+ --- -Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) - -type: long - --- - -*`rsa.network.eth_host`*:: -+ --- -Deprecated, use alias.mac - -type: keyword - --- - -*`rsa.network.sinterface`*:: -+ --- -This key should only be used when it’s a Source Interface - -type: keyword - --- - -*`rsa.network.dinterface`*:: -+ --- -This key should only be used when it’s a Destination Interface - -type: keyword - --- - -*`rsa.network.vlan`*:: -+ --- -This key should only be used to capture the ID of the Virtual LAN - -type: long - --- - -*`rsa.network.zone_src`*:: -+ --- -This key should only be used when it’s a Source Zone. - -type: keyword - --- - -*`rsa.network.zone`*:: -+ --- -This key should be used when the source or destination context of a Zone is not clear - -type: keyword - --- - -*`rsa.network.zone_dst`*:: -+ --- -This key should only be used when it’s a Destination Zone. - -type: keyword - --- - -*`rsa.network.gateway`*:: -+ --- -This key is used to capture the IP Address of the gateway - -type: keyword - --- - -*`rsa.network.icmp_type`*:: -+ --- -This key is used to capture the ICMP type only - -type: long - --- - -*`rsa.network.mask`*:: -+ --- -This key is used to capture the device network IPmask. 
- -type: keyword - --- - -*`rsa.network.icmp_code`*:: -+ --- -This key is used to capture the ICMP code only - -type: long - --- - -*`rsa.network.protocol_detail`*:: -+ --- -This key should be used to capture additional protocol information - -type: keyword - --- - -*`rsa.network.dmask`*:: -+ --- -This key is used for Destionation Device network mask - -type: keyword - --- - -*`rsa.network.port`*:: -+ --- -This key should only be used to capture a Network Port when the directionality is not clear - -type: long - --- - -*`rsa.network.smask`*:: -+ --- -This key is used for capturing source Network Mask - -type: keyword - --- - -*`rsa.network.netname`*:: -+ --- -This key is used to capture the network name associated with an IP range. This is configured by the end user. - -type: keyword - --- - -*`rsa.network.paddr`*:: -+ --- -Deprecated - -type: ip - --- - -*`rsa.network.faddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.lhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.origin`*:: -+ --- -type: keyword - --- - -*`rsa.network.remote_domain_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.addr`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_a_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_ptr_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.fhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.fport`*:: -+ --- -type: keyword - --- - -*`rsa.network.laddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.linterface`*:: -+ --- -type: keyword - --- - -*`rsa.network.phost`*:: -+ --- -type: keyword - --- - -*`rsa.network.ad_computer_dst`*:: -+ --- -Deprecated, use host.dst - -type: keyword - --- - -*`rsa.network.eth_type`*:: -+ --- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: long - --- - -*`rsa.network.ip_proto`*:: -+ --- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - -type: long - --- - -*`rsa.network.dns_cname_record`*:: -+ --- 
-type: keyword - --- - -*`rsa.network.dns_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_opcode`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_resp`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.domain1`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.packet_length`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_orig`*:: -+ --- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - -type: keyword - --- - -*`rsa.network.rpayload`*:: -+ --- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. - -type: keyword - --- - -*`rsa.network.vlan_name`*:: -+ --- -This key should only be used to capture the name of the Virtual LAN - -type: keyword - --- - - -*`rsa.investigations.ec_activity`*:: -+ --- -This key captures the particular event activity(Ex:Logoff) - -type: keyword - --- - -*`rsa.investigations.ec_theme`*:: -+ --- -This key captures the Theme of a particular Event(Ex:Authentication) - -type: keyword - --- - -*`rsa.investigations.ec_subject`*:: -+ --- -This key captures the Subject of a particular Event(Ex:User) - -type: keyword - --- - -*`rsa.investigations.ec_outcome`*:: -+ --- -This key captures the outcome of a particular Event(Ex:Success) - -type: keyword - --- - -*`rsa.investigations.event_cat`*:: -+ --- -This key captures the Event category number - -type: long - --- - -*`rsa.investigations.event_cat_name`*:: -+ --- -This key captures the event category name corresponding to the event cat code - -type: keyword - --- - -*`rsa.investigations.event_vcat`*:: -+ --- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - -type: keyword - --- - -*`rsa.investigations.analysis_file`*:: -+ --- -This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - -type: keyword - --- - -*`rsa.investigations.analysis_service`*:: -+ --- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - -type: keyword - --- - -*`rsa.investigations.analysis_session`*:: -+ --- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - -type: keyword - --- - -*`rsa.investigations.boc`*:: -+ --- -This is used to capture behaviour of compromise - -type: keyword - --- - -*`rsa.investigations.eoc`*:: -+ --- -This is used to capture Enablers of Compromise - -type: keyword - --- - -*`rsa.investigations.inv_category`*:: -+ --- -This used to capture investigation category - -type: keyword - --- - -*`rsa.investigations.inv_context`*:: -+ --- -This used to capture investigation context - -type: keyword - --- - -*`rsa.investigations.ioc`*:: -+ --- -This is key capture indicator of compromise - -type: keyword - --- - - -*`rsa.counters.dclass_c1`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c1.str only - -type: long - --- - -*`rsa.counters.dclass_c2`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c2.str only - -type: long - --- - -*`rsa.counters.event_counter`*:: -+ --- -This is used to capture the number of times an event repeated - -type: long - --- - -*`rsa.counters.dclass_r1`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r1.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c3.str only - -type: long - --- - -*`rsa.counters.dclass_c1_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c1 only - -type: keyword - --- - -*`rsa.counters.dclass_c2_str`*:: -+ --- -This is a generic counter string key that should be 
used with the label dclass.c2 only - -type: keyword - --- - -*`rsa.counters.dclass_r1_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r1 only - -type: keyword - --- - -*`rsa.counters.dclass_r2`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r2.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c3 only - -type: keyword - --- - -*`rsa.counters.dclass_r3`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r3.str only - -type: keyword - --- - -*`rsa.counters.dclass_r2_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r2 only - -type: keyword - --- - -*`rsa.counters.dclass_r3_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r3 only - -type: keyword - --- - - -*`rsa.identity.auth_method`*:: -+ --- -This key is used to capture authentication methods used only - -type: keyword - --- - -*`rsa.identity.user_role`*:: -+ --- -This key is used to capture the Role of a user only - -type: keyword - --- - -*`rsa.identity.dn`*:: -+ --- -X.500 (LDAP) Distinguished Name - -type: keyword - --- - -*`rsa.identity.logon_type`*:: -+ --- -This key is used to capture the type of logon method used. 
- -type: keyword - --- - -*`rsa.identity.profile`*:: -+ --- -This key is used to capture the user profile - -type: keyword - --- - -*`rsa.identity.accesses`*:: -+ --- -This key is used to capture actual privileges used in accessing an object - -type: keyword - --- - -*`rsa.identity.realm`*:: -+ --- -Radius realm or similar grouping of accounts - -type: keyword - --- - -*`rsa.identity.user_sid_dst`*:: -+ --- -This key captures Destination User Session ID - -type: keyword - --- - -*`rsa.identity.dn_src`*:: -+ --- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - -type: keyword - --- - -*`rsa.identity.org`*:: -+ --- -This key captures the User organization - -type: keyword - --- - -*`rsa.identity.dn_dst`*:: -+ --- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - -type: keyword - --- - -*`rsa.identity.firstname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.lastname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.user_dept`*:: -+ --- -User's Department Names only - -type: keyword - --- - -*`rsa.identity.user_sid_src`*:: -+ --- -This key captures Source User Session ID - -type: keyword - --- - -*`rsa.identity.federated_sp`*:: -+ --- -This key is the Federated Service Provider. This is the application requesting authentication. - -type: keyword - --- - -*`rsa.identity.federated_idp`*:: -+ --- -This key is the federated Identity Provider. This is the server providing the authentication. - -type: keyword - --- - -*`rsa.identity.logon_type_desc`*:: -+ --- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- -type: keyword - --- - -*`rsa.identity.middlename`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.password`*:: -+ --- -This key is for Passwords seen in any session, plain text or encrypted - -type: keyword - --- - -*`rsa.identity.host_role`*:: -+ --- -This key should only be used to capture the role of a Host Machine - -type: keyword - --- - -*`rsa.identity.ldap`*:: -+ --- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - -type: keyword - --- - -*`rsa.identity.ldap_query`*:: -+ --- -This key is the Search criteria from an LDAP search - -type: keyword - --- - -*`rsa.identity.ldap_response`*:: -+ --- -This key is to capture Results from an LDAP search - -type: keyword - --- - -*`rsa.identity.owner`*:: -+ --- -This is used to capture username the process or service is running as, the author of the task - -type: keyword - --- - -*`rsa.identity.service_account`*:: -+ --- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - -type: keyword - --- - - -*`rsa.email.email_dst`*:: -+ --- -This key is used to capture the Destination email address only, when the destination context is not clear use email - -type: keyword - --- - -*`rsa.email.email_src`*:: -+ --- -This key is used to capture the source email address only, when the source context is not clear use email - -type: keyword - --- - -*`rsa.email.subject`*:: -+ --- -This key is used to capture the subject string from an Email only. - -type: keyword - --- - -*`rsa.email.email`*:: -+ --- -This key is used to capture a generic email address where the source or destination context is not clear - -type: keyword - --- - -*`rsa.email.trans_from`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.email.trans_to`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - - -*`rsa.file.privilege`*:: -+ --- -Deprecated, use permissions - -type: keyword - --- - -*`rsa.file.attachment`*:: -+ --- -This key captures the attachment file name - -type: keyword - --- - -*`rsa.file.filesystem`*:: -+ --- -type: keyword - --- - -*`rsa.file.binary`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.file.filename_dst`*:: -+ --- -This is used to capture name of the file targeted by the action - -type: keyword - --- - -*`rsa.file.filename_src`*:: -+ --- -This is used to capture name of the parent filename, the file which performed the action - -type: keyword - --- - -*`rsa.file.filename_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.file.directory_dst`*:: -+ --- -This key is used to capture the directory of the target process or file - -type: keyword - --- - -*`rsa.file.directory_src`*:: -+ --- -This key is used to capture the directory of the source process or file - -type: keyword - --- - -*`rsa.file.file_entropy`*:: -+ --- -This is used to capture entropy vale of a file - -type: double - --- - -*`rsa.file.file_vendor`*:: -+ --- -This is used to capture Company name of file located in version_info - -type: keyword - --- - -*`rsa.file.task_name`*:: -+ --- -This is used to capture name of the task - -type: keyword - --- - - -*`rsa.web.fqdn`*:: -+ --- -Fully Qualified Domain Names - -type: keyword - --- - -*`rsa.web.web_cookie`*:: -+ --- -This key is used to capture the Web cookies specifically. - -type: keyword - --- - -*`rsa.web.alias_host`*:: -+ --- -type: keyword - --- - -*`rsa.web.reputation_num`*:: -+ --- -Reputation Number of an entity. 
Typically used for Web Domains - -type: double - --- - -*`rsa.web.web_ref_domain`*:: -+ --- -Web referer's domain - -type: keyword - --- - -*`rsa.web.web_ref_query`*:: -+ --- -This key captures Web referer's query portion of the URL - -type: keyword - --- - -*`rsa.web.remote_domain`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_ref_page`*:: -+ --- -This key captures Web referer's page information - -type: keyword - --- - -*`rsa.web.web_ref_root`*:: -+ --- -Web referer's root URL path - -type: keyword - --- - -*`rsa.web.cn_asn_dst`*:: -+ --- -type: keyword - --- - -*`rsa.web.cn_rpackets`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlpage`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlroot`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_url`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_user_agent`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_cookie`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_method`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_referer`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_extension_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_page`*:: -+ --- -type: keyword - --- - - -*`rsa.threat.threat_category`*:: -+ --- -This key captures Threat Name/Threat Category/Categorization of alert - -type: keyword - --- - -*`rsa.threat.threat_desc`*:: -+ --- -This key is used to capture the threat description from the session directly or inferred - -type: keyword - --- - -*`rsa.threat.alert`*:: -+ --- -This key is used to capture name of the alert - -type: keyword - --- - -*`rsa.threat.threat_source`*:: -+ --- -This key is used to capture source of the threat - -type: keyword - --- - - -*`rsa.crypto.crypto`*:: -+ --- -This key is used to capture the Encryption Type or Encryption Key only - -type: keyword - --- - -*`rsa.crypto.cipher_src`*:: -+ --- -This key is for Source (Client) Cipher - -type: keyword - --- - -*`rsa.crypto.cert_subject`*:: -+ --- -This key is used to capture the Certificate organization only - -type: keyword - --- 
- -*`rsa.crypto.peer`*:: -+ --- -This key is for Encryption peer's IP Address - -type: keyword - --- - -*`rsa.crypto.cipher_size_src`*:: -+ --- -This key captures Source (Client) Cipher Size - -type: long - --- - -*`rsa.crypto.ike`*:: -+ --- -IKE negotiation phase. - -type: keyword - --- - -*`rsa.crypto.scheme`*:: -+ --- -This key captures the Encryption scheme used - -type: keyword - --- - -*`rsa.crypto.peer_id`*:: -+ --- -This key is for Encryption peer’s identity - -type: keyword - --- - -*`rsa.crypto.sig_type`*:: -+ --- -This key captures the Signature Type - -type: keyword - --- - -*`rsa.crypto.cert_issuer`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.crypto.cert_error`*:: -+ --- -This key captures the Certificate Error String - -type: keyword - --- - -*`rsa.crypto.cipher_dst`*:: -+ --- -This key is for Destination (Server) Cipher - -type: keyword - --- - -*`rsa.crypto.cipher_size_dst`*:: -+ --- -This key captures Destination (Server) Cipher Size - -type: long - --- - -*`rsa.crypto.ssl_ver_src`*:: -+ --- -Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.d_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.s_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.ike_cookie1`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase One - -type: keyword - --- - -*`rsa.crypto.ike_cookie2`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase Two - -type: keyword - --- - -*`rsa.crypto.cert_checksum`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_cat`*:: -+ --- -This key is used for the hostname category value of a certificate - -type: keyword - --- - -*`rsa.crypto.cert_serial`*:: -+ --- -This key is used to capture the Certificate serial number only - -type: keyword - --- - -*`rsa.crypto.cert_status`*:: -+ --- -This key captures Certificate validation status - -type: keyword - --- - -*`rsa.crypto.ssl_ver_dst`*:: -+ --- 
-Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.cert_keysize`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_username`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_insact`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_valid`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_ca`*:: -+ --- -This key is used to capture the Certificate signing authority only - -type: keyword - --- - -*`rsa.crypto.cert_common`*:: -+ --- -This key is used to capture the Certificate common name only - -type: keyword - --- - - -*`rsa.wireless.wlan_ssid`*:: -+ --- -This key is used to capture the ssid of a Wireless Session - -type: keyword - --- - -*`rsa.wireless.access_point`*:: -+ --- -This key is used to capture the access point name. - -type: keyword - --- - -*`rsa.wireless.wlan_channel`*:: -+ --- -This is used to capture the channel names - -type: long - --- - -*`rsa.wireless.wlan_name`*:: -+ --- -This key captures either WLAN number/name - -type: keyword - --- - - -*`rsa.storage.disk_volume`*:: -+ --- -A unique name assigned to logical units (volumes) within a physical disk - -type: keyword - --- - -*`rsa.storage.lun`*:: -+ --- -Logical Unit Number.This key is a very useful concept in Storage. - -type: keyword - --- - -*`rsa.storage.pwwn`*:: -+ --- -This uniquely identifies a port on a HBA. - -type: keyword - --- - - -*`rsa.physical.org_dst`*:: -+ --- -This is used to capture the destination organization based on the GEOPIP Maxmind database. - -type: keyword - --- - -*`rsa.physical.org_src`*:: -+ --- -This is used to capture the source organization based on the GEOPIP Maxmind database. 
- -type: keyword - --- - - -*`rsa.healthcare.patient_fname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_id`*:: -+ --- -This key captures the unique ID for a patient - -type: keyword - --- - -*`rsa.healthcare.patient_lname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_mname`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - - -*`rsa.endpoint.host_state`*:: -+ --- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - -type: keyword - --- - -*`rsa.endpoint.registry_key`*:: -+ --- -This key captures the path to the registry key - -type: keyword - --- - -*`rsa.endpoint.registry_value`*:: -+ --- -This key captures values or decorators used within a registry entry - type: keyword -- diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index b30ee06dc8c..65a1f0f9ffb 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -17,7 +17,6 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> - * <> * <> * <> * <> @@ -88,7 +87,6 @@ include::modules/crowdstrike.asciidoc[] include::modules/cyberarkpas.asciidoc[] include::modules/elasticsearch.asciidoc[] include::modules/envoyproxy.asciidoc[] -include::modules/f5.asciidoc[] include::modules/fortinet.asciidoc[] include::modules/gcp.asciidoc[] include::modules/google_workspace.asciidoc[] diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 25ecf853fd3..c2d17ddd1b4 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -846,46 +846,6 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: -#--------------------- Big-IP Access Policy Manager Module --------------------- -- module: f5 - bigipapm: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9504 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - - bigipafm: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9528 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - #------------------------------- Fortinet Module ------------------------------- - module: fortinet firewall: diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index 5aa763e81a1..cf06ccebc10 100644 --- a/x-pack/filebeat/include/list.go +++ b/x-pack/filebeat/include/list.go @@ -27,7 +27,6 @@ import ( _ "github.com/elastic/beats/v7/x-pack/filebeat/module/crowdstrike" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/cyberarkpas" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/envoyproxy" - _ "github.com/elastic/beats/v7/x-pack/filebeat/module/f5" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/fortinet" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/gcp" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/google_workspace" 
diff --git a/x-pack/filebeat/module/f5/README.md b/x-pack/filebeat/module/f5/README.md deleted file mode 100644 index 37a9e5f20c3..00000000000 --- a/x-pack/filebeat/module/f5/README.md +++ /dev/null @@ -1,7 +0,0 @@ -# f5 module - -This is a module for Big-IP Access Policy Manager logs. - -Autogenerated from RSA NetWitness log parser 2.0 XML bigipapm version 113 -at 2020-07-13 17:55:34.191415 +0000 UTC. - diff --git a/x-pack/filebeat/module/f5/_meta/config.yml b/x-pack/filebeat/module/f5/_meta/config.yml deleted file mode 100644 index 48ccc13d31a..00000000000 --- a/x-pack/filebeat/module/f5/_meta/config.yml +++ /dev/null @@ -1,38 +0,0 @@ -- module: f5 - bigipapm: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9504 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - - bigipafm: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9528 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local diff --git a/x-pack/filebeat/module/f5/_meta/docs.asciidoc b/x-pack/filebeat/module/f5/_meta/docs.asciidoc deleted file mode 100644 index 28d57c59be5..00000000000 --- a/x-pack/filebeat/module/f5/_meta/docs.asciidoc +++ /dev/null 
@@ -1,119 +0,0 @@ -[role="xpack"] - -:modulename: f5 -:has-dashboards: false - -== F5 module - -deprecated::[8.12.0,"This module is deprecated. Use the https://docs.elastic.co/integrations/f5_bigip[F5 BIG-IP] Elastic integration instead."] - -experimental[] - -include::{libbeat-dir}/shared/integration-link.asciidoc[] - -This is a module for F5 network device's logs. It includes the following -filesets for receiving logs over syslog or read from a file: - -- `bigipapm` fileset: supports F5 Big-IP Access Policy Manager. -- `bigipafm` fileset: supports F5 Big-IP Advanced Firewall Manager. - -include::../include/gs-link.asciidoc[] - -include::../include/configuring-intro.asciidoc[] - -:fileset_ex: bigipapm - -include::../include/config-option-intro.asciidoc[] - -[float] -==== `bigipapm` fileset settings - -experimental[] - -NOTE: This was converted from RSA NetWitness log parser XML "bigipapm" device revision 113. - -*`var.input`*:: - -The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. - -*`var.syslog_host`*:: - -The address to listen to UDP or TCP based syslog traffic. -Defaults to `localhost`. -Set to `0.0.0.0` to bind to all available interfaces. - -*`var.syslog_port`*:: - -The port to listen for syslog traffic. Defaults to `9504` - -NOTE: Ports below 1024 require Filebeat to run as root. - -*`var.tz_offset`*:: - -By default, datetimes in the logs will be interpreted as relative to -the timezone configured in the host where {beatname_uc} is running. If ingesting -logs from a host on a different timezone, use this field to set the timezone -offset so that datetimes are correctly parsed. Valid values are in the form -±HH:mm, for example, `-07:00` for `UTC-7`. - -*`var.rsa_fields`*:: - -Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be added. - -*`var.keep_raw_fields`*:: - -Flag to control the addition of the raw parser fields to the event. 
This fields -will be found under `rsa.raw`. The default is false. - -:has-dashboards!: - -:fileset_ex!: - -[float] -==== `bigipafm` fileset settings - -experimental[] - -NOTE: This was converted from RSA NetWitness log parser XML "bigipafm" device revision 121. - -*`var.input`*:: - -The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. - -*`var.syslog_host`*:: - -The address to listen to UDP or TCP based syslog traffic. -Defaults to `localhost`. -Set to `0.0.0.0` to bind to all available interfaces. - -*`var.syslog_port`*:: - -The port to listen for syslog traffic. Defaults to `9528` - -NOTE: Ports below 1024 require Filebeat to run as root. - -*`var.tz_offset`*:: - -By default, datetimes in the logs will be interpreted as relative to -the timezone configured in the host where {beatname_uc} is running. If ingesting -logs from a host on a different timezone, use this field to set the timezone -offset so that datetimes are correctly parsed. Valid values are in the form -±HH:mm, for example, `-07:00` for `UTC-7`. - -*`var.rsa_fields`*:: - -Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be added. - -*`var.keep_raw_fields`*:: - -Flag to control the addition of the raw parser fields to the event. This fields -will be found under `rsa.raw`. The default is false. - -:has-dashboards!: - -:fileset_ex!: - -:modulename!: - diff --git a/x-pack/filebeat/module/f5/_meta/fields.yml b/x-pack/filebeat/module/f5/_meta/fields.yml deleted file mode 100644 index 7cd2cda6541..00000000000 --- a/x-pack/filebeat/module/f5/_meta/fields.yml +++ /dev/null @@ -1,5 +0,0 @@ -- key: f5 - title: Big-IP Access Policy Manager - description: > - f5 fields. - fields: diff --git a/x-pack/filebeat/module/f5/bigipafm/_meta/fields.yml b/x-pack/filebeat/module/f5/bigipafm/_meta/fields.yml deleted file mode 100644 index 08a34153c4f..00000000000 
--- a/x-pack/filebeat/module/f5/bigipafm/_meta/fields.yml +++ /dev/null 
@@ -1,2635 +0,0 @@ -- name: network.interface.name - overwrite: true - type: keyword - description: > - Name of the network interface where the traffic has been observed. -- name: rsa - overwrite: true - type: group - fields: - - name: internal - overwrite: true - type: group - fields: - - name: msg - overwrite: true - type: keyword - description: This key is used to capture the raw message that comes into the - Log Decoder - - name: messageid - overwrite: true - type: keyword - - name: event_desc - overwrite: true - type: keyword - - name: message - overwrite: true - type: keyword - description: This key captures the contents of instant messages - - name: time - overwrite: true - type: date - description: This is the time at which a session hits a NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness. - - name: level - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: msg_id - overwrite: true - type: keyword - description: This is the Message ID1 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: msg_vid - overwrite: true - type: keyword - description: This is the Message ID2 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: data - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: resource - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: statement - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: entry - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: inode - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: resource_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: dead - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - overwrite: true - type: keyword - description: This is used to capture the description of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: feed_name - overwrite: true - type: keyword - description: This is used to capture the name of the feed. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: cid - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_class - overwrite: true - type: keyword - description: This is the Classification of the Log Event Source under a predefined - fixed set of Event Source Classifications. 
This key should never be used to - parse Meta data from a session (Logs/Packets) Directly, this is a Reserved - key in NetWitness - - name: device_group - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - overwrite: true - type: keyword - description: This is the Hostname of the log Event Source sending the logs to - NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - overwrite: true - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - overwrite: true - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - overwrite: true - type: keyword - description: This is the name of the log parser which parsed a given session. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_type_id - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: did - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. 
- This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: entropy_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: entropy_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: event_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - overwrite: true - type: keyword - description: This is used to capture the category of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: forward_ip - overwrite: true - type: ip - description: This key should be used to capture the IPV4 address of a relay - system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - overwrite: true - type: ip - description: This key is used to capture the IPV6 address of a relay system - which forwarded the events from the original system to NetWitness. This key - should never be used to parse Meta data from a session (Logs/Packets) Directly, - this is a Reserved key in NetWitness - - name: header_id - overwrite: true - type: keyword - description: This is the Header ID value that identifies the exact log parser - header definition that parses a particular log session. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: lc_cid - overwrite: true - type: keyword - description: This is a unique Identifier of a Log Collector. 
This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: lc_ctime - overwrite: true - type: date - description: This is the time at which a log is collected in a NetWitness Log - Collector. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: mcbc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: medium - overwrite: true - type: long - description: "This key is used to identify if it\u2019s a log/packet session\ - \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ - \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ - \ 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: nwe_callback_id - overwrite: true - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - overwrite: true - type: keyword - description: This is a special key that stores any Meta key validation error - found while parsing a log session. This key should never be used to parse - Meta data from a session (Logs/Packets) Directly, this is a Reserved key in - NetWitness - - name: payload_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: payload_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: process_vid_dst - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the target process. - - name: process_vid_src - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the source process. - - name: rid - overwrite: true - type: long - description: This is a special ID of the Remote Session created by NetWitness - Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: session_split - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: size - overwrite: true - type: long - description: This is the size of the session as seen by the NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: sourcefile - overwrite: true - type: keyword - description: This is the name of the log file or PCAPs that can be imported - into NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: ubc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: word - overwrite: true - type: keyword - description: This is used by the Word Parsing technology to capture the first - 5 character of every word in an unparsed log - - name: time - overwrite: true - type: group - fields: - - name: event_time - overwrite: true - type: date - description: This key is used to capture the time mentioned in a raw session - that represents the actual time an event occured in a standard normalized - form - - name: duration_time - overwrite: true - type: double - description: This key is used to capture the normalized duration/lifetime in - seconds. 
- - name: event_time_str - overwrite: true - type: keyword - description: This key is used to capture the incomplete time mentioned in a - session as a string - - name: starttime - overwrite: true - type: date - description: This key is used to capture the Start time mentioned in a session - in a standard form - - name: month - overwrite: true - type: keyword - - name: day - overwrite: true - type: keyword - - name: endtime - overwrite: true - type: date - description: This key is used to capture the End time mentioned in a session - in a standard form - - name: timezone - overwrite: true - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - overwrite: true - type: keyword - description: A text string version of the duration - - name: date - overwrite: true - type: keyword - - name: year - overwrite: true - type: keyword - - name: recorded_time - overwrite: true - type: date - description: The event time as recorded by the system the event is collected - from. The usage scenario is a multi-tier application where the management - layer of the system records it's own timestamp at the time of collection from - its child nodes. Must be in timestamp format. - - name: datetime - overwrite: true - type: keyword - - name: effective_time - overwrite: true - type: date - description: This key is the effective time referenced by an individual event - in a Standard Timestamp format - - name: expire_time - overwrite: true - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - overwrite: true - type: keyword - description: Deprecated, use duration.time - - name: hour - overwrite: true - type: keyword - - name: min - overwrite: true - type: keyword - - name: timestamp - overwrite: true - type: keyword - - name: event_queue_time - overwrite: true - type: date - description: This key is the Time that the event was queued. 
- - name: p_time1 - overwrite: true - type: keyword - - name: tzone - overwrite: true - type: keyword - - name: eventtime - overwrite: true - type: keyword - - name: gmtdate - overwrite: true - type: keyword - - name: gmttime - overwrite: true - type: keyword - - name: p_date - overwrite: true - type: keyword - - name: p_month - overwrite: true - type: keyword - - name: p_time - overwrite: true - type: keyword - - name: p_time2 - overwrite: true - type: keyword - - name: p_year - overwrite: true - type: keyword - - name: expire_time_str - overwrite: true - type: keyword - description: This key is used to capture incomplete timestamp that explicitly - refers to an expiration. - - name: stamp - overwrite: true - type: date - description: Deprecated key defined only in table map. - - name: misc - overwrite: true - type: group - fields: - - name: action - overwrite: true - type: keyword - - name: result - overwrite: true - type: keyword - description: This key is used to capture the outcome/result string value of - an action in a session. - - name: severity - overwrite: true - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - overwrite: true - type: keyword - description: This key captures the event category type as specified by the event - source. - - name: reference_id - overwrite: true - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - overwrite: true - type: keyword - description: This key captures Version of the application or OS which is generating - the event. - - name: disposition - overwrite: true - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - overwrite: true - type: keyword - description: This key is used to capture the outcome/result numeric value of - an action in a session - - name: category - overwrite: true - type: keyword - description: This key is used to capture the category of an event given by the - vendor in the session - - name: obj_name - overwrite: true - type: keyword - description: This is used to capture name of object - - name: obj_type - overwrite: true - type: keyword - description: This is used to capture type of object - - name: event_source - overwrite: true - type: keyword - description: "This key captures Source of the event that\u2019s not a hostname" - - name: log_session_id - overwrite: true - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - overwrite: true - type: keyword - description: This key captures the Group Name value - - name: policy_name - overwrite: true - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - overwrite: true - type: keyword - description: This key captures the Rule Name - - name: context - overwrite: true - type: keyword - description: This key captures Information which adds additional context to - the event. - - name: change_new - overwrite: true - type: keyword - description: "This key is used to capture the new values of the attribute that\u2019\ - s changing in a session" - - name: space - overwrite: true - type: keyword - - name: client - overwrite: true - type: keyword - description: This key is used to capture only the name of the client application - requesting resources of the server. See the user.agent meta key for capture - of the specific user agent identifier or browser identification string. 
- - name: msgIdPart1 - overwrite: true - type: keyword - - name: msgIdPart2 - overwrite: true - type: keyword - - name: change_old - overwrite: true - type: keyword - description: "This key is used to capture the old value of the attribute that\u2019\ - s changing in a session" - - name: operation_id - overwrite: true - type: keyword - description: An alert number or operation number. The values should be unique - and non-repeating. - - name: event_state - overwrite: true - type: keyword - description: This key captures the current state of the object/item referenced - within the event. Describing an on-going event. - - name: group_object - overwrite: true - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - overwrite: true - type: keyword - description: Common use case is the node name within a cluster. The cluster - name is reflected by the host name. - - name: rule - overwrite: true - type: keyword - description: This key captures the Rule number - - name: device_name - overwrite: true - type: keyword - description: 'This is used to capture name of the Device associated with the - node Like: a physical disk, printer, etc' - - name: param - overwrite: true - type: keyword - description: This key is the parameters passed as part of a command or application, - etc. - - name: change_attrib - overwrite: true - type: keyword - description: "This key is used to capture the name of the attribute that\u2019\ - s changing in a session" - - name: event_computer - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - fully qualified domain name in a windows log. 
- - name: reference_id1 - overwrite: true - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - overwrite: true - type: keyword - description: This key captures the Name of the event log - - name: OS - overwrite: true - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - overwrite: true - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - overwrite: true - type: keyword - - name: filter - overwrite: true - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - overwrite: true - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the entity - such as a file or process. Checksum should be used over checksum.src or checksum.dst - when it is unclear whether the entity is a source or target of an action. - - name: event_user - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - combination of domain name and username in a windows log. - - name: virusname - overwrite: true - type: keyword - description: This key captures the name of the virus - - name: content_type - overwrite: true - type: keyword - description: This key is used to capture Content Type only. 
- - name: group_id - overwrite: true - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - overwrite: true - type: keyword - description: This key is used to capture the Policy ID only, this should be - a numeric value, use policy.name otherwise - - name: vsys - overwrite: true - type: keyword - description: This key captures Virtual System Name - - name: connection_id - overwrite: true - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - overwrite: true - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" - or "reference.id1" value but should not be used unless the other two variables - are in play. - - name: sensor - overwrite: true - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS - based devices - - name: sig_id - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - overwrite: true - type: keyword - description: 'This key is used for Physical or logical port connection but does - NOT include a network port. (Example: Printer port name).' - - name: rule_group - overwrite: true - type: keyword - description: This key captures the Rule group name - - name: risk_num - overwrite: true - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - overwrite: true - type: keyword - description: This key captures the Value of the trigger or threshold condition. - - name: log_session_id1 - overwrite: true - type: keyword - description: This key is used to capture a Linked (Related) Session ID from - the session directly - - name: comp_version - overwrite: true - type: keyword - description: This key captures the Version level of a sub-component of a product. 
- - name: content_version - overwrite: true - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - overwrite: true - type: keyword - description: This key is used to capture unique identifier for a device or system - (NOT a Mac address) - - name: risk - overwrite: true - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - overwrite: true - type: keyword - - name: reason - overwrite: true - type: keyword - - name: status - overwrite: true - type: keyword - - name: mail_id - overwrite: true - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - overwrite: true - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - overwrite: true - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - overwrite: true - type: keyword - - name: p_msgid - overwrite: true - type: keyword - - name: data_type - overwrite: true - type: keyword - - name: msgIdPart4 - overwrite: true - type: keyword - - name: error - overwrite: true - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - overwrite: true - type: keyword - - name: listnum - overwrite: true - type: keyword - description: This key is used to capture listname or listnumber, primarily for - collecting access-list - - name: ntype - overwrite: true - type: keyword - - name: observed_val - overwrite: true - type: keyword - description: This key captures the Value observed (from the perspective of the - device generating the log). - - name: policy_value - overwrite: true - type: keyword - description: This key captures the contents of the policy. 
This contains details - about the policy - - name: pool_name - overwrite: true - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - overwrite: true - type: keyword - description: A default set of parameters which are overlayed onto a rule (or - rulename) which efffectively constitutes a template - - name: count - overwrite: true - type: keyword - - name: number - overwrite: true - type: keyword - - name: sigcat - overwrite: true - type: keyword - - name: type - overwrite: true - type: keyword - - name: comments - overwrite: true - type: keyword - description: Comment information provided in the log message - - name: doc_number - overwrite: true - type: long - description: This key captures File Identification number - - name: expected_val - overwrite: true - type: keyword - description: This key captures the Value expected (from the perspective of the - device generating the log). - - name: job_num - overwrite: true - type: keyword - description: This key captures the Job Number - - name: spi_dst - overwrite: true - type: keyword - description: Destination SPI Index - - name: spi_src - overwrite: true - type: keyword - description: Source SPI Index - - name: code - overwrite: true - type: keyword - - name: agent_id - overwrite: true - type: keyword - description: This key is used to capture agent id - - name: message_body - overwrite: true - type: keyword - description: This key captures the The contents of the message body. - - name: phone - overwrite: true - type: keyword - - name: sig_id_str - overwrite: true - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - overwrite: true - type: keyword - - name: misc - overwrite: true - type: keyword - - name: name - overwrite: true - type: keyword - - name: cpu - overwrite: true - type: long - description: This key is the CPU time used in the execution of the event being - recorded. 
- - name: event_desc - overwrite: true - type: keyword - description: This key is used to capture a description of an event available - directly or inferred - - name: sig_id1 - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID. This must be linked - to the sig.id - - name: im_buddyid - overwrite: true - type: keyword - - name: im_client - overwrite: true - type: keyword - - name: im_userid - overwrite: true - type: keyword - - name: pid - overwrite: true - type: keyword - - name: priority - overwrite: true - type: keyword - - name: context_subject - overwrite: true - type: keyword - description: This key is to be used in an audit context where the subject is - the object being identified - - name: context_target - overwrite: true - type: keyword - - name: cve - overwrite: true - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - - an identifier for known information security vulnerabilities. - - name: fcatnum - overwrite: true - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - overwrite: true - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - overwrite: true - type: keyword - description: This key captures the Parent Node Name. Must be related to node - variable. - - name: risk_info - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - overwrite: true - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - overwrite: true - type: long - description: This key describes the type of service - - name: vm_target - overwrite: true - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - overwrite: true - type: keyword - description: This key captures Workspace Description - - name: command - overwrite: true - type: keyword - - name: event_category - overwrite: true - type: keyword - - name: facilityname - overwrite: true - type: keyword - - name: forensic_info - overwrite: true - type: keyword - - name: jobname - overwrite: true - type: keyword - - name: mode - overwrite: true - type: keyword - - name: policy - overwrite: true - type: keyword - - name: policy_waiver - overwrite: true - type: keyword - - name: second - overwrite: true - type: keyword - - name: space1 - overwrite: true - type: keyword - - name: subcategory - overwrite: true - type: keyword - - name: tbdstr2 - overwrite: true - type: keyword - - name: alert_id - overwrite: true - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the the target - entity such as a process or file. - - name: checksum_src - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the source - entity such as a file or process. 
- - name: fresult - overwrite: true - type: long - description: This key captures the Filter Result - - name: payload_dst - overwrite: true - type: keyword - description: This key is used to capture destination payload - - name: payload_src - overwrite: true - type: keyword - description: This key is used to capture source payload - - name: pool_id - overwrite: true - type: keyword - description: This key captures the identifier (typically numeric field) of a - resource pool - - name: process_id_val - overwrite: true - type: keyword - description: This key is a failure key for Process ID when it is not an integer - value - - name: risk_num_comm - overwrite: true - type: double - description: This key captures Risk Number Community - - name: risk_num_next - overwrite: true - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - overwrite: true - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - overwrite: true - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - overwrite: true - type: keyword - description: SNMP Object Identifier - - name: sql - overwrite: true - type: keyword - description: This key captures the SQL query - - name: vuln_ref - overwrite: true - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - overwrite: true - type: keyword - - name: acl_op - overwrite: true - type: keyword - - name: acl_pos - overwrite: true - type: keyword - - name: acl_table - overwrite: true - type: keyword - - name: admin - overwrite: true - type: keyword - - name: alarm_id - overwrite: true - type: keyword - - name: alarmname - 
overwrite: true - type: keyword - - name: app_id - overwrite: true - type: keyword - - name: audit - overwrite: true - type: keyword - - name: audit_object - overwrite: true - type: keyword - - name: auditdata - overwrite: true - type: keyword - - name: benchmark - overwrite: true - type: keyword - - name: bypass - overwrite: true - type: keyword - - name: cache - overwrite: true - type: keyword - - name: cache_hit - overwrite: true - type: keyword - - name: cefversion - overwrite: true - type: keyword - - name: cfg_attr - overwrite: true - type: keyword - - name: cfg_obj - overwrite: true - type: keyword - - name: cfg_path - overwrite: true - type: keyword - - name: changes - overwrite: true - type: keyword - - name: client_ip - overwrite: true - type: keyword - - name: clustermembers - overwrite: true - type: keyword - - name: cn_acttimeout - overwrite: true - type: keyword - - name: cn_asn_src - overwrite: true - type: keyword - - name: cn_bgpv4nxthop - overwrite: true - type: keyword - - name: cn_ctr_dst_code - overwrite: true - type: keyword - - name: cn_dst_tos - overwrite: true - type: keyword - - name: cn_dst_vlan - overwrite: true - type: keyword - - name: cn_engine_id - overwrite: true - type: keyword - - name: cn_engine_type - overwrite: true - type: keyword - - name: cn_f_switch - overwrite: true - type: keyword - - name: cn_flowsampid - overwrite: true - type: keyword - - name: cn_flowsampintv - overwrite: true - type: keyword - - name: cn_flowsampmode - overwrite: true - type: keyword - - name: cn_inacttimeout - overwrite: true - type: keyword - - name: cn_inpermbyts - overwrite: true - type: keyword - - name: cn_inpermpckts - overwrite: true - type: keyword - - name: cn_invalid - overwrite: true - type: keyword - - name: cn_ip_proto_ver - overwrite: true - type: keyword - - name: cn_ipv4_ident - overwrite: true - type: keyword - - name: cn_l_switch - overwrite: true - type: keyword - - name: cn_log_did - overwrite: true - type: keyword - - name: 
cn_log_rid - overwrite: true - type: keyword - - name: cn_max_ttl - overwrite: true - type: keyword - - name: cn_maxpcktlen - overwrite: true - type: keyword - - name: cn_min_ttl - overwrite: true - type: keyword - - name: cn_minpcktlen - overwrite: true - type: keyword - - name: cn_mpls_lbl_1 - overwrite: true - type: keyword - - name: cn_mpls_lbl_10 - overwrite: true - type: keyword - - name: cn_mpls_lbl_2 - overwrite: true - type: keyword - - name: cn_mpls_lbl_3 - overwrite: true - type: keyword - - name: cn_mpls_lbl_4 - overwrite: true - type: keyword - - name: cn_mpls_lbl_5 - overwrite: true - type: keyword - - name: cn_mpls_lbl_6 - overwrite: true - type: keyword - - name: cn_mpls_lbl_7 - overwrite: true - type: keyword - - name: cn_mpls_lbl_8 - overwrite: true - type: keyword - - name: cn_mpls_lbl_9 - overwrite: true - type: keyword - - name: cn_mplstoplabel - overwrite: true - type: keyword - - name: cn_mplstoplabip - overwrite: true - type: keyword - - name: cn_mul_dst_byt - overwrite: true - type: keyword - - name: cn_mul_dst_pks - overwrite: true - type: keyword - - name: cn_muligmptype - overwrite: true - type: keyword - - name: cn_sampalgo - overwrite: true - type: keyword - - name: cn_sampint - overwrite: true - type: keyword - - name: cn_seqctr - overwrite: true - type: keyword - - name: cn_spackets - overwrite: true - type: keyword - - name: cn_src_tos - overwrite: true - type: keyword - - name: cn_src_vlan - overwrite: true - type: keyword - - name: cn_sysuptime - overwrite: true - type: keyword - - name: cn_template_id - overwrite: true - type: keyword - - name: cn_totbytsexp - overwrite: true - type: keyword - - name: cn_totflowexp - overwrite: true - type: keyword - - name: cn_totpcktsexp - overwrite: true - type: keyword - - name: cn_unixnanosecs - overwrite: true - type: keyword - - name: cn_v6flowlabel - overwrite: true - type: keyword - - name: cn_v6optheaders - overwrite: true - type: keyword - - name: comp_class - overwrite: true - type: 
keyword - - name: comp_name - overwrite: true - type: keyword - - name: comp_rbytes - overwrite: true - type: keyword - - name: comp_sbytes - overwrite: true - type: keyword - - name: cpu_data - overwrite: true - type: keyword - - name: criticality - overwrite: true - type: keyword - - name: cs_agency_dst - overwrite: true - type: keyword - - name: cs_analyzedby - overwrite: true - type: keyword - - name: cs_av_other - overwrite: true - type: keyword - - name: cs_av_primary - overwrite: true - type: keyword - - name: cs_av_secondary - overwrite: true - type: keyword - - name: cs_bgpv6nxthop - overwrite: true - type: keyword - - name: cs_bit9status - overwrite: true - type: keyword - - name: cs_context - overwrite: true - type: keyword - - name: cs_control - overwrite: true - type: keyword - - name: cs_data - overwrite: true - type: keyword - - name: cs_datecret - overwrite: true - type: keyword - - name: cs_dst_tld - overwrite: true - type: keyword - - name: cs_eth_dst_ven - overwrite: true - type: keyword - - name: cs_eth_src_ven - overwrite: true - type: keyword - - name: cs_event_uuid - overwrite: true - type: keyword - - name: cs_filetype - overwrite: true - type: keyword - - name: cs_fld - overwrite: true - type: keyword - - name: cs_if_desc - overwrite: true - type: keyword - - name: cs_if_name - overwrite: true - type: keyword - - name: cs_ip_next_hop - overwrite: true - type: keyword - - name: cs_ipv4dstpre - overwrite: true - type: keyword - - name: cs_ipv4srcpre - overwrite: true - type: keyword - - name: cs_lifetime - overwrite: true - type: keyword - - name: cs_log_medium - overwrite: true - type: keyword - - name: cs_loginname - overwrite: true - type: keyword - - name: cs_modulescore - overwrite: true - type: keyword - - name: cs_modulesign - overwrite: true - type: keyword - - name: cs_opswatresult - overwrite: true - type: keyword - - name: cs_payload - overwrite: true - type: keyword - - name: cs_registrant - overwrite: true - type: keyword - - 
name: cs_registrar - overwrite: true - type: keyword - - name: cs_represult - overwrite: true - type: keyword - - name: cs_rpayload - overwrite: true - type: keyword - - name: cs_sampler_name - overwrite: true - type: keyword - - name: cs_sourcemodule - overwrite: true - type: keyword - - name: cs_streams - overwrite: true - type: keyword - - name: cs_targetmodule - overwrite: true - type: keyword - - name: cs_v6nxthop - overwrite: true - type: keyword - - name: cs_whois_server - overwrite: true - type: keyword - - name: cs_yararesult - overwrite: true - type: keyword - - name: description - overwrite: true - type: keyword - - name: devvendor - overwrite: true - type: keyword - - name: distance - overwrite: true - type: keyword - - name: dstburb - overwrite: true - type: keyword - - name: edomain - overwrite: true - type: keyword - - name: edomaub - overwrite: true - type: keyword - - name: euid - overwrite: true - type: keyword - - name: facility - overwrite: true - type: keyword - - name: finterface - overwrite: true - type: keyword - - name: flags - overwrite: true - type: keyword - - name: gaddr - overwrite: true - type: keyword - - name: id3 - overwrite: true - type: keyword - - name: im_buddyname - overwrite: true - type: keyword - - name: im_croomid - overwrite: true - type: keyword - - name: im_croomtype - overwrite: true - type: keyword - - name: im_members - overwrite: true - type: keyword - - name: im_username - overwrite: true - type: keyword - - name: ipkt - overwrite: true - type: keyword - - name: ipscat - overwrite: true - type: keyword - - name: ipspri - overwrite: true - type: keyword - - name: latitude - overwrite: true - type: keyword - - name: linenum - overwrite: true - type: keyword - - name: list_name - overwrite: true - type: keyword - - name: load_data - overwrite: true - type: keyword - - name: location_floor - overwrite: true - type: keyword - - name: location_mark - overwrite: true - type: keyword - - name: log_id - overwrite: true - 
type: keyword - - name: log_type - overwrite: true - type: keyword - - name: logid - overwrite: true - type: keyword - - name: logip - overwrite: true - type: keyword - - name: logname - overwrite: true - type: keyword - - name: longitude - overwrite: true - type: keyword - - name: lport - overwrite: true - type: keyword - - name: mbug_data - overwrite: true - type: keyword - - name: misc_name - overwrite: true - type: keyword - - name: msg_type - overwrite: true - type: keyword - - name: msgid - overwrite: true - type: keyword - - name: netsessid - overwrite: true - type: keyword - - name: num - overwrite: true - type: keyword - - name: number1 - overwrite: true - type: keyword - - name: number2 - overwrite: true - type: keyword - - name: nwwn - overwrite: true - type: keyword - - name: object - overwrite: true - type: keyword - - name: operation - overwrite: true - type: keyword - - name: opkt - overwrite: true - type: keyword - - name: orig_from - overwrite: true - type: keyword - - name: owner_id - overwrite: true - type: keyword - - name: p_action - overwrite: true - type: keyword - - name: p_filter - overwrite: true - type: keyword - - name: p_group_object - overwrite: true - type: keyword - - name: p_id - overwrite: true - type: keyword - - name: p_msgid1 - overwrite: true - type: keyword - - name: p_msgid2 - overwrite: true - type: keyword - - name: p_result1 - overwrite: true - type: keyword - - name: password_chg - overwrite: true - type: keyword - - name: password_expire - overwrite: true - type: keyword - - name: permgranted - overwrite: true - type: keyword - - name: permwanted - overwrite: true - type: keyword - - name: pgid - overwrite: true - type: keyword - - name: policyUUID - overwrite: true - type: keyword - - name: prog_asp_num - overwrite: true - type: keyword - - name: program - overwrite: true - type: keyword - - name: real_data - overwrite: true - type: keyword - - name: rec_asp_device - overwrite: true - type: keyword - - name: rec_asp_num 
- overwrite: true - type: keyword - - name: rec_library - overwrite: true - type: keyword - - name: recordnum - overwrite: true - type: keyword - - name: ruid - overwrite: true - type: keyword - - name: sburb - overwrite: true - type: keyword - - name: sdomain_fld - overwrite: true - type: keyword - - name: sec - overwrite: true - type: keyword - - name: sensorname - overwrite: true - type: keyword - - name: seqnum - overwrite: true - type: keyword - - name: session - overwrite: true - type: keyword - - name: sessiontype - overwrite: true - type: keyword - - name: sigUUID - overwrite: true - type: keyword - - name: spi - overwrite: true - type: keyword - - name: srcburb - overwrite: true - type: keyword - - name: srcdom - overwrite: true - type: keyword - - name: srcservice - overwrite: true - type: keyword - - name: state - overwrite: true - type: keyword - - name: status1 - overwrite: true - type: keyword - - name: svcno - overwrite: true - type: keyword - - name: system - overwrite: true - type: keyword - - name: tbdstr1 - overwrite: true - type: keyword - - name: tgtdom - overwrite: true - type: keyword - - name: tgtdomain - overwrite: true - type: keyword - - name: threshold - overwrite: true - type: keyword - - name: type1 - overwrite: true - type: keyword - - name: udb_class - overwrite: true - type: keyword - - name: url_fld - overwrite: true - type: keyword - - name: user_div - overwrite: true - type: keyword - - name: userid - overwrite: true - type: keyword - - name: username_fld - overwrite: true - type: keyword - - name: utcstamp - overwrite: true - type: keyword - - name: v_instafname - overwrite: true - type: keyword - - name: virt_data - overwrite: true - type: keyword - - name: vpnid - overwrite: true - type: keyword - - name: autorun_type - overwrite: true - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - overwrite: true - type: long - description: Valid Credit Card Numbers only - - name: content - 
overwrite: true - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - overwrite: true - type: long - description: Employee Identification Numbers only - - name: found - overwrite: true - type: keyword - description: This is used to capture the results of regex match - - name: language - overwrite: true - type: keyword - description: This is used to capture list of languages the client support and - what it prefers - - name: lifetime - overwrite: true - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - overwrite: true - type: keyword - description: This key is used to link the sessions together. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: match - overwrite: true - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - overwrite: true - type: keyword - description: This key captures the command line/launch argument of the target - process or file - - name: param_src - overwrite: true - type: keyword - description: This key captures source parameter - - name: search_text - overwrite: true - type: keyword - description: This key captures the Search Text used - - name: sig_name - overwrite: true - type: keyword - description: This key is used to capture the Signature Name only. - - name: snmp_value - overwrite: true - type: keyword - description: SNMP set request value - - name: streams - overwrite: true - type: long - description: This key captures number of streams in session - - name: db - overwrite: true - type: group - fields: - - name: index - overwrite: true - type: keyword - description: This key captures IndexID of the index. 
- - name: instance - overwrite: true - type: keyword - description: This key is used to capture the database server instance name - - name: database - overwrite: true - type: keyword - description: This key is used to capture the name of a database or an instance - as seen in a session - - name: transact_id - overwrite: true - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - overwrite: true - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - overwrite: true - type: keyword - description: This key is used to capture the table name - - name: db_id - overwrite: true - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - overwrite: true - type: long - description: This key captures the process id of a connection with database - server - - name: lread - overwrite: true - type: long - description: This key is used for the number of logical reads - - name: lwrite - overwrite: true - type: long - description: This key is used for the number of logical writes - - name: pread - overwrite: true - type: long - description: This key is used for the number of physical writes - - name: network - overwrite: true - type: group - fields: - - name: alias_host - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a hostname is not clear.Also it captures the Device Hostname. Any Hostname - that isnt ad.computer. 
- - name: domain - overwrite: true - type: keyword - - name: host_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Hostname" - - name: network_service - overwrite: true - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of an interface is not clear - - name: network_port - overwrite: true - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently - used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - overwrite: true - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Interface" - - name: dinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Interface" - - name: vlan - overwrite: true - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Zone." - - name: zone - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a Zone is not clear - - name: zone_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Zone." - - name: gateway - overwrite: true - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - overwrite: true - type: long - description: This key is used to capture the ICMP type only - - name: mask - overwrite: true - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - overwrite: true - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - overwrite: true - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - overwrite: true - type: keyword - description: This key is used for Destionation Device network mask - - name: port - overwrite: true - type: long - description: This key should only be used to capture a Network Port when the - directionality is not clear - - name: smask - overwrite: true - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - overwrite: true - type: keyword - description: This key is used to capture the network name associated with an - IP range. This is configured by the end user. - - name: paddr - overwrite: true - type: ip - description: Deprecated - - name: faddr - overwrite: true - type: keyword - - name: lhost - overwrite: true - type: keyword - - name: origin - overwrite: true - type: keyword - - name: remote_domain_id - overwrite: true - type: keyword - - name: addr - overwrite: true - type: keyword - - name: dns_a_record - overwrite: true - type: keyword - - name: dns_ptr_record - overwrite: true - type: keyword - - name: fhost - overwrite: true - type: keyword - - name: fport - overwrite: true - type: keyword - - name: laddr - overwrite: true - type: keyword - - name: linterface - overwrite: true - type: keyword - - name: phost - overwrite: true - type: keyword - - name: ad_computer_dst - overwrite: true - type: keyword - description: Deprecated, use host.dst - - name: eth_type - overwrite: true - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols - Only - - name: ip_proto - overwrite: true - type: long - description: This key should be used to capture the Protocol number, all the - protocol nubers are converted into string in UI - - name: dns_cname_record - overwrite: true - 
type: keyword - - name: dns_id - overwrite: true - type: keyword - - name: dns_opcode - overwrite: true - type: keyword - - name: dns_resp - overwrite: true - type: keyword - - name: dns_type - overwrite: true - type: keyword - - name: domain1 - overwrite: true - type: keyword - - name: host_type - overwrite: true - type: keyword - - name: packet_length - overwrite: true - type: keyword - - name: host_orig - overwrite: true - type: keyword - description: This is used to capture the original hostname in case of a Forwarding - Agent or a Proxy in between. - - name: rpayload - overwrite: true - type: keyword - description: This key is used to capture the total number of payload bytes seen - in the retransmitted packets. - - name: vlan_name - overwrite: true - type: keyword - description: This key should only be used to capture the name of the Virtual - LAN - - name: investigations - overwrite: true - type: group - fields: - - name: ec_activity - overwrite: true - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - overwrite: true - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - overwrite: true - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - overwrite: true - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - overwrite: true - type: long - description: This key captures the Event category number - - name: event_cat_name - overwrite: true - type: keyword - description: This key captures the event category name corresponding to the - event cat code - - name: event_vcat - overwrite: true - type: keyword - description: This is a vendor supplied category. This should be used in situations - where the vendor has adopted their own event_category taxonomy. 
- - name: analysis_file - overwrite: true - type: keyword - description: This is used to capture all indicators used in a File Analysis. - This key should be used to capture an analysis of a file - - name: analysis_service - overwrite: true - type: keyword - description: This is used to capture all indicators used in a Service Analysis. - This key should be used to capture an analysis of a service - - name: analysis_session - overwrite: true - type: keyword - description: This is used to capture all indicators used for a Session Analysis. - This key should be used to capture an analysis of a session - - name: boc - overwrite: true - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - overwrite: true - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - overwrite: true - type: keyword - description: This used to capture investigation category - - name: inv_context - overwrite: true - type: keyword - description: This used to capture investigation context - - name: ioc - overwrite: true - type: keyword - description: This is key capture indicator of compromise - - name: counters - overwrite: true - type: group - fields: - - name: dclass_c1 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c1.str only - - name: dclass_c2 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c2.str only - - name: event_counter - overwrite: true - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r1.str only - - name: dclass_c3 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c3.str only - - name: dclass_c1_str - 
overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c1 only - - name: dclass_c2_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c2 only - - name: dclass_r1_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r1 only - - name: dclass_r2 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r2.str only - - name: dclass_c3_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c3 only - - name: dclass_r3 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r3.str only - - name: dclass_r2_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r2 only - - name: dclass_r3_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r3 only - - name: identity - overwrite: true - type: group - fields: - - name: auth_method - overwrite: true - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - overwrite: true - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - overwrite: true - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - overwrite: true - type: keyword - description: This key is used to capture the type of logon method used. 
- - name: profile - overwrite: true - type: keyword - description: This key is used to capture the user profile - - name: accesses - overwrite: true - type: keyword - description: This key is used to capture actual privileges used in accessing - an object - - name: realm - overwrite: true - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - overwrite: true - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that - indicates a Source dn - - name: org - overwrite: true - type: keyword - description: This key captures the User organization - - name: dn_dst - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that - indicates a Destination dn - - name: firstname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: lastname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: user_dept - overwrite: true - type: keyword - description: User's Department Names only - - name: user_sid_src - overwrite: true - type: keyword - description: This key captures Source User Session ID - - name: federated_sp - overwrite: true - type: keyword - description: This key is the Federated Service Provider. This is the application - requesting authentication. - - name: federated_idp - overwrite: true - type: keyword - description: This key is the federated Identity Provider. This is the server - providing the authentication. - - name: logon_type_desc - overwrite: true - type: keyword - description: This key is used to capture the textual description of an integer - logon type as stored in the meta key 'logon.type'. 
- - name: middlename - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: password - overwrite: true - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - overwrite: true - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - overwrite: true - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ - t have a clear query or response context" - - name: ldap_query - overwrite: true - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - overwrite: true - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - overwrite: true - type: keyword - description: This is used to capture username the process or service is running - as, the author of the task - - name: service_account - overwrite: true - type: keyword - description: This key is a windows specific key, used for capturing name of - the account a service (referenced in the event) is running under. Legacy Usage - - name: email - overwrite: true - type: group - fields: - - name: email_dst - overwrite: true - type: keyword - description: This key is used to capture the Destination email address only, - when the destination context is not clear use email - - name: email_src - overwrite: true - type: keyword - description: This key is used to capture the source email address only, when - the source context is not clear use email - - name: subject - overwrite: true - type: keyword - description: This key is used to capture the subject string from an Email only. 
- - name: email - overwrite: true - type: keyword - description: This key is used to capture a generic email address where the source - or destination context is not clear - - name: trans_from - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: file - overwrite: true - type: group - fields: - - name: privilege - overwrite: true - type: keyword - description: Deprecated, use permissions - - name: attachment - overwrite: true - type: keyword - description: This key captures the attachment file name - - name: filesystem - overwrite: true - type: keyword - - name: binary - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: filename_dst - overwrite: true - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - overwrite: true - type: keyword - description: This is used to capture name of the parent filename, the file which - performed the action - - name: filename_tmp - overwrite: true - type: keyword - - name: directory_dst - overwrite: true - type: keyword - description: This key is used to capture the directory of the target process - or file - - name: directory_src - overwrite: true - type: keyword - description: This key is used to capture the directory of the source process - or file - - name: file_entropy - overwrite: true - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - overwrite: true - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - overwrite: true - type: keyword - description: This is used to capture name of the task - - name: web - overwrite: true - type: group - fields: - - name: fqdn - overwrite: true - type: keyword - description: Fully Qualified Domain Names - - 
name: web_cookie - overwrite: true - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - overwrite: true - type: keyword - - name: reputation_num - overwrite: true - type: double - description: Reputation Number of an entity. Typically used for Web Domains - - name: web_ref_domain - overwrite: true - type: keyword - description: Web referer's domain - - name: web_ref_query - overwrite: true - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - overwrite: true - type: keyword - - name: web_ref_page - overwrite: true - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - overwrite: true - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - overwrite: true - type: keyword - - name: cn_rpackets - overwrite: true - type: keyword - - name: urlpage - overwrite: true - type: keyword - - name: urlroot - overwrite: true - type: keyword - - name: p_url - overwrite: true - type: keyword - - name: p_user_agent - overwrite: true - type: keyword - - name: p_web_cookie - overwrite: true - type: keyword - - name: p_web_method - overwrite: true - type: keyword - - name: p_web_referer - overwrite: true - type: keyword - - name: web_extension_tmp - overwrite: true - type: keyword - - name: web_page - overwrite: true - type: keyword - - name: threat - overwrite: true - type: group - fields: - - name: threat_category - overwrite: true - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of - alert - - name: threat_desc - overwrite: true - type: keyword - description: This key is used to capture the threat description from the session - directly or inferred - - name: alert - overwrite: true - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - overwrite: true - type: keyword - description: This key is used to 
capture source of the threat - - name: crypto - overwrite: true - type: group - fields: - - name: crypto - overwrite: true - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key - only - - name: cipher_src - overwrite: true - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - overwrite: true - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - overwrite: true - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - overwrite: true - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - overwrite: true - type: keyword - description: IKE negotiation phase. - - name: scheme - overwrite: true - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - overwrite: true - type: keyword - description: "This key is for Encryption peer\u2019s identity" - - name: sig_type - overwrite: true - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - overwrite: true - type: keyword - - name: cert_host_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: cert_error - overwrite: true - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - overwrite: true - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - overwrite: true - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - overwrite: true - type: keyword - description: Deprecated, use version - - name: d_certauth - overwrite: true - type: keyword - - name: s_certauth - overwrite: true - type: keyword - - name: ike_cookie1 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - - name: ike_cookie2 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - - name: cert_checksum - overwrite: true - type: keyword - - name: cert_host_cat - overwrite: true - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - overwrite: true - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - overwrite: true - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - overwrite: true - type: keyword - description: Deprecated, use version - - name: cert_keysize - overwrite: true - type: keyword - - name: cert_username - overwrite: true - type: keyword - - name: https_insact - overwrite: true - type: keyword - - name: https_valid - overwrite: true - type: keyword - - name: cert_ca - overwrite: true - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - overwrite: true - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - overwrite: true - type: group - fields: - - name: wlan_ssid - overwrite: true - type: keyword - description: This key is 
used to capture the ssid of a Wireless Session - - name: access_point - overwrite: true - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - overwrite: true - type: long - description: This is used to capture the channel names - - name: wlan_name - overwrite: true - type: keyword - description: This key captures either WLAN number/name - - name: storage - overwrite: true - type: group - fields: - - name: disk_volume - overwrite: true - type: keyword - description: A unique name assigned to logical units (volumes) within a physical - disk - - name: lun - overwrite: true - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - overwrite: true - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - overwrite: true - type: group - fields: - - name: org_dst - overwrite: true - type: keyword - description: This is used to capture the destination organization based on the - GEOPIP Maxmind database. - - name: org_src - overwrite: true - type: keyword - description: This is used to capture the source organization based on the GEOPIP - Maxmind database. 
 - - name: healthcare - overwrite: true - type: group - fields: - - name: patient_fname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_id - overwrite: true - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_mname - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: endpoint - overwrite: true - type: group - fields: - - name: host_state - overwrite: true - type: keyword - description: This key is used to capture the current state of the machine, such - as blacklisted, infected, firewall - disabled and so on - - name: registry_key - overwrite: true - type: keyword - description: This key captures the path to the registry key - - name: registry_value - overwrite: true - type: keyword - description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/f5/bigipafm/config/input.yml b/x-pack/filebeat/module/f5/bigipafm/config/input.yml
deleted file mode 100644
index 4a241639655..00000000000
--- a/x-pack/filebeat/module/f5/bigipafm/config/input.yml
+++ /dev/null
@@ -1,87 +0,0 @@
-{{ if eq .input "file" }}
-
-type: log
-paths:
- {{ range $i, $path := .paths }}
-- {{$path}}
- {{ end }}
-exclude_files: [".gz$"]
-
-{{ else }}
-
-type: {{.input}}
-host: "{{.syslog_host}}:{{.syslog_port}}"
-
-{{ end }}
-
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
-
-fields_under_root: true
-fields:
- observer:
- vendor: "F5"
- product: "Big-IP"
- type: "Firewall"
-
-processors:
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{.rsa_fields}}
- tz_offset: {{.tz_offset}}
- keep_raw: {{.keep_raw_fields}}
- debug: {{.debug}}
- files:
- - ${path.home}/module/f5/bigipafm/config/liblogparser.js
- - ${path.home}/module/f5/bigipafm/config/pipeline.js
-{{ if .community_id }}
-- community_id: ~
-{{ end }}
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: dns.question.name
- target_field: dns.question.registered_domain
- target_subdomain_field: dns.question.subdomain
- target_etld_field: dns.question.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: client.domain
- target_field: client.registered_domain
- target_subdomain_field: client.subdomain
- target_etld_field: client.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: server.domain
- target_field: server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/f5/bigipafm/config/liblogparser.js b/x-pack/filebeat/module/f5/bigipafm/config/liblogparser.js
deleted file mode 100644
index b35eaa3ddce..00000000000
--- a/x-pack/filebeat/module/f5/bigipafm/config/liblogparser.js
+++ /dev/null
@@ -1,2514 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -/* jshint -W014,-W016,-W097,-W116 */ - -var processor = require("processor"); -var console = require("console"); - -var FLAG_FIELD = "log.flags"; -var FIELDS_OBJECT = "nwparser"; -var FIELDS_PREFIX = FIELDS_OBJECT + "."; - -var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true -}; - -var saved_flags = null; -var debug; -var map_ecs; -var map_rsa; -var keep_raw; -var device; -var tz_offset; -var strip_priority; - -// Register params from configuration. -function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); -} - -function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } -} - -function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); -} - -function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); -} - -function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; -} - -function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; -} - -function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; -} - -var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); -})(); - -function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; -} - -function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } -} - -function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; -} - -function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; -} - -function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; -} - -function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; -} - -var start; - -function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); -} - -function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); -} - -function constant(value) { - return function (evt) { - return value; - }; -} - -function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; -} - -function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; -} - -// TODO: Implement -function DIRCHK(args) { - unimplemented("DIRCHK"); -} - -function strictToInt(str) { - return str * 1; -} - -function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - var result; - switch 
(args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; -} - -var quoteChars = "\"'`"; -function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; -} - -function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; -} - -function nop(evt) { -} - -function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); -} - -function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); -} - -function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; -} - -function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); -} - -function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; -} - -function setc(dst, value) { - return function (evt) { - evt.Put(FIELDS_PREFIX + dst, value); - }; 
-} - -function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; -} - -function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; -} - -function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; -} - -function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; -} - -// Make two-digit dates 00-69 interpreted as 2000-2069 -// and dates 70-99 translated to 1970-1999. -var twoDigitYearEpoch = 70; -var twoDigitYearCentury = 2000; - -// This is to accept dates up to 2 days in the future, only used when -// no year is specified in a date. 2 days should be enough to account for -// time differences between systems and different tz offsets. -var maxFutureDelta = 2*24*60*60*1000; - -// DateContainer stores date fields and then converts those fields into -// a Date. Necessary because building a Date using its set() methods gives -// different results depending on the order of components. -function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; -} - -DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } -} - -function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; -} - -function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; -} - -function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; -} - -var uA = 60 * 60 * 24; -var uD = 60 * 60 * 24; -var uF = 60 * 60; -var uG = 60 * 60 * 24 * 30; -var uH = 60 * 60; -var uI = 60 * 60; -var uJ = 60 * 60 * 24; -var uM = 60 * 60 * 24 * 30; -var uN = 60 * 60; -var uO = 1; -var uS = 1; -var uT = 60; -var uU = 60; -var uc = dc; - -function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; -} - -function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 5], - "dec": [11, 4], 
-}; - -// var dC = undefined; -var dR = dateMonthName(true); -var dB = dateMonthName(false); -var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); -var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); -var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); -var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); -var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); -var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 -var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); -var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); -var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); -var dP = parseAMPM; // AM|PM -var dQ = parseAMPM; // A.M.|P.M -var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); -var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); -var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); -var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); -var dZ = parseHMS; -var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - -// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. -// Only works if this modifier appears after the hour has been read from logs -// which is always the case in the 300 devices. 
-function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; -} - -function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); -} - -function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; -} - -function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; -} - -function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; -} - -function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; -} - -function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; -} - -// Short month name (Jan..Dec). -function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; -} - -function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; -} - -// The following regular expression for parsing URLs from: -// https://github.com/wizard04wsu/URI_Parsing -// -// The MIT License (MIT) -// -// Copyright (c) 2014 Andrew Harrison -// -// Permission is hereby granted, free of charge, to any person obtaining a copy of -// this software and associated documentation files (the "Software"), to deal in -// the Software without restriction, including without limitation the rights to -// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -// the Software, and to permit persons to whom the Software is furnished to do so, -// subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
-var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - -var uriScheme = 1; -var uriDomain = 5; -var uriPort = 6; -var uriPath = 7; -var uriPathAlt = 9; -var uriQuery = 11; - -function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); -} - -function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; -} - -function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; -} - -var extFromPage = /\.[^.]+$/; -function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } -} - -function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); -} - -function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); -} - -var pageFromPathRegExp = /\/([^\/]+)$/; -var pageName = 1; - -function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; -} - -function page(dst, src) { - return url_wrapper(dst, src, extract_page); -} - -function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; -} - -function path(dst, src) { - return url_wrapper(dst, src, extract_path); -} - -// Map common schemes to their default port. -// port has to be a string (will be converted at a later stage). 
-var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", -}; - -function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } -} - -function port(dst, src) { - return url_wrapper(dst, src, extract_port); -} - -function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; -} - -function query(dst, src) { - return url_wrapper(dst, src, extract_query); -} - -function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } -} - -function root(dst, src) { - return url_wrapper(dst, src, extract_root); -} - -function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } -} - -var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, -}; - -var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, 
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, -}; - -function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } -} - -// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. -var maxSafeInt = Math.pow(2, 53) - 1; -var minSafeInt = -maxSafeInt; - -function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; -} - -function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); -} - -var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; -var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - -function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; -} - -function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; -} - -function to_double(value) { - return parseFloat(value); -} - -function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; -} - -function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; -} - -function fld_set(dst, value) { - dst[this.field] = { v: value }; -} - -function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } -} - -function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } -} - -var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true -}; - -function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } -} - -function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } -} - -function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); -} - -var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, -]; - -function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - tzOffset = 
evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{hfld2->} %{hhostname->} %{hfld3->} %{hfld4->} %{hfld5->} [F5@%{hfld6->} %{payload}", processor_chain([ - setc("header_id","0001"), - setc("messageid","BIGIP_AFM"), -])); - -var select1 = linear_select([ - hdr1, -]); - -var part1 = tagval("MESSAGE#0:BIGIP_AFM", "nwparser.payload", tvm, { - "acl_policy_name": "policyname", - "acl_policy_type": "fld1", - "acl_rule_name": "rulename", - "action": "action", - "bigip_mgmt_ip": "hostip", - "context_name": "context", - "context_type": "fld2", - "date_time": "event_time_string", - "dest_ip": "daddr", - "dest_port": "dport", - "device_product": "product", - "device_vendor": "fld3", - "device_version": "version", - "drop_reason": "fld4", - "dst_geo": "location_dst", - "errdefs_msg_name": "event_type", - "errdefs_msgno": "id", - "flow_id": "fld5", - "hostname": "hostname", - "ip_protocol": "protocol", - "partition_name": "fld6", - "route_domain": "fld7", - "sa_translation_pool": "fld8", - "sa_translation_type": "fld9", - "severity": "severity", - "source_ip": "saddr", - "source_port": "sport", - "source_user": "username", - "src_geo": "location_src", - "translated_dest_ip": "dtransaddr", - "translated_dest_port": "dtransport", - "translated_ip_protocol": "fld10", - "translated_route_domain": "fld11", - "translated_source_ip": "stransaddr", - "translated_source_port": "stransport", - "translated_vlan": "fld12", - "vlan": "vlan", -}, processor_chain([ - setc("eventcategory","1801000000"), - setf("msg","$MSG"), - date_time({ - dest: "event_time", - args: ["event_time_string"], - fmts: [ - [dB,dD,dW,dZ], - ], - }), - setc("ec_subject","NetworkComm"), - setc("ec_theme","Communication"), - lookup({ - dest: "nwparser.ec_activity", - map: map_getEventCategoryActivity, - key: field("action"), - }), - setf("obj_name","hfld6"), -])); - -var msg1 = msg("BIGIP_AFM", part1); - -var chain1 = processor_chain([ - select1, - msgid_select({ - 
"BIGIP_AFM": msg1,
- }),
-]);
diff --git a/x-pack/filebeat/module/f5/bigipafm/ingest/pipeline.yml b/x-pack/filebeat/module/f5/bigipafm/ingest/pipeline.yml
deleted file mode 100644
index ae772c9b6a3..00000000000
--- a/x-pack/filebeat/module/f5/bigipafm/ingest/pipeline.yml
+++ /dev/null
@@ -1,88 +0,0 @@ ---- -description: Pipeline for Big-IP Advanced Firewall Manager - -processors: - # ECS event.ingested - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - # User agent - - user_agent: - field: user_agent.original - ignore_missing: true - # URL - - uri_parts: - field: url.original - target_field: _temp_.url - ignore_failure: true - if: ctx?.url?.original != null - - script: - lang: painless - description: Updates the URL ECS fields from the results of the URI parts processor to not overwrite the RSA mappings - if: ctx?._temp_?.url != null - source: | - for (entry in ctx._temp_.url.entrySet()) { - if (entry != null && entry.getValue() != null) { - if(ctx.url[entry.getKey()] == null) { - ctx.url[entry.getKey()] = entry.getValue(); - } else if (!ctx.url[entry.getKey()].contains(entry.getValue())) { - ctx.url[entry.getKey()] = [ctx.url[entry.getKey()]]; - ctx.url[entry.getKey()].add(entry.getValue()); - } - } - } - - remove: - field: _temp_ - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: 
true - - append: - field: related.hosts - value: '{{host.name}}' - allow_duplicates: false - if: ctx.host?.name != null && ctx.host?.name != '' -on_failure: - - append: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/f5/bigipafm/manifest.yml b/x-pack/filebeat/module/f5/bigipafm/manifest.yml deleted file mode 100644 index 3c7c3383882..00000000000 --- a/x-pack/filebeat/module/f5/bigipafm/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -module_version: "1.0" - -var: - - name: paths - - name: tags - default: ["f5.bigipafm", "forwarded"] - - name: syslog_host - default: localhost - - name: syslog_port - default: 9544 - - name: input - default: udp - - name: community_id - default: true - - name: tz_offset - default: local - - name: rsa_fields - default: true - - name: keep_raw_fields - default: false - - name: debug - default: false - -ingest_pipeline: ingest/pipeline.yml -input: config/input.yml - -requires.processors: -- name: geoip - plugin: ingest-geoip -- name: user_agent - plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/f5/bigipafm/test/generated.log b/x-pack/filebeat/module/f5/bigipafm/test/generated.log deleted file mode 100644 index 6bf7146dfe9..00000000000 --- a/x-pack/filebeat/module/f5/bigipafm/test/generated.log +++ /dev/null 
@@ -1,100 +0,0 @@ -iusm modtempo olab6078.home olaboris tur itv [F5@odoco acl_policy_name=ria acl_policy_type=min acl_rule_name=ite action=Closed hostname=tatemac3541.api.corp bigip_mgmt_ip=10.228.193.207 context_name=liqua context_type=ciade date_time=Jan 29 2016 06:09:59 dest_ip=10.125.114.51 dst_geo=umq dest_port=2288 device_product=pexe device_vendor=nes device_version=1.2262 drop_reason=reveri errdefs_msgno=boNemoe errdefs_msg_name=equepor flow_id=eni ip_protocol=ipv6 severity=low partition_name=ehend route_domain=ritquiin sa_translation_pool=umqui sa_translation_type=reeufugi source_ip=10.208.121.85 src_geo=sperna source_port=884 source_user=billoi translated_dest_ip=10.165.201.71 translated_dest_port=6153 translated_ip_protocol=tatemU translated_route_domain=deF translated_source_ip=10.11.196.142 translated_source_port=5222 translated_vlan=iatnu vlan=3810 -eporr quipexe alo4540.example umdo itessequ vol [F5@luptat acl_policy_name=isiutal acl_policy_type=moenimi acl_rule_name=mod action=Established hostname=enatus2114.mail.home bigip_mgmt_ip=10.51.132.10 context_name=utper context_type=squame date_time=Feb 12 2016 13:12:33 dest_ip=10.173.116.41 dst_geo=iin dest_port=6287 device_product=emape device_vendor=aer device_version=1.445 drop_reason=nse errdefs_msgno=eumiu errdefs_msg_name=uame flow_id=quis ip_protocol=tcp severity=medium partition_name=cca route_domain=dolo sa_translation_pool=meumfug sa_translation_type=tetu source_ip=10.162.9.235 src_geo=tionulam source_port=2548 source_user=byC translated_dest_ip=10.94.67.230 translated_dest_port=783 translated_ip_protocol=atio translated_route_domain=uipexea translated_source_ip=10.92.202.200 translated_source_port=6772 translated_vlan=eFini vlan=859 -exe iatu ionofde2424.api.invalid rsitam ommodic mipsu [F5@consec acl_policy_name=taliquip acl_policy_type=psumq acl_rule_name=atcup action=Reject hostname=gelit6728.api.invalid bigip_mgmt_ip=10.122.116.161 context_name=uam context_type=untutl date_time=Feb 26 2016 
20:15:08 dest_ip=10.40.68.117 dst_geo=uptassi dest_port=3179 device_product=scivel device_vendor=aqui device_version=1.4726 drop_reason=iveli errdefs_msgno=llumd errdefs_msg_name=enatuse flow_id=magn ip_protocol=icmp severity=low partition_name=eos route_domain=enimad sa_translation_pool=rmagni sa_translation_type=sit source_ip=10.209.155.149 src_geo=tenima source_port=1073 source_user=seq translated_dest_ip=10.82.56.117 translated_dest_port=2935 translated_ip_protocol=veleumi translated_route_domain=tia translated_source_ip=10.191.68.244 translated_source_port=6905 translated_vlan=veri vlan=5990 -siutaliq exercit tempor4496.www.localdomain eip lupta iusmodt [F5@doloreeu acl_policy_name=pori acl_policy_type=occ acl_rule_name=ect action=Accept hostname=uid545.www5.localhost bigip_mgmt_ip=10.12.44.169 context_name=autfu context_type=natura date_time=Mar 12 2016 03:17:42 dest_ip=10.163.217.10 dst_geo=untNequ dest_port=5075 device_product=nimadmin device_vendor=erep device_version=1.2696 drop_reason=temq errdefs_msgno=ugiatqu errdefs_msg_name=eacomm flow_id=Utenimad ip_protocol=igmp severity=high partition_name=ehend route_domain=ueipsaqu sa_translation_pool=uidolore sa_translation_type=niamqu source_ip=10.202.66.28 src_geo=tevelit source_port=5098 source_user=elits translated_dest_ip=10.131.233.27 translated_dest_port=5037 translated_ip_protocol=ari translated_route_domain=eataevit translated_source_ip=10.50.112.141 translated_source_port=7303 translated_vlan=dmi vlan=499 -mquisnos loremagn iciade3433.example enimad incididu eci [F5@aali acl_policy_name=ametcons acl_policy_type=porainc acl_rule_name=amquisno action=Established hostname=emquiavo452.internal.localhost bigip_mgmt_ip=10.151.111.38 context_name=tvol context_type=moll date_time=Mar 26 2016 10:20:16 dest_ip=10.228.149.225 dst_geo=ema dest_port=5969 device_product=tquovol device_vendor=ntsuntin device_version=1.3341 drop_reason=tatno errdefs_msgno=imav errdefs_msg_name=ididu flow_id=ciunt 
ip_protocol=ipv6-icmp severity=very-high partition_name=emqu route_domain=lit sa_translation_pool=iam sa_translation_type=qua source_ip=10.159.182.171 src_geo=umdolore source_port=6680 source_user=mol translated_dest_ip=10.96.35.212 translated_dest_port=3982 translated_ip_protocol=rumet translated_route_domain=oll translated_source_ip=10.206.197.113 translated_source_port=4075 translated_vlan=temUten vlan=4125 -iqu ollit usan6343.www5.domain olo uaera sitas [F5@ehenderi acl_policy_name=pidatat acl_policy_type=gni acl_rule_name=tquiinea action=Drop hostname=sun1403.www.invalid bigip_mgmt_ip=10.126.177.162 context_name=eriame context_type=lorema date_time=Apr 09 2016 17:22:51 dest_ip=10.213.82.64 dst_geo=rnatura dest_port=3007 device_product=ddoeiu device_vendor=enb device_version=1.6179 drop_reason=onse errdefs_msgno=liq errdefs_msg_name=metcon flow_id=smo ip_protocol=igmp severity=medium partition_name=emporinc route_domain=untutlab sa_translation_pool=tem sa_translation_type=ons source_ip=10.213.113.28 src_geo=ali source_port=6446 source_user=ist translated_dest_ip=10.169.144.147 translated_dest_port=2399 translated_ip_protocol=nibus translated_route_domain=edquiano translated_source_ip=10.89.163.114 translated_source_port=5166 translated_vlan=par vlan=686 -rveli rsint omm4276.www.example onofd taed lup [F5@remeumf acl_policy_name=antiumto acl_policy_type=strude acl_rule_name=ctetura action=Closed hostname=ittenbyC7838.api.localdomain bigip_mgmt_ip=10.18.124.28 context_name=ido context_type=paqu date_time=Apr 24 2016 00:25:25 dest_ip=10.158.194.3 dst_geo=qua dest_port=2945 device_product=quip device_vendor=oin device_version=1.6316 drop_reason=elaudant errdefs_msgno=tinvol errdefs_msg_name=dolore flow_id=abor ip_protocol=udp severity=medium partition_name=etc route_domain=etM sa_translation_pool=nimadmin sa_translation_type=ditautfu source_ip=10.146.88.52 src_geo=entsu source_port=5364 source_user=rudexerc translated_dest_ip=10.101.223.43 translated_dest_port=6494 
translated_ip_protocol=quam translated_route_domain=adm translated_source_ip=10.103.107.47 translated_source_port=6094 translated_vlan=Nemoen vlan=2827 -icab mwr fugi4637.www.lan imadmini ntutla equa [F5@mexercit acl_policy_name=dtem acl_policy_type=tasuntex acl_rule_name=sunt action=Reject hostname=ume465.corp bigip_mgmt_ip=10.189.109.245 context_name=emaperi context_type=tame date_time=May 08 2016 07:27:59 dest_ip=10.83.234.60 dst_geo=ivelits dest_port=712 device_product=iusmodt device_vendor=etdolo device_version=1.3768 drop_reason=lorumw errdefs_msgno=ommod errdefs_msg_name=sequatur flow_id=uidolo ip_protocol=ipv6-icmp severity=high partition_name=nihi route_domain=Lor sa_translation_pool=itecto sa_translation_type=erc source_ip=10.69.57.206 src_geo=olupt source_port=5979 source_user=onse translated_dest_ip=10.110.99.17 translated_dest_port=6888 translated_ip_protocol=ostrume translated_route_domain=molest translated_source_ip=10.150.220.75 translated_source_port=1298 translated_vlan=tisetq vlan=5372 -ici giatquov eritquii3561.www.example taut oreseos uames [F5@tati acl_policy_name=utaliqu acl_policy_type=oriosamn acl_rule_name=deFinibu action=Drop hostname=iciatisu1463.www5.localdomain bigip_mgmt_ip=10.153.136.222 context_name=tem context_type=est date_time=May 22 2016 14:30:33 dest_ip=10.176.205.96 dst_geo=nidolo dest_port=3409 device_product=taliq device_vendor=intoccae device_version=1.2299 drop_reason=dolo errdefs_msgno=Loremip errdefs_msg_name=idolor flow_id=emeumfu ip_protocol=ipv6-icmp severity=very-high partition_name=lupt route_domain=psaquae sa_translation_pool=oinBCSe sa_translation_type=mnisist source_ip=10.199.34.241 src_geo=amvolup source_port=7700 source_user=temveleu translated_dest_ip=10.19.194.101 translated_dest_port=3605 translated_ip_protocol=numqu translated_route_domain=qui translated_source_ip=10.121.219.204 translated_source_port=3496 translated_vlan=utali vlan=3611 -reetd lumqui itinvo7084.mail.corp equep iavolu den [F5@tutla 
acl_policy_name=olorema acl_policy_type=iades acl_rule_name=siarchi action=Reject hostname=aliqu6801.api.localdomain bigip_mgmt_ip=10.46.27.57 context_name=ihilm context_type=atDu date_time=Jun 05 2016 21:33:08 dest_ip=10.128.232.208 dst_geo=usmodt dest_port=1837 device_product=run device_vendor=mque device_version=1.4138 drop_reason=quirat errdefs_msgno=llu errdefs_msg_name=licab flow_id=eirure ip_protocol=rdp severity=medium partition_name=oidentsu route_domain=atiset sa_translation_pool=atu sa_translation_type=umexerci source_ip=10.64.141.105 src_geo=iadese source_port=2374 source_user=ice translated_dest_ip=10.57.103.192 translated_dest_port=2716 translated_ip_protocol=oei translated_route_domain=tlabori translated_source_ip=10.182.199.231 translated_source_port=1426 translated_vlan=data vlan=4478 -nnum eritqu uradip7152.www5.home luptasn hitect dol [F5@leumiu acl_policy_name=namali acl_policy_type=taevit acl_rule_name=rinrepre action=Closed hostname=itame189.domain bigip_mgmt_ip=10.32.67.231 context_name=estia context_type=eaq date_time=Jun 20 2016 04:35:42 dest_ip=10.66.80.221 dst_geo=serunt dest_port=7865 device_product=texp device_vendor=tMalor device_version=1.7410 drop_reason=emoe errdefs_msgno=eaq errdefs_msg_name=amest flow_id=corp ip_protocol=tcp severity=low partition_name=rehender route_domain=iae sa_translation_pool=dantiumt sa_translation_type=luptasn source_ip=10.164.6.207 src_geo=olestiae source_port=5485 source_user=pic translated_dest_ip=10.160.210.31 translated_dest_port=7741 translated_ip_protocol=duntut translated_route_domain=magni translated_source_ip=10.3.134.237 translated_source_port=3156 translated_vlan=radipisc vlan=7020 -fficiade uscipit vitaedi1318.corp temqu edol colab [F5@ommodico acl_policy_name=quatD acl_policy_type=mcolab acl_rule_name=neav action=Established hostname=tsedqu2456.www5.invalid bigip_mgmt_ip=10.182.178.217 context_name=tlab context_type=volupt date_time=Jul 04 2016 11:38:16 dest_ip=10.188.169.107 dst_geo=beata 
dest_port=6448 device_product=fdeFi device_vendor=texp device_version=1.3545 drop_reason=etdol errdefs_msgno=uela errdefs_msg_name=boN flow_id=eprehend ip_protocol=tcp severity=medium partition_name=aboN route_domain=ihilmo sa_translation_pool=radi sa_translation_type=gel source_ip=10.235.101.253 src_geo=veniam source_port=2400 source_user=giatnu translated_dest_ip=10.42.138.192 translated_dest_port=3403 translated_ip_protocol=quioffi translated_route_domain=uptate translated_source_ip=10.201.6.10 translated_source_port=6608 translated_vlan=sequa vlan=2851 -ate aliquam nimid893.mail.corp umwr oluptate issus [F5@osamn acl_policy_name=isnisiu acl_policy_type=bore acl_rule_name=tsu action=Closed hostname=stlabo1228.mail.host bigip_mgmt_ip=10.151.161.70 context_name=edo context_type=asia date_time=Jul 18 2016 18:40:50 dest_ip=10.108.167.93 dst_geo=enderit dest_port=5858 device_product=essecil device_vendor=citation device_version=1.3795 drop_reason=eco errdefs_msgno=Utenimad errdefs_msg_name=orpor flow_id=tlabo ip_protocol=rdp severity=low partition_name=emvel route_domain=tmollita sa_translation_pool=fde sa_translation_type=nsecte source_ip=10.22.102.198 src_geo=eroi source_port=176 source_user=nse translated_dest_ip=10.194.247.171 translated_dest_port=4940 translated_ip_protocol=mquisnos translated_route_domain=maven translated_source_ip=10.86.101.235 translated_source_port=3266 translated_vlan=lapar vlan=1024 -tfu udan orema6040.api.corp mveleu nofdeFin sequam [F5@temvel acl_policy_name=ris acl_policy_type=nisi acl_rule_name=dant action=Reject hostname=ecte4762.local bigip_mgmt_ip=10.204.35.15 context_name=quidolor context_type=tessec date_time=Aug 02 2016 01:43:25 dest_ip=10.135.160.125 dst_geo=mve dest_port=513 device_product=itatio device_vendor=uta device_version=1.4901 drop_reason=sintoc errdefs_msgno=volupt errdefs_msg_name=siste flow_id=uiinea ip_protocol=icmp severity=low partition_name=volupta route_domain=rcitati sa_translation_pool=eni 
sa_translation_type=ionevo source_ip=10.174.252.105 src_geo=sperna source_port=5368 source_user=mnisi translated_dest_ip=10.107.168.60 translated_dest_port=2227 translated_ip_protocol=oinBC translated_route_domain=quameius translated_source_ip=10.167.172.155 translated_source_port=3544 translated_vlan=etdo vlan=706 -ese isaute ptatemq95.api.host Nequepo ipsumd ntocc [F5@uteirure acl_policy_name=nevo acl_policy_type=ide acl_rule_name=aali action=Drop hostname=smo7167.www.test bigip_mgmt_ip=10.214.249.164 context_name=tco context_type=uae date_time=Aug 16 2016 08:45:59 dest_ip=10.187.20.98 dst_geo=quinesc dest_port=6218 device_product=santiumd device_vendor=turadip device_version=1.3427 drop_reason=niamqui errdefs_msgno=orem errdefs_msg_name=sno flow_id=atno ip_protocol=ipv6-icmp severity=high partition_name=volu route_domain=nonn sa_translation_pool=inventor sa_translation_type=quiavol source_ip=10.99.249.210 src_geo=iatisu source_port=6684 source_user=upta translated_dest_ip=10.182.191.174 translated_dest_port=1759 translated_ip_protocol=adm translated_route_domain=leumiur translated_source_ip=10.81.26.208 translated_source_port=7651 translated_vlan=isc vlan=5933 -tobea tor qui4499.api.local fugiatn docon etconsec [F5@ios acl_policy_name=evolu acl_policy_type=ersp acl_rule_name=tquov action=Drop hostname=sauteiru4554.api.domain bigip_mgmt_ip=10.220.5.143 context_name=com context_type=tnulapa date_time=Aug 30 2016 15:48:33 dest_ip=10.108.85.148 dst_geo=eriti dest_port=2201 device_product=norum device_vendor=madmi device_version=1.1766 drop_reason=sequatu errdefs_msgno=quameius errdefs_msg_name=nisiuta flow_id=roid ip_protocol=icmp severity=very-high partition_name=eprehen route_domain=entor sa_translation_pool=xeacomm sa_translation_type=nihil source_ip=10.101.226.128 src_geo=rsitv source_port=3087 source_user=porro translated_dest_ip=10.88.101.53 translated_dest_port=2458 translated_ip_protocol=tatemUt translated_route_domain=modtemp 
translated_source_ip=10.201.238.90 translated_source_port=2715 translated_vlan=remag vlan=3759 -ccaecat tquiin tse4198.www.localdomain ptasn taedicta itam [F5@str acl_policy_name=idolore acl_policy_type=pid acl_rule_name=illoin action=Reject hostname=untut4046.internal.domain bigip_mgmt_ip=10.217.150.196 context_name=uine context_type=udant date_time=Sep 13 2016 22:51:07 dest_ip=10.183.59.41 dst_geo=untu dest_port=5676 device_product=ven device_vendor=con device_version=1.7491 drop_reason=amnih errdefs_msgno=ium errdefs_msg_name=esciuntN flow_id=idunt ip_protocol=udp severity=low partition_name=rQu route_domain=oremeu sa_translation_pool=laudant sa_translation_type=isnost source_ip=10.157.18.252 src_geo=itess source_port=52 source_user=evit translated_dest_ip=10.30.133.66 translated_dest_port=1921 translated_ip_protocol=velitse translated_route_domain=oditem translated_source_ip=10.243.218.215 translated_source_port=662 translated_vlan=rsitvolu vlan=3751 -sumdolor meaqueip npr4414.api.localdomain boNem ess ipisci [F5@gitsed acl_policy_name=tqu acl_policy_type=reprehen acl_rule_name=trumexer action=Accept hostname=quid3147.mail.home bigip_mgmt_ip=10.66.181.6 context_name=epre context_type=tobeata date_time=Sep 28 2016 05:53:42 dest_ip=10.181.53.249 dst_geo=iduntu dest_port=1655 device_product=temUt device_vendor=avol device_version=1.752 drop_reason=essequam errdefs_msgno=acommo errdefs_msg_name=nturma flow_id=str ip_protocol=ipv6 severity=high partition_name=etur route_domain=itecto sa_translation_pool=reetdol sa_translation_type=totamre source_ip=10.148.161.250 src_geo=ciadeser source_port=6135 source_user=adipisc translated_dest_ip=10.181.133.187 translated_dest_port=1079 translated_ip_protocol=aquioffi translated_route_domain=tamet translated_source_ip=10.167.227.44 translated_source_port=6595 translated_vlan=eFi vlan=6733 -its ender riamea1540.www.host seq tutlab sau [F5@atevelit acl_policy_name=meius acl_policy_type=billo acl_rule_name=labo action=Reject 
hostname=umdolo1029.mail.localhost bigip_mgmt_ip=10.54.17.32 context_name=orumSe context_type=ratv date_time=Oct 12 2016 12:56:16 dest_ip=10.119.81.180 dst_geo=psaquaea dest_port=1348 device_product=nts device_vendor=siut device_version=1.5663 drop_reason=ano errdefs_msgno=piscinge errdefs_msg_name=tvol flow_id=velitess ip_protocol=ipv6 severity=high partition_name=uunturm route_domain=temUte sa_translation_pool=sit sa_translation_type=olab source_ip=10.84.163.178 src_geo=ima source_port=2031 source_user=mquisno translated_dest_ip=10.107.9.163 translated_dest_port=5433 translated_ip_protocol=eacommod translated_route_domain=ctetura translated_source_ip=10.74.11.43 translated_source_port=55 translated_vlan=seosqui vlan=6797 -uradi tot llamco7206.www.home oremagna ncididun umSe [F5@xeacomm acl_policy_name=cinge acl_policy_type=itla acl_rule_name=iamquis action=Accept hostname=lorsita2019.internal.home bigip_mgmt_ip=10.192.229.221 context_name=ect context_type=modocons date_time=Oct 26 2016 19:58:50 dest_ip=10.199.194.188 dst_geo=odoconse dest_port=228 device_product=quatu device_vendor=veli device_version=1.5726 drop_reason=nonp errdefs_msgno=labo errdefs_msg_name=ulapar flow_id=aboreetd ip_protocol=igmp severity=low partition_name=llitanim route_domain=invo sa_translation_pool=hit sa_translation_type=urv source_ip=10.112.32.213 src_geo=runtmol source_port=1749 source_user=odi translated_dest_ip=10.184.73.211 translated_dest_port=6540 translated_ip_protocol=esseci translated_route_domain=tametcon translated_source_ip=10.230.129.252 translated_source_port=3947 translated_vlan=isis vlan=4917 -utlab emUteni rum959.host velillu cteturad bor [F5@rauto acl_policy_name=ationev acl_policy_type=umdolor acl_rule_name=uaUten action=Reject hostname=paquioff624.mail.invalid bigip_mgmt_ip=10.161.148.64 context_name=ibusBon context_type=ven date_time=Nov 10 2016 03:01:24 dest_ip=10.162.114.217 dst_geo=doloreme dest_port=60 device_product=onemulla device_vendor=evitaed 
device_version=1.1721 drop_reason=suntin errdefs_msgno=itse errdefs_msg_name=umexerc flow_id=oremipsu ip_protocol=ipv6-icmp severity=medium partition_name=amco route_domain=ssecillu sa_translation_pool=liqua sa_translation_type=olo source_ip=10.199.216.143 src_geo=fdeF source_port=593 source_user=ccaeca translated_dest_ip=10.198.213.189 translated_dest_port=5024 translated_ip_protocol=remagn translated_route_domain=mquae translated_source_ip=10.7.200.140 translated_source_port=3298 translated_vlan=olupt vlan=2189 -edquiac urerepr eseru4234.mail.example qua rsita ate [F5@ipsamvo acl_policy_name=onula acl_policy_type=miu acl_rule_name=rationev action=Reject hostname=mex2054.mail.corp bigip_mgmt_ip=10.65.232.27 context_name=ica context_type=lillum date_time=Nov 24 2016 10:03:59 dest_ip=10.199.40.38 dst_geo=taedicta dest_port=3409 device_product=poriss device_vendor=tvolup device_version=1.1000 drop_reason=siu errdefs_msgno=snost errdefs_msg_name=tpersp flow_id=llamc ip_protocol=tcp severity=very-high partition_name=mvel route_domain=nof sa_translation_pool=usmodi sa_translation_type=mvolu source_ip=10.206.96.56 src_geo=aincidu source_port=2687 source_user=uaeab translated_dest_ip=10.128.157.27 translated_dest_port=1493 translated_ip_protocol=etdolor translated_route_domain=lupta translated_source_ip=10.22.187.69 translated_source_port=3590 translated_vlan=oremi vlan=1485 -nbyCi tevel usc5760.www5.localdomain cab atisund xea [F5@ites acl_policy_name=isetq acl_policy_type=iutali acl_rule_name=velite action=Closed hostname=avolupt7576.api.corp bigip_mgmt_ip=10.194.210.62 context_name=porincid context_type=atisetqu date_time=Dec 08 2016 17:06:33 dest_ip=10.51.213.42 dst_geo=dipisci dest_port=3449 device_product=ilmol device_vendor=eri device_version=1.3104 drop_reason=ueipsa errdefs_msgno=tae errdefs_msg_name=autodit flow_id=elit ip_protocol=udp severity=high partition_name=plica route_domain=ore sa_translation_pool=quidolor sa_translation_type=inven 
source_ip=10.71.114.14 src_geo=itsedd source_port=3010 source_user=admin translated_dest_ip=10.68.253.120 translated_dest_port=481 translated_ip_protocol=est translated_route_domain=uptatemU translated_source_ip=10.183.130.225 translated_source_port=5693 translated_vlan=item vlan=2738 -dat periam dqu6144.api.localhost dutpers erun orisn [F5@reetd acl_policy_name=prehen acl_policy_type=ntutlabo acl_rule_name=iusmodte action=Established hostname=loi7596.www5.home bigip_mgmt_ip=10.31.177.226 context_name=deserun context_type=esseq date_time=Dec 23 2016 00:09:07 dest_ip=10.209.157.8 dst_geo=giatquov dest_port=1918 device_product=enderi device_vendor=ptatem device_version=1.341 drop_reason=fugi errdefs_msgno=labo errdefs_msg_name=nostrud flow_id=gnaal ip_protocol=ggp severity=medium partition_name=cupi route_domain=tame sa_translation_pool=atione sa_translation_type=lores source_ip=10.45.253.103 src_geo=uii source_port=5923 source_user=remagn translated_dest_ip=10.47.255.237 translated_dest_port=2311 translated_ip_protocol=uuntur translated_route_domain=enderit translated_source_ip=10.107.45.175 translated_source_port=4185 translated_vlan=rumSecti vlan=4593 -atise tate onevo4326.internal.local isnost olorem ido [F5@emqu acl_policy_name=riss acl_policy_type=iquamqua acl_rule_name=sit action=Reject hostname=nsequat1971.internal.invalid bigip_mgmt_ip=10.225.212.189 context_name=mven context_type=olorsit date_time=Jan 06 2017 07:11:41 dest_ip=10.121.239.183 dst_geo=illu dest_port=4875 device_product=turadip device_vendor=tatevel device_version=1.1607 drop_reason=ptassita errdefs_msgno=its errdefs_msg_name=lore flow_id=idol ip_protocol=igmp severity=high partition_name=isn route_domain=sBono sa_translation_pool=loremqu sa_translation_type=tetur source_ip=10.213.94.135 src_geo=tMal source_port=2607 source_user=dquia translated_dest_ip=10.55.105.113 translated_dest_port=3214 translated_ip_protocol=tatione translated_route_domain=nimveni translated_source_ip=10.44.58.106 
translated_source_port=1241 translated_vlan=quid vlan=4814 -eporroq ulla iqu4614.www5.example abore squ uiadol [F5@Duisa acl_policy_name=lupta acl_policy_type=aUt acl_rule_name=boNem action=Reject hostname=ectiono2241.lan bigip_mgmt_ip=10.2.114.9 context_name=rehende context_type=velillu date_time=Jan 20 2017 14:14:16 dest_ip=10.94.139.127 dst_geo=mUten dest_port=1812 device_product=quidolor device_vendor=oqu device_version=1.51 drop_reason=tlaboree errdefs_msgno=norumet errdefs_msg_name=dtempo flow_id=tin ip_protocol=tcp severity=high partition_name=imad route_domain=tinvolup sa_translation_pool=tsed sa_translation_type=inv source_ip=10.163.209.70 src_geo=atu source_port=4718 source_user=olabor translated_dest_ip=10.69.161.78 translated_dest_port=1282 translated_ip_protocol=iruredol translated_route_domain=incidid translated_source_ip=10.255.74.136 translated_source_port=5902 translated_vlan=eaqueips vlan=6396 -volupta dmi untexpl2847.www5.local eiusmod emoe uiinea [F5@mnisiut acl_policy_name=avolu acl_policy_type=Except acl_rule_name=olup action=Closed hostname=umetMal1664.mail.lan bigip_mgmt_ip=10.46.115.216 context_name=equun context_type=sitvo date_time=Feb 03 2017 21:16:50 dest_ip=10.223.198.146 dst_geo=iciad dest_port=7874 device_product=mad device_vendor=onse device_version=1.380 drop_reason=mipsum errdefs_msgno=lmo errdefs_msg_name=aliquamq flow_id=dtempori ip_protocol=rdp severity=medium partition_name=voluptat route_domain=ugit sa_translation_pool=tatem sa_translation_type=metcons source_ip=10.252.102.110 src_geo=henderit source_port=7829 source_user=perspici translated_dest_ip=10.184.59.148 translated_dest_port=6933 translated_ip_protocol=queips translated_route_domain=midest translated_source_ip=10.12.129.137 translated_source_port=721 translated_vlan=orroqu vlan=472 -labore uela ntexplic4824.internal.localhost dolorsit archite remq [F5@veniamq acl_policy_name=occ acl_policy_type=oloreseo acl_rule_name=iruredol action=Established 
hostname=derit5270.mail.local bigip_mgmt_ip=10.105.52.140 context_name=ntexpl context_type=dunt date_time=Feb 18 2017 04:19:24 dest_ip=10.20.55.199 dst_geo=nder dest_port=3238 device_product=itanim device_vendor=nesciun device_version=1.1729 drop_reason=mollita errdefs_msgno=tatem errdefs_msg_name=iae flow_id=quido ip_protocol=ipv6-icmp severity=very-high partition_name=inBC route_domain=mol sa_translation_pool=tur sa_translation_type=ictas source_ip=10.81.184.7 src_geo=saquaea source_port=6344 source_user=eetd translated_dest_ip=10.155.204.243 translated_dest_port=459 translated_ip_protocol=lorsi translated_route_domain=repreh translated_source_ip=10.199.194.79 translated_source_port=7713 translated_vlan=illumqui vlan=3414 -amali ate idolor3916.www5.home tas autfugi tasun [F5@duntutla acl_policy_name=ntium acl_policy_type=iration acl_rule_name=umwritte action=Closed hostname=orisni5238.mail.lan bigip_mgmt_ip=10.177.238.45 context_name=iumt context_type=tsed date_time=Mar 04 2017 11:21:59 dest_ip=10.249.120.78 dst_geo=unte dest_port=893 device_product=ueipsa device_vendor=scipitl device_version=1.1453 drop_reason=aparia errdefs_msgno=tatnon errdefs_msg_name=leumiur flow_id=tetura ip_protocol=ggp severity=very-high partition_name=oluptat route_domain=metco sa_translation_pool=acom sa_translation_type=ceroinB source_ip=10.110.2.166 src_geo=exeacomm source_port=79 source_user=taliqui translated_dest_ip=10.18.226.72 translated_dest_port=5140 translated_ip_protocol=olupta translated_route_domain=tsuntinc translated_source_ip=10.251.231.142 translated_source_port=872 translated_vlan=urExcep vlan=102 -suntex iacons occaec7487.corp quaeab fici imve [F5@quide acl_policy_name=quaU acl_policy_type=undeomni acl_rule_name=accusa action=Established hostname=iutali7297.www.domain bigip_mgmt_ip=10.190.122.27 context_name=mporainc context_type=xea date_time=Mar 18 2017 18:24:33 dest_ip=10.123.113.152 dst_geo=billo dest_port=2618 device_product=radipisc device_vendor=Cice 
device_version=1.6332 drop_reason=vitaed errdefs_msgno=ser errdefs_msg_name=etconsec flow_id=elillum ip_protocol=tcp severity=high partition_name=rnat route_domain=eprehend sa_translation_pool=rem sa_translation_type=edolo source_ip=10.99.202.229 src_geo=eosquira source_port=4392 source_user=lloinven translated_dest_ip=10.100.199.226 translated_dest_port=7617 translated_ip_protocol=apariatu translated_route_domain=lorsita translated_source_ip=10.192.98.247 translated_source_port=4308 translated_vlan=temaccu vlan=5302 -uptassit ncidi tlabori4803.www5.local oconse mag tob [F5@dolores acl_policy_name=equamnih acl_policy_type=taliqui acl_rule_name=eiu action=Drop hostname=orumw5960.www5.home bigip_mgmt_ip=10.248.111.207 context_name=dolor context_type=tiumto date_time=Apr 02 2017 01:27:07 dest_ip=10.38.28.151 dst_geo=nrepreh dest_port=5251 device_product=equep device_vendor=ever device_version=1.6463 drop_reason=atq errdefs_msgno=erspi errdefs_msg_name=iqu flow_id=niamqu ip_protocol=rdp severity=medium partition_name=icab route_domain=sBonor sa_translation_pool=fugits sa_translation_type=mipsumqu source_ip=10.172.154.97 src_geo=admi source_port=7165 source_user=culpaq translated_dest_ip=10.162.97.197 translated_dest_port=4357 translated_ip_protocol=tcupida translated_route_domain=isa translated_source_ip=10.37.193.70 translated_source_port=170 translated_vlan=tesseq vlan=7693 -pernat rerepre nculpaq3821.www5.invalid billoinv sci col [F5@obea acl_policy_name=emp acl_policy_type=agnaaliq acl_rule_name=est action=Reject hostname=oinv5493.internal.domain bigip_mgmt_ip=10.36.63.31 context_name=nisiu context_type=imad date_time=Apr 16 2017 08:29:41 dest_ip=10.30.101.79 dst_geo=itasp dest_port=4927 device_product=sitametc device_vendor=onsequa device_version=1.3912 drop_reason=ntmo errdefs_msgno=loreeu errdefs_msg_name=temse flow_id=aspernat ip_protocol=ipv6 severity=very-high partition_name=caecat route_domain=rautod sa_translation_pool=olest sa_translation_type=eataev 
source_ip=10.171.221.230 src_geo=edquia source_port=1977 source_user=otamr translated_dest_ip=10.222.165.250 translated_dest_port=2757 translated_ip_protocol=amvolu translated_route_domain=mip translated_source_ip=10.45.35.180 translated_source_port=653 translated_vlan=maccusa vlan=7248 -nimad ataevita oremqu542.internal.localhost uteir boree isn [F5@ulla acl_policy_name=equatDu acl_policy_type=pta acl_rule_name=enbyCi action=Reject hostname=tnonproi195.api.home bigip_mgmt_ip=10.238.4.219 context_name=uide context_type=scivel date_time=Apr 30 2017 15:32:16 dest_ip=10.150.9.246 dst_geo=meumfugi dest_port=7010 device_product=emaperia device_vendor=Section device_version=1.4329 drop_reason=iame errdefs_msgno=orroquis errdefs_msg_name=aquio flow_id=riatu ip_protocol=udp severity=low partition_name=tanimid route_domain=isnostru sa_translation_pool=nofdeFi sa_translation_type=aquioff source_ip=10.1.171.61 src_geo=amnisi source_port=7258 source_user=reetdolo translated_dest_ip=10.199.127.211 translated_dest_port=3598 translated_ip_protocol=ilmole translated_route_domain=ugi translated_source_ip=10.83.238.145 translated_source_port=5392 translated_vlan=emveleum vlan=3661 -nde abillo undeom845.www5.example quaer eetdo tlab [F5@spernatu acl_policy_name=exercita acl_policy_type=sBonorum acl_rule_name=atems action=Drop hostname=edictasu5362.internal.localhost bigip_mgmt_ip=10.65.141.244 context_name=turmag context_type=ipsaqu date_time=May 14 2017 22:34:50 dest_ip=10.203.69.36 dst_geo=quira dest_port=3091 device_product=ore device_vendor=tation device_version=1.3789 drop_reason=porincid errdefs_msgno=tperspic errdefs_msg_name=equu flow_id=sintoc ip_protocol=rdp severity=very-high partition_name=tetura route_domain=riosamni sa_translation_pool=icta sa_translation_type=luptate source_ip=10.170.252.219 src_geo=iqui source_port=1978 source_user=Nequepo translated_dest_ip=10.44.226.104 translated_dest_port=7020 translated_ip_protocol=nse translated_route_domain=veniam 
translated_source_ip=10.74.213.42 translated_source_port=5922 translated_vlan=sse vlan=2498 -inBCSe otamrem tutlabor4180.internal.host consecte pteurs catcupi [F5@autf acl_policy_name=saqu acl_policy_type=uptat acl_rule_name=unt action=Reject hostname=uido492.www5.home bigip_mgmt_ip=10.180.48.221 context_name=lors context_type=aconsequ date_time=May 29 2017 05:37:24 dest_ip=10.33.195.166 dst_geo=sequat dest_port=4596 device_product=utemvel device_vendor=epteur device_version=1.2965 drop_reason=iusm errdefs_msgno=roi errdefs_msg_name=busBonor flow_id=stquido ip_protocol=igmp severity=high partition_name=mnisi route_domain=usmo sa_translation_pool=iamea sa_translation_type=imaveni source_ip=10.183.223.149 src_geo=cor source_port=2648 source_user=nihil translated_dest_ip=10.225.255.211 translated_dest_port=5595 translated_ip_protocol=citati translated_route_domain=uamei translated_source_ip=10.225.141.172 translated_source_port=956 translated_vlan=fugiatn vlan=3309 -aaliq nat uovolupt307.internal.host serror onse umquam [F5@emagn acl_policy_name=emulla acl_policy_type=mips acl_rule_name=itae action=Established hostname=redo6311.api.invalid bigip_mgmt_ip=10.176.64.28 context_name=olup context_type=remipsu date_time=Jun 12 2017 12:39:58 dest_ip=10.92.6.176 dst_geo=mcorpor dest_port=7420 device_product=autfugit device_vendor=emUte device_version=1.7612 drop_reason=nturmag errdefs_msgno=tura errdefs_msg_name=osquirat flow_id=equat ip_protocol=tcp severity=high partition_name=usantiu route_domain=idunt sa_translation_pool=atqu sa_translation_type=naturau source_ip=10.97.138.181 src_geo=oluptat source_port=7128 source_user=eseruntm translated_dest_ip=10.205.174.181 translated_dest_port=766 translated_ip_protocol=olor translated_route_domain=etquasia translated_source_ip=10.169.123.103 translated_source_port=519 translated_vlan=uisa vlan=6863 -Cicero evolupta teturadi4718.api.local piscivel hend eacommo [F5@ueip acl_policy_name=maliqu acl_policy_type=iati acl_rule_name=minim 
action=Established hostname=dolorem1698.www.domain bigip_mgmt_ip=10.75.120.11 context_name=urau context_type=etur date_time=Jun 26 2017 19:42:33 dest_ip=10.20.73.247 dst_geo=laborum dest_port=5749 device_product=xeac device_vendor=umdolors device_version=1.4226 drop_reason=uiadolo errdefs_msgno=empor errdefs_msg_name=umexerci flow_id=duntut ip_protocol=ggp severity=very-high partition_name=prehend route_domain=eufug sa_translation_pool=roquisq sa_translation_type=temporai source_ip=10.53.101.131 src_geo=ici source_port=5097 source_user=tquo translated_dest_ip=10.204.4.40 translated_dest_port=271 translated_ip_protocol=sitvo translated_route_domain=ine translated_source_ip=10.169.101.161 translated_source_port=4577 translated_vlan=ipi vlan=4211 -exerci idata ese4384.mail.domain rumexerc isiutali iquidexe [F5@illumq acl_policy_name=luptatem acl_policy_type=ite acl_rule_name=tasnul action=Reject hostname=evitae7333.www.lan bigip_mgmt_ip=10.28.51.219 context_name=ess context_type=quiad date_time=Jul 11 2017 02:45:07 dest_ip=10.43.210.236 dst_geo=litanim dest_port=2135 device_product=orsitam device_vendor=modico device_version=1.2990 drop_reason=itatio errdefs_msgno=porinc errdefs_msg_name=riame flow_id=riat ip_protocol=udp severity=very-high partition_name=eriam route_domain=pernat sa_translation_pool=udan sa_translation_type=archi source_ip=10.6.222.112 src_geo=aliqu source_port=780 source_user=onsequu translated_dest_ip=10.156.117.169 translated_dest_port=2939 translated_ip_protocol=agnamal translated_route_domain=quei translated_source_ip=10.87.120.87 translated_source_port=1636 translated_vlan=teni vlan=4967 -dant etdolor uat7787.www.host iti nimadm nculp [F5@asp acl_policy_name=eacom acl_policy_type=mag acl_rule_name=gelitse action=Drop hostname=arc2412.mail.lan bigip_mgmt_ip=10.247.44.59 context_name=eiusmo context_type=ainc date_time=Jul 25 2017 09:47:41 dest_ip=10.173.129.72 dst_geo=ecill dest_port=6831 device_product=snu device_vendor=inibusB 
device_version=1.388 drop_reason=texplica errdefs_msgno=oco errdefs_msg_name=aboree flow_id=ainci ip_protocol=udp severity=high partition_name=pariatur route_domain=uames sa_translation_pool=umtotamr sa_translation_type=mquido source_ip=10.57.89.155 src_geo=rur source_port=3553 source_user=ntorever translated_dest_ip=10.253.167.17 translated_dest_port=2990 translated_ip_protocol=seos translated_route_domain=exercita translated_source_ip=10.4.126.103 translated_source_port=892 translated_vlan=tco vlan=3607 -oluptate lit santi837.api.domain turadip dip idolo [F5@Ute acl_policy_name=ptassita acl_policy_type=caecatcu acl_rule_name=inBC action=Established hostname=olorsi2746.internal.localhost bigip_mgmt_ip=10.15.240.220 context_name=teir context_type=quep date_time=Aug 08 2017 16:50:15 dest_ip=10.63.78.66 dst_geo=xeac dest_port=7061 device_product=abor device_vendor=oreverit device_version=1.6451 drop_reason=reetdo errdefs_msgno=tat errdefs_msg_name=eufugia flow_id=ncididun ip_protocol=tcp severity=medium partition_name=periamea route_domain=itametco sa_translation_pool=vel sa_translation_type=quunt source_ip=10.248.206.210 src_geo=nonn source_port=4478 source_user=met translated_dest_ip=10.36.69.125 translated_dest_port=7157 translated_ip_protocol=entsu translated_route_domain=conse translated_source_ip=10.143.183.208 translated_source_port=5214 translated_vlan=umwri vlan=4057 -atura tur tur5914.internal.invalid tassita colabori imidestl [F5@piscing acl_policy_name=ceroi acl_policy_type=iconsequ acl_rule_name=iat action=Established hostname=edqu2208.www.localhost bigip_mgmt_ip=10.6.32.7 context_name=exerci context_type=inesciu date_time=Aug 22 2017 23:52:50 dest_ip=10.141.216.14 dst_geo=emu dest_port=5311 device_product=psa device_vendor=ate device_version=1.4386 drop_reason=fugitse errdefs_msgno=minimve errdefs_msg_name=serrorsi flow_id=tametco ip_protocol=ipv6-icmp severity=high partition_name=lore route_domain=isci sa_translation_pool=Dui sa_translation_type=reetdo 
source_ip=10.69.170.107 src_geo=iumtotam source_port=1010 source_user=ipitlabo translated_dest_ip=10.34.133.2 translated_dest_port=4807 translated_ip_protocol=nderi translated_route_domain=liqua translated_source_ip=10.142.186.43 translated_source_port=4691 translated_vlan=sautei vlan=2363 -voluptas velill rspic5453.www.local meum borumSec aecatcup [F5@snisiut acl_policy_name=siar acl_policy_type=quas acl_rule_name=occaeca action=Closed hostname=ender5647.www5.example bigip_mgmt_ip=10.142.22.24 context_name=ulamc context_type=cept date_time=Sep 06 2017 06:55:24 dest_ip=10.93.88.228 dst_geo=rchitect dest_port=3402 device_product=gna device_vendor=ici device_version=1.2026 drop_reason=olu errdefs_msgno=iameaque errdefs_msg_name=identsun flow_id=ender ip_protocol=ipv6 severity=low partition_name=tect route_domain=uiad sa_translation_pool=doconse sa_translation_type=eni source_ip=10.121.153.197 src_geo=smoditem source_port=6593 source_user=borumSec translated_dest_ip=10.59.103.10 translated_dest_port=768 translated_ip_protocol=oquisq translated_route_domain=abori translated_source_ip=10.170.165.164 translated_source_port=505 translated_vlan=uiineavo vlan=5554 -uidexeac sequa ntsunti2313.internal.invalid uinesc cid emi [F5@Bonorum acl_policy_name=lesti acl_policy_type=oreseo acl_rule_name=reprehen action=Established hostname=sis3986.internal.lan bigip_mgmt_ip=10.133.10.122 context_name=texplic context_type=edutp date_time=Sep 20 2017 13:57:58 dest_ip=10.93.59.189 dst_geo=eserun dest_port=3034 device_product=eniamqu device_vendor=inimav device_version=1.1576 drop_reason=imadm errdefs_msgno=uta errdefs_msg_name=tisu flow_id=remagnam ip_protocol=icmp severity=low partition_name=meiusm route_domain=nidolo sa_translation_pool=atquovol sa_translation_type=quunt source_ip=10.247.114.30 src_geo=olesti source_port=7584 source_user=quaeabil translated_dest_ip=10.19.99.129 translated_dest_port=956 translated_ip_protocol=itesse translated_route_domain=iamqui 
translated_source_ip=10.176.83.7 translated_source_port=5908 translated_vlan=inim vlan=6806 -Sed oremeumf lesti5921.api.localhost enima tnulapar ico [F5@giatquo acl_policy_name=lors acl_policy_type=its acl_rule_name=dolor action=Drop hostname=uatu2894.api.lan bigip_mgmt_ip=10.64.139.17 context_name=pro context_type=ice date_time=Oct 04 2017 21:00:32 dest_ip=10.87.238.169 dst_geo=conse dest_port=5351 device_product=mcol device_vendor=lup device_version=1.3824 drop_reason=upta errdefs_msgno=sedquian errdefs_msg_name=cti flow_id=rumSecti ip_protocol=rdp severity=medium partition_name=eca route_domain=oluptate sa_translation_pool=Duisa sa_translation_type=consequa source_ip=10.40.177.138 src_geo=aevitaed source_port=1082 source_user=rep translated_dest_ip=10.8.29.219 translated_dest_port=6890 translated_ip_protocol=quaeratv translated_route_domain=involu translated_source_ip=10.70.7.23 translated_source_port=2758 translated_vlan=amcolab vlan=4306 -odic iuta liquaUte209.internal.test olores scipit lloinve [F5@borisnis acl_policy_name=onorumet acl_policy_type=ptatema acl_rule_name=eavolup action=Closed hostname=rmagnido5483.local bigip_mgmt_ip=10.180.62.222 context_name=ptatev context_type=atu date_time=Oct 19 2017 04:03:07 dest_ip=10.234.26.132 dst_geo=msequ dest_port=2383 device_product=mwritten device_vendor=tat device_version=1.6066 drop_reason=osa errdefs_msgno=mini errdefs_msg_name=rors flow_id=ssusci ip_protocol=udp severity=medium partition_name=inimve route_domain=uio sa_translation_pool=mexercit sa_translation_type=byC source_ip=10.2.189.20 src_geo=orin source_port=535 source_user=uptasnul translated_dest_ip=10.67.221.220 translated_dest_port=239 translated_ip_protocol=aedict translated_route_domain=niamqui translated_source_ip=10.67.173.228 translated_source_port=5767 translated_vlan=tatemse vlan=4493 -uamestqu mpor orem6479.api.host seq rumSe tatnonp [F5@ommo acl_policy_name=adeser acl_policy_type=uasiarc acl_rule_name=doeiu action=Reject 
hostname=uian521.www.example bigip_mgmt_ip=10.209.52.47 context_name=imven context_type=onnumqua date_time=Nov 02 2017 11:05:41 dest_ip=10.141.201.173 dst_geo=upt dest_port=6017 device_product=itautfu device_vendor=nesci device_version=1.5040 drop_reason=mquis errdefs_msgno=lorsi errdefs_msg_name=tetura flow_id=eeufug ip_protocol=ipv6 severity=medium partition_name=tevelite route_domain=tocca sa_translation_pool=orsitvol sa_translation_type=ntor source_ip=10.147.127.181 src_geo=minimav source_port=6994 source_user=tasu translated_dest_ip=10.56.134.118 translated_dest_port=358 translated_ip_protocol=evo translated_route_domain=mcorpori translated_source_ip=10.196.176.243 translated_source_port=3465 translated_vlan=orsitam vlan=4991 -prehende lup tpers2217.internal.lan nula tdolorem qui [F5@olupt acl_policy_name=nemulla acl_policy_type=asp acl_rule_name=dexercit action=Closed hostname=taliq5213.api.corp bigip_mgmt_ip=10.226.24.84 context_name=ectobea context_type=dat date_time=Nov 16 2017 18:08:15 dest_ip=10.91.18.221 dst_geo=aut dest_port=5596 device_product=uames device_vendor=tconsec device_version=1.7604 drop_reason=oll errdefs_msgno=laboree errdefs_msg_name=udantiu flow_id=itametco ip_protocol=ipv6 severity=very-high partition_name=odico route_domain=rsint sa_translation_pool=itl sa_translation_type=ttenb source_ip=10.231.18.90 src_geo=lapa source_port=4860 source_user=Nem translated_dest_ip=10.85.13.237 translated_dest_port=4072 translated_ip_protocol=upidata translated_route_domain=ici translated_source_ip=10.248.140.59 translated_source_port=5760 translated_vlan=ident vlan=4293 -quelaud luptat rinrep6482.api.lan nimv emeu tatemac [F5@quisn acl_policy_name=rem acl_policy_type=ulamcola acl_rule_name=remagnaa action=Accept hostname=ntsunt4894.mail.domain bigip_mgmt_ip=10.203.46.215 context_name=mcorpori context_type=orisn date_time=Dec 01 2017 01:10:49 dest_ip=10.88.194.242 dst_geo=mco dest_port=6246 device_product=itame device_vendor=tenat device_version=1.5407 
drop_reason=yCiceroi errdefs_msgno=nostrum errdefs_msg_name=orroquis flow_id=eumi ip_protocol=icmp severity=low partition_name=aea route_domain=tvolu sa_translation_pool=dutper sa_translation_type=tlaboru source_ip=10.207.183.204 src_geo=equuntu source_port=2673 source_user=eruntmo translated_dest_ip=10.8.224.72 translated_dest_port=6506 translated_ip_protocol=ion translated_route_domain=rured translated_source_ip=10.59.215.207 translated_source_port=6195 translated_vlan=ore vlan=5842 -xerc Nequep ametcon7485.www.test rro tuser ctasu [F5@irat acl_policy_name=sitame acl_policy_type=oinven acl_rule_name=natu action=Drop hostname=mexer3864.api.corp bigip_mgmt_ip=10.98.154.146 context_name=nula context_type=ameaquei date_time=Dec 15 2017 08:13:24 dest_ip=10.72.114.116 dst_geo=mquis dest_port=7760 device_product=olupta device_vendor=isno device_version=1.6814 drop_reason=ine errdefs_msgno=aeco errdefs_msg_name=rinrepr flow_id=dutp ip_protocol=ipv6-icmp severity=very-high partition_name=giatqu route_domain=rsint sa_translation_pool=rsi sa_translation_type=paq source_ip=10.73.84.95 src_geo=uisautem source_port=6701 source_user=sitam translated_dest_ip=10.255.145.22 translated_dest_port=6949 translated_ip_protocol=emUtenim translated_route_domain=ende translated_source_ip=10.230.38.148 translated_source_port=3213 translated_vlan=sse vlan=368 -incidi aedictas rumetMa2554.domain unt liq abore [F5@iumdo acl_policy_name=oreeu acl_policy_type=mea acl_rule_name=ssec action=Accept hostname=oluptat6960.www5.test bigip_mgmt_ip=10.211.29.187 context_name=ptat context_type=meaquei date_time=Dec 29 2017 15:15:58 dest_ip=10.228.204.249 dst_geo=eleumi dest_port=4584 device_product=porissus device_vendor=imip device_version=1.7160 drop_reason=ddoe errdefs_msgno=uptateve errdefs_msg_name=ured flow_id=ctetu ip_protocol=tcp severity=low partition_name=uasiarch route_domain=Malor sa_translation_pool=boriosa sa_translation_type=cillumdo source_ip=10.166.142.198 src_geo=oremipsu 
source_port=465 source_user=tium translated_dest_ip=10.105.120.162 translated_dest_port=2984 translated_ip_protocol=etc translated_route_domain=eturadip translated_source_ip=10.175.181.138 translated_source_port=3787 translated_vlan=tassitas vlan=1495 -velite maccus nima5813.mail.example iarchit sBonorum moenimi [F5@lor acl_policy_name=auto acl_policy_type=rsinto acl_rule_name=ati action=Established hostname=fugiatnu2498.www.localhost bigip_mgmt_ip=10.182.213.195 context_name=tconse context_type=eumf date_time=Jan 12 2018 22:18:32 dest_ip=10.200.94.145 dst_geo=doconse dest_port=5211 device_product=uis device_vendor=lill device_version=1.6057 drop_reason=imi errdefs_msgno=animi errdefs_msg_name=edutpers flow_id=pisci ip_protocol=tcp severity=very-high partition_name=umto route_domain=xercit sa_translation_pool=lam sa_translation_type=asnu source_ip=10.122.133.162 src_geo=eriam source_port=4838 source_user=aquae translated_dest_ip=10.220.202.102 translated_dest_port=10 translated_ip_protocol=iaturE translated_route_domain=epor translated_source_ip=10.195.139.25 translated_source_port=5566 translated_vlan=tper vlan=4341 -tconsect pariat iutal3376.api.corp isi idexeac ntu [F5@tdolo acl_policy_name=nimve acl_policy_type=duntut acl_rule_name=emporin action=Reject hostname=ptat3230.domain bigip_mgmt_ip=10.156.208.5 context_name=tlaboru context_type=tec date_time=Jan 27 2018 05:21:06 dest_ip=10.9.69.13 dst_geo=uatD dest_port=6508 device_product=antium device_vendor=remaper device_version=1.3297 drop_reason=ntNequ errdefs_msgno=anim errdefs_msg_name=uae flow_id=ata ip_protocol=tcp severity=very-high partition_name=paq route_domain=emipsumq sa_translation_pool=culpaq sa_translation_type=quamq source_ip=10.53.72.161 src_geo=pta source_port=4723 source_user=scip translated_dest_ip=10.33.143.163 translated_dest_port=5404 translated_ip_protocol=iusmodi translated_route_domain=esciun translated_source_ip=10.247.144.9 translated_source_port=2494 translated_vlan=lit vlan=4112 
-oidentsu oditau onsec1632.internal.lan lup aeca isau [F5@giat acl_policy_name=ttenb acl_policy_type=eirure acl_rule_name=boreetd action=Closed hostname=exer447.internal.localhost bigip_mgmt_ip=10.35.190.164 context_name=radipis context_type=lore date_time=Feb 10 2018 12:23:41 dest_ip=10.76.99.144 dst_geo=eufugia dest_port=2345 device_product=pariat device_vendor=nimip device_version=1.2476 drop_reason=usci errdefs_msgno=unturmag errdefs_msg_name=dexeaco flow_id=lupta ip_protocol=ggp severity=very-high partition_name=oreeufug route_domain=Quisa sa_translation_pool=quiav sa_translation_type=ctionofd source_ip=10.21.58.162 src_geo=uisautei source_port=7881 source_user=porin translated_dest_ip=10.241.143.145 translated_dest_port=6151 translated_ip_protocol=ecillum translated_route_domain=olor translated_source_ip=10.113.65.192 translated_source_port=7807 translated_vlan=conseq vlan=6079 -edutpers ctobeat upta4358.home orem inibus secte [F5@ctobeat acl_policy_name=onsec acl_policy_type=idestl acl_rule_name=litani action=Closed hostname=itanimi1934.home bigip_mgmt_ip=10.19.154.103 context_name=ittenb context_type=tobeatae date_time=Feb 24 2018 19:26:15 dest_ip=10.235.51.61 dst_geo=exe dest_port=1872 device_product=cia device_vendor=idolo device_version=1.768 drop_reason=pitlabo errdefs_msgno=tas errdefs_msg_name=rcitat flow_id=ree ip_protocol=tcp severity=very-high partition_name=quipexea route_domain=orsitv sa_translation_pool=dunt sa_translation_type=int source_ip=10.53.27.253 src_geo=temveleu source_port=3599 source_user=luptat translated_dest_ip=10.75.113.240 translated_dest_port=1874 translated_ip_protocol=ionulam translated_route_domain=auto translated_source_ip=10.129.16.166 translated_source_port=5141 translated_vlan=ntocca vlan=5439 -tvol lup mipsamv161.local ionula pexeaco temaccu [F5@uamqua acl_policy_name=Neq acl_policy_type=runt acl_rule_name=xcep action=Established hostname=pteurs1031.mail.corp bigip_mgmt_ip=10.125.150.220 context_name=lumquid 
context_type=eturadip date_time=Mar 11 2018 02:28:49 dest_ip=10.241.228.95 dst_geo=equ dest_port=7256 device_product=ssequamn device_vendor=ave device_version=1.5812 drop_reason=edquia errdefs_msgno=ihi errdefs_msg_name=undeomn flow_id=ape ip_protocol=rdp severity=medium partition_name=ari route_domain=umtot sa_translation_pool=onemulla sa_translation_type=atquo source_ip=10.120.50.13 src_geo=issu source_port=4426 source_user=inculpa translated_dest_ip=10.150.153.61 translated_dest_port=2773 translated_ip_protocol=loremagn translated_route_domain=acons translated_source_ip=10.22.213.196 translated_source_port=7230 translated_vlan=emoenimi vlan=1864 -mqu onorume abill5290.lan mini mve tionev [F5@uasiarch acl_policy_name=velites acl_policy_type=uredolor acl_rule_name=epreh action=Accept hostname=edquiaco6562.api.lan bigip_mgmt_ip=10.113.2.13 context_name=rudexerc context_type=nturm date_time=Mar 25 2018 09:31:24 dest_ip=10.182.134.109 dst_geo=dquia dest_port=5334 device_product=bori device_vendor=dipi device_version=1.7232 drop_reason=utf errdefs_msgno=dolor errdefs_msg_name=dexe flow_id=nemul ip_protocol=igmp severity=low partition_name=lupt route_domain=quatur sa_translation_pool=dminim sa_translation_type=ptatevel source_ip=10.85.52.249 src_geo=eirured source_port=3772 source_user=tatiset translated_dest_ip=10.238.171.184 translated_dest_port=2574 translated_ip_protocol=duntutl translated_route_domain=nven translated_source_ip=10.229.155.171 translated_source_port=6978 translated_vlan=asiarch vlan=7121 -utla deomni tse7542.test nesciu todit utaliqui [F5@emse acl_policy_name=emqui acl_policy_type=cipitla acl_rule_name=tlab action=Accept hostname=tatis7315.mail.home bigip_mgmt_ip=10.249.174.35 context_name=umfu context_type=utla date_time=Apr 08 2018 16:33:58 dest_ip=10.136.53.201 dst_geo=dolo dest_port=6418 device_product=samvol device_vendor=equa device_version=1.536 drop_reason=strumex errdefs_msgno=tessecil errdefs_msg_name=ugia flow_id=reprehe ip_protocol=udp 
severity=medium partition_name=umq route_domain=sistena sa_translation_pool=qui sa_translation_type=caboN source_ip=10.198.150.185 src_geo=catcupid source_port=3167 source_user=quela translated_dest_ip=10.51.245.225 translated_dest_port=3991 translated_ip_protocol=enimi translated_route_domain=illum translated_source_ip=10.220.1.249 translated_source_port=4200 translated_vlan=Sedut vlan=7832 -audant obeata uredol2348.www5.host entorev quuntur olup [F5@aeab acl_policy_name=uradipis acl_policy_type=aerat acl_rule_name=les action=Drop hostname=eosqui3723.api.localdomain bigip_mgmt_ip=10.152.157.32 context_name=ali context_type=udexerci date_time=Apr 22 2018 23:36:32 dest_ip=10.76.232.245 dst_geo=osqu dest_port=4859 device_product=aborio device_vendor=rve device_version=1.219 drop_reason=nbyCi errdefs_msgno=runtmoll errdefs_msg_name=busBon flow_id=norumetM ip_protocol=udp severity=low partition_name=usBono route_domain=ameaq sa_translation_pool=Quis sa_translation_type=lupta source_ip=10.251.82.195 src_geo=umiure source_port=5186 source_user=olorese translated_dest_ip=10.190.96.181 translated_dest_port=2153 translated_ip_protocol=culp translated_route_domain=deomn translated_source_ip=10.38.185.31 translated_source_port=1085 translated_vlan=llo vlan=1106 -tla iaconseq sed3235.www5.localhost pidatatn isno luptatev [F5@occaeca acl_policy_name=dan acl_policy_type=pta acl_rule_name=upt action=Drop hostname=itaedict199.mail.corp bigip_mgmt_ip=10.103.102.242 context_name=labore context_type=lorem date_time=May 07 2018 06:39:06 dest_ip=10.68.159.207 dst_geo=eratv dest_port=7206 device_product=estq device_vendor=quasiarc device_version=1.6526 drop_reason=liq errdefs_msgno=xerc errdefs_msg_name=atisetqu flow_id=squir ip_protocol=icmp severity=very-high partition_name=quam route_domain=deriti sa_translation_pool=edictasu sa_translation_type=eturadi source_ip=10.190.247.194 src_geo=mSecti source_port=4210 source_user=tDuisaut translated_dest_ip=10.230.112.179 
translated_dest_port=5926 translated_ip_protocol=vol translated_route_domain=ita translated_source_ip=10.211.198.50 translated_source_port=7510 translated_vlan=nibusB vlan=5555 -amremap oremagna aqu4475.mail.invalid serrorsi tsedquia rsit [F5@quis acl_policy_name=upidatat acl_policy_type=mod acl_rule_name=niamqui action=Closed hostname=xeaco7887.www.localdomain bigip_mgmt_ip=10.47.223.155 context_name=ugitsed context_type=dminimve date_time=May 21 2018 13:41:41 dest_ip=10.111.137.84 dst_geo=uiac dest_port=7838 device_product=tot device_vendor=reme device_version=1.7750 drop_reason=loremi errdefs_msgno=queporro errdefs_msg_name=tur flow_id=eFi ip_protocol=ipv6-icmp severity=medium partition_name=ulapari route_domain=eporroq sa_translation_pool=uunturm sa_translation_type=iatn source_ip=10.219.83.199 src_geo=diduntut source_port=1321 source_user=ectetur translated_dest_ip=10.101.13.122 translated_dest_port=6737 translated_ip_protocol=nibusBo translated_route_domain=volup translated_source_ip=10.251.101.61 translated_source_port=5153 translated_vlan=scipit vlan=6495 -tore isni tamrema736.www5.lan ntiumdol conse aturve [F5@edqui acl_policy_name=tvolu acl_policy_type=psu acl_rule_name=strud action=Closed hostname=saute7421.www.invalid bigip_mgmt_ip=10.21.80.157 context_name=tiumtot context_type=tate date_time=Jun 04 2018 20:44:15 dest_ip=10.13.222.177 dst_geo=inBCSed dest_port=6353 device_product=Loremip device_vendor=taliqui device_version=1.5568 drop_reason=ipsaquae errdefs_msgno=olu errdefs_msg_name=exerci flow_id=isnostru ip_protocol=tcp severity=very-high partition_name=ngelits route_domain=volupt sa_translation_pool=billoi sa_translation_type=reseo source_ip=10.31.86.83 src_geo=pariat source_port=6646 source_user=litsed translated_dest_ip=10.21.30.43 translated_dest_port=4754 translated_ip_protocol=lorem translated_route_domain=iamquisn translated_source_ip=10.83.136.233 translated_source_port=6643 translated_vlan=imadm vlan=3187 -lumdol edutper 
utemve6966.mail.local emoen ptate mipsumqu [F5@turad acl_policy_name=dol acl_policy_type=ntutla acl_rule_name=des action=Accept hostname=oluptas1637.home bigip_mgmt_ip=10.195.90.73 context_name=ipisc context_type=iatnulap date_time=Jun 19 2018 03:46:49 dest_ip=10.170.155.137 dst_geo=uine dest_port=1815 device_product=veniamqu device_vendor=iconsequ device_version=1.5445 drop_reason=apa errdefs_msgno=archite errdefs_msg_name=tur flow_id=ddo ip_protocol=ipv6 severity=high partition_name=inBC route_domain=did sa_translation_pool=atcupi sa_translation_type=eriti source_ip=10.45.152.205 src_geo=rema source_port=5107 source_user=datatn translated_dest_ip=10.194.197.107 translated_dest_port=2524 translated_ip_protocol=tur translated_route_domain=itation translated_source_ip=10.27.181.27 translated_source_port=5509 translated_vlan=uredo vlan=2155 -use catcu quame922.internal.host eursi liquid ulapari [F5@ibus acl_policy_name=isu acl_policy_type=moll acl_rule_name=roinBCS action=Drop hostname=ididu5505.api.localdomain bigip_mgmt_ip=10.43.239.97 context_name=modi context_type=cip date_time=Jul 03 2018 10:49:23 dest_ip=10.60.60.164 dst_geo=iscive dest_port=5527 device_product=incididu device_vendor=yCice device_version=1.508 drop_reason=ionem errdefs_msgno=taevitae errdefs_msg_name=dminimv flow_id=quam ip_protocol=tcp severity=low partition_name=umdol route_domain=rerepr sa_translation_pool=ipiscin sa_translation_type=trudexe source_ip=10.222.2.132 src_geo=umdo source_port=6187 source_user=aedicta translated_dest_ip=10.129.161.18 translated_dest_port=782 translated_ip_protocol=umquiad translated_route_domain=porinc translated_source_ip=10.183.90.25 translated_source_port=5038 translated_vlan=conse vlan=2563 -dolo reeufu umexe5208.local suntex uptatema uteiru [F5@rcitati acl_policy_name=siutali acl_policy_type=uiratio acl_rule_name=ficia action=Closed hostname=mqui1099.api.corp bigip_mgmt_ip=10.231.167.171 context_name=onorumet context_type=illoinve date_time=Jul 17 2018 
17:51:58 dest_ip=10.188.254.168 dst_geo=nevolup dest_port=3706 device_product=lor device_vendor=ica device_version=1.4479 drop_reason=sumd errdefs_msgno=elitse errdefs_msg_name=olu flow_id=temqu ip_protocol=rdp severity=very-high partition_name=nesci route_domain=meaquei sa_translation_pool=snisiu sa_translation_type=atem source_ip=10.189.162.131 src_geo=litsed source_port=6019 source_user=sedquia translated_dest_ip=10.67.129.100 translated_dest_port=7106 translated_ip_protocol=mmodicon translated_route_domain=eosquir translated_source_ip=10.248.156.138 translated_source_port=2125 translated_vlan=smodit vlan=3090 -dun xce dol5403.www.localhost asiar eiu maliquam [F5@gnama acl_policy_name=ursintoc acl_policy_type=minimve acl_rule_name=eprehe action=Reject hostname=siuta2155.lan bigip_mgmt_ip=10.63.103.30 context_name=ill context_type=imveniam date_time=Aug 01 2018 00:54:32 dest_ip=10.36.29.127 dst_geo=umqui dest_port=1757 device_product=sci device_vendor=isquames device_version=1.2927 drop_reason=tlabor errdefs_msgno=itecto errdefs_msg_name=loreeuf flow_id=orainci ip_protocol=icmp severity=low partition_name=aev route_domain=uelaudan sa_translation_pool=lab sa_translation_type=sequa source_ip=10.6.146.184 src_geo=rrorsi source_port=7247 source_user=sequu translated_dest_ip=10.185.107.27 translated_dest_port=2257 translated_ip_protocol=mips translated_route_domain=iduntutl translated_source_ip=10.142.106.66 translated_source_port=3790 translated_vlan=quelauda vlan=289 -dolo ulamc doe344.www5.local toreve squirat llum [F5@dol acl_policy_name=niam acl_policy_type=atio acl_rule_name=sno action=Established hostname=tatiset4191.localdomain bigip_mgmt_ip=10.214.93.200 context_name=dtempor context_type=rroquisq date_time=Aug 15 2018 07:57:06 dest_ip=10.215.63.248 dst_geo=uidex dest_port=1203 device_product=lloi device_vendor=nseq device_version=1.4023 drop_reason=isetqua errdefs_msgno=ianonn errdefs_msg_name=oluptas flow_id=doe ip_protocol=udp severity=very-high 
partition_name=rchitect route_domain=orsitame sa_translation_pool=tasn sa_translation_type=exeaco source_ip=10.93.39.237 src_geo=aincidu source_port=232 source_user=tionofd translated_dest_ip=10.0.202.9 translated_dest_port=7451 translated_ip_protocol=nvolup translated_route_domain=ommodic translated_source_ip=10.119.179.182 translated_source_port=7255 translated_vlan=undeo vlan=7696 -uiinea uianonn eavolupt784.www5.example liquam sinto edi [F5@eumiure acl_policy_name=ore acl_policy_type=adeser acl_rule_name=mSe action=Drop hostname=aute2433.mail.lan bigip_mgmt_ip=10.252.204.162 context_name=tiae context_type=giat date_time=Aug 29 2018 14:59:40 dest_ip=10.115.77.51 dst_geo=mcorpor dest_port=2433 device_product=ostru device_vendor=mea device_version=1.5939 drop_reason=iquipex errdefs_msgno=byCice errdefs_msg_name=deritq flow_id=boreetdo ip_protocol=ipv6-icmp severity=medium partition_name=iin route_domain=nostr sa_translation_pool=luptatem sa_translation_type=tNequepo source_ip=10.28.145.163 src_geo=sper source_port=72 source_user=imadmin translated_dest_ip=10.123.154.140 translated_dest_port=2551 translated_ip_protocol=mSect translated_route_domain=iure translated_source_ip=10.30.189.166 translated_source_port=2749 translated_vlan=aer vlan=3422 -roquis mremape ude2977.www.corp rmagnido exeaco dqu [F5@ccaec acl_policy_name=repreh acl_policy_type=imven acl_rule_name=usan action=Accept hostname=idolo6535.internal.example bigip_mgmt_ip=10.46.162.198 context_name=snulap context_type=onsequat date_time=Sep 12 2018 22:02:15 dest_ip=10.166.128.248 dst_geo=pariatur dest_port=7435 device_product=tura device_vendor=equuntur device_version=1.6564 drop_reason=uaera errdefs_msgno=mqua errdefs_msg_name=xer flow_id=utlabore ip_protocol=ipv6-icmp severity=very-high partition_name=beataevi route_domain=amquisn sa_translation_pool=itquii sa_translation_type=imaven source_ip=10.145.128.250 src_geo=nder source_port=5641 source_user=eni translated_dest_ip=10.79.49.3 
translated_dest_port=7794 translated_ip_protocol=psamvolu translated_route_domain=teturad translated_source_ip=10.29.122.183 translated_source_port=6166 translated_vlan=tla vlan=6146 -modtempo edict nost3250.internal.localdomain nibu quatur isiutali [F5@mdolo acl_policy_name=nof acl_policy_type=usantiu acl_rule_name=periam action=Closed hostname=one7728.api.localdomain bigip_mgmt_ip=10.177.232.136 context_name=obe context_type=niamqu date_time=Sep 27 2018 05:04:49 dest_ip=10.140.59.161 dst_geo=smoditem dest_port=575 device_product=tev device_vendor=oNemoeni device_version=1.3341 drop_reason=elillumq errdefs_msgno=loremeum errdefs_msg_name=luptatem flow_id=ing ip_protocol=tcp severity=very-high partition_name=riameaqu route_domain=etd sa_translation_pool=omnisi sa_translation_type=dolor source_ip=10.166.169.167 src_geo=ati source_port=1544 source_user=olors translated_dest_ip=10.65.174.196 translated_dest_port=472 translated_ip_protocol=iin translated_route_domain=uteiru translated_source_ip=10.142.235.217 translated_source_port=5846 translated_vlan=orain vlan=2663 -llu quaUt labor7147.internal.host ten vitae tse [F5@gni acl_policy_name=per acl_policy_type=tione acl_rule_name=nibus action=Established hostname=uptatem4446.internal.localhost bigip_mgmt_ip=10.29.217.44 context_name=eacommod context_type=tali date_time=Oct 11 2018 12:07:23 dest_ip=10.131.223.198 dst_geo=orisnisi dest_port=4342 device_product=eritquii device_vendor=atevelit device_version=1.325 drop_reason=enat errdefs_msgno=ionula errdefs_msg_name=itaed flow_id=invol ip_protocol=rdp severity=low partition_name=cidun route_domain=tassitas sa_translation_pool=nimadmi sa_translation_type=dipisci source_ip=10.215.184.154 src_geo=nor source_port=3306 source_user=iarc translated_dest_ip=10.191.78.86 translated_dest_port=6355 translated_ip_protocol=uiac translated_route_domain=squ translated_source_ip=10.53.188.140 translated_source_port=6455 translated_vlan=ten vlan=2937 -isciveli ntutlab sitamet452.domain 
nsequ ing ollita [F5@dipisci acl_policy_name=amnisiu acl_policy_type=ptat acl_rule_name=epr action=Drop hostname=emq2514.api.localhost bigip_mgmt_ip=10.135.77.156 context_name=uraut context_type=non date_time=Oct 25 2018 19:09:57 dest_ip=10.248.182.188 dst_geo=turad dest_port=2537 device_product=nBCSe device_vendor=ollita device_version=1.3567 drop_reason=eni errdefs_msgno=quipe errdefs_msg_name=oluptat flow_id=stenatus ip_protocol=ggp severity=very-high partition_name=iaecon route_domain=ect sa_translation_pool=tquid sa_translation_type=seru source_ip=10.76.148.147 src_geo=remagna source_port=1121 source_user=urve translated_dest_ip=10.46.222.149 translated_dest_port=3304 translated_ip_protocol=squ translated_route_domain=emagnaal translated_source_ip=10.74.74.129 translated_source_port=5904 translated_vlan=itati vlan=3497 -rinc tno meumf4052.invalid pitlabo riamea Malorumw [F5@consect acl_policy_name=issu acl_policy_type=tconsect acl_rule_name=tationem action=Drop hostname=agna5654.www.corp bigip_mgmt_ip=10.96.200.223 context_name=iatisun context_type=cto date_time=Nov 09 2018 02:12:32 dest_ip=10.3.228.220 dst_geo=imadmini dest_port=3791 device_product=oeiusm device_vendor=aUtenim device_version=1.1186 drop_reason=isu errdefs_msgno=ute errdefs_msg_name=tdolore flow_id=madminim ip_protocol=igmp severity=very-high partition_name=prehen route_domain=ate sa_translation_pool=ull sa_translation_type=enimipsa source_ip=10.130.203.37 src_geo=quisnos source_port=2132 source_user=mvele translated_dest_ip=10.11.146.253 translated_dest_port=3581 translated_ip_protocol=remeum translated_route_domain=temseq translated_source_ip=10.145.49.29 translated_source_port=2464 translated_vlan=sedquia vlan=4912 -ntmo aliqu iqu4429.www5.lan doconse volupta ptat [F5@oreverit acl_policy_name=nimides acl_policy_type=remipsum acl_rule_name=elit action=Drop hostname=ipi4827.mail.lan bigip_mgmt_ip=10.162.78.48 context_name=lab context_type=sedqui date_time=Nov 23 2018 09:15:06 
dest_ip=10.243.157.94 dst_geo=epteu dest_port=5744 device_product=tura device_vendor=mquiavol device_version=1.6845 drop_reason=eabil errdefs_msgno=ibusB errdefs_msg_name=rporis flow_id=etco ip_protocol=ipv6 severity=very-high partition_name=ereprehe route_domain=olu sa_translation_pool=nofdeF sa_translation_type=riaturEx source_ip=10.24.23.209 src_geo=itautfu source_port=1503 source_user=rumwr translated_dest_ip=10.162.2.180 translated_dest_port=3889 translated_ip_protocol=mporain translated_route_domain=ectetur translated_source_ip=10.48.75.140 translated_source_port=1837 translated_vlan=ineavol vlan=5182 -onproid sitv equam3114.test mcorp uelaud aperiam [F5@ngelit acl_policy_name=quiano acl_policy_type=sund acl_rule_name=iaconse action=Drop hostname=sequatD163.internal.example bigip_mgmt_ip=10.151.206.38 context_name=oloremi context_type=luptate date_time=Dec 07 2018 16:17:40 dest_ip=10.38.57.217 dst_geo=rur dest_port=5543 device_product=imidest device_vendor=oeiusmod device_version=1.419 drop_reason=psumqui errdefs_msgno=eddoeiu errdefs_msg_name=oinvento flow_id=mips ip_protocol=udp severity=medium partition_name=corpor route_domain=amvolu sa_translation_pool=ent sa_translation_type=ionemu source_ip=10.66.92.83 src_geo=orinrep source_port=2549 source_user=nproide translated_dest_ip=10.119.12.186 translated_dest_port=5674 translated_ip_protocol=qui translated_route_domain=nemullam translated_source_ip=10.97.105.115 translated_source_port=3576 translated_vlan=squir vlan=3987 -umqu umet psaquaea5284.internal.example upt giatquo toccaec [F5@nihilmo acl_policy_name=atquo acl_policy_type=umetMa acl_rule_name=ngelitse action=Accept hostname=itamet1303.invalid bigip_mgmt_ip=10.12.148.73 context_name=eius context_type=evo date_time=Dec 21 2018 23:20:14 dest_ip=10.10.44.34 dst_geo=volupt dest_port=61 device_product=eosqu device_vendor=reetdolo device_version=1.7551 drop_reason=sten errdefs_msgno=enderi errdefs_msg_name=labore flow_id=uasiarch ip_protocol=igmp 
severity=very-high partition_name=magnama route_domain=reprehe sa_translation_pool=citatio sa_translation_type=dolo source_ip=10.201.132.114 src_geo=eetd source_port=6058 source_user=borisnis translated_dest_ip=10.64.76.142 translated_dest_port=7083 translated_ip_protocol=temse translated_route_domain=samvo translated_source_ip=10.169.139.250 translated_source_port=1374 translated_vlan=nostrume vlan=5035 -tatevel itin tam942.api.host iut leumiur deser [F5@boris acl_policy_name=ris acl_policy_type=nisiuta acl_rule_name=utper action=Drop hostname=epr3512.internal.domain bigip_mgmt_ip=10.9.236.18 context_name=iumdo context_type=exe date_time=Jan 05 2019 06:22:49 dest_ip=10.152.7.48 dst_geo=giatnula dest_port=71 device_product=enimadmi device_vendor=qui device_version=1.5292 drop_reason=aecon errdefs_msgno=sedq errdefs_msg_name=olo flow_id=sperna ip_protocol=udp severity=very-high partition_name=conseq route_domain=upta sa_translation_pool=eturadi sa_translation_type=cinge source_ip=10.111.128.11 src_geo=niamq source_port=5336 source_user=umfug translated_dest_ip=10.35.38.185 translated_dest_port=7077 translated_ip_protocol=labor translated_route_domain=Sec translated_source_ip=10.200.116.191 translated_source_port=3068 translated_vlan=nsecte vlan=5790 -uianonnu por nve894.lan turadip ataev eFinib [F5@atione acl_policy_name=xcepte acl_policy_type=gnaa acl_rule_name=tio action=Reject hostname=uredol2174.home bigip_mgmt_ip=10.191.27.182 context_name=tMalo context_type=urautod date_time=Jan 19 2019 13:25:23 dest_ip=10.114.60.159 dst_geo=rese dest_port=5302 device_product=rissusci device_vendor=quaturve device_version=1.5991 drop_reason=tisunde errdefs_msgno=ende errdefs_msg_name=quidolor flow_id=lloin ip_protocol=igmp severity=high partition_name=proiden route_domain=moenimip sa_translation_pool=tat sa_translation_type=tate source_ip=10.236.67.227 src_geo=ern source_port=881 source_user=tlabo translated_dest_ip=10.134.238.8 translated_dest_port=2976 
translated_ip_protocol=aqua translated_route_domain=edquiac translated_source_ip=10.240.62.238 translated_source_port=1251 translated_vlan=olo vlan=5926 -ali Nequepor aUten4127.internal.lan apariatu mnisis onsequa [F5@sunt acl_policy_name=orumSe acl_policy_type=olupta acl_rule_name=emveleum action=Drop hostname=ididunt7607.mail.localhost bigip_mgmt_ip=10.165.66.92 context_name=isq context_type=eacommo date_time=Feb 02 2019 20:27:57 dest_ip=10.244.171.198 dst_geo=nimad dest_port=7814 device_product=asi device_vendor=tobe device_version=1.6837 drop_reason=Lore errdefs_msgno=oin errdefs_msg_name=eritquii flow_id=taliqui ip_protocol=ipv6-icmp severity=very-high partition_name=entoreve route_domain=ion sa_translation_pool=exeaco sa_translation_type=tate source_ip=10.109.14.142 src_geo=sitas source_port=6036 source_user=perna translated_dest_ip=10.65.35.64 translated_dest_port=2748 translated_ip_protocol=irur translated_route_domain=risnisiu translated_source_ip=10.22.231.91 translated_source_port=2652 translated_vlan=equepor vlan=897 -ugiatn utpe hend1170.www5.lan ptateve aliqua officiad [F5@nimadmin acl_policy_name=iavol acl_policy_type=roq acl_rule_name=iumtota action=Reject hostname=inimav5557.www5.test bigip_mgmt_ip=10.71.112.86 context_name=olor context_type=emoenim date_time=Feb 17 2019 03:30:32 dest_ip=10.57.64.102 dst_geo=rume dest_port=7667 device_product=inibusBo device_vendor=tqui device_version=1.99 drop_reason=citat errdefs_msgno=prehende errdefs_msg_name=vitaedic flow_id=remip ip_protocol=ggp severity=high partition_name=rehe route_domain=aper sa_translation_pool=gnaa sa_translation_type=tam source_ip=10.64.161.215 src_geo=modi source_port=4869 source_user=rnatur translated_dest_ip=10.29.230.203 translated_dest_port=6579 translated_ip_protocol=abi translated_route_domain=inimaven translated_source_ip=10.89.221.90 translated_source_port=5835 translated_vlan=entoreve vlan=4612 -roqu dquia ommod142.www.home ptate oloreeu imipsa [F5@iscinge acl_policy_name=ora 
acl_policy_type=meumfug acl_rule_name=inimve action=Closed hostname=nonn1650.www.test bigip_mgmt_ip=10.88.226.76 context_name=ptas context_type=iadolo date_time=Mar 03 2019 10:33:06 dest_ip=10.217.197.29 dst_geo=aliquide dest_port=7187 device_product=tinv device_vendor=iar device_version=1.5232 drop_reason=mquela errdefs_msgno=urm errdefs_msg_name=con flow_id=aeabil ip_protocol=udp severity=low partition_name=edicta route_domain=itaspern sa_translation_pool=tau sa_translation_type=rcit source_ip=10.79.208.135 src_geo=rehende source_port=3688 source_user=erspic translated_dest_ip=10.221.199.137 translated_dest_port=6430 translated_ip_protocol=quipe translated_route_domain=evita translated_source_ip=10.140.118.182 translated_source_port=4566 translated_vlan=nia vlan=7548 -npro boriosa sundeo3076.internal.test Nequepor turQ tod [F5@rsitame acl_policy_name=nsectetu acl_policy_type=untexpli acl_rule_name=smo action=Reject hostname=acons3940.api.lan bigip_mgmt_ip=10.133.48.55 context_name=lab context_type=ela date_time=Mar 17 2019 17:35:40 dest_ip=10.134.141.37 dst_geo=oreve dest_port=2538 device_product=tali device_vendor=quamnih device_version=1.2492 drop_reason=reprehen errdefs_msgno=Exce errdefs_msg_name=tocca flow_id=tinvolu ip_protocol=ipv6 severity=low partition_name=iumt route_domain=mad sa_translation_pool=mpor sa_translation_type=eddoei source_ip=10.35.73.208 src_geo=dolo source_port=6552 source_user=tia translated_dest_ip=10.126.61.230 translated_dest_port=2068 translated_ip_protocol=dolor translated_route_domain=emUteni translated_source_ip=10.189.244.22 translated_source_port=734 translated_vlan=rinre vlan=6425 -ident uatur dquiaco2756.home uiine mve dolorema [F5@ditautf acl_policy_name=uisnostr acl_policy_type=oditautf acl_rule_name=nula action=Established hostname=suscipit587.www.localhost bigip_mgmt_ip=10.81.154.115 context_name=ita context_type=aeratvol date_time=Apr 01 2019 00:38:14 dest_ip=10.194.94.1 dst_geo=ostr dest_port=575 device_product=boreetd 
device_vendor=ueporro device_version=1.4044 drop_reason=oluptat errdefs_msgno=olors errdefs_msg_name=mSecti flow_id=ius ip_protocol=icmp severity=very-high partition_name=xerci route_domain=qua sa_translation_pool=iaecons sa_translation_type=pteurs source_ip=10.35.65.72 src_geo=veni source_port=3387 source_user=reseo translated_dest_ip=10.239.194.105 translated_dest_port=3629 translated_ip_protocol=isnos translated_route_domain=ntin translated_source_ip=10.240.94.109 translated_source_port=5437 translated_vlan=ono vlan=573 -consequ ine hend3901.www.localdomain nsecte miurere tat [F5@pitlabor acl_policy_name=upi acl_policy_type=olupta acl_rule_name=ape action=Established hostname=mnisiut6146.internal.local bigip_mgmt_ip=10.52.70.192 context_name=empor context_type=ate date_time=Apr 15 2019 07:40:49 dest_ip=10.234.254.96 dst_geo=obeatae dest_port=2042 device_product=orem device_vendor=dquian device_version=1.2307 drop_reason=uis errdefs_msgno=emagnaal errdefs_msg_name=uunturm flow_id=nonnumq ip_protocol=ggp severity=very-high partition_name=ntocca route_domain=emquelau sa_translation_pool=adolorsi sa_translation_type=lupt source_ip=10.38.253.213 src_geo=ncidu source_port=3369 source_user=ionem translated_dest_ip=10.248.72.104 translated_dest_port=7485 translated_ip_protocol=cusan translated_route_domain=ivelit translated_source_ip=10.150.56.227 translated_source_port=4686 translated_vlan=isnost vlan=4697 -urQu idol fici312.api.host eri pitlab riosamn [F5@Malo acl_policy_name=onse acl_policy_type=enatuse acl_rule_name=veritat action=Reject hostname=borios1067.www5.home bigip_mgmt_ip=10.218.15.164 context_name=ntNeque context_type=magnidol date_time=Apr 29 2019 14:43:23 dest_ip=10.56.60.3 dst_geo=aaliq dest_port=2143 device_product=gel device_vendor=modt device_version=1.2031 drop_reason=mvolu errdefs_msgno=agn errdefs_msg_name=eritinvo flow_id=aliq ip_protocol=rdp severity=very-high partition_name=uisautei route_domain=labor sa_translation_pool=ihilmol 
sa_translation_type=scinge source_ip=10.62.218.239 src_geo=yCiceroi source_port=166 source_user=reh translated_dest_ip=10.73.172.186 translated_dest_port=3510 translated_ip_protocol=itte translated_route_domain=niamquis translated_source_ip=10.203.193.134 translated_source_port=6251 translated_vlan=riosa vlan=7445 -ore ptatema poriss2289.localdomain luptat ficiad saquaea [F5@archi acl_policy_name=caboNe acl_policy_type=ptate acl_rule_name=enimips action=Established hostname=msequ323.www.example bigip_mgmt_ip=10.60.20.76 context_name=seq context_type=uae date_time=May 13 2019 21:45:57 dest_ip=10.244.241.67 dst_geo=quaeabi dest_port=5701 device_product=ost device_vendor=mave device_version=1.2555 drop_reason=aev errdefs_msgno=uovolup errdefs_msg_name=tMaloru flow_id=rum ip_protocol=ipv6-icmp severity=very-high partition_name=ptassita route_domain=ionemul sa_translation_pool=orema sa_translation_type=its source_ip=10.10.46.43 src_geo=stiaec source_port=7346 source_user=nev translated_dest_ip=10.136.211.234 translated_dest_port=4126 translated_ip_protocol=lamcor translated_route_domain=rorsitv translated_source_ip=10.131.127.113 translated_source_port=853 translated_vlan=iamqu vlan=1324 -mwrit dminimve madminim5473.mail.example reeuf orinrepr tinvo [F5@oru acl_policy_name=ainc acl_policy_type=aeab acl_rule_name=iat action=Closed hostname=tdolorem813.internal.host bigip_mgmt_ip=10.50.177.151 context_name=rsitam context_type=aliqui date_time=May 28 2019 04:48:31 dest_ip=10.206.65.159 dst_geo=fdeFini dest_port=1295 device_product=eetdolo device_vendor=issuscip device_version=1.3291 drop_reason=tqu errdefs_msgno=rinc errdefs_msg_name=hender flow_id=sBonor ip_protocol=rdp severity=high partition_name=ercitati route_domain=lapa sa_translation_pool=enia sa_translation_type=atis source_ip=10.233.181.250 src_geo=isiuta source_port=2868 source_user=ugiatq translated_dest_ip=10.187.237.220 translated_dest_port=7744 translated_ip_protocol=eumfu translated_route_domain=remap 
translated_source_ip=10.248.0.74 translated_source_port=6349 translated_vlan=tru vlan=2520 -isautem eiusm assit1598.www5.invalid archite eruntm iades [F5@mremape acl_policy_name=nimad acl_policy_type=ionemu acl_rule_name=nul action=Established hostname=volupt4626.internal.test bigip_mgmt_ip=10.189.43.11 context_name=asper context_type=eeu date_time=Jun 11 2019 11:51:06 dest_ip=10.193.169.102 dst_geo=olab dest_port=629 device_product=olore device_vendor=mSecti device_version=1.2859 drop_reason=idid errdefs_msgno=ela errdefs_msg_name=fugits flow_id=litseddo ip_protocol=igmp severity=medium partition_name=ptasn route_domain=amrem sa_translation_pool=umdolor sa_translation_type=iamq source_ip=10.248.248.120 src_geo=ationemu source_port=1282 source_user=iatn translated_dest_ip=10.96.223.46 translated_dest_port=3654 translated_ip_protocol=pern translated_route_domain=ptasn translated_source_ip=10.80.129.81 translated_source_port=4827 translated_vlan=tat vlan=5084 -eruntmo lumdolo urmagnid2749.api.host imip taspe siutaliq [F5@turadipi acl_policy_name=tMalo acl_policy_type=veni acl_rule_name=rspi action=Closed hostname=ntium5103.www5.localhost bigip_mgmt_ip=10.66.106.186 context_name=uatD context_type=reh date_time=Jun 25 2019 18:53:40 dest_ip=10.36.14.238 dst_geo=metco dest_port=4740 device_product=ilmoles device_vendor=xeaco device_version=1.1910 drop_reason=ccaecat errdefs_msgno=radip errdefs_msg_name=secil flow_id=totamr ip_protocol=udp severity=very-high partition_name=iciat route_domain=uira sa_translation_pool=orio sa_translation_type=mseq source_ip=10.102.109.199 src_geo=iono source_port=2061 source_user=tNequ translated_dest_ip=10.173.114.63 translated_dest_port=5877 translated_ip_protocol=tatisetq translated_route_domain=eabilloi translated_source_ip=10.91.115.139 translated_source_port=412 translated_vlan=eroi vlan=2077 -riatur amrema illum2978.internal.home rumetMa entor urere [F5@involu acl_policy_name=qui acl_policy_type=aliqu acl_rule_name=sita action=Drop 
hostname=orpori3334.www.local bigip_mgmt_ip=10.198.157.122 context_name=ncu context_type=quatu date_time=Jul 10 2019 01:56:14 dest_ip=10.239.90.72 dst_geo=iratio dest_port=7700 device_product=its device_vendor=agn device_version=1.3690 drop_reason=ntmo errdefs_msgno=iur errdefs_msg_name=aboNemo flow_id=tsedquia ip_protocol=udp severity=very-high partition_name=tatiset route_domain=enim sa_translation_pool=gnido sa_translation_type=iamq source_ip=10.159.155.88 src_geo=uisa source_port=7034 source_user=iquipex translated_dest_ip=10.0.175.17 translated_dest_port=5236 translated_ip_protocol=tempori translated_route_domain=sedquian translated_source_ip=10.221.223.127 translated_source_port=2687 translated_vlan=ira vlan=3007 -idolor umdo sequatu7142.internal.corp ipsaqu asun rsitam [F5@magn acl_policy_name=amcola acl_policy_type=eumiurer acl_rule_name=umf action=Established hostname=equu7361.www5.localdomain bigip_mgmt_ip=10.30.20.187 context_name=rsinto context_type=nonnumqu date_time=Jul 24 2019 08:58:48 dest_ip=10.103.47.100 dst_geo=chitect dest_port=5316 device_product=fug device_vendor=ulpaq device_version=1.6302 drop_reason=piscivel errdefs_msgno=ueporr errdefs_msg_name=udex flow_id=ipexeac ip_protocol=tcp severity=low partition_name=isci route_domain=archi sa_translation_pool=rsitame sa_translation_type=qui source_ip=10.7.212.201 src_geo=ion source_port=949 source_user=ugiat translated_dest_ip=10.252.136.130 translated_dest_port=5601 translated_ip_protocol=expl translated_route_domain=animi translated_source_ip=10.189.70.237 translated_source_port=1457 translated_vlan=tnul vlan=24 -radip amremap dolorsit64.www.local uredo uamni nisi [F5@onsecte acl_policy_name=iono acl_policy_type=secillum acl_rule_name=sequatD action=Established hostname=tse2979.internal.localhost bigip_mgmt_ip=10.242.121.165 context_name=aut context_type=eriti date_time=Aug 07 2019 16:01:23 dest_ip=10.88.229.78 dst_geo=imadmi dest_port=2642 device_product=tevelite device_vendor=cto 
device_version=1.2037 drop_reason=mquiado errdefs_msgno=agn errdefs_msg_name=dip flow_id=urmag ip_protocol=tcp severity=high partition_name=laboreet route_domain=tutlabo sa_translation_pool=incid sa_translation_type=der source_ip=10.83.105.69 src_geo=usm source_port=2153 source_user=mni translated_dest_ip=10.102.109.194 translated_dest_port=2324 translated_ip_protocol=nor translated_route_domain=saut translated_source_ip=10.60.224.93 translated_source_port=1508 translated_vlan=deomnis vlan=354 -tla nimve edutpe1255.internal.lan nimadm cepte paquioff [F5@ictasun acl_policy_name=iumto acl_policy_type=ciun acl_rule_name=prehe action=Accept hostname=uisnostr2390.mail.domain bigip_mgmt_ip=10.251.167.219 context_name=eaco context_type=oremeu date_time=Aug 21 2019 23:03:57 dest_ip=10.14.251.18 dst_geo=tenbyCi dest_port=4371 device_product=citation device_vendor=spernatu device_version=1.7314 drop_reason=giatq errdefs_msgno=tion errdefs_msg_name=tNeque flow_id=uidolore ip_protocol=rdp severity=medium partition_name=usB route_domain=magnaali sa_translation_pool=istenatu sa_translation_type=roqui source_ip=10.17.20.93 src_geo=eritqu source_port=4368 source_user=Uteni translated_dest_ip=10.181.134.69 translated_dest_port=551 translated_ip_protocol=norum translated_route_domain=emUten translated_source_ip=10.219.174.45 translated_source_port=4055 translated_vlan=idolo vlan=968 -mmodicon nisis edquia4523.www.host remap ntium veniamqu [F5@equat acl_policy_name=reeu acl_policy_type=atemacc acl_rule_name=rsitvolu action=Accept hostname=luptate4811.mail.example bigip_mgmt_ip=10.30.117.82 context_name=destlabo context_type=fficia date_time=Sep 05 2019 06:06:31 dest_ip=10.245.75.229 dst_geo=elaud dest_port=4916 device_product=eaqueip device_vendor=emUten device_version=1.596 drop_reason=itseddoe errdefs_msgno=iti errdefs_msg_name=evitaedi flow_id=ionulamc ip_protocol=tcp severity=high partition_name=culp route_domain=Ciceroin sa_translation_pool=aeco sa_translation_type=olores 
source_ip=10.223.99.90 src_geo=adminim source_port=4324 source_user=numqua translated_dest_ip=10.28.233.253 translated_dest_port=1159 translated_ip_protocol=mUten translated_route_domain=eursint translated_source_ip=10.37.14.20 translated_source_port=6531 translated_vlan=teurs vlan=4919 -aaliq nos uaUteni562.www.test deF dutpe tseddoei [F5@byCi acl_policy_name=odic acl_policy_type=chitecto acl_rule_name=nimadm action=Closed hostname=lites1614.www.corp bigip_mgmt_ip=10.125.20.22 context_name=olu context_type=ectet date_time=Sep 19 2019 13:09:05 dest_ip=10.121.189.113 dst_geo=tess dest_port=4686 device_product=xeacom device_vendor=adminim device_version=1.95 drop_reason=henderi errdefs_msgno=rainc errdefs_msg_name=dminim flow_id=sse ip_protocol=tcp severity=high partition_name=umexe route_domain=Sedu sa_translation_pool=tetur sa_translation_type=ern source_ip=10.50.61.114 src_geo=nvento source_port=649 source_user=qua translated_dest_ip=10.57.85.113 translated_dest_port=1024 translated_ip_protocol=itquii translated_route_domain=psu translated_source_ip=10.8.32.17 translated_source_port=3788 translated_vlan=nem vlan=5883 -sitasper agni ivelit1640.internal.lan iscive prehende volup [F5@nimi acl_policy_name=niamqu acl_policy_type=uioffi acl_rule_name=suntin action=Closed hostname=lorinrep7686.mail.corp bigip_mgmt_ip=10.200.28.55 context_name=ineavol context_type=abor date_time=Oct 03 2019 20:11:40 dest_ip=10.232.122.152 dst_geo=voluptat dest_port=1549 device_product=ipi device_vendor=lamcor device_version=1.3064 drop_reason=litesse errdefs_msgno=tam errdefs_msg_name=uovo flow_id=scivelit ip_protocol=icmp severity=low partition_name=empo route_domain=apa sa_translation_pool=colab sa_translation_type=sistenat source_ip=10.215.224.27 src_geo=Sedutper source_port=6726 source_user=ficiade translated_dest_ip=10.113.78.101 translated_dest_port=2707 translated_ip_protocol=amqua translated_route_domain=nsequatu translated_source_ip=10.181.63.82 translated_source_port=168 
translated_vlan=tse vlan=4029 -ueip amvo dolorsi306.www5.local tten erit asiarch [F5@tob acl_policy_name=tiae acl_policy_type=imipsamv acl_rule_name=doeiu action=Established hostname=nderit6272.mail.example bigip_mgmt_ip=10.177.14.106 context_name=natuser context_type=olupt date_time=Oct 18 2019 03:14:14 dest_ip=10.239.142.115 dst_geo=nsec dest_port=6720 device_product=siarchi device_vendor=etq device_version=1.4522 drop_reason=archit errdefs_msgno=nde errdefs_msg_name=tNequepo flow_id=byCicer ip_protocol=ipv6 severity=medium partition_name=ipit route_domain=tdolorem sa_translation_pool=nderitin sa_translation_type=mquiado source_ip=10.169.95.128 src_geo=reeufugi source_port=7737 source_user=ofd translated_dest_ip=10.139.20.223 translated_dest_port=114 translated_ip_protocol=porincid translated_route_domain=tisetqu translated_source_ip=10.243.43.168 translated_source_port=2110 translated_vlan=ehenderi vlan=2215 -ipsu iden oreseo1541.mail.domain boriosam lites col [F5@litsedd acl_policy_name=mnis acl_policy_type=ainci acl_rule_name=aturve action=Established hostname=ntu1279.mail.lan bigip_mgmt_ip=10.92.168.198 context_name=rume context_type=uptate date_time=Nov 01 2019 10:16:48 dest_ip=10.115.225.57 dst_geo=orsit dest_port=3315 device_product=mnis device_vendor=tametco device_version=1.7456 drop_reason=inc errdefs_msgno=rroqui errdefs_msg_name=amr flow_id=mfug ip_protocol=tcp severity=low partition_name=mid route_domain=henderi sa_translation_pool=consec sa_translation_type=dquia source_ip=10.90.93.4 src_geo=rehe source_port=3382 source_user=adminima translated_dest_ip=10.39.100.88 translated_dest_port=5195 translated_ip_protocol=lup translated_route_domain=rsi translated_source_ip=10.18.176.44 translated_source_port=7284 translated_vlan=Utenimad vlan=4305 -Bon amquisno mullam6505.www.localhost siarch oloremi ididu [F5@uov acl_policy_name=ncidid acl_policy_type=audantiu acl_rule_name=lmolest action=Reject hostname=essequam1161.domain bigip_mgmt_ip=10.49.68.8 
context_name=temUte context_type=idest date_time=Nov 15 2019 17:19:22 dest_ip=10.8.247.249 dst_geo=enimip dest_port=3957 device_product=ataevit device_vendor=ficiad device_version=1.2909 drop_reason=taspe errdefs_msgno=empori errdefs_msg_name=mipsum flow_id=tium ip_protocol=tcp severity=very-high partition_name=ota route_domain=boriosa sa_translation_pool=eprehen sa_translation_type=rehen source_ip=10.163.203.191 src_geo=exeacom source_port=2599 source_user=tlab translated_dest_ip=10.193.43.135 translated_dest_port=4650 translated_ip_protocol=iaeconse translated_route_domain=onevol translated_source_ip=10.173.13.179 translated_source_port=1211 translated_vlan=ptasn vlan=3791 -ctetur amqui itatise2264.invalid lup cipitla niam [F5@mullamc acl_policy_name=umtota acl_policy_type=ssecil acl_rule_name=xplic action=Closed hostname=cipitl2184.localdomain bigip_mgmt_ip=10.240.47.113 context_name=uisnost context_type=snul date_time=Nov 30 2019 00:21:57 dest_ip=10.191.241.249 dst_geo=Loremips dest_port=4361 device_product=tiset device_vendor=ciade device_version=1.7726 drop_reason=equ errdefs_msgno=rror errdefs_msg_name=Exce flow_id=uae ip_protocol=ggp severity=high partition_name=umdol route_domain=nseq sa_translation_pool=autodita sa_translation_type=loreme source_ip=10.84.64.28 src_geo=par source_port=3938 source_user=ull translated_dest_ip=10.209.226.7 translated_dest_port=7745 translated_ip_protocol=aeabi translated_route_domain=ore translated_source_ip=10.31.147.51 translated_source_port=7780 translated_vlan=ptate vlan=3154 -fugit dantiu ntutla1447.invalid strude rautodi Loremips [F5@mestqui acl_policy_name=tect acl_policy_type=odtem acl_rule_name=ite action=Closed hostname=item3647.home bigip_mgmt_ip=10.32.20.4 context_name=olupta context_type=dents date_time=Dec 14 2019 07:24:31 dest_ip=10.166.40.137 dst_geo=oremipsu dest_port=5644 device_product=idolor device_vendor=tionem device_version=1.292 drop_reason=oinB errdefs_msgno=tateve errdefs_msg_name=rsitvo 
flow_id=enatuser ip_protocol=tcp severity=high partition_name=sistena route_domain=reetdolo sa_translation_pool=psam sa_translation_type=litseddo source_ip=10.225.189.229 src_geo=odtem source_port=2287 source_user=odtemp translated_dest_ip=10.86.1.244 translated_dest_port=7101 translated_ip_protocol=rinci translated_route_domain=uamestqu translated_source_ip=10.52.13.192 translated_source_port=4714 translated_vlan=remagna vlan=439
diff --git a/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json
deleted file mode 100644
index 22b44de3e36..00000000000
--- a/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json
+++ /dev/null
@@ -1,6560 +0,0 @@ -[ - { - "destination.geo.country_name": "umq", - "destination.nat.ip": "10.165.201.71", - "destination.nat.port": 6153, - "destination.port": 2288, - "event.action": "Closed", - "event.code": "boNemoe", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "iusm modtempo olab6078.home olaboris tur itv [F5@odoco acl_policy_name=ria acl_policy_type=min acl_rule_name=ite action=Closed hostname=tatemac3541.api.corp bigip_mgmt_ip=10.228.193.207 context_name=liqua context_type=ciade date_time=Jan 29 2016 06:09:59 dest_ip=10.125.114.51 dst_geo=umq dest_port=2288 device_product=pexe device_vendor=nes device_version=1.2262 drop_reason=reveri errdefs_msgno=boNemoe errdefs_msg_name=equepor flow_id=eni ip_protocol=ipv6 severity=low partition_name=ehend route_domain=ritquiin sa_translation_pool=umqui sa_translation_type=reeufugi source_ip=10.208.121.85 src_geo=sperna source_port=884 source_user=billoi translated_dest_ip=10.165.201.71 translated_dest_port=6153 translated_ip_protocol=tatemU translated_route_domain=deF translated_source_ip=10.11.196.142 translated_source_port=5222 translated_vlan=iatnu vlan=3810", - "fileset.name": "bigipafm", - "host.ip": "10.228.193.207", - "host.name": "tatemac3541.api.corp", - "input.type": "log", - "log.level": "low", - "log.offset": 0, - "network.protocol": "ipv6", - "observer.product": "pexe", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.2262", - "related.hosts": [ - "tatemac3541.api.corp" - ], - "related.ip": [ - "10.11.196.142", - "10.165.201.71", - "10.208.121.85", - "10.228.193.207" - ], - "related.user": [ - "billoi" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Disable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Closed" - ], - "rsa.misc.context": "liqua", - "rsa.misc.event_type": "equepor", - "rsa.misc.obj_name": "odoco", - 
"rsa.misc.policy_name": "ria", - "rsa.misc.reference_id": "boNemoe", - "rsa.misc.rule_name": "ite", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.2262", - "rsa.network.alias_host": [ - "tatemac3541.api.corp" - ], - "rsa.network.vlan": 3810, - "rsa.time.event_time_str": "Jan", - "rule.name": "ite", - "service.type": "f5", - "source.geo.country_name": "sperna", - "source.ip": "10.208.121.85", - "source.nat.ip": "10.11.196.142", - "source.nat.port": 5222, - "source.port": 884, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "billoi" - }, - { - "destination.geo.country_name": "iin", - "destination.nat.ip": "10.94.67.230", - "destination.nat.port": 783, - "destination.port": 6287, - "event.action": "Established", - "event.code": "eumiu", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "eporr quipexe alo4540.example umdo itessequ vol [F5@luptat acl_policy_name=isiutal acl_policy_type=moenimi acl_rule_name=mod action=Established hostname=enatus2114.mail.home bigip_mgmt_ip=10.51.132.10 context_name=utper context_type=squame date_time=Feb 12 2016 13:12:33 dest_ip=10.173.116.41 dst_geo=iin dest_port=6287 device_product=emape device_vendor=aer device_version=1.445 drop_reason=nse errdefs_msgno=eumiu errdefs_msg_name=uame flow_id=quis ip_protocol=tcp severity=medium partition_name=cca route_domain=dolo sa_translation_pool=meumfug sa_translation_type=tetu source_ip=10.162.9.235 src_geo=tionulam source_port=2548 source_user=byC translated_dest_ip=10.94.67.230 translated_dest_port=783 translated_ip_protocol=atio translated_route_domain=uipexea translated_source_ip=10.92.202.200 translated_source_port=6772 translated_vlan=eFini vlan=859", - "fileset.name": "bigipafm", - "host.ip": "10.51.132.10", - "host.name": "enatus2114.mail.home", - "input.type": "log", - "log.level": "medium", - "log.offset": 856, - "network.protocol": "tcp", - "observer.product": "emape", - "observer.type": "Firewall", - "observer.vendor": "F5", - 
"observer.version": "1.445", - "related.hosts": [ - "enatus2114.mail.home" - ], - "related.ip": [ - "10.162.9.235", - "10.51.132.10", - "10.92.202.200", - "10.94.67.230" - ], - "related.user": [ - "byC" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Enable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Established" - ], - "rsa.misc.context": "utper", - "rsa.misc.event_type": "uame", - "rsa.misc.obj_name": "luptat", - "rsa.misc.policy_name": "isiutal", - "rsa.misc.reference_id": "eumiu", - "rsa.misc.rule_name": "mod", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.445", - "rsa.network.alias_host": [ - "enatus2114.mail.home" - ], - "rsa.network.vlan": 859, - "rsa.time.event_time_str": "Feb", - "rule.name": "mod", - "service.type": "f5", - "source.geo.country_name": "tionulam", - "source.ip": "10.162.9.235", - "source.nat.ip": "10.92.202.200", - "source.nat.port": 6772, - "source.port": 2548, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "byC" - }, - { - "destination.geo.country_name": "uptassi", - "destination.nat.ip": "10.82.56.117", - "destination.nat.port": 2935, - "destination.port": 3179, - "event.action": "Reject", - "event.code": "llumd", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "exe iatu ionofde2424.api.invalid rsitam ommodic mipsu [F5@consec acl_policy_name=taliquip acl_policy_type=psumq acl_rule_name=atcup action=Reject hostname=gelit6728.api.invalid bigip_mgmt_ip=10.122.116.161 context_name=uam context_type=untutl date_time=Feb 26 2016 20:15:08 dest_ip=10.40.68.117 dst_geo=uptassi dest_port=3179 device_product=scivel device_vendor=aqui device_version=1.4726 drop_reason=iveli errdefs_msgno=llumd errdefs_msg_name=enatuse flow_id=magn ip_protocol=icmp severity=low partition_name=eos route_domain=enimad sa_translation_pool=rmagni sa_translation_type=sit source_ip=10.209.155.149 
src_geo=tenima source_port=1073 source_user=seq translated_dest_ip=10.82.56.117 translated_dest_port=2935 translated_ip_protocol=veleumi translated_route_domain=tia translated_source_ip=10.191.68.244 translated_source_port=6905 translated_vlan=veri vlan=5990", - "fileset.name": "bigipafm", - "host.ip": "10.122.116.161", - "host.name": "gelit6728.api.invalid", - "input.type": "log", - "log.level": "low", - "log.offset": 1713, - "network.protocol": "icmp", - "observer.product": "scivel", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.4726", - "related.hosts": [ - "gelit6728.api.invalid" - ], - "related.ip": [ - "10.122.116.161", - "10.191.68.244", - "10.209.155.149", - "10.82.56.117" - ], - "related.user": [ - "seq" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Reject" - ], - "rsa.misc.context": "uam", - "rsa.misc.event_type": "enatuse", - "rsa.misc.obj_name": "consec", - "rsa.misc.policy_name": "taliquip", - "rsa.misc.reference_id": "llumd", - "rsa.misc.rule_name": "atcup", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.4726", - "rsa.network.alias_host": [ - "gelit6728.api.invalid" - ], - "rsa.network.vlan": 5990, - "rsa.time.event_time_str": "Feb", - "rule.name": "atcup", - "service.type": "f5", - "source.geo.country_name": "tenima", - "source.ip": "10.209.155.149", - "source.nat.ip": "10.191.68.244", - "source.nat.port": 6905, - "source.port": 1073, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "seq" - }, - { - "destination.geo.country_name": "untNequ", - "destination.nat.ip": "10.131.233.27", - "destination.nat.port": 5037, - "destination.port": 5075, - "event.action": "Accept", - "event.code": "ugiatqu", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "siutaliq exercit tempor4496.www.localdomain eip lupta iusmodt [F5@doloreeu acl_policy_name=pori 
acl_policy_type=occ acl_rule_name=ect action=Accept hostname=uid545.www5.localhost bigip_mgmt_ip=10.12.44.169 context_name=autfu context_type=natura date_time=Mar 12 2016 03:17:42 dest_ip=10.163.217.10 dst_geo=untNequ dest_port=5075 device_product=nimadmin device_vendor=erep device_version=1.2696 drop_reason=temq errdefs_msgno=ugiatqu errdefs_msg_name=eacomm flow_id=Utenimad ip_protocol=igmp severity=high partition_name=ehend route_domain=ueipsaqu sa_translation_pool=uidolore sa_translation_type=niamqu source_ip=10.202.66.28 src_geo=tevelit source_port=5098 source_user=elits translated_dest_ip=10.131.233.27 translated_dest_port=5037 translated_ip_protocol=ari translated_route_domain=eataevit translated_source_ip=10.50.112.141 translated_source_port=7303 translated_vlan=dmi vlan=499", - "fileset.name": "bigipafm", - "host.ip": "10.12.44.169", - "host.name": "uid545.www5.localhost", - "input.type": "log", - "log.level": "high", - "log.offset": 2582, - "network.protocol": "igmp", - "observer.product": "nimadmin", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.2696", - "related.hosts": [ - "uid545.www5.localhost" - ], - "related.ip": [ - "10.12.44.169", - "10.131.233.27", - "10.202.66.28", - "10.50.112.141" - ], - "related.user": [ - "elits" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Accept" - ], - "rsa.misc.context": "autfu", - "rsa.misc.event_type": "eacomm", - "rsa.misc.obj_name": "doloreeu", - "rsa.misc.policy_name": "pori", - "rsa.misc.reference_id": "ugiatqu", - "rsa.misc.rule_name": "ect", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.2696", - "rsa.network.alias_host": [ - "uid545.www5.localhost" - ], - "rsa.network.vlan": 499, - "rsa.time.event_time_str": "Mar", - "rule.name": "ect", - "service.type": "f5", - "source.geo.country_name": 
"tevelit", - "source.ip": "10.202.66.28", - "source.nat.ip": "10.50.112.141", - "source.nat.port": 7303, - "source.port": 5098, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "elits" - }, - { - "destination.geo.country_name": "ema", - "destination.nat.ip": "10.96.35.212", - "destination.nat.port": 3982, - "destination.port": 5969, - "event.action": "Established", - "event.code": "imav", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "mquisnos loremagn iciade3433.example enimad incididu eci [F5@aali acl_policy_name=ametcons acl_policy_type=porainc acl_rule_name=amquisno action=Established hostname=emquiavo452.internal.localhost bigip_mgmt_ip=10.151.111.38 context_name=tvol context_type=moll date_time=Mar 26 2016 10:20:16 dest_ip=10.228.149.225 dst_geo=ema dest_port=5969 device_product=tquovol device_vendor=ntsuntin device_version=1.3341 drop_reason=tatno errdefs_msgno=imav errdefs_msg_name=ididu flow_id=ciunt ip_protocol=ipv6-icmp severity=very-high partition_name=emqu route_domain=lit sa_translation_pool=iam sa_translation_type=qua source_ip=10.159.182.171 src_geo=umdolore source_port=6680 source_user=mol translated_dest_ip=10.96.35.212 translated_dest_port=3982 translated_ip_protocol=rumet translated_route_domain=oll translated_source_ip=10.206.197.113 translated_source_port=4075 translated_vlan=temUten vlan=4125", - "fileset.name": "bigipafm", - "host.ip": "10.151.111.38", - "host.name": "emquiavo452.internal.localhost", - "input.type": "log", - "log.level": "very-high", - "log.offset": 3471, - "network.protocol": "ipv6-icmp", - "observer.product": "tquovol", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.3341", - "related.hosts": [ - "emquiavo452.internal.localhost" - ], - "related.ip": [ - "10.151.111.38", - "10.159.182.171", - "10.206.197.113", - "10.96.35.212" - ], - "related.user": [ - "mol" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": 
"Enable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Established" - ], - "rsa.misc.context": "tvol", - "rsa.misc.event_type": "ididu", - "rsa.misc.obj_name": "aali", - "rsa.misc.policy_name": "ametcons", - "rsa.misc.reference_id": "imav", - "rsa.misc.rule_name": "amquisno", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.3341", - "rsa.network.alias_host": [ - "emquiavo452.internal.localhost" - ], - "rsa.network.vlan": 4125, - "rsa.time.event_time_str": "Mar", - "rule.name": "amquisno", - "service.type": "f5", - "source.geo.country_name": "umdolore", - "source.ip": "10.159.182.171", - "source.nat.ip": "10.206.197.113", - "source.nat.port": 4075, - "source.port": 6680, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "mol" - }, - { - "destination.geo.country_name": "rnatura", - "destination.nat.ip": "10.169.144.147", - "destination.nat.port": 2399, - "destination.port": 3007, - "event.action": "Drop", - "event.code": "liq", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "iqu ollit usan6343.www5.domain olo uaera sitas [F5@ehenderi acl_policy_name=pidatat acl_policy_type=gni acl_rule_name=tquiinea action=Drop hostname=sun1403.www.invalid bigip_mgmt_ip=10.126.177.162 context_name=eriame context_type=lorema date_time=Apr 09 2016 17:22:51 dest_ip=10.213.82.64 dst_geo=rnatura dest_port=3007 device_product=ddoeiu device_vendor=enb device_version=1.6179 drop_reason=onse errdefs_msgno=liq errdefs_msg_name=metcon flow_id=smo ip_protocol=igmp severity=medium partition_name=emporinc route_domain=untutlab sa_translation_pool=tem sa_translation_type=ons source_ip=10.213.113.28 src_geo=ali source_port=6446 source_user=ist translated_dest_ip=10.169.144.147 translated_dest_port=2399 translated_ip_protocol=nibus translated_route_domain=edquiano translated_source_ip=10.89.163.114 translated_source_port=5166 translated_vlan=par vlan=686", - 
"fileset.name": "bigipafm", - "host.ip": "10.126.177.162", - "host.name": "sun1403.www.invalid", - "input.type": "log", - "log.level": "medium", - "log.offset": 4369, - "network.protocol": "igmp", - "observer.product": "ddoeiu", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.6179", - "related.hosts": [ - "sun1403.www.invalid" - ], - "related.ip": [ - "10.126.177.162", - "10.169.144.147", - "10.213.113.28", - "10.89.163.114" - ], - "related.user": [ - "ist" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Drop" - ], - "rsa.misc.context": "eriame", - "rsa.misc.event_type": "metcon", - "rsa.misc.obj_name": "ehenderi", - "rsa.misc.policy_name": "pidatat", - "rsa.misc.reference_id": "liq", - "rsa.misc.rule_name": "tquiinea", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.6179", - "rsa.network.alias_host": [ - "sun1403.www.invalid" - ], - "rsa.network.vlan": 686, - "rsa.time.event_time_str": "Apr", - "rule.name": "tquiinea", - "service.type": "f5", - "source.geo.country_name": "ali", - "source.ip": "10.213.113.28", - "source.nat.ip": "10.89.163.114", - "source.nat.port": 5166, - "source.port": 6446, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "ist" - }, - { - "destination.geo.country_name": "qua", - "destination.nat.ip": "10.101.223.43", - "destination.nat.port": 6494, - "destination.port": 2945, - "event.action": "Closed", - "event.code": "tinvol", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "rveli rsint omm4276.www.example onofd taed lup [F5@remeumf acl_policy_name=antiumto acl_policy_type=strude acl_rule_name=ctetura action=Closed hostname=ittenbyC7838.api.localdomain bigip_mgmt_ip=10.18.124.28 context_name=ido context_type=paqu date_time=Apr 24 2016 00:25:25 dest_ip=10.158.194.3 dst_geo=qua dest_port=2945 device_product=quip device_vendor=oin 
device_version=1.6316 drop_reason=elaudant errdefs_msgno=tinvol errdefs_msg_name=dolore flow_id=abor ip_protocol=udp severity=medium partition_name=etc route_domain=etM sa_translation_pool=nimadmin sa_translation_type=ditautfu source_ip=10.146.88.52 src_geo=entsu source_port=5364 source_user=rudexerc translated_dest_ip=10.101.223.43 translated_dest_port=6494 translated_ip_protocol=quam translated_route_domain=adm translated_source_ip=10.103.107.47 translated_source_port=6094 translated_vlan=Nemoen vlan=2827", - "fileset.name": "bigipafm", - "host.ip": "10.18.124.28", - "host.name": "ittenbyC7838.api.localdomain", - "input.type": "log", - "log.level": "medium", - "log.offset": 5232, - "network.protocol": "udp", - "observer.product": "quip", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.6316", - "related.hosts": [ - "ittenbyC7838.api.localdomain" - ], - "related.ip": [ - "10.101.223.43", - "10.103.107.47", - "10.146.88.52", - "10.18.124.28" - ], - "related.user": [ - "rudexerc" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Disable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Closed" - ], - "rsa.misc.context": "ido", - "rsa.misc.event_type": "dolore", - "rsa.misc.obj_name": "remeumf", - "rsa.misc.policy_name": "antiumto", - "rsa.misc.reference_id": "tinvol", - "rsa.misc.rule_name": "ctetura", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.6316", - "rsa.network.alias_host": [ - "ittenbyC7838.api.localdomain" - ], - "rsa.network.vlan": 2827, - "rsa.time.event_time_str": "Apr", - "rule.name": "ctetura", - "service.type": "f5", - "source.geo.country_name": "entsu", - "source.ip": "10.146.88.52", - "source.nat.ip": "10.103.107.47", - "source.nat.port": 6094, - "source.port": 5364, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "rudexerc" - }, - { - "destination.geo.country_name": "ivelits", - 
"destination.nat.ip": "10.110.99.17", - "destination.nat.port": 6888, - "destination.port": 712, - "event.action": "Reject", - "event.code": "ommod", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "icab mwr fugi4637.www.lan imadmini ntutla equa [F5@mexercit acl_policy_name=dtem acl_policy_type=tasuntex acl_rule_name=sunt action=Reject hostname=ume465.corp bigip_mgmt_ip=10.189.109.245 context_name=emaperi context_type=tame date_time=May 08 2016 07:27:59 dest_ip=10.83.234.60 dst_geo=ivelits dest_port=712 device_product=iusmodt device_vendor=etdolo device_version=1.3768 drop_reason=lorumw errdefs_msgno=ommod errdefs_msg_name=sequatur flow_id=uidolo ip_protocol=ipv6-icmp severity=high partition_name=nihi route_domain=Lor sa_translation_pool=itecto sa_translation_type=erc source_ip=10.69.57.206 src_geo=olupt source_port=5979 source_user=onse translated_dest_ip=10.110.99.17 translated_dest_port=6888 translated_ip_protocol=ostrume translated_route_domain=molest translated_source_ip=10.150.220.75 translated_source_port=1298 translated_vlan=tisetq vlan=5372", - "fileset.name": "bigipafm", - "host.ip": "10.189.109.245", - "host.name": "ume465.corp", - "input.type": "log", - "log.level": "high", - "log.offset": 6105, - "network.protocol": "ipv6-icmp", - "observer.product": "iusmodt", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.3768", - "related.hosts": [ - "ume465.corp" - ], - "related.ip": [ - "10.110.99.17", - "10.150.220.75", - "10.189.109.245", - "10.69.57.206" - ], - "related.user": [ - "onse" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Reject" - ], - "rsa.misc.context": "emaperi", - "rsa.misc.event_type": "sequatur", - "rsa.misc.obj_name": "mexercit", - "rsa.misc.policy_name": "dtem", - "rsa.misc.reference_id": "ommod", - "rsa.misc.rule_name": "sunt", - "rsa.misc.severity": 
"high", - "rsa.misc.version": "1.3768", - "rsa.network.alias_host": [ - "ume465.corp" - ], - "rsa.network.vlan": 5372, - "rsa.time.event_time_str": "May", - "rule.name": "sunt", - "service.type": "f5", - "source.geo.country_name": "olupt", - "source.ip": "10.69.57.206", - "source.nat.ip": "10.150.220.75", - "source.nat.port": 1298, - "source.port": 5979, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "onse" - }, - { - "destination.geo.country_name": "nidolo", - "destination.nat.ip": "10.19.194.101", - "destination.nat.port": 3605, - "destination.port": 3409, - "event.action": "Drop", - "event.code": "Loremip", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "ici giatquov eritquii3561.www.example taut oreseos uames [F5@tati acl_policy_name=utaliqu acl_policy_type=oriosamn acl_rule_name=deFinibu action=Drop hostname=iciatisu1463.www5.localdomain bigip_mgmt_ip=10.153.136.222 context_name=tem context_type=est date_time=May 22 2016 14:30:33 dest_ip=10.176.205.96 dst_geo=nidolo dest_port=3409 device_product=taliq device_vendor=intoccae device_version=1.2299 drop_reason=dolo errdefs_msgno=Loremip errdefs_msg_name=idolor flow_id=emeumfu ip_protocol=ipv6-icmp severity=very-high partition_name=lupt route_domain=psaquae sa_translation_pool=oinBCSe sa_translation_type=mnisist source_ip=10.199.34.241 src_geo=amvolup source_port=7700 source_user=temveleu translated_dest_ip=10.19.194.101 translated_dest_port=3605 translated_ip_protocol=numqu translated_route_domain=qui translated_source_ip=10.121.219.204 translated_source_port=3496 translated_vlan=utali vlan=3611", - "fileset.name": "bigipafm", - "host.ip": "10.153.136.222", - "host.name": "iciatisu1463.www5.localdomain", - "input.type": "log", - "log.level": "very-high", - "log.offset": 6972, - "network.protocol": "ipv6-icmp", - "observer.product": "taliq", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.2299", - "related.hosts": [ - 
"iciatisu1463.www5.localdomain" - ], - "related.ip": [ - "10.121.219.204", - "10.153.136.222", - "10.19.194.101", - "10.199.34.241" - ], - "related.user": [ - "temveleu" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Drop" - ], - "rsa.misc.context": "tem", - "rsa.misc.event_type": "idolor", - "rsa.misc.obj_name": "tati", - "rsa.misc.policy_name": "utaliqu", - "rsa.misc.reference_id": "Loremip", - "rsa.misc.rule_name": "deFinibu", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.2299", - "rsa.network.alias_host": [ - "iciatisu1463.www5.localdomain" - ], - "rsa.network.vlan": 3611, - "rsa.time.event_time_str": "May", - "rule.name": "deFinibu", - "service.type": "f5", - "source.geo.country_name": "amvolup", - "source.ip": "10.199.34.241", - "source.nat.ip": "10.121.219.204", - "source.nat.port": 3496, - "source.port": 7700, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "temveleu" - }, - { - "destination.geo.country_name": "usmodt", - "destination.nat.ip": "10.57.103.192", - "destination.nat.port": 2716, - "destination.port": 1837, - "event.action": "Reject", - "event.code": "llu", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "reetd lumqui itinvo7084.mail.corp equep iavolu den [F5@tutla acl_policy_name=olorema acl_policy_type=iades acl_rule_name=siarchi action=Reject hostname=aliqu6801.api.localdomain bigip_mgmt_ip=10.46.27.57 context_name=ihilm context_type=atDu date_time=Jun 05 2016 21:33:08 dest_ip=10.128.232.208 dst_geo=usmodt dest_port=1837 device_product=run device_vendor=mque device_version=1.4138 drop_reason=quirat errdefs_msgno=llu errdefs_msg_name=licab flow_id=eirure ip_protocol=rdp severity=medium partition_name=oidentsu route_domain=atiset sa_translation_pool=atu sa_translation_type=umexerci source_ip=10.64.141.105 src_geo=iadese source_port=2374 source_user=ice 
translated_dest_ip=10.57.103.192 translated_dest_port=2716 translated_ip_protocol=oei translated_route_domain=tlabori translated_source_ip=10.182.199.231 translated_source_port=1426 translated_vlan=data vlan=4478", - "fileset.name": "bigipafm", - "host.ip": "10.46.27.57", - "host.name": "aliqu6801.api.localdomain", - "input.type": "log", - "log.level": "medium", - "log.offset": 7880, - "network.protocol": "rdp", - "observer.product": "run", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.4138", - "related.hosts": [ - "aliqu6801.api.localdomain" - ], - "related.ip": [ - "10.182.199.231", - "10.46.27.57", - "10.57.103.192", - "10.64.141.105" - ], - "related.user": [ - "ice" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Reject" - ], - "rsa.misc.context": "ihilm", - "rsa.misc.event_type": "licab", - "rsa.misc.obj_name": "tutla", - "rsa.misc.policy_name": "olorema", - "rsa.misc.reference_id": "llu", - "rsa.misc.rule_name": "siarchi", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.4138", - "rsa.network.alias_host": [ - "aliqu6801.api.localdomain" - ], - "rsa.network.vlan": 4478, - "rsa.time.event_time_str": "Jun", - "rule.name": "siarchi", - "service.type": "f5", - "source.geo.country_name": "iadese", - "source.ip": "10.64.141.105", - "source.nat.ip": "10.182.199.231", - "source.nat.port": 1426, - "source.port": 2374, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "ice" - }, - { - "destination.geo.country_name": "serunt", - "destination.nat.ip": "10.160.210.31", - "destination.nat.port": 7741, - "destination.port": 7865, - "event.action": "Closed", - "event.code": "eaq", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "nnum eritqu uradip7152.www5.home luptasn hitect dol [F5@leumiu acl_policy_name=namali acl_policy_type=taevit acl_rule_name=rinrepre 
action=Closed hostname=itame189.domain bigip_mgmt_ip=10.32.67.231 context_name=estia context_type=eaq date_time=Jun 20 2016 04:35:42 dest_ip=10.66.80.221 dst_geo=serunt dest_port=7865 device_product=texp device_vendor=tMalor device_version=1.7410 drop_reason=emoe errdefs_msgno=eaq errdefs_msg_name=amest flow_id=corp ip_protocol=tcp severity=low partition_name=rehender route_domain=iae sa_translation_pool=dantiumt sa_translation_type=luptasn source_ip=10.164.6.207 src_geo=olestiae source_port=5485 source_user=pic translated_dest_ip=10.160.210.31 translated_dest_port=7741 translated_ip_protocol=duntut translated_route_domain=magni translated_source_ip=10.3.134.237 translated_source_port=3156 translated_vlan=radipisc vlan=7020", - "fileset.name": "bigipafm", - "host.ip": "10.32.67.231", - "host.name": "itame189.domain", - "input.type": "log", - "log.level": "low", - "log.offset": 8754, - "network.protocol": "tcp", - "observer.product": "texp", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.7410", - "related.hosts": [ - "itame189.domain" - ], - "related.ip": [ - "10.160.210.31", - "10.164.6.207", - "10.3.134.237", - "10.32.67.231" - ], - "related.user": [ - "pic" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Disable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Closed" - ], - "rsa.misc.context": "estia", - "rsa.misc.event_type": "amest", - "rsa.misc.obj_name": "leumiu", - "rsa.misc.policy_name": "namali", - "rsa.misc.reference_id": "eaq", - "rsa.misc.rule_name": "rinrepre", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.7410", - "rsa.network.alias_host": [ - "itame189.domain" - ], - "rsa.network.vlan": 7020, - "rsa.time.event_time_str": "Jun", - "rule.name": "rinrepre", - "service.type": "f5", - "source.geo.country_name": "olestiae", - "source.ip": "10.164.6.207", - "source.nat.ip": "10.3.134.237", - 
"source.nat.port": 3156, - "source.port": 5485, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "pic" - }, - { - "destination.geo.country_name": "beata", - "destination.nat.ip": "10.42.138.192", - "destination.nat.port": 3403, - "destination.port": 6448, - "event.action": "Established", - "event.code": "uela", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "fficiade uscipit vitaedi1318.corp temqu edol colab [F5@ommodico acl_policy_name=quatD acl_policy_type=mcolab acl_rule_name=neav action=Established hostname=tsedqu2456.www5.invalid bigip_mgmt_ip=10.182.178.217 context_name=tlab context_type=volupt date_time=Jul 04 2016 11:38:16 dest_ip=10.188.169.107 dst_geo=beata dest_port=6448 device_product=fdeFi device_vendor=texp device_version=1.3545 drop_reason=etdol errdefs_msgno=uela errdefs_msg_name=boN flow_id=eprehend ip_protocol=tcp severity=medium partition_name=aboN route_domain=ihilmo sa_translation_pool=radi sa_translation_type=gel source_ip=10.235.101.253 src_geo=veniam source_port=2400 source_user=giatnu translated_dest_ip=10.42.138.192 translated_dest_port=3403 translated_ip_protocol=quioffi translated_route_domain=uptate translated_source_ip=10.201.6.10 translated_source_port=6608 translated_vlan=sequa vlan=2851", - "fileset.name": "bigipafm", - "host.ip": "10.182.178.217", - "host.name": "tsedqu2456.www5.invalid", - "input.type": "log", - "log.level": "medium", - "log.offset": 9620, - "network.protocol": "tcp", - "observer.product": "fdeFi", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.3545", - "related.hosts": [ - "tsedqu2456.www5.invalid" - ], - "related.ip": [ - "10.182.178.217", - "10.201.6.10", - "10.235.101.253", - "10.42.138.192" - ], - "related.user": [ - "giatnu" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Enable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - 
"rsa.misc.action": [ - "Established" - ], - "rsa.misc.context": "tlab", - "rsa.misc.event_type": "boN", - "rsa.misc.obj_name": "ommodico", - "rsa.misc.policy_name": "quatD", - "rsa.misc.reference_id": "uela", - "rsa.misc.rule_name": "neav", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.3545", - "rsa.network.alias_host": [ - "tsedqu2456.www5.invalid" - ], - "rsa.network.vlan": 2851, - "rsa.time.event_time_str": "Jul", - "rule.name": "neav", - "service.type": "f5", - "source.geo.country_name": "veniam", - "source.ip": "10.235.101.253", - "source.nat.ip": "10.201.6.10", - "source.nat.port": 6608, - "source.port": 2400, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "giatnu" - }, - { - "destination.geo.country_name": "enderit", - "destination.nat.ip": "10.194.247.171", - "destination.nat.port": 4940, - "destination.port": 5858, - "event.action": "Closed", - "event.code": "Utenimad", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "ate aliquam nimid893.mail.corp umwr oluptate issus [F5@osamn acl_policy_name=isnisiu acl_policy_type=bore acl_rule_name=tsu action=Closed hostname=stlabo1228.mail.host bigip_mgmt_ip=10.151.161.70 context_name=edo context_type=asia date_time=Jul 18 2016 18:40:50 dest_ip=10.108.167.93 dst_geo=enderit dest_port=5858 device_product=essecil device_vendor=citation device_version=1.3795 drop_reason=eco errdefs_msgno=Utenimad errdefs_msg_name=orpor flow_id=tlabo ip_protocol=rdp severity=low partition_name=emvel route_domain=tmollita sa_translation_pool=fde sa_translation_type=nsecte source_ip=10.22.102.198 src_geo=eroi source_port=176 source_user=nse translated_dest_ip=10.194.247.171 translated_dest_port=4940 translated_ip_protocol=mquisnos translated_route_domain=maven translated_source_ip=10.86.101.235 translated_source_port=3266 translated_vlan=lapar vlan=1024", - "fileset.name": "bigipafm", - "host.ip": "10.151.161.70", - "host.name": "stlabo1228.mail.host", - "input.type": "log", - 
"log.level": "low", - "log.offset": 10498, - "network.protocol": "rdp", - "observer.product": "essecil", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.3795", - "related.hosts": [ - "stlabo1228.mail.host" - ], - "related.ip": [ - "10.151.161.70", - "10.194.247.171", - "10.22.102.198", - "10.86.101.235" - ], - "related.user": [ - "nse" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Disable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Closed" - ], - "rsa.misc.context": "edo", - "rsa.misc.event_type": "orpor", - "rsa.misc.obj_name": "osamn", - "rsa.misc.policy_name": "isnisiu", - "rsa.misc.reference_id": "Utenimad", - "rsa.misc.rule_name": "tsu", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.3795", - "rsa.network.alias_host": [ - "stlabo1228.mail.host" - ], - "rsa.network.vlan": 1024, - "rsa.time.event_time_str": "Jul", - "rule.name": "tsu", - "service.type": "f5", - "source.geo.country_name": "eroi", - "source.ip": "10.22.102.198", - "source.nat.ip": "10.86.101.235", - "source.nat.port": 3266, - "source.port": 176, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "nse" - }, - { - "destination.geo.country_name": "mve", - "destination.nat.ip": "10.107.168.60", - "destination.nat.port": 2227, - "destination.port": 513, - "event.action": "Reject", - "event.code": "volupt", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "tfu udan orema6040.api.corp mveleu nofdeFin sequam [F5@temvel acl_policy_name=ris acl_policy_type=nisi acl_rule_name=dant action=Reject hostname=ecte4762.local bigip_mgmt_ip=10.204.35.15 context_name=quidolor context_type=tessec date_time=Aug 02 2016 01:43:25 dest_ip=10.135.160.125 dst_geo=mve dest_port=513 device_product=itatio device_vendor=uta device_version=1.4901 drop_reason=sintoc errdefs_msgno=volupt errdefs_msg_name=siste flow_id=uiinea 
ip_protocol=icmp severity=low partition_name=volupta route_domain=rcitati sa_translation_pool=eni sa_translation_type=ionevo source_ip=10.174.252.105 src_geo=sperna source_port=5368 source_user=mnisi translated_dest_ip=10.107.168.60 translated_dest_port=2227 translated_ip_protocol=oinBC translated_route_domain=quameius translated_source_ip=10.167.172.155 translated_source_port=3544 translated_vlan=etdo vlan=706", - "fileset.name": "bigipafm", - "host.ip": "10.204.35.15", - "host.name": "ecte4762.local", - "input.type": "log", - "log.level": "low", - "log.offset": 11366, - "network.protocol": "icmp", - "observer.product": "itatio", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.4901", - "related.hosts": [ - "ecte4762.local" - ], - "related.ip": [ - "10.107.168.60", - "10.167.172.155", - "10.174.252.105", - "10.204.35.15" - ], - "related.user": [ - "mnisi" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Reject" - ], - "rsa.misc.context": "quidolor", - "rsa.misc.event_type": "siste", - "rsa.misc.obj_name": "temvel", - "rsa.misc.policy_name": "ris", - "rsa.misc.reference_id": "volupt", - "rsa.misc.rule_name": "dant", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.4901", - "rsa.network.alias_host": [ - "ecte4762.local" - ], - "rsa.network.vlan": 706, - "rsa.time.event_time_str": "Aug", - "rule.name": "dant", - "service.type": "f5", - "source.geo.country_name": "sperna", - "source.ip": "10.174.252.105", - "source.nat.ip": "10.167.172.155", - "source.nat.port": 3544, - "source.port": 5368, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "mnisi" - }, - { - "destination.geo.country_name": "quinesc", - "destination.nat.ip": "10.182.191.174", - "destination.nat.port": 1759, - "destination.port": 6218, - "event.action": "Drop", - "event.code": "orem", - "event.dataset": "f5.bigipafm", - 
"event.module": "f5", - "event.original": "ese isaute ptatemq95.api.host Nequepo ipsumd ntocc [F5@uteirure acl_policy_name=nevo acl_policy_type=ide acl_rule_name=aali action=Drop hostname=smo7167.www.test bigip_mgmt_ip=10.214.249.164 context_name=tco context_type=uae date_time=Aug 16 2016 08:45:59 dest_ip=10.187.20.98 dst_geo=quinesc dest_port=6218 device_product=santiumd device_vendor=turadip device_version=1.3427 drop_reason=niamqui errdefs_msgno=orem errdefs_msg_name=sno flow_id=atno ip_protocol=ipv6-icmp severity=high partition_name=volu route_domain=nonn sa_translation_pool=inventor sa_translation_type=quiavol source_ip=10.99.249.210 src_geo=iatisu source_port=6684 source_user=upta translated_dest_ip=10.182.191.174 translated_dest_port=1759 translated_ip_protocol=adm translated_route_domain=leumiur translated_source_ip=10.81.26.208 translated_source_port=7651 translated_vlan=isc vlan=5933", - "fileset.name": "bigipafm", - "host.ip": "10.214.249.164", - "host.name": "smo7167.www.test", - "input.type": "log", - "log.level": "high", - "log.offset": 12230, - "network.protocol": "ipv6-icmp", - "observer.product": "santiumd", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.3427", - "related.hosts": [ - "smo7167.www.test" - ], - "related.ip": [ - "10.182.191.174", - "10.214.249.164", - "10.81.26.208", - "10.99.249.210" - ], - "related.user": [ - "upta" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Drop" - ], - "rsa.misc.context": "tco", - "rsa.misc.event_type": "sno", - "rsa.misc.obj_name": "uteirure", - "rsa.misc.policy_name": "nevo", - "rsa.misc.reference_id": "orem", - "rsa.misc.rule_name": "aali", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.3427", - "rsa.network.alias_host": [ - "smo7167.www.test" - ], - "rsa.network.vlan": 5933, - "rsa.time.event_time_str": "Aug", - "rule.name": "aali", - 
"service.type": "f5", - "source.geo.country_name": "iatisu", - "source.ip": "10.99.249.210", - "source.nat.ip": "10.81.26.208", - "source.nat.port": 7651, - "source.port": 6684, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "upta" - }, - { - "destination.geo.country_name": "eriti", - "destination.nat.ip": "10.88.101.53", - "destination.nat.port": 2458, - "destination.port": 2201, - "event.action": "Drop", - "event.code": "quameius", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "tobea tor qui4499.api.local fugiatn docon etconsec [F5@ios acl_policy_name=evolu acl_policy_type=ersp acl_rule_name=tquov action=Drop hostname=sauteiru4554.api.domain bigip_mgmt_ip=10.220.5.143 context_name=com context_type=tnulapa date_time=Aug 30 2016 15:48:33 dest_ip=10.108.85.148 dst_geo=eriti dest_port=2201 device_product=norum device_vendor=madmi device_version=1.1766 drop_reason=sequatu errdefs_msgno=quameius errdefs_msg_name=nisiuta flow_id=roid ip_protocol=icmp severity=very-high partition_name=eprehen route_domain=entor sa_translation_pool=xeacomm sa_translation_type=nihil source_ip=10.101.226.128 src_geo=rsitv source_port=3087 source_user=porro translated_dest_ip=10.88.101.53 translated_dest_port=2458 translated_ip_protocol=tatemUt translated_route_domain=modtemp translated_source_ip=10.201.238.90 translated_source_port=2715 translated_vlan=remag vlan=3759", - "fileset.name": "bigipafm", - "host.ip": "10.220.5.143", - "host.name": "sauteiru4554.api.domain", - "input.type": "log", - "log.level": "very-high", - "log.offset": 13094, - "network.protocol": "icmp", - "observer.product": "norum", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.1766", - "related.hosts": [ - "sauteiru4554.api.domain" - ], - "related.ip": [ - "10.101.226.128", - "10.201.238.90", - "10.220.5.143", - "10.88.101.53" - ], - "related.user": [ - "porro" - ], - "rsa.internal.messageid": "BIGIP_AFM", - 
"rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Drop" - ], - "rsa.misc.context": "com", - "rsa.misc.event_type": "nisiuta", - "rsa.misc.obj_name": "ios", - "rsa.misc.policy_name": "evolu", - "rsa.misc.reference_id": "quameius", - "rsa.misc.rule_name": "tquov", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.1766", - "rsa.network.alias_host": [ - "sauteiru4554.api.domain" - ], - "rsa.network.vlan": 3759, - "rsa.time.event_time_str": "Aug", - "rule.name": "tquov", - "service.type": "f5", - "source.geo.country_name": "rsitv", - "source.ip": "10.101.226.128", - "source.nat.ip": "10.201.238.90", - "source.nat.port": 2715, - "source.port": 3087, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "porro" - }, - { - "destination.geo.country_name": "untu", - "destination.nat.ip": "10.30.133.66", - "destination.nat.port": 1921, - "destination.port": 5676, - "event.action": "Reject", - "event.code": "ium", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "ccaecat tquiin tse4198.www.localdomain ptasn taedicta itam [F5@str acl_policy_name=idolore acl_policy_type=pid acl_rule_name=illoin action=Reject hostname=untut4046.internal.domain bigip_mgmt_ip=10.217.150.196 context_name=uine context_type=udant date_time=Sep 13 2016 22:51:07 dest_ip=10.183.59.41 dst_geo=untu dest_port=5676 device_product=ven device_vendor=con device_version=1.7491 drop_reason=amnih errdefs_msgno=ium errdefs_msg_name=esciuntN flow_id=idunt ip_protocol=udp severity=low partition_name=rQu route_domain=oremeu sa_translation_pool=laudant sa_translation_type=isnost source_ip=10.157.18.252 src_geo=itess source_port=52 source_user=evit translated_dest_ip=10.30.133.66 translated_dest_port=1921 translated_ip_protocol=velitse translated_route_domain=oditem translated_source_ip=10.243.218.215 translated_source_port=662 translated_vlan=rsitvolu vlan=3751", - "fileset.name": "bigipafm", - 
"host.ip": "10.217.150.196", - "host.name": "untut4046.internal.domain", - "input.type": "log", - "log.level": "low", - "log.offset": 13974, - "network.protocol": "udp", - "observer.product": "ven", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.7491", - "related.hosts": [ - "untut4046.internal.domain" - ], - "related.ip": [ - "10.157.18.252", - "10.217.150.196", - "10.243.218.215", - "10.30.133.66" - ], - "related.user": [ - "evit" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Reject" - ], - "rsa.misc.context": "uine", - "rsa.misc.event_type": "esciuntN", - "rsa.misc.obj_name": "str", - "rsa.misc.policy_name": "idolore", - "rsa.misc.reference_id": "ium", - "rsa.misc.rule_name": "illoin", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.7491", - "rsa.network.alias_host": [ - "untut4046.internal.domain" - ], - "rsa.network.vlan": 3751, - "rsa.time.event_time_str": "Sep", - "rule.name": "illoin", - "service.type": "f5", - "source.geo.country_name": "itess", - "source.ip": "10.157.18.252", - "source.nat.ip": "10.243.218.215", - "source.nat.port": 662, - "source.port": 52, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "evit" - }, - { - "destination.geo.country_name": "iduntu", - "destination.nat.ip": "10.181.133.187", - "destination.nat.port": 1079, - "destination.port": 1655, - "event.action": "Accept", - "event.code": "acommo", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "sumdolor meaqueip npr4414.api.localdomain boNem ess ipisci [F5@gitsed acl_policy_name=tqu acl_policy_type=reprehen acl_rule_name=trumexer action=Accept hostname=quid3147.mail.home bigip_mgmt_ip=10.66.181.6 context_name=epre context_type=tobeata date_time=Sep 28 2016 05:53:42 dest_ip=10.181.53.249 dst_geo=iduntu dest_port=1655 device_product=temUt device_vendor=avol 
device_version=1.752 drop_reason=essequam errdefs_msgno=acommo errdefs_msg_name=nturma flow_id=str ip_protocol=ipv6 severity=high partition_name=etur route_domain=itecto sa_translation_pool=reetdol sa_translation_type=totamre source_ip=10.148.161.250 src_geo=ciadeser source_port=6135 source_user=adipisc translated_dest_ip=10.181.133.187 translated_dest_port=1079 translated_ip_protocol=aquioffi translated_route_domain=tamet translated_source_ip=10.167.227.44 translated_source_port=6595 translated_vlan=eFi vlan=6733", - "fileset.name": "bigipafm", - "host.ip": "10.66.181.6", - "host.name": "quid3147.mail.home", - "input.type": "log", - "log.level": "high", - "log.offset": 14847, - "network.protocol": "ipv6", - "observer.product": "temUt", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.752", - "related.hosts": [ - "quid3147.mail.home" - ], - "related.ip": [ - "10.148.161.250", - "10.167.227.44", - "10.181.133.187", - "10.66.181.6" - ], - "related.user": [ - "adipisc" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Accept" - ], - "rsa.misc.context": "epre", - "rsa.misc.event_type": "nturma", - "rsa.misc.obj_name": "gitsed", - "rsa.misc.policy_name": "tqu", - "rsa.misc.reference_id": "acommo", - "rsa.misc.rule_name": "trumexer", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.752", - "rsa.network.alias_host": [ - "quid3147.mail.home" - ], - "rsa.network.vlan": 6733, - "rsa.time.event_time_str": "Sep", - "rule.name": "trumexer", - "service.type": "f5", - "source.geo.country_name": "ciadeser", - "source.ip": "10.148.161.250", - "source.nat.ip": "10.167.227.44", - "source.nat.port": 6595, - "source.port": 6135, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "adipisc" - }, - { - "destination.geo.country_name": "psaquaea", - "destination.nat.ip": 
"10.107.9.163", - "destination.nat.port": 5433, - "destination.port": 1348, - "event.action": "Reject", - "event.code": "piscinge", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "its ender riamea1540.www.host seq tutlab sau [F5@atevelit acl_policy_name=meius acl_policy_type=billo acl_rule_name=labo action=Reject hostname=umdolo1029.mail.localhost bigip_mgmt_ip=10.54.17.32 context_name=orumSe context_type=ratv date_time=Oct 12 2016 12:56:16 dest_ip=10.119.81.180 dst_geo=psaquaea dest_port=1348 device_product=nts device_vendor=siut device_version=1.5663 drop_reason=ano errdefs_msgno=piscinge errdefs_msg_name=tvol flow_id=velitess ip_protocol=ipv6 severity=high partition_name=uunturm route_domain=temUte sa_translation_pool=sit sa_translation_type=olab source_ip=10.84.163.178 src_geo=ima source_port=2031 source_user=mquisno translated_dest_ip=10.107.9.163 translated_dest_port=5433 translated_ip_protocol=eacommod translated_route_domain=ctetura translated_source_ip=10.74.11.43 translated_source_port=55 translated_vlan=seosqui vlan=6797", - "fileset.name": "bigipafm", - "host.ip": "10.54.17.32", - "host.name": "umdolo1029.mail.localhost", - "input.type": "log", - "log.level": "high", - "log.offset": 15735, - "network.protocol": "ipv6", - "observer.product": "nts", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.5663", - "related.hosts": [ - "umdolo1029.mail.localhost" - ], - "related.ip": [ - "10.107.9.163", - "10.54.17.32", - "10.74.11.43", - "10.84.163.178" - ], - "related.user": [ - "mquisno" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Reject" - ], - "rsa.misc.context": "orumSe", - "rsa.misc.event_type": "tvol", - "rsa.misc.obj_name": "atevelit", - "rsa.misc.policy_name": "meius", - "rsa.misc.reference_id": "piscinge", - "rsa.misc.rule_name": "labo", - "rsa.misc.severity": 
"high", - "rsa.misc.version": "1.5663", - "rsa.network.alias_host": [ - "umdolo1029.mail.localhost" - ], - "rsa.network.vlan": 6797, - "rsa.time.event_time_str": "Oct", - "rule.name": "labo", - "service.type": "f5", - "source.geo.country_name": "ima", - "source.ip": "10.84.163.178", - "source.nat.ip": "10.74.11.43", - "source.nat.port": 55, - "source.port": 2031, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "mquisno" - }, - { - "destination.geo.country_name": "odoconse", - "destination.nat.ip": "10.184.73.211", - "destination.nat.port": 6540, - "destination.port": 228, - "event.action": "Accept", - "event.code": "labo", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "uradi tot llamco7206.www.home oremagna ncididun umSe [F5@xeacomm acl_policy_name=cinge acl_policy_type=itla acl_rule_name=iamquis action=Accept hostname=lorsita2019.internal.home bigip_mgmt_ip=10.192.229.221 context_name=ect context_type=modocons date_time=Oct 26 2016 19:58:50 dest_ip=10.199.194.188 dst_geo=odoconse dest_port=228 device_product=quatu device_vendor=veli device_version=1.5726 drop_reason=nonp errdefs_msgno=labo errdefs_msg_name=ulapar flow_id=aboreetd ip_protocol=igmp severity=low partition_name=llitanim route_domain=invo sa_translation_pool=hit sa_translation_type=urv source_ip=10.112.32.213 src_geo=runtmol source_port=1749 source_user=odi translated_dest_ip=10.184.73.211 translated_dest_port=6540 translated_ip_protocol=esseci translated_route_domain=tametcon translated_source_ip=10.230.129.252 translated_source_port=3947 translated_vlan=isis vlan=4917", - "fileset.name": "bigipafm", - "host.ip": "10.192.229.221", - "host.name": "lorsita2019.internal.home", - "input.type": "log", - "log.level": "low", - "log.offset": 16603, - "network.protocol": "igmp", - "observer.product": "quatu", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.5726", - "related.hosts": [ - "lorsita2019.internal.home" - ], - 
"related.ip": [ - "10.112.32.213", - "10.184.73.211", - "10.192.229.221", - "10.230.129.252" - ], - "related.user": [ - "odi" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Accept" - ], - "rsa.misc.context": "ect", - "rsa.misc.event_type": "ulapar", - "rsa.misc.obj_name": "xeacomm", - "rsa.misc.policy_name": "cinge", - "rsa.misc.reference_id": "labo", - "rsa.misc.rule_name": "iamquis", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.5726", - "rsa.network.alias_host": [ - "lorsita2019.internal.home" - ], - "rsa.network.vlan": 4917, - "rsa.time.event_time_str": "Oct", - "rule.name": "iamquis", - "service.type": "f5", - "source.geo.country_name": "runtmol", - "source.ip": "10.112.32.213", - "source.nat.ip": "10.230.129.252", - "source.nat.port": 3947, - "source.port": 1749, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "odi" - }, - { - "destination.geo.country_name": "doloreme", - "destination.nat.ip": "10.198.213.189", - "destination.nat.port": 5024, - "destination.port": 60, - "event.action": "Reject", - "event.code": "itse", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "utlab emUteni rum959.host velillu cteturad bor [F5@rauto acl_policy_name=ationev acl_policy_type=umdolor acl_rule_name=uaUten action=Reject hostname=paquioff624.mail.invalid bigip_mgmt_ip=10.161.148.64 context_name=ibusBon context_type=ven date_time=Nov 10 2016 03:01:24 dest_ip=10.162.114.217 dst_geo=doloreme dest_port=60 device_product=onemulla device_vendor=evitaed device_version=1.1721 drop_reason=suntin errdefs_msgno=itse errdefs_msg_name=umexerc flow_id=oremipsu ip_protocol=ipv6-icmp severity=medium partition_name=amco route_domain=ssecillu sa_translation_pool=liqua sa_translation_type=olo source_ip=10.199.216.143 src_geo=fdeF source_port=593 source_user=ccaeca 
translated_dest_ip=10.198.213.189 translated_dest_port=5024 translated_ip_protocol=remagn translated_route_domain=mquae translated_source_ip=10.7.200.140 translated_source_port=3298 translated_vlan=olupt vlan=2189", - "fileset.name": "bigipafm", - "host.ip": "10.161.148.64", - "host.name": "paquioff624.mail.invalid", - "input.type": "log", - "log.level": "medium", - "log.offset": 17484, - "network.protocol": "ipv6-icmp", - "observer.product": "onemulla", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.1721", - "related.hosts": [ - "paquioff624.mail.invalid" - ], - "related.ip": [ - "10.161.148.64", - "10.198.213.189", - "10.199.216.143", - "10.7.200.140" - ], - "related.user": [ - "ccaeca" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Reject" - ], - "rsa.misc.context": "ibusBon", - "rsa.misc.event_type": "umexerc", - "rsa.misc.obj_name": "rauto", - "rsa.misc.policy_name": "ationev", - "rsa.misc.reference_id": "itse", - "rsa.misc.rule_name": "uaUten", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.1721", - "rsa.network.alias_host": [ - "paquioff624.mail.invalid" - ], - "rsa.network.vlan": 2189, - "rsa.time.event_time_str": "Nov", - "rule.name": "uaUten", - "service.type": "f5", - "source.geo.country_name": "fdeF", - "source.ip": "10.199.216.143", - "source.nat.ip": "10.7.200.140", - "source.nat.port": 3298, - "source.port": 593, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "ccaeca" - }, - { - "destination.geo.country_name": "taedicta", - "destination.nat.ip": "10.128.157.27", - "destination.nat.port": 1493, - "destination.port": 3409, - "event.action": "Reject", - "event.code": "snost", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "edquiac urerepr eseru4234.mail.example qua rsita ate [F5@ipsamvo acl_policy_name=onula acl_policy_type=miu 
acl_rule_name=rationev action=Reject hostname=mex2054.mail.corp bigip_mgmt_ip=10.65.232.27 context_name=ica context_type=lillum date_time=Nov 24 2016 10:03:59 dest_ip=10.199.40.38 dst_geo=taedicta dest_port=3409 device_product=poriss device_vendor=tvolup device_version=1.1000 drop_reason=siu errdefs_msgno=snost errdefs_msg_name=tpersp flow_id=llamc ip_protocol=tcp severity=very-high partition_name=mvel route_domain=nof sa_translation_pool=usmodi sa_translation_type=mvolu source_ip=10.206.96.56 src_geo=aincidu source_port=2687 source_user=uaeab translated_dest_ip=10.128.157.27 translated_dest_port=1493 translated_ip_protocol=etdolor translated_route_domain=lupta translated_source_ip=10.22.187.69 translated_source_port=3590 translated_vlan=oremi vlan=1485", - "fileset.name": "bigipafm", - "host.ip": "10.65.232.27", - "host.name": "mex2054.mail.corp", - "input.type": "log", - "log.level": "very-high", - "log.offset": 18373, - "network.protocol": "tcp", - "observer.product": "poriss", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.1000", - "related.hosts": [ - "mex2054.mail.corp" - ], - "related.ip": [ - "10.128.157.27", - "10.206.96.56", - "10.22.187.69", - "10.65.232.27" - ], - "related.user": [ - "uaeab" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Reject" - ], - "rsa.misc.context": "ica", - "rsa.misc.event_type": "tpersp", - "rsa.misc.obj_name": "ipsamvo", - "rsa.misc.policy_name": "onula", - "rsa.misc.reference_id": "snost", - "rsa.misc.rule_name": "rationev", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.1000", - "rsa.network.alias_host": [ - "mex2054.mail.corp" - ], - "rsa.network.vlan": 1485, - "rsa.time.event_time_str": "Nov", - "rule.name": "rationev", - "service.type": "f5", - "source.geo.country_name": "aincidu", - "source.ip": "10.206.96.56", - "source.nat.ip": "10.22.187.69", - 
"source.nat.port": 3590, - "source.port": 2687, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "uaeab" - }, - { - "destination.geo.country_name": "dipisci", - "destination.nat.ip": "10.68.253.120", - "destination.nat.port": 481, - "destination.port": 3449, - "event.action": "Closed", - "event.code": "tae", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "nbyCi tevel usc5760.www5.localdomain cab atisund xea [F5@ites acl_policy_name=isetq acl_policy_type=iutali acl_rule_name=velite action=Closed hostname=avolupt7576.api.corp bigip_mgmt_ip=10.194.210.62 context_name=porincid context_type=atisetqu date_time=Dec 08 2016 17:06:33 dest_ip=10.51.213.42 dst_geo=dipisci dest_port=3449 device_product=ilmol device_vendor=eri device_version=1.3104 drop_reason=ueipsa errdefs_msgno=tae errdefs_msg_name=autodit flow_id=elit ip_protocol=udp severity=high partition_name=plica route_domain=ore sa_translation_pool=quidolor sa_translation_type=inven source_ip=10.71.114.14 src_geo=itsedd source_port=3010 source_user=admin translated_dest_ip=10.68.253.120 translated_dest_port=481 translated_ip_protocol=est translated_route_domain=uptatemU translated_source_ip=10.183.130.225 translated_source_port=5693 translated_vlan=item vlan=2738", - "fileset.name": "bigipafm", - "host.ip": "10.194.210.62", - "host.name": "avolupt7576.api.corp", - "input.type": "log", - "log.level": "high", - "log.offset": 19244, - "network.protocol": "udp", - "observer.product": "ilmol", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.3104", - "related.hosts": [ - "avolupt7576.api.corp" - ], - "related.ip": [ - "10.183.130.225", - "10.194.210.62", - "10.68.253.120", - "10.71.114.14" - ], - "related.user": [ - "admin" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Disable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - 
"Closed" - ], - "rsa.misc.context": "porincid", - "rsa.misc.event_type": "autodit", - "rsa.misc.obj_name": "ites", - "rsa.misc.policy_name": "isetq", - "rsa.misc.reference_id": "tae", - "rsa.misc.rule_name": "velite", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.3104", - "rsa.network.alias_host": [ - "avolupt7576.api.corp" - ], - "rsa.network.vlan": 2738, - "rsa.time.event_time_str": "Dec", - "rule.name": "velite", - "service.type": "f5", - "source.geo.country_name": "itsedd", - "source.ip": "10.71.114.14", - "source.nat.ip": "10.183.130.225", - "source.nat.port": 5693, - "source.port": 3010, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "admin" - }, - { - "destination.geo.country_name": "giatquov", - "destination.nat.ip": "10.47.255.237", - "destination.nat.port": 2311, - "destination.port": 1918, - "event.action": "Established", - "event.code": "labo", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "dat periam dqu6144.api.localhost dutpers erun orisn [F5@reetd acl_policy_name=prehen acl_policy_type=ntutlabo acl_rule_name=iusmodte action=Established hostname=loi7596.www5.home bigip_mgmt_ip=10.31.177.226 context_name=deserun context_type=esseq date_time=Dec 23 2016 00:09:07 dest_ip=10.209.157.8 dst_geo=giatquov dest_port=1918 device_product=enderi device_vendor=ptatem device_version=1.341 drop_reason=fugi errdefs_msgno=labo errdefs_msg_name=nostrud flow_id=gnaal ip_protocol=ggp severity=medium partition_name=cupi route_domain=tame sa_translation_pool=atione sa_translation_type=lores source_ip=10.45.253.103 src_geo=uii source_port=5923 source_user=remagn translated_dest_ip=10.47.255.237 translated_dest_port=2311 translated_ip_protocol=uuntur translated_route_domain=enderit translated_source_ip=10.107.45.175 translated_source_port=4185 translated_vlan=rumSecti vlan=4593", - "fileset.name": "bigipafm", - "host.ip": "10.31.177.226", - "host.name": "loi7596.www5.home", - "input.type": "log", - "log.level": 
"medium", - "log.offset": 20116, - "network.protocol": "ggp", - "observer.product": "enderi", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.341", - "related.hosts": [ - "loi7596.www5.home" - ], - "related.ip": [ - "10.107.45.175", - "10.31.177.226", - "10.45.253.103", - "10.47.255.237" - ], - "related.user": [ - "remagn" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Enable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Established" - ], - "rsa.misc.context": "deserun", - "rsa.misc.event_type": "nostrud", - "rsa.misc.obj_name": "reetd", - "rsa.misc.policy_name": "prehen", - "rsa.misc.reference_id": "labo", - "rsa.misc.rule_name": "iusmodte", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.341", - "rsa.network.alias_host": [ - "loi7596.www5.home" - ], - "rsa.network.vlan": 4593, - "rsa.time.event_time_str": "Dec", - "rule.name": "iusmodte", - "service.type": "f5", - "source.geo.country_name": "uii", - "source.ip": "10.45.253.103", - "source.nat.ip": "10.107.45.175", - "source.nat.port": 4185, - "source.port": 5923, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "remagn" - }, - { - "destination.geo.country_name": "illu", - "destination.nat.ip": "10.55.105.113", - "destination.nat.port": 3214, - "destination.port": 4875, - "event.action": "Reject", - "event.code": "its", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "atise tate onevo4326.internal.local isnost olorem ido [F5@emqu acl_policy_name=riss acl_policy_type=iquamqua acl_rule_name=sit action=Reject hostname=nsequat1971.internal.invalid bigip_mgmt_ip=10.225.212.189 context_name=mven context_type=olorsit date_time=Jan 06 2017 07:11:41 dest_ip=10.121.239.183 dst_geo=illu dest_port=4875 device_product=turadip device_vendor=tatevel device_version=1.1607 drop_reason=ptassita errdefs_msgno=its 
errdefs_msg_name=lore flow_id=idol ip_protocol=igmp severity=high partition_name=isn route_domain=sBono sa_translation_pool=loremqu sa_translation_type=tetur source_ip=10.213.94.135 src_geo=tMal source_port=2607 source_user=dquia translated_dest_ip=10.55.105.113 translated_dest_port=3214 translated_ip_protocol=tatione translated_route_domain=nimveni translated_source_ip=10.44.58.106 translated_source_port=1241 translated_vlan=quid vlan=4814", - "fileset.name": "bigipafm", - "host.ip": "10.225.212.189", - "host.name": "nsequat1971.internal.invalid", - "input.type": "log", - "log.level": "high", - "log.offset": 21000, - "network.protocol": "igmp", - "observer.product": "turadip", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.1607", - "related.hosts": [ - "nsequat1971.internal.invalid" - ], - "related.ip": [ - "10.213.94.135", - "10.225.212.189", - "10.44.58.106", - "10.55.105.113" - ], - "related.user": [ - "dquia" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Reject" - ], - "rsa.misc.context": "mven", - "rsa.misc.event_type": "lore", - "rsa.misc.obj_name": "emqu", - "rsa.misc.policy_name": "riss", - "rsa.misc.reference_id": "its", - "rsa.misc.rule_name": "sit", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.1607", - "rsa.network.alias_host": [ - "nsequat1971.internal.invalid" - ], - "rsa.network.vlan": 4814, - "rsa.time.event_time_str": "Jan", - "rule.name": "sit", - "service.type": "f5", - "source.geo.country_name": "tMal", - "source.ip": "10.213.94.135", - "source.nat.ip": "10.44.58.106", - "source.nat.port": 1241, - "source.port": 2607, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "dquia" - }, - { - "destination.geo.country_name": "mUten", - "destination.nat.ip": "10.69.161.78", - "destination.nat.port": 1282, - "destination.port": 1812, - "event.action": "Reject", - 
"event.code": "norumet", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "eporroq ulla iqu4614.www5.example abore squ uiadol [F5@Duisa acl_policy_name=lupta acl_policy_type=aUt acl_rule_name=boNem action=Reject hostname=ectiono2241.lan bigip_mgmt_ip=10.2.114.9 context_name=rehende context_type=velillu date_time=Jan 20 2017 14:14:16 dest_ip=10.94.139.127 dst_geo=mUten dest_port=1812 device_product=quidolor device_vendor=oqu device_version=1.51 drop_reason=tlaboree errdefs_msgno=norumet errdefs_msg_name=dtempo flow_id=tin ip_protocol=tcp severity=high partition_name=imad route_domain=tinvolup sa_translation_pool=tsed sa_translation_type=inv source_ip=10.163.209.70 src_geo=atu source_port=4718 source_user=olabor translated_dest_ip=10.69.161.78 translated_dest_port=1282 translated_ip_protocol=iruredol translated_route_domain=incidid translated_source_ip=10.255.74.136 translated_source_port=5902 translated_vlan=eaqueips vlan=6396", - "fileset.name": "bigipafm", - "host.ip": "10.2.114.9", - "host.name": "ectiono2241.lan", - "input.type": "log", - "log.level": "high", - "log.offset": 21880, - "network.protocol": "tcp", - "observer.product": "quidolor", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.51", - "related.hosts": [ - "ectiono2241.lan" - ], - "related.ip": [ - "10.163.209.70", - "10.2.114.9", - "10.255.74.136", - "10.69.161.78" - ], - "related.user": [ - "olabor" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Reject" - ], - "rsa.misc.context": "rehende", - "rsa.misc.event_type": "dtempo", - "rsa.misc.obj_name": "Duisa", - "rsa.misc.policy_name": "lupta", - "rsa.misc.reference_id": "norumet", - "rsa.misc.rule_name": "boNem", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.51", - "rsa.network.alias_host": [ - "ectiono2241.lan" - ], - "rsa.network.vlan": 6396, - 
"rsa.time.event_time_str": "Jan", - "rule.name": "boNem", - "service.type": "f5", - "source.geo.country_name": "atu", - "source.ip": "10.163.209.70", - "source.nat.ip": "10.255.74.136", - "source.nat.port": 5902, - "source.port": 4718, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "olabor" - }, - { - "destination.geo.country_name": "iciad", - "destination.nat.ip": "10.184.59.148", - "destination.nat.port": 6933, - "destination.port": 7874, - "event.action": "Closed", - "event.code": "lmo", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "volupta dmi untexpl2847.www5.local eiusmod emoe uiinea [F5@mnisiut acl_policy_name=avolu acl_policy_type=Except acl_rule_name=olup action=Closed hostname=umetMal1664.mail.lan bigip_mgmt_ip=10.46.115.216 context_name=equun context_type=sitvo date_time=Feb 03 2017 21:16:50 dest_ip=10.223.198.146 dst_geo=iciad dest_port=7874 device_product=mad device_vendor=onse device_version=1.380 drop_reason=mipsum errdefs_msgno=lmo errdefs_msg_name=aliquamq flow_id=dtempori ip_protocol=rdp severity=medium partition_name=voluptat route_domain=ugit sa_translation_pool=tatem sa_translation_type=metcons source_ip=10.252.102.110 src_geo=henderit source_port=7829 source_user=perspici translated_dest_ip=10.184.59.148 translated_dest_port=6933 translated_ip_protocol=queips translated_route_domain=midest translated_source_ip=10.12.129.137 translated_source_port=721 translated_vlan=orroqu vlan=472", - "fileset.name": "bigipafm", - "host.ip": "10.46.115.216", - "host.name": "umetMal1664.mail.lan", - "input.type": "log", - "log.level": "medium", - "log.offset": 22745, - "network.protocol": "rdp", - "observer.product": "mad", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.380", - "related.hosts": [ - "umetMal1664.mail.lan" - ], - "related.ip": [ - "10.12.129.137", - "10.184.59.148", - "10.252.102.110", - "10.46.115.216" - ], - "related.user": [ - "perspici" - ], - 
"rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Disable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Closed" - ], - "rsa.misc.context": "equun", - "rsa.misc.event_type": "aliquamq", - "rsa.misc.obj_name": "mnisiut", - "rsa.misc.policy_name": "avolu", - "rsa.misc.reference_id": "lmo", - "rsa.misc.rule_name": "olup", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.380", - "rsa.network.alias_host": [ - "umetMal1664.mail.lan" - ], - "rsa.network.vlan": 472, - "rsa.time.event_time_str": "Feb", - "rule.name": "olup", - "service.type": "f5", - "source.geo.country_name": "henderit", - "source.ip": "10.252.102.110", - "source.nat.ip": "10.12.129.137", - "source.nat.port": 721, - "source.port": 7829, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "perspici" - }, - { - "destination.geo.country_name": "nder", - "destination.nat.ip": "10.155.204.243", - "destination.nat.port": 459, - "destination.port": 3238, - "event.action": "Established", - "event.code": "tatem", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "labore uela ntexplic4824.internal.localhost dolorsit archite remq [F5@veniamq acl_policy_name=occ acl_policy_type=oloreseo acl_rule_name=iruredol action=Established hostname=derit5270.mail.local bigip_mgmt_ip=10.105.52.140 context_name=ntexpl context_type=dunt date_time=Feb 18 2017 04:19:24 dest_ip=10.20.55.199 dst_geo=nder dest_port=3238 device_product=itanim device_vendor=nesciun device_version=1.1729 drop_reason=mollita errdefs_msgno=tatem errdefs_msg_name=iae flow_id=quido ip_protocol=ipv6-icmp severity=very-high partition_name=inBC route_domain=mol sa_translation_pool=tur sa_translation_type=ictas source_ip=10.81.184.7 src_geo=saquaea source_port=6344 source_user=eetd translated_dest_ip=10.155.204.243 translated_dest_port=459 translated_ip_protocol=lorsi translated_route_domain=repreh 
translated_source_ip=10.199.194.79 translated_source_port=7713 translated_vlan=illumqui vlan=3414", - "fileset.name": "bigipafm", - "host.ip": "10.105.52.140", - "host.name": "derit5270.mail.local", - "input.type": "log", - "log.level": "very-high", - "log.offset": 23630, - "network.protocol": "ipv6-icmp", - "observer.product": "itanim", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.1729", - "related.hosts": [ - "derit5270.mail.local" - ], - "related.ip": [ - "10.105.52.140", - "10.155.204.243", - "10.199.194.79", - "10.81.184.7" - ], - "related.user": [ - "eetd" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Enable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Established" - ], - "rsa.misc.context": "ntexpl", - "rsa.misc.event_type": "iae", - "rsa.misc.obj_name": "veniamq", - "rsa.misc.policy_name": "occ", - "rsa.misc.reference_id": "tatem", - "rsa.misc.rule_name": "iruredol", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.1729", - "rsa.network.alias_host": [ - "derit5270.mail.local" - ], - "rsa.network.vlan": 3414, - "rsa.time.event_time_str": "Feb", - "rule.name": "iruredol", - "service.type": "f5", - "source.geo.country_name": "saquaea", - "source.ip": "10.81.184.7", - "source.nat.ip": "10.199.194.79", - "source.nat.port": 7713, - "source.port": 6344, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "eetd" - }, - { - "destination.geo.country_name": "unte", - "destination.nat.ip": "10.18.226.72", - "destination.nat.port": 5140, - "destination.port": 893, - "event.action": "Closed", - "event.code": "tatnon", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "amali ate idolor3916.www5.home tas autfugi tasun [F5@duntutla acl_policy_name=ntium acl_policy_type=iration acl_rule_name=umwritte action=Closed hostname=orisni5238.mail.lan bigip_mgmt_ip=10.177.238.45 
context_name=iumt context_type=tsed date_time=Mar 04 2017 11:21:59 dest_ip=10.249.120.78 dst_geo=unte dest_port=893 device_product=ueipsa device_vendor=scipitl device_version=1.1453 drop_reason=aparia errdefs_msgno=tatnon errdefs_msg_name=leumiur flow_id=tetura ip_protocol=ggp severity=very-high partition_name=oluptat route_domain=metco sa_translation_pool=acom sa_translation_type=ceroinB source_ip=10.110.2.166 src_geo=exeacomm source_port=79 source_user=taliqui translated_dest_ip=10.18.226.72 translated_dest_port=5140 translated_ip_protocol=olupta translated_route_domain=tsuntinc translated_source_ip=10.251.231.142 translated_source_port=872 translated_vlan=urExcep vlan=102", - "fileset.name": "bigipafm", - "host.ip": "10.177.238.45", - "host.name": "orisni5238.mail.lan", - "input.type": "log", - "log.level": "very-high", - "log.offset": 24529, - "network.protocol": "ggp", - "observer.product": "ueipsa", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.1453", - "related.hosts": [ - "orisni5238.mail.lan" - ], - "related.ip": [ - "10.110.2.166", - "10.177.238.45", - "10.18.226.72", - "10.251.231.142" - ], - "related.user": [ - "taliqui" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Disable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Closed" - ], - "rsa.misc.context": "iumt", - "rsa.misc.event_type": "leumiur", - "rsa.misc.obj_name": "duntutla", - "rsa.misc.policy_name": "ntium", - "rsa.misc.reference_id": "tatnon", - "rsa.misc.rule_name": "umwritte", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.1453", - "rsa.network.alias_host": [ - "orisni5238.mail.lan" - ], - "rsa.network.vlan": 102, - "rsa.time.event_time_str": "Mar", - "rule.name": "umwritte", - "service.type": "f5", - "source.geo.country_name": "exeacomm", - "source.ip": "10.110.2.166", - "source.nat.ip": "10.251.231.142", - "source.nat.port": 
872, - "source.port": 79, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "taliqui" - }, - { - "destination.geo.country_name": "billo", - "destination.nat.ip": "10.100.199.226", - "destination.nat.port": 7617, - "destination.port": 2618, - "event.action": "Established", - "event.code": "ser", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "suntex iacons occaec7487.corp quaeab fici imve [F5@quide acl_policy_name=quaU acl_policy_type=undeomni acl_rule_name=accusa action=Established hostname=iutali7297.www.domain bigip_mgmt_ip=10.190.122.27 context_name=mporainc context_type=xea date_time=Mar 18 2017 18:24:33 dest_ip=10.123.113.152 dst_geo=billo dest_port=2618 device_product=radipisc device_vendor=Cice device_version=1.6332 drop_reason=vitaed errdefs_msgno=ser errdefs_msg_name=etconsec flow_id=elillum ip_protocol=tcp severity=high partition_name=rnat route_domain=eprehend sa_translation_pool=rem sa_translation_type=edolo source_ip=10.99.202.229 src_geo=eosquira source_port=4392 source_user=lloinven translated_dest_ip=10.100.199.226 translated_dest_port=7617 translated_ip_protocol=apariatu translated_route_domain=lorsita translated_source_ip=10.192.98.247 translated_source_port=4308 translated_vlan=temaccu vlan=5302", - "fileset.name": "bigipafm", - "host.ip": "10.190.122.27", - "host.name": "iutali7297.www.domain", - "input.type": "log", - "log.level": "high", - "log.offset": 25415, - "network.protocol": "tcp", - "observer.product": "radipisc", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.6332", - "related.hosts": [ - "iutali7297.www.domain" - ], - "related.ip": [ - "10.100.199.226", - "10.190.122.27", - "10.192.98.247", - "10.99.202.229" - ], - "related.user": [ - "lloinven" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Enable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": 
[ - "Established" - ], - "rsa.misc.context": "mporainc", - "rsa.misc.event_type": "etconsec", - "rsa.misc.obj_name": "quide", - "rsa.misc.policy_name": "quaU", - "rsa.misc.reference_id": "ser", - "rsa.misc.rule_name": "accusa", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.6332", - "rsa.network.alias_host": [ - "iutali7297.www.domain" - ], - "rsa.network.vlan": 5302, - "rsa.time.event_time_str": "Mar", - "rule.name": "accusa", - "service.type": "f5", - "source.geo.country_name": "eosquira", - "source.ip": "10.99.202.229", - "source.nat.ip": "10.192.98.247", - "source.nat.port": 4308, - "source.port": 4392, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "lloinven" - }, - { - "destination.geo.country_name": "nrepreh", - "destination.nat.ip": "10.162.97.197", - "destination.nat.port": 4357, - "destination.port": 5251, - "event.action": "Drop", - "event.code": "erspi", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "uptassit ncidi tlabori4803.www5.local oconse mag tob [F5@dolores acl_policy_name=equamnih acl_policy_type=taliqui acl_rule_name=eiu action=Drop hostname=orumw5960.www5.home bigip_mgmt_ip=10.248.111.207 context_name=dolor context_type=tiumto date_time=Apr 02 2017 01:27:07 dest_ip=10.38.28.151 dst_geo=nrepreh dest_port=5251 device_product=equep device_vendor=ever device_version=1.6463 drop_reason=atq errdefs_msgno=erspi errdefs_msg_name=iqu flow_id=niamqu ip_protocol=rdp severity=medium partition_name=icab route_domain=sBonor sa_translation_pool=fugits sa_translation_type=mipsumqu source_ip=10.172.154.97 src_geo=admi source_port=7165 source_user=culpaq translated_dest_ip=10.162.97.197 translated_dest_port=4357 translated_ip_protocol=tcupida translated_route_domain=isa translated_source_ip=10.37.193.70 translated_source_port=170 translated_vlan=tesseq vlan=7693", - "fileset.name": "bigipafm", - "host.ip": "10.248.111.207", - "host.name": "orumw5960.www5.home", - "input.type": "log", - "log.level": 
"medium", - "log.offset": 26305, - "network.protocol": "rdp", - "observer.product": "equep", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.6463", - "related.hosts": [ - "orumw5960.www5.home" - ], - "related.ip": [ - "10.162.97.197", - "10.172.154.97", - "10.248.111.207", - "10.37.193.70" - ], - "related.user": [ - "culpaq" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Drop" - ], - "rsa.misc.context": "dolor", - "rsa.misc.event_type": "iqu", - "rsa.misc.obj_name": "dolores", - "rsa.misc.policy_name": "equamnih", - "rsa.misc.reference_id": "erspi", - "rsa.misc.rule_name": "eiu", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.6463", - "rsa.network.alias_host": [ - "orumw5960.www5.home" - ], - "rsa.network.vlan": 7693, - "rsa.time.event_time_str": "Apr", - "rule.name": "eiu", - "service.type": "f5", - "source.geo.country_name": "admi", - "source.ip": "10.172.154.97", - "source.nat.ip": "10.37.193.70", - "source.nat.port": 170, - "source.port": 7165, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "culpaq" - }, - { - "destination.geo.country_name": "itasp", - "destination.nat.ip": "10.222.165.250", - "destination.nat.port": 2757, - "destination.port": 4927, - "event.action": "Reject", - "event.code": "loreeu", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "pernat rerepre nculpaq3821.www5.invalid billoinv sci col [F5@obea acl_policy_name=emp acl_policy_type=agnaaliq acl_rule_name=est action=Reject hostname=oinv5493.internal.domain bigip_mgmt_ip=10.36.63.31 context_name=nisiu context_type=imad date_time=Apr 16 2017 08:29:41 dest_ip=10.30.101.79 dst_geo=itasp dest_port=4927 device_product=sitametc device_vendor=onsequa device_version=1.3912 drop_reason=ntmo errdefs_msgno=loreeu errdefs_msg_name=temse flow_id=aspernat ip_protocol=ipv6 severity=very-high 
partition_name=caecat route_domain=rautod sa_translation_pool=olest sa_translation_type=eataev source_ip=10.171.221.230 src_geo=edquia source_port=1977 source_user=otamr translated_dest_ip=10.222.165.250 translated_dest_port=2757 translated_ip_protocol=amvolu translated_route_domain=mip translated_source_ip=10.45.35.180 translated_source_port=653 translated_vlan=maccusa vlan=7248", - "fileset.name": "bigipafm", - "host.ip": "10.36.63.31", - "host.name": "oinv5493.internal.domain", - "input.type": "log", - "log.level": "very-high", - "log.offset": 27176, - "network.protocol": "ipv6", - "observer.product": "sitametc", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.3912", - "related.hosts": [ - "oinv5493.internal.domain" - ], - "related.ip": [ - "10.171.221.230", - "10.222.165.250", - "10.36.63.31", - "10.45.35.180" - ], - "related.user": [ - "otamr" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Reject" - ], - "rsa.misc.context": "nisiu", - "rsa.misc.event_type": "temse", - "rsa.misc.obj_name": "obea", - "rsa.misc.policy_name": "emp", - "rsa.misc.reference_id": "loreeu", - "rsa.misc.rule_name": "est", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.3912", - "rsa.network.alias_host": [ - "oinv5493.internal.domain" - ], - "rsa.network.vlan": 7248, - "rsa.time.event_time_str": "Apr", - "rule.name": "est", - "service.type": "f5", - "source.geo.country_name": "edquia", - "source.ip": "10.171.221.230", - "source.nat.ip": "10.45.35.180", - "source.nat.port": 653, - "source.port": 1977, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "otamr" - }, - { - "destination.geo.country_name": "meumfugi", - "destination.nat.ip": "10.199.127.211", - "destination.nat.port": 3598, - "destination.port": 7010, - "event.action": "Reject", - "event.code": "orroquis", - "event.dataset": "f5.bigipafm", - 
"event.module": "f5", - "event.original": "nimad ataevita oremqu542.internal.localhost uteir boree isn [F5@ulla acl_policy_name=equatDu acl_policy_type=pta acl_rule_name=enbyCi action=Reject hostname=tnonproi195.api.home bigip_mgmt_ip=10.238.4.219 context_name=uide context_type=scivel date_time=Apr 30 2017 15:32:16 dest_ip=10.150.9.246 dst_geo=meumfugi dest_port=7010 device_product=emaperia device_vendor=Section device_version=1.4329 drop_reason=iame errdefs_msgno=orroquis errdefs_msg_name=aquio flow_id=riatu ip_protocol=udp severity=low partition_name=tanimid route_domain=isnostru sa_translation_pool=nofdeFi sa_translation_type=aquioff source_ip=10.1.171.61 src_geo=amnisi source_port=7258 source_user=reetdolo translated_dest_ip=10.199.127.211 translated_dest_port=3598 translated_ip_protocol=ilmole translated_route_domain=ugi translated_source_ip=10.83.238.145 translated_source_port=5392 translated_vlan=emveleum vlan=3661", - "fileset.name": "bigipafm", - "host.ip": "10.238.4.219", - "host.name": "tnonproi195.api.home", - "input.type": "log", - "log.level": "low", - "log.offset": 28062, - "network.protocol": "udp", - "observer.product": "emaperia", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.4329", - "related.hosts": [ - "tnonproi195.api.home" - ], - "related.ip": [ - "10.1.171.61", - "10.199.127.211", - "10.238.4.219", - "10.83.238.145" - ], - "related.user": [ - "reetdolo" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Reject" - ], - "rsa.misc.context": "uide", - "rsa.misc.event_type": "aquio", - "rsa.misc.obj_name": "ulla", - "rsa.misc.policy_name": "equatDu", - "rsa.misc.reference_id": "orroquis", - "rsa.misc.rule_name": "enbyCi", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.4329", - "rsa.network.alias_host": [ - "tnonproi195.api.home" - ], - "rsa.network.vlan": 3661, - 
"rsa.time.event_time_str": "Apr", - "rule.name": "enbyCi", - "service.type": "f5", - "source.geo.country_name": "amnisi", - "source.ip": "10.1.171.61", - "source.nat.ip": "10.83.238.145", - "source.nat.port": 5392, - "source.port": 7258, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "reetdolo" - }, - { - "destination.geo.country_name": "quira", - "destination.nat.ip": "10.44.226.104", - "destination.nat.port": 7020, - "destination.port": 3091, - "event.action": "Drop", - "event.code": "tperspic", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "nde abillo undeom845.www5.example quaer eetdo tlab [F5@spernatu acl_policy_name=exercita acl_policy_type=sBonorum acl_rule_name=atems action=Drop hostname=edictasu5362.internal.localhost bigip_mgmt_ip=10.65.141.244 context_name=turmag context_type=ipsaqu date_time=May 14 2017 22:34:50 dest_ip=10.203.69.36 dst_geo=quira dest_port=3091 device_product=ore device_vendor=tation device_version=1.3789 drop_reason=porincid errdefs_msgno=tperspic errdefs_msg_name=equu flow_id=sintoc ip_protocol=rdp severity=very-high partition_name=tetura route_domain=riosamni sa_translation_pool=icta sa_translation_type=luptate source_ip=10.170.252.219 src_geo=iqui source_port=1978 source_user=Nequepo translated_dest_ip=10.44.226.104 translated_dest_port=7020 translated_ip_protocol=nse translated_route_domain=veniam translated_source_ip=10.74.213.42 translated_source_port=5922 translated_vlan=sse vlan=2498", - "fileset.name": "bigipafm", - "host.ip": "10.65.141.244", - "host.name": "edictasu5362.internal.localhost", - "input.type": "log", - "log.level": "very-high", - "log.offset": 28955, - "network.protocol": "rdp", - "observer.product": "ore", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.3789", - "related.hosts": [ - "edictasu5362.internal.localhost" - ], - "related.ip": [ - "10.170.252.219", - "10.44.226.104", - "10.65.141.244", - "10.74.213.42" - ], - 
"related.user": [ - "Nequepo" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Drop" - ], - "rsa.misc.context": "turmag", - "rsa.misc.event_type": "equu", - "rsa.misc.obj_name": "spernatu", - "rsa.misc.policy_name": "exercita", - "rsa.misc.reference_id": "tperspic", - "rsa.misc.rule_name": "atems", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.3789", - "rsa.network.alias_host": [ - "edictasu5362.internal.localhost" - ], - "rsa.network.vlan": 2498, - "rsa.time.event_time_str": "May", - "rule.name": "atems", - "service.type": "f5", - "source.geo.country_name": "iqui", - "source.ip": "10.170.252.219", - "source.nat.ip": "10.74.213.42", - "source.nat.port": 5922, - "source.port": 1978, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "Nequepo" - }, - { - "destination.geo.country_name": "sequat", - "destination.nat.ip": "10.225.255.211", - "destination.nat.port": 5595, - "destination.port": 4596, - "event.action": "Reject", - "event.code": "roi", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "inBCSe otamrem tutlabor4180.internal.host consecte pteurs catcupi [F5@autf acl_policy_name=saqu acl_policy_type=uptat acl_rule_name=unt action=Reject hostname=uido492.www5.home bigip_mgmt_ip=10.180.48.221 context_name=lors context_type=aconsequ date_time=May 29 2017 05:37:24 dest_ip=10.33.195.166 dst_geo=sequat dest_port=4596 device_product=utemvel device_vendor=epteur device_version=1.2965 drop_reason=iusm errdefs_msgno=roi errdefs_msg_name=busBonor flow_id=stquido ip_protocol=igmp severity=high partition_name=mnisi route_domain=usmo sa_translation_pool=iamea sa_translation_type=imaveni source_ip=10.183.223.149 src_geo=cor source_port=2648 source_user=nihil translated_dest_ip=10.225.255.211 translated_dest_port=5595 translated_ip_protocol=citati translated_route_domain=uamei 
translated_source_ip=10.225.141.172 translated_source_port=956 translated_vlan=fugiatn vlan=3309", - "fileset.name": "bigipafm", - "host.ip": "10.180.48.221", - "host.name": "uido492.www5.home", - "input.type": "log", - "log.level": "high", - "log.offset": 29850, - "network.protocol": "igmp", - "observer.product": "utemvel", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.2965", - "related.hosts": [ - "uido492.www5.home" - ], - "related.ip": [ - "10.180.48.221", - "10.183.223.149", - "10.225.141.172", - "10.225.255.211" - ], - "related.user": [ - "nihil" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Reject" - ], - "rsa.misc.context": "lors", - "rsa.misc.event_type": "busBonor", - "rsa.misc.obj_name": "autf", - "rsa.misc.policy_name": "saqu", - "rsa.misc.reference_id": "roi", - "rsa.misc.rule_name": "unt", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.2965", - "rsa.network.alias_host": [ - "uido492.www5.home" - ], - "rsa.network.vlan": 3309, - "rsa.time.event_time_str": "May", - "rule.name": "unt", - "service.type": "f5", - "source.geo.country_name": "cor", - "source.ip": "10.183.223.149", - "source.nat.ip": "10.225.141.172", - "source.nat.port": 956, - "source.port": 2648, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "nihil" - }, - { - "destination.geo.country_name": "mcorpor", - "destination.nat.ip": "10.205.174.181", - "destination.nat.port": 766, - "destination.port": 7420, - "event.action": "Established", - "event.code": "tura", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "aaliq nat uovolupt307.internal.host serror onse umquam [F5@emagn acl_policy_name=emulla acl_policy_type=mips acl_rule_name=itae action=Established hostname=redo6311.api.invalid bigip_mgmt_ip=10.176.64.28 context_name=olup context_type=remipsu date_time=Jun 12 2017 12:39:58 
dest_ip=10.92.6.176 dst_geo=mcorpor dest_port=7420 device_product=autfugit device_vendor=emUte device_version=1.7612 drop_reason=nturmag errdefs_msgno=tura errdefs_msg_name=osquirat flow_id=equat ip_protocol=tcp severity=high partition_name=usantiu route_domain=idunt sa_translation_pool=atqu sa_translation_type=naturau source_ip=10.97.138.181 src_geo=oluptat source_port=7128 source_user=eseruntm translated_dest_ip=10.205.174.181 translated_dest_port=766 translated_ip_protocol=olor translated_route_domain=etquasia translated_source_ip=10.169.123.103 translated_source_port=519 translated_vlan=uisa vlan=6863", - "fileset.name": "bigipafm", - "host.ip": "10.176.64.28", - "host.name": "redo6311.api.invalid", - "input.type": "log", - "log.level": "high", - "log.offset": 30734, - "network.protocol": "tcp", - "observer.product": "autfugit", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.7612", - "related.hosts": [ - "redo6311.api.invalid" - ], - "related.ip": [ - "10.169.123.103", - "10.176.64.28", - "10.205.174.181", - "10.97.138.181" - ], - "related.user": [ - "eseruntm" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Enable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Established" - ], - "rsa.misc.context": "olup", - "rsa.misc.event_type": "osquirat", - "rsa.misc.obj_name": "emagn", - "rsa.misc.policy_name": "emulla", - "rsa.misc.reference_id": "tura", - "rsa.misc.rule_name": "itae", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.7612", - "rsa.network.alias_host": [ - "redo6311.api.invalid" - ], - "rsa.network.vlan": 6863, - "rsa.time.event_time_str": "Jun", - "rule.name": "itae", - "service.type": "f5", - "source.geo.country_name": "oluptat", - "source.ip": "10.97.138.181", - "source.nat.ip": "10.169.123.103", - "source.nat.port": 519, - "source.port": 7128, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - 
"user.name": "eseruntm" - }, - { - "destination.geo.country_name": "laborum", - "destination.nat.ip": "10.204.4.40", - "destination.nat.port": 271, - "destination.port": 5749, - "event.action": "Established", - "event.code": "empor", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "Cicero evolupta teturadi4718.api.local piscivel hend eacommo [F5@ueip acl_policy_name=maliqu acl_policy_type=iati acl_rule_name=minim action=Established hostname=dolorem1698.www.domain bigip_mgmt_ip=10.75.120.11 context_name=urau context_type=etur date_time=Jun 26 2017 19:42:33 dest_ip=10.20.73.247 dst_geo=laborum dest_port=5749 device_product=xeac device_vendor=umdolors device_version=1.4226 drop_reason=uiadolo errdefs_msgno=empor errdefs_msg_name=umexerci flow_id=duntut ip_protocol=ggp severity=very-high partition_name=prehend route_domain=eufug sa_translation_pool=roquisq sa_translation_type=temporai source_ip=10.53.101.131 src_geo=ici source_port=5097 source_user=tquo translated_dest_ip=10.204.4.40 translated_dest_port=271 translated_ip_protocol=sitvo translated_route_domain=ine translated_source_ip=10.169.101.161 translated_source_port=4577 translated_vlan=ipi vlan=4211", - "fileset.name": "bigipafm", - "host.ip": "10.75.120.11", - "host.name": "dolorem1698.www.domain", - "input.type": "log", - "log.level": "very-high", - "log.offset": 31621, - "network.protocol": "ggp", - "observer.product": "xeac", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.4226", - "related.hosts": [ - "dolorem1698.www.domain" - ], - "related.ip": [ - "10.169.101.161", - "10.204.4.40", - "10.53.101.131", - "10.75.120.11" - ], - "related.user": [ - "tquo" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Enable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Established" - ], - "rsa.misc.context": "urau", - "rsa.misc.event_type": 
"umexerci", - "rsa.misc.obj_name": "ueip", - "rsa.misc.policy_name": "maliqu", - "rsa.misc.reference_id": "empor", - "rsa.misc.rule_name": "minim", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.4226", - "rsa.network.alias_host": [ - "dolorem1698.www.domain" - ], - "rsa.network.vlan": 4211, - "rsa.time.event_time_str": "Jun", - "rule.name": "minim", - "service.type": "f5", - "source.geo.country_name": "ici", - "source.ip": "10.53.101.131", - "source.nat.ip": "10.169.101.161", - "source.nat.port": 4577, - "source.port": 5097, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "tquo" - }, - { - "destination.geo.country_name": "litanim", - "destination.nat.ip": "10.156.117.169", - "destination.nat.port": 2939, - "destination.port": 2135, - "event.action": "Reject", - "event.code": "porinc", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "exerci idata ese4384.mail.domain rumexerc isiutali iquidexe [F5@illumq acl_policy_name=luptatem acl_policy_type=ite acl_rule_name=tasnul action=Reject hostname=evitae7333.www.lan bigip_mgmt_ip=10.28.51.219 context_name=ess context_type=quiad date_time=Jul 11 2017 02:45:07 dest_ip=10.43.210.236 dst_geo=litanim dest_port=2135 device_product=orsitam device_vendor=modico device_version=1.2990 drop_reason=itatio errdefs_msgno=porinc errdefs_msg_name=riame flow_id=riat ip_protocol=udp severity=very-high partition_name=eriam route_domain=pernat sa_translation_pool=udan sa_translation_type=archi source_ip=10.6.222.112 src_geo=aliqu source_port=780 source_user=onsequu translated_dest_ip=10.156.117.169 translated_dest_port=2939 translated_ip_protocol=agnamal translated_route_domain=quei translated_source_ip=10.87.120.87 translated_source_port=1636 translated_vlan=teni vlan=4967", - "fileset.name": "bigipafm", - "host.ip": "10.28.51.219", - "host.name": "evitae7333.www.lan", - "input.type": "log", - "log.level": "very-high", - "log.offset": 32509, - "network.protocol": "udp", - 
"observer.product": "orsitam", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.2990", - "related.hosts": [ - "evitae7333.www.lan" - ], - "related.ip": [ - "10.156.117.169", - "10.28.51.219", - "10.6.222.112", - "10.87.120.87" - ], - "related.user": [ - "onsequu" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Reject" - ], - "rsa.misc.context": "ess", - "rsa.misc.event_type": "riame", - "rsa.misc.obj_name": "illumq", - "rsa.misc.policy_name": "luptatem", - "rsa.misc.reference_id": "porinc", - "rsa.misc.rule_name": "tasnul", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.2990", - "rsa.network.alias_host": [ - "evitae7333.www.lan" - ], - "rsa.network.vlan": 4967, - "rsa.time.event_time_str": "Jul", - "rule.name": "tasnul", - "service.type": "f5", - "source.geo.country_name": "aliqu", - "source.ip": "10.6.222.112", - "source.nat.ip": "10.87.120.87", - "source.nat.port": 1636, - "source.port": 780, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "onsequu" - }, - { - "destination.geo.country_name": "ecill", - "destination.nat.ip": "10.253.167.17", - "destination.nat.port": 2990, - "destination.port": 6831, - "event.action": "Drop", - "event.code": "oco", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "dant etdolor uat7787.www.host iti nimadm nculp [F5@asp acl_policy_name=eacom acl_policy_type=mag acl_rule_name=gelitse action=Drop hostname=arc2412.mail.lan bigip_mgmt_ip=10.247.44.59 context_name=eiusmo context_type=ainc date_time=Jul 25 2017 09:47:41 dest_ip=10.173.129.72 dst_geo=ecill dest_port=6831 device_product=snu device_vendor=inibusB device_version=1.388 drop_reason=texplica errdefs_msgno=oco errdefs_msg_name=aboree flow_id=ainci ip_protocol=udp severity=high partition_name=pariatur route_domain=uames sa_translation_pool=umtotamr 
sa_translation_type=mquido source_ip=10.57.89.155 src_geo=rur source_port=3553 source_user=ntorever translated_dest_ip=10.253.167.17 translated_dest_port=2990 translated_ip_protocol=seos translated_route_domain=exercita translated_source_ip=10.4.126.103 translated_source_port=892 translated_vlan=tco vlan=3607", - "fileset.name": "bigipafm", - "host.ip": "10.247.44.59", - "host.name": "arc2412.mail.lan", - "input.type": "log", - "log.level": "high", - "log.offset": 33390, - "network.protocol": "udp", - "observer.product": "snu", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.388", - "related.hosts": [ - "arc2412.mail.lan" - ], - "related.ip": [ - "10.247.44.59", - "10.253.167.17", - "10.4.126.103", - "10.57.89.155" - ], - "related.user": [ - "ntorever" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Drop" - ], - "rsa.misc.context": "eiusmo", - "rsa.misc.event_type": "aboree", - "rsa.misc.obj_name": "asp", - "rsa.misc.policy_name": "eacom", - "rsa.misc.reference_id": "oco", - "rsa.misc.rule_name": "gelitse", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.388", - "rsa.network.alias_host": [ - "arc2412.mail.lan" - ], - "rsa.network.vlan": 3607, - "rsa.time.event_time_str": "Jul", - "rule.name": "gelitse", - "service.type": "f5", - "source.geo.country_name": "rur", - "source.ip": "10.57.89.155", - "source.nat.ip": "10.4.126.103", - "source.nat.port": 892, - "source.port": 3553, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "ntorever" - }, - { - "destination.geo.country_name": "xeac", - "destination.nat.ip": "10.36.69.125", - "destination.nat.port": 7157, - "destination.port": 7061, - "event.action": "Established", - "event.code": "tat", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "oluptate lit santi837.api.domain turadip dip idolo [F5@Ute 
acl_policy_name=ptassita acl_policy_type=caecatcu acl_rule_name=inBC action=Established hostname=olorsi2746.internal.localhost bigip_mgmt_ip=10.15.240.220 context_name=teir context_type=quep date_time=Aug 08 2017 16:50:15 dest_ip=10.63.78.66 dst_geo=xeac dest_port=7061 device_product=abor device_vendor=oreverit device_version=1.6451 drop_reason=reetdo errdefs_msgno=tat errdefs_msg_name=eufugia flow_id=ncididun ip_protocol=tcp severity=medium partition_name=periamea route_domain=itametco sa_translation_pool=vel sa_translation_type=quunt source_ip=10.248.206.210 src_geo=nonn source_port=4478 source_user=met translated_dest_ip=10.36.69.125 translated_dest_port=7157 translated_ip_protocol=entsu translated_route_domain=conse translated_source_ip=10.143.183.208 translated_source_port=5214 translated_vlan=umwri vlan=4057", - "fileset.name": "bigipafm", - "host.ip": "10.15.240.220", - "host.name": "olorsi2746.internal.localhost", - "input.type": "log", - "log.level": "medium", - "log.offset": 34246, - "network.protocol": "tcp", - "observer.product": "abor", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.6451", - "related.hosts": [ - "olorsi2746.internal.localhost" - ], - "related.ip": [ - "10.143.183.208", - "10.15.240.220", - "10.248.206.210", - "10.36.69.125" - ], - "related.user": [ - "met" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Enable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Established" - ], - "rsa.misc.context": "teir", - "rsa.misc.event_type": "eufugia", - "rsa.misc.obj_name": "Ute", - "rsa.misc.policy_name": "ptassita", - "rsa.misc.reference_id": "tat", - "rsa.misc.rule_name": "inBC", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.6451", - "rsa.network.alias_host": [ - "olorsi2746.internal.localhost" - ], - "rsa.network.vlan": 4057, - "rsa.time.event_time_str": "Aug", - "rule.name": "inBC", 
- "service.type": "f5", - "source.geo.country_name": "nonn", - "source.ip": "10.248.206.210", - "source.nat.ip": "10.143.183.208", - "source.nat.port": 5214, - "source.port": 4478, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "met" - }, - { - "destination.geo.country_name": "emu", - "destination.nat.ip": "10.34.133.2", - "destination.nat.port": 4807, - "destination.port": 5311, - "event.action": "Established", - "event.code": "minimve", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "atura tur tur5914.internal.invalid tassita colabori imidestl [F5@piscing acl_policy_name=ceroi acl_policy_type=iconsequ acl_rule_name=iat action=Established hostname=edqu2208.www.localhost bigip_mgmt_ip=10.6.32.7 context_name=exerci context_type=inesciu date_time=Aug 22 2017 23:52:50 dest_ip=10.141.216.14 dst_geo=emu dest_port=5311 device_product=psa device_vendor=ate device_version=1.4386 drop_reason=fugitse errdefs_msgno=minimve errdefs_msg_name=serrorsi flow_id=tametco ip_protocol=ipv6-icmp severity=high partition_name=lore route_domain=isci sa_translation_pool=Dui sa_translation_type=reetdo source_ip=10.69.170.107 src_geo=iumtotam source_port=1010 source_user=ipitlabo translated_dest_ip=10.34.133.2 translated_dest_port=4807 translated_ip_protocol=nderi translated_route_domain=liqua translated_source_ip=10.142.186.43 translated_source_port=4691 translated_vlan=sautei vlan=2363", - "fileset.name": "bigipafm", - "host.ip": "10.6.32.7", - "host.name": "edqu2208.www.localhost", - "input.type": "log", - "log.level": "high", - "log.offset": 35131, - "network.protocol": "ipv6-icmp", - "observer.product": "psa", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.4386", - "related.hosts": [ - "edqu2208.www.localhost" - ], - "related.ip": [ - "10.142.186.43", - "10.34.133.2", - "10.6.32.7", - "10.69.170.107" - ], - "related.user": [ - "ipitlabo" - ], - "rsa.internal.messageid": "BIGIP_AFM", - 
"rsa.investigations.ec_activity": "Enable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Established" - ], - "rsa.misc.context": "exerci", - "rsa.misc.event_type": "serrorsi", - "rsa.misc.obj_name": "piscing", - "rsa.misc.policy_name": "ceroi", - "rsa.misc.reference_id": "minimve", - "rsa.misc.rule_name": "iat", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.4386", - "rsa.network.alias_host": [ - "edqu2208.www.localhost" - ], - "rsa.network.vlan": 2363, - "rsa.time.event_time_str": "Aug", - "rule.name": "iat", - "service.type": "f5", - "source.geo.country_name": "iumtotam", - "source.ip": "10.69.170.107", - "source.nat.ip": "10.142.186.43", - "source.nat.port": 4691, - "source.port": 1010, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "ipitlabo" - }, - { - "destination.geo.country_name": "rchitect", - "destination.nat.ip": "10.59.103.10", - "destination.nat.port": 768, - "destination.port": 3402, - "event.action": "Closed", - "event.code": "iameaque", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "voluptas velill rspic5453.www.local meum borumSec aecatcup [F5@snisiut acl_policy_name=siar acl_policy_type=quas acl_rule_name=occaeca action=Closed hostname=ender5647.www5.example bigip_mgmt_ip=10.142.22.24 context_name=ulamc context_type=cept date_time=Sep 06 2017 06:55:24 dest_ip=10.93.88.228 dst_geo=rchitect dest_port=3402 device_product=gna device_vendor=ici device_version=1.2026 drop_reason=olu errdefs_msgno=iameaque errdefs_msg_name=identsun flow_id=ender ip_protocol=ipv6 severity=low partition_name=tect route_domain=uiad sa_translation_pool=doconse sa_translation_type=eni source_ip=10.121.153.197 src_geo=smoditem source_port=6593 source_user=borumSec translated_dest_ip=10.59.103.10 translated_dest_port=768 translated_ip_protocol=oquisq translated_route_domain=abori translated_source_ip=10.170.165.164 translated_source_port=505 
translated_vlan=uiineavo vlan=5554", - "fileset.name": "bigipafm", - "host.ip": "10.142.22.24", - "host.name": "ender5647.www5.example", - "input.type": "log", - "log.level": "low", - "log.offset": 36024, - "network.protocol": "ipv6", - "observer.product": "gna", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.2026", - "related.hosts": [ - "ender5647.www5.example" - ], - "related.ip": [ - "10.121.153.197", - "10.142.22.24", - "10.170.165.164", - "10.59.103.10" - ], - "related.user": [ - "borumSec" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Disable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Closed" - ], - "rsa.misc.context": "ulamc", - "rsa.misc.event_type": "identsun", - "rsa.misc.obj_name": "snisiut", - "rsa.misc.policy_name": "siar", - "rsa.misc.reference_id": "iameaque", - "rsa.misc.rule_name": "occaeca", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.2026", - "rsa.network.alias_host": [ - "ender5647.www5.example" - ], - "rsa.network.vlan": 5554, - "rsa.time.event_time_str": "Sep", - "rule.name": "occaeca", - "service.type": "f5", - "source.geo.country_name": "smoditem", - "source.ip": "10.121.153.197", - "source.nat.ip": "10.170.165.164", - "source.nat.port": 505, - "source.port": 6593, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "borumSec" - }, - { - "destination.geo.country_name": "eserun", - "destination.nat.ip": "10.19.99.129", - "destination.nat.port": 956, - "destination.port": 3034, - "event.action": "Established", - "event.code": "uta", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "uidexeac sequa ntsunti2313.internal.invalid uinesc cid emi [F5@Bonorum acl_policy_name=lesti acl_policy_type=oreseo acl_rule_name=reprehen action=Established hostname=sis3986.internal.lan bigip_mgmt_ip=10.133.10.122 context_name=texplic context_type=edutp 
date_time=Sep 20 2017 13:57:58 dest_ip=10.93.59.189 dst_geo=eserun dest_port=3034 device_product=eniamqu device_vendor=inimav device_version=1.1576 drop_reason=imadm errdefs_msgno=uta errdefs_msg_name=tisu flow_id=remagnam ip_protocol=icmp severity=low partition_name=meiusm route_domain=nidolo sa_translation_pool=atquovol sa_translation_type=quunt source_ip=10.247.114.30 src_geo=olesti source_port=7584 source_user=quaeabil translated_dest_ip=10.19.99.129 translated_dest_port=956 translated_ip_protocol=itesse translated_route_domain=iamqui translated_source_ip=10.176.83.7 translated_source_port=5908 translated_vlan=inim vlan=6806", - "fileset.name": "bigipafm", - "host.ip": "10.133.10.122", - "host.name": "sis3986.internal.lan", - "input.type": "log", - "log.level": "low", - "log.offset": 36906, - "network.protocol": "icmp", - "observer.product": "eniamqu", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.1576", - "related.hosts": [ - "sis3986.internal.lan" - ], - "related.ip": [ - "10.133.10.122", - "10.176.83.7", - "10.19.99.129", - "10.247.114.30" - ], - "related.user": [ - "quaeabil" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Enable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Established" - ], - "rsa.misc.context": "texplic", - "rsa.misc.event_type": "tisu", - "rsa.misc.obj_name": "Bonorum", - "rsa.misc.policy_name": "lesti", - "rsa.misc.reference_id": "uta", - "rsa.misc.rule_name": "reprehen", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.1576", - "rsa.network.alias_host": [ - "sis3986.internal.lan" - ], - "rsa.network.vlan": 6806, - "rsa.time.event_time_str": "Sep", - "rule.name": "reprehen", - "service.type": "f5", - "source.geo.country_name": "olesti", - "source.ip": "10.247.114.30", - "source.nat.ip": "10.176.83.7", - "source.nat.port": 5908, - "source.port": 7584, - "tags": [ - "f5.bigipafm", 
- "forwarded" - ], - "user.name": "quaeabil" - }, - { - "destination.geo.country_name": "conse", - "destination.nat.ip": "10.8.29.219", - "destination.nat.port": 6890, - "destination.port": 5351, - "event.action": "Drop", - "event.code": "sedquian", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "Sed oremeumf lesti5921.api.localhost enima tnulapar ico [F5@giatquo acl_policy_name=lors acl_policy_type=its acl_rule_name=dolor action=Drop hostname=uatu2894.api.lan bigip_mgmt_ip=10.64.139.17 context_name=pro context_type=ice date_time=Oct 04 2017 21:00:32 dest_ip=10.87.238.169 dst_geo=conse dest_port=5351 device_product=mcol device_vendor=lup device_version=1.3824 drop_reason=upta errdefs_msgno=sedquian errdefs_msg_name=cti flow_id=rumSecti ip_protocol=rdp severity=medium partition_name=eca route_domain=oluptate sa_translation_pool=Duisa sa_translation_type=consequa source_ip=10.40.177.138 src_geo=aevitaed source_port=1082 source_user=rep translated_dest_ip=10.8.29.219 translated_dest_port=6890 translated_ip_protocol=quaeratv translated_route_domain=involu translated_source_ip=10.70.7.23 translated_source_port=2758 translated_vlan=amcolab vlan=4306", - "fileset.name": "bigipafm", - "host.ip": "10.64.139.17", - "host.name": "uatu2894.api.lan", - "input.type": "log", - "log.level": "medium", - "log.offset": 37799, - "network.protocol": "rdp", - "observer.product": "mcol", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.3824", - "related.hosts": [ - "uatu2894.api.lan" - ], - "related.ip": [ - "10.40.177.138", - "10.64.139.17", - "10.70.7.23", - "10.8.29.219" - ], - "related.user": [ - "rep" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Drop" - ], - "rsa.misc.context": "pro", - "rsa.misc.event_type": "cti", - "rsa.misc.obj_name": "giatquo", - "rsa.misc.policy_name": "lors", - 
"rsa.misc.reference_id": "sedquian", - "rsa.misc.rule_name": "dolor", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.3824", - "rsa.network.alias_host": [ - "uatu2894.api.lan" - ], - "rsa.network.vlan": 4306, - "rsa.time.event_time_str": "Oct", - "rule.name": "dolor", - "service.type": "f5", - "source.geo.country_name": "aevitaed", - "source.ip": "10.40.177.138", - "source.nat.ip": "10.70.7.23", - "source.nat.port": 2758, - "source.port": 1082, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "rep" - }, - { - "destination.geo.country_name": "msequ", - "destination.nat.ip": "10.67.221.220", - "destination.nat.port": 239, - "destination.port": 2383, - "event.action": "Closed", - "event.code": "mini", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "odic iuta liquaUte209.internal.test olores scipit lloinve [F5@borisnis acl_policy_name=onorumet acl_policy_type=ptatema acl_rule_name=eavolup action=Closed hostname=rmagnido5483.local bigip_mgmt_ip=10.180.62.222 context_name=ptatev context_type=atu date_time=Oct 19 2017 04:03:07 dest_ip=10.234.26.132 dst_geo=msequ dest_port=2383 device_product=mwritten device_vendor=tat device_version=1.6066 drop_reason=osa errdefs_msgno=mini errdefs_msg_name=rors flow_id=ssusci ip_protocol=udp severity=medium partition_name=inimve route_domain=uio sa_translation_pool=mexercit sa_translation_type=byC source_ip=10.2.189.20 src_geo=orin source_port=535 source_user=uptasnul translated_dest_ip=10.67.221.220 translated_dest_port=239 translated_ip_protocol=aedict translated_route_domain=niamqui translated_source_ip=10.67.173.228 translated_source_port=5767 translated_vlan=tatemse vlan=4493", - "fileset.name": "bigipafm", - "host.ip": "10.180.62.222", - "host.name": "rmagnido5483.local", - "input.type": "log", - "log.level": "medium", - "log.offset": 38663, - "network.protocol": "udp", - "observer.product": "mwritten", - "observer.type": "Firewall", - "observer.vendor": "F5", - 
"observer.version": "1.6066", - "related.hosts": [ - "rmagnido5483.local" - ], - "related.ip": [ - "10.180.62.222", - "10.2.189.20", - "10.67.173.228", - "10.67.221.220" - ], - "related.user": [ - "uptasnul" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Disable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Closed" - ], - "rsa.misc.context": "ptatev", - "rsa.misc.event_type": "rors", - "rsa.misc.obj_name": "borisnis", - "rsa.misc.policy_name": "onorumet", - "rsa.misc.reference_id": "mini", - "rsa.misc.rule_name": "eavolup", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.6066", - "rsa.network.alias_host": [ - "rmagnido5483.local" - ], - "rsa.network.vlan": 4493, - "rsa.time.event_time_str": "Oct", - "rule.name": "eavolup", - "service.type": "f5", - "source.geo.country_name": "orin", - "source.ip": "10.2.189.20", - "source.nat.ip": "10.67.173.228", - "source.nat.port": 5767, - "source.port": 535, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "uptasnul" - }, - { - "destination.geo.country_name": "upt", - "destination.nat.ip": "10.56.134.118", - "destination.nat.port": 358, - "destination.port": 6017, - "event.action": "Reject", - "event.code": "lorsi", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "uamestqu mpor orem6479.api.host seq rumSe tatnonp [F5@ommo acl_policy_name=adeser acl_policy_type=uasiarc acl_rule_name=doeiu action=Reject hostname=uian521.www.example bigip_mgmt_ip=10.209.52.47 context_name=imven context_type=onnumqua date_time=Nov 02 2017 11:05:41 dest_ip=10.141.201.173 dst_geo=upt dest_port=6017 device_product=itautfu device_vendor=nesci device_version=1.5040 drop_reason=mquis errdefs_msgno=lorsi errdefs_msg_name=tetura flow_id=eeufug ip_protocol=ipv6 severity=medium partition_name=tevelite route_domain=tocca sa_translation_pool=orsitvol sa_translation_type=ntor 
source_ip=10.147.127.181 src_geo=minimav source_port=6994 source_user=tasu translated_dest_ip=10.56.134.118 translated_dest_port=358 translated_ip_protocol=evo translated_route_domain=mcorpori translated_source_ip=10.196.176.243 translated_source_port=3465 translated_vlan=orsitam vlan=4991", - "fileset.name": "bigipafm", - "host.ip": "10.209.52.47", - "host.name": "uian521.www.example", - "input.type": "log", - "log.level": "medium", - "log.offset": 39543, - "network.protocol": "ipv6", - "observer.product": "itautfu", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.5040", - "related.hosts": [ - "uian521.www.example" - ], - "related.ip": [ - "10.147.127.181", - "10.196.176.243", - "10.209.52.47", - "10.56.134.118" - ], - "related.user": [ - "tasu" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Reject" - ], - "rsa.misc.context": "imven", - "rsa.misc.event_type": "tetura", - "rsa.misc.obj_name": "ommo", - "rsa.misc.policy_name": "adeser", - "rsa.misc.reference_id": "lorsi", - "rsa.misc.rule_name": "doeiu", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.5040", - "rsa.network.alias_host": [ - "uian521.www.example" - ], - "rsa.network.vlan": 4991, - "rsa.time.event_time_str": "Nov", - "rule.name": "doeiu", - "service.type": "f5", - "source.geo.country_name": "minimav", - "source.ip": "10.147.127.181", - "source.nat.ip": "10.196.176.243", - "source.nat.port": 3465, - "source.port": 6994, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "tasu" - }, - { - "destination.geo.country_name": "aut", - "destination.nat.ip": "10.85.13.237", - "destination.nat.port": 4072, - "destination.port": 5596, - "event.action": "Closed", - "event.code": "laboree", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "prehende lup tpers2217.internal.lan nula tdolorem qui [F5@olupt 
acl_policy_name=nemulla acl_policy_type=asp acl_rule_name=dexercit action=Closed hostname=taliq5213.api.corp bigip_mgmt_ip=10.226.24.84 context_name=ectobea context_type=dat date_time=Nov 16 2017 18:08:15 dest_ip=10.91.18.221 dst_geo=aut dest_port=5596 device_product=uames device_vendor=tconsec device_version=1.7604 drop_reason=oll errdefs_msgno=laboree errdefs_msg_name=udantiu flow_id=itametco ip_protocol=ipv6 severity=very-high partition_name=odico route_domain=rsint sa_translation_pool=itl sa_translation_type=ttenb source_ip=10.231.18.90 src_geo=lapa source_port=4860 source_user=Nem translated_dest_ip=10.85.13.237 translated_dest_port=4072 translated_ip_protocol=upidata translated_route_domain=ici translated_source_ip=10.248.140.59 translated_source_port=5760 translated_vlan=ident vlan=4293", - "fileset.name": "bigipafm", - "host.ip": "10.226.24.84", - "host.name": "taliq5213.api.corp", - "input.type": "log", - "log.level": "very-high", - "log.offset": 40424, - "network.protocol": "ipv6", - "observer.product": "uames", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.7604", - "related.hosts": [ - "taliq5213.api.corp" - ], - "related.ip": [ - "10.226.24.84", - "10.231.18.90", - "10.248.140.59", - "10.85.13.237" - ], - "related.user": [ - "Nem" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Disable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Closed" - ], - "rsa.misc.context": "ectobea", - "rsa.misc.event_type": "udantiu", - "rsa.misc.obj_name": "olupt", - "rsa.misc.policy_name": "nemulla", - "rsa.misc.reference_id": "laboree", - "rsa.misc.rule_name": "dexercit", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.7604", - "rsa.network.alias_host": [ - "taliq5213.api.corp" - ], - "rsa.network.vlan": 4293, - "rsa.time.event_time_str": "Nov", - "rule.name": "dexercit", - "service.type": "f5", - 
"source.geo.country_name": "lapa", - "source.ip": "10.231.18.90", - "source.nat.ip": "10.248.140.59", - "source.nat.port": 5760, - "source.port": 4860, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "Nem" - }, - { - "destination.geo.country_name": "mco", - "destination.nat.ip": "10.8.224.72", - "destination.nat.port": 6506, - "destination.port": 6246, - "event.action": "Accept", - "event.code": "nostrum", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "quelaud luptat rinrep6482.api.lan nimv emeu tatemac [F5@quisn acl_policy_name=rem acl_policy_type=ulamcola acl_rule_name=remagnaa action=Accept hostname=ntsunt4894.mail.domain bigip_mgmt_ip=10.203.46.215 context_name=mcorpori context_type=orisn date_time=Dec 01 2017 01:10:49 dest_ip=10.88.194.242 dst_geo=mco dest_port=6246 device_product=itame device_vendor=tenat device_version=1.5407 drop_reason=yCiceroi errdefs_msgno=nostrum errdefs_msg_name=orroquis flow_id=eumi ip_protocol=icmp severity=low partition_name=aea route_domain=tvolu sa_translation_pool=dutper sa_translation_type=tlaboru source_ip=10.207.183.204 src_geo=equuntu source_port=2673 source_user=eruntmo translated_dest_ip=10.8.224.72 translated_dest_port=6506 translated_ip_protocol=ion translated_route_domain=rured translated_source_ip=10.59.215.207 translated_source_port=6195 translated_vlan=ore vlan=5842", - "fileset.name": "bigipafm", - "host.ip": "10.203.46.215", - "host.name": "ntsunt4894.mail.domain", - "input.type": "log", - "log.level": "low", - "log.offset": 41293, - "network.protocol": "icmp", - "observer.product": "itame", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.5407", - "related.hosts": [ - "ntsunt4894.mail.domain" - ], - "related.ip": [ - "10.203.46.215", - "10.207.183.204", - "10.59.215.207", - "10.8.224.72" - ], - "related.user": [ - "eruntmo" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Permit", - 
"rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Accept" - ], - "rsa.misc.context": "mcorpori", - "rsa.misc.event_type": "orroquis", - "rsa.misc.obj_name": "quisn", - "rsa.misc.policy_name": "rem", - "rsa.misc.reference_id": "nostrum", - "rsa.misc.rule_name": "remagnaa", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.5407", - "rsa.network.alias_host": [ - "ntsunt4894.mail.domain" - ], - "rsa.network.vlan": 5842, - "rsa.time.event_time_str": "Dec", - "rule.name": "remagnaa", - "service.type": "f5", - "source.geo.country_name": "equuntu", - "source.ip": "10.207.183.204", - "source.nat.ip": "10.59.215.207", - "source.nat.port": 6195, - "source.port": 2673, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "eruntmo" - }, - { - "destination.geo.country_name": "mquis", - "destination.nat.ip": "10.255.145.22", - "destination.nat.port": 6949, - "destination.port": 7760, - "event.action": "Drop", - "event.code": "aeco", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "xerc Nequep ametcon7485.www.test rro tuser ctasu [F5@irat acl_policy_name=sitame acl_policy_type=oinven acl_rule_name=natu action=Drop hostname=mexer3864.api.corp bigip_mgmt_ip=10.98.154.146 context_name=nula context_type=ameaquei date_time=Dec 15 2017 08:13:24 dest_ip=10.72.114.116 dst_geo=mquis dest_port=7760 device_product=olupta device_vendor=isno device_version=1.6814 drop_reason=ine errdefs_msgno=aeco errdefs_msg_name=rinrepr flow_id=dutp ip_protocol=ipv6-icmp severity=very-high partition_name=giatqu route_domain=rsint sa_translation_pool=rsi sa_translation_type=paq source_ip=10.73.84.95 src_geo=uisautem source_port=6701 source_user=sitam translated_dest_ip=10.255.145.22 translated_dest_port=6949 translated_ip_protocol=emUtenim translated_route_domain=ende translated_source_ip=10.230.38.148 translated_source_port=3213 translated_vlan=sse vlan=368", - "fileset.name": "bigipafm", - 
"host.ip": "10.98.154.146", - "host.name": "mexer3864.api.corp", - "input.type": "log", - "log.level": "very-high", - "log.offset": 42171, - "network.protocol": "ipv6-icmp", - "observer.product": "olupta", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.6814", - "related.hosts": [ - "mexer3864.api.corp" - ], - "related.ip": [ - "10.230.38.148", - "10.255.145.22", - "10.73.84.95", - "10.98.154.146" - ], - "related.user": [ - "sitam" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Drop" - ], - "rsa.misc.context": "nula", - "rsa.misc.event_type": "rinrepr", - "rsa.misc.obj_name": "irat", - "rsa.misc.policy_name": "sitame", - "rsa.misc.reference_id": "aeco", - "rsa.misc.rule_name": "natu", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.6814", - "rsa.network.alias_host": [ - "mexer3864.api.corp" - ], - "rsa.network.vlan": 368, - "rsa.time.event_time_str": "Dec", - "rule.name": "natu", - "service.type": "f5", - "source.geo.country_name": "uisautem", - "source.ip": "10.73.84.95", - "source.nat.ip": "10.230.38.148", - "source.nat.port": 3213, - "source.port": 6701, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "sitam" - }, - { - "destination.geo.country_name": "eleumi", - "destination.nat.ip": "10.105.120.162", - "destination.nat.port": 2984, - "destination.port": 4584, - "event.action": "Accept", - "event.code": "uptateve", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "incidi aedictas rumetMa2554.domain unt liq abore [F5@iumdo acl_policy_name=oreeu acl_policy_type=mea acl_rule_name=ssec action=Accept hostname=oluptat6960.www5.test bigip_mgmt_ip=10.211.29.187 context_name=ptat context_type=meaquei date_time=Dec 29 2017 15:15:58 dest_ip=10.228.204.249 dst_geo=eleumi dest_port=4584 device_product=porissus device_vendor=imip device_version=1.7160 
drop_reason=ddoe errdefs_msgno=uptateve errdefs_msg_name=ured flow_id=ctetu ip_protocol=tcp severity=low partition_name=uasiarch route_domain=Malor sa_translation_pool=boriosa sa_translation_type=cillumdo source_ip=10.166.142.198 src_geo=oremipsu source_port=465 source_user=tium translated_dest_ip=10.105.120.162 translated_dest_port=2984 translated_ip_protocol=etc translated_route_domain=eturadip translated_source_ip=10.175.181.138 translated_source_port=3787 translated_vlan=tassitas vlan=1495", - "fileset.name": "bigipafm", - "host.ip": "10.211.29.187", - "host.name": "oluptat6960.www5.test", - "input.type": "log", - "log.level": "low", - "log.offset": 43036, - "network.protocol": "tcp", - "observer.product": "porissus", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.7160", - "related.hosts": [ - "oluptat6960.www5.test" - ], - "related.ip": [ - "10.105.120.162", - "10.166.142.198", - "10.175.181.138", - "10.211.29.187" - ], - "related.user": [ - "tium" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Accept" - ], - "rsa.misc.context": "ptat", - "rsa.misc.event_type": "ured", - "rsa.misc.obj_name": "iumdo", - "rsa.misc.policy_name": "oreeu", - "rsa.misc.reference_id": "uptateve", - "rsa.misc.rule_name": "ssec", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.7160", - "rsa.network.alias_host": [ - "oluptat6960.www5.test" - ], - "rsa.network.vlan": 1495, - "rsa.time.event_time_str": "Dec", - "rule.name": "ssec", - "service.type": "f5", - "source.geo.country_name": "oremipsu", - "source.ip": "10.166.142.198", - "source.nat.ip": "10.175.181.138", - "source.nat.port": 3787, - "source.port": 465, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "tium" - }, - { - "destination.geo.country_name": "doconse", - "destination.nat.ip": "10.220.202.102", - 
"destination.nat.port": 10, - "destination.port": 5211, - "event.action": "Established", - "event.code": "animi", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "velite maccus nima5813.mail.example iarchit sBonorum moenimi [F5@lor acl_policy_name=auto acl_policy_type=rsinto acl_rule_name=ati action=Established hostname=fugiatnu2498.www.localhost bigip_mgmt_ip=10.182.213.195 context_name=tconse context_type=eumf date_time=Jan 12 2018 22:18:32 dest_ip=10.200.94.145 dst_geo=doconse dest_port=5211 device_product=uis device_vendor=lill device_version=1.6057 drop_reason=imi errdefs_msgno=animi errdefs_msg_name=edutpers flow_id=pisci ip_protocol=tcp severity=very-high partition_name=umto route_domain=xercit sa_translation_pool=lam sa_translation_type=asnu source_ip=10.122.133.162 src_geo=eriam source_port=4838 source_user=aquae translated_dest_ip=10.220.202.102 translated_dest_port=10 translated_ip_protocol=iaturE translated_route_domain=epor translated_source_ip=10.195.139.25 translated_source_port=5566 translated_vlan=tper vlan=4341", - "fileset.name": "bigipafm", - "host.ip": "10.182.213.195", - "host.name": "fugiatnu2498.www.localhost", - "input.type": "log", - "log.level": "very-high", - "log.offset": 43916, - "network.protocol": "tcp", - "observer.product": "uis", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.6057", - "related.hosts": [ - "fugiatnu2498.www.localhost" - ], - "related.ip": [ - "10.122.133.162", - "10.182.213.195", - "10.195.139.25", - "10.220.202.102" - ], - "related.user": [ - "aquae" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Enable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Established" - ], - "rsa.misc.context": "tconse", - "rsa.misc.event_type": "edutpers", - "rsa.misc.obj_name": "lor", - "rsa.misc.policy_name": "auto", - "rsa.misc.reference_id": "animi", - 
"rsa.misc.rule_name": "ati", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.6057", - "rsa.network.alias_host": [ - "fugiatnu2498.www.localhost" - ], - "rsa.network.vlan": 4341, - "rsa.time.event_time_str": "Jan", - "rule.name": "ati", - "service.type": "f5", - "source.geo.country_name": "eriam", - "source.ip": "10.122.133.162", - "source.nat.ip": "10.195.139.25", - "source.nat.port": 5566, - "source.port": 4838, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "aquae" - }, - { - "destination.geo.country_name": "uatD", - "destination.nat.ip": "10.33.143.163", - "destination.nat.port": 5404, - "destination.port": 6508, - "event.action": "Reject", - "event.code": "anim", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "tconsect pariat iutal3376.api.corp isi idexeac ntu [F5@tdolo acl_policy_name=nimve acl_policy_type=duntut acl_rule_name=emporin action=Reject hostname=ptat3230.domain bigip_mgmt_ip=10.156.208.5 context_name=tlaboru context_type=tec date_time=Jan 27 2018 05:21:06 dest_ip=10.9.69.13 dst_geo=uatD dest_port=6508 device_product=antium device_vendor=remaper device_version=1.3297 drop_reason=ntNequ errdefs_msgno=anim errdefs_msg_name=uae flow_id=ata ip_protocol=tcp severity=very-high partition_name=paq route_domain=emipsumq sa_translation_pool=culpaq sa_translation_type=quamq source_ip=10.53.72.161 src_geo=pta source_port=4723 source_user=scip translated_dest_ip=10.33.143.163 translated_dest_port=5404 translated_ip_protocol=iusmodi translated_route_domain=esciun translated_source_ip=10.247.144.9 translated_source_port=2494 translated_vlan=lit vlan=4112", - "fileset.name": "bigipafm", - "host.ip": "10.156.208.5", - "host.name": "ptat3230.domain", - "input.type": "log", - "log.level": "very-high", - "log.offset": 44798, - "network.protocol": "tcp", - "observer.product": "antium", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.3297", - "related.hosts": [ - 
"ptat3230.domain" - ], - "related.ip": [ - "10.156.208.5", - "10.247.144.9", - "10.33.143.163", - "10.53.72.161" - ], - "related.user": [ - "scip" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Reject" - ], - "rsa.misc.context": "tlaboru", - "rsa.misc.event_type": "uae", - "rsa.misc.obj_name": "tdolo", - "rsa.misc.policy_name": "nimve", - "rsa.misc.reference_id": "anim", - "rsa.misc.rule_name": "emporin", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.3297", - "rsa.network.alias_host": [ - "ptat3230.domain" - ], - "rsa.network.vlan": 4112, - "rsa.time.event_time_str": "Jan", - "rule.name": "emporin", - "service.type": "f5", - "source.geo.country_name": "pta", - "source.ip": "10.53.72.161", - "source.nat.ip": "10.247.144.9", - "source.nat.port": 2494, - "source.port": 4723, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "scip" - }, - { - "destination.geo.country_name": "eufugia", - "destination.nat.ip": "10.241.143.145", - "destination.nat.port": 6151, - "destination.port": 2345, - "event.action": "Closed", - "event.code": "unturmag", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "oidentsu oditau onsec1632.internal.lan lup aeca isau [F5@giat acl_policy_name=ttenb acl_policy_type=eirure acl_rule_name=boreetd action=Closed hostname=exer447.internal.localhost bigip_mgmt_ip=10.35.190.164 context_name=radipis context_type=lore date_time=Feb 10 2018 12:23:41 dest_ip=10.76.99.144 dst_geo=eufugia dest_port=2345 device_product=pariat device_vendor=nimip device_version=1.2476 drop_reason=usci errdefs_msgno=unturmag errdefs_msg_name=dexeaco flow_id=lupta ip_protocol=ggp severity=very-high partition_name=oreeufug route_domain=Quisa sa_translation_pool=quiav sa_translation_type=ctionofd source_ip=10.21.58.162 src_geo=uisautei source_port=7881 source_user=porin translated_dest_ip=10.241.143.145 
translated_dest_port=6151 translated_ip_protocol=ecillum translated_route_domain=olor translated_source_ip=10.113.65.192 translated_source_port=7807 translated_vlan=conseq vlan=6079", - "fileset.name": "bigipafm", - "host.ip": "10.35.190.164", - "host.name": "exer447.internal.localhost", - "input.type": "log", - "log.level": "very-high", - "log.offset": 45656, - "network.protocol": "ggp", - "observer.product": "pariat", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.2476", - "related.hosts": [ - "exer447.internal.localhost" - ], - "related.ip": [ - "10.113.65.192", - "10.21.58.162", - "10.241.143.145", - "10.35.190.164" - ], - "related.user": [ - "porin" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Disable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Closed" - ], - "rsa.misc.context": "radipis", - "rsa.misc.event_type": "dexeaco", - "rsa.misc.obj_name": "giat", - "rsa.misc.policy_name": "ttenb", - "rsa.misc.reference_id": "unturmag", - "rsa.misc.rule_name": "boreetd", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.2476", - "rsa.network.alias_host": [ - "exer447.internal.localhost" - ], - "rsa.network.vlan": 6079, - "rsa.time.event_time_str": "Feb", - "rule.name": "boreetd", - "service.type": "f5", - "source.geo.country_name": "uisautei", - "source.ip": "10.21.58.162", - "source.nat.ip": "10.113.65.192", - "source.nat.port": 7807, - "source.port": 7881, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "porin" - }, - { - "destination.geo.country_name": "exe", - "destination.nat.ip": "10.75.113.240", - "destination.nat.port": 1874, - "destination.port": 1872, - "event.action": "Closed", - "event.code": "tas", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "edutpers ctobeat upta4358.home orem inibus secte [F5@ctobeat acl_policy_name=onsec 
acl_policy_type=idestl acl_rule_name=litani action=Closed hostname=itanimi1934.home bigip_mgmt_ip=10.19.154.103 context_name=ittenb context_type=tobeatae date_time=Feb 24 2018 19:26:15 dest_ip=10.235.51.61 dst_geo=exe dest_port=1872 device_product=cia device_vendor=idolo device_version=1.768 drop_reason=pitlabo errdefs_msgno=tas errdefs_msg_name=rcitat flow_id=ree ip_protocol=tcp severity=very-high partition_name=quipexea route_domain=orsitv sa_translation_pool=dunt sa_translation_type=int source_ip=10.53.27.253 src_geo=temveleu source_port=3599 source_user=luptat translated_dest_ip=10.75.113.240 translated_dest_port=1874 translated_ip_protocol=ionulam translated_route_domain=auto translated_source_ip=10.129.16.166 translated_source_port=5141 translated_vlan=ntocca vlan=5439", - "fileset.name": "bigipafm", - "host.ip": "10.19.154.103", - "host.name": "itanimi1934.home", - "input.type": "log", - "log.level": "very-high", - "log.offset": 46552, - "network.protocol": "tcp", - "observer.product": "cia", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.768", - "related.hosts": [ - "itanimi1934.home" - ], - "related.ip": [ - "10.129.16.166", - "10.19.154.103", - "10.53.27.253", - "10.75.113.240" - ], - "related.user": [ - "luptat" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Disable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Closed" - ], - "rsa.misc.context": "ittenb", - "rsa.misc.event_type": "rcitat", - "rsa.misc.obj_name": "ctobeat", - "rsa.misc.policy_name": "onsec", - "rsa.misc.reference_id": "tas", - "rsa.misc.rule_name": "litani", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.768", - "rsa.network.alias_host": [ - "itanimi1934.home" - ], - "rsa.network.vlan": 5439, - "rsa.time.event_time_str": "Feb", - "rule.name": "litani", - "service.type": "f5", - "source.geo.country_name": "temveleu", - 
"source.ip": "10.53.27.253", - "source.nat.ip": "10.129.16.166", - "source.nat.port": 5141, - "source.port": 3599, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "luptat" - }, - { - "destination.geo.country_name": "equ", - "destination.nat.ip": "10.150.153.61", - "destination.nat.port": 2773, - "destination.port": 7256, - "event.action": "Established", - "event.code": "ihi", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "tvol lup mipsamv161.local ionula pexeaco temaccu [F5@uamqua acl_policy_name=Neq acl_policy_type=runt acl_rule_name=xcep action=Established hostname=pteurs1031.mail.corp bigip_mgmt_ip=10.125.150.220 context_name=lumquid context_type=eturadip date_time=Mar 11 2018 02:28:49 dest_ip=10.241.228.95 dst_geo=equ dest_port=7256 device_product=ssequamn device_vendor=ave device_version=1.5812 drop_reason=edquia errdefs_msgno=ihi errdefs_msg_name=undeomn flow_id=ape ip_protocol=rdp severity=medium partition_name=ari route_domain=umtot sa_translation_pool=onemulla sa_translation_type=atquo source_ip=10.120.50.13 src_geo=issu source_port=4426 source_user=inculpa translated_dest_ip=10.150.153.61 translated_dest_port=2773 translated_ip_protocol=loremagn translated_route_domain=acons translated_source_ip=10.22.213.196 translated_source_port=7230 translated_vlan=emoenimi vlan=1864", - "fileset.name": "bigipafm", - "host.ip": "10.125.150.220", - "host.name": "pteurs1031.mail.corp", - "input.type": "log", - "log.level": "medium", - "log.offset": 47421, - "network.protocol": "rdp", - "observer.product": "ssequamn", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.5812", - "related.hosts": [ - "pteurs1031.mail.corp" - ], - "related.ip": [ - "10.120.50.13", - "10.125.150.220", - "10.150.153.61", - "10.22.213.196" - ], - "related.user": [ - "inculpa" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Enable", - "rsa.investigations.ec_subject": "NetworkComm", - 
"rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Established" - ], - "rsa.misc.context": "lumquid", - "rsa.misc.event_type": "undeomn", - "rsa.misc.obj_name": "uamqua", - "rsa.misc.policy_name": "Neq", - "rsa.misc.reference_id": "ihi", - "rsa.misc.rule_name": "xcep", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.5812", - "rsa.network.alias_host": [ - "pteurs1031.mail.corp" - ], - "rsa.network.vlan": 1864, - "rsa.time.event_time_str": "Mar", - "rule.name": "xcep", - "service.type": "f5", - "source.geo.country_name": "issu", - "source.ip": "10.120.50.13", - "source.nat.ip": "10.22.213.196", - "source.nat.port": 7230, - "source.port": 4426, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "inculpa" - }, - { - "destination.geo.country_name": "dquia", - "destination.nat.ip": "10.238.171.184", - "destination.nat.port": 2574, - "destination.port": 5334, - "event.action": "Accept", - "event.code": "dolor", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "mqu onorume abill5290.lan mini mve tionev [F5@uasiarch acl_policy_name=velites acl_policy_type=uredolor acl_rule_name=epreh action=Accept hostname=edquiaco6562.api.lan bigip_mgmt_ip=10.113.2.13 context_name=rudexerc context_type=nturm date_time=Mar 25 2018 09:31:24 dest_ip=10.182.134.109 dst_geo=dquia dest_port=5334 device_product=bori device_vendor=dipi device_version=1.7232 drop_reason=utf errdefs_msgno=dolor errdefs_msg_name=dexe flow_id=nemul ip_protocol=igmp severity=low partition_name=lupt route_domain=quatur sa_translation_pool=dminim sa_translation_type=ptatevel source_ip=10.85.52.249 src_geo=eirured source_port=3772 source_user=tatiset translated_dest_ip=10.238.171.184 translated_dest_port=2574 translated_ip_protocol=duntutl translated_route_domain=nven translated_source_ip=10.229.155.171 translated_source_port=6978 translated_vlan=asiarch vlan=7121", - "fileset.name": "bigipafm", - "host.ip": "10.113.2.13", - "host.name": 
"edquiaco6562.api.lan", - "input.type": "log", - "log.level": "low", - "log.offset": 48297, - "network.protocol": "igmp", - "observer.product": "bori", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.7232", - "related.hosts": [ - "edquiaco6562.api.lan" - ], - "related.ip": [ - "10.113.2.13", - "10.229.155.171", - "10.238.171.184", - "10.85.52.249" - ], - "related.user": [ - "tatiset" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Accept" - ], - "rsa.misc.context": "rudexerc", - "rsa.misc.event_type": "dexe", - "rsa.misc.obj_name": "uasiarch", - "rsa.misc.policy_name": "velites", - "rsa.misc.reference_id": "dolor", - "rsa.misc.rule_name": "epreh", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.7232", - "rsa.network.alias_host": [ - "edquiaco6562.api.lan" - ], - "rsa.network.vlan": 7121, - "rsa.time.event_time_str": "Mar", - "rule.name": "epreh", - "service.type": "f5", - "source.geo.country_name": "eirured", - "source.ip": "10.85.52.249", - "source.nat.ip": "10.229.155.171", - "source.nat.port": 6978, - "source.port": 3772, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "tatiset" - }, - { - "destination.geo.country_name": "dolo", - "destination.nat.ip": "10.51.245.225", - "destination.nat.port": 3991, - "destination.port": 6418, - "event.action": "Accept", - "event.code": "tessecil", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "utla deomni tse7542.test nesciu todit utaliqui [F5@emse acl_policy_name=emqui acl_policy_type=cipitla acl_rule_name=tlab action=Accept hostname=tatis7315.mail.home bigip_mgmt_ip=10.249.174.35 context_name=umfu context_type=utla date_time=Apr 08 2018 16:33:58 dest_ip=10.136.53.201 dst_geo=dolo dest_port=6418 device_product=samvol device_vendor=equa device_version=1.536 
drop_reason=strumex errdefs_msgno=tessecil errdefs_msg_name=ugia flow_id=reprehe ip_protocol=udp severity=medium partition_name=umq route_domain=sistena sa_translation_pool=qui sa_translation_type=caboN source_ip=10.198.150.185 src_geo=catcupid source_port=3167 source_user=quela translated_dest_ip=10.51.245.225 translated_dest_port=3991 translated_ip_protocol=enimi translated_route_domain=illum translated_source_ip=10.220.1.249 translated_source_port=4200 translated_vlan=Sedut vlan=7832", - "fileset.name": "bigipafm", - "host.ip": "10.249.174.35", - "host.name": "tatis7315.mail.home", - "input.type": "log", - "log.level": "medium", - "log.offset": 49168, - "network.protocol": "udp", - "observer.product": "samvol", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.536", - "related.hosts": [ - "tatis7315.mail.home" - ], - "related.ip": [ - "10.198.150.185", - "10.220.1.249", - "10.249.174.35", - "10.51.245.225" - ], - "related.user": [ - "quela" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Accept" - ], - "rsa.misc.context": "umfu", - "rsa.misc.event_type": "ugia", - "rsa.misc.obj_name": "emse", - "rsa.misc.policy_name": "emqui", - "rsa.misc.reference_id": "tessecil", - "rsa.misc.rule_name": "tlab", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.536", - "rsa.network.alias_host": [ - "tatis7315.mail.home" - ], - "rsa.network.vlan": 7832, - "rsa.time.event_time_str": "Apr", - "rule.name": "tlab", - "service.type": "f5", - "source.geo.country_name": "catcupid", - "source.ip": "10.198.150.185", - "source.nat.ip": "10.220.1.249", - "source.nat.port": 4200, - "source.port": 3167, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "quela" - }, - { - "destination.geo.country_name": "osqu", - "destination.nat.ip": "10.190.96.181", - 
"destination.nat.port": 2153, - "destination.port": 4859, - "event.action": "Drop", - "event.code": "runtmoll", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "audant obeata uredol2348.www5.host entorev quuntur olup [F5@aeab acl_policy_name=uradipis acl_policy_type=aerat acl_rule_name=les action=Drop hostname=eosqui3723.api.localdomain bigip_mgmt_ip=10.152.157.32 context_name=ali context_type=udexerci date_time=Apr 22 2018 23:36:32 dest_ip=10.76.232.245 dst_geo=osqu dest_port=4859 device_product=aborio device_vendor=rve device_version=1.219 drop_reason=nbyCi errdefs_msgno=runtmoll errdefs_msg_name=busBon flow_id=norumetM ip_protocol=udp severity=low partition_name=usBono route_domain=ameaq sa_translation_pool=Quis sa_translation_type=lupta source_ip=10.251.82.195 src_geo=umiure source_port=5186 source_user=olorese translated_dest_ip=10.190.96.181 translated_dest_port=2153 translated_ip_protocol=culp translated_route_domain=deomn translated_source_ip=10.38.185.31 translated_source_port=1085 translated_vlan=llo vlan=1106", - "fileset.name": "bigipafm", - "host.ip": "10.152.157.32", - "host.name": "eosqui3723.api.localdomain", - "input.type": "log", - "log.level": "low", - "log.offset": 50031, - "network.protocol": "udp", - "observer.product": "aborio", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.219", - "related.hosts": [ - "eosqui3723.api.localdomain" - ], - "related.ip": [ - "10.152.157.32", - "10.190.96.181", - "10.251.82.195", - "10.38.185.31" - ], - "related.user": [ - "olorese" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Drop" - ], - "rsa.misc.context": "ali", - "rsa.misc.event_type": "busBon", - "rsa.misc.obj_name": "aeab", - "rsa.misc.policy_name": "uradipis", - "rsa.misc.reference_id": "runtmoll", - "rsa.misc.rule_name": "les", - "rsa.misc.severity": "low", - 
"rsa.misc.version": "1.219", - "rsa.network.alias_host": [ - "eosqui3723.api.localdomain" - ], - "rsa.network.vlan": 1106, - "rsa.time.event_time_str": "Apr", - "rule.name": "les", - "service.type": "f5", - "source.geo.country_name": "umiure", - "source.ip": "10.251.82.195", - "source.nat.ip": "10.38.185.31", - "source.nat.port": 1085, - "source.port": 5186, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "olorese" - }, - { - "destination.geo.country_name": "eratv", - "destination.nat.ip": "10.230.112.179", - "destination.nat.port": 5926, - "destination.port": 7206, - "event.action": "Drop", - "event.code": "xerc", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "tla iaconseq sed3235.www5.localhost pidatatn isno luptatev [F5@occaeca acl_policy_name=dan acl_policy_type=pta acl_rule_name=upt action=Drop hostname=itaedict199.mail.corp bigip_mgmt_ip=10.103.102.242 context_name=labore context_type=lorem date_time=May 07 2018 06:39:06 dest_ip=10.68.159.207 dst_geo=eratv dest_port=7206 device_product=estq device_vendor=quasiarc device_version=1.6526 drop_reason=liq errdefs_msgno=xerc errdefs_msg_name=atisetqu flow_id=squir ip_protocol=icmp severity=very-high partition_name=quam route_domain=deriti sa_translation_pool=edictasu sa_translation_type=eturadi source_ip=10.190.247.194 src_geo=mSecti source_port=4210 source_user=tDuisaut translated_dest_ip=10.230.112.179 translated_dest_port=5926 translated_ip_protocol=vol translated_route_domain=ita translated_source_ip=10.211.198.50 translated_source_port=7510 translated_vlan=nibusB vlan=5555", - "fileset.name": "bigipafm", - "host.ip": "10.103.102.242", - "host.name": "itaedict199.mail.corp", - "input.type": "log", - "log.level": "very-high", - "log.offset": 50906, - "network.protocol": "icmp", - "observer.product": "estq", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.6526", - "related.hosts": [ - "itaedict199.mail.corp" - ], - "related.ip": [ - 
"10.103.102.242", - "10.190.247.194", - "10.211.198.50", - "10.230.112.179" - ], - "related.user": [ - "tDuisaut" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Drop" - ], - "rsa.misc.context": "labore", - "rsa.misc.event_type": "atisetqu", - "rsa.misc.obj_name": "occaeca", - "rsa.misc.policy_name": "dan", - "rsa.misc.reference_id": "xerc", - "rsa.misc.rule_name": "upt", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.6526", - "rsa.network.alias_host": [ - "itaedict199.mail.corp" - ], - "rsa.network.vlan": 5555, - "rsa.time.event_time_str": "May", - "rule.name": "upt", - "service.type": "f5", - "source.geo.country_name": "mSecti", - "source.ip": "10.190.247.194", - "source.nat.ip": "10.211.198.50", - "source.nat.port": 7510, - "source.port": 4210, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "tDuisaut" - }, - { - "destination.geo.country_name": "uiac", - "destination.nat.ip": "10.101.13.122", - "destination.nat.port": 6737, - "destination.port": 7838, - "event.action": "Closed", - "event.code": "queporro", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "amremap oremagna aqu4475.mail.invalid serrorsi tsedquia rsit [F5@quis acl_policy_name=upidatat acl_policy_type=mod acl_rule_name=niamqui action=Closed hostname=xeaco7887.www.localdomain bigip_mgmt_ip=10.47.223.155 context_name=ugitsed context_type=dminimve date_time=May 21 2018 13:41:41 dest_ip=10.111.137.84 dst_geo=uiac dest_port=7838 device_product=tot device_vendor=reme device_version=1.7750 drop_reason=loremi errdefs_msgno=queporro errdefs_msg_name=tur flow_id=eFi ip_protocol=ipv6-icmp severity=medium partition_name=ulapari route_domain=eporroq sa_translation_pool=uunturm sa_translation_type=iatn source_ip=10.219.83.199 src_geo=diduntut source_port=1321 source_user=ectetur translated_dest_ip=10.101.13.122 
translated_dest_port=6737 translated_ip_protocol=nibusBo translated_route_domain=volup translated_source_ip=10.251.101.61 translated_source_port=5153 translated_vlan=scipit vlan=6495", - "fileset.name": "bigipafm", - "host.ip": "10.47.223.155", - "host.name": "xeaco7887.www.localdomain", - "input.type": "log", - "log.level": "medium", - "log.offset": 51790, - "network.protocol": "ipv6-icmp", - "observer.product": "tot", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.7750", - "related.hosts": [ - "xeaco7887.www.localdomain" - ], - "related.ip": [ - "10.101.13.122", - "10.219.83.199", - "10.251.101.61", - "10.47.223.155" - ], - "related.user": [ - "ectetur" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Disable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Closed" - ], - "rsa.misc.context": "ugitsed", - "rsa.misc.event_type": "tur", - "rsa.misc.obj_name": "quis", - "rsa.misc.policy_name": "upidatat", - "rsa.misc.reference_id": "queporro", - "rsa.misc.rule_name": "niamqui", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.7750", - "rsa.network.alias_host": [ - "xeaco7887.www.localdomain" - ], - "rsa.network.vlan": 6495, - "rsa.time.event_time_str": "May", - "rule.name": "niamqui", - "service.type": "f5", - "source.geo.country_name": "diduntut", - "source.ip": "10.219.83.199", - "source.nat.ip": "10.251.101.61", - "source.nat.port": 5153, - "source.port": 1321, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "ectetur" - }, - { - "destination.geo.country_name": "inBCSed", - "destination.nat.ip": "10.21.30.43", - "destination.nat.port": 4754, - "destination.port": 6353, - "event.action": "Closed", - "event.code": "olu", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "tore isni tamrema736.www5.lan ntiumdol conse aturve [F5@edqui acl_policy_name=tvolu 
acl_policy_type=psu acl_rule_name=strud action=Closed hostname=saute7421.www.invalid bigip_mgmt_ip=10.21.80.157 context_name=tiumtot context_type=tate date_time=Jun 04 2018 20:44:15 dest_ip=10.13.222.177 dst_geo=inBCSed dest_port=6353 device_product=Loremip device_vendor=taliqui device_version=1.5568 drop_reason=ipsaquae errdefs_msgno=olu errdefs_msg_name=exerci flow_id=isnostru ip_protocol=tcp severity=very-high partition_name=ngelits route_domain=volupt sa_translation_pool=billoi sa_translation_type=reseo source_ip=10.31.86.83 src_geo=pariat source_port=6646 source_user=litsed translated_dest_ip=10.21.30.43 translated_dest_port=4754 translated_ip_protocol=lorem translated_route_domain=iamquisn translated_source_ip=10.83.136.233 translated_source_port=6643 translated_vlan=imadm vlan=3187", - "fileset.name": "bigipafm", - "host.ip": "10.21.80.157", - "host.name": "saute7421.www.invalid", - "input.type": "log", - "log.level": "very-high", - "log.offset": 52692, - "network.protocol": "tcp", - "observer.product": "Loremip", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.5568", - "related.hosts": [ - "saute7421.www.invalid" - ], - "related.ip": [ - "10.21.30.43", - "10.21.80.157", - "10.31.86.83", - "10.83.136.233" - ], - "related.user": [ - "litsed" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Disable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Closed" - ], - "rsa.misc.context": "tiumtot", - "rsa.misc.event_type": "exerci", - "rsa.misc.obj_name": "edqui", - "rsa.misc.policy_name": "tvolu", - "rsa.misc.reference_id": "olu", - "rsa.misc.rule_name": "strud", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.5568", - "rsa.network.alias_host": [ - "saute7421.www.invalid" - ], - "rsa.network.vlan": 3187, - "rsa.time.event_time_str": "Jun", - "rule.name": "strud", - "service.type": "f5", - 
"source.geo.country_name": "pariat", - "source.ip": "10.31.86.83", - "source.nat.ip": "10.83.136.233", - "source.nat.port": 6643, - "source.port": 6646, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "litsed" - }, - { - "destination.geo.country_name": "uine", - "destination.nat.ip": "10.194.197.107", - "destination.nat.port": 2524, - "destination.port": 1815, - "event.action": "Accept", - "event.code": "archite", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "lumdol edutper utemve6966.mail.local emoen ptate mipsumqu [F5@turad acl_policy_name=dol acl_policy_type=ntutla acl_rule_name=des action=Accept hostname=oluptas1637.home bigip_mgmt_ip=10.195.90.73 context_name=ipisc context_type=iatnulap date_time=Jun 19 2018 03:46:49 dest_ip=10.170.155.137 dst_geo=uine dest_port=1815 device_product=veniamqu device_vendor=iconsequ device_version=1.5445 drop_reason=apa errdefs_msgno=archite errdefs_msg_name=tur flow_id=ddo ip_protocol=ipv6 severity=high partition_name=inBC route_domain=did sa_translation_pool=atcupi sa_translation_type=eriti source_ip=10.45.152.205 src_geo=rema source_port=5107 source_user=datatn translated_dest_ip=10.194.197.107 translated_dest_port=2524 translated_ip_protocol=tur translated_route_domain=itation translated_source_ip=10.27.181.27 translated_source_port=5509 translated_vlan=uredo vlan=2155", - "fileset.name": "bigipafm", - "host.ip": "10.195.90.73", - "host.name": "oluptas1637.home", - "input.type": "log", - "log.level": "high", - "log.offset": 53576, - "network.protocol": "ipv6", - "observer.product": "veniamqu", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.5445", - "related.hosts": [ - "oluptas1637.home" - ], - "related.ip": [ - "10.194.197.107", - "10.195.90.73", - "10.27.181.27", - "10.45.152.205" - ], - "related.user": [ - "datatn" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": 
"NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Accept" - ], - "rsa.misc.context": "ipisc", - "rsa.misc.event_type": "tur", - "rsa.misc.obj_name": "turad", - "rsa.misc.policy_name": "dol", - "rsa.misc.reference_id": "archite", - "rsa.misc.rule_name": "des", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.5445", - "rsa.network.alias_host": [ - "oluptas1637.home" - ], - "rsa.network.vlan": 2155, - "rsa.time.event_time_str": "Jun", - "rule.name": "des", - "service.type": "f5", - "source.geo.country_name": "rema", - "source.ip": "10.45.152.205", - "source.nat.ip": "10.27.181.27", - "source.nat.port": 5509, - "source.port": 5107, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "datatn" - }, - { - "destination.geo.country_name": "iscive", - "destination.nat.ip": "10.129.161.18", - "destination.nat.port": 782, - "destination.port": 5527, - "event.action": "Drop", - "event.code": "taevitae", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "use catcu quame922.internal.host eursi liquid ulapari [F5@ibus acl_policy_name=isu acl_policy_type=moll acl_rule_name=roinBCS action=Drop hostname=ididu5505.api.localdomain bigip_mgmt_ip=10.43.239.97 context_name=modi context_type=cip date_time=Jul 03 2018 10:49:23 dest_ip=10.60.60.164 dst_geo=iscive dest_port=5527 device_product=incididu device_vendor=yCice device_version=1.508 drop_reason=ionem errdefs_msgno=taevitae errdefs_msg_name=dminimv flow_id=quam ip_protocol=tcp severity=low partition_name=umdol route_domain=rerepr sa_translation_pool=ipiscin sa_translation_type=trudexe source_ip=10.222.2.132 src_geo=umdo source_port=6187 source_user=aedicta translated_dest_ip=10.129.161.18 translated_dest_port=782 translated_ip_protocol=umquiad translated_route_domain=porinc translated_source_ip=10.183.90.25 translated_source_port=5038 translated_vlan=conse vlan=2563", - "fileset.name": "bigipafm", - "host.ip": "10.43.239.97", - "host.name": 
"ididu5505.api.localdomain", - "input.type": "log", - "log.level": "low", - "log.offset": 54442, - "network.protocol": "tcp", - "observer.product": "incididu", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.508", - "related.hosts": [ - "ididu5505.api.localdomain" - ], - "related.ip": [ - "10.129.161.18", - "10.183.90.25", - "10.222.2.132", - "10.43.239.97" - ], - "related.user": [ - "aedicta" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Drop" - ], - "rsa.misc.context": "modi", - "rsa.misc.event_type": "dminimv", - "rsa.misc.obj_name": "ibus", - "rsa.misc.policy_name": "isu", - "rsa.misc.reference_id": "taevitae", - "rsa.misc.rule_name": "roinBCS", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.508", - "rsa.network.alias_host": [ - "ididu5505.api.localdomain" - ], - "rsa.network.vlan": 2563, - "rsa.time.event_time_str": "Jul", - "rule.name": "roinBCS", - "service.type": "f5", - "source.geo.country_name": "umdo", - "source.ip": "10.222.2.132", - "source.nat.ip": "10.183.90.25", - "source.nat.port": 5038, - "source.port": 6187, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "aedicta" - }, - { - "destination.geo.country_name": "nevolup", - "destination.nat.ip": "10.67.129.100", - "destination.nat.port": 7106, - "destination.port": 3706, - "event.action": "Closed", - "event.code": "elitse", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "dolo reeufu umexe5208.local suntex uptatema uteiru [F5@rcitati acl_policy_name=siutali acl_policy_type=uiratio acl_rule_name=ficia action=Closed hostname=mqui1099.api.corp bigip_mgmt_ip=10.231.167.171 context_name=onorumet context_type=illoinve date_time=Jul 17 2018 17:51:58 dest_ip=10.188.254.168 dst_geo=nevolup dest_port=3706 device_product=lor device_vendor=ica device_version=1.4479 drop_reason=sumd errdefs_msgno=elitse 
errdefs_msg_name=olu flow_id=temqu ip_protocol=rdp severity=very-high partition_name=nesci route_domain=meaquei sa_translation_pool=snisiu sa_translation_type=atem source_ip=10.189.162.131 src_geo=litsed source_port=6019 source_user=sedquia translated_dest_ip=10.67.129.100 translated_dest_port=7106 translated_ip_protocol=mmodicon translated_route_domain=eosquir translated_source_ip=10.248.156.138 translated_source_port=2125 translated_vlan=smodit vlan=3090", - "fileset.name": "bigipafm", - "host.ip": "10.231.167.171", - "host.name": "mqui1099.api.corp", - "input.type": "log", - "log.level": "very-high", - "log.offset": 55316, - "network.protocol": "rdp", - "observer.product": "lor", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.4479", - "related.hosts": [ - "mqui1099.api.corp" - ], - "related.ip": [ - "10.189.162.131", - "10.231.167.171", - "10.248.156.138", - "10.67.129.100" - ], - "related.user": [ - "sedquia" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Disable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Closed" - ], - "rsa.misc.context": "onorumet", - "rsa.misc.event_type": "olu", - "rsa.misc.obj_name": "rcitati", - "rsa.misc.policy_name": "siutali", - "rsa.misc.reference_id": "elitse", - "rsa.misc.rule_name": "ficia", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.4479", - "rsa.network.alias_host": [ - "mqui1099.api.corp" - ], - "rsa.network.vlan": 3090, - "rsa.time.event_time_str": "Jul", - "rule.name": "ficia", - "service.type": "f5", - "source.geo.country_name": "litsed", - "source.ip": "10.189.162.131", - "source.nat.ip": "10.248.156.138", - "source.nat.port": 2125, - "source.port": 6019, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "sedquia" - }, - { - "destination.geo.country_name": "umqui", - "destination.nat.ip": "10.185.107.27", - "destination.nat.port": 2257, - 
"destination.port": 1757, - "event.action": "Reject", - "event.code": "itecto", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "dun xce dol5403.www.localhost asiar eiu maliquam [F5@gnama acl_policy_name=ursintoc acl_policy_type=minimve acl_rule_name=eprehe action=Reject hostname=siuta2155.lan bigip_mgmt_ip=10.63.103.30 context_name=ill context_type=imveniam date_time=Aug 01 2018 00:54:32 dest_ip=10.36.29.127 dst_geo=umqui dest_port=1757 device_product=sci device_vendor=isquames device_version=1.2927 drop_reason=tlabor errdefs_msgno=itecto errdefs_msg_name=loreeuf flow_id=orainci ip_protocol=icmp severity=low partition_name=aev route_domain=uelaudan sa_translation_pool=lab sa_translation_type=sequa source_ip=10.6.146.184 src_geo=rrorsi source_port=7247 source_user=sequu translated_dest_ip=10.185.107.27 translated_dest_port=2257 translated_ip_protocol=mips translated_route_domain=iduntutl translated_source_ip=10.142.106.66 translated_source_port=3790 translated_vlan=quelauda vlan=289", - "fileset.name": "bigipafm", - "host.ip": "10.63.103.30", - "host.name": "siuta2155.lan", - "input.type": "log", - "log.level": "low", - "log.offset": 56204, - "network.protocol": "icmp", - "observer.product": "sci", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.2927", - "related.hosts": [ - "siuta2155.lan" - ], - "related.ip": [ - "10.142.106.66", - "10.185.107.27", - "10.6.146.184", - "10.63.103.30" - ], - "related.user": [ - "sequu" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Reject" - ], - "rsa.misc.context": "ill", - "rsa.misc.event_type": "loreeuf", - "rsa.misc.obj_name": "gnama", - "rsa.misc.policy_name": "ursintoc", - "rsa.misc.reference_id": "itecto", - "rsa.misc.rule_name": "eprehe", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.2927", - "rsa.network.alias_host": [ - 
"siuta2155.lan" - ], - "rsa.network.vlan": 289, - "rsa.time.event_time_str": "Aug", - "rule.name": "eprehe", - "service.type": "f5", - "source.geo.country_name": "rrorsi", - "source.ip": "10.6.146.184", - "source.nat.ip": "10.142.106.66", - "source.nat.port": 3790, - "source.port": 7247, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "sequu" - }, - { - "destination.geo.country_name": "uidex", - "destination.nat.ip": "10.0.202.9", - "destination.nat.port": 7451, - "destination.port": 1203, - "event.action": "Established", - "event.code": "ianonn", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "dolo ulamc doe344.www5.local toreve squirat llum [F5@dol acl_policy_name=niam acl_policy_type=atio acl_rule_name=sno action=Established hostname=tatiset4191.localdomain bigip_mgmt_ip=10.214.93.200 context_name=dtempor context_type=rroquisq date_time=Aug 15 2018 07:57:06 dest_ip=10.215.63.248 dst_geo=uidex dest_port=1203 device_product=lloi device_vendor=nseq device_version=1.4023 drop_reason=isetqua errdefs_msgno=ianonn errdefs_msg_name=oluptas flow_id=doe ip_protocol=udp severity=very-high partition_name=rchitect route_domain=orsitame sa_translation_pool=tasn sa_translation_type=exeaco source_ip=10.93.39.237 src_geo=aincidu source_port=232 source_user=tionofd translated_dest_ip=10.0.202.9 translated_dest_port=7451 translated_ip_protocol=nvolup translated_route_domain=ommodic translated_source_ip=10.119.179.182 translated_source_port=7255 translated_vlan=undeo vlan=7696", - "fileset.name": "bigipafm", - "host.ip": "10.214.93.200", - "host.name": "tatiset4191.localdomain", - "input.type": "log", - "log.level": "very-high", - "log.offset": 57073, - "network.protocol": "udp", - "observer.product": "lloi", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.4023", - "related.hosts": [ - "tatiset4191.localdomain" - ], - "related.ip": [ - "10.0.202.9", - "10.119.179.182", - "10.214.93.200", - 
"10.93.39.237" - ], - "related.user": [ - "tionofd" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Enable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Established" - ], - "rsa.misc.context": "dtempor", - "rsa.misc.event_type": "oluptas", - "rsa.misc.obj_name": "dol", - "rsa.misc.policy_name": "niam", - "rsa.misc.reference_id": "ianonn", - "rsa.misc.rule_name": "sno", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.4023", - "rsa.network.alias_host": [ - "tatiset4191.localdomain" - ], - "rsa.network.vlan": 7696, - "rsa.time.event_time_str": "Aug", - "rule.name": "sno", - "service.type": "f5", - "source.geo.country_name": "aincidu", - "source.ip": "10.93.39.237", - "source.nat.ip": "10.119.179.182", - "source.nat.port": 7255, - "source.port": 232, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "tionofd" - }, - { - "destination.geo.country_name": "mcorpor", - "destination.nat.ip": "10.123.154.140", - "destination.nat.port": 2551, - "destination.port": 2433, - "event.action": "Drop", - "event.code": "byCice", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "uiinea uianonn eavolupt784.www5.example liquam sinto edi [F5@eumiure acl_policy_name=ore acl_policy_type=adeser acl_rule_name=mSe action=Drop hostname=aute2433.mail.lan bigip_mgmt_ip=10.252.204.162 context_name=tiae context_type=giat date_time=Aug 29 2018 14:59:40 dest_ip=10.115.77.51 dst_geo=mcorpor dest_port=2433 device_product=ostru device_vendor=mea device_version=1.5939 drop_reason=iquipex errdefs_msgno=byCice errdefs_msg_name=deritq flow_id=boreetdo ip_protocol=ipv6-icmp severity=medium partition_name=iin route_domain=nostr sa_translation_pool=luptatem sa_translation_type=tNequepo source_ip=10.28.145.163 src_geo=sper source_port=72 source_user=imadmin translated_dest_ip=10.123.154.140 translated_dest_port=2551 
translated_ip_protocol=mSect translated_route_domain=iure translated_source_ip=10.30.189.166 translated_source_port=2749 translated_vlan=aer vlan=3422", - "fileset.name": "bigipafm", - "host.ip": "10.252.204.162", - "host.name": "aute2433.mail.lan", - "input.type": "log", - "log.level": "medium", - "log.offset": 57956, - "network.protocol": "ipv6-icmp", - "observer.product": "ostru", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.5939", - "related.hosts": [ - "aute2433.mail.lan" - ], - "related.ip": [ - "10.123.154.140", - "10.252.204.162", - "10.28.145.163", - "10.30.189.166" - ], - "related.user": [ - "imadmin" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Drop" - ], - "rsa.misc.context": "tiae", - "rsa.misc.event_type": "deritq", - "rsa.misc.obj_name": "eumiure", - "rsa.misc.policy_name": "ore", - "rsa.misc.reference_id": "byCice", - "rsa.misc.rule_name": "mSe", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.5939", - "rsa.network.alias_host": [ - "aute2433.mail.lan" - ], - "rsa.network.vlan": 3422, - "rsa.time.event_time_str": "Aug", - "rule.name": "mSe", - "service.type": "f5", - "source.geo.country_name": "sper", - "source.ip": "10.28.145.163", - "source.nat.ip": "10.30.189.166", - "source.nat.port": 2749, - "source.port": 72, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "imadmin" - }, - { - "destination.geo.country_name": "pariatur", - "destination.nat.ip": "10.79.49.3", - "destination.nat.port": 7794, - "destination.port": 7435, - "event.action": "Accept", - "event.code": "mqua", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "roquis mremape ude2977.www.corp rmagnido exeaco dqu [F5@ccaec acl_policy_name=repreh acl_policy_type=imven acl_rule_name=usan action=Accept hostname=idolo6535.internal.example bigip_mgmt_ip=10.46.162.198 
context_name=snulap context_type=onsequat date_time=Sep 12 2018 22:02:15 dest_ip=10.166.128.248 dst_geo=pariatur dest_port=7435 device_product=tura device_vendor=equuntur device_version=1.6564 drop_reason=uaera errdefs_msgno=mqua errdefs_msg_name=xer flow_id=utlabore ip_protocol=ipv6-icmp severity=very-high partition_name=beataevi route_domain=amquisn sa_translation_pool=itquii sa_translation_type=imaven source_ip=10.145.128.250 src_geo=nder source_port=5641 source_user=eni translated_dest_ip=10.79.49.3 translated_dest_port=7794 translated_ip_protocol=psamvolu translated_route_domain=teturad translated_source_ip=10.29.122.183 translated_source_port=6166 translated_vlan=tla vlan=6146", - "fileset.name": "bigipafm", - "host.ip": "10.46.162.198", - "host.name": "idolo6535.internal.example", - "input.type": "log", - "log.level": "very-high", - "log.offset": 58833, - "network.protocol": "ipv6-icmp", - "observer.product": "tura", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.6564", - "related.hosts": [ - "idolo6535.internal.example" - ], - "related.ip": [ - "10.145.128.250", - "10.29.122.183", - "10.46.162.198", - "10.79.49.3" - ], - "related.user": [ - "eni" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Accept" - ], - "rsa.misc.context": "snulap", - "rsa.misc.event_type": "xer", - "rsa.misc.obj_name": "ccaec", - "rsa.misc.policy_name": "repreh", - "rsa.misc.reference_id": "mqua", - "rsa.misc.rule_name": "usan", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.6564", - "rsa.network.alias_host": [ - "idolo6535.internal.example" - ], - "rsa.network.vlan": 6146, - "rsa.time.event_time_str": "Sep", - "rule.name": "usan", - "service.type": "f5", - "source.geo.country_name": "nder", - "source.ip": "10.145.128.250", - "source.nat.ip": "10.29.122.183", - 
"source.nat.port": 6166, - "source.port": 5641, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "eni" - }, - { - "destination.geo.country_name": "smoditem", - "destination.nat.ip": "10.65.174.196", - "destination.nat.port": 472, - "destination.port": 575, - "event.action": "Closed", - "event.code": "loremeum", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "modtempo edict nost3250.internal.localdomain nibu quatur isiutali [F5@mdolo acl_policy_name=nof acl_policy_type=usantiu acl_rule_name=periam action=Closed hostname=one7728.api.localdomain bigip_mgmt_ip=10.177.232.136 context_name=obe context_type=niamqu date_time=Sep 27 2018 05:04:49 dest_ip=10.140.59.161 dst_geo=smoditem dest_port=575 device_product=tev device_vendor=oNemoeni device_version=1.3341 drop_reason=elillumq errdefs_msgno=loremeum errdefs_msg_name=luptatem flow_id=ing ip_protocol=tcp severity=very-high partition_name=riameaqu route_domain=etd sa_translation_pool=omnisi sa_translation_type=dolor source_ip=10.166.169.167 src_geo=ati source_port=1544 source_user=olors translated_dest_ip=10.65.174.196 translated_dest_port=472 translated_ip_protocol=iin translated_route_domain=uteiru translated_source_ip=10.142.235.217 translated_source_port=5846 translated_vlan=orain vlan=2663", - "fileset.name": "bigipafm", - "host.ip": "10.177.232.136", - "host.name": "one7728.api.localdomain", - "input.type": "log", - "log.level": "very-high", - "log.offset": 59729, - "network.protocol": "tcp", - "observer.product": "tev", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.3341", - "related.hosts": [ - "one7728.api.localdomain" - ], - "related.ip": [ - "10.142.235.217", - "10.166.169.167", - "10.177.232.136", - "10.65.174.196" - ], - "related.user": [ - "olors" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Disable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": 
"Communication", - "rsa.misc.action": [ - "Closed" - ], - "rsa.misc.context": "obe", - "rsa.misc.event_type": "luptatem", - "rsa.misc.obj_name": "mdolo", - "rsa.misc.policy_name": "nof", - "rsa.misc.reference_id": "loremeum", - "rsa.misc.rule_name": "periam", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.3341", - "rsa.network.alias_host": [ - "one7728.api.localdomain" - ], - "rsa.network.vlan": 2663, - "rsa.time.event_time_str": "Sep", - "rule.name": "periam", - "service.type": "f5", - "source.geo.country_name": "ati", - "source.ip": "10.166.169.167", - "source.nat.ip": "10.142.235.217", - "source.nat.port": 5846, - "source.port": 1544, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "olors" - }, - { - "destination.geo.country_name": "orisnisi", - "destination.nat.ip": "10.191.78.86", - "destination.nat.port": 6355, - "destination.port": 4342, - "event.action": "Established", - "event.code": "ionula", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "llu quaUt labor7147.internal.host ten vitae tse [F5@gni acl_policy_name=per acl_policy_type=tione acl_rule_name=nibus action=Established hostname=uptatem4446.internal.localhost bigip_mgmt_ip=10.29.217.44 context_name=eacommod context_type=tali date_time=Oct 11 2018 12:07:23 dest_ip=10.131.223.198 dst_geo=orisnisi dest_port=4342 device_product=eritquii device_vendor=atevelit device_version=1.325 drop_reason=enat errdefs_msgno=ionula errdefs_msg_name=itaed flow_id=invol ip_protocol=rdp severity=low partition_name=cidun route_domain=tassitas sa_translation_pool=nimadmi sa_translation_type=dipisci source_ip=10.215.184.154 src_geo=nor source_port=3306 source_user=iarc translated_dest_ip=10.191.78.86 translated_dest_port=6355 translated_ip_protocol=uiac translated_route_domain=squ translated_source_ip=10.53.188.140 translated_source_port=6455 translated_vlan=ten vlan=2937", - "fileset.name": "bigipafm", - "host.ip": "10.29.217.44", - "host.name": 
"uptatem4446.internal.localhost", - "input.type": "log", - "log.level": "low", - "log.offset": 60626, - "network.protocol": "rdp", - "observer.product": "eritquii", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.325", - "related.hosts": [ - "uptatem4446.internal.localhost" - ], - "related.ip": [ - "10.191.78.86", - "10.215.184.154", - "10.29.217.44", - "10.53.188.140" - ], - "related.user": [ - "iarc" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Enable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Established" - ], - "rsa.misc.context": "eacommod", - "rsa.misc.event_type": "itaed", - "rsa.misc.obj_name": "gni", - "rsa.misc.policy_name": "per", - "rsa.misc.reference_id": "ionula", - "rsa.misc.rule_name": "nibus", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.325", - "rsa.network.alias_host": [ - "uptatem4446.internal.localhost" - ], - "rsa.network.vlan": 2937, - "rsa.time.event_time_str": "Oct", - "rule.name": "nibus", - "service.type": "f5", - "source.geo.country_name": "nor", - "source.ip": "10.215.184.154", - "source.nat.ip": "10.53.188.140", - "source.nat.port": 6455, - "source.port": 3306, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "iarc" - }, - { - "destination.geo.country_name": "turad", - "destination.nat.ip": "10.46.222.149", - "destination.nat.port": 3304, - "destination.port": 2537, - "event.action": "Drop", - "event.code": "quipe", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "isciveli ntutlab sitamet452.domain nsequ ing ollita [F5@dipisci acl_policy_name=amnisiu acl_policy_type=ptat acl_rule_name=epr action=Drop hostname=emq2514.api.localhost bigip_mgmt_ip=10.135.77.156 context_name=uraut context_type=non date_time=Oct 25 2018 19:09:57 dest_ip=10.248.182.188 dst_geo=turad dest_port=2537 device_product=nBCSe device_vendor=ollita 
device_version=1.3567 drop_reason=eni errdefs_msgno=quipe errdefs_msg_name=oluptat flow_id=stenatus ip_protocol=ggp severity=very-high partition_name=iaecon route_domain=ect sa_translation_pool=tquid sa_translation_type=seru source_ip=10.76.148.147 src_geo=remagna source_port=1121 source_user=urve translated_dest_ip=10.46.222.149 translated_dest_port=3304 translated_ip_protocol=squ translated_route_domain=emagnaal translated_source_ip=10.74.74.129 translated_source_port=5904 translated_vlan=itati vlan=3497", - "fileset.name": "bigipafm", - "host.ip": "10.135.77.156", - "host.name": "emq2514.api.localhost", - "input.type": "log", - "log.level": "very-high", - "log.offset": 61505, - "network.protocol": "ggp", - "observer.product": "nBCSe", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.3567", - "related.hosts": [ - "emq2514.api.localhost" - ], - "related.ip": [ - "10.135.77.156", - "10.46.222.149", - "10.74.74.129", - "10.76.148.147" - ], - "related.user": [ - "urve" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Drop" - ], - "rsa.misc.context": "uraut", - "rsa.misc.event_type": "oluptat", - "rsa.misc.obj_name": "dipisci", - "rsa.misc.policy_name": "amnisiu", - "rsa.misc.reference_id": "quipe", - "rsa.misc.rule_name": "epr", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.3567", - "rsa.network.alias_host": [ - "emq2514.api.localhost" - ], - "rsa.network.vlan": 3497, - "rsa.time.event_time_str": "Oct", - "rule.name": "epr", - "service.type": "f5", - "source.geo.country_name": "remagna", - "source.ip": "10.76.148.147", - "source.nat.ip": "10.74.74.129", - "source.nat.port": 5904, - "source.port": 1121, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "urve" - }, - { - "destination.geo.country_name": "imadmini", - "destination.nat.ip": "10.11.146.253", - "destination.nat.port": 3581, - 
"destination.port": 3791, - "event.action": "Drop", - "event.code": "ute", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "rinc tno meumf4052.invalid pitlabo riamea Malorumw [F5@consect acl_policy_name=issu acl_policy_type=tconsect acl_rule_name=tationem action=Drop hostname=agna5654.www.corp bigip_mgmt_ip=10.96.200.223 context_name=iatisun context_type=cto date_time=Nov 09 2018 02:12:32 dest_ip=10.3.228.220 dst_geo=imadmini dest_port=3791 device_product=oeiusm device_vendor=aUtenim device_version=1.1186 drop_reason=isu errdefs_msgno=ute errdefs_msg_name=tdolore flow_id=madminim ip_protocol=igmp severity=very-high partition_name=prehen route_domain=ate sa_translation_pool=ull sa_translation_type=enimipsa source_ip=10.130.203.37 src_geo=quisnos source_port=2132 source_user=mvele translated_dest_ip=10.11.146.253 translated_dest_port=3581 translated_ip_protocol=remeum translated_route_domain=temseq translated_source_ip=10.145.49.29 translated_source_port=2464 translated_vlan=sedquia vlan=4912", - "fileset.name": "bigipafm", - "host.ip": "10.96.200.223", - "host.name": "agna5654.www.corp", - "input.type": "log", - "log.level": "very-high", - "log.offset": 62376, - "network.protocol": "igmp", - "observer.product": "oeiusm", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.1186", - "related.hosts": [ - "agna5654.www.corp" - ], - "related.ip": [ - "10.11.146.253", - "10.130.203.37", - "10.145.49.29", - "10.96.200.223" - ], - "related.user": [ - "mvele" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Drop" - ], - "rsa.misc.context": "iatisun", - "rsa.misc.event_type": "tdolore", - "rsa.misc.obj_name": "consect", - "rsa.misc.policy_name": "issu", - "rsa.misc.reference_id": "ute", - "rsa.misc.rule_name": "tationem", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.1186", - 
"rsa.network.alias_host": [ - "agna5654.www.corp" - ], - "rsa.network.vlan": 4912, - "rsa.time.event_time_str": "Nov", - "rule.name": "tationem", - "service.type": "f5", - "source.geo.country_name": "quisnos", - "source.ip": "10.130.203.37", - "source.nat.ip": "10.145.49.29", - "source.nat.port": 2464, - "source.port": 2132, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "mvele" - }, - { - "destination.geo.country_name": "epteu", - "destination.nat.ip": "10.162.2.180", - "destination.nat.port": 3889, - "destination.port": 5744, - "event.action": "Drop", - "event.code": "ibusB", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "ntmo aliqu iqu4429.www5.lan doconse volupta ptat [F5@oreverit acl_policy_name=nimides acl_policy_type=remipsum acl_rule_name=elit action=Drop hostname=ipi4827.mail.lan bigip_mgmt_ip=10.162.78.48 context_name=lab context_type=sedqui date_time=Nov 23 2018 09:15:06 dest_ip=10.243.157.94 dst_geo=epteu dest_port=5744 device_product=tura device_vendor=mquiavol device_version=1.6845 drop_reason=eabil errdefs_msgno=ibusB errdefs_msg_name=rporis flow_id=etco ip_protocol=ipv6 severity=very-high partition_name=ereprehe route_domain=olu sa_translation_pool=nofdeF sa_translation_type=riaturEx source_ip=10.24.23.209 src_geo=itautfu source_port=1503 source_user=rumwr translated_dest_ip=10.162.2.180 translated_dest_port=3889 translated_ip_protocol=mporain translated_route_domain=ectetur translated_source_ip=10.48.75.140 translated_source_port=1837 translated_vlan=ineavol vlan=5182", - "fileset.name": "bigipafm", - "host.ip": "10.162.78.48", - "host.name": "ipi4827.mail.lan", - "input.type": "log", - "log.level": "very-high", - "log.offset": 63258, - "network.protocol": "ipv6", - "observer.product": "tura", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.6845", - "related.hosts": [ - "ipi4827.mail.lan" - ], - "related.ip": [ - "10.162.2.180", - "10.162.78.48", - "10.24.23.209", - 
"10.48.75.140" - ], - "related.user": [ - "rumwr" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Drop" - ], - "rsa.misc.context": "lab", - "rsa.misc.event_type": "rporis", - "rsa.misc.obj_name": "oreverit", - "rsa.misc.policy_name": "nimides", - "rsa.misc.reference_id": "ibusB", - "rsa.misc.rule_name": "elit", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.6845", - "rsa.network.alias_host": [ - "ipi4827.mail.lan" - ], - "rsa.network.vlan": 5182, - "rsa.time.event_time_str": "Nov", - "rule.name": "elit", - "service.type": "f5", - "source.geo.country_name": "itautfu", - "source.ip": "10.24.23.209", - "source.nat.ip": "10.48.75.140", - "source.nat.port": 1837, - "source.port": 1503, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "rumwr" - }, - { - "destination.geo.country_name": "rur", - "destination.nat.ip": "10.119.12.186", - "destination.nat.port": 5674, - "destination.port": 5543, - "event.action": "Drop", - "event.code": "eddoeiu", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "onproid sitv equam3114.test mcorp uelaud aperiam [F5@ngelit acl_policy_name=quiano acl_policy_type=sund acl_rule_name=iaconse action=Drop hostname=sequatD163.internal.example bigip_mgmt_ip=10.151.206.38 context_name=oloremi context_type=luptate date_time=Dec 07 2018 16:17:40 dest_ip=10.38.57.217 dst_geo=rur dest_port=5543 device_product=imidest device_vendor=oeiusmod device_version=1.419 drop_reason=psumqui errdefs_msgno=eddoeiu errdefs_msg_name=oinvento flow_id=mips ip_protocol=udp severity=medium partition_name=corpor route_domain=amvolu sa_translation_pool=ent sa_translation_type=ionemu source_ip=10.66.92.83 src_geo=orinrep source_port=2549 source_user=nproide translated_dest_ip=10.119.12.186 translated_dest_port=5674 translated_ip_protocol=qui translated_route_domain=nemullam 
translated_source_ip=10.97.105.115 translated_source_port=3576 translated_vlan=squir vlan=3987", - "fileset.name": "bigipafm", - "host.ip": "10.151.206.38", - "host.name": "sequatD163.internal.example", - "input.type": "log", - "log.level": "medium", - "log.offset": 64136, - "network.protocol": "udp", - "observer.product": "imidest", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.419", - "related.hosts": [ - "sequatD163.internal.example" - ], - "related.ip": [ - "10.119.12.186", - "10.151.206.38", - "10.66.92.83", - "10.97.105.115" - ], - "related.user": [ - "nproide" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Drop" - ], - "rsa.misc.context": "oloremi", - "rsa.misc.event_type": "oinvento", - "rsa.misc.obj_name": "ngelit", - "rsa.misc.policy_name": "quiano", - "rsa.misc.reference_id": "eddoeiu", - "rsa.misc.rule_name": "iaconse", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.419", - "rsa.network.alias_host": [ - "sequatD163.internal.example" - ], - "rsa.network.vlan": 3987, - "rsa.time.event_time_str": "Dec", - "rule.name": "iaconse", - "service.type": "f5", - "source.geo.country_name": "orinrep", - "source.ip": "10.66.92.83", - "source.nat.ip": "10.97.105.115", - "source.nat.port": 3576, - "source.port": 2549, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "nproide" - }, - { - "destination.geo.country_name": "volupt", - "destination.nat.ip": "10.64.76.142", - "destination.nat.port": 7083, - "destination.port": 61, - "event.action": "Accept", - "event.code": "enderi", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "umqu umet psaquaea5284.internal.example upt giatquo toccaec [F5@nihilmo acl_policy_name=atquo acl_policy_type=umetMa acl_rule_name=ngelitse action=Accept hostname=itamet1303.invalid bigip_mgmt_ip=10.12.148.73 context_name=eius 
context_type=evo date_time=Dec 21 2018 23:20:14 dest_ip=10.10.44.34 dst_geo=volupt dest_port=61 device_product=eosqu device_vendor=reetdolo device_version=1.7551 drop_reason=sten errdefs_msgno=enderi errdefs_msg_name=labore flow_id=uasiarch ip_protocol=igmp severity=very-high partition_name=magnama route_domain=reprehe sa_translation_pool=citatio sa_translation_type=dolo source_ip=10.201.132.114 src_geo=eetd source_port=6058 source_user=borisnis translated_dest_ip=10.64.76.142 translated_dest_port=7083 translated_ip_protocol=temse translated_route_domain=samvo translated_source_ip=10.169.139.250 translated_source_port=1374 translated_vlan=nostrume vlan=5035", - "fileset.name": "bigipafm", - "host.ip": "10.12.148.73", - "host.name": "itamet1303.invalid", - "input.type": "log", - "log.level": "very-high", - "log.offset": 65022, - "network.protocol": "igmp", - "observer.product": "eosqu", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.7551", - "related.hosts": [ - "itamet1303.invalid" - ], - "related.ip": [ - "10.12.148.73", - "10.169.139.250", - "10.201.132.114", - "10.64.76.142" - ], - "related.user": [ - "borisnis" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Accept" - ], - "rsa.misc.context": "eius", - "rsa.misc.event_type": "labore", - "rsa.misc.obj_name": "nihilmo", - "rsa.misc.policy_name": "atquo", - "rsa.misc.reference_id": "enderi", - "rsa.misc.rule_name": "ngelitse", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.7551", - "rsa.network.alias_host": [ - "itamet1303.invalid" - ], - "rsa.network.vlan": 5035, - "rsa.time.event_time_str": "Dec", - "rule.name": "ngelitse", - "service.type": "f5", - "source.geo.country_name": "eetd", - "source.ip": "10.201.132.114", - "source.nat.ip": "10.169.139.250", - "source.nat.port": 1374, - "source.port": 
6058, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "borisnis" - }, - { - "destination.geo.country_name": "giatnula", - "destination.nat.ip": "10.35.38.185", - "destination.nat.port": 7077, - "destination.port": 71, - "event.action": "Drop", - "event.code": "sedq", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "tatevel itin tam942.api.host iut leumiur deser [F5@boris acl_policy_name=ris acl_policy_type=nisiuta acl_rule_name=utper action=Drop hostname=epr3512.internal.domain bigip_mgmt_ip=10.9.236.18 context_name=iumdo context_type=exe date_time=Jan 05 2019 06:22:49 dest_ip=10.152.7.48 dst_geo=giatnula dest_port=71 device_product=enimadmi device_vendor=qui device_version=1.5292 drop_reason=aecon errdefs_msgno=sedq errdefs_msg_name=olo flow_id=sperna ip_protocol=udp severity=very-high partition_name=conseq route_domain=upta sa_translation_pool=eturadi sa_translation_type=cinge source_ip=10.111.128.11 src_geo=niamq source_port=5336 source_user=umfug translated_dest_ip=10.35.38.185 translated_dest_port=7077 translated_ip_protocol=labor translated_route_domain=Sec translated_source_ip=10.200.116.191 translated_source_port=3068 translated_vlan=nsecte vlan=5790", - "fileset.name": "bigipafm", - "host.ip": "10.9.236.18", - "host.name": "epr3512.internal.domain", - "input.type": "log", - "log.level": "very-high", - "log.offset": 65915, - "network.protocol": "udp", - "observer.product": "enimadmi", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.5292", - "related.hosts": [ - "epr3512.internal.domain" - ], - "related.ip": [ - "10.111.128.11", - "10.200.116.191", - "10.35.38.185", - "10.9.236.18" - ], - "related.user": [ - "umfug" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Drop" - ], - "rsa.misc.context": "iumdo", - "rsa.misc.event_type": "olo", - "rsa.misc.obj_name": 
"boris", - "rsa.misc.policy_name": "ris", - "rsa.misc.reference_id": "sedq", - "rsa.misc.rule_name": "utper", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.5292", - "rsa.network.alias_host": [ - "epr3512.internal.domain" - ], - "rsa.network.vlan": 5790, - "rsa.time.event_time_str": "Jan", - "rule.name": "utper", - "service.type": "f5", - "source.geo.country_name": "niamq", - "source.ip": "10.111.128.11", - "source.nat.ip": "10.200.116.191", - "source.nat.port": 3068, - "source.port": 5336, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "umfug" - }, - { - "destination.geo.country_name": "rese", - "destination.nat.ip": "10.134.238.8", - "destination.nat.port": 2976, - "destination.port": 5302, - "event.action": "Reject", - "event.code": "ende", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "uianonnu por nve894.lan turadip ataev eFinib [F5@atione acl_policy_name=xcepte acl_policy_type=gnaa acl_rule_name=tio action=Reject hostname=uredol2174.home bigip_mgmt_ip=10.191.27.182 context_name=tMalo context_type=urautod date_time=Jan 19 2019 13:25:23 dest_ip=10.114.60.159 dst_geo=rese dest_port=5302 device_product=rissusci device_vendor=quaturve device_version=1.5991 drop_reason=tisunde errdefs_msgno=ende errdefs_msg_name=quidolor flow_id=lloin ip_protocol=igmp severity=high partition_name=proiden route_domain=moenimip sa_translation_pool=tat sa_translation_type=tate source_ip=10.236.67.227 src_geo=ern source_port=881 source_user=tlabo translated_dest_ip=10.134.238.8 translated_dest_port=2976 translated_ip_protocol=aqua translated_route_domain=edquiac translated_source_ip=10.240.62.238 translated_source_port=1251 translated_vlan=olo vlan=5926", - "fileset.name": "bigipafm", - "host.ip": "10.191.27.182", - "host.name": "uredol2174.home", - "input.type": "log", - "log.level": "high", - "log.offset": 66775, - "network.protocol": "igmp", - "observer.product": "rissusci", - "observer.type": "Firewall", - 
"observer.vendor": "F5", - "observer.version": "1.5991", - "related.hosts": [ - "uredol2174.home" - ], - "related.ip": [ - "10.134.238.8", - "10.191.27.182", - "10.236.67.227", - "10.240.62.238" - ], - "related.user": [ - "tlabo" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Reject" - ], - "rsa.misc.context": "tMalo", - "rsa.misc.event_type": "quidolor", - "rsa.misc.obj_name": "atione", - "rsa.misc.policy_name": "xcepte", - "rsa.misc.reference_id": "ende", - "rsa.misc.rule_name": "tio", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.5991", - "rsa.network.alias_host": [ - "uredol2174.home" - ], - "rsa.network.vlan": 5926, - "rsa.time.event_time_str": "Jan", - "rule.name": "tio", - "service.type": "f5", - "source.geo.country_name": "ern", - "source.ip": "10.236.67.227", - "source.nat.ip": "10.240.62.238", - "source.nat.port": 1251, - "source.port": 881, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "tlabo" - }, - { - "destination.geo.country_name": "nimad", - "destination.nat.ip": "10.65.35.64", - "destination.nat.port": 2748, - "destination.port": 7814, - "event.action": "Drop", - "event.code": "oin", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "ali Nequepor aUten4127.internal.lan apariatu mnisis onsequa [F5@sunt acl_policy_name=orumSe acl_policy_type=olupta acl_rule_name=emveleum action=Drop hostname=ididunt7607.mail.localhost bigip_mgmt_ip=10.165.66.92 context_name=isq context_type=eacommo date_time=Feb 02 2019 20:27:57 dest_ip=10.244.171.198 dst_geo=nimad dest_port=7814 device_product=asi device_vendor=tobe device_version=1.6837 drop_reason=Lore errdefs_msgno=oin errdefs_msg_name=eritquii flow_id=taliqui ip_protocol=ipv6-icmp severity=very-high partition_name=entoreve route_domain=ion sa_translation_pool=exeaco sa_translation_type=tate source_ip=10.109.14.142 src_geo=sitas 
source_port=6036 source_user=perna translated_dest_ip=10.65.35.64 translated_dest_port=2748 translated_ip_protocol=irur translated_route_domain=risnisiu translated_source_ip=10.22.231.91 translated_source_port=2652 translated_vlan=equepor vlan=897", - "fileset.name": "bigipafm", - "host.ip": "10.165.66.92", - "host.name": "ididunt7607.mail.localhost", - "input.type": "log", - "log.level": "very-high", - "log.offset": 67635, - "network.protocol": "ipv6-icmp", - "observer.product": "asi", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.6837", - "related.hosts": [ - "ididunt7607.mail.localhost" - ], - "related.ip": [ - "10.109.14.142", - "10.165.66.92", - "10.22.231.91", - "10.65.35.64" - ], - "related.user": [ - "perna" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Drop" - ], - "rsa.misc.context": "isq", - "rsa.misc.event_type": "eritquii", - "rsa.misc.obj_name": "sunt", - "rsa.misc.policy_name": "orumSe", - "rsa.misc.reference_id": "oin", - "rsa.misc.rule_name": "emveleum", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.6837", - "rsa.network.alias_host": [ - "ididunt7607.mail.localhost" - ], - "rsa.network.vlan": 897, - "rsa.time.event_time_str": "Feb", - "rule.name": "emveleum", - "service.type": "f5", - "source.geo.country_name": "sitas", - "source.ip": "10.109.14.142", - "source.nat.ip": "10.22.231.91", - "source.nat.port": 2652, - "source.port": 6036, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "perna" - }, - { - "destination.geo.country_name": "rume", - "destination.nat.ip": "10.29.230.203", - "destination.nat.port": 6579, - "destination.port": 7667, - "event.action": "Reject", - "event.code": "prehende", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "ugiatn utpe hend1170.www5.lan ptateve aliqua officiad [F5@nimadmin acl_policy_name=iavol 
acl_policy_type=roq acl_rule_name=iumtota action=Reject hostname=inimav5557.www5.test bigip_mgmt_ip=10.71.112.86 context_name=olor context_type=emoenim date_time=Feb 17 2019 03:30:32 dest_ip=10.57.64.102 dst_geo=rume dest_port=7667 device_product=inibusBo device_vendor=tqui device_version=1.99 drop_reason=citat errdefs_msgno=prehende errdefs_msg_name=vitaedic flow_id=remip ip_protocol=ggp severity=high partition_name=rehe route_domain=aper sa_translation_pool=gnaa sa_translation_type=tam source_ip=10.64.161.215 src_geo=modi source_port=4869 source_user=rnatur translated_dest_ip=10.29.230.203 translated_dest_port=6579 translated_ip_protocol=abi translated_route_domain=inimaven translated_source_ip=10.89.221.90 translated_source_port=5835 translated_vlan=entoreve vlan=4612", - "fileset.name": "bigipafm", - "host.ip": "10.71.112.86", - "host.name": "inimav5557.www5.test", - "input.type": "log", - "log.level": "high", - "log.offset": 68526, - "network.protocol": "ggp", - "observer.product": "inibusBo", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.99", - "related.hosts": [ - "inimav5557.www5.test" - ], - "related.ip": [ - "10.29.230.203", - "10.64.161.215", - "10.71.112.86", - "10.89.221.90" - ], - "related.user": [ - "rnatur" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Reject" - ], - "rsa.misc.context": "olor", - "rsa.misc.event_type": "vitaedic", - "rsa.misc.obj_name": "nimadmin", - "rsa.misc.policy_name": "iavol", - "rsa.misc.reference_id": "prehende", - "rsa.misc.rule_name": "iumtota", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.99", - "rsa.network.alias_host": [ - "inimav5557.www5.test" - ], - "rsa.network.vlan": 4612, - "rsa.time.event_time_str": "Feb", - "rule.name": "iumtota", - "service.type": "f5", - "source.geo.country_name": "modi", - "source.ip": "10.64.161.215", - "source.nat.ip": 
"10.89.221.90", - "source.nat.port": 5835, - "source.port": 4869, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "rnatur" - }, - { - "destination.geo.country_name": "aliquide", - "destination.nat.ip": "10.221.199.137", - "destination.nat.port": 6430, - "destination.port": 7187, - "event.action": "Closed", - "event.code": "urm", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "roqu dquia ommod142.www.home ptate oloreeu imipsa [F5@iscinge acl_policy_name=ora acl_policy_type=meumfug acl_rule_name=inimve action=Closed hostname=nonn1650.www.test bigip_mgmt_ip=10.88.226.76 context_name=ptas context_type=iadolo date_time=Mar 03 2019 10:33:06 dest_ip=10.217.197.29 dst_geo=aliquide dest_port=7187 device_product=tinv device_vendor=iar device_version=1.5232 drop_reason=mquela errdefs_msgno=urm errdefs_msg_name=con flow_id=aeabil ip_protocol=udp severity=low partition_name=edicta route_domain=itaspern sa_translation_pool=tau sa_translation_type=rcit source_ip=10.79.208.135 src_geo=rehende source_port=3688 source_user=erspic translated_dest_ip=10.221.199.137 translated_dest_port=6430 translated_ip_protocol=quipe translated_route_domain=evita translated_source_ip=10.140.118.182 translated_source_port=4566 translated_vlan=nia vlan=7548", - "fileset.name": "bigipafm", - "host.ip": "10.88.226.76", - "host.name": "nonn1650.www.test", - "input.type": "log", - "log.level": "low", - "log.offset": 69397, - "network.protocol": "udp", - "observer.product": "tinv", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.5232", - "related.hosts": [ - "nonn1650.www.test" - ], - "related.ip": [ - "10.140.118.182", - "10.221.199.137", - "10.79.208.135", - "10.88.226.76" - ], - "related.user": [ - "erspic" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Disable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - 
"Closed" - ], - "rsa.misc.context": "ptas", - "rsa.misc.event_type": "con", - "rsa.misc.obj_name": "iscinge", - "rsa.misc.policy_name": "ora", - "rsa.misc.reference_id": "urm", - "rsa.misc.rule_name": "inimve", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.5232", - "rsa.network.alias_host": [ - "nonn1650.www.test" - ], - "rsa.network.vlan": 7548, - "rsa.time.event_time_str": "Mar", - "rule.name": "inimve", - "service.type": "f5", - "source.geo.country_name": "rehende", - "source.ip": "10.79.208.135", - "source.nat.ip": "10.140.118.182", - "source.nat.port": 4566, - "source.port": 3688, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "erspic" - }, - { - "destination.geo.country_name": "oreve", - "destination.nat.ip": "10.126.61.230", - "destination.nat.port": 2068, - "destination.port": 2538, - "event.action": "Reject", - "event.code": "Exce", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "npro boriosa sundeo3076.internal.test Nequepor turQ tod [F5@rsitame acl_policy_name=nsectetu acl_policy_type=untexpli acl_rule_name=smo action=Reject hostname=acons3940.api.lan bigip_mgmt_ip=10.133.48.55 context_name=lab context_type=ela date_time=Mar 17 2019 17:35:40 dest_ip=10.134.141.37 dst_geo=oreve dest_port=2538 device_product=tali device_vendor=quamnih device_version=1.2492 drop_reason=reprehen errdefs_msgno=Exce errdefs_msg_name=tocca flow_id=tinvolu ip_protocol=ipv6 severity=low partition_name=iumt route_domain=mad sa_translation_pool=mpor sa_translation_type=eddoei source_ip=10.35.73.208 src_geo=dolo source_port=6552 source_user=tia translated_dest_ip=10.126.61.230 translated_dest_port=2068 translated_ip_protocol=dolor translated_route_domain=emUteni translated_source_ip=10.189.244.22 translated_source_port=734 translated_vlan=rinre vlan=6425", - "fileset.name": "bigipafm", - "host.ip": "10.133.48.55", - "host.name": "acons3940.api.lan", - "input.type": "log", - "log.level": "low", - "log.offset": 70259, - 
"network.protocol": "ipv6", - "observer.product": "tali", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.2492", - "related.hosts": [ - "acons3940.api.lan" - ], - "related.ip": [ - "10.126.61.230", - "10.133.48.55", - "10.189.244.22", - "10.35.73.208" - ], - "related.user": [ - "tia" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Reject" - ], - "rsa.misc.context": "lab", - "rsa.misc.event_type": "tocca", - "rsa.misc.obj_name": "rsitame", - "rsa.misc.policy_name": "nsectetu", - "rsa.misc.reference_id": "Exce", - "rsa.misc.rule_name": "smo", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.2492", - "rsa.network.alias_host": [ - "acons3940.api.lan" - ], - "rsa.network.vlan": 6425, - "rsa.time.event_time_str": "Mar", - "rule.name": "smo", - "service.type": "f5", - "source.geo.country_name": "dolo", - "source.ip": "10.35.73.208", - "source.nat.ip": "10.189.244.22", - "source.nat.port": 734, - "source.port": 6552, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "tia" - }, - { - "destination.geo.country_name": "ostr", - "destination.nat.ip": "10.239.194.105", - "destination.nat.port": 3629, - "destination.port": 575, - "event.action": "Established", - "event.code": "olors", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "ident uatur dquiaco2756.home uiine mve dolorema [F5@ditautf acl_policy_name=uisnostr acl_policy_type=oditautf acl_rule_name=nula action=Established hostname=suscipit587.www.localhost bigip_mgmt_ip=10.81.154.115 context_name=ita context_type=aeratvol date_time=Apr 01 2019 00:38:14 dest_ip=10.194.94.1 dst_geo=ostr dest_port=575 device_product=boreetd device_vendor=ueporro device_version=1.4044 drop_reason=oluptat errdefs_msgno=olors errdefs_msg_name=mSecti flow_id=ius ip_protocol=icmp severity=very-high partition_name=xerci route_domain=qua 
sa_translation_pool=iaecons sa_translation_type=pteurs source_ip=10.35.65.72 src_geo=veni source_port=3387 source_user=reseo translated_dest_ip=10.239.194.105 translated_dest_port=3629 translated_ip_protocol=isnos translated_route_domain=ntin translated_source_ip=10.240.94.109 translated_source_port=5437 translated_vlan=ono vlan=573", - "fileset.name": "bigipafm", - "host.ip": "10.81.154.115", - "host.name": "suscipit587.www.localhost", - "input.type": "log", - "log.level": "very-high", - "log.offset": 71124, - "network.protocol": "icmp", - "observer.product": "boreetd", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.4044", - "related.hosts": [ - "suscipit587.www.localhost" - ], - "related.ip": [ - "10.239.194.105", - "10.240.94.109", - "10.35.65.72", - "10.81.154.115" - ], - "related.user": [ - "reseo" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Enable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Established" - ], - "rsa.misc.context": "ita", - "rsa.misc.event_type": "mSecti", - "rsa.misc.obj_name": "ditautf", - "rsa.misc.policy_name": "uisnostr", - "rsa.misc.reference_id": "olors", - "rsa.misc.rule_name": "nula", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.4044", - "rsa.network.alias_host": [ - "suscipit587.www.localhost" - ], - "rsa.network.vlan": 573, - "rsa.time.event_time_str": "Apr", - "rule.name": "nula", - "service.type": "f5", - "source.geo.country_name": "veni", - "source.ip": "10.35.65.72", - "source.nat.ip": "10.240.94.109", - "source.nat.port": 5437, - "source.port": 3387, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "reseo" - }, - { - "destination.geo.country_name": "obeatae", - "destination.nat.ip": "10.248.72.104", - "destination.nat.port": 7485, - "destination.port": 2042, - "event.action": "Established", - "event.code": "emagnaal", - "event.dataset": 
"f5.bigipafm", - "event.module": "f5", - "event.original": "consequ ine hend3901.www.localdomain nsecte miurere tat [F5@pitlabor acl_policy_name=upi acl_policy_type=olupta acl_rule_name=ape action=Established hostname=mnisiut6146.internal.local bigip_mgmt_ip=10.52.70.192 context_name=empor context_type=ate date_time=Apr 15 2019 07:40:49 dest_ip=10.234.254.96 dst_geo=obeatae dest_port=2042 device_product=orem device_vendor=dquian device_version=1.2307 drop_reason=uis errdefs_msgno=emagnaal errdefs_msg_name=uunturm flow_id=nonnumq ip_protocol=ggp severity=very-high partition_name=ntocca route_domain=emquelau sa_translation_pool=adolorsi sa_translation_type=lupt source_ip=10.38.253.213 src_geo=ncidu source_port=3369 source_user=ionem translated_dest_ip=10.248.72.104 translated_dest_port=7485 translated_ip_protocol=cusan translated_route_domain=ivelit translated_source_ip=10.150.56.227 translated_source_port=4686 translated_vlan=isnost vlan=4697", - "fileset.name": "bigipafm", - "host.ip": "10.52.70.192", - "host.name": "mnisiut6146.internal.local", - "input.type": "log", - "log.level": "very-high", - "log.offset": 72004, - "network.protocol": "ggp", - "observer.product": "orem", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.2307", - "related.hosts": [ - "mnisiut6146.internal.local" - ], - "related.ip": [ - "10.150.56.227", - "10.248.72.104", - "10.38.253.213", - "10.52.70.192" - ], - "related.user": [ - "ionem" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Enable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Established" - ], - "rsa.misc.context": "empor", - "rsa.misc.event_type": "uunturm", - "rsa.misc.obj_name": "pitlabor", - "rsa.misc.policy_name": "upi", - "rsa.misc.reference_id": "emagnaal", - "rsa.misc.rule_name": "ape", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.2307", - 
"rsa.network.alias_host": [ - "mnisiut6146.internal.local" - ], - "rsa.network.vlan": 4697, - "rsa.time.event_time_str": "Apr", - "rule.name": "ape", - "service.type": "f5", - "source.geo.country_name": "ncidu", - "source.ip": "10.38.253.213", - "source.nat.ip": "10.150.56.227", - "source.nat.port": 4686, - "source.port": 3369, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "ionem" - }, - { - "destination.geo.country_name": "aaliq", - "destination.nat.ip": "10.73.172.186", - "destination.nat.port": 3510, - "destination.port": 2143, - "event.action": "Reject", - "event.code": "agn", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "urQu idol fici312.api.host eri pitlab riosamn [F5@Malo acl_policy_name=onse acl_policy_type=enatuse acl_rule_name=veritat action=Reject hostname=borios1067.www5.home bigip_mgmt_ip=10.218.15.164 context_name=ntNeque context_type=magnidol date_time=Apr 29 2019 14:43:23 dest_ip=10.56.60.3 dst_geo=aaliq dest_port=2143 device_product=gel device_vendor=modt device_version=1.2031 drop_reason=mvolu errdefs_msgno=agn errdefs_msg_name=eritinvo flow_id=aliq ip_protocol=rdp severity=very-high partition_name=uisautei route_domain=labor sa_translation_pool=ihilmol sa_translation_type=scinge source_ip=10.62.218.239 src_geo=yCiceroi source_port=166 source_user=reh translated_dest_ip=10.73.172.186 translated_dest_port=3510 translated_ip_protocol=itte translated_route_domain=niamquis translated_source_ip=10.203.193.134 translated_source_port=6251 translated_vlan=riosa vlan=7445", - "fileset.name": "bigipafm", - "host.ip": "10.218.15.164", - "host.name": "borios1067.www5.home", - "input.type": "log", - "log.level": "very-high", - "log.offset": 72900, - "network.protocol": "rdp", - "observer.product": "gel", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.2031", - "related.hosts": [ - "borios1067.www5.home" - ], - "related.ip": [ - "10.203.193.134", - "10.218.15.164", - 
"10.62.218.239", - "10.73.172.186" - ], - "related.user": [ - "reh" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Reject" - ], - "rsa.misc.context": "ntNeque", - "rsa.misc.event_type": "eritinvo", - "rsa.misc.obj_name": "Malo", - "rsa.misc.policy_name": "onse", - "rsa.misc.reference_id": "agn", - "rsa.misc.rule_name": "veritat", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.2031", - "rsa.network.alias_host": [ - "borios1067.www5.home" - ], - "rsa.network.vlan": 7445, - "rsa.time.event_time_str": "Apr", - "rule.name": "veritat", - "service.type": "f5", - "source.geo.country_name": "yCiceroi", - "source.ip": "10.62.218.239", - "source.nat.ip": "10.203.193.134", - "source.nat.port": 6251, - "source.port": 166, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "reh" - }, - { - "destination.geo.country_name": "quaeabi", - "destination.nat.ip": "10.136.211.234", - "destination.nat.port": 4126, - "destination.port": 5701, - "event.action": "Established", - "event.code": "uovolup", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "ore ptatema poriss2289.localdomain luptat ficiad saquaea [F5@archi acl_policy_name=caboNe acl_policy_type=ptate acl_rule_name=enimips action=Established hostname=msequ323.www.example bigip_mgmt_ip=10.60.20.76 context_name=seq context_type=uae date_time=May 13 2019 21:45:57 dest_ip=10.244.241.67 dst_geo=quaeabi dest_port=5701 device_product=ost device_vendor=mave device_version=1.2555 drop_reason=aev errdefs_msgno=uovolup errdefs_msg_name=tMaloru flow_id=rum ip_protocol=ipv6-icmp severity=very-high partition_name=ptassita route_domain=ionemul sa_translation_pool=orema sa_translation_type=its source_ip=10.10.46.43 src_geo=stiaec source_port=7346 source_user=nev translated_dest_ip=10.136.211.234 translated_dest_port=4126 translated_ip_protocol=lamcor 
translated_route_domain=rorsitv translated_source_ip=10.131.127.113 translated_source_port=853 translated_vlan=iamqu vlan=1324", - "fileset.name": "bigipafm", - "host.ip": "10.60.20.76", - "host.name": "msequ323.www.example", - "input.type": "log", - "log.level": "very-high", - "log.offset": 73773, - "network.protocol": "ipv6-icmp", - "observer.product": "ost", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.2555", - "related.hosts": [ - "msequ323.www.example" - ], - "related.ip": [ - "10.10.46.43", - "10.131.127.113", - "10.136.211.234", - "10.60.20.76" - ], - "related.user": [ - "nev" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Enable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Established" - ], - "rsa.misc.context": "seq", - "rsa.misc.event_type": "tMaloru", - "rsa.misc.obj_name": "archi", - "rsa.misc.policy_name": "caboNe", - "rsa.misc.reference_id": "uovolup", - "rsa.misc.rule_name": "enimips", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.2555", - "rsa.network.alias_host": [ - "msequ323.www.example" - ], - "rsa.network.vlan": 1324, - "rsa.time.event_time_str": "May", - "rule.name": "enimips", - "service.type": "f5", - "source.geo.country_name": "stiaec", - "source.ip": "10.10.46.43", - "source.nat.ip": "10.131.127.113", - "source.nat.port": 853, - "source.port": 7346, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "nev" - }, - { - "destination.geo.country_name": "fdeFini", - "destination.nat.ip": "10.187.237.220", - "destination.nat.port": 7744, - "destination.port": 1295, - "event.action": "Closed", - "event.code": "rinc", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "mwrit dminimve madminim5473.mail.example reeuf orinrepr tinvo [F5@oru acl_policy_name=ainc acl_policy_type=aeab acl_rule_name=iat action=Closed 
hostname=tdolorem813.internal.host bigip_mgmt_ip=10.50.177.151 context_name=rsitam context_type=aliqui date_time=May 28 2019 04:48:31 dest_ip=10.206.65.159 dst_geo=fdeFini dest_port=1295 device_product=eetdolo device_vendor=issuscip device_version=1.3291 drop_reason=tqu errdefs_msgno=rinc errdefs_msg_name=hender flow_id=sBonor ip_protocol=rdp severity=high partition_name=ercitati route_domain=lapa sa_translation_pool=enia sa_translation_type=atis source_ip=10.233.181.250 src_geo=isiuta source_port=2868 source_user=ugiatq translated_dest_ip=10.187.237.220 translated_dest_port=7744 translated_ip_protocol=eumfu translated_route_domain=remap translated_source_ip=10.248.0.74 translated_source_port=6349 translated_vlan=tru vlan=2520", - "fileset.name": "bigipafm", - "host.ip": "10.50.177.151", - "host.name": "tdolorem813.internal.host", - "input.type": "log", - "log.level": "high", - "log.offset": 74658, - "network.protocol": "rdp", - "observer.product": "eetdolo", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.3291", - "related.hosts": [ - "tdolorem813.internal.host" - ], - "related.ip": [ - "10.187.237.220", - "10.233.181.250", - "10.248.0.74", - "10.50.177.151" - ], - "related.user": [ - "ugiatq" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Disable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Closed" - ], - "rsa.misc.context": "rsitam", - "rsa.misc.event_type": "hender", - "rsa.misc.obj_name": "oru", - "rsa.misc.policy_name": "ainc", - "rsa.misc.reference_id": "rinc", - "rsa.misc.rule_name": "iat", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.3291", - "rsa.network.alias_host": [ - "tdolorem813.internal.host" - ], - "rsa.network.vlan": 2520, - "rsa.time.event_time_str": "May", - "rule.name": "iat", - "service.type": "f5", - "source.geo.country_name": "isiuta", - "source.ip": "10.233.181.250", - 
"source.nat.ip": "10.248.0.74", - "source.nat.port": 6349, - "source.port": 2868, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "ugiatq" - }, - { - "destination.geo.country_name": "olab", - "destination.nat.ip": "10.96.223.46", - "destination.nat.port": 3654, - "destination.port": 629, - "event.action": "Established", - "event.code": "ela", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "isautem eiusm assit1598.www5.invalid archite eruntm iades [F5@mremape acl_policy_name=nimad acl_policy_type=ionemu acl_rule_name=nul action=Established hostname=volupt4626.internal.test bigip_mgmt_ip=10.189.43.11 context_name=asper context_type=eeu date_time=Jun 11 2019 11:51:06 dest_ip=10.193.169.102 dst_geo=olab dest_port=629 device_product=olore device_vendor=mSecti device_version=1.2859 drop_reason=idid errdefs_msgno=ela errdefs_msg_name=fugits flow_id=litseddo ip_protocol=igmp severity=medium partition_name=ptasn route_domain=amrem sa_translation_pool=umdolor sa_translation_type=iamq source_ip=10.248.248.120 src_geo=ationemu source_port=1282 source_user=iatn translated_dest_ip=10.96.223.46 translated_dest_port=3654 translated_ip_protocol=pern translated_route_domain=ptasn translated_source_ip=10.80.129.81 translated_source_port=4827 translated_vlan=tat vlan=5084", - "fileset.name": "bigipafm", - "host.ip": "10.189.43.11", - "host.name": "volupt4626.internal.test", - "input.type": "log", - "log.level": "medium", - "log.offset": 75539, - "network.protocol": "igmp", - "observer.product": "olore", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.2859", - "related.hosts": [ - "volupt4626.internal.test" - ], - "related.ip": [ - "10.189.43.11", - "10.248.248.120", - "10.80.129.81", - "10.96.223.46" - ], - "related.user": [ - "iatn" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Enable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": 
"Communication", - "rsa.misc.action": [ - "Established" - ], - "rsa.misc.context": "asper", - "rsa.misc.event_type": "fugits", - "rsa.misc.obj_name": "mremape", - "rsa.misc.policy_name": "nimad", - "rsa.misc.reference_id": "ela", - "rsa.misc.rule_name": "nul", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.2859", - "rsa.network.alias_host": [ - "volupt4626.internal.test" - ], - "rsa.network.vlan": 5084, - "rsa.time.event_time_str": "Jun", - "rule.name": "nul", - "service.type": "f5", - "source.geo.country_name": "ationemu", - "source.ip": "10.248.248.120", - "source.nat.ip": "10.80.129.81", - "source.nat.port": 4827, - "source.port": 1282, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "iatn" - }, - { - "destination.geo.country_name": "metco", - "destination.nat.ip": "10.173.114.63", - "destination.nat.port": 5877, - "destination.port": 4740, - "event.action": "Closed", - "event.code": "radip", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "eruntmo lumdolo urmagnid2749.api.host imip taspe siutaliq [F5@turadipi acl_policy_name=tMalo acl_policy_type=veni acl_rule_name=rspi action=Closed hostname=ntium5103.www5.localhost bigip_mgmt_ip=10.66.106.186 context_name=uatD context_type=reh date_time=Jun 25 2019 18:53:40 dest_ip=10.36.14.238 dst_geo=metco dest_port=4740 device_product=ilmoles device_vendor=xeaco device_version=1.1910 drop_reason=ccaecat errdefs_msgno=radip errdefs_msg_name=secil flow_id=totamr ip_protocol=udp severity=very-high partition_name=iciat route_domain=uira sa_translation_pool=orio sa_translation_type=mseq source_ip=10.102.109.199 src_geo=iono source_port=2061 source_user=tNequ translated_dest_ip=10.173.114.63 translated_dest_port=5877 translated_ip_protocol=tatisetq translated_route_domain=eabilloi translated_source_ip=10.91.115.139 translated_source_port=412 translated_vlan=eroi vlan=2077", - "fileset.name": "bigipafm", - "host.ip": "10.66.106.186", - "host.name": 
"ntium5103.www5.localhost", - "input.type": "log", - "log.level": "very-high", - "log.offset": 76419, - "network.protocol": "udp", - "observer.product": "ilmoles", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.1910", - "related.hosts": [ - "ntium5103.www5.localhost" - ], - "related.ip": [ - "10.102.109.199", - "10.173.114.63", - "10.66.106.186", - "10.91.115.139" - ], - "related.user": [ - "tNequ" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Disable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Closed" - ], - "rsa.misc.context": "uatD", - "rsa.misc.event_type": "secil", - "rsa.misc.obj_name": "turadipi", - "rsa.misc.policy_name": "tMalo", - "rsa.misc.reference_id": "radip", - "rsa.misc.rule_name": "rspi", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.1910", - "rsa.network.alias_host": [ - "ntium5103.www5.localhost" - ], - "rsa.network.vlan": 2077, - "rsa.time.event_time_str": "Jun", - "rule.name": "rspi", - "service.type": "f5", - "source.geo.country_name": "iono", - "source.ip": "10.102.109.199", - "source.nat.ip": "10.91.115.139", - "source.nat.port": 412, - "source.port": 2061, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "tNequ" - }, - { - "destination.geo.country_name": "iratio", - "destination.nat.ip": "10.0.175.17", - "destination.nat.port": 5236, - "destination.port": 7700, - "event.action": "Drop", - "event.code": "iur", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "riatur amrema illum2978.internal.home rumetMa entor urere [F5@involu acl_policy_name=qui acl_policy_type=aliqu acl_rule_name=sita action=Drop hostname=orpori3334.www.local bigip_mgmt_ip=10.198.157.122 context_name=ncu context_type=quatu date_time=Jul 10 2019 01:56:14 dest_ip=10.239.90.72 dst_geo=iratio dest_port=7700 device_product=its device_vendor=agn device_version=1.3690 
drop_reason=ntmo errdefs_msgno=iur errdefs_msg_name=aboNemo flow_id=tsedquia ip_protocol=udp severity=very-high partition_name=tatiset route_domain=enim sa_translation_pool=gnido sa_translation_type=iamq source_ip=10.159.155.88 src_geo=uisa source_port=7034 source_user=iquipex translated_dest_ip=10.0.175.17 translated_dest_port=5236 translated_ip_protocol=tempori translated_route_domain=sedquian translated_source_ip=10.221.223.127 translated_source_port=2687 translated_vlan=ira vlan=3007", - "fileset.name": "bigipafm", - "host.ip": "10.198.157.122", - "host.name": "orpori3334.www.local", - "input.type": "log", - "log.level": "very-high", - "log.offset": 77301, - "network.protocol": "udp", - "observer.product": "its", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.3690", - "related.hosts": [ - "orpori3334.www.local" - ], - "related.ip": [ - "10.0.175.17", - "10.159.155.88", - "10.198.157.122", - "10.221.223.127" - ], - "related.user": [ - "iquipex" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Drop" - ], - "rsa.misc.context": "ncu", - "rsa.misc.event_type": "aboNemo", - "rsa.misc.obj_name": "involu", - "rsa.misc.policy_name": "qui", - "rsa.misc.reference_id": "iur", - "rsa.misc.rule_name": "sita", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.3690", - "rsa.network.alias_host": [ - "orpori3334.www.local" - ], - "rsa.network.vlan": 3007, - "rsa.time.event_time_str": "Jul", - "rule.name": "sita", - "service.type": "f5", - "source.geo.country_name": "uisa", - "source.ip": "10.159.155.88", - "source.nat.ip": "10.221.223.127", - "source.nat.port": 2687, - "source.port": 7034, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "iquipex" - }, - { - "destination.geo.country_name": "chitect", - "destination.nat.ip": "10.252.136.130", - "destination.nat.port": 5601, - "destination.port": 
5316, - "event.action": "Established", - "event.code": "ueporr", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "idolor umdo sequatu7142.internal.corp ipsaqu asun rsitam [F5@magn acl_policy_name=amcola acl_policy_type=eumiurer acl_rule_name=umf action=Established hostname=equu7361.www5.localdomain bigip_mgmt_ip=10.30.20.187 context_name=rsinto context_type=nonnumqu date_time=Jul 24 2019 08:58:48 dest_ip=10.103.47.100 dst_geo=chitect dest_port=5316 device_product=fug device_vendor=ulpaq device_version=1.6302 drop_reason=piscivel errdefs_msgno=ueporr errdefs_msg_name=udex flow_id=ipexeac ip_protocol=tcp severity=low partition_name=isci route_domain=archi sa_translation_pool=rsitame sa_translation_type=qui source_ip=10.7.212.201 src_geo=ion source_port=949 source_user=ugiat translated_dest_ip=10.252.136.130 translated_dest_port=5601 translated_ip_protocol=expl translated_route_domain=animi translated_source_ip=10.189.70.237 translated_source_port=1457 translated_vlan=tnul vlan=24", - "fileset.name": "bigipafm", - "host.ip": "10.30.20.187", - "host.name": "equu7361.www5.localdomain", - "input.type": "log", - "log.level": "low", - "log.offset": 78172, - "network.protocol": "tcp", - "observer.product": "fug", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.6302", - "related.hosts": [ - "equu7361.www5.localdomain" - ], - "related.ip": [ - "10.189.70.237", - "10.252.136.130", - "10.30.20.187", - "10.7.212.201" - ], - "related.user": [ - "ugiat" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Enable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Established" - ], - "rsa.misc.context": "rsinto", - "rsa.misc.event_type": "udex", - "rsa.misc.obj_name": "magn", - "rsa.misc.policy_name": "amcola", - "rsa.misc.reference_id": "ueporr", - "rsa.misc.rule_name": "umf", - "rsa.misc.severity": "low", - 
"rsa.misc.version": "1.6302", - "rsa.network.alias_host": [ - "equu7361.www5.localdomain" - ], - "rsa.network.vlan": 24, - "rsa.time.event_time_str": "Jul", - "rule.name": "umf", - "service.type": "f5", - "source.geo.country_name": "ion", - "source.ip": "10.7.212.201", - "source.nat.ip": "10.189.70.237", - "source.nat.port": 1457, - "source.port": 949, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "ugiat" - }, - { - "destination.geo.country_name": "imadmi", - "destination.nat.ip": "10.102.109.194", - "destination.nat.port": 2324, - "destination.port": 2642, - "event.action": "Established", - "event.code": "agn", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "radip amremap dolorsit64.www.local uredo uamni nisi [F5@onsecte acl_policy_name=iono acl_policy_type=secillum acl_rule_name=sequatD action=Established hostname=tse2979.internal.localhost bigip_mgmt_ip=10.242.121.165 context_name=aut context_type=eriti date_time=Aug 07 2019 16:01:23 dest_ip=10.88.229.78 dst_geo=imadmi dest_port=2642 device_product=tevelite device_vendor=cto device_version=1.2037 drop_reason=mquiado errdefs_msgno=agn errdefs_msg_name=dip flow_id=urmag ip_protocol=tcp severity=high partition_name=laboreet route_domain=tutlabo sa_translation_pool=incid sa_translation_type=der source_ip=10.83.105.69 src_geo=usm source_port=2153 source_user=mni translated_dest_ip=10.102.109.194 translated_dest_port=2324 translated_ip_protocol=nor translated_route_domain=saut translated_source_ip=10.60.224.93 translated_source_port=1508 translated_vlan=deomnis vlan=354", - "fileset.name": "bigipafm", - "host.ip": "10.242.121.165", - "host.name": "tse2979.internal.localhost", - "input.type": "log", - "log.level": "high", - "log.offset": 79051, - "network.protocol": "tcp", - "observer.product": "tevelite", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.2037", - "related.hosts": [ - "tse2979.internal.localhost" - ], - "related.ip": [ - 
"10.102.109.194", - "10.242.121.165", - "10.60.224.93", - "10.83.105.69" - ], - "related.user": [ - "mni" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Enable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Established" - ], - "rsa.misc.context": "aut", - "rsa.misc.event_type": "dip", - "rsa.misc.obj_name": "onsecte", - "rsa.misc.policy_name": "iono", - "rsa.misc.reference_id": "agn", - "rsa.misc.rule_name": "sequatD", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.2037", - "rsa.network.alias_host": [ - "tse2979.internal.localhost" - ], - "rsa.network.vlan": 354, - "rsa.time.event_time_str": "Aug", - "rule.name": "sequatD", - "service.type": "f5", - "source.geo.country_name": "usm", - "source.ip": "10.83.105.69", - "source.nat.ip": "10.60.224.93", - "source.nat.port": 1508, - "source.port": 2153, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "mni" - }, - { - "destination.geo.country_name": "tenbyCi", - "destination.nat.ip": "10.181.134.69", - "destination.nat.port": 551, - "destination.port": 4371, - "event.action": "Accept", - "event.code": "tion", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "tla nimve edutpe1255.internal.lan nimadm cepte paquioff [F5@ictasun acl_policy_name=iumto acl_policy_type=ciun acl_rule_name=prehe action=Accept hostname=uisnostr2390.mail.domain bigip_mgmt_ip=10.251.167.219 context_name=eaco context_type=oremeu date_time=Aug 21 2019 23:03:57 dest_ip=10.14.251.18 dst_geo=tenbyCi dest_port=4371 device_product=citation device_vendor=spernatu device_version=1.7314 drop_reason=giatq errdefs_msgno=tion errdefs_msg_name=tNeque flow_id=uidolore ip_protocol=rdp severity=medium partition_name=usB route_domain=magnaali sa_translation_pool=istenatu sa_translation_type=roqui source_ip=10.17.20.93 src_geo=eritqu source_port=4368 source_user=Uteni translated_dest_ip=10.181.134.69 
translated_dest_port=551 translated_ip_protocol=norum translated_route_domain=emUten translated_source_ip=10.219.174.45 translated_source_port=4055 translated_vlan=idolo vlan=968", - "fileset.name": "bigipafm", - "host.ip": "10.251.167.219", - "host.name": "uisnostr2390.mail.domain", - "input.type": "log", - "log.level": "medium", - "log.offset": 79926, - "network.protocol": "rdp", - "observer.product": "citation", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.7314", - "related.hosts": [ - "uisnostr2390.mail.domain" - ], - "related.ip": [ - "10.17.20.93", - "10.181.134.69", - "10.219.174.45", - "10.251.167.219" - ], - "related.user": [ - "Uteni" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Accept" - ], - "rsa.misc.context": "eaco", - "rsa.misc.event_type": "tNeque", - "rsa.misc.obj_name": "ictasun", - "rsa.misc.policy_name": "iumto", - "rsa.misc.reference_id": "tion", - "rsa.misc.rule_name": "prehe", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.7314", - "rsa.network.alias_host": [ - "uisnostr2390.mail.domain" - ], - "rsa.network.vlan": 968, - "rsa.time.event_time_str": "Aug", - "rule.name": "prehe", - "service.type": "f5", - "source.geo.country_name": "eritqu", - "source.ip": "10.17.20.93", - "source.nat.ip": "10.219.174.45", - "source.nat.port": 4055, - "source.port": 4368, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "Uteni" - }, - { - "destination.geo.country_name": "elaud", - "destination.nat.ip": "10.28.233.253", - "destination.nat.port": 1159, - "destination.port": 4916, - "event.action": "Accept", - "event.code": "iti", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "mmodicon nisis edquia4523.www.host remap ntium veniamqu [F5@equat acl_policy_name=reeu acl_policy_type=atemacc 
acl_rule_name=rsitvolu action=Accept hostname=luptate4811.mail.example bigip_mgmt_ip=10.30.117.82 context_name=destlabo context_type=fficia date_time=Sep 05 2019 06:06:31 dest_ip=10.245.75.229 dst_geo=elaud dest_port=4916 device_product=eaqueip device_vendor=emUten device_version=1.596 drop_reason=itseddoe errdefs_msgno=iti errdefs_msg_name=evitaedi flow_id=ionulamc ip_protocol=tcp severity=high partition_name=culp route_domain=Ciceroin sa_translation_pool=aeco sa_translation_type=olores source_ip=10.223.99.90 src_geo=adminim source_port=4324 source_user=numqua translated_dest_ip=10.28.233.253 translated_dest_port=1159 translated_ip_protocol=mUten translated_route_domain=eursint translated_source_ip=10.37.14.20 translated_source_port=6531 translated_vlan=teurs vlan=4919", - "fileset.name": "bigipafm", - "host.ip": "10.30.117.82", - "host.name": "luptate4811.mail.example", - "input.type": "log", - "log.level": "high", - "log.offset": 80814, - "network.protocol": "tcp", - "observer.product": "eaqueip", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.596", - "related.hosts": [ - "luptate4811.mail.example" - ], - "related.ip": [ - "10.223.99.90", - "10.28.233.253", - "10.30.117.82", - "10.37.14.20" - ], - "related.user": [ - "numqua" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Accept" - ], - "rsa.misc.context": "destlabo", - "rsa.misc.event_type": "evitaedi", - "rsa.misc.obj_name": "equat", - "rsa.misc.policy_name": "reeu", - "rsa.misc.reference_id": "iti", - "rsa.misc.rule_name": "rsitvolu", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.596", - "rsa.network.alias_host": [ - "luptate4811.mail.example" - ], - "rsa.network.vlan": 4919, - "rsa.time.event_time_str": "Sep", - "rule.name": "rsitvolu", - "service.type": "f5", - "source.geo.country_name": 
"adminim", - "source.ip": "10.223.99.90", - "source.nat.ip": "10.37.14.20", - "source.nat.port": 6531, - "source.port": 4324, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "numqua" - }, - { - "destination.geo.country_name": "tess", - "destination.nat.ip": "10.57.85.113", - "destination.nat.port": 1024, - "destination.port": 4686, - "event.action": "Closed", - "event.code": "rainc", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "aaliq nos uaUteni562.www.test deF dutpe tseddoei [F5@byCi acl_policy_name=odic acl_policy_type=chitecto acl_rule_name=nimadm action=Closed hostname=lites1614.www.corp bigip_mgmt_ip=10.125.20.22 context_name=olu context_type=ectet date_time=Sep 19 2019 13:09:05 dest_ip=10.121.189.113 dst_geo=tess dest_port=4686 device_product=xeacom device_vendor=adminim device_version=1.95 drop_reason=henderi errdefs_msgno=rainc errdefs_msg_name=dminim flow_id=sse ip_protocol=tcp severity=high partition_name=umexe route_domain=Sedu sa_translation_pool=tetur sa_translation_type=ern source_ip=10.50.61.114 src_geo=nvento source_port=649 source_user=qua translated_dest_ip=10.57.85.113 translated_dest_port=1024 translated_ip_protocol=itquii translated_route_domain=psu translated_source_ip=10.8.32.17 translated_source_port=3788 translated_vlan=nem vlan=5883", - "fileset.name": "bigipafm", - "host.ip": "10.125.20.22", - "host.name": "lites1614.www.corp", - "input.type": "log", - "log.level": "high", - "log.offset": 81706, - "network.protocol": "tcp", - "observer.product": "xeacom", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.95", - "related.hosts": [ - "lites1614.www.corp" - ], - "related.ip": [ - "10.125.20.22", - "10.50.61.114", - "10.57.85.113", - "10.8.32.17" - ], - "related.user": [ - "qua" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Disable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": 
"Communication", - "rsa.misc.action": [ - "Closed" - ], - "rsa.misc.context": "olu", - "rsa.misc.event_type": "dminim", - "rsa.misc.obj_name": "byCi", - "rsa.misc.policy_name": "odic", - "rsa.misc.reference_id": "rainc", - "rsa.misc.rule_name": "nimadm", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.95", - "rsa.network.alias_host": [ - "lites1614.www.corp" - ], - "rsa.network.vlan": 5883, - "rsa.time.event_time_str": "Sep", - "rule.name": "nimadm", - "service.type": "f5", - "source.geo.country_name": "nvento", - "source.ip": "10.50.61.114", - "source.nat.ip": "10.8.32.17", - "source.nat.port": 3788, - "source.port": 649, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "qua" - }, - { - "destination.geo.country_name": "voluptat", - "destination.nat.ip": "10.113.78.101", - "destination.nat.port": 2707, - "destination.port": 1549, - "event.action": "Closed", - "event.code": "tam", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "sitasper agni ivelit1640.internal.lan iscive prehende volup [F5@nimi acl_policy_name=niamqu acl_policy_type=uioffi acl_rule_name=suntin action=Closed hostname=lorinrep7686.mail.corp bigip_mgmt_ip=10.200.28.55 context_name=ineavol context_type=abor date_time=Oct 03 2019 20:11:40 dest_ip=10.232.122.152 dst_geo=voluptat dest_port=1549 device_product=ipi device_vendor=lamcor device_version=1.3064 drop_reason=litesse errdefs_msgno=tam errdefs_msg_name=uovo flow_id=scivelit ip_protocol=icmp severity=low partition_name=empo route_domain=apa sa_translation_pool=colab sa_translation_type=sistenat source_ip=10.215.224.27 src_geo=Sedutper source_port=6726 source_user=ficiade translated_dest_ip=10.113.78.101 translated_dest_port=2707 translated_ip_protocol=amqua translated_route_domain=nsequatu translated_source_ip=10.181.63.82 translated_source_port=168 translated_vlan=tse vlan=4029", - "fileset.name": "bigipafm", - "host.ip": "10.200.28.55", - "host.name": "lorinrep7686.mail.corp", - "input.type": 
"log", - "log.level": "low", - "log.offset": 82553, - "network.protocol": "icmp", - "observer.product": "ipi", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.3064", - "related.hosts": [ - "lorinrep7686.mail.corp" - ], - "related.ip": [ - "10.113.78.101", - "10.181.63.82", - "10.200.28.55", - "10.215.224.27" - ], - "related.user": [ - "ficiade" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Disable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Closed" - ], - "rsa.misc.context": "ineavol", - "rsa.misc.event_type": "uovo", - "rsa.misc.obj_name": "nimi", - "rsa.misc.policy_name": "niamqu", - "rsa.misc.reference_id": "tam", - "rsa.misc.rule_name": "suntin", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.3064", - "rsa.network.alias_host": [ - "lorinrep7686.mail.corp" - ], - "rsa.network.vlan": 4029, - "rsa.time.event_time_str": "Oct", - "rule.name": "suntin", - "service.type": "f5", - "source.geo.country_name": "Sedutper", - "source.ip": "10.215.224.27", - "source.nat.ip": "10.181.63.82", - "source.nat.port": 168, - "source.port": 6726, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "ficiade" - }, - { - "destination.geo.country_name": "nsec", - "destination.nat.ip": "10.139.20.223", - "destination.nat.port": 114, - "destination.port": 6720, - "event.action": "Established", - "event.code": "nde", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "ueip amvo dolorsi306.www5.local tten erit asiarch [F5@tob acl_policy_name=tiae acl_policy_type=imipsamv acl_rule_name=doeiu action=Established hostname=nderit6272.mail.example bigip_mgmt_ip=10.177.14.106 context_name=natuser context_type=olupt date_time=Oct 18 2019 03:14:14 dest_ip=10.239.142.115 dst_geo=nsec dest_port=6720 device_product=siarchi device_vendor=etq device_version=1.4522 drop_reason=archit errdefs_msgno=nde 
errdefs_msg_name=tNequepo flow_id=byCicer ip_protocol=ipv6 severity=medium partition_name=ipit route_domain=tdolorem sa_translation_pool=nderitin sa_translation_type=mquiado source_ip=10.169.95.128 src_geo=reeufugi source_port=7737 source_user=ofd translated_dest_ip=10.139.20.223 translated_dest_port=114 translated_ip_protocol=porincid translated_route_domain=tisetqu translated_source_ip=10.243.43.168 translated_source_port=2110 translated_vlan=ehenderi vlan=2215", - "fileset.name": "bigipafm", - "host.ip": "10.177.14.106", - "host.name": "nderit6272.mail.example", - "input.type": "log", - "log.level": "medium", - "log.offset": 83438, - "network.protocol": "ipv6", - "observer.product": "siarchi", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.4522", - "related.hosts": [ - "nderit6272.mail.example" - ], - "related.ip": [ - "10.139.20.223", - "10.169.95.128", - "10.177.14.106", - "10.243.43.168" - ], - "related.user": [ - "ofd" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Enable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Established" - ], - "rsa.misc.context": "natuser", - "rsa.misc.event_type": "tNequepo", - "rsa.misc.obj_name": "tob", - "rsa.misc.policy_name": "tiae", - "rsa.misc.reference_id": "nde", - "rsa.misc.rule_name": "doeiu", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.4522", - "rsa.network.alias_host": [ - "nderit6272.mail.example" - ], - "rsa.network.vlan": 2215, - "rsa.time.event_time_str": "Oct", - "rule.name": "doeiu", - "service.type": "f5", - "source.geo.country_name": "reeufugi", - "source.ip": "10.169.95.128", - "source.nat.ip": "10.243.43.168", - "source.nat.port": 2110, - "source.port": 7737, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "ofd" - }, - { - "destination.geo.country_name": "orsit", - "destination.nat.ip": "10.39.100.88", - "destination.nat.port": 
5195, - "destination.port": 3315, - "event.action": "Established", - "event.code": "rroqui", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "ipsu iden oreseo1541.mail.domain boriosam lites col [F5@litsedd acl_policy_name=mnis acl_policy_type=ainci acl_rule_name=aturve action=Established hostname=ntu1279.mail.lan bigip_mgmt_ip=10.92.168.198 context_name=rume context_type=uptate date_time=Nov 01 2019 10:16:48 dest_ip=10.115.225.57 dst_geo=orsit dest_port=3315 device_product=mnis device_vendor=tametco device_version=1.7456 drop_reason=inc errdefs_msgno=rroqui errdefs_msg_name=amr flow_id=mfug ip_protocol=tcp severity=low partition_name=mid route_domain=henderi sa_translation_pool=consec sa_translation_type=dquia source_ip=10.90.93.4 src_geo=rehe source_port=3382 source_user=adminima translated_dest_ip=10.39.100.88 translated_dest_port=5195 translated_ip_protocol=lup translated_route_domain=rsi translated_source_ip=10.18.176.44 translated_source_port=7284 translated_vlan=Utenimad vlan=4305", - "fileset.name": "bigipafm", - "host.ip": "10.92.168.198", - "host.name": "ntu1279.mail.lan", - "input.type": "log", - "log.level": "low", - "log.offset": 84332, - "network.protocol": "tcp", - "observer.product": "mnis", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.7456", - "related.hosts": [ - "ntu1279.mail.lan" - ], - "related.ip": [ - "10.18.176.44", - "10.39.100.88", - "10.90.93.4", - "10.92.168.198" - ], - "related.user": [ - "adminima" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Enable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Established" - ], - "rsa.misc.context": "rume", - "rsa.misc.event_type": "amr", - "rsa.misc.obj_name": "litsedd", - "rsa.misc.policy_name": "mnis", - "rsa.misc.reference_id": "rroqui", - "rsa.misc.rule_name": "aturve", - "rsa.misc.severity": "low", - 
"rsa.misc.version": "1.7456", - "rsa.network.alias_host": [ - "ntu1279.mail.lan" - ], - "rsa.network.vlan": 4305, - "rsa.time.event_time_str": "Nov", - "rule.name": "aturve", - "service.type": "f5", - "source.geo.country_name": "rehe", - "source.ip": "10.90.93.4", - "source.nat.ip": "10.18.176.44", - "source.nat.port": 7284, - "source.port": 3382, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "adminima" - }, - { - "destination.geo.country_name": "enimip", - "destination.nat.ip": "10.193.43.135", - "destination.nat.port": 4650, - "destination.port": 3957, - "event.action": "Reject", - "event.code": "empori", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "Bon amquisno mullam6505.www.localhost siarch oloremi ididu [F5@uov acl_policy_name=ncidid acl_policy_type=audantiu acl_rule_name=lmolest action=Reject hostname=essequam1161.domain bigip_mgmt_ip=10.49.68.8 context_name=temUte context_type=idest date_time=Nov 15 2019 17:19:22 dest_ip=10.8.247.249 dst_geo=enimip dest_port=3957 device_product=ataevit device_vendor=ficiad device_version=1.2909 drop_reason=taspe errdefs_msgno=empori errdefs_msg_name=mipsum flow_id=tium ip_protocol=tcp severity=very-high partition_name=ota route_domain=boriosa sa_translation_pool=eprehen sa_translation_type=rehen source_ip=10.163.203.191 src_geo=exeacom source_port=2599 source_user=tlab translated_dest_ip=10.193.43.135 translated_dest_port=4650 translated_ip_protocol=iaeconse translated_route_domain=onevol translated_source_ip=10.173.13.179 translated_source_port=1211 translated_vlan=ptasn vlan=3791", - "fileset.name": "bigipafm", - "host.ip": "10.49.68.8", - "host.name": "essequam1161.domain", - "input.type": "log", - "log.level": "very-high", - "log.offset": 85192, - "network.protocol": "tcp", - "observer.product": "ataevit", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.2909", - "related.hosts": [ - "essequam1161.domain" - ], - "related.ip": [ - 
"10.163.203.191", - "10.173.13.179", - "10.193.43.135", - "10.49.68.8" - ], - "related.user": [ - "tlab" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Reject" - ], - "rsa.misc.context": "temUte", - "rsa.misc.event_type": "mipsum", - "rsa.misc.obj_name": "uov", - "rsa.misc.policy_name": "ncidid", - "rsa.misc.reference_id": "empori", - "rsa.misc.rule_name": "lmolest", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.2909", - "rsa.network.alias_host": [ - "essequam1161.domain" - ], - "rsa.network.vlan": 3791, - "rsa.time.event_time_str": "Nov", - "rule.name": "lmolest", - "service.type": "f5", - "source.geo.country_name": "exeacom", - "source.ip": "10.163.203.191", - "source.nat.ip": "10.173.13.179", - "source.nat.port": 1211, - "source.port": 2599, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "tlab" - }, - { - "destination.geo.country_name": "Loremips", - "destination.nat.ip": "10.209.226.7", - "destination.nat.port": 7745, - "destination.port": 4361, - "event.action": "Closed", - "event.code": "rror", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "ctetur amqui itatise2264.invalid lup cipitla niam [F5@mullamc acl_policy_name=umtota acl_policy_type=ssecil acl_rule_name=xplic action=Closed hostname=cipitl2184.localdomain bigip_mgmt_ip=10.240.47.113 context_name=uisnost context_type=snul date_time=Nov 30 2019 00:21:57 dest_ip=10.191.241.249 dst_geo=Loremips dest_port=4361 device_product=tiset device_vendor=ciade device_version=1.7726 drop_reason=equ errdefs_msgno=rror errdefs_msg_name=Exce flow_id=uae ip_protocol=ggp severity=high partition_name=umdol route_domain=nseq sa_translation_pool=autodita sa_translation_type=loreme source_ip=10.84.64.28 src_geo=par source_port=3938 source_user=ull translated_dest_ip=10.209.226.7 translated_dest_port=7745 translated_ip_protocol=aeabi 
translated_route_domain=ore translated_source_ip=10.31.147.51 translated_source_port=7780 translated_vlan=ptate vlan=3154", - "fileset.name": "bigipafm", - "host.ip": "10.240.47.113", - "host.name": "cipitl2184.localdomain", - "input.type": "log", - "log.level": "high", - "log.offset": 86081, - "network.protocol": "ggp", - "observer.product": "tiset", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.7726", - "related.hosts": [ - "cipitl2184.localdomain" - ], - "related.ip": [ - "10.209.226.7", - "10.240.47.113", - "10.31.147.51", - "10.84.64.28" - ], - "related.user": [ - "ull" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Disable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Closed" - ], - "rsa.misc.context": "uisnost", - "rsa.misc.event_type": "Exce", - "rsa.misc.obj_name": "mullamc", - "rsa.misc.policy_name": "umtota", - "rsa.misc.reference_id": "rror", - "rsa.misc.rule_name": "xplic", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.7726", - "rsa.network.alias_host": [ - "cipitl2184.localdomain" - ], - "rsa.network.vlan": 3154, - "rsa.time.event_time_str": "Nov", - "rule.name": "xplic", - "service.type": "f5", - "source.geo.country_name": "par", - "source.ip": "10.84.64.28", - "source.nat.ip": "10.31.147.51", - "source.nat.port": 7780, - "source.port": 3938, - "tags": [ - "f5.bigipafm", - "forwarded" - ], - "user.name": "ull" - }, - { - "destination.geo.country_name": "oremipsu", - "destination.nat.ip": "10.86.1.244", - "destination.nat.port": 7101, - "destination.port": 5644, - "event.action": "Closed", - "event.code": "tateve", - "event.dataset": "f5.bigipafm", - "event.module": "f5", - "event.original": "fugit dantiu ntutla1447.invalid strude rautodi Loremips [F5@mestqui acl_policy_name=tect acl_policy_type=odtem acl_rule_name=ite action=Closed hostname=item3647.home bigip_mgmt_ip=10.32.20.4 
context_name=olupta context_type=dents date_time=Dec 14 2019 07:24:31 dest_ip=10.166.40.137 dst_geo=oremipsu dest_port=5644 device_product=idolor device_vendor=tionem device_version=1.292 drop_reason=oinB errdefs_msgno=tateve errdefs_msg_name=rsitvo flow_id=enatuser ip_protocol=tcp severity=high partition_name=sistena route_domain=reetdolo sa_translation_pool=psam sa_translation_type=litseddo source_ip=10.225.189.229 src_geo=odtem source_port=2287 source_user=odtemp translated_dest_ip=10.86.1.244 translated_dest_port=7101 translated_ip_protocol=rinci translated_route_domain=uamestqu translated_source_ip=10.52.13.192 translated_source_port=4714 translated_vlan=remagna vlan=439", - "fileset.name": "bigipafm", - "host.ip": "10.32.20.4", - "host.name": "item3647.home", - "input.type": "log", - "log.level": "high", - "log.offset": 86941, - "network.protocol": "tcp", - "observer.product": "idolor", - "observer.type": "Firewall", - "observer.vendor": "F5", - "observer.version": "1.292", - "related.hosts": [ - "item3647.home" - ], - "related.ip": [ - "10.225.189.229", - "10.32.20.4", - "10.52.13.192", - "10.86.1.244" - ], - "related.user": [ - "odtemp" - ], - "rsa.internal.messageid": "BIGIP_AFM", - "rsa.investigations.ec_activity": "Disable", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "Closed" - ], - "rsa.misc.context": "olupta", - "rsa.misc.event_type": "rsitvo", - "rsa.misc.obj_name": "mestqui", - "rsa.misc.policy_name": "tect", - "rsa.misc.reference_id": "tateve", - "rsa.misc.rule_name": "ite", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.292", - "rsa.network.alias_host": [ - "item3647.home" - ], - "rsa.network.vlan": 439, - "rsa.time.event_time_str": "Dec", - "rule.name": "ite", - "service.type": "f5", - "source.geo.country_name": "odtem", - "source.ip": "10.225.189.229", - "source.nat.ip": "10.52.13.192", - "source.nat.port": 4714, - "source.port": 2287, - "tags": [ - 
"f5.bigipafm", - "forwarded" - ], - "user.name": "odtemp" - } -]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/f5/bigipapm/_meta/fields.yml b/x-pack/filebeat/module/f5/bigipapm/_meta/fields.yml
deleted file mode 100644
index 08a34153c4f..00000000000
--- a/x-pack/filebeat/module/f5/bigipapm/_meta/fields.yml
+++ /dev/null
@@ -1,2635 +0,0 @@ -- name: network.interface.name - overwrite: true - type: keyword - description: > - Name of the network interface where the traffic has been observed. -- name: rsa - overwrite: true - type: group - fields: - - name: internal - overwrite: true - type: group - fields: - - name: msg - overwrite: true - type: keyword - description: This key is used to capture the raw message that comes into the - Log Decoder - - name: messageid - overwrite: true - type: keyword - - name: event_desc - overwrite: true - type: keyword - - name: message - overwrite: true - type: keyword - description: This key captures the contents of instant messages - - name: time - overwrite: true - type: date - description: This is the time at which a session hits a NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness. - - name: level - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: msg_id - overwrite: true - type: keyword - description: This is the Message ID1 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: msg_vid - overwrite: true - type: keyword - description: This is the Message ID2 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: data - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: resource - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: statement - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: entry - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: inode - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: resource_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: dead - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - overwrite: true - type: keyword - description: This is used to capture the description of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: feed_name - overwrite: true - type: keyword - description: This is used to capture the name of the feed. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: cid - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_class - overwrite: true - type: keyword - description: This is the Classification of the Log Event Source under a predefined - fixed set of Event Source Classifications. 
This key should never be used to - parse Meta data from a session (Logs/Packets) Directly, this is a Reserved - key in NetWitness - - name: device_group - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - overwrite: true - type: keyword - description: This is the Hostname of the log Event Source sending the logs to - NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - overwrite: true - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - overwrite: true - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - overwrite: true - type: keyword - description: This is the name of the log parser which parsed a given session. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_type_id - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: did - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. 
- This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: entropy_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: entropy_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: event_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - overwrite: true - type: keyword - description: This is used to capture the category of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: forward_ip - overwrite: true - type: ip - description: This key should be used to capture the IPV4 address of a relay - system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - overwrite: true - type: ip - description: This key is used to capture the IPV6 address of a relay system - which forwarded the events from the original system to NetWitness. This key - should never be used to parse Meta data from a session (Logs/Packets) Directly, - this is a Reserved key in NetWitness - - name: header_id - overwrite: true - type: keyword - description: This is the Header ID value that identifies the exact log parser - header definition that parses a particular log session. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: lc_cid - overwrite: true - type: keyword - description: This is a unique Identifier of a Log Collector. 
This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: lc_ctime - overwrite: true - type: date - description: This is the time at which a log is collected in a NetWitness Log - Collector. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: mcbc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: medium - overwrite: true - type: long - description: "This key is used to identify if it\u2019s a log/packet session\ - \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ - \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ - \ 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: nwe_callback_id - overwrite: true - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - overwrite: true - type: keyword - description: This is a special key that stores any Meta key validation error - found while parsing a log session. This key should never be used to parse - Meta data from a session (Logs/Packets) Directly, this is a Reserved key in - NetWitness - - name: payload_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: payload_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: process_vid_dst - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the target process. - - name: process_vid_src - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the source process. - - name: rid - overwrite: true - type: long - description: This is a special ID of the Remote Session created by NetWitness - Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: session_split - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: size - overwrite: true - type: long - description: This is the size of the session as seen by the NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: sourcefile - overwrite: true - type: keyword - description: This is the name of the log file or PCAPs that can be imported - into NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: ubc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: word - overwrite: true - type: keyword - description: This is used by the Word Parsing technology to capture the first - 5 character of every word in an unparsed log - - name: time - overwrite: true - type: group - fields: - - name: event_time - overwrite: true - type: date - description: This key is used to capture the time mentioned in a raw session - that represents the actual time an event occured in a standard normalized - form - - name: duration_time - overwrite: true - type: double - description: This key is used to capture the normalized duration/lifetime in - seconds. 
- - name: event_time_str - overwrite: true - type: keyword - description: This key is used to capture the incomplete time mentioned in a - session as a string - - name: starttime - overwrite: true - type: date - description: This key is used to capture the Start time mentioned in a session - in a standard form - - name: month - overwrite: true - type: keyword - - name: day - overwrite: true - type: keyword - - name: endtime - overwrite: true - type: date - description: This key is used to capture the End time mentioned in a session - in a standard form - - name: timezone - overwrite: true - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - overwrite: true - type: keyword - description: A text string version of the duration - - name: date - overwrite: true - type: keyword - - name: year - overwrite: true - type: keyword - - name: recorded_time - overwrite: true - type: date - description: The event time as recorded by the system the event is collected - from. The usage scenario is a multi-tier application where the management - layer of the system records it's own timestamp at the time of collection from - its child nodes. Must be in timestamp format. - - name: datetime - overwrite: true - type: keyword - - name: effective_time - overwrite: true - type: date - description: This key is the effective time referenced by an individual event - in a Standard Timestamp format - - name: expire_time - overwrite: true - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - overwrite: true - type: keyword - description: Deprecated, use duration.time - - name: hour - overwrite: true - type: keyword - - name: min - overwrite: true - type: keyword - - name: timestamp - overwrite: true - type: keyword - - name: event_queue_time - overwrite: true - type: date - description: This key is the Time that the event was queued. 
- - name: p_time1 - overwrite: true - type: keyword - - name: tzone - overwrite: true - type: keyword - - name: eventtime - overwrite: true - type: keyword - - name: gmtdate - overwrite: true - type: keyword - - name: gmttime - overwrite: true - type: keyword - - name: p_date - overwrite: true - type: keyword - - name: p_month - overwrite: true - type: keyword - - name: p_time - overwrite: true - type: keyword - - name: p_time2 - overwrite: true - type: keyword - - name: p_year - overwrite: true - type: keyword - - name: expire_time_str - overwrite: true - type: keyword - description: This key is used to capture incomplete timestamp that explicitly - refers to an expiration. - - name: stamp - overwrite: true - type: date - description: Deprecated key defined only in table map. - - name: misc - overwrite: true - type: group - fields: - - name: action - overwrite: true - type: keyword - - name: result - overwrite: true - type: keyword - description: This key is used to capture the outcome/result string value of - an action in a session. - - name: severity - overwrite: true - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - overwrite: true - type: keyword - description: This key captures the event category type as specified by the event - source. - - name: reference_id - overwrite: true - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - overwrite: true - type: keyword - description: This key captures Version of the application or OS which is generating - the event. - - name: disposition - overwrite: true - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - overwrite: true - type: keyword - description: This key is used to capture the outcome/result numeric value of - an action in a session - - name: category - overwrite: true - type: keyword - description: This key is used to capture the category of an event given by the - vendor in the session - - name: obj_name - overwrite: true - type: keyword - description: This is used to capture name of object - - name: obj_type - overwrite: true - type: keyword - description: This is used to capture type of object - - name: event_source - overwrite: true - type: keyword - description: "This key captures Source of the event that\u2019s not a hostname" - - name: log_session_id - overwrite: true - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - overwrite: true - type: keyword - description: This key captures the Group Name value - - name: policy_name - overwrite: true - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - overwrite: true - type: keyword - description: This key captures the Rule Name - - name: context - overwrite: true - type: keyword - description: This key captures Information which adds additional context to - the event. - - name: change_new - overwrite: true - type: keyword - description: "This key is used to capture the new values of the attribute that\u2019\ - s changing in a session" - - name: space - overwrite: true - type: keyword - - name: client - overwrite: true - type: keyword - description: This key is used to capture only the name of the client application - requesting resources of the server. See the user.agent meta key for capture - of the specific user agent identifier or browser identification string. 
- - name: msgIdPart1 - overwrite: true - type: keyword - - name: msgIdPart2 - overwrite: true - type: keyword - - name: change_old - overwrite: true - type: keyword - description: "This key is used to capture the old value of the attribute that\u2019\ - s changing in a session" - - name: operation_id - overwrite: true - type: keyword - description: An alert number or operation number. The values should be unique - and non-repeating. - - name: event_state - overwrite: true - type: keyword - description: This key captures the current state of the object/item referenced - within the event. Describing an on-going event. - - name: group_object - overwrite: true - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - overwrite: true - type: keyword - description: Common use case is the node name within a cluster. The cluster - name is reflected by the host name. - - name: rule - overwrite: true - type: keyword - description: This key captures the Rule number - - name: device_name - overwrite: true - type: keyword - description: 'This is used to capture name of the Device associated with the - node Like: a physical disk, printer, etc' - - name: param - overwrite: true - type: keyword - description: This key is the parameters passed as part of a command or application, - etc. - - name: change_attrib - overwrite: true - type: keyword - description: "This key is used to capture the name of the attribute that\u2019\ - s changing in a session" - - name: event_computer - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - fully qualified domain name in a windows log. 
- - name: reference_id1 - overwrite: true - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - overwrite: true - type: keyword - description: This key captures the Name of the event log - - name: OS - overwrite: true - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - overwrite: true - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - overwrite: true - type: keyword - - name: filter - overwrite: true - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - overwrite: true - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the entity - such as a file or process. Checksum should be used over checksum.src or checksum.dst - when it is unclear whether the entity is a source or target of an action. - - name: event_user - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - combination of domain name and username in a windows log. - - name: virusname - overwrite: true - type: keyword - description: This key captures the name of the virus - - name: content_type - overwrite: true - type: keyword - description: This key is used to capture Content Type only. 
- - name: group_id - overwrite: true - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - overwrite: true - type: keyword - description: This key is used to capture the Policy ID only, this should be - a numeric value, use policy.name otherwise - - name: vsys - overwrite: true - type: keyword - description: This key captures Virtual System Name - - name: connection_id - overwrite: true - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - overwrite: true - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" - or "reference.id1" value but should not be used unless the other two variables - are in play. - - name: sensor - overwrite: true - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS - based devices - - name: sig_id - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - overwrite: true - type: keyword - description: 'This key is used for Physical or logical port connection but does - NOT include a network port. (Example: Printer port name).' - - name: rule_group - overwrite: true - type: keyword - description: This key captures the Rule group name - - name: risk_num - overwrite: true - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - overwrite: true - type: keyword - description: This key captures the Value of the trigger or threshold condition. - - name: log_session_id1 - overwrite: true - type: keyword - description: This key is used to capture a Linked (Related) Session ID from - the session directly - - name: comp_version - overwrite: true - type: keyword - description: This key captures the Version level of a sub-component of a product. 
- - name: content_version - overwrite: true - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - overwrite: true - type: keyword - description: This key is used to capture unique identifier for a device or system - (NOT a Mac address) - - name: risk - overwrite: true - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - overwrite: true - type: keyword - - name: reason - overwrite: true - type: keyword - - name: status - overwrite: true - type: keyword - - name: mail_id - overwrite: true - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - overwrite: true - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - overwrite: true - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - overwrite: true - type: keyword - - name: p_msgid - overwrite: true - type: keyword - - name: data_type - overwrite: true - type: keyword - - name: msgIdPart4 - overwrite: true - type: keyword - - name: error - overwrite: true - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - overwrite: true - type: keyword - - name: listnum - overwrite: true - type: keyword - description: This key is used to capture listname or listnumber, primarily for - collecting access-list - - name: ntype - overwrite: true - type: keyword - - name: observed_val - overwrite: true - type: keyword - description: This key captures the Value observed (from the perspective of the - device generating the log). - - name: policy_value - overwrite: true - type: keyword - description: This key captures the contents of the policy. 
This contains details - about the policy - - name: pool_name - overwrite: true - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - overwrite: true - type: keyword - description: A default set of parameters which are overlayed onto a rule (or - rulename) which efffectively constitutes a template - - name: count - overwrite: true - type: keyword - - name: number - overwrite: true - type: keyword - - name: sigcat - overwrite: true - type: keyword - - name: type - overwrite: true - type: keyword - - name: comments - overwrite: true - type: keyword - description: Comment information provided in the log message - - name: doc_number - overwrite: true - type: long - description: This key captures File Identification number - - name: expected_val - overwrite: true - type: keyword - description: This key captures the Value expected (from the perspective of the - device generating the log). - - name: job_num - overwrite: true - type: keyword - description: This key captures the Job Number - - name: spi_dst - overwrite: true - type: keyword - description: Destination SPI Index - - name: spi_src - overwrite: true - type: keyword - description: Source SPI Index - - name: code - overwrite: true - type: keyword - - name: agent_id - overwrite: true - type: keyword - description: This key is used to capture agent id - - name: message_body - overwrite: true - type: keyword - description: This key captures the The contents of the message body. - - name: phone - overwrite: true - type: keyword - - name: sig_id_str - overwrite: true - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - overwrite: true - type: keyword - - name: misc - overwrite: true - type: keyword - - name: name - overwrite: true - type: keyword - - name: cpu - overwrite: true - type: long - description: This key is the CPU time used in the execution of the event being - recorded. 
- - name: event_desc - overwrite: true - type: keyword - description: This key is used to capture a description of an event available - directly or inferred - - name: sig_id1 - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID. This must be linked - to the sig.id - - name: im_buddyid - overwrite: true - type: keyword - - name: im_client - overwrite: true - type: keyword - - name: im_userid - overwrite: true - type: keyword - - name: pid - overwrite: true - type: keyword - - name: priority - overwrite: true - type: keyword - - name: context_subject - overwrite: true - type: keyword - description: This key is to be used in an audit context where the subject is - the object being identified - - name: context_target - overwrite: true - type: keyword - - name: cve - overwrite: true - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - - an identifier for known information security vulnerabilities. - - name: fcatnum - overwrite: true - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - overwrite: true - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - overwrite: true - type: keyword - description: This key captures the Parent Node Name. Must be related to node - variable. - - name: risk_info - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - overwrite: true - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - overwrite: true - type: long - description: This key describes the type of service - - name: vm_target - overwrite: true - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - overwrite: true - type: keyword - description: This key captures Workspace Description - - name: command - overwrite: true - type: keyword - - name: event_category - overwrite: true - type: keyword - - name: facilityname - overwrite: true - type: keyword - - name: forensic_info - overwrite: true - type: keyword - - name: jobname - overwrite: true - type: keyword - - name: mode - overwrite: true - type: keyword - - name: policy - overwrite: true - type: keyword - - name: policy_waiver - overwrite: true - type: keyword - - name: second - overwrite: true - type: keyword - - name: space1 - overwrite: true - type: keyword - - name: subcategory - overwrite: true - type: keyword - - name: tbdstr2 - overwrite: true - type: keyword - - name: alert_id - overwrite: true - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the the target - entity such as a process or file. - - name: checksum_src - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the source - entity such as a file or process. 
- - name: fresult - overwrite: true - type: long - description: This key captures the Filter Result - - name: payload_dst - overwrite: true - type: keyword - description: This key is used to capture destination payload - - name: payload_src - overwrite: true - type: keyword - description: This key is used to capture source payload - - name: pool_id - overwrite: true - type: keyword - description: This key captures the identifier (typically numeric field) of a - resource pool - - name: process_id_val - overwrite: true - type: keyword - description: This key is a failure key for Process ID when it is not an integer - value - - name: risk_num_comm - overwrite: true - type: double - description: This key captures Risk Number Community - - name: risk_num_next - overwrite: true - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - overwrite: true - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - overwrite: true - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - overwrite: true - type: keyword - description: SNMP Object Identifier - - name: sql - overwrite: true - type: keyword - description: This key captures the SQL query - - name: vuln_ref - overwrite: true - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - overwrite: true - type: keyword - - name: acl_op - overwrite: true - type: keyword - - name: acl_pos - overwrite: true - type: keyword - - name: acl_table - overwrite: true - type: keyword - - name: admin - overwrite: true - type: keyword - - name: alarm_id - overwrite: true - type: keyword - - name: alarmname - 
overwrite: true - type: keyword - - name: app_id - overwrite: true - type: keyword - - name: audit - overwrite: true - type: keyword - - name: audit_object - overwrite: true - type: keyword - - name: auditdata - overwrite: true - type: keyword - - name: benchmark - overwrite: true - type: keyword - - name: bypass - overwrite: true - type: keyword - - name: cache - overwrite: true - type: keyword - - name: cache_hit - overwrite: true - type: keyword - - name: cefversion - overwrite: true - type: keyword - - name: cfg_attr - overwrite: true - type: keyword - - name: cfg_obj - overwrite: true - type: keyword - - name: cfg_path - overwrite: true - type: keyword - - name: changes - overwrite: true - type: keyword - - name: client_ip - overwrite: true - type: keyword - - name: clustermembers - overwrite: true - type: keyword - - name: cn_acttimeout - overwrite: true - type: keyword - - name: cn_asn_src - overwrite: true - type: keyword - - name: cn_bgpv4nxthop - overwrite: true - type: keyword - - name: cn_ctr_dst_code - overwrite: true - type: keyword - - name: cn_dst_tos - overwrite: true - type: keyword - - name: cn_dst_vlan - overwrite: true - type: keyword - - name: cn_engine_id - overwrite: true - type: keyword - - name: cn_engine_type - overwrite: true - type: keyword - - name: cn_f_switch - overwrite: true - type: keyword - - name: cn_flowsampid - overwrite: true - type: keyword - - name: cn_flowsampintv - overwrite: true - type: keyword - - name: cn_flowsampmode - overwrite: true - type: keyword - - name: cn_inacttimeout - overwrite: true - type: keyword - - name: cn_inpermbyts - overwrite: true - type: keyword - - name: cn_inpermpckts - overwrite: true - type: keyword - - name: cn_invalid - overwrite: true - type: keyword - - name: cn_ip_proto_ver - overwrite: true - type: keyword - - name: cn_ipv4_ident - overwrite: true - type: keyword - - name: cn_l_switch - overwrite: true - type: keyword - - name: cn_log_did - overwrite: true - type: keyword - - name: 
cn_log_rid - overwrite: true - type: keyword - - name: cn_max_ttl - overwrite: true - type: keyword - - name: cn_maxpcktlen - overwrite: true - type: keyword - - name: cn_min_ttl - overwrite: true - type: keyword - - name: cn_minpcktlen - overwrite: true - type: keyword - - name: cn_mpls_lbl_1 - overwrite: true - type: keyword - - name: cn_mpls_lbl_10 - overwrite: true - type: keyword - - name: cn_mpls_lbl_2 - overwrite: true - type: keyword - - name: cn_mpls_lbl_3 - overwrite: true - type: keyword - - name: cn_mpls_lbl_4 - overwrite: true - type: keyword - - name: cn_mpls_lbl_5 - overwrite: true - type: keyword - - name: cn_mpls_lbl_6 - overwrite: true - type: keyword - - name: cn_mpls_lbl_7 - overwrite: true - type: keyword - - name: cn_mpls_lbl_8 - overwrite: true - type: keyword - - name: cn_mpls_lbl_9 - overwrite: true - type: keyword - - name: cn_mplstoplabel - overwrite: true - type: keyword - - name: cn_mplstoplabip - overwrite: true - type: keyword - - name: cn_mul_dst_byt - overwrite: true - type: keyword - - name: cn_mul_dst_pks - overwrite: true - type: keyword - - name: cn_muligmptype - overwrite: true - type: keyword - - name: cn_sampalgo - overwrite: true - type: keyword - - name: cn_sampint - overwrite: true - type: keyword - - name: cn_seqctr - overwrite: true - type: keyword - - name: cn_spackets - overwrite: true - type: keyword - - name: cn_src_tos - overwrite: true - type: keyword - - name: cn_src_vlan - overwrite: true - type: keyword - - name: cn_sysuptime - overwrite: true - type: keyword - - name: cn_template_id - overwrite: true - type: keyword - - name: cn_totbytsexp - overwrite: true - type: keyword - - name: cn_totflowexp - overwrite: true - type: keyword - - name: cn_totpcktsexp - overwrite: true - type: keyword - - name: cn_unixnanosecs - overwrite: true - type: keyword - - name: cn_v6flowlabel - overwrite: true - type: keyword - - name: cn_v6optheaders - overwrite: true - type: keyword - - name: comp_class - overwrite: true - type: 
keyword - - name: comp_name - overwrite: true - type: keyword - - name: comp_rbytes - overwrite: true - type: keyword - - name: comp_sbytes - overwrite: true - type: keyword - - name: cpu_data - overwrite: true - type: keyword - - name: criticality - overwrite: true - type: keyword - - name: cs_agency_dst - overwrite: true - type: keyword - - name: cs_analyzedby - overwrite: true - type: keyword - - name: cs_av_other - overwrite: true - type: keyword - - name: cs_av_primary - overwrite: true - type: keyword - - name: cs_av_secondary - overwrite: true - type: keyword - - name: cs_bgpv6nxthop - overwrite: true - type: keyword - - name: cs_bit9status - overwrite: true - type: keyword - - name: cs_context - overwrite: true - type: keyword - - name: cs_control - overwrite: true - type: keyword - - name: cs_data - overwrite: true - type: keyword - - name: cs_datecret - overwrite: true - type: keyword - - name: cs_dst_tld - overwrite: true - type: keyword - - name: cs_eth_dst_ven - overwrite: true - type: keyword - - name: cs_eth_src_ven - overwrite: true - type: keyword - - name: cs_event_uuid - overwrite: true - type: keyword - - name: cs_filetype - overwrite: true - type: keyword - - name: cs_fld - overwrite: true - type: keyword - - name: cs_if_desc - overwrite: true - type: keyword - - name: cs_if_name - overwrite: true - type: keyword - - name: cs_ip_next_hop - overwrite: true - type: keyword - - name: cs_ipv4dstpre - overwrite: true - type: keyword - - name: cs_ipv4srcpre - overwrite: true - type: keyword - - name: cs_lifetime - overwrite: true - type: keyword - - name: cs_log_medium - overwrite: true - type: keyword - - name: cs_loginname - overwrite: true - type: keyword - - name: cs_modulescore - overwrite: true - type: keyword - - name: cs_modulesign - overwrite: true - type: keyword - - name: cs_opswatresult - overwrite: true - type: keyword - - name: cs_payload - overwrite: true - type: keyword - - name: cs_registrant - overwrite: true - type: keyword - - 
name: cs_registrar - overwrite: true - type: keyword - - name: cs_represult - overwrite: true - type: keyword - - name: cs_rpayload - overwrite: true - type: keyword - - name: cs_sampler_name - overwrite: true - type: keyword - - name: cs_sourcemodule - overwrite: true - type: keyword - - name: cs_streams - overwrite: true - type: keyword - - name: cs_targetmodule - overwrite: true - type: keyword - - name: cs_v6nxthop - overwrite: true - type: keyword - - name: cs_whois_server - overwrite: true - type: keyword - - name: cs_yararesult - overwrite: true - type: keyword - - name: description - overwrite: true - type: keyword - - name: devvendor - overwrite: true - type: keyword - - name: distance - overwrite: true - type: keyword - - name: dstburb - overwrite: true - type: keyword - - name: edomain - overwrite: true - type: keyword - - name: edomaub - overwrite: true - type: keyword - - name: euid - overwrite: true - type: keyword - - name: facility - overwrite: true - type: keyword - - name: finterface - overwrite: true - type: keyword - - name: flags - overwrite: true - type: keyword - - name: gaddr - overwrite: true - type: keyword - - name: id3 - overwrite: true - type: keyword - - name: im_buddyname - overwrite: true - type: keyword - - name: im_croomid - overwrite: true - type: keyword - - name: im_croomtype - overwrite: true - type: keyword - - name: im_members - overwrite: true - type: keyword - - name: im_username - overwrite: true - type: keyword - - name: ipkt - overwrite: true - type: keyword - - name: ipscat - overwrite: true - type: keyword - - name: ipspri - overwrite: true - type: keyword - - name: latitude - overwrite: true - type: keyword - - name: linenum - overwrite: true - type: keyword - - name: list_name - overwrite: true - type: keyword - - name: load_data - overwrite: true - type: keyword - - name: location_floor - overwrite: true - type: keyword - - name: location_mark - overwrite: true - type: keyword - - name: log_id - overwrite: true - 
type: keyword - - name: log_type - overwrite: true - type: keyword - - name: logid - overwrite: true - type: keyword - - name: logip - overwrite: true - type: keyword - - name: logname - overwrite: true - type: keyword - - name: longitude - overwrite: true - type: keyword - - name: lport - overwrite: true - type: keyword - - name: mbug_data - overwrite: true - type: keyword - - name: misc_name - overwrite: true - type: keyword - - name: msg_type - overwrite: true - type: keyword - - name: msgid - overwrite: true - type: keyword - - name: netsessid - overwrite: true - type: keyword - - name: num - overwrite: true - type: keyword - - name: number1 - overwrite: true - type: keyword - - name: number2 - overwrite: true - type: keyword - - name: nwwn - overwrite: true - type: keyword - - name: object - overwrite: true - type: keyword - - name: operation - overwrite: true - type: keyword - - name: opkt - overwrite: true - type: keyword - - name: orig_from - overwrite: true - type: keyword - - name: owner_id - overwrite: true - type: keyword - - name: p_action - overwrite: true - type: keyword - - name: p_filter - overwrite: true - type: keyword - - name: p_group_object - overwrite: true - type: keyword - - name: p_id - overwrite: true - type: keyword - - name: p_msgid1 - overwrite: true - type: keyword - - name: p_msgid2 - overwrite: true - type: keyword - - name: p_result1 - overwrite: true - type: keyword - - name: password_chg - overwrite: true - type: keyword - - name: password_expire - overwrite: true - type: keyword - - name: permgranted - overwrite: true - type: keyword - - name: permwanted - overwrite: true - type: keyword - - name: pgid - overwrite: true - type: keyword - - name: policyUUID - overwrite: true - type: keyword - - name: prog_asp_num - overwrite: true - type: keyword - - name: program - overwrite: true - type: keyword - - name: real_data - overwrite: true - type: keyword - - name: rec_asp_device - overwrite: true - type: keyword - - name: rec_asp_num 
- overwrite: true - type: keyword - - name: rec_library - overwrite: true - type: keyword - - name: recordnum - overwrite: true - type: keyword - - name: ruid - overwrite: true - type: keyword - - name: sburb - overwrite: true - type: keyword - - name: sdomain_fld - overwrite: true - type: keyword - - name: sec - overwrite: true - type: keyword - - name: sensorname - overwrite: true - type: keyword - - name: seqnum - overwrite: true - type: keyword - - name: session - overwrite: true - type: keyword - - name: sessiontype - overwrite: true - type: keyword - - name: sigUUID - overwrite: true - type: keyword - - name: spi - overwrite: true - type: keyword - - name: srcburb - overwrite: true - type: keyword - - name: srcdom - overwrite: true - type: keyword - - name: srcservice - overwrite: true - type: keyword - - name: state - overwrite: true - type: keyword - - name: status1 - overwrite: true - type: keyword - - name: svcno - overwrite: true - type: keyword - - name: system - overwrite: true - type: keyword - - name: tbdstr1 - overwrite: true - type: keyword - - name: tgtdom - overwrite: true - type: keyword - - name: tgtdomain - overwrite: true - type: keyword - - name: threshold - overwrite: true - type: keyword - - name: type1 - overwrite: true - type: keyword - - name: udb_class - overwrite: true - type: keyword - - name: url_fld - overwrite: true - type: keyword - - name: user_div - overwrite: true - type: keyword - - name: userid - overwrite: true - type: keyword - - name: username_fld - overwrite: true - type: keyword - - name: utcstamp - overwrite: true - type: keyword - - name: v_instafname - overwrite: true - type: keyword - - name: virt_data - overwrite: true - type: keyword - - name: vpnid - overwrite: true - type: keyword - - name: autorun_type - overwrite: true - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - overwrite: true - type: long - description: Valid Credit Card Numbers only - - name: content - 
overwrite: true - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - overwrite: true - type: long - description: Employee Identification Numbers only - - name: found - overwrite: true - type: keyword - description: This is used to capture the results of regex match - - name: language - overwrite: true - type: keyword - description: This is used to capture list of languages the client support and - what it prefers - - name: lifetime - overwrite: true - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - overwrite: true - type: keyword - description: This key is used to link the sessions together. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: match - overwrite: true - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - overwrite: true - type: keyword - description: This key captures the command line/launch argument of the target - process or file - - name: param_src - overwrite: true - type: keyword - description: This key captures source parameter - - name: search_text - overwrite: true - type: keyword - description: This key captures the Search Text used - - name: sig_name - overwrite: true - type: keyword - description: This key is used to capture the Signature Name only. - - name: snmp_value - overwrite: true - type: keyword - description: SNMP set request value - - name: streams - overwrite: true - type: long - description: This key captures number of streams in session - - name: db - overwrite: true - type: group - fields: - - name: index - overwrite: true - type: keyword - description: This key captures IndexID of the index. 
- - name: instance - overwrite: true - type: keyword - description: This key is used to capture the database server instance name - - name: database - overwrite: true - type: keyword - description: This key is used to capture the name of a database or an instance - as seen in a session - - name: transact_id - overwrite: true - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - overwrite: true - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - overwrite: true - type: keyword - description: This key is used to capture the table name - - name: db_id - overwrite: true - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - overwrite: true - type: long - description: This key captures the process id of a connection with database - server - - name: lread - overwrite: true - type: long - description: This key is used for the number of logical reads - - name: lwrite - overwrite: true - type: long - description: This key is used for the number of logical writes - - name: pread - overwrite: true - type: long - description: This key is used for the number of physical writes - - name: network - overwrite: true - type: group - fields: - - name: alias_host - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a hostname is not clear.Also it captures the Device Hostname. Any Hostname - that isnt ad.computer. 
- - name: domain - overwrite: true - type: keyword - - name: host_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Hostname" - - name: network_service - overwrite: true - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of an interface is not clear - - name: network_port - overwrite: true - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently - used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - overwrite: true - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Interface" - - name: dinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Interface" - - name: vlan - overwrite: true - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Zone." - - name: zone - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a Zone is not clear - - name: zone_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Zone." - - name: gateway - overwrite: true - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - overwrite: true - type: long - description: This key is used to capture the ICMP type only - - name: mask - overwrite: true - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - overwrite: true - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - overwrite: true - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - overwrite: true - type: keyword - description: This key is used for Destionation Device network mask - - name: port - overwrite: true - type: long - description: This key should only be used to capture a Network Port when the - directionality is not clear - - name: smask - overwrite: true - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - overwrite: true - type: keyword - description: This key is used to capture the network name associated with an - IP range. This is configured by the end user. - - name: paddr - overwrite: true - type: ip - description: Deprecated - - name: faddr - overwrite: true - type: keyword - - name: lhost - overwrite: true - type: keyword - - name: origin - overwrite: true - type: keyword - - name: remote_domain_id - overwrite: true - type: keyword - - name: addr - overwrite: true - type: keyword - - name: dns_a_record - overwrite: true - type: keyword - - name: dns_ptr_record - overwrite: true - type: keyword - - name: fhost - overwrite: true - type: keyword - - name: fport - overwrite: true - type: keyword - - name: laddr - overwrite: true - type: keyword - - name: linterface - overwrite: true - type: keyword - - name: phost - overwrite: true - type: keyword - - name: ad_computer_dst - overwrite: true - type: keyword - description: Deprecated, use host.dst - - name: eth_type - overwrite: true - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols - Only - - name: ip_proto - overwrite: true - type: long - description: This key should be used to capture the Protocol number, all the - protocol nubers are converted into string in UI - - name: dns_cname_record - overwrite: true - 
type: keyword - - name: dns_id - overwrite: true - type: keyword - - name: dns_opcode - overwrite: true - type: keyword - - name: dns_resp - overwrite: true - type: keyword - - name: dns_type - overwrite: true - type: keyword - - name: domain1 - overwrite: true - type: keyword - - name: host_type - overwrite: true - type: keyword - - name: packet_length - overwrite: true - type: keyword - - name: host_orig - overwrite: true - type: keyword - description: This is used to capture the original hostname in case of a Forwarding - Agent or a Proxy in between. - - name: rpayload - overwrite: true - type: keyword - description: This key is used to capture the total number of payload bytes seen - in the retransmitted packets. - - name: vlan_name - overwrite: true - type: keyword - description: This key should only be used to capture the name of the Virtual - LAN - - name: investigations - overwrite: true - type: group - fields: - - name: ec_activity - overwrite: true - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - overwrite: true - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - overwrite: true - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - overwrite: true - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - overwrite: true - type: long - description: This key captures the Event category number - - name: event_cat_name - overwrite: true - type: keyword - description: This key captures the event category name corresponding to the - event cat code - - name: event_vcat - overwrite: true - type: keyword - description: This is a vendor supplied category. This should be used in situations - where the vendor has adopted their own event_category taxonomy. 
- - name: analysis_file - overwrite: true - type: keyword - description: This is used to capture all indicators used in a File Analysis. - This key should be used to capture an analysis of a file - - name: analysis_service - overwrite: true - type: keyword - description: This is used to capture all indicators used in a Service Analysis. - This key should be used to capture an analysis of a service - - name: analysis_session - overwrite: true - type: keyword - description: This is used to capture all indicators used for a Session Analysis. - This key should be used to capture an analysis of a session - - name: boc - overwrite: true - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - overwrite: true - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - overwrite: true - type: keyword - description: This used to capture investigation category - - name: inv_context - overwrite: true - type: keyword - description: This used to capture investigation context - - name: ioc - overwrite: true - type: keyword - description: This is key capture indicator of compromise - - name: counters - overwrite: true - type: group - fields: - - name: dclass_c1 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c1.str only - - name: dclass_c2 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c2.str only - - name: event_counter - overwrite: true - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r1.str only - - name: dclass_c3 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c3.str only - - name: dclass_c1_str - 
overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c1 only - - name: dclass_c2_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c2 only - - name: dclass_r1_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r1 only - - name: dclass_r2 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r2.str only - - name: dclass_c3_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c3 only - - name: dclass_r3 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r3.str only - - name: dclass_r2_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r2 only - - name: dclass_r3_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r3 only - - name: identity - overwrite: true - type: group - fields: - - name: auth_method - overwrite: true - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - overwrite: true - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - overwrite: true - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - overwrite: true - type: keyword - description: This key is used to capture the type of logon method used. 
- - name: profile - overwrite: true - type: keyword - description: This key is used to capture the user profile - - name: accesses - overwrite: true - type: keyword - description: This key is used to capture actual privileges used in accessing - an object - - name: realm - overwrite: true - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - overwrite: true - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that - indicates a Source dn - - name: org - overwrite: true - type: keyword - description: This key captures the User organization - - name: dn_dst - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that - indicates a Destination dn - - name: firstname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: lastname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: user_dept - overwrite: true - type: keyword - description: User's Department Names only - - name: user_sid_src - overwrite: true - type: keyword - description: This key captures Source User Session ID - - name: federated_sp - overwrite: true - type: keyword - description: This key is the Federated Service Provider. This is the application - requesting authentication. - - name: federated_idp - overwrite: true - type: keyword - description: This key is the federated Identity Provider. This is the server - providing the authentication. - - name: logon_type_desc - overwrite: true - type: keyword - description: This key is used to capture the textual description of an integer - logon type as stored in the meta key 'logon.type'. 
- - name: middlename - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: password - overwrite: true - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - overwrite: true - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - overwrite: true - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ - t have a clear query or response context" - - name: ldap_query - overwrite: true - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - overwrite: true - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - overwrite: true - type: keyword - description: This is used to capture username the process or service is running - as, the author of the task - - name: service_account - overwrite: true - type: keyword - description: This key is a windows specific key, used for capturing name of - the account a service (referenced in the event) is running under. Legacy Usage - - name: email - overwrite: true - type: group - fields: - - name: email_dst - overwrite: true - type: keyword - description: This key is used to capture the Destination email address only, - when the destination context is not clear use email - - name: email_src - overwrite: true - type: keyword - description: This key is used to capture the source email address only, when - the source context is not clear use email - - name: subject - overwrite: true - type: keyword - description: This key is used to capture the subject string from an Email only. 
- - name: email - overwrite: true - type: keyword - description: This key is used to capture a generic email address where the source - or destination context is not clear - - name: trans_from - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: file - overwrite: true - type: group - fields: - - name: privilege - overwrite: true - type: keyword - description: Deprecated, use permissions - - name: attachment - overwrite: true - type: keyword - description: This key captures the attachment file name - - name: filesystem - overwrite: true - type: keyword - - name: binary - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: filename_dst - overwrite: true - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - overwrite: true - type: keyword - description: This is used to capture name of the parent filename, the file which - performed the action - - name: filename_tmp - overwrite: true - type: keyword - - name: directory_dst - overwrite: true - type: keyword - description: This key is used to capture the directory of the target process - or file - - name: directory_src - overwrite: true - type: keyword - description: This key is used to capture the directory of the source process - or file - - name: file_entropy - overwrite: true - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - overwrite: true - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - overwrite: true - type: keyword - description: This is used to capture name of the task - - name: web - overwrite: true - type: group - fields: - - name: fqdn - overwrite: true - type: keyword - description: Fully Qualified Domain Names - - 
name: web_cookie - overwrite: true - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - overwrite: true - type: keyword - - name: reputation_num - overwrite: true - type: double - description: Reputation Number of an entity. Typically used for Web Domains - - name: web_ref_domain - overwrite: true - type: keyword - description: Web referer's domain - - name: web_ref_query - overwrite: true - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - overwrite: true - type: keyword - - name: web_ref_page - overwrite: true - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - overwrite: true - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - overwrite: true - type: keyword - - name: cn_rpackets - overwrite: true - type: keyword - - name: urlpage - overwrite: true - type: keyword - - name: urlroot - overwrite: true - type: keyword - - name: p_url - overwrite: true - type: keyword - - name: p_user_agent - overwrite: true - type: keyword - - name: p_web_cookie - overwrite: true - type: keyword - - name: p_web_method - overwrite: true - type: keyword - - name: p_web_referer - overwrite: true - type: keyword - - name: web_extension_tmp - overwrite: true - type: keyword - - name: web_page - overwrite: true - type: keyword - - name: threat - overwrite: true - type: group - fields: - - name: threat_category - overwrite: true - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of - alert - - name: threat_desc - overwrite: true - type: keyword - description: This key is used to capture the threat description from the session - directly or inferred - - name: alert - overwrite: true - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - overwrite: true - type: keyword - description: This key is used to 
capture source of the threat - - name: crypto - overwrite: true - type: group - fields: - - name: crypto - overwrite: true - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key - only - - name: cipher_src - overwrite: true - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - overwrite: true - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - overwrite: true - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - overwrite: true - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - overwrite: true - type: keyword - description: IKE negotiation phase. - - name: scheme - overwrite: true - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - overwrite: true - type: keyword - description: "This key is for Encryption peer\u2019s identity" - - name: sig_type - overwrite: true - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - overwrite: true - type: keyword - - name: cert_host_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: cert_error - overwrite: true - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - overwrite: true - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - overwrite: true - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - overwrite: true - type: keyword - description: Deprecated, use version - - name: d_certauth - overwrite: true - type: keyword - - name: s_certauth - overwrite: true - type: keyword - - name: ike_cookie1 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - - name: ike_cookie2 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - - name: cert_checksum - overwrite: true - type: keyword - - name: cert_host_cat - overwrite: true - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - overwrite: true - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - overwrite: true - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - overwrite: true - type: keyword - description: Deprecated, use version - - name: cert_keysize - overwrite: true - type: keyword - - name: cert_username - overwrite: true - type: keyword - - name: https_insact - overwrite: true - type: keyword - - name: https_valid - overwrite: true - type: keyword - - name: cert_ca - overwrite: true - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - overwrite: true - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - overwrite: true - type: group - fields: - - name: wlan_ssid - overwrite: true - type: keyword - description: This key is 
used to capture the ssid of a Wireless Session - - name: access_point - overwrite: true - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - overwrite: true - type: long - description: This is used to capture the channel names - - name: wlan_name - overwrite: true - type: keyword - description: This key captures either WLAN number/name - - name: storage - overwrite: true - type: group - fields: - - name: disk_volume - overwrite: true - type: keyword - description: A unique name assigned to logical units (volumes) within a physical - disk - - name: lun - overwrite: true - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - overwrite: true - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - overwrite: true - type: group - fields: - - name: org_dst - overwrite: true - type: keyword - description: This is used to capture the destination organization based on the - GEOPIP Maxmind database. - - name: org_src - overwrite: true - type: keyword - description: This is used to capture the source organization based on the GEOPIP - Maxmind database. 
- - name: healthcare - overwrite: true - type: group - fields: - - name: patient_fname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_id - overwrite: true - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_mname - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: endpoint - overwrite: true - type: group - fields: - - name: host_state - overwrite: true - type: keyword - description: This key is used to capture the current state of the machine, such - as blacklisted, infected, firewall - disabled and so on - - name: registry_key - overwrite: true - type: keyword - description: This key captures the path to the registry key - - name: registry_value - overwrite: true - type: keyword - description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/f5/bigipapm/config/input.yml b/x-pack/filebeat/module/f5/bigipapm/config/input.yml deleted file mode 100644 index 94330616cdc..00000000000 --- a/x-pack/filebeat/module/f5/bigipapm/config/input.yml +++ /dev/null 
@@ -1,87 +0,0 @@
-{{ if eq .input "file" }}
-
-type: log
-paths:
- {{ range $i, $path := .paths }}
-- {{$path}}
- {{ end }}
-exclude_files: [".gz$"]
-
-{{ else }}
-
-type: {{.input}}
-host: "{{.syslog_host}}:{{.syslog_port}}"
-
-{{ end }}
-
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
-
-fields_under_root: true
-fields:
- observer:
- vendor: "F5"
- product: "Big-IP"
- type: "Access"
-
-processors:
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{.rsa_fields}}
- tz_offset: {{.tz_offset}}
- keep_raw: {{.keep_raw_fields}}
- debug: {{.debug}}
- files:
- - ${path.home}/module/f5/bigipapm/config/liblogparser.js
- - ${path.home}/module/f5/bigipapm/config/pipeline.js
-{{ if .community_id }}
-- community_id: ~
-{{ end }}
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: dns.question.name
- target_field: dns.question.registered_domain
- target_subdomain_field: dns.question.subdomain
- target_etld_field: dns.question.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: client.domain
- target_field: client.registered_domain
- target_subdomain_field: client.subdomain
- target_etld_field: client.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: server.domain
- target_field: server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: 
url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js b/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js
deleted file mode 100644
index b35eaa3ddce..00000000000
--- a/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js
+++ /dev/null
@@ -1,2514 +0,0 @@
-// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-// or more contributor license agreements. Licensed under the Elastic License;
-// you may not use this file except in compliance with the Elastic License.
-
-/* jshint -W014,-W016,-W097,-W116 */
-
-var processor = require("processor");
-var console = require("console");
-
-var FLAG_FIELD = "log.flags";
-var FIELDS_OBJECT = "nwparser";
-var FIELDS_PREFIX = FIELDS_OBJECT + ".";
-
-var defaults = {
- debug: false,
- ecs: true,
- rsa: false,
- keep_raw: false,
- tz_offset: "local",
- strip_priority: true
-};
-
-var saved_flags = null;
-var debug;
-var map_ecs;
-var map_rsa;
-var keep_raw;
-var device;
-var tz_offset;
-var strip_priority;
-
-// Register params from configuration.
-function register(params) {
- debug = params.debug !== undefined ? params.debug : defaults.debug;
- map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
- map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
- keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
- tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
- strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority;
- device = new DeviceProcessor();
-}
-
-function parse_tz_offset(offset) {
- var date;
- var m;
- switch(offset) {
- // local uses the tz offset from the JS VM.
- case "local":
- date = new Date();
- // Reversing the sign as we the offset from UTC, not to UTC.
- return parse_local_tz_offset(-date.getTimezoneOffset());
- // event uses the tz offset from event.timezone (add_locale processor).
- case "event":
- return offset;
- // Otherwise a tz offset in the form "[+-][0-9]{4}" is required.
- default:
- m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/);
- if (m === null || m.length !== 4) {
- throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM");
- }
- return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00");
- }
-}
-
-function parse_local_tz_offset(minutes) {
- var neg = minutes < 0;
- minutes = Math.abs(minutes);
- var min = minutes % 60;
- var hours = Math.floor(minutes / 60);
- var pad2digit = function(n) {
- if (n < 10) { return "0" + n;}
- return "" + n;
- };
- return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min);
-}
-
-function process(evt) {
- // Function register is only called by the processor when `params` are set
- // in the processor config.
- if (device === undefined) {
- register(defaults);
- }
- return device.process(evt);
-}
-
-function processor_chain(subprocessors) {
- var builder = new processor.Chain();
- subprocessors.forEach(builder.Add);
- return builder.Build().Run;
-}
-
-function linear_select(subprocessors) {
- return function (evt) {
- var flags = evt.Get(FLAG_FIELD);
- var i;
- for (i = 0; i < subprocessors.length; i++) {
- evt.Delete(FLAG_FIELD);
- if (debug) console.warn("linear_select trying entry " + i);
- subprocessors[i](evt);
- // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break;
- if (debug) console.warn("linear_select failed entry " + i);
- }
- if (flags !== null) {
- evt.Put(FLAG_FIELD, flags);
- }
- if (debug) {
- if (i < subprocessors.length) {
- console.warn("linear_select matched entry " + i);
- } else {
- console.warn("linear_select didn't match");
- }
- }
- };
-}
-
-function conditional(opt) {
- return function(evt) {
- if (opt.if(evt)) {
- opt.then(evt);
- } else if (opt.else) {
- opt.else(evt);
- }
- };
-}
-
-var strip_syslog_priority = (function() {
- var isEnabled = function() { return strip_priority === true; };
- var fetchPRI = field("_pri");
- var fetchPayload = field("payload");
- var removePayload = remove(["payload"]);
- var cleanup = remove(["_pri", "payload"]);
- var onMatch = function(evt) {
- var pri, priStr = fetchPRI(evt);
- if (priStr != null
- && 0 < priStr.length && priStr.length < 4
- && !isNaN((pri = Number(priStr)))
- && 0 <= pri && pri < 192) {
- var severity = pri & 7,
- facility = pri >> 3;
- setc("_severity", "" + severity)(evt);
- setc("_facility", "" + facility)(evt);
- // Replace message with priority stripped.
- evt.Put("message", fetchPayload(evt));
- removePayload(evt);
- } else {
- // not a valid syslog PRI, cleanup. 
- cleanup(evt);
- }
- };
- return conditional({
- if: isEnabled,
- then: cleanup_flags(match(
- "STRIP_PRI",
- "message",
- "<%{_pri}>%{payload}",
- onMatch
- ))
- });
-})();
-
-function match(id, src, pattern, on_success) {
- var dissect = new processor.Dissect({
- field: src,
- tokenizer: pattern,
- target_prefix: FIELDS_OBJECT,
- ignore_failure: true,
- overwrite_keys: true,
- trim_values: "right"
- });
- return function (evt) {
- var msg = evt.Get(src);
- dissect.Run(evt);
- var failed = evt.Get(FLAG_FIELD) != null;
- if (debug) {
- if (failed) {
- console.debug("dissect fail: " + id + " field:" + src);
- } else {
- console.debug("dissect OK: " + id + " field:" + src);
- }
- console.debug(" expr: <<" + pattern + ">>");
- console.debug(" input: <<" + msg + ">>");
- }
- if (on_success != null && !failed) {
- on_success(evt);
- }
- };
-}
-
-function match_copy(id, src, dst, on_success) {
- dst = FIELDS_PREFIX + dst;
- if (dst === FIELDS_PREFIX || dst === src) {
- return function (evt) {
- if (debug) {
- console.debug("noop OK: " + id + " field:" + src);
- console.debug(" input: <<" + evt.Get(src) + ">>");
- }
- if (on_success != null) on_success(evt);
- }
- }
- return function (evt) {
- var msg = evt.Get(src);
- evt.Put(dst, msg);
- if (debug) {
- console.debug("copy OK: " + id + " field:" + src);
- console.debug(" target: '" + dst + "'");
- console.debug(" input: <<" + msg + ">>");
- }
- if (on_success != null) on_success(evt);
- }
-}
-
-function cleanup_flags(processor) {
- return function(evt) {
- processor(evt);
- evt.Delete(FLAG_FIELD);
- };
-}
-
-function all_match(opts) {
- return function (evt) {
- var i;
- for (i = 0; i < opts.processors.length; i++) {
- evt.Delete(FLAG_FIELD);
- opts.processors[i](evt);
- // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; -} - -function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; -} - -function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; -} - -var start; - -function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); -} - -function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); -} - -function constant(value) { - return function (evt) { - return value; - }; -} - -function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; -} - -function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; -} - -// TODO: Implement -function DIRCHK(args) { - unimplemented("DIRCHK"); -} - -function strictToInt(str) { - return str * 1; -} - -function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - var result; - switch 
(args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; -} - -var quoteChars = "\"'`"; -function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; -} - -function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; -} - -function nop(evt) { -} - -function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); -} - -function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); -} - -function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; -} - -function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); -} - -function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; -} - -function setc(dst, value) { - return function (evt) { - evt.Put(FIELDS_PREFIX + dst, value); - }; 
-} - -function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; -} - -function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; -} - -function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; -} - -function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; -} - -// Make two-digit dates 00-69 interpreted as 2000-2069 -// and dates 70-99 translated to 1970-1999. -var twoDigitYearEpoch = 70; -var twoDigitYearCentury = 2000; - -// This is to accept dates up to 2 days in the future, only used when -// no year is specified in a date. 2 days should be enough to account for -// time differences between systems and different tz offsets. -var maxFutureDelta = 2*24*60*60*1000; - -// DateContainer stores date fields and then converts those fields into -// a Date. Necessary because building a Date using its set() methods gives -// different results depending on the order of components. -function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; -} - -DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } -} - -function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; -} - -function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; -} - -function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; -} - -var uA = 60 * 60 * 24; -var uD = 60 * 60 * 24; -var uF = 60 * 60; -var uG = 60 * 60 * 24 * 30; -var uH = 60 * 60; -var uI = 60 * 60; -var uJ = 60 * 60 * 24; -var uM = 60 * 60 * 24 * 30; -var uN = 60 * 60; -var uO = 1; -var uS = 1; -var uT = 60; -var uU = 60; -var uc = dc; - -function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; -} - -function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 5], - "dec": [11, 4], 
-}; - -// var dC = undefined; -var dR = dateMonthName(true); -var dB = dateMonthName(false); -var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); -var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); -var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); -var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); -var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); -var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 -var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); -var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); -var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); -var dP = parseAMPM; // AM|PM -var dQ = parseAMPM; // A.M.|P.M -var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); -var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); -var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); -var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); -var dZ = parseHMS; -var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - -// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. -// Only works if this modifier appears after the hour has been read from logs -// which is always the case in the 300 devices. 
-function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; -} - -function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); -} - -function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; -} - -function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; -} - -function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; -} - -function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; -} - -function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; -} - -// Short month name (Jan..Dec). -function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; -} - -function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; -} - -// The following regular expression for parsing URLs from: -// https://github.com/wizard04wsu/URI_Parsing -// -// The MIT License (MIT) -// -// Copyright (c) 2014 Andrew Harrison -// -// Permission is hereby granted, free of charge, to any person obtaining a copy of -// this software and associated documentation files (the "Software"), to deal in -// the Software without restriction, including without limitation the rights to -// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -// the Software, and to permit persons to whom the Software is furnished to do so, -// subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
-var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - -var uriScheme = 1; -var uriDomain = 5; -var uriPort = 6; -var uriPath = 7; -var uriPathAlt = 9; -var uriQuery = 11; - -function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); -} - -function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; -} - -function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; -} - -var extFromPage = /\.[^.]+$/; -function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } -} - -function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); -} - -function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); -} - -var pageFromPathRegExp = /\/([^\/]+)$/; -var pageName = 1; - -function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; -} - -function page(dst, src) { - return url_wrapper(dst, src, extract_page); -} - -function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; -} - -function path(dst, src) { - return url_wrapper(dst, src, extract_path); -} - -// Map common schemes to their default port. -// port has to be a string (will be converted at a later stage). 
-var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", -}; - -function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } -} - -function port(dst, src) { - return url_wrapper(dst, src, extract_port); -} - -function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; -} - -function query(dst, src) { - return url_wrapper(dst, src, extract_query); -} - -function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } -} - -function root(dst, src) { - return url_wrapper(dst, src, extract_root); -} - -function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } -} - -var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
-};
-
-var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
- "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
- "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
- "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
- "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
- "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
- "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
- "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
- "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
- "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
- "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
- "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
- "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
- "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
- "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
- "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
- "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
- "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
- "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
- "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
- "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
- "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
- "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
- "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
- "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
- "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
- "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
- "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
- "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
- "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
- "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
- "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
- "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
- "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
- "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
- "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
- "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
- "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
- "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
- "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
- "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
- "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
- "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
- "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
- "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
- "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
- "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
- "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
- "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
- "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
- "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
- "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
- "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
- "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
- "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
- "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
- "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
- "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
- "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
- "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
- "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
- "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
- "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
- "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
- "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
- "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
- "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
- "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
- "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
- "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
- "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
- "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
- "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
- "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
- "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
- "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
- "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
- "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
- "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
- "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
- "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
- "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
- "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
- "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
- "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
- "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
- "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
- "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
- "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
- "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
- "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
- "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
- "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
- "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
- "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
- "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
- "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
- "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
- "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
- "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
- "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
- "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
- "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
- "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
- "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
- "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
- "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
- "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
- "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
- "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
- "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
- "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
- "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
- "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
- "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
- "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
- "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
- "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
- "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
- "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
- "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
- "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
- "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
- "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
- "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
- "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
- "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
- "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
- "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
- "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
- "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
- "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
- "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
- "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
- "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
- "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
- "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
- "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
- "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
- "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
- "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
- "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
- "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
- "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
- "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
- "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
- "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
- "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
- "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
- "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
- "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
- "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
- "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
- "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
- "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
- "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
- "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
- "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
- "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
- "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
- "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
- "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
- "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
- "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
- "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
- "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
- "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
- "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
- "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
- "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
- "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
- "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
- "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
- "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
- "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
- "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
- "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
- "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
- "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
- "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
- "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
- "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
- "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
- "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
- "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
- "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
- "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
- "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
- "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
- "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
- "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
- "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
- "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
- "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
- "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
- "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
- "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
- "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
- "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
- "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
- "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
- "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
- "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
- "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
- "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
- "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
- "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
- "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
- "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
- "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
- "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
- "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
- "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
- "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
- "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
- "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
- "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
- "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
- "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
- "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
- "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
- "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
- "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
- "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
- "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
- "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
- "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
- "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
- "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
- "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
- "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
- "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
- "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
- "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
- "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
- "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
- "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
- "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
- "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
- "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
- "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
- "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
- "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
- "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
- "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
- "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
- "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
- "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
- "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
- "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
- "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
- "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
- "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
- "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
- "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
- "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
- "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
- "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
- "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
- "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
- "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
- "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
- "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
- "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
- "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
- "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
- "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
- "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
- "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
- "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
- "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
- "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
- "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
- "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
- "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
- "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
- "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
- "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
- "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
- "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
- "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
- "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
- "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
- "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
- "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
- "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
- "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
- "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
- "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
- "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
- "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
- "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
- "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
- "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
- "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
- "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
- "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
- "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
- "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
- "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
- "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
- "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
- "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
- "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
- "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
- "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
- "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
- "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
- "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
- "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
- "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
- "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
- "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
- "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
- "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
- "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
- "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
- "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
- "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
- "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
- "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
- "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
- "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
- "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
- "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
- "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
- "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
- "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
- "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
- "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
- "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
- "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
- "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
- "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
- "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
- "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
- "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
- "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
- "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
- "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
- "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
- "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
- "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
- "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
- "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
- "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
- "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
- "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
- "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
- "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
- "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
- "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
- "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
- "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
- "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
- "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
- "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
- "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
- "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
- "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
- "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
- "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
- "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
- "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
- "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
- "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
- "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
- "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
- "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
- "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
- "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
- "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
- "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
- "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
- "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
- "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
- "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
- "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
- "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
- "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
- "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
- "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
- "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
- "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
- "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
- "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
- "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
- "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
- "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
- "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
- "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
- "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
- "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
- "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
- "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
- "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
- "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
- "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
- "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
- "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
- "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
- "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
- "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
- "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
- "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
- "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
- "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
- "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
- "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
- "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
- "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
- "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
- "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
- "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
- "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
- "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
- "number": {to:[{field: "rsa.misc.number", setter: fld_set}]},
- "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
- "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
- "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
- "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
- "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
- "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
- "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
- "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
- "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
- "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
- "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
- "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
- "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
- "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
- "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
- "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
- "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
- "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
- "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
- "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
- "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
- "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
- "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
- "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
- "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
- "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
- "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
- "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
- "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
- "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
- "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
- "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
- "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
- "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
- "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
- "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
- "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
- "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
- "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
- "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
- "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
- "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
- "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
- "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
- "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
- "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
- "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
- "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
- "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
- "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
- "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
- "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
- "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
- "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
- "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
- "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
- "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
- "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
- "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]},
- "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
- "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
- "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
- "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
- "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
- "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
- "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
- "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
- "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
- "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
- "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
- "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
- "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
- "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
- "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
- "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
- "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
- "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
- "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
- "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
- "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
- "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
- "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]},
- "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
- "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
- "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
- "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]},
- "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
- "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
- "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
- "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
- "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
- "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
- "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
- "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
- "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
- "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
- "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
- "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
- "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
- "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
- "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
- "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
- "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
- "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
- "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
- "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
- "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, -}; - -function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } -} - -// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. -var maxSafeInt = Math.pow(2, 53) - 1; -var minSafeInt = -maxSafeInt; - -function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; -} - -function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); -} - -var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; -var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - -function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; -} - -function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; -} - -function to_double(value) { - return parseFloat(value); -} - -function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; -} - -function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; -} - -function fld_set(dst, value) { - dst[this.field] = { v: value }; -} - -function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } -} - -function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } -} - -var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true -}; - -function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } -} - -function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } -} - -function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); -} - -var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, -]; - -function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - tzOffset = 
evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{p0}"); - -var dup5 = setc("eventcategory","1801000000"); - -var dup6 = setc("eventcategory","1801010000"); - -var dup7 = setc("eventcategory","1502000000"); - -var dup8 = setc("eventcategory","1805010000"); - -var dup9 = setc("eventcategory","1803000000"); - -var dup10 = setc("eventcategory","1803030000"); - -var dup11 = setc("disposition"," Successful"); - -var dup12 = setc("dclass_counter1_string"," Logon Attempt"); - -var dup13 = setc("eventcategory","1204000000"); - -var dup14 = date_time({ - dest: "event_time", - args: ["fld20"], - fmts: [ - [dD,dc("/"),dB,dc("/"),dW,dc(":"),dN,dc(":"),dU,dc(":"),dO], - ], -}); - -var dup15 = setc("eventcategory","1605000000"); - -var dup16 = setc("eventcategory","1612000000"); - -var dup17 = date_time({ - dest: "event_time", - args: ["fld1","fld2","fld3"], - fmts: [ - [dB,dF,dN,dc(":"),dU,dc(":"),dO], - ], -}); - -var dup18 = match("MESSAGE#0:01490502", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ - dup1, - dup2, -])); - -var dup19 = match("MESSAGE#58:crond:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ - dup15, - dup2, -])); - -var dup20 = match("MESSAGE#67:014d0001:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{info}", processor_chain([ - dup5, - dup2, -])); - -var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}[%{hfld4}]: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hmonth"), - constant(" 
"), - field("hdate"), - constant(" "), - field("htime"), - constant(" "), - field("hfld1"), - constant(" "), - field("hfld2"), - constant(" "), - field("hfld3"), - constant("["), - field("hfld4"), - constant("]: "), - field("messageid"), - constant(": "), - field("p0"), - ], - }), -])); - -var hdr2 = match("HEADER#1:0002", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0002"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hmonth"), - constant(" "), - field("hdate"), - constant(" "), - field("htime"), - constant(" "), - field("hfld1"), - constant(" "), - field("hfld2"), - constant(" "), - field("hfld3"), - constant(": "), - field("messageid"), - constant(": "), - field("p0"), - ], - }), -])); - -var hdr3 = match("HEADER#2:0003", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}: [%{messageid}]%{p0}", processor_chain([ - setc("header_id","0003"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hmonth"), - constant(" "), - field("hdate"), - constant(" "), - field("htime"), - constant(" "), - field("hfld1"), - constant(" "), - field("hfld2"), - constant(" "), - field("hfld3"), - constant(": ["), - field("messageid"), - constant("]"), - field("p0"), - ], - }), -])); - -var hdr4 = match("HEADER#3:0004", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{messageid}[%{hfld3}]:%{p0}", processor_chain([ - setc("header_id","0004"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hmonth"), - constant(" "), - field("hdate"), - constant(" "), - field("htime"), - constant(" "), - field("hfld1"), - constant(" "), - field("hfld2"), - constant(" "), - field("messageid"), - constant("["), - field("hfld3"), - constant("]:"), - field("p0"), - ], - }), -])); - -var hdr5 = match("HEADER#4:0005", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{messageid}:%{p0}", 
processor_chain([ - setc("header_id","0005"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hmonth"), - constant(" "), - field("hdate"), - constant(" "), - field("htime"), - constant(" "), - field("hfld1"), - constant(" "), - field("hfld2"), - constant(" "), - field("messageid"), - constant(":"), - field("p0"), - ], - }), -])); - -var hdr6 = match("HEADER#5:0006", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}[%{hfld4}]: %{messageid->} /%{p0}", processor_chain([ - setc("header_id","0006"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hmonth"), - constant(" "), - field("hdate"), - constant(" "), - field("htime"), - constant(" "), - field("hfld1"), - constant(" "), - field("hfld2"), - constant(" "), - field("hfld3"), - constant("["), - field("hfld4"), - constant("]: "), - field("messageid"), - constant(" /"), - field("p0"), - ], - }), -])); - -var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - hdr5, - hdr6, -]); - -var msg1 = msg("01490502", dup18); - -var part1 = match("MESSAGE#1:01490521", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Session statistics - bytes in:%{rbytes}, bytes out: %{sbytes}", processor_chain([ - dup3, - dup2, -])); - -var msg2 = msg("01490521", part1); - -var part2 = match("MESSAGE#2:01490506", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Received User-Agent header: %{user_agent}", processor_chain([ - dup3, - dup2, -])); - -var msg3 = msg("01490506", part2); - -var part3 = match("MESSAGE#3:01490113:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.network.name is %{fqdn}", processor_chain([ - dup3, - dup2, -])); - -var msg4 = msg("01490113:01", part3); - -var part4 = 
match("MESSAGE#4:01490113:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.network.port is %{network_port}", processor_chain([ - dup3, - dup2, -])); - -var msg5 = msg("01490113:02", part4); - -var part5 = match("MESSAGE#5:01490113:03", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.listener.name is %{service}", processor_chain([ - dup3, - dup2, -])); - -var msg6 = msg("01490113:03", part5); - -var part6 = match("MESSAGE#6:01490113:04", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.network.protocol is %{network_service}", processor_chain([ - dup3, - dup2, -])); - -var msg7 = msg("01490113:04", part6); - -var part7 = match("MESSAGE#7:01490113:05", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.user.agent is %{info}", processor_chain([ - dup3, - dup2, -])); - -var msg8 = msg("01490113:05", part7); - -var part8 = match("MESSAGE#8:01490113:06", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.user.clientip is %{saddr}", processor_chain([ - dup3, - dup2, -])); - -var msg9 = msg("01490113:06", part8); - -var part9 = match("MESSAGE#9:01490113", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.%{info}", processor_chain([ - dup3, - dup2, -])); - -var msg10 = msg("01490113", part9); - -var select2 = linear_select([ - msg4, - msg5, - msg6, - msg7, - msg8, - msg9, - msg10, -]); - -var part10 = match("MESSAGE#10:01490010/1_0", "nwparser.p0", "%{fld10}:%{fld11}:%{sessionid}: Username '%{p0}"); - -var part11 = 
match("MESSAGE#10:01490010/1_1", "nwparser.p0", "%{sessionid}: Username '%{p0}"); - -var select3 = linear_select([ - part10, - part11, -]); - -var part12 = match("MESSAGE#10:01490010/2", "nwparser.p0", "%{username}'"); - -var all1 = all_match({ - processors: [ - dup4, - select3, - part12, - ], - on_success: processor_chain([ - setc("eventcategory","1401000000"), - dup2, - ]), -}); - -var msg11 = msg("01490010", all1); - -var part13 = match("MESSAGE#11:01490009", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: ACL '%{policyname}' assigned", processor_chain([ - setc("eventcategory","1501020000"), - dup2, -])); - -var msg12 = msg("01490009", part13); - -var part14 = match("MESSAGE#12:01490102", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Access policy result: %{result}", processor_chain([ - setc("eventcategory","1501000000"), - dup2, -])); - -var msg13 = msg("01490102", part14); - -var part15 = match("MESSAGE#13:01490000:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{authmethod->} authentication for user %{username->} using config %{fld8}", processor_chain([ - dup5, - dup2, -])); - -var msg14 = msg("01490000:02", part15); - -var part16 = match("MESSAGE#14:01490000:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: found HTTP %{resultcode->} in response header", processor_chain([ - dup6, - dup2, -])); - -var msg15 = msg("01490000:01", part16); - -var part17 = match("MESSAGE#15:01490000", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{filename->} func: \"%{action}\" line: %{fld8->} Msg: %{result}", processor_chain([ - dup5, - dup2, -])); - -var msg16 = msg("01490000", part17); - 
-var part18 = match("MESSAGE#16:01490000:03", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{event_description}", processor_chain([ - dup5, - dup2, -])); - -var msg17 = msg("01490000:03", part18); - -var select4 = linear_select([ - msg14, - msg15, - msg16, - msg17, -]); - -var part19 = match("MESSAGE#17:01490004", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{fld8}: Executed agent '%{application}', return value %{resultcode}", processor_chain([ - dup5, - dup2, -])); - -var msg18 = msg("01490004", part19); - -var part20 = match("MESSAGE#18:01490500/1_0", "nwparser.p0", "%{fld10}:%{fld11}:%{sessionid}: New session from client IP %{p0}"); - -var part21 = match("MESSAGE#18:01490500/1_1", "nwparser.p0", "%{sessionid}: New session from client IP %{p0}"); - -var select5 = linear_select([ - part20, - part21, -]); - -var part22 = match("MESSAGE#18:01490500/2", "nwparser.p0", "%{saddr->} (ST=%{location_state}/CC=%{location_country}/C=%{location_city}) at VIP %{p0}"); - -var part23 = match("MESSAGE#18:01490500/3_0", "nwparser.p0", "%{daddr->} Listener %{fld8->} (Reputation=%{category})"); - -var part24 = match("MESSAGE#18:01490500/3_1", "nwparser.p0", "%{daddr->} Listener %{fld8}"); - -var part25 = match_copy("MESSAGE#18:01490500/3_2", "nwparser.p0", "daddr"); - -var select6 = linear_select([ - part23, - part24, - part25, -]); - -var all2 = all_match({ - processors: [ - dup4, - select5, - part22, - select6, - ], - on_success: processor_chain([ - dup3, - dup2, - ]), -}); - -var msg19 = msg("01490500", all2); - -var part26 = match("MESSAGE#19:01490005", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following rule %{fld8->} from item %{fld9->} to ending %{fld10}", processor_chain([ - dup7, - dup2, -])); - -var msg20 = msg("01490005", part26); - -var part27 
= match("MESSAGE#20:01490006", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following rule %{fld8->} from item '%{fld9}' to item '%{fld10}'", processor_chain([ - dup7, - dup2, -])); - -var msg21 = msg("01490006", part27); - -var part28 = match("MESSAGE#21:01490007", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Session variable '%{change_attribute}' set to %{change_new}", processor_chain([ - dup7, - dup2, -])); - -var msg22 = msg("01490007", part28); - -var part29 = match("MESSAGE#22:01490008", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Connectivity resource %{application->} assigned", processor_chain([ - dup3, - dup2, -])); - -var msg23 = msg("01490008", part29); - -var part30 = match("MESSAGE#23:01490514", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{fld8}: Access encountered error: %{result}. 
File: %(unknown), Function: %{action}, Line: %{fld9}", processor_chain([ - dup6, - dup2, -])); - -var msg24 = msg("01490514", part30); - -var part31 = match("MESSAGE#24:01490505", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ - dup5, - dup2, -])); - -var msg25 = msg("01490505", part31); - -var msg26 = msg("01490501", dup18); - -var msg27 = msg("01490520", dup18); - -var part32 = match("MESSAGE#27:01490142", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ - setc("eventcategory","1609000000"), - dup2, -])); - -var msg28 = msg("01490142", part32); - -var part33 = match("MESSAGE#28:01490504", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{fqdn->} can not be resolved.", processor_chain([ - dup8, - dup2, -])); - -var msg29 = msg("01490504", part33); - -var part34 = match("MESSAGE#29:01490538", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{fld8}: Configuration snapshot deleted by Access.", processor_chain([ - dup8, - dup2, -])); - -var msg30 = msg("01490538", part34); - -var part35 = match("MESSAGE#30:01490107:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{fld8}' failed: Clients credentials have been revoked, principal name: %{username}@%{fqdn}. 
%{result->} %{fld9}", processor_chain([ - dup9, - dup2, -])); - -var msg31 = msg("01490107:01", part35); - -var part36 = match("MESSAGE#31:01490107", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed in %{action}: %{result->} %{fld8}", processor_chain([ - dup9, - dup2, -])); - -var msg32 = msg("01490107", part36); - -var part37 = match("MESSAGE#32:01490107:02/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed: %{p0}"); - -var part38 = match("MESSAGE#32:01490107:02/1_0", "nwparser.p0", "Client '%{fqdn}' not found in Kerberos database, principal name:%{fld10->} %{p0}"); - -var part39 = match("MESSAGE#32:01490107:02/1_1", "nwparser.p0", "%{result->} %{p0}"); - -var select7 = linear_select([ - part38, - part39, -]); - -var part40 = match_copy("MESSAGE#32:01490107:02/2", "nwparser.p0", "info"); - -var all3 = all_match({ - processors: [ - part37, - select7, - part40, - ], - on_success: processor_chain([ - dup9, - dup2, - ]), -}); - -var msg33 = msg("01490107:02", all3); - -var select8 = linear_select([ - msg31, - msg32, - msg33, -]); - -var part41 = match("MESSAGE#33:01490106", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed in %{action}: Preauthentication failed, principal name: %{fld8}. %{result->} %{fld9}", processor_chain([ - dup9, - dup2, -])); - -var msg34 = msg("01490106", part41); - -var part42 = match("MESSAGE#34:01490106:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed: Preauthentication failed, principal name: %{fld8}. 
%{result->} %{fld9}", processor_chain([ - dup9, - dup2, -])); - -var msg35 = msg("01490106:01", part42); - -var select9 = linear_select([ - msg34, - msg35, -]); - -var part43 = match("MESSAGE#35:01490128", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Webtop %{application->} assigned", processor_chain([ - dup5, - dup2, -])); - -var msg36 = msg("01490128", part43); - -var part44 = match("MESSAGE#36:01490101", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Access profile: %{fld8->} configuration has been applied. Newly active generation count is: %{dclass_counter1}", processor_chain([ - dup10, - dup2, - setc("dclass_counter1_string","Newly active generation count"), -])); - -var msg37 = msg("01490101", part44); - -var part45 = match("MESSAGE#37:01490103", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Retry Username '%{username}'", processor_chain([ - dup10, - dup2, -])); - -var msg38 = msg("01490103", part45); - -var part46 = match("MESSAGE#38:01490115", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following rule %{rulename->} from item %{fld9->} to terminalout %{fld10}", processor_chain([ - dup7, - dup2, -])); - -var msg39 = msg("01490115", part46); - -var part47 = match("MESSAGE#39:01490017", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Auth (logon attempt:%{dclass_counter1}): authenticate with '%{username}' successful", processor_chain([ - dup7, - dup2, - dup11, - dup12, -])); - -var msg40 = msg("01490017", part47); - -var part48 = match("MESSAGE#41:01490017:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} 
%{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Auth (logon attempt:%{dclass_counter1}): authenticate with '%{username}' failed", processor_chain([ - dup7, - dup2, - setc("disposition"," Failed"), - dup12, -])); - -var msg41 = msg("01490017:01", part48); - -var select10 = linear_select([ - msg40, - msg41, -]); - -var part49 = match("MESSAGE#40:01490013", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Retrieving AAA server: %{fld8}", processor_chain([ - dup7, - dup2, -])); - -var msg42 = msg("01490013", part49); - -var part50 = match("MESSAGE#42:01490019", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Query: query with '(sAMAccountName=%{username})' successful", processor_chain([ - dup7, - dup2, - dup11, -])); - -var msg43 = msg("01490019", part50); - -var part51 = match("MESSAGE#43:01490544", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Received client info - %{web_referer}", processor_chain([ - dup7, - dup2, -])); - -var msg44 = msg("01490544", part51); - -var part52 = match("MESSAGE#44:01490511", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Initializing Access profile %{fld8->} with max concurrent user sessions limit: %{dclass_counter1}", processor_chain([ - dup7, - dup2, - setc("dclass_counter1_string"," Max Concurrent User Sessions Limit"), -])); - -var msg45 = msg("01490511", part52); - -var part53 = match("MESSAGE#45:014d0002", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: SSOv2 Logon succeeded, config %{fld8->} form %{fld9}", processor_chain([ - dup7, - dup2, - setc("disposition","Succeeded"), -])); - -var msg46 = 
msg("014d0002", part53); - -var part54 = match("MESSAGE#46:014d0002:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: SSOv2 Logon failed, config %{fld8->} form %{fld9}", processor_chain([ - dup7, - dup2, - setc("disposition","Failed"), -])); - -var msg47 = msg("014d0002:01", part54); - -var select11 = linear_select([ - msg46, - msg47, -]); - -var part55 = match("MESSAGE#47:01490079", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: Access policy '%{fld8}' configuration has changed.Access profile '%{fld9}' configuration changes need to be applied for the new configuration", processor_chain([ - dup7, - dup2, -])); - -var msg48 = msg("01490079", part55); - -var part56 = match("MESSAGE#48:01490165", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Access profile: %{fld8->} initialized with configuration snapshot catalog: %{fld9}", processor_chain([ - dup7, - dup2, -])); - -var msg49 = msg("01490165", part56); - -var part57 = match("MESSAGE#49:01490166", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Current snapshot ID: %{fld8->} retrieved from session db for access profile: %{fld9}", processor_chain([ - dup7, - dup2, -])); - -var msg50 = msg("01490166", part57); - -var part58 = match("MESSAGE#50:01490167", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Current snapshot ID: %{fld8->} updated inside session db for access profile: %{fld9}", processor_chain([ - dup7, - dup2, -])); - -var msg51 = msg("01490167", part58); - -var part59 = match("MESSAGE#51:01490169", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Snapshot catalog entry: %{fld8->} added for access profile: %{fld9}", processor_chain([ - dup7, - dup2, -])); - -var 
msg52 = msg("01490169", part59); - -var part60 = match("MESSAGE#52:0149016a", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Initiating snapshot creation: %{fld8->} for access profile: %{fld9}", processor_chain([ - dup7, - dup2, -])); - -var msg53 = msg("0149016a", part60); - -var part61 = match("MESSAGE#53:0149016b", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Completed snapshot creation: %{fld8->} for access profile: %{fld9}", processor_chain([ - dup7, - dup2, -])); - -var msg54 = msg("0149016b", part61); - -var part62 = match("MESSAGE#54:ssl_acc/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}] %{saddr->} - %{p0}"); - -var part63 = match("MESSAGE#54:ssl_acc/1_0", "nwparser.p0", "- %{p0}"); - -var part64 = match("MESSAGE#54:ssl_acc/1_1", "nwparser.p0", "%{username->} %{p0}"); - -var select12 = linear_select([ - part63, - part64, -]); - -var part65 = match("MESSAGE#54:ssl_acc/2", "nwparser.p0", "[%{fld20->} %{timezone}] \"%{url}\" %{resultcode->} %{rbytes}"); - -var all4 = all_match({ - processors: [ - part62, - select12, - part65, - ], - on_success: processor_chain([ - dup13, - dup14, - dup2, - ]), -}); - -var msg55 = msg("ssl_acc", all4); - -var part66 = match("MESSAGE#55:ssl_req", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}]%{space}[%{fld20->} %{timezone}] %{saddr->} %{protocol->} %{encryption_type->} \"%{url}\" %{rbytes}", processor_chain([ - dup13, - dup14, - dup2, -])); - -var msg56 = msg("ssl_req", part66); - -var part67 = match("MESSAGE#56:acc", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}]%{space}[%{fld20->} %{timezone}] \"%{web_method->} %{url->} %{version}\" %{resultcode->} %{rbytes->} \"%{fld7}\" \"%{user_agent}\"", processor_chain([ - dup13, - dup14, - dup2, -])); - -var msg57 = 
msg("acc", part67); - -var part68 = match("MESSAGE#57:crond", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{username}(%{sessionid}): %{action}", processor_chain([ - dup15, - dup2, -])); - -var msg58 = msg("crond", part68); - -var msg59 = msg("crond:01", dup19); - -var part69 = match("MESSAGE#59:crond:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: (%{username}) %{info}", processor_chain([ - dup15, - dup2, -])); - -var msg60 = msg("crond:02", part69); - -var select13 = linear_select([ - msg58, - msg59, - msg60, -]); - -var part70 = match("MESSAGE#60:sSMTP", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{info}", processor_chain([ - setc("eventcategory","1207000000"), - dup2, -])); - -var msg61 = msg("sSMTP", part70); - -var part71 = match("MESSAGE#61:01420002", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{fld5}: AUDIT - pid=%{parent_pid->} user=%{username->} folder=%{directory->} module=%{fld6->} status=%{result->} cmd_data=%{info}", processor_chain([ - dup16, - dup2, -])); - -var msg62 = msg("01420002", part71); - -var part72 = match("MESSAGE#62:syslog-ng", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{info}", processor_chain([ - dup15, - dup2, -])); - -var msg63 = msg("syslog-ng", part72); - -var part73 = match("MESSAGE#63:syslog-ng:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}: %{info}", processor_chain([ - dup15, - dup2, -])); - -var msg64 = msg("syslog-ng:01", part73); - -var select14 = linear_select([ - msg63, - msg64, -]); - -var part74 = match("MESSAGE#64:auditd", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{info}", processor_chain([ - dup16, - dup2, -])); - -var msg65 = msg("auditd", 
part74); - -var part75 = match("MESSAGE#65:014d0001", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: ssoMethod: %{authmethod->} usernameSource: %{fld9->} passwordSource: %{fld10->} ntlmdomain: %{c_domain}", processor_chain([ - dup5, - dup2, -])); - -var msg66 = msg("014d0001", part75); - -var part76 = match("MESSAGE#66:014d0001:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: ctx: %{fld9}, %{p0}"); - -var part77 = match("MESSAGE#66:014d0001:01/1_0", "nwparser.p0", "SERVER %{p0}"); - -var part78 = match("MESSAGE#66:014d0001:01/1_1", "nwparser.p0", "CLIENT %{p0}"); - -var select15 = linear_select([ - part77, - part78, -]); - -var part79 = match("MESSAGE#66:014d0001:01/2", "nwparser.p0", ": %{info}"); - -var all5 = all_match({ - processors: [ - part76, - select15, - part79, - ], - on_success: processor_chain([ - dup5, - dup2, - ]), -}); - -var msg67 = msg("014d0001:01", all5); - -var msg68 = msg("014d0001:02", dup20); - -var select16 = linear_select([ - msg66, - msg67, - msg68, -]); - -var msg69 = msg("014d0044", dup20); - -var part80 = match("MESSAGE#69:01490549/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Assigned PPP Dynamic IPv4: %{stransaddr->} Tunnel Type: %{group->} %{fld8->} Resource: %{rulename->} Client IP: %{p0}"); - -var part81 = match("MESSAGE#69:01490549/1_0", "nwparser.p0", "%{saddr->} - %{fld9}"); - -var part82 = match("MESSAGE#69:01490549/1_1", "nwparser.p0", "%{saddr}"); - -var select17 = linear_select([ - part81, - part82, -]); - -var all6 = all_match({ - processors: [ - part80, - select17, - ], - on_success: processor_chain([ - dup3, - dup2, - ]), -}); - -var msg70 = msg("01490549", all6); - -var part83 = match("MESSAGE#70:01490547", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} 
%{fld5}[%{process_id}]: %{fld7}:%{fld6}: Access Profile %{rulename}: %{result->} for %{saddr}", processor_chain([ - dup3, - dup2, -])); - -var msg71 = msg("01490547", part83); - -var part84 = match("MESSAGE#71:01490517", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{result}", processor_chain([ - dup3, - dup2, -])); - -var msg72 = msg("01490517", part84); - -var part85 = match("MESSAGE#72:011f0005", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{result->} (Client side: vip=%{url->} profile=%{protocol->} pool=%{fld8->} client_ip=%{saddr})", processor_chain([ - dup3, - dup2, -])); - -var msg73 = msg("011f0005", part85); - -var part86 = match("MESSAGE#73:014d0048", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7->} %{rulename->} \u003c\u003c%{event_description}>: APM_EVENT=%{action->} | %{username->} | %{fld8->} ***%{result}***", processor_chain([ - dup3, - dup2, -])); - -var msg74 = msg("014d0048", part86); - -var part87 = match("MESSAGE#74:error", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: [%{fld7}] [client %{saddr}] %{result}: %{url}", processor_chain([ - dup3, - dup2, -])); - -var msg75 = msg("error", part87); - -var msg76 = msg("CROND:03", dup19); - -var part88 = match("MESSAGE#76:01260009", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]:%{fld7}:%{fld6}: Connection error:%{event_description}", processor_chain([ - dup6, - dup2, -])); - -var msg77 = msg("01260009", part88); - -var part89 = match("MESSAGE#77:apmd:04", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4->} /Common/home_agent_tca:Common:%{fld5}: %{fld6->} - Hostname: %{shost->} Type: %{fld7->} Version: %{version->} Platform: 
%{os->} CPU: %{fld8->} Mode:%{fld9}", processor_chain([ - dup15, - dup2, - dup17, -])); - -var msg78 = msg("apmd:04", part89); - -var part90 = match("MESSAGE#78:apmd:03", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4->} /Common/home_agent_tca:Common:%{fld5}: RADIUS module: parseResponse(): Access-Reject packet from host %{saddr}:%{sport->} %{fld7}", processor_chain([ - dup9, - dup2, - dup17, -])); - -var msg79 = msg("apmd:03", part90); - -var part91 = match("MESSAGE#79:apmd:02/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4->} /Common/home_agent_tca:Common:%{fld5}: RADIUS module: authentication with '%{username}' failed: %{p0}"); - -var part92 = match("MESSAGE#79:apmd:02/1_0", "nwparser.p0", "%{fld6->} from host %{saddr}:%{sport->} %{fld7}"); - -var part93 = match("MESSAGE#79:apmd:02/1_1", "nwparser.p0", "%{fld8}"); - -var select18 = linear_select([ - part92, - part93, -]); - -var all7 = all_match({ - processors: [ - part91, - select18, - ], - on_success: processor_chain([ - dup9, - dup2, - dup17, - ]), -}); - -var msg80 = msg("apmd:02", all7); - -var part94 = match("MESSAGE#80:apmd", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]:%{info}", processor_chain([ - dup15, - dup2, - dup17, -])); - -var msg81 = msg("apmd", part94); - -var select19 = linear_select([ - msg78, - msg79, - msg80, - msg81, -]); - -var chain1 = processor_chain([ - select1, - msgid_select({ - "011f0005": msg73, - "01260009": msg77, - "01420002": msg62, - "01490000": select4, - "01490004": msg18, - "01490005": msg20, - "01490006": msg21, - "01490007": msg22, - "01490008": msg23, - "01490009": msg12, - "01490010": msg11, - "01490013": msg42, - "01490017": select10, - "01490019": msg43, - "01490079": msg48, - "01490101": msg37, - "01490102": msg13, - "01490103": msg38, - "01490106": select9, - "01490107": select8, 
- "01490113": select2, - "01490115": msg39, - "01490128": msg36, - "01490142": msg28, - "01490165": msg49, - "01490166": msg50, - "01490167": msg51, - "01490169": msg52, - "0149016a": msg53, - "0149016b": msg54, - "01490500": msg19, - "01490501": msg26, - "01490502": msg1, - "01490504": msg29, - "01490505": msg25, - "01490506": msg3, - "01490511": msg45, - "01490514": msg24, - "01490517": msg72, - "01490520": msg27, - "01490521": msg2, - "01490538": msg30, - "01490544": msg44, - "01490547": msg71, - "01490549": msg70, - "014d0001": select16, - "014d0002": select11, - "014d0044": msg69, - "CROND": msg76, - "Rule": msg74, - "acc": msg57, - "apmd": select19, - "auditd": msg65, - "crond": select13, - "error": msg75, - "sSMTP": msg61, - "ssl_acc": msg55, - "ssl_req": msg56, - "syslog-ng": select14, - }), -]); - -var part95 = match("MESSAGE#10:01490010/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{p0}"); - -var part96 = match("MESSAGE#0:01490502", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ - dup1, - dup2, -])); - -var part97 = match("MESSAGE#58:crond:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ - dup15, - dup2, -])); - -var part98 = match("MESSAGE#67:014d0001:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{info}", processor_chain([ - dup5, - dup2, -])); diff --git a/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml b/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml deleted file mode 100644 index 814b2b0f30d..00000000000 --- a/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml +++ /dev/null 
@@ -1,88 +0,0 @@
----
-description: Pipeline for Big-IP Access Policy Manager
-
-processors:
- # ECS event.ingested
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
- # User agent
- - user_agent:
- field: user_agent.original
- ignore_missing: true
- # URL
- - uri_parts:
- field: url.original
- target_field: _temp_.url
- ignore_failure: true
- if: ctx?.url?.original != null
- - script:
- lang: painless
- description: Updates the URL ECS fields from the results of the URI parts processor to not overwrite the RSA mappings
- if: ctx?._temp_?.url != null
- source: |
- for (entry in ctx._temp_.url.entrySet()) {
- if (entry != null && entry.getValue() != null) {
- if(ctx.url[entry.getKey()] == null) {
- ctx.url[entry.getKey()] = entry.getValue();
- } else if (!ctx.url[entry.getKey()].contains(entry.getValue())) {
- ctx.url[entry.getKey()] = [ctx.url[entry.getKey()]];
- ctx.url[entry.getKey()].add(entry.getValue());
- }
- }
- }
- - remove:
- field: _temp_
- ignore_missing: true
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
-
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
-
- append:
- field: related.hosts
- value: '{{host.name}}'
- allow_duplicates: false
- if: ctx.host?.name != null && ctx.host?.name != ''
-on_failure:
- - append:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/f5/bigipapm/manifest.yml b/x-pack/filebeat/module/f5/bigipapm/manifest.yml
deleted file mode 100644
index 6a527419285..00000000000
--- a/x-pack/filebeat/module/f5/bigipapm/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-module_version: "1.0"
-
-var:
- - name: paths
- - name: tags
- default: ["f5.bigipapm", "forwarded"]
- - name: syslog_host
- default: localhost
- - name: syslog_port
- default: 9526
- - name: input
- default: udp
- - name: community_id
- default: true
- - name: tz_offset
- default: local
- - name: rsa_fields
- default: true
- - name: keep_raw_fields
- default: false
- - name: debug
- default: false
-
-ingest_pipeline: ingest/pipeline.yml
-input: config/input.yml
-
-requires.processors:
-- name: geoip
- plugin: ingest-geoip
-- name: user_agent
- plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/f5/bigipapm/test/generated.log b/x-pack/filebeat/module/f5/bigipapm/test/generated.log
deleted file mode 100644
index 979e5ccffa4..00000000000
--- a/x-pack/filebeat/module/f5/bigipapm/test/generated.log
+++ /dev/null
@@ -1,100 +0,0 @@ -January 2016/01/29 06:09:59 aliqu high equepor[6720]: 01490106: :dolore: sequa: AD module: authentication with 'abo' failed: Preauthentication failed, principal name: squira. success reeufugi -February 2016/02/12 13:12:33 billoi medium orev[6153]: 01490504: :tatemU: deF: sist1803.mail.local can not be resolved. -February 2016/02/26 20:15:08 aqui low sSMTP[1166]: isetq -March 2016/03/12 03:17:42 seq high crond[5738]: (ccaecat) veleumi -March 2016/03/26 10:20:16 ude very-high veri[5990]: 01490113: :tempo: inv: session.user.clientip is 10.134.175.248 -April 2016/04/09 17:22:51 lupta low rsitvolu[2044]: 01490128: :pori: occ: Webtop ect assigned -April 2016/04/24 00:25:25 aedic high gni: [syslog-ng] -May 2016/05/08 07:27:59 labor low isqu: 01490167: :uis: Current snapshot ID: idolore updated inside session db for access profile: onse -May 2016/05/22 14:30:33 metcon low emeumfug[6823]: 01490505: :emporinc: untutlab: tem -June 2016/06/05 21:33:08 tessec very-high ali[6446]: sSMTP: -June 2016/06/20 04:35:42 riat medium atvol[98]: 014d0044: :uames: tati -July 2016/07/04 11:38:16 sinto very-high CSed[2857]: 01490514: :utlabore: ecillu: Access encountered error: success. 
File: mnisist, Function: deny, Line: icons -July 2016/07/18 18:40:50 lum high CROND[1675]: (sitvolup) CMD (cancel) -August 2016/08/02 01:43:25 uipe very-high siarchi[2289]: 01490500: :aliqu: olupta:mipsumd:eFinib: New session from client IP 10.204.123.107 (ST=saute/CC=ercit/C=usmodt) at VIP 10.225.160.182 Listener mque -August 2016/08/16 08:45:59 dol high quiratio[3386]: 01490511: :tisetq: tevelite: Initializing Access profile orporiss with max concurrent user sessions limit: 4739 -August 2016/08/30 15:48:33 paquioff medium derit[4688]: 01490544: :hende: piscin: Received client info - https://mail.example.com/laboree/tfu.html?liqu=eporr#xeacomm -September 2016/09/13 22:51:07 fugiatnu high tobea[2364]: 014d0001: :tateve: ctx: itinvol, SERVER : eavolup -September 2016/09/28 05:53:42 remag very-high abor[5983]: 01490103: :tquiin: tse: Retry Username 'tenimad' -October 2016/10/12 12:56:16 niamqui low amcol[5625]: 01490113: :ipisci: gitsed: session.server.network.port is 4374 -October 2016/10/26 19:58:50 nturma low cusant[4946]: 01490106: :etur: itecto: AD module: authentication with 'reetdol' failed: Preauthentication failed, principal name: totamre. success ercita -November 2016/11/10 03:01:24 proiden medium mvele[5737]: 014d0044: :aco: tio -November 2016/11/24 10:03:59 quaea very-high mvel[1188]: 01490520: :porinc: tetur: xce -December 2016/12/08 17:06:33 aincidu very-high uaeab[5960]: 01490008: :licabo: enimadmi: Connectivity resource utaliqu assigned -December 2016/12/23 00:09:07 cola high oremi[1485]: 01490128: :ineavol: iosa: Webtop boNemoe assigned -January 2017/01/06 07:11:41 Nequepor medium rem[5461]: 01490538: :esseq: adminima: Configuration snapshot deleted by Access. 
-January 2017/01/20 14:14:16 ptateve very-high miurerep: 01490165: :toccaec: Access profile: fugi initialized with configuration snapshot catalog: labo -February 2017/02/03 21:16:50 sBono high equ[4808]: 01490005: :amvo: siuta: Following rule urmagn from item dquia to ending temporin -February 2017/02/18 04:19:24 iruredol very-high derit[5270]: 01490106: :atquo: cupi: AD module: authentication with 'strude' failed in allow: Preauthentication failed, principal name: dunt. success yCic -March 2017/03/04 11:21:59 unte very-high ueipsa[748]: 011f0005: :cti: failure (Client side: vip=https://www5.example.com/olli/rever.html?rsp=oluptat#metco profile=ipv6-icmp pool=edolorin client_ip=10.104.110.134) -March 2017/03/18 18:24:33 ptasnula high syslog-ng[2638]: ill -April 2017/04/02 01:27:07 caboNem medium laudan[7589]: 01490107: :oconse: mag: AD module: authentication with 'tob' failed: Client 'dolores2519.mail.host' not found in Kerberos database, principal name:deF itempo -April 2017/04/16 08:29:41 meaque high mip[5899]: 01490107: :lamc: mvolupta: AD module: authentication with 'Utenima' failed: Clients credentials have been revoked, principal name: iqua@luptat2979.internal.local. unknown cididu -April 2017/04/30 15:32:16 atDuis medium nisiut: 01490166: :rumwri: Current snapshot ID: velill retrieved from session db for access profile: ore -May 2017/05/14 22:34:50 uptat high amquisno: 0149016b: :uido: Completed snapshot creation: tla for access profile: mquiad -May 2017/05/29 05:37:24 atur very-high ditau[4727]: 01490514: :piscivel: hend: Access encountered error: success. 
File: cepteur, Function: accept, Line: maliqu -June 2017/06/12 12:39:58 acon very-high sun[5971]: 01490501: :labori: porai: umiure -June 2017/06/26 19:42:33 eufug low uido[4318]: 01490500: :ici: snulap: New session from client IP 10.122.204.151 (ST=writte/CC=sitvo/C=ine) at VIP 10.169.101.161 Listener itessequ -July 2017/07/11 02:45:07 udan low essequam[3682]: 01490113: :urQuis: etcon: session.server.network.protocol is onsequu -July 2017/07/25 09:47:41 gelitse very-high arc[2412]: 01490013: :radip: upta: AD agent: Retrieving AAA server: tetura -August 2017/08/08 16:50:15 imavenia low mquido[5899]: 01490517: :rnat: rur: success -August 2017/08/22 23:52:50 nonn high met[1580]: 01420002: : AUDIT - pid=2037 user=ptate folder=entsu module=conse status=failure cmd_data=ntut -September 2017/09/06 06:55:24 iconsequ high idunt[571]: 01490549: :siuta: atev: Assigned PPP Dynamic IPv4: 10.6.32.7 Tunnel Type: exerci inesciu Resource: quid Client IP: 10.198.70.58 - orem -September 2017/09/20 13:57:58 reetdo medium lup[5051]: 01260009: :eos: Connection error:ipitlabo -October 2017/10/04 21:00:32 reprehen very-high syslog-ng[6438]: imid -October 2017/10/19 04:03:07 sunt very-high aturQu[7083]: 01490128: :tDuis: iqu: Webtop oriosamn assigned -November 2017/11/02 11:05:41 iquip very-high sedquian[4212]: 01490004: :etdolore: magnaa: Executed agent 'sumquiad', return value iusmodt -November 2017/11/16 18:08:15 equam low eaqueip[5207]: 01490538: :aevitaed: byCic: Configuration snapshot deleted by Access. -December 2017/12/01 01:10:49 xerc high eturad[1760]: 01490506: :nvol: enimadmi: Received User-Agent header: mobmail android 2.1.3.3150 -December 2017/12/15 08:13:24 sumdolo medium rors[1935]: 01490538: :oremque: quaU: Configuration snapshot deleted by Access. 
-December 2017/12/29 15:15:58 ioff medium quioff: 0149016a: :iuntN: Initiating snapshot creation: ipis for access profile: itautfu -January 2018/01/12 22:18:32 rchit medium roquisqu[5924]: 01490005: :iquid: evo: Following rule mcorpori from item mqu to ending pteursi -January 2018/01/27 05:21:06 itessequ low fdeFinib[2580]: 01490128: :sumd: sectetur: Webtop edquian assigned -February 2018/02/10 12:23:41 quiav low rit: 0149016a: :eumfu: Initiating snapshot creation: lors for access profile: oluptat -February 2018/02/24 19:26:15 oeiusmo very-high cusanti[5019]: 01420002: : AUDIT - pid=4996 user=rem folder=tseddoei module=teursint status=success cmd_data=remagnaa -March 2018/03/11 02:28:49 ore low ovolupta: 0149016b: :volup: Completed snapshot creation: macc for access profile: ria -March 2018/03/25 09:31:24 uisau high irat[2943]: 01490549: :emsequi: ueporroq: Assigned PPP Dynamic IPv4: 10.142.213.80 Tunnel Type: tationu gnaaliq Resource: olore Client IP: 10.16.181.60 - ameaquei -April 2018/04/08 16:33:58 liq low mvolupta: syslog-ng: -April 2018/04/22 23:36:32 exe high illum[2625]: 01490101: :emi: reprehen: Access profile: tvol configuration has been applied. 
Newly active generation count is: 5959 -May 2018/05/07 06:39:06 iumt medium nulapari[1973]: 01490500: :tsunt: rnat:oremi:ectobeat: New session from client IP 10.187.64.126 (ST=uasiarch/CC=Malor/C=boriosa) at VIP 10.47.99.72 Listener upt (Reputation=oremipsu) -May 2018/05/21 13:41:41 sint low auditd[3376]: ctobeat -June 2018/06/04 20:44:15 lorumw high tdolo[3872]: syslog-ng: -June 2018/06/19 03:46:49 namaliqu medium aeca[4543]: 014d0044: :autemv: sciveli -July 2018/07/03 10:49:23 piciati medium ntin[4646]: 01260009: :rcitat: Connection error:cinge -July 2018/07/17 17:51:58 iqui low litani[3126]: 01490142: :itanimi: onoru: data -August 2018/08/01 00:54:32 uptatem high ruredol: 01490079: :iadeseru: loremagn: Access policy 'acons' configuration has changed.Access profile 'nimadmi' configuration changes need to be applied for the new configuration -August 2018/08/15 07:57:06 lupt very-high eavolupt: 01490167: :uipe: Current snapshot ID: ipsa updated inside session db for access profile: con -August 2018/08/29 14:59:40 nesciu low ssequ[4877]: 01490008: :emse: emqui: Connectivity resource cipitla assigned -September 2018/09/12 22:02:15 ionevo high ptate[52]: 01490102: :uira: todita: Access policy result: failure -September 2018/09/27 05:04:49 iqu low tatis[7767]: 01490113: :reeufugi: sequines: session.server.network.protocol is minimve -October 2018/10/11 12:07:23 aborio low setquas: 014d0002: :nbyCi: runtmoll: SSOv2 Logon failed, config busBon form norumetM -October 2018/10/25 19:09:57 billoinv high deomn[904]: 01490113: :mali: roinBCSe: session.server.network.port is 3959 -November 2018/11/09 02:12:32 rch high sedd: 01490079: :atione: tvolup: Access policy 'oremeu' configuration has changed.Access profile 'lab' configuration changes need to be applied for the new configuration -November 2018/11/23 09:15:06 urau medium upt[4762]: 01490538: :itaedict: eroi: Configuration snapshot deleted by Access. 
-December 2018/12/07 16:17:40 reetdo low nidol[4345]: 01490113: :writtenb: atevelit: session.server.listener.name is ugitsed -December 2018/12/21 23:20:14 uatDuisa high ano[4054]: 01490102: :uunturm: iatn: Access policy result: unknown -January 2019/01/05 06:22:49 psum very-high exerci[3923]: 01490113: :lumqu: moen: session.oinvento -January 2019/01/19 13:25:23 volup very-high crond[4071]: (iconsequ) CMD (block) -February 2019/02/02 20:27:57 archite high rem[6473]: 01490008: :emp: inBC: Connectivity resource did assigned -February 2019/02/17 03:30:32 etconse medium uinesci: 0149016a: :otamr: Initiating snapshot creation: tsed for access profile: rExc -March 2019/03/03 10:33:06 omnisis very-high uptatema[7023]: 01490501: :stiaec: Cicero: ven -March 2019/03/17 17:35:40 cons low ine[870]: 011f0005: :amquisn: success (Client side: vip=https://example.net/equamn/scipi.txt?eiu=maliquam#gnama profile=rdp pool=squamest client_ip=10.24.113.101) -April 2019/04/01 00:38:14 uelaudan low teiru[4918]: 014d0044: :orinrep: pta -April 2019/04/15 07:40:49 sis very-high rchite[7405]: 01490521: :rvelill: rors: Session statistics - bytes in:6092, bytes out: 1363 -April 2019/04/29 14:43:23 Nequepo high CROND[2977]: (emac) CMD (cancel) -May 2019/05/13 21:45:57 isci high ugiatn: 0149016b: :squa: Completed snapshot creation: deseru for access profile: aquioff -May 2019/05/28 04:48:31 onsequat high giatq[7733]: 01490106: :imad: tura: AD module: authentication with 'equuntur' failed: Preauthentication failed, principal name: rve. 
success mqua -June 2019/06/11 11:51:06 utlabore very-high exea[2867]: 01490008: :amquisn: itquii: Connectivity resource imaven assigned -June 2019/06/25 18:53:40 lloinve low nim[7673]: 01490511: :edquiac: psamvolu: Initializing Access profile teturad with max concurrent user sessions limit: 7783 -July 2019/07/10 01:56:14 tatemse low vitae[72]: 01490000: :samvolu: dip -July 2019/07/24 08:58:48 Dui medium nostrude[7057]: 01490007: :ione: ecillum: Session variable 'maccu' set to ame -August 2019/08/07 16:01:23 reprehe medium enimipsa[2698]: 01490521: :samn: quisnos: Session statistics - bytes in:2132, bytes out: 2552 -August 2019/08/21 23:03:57 Nequepor low temseq[613]: 01490019: :ostrumex: suscipi: AD agent: Query: query with '(sAMAccountName=xplicabo)' successful -September 2019/09/05 06:06:31 ameaquei very-high uelaud[1306]: 01490544: :ameiu: utei: Received client info - https://internal.example.net/lumquid/oluptat.jpg?equepor=iosamn#erspicia -September 2019/09/19 13:09:05 psumqui high ncu: 01490079: :quaturve: ciad: Access policy 'diconseq' configuration has changed.Access profile 'utod' configuration changes need to be applied for the new configuration -October 2019/10/03 20:11:40 giatquo low dipisciv[5944]: 01490013: :atquo: umetMa: AD agent: Retrieving AAA server: ngelitse -October 2019/10/18 03:14:14 tem very-high giatnula[71]: Rule: enimadmi <: APM_EVENT=deny | aecon | sedq ***failure*** -November 2019/11/01 10:16:48 erc low tasnu: [syslog-ng] -November 2019/11/15 17:19:22 ationevo very-high datatno[3538]: 01490019: :siar: orisnis: AD agent: Query: query with '(sAMAccountName=texp)' successful -November 2019/11/30 00:21:57 pidat very-high sSMTP[6673]: ptateve -December 2019/12/14 07:24:31 olupta medium oremagn[2121]: 01490106: :itseddo: uptatev: AD module: authentication with 'oditem' failed in allow: Preauthentication failed, principal name: inimaven. failure olor 
diff --git a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json
deleted file mode 100644
index b02e40030fb..00000000000
--- a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json
+++ /dev/null
@@ -1,2633 +0,0 @@ -[ - { - "@timestamp": "2016-01-29T08:09:59.000Z", - "event.code": "01490106", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "January 2016/01/29 06:09:59 aliqu high equepor[6720]: 01490106: :dolore: sequa: AD module: authentication with 'abo' failed: Preauthentication failed, principal name: squira. success reeufugi", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "high", - "log.offset": 0, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 6720, - "related.user": [ - "abo" - ], - "rsa.internal.messageid": "01490106", - "rsa.misc.log_session_id": "sequa", - "rsa.misc.result": "success", - "rsa.misc.severity": "high", - "rsa.time.event_time": "2016-01-29T08:09:59.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ], - "user.name": "abo" - }, - { - "@timestamp": "2016-02-12T15:12:33.000Z", - "event.code": "01490504", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "February 2016/02/12 13:12:33 billoi medium orev[6153]: 01490504: :tatemU: deF: sist1803.mail.local can not be resolved.", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "medium", - "log.offset": 192, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 6153, - "related.hosts": [ - "sist1803.mail.local" - ], - "rsa.internal.messageid": "01490504", - "rsa.misc.log_session_id": "deF", - "rsa.misc.severity": "medium", - "rsa.time.event_time": "2016-02-12T15:12:33.000Z", - "rsa.web.fqdn": "sist1803.mail.local", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2016-02-26T22:15:08.000Z", - "event.code": "sSMTP", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "February 2016/02/26 20:15:08 aqui low sSMTP[1166]: isetq", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": 
"low", - "log.offset": 312, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 1166, - "rsa.db.index": "isetq", - "rsa.internal.messageid": "sSMTP", - "rsa.misc.client": "sSMTP", - "rsa.misc.severity": "low", - "rsa.time.event_time": "2016-02-26T22:15:08.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2016-03-12T05:17:42.000Z", - "event.code": "crond", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "March 2016/03/12 03:17:42 seq high crond[5738]: (ccaecat) veleumi", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "high", - "log.offset": 369, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 5738, - "related.user": [ - "ccaecat" - ], - "rsa.db.index": "veleumi", - "rsa.internal.messageid": "crond", - "rsa.misc.client": "crond", - "rsa.misc.severity": "high", - "rsa.time.event_time": "2016-03-12T05:17:42.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ], - "user.name": "ccaecat" - }, - { - "@timestamp": "2016-03-26T12:20:16.000Z", - "event.code": "01490113", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "March 2016/03/26 10:20:16 ude very-high veri[5990]: 01490113: :tempo: inv: session.user.clientip is 10.134.175.248", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "very-high", - "log.offset": 435, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 5990, - "related.ip": [ - "10.134.175.248" - ], - "rsa.internal.messageid": "01490113", - "rsa.misc.log_session_id": "inv", - "rsa.misc.severity": "very-high", - "rsa.time.event_time": "2016-03-26T12:20:16.000Z", - "service.type": "f5", - "source.ip": "10.134.175.248", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2016-04-09T19:22:51.000Z", - 
"event.code": "01490128", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "April 2016/04/09 17:22:51 lupta low rsitvolu[2044]: 01490128: :pori: occ: Webtop ect assigned", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "low", - "log.offset": 550, - "network.application": "ect", - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 2044, - "rsa.internal.messageid": "01490128", - "rsa.misc.log_session_id": "occ", - "rsa.misc.severity": "low", - "rsa.time.event_time": "2016-04-09T19:22:51.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2016-04-24T02:25:25.000Z", - "event.code": "syslog-ng", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "April 2016/04/24 00:25:25 aedic high gni: [syslog-ng]", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "high", - "log.offset": 644, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "rsa.db.index": "[syslog-ng]", - "rsa.internal.messageid": "syslog-ng", - "rsa.misc.client": "gni", - "rsa.misc.severity": "high", - "rsa.time.event_time": "2016-04-24T02:25:25.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2016-05-08T09:27:59.000Z", - "event.code": "01490167", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "May 2016/05/08 07:27:59 labor low isqu: 01490167: :uis: Current snapshot ID: idolore updated inside session db for access profile: onse", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "low", - "log.offset": 698, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "rsa.internal.messageid": "01490167", - "rsa.misc.severity": "low", - "rsa.time.event_time": "2016-05-08T09:27:59.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - 
"forwarded" - ] - }, - { - "@timestamp": "2016-05-22T16:30:33.000Z", - "event.code": "01490505", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "May 2016/05/22 14:30:33 metcon low emeumfug[6823]: 01490505: :emporinc: untutlab: tem", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "low", - "log.offset": 834, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 6823, - "rsa.internal.event_desc": "tem", - "rsa.internal.messageid": "01490505", - "rsa.misc.log_session_id": "untutlab", - "rsa.misc.severity": "low", - "rsa.time.event_time": "2016-05-22T16:30:33.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2016-06-05T23:33:08.000Z", - "event.code": "sSMTP", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "June 2016/06/05 21:33:08 tessec very-high ali[6446]: sSMTP: ", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "very-high", - "log.offset": 920, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 6446, - "rsa.db.index": "sSMTP:", - "rsa.internal.messageid": "sSMTP", - "rsa.misc.client": "ali", - "rsa.misc.severity": "very-high", - "rsa.time.event_time": "2016-06-05T23:33:08.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2016-06-20T06:35:42.000Z", - "event.code": "014d0044", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "June 2016/06/20 04:35:42 riat medium atvol[98]: 014d0044: :uames: tati", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "medium", - "log.offset": 981, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 98, - "rsa.db.index": "tati", - "rsa.internal.messageid": "014d0044", - "rsa.misc.severity": "medium", - "rsa.time.event_time": 
"2016-06-20T06:35:42.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2016-07-04T13:38:16.000Z", - "event.action": "deny", - "event.code": "01490514", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "July 2016/07/04 11:38:16 sinto very-high CSed[2857]: 01490514: :utlabore: ecillu: Access encountered error: success. File: mnisist, Function: deny, Line: icons", - "file.name": "mnisist", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "very-high", - "log.offset": 1052, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 2857, - "rsa.internal.messageid": "01490514", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.misc.severity": "very-high", - "rsa.time.event_time": "2016-07-04T13:38:16.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2016-07-18T20:40:50.000Z", - "event.action": "cancel", - "event.code": "CROND", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "July 2016/07/18 18:40:50 lum high CROND[1675]: (sitvolup) CMD (cancel)", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "high", - "log.offset": 1212, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 1675, - "related.user": [ - "sitvolup" - ], - "rsa.internal.messageid": "CROND", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.client": "CROND", - "rsa.misc.severity": "high", - "rsa.time.event_time": "2016-07-18T20:40:50.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ], - "user.name": "sitvolup" - }, - { - "@timestamp": "2016-08-02T03:43:25.000Z", - "destination.ip": "10.225.160.182", - "event.code": "01490500", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "August 2016/08/02 01:43:25 uipe very-high 
siarchi[2289]: 01490500: :aliqu: olupta:mipsumd:eFinib: New session from client IP 10.204.123.107 (ST=saute/CC=ercit/C=usmodt) at VIP 10.225.160.182 Listener mque", - "fileset.name": "bigipapm", - "geo.city_name": "usmodt", - "geo.country_name": "ercit", - "geo.region_name": "saute", - "input.type": "log", - "log.level": "very-high", - "log.offset": 1283, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 2289, - "related.ip": [ - "10.204.123.107", - "10.225.160.182" - ], - "rsa.internal.messageid": "01490500", - "rsa.misc.log_session_id": "eFinib", - "rsa.misc.severity": "very-high", - "rsa.time.event_time": "2016-08-02T03:43:25.000Z", - "service.type": "f5", - "source.ip": "10.204.123.107", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2016-08-16T10:45:59.000Z", - "event.code": "01490511", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "August 2016/08/16 08:45:59 dol high quiratio[3386]: 01490511: :tisetq: tevelite: Initializing Access profile orporiss with max concurrent user sessions limit: 4739", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "high", - "log.offset": 1488, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 3386, - "rsa.counters.dclass_c1": 4739, - "rsa.counters.dclass_c1_str": " Max Concurrent User Sessions Limit", - "rsa.internal.messageid": "01490511", - "rsa.misc.log_session_id": "tevelite", - "rsa.misc.severity": "high", - "rsa.time.event_time": "2016-08-16T10:45:59.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2016-08-30T17:48:33.000Z", - "event.code": "01490544", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "August 2016/08/30 15:48:33 paquioff medium derit[4688]: 01490544: :hende: piscin: Received client info - 
https://mail.example.com/laboree/tfu.html?liqu=eporr#xeacomm", - "fileset.name": "bigipapm", - "http.request.referrer": "https://mail.example.com/laboree/tfu.html?liqu=eporr#xeacomm", - "input.type": "log", - "log.level": "medium", - "log.offset": 1652, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 4688, - "rsa.internal.messageid": "01490544", - "rsa.misc.log_session_id": "piscin", - "rsa.misc.severity": "medium", - "rsa.time.event_time": "2016-08-30T17:48:33.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2016-09-14T00:51:07.000Z", - "event.code": "014d0001", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "September 2016/09/13 22:51:07 fugiatnu high tobea[2364]: 014d0001: :tateve: ctx: itinvol, SERVER : eavolup", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "high", - "log.offset": 1818, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 2364, - "rsa.db.index": "eavolup", - "rsa.internal.messageid": "014d0001", - "rsa.misc.severity": "high", - "rsa.time.event_time": "2016-09-14T00:51:07.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2016-09-28T07:53:42.000Z", - "event.code": "01490103", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "September 2016/09/28 05:53:42 remag very-high abor[5983]: 01490103: :tquiin: tse: Retry Username 'tenimad'", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "very-high", - "log.offset": 1925, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 5983, - "related.user": [ - "tenimad" - ], - "rsa.internal.messageid": "01490103", - "rsa.misc.log_session_id": "tse", - "rsa.misc.severity": "very-high", - "rsa.time.event_time": "2016-09-28T07:53:42.000Z", - 
"service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ], - "user.name": "tenimad" - }, - { - "@timestamp": "2016-10-12T14:56:16.000Z", - "event.code": "01490113", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "October 2016/10/12 12:56:16 niamqui low amcol[5625]: 01490113: :ipisci: gitsed: session.server.network.port is 4374", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "low", - "log.offset": 2032, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 5625, - "rsa.internal.messageid": "01490113", - "rsa.misc.log_session_id": "gitsed", - "rsa.misc.severity": "low", - "rsa.network.network_port": 4374, - "rsa.time.event_time": "2016-10-12T14:56:16.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2016-10-26T21:58:50.000Z", - "event.code": "01490106", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "October 2016/10/26 19:58:50 nturma low cusant[4946]: 01490106: :etur: itecto: AD module: authentication with 'reetdol' failed: Preauthentication failed, principal name: totamre. 
success ercita", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "low", - "log.offset": 2148, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 4946, - "related.user": [ - "reetdol" - ], - "rsa.internal.messageid": "01490106", - "rsa.misc.log_session_id": "itecto", - "rsa.misc.result": "success", - "rsa.misc.severity": "low", - "rsa.time.event_time": "2016-10-26T21:58:50.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ], - "user.name": "reetdol" - }, - { - "@timestamp": "2016-11-10T05:01:24.000Z", - "event.code": "014d0044", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "November 2016/11/10 03:01:24 proiden medium mvele[5737]: 014d0044: :aco: tio", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "medium", - "log.offset": 2341, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 5737, - "rsa.db.index": "tio", - "rsa.internal.messageid": "014d0044", - "rsa.misc.severity": "medium", - "rsa.time.event_time": "2016-11-10T05:01:24.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2016-11-24T12:03:59.000Z", - "event.code": "01490520", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "November 2016/11/24 10:03:59 quaea very-high mvel[1188]: 01490520: :porinc: tetur: xce", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "very-high", - "log.offset": 2418, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 1188, - "rsa.internal.event_desc": "xce", - "rsa.internal.messageid": "01490520", - "rsa.misc.log_session_id": "tetur", - "rsa.misc.severity": "very-high", - "rsa.time.event_time": "2016-11-24T12:03:59.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": 
"2016-12-08T19:06:33.000Z", - "event.code": "01490008", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "December 2016/12/08 17:06:33 aincidu very-high uaeab[5960]: 01490008: :licabo: enimadmi: Connectivity resource utaliqu assigned", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "very-high", - "log.offset": 2505, - "network.application": "utaliqu", - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 5960, - "rsa.internal.messageid": "01490008", - "rsa.misc.log_session_id": "enimadmi", - "rsa.misc.severity": "very-high", - "rsa.time.event_time": "2016-12-08T19:06:33.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2016-12-23T02:09:07.000Z", - "event.code": "01490128", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "December 2016/12/23 00:09:07 cola high oremi[1485]: 01490128: :ineavol: iosa: Webtop boNemoe assigned", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "high", - "log.offset": 2633, - "network.application": "boNemoe", - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 1485, - "rsa.internal.messageid": "01490128", - "rsa.misc.log_session_id": "iosa", - "rsa.misc.severity": "high", - "rsa.time.event_time": "2016-12-23T02:09:07.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2017-01-06T09:11:41.000Z", - "event.code": "01490538", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "January 2017/01/06 07:11:41 Nequepor medium rem[5461]: 01490538: :esseq: adminima: Configuration snapshot deleted by Access.", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "medium", - "log.offset": 2735, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 5461, - 
"rsa.internal.messageid": "01490538", - "rsa.misc.severity": "medium", - "rsa.time.event_time": "2017-01-06T09:11:41.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2017-01-20T16:14:16.000Z", - "event.code": "01490165", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "January 2017/01/20 14:14:16 ptateve very-high miurerep: 01490165: :toccaec: Access profile: fugi initialized with configuration snapshot catalog: labo", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "very-high", - "log.offset": 2860, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "rsa.internal.messageid": "01490165", - "rsa.misc.severity": "very-high", - "rsa.time.event_time": "2017-01-20T16:14:16.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2017-02-03T23:16:50.000Z", - "event.code": "01490005", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "February 2017/02/03 21:16:50 sBono high equ[4808]: 01490005: :amvo: siuta: Following rule urmagn from item dquia to ending temporin", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "high", - "log.offset": 3011, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 4808, - "rsa.internal.messageid": "01490005", - "rsa.misc.log_session_id": "siuta", - "rsa.misc.severity": "high", - "rsa.time.event_time": "2017-02-03T23:16:50.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2017-02-18T06:19:24.000Z", - "event.action": "allow", - "event.code": "01490106", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "February 2017/02/18 04:19:24 iruredol very-high derit[5270]: 01490106: :atquo: cupi: AD module: authentication with 'strude' failed in allow: Preauthentication failed, principal 
name: dunt. success yCic", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "very-high", - "log.offset": 3143, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 5270, - "related.user": [ - "strude" - ], - "rsa.internal.messageid": "01490106", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.log_session_id": "cupi", - "rsa.misc.result": "success", - "rsa.misc.severity": "very-high", - "rsa.time.event_time": "2017-02-18T06:19:24.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ], - "user.name": "strude" - }, - { - "@timestamp": "2017-03-04T13:21:59.000Z", - "event.code": "011f0005", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "March 2017/03/04 11:21:59 unte very-high ueipsa[748]: 011f0005: :cti: failure (Client side: vip=https://www5.example.com/olli/rever.html?rsp=oluptat#metco profile=ipv6-icmp pool=edolorin client_ip=10.104.110.134)", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "very-high", - "log.offset": 3346, - "network.protocol": "ipv6-icmp", - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 748, - "related.ip": [ - "10.104.110.134" - ], - "rsa.internal.messageid": "011f0005", - "rsa.misc.result": "failure", - "rsa.misc.severity": "very-high", - "rsa.time.event_time": "2017-03-04T13:21:59.000Z", - "service.type": "f5", - "source.ip": "10.104.110.134", - "tags": [ - "f5.bigipapm", - "forwarded" - ], - "url.domain": "www5.example.com", - "url.extension": "html", - "url.fragment": "metco", - "url.original": "https://www5.example.com/olli/rever.html?rsp=oluptat#metco", - "url.path": "/olli/rever.html", - "url.query": "rsp=oluptat", - "url.scheme": "https" - }, - { - "@timestamp": "2017-03-18T20:24:33.000Z", - "event.code": "syslog-ng", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "March 2017/03/18 18:24:33 ptasnula high 
syslog-ng[2638]: ill", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "high", - "log.offset": 3559, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 2638, - "rsa.db.index": "ill", - "rsa.internal.messageid": "syslog-ng", - "rsa.misc.client": "syslog-ng", - "rsa.misc.severity": "high", - "rsa.time.event_time": "2017-03-18T20:24:33.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2017-04-02T03:27:07.000Z", - "event.code": "01490107", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "April 2017/04/02 01:27:07 caboNem medium laudan[7589]: 01490107: :oconse: mag: AD module: authentication with 'tob' failed: Client 'dolores2519.mail.host' not found in Kerberos database, principal name:deF itempo", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "medium", - "log.offset": 3620, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 7589, - "related.hosts": [ - "dolores2519.mail.host" - ], - "related.user": [ - "tob" - ], - "rsa.db.index": "itempo", - "rsa.internal.messageid": "01490107", - "rsa.misc.log_session_id": "mag", - "rsa.misc.severity": "medium", - "rsa.time.event_time": "2017-04-02T03:27:07.000Z", - "rsa.web.fqdn": "dolores2519.mail.host", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ], - "user.name": "tob" - }, - { - "@timestamp": "2017-04-16T10:29:41.000Z", - "event.code": "01490107", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "April 2017/04/16 08:29:41 meaque high mip[5899]: 01490107: :lamc: mvolupta: AD module: authentication with 'Utenima' failed: Clients credentials have been revoked, principal name: iqua@luptat2979.internal.local. 
unknown cididu", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "high", - "log.offset": 3833, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 5899, - "related.hosts": [ - "luptat2979.internal.local" - ], - "related.user": [ - "iqua" - ], - "rsa.internal.messageid": "01490107", - "rsa.misc.log_session_id": "mvolupta", - "rsa.misc.result": "unknown", - "rsa.misc.severity": "high", - "rsa.time.event_time": "2017-04-16T10:29:41.000Z", - "rsa.web.fqdn": "luptat2979.internal.local", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ], - "user.name": "iqua" - }, - { - "@timestamp": "2017-04-30T17:32:16.000Z", - "event.code": "01490166", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "April 2017/04/30 15:32:16 atDuis medium nisiut: 01490166: :rumwri: Current snapshot ID: velill retrieved from session db for access profile: ore", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "medium", - "log.offset": 4060, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "rsa.internal.messageid": "01490166", - "rsa.misc.severity": "medium", - "rsa.time.event_time": "2017-04-30T17:32:16.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2017-05-15T00:34:50.000Z", - "event.code": "0149016b", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "May 2017/05/14 22:34:50 uptat high amquisno: 0149016b: :uido: Completed snapshot creation: tla for access profile: mquiad", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "high", - "log.offset": 4205, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "rsa.internal.messageid": "0149016b", - "rsa.misc.severity": "high", - "rsa.time.event_time": "2017-05-15T00:34:50.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - 
"forwarded" - ] - }, - { - "@timestamp": "2017-05-29T07:37:24.000Z", - "event.action": "accept", - "event.code": "01490514", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "May 2017/05/29 05:37:24 atur very-high ditau[4727]: 01490514: :piscivel: hend: Access encountered error: success. File: cepteur, Function: accept, Line: maliqu", - "file.name": "cepteur", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "very-high", - "log.offset": 4327, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 4727, - "rsa.internal.messageid": "01490514", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.result": "success", - "rsa.misc.severity": "very-high", - "rsa.time.event_time": "2017-05-29T07:37:24.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2017-06-12T14:39:58.000Z", - "event.code": "01490501", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "June 2017/06/12 12:39:58 acon very-high sun[5971]: 01490501: :labori: porai: umiure", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "very-high", - "log.offset": 4487, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 5971, - "rsa.internal.event_desc": "umiure", - "rsa.internal.messageid": "01490501", - "rsa.misc.log_session_id": "porai", - "rsa.misc.severity": "very-high", - "rsa.time.event_time": "2017-06-12T14:39:58.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2017-06-26T21:42:33.000Z", - "destination.ip": "10.169.101.161", - "event.code": "01490500", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "June 2017/06/26 19:42:33 eufug low uido[4318]: 01490500: :ici: snulap: New session from client IP 10.122.204.151 (ST=writte/CC=sitvo/C=ine) at VIP 10.169.101.161 Listener itessequ", - 
"fileset.name": "bigipapm", - "geo.city_name": "ine", - "geo.country_name": "sitvo", - "geo.region_name": "writte", - "input.type": "log", - "log.level": "low", - "log.offset": 4571, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 4318, - "related.ip": [ - "10.122.204.151", - "10.169.101.161" - ], - "rsa.internal.messageid": "01490500", - "rsa.misc.log_session_id": "snulap", - "rsa.misc.severity": "low", - "rsa.time.event_time": "2017-06-26T21:42:33.000Z", - "service.type": "f5", - "source.ip": "10.122.204.151", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2017-07-11T04:45:07.000Z", - "event.code": "01490113", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "July 2017/07/11 02:45:07 udan low essequam[3682]: 01490113: :urQuis: etcon: session.server.network.protocol is onsequu", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "low", - "log.offset": 4751, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 3682, - "rsa.internal.messageid": "01490113", - "rsa.misc.log_session_id": "etcon", - "rsa.misc.severity": "low", - "rsa.network.network_service": "onsequu", - "rsa.time.event_time": "2017-07-11T04:45:07.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2017-07-25T11:47:41.000Z", - "event.code": "01490013", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "July 2017/07/25 09:47:41 gelitse very-high arc[2412]: 01490013: :radip: upta: AD agent: Retrieving AAA server: tetura", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "very-high", - "log.offset": 4870, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 2412, - "rsa.internal.messageid": "01490013", - "rsa.misc.log_session_id": "upta", - "rsa.misc.severity": "very-high", - 
"rsa.time.event_time": "2017-07-25T11:47:41.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2017-08-08T18:50:15.000Z", - "event.code": "01490517", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "August 2017/08/08 16:50:15 imavenia low mquido[5899]: 01490517: :rnat: rur: success", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "low", - "log.offset": 4988, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 5899, - "rsa.internal.messageid": "01490517", - "rsa.misc.log_session_id": "rur", - "rsa.misc.result": "success", - "rsa.misc.severity": "low", - "rsa.time.event_time": "2017-08-08T18:50:15.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2017-08-23T01:52:50.000Z", - "event.code": "01420002", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "August 2017/08/22 23:52:50 nonn high met[1580]: 01420002: : AUDIT - pid=2037 user=ptate folder=entsu module=conse status=failure cmd_data=ntut", - "file.directory": "entsu", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "high", - "log.offset": 5072, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.parent.pid": 2037, - "process.pid": 1580, - "related.user": [ - "ptate" - ], - "rsa.db.index": "ntut", - "rsa.internal.messageid": "01420002", - "rsa.misc.client": "met", - "rsa.misc.result": "failure", - "rsa.misc.severity": "high", - "rsa.time.event_time": "2017-08-23T01:52:50.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ], - "user.name": "ptate" - }, - { - "@timestamp": "2017-09-06T08:55:24.000Z", - "event.code": "01490549", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "September 2017/09/06 06:55:24 iconsequ high idunt[571]: 01490549: :siuta: atev: Assigned 
PPP Dynamic IPv4: 10.6.32.7 Tunnel Type: exerci inesciu Resource: quid Client IP: 10.198.70.58 - orem", - "fileset.name": "bigipapm", - "group.name": "exerci", - "input.type": "log", - "log.level": "high", - "log.offset": 5215, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 571, - "related.ip": [ - "10.198.70.58", - "10.6.32.7" - ], - "rsa.internal.messageid": "01490549", - "rsa.misc.group": "exerci", - "rsa.misc.log_session_id": "atev", - "rsa.misc.rule_name": "quid", - "rsa.misc.severity": "high", - "rsa.time.event_time": "2017-09-06T08:55:24.000Z", - "rule.name": "quid", - "service.type": "f5", - "source.ip": "10.198.70.58", - "source.nat.ip": "10.6.32.7", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2017-09-20T15:57:58.000Z", - "event.code": "01260009", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "September 2017/09/20 13:57:58 reetdo medium lup[5051]: 01260009: :eos: Connection error:ipitlabo", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "medium", - "log.offset": 5406, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 5051, - "rsa.internal.event_desc": "ipitlabo", - "rsa.internal.messageid": "01260009", - "rsa.misc.severity": "medium", - "rsa.time.event_time": "2017-09-20T15:57:58.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2017-10-04T23:00:32.000Z", - "event.code": "syslog-ng", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "October 2017/10/04 21:00:32 reprehen very-high syslog-ng[6438]: imid", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "very-high", - "log.offset": 5503, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 6438, - "rsa.db.index": "imid", - "rsa.internal.messageid": "syslog-ng", - 
"rsa.misc.client": "syslog-ng", - "rsa.misc.severity": "very-high", - "rsa.time.event_time": "2017-10-04T23:00:32.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2017-10-19T06:03:07.000Z", - "event.code": "01490128", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "October 2017/10/19 04:03:07 sunt very-high aturQu[7083]: 01490128: :tDuis: iqu: Webtop oriosamn assigned", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "very-high", - "log.offset": 5572, - "network.application": "oriosamn", - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 7083, - "rsa.internal.messageid": "01490128", - "rsa.misc.log_session_id": "iqu", - "rsa.misc.severity": "very-high", - "rsa.time.event_time": "2017-10-19T06:03:07.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2017-11-02T13:05:41.000Z", - "event.code": "01490004", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "November 2017/11/02 11:05:41 iquip very-high sedquian[4212]: 01490004: :etdolore: magnaa: Executed agent 'sumquiad', return value iusmodt", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "very-high", - "log.offset": 5677, - "network.application": "sumquiad", - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 4212, - "rsa.internal.messageid": "01490004", - "rsa.misc.result_code": "iusmodt", - "rsa.misc.severity": "very-high", - "rsa.time.event_time": "2017-11-02T13:05:41.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2017-11-16T20:08:15.000Z", - "event.code": "01490538", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "November 2017/11/16 18:08:15 equam low eaqueip[5207]: 01490538: :aevitaed: byCic: Configuration snapshot 
deleted by Access.", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "low", - "log.offset": 5815, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 5207, - "rsa.internal.messageid": "01490538", - "rsa.misc.severity": "low", - "rsa.time.event_time": "2017-11-16T20:08:15.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2017-12-01T03:10:49.000Z", - "event.code": "01490506", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "December 2017/12/01 01:10:49 xerc high eturad[1760]: 01490506: :nvol: enimadmi: Received User-Agent header: mobmail android 2.1.3.3150", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "high", - "log.offset": 5939, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 1760, - "rsa.internal.messageid": "01490506", - "rsa.misc.log_session_id": "enimadmi", - "rsa.misc.severity": "high", - "rsa.time.event_time": "2017-12-01T03:10:49.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ], - "user_agent.device.name": "Other", - "user_agent.name": "Other", - "user_agent.original": "mobmail android 2.1.3.3150" - }, - { - "@timestamp": "2017-12-15T10:13:24.000Z", - "event.code": "01490538", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "December 2017/12/15 08:13:24 sumdolo medium rors[1935]: 01490538: :oremque: quaU: Configuration snapshot deleted by Access.", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "medium", - "log.offset": 6074, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 1935, - "rsa.internal.messageid": "01490538", - "rsa.misc.severity": "medium", - "rsa.time.event_time": "2017-12-15T10:13:24.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - 
"@timestamp": "2017-12-29T17:15:58.000Z", - "event.code": "0149016a", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "December 2017/12/29 15:15:58 ioff medium quioff: 0149016a: :iuntN: Initiating snapshot creation: ipis for access profile: itautfu", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "medium", - "log.offset": 6198, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "rsa.internal.messageid": "0149016a", - "rsa.misc.severity": "medium", - "rsa.time.event_time": "2017-12-29T17:15:58.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2018-01-13T00:18:32.000Z", - "event.code": "01490005", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "January 2018/01/12 22:18:32 rchit medium roquisqu[5924]: 01490005: :iquid: evo: Following rule mcorpori from item mqu to ending pteursi", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "medium", - "log.offset": 6328, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 5924, - "rsa.internal.messageid": "01490005", - "rsa.misc.log_session_id": "evo", - "rsa.misc.severity": "medium", - "rsa.time.event_time": "2018-01-13T00:18:32.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2018-01-27T07:21:06.000Z", - "event.code": "01490128", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "January 2018/01/27 05:21:06 itessequ low fdeFinib[2580]: 01490128: :sumd: sectetur: Webtop edquian assigned", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "low", - "log.offset": 6464, - "network.application": "edquian", - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 2580, - "rsa.internal.messageid": "01490128", - "rsa.misc.log_session_id": 
"sectetur", - "rsa.misc.severity": "low", - "rsa.time.event_time": "2018-01-27T07:21:06.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2018-02-10T14:23:41.000Z", - "event.code": "0149016a", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "February 2018/02/10 12:23:41 quiav low rit: 0149016a: :eumfu: Initiating snapshot creation: lors for access profile: oluptat", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "low", - "log.offset": 6572, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "rsa.internal.messageid": "0149016a", - "rsa.misc.severity": "low", - "rsa.time.event_time": "2018-02-10T14:23:41.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2018-02-24T21:26:15.000Z", - "event.code": "01420002", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "February 2018/02/24 19:26:15 oeiusmo very-high cusanti[5019]: 01420002: : AUDIT - pid=4996 user=rem folder=tseddoei module=teursint status=success cmd_data=remagnaa", - "file.directory": "tseddoei", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "very-high", - "log.offset": 6697, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.parent.pid": 4996, - "process.pid": 5019, - "related.user": [ - "rem" - ], - "rsa.db.index": "remagnaa", - "rsa.internal.messageid": "01420002", - "rsa.misc.client": "cusanti", - "rsa.misc.result": "success", - "rsa.misc.severity": "very-high", - "rsa.time.event_time": "2018-02-24T21:26:15.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ], - "user.name": "rem" - }, - { - "@timestamp": "2018-03-11T04:28:49.000Z", - "event.code": "0149016b", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "March 2018/03/11 02:28:49 ore low ovolupta: 0149016b: 
:volup: Completed snapshot creation: macc for access profile: ria", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "low", - "log.offset": 6862, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "rsa.internal.messageid": "0149016b", - "rsa.misc.severity": "low", - "rsa.time.event_time": "2018-03-11T04:28:49.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2018-03-25T11:31:24.000Z", - "event.code": "01490549", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "March 2018/03/25 09:31:24 uisau high irat[2943]: 01490549: :emsequi: ueporroq: Assigned PPP Dynamic IPv4: 10.142.213.80 Tunnel Type: tationu gnaaliq Resource: olore Client IP: 10.16.181.60 - ameaquei", - "fileset.name": "bigipapm", - "group.name": "tationu", - "input.type": "log", - "log.level": "high", - "log.offset": 6982, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 2943, - "related.ip": [ - "10.142.213.80", - "10.16.181.60" - ], - "rsa.internal.messageid": "01490549", - "rsa.misc.group": "tationu", - "rsa.misc.log_session_id": "ueporroq", - "rsa.misc.rule_name": "olore", - "rsa.misc.severity": "high", - "rsa.time.event_time": "2018-03-25T11:31:24.000Z", - "rule.name": "olore", - "service.type": "f5", - "source.ip": "10.16.181.60", - "source.nat.ip": "10.142.213.80", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2018-04-08T18:33:58.000Z", - "event.code": "syslog-ng", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "April 2018/04/08 16:33:58 liq low mvolupta: syslog-ng: ", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "low", - "log.offset": 7182, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "rsa.db.index": "syslog-ng:", - "rsa.internal.messageid": "syslog-ng", - "rsa.misc.client": 
"mvolupta", - "rsa.misc.severity": "low", - "rsa.time.event_time": "2018-04-08T18:33:58.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2018-04-23T01:36:32.000Z", - "event.code": "01490101", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "April 2018/04/22 23:36:32 exe high illum[2625]: 01490101: :emi: reprehen: Access profile: tvol configuration has been applied. Newly active generation count is: 5959", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "high", - "log.offset": 7238, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 2625, - "rsa.counters.dclass_c1": 5959, - "rsa.counters.dclass_c1_str": "Newly active generation count", - "rsa.internal.messageid": "01490101", - "rsa.misc.log_session_id": "reprehen", - "rsa.misc.severity": "high", - "rsa.time.event_time": "2018-04-23T01:36:32.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2018-05-07T08:39:06.000Z", - "destination.ip": "10.47.99.72", - "event.code": "01490500", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "May 2018/05/07 06:39:06 iumt medium nulapari[1973]: 01490500: :tsunt: rnat:oremi:ectobeat: New session from client IP 10.187.64.126 (ST=uasiarch/CC=Malor/C=boriosa) at VIP 10.47.99.72 Listener upt (Reputation=oremipsu)", - "fileset.name": "bigipapm", - "geo.city_name": "boriosa", - "geo.country_name": "Malor", - "geo.region_name": "uasiarch", - "input.type": "log", - "log.level": "medium", - "log.offset": 7404, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 1973, - "related.ip": [ - "10.187.64.126", - "10.47.99.72" - ], - "rsa.internal.messageid": "01490500", - "rsa.misc.category": "oremipsu", - "rsa.misc.log_session_id": "ectobeat", - "rsa.misc.severity": "medium", - "rsa.time.event_time": 
"2018-05-07T08:39:06.000Z", - "service.type": "f5", - "source.ip": "10.187.64.126", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2018-05-21T15:41:41.000Z", - "event.code": "auditd", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "May 2018/05/21 13:41:41 sint low auditd[3376]: ctobeat", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "low", - "log.offset": 7623, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 3376, - "rsa.db.index": "ctobeat", - "rsa.internal.messageid": "auditd", - "rsa.misc.client": "auditd", - "rsa.misc.severity": "low", - "rsa.time.event_time": "2018-05-21T15:41:41.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2018-06-04T22:44:15.000Z", - "event.code": "syslog-ng", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "June 2018/06/04 20:44:15 lorumw high tdolo[3872]: syslog-ng: ", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "high", - "log.offset": 7678, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 3872, - "rsa.db.index": "syslog-ng:", - "rsa.internal.messageid": "syslog-ng", - "rsa.misc.client": "tdolo", - "rsa.misc.severity": "high", - "rsa.time.event_time": "2018-06-04T22:44:15.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2018-06-19T05:46:49.000Z", - "event.code": "014d0044", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "June 2018/06/19 03:46:49 namaliqu medium aeca[4543]: 014d0044: :autemv: sciveli", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "medium", - "log.offset": 7740, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 4543, - "rsa.db.index": "sciveli", - 
"rsa.internal.messageid": "014d0044", - "rsa.misc.severity": "medium", - "rsa.time.event_time": "2018-06-19T05:46:49.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2018-07-03T12:49:23.000Z", - "event.code": "01260009", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "July 2018/07/03 10:49:23 piciati medium ntin[4646]: 01260009: :rcitat: Connection error:cinge", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "medium", - "log.offset": 7820, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 4646, - "rsa.internal.event_desc": "cinge", - "rsa.internal.messageid": "01260009", - "rsa.misc.severity": "medium", - "rsa.time.event_time": "2018-07-03T12:49:23.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2018-07-17T19:51:58.000Z", - "event.code": "01490142", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "July 2018/07/17 17:51:58 iqui low litani[3126]: 01490142: :itanimi: onoru: data", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "low", - "log.offset": 7914, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 3126, - "rsa.internal.event_desc": "data", - "rsa.internal.messageid": "01490142", - "rsa.misc.log_session_id": "onoru", - "rsa.misc.severity": "low", - "rsa.time.event_time": "2018-07-17T19:51:58.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2018-08-01T02:54:32.000Z", - "event.code": "01490079", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "August 2018/08/01 00:54:32 uptatem high ruredol: 01490079: :iadeseru: loremagn: Access policy 'acons' configuration has changed.Access profile 'nimadmi' configuration changes need to be applied for the new configuration", - 
"fileset.name": "bigipapm", - "input.type": "log", - "log.level": "high", - "log.offset": 7994, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "rsa.internal.messageid": "01490079", - "rsa.misc.log_session_id": "loremagn", - "rsa.misc.severity": "high", - "rsa.time.event_time": "2018-08-01T02:54:32.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2018-08-15T09:57:06.000Z", - "event.code": "01490167", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "August 2018/08/15 07:57:06 lupt very-high eavolupt: 01490167: :uipe: Current snapshot ID: ipsa updated inside session db for access profile: con", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "very-high", - "log.offset": 8214, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "rsa.internal.messageid": "01490167", - "rsa.misc.severity": "very-high", - "rsa.time.event_time": "2018-08-15T09:57:06.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2018-08-29T16:59:40.000Z", - "event.code": "01490008", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "August 2018/08/29 14:59:40 nesciu low ssequ[4877]: 01490008: :emse: emqui: Connectivity resource cipitla assigned", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "low", - "log.offset": 8359, - "network.application": "cipitla", - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 4877, - "rsa.internal.messageid": "01490008", - "rsa.misc.log_session_id": "emqui", - "rsa.misc.severity": "low", - "rsa.time.event_time": "2018-08-29T16:59:40.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2018-09-13T00:02:15.000Z", - "event.code": "01490102", - "event.dataset": "f5.bigipapm", - 
"event.module": "f5", - "event.original": "September 2018/09/12 22:02:15 ionevo high ptate[52]: 01490102: :uira: todita: Access policy result: failure", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "high", - "log.offset": 8473, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 52, - "rsa.internal.messageid": "01490102", - "rsa.misc.log_session_id": "todita", - "rsa.misc.result": "failure", - "rsa.misc.severity": "high", - "rsa.time.event_time": "2018-09-13T00:02:15.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2018-09-27T07:04:49.000Z", - "event.code": "01490113", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "September 2018/09/27 05:04:49 iqu low tatis[7767]: 01490113: :reeufugi: sequines: session.server.network.protocol is minimve", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "low", - "log.offset": 8581, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 7767, - "rsa.internal.messageid": "01490113", - "rsa.misc.log_session_id": "sequines", - "rsa.misc.severity": "low", - "rsa.network.network_service": "minimve", - "rsa.time.event_time": "2018-09-27T07:04:49.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2018-10-11T14:07:23.000Z", - "event.code": "014d0002", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "October 2018/10/11 12:07:23 aborio low setquas: 014d0002: :nbyCi: runtmoll: SSOv2 Logon failed, config busBon form norumetM", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "low", - "log.offset": 8706, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "rsa.internal.messageid": "014d0002", - "rsa.misc.disposition": "Failed", - "rsa.misc.log_session_id": "runtmoll", - 
"rsa.misc.severity": "low", - "rsa.time.event_time": "2018-10-11T14:07:23.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2018-10-25T21:09:57.000Z", - "event.code": "01490113", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "October 2018/10/25 19:09:57 billoinv high deomn[904]: 01490113: :mali: roinBCSe: session.server.network.port is 3959", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "high", - "log.offset": 8830, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 904, - "rsa.internal.messageid": "01490113", - "rsa.misc.log_session_id": "roinBCSe", - "rsa.misc.severity": "high", - "rsa.network.network_port": 3959, - "rsa.time.event_time": "2018-10-25T21:09:57.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2018-11-09T04:12:32.000Z", - "event.code": "01490079", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "November 2018/11/09 02:12:32 rch high sedd: 01490079: :atione: tvolup: Access policy 'oremeu' configuration has changed.Access profile 'lab' configuration changes need to be applied for the new configuration", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "high", - "log.offset": 8947, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "rsa.internal.messageid": "01490079", - "rsa.misc.log_session_id": "tvolup", - "rsa.misc.severity": "high", - "rsa.time.event_time": "2018-11-09T04:12:32.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2018-11-23T11:15:06.000Z", - "event.code": "01490538", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "November 2018/11/23 09:15:06 urau medium upt[4762]: 01490538: :itaedict: eroi: Configuration snapshot deleted by Access.", - 
"fileset.name": "bigipapm", - "input.type": "log", - "log.level": "medium", - "log.offset": 9155, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 4762, - "rsa.internal.messageid": "01490538", - "rsa.misc.severity": "medium", - "rsa.time.event_time": "2018-11-23T11:15:06.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2018-12-07T18:17:40.000Z", - "event.code": "01490113", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "December 2018/12/07 16:17:40 reetdo low nidol[4345]: 01490113: :writtenb: atevelit: session.server.listener.name is ugitsed", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "low", - "log.offset": 9276, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 4345, - "rsa.internal.messageid": "01490113", - "rsa.misc.log_session_id": "atevelit", - "rsa.misc.severity": "low", - "rsa.time.event_time": "2018-12-07T18:17:40.000Z", - "service.name": "ugitsed", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2018-12-22T01:20:14.000Z", - "event.code": "01490102", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "December 2018/12/21 23:20:14 uatDuisa high ano[4054]: 01490102: :uunturm: iatn: Access policy result: unknown", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "high", - "log.offset": 9400, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 4054, - "rsa.internal.messageid": "01490102", - "rsa.misc.log_session_id": "iatn", - "rsa.misc.result": "unknown", - "rsa.misc.severity": "high", - "rsa.time.event_time": "2018-12-22T01:20:14.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2019-01-05T08:22:49.000Z", - "event.code": "01490113", - 
"event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "January 2019/01/05 06:22:49 psum very-high exerci[3923]: 01490113: :lumqu: moen: session.oinvento", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "very-high", - "log.offset": 9510, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 3923, - "rsa.db.index": "oinvento", - "rsa.internal.messageid": "01490113", - "rsa.misc.log_session_id": "moen", - "rsa.misc.severity": "very-high", - "rsa.time.event_time": "2019-01-05T08:22:49.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2019-01-19T15:25:23.000Z", - "event.action": "block", - "event.code": "crond", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "January 2019/01/19 13:25:23 volup very-high crond[4071]: (iconsequ) CMD (block)", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "very-high", - "log.offset": 9608, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 4071, - "related.user": [ - "iconsequ" - ], - "rsa.internal.messageid": "crond", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.client": "crond", - "rsa.misc.severity": "very-high", - "rsa.time.event_time": "2019-01-19T15:25:23.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ], - "user.name": "iconsequ" - }, - { - "@timestamp": "2019-02-02T22:27:57.000Z", - "event.code": "01490008", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "February 2019/02/02 20:27:57 archite high rem[6473]: 01490008: :emp: inBC: Connectivity resource did assigned", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "high", - "log.offset": 9688, - "network.application": "did", - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 6473, - 
"rsa.internal.messageid": "01490008", - "rsa.misc.log_session_id": "inBC", - "rsa.misc.severity": "high", - "rsa.time.event_time": "2019-02-02T22:27:57.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2019-02-17T05:30:32.000Z", - "event.code": "0149016a", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "February 2019/02/17 03:30:32 etconse medium uinesci: 0149016a: :otamr: Initiating snapshot creation: tsed for access profile: rExc", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "medium", - "log.offset": 9798, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "rsa.internal.messageid": "0149016a", - "rsa.misc.severity": "medium", - "rsa.time.event_time": "2019-02-17T05:30:32.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2019-03-03T12:33:06.000Z", - "event.code": "01490501", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "March 2019/03/03 10:33:06 omnisis very-high uptatema[7023]: 01490501: :stiaec: Cicero: ven", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "very-high", - "log.offset": 9929, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 7023, - "rsa.internal.event_desc": "ven", - "rsa.internal.messageid": "01490501", - "rsa.misc.log_session_id": "Cicero", - "rsa.misc.severity": "very-high", - "rsa.time.event_time": "2019-03-03T12:33:06.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2019-03-17T19:35:40.000Z", - "event.code": "011f0005", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "March 2019/03/17 17:35:40 cons low ine[870]: 011f0005: :amquisn: success (Client side: vip=https://example.net/equamn/scipi.txt?eiu=maliquam#gnama profile=rdp pool=squamest 
client_ip=10.24.113.101)", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "low", - "log.offset": 10020, - "network.protocol": "rdp", - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 870, - "related.ip": [ - "10.24.113.101" - ], - "rsa.internal.messageid": "011f0005", - "rsa.misc.result": "success", - "rsa.misc.severity": "low", - "rsa.time.event_time": "2019-03-17T19:35:40.000Z", - "service.type": "f5", - "source.ip": "10.24.113.101", - "tags": [ - "f5.bigipapm", - "forwarded" - ], - "url.domain": "example.net", - "url.extension": "txt", - "url.fragment": "gnama", - "url.original": "https://example.net/equamn/scipi.txt?eiu=maliquam#gnama", - "url.path": "/equamn/scipi.txt", - "url.query": "eiu=maliquam", - "url.scheme": "https" - }, - { - "@timestamp": "2019-04-01T02:38:14.000Z", - "event.code": "014d0044", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "April 2019/04/01 00:38:14 uelaudan low teiru[4918]: 014d0044: :orinrep: pta", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "low", - "log.offset": 10218, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 4918, - "rsa.db.index": "pta", - "rsa.internal.messageid": "014d0044", - "rsa.misc.severity": "low", - "rsa.time.event_time": "2019-04-01T02:38:14.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2019-04-15T09:40:49.000Z", - "destination.bytes": 6092, - "event.code": "01490521", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "April 2019/04/15 07:40:49 sis very-high rchite[7405]: 01490521: :rvelill: rors: Session statistics - bytes in:6092, bytes out: 1363", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "very-high", - "log.offset": 10294, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - 
"process.pid": 7405, - "rsa.internal.messageid": "01490521", - "rsa.misc.log_session_id": "rors", - "rsa.misc.severity": "very-high", - "rsa.time.event_time": "2019-04-15T09:40:49.000Z", - "service.type": "f5", - "source.bytes": 1363, - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2019-04-29T16:43:23.000Z", - "event.action": "cancel", - "event.code": "CROND", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "April 2019/04/29 14:43:23 Nequepo high CROND[2977]: (emac) CMD (cancel)", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "high", - "log.offset": 10426, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 2977, - "related.user": [ - "emac" - ], - "rsa.internal.messageid": "CROND", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.client": "CROND", - "rsa.misc.severity": "high", - "rsa.time.event_time": "2019-04-29T16:43:23.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ], - "user.name": "emac" - }, - { - "@timestamp": "2019-05-13T23:45:57.000Z", - "event.code": "0149016b", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "May 2019/05/13 21:45:57 isci high ugiatn: 0149016b: :squa: Completed snapshot creation: deseru for access profile: aquioff", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "high", - "log.offset": 10498, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "rsa.internal.messageid": "0149016b", - "rsa.misc.severity": "high", - "rsa.time.event_time": "2019-05-13T23:45:57.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2019-05-28T06:48:31.000Z", - "event.code": "01490106", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "May 2019/05/28 04:48:31 onsequat high giatq[7733]: 01490106: :imad: tura: AD module: authentication 
with 'equuntur' failed: Preauthentication failed, principal name: rve. success mqua", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "high", - "log.offset": 10621, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 7733, - "related.user": [ - "equuntur" - ], - "rsa.internal.messageid": "01490106", - "rsa.misc.log_session_id": "tura", - "rsa.misc.result": "success", - "rsa.misc.severity": "high", - "rsa.time.event_time": "2019-05-28T06:48:31.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ], - "user.name": "equuntur" - }, - { - "@timestamp": "2019-06-11T13:51:06.000Z", - "event.code": "01490008", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "June 2019/06/11 11:51:06 utlabore very-high exea[2867]: 01490008: :amquisn: itquii: Connectivity resource imaven assigned", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "very-high", - "log.offset": 10805, - "network.application": "imaven", - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 2867, - "rsa.internal.messageid": "01490008", - "rsa.misc.log_session_id": "itquii", - "rsa.misc.severity": "very-high", - "rsa.time.event_time": "2019-06-11T13:51:06.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2019-06-25T20:53:40.000Z", - "event.code": "01490511", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "June 2019/06/25 18:53:40 lloinve low nim[7673]: 01490511: :edquiac: psamvolu: Initializing Access profile teturad with max concurrent user sessions limit: 7783", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "low", - "log.offset": 10927, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 7673, - "rsa.counters.dclass_c1": 7783, - "rsa.counters.dclass_c1_str": " 
Max Concurrent User Sessions Limit", - "rsa.internal.messageid": "01490511", - "rsa.misc.log_session_id": "psamvolu", - "rsa.misc.severity": "low", - "rsa.time.event_time": "2019-06-25T20:53:40.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2019-07-10T03:56:14.000Z", - "event.code": "01490000", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "July 2019/07/10 01:56:14 tatemse low vitae[72]: 01490000: :samvolu: dip", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "low", - "log.offset": 11087, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 72, - "rsa.internal.event_desc": "dip", - "rsa.internal.messageid": "01490000", - "rsa.misc.severity": "low", - "rsa.time.event_time": "2019-07-10T03:56:14.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2019-07-24T10:58:48.000Z", - "event.code": "01490007", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "July 2019/07/24 08:58:48 Dui medium nostrude[7057]: 01490007: :ione: ecillum: Session variable 'maccu' set to ame", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "medium", - "log.offset": 11159, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 7057, - "rsa.internal.messageid": "01490007", - "rsa.misc.change_attrib": "maccu", - "rsa.misc.change_new": "ame", - "rsa.misc.log_session_id": "ecillum", - "rsa.misc.severity": "medium", - "rsa.time.event_time": "2019-07-24T10:58:48.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2019-08-07T18:01:23.000Z", - "destination.bytes": 2132, - "event.code": "01490521", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "August 2019/08/07 16:01:23 reprehe medium enimipsa[2698]: 01490521: 
:samn: quisnos: Session statistics - bytes in:2132, bytes out: 2552", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "medium", - "log.offset": 11273, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 2698, - "rsa.internal.messageid": "01490521", - "rsa.misc.log_session_id": "quisnos", - "rsa.misc.severity": "medium", - "rsa.time.event_time": "2019-08-07T18:01:23.000Z", - "service.type": "f5", - "source.bytes": 2552, - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2019-08-22T01:03:57.000Z", - "event.code": "01490019", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "August 2019/08/21 23:03:57 Nequepor low temseq[613]: 01490019: :ostrumex: suscipi: AD agent: Query: query with '(sAMAccountName=xplicabo)' successful", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "low", - "log.offset": 11409, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 613, - "related.user": [ - "xplicabo" - ], - "rsa.internal.messageid": "01490019", - "rsa.misc.disposition": " Successful", - "rsa.misc.log_session_id": "suscipi", - "rsa.misc.severity": "low", - "rsa.time.event_time": "2019-08-22T01:03:57.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ], - "user.name": "xplicabo" - }, - { - "@timestamp": "2019-09-05T08:06:31.000Z", - "event.code": "01490544", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "September 2019/09/05 06:06:31 ameaquei very-high uelaud[1306]: 01490544: :ameiu: utei: Received client info - https://internal.example.net/lumquid/oluptat.jpg?equepor=iosamn#erspicia", - "fileset.name": "bigipapm", - "http.request.referrer": "https://internal.example.net/lumquid/oluptat.jpg?equepor=iosamn#erspicia", - "input.type": "log", - "log.level": "very-high", - "log.offset": 11559, - "observer.product": "Big-IP", - 
"observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 1306, - "rsa.internal.messageid": "01490544", - "rsa.misc.log_session_id": "utei", - "rsa.misc.severity": "very-high", - "rsa.time.event_time": "2019-09-05T08:06:31.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2019-09-19T15:09:05.000Z", - "event.code": "01490079", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "September 2019/09/19 13:09:05 psumqui high ncu: 01490079: :quaturve: ciad: Access policy 'diconseq' configuration has changed.Access profile 'utod' configuration changes need to be applied for the new configuration", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "high", - "log.offset": 11742, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "rsa.internal.messageid": "01490079", - "rsa.misc.log_session_id": "ciad", - "rsa.misc.severity": "high", - "rsa.time.event_time": "2019-09-19T15:09:05.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2019-10-03T22:11:40.000Z", - "event.code": "01490013", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "October 2019/10/03 20:11:40 giatquo low dipisciv[5944]: 01490013: :atquo: umetMa: AD agent: Retrieving AAA server: ngelitse", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "low", - "log.offset": 11957, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 5944, - "rsa.internal.messageid": "01490013", - "rsa.misc.log_session_id": "umetMa", - "rsa.misc.severity": "low", - "rsa.time.event_time": "2019-10-03T22:11:40.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2019-10-18T05:14:14.000Z", - "event.action": "deny", - "event.code": "Rule", - "event.dataset": "f5.bigipapm", - "event.module": "f5", 
- "event.original": "October 2019/10/18 03:14:14 tem very-high giatnula[71]: Rule: enimadmi <: APM_EVENT=deny | aecon | sedq ***failure***", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "very-high", - "log.offset": 12081, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 71, - "related.user": [ - "aecon" - ], - "rsa.internal.event_desc": "qui", - "rsa.internal.messageid": "Rule", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.misc.rule_name": "enimadmi", - "rsa.misc.severity": "very-high", - "rsa.time.event_time": "2019-10-18T05:14:14.000Z", - "rule.name": "enimadmi", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ], - "user.name": "aecon" - }, - { - "@timestamp": "2019-11-01T12:16:48.000Z", - "event.code": "syslog-ng", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "November 2019/11/01 10:16:48 erc low tasnu: [syslog-ng]", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "low", - "log.offset": 12204, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "rsa.db.index": "[syslog-ng]", - "rsa.internal.messageid": "syslog-ng", - "rsa.misc.client": "tasnu", - "rsa.misc.severity": "low", - "rsa.time.event_time": "2019-11-01T12:16:48.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2019-11-15T19:19:22.000Z", - "event.code": "01490019", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "November 2019/11/15 17:19:22 ationevo very-high datatno[3538]: 01490019: :siar: orisnis: AD agent: Query: query with '(sAMAccountName=texp)' successful", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "very-high", - "log.offset": 12260, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 3538, - "related.user": [ - "texp" - 
], - "rsa.internal.messageid": "01490019", - "rsa.misc.disposition": " Successful", - "rsa.misc.log_session_id": "orisnis", - "rsa.misc.severity": "very-high", - "rsa.time.event_time": "2019-11-15T19:19:22.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ], - "user.name": "texp" - }, - { - "@timestamp": "2019-11-30T02:21:57.000Z", - "event.code": "sSMTP", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "November 2019/11/30 00:21:57 pidat very-high sSMTP[6673]: ptateve", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "very-high", - "log.offset": 12412, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 6673, - "rsa.db.index": "ptateve", - "rsa.internal.messageid": "sSMTP", - "rsa.misc.client": "sSMTP", - "rsa.misc.severity": "very-high", - "rsa.time.event_time": "2019-11-30T02:21:57.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ] - }, - { - "@timestamp": "2019-12-14T09:24:31.000Z", - "event.action": "allow", - "event.code": "01490106", - "event.dataset": "f5.bigipapm", - "event.module": "f5", - "event.original": "December 2019/12/14 07:24:31 olupta medium oremagn[2121]: 01490106: :itseddo: uptatev: AD module: authentication with 'oditem' failed in allow: Preauthentication failed, principal name: inimaven. 
failure olor", - "fileset.name": "bigipapm", - "input.type": "log", - "log.level": "medium", - "log.offset": 12478, - "observer.product": "Big-IP", - "observer.type": "Access", - "observer.vendor": "F5", - "process.pid": 2121, - "related.user": [ - "oditem" - ], - "rsa.internal.messageid": "01490106", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.log_session_id": "uptatev", - "rsa.misc.result": "failure", - "rsa.misc.severity": "medium", - "rsa.time.event_time": "2019-12-14T09:24:31.000Z", - "service.type": "f5", - "tags": [ - "f5.bigipapm", - "forwarded" - ], - "user.name": "oditem" - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/f5/fields.go b/x-pack/filebeat/module/f5/fields.go deleted file mode 100644 index ca33378c321..00000000000 --- a/x-pack/filebeat/module/f5/fields.go +++ /dev/null @@ -1,23 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. - -package f5 - -import ( - "github.com/elastic/beats/v7/libbeat/asset" -) - -func init() { - if err := asset.SetFields("filebeat", "f5", asset.ModuleFieldsPri, AssetF5); err != nil { - panic(err) - } -} - -// AssetF5 returns asset data. -// This is the base64 encoded zlib format compressed contents of module/f5. -func AssetF5() string { - return "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" -} diff --git a/x-pack/filebeat/modules.d/f5.yml.disabled b/x-pack/filebeat/modules.d/f5.yml.disabled deleted file mode 100644 index cb9399134fe..00000000000 --- a/x-pack/filebeat/modules.d/f5.yml.disabled +++ /dev/null 
@@ -1,41 +0,0 @@ -# Module: f5 -# Docs: https://www.elastic.co/guide/en/beats/filebeat/main/filebeat-module-f5.html - -- module: f5 - bigipapm: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9504 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - - bigipafm: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9528 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local From 6cafc440876ed138e78e12215e2b4da6e2ceccde Mon Sep 17 00:00:00 2001 
From: Panos Koutsovasilis Date: Thu, 15 Feb 2024 13:37:48 +0200 Subject: [PATCH 07/22] feat: remove deprecated fortinet clientendpoint, fortimail, fortimanager --- filebeat/docs/fields.asciidoc | 5427 ----------- filebeat/docs/modules/fortinet.asciidoc | 144 - x-pack/filebeat/filebeat.reference.yml | 57 - .../filebeat/module/fortinet/_meta/config.yml | 57 - .../module/fortinet/_meta/docs.asciidoc | 144 - .../fortinet/clientendpoint/_meta/fields.yml | 2635 ------ .../fortinet/clientendpoint/config/input.yml | 93 - .../clientendpoint/config/liblogparser.js | 2514 ----- .../clientendpoint/config/pipeline.js | 180 - .../clientendpoint/ingest/pipeline.yml | 64 - .../fortinet/clientendpoint/manifest.yml | 31 - .../clientendpoint/test/generated.log | 100 - .../test/generated.log-expected.json | 5781 ------------ x-pack/filebeat/module/fortinet/fields.go | 2 +- .../fortinet/fortimail/_meta/fields.yml | 2635 ------ .../fortinet/fortimail/config/input.yml | 87 - .../fortinet/fortimail/config/liblogparser.js | 2514 ----- .../fortinet/fortimail/config/pipeline.js | 1706 ---- .../fortinet/fortimail/ingest/pipeline.yml | 69 - .../module/fortinet/fortimail/manifest.yml | 31 - .../fortinet/fortimail/test/generated.log | 100 - .../test/generated.log-expected.json | 4091 --------- .../fortinet/fortimanager/_meta/fields.yml | 2635 ------ .../fortinet/fortimanager/config/input.yml | 87 - .../fortimanager/config/liblogparser.js | 2514 ----- .../fortinet/fortimanager/config/pipeline.js | 506 -- .../fortinet/fortimanager/ingest/pipeline.yml | 93 - .../module/fortinet/fortimanager/manifest.yml | 31 - .../fortinet/fortimanager/test/generated.log | 100 - .../test/generated.log-expected.json | 8095 ----------------- .../filebeat/modules.d/fortinet.yml.disabled | 57 - 31 files changed, 1 insertion(+), 42579 deletions(-) delete mode 100644 x-pack/filebeat/module/fortinet/clientendpoint/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml delete 
mode 100644 x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js delete mode 100644 x-pack/filebeat/module/fortinet/clientendpoint/config/pipeline.js delete mode 100644 x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml delete mode 100644 x-pack/filebeat/module/fortinet/clientendpoint/manifest.yml delete mode 100644 x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log delete mode 100644 x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json delete mode 100644 x-pack/filebeat/module/fortinet/fortimail/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/fortinet/fortimail/config/input.yml delete mode 100644 x-pack/filebeat/module/fortinet/fortimail/config/liblogparser.js delete mode 100644 x-pack/filebeat/module/fortinet/fortimail/config/pipeline.js delete mode 100644 x-pack/filebeat/module/fortinet/fortimail/ingest/pipeline.yml delete mode 100644 x-pack/filebeat/module/fortinet/fortimail/manifest.yml delete mode 100644 x-pack/filebeat/module/fortinet/fortimail/test/generated.log delete mode 100644 x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json delete mode 100644 x-pack/filebeat/module/fortinet/fortimanager/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/fortinet/fortimanager/config/input.yml delete mode 100644 x-pack/filebeat/module/fortinet/fortimanager/config/liblogparser.js delete mode 100644 x-pack/filebeat/module/fortinet/fortimanager/config/pipeline.js delete mode 100644 x-pack/filebeat/module/fortinet/fortimanager/ingest/pipeline.yml delete mode 100644 x-pack/filebeat/module/fortinet/fortimanager/manifest.yml delete mode 100644 x-pack/filebeat/module/fortinet/fortimanager/test/generated.log delete mode 100644 x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 2a3ba95ade9..738327f0456 100644 --- a/filebeat/docs/fields.asciidoc 
+++ b/filebeat/docs/fields.asciidoc 
@@ -29080,5433 +29080,6 @@ fortinet Module -*`network.interface.name`*:: -+ --- -Name of the network interface where the traffic has been observed. - - -type: keyword - --- - - - -*`rsa.internal.msg`*:: -+ --- -This key is used to capture the raw message that comes into the Log Decoder - -type: keyword - --- - -*`rsa.internal.messageid`*:: -+ --- -type: keyword - --- - -*`rsa.internal.event_desc`*:: -+ --- -type: keyword - --- - -*`rsa.internal.message`*:: -+ --- -This key captures the contents of instant messages - -type: keyword - --- - -*`rsa.internal.time`*:: -+ --- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: date - --- - -*`rsa.internal.level`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.msg_id`*:: -+ --- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.msg_vid`*:: -+ --- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.data`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_server`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_val`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.resource`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_id`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.internal.statement`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.audit_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.entry`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.hcode`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.inode`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.resource_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.dead`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.feed_desc`*:: -+ --- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.feed_name`*:: -+ --- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.cid`*:: -+ --- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_class`*:: -+ --- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_group`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_host`*:: -+ --- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_ip`*:: -+ --- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_ipv6`*:: -+ --- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_type`*:: -+ --- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_type_id`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.did`*:: -+ --- -This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.entropy_req`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.entropy_res`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.event_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.feed_category`*:: -+ --- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.forward_ip`*:: -+ --- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: ip - --- - -*`rsa.internal.forward_ipv6`*:: -+ --- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.header_id`*:: -+ --- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_cid`*:: -+ --- -This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_ctime`*:: -+ --- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: date - --- - -*`rsa.internal.mcb_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcb_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcbc_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.mcbc_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.medium`*:: -+ --- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: long - --- - -*`rsa.internal.node_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.nwe_callback_id`*:: -+ --- -This key denotes that event is endpoint related - -type: keyword - --- - -*`rsa.internal.parse_error`*:: -+ --- -This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.payload_req`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.payload_res`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.process_vid_dst`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - -type: keyword - --- - -*`rsa.internal.process_vid_src`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - -type: keyword - --- - -*`rsa.internal.rid`*:: -+ --- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.session_split`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.site`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.size`*:: -+ --- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.sourcefile`*:: -+ --- -This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.ubc_req`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.ubc_res`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.word`*:: -+ --- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - -type: keyword - --- - - -*`rsa.time.event_time`*:: -+ --- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - -type: date - --- - -*`rsa.time.duration_time`*:: -+ --- -This key is used to capture the normalized duration/lifetime in seconds. 
- -type: double - --- - -*`rsa.time.event_time_str`*:: -+ --- -This key is used to capture the incomplete time mentioned in a session as a string - -type: keyword - --- - -*`rsa.time.starttime`*:: -+ --- -This key is used to capture the Start time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.month`*:: -+ --- -type: keyword - --- - -*`rsa.time.day`*:: -+ --- -type: keyword - --- - -*`rsa.time.endtime`*:: -+ --- -This key is used to capture the End time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.timezone`*:: -+ --- -This key is used to capture the timezone of the Event Time - -type: keyword - --- - -*`rsa.time.duration_str`*:: -+ --- -A text string version of the duration - -type: keyword - --- - -*`rsa.time.date`*:: -+ --- -type: keyword - --- - -*`rsa.time.year`*:: -+ --- -type: keyword - --- - -*`rsa.time.recorded_time`*:: -+ --- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date - --- - -*`rsa.time.datetime`*:: -+ --- -type: keyword - --- - -*`rsa.time.effective_time`*:: -+ --- -This key is the effective time referenced by an individual event in a Standard Timestamp format - -type: date - --- - -*`rsa.time.expire_time`*:: -+ --- -This key is the timestamp that explicitly refers to an expiration. - -type: date - --- - -*`rsa.time.process_time`*:: -+ --- -Deprecated, use duration.time - -type: keyword - --- - -*`rsa.time.hour`*:: -+ --- -type: keyword - --- - -*`rsa.time.min`*:: -+ --- -type: keyword - --- - -*`rsa.time.timestamp`*:: -+ --- -type: keyword - --- - -*`rsa.time.event_queue_time`*:: -+ --- -This key is the Time that the event was queued. 
- -type: date - --- - -*`rsa.time.p_time1`*:: -+ --- -type: keyword - --- - -*`rsa.time.tzone`*:: -+ --- -type: keyword - --- - -*`rsa.time.eventtime`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmtdate`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmttime`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_date`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_month`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time2`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_year`*:: -+ --- -type: keyword - --- - -*`rsa.time.expire_time_str`*:: -+ --- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. - -type: keyword - --- - -*`rsa.time.stamp`*:: -+ --- -Deprecated key defined only in table map. - -type: date - --- - - -*`rsa.misc.action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.result`*:: -+ --- -This key is used to capture the outcome/result string value of an action in a session. - -type: keyword - --- - -*`rsa.misc.severity`*:: -+ --- -This key is used to capture the severity given the session - -type: keyword - --- - -*`rsa.misc.event_type`*:: -+ --- -This key captures the event category type as specified by the event source. - -type: keyword - --- - -*`rsa.misc.reference_id`*:: -+ --- -This key is used to capture an event id from the session directly - -type: keyword - --- - -*`rsa.misc.version`*:: -+ --- -This key captures Version of the application or OS which is generating the event. - -type: keyword - --- - -*`rsa.misc.disposition`*:: -+ --- -This key captures the The end state of an action. 
- -type: keyword - --- - -*`rsa.misc.result_code`*:: -+ --- -This key is used to capture the outcome/result numeric value of an action in a session - -type: keyword - --- - -*`rsa.misc.category`*:: -+ --- -This key is used to capture the category of an event given by the vendor in the session - -type: keyword - --- - -*`rsa.misc.obj_name`*:: -+ --- -This is used to capture name of object - -type: keyword - --- - -*`rsa.misc.obj_type`*:: -+ --- -This is used to capture type of object - -type: keyword - --- - -*`rsa.misc.event_source`*:: -+ --- -This key captures Source of the event that’s not a hostname - -type: keyword - --- - -*`rsa.misc.log_session_id`*:: -+ --- -This key is used to capture a sessionid from the session directly - -type: keyword - --- - -*`rsa.misc.group`*:: -+ --- -This key captures the Group Name value - -type: keyword - --- - -*`rsa.misc.policy_name`*:: -+ --- -This key is used to capture the Policy Name only. - -type: keyword - --- - -*`rsa.misc.rule_name`*:: -+ --- -This key captures the Rule Name - -type: keyword - --- - -*`rsa.misc.context`*:: -+ --- -This key captures Information which adds additional context to the event. - -type: keyword - --- - -*`rsa.misc.change_new`*:: -+ --- -This key is used to capture the new values of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.space`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client`*:: -+ --- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- -type: keyword - --- - -*`rsa.misc.msgIdPart1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.change_old`*:: -+ --- -This key is used to capture the old value of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.operation_id`*:: -+ --- -An alert number or operation number. The values should be unique and non-repeating. - -type: keyword - --- - -*`rsa.misc.event_state`*:: -+ --- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - -type: keyword - --- - -*`rsa.misc.group_object`*:: -+ --- -This key captures a collection/grouping of entities. Specific usage - -type: keyword - --- - -*`rsa.misc.node`*:: -+ --- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - -type: keyword - --- - -*`rsa.misc.rule`*:: -+ --- -This key captures the Rule number - -type: keyword - --- - -*`rsa.misc.device_name`*:: -+ --- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - -type: keyword - --- - -*`rsa.misc.param`*:: -+ --- -This key is the parameters passed as part of a command or application, etc. - -type: keyword - --- - -*`rsa.misc.change_attrib`*:: -+ --- -This key is used to capture the name of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.event_computer`*:: -+ --- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- -type: keyword - --- - -*`rsa.misc.reference_id1`*:: -+ --- -This key is for Linked ID to be used as an addition to "reference.id" - -type: keyword - --- - -*`rsa.misc.event_log`*:: -+ --- -This key captures the Name of the event log - -type: keyword - --- - -*`rsa.misc.OS`*:: -+ --- -This key captures the Name of the Operating System - -type: keyword - --- - -*`rsa.misc.terminal`*:: -+ --- -This key captures the Terminal Names only - -type: keyword - --- - -*`rsa.misc.msgIdPart3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.filter`*:: -+ --- -This key captures Filter used to reduce result set - -type: keyword - --- - -*`rsa.misc.serial_number`*:: -+ --- -This key is the Serial number associated with a physical asset. - -type: keyword - --- - -*`rsa.misc.checksum`*:: -+ --- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - -type: keyword - --- - -*`rsa.misc.event_user`*:: -+ --- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - -type: keyword - --- - -*`rsa.misc.virusname`*:: -+ --- -This key captures the name of the virus - -type: keyword - --- - -*`rsa.misc.content_type`*:: -+ --- -This key is used to capture Content Type only. - -type: keyword - --- - -*`rsa.misc.group_id`*:: -+ --- -This key captures Group ID Number (related to the group name) - -type: keyword - --- - -*`rsa.misc.policy_id`*:: -+ --- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - -type: keyword - --- - -*`rsa.misc.vsys`*:: -+ --- -This key captures Virtual System Name - -type: keyword - --- - -*`rsa.misc.connection_id`*:: -+ --- -This key captures the Connection ID - -type: keyword - --- - -*`rsa.misc.reference_id2`*:: -+ --- -This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - -type: keyword - --- - -*`rsa.misc.sensor`*:: -+ --- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - -type: keyword - --- - -*`rsa.misc.sig_id`*:: -+ --- -This key captures IDS/IPS Int Signature ID - -type: long - --- - -*`rsa.misc.port_name`*:: -+ --- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - -type: keyword - --- - -*`rsa.misc.rule_group`*:: -+ --- -This key captures the Rule group name - -type: keyword - --- - -*`rsa.misc.risk_num`*:: -+ --- -This key captures a Numeric Risk value - -type: double - --- - -*`rsa.misc.trigger_val`*:: -+ --- -This key captures the Value of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.log_session_id1`*:: -+ --- -This key is used to capture a Linked (Related) Session ID from the session directly - -type: keyword - --- - -*`rsa.misc.comp_version`*:: -+ --- -This key captures the Version level of a sub-component of a product. - -type: keyword - --- - -*`rsa.misc.content_version`*:: -+ --- -This key captures Version level of a signature or database content. - -type: keyword - --- - -*`rsa.misc.hardware_id`*:: -+ --- -This key is used to capture unique identifier for a device or system (NOT a Mac address) - -type: keyword - --- - -*`rsa.misc.risk`*:: -+ --- -This key captures the non-numeric risk value - -type: keyword - --- - -*`rsa.misc.event_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.reason`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mail_id`*:: -+ --- -This key is used to capture the mailbox id/name - -type: keyword - --- - -*`rsa.misc.rule_uid`*:: -+ --- -This key is the Unique Identifier for a rule. 
- -type: keyword - --- - -*`rsa.misc.trigger_desc`*:: -+ --- -This key captures the Description of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.inout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.data_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.error`*:: -+ --- -This key captures All non successful Error codes or responses - -type: keyword - --- - -*`rsa.misc.index`*:: -+ --- -type: keyword - --- - -*`rsa.misc.listnum`*:: -+ --- -This key is used to capture listname or listnumber, primarily for collecting access-list - -type: keyword - --- - -*`rsa.misc.ntype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.observed_val`*:: -+ --- -This key captures the Value observed (from the perspective of the device generating the log). - -type: keyword - --- - -*`rsa.misc.policy_value`*:: -+ --- -This key captures the contents of the policy. This contains details about the policy - -type: keyword - --- - -*`rsa.misc.pool_name`*:: -+ --- -This key captures the name of a resource pool - -type: keyword - --- - -*`rsa.misc.rule_template`*:: -+ --- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - -type: keyword - --- - -*`rsa.misc.count`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigcat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comments`*:: -+ --- -Comment information provided in the log message - -type: keyword - --- - -*`rsa.misc.doc_number`*:: -+ --- -This key captures File Identification number - -type: long - --- - -*`rsa.misc.expected_val`*:: -+ --- -This key captures the Value expected (from the perspective of the device generating the log). 
- -type: keyword - --- - -*`rsa.misc.job_num`*:: -+ --- -This key captures the Job Number - -type: keyword - --- - -*`rsa.misc.spi_dst`*:: -+ --- -Destination SPI Index - -type: keyword - --- - -*`rsa.misc.spi_src`*:: -+ --- -Source SPI Index - -type: keyword - --- - -*`rsa.misc.code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.agent_id`*:: -+ --- -This key is used to capture agent id - -type: keyword - --- - -*`rsa.misc.message_body`*:: -+ --- -This key captures the The contents of the message body. - -type: keyword - --- - -*`rsa.misc.phone`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sig_id_str`*:: -+ --- -This key captures a string object of the sigid variable. - -type: keyword - --- - -*`rsa.misc.cmd`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu`*:: -+ --- -This key is the CPU time used in the execution of the event being recorded. - -type: long - --- - -*`rsa.misc.event_desc`*:: -+ --- -This key is used to capture a description of an event available directly or inferred - -type: keyword - --- - -*`rsa.misc.sig_id1`*:: -+ --- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - -type: long - --- - -*`rsa.misc.im_buddyid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_client`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.priority`*:: -+ --- -type: keyword - --- - -*`rsa.misc.context_subject`*:: -+ --- -This key is to be used in an audit context where the subject is the object being identified - -type: keyword - --- - -*`rsa.misc.context_target`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cve`*:: -+ --- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - -type: keyword - --- - -*`rsa.misc.fcatnum`*:: -+ --- -This key captures Filter Category Number. 
Legacy Usage - -type: keyword - --- - -*`rsa.misc.library`*:: -+ --- -This key is used to capture library information in mainframe devices - -type: keyword - --- - -*`rsa.misc.parent_node`*:: -+ --- -This key captures the Parent Node Name. Must be related to node variable. - -type: keyword - --- - -*`rsa.misc.risk_info`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.tcp_flags`*:: -+ --- -This key is captures the TCP flags set in any packet of session - -type: long - --- - -*`rsa.misc.tos`*:: -+ --- -This key describes the type of service - -type: long - --- - -*`rsa.misc.vm_target`*:: -+ --- -VMWare Target **VMWARE** only varaible. - -type: keyword - --- - -*`rsa.misc.workspace`*:: -+ --- -This key captures Workspace Description - -type: keyword - --- - -*`rsa.misc.command`*:: -+ --- -type: keyword - --- - -*`rsa.misc.event_category`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facilityname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.forensic_info`*:: -+ --- -type: keyword - --- - -*`rsa.misc.jobname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy_waiver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.second`*:: -+ --- -type: keyword - --- - -*`rsa.misc.space1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.subcategory`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alert_id`*:: -+ --- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.checksum_dst`*:: -+ --- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - -type: keyword - --- - -*`rsa.misc.checksum_src`*:: -+ --- -This key is used to capture the checksum or hash of the source entity such as a file or process. 
- -type: keyword - --- - -*`rsa.misc.fresult`*:: -+ --- -This key captures the Filter Result - -type: long - --- - -*`rsa.misc.payload_dst`*:: -+ --- -This key is used to capture destination payload - -type: keyword - --- - -*`rsa.misc.payload_src`*:: -+ --- -This key is used to capture source payload - -type: keyword - --- - -*`rsa.misc.pool_id`*:: -+ --- -This key captures the identifier (typically numeric field) of a resource pool - -type: keyword - --- - -*`rsa.misc.process_id_val`*:: -+ --- -This key is a failure key for Process ID when it is not an integer value - -type: keyword - --- - -*`rsa.misc.risk_num_comm`*:: -+ --- -This key captures Risk Number Community - -type: double - --- - -*`rsa.misc.risk_num_next`*:: -+ --- -This key captures Risk Number NextGen - -type: double - --- - -*`rsa.misc.risk_num_sand`*:: -+ --- -This key captures Risk Number SandBox - -type: double - --- - -*`rsa.misc.risk_num_static`*:: -+ --- -This key captures Risk Number Static - -type: double - --- - -*`rsa.misc.risk_suspicious`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.risk_warning`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.snmp_oid`*:: -+ --- -SNMP Object Identifier - -type: keyword - --- - -*`rsa.misc.sql`*:: -+ --- -This key captures the SQL query - -type: keyword - --- - -*`rsa.misc.vuln_ref`*:: -+ --- -This key captures the Vulnerability Reference details - -type: keyword - --- - -*`rsa.misc.acl_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_op`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_pos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_table`*:: -+ --- -type: keyword - --- - -*`rsa.misc.admin`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarm_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarmname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.app_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.audit`*:: 
-+ --- -type: keyword - --- - -*`rsa.misc.audit_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.auditdata`*:: -+ --- -type: keyword - --- - -*`rsa.misc.benchmark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.bypass`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache_hit`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cefversion`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_attr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_obj`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_path`*:: -+ --- -type: keyword - --- - -*`rsa.misc.changes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client_ip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.clustermembers`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_acttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_asn_src`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_bgpv4nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ctr_dst_code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_f_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampintv`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampmode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inacttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermbyts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermpckts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_invalid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ip_proto_ver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ipv4_ident`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_l_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_did`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_rid`*:: -+ --- -type: keyword - 
--- - -*`rsa.misc.cn_max_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_maxpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_min_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_minpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_10`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_5`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_6`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_7`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_8`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_9`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_byt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_pks`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_muligmptype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampalgo`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampint`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_seqctr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_spackets`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sysuptime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_template_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totbytsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totflowexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totpcktsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_unixnanosecs`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6flowlabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6optheaders`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.comp_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_rbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_sbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.criticality`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_agency_dst`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_analyzedby`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_other`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_primary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_secondary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bgpv6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bit9status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_context`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_control`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_datecret`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_dst_tld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_dst_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_src_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_event_uuid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_filetype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_desc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ip_next_hop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4dstpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4srcpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_lifetime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_log_medium`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_loginname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulescore`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulesign`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_opswatresult`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.cs_payload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrant`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrar`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_represult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_rpayload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sampler_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sourcemodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_streams`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_targetmodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_v6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_whois_server`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_yararesult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.description`*:: -+ --- -type: keyword - --- - -*`rsa.misc.devvendor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.distance`*:: -+ --- -type: keyword - --- - -*`rsa.misc.dstburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomaub`*:: -+ --- -type: keyword - --- - -*`rsa.misc.euid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facility`*:: -+ --- -type: keyword - --- - -*`rsa.misc.finterface`*:: -+ --- -type: keyword - --- - -*`rsa.misc.flags`*:: -+ --- -type: keyword - --- - -*`rsa.misc.gaddr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.id3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_buddyname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomtype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_members`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_username`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipscat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipspri`*:: -+ --- -type: keyword - --- - -*`rsa.misc.latitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.linenum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.list_name`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.load_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_floor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_mark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.longitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.lport`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mbug_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msg_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.netsessid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.nwwn`*:: -+ --- -type: keyword - --- - -*`rsa.misc.object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.operation`*:: -+ --- -type: keyword - --- - -*`rsa.misc.opkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.orig_from`*:: -+ --- -type: keyword - --- - -*`rsa.misc.owner_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_filter`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_group_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_result1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_chg`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_expire`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permgranted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permwanted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pgid`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.policyUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.prog_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.program`*:: -+ --- -type: keyword - --- - -*`rsa.misc.real_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_device`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_library`*:: -+ --- -type: keyword - --- - -*`rsa.misc.recordnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ruid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sdomain_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sec`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sensorname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.seqnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.session`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sessiontype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.spi`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcservice`*:: -+ --- -type: keyword - --- - -*`rsa.misc.state`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.svcno`*:: -+ --- -type: keyword - --- - -*`rsa.misc.system`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.threshold`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.udb_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.url_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.user_div`*:: -+ --- -type: keyword - --- - -*`rsa.misc.userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.username_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.utcstamp`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.v_instafname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.virt_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.vpnid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.autorun_type`*:: -+ --- -This is used to capture Auto Run type - -type: keyword - --- - -*`rsa.misc.cc_number`*:: -+ --- -Valid Credit Card Numbers only - -type: long - --- - -*`rsa.misc.content`*:: -+ --- -This key captures the content type from protocol headers - -type: keyword - --- - -*`rsa.misc.ein_number`*:: -+ --- -Employee Identification Numbers only - -type: long - --- - -*`rsa.misc.found`*:: -+ --- -This is used to capture the results of regex match - -type: keyword - --- - -*`rsa.misc.language`*:: -+ --- -This is used to capture list of languages the client support and what it prefers - -type: keyword - --- - -*`rsa.misc.lifetime`*:: -+ --- -This key is used to capture the session lifetime in seconds. - -type: long - --- - -*`rsa.misc.link`*:: -+ --- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.misc.match`*:: -+ --- -This key is for regex match name from search.ini - -type: keyword - --- - -*`rsa.misc.param_dst`*:: -+ --- -This key captures the command line/launch argument of the target process or file - -type: keyword - --- - -*`rsa.misc.param_src`*:: -+ --- -This key captures source parameter - -type: keyword - --- - -*`rsa.misc.search_text`*:: -+ --- -This key captures the Search Text used - -type: keyword - --- - -*`rsa.misc.sig_name`*:: -+ --- -This key is used to capture the Signature Name only. - -type: keyword - --- - -*`rsa.misc.snmp_value`*:: -+ --- -SNMP set request value - -type: keyword - --- - -*`rsa.misc.streams`*:: -+ --- -This key captures number of streams in session - -type: long - --- - - -*`rsa.db.index`*:: -+ --- -This key captures IndexID of the index. 
- -type: keyword - --- - -*`rsa.db.instance`*:: -+ --- -This key is used to capture the database server instance name - -type: keyword - --- - -*`rsa.db.database`*:: -+ --- -This key is used to capture the name of a database or an instance as seen in a session - -type: keyword - --- - -*`rsa.db.transact_id`*:: -+ --- -This key captures the SQL transantion ID of the current session - -type: keyword - --- - -*`rsa.db.permissions`*:: -+ --- -This key captures permission or privilege level assigned to a resource. - -type: keyword - --- - -*`rsa.db.table_name`*:: -+ --- -This key is used to capture the table name - -type: keyword - --- - -*`rsa.db.db_id`*:: -+ --- -This key is used to capture the unique identifier for a database - -type: keyword - --- - -*`rsa.db.db_pid`*:: -+ --- -This key captures the process id of a connection with database server - -type: long - --- - -*`rsa.db.lread`*:: -+ --- -This key is used for the number of logical reads - -type: long - --- - -*`rsa.db.lwrite`*:: -+ --- -This key is used for the number of logical writes - -type: long - --- - -*`rsa.db.pread`*:: -+ --- -This key is used for the number of physical writes - -type: long - --- - - -*`rsa.network.alias_host`*:: -+ --- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - -type: keyword - --- - -*`rsa.network.domain`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_dst`*:: -+ --- -This key should only be used when it’s a Destination Hostname - -type: keyword - --- - -*`rsa.network.network_service`*:: -+ --- -This is used to capture layer 7 protocols/service names - -type: keyword - --- - -*`rsa.network.interface`*:: -+ --- -This key should be used when the source or destination context of an interface is not clear - -type: keyword - --- - -*`rsa.network.network_port`*:: -+ --- -Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) - -type: long - --- - -*`rsa.network.eth_host`*:: -+ --- -Deprecated, use alias.mac - -type: keyword - --- - -*`rsa.network.sinterface`*:: -+ --- -This key should only be used when it’s a Source Interface - -type: keyword - --- - -*`rsa.network.dinterface`*:: -+ --- -This key should only be used when it’s a Destination Interface - -type: keyword - --- - -*`rsa.network.vlan`*:: -+ --- -This key should only be used to capture the ID of the Virtual LAN - -type: long - --- - -*`rsa.network.zone_src`*:: -+ --- -This key should only be used when it’s a Source Zone. - -type: keyword - --- - -*`rsa.network.zone`*:: -+ --- -This key should be used when the source or destination context of a Zone is not clear - -type: keyword - --- - -*`rsa.network.zone_dst`*:: -+ --- -This key should only be used when it’s a Destination Zone. - -type: keyword - --- - -*`rsa.network.gateway`*:: -+ --- -This key is used to capture the IP Address of the gateway - -type: keyword - --- - -*`rsa.network.icmp_type`*:: -+ --- -This key is used to capture the ICMP type only - -type: long - --- - -*`rsa.network.mask`*:: -+ --- -This key is used to capture the device network IPmask. 
- -type: keyword - --- - -*`rsa.network.icmp_code`*:: -+ --- -This key is used to capture the ICMP code only - -type: long - --- - -*`rsa.network.protocol_detail`*:: -+ --- -This key should be used to capture additional protocol information - -type: keyword - --- - -*`rsa.network.dmask`*:: -+ --- -This key is used for Destionation Device network mask - -type: keyword - --- - -*`rsa.network.port`*:: -+ --- -This key should only be used to capture a Network Port when the directionality is not clear - -type: long - --- - -*`rsa.network.smask`*:: -+ --- -This key is used for capturing source Network Mask - -type: keyword - --- - -*`rsa.network.netname`*:: -+ --- -This key is used to capture the network name associated with an IP range. This is configured by the end user. - -type: keyword - --- - -*`rsa.network.paddr`*:: -+ --- -Deprecated - -type: ip - --- - -*`rsa.network.faddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.lhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.origin`*:: -+ --- -type: keyword - --- - -*`rsa.network.remote_domain_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.addr`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_a_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_ptr_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.fhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.fport`*:: -+ --- -type: keyword - --- - -*`rsa.network.laddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.linterface`*:: -+ --- -type: keyword - --- - -*`rsa.network.phost`*:: -+ --- -type: keyword - --- - -*`rsa.network.ad_computer_dst`*:: -+ --- -Deprecated, use host.dst - -type: keyword - --- - -*`rsa.network.eth_type`*:: -+ --- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: long - --- - -*`rsa.network.ip_proto`*:: -+ --- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - -type: long - --- - -*`rsa.network.dns_cname_record`*:: -+ --- 
-type: keyword - --- - -*`rsa.network.dns_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_opcode`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_resp`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.domain1`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.packet_length`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_orig`*:: -+ --- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - -type: keyword - --- - -*`rsa.network.rpayload`*:: -+ --- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. - -type: keyword - --- - -*`rsa.network.vlan_name`*:: -+ --- -This key should only be used to capture the name of the Virtual LAN - -type: keyword - --- - - -*`rsa.investigations.ec_activity`*:: -+ --- -This key captures the particular event activity(Ex:Logoff) - -type: keyword - --- - -*`rsa.investigations.ec_theme`*:: -+ --- -This key captures the Theme of a particular Event(Ex:Authentication) - -type: keyword - --- - -*`rsa.investigations.ec_subject`*:: -+ --- -This key captures the Subject of a particular Event(Ex:User) - -type: keyword - --- - -*`rsa.investigations.ec_outcome`*:: -+ --- -This key captures the outcome of a particular Event(Ex:Success) - -type: keyword - --- - -*`rsa.investigations.event_cat`*:: -+ --- -This key captures the Event category number - -type: long - --- - -*`rsa.investigations.event_cat_name`*:: -+ --- -This key captures the event category name corresponding to the event cat code - -type: keyword - --- - -*`rsa.investigations.event_vcat`*:: -+ --- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - -type: keyword - --- - -*`rsa.investigations.analysis_file`*:: -+ --- -This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - -type: keyword - --- - -*`rsa.investigations.analysis_service`*:: -+ --- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - -type: keyword - --- - -*`rsa.investigations.analysis_session`*:: -+ --- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - -type: keyword - --- - -*`rsa.investigations.boc`*:: -+ --- -This is used to capture behaviour of compromise - -type: keyword - --- - -*`rsa.investigations.eoc`*:: -+ --- -This is used to capture Enablers of Compromise - -type: keyword - --- - -*`rsa.investigations.inv_category`*:: -+ --- -This used to capture investigation category - -type: keyword - --- - -*`rsa.investigations.inv_context`*:: -+ --- -This used to capture investigation context - -type: keyword - --- - -*`rsa.investigations.ioc`*:: -+ --- -This is key capture indicator of compromise - -type: keyword - --- - - -*`rsa.counters.dclass_c1`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c1.str only - -type: long - --- - -*`rsa.counters.dclass_c2`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c2.str only - -type: long - --- - -*`rsa.counters.event_counter`*:: -+ --- -This is used to capture the number of times an event repeated - -type: long - --- - -*`rsa.counters.dclass_r1`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r1.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c3.str only - -type: long - --- - -*`rsa.counters.dclass_c1_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c1 only - -type: keyword - --- - -*`rsa.counters.dclass_c2_str`*:: -+ --- -This is a generic counter string key that should be 
used with the label dclass.c2 only - -type: keyword - --- - -*`rsa.counters.dclass_r1_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r1 only - -type: keyword - --- - -*`rsa.counters.dclass_r2`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r2.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c3 only - -type: keyword - --- - -*`rsa.counters.dclass_r3`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r3.str only - -type: keyword - --- - -*`rsa.counters.dclass_r2_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r2 only - -type: keyword - --- - -*`rsa.counters.dclass_r3_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r3 only - -type: keyword - --- - - -*`rsa.identity.auth_method`*:: -+ --- -This key is used to capture authentication methods used only - -type: keyword - --- - -*`rsa.identity.user_role`*:: -+ --- -This key is used to capture the Role of a user only - -type: keyword - --- - -*`rsa.identity.dn`*:: -+ --- -X.500 (LDAP) Distinguished Name - -type: keyword - --- - -*`rsa.identity.logon_type`*:: -+ --- -This key is used to capture the type of logon method used. 
- -type: keyword - --- - -*`rsa.identity.profile`*:: -+ --- -This key is used to capture the user profile - -type: keyword - --- - -*`rsa.identity.accesses`*:: -+ --- -This key is used to capture actual privileges used in accessing an object - -type: keyword - --- - -*`rsa.identity.realm`*:: -+ --- -Radius realm or similar grouping of accounts - -type: keyword - --- - -*`rsa.identity.user_sid_dst`*:: -+ --- -This key captures Destination User Session ID - -type: keyword - --- - -*`rsa.identity.dn_src`*:: -+ --- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - -type: keyword - --- - -*`rsa.identity.org`*:: -+ --- -This key captures the User organization - -type: keyword - --- - -*`rsa.identity.dn_dst`*:: -+ --- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - -type: keyword - --- - -*`rsa.identity.firstname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.lastname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.user_dept`*:: -+ --- -User's Department Names only - -type: keyword - --- - -*`rsa.identity.user_sid_src`*:: -+ --- -This key captures Source User Session ID - -type: keyword - --- - -*`rsa.identity.federated_sp`*:: -+ --- -This key is the Federated Service Provider. This is the application requesting authentication. - -type: keyword - --- - -*`rsa.identity.federated_idp`*:: -+ --- -This key is the federated Identity Provider. This is the server providing the authentication. - -type: keyword - --- - -*`rsa.identity.logon_type_desc`*:: -+ --- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- -type: keyword - --- - -*`rsa.identity.middlename`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.password`*:: -+ --- -This key is for Passwords seen in any session, plain text or encrypted - -type: keyword - --- - -*`rsa.identity.host_role`*:: -+ --- -This key should only be used to capture the role of a Host Machine - -type: keyword - --- - -*`rsa.identity.ldap`*:: -+ --- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - -type: keyword - --- - -*`rsa.identity.ldap_query`*:: -+ --- -This key is the Search criteria from an LDAP search - -type: keyword - --- - -*`rsa.identity.ldap_response`*:: -+ --- -This key is to capture Results from an LDAP search - -type: keyword - --- - -*`rsa.identity.owner`*:: -+ --- -This is used to capture username the process or service is running as, the author of the task - -type: keyword - --- - -*`rsa.identity.service_account`*:: -+ --- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - -type: keyword - --- - - -*`rsa.email.email_dst`*:: -+ --- -This key is used to capture the Destination email address only, when the destination context is not clear use email - -type: keyword - --- - -*`rsa.email.email_src`*:: -+ --- -This key is used to capture the source email address only, when the source context is not clear use email - -type: keyword - --- - -*`rsa.email.subject`*:: -+ --- -This key is used to capture the subject string from an Email only. - -type: keyword - --- - -*`rsa.email.email`*:: -+ --- -This key is used to capture a generic email address where the source or destination context is not clear - -type: keyword - --- - -*`rsa.email.trans_from`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.email.trans_to`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - - -*`rsa.file.privilege`*:: -+ --- -Deprecated, use permissions - -type: keyword - --- - -*`rsa.file.attachment`*:: -+ --- -This key captures the attachment file name - -type: keyword - --- - -*`rsa.file.filesystem`*:: -+ --- -type: keyword - --- - -*`rsa.file.binary`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.file.filename_dst`*:: -+ --- -This is used to capture name of the file targeted by the action - -type: keyword - --- - -*`rsa.file.filename_src`*:: -+ --- -This is used to capture name of the parent filename, the file which performed the action - -type: keyword - --- - -*`rsa.file.filename_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.file.directory_dst`*:: -+ --- -This key is used to capture the directory of the target process or file - -type: keyword - --- - -*`rsa.file.directory_src`*:: -+ --- -This key is used to capture the directory of the source process or file - -type: keyword - --- - -*`rsa.file.file_entropy`*:: -+ --- -This is used to capture entropy vale of a file - -type: double - --- - -*`rsa.file.file_vendor`*:: -+ --- -This is used to capture Company name of file located in version_info - -type: keyword - --- - -*`rsa.file.task_name`*:: -+ --- -This is used to capture name of the task - -type: keyword - --- - - -*`rsa.web.fqdn`*:: -+ --- -Fully Qualified Domain Names - -type: keyword - --- - -*`rsa.web.web_cookie`*:: -+ --- -This key is used to capture the Web cookies specifically. - -type: keyword - --- - -*`rsa.web.alias_host`*:: -+ --- -type: keyword - --- - -*`rsa.web.reputation_num`*:: -+ --- -Reputation Number of an entity. 
Typically used for Web Domains - -type: double - --- - -*`rsa.web.web_ref_domain`*:: -+ --- -Web referer's domain - -type: keyword - --- - -*`rsa.web.web_ref_query`*:: -+ --- -This key captures Web referer's query portion of the URL - -type: keyword - --- - -*`rsa.web.remote_domain`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_ref_page`*:: -+ --- -This key captures Web referer's page information - -type: keyword - --- - -*`rsa.web.web_ref_root`*:: -+ --- -Web referer's root URL path - -type: keyword - --- - -*`rsa.web.cn_asn_dst`*:: -+ --- -type: keyword - --- - -*`rsa.web.cn_rpackets`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlpage`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlroot`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_url`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_user_agent`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_cookie`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_method`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_referer`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_extension_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_page`*:: -+ --- -type: keyword - --- - - -*`rsa.threat.threat_category`*:: -+ --- -This key captures Threat Name/Threat Category/Categorization of alert - -type: keyword - --- - -*`rsa.threat.threat_desc`*:: -+ --- -This key is used to capture the threat description from the session directly or inferred - -type: keyword - --- - -*`rsa.threat.alert`*:: -+ --- -This key is used to capture name of the alert - -type: keyword - --- - -*`rsa.threat.threat_source`*:: -+ --- -This key is used to capture source of the threat - -type: keyword - --- - - -*`rsa.crypto.crypto`*:: -+ --- -This key is used to capture the Encryption Type or Encryption Key only - -type: keyword - --- - -*`rsa.crypto.cipher_src`*:: -+ --- -This key is for Source (Client) Cipher - -type: keyword - --- - -*`rsa.crypto.cert_subject`*:: -+ --- -This key is used to capture the Certificate organization only - -type: keyword - --- 
- -*`rsa.crypto.peer`*:: -+ --- -This key is for Encryption peer's IP Address - -type: keyword - --- - -*`rsa.crypto.cipher_size_src`*:: -+ --- -This key captures Source (Client) Cipher Size - -type: long - --- - -*`rsa.crypto.ike`*:: -+ --- -IKE negotiation phase. - -type: keyword - --- - -*`rsa.crypto.scheme`*:: -+ --- -This key captures the Encryption scheme used - -type: keyword - --- - -*`rsa.crypto.peer_id`*:: -+ --- -This key is for Encryption peer’s identity - -type: keyword - --- - -*`rsa.crypto.sig_type`*:: -+ --- -This key captures the Signature Type - -type: keyword - --- - -*`rsa.crypto.cert_issuer`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.crypto.cert_error`*:: -+ --- -This key captures the Certificate Error String - -type: keyword - --- - -*`rsa.crypto.cipher_dst`*:: -+ --- -This key is for Destination (Server) Cipher - -type: keyword - --- - -*`rsa.crypto.cipher_size_dst`*:: -+ --- -This key captures Destination (Server) Cipher Size - -type: long - --- - -*`rsa.crypto.ssl_ver_src`*:: -+ --- -Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.d_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.s_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.ike_cookie1`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase One - -type: keyword - --- - -*`rsa.crypto.ike_cookie2`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase Two - -type: keyword - --- - -*`rsa.crypto.cert_checksum`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_cat`*:: -+ --- -This key is used for the hostname category value of a certificate - -type: keyword - --- - -*`rsa.crypto.cert_serial`*:: -+ --- -This key is used to capture the Certificate serial number only - -type: keyword - --- - -*`rsa.crypto.cert_status`*:: -+ --- -This key captures Certificate validation status - -type: keyword - --- - -*`rsa.crypto.ssl_ver_dst`*:: -+ --- 
-Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.cert_keysize`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_username`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_insact`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_valid`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_ca`*:: -+ --- -This key is used to capture the Certificate signing authority only - -type: keyword - --- - -*`rsa.crypto.cert_common`*:: -+ --- -This key is used to capture the Certificate common name only - -type: keyword - --- - - -*`rsa.wireless.wlan_ssid`*:: -+ --- -This key is used to capture the ssid of a Wireless Session - -type: keyword - --- - -*`rsa.wireless.access_point`*:: -+ --- -This key is used to capture the access point name. - -type: keyword - --- - -*`rsa.wireless.wlan_channel`*:: -+ --- -This is used to capture the channel names - -type: long - --- - -*`rsa.wireless.wlan_name`*:: -+ --- -This key captures either WLAN number/name - -type: keyword - --- - - -*`rsa.storage.disk_volume`*:: -+ --- -A unique name assigned to logical units (volumes) within a physical disk - -type: keyword - --- - -*`rsa.storage.lun`*:: -+ --- -Logical Unit Number.This key is a very useful concept in Storage. - -type: keyword - --- - -*`rsa.storage.pwwn`*:: -+ --- -This uniquely identifies a port on a HBA. - -type: keyword - --- - - -*`rsa.physical.org_dst`*:: -+ --- -This is used to capture the destination organization based on the GEOPIP Maxmind database. - -type: keyword - --- - -*`rsa.physical.org_src`*:: -+ --- -This is used to capture the source organization based on the GEOPIP Maxmind database. 
- -type: keyword - --- - - -*`rsa.healthcare.patient_fname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_id`*:: -+ --- -This key captures the unique ID for a patient - -type: keyword - --- - -*`rsa.healthcare.patient_lname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_mname`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - - -*`rsa.endpoint.host_state`*:: -+ --- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - -type: keyword - --- - -*`rsa.endpoint.registry_key`*:: -+ --- -This key captures the path to the registry key - -type: keyword - --- - -*`rsa.endpoint.registry_value`*:: -+ --- -This key captures values or decorators used within a registry entry - -type: keyword - --- - [float] === fortinet diff --git a/filebeat/docs/modules/fortinet.asciidoc b/filebeat/docs/modules/fortinet.asciidoc index f6575c7db65..7671ba7a711 100644 --- a/filebeat/docs/modules/fortinet.asciidoc +++ b/filebeat/docs/modules/fortinet.asciidoc @@ -18,9 +18,6 @@ This is a module for Fortinet logs sent in the syslog format. It supports the following devices: - `firewall` fileset: Supports FortiOS Firewall logs. -- `clientendpoint` fileset: Supports FortiClient Endpoint Protection logs. -- `fortimail` fileset: Supports FortiMail logs. -- `fortimanager` fileset: Supports FortiManager logs. To configure a remote syslog destination, please reference the https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/260508/log-syslogd-syslogd2-syslogd3-syslogd4-setting[Fortigate/FortiOS Documentation]. 
@@ -78,147 +75,6 @@ events. Defaults to `[fortinet-firewall, forwarded]`. :fileset_ex!: -[float] -==== `clientendpoint` fileset settings - -deprecated::[8.12.0,"This fileset is deprecated. Use the https://docs.elastic.co/integrations/fortinet_forticlient[Fortinet FortiClient Logs] Elastic integration instead."] - -experimental[] - -NOTE: This was converted from RSA NetWitness log parser XML "forticlientendpoint" device revision 0. - -*`var.input`*:: - -The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. - -*`var.syslog_host`*:: - -The address to listen to UDP or TCP based syslog traffic. -Defaults to `localhost`. -Set to `0.0.0.0` to bind to all available interfaces. - -*`var.syslog_port`*:: - -The port to listen for syslog traffic. Defaults to `9510` - -NOTE: Ports below 1024 require Filebeat to run as root. - -*`var.tz_offset`*:: - -By default, datetimes in the logs will be interpreted as relative to -the timezone configured in the host where {beatname_uc} is running. If ingesting -logs from a host on a different timezone, use this field to set the timezone -offset so that datetimes are correctly parsed. Valid values are in the form -±HH:mm, for example, `-07:00` for `UTC-7`. - -*`var.rsa_fields`*:: - -Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be added. - -*`var.keep_raw_fields`*:: - -Flag to control the addition of the raw parser fields to the event. This fields -will be found under `rsa.raw`. The default is false. - -:has-dashboards!: - -:fileset_ex!: - -[float] -==== `fortimail` fileset settings - -deprecated::[8.12.0,"This fileset is deprecated. Use the https://docs.elastic.co/integrations/fortinet_fortimail[Fortinet FortiMail] Elastic integration instead."] - -experimental[] - -NOTE: This was converted from RSA NetWitness log parser XML "fortinetfortimail" device revision 131. 
- -*`var.input`*:: - -The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. - -*`var.syslog_host`*:: - -The address to listen to UDP or TCP based syslog traffic. -Defaults to `localhost`. -Set to `0.0.0.0` to bind to all available interfaces. - -*`var.syslog_port`*:: - -The port to listen for syslog traffic. Defaults to `9529` - -NOTE: Ports below 1024 require Filebeat to run as root. - -*`var.tz_offset`*:: - -By default, datetimes in the logs will be interpreted as relative to -the timezone configured in the host where {beatname_uc} is running. If ingesting -logs from a host on a different timezone, use this field to set the timezone -offset so that datetimes are correctly parsed. Valid values are in the form -±HH:mm, for example, `-07:00` for `UTC-7`. - -*`var.rsa_fields`*:: - -Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be added. - -*`var.keep_raw_fields`*:: - -Flag to control the addition of the raw parser fields to the event. This fields -will be found under `rsa.raw`. The default is false. - -:has-dashboards!: - -:fileset_ex!: - -[float] -==== `fortimanager` fileset settings - -deprecated::[8.12.0,"This fileset is deprecated. Use the https://docs.elastic.co/integrations/fortinet_fortimanager[Fortinet FortiManager Logs] Elastic integration instead."] - -experimental[] - -NOTE: This was converted from RSA NetWitness log parser XML "fortinetmgr" device revision 134. - -*`var.input`*:: - -The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. - -*`var.syslog_host`*:: - -The address to listen to UDP or TCP based syslog traffic. -Defaults to `localhost`. -Set to `0.0.0.0` to bind to all available interfaces. - -*`var.syslog_port`*:: - -The port to listen for syslog traffic. Defaults to `9530` - -NOTE: Ports below 1024 require Filebeat to run as root. 
- -*`var.tz_offset`*:: - -By default, datetimes in the logs will be interpreted as relative to -the timezone configured in the host where {beatname_uc} is running. If ingesting -logs from a host on a different timezone, use this field to set the timezone -offset so that datetimes are correctly parsed. Valid values are in the form -±HH:mm, for example, `-07:00` for `UTC-7`. - -*`var.rsa_fields`*:: - -Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be added. - -*`var.keep_raw_fields`*:: - -Flag to control the addition of the raw parser fields to the event. This fields -will be found under `rsa.raw`. The default is false. - -:has-dashboards!: - -:fileset_ex!: - [float] ==== Fortinet ECS fields diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index c2d17ddd1b4..3d0d676d747 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -877,63 +877,6 @@ filebeat.modules: # This can't be used in combination with internal_interfaces and external_interfaces. #var.internal_networks: [ "private" ] - clientendpoint: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9510 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - - fortimail: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9529 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - - fortimanager: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9530 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - #--------------------- Google Cloud Platform (GCP) Module --------------------- - module: gcp vpcflow: diff --git a/x-pack/filebeat/module/fortinet/_meta/config.yml b/x-pack/filebeat/module/fortinet/_meta/config.yml index 0412d06bd2c..971e753bf1c 100644 --- a/x-pack/filebeat/module/fortinet/_meta/config.yml +++ b/x-pack/filebeat/module/fortinet/_meta/config.yml 
@@ -27,60 +27,3 @@
 # [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/network-direction-processor.html#supported-named-network-ranges).
 # This can't be used in combination with internal_interfaces and external_interfaces.
 #var.internal_networks: [ "private" ]
-
- clientendpoint:
- enabled: false
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9510
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
-
- fortimail:
- enabled: false
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9529
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
-
- fortimanager:
- enabled: false
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9530
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc b/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc
index 4b224e49019..d691fb1125d 100644
--- a/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc
@@ -11,9 +11,6 @@ This is a module for Fortinet logs sent in the syslog format. It supports the following devices:
 - `firewall` fileset: Supports FortiOS Firewall logs.
-- `clientendpoint` fileset: Supports FortiClient Endpoint Protection logs.
-- `fortimail` fileset: Supports FortiMail logs.
-- `fortimanager` fileset: Supports FortiManager logs.
 To configure a remote syslog destination, please reference the https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/260508/log-syslogd-syslogd2-syslogd3-syslogd4-setting[Fortigate/FortiOS Documentation].
@@ -71,147 +68,6 @@ events. Defaults to `[fortinet-firewall, forwarded]`.
 :fileset_ex!:
-[float]
-==== `clientendpoint` fileset settings
-
-deprecated::[8.12.0,"This fileset is deprecated. Use the https://docs.elastic.co/integrations/fortinet_forticlient[Fortinet FortiClient Logs] Elastic integration instead."]
-
-experimental[]
-
-NOTE: This was converted from RSA NetWitness log parser XML "forticlientendpoint" device revision 0.
-
-*`var.input`*::
-
-The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
-
-*`var.syslog_host`*::
-
-The address to listen to UDP or TCP based syslog traffic.
-Defaults to `localhost`.
-Set to `0.0.0.0` to bind to all available interfaces.
-
-*`var.syslog_port`*::
-
-The port to listen for syslog traffic. Defaults to `9510`
-
-NOTE: Ports below 1024 require Filebeat to run as root.
-
-*`var.tz_offset`*::
-
-By default, datetimes in the logs will be interpreted as relative to
-the timezone configured in the host where {beatname_uc} is running. If ingesting
-logs from a host on a different timezone, use this field to set the timezone
-offset so that datetimes are correctly parsed. Valid values are in the form
-±HH:mm, for example, `-07:00` for `UTC-7`.
-
-*`var.rsa_fields`*::
-
-Flag to control the addition of non-ECS fields to the event. Defaults to true,
-which causes both ECS and custom fields under `rsa` to be added.
-
-*`var.keep_raw_fields`*::
-
-Flag to control the addition of the raw parser fields to the event. This fields
-will be found under `rsa.raw`. The default is false.
-
-:has-dashboards!:
-
-:fileset_ex!:
-
-[float]
-==== `fortimail` fileset settings
-
-deprecated::[8.12.0,"This fileset is deprecated. Use the https://docs.elastic.co/integrations/fortinet_fortimail[Fortinet FortiMail] Elastic integration instead."]
-
-experimental[]
-
-NOTE: This was converted from RSA NetWitness log parser XML "fortinetfortimail" device revision 131.
-
-*`var.input`*::
-
-The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
-
-*`var.syslog_host`*::
-
-The address to listen to UDP or TCP based syslog traffic.
-Defaults to `localhost`.
-Set to `0.0.0.0` to bind to all available interfaces.
-
-*`var.syslog_port`*::
-
-The port to listen for syslog traffic. Defaults to `9529`
-
-NOTE: Ports below 1024 require Filebeat to run as root.
-
-*`var.tz_offset`*::
-
-By default, datetimes in the logs will be interpreted as relative to
-the timezone configured in the host where {beatname_uc} is running. If ingesting
-logs from a host on a different timezone, use this field to set the timezone
-offset so that datetimes are correctly parsed. Valid values are in the form
-±HH:mm, for example, `-07:00` for `UTC-7`.
-
-*`var.rsa_fields`*::
-
-Flag to control the addition of non-ECS fields to the event. Defaults to true,
-which causes both ECS and custom fields under `rsa` to be added.
-
-*`var.keep_raw_fields`*::
-
-Flag to control the addition of the raw parser fields to the event. This fields
-will be found under `rsa.raw`. The default is false.
-
-:has-dashboards!:
-
-:fileset_ex!:
-
-[float]
-==== `fortimanager` fileset settings
-
-deprecated::[8.12.0,"This fileset is deprecated. Use the https://docs.elastic.co/integrations/fortinet_fortimanager[Fortinet FortiManager Logs] Elastic integration instead."]
-
-experimental[]
-
-NOTE: This was converted from RSA NetWitness log parser XML "fortinetmgr" device revision 134.
-
-*`var.input`*::
-
-The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
-
-*`var.syslog_host`*::
-
-The address to listen to UDP or TCP based syslog traffic.
-Defaults to `localhost`.
-Set to `0.0.0.0` to bind to all available interfaces.
-
-*`var.syslog_port`*::
-
-The port to listen for syslog traffic. Defaults to `9530`
-
-NOTE: Ports below 1024 require Filebeat to run as root.
-
-*`var.tz_offset`*::
-
-By default, datetimes in the logs will be interpreted as relative to
-the timezone configured in the host where {beatname_uc} is running. If ingesting
-logs from a host on a different timezone, use this field to set the timezone
-offset so that datetimes are correctly parsed. Valid values are in the form
-±HH:mm, for example, `-07:00` for `UTC-7`.
-
-*`var.rsa_fields`*::
-
-Flag to control the addition of non-ECS fields to the event. Defaults to true,
-which causes both ECS and custom fields under `rsa` to be added.
-
-*`var.keep_raw_fields`*::
-
-Flag to control the addition of the raw parser fields to the event. This fields
-will be found under `rsa.raw`. The default is false.
-
-:has-dashboards!:
-
-:fileset_ex!:
-
 [float]
 ==== Fortinet ECS fields
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/_meta/fields.yml b/x-pack/filebeat/module/fortinet/clientendpoint/_meta/fields.yml
deleted file mode 100644
index 08a34153c4f..00000000000
--- a/x-pack/filebeat/module/fortinet/clientendpoint/_meta/fields.yml
+++ /dev/null
@@ -1,2635 +0,0 @@ -- name: network.interface.name - overwrite: true - type: keyword - description: > - Name of the network interface where the traffic has been observed. -- name: rsa - overwrite: true - type: group - fields: - - name: internal - overwrite: true - type: group - fields: - - name: msg - overwrite: true - type: keyword - description: This key is used to capture the raw message that comes into the - Log Decoder - - name: messageid - overwrite: true - type: keyword - - name: event_desc - overwrite: true - type: keyword - - name: message - overwrite: true - type: keyword - description: This key captures the contents of instant messages - - name: time - overwrite: true - type: date - description: This is the time at which a session hits a NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness. - - name: level - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: msg_id - overwrite: true - type: keyword - description: This is the Message ID1 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: msg_vid - overwrite: true - type: keyword - description: This is the Message ID2 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: data - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: resource - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: statement - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: entry - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: inode - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: resource_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: dead - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - overwrite: true - type: keyword - description: This is used to capture the description of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: feed_name - overwrite: true - type: keyword - description: This is used to capture the name of the feed. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: cid - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_class - overwrite: true - type: keyword - description: This is the Classification of the Log Event Source under a predefined - fixed set of Event Source Classifications. 
This key should never be used to - parse Meta data from a session (Logs/Packets) Directly, this is a Reserved - key in NetWitness - - name: device_group - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - overwrite: true - type: keyword - description: This is the Hostname of the log Event Source sending the logs to - NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - overwrite: true - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - overwrite: true - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - overwrite: true - type: keyword - description: This is the name of the log parser which parsed a given session. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_type_id - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: did - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. 
- This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: entropy_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: entropy_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: event_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - overwrite: true - type: keyword - description: This is used to capture the category of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: forward_ip - overwrite: true - type: ip - description: This key should be used to capture the IPV4 address of a relay - system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - overwrite: true - type: ip - description: This key is used to capture the IPV6 address of a relay system - which forwarded the events from the original system to NetWitness. This key - should never be used to parse Meta data from a session (Logs/Packets) Directly, - this is a Reserved key in NetWitness - - name: header_id - overwrite: true - type: keyword - description: This is the Header ID value that identifies the exact log parser - header definition that parses a particular log session. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: lc_cid - overwrite: true - type: keyword - description: This is a unique Identifier of a Log Collector. 
This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: lc_ctime - overwrite: true - type: date - description: This is the time at which a log is collected in a NetWitness Log - Collector. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: mcbc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: medium - overwrite: true - type: long - description: "This key is used to identify if it\u2019s a log/packet session\ - \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ - \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ - \ 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: nwe_callback_id - overwrite: true - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - overwrite: true - type: keyword - description: This is a special key that stores any Meta key validation error - found while parsing a log session. This key should never be used to parse - Meta data from a session (Logs/Packets) Directly, this is a Reserved key in - NetWitness - - name: payload_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: payload_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: process_vid_dst - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the target process. - - name: process_vid_src - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the source process. - - name: rid - overwrite: true - type: long - description: This is a special ID of the Remote Session created by NetWitness - Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: session_split - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: size - overwrite: true - type: long - description: This is the size of the session as seen by the NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: sourcefile - overwrite: true - type: keyword - description: This is the name of the log file or PCAPs that can be imported - into NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: ubc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: word - overwrite: true - type: keyword - description: This is used by the Word Parsing technology to capture the first - 5 character of every word in an unparsed log - - name: time - overwrite: true - type: group - fields: - - name: event_time - overwrite: true - type: date - description: This key is used to capture the time mentioned in a raw session - that represents the actual time an event occured in a standard normalized - form - - name: duration_time - overwrite: true - type: double - description: This key is used to capture the normalized duration/lifetime in - seconds. 
- - name: event_time_str - overwrite: true - type: keyword - description: This key is used to capture the incomplete time mentioned in a - session as a string - - name: starttime - overwrite: true - type: date - description: This key is used to capture the Start time mentioned in a session - in a standard form - - name: month - overwrite: true - type: keyword - - name: day - overwrite: true - type: keyword - - name: endtime - overwrite: true - type: date - description: This key is used to capture the End time mentioned in a session - in a standard form - - name: timezone - overwrite: true - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - overwrite: true - type: keyword - description: A text string version of the duration - - name: date - overwrite: true - type: keyword - - name: year - overwrite: true - type: keyword - - name: recorded_time - overwrite: true - type: date - description: The event time as recorded by the system the event is collected - from. The usage scenario is a multi-tier application where the management - layer of the system records it's own timestamp at the time of collection from - its child nodes. Must be in timestamp format. - - name: datetime - overwrite: true - type: keyword - - name: effective_time - overwrite: true - type: date - description: This key is the effective time referenced by an individual event - in a Standard Timestamp format - - name: expire_time - overwrite: true - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - overwrite: true - type: keyword - description: Deprecated, use duration.time - - name: hour - overwrite: true - type: keyword - - name: min - overwrite: true - type: keyword - - name: timestamp - overwrite: true - type: keyword - - name: event_queue_time - overwrite: true - type: date - description: This key is the Time that the event was queued. 
- - name: p_time1 - overwrite: true - type: keyword - - name: tzone - overwrite: true - type: keyword - - name: eventtime - overwrite: true - type: keyword - - name: gmtdate - overwrite: true - type: keyword - - name: gmttime - overwrite: true - type: keyword - - name: p_date - overwrite: true - type: keyword - - name: p_month - overwrite: true - type: keyword - - name: p_time - overwrite: true - type: keyword - - name: p_time2 - overwrite: true - type: keyword - - name: p_year - overwrite: true - type: keyword - - name: expire_time_str - overwrite: true - type: keyword - description: This key is used to capture incomplete timestamp that explicitly - refers to an expiration. - - name: stamp - overwrite: true - type: date - description: Deprecated key defined only in table map. - - name: misc - overwrite: true - type: group - fields: - - name: action - overwrite: true - type: keyword - - name: result - overwrite: true - type: keyword - description: This key is used to capture the outcome/result string value of - an action in a session. - - name: severity - overwrite: true - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - overwrite: true - type: keyword - description: This key captures the event category type as specified by the event - source. - - name: reference_id - overwrite: true - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - overwrite: true - type: keyword - description: This key captures Version of the application or OS which is generating - the event. - - name: disposition - overwrite: true - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - overwrite: true - type: keyword - description: This key is used to capture the outcome/result numeric value of - an action in a session - - name: category - overwrite: true - type: keyword - description: This key is used to capture the category of an event given by the - vendor in the session - - name: obj_name - overwrite: true - type: keyword - description: This is used to capture name of object - - name: obj_type - overwrite: true - type: keyword - description: This is used to capture type of object - - name: event_source - overwrite: true - type: keyword - description: "This key captures Source of the event that\u2019s not a hostname" - - name: log_session_id - overwrite: true - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - overwrite: true - type: keyword - description: This key captures the Group Name value - - name: policy_name - overwrite: true - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - overwrite: true - type: keyword - description: This key captures the Rule Name - - name: context - overwrite: true - type: keyword - description: This key captures Information which adds additional context to - the event. - - name: change_new - overwrite: true - type: keyword - description: "This key is used to capture the new values of the attribute that\u2019\ - s changing in a session" - - name: space - overwrite: true - type: keyword - - name: client - overwrite: true - type: keyword - description: This key is used to capture only the name of the client application - requesting resources of the server. See the user.agent meta key for capture - of the specific user agent identifier or browser identification string. 
- - name: msgIdPart1 - overwrite: true - type: keyword - - name: msgIdPart2 - overwrite: true - type: keyword - - name: change_old - overwrite: true - type: keyword - description: "This key is used to capture the old value of the attribute that\u2019\ - s changing in a session" - - name: operation_id - overwrite: true - type: keyword - description: An alert number or operation number. The values should be unique - and non-repeating. - - name: event_state - overwrite: true - type: keyword - description: This key captures the current state of the object/item referenced - within the event. Describing an on-going event. - - name: group_object - overwrite: true - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - overwrite: true - type: keyword - description: Common use case is the node name within a cluster. The cluster - name is reflected by the host name. - - name: rule - overwrite: true - type: keyword - description: This key captures the Rule number - - name: device_name - overwrite: true - type: keyword - description: 'This is used to capture name of the Device associated with the - node Like: a physical disk, printer, etc' - - name: param - overwrite: true - type: keyword - description: This key is the parameters passed as part of a command or application, - etc. - - name: change_attrib - overwrite: true - type: keyword - description: "This key is used to capture the name of the attribute that\u2019\ - s changing in a session" - - name: event_computer - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - fully qualified domain name in a windows log. 
- - name: reference_id1 - overwrite: true - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - overwrite: true - type: keyword - description: This key captures the Name of the event log - - name: OS - overwrite: true - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - overwrite: true - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - overwrite: true - type: keyword - - name: filter - overwrite: true - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - overwrite: true - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the entity - such as a file or process. Checksum should be used over checksum.src or checksum.dst - when it is unclear whether the entity is a source or target of an action. - - name: event_user - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - combination of domain name and username in a windows log. - - name: virusname - overwrite: true - type: keyword - description: This key captures the name of the virus - - name: content_type - overwrite: true - type: keyword - description: This key is used to capture Content Type only. 
- - name: group_id - overwrite: true - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - overwrite: true - type: keyword - description: This key is used to capture the Policy ID only, this should be - a numeric value, use policy.name otherwise - - name: vsys - overwrite: true - type: keyword - description: This key captures Virtual System Name - - name: connection_id - overwrite: true - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - overwrite: true - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" - or "reference.id1" value but should not be used unless the other two variables - are in play. - - name: sensor - overwrite: true - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS - based devices - - name: sig_id - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - overwrite: true - type: keyword - description: 'This key is used for Physical or logical port connection but does - NOT include a network port. (Example: Printer port name).' - - name: rule_group - overwrite: true - type: keyword - description: This key captures the Rule group name - - name: risk_num - overwrite: true - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - overwrite: true - type: keyword - description: This key captures the Value of the trigger or threshold condition. - - name: log_session_id1 - overwrite: true - type: keyword - description: This key is used to capture a Linked (Related) Session ID from - the session directly - - name: comp_version - overwrite: true - type: keyword - description: This key captures the Version level of a sub-component of a product. 
- - name: content_version - overwrite: true - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - overwrite: true - type: keyword - description: This key is used to capture unique identifier for a device or system - (NOT a Mac address) - - name: risk - overwrite: true - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - overwrite: true - type: keyword - - name: reason - overwrite: true - type: keyword - - name: status - overwrite: true - type: keyword - - name: mail_id - overwrite: true - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - overwrite: true - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - overwrite: true - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - overwrite: true - type: keyword - - name: p_msgid - overwrite: true - type: keyword - - name: data_type - overwrite: true - type: keyword - - name: msgIdPart4 - overwrite: true - type: keyword - - name: error - overwrite: true - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - overwrite: true - type: keyword - - name: listnum - overwrite: true - type: keyword - description: This key is used to capture listname or listnumber, primarily for - collecting access-list - - name: ntype - overwrite: true - type: keyword - - name: observed_val - overwrite: true - type: keyword - description: This key captures the Value observed (from the perspective of the - device generating the log). - - name: policy_value - overwrite: true - type: keyword - description: This key captures the contents of the policy. 
This contains details - about the policy - - name: pool_name - overwrite: true - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - overwrite: true - type: keyword - description: A default set of parameters which are overlayed onto a rule (or - rulename) which efffectively constitutes a template - - name: count - overwrite: true - type: keyword - - name: number - overwrite: true - type: keyword - - name: sigcat - overwrite: true - type: keyword - - name: type - overwrite: true - type: keyword - - name: comments - overwrite: true - type: keyword - description: Comment information provided in the log message - - name: doc_number - overwrite: true - type: long - description: This key captures File Identification number - - name: expected_val - overwrite: true - type: keyword - description: This key captures the Value expected (from the perspective of the - device generating the log). - - name: job_num - overwrite: true - type: keyword - description: This key captures the Job Number - - name: spi_dst - overwrite: true - type: keyword - description: Destination SPI Index - - name: spi_src - overwrite: true - type: keyword - description: Source SPI Index - - name: code - overwrite: true - type: keyword - - name: agent_id - overwrite: true - type: keyword - description: This key is used to capture agent id - - name: message_body - overwrite: true - type: keyword - description: This key captures the The contents of the message body. - - name: phone - overwrite: true - type: keyword - - name: sig_id_str - overwrite: true - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - overwrite: true - type: keyword - - name: misc - overwrite: true - type: keyword - - name: name - overwrite: true - type: keyword - - name: cpu - overwrite: true - type: long - description: This key is the CPU time used in the execution of the event being - recorded. 
- - name: event_desc - overwrite: true - type: keyword - description: This key is used to capture a description of an event available - directly or inferred - - name: sig_id1 - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID. This must be linked - to the sig.id - - name: im_buddyid - overwrite: true - type: keyword - - name: im_client - overwrite: true - type: keyword - - name: im_userid - overwrite: true - type: keyword - - name: pid - overwrite: true - type: keyword - - name: priority - overwrite: true - type: keyword - - name: context_subject - overwrite: true - type: keyword - description: This key is to be used in an audit context where the subject is - the object being identified - - name: context_target - overwrite: true - type: keyword - - name: cve - overwrite: true - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - - an identifier for known information security vulnerabilities. - - name: fcatnum - overwrite: true - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - overwrite: true - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - overwrite: true - type: keyword - description: This key captures the Parent Node Name. Must be related to node - variable. - - name: risk_info - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - overwrite: true - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - overwrite: true - type: long - description: This key describes the type of service - - name: vm_target - overwrite: true - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - overwrite: true - type: keyword - description: This key captures Workspace Description - - name: command - overwrite: true - type: keyword - - name: event_category - overwrite: true - type: keyword - - name: facilityname - overwrite: true - type: keyword - - name: forensic_info - overwrite: true - type: keyword - - name: jobname - overwrite: true - type: keyword - - name: mode - overwrite: true - type: keyword - - name: policy - overwrite: true - type: keyword - - name: policy_waiver - overwrite: true - type: keyword - - name: second - overwrite: true - type: keyword - - name: space1 - overwrite: true - type: keyword - - name: subcategory - overwrite: true - type: keyword - - name: tbdstr2 - overwrite: true - type: keyword - - name: alert_id - overwrite: true - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the the target - entity such as a process or file. - - name: checksum_src - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the source - entity such as a file or process. 
- - name: fresult - overwrite: true - type: long - description: This key captures the Filter Result - - name: payload_dst - overwrite: true - type: keyword - description: This key is used to capture destination payload - - name: payload_src - overwrite: true - type: keyword - description: This key is used to capture source payload - - name: pool_id - overwrite: true - type: keyword - description: This key captures the identifier (typically numeric field) of a - resource pool - - name: process_id_val - overwrite: true - type: keyword - description: This key is a failure key for Process ID when it is not an integer - value - - name: risk_num_comm - overwrite: true - type: double - description: This key captures Risk Number Community - - name: risk_num_next - overwrite: true - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - overwrite: true - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - overwrite: true - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - overwrite: true - type: keyword - description: SNMP Object Identifier - - name: sql - overwrite: true - type: keyword - description: This key captures the SQL query - - name: vuln_ref - overwrite: true - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - overwrite: true - type: keyword - - name: acl_op - overwrite: true - type: keyword - - name: acl_pos - overwrite: true - type: keyword - - name: acl_table - overwrite: true - type: keyword - - name: admin - overwrite: true - type: keyword - - name: alarm_id - overwrite: true - type: keyword - - name: alarmname - 
overwrite: true - type: keyword - - name: app_id - overwrite: true - type: keyword - - name: audit - overwrite: true - type: keyword - - name: audit_object - overwrite: true - type: keyword - - name: auditdata - overwrite: true - type: keyword - - name: benchmark - overwrite: true - type: keyword - - name: bypass - overwrite: true - type: keyword - - name: cache - overwrite: true - type: keyword - - name: cache_hit - overwrite: true - type: keyword - - name: cefversion - overwrite: true - type: keyword - - name: cfg_attr - overwrite: true - type: keyword - - name: cfg_obj - overwrite: true - type: keyword - - name: cfg_path - overwrite: true - type: keyword - - name: changes - overwrite: true - type: keyword - - name: client_ip - overwrite: true - type: keyword - - name: clustermembers - overwrite: true - type: keyword - - name: cn_acttimeout - overwrite: true - type: keyword - - name: cn_asn_src - overwrite: true - type: keyword - - name: cn_bgpv4nxthop - overwrite: true - type: keyword - - name: cn_ctr_dst_code - overwrite: true - type: keyword - - name: cn_dst_tos - overwrite: true - type: keyword - - name: cn_dst_vlan - overwrite: true - type: keyword - - name: cn_engine_id - overwrite: true - type: keyword - - name: cn_engine_type - overwrite: true - type: keyword - - name: cn_f_switch - overwrite: true - type: keyword - - name: cn_flowsampid - overwrite: true - type: keyword - - name: cn_flowsampintv - overwrite: true - type: keyword - - name: cn_flowsampmode - overwrite: true - type: keyword - - name: cn_inacttimeout - overwrite: true - type: keyword - - name: cn_inpermbyts - overwrite: true - type: keyword - - name: cn_inpermpckts - overwrite: true - type: keyword - - name: cn_invalid - overwrite: true - type: keyword - - name: cn_ip_proto_ver - overwrite: true - type: keyword - - name: cn_ipv4_ident - overwrite: true - type: keyword - - name: cn_l_switch - overwrite: true - type: keyword - - name: cn_log_did - overwrite: true - type: keyword - - name: 
cn_log_rid - overwrite: true - type: keyword - - name: cn_max_ttl - overwrite: true - type: keyword - - name: cn_maxpcktlen - overwrite: true - type: keyword - - name: cn_min_ttl - overwrite: true - type: keyword - - name: cn_minpcktlen - overwrite: true - type: keyword - - name: cn_mpls_lbl_1 - overwrite: true - type: keyword - - name: cn_mpls_lbl_10 - overwrite: true - type: keyword - - name: cn_mpls_lbl_2 - overwrite: true - type: keyword - - name: cn_mpls_lbl_3 - overwrite: true - type: keyword - - name: cn_mpls_lbl_4 - overwrite: true - type: keyword - - name: cn_mpls_lbl_5 - overwrite: true - type: keyword - - name: cn_mpls_lbl_6 - overwrite: true - type: keyword - - name: cn_mpls_lbl_7 - overwrite: true - type: keyword - - name: cn_mpls_lbl_8 - overwrite: true - type: keyword - - name: cn_mpls_lbl_9 - overwrite: true - type: keyword - - name: cn_mplstoplabel - overwrite: true - type: keyword - - name: cn_mplstoplabip - overwrite: true - type: keyword - - name: cn_mul_dst_byt - overwrite: true - type: keyword - - name: cn_mul_dst_pks - overwrite: true - type: keyword - - name: cn_muligmptype - overwrite: true - type: keyword - - name: cn_sampalgo - overwrite: true - type: keyword - - name: cn_sampint - overwrite: true - type: keyword - - name: cn_seqctr - overwrite: true - type: keyword - - name: cn_spackets - overwrite: true - type: keyword - - name: cn_src_tos - overwrite: true - type: keyword - - name: cn_src_vlan - overwrite: true - type: keyword - - name: cn_sysuptime - overwrite: true - type: keyword - - name: cn_template_id - overwrite: true - type: keyword - - name: cn_totbytsexp - overwrite: true - type: keyword - - name: cn_totflowexp - overwrite: true - type: keyword - - name: cn_totpcktsexp - overwrite: true - type: keyword - - name: cn_unixnanosecs - overwrite: true - type: keyword - - name: cn_v6flowlabel - overwrite: true - type: keyword - - name: cn_v6optheaders - overwrite: true - type: keyword - - name: comp_class - overwrite: true - type: 
keyword - - name: comp_name - overwrite: true - type: keyword - - name: comp_rbytes - overwrite: true - type: keyword - - name: comp_sbytes - overwrite: true - type: keyword - - name: cpu_data - overwrite: true - type: keyword - - name: criticality - overwrite: true - type: keyword - - name: cs_agency_dst - overwrite: true - type: keyword - - name: cs_analyzedby - overwrite: true - type: keyword - - name: cs_av_other - overwrite: true - type: keyword - - name: cs_av_primary - overwrite: true - type: keyword - - name: cs_av_secondary - overwrite: true - type: keyword - - name: cs_bgpv6nxthop - overwrite: true - type: keyword - - name: cs_bit9status - overwrite: true - type: keyword - - name: cs_context - overwrite: true - type: keyword - - name: cs_control - overwrite: true - type: keyword - - name: cs_data - overwrite: true - type: keyword - - name: cs_datecret - overwrite: true - type: keyword - - name: cs_dst_tld - overwrite: true - type: keyword - - name: cs_eth_dst_ven - overwrite: true - type: keyword - - name: cs_eth_src_ven - overwrite: true - type: keyword - - name: cs_event_uuid - overwrite: true - type: keyword - - name: cs_filetype - overwrite: true - type: keyword - - name: cs_fld - overwrite: true - type: keyword - - name: cs_if_desc - overwrite: true - type: keyword - - name: cs_if_name - overwrite: true - type: keyword - - name: cs_ip_next_hop - overwrite: true - type: keyword - - name: cs_ipv4dstpre - overwrite: true - type: keyword - - name: cs_ipv4srcpre - overwrite: true - type: keyword - - name: cs_lifetime - overwrite: true - type: keyword - - name: cs_log_medium - overwrite: true - type: keyword - - name: cs_loginname - overwrite: true - type: keyword - - name: cs_modulescore - overwrite: true - type: keyword - - name: cs_modulesign - overwrite: true - type: keyword - - name: cs_opswatresult - overwrite: true - type: keyword - - name: cs_payload - overwrite: true - type: keyword - - name: cs_registrant - overwrite: true - type: keyword - - 
name: cs_registrar - overwrite: true - type: keyword - - name: cs_represult - overwrite: true - type: keyword - - name: cs_rpayload - overwrite: true - type: keyword - - name: cs_sampler_name - overwrite: true - type: keyword - - name: cs_sourcemodule - overwrite: true - type: keyword - - name: cs_streams - overwrite: true - type: keyword - - name: cs_targetmodule - overwrite: true - type: keyword - - name: cs_v6nxthop - overwrite: true - type: keyword - - name: cs_whois_server - overwrite: true - type: keyword - - name: cs_yararesult - overwrite: true - type: keyword - - name: description - overwrite: true - type: keyword - - name: devvendor - overwrite: true - type: keyword - - name: distance - overwrite: true - type: keyword - - name: dstburb - overwrite: true - type: keyword - - name: edomain - overwrite: true - type: keyword - - name: edomaub - overwrite: true - type: keyword - - name: euid - overwrite: true - type: keyword - - name: facility - overwrite: true - type: keyword - - name: finterface - overwrite: true - type: keyword - - name: flags - overwrite: true - type: keyword - - name: gaddr - overwrite: true - type: keyword - - name: id3 - overwrite: true - type: keyword - - name: im_buddyname - overwrite: true - type: keyword - - name: im_croomid - overwrite: true - type: keyword - - name: im_croomtype - overwrite: true - type: keyword - - name: im_members - overwrite: true - type: keyword - - name: im_username - overwrite: true - type: keyword - - name: ipkt - overwrite: true - type: keyword - - name: ipscat - overwrite: true - type: keyword - - name: ipspri - overwrite: true - type: keyword - - name: latitude - overwrite: true - type: keyword - - name: linenum - overwrite: true - type: keyword - - name: list_name - overwrite: true - type: keyword - - name: load_data - overwrite: true - type: keyword - - name: location_floor - overwrite: true - type: keyword - - name: location_mark - overwrite: true - type: keyword - - name: log_id - overwrite: true - 
type: keyword - - name: log_type - overwrite: true - type: keyword - - name: logid - overwrite: true - type: keyword - - name: logip - overwrite: true - type: keyword - - name: logname - overwrite: true - type: keyword - - name: longitude - overwrite: true - type: keyword - - name: lport - overwrite: true - type: keyword - - name: mbug_data - overwrite: true - type: keyword - - name: misc_name - overwrite: true - type: keyword - - name: msg_type - overwrite: true - type: keyword - - name: msgid - overwrite: true - type: keyword - - name: netsessid - overwrite: true - type: keyword - - name: num - overwrite: true - type: keyword - - name: number1 - overwrite: true - type: keyword - - name: number2 - overwrite: true - type: keyword - - name: nwwn - overwrite: true - type: keyword - - name: object - overwrite: true - type: keyword - - name: operation - overwrite: true - type: keyword - - name: opkt - overwrite: true - type: keyword - - name: orig_from - overwrite: true - type: keyword - - name: owner_id - overwrite: true - type: keyword - - name: p_action - overwrite: true - type: keyword - - name: p_filter - overwrite: true - type: keyword - - name: p_group_object - overwrite: true - type: keyword - - name: p_id - overwrite: true - type: keyword - - name: p_msgid1 - overwrite: true - type: keyword - - name: p_msgid2 - overwrite: true - type: keyword - - name: p_result1 - overwrite: true - type: keyword - - name: password_chg - overwrite: true - type: keyword - - name: password_expire - overwrite: true - type: keyword - - name: permgranted - overwrite: true - type: keyword - - name: permwanted - overwrite: true - type: keyword - - name: pgid - overwrite: true - type: keyword - - name: policyUUID - overwrite: true - type: keyword - - name: prog_asp_num - overwrite: true - type: keyword - - name: program - overwrite: true - type: keyword - - name: real_data - overwrite: true - type: keyword - - name: rec_asp_device - overwrite: true - type: keyword - - name: rec_asp_num 
- overwrite: true - type: keyword - - name: rec_library - overwrite: true - type: keyword - - name: recordnum - overwrite: true - type: keyword - - name: ruid - overwrite: true - type: keyword - - name: sburb - overwrite: true - type: keyword - - name: sdomain_fld - overwrite: true - type: keyword - - name: sec - overwrite: true - type: keyword - - name: sensorname - overwrite: true - type: keyword - - name: seqnum - overwrite: true - type: keyword - - name: session - overwrite: true - type: keyword - - name: sessiontype - overwrite: true - type: keyword - - name: sigUUID - overwrite: true - type: keyword - - name: spi - overwrite: true - type: keyword - - name: srcburb - overwrite: true - type: keyword - - name: srcdom - overwrite: true - type: keyword - - name: srcservice - overwrite: true - type: keyword - - name: state - overwrite: true - type: keyword - - name: status1 - overwrite: true - type: keyword - - name: svcno - overwrite: true - type: keyword - - name: system - overwrite: true - type: keyword - - name: tbdstr1 - overwrite: true - type: keyword - - name: tgtdom - overwrite: true - type: keyword - - name: tgtdomain - overwrite: true - type: keyword - - name: threshold - overwrite: true - type: keyword - - name: type1 - overwrite: true - type: keyword - - name: udb_class - overwrite: true - type: keyword - - name: url_fld - overwrite: true - type: keyword - - name: user_div - overwrite: true - type: keyword - - name: userid - overwrite: true - type: keyword - - name: username_fld - overwrite: true - type: keyword - - name: utcstamp - overwrite: true - type: keyword - - name: v_instafname - overwrite: true - type: keyword - - name: virt_data - overwrite: true - type: keyword - - name: vpnid - overwrite: true - type: keyword - - name: autorun_type - overwrite: true - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - overwrite: true - type: long - description: Valid Credit Card Numbers only - - name: content - 
overwrite: true - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - overwrite: true - type: long - description: Employee Identification Numbers only - - name: found - overwrite: true - type: keyword - description: This is used to capture the results of regex match - - name: language - overwrite: true - type: keyword - description: This is used to capture list of languages the client support and - what it prefers - - name: lifetime - overwrite: true - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - overwrite: true - type: keyword - description: This key is used to link the sessions together. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: match - overwrite: true - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - overwrite: true - type: keyword - description: This key captures the command line/launch argument of the target - process or file - - name: param_src - overwrite: true - type: keyword - description: This key captures source parameter - - name: search_text - overwrite: true - type: keyword - description: This key captures the Search Text used - - name: sig_name - overwrite: true - type: keyword - description: This key is used to capture the Signature Name only. - - name: snmp_value - overwrite: true - type: keyword - description: SNMP set request value - - name: streams - overwrite: true - type: long - description: This key captures number of streams in session - - name: db - overwrite: true - type: group - fields: - - name: index - overwrite: true - type: keyword - description: This key captures IndexID of the index. 
- - name: instance - overwrite: true - type: keyword - description: This key is used to capture the database server instance name - - name: database - overwrite: true - type: keyword - description: This key is used to capture the name of a database or an instance - as seen in a session - - name: transact_id - overwrite: true - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - overwrite: true - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - overwrite: true - type: keyword - description: This key is used to capture the table name - - name: db_id - overwrite: true - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - overwrite: true - type: long - description: This key captures the process id of a connection with database - server - - name: lread - overwrite: true - type: long - description: This key is used for the number of logical reads - - name: lwrite - overwrite: true - type: long - description: This key is used for the number of logical writes - - name: pread - overwrite: true - type: long - description: This key is used for the number of physical writes - - name: network - overwrite: true - type: group - fields: - - name: alias_host - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a hostname is not clear.Also it captures the Device Hostname. Any Hostname - that isnt ad.computer. 
- - name: domain - overwrite: true - type: keyword - - name: host_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Hostname" - - name: network_service - overwrite: true - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of an interface is not clear - - name: network_port - overwrite: true - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently - used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - overwrite: true - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Interface" - - name: dinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Interface" - - name: vlan - overwrite: true - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Zone." - - name: zone - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a Zone is not clear - - name: zone_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Zone." - - name: gateway - overwrite: true - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - overwrite: true - type: long - description: This key is used to capture the ICMP type only - - name: mask - overwrite: true - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - overwrite: true - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - overwrite: true - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - overwrite: true - type: keyword - description: This key is used for Destionation Device network mask - - name: port - overwrite: true - type: long - description: This key should only be used to capture a Network Port when the - directionality is not clear - - name: smask - overwrite: true - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - overwrite: true - type: keyword - description: This key is used to capture the network name associated with an - IP range. This is configured by the end user. - - name: paddr - overwrite: true - type: ip - description: Deprecated - - name: faddr - overwrite: true - type: keyword - - name: lhost - overwrite: true - type: keyword - - name: origin - overwrite: true - type: keyword - - name: remote_domain_id - overwrite: true - type: keyword - - name: addr - overwrite: true - type: keyword - - name: dns_a_record - overwrite: true - type: keyword - - name: dns_ptr_record - overwrite: true - type: keyword - - name: fhost - overwrite: true - type: keyword - - name: fport - overwrite: true - type: keyword - - name: laddr - overwrite: true - type: keyword - - name: linterface - overwrite: true - type: keyword - - name: phost - overwrite: true - type: keyword - - name: ad_computer_dst - overwrite: true - type: keyword - description: Deprecated, use host.dst - - name: eth_type - overwrite: true - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols - Only - - name: ip_proto - overwrite: true - type: long - description: This key should be used to capture the Protocol number, all the - protocol nubers are converted into string in UI - - name: dns_cname_record - overwrite: true - 
type: keyword - - name: dns_id - overwrite: true - type: keyword - - name: dns_opcode - overwrite: true - type: keyword - - name: dns_resp - overwrite: true - type: keyword - - name: dns_type - overwrite: true - type: keyword - - name: domain1 - overwrite: true - type: keyword - - name: host_type - overwrite: true - type: keyword - - name: packet_length - overwrite: true - type: keyword - - name: host_orig - overwrite: true - type: keyword - description: This is used to capture the original hostname in case of a Forwarding - Agent or a Proxy in between. - - name: rpayload - overwrite: true - type: keyword - description: This key is used to capture the total number of payload bytes seen - in the retransmitted packets. - - name: vlan_name - overwrite: true - type: keyword - description: This key should only be used to capture the name of the Virtual - LAN - - name: investigations - overwrite: true - type: group - fields: - - name: ec_activity - overwrite: true - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - overwrite: true - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - overwrite: true - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - overwrite: true - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - overwrite: true - type: long - description: This key captures the Event category number - - name: event_cat_name - overwrite: true - type: keyword - description: This key captures the event category name corresponding to the - event cat code - - name: event_vcat - overwrite: true - type: keyword - description: This is a vendor supplied category. This should be used in situations - where the vendor has adopted their own event_category taxonomy. 
- - name: analysis_file - overwrite: true - type: keyword - description: This is used to capture all indicators used in a File Analysis. - This key should be used to capture an analysis of a file - - name: analysis_service - overwrite: true - type: keyword - description: This is used to capture all indicators used in a Service Analysis. - This key should be used to capture an analysis of a service - - name: analysis_session - overwrite: true - type: keyword - description: This is used to capture all indicators used for a Session Analysis. - This key should be used to capture an analysis of a session - - name: boc - overwrite: true - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - overwrite: true - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - overwrite: true - type: keyword - description: This used to capture investigation category - - name: inv_context - overwrite: true - type: keyword - description: This used to capture investigation context - - name: ioc - overwrite: true - type: keyword - description: This is key capture indicator of compromise - - name: counters - overwrite: true - type: group - fields: - - name: dclass_c1 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c1.str only - - name: dclass_c2 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c2.str only - - name: event_counter - overwrite: true - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r1.str only - - name: dclass_c3 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c3.str only - - name: dclass_c1_str - 
overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c1 only - - name: dclass_c2_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c2 only - - name: dclass_r1_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r1 only - - name: dclass_r2 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r2.str only - - name: dclass_c3_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c3 only - - name: dclass_r3 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r3.str only - - name: dclass_r2_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r2 only - - name: dclass_r3_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r3 only - - name: identity - overwrite: true - type: group - fields: - - name: auth_method - overwrite: true - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - overwrite: true - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - overwrite: true - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - overwrite: true - type: keyword - description: This key is used to capture the type of logon method used. 
- - name: profile - overwrite: true - type: keyword - description: This key is used to capture the user profile - - name: accesses - overwrite: true - type: keyword - description: This key is used to capture actual privileges used in accessing - an object - - name: realm - overwrite: true - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - overwrite: true - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that - indicates a Source dn - - name: org - overwrite: true - type: keyword - description: This key captures the User organization - - name: dn_dst - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that - indicates a Destination dn - - name: firstname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: lastname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: user_dept - overwrite: true - type: keyword - description: User's Department Names only - - name: user_sid_src - overwrite: true - type: keyword - description: This key captures Source User Session ID - - name: federated_sp - overwrite: true - type: keyword - description: This key is the Federated Service Provider. This is the application - requesting authentication. - - name: federated_idp - overwrite: true - type: keyword - description: This key is the federated Identity Provider. This is the server - providing the authentication. - - name: logon_type_desc - overwrite: true - type: keyword - description: This key is used to capture the textual description of an integer - logon type as stored in the meta key 'logon.type'. 
- - name: middlename - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: password - overwrite: true - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - overwrite: true - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - overwrite: true - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ - t have a clear query or response context" - - name: ldap_query - overwrite: true - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - overwrite: true - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - overwrite: true - type: keyword - description: This is used to capture username the process or service is running - as, the author of the task - - name: service_account - overwrite: true - type: keyword - description: This key is a windows specific key, used for capturing name of - the account a service (referenced in the event) is running under. Legacy Usage - - name: email - overwrite: true - type: group - fields: - - name: email_dst - overwrite: true - type: keyword - description: This key is used to capture the Destination email address only, - when the destination context is not clear use email - - name: email_src - overwrite: true - type: keyword - description: This key is used to capture the source email address only, when - the source context is not clear use email - - name: subject - overwrite: true - type: keyword - description: This key is used to capture the subject string from an Email only. 
- - name: email - overwrite: true - type: keyword - description: This key is used to capture a generic email address where the source - or destination context is not clear - - name: trans_from - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: file - overwrite: true - type: group - fields: - - name: privilege - overwrite: true - type: keyword - description: Deprecated, use permissions - - name: attachment - overwrite: true - type: keyword - description: This key captures the attachment file name - - name: filesystem - overwrite: true - type: keyword - - name: binary - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: filename_dst - overwrite: true - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - overwrite: true - type: keyword - description: This is used to capture name of the parent filename, the file which - performed the action - - name: filename_tmp - overwrite: true - type: keyword - - name: directory_dst - overwrite: true - type: keyword - description: This key is used to capture the directory of the target process - or file - - name: directory_src - overwrite: true - type: keyword - description: This key is used to capture the directory of the source process - or file - - name: file_entropy - overwrite: true - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - overwrite: true - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - overwrite: true - type: keyword - description: This is used to capture name of the task - - name: web - overwrite: true - type: group - fields: - - name: fqdn - overwrite: true - type: keyword - description: Fully Qualified Domain Names - - 
name: web_cookie - overwrite: true - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - overwrite: true - type: keyword - - name: reputation_num - overwrite: true - type: double - description: Reputation Number of an entity. Typically used for Web Domains - - name: web_ref_domain - overwrite: true - type: keyword - description: Web referer's domain - - name: web_ref_query - overwrite: true - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - overwrite: true - type: keyword - - name: web_ref_page - overwrite: true - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - overwrite: true - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - overwrite: true - type: keyword - - name: cn_rpackets - overwrite: true - type: keyword - - name: urlpage - overwrite: true - type: keyword - - name: urlroot - overwrite: true - type: keyword - - name: p_url - overwrite: true - type: keyword - - name: p_user_agent - overwrite: true - type: keyword - - name: p_web_cookie - overwrite: true - type: keyword - - name: p_web_method - overwrite: true - type: keyword - - name: p_web_referer - overwrite: true - type: keyword - - name: web_extension_tmp - overwrite: true - type: keyword - - name: web_page - overwrite: true - type: keyword - - name: threat - overwrite: true - type: group - fields: - - name: threat_category - overwrite: true - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of - alert - - name: threat_desc - overwrite: true - type: keyword - description: This key is used to capture the threat description from the session - directly or inferred - - name: alert - overwrite: true - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - overwrite: true - type: keyword - description: This key is used to 
capture source of the threat - - name: crypto - overwrite: true - type: group - fields: - - name: crypto - overwrite: true - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key - only - - name: cipher_src - overwrite: true - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - overwrite: true - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - overwrite: true - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - overwrite: true - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - overwrite: true - type: keyword - description: IKE negotiation phase. - - name: scheme - overwrite: true - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - overwrite: true - type: keyword - description: "This key is for Encryption peer\u2019s identity" - - name: sig_type - overwrite: true - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - overwrite: true - type: keyword - - name: cert_host_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: cert_error - overwrite: true - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - overwrite: true - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - overwrite: true - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - overwrite: true - type: keyword - description: Deprecated, use version - - name: d_certauth - overwrite: true - type: keyword - - name: s_certauth - overwrite: true - type: keyword - - name: ike_cookie1 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - - name: ike_cookie2 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - - name: cert_checksum - overwrite: true - type: keyword - - name: cert_host_cat - overwrite: true - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - overwrite: true - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - overwrite: true - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - overwrite: true - type: keyword - description: Deprecated, use version - - name: cert_keysize - overwrite: true - type: keyword - - name: cert_username - overwrite: true - type: keyword - - name: https_insact - overwrite: true - type: keyword - - name: https_valid - overwrite: true - type: keyword - - name: cert_ca - overwrite: true - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - overwrite: true - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - overwrite: true - type: group - fields: - - name: wlan_ssid - overwrite: true - type: keyword - description: This key is 
used to capture the ssid of a Wireless Session - - name: access_point - overwrite: true - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - overwrite: true - type: long - description: This is used to capture the channel names - - name: wlan_name - overwrite: true - type: keyword - description: This key captures either WLAN number/name - - name: storage - overwrite: true - type: group - fields: - - name: disk_volume - overwrite: true - type: keyword - description: A unique name assigned to logical units (volumes) within a physical - disk - - name: lun - overwrite: true - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - overwrite: true - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - overwrite: true - type: group - fields: - - name: org_dst - overwrite: true - type: keyword - description: This is used to capture the destination organization based on the - GEOPIP Maxmind database. - - name: org_src - overwrite: true - type: keyword - description: This is used to capture the source organization based on the GEOPIP - Maxmind database. 
- - name: healthcare - overwrite: true - type: group - fields: - - name: patient_fname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_id - overwrite: true - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_mname - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: endpoint - overwrite: true - type: group - fields: - - name: host_state - overwrite: true - type: keyword - description: This key is used to capture the current state of the machine, such - as blacklisted, infected, firewall - disabled and so on - - name: registry_key - overwrite: true - type: keyword - description: This key captures the path to the registry key - - name: registry_value - overwrite: true - type: keyword - description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml b/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml deleted file mode 100644 index 5505a5c6f03..00000000000 --- a/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml +++ /dev/null 
@@ -1,93 +0,0 @@
-{{ if eq .input "file" }}
-
-type: log
-paths:
- {{ range $i, $path := .paths }}
-- {{$path}}
- {{ end }}
-exclude_files: [".gz$"]
-
-{{ else if eq .input "tcp" }}
-
-type: {{.input}}
-host: "{{.syslog_host}}:{{.syslog_port}}"
-framing: rfc6587
-
-{{ else if eq .input "udp" }}
-
-type: {{.input}}
-host: "{{.syslog_host}}:{{.syslog_port}}"
-
-{{ end }}
-
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
-
-fields_under_root: true
-fields:
- observer:
- vendor: "Fortinet"
- product: "FortiClient"
- type: "Anti-Virus"
-
-processors:
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{.rsa_fields}}
- tz_offset: {{.tz_offset}}
- keep_raw: {{.keep_raw_fields}}
- debug: {{.debug}}
- files:
- - ${path.home}/module/fortinet/clientendpoint/config/liblogparser.js
- - ${path.home}/module/fortinet/clientendpoint/config/pipeline.js
-{{ if .community_id }}
-- community_id: ~
-{{ end }}
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: dns.question.name
- target_field: dns.question.registered_domain
- target_subdomain_field: dns.question.subdomain
- target_etld_field: dns.question.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: client.domain
- target_field: client.registered_domain
- target_subdomain_field: client.subdomain
- target_etld_field: client.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: server.domain
- target_field: server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js b/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js
deleted file mode 100644
index b35eaa3ddce..00000000000
--- a/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js
+++ /dev/null
@@ -1,2514 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -/* jshint -W014,-W016,-W097,-W116 */ - -var processor = require("processor"); -var console = require("console"); - -var FLAG_FIELD = "log.flags"; -var FIELDS_OBJECT = "nwparser"; -var FIELDS_PREFIX = FIELDS_OBJECT + "."; - -var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true -}; - -var saved_flags = null; -var debug; -var map_ecs; -var map_rsa; -var keep_raw; -var device; -var tz_offset; -var strip_priority; - -// Register params from configuration. -function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); -} - -function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } -} - -function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); -} - -function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); -} - -function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; -} - -function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; -} - -function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; -} - -var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); -})(); - -function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; -} - -function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } -} - -function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; -} - -function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; -} - -function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; -} - -function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; -} - -var start; - -function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); -} - -function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); -} - -function constant(value) { - return function (evt) { - return value; - }; -} - -function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; -} - -function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; -} - -// TODO: Implement -function DIRCHK(args) { - unimplemented("DIRCHK"); -} - -function strictToInt(str) { - return str * 1; -} - -function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - var result; - switch 
(args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; -} - -var quoteChars = "\"'`"; -function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; -} - -function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; -} - -function nop(evt) { -} - -function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); -} - -function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); -} - -function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; -} - -function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); -} - -function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; -} - -function setc(dst, value) { - return function (evt) { - evt.Put(FIELDS_PREFIX + dst, value); - }; 
-} - -function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; -} - -function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; -} - -function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; -} - -function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; -} - -// Make two-digit dates 00-69 interpreted as 2000-2069 -// and dates 70-99 translated to 1970-1999. -var twoDigitYearEpoch = 70; -var twoDigitYearCentury = 2000; - -// This is to accept dates up to 2 days in the future, only used when -// no year is specified in a date. 2 days should be enough to account for -// time differences between systems and different tz offsets. -var maxFutureDelta = 2*24*60*60*1000; - -// DateContainer stores date fields and then converts those fields into -// a Date. Necessary because building a Date using its set() methods gives -// different results depending on the order of components. -function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; -} - -DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } -} - -function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; -} - -function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; -} - -function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; -} - -var uA = 60 * 60 * 24; -var uD = 60 * 60 * 24; -var uF = 60 * 60; -var uG = 60 * 60 * 24 * 30; -var uH = 60 * 60; -var uI = 60 * 60; -var uJ = 60 * 60 * 24; -var uM = 60 * 60 * 24 * 30; -var uN = 60 * 60; -var uO = 1; -var uS = 1; -var uT = 60; -var uU = 60; -var uc = dc; - -function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; -} - -function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 5], - "dec": [11, 4], 
-}; - -// var dC = undefined; -var dR = dateMonthName(true); -var dB = dateMonthName(false); -var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); -var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); -var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); -var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); -var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); -var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 -var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); -var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); -var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); -var dP = parseAMPM; // AM|PM -var dQ = parseAMPM; // A.M.|P.M -var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); -var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); -var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); -var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); -var dZ = parseHMS; -var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - -// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. -// Only works if this modifier appears after the hour has been read from logs -// which is always the case in the 300 devices. 
-function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; -} - -function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); -} - -function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; -} - -function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; -} - -function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; -} - -function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; -} - -function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; -} - -// Short month name (Jan..Dec). -function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; -} - -function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; -} - -// The following regular expression for parsing URLs from: -// https://github.com/wizard04wsu/URI_Parsing -// -// The MIT License (MIT) -// -// Copyright (c) 2014 Andrew Harrison -// -// Permission is hereby granted, free of charge, to any person obtaining a copy of -// this software and associated documentation files (the "Software"), to deal in -// the Software without restriction, including without limitation the rights to -// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -// the Software, and to permit persons to whom the Software is furnished to do so, -// subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
-var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - -var uriScheme = 1; -var uriDomain = 5; -var uriPort = 6; -var uriPath = 7; -var uriPathAlt = 9; -var uriQuery = 11; - -function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); -} - -function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; -} - -function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; -} - -var extFromPage = /\.[^.]+$/; -function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } -} - -function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); -} - -function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); -} - -var pageFromPathRegExp = /\/([^\/]+)$/; -var pageName = 1; - -function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; -} - -function page(dst, src) { - return url_wrapper(dst, src, extract_page); -} - -function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; -} - -function path(dst, src) { - return url_wrapper(dst, src, extract_path); -} - -// Map common schemes to their default port. -// port has to be a string (will be converted at a later stage). 
-var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", -}; - -function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } -} - -function port(dst, src) { - return url_wrapper(dst, src, extract_port); -} - -function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; -} - -function query(dst, src) { - return url_wrapper(dst, src, extract_query); -} - -function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } -} - -function root(dst, src) { - return url_wrapper(dst, src, extract_root); -} - -function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } -} - -var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, -}; - -var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, 
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, -}; - -function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } -} - -// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. -var maxSafeInt = Math.pow(2, 53) - 1; -var minSafeInt = -maxSafeInt; - -function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; -} - -function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); -} - -var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; -var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - -function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; -} - -function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; -} - -function to_double(value) { - return parseFloat(value); -} - -function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; -} - -function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; -} - -function fld_set(dst, value) { - dst[this.field] = { v: value }; -} - -function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } -} - -function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } -} - -var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true -}; - -function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } -} - -function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } -} - -function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); -} - -var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, -]; - -function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - tzOffset = 
evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{fld2->} %{fld3->} %{hostname->} proto=%{protocol->} service=%{network_service->} status=deny src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} server_app=%{fld12->} pid=%{process_id->} app_name=%{fld14->} traff_direct=%{direction->} block_count=%{dclass_counter1->} logon_user=%{username}@%{domain->} msg=%{result}", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup2, - dup8, -])); - -var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} proto=%{hprotocol->} service=%{messageid->} status=%{haction->} src=%{hsaddr->} dst=%{hdaddr->} src_port=%{hsport->} dst_port=%{hdport->} %{p0}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hmonth"), - constant(" "), - field("hday"), - constant(" "), - field("htime"), - constant(" "), - field("hhostname"), - constant(" proto="), - field("hprotocol"), - constant(" service="), - field("messageid"), - constant(" status="), - field("haction"), - constant(" src="), - field("hsaddr"), - constant(" dst="), - field("hdaddr"), - constant(" src_port="), - field("hsport"), - constant(" dst_port="), - field("hdport"), - constant(" "), - field("p0"), - ], - }), -])); - -var hdr2 = match("HEADER#1:0003", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} (%{messageid->} %{hfld5->} times in last %{hfld6}) %{hfld7->} %{hfld8}::%{p0}", processor_chain([ - setc("header_id","0003"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hmonth"), - constant(" "), - field("hday"), - constant(" "), - field("htime"), - constant(" "), - field("hhostname"), - constant(" ("), - field("messageid"), - constant(" "), - field("hfld5"), - constant(" times in last "), - field("hfld6"), - constant(") "), - field("hfld7"), - constant(" "), - field("hfld8"), - constant("::"), - field("p0"), - ], - }), 
-])); - -var hdr3 = match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} %{messageid->} %{hfld5}::%{p0}", processor_chain([ - setc("header_id","0002"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hmonth"), - constant(" "), - field("hday"), - constant(" "), - field("htime"), - constant(" "), - field("hhostname"), - constant(" "), - field("messageid"), - constant(" "), - field("hfld5"), - constant("::"), - field("p0"), - ], - }), -])); - -var select1 = linear_select([ - hdr1, - hdr2, - hdr3, -]); - -var part1 = match("MESSAGE#0:enter", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} enter %{info}", processor_chain([ - dup1, - dup2, -])); - -var msg1 = msg("enter", part1); - -var part2 = match("MESSAGE#1:repeated", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} (repeated %{fld5->} times in last %{fld6}) enter %{info}", processor_chain([ - dup1, - dup2, -])); - -var msg2 = msg("repeated", part2); - -var msg3 = msg("ms-wbt-server", dup9); - -var msg4 = msg("http", dup9); - -var msg5 = msg("https", dup9); - -var msg6 = msg("smtp", dup9); - -var msg7 = msg("pop3", dup9); - -var chain1 = processor_chain([ - select1, - msgid_select({ - "enter": msg1, - "http": msg4, - "https": msg5, - "ms-wbt-server": msg3, - "pop3": msg7, - "repeated": msg2, - "smtp": msg6, - }), -]); - -var part3 = match("MESSAGE#2:ms-wbt-server", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} proto=%{protocol->} service=%{network_service->} status=deny src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} server_app=%{fld12->} pid=%{process_id->} app_name=%{fld14->} traff_direct=%{direction->} block_count=%{dclass_counter1->} logon_user=%{username}@%{domain->} msg=%{result}", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup2, - dup8, -])); 
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml deleted file mode 100644 index 28fa93a69a2..00000000000 --- a/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml +++ /dev/null @@ -1,64 +0,0 @@ ---- -description: Pipeline for Fortinet FortiClient Endpoint Security - -processors: - # ECS event.ingested - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - # User agent - - user_agent: - field: user_agent.original - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.hosts - value: '{{host.name}}' - allow_duplicates: false - if: ctx.host?.name != null && ctx.host?.name != '' -on_failure: - - append: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/manifest.yml b/x-pack/filebeat/module/fortinet/clientendpoint/manifest.yml deleted file mode 100644 index d51ef04d332..00000000000 
--- a/x-pack/filebeat/module/fortinet/clientendpoint/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -module_version: "1.0" - -var: - - name: paths - - name: tags - default: ["fortinet.clientendpoint", "forwarded"] - - name: syslog_host - default: localhost - - name: syslog_port - default: 9530 - - name: input - default: udp - - name: community_id - default: true - - name: tz_offset - default: local - - name: rsa_fields - default: true - - name: keep_raw_fields - default: false - - name: debug - default: false - -ingest_pipeline: ingest/pipeline.yml -input: config/input.yml - -requires.processors: -- name: geoip - plugin: ingest-geoip -- name: user_agent - plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log deleted file mode 100644 index 11c42635932..00000000000 --- a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log +++ /dev/null 
@@ -1,100 +0,0 @@ -January 29 06:09:59 boNemoe4402.www.invalid proto=udp service=http status=deny src=10.150.92.220 dst=10.102.123.34 src_port=7178 dst_port=3994 server_app=reeufugi pid=7880 app_name=enderitq traff_direct=external block_count=5286 logon_user=sumdo@litesse6379.api.domain msg=failure -February 12 13:12:33 olupt4880.api.home proto=icmp service=https status=deny src=10.33.212.159 dst=10.149.203.46 src_port=2789 dst_port=5861 server_app=vol pid=4539 app_name=uidolor traff_direct=internal block_count=4402 logon_user=mipsumq@gnaali6189.internal.localhost msg=unknown -February 26 20:15:08 aqu1628.internal.domain proto=ipv6-icmp service=smtp status=deny src=10.173.116.41 dst=10.118.175.9 src_port=3710 dst_port=2802 server_app=aer pid=445 app_name=nse traff_direct=unknown block_count=7019 logon_user=uame@quis1130.internal.corp msg=success -March 12 03:17:42 tinculp2940.internal.local proto=ggp service=https status=deny src=10.134.137.177 dst=10.202.204.154 src_port=7868 dst_port=3587 server_app=amco pid=5712 app_name=psumquia traff_direct=unknown block_count=2458 logon_user=orsitame@reprehe189.internal.home msg=success -March 26 10:20:16 rad2103.api.domain proto=ipv6-icmp service=pop3 status=deny src=10.245.142.250 dst=10.70.0.60 src_port=5408 dst_port=4982 server_app=estqui pid=6557 app_name=magn traff_direct=inbound block_count=2638 logon_user=eos@enimad2283.internal.domain msg=failure -April 9 17:22:51 enim5316.www5.local proto=ipv6-icmp service=smtp status=deny src=10.202.72.124 dst=10.200.188.142 src_port=4665 dst_port=7143 server_app=omnis pid=2061 app_name=eip traff_direct=external block_count=513 logon_user=iusmodt@doloreeu3553.www5.home msg=unknown -April 24 00:25:25 reetdolo2770.www5.local proto=tcp service=pop3 status=deny src=10.12.44.169 dst=10.214.225.125 src_port=5710 dst_port=2121 server_app=inBCSedu pid=5722 app_name=tanimi traff_direct=outbound block_count=6071 logon_user=erep@iutal13.api.localdomain msg=failure -May 8 07:27:59 
isiu1114.internal.corp proto=icmp service=http status=deny src=10.66.108.11 dst=10.198.136.50 src_port=6875 dst_port=2089 server_app=ipis pid=5037 app_name=ari traff_direct=unknown block_count=3856 logon_user=uptatev@uovol492.www.localhost msg=unknown -May 22 14:30:33 usmodte1296.www.corp proto=igmp service=ms-wbt-server status=deny src=10.178.244.31 dst=10.69.20.77 src_port=3857 dst_port=7579 server_app=nonnu pid=776 app_name=riat traff_direct=unknown block_count=5575 logon_user=umdolor@osquir6997.corp msg=failure -June 5 21:33:08 tatno4987.www5.localhost proto=ggp service=pop3 status=deny src=10.54.231.100 dst=10.203.5.162 src_port=5616 dst_port=7290 server_app=iam pid=6096 app_name=ciati traff_direct=unknown block_count=3162 logon_user=umdolore@eniam7007.api.invalid msg=success -June 20 04:35:42 tatno6787.internal.localhost proto=icmp service=pop3 status=deny src=10.65.83.160 dst=10.136.252.240 src_port=3592 dst_port=4105 server_app=uradi pid=7307 app_name=essequ traff_direct=outbound block_count=7148 logon_user=ender@snulapar3794.api.domain msg=failure -July 4 11:38:16 essecill2595.mail.local proto=ggp service=http status=deny src=10.57.40.29 dst=10.210.213.18 src_port=7616 dst_port=3970 server_app=atuse pid=2703 app_name=uis traff_direct=internal block_count=6179 logon_user=onse@liq5883.localdomain msg=unknown -July 18 18:40:50 ali6446.localhost proto=udp service=smtp status=deny src=10.144.82.69 dst=10.200.156.102 src_port=2896 dst_port=6061 server_app=rporis pid=5166 app_name=par traff_direct=outbound block_count=7041 logon_user=rveli@rsint7026.test msg=success -August 2 01:43:25 torev7118.internal.domain proto=ipv6 service=smtp status=deny src=10.109.232.112 dst=10.72.58.135 src_port=5160 dst_port=2382 server_app=fugit pid=7668 app_name=rsitamet traff_direct=internal block_count=1112 logon_user=xea@qua2945.www.local msg=failure -August 16 08:45:59 dolore6103.www5.example proto=udp service=http status=deny src=10.38.22.45 dst=10.72.29.73 src_port=1493 
dst_port=203 server_app=piscing pid=1044 app_name=entsu traff_direct=unknown block_count=4979 logon_user=onproide@luptat6494.www.example msg=failure -August 30 15:48:33 errorsi6996.www.domain proto=tcp service=smtp status=deny src=10.70.95.74 dst=10.76.72.111 src_port=6119 dst_port=7388 server_app=emaperi pid=7183 app_name=sumquiad traff_direct=internal block_count=2362 logon_user=ivelits@moenimi6317.internal.invalid msg=failure -September 13 22:51:07 lumquido5839.api.corp proto=ipv6 service=https status=deny src=10.19.201.13 dst=10.73.69.75 src_port=5006 dst_port=6218 server_app=nsec pid=6907 app_name=estqu traff_direct=unknown block_count=2655 logon_user=tat@tion1761.home msg=unknown -September 28 05:53:42 aperia4409.www5.invalid proto=rdp service=ms-wbt-server status=deny src=10.78.151.178 dst=10.84.105.75 src_port=1846 dst_port=98 server_app=uames pid=499 app_name=msequi traff_direct=external block_count=4085 logon_user=iquaUten@santium4235.api.local msg=unknown -October 12 12:56:16 tem2496.api.lan proto=rdp service=ms-wbt-server status=deny src=10.135.233.146 dst=10.25.192.202 src_port=4181 dst_port=6462 server_app=ents pid=1531 app_name=Loremip traff_direct=internal block_count=4610 logon_user=emeumfu@CSed2857.www5.example msg=failure -October 26 19:58:50 eme6710.mail.invalid proto=rdp service=https status=deny src=10.121.219.204 dst=10.104.134.200 src_port=3611 dst_port=2508 server_app=reetd pid=6051 app_name=quae traff_direct=outbound block_count=7084 logon_user=uptat@equep5085.mail.domain msg=failure -November 10 03:01:24 ihilm1669.mail.invalid proto=tcp service=https status=deny src=10.191.105.82 dst=10.225.160.182 src_port=3361 dst_port=4810 server_app=uovolup pid=6994 app_name=llu traff_direct=external block_count=3936 logon_user=eirure@conseq557.mail.lan msg=unknown -November 24 10:03:59 umexerci1284.internal.localdomain proto=rdp service=smtp status=deny src=10.141.44.153 dst=10.161.57.8 src_port=3750 dst_port=2716 server_app=oei pid=5200 
app_name=snostrud traff_direct=inbound block_count=3333 logon_user=quisnos@ite2026.www.invalid msg=failure -December 8 17:06:33 adol485.example proto=udp service=https status=deny src=10.153.111.103 dst=10.6.167.7 src_port=4977 dst_port=2022 server_app=taevit pid=3365 app_name=nsecte traff_direct=internal block_count=7424 logon_user=eumfug@lit5929.test msg=success -December 23 00:09:07 evita5008.www.localdomain proto=ggp service=pop3 status=deny src=10.248.204.182 dst=10.134.148.219 src_port=1331 dst_port=4430 server_app=tmo pid=1835 app_name=abi traff_direct=inbound block_count=4168 logon_user=uioffi@oru6938.invalid msg=success -January 6 07:11:41 tsedqu2456.www5.invalid proto=ipv6 service=smtp status=deny src=10.178.77.231 dst=10.163.5.243 src_port=5294 dst_port=4129 server_app=xerc pid=2019 app_name=hitecto traff_direct=unknown block_count=1123 logon_user=liquide@etdol5473.local msg=success -January 20 14:14:16 ris3314.mail.invalid proto=ggp service=smtp status=deny src=10.177.194.18 dst=10.221.89.228 src_port=766 dst_port=2447 server_app=uamei pid=2493 app_name=aera traff_direct=outbound block_count=1747 logon_user=aliquam@nimid893.mail.corp msg=success -February 3 21:16:50 reme622.mail.example proto=icmp service=ms-wbt-server status=deny src=10.241.65.49 dst=10.32.239.1 src_port=3027 dst_port=3128 server_app=dictasu pid=3022 app_name=catc traff_direct=unknown block_count=3522 logon_user=idata@rumwritt6003.host msg=failure -February 18 04:19:24 non3341.mail.invalid proto=ggp service=http status=deny src=10.168.90.81 dst=10.101.57.120 src_port=6866 dst_port=6501 server_app=laboree pid=2328 app_name=intocc traff_direct=internal block_count=5516 logon_user=eporr@xeacomm6855.api.corp msg=success -March 4 11:21:59 ris727.api.local proto=tcp service=ms-wbt-server status=deny src=10.14.211.43 dst=10.130.14.60 src_port=4456 dst_port=2051 server_app=autfu pid=1156 app_name=tessec traff_direct=external block_count=7200 logon_user=litse@icabo4125.mail.domain msg=unknown 
-March 18 18:24:33 stquido5705.api.host proto=icmp service=http status=deny src=10.60.129.15 dst=10.248.101.25 src_port=106 dst_port=5740 server_app=Nequepo pid=6003 app_name=pora traff_direct=unknown block_count=6437 logon_user=evolup@ionofdeF5643.www.localhost msg=success -April 2 01:27:07 etcons7378.api.lan proto=tcp service=https status=deny src=10.72.93.28 dst=10.111.187.12 src_port=3577 dst_port=3994 server_app=aper pid=5651 app_name=tur traff_direct=inbound block_count=3427 logon_user=niamqui@orem6702.invalid msg=failure -April 16 08:29:41 vita2681.www5.local proto=icmp service=ms-wbt-server status=deny src=10.27.14.168 dst=10.66.2.232 src_port=2224 dst_port=5764 server_app=fugiatn pid=3470 app_name=ipsumd traff_direct=outbound block_count=6708 logon_user=uirati@oin6780.mail.domain msg=unknown -April 30 15:32:16 tnulapa7592.www.local proto=ggp service=ms-wbt-server status=deny src=10.75.99.127 dst=10.195.2.130 src_port=1766 dst_port=202 server_app=mporin pid=6932 app_name=nisiuta traff_direct=internal block_count=3828 logon_user=inibusB@eprehen3224.www5.localdomain msg=failure -May 14 22:34:50 lup2134.www.localhost proto=ipv6 service=pop3 status=deny src=10.201.238.90 dst=10.245.104.182 src_port=3759 dst_port=55 server_app=ccaecat pid=6945 app_name=onsequ traff_direct=outbound block_count=4198 logon_user=ovol@ptasn6599.www.localhost msg=success -May 29 05:37:24 tanimid3337.mail.corp proto=ipv6-icmp service=http status=deny src=10.217.150.196 dst=10.105.91.31 src_port=2056 dst_port=5987 server_app=loreme pid=853 app_name=psumquia traff_direct=external block_count=4444 logon_user=con@nisist2752.home msg=unknown -June 12 12:39:58 eumiu765.api.lan proto=ipv6-icmp service=https status=deny src=10.4.157.1 dst=10.184.18.202 src_port=52 dst_port=205 server_app=ofdeFini pid=4153 app_name=molli traff_direct=outbound block_count=725 logon_user=oditem@gitsedqu2649.mail.lan msg=unknown -June 26 19:42:33 mquelau5326.mail.lan proto=icmp service=https status=deny 
src=10.255.39.252 dst=10.113.95.59 src_port=863 dst_port=4367 server_app=fugitsed pid=1693 app_name=idolo traff_direct=internal block_count=3147 logon_user=persp@entsunt3962.www.example msg=success -July 11 02:45:07 idestlab2631.www.lan proto=tcp service=http status=deny src=10.27.16.118 dst=10.83.177.2 src_port=18 dst_port=1827 server_app=iat pid=337 app_name=rinre traff_direct=internal block_count=1300 logon_user=borios@tut2703.www.host msg=success -July 25 09:47:41 inesci6789.test proto=udp service=http status=deny src=10.38.54.72 dst=10.167.227.44 src_port=6595 dst_port=5736 server_app=lillum pid=7041 app_name=its traff_direct=outbound block_count=7644 logon_user=riamea@entorev160.test msg=failure -August 8 16:50:15 ccaeca7077.internal.corp proto=tcp service=http status=deny src=10.216.54.184 dst=10.215.205.216 src_port=1495 dst_port=647 server_app=riat pid=3854 app_name=psaquaea traff_direct=external block_count=7536 logon_user=ameiusm@proide3714.mail.localdomain msg=unknown -August 22 23:52:50 ima2031.api.corp proto=igmp service=smtp status=deny src=10.9.12.248 dst=10.9.18.237 src_port=765 dst_port=2486 server_app=tpersp pid=55 app_name=seosqui traff_direct=internal block_count=6379 logon_user=uradi@tot5313.mail.invalid msg=success -September 6 06:55:24 ian867.internal.corp proto=rdp service=https status=deny src=10.83.130.226 dst=10.41.123.102 src_port=1542 dst_port=2300 server_app=odoconse pid=228 app_name=quatu traff_direct=external block_count=7661 logon_user=tenim@rumet3801.internal.domain msg=unknown -September 20 13:57:58 lorin4249.corp proto=tcp service=pop3 status=deny src=10.175.112.197 dst=10.80.152.108 src_port=1749 dst_port=2742 server_app=exeacom pid=4253 app_name=rita traff_direct=outbound block_count=6984 logon_user=tametcon@liqua2834.www5.lan msg=failure -October 4 21:00:32 gnaaliqu3935.api.test proto=udp service=smtp status=deny src=10.134.18.114 dst=10.142.25.100 src_port=2761 dst_port=5770 server_app=mdol pid=2200 app_name=nby 
traff_direct=internal block_count=624 logon_user=osqui@sequat7273.api.host msg=failure -October 19 04:03:07 nsequat1859.internal.localhost proto=udp service=http status=deny src=10.28.118.160 dst=10.223.119.218 src_port=6247 dst_port=300 server_app=umexerc pid=5717 app_name=intocc traff_direct=internal block_count=4387 logon_user=ntsunt@uidol4575.localhost msg=failure -November 2 11:05:41 ritin2495.api.corp proto=ggp service=https status=deny src=10.110.114.175 dst=10.47.28.48 src_port=4986 dst_port=3032 server_app=tatem pid=4469 app_name=luptat traff_direct=unknown block_count=4488 logon_user=plicab@oremq2000.api.corp msg=unknown -November 16 18:08:15 tetur2694.mail.local proto=ggp service=pop3 status=deny src=10.40.251.202 dst=10.90.33.138 src_port=5733 dst_port=7876 server_app=enimadmi pid=5524 app_name=lupta traff_direct=external block_count=6847 logon_user=nvolupt@oremi1485.api.localhost msg=success -December 1 01:10:49 rem7043.localhost proto=ipv6 service=ms-wbt-server status=deny src=10.65.2.106 dst=10.227.173.252 src_port=5410 dst_port=5337 server_app=nisiut pid=3624 app_name=teturad traff_direct=external block_count=7576 logon_user=itation@sequatD5469.www5.lan msg=unknown -December 15 08:13:24 emqu2846.internal.home proto=udp service=https status=deny src=10.193.233.229 dst=10.28.84.106 src_port=2859 dst_port=4844 server_app=eaqu pid=1609 app_name=uptatemU traff_direct=inbound block_count=3096 logon_user=tla@item2738.test msg=success -December 29 15:15:58 dqu6144.api.localhost proto=ggp service=ms-wbt-server status=deny src=10.150.245.88 dst=10.210.89.183 src_port=3642 dst_port=2589 server_app=ulpa pid=6248 app_name=iusmodte traff_direct=external block_count=2700 logon_user=sequa@iosamnis1047.internal.localdomain msg=success -January 12 22:18:32 giatquov1918.internal.example proto=udp service=ms-wbt-server status=deny src=10.180.195.43 dst=10.85.185.13 src_port=4540 dst_port=7793 server_app=gnaal pid=7224 app_name=proident traff_direct=outbound 
block_count=1867 logon_user=voluptas@orroq6677.internal.example msg=failure -January 27 05:21:06 estl5804.internal.local proto=udp service=ms-wbt-server status=deny src=10.207.211.230 dst=10.210.28.247 src_port=3449 dst_port=7257 server_app=ssecil pid=430 app_name=iuntNe traff_direct=unknown block_count=7672 logon_user=tate@onevo4326.internal.local msg=failure -February 10 12:23:41 Sedut1775.www.domain proto=rdp service=ms-wbt-server status=deny src=10.86.11.48 dst=10.248.165.185 src_port=3436 dst_port=5460 server_app=olorsi pid=3589 app_name=exeaco traff_direct=external block_count=4801 logon_user=dquiac@itaedict7233.mail.localdomain msg=unknown -February 24 19:26:15 mac7484.www5.test proto=ipv6-icmp service=http status=deny src=10.118.6.177 dst=10.47.125.38 src_port=6977 dst_port=3896 server_app=isn pid=4814 app_name=omm traff_direct=outbound block_count=1844 logon_user=quunt@numquam5869.internal.example msg=unknown -March 11 02:28:49 oin1140.mail.localhost proto=icmp service=pop3 status=deny src=10.50.233.155 dst=10.60.142.127 src_port=1081 dst_port=5112 server_app=urExce pid=276 app_name=nturm traff_direct=outbound block_count=2241 logon_user=atv@onu6137.api.home msg=success -March 25 09:31:24 naaliq3710.api.local proto=rdp service=http status=deny src=10.28.82.189 dst=10.120.10.211 src_port=3916 dst_port=7661 server_app=odt pid=2452 app_name=inv traff_direct=internal block_count=7705 logon_user=rcit@aecatcup2241.www5.test msg=failure -April 8 16:33:58 volupta3552.internal.localhost proto=ipv6 service=pop3 status=deny src=10.31.237.225 dst=10.6.38.163 src_port=6153 dst_port=4059 server_app=oreveri pid=3453 app_name=avolu traff_direct=inbound block_count=2820 logon_user=olup@labor6360.mail.local msg=failure -April 22 23:36:32 onse380.internal.localdomain proto=ggp service=https status=deny src=10.226.5.189 dst=10.125.165.144 src_port=3371 dst_port=7889 server_app=dexerc pid=2302 app_name=tatem traff_direct=inbound block_count=5407 
logon_user=mvolu@mveleum4322.www5.host msg=success -May 7 06:39:06 queips4947.mail.example proto=udp service=smtp status=deny src=10.97.149.97 dst=10.46.56.204 src_port=2463 dst_port=5070 server_app=uela pid=7079 app_name=umf traff_direct=unknown block_count=2441 logon_user=dolorsit@archite1843.mail.home msg=unknown -May 21 13:41:41 oloreseo5039.test proto=ggp service=https status=deny src=10.218.0.197 dst=10.28.105.124 src_port=7581 dst_port=4797 server_app=eritin pid=5773 app_name=litsedq traff_direct=outbound block_count=5749 logon_user=ntNe@itanim4024.api.example msg=success -June 4 20:44:15 minim459.mail.local proto=rdp service=https status=deny src=10.123.199.198 dst=10.17.87.79 src_port=6332 dst_port=3414 server_app=tionula pid=1586 app_name=ate traff_direct=outbound block_count=5006 logon_user=ratvolu@nreprehe715.api.home msg=unknown -June 19 03:46:49 eratv211.api.host proto=rdp service=https status=deny src=10.38.86.177 dst=10.115.68.40 src_port=5768 dst_port=5483 server_app=boNem pid=5137 app_name=ssusci traff_direct=internal block_count=2841 logon_user=mpo@unte893.internal.host msg=success -July 3 10:49:23 aparia1179.www.localdomain proto=tcp service=https status=deny src=10.193.118.163 dst=10.115.174.107 src_port=548 dst_port=5597 server_app=acom pid=5704 app_name=dolorem traff_direct=internal block_count=10 logon_user=exeacomm@aspe951.mail.domain msg=success -July 17 17:51:58 iatqu6203.mail.corp proto=icmp service=http status=deny src=10.37.128.49 dst=10.77.77.208 src_port=625 dst_port=1101 server_app=esci pid=2310 app_name=essecill traff_direct=external block_count=2653 logon_user=moles@dipiscin4957.www.home msg=unknown -August 1 00:54:32 ptasnula6576.api.invalid proto=tcp service=ms-wbt-server status=deny src=10.54.73.158 dst=10.1.96.93 src_port=5752 dst_port=428 server_app=docon pid=5398 app_name=ntium traff_direct=internal block_count=4392 logon_user=lloinven@econs2687.internal.localdomain msg=unknown -August 15 07:57:06 mag1506.internal.domain 
proto=igmp service=smtp status=deny src=10.131.126.109 dst=10.182.152.242 src_port=1877 dst_port=6998 server_app=rcitat pid=2465 app_name=ecillum traff_direct=inbound block_count=3208 logon_user=dolor@tiumto5834.api.lan msg=success -August 29 14:59:40 fugits1163.host proto=icmp service=http status=deny src=10.181.247.224 dst=10.77.229.168 src_port=260 dst_port=3777 server_app=atatnon pid=6064 app_name=abor traff_direct=external block_count=329 logon_user=adol@iutal6032.www.test msg=failure -September 12 22:02:15 gitse2463.www5.invalid proto=ipv6-icmp service=http status=deny src=10.235.116.121 dst=10.72.162.6 src_port=1 dst_port=5516 server_app=emp pid=2861 app_name=luptas traff_direct=outbound block_count=1444 logon_user=oinv@inculp2078.host msg=unknown -September 27 05:04:49 temse6953.www.example proto=ipv6-icmp service=https status=deny src=10.149.193.117 dst=10.28.124.236 src_port=5343 dst_port=3434 server_app=atcupi pid=3559 app_name=edquia traff_direct=internal block_count=3176 logon_user=mullam@mexerc2757.internal.home msg=failure -October 11 12:07:23 deriti6952.mail.domain proto=ipv6-icmp service=http status=deny src=10.34.131.224 dst=10.196.96.162 src_port=649 dst_port=6378 server_app=equatDu pid=1710 app_name=aconse traff_direct=outbound block_count=7174 logon_user=tnonproi@squira4455.api.domain msg=failure -October 25 19:09:57 abor1370.www.domain proto=ipv6-icmp service=https status=deny src=10.97.236.123 dst=10.77.78.180 src_port=5159 dst_port=5380 server_app=reetdol pid=4984 app_name=ugi traff_direct=inbound block_count=4782 logon_user=nisi@emveleum3661.localhost msg=unknown -November 9 02:12:32 emullamc5418.mail.test proto=ipv6 service=ms-wbt-server status=deny src=10.82.133.66 dst=10.45.54.107 src_port=7229 dst_port=3593 server_app=nse pid=3421 app_name=quira traff_direct=unknown block_count=5362 logon_user=olorem@sedquiac6517.internal.localhost msg=failure -November 23 09:15:06 squirati7050.www5.lan proto=rdp service=pop3 status=deny 
src=10.180.180.230 dst=10.170.252.219 src_port=4147 dst_port=2454 server_app=tesseci pid=4020 app_name=radipis traff_direct=external block_count=7020 logon_user=nse@veniam3148.www5.home msg=failure -December 7 16:17:40 venia2079.mail.example proto=rdp service=http status=deny src=10.5.11.205 dst=10.65.144.51 src_port=4901 dst_port=2283 server_app=lumqu pid=617 app_name=autf traff_direct=outbound block_count=5050 logon_user=uptat@unt3559.www.home msg=failure -December 21 23:20:14 snostrum3450.www5.localhost proto=udp service=smtp status=deny src=10.195.223.82 dst=10.76.122.196 src_port=3128 dst_port=5325 server_app=atu pid=487 app_name=iame traff_direct=external block_count=593 logon_user=umiurer@rere5274.mail.domain msg=success -January 5 06:22:49 gelitsed3249.corp proto=icmp service=ms-wbt-server status=deny src=10.138.210.116 dst=10.225.255.211 src_port=5595 dst_port=3369 server_app=rum pid=2442 app_name=eursinto traff_direct=external block_count=956 logon_user=fugiatn@uaeabi3728.www5.invalid msg=failure -January 19 13:25:23 dolor7082.internal.localhost proto=icmp service=smtp status=deny src=10.250.81.189 dst=10.219.1.151 src_port=5404 dst_port=4323 server_app=redo pid=6311 app_name=ditautf traff_direct=external block_count=3262 logon_user=ori@uamqu2804.test msg=unknown -February 2 20:27:57 totam6886.api.localhost proto=ggp service=https status=deny src=10.54.23.133 dst=10.76.125.70 src_port=3258 dst_port=756 server_app=oluptat pid=7128 app_name=eseruntm traff_direct=internal block_count=1916 logon_user=oloreeu@olor5201.host msg=unknown -February 17 03:30:32 laborum5749.www.example proto=igmp service=http status=deny src=10.36.110.69 dst=10.189.42.62 src_port=4187 dst_port=4262 server_app=duntut pid=2780 app_name=ullamc traff_direct=unknown block_count=170 logon_user=eque@eufug3348.www.lan msg=success -March 3 10:33:06 lup3313.api.home proto=tcp service=https status=deny src=10.47.179.68 dst=10.183.202.82 src_port=5107 dst_port=2208 server_app=usmod pid=3284 
app_name=amni traff_direct=unknown block_count=2645 logon_user=umfugi@stquidol239.www5.invalid msg=failure -March 17 17:35:40 edq5397.www.test proto=ipv6-icmp service=pop3 status=deny src=10.73.28.165 dst=10.221.206.74 src_port=3668 dst_port=1480 server_app=ihilmole pid=2314 app_name=litanim traff_direct=inbound block_count=5572 logon_user=quas@gia6531.mail.invalid msg=success -April 1 00:38:14 udan6536.www5.test proto=ipv6 service=ms-wbt-server status=deny src=10.85.104.146 dst=10.14.204.36 src_port=3442 dst_port=4887 server_app=qua pid=5284 app_name=ents traff_direct=inbound block_count=973 logon_user=emp@lamcola4879.www5.localdomain msg=success -April 15 07:40:49 rumet6923.www5.lan proto=rdp service=https status=deny src=10.208.18.210 dst=10.30.246.132 src_port=3601 dst_port=388 server_app=texplica pid=3990 app_name=ore traff_direct=outbound block_count=5624 logon_user=veniam@edquian330.mail.local msg=unknown -April 29 14:43:23 itse522.internal.localdomain proto=udp service=pop3 status=deny src=10.106.249.91 dst=10.19.119.17 src_port=1732 dst_port=3822 server_app=veleumi pid=4337 app_name=tvol traff_direct=unknown block_count=2783 logon_user=lit@santi837.api.domain msg=success -May 13 21:45:57 amc3059.local proto=igmp service=http status=deny src=10.29.109.126 dst=10.181.41.154 src_port=6261 dst_port=866 server_app=itseddo pid=5275 app_name=seos traff_direct=unknown block_count=6721 logon_user=labo@lpaquiof804.internal.invalid msg=failure -May 28 04:48:31 enbyCi3813.api.domain proto=ipv6-icmp service=https status=deny src=10.164.207.42 dst=10.164.120.197 src_port=1901 dst_port=2304 server_app=itametco pid=2286 app_name=remip traff_direct=external block_count=3116 logon_user=pta@nonn4478.host msg=unknown -June 11 11:51:06 liquipex1155.mail.corp proto=ipv6-icmp service=smtp status=deny src=10.183.189.133 dst=10.154.191.225 src_port=5347 dst_port=7856 server_app=Loremip pid=2990 app_name=tur traff_direct=unknown block_count=6105 
logon_user=ita@amquaer3985.www5.example msg=success -June 25 18:53:40 isn3991.local proto=igmp service=smtp status=deny src=10.29.120.226 dst=10.103.189.199 src_port=1296 dst_port=767 server_app=exerci pid=226 app_name=eserun traff_direct=outbound block_count=5452 logon_user=emu@orem6317.local msg=failure -July 10 01:56:14 iumtotam1010.www5.corp proto=icmp service=https status=deny src=10.133.254.23 dst=10.210.153.7 src_port=6251 dst_port=7030 server_app=nofdeFi pid=4691 app_name=sautei traff_direct=external block_count=2088 logon_user=voluptas@velill3230.www.corp msg=success -July 24 08:58:48 onsecte91.www5.localdomain proto=tcp service=pop3 status=deny src=10.126.245.73 dst=10.91.2.135 src_port=180 dst_port=2141 server_app=ender pid=5647 app_name=rumSecti traff_direct=outbound block_count=4680 logon_user=olore@orumS757.www5.corp msg=success -August 7 16:01:23 abori7686.internal.host proto=rdp service=https status=deny src=10.183.243.246 dst=10.137.85.123 src_port=218 dst_port=7073 server_app=ntsunti pid=2313 app_name=magnam traff_direct=internal block_count=6402 logon_user=cid@emi4534.www.localdomain msg=failure -August 21 23:03:57 reprehen3513.test proto=ipv6 service=smtp status=deny src=10.61.225.196 dst=10.10.86.55 src_port=4720 dst_port=5132 server_app=isiu pid=1585 app_name=mmodi traff_direct=external block_count=3034 logon_user=eniamqu@inimav1576.mail.example msg=failure -September 5 06:06:31 orroquis284.api.domain proto=udp service=http status=deny src=10.125.143.153 dst=10.79.73.195 src_port=2657 dst_port=457 server_app=umf pid=3141 app_name=moll traff_direct=outbound block_count=7645 logon_user=emip@aturQu7083.mail.host msg=failure -September 19 13:09:05 tionula2060.www5.localhost proto=ipv6 service=ms-wbt-server status=deny src=10.240.216.85 dst=10.64.139.17 src_port=2046 dst_port=2438 server_app=ice pid=6331 app_name=aal traff_direct=external block_count=4982 logon_user=nimadmin@lumqui7769.mail.local msg=unknown -October 3 20:11:40 
rumSecti111.www5.domain proto=ipv6 service=ms-wbt-server status=deny src=10.87.90.49 dst=10.222.245.80 src_port=1486 dst_port=4017 server_app=itaedict pid=4474 app_name=byCic traff_direct=inbound block_count=3380 logon_user=ptatemse@siarc6339.internal.corp msg=success -October 18 03:14:14 olores7881.local proto=udp service=pop3 status=deny src=10.143.53.214 dst=10.87.144.208 src_port=3310 dst_port=2440 server_app=ipsumq pid=4855 app_name=psaquaea traff_direct=unknown block_count=5772 logon_user=psumq@ptatev6552.www.test msg=success -November 1 10:16:48 tDuis3281.www5.localdomain proto=ipv6-icmp service=pop3 status=deny src=10.204.178.19 dst=10.105.97.134 src_port=616 dst_port=1935 server_app=oremque pid=1729 app_name=inimve traff_direct=unknown block_count=6564 logon_user=mexercit@byC5766.internal.home msg=success -November 15 17:19:22 uptasnul2751.www5.corp proto=rdp service=smtp status=deny src=10.161.64.168 dst=10.194.67.223 src_port=7154 dst_port=5767 server_app=tatemse pid=4493 app_name=amqui traff_direct=inbound block_count=3673 logon_user=tion@hender6628.local msg=unknown -November 30 00:21:57 upt6017.api.localdomain proto=tcp service=smtp status=deny src=10.100.154.220 dst=10.120.148.241 src_port=5535 dst_port=1655 server_app=eeufug pid=6094 app_name=modt traff_direct=external block_count=5150 logon_user=rsitam@xercit7649.www5.home msg=failure -December 14 07:24:31 tpers2217.internal.lan proto=udp service=ms-wbt-server status=deny src=10.116.153.19 dst=10.180.90.112 src_port=6610 dst_port=1936 server_app=olu pid=5012 app_name=dexercit traff_direct=outbound block_count=2216 logon_user=itessequ@porissu1470.domain msg=success diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json deleted file mode 100644 index b049592d14c..00000000000 --- a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json +++ /dev/null 
@@ -1,5781 +0,0 @@ -[ - { - "destination.ip": "10.102.123.34", - "destination.port": 3994, - "event.action": "deny", - "event.code": "http", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "January 29 06:09:59 boNemoe4402.www.invalid proto=udp service=http status=deny src=10.150.92.220 dst=10.102.123.34 src_port=7178 dst_port=3994 server_app=reeufugi pid=7880 app_name=enderitq traff_direct=external block_count=5286 logon_user=sumdo@litesse6379.api.domain msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "boNemoe4402.www.invalid", - "input.type": "log", - "log.offset": 0, - "network.direction": "external", - "network.protocol": "udp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 7880, - "related.hosts": [ - "boNemoe4402.www.invalid", - "litesse6379.api.domain" - ], - "related.ip": [ - "10.102.123.34", - "10.150.92.220" - ], - "related.user": [ - "sumdo" - ], - "rsa.counters.dclass_c1": 5286, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "http", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "boNemoe4402.www.invalid" - ], - "rsa.network.domain": "litesse6379.api.domain", - "rsa.network.network_service": "http", - "server.domain": "litesse6379.api.domain", - "server.registered_domain": "api.domain", - "server.subdomain": "litesse6379", - "server.top_level_domain": "domain", - "service.type": "fortinet", - "source.ip": "10.150.92.220", - "source.port": 7178, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "sumdo" - }, - { - "destination.ip": "10.149.203.46", - "destination.port": 5861, - "event.action": "deny", - "event.code": "https", - "event.dataset": 
"fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "February 12 13:12:33 olupt4880.api.home proto=icmp service=https status=deny src=10.33.212.159 dst=10.149.203.46 src_port=2789 dst_port=5861 server_app=vol pid=4539 app_name=uidolor traff_direct=internal block_count=4402 logon_user=mipsumq@gnaali6189.internal.localhost msg=unknown", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "olupt4880.api.home", - "input.type": "log", - "log.offset": 281, - "network.direction": "internal", - "network.protocol": "icmp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 4539, - "related.hosts": [ - "gnaali6189.internal.localhost", - "olupt4880.api.home" - ], - "related.ip": [ - "10.149.203.46", - "10.33.212.159" - ], - "related.user": [ - "mipsumq" - ], - "rsa.counters.dclass_c1": 4402, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "unknown", - "rsa.network.alias_host": [ - "olupt4880.api.home" - ], - "rsa.network.domain": "gnaali6189.internal.localhost", - "rsa.network.network_service": "https", - "server.domain": "gnaali6189.internal.localhost", - "server.registered_domain": "internal.localhost", - "server.subdomain": "gnaali6189", - "server.top_level_domain": "localhost", - "service.type": "fortinet", - "source.ip": "10.33.212.159", - "source.port": 2789, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "mipsumq" - }, - { - "destination.ip": "10.118.175.9", - "destination.port": 2802, - "event.action": "deny", - "event.code": "smtp", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "February 26 20:15:08 aqu1628.internal.domain proto=ipv6-icmp 
service=smtp status=deny src=10.173.116.41 dst=10.118.175.9 src_port=3710 dst_port=2802 server_app=aer pid=445 app_name=nse traff_direct=unknown block_count=7019 logon_user=uame@quis1130.internal.corp msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "aqu1628.internal.domain", - "input.type": "log", - "log.offset": 563, - "network.direction": "unknown", - "network.protocol": "ipv6-icmp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 445, - "related.hosts": [ - "aqu1628.internal.domain", - "quis1130.internal.corp" - ], - "related.ip": [ - "10.118.175.9", - "10.173.116.41" - ], - "related.user": [ - "uame" - ], - "rsa.counters.dclass_c1": 7019, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "aqu1628.internal.domain" - ], - "rsa.network.domain": "quis1130.internal.corp", - "rsa.network.network_service": "smtp", - "server.domain": "quis1130.internal.corp", - "server.registered_domain": "internal.corp", - "server.subdomain": "quis1130", - "server.top_level_domain": "corp", - "service.type": "fortinet", - "source.ip": "10.173.116.41", - "source.port": 3710, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "uame" - }, - { - "destination.ip": "10.202.204.154", - "destination.port": 3587, - "event.action": "deny", - "event.code": "https", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "March 12 03:17:42 tinculp2940.internal.local proto=ggp service=https status=deny src=10.134.137.177 dst=10.202.204.154 src_port=7868 dst_port=3587 server_app=amco pid=5712 app_name=psumquia traff_direct=unknown block_count=2458 
logon_user=orsitame@reprehe189.internal.home msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "tinculp2940.internal.local", - "input.type": "log", - "log.offset": 837, - "network.direction": "unknown", - "network.protocol": "ggp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 5712, - "related.hosts": [ - "reprehe189.internal.home", - "tinculp2940.internal.local" - ], - "related.ip": [ - "10.134.137.177", - "10.202.204.154" - ], - "related.user": [ - "orsitame" - ], - "rsa.counters.dclass_c1": 2458, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "tinculp2940.internal.local" - ], - "rsa.network.domain": "reprehe189.internal.home", - "rsa.network.network_service": "https", - "server.domain": "reprehe189.internal.home", - "server.registered_domain": "internal.home", - "server.subdomain": "reprehe189", - "server.top_level_domain": "home", - "service.type": "fortinet", - "source.ip": "10.134.137.177", - "source.port": 7868, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "orsitame" - }, - { - "destination.ip": "10.70.0.60", - "destination.port": 4982, - "event.action": "deny", - "event.code": "pop3", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "March 26 10:20:16 rad2103.api.domain proto=ipv6-icmp service=pop3 status=deny src=10.245.142.250 dst=10.70.0.60 src_port=5408 dst_port=4982 server_app=estqui pid=6557 app_name=magn traff_direct=inbound block_count=2638 logon_user=eos@enimad2283.internal.domain msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": 
"rad2103.api.domain", - "input.type": "log", - "log.offset": 1122, - "network.direction": "inbound", - "network.protocol": "ipv6-icmp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 6557, - "related.hosts": [ - "enimad2283.internal.domain", - "rad2103.api.domain" - ], - "related.ip": [ - "10.245.142.250", - "10.70.0.60" - ], - "related.user": [ - "eos" - ], - "rsa.counters.dclass_c1": 2638, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "pop3", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "rad2103.api.domain" - ], - "rsa.network.domain": "enimad2283.internal.domain", - "rsa.network.network_service": "pop3", - "server.domain": "enimad2283.internal.domain", - "server.registered_domain": "internal.domain", - "server.subdomain": "enimad2283", - "server.top_level_domain": "domain", - "service.type": "fortinet", - "source.ip": "10.245.142.250", - "source.port": 5408, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "eos" - }, - { - "destination.ip": "10.200.188.142", - "destination.port": 7143, - "event.action": "deny", - "event.code": "smtp", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "April 9 17:22:51 enim5316.www5.local proto=ipv6-icmp service=smtp status=deny src=10.202.72.124 dst=10.200.188.142 src_port=4665 dst_port=7143 server_app=omnis pid=2061 app_name=eip traff_direct=external block_count=513 logon_user=iusmodt@doloreeu3553.www5.home msg=unknown", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "enim5316.www5.local", - "input.type": "log", - "log.offset": 1395, - "network.direction": "external", - "network.protocol": "ipv6-icmp", - "observer.product": 
"FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 2061, - "related.hosts": [ - "doloreeu3553.www5.home", - "enim5316.www5.local" - ], - "related.ip": [ - "10.200.188.142", - "10.202.72.124" - ], - "related.user": [ - "iusmodt" - ], - "rsa.counters.dclass_c1": 513, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "unknown", - "rsa.network.alias_host": [ - "enim5316.www5.local" - ], - "rsa.network.domain": "doloreeu3553.www5.home", - "rsa.network.network_service": "smtp", - "server.domain": "doloreeu3553.www5.home", - "server.registered_domain": "www5.home", - "server.subdomain": "doloreeu3553", - "server.top_level_domain": "home", - "service.type": "fortinet", - "source.ip": "10.202.72.124", - "source.port": 4665, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "iusmodt" - }, - { - "destination.ip": "10.214.225.125", - "destination.port": 2121, - "event.action": "deny", - "event.code": "pop3", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "April 24 00:25:25 reetdolo2770.www5.local proto=tcp service=pop3 status=deny src=10.12.44.169 dst=10.214.225.125 src_port=5710 dst_port=2121 server_app=inBCSedu pid=5722 app_name=tanimi traff_direct=outbound block_count=6071 logon_user=erep@iutal13.api.localdomain msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "reetdolo2770.www5.local", - "input.type": "log", - "log.offset": 1669, - "network.direction": "outbound", - "network.protocol": "tcp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 5722, - "related.hosts": [ - "iutal13.api.localdomain", - 
"reetdolo2770.www5.local" - ], - "related.ip": [ - "10.12.44.169", - "10.214.225.125" - ], - "related.user": [ - "erep" - ], - "rsa.counters.dclass_c1": 6071, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "pop3", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "reetdolo2770.www5.local" - ], - "rsa.network.domain": "iutal13.api.localdomain", - "rsa.network.network_service": "pop3", - "server.domain": "iutal13.api.localdomain", - "server.registered_domain": "api.localdomain", - "server.subdomain": "iutal13", - "server.top_level_domain": "localdomain", - "service.type": "fortinet", - "source.ip": "10.12.44.169", - "source.port": 5710, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "erep" - }, - { - "destination.ip": "10.198.136.50", - "destination.port": 2089, - "event.action": "deny", - "event.code": "http", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "May 8 07:27:59 isiu1114.internal.corp proto=icmp service=http status=deny src=10.66.108.11 dst=10.198.136.50 src_port=6875 dst_port=2089 server_app=ipis pid=5037 app_name=ari traff_direct=unknown block_count=3856 logon_user=uptatev@uovol492.www.localhost msg=unknown", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "isiu1114.internal.corp", - "input.type": "log", - "log.offset": 1946, - "network.direction": "unknown", - "network.protocol": "icmp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 5037, - "related.hosts": [ - "isiu1114.internal.corp", - "uovol492.www.localhost" - ], - "related.ip": [ - "10.198.136.50", - "10.66.108.11" - ], - "related.user": [ - "uptatev" - ], - "rsa.counters.dclass_c1": 3856, - 
"rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "http", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "unknown", - "rsa.network.alias_host": [ - "isiu1114.internal.corp" - ], - "rsa.network.domain": "uovol492.www.localhost", - "rsa.network.network_service": "http", - "server.domain": "uovol492.www.localhost", - "server.registered_domain": "www.localhost", - "server.subdomain": "uovol492", - "server.top_level_domain": "localhost", - "service.type": "fortinet", - "source.ip": "10.66.108.11", - "source.port": 6875, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "uptatev" - }, - { - "destination.ip": "10.69.20.77", - "destination.port": 7579, - "event.action": "deny", - "event.code": "ms-wbt-server", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "May 22 14:30:33 usmodte1296.www.corp proto=igmp service=ms-wbt-server status=deny src=10.178.244.31 dst=10.69.20.77 src_port=3857 dst_port=7579 server_app=nonnu pid=776 app_name=riat traff_direct=unknown block_count=5575 logon_user=umdolor@osquir6997.corp msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "usmodte1296.www.corp", - "input.type": "log", - "log.offset": 2213, - "network.direction": "unknown", - "network.protocol": "igmp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 776, - "related.hosts": [ - "osquir6997.corp", - "usmodte1296.www.corp" - ], - "related.ip": [ - "10.178.244.31", - "10.69.20.77" - ], - "related.user": [ - "umdolor" - ], - "rsa.counters.dclass_c1": 5575, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "ms-wbt-server", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": 
"NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "usmodte1296.www.corp" - ], - "rsa.network.domain": "osquir6997.corp", - "rsa.network.network_service": "ms-wbt-server", - "server.domain": "osquir6997.corp", - "server.registered_domain": "osquir6997.corp", - "server.top_level_domain": "corp", - "service.type": "fortinet", - "source.ip": "10.178.244.31", - "source.port": 3857, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "umdolor" - }, - { - "destination.ip": "10.203.5.162", - "destination.port": 7290, - "event.action": "deny", - "event.code": "pop3", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "June 5 21:33:08 tatno4987.www5.localhost proto=ggp service=pop3 status=deny src=10.54.231.100 dst=10.203.5.162 src_port=5616 dst_port=7290 server_app=iam pid=6096 app_name=ciati traff_direct=unknown block_count=3162 logon_user=umdolore@eniam7007.api.invalid msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "tatno4987.www5.localhost", - "input.type": "log", - "log.offset": 2481, - "network.direction": "unknown", - "network.protocol": "ggp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 6096, - "related.hosts": [ - "eniam7007.api.invalid", - "tatno4987.www5.localhost" - ], - "related.ip": [ - "10.203.5.162", - "10.54.231.100" - ], - "related.user": [ - "umdolore" - ], - "rsa.counters.dclass_c1": 3162, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "pop3", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "tatno4987.www5.localhost" - ], - "rsa.network.domain": 
"eniam7007.api.invalid", - "rsa.network.network_service": "pop3", - "server.domain": "eniam7007.api.invalid", - "server.registered_domain": "api.invalid", - "server.subdomain": "eniam7007", - "server.top_level_domain": "invalid", - "service.type": "fortinet", - "source.ip": "10.54.231.100", - "source.port": 5616, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "umdolore" - }, - { - "destination.ip": "10.136.252.240", - "destination.port": 4105, - "event.action": "deny", - "event.code": "pop3", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "June 20 04:35:42 tatno6787.internal.localhost proto=icmp service=pop3 status=deny src=10.65.83.160 dst=10.136.252.240 src_port=3592 dst_port=4105 server_app=uradi pid=7307 app_name=essequ traff_direct=outbound block_count=7148 logon_user=ender@snulapar3794.api.domain msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "tatno6787.internal.localhost", - "input.type": "log", - "log.offset": 2751, - "network.direction": "outbound", - "network.protocol": "icmp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 7307, - "related.hosts": [ - "snulapar3794.api.domain", - "tatno6787.internal.localhost" - ], - "related.ip": [ - "10.136.252.240", - "10.65.83.160" - ], - "related.user": [ - "ender" - ], - "rsa.counters.dclass_c1": 7148, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "pop3", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "tatno6787.internal.localhost" - ], - "rsa.network.domain": "snulapar3794.api.domain", - "rsa.network.network_service": "pop3", - "server.domain": "snulapar3794.api.domain", - "server.registered_domain": 
"api.domain", - "server.subdomain": "snulapar3794", - "server.top_level_domain": "domain", - "service.type": "fortinet", - "source.ip": "10.65.83.160", - "source.port": 3592, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "ender" - }, - { - "destination.ip": "10.210.213.18", - "destination.port": 3970, - "event.action": "deny", - "event.code": "http", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "July 4 11:38:16 essecill2595.mail.local proto=ggp service=http status=deny src=10.57.40.29 dst=10.210.213.18 src_port=7616 dst_port=3970 server_app=atuse pid=2703 app_name=uis traff_direct=internal block_count=6179 logon_user=onse@liq5883.localdomain msg=unknown", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "essecill2595.mail.local", - "input.type": "log", - "log.offset": 3031, - "network.direction": "internal", - "network.protocol": "ggp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 2703, - "related.hosts": [ - "essecill2595.mail.local", - "liq5883.localdomain" - ], - "related.ip": [ - "10.210.213.18", - "10.57.40.29" - ], - "related.user": [ - "onse" - ], - "rsa.counters.dclass_c1": 6179, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "http", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "unknown", - "rsa.network.alias_host": [ - "essecill2595.mail.local" - ], - "rsa.network.domain": "liq5883.localdomain", - "rsa.network.network_service": "http", - "server.domain": "liq5883.localdomain", - "server.registered_domain": "liq5883.localdomain", - "server.top_level_domain": "localdomain", - "service.type": "fortinet", - "source.ip": "10.57.40.29", - "source.port": 7616, - "tags": [ - "fortinet.clientendpoint", - 
"forwarded" - ], - "user.name": "onse" - }, - { - "destination.ip": "10.200.156.102", - "destination.port": 6061, - "event.action": "deny", - "event.code": "smtp", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "July 18 18:40:50 ali6446.localhost proto=udp service=smtp status=deny src=10.144.82.69 dst=10.200.156.102 src_port=2896 dst_port=6061 server_app=rporis pid=5166 app_name=par traff_direct=outbound block_count=7041 logon_user=rveli@rsint7026.test msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "ali6446.localhost", - "input.type": "log", - "log.offset": 3294, - "network.direction": "outbound", - "network.protocol": "udp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 5166, - "related.hosts": [ - "ali6446.localhost", - "rsint7026.test" - ], - "related.ip": [ - "10.144.82.69", - "10.200.156.102" - ], - "related.user": [ - "rveli" - ], - "rsa.counters.dclass_c1": 7041, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "ali6446.localhost" - ], - "rsa.network.domain": "rsint7026.test", - "rsa.network.network_service": "smtp", - "server.domain": "rsint7026.test", - "server.registered_domain": "rsint7026.test", - "server.top_level_domain": "test", - "service.type": "fortinet", - "source.ip": "10.144.82.69", - "source.port": 2896, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "rveli" - }, - { - "destination.ip": "10.72.58.135", - "destination.port": 2382, - "event.action": "deny", - "event.code": "smtp", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "August 2 
01:43:25 torev7118.internal.domain proto=ipv6 service=smtp status=deny src=10.109.232.112 dst=10.72.58.135 src_port=5160 dst_port=2382 server_app=fugit pid=7668 app_name=rsitamet traff_direct=internal block_count=1112 logon_user=xea@qua2945.www.local msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "torev7118.internal.domain", - "input.type": "log", - "log.offset": 3551, - "network.direction": "internal", - "network.protocol": "ipv6", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 7668, - "related.hosts": [ - "qua2945.www.local", - "torev7118.internal.domain" - ], - "related.ip": [ - "10.109.232.112", - "10.72.58.135" - ], - "related.user": [ - "xea" - ], - "rsa.counters.dclass_c1": 1112, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "torev7118.internal.domain" - ], - "rsa.network.domain": "qua2945.www.local", - "rsa.network.network_service": "smtp", - "server.domain": "qua2945.www.local", - "server.registered_domain": "www.local", - "server.subdomain": "qua2945", - "server.top_level_domain": "local", - "service.type": "fortinet", - "source.ip": "10.109.232.112", - "source.port": 5160, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "xea" - }, - { - "destination.ip": "10.72.29.73", - "destination.port": 203, - "event.action": "deny", - "event.code": "http", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "August 16 08:45:59 dolore6103.www5.example proto=udp service=http status=deny src=10.38.22.45 dst=10.72.29.73 src_port=1493 dst_port=203 server_app=piscing pid=1044 app_name=entsu traff_direct=unknown 
block_count=4979 logon_user=onproide@luptat6494.www.example msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "dolore6103.www5.example", - "input.type": "log", - "log.offset": 3823, - "network.direction": "unknown", - "network.protocol": "udp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 1044, - "related.hosts": [ - "dolore6103.www5.example", - "luptat6494.www.example" - ], - "related.ip": [ - "10.38.22.45", - "10.72.29.73" - ], - "related.user": [ - "onproide" - ], - "rsa.counters.dclass_c1": 4979, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "http", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "dolore6103.www5.example" - ], - "rsa.network.domain": "luptat6494.www.example", - "rsa.network.network_service": "http", - "server.domain": "luptat6494.www.example", - "server.registered_domain": "www.example", - "server.subdomain": "luptat6494", - "server.top_level_domain": "example", - "service.type": "fortinet", - "source.ip": "10.38.22.45", - "source.port": 1493, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "onproide" - }, - { - "destination.ip": "10.76.72.111", - "destination.port": 7388, - "event.action": "deny", - "event.code": "smtp", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "August 30 15:48:33 errorsi6996.www.domain proto=tcp service=smtp status=deny src=10.70.95.74 dst=10.76.72.111 src_port=6119 dst_port=7388 server_app=emaperi pid=7183 app_name=sumquiad traff_direct=internal block_count=2362 logon_user=ivelits@moenimi6317.internal.invalid msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": 
"errorsi6996.www.domain", - "input.type": "log", - "log.offset": 4096, - "network.direction": "internal", - "network.protocol": "tcp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 7183, - "related.hosts": [ - "errorsi6996.www.domain", - "moenimi6317.internal.invalid" - ], - "related.ip": [ - "10.70.95.74", - "10.76.72.111" - ], - "related.user": [ - "ivelits" - ], - "rsa.counters.dclass_c1": 2362, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "errorsi6996.www.domain" - ], - "rsa.network.domain": "moenimi6317.internal.invalid", - "rsa.network.network_service": "smtp", - "server.domain": "moenimi6317.internal.invalid", - "server.registered_domain": "internal.invalid", - "server.subdomain": "moenimi6317", - "server.top_level_domain": "invalid", - "service.type": "fortinet", - "source.ip": "10.70.95.74", - "source.port": 6119, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "ivelits" - }, - { - "destination.ip": "10.73.69.75", - "destination.port": 6218, - "event.action": "deny", - "event.code": "https", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "September 13 22:51:07 lumquido5839.api.corp proto=ipv6 service=https status=deny src=10.19.201.13 dst=10.73.69.75 src_port=5006 dst_port=6218 server_app=nsec pid=6907 app_name=estqu traff_direct=unknown block_count=2655 logon_user=tat@tion1761.home msg=unknown", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "lumquido5839.api.corp", - "input.type": "log", - "log.offset": 4379, - "network.direction": "unknown", - "network.protocol": "ipv6", - "observer.product": 
"FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 6907, - "related.hosts": [ - "lumquido5839.api.corp", - "tion1761.home" - ], - "related.ip": [ - "10.19.201.13", - "10.73.69.75" - ], - "related.user": [ - "tat" - ], - "rsa.counters.dclass_c1": 2655, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "unknown", - "rsa.network.alias_host": [ - "lumquido5839.api.corp" - ], - "rsa.network.domain": "tion1761.home", - "rsa.network.network_service": "https", - "server.domain": "tion1761.home", - "server.registered_domain": "tion1761.home", - "server.top_level_domain": "home", - "service.type": "fortinet", - "source.ip": "10.19.201.13", - "source.port": 5006, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "tat" - }, - { - "destination.ip": "10.84.105.75", - "destination.port": 98, - "event.action": "deny", - "event.code": "ms-wbt-server", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "September 28 05:53:42 aperia4409.www5.invalid proto=rdp service=ms-wbt-server status=deny src=10.78.151.178 dst=10.84.105.75 src_port=1846 dst_port=98 server_app=uames pid=499 app_name=msequi traff_direct=external block_count=4085 logon_user=iquaUten@santium4235.api.local msg=unknown", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "aperia4409.www5.invalid", - "input.type": "log", - "log.offset": 4640, - "network.direction": "external", - "network.protocol": "rdp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 499, - "related.hosts": [ - "aperia4409.www5.invalid", - "santium4235.api.local" - ], - "related.ip": [ - "10.78.151.178", - 
"10.84.105.75" - ], - "related.user": [ - "iquaUten" - ], - "rsa.counters.dclass_c1": 4085, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "ms-wbt-server", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "unknown", - "rsa.network.alias_host": [ - "aperia4409.www5.invalid" - ], - "rsa.network.domain": "santium4235.api.local", - "rsa.network.network_service": "ms-wbt-server", - "server.domain": "santium4235.api.local", - "server.registered_domain": "api.local", - "server.subdomain": "santium4235", - "server.top_level_domain": "local", - "service.type": "fortinet", - "source.ip": "10.78.151.178", - "source.port": 1846, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "iquaUten" - }, - { - "destination.ip": "10.25.192.202", - "destination.port": 6462, - "event.action": "deny", - "event.code": "ms-wbt-server", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "October 12 12:56:16 tem2496.api.lan proto=rdp service=ms-wbt-server status=deny src=10.135.233.146 dst=10.25.192.202 src_port=4181 dst_port=6462 server_app=ents pid=1531 app_name=Loremip traff_direct=internal block_count=4610 logon_user=emeumfu@CSed2857.www5.example msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "tem2496.api.lan", - "input.type": "log", - "log.offset": 4925, - "network.direction": "internal", - "network.protocol": "rdp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 1531, - "related.hosts": [ - "CSed2857.www5.example", - "tem2496.api.lan" - ], - "related.ip": [ - "10.135.233.146", - "10.25.192.202" - ], - "related.user": [ - "emeumfu" - ], - "rsa.counters.dclass_c1": 4610, - "rsa.counters.dclass_c1_str": "block_count", - 
"rsa.internal.messageid": "ms-wbt-server", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "tem2496.api.lan" - ], - "rsa.network.domain": "CSed2857.www5.example", - "rsa.network.network_service": "ms-wbt-server", - "server.domain": "CSed2857.www5.example", - "server.registered_domain": "www5.example", - "server.subdomain": "CSed2857", - "server.top_level_domain": "example", - "service.type": "fortinet", - "source.ip": "10.135.233.146", - "source.port": 4181, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "emeumfu" - }, - { - "destination.ip": "10.104.134.200", - "destination.port": 2508, - "event.action": "deny", - "event.code": "https", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "October 26 19:58:50 eme6710.mail.invalid proto=rdp service=https status=deny src=10.121.219.204 dst=10.104.134.200 src_port=3611 dst_port=2508 server_app=reetd pid=6051 app_name=quae traff_direct=outbound block_count=7084 logon_user=uptat@equep5085.mail.domain msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "eme6710.mail.invalid", - "input.type": "log", - "log.offset": 5204, - "network.direction": "outbound", - "network.protocol": "rdp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 6051, - "related.hosts": [ - "eme6710.mail.invalid", - "equep5085.mail.domain" - ], - "related.ip": [ - "10.104.134.200", - "10.121.219.204" - ], - "related.user": [ - "uptat" - ], - "rsa.counters.dclass_c1": 7084, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": 
"ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "eme6710.mail.invalid" - ], - "rsa.network.domain": "equep5085.mail.domain", - "rsa.network.network_service": "https", - "server.domain": "equep5085.mail.domain", - "server.registered_domain": "mail.domain", - "server.subdomain": "equep5085", - "server.top_level_domain": "domain", - "service.type": "fortinet", - "source.ip": "10.121.219.204", - "source.port": 3611, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "uptat" - }, - { - "destination.ip": "10.225.160.182", - "destination.port": 4810, - "event.action": "deny", - "event.code": "https", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "November 10 03:01:24 ihilm1669.mail.invalid proto=tcp service=https status=deny src=10.191.105.82 dst=10.225.160.182 src_port=3361 dst_port=4810 server_app=uovolup pid=6994 app_name=llu traff_direct=external block_count=3936 logon_user=eirure@conseq557.mail.lan msg=unknown", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "ihilm1669.mail.invalid", - "input.type": "log", - "log.offset": 5477, - "network.direction": "external", - "network.protocol": "tcp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 6994, - "related.hosts": [ - "conseq557.mail.lan", - "ihilm1669.mail.invalid" - ], - "related.ip": [ - "10.191.105.82", - "10.225.160.182" - ], - "related.user": [ - "eirure" - ], - "rsa.counters.dclass_c1": 3936, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "unknown", - "rsa.network.alias_host": [ - "ihilm1669.mail.invalid" - ], - "rsa.network.domain": 
"conseq557.mail.lan", - "rsa.network.network_service": "https", - "server.domain": "conseq557.mail.lan", - "server.registered_domain": "mail.lan", - "server.subdomain": "conseq557", - "server.top_level_domain": "lan", - "service.type": "fortinet", - "source.ip": "10.191.105.82", - "source.port": 3361, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "eirure" - }, - { - "destination.ip": "10.161.57.8", - "destination.port": 2716, - "event.action": "deny", - "event.code": "smtp", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "November 24 10:03:59 umexerci1284.internal.localdomain proto=rdp service=smtp status=deny src=10.141.44.153 dst=10.161.57.8 src_port=3750 dst_port=2716 server_app=oei pid=5200 app_name=snostrud traff_direct=inbound block_count=3333 logon_user=quisnos@ite2026.www.invalid msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "umexerci1284.internal.localdomain", - "input.type": "log", - "log.offset": 5751, - "network.direction": "inbound", - "network.protocol": "rdp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 5200, - "related.hosts": [ - "ite2026.www.invalid", - "umexerci1284.internal.localdomain" - ], - "related.ip": [ - "10.141.44.153", - "10.161.57.8" - ], - "related.user": [ - "quisnos" - ], - "rsa.counters.dclass_c1": 3333, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "umexerci1284.internal.localdomain" - ], - "rsa.network.domain": "ite2026.www.invalid", - "rsa.network.network_service": "smtp", - "server.domain": "ite2026.www.invalid", - "server.registered_domain": "www.invalid", - 
"server.subdomain": "ite2026", - "server.top_level_domain": "invalid", - "service.type": "fortinet", - "source.ip": "10.141.44.153", - "source.port": 3750, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "quisnos" - }, - { - "destination.ip": "10.6.167.7", - "destination.port": 2022, - "event.action": "deny", - "event.code": "https", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "December 8 17:06:33 adol485.example proto=udp service=https status=deny src=10.153.111.103 dst=10.6.167.7 src_port=4977 dst_port=2022 server_app=taevit pid=3365 app_name=nsecte traff_direct=internal block_count=7424 logon_user=eumfug@lit5929.test msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "adol485.example", - "input.type": "log", - "log.offset": 6034, - "network.direction": "internal", - "network.protocol": "udp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 3365, - "related.hosts": [ - "adol485.example", - "lit5929.test" - ], - "related.ip": [ - "10.153.111.103", - "10.6.167.7" - ], - "related.user": [ - "eumfug" - ], - "rsa.counters.dclass_c1": 7424, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "adol485.example" - ], - "rsa.network.domain": "lit5929.test", - "rsa.network.network_service": "https", - "server.domain": "lit5929.test", - "server.registered_domain": "lit5929.test", - "server.top_level_domain": "test", - "service.type": "fortinet", - "source.ip": "10.153.111.103", - "source.port": 4977, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "eumfug" - }, - { - "destination.ip": 
"10.134.148.219", - "destination.port": 4430, - "event.action": "deny", - "event.code": "pop3", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "December 23 00:09:07 evita5008.www.localdomain proto=ggp service=pop3 status=deny src=10.248.204.182 dst=10.134.148.219 src_port=1331 dst_port=4430 server_app=tmo pid=1835 app_name=abi traff_direct=inbound block_count=4168 logon_user=uioffi@oru6938.invalid msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "evita5008.www.localdomain", - "input.type": "log", - "log.offset": 6293, - "network.direction": "inbound", - "network.protocol": "ggp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 1835, - "related.hosts": [ - "evita5008.www.localdomain", - "oru6938.invalid" - ], - "related.ip": [ - "10.134.148.219", - "10.248.204.182" - ], - "related.user": [ - "uioffi" - ], - "rsa.counters.dclass_c1": 4168, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "pop3", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "evita5008.www.localdomain" - ], - "rsa.network.domain": "oru6938.invalid", - "rsa.network.network_service": "pop3", - "server.domain": "oru6938.invalid", - "server.registered_domain": "oru6938.invalid", - "server.top_level_domain": "invalid", - "service.type": "fortinet", - "source.ip": "10.248.204.182", - "source.port": 1331, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "uioffi" - }, - { - "destination.ip": "10.163.5.243", - "destination.port": 4129, - "event.action": "deny", - "event.code": "smtp", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "January 6 07:11:41 
tsedqu2456.www5.invalid proto=ipv6 service=smtp status=deny src=10.178.77.231 dst=10.163.5.243 src_port=5294 dst_port=4129 server_app=xerc pid=2019 app_name=hitecto traff_direct=unknown block_count=1123 logon_user=liquide@etdol5473.local msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "tsedqu2456.www5.invalid", - "input.type": "log", - "log.offset": 6562, - "network.direction": "unknown", - "network.protocol": "ipv6", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 2019, - "related.hosts": [ - "etdol5473.local", - "tsedqu2456.www5.invalid" - ], - "related.ip": [ - "10.163.5.243", - "10.178.77.231" - ], - "related.user": [ - "liquide" - ], - "rsa.counters.dclass_c1": 1123, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "tsedqu2456.www5.invalid" - ], - "rsa.network.domain": "etdol5473.local", - "rsa.network.network_service": "smtp", - "server.domain": "etdol5473.local", - "server.registered_domain": "etdol5473.local", - "server.top_level_domain": "local", - "service.type": "fortinet", - "source.ip": "10.178.77.231", - "source.port": 5294, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "liquide" - }, - { - "destination.ip": "10.221.89.228", - "destination.port": 2447, - "event.action": "deny", - "event.code": "smtp", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "January 20 14:14:16 ris3314.mail.invalid proto=ggp service=smtp status=deny src=10.177.194.18 dst=10.221.89.228 src_port=766 dst_port=2447 server_app=uamei pid=2493 app_name=aera traff_direct=outbound block_count=1747 
logon_user=aliquam@nimid893.mail.corp msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "ris3314.mail.invalid", - "input.type": "log", - "log.offset": 6831, - "network.direction": "outbound", - "network.protocol": "ggp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 2493, - "related.hosts": [ - "nimid893.mail.corp", - "ris3314.mail.invalid" - ], - "related.ip": [ - "10.177.194.18", - "10.221.89.228" - ], - "related.user": [ - "aliquam" - ], - "rsa.counters.dclass_c1": 1747, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "ris3314.mail.invalid" - ], - "rsa.network.domain": "nimid893.mail.corp", - "rsa.network.network_service": "smtp", - "server.domain": "nimid893.mail.corp", - "server.registered_domain": "mail.corp", - "server.subdomain": "nimid893", - "server.top_level_domain": "corp", - "service.type": "fortinet", - "source.ip": "10.177.194.18", - "source.port": 766, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "aliquam" - }, - { - "destination.ip": "10.32.239.1", - "destination.port": 3128, - "event.action": "deny", - "event.code": "ms-wbt-server", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "February 3 21:16:50 reme622.mail.example proto=icmp service=ms-wbt-server status=deny src=10.241.65.49 dst=10.32.239.1 src_port=3027 dst_port=3128 server_app=dictasu pid=3022 app_name=catc traff_direct=unknown block_count=3522 logon_user=idata@rumwritt6003.host msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "reme622.mail.example", - "input.type": "log", - 
"log.offset": 7099, - "network.direction": "unknown", - "network.protocol": "icmp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 3022, - "related.hosts": [ - "reme622.mail.example", - "rumwritt6003.host" - ], - "related.ip": [ - "10.241.65.49", - "10.32.239.1" - ], - "related.user": [ - "idata" - ], - "rsa.counters.dclass_c1": 3522, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "ms-wbt-server", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "reme622.mail.example" - ], - "rsa.network.domain": "rumwritt6003.host", - "rsa.network.network_service": "ms-wbt-server", - "server.domain": "rumwritt6003.host", - "server.registered_domain": "rumwritt6003.host", - "server.top_level_domain": "host", - "service.type": "fortinet", - "source.ip": "10.241.65.49", - "source.port": 3027, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "idata" - }, - { - "destination.ip": "10.101.57.120", - "destination.port": 6501, - "event.action": "deny", - "event.code": "http", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "February 18 04:19:24 non3341.mail.invalid proto=ggp service=http status=deny src=10.168.90.81 dst=10.101.57.120 src_port=6866 dst_port=6501 server_app=laboree pid=2328 app_name=intocc traff_direct=internal block_count=5516 logon_user=eporr@xeacomm6855.api.corp msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "non3341.mail.invalid", - "input.type": "log", - "log.offset": 7373, - "network.direction": "internal", - "network.protocol": "ggp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 2328, - 
"related.hosts": [ - "non3341.mail.invalid", - "xeacomm6855.api.corp" - ], - "related.ip": [ - "10.101.57.120", - "10.168.90.81" - ], - "related.user": [ - "eporr" - ], - "rsa.counters.dclass_c1": 5516, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "http", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "non3341.mail.invalid" - ], - "rsa.network.domain": "xeacomm6855.api.corp", - "rsa.network.network_service": "http", - "server.domain": "xeacomm6855.api.corp", - "server.registered_domain": "api.corp", - "server.subdomain": "xeacomm6855", - "server.top_level_domain": "corp", - "service.type": "fortinet", - "source.ip": "10.168.90.81", - "source.port": 6866, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "eporr" - }, - { - "destination.ip": "10.130.14.60", - "destination.port": 2051, - "event.action": "deny", - "event.code": "ms-wbt-server", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "March 4 11:21:59 ris727.api.local proto=tcp service=ms-wbt-server status=deny src=10.14.211.43 dst=10.130.14.60 src_port=4456 dst_port=2051 server_app=autfu pid=1156 app_name=tessec traff_direct=external block_count=7200 logon_user=litse@icabo4125.mail.domain msg=unknown", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "ris727.api.local", - "input.type": "log", - "log.offset": 7646, - "network.direction": "external", - "network.protocol": "tcp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 1156, - "related.hosts": [ - "icabo4125.mail.domain", - "ris727.api.local" - ], - "related.ip": [ - "10.130.14.60", - "10.14.211.43" - ], - "related.user": [ - "litse" - ], - "rsa.counters.dclass_c1": 
7200, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "ms-wbt-server", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "unknown", - "rsa.network.alias_host": [ - "ris727.api.local" - ], - "rsa.network.domain": "icabo4125.mail.domain", - "rsa.network.network_service": "ms-wbt-server", - "server.domain": "icabo4125.mail.domain", - "server.registered_domain": "mail.domain", - "server.subdomain": "icabo4125", - "server.top_level_domain": "domain", - "service.type": "fortinet", - "source.ip": "10.14.211.43", - "source.port": 4456, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "litse" - }, - { - "destination.ip": "10.248.101.25", - "destination.port": 5740, - "event.action": "deny", - "event.code": "http", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "March 18 18:24:33 stquido5705.api.host proto=icmp service=http status=deny src=10.60.129.15 dst=10.248.101.25 src_port=106 dst_port=5740 server_app=Nequepo pid=6003 app_name=pora traff_direct=unknown block_count=6437 logon_user=evolup@ionofdeF5643.www.localhost msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "stquido5705.api.host", - "input.type": "log", - "log.offset": 7918, - "network.direction": "unknown", - "network.protocol": "icmp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 6003, - "related.hosts": [ - "ionofdeF5643.www.localhost", - "stquido5705.api.host" - ], - "related.ip": [ - "10.248.101.25", - "10.60.129.15" - ], - "related.user": [ - "evolup" - ], - "rsa.counters.dclass_c1": 6437, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "http", - "rsa.investigations.ec_outcome": "Failure", - 
"rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "stquido5705.api.host" - ], - "rsa.network.domain": "ionofdeF5643.www.localhost", - "rsa.network.network_service": "http", - "server.domain": "ionofdeF5643.www.localhost", - "server.registered_domain": "www.localhost", - "server.subdomain": "ionofdeF5643", - "server.top_level_domain": "localhost", - "service.type": "fortinet", - "source.ip": "10.60.129.15", - "source.port": 106, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "evolup" - }, - { - "destination.ip": "10.111.187.12", - "destination.port": 3994, - "event.action": "deny", - "event.code": "https", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "April 2 01:27:07 etcons7378.api.lan proto=tcp service=https status=deny src=10.72.93.28 dst=10.111.187.12 src_port=3577 dst_port=3994 server_app=aper pid=5651 app_name=tur traff_direct=inbound block_count=3427 logon_user=niamqui@orem6702.invalid msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "etcons7378.api.lan", - "input.type": "log", - "log.offset": 8192, - "network.direction": "inbound", - "network.protocol": "tcp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 5651, - "related.hosts": [ - "etcons7378.api.lan", - "orem6702.invalid" - ], - "related.ip": [ - "10.111.187.12", - "10.72.93.28" - ], - "related.user": [ - "niamqui" - ], - "rsa.counters.dclass_c1": 3427, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - 
"etcons7378.api.lan" - ], - "rsa.network.domain": "orem6702.invalid", - "rsa.network.network_service": "https", - "server.domain": "orem6702.invalid", - "server.registered_domain": "orem6702.invalid", - "server.top_level_domain": "invalid", - "service.type": "fortinet", - "source.ip": "10.72.93.28", - "source.port": 3577, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "niamqui" - }, - { - "destination.ip": "10.66.2.232", - "destination.port": 5764, - "event.action": "deny", - "event.code": "ms-wbt-server", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "April 16 08:29:41 vita2681.www5.local proto=icmp service=ms-wbt-server status=deny src=10.27.14.168 dst=10.66.2.232 src_port=2224 dst_port=5764 server_app=fugiatn pid=3470 app_name=ipsumd traff_direct=outbound block_count=6708 logon_user=uirati@oin6780.mail.domain msg=unknown", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "vita2681.www5.local", - "input.type": "log", - "log.offset": 8450, - "network.direction": "outbound", - "network.protocol": "icmp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 3470, - "related.hosts": [ - "oin6780.mail.domain", - "vita2681.www5.local" - ], - "related.ip": [ - "10.27.14.168", - "10.66.2.232" - ], - "related.user": [ - "uirati" - ], - "rsa.counters.dclass_c1": 6708, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "ms-wbt-server", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "unknown", - "rsa.network.alias_host": [ - "vita2681.www5.local" - ], - "rsa.network.domain": "oin6780.mail.domain", - "rsa.network.network_service": "ms-wbt-server", - "server.domain": "oin6780.mail.domain", - "server.registered_domain": "mail.domain", - 
"server.subdomain": "oin6780", - "server.top_level_domain": "domain", - "service.type": "fortinet", - "source.ip": "10.27.14.168", - "source.port": 2224, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "uirati" - }, - { - "destination.ip": "10.195.2.130", - "destination.port": 202, - "event.action": "deny", - "event.code": "ms-wbt-server", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "April 30 15:32:16 tnulapa7592.www.local proto=ggp service=ms-wbt-server status=deny src=10.75.99.127 dst=10.195.2.130 src_port=1766 dst_port=202 server_app=mporin pid=6932 app_name=nisiuta traff_direct=internal block_count=3828 logon_user=inibusB@eprehen3224.www5.localdomain msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "tnulapa7592.www.local", - "input.type": "log", - "log.offset": 8727, - "network.direction": "internal", - "network.protocol": "ggp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 6932, - "related.hosts": [ - "eprehen3224.www5.localdomain", - "tnulapa7592.www.local" - ], - "related.ip": [ - "10.195.2.130", - "10.75.99.127" - ], - "related.user": [ - "inibusB" - ], - "rsa.counters.dclass_c1": 3828, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "ms-wbt-server", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "tnulapa7592.www.local" - ], - "rsa.network.domain": "eprehen3224.www5.localdomain", - "rsa.network.network_service": "ms-wbt-server", - "server.domain": "eprehen3224.www5.localdomain", - "server.registered_domain": "www5.localdomain", - "server.subdomain": "eprehen3224", - "server.top_level_domain": "localdomain", - "service.type": "fortinet", - 
"source.ip": "10.75.99.127", - "source.port": 1766, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "inibusB" - }, - { - "destination.ip": "10.245.104.182", - "destination.port": 55, - "event.action": "deny", - "event.code": "pop3", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "May 14 22:34:50 lup2134.www.localhost proto=ipv6 service=pop3 status=deny src=10.201.238.90 dst=10.245.104.182 src_port=3759 dst_port=55 server_app=ccaecat pid=6945 app_name=onsequ traff_direct=outbound block_count=4198 logon_user=ovol@ptasn6599.www.localhost msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "lup2134.www.localhost", - "input.type": "log", - "log.offset": 9015, - "network.direction": "outbound", - "network.protocol": "ipv6", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 6945, - "related.hosts": [ - "lup2134.www.localhost", - "ptasn6599.www.localhost" - ], - "related.ip": [ - "10.201.238.90", - "10.245.104.182" - ], - "related.user": [ - "ovol" - ], - "rsa.counters.dclass_c1": 4198, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "pop3", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "lup2134.www.localhost" - ], - "rsa.network.domain": "ptasn6599.www.localhost", - "rsa.network.network_service": "pop3", - "server.domain": "ptasn6599.www.localhost", - "server.registered_domain": "www.localhost", - "server.subdomain": "ptasn6599", - "server.top_level_domain": "localhost", - "service.type": "fortinet", - "source.ip": "10.201.238.90", - "source.port": 3759, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "ovol" - }, - { - "destination.ip": 
"10.105.91.31", - "destination.port": 5987, - "event.action": "deny", - "event.code": "http", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "May 29 05:37:24 tanimid3337.mail.corp proto=ipv6-icmp service=http status=deny src=10.217.150.196 dst=10.105.91.31 src_port=2056 dst_port=5987 server_app=loreme pid=853 app_name=psumquia traff_direct=external block_count=4444 logon_user=con@nisist2752.home msg=unknown", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "tanimid3337.mail.corp", - "input.type": "log", - "log.offset": 9287, - "network.direction": "external", - "network.protocol": "ipv6-icmp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 853, - "related.hosts": [ - "nisist2752.home", - "tanimid3337.mail.corp" - ], - "related.ip": [ - "10.105.91.31", - "10.217.150.196" - ], - "related.user": [ - "con" - ], - "rsa.counters.dclass_c1": 4444, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "http", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "unknown", - "rsa.network.alias_host": [ - "tanimid3337.mail.corp" - ], - "rsa.network.domain": "nisist2752.home", - "rsa.network.network_service": "http", - "server.domain": "nisist2752.home", - "server.registered_domain": "nisist2752.home", - "server.top_level_domain": "home", - "service.type": "fortinet", - "source.ip": "10.217.150.196", - "source.port": 2056, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "con" - }, - { - "destination.ip": "10.184.18.202", - "destination.port": 205, - "event.action": "deny", - "event.code": "https", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "June 12 12:39:58 eumiu765.api.lan 
proto=ipv6-icmp service=https status=deny src=10.4.157.1 dst=10.184.18.202 src_port=52 dst_port=205 server_app=ofdeFini pid=4153 app_name=molli traff_direct=outbound block_count=725 logon_user=oditem@gitsedqu2649.mail.lan msg=unknown", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "eumiu765.api.lan", - "input.type": "log", - "log.offset": 9556, - "network.direction": "outbound", - "network.protocol": "ipv6-icmp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 4153, - "related.hosts": [ - "eumiu765.api.lan", - "gitsedqu2649.mail.lan" - ], - "related.ip": [ - "10.184.18.202", - "10.4.157.1" - ], - "related.user": [ - "oditem" - ], - "rsa.counters.dclass_c1": 725, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "unknown", - "rsa.network.alias_host": [ - "eumiu765.api.lan" - ], - "rsa.network.domain": "gitsedqu2649.mail.lan", - "rsa.network.network_service": "https", - "server.domain": "gitsedqu2649.mail.lan", - "server.registered_domain": "mail.lan", - "server.subdomain": "gitsedqu2649", - "server.top_level_domain": "lan", - "service.type": "fortinet", - "source.ip": "10.4.157.1", - "source.port": 52, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "oditem" - }, - { - "destination.ip": "10.113.95.59", - "destination.port": 4367, - "event.action": "deny", - "event.code": "https", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "June 26 19:42:33 mquelau5326.mail.lan proto=icmp service=https status=deny src=10.255.39.252 dst=10.113.95.59 src_port=863 dst_port=4367 server_app=fugitsed pid=1693 app_name=idolo traff_direct=internal block_count=3147 
logon_user=persp@entsunt3962.www.example msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "mquelau5326.mail.lan", - "input.type": "log", - "log.offset": 9824, - "network.direction": "internal", - "network.protocol": "icmp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 1693, - "related.hosts": [ - "entsunt3962.www.example", - "mquelau5326.mail.lan" - ], - "related.ip": [ - "10.113.95.59", - "10.255.39.252" - ], - "related.user": [ - "persp" - ], - "rsa.counters.dclass_c1": 3147, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "mquelau5326.mail.lan" - ], - "rsa.network.domain": "entsunt3962.www.example", - "rsa.network.network_service": "https", - "server.domain": "entsunt3962.www.example", - "server.registered_domain": "www.example", - "server.subdomain": "entsunt3962", - "server.top_level_domain": "example", - "service.type": "fortinet", - "source.ip": "10.255.39.252", - "source.port": 863, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "persp" - }, - { - "destination.ip": "10.83.177.2", - "destination.port": 1827, - "event.action": "deny", - "event.code": "http", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "July 11 02:45:07 idestlab2631.www.lan proto=tcp service=http status=deny src=10.27.16.118 dst=10.83.177.2 src_port=18 dst_port=1827 server_app=iat pid=337 app_name=rinre traff_direct=internal block_count=1300 logon_user=borios@tut2703.www.host msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "idestlab2631.www.lan", - "input.type": "log", - 
"log.offset": 10097, - "network.direction": "internal", - "network.protocol": "tcp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 337, - "related.hosts": [ - "idestlab2631.www.lan", - "tut2703.www.host" - ], - "related.ip": [ - "10.27.16.118", - "10.83.177.2" - ], - "related.user": [ - "borios" - ], - "rsa.counters.dclass_c1": 1300, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "http", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "idestlab2631.www.lan" - ], - "rsa.network.domain": "tut2703.www.host", - "rsa.network.network_service": "http", - "server.domain": "tut2703.www.host", - "server.registered_domain": "www.host", - "server.subdomain": "tut2703", - "server.top_level_domain": "host", - "service.type": "fortinet", - "source.ip": "10.27.16.118", - "source.port": 18, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "borios" - }, - { - "destination.ip": "10.167.227.44", - "destination.port": 5736, - "event.action": "deny", - "event.code": "http", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "July 25 09:47:41 inesci6789.test proto=udp service=http status=deny src=10.38.54.72 dst=10.167.227.44 src_port=6595 dst_port=5736 server_app=lillum pid=7041 app_name=its traff_direct=outbound block_count=7644 logon_user=riamea@entorev160.test msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "inesci6789.test", - "input.type": "log", - "log.offset": 10353, - "network.direction": "outbound", - "network.protocol": "udp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 7041, - "related.hosts": [ - 
"entorev160.test", - "inesci6789.test" - ], - "related.ip": [ - "10.167.227.44", - "10.38.54.72" - ], - "related.user": [ - "riamea" - ], - "rsa.counters.dclass_c1": 7644, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "http", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "inesci6789.test" - ], - "rsa.network.domain": "entorev160.test", - "rsa.network.network_service": "http", - "server.domain": "entorev160.test", - "server.registered_domain": "entorev160.test", - "server.top_level_domain": "test", - "service.type": "fortinet", - "source.ip": "10.38.54.72", - "source.port": 6595, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "riamea" - }, - { - "destination.ip": "10.215.205.216", - "destination.port": 647, - "event.action": "deny", - "event.code": "http", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "August 8 16:50:15 ccaeca7077.internal.corp proto=tcp service=http status=deny src=10.216.54.184 dst=10.215.205.216 src_port=1495 dst_port=647 server_app=riat pid=3854 app_name=psaquaea traff_direct=external block_count=7536 logon_user=ameiusm@proide3714.mail.localdomain msg=unknown", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "ccaeca7077.internal.corp", - "input.type": "log", - "log.offset": 10608, - "network.direction": "external", - "network.protocol": "tcp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 3854, - "related.hosts": [ - "ccaeca7077.internal.corp", - "proide3714.mail.localdomain" - ], - "related.ip": [ - "10.215.205.216", - "10.216.54.184" - ], - "related.user": [ - "ameiusm" - ], - "rsa.counters.dclass_c1": 7536, - "rsa.counters.dclass_c1_str": 
"block_count", - "rsa.internal.messageid": "http", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "unknown", - "rsa.network.alias_host": [ - "ccaeca7077.internal.corp" - ], - "rsa.network.domain": "proide3714.mail.localdomain", - "rsa.network.network_service": "http", - "server.domain": "proide3714.mail.localdomain", - "server.registered_domain": "mail.localdomain", - "server.subdomain": "proide3714", - "server.top_level_domain": "localdomain", - "service.type": "fortinet", - "source.ip": "10.216.54.184", - "source.port": 1495, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "ameiusm" - }, - { - "destination.ip": "10.9.18.237", - "destination.port": 2486, - "event.action": "deny", - "event.code": "smtp", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "August 22 23:52:50 ima2031.api.corp proto=igmp service=smtp status=deny src=10.9.12.248 dst=10.9.18.237 src_port=765 dst_port=2486 server_app=tpersp pid=55 app_name=seosqui traff_direct=internal block_count=6379 logon_user=uradi@tot5313.mail.invalid msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "ima2031.api.corp", - "input.type": "log", - "log.offset": 10891, - "network.direction": "internal", - "network.protocol": "igmp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 55, - "related.hosts": [ - "ima2031.api.corp", - "tot5313.mail.invalid" - ], - "related.ip": [ - "10.9.12.248", - "10.9.18.237" - ], - "related.user": [ - "uradi" - ], - "rsa.counters.dclass_c1": 6379, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": 
"ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "ima2031.api.corp" - ], - "rsa.network.domain": "tot5313.mail.invalid", - "rsa.network.network_service": "smtp", - "server.domain": "tot5313.mail.invalid", - "server.registered_domain": "mail.invalid", - "server.subdomain": "tot5313", - "server.top_level_domain": "invalid", - "service.type": "fortinet", - "source.ip": "10.9.12.248", - "source.port": 765, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "uradi" - }, - { - "destination.ip": "10.41.123.102", - "destination.port": 2300, - "event.action": "deny", - "event.code": "https", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "September 6 06:55:24 ian867.internal.corp proto=rdp service=https status=deny src=10.83.130.226 dst=10.41.123.102 src_port=1542 dst_port=2300 server_app=odoconse pid=228 app_name=quatu traff_direct=external block_count=7661 logon_user=tenim@rumet3801.internal.domain msg=unknown", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "ian867.internal.corp", - "input.type": "log", - "log.offset": 11153, - "network.direction": "external", - "network.protocol": "rdp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 228, - "related.hosts": [ - "ian867.internal.corp", - "rumet3801.internal.domain" - ], - "related.ip": [ - "10.41.123.102", - "10.83.130.226" - ], - "related.user": [ - "tenim" - ], - "rsa.counters.dclass_c1": 7661, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "unknown", - "rsa.network.alias_host": [ - "ian867.internal.corp" - ], - "rsa.network.domain": 
"rumet3801.internal.domain", - "rsa.network.network_service": "https", - "server.domain": "rumet3801.internal.domain", - "server.registered_domain": "internal.domain", - "server.subdomain": "rumet3801", - "server.top_level_domain": "domain", - "service.type": "fortinet", - "source.ip": "10.83.130.226", - "source.port": 1542, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "tenim" - }, - { - "destination.ip": "10.80.152.108", - "destination.port": 2742, - "event.action": "deny", - "event.code": "pop3", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "September 20 13:57:58 lorin4249.corp proto=tcp service=pop3 status=deny src=10.175.112.197 dst=10.80.152.108 src_port=1749 dst_port=2742 server_app=exeacom pid=4253 app_name=rita traff_direct=outbound block_count=6984 logon_user=tametcon@liqua2834.www5.lan msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "lorin4249.corp", - "input.type": "log", - "log.offset": 11432, - "network.direction": "outbound", - "network.protocol": "tcp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 4253, - "related.hosts": [ - "liqua2834.www5.lan", - "lorin4249.corp" - ], - "related.ip": [ - "10.175.112.197", - "10.80.152.108" - ], - "related.user": [ - "tametcon" - ], - "rsa.counters.dclass_c1": 6984, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "pop3", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "lorin4249.corp" - ], - "rsa.network.domain": "liqua2834.www5.lan", - "rsa.network.network_service": "pop3", - "server.domain": "liqua2834.www5.lan", - "server.registered_domain": "www5.lan", - "server.subdomain": "liqua2834", - 
"server.top_level_domain": "lan", - "service.type": "fortinet", - "source.ip": "10.175.112.197", - "source.port": 1749, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "tametcon" - }, - { - "destination.ip": "10.142.25.100", - "destination.port": 5770, - "event.action": "deny", - "event.code": "smtp", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "October 4 21:00:32 gnaaliqu3935.api.test proto=udp service=smtp status=deny src=10.134.18.114 dst=10.142.25.100 src_port=2761 dst_port=5770 server_app=mdol pid=2200 app_name=nby traff_direct=internal block_count=624 logon_user=osqui@sequat7273.api.host msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "gnaaliqu3935.api.test", - "input.type": "log", - "log.offset": 11701, - "network.direction": "internal", - "network.protocol": "udp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 2200, - "related.hosts": [ - "gnaaliqu3935.api.test", - "sequat7273.api.host" - ], - "related.ip": [ - "10.134.18.114", - "10.142.25.100" - ], - "related.user": [ - "osqui" - ], - "rsa.counters.dclass_c1": 624, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "gnaaliqu3935.api.test" - ], - "rsa.network.domain": "sequat7273.api.host", - "rsa.network.network_service": "smtp", - "server.domain": "sequat7273.api.host", - "server.registered_domain": "api.host", - "server.subdomain": "sequat7273", - "server.top_level_domain": "host", - "service.type": "fortinet", - "source.ip": "10.134.18.114", - "source.port": 2761, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": 
"osqui" - }, - { - "destination.ip": "10.223.119.218", - "destination.port": 300, - "event.action": "deny", - "event.code": "http", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "October 19 04:03:07 nsequat1859.internal.localhost proto=udp service=http status=deny src=10.28.118.160 dst=10.223.119.218 src_port=6247 dst_port=300 server_app=umexerc pid=5717 app_name=intocc traff_direct=internal block_count=4387 logon_user=ntsunt@uidol4575.localhost msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "nsequat1859.internal.localhost", - "input.type": "log", - "log.offset": 11966, - "network.direction": "internal", - "network.protocol": "udp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 5717, - "related.hosts": [ - "nsequat1859.internal.localhost", - "uidol4575.localhost" - ], - "related.ip": [ - "10.223.119.218", - "10.28.118.160" - ], - "related.user": [ - "ntsunt" - ], - "rsa.counters.dclass_c1": 4387, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "http", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "nsequat1859.internal.localhost" - ], - "rsa.network.domain": "uidol4575.localhost", - "rsa.network.network_service": "http", - "server.domain": "uidol4575.localhost", - "server.registered_domain": "uidol4575.localhost", - "server.top_level_domain": "localhost", - "service.type": "fortinet", - "source.ip": "10.28.118.160", - "source.port": 6247, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "ntsunt" - }, - { - "destination.ip": "10.47.28.48", - "destination.port": 3032, - "event.action": "deny", - "event.code": "https", - "event.dataset": 
"fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "November 2 11:05:41 ritin2495.api.corp proto=ggp service=https status=deny src=10.110.114.175 dst=10.47.28.48 src_port=4986 dst_port=3032 server_app=tatem pid=4469 app_name=luptat traff_direct=unknown block_count=4488 logon_user=plicab@oremq2000.api.corp msg=unknown", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "ritin2495.api.corp", - "input.type": "log", - "log.offset": 12249, - "network.direction": "unknown", - "network.protocol": "ggp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 4469, - "related.hosts": [ - "oremq2000.api.corp", - "ritin2495.api.corp" - ], - "related.ip": [ - "10.110.114.175", - "10.47.28.48" - ], - "related.user": [ - "plicab" - ], - "rsa.counters.dclass_c1": 4488, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "unknown", - "rsa.network.alias_host": [ - "ritin2495.api.corp" - ], - "rsa.network.domain": "oremq2000.api.corp", - "rsa.network.network_service": "https", - "server.domain": "oremq2000.api.corp", - "server.registered_domain": "api.corp", - "server.subdomain": "oremq2000", - "server.top_level_domain": "corp", - "service.type": "fortinet", - "source.ip": "10.110.114.175", - "source.port": 4986, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "plicab" - }, - { - "destination.ip": "10.90.33.138", - "destination.port": 7876, - "event.action": "deny", - "event.code": "pop3", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "November 16 18:08:15 tetur2694.mail.local proto=ggp service=pop3 status=deny src=10.40.251.202 dst=10.90.33.138 src_port=5733 
dst_port=7876 server_app=enimadmi pid=5524 app_name=lupta traff_direct=external block_count=6847 logon_user=nvolupt@oremi1485.api.localhost msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "tetur2694.mail.local", - "input.type": "log", - "log.offset": 12516, - "network.direction": "external", - "network.protocol": "ggp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 5524, - "related.hosts": [ - "oremi1485.api.localhost", - "tetur2694.mail.local" - ], - "related.ip": [ - "10.40.251.202", - "10.90.33.138" - ], - "related.user": [ - "nvolupt" - ], - "rsa.counters.dclass_c1": 6847, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "pop3", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "tetur2694.mail.local" - ], - "rsa.network.domain": "oremi1485.api.localhost", - "rsa.network.network_service": "pop3", - "server.domain": "oremi1485.api.localhost", - "server.registered_domain": "api.localhost", - "server.subdomain": "oremi1485", - "server.top_level_domain": "localhost", - "service.type": "fortinet", - "source.ip": "10.40.251.202", - "source.port": 5733, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "nvolupt" - }, - { - "destination.ip": "10.227.173.252", - "destination.port": 5337, - "event.action": "deny", - "event.code": "ms-wbt-server", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "December 1 01:10:49 rem7043.localhost proto=ipv6 service=ms-wbt-server status=deny src=10.65.2.106 dst=10.227.173.252 src_port=5410 dst_port=5337 server_app=nisiut pid=3624 app_name=teturad traff_direct=external block_count=7576 logon_user=itation@sequatD5469.www5.lan msg=unknown", 
- "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "rem7043.localhost", - "input.type": "log", - "log.offset": 12794, - "network.direction": "external", - "network.protocol": "ipv6", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 3624, - "related.hosts": [ - "rem7043.localhost", - "sequatD5469.www5.lan" - ], - "related.ip": [ - "10.227.173.252", - "10.65.2.106" - ], - "related.user": [ - "itation" - ], - "rsa.counters.dclass_c1": 7576, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "ms-wbt-server", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "unknown", - "rsa.network.alias_host": [ - "rem7043.localhost" - ], - "rsa.network.domain": "sequatD5469.www5.lan", - "rsa.network.network_service": "ms-wbt-server", - "server.domain": "sequatD5469.www5.lan", - "server.registered_domain": "www5.lan", - "server.subdomain": "sequatD5469", - "server.top_level_domain": "lan", - "service.type": "fortinet", - "source.ip": "10.65.2.106", - "source.port": 5410, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "itation" - }, - { - "destination.ip": "10.28.84.106", - "destination.port": 4844, - "event.action": "deny", - "event.code": "https", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "December 15 08:13:24 emqu2846.internal.home proto=udp service=https status=deny src=10.193.233.229 dst=10.28.84.106 src_port=2859 dst_port=4844 server_app=eaqu pid=1609 app_name=uptatemU traff_direct=inbound block_count=3096 logon_user=tla@item2738.test msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "emqu2846.internal.home", - "input.type": "log", - "log.offset": 13075, - "network.direction": "inbound", - 
"network.protocol": "udp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 1609, - "related.hosts": [ - "emqu2846.internal.home", - "item2738.test" - ], - "related.ip": [ - "10.193.233.229", - "10.28.84.106" - ], - "related.user": [ - "tla" - ], - "rsa.counters.dclass_c1": 3096, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "emqu2846.internal.home" - ], - "rsa.network.domain": "item2738.test", - "rsa.network.network_service": "https", - "server.domain": "item2738.test", - "server.registered_domain": "item2738.test", - "server.top_level_domain": "test", - "service.type": "fortinet", - "source.ip": "10.193.233.229", - "source.port": 2859, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "tla" - }, - { - "destination.ip": "10.210.89.183", - "destination.port": 2589, - "event.action": "deny", - "event.code": "ms-wbt-server", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "December 29 15:15:58 dqu6144.api.localhost proto=ggp service=ms-wbt-server status=deny src=10.150.245.88 dst=10.210.89.183 src_port=3642 dst_port=2589 server_app=ulpa pid=6248 app_name=iusmodte traff_direct=external block_count=2700 logon_user=sequa@iosamnis1047.internal.localdomain msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "dqu6144.api.localhost", - "input.type": "log", - "log.offset": 13341, - "network.direction": "external", - "network.protocol": "ggp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 6248, - "related.hosts": [ - "dqu6144.api.localhost", - 
"iosamnis1047.internal.localdomain" - ], - "related.ip": [ - "10.150.245.88", - "10.210.89.183" - ], - "related.user": [ - "sequa" - ], - "rsa.counters.dclass_c1": 2700, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "ms-wbt-server", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "dqu6144.api.localhost" - ], - "rsa.network.domain": "iosamnis1047.internal.localdomain", - "rsa.network.network_service": "ms-wbt-server", - "server.domain": "iosamnis1047.internal.localdomain", - "server.registered_domain": "internal.localdomain", - "server.subdomain": "iosamnis1047", - "server.top_level_domain": "localdomain", - "service.type": "fortinet", - "source.ip": "10.150.245.88", - "source.port": 3642, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "sequa" - }, - { - "destination.ip": "10.85.185.13", - "destination.port": 7793, - "event.action": "deny", - "event.code": "ms-wbt-server", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "January 12 22:18:32 giatquov1918.internal.example proto=udp service=ms-wbt-server status=deny src=10.180.195.43 dst=10.85.185.13 src_port=4540 dst_port=7793 server_app=gnaal pid=7224 app_name=proident traff_direct=outbound block_count=1867 logon_user=voluptas@orroq6677.internal.example msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "giatquov1918.internal.example", - "input.type": "log", - "log.offset": 13637, - "network.direction": "outbound", - "network.protocol": "udp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 7224, - "related.hosts": [ - "giatquov1918.internal.example", - "orroq6677.internal.example" - ], - "related.ip": [ - 
"10.180.195.43", - "10.85.185.13" - ], - "related.user": [ - "voluptas" - ], - "rsa.counters.dclass_c1": 1867, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "ms-wbt-server", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "giatquov1918.internal.example" - ], - "rsa.network.domain": "orroq6677.internal.example", - "rsa.network.network_service": "ms-wbt-server", - "server.domain": "orroq6677.internal.example", - "server.registered_domain": "internal.example", - "server.subdomain": "orroq6677", - "server.top_level_domain": "example", - "service.type": "fortinet", - "source.ip": "10.180.195.43", - "source.port": 4540, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "voluptas" - }, - { - "destination.ip": "10.210.28.247", - "destination.port": 7257, - "event.action": "deny", - "event.code": "ms-wbt-server", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "January 27 05:21:06 estl5804.internal.local proto=udp service=ms-wbt-server status=deny src=10.207.211.230 dst=10.210.28.247 src_port=3449 dst_port=7257 server_app=ssecil pid=430 app_name=iuntNe traff_direct=unknown block_count=7672 logon_user=tate@onevo4326.internal.local msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "estl5804.internal.local", - "input.type": "log", - "log.offset": 13936, - "network.direction": "unknown", - "network.protocol": "udp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 430, - "related.hosts": [ - "estl5804.internal.local", - "onevo4326.internal.local" - ], - "related.ip": [ - "10.207.211.230", - "10.210.28.247" - ], - "related.user": [ - "tate" - ], - "rsa.counters.dclass_c1": 7672, 
- "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "ms-wbt-server", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "estl5804.internal.local" - ], - "rsa.network.domain": "onevo4326.internal.local", - "rsa.network.network_service": "ms-wbt-server", - "server.domain": "onevo4326.internal.local", - "server.registered_domain": "internal.local", - "server.subdomain": "onevo4326", - "server.top_level_domain": "local", - "service.type": "fortinet", - "source.ip": "10.207.211.230", - "source.port": 3449, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "tate" - }, - { - "destination.ip": "10.248.165.185", - "destination.port": 5460, - "event.action": "deny", - "event.code": "ms-wbt-server", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "February 10 12:23:41 Sedut1775.www.domain proto=rdp service=ms-wbt-server status=deny src=10.86.11.48 dst=10.248.165.185 src_port=3436 dst_port=5460 server_app=olorsi pid=3589 app_name=exeaco traff_direct=external block_count=4801 logon_user=dquiac@itaedict7233.mail.localdomain msg=unknown", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "Sedut1775.www.domain", - "input.type": "log", - "log.offset": 14222, - "network.direction": "external", - "network.protocol": "rdp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 3589, - "related.hosts": [ - "Sedut1775.www.domain", - "itaedict7233.mail.localdomain" - ], - "related.ip": [ - "10.248.165.185", - "10.86.11.48" - ], - "related.user": [ - "dquiac" - ], - "rsa.counters.dclass_c1": 4801, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "ms-wbt-server", - 
"rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "unknown", - "rsa.network.alias_host": [ - "Sedut1775.www.domain" - ], - "rsa.network.domain": "itaedict7233.mail.localdomain", - "rsa.network.network_service": "ms-wbt-server", - "server.domain": "itaedict7233.mail.localdomain", - "server.registered_domain": "mail.localdomain", - "server.subdomain": "itaedict7233", - "server.top_level_domain": "localdomain", - "service.type": "fortinet", - "source.ip": "10.86.11.48", - "source.port": 3436, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "dquiac" - }, - { - "destination.ip": "10.47.125.38", - "destination.port": 3896, - "event.action": "deny", - "event.code": "http", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "February 24 19:26:15 mac7484.www5.test proto=ipv6-icmp service=http status=deny src=10.118.6.177 dst=10.47.125.38 src_port=6977 dst_port=3896 server_app=isn pid=4814 app_name=omm traff_direct=outbound block_count=1844 logon_user=quunt@numquam5869.internal.example msg=unknown", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "mac7484.www5.test", - "input.type": "log", - "log.offset": 14513, - "network.direction": "outbound", - "network.protocol": "ipv6-icmp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 4814, - "related.hosts": [ - "mac7484.www5.test", - "numquam5869.internal.example" - ], - "related.ip": [ - "10.118.6.177", - "10.47.125.38" - ], - "related.user": [ - "quunt" - ], - "rsa.counters.dclass_c1": 1844, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "http", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - 
"rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "unknown", - "rsa.network.alias_host": [ - "mac7484.www5.test" - ], - "rsa.network.domain": "numquam5869.internal.example", - "rsa.network.network_service": "http", - "server.domain": "numquam5869.internal.example", - "server.registered_domain": "internal.example", - "server.subdomain": "numquam5869", - "server.top_level_domain": "example", - "service.type": "fortinet", - "source.ip": "10.118.6.177", - "source.port": 6977, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "quunt" - }, - { - "destination.ip": "10.60.142.127", - "destination.port": 5112, - "event.action": "deny", - "event.code": "pop3", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "March 11 02:28:49 oin1140.mail.localhost proto=icmp service=pop3 status=deny src=10.50.233.155 dst=10.60.142.127 src_port=1081 dst_port=5112 server_app=urExce pid=276 app_name=nturm traff_direct=outbound block_count=2241 logon_user=atv@onu6137.api.home msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "oin1140.mail.localhost", - "input.type": "log", - "log.offset": 14789, - "network.direction": "outbound", - "network.protocol": "icmp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 276, - "related.hosts": [ - "oin1140.mail.localhost", - "onu6137.api.home" - ], - "related.ip": [ - "10.50.233.155", - "10.60.142.127" - ], - "related.user": [ - "atv" - ], - "rsa.counters.dclass_c1": 2241, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "pop3", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "oin1140.mail.localhost" - ], - "rsa.network.domain": "onu6137.api.home", - 
"rsa.network.network_service": "pop3", - "server.domain": "onu6137.api.home", - "server.registered_domain": "api.home", - "server.subdomain": "onu6137", - "server.top_level_domain": "home", - "service.type": "fortinet", - "source.ip": "10.50.233.155", - "source.port": 1081, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "atv" - }, - { - "destination.ip": "10.120.10.211", - "destination.port": 7661, - "event.action": "deny", - "event.code": "http", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "March 25 09:31:24 naaliq3710.api.local proto=rdp service=http status=deny src=10.28.82.189 dst=10.120.10.211 src_port=3916 dst_port=7661 server_app=odt pid=2452 app_name=inv traff_direct=internal block_count=7705 logon_user=rcit@aecatcup2241.www5.test msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "naaliq3710.api.local", - "input.type": "log", - "log.offset": 15054, - "network.direction": "internal", - "network.protocol": "rdp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 2452, - "related.hosts": [ - "aecatcup2241.www5.test", - "naaliq3710.api.local" - ], - "related.ip": [ - "10.120.10.211", - "10.28.82.189" - ], - "related.user": [ - "rcit" - ], - "rsa.counters.dclass_c1": 7705, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "http", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "naaliq3710.api.local" - ], - "rsa.network.domain": "aecatcup2241.www5.test", - "rsa.network.network_service": "http", - "server.domain": "aecatcup2241.www5.test", - "server.registered_domain": "www5.test", - "server.subdomain": "aecatcup2241", - "server.top_level_domain": "test", - 
"service.type": "fortinet", - "source.ip": "10.28.82.189", - "source.port": 3916, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "rcit" - }, - { - "destination.ip": "10.6.38.163", - "destination.port": 4059, - "event.action": "deny", - "event.code": "pop3", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "April 8 16:33:58 volupta3552.internal.localhost proto=ipv6 service=pop3 status=deny src=10.31.237.225 dst=10.6.38.163 src_port=6153 dst_port=4059 server_app=oreveri pid=3453 app_name=avolu traff_direct=inbound block_count=2820 logon_user=olup@labor6360.mail.local msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "volupta3552.internal.localhost", - "input.type": "log", - "log.offset": 15318, - "network.direction": "inbound", - "network.protocol": "ipv6", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 3453, - "related.hosts": [ - "labor6360.mail.local", - "volupta3552.internal.localhost" - ], - "related.ip": [ - "10.31.237.225", - "10.6.38.163" - ], - "related.user": [ - "olup" - ], - "rsa.counters.dclass_c1": 2820, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "pop3", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "volupta3552.internal.localhost" - ], - "rsa.network.domain": "labor6360.mail.local", - "rsa.network.network_service": "pop3", - "server.domain": "labor6360.mail.local", - "server.registered_domain": "mail.local", - "server.subdomain": "labor6360", - "server.top_level_domain": "local", - "service.type": "fortinet", - "source.ip": "10.31.237.225", - "source.port": 6153, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "olup" 
- }, - { - "destination.ip": "10.125.165.144", - "destination.port": 7889, - "event.action": "deny", - "event.code": "https", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "April 22 23:36:32 onse380.internal.localdomain proto=ggp service=https status=deny src=10.226.5.189 dst=10.125.165.144 src_port=3371 dst_port=7889 server_app=dexerc pid=2302 app_name=tatem traff_direct=inbound block_count=5407 logon_user=mvolu@mveleum4322.www5.host msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "onse380.internal.localdomain", - "input.type": "log", - "log.offset": 15594, - "network.direction": "inbound", - "network.protocol": "ggp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 2302, - "related.hosts": [ - "mveleum4322.www5.host", - "onse380.internal.localdomain" - ], - "related.ip": [ - "10.125.165.144", - "10.226.5.189" - ], - "related.user": [ - "mvolu" - ], - "rsa.counters.dclass_c1": 5407, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "onse380.internal.localdomain" - ], - "rsa.network.domain": "mveleum4322.www5.host", - "rsa.network.network_service": "https", - "server.domain": "mveleum4322.www5.host", - "server.registered_domain": "www5.host", - "server.subdomain": "mveleum4322", - "server.top_level_domain": "host", - "service.type": "fortinet", - "source.ip": "10.226.5.189", - "source.port": 3371, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "mvolu" - }, - { - "destination.ip": "10.46.56.204", - "destination.port": 5070, - "event.action": "deny", - "event.code": "smtp", - "event.dataset": 
"fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "May 7 06:39:06 queips4947.mail.example proto=udp service=smtp status=deny src=10.97.149.97 dst=10.46.56.204 src_port=2463 dst_port=5070 server_app=uela pid=7079 app_name=umf traff_direct=unknown block_count=2441 logon_user=dolorsit@archite1843.mail.home msg=unknown", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "queips4947.mail.example", - "input.type": "log", - "log.offset": 15872, - "network.direction": "unknown", - "network.protocol": "udp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 7079, - "related.hosts": [ - "archite1843.mail.home", - "queips4947.mail.example" - ], - "related.ip": [ - "10.46.56.204", - "10.97.149.97" - ], - "related.user": [ - "dolorsit" - ], - "rsa.counters.dclass_c1": 2441, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "unknown", - "rsa.network.alias_host": [ - "queips4947.mail.example" - ], - "rsa.network.domain": "archite1843.mail.home", - "rsa.network.network_service": "smtp", - "server.domain": "archite1843.mail.home", - "server.registered_domain": "mail.home", - "server.subdomain": "archite1843", - "server.top_level_domain": "home", - "service.type": "fortinet", - "source.ip": "10.97.149.97", - "source.port": 2463, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "dolorsit" - }, - { - "destination.ip": "10.28.105.124", - "destination.port": 4797, - "event.action": "deny", - "event.code": "https", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "May 21 13:41:41 oloreseo5039.test proto=ggp service=https status=deny src=10.218.0.197 dst=10.28.105.124 
src_port=7581 dst_port=4797 server_app=eritin pid=5773 app_name=litsedq traff_direct=outbound block_count=5749 logon_user=ntNe@itanim4024.api.example msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "oloreseo5039.test", - "input.type": "log", - "log.offset": 16138, - "network.direction": "outbound", - "network.protocol": "ggp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 5773, - "related.hosts": [ - "itanim4024.api.example", - "oloreseo5039.test" - ], - "related.ip": [ - "10.218.0.197", - "10.28.105.124" - ], - "related.user": [ - "ntNe" - ], - "rsa.counters.dclass_c1": 5749, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "oloreseo5039.test" - ], - "rsa.network.domain": "itanim4024.api.example", - "rsa.network.network_service": "https", - "server.domain": "itanim4024.api.example", - "server.registered_domain": "api.example", - "server.subdomain": "itanim4024", - "server.top_level_domain": "example", - "service.type": "fortinet", - "source.ip": "10.218.0.197", - "source.port": 7581, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "ntNe" - }, - { - "destination.ip": "10.17.87.79", - "destination.port": 3414, - "event.action": "deny", - "event.code": "https", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "June 4 20:44:15 minim459.mail.local proto=rdp service=https status=deny src=10.123.199.198 dst=10.17.87.79 src_port=6332 dst_port=3414 server_app=tionula pid=1586 app_name=ate traff_direct=outbound block_count=5006 logon_user=ratvolu@nreprehe715.api.home msg=unknown", - "event.outcome": "failure", - 
"fileset.name": "clientendpoint", - "host.name": "minim459.mail.local", - "input.type": "log", - "log.offset": 16405, - "network.direction": "outbound", - "network.protocol": "rdp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 1586, - "related.hosts": [ - "minim459.mail.local", - "nreprehe715.api.home" - ], - "related.ip": [ - "10.123.199.198", - "10.17.87.79" - ], - "related.user": [ - "ratvolu" - ], - "rsa.counters.dclass_c1": 5006, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "unknown", - "rsa.network.alias_host": [ - "minim459.mail.local" - ], - "rsa.network.domain": "nreprehe715.api.home", - "rsa.network.network_service": "https", - "server.domain": "nreprehe715.api.home", - "server.registered_domain": "api.home", - "server.subdomain": "nreprehe715", - "server.top_level_domain": "home", - "service.type": "fortinet", - "source.ip": "10.123.199.198", - "source.port": 6332, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "ratvolu" - }, - { - "destination.ip": "10.115.68.40", - "destination.port": 5483, - "event.action": "deny", - "event.code": "https", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "June 19 03:46:49 eratv211.api.host proto=rdp service=https status=deny src=10.38.86.177 dst=10.115.68.40 src_port=5768 dst_port=5483 server_app=boNem pid=5137 app_name=ssusci traff_direct=internal block_count=2841 logon_user=mpo@unte893.internal.host msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "eratv211.api.host", - "input.type": "log", - "log.offset": 16672, - "network.direction": "internal", - "network.protocol": "rdp", - 
"observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 5137, - "related.hosts": [ - "eratv211.api.host", - "unte893.internal.host" - ], - "related.ip": [ - "10.115.68.40", - "10.38.86.177" - ], - "related.user": [ - "mpo" - ], - "rsa.counters.dclass_c1": 2841, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "eratv211.api.host" - ], - "rsa.network.domain": "unte893.internal.host", - "rsa.network.network_service": "https", - "server.domain": "unte893.internal.host", - "server.registered_domain": "internal.host", - "server.subdomain": "unte893", - "server.top_level_domain": "host", - "service.type": "fortinet", - "source.ip": "10.38.86.177", - "source.port": 5768, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "mpo" - }, - { - "destination.ip": "10.115.174.107", - "destination.port": 5597, - "event.action": "deny", - "event.code": "https", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "July 3 10:49:23 aparia1179.www.localdomain proto=tcp service=https status=deny src=10.193.118.163 dst=10.115.174.107 src_port=548 dst_port=5597 server_app=acom pid=5704 app_name=dolorem traff_direct=internal block_count=10 logon_user=exeacomm@aspe951.mail.domain msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "aparia1179.www.localdomain", - "input.type": "log", - "log.offset": 16935, - "network.direction": "internal", - "network.protocol": "tcp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 5704, - "related.hosts": [ - "aparia1179.www.localdomain", - 
"aspe951.mail.domain" - ], - "related.ip": [ - "10.115.174.107", - "10.193.118.163" - ], - "related.user": [ - "exeacomm" - ], - "rsa.counters.dclass_c1": 10, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "aparia1179.www.localdomain" - ], - "rsa.network.domain": "aspe951.mail.domain", - "rsa.network.network_service": "https", - "server.domain": "aspe951.mail.domain", - "server.registered_domain": "mail.domain", - "server.subdomain": "aspe951", - "server.top_level_domain": "domain", - "service.type": "fortinet", - "source.ip": "10.193.118.163", - "source.port": 548, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "exeacomm" - }, - { - "destination.ip": "10.77.77.208", - "destination.port": 1101, - "event.action": "deny", - "event.code": "http", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "July 17 17:51:58 iatqu6203.mail.corp proto=icmp service=http status=deny src=10.37.128.49 dst=10.77.77.208 src_port=625 dst_port=1101 server_app=esci pid=2310 app_name=essecill traff_direct=external block_count=2653 logon_user=moles@dipiscin4957.www.home msg=unknown", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "iatqu6203.mail.corp", - "input.type": "log", - "log.offset": 17210, - "network.direction": "external", - "network.protocol": "icmp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 2310, - "related.hosts": [ - "dipiscin4957.www.home", - "iatqu6203.mail.corp" - ], - "related.ip": [ - "10.37.128.49", - "10.77.77.208" - ], - "related.user": [ - "moles" - ], - "rsa.counters.dclass_c1": 2653, - "rsa.counters.dclass_c1_str": 
"block_count", - "rsa.internal.messageid": "http", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "unknown", - "rsa.network.alias_host": [ - "iatqu6203.mail.corp" - ], - "rsa.network.domain": "dipiscin4957.www.home", - "rsa.network.network_service": "http", - "server.domain": "dipiscin4957.www.home", - "server.registered_domain": "www.home", - "server.subdomain": "dipiscin4957", - "server.top_level_domain": "home", - "service.type": "fortinet", - "source.ip": "10.37.128.49", - "source.port": 625, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "moles" - }, - { - "destination.ip": "10.1.96.93", - "destination.port": 428, - "event.action": "deny", - "event.code": "ms-wbt-server", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "August 1 00:54:32 ptasnula6576.api.invalid proto=tcp service=ms-wbt-server status=deny src=10.54.73.158 dst=10.1.96.93 src_port=5752 dst_port=428 server_app=docon pid=5398 app_name=ntium traff_direct=internal block_count=4392 logon_user=lloinven@econs2687.internal.localdomain msg=unknown", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "ptasnula6576.api.invalid", - "input.type": "log", - "log.offset": 17477, - "network.direction": "internal", - "network.protocol": "tcp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 5398, - "related.hosts": [ - "econs2687.internal.localdomain", - "ptasnula6576.api.invalid" - ], - "related.ip": [ - "10.1.96.93", - "10.54.73.158" - ], - "related.user": [ - "lloinven" - ], - "rsa.counters.dclass_c1": 4392, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "ms-wbt-server", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": 
"NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "unknown", - "rsa.network.alias_host": [ - "ptasnula6576.api.invalid" - ], - "rsa.network.domain": "econs2687.internal.localdomain", - "rsa.network.network_service": "ms-wbt-server", - "server.domain": "econs2687.internal.localdomain", - "server.registered_domain": "internal.localdomain", - "server.subdomain": "econs2687", - "server.top_level_domain": "localdomain", - "service.type": "fortinet", - "source.ip": "10.54.73.158", - "source.port": 5752, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "lloinven" - }, - { - "destination.ip": "10.182.152.242", - "destination.port": 6998, - "event.action": "deny", - "event.code": "smtp", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "August 15 07:57:06 mag1506.internal.domain proto=igmp service=smtp status=deny src=10.131.126.109 dst=10.182.152.242 src_port=1877 dst_port=6998 server_app=rcitat pid=2465 app_name=ecillum traff_direct=inbound block_count=3208 logon_user=dolor@tiumto5834.api.lan msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "mag1506.internal.domain", - "input.type": "log", - "log.offset": 17766, - "network.direction": "inbound", - "network.protocol": "igmp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 2465, - "related.hosts": [ - "mag1506.internal.domain", - "tiumto5834.api.lan" - ], - "related.ip": [ - "10.131.126.109", - "10.182.152.242" - ], - "related.user": [ - "dolor" - ], - "rsa.counters.dclass_c1": 3208, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - 
"rsa.network.alias_host": [ - "mag1506.internal.domain" - ], - "rsa.network.domain": "tiumto5834.api.lan", - "rsa.network.network_service": "smtp", - "server.domain": "tiumto5834.api.lan", - "server.registered_domain": "api.lan", - "server.subdomain": "tiumto5834", - "server.top_level_domain": "lan", - "service.type": "fortinet", - "source.ip": "10.131.126.109", - "source.port": 1877, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "dolor" - }, - { - "destination.ip": "10.77.229.168", - "destination.port": 3777, - "event.action": "deny", - "event.code": "http", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "August 29 14:59:40 fugits1163.host proto=icmp service=http status=deny src=10.181.247.224 dst=10.77.229.168 src_port=260 dst_port=3777 server_app=atatnon pid=6064 app_name=abor traff_direct=external block_count=329 logon_user=adol@iutal6032.www.test msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "fugits1163.host", - "input.type": "log", - "log.offset": 18041, - "network.direction": "external", - "network.protocol": "icmp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 6064, - "related.hosts": [ - "fugits1163.host", - "iutal6032.www.test" - ], - "related.ip": [ - "10.181.247.224", - "10.77.229.168" - ], - "related.user": [ - "adol" - ], - "rsa.counters.dclass_c1": 329, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "http", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "fugits1163.host" - ], - "rsa.network.domain": "iutal6032.www.test", - "rsa.network.network_service": "http", - "server.domain": "iutal6032.www.test", - "server.registered_domain": 
"www.test", - "server.subdomain": "iutal6032", - "server.top_level_domain": "test", - "service.type": "fortinet", - "source.ip": "10.181.247.224", - "source.port": 260, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "adol" - }, - { - "destination.ip": "10.72.162.6", - "destination.port": 5516, - "event.action": "deny", - "event.code": "http", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "September 12 22:02:15 gitse2463.www5.invalid proto=ipv6-icmp service=http status=deny src=10.235.116.121 dst=10.72.162.6 src_port=1 dst_port=5516 server_app=emp pid=2861 app_name=luptas traff_direct=outbound block_count=1444 logon_user=oinv@inculp2078.host msg=unknown", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "gitse2463.www5.invalid", - "input.type": "log", - "log.offset": 18303, - "network.direction": "outbound", - "network.protocol": "ipv6-icmp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 2861, - "related.hosts": [ - "gitse2463.www5.invalid", - "inculp2078.host" - ], - "related.ip": [ - "10.235.116.121", - "10.72.162.6" - ], - "related.user": [ - "oinv" - ], - "rsa.counters.dclass_c1": 1444, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "http", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "unknown", - "rsa.network.alias_host": [ - "gitse2463.www5.invalid" - ], - "rsa.network.domain": "inculp2078.host", - "rsa.network.network_service": "http", - "server.domain": "inculp2078.host", - "server.registered_domain": "inculp2078.host", - "server.top_level_domain": "host", - "service.type": "fortinet", - "source.ip": "10.235.116.121", - "source.port": 1, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - 
"user.name": "oinv" - }, - { - "destination.ip": "10.28.124.236", - "destination.port": 3434, - "event.action": "deny", - "event.code": "https", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "September 27 05:04:49 temse6953.www.example proto=ipv6-icmp service=https status=deny src=10.149.193.117 dst=10.28.124.236 src_port=5343 dst_port=3434 server_app=atcupi pid=3559 app_name=edquia traff_direct=internal block_count=3176 logon_user=mullam@mexerc2757.internal.home msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "temse6953.www.example", - "input.type": "log", - "log.offset": 18572, - "network.direction": "internal", - "network.protocol": "ipv6-icmp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 3559, - "related.hosts": [ - "mexerc2757.internal.home", - "temse6953.www.example" - ], - "related.ip": [ - "10.149.193.117", - "10.28.124.236" - ], - "related.user": [ - "mullam" - ], - "rsa.counters.dclass_c1": 3176, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "temse6953.www.example" - ], - "rsa.network.domain": "mexerc2757.internal.home", - "rsa.network.network_service": "https", - "server.domain": "mexerc2757.internal.home", - "server.registered_domain": "internal.home", - "server.subdomain": "mexerc2757", - "server.top_level_domain": "home", - "service.type": "fortinet", - "source.ip": "10.149.193.117", - "source.port": 5343, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "mullam" - }, - { - "destination.ip": "10.196.96.162", - "destination.port": 6378, - "event.action": "deny", - "event.code": "http", - 
"event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "October 11 12:07:23 deriti6952.mail.domain proto=ipv6-icmp service=http status=deny src=10.34.131.224 dst=10.196.96.162 src_port=649 dst_port=6378 server_app=equatDu pid=1710 app_name=aconse traff_direct=outbound block_count=7174 logon_user=tnonproi@squira4455.api.domain msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "deriti6952.mail.domain", - "input.type": "log", - "log.offset": 18860, - "network.direction": "outbound", - "network.protocol": "ipv6-icmp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 1710, - "related.hosts": [ - "deriti6952.mail.domain", - "squira4455.api.domain" - ], - "related.ip": [ - "10.196.96.162", - "10.34.131.224" - ], - "related.user": [ - "tnonproi" - ], - "rsa.counters.dclass_c1": 7174, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "http", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "deriti6952.mail.domain" - ], - "rsa.network.domain": "squira4455.api.domain", - "rsa.network.network_service": "http", - "server.domain": "squira4455.api.domain", - "server.registered_domain": "api.domain", - "server.subdomain": "squira4455", - "server.top_level_domain": "domain", - "service.type": "fortinet", - "source.ip": "10.34.131.224", - "source.port": 649, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "tnonproi" - }, - { - "destination.ip": "10.77.78.180", - "destination.port": 5380, - "event.action": "deny", - "event.code": "https", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "October 25 19:09:57 abor1370.www.domain proto=ipv6-icmp 
service=https status=deny src=10.97.236.123 dst=10.77.78.180 src_port=5159 dst_port=5380 server_app=reetdol pid=4984 app_name=ugi traff_direct=inbound block_count=4782 logon_user=nisi@emveleum3661.localhost msg=unknown", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "abor1370.www.domain", - "input.type": "log", - "log.offset": 19144, - "network.direction": "inbound", - "network.protocol": "ipv6-icmp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 4984, - "related.hosts": [ - "abor1370.www.domain", - "emveleum3661.localhost" - ], - "related.ip": [ - "10.77.78.180", - "10.97.236.123" - ], - "related.user": [ - "nisi" - ], - "rsa.counters.dclass_c1": 4782, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "unknown", - "rsa.network.alias_host": [ - "abor1370.www.domain" - ], - "rsa.network.domain": "emveleum3661.localhost", - "rsa.network.network_service": "https", - "server.domain": "emveleum3661.localhost", - "server.registered_domain": "emveleum3661.localhost", - "server.top_level_domain": "localhost", - "service.type": "fortinet", - "source.ip": "10.97.236.123", - "source.port": 5159, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "nisi" - }, - { - "destination.ip": "10.45.54.107", - "destination.port": 3593, - "event.action": "deny", - "event.code": "ms-wbt-server", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "November 9 02:12:32 emullamc5418.mail.test proto=ipv6 service=ms-wbt-server status=deny src=10.82.133.66 dst=10.45.54.107 src_port=7229 dst_port=3593 server_app=nse pid=3421 app_name=quira traff_direct=unknown block_count=5362 
logon_user=olorem@sedquiac6517.internal.localhost msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "emullamc5418.mail.test", - "input.type": "log", - "log.offset": 19419, - "network.direction": "unknown", - "network.protocol": "ipv6", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 3421, - "related.hosts": [ - "emullamc5418.mail.test", - "sedquiac6517.internal.localhost" - ], - "related.ip": [ - "10.45.54.107", - "10.82.133.66" - ], - "related.user": [ - "olorem" - ], - "rsa.counters.dclass_c1": 5362, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "ms-wbt-server", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "emullamc5418.mail.test" - ], - "rsa.network.domain": "sedquiac6517.internal.localhost", - "rsa.network.network_service": "ms-wbt-server", - "server.domain": "sedquiac6517.internal.localhost", - "server.registered_domain": "internal.localhost", - "server.subdomain": "sedquiac6517", - "server.top_level_domain": "localhost", - "service.type": "fortinet", - "source.ip": "10.82.133.66", - "source.port": 7229, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "olorem" - }, - { - "destination.ip": "10.170.252.219", - "destination.port": 2454, - "event.action": "deny", - "event.code": "pop3", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "November 23 09:15:06 squirati7050.www5.lan proto=rdp service=pop3 status=deny src=10.180.180.230 dst=10.170.252.219 src_port=4147 dst_port=2454 server_app=tesseci pid=4020 app_name=radipis traff_direct=external block_count=7020 logon_user=nse@veniam3148.www5.home msg=failure", - "event.outcome": "failure", - "fileset.name": 
"clientendpoint", - "host.name": "squirati7050.www5.lan", - "input.type": "log", - "log.offset": 19708, - "network.direction": "external", - "network.protocol": "rdp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 4020, - "related.hosts": [ - "squirati7050.www5.lan", - "veniam3148.www5.home" - ], - "related.ip": [ - "10.170.252.219", - "10.180.180.230" - ], - "related.user": [ - "nse" - ], - "rsa.counters.dclass_c1": 7020, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "pop3", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "squirati7050.www5.lan" - ], - "rsa.network.domain": "veniam3148.www5.home", - "rsa.network.network_service": "pop3", - "server.domain": "veniam3148.www5.home", - "server.registered_domain": "www5.home", - "server.subdomain": "veniam3148", - "server.top_level_domain": "home", - "service.type": "fortinet", - "source.ip": "10.180.180.230", - "source.port": 4147, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "nse" - }, - { - "destination.ip": "10.65.144.51", - "destination.port": 2283, - "event.action": "deny", - "event.code": "http", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "December 7 16:17:40 venia2079.mail.example proto=rdp service=http status=deny src=10.5.11.205 dst=10.65.144.51 src_port=4901 dst_port=2283 server_app=lumqu pid=617 app_name=autf traff_direct=outbound block_count=5050 logon_user=uptat@unt3559.www.home msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "venia2079.mail.example", - "input.type": "log", - "log.offset": 19984, - "network.direction": "outbound", - "network.protocol": "rdp", - "observer.product": 
"FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 617, - "related.hosts": [ - "unt3559.www.home", - "venia2079.mail.example" - ], - "related.ip": [ - "10.5.11.205", - "10.65.144.51" - ], - "related.user": [ - "uptat" - ], - "rsa.counters.dclass_c1": 5050, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "http", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "venia2079.mail.example" - ], - "rsa.network.domain": "unt3559.www.home", - "rsa.network.network_service": "http", - "server.domain": "unt3559.www.home", - "server.registered_domain": "www.home", - "server.subdomain": "unt3559", - "server.top_level_domain": "home", - "service.type": "fortinet", - "source.ip": "10.5.11.205", - "source.port": 4901, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "uptat" - }, - { - "destination.ip": "10.76.122.196", - "destination.port": 5325, - "event.action": "deny", - "event.code": "smtp", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "December 21 23:20:14 snostrum3450.www5.localhost proto=udp service=smtp status=deny src=10.195.223.82 dst=10.76.122.196 src_port=3128 dst_port=5325 server_app=atu pid=487 app_name=iame traff_direct=external block_count=593 logon_user=umiurer@rere5274.mail.domain msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "snostrum3450.www5.localhost", - "input.type": "log", - "log.offset": 20247, - "network.direction": "external", - "network.protocol": "udp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 487, - "related.hosts": [ - "rere5274.mail.domain", - "snostrum3450.www5.localhost" - ], - 
"related.ip": [ - "10.195.223.82", - "10.76.122.196" - ], - "related.user": [ - "umiurer" - ], - "rsa.counters.dclass_c1": 593, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "snostrum3450.www5.localhost" - ], - "rsa.network.domain": "rere5274.mail.domain", - "rsa.network.network_service": "smtp", - "server.domain": "rere5274.mail.domain", - "server.registered_domain": "mail.domain", - "server.subdomain": "rere5274", - "server.top_level_domain": "domain", - "service.type": "fortinet", - "source.ip": "10.195.223.82", - "source.port": 3128, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "umiurer" - }, - { - "destination.ip": "10.225.255.211", - "destination.port": 3369, - "event.action": "deny", - "event.code": "ms-wbt-server", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "January 5 06:22:49 gelitsed3249.corp proto=icmp service=ms-wbt-server status=deny src=10.138.210.116 dst=10.225.255.211 src_port=5595 dst_port=3369 server_app=rum pid=2442 app_name=eursinto traff_direct=external block_count=956 logon_user=fugiatn@uaeabi3728.www5.invalid msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "gelitsed3249.corp", - "input.type": "log", - "log.offset": 20522, - "network.direction": "external", - "network.protocol": "icmp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 2442, - "related.hosts": [ - "gelitsed3249.corp", - "uaeabi3728.www5.invalid" - ], - "related.ip": [ - "10.138.210.116", - "10.225.255.211" - ], - "related.user": [ - "fugiatn" - ], - "rsa.counters.dclass_c1": 956, - "rsa.counters.dclass_c1_str": 
"block_count", - "rsa.internal.messageid": "ms-wbt-server", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "gelitsed3249.corp" - ], - "rsa.network.domain": "uaeabi3728.www5.invalid", - "rsa.network.network_service": "ms-wbt-server", - "server.domain": "uaeabi3728.www5.invalid", - "server.registered_domain": "www5.invalid", - "server.subdomain": "uaeabi3728", - "server.top_level_domain": "invalid", - "service.type": "fortinet", - "source.ip": "10.138.210.116", - "source.port": 5595, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "fugiatn" - }, - { - "destination.ip": "10.219.1.151", - "destination.port": 4323, - "event.action": "deny", - "event.code": "smtp", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "January 19 13:25:23 dolor7082.internal.localhost proto=icmp service=smtp status=deny src=10.250.81.189 dst=10.219.1.151 src_port=5404 dst_port=4323 server_app=redo pid=6311 app_name=ditautf traff_direct=external block_count=3262 logon_user=ori@uamqu2804.test msg=unknown", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "dolor7082.internal.localhost", - "input.type": "log", - "log.offset": 20805, - "network.direction": "external", - "network.protocol": "icmp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 6311, - "related.hosts": [ - "dolor7082.internal.localhost", - "uamqu2804.test" - ], - "related.ip": [ - "10.219.1.151", - "10.250.81.189" - ], - "related.user": [ - "ori" - ], - "rsa.counters.dclass_c1": 3262, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - 
"rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "unknown", - "rsa.network.alias_host": [ - "dolor7082.internal.localhost" - ], - "rsa.network.domain": "uamqu2804.test", - "rsa.network.network_service": "smtp", - "server.domain": "uamqu2804.test", - "server.registered_domain": "uamqu2804.test", - "server.top_level_domain": "test", - "service.type": "fortinet", - "source.ip": "10.250.81.189", - "source.port": 5404, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "ori" - }, - { - "destination.ip": "10.76.125.70", - "destination.port": 756, - "event.action": "deny", - "event.code": "https", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "February 2 20:27:57 totam6886.api.localhost proto=ggp service=https status=deny src=10.54.23.133 dst=10.76.125.70 src_port=3258 dst_port=756 server_app=oluptat pid=7128 app_name=eseruntm traff_direct=internal block_count=1916 logon_user=oloreeu@olor5201.host msg=unknown", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "totam6886.api.localhost", - "input.type": "log", - "log.offset": 21076, - "network.direction": "internal", - "network.protocol": "ggp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 7128, - "related.hosts": [ - "olor5201.host", - "totam6886.api.localhost" - ], - "related.ip": [ - "10.54.23.133", - "10.76.125.70" - ], - "related.user": [ - "oloreeu" - ], - "rsa.counters.dclass_c1": 1916, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "unknown", - "rsa.network.alias_host": [ - "totam6886.api.localhost" - ], - "rsa.network.domain": "olor5201.host", - 
"rsa.network.network_service": "https", - "server.domain": "olor5201.host", - "server.registered_domain": "olor5201.host", - "server.top_level_domain": "host", - "service.type": "fortinet", - "source.ip": "10.54.23.133", - "source.port": 3258, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "oloreeu" - }, - { - "destination.ip": "10.189.42.62", - "destination.port": 4262, - "event.action": "deny", - "event.code": "http", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "February 17 03:30:32 laborum5749.www.example proto=igmp service=http status=deny src=10.36.110.69 dst=10.189.42.62 src_port=4187 dst_port=4262 server_app=duntut pid=2780 app_name=ullamc traff_direct=unknown block_count=170 logon_user=eque@eufug3348.www.lan msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "laborum5749.www.example", - "input.type": "log", - "log.offset": 21347, - "network.direction": "unknown", - "network.protocol": "igmp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 2780, - "related.hosts": [ - "eufug3348.www.lan", - "laborum5749.www.example" - ], - "related.ip": [ - "10.189.42.62", - "10.36.110.69" - ], - "related.user": [ - "eque" - ], - "rsa.counters.dclass_c1": 170, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "http", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "laborum5749.www.example" - ], - "rsa.network.domain": "eufug3348.www.lan", - "rsa.network.network_service": "http", - "server.domain": "eufug3348.www.lan", - "server.registered_domain": "www.lan", - "server.subdomain": "eufug3348", - "server.top_level_domain": "lan", - "service.type": "fortinet", - "source.ip": 
"10.36.110.69", - "source.port": 4187, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "eque" - }, - { - "destination.ip": "10.183.202.82", - "destination.port": 2208, - "event.action": "deny", - "event.code": "https", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "March 3 10:33:06 lup3313.api.home proto=tcp service=https status=deny src=10.47.179.68 dst=10.183.202.82 src_port=5107 dst_port=2208 server_app=usmod pid=3284 app_name=amni traff_direct=unknown block_count=2645 logon_user=umfugi@stquidol239.www5.invalid msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "lup3313.api.home", - "input.type": "log", - "log.offset": 21616, - "network.direction": "unknown", - "network.protocol": "tcp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 3284, - "related.hosts": [ - "lup3313.api.home", - "stquidol239.www5.invalid" - ], - "related.ip": [ - "10.183.202.82", - "10.47.179.68" - ], - "related.user": [ - "umfugi" - ], - "rsa.counters.dclass_c1": 2645, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "lup3313.api.home" - ], - "rsa.network.domain": "stquidol239.www5.invalid", - "rsa.network.network_service": "https", - "server.domain": "stquidol239.www5.invalid", - "server.registered_domain": "www5.invalid", - "server.subdomain": "stquidol239", - "server.top_level_domain": "invalid", - "service.type": "fortinet", - "source.ip": "10.47.179.68", - "source.port": 5107, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "umfugi" - }, - { - "destination.ip": "10.221.206.74", - "destination.port": 
1480, - "event.action": "deny", - "event.code": "pop3", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "March 17 17:35:40 edq5397.www.test proto=ipv6-icmp service=pop3 status=deny src=10.73.28.165 dst=10.221.206.74 src_port=3668 dst_port=1480 server_app=ihilmole pid=2314 app_name=litanim traff_direct=inbound block_count=5572 logon_user=quas@gia6531.mail.invalid msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "edq5397.www.test", - "input.type": "log", - "log.offset": 21882, - "network.direction": "inbound", - "network.protocol": "ipv6-icmp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 2314, - "related.hosts": [ - "edq5397.www.test", - "gia6531.mail.invalid" - ], - "related.ip": [ - "10.221.206.74", - "10.73.28.165" - ], - "related.user": [ - "quas" - ], - "rsa.counters.dclass_c1": 5572, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "pop3", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "edq5397.www.test" - ], - "rsa.network.domain": "gia6531.mail.invalid", - "rsa.network.network_service": "pop3", - "server.domain": "gia6531.mail.invalid", - "server.registered_domain": "mail.invalid", - "server.subdomain": "gia6531", - "server.top_level_domain": "invalid", - "service.type": "fortinet", - "source.ip": "10.73.28.165", - "source.port": 3668, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "quas" - }, - { - "destination.ip": "10.14.204.36", - "destination.port": 4887, - "event.action": "deny", - "event.code": "ms-wbt-server", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "April 1 00:38:14 udan6536.www5.test 
proto=ipv6 service=ms-wbt-server status=deny src=10.85.104.146 dst=10.14.204.36 src_port=3442 dst_port=4887 server_app=qua pid=5284 app_name=ents traff_direct=inbound block_count=973 logon_user=emp@lamcola4879.www5.localdomain msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "udan6536.www5.test", - "input.type": "log", - "log.offset": 22154, - "network.direction": "inbound", - "network.protocol": "ipv6", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 5284, - "related.hosts": [ - "lamcola4879.www5.localdomain", - "udan6536.www5.test" - ], - "related.ip": [ - "10.14.204.36", - "10.85.104.146" - ], - "related.user": [ - "emp" - ], - "rsa.counters.dclass_c1": 973, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "ms-wbt-server", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "udan6536.www5.test" - ], - "rsa.network.domain": "lamcola4879.www5.localdomain", - "rsa.network.network_service": "ms-wbt-server", - "server.domain": "lamcola4879.www5.localdomain", - "server.registered_domain": "www5.localdomain", - "server.subdomain": "lamcola4879", - "server.top_level_domain": "localdomain", - "service.type": "fortinet", - "source.ip": "10.85.104.146", - "source.port": 3442, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "emp" - }, - { - "destination.ip": "10.30.246.132", - "destination.port": 388, - "event.action": "deny", - "event.code": "https", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "April 15 07:40:49 rumet6923.www5.lan proto=rdp service=https status=deny src=10.208.18.210 dst=10.30.246.132 src_port=3601 dst_port=388 server_app=texplica pid=3990 app_name=ore 
traff_direct=outbound block_count=5624 logon_user=veniam@edquian330.mail.local msg=unknown", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "rumet6923.www5.lan", - "input.type": "log", - "log.offset": 22429, - "network.direction": "outbound", - "network.protocol": "rdp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 3990, - "related.hosts": [ - "edquian330.mail.local", - "rumet6923.www5.lan" - ], - "related.ip": [ - "10.208.18.210", - "10.30.246.132" - ], - "related.user": [ - "veniam" - ], - "rsa.counters.dclass_c1": 5624, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "unknown", - "rsa.network.alias_host": [ - "rumet6923.www5.lan" - ], - "rsa.network.domain": "edquian330.mail.local", - "rsa.network.network_service": "https", - "server.domain": "edquian330.mail.local", - "server.registered_domain": "mail.local", - "server.subdomain": "edquian330", - "server.top_level_domain": "local", - "service.type": "fortinet", - "source.ip": "10.208.18.210", - "source.port": 3601, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "veniam" - }, - { - "destination.ip": "10.19.119.17", - "destination.port": 3822, - "event.action": "deny", - "event.code": "pop3", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "April 29 14:43:23 itse522.internal.localdomain proto=udp service=pop3 status=deny src=10.106.249.91 dst=10.19.119.17 src_port=1732 dst_port=3822 server_app=veleumi pid=4337 app_name=tvol traff_direct=unknown block_count=2783 logon_user=lit@santi837.api.domain msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": 
"itse522.internal.localdomain", - "input.type": "log", - "log.offset": 22698, - "network.direction": "unknown", - "network.protocol": "udp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 4337, - "related.hosts": [ - "itse522.internal.localdomain", - "santi837.api.domain" - ], - "related.ip": [ - "10.106.249.91", - "10.19.119.17" - ], - "related.user": [ - "lit" - ], - "rsa.counters.dclass_c1": 2783, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "pop3", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "itse522.internal.localdomain" - ], - "rsa.network.domain": "santi837.api.domain", - "rsa.network.network_service": "pop3", - "server.domain": "santi837.api.domain", - "server.registered_domain": "api.domain", - "server.subdomain": "santi837", - "server.top_level_domain": "domain", - "service.type": "fortinet", - "source.ip": "10.106.249.91", - "source.port": 1732, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "lit" - }, - { - "destination.ip": "10.181.41.154", - "destination.port": 866, - "event.action": "deny", - "event.code": "http", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "May 13 21:45:57 amc3059.local proto=igmp service=http status=deny src=10.29.109.126 dst=10.181.41.154 src_port=6261 dst_port=866 server_app=itseddo pid=5275 app_name=seos traff_direct=unknown block_count=6721 logon_user=labo@lpaquiof804.internal.invalid msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "amc3059.local", - "input.type": "log", - "log.offset": 22970, - "network.direction": "unknown", - "network.protocol": "igmp", - "observer.product": "FortiClient", - "observer.type": 
"Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 5275, - "related.hosts": [ - "amc3059.local", - "lpaquiof804.internal.invalid" - ], - "related.ip": [ - "10.181.41.154", - "10.29.109.126" - ], - "related.user": [ - "labo" - ], - "rsa.counters.dclass_c1": 6721, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "http", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "amc3059.local" - ], - "rsa.network.domain": "lpaquiof804.internal.invalid", - "rsa.network.network_service": "http", - "server.domain": "lpaquiof804.internal.invalid", - "server.registered_domain": "internal.invalid", - "server.subdomain": "lpaquiof804", - "server.top_level_domain": "invalid", - "service.type": "fortinet", - "source.ip": "10.29.109.126", - "source.port": 6261, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "labo" - }, - { - "destination.ip": "10.164.120.197", - "destination.port": 2304, - "event.action": "deny", - "event.code": "https", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "May 28 04:48:31 enbyCi3813.api.domain proto=ipv6-icmp service=https status=deny src=10.164.207.42 dst=10.164.120.197 src_port=1901 dst_port=2304 server_app=itametco pid=2286 app_name=remip traff_direct=external block_count=3116 logon_user=pta@nonn4478.host msg=unknown", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "enbyCi3813.api.domain", - "input.type": "log", - "log.offset": 23236, - "network.direction": "external", - "network.protocol": "ipv6-icmp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 2286, - "related.hosts": [ - "enbyCi3813.api.domain", - "nonn4478.host" - ], - "related.ip": [ - 
"10.164.120.197", - "10.164.207.42" - ], - "related.user": [ - "pta" - ], - "rsa.counters.dclass_c1": 3116, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "unknown", - "rsa.network.alias_host": [ - "enbyCi3813.api.domain" - ], - "rsa.network.domain": "nonn4478.host", - "rsa.network.network_service": "https", - "server.domain": "nonn4478.host", - "server.registered_domain": "nonn4478.host", - "server.top_level_domain": "host", - "service.type": "fortinet", - "source.ip": "10.164.207.42", - "source.port": 1901, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "pta" - }, - { - "destination.ip": "10.154.191.225", - "destination.port": 7856, - "event.action": "deny", - "event.code": "smtp", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "June 11 11:51:06 liquipex1155.mail.corp proto=ipv6-icmp service=smtp status=deny src=10.183.189.133 dst=10.154.191.225 src_port=5347 dst_port=7856 server_app=Loremip pid=2990 app_name=tur traff_direct=unknown block_count=6105 logon_user=ita@amquaer3985.www5.example msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "liquipex1155.mail.corp", - "input.type": "log", - "log.offset": 23505, - "network.direction": "unknown", - "network.protocol": "ipv6-icmp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 2990, - "related.hosts": [ - "amquaer3985.www5.example", - "liquipex1155.mail.corp" - ], - "related.ip": [ - "10.154.191.225", - "10.183.189.133" - ], - "related.user": [ - "ita" - ], - "rsa.counters.dclass_c1": 6105, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", - 
"rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "liquipex1155.mail.corp" - ], - "rsa.network.domain": "amquaer3985.www5.example", - "rsa.network.network_service": "smtp", - "server.domain": "amquaer3985.www5.example", - "server.registered_domain": "www5.example", - "server.subdomain": "amquaer3985", - "server.top_level_domain": "example", - "service.type": "fortinet", - "source.ip": "10.183.189.133", - "source.port": 5347, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "ita" - }, - { - "destination.ip": "10.103.189.199", - "destination.port": 767, - "event.action": "deny", - "event.code": "smtp", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "June 25 18:53:40 isn3991.local proto=igmp service=smtp status=deny src=10.29.120.226 dst=10.103.189.199 src_port=1296 dst_port=767 server_app=exerci pid=226 app_name=eserun traff_direct=outbound block_count=5452 logon_user=emu@orem6317.local msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "isn3991.local", - "input.type": "log", - "log.offset": 23783, - "network.direction": "outbound", - "network.protocol": "igmp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 226, - "related.hosts": [ - "isn3991.local", - "orem6317.local" - ], - "related.ip": [ - "10.103.189.199", - "10.29.120.226" - ], - "related.user": [ - "emu" - ], - "rsa.counters.dclass_c1": 5452, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - 
"rsa.network.alias_host": [ - "isn3991.local" - ], - "rsa.network.domain": "orem6317.local", - "rsa.network.network_service": "smtp", - "server.domain": "orem6317.local", - "server.registered_domain": "orem6317.local", - "server.top_level_domain": "local", - "service.type": "fortinet", - "source.ip": "10.29.120.226", - "source.port": 1296, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "emu" - }, - { - "destination.ip": "10.210.153.7", - "destination.port": 7030, - "event.action": "deny", - "event.code": "https", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "July 10 01:56:14 iumtotam1010.www5.corp proto=icmp service=https status=deny src=10.133.254.23 dst=10.210.153.7 src_port=6251 dst_port=7030 server_app=nofdeFi pid=4691 app_name=sautei traff_direct=external block_count=2088 logon_user=voluptas@velill3230.www.corp msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "iumtotam1010.www5.corp", - "input.type": "log", - "log.offset": 24037, - "network.direction": "external", - "network.protocol": "icmp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 4691, - "related.hosts": [ - "iumtotam1010.www5.corp", - "velill3230.www.corp" - ], - "related.ip": [ - "10.133.254.23", - "10.210.153.7" - ], - "related.user": [ - "voluptas" - ], - "rsa.counters.dclass_c1": 2088, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "iumtotam1010.www5.corp" - ], - "rsa.network.domain": "velill3230.www.corp", - "rsa.network.network_service": "https", - "server.domain": "velill3230.www.corp", - "server.registered_domain": "www.corp", - 
"server.subdomain": "velill3230", - "server.top_level_domain": "corp", - "service.type": "fortinet", - "source.ip": "10.133.254.23", - "source.port": 6251, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "voluptas" - }, - { - "destination.ip": "10.91.2.135", - "destination.port": 2141, - "event.action": "deny", - "event.code": "pop3", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "July 24 08:58:48 onsecte91.www5.localdomain proto=tcp service=pop3 status=deny src=10.126.245.73 dst=10.91.2.135 src_port=180 dst_port=2141 server_app=ender pid=5647 app_name=rumSecti traff_direct=outbound block_count=4680 logon_user=olore@orumS757.www5.corp msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "onsecte91.www5.localdomain", - "input.type": "log", - "log.offset": 24312, - "network.direction": "outbound", - "network.protocol": "tcp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 5647, - "related.hosts": [ - "onsecte91.www5.localdomain", - "orumS757.www5.corp" - ], - "related.ip": [ - "10.126.245.73", - "10.91.2.135" - ], - "related.user": [ - "olore" - ], - "rsa.counters.dclass_c1": 4680, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "pop3", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "onsecte91.www5.localdomain" - ], - "rsa.network.domain": "orumS757.www5.corp", - "rsa.network.network_service": "pop3", - "server.domain": "orumS757.www5.corp", - "server.registered_domain": "www5.corp", - "server.subdomain": "orumS757", - "server.top_level_domain": "corp", - "service.type": "fortinet", - "source.ip": "10.126.245.73", - "source.port": 180, - "tags": [ - 
"fortinet.clientendpoint", - "forwarded" - ], - "user.name": "olore" - }, - { - "destination.ip": "10.137.85.123", - "destination.port": 7073, - "event.action": "deny", - "event.code": "https", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "August 7 16:01:23 abori7686.internal.host proto=rdp service=https status=deny src=10.183.243.246 dst=10.137.85.123 src_port=218 dst_port=7073 server_app=ntsunti pid=2313 app_name=magnam traff_direct=internal block_count=6402 logon_user=cid@emi4534.www.localdomain msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "abori7686.internal.host", - "input.type": "log", - "log.offset": 24583, - "network.direction": "internal", - "network.protocol": "rdp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 2313, - "related.hosts": [ - "abori7686.internal.host", - "emi4534.www.localdomain" - ], - "related.ip": [ - "10.137.85.123", - "10.183.243.246" - ], - "related.user": [ - "cid" - ], - "rsa.counters.dclass_c1": 6402, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "https", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "abori7686.internal.host" - ], - "rsa.network.domain": "emi4534.www.localdomain", - "rsa.network.network_service": "https", - "server.domain": "emi4534.www.localdomain", - "server.registered_domain": "www.localdomain", - "server.subdomain": "emi4534", - "server.top_level_domain": "localdomain", - "service.type": "fortinet", - "source.ip": "10.183.243.246", - "source.port": 218, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "cid" - }, - { - "destination.ip": "10.10.86.55", - "destination.port": 5132, - "event.action": 
"deny", - "event.code": "smtp", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "August 21 23:03:57 reprehen3513.test proto=ipv6 service=smtp status=deny src=10.61.225.196 dst=10.10.86.55 src_port=4720 dst_port=5132 server_app=isiu pid=1585 app_name=mmodi traff_direct=external block_count=3034 logon_user=eniamqu@inimav1576.mail.example msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "reprehen3513.test", - "input.type": "log", - "log.offset": 24859, - "network.direction": "external", - "network.protocol": "ipv6", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 1585, - "related.hosts": [ - "inimav1576.mail.example", - "reprehen3513.test" - ], - "related.ip": [ - "10.10.86.55", - "10.61.225.196" - ], - "related.user": [ - "eniamqu" - ], - "rsa.counters.dclass_c1": 3034, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "reprehen3513.test" - ], - "rsa.network.domain": "inimav1576.mail.example", - "rsa.network.network_service": "smtp", - "server.domain": "inimav1576.mail.example", - "server.registered_domain": "mail.example", - "server.subdomain": "inimav1576", - "server.top_level_domain": "example", - "service.type": "fortinet", - "source.ip": "10.61.225.196", - "source.port": 4720, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "eniamqu" - }, - { - "destination.ip": "10.79.73.195", - "destination.port": 457, - "event.action": "deny", - "event.code": "http", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "September 5 06:06:31 orroquis284.api.domain proto=udp 
service=http status=deny src=10.125.143.153 dst=10.79.73.195 src_port=2657 dst_port=457 server_app=umf pid=3141 app_name=moll traff_direct=outbound block_count=7645 logon_user=emip@aturQu7083.mail.host msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "orroquis284.api.domain", - "input.type": "log", - "log.offset": 25128, - "network.direction": "outbound", - "network.protocol": "udp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 3141, - "related.hosts": [ - "aturQu7083.mail.host", - "orroquis284.api.domain" - ], - "related.ip": [ - "10.125.143.153", - "10.79.73.195" - ], - "related.user": [ - "emip" - ], - "rsa.counters.dclass_c1": 7645, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "http", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "orroquis284.api.domain" - ], - "rsa.network.domain": "aturQu7083.mail.host", - "rsa.network.network_service": "http", - "server.domain": "aturQu7083.mail.host", - "server.registered_domain": "mail.host", - "server.subdomain": "aturQu7083", - "server.top_level_domain": "host", - "service.type": "fortinet", - "source.ip": "10.125.143.153", - "source.port": 2657, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "emip" - }, - { - "destination.ip": "10.64.139.17", - "destination.port": 2438, - "event.action": "deny", - "event.code": "ms-wbt-server", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "September 19 13:09:05 tionula2060.www5.localhost proto=ipv6 service=ms-wbt-server status=deny src=10.240.216.85 dst=10.64.139.17 src_port=2046 dst_port=2438 server_app=ice pid=6331 app_name=aal traff_direct=external block_count=4982 
logon_user=nimadmin@lumqui7769.mail.local msg=unknown", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "tionula2060.www5.localhost", - "input.type": "log", - "log.offset": 25396, - "network.direction": "external", - "network.protocol": "ipv6", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 6331, - "related.hosts": [ - "lumqui7769.mail.local", - "tionula2060.www5.localhost" - ], - "related.ip": [ - "10.240.216.85", - "10.64.139.17" - ], - "related.user": [ - "nimadmin" - ], - "rsa.counters.dclass_c1": 4982, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "ms-wbt-server", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "unknown", - "rsa.network.alias_host": [ - "tionula2060.www5.localhost" - ], - "rsa.network.domain": "lumqui7769.mail.local", - "rsa.network.network_service": "ms-wbt-server", - "server.domain": "lumqui7769.mail.local", - "server.registered_domain": "mail.local", - "server.subdomain": "lumqui7769", - "server.top_level_domain": "local", - "service.type": "fortinet", - "source.ip": "10.240.216.85", - "source.port": 2046, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "nimadmin" - }, - { - "destination.ip": "10.222.245.80", - "destination.port": 4017, - "event.action": "deny", - "event.code": "ms-wbt-server", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "October 3 20:11:40 rumSecti111.www5.domain proto=ipv6 service=ms-wbt-server status=deny src=10.87.90.49 dst=10.222.245.80 src_port=1486 dst_port=4017 server_app=itaedict pid=4474 app_name=byCic traff_direct=inbound block_count=3380 logon_user=ptatemse@siarc6339.internal.corp msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", 
- "host.name": "rumSecti111.www5.domain", - "input.type": "log", - "log.offset": 25683, - "network.direction": "inbound", - "network.protocol": "ipv6", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 4474, - "related.hosts": [ - "rumSecti111.www5.domain", - "siarc6339.internal.corp" - ], - "related.ip": [ - "10.222.245.80", - "10.87.90.49" - ], - "related.user": [ - "ptatemse" - ], - "rsa.counters.dclass_c1": 3380, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "ms-wbt-server", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "rumSecti111.www5.domain" - ], - "rsa.network.domain": "siarc6339.internal.corp", - "rsa.network.network_service": "ms-wbt-server", - "server.domain": "siarc6339.internal.corp", - "server.registered_domain": "internal.corp", - "server.subdomain": "siarc6339", - "server.top_level_domain": "corp", - "service.type": "fortinet", - "source.ip": "10.87.90.49", - "source.port": 1486, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "ptatemse" - }, - { - "destination.ip": "10.87.144.208", - "destination.port": 2440, - "event.action": "deny", - "event.code": "pop3", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "October 18 03:14:14 olores7881.local proto=udp service=pop3 status=deny src=10.143.53.214 dst=10.87.144.208 src_port=3310 dst_port=2440 server_app=ipsumq pid=4855 app_name=psaquaea traff_direct=unknown block_count=5772 logon_user=psumq@ptatev6552.www.test msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "olores7881.local", - "input.type": "log", - "log.offset": 25971, - "network.direction": "unknown", - "network.protocol": "udp", - 
"observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 4855, - "related.hosts": [ - "olores7881.local", - "ptatev6552.www.test" - ], - "related.ip": [ - "10.143.53.214", - "10.87.144.208" - ], - "related.user": [ - "psumq" - ], - "rsa.counters.dclass_c1": 5772, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "pop3", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "olores7881.local" - ], - "rsa.network.domain": "ptatev6552.www.test", - "rsa.network.network_service": "pop3", - "server.domain": "ptatev6552.www.test", - "server.registered_domain": "www.test", - "server.subdomain": "ptatev6552", - "server.top_level_domain": "test", - "service.type": "fortinet", - "source.ip": "10.143.53.214", - "source.port": 3310, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "psumq" - }, - { - "destination.ip": "10.105.97.134", - "destination.port": 1935, - "event.action": "deny", - "event.code": "pop3", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "November 1 10:16:48 tDuis3281.www5.localdomain proto=ipv6-icmp service=pop3 status=deny src=10.204.178.19 dst=10.105.97.134 src_port=616 dst_port=1935 server_app=oremque pid=1729 app_name=inimve traff_direct=unknown block_count=6564 logon_user=mexercit@byC5766.internal.home msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "tDuis3281.www5.localdomain", - "input.type": "log", - "log.offset": 26239, - "network.direction": "unknown", - "network.protocol": "ipv6-icmp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 1729, - "related.hosts": [ - "byC5766.internal.home", - 
"tDuis3281.www5.localdomain" - ], - "related.ip": [ - "10.105.97.134", - "10.204.178.19" - ], - "related.user": [ - "mexercit" - ], - "rsa.counters.dclass_c1": 6564, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "pop3", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "tDuis3281.www5.localdomain" - ], - "rsa.network.domain": "byC5766.internal.home", - "rsa.network.network_service": "pop3", - "server.domain": "byC5766.internal.home", - "server.registered_domain": "internal.home", - "server.subdomain": "byC5766", - "server.top_level_domain": "home", - "service.type": "fortinet", - "source.ip": "10.204.178.19", - "source.port": 616, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "mexercit" - }, - { - "destination.ip": "10.194.67.223", - "destination.port": 5767, - "event.action": "deny", - "event.code": "smtp", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "November 15 17:19:22 uptasnul2751.www5.corp proto=rdp service=smtp status=deny src=10.161.64.168 dst=10.194.67.223 src_port=7154 dst_port=5767 server_app=tatemse pid=4493 app_name=amqui traff_direct=inbound block_count=3673 logon_user=tion@hender6628.local msg=unknown", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "uptasnul2751.www5.corp", - "input.type": "log", - "log.offset": 26526, - "network.direction": "inbound", - "network.protocol": "rdp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 4493, - "related.hosts": [ - "hender6628.local", - "uptasnul2751.www5.corp" - ], - "related.ip": [ - "10.161.64.168", - "10.194.67.223" - ], - "related.user": [ - "tion" - ], - "rsa.counters.dclass_c1": 3673, - 
"rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "unknown", - "rsa.network.alias_host": [ - "uptasnul2751.www5.corp" - ], - "rsa.network.domain": "hender6628.local", - "rsa.network.network_service": "smtp", - "server.domain": "hender6628.local", - "server.registered_domain": "hender6628.local", - "server.top_level_domain": "local", - "service.type": "fortinet", - "source.ip": "10.161.64.168", - "source.port": 7154, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "tion" - }, - { - "destination.ip": "10.120.148.241", - "destination.port": 1655, - "event.action": "deny", - "event.code": "smtp", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "November 30 00:21:57 upt6017.api.localdomain proto=tcp service=smtp status=deny src=10.100.154.220 dst=10.120.148.241 src_port=5535 dst_port=1655 server_app=eeufug pid=6094 app_name=modt traff_direct=external block_count=5150 logon_user=rsitam@xercit7649.www5.home msg=failure", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "upt6017.api.localdomain", - "input.type": "log", - "log.offset": 26795, - "network.direction": "external", - "network.protocol": "tcp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 6094, - "related.hosts": [ - "upt6017.api.localdomain", - "xercit7649.www5.home" - ], - "related.ip": [ - "10.100.154.220", - "10.120.148.241" - ], - "related.user": [ - "rsitam" - ], - "rsa.counters.dclass_c1": 5150, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "smtp", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": 
"ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "failure", - "rsa.network.alias_host": [ - "upt6017.api.localdomain" - ], - "rsa.network.domain": "xercit7649.www5.home", - "rsa.network.network_service": "smtp", - "server.domain": "xercit7649.www5.home", - "server.registered_domain": "www5.home", - "server.subdomain": "xercit7649", - "server.top_level_domain": "home", - "service.type": "fortinet", - "source.ip": "10.100.154.220", - "source.port": 5535, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "rsitam" - }, - { - "destination.ip": "10.180.90.112", - "destination.port": 1936, - "event.action": "deny", - "event.code": "ms-wbt-server", - "event.dataset": "fortinet.clientendpoint", - "event.module": "fortinet", - "event.original": "December 14 07:24:31 tpers2217.internal.lan proto=udp service=ms-wbt-server status=deny src=10.116.153.19 dst=10.180.90.112 src_port=6610 dst_port=1936 server_app=olu pid=5012 app_name=dexercit traff_direct=outbound block_count=2216 logon_user=itessequ@porissu1470.domain msg=success", - "event.outcome": "failure", - "fileset.name": "clientendpoint", - "host.name": "tpers2217.internal.lan", - "input.type": "log", - "log.offset": 27072, - "network.direction": "outbound", - "network.protocol": "udp", - "observer.product": "FortiClient", - "observer.type": "Anti-Virus", - "observer.vendor": "Fortinet", - "process.pid": 5012, - "related.hosts": [ - "porissu1470.domain", - "tpers2217.internal.lan" - ], - "related.ip": [ - "10.116.153.19", - "10.180.90.112" - ], - "related.user": [ - "itessequ" - ], - "rsa.counters.dclass_c1": 2216, - "rsa.counters.dclass_c1_str": "block_count", - "rsa.internal.messageid": "ms-wbt-server", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.result": "success", - "rsa.network.alias_host": [ - "tpers2217.internal.lan" - ], - 
"rsa.network.domain": "porissu1470.domain", - "rsa.network.network_service": "ms-wbt-server", - "server.domain": "porissu1470.domain", - "server.registered_domain": "porissu1470.domain", - "server.top_level_domain": "domain", - "service.type": "fortinet", - "source.ip": "10.116.153.19", - "source.port": 6610, - "tags": [ - "fortinet.clientendpoint", - "forwarded" - ], - "user.name": "itessequ" - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/fortinet/fields.go b/x-pack/filebeat/module/fortinet/fields.go index 39de2f819f0..1bcc00adca2 100644 --- a/x-pack/filebeat/module/fortinet/fields.go +++ b/x-pack/filebeat/module/fortinet/fields.go @@ -19,5 +19,5 @@ func init() { // AssetFortinet returns asset data. // This is the base64 encoded zlib format compressed contents of module/fortinet. func AssetFortinet() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/fortinet/fortimail/_meta/fields.yml b/x-pack/filebeat/module/fortinet/fortimail/_meta/fields.yml deleted file mode 100644 index 08a34153c4f..00000000000 --- a/x-pack/filebeat/module/fortinet/fortimail/_meta/fields.yml +++ /dev/null 
@@ -1,2635 +0,0 @@ -- name: network.interface.name - overwrite: true - type: keyword - description: > - Name of the network interface where the traffic has been observed. -- name: rsa - overwrite: true - type: group - fields: - - name: internal - overwrite: true - type: group - fields: - - name: msg - overwrite: true - type: keyword - description: This key is used to capture the raw message that comes into the - Log Decoder - - name: messageid - overwrite: true - type: keyword - - name: event_desc - overwrite: true - type: keyword - - name: message - overwrite: true - type: keyword - description: This key captures the contents of instant messages - - name: time - overwrite: true - type: date - description: This is the time at which a session hits a NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness. - - name: level - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: msg_id - overwrite: true - type: keyword - description: This is the Message ID1 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: msg_vid - overwrite: true - type: keyword - description: This is the Message ID2 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: data - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: resource - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: statement - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: entry - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: inode - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: resource_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: dead - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - overwrite: true - type: keyword - description: This is used to capture the description of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: feed_name - overwrite: true - type: keyword - description: This is used to capture the name of the feed. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: cid - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_class - overwrite: true - type: keyword - description: This is the Classification of the Log Event Source under a predefined - fixed set of Event Source Classifications. 
This key should never be used to - parse Meta data from a session (Logs/Packets) Directly, this is a Reserved - key in NetWitness - - name: device_group - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - overwrite: true - type: keyword - description: This is the Hostname of the log Event Source sending the logs to - NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - overwrite: true - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - overwrite: true - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - overwrite: true - type: keyword - description: This is the name of the log parser which parsed a given session. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_type_id - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: did - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. 
- This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: entropy_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: entropy_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: event_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - overwrite: true - type: keyword - description: This is used to capture the category of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: forward_ip - overwrite: true - type: ip - description: This key should be used to capture the IPV4 address of a relay - system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - overwrite: true - type: ip - description: This key is used to capture the IPV6 address of a relay system - which forwarded the events from the original system to NetWitness. This key - should never be used to parse Meta data from a session (Logs/Packets) Directly, - this is a Reserved key in NetWitness - - name: header_id - overwrite: true - type: keyword - description: This is the Header ID value that identifies the exact log parser - header definition that parses a particular log session. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: lc_cid - overwrite: true - type: keyword - description: This is a unique Identifier of a Log Collector. 
This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: lc_ctime - overwrite: true - type: date - description: This is the time at which a log is collected in a NetWitness Log - Collector. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: mcbc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: medium - overwrite: true - type: long - description: "This key is used to identify if it\u2019s a log/packet session\ - \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ - \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ - \ 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: nwe_callback_id - overwrite: true - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - overwrite: true - type: keyword - description: This is a special key that stores any Meta key validation error - found while parsing a log session. This key should never be used to parse - Meta data from a session (Logs/Packets) Directly, this is a Reserved key in - NetWitness - - name: payload_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: payload_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: process_vid_dst - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the target process. - - name: process_vid_src - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the source process. - - name: rid - overwrite: true - type: long - description: This is a special ID of the Remote Session created by NetWitness - Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: session_split - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: size - overwrite: true - type: long - description: This is the size of the session as seen by the NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: sourcefile - overwrite: true - type: keyword - description: This is the name of the log file or PCAPs that can be imported - into NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: ubc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: word - overwrite: true - type: keyword - description: This is used by the Word Parsing technology to capture the first - 5 character of every word in an unparsed log - - name: time - overwrite: true - type: group - fields: - - name: event_time - overwrite: true - type: date - description: This key is used to capture the time mentioned in a raw session - that represents the actual time an event occured in a standard normalized - form - - name: duration_time - overwrite: true - type: double - description: This key is used to capture the normalized duration/lifetime in - seconds. 
- - name: event_time_str - overwrite: true - type: keyword - description: This key is used to capture the incomplete time mentioned in a - session as a string - - name: starttime - overwrite: true - type: date - description: This key is used to capture the Start time mentioned in a session - in a standard form - - name: month - overwrite: true - type: keyword - - name: day - overwrite: true - type: keyword - - name: endtime - overwrite: true - type: date - description: This key is used to capture the End time mentioned in a session - in a standard form - - name: timezone - overwrite: true - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - overwrite: true - type: keyword - description: A text string version of the duration - - name: date - overwrite: true - type: keyword - - name: year - overwrite: true - type: keyword - - name: recorded_time - overwrite: true - type: date - description: The event time as recorded by the system the event is collected - from. The usage scenario is a multi-tier application where the management - layer of the system records it's own timestamp at the time of collection from - its child nodes. Must be in timestamp format. - - name: datetime - overwrite: true - type: keyword - - name: effective_time - overwrite: true - type: date - description: This key is the effective time referenced by an individual event - in a Standard Timestamp format - - name: expire_time - overwrite: true - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - overwrite: true - type: keyword - description: Deprecated, use duration.time - - name: hour - overwrite: true - type: keyword - - name: min - overwrite: true - type: keyword - - name: timestamp - overwrite: true - type: keyword - - name: event_queue_time - overwrite: true - type: date - description: This key is the Time that the event was queued. 
- - name: p_time1 - overwrite: true - type: keyword - - name: tzone - overwrite: true - type: keyword - - name: eventtime - overwrite: true - type: keyword - - name: gmtdate - overwrite: true - type: keyword - - name: gmttime - overwrite: true - type: keyword - - name: p_date - overwrite: true - type: keyword - - name: p_month - overwrite: true - type: keyword - - name: p_time - overwrite: true - type: keyword - - name: p_time2 - overwrite: true - type: keyword - - name: p_year - overwrite: true - type: keyword - - name: expire_time_str - overwrite: true - type: keyword - description: This key is used to capture incomplete timestamp that explicitly - refers to an expiration. - - name: stamp - overwrite: true - type: date - description: Deprecated key defined only in table map. - - name: misc - overwrite: true - type: group - fields: - - name: action - overwrite: true - type: keyword - - name: result - overwrite: true - type: keyword - description: This key is used to capture the outcome/result string value of - an action in a session. - - name: severity - overwrite: true - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - overwrite: true - type: keyword - description: This key captures the event category type as specified by the event - source. - - name: reference_id - overwrite: true - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - overwrite: true - type: keyword - description: This key captures Version of the application or OS which is generating - the event. - - name: disposition - overwrite: true - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - overwrite: true - type: keyword - description: This key is used to capture the outcome/result numeric value of - an action in a session - - name: category - overwrite: true - type: keyword - description: This key is used to capture the category of an event given by the - vendor in the session - - name: obj_name - overwrite: true - type: keyword - description: This is used to capture name of object - - name: obj_type - overwrite: true - type: keyword - description: This is used to capture type of object - - name: event_source - overwrite: true - type: keyword - description: "This key captures Source of the event that\u2019s not a hostname" - - name: log_session_id - overwrite: true - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - overwrite: true - type: keyword - description: This key captures the Group Name value - - name: policy_name - overwrite: true - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - overwrite: true - type: keyword - description: This key captures the Rule Name - - name: context - overwrite: true - type: keyword - description: This key captures Information which adds additional context to - the event. - - name: change_new - overwrite: true - type: keyword - description: "This key is used to capture the new values of the attribute that\u2019\ - s changing in a session" - - name: space - overwrite: true - type: keyword - - name: client - overwrite: true - type: keyword - description: This key is used to capture only the name of the client application - requesting resources of the server. See the user.agent meta key for capture - of the specific user agent identifier or browser identification string. 
- - name: msgIdPart1 - overwrite: true - type: keyword - - name: msgIdPart2 - overwrite: true - type: keyword - - name: change_old - overwrite: true - type: keyword - description: "This key is used to capture the old value of the attribute that\u2019\ - s changing in a session" - - name: operation_id - overwrite: true - type: keyword - description: An alert number or operation number. The values should be unique - and non-repeating. - - name: event_state - overwrite: true - type: keyword - description: This key captures the current state of the object/item referenced - within the event. Describing an on-going event. - - name: group_object - overwrite: true - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - overwrite: true - type: keyword - description: Common use case is the node name within a cluster. The cluster - name is reflected by the host name. - - name: rule - overwrite: true - type: keyword - description: This key captures the Rule number - - name: device_name - overwrite: true - type: keyword - description: 'This is used to capture name of the Device associated with the - node Like: a physical disk, printer, etc' - - name: param - overwrite: true - type: keyword - description: This key is the parameters passed as part of a command or application, - etc. - - name: change_attrib - overwrite: true - type: keyword - description: "This key is used to capture the name of the attribute that\u2019\ - s changing in a session" - - name: event_computer - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - fully qualified domain name in a windows log. 
- - name: reference_id1 - overwrite: true - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - overwrite: true - type: keyword - description: This key captures the Name of the event log - - name: OS - overwrite: true - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - overwrite: true - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - overwrite: true - type: keyword - - name: filter - overwrite: true - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - overwrite: true - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the entity - such as a file or process. Checksum should be used over checksum.src or checksum.dst - when it is unclear whether the entity is a source or target of an action. - - name: event_user - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - combination of domain name and username in a windows log. - - name: virusname - overwrite: true - type: keyword - description: This key captures the name of the virus - - name: content_type - overwrite: true - type: keyword - description: This key is used to capture Content Type only. 
- - name: group_id - overwrite: true - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - overwrite: true - type: keyword - description: This key is used to capture the Policy ID only, this should be - a numeric value, use policy.name otherwise - - name: vsys - overwrite: true - type: keyword - description: This key captures Virtual System Name - - name: connection_id - overwrite: true - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - overwrite: true - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" - or "reference.id1" value but should not be used unless the other two variables - are in play. - - name: sensor - overwrite: true - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS - based devices - - name: sig_id - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - overwrite: true - type: keyword - description: 'This key is used for Physical or logical port connection but does - NOT include a network port. (Example: Printer port name).' - - name: rule_group - overwrite: true - type: keyword - description: This key captures the Rule group name - - name: risk_num - overwrite: true - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - overwrite: true - type: keyword - description: This key captures the Value of the trigger or threshold condition. - - name: log_session_id1 - overwrite: true - type: keyword - description: This key is used to capture a Linked (Related) Session ID from - the session directly - - name: comp_version - overwrite: true - type: keyword - description: This key captures the Version level of a sub-component of a product. 
- - name: content_version - overwrite: true - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - overwrite: true - type: keyword - description: This key is used to capture unique identifier for a device or system - (NOT a Mac address) - - name: risk - overwrite: true - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - overwrite: true - type: keyword - - name: reason - overwrite: true - type: keyword - - name: status - overwrite: true - type: keyword - - name: mail_id - overwrite: true - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - overwrite: true - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - overwrite: true - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - overwrite: true - type: keyword - - name: p_msgid - overwrite: true - type: keyword - - name: data_type - overwrite: true - type: keyword - - name: msgIdPart4 - overwrite: true - type: keyword - - name: error - overwrite: true - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - overwrite: true - type: keyword - - name: listnum - overwrite: true - type: keyword - description: This key is used to capture listname or listnumber, primarily for - collecting access-list - - name: ntype - overwrite: true - type: keyword - - name: observed_val - overwrite: true - type: keyword - description: This key captures the Value observed (from the perspective of the - device generating the log). - - name: policy_value - overwrite: true - type: keyword - description: This key captures the contents of the policy. 
This contains details - about the policy - - name: pool_name - overwrite: true - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - overwrite: true - type: keyword - description: A default set of parameters which are overlayed onto a rule (or - rulename) which efffectively constitutes a template - - name: count - overwrite: true - type: keyword - - name: number - overwrite: true - type: keyword - - name: sigcat - overwrite: true - type: keyword - - name: type - overwrite: true - type: keyword - - name: comments - overwrite: true - type: keyword - description: Comment information provided in the log message - - name: doc_number - overwrite: true - type: long - description: This key captures File Identification number - - name: expected_val - overwrite: true - type: keyword - description: This key captures the Value expected (from the perspective of the - device generating the log). - - name: job_num - overwrite: true - type: keyword - description: This key captures the Job Number - - name: spi_dst - overwrite: true - type: keyword - description: Destination SPI Index - - name: spi_src - overwrite: true - type: keyword - description: Source SPI Index - - name: code - overwrite: true - type: keyword - - name: agent_id - overwrite: true - type: keyword - description: This key is used to capture agent id - - name: message_body - overwrite: true - type: keyword - description: This key captures the The contents of the message body. - - name: phone - overwrite: true - type: keyword - - name: sig_id_str - overwrite: true - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - overwrite: true - type: keyword - - name: misc - overwrite: true - type: keyword - - name: name - overwrite: true - type: keyword - - name: cpu - overwrite: true - type: long - description: This key is the CPU time used in the execution of the event being - recorded. 
- - name: event_desc - overwrite: true - type: keyword - description: This key is used to capture a description of an event available - directly or inferred - - name: sig_id1 - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID. This must be linked - to the sig.id - - name: im_buddyid - overwrite: true - type: keyword - - name: im_client - overwrite: true - type: keyword - - name: im_userid - overwrite: true - type: keyword - - name: pid - overwrite: true - type: keyword - - name: priority - overwrite: true - type: keyword - - name: context_subject - overwrite: true - type: keyword - description: This key is to be used in an audit context where the subject is - the object being identified - - name: context_target - overwrite: true - type: keyword - - name: cve - overwrite: true - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - - an identifier for known information security vulnerabilities. - - name: fcatnum - overwrite: true - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - overwrite: true - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - overwrite: true - type: keyword - description: This key captures the Parent Node Name. Must be related to node - variable. - - name: risk_info - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - overwrite: true - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - overwrite: true - type: long - description: This key describes the type of service - - name: vm_target - overwrite: true - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - overwrite: true - type: keyword - description: This key captures Workspace Description - - name: command - overwrite: true - type: keyword - - name: event_category - overwrite: true - type: keyword - - name: facilityname - overwrite: true - type: keyword - - name: forensic_info - overwrite: true - type: keyword - - name: jobname - overwrite: true - type: keyword - - name: mode - overwrite: true - type: keyword - - name: policy - overwrite: true - type: keyword - - name: policy_waiver - overwrite: true - type: keyword - - name: second - overwrite: true - type: keyword - - name: space1 - overwrite: true - type: keyword - - name: subcategory - overwrite: true - type: keyword - - name: tbdstr2 - overwrite: true - type: keyword - - name: alert_id - overwrite: true - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the the target - entity such as a process or file. - - name: checksum_src - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the source - entity such as a file or process. 
- - name: fresult
- overwrite: true
- type: long
- description: This key captures the Filter Result
- - name: payload_dst
- overwrite: true
- type: keyword
- description: This key is used to capture destination payload
- - name: payload_src
- overwrite: true
- type: keyword
- description: This key is used to capture source payload
- - name: pool_id
- overwrite: true
- type: keyword
- description: This key captures the identifier (typically numeric field) of a
- resource pool
- - name: process_id_val
- overwrite: true
- type: keyword
- description: This key is a failure key for Process ID when it is not an integer
- value
- - name: risk_num_comm
- overwrite: true
- type: double
- description: This key captures Risk Number Community
- - name: risk_num_next
- overwrite: true
- type: double
- description: This key captures Risk Number NextGen
- - name: risk_num_sand
- overwrite: true
- type: double
- description: This key captures Risk Number SandBox
- - name: risk_num_static
- overwrite: true
- type: double
- description: This key captures Risk Number Static
- - name: risk_suspicious
- overwrite: true
- type: keyword
- description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- - name: risk_warning
- overwrite: true
- type: keyword
- description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- - name: snmp_oid
- overwrite: true
- type: keyword
- description: SNMP Object Identifier
- - name: sql
- overwrite: true
- type: keyword
- description: This key captures the SQL query
- - name: vuln_ref
- overwrite: true
- type: keyword
- description: This key captures the Vulnerability Reference details
- - name: acl_id
- overwrite: true
- type: keyword
- - name: acl_op
- overwrite: true
- type: keyword
- - name: acl_pos
- overwrite: true
- type: keyword
- - name: acl_table
- overwrite: true
- type: keyword
- - name: admin
- overwrite: true
- type: keyword
- - name: alarm_id
- overwrite: true
- type: keyword
- - name: alarmname
-
overwrite: true - type: keyword - - name: app_id - overwrite: true - type: keyword - - name: audit - overwrite: true - type: keyword - - name: audit_object - overwrite: true - type: keyword - - name: auditdata - overwrite: true - type: keyword - - name: benchmark - overwrite: true - type: keyword - - name: bypass - overwrite: true - type: keyword - - name: cache - overwrite: true - type: keyword - - name: cache_hit - overwrite: true - type: keyword - - name: cefversion - overwrite: true - type: keyword - - name: cfg_attr - overwrite: true - type: keyword - - name: cfg_obj - overwrite: true - type: keyword - - name: cfg_path - overwrite: true - type: keyword - - name: changes - overwrite: true - type: keyword - - name: client_ip - overwrite: true - type: keyword - - name: clustermembers - overwrite: true - type: keyword - - name: cn_acttimeout - overwrite: true - type: keyword - - name: cn_asn_src - overwrite: true - type: keyword - - name: cn_bgpv4nxthop - overwrite: true - type: keyword - - name: cn_ctr_dst_code - overwrite: true - type: keyword - - name: cn_dst_tos - overwrite: true - type: keyword - - name: cn_dst_vlan - overwrite: true - type: keyword - - name: cn_engine_id - overwrite: true - type: keyword - - name: cn_engine_type - overwrite: true - type: keyword - - name: cn_f_switch - overwrite: true - type: keyword - - name: cn_flowsampid - overwrite: true - type: keyword - - name: cn_flowsampintv - overwrite: true - type: keyword - - name: cn_flowsampmode - overwrite: true - type: keyword - - name: cn_inacttimeout - overwrite: true - type: keyword - - name: cn_inpermbyts - overwrite: true - type: keyword - - name: cn_inpermpckts - overwrite: true - type: keyword - - name: cn_invalid - overwrite: true - type: keyword - - name: cn_ip_proto_ver - overwrite: true - type: keyword - - name: cn_ipv4_ident - overwrite: true - type: keyword - - name: cn_l_switch - overwrite: true - type: keyword - - name: cn_log_did - overwrite: true - type: keyword - - name: 
cn_log_rid - overwrite: true - type: keyword - - name: cn_max_ttl - overwrite: true - type: keyword - - name: cn_maxpcktlen - overwrite: true - type: keyword - - name: cn_min_ttl - overwrite: true - type: keyword - - name: cn_minpcktlen - overwrite: true - type: keyword - - name: cn_mpls_lbl_1 - overwrite: true - type: keyword - - name: cn_mpls_lbl_10 - overwrite: true - type: keyword - - name: cn_mpls_lbl_2 - overwrite: true - type: keyword - - name: cn_mpls_lbl_3 - overwrite: true - type: keyword - - name: cn_mpls_lbl_4 - overwrite: true - type: keyword - - name: cn_mpls_lbl_5 - overwrite: true - type: keyword - - name: cn_mpls_lbl_6 - overwrite: true - type: keyword - - name: cn_mpls_lbl_7 - overwrite: true - type: keyword - - name: cn_mpls_lbl_8 - overwrite: true - type: keyword - - name: cn_mpls_lbl_9 - overwrite: true - type: keyword - - name: cn_mplstoplabel - overwrite: true - type: keyword - - name: cn_mplstoplabip - overwrite: true - type: keyword - - name: cn_mul_dst_byt - overwrite: true - type: keyword - - name: cn_mul_dst_pks - overwrite: true - type: keyword - - name: cn_muligmptype - overwrite: true - type: keyword - - name: cn_sampalgo - overwrite: true - type: keyword - - name: cn_sampint - overwrite: true - type: keyword - - name: cn_seqctr - overwrite: true - type: keyword - - name: cn_spackets - overwrite: true - type: keyword - - name: cn_src_tos - overwrite: true - type: keyword - - name: cn_src_vlan - overwrite: true - type: keyword - - name: cn_sysuptime - overwrite: true - type: keyword - - name: cn_template_id - overwrite: true - type: keyword - - name: cn_totbytsexp - overwrite: true - type: keyword - - name: cn_totflowexp - overwrite: true - type: keyword - - name: cn_totpcktsexp - overwrite: true - type: keyword - - name: cn_unixnanosecs - overwrite: true - type: keyword - - name: cn_v6flowlabel - overwrite: true - type: keyword - - name: cn_v6optheaders - overwrite: true - type: keyword - - name: comp_class - overwrite: true - type: 
keyword - - name: comp_name - overwrite: true - type: keyword - - name: comp_rbytes - overwrite: true - type: keyword - - name: comp_sbytes - overwrite: true - type: keyword - - name: cpu_data - overwrite: true - type: keyword - - name: criticality - overwrite: true - type: keyword - - name: cs_agency_dst - overwrite: true - type: keyword - - name: cs_analyzedby - overwrite: true - type: keyword - - name: cs_av_other - overwrite: true - type: keyword - - name: cs_av_primary - overwrite: true - type: keyword - - name: cs_av_secondary - overwrite: true - type: keyword - - name: cs_bgpv6nxthop - overwrite: true - type: keyword - - name: cs_bit9status - overwrite: true - type: keyword - - name: cs_context - overwrite: true - type: keyword - - name: cs_control - overwrite: true - type: keyword - - name: cs_data - overwrite: true - type: keyword - - name: cs_datecret - overwrite: true - type: keyword - - name: cs_dst_tld - overwrite: true - type: keyword - - name: cs_eth_dst_ven - overwrite: true - type: keyword - - name: cs_eth_src_ven - overwrite: true - type: keyword - - name: cs_event_uuid - overwrite: true - type: keyword - - name: cs_filetype - overwrite: true - type: keyword - - name: cs_fld - overwrite: true - type: keyword - - name: cs_if_desc - overwrite: true - type: keyword - - name: cs_if_name - overwrite: true - type: keyword - - name: cs_ip_next_hop - overwrite: true - type: keyword - - name: cs_ipv4dstpre - overwrite: true - type: keyword - - name: cs_ipv4srcpre - overwrite: true - type: keyword - - name: cs_lifetime - overwrite: true - type: keyword - - name: cs_log_medium - overwrite: true - type: keyword - - name: cs_loginname - overwrite: true - type: keyword - - name: cs_modulescore - overwrite: true - type: keyword - - name: cs_modulesign - overwrite: true - type: keyword - - name: cs_opswatresult - overwrite: true - type: keyword - - name: cs_payload - overwrite: true - type: keyword - - name: cs_registrant - overwrite: true - type: keyword - - 
name: cs_registrar - overwrite: true - type: keyword - - name: cs_represult - overwrite: true - type: keyword - - name: cs_rpayload - overwrite: true - type: keyword - - name: cs_sampler_name - overwrite: true - type: keyword - - name: cs_sourcemodule - overwrite: true - type: keyword - - name: cs_streams - overwrite: true - type: keyword - - name: cs_targetmodule - overwrite: true - type: keyword - - name: cs_v6nxthop - overwrite: true - type: keyword - - name: cs_whois_server - overwrite: true - type: keyword - - name: cs_yararesult - overwrite: true - type: keyword - - name: description - overwrite: true - type: keyword - - name: devvendor - overwrite: true - type: keyword - - name: distance - overwrite: true - type: keyword - - name: dstburb - overwrite: true - type: keyword - - name: edomain - overwrite: true - type: keyword - - name: edomaub - overwrite: true - type: keyword - - name: euid - overwrite: true - type: keyword - - name: facility - overwrite: true - type: keyword - - name: finterface - overwrite: true - type: keyword - - name: flags - overwrite: true - type: keyword - - name: gaddr - overwrite: true - type: keyword - - name: id3 - overwrite: true - type: keyword - - name: im_buddyname - overwrite: true - type: keyword - - name: im_croomid - overwrite: true - type: keyword - - name: im_croomtype - overwrite: true - type: keyword - - name: im_members - overwrite: true - type: keyword - - name: im_username - overwrite: true - type: keyword - - name: ipkt - overwrite: true - type: keyword - - name: ipscat - overwrite: true - type: keyword - - name: ipspri - overwrite: true - type: keyword - - name: latitude - overwrite: true - type: keyword - - name: linenum - overwrite: true - type: keyword - - name: list_name - overwrite: true - type: keyword - - name: load_data - overwrite: true - type: keyword - - name: location_floor - overwrite: true - type: keyword - - name: location_mark - overwrite: true - type: keyword - - name: log_id - overwrite: true - 
type: keyword - - name: log_type - overwrite: true - type: keyword - - name: logid - overwrite: true - type: keyword - - name: logip - overwrite: true - type: keyword - - name: logname - overwrite: true - type: keyword - - name: longitude - overwrite: true - type: keyword - - name: lport - overwrite: true - type: keyword - - name: mbug_data - overwrite: true - type: keyword - - name: misc_name - overwrite: true - type: keyword - - name: msg_type - overwrite: true - type: keyword - - name: msgid - overwrite: true - type: keyword - - name: netsessid - overwrite: true - type: keyword - - name: num - overwrite: true - type: keyword - - name: number1 - overwrite: true - type: keyword - - name: number2 - overwrite: true - type: keyword - - name: nwwn - overwrite: true - type: keyword - - name: object - overwrite: true - type: keyword - - name: operation - overwrite: true - type: keyword - - name: opkt - overwrite: true - type: keyword - - name: orig_from - overwrite: true - type: keyword - - name: owner_id - overwrite: true - type: keyword - - name: p_action - overwrite: true - type: keyword - - name: p_filter - overwrite: true - type: keyword - - name: p_group_object - overwrite: true - type: keyword - - name: p_id - overwrite: true - type: keyword - - name: p_msgid1 - overwrite: true - type: keyword - - name: p_msgid2 - overwrite: true - type: keyword - - name: p_result1 - overwrite: true - type: keyword - - name: password_chg - overwrite: true - type: keyword - - name: password_expire - overwrite: true - type: keyword - - name: permgranted - overwrite: true - type: keyword - - name: permwanted - overwrite: true - type: keyword - - name: pgid - overwrite: true - type: keyword - - name: policyUUID - overwrite: true - type: keyword - - name: prog_asp_num - overwrite: true - type: keyword - - name: program - overwrite: true - type: keyword - - name: real_data - overwrite: true - type: keyword - - name: rec_asp_device - overwrite: true - type: keyword - - name: rec_asp_num 
- overwrite: true - type: keyword - - name: rec_library - overwrite: true - type: keyword - - name: recordnum - overwrite: true - type: keyword - - name: ruid - overwrite: true - type: keyword - - name: sburb - overwrite: true - type: keyword - - name: sdomain_fld - overwrite: true - type: keyword - - name: sec - overwrite: true - type: keyword - - name: sensorname - overwrite: true - type: keyword - - name: seqnum - overwrite: true - type: keyword - - name: session - overwrite: true - type: keyword - - name: sessiontype - overwrite: true - type: keyword - - name: sigUUID - overwrite: true - type: keyword - - name: spi - overwrite: true - type: keyword - - name: srcburb - overwrite: true - type: keyword - - name: srcdom - overwrite: true - type: keyword - - name: srcservice - overwrite: true - type: keyword - - name: state - overwrite: true - type: keyword - - name: status1 - overwrite: true - type: keyword - - name: svcno - overwrite: true - type: keyword - - name: system - overwrite: true - type: keyword - - name: tbdstr1 - overwrite: true - type: keyword - - name: tgtdom - overwrite: true - type: keyword - - name: tgtdomain - overwrite: true - type: keyword - - name: threshold - overwrite: true - type: keyword - - name: type1 - overwrite: true - type: keyword - - name: udb_class - overwrite: true - type: keyword - - name: url_fld - overwrite: true - type: keyword - - name: user_div - overwrite: true - type: keyword - - name: userid - overwrite: true - type: keyword - - name: username_fld - overwrite: true - type: keyword - - name: utcstamp - overwrite: true - type: keyword - - name: v_instafname - overwrite: true - type: keyword - - name: virt_data - overwrite: true - type: keyword - - name: vpnid - overwrite: true - type: keyword - - name: autorun_type - overwrite: true - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - overwrite: true - type: long - description: Valid Credit Card Numbers only - - name: content - 
overwrite: true - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - overwrite: true - type: long - description: Employee Identification Numbers only - - name: found - overwrite: true - type: keyword - description: This is used to capture the results of regex match - - name: language - overwrite: true - type: keyword - description: This is used to capture list of languages the client support and - what it prefers - - name: lifetime - overwrite: true - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - overwrite: true - type: keyword - description: This key is used to link the sessions together. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: match - overwrite: true - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - overwrite: true - type: keyword - description: This key captures the command line/launch argument of the target - process or file - - name: param_src - overwrite: true - type: keyword - description: This key captures source parameter - - name: search_text - overwrite: true - type: keyword - description: This key captures the Search Text used - - name: sig_name - overwrite: true - type: keyword - description: This key is used to capture the Signature Name only. - - name: snmp_value - overwrite: true - type: keyword - description: SNMP set request value - - name: streams - overwrite: true - type: long - description: This key captures number of streams in session - - name: db - overwrite: true - type: group - fields: - - name: index - overwrite: true - type: keyword - description: This key captures IndexID of the index. 
- - name: instance - overwrite: true - type: keyword - description: This key is used to capture the database server instance name - - name: database - overwrite: true - type: keyword - description: This key is used to capture the name of a database or an instance - as seen in a session - - name: transact_id - overwrite: true - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - overwrite: true - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - overwrite: true - type: keyword - description: This key is used to capture the table name - - name: db_id - overwrite: true - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - overwrite: true - type: long - description: This key captures the process id of a connection with database - server - - name: lread - overwrite: true - type: long - description: This key is used for the number of logical reads - - name: lwrite - overwrite: true - type: long - description: This key is used for the number of logical writes - - name: pread - overwrite: true - type: long - description: This key is used for the number of physical writes - - name: network - overwrite: true - type: group - fields: - - name: alias_host - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a hostname is not clear.Also it captures the Device Hostname. Any Hostname - that isnt ad.computer. 
- - name: domain - overwrite: true - type: keyword - - name: host_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Hostname" - - name: network_service - overwrite: true - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of an interface is not clear - - name: network_port - overwrite: true - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently - used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - overwrite: true - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Interface" - - name: dinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Interface" - - name: vlan - overwrite: true - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Zone." - - name: zone - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a Zone is not clear - - name: zone_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Zone." - - name: gateway - overwrite: true - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - overwrite: true - type: long - description: This key is used to capture the ICMP type only - - name: mask - overwrite: true - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - overwrite: true - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - overwrite: true - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - overwrite: true - type: keyword - description: This key is used for Destionation Device network mask - - name: port - overwrite: true - type: long - description: This key should only be used to capture a Network Port when the - directionality is not clear - - name: smask - overwrite: true - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - overwrite: true - type: keyword - description: This key is used to capture the network name associated with an - IP range. This is configured by the end user. - - name: paddr - overwrite: true - type: ip - description: Deprecated - - name: faddr - overwrite: true - type: keyword - - name: lhost - overwrite: true - type: keyword - - name: origin - overwrite: true - type: keyword - - name: remote_domain_id - overwrite: true - type: keyword - - name: addr - overwrite: true - type: keyword - - name: dns_a_record - overwrite: true - type: keyword - - name: dns_ptr_record - overwrite: true - type: keyword - - name: fhost - overwrite: true - type: keyword - - name: fport - overwrite: true - type: keyword - - name: laddr - overwrite: true - type: keyword - - name: linterface - overwrite: true - type: keyword - - name: phost - overwrite: true - type: keyword - - name: ad_computer_dst - overwrite: true - type: keyword - description: Deprecated, use host.dst - - name: eth_type - overwrite: true - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols - Only - - name: ip_proto - overwrite: true - type: long - description: This key should be used to capture the Protocol number, all the - protocol nubers are converted into string in UI - - name: dns_cname_record - overwrite: true - 
type: keyword - - name: dns_id - overwrite: true - type: keyword - - name: dns_opcode - overwrite: true - type: keyword - - name: dns_resp - overwrite: true - type: keyword - - name: dns_type - overwrite: true - type: keyword - - name: domain1 - overwrite: true - type: keyword - - name: host_type - overwrite: true - type: keyword - - name: packet_length - overwrite: true - type: keyword - - name: host_orig - overwrite: true - type: keyword - description: This is used to capture the original hostname in case of a Forwarding - Agent or a Proxy in between. - - name: rpayload - overwrite: true - type: keyword - description: This key is used to capture the total number of payload bytes seen - in the retransmitted packets. - - name: vlan_name - overwrite: true - type: keyword - description: This key should only be used to capture the name of the Virtual - LAN - - name: investigations - overwrite: true - type: group - fields: - - name: ec_activity - overwrite: true - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - overwrite: true - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - overwrite: true - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - overwrite: true - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - overwrite: true - type: long - description: This key captures the Event category number - - name: event_cat_name - overwrite: true - type: keyword - description: This key captures the event category name corresponding to the - event cat code - - name: event_vcat - overwrite: true - type: keyword - description: This is a vendor supplied category. This should be used in situations - where the vendor has adopted their own event_category taxonomy. 
- - name: analysis_file - overwrite: true - type: keyword - description: This is used to capture all indicators used in a File Analysis. - This key should be used to capture an analysis of a file - - name: analysis_service - overwrite: true - type: keyword - description: This is used to capture all indicators used in a Service Analysis. - This key should be used to capture an analysis of a service - - name: analysis_session - overwrite: true - type: keyword - description: This is used to capture all indicators used for a Session Analysis. - This key should be used to capture an analysis of a session - - name: boc - overwrite: true - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - overwrite: true - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - overwrite: true - type: keyword - description: This used to capture investigation category - - name: inv_context - overwrite: true - type: keyword - description: This used to capture investigation context - - name: ioc - overwrite: true - type: keyword - description: This is key capture indicator of compromise - - name: counters - overwrite: true - type: group - fields: - - name: dclass_c1 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c1.str only - - name: dclass_c2 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c2.str only - - name: event_counter - overwrite: true - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r1.str only - - name: dclass_c3 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c3.str only - - name: dclass_c1_str - 
overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c1 only - - name: dclass_c2_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c2 only - - name: dclass_r1_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r1 only - - name: dclass_r2 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r2.str only - - name: dclass_c3_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c3 only - - name: dclass_r3 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r3.str only - - name: dclass_r2_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r2 only - - name: dclass_r3_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r3 only - - name: identity - overwrite: true - type: group - fields: - - name: auth_method - overwrite: true - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - overwrite: true - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - overwrite: true - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - overwrite: true - type: keyword - description: This key is used to capture the type of logon method used. 
- - name: profile - overwrite: true - type: keyword - description: This key is used to capture the user profile - - name: accesses - overwrite: true - type: keyword - description: This key is used to capture actual privileges used in accessing - an object - - name: realm - overwrite: true - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - overwrite: true - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that - indicates a Source dn - - name: org - overwrite: true - type: keyword - description: This key captures the User organization - - name: dn_dst - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that - indicates a Destination dn - - name: firstname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: lastname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: user_dept - overwrite: true - type: keyword - description: User's Department Names only - - name: user_sid_src - overwrite: true - type: keyword - description: This key captures Source User Session ID - - name: federated_sp - overwrite: true - type: keyword - description: This key is the Federated Service Provider. This is the application - requesting authentication. - - name: federated_idp - overwrite: true - type: keyword - description: This key is the federated Identity Provider. This is the server - providing the authentication. - - name: logon_type_desc - overwrite: true - type: keyword - description: This key is used to capture the textual description of an integer - logon type as stored in the meta key 'logon.type'. 
- - name: middlename - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: password - overwrite: true - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - overwrite: true - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - overwrite: true - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ - t have a clear query or response context" - - name: ldap_query - overwrite: true - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - overwrite: true - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - overwrite: true - type: keyword - description: This is used to capture username the process or service is running - as, the author of the task - - name: service_account - overwrite: true - type: keyword - description: This key is a windows specific key, used for capturing name of - the account a service (referenced in the event) is running under. Legacy Usage - - name: email - overwrite: true - type: group - fields: - - name: email_dst - overwrite: true - type: keyword - description: This key is used to capture the Destination email address only, - when the destination context is not clear use email - - name: email_src - overwrite: true - type: keyword - description: This key is used to capture the source email address only, when - the source context is not clear use email - - name: subject - overwrite: true - type: keyword - description: This key is used to capture the subject string from an Email only. 
- - name: email - overwrite: true - type: keyword - description: This key is used to capture a generic email address where the source - or destination context is not clear - - name: trans_from - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: file - overwrite: true - type: group - fields: - - name: privilege - overwrite: true - type: keyword - description: Deprecated, use permissions - - name: attachment - overwrite: true - type: keyword - description: This key captures the attachment file name - - name: filesystem - overwrite: true - type: keyword - - name: binary - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: filename_dst - overwrite: true - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - overwrite: true - type: keyword - description: This is used to capture name of the parent filename, the file which - performed the action - - name: filename_tmp - overwrite: true - type: keyword - - name: directory_dst - overwrite: true - type: keyword - description: This key is used to capture the directory of the target process - or file - - name: directory_src - overwrite: true - type: keyword - description: This key is used to capture the directory of the source process - or file - - name: file_entropy - overwrite: true - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - overwrite: true - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - overwrite: true - type: keyword - description: This is used to capture name of the task - - name: web - overwrite: true - type: group - fields: - - name: fqdn - overwrite: true - type: keyword - description: Fully Qualified Domain Names - - 
name: web_cookie - overwrite: true - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - overwrite: true - type: keyword - - name: reputation_num - overwrite: true - type: double - description: Reputation Number of an entity. Typically used for Web Domains - - name: web_ref_domain - overwrite: true - type: keyword - description: Web referer's domain - - name: web_ref_query - overwrite: true - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - overwrite: true - type: keyword - - name: web_ref_page - overwrite: true - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - overwrite: true - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - overwrite: true - type: keyword - - name: cn_rpackets - overwrite: true - type: keyword - - name: urlpage - overwrite: true - type: keyword - - name: urlroot - overwrite: true - type: keyword - - name: p_url - overwrite: true - type: keyword - - name: p_user_agent - overwrite: true - type: keyword - - name: p_web_cookie - overwrite: true - type: keyword - - name: p_web_method - overwrite: true - type: keyword - - name: p_web_referer - overwrite: true - type: keyword - - name: web_extension_tmp - overwrite: true - type: keyword - - name: web_page - overwrite: true - type: keyword - - name: threat - overwrite: true - type: group - fields: - - name: threat_category - overwrite: true - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of - alert - - name: threat_desc - overwrite: true - type: keyword - description: This key is used to capture the threat description from the session - directly or inferred - - name: alert - overwrite: true - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - overwrite: true - type: keyword - description: This key is used to 
capture source of the threat - - name: crypto - overwrite: true - type: group - fields: - - name: crypto - overwrite: true - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key - only - - name: cipher_src - overwrite: true - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - overwrite: true - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - overwrite: true - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - overwrite: true - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - overwrite: true - type: keyword - description: IKE negotiation phase. - - name: scheme - overwrite: true - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - overwrite: true - type: keyword - description: "This key is for Encryption peer\u2019s identity" - - name: sig_type - overwrite: true - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - overwrite: true - type: keyword - - name: cert_host_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: cert_error - overwrite: true - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - overwrite: true - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - overwrite: true - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - overwrite: true - type: keyword - description: Deprecated, use version - - name: d_certauth - overwrite: true - type: keyword - - name: s_certauth - overwrite: true - type: keyword - - name: ike_cookie1 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - - name: ike_cookie2 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - - name: cert_checksum - overwrite: true - type: keyword - - name: cert_host_cat - overwrite: true - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - overwrite: true - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - overwrite: true - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - overwrite: true - type: keyword - description: Deprecated, use version - - name: cert_keysize - overwrite: true - type: keyword - - name: cert_username - overwrite: true - type: keyword - - name: https_insact - overwrite: true - type: keyword - - name: https_valid - overwrite: true - type: keyword - - name: cert_ca - overwrite: true - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - overwrite: true - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - overwrite: true - type: group - fields: - - name: wlan_ssid - overwrite: true - type: keyword - description: This key is 
used to capture the ssid of a Wireless Session - - name: access_point - overwrite: true - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - overwrite: true - type: long - description: This is used to capture the channel names - - name: wlan_name - overwrite: true - type: keyword - description: This key captures either WLAN number/name - - name: storage - overwrite: true - type: group - fields: - - name: disk_volume - overwrite: true - type: keyword - description: A unique name assigned to logical units (volumes) within a physical - disk - - name: lun - overwrite: true - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - overwrite: true - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - overwrite: true - type: group - fields: - - name: org_dst - overwrite: true - type: keyword - description: This is used to capture the destination organization based on the - GEOPIP Maxmind database. - - name: org_src - overwrite: true - type: keyword - description: This is used to capture the source organization based on the GEOPIP - Maxmind database. 
- - name: healthcare - overwrite: true - type: group - fields: - - name: patient_fname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_id - overwrite: true - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_mname - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: endpoint - overwrite: true - type: group - fields: - - name: host_state - overwrite: true - type: keyword - description: This key is used to capture the current state of the machine, such - as blacklisted, infected, firewall - disabled and so on - - name: registry_key - overwrite: true - type: keyword - description: This key captures the path to the registry key - - name: registry_value - overwrite: true - type: keyword - description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/fortinet/fortimail/config/input.yml b/x-pack/filebeat/module/fortinet/fortimail/config/input.yml deleted file mode 100644 index f56d1508955..00000000000 --- a/x-pack/filebeat/module/fortinet/fortimail/config/input.yml +++ /dev/null 
@@ -1,87 +0,0 @@
-{{ if eq .input "file" }}
-
-type: log
-paths:
- {{ range $i, $path := .paths }}
-- {{$path}}
- {{ end }}
-exclude_files: [".gz$"]
-
-{{ else }}
-
-type: {{.input}}
-host: "{{.syslog_host}}:{{.syslog_port}}"
-
-{{ end }}
-
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
-
-fields_under_root: true
-fields:
- observer:
- vendor: "Fortinet"
- product: "FortiMail"
- type: "Firewall"
-
-processors:
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{.rsa_fields}}
- tz_offset: {{.tz_offset}}
- keep_raw: {{.keep_raw_fields}}
- debug: {{.debug}}
- files:
- - ${path.home}/module/fortinet/fortimail/config/liblogparser.js
- - ${path.home}/module/fortinet/fortimail/config/pipeline.js
-{{ if .community_id }}
-- community_id: ~
-{{ end }}
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: dns.question.name
- target_field: dns.question.registered_domain
- target_subdomain_field: dns.question.subdomain
- target_etld_field: dns.question.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: client.domain
- target_field: client.registered_domain
- target_subdomain_field: client.subdomain
- target_etld_field: client.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: server.domain
- target_field: server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/fortinet/fortimail/config/liblogparser.js b/x-pack/filebeat/module/fortinet/fortimail/config/liblogparser.js
deleted file mode 100644
index b35eaa3ddce..00000000000
--- a/x-pack/filebeat/module/fortinet/fortimail/config/liblogparser.js
+++ /dev/null
@@ -1,2514 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -/* jshint -W014,-W016,-W097,-W116 */ - -var processor = require("processor"); -var console = require("console"); - -var FLAG_FIELD = "log.flags"; -var FIELDS_OBJECT = "nwparser"; -var FIELDS_PREFIX = FIELDS_OBJECT + "."; - -var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true -}; - -var saved_flags = null; -var debug; -var map_ecs; -var map_rsa; -var keep_raw; -var device; -var tz_offset; -var strip_priority; - -// Register params from configuration. -function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); -} - -function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } -} - -function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); -} - -function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); -} - -function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; -} - -function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; -} - -function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; -} - -var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); -})(); - -function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; -} - -function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } -} - -function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; -} - -function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; -} - -function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; -} - -function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; -} - -var start; - -function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); -} - -function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); -} - -function constant(value) { - return function (evt) { - return value; - }; -} - -function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; -} - -function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; -} - -// TODO: Implement -function DIRCHK(args) { - unimplemented("DIRCHK"); -} - -function strictToInt(str) { - return str * 1; -} - -function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - var result; - switch 
(args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; -} - -var quoteChars = "\"'`"; -function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; -} - -function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; -} - -function nop(evt) { -} - -function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); -} - -function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); -} - -function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; -} - -function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); -} - -function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; -} - -function setc(dst, value) { - return function (evt) { - evt.Put(FIELDS_PREFIX + dst, value); - }; 
-} - -function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; -} - -function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; -} - -function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; -} - -function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; -} - -// Make two-digit dates 00-69 interpreted as 2000-2069 -// and dates 70-99 translated to 1970-1999. -var twoDigitYearEpoch = 70; -var twoDigitYearCentury = 2000; - -// This is to accept dates up to 2 days in the future, only used when -// no year is specified in a date. 2 days should be enough to account for -// time differences between systems and different tz offsets. -var maxFutureDelta = 2*24*60*60*1000; - -// DateContainer stores date fields and then converts those fields into -// a Date. Necessary because building a Date using its set() methods gives -// different results depending on the order of components. -function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; -} - -DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } -} - -function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; -} - -function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; -} - -function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; -} - -var uA = 60 * 60 * 24; -var uD = 60 * 60 * 24; -var uF = 60 * 60; -var uG = 60 * 60 * 24 * 30; -var uH = 60 * 60; -var uI = 60 * 60; -var uJ = 60 * 60 * 24; -var uM = 60 * 60 * 24 * 30; -var uN = 60 * 60; -var uO = 1; -var uS = 1; -var uT = 60; -var uU = 60; -var uc = dc; - -function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; -} - -function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 5], - "dec": [11, 4], 
-}; - -// var dC = undefined; -var dR = dateMonthName(true); -var dB = dateMonthName(false); -var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); -var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); -var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); -var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); -var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); -var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 -var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); -var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); -var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); -var dP = parseAMPM; // AM|PM -var dQ = parseAMPM; // A.M.|P.M -var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); -var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); -var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); -var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); -var dZ = parseHMS; -var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - -// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. -// Only works if this modifier appears after the hour has been read from logs -// which is always the case in the 300 devices. 
-function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; -} - -function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); -} - -function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; -} - -function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; -} - -function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; -} - -function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; -} - -function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; -} - -// Short month name (Jan..Dec). -function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; -} - -function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; -} - -// The following regular expression for parsing URLs from: -// https://github.com/wizard04wsu/URI_Parsing -// -// The MIT License (MIT) -// -// Copyright (c) 2014 Andrew Harrison -// -// Permission is hereby granted, free of charge, to any person obtaining a copy of -// this software and associated documentation files (the "Software"), to deal in -// the Software without restriction, including without limitation the rights to -// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -// the Software, and to permit persons to whom the Software is furnished to do so, -// subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
-var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - -var uriScheme = 1; -var uriDomain = 5; -var uriPort = 6; -var uriPath = 7; -var uriPathAlt = 9; -var uriQuery = 11; - -function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); -} - -function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; -} - -function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; -} - -var extFromPage = /\.[^.]+$/; -function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } -} - -function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); -} - -function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); -} - -var pageFromPathRegExp = /\/([^\/]+)$/; -var pageName = 1; - -function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; -} - -function page(dst, src) { - return url_wrapper(dst, src, extract_page); -} - -function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; -} - -function path(dst, src) { - return url_wrapper(dst, src, extract_path); -} - -// Map common schemes to their default port. -// port has to be a string (will be converted at a later stage). 
-var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", -}; - -function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } -} - -function port(dst, src) { - return url_wrapper(dst, src, extract_port); -} - -function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; -} - -function query(dst, src) { - return url_wrapper(dst, src, extract_query); -} - -function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } -} - -function root(dst, src) { - return url_wrapper(dst, src, extract_root); -} - -function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } -} - -var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, -}; - -var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, 
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
- "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
- "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
- "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
- "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
- "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
- "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
- "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
- "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
- "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
- "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
- "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
- "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
- "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
- "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
- "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
- "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
- "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
- "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
- "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
- "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
- "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
- "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
- "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
- "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
- "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
- "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
-
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
- "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
- "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
- "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
- "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
- "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
- "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
- "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
- "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
- "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
- "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
- "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
- "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
- "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
- "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
- "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
- "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
- "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
- "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
- "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
- "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
- "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
- "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
- "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
- "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
- "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
- "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
- "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
- "number":
{to:[{field: "rsa.misc.number", setter: fld_set}]},
- "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
- "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
- "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
- "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
- "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
- "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
- "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
- "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
- "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
- "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
- "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
- "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
- "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
- "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
- "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
- "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
- "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
- "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
- "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
- "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
- "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
- "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
- "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
- "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
- "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
- "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
- "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
- "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
- "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
- "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
- "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
- "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
- "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
- "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
- "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
- "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
- "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
- "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
- "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
- "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
- "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
- "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
- "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
- "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
- "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
- "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
- "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
- "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
- "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
- "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
- "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
- "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
- "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
- "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
- "payload.req": {convert:
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
- "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
- "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
- "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
- "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]},
- "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
- "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
- "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
- "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
- "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
- "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
- "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
- "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
- "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
- "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
- "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
- "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
- "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
- "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
- "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
- "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
- "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
- "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
- "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
- "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
- "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
- "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
- "processing_time":
{to:[{field: "rsa.time.process_time", setter: fld_set}]},
- "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
- "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
- "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
- "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]},
- "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
- "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
- "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
- "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
- "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
- "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
- "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
- "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
- "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
- "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
- "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
- "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
- "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
- "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
- "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
- "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
- "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
- "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
- "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
- "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
- "risk":
{to:[{field: "rsa.misc.risk", setter: fld_set}]},
- "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]},
- "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]},
- "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]},
- "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]},
- "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]},
- "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]},
- "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]},
- "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]},
- "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]},
- "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]},
- "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]},
- "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]},
- "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]},
- "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]},
- "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]},
- "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]},
- "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]},
- "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]},
- "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]},
- "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]},
- "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]},
- "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]},
- "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]},
- "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]},
- "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]},
- "second": {to:[{field:
"rsa.misc.second", setter: fld_set}]},
- "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]},
- "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]},
- "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]},
- "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]},
- "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]},
- "session": {to:[{field: "rsa.misc.session", setter: fld_set}]},
- "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]},
- "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]},
- "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]},
- "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]},
- "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]},
- "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]},
- "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]},
- "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]},
- "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]},
- "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]},
- "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]},
- "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]},
- "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]},
- "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]},
- "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]},
- "site": {to:[{field: "rsa.internal.site", setter: fld_set}]},
- "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]},
- "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]},
- "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]},
- "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]},
- "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter:
fld_set}]},
- "space": {to:[{field: "rsa.misc.space", setter: fld_set}]},
- "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]},
- "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]},
- "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]},
- "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]},
- "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]},
- "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]},
- "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]},
- "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]},
- "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]},
- "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]},
- "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]},
- "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]},
- "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]},
- "state": {to:[{field: "rsa.misc.state", setter: fld_set}]},
- "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]},
- "status": {to:[{field: "rsa.misc.status", setter: fld_set}]},
- "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]},
- "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]},
- "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]},
- "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]},
- "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]},
- "system": {to:[{field: "rsa.misc.system", setter: fld_set}]},
- "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]},
- "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]},
- "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]},
- "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]},
- "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]},
- "tcp_flags": {convert: to_long, to:[{field:
"rsa.misc.tcp_flags", setter: fld_set}]},
- "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]},
- "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]},
- "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]},
- "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]},
- "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]},
- "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]},
- "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]},
- "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]},
- "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]},
- "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]},
- "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]},
- "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]},
- "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]},
- "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]},
- "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]},
- "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]},
- "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]},
- "type": {to:[{field: "rsa.misc.type", setter: fld_set}]},
- "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]},
- "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]},
- "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]},
- "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]},
- "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]},
- "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]},
- "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]},
- "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]},
- "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "user_dept": {to:[{field:
"rsa.identity.user_dept", setter: fld_set}]},
- "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]},
- "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]},
- "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]},
- "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]},
- "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]},
- "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]},
- "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]},
- "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]},
- "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]},
- "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]},
- "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]},
- "version": {to:[{field: "rsa.misc.version", setter: fld_set}]},
- "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]},
- "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]},
- "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]},
- "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]},
- "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]},
- "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]},
- "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]},
- "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]},
- "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]},
- "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]},
- "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]},
- "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]},
- "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]},
- "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]},
- "web_ref_host":
{to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]},
- "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]},
- "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]},
- "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]},
- "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]},
- "word": {to:[{field: "rsa.internal.word", setter: fld_set}]},
- "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]},
- "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "year": {to:[{field: "rsa.time.year", setter: fld_set}]},
- "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]},
-};
-
-function to_date(value) {
- switch (typeof (value)) {
- case "object":
- // This is a Date. But as it was obtained from evt.Get(), the VM
- // doesn't see it as a JS Date anymore, thus value instanceof Date === false.
- // Have to trust that any object here is a valid Date for Go.
- return value;
- case "string":
- var asDate = new Date(value);
- if (!isNaN(asDate)) return asDate;
- }
-}
-
-// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER.
-var maxSafeInt = Math.pow(2, 53) - 1;
-var minSafeInt = -maxSafeInt;
-
-function to_long(value) {
- var num = parseInt(value);
- // Better not to index a number if it's not safe (above 53 bits).
- return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ?
num : undefined;
-}
-
-function to_ip(value) {
- if (value.indexOf(":") === -1)
- return to_ipv4(value);
- return to_ipv6(value);
-}
-
-var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
-var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/;
-
-function to_ipv4(value) {
- var result = ipv4_regex.exec(value);
- if (result == null || result.length !== 5) return;
- for (var i = 1; i < 5; i++) {
- var num = strictToInt(result[i]);
- if (isNaN(num) || num < 0 || num > 255) return;
- }
- return value;
-}
-
-function to_ipv6(value) {
- var sqEnd = value.indexOf("]");
- if (sqEnd > -1) {
- if (value.charAt(0) !== "[") return;
- value = value.substr(1, sqEnd - 1);
- }
- var zoneOffset = value.indexOf("%");
- if (zoneOffset > -1) {
- value = value.substr(0, zoneOffset);
- }
- var parts = value.split(":");
- if (parts == null || parts.length < 3 || parts.length > 8) return;
- var numEmpty = 0;
- var innerEmpty = 0;
- for (var i = 0; i < parts.length; i++) {
- if (parts[i].length === 0) {
- numEmpty++;
- if (i > 0 && i + 1 < parts.length) innerEmpty++;
- } else if (!parts[i].match(ipv6_hex_regex) &&
- // Accept an IPv6 with a valid IPv4 at the end.
- ((i + 1 < parts.length) || !to_ipv4(parts[i]))) {
- return;
- }
- }
- return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined;
-}
-
-function to_double(value) {
- return parseFloat(value);
-}
-
-function to_mac(value) {
- // ES doesn't have a mac datatype so it's safe to ingest whatever was captured.
- return value;
-}
-
-function to_lowercase(value) {
- // to_lowercase is used against keyword fields, which can accept
- // any other type (numbers, dates).
- return typeof(value) === "string"?
value.toLowerCase() : value;
-}
-
-function fld_set(dst, value) {
- dst[this.field] = { v: value };
-}
-
-function fld_append(dst, value) {
- if (dst[this.field] === undefined) {
- dst[this.field] = { v: [value] };
- } else {
- var base = dst[this.field];
- if (base.v.indexOf(value)===-1) base.v.push(value);
- }
-}
-
-function fld_prio(dst, value) {
- if (dst[this.field] === undefined) {
- dst[this.field] = { v: value, prio: this.prio};
- } else if(this.prio < dst[this.field].prio) {
- dst[this.field].v = value;
- dst[this.field].prio = this.prio;
- }
-}
-
-var valid_ecs_outcome = {
- 'failure': true,
- 'success': true,
- 'unknown': true
-};
-
-function fld_ecs_outcome(dst, value) {
- value = value.toLowerCase();
- if (valid_ecs_outcome[value] === undefined) {
- value = 'unknown';
- }
- if (dst[this.field] === undefined) {
- dst[this.field] = { v: value };
- } else if (dst[this.field].v === 'unknown') {
- dst[this.field] = { v: value };
- }
-}
-
-function map_all(evt, targets, value) {
- for (var i = 0; i < targets.length; i++) {
- evt.Put(targets[i], value);
- }
-}
-
-function populate_fields(evt) {
- var base = evt.Get(FIELDS_OBJECT);
- if (base === null) return;
- alternate_datetime(evt);
- if (map_ecs) {
- do_populate(evt, base, ecs_mappings);
- }
- if (map_rsa) {
- do_populate(evt, base, rsa_mappings);
- }
- if (keep_raw) {
- evt.Put("rsa.raw", base);
- }
- evt.Delete(FIELDS_OBJECT);
-}
-
-var datetime_alt_components = [
- {field: "day", fmts: [[dF]]},
- {field: "year", fmts: [[dW]]},
- {field: "month", fmts: [[dB],[dG]]},
- {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
- {field: "hour", fmts: [[dN]]},
- {field: "min", fmts: [[dU]]},
- {field: "secs", fmts: [[dO]]},
- {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
-];
-
-function alternate_datetime(evt) {
- if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
- return;
- }
- var tzOffset = tz_offset;
- if (tzOffset === "event") {
- tzOffset =
evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} ui=%{p0}"); - -var dup3 = match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); - -var dup4 = match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); - -var dup5 = match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); - -var dup6 = match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); - -var dup7 = setc("eventcategory","1401000000"); - -var dup8 = setf("msg","$MSG"); - -var dup9 = date_time({ - dest: "event_time", - args: ["hdate","htime"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], -}); - -var dup10 = setf("hardware_id","hfld1"); - -var dup11 = setf("id","hfld2"); - -var dup12 = setf("id1","hfld3"); - -var dup13 = setf("event_type","msgIdPart1"); - -var dup14 = setf("category","msgIdPart2"); - -var dup15 = setf("severity","hseverity"); - -var dup16 = match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); - -var dup17 = setc("eventcategory","1602000000"); - -var dup18 = match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); - -var dup19 = match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); - -var dup20 = match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); - -var dup21 = match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); - -var dup22 = match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); - -var dup23 = match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); - -var dup24 = match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); - -var dup25 = match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", "%{sessionid->} msg=%{p0}"); - -var 
dup26 = match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); - -var dup27 = match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); - -var dup28 = match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); - -var dup29 = match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); - -var dup30 = match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); - -var dup31 = match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); - -var dup32 = match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); - -var dup33 = setc("eventcategory","1003010000"); - -var dup34 = setf("event_type","messageid"); - -var dup35 = match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); - -var dup36 = match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); - -var dup37 = match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); - -var dup38 = match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); - -var dup39 = match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); - -var dup40 = match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); - -var dup41 = match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); - -var dup42 = match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); - -var dup43 = match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); - -var dup44 = match("MESSAGE#23:statistics/4_2", "nwparser.p0", "%{saddr}\"%{p0}"); - -var dup45 = match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); - -var dup46 = match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); - -var dup47 = match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); - -var dup48 = match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} 
direction=%{p0}"); - -var dup49 = match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); - -var dup50 = match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); - -var dup51 = match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); - -var dup52 = match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); - -var dup53 = match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); - -var dup54 = match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); - -var dup55 = match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); - -var dup56 = match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); - -var dup57 = match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); - -var dup58 = match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); - -var dup59 = match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); - -var dup60 = setc("eventcategory","1207000000"); - -var dup61 = match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); - -var dup62 = setc("eventcategory","1207040000"); - -var dup63 = linear_select([ - dup3, - dup4, -]); - -var dup64 = linear_select([ - dup5, - dup6, -]); - -var dup65 = linear_select([ - dup19, - dup20, -]); - -var dup66 = linear_select([ - dup22, - dup23, -]); - -var dup67 = linear_select([ - dup3, - dup20, -]); - -var dup68 = linear_select([ - dup24, - dup25, -]); - -var dup69 = linear_select([ - dup27, - dup28, -]); - -var dup70 = linear_select([ - dup29, - dup30, -]); - -var dup71 = linear_select([ - dup36, - dup37, -]); - -var dup72 = linear_select([ - dup38, - dup39, -]); - -var dup73 = linear_select([ - dup40, - dup41, -]); - -var dup74 = linear_select([ - dup42, - dup43, - dup44, -]); - -var dup75 = linear_select([ - dup45, - dup46, -]); - 
-var dup76 = linear_select([ - dup47, - dup48, -]); - -var dup77 = linear_select([ - dup49, - dup50, -]); - -var dup78 = linear_select([ - dup52, - dup53, -]); - -var dup79 = linear_select([ - dup54, - dup55, -]); - -var dup80 = linear_select([ - dup56, - dup57, -]); - -var dup81 = linear_select([ - dup58, - dup59, -]); - -var dup82 = all_match({ - processors: [ - dup2, - dup63, - dup16, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), -}); - -var hdr1 = match("HEADER#0:0001", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0001"), - dup1, -])); - -var hdr2 = match("HEADER#1:0002", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0002"), -])); - -var hdr3 = match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0003"), - dup1, -])); - -var hdr4 = match("HEADER#3:0004", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0004"), -])); - -var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, -]); - -var part1 = match("MESSAGE#0:event_admin/2", "nwparser.p0", "%{action->} status=%{event_state->} reason=%{result->} msg=%{p0}"); - -var all1 = all_match({ - processors: [ - dup2, - dup63, - part1, - dup64, - ], - on_success: processor_chain([ - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), -}); - -var msg1 = msg("event_admin", all1); - -var msg2 = 
msg("event_pop3", dup82); - -var all2 = all_match({ - processors: [ - dup2, - dup63, - dup16, - dup64, - ], - on_success: processor_chain([ - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), -}); - -var msg3 = msg("event_webmail", all2); - -var msg4 = msg("event_system", dup82); - -var msg5 = msg("event_imap", dup82); - -var part2 = match("MESSAGE#5:event_smtp:01/4", "nwparser.p0", "%{fld1}, relay=%{p0}"); - -var part3 = match("MESSAGE#5:event_smtp:01/5_0", "nwparser.p0", "%{shost}[%{saddr}], version=%{p0}"); - -var part4 = match("MESSAGE#5:event_smtp:01/5_1", "nwparser.p0", "%{shost}, version=%{p0}"); - -var select2 = linear_select([ - part3, - part4, -]); - -var part5 = match("MESSAGE#5:event_smtp:01/6", "nwparser.p0", "%{version}, verify=%{fld2}, cipher=%{s_cipher}, bits=%{fld3}\""); - -var all3 = all_match({ - processors: [ - dup18, - dup65, - dup21, - dup66, - part2, - select2, - part5, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), -}); - -var msg6 = msg("event_smtp:01", all3); - -var part6 = match("MESSAGE#6:event_smtp:02/4", "nwparser.p0", "%{fld1}, cert-subject=%{cert_subject}, cert-issuer=%{fld2}, verifymsg=%{fld3}\""); - -var all4 = all_match({ - processors: [ - dup18, - dup65, - dup21, - dup66, - part6, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), -}); - -var msg7 = msg("event_smtp:02", all4); - -var part7 = match("MESSAGE#7:event_smtp:03/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"to=\u003c\u003c%{to}>, delay=%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}[%{saddr}], dsn=%{fld4}, stat=%{fld5}\""); - -var all5 = all_match({ - processors: [ - dup18, - dup65, - part7, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), -}); - -var msg8 = 
msg("event_smtp:03", all5); - -var part8 = match("MESSAGE#8:event_smtp:04/0", "nwparser.payload", "user=%{username}ui=%{network_service}action=%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"from=\u003c\u003c%{from}>, size=%{bytes}, class=%{fld2}, nrcpts=%{p0}"); - -var part9 = match("MESSAGE#8:event_smtp:04/1_0", "nwparser.p0", "%{fld3}, msgid=\u003c\u003c%{fld4}>, proto=%{p0}"); - -var part10 = match("MESSAGE#8:event_smtp:04/1_1", "nwparser.p0", "%{fld3}, proto=%{p0}"); - -var select3 = linear_select([ - part9, - part10, -]); - -var part11 = match("MESSAGE#8:event_smtp:04/2", "nwparser.p0", "%{protocol}, daemon=%{process}, relay=%{p0}"); - -var part12 = match("MESSAGE#8:event_smtp:04/3_0", "nwparser.p0", "%{shost}[%{saddr}] (may be forged)\""); - -var part13 = match("MESSAGE#8:event_smtp:04/3_1", "nwparser.p0", "%{shost}[%{saddr}]\""); - -var part14 = match("MESSAGE#8:event_smtp:04/3_2", "nwparser.p0", "%{shost}\""); - -var select4 = linear_select([ - part12, - part13, - part14, -]); - -var all6 = all_match({ - processors: [ - part8, - select3, - part11, - select4, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), -}); - -var msg9 = msg("event_smtp:04", all6); - -var part15 = match("MESSAGE#9:event_smtp:05/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"Milter: to=\u003c\u003c%{to}>, reject=%{fld1}\""); - -var all7 = all_match({ - processors: [ - dup18, - dup67, - part15, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), -}); - -var msg10 = msg("event_smtp:05", all7); - -var part16 = match("MESSAGE#10:event_smtp:06/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"timeout waiting for input from%{p0}"); - -var part17 = match("MESSAGE#10:event_smtp:06/3_0", "nwparser.p0", "[%{saddr}]during server cmd%{p0}"); - -var part18 = 
match("MESSAGE#10:event_smtp:06/3_1", "nwparser.p0", "%{saddr}during server cmd%{p0}"); - -var select5 = linear_select([ - part17, - part18, -]); - -var part19 = match("MESSAGE#10:event_smtp:06/4", "nwparser.p0", "%{fld5}\""); - -var all8 = all_match({ - processors: [ - dup18, - dup65, - part16, - select5, - part19, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), -}); - -var msg11 = msg("event_smtp:06", all8); - -var part20 = match("MESSAGE#11:event_smtp:07/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"collect:%{fld1}timeout on connection from%{shost}, from=\u003c\u003c%{from}>\""); - -var all9 = all_match({ - processors: [ - dup18, - dup67, - part20, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), -}); - -var msg12 = msg("event_smtp:07", all9); - -var part21 = match("MESSAGE#12:event_smtp:08/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"DSN: to \u003c\u003c%{to}>; reason:%{result}; sessionid:%{fld5}\""); - -var all10 = all_match({ - processors: [ - dup18, - dup67, - part21, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), -}); - -var msg13 = msg("event_smtp:08", all10); - -var part22 = match("MESSAGE#13:event_smtp:09/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"lost input channel from%{shost}[%{saddr}] (may be forged) to SMTP_MTA after rcpt\""); - -var all11 = all_match({ - processors: [ - dup18, - dup65, - part22, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), -}); - -var msg14 = msg("event_smtp:09", all11); - -var part23 = match("MESSAGE#14:event_smtp:10/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"%{shost}[%{saddr}]: 
possible SMTP attack: command=%{fld1}, count=%{dclass_counter1}\""); - -var all12 = all_match({ - processors: [ - dup18, - dup65, - part23, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - setc("dclass_counter1_string","count"), - ]), -}); - -var msg15 = msg("event_smtp:10", all12); - -var part24 = match("MESSAGE#15:event_smtp:11/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" log_part=%{id1->} msg=\"to=\u003c\u003c%{to}, delay=%{p0}"); - -var part25 = match("MESSAGE#15:event_smtp:11/3_0", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}\""); - -var part26 = match("MESSAGE#15:event_smtp:11/3_1", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}\""); - -var part27 = match("MESSAGE#15:event_smtp:11/3_2", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}\""); - -var part28 = match("MESSAGE#15:event_smtp:11/3_3", "nwparser.p0", "%{fld1}\""); - -var select6 = linear_select([ - part25, - part26, - part27, - part28, -]); - -var all13 = all_match({ - processors: [ - dup18, - dup65, - part24, - select6, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), -}); - -var msg16 = msg("event_smtp:11", all13); - -var part29 = match("MESSAGE#16:event_smtp/2", "nwparser.p0", "%{action->} status=%{event_state->} session_id=%{p0}"); - -var all14 = all_match({ - processors: [ - dup2, - dup63, - part29, - dup68, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), -}); - -var msg17 = msg("event_smtp", all14); - -var part30 = tagval("MESSAGE#17:event_smtp:12", "nwparser.payload", tvm, { - "action": "action", - "log_part": "id1", - "msg": "info", - "session_id": "sessionid", - "status": "event_state", - "ui": "network_service", - "user": "username", -}, processor_chain([ - 
dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, -])); - -var msg18 = msg("event_smtp:12", part30); - -var select7 = linear_select([ - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - msg18, -]); - -var part31 = match("MESSAGE#18:event_update/0", "nwparser.payload", "msg=%{p0}"); - -var all15 = all_match({ - processors: [ - part31, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), -}); - -var msg19 = msg("event_update", all15); - -var part32 = match("MESSAGE#19:event_config/1_0", "nwparser.p0", "%{network_service}(%{saddr}) module=%{p0}"); - -var part33 = match("MESSAGE#19:event_config/1_1", "nwparser.p0", "%{network_service->} module=%{p0}"); - -var select8 = linear_select([ - part32, - part33, -]); - -var part34 = match("MESSAGE#19:event_config/2", "nwparser.p0", "%{fld1->} submodule=%{fld2->} msg=%{p0}"); - -var all16 = all_match({ - processors: [ - dup2, - select8, - part34, - dup64, - ], - on_success: processor_chain([ - setc("eventcategory","1701000000"), - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), -}); - -var msg20 = msg("event_config", all16); - -var select9 = linear_select([ - dup31, - dup32, -]); - -var all17 = all_match({ - processors: [ - dup26, - dup69, - dup70, - select9, - dup68, - dup64, - ], - on_success: processor_chain([ - dup33, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), -}); - -var msg21 = msg("virus", all17); - -var part35 = match("MESSAGE#21:virus_infected/2_0", "nwparser.p0", "\"%{to}\" client_name=\"%{p0}"); - -var part36 = match("MESSAGE#21:virus_infected/2_1", "nwparser.p0", "%{to->} client_name=\"%{p0}"); - -var select10 = linear_select([ - part35, - part36, -]); - -var part37 = match("MESSAGE#21:virus_infected/3", "nwparser.p0", "%{fqdn}\" client_ip=\"%{saddr}\" session_id=%{p0}"); - -var all18 = all_match({ - 
processors: [ - dup26, - dup69, - select10, - part37, - dup68, - dup64, - ], - on_success: processor_chain([ - dup33, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup15, - ]), -}); - -var msg22 = msg("virus_infected", all18); - -var part38 = match("MESSAGE#22:virus_file-signature/0_0", "nwparser.payload", "from=\"%{from}\" to=%{p0}"); - -var part39 = match("MESSAGE#22:virus_file-signature/0_1", "nwparser.payload", "%{from->} to=%{p0}"); - -var select11 = linear_select([ - part38, - part39, -]); - -var part40 = match("MESSAGE#22:virus_file-signature/2_0", "nwparser.p0", "\"%{sdomain->} [%{saddr}]\" session_id=%{p0}"); - -var part41 = match("MESSAGE#22:virus_file-signature/2_1", "nwparser.p0", "%{sdomain->} [%{saddr}] session_id=%{p0}"); - -var part42 = match("MESSAGE#22:virus_file-signature/2_2", "nwparser.p0", "\"[%{saddr}]\" session_id=%{p0}"); - -var part43 = match("MESSAGE#22:virus_file-signature/2_3", "nwparser.p0", "[%{saddr}] session_id=%{p0}"); - -var select12 = linear_select([ - part40, - part41, - part42, - part43, - dup31, - dup32, -]); - -var part44 = match("MESSAGE#22:virus_file-signature/4_0", "nwparser.p0", "\"Attachment file (%(unknown)) has sha1 hash value: %{checksum}\""); - -var select13 = linear_select([ - part44, - dup5, - dup6, -]); - -var all19 = all_match({ - processors: [ - select11, - dup70, - select12, - dup68, - select13, - ], - on_success: processor_chain([ - dup33, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), -}); - -var msg23 = msg("virus_file-signature", all19); - -var part45 = match("MESSAGE#23:statistics/5", "nwparser.p0", "%{}MSISDN=%{fld3->} resolved=%{p0}"); - -var all20 = all_match({ - processors: [ - dup35, - dup71, - dup72, - dup73, - dup74, - part45, - dup75, - dup76, - dup77, - dup51, - dup78, - dup79, - dup80, - dup81, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), -}); - -var msg24 = msg("statistics", all20); - -var all21 = 
all_match({ - processors: [ - dup35, - dup71, - dup72, - dup73, - dup74, - dup61, - dup75, - dup76, - dup77, - dup51, - dup78, - dup79, - dup80, - dup81, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), -}); - -var msg25 = msg("statistics:01", all21); - -var part46 = match("MESSAGE#25:statistics:02/4_0", "nwparser.p0", "\"%{direction}\" subject=%{p0}"); - -var part47 = match("MESSAGE#25:statistics:02/4_1", "nwparser.p0", "%{direction->} subject=%{p0}"); - -var select14 = linear_select([ - part46, - part47, -]); - -var part48 = match("MESSAGE#25:statistics:02/5_0", "nwparser.p0", "\"%{subject}\" classifier=%{p0}"); - -var part49 = match("MESSAGE#25:statistics:02/5_1", "nwparser.p0", "%{subject->} classifier=%{p0}"); - -var select15 = linear_select([ - part48, - part49, -]); - -var part50 = match("MESSAGE#25:statistics:02/6_0", "nwparser.p0", "\"%{filter}\" disposition=%{p0}"); - -var part51 = match("MESSAGE#25:statistics:02/6_1", "nwparser.p0", "%{filter->} disposition=%{p0}"); - -var select16 = linear_select([ - part50, - part51, -]); - -var part52 = match("MESSAGE#25:statistics:02/7_0", "nwparser.p0", "\"%{disposition}\" client_name=\"%{p0}"); - -var part53 = match("MESSAGE#25:statistics:02/7_1", "nwparser.p0", "%{disposition->} client_name=\"%{p0}"); - -var select17 = linear_select([ - part52, - part53, -]); - -var part54 = match("MESSAGE#25:statistics:02/10_0", "nwparser.p0", "\"%{context}\" virus=%{p0}"); - -var part55 = match("MESSAGE#25:statistics:02/10_1", "nwparser.p0", "%{context->} virus=%{p0}"); - -var select18 = linear_select([ - part54, - part55, -]); - -var part56 = match("MESSAGE#25:statistics:02/11_0", "nwparser.p0", "\"%{virusname}\" message_length=%{p0}"); - -var part57 = match("MESSAGE#25:statistics:02/11_1", "nwparser.p0", "%{virusname->} message_length=%{p0}"); - -var select19 = linear_select([ - part56, - part57, -]); - -var part58 = match_copy("MESSAGE#25:statistics:02/12", 
"nwparser.p0", "fld4"); - -var all22 = all_match({ - processors: [ - dup35, - dup71, - dup69, - dup76, - select14, - select15, - select16, - select17, - dup74, - dup61, - select18, - select19, - part58, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), -}); - -var msg26 = msg("statistics:02", all22); - -var part59 = match("MESSAGE#26:statistics:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{p0}"); - -var part60 = match("MESSAGE#26:statistics:03/1_0", "nwparser.p0", "%{fqdn}[%{saddr}] (may be forged)\"%{p0}"); - -var part61 = match("MESSAGE#26:statistics:03/1_1", "nwparser.p0", "%{fqdn}[%{saddr}]\"%{p0}"); - -var part62 = match("MESSAGE#26:statistics:03/1_2", "nwparser.p0", "[%{saddr}]\"%{p0}"); - -var select20 = linear_select([ - part60, - part61, - part62, -]); - -var part63 = match("MESSAGE#26:statistics:03/2", "nwparser.p0", "dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\"%{p0}"); - -var part64 = match("MESSAGE#26:statistics:03/3_0", "nwparser.p0", " polid=\"%{fld5}\" domain=\"%{domain}\" subject=\"%{subject}\" mailer=\"%{agent}\" resolved=\"%{context}\"%{p0}"); - -var part65 = match_copy("MESSAGE#26:statistics:03/3_1", "nwparser.p0", "p0"); - -var select21 = linear_select([ - part64, - part65, -]); - -var part66 = match("MESSAGE#26:statistics:03/4", "nwparser.p0", "%{}direction=\"%{direction}\" virus=\"%{virusname}\" disposition=\"%{disposition}\" classifier=\"%{filter}\" message_length=%{fld4}"); - -var all23 = all_match({ - processors: [ - part59, - select20, - part63, - select21, - part66, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), -}); - -var msg27 = msg("statistics:03", all23); - -var part67 = match("MESSAGE#27:statistics:04/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=%{p0}"); - -var part68 = match("MESSAGE#27:statistics:04/1_1", "nwparser.p0", "%{sessionid->} client_name=%{p0}"); - -var 
select22 = linear_select([ - part67, - part68, -]); - -var part69 = match("MESSAGE#27:statistics:04/2_0", "nwparser.p0", "\"%{fqdn}[%{saddr}]\"dst_ip=%{p0}"); - -var part70 = match("MESSAGE#27:statistics:04/2_1", "nwparser.p0", "%{fqdn}[%{saddr}]dst_ip=%{p0}"); - -var part71 = match("MESSAGE#27:statistics:04/2_2", "nwparser.p0", "\"[%{saddr}]\"dst_ip=%{p0}"); - -var part72 = match("MESSAGE#27:statistics:04/2_3", "nwparser.p0", "[%{saddr}]dst_ip=%{p0}"); - -var part73 = match("MESSAGE#27:statistics:04/2_4", "nwparser.p0", "\"%{saddr}\"dst_ip=%{p0}"); - -var part74 = match("MESSAGE#27:statistics:04/2_5", "nwparser.p0", "%{saddr}dst_ip=%{p0}"); - -var select23 = linear_select([ - part69, - part70, - part71, - part72, - part73, - part74, -]); - -var part75 = match("MESSAGE#27:statistics:04/3_0", "nwparser.p0", "\"%{daddr}\" from=%{p0}"); - -var part76 = match("MESSAGE#27:statistics:04/3_1", "nwparser.p0", "%{daddr->} from=%{p0}"); - -var select24 = linear_select([ - part75, - part76, -]); - -var part77 = match("MESSAGE#27:statistics:04/4_0", "nwparser.p0", "\"%{from}\" hfrom=%{p0}"); - -var part78 = match("MESSAGE#27:statistics:04/4_1", "nwparser.p0", "%{from->} hfrom=%{p0}"); - -var select25 = linear_select([ - part77, - part78, -]); - -var part79 = match("MESSAGE#27:statistics:04/5_0", "nwparser.p0", "\"%{fld3}\" to=%{p0}"); - -var part80 = match("MESSAGE#27:statistics:04/5_1", "nwparser.p0", "%{fld3->} to=%{p0}"); - -var select26 = linear_select([ - part79, - part80, -]); - -var part81 = match("MESSAGE#27:statistics:04/6_0", "nwparser.p0", "\"%{to}\" polid=%{p0}"); - -var part82 = match("MESSAGE#27:statistics:04/6_1", "nwparser.p0", "%{to->} polid=%{p0}"); - -var select27 = linear_select([ - part81, - part82, -]); - -var part83 = match("MESSAGE#27:statistics:04/7_0", "nwparser.p0", "\"%{fld5}\" domain=%{p0}"); - -var part84 = match("MESSAGE#27:statistics:04/7_1", "nwparser.p0", "%{fld5->} domain=%{p0}"); - -var select28 = linear_select([ - part83, - part84, -]); - 
-var part85 = match("MESSAGE#27:statistics:04/8_0", "nwparser.p0", "\"%{domain}\" subject=%{p0}"); - -var part86 = match("MESSAGE#27:statistics:04/8_1", "nwparser.p0", "%{domain->} subject=%{p0}"); - -var select29 = linear_select([ - part85, - part86, -]); - -var part87 = match("MESSAGE#27:statistics:04/9_0", "nwparser.p0", "\"%{subject}\" mailer=%{p0}"); - -var part88 = match("MESSAGE#27:statistics:04/9_1", "nwparser.p0", "%{subject->} mailer=%{p0}"); - -var select30 = linear_select([ - part87, - part88, -]); - -var part89 = match("MESSAGE#27:statistics:04/10_0", "nwparser.p0", "\"%{agent}\" resolved=%{p0}"); - -var part90 = match("MESSAGE#27:statistics:04/10_1", "nwparser.p0", "%{agent->} resolved=%{p0}"); - -var select31 = linear_select([ - part89, - part90, -]); - -var part91 = match("MESSAGE#27:statistics:04/11_0", "nwparser.p0", "\"%{context}\" direction=%{p0}"); - -var part92 = match("MESSAGE#27:statistics:04/11_1", "nwparser.p0", "%{context->} direction=%{p0}"); - -var select32 = linear_select([ - part91, - part92, -]); - -var part93 = match("MESSAGE#27:statistics:04/12_0", "nwparser.p0", "\"%{direction}\" virus=%{p0}"); - -var part94 = match("MESSAGE#27:statistics:04/12_1", "nwparser.p0", "%{direction->} virus=%{p0}"); - -var select33 = linear_select([ - part93, - part94, -]); - -var part95 = match("MESSAGE#27:statistics:04/15_0", "nwparser.p0", "\"%{filter}\" message_length=%{p0}"); - -var part96 = match("MESSAGE#27:statistics:04/15_1", "nwparser.p0", "%{filter->} message_length=%{p0}"); - -var select34 = linear_select([ - part95, - part96, -]); - -var part97 = match("MESSAGE#27:statistics:04/16_0", "nwparser.p0", "\"%{fld6}\""); - -var part98 = match_copy("MESSAGE#27:statistics:04/16_1", "nwparser.p0", "fld6"); - -var select35 = linear_select([ - part97, - part98, -]); - -var all24 = all_match({ - processors: [ - dup35, - select22, - select23, - select24, - select25, - select26, - select27, - select28, - select29, - select30, - select31, - select32, - 
select33, - dup78, - dup79, - select34, - select35, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), -}); - -var msg28 = msg("statistics:04", all24); - -var part99 = tagval("MESSAGE#28:statistics:05", "nwparser.payload", tvm, { - "classifier": "filter", - "client_ip": "saddr", - "client_name": "fqdn", - "direction": "direction", - "disposition": "disposition", - "domain": "domain", - "dst_ip": "daddr", - "from": "from", - "hfrom": "fld3", - "mailer": "agent", - "message_length": "fld6", - "polid": "fld5", - "resolved": "context", - "session_id": "sessionid", - "src_type": "fld7", - "subject": "subject", - "to": "to", - "virus": "virusname", -}, processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, -])); - -var msg29 = msg("statistics:05", part99); - -var select36 = linear_select([ - msg24, - msg25, - msg26, - msg27, - msg28, - msg29, -]); - -var part100 = match("MESSAGE#29:spam/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=\"%{p0}"); - -var part101 = match("MESSAGE#29:spam/1_1", "nwparser.p0", "%{sessionid->} client_name=\"%{p0}"); - -var select37 = linear_select([ - part100, - part101, -]); - -var part102 = match("MESSAGE#29:spam/3", "nwparser.p0", "%{}from=%{p0}"); - -var part103 = match("MESSAGE#29:spam/5_0", "nwparser.p0", "\"%{to}\" subject=%{p0}"); - -var part104 = match("MESSAGE#29:spam/5_1", "nwparser.p0", "%{to->} subject=%{p0}"); - -var select38 = linear_select([ - part103, - part104, -]); - -var part105 = match("MESSAGE#29:spam/6_0", "nwparser.p0", "\"%{subject}\" msg=%{p0}"); - -var part106 = match("MESSAGE#29:spam/6_1", "nwparser.p0", "%{subject->} msg=%{p0}"); - -var select39 = linear_select([ - part105, - part106, -]); - -var all25 = all_match({ - processors: [ - dup35, - select37, - dup74, - part102, - dup69, - select38, - select39, - dup64, - ], - on_success: processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - 
]), -}); - -var msg30 = msg("spam", all25); - -var part107 = match("MESSAGE#30:spam:04", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{fqdn->} [%{saddr}] (%{fld2})\" dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, -])); - -var msg31 = msg("spam:04", part107); - -var part108 = match("MESSAGE#31:spam:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=%{p0}"); - -var part109 = match("MESSAGE#31:spam:03/1_0", "nwparser.p0", "\"%{fqdn->} [%{saddr}]\" %{p0}"); - -var part110 = match("MESSAGE#31:spam:03/1_1", "nwparser.p0", " \"%{fqdn}\" client_ip=\"%{saddr}\"%{p0}"); - -var select40 = linear_select([ - part109, - part110, -]); - -var part111 = match("MESSAGE#31:spam:03/2", "nwparser.p0", "%{}dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\""); - -var all26 = all_match({ - processors: [ - part108, - select40, - part111, - ], - on_success: processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), -}); - -var msg32 = msg("spam:03", all26); - -var part112 = match("MESSAGE#32:spam:02", "nwparser.payload", "session_id=\"%{sessionid}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, -])); - -var msg33 = msg("spam:02", part112); - -var part113 = match("MESSAGE#33:spam:01/3_0", "nwparser.p0", "\"%{to}\" msg=%{p0}"); - -var part114 = match("MESSAGE#33:spam:01/3_1", "nwparser.p0", "%{to->} msg=%{p0}"); - -var select41 = linear_select([ - part113, - part114, -]); - -var all27 = all_match({ - processors: [ - dup35, - dup71, - dup69, - select41, - dup64, - ], - on_success: processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), -}); - -var msg34 = msg("spam:01", 
all27); - -var select42 = linear_select([ - msg30, - msg31, - msg32, - msg33, - msg34, -]); - -var chain1 = processor_chain([ - select1, - msgid_select({ - "event_admin": msg1, - "event_config": msg20, - "event_imap": msg5, - "event_pop3": msg2, - "event_smtp": select7, - "event_system": msg4, - "event_update": msg19, - "event_webmail": msg3, - "spam": select42, - "statistics": select36, - "virus": msg21, - "virus_file-signature": msg23, - "virus_infected": msg22, - }), -]); - -var part115 = match("MESSAGE#0:event_admin/0", "nwparser.payload", "user=%{username->} ui=%{p0}"); - -var part116 = match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); - -var part117 = match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); - -var part118 = match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); - -var part119 = match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); - -var part120 = match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); - -var part121 = match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); - -var part122 = match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); - -var part123 = match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); - -var part124 = match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); - -var part125 = match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); - -var part126 = match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); - -var part127 = match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); - -var part128 = match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", "%{sessionid->} msg=%{p0}"); - -var part129 = match("MESSAGE#20:virus/0", 
"nwparser.payload", "from=%{p0}"); - -var part130 = match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); - -var part131 = match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); - -var part132 = match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); - -var part133 = match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); - -var part134 = match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); - -var part135 = match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); - -var part136 = match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); - -var part137 = match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); - -var part138 = match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); - -var part139 = match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); - -var part140 = match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); - -var part141 = match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); - -var part142 = match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); - -var part143 = match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); - -var part144 = match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); - -var part145 = match("MESSAGE#23:statistics/4_2", "nwparser.p0", "%{saddr}\"%{p0}"); - -var part146 = match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); - -var part147 = match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); - -var part148 = match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); - -var part149 = match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); - -var part150 = match("MESSAGE#23:statistics/8_0", "nwparser.p0", 
"\"%{direction}\" message_length=%{p0}"); - -var part151 = match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); - -var part152 = match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); - -var part153 = match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); - -var part154 = match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); - -var part155 = match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); - -var part156 = match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); - -var part157 = match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); - -var part158 = match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); - -var part159 = match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); - -var part160 = match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); - -var part161 = match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); - -var select43 = linear_select([ - dup3, - dup4, -]); - -var select44 = linear_select([ - dup5, - dup6, -]); - -var select45 = linear_select([ - dup19, - dup20, -]); - -var select46 = linear_select([ - dup22, - dup23, -]); - -var select47 = linear_select([ - dup3, - dup20, -]); - -var select48 = linear_select([ - dup24, - dup25, -]); - -var select49 = linear_select([ - dup27, - dup28, -]); - -var select50 = linear_select([ - dup29, - dup30, -]); - -var select51 = linear_select([ - dup36, - dup37, -]); - -var select52 = linear_select([ - dup38, - dup39, -]); - -var select53 = linear_select([ - dup40, - dup41, -]); - -var select54 = linear_select([ - dup42, - dup43, - dup44, -]); - -var select55 = linear_select([ - dup45, - dup46, -]); - -var select56 = linear_select([ - dup47, - dup48, -]); - -var select57 = linear_select([ - dup49, - dup50, -]); - -var 
select58 = linear_select([ - dup52, - dup53, -]); - -var select59 = linear_select([ - dup54, - dup55, -]); - -var select60 = linear_select([ - dup56, - dup57, -]); - -var select61 = linear_select([ - dup58, - dup59, -]); - -var all28 = all_match({ - processors: [ - dup2, - dup63, - dup16, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), -}); diff --git a/x-pack/filebeat/module/fortinet/fortimail/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/fortimail/ingest/pipeline.yml deleted file mode 100644 index 817ec9d3e14..00000000000 --- a/x-pack/filebeat/module/fortinet/fortimail/ingest/pipeline.yml +++ /dev/null 
@@ -1,69 +0,0 @@
----
-description: Pipeline for Fortinet FortiMail
-
-processors:
-  # ECS event.ingested
-  - set:
-      field: event.ingested
-      value: '{{_ingest.timestamp}}'
-  # User agent
-  - user_agent:
-      field: user_agent.original
-      ignore_missing: true
-  # Serial Number
-  - set:
-      field: observer.serial_number
-      value: "{{rsa.misc.hardware_id}}"
-      ignore_empty_value: true
-  # IP Geolocation Lookup
-  - geoip:
-      field: source.ip
-      target_field: source.geo
-      ignore_missing: true
-  - geoip:
-      field: destination.ip
-      target_field: destination.geo
-      ignore_missing: true
-
-  # IP Autonomous System (AS) Lookup
-  - geoip:
-      database_file: GeoLite2-ASN.mmdb
-      field: source.ip
-      target_field: source.as
-      properties:
-        - asn
-        - organization_name
-      ignore_missing: true
-  - geoip:
-      database_file: GeoLite2-ASN.mmdb
-      field: destination.ip
-      target_field: destination.as
-      properties:
-        - asn
-        - organization_name
-      ignore_missing: true
-  - rename:
-      field: source.as.asn
-      target_field: source.as.number
-      ignore_missing: true
-  - rename:
-      field: source.as.organization_name
-      target_field: source.as.organization.name
-      ignore_missing: true
-  - rename:
-      field: destination.as.asn
-      target_field: destination.as.number
-      ignore_missing: true
-  - rename:
-      field: destination.as.organization_name
-      target_field: destination.as.organization.name
-      ignore_missing: true
-  - append:
-      field: related.hosts
-      value: '{{host.name}}'
-      allow_duplicates: false
-      if: ctx.host?.name != null && ctx.host?.name != ''
-on_failure:
-  - append:
-      field: error.message
-      value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/fortinet/fortimail/manifest.yml b/x-pack/filebeat/module/fortinet/fortimail/manifest.yml
deleted file mode 100644
index d9782e4e6ea..00000000000
--- a/x-pack/filebeat/module/fortinet/fortimail/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-module_version: "1.0"
-
-var:
-  - name: paths
-  - name: tags
-    default: ["fortinet.fortimail", "forwarded"]
-  - name: syslog_host
-    default: localhost
-  - name: syslog_port
-    default: 9545
-  - name: input
-    default: udp
-  - name: community_id
-    default: true
-  - name: tz_offset
-    default: local
-  - name: rsa_fields
-    default: true
-  - name: keep_raw_fields
-    default: false
-  - name: debug
-    default: false
-
-ingest_pipeline: ingest/pipeline.yml
-input: config/input.yml
-
-requires.processors:
-- name: geoip
-  plugin: ingest-geoip
-- name: user_agent
-  plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/fortinet/fortimail/test/generated.log b/x-pack/filebeat/module/fortinet/fortimail/test/generated.log
deleted file mode 100644
index 0e5a02242a5..00000000000
--- a/x-pack/filebeat/module/fortinet/fortimail/test/generated.log
+++ /dev/null
@@ -1,100 +0,0 @@ -date=2016-1-29 time=06:09:59 device_id=pexe log_id=nes log_part=eab type=event subtype=update pri=high msg="boNemoe" -date=2016-2-12 time=13:12:33 device_id=ehend log_id=ritquiin log_part=umqui type=virus subtype=infected pri=very-high from="mest" to=enderitq client_name="sperna884.internal.domain" client_ip="10.165.201.71" session_id="pisciv" msg="uii" -date=2016-2-26 time=20:15:08 device_id=doeiu log_id=nia log_part=olupt type=event subtype=config pri=low user=quipexe ui=alo(10.212.18.145) module=umdo submodule=itessequ msg=vol -date=2016-3-12 time=03:17:42 device_id=uipexea log_id=tatio log_part=minim type=event subtype=pop3 pri=high user=ceroinBC ui=ratvolup action=deny status=iatu msg="ionofde" -date=2016-3-26 time=10:20:16 device_id=itati log_id=mfu log_part=uid type=event subtype=pop3 pri=very-high user=obeataev ui=lor action=block status=autfu msg="natura" -date=2016-4-9 time=17:22:51 device_id=llamcorp log_id=ari log_part=eataevit type=event subtype=system pri=high user=iam ui=mqua action=allow status=olab msg=mquisnos -date=2016-4-24 time=00:25:25 device_id=enimad log_id=incididu log_part=eci type=virus pri=very-high from=tenbyCic to=boree src=10.98.69.43 session_id="iinea" msg=ipit -date=2016-5-8 time=07:27:59 device_id=taliqu log_id=temUten log_part=ccusan type=virus subtype=infected pri=low from="Ciceroi" to="aveniam" client_name="uradi7307.internal.corp" client_ip="10.118.96.139" session_id="sitas" msg=ehenderi -date=2016-5-22 time=14:30:33 device_id=smo log_id=litessec log_part=emporinc type=event subtype=pop3 pri=very-high user=ipsumq ui=atcu action=allow status=tessec msg="remipsum" -date=2016-6-5 time=21:33:08 device_id=ntutl log_id=caecatc log_part=onsequat type=event subtype=update pri=low msg="edquiano" -date=2016-6-20 time=04:35:42 device_id=idestla log_id=Nemoeni log_part=uradi type=statistics pri=very-high session_id="lup" from="remeumf" mailer=antiumto client_name="10.241.165.37" MSISDN=aUteni resolved=ittenbyC to="aperi" 
direction="inbound" message_length=ita virus="ipi" disposition=rsitamet classifier="lupt" subject="xea" -date=2016-7-4 time=11:38:16 device_id=amvolup log_id=sequi log_part=rehend type=event subtype=webmail pri=high user=eme ui=numqu(10.232.149.140) action=allow status=lum msg=utali -date=2016-7-18 time=18:40:50 device_id=estiae log_id=sci log_part=oei type=virus_file-signature pri=low snostrud to=nama src="10.24.67.250" session_id="dolor" msg="nnum" -date=2016-8-2 time=01:43:25 device_id=oluptas log_id=tNequepo log_part=lup type=event subtype=update pri=medium msg=equat -date=2016-8-16 time=08:45:59 device_id=abi log_id=sectetur log_part=uioffi type=event subtype=update pri=high msg=veniamq -date=2016-8-30 time=15:48:33 device_id=orem log_id=beata log_part=hitecto type=statistics pri=very-high session_id="texp" client_name="[10.179.124.125]"dst_ip="10.177.36.38" from="sequine" to="ectio" polid="dutper" domain="lamcolab3252.www.invalid" subject="gel" mailer="lorsitam" resolved="mpo" direction="inbound" virus="ris" disposition="uamqu" classifier="lor" message_length=oide -date=2016-9-13 time=22:51:07 device_id=didunt log_id=uptatema log_part=intocc type=virus subtype=file-signature pri=very-high from="orema" to=invento src=[10.164.39.248] session_id="nofdeFin" msg=sequam -date=2016-9-28 time=05:53:42 device_id=tvolu log_id=ecte log_part=tinvolu type=virus_file-signature pri=high from="ntiumdo" to="autfu" src=gnaaliq [10.52.135.156] session_id="litse" msg="icabo" -date=2016-10-12 time=12:56:16 device_id=stru log_id=tectobe log_part=Nequepo type=event subtype=config pri=very-high user=pora ui=boree module=evolup submodule=ionofdeF msg="evelit" -date=2016-10-26 time=19:58:50 device_id=uatD log_id=ariatu log_part=edquiac type=event subtype=smtp pri=high user=atno ui=tani action=allow status=ntocca session_id=ostru log_part=ntoccae msg=autf -date=2016-11-10 time=03:01:24 device_id=tenimad log_id=minimav log_part=udexerci type=spam pri=very-high session_id="itam" 
client_name="str976.internal.localhost [10.166.225.26]" from=tanimid to=umdo subject="natuse" msg="gnamal" -date=2016-11-24 time=10:03:59 device_id=intoc log_id=rQuisau log_part=itess type=virus subtype=infected pri=high from=evit to="runtm" client_name="molli4306.www5.home" client_ip="10.218.243.47" session_id="borios" msg=rsitvolu -date=2016-12-8 time=17:06:33 device_id=quamqua log_id=eacommod log_part=ctetura type=event subtype=imap pri=high user=tpersp ui=stla action=allow status=sequamni msg=uradi -date=2016-12-23 time=00:09:07 device_id=dolore log_id=onsecte log_part=nBCSedut type=virus subtype=file-signature pri=high from="modocons" to=gitsed src="10.16.177.212" session_id="emp" msg="Attachment file (pisciv) has sha1 hash value: lumdolor" -date=2017-1-6 time=07:11:41 device_id=uaUten log_id=nby log_part=mve type=event subtype=config pri=low user=isau ui=rautodi(10.96.97.81) module=pis submodule=nsequat msg=doloreme -date=2017-1-20 time=14:14:16 device_id=aec log_id=fdeF log_part=iquidexe type=spam pri=low session_id="niamq" client_name= "lapariat7287.internal.host" client_ip="10.140.7.83" dst_ip="10.68.246.187" from="icabo" to="gna" subject="con" msg="preh" -date=2017-2-3 time=21:16:50 device_id=amcor log_id=ica log_part=lillum type=event subtype=admin pri=very-high user=dicta ui=taedicta action=accept status=poriss reason=failure msg=equaturv -date=2017-2-18 time=04:19:24 device_id=tpersp log_id=llamc log_part=nte type=event subtype=pop3 pri=very-high user=utali ui=porinc(10.48.204.44) action=accept status=dat msg=aincidu -date=2017-3-4 time=11:21:59 device_id=dipisci log_id=spernatu log_part=admi type=event subtype=pop3 pri=very-high user=quunt ui=olori action=allow status=autodit msg=elit -date=2017-3-18 time=18:24:33 device_id=nte log_id=ulpa log_part=sitam type=virus subtype=file-signature pri=low enderit to=sequa src="[10.111.233.194]" session_id=eirure msg=deserun -date=2017-4-2 time=01:27:07 device_id=ptateve log_id=enderi log_part=ptatem type=event 
subtype=smtp pri=very-high user=fugi ui=labo action=block status=ullamcor session_id=itationu msg=proident -date=2017-4-16 time=08:29:41 device_id=atione log_id=lores log_part=ritati type=statistics pri=very-high session_id=uii client_name=estl5804.internal.local client_ip=10.73.207.70 dst_ip=10.179.210.218 from=taut hfrom=tanimi to=rumSecti polid=iuntNe domain=atise3421.www5.localdomain mailer=oluptas resolved=emvele src_type=isnost direction=inbound virus=Sedut disposition=yCiceroi classifier=quunt message_length=acommod subject=sitvol -date=2017-4-30 time=15:32:16 device_id=liquide log_id=odt log_part=Sedutpe type=event subtype=admin pri=medium user=rroq ui=rcit(10.43.62.246) action=accept status=estl reason=success msg=citatio -date=2017-5-14 time=22:34:50 device_id=taedict log_id=edquian log_part=loremeu type=event subtype=admin pri=very-high user=volupta ui=dmi action=allow status=aaliq reason=unknown msg=lupta -date=2017-5-29 time=05:37:24 device_id=occ log_id=oloreseo log_part=iruredol type=virus subtype=file-signature pri=very-high derit to=orese src="[10.28.105.124]" session_id="strude" msg=eritin -date=2017-6-12 time=12:39:58 device_id=temUten log_id=dutper log_part=sitamet type=event subtype=admin pri=very-high user=illumqui ui=saq action=block status=ritqu reason=unknown msg="idolor" -date=2017-6-26 time=19:42:33 device_id=quide log_id=quaU log_part=undeomni type=virus_file-signature pri=medium acomm to=iutali src="[10.219.13.150]" session_id=Finibus msg=radi -date=2017-7-11 time=02:45:07 device_id=inrepr log_id=mol log_part=umdolors type=event subtype=pop3 pri=medium user=imad ui=oriosam(10.163.114.215) action=deny status=sitametc msg=onsequa -date=2017-7-25 time=09:47:41 device_id=riosa log_id=tNe log_part=pisc type=event subtype=webmail pri=very-high user=caecat ui=rautod(10.124.32.120) action=accept status=atcupi msg=atem -date=2017-8-8 time=16:50:15 device_id=undeom log_id=emullamc log_part=tec type=event subtype=imap pri=medium user=eetdo ui=tlab 
action=cancel status=liq msg=seddoeiu -date=2017-8-22 time=23:52:50 device_id=edictasu log_id=mdolors log_part=oremi type=event subtype=imap pri=medium user=atis ui=atDuis action=accept status=nisiut msg="rumwri" -date=2017-9-6 time=06:55:24 device_id=lumqu log_id=onulamco log_part=ons type=event subtype=pop3 pri=low user=uptat ui=unt action=accept status=uido msg=tla -date=2017-9-20 time=13:57:58 device_id=uamqu log_id=olori log_part=ido type=spam pri=low session_id="sunt" from="autfugit" to="emUte" msg=iusmodi -date=2017-10-4 time=21:00:32 device_id=umS log_id=iciadese log_part=riatur type=event subtype=webmail pri=very-high user=xeacommo ui=Cicero(10.247.53.179) action=cancel status=ditau msg=atemaccu -date=2017-10-19 time=04:03:07 device_id=urau log_id=etur log_part=rsitvol type=event subtype=config pri=low user=laborum ui=ostr(10.70.91.185) module=lumdo submodule=acom msg="eFini" -date=2017-11-2 time=11:05:41 device_id=upta log_id=itessequ log_part=iusmodit type=event subtype=update pri=very-high msg=exerci -date=2017-11-16 time=18:08:15 device_id=mmodoco log_id=amni log_part=atnul type=event subtype=webmail pri=medium user=iquidexe ui=illumq(10.215.65.52) action=accept status=tasnul msg="tuserr" -date=2017-12-1 time=01:10:49 device_id=porinc log_id=riame log_part=riat type=event subtype=admin pri=medium user=rumSec ui=orp action=deny status=udan reason=unknown msg="essequam" -date=2017-12-15 time=08:13:24 device_id=itse log_id=ilm log_part=mvel type=virus subtype=infected pri=high from=seos to=exercita client_name="edolori3822.api.home" client_ip="10.63.177.46" session_id="oluptate" msg=lit -date=2017-12-29 time=15:15:58 device_id=iciade log_id=uis log_part=amc type=event subtype=webmail pri=medium user=Ute ui=ptassita action=allow status=runtm msg="eturadip" -date=2018-1-12 time=22:18:32 device_id=colabori log_id=imidestl log_part=piscing type=virus subtype=file-signature pri=high from="isn" to=smod src="idunt [10.29.120.226]" session_id="atev" msg="ectio" 
-date=2018-1-27 time=05:21:06 device_id=atcupid log_id=onse log_part=psa type=virus_file-signature pri=high destla to="fugitse" src=[10.12.86.130] session_id=dese msg="Attachment file (duntutla) has sha1 hash value: lamco" -date=2018-2-10 time=12:23:41 device_id=gna log_id=ici log_part=quamnih type=event subtype=pop3 pri=low user=iameaque ui=identsun action=deny status=aquio msg="rspicia" -date=2018-2-24 time=19:26:15 device_id=uiineavo log_id=sistena log_part=uidexeac type=virus subtype=infected pri=high from="amquisno" to=modoc client_name="magnam3267.corp" client_ip="10.95.32.86" session_id="Bonorum" msg=lesti -date=2018-3-11 time=02:28:49 device_id=lupta log_id=byC log_part=imadm type=spam pri=low session_id="nci" from="orroquis" to="ulapa" subject="iumdo" msg="iusmodit" -date=2018-3-25 time=09:31:24 device_id=obeataev log_id=umf log_part=olesti type=event subtype=config pri=low user=quaeabil ui=emip module=aturQu submodule=itesse msg="iamqui" -date=2018-4-8 time=16:33:58 device_id=inim log_id=etdol log_part=Sed type=event subtype=pop3 pri=very-high user=tten ui=etur action=allow status=mipsumqu msg="eprehen" -date=2018-4-22 time=23:36:32 device_id=itaedict log_id=olorema log_part=rep type=event subtype=update pri=low msg=ptatemse -date=2018-5-7 time=06:39:06 device_id=eleumi log_id=edic log_part=udexerc type=event subtype=pop3 pri=low user=olabori ui=odic action=block status=lica msg=secil -date=2018-5-21 time=13:41:41 device_id=nimadmin log_id=midest log_part=modt type=event subtype=update pri=very-high msg=tocca -date=2018-6-4 time=20:44:15 device_id=usant log_id=mipsumq log_part=ident type=event subtype=config pri=very-high user=sequatD ui=ercitati(10.40.89.185) module=temse submodule=caecat msg="cusanti" -date=2018-6-19 time=03:46:49 device_id=conseq log_id=itame log_part=tenat type=virus subtype=infected pri=very-high from="yCiceroi" to="nostrum" client_name="orroquis5179.local" client_ip="10.252.96.71" session_id="tvolu" msg="dutper" -date=2018-7-3 
time=10:49:23 device_id=ugiatqu log_id=eruntmo log_part=nimve type=virus subtype=infected pri=very-high from=natus to=boreet client_name="luptasnu757.www.home" client_ip="10.174.210.232" session_id=ovolupta msg="volup" -date=2018-7-17 time=17:51:58 device_id=Bonoru log_id=rcitati log_part=nula type=event subtype=imap pri=medium user=deomni ui=adipi(10.120.232.62) action=block status=ntutl msg="volupt" -date=2018-8-1 time=00:54:32 device_id=mquameiu log_id=loremq log_part=turmagni type=event subtype=imap pri=very-high user=emUtenim ui=ende action=block status=amnis msg=rvelil -date=2018-8-15 time=07:57:06 device_id=rumetMa log_id=mexerci log_part=urEx type=virus subtype=file-signature pri=medium liq to=abore src=10.200.225.45 session_id=dol msg=exe -date=2018-8-29 time=14:59:40 device_id=audant log_id=rspicia log_part=pitl type=statistics pri=high session_id=mmod client_name=taevit4968.mail.local client_ip=10.144.111.42 dst_ip=10.62.61.1 from=lam hfrom=asnu to=com polid=rep domain=mveni5084.internal.local mailer=num resolved=ctetura src_type=quaerat direction=inbound virus=umexer disposition=amnih classifier=tper message_length=pisciv subject=tconsect -date=2018-9-12 time=22:02:15 device_id=emipsumq log_id=culpaq log_part=quamq type=event subtype=pop3 pri=medium user=emvel ui=pta(10.183.213.223) action=block status=hend msg=remagna -date=2018-9-27 time=05:04:49 device_id=lauda log_id=plicaboN log_part=dolo type=virus subtype=file-signature pri=medium from="elit" to=sam src="tMal [10.52.190.18]" session_id=isni msg=quid -date=2018-10-11 time=12:07:23 device_id=inibus log_id=secte log_part=ctobeat type=event subtype=config pri=low user=iqui ui=animide module=pid submodule=itanimi msg="onoru" -date=2018-10-25 time=19:09:57 device_id=naaliq log_id=plica log_part=asiarc type=event subtype=imap pri=low user=seq ui=snula(10.203.110.206) action=deny status=dipi msg=ecatc -date=2018-11-9 time=02:12:32 device_id=dolo log_id=velites log_part=oloremi type=virus_file-signature 
pri=high apari to=tsunt src="caecat [10.108.10.197]" session_id=enim msg="Attachment file (umq) has sha1 hash value: sistena" -date=2018-11-23 time=09:15:06 device_id=imipsam log_id=eumiu log_part=tatevel type=event subtype=smtp pri=high user=quisnostui=sequines(10.115.154.104) action=cancelstatus=lorumsession_id="suntexpl" msg="DSN: to <; reason:success; sessionid:tatis" -date=2018-12-7 time=16:17:40 device_id=econ log_id=aborio log_part=rve type=event subtype=smtp pri=medium user=nbyCiui=runtmollaction=blockstatus=velillumsession_id="ionev" msg="to=<, delay=rna, xdelay=cons, mailer=ipv6-icmp, pri=lupta, relay=olaboris3175.internal.home[10.250.94.95], dsn=tno, stat=imvenia" -date=2018-12-21 time=23:20:14 device_id=atevelit log_id=ugitsed log_part=dminimve type=virus subtype=file-signature pri=very-high from="onse" to=uiac src=tquii [10.164.49.95] session_id=emeumfu msg="inBCSedu" -date=2019-1-5 time=06:22:49 device_id=ddo log_id=emp log_part=inBC type=event subtype=smtp pri=low user=eacommui=aboNem(10.11.45.141) action=allowstatus=remasession_id="mcol"msg="STARTTLS=tion, cert-subject=umquia, cert-issuer=lorsita, verifymsg=spici" -date=2019-1-19 time=13:25:23 device_id=odit log_id=vol log_part=epteurs type=statistics pri=very-high session_id="cteturad" client_name="modi6930.internal.test[10.60.164.100]"dst_ip="10.161.1.146" from="etconse" to="nproiden" polid="ionem" domain="taevitae6868.www.corp" subject="ehende" mailer="rep" resolved="nostru" direction="internal" virus="ipiscin" disposition="trudexe" classifier="qua" message_length=modit -date=2019-2-2 time=20:27:57 device_id=orsit log_id=deFinibu log_part=iaecons type=event subtype=admin pri=very-high user=rautod ui=onorumet(10.157.118.41) action=cancel status=chit reason=unknown msg="erspici" -date=2019-2-17 time=03:30:32 device_id=quidol log_id=tinv log_part=Utenima type=statistics pri=high session_id=temqu client_name=uradip7802.mail.example client_ip=10.44.35.57 dst_ip=10.93.239.216 from=vento hfrom=litsed 
to=ciun polid=rehender domain=tetura7106.www5.corp mailer=eosquir resolved=tqu src_type=emips direction=internal virus=tinvolu disposition=ptat classifier=amquisn message_length=Finibus subject=nsequat -date=2019-3-3 time=10:33:06 device_id=evelite log_id=remquela log_part=toreve type=event subtype=update pri=high msg="dolor" -date=2019-3-17 time=17:35:40 device_id=itse log_id=lapari log_part=Bonor type=event subtype=update pri=medium msg=exeaco -date=2019-4-1 time=00:38:14 device_id=emvele log_id=tNeq log_part=olorsita type=virus_file-signature pri=medium eleumiu to=etdol src="imadmin [10.123.154.140]" session_id=liqu msg=dolor -date=2019-4-15 time=07:40:49 device_id=aliq log_id=utem log_part=oreetd type=event subtype=imap pri=very-high user=mremape ui=ude action=deny status=emac msg=rmagnido -date=2019-4-29 time=14:43:23 device_id=pariatur log_id=cita log_part=tvo type=event subtype=admin pri=high user=rve ui=atemacc(10.141.108.1) action=deny status=ciunt reason=success msg="beataevi" -date=2019-5-13 time=21:45:57 device_id=imaven log_id=dmin log_part=sum type=event subtype=system pri=low user=lore ui=nim action=cancel status=edquiac msg=psamvolu -date=2019-5-28 time=04:48:31 device_id=iade log_id=tae log_part=obe type=event subtype=admin pri=medium user=ulapari ui=rittenby(10.31.31.193) action=deny status=nvol reason=unknown msg="luptatem" -date=2019-6-11 time=11:51:06 device_id=conse log_id=ruredolo log_part=ati type=event subtype=system pri=low user=olors ui=roid(10.234.156.8) action=block status=uteiru msg="xer" -date=2019-6-25 time=18:53:40 device_id=nvol log_id=uame log_part=quia type=event subtype=update pri=very-high msg="labor" -date=2019-7-10 time=01:56:14 device_id=mwritte log_id=modit log_part=quamnih type=event subtype=config pri=medium user=itanimid ui=uiin module=nibusBo submodule=iusm msg="nostru" -date=2019-7-24 time=08:58:48 device_id=vel log_id=preh log_part=madmini type=event subtype=update pri=high msg=edutpers -date=2019-8-7 time=16:01:23 
device_id=sBonoru log_id=everi log_part=squ type=virus subtype=file-signature pri=medium from="utla" to=nse src=10.160.236.78 session_id=nostrude msg="Attachment file (rinc) has sha1 hash value: tno" -date=2019-8-21 time=23:03:57 device_id=cid log_id=nonproi log_part=dolor type=event subtype=admin pri=medium user=molli ui=oeiusm(10.244.19.62) action=accept status=nnumquam reason=unknown msg="tdolore" -date=2019-9-5 time=06:06:31 device_id=icta log_id=epteu log_part=nvent type=event subtype=webmail pri=high user=mquiavol ui=odiconse(10.147.52.164) action=allow status=untutl msg=ugiatnul -date=2019-9-19 time=13:09:05 device_id=quaturve log_id=elaudant log_part=olup type=spam pri=high session_id="iacon" client_name= "ncu3839.www.localhost" client_ip="10.201.105.58" dst_ip="10.251.183.113" from="ent" to="ionemu" subject="eseosqu" msg="uptatem" -date=2019-10-3 time=20:11:40 device_id=eprehen log_id=oinB log_part=lor type=statistics pri=low session_id="citatio" client_name="[10.209.203.156]"dst_ip="10.132.139.98" from="pariat" to="borisnis" direction="unknown" virus="oremagn" disposition="emagna" classifier="uidolor" message_length=remag -date=2019-10-18 time=03:14:14 device_id=tiumtot log_id=ulamcola log_part=epr type=event subtype=admin pri=low user=nculpa ui=enbyCice(10.152.196.145) action=block status=uptas reason=success msg="iadeseru" -date=2019-11-1 time=10:16:48 device_id=equ log_id=turadip log_part=ataev type=virus_file-signature pri=medium from="oree" to="nimadmi" src="utaliq [10.78.38.143]" session_id=qui msg="Attachment file (epteurs) has sha1 hash value: did" -date=2019-11-15 time=17:19:22 device_id=sunt log_id=orumSe log_part=olupta type=event subtype=update pri=very-high msg=pta -date=2019-11-30 time=00:21:57 device_id=ntutlabo log_id=leumiure log_part=tasnu type=event subtype=smtp pri=high user=amquaui=tionevol(10.209.124.81) action=allowstatus=tobesession_id="ssequa" log_part=emp msg="to=<; reason:success; sessionid:tatis\"", - "fileset.name": 
"fortimail", - "host.ip": "10.115.154.104", - "input.type": "log", - "log.level": "high", - "log.offset": 14016, - "observer.product": "FortiMail", - "observer.serial_number": "imipsam", - "observer.type": "Firewall", - "observer.vendor": "Fortinet", - "related.ip": [ - "10.115.154.104" - ], - "related.user": [ - "quisnost" - ], - "rsa.email.email_dst": "iqu", - "rsa.internal.messageid": "event_smtp", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "smtp", - "rsa.misc.event_state": "lorum", - "rsa.misc.event_type": "event", - "rsa.misc.hardware_id": "imipsam", - "rsa.misc.log_session_id": "suntexpl", - "rsa.misc.msgIdPart1": "event", - "rsa.misc.msgIdPart2": "smtp", - "rsa.misc.reference_id": "eumiu", - "rsa.misc.reference_id1": "tatevel", - "rsa.misc.result": "success", - "rsa.misc.severity": "high", - "rsa.network.network_service": "sequines", - "rsa.time.event_time": "2018-11-23T11:15:06.000Z", - "service.type": "fortinet", - "source.ip": "10.115.154.104", - "tags": [ - "fortinet.fortimail", - "forwarded" - ], - "user.name": "quisnost" - }, - { - "@timestamp": "2018-12-07T18:17:40.000Z", - "event.action": "block", - "event.code": "aborio", - "event.dataset": "fortinet.fortimail", - "event.module": "fortinet", - "event.original": "date=2018-12-7 time=16:17:40 device_id=econ log_id=aborio log_part=rve type=event subtype=smtp pri=medium user=nbyCiui=runtmollaction=blockstatus=velillumsession_id=\"ionev\" msg=\"to=<, delay=rna, xdelay=cons, mailer=ipv6-icmp, pri=lupta, relay=olaboris3175.internal.home[10.250.94.95], dsn=tno, stat=imvenia\"", - "fileset.name": "fortimail", - "host.hostname": "olaboris3175.internal.home", - "input.type": "log", - "log.level": "medium", - "log.offset": 14269, - "network.protocol": "ipv6-icmp", - "observer.product": "FortiMail", - "observer.serial_number": "econ", - "observer.type": "Firewall", - "observer.vendor": "Fortinet", - "related.hosts": [ - "olaboris3175.internal.home" - ], - "related.ip": [ - "10.250.94.95" - ], 
- "related.user": [ - "nbyCi" - ], - "rsa.email.email_dst": "vitaedi", - "rsa.internal.messageid": "event_smtp", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "smtp", - "rsa.misc.event_state": "velillum", - "rsa.misc.event_type": "event", - "rsa.misc.hardware_id": "econ", - "rsa.misc.log_session_id": "ionev", - "rsa.misc.msgIdPart1": "event", - "rsa.misc.msgIdPart2": "smtp", - "rsa.misc.reference_id": "aborio", - "rsa.misc.reference_id1": "rve", - "rsa.misc.severity": "medium", - "rsa.network.network_service": "runtmoll", - "rsa.time.event_time": "2018-12-07T18:17:40.000Z", - "service.type": "fortinet", - "source.address": "olaboris3175.internal.home", - "source.ip": "10.250.94.95", - "tags": [ - "fortinet.fortimail", - "forwarded" - ], - "user.name": "nbyCi" - }, - { - "@timestamp": "2018-12-22T01:20:14.000Z", - "event.action": "virus_file-signature", - "event.code": "ugitsed", - "event.dataset": "fortinet.fortimail", - "event.module": "fortinet", - "event.original": "date=2018-12-21 time=23:20:14 device_id=atevelit log_id=ugitsed log_part=dminimve type=virus subtype=file-signature pri=very-high from=\"onse\" to=uiac src=tquii [10.164.49.95] session_id=emeumfu msg=\"inBCSedu\"", - "fileset.name": "fortimail", - "input.type": "log", - "log.level": "very-high", - "log.offset": 14586, - "observer.product": "FortiMail", - "observer.serial_number": "atevelit", - "observer.type": "Firewall", - "observer.vendor": "Fortinet", - "related.ip": [ - "10.164.49.95" - ], - "rsa.email.email_dst": "uiac", - "rsa.email.email_src": "onse", - "rsa.internal.event_desc": "inBCSedu", - "rsa.internal.messageid": "virus_file-signature", - "rsa.misc.event_type": "virus_file-signature", - "rsa.misc.hardware_id": "atevelit", - "rsa.misc.log_session_id": "emeumfu", - "rsa.misc.msgIdPart1": "virus", - "rsa.misc.msgIdPart2": "file-signature", - "rsa.misc.reference_id": "ugitsed", - "rsa.misc.reference_id1": "dminimve", - "rsa.misc.severity": "very-high", - "rsa.time.event_time": 
"2018-12-22T01:20:14.000Z", - "service.type": "fortinet", - "source.domain": "tquii", - "source.ip": "10.164.49.95", - "tags": [ - "fortinet.fortimail", - "forwarded" - ] - }, - { - "@timestamp": "2019-01-05T08:22:49.000Z", - "event.action": "allow", - "event.code": "emp", - "event.dataset": "fortinet.fortimail", - "event.module": "fortinet", - "event.original": "date=2019-1-5 time=06:22:49 device_id=ddo log_id=emp log_part=inBC type=event subtype=smtp pri=low user=eacommui=aboNem(10.11.45.141) action=allowstatus=remasession_id=\"mcol\"msg=\"STARTTLS=tion, cert-subject=umquia, cert-issuer=lorsita, verifymsg=spici\"", - "fileset.name": "fortimail", - "host.ip": "10.11.45.141", - "input.type": "log", - "log.level": "low", - "log.offset": 14795, - "observer.product": "FortiMail", - "observer.serial_number": "ddo", - "observer.type": "Firewall", - "observer.vendor": "Fortinet", - "related.ip": [ - "10.11.45.141" - ], - "related.user": [ - "eacomm" - ], - "rsa.crypto.cert_subject": "umquia", - "rsa.internal.messageid": "event_smtp", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "smtp", - "rsa.misc.event_state": "rema", - "rsa.misc.event_type": "event", - "rsa.misc.hardware_id": "ddo", - "rsa.misc.log_session_id": "mcol", - "rsa.misc.msgIdPart1": "event", - "rsa.misc.msgIdPart2": "smtp", - "rsa.misc.reference_id": "emp", - "rsa.misc.reference_id1": "inBC", - "rsa.misc.severity": "low", - "rsa.network.network_service": "aboNem", - "rsa.time.event_time": "2019-01-05T08:22:49.000Z", - "service.type": "fortinet", - "tags": [ - "fortinet.fortimail", - "forwarded" - ], - "user.name": "eacomm" - }, - { - "@timestamp": "2019-01-19T15:25:23.000Z", - "destination.ip": "10.161.1.146", - "event.action": "statistics", - "event.code": "vol", - "event.dataset": "fortinet.fortimail", - "event.module": "fortinet", - "event.original": "date=2019-1-19 time=13:25:23 device_id=odit log_id=vol log_part=epteurs type=statistics pri=very-high session_id=\"cteturad\" 
client_name=\"modi6930.internal.test[10.60.164.100]\"dst_ip=\"10.161.1.146\" from=\"etconse\" to=\"nproiden\" polid=\"ionem\" domain=\"taevitae6868.www.corp\" subject=\"ehende\" mailer=\"rep\" resolved=\"nostru\" direction=\"internal\" virus=\"ipiscin\" disposition=\"trudexe\" classifier=\"qua\" message_length=modit", - "fileset.name": "fortimail", - "input.type": "log", - "log.level": "very-high", - "log.offset": 15048, - "network.direction": "internal", - "observer.product": "FortiMail", - "observer.serial_number": "odit", - "observer.type": "Firewall", - "observer.vendor": "Fortinet", - "related.hosts": [ - "modi6930.internal.test", - "taevitae6868.www.corp" - ], - "related.ip": [ - "10.161.1.146", - "10.60.164.100" - ], - "rsa.email.email_dst": "nproiden", - "rsa.email.email_src": "etconse", - "rsa.email.subject": "ehende", - "rsa.internal.messageid": "statistics", - "rsa.misc.client": "rep", - "rsa.misc.context": "nostru", - "rsa.misc.disposition": "trudexe", - "rsa.misc.event_type": "statistics", - "rsa.misc.filter": "qua", - "rsa.misc.hardware_id": "odit", - "rsa.misc.log_session_id": "cteturad", - "rsa.misc.reference_id": "vol", - "rsa.misc.reference_id1": "epteurs", - "rsa.misc.severity": "very-high", - "rsa.misc.virusname": "ipiscin", - "rsa.network.domain": "taevitae6868.www.corp", - "rsa.time.event_time": "2019-01-19T15:25:23.000Z", - "rsa.web.fqdn": "modi6930.internal.test", - "server.domain": "taevitae6868.www.corp", - "server.registered_domain": "www.corp", - "server.subdomain": "taevitae6868", - "server.top_level_domain": "corp", - "service.type": "fortinet", - "source.ip": "10.60.164.100", - "tags": [ - "fortinet.fortimail", - "forwarded" - ] - }, - { - "@timestamp": "2019-02-02T22:27:57.000Z", - "event.action": "cancel", - "event.code": "deFinibu", - "event.dataset": "fortinet.fortimail", - "event.module": "fortinet", - "event.original": "date=2019-2-2 time=20:27:57 device_id=orsit log_id=deFinibu log_part=iaecons type=event subtype=admin 
pri=very-high user=rautod ui=onorumet(10.157.118.41) action=cancel status=chit reason=unknown msg=\"erspici\"", - "fileset.name": "fortimail", - "input.type": "log", - "log.level": "very-high", - "log.offset": 15464, - "observer.product": "FortiMail", - "observer.serial_number": "orsit", - "observer.type": "Firewall", - "observer.vendor": "Fortinet", - "related.ip": [ - "10.157.118.41" - ], - "related.user": [ - "rautod" - ], - "rsa.internal.event_desc": "erspici", - "rsa.internal.messageid": "event_admin", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "admin", - "rsa.misc.event_state": "chit", - "rsa.misc.event_type": "event", - "rsa.misc.hardware_id": "orsit", - "rsa.misc.msgIdPart1": "event", - "rsa.misc.msgIdPart2": "admin", - "rsa.misc.reference_id": "deFinibu", - "rsa.misc.reference_id1": "iaecons", - "rsa.misc.result": "unknown", - "rsa.misc.severity": "very-high", - "rsa.network.network_service": "onorumet", - "rsa.time.event_time": "2019-02-02T22:27:57.000Z", - "service.type": "fortinet", - "source.ip": "10.157.118.41", - "tags": [ - "fortinet.fortimail", - "forwarded" - ], - "user.name": "rautod" - }, - { - "@timestamp": "2019-02-17T05:30:32.000Z", - "destination.ip": "10.93.239.216", - "event.action": "statistics", - "event.code": "tinv", - "event.dataset": "fortinet.fortimail", - "event.module": "fortinet", - "event.original": "date=2019-2-17 time=03:30:32 device_id=quidol log_id=tinv log_part=Utenima type=statistics pri=high session_id=temqu client_name=uradip7802.mail.example client_ip=10.44.35.57 dst_ip=10.93.239.216 from=vento hfrom=litsed to=ciun polid=rehender domain=tetura7106.www5.corp mailer=eosquir resolved=tqu src_type=emips direction=internal virus=tinvolu disposition=ptat classifier=amquisn message_length=Finibus subject=nsequat", - "fileset.name": "fortimail", - "input.type": "log", - "log.level": "high", - "log.offset": 15674, - "network.direction": "internal", - "observer.product": "FortiMail", - "observer.serial_number": 
"quidol", - "observer.type": "Firewall", - "observer.vendor": "Fortinet", - "related.hosts": [ - "tetura7106.www5.corp", - "uradip7802.mail.example" - ], - "related.ip": [ - "10.44.35.57", - "10.93.239.216" - ], - "rsa.email.email_dst": "ciun", - "rsa.email.email_src": "vento", - "rsa.email.subject": "nsequat", - "rsa.internal.messageid": "statistics", - "rsa.misc.client": "eosquir", - "rsa.misc.context": "tqu", - "rsa.misc.disposition": "ptat", - "rsa.misc.event_type": "statistics", - "rsa.misc.filter": "amquisn", - "rsa.misc.hardware_id": "quidol", - "rsa.misc.log_session_id": "temqu", - "rsa.misc.reference_id": "tinv", - "rsa.misc.reference_id1": "Utenima", - "rsa.misc.severity": "high", - "rsa.misc.virusname": "tinvolu", - "rsa.network.domain": "tetura7106.www5.corp", - "rsa.time.event_time": "2019-02-17T05:30:32.000Z", - "rsa.web.fqdn": "uradip7802.mail.example", - "server.domain": "tetura7106.www5.corp", - "server.registered_domain": "www5.corp", - "server.subdomain": "tetura7106", - "server.top_level_domain": "corp", - "service.type": "fortinet", - "source.ip": "10.44.35.57", - "tags": [ - "fortinet.fortimail", - "forwarded" - ] - }, - { - "@timestamp": "2019-03-03T12:33:06.000Z", - "event.action": "event", - "event.code": "remquela", - "event.dataset": "fortinet.fortimail", - "event.module": "fortinet", - "event.original": "date=2019-3-3 time=10:33:06 device_id=evelite log_id=remquela log_part=toreve type=event subtype=update pri=high msg=\"dolor\"", - "fileset.name": "fortimail", - "input.type": "log", - "log.level": "high", - "log.offset": 16096, - "observer.product": "FortiMail", - "observer.serial_number": "evelite", - "observer.type": "Firewall", - "observer.vendor": "Fortinet", - "rsa.internal.event_desc": "dolor", - "rsa.internal.messageid": "event_update", - "rsa.misc.category": "update", - "rsa.misc.event_type": "event", - "rsa.misc.hardware_id": "evelite", - "rsa.misc.msgIdPart1": "event", - "rsa.misc.msgIdPart2": "update", - 
"rsa.misc.reference_id": "remquela", - "rsa.misc.reference_id1": "toreve", - "rsa.misc.severity": "high", - "rsa.time.event_time": "2019-03-03T12:33:06.000Z", - "service.type": "fortinet", - "tags": [ - "fortinet.fortimail", - "forwarded" - ] - }, - { - "@timestamp": "2019-03-17T19:35:40.000Z", - "event.action": "event", - "event.code": "lapari", - "event.dataset": "fortinet.fortimail", - "event.module": "fortinet", - "event.original": "date=2019-3-17 time=17:35:40 device_id=itse log_id=lapari log_part=Bonor type=event subtype=update pri=medium msg=exeaco", - "fileset.name": "fortimail", - "input.type": "log", - "log.level": "medium", - "log.offset": 16221, - "observer.product": "FortiMail", - "observer.serial_number": "itse", - "observer.type": "Firewall", - "observer.vendor": "Fortinet", - "rsa.internal.event_desc": "exeaco", - "rsa.internal.messageid": "event_update", - "rsa.misc.category": "update", - "rsa.misc.event_type": "event", - "rsa.misc.hardware_id": "itse", - "rsa.misc.msgIdPart1": "event", - "rsa.misc.msgIdPart2": "update", - "rsa.misc.reference_id": "lapari", - "rsa.misc.reference_id1": "Bonor", - "rsa.misc.severity": "medium", - "rsa.time.event_time": "2019-03-17T19:35:40.000Z", - "service.type": "fortinet", - "tags": [ - "fortinet.fortimail", - "forwarded" - ] - }, - { - "@timestamp": "2019-04-01T02:38:14.000Z", - "event.action": "virus_file-signature", - "event.code": "tNeq", - "event.dataset": "fortinet.fortimail", - "event.module": "fortinet", - "event.original": "date=2019-4-1 time=00:38:14 device_id=emvele log_id=tNeq log_part=olorsita type=virus_file-signature pri=medium eleumiu to=etdol src=\"imadmin [10.123.154.140]\" session_id=liqu msg=dolor", - "fileset.name": "fortimail", - "input.type": "log", - "log.level": "medium", - "log.offset": 16342, - "observer.product": "FortiMail", - "observer.serial_number": "emvele", - "observer.type": "Firewall", - "observer.vendor": "Fortinet", - "related.ip": [ - "10.123.154.140" - ], - 
"rsa.email.email_dst": "etdol", - "rsa.email.email_src": "eleumiu", - "rsa.internal.event_desc": "dolor", - "rsa.internal.messageid": "virus_file-signature", - "rsa.misc.event_type": "virus_file-signature", - "rsa.misc.hardware_id": "emvele", - "rsa.misc.log_session_id": "liqu", - "rsa.misc.reference_id": "tNeq", - "rsa.misc.reference_id1": "olorsita", - "rsa.misc.severity": "medium", - "rsa.time.event_time": "2019-04-01T02:38:14.000Z", - "service.type": "fortinet", - "source.domain": "imadmin", - "source.ip": "10.123.154.140", - "tags": [ - "fortinet.fortimail", - "forwarded" - ] - }, - { - "@timestamp": "2019-04-15T09:40:49.000Z", - "event.action": "deny", - "event.code": "utem", - "event.dataset": "fortinet.fortimail", - "event.module": "fortinet", - "event.original": "date=2019-4-15 time=07:40:49 device_id=aliq log_id=utem log_part=oreetd type=event subtype=imap pri=very-high user=mremape ui=ude action=deny status=emac msg=rmagnido", - "fileset.name": "fortimail", - "input.type": "log", - "log.level": "very-high", - "log.offset": 16528, - "observer.product": "FortiMail", - "observer.serial_number": "aliq", - "observer.type": "Firewall", - "observer.vendor": "Fortinet", - "related.user": [ - "mremape" - ], - "rsa.internal.event_desc": "rmagnido", - "rsa.internal.messageid": "event_imap", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "imap", - "rsa.misc.event_state": "emac", - "rsa.misc.event_type": "event", - "rsa.misc.hardware_id": "aliq", - "rsa.misc.msgIdPart1": "event", - "rsa.misc.msgIdPart2": "imap", - "rsa.misc.reference_id": "utem", - "rsa.misc.reference_id1": "oreetd", - "rsa.misc.severity": "very-high", - "rsa.network.network_service": "ude", - "rsa.time.event_time": "2019-04-15T09:40:49.000Z", - "service.type": "fortinet", - "tags": [ - "fortinet.fortimail", - "forwarded" - ], - "user.name": "mremape" - }, - { - "@timestamp": "2019-04-29T16:43:23.000Z", - "event.action": "deny", - "event.code": "cita", - "event.dataset": 
"fortinet.fortimail", - "event.module": "fortinet", - "event.original": "date=2019-4-29 time=14:43:23 device_id=pariatur log_id=cita log_part=tvo type=event subtype=admin pri=high user=rve ui=atemacc(10.141.108.1) action=deny status=ciunt reason=success msg=\"beataevi\"", - "fileset.name": "fortimail", - "input.type": "log", - "log.level": "high", - "log.offset": 16695, - "observer.product": "FortiMail", - "observer.serial_number": "pariatur", - "observer.type": "Firewall", - "observer.vendor": "Fortinet", - "related.ip": [ - "10.141.108.1" - ], - "related.user": [ - "rve" - ], - "rsa.internal.event_desc": "beataevi", - "rsa.internal.messageid": "event_admin", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "admin", - "rsa.misc.event_state": "ciunt", - "rsa.misc.event_type": "event", - "rsa.misc.hardware_id": "pariatur", - "rsa.misc.msgIdPart1": "event", - "rsa.misc.msgIdPart2": "admin", - "rsa.misc.reference_id": "cita", - "rsa.misc.reference_id1": "tvo", - "rsa.misc.result": "success", - "rsa.misc.severity": "high", - "rsa.network.network_service": "atemacc", - "rsa.time.event_time": "2019-04-29T16:43:23.000Z", - "service.type": "fortinet", - "source.ip": "10.141.108.1", - "tags": [ - "fortinet.fortimail", - "forwarded" - ], - "user.name": "rve" - }, - { - "@timestamp": "2019-05-13T23:45:57.000Z", - "event.action": "cancel", - "event.code": "dmin", - "event.dataset": "fortinet.fortimail", - "event.module": "fortinet", - "event.original": "date=2019-5-13 time=21:45:57 device_id=imaven log_id=dmin log_part=sum type=event subtype=system pri=low user=lore ui=nim action=cancel status=edquiac msg=psamvolu", - "fileset.name": "fortimail", - "input.type": "log", - "log.level": "low", - "log.offset": 16891, - "observer.product": "FortiMail", - "observer.serial_number": "imaven", - "observer.type": "Firewall", - "observer.vendor": "Fortinet", - "related.user": [ - "lore" - ], - "rsa.internal.event_desc": "psamvolu", - "rsa.internal.messageid": "event_system", - 
"rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "system", - "rsa.misc.event_state": "edquiac", - "rsa.misc.event_type": "event", - "rsa.misc.hardware_id": "imaven", - "rsa.misc.msgIdPart1": "event", - "rsa.misc.msgIdPart2": "system", - "rsa.misc.reference_id": "dmin", - "rsa.misc.reference_id1": "sum", - "rsa.misc.severity": "low", - "rsa.network.network_service": "nim", - "rsa.time.event_time": "2019-05-13T23:45:57.000Z", - "service.type": "fortinet", - "tags": [ - "fortinet.fortimail", - "forwarded" - ], - "user.name": "lore" - }, - { - "@timestamp": "2019-05-28T06:48:31.000Z", - "event.action": "deny", - "event.code": "tae", - "event.dataset": "fortinet.fortimail", - "event.module": "fortinet", - "event.original": "date=2019-5-28 time=04:48:31 device_id=iade log_id=tae log_part=obe type=event subtype=admin pri=medium user=ulapari ui=rittenby(10.31.31.193) action=deny status=nvol reason=unknown msg=\"luptatem\"", - "fileset.name": "fortimail", - "input.type": "log", - "log.level": "medium", - "log.offset": 17055, - "observer.product": "FortiMail", - "observer.serial_number": "iade", - "observer.type": "Firewall", - "observer.vendor": "Fortinet", - "related.ip": [ - "10.31.31.193" - ], - "related.user": [ - "ulapari" - ], - "rsa.internal.event_desc": "luptatem", - "rsa.internal.messageid": "event_admin", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "admin", - "rsa.misc.event_state": "nvol", - "rsa.misc.event_type": "event", - "rsa.misc.hardware_id": "iade", - "rsa.misc.msgIdPart1": "event", - "rsa.misc.msgIdPart2": "admin", - "rsa.misc.reference_id": "tae", - "rsa.misc.reference_id1": "obe", - "rsa.misc.result": "unknown", - "rsa.misc.severity": "medium", - "rsa.network.network_service": "rittenby", - "rsa.time.event_time": "2019-05-28T06:48:31.000Z", - "service.type": "fortinet", - "source.ip": "10.31.31.193", - "tags": [ - "fortinet.fortimail", - "forwarded" - ], - "user.name": "ulapari" - }, - { - "@timestamp": 
"2019-06-11T13:51:06.000Z", - "event.action": "block", - "event.code": "ruredolo", - "event.dataset": "fortinet.fortimail", - "event.module": "fortinet", - "event.original": "date=2019-6-11 time=11:51:06 device_id=conse log_id=ruredolo log_part=ati type=event subtype=system pri=low user=olors ui=roid(10.234.156.8) action=block status=uteiru msg=\"xer\"", - "fileset.name": "fortimail", - "input.type": "log", - "log.level": "low", - "log.offset": 17252, - "observer.product": "FortiMail", - "observer.serial_number": "conse", - "observer.type": "Firewall", - "observer.vendor": "Fortinet", - "related.ip": [ - "10.234.156.8" - ], - "related.user": [ - "olors" - ], - "rsa.internal.event_desc": "xer", - "rsa.internal.messageid": "event_system", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "system", - "rsa.misc.event_state": "uteiru", - "rsa.misc.event_type": "event", - "rsa.misc.hardware_id": "conse", - "rsa.misc.msgIdPart1": "event", - "rsa.misc.msgIdPart2": "system", - "rsa.misc.reference_id": "ruredolo", - "rsa.misc.reference_id1": "ati", - "rsa.misc.severity": "low", - "rsa.network.network_service": "roid", - "rsa.time.event_time": "2019-06-11T13:51:06.000Z", - "service.type": "fortinet", - "source.ip": "10.234.156.8", - "tags": [ - "fortinet.fortimail", - "forwarded" - ], - "user.name": "olors" - }, - { - "@timestamp": "2019-06-25T20:53:40.000Z", - "event.action": "event", - "event.code": "uame", - "event.dataset": "fortinet.fortimail", - "event.module": "fortinet", - "event.original": "date=2019-6-25 time=18:53:40 device_id=nvol log_id=uame log_part=quia type=event subtype=update pri=very-high msg=\"labor\"", - "fileset.name": "fortimail", - "input.type": "log", - "log.level": "very-high", - "log.offset": 17430, - "observer.product": "FortiMail", - "observer.serial_number": "nvol", - "observer.type": "Firewall", - "observer.vendor": "Fortinet", - "rsa.internal.event_desc": "labor", - "rsa.internal.messageid": "event_update", - "rsa.misc.category": 
"update", - "rsa.misc.event_type": "event", - "rsa.misc.hardware_id": "nvol", - "rsa.misc.msgIdPart1": "event", - "rsa.misc.msgIdPart2": "update", - "rsa.misc.reference_id": "uame", - "rsa.misc.reference_id1": "quia", - "rsa.misc.severity": "very-high", - "rsa.time.event_time": "2019-06-25T20:53:40.000Z", - "service.type": "fortinet", - "tags": [ - "fortinet.fortimail", - "forwarded" - ] - }, - { - "@timestamp": "2019-07-10T03:56:14.000Z", - "event.action": "event", - "event.code": "modit", - "event.dataset": "fortinet.fortimail", - "event.module": "fortinet", - "event.original": "date=2019-7-10 time=01:56:14 device_id=mwritte log_id=modit log_part=quamnih type=event subtype=config pri=medium user=itanimid ui=uiin module=nibusBo submodule=iusm msg=\"nostru\"", - "fileset.name": "fortimail", - "input.type": "log", - "log.level": "medium", - "log.offset": 17552, - "observer.product": "FortiMail", - "observer.serial_number": "mwritte", - "observer.type": "Firewall", - "observer.vendor": "Fortinet", - "related.user": [ - "itanimid" - ], - "rsa.internal.event_desc": "nostru", - "rsa.internal.messageid": "event_config", - "rsa.misc.category": "config", - "rsa.misc.event_type": "event", - "rsa.misc.hardware_id": "mwritte", - "rsa.misc.msgIdPart1": "event", - "rsa.misc.msgIdPart2": "config", - "rsa.misc.reference_id": "modit", - "rsa.misc.reference_id1": "quamnih", - "rsa.misc.severity": "medium", - "rsa.network.network_service": "uiin", - "rsa.time.event_time": "2019-07-10T03:56:14.000Z", - "service.type": "fortinet", - "tags": [ - "fortinet.fortimail", - "forwarded" - ], - "user.name": "itanimid" - }, - { - "@timestamp": "2019-07-24T10:58:48.000Z", - "event.action": "event", - "event.code": "preh", - "event.dataset": "fortinet.fortimail", - "event.module": "fortinet", - "event.original": "date=2019-7-24 time=08:58:48 device_id=vel log_id=preh log_part=madmini type=event subtype=update pri=high msg=edutpers", - "fileset.name": "fortimail", - "input.type": "log", - 
"log.level": "high", - "log.offset": 17731, - "observer.product": "FortiMail", - "observer.serial_number": "vel", - "observer.type": "Firewall", - "observer.vendor": "Fortinet", - "rsa.internal.event_desc": "edutpers", - "rsa.internal.messageid": "event_update", - "rsa.misc.category": "update", - "rsa.misc.event_type": "event", - "rsa.misc.hardware_id": "vel", - "rsa.misc.msgIdPart1": "event", - "rsa.misc.msgIdPart2": "update", - "rsa.misc.reference_id": "preh", - "rsa.misc.reference_id1": "madmini", - "rsa.misc.severity": "high", - "rsa.time.event_time": "2019-07-24T10:58:48.000Z", - "service.type": "fortinet", - "tags": [ - "fortinet.fortimail", - "forwarded" - ] - }, - { - "@timestamp": "2019-08-07T18:01:23.000Z", - "event.action": "virus_file-signature", - "event.code": "everi", - "event.dataset": "fortinet.fortimail", - "event.module": "fortinet", - "event.original": "date=2019-8-7 time=16:01:23 device_id=sBonoru log_id=everi log_part=squ type=virus subtype=file-signature pri=medium from=\"utla\" to=nse src=10.160.236.78 session_id=nostrude msg=\"Attachment file (rinc) has sha1 hash value: tno\"", - "file.name": "rinc", - "fileset.name": "fortimail", - "input.type": "log", - "log.level": "medium", - "log.offset": 17851, - "observer.product": "FortiMail", - "observer.serial_number": "sBonoru", - "observer.type": "Firewall", - "observer.vendor": "Fortinet", - "related.ip": [ - "10.160.236.78" - ], - "rsa.email.email_dst": "nse", - "rsa.email.email_src": "utla", - "rsa.internal.messageid": "virus_file-signature", - "rsa.misc.checksum": "tno", - "rsa.misc.event_type": "virus_file-signature", - "rsa.misc.hardware_id": "sBonoru", - "rsa.misc.log_session_id": "nostrude", - "rsa.misc.msgIdPart1": "virus", - "rsa.misc.msgIdPart2": "file-signature", - "rsa.misc.reference_id": "everi", - "rsa.misc.reference_id1": "squ", - "rsa.misc.severity": "medium", - "rsa.time.event_time": "2019-08-07T18:01:23.000Z", - "service.type": "fortinet", - "source.ip": "10.160.236.78", - 
"tags": [ - "fortinet.fortimail", - "forwarded" - ] - }, - { - "@timestamp": "2019-08-22T01:03:57.000Z", - "event.action": "accept", - "event.code": "nonproi", - "event.dataset": "fortinet.fortimail", - "event.module": "fortinet", - "event.original": "date=2019-8-21 time=23:03:57 device_id=cid log_id=nonproi log_part=dolor type=event subtype=admin pri=medium user=molli ui=oeiusm(10.244.19.62) action=accept status=nnumquam reason=unknown msg=\"tdolore\"", - "fileset.name": "fortimail", - "input.type": "log", - "log.level": "medium", - "log.offset": 18079, - "observer.product": "FortiMail", - "observer.serial_number": "cid", - "observer.type": "Firewall", - "observer.vendor": "Fortinet", - "related.ip": [ - "10.244.19.62" - ], - "related.user": [ - "molli" - ], - "rsa.internal.event_desc": "tdolore", - "rsa.internal.messageid": "event_admin", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "admin", - "rsa.misc.event_state": "nnumquam", - "rsa.misc.event_type": "event", - "rsa.misc.hardware_id": "cid", - "rsa.misc.msgIdPart1": "event", - "rsa.misc.msgIdPart2": "admin", - "rsa.misc.reference_id": "nonproi", - "rsa.misc.reference_id1": "dolor", - "rsa.misc.result": "unknown", - "rsa.misc.severity": "medium", - "rsa.network.network_service": "oeiusm", - "rsa.time.event_time": "2019-08-22T01:03:57.000Z", - "service.type": "fortinet", - "source.ip": "10.244.19.62", - "tags": [ - "fortinet.fortimail", - "forwarded" - ], - "user.name": "molli" - }, - { - "@timestamp": "2019-09-05T08:06:31.000Z", - "event.action": "allow", - "event.code": "epteu", - "event.dataset": "fortinet.fortimail", - "event.module": "fortinet", - "event.original": "date=2019-9-5 time=06:06:31 device_id=icta log_id=epteu log_part=nvent type=event subtype=webmail pri=high user=mquiavol ui=odiconse(10.147.52.164) action=allow status=untutl msg=ugiatnul", - "fileset.name": "fortimail", - "input.type": "log", - "log.level": "high", - "log.offset": 18282, - "observer.product": "FortiMail", - 
"observer.serial_number": "icta", - "observer.type": "Firewall", - "observer.vendor": "Fortinet", - "related.ip": [ - "10.147.52.164" - ], - "related.user": [ - "mquiavol" - ], - "rsa.internal.event_desc": "ugiatnul", - "rsa.internal.messageid": "event_webmail", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "webmail", - "rsa.misc.event_state": "untutl", - "rsa.misc.event_type": "event", - "rsa.misc.hardware_id": "icta", - "rsa.misc.msgIdPart1": "event", - "rsa.misc.msgIdPart2": "webmail", - "rsa.misc.reference_id": "epteu", - "rsa.misc.reference_id1": "nvent", - "rsa.misc.severity": "high", - "rsa.network.network_service": "odiconse", - "rsa.time.event_time": "2019-09-05T08:06:31.000Z", - "service.type": "fortinet", - "source.ip": "10.147.52.164", - "tags": [ - "fortinet.fortimail", - "forwarded" - ], - "user.name": "mquiavol" - }, - { - "@timestamp": "2019-09-19T15:09:05.000Z", - "destination.ip": "10.251.183.113", - "event.action": "spam", - "event.code": "elaudant", - "event.dataset": "fortinet.fortimail", - "event.module": "fortinet", - "event.original": "date=2019-9-19 time=13:09:05 device_id=quaturve log_id=elaudant log_part=olup type=spam pri=high session_id=\"iacon\" client_name= \"ncu3839.www.localhost\" client_ip=\"10.201.105.58\" dst_ip=\"10.251.183.113\" from=\"ent\" to=\"ionemu\" subject=\"eseosqu\" msg=\"uptatem\"", - "fileset.name": "fortimail", - "input.type": "log", - "log.level": "high", - "log.offset": 18470, - "observer.product": "FortiMail", - "observer.serial_number": "quaturve", - "observer.type": "Firewall", - "observer.vendor": "Fortinet", - "related.hosts": [ - "ncu3839.www.localhost" - ], - "related.ip": [ - "10.201.105.58", - "10.251.183.113" - ], - "rsa.email.email_dst": "ionemu", - "rsa.email.email_src": "ent", - "rsa.email.subject": "eseosqu", - "rsa.internal.event_desc": "uptatem", - "rsa.internal.messageid": "spam", - "rsa.misc.event_type": "spam", - "rsa.misc.hardware_id": "quaturve", - "rsa.misc.log_session_id": 
"iacon", - "rsa.misc.reference_id": "elaudant", - "rsa.misc.reference_id1": "olup", - "rsa.misc.severity": "high", - "rsa.time.event_time": "2019-09-19T15:09:05.000Z", - "rsa.web.fqdn": "ncu3839.www.localhost", - "service.type": "fortinet", - "source.ip": "10.201.105.58", - "tags": [ - "fortinet.fortimail", - "forwarded" - ] - }, - { - "@timestamp": "2019-10-03T22:11:40.000Z", - "destination.ip": "10.132.139.98", - "event.action": "statistics", - "event.code": "oinB", - "event.dataset": "fortinet.fortimail", - "event.module": "fortinet", - "event.original": "date=2019-10-3 time=20:11:40 device_id=eprehen log_id=oinB log_part=lor type=statistics pri=low session_id=\"citatio\" client_name=\"[10.209.203.156]\"dst_ip=\"10.132.139.98\" from=\"pariat\" to=\"borisnis\" direction=\"unknown\" virus=\"oremagn\" disposition=\"emagna\" classifier=\"uidolor\" message_length=remag", - "fileset.name": "fortimail", - "input.type": "log", - "log.level": "low", - "log.offset": 18728, - "network.direction": "unknown", - "observer.product": "FortiMail", - "observer.serial_number": "eprehen", - "observer.type": "Firewall", - "observer.vendor": "Fortinet", - "related.ip": [ - "10.132.139.98", - "10.209.203.156" - ], - "rsa.email.email_dst": "borisnis", - "rsa.email.email_src": "pariat", - "rsa.internal.messageid": "statistics", - "rsa.misc.disposition": "emagna", - "rsa.misc.event_type": "statistics", - "rsa.misc.filter": "uidolor", - "rsa.misc.hardware_id": "eprehen", - "rsa.misc.log_session_id": "citatio", - "rsa.misc.reference_id": "oinB", - "rsa.misc.reference_id1": "lor", - "rsa.misc.severity": "low", - "rsa.misc.virusname": "oremagn", - "rsa.time.event_time": "2019-10-03T22:11:40.000Z", - "service.type": "fortinet", - "source.ip": "10.209.203.156", - "tags": [ - "fortinet.fortimail", - "forwarded" - ] - }, - { - "@timestamp": "2019-10-18T05:14:14.000Z", - "event.action": "block", - "event.code": "ulamcola", - "event.dataset": "fortinet.fortimail", - "event.module": "fortinet", - 
"event.original": "date=2019-10-18 time=03:14:14 device_id=tiumtot log_id=ulamcola log_part=epr type=event subtype=admin pri=low user=nculpa ui=enbyCice(10.152.196.145) action=block status=uptas reason=success msg=\"iadeseru\"", - "fileset.name": "fortimail", - "input.type": "log", - "log.level": "low", - "log.offset": 19025, - "observer.product": "FortiMail", - "observer.serial_number": "tiumtot", - "observer.type": "Firewall", - "observer.vendor": "Fortinet", - "related.ip": [ - "10.152.196.145" - ], - "related.user": [ - "nculpa" - ], - "rsa.internal.event_desc": "iadeseru", - "rsa.internal.messageid": "event_admin", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "admin", - "rsa.misc.event_state": "uptas", - "rsa.misc.event_type": "event", - "rsa.misc.hardware_id": "tiumtot", - "rsa.misc.msgIdPart1": "event", - "rsa.misc.msgIdPart2": "admin", - "rsa.misc.reference_id": "ulamcola", - "rsa.misc.reference_id1": "epr", - "rsa.misc.result": "success", - "rsa.misc.severity": "low", - "rsa.network.network_service": "enbyCice", - "rsa.time.event_time": "2019-10-18T05:14:14.000Z", - "service.type": "fortinet", - "source.ip": "10.152.196.145", - "tags": [ - "fortinet.fortimail", - "forwarded" - ], - "user.name": "nculpa" - }, - { - "@timestamp": "2019-11-01T12:16:48.000Z", - "event.action": "virus_file-signature", - "event.code": "turadip", - "event.dataset": "fortinet.fortimail", - "event.module": "fortinet", - "event.original": "date=2019-11-1 time=10:16:48 device_id=equ log_id=turadip log_part=ataev type=virus_file-signature pri=medium from=\"oree\" to=\"nimadmi\" src=\"utaliq [10.78.38.143]\" session_id=qui msg=\"Attachment file (epteurs) has sha1 hash value: did\"", - "file.name": "epteurs", - "fileset.name": "fortimail", - "input.type": "log", - "log.level": "medium", - "log.offset": 19231, - "observer.product": "FortiMail", - "observer.serial_number": "equ", - "observer.type": "Firewall", - "observer.vendor": "Fortinet", - "related.ip": [ - 
"10.78.38.143" - ], - "rsa.email.email_dst": "nimadmi", - "rsa.email.email_src": "oree", - "rsa.internal.messageid": "virus_file-signature", - "rsa.misc.checksum": "did", - "rsa.misc.event_type": "virus_file-signature", - "rsa.misc.hardware_id": "equ", - "rsa.misc.log_session_id": "qui", - "rsa.misc.reference_id": "turadip", - "rsa.misc.reference_id1": "ataev", - "rsa.misc.severity": "medium", - "rsa.time.event_time": "2019-11-01T12:16:48.000Z", - "service.type": "fortinet", - "source.domain": "utaliq", - "source.ip": "10.78.38.143", - "tags": [ - "fortinet.fortimail", - "forwarded" - ] - }, - { - "@timestamp": "2019-11-15T19:19:22.000Z", - "event.action": "event", - "event.code": "orumSe", - "event.dataset": "fortinet.fortimail", - "event.module": "fortinet", - "event.original": "date=2019-11-15 time=17:19:22 device_id=sunt log_id=orumSe log_part=olupta type=event subtype=update pri=very-high msg=pta", - "fileset.name": "fortimail", - "input.type": "log", - "log.level": "very-high", - "log.offset": 19466, - "observer.product": "FortiMail", - "observer.serial_number": "sunt", - "observer.type": "Firewall", - "observer.vendor": "Fortinet", - "rsa.internal.event_desc": "pta", - "rsa.internal.messageid": "event_update", - "rsa.misc.category": "update", - "rsa.misc.event_type": "event", - "rsa.misc.hardware_id": "sunt", - "rsa.misc.msgIdPart1": "event", - "rsa.misc.msgIdPart2": "update", - "rsa.misc.reference_id": "orumSe", - "rsa.misc.reference_id1": "olupta", - "rsa.misc.severity": "very-high", - "rsa.time.event_time": "2019-11-15T19:19:22.000Z", - "service.type": "fortinet", - "tags": [ - "fortinet.fortimail", - "forwarded" - ] - }, - { - "@timestamp": "2019-11-30T02:21:57.000Z", - "event.action": "allow", - "event.code": "leumiure", - "event.dataset": "fortinet.fortimail", - "event.module": "fortinet", - "event.original": "date=2019-11-30 time=00:21:57 device_id=ntutlabo log_id=leumiure log_part=tasnu type=event subtype=smtp pri=high 
user=amquaui=tionevol(10.209.124.81) action=allowstatus=tobesession_id=\"ssequa\" log_part=emp msg=\"to=< - Name of the network interface where the traffic has been observed. -- name: rsa - overwrite: true - type: group - fields: - - name: internal - overwrite: true - type: group - fields: - - name: msg - overwrite: true - type: keyword - description: This key is used to capture the raw message that comes into the - Log Decoder - - name: messageid - overwrite: true - type: keyword - - name: event_desc - overwrite: true - type: keyword - - name: message - overwrite: true - type: keyword - description: This key captures the contents of instant messages - - name: time - overwrite: true - type: date - description: This is the time at which a session hits a NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness. - - name: level - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: msg_id - overwrite: true - type: keyword - description: This is the Message ID1 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: msg_vid - overwrite: true - type: keyword - description: This is the Message ID2 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: data - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: resource - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: statement - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: entry - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: inode - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: resource_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: dead - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - overwrite: true - type: keyword - description: This is used to capture the description of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: feed_name - overwrite: true - type: keyword - description: This is used to capture the name of the feed. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: cid - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_class - overwrite: true - type: keyword - description: This is the Classification of the Log Event Source under a predefined - fixed set of Event Source Classifications. 
This key should never be used to - parse Meta data from a session (Logs/Packets) Directly, this is a Reserved - key in NetWitness - - name: device_group - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - overwrite: true - type: keyword - description: This is the Hostname of the log Event Source sending the logs to - NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - overwrite: true - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - overwrite: true - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - overwrite: true - type: keyword - description: This is the name of the log parser which parsed a given session. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_type_id - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: did - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. 
- This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: entropy_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: entropy_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: event_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - overwrite: true - type: keyword - description: This is used to capture the category of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: forward_ip - overwrite: true - type: ip - description: This key should be used to capture the IPV4 address of a relay - system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - overwrite: true - type: ip - description: This key is used to capture the IPV6 address of a relay system - which forwarded the events from the original system to NetWitness. This key - should never be used to parse Meta data from a session (Logs/Packets) Directly, - this is a Reserved key in NetWitness - - name: header_id - overwrite: true - type: keyword - description: This is the Header ID value that identifies the exact log parser - header definition that parses a particular log session. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: lc_cid - overwrite: true - type: keyword - description: This is a unique Identifier of a Log Collector. 
This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: lc_ctime - overwrite: true - type: date - description: This is the time at which a log is collected in a NetWitness Log - Collector. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: mcbc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: medium - overwrite: true - type: long - description: "This key is used to identify if it\u2019s a log/packet session\ - \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ - \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ - \ 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: nwe_callback_id - overwrite: true - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - overwrite: true - type: keyword - description: This is a special key that stores any Meta key validation error - found while parsing a log session. This key should never be used to parse - Meta data from a session (Logs/Packets) Directly, this is a Reserved key in - NetWitness - - name: payload_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: payload_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: process_vid_dst - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the target process. - - name: process_vid_src - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the source process. - - name: rid - overwrite: true - type: long - description: This is a special ID of the Remote Session created by NetWitness - Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: session_split - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: size - overwrite: true - type: long - description: This is the size of the session as seen by the NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: sourcefile - overwrite: true - type: keyword - description: This is the name of the log file or PCAPs that can be imported - into NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: ubc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: word - overwrite: true - type: keyword - description: This is used by the Word Parsing technology to capture the first - 5 character of every word in an unparsed log - - name: time - overwrite: true - type: group - fields: - - name: event_time - overwrite: true - type: date - description: This key is used to capture the time mentioned in a raw session - that represents the actual time an event occured in a standard normalized - form - - name: duration_time - overwrite: true - type: double - description: This key is used to capture the normalized duration/lifetime in - seconds. 
- - name: event_time_str - overwrite: true - type: keyword - description: This key is used to capture the incomplete time mentioned in a - session as a string - - name: starttime - overwrite: true - type: date - description: This key is used to capture the Start time mentioned in a session - in a standard form - - name: month - overwrite: true - type: keyword - - name: day - overwrite: true - type: keyword - - name: endtime - overwrite: true - type: date - description: This key is used to capture the End time mentioned in a session - in a standard form - - name: timezone - overwrite: true - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - overwrite: true - type: keyword - description: A text string version of the duration - - name: date - overwrite: true - type: keyword - - name: year - overwrite: true - type: keyword - - name: recorded_time - overwrite: true - type: date - description: The event time as recorded by the system the event is collected - from. The usage scenario is a multi-tier application where the management - layer of the system records it's own timestamp at the time of collection from - its child nodes. Must be in timestamp format. - - name: datetime - overwrite: true - type: keyword - - name: effective_time - overwrite: true - type: date - description: This key is the effective time referenced by an individual event - in a Standard Timestamp format - - name: expire_time - overwrite: true - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - overwrite: true - type: keyword - description: Deprecated, use duration.time - - name: hour - overwrite: true - type: keyword - - name: min - overwrite: true - type: keyword - - name: timestamp - overwrite: true - type: keyword - - name: event_queue_time - overwrite: true - type: date - description: This key is the Time that the event was queued. 
- - name: p_time1 - overwrite: true - type: keyword - - name: tzone - overwrite: true - type: keyword - - name: eventtime - overwrite: true - type: keyword - - name: gmtdate - overwrite: true - type: keyword - - name: gmttime - overwrite: true - type: keyword - - name: p_date - overwrite: true - type: keyword - - name: p_month - overwrite: true - type: keyword - - name: p_time - overwrite: true - type: keyword - - name: p_time2 - overwrite: true - type: keyword - - name: p_year - overwrite: true - type: keyword - - name: expire_time_str - overwrite: true - type: keyword - description: This key is used to capture incomplete timestamp that explicitly - refers to an expiration. - - name: stamp - overwrite: true - type: date - description: Deprecated key defined only in table map. - - name: misc - overwrite: true - type: group - fields: - - name: action - overwrite: true - type: keyword - - name: result - overwrite: true - type: keyword - description: This key is used to capture the outcome/result string value of - an action in a session. - - name: severity - overwrite: true - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - overwrite: true - type: keyword - description: This key captures the event category type as specified by the event - source. - - name: reference_id - overwrite: true - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - overwrite: true - type: keyword - description: This key captures Version of the application or OS which is generating - the event. - - name: disposition - overwrite: true - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - overwrite: true - type: keyword - description: This key is used to capture the outcome/result numeric value of - an action in a session - - name: category - overwrite: true - type: keyword - description: This key is used to capture the category of an event given by the - vendor in the session - - name: obj_name - overwrite: true - type: keyword - description: This is used to capture name of object - - name: obj_type - overwrite: true - type: keyword - description: This is used to capture type of object - - name: event_source - overwrite: true - type: keyword - description: "This key captures Source of the event that\u2019s not a hostname" - - name: log_session_id - overwrite: true - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - overwrite: true - type: keyword - description: This key captures the Group Name value - - name: policy_name - overwrite: true - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - overwrite: true - type: keyword - description: This key captures the Rule Name - - name: context - overwrite: true - type: keyword - description: This key captures Information which adds additional context to - the event. - - name: change_new - overwrite: true - type: keyword - description: "This key is used to capture the new values of the attribute that\u2019\ - s changing in a session" - - name: space - overwrite: true - type: keyword - - name: client - overwrite: true - type: keyword - description: This key is used to capture only the name of the client application - requesting resources of the server. See the user.agent meta key for capture - of the specific user agent identifier or browser identification string. 
- - name: msgIdPart1 - overwrite: true - type: keyword - - name: msgIdPart2 - overwrite: true - type: keyword - - name: change_old - overwrite: true - type: keyword - description: "This key is used to capture the old value of the attribute that\u2019\ - s changing in a session" - - name: operation_id - overwrite: true - type: keyword - description: An alert number or operation number. The values should be unique - and non-repeating. - - name: event_state - overwrite: true - type: keyword - description: This key captures the current state of the object/item referenced - within the event. Describing an on-going event. - - name: group_object - overwrite: true - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - overwrite: true - type: keyword - description: Common use case is the node name within a cluster. The cluster - name is reflected by the host name. - - name: rule - overwrite: true - type: keyword - description: This key captures the Rule number - - name: device_name - overwrite: true - type: keyword - description: 'This is used to capture name of the Device associated with the - node Like: a physical disk, printer, etc' - - name: param - overwrite: true - type: keyword - description: This key is the parameters passed as part of a command or application, - etc. - - name: change_attrib - overwrite: true - type: keyword - description: "This key is used to capture the name of the attribute that\u2019\ - s changing in a session" - - name: event_computer - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - fully qualified domain name in a windows log. 
- - name: reference_id1 - overwrite: true - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - overwrite: true - type: keyword - description: This key captures the Name of the event log - - name: OS - overwrite: true - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - overwrite: true - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - overwrite: true - type: keyword - - name: filter - overwrite: true - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - overwrite: true - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the entity - such as a file or process. Checksum should be used over checksum.src or checksum.dst - when it is unclear whether the entity is a source or target of an action. - - name: event_user - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - combination of domain name and username in a windows log. - - name: virusname - overwrite: true - type: keyword - description: This key captures the name of the virus - - name: content_type - overwrite: true - type: keyword - description: This key is used to capture Content Type only. 
- - name: group_id - overwrite: true - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - overwrite: true - type: keyword - description: This key is used to capture the Policy ID only, this should be - a numeric value, use policy.name otherwise - - name: vsys - overwrite: true - type: keyword - description: This key captures Virtual System Name - - name: connection_id - overwrite: true - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - overwrite: true - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" - or "reference.id1" value but should not be used unless the other two variables - are in play. - - name: sensor - overwrite: true - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS - based devices - - name: sig_id - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - overwrite: true - type: keyword - description: 'This key is used for Physical or logical port connection but does - NOT include a network port. (Example: Printer port name).' - - name: rule_group - overwrite: true - type: keyword - description: This key captures the Rule group name - - name: risk_num - overwrite: true - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - overwrite: true - type: keyword - description: This key captures the Value of the trigger or threshold condition. - - name: log_session_id1 - overwrite: true - type: keyword - description: This key is used to capture a Linked (Related) Session ID from - the session directly - - name: comp_version - overwrite: true - type: keyword - description: This key captures the Version level of a sub-component of a product. 
- - name: content_version - overwrite: true - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - overwrite: true - type: keyword - description: This key is used to capture unique identifier for a device or system - (NOT a Mac address) - - name: risk - overwrite: true - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - overwrite: true - type: keyword - - name: reason - overwrite: true - type: keyword - - name: status - overwrite: true - type: keyword - - name: mail_id - overwrite: true - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - overwrite: true - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - overwrite: true - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - overwrite: true - type: keyword - - name: p_msgid - overwrite: true - type: keyword - - name: data_type - overwrite: true - type: keyword - - name: msgIdPart4 - overwrite: true - type: keyword - - name: error - overwrite: true - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - overwrite: true - type: keyword - - name: listnum - overwrite: true - type: keyword - description: This key is used to capture listname or listnumber, primarily for - collecting access-list - - name: ntype - overwrite: true - type: keyword - - name: observed_val - overwrite: true - type: keyword - description: This key captures the Value observed (from the perspective of the - device generating the log). - - name: policy_value - overwrite: true - type: keyword - description: This key captures the contents of the policy. 
This contains details - about the policy - - name: pool_name - overwrite: true - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - overwrite: true - type: keyword - description: A default set of parameters which are overlayed onto a rule (or - rulename) which efffectively constitutes a template - - name: count - overwrite: true - type: keyword - - name: number - overwrite: true - type: keyword - - name: sigcat - overwrite: true - type: keyword - - name: type - overwrite: true - type: keyword - - name: comments - overwrite: true - type: keyword - description: Comment information provided in the log message - - name: doc_number - overwrite: true - type: long - description: This key captures File Identification number - - name: expected_val - overwrite: true - type: keyword - description: This key captures the Value expected (from the perspective of the - device generating the log). - - name: job_num - overwrite: true - type: keyword - description: This key captures the Job Number - - name: spi_dst - overwrite: true - type: keyword - description: Destination SPI Index - - name: spi_src - overwrite: true - type: keyword - description: Source SPI Index - - name: code - overwrite: true - type: keyword - - name: agent_id - overwrite: true - type: keyword - description: This key is used to capture agent id - - name: message_body - overwrite: true - type: keyword - description: This key captures the The contents of the message body. - - name: phone - overwrite: true - type: keyword - - name: sig_id_str - overwrite: true - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - overwrite: true - type: keyword - - name: misc - overwrite: true - type: keyword - - name: name - overwrite: true - type: keyword - - name: cpu - overwrite: true - type: long - description: This key is the CPU time used in the execution of the event being - recorded. 
- - name: event_desc - overwrite: true - type: keyword - description: This key is used to capture a description of an event available - directly or inferred - - name: sig_id1 - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID. This must be linked - to the sig.id - - name: im_buddyid - overwrite: true - type: keyword - - name: im_client - overwrite: true - type: keyword - - name: im_userid - overwrite: true - type: keyword - - name: pid - overwrite: true - type: keyword - - name: priority - overwrite: true - type: keyword - - name: context_subject - overwrite: true - type: keyword - description: This key is to be used in an audit context where the subject is - the object being identified - - name: context_target - overwrite: true - type: keyword - - name: cve - overwrite: true - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - - an identifier for known information security vulnerabilities. - - name: fcatnum - overwrite: true - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - overwrite: true - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - overwrite: true - type: keyword - description: This key captures the Parent Node Name. Must be related to node - variable. - - name: risk_info - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - overwrite: true - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - overwrite: true - type: long - description: This key describes the type of service - - name: vm_target - overwrite: true - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - overwrite: true - type: keyword - description: This key captures Workspace Description - - name: command - overwrite: true - type: keyword - - name: event_category - overwrite: true - type: keyword - - name: facilityname - overwrite: true - type: keyword - - name: forensic_info - overwrite: true - type: keyword - - name: jobname - overwrite: true - type: keyword - - name: mode - overwrite: true - type: keyword - - name: policy - overwrite: true - type: keyword - - name: policy_waiver - overwrite: true - type: keyword - - name: second - overwrite: true - type: keyword - - name: space1 - overwrite: true - type: keyword - - name: subcategory - overwrite: true - type: keyword - - name: tbdstr2 - overwrite: true - type: keyword - - name: alert_id - overwrite: true - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the the target - entity such as a process or file. - - name: checksum_src - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the source - entity such as a file or process. 
- - name: fresult - overwrite: true - type: long - description: This key captures the Filter Result - - name: payload_dst - overwrite: true - type: keyword - description: This key is used to capture destination payload - - name: payload_src - overwrite: true - type: keyword - description: This key is used to capture source payload - - name: pool_id - overwrite: true - type: keyword - description: This key captures the identifier (typically numeric field) of a - resource pool - - name: process_id_val - overwrite: true - type: keyword - description: This key is a failure key for Process ID when it is not an integer - value - - name: risk_num_comm - overwrite: true - type: double - description: This key captures Risk Number Community - - name: risk_num_next - overwrite: true - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - overwrite: true - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - overwrite: true - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - overwrite: true - type: keyword - description: SNMP Object Identifier - - name: sql - overwrite: true - type: keyword - description: This key captures the SQL query - - name: vuln_ref - overwrite: true - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - overwrite: true - type: keyword - - name: acl_op - overwrite: true - type: keyword - - name: acl_pos - overwrite: true - type: keyword - - name: acl_table - overwrite: true - type: keyword - - name: admin - overwrite: true - type: keyword - - name: alarm_id - overwrite: true - type: keyword - - name: alarmname - 
overwrite: true - type: keyword - - name: app_id - overwrite: true - type: keyword - - name: audit - overwrite: true - type: keyword - - name: audit_object - overwrite: true - type: keyword - - name: auditdata - overwrite: true - type: keyword - - name: benchmark - overwrite: true - type: keyword - - name: bypass - overwrite: true - type: keyword - - name: cache - overwrite: true - type: keyword - - name: cache_hit - overwrite: true - type: keyword - - name: cefversion - overwrite: true - type: keyword - - name: cfg_attr - overwrite: true - type: keyword - - name: cfg_obj - overwrite: true - type: keyword - - name: cfg_path - overwrite: true - type: keyword - - name: changes - overwrite: true - type: keyword - - name: client_ip - overwrite: true - type: keyword - - name: clustermembers - overwrite: true - type: keyword - - name: cn_acttimeout - overwrite: true - type: keyword - - name: cn_asn_src - overwrite: true - type: keyword - - name: cn_bgpv4nxthop - overwrite: true - type: keyword - - name: cn_ctr_dst_code - overwrite: true - type: keyword - - name: cn_dst_tos - overwrite: true - type: keyword - - name: cn_dst_vlan - overwrite: true - type: keyword - - name: cn_engine_id - overwrite: true - type: keyword - - name: cn_engine_type - overwrite: true - type: keyword - - name: cn_f_switch - overwrite: true - type: keyword - - name: cn_flowsampid - overwrite: true - type: keyword - - name: cn_flowsampintv - overwrite: true - type: keyword - - name: cn_flowsampmode - overwrite: true - type: keyword - - name: cn_inacttimeout - overwrite: true - type: keyword - - name: cn_inpermbyts - overwrite: true - type: keyword - - name: cn_inpermpckts - overwrite: true - type: keyword - - name: cn_invalid - overwrite: true - type: keyword - - name: cn_ip_proto_ver - overwrite: true - type: keyword - - name: cn_ipv4_ident - overwrite: true - type: keyword - - name: cn_l_switch - overwrite: true - type: keyword - - name: cn_log_did - overwrite: true - type: keyword - - name: 
cn_log_rid - overwrite: true - type: keyword - - name: cn_max_ttl - overwrite: true - type: keyword - - name: cn_maxpcktlen - overwrite: true - type: keyword - - name: cn_min_ttl - overwrite: true - type: keyword - - name: cn_minpcktlen - overwrite: true - type: keyword - - name: cn_mpls_lbl_1 - overwrite: true - type: keyword - - name: cn_mpls_lbl_10 - overwrite: true - type: keyword - - name: cn_mpls_lbl_2 - overwrite: true - type: keyword - - name: cn_mpls_lbl_3 - overwrite: true - type: keyword - - name: cn_mpls_lbl_4 - overwrite: true - type: keyword - - name: cn_mpls_lbl_5 - overwrite: true - type: keyword - - name: cn_mpls_lbl_6 - overwrite: true - type: keyword - - name: cn_mpls_lbl_7 - overwrite: true - type: keyword - - name: cn_mpls_lbl_8 - overwrite: true - type: keyword - - name: cn_mpls_lbl_9 - overwrite: true - type: keyword - - name: cn_mplstoplabel - overwrite: true - type: keyword - - name: cn_mplstoplabip - overwrite: true - type: keyword - - name: cn_mul_dst_byt - overwrite: true - type: keyword - - name: cn_mul_dst_pks - overwrite: true - type: keyword - - name: cn_muligmptype - overwrite: true - type: keyword - - name: cn_sampalgo - overwrite: true - type: keyword - - name: cn_sampint - overwrite: true - type: keyword - - name: cn_seqctr - overwrite: true - type: keyword - - name: cn_spackets - overwrite: true - type: keyword - - name: cn_src_tos - overwrite: true - type: keyword - - name: cn_src_vlan - overwrite: true - type: keyword - - name: cn_sysuptime - overwrite: true - type: keyword - - name: cn_template_id - overwrite: true - type: keyword - - name: cn_totbytsexp - overwrite: true - type: keyword - - name: cn_totflowexp - overwrite: true - type: keyword - - name: cn_totpcktsexp - overwrite: true - type: keyword - - name: cn_unixnanosecs - overwrite: true - type: keyword - - name: cn_v6flowlabel - overwrite: true - type: keyword - - name: cn_v6optheaders - overwrite: true - type: keyword - - name: comp_class - overwrite: true - type: 
keyword - - name: comp_name - overwrite: true - type: keyword - - name: comp_rbytes - overwrite: true - type: keyword - - name: comp_sbytes - overwrite: true - type: keyword - - name: cpu_data - overwrite: true - type: keyword - - name: criticality - overwrite: true - type: keyword - - name: cs_agency_dst - overwrite: true - type: keyword - - name: cs_analyzedby - overwrite: true - type: keyword - - name: cs_av_other - overwrite: true - type: keyword - - name: cs_av_primary - overwrite: true - type: keyword - - name: cs_av_secondary - overwrite: true - type: keyword - - name: cs_bgpv6nxthop - overwrite: true - type: keyword - - name: cs_bit9status - overwrite: true - type: keyword - - name: cs_context - overwrite: true - type: keyword - - name: cs_control - overwrite: true - type: keyword - - name: cs_data - overwrite: true - type: keyword - - name: cs_datecret - overwrite: true - type: keyword - - name: cs_dst_tld - overwrite: true - type: keyword - - name: cs_eth_dst_ven - overwrite: true - type: keyword - - name: cs_eth_src_ven - overwrite: true - type: keyword - - name: cs_event_uuid - overwrite: true - type: keyword - - name: cs_filetype - overwrite: true - type: keyword - - name: cs_fld - overwrite: true - type: keyword - - name: cs_if_desc - overwrite: true - type: keyword - - name: cs_if_name - overwrite: true - type: keyword - - name: cs_ip_next_hop - overwrite: true - type: keyword - - name: cs_ipv4dstpre - overwrite: true - type: keyword - - name: cs_ipv4srcpre - overwrite: true - type: keyword - - name: cs_lifetime - overwrite: true - type: keyword - - name: cs_log_medium - overwrite: true - type: keyword - - name: cs_loginname - overwrite: true - type: keyword - - name: cs_modulescore - overwrite: true - type: keyword - - name: cs_modulesign - overwrite: true - type: keyword - - name: cs_opswatresult - overwrite: true - type: keyword - - name: cs_payload - overwrite: true - type: keyword - - name: cs_registrant - overwrite: true - type: keyword - - 
name: cs_registrar - overwrite: true - type: keyword - - name: cs_represult - overwrite: true - type: keyword - - name: cs_rpayload - overwrite: true - type: keyword - - name: cs_sampler_name - overwrite: true - type: keyword - - name: cs_sourcemodule - overwrite: true - type: keyword - - name: cs_streams - overwrite: true - type: keyword - - name: cs_targetmodule - overwrite: true - type: keyword - - name: cs_v6nxthop - overwrite: true - type: keyword - - name: cs_whois_server - overwrite: true - type: keyword - - name: cs_yararesult - overwrite: true - type: keyword - - name: description - overwrite: true - type: keyword - - name: devvendor - overwrite: true - type: keyword - - name: distance - overwrite: true - type: keyword - - name: dstburb - overwrite: true - type: keyword - - name: edomain - overwrite: true - type: keyword - - name: edomaub - overwrite: true - type: keyword - - name: euid - overwrite: true - type: keyword - - name: facility - overwrite: true - type: keyword - - name: finterface - overwrite: true - type: keyword - - name: flags - overwrite: true - type: keyword - - name: gaddr - overwrite: true - type: keyword - - name: id3 - overwrite: true - type: keyword - - name: im_buddyname - overwrite: true - type: keyword - - name: im_croomid - overwrite: true - type: keyword - - name: im_croomtype - overwrite: true - type: keyword - - name: im_members - overwrite: true - type: keyword - - name: im_username - overwrite: true - type: keyword - - name: ipkt - overwrite: true - type: keyword - - name: ipscat - overwrite: true - type: keyword - - name: ipspri - overwrite: true - type: keyword - - name: latitude - overwrite: true - type: keyword - - name: linenum - overwrite: true - type: keyword - - name: list_name - overwrite: true - type: keyword - - name: load_data - overwrite: true - type: keyword - - name: location_floor - overwrite: true - type: keyword - - name: location_mark - overwrite: true - type: keyword - - name: log_id - overwrite: true - 
type: keyword - - name: log_type - overwrite: true - type: keyword - - name: logid - overwrite: true - type: keyword - - name: logip - overwrite: true - type: keyword - - name: logname - overwrite: true - type: keyword - - name: longitude - overwrite: true - type: keyword - - name: lport - overwrite: true - type: keyword - - name: mbug_data - overwrite: true - type: keyword - - name: misc_name - overwrite: true - type: keyword - - name: msg_type - overwrite: true - type: keyword - - name: msgid - overwrite: true - type: keyword - - name: netsessid - overwrite: true - type: keyword - - name: num - overwrite: true - type: keyword - - name: number1 - overwrite: true - type: keyword - - name: number2 - overwrite: true - type: keyword - - name: nwwn - overwrite: true - type: keyword - - name: object - overwrite: true - type: keyword - - name: operation - overwrite: true - type: keyword - - name: opkt - overwrite: true - type: keyword - - name: orig_from - overwrite: true - type: keyword - - name: owner_id - overwrite: true - type: keyword - - name: p_action - overwrite: true - type: keyword - - name: p_filter - overwrite: true - type: keyword - - name: p_group_object - overwrite: true - type: keyword - - name: p_id - overwrite: true - type: keyword - - name: p_msgid1 - overwrite: true - type: keyword - - name: p_msgid2 - overwrite: true - type: keyword - - name: p_result1 - overwrite: true - type: keyword - - name: password_chg - overwrite: true - type: keyword - - name: password_expire - overwrite: true - type: keyword - - name: permgranted - overwrite: true - type: keyword - - name: permwanted - overwrite: true - type: keyword - - name: pgid - overwrite: true - type: keyword - - name: policyUUID - overwrite: true - type: keyword - - name: prog_asp_num - overwrite: true - type: keyword - - name: program - overwrite: true - type: keyword - - name: real_data - overwrite: true - type: keyword - - name: rec_asp_device - overwrite: true - type: keyword - - name: rec_asp_num 
- overwrite: true - type: keyword - - name: rec_library - overwrite: true - type: keyword - - name: recordnum - overwrite: true - type: keyword - - name: ruid - overwrite: true - type: keyword - - name: sburb - overwrite: true - type: keyword - - name: sdomain_fld - overwrite: true - type: keyword - - name: sec - overwrite: true - type: keyword - - name: sensorname - overwrite: true - type: keyword - - name: seqnum - overwrite: true - type: keyword - - name: session - overwrite: true - type: keyword - - name: sessiontype - overwrite: true - type: keyword - - name: sigUUID - overwrite: true - type: keyword - - name: spi - overwrite: true - type: keyword - - name: srcburb - overwrite: true - type: keyword - - name: srcdom - overwrite: true - type: keyword - - name: srcservice - overwrite: true - type: keyword - - name: state - overwrite: true - type: keyword - - name: status1 - overwrite: true - type: keyword - - name: svcno - overwrite: true - type: keyword - - name: system - overwrite: true - type: keyword - - name: tbdstr1 - overwrite: true - type: keyword - - name: tgtdom - overwrite: true - type: keyword - - name: tgtdomain - overwrite: true - type: keyword - - name: threshold - overwrite: true - type: keyword - - name: type1 - overwrite: true - type: keyword - - name: udb_class - overwrite: true - type: keyword - - name: url_fld - overwrite: true - type: keyword - - name: user_div - overwrite: true - type: keyword - - name: userid - overwrite: true - type: keyword - - name: username_fld - overwrite: true - type: keyword - - name: utcstamp - overwrite: true - type: keyword - - name: v_instafname - overwrite: true - type: keyword - - name: virt_data - overwrite: true - type: keyword - - name: vpnid - overwrite: true - type: keyword - - name: autorun_type - overwrite: true - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - overwrite: true - type: long - description: Valid Credit Card Numbers only - - name: content - 
overwrite: true - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - overwrite: true - type: long - description: Employee Identification Numbers only - - name: found - overwrite: true - type: keyword - description: This is used to capture the results of regex match - - name: language - overwrite: true - type: keyword - description: This is used to capture list of languages the client support and - what it prefers - - name: lifetime - overwrite: true - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - overwrite: true - type: keyword - description: This key is used to link the sessions together. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: match - overwrite: true - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - overwrite: true - type: keyword - description: This key captures the command line/launch argument of the target - process or file - - name: param_src - overwrite: true - type: keyword - description: This key captures source parameter - - name: search_text - overwrite: true - type: keyword - description: This key captures the Search Text used - - name: sig_name - overwrite: true - type: keyword - description: This key is used to capture the Signature Name only. - - name: snmp_value - overwrite: true - type: keyword - description: SNMP set request value - - name: streams - overwrite: true - type: long - description: This key captures number of streams in session - - name: db - overwrite: true - type: group - fields: - - name: index - overwrite: true - type: keyword - description: This key captures IndexID of the index. 
- - name: instance - overwrite: true - type: keyword - description: This key is used to capture the database server instance name - - name: database - overwrite: true - type: keyword - description: This key is used to capture the name of a database or an instance - as seen in a session - - name: transact_id - overwrite: true - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - overwrite: true - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - overwrite: true - type: keyword - description: This key is used to capture the table name - - name: db_id - overwrite: true - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - overwrite: true - type: long - description: This key captures the process id of a connection with database - server - - name: lread - overwrite: true - type: long - description: This key is used for the number of logical reads - - name: lwrite - overwrite: true - type: long - description: This key is used for the number of logical writes - - name: pread - overwrite: true - type: long - description: This key is used for the number of physical writes - - name: network - overwrite: true - type: group - fields: - - name: alias_host - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a hostname is not clear.Also it captures the Device Hostname. Any Hostname - that isnt ad.computer. 
- - name: domain - overwrite: true - type: keyword - - name: host_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Hostname" - - name: network_service - overwrite: true - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of an interface is not clear - - name: network_port - overwrite: true - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently - used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - overwrite: true - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Interface" - - name: dinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Interface" - - name: vlan - overwrite: true - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Zone." - - name: zone - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a Zone is not clear - - name: zone_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Zone." - - name: gateway - overwrite: true - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - overwrite: true - type: long - description: This key is used to capture the ICMP type only - - name: mask - overwrite: true - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - overwrite: true - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - overwrite: true - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - overwrite: true - type: keyword - description: This key is used for Destionation Device network mask - - name: port - overwrite: true - type: long - description: This key should only be used to capture a Network Port when the - directionality is not clear - - name: smask - overwrite: true - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - overwrite: true - type: keyword - description: This key is used to capture the network name associated with an - IP range. This is configured by the end user. - - name: paddr - overwrite: true - type: ip - description: Deprecated - - name: faddr - overwrite: true - type: keyword - - name: lhost - overwrite: true - type: keyword - - name: origin - overwrite: true - type: keyword - - name: remote_domain_id - overwrite: true - type: keyword - - name: addr - overwrite: true - type: keyword - - name: dns_a_record - overwrite: true - type: keyword - - name: dns_ptr_record - overwrite: true - type: keyword - - name: fhost - overwrite: true - type: keyword - - name: fport - overwrite: true - type: keyword - - name: laddr - overwrite: true - type: keyword - - name: linterface - overwrite: true - type: keyword - - name: phost - overwrite: true - type: keyword - - name: ad_computer_dst - overwrite: true - type: keyword - description: Deprecated, use host.dst - - name: eth_type - overwrite: true - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols - Only - - name: ip_proto - overwrite: true - type: long - description: This key should be used to capture the Protocol number, all the - protocol nubers are converted into string in UI - - name: dns_cname_record - overwrite: true - 
type: keyword - - name: dns_id - overwrite: true - type: keyword - - name: dns_opcode - overwrite: true - type: keyword - - name: dns_resp - overwrite: true - type: keyword - - name: dns_type - overwrite: true - type: keyword - - name: domain1 - overwrite: true - type: keyword - - name: host_type - overwrite: true - type: keyword - - name: packet_length - overwrite: true - type: keyword - - name: host_orig - overwrite: true - type: keyword - description: This is used to capture the original hostname in case of a Forwarding - Agent or a Proxy in between. - - name: rpayload - overwrite: true - type: keyword - description: This key is used to capture the total number of payload bytes seen - in the retransmitted packets. - - name: vlan_name - overwrite: true - type: keyword - description: This key should only be used to capture the name of the Virtual - LAN - - name: investigations - overwrite: true - type: group - fields: - - name: ec_activity - overwrite: true - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - overwrite: true - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - overwrite: true - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - overwrite: true - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - overwrite: true - type: long - description: This key captures the Event category number - - name: event_cat_name - overwrite: true - type: keyword - description: This key captures the event category name corresponding to the - event cat code - - name: event_vcat - overwrite: true - type: keyword - description: This is a vendor supplied category. This should be used in situations - where the vendor has adopted their own event_category taxonomy. 
- - name: analysis_file - overwrite: true - type: keyword - description: This is used to capture all indicators used in a File Analysis. - This key should be used to capture an analysis of a file - - name: analysis_service - overwrite: true - type: keyword - description: This is used to capture all indicators used in a Service Analysis. - This key should be used to capture an analysis of a service - - name: analysis_session - overwrite: true - type: keyword - description: This is used to capture all indicators used for a Session Analysis. - This key should be used to capture an analysis of a session - - name: boc - overwrite: true - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - overwrite: true - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - overwrite: true - type: keyword - description: This used to capture investigation category - - name: inv_context - overwrite: true - type: keyword - description: This used to capture investigation context - - name: ioc - overwrite: true - type: keyword - description: This is key capture indicator of compromise - - name: counters - overwrite: true - type: group - fields: - - name: dclass_c1 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c1.str only - - name: dclass_c2 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c2.str only - - name: event_counter - overwrite: true - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r1.str only - - name: dclass_c3 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c3.str only - - name: dclass_c1_str - 
overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c1 only - - name: dclass_c2_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c2 only - - name: dclass_r1_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r1 only - - name: dclass_r2 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r2.str only - - name: dclass_c3_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c3 only - - name: dclass_r3 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r3.str only - - name: dclass_r2_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r2 only - - name: dclass_r3_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r3 only - - name: identity - overwrite: true - type: group - fields: - - name: auth_method - overwrite: true - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - overwrite: true - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - overwrite: true - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - overwrite: true - type: keyword - description: This key is used to capture the type of logon method used. 
- - name: profile - overwrite: true - type: keyword - description: This key is used to capture the user profile - - name: accesses - overwrite: true - type: keyword - description: This key is used to capture actual privileges used in accessing - an object - - name: realm - overwrite: true - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - overwrite: true - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that - indicates a Source dn - - name: org - overwrite: true - type: keyword - description: This key captures the User organization - - name: dn_dst - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that - indicates a Destination dn - - name: firstname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: lastname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: user_dept - overwrite: true - type: keyword - description: User's Department Names only - - name: user_sid_src - overwrite: true - type: keyword - description: This key captures Source User Session ID - - name: federated_sp - overwrite: true - type: keyword - description: This key is the Federated Service Provider. This is the application - requesting authentication. - - name: federated_idp - overwrite: true - type: keyword - description: This key is the federated Identity Provider. This is the server - providing the authentication. - - name: logon_type_desc - overwrite: true - type: keyword - description: This key is used to capture the textual description of an integer - logon type as stored in the meta key 'logon.type'. 
- - name: middlename - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: password - overwrite: true - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - overwrite: true - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - overwrite: true - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ - t have a clear query or response context" - - name: ldap_query - overwrite: true - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - overwrite: true - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - overwrite: true - type: keyword - description: This is used to capture username the process or service is running - as, the author of the task - - name: service_account - overwrite: true - type: keyword - description: This key is a windows specific key, used for capturing name of - the account a service (referenced in the event) is running under. Legacy Usage - - name: email - overwrite: true - type: group - fields: - - name: email_dst - overwrite: true - type: keyword - description: This key is used to capture the Destination email address only, - when the destination context is not clear use email - - name: email_src - overwrite: true - type: keyword - description: This key is used to capture the source email address only, when - the source context is not clear use email - - name: subject - overwrite: true - type: keyword - description: This key is used to capture the subject string from an Email only. 
- - name: email - overwrite: true - type: keyword - description: This key is used to capture a generic email address where the source - or destination context is not clear - - name: trans_from - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: file - overwrite: true - type: group - fields: - - name: privilege - overwrite: true - type: keyword - description: Deprecated, use permissions - - name: attachment - overwrite: true - type: keyword - description: This key captures the attachment file name - - name: filesystem - overwrite: true - type: keyword - - name: binary - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: filename_dst - overwrite: true - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - overwrite: true - type: keyword - description: This is used to capture name of the parent filename, the file which - performed the action - - name: filename_tmp - overwrite: true - type: keyword - - name: directory_dst - overwrite: true - type: keyword - description: This key is used to capture the directory of the target process - or file - - name: directory_src - overwrite: true - type: keyword - description: This key is used to capture the directory of the source process - or file - - name: file_entropy - overwrite: true - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - overwrite: true - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - overwrite: true - type: keyword - description: This is used to capture name of the task - - name: web - overwrite: true - type: group - fields: - - name: fqdn - overwrite: true - type: keyword - description: Fully Qualified Domain Names - - 
name: web_cookie - overwrite: true - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - overwrite: true - type: keyword - - name: reputation_num - overwrite: true - type: double - description: Reputation Number of an entity. Typically used for Web Domains - - name: web_ref_domain - overwrite: true - type: keyword - description: Web referer's domain - - name: web_ref_query - overwrite: true - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - overwrite: true - type: keyword - - name: web_ref_page - overwrite: true - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - overwrite: true - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - overwrite: true - type: keyword - - name: cn_rpackets - overwrite: true - type: keyword - - name: urlpage - overwrite: true - type: keyword - - name: urlroot - overwrite: true - type: keyword - - name: p_url - overwrite: true - type: keyword - - name: p_user_agent - overwrite: true - type: keyword - - name: p_web_cookie - overwrite: true - type: keyword - - name: p_web_method - overwrite: true - type: keyword - - name: p_web_referer - overwrite: true - type: keyword - - name: web_extension_tmp - overwrite: true - type: keyword - - name: web_page - overwrite: true - type: keyword - - name: threat - overwrite: true - type: group - fields: - - name: threat_category - overwrite: true - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of - alert - - name: threat_desc - overwrite: true - type: keyword - description: This key is used to capture the threat description from the session - directly or inferred - - name: alert - overwrite: true - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - overwrite: true - type: keyword - description: This key is used to 
capture source of the threat - - name: crypto - overwrite: true - type: group - fields: - - name: crypto - overwrite: true - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key - only - - name: cipher_src - overwrite: true - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - overwrite: true - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - overwrite: true - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - overwrite: true - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - overwrite: true - type: keyword - description: IKE negotiation phase. - - name: scheme - overwrite: true - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - overwrite: true - type: keyword - description: "This key is for Encryption peer\u2019s identity" - - name: sig_type - overwrite: true - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - overwrite: true - type: keyword - - name: cert_host_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: cert_error - overwrite: true - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - overwrite: true - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - overwrite: true - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - overwrite: true - type: keyword - description: Deprecated, use version - - name: d_certauth - overwrite: true - type: keyword - - name: s_certauth - overwrite: true - type: keyword - - name: ike_cookie1 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - - name: ike_cookie2 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - - name: cert_checksum - overwrite: true - type: keyword - - name: cert_host_cat - overwrite: true - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - overwrite: true - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - overwrite: true - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - overwrite: true - type: keyword - description: Deprecated, use version - - name: cert_keysize - overwrite: true - type: keyword - - name: cert_username - overwrite: true - type: keyword - - name: https_insact - overwrite: true - type: keyword - - name: https_valid - overwrite: true - type: keyword - - name: cert_ca - overwrite: true - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - overwrite: true - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - overwrite: true - type: group - fields: - - name: wlan_ssid - overwrite: true - type: keyword - description: This key is 
used to capture the ssid of a Wireless Session - - name: access_point - overwrite: true - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - overwrite: true - type: long - description: This is used to capture the channel names - - name: wlan_name - overwrite: true - type: keyword - description: This key captures either WLAN number/name - - name: storage - overwrite: true - type: group - fields: - - name: disk_volume - overwrite: true - type: keyword - description: A unique name assigned to logical units (volumes) within a physical - disk - - name: lun - overwrite: true - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - overwrite: true - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - overwrite: true - type: group - fields: - - name: org_dst - overwrite: true - type: keyword - description: This is used to capture the destination organization based on the - GEOPIP Maxmind database. - - name: org_src - overwrite: true - type: keyword - description: This is used to capture the source organization based on the GEOPIP - Maxmind database. 
- - name: healthcare - overwrite: true - type: group - fields: - - name: patient_fname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_id - overwrite: true - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_mname - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: endpoint - overwrite: true - type: group - fields: - - name: host_state - overwrite: true - type: keyword - description: This key is used to capture the current state of the machine, such - as blacklisted, infected, firewall - disabled and so on - - name: registry_key - overwrite: true - type: keyword - description: This key captures the path to the registry key - - name: registry_value - overwrite: true - type: keyword - description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/fortinet/fortimanager/config/input.yml b/x-pack/filebeat/module/fortinet/fortimanager/config/input.yml
deleted file mode 100644
index b9d0a0ad797..00000000000
--- a/x-pack/filebeat/module/fortinet/fortimanager/config/input.yml
+++ /dev/null
@@ -1,87 +0,0 @@
-{{ if eq .input "file" }}
-
-type: log
-paths:
- {{ range $i, $path := .paths }}
-- {{$path}}
- {{ end }}
-exclude_files: [".gz$"]
-
-{{ else }}
-
-type: {{.input}}
-host: "{{.syslog_host}}:{{.syslog_port}}"
-
-{{ end }}
-
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
-
-fields_under_root: true
-fields:
- observer:
- vendor: "Fortinet"
- product: "FortiManager"
- type: "Configuration"
-
-processors:
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{.rsa_fields}}
- tz_offset: {{.tz_offset}}
- keep_raw: {{.keep_raw_fields}}
- debug: {{.debug}}
- files:
- - ${path.home}/module/fortinet/fortimanager/config/liblogparser.js
- - ${path.home}/module/fortinet/fortimanager/config/pipeline.js
-{{ if .community_id }}
-- community_id: ~
-{{ end }}
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: dns.question.name
- target_field: dns.question.registered_domain
- target_subdomain_field: dns.question.subdomain
- target_etld_field: dns.question.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: client.domain
- target_field: client.registered_domain
- target_subdomain_field: client.subdomain
- target_etld_field: client.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: server.domain
- target_field: server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/fortinet/fortimanager/config/liblogparser.js b/x-pack/filebeat/module/fortinet/fortimanager/config/liblogparser.js
deleted file mode 100644
index b35eaa3ddce..00000000000
--- a/x-pack/filebeat/module/fortinet/fortimanager/config/liblogparser.js
+++ /dev/null
@@ -1,2514 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -/* jshint -W014,-W016,-W097,-W116 */ - -var processor = require("processor"); -var console = require("console"); - -var FLAG_FIELD = "log.flags"; -var FIELDS_OBJECT = "nwparser"; -var FIELDS_PREFIX = FIELDS_OBJECT + "."; - -var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true -}; - -var saved_flags = null; -var debug; -var map_ecs; -var map_rsa; -var keep_raw; -var device; -var tz_offset; -var strip_priority; - -// Register params from configuration. -function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); -} - -function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } -} - -function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); -} - -function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); -} - -function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; -} - -function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; -} - -function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; -} - -var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); -})(); - -function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; -} - -function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } -} - -function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; -} - -function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; -} - -function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; -} - -function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; -} - -var start; - -function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); -} - -function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); -} - -function constant(value) { - return function (evt) { - return value; - }; -} - -function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; -} - -function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; -} - -// TODO: Implement -function DIRCHK(args) { - unimplemented("DIRCHK"); -} - -function strictToInt(str) { - return str * 1; -} - -function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - var result; - switch 
(args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; -} - -var quoteChars = "\"'`"; -function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; -} - -function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; -} - -function nop(evt) { -} - -function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); -} - -function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); -} - -function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; -} - -function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); -} - -function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; -} - -function setc(dst, value) { - return function (evt) { - evt.Put(FIELDS_PREFIX + dst, value); - }; 
-} - -function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; -} - -function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; -} - -function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; -} - -function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; -} - -// Make two-digit dates 00-69 interpreted as 2000-2069 -// and dates 70-99 translated to 1970-1999. -var twoDigitYearEpoch = 70; -var twoDigitYearCentury = 2000; - -// This is to accept dates up to 2 days in the future, only used when -// no year is specified in a date. 2 days should be enough to account for -// time differences between systems and different tz offsets. -var maxFutureDelta = 2*24*60*60*1000; - -// DateContainer stores date fields and then converts those fields into -// a Date. Necessary because building a Date using its set() methods gives -// different results depending on the order of components. -function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; -} - -DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } -} - -function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; -} - -function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; -} - -function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; -} - -var uA = 60 * 60 * 24; -var uD = 60 * 60 * 24; -var uF = 60 * 60; -var uG = 60 * 60 * 24 * 30; -var uH = 60 * 60; -var uI = 60 * 60; -var uJ = 60 * 60 * 24; -var uM = 60 * 60 * 24 * 30; -var uN = 60 * 60; -var uO = 1; -var uS = 1; -var uT = 60; -var uU = 60; -var uc = dc; - -function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; -} - -function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 5], - "dec": [11, 4], 
-}; - -// var dC = undefined; -var dR = dateMonthName(true); -var dB = dateMonthName(false); -var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); -var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); -var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); -var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); -var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); -var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 -var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); -var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); -var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); -var dP = parseAMPM; // AM|PM -var dQ = parseAMPM; // A.M.|P.M -var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); -var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); -var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); -var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); -var dZ = parseHMS; -var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - -// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. -// Only works if this modifier appears after the hour has been read from logs -// which is always the case in the 300 devices. 
-function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; -} - -function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); -} - -function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; -} - -function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; -} - -function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; -} - -function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; -} - -function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; -} - -// Short month name (Jan..Dec). -function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; -} - -function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; -} - -// The following regular expression for parsing URLs from: -// https://github.com/wizard04wsu/URI_Parsing -// -// The MIT License (MIT) -// -// Copyright (c) 2014 Andrew Harrison -// -// Permission is hereby granted, free of charge, to any person obtaining a copy of -// this software and associated documentation files (the "Software"), to deal in -// the Software without restriction, including without limitation the rights to -// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -// the Software, and to permit persons to whom the Software is furnished to do so, -// subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
-var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - -var uriScheme = 1; -var uriDomain = 5; -var uriPort = 6; -var uriPath = 7; -var uriPathAlt = 9; -var uriQuery = 11; - -function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); -} - -function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; -} - -function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; -} - -var extFromPage = /\.[^.]+$/; -function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } -} - -function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); -} - -function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); -} - -var pageFromPathRegExp = /\/([^\/]+)$/; -var pageName = 1; - -function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; -} - -function page(dst, src) { - return url_wrapper(dst, src, extract_page); -} - -function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; -} - -function path(dst, src) { - return url_wrapper(dst, src, extract_path); -} - -// Map common schemes to their default port. -// port has to be a string (will be converted at a later stage). 
-var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", -}; - -function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } -} - -function port(dst, src) { - return url_wrapper(dst, src, extract_port); -} - -function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; -} - -function query(dst, src) { - return url_wrapper(dst, src, extract_query); -} - -function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } -} - -function root(dst, src) { - return url_wrapper(dst, src, extract_root); -} - -function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } -} - -var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, -}; - -var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, 
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, -}; - -function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } -} - -// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. -var maxSafeInt = Math.pow(2, 53) - 1; -var minSafeInt = -maxSafeInt; - -function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; -} - -function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); -} - -var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; -var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - -function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; -} - -function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; -} - -function to_double(value) { - return parseFloat(value); -} - -function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; -} - -function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; -} - -function fld_set(dst, value) { - dst[this.field] = { v: value }; -} - -function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } -} - -function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } -} - -var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true -}; - -function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } -} - -function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } -} - -function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); -} - -var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, -]; - -function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - tzOffset = 
evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} time=%{htime->} devname=%{hdevice->} device_id=%{hfld1->} log_id=%{id->} type=%{hfld2->} subtype=%{hfld3->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.messageid", - fn: STRCAT, - args: [ - field("hfld2"), - constant("_fortinetmgr"), - ], - }), -])); - -var hdr2 = match("HEADER#1:0002", "message", "logver=%{hfld1->} date=%{hdate->} time=%{htime->} log_id=%{id->} %{payload}", processor_chain([ - setc("header_id","0002"), - dup1, -])); - -var hdr3 = match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} logver=%{fld1->} %{payload}", processor_chain([ - setc("header_id","0003"), - dup1, -])); - -var hdr4 = match("HEADER#3:0004", "message", "logver=%{hfld1->} dtime=%{hdatetime->} devid=%{hfld2->} devname=%{hdevice->} %{payload}", processor_chain([ - setc("header_id","0004"), - dup2, -])); - -var hdr5 = match("HEADER#4:0005", "message", "logver=%{hfld1->} devname=\"%{hdevice}\" devid=\"%{hfld2}\" %{payload}", processor_chain([ - setc("header_id","0005"), - dup2, -])); - -var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - hdr5, -]); - -var part1 = match("MESSAGE#0:fortinetmgr:01", "nwparser.payload", "user=%{fld1->} adom=%{domain->} user=%{username->} ui=%{fld2->} action=%{action->} status=%{event_state->} msg=\"%{event_description}\"", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, -])); - -var msg1 = msg("fortinetmgr:01", part1); - -var part2 = match("MESSAGE#1:fortinetmgr", "nwparser.payload", "user=%{username->} adom=%{domain->} msg=\"%{event_description}\"", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, -])); - -var msg2 = msg("fortinetmgr", part2); - -var part3 = match("MESSAGE#2:fortinetmgr:04/0", "nwparser.payload", "user=\"%{username}\" userfrom=%{fld7->} msg=\"%{p0}"); - -var part4 = 
match("MESSAGE#2:fortinetmgr:04/1_0", "nwparser.p0", "User%{p0}"); - -var part5 = match("MESSAGE#2:fortinetmgr:04/1_1", "nwparser.p0", "user%{p0}"); - -var select2 = linear_select([ - part4, - part5, -]); - -var part6 = match("MESSAGE#2:fortinetmgr:04/2", "nwparser.p0", "%{}'%{fld3}' with profile '%{fld4}' %{fld5->} from %{fld6}(%{hostip})%{p0}"); - -var part7 = match("MESSAGE#2:fortinetmgr:04/3_0", "nwparser.p0", ".\"%{p0}"); - -var part8 = match("MESSAGE#2:fortinetmgr:04/3_1", "nwparser.p0", "\"%{p0}"); - -var select3 = linear_select([ - part7, - part8, -]); - -var part9 = match("MESSAGE#2:fortinetmgr:04/4", "nwparser.p0", "%{}adminprof=%{p0}"); - -var part10 = match("MESSAGE#2:fortinetmgr:04/5_0", "nwparser.p0", "%{fld2->} sid=%{sid->} user_type=\"%{profile}\""); - -var part11 = match_copy("MESSAGE#2:fortinetmgr:04/5_1", "nwparser.p0", "fld2"); - -var select4 = linear_select([ - part10, - part11, -]); - -var all1 = all_match({ - processors: [ - part3, - select2, - part6, - select3, - part9, - select4, - ], - on_success: processor_chain([ - dup11, - dup4, - lookup({ - dest: "nwparser.event_cat", - map: map_getEventLegacyCategory, - key: field("fld5"), - }), - dup22, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - ]), -}); - -var msg3 = msg("fortinetmgr:04", all1); - -var part12 = match("MESSAGE#3:fortinetmgr:02", "nwparser.payload", "user=%{username->} userfrom=%{fld4->} msg=\"%{event_description}\" adminprof=%{fld2}", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, -])); - -var msg4 = msg("fortinetmgr:02", part12); - -var part13 = match("MESSAGE#4:fortinetmgr:03", "nwparser.payload", "user=\"%{username}\" msg=\"Login from ssh:%{fld1->} for %{fld2->} from %{saddr->} port %{sport}\" remote_ip=\"%{daddr}\" remote_port=%{dport->} valid=%{fld3->} authmsg=\"%{result}\" extrainfo=%{fld5}", processor_chain([ - dup11, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - lookup({ - dest: "nwparser.event_cat", - map: 
map_getEventLegacyCategory, - key: field("result"), - }), - dup22, -])); - -var msg5 = msg("fortinetmgr:03", part13); - -var part14 = match("MESSAGE#5:fortinetmgr:05/0", "nwparser.payload", "user=\"%{username}\" userfrom=\"%{fld1}\"msg=\"%{p0}"); - -var part15 = match("MESSAGE#5:fortinetmgr:05/1_0", "nwparser.p0", "dev=%{fld2},vdom=%{fld3},type=%{fld4},key=%{fld5},act=%{action},pkgname=%{fld7},allowaccess=%{fld8}\"%{p0}"); - -var part16 = match("MESSAGE#5:fortinetmgr:05/1_1", "nwparser.p0", "%{event_description}\"%{p0}"); - -var select5 = linear_select([ - part15, - part16, -]); - -var part17 = match("MESSAGE#5:fortinetmgr:05/2", "nwparser.p0", "%{domain}\" adom=\""); - -var all2 = all_match({ - processors: [ - part14, - select5, - part17, - ], - on_success: processor_chain([ - dup13, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - ]), -}); - -var msg6 = msg("fortinetmgr:05", all2); - -var part18 = tagval("MESSAGE#6:event_fortinetmgr_tvm", "nwparser.payload", tvm, { - "action": "action", - "adom": "domain", - "desc": "event_description", - "msg": "info", - "session_id": "sessionid", - "user": "username", - "userfrom": "fld1", -}, processor_chain([ - dup11, - dup4, - dup5, - dup6, - dup7, - setf("event_type","hfld2"), - dup9, - dup10, -])); - -var msg7 = msg("event_fortinetmgr_tvm", part18); - -var select6 = linear_select([ - msg1, - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, -]); - -var part19 = tagval("MESSAGE#7:generic_fortinetmgr", "nwparser.payload", tvm, { - "action": "action", - "adminprof": "fld13", - "cat": "fcatnum", - "catdesc": "filter", - "cipher_suite": "fld24", - "content_switch_name": "fld15", - "craction": "fld9", - "crlevel": "fld10", - "crscore": "reputation_num", - "dev_id": "fld100", - "device_id": "hardware_id", - "devid": "hardware_id", - "devname": "event_source", - "devtype": "fld7", - "direction": "direction", - "dst": "daddr", - "dst_port": "dport", - "dstintf": "dinterface", - "dstip": "daddr", - "dstport": "dport", - 
"duration": "duration", - "eventtype": "vendor_event_cat", - "false_positive_mitigation": "fld17", - "ftp_cmd": "fld23", - "ftp_mode": "fld22", - "history_threat_weight": "fld21", - "hostname": "hostname", - "http_agent": "agent", - "http_host": "web_ref_domain", - "http_method": "web_method", - "http_refer": "web_referer", - "http_session_id": "sessionid", - "http_url": "web_query", - "http_version": "fld19", - "level": "severity", - "log_id": "id", - "logid": "id", - "main_type": "fld37", - "mastersrcmac": "fld8", - "method": "fld12", - "monitor_status": "fld18", - "msg": "event_description", - "msg_id": "fld25", - "osname": "os", - "osversion": "version", - "policy": "policyname", - "policyid": "policy_id", - "poluuid": "fld5", - "pri": "severity", - "profile": "rulename", - "proto": "fld6", - "rcvdbyte": "rbytes", - "reqtype": "fld11", - "sentbyte": "sbytes", - "server_pool_name": "fld16", - "service": "network_service", - "sessionid": "sessionid", - "severity_level": "fld101", - "signature_id": "sigid", - "signature_subclass": "fld14", - "src": "saddr", - "src_port": "sport", - "srccountry": "location_src", - "srcintf": "sinterface", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "sub_type": "category", - "subtype": "category", - "threat_level": "threat_val", - "threat_weight": "fld20", - "timezone": "timezone", - "trandisp": "context", - "trigger_policy": "fld39", - "type": "event_type", - "url": "url", - "user": "username", - "user_name": "username", - "userfrom": "fld30", - "vd": "vsys", -}, processor_chain([ - dup13, - dup4, - dup5, - dup14, - dup23, -])); - -var msg8 = msg("generic_fortinetmgr", part19); - -var part20 = tagval("MESSAGE#8:generic_fortinetmgr_1", "nwparser.payload", tvm, { - "action": "action", - "app": "obj_name", - "appcat": "fld33", - "craction": "fld9", - "crlevel": "fld10", - "crscore": "reputation_num", - "date": "fld1", - "dstcountry": "location_dst", - "dstintf": "dinterface", - "dstintfrole": "fld31", - 
"dstip": "daddr", - "dstport": "dport", - "duration": "duration", - "eventtime": "event_time_string", - "level": "severity", - "logid": "id", - "logtime": "fld35", - "policyid": "policy_id", - "policytype": "fld34", - "poluuid": "fld5", - "proto": "fld6", - "rcvdbyte": "rbytes", - "sentbyte": "sbytes", - "sentpkt": "fld15", - "service": "network_service", - "sessionid": "sessionid", - "srccountry": "location_src", - "srcintf": "sinterface", - "srcintfrole": "fld30", - "srcip": "saddr", - "srcport": "sport", - "subtype": "category", - "time": "fld2", - "trandisp": "context", - "tranip": "dtransaddr", - "tranport": "dtransport", - "type": "event_type", - "vd": "vsys", -}, processor_chain([ - dup13, - dup4, - date_time({ - dest: "event_time", - args: ["fld1","fld2"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], - ], - }), - dup6, - setf("hardware_id","hfld2"), - dup14, - dup23, -])); - -var msg9 = msg("generic_fortinetmgr_1", part20); - -var chain1 = processor_chain([ - select1, - msgid_select({ - "event_fortinetmgr": select6, - "generic_fortinetmgr": msg8, - "generic_fortinetmgr_1": msg9, - }), -]); diff --git a/x-pack/filebeat/module/fortinet/fortimanager/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/fortimanager/ingest/pipeline.yml deleted file mode 100644 index 146ed98dc9a..00000000000 --- a/x-pack/filebeat/module/fortinet/fortimanager/ingest/pipeline.yml +++ /dev/null 
@@ -1,93 +0,0 @@
----
-description: Pipeline for Fortinet Manager/Analyzer
-
-processors:
- # ECS event.ingested
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
- # User agent
- - user_agent:
- field: user_agent.original
- ignore_missing: true
- # Serial Number
- - set:
- field: observer.serial_number
- value: "{{rsa.misc.hardware_id}}"
- ignore_empty_value: true
- # URL
- - uri_parts:
- field: url.original
- target_field: _temp_.url
- ignore_failure: true
- if: ctx?.url?.original != null
- - script:
- lang: painless
- description: Updates the URL ECS fields from the results of the URI parts processor to not overwrite the RSA mappings
- if: ctx?._temp_?.url != null
- source: |
- for (entry in ctx._temp_.url.entrySet()) {
- if (entry != null && entry.getValue() != null) {
- if(ctx.url[entry.getKey()] == null) {
- ctx.url[entry.getKey()] = entry.getValue();
- } else if (!ctx.url[entry.getKey()].contains(entry.getValue())) {
- ctx.url[entry.getKey()] = [ctx.url[entry.getKey()]];
- ctx.url[entry.getKey()].add(entry.getValue());
- }
- }
- }
- - remove:
- field: _temp_
- ignore_missing: true
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
-
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - 
rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - append:
- field: related.hosts
- value: '{{host.name}}'
- allow_duplicates: false
- if: ctx.host?.name != null && ctx.host?.name != ''
-on_failure:
- - append:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/fortinet/fortimanager/manifest.yml b/x-pack/filebeat/module/fortinet/fortimanager/manifest.yml
deleted file mode 100644
index 97a401f008c..00000000000
--- a/x-pack/filebeat/module/fortinet/fortimanager/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-module_version: "1.0"
-
-var:
- - name: paths
- - name: tags
- default: ["fortinet.fortimanager", "forwarded"]
- - name: syslog_host
- default: localhost
- - name: syslog_port
- default: 9546
- - name: input
- default: udp
- - name: community_id
- default: true
- - name: tz_offset
- default: local
- - name: rsa_fields
- default: true
- - name: keep_raw_fields
- default: false
- - name: debug
- default: false
-
-ingest_pipeline: ingest/pipeline.yml
-input: config/input.yml
-
-requires.processors:
-- name: geoip
- plugin: ingest-geoip
-- name: user_agent
- plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log b/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log
deleted file mode 100644
index 7da64dddce2..00000000000
--- a/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log
+++ /dev/null
@@ -1,100 +0,0 @@ -logver=iusm devname="modtempo" devid="olab" vd=nto date=2016-1-29 time=6:09:59 logid=sse type=exercita subtype=der level=very-high eventtime=odoco logtime=ria srcip=10.20.234.169 srcport=1001 srcintf=eth5722 srcintfrole=vol dstip=10.44.173.44 dstport=6125 dstintf=enp0s3068 dstintfrole=nseq poluuid=itinvol sessionid=psa proto=21 action=allow policyid=ntium policytype=psaq crscore=13.800000 craction=eab crlevel=aliqu appcat=Ute service=lupt srccountry=dolore dstcountry=sequa trandisp=abo tranip=10.189.58.145 tranport=5273 duration=14.119000 sentbyte=7880 rcvdbyte=449 sentpkt=mqui app=nci -date=2016-2-12 time=1:12:33 logver=litesse devid=orev devname=pisciv logid=uii type=umexe subtype=estlabo level=high vd=iatnu srcip=10.182.84.248 srcport=4880 srcintf=enp0s208 dstip=10.162.33.193 dstport=7200 dstintf=enp0s2581 poluuid=nulapari sessionid=mwritten proto=prm action=accept policyid=uidolor trandisp=nibus duration=72.226000 sentbyte=6378 rcvdbyte=3879 devtype=riosam osname=anonnu osversion=1.410 mastersrcmac=ameaqu srcmac=01:00:5e:84:66:6c crscore=145.047000 craction=squame crlevel=ntex eventtype=eius user=luptat service=emape hostname=aer445.host profile=eumiu reqtype=uame url=https://www.example.net/orisn/cca.htm?ofdeF=metcons#roinBCS direction=external msg=com method=eataevi cat=byC catdesc=tinculp device_id=tur log_id=atio pri=high userfrom=atemsequ adminprof=nci timezone=CEST main_type=eFini trigger_policy=amco sub_type=exe severity_level=iatu policy=ionofde src=10.62.4.246 src_port=189 dst=10.171.204.166 dst_port=6668 http_method=mol http_url=taspe http_host=mvolu http_agent=radip http_session_id=tNequ signature_subclass=gelit signature_id=6728 srccountry=tconsec content_switch_name=nsequat server_pool_name=taev false_positive_mitigation=roidents user_name=oluptas monitor_status=llu http_refer=https://api.example.org/tamremap/tur.html?radipis=isetq#estqui http_version=uasiarch dev_id=emaper threat_weight=ssitasp history_threat_weight=eum 
threat_level=sum ftp_mode=uaerat ftp_cmd=boreet cipher_suite=onev msg_id=tenima -logver=seq dtime=2016-02-26 20:15:08.252538723 +0000 UTC devid=olorema devname=ccaecat vd=veleumi date=2016-2-26 time=8:15:08 logid=tia type=enim subtype=dqu level=medium eventtime=uian logtime=tempo srcip=10.200.188.142 srcport=4665 srcintf=eth4496 srcintfrole=eetd dstip=10.94.103.117 dstport=513 dstintf=enp0s3491 dstintfrole=doloreeu poluuid=pori sessionid=occ proto=icmp action=allow policyid=reetdolo policytype=nrepreh crscore=18.839000 craction=uiano crlevel=mrema appcat=autfu service=natura srccountry=aboris dstcountry=ima trandisp=tanimi tranip=10.15.159.80 tranport=6378 duration=121.916000 sentbyte=6517 rcvdbyte=13 sentpkt=ugiatqu app=eacomm -logver=liqu devname="lorem" devid="emq" vd=isiu date=2016-3-12 time=3:17:42 logid=nimadmi type=iatisu subtype=iat level=low eventtime=suntinc logtime=elits srcip=10.131.233.27 srcport=5037 srcintf=eth3676 srcintfrole=eataevit dstip=10.50.112.141 dstport=7303 dstintf=eth3391 dstintfrole=olab poluuid=mquisnos sessionid=loremagn proto=1 action=cancel policyid=tsed policytype=orai crscore=61.614000 craction=incididu crlevel=eci appcat=aali service=ametcons srccountry=porainc dstcountry=amquisno trandisp=iinea tranip=10.27.88.95 tranport=776 duration=5.911000 sentbyte=1147 rcvdbyte=3269 sentpkt=tvol app=moll -date=2016-3-26 time=10:20:16 logver=inim devid=ema devname=roinBCSe logid=onse type=tae subtype=tatno level=very-high vd=oluptate srcip=10.52.54.178 srcport=4427 srcintf=lo1567 dstip=10.37.58.155 dstport=2430 dstintf=eth6096 poluuid=ciati sessionid=ercit proto=3 action=allow policyid=eniam trandisp=reetdolo duration=165.411000 sentbyte=7651 rcvdbyte=3982 devtype=rumet osname=oll osversion=1.5670 mastersrcmac=nido srcmac=01:00:5e:c3:0a:41 crscore=71.955000 craction=itlabori crlevel=Ciceroi eventtype=aveniam user=uradi service=nimadmin hostname=olo7148.mail.home profile=snulapar reqtype=aedic 
url=https://api.example.com/iumto/aboreetd.gif?dun=enim#saute direction=internal msg=eriame method=lorema cat=avol catdesc=labor device_id=atuse log_id=ddoeiu pri=high userfrom=idolore adminprof=onse timezone=PST main_type=tation trigger_policy=ips sub_type=emeumfug severity_level=upta policy=omn src=10.87.212.179 src_port=1758 dst=10.157.213.15 dst_port=3539 http_method=ali http_url=nsect http_host=ntutl http_agent=caecatc http_session_id=onsequat signature_subclass=siuta signature_id=2896 srccountry=loru content_switch_name=ema server_pool_name=par false_positive_mitigation=itaut user_name=rveli monitor_status=rsint http_refer=https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf http_version=antiumto dev_id=strude threat_weight=ctetura history_threat_weight=usmod threat_level=edqui ftp_mode=mquidol ftp_cmd=ita cipher_suite=ipi msg_id=rsitamet -date=2016-4-9 time=5:22:51 logver=eseru devid=remeum devname=orain logid=quip type=oin subtype=uisquam level=high vd=tinvol srcip=10.19.68.92 srcport=1409 srcintf=enp0s33 dstip=10.38.22.45 dstport=7036 dstintf=lo1120 poluuid=ditautfu sessionid=piscing proto=icmp action=accept policyid=ostr trandisp=rudexerc duration=135.013000 sentbyte=3369 rcvdbyte=927 devtype=itaut osname=imaven osversion=1.152 mastersrcmac=umdolo srcmac=01:00:5e:f7:4a:fd crscore=169.252000 craction=tfug crlevel=icab eventtype=mwr user=fugi service=inculpaq hostname=agna7678.internal.host profile=equa reqtype=mexercit url=https://www.example.net/tasuntex/sunt.txt?ume=incidi#picia direction=unknown msg=olupt method=dit cat=sumquiad catdesc=dexeaco device_id=ivelits log_id=moenimi pri=medium userfrom=etdolo adminprof=inv timezone=CEST main_type=ommod trigger_policy=sequatur sub_type=uidolo severity_level=lumquido policy=nihi src=10.114.150.67 src_port=1407 dst=10.76.73.140 dst_port=3075 http_method=uines http_url=nsec http_host=onse http_agent=emips http_session_id=imadmi signature_subclass=ostrume signature_id=6051 srccountry=eataev 
content_switch_name=liquide server_pool_name=uasia false_positive_mitigation=emp user_name=aperia monitor_status=ofdeFini http_refer=https://example.org/vol/riat.htm?atvol=umiur#imad http_version=msequi dev_id=isnostru threat_weight=iquaUten history_threat_weight=santium threat_level=iciatisu ftp_mode=rehender ftp_cmd=eporroqu cipher_suite=uat msg_id=tem -logver=suntinc date=2016-4-24 time=12:25:25 log_id=xeac devid=nidolo devname=tatn logid=eli type=nnu subtype=dolo level=low vd=nse srcip=10.202.204.239 srcport=7783 srcintf=lo2857 dstip=10.147.28.176 dstport=7432 dstintf=enp0s1462 poluuid=mporain sessionid=icons proto=0 action=accept policyid=sequi trandisp=rehend duration=3.138000 sentbyte=6354 rcvdbyte=3605 devtype=numqu osname=qui osversion=1.4059 mastersrcmac=equi srcmac=01:00:5e:68:86:a1 crscore=72.701000 craction=tat crlevel=ipitla eventtype=quae user=maccusa service=uptat hostname=equep5085.mail.domain profile=aqu reqtype=rpo url=https://www.example.org/inesci/serror.html?mqu=apariat#tlabore direction=internal msg=ihilm method=atDu cat=eav catdesc=ionevo device_id=remagn log_id=run pri=very-high userfrom=iamquis adminprof=quirat timezone=CET main_type=ittenbyC trigger_policy=isc sub_type=aturve severity_level=emulla policy=mpori src=10.195.36.51 src_port=3905 dst=10.95.64.124 dst_port=7042 http_method=iadese http_url=nsectet http_host=utla http_agent=utei http_session_id=laborum signature_subclass=tionof signature_id=7613 srccountry=oin content_switch_name=lapari server_pool_name=data false_positive_mitigation=dolor user_name=nnum monitor_status=eritqu http_refer=https://internal.example.net/wri/bor.jpg?hitect=dol#leumiu http_version=namali dev_id=taevit threat_weight=rinrepre history_threat_weight=etconse threat_level=tincu ftp_mode=ari ftp_cmd=exercit cipher_suite=sci msg_id=quamnih -logver=occae dtime=2016-05-08 07:27:59.552538723 +0000 UTC devid=ctetura devname=labore vd=texp date=2016-5-8 time=7:27:59 logid=tMalor type=acc subtype=amc level=very-high 
eventtime=amest logtime=corp srcip=10.176.216.90 srcport=2428 srcintf=eth2591 srcintfrole=dantiumt dstip=10.186.85.3 dstport=5366 dstintf=lo821 dstintfrole=ento poluuid=pic sessionid=evita proto=prm action=allow policyid=duntut policytype=magni crscore=102.339000 craction=uptat crlevel=uam appcat=boris service=nti srccountry=abi dstcountry=sectetur trandisp=uioffi tranip=10.114.16.155 tranport=1608 duration=62.941000 sentbyte=5110 rcvdbyte=3818 sentpkt=ipi app=reseos -logver=mcolab date=2016-5-22 time=2:30:33 log_id=neav devid=oquisqu devname=sperna logid=eabilloi type=estia subtype=tper level=very-high vd=volupt srcip=10.188.169.107 srcport=2138 srcintf=eth6448 dstip=10.214.7.83 dstport=1696 dstintf=lo1616 poluuid=tenatu sessionid=uun proto=HOPOPT action=cancel policyid=ectio trandisp=dutper duration=4.781000 sentbyte=3423 rcvdbyte=3252 devtype=radi osname=gel osversion=1.3917 mastersrcmac=iduntu srcmac=01:00:5e:21:f5:0a crscore=57.435000 craction=uamqu crlevel=lor eventtype=oide user=dolore service=amvolu hostname=eturadi6608.mail.host profile=aera reqtype=ate url=https://api.example.com/nimid/itatione.htm?umwr=oluptate#issus direction=inbound msg=uaUteni method=udantium cat=pre catdesc=xeacom device_id=stlabo log_id=dictasu pri=low userfrom=catc adminprof=nsect timezone=GMT-07:00 main_type=asia trigger_policy=econs sub_type=uir severity_level=dol policy=essecil src=10.23.62.94 src_port=4368 dst=10.61.163.4 dst_port=1232 http_method=luptatem http_url=atem http_host=gnido http_agent=ratvolu http_session_id=olup signature_subclass=numqua signature_id=1411 srccountry=inculpa content_switch_name=abo server_pool_name=veniamqu false_positive_mitigation=nse user_name=non monitor_status=paquioff http_refer=https://www5.example.org/maven/hende.jpg?labor=didunt#uptatema http_version=intocc dev_id=liqu threat_weight=eporr history_threat_weight=xeacomm threat_level=mveleu ftp_mode=nofdeFin ftp_cmd=sequam cipher_suite=temvel msg_id=ris -date=2016-6-5 time=9:33:08 
logver=nisiuta devid=tvolu devname=ecte logid=tinvolu type=iurer subtype=iciadese level=medium vd=gnaaliq srcip=10.52.135.156 srcport=2660 srcintf=eth4502 dstip=10.133.89.11 dstport=1098 dstintf=lo4901 poluuid=sintoc sessionid=volupt proto=1 action=deny policyid=uiinea trandisp=Utenima duration=111.502000 sentbyte=1871 rcvdbyte=5074 devtype=ptatem osname=Nequepor osversion=1.2580 mastersrcmac=ugiatnu srcmac=01:00:5e:4a:7f:b8 crscore=103.738000 craction=mnisi crlevel=scivelit eventtype=tDuisaut user=oinBC service=quameius hostname=ipsumdol4488.api.localdomain profile=ommodico reqtype=ptas url=https://example.com/tetu/stru.htm?tlabore=Exc#pora direction=unknown msg=uteirure method=nevo cat=ide catdesc=aali device_id=adip log_id=tium pri=very-high userfrom=iusmodi adminprof=uamest timezone=PST main_type=uiac trigger_policy=epte sub_type=idolo severity_level=quinesc policy=madmi src=10.28.76.42 src_port=3427 dst=10.106.31.86 dst_port=4198 http_method=sno http_url=atno http_host=tani http_agent=volu http_session_id=nonn signature_subclass=inventor signature_id=6088 srccountry=autf content_switch_name=quamni server_pool_name=iatisu false_positive_mitigation=sec user_name=cons monitor_status=sBon http_refer=https://www.example.com/tae/ccaec.htm?aperiame=isc#ullamcor http_version=tobea dev_id=tor threat_weight=qui history_threat_weight=ntmollit threat_level=tenatus ftp_mode=cipitlab ftp_cmd=ipsumd cipher_suite=antiu msg_id=uirati -logver=ersp dtime=2016-06-20 04:35:42.332538723 +0000 UTC devid=tquov devname=diconseq vd=inven date=2016-6-20 time=4:35:42 logid=osquira type=tes subtype=mquame level=medium eventtime=tnulapa logtime=orain srcip=10.238.164.74 srcport=2201 srcintf=lo4249 srcintfrole=madmi dstip=10.106.162.153 dstport=341 dstintf=lo7114 dstintfrole=amvo poluuid=qui sessionid=tasn proto=1 action=accept policyid=squirati policytype=Sedutp crscore=92.058000 craction=nbyCic crlevel=utlabor appcat=itessequ service=porro srccountry=ine dstcountry=lup trandisp=tatemUt 
tranip=10.58.214.16 tranport=508 duration=166.566000 sentbyte=2715 rcvdbyte=7130 sentpkt=pici app=abor -logver=tquiin dtime=2016-07-04 11:38:16.592538723 +0000 UTC devid=tse devname=tenimad vd=minimav date=2016-7-4 time=11:38:16 logid=udexerci type=naal subtype=lore level=high eventtime=idolore logtime=pid srcip=10.225.141.20 srcport=2282 srcintf=enp0s4046 srcintfrole=natuse dstip=10.217.150.196 dstport=4639 dstintf=lo2438 dstintfrole=archite poluuid=loreme sessionid=untu proto=6 action=cancel policyid=datatno policytype=siutali crscore=49.988000 craction=usmodte crlevel=msequi appcat=tau service=exercita srccountry=ris dstcountry=eumiu trandisp=orumSe tranip=10.110.31.190 tranport=945 duration=12.946000 sentbyte=248 rcvdbyte=5300 sentpkt=eeufugia app=evit -date=2016-7-18 time=6:40:50 devname=molli device_id=velitse log_id=oditem type=generic subtype=gitsedqu pri=very-high devid=oremi devname=mestq logid=temUt type=olor subtype=ineavo level=very-high vd=mquelau srcip=10.168.236.85 srcport=6846 srcintf=eth651 dstip=10.140.113.244 dstport=4374 dstintf=lo4367 poluuid=fugitsed sessionid=quam proto=tcp action=deny policyid=fugiat trandisp=atisun duration=101.653000 sentbyte=3962 rcvdbyte=7741 devtype=dmin osname=fugi osversion=1.3319 mastersrcmac=inci srcmac=01:00:5e:e6:ad:ae crscore=39.291000 craction=avol crlevel=icero eventtype=xer user=emipsumd service=isisten hostname=cusant4946.www.domain profile=itecto reqtype=reetdol url=https://api.example.com/isnostr/umqu.htm?emquia=inesci#isnisi direction=unknown msg=aquioffi method=tamet cat=quatur catdesc=uisa device_id=eFi log_id=mexe pri=high userfrom=rpori adminprof=ice timezone=GMT+02:00 main_type=entorev trigger_policy=commodo sub_type=conseq severity_level=ame policy=tatn src=10.137.56.173 src_port=3932 dst=10.69.103.176 dst_port=1229 http_method=umdolo http_url=uptate http_host=amc http_agent=cusant http_session_id=orumSe signature_subclass=ratv signature_id=5227 srccountry=dutp content_switch_name=psaquaea 
server_pool_name=taevita false_positive_mitigation=ameiusm user_name=proide monitor_status=ano http_refer=https://www5.example.org/tvol/velitess.htm?edqui=nre#veli http_version=volupta dev_id=rnatu threat_weight=elitse history_threat_weight=ima threat_level=quasia ftp_mode=adi ftp_cmd=umwrit cipher_suite=uptate msg_id=mac -logver=dolore devname="onsecte" devid="nBCSedut" vd=ugiat date=2016-8-2 time=1:43:25 logid=onulam type=ate subtype=odoconse level=high eventtime=quatu logtime=veli srcip=10.30.47.165 srcport=631 srcintf=eth267 srcintfrole=sectet dstip=10.5.235.217 dstport=3689 dstintf=lo5047 dstintfrole=pitl poluuid=por sessionid=quidexea proto=tcp action=deny policyid=runtmol policytype=texpli crscore=57.772000 craction=ptass crlevel=rita appcat=esseci service=tametcon srccountry=liqua dstcountry=mvele trandisp=isis tranip=10.25.212.118 tranport=1190 duration=179.686000 sentbyte=238 rcvdbyte=7122 sentpkt=dantium app=lor -date=2016-8-16 time=8:45:59 logver=onemulla devid=dolorem devname=tvolu logid=nreprehe type=tetu subtype=mdol level=high vd=nby srcip=10.20.26.210 srcport=2791 srcintf=eth5968 dstip=10.85.96.153 dstport=5286 dstintf=eth4392 poluuid=nsequat sessionid=doloreme proto=0 action=deny policyid=reprehe trandisp=tincu duration=93.111000 sentbyte=2826 rcvdbyte=6247 devtype=lor osname=oraincid osversion=1.225 mastersrcmac=emeumfug srcmac=01:00:5e:1d:39:39 crscore=114.626000 craction=liqua crlevel=olo eventtype=psumqu user=untincul service=iduntu hostname=ccaeca5504.internal.example profile=reseo reqtype=oreetd url=https://example.org/tiaec/rumwrit.txt?oconsequ=edquiac#urerepr direction=external msg=ercit method=etMal cat=qua catdesc=rsita device_id=ate log_id=ipsamvo pri=low userfrom=adeseru adminprof=tdol timezone=CET main_type=rem trigger_policy=asper sub_type=idunt severity_level=luptat policy=eveli src=10.149.13.76 src_port=7809 dst=10.40.152.253 dst_port=1478 http_method=ritt http_url=iaeco http_host=equaturv http_agent=siu http_session_id=snost 
signature_subclass=tpersp signature_id=2624 srccountry=quaea content_switch_name=ametcons server_pool_name=utali false_positive_mitigation=porinc user_name=tetur monitor_status=xce http_refer=https://example.com/aincidu/nimadmin.jpg?itinv=eumfugi#etdolor http_version=lupta dev_id=xeaco threat_weight=nvolupt history_threat_weight=oremi threat_level=elites ftp_mode=nbyCi ftp_cmd=tevel cipher_suite=usc msg_id=rem -logver=cab dtime=2016-08-30 15:48:33.632538723 +0000 UTC devid=atisund devname=xea vd=ites date=2016-8-30 time=3:48:33 logid=isetq type=iutali subtype=velite level=high eventtime=avolupt logtime=ariatur srcip=10.98.194.212 srcport=5469 srcintf=lo1208 srcintfrole=atisetqu dstip=10.51.213.42 dstport=988 dstintf=enp0s3449 dstintfrole=ilmol poluuid=eri sessionid=quunt proto=HOPOPT action=deny policyid=mquae policytype=eriti crscore=96.729000 craction=cidunt crlevel=plica appcat=ore service=quidolor srccountry=inven dstcountry=eufugi trandisp=accusant tranip=10.233.120.207 tranport=136 duration=171.844000 sentbyte=2859 rcvdbyte=4844 sentpkt=eaqu app=nvol -logver=leumiu devname="tla" devid="item" vd=nimid date=2016-9-13 time=10:51:07 logid=dat type=periam subtype=dqu level=high eventtime=dminima logtime=dutpers srcip=10.245.187.229 srcport=4953 srcintf=lo3642 srcintfrole=prehen dstip=10.67.132.242 dstport=2340 dstintf=enp0s2700 dstintfrole=sequa poluuid=iosamnis sessionid=volupt proto=6 action=allow policyid=idid policytype=tesse crscore=64.509000 craction=boru crlevel=ptateve appcat=enderi service=ptatem srccountry=ptatevel dstcountry=tenatuse trandisp=psaqua tranip=10.241.132.176 tranport=7224 duration=167.705000 sentbyte=6595 rcvdbyte=7301 sentpkt=tame app=atione -date=2016-9-28 time=5:53:42 logver=vitaedic devid=orin devname=uii logid=estl type=sitam subtype=orem level=very-high vd=uuntur srcip=10.210.28.247 srcport=3449 srcintf=eth4185 dstip=10.237.180.17 dstport=3023 dstintf=lo7672 poluuid=tate sessionid=onevo proto=6 action=allow policyid=aeconseq 
trandisp=lor duration=96.560000 sentbyte=2760 rcvdbyte=1775 devtype=emqu osname=riss osversion=1.1847 mastersrcmac=sitvol srcmac=01:00:5e:a5:5a:54 crscore=129.120000 craction=olorsi crlevel=aliq eventtype=mes user=mven service=olorsit hostname=tore7088.www.invalid profile=ruredo reqtype=mac url=https://mail.example.org/ptassita/its.gif?risnis=uov#itlab direction=outbound msg=sBono method=loremqu cat=tetur catdesc=amvo device_id=siuta log_id=urmagn pri=low userfrom=uptat adminprof=idex timezone=GMT+02:00 main_type=tatione trigger_policy=nimveni sub_type=idi severity_level=ore policy=quid src=10.212.214.4 src_port=6040 dst=10.199.47.220 dst_port=4084 http_method=oin http_url=hil http_host=cingel http_agent=modocon http_session_id=ipsu signature_subclass=ntNeq signature_id=1081 srccountry=aUt content_switch_name=boNem server_pool_name=nturm false_positive_mitigation=emips user_name=atv monitor_status=onu http_refer=https://www5.example.net/alorum/obeataev.gif?atDu=nsec#quidolor http_version=oqu dev_id=naaliq threat_weight=remeu history_threat_weight=osquir threat_level=mod ftp_mode=col ftp_cmd=mve cipher_suite=liquide msg_id=odt -date=2016-10-12 time=12:56:16 logver=inv devid=rroq devname=rcit logid=aecatcup type=olabor subtype=estl level=very-high vd=citatio srcip=10.168.40.197 srcport=7699 srcintf=enp0s3071 dstip=10.206.69.135 dstport=6396 dstintf=eth3862 poluuid=utfug sessionid=aturQu proto=udp action=deny policyid=mipsamvo trandisp=eiusmod duration=91.147000 sentbyte=6153 rcvdbyte=4059 devtype=oreveri osname=ehende osversion=1.760 mastersrcmac=Except srcmac=01:00:5e:bf:07:ee crscore=45.760000 craction=dol crlevel=sciun eventtype=metcons user=itasper service=uae hostname=mve1890.internal.home profile=tatemU reqtype=mad url=https://www.example.org/redol/gnaa.htm?aliquamq=dtempori#toditaut direction=unknown msg=dexerc method=strumex cat=eprehend catdesc=asnu device_id=hitec log_id=henderit pri=medium userfrom=perspici adminprof=ationul timezone=PST main_type=itsedq 
trigger_policy=uto sub_type=emUte severity_level=molestia policy=quir src=10.46.56.204 src_port=2463 dst=10.234.165.130 dst_port=7079 http_method=umf http_url=quames http_host=dolorsit http_agent=archite http_session_id=remq signature_subclass=veniamq signature_id=1236 srccountry=uta content_switch_name=emo server_pool_name=itq false_positive_mitigation=derit user_name=orese monitor_status=dolor http_refer=https://mail.example.com/ntexpl/dunt.jpg?yCic=nder#mdolore http_version=Cic dev_id=olorema threat_weight=mollita history_threat_weight=tatem threat_level=iae ftp_mode=quido ftp_cmd=emip cipher_suite=inBC msg_id=mol -logver=turadipi date=2016-10-26 time=7:58:50 log_id=usmodi devid=ree devname=saquaea logid=ation type=luptas subtype=minim level=very-high vd=lorsi srcip=10.61.123.159 srcport=754 srcintf=eth7713 dstip=10.141.158.225 dstport=4690 dstintf=lo1586 poluuid=ate sessionid=idolor proto=1 action=block policyid=nreprehe trandisp=onse duration=71.505000 sentbyte=4010 rcvdbyte=4527 devtype=duntutla osname=ntium osversion=1.4450 mastersrcmac=asuntexp srcmac=01:00:5e:26:56:73 crscore=5.843000 craction=nse crlevel=modoc eventtype=boNem user=iumt service=tsed hostname=eturad6143.www.home profile=uamnihil reqtype=llam url=https://example.net/aparia/tatnon.jpg?rever=ore#offici direction=outbound msg=metco method=acom cat=ceroinB catdesc=nim device_id=utaliqu log_id=rsi pri=high userfrom=imadmi adminprof=isnis timezone=CEST main_type=olupta trigger_policy=tsuntinc sub_type=inrepreh severity_level=quovo policy=urExcep src=10.128.46.70 src_port=5269 dst=10.95.117.134 dst_port=1723 http_method=acommodi http_url=essecill http_host=billoi http_agent=moles http_session_id=dipiscin signature_subclass=olup signature_id=5976 srccountry=undeomni content_switch_name=accusa server_pool_name=natu false_positive_mitigation=liquid user_name=enim monitor_status=Finibus http_refer=https://www.example.org/xeacom/des.gif?umdolo=ntiu#radipisc http_version=Cice dev_id=taedi 
threat_weight=tquido history_threat_weight=ptasnula threat_level=oru ftp_mode=ill ftp_cmd=mporinc cipher_suite=onsectet msg_id=idolo -date=2016-11-10 time=3:01:24 logver=edolo devid=ugiatquo devname=ntium logid=uptate type=lloinven subtype=econs level=medium vd=tetura srcip=10.135.106.42 srcport=6602 srcintf=lo154 dstip=10.224.30.160 dstport=5302 dstintf=eth1247 poluuid=etconsec sessionid=caboNem proto=21 action=cancel policyid=rumetMal trandisp=oconse duration=2.970000 sentbyte=7685 rcvdbyte=1506 devtype=sequam osname=oditempo osversion=1.7544 mastersrcmac=taliqui srcmac=01:00:5e:98:79:a3 crscore=78.248000 craction=rcitat crlevel=dolorema eventtype=emagn user=radipis service=ctetu hostname=orinrep5386.www.corp profile=stenatus reqtype=equep url=https://www.example.com/tali/BCS.txt?iqu=niamqu#equamnih direction=inbound msg=autemv method=emq cat=plicaboN catdesc=amc device_id=vol log_id=admi pri=medium userfrom=culpaq adminprof=saute timezone=GMT+02:00 main_type=ende trigger_policy=abor sub_type=magnid severity_level=adol policy=iutal src=10.208.21.135 src_port=2721 dst=10.253.228.140 dst_port=6748 http_method=ugitse http_url=quiineav http_host=billoinv http_agent=sci http_session_id=col signature_subclass=obea signature_id=5700 srccountry=tatev content_switch_name=luptas server_pool_name=uptatem false_positive_mitigation=oinv user_name=inculp monitor_status=onofd http_refer=https://internal.example.org/nisiu/imad.html?ptatem=itasp#dexe http_version=tat dev_id=onproide threat_weight=ntmo history_threat_weight=loreeu threat_level=temse ftp_mode=aspernat ftp_cmd=ume cipher_suite=caecat msg_id=rautod -logver=ercitat date=2016-11-24 time=10:03:59 log_id=lapar devid=ritati devname=edquia logid=itesse type=mullam subtype=mexerc level=medium vd=amvolu srcip=10.120.231.161 srcport=1129 srcintf=lo653 dstip=10.210.62.203 dstport=4381 dstintf=lo3057 poluuid=ataevita sessionid=oremqu proto=6 action=cancel policyid=velitsed trandisp=magnaali duration=92.900000 sentbyte=3984 
rcvdbyte=4009 devtype=ulla osname=equatDu osversion=1.1710 mastersrcmac=aconse srcmac=01:00:5e:92:c2:23 crscore=20.350000 craction=squira crlevel=aliqui eventtype=ess user=uide service=scivel hostname=henderi724.www5.home profile=tquas reqtype=aquio url=https://www.example.com/iame/orroquis.htm?tiumd=ntmoll#mexer direction=internal msg=isnostru method=nofdeFi cat=aquioff catdesc=saqu device_id=remips log_id=illoi pri=medium userfrom=abori adminprof=uisnostr timezone=GMT+02:00 main_type=ilmole trigger_policy=ugi sub_type=niamquis severity_level=nisi policy=emveleum src=10.243.226.122 src_port=3512 dst=10.3.23.172 dst_port=7332 http_method=emullamc http_url=tec http_host=Nemo http_agent=tutlabo http_session_id=mveleum signature_subclass=liq signature_id=7229 srccountry=sBonorum content_switch_name=atems server_pool_name=quira false_positive_mitigation=tassita user_name=olorem monitor_status=sedquiac http_refer=https://www.example.com/atDuis/asnulapa.html?rumwri=velill#ore http_version=tation dev_id=loinve threat_weight=tatevel history_threat_weight=iumdolo threat_level=untu ftp_mode=ict ftp_cmd=squirati cipher_suite=tem msg_id=mestq -logver=luptate date=2016-12-8 time=5:06:33 log_id=llamc devid=eleumiu devname=uei logid=Nequepo type=radipis subtype=cive level=low vd=orumSec srcip=10.56.74.7 srcport=6149 srcintf=eth2940 dstip=10.73.10.215 dstport=2079 dstintf=lo3472 poluuid=oeni sessionid=untutlab proto=0 action=cancel policyid=consecte trandisp=pteurs duration=26.872000 sentbyte=617 rcvdbyte=1651 devtype=ons osname=tiaecon osversion=1.5380 mastersrcmac=unt srcmac=01:00:5e:99:7b:4a crscore=124.392000 craction=queporro crlevel=uid eventtype=snostrum user=psa service=nculpaq hostname=reseosqu1629.mail.lan profile=utemvel reqtype=epteur url=https://www.example.net/iame/laudanti.htm?stquido=rsitvolu#mnisi direction=external msg=uameiusm method=adm cat=gelitsed catdesc=tiumto device_id=cor log_id=odoco pri=high userfrom=labore adminprof=ianonnu timezone=PST main_type=rum 
trigger_policy=erc sub_type=ehende severity_level=tutla policy=licaboNe src=10.94.242.80 src_port=2724 dst=10.106.85.174 dst_port=307 http_method=atiset http_url=serror http_host=onse http_agent=umquam http_session_id=emagn signature_subclass=emulla signature_id=1963 srccountry=iquaUt content_switch_name=mnihilm server_pool_name=redo false_positive_mitigation=etMaloru user_name=lmo monitor_status=iquidex http_refer=https://www.example.org/remipsu/tan.html?mcorpor=doconse#etdol http_version=dolorsi dev_id=nturmag threat_weight=tura history_threat_weight=osquirat threat_level=equat ftp_mode=aliquid ftp_cmd=usantiu cipher_suite=idunt msg_id=atqu -logver=liquam dtime=2016-12-23 00:09:07.712538723 +0000 UTC devid=min devname=oluptat vd=odt date=2016-12-23 time=12:09:07 logid=rspici type=snisi subtype=magnaal level=low eventtime=etquasia logtime=nula srcip=10.117.63.181 srcport=5299 srcintf=lo7416 srcintfrole=Cicero dstip=10.247.53.179 dstport=6493 dstintf=lo3706 dstintfrole=atemaccu poluuid=veritat sessionid=aliquipe proto=3 action=block policyid=aer policytype=osquira crscore=171.144000 craction=minim crlevel=scipi appcat=tur service=acon srccountry=Nemoenim dstcountry=usm trandisp=labori tranip=10.168.20.20 tranport=68 duration=167.038000 sentbyte=7188 rcvdbyte=5749 sentpkt=xeac app=umdolors -logver=uiadolo date=2017-1-6 time=7:11:41 log_id=empor devid=umexerci devname=duntut logid=uovol type=prehend subtype=eufug level=low vd=eufug srcip=10.100.53.8 srcport=4318 srcintf=eth5767 dstip=10.163.17.172 dstport=854 dstintf=enp0s3903 poluuid=upta sessionid=atc proto=3 action=block policyid=upta trandisp=itessequ duration=165.935000 sentbyte=4211 rcvdbyte=405 devtype=exerci osname=idata osversion=1.2208 mastersrcmac=usmod srcmac=01:00:5e:c0:47:f3 crscore=135.374000 craction=isiutali crlevel=iquidexe eventtype=illumq user=luptatem service=ite hostname=tasnul4179.internal.host profile=amvo reqtype=tnul url=https://www.example.org/ess/quiad.jpg?ten=litanim#rQuisaut 
direction=inbound msg=modico method=metco cat=cillu catdesc=iuntNeq device_id=eddoei log_id=rsin pri=very-high userfrom=eriam adminprof=pernat timezone=CEST main_type=imve trigger_policy=essequam sub_type=ueporro severity_level=aliqu policy=upt src=10.141.156.217 src_port=2700 dst=10.53.168.187 dst_port=73 http_method=emacc http_url=emp http_host=lamcola http_agent=veli http_session_id=venia signature_subclass=risni signature_id=1535 srccountry=uat content_switch_name=onemulla server_pool_name=riaturEx false_positive_mitigation=deri user_name=amqu monitor_status=lorsitam http_refer=https://api.example.org/onpr/litseddo.gif?oremqu=idex#radip http_version=upta dev_id=tetura threat_weight=rumet history_threat_weight=uptasnul threat_level=antiumdo ftp_mode=ecill ftp_cmd=iduntu cipher_suite=pisci msg_id=sunt -date=2017-1-20 time=2:14:16 devname=oco device_id=aboree log_id=ainci type=generic subtype=osqu pri=very-high devid=sus devname=imavenia logid=expli type=ugiat subtype=rnat level=low vd=orem srcip=10.37.174.58 srcport=3193 srcintf=lo2990 dstip=10.249.60.66 dstport=4859 dstintf=enp0s1732 poluuid=eve sessionid=tco proto=3 action=accept policyid=oluptate trandisp=lit duration=70.988000 sentbyte=6327 rcvdbyte=837 devtype=oquisqu osname=turadip osversion=1.3402 mastersrcmac=amc srcmac=01:00:5e:dd:dc:44 crscore=160.379000 craction=apar crlevel=runtm eventtype=eturadip user=olorsi service=itseddo hostname=bore5546.www.local profile=labo reqtype=lpaquiof url=https://example.com/xeac/llitanim.txt?oreverit=scip#Finibus direction=inbound msg=eufugia method=ncididun cat=hen catdesc=periamea device_id=itametco log_id=vel pri=high userfrom=rere adminprof=pta timezone=CEST main_type=equeporr trigger_policy=met sub_type=volup severity_level=ptate policy=entsu src=10.44.198.184 src_port=5695 dst=10.189.82.19 dst_port=4267 http_method=odoc http_url=atura http_host=tur http_agent=tur http_session_id=atnonpr signature_subclass=ita signature_id=7570 srccountry=colabori 
content_switch_name=imidestl server_pool_name=piscing false_positive_mitigation=ceroi user_name=iconsequ monitor_status=iat http_refer=https://www.example.net/siuta/atev.htm?CSe=exerci#inesciu http_version=quid dev_id=atcupid threat_weight=onse history_threat_weight=psa threat_level=ate ftp_mode=con ftp_cmd=tqu cipher_suite=eirur msg_id=dese -logver=mquisnos date=2017-2-3 time=9:16:50 log_id=lore devid=isci devname=Dui logid=reetdo type=ever subtype=civelits level=high vd=quiav srcip=10.154.34.15 srcport=5986 srcintf=enp0s4064 dstip=10.153.172.249 dstport=7030 dstintf=enp0s3067 poluuid=henderit sessionid=remq proto=21 action=cancel policyid=tla trandisp=arch duration=52.795000 sentbyte=5453 rcvdbyte=3097 devtype=ror osname=onsecte osversion=1.91 mastersrcmac=aecatcup srcmac=01:00:5e:58:7e:f5 crscore=133.560000 craction=quas crlevel=occaeca eventtype=eturadip user=ent service=rumSecti hostname=Utenima260.mail.invalid profile=cept reqtype=aedictas url=https://api.example.org/orio/gna.gif?aaliquaU=olu#iameaque direction=external msg=essequa method=aquio cat=rspicia catdesc=deom device_id=oluptat log_id=roinBCSe pri=medium userfrom=onproide adminprof=uamnih timezone=GMT+02:00 main_type=tatisetq trigger_policy=uidolo sub_type=umdolore severity_level=dmi policy=tam src=10.151.170.207 src_port=1400 dst=10.181.183.104 dst_port=5554 http_method=amni http_url=tatio http_host=amquisno http_agent=modoc http_session_id=magnam signature_subclass=uinesc signature_id=4248 srccountry=idatat content_switch_name=onev server_pool_name=orsi false_positive_mitigation=ntsunt user_name=iosamni monitor_status=idu http_refer=https://example.net/idolo/reet.txt?its=umdolor#isiu http_version=assi dev_id=eserun threat_weight=rvelill history_threat_weight=lupta threat_level=byC ftp_mode=imadm ftp_cmd=uta cipher_suite=tisu msg_id=remagnam -logver=iumdo date=2017-2-18 time=4:19:24 log_id=iusmodit devid=aturv devname=ectetura logid=obeataev type=umf subtype=olesti level=low vd=quaeabil 
srcip=10.19.99.129 srcport=956 srcintf=eth62 dstip=10.205.132.218 dstport=1643 dstintf=enp0s5908 poluuid=inim sessionid=etdol proto=17 action=deny policyid=oremeumf trandisp=lesti duration=49.961000 sentbyte=3376 rcvdbyte=6209 devtype=enima osname=tnulapar osversion=1.7278 mastersrcmac=sequ srcmac=01:00:5e:4a:1d:f8 crscore=84.522000 craction=tionula crlevel=accus eventtype=uatu user=mquis service=lab hostname=uido2046.mail.lan profile=tena reqtype=aal url=https://mail.example.org/nimadmin/lumqui.txt?iquip=tinculpa#umtota direction=external msg=rumSecti method=riamea cat=eca catdesc=oluptate device_id=Duisa log_id=consequa pri=low userfrom=iaecon adminprof=aevitaed timezone=PT main_type=rep trigger_policy=remap sub_type=deri severity_level=quaeratv policy=involu src=10.70.7.23 src_port=2758 dst=10.130.240.11 dst_port=6515 http_method=odic http_url=iuta http_host=liquaUte http_agent=scivelit http_session_id=Nequ signature_subclass=quid signature_id=1044 srccountry=lloinve content_switch_name=borisnis server_pool_name=onorumet false_positive_mitigation=ptatema user_name=eavolup monitor_status=ipsumq http_refer=https://www.example.org/tno/iss.gif?ptatev=atu#teturad http_version=eturad dev_id=tDuis threat_weight=mwritten history_threat_weight=tat threat_level=equ ftp_mode=sumdolo ftp_cmd=idolorem cipher_suite=temvele msg_id=oremque -logver=inimve devname="uio" devid="mexercit" vd=byC date=2017-3-4 time=11:21:59 logid=uae type=oremip subtype=its level=very-high eventtime=iavol logtime=natuserr srcip=10.37.161.101 srcport=1552 srcintf=enp0s6659 srcintfrole=evit dstip=10.111.182.212 dstport=4493 dstintf=lo6533 dstintfrole=lamco poluuid=tion sessionid=hender proto=icmp action=deny policyid=seq policytype=rumSe crscore=88.660000 craction=madmi crlevel=tlabore appcat=idunt service=expl srccountry=olore dstcountry=uian trandisp=atuserro tranip=10.17.209.252 tranport=2119 duration=135.770000 sentbyte=313 rcvdbyte=6509 sentpkt=oinBCS app=itsedd -logver=ipis devname="itautfu" 
devid="nesci" vd=tam date=2017-3-18 time=6:24:33 logid=sin type=idexeac subtype=nimadmin level=medium eventtime=edutper logtime=tevelite srcip=10.158.175.98 srcport=1491 srcintf=enp0s7649 srcintfrole=oinBCSed dstip=10.170.196.181 dstport=6994 dstintf=enp0s5873 dstintfrole=obeatae poluuid=iquid sessionid=evo proto=udp action=allow policyid=mqu policytype=pteursi crscore=98.596000 craction=expl crlevel=essecill appcat=totamre service=rpo srccountry=velites dstcountry=nonpro trandisp=nula tranip=10.153.166.133 tranport=4638 duration=39.506000 sentbyte=6610 rcvdbyte=1936 sentpkt=olu app=imide -date=2017-4-2 time=1:27:07 logver=amn devid=itessequ devname=porissu logid=umd type=sumd subtype=sectetur level=low vd=aUtenima srcip=10.62.10.137 srcport=5596 srcintf=lo6539 dstip=10.138.249.251 dstport=630 dstintf=eth1576 poluuid=deritinv sessionid=evelite proto=6 action=accept policyid=stiaecon trandisp=usBono duration=155.835000 sentbyte=3942 rcvdbyte=5360 devtype=ttenb osname=olor osversion=1.5978 mastersrcmac=lapa srcmac=01:00:5e:b0:3e:44 crscore=105.845000 craction=lors crlevel=oluptat eventtype=enimad user=tis service=qua hostname=con6049.internal.lan profile=quelaud reqtype=luptat url=https://internal.example.com/temse/caecat.jpg?emeu=tatemac#quisn direction=inbound msg=teursint method=etMa cat=llita catdesc=ntsunt device_id=nturmag log_id=uredol pri=high userfrom=temsequi adminprof=mquia timezone=ET main_type=enbyCic trigger_policy=iveli sub_type=conseq severity_level=itame policy=tenat src=10.63.171.91 src_port=4396 dst=10.48.25.200 dst_port=5179 http_method=nse http_url=mveniam http_host=tuser http_agent=mmo http_session_id=eve signature_subclass=nbyCicer signature_id=6129 srccountry=ciad content_switch_name=ugiatqu server_pool_name=eruntmo false_positive_mitigation=nimve user_name=usanti monitor_status=ion http_refer=https://mail.example.org/gelits/iavo.txt?udexerc=ovolupta#volup http_version=macc dev_id=ria threat_weight=beat history_threat_weight=rro 
threat_level=tuser ftp_mode=ctasu ftp_cmd=irat cipher_suite=sitame msg_id=oinven -logver=ute dtime=2017-04-16 08:29:41.792538723 +0000 UTC devid=mexer devname=iam vd=Bonoru date=2017-4-16 time=8:29:41 logid=rcitati type=nula subtype=ameaquei level=low eventtime=adipi logtime=mquis srcip=10.174.17.46 srcport=2743 srcintf=eth6814 srcintfrole=ine dstip=10.77.105.81 dstport=4455 dstintf=enp0s7799 dstintfrole=orem poluuid=giatqu sessionid=rsint proto=udp action=allow policyid=paq policytype=uianon crscore=60.762000 craction=uisautem crlevel=mquameiu appcat=loremq service=turmagni srccountry=ores dstcountry=ddoe trandisp=uid tranip=10.38.168.190 tranport=7260 duration=129.140000 sentbyte=368 rcvdbyte=7791 sentpkt=incidi app=aedictas -logver=temaccus devname="ons" devid="unt" vd=liq date=2017-4-30 time=3:32:16 logid=abore type=iumdo subtype=oreeu level=high eventtime=exe logtime=tis srcip=10.36.99.207 srcport=4829 srcintf=lo497 srcintfrole=tvol dstip=10.225.37.73 dstport=5630 dstintf=eth1882 dstintfrole=eniamqu poluuid=iumt sessionid=porissus proto=udp action=cancel policyid=tsunt policytype=rnat crscore=88.508000 craction=ured crlevel=ctetu appcat=oreeu service=uasiarch srccountry=Malor dstcountry=boriosa trandisp=cillumdo tranip=10.166.142.198 tranport=4151 duration=1.040000 sentbyte=465 rcvdbyte=7663 sentpkt=oreetd app=lor -logver=etc devname="eturadip" devid="nost" vd=atus date=2017-5-14 time=10:34:50 logid=tassitas type=obea subtype=velite level=medium eventtime=litse logtime=san srcip=10.66.90.225 srcport=4846 srcintf=lo4891 srcintfrole=moenimi dstip=10.214.156.161 dstport=3854 dstintf=eth1188 dstintfrole=ati poluuid=rauto sessionid=doloreeu proto=6 action=block policyid=eumfu policytype=docons crscore=3.408000 craction=eumf crlevel=roquisq appcat=uasi service=maveniam srccountry=uis dstcountry=lill trandisp=remeum tranip=10.145.194.12 tranport=1001 duration=25.398000 sentbyte=6452 rcvdbyte=6820 sentpkt=aturE app=umto -logver=pariat devname="iutal" devid="teturad" 
vd=ese date=2017-5-29 time=5:37:24 logid=eddoei type=lorumw subtype=eca level=medium eventtime=nimve logtime=duntut srcip=10.6.242.108 srcport=3373 srcintf=lo3230 srcintfrole=qua dstip=10.156.208.5 dstport=7612 dstintf=lo1800 dstintfrole=quisn poluuid=pteu sessionid=uatD proto=0 action=cancel policyid=antiu policytype=velillum crscore=166.389000 craction=iatquovo crlevel=lapari appcat=Mal service=itinvo srccountry=snulap dstcountry=cidu trandisp=hilmol tranip=10.163.36.101 tranport=253 duration=72.488000 sentbyte=1880 rcvdbyte=4638 sentpkt=ident app=scip -date=2017-6-12 time=12:39:58 devname=uamqu device_id=iusmodi log_id=esciun type=generic subtype=tasnul pri=medium devid=ccusant devname=epteurs logid=rmag type=quisquam subtype=eporroqu level=very-high vd=dit srcip=10.25.134.171 srcport=7867 srcintf=eth4543 dstip=10.43.235.230 dstport=2198 dstintf=lo4581 poluuid=BCSe sessionid=rem proto=0 action=allow policyid=eeufug trandisp=ntin duration=6.686000 sentbyte=5763 rcvdbyte=1048 devtype=cinge osname=tatem osversion=1.4713 mastersrcmac=eritqu srcmac=01:00:5e:ed:6b:57 crscore=10.603000 craction=nimip crlevel=iutaliq eventtype=olore user=onemul service=trudexe hostname=remeum2641.www5.corp profile=Quisa reqtype=quiav url=https://www5.example.com/elit/sam.htm?nevolu=unt#isni direction=outbound msg=ecillum method=olor cat=amei catdesc=doconseq device_id=conseq log_id=emve pri=very-high userfrom=tiu adminprof=wri timezone=GMT-07:00 main_type=asper trigger_policy=dictasun sub_type=psa severity_level=lorese policy=olupta src=10.220.148.127 src_port=6681 dst=10.68.233.163 dst_port=3126 http_method=itanimi http_url=onoru http_host=data http_agent=ugits http_session_id=ittenb signature_subclass=tobeatae signature_id=5617 srccountry=quis content_switch_name=exe server_pool_name=naa false_positive_mitigation=equat user_name=estiaec monitor_status=pitlabo http_refer=https://example.net/rcitat/ree.htm?ionofdeF=rsp#imipsa http_version=nostrum dev_id=autodita threat_weight=ntut 
history_threat_weight=temveleu threat_level=itametco ftp_mode=etcons ftp_cmd=etco cipher_suite=iuntN msg_id=utfugi -logver=isnostru date=2017-6-26 time=7:42:33 log_id=nul devid=ntocca devname=trudex logid=tvol type=lup subtype=mipsamv level=medium vd=qua srcip=10.249.194.7 srcport=4987 srcintf=enp0s2282 dstip=10.57.116.17 dstport=90 dstintf=enp0s7442 poluuid=xcep sessionid=gnidol proto=0 action=allow policyid=uaeab trandisp=ptat duration=136.310000 sentbyte=1078 rcvdbyte=6196 devtype=eturadip osname=amquaera osversion=1.4481 mastersrcmac=equ srcmac=01:00:5e:00:fd:79 crscore=18.750000 craction=olesti crlevel=edquia eventtype=ihi user=undeomn service=ape hostname=itaspe3216.localdomain profile=onsecte reqtype=prehende url=https://example.org/porro/issu.htm?inculpa=ruredol#iadeseru direction=unknown msg=numq method=quae cat=periam catdesc=ain device_id=umiurer log_id=mquido pri=very-high userfrom=onorume adminprof=abill timezone=GMT+02:00 main_type=uov trigger_policy=mini sub_type=mve severity_level=tionev policy=uasiarch src=10.116.82.108 src_port=7276 dst=10.94.177.125 dst_port=6683 http_method=nimides http_url=olorsit http_host=naaliq http_agent=plica http_session_id=asiarc signature_subclass=lor signature_id=5152 srccountry=snula content_switch_name=pici server_pool_name=bori false_positive_mitigation=dipi user_name=ecatc monitor_status=quovolu http_refer=https://example.net/itse/sse.gif?lupt=quatur#dminim http_version=ptatevel dev_id=aperiame threat_weight=stenat history_threat_weight=uianonnu threat_level=tatiset ftp_mode=quira ftp_cmd=ciatisun cipher_suite=duntutl msg_id=nven -date=2017-7-11 time=2:45:07 devname=saq device_id=asiarch log_id=ssuscipi type=generic subtype=utla pri=medium devid=tquovo devname=fugi logid=nse type=nesciu subtype=todit level=very-high vd=inrepreh srcip=10.14.192.162 srcport=2536 srcintf=enp0s4429 dstip=10.179.128.6 dstport=3375 dstintf=enp0s4580 poluuid=ptate sessionid=volupta proto=3 action=cancel policyid=utla trandisp=emi 
duration=171.651000 sentbyte=3313 rcvdbyte=7131 devtype=velites osname=oloremi osversion=1.4442 mastersrcmac=apari srcmac=01:00:5e:0c:fb:2b crscore=140.065000 craction=uel crlevel=fficiad eventtype=teirured user=nostru service=rcit hostname=mea6298.api.example profile=eumiu reqtype=tatevel url=https://mail.example.org/uamquaer/texplica.gif?sequa=lorum#suntexpl direction=inbound msg=Sedut method=tatis cat=audant catdesc=obeata device_id=uredol log_id=uptat pri=low userfrom=entorev adminprof=quuntur timezone=GMT+02:00 main_type=exercit trigger_policy=dexer sub_type=idolor severity_level=onpr policy=uira src=10.115.121.243 src_port=550 dst=10.113.152.241 dst_port=2330 http_method=ali http_url=udexerci http_host=uae http_agent=imveni http_session_id=econ signature_subclass=aborio signature_id=1122 srccountry=setquas content_switch_name=nbyCi server_pool_name=runtmoll false_positive_mitigation=busBon user_name=norumetM monitor_status=isno http_refer=https://internal.example.com/ameaq/Quis.html?lestiae=iav#umiure http_version=isiut dev_id=tin threat_weight=rporiss history_threat_weight=billoinv threat_level=etconse ftp_mode=nesciu ftp_cmd=mali cipher_suite=roinBCSe msg_id=eetdolor -date=2017-7-25 time=9:47:41 logver=upt devid=equamni devname=atcupi logid=enima type=uptateve subtype=fugitsed level=medium vd=lorem srcip=10.68.159.207 srcport=3320 srcintf=enp0s7206 dstip=10.139.195.188 dstport=893 dstintf=enp0s6960 poluuid=lits sessionid=tvolu proto=17 action=accept policyid=ollitan trandisp=temseq duration=0.684000 sentbyte=3045 rcvdbyte=6863 devtype=edictasu osname=eturadi osversion=1.3804 mastersrcmac=edquiano srcmac=01:00:5e:09:79:f2 crscore=11.231000 craction=taevitae crlevel=tevel eventtype=tatemse user=gitsed service=agn hostname=iqu7510.internal.corp profile=equeporr reqtype=amremap url=https://www5.example.org/aqu/utemvele.gif?serrorsi=tsedquia#rsit direction=unknown msg=ntutlabo method=idex cat=nihilmo catdesc=reetdo device_id=xeaco log_id=taliqu pri=medium 
userfrom=hite adminprof=umfugi timezone=CT main_type=dminimve trigger_policy=remips sub_type=laboreet severity_level=uptate policy=tot src=10.49.82.45 src_port=435 dst=10.179.153.97 dst_port=1908 http_method=ade http_url=nihilmol http_host=nder http_agent=ano http_session_id=rumexer signature_subclass=eab signature_id=2387 srccountry=saquaeab content_switch_name=eli server_pool_name=rissusci false_positive_mitigation=ectetur user_name=dictasun monitor_status=inimv http_refer=https://api.example.org/volup/untNeq.htm?mremaper=uteirur#ntium http_version=ide dev_id=quunturm threat_weight=quovo history_threat_weight=quaturve threat_level=ntiumdol ftp_mode=conse ftp_cmd=aturve cipher_suite=edqui msg_id=tvolu -logver=ore devname="lors" devid="saute" vd=ecillumd date=2017-8-8 time=4:50:15 logid=iumto type=sequatu subtype=tiumtot level=medium eventtime=mdoloree logtime=que srcip=10.98.52.184 srcport=7402 srcintf=eth3784 srcintfrole=ita dstip=10.99.55.115 dstport=1537 dstintf=eth855 dstintfrole=isnostru poluuid=iad sessionid=ngelits proto=tcp action=accept policyid=billoi policytype=reseo crscore=158.047000 craction=uov crlevel=pariat appcat=icaboNe service=boreetd srccountry=uir dstcountry=rumex trandisp=ectobea tranip=10.205.83.138 tranport=6239 duration=170.113000 sentbyte=3290 rcvdbyte=722 sentpkt=ibus app=lumdol -logver=onnu devname="reprehe" devid="metMa" vd=emoen date=2017-8-22 time=11:52:50 logid=ptate type=mipsumqu subtype=turad level=high eventtime=billo logtime=doloremi srcip=10.197.128.162 srcport=2052 srcintf=lo6750 srcintfrole=ionof dstip=10.90.189.248 dstport=1293 dstintf=lo2402 dstintfrole=roi poluuid=reh sessionid=volup proto=prm action=allow policyid=iconsequ policytype=ueporr crscore=127.832000 craction=archite crlevel=tur appcat=ddo service=emp srccountry=inBC dstcountry=did trandisp=atcupi tranip=10.228.11.50 tranport=984 duration=3.401000 sentbyte=6907 rcvdbyte=422 sentpkt=mcol app=tion -date=2017-9-6 time=6:55:24 devname=moll device_id=roinBCS 
log_id=odit type=event subtype=vol pri=low desc=aloru user=cteturad userfrom=modi msg=cip action=deny adom=ntoccae2859.www.test session_id=incididu -date=2017-9-20 time=1:57:58 devname=uinesci device_id=otamr log_id=tsed type=generic subtype=rExc pri=medium devid=saute devname=umdol logid=rerepr type=ipiscin subtype=trudexe level=high vd=ineavol srcip=10.29.34.211 srcport=5638 srcintf=eth1805 dstip=10.161.15.82 dstport=6598 dstintf=enp0s5799 poluuid=aco sessionid=eFini proto=17 action=cancel policyid=mipsa trandisp=uas duration=118.122000 sentbyte=1737 rcvdbyte=6283 devtype=umexe osname=xce osversion=1.7318 mastersrcmac=suntex srcmac=01:00:5e:5b:68:89 crscore=29.865000 craction=rcitati crlevel=siutali eventtype=uiratio user=ficia service=orsit hostname=deFinibu3940.internal.lan profile=rautod reqtype=onorumet url=https://www5.example.com/etcon/chit.txt?erspici=itinvolu#adeserun direction=unknown msg=tinv method=Utenima cat=nse catdesc=umq device_id=enim log_id=oreve pri=low userfrom=snisiu adminprof=atem timezone=ET main_type=vento trigger_policy=litsed sub_type=ciun severity_level=rehender policy=tetura src=10.124.71.88 src_port=7540 dst=10.22.248.52 dst_port=6566 http_method=cons http_url=tinvolu http_host=ptat http_agent=amquisn http_session_id=Finibus signature_subclass=nsequat signature_id=3661 srccountry=scipi content_switch_name=rem server_pool_name=reh false_positive_mitigation=rsitame user_name=tcons monitor_status=squamest http_refer=https://mail.example.com/emveleum/siuta.html?ate=epteur#onproi http_version=usmodit dev_id=orese threat_weight=umdolore history_threat_weight=umqui threat_level=adipisci ftp_mode=eir ftp_cmd=ull cipher_suite=tlabor msg_id=itecto -date=2017-10-4 time=9:00:32 logver=ametcons devid=velite devname=ipexeac logid=explicab type=samvolu subtype=teiru level=low vd=orinrep srcip=10.228.213.136 srcport=7247 srcintf=lo1719 dstip=10.185.107.27 dstport=2257 dstintf=enp0s4999 poluuid=iduntutl sessionid=mipsumd proto=udp action=block 
policyid=quelauda trandisp=rcit duration=166.303000 sentbyte=7229 rcvdbyte=6230 devtype=orese osname=evelite osversion=1.4895 mastersrcmac=oremipsu srcmac=01:00:5e:cd:f6:0e crscore=37.237000 craction=equunt crlevel=mto eventtype=iae user=dent service=Uten hostname=tatiset4191.localdomain profile=aconseq reqtype=mquamei url=https://api.example.org/fug/liquid.txt?ptate=lloi#nseq direction=external msg=isetqua method=ianonn cat=oluptas catdesc=doe device_id=quipex log_id=rchitect pri=very-high userfrom=Bonor adminprof=ipex timezone=PT main_type=upta trigger_policy=ivel sub_type=tmollita severity_level=tionofd policy=iatnula src=10.185.37.176 src_port=1859 dst=10.26.58.20 dst_port=2809 http_method=essequam http_url=undeo http_host=ficiade http_agent=uiinea http_session_id=uianonn signature_subclass=eavolupt signature_id=784 srccountry=elitsedq content_switch_name=liquam server_pool_name=sinto false_positive_mitigation=edi user_name=eumiure monitor_status=ore http_refer=https://internal.example.com/mSe/sis.gif?rchite=rcit#orumwri http_version=tiae dev_id=giat threat_weight=nculpa history_threat_weight=olupt threat_level=tvol ftp_mode=ostru ftp_cmd=mea cipher_suite=tuserror msg_id=agnama -logver=deritq dtime=2017-10-19 04:03:07.172538723 +0000 UTC devid=boreetdo devname=teni vd=iin date=2017-10-19 time=4:03:07 logid=nostr type=luptatem subtype=tNequepo level=low eventtime=eumfug logtime=sper srcip=10.200.12.126 srcport=2347 srcintf=enp0s7374 srcintfrole=liqu dstip=10.14.145.107 dstport=4362 dstintf=enp0s7861 dstintfrole=aliq poluuid=utem sessionid=oreetd proto=HOPOPT action=block policyid=Nequepo policytype=edictas crscore=55.933000 craction=tur crlevel=borisnis appcat=elitsedd service=hitecto srccountry=loremi dstcountry=nven trandisp=isci tranip=10.250.231.196 tranport=5863 duration=4.105000 sentbyte=2763 rcvdbyte=5047 sentpkt=aquioff app=cip -logver=onsequat dtime=2017-11-02 11:05:41.432538723 +0000 UTC devid=tiumd devname=atuse vd=imad date=2017-11-2 time=11:05:41 
logid=tura type=equuntur subtype=rve level=high eventtime=mqua logtime=xer srcip=10.225.34.176 srcport=5569 srcintf=lo2867 srcintfrole=amquisn dstip=10.21.203.112 dstport=5930 dstintf=enp0s1294 dstintfrole=sum poluuid=lloinve sessionid=eni proto=HOPOPT action=cancel policyid=edquiac policytype=psamvolu crscore=80.314000 craction=unturma crlevel=iavol appcat=psumdol service=urautodi srccountry=equamni dstcountry=fugia trandisp=uptate tranip=10.103.36.192 tranport=1974 duration=129.001000 sentbyte=2801 rcvdbyte=2565 sentpkt=imidest app=citation -logver=nof devname="usantiu" devid="periam" vd=remip date=2017-11-16 time=6:08:15 logid=dexea type=aturExc subtype=antiumto level=low eventtime=obe logtime=niamqu srcip=10.140.59.161 srcport=3599 srcintf=eth575 srcintfrole=tev dstip=10.5.67.140 dstport=5687 dstintf=enp0s6143 dstintfrole=intoc poluuid=obeataev sessionid=rrorsit proto=udp action=accept policyid=umquid policytype=olabo crscore=79.046000 craction=dolor crlevel=rsp appcat=quir service=giatqu srccountry=olors dstcountry=roid trandisp=lorum tranip=10.118.111.183 tranport=5410 duration=96.462000 sentbyte=6821 rcvdbyte=6222 sentpkt=mipsu app=nvol -date=2017-12-1 time=1:10:49 logver=llu devid=quaUt devname=labor logid=oris type=tatemse subtype=uta level=very-high vd=tse srcip=10.170.104.148 srcport=5722 srcintf=lo259 dstip=10.60.92.40 dstport=5836 dstintf=enp0s4446 poluuid=dicons sessionid=BCSedutp proto=udp action=accept policyid=ritatise trandisp=nihilm duration=104.607000 sentbyte=6659 rcvdbyte=5351 devtype=isauteir osname=eritquii osversion=1.4493 mastersrcmac=uisno srcmac=01:00:5e:e9:ec:d5 crscore=34.736000 craction=itaed crlevel=invol eventtype=Loremips user=cidun service=tassitas hostname=nimadmi4084.api.home profile=eufugia reqtype=nor url=https://example.net/aturQui/tquii.html?uiac=squ#litess direction=unknown msg=involupt method=itempo cat=upt catdesc=rve device_id=amq log_id=abillo pri=high userfrom=ationem adminprof=Nem timezone=OMST main_type=ollita 
trigger_policy=dipisci sub_type=amnisiu severity_level=ptat policy=epr src=10.7.70.169 src_port=2514 dst=10.28.212.191 dst_port=1997 http_method=nostru http_url=Loremip http_host=veleumiu http_agent=rcita http_session_id=turad signature_subclass=sequamni signature_id=4799 srccountry=ollita content_switch_name=ectetu server_pool_name=radi false_positive_mitigation=ula user_name=itsed monitor_status=rad http_refer=https://internal.example.com/ididu/autodit.gif?seru=oriss#imadmin http_version=suntexpl dev_id=urve threat_weight=sBonoru history_threat_weight=everi threat_level=squ ftp_mode=emagnaal ftp_cmd=nih cipher_suite=ncididu msg_id=itati -date=2017-12-15 time=8:13:24 logver=estla devid=ione devname=ecillum logid=maccu type=ame subtype=pitlabo level=very-high vd=urExc srcip=10.37.124.214 srcport=6919 srcintf=lo7727 dstip=10.37.111.228 dstport=7082 dstintf=enp0s20 poluuid=dmini sessionid=tquid proto=17 action=block policyid=iatisun trandisp=cto duration=144.899000 sentbyte=2372 rcvdbyte=7417 devtype=imadmini osname=iatisund osversion=1.6506 mastersrcmac=aUtenim srcmac=01:00:5e:28:0c:11 crscore=172.422000 craction=etdol crlevel=sed eventtype=uep user=ametco service=nde hostname=reprehe3525.www5.example profile=mquisno reqtype=eaco url=https://mail.example.org/mvele/teveli.htm?Nequepor=luptate#aturvel direction=internal msg=dexea method=sedquia cat=litesse catdesc=ntmo device_id=aliqu log_id=iqu pri=very-high userfrom=ationula adminprof=doconse timezone=CEST main_type=oreeufug trigger_policy=ptatems sub_type=tenima severity_level=emagnam policy=iaco src=10.148.197.60 src_port=5711 dst=10.143.144.52 dst_port=974 http_method=nvo http_url=lab http_host=sedqui http_agent=iuntNe http_session_id=tdolor signature_subclass=Ute signature_id=2191 srccountry=uepor content_switch_name=umSecti server_pool_name=eabil false_positive_mitigation=ibusB user_name=rporis monitor_status=etco http_refer=https://example.org/ereprehe/olu.html?liqu=ipsu#siarch http_version=itautfu 
dev_id=rrorsi threat_weight=ole history_threat_weight=odi threat_level=tper ftp_mode=olor ftp_cmd=corpo cipher_suite=commod msg_id=iumd -logver=aborisn dtime=2017-12-29 15:15:58.472538723 +0000 UTC devid=onproid devname=sitv vd=equam date=2017-12-29 time=3:15:58 logid=bor type=ameaquei subtype=aeca level=very-high eventtime=aperiam logtime=ngelit srcip=10.217.145.137 srcport=5242 srcintf=enp0s6940 srcintfrole=orema dstip=10.22.149.132 dstport=7725 dstintf=lo7156 dstintfrole=neavolup poluuid=lits sessionid=Nemoen proto=0 action=block policyid=rur policytype=quaturve crscore=166.007000 craction=oeiusmod crlevel=uidolore appcat=iacon service=ncu srccountry=quaturve dstcountry=ciad trandisp=diconseq tranip=10.251.183.113 tranport=2604 duration=161.433000 sentbyte=5697 rcvdbyte=7299 sentpkt=eseosqu app=uptatem -logver=uamnihil devname="nisi" devid="imadm" vd=siutali date=2018-1-12 time=10:18:32 logid=mfugi type=ceroinBC subtype=lorumw level=low eventtime=squir logtime=commod srcip=10.183.16.252 srcport=3150 srcintf=lo6718 srcintfrole=eabillo dstip=10.203.66.175 dstport=3904 dstintf=enp0s3868 dstintfrole=dipisciv poluuid=nsequun sessionid=hen proto=icmp action=accept policyid=velillum policytype=itamet crscore=123.013000 craction=hil crlevel=itl appcat=idolo service=ncidid srccountry=oid dstcountry=iarchit trandisp=volupt tranip=10.51.60.203 tranport=5315 duration=165.955000 sentbyte=7551 rcvdbyte=1519 sentpkt=ten app=Utenim -date=2018-1-27 time=5:21:06 logver=uasiarch devid=iamquisn devname=magnama logid=reprehe type=citatio subtype=dolo level=medium vd=esciunt srcip=10.133.245.26 srcport=1727 srcintf=enp0s2674 dstip=10.76.87.30 dstport=2858 dstintf=enp0s2918 poluuid=remag sessionid=roinBCSe proto=HOPOPT action=accept policyid=labori trandisp=ditau duration=39.920000 sentbyte=5413 rcvdbyte=6650 devtype=tam osname=olu osversion=1.409 mastersrcmac=iut srcmac=01:00:5e:5c:c2:50 crscore=69.137000 craction=boris crlevel=ris eventtype=nisiuta user=utper service=uipexe 
hostname=ursint411.www.lan profile=gnamali reqtype=iumdo url=https://example.org/tem/iadeseru.jpg?olorsita=odoco#etc direction=internal msg=lamco method=natuser cat=Excepteu catdesc=omnis device_id=tati log_id=orinc pri=very-high userfrom=eturadi adminprof=cinge timezone=PT main_type=ira trigger_policy=niamq sub_type=quatD severity_level=nevol policy=lumquid src=10.157.14.165 src_port=7170 dst=10.61.200.105 dst_port=2813 http_method=tquov http_url=natu http_host=doei http_agent=acomm http_session_id=veleumi signature_subclass=volupt signature_id=6822 srccountry=itatise content_switch_name=ure server_pool_name=userro false_positive_mitigation=oree user_name=nimadmi monitor_status=utaliq http_refer=https://example.com/tinvolu/uredol.txt?did=lamcol#idolor http_version=tutlabor dev_id=nse threat_weight=rauto history_threat_weight=rese threat_level=nonproi ftp_mode=doconse ftp_cmd=henderi cipher_suite=tisunde msg_id=ende -date=2018-2-10 time=12:23:41 logver=commod devid=oris devname=rcita logid=ataev type=oris subtype=incidi level=high vd=tutlabo srcip=10.32.66.161 srcport=881 srcintf=lo4523 dstip=10.134.238.8 dstport=2976 dstintf=enp0s1238 poluuid=edquiac sessionid=sit proto=HOPOPT action=allow policyid=olo trandisp=laboris duration=163.866000 sentbyte=7328 rcvdbyte=5375 devtype=tutl osname=nevolu osversion=1.5475 mastersrcmac=ostru srcmac=01:00:5e:e9:5f:84 crscore=157.516000 craction=aven crlevel=idolore eventtype=psaqu user=psa service=pta hostname=ididunt7607.mail.localhost profile=ntutlabo reqtype=leumiure url=https://mail.example.net/epteurs/usmodtem.gif?itvo=asi#tobe direction=internal msg=Lore method=oin cat=eritquii catdesc=taliqui device_id=ecatcu log_id=entoreve pri=high userfrom=umquam adminprof=onev timezone=CET main_type=tionev trigger_policy=ali sub_type=ionu severity_level=perna policy=moll src=10.242.178.15 src_port=3948 dst=10.217.111.77 dst_port=7309 http_method=datatno http_url=equepor http_host=antium http_agent=ugiatn http_session_id=utpe 
signature_subclass=hend signature_id=1170 srccountry=agnamali content_switch_name=ptateve server_pool_name=aliqua false_positive_mitigation=officiad user_name=nimadmin monitor_status=iavol http_refer=https://example.net/iumtota/qui.jpg?quel=ugitsed#ritatis http_version=olor dev_id=emoenim threat_weight=turadipi history_threat_weight=umSec threat_level=onsecte ftp_mode=inibusBo ftp_cmd=tqui cipher_suite=sequun msg_id=nimadm -date=2018-2-24 time=7:26:15 logver=vitaedic devid=remip devname=rsita logid=rehe type=aper subtype=gnaa level=low vd=uta srcip=10.161.128.235 srcport=6280 srcintf=eth2121 dstip=10.84.29.117 dstport=1245 dstintf=eth7500 poluuid=errorsi sessionid=umwr proto=HOPOPT action=cancel policyid=cupida trandisp=rinc duration=5.709000 sentbyte=289 rcvdbyte=6059 devtype=dquia osname=ommod osversion=1.142 mastersrcmac=dico srcmac=01:00:5e:06:53:8a crscore=35.836000 craction=imipsa crlevel=iscinge eventtype=ora user=meumfug service=inimve hostname=mco2906.domain profile=sitvolu reqtype=eratv url=https://www.example.com/iadolo/cidu.txt?aliquide=redolori#eav direction=inbound msg=nse method=turQuis cat=tat catdesc=pta device_id=henderi log_id=onsec pri=high userfrom=itaspern adminprof=tau timezone=GMT+02:00 main_type=rsintoc trigger_policy=boreetd sub_type=rehende severity_level=sitamet policy=xerc src=10.199.119.251 src_port=7286 dst=10.86.152.227 dst_port=850 http_method=ant http_url=tiu http_host=ommodoco http_agent=rehe http_session_id=eseosqu signature_subclass=oeius signature_id=641 srccountry=eaqueip content_switch_name=laud server_pool_name=uido false_positive_mitigation=uis user_name=msequin monitor_status=autem http_refer=https://internal.example.org/ipi/qua.htm?itat=adipisc#omnisist http_version=orroqui dev_id=sci threat_weight=psamvolu history_threat_weight=itsedqui threat_level=oreve ftp_mode=omn ftp_cmd=onevol cipher_suite=ese msg_id=reprehen -date=2018-3-11 time=2:28:49 logver=eumfugia devid=nimvenia devname=dol logid=rissusc type=lit subtype=quin 
level=low vd=eddoei srcip=10.35.73.208 srcport=7081 srcintf=eth6552 dstip=10.216.120.61 dstport=6389 dstintf=eth2068 poluuid=dolor sessionid=emUteni proto=tcp action=deny policyid=illoin trandisp=rinre duration=166.295000 sentbyte=5988 rcvdbyte=3374 devtype=olorem osname=mquae osversion=1.1789 mastersrcmac=rQuis srcmac=01:00:5e:b5:9a:3e crscore=5.250000 craction=enimadmi crlevel=elit eventtype=uia user=tem service=unt hostname=ntex5135.corp profile=mqua reqtype=equa url=https://internal.example.com/isc/umdol.jpg?atn=sectet#boreetd direction=outbound msg=olorin method=oluptat cat=olors catdesc=mSecti device_id=ius log_id=quian pri=low userfrom=urExce adminprof=upt timezone=PST main_type=pteurs trigger_policy=intocc sub_type=abo severity_level=orisnis policy=reseo src=10.239.194.105 src_port=3629 dst=10.234.171.117 dst_port=4488 http_method=tenatus http_url=odic http_host=ono http_agent=umtota http_session_id=consequ signature_subclass=ine signature_id=3409 srccountry=dex content_switch_name=ipis server_pool_name=nsecte false_positive_mitigation=miurere user_name=tat monitor_status=pitlabor http_refer=https://example.com/olupta/ape.jpg?mnisiut=eabil#olu http_version=uaUte dev_id=empor threat_weight=ate history_threat_weight=eca threat_level=inre ftp_mode=aliqu ftp_cmd=orem cipher_suite=dquian msg_id=isaute -logver=emagnaal dtime=2018-03-25 09:31:24.032538723 +0000 UTC devid=uunturm devname=nonnumq vd=tqu date=2018-3-25 time=9:31:24 logid=ntocca type=emquelau subtype=adolorsi level=medium eventtime=maliquam logtime=ovol srcip=10.34.41.75 srcport=4436 srcintf=enp0s7638 srcintfrole=eseosqu dstip=10.249.16.201 dstport=4293 dstintf=lo5084 dstintfrole=mvele poluuid=qui sessionid=etMa proto=3 action=accept policyid=aspe policytype=uradipi crscore=22.220000 craction=atu crlevel=amremape appcat=illoinve service=uis srccountry=itanimi dstcountry=rinc trandisp=isistena tranip=10.107.168.208 tranport=1864 duration=45.477000 sentbyte=1067 rcvdbyte=2855 sentpkt=ctionofd 
app=uianonnu -logver=nisiste date=2018-4-8 time=4:33:58 log_id=sedqu devid=itautfu devname=aaliq logid=tDui type=ernatur subtype=itsed level=low vd=xeacomm srcip=10.112.57.220 srcport=5803 srcintf=enp0s1897 dstip=10.19.151.236 dstport=884 dstintf=enp0s4144 poluuid=estiaeco sessionid=vele proto=HOPOPT action=allow policyid=yCiceroi trandisp=loremeu duration=156.263000 sentbyte=3719 rcvdbyte=7292 devtype=colab osname=itte osversion=1.6905 mastersrcmac=orumS srcmac=01:00:5e:c1:b8:93 crscore=60.950000 craction=uptat crlevel=incidun eventtype=agnaaliq user=aturQuis service=cepteurs hostname=tat1845.internal.invalid profile=rumetMal reqtype=tiumtot url=https://www.example.com/imadm/ugiat.txt?Nequepor=nisiu#ptat direction=inbound msg=eddoe method=seq cat=uae catdesc=tobeata device_id=ctas log_id=vol pri=high userfrom=gna adminprof=itautf timezone=ET main_type=eprehe trigger_policy=ariatu sub_type=aqueip severity_level=aqueip policy=rautod src=10.96.168.24 src_port=6206 dst=10.109.106.194 dst_port=5356 http_method=Sedut http_url=stiaec http_host=rveli http_agent=serr http_session_id=umdolo signature_subclass=iduntut signature_id=4281 srccountry=rorsitv content_switch_name=caboNemo server_pool_name=cididun false_positive_mitigation=iamqu user_name=ommodoc monitor_status=mwrit http_refer=https://www5.example.com/madminim/onse.txt?reeuf=orinrepr#tinvo http_version=oru dev_id=ainc threat_weight=aeab history_threat_weight=iat threat_level=acom ftp_mode=olo ftp_cmd=eipsaq cipher_suite=enatu msg_id=mfu -logver=aliqui date=2018-4-22 time=11:36:32 log_id=uipexea devid=sauteiru devname=nibusB logid=eetdolo type=issuscip subtype=iduntu level=high vd=rinc srcip=10.109.224.208 srcport=1769 srcintf=enp0s3638 dstip=10.31.34.96 dstport=4651 dstintf=enp0s390 poluuid=atis sessionid=edol proto=icmp action=deny policyid=adip trandisp=ugiatq duration=128.795000 sentbyte=4249 rcvdbyte=6693 devtype=atemUte osname=emag osversion=1.1353 mastersrcmac=ecatcup srcmac=01:00:5e:63:85:d2 
crscore=62.286000 craction=oin crlevel=isautem eventtype=eiusm user=assit service=ulpaq hostname=ulamc767.internal.lan profile=iades reqtype=mremape url=https://mail.example.net/ionemu/nul.jpg?volupt=ori#sed direction=inbound msg=maveniam method=ctobeat cat=emoenim catdesc=oqui device_id=olab log_id=remagnam pri=high userfrom=mSecti adminprof=volupt timezone=OMST main_type=ela trigger_policy=fugits sub_type=litseddo severity_level=idestl policy=ptasn src=10.112.155.228 src_port=5011 dst=10.47.191.95 dst_port=6242 http_method=velillu http_url=radipi http_host=iatn http_agent=aturE http_session_id=beat signature_subclass=pern signature_id=7568 srccountry=itvolupt content_switch_name=uradip server_pool_name=perspi false_positive_mitigation=uaer user_name=aed monitor_status=tectobe http_refer=https://example.org/scingeli/uatDuis.gif?apari=itesseci#utali http_version=ofdeFin dev_id=siutaliq threat_weight=urvel history_threat_weight=turE threat_level=ntium ftp_mode=imadmi ftp_cmd=dquiac cipher_suite=liquide msg_id=uatD -logver=gnidolor dtime=2018-05-07 06:39:06.812538723 +0000 UTC devid=BCSedut devname=metco vd=vel date=2018-5-7 time=6:39:06 logid=tmol type=acommodi subtype=ccaecat level=low eventtime=mqu logtime=mips srcip=10.103.169.94 srcport=2174 srcintf=lo5821 srcintfrole=osqu dstip=10.140.137.17 dstport=446 dstintf=enp0s4444 dstintfrole=iono poluuid=atcupi sessionid=dexe proto=0 action=allow policyid=exerci policytype=ems crscore=15.728000 craction=nulapa crlevel=tess appcat=eroi service=enby srccountry=riatur dstcountry=amrema trandisp=illum tranip=10.62.241.218 tranport=7444 duration=5.969000 sentbyte=4832 rcvdbyte=6033 sentpkt=urere app=involu -logver=tem devname="litsedq" devid="amre" vd=orpori date=2018-5-21 time=1:41:41 logid=sistena type=iam subtype=saquae level=low eventtime=itanimid logtime=ianonnum srcip=10.90.229.92 srcport=6796 srcintf=lo1752 srcintfrole=inculp dstip=10.251.212.166 dstport=3925 dstintf=eth1592 dstintfrole=aboNemo poluuid=tsedquia 
sessionid=ididun proto=21 action=cancel policyid=enim policytype=gnido crscore=85.453000 craction=erepr crlevel=tsedqu appcat=uisa service=uptat srccountry=siutal dstcountry=umetMalo trandisp=onevolu tranip=10.77.105.160 tranport=5541 duration=155.903000 sentbyte=5294 rcvdbyte=2687 sentpkt=ira app=umfu -date=2018-6-4 time=8:44:15 logver=uamq devid=mnisist devname=dutp logid=ecillu type=ipsaqu subtype=asun level=very-high vd=llumd srcip=10.100.223.157 srcport=1307 srcintf=eth5742 dstip=10.232.243.87 dstport=4546 dstintf=lo299 poluuid=atisetq sessionid=mSectio proto=0 action=cancel policyid=nonnumqu trandisp=atis duration=63.050000 sentbyte=3508 rcvdbyte=205 devtype=uam osname=tisunde osversion=1.4261 mastersrcmac=rured srcmac=01:00:5e:8a:c1:2a crscore=19.243000 craction=meumfug crlevel=iam eventtype=animi user=porainc service=nsectetu hostname=spici5547.internal.test profile=tate reqtype=sintocca url=https://mail.example.org/asuntex/uovolup.html?amali=uiav#henderi direction=internal msg=tnul method=ons cat=radip catdesc=amremap device_id=dolorsit log_id=atisund pri=very-high userfrom=uredo adminprof=uamni timezone=CT main_type=quisqua trigger_policy=sedquian sub_type=lamcorpo severity_level=rem policy=apariat src=10.216.49.112 src_port=4521 dst=10.112.242.68 dst_port=3105 http_method=aut http_url=eriti http_host=ipsum http_agent=com http_session_id=uptate signature_subclass=tevelite signature_id=5880 srccountry=nimadmi content_switch_name=mquiado server_pool_name=agn false_positive_mitigation=dip user_name=urmag monitor_status=nim http_refer=https://www5.example.net/tutlabo/incid.gif?ptate=tconsect#usm http_version=uunturma dev_id=namaliqu threat_weight=tatemacc history_threat_weight=licab threat_level=roidents ftp_mode=volupta ftp_cmd=stiaeco cipher_suite=tanim msg_id=osam -date=2018-6-19 time=3:46:49 logver=tla devid=nimve devname=edutpe logid=tenb type=billoinv subtype=asia level=medium vd=paquioff srcip=10.252.175.174 srcport=1995 srcintf=enp0s1531 
dstip=10.196.226.219 dstport=545 dstintf=lo2390 poluuid=uaera sessionid=nsequa proto=tcp action=accept policyid=orporis trandisp=oluptate duration=28.731000 sentbyte=2397 rcvdbyte=1768 devtype=itvolu osname=citation osversion=1.491 mastersrcmac=aincid srcmac=01:00:5e:7e:ea:3f crscore=149.960000 craction=tNeque crlevel=uidolore eventtype=uatDuisa user=usB service=magnaali hostname=istenatu3686.invalid profile=remagna reqtype=eritqu url=https://example.org/mnisiut/porinci.htm?norum=emUten#dminimve direction=internal msg=oremagna method=nulamc cat=tempori catdesc=rsintocc device_id=nderit log_id=etco pri=very-high userfrom=lore adminprof=ameiusmo timezone=PT main_type=veniamqu trigger_policy=equat sub_type=reeu severity_level=atemacc policy=rsitvolu src=10.182.58.108 src_port=4811 dst=10.96.100.84 dst_port=2253 http_method=utlabore http_url=texplica http_host=boru http_agent=ntut http_session_id=elaud signature_subclass=acomm signature_id=5667 srccountry=emUten content_switch_name=uamni server_pool_name=laboris false_positive_mitigation=pers user_name=lpaquiof monitor_status=isisten http_refer=https://api.example.net/seddoei/rnatur.jpg?olores=idolorem#umdolors http_version=uid dev_id=numqua threat_weight=citatio history_threat_weight=sed threat_level=mUten ftp_mode=eursint ftp_cmd=velillum cipher_suite=oin msg_id=teurs -logver=untutl devname="cons" devid="vel" vd=illumdo date=2018-7-3 time=10:49:23 logid=rios type=deF subtype=dutpe level=very-high eventtime=itan logtime=uisnos srcip=10.228.61.5 srcport=1179 srcintf=eth4741 srcintfrole=lites dstip=10.246.41.77 dstport=1217 dstintf=lo7502 dstintfrole=olu poluuid=ectet sessionid=tquovo proto=17 action=block policyid=lapa policytype=xeacom crscore=22.822000 craction=qui crlevel=henderi appcat=rainc service=dminim srccountry=sse dstcountry=tatem trandisp=umexe tranip=10.157.22.21 tranport=5252 duration=135.630000 sentbyte=2167 rcvdbyte=2952 sentpkt=quamei app=nvento -logver=qua devname="llumdo" devid="tot" vd=itquii 
date=2018-7-17 time=5:51:58 logid=psu type=iat subtype=ept level=high eventtime=ectob logtime=aUtenim srcip=10.242.119.111 srcport=645 srcintf=lo1640 srcintfrole=tDuisa dstip=10.239.231.168 dstport=88 dstintf=lo3385 dstintfrole=nimi poluuid=niamqu sessionid=uioffi proto=1 action=allow policyid=consequa policytype=tionu crscore=60.452000 craction=quines crlevel=entsu appcat=ineavol service=abor srccountry=giatq dstcountry=nonpro trandisp=elitsedd tranip=10.188.131.18 tranport=981 duration=46.954000 sentbyte=2770 rcvdbyte=4226 sentpkt=tam app=uovo -logver=orinrepr date=2018-8-1 time=12:54:32 log_id=untut devid=siu devname=lorem logid=icons type=hende subtype=umdol level=medium vd=psaq srcip=10.24.154.250 srcport=2108 srcintf=eth2707 dstip=10.124.187.230 dstport=6119 dstintf=lo105 poluuid=mqu sessionid=tse proto=udp action=accept policyid=ueip trandisp=amvo duration=20.956000 sentbyte=2068 rcvdbyte=306 devtype=reetdolo osname=tten osversion=1.979 mastersrcmac=usa srcmac=01:00:5e:6a:a6:c9 crscore=45.307000 craction=oremagna crlevel=siuta eventtype=amnihil user=nderit service=ficia hostname=tru3812.mail.lan profile=olo reqtype=xer url=https://api.example.net/nsec/smo.gif?etq=trumexe#rai direction=outbound msg=tNequepo method=byCicer cat=imvenia catdesc=ipit device_id=tdolorem log_id=nderitin pri=low userfrom=enderitq adminprof=amvolu timezone=GMT-07:00 main_type=temvele trigger_policy=ofd sub_type=quam severity_level=umdol policy=porincid src=10.106.101.87 src_port=7569 dst=10.247.124.74 dst_port=2491 http_method=inea http_url=ipsu http_host=iden http_agent=oreseo http_session_id=edictasu signature_subclass=aerat signature_id=4358 srccountry=lites content_switch_name=col server_pool_name=litsedd false_positive_mitigation=mnis user_name=ainci monitor_status=aturve http_refer=https://api.example.com/mporain/secte.txt?amqui=rume#uptate http_version=tisundeo dev_id=uid threat_weight=eFini history_threat_weight=mnis threat_level=tametco ftp_mode=snisiut ftp_cmd=lit 
cipher_suite=laborio msg_id=aaliqu -date=2018-8-15 time=7:57:06 devname=mid device_id=henderi log_id=consec type=event subtype=dquia pri=high desc=isiutali user=rehe userfrom=volupta msg=etcons action=deny adom=etdol408.internal.home session_id=agnamali -date=2018-8-29 time=2:59:40 logver=cae devid=Utenimad devname=onsequ logid=Bon type=amquisno subtype=mullam level=very-high vd=admi srcip=10.111.106.60 srcport=5449 srcintf=lo5820 dstip=10.142.181.192 dstport=4386 dstintf=lo6200 poluuid=lmolest sessionid=miurerep proto=17 action=allow policyid=Sed trandisp=isau duration=66.574000 sentbyte=75 rcvdbyte=806 devtype=idest osname=ostru osversion=1.4342 mastersrcmac=enimip srcmac=01:00:5e:11:d6:5d crscore=66.141000 craction=umquiado crlevel=taspe eventtype=empori user=mipsum service=tium hostname=riaturE1644.www5.example profile=ender reqtype=uine url=https://internal.example.com/dolo/exeacom.txt?tlab=eufugiat#upta direction=internal msg=reetdo method=mad cat=mdolor catdesc=amcorpor device_id=oremquel log_id=san pri=high userfrom=amqui adminprof=itatise timezone=GMT-07:00 main_type=cia trigger_policy=lup sub_type=cipitla severity_level=niam policy=mullamc src=10.215.144.167 src_port=6675 dst=10.162.114.52 dst_port=2925 http_method=quepor http_url=Lor http_host=ten http_agent=exeacomm http_session_id=cusan signature_subclass=oquisq signature_id=4993 srccountry=ihilmol content_switch_name=seosqui server_pool_name=tiset false_positive_mitigation=ciade user_name=erspici monitor_status=xercitat http_refer=https://internal.example.net/utlab/entoreve.html?umdol=nseq#autodita http_version=loreme dev_id=eratv threat_weight=tametcon history_threat_weight=orsi threat_level=ull ftp_mode=mcor ftp_cmd=iamquis cipher_suite=aeabi msg_id=ore -date=2018-9-12 time=10:02:15 logver=catcup devid=ectetur devname=cons logid=spiciati type=upidata subtype=utlabo level=high vd=ersp srcip=10.101.207.156 srcport=2086 srcintf=enp0s4931 dstip=10.12.8.82 dstport=4369 dstintf=enp0s7520 poluuid=nemull 
sessionid=trumex proto=6 action=accept policyid=doloremq trandisp=iade duration=26.420000 sentbyte=5013 rcvdbyte=7641 devtype=uidolo osname=ita osversion=1.6452 mastersrcmac=rchite srcmac=01:00:5e:41:90:bf crscore=107.693000 craction=tionem crlevel=volupta eventtype=adol user=econsequ service=orever hostname=mdolo7008.api.corp profile=reetdolo reqtype=psam url=https://www5.example.org/orumet/aliqu.txt?tion=sun#utod direction=outbound msg=rinci method=uamestqu cat=riatu catdesc=ulaparia device_id=remagna log_id=fugi pri=very-high userfrom=xerc adminprof=caecat timezone=OMST main_type=cor trigger_policy=nonnumqu sub_type=uidexea severity_level=emu policy=asia src=10.162.128.87 src_port=6214 dst=10.78.75.82 dst_port=7799 http_method=uptat http_url=con http_host=tem http_agent=orpori http_session_id=lor signature_subclass=quiinea signature_id=7098 srccountry=rroquis content_switch_name=dolorema server_pool_name=prehe false_positive_mitigation=bori user_name=Sedutp monitor_status=ritinvo http_refer=https://internal.example.net/ica/nat.jpg?ddoe=nsequ#lloinve http_version=tdolo dev_id=billoi threat_weight=sequu history_threat_weight=ffic threat_level=imadmini ftp_mode=isnostru ftp_cmd=ostr cipher_suite=tinvo msg_id=lorumwr -logver=ctetura devname="reseosqu" devid="ittenbyC" vd=tlabor date=2018-9-27 time=5:04:49 logid=auteir type=uredolo subtype=uido level=medium eventtime=quiratio logtime=aincidu srcip=10.75.198.93 srcport=1982 srcintf=eth725 srcintfrole=umqu dstip=10.137.36.151 dstport=196 dstintf=lo1813 dstintfrole=rspici poluuid=duntutla sessionid=emeu proto=1 action=block policyid=atemUten policytype=turadipi crscore=16.226000 craction=estqu crlevel=orinre appcat=prehen service=equa srccountry=ciatisun dstcountry=mdolorem trandisp=nnumq tranip=10.51.106.43 tranport=6486 duration=78.551000 sentbyte=3531 rcvdbyte=5464 sentpkt=oremeumf app=volupt -logver=tnulapa devname="caecatcu" devid="xcepte" vd=deserun date=2018-10-11 time=12:07:23 logid=mvol type=erep subtype=teurs 
level=low eventtime=tiumdol logtime=byCicer srcip=10.154.151.111 srcport=5860 srcintf=eth1273 srcintfrole=uisnos dstip=10.7.230.206 dstport=5757 dstintf=lo1291 dstintfrole=pisc poluuid=eumfu sessionid=tseddoe proto=HOPOPT action=allow policyid=emulla policytype=bill crscore=147.522000 craction=oditaut crlevel=oloremqu appcat=untNeque service=reetdol srccountry=perspi dstcountry=tlab trandisp=udexerci tranip=10.249.93.150 tranport=799 duration=113.020000 sentbyte=2808 rcvdbyte=5744 sentpkt=ovolup app=squ -date=2018-10-25 time=7:09:57 logver=dolor devid=lit devname=ptatem logid=oeiusmod type=ugi subtype=utaliq level=very-high vd=toc srcip=10.76.177.154 srcport=1428 srcintf=eth4425 dstip=10.207.160.170 dstport=7037 dstintf=lo1570 poluuid=reseo sessionid=iration proto=tcp action=deny policyid=magn trandisp=iaecon duration=54.100000 sentbyte=622 rcvdbyte=6280 devtype=ill osname=oris osversion=1.5718 mastersrcmac=ulamcol srcmac=01:00:5e:19:ce:4b crscore=142.771000 craction=oNe crlevel=utfu eventtype=santiumd user=cididunt service=ctasu hostname=itse5466.api.example profile=ica reqtype=mnisis url=https://internal.example.com/nonnumqu/isciveli.gif?wri=aute#iscin direction=outbound msg=uat method=itasper cat=nibusBo catdesc=volupta device_id=olorinr log_id=iameaq pri=high userfrom=docons adminprof=uun timezone=OMST main_type=mremap trigger_policy=ate sub_type=agnaal severity_level=ibusB policy=mexe src=10.217.209.221 src_port=3639 dst=10.26.4.3 dst_port=5291 http_method=rsitame http_url=eca http_host=quirat http_agent=urmagn http_session_id=essec signature_subclass=prehende signature_id=1261 srccountry=setquas content_switch_name=nti server_pool_name=osamnis false_positive_mitigation=atisetqu user_name=ciduntut monitor_status=atisu http_refer=https://internal.example.com/architec/incul.txt?aborios=mco#amnisiu http_version=suntincu dev_id=lore threat_weight=equatu history_threat_weight=enbyCi threat_level=dolo ftp_mode=adipi ftp_cmd=beata cipher_suite=evelites 
msg_id=ipiscive -logver=umtot date=2018-11-9 time=2:12:32 log_id=eumiurer devid=inv devname=eac logid=rainc type=tinculp subtype=uianon level=high vd=corpori srcip=10.232.131.132 srcport=581 srcintf=enp0s6255 dstip=10.232.246.98 dstport=1854 dstintf=enp0s1526 poluuid=ivelit sessionid=itlabori proto=icmp action=accept policyid=oide trandisp=magni duration=72.993000 sentbyte=5817 rcvdbyte=6960 devtype=rrorsit osname=emipsu osversion=1.6603 mastersrcmac=temUte srcmac=01:00:5e:fe:be:28 crscore=134.746000 craction=hitec crlevel=sci eventtype=luptatev user=ruredo service=iamquis hostname=dquiac6194.api.lan profile=nidolo reqtype=runtmoll url=https://www5.example.org/utlabo/scip.html?voluptas=inv#upta direction=external msg=ors method=olupta cat=raincidu catdesc=nisi device_id=uipexea log_id=taedic pri=high userfrom=ugi adminprof=urExcep timezone=CET main_type=usant trigger_policy=uidolore sub_type=litse severity_level=ugitse policy=utfugi src=10.241.140.241 src_port=1813 dst=10.180.162.174 dst_port=7186 http_method=ido http_url=atnu http_host=ssuscipi http_agent=evita http_session_id=tconsect signature_subclass=lpaquiof signature_id=532 srccountry=lors content_switch_name=Finibus server_pool_name=totam false_positive_mitigation=idat user_name=nulapar monitor_status=git http_refer=https://www5.example.com/odtem/tati.jpg?ueips=umqu#ntexpli http_version=siuta dev_id=porincid threat_weight=itame history_threat_weight=inv threat_level=remaper ftp_mode=quaUteni ftp_cmd=evelit cipher_suite=oluptat msg_id=ditem -date=2018-11-23 time=9:15:06 devname=oditautf device_id=asiarc log_id=eddoei type=generic subtype=iatqu pri=very-high devid=itessec devname=dat logid=tdol type=emul subtype=ariatu level=high vd=reseo srcip=10.53.70.207 srcport=1793 srcintf=lo2279 dstip=10.73.140.61 dstport=2114 dstintf=lo368 poluuid=stlabo sessionid=atema proto=1 action=deny policyid=orporiss trandisp=iamq duration=128.426000 sentbyte=1800 rcvdbyte=5783 devtype=pis osname=riosam osversion=1.2052 
mastersrcmac=iosam srcmac=01:00:5e:21:d3:0a crscore=65.426000 craction=archi crlevel=nes eventtype=atvolupt user=umwritt service=uae hostname=amco1592.mail.host profile=aaliq reqtype=olupta url=https://internal.example.com/ssusci/snostrud.txt?dolo=siutaliq#obeata direction=outbound msg=tame method=olo cat=vel catdesc=equamn device_id=tempora log_id=enimip pri=very-high userfrom=saqua adminprof=aperia timezone=OMST main_type=tNeque trigger_policy=metcon sub_type=enimadmi severity_level=orem policy=corpor src=10.110.99.222 src_port=5685 dst=10.62.140.108 dst_port=1225 http_method=ssitasp http_url=ptat http_host=asp http_agent=uatDui http_session_id=nofdeFin signature_subclass=unde signature_id=3979 srccountry=seruntm content_switch_name=aera server_pool_name=scive false_positive_mitigation=ngelit user_name=moenimi monitor_status=mqu http_refer=https://mail.example.org/ueipsaq/upid.gif?utla=emUte#tisund http_version=tutla dev_id=isund threat_weight=atemU history_threat_weight=uidex threat_level=uptate ftp_mode=eac ftp_cmd=peria cipher_suite=amaliq msg_id=ium -logver=ptate date=2018-12-7 time=4:17:40 log_id=tenatu devid=emo devname=ratio logid=maperia type=Maloru subtype=sumquia level=low vd=imadmini srcip=10.237.5.219 srcport=3828 srcintf=eth4604 dstip=10.197.99.150 dstport=3877 dstintf=enp0s7388 poluuid=odo sessionid=itseddoe proto=prm action=accept policyid=itinvo trandisp=uiavol duration=96.864000 sentbyte=2685 rcvdbyte=7612 devtype=urmagn osname=ficiade osversion=1.2691 mastersrcmac=equ srcmac=01:00:5e:f5:2a:24 crscore=163.671000 craction=mipsum crlevel=dolor eventtype=cupidata user=niamquis service=lapariat hostname=dicta7226.mail.example profile=eddoei reqtype=cingel url=https://api.example.com/temporai/umw.jpg?mveniamq=litsed#ptasn direction=unknown msg=loinv method=umd cat=madmi catdesc=xercit device_id=avolup log_id=etdo pri=medium userfrom=veleum adminprof=emUten timezone=CT main_type=proiden trigger_policy=cita sub_type=iac severity_level=ntincul 
policy=mnisiste src=10.4.244.115 src_port=4588 dst=10.53.50.77 dst_port=5330 http_method=lorem http_url=lore http_host=orroqu http_agent=tlabo http_session_id=iameaque signature_subclass=sautemve signature_id=6466 srccountry=emoe content_switch_name=ameiusmo server_pool_name=ntiumtot false_positive_mitigation=aeab user_name=idolo monitor_status=temac http_refer=https://api.example.net/ollita/idolore.html?illu=iut#asiarc http_version=imidest dev_id=mwri threat_weight=orsi history_threat_weight=ritinvol threat_level=rporiss ftp_mode=atu ftp_cmd=ddo cipher_suite=veli msg_id=ata -logver=lor dtime=2018-12-21 23:20:14.972538723 +0000 UTC devid=ori devname=eleumiu vd=amre date=2018-12-21 time=11:20:14 logid=atur type=untex subtype=Except level=very-high eventtime=econse logtime=iac srcip=10.221.100.157 srcport=865 srcintf=lo4518 srcintfrole=mqu dstip=10.236.211.111 dstport=1801 dstintf=enp0s454 dstintfrole=rauto poluuid=pteursi sessionid=iquamqua proto=tcp action=allow policyid=psumqui policytype=equeporr crscore=32.741000 craction=cusanti crlevel=doloreme appcat=nsecte service=reprehen srccountry=taspe dstcountry=litess trandisp=enimadm tranip=10.120.212.78 tranport=119 duration=17.257000 sentbyte=4752 rcvdbyte=3484 sentpkt=ntsuntin app=ectetur -date=2019-1-5 time=6:22:49 logver=intocca devid=vel devname=xeacom logid=orum type=voluptat subtype=nsequ level=medium vd=tenimad srcip=10.140.215.210 srcport=7229 srcintf=lo568 dstip=10.71.213.217 dstport=7475 dstintf=eth5820 poluuid=lup sessionid=reetdolo proto=HOPOPT action=accept policyid=dolor trandisp=emagnam duration=154.150000 sentbyte=2336 rcvdbyte=5326 devtype=emull osname=enatuser osversion=1.3052 mastersrcmac=ectob srcmac=01:00:5e:4a:5d:af crscore=9.013000 craction=niamqu crlevel=nrep eventtype=lauda user=ionevo service=busB hostname=pidatatn2627.www.localdomain profile=eritinvo reqtype=quiav url=https://mail.example.org/ngelit/dipiscin.gif?serro=ctet#umiurere direction=inbound msg=ciun method=ssitaspe cat=deomnis 
catdesc=ulamcol device_id=onn log_id=redol pri=medium userfrom=utlabore adminprof=nci timezone=OMST main_type=liqu trigger_policy=ectetura sub_type=aUte severity_level=untNeque policy=roi src=10.210.82.202 src_port=2749 dst=10.208.231.15 dst_port=412 http_method=rios http_url=diconseq http_host=tenima http_agent=iusm http_session_id=mveleumi signature_subclass=equinesc signature_id=5076 srccountry=mfugiatq content_switch_name=dmini server_pool_name=emveleu false_positive_mitigation=loree user_name=riatur monitor_status=tempor http_refer=https://internal.example.com/spiciati/tise.gif?ctas=rvelillu#qua http_version=ciat dev_id=iamq threat_weight=porin history_threat_weight=yCi threat_level=arc ftp_mode=santium ftp_cmd=numquame cipher_suite=umfugi msg_id=amestqui -logver=tesseq devname="nimides" devid="iusmodte" vd=involup date=2019-1-19 time=1:25:23 logid=edd type=dolorsi subtype=mcolabo level=low eventtime=exe logtime=nve srcip=10.226.255.3 srcport=5449 srcintf=lo7680 srcintfrole=iaconseq dstip=10.123.59.69 dstport=5399 dstintf=lo5835 dstintfrole=ntsunti poluuid=bor sessionid=uisnos proto=6 action=accept policyid=tation policytype=seddoe crscore=21.625000 craction=eur crlevel=ntmolli appcat=pitl service=nulap srccountry=ipexe dstcountry=aqueipsa trandisp=psum tranip=10.53.251.202 tranport=7501 duration=131.751000 sentbyte=6876 rcvdbyte=220 sentpkt=ugi app=ptate -logver=rur devname="edut" devid="sitametc" vd=iarchite date=2019-2-2 time=8:27:57 logid=uide type=iono subtype=aboris level=very-high eventtime=imidest logtime=ulamc srcip=10.3.85.176 srcport=318 srcintf=eth2546 srcintfrole=uptateve dstip=10.212.56.26 dstport=3032 dstintf=enp0s2353 dstintfrole=loin poluuid=cinge sessionid=tutl proto=udp action=block policyid=nesciu policytype=ueip crscore=162.484000 craction=orumSe crlevel=mSe appcat=itame service=quaturv srccountry=lumdolor dstcountry=persp trandisp=leumi tranip=10.29.141.252 tranport=2077 duration=106.468000 sentbyte=3472 rcvdbyte=7868 sentpkt=orum 
app=reseos -date=2019-2-17 time=3:30:32 devname=orem device_id=seq log_id=cus type=generic subtype=tnulap pri=very-high devid=psamvolu devname=inculp logid=eni type=tcupid subtype=ercita level=very-high vd=olorinr srcip=10.110.166.81 srcport=7354 srcintf=lo3023 dstip=10.181.48.82 dstport=1225 dstintf=eth7640 poluuid=conseq sessionid=Nemoen proto=6 action=cancel policyid=umquamei trandisp=nih duration=55.527000 sentbyte=3449 rcvdbyte=4658 devtype=quia osname=eabill osversion=1.95 mastersrcmac=oeiusmo srcmac=01:00:5e:82:ca:1b crscore=67.321000 craction=rumwrit crlevel=tionofd eventtype=ill user=orroquis service=laparia hostname=emveleu4029.api.local profile=tconse reqtype=ntsun url=https://internal.example.net/inc/riaturEx.htm?mnihilm=itinvo#lestia direction=external msg=metcons method=lumd cat=liquaUt catdesc=snos device_id=maccusan log_id=oeni pri=medium userfrom=tiaecon adminprof=tincu timezone=GMT-07:00 main_type=untmoll trigger_policy=par sub_type=idatatno severity_level=tfugit policy=tla src=10.126.11.186 src_port=589 dst=10.236.175.163 dst_port=6562 http_method=atemqui http_url=icaboN http_host=Utenimad http_agent=res http_session_id=officiad signature_subclass=nsectet signature_id=3977 srccountry=temU content_switch_name=ciduntut server_pool_name=ionofd false_positive_mitigation=etqua user_name=udantiu monitor_status=tium http_refer=https://internal.example.net/leumiu/iuta.html?tfugit=rorsitv#tiaecons http_version=uamestq dev_id=aliquaUt threat_weight=boreet history_threat_weight=mquam threat_level=volu ftp_mode=nof ftp_cmd=boNe cipher_suite=ovolu msg_id=cid -logver=equamn devname="mes" devid="itatio" vd=ssecillu date=2019-3-3 time=10:33:06 logid=oeius type=itin subtype=nostrud level=medium eventtime=byCic logtime=mnisiuta srcip=10.171.60.173 srcport=209 srcintf=lo1917 srcintfrole=usmodite dstip=10.11.150.136 dstport=3615 dstintf=lo5438 dstintfrole=olup poluuid=urQuis sessionid=iquip proto=1 action=cancel policyid=untutl policytype=elite crscore=176.898000 
craction=ipsaq crlevel=spici appcat=nvolupt service=antiu srccountry=llumquid dstcountry=paq trandisp=olup tranip=10.83.98.220 tranport=1300 duration=73.115000 sentbyte=5812 rcvdbyte=3339 sentpkt=amquis app=umtotam -logver=pitlabo dtime=2019-03-17 17:35:40.532538723 +0000 UTC devid=lorsita devname=datatno vd=emac date=2019-3-17 time=5:35:40 logid=uiavo type=tdo subtype=ratvolup level=high eventtime=dolo logtime=quioffic srcip=10.238.49.73 srcport=1554 srcintf=enp0s11 srcintfrole=riatu dstip=10.74.88.209 dstport=740 dstintf=lo5287 dstintfrole=quep poluuid=tfugitse sessionid=oenimips proto=udp action=deny policyid=mdo policytype=map crscore=148.871000 craction=osqui crlevel=consequ appcat=catcupid service=velitess srccountry=sit dstcountry=ipisc trandisp=onsectet tranip=10.92.3.166 tranport=5777 duration=156.314000 sentbyte=715 rcvdbyte=3946 sentpkt=itvol app=dolo -logver=amquisno dtime=2019-04-01 00:38:14.792538723 +0000 UTC devid=uptasnul devname=ptate vd=deri date=2019-4-1 time=12:38:14 logid=periamea type=equatD subtype=quaturQu level=high eventtime=rpo logtime=inr srcip=10.119.248.36 srcport=2450 srcintf=enp0s1885 srcintfrole=ten dstip=10.187.107.47 dstport=288 dstintf=lo2445 dstintfrole=fugia poluuid=psa sessionid=iset proto=prm action=allow policyid=ecte policytype=ionemull crscore=84.399000 craction=sBo crlevel=nimides appcat=iurere service=edolorin srccountry=labor dstcountry=quelaud trandisp=ira tranip=10.84.200.121 tranport=3226 duration=128.212000 sentbyte=2150 rcvdbyte=4329 sentpkt=nos app=icta -logver=itseddo devname="tasu" devid="mquae" vd=CSedu date=2019-4-15 time=7:40:49 logid=atae type=aeconseq subtype=boNemo level=very-high eventtime=nemulla logtime=tmollit srcip=10.167.128.229 srcport=4052 srcintf=eth1833 srcintfrole=ciatisu dstip=10.135.213.17 dstport=6427 dstintf=eth6468 dstintfrole=ritat poluuid=dipi sessionid=asnulapa proto=prm action=block policyid=onsequa policytype=seddoe crscore=23.021000 craction=Bonorume crlevel=emeumfu appcat=tla 
service=uidexea srccountry=odtem dstcountry=nvolupt trandisp=stia tranip=10.30.239.222 tranport=1546 duration=10.721000 sentbyte=6561 rcvdbyte=1057 sentpkt=itectobe app=rroq -date=2019-4-29 time=2:43:23 devname=uunt device_id=pic log_id=unt type=generic subtype=emUt pri=medium devid=pernatur devname=orem logid=enbyCice type=velil subtype=nsequat level=low vd=duntutl srcip=10.238.172.76 srcport=156 srcintf=lo1215 dstip=10.201.119.253 dstport=2230 dstintf=enp0s7218 poluuid=nimad sessionid=tionu proto=udp action=block policyid=emagna trandisp=quin duration=68.078000 sentbyte=2527 rcvdbyte=1150 devtype=consequ osname=min osversion=1.1028 mastersrcmac=edicta srcmac=01:00:5e:cd:6c:ed crscore=163.905000 craction=itinvolu crlevel=urerepre eventtype=iumdol user=serror service=uptass hostname=rspic5637.api.local profile=itatise reqtype=iut url=https://api.example.net/ita/esse.txt?amquis=iatquovo#rExce direction=inbound msg=uraut method=reetdol cat=umtotam catdesc=itaedi device_id=ant log_id=tiumt pri=very-high userfrom=ratvolup adminprof=iamqu timezone=CT main_type=quaturve trigger_policy=tsunti sub_type=ero severity_level=iusmodi policy=acomm src=10.169.133.219 src_port=92 dst=10.115.166.48 dst_port=7491 http_method=eleumiur http_url=ididun http_host=edi http_agent=gia http_session_id=uaturQui signature_subclass=emi signature_id=5446 srccountry=etM content_switch_name=eve server_pool_name=iru false_positive_mitigation=ipit user_name=emq monitor_status=elitsedq http_refer=https://www.example.net/onsequat/emagnaa.gif?itse=tco#nnumqua http_version=erit dev_id=lorsitam threat_weight=emagnama history_threat_weight=ute threat_level=Excep ftp_mode=utpersp ftp_cmd=rehe cipher_suite=tiumt msg_id=ulamc -logver=runt date=2019-5-13 time=9:45:57 log_id=emipsu devid=icaboNem devname=Except logid=fugits type=maliquam subtype=mav level=very-high vd=ecill srcip=10.36.122.89 srcport=5040 srcintf=lo3887 dstip=10.206.76.186 dstport=741 dstintf=eth2435 poluuid=atisund sessionid=enbyCic proto=1 
action=block policyid=nrepre trandisp=uisautem duration=145.667000 sentbyte=4247 rcvdbyte=4374 devtype=tio osname=aconseq osversion=1.4195 mastersrcmac=enatuser srcmac=01:00:5e:1a:9c:4f crscore=124.786000 craction=rcitatio crlevel=olore eventtype=ntexp user=atio service=roquisqu hostname=rror3870.www5.local profile=volu reqtype=occ url=https://www5.example.net/culpa/isun.txt?cola=tura#rat direction=internal msg=sect method=ing cat=nis catdesc=aboreet device_id=ulapari log_id=isetqu pri=high userfrom=ons adminprof=Sedu timezone=CEST main_type=icaboNem trigger_policy=enderi sub_type=edqu severity_level=cita policy=uidolore src=10.146.255.40 src_port=3003 dst=10.226.39.82 dst_port=3950 http_method=oluptate http_url=orumwrit http_host=aconse http_agent=ites http_session_id=abori signature_subclass=dolor signature_id=3543 srccountry=amqu content_switch_name=uamest server_pool_name=ntoccaec false_positive_mitigation=ites user_name=caecatcu monitor_status=iof http_refer=https://api.example.com/uae/mdolo.txt?aute=itatise#utpers http_version=equunt dev_id=Nemo threat_weight=itse history_threat_weight=lillumq threat_level=idid ftp_mode=uis ftp_cmd=velits cipher_suite=mmodo msg_id=rporissu -logver=utemvel dtime=2019-05-28 04:48:31.832538723 +0000 UTC devid=exercita devname=emaperi vd=aspernat date=2019-5-28 time=4:48:31 logid=ddoei type=nihi subtype=umfu level=low eventtime=ehen logtime=olupt srcip=10.53.82.96 srcport=7088 srcintf=eth297 srcintfrole=nostru dstip=10.224.212.88 dstport=5404 dstintf=lo4266 dstintfrole=natuserr poluuid=ipi sessionid=eniamqui proto=icmp action=deny policyid=urvelill policytype=iadese crscore=174.116000 craction=isundeo crlevel=emq appcat=rehender service=uat srccountry=apa dstcountry=tani trandisp=per tranip=10.35.240.70 tranport=2587 duration=62.993000 sentbyte=7102 rcvdbyte=2380 sentpkt=ataevit app=chi -logver=lorsita devname="oeius" devid="trud" vd=aco date=2019-6-11 time=11:51:06 logid=uei type=tsedqu subtype=agni level=very-high 
eventtime=rsint logtime=catc srcip=10.186.253.240 srcport=6982 srcintf=enp0s5429 srcintfrole=end dstip=10.233.128.7 dstport=2455 dstintf=eth5315 dstintfrole=onnumq poluuid=lupt sessionid=ugiatq proto=prm action=cancel policyid=utla policytype=iosamn crscore=164.209000 craction=tor crlevel=toreve appcat=ita service=orain srccountry=tnulap dstcountry=aevitae trandisp=aqu tranip=10.66.149.234 tranport=6236 duration=128.130000 sentbyte=6344 rcvdbyte=475 sentpkt=loremeu app=tate -logver=elaud dtime=2019-06-25 18:53:40.352538723 +0000 UTC devid=iad devname=irat vd=upi date=2019-6-25 time=6:53:40 logid=rsintocc type=itanim subtype=sinto level=medium eventtime=lore logtime=eabi srcip=10.227.133.134 srcport=3351 srcintf=enp0s4820 srcintfrole=erspici dstip=10.46.11.114 dstport=4009 dstintf=enp0s7159 dstintfrole=oremq poluuid=rspiciat sessionid=ptas proto=tcp action=cancel policyid=ore policytype=dut crscore=128.554000 craction=remape crlevel=itectob appcat=sedquia service=mquisnos srccountry=mwritt dstcountry=avolupt trandisp=lumdolo tranip=10.173.140.201 tranport=6422 duration=133.394000 sentbyte=7249 rcvdbyte=1387 sentpkt=str app=sit -logver=elillum dtime=2019-07-10 01:56:14.612538723 +0000 UTC devid=isnos devname=emp vd=eos date=2019-7-10 time=1:56:14 logid=sciveli type=Bonoru subtype=rai level=low eventtime=omm logtime=cepteu srcip=10.205.18.11 srcport=6737 srcintf=eth4759 srcintfrole=ueipsa dstip=10.69.130.207 dstport=1191 dstintf=eth614 dstintfrole=architec poluuid=era sessionid=ptatem proto=udp action=cancel policyid=isi policytype=ssecill crscore=44.181000 craction=exerci crlevel=ptatemUt appcat=temqu service=ofd srccountry=nimvenia dstcountry=ari trandisp=eir tranip=10.170.236.123 tranport=4346 duration=150.036000 sentbyte=6877 rcvdbyte=1751 sentpkt=orum app=tation -logver=repre date=2019-7-24 time=8:58:48 log_id=ore devid=ionemu devname=rehend logid=uiad type=tasu subtype=sciun level=high vd=taev srcip=10.196.124.206 srcport=7569 srcintf=enp0s2181 
dstip=10.186.88.110 dstport=4203 dstintf=enp0s5497 poluuid=asnulapa sessionid=hende proto=0 action=deny policyid=ntmolli trandisp=uto duration=178.755000 sentbyte=6361 rcvdbyte=1742 devtype=ipsu osname=taedi osversion=1.2682 mastersrcmac=acom srcmac=01:00:5e:99:e3:a5 crscore=175.099000 craction=Cic crlevel=aturveli eventtype=lica user=Exc service=amvolup hostname=velill3821.mail.invalid profile=asnulap reqtype=usmodte url=https://example.com/loremag/mqu.gif?bore=lapari#aborios direction=external msg=lorem method=mnisiuta cat=quiadolo catdesc=abo device_id=msequine log_id=mrem pri=medium userfrom=atuserr adminprof=nsequatu timezone=ET main_type=uptasnu trigger_policy=atemUt sub_type=iurere severity_level=oident policy=volup src=10.97.254.192 src_port=302 dst=10.124.34.251 dst_port=3899 http_method=imide http_url=sequa http_host=ine http_agent=ollitan http_session_id=eacomm signature_subclass=onseq signature_id=6250 srccountry=reetd content_switch_name=equamnih server_pool_name=tevelite false_positive_mitigation=sitvolup user_name=epor monitor_status=atatnonp http_refer=https://example.org/elauda/ria.htm?uptatemU=iono#quun http_version=itationu dev_id=eniamqui threat_weight=adolo history_threat_weight=oreetdol threat_level=uinesciu ftp_mode=sciun ftp_cmd=tametc cipher_suite=rExcep msg_id=avolup -logver=olores devname="ineavol" devid="bori" vd=taev date=2019-8-7 time=4:01:23 logid=ngelit type=uidexea subtype=stiaec level=very-high eventtime=quipex logtime=rsintoc srcip=10.9.41.221 srcport=4010 srcintf=eth434 srcintfrole=estlabor dstip=10.81.58.91 dstport=2247 dstintf=lo6072 dstintfrole=udexerci poluuid=onemul sessionid=elaud proto=tcp action=cancel policyid=trudexe policytype=tiumtota crscore=53.861000 craction=ariaturE crlevel=fug appcat=umqu service=umqu srccountry=roide dstcountry=tio trandisp=autem tranip=10.204.98.238 tranport=3885 duration=108.380000 sentbyte=2498 rcvdbyte=3936 sentpkt=aquioffi app=aliqui -date=2019-8-21 time=11:03:57 devname=unti device_id=tena 
log_id=velits type=event subtype=oditautf pri=high desc=rmagni user=tiono userfrom=utemvele msg=taevi action=cancel adom=xplicabo4308.www.example session_id=tquo -logver=nrepr devname="uipex" devid="alorumw" vd=nibus date=2019-9-5 time=6:06:31 logid=eiusmo type=rci subtype=seosquir level=medium eventtime=ume logtime=ercitati srcip=10.35.84.125 srcport=341 srcintf=enp0s2388 srcintfrole=pernatu dstip=10.37.120.29 dstport=4170 dstintf=enp0s1127 dstintfrole=tasuntex poluuid=etura sessionid=taedi proto=udp action=accept policyid=quiacon policytype=udexerc crscore=66.169000 craction=undeomni crlevel=ritquiin appcat=taspern service=iadeser srccountry=nos dstcountry=mollita trandisp=eserun tranip=10.212.208.70 tranport=3237 duration=36.569000 sentbyte=5330 rcvdbyte=11 sentpkt=otamr app=eveli -logver=temsequi devname="aturvel" devid="elaudan" vd=alorum date=2019-9-19 time=1:09:05 logid=olor type=inesc subtype=tlaborio level=high eventtime=equeporr logtime=seq srcip=10.143.65.84 srcport=2670 srcintf=enp0s5828 srcintfrole=ddoeiu dstip=10.199.201.26 dstport=3770 dstintf=eth4236 dstintfrole=ore poluuid=onse sessionid=abo proto=1 action=accept policyid=magnaa policytype=tateveli crscore=94.258000 craction=xplica crlevel=dex appcat=rsintocc service=iusmo srccountry=oquisqu dstcountry=ullamcor trandisp=remagn tranip=10.207.207.106 tranport=2048 duration=94.877000 sentbyte=6896 rcvdbyte=7419 sentpkt=tvolup app=ites -logver=rExce dtime=2019-10-03 20:11:40.172538723 +0000 UTC devid=rittenby devname=gni vd=ritq date=2019-10-3 time=8:11:40 logid=lestiaec type=rissusci subtype=fdeFi level=high eventtime=ehende logtime=riatu srcip=10.204.27.48 srcport=5998 srcintf=lo7358 srcintfrole=emaperia dstip=10.163.236.253 dstport=7768 dstintf=enp0s2100 dstintfrole=sequatu poluuid=ugi sessionid=oditau proto=1 action=block policyid=mvele policytype=atae crscore=123.668000 craction=imips crlevel=admi appcat=ocons service=tiumdol srccountry=sunt dstcountry=rrorsi trandisp=remagna tranip=10.41.61.88 
tranport=426 duration=82.943000 sentbyte=525 rcvdbyte=3702 sentpkt=dolor app=ips -logver=ipitlab dtime=2019-10-18 03:14:14.432538723 +0000 UTC devid=ipsa devname=dents vd=erepreh date=2019-10-18 time=3:14:14 logid=amest type=dolore subtype=xer level=medium eventtime=onemul logtime=off srcip=10.246.81.164 srcport=3453 srcintf=lo3071 srcintfrole=ende dstip=10.185.44.26 dstport=3193 dstintf=lo7861 dstintfrole=tationul poluuid=tam sessionid=byCic proto=0 action=cancel policyid=cons policytype=serro crscore=5.473000 craction=uiac crlevel=aecatcu appcat=sed service=uisnostr srccountry=aquei dstcountry=ation trandisp=sumqu tranip=10.53.110.111 tranport=2549 duration=141.141000 sentbyte=5569 rcvdbyte=5239 sentpkt=entore app=uaturQ -logver=xpli date=2019-11-1 time=10:16:48 log_id=quae devid=totamre devname=lam logid=quamestq type=porai subtype=oinve level=medium vd=hender srcip=10.84.154.230 srcport=1335 srcintf=enp0s1127 dstip=10.212.63.179 dstport=6790 dstintf=eth1762 poluuid=eufugia sessionid=temqu proto=3 action=allow policyid=tvolup trandisp=lori duration=130.339000 sentbyte=4763 rcvdbyte=4334 devtype=rnatur osname=etdolo osversion=1.802 mastersrcmac=adipisci srcmac=01:00:5e:7b:68:0e crscore=36.122000 craction=culpaq crlevel=quis eventtype=lupt user=upt service=aboN hostname=cupida6106.www5.local profile=tdo reqtype=asperna url=https://api.example.com/aco/empo.jpg?iumdol=iusm#ido direction=unknown msg=peri method=aspernat cat=seq catdesc=olup device_id=uamqu log_id=veli pri=high userfrom=etco adminprof=nulap timezone=CT main_type=radip trigger_policy=tali sub_type=ntin severity_level=loreseos policy=ites src=10.109.172.90 src_port=2785 dst=10.146.77.206 dst_port=1554 http_method=amnihilm http_url=ipsamv http_host=proid http_agent=xcep http_session_id=udantium signature_subclass=sum signature_id=1723 srccountry=iaecon content_switch_name=euf server_pool_name=norume false_positive_mitigation=hilmo user_name=aquaeab monitor_status=eporr 
http_refer=https://www.example.com/metMalo/santiu.jpg?icon=enderit#roquisqu http_version=lapa dev_id=imadm threat_weight=giatquo history_threat_weight=oeiusm threat_level=oreeuf ftp_mode=iusmodt ftp_cmd=umwrit cipher_suite=atatn msg_id=uatD -date=2019-11-15 time=5:19:22 devname=ptate device_id=Nemoe log_id=cupidat type=generic subtype=onsequ pri=high devid=nostr devname=umtotam logid=mqua type=emU subtype=gnido level=very-high vd=plicab srcip=10.8.161.226 srcport=3191 srcintf=eth5256 dstip=10.13.234.237 dstport=3760 dstintf=enp0s1149 poluuid=oeiusmo sessionid=nisi proto=6 action=allow policyid=lupt trandisp=tlaborio duration=18.804000 sentbyte=1061 rcvdbyte=6464 devtype=itan osname=iquidexe osversion=1.2314 mastersrcmac=fugia srcmac=01:00:5e:09:8f:0e crscore=5.320000 craction=onof crlevel=quam eventtype=rure user=ipis service=liqu hostname=unt2122.internal.local profile=orsitame reqtype=tassitas url=https://example.org/uidolor/turve.htm?temporai=uasiarch#ect direction=unknown msg=occae method=lpaqu cat=minimav catdesc=col device_id=riamea log_id=ern pri=low userfrom=odtempo adminprof=con timezone=CEST main_type=offici trigger_policy=uipexe sub_type=ium severity_level=quamqua policy=nsequatu src=10.38.18.72 src_port=3177 dst=10.202.250.141 dst_port=1824 http_method=volu http_url=quatDui http_host=stenat http_agent=liquip http_session_id=eiusmodt signature_subclass=dmi signature_id=4174 srccountry=ameaque content_switch_name=pitlabor server_pool_name=essequa false_positive_mitigation=ini user_name=maperia monitor_status=ovolup http_refer=https://mail.example.com/veniamq/uisno.htm?luptas=omm#eaquei http_version=iveli dev_id=lill threat_weight=voluptat history_threat_weight=aturveli threat_level=incidunt ftp_mode=tatnonp ftp_cmd=abi cipher_suite=nimave msg_id=atu -logver=siu date=2019-11-30 time=12:21:57 log_id=inrepr devid=cero devname=ita logid=xercitat type=meumfug subtype=umt level=very-high vd=laparia srcip=10.195.87.127 srcport=760 srcintf=lo3094 
dstip=10.52.118.202 dstport=6556 dstintf=enp0s5751 poluuid=ectobe sessionid=rehender proto=udp action=block policyid=orinc trandisp=tcons duration=52.473000 sentbyte=7043 rcvdbyte=4714 devtype=suscipi osname=imipsam osversion=1.4674 mastersrcmac=hilm srcmac=01:00:5e:73:ca:c1 crscore=54.412000 craction=etd crlevel=erspici eventtype=tfug user=atatno service=sed hostname=luptat2613.internal.localhost profile=olupt reqtype=mipsum url=https://www.example.net/Maloru/lapariat.htm?tlabori=rehender#odtempo direction=inbound msg=alorum method=tmollit cat=bori catdesc=antium device_id=reetdo log_id=rchitec pri=medium userfrom=cipitlab adminprof=venia timezone=CT main_type=quid trigger_policy=mwrit sub_type=cid severity_level=lupt policy=adipisc src=10.182.124.88 src_port=116 dst=10.139.144.75 dst_port=5037 http_method=utodi http_url=isiutali http_host=oremeu http_agent=mquaerat http_session_id=conse signature_subclass=mestq signature_id=5535 srccountry=turQuisa content_switch_name=itasper server_pool_name=cidu false_positive_mitigation=ips user_name=modo monitor_status=ela http_refer=https://example.org/unti/niamqu.html?ris=veli#giatnu http_version=tanimide dev_id=ectetur threat_weight=umexer history_threat_weight=nim threat_level=nisiuta ftp_mode=cipitla ftp_cmd=ditautf cipher_suite=oluptasn msg_id=madmin -date=2019-12-14 time=7:24:31 logver=imadm devid=stla devname=cab logid=orr type=olu subtype=quatDu level=low vd=siste srcip=10.151.47.249 srcport=6697 srcintf=lo5632 dstip=10.155.194.6 dstport=3005 dstintf=enp0s6106 poluuid=quatDu sessionid=deFinib proto=HOPOPT action=block policyid=taedic trandisp=ffi duration=130.219000 sentbyte=2693 rcvdbyte=568 devtype=consequ osname=rumw osversion=1.1386 mastersrcmac=temveleu srcmac=01:00:5e:df:96:27 crscore=104.315000 craction=item crlevel=remipsum eventtype=olupt user=usc service=ernat hostname=neavo4796.internal.domain profile=tatemac reqtype=exer url=https://www5.example.com/xea/ssecill.html?quianonn=quun#one direction=internal 
msg=riame method=uaUte cat=quae catdesc=utlabor device_id=ameius log_id=tate pri=very-high userfrom=lupta adminprof=atemseq timezone=CEST main_type=amcolab trigger_policy=ectobea sub_type=itsedq severity_level=pta policy=remipsu src=10.35.10.19 src_port=3941 dst=10.188.124.185 dst_port=5837 http_method=tali http_url=tasper http_host=amquisn http_agent=esciu http_session_id=iamea signature_subclass=perspi signature_id=7117 srccountry=emaccus content_switch_name=expl server_pool_name=giat false_positive_mitigation=uscipi user_name=dolo monitor_status=tionevol http_refer=https://internal.example.com/uptatema/dutpers.htm?tion=iumdol#ept http_version=Mal dev_id=tquasia threat_weight=ficiad history_threat_weight=roinBC threat_level=eufu ftp_mode=tio ftp_cmd=equatDu cipher_suite=exea msg_id=tasnulap diff --git a/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json deleted file mode 100644 index 09250acd07b..00000000000 --- a/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json +++ /dev/null 
@@ -1,8095 +0,0 @@ -[ - { - "@timestamp": "2016-01-29T08:09:59.000Z", - "destination.bytes": 449, - "destination.geo.country_name": "sequa", - "destination.ip": "10.44.173.44", - "destination.nat.ip": "10.189.58.145", - "destination.nat.port": 5273, - "destination.port": 6125, - "event.action": "allow", - "event.code": "sse", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=iusm devname=\"modtempo\" devid=\"olab\" vd=nto date=2016-1-29 time=6:09:59 logid=sse type=exercita subtype=der level=very-high eventtime=odoco logtime=ria srcip=10.20.234.169 srcport=1001 srcintf=eth5722 srcintfrole=vol dstip=10.44.173.44 dstport=6125 dstintf=enp0s3068 dstintfrole=nseq poluuid=itinvol sessionid=psa proto=21 action=allow policyid=ntium policytype=psaq crscore=13.800000 craction=eab crlevel=aliqu appcat=Ute service=lupt srccountry=dolore dstcountry=sequa trandisp=abo tranip=10.189.58.145 tranport=5273 duration=14.119000 sentbyte=7880 rcvdbyte=449 sentpkt=mqui app=nci", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "very-high", - "log.offset": 0, - "network.bytes": 8329, - "observer.egress.interface.name": "enp0s3068", - "observer.ingress.interface.name": "eth5722", - "observer.product": "FortiManager", - "observer.serial_number": "olab", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "modtempo" - ], - "related.ip": [ - "10.189.58.145", - "10.20.234.169", - "10.44.173.44" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "der", - "rsa.misc.context": "abo", - "rsa.misc.event_source": "modtempo", - "rsa.misc.event_type": "exercita", - "rsa.misc.hardware_id": "olab", - "rsa.misc.log_session_id": "psa", - "rsa.misc.obj_name": "nci", - "rsa.misc.policy_id": "ntium", - "rsa.misc.reference_id": "sse", - "rsa.misc.severity": "very-high", - "rsa.misc.vsys": "nto", - "rsa.network.dinterface": 
"enp0s3068", - "rsa.network.network_service": "lupt", - "rsa.network.sinterface": "eth5722", - "rsa.time.duration_time": 14.119, - "rsa.time.event_time": "2016-01-29T08:09:59.000Z", - "rsa.time.event_time_str": "odoco", - "rsa.web.reputation_num": 13.8, - "service.type": "fortinet", - "source.bytes": 7880, - "source.geo.country_name": "dolore", - "source.ip": "10.20.234.169", - "source.port": 1001, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2016-02-12T03:12:33.000Z", - "destination.bytes": 3879, - "destination.ip": "10.171.204.166", - "destination.port": 6668, - "event.action": "accept", - "event.code": "atio", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "date=2016-2-12 time=1:12:33 logver=litesse devid=orev devname=pisciv logid=uii type=umexe subtype=estlabo level=high vd=iatnu srcip=10.182.84.248 srcport=4880 srcintf=enp0s208 dstip=10.162.33.193 dstport=7200 dstintf=enp0s2581 poluuid=nulapari sessionid=mwritten proto=prm action=accept policyid=uidolor trandisp=nibus duration=72.226000 sentbyte=6378 rcvdbyte=3879 devtype=riosam osname=anonnu osversion=1.410 mastersrcmac=ameaqu srcmac=01:00:5e:84:66:6c crscore=145.047000 craction=squame crlevel=ntex eventtype=eius user=luptat service=emape hostname=aer445.host profile=eumiu reqtype=uame url=https://www.example.net/orisn/cca.htm?ofdeF=metcons#roinBCS direction=external msg=com method=eataevi cat=byC catdesc=tinculp device_id=tur log_id=atio pri=high userfrom=atemsequ adminprof=nci timezone=CEST main_type=eFini trigger_policy=amco sub_type=exe severity_level=iatu policy=ionofde src=10.62.4.246 src_port=189 dst=10.171.204.166 dst_port=6668 http_method=mol http_url=taspe http_host=mvolu http_agent=radip http_session_id=tNequ signature_subclass=gelit signature_id=6728 srccountry=tconsec content_switch_name=nsequat server_pool_name=taev false_positive_mitigation=roidents user_name=oluptas monitor_status=llu 
http_refer=https://api.example.org/tamremap/tur.html?radipis=isetq#estqui http_version=uasiarch dev_id=emaper threat_weight=ssitasp history_threat_weight=eum threat_level=sum ftp_mode=uaerat ftp_cmd=boreet cipher_suite=onev msg_id=tenima", - "event.timezone": "CEST", - "fileset.name": "fortimanager", - "host.name": "aer445.host", - "http.request.referrer": "https://api.example.org/tamremap/tur.html?radipis=isetq#estqui", - "input.type": "log", - "log.level": "high", - "log.offset": 593, - "network.bytes": 10257, - "network.direction": "external", - "observer.egress.interface.name": "enp0s2581", - "observer.ingress.interface.name": "enp0s208", - "observer.product": "FortiManager", - "observer.serial_number": "tur", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.410", - "related.hosts": [ - "aer445.host", - "mvolu", - "pisciv" - ], - "related.ip": [ - "10.171.204.166", - "10.62.4.246" - ], - "related.user": [ - "oluptas" - ], - "rsa.internal.event_desc": "com", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "eius", - "rsa.misc.OS": "anonnu", - "rsa.misc.action": [ - "accept", - "mol" - ], - "rsa.misc.category": "exe", - "rsa.misc.client": "radip", - "rsa.misc.context": "nibus", - "rsa.misc.event_source": "pisciv", - "rsa.misc.event_type": "umexe", - "rsa.misc.fcatnum": "byC", - "rsa.misc.filter": "tinculp", - "rsa.misc.hardware_id": "tur", - "rsa.misc.log_session_id": "tNequ", - "rsa.misc.policy_id": "uidolor", - "rsa.misc.policy_name": "ionofde", - "rsa.misc.reference_id": "atio", - "rsa.misc.rule_name": "eumiu", - "rsa.misc.severity": "high", - "rsa.misc.sig_id": 6728, - "rsa.misc.version": "1.410", - "rsa.misc.vsys": "iatnu", - "rsa.network.alias_host": [ - "aer445.host" - ], - "rsa.network.dinterface": "enp0s2581", - "rsa.network.network_service": "emape", - "rsa.network.sinterface": "enp0s208", - "rsa.threat.threat_desc": "sum", - "rsa.time.duration_time": 72.226, - 
"rsa.time.event_time": "2016-02-12T03:12:33.000Z", - "rsa.time.timezone": "CEST", - "rsa.web.reputation_num": 145.047, - "rsa.web.web_ref_domain": "mvolu", - "rule.name": "eumiu", - "service.type": "fortinet", - "source.bytes": 6378, - "source.geo.country_name": "tconsec", - "source.ip": "10.62.4.246", - "source.mac": "01:00:5e:84:66:6c", - "source.port": 189, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "www.example.net", - "url.extension": "htm", - "url.fragment": "roinBCS", - "url.original": "https://www.example.net/orisn/cca.htm?ofdeF=metcons#roinBCS", - "url.path": "/orisn/cca.htm", - "url.query": [ - "ofdeF=metcons", - "taspe" - ], - "url.scheme": "https", - "user.name": "oluptas" - }, - { - "@timestamp": "2016-02-26T10:15:08.000Z", - "destination.bytes": 13, - "destination.geo.country_name": "ima", - "destination.ip": "10.94.103.117", - "destination.nat.ip": "10.15.159.80", - "destination.nat.port": 6378, - "destination.port": 513, - "event.action": "allow", - "event.code": "tia", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=seq dtime=2016-02-26 20:15:08.252538723 +0000 UTC devid=olorema devname=ccaecat vd=veleumi date=2016-2-26 time=8:15:08 logid=tia type=enim subtype=dqu level=medium eventtime=uian logtime=tempo srcip=10.200.188.142 srcport=4665 srcintf=eth4496 srcintfrole=eetd dstip=10.94.103.117 dstport=513 dstintf=enp0s3491 dstintfrole=doloreeu poluuid=pori sessionid=occ proto=icmp action=allow policyid=reetdolo policytype=nrepreh crscore=18.839000 craction=uiano crlevel=mrema appcat=autfu service=natura srccountry=aboris dstcountry=ima trandisp=tanimi tranip=10.15.159.80 tranport=6378 duration=121.916000 sentbyte=6517 rcvdbyte=13 sentpkt=ugiatqu app=eacomm", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "medium", - "log.offset": 2051, - "network.bytes": 6530, - "observer.egress.interface.name": "enp0s3491", - 
"observer.ingress.interface.name": "eth4496", - "observer.product": "FortiManager", - "observer.serial_number": "olorema", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "ccaecat" - ], - "related.ip": [ - "10.15.159.80", - "10.200.188.142", - "10.94.103.117" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "dqu", - "rsa.misc.context": "tanimi", - "rsa.misc.event_source": "ccaecat", - "rsa.misc.event_type": "enim", - "rsa.misc.hardware_id": "olorema", - "rsa.misc.log_session_id": "occ", - "rsa.misc.obj_name": "eacomm", - "rsa.misc.policy_id": "reetdolo", - "rsa.misc.reference_id": "tia", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "veleumi", - "rsa.network.dinterface": "enp0s3491", - "rsa.network.network_service": "natura", - "rsa.network.sinterface": "eth4496", - "rsa.time.duration_time": 121.916, - "rsa.time.event_time": "2016-02-26T10:15:08.000Z", - "rsa.time.event_time_str": "uian", - "rsa.web.reputation_num": 18.839, - "service.type": "fortinet", - "source.bytes": 6517, - "source.geo.country_name": "aboris", - "source.ip": "10.200.188.142", - "source.port": 4665, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2016-03-12T05:17:42.000Z", - "destination.bytes": 3269, - "destination.geo.country_name": "amquisno", - "destination.ip": "10.50.112.141", - "destination.nat.ip": "10.27.88.95", - "destination.nat.port": 776, - "destination.port": 7303, - "event.action": "cancel", - "event.code": "nimadmi", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=liqu devname=\"lorem\" devid=\"emq\" vd=isiu date=2016-3-12 time=3:17:42 logid=nimadmi type=iatisu subtype=iat level=low eventtime=suntinc logtime=elits srcip=10.131.233.27 srcport=5037 srcintf=eth3676 srcintfrole=eataevit dstip=10.50.112.141 dstport=7303 dstintf=eth3391 dstintfrole=olab poluuid=mquisnos 
sessionid=loremagn proto=1 action=cancel policyid=tsed policytype=orai crscore=61.614000 craction=incididu crlevel=eci appcat=aali service=ametcons srccountry=porainc dstcountry=amquisno trandisp=iinea tranip=10.27.88.95 tranport=776 duration=5.911000 sentbyte=1147 rcvdbyte=3269 sentpkt=tvol app=moll", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "low", - "log.offset": 2708, - "network.bytes": 4416, - "observer.egress.interface.name": "eth3391", - "observer.ingress.interface.name": "eth3676", - "observer.product": "FortiManager", - "observer.serial_number": "emq", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "lorem" - ], - "related.ip": [ - "10.131.233.27", - "10.27.88.95", - "10.50.112.141" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "iat", - "rsa.misc.context": "iinea", - "rsa.misc.event_source": "lorem", - "rsa.misc.event_type": "iatisu", - "rsa.misc.hardware_id": "emq", - "rsa.misc.log_session_id": "loremagn", - "rsa.misc.obj_name": "moll", - "rsa.misc.policy_id": "tsed", - "rsa.misc.reference_id": "nimadmi", - "rsa.misc.severity": "low", - "rsa.misc.vsys": "isiu", - "rsa.network.dinterface": "eth3391", - "rsa.network.network_service": "ametcons", - "rsa.network.sinterface": "eth3676", - "rsa.time.duration_time": 5.911, - "rsa.time.event_time": "2016-03-12T05:17:42.000Z", - "rsa.time.event_time_str": "suntinc", - "rsa.web.reputation_num": 61.614, - "service.type": "fortinet", - "source.bytes": 1147, - "source.geo.country_name": "porainc", - "source.ip": "10.131.233.27", - "source.port": 5037, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2016-03-26T12:20:16.000Z", - "destination.bytes": 3982, - "destination.ip": "10.157.213.15", - "destination.port": 3539, - "event.action": "allow", - "event.code": "ddoeiu", - "event.dataset": "fortinet.fortimanager", - "event.module": 
"fortinet", - "event.original": "date=2016-3-26 time=10:20:16 logver=inim devid=ema devname=roinBCSe logid=onse type=tae subtype=tatno level=very-high vd=oluptate srcip=10.52.54.178 srcport=4427 srcintf=lo1567 dstip=10.37.58.155 dstport=2430 dstintf=eth6096 poluuid=ciati sessionid=ercit proto=3 action=allow policyid=eniam trandisp=reetdolo duration=165.411000 sentbyte=7651 rcvdbyte=3982 devtype=rumet osname=oll osversion=1.5670 mastersrcmac=nido srcmac=01:00:5e:c3:0a:41 crscore=71.955000 craction=itlabori crlevel=Ciceroi eventtype=aveniam user=uradi service=nimadmin hostname=olo7148.mail.home profile=snulapar reqtype=aedic url=https://api.example.com/iumto/aboreetd.gif?dun=enim#saute direction=internal msg=eriame method=lorema cat=avol catdesc=labor device_id=atuse log_id=ddoeiu pri=high userfrom=idolore adminprof=onse timezone=PST main_type=tation trigger_policy=ips sub_type=emeumfug severity_level=upta policy=omn src=10.87.212.179 src_port=1758 dst=10.157.213.15 dst_port=3539 http_method=ali http_url=nsect http_host=ntutl http_agent=caecatc http_session_id=onsequat signature_subclass=siuta signature_id=2896 srccountry=loru content_switch_name=ema server_pool_name=par false_positive_mitigation=itaut user_name=rveli monitor_status=rsint http_refer=https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf http_version=antiumto dev_id=strude threat_weight=ctetura history_threat_weight=usmod threat_level=edqui ftp_mode=mquidol ftp_cmd=ita cipher_suite=ipi msg_id=rsitamet", - "event.timezone": "PST", - "fileset.name": "fortimanager", - "host.name": "olo7148.mail.home", - "http.request.referrer": "https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf", - "input.type": "log", - "log.level": "high", - "log.offset": 3319, - "network.bytes": 11633, - "network.direction": "internal", - "network.protocol": "GGP", - "observer.egress.interface.name": "eth6096", - "observer.ingress.interface.name": "lo1567", - "observer.product": "FortiManager", - "observer.serial_number": 
"atuse", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.5670", - "related.hosts": [ - "ntutl", - "olo7148.mail.home", - "roinBCSe" - ], - "related.ip": [ - "10.157.213.15", - "10.87.212.179" - ], - "related.user": [ - "rveli" - ], - "rsa.internal.event_desc": "eriame", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "aveniam", - "rsa.misc.OS": "oll", - "rsa.misc.action": [ - "ali", - "allow" - ], - "rsa.misc.category": "emeumfug", - "rsa.misc.client": "caecatc", - "rsa.misc.context": "reetdolo", - "rsa.misc.event_source": "roinBCSe", - "rsa.misc.event_type": "tae", - "rsa.misc.fcatnum": "avol", - "rsa.misc.filter": "labor", - "rsa.misc.hardware_id": "atuse", - "rsa.misc.log_session_id": "onsequat", - "rsa.misc.policy_id": "eniam", - "rsa.misc.policy_name": "omn", - "rsa.misc.reference_id": "ddoeiu", - "rsa.misc.rule_name": "snulapar", - "rsa.misc.severity": "high", - "rsa.misc.sig_id": 2896, - "rsa.misc.version": "1.5670", - "rsa.misc.vsys": "oluptate", - "rsa.network.alias_host": [ - "olo7148.mail.home" - ], - "rsa.network.dinterface": "eth6096", - "rsa.network.network_service": "nimadmin", - "rsa.network.sinterface": "lo1567", - "rsa.threat.threat_desc": "edqui", - "rsa.time.duration_time": 165.411, - "rsa.time.event_time": "2016-03-26T12:20:16.000Z", - "rsa.time.timezone": "PST", - "rsa.web.reputation_num": 71.955, - "rsa.web.web_ref_domain": "ntutl", - "rule.name": "snulapar", - "service.type": "fortinet", - "source.bytes": 7651, - "source.geo.country_name": "loru", - "source.ip": "10.87.212.179", - "source.mac": "01:00:5e:c3:0a:41", - "source.port": 1758, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "api.example.com", - "url.extension": "gif", - "url.fragment": "saute", - "url.original": "https://api.example.com/iumto/aboreetd.gif?dun=enim#saute", - "url.path": "/iumto/aboreetd.gif", - "url.query": [ - "dun=enim", - "nsect" - ], - "url.scheme": 
"https", - "user.name": "rveli" - }, - { - "@timestamp": "2016-04-09T07:22:51.000Z", - "destination.bytes": 927, - "destination.ip": "10.76.73.140", - "destination.port": 3075, - "event.action": "accept", - "event.code": "moenimi", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "date=2016-4-9 time=5:22:51 logver=eseru devid=remeum devname=orain logid=quip type=oin subtype=uisquam level=high vd=tinvol srcip=10.19.68.92 srcport=1409 srcintf=enp0s33 dstip=10.38.22.45 dstport=7036 dstintf=lo1120 poluuid=ditautfu sessionid=piscing proto=icmp action=accept policyid=ostr trandisp=rudexerc duration=135.013000 sentbyte=3369 rcvdbyte=927 devtype=itaut osname=imaven osversion=1.152 mastersrcmac=umdolo srcmac=01:00:5e:f7:4a:fd crscore=169.252000 craction=tfug crlevel=icab eventtype=mwr user=fugi service=inculpaq hostname=agna7678.internal.host profile=equa reqtype=mexercit url=https://www.example.net/tasuntex/sunt.txt?ume=incidi#picia direction=unknown msg=olupt method=dit cat=sumquiad catdesc=dexeaco device_id=ivelits log_id=moenimi pri=medium userfrom=etdolo adminprof=inv timezone=CEST main_type=ommod trigger_policy=sequatur sub_type=uidolo severity_level=lumquido policy=nihi src=10.114.150.67 src_port=1407 dst=10.76.73.140 dst_port=3075 http_method=uines http_url=nsec http_host=onse http_agent=emips http_session_id=imadmi signature_subclass=ostrume signature_id=6051 srccountry=eataev content_switch_name=liquide server_pool_name=uasia false_positive_mitigation=emp user_name=aperia monitor_status=ofdeFini http_refer=https://example.org/vol/riat.htm?atvol=umiur#imad http_version=msequi dev_id=isnostru threat_weight=iquaUten history_threat_weight=santium threat_level=iciatisu ftp_mode=rehender ftp_cmd=eporroqu cipher_suite=uat msg_id=tem", - "event.timezone": "CEST", - "fileset.name": "fortimanager", - "host.name": "agna7678.internal.host", - "http.request.referrer": "https://example.org/vol/riat.htm?atvol=umiur#imad", - 
"input.type": "log", - "log.level": "medium", - "log.offset": 4778, - "network.bytes": 4296, - "network.direction": "unknown", - "observer.egress.interface.name": "lo1120", - "observer.ingress.interface.name": "enp0s33", - "observer.product": "FortiManager", - "observer.serial_number": "ivelits", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.152", - "related.hosts": [ - "agna7678.internal.host", - "onse", - "orain" - ], - "related.ip": [ - "10.114.150.67", - "10.76.73.140" - ], - "related.user": [ - "aperia" - ], - "rsa.internal.event_desc": "olupt", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "mwr", - "rsa.misc.OS": "imaven", - "rsa.misc.action": [ - "accept", - "uines" - ], - "rsa.misc.category": "uidolo", - "rsa.misc.client": "emips", - "rsa.misc.context": "rudexerc", - "rsa.misc.event_source": "orain", - "rsa.misc.event_type": "oin", - "rsa.misc.fcatnum": "sumquiad", - "rsa.misc.filter": "dexeaco", - "rsa.misc.hardware_id": "ivelits", - "rsa.misc.log_session_id": "imadmi", - "rsa.misc.policy_id": "ostr", - "rsa.misc.policy_name": "nihi", - "rsa.misc.reference_id": "moenimi", - "rsa.misc.rule_name": "equa", - "rsa.misc.severity": "medium", - "rsa.misc.sig_id": 6051, - "rsa.misc.version": "1.152", - "rsa.misc.vsys": "tinvol", - "rsa.network.alias_host": [ - "agna7678.internal.host" - ], - "rsa.network.dinterface": "lo1120", - "rsa.network.network_service": "inculpaq", - "rsa.network.sinterface": "enp0s33", - "rsa.threat.threat_desc": "iciatisu", - "rsa.time.duration_time": 135.013, - "rsa.time.event_time": "2016-04-09T07:22:51.000Z", - "rsa.time.timezone": "CEST", - "rsa.web.reputation_num": 169.252, - "rsa.web.web_ref_domain": "onse", - "rule.name": "equa", - "service.type": "fortinet", - "source.bytes": 3369, - "source.geo.country_name": "eataev", - "source.ip": "10.114.150.67", - "source.mac": "01:00:5e:f7:4a:fd", - "source.port": 1407, - "tags": [ - 
"fortinet.fortimanager", - "forwarded" - ], - "url.domain": "www.example.net", - "url.extension": "txt", - "url.fragment": "picia", - "url.original": "https://www.example.net/tasuntex/sunt.txt?ume=incidi#picia", - "url.path": "/tasuntex/sunt.txt", - "url.query": [ - "nsec", - "ume=incidi" - ], - "url.scheme": "https", - "user.name": "aperia" - }, - { - "@timestamp": "2016-04-24T14:25:25.000Z", - "destination.bytes": 3605, - "destination.ip": "10.95.64.124", - "destination.port": 7042, - "event.action": "accept", - "event.code": "run", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=suntinc date=2016-4-24 time=12:25:25 log_id=xeac devid=nidolo devname=tatn logid=eli type=nnu subtype=dolo level=low vd=nse srcip=10.202.204.239 srcport=7783 srcintf=lo2857 dstip=10.147.28.176 dstport=7432 dstintf=enp0s1462 poluuid=mporain sessionid=icons proto=0 action=accept policyid=sequi trandisp=rehend duration=3.138000 sentbyte=6354 rcvdbyte=3605 devtype=numqu osname=qui osversion=1.4059 mastersrcmac=equi srcmac=01:00:5e:68:86:a1 crscore=72.701000 craction=tat crlevel=ipitla eventtype=quae user=maccusa service=uptat hostname=equep5085.mail.domain profile=aqu reqtype=rpo url=https://www.example.org/inesci/serror.html?mqu=apariat#tlabore direction=internal msg=ihilm method=atDu cat=eav catdesc=ionevo device_id=remagn log_id=run pri=very-high userfrom=iamquis adminprof=quirat timezone=CET main_type=ittenbyC trigger_policy=isc sub_type=aturve severity_level=emulla policy=mpori src=10.195.36.51 src_port=3905 dst=10.95.64.124 dst_port=7042 http_method=iadese http_url=nsectet http_host=utla http_agent=utei http_session_id=laborum signature_subclass=tionof signature_id=7613 srccountry=oin content_switch_name=lapari server_pool_name=data false_positive_mitigation=dolor user_name=nnum monitor_status=eritqu http_refer=https://internal.example.net/wri/bor.jpg?hitect=dol#leumiu http_version=namali dev_id=taevit threat_weight=rinrepre 
history_threat_weight=etconse threat_level=tincu ftp_mode=ari ftp_cmd=exercit cipher_suite=sci msg_id=quamnih", - "event.timezone": "CET", - "fileset.name": "fortimanager", - "host.name": "equep5085.mail.domain", - "http.request.referrer": "https://internal.example.net/wri/bor.jpg?hitect=dol#leumiu", - "input.type": "log", - "log.level": "very-high", - "log.offset": 6253, - "network.bytes": 9959, - "network.direction": "internal", - "observer.egress.interface.name": "enp0s1462", - "observer.ingress.interface.name": "lo2857", - "observer.product": "FortiManager", - "observer.serial_number": "remagn", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.4059", - "related.hosts": [ - "equep5085.mail.domain", - "tatn", - "utla" - ], - "related.ip": [ - "10.195.36.51", - "10.95.64.124" - ], - "related.user": [ - "nnum" - ], - "rsa.internal.event_desc": "ihilm", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "quae", - "rsa.misc.OS": "qui", - "rsa.misc.action": [ - "accept", - "iadese" - ], - "rsa.misc.category": "aturve", - "rsa.misc.client": "utei", - "rsa.misc.context": "rehend", - "rsa.misc.event_source": "tatn", - "rsa.misc.event_type": "nnu", - "rsa.misc.fcatnum": "eav", - "rsa.misc.filter": "ionevo", - "rsa.misc.hardware_id": "remagn", - "rsa.misc.log_session_id": "laborum", - "rsa.misc.policy_id": "sequi", - "rsa.misc.policy_name": "mpori", - "rsa.misc.reference_id": "run", - "rsa.misc.rule_name": "aqu", - "rsa.misc.severity": "very-high", - "rsa.misc.sig_id": 7613, - "rsa.misc.version": "1.4059", - "rsa.misc.vsys": "nse", - "rsa.network.alias_host": [ - "equep5085.mail.domain" - ], - "rsa.network.dinterface": "enp0s1462", - "rsa.network.network_service": "uptat", - "rsa.network.sinterface": "lo2857", - "rsa.threat.threat_desc": "tincu", - "rsa.time.duration_time": 3.138, - "rsa.time.event_time": "2016-04-24T14:25:25.000Z", - "rsa.time.timezone": "CET", - "rsa.web.reputation_num": 
72.701, - "rsa.web.web_ref_domain": "utla", - "rule.name": "aqu", - "service.type": "fortinet", - "source.bytes": 6354, - "source.geo.country_name": "oin", - "source.ip": "10.195.36.51", - "source.mac": "01:00:5e:68:86:a1", - "source.port": 3905, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "www.example.org", - "url.extension": "html", - "url.fragment": "tlabore", - "url.original": "https://www.example.org/inesci/serror.html?mqu=apariat#tlabore", - "url.path": "/inesci/serror.html", - "url.query": [ - "mqu=apariat", - "nsectet" - ], - "url.scheme": "https", - "user.name": "nnum" - }, - { - "@timestamp": "2016-05-08T09:27:59.000Z", - "destination.bytes": 3818, - "destination.geo.country_name": "sectetur", - "destination.ip": "10.186.85.3", - "destination.nat.ip": "10.114.16.155", - "destination.nat.port": 1608, - "destination.port": 5366, - "event.action": "allow", - "event.code": "tMalor", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=occae dtime=2016-05-08 07:27:59.552538723 +0000 UTC devid=ctetura devname=labore vd=texp date=2016-5-8 time=7:27:59 logid=tMalor type=acc subtype=amc level=very-high eventtime=amest logtime=corp srcip=10.176.216.90 srcport=2428 srcintf=eth2591 srcintfrole=dantiumt dstip=10.186.85.3 dstport=5366 dstintf=lo821 dstintfrole=ento poluuid=pic sessionid=evita proto=prm action=allow policyid=duntut policytype=magni crscore=102.339000 craction=uptat crlevel=uam appcat=boris service=nti srccountry=abi dstcountry=sectetur trandisp=uioffi tranip=10.114.16.155 tranport=1608 duration=62.941000 sentbyte=5110 rcvdbyte=3818 sentpkt=ipi app=reseos", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "very-high", - "log.offset": 7719, - "network.bytes": 8928, - "observer.egress.interface.name": "lo821", - "observer.ingress.interface.name": "eth2591", - "observer.product": "FortiManager", - "observer.serial_number": "ctetura", - "observer.type": 
"Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "labore" - ], - "related.ip": [ - "10.114.16.155", - "10.176.216.90", - "10.186.85.3" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "amc", - "rsa.misc.context": "uioffi", - "rsa.misc.event_source": "labore", - "rsa.misc.event_type": "acc", - "rsa.misc.hardware_id": "ctetura", - "rsa.misc.log_session_id": "evita", - "rsa.misc.obj_name": "reseos", - "rsa.misc.policy_id": "duntut", - "rsa.misc.reference_id": "tMalor", - "rsa.misc.severity": "very-high", - "rsa.misc.vsys": "texp", - "rsa.network.dinterface": "lo821", - "rsa.network.network_service": "nti", - "rsa.network.sinterface": "eth2591", - "rsa.time.duration_time": 62.941, - "rsa.time.event_time": "2016-05-08T09:27:59.000Z", - "rsa.time.event_time_str": "amest", - "rsa.web.reputation_num": 102.339, - "service.type": "fortinet", - "source.bytes": 5110, - "source.geo.country_name": "abi", - "source.ip": "10.176.216.90", - "source.port": 2428, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2016-05-22T04:30:33.000Z", - "destination.bytes": 3252, - "destination.ip": "10.61.163.4", - "destination.port": 1232, - "event.action": "cancel", - "event.code": "dictasu", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=mcolab date=2016-5-22 time=2:30:33 log_id=neav devid=oquisqu devname=sperna logid=eabilloi type=estia subtype=tper level=very-high vd=volupt srcip=10.188.169.107 srcport=2138 srcintf=eth6448 dstip=10.214.7.83 dstport=1696 dstintf=lo1616 poluuid=tenatu sessionid=uun proto=HOPOPT action=cancel policyid=ectio trandisp=dutper duration=4.781000 sentbyte=3423 rcvdbyte=3252 devtype=radi osname=gel osversion=1.3917 mastersrcmac=iduntu srcmac=01:00:5e:21:f5:0a crscore=57.435000 craction=uamqu crlevel=lor eventtype=oide user=dolore service=amvolu hostname=eturadi6608.mail.host profile=aera 
reqtype=ate url=https://api.example.com/nimid/itatione.htm?umwr=oluptate#issus direction=inbound msg=uaUteni method=udantium cat=pre catdesc=xeacom device_id=stlabo log_id=dictasu pri=low userfrom=catc adminprof=nsect timezone=GMT-07:00 main_type=asia trigger_policy=econs sub_type=uir severity_level=dol policy=essecil src=10.23.62.94 src_port=4368 dst=10.61.163.4 dst_port=1232 http_method=luptatem http_url=atem http_host=gnido http_agent=ratvolu http_session_id=olup signature_subclass=numqua signature_id=1411 srccountry=inculpa content_switch_name=abo server_pool_name=veniamqu false_positive_mitigation=nse user_name=non monitor_status=paquioff http_refer=https://www5.example.org/maven/hende.jpg?labor=didunt#uptatema http_version=intocc dev_id=liqu threat_weight=eporr history_threat_weight=xeacomm threat_level=mveleu ftp_mode=nofdeFin ftp_cmd=sequam cipher_suite=temvel msg_id=ris", - "event.timezone": "GMT-07:00", - "fileset.name": "fortimanager", - "host.name": "eturadi6608.mail.host", - "http.request.referrer": "https://www5.example.org/maven/hende.jpg?labor=didunt#uptatema", - "input.type": "log", - "log.level": "low", - "log.offset": 8364, - "network.bytes": 6675, - "network.direction": "inbound", - "observer.egress.interface.name": "lo1616", - "observer.ingress.interface.name": "eth6448", - "observer.product": "FortiManager", - "observer.serial_number": "stlabo", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.3917", - "related.hosts": [ - "eturadi6608.mail.host", - "gnido", - "sperna" - ], - "related.ip": [ - "10.23.62.94", - "10.61.163.4" - ], - "related.user": [ - "non" - ], - "rsa.internal.event_desc": "uaUteni", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "oide", - "rsa.misc.OS": "gel", - "rsa.misc.action": [ - "cancel", - "luptatem" - ], - "rsa.misc.category": "uir", - "rsa.misc.client": "ratvolu", - "rsa.misc.context": "dutper", - "rsa.misc.event_source": "sperna", - 
"rsa.misc.event_type": "estia", - "rsa.misc.fcatnum": "pre", - "rsa.misc.filter": "xeacom", - "rsa.misc.hardware_id": "stlabo", - "rsa.misc.log_session_id": "olup", - "rsa.misc.policy_id": "ectio", - "rsa.misc.policy_name": "essecil", - "rsa.misc.reference_id": "dictasu", - "rsa.misc.rule_name": "aera", - "rsa.misc.severity": "low", - "rsa.misc.sig_id": 1411, - "rsa.misc.version": "1.3917", - "rsa.misc.vsys": "volupt", - "rsa.network.alias_host": [ - "eturadi6608.mail.host" - ], - "rsa.network.dinterface": "lo1616", - "rsa.network.network_service": "amvolu", - "rsa.network.sinterface": "eth6448", - "rsa.threat.threat_desc": "mveleu", - "rsa.time.duration_time": 4.781, - "rsa.time.event_time": "2016-05-22T04:30:33.000Z", - "rsa.time.timezone": "GMT-07:00", - "rsa.web.reputation_num": 57.435, - "rsa.web.web_ref_domain": "gnido", - "rule.name": "aera", - "service.type": "fortinet", - "source.bytes": 3423, - "source.geo.country_name": "inculpa", - "source.ip": "10.23.62.94", - "source.mac": "01:00:5e:21:f5:0a", - "source.port": 4368, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "api.example.com", - "url.extension": "htm", - "url.fragment": "issus", - "url.original": "https://api.example.com/nimid/itatione.htm?umwr=oluptate#issus", - "url.path": "/nimid/itatione.htm", - "url.query": [ - "atem", - "umwr=oluptate" - ], - "url.scheme": "https", - "user.name": "non" - }, - { - "@timestamp": "2016-06-05T11:33:08.000Z", - "destination.bytes": 5074, - "destination.ip": "10.106.31.86", - "destination.port": 4198, - "event.action": "deny", - "event.code": "tium", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "date=2016-6-5 time=9:33:08 logver=nisiuta devid=tvolu devname=ecte logid=tinvolu type=iurer subtype=iciadese level=medium vd=gnaaliq srcip=10.52.135.156 srcport=2660 srcintf=eth4502 dstip=10.133.89.11 dstport=1098 dstintf=lo4901 poluuid=sintoc sessionid=volupt proto=1 action=deny policyid=uiinea 
trandisp=Utenima duration=111.502000 sentbyte=1871 rcvdbyte=5074 devtype=ptatem osname=Nequepor osversion=1.2580 mastersrcmac=ugiatnu srcmac=01:00:5e:4a:7f:b8 crscore=103.738000 craction=mnisi crlevel=scivelit eventtype=tDuisaut user=oinBC service=quameius hostname=ipsumdol4488.api.localdomain profile=ommodico reqtype=ptas url=https://example.com/tetu/stru.htm?tlabore=Exc#pora direction=unknown msg=uteirure method=nevo cat=ide catdesc=aali device_id=adip log_id=tium pri=very-high userfrom=iusmodi adminprof=uamest timezone=PST main_type=uiac trigger_policy=epte sub_type=idolo severity_level=quinesc policy=madmi src=10.28.76.42 src_port=3427 dst=10.106.31.86 dst_port=4198 http_method=sno http_url=atno http_host=tani http_agent=volu http_session_id=nonn signature_subclass=inventor signature_id=6088 srccountry=autf content_switch_name=quamni server_pool_name=iatisu false_positive_mitigation=sec user_name=cons monitor_status=sBon http_refer=https://www.example.com/tae/ccaec.htm?aperiame=isc#ullamcor http_version=tobea dev_id=tor threat_weight=qui history_threat_weight=ntmollit threat_level=tenatus ftp_mode=cipitlab ftp_cmd=ipsumd cipher_suite=antiu msg_id=uirati", - "event.timezone": "PST", - "fileset.name": "fortimanager", - "host.name": "ipsumdol4488.api.localdomain", - "http.request.referrer": "https://www.example.com/tae/ccaec.htm?aperiame=isc#ullamcor", - "input.type": "log", - "log.level": "very-high", - "log.offset": 9850, - "network.bytes": 6945, - "network.direction": "unknown", - "observer.egress.interface.name": "lo4901", - "observer.ingress.interface.name": "eth4502", - "observer.product": "FortiManager", - "observer.serial_number": "adip", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.2580", - "related.hosts": [ - "ecte", - "ipsumdol4488.api.localdomain", - "tani" - ], - "related.ip": [ - "10.106.31.86", - "10.28.76.42" - ], - "related.user": [ - "cons" - ], - "rsa.internal.event_desc": "uteirure", - 
"rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "tDuisaut", - "rsa.misc.OS": "Nequepor", - "rsa.misc.action": [ - "deny", - "sno" - ], - "rsa.misc.category": "idolo", - "rsa.misc.client": "volu", - "rsa.misc.context": "Utenima", - "rsa.misc.event_source": "ecte", - "rsa.misc.event_type": "iurer", - "rsa.misc.fcatnum": "ide", - "rsa.misc.filter": "aali", - "rsa.misc.hardware_id": "adip", - "rsa.misc.log_session_id": "nonn", - "rsa.misc.policy_id": "uiinea", - "rsa.misc.policy_name": "madmi", - "rsa.misc.reference_id": "tium", - "rsa.misc.rule_name": "ommodico", - "rsa.misc.severity": "very-high", - "rsa.misc.sig_id": 6088, - "rsa.misc.version": "1.2580", - "rsa.misc.vsys": "gnaaliq", - "rsa.network.alias_host": [ - "ipsumdol4488.api.localdomain" - ], - "rsa.network.dinterface": "lo4901", - "rsa.network.network_service": "quameius", - "rsa.network.sinterface": "eth4502", - "rsa.threat.threat_desc": "tenatus", - "rsa.time.duration_time": 111.502, - "rsa.time.event_time": "2016-06-05T11:33:08.000Z", - "rsa.time.timezone": "PST", - "rsa.web.reputation_num": 103.738, - "rsa.web.web_ref_domain": "tani", - "rule.name": "ommodico", - "service.type": "fortinet", - "source.bytes": 1871, - "source.geo.country_name": "autf", - "source.ip": "10.28.76.42", - "source.mac": "01:00:5e:4a:7f:b8", - "source.port": 3427, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "example.com", - "url.extension": "htm", - "url.fragment": "pora", - "url.original": "https://example.com/tetu/stru.htm?tlabore=Exc#pora", - "url.path": "/tetu/stru.htm", - "url.query": [ - "atno", - "tlabore=Exc" - ], - "url.scheme": "https", - "user.name": "cons" - }, - { - "@timestamp": "2016-06-20T06:35:42.000Z", - "destination.bytes": 7130, - "destination.geo.country_name": "lup", - "destination.ip": "10.106.162.153", - "destination.nat.ip": "10.58.214.16", - "destination.nat.port": 508, - "destination.port": 341, - "event.action": "accept", - 
"event.code": "osquira", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=ersp dtime=2016-06-20 04:35:42.332538723 +0000 UTC devid=tquov devname=diconseq vd=inven date=2016-6-20 time=4:35:42 logid=osquira type=tes subtype=mquame level=medium eventtime=tnulapa logtime=orain srcip=10.238.164.74 srcport=2201 srcintf=lo4249 srcintfrole=madmi dstip=10.106.162.153 dstport=341 dstintf=lo7114 dstintfrole=amvo poluuid=qui sessionid=tasn proto=1 action=accept policyid=squirati policytype=Sedutp crscore=92.058000 craction=nbyCic crlevel=utlabor appcat=itessequ service=porro srccountry=ine dstcountry=lup trandisp=tatemUt tranip=10.58.214.16 tranport=508 duration=166.566000 sentbyte=2715 rcvdbyte=7130 sentpkt=pici app=abor", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "medium", - "log.offset": 11323, - "network.bytes": 9845, - "observer.egress.interface.name": "lo7114", - "observer.ingress.interface.name": "lo4249", - "observer.product": "FortiManager", - "observer.serial_number": "tquov", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "diconseq" - ], - "related.ip": [ - "10.106.162.153", - "10.238.164.74", - "10.58.214.16" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "mquame", - "rsa.misc.context": "tatemUt", - "rsa.misc.event_source": "diconseq", - "rsa.misc.event_type": "tes", - "rsa.misc.hardware_id": "tquov", - "rsa.misc.log_session_id": "tasn", - "rsa.misc.obj_name": "abor", - "rsa.misc.policy_id": "squirati", - "rsa.misc.reference_id": "osquira", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "inven", - "rsa.network.dinterface": "lo7114", - "rsa.network.network_service": "porro", - "rsa.network.sinterface": "lo4249", - "rsa.time.duration_time": 166.566, - "rsa.time.event_time": "2016-06-20T06:35:42.000Z", - "rsa.time.event_time_str": "tnulapa", - 
"rsa.web.reputation_num": 92.058, - "service.type": "fortinet", - "source.bytes": 2715, - "source.geo.country_name": "ine", - "source.ip": "10.238.164.74", - "source.port": 2201, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2016-07-04T13:38:16.000Z", - "destination.bytes": 5300, - "destination.geo.country_name": "eumiu", - "destination.ip": "10.217.150.196", - "destination.nat.ip": "10.110.31.190", - "destination.nat.port": 945, - "destination.port": 4639, - "event.action": "cancel", - "event.code": "udexerci", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=tquiin dtime=2016-07-04 11:38:16.592538723 +0000 UTC devid=tse devname=tenimad vd=minimav date=2016-7-4 time=11:38:16 logid=udexerci type=naal subtype=lore level=high eventtime=idolore logtime=pid srcip=10.225.141.20 srcport=2282 srcintf=enp0s4046 srcintfrole=natuse dstip=10.217.150.196 dstport=4639 dstintf=lo2438 dstintfrole=archite poluuid=loreme sessionid=untu proto=6 action=cancel policyid=datatno policytype=siutali crscore=49.988000 craction=usmodte crlevel=msequi appcat=tau service=exercita srccountry=ris dstcountry=eumiu trandisp=orumSe tranip=10.110.31.190 tranport=945 duration=12.946000 sentbyte=248 rcvdbyte=5300 sentpkt=eeufugia app=evit", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "high", - "log.offset": 11976, - "network.bytes": 5548, - "observer.egress.interface.name": "lo2438", - "observer.ingress.interface.name": "enp0s4046", - "observer.product": "FortiManager", - "observer.serial_number": "tse", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "tenimad" - ], - "related.ip": [ - "10.110.31.190", - "10.217.150.196", - "10.225.141.20" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "lore", - "rsa.misc.context": "orumSe", - "rsa.misc.event_source": "tenimad", - 
"rsa.misc.event_type": "naal", - "rsa.misc.hardware_id": "tse", - "rsa.misc.log_session_id": "untu", - "rsa.misc.obj_name": "evit", - "rsa.misc.policy_id": "datatno", - "rsa.misc.reference_id": "udexerci", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "minimav", - "rsa.network.dinterface": "lo2438", - "rsa.network.network_service": "exercita", - "rsa.network.sinterface": "enp0s4046", - "rsa.time.duration_time": 12.946, - "rsa.time.event_time": "2016-07-04T13:38:16.000Z", - "rsa.time.event_time_str": "idolore", - "rsa.web.reputation_num": 49.988, - "service.type": "fortinet", - "source.bytes": 248, - "source.geo.country_name": "ris", - "source.ip": "10.225.141.20", - "source.port": 2282, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2016-07-18T08:40:50.000Z", - "destination.bytes": 7741, - "destination.ip": "10.69.103.176", - "destination.port": 1229, - "event.action": "deny", - "event.code": "mexe", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "date=2016-7-18 time=6:40:50 devname=molli device_id=velitse log_id=oditem type=generic subtype=gitsedqu pri=very-high devid=oremi devname=mestq logid=temUt type=olor subtype=ineavo level=very-high vd=mquelau srcip=10.168.236.85 srcport=6846 srcintf=eth651 dstip=10.140.113.244 dstport=4374 dstintf=lo4367 poluuid=fugitsed sessionid=quam proto=tcp action=deny policyid=fugiat trandisp=atisun duration=101.653000 sentbyte=3962 rcvdbyte=7741 devtype=dmin osname=fugi osversion=1.3319 mastersrcmac=inci srcmac=01:00:5e:e6:ad:ae crscore=39.291000 craction=avol crlevel=icero eventtype=xer user=emipsumd service=isisten hostname=cusant4946.www.domain profile=itecto reqtype=reetdol url=https://api.example.com/isnostr/umqu.htm?emquia=inesci#isnisi direction=unknown msg=aquioffi method=tamet cat=quatur catdesc=uisa device_id=eFi log_id=mexe pri=high userfrom=rpori adminprof=ice timezone=GMT+02:00 main_type=entorev trigger_policy=commodo sub_type=conseq 
severity_level=ame policy=tatn src=10.137.56.173 src_port=3932 dst=10.69.103.176 dst_port=1229 http_method=umdolo http_url=uptate http_host=amc http_agent=cusant http_session_id=orumSe signature_subclass=ratv signature_id=5227 srccountry=dutp content_switch_name=psaquaea server_pool_name=taevita false_positive_mitigation=ameiusm user_name=proide monitor_status=ano http_refer=https://www5.example.org/tvol/velitess.htm?edqui=nre#veli http_version=volupta dev_id=rnatu threat_weight=elitse history_threat_weight=ima threat_level=quasia ftp_mode=adi ftp_cmd=umwrit cipher_suite=uptate msg_id=mac", - "event.timezone": "GMT+02:00", - "fileset.name": "fortimanager", - "host.name": "cusant4946.www.domain", - "http.request.referrer": "https://www5.example.org/tvol/velitess.htm?edqui=nre#veli", - "input.type": "log", - "log.level": "high", - "log.offset": 12639, - "network.bytes": 11703, - "network.direction": "unknown", - "observer.egress.interface.name": "lo4367", - "observer.ingress.interface.name": "eth651", - "observer.product": "FortiManager", - "observer.serial_number": "eFi", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.3319", - "related.hosts": [ - "amc", - "cusant4946.www.domain", - "mestq" - ], - "related.ip": [ - "10.137.56.173", - "10.69.103.176" - ], - "related.user": [ - "proide" - ], - "rsa.internal.event_desc": "aquioffi", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "xer", - "rsa.misc.OS": "fugi", - "rsa.misc.action": [ - "deny", - "umdolo" - ], - "rsa.misc.category": "conseq", - "rsa.misc.client": "cusant", - "rsa.misc.context": "atisun", - "rsa.misc.event_source": "mestq", - "rsa.misc.event_type": "olor", - "rsa.misc.fcatnum": "quatur", - "rsa.misc.filter": "uisa", - "rsa.misc.hardware_id": "eFi", - "rsa.misc.log_session_id": "orumSe", - "rsa.misc.policy_id": "fugiat", - "rsa.misc.policy_name": "tatn", - "rsa.misc.reference_id": "mexe", - "rsa.misc.rule_name": "itecto", 
- "rsa.misc.severity": "high", - "rsa.misc.sig_id": 5227, - "rsa.misc.version": "1.3319", - "rsa.misc.vsys": "mquelau", - "rsa.network.alias_host": [ - "cusant4946.www.domain" - ], - "rsa.network.dinterface": "lo4367", - "rsa.network.network_service": "isisten", - "rsa.network.sinterface": "eth651", - "rsa.threat.threat_desc": "quasia", - "rsa.time.duration_time": 101.653, - "rsa.time.event_time": "2016-07-18T08:40:50.000Z", - "rsa.time.timezone": "GMT+02:00", - "rsa.web.reputation_num": 39.291, - "rsa.web.web_ref_domain": "amc", - "rule.name": "itecto", - "service.type": "fortinet", - "source.bytes": 3962, - "source.geo.country_name": "dutp", - "source.ip": "10.137.56.173", - "source.mac": "01:00:5e:e6:ad:ae", - "source.port": 3932, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "api.example.com", - "url.extension": "htm", - "url.fragment": "isnisi", - "url.original": "https://api.example.com/isnostr/umqu.htm?emquia=inesci#isnisi", - "url.path": "/isnostr/umqu.htm", - "url.query": [ - "emquia=inesci", - "uptate" - ], - "url.scheme": "https", - "user.name": "proide" - }, - { - "@timestamp": "2016-08-02T03:43:25.000Z", - "destination.bytes": 7122, - "destination.geo.country_name": "mvele", - "destination.ip": "10.5.235.217", - "destination.nat.ip": "10.25.212.118", - "destination.nat.port": 1190, - "destination.port": 3689, - "event.action": "deny", - "event.code": "onulam", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=dolore devname=\"onsecte\" devid=\"nBCSedut\" vd=ugiat date=2016-8-2 time=1:43:25 logid=onulam type=ate subtype=odoconse level=high eventtime=quatu logtime=veli srcip=10.30.47.165 srcport=631 srcintf=eth267 srcintfrole=sectet dstip=10.5.235.217 dstport=3689 dstintf=lo5047 dstintfrole=pitl poluuid=por sessionid=quidexea proto=tcp action=deny policyid=runtmol policytype=texpli crscore=57.772000 craction=ptass crlevel=rita appcat=esseci service=tametcon srccountry=liqua 
dstcountry=mvele trandisp=isis tranip=10.25.212.118 tranport=1190 duration=179.686000 sentbyte=238 rcvdbyte=7122 sentpkt=dantium app=lor", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "high", - "log.offset": 14185, - "network.bytes": 7360, - "observer.egress.interface.name": "lo5047", - "observer.ingress.interface.name": "eth267", - "observer.product": "FortiManager", - "observer.serial_number": "nBCSedut", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "onsecte" - ], - "related.ip": [ - "10.25.212.118", - "10.30.47.165", - "10.5.235.217" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "odoconse", - "rsa.misc.context": "isis", - "rsa.misc.event_source": "onsecte", - "rsa.misc.event_type": "ate", - "rsa.misc.hardware_id": "nBCSedut", - "rsa.misc.log_session_id": "quidexea", - "rsa.misc.obj_name": "lor", - "rsa.misc.policy_id": "runtmol", - "rsa.misc.reference_id": "onulam", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "ugiat", - "rsa.network.dinterface": "lo5047", - "rsa.network.network_service": "tametcon", - "rsa.network.sinterface": "eth267", - "rsa.time.duration_time": 179.686, - "rsa.time.event_time": "2016-08-02T03:43:25.000Z", - "rsa.time.event_time_str": "quatu", - "rsa.web.reputation_num": 57.772, - "service.type": "fortinet", - "source.bytes": 238, - "source.geo.country_name": "liqua", - "source.ip": "10.30.47.165", - "source.port": 631, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2016-08-16T10:45:59.000Z", - "destination.bytes": 6247, - "destination.ip": "10.40.152.253", - "destination.port": 1478, - "event.action": "deny", - "event.code": "ipsamvo", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "date=2016-8-16 time=8:45:59 logver=onemulla devid=dolorem devname=tvolu logid=nreprehe type=tetu subtype=mdol level=high vd=nby 
srcip=10.20.26.210 srcport=2791 srcintf=eth5968 dstip=10.85.96.153 dstport=5286 dstintf=eth4392 poluuid=nsequat sessionid=doloreme proto=0 action=deny policyid=reprehe trandisp=tincu duration=93.111000 sentbyte=2826 rcvdbyte=6247 devtype=lor osname=oraincid osversion=1.225 mastersrcmac=emeumfug srcmac=01:00:5e:1d:39:39 crscore=114.626000 craction=liqua crlevel=olo eventtype=psumqu user=untincul service=iduntu hostname=ccaeca5504.internal.example profile=reseo reqtype=oreetd url=https://example.org/tiaec/rumwrit.txt?oconsequ=edquiac#urerepr direction=external msg=ercit method=etMal cat=qua catdesc=rsita device_id=ate log_id=ipsamvo pri=low userfrom=adeseru adminprof=tdol timezone=CET main_type=rem trigger_policy=asper sub_type=idunt severity_level=luptat policy=eveli src=10.149.13.76 src_port=7809 dst=10.40.152.253 dst_port=1478 http_method=ritt http_url=iaeco http_host=equaturv http_agent=siu http_session_id=snost signature_subclass=tpersp signature_id=2624 srccountry=quaea content_switch_name=ametcons server_pool_name=utali false_positive_mitigation=porinc user_name=tetur monitor_status=xce http_refer=https://example.com/aincidu/nimadmin.jpg?itinv=eumfugi#etdolor http_version=lupta dev_id=xeaco threat_weight=nvolupt history_threat_weight=oremi threat_level=elites ftp_mode=nbyCi ftp_cmd=tevel cipher_suite=usc msg_id=rem", - "event.timezone": "CET", - "fileset.name": "fortimanager", - "host.name": "ccaeca5504.internal.example", - "http.request.referrer": "https://example.com/aincidu/nimadmin.jpg?itinv=eumfugi#etdolor", - "input.type": "log", - "log.level": "low", - "log.offset": 14797, - "network.bytes": 9073, - "network.direction": "external", - "observer.egress.interface.name": "eth4392", - "observer.ingress.interface.name": "eth5968", - "observer.product": "FortiManager", - "observer.serial_number": "ate", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.225", - "related.hosts": [ - "ccaeca5504.internal.example", - 
"equaturv", - "tvolu" - ], - "related.ip": [ - "10.149.13.76", - "10.40.152.253" - ], - "related.user": [ - "tetur" - ], - "rsa.internal.event_desc": "ercit", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "psumqu", - "rsa.misc.OS": "oraincid", - "rsa.misc.action": [ - "deny", - "ritt" - ], - "rsa.misc.category": "idunt", - "rsa.misc.client": "siu", - "rsa.misc.context": "tincu", - "rsa.misc.event_source": "tvolu", - "rsa.misc.event_type": "tetu", - "rsa.misc.fcatnum": "qua", - "rsa.misc.filter": "rsita", - "rsa.misc.hardware_id": "ate", - "rsa.misc.log_session_id": "snost", - "rsa.misc.policy_id": "reprehe", - "rsa.misc.policy_name": "eveli", - "rsa.misc.reference_id": "ipsamvo", - "rsa.misc.rule_name": "reseo", - "rsa.misc.severity": "low", - "rsa.misc.sig_id": 2624, - "rsa.misc.version": "1.225", - "rsa.misc.vsys": "nby", - "rsa.network.alias_host": [ - "ccaeca5504.internal.example" - ], - "rsa.network.dinterface": "eth4392", - "rsa.network.network_service": "iduntu", - "rsa.network.sinterface": "eth5968", - "rsa.threat.threat_desc": "elites", - "rsa.time.duration_time": 93.111, - "rsa.time.event_time": "2016-08-16T10:45:59.000Z", - "rsa.time.timezone": "CET", - "rsa.web.reputation_num": 114.626, - "rsa.web.web_ref_domain": "equaturv", - "rule.name": "reseo", - "service.type": "fortinet", - "source.bytes": 2826, - "source.geo.country_name": "quaea", - "source.ip": "10.149.13.76", - "source.mac": "01:00:5e:1d:39:39", - "source.port": 7809, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "example.org", - "url.extension": "txt", - "url.fragment": "urerepr", - "url.original": "https://example.org/tiaec/rumwrit.txt?oconsequ=edquiac#urerepr", - "url.path": "/tiaec/rumwrit.txt", - "url.query": [ - "iaeco", - "oconsequ=edquiac" - ], - "url.scheme": "https", - "user.name": "tetur" - }, - { - "@timestamp": "2016-08-30T05:48:33.000Z", - "destination.bytes": 4844, - "destination.geo.country_name": "eufugi", - 
"destination.ip": "10.51.213.42", - "destination.nat.ip": "10.233.120.207", - "destination.nat.port": 136, - "destination.port": 988, - "event.action": "deny", - "event.code": "isetq", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=cab dtime=2016-08-30 15:48:33.632538723 +0000 UTC devid=atisund devname=xea vd=ites date=2016-8-30 time=3:48:33 logid=isetq type=iutali subtype=velite level=high eventtime=avolupt logtime=ariatur srcip=10.98.194.212 srcport=5469 srcintf=lo1208 srcintfrole=atisetqu dstip=10.51.213.42 dstport=988 dstintf=enp0s3449 dstintfrole=ilmol poluuid=eri sessionid=quunt proto=HOPOPT action=deny policyid=mquae policytype=eriti crscore=96.729000 craction=cidunt crlevel=plica appcat=ore service=quidolor srccountry=inven dstcountry=eufugi trandisp=accusant tranip=10.233.120.207 tranport=136 duration=171.844000 sentbyte=2859 rcvdbyte=4844 sentpkt=eaqu app=nvol", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "high", - "log.offset": 16267, - "network.bytes": 7703, - "observer.egress.interface.name": "enp0s3449", - "observer.ingress.interface.name": "lo1208", - "observer.product": "FortiManager", - "observer.serial_number": "atisund", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "xea" - ], - "related.ip": [ - "10.233.120.207", - "10.51.213.42", - "10.98.194.212" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "velite", - "rsa.misc.context": "accusant", - "rsa.misc.event_source": "xea", - "rsa.misc.event_type": "iutali", - "rsa.misc.hardware_id": "atisund", - "rsa.misc.log_session_id": "quunt", - "rsa.misc.obj_name": "nvol", - "rsa.misc.policy_id": "mquae", - "rsa.misc.reference_id": "isetq", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "ites", - "rsa.network.dinterface": "enp0s3449", - "rsa.network.network_service": "quidolor", - "rsa.network.sinterface": 
"lo1208", - "rsa.time.duration_time": 171.844, - "rsa.time.event_time": "2016-08-30T05:48:33.000Z", - "rsa.time.event_time_str": "avolupt", - "rsa.web.reputation_num": 96.729, - "service.type": "fortinet", - "source.bytes": 2859, - "source.geo.country_name": "inven", - "source.ip": "10.98.194.212", - "source.port": 5469, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2016-09-13T12:51:07.000Z", - "destination.bytes": 7301, - "destination.geo.country_name": "tenatuse", - "destination.ip": "10.67.132.242", - "destination.nat.ip": "10.241.132.176", - "destination.nat.port": 7224, - "destination.port": 2340, - "event.action": "allow", - "event.code": "dat", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=leumiu devname=\"tla\" devid=\"item\" vd=nimid date=2016-9-13 time=10:51:07 logid=dat type=periam subtype=dqu level=high eventtime=dminima logtime=dutpers srcip=10.245.187.229 srcport=4953 srcintf=lo3642 srcintfrole=prehen dstip=10.67.132.242 dstport=2340 dstintf=enp0s2700 dstintfrole=sequa poluuid=iosamnis sessionid=volupt proto=6 action=allow policyid=idid policytype=tesse crscore=64.509000 craction=boru crlevel=ptateve appcat=enderi service=ptatem srccountry=ptatevel dstcountry=tenatuse trandisp=psaqua tranip=10.241.132.176 tranport=7224 duration=167.705000 sentbyte=6595 rcvdbyte=7301 sentpkt=tame app=atione", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "high", - "log.offset": 16925, - "network.bytes": 13896, - "observer.egress.interface.name": "enp0s2700", - "observer.ingress.interface.name": "lo3642", - "observer.product": "FortiManager", - "observer.serial_number": "item", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "tla" - ], - "related.ip": [ - "10.241.132.176", - "10.245.187.229", - "10.67.132.242" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "allow" - ], - 
"rsa.misc.category": "dqu", - "rsa.misc.context": "psaqua", - "rsa.misc.event_source": "tla", - "rsa.misc.event_type": "periam", - "rsa.misc.hardware_id": "item", - "rsa.misc.log_session_id": "volupt", - "rsa.misc.obj_name": "atione", - "rsa.misc.policy_id": "idid", - "rsa.misc.reference_id": "dat", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "nimid", - "rsa.network.dinterface": "enp0s2700", - "rsa.network.network_service": "ptatem", - "rsa.network.sinterface": "lo3642", - "rsa.time.duration_time": 167.705, - "rsa.time.event_time": "2016-09-13T12:51:07.000Z", - "rsa.time.event_time_str": "dminima", - "rsa.web.reputation_num": 64.509, - "service.type": "fortinet", - "source.bytes": 6595, - "source.geo.country_name": "ptatevel", - "source.ip": "10.245.187.229", - "source.port": 4953, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2016-09-28T07:53:42.000Z", - "destination.bytes": 1775, - "destination.ip": "10.199.47.220", - "destination.port": 4084, - "event.action": "allow", - "event.code": "urmagn", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "date=2016-9-28 time=5:53:42 logver=vitaedic devid=orin devname=uii logid=estl type=sitam subtype=orem level=very-high vd=uuntur srcip=10.210.28.247 srcport=3449 srcintf=eth4185 dstip=10.237.180.17 dstport=3023 dstintf=lo7672 poluuid=tate sessionid=onevo proto=6 action=allow policyid=aeconseq trandisp=lor duration=96.560000 sentbyte=2760 rcvdbyte=1775 devtype=emqu osname=riss osversion=1.1847 mastersrcmac=sitvol srcmac=01:00:5e:a5:5a:54 crscore=129.120000 craction=olorsi crlevel=aliq eventtype=mes user=mven service=olorsit hostname=tore7088.www.invalid profile=ruredo reqtype=mac url=https://mail.example.org/ptassita/its.gif?risnis=uov#itlab direction=outbound msg=sBono method=loremqu cat=tetur catdesc=amvo device_id=siuta log_id=urmagn pri=low userfrom=uptat adminprof=idex timezone=GMT+02:00 main_type=tatione trigger_policy=nimveni 
sub_type=idi severity_level=ore policy=quid src=10.212.214.4 src_port=6040 dst=10.199.47.220 dst_port=4084 http_method=oin http_url=hil http_host=cingel http_agent=modocon http_session_id=ipsu signature_subclass=ntNeq signature_id=1081 srccountry=aUt content_switch_name=boNem server_pool_name=nturm false_positive_mitigation=emips user_name=atv monitor_status=onu http_refer=https://www5.example.net/alorum/obeataev.gif?atDu=nsec#quidolor http_version=oqu dev_id=naaliq threat_weight=remeu history_threat_weight=osquir threat_level=mod ftp_mode=col ftp_cmd=mve cipher_suite=liquide msg_id=odt", - "event.timezone": "GMT+02:00", - "fileset.name": "fortimanager", - "host.name": "tore7088.www.invalid", - "http.request.referrer": "https://www5.example.net/alorum/obeataev.gif?atDu=nsec#quidolor", - "input.type": "log", - "log.level": "low", - "log.offset": 17547, - "network.bytes": 4535, - "network.direction": "outbound", - "observer.egress.interface.name": "lo7672", - "observer.ingress.interface.name": "eth4185", - "observer.product": "FortiManager", - "observer.serial_number": "siuta", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.1847", - "related.hosts": [ - "cingel", - "tore7088.www.invalid", - "uii" - ], - "related.ip": [ - "10.199.47.220", - "10.212.214.4" - ], - "related.user": [ - "atv" - ], - "rsa.internal.event_desc": "sBono", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "mes", - "rsa.misc.OS": "riss", - "rsa.misc.action": [ - "allow", - "oin" - ], - "rsa.misc.category": "idi", - "rsa.misc.client": "modocon", - "rsa.misc.context": "lor", - "rsa.misc.event_source": "uii", - "rsa.misc.event_type": "sitam", - "rsa.misc.fcatnum": "tetur", - "rsa.misc.filter": "amvo", - "rsa.misc.hardware_id": "siuta", - "rsa.misc.log_session_id": "ipsu", - "rsa.misc.policy_id": "aeconseq", - "rsa.misc.policy_name": "quid", - "rsa.misc.reference_id": "urmagn", - "rsa.misc.rule_name": "ruredo", - 
"rsa.misc.severity": "low", - "rsa.misc.sig_id": 1081, - "rsa.misc.version": "1.1847", - "rsa.misc.vsys": "uuntur", - "rsa.network.alias_host": [ - "tore7088.www.invalid" - ], - "rsa.network.dinterface": "lo7672", - "rsa.network.network_service": "olorsit", - "rsa.network.sinterface": "eth4185", - "rsa.threat.threat_desc": "mod", - "rsa.time.duration_time": 96.56, - "rsa.time.event_time": "2016-09-28T07:53:42.000Z", - "rsa.time.timezone": "GMT+02:00", - "rsa.web.reputation_num": 129.12, - "rsa.web.web_ref_domain": "cingel", - "rule.name": "ruredo", - "service.type": "fortinet", - "source.bytes": 2760, - "source.geo.country_name": "aUt", - "source.ip": "10.212.214.4", - "source.mac": "01:00:5e:a5:5a:54", - "source.port": 6040, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "mail.example.org", - "url.extension": "gif", - "url.fragment": "itlab", - "url.original": "https://mail.example.org/ptassita/its.gif?risnis=uov#itlab", - "url.path": "/ptassita/its.gif", - "url.query": [ - "hil", - "risnis=uov" - ], - "url.scheme": "https", - "user.name": "atv" - }, - { - "@timestamp": "2016-10-12T14:56:16.000Z", - "destination.bytes": 4059, - "destination.ip": "10.234.165.130", - "destination.port": 7079, - "event.action": "deny", - "event.code": "henderit", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "date=2016-10-12 time=12:56:16 logver=inv devid=rroq devname=rcit logid=aecatcup type=olabor subtype=estl level=very-high vd=citatio srcip=10.168.40.197 srcport=7699 srcintf=enp0s3071 dstip=10.206.69.135 dstport=6396 dstintf=eth3862 poluuid=utfug sessionid=aturQu proto=udp action=deny policyid=mipsamvo trandisp=eiusmod duration=91.147000 sentbyte=6153 rcvdbyte=4059 devtype=oreveri osname=ehende osversion=1.760 mastersrcmac=Except srcmac=01:00:5e:bf:07:ee crscore=45.760000 craction=dol crlevel=sciun eventtype=metcons user=itasper service=uae hostname=mve1890.internal.home profile=tatemU reqtype=mad 
url=https://www.example.org/redol/gnaa.htm?aliquamq=dtempori#toditaut direction=unknown msg=dexerc method=strumex cat=eprehend catdesc=asnu device_id=hitec log_id=henderit pri=medium userfrom=perspici adminprof=ationul timezone=PST main_type=itsedq trigger_policy=uto sub_type=emUte severity_level=molestia policy=quir src=10.46.56.204 src_port=2463 dst=10.234.165.130 dst_port=7079 http_method=umf http_url=quames http_host=dolorsit http_agent=archite http_session_id=remq signature_subclass=veniamq signature_id=1236 srccountry=uta content_switch_name=emo server_pool_name=itq false_positive_mitigation=derit user_name=orese monitor_status=dolor http_refer=https://mail.example.com/ntexpl/dunt.jpg?yCic=nder#mdolore http_version=Cic dev_id=olorema threat_weight=mollita history_threat_weight=tatem threat_level=iae ftp_mode=quido ftp_cmd=emip cipher_suite=inBC msg_id=mol", - "event.timezone": "PST", - "fileset.name": "fortimanager", - "host.name": "mve1890.internal.home", - "http.request.referrer": "https://mail.example.com/ntexpl/dunt.jpg?yCic=nder#mdolore", - "input.type": "log", - "log.level": "medium", - "log.offset": 18984, - "network.bytes": 10212, - "network.direction": "unknown", - "observer.egress.interface.name": "eth3862", - "observer.ingress.interface.name": "enp0s3071", - "observer.product": "FortiManager", - "observer.serial_number": "hitec", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.760", - "related.hosts": [ - "dolorsit", - "mve1890.internal.home", - "rcit" - ], - "related.ip": [ - "10.234.165.130", - "10.46.56.204" - ], - "related.user": [ - "orese" - ], - "rsa.internal.event_desc": "dexerc", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "metcons", - "rsa.misc.OS": "ehende", - "rsa.misc.action": [ - "deny", - "umf" - ], - "rsa.misc.category": "emUte", - "rsa.misc.client": "archite", - "rsa.misc.context": "eiusmod", - "rsa.misc.event_source": "rcit", - 
"rsa.misc.event_type": "olabor", - "rsa.misc.fcatnum": "eprehend", - "rsa.misc.filter": "asnu", - "rsa.misc.hardware_id": "hitec", - "rsa.misc.log_session_id": "remq", - "rsa.misc.policy_id": "mipsamvo", - "rsa.misc.policy_name": "quir", - "rsa.misc.reference_id": "henderit", - "rsa.misc.rule_name": "tatemU", - "rsa.misc.severity": "medium", - "rsa.misc.sig_id": 1236, - "rsa.misc.version": "1.760", - "rsa.misc.vsys": "citatio", - "rsa.network.alias_host": [ - "mve1890.internal.home" - ], - "rsa.network.dinterface": "eth3862", - "rsa.network.network_service": "uae", - "rsa.network.sinterface": "enp0s3071", - "rsa.threat.threat_desc": "iae", - "rsa.time.duration_time": 91.147, - "rsa.time.event_time": "2016-10-12T14:56:16.000Z", - "rsa.time.timezone": "PST", - "rsa.web.reputation_num": 45.76, - "rsa.web.web_ref_domain": "dolorsit", - "rule.name": "tatemU", - "service.type": "fortinet", - "source.bytes": 6153, - "source.geo.country_name": "uta", - "source.ip": "10.46.56.204", - "source.mac": "01:00:5e:bf:07:ee", - "source.port": 2463, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "www.example.org", - "url.extension": "htm", - "url.fragment": "toditaut", - "url.original": "https://www.example.org/redol/gnaa.htm?aliquamq=dtempori#toditaut", - "url.path": "/redol/gnaa.htm", - "url.query": [ - "aliquamq=dtempori", - "quames" - ], - "url.scheme": "https", - "user.name": "orese" - }, - { - "@timestamp": "2016-10-26T09:58:50.000Z", - "destination.bytes": 4527, - "destination.ip": "10.95.117.134", - "destination.port": 1723, - "event.action": "block", - "event.code": "rsi", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=turadipi date=2016-10-26 time=7:58:50 log_id=usmodi devid=ree devname=saquaea logid=ation type=luptas subtype=minim level=very-high vd=lorsi srcip=10.61.123.159 srcport=754 srcintf=eth7713 dstip=10.141.158.225 dstport=4690 dstintf=lo1586 poluuid=ate sessionid=idolor proto=1 
action=block policyid=nreprehe trandisp=onse duration=71.505000 sentbyte=4010 rcvdbyte=4527 devtype=duntutla osname=ntium osversion=1.4450 mastersrcmac=asuntexp srcmac=01:00:5e:26:56:73 crscore=5.843000 craction=nse crlevel=modoc eventtype=boNem user=iumt service=tsed hostname=eturad6143.www.home profile=uamnihil reqtype=llam url=https://example.net/aparia/tatnon.jpg?rever=ore#offici direction=outbound msg=metco method=acom cat=ceroinB catdesc=nim device_id=utaliqu log_id=rsi pri=high userfrom=imadmi adminprof=isnis timezone=CEST main_type=olupta trigger_policy=tsuntinc sub_type=inrepreh severity_level=quovo policy=urExcep src=10.128.46.70 src_port=5269 dst=10.95.117.134 dst_port=1723 http_method=acommodi http_url=essecill http_host=billoi http_agent=moles http_session_id=dipiscin signature_subclass=olup signature_id=5976 srccountry=undeomni content_switch_name=accusa server_pool_name=natu false_positive_mitigation=liquid user_name=enim monitor_status=Finibus http_refer=https://www.example.org/xeacom/des.gif?umdolo=ntiu#radipisc http_version=Cice dev_id=taedi threat_weight=tquido history_threat_weight=ptasnula threat_level=oru ftp_mode=ill ftp_cmd=mporinc cipher_suite=onsectet msg_id=idolo", - "event.timezone": "CEST", - "fileset.name": "fortimanager", - "host.name": "eturad6143.www.home", - "http.request.referrer": "https://www.example.org/xeacom/des.gif?umdolo=ntiu#radipisc", - "input.type": "log", - "log.level": "high", - "log.offset": 20462, - "network.bytes": 8537, - "network.direction": "outbound", - "observer.egress.interface.name": "lo1586", - "observer.ingress.interface.name": "eth7713", - "observer.product": "FortiManager", - "observer.serial_number": "utaliqu", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.4450", - "related.hosts": [ - "billoi", - "eturad6143.www.home", - "saquaea" - ], - "related.ip": [ - "10.128.46.70", - "10.95.117.134" - ], - "related.user": [ - "enim" - ], - "rsa.internal.event_desc": 
"metco", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "boNem", - "rsa.misc.OS": "ntium", - "rsa.misc.action": [ - "acommodi", - "block" - ], - "rsa.misc.category": "inrepreh", - "rsa.misc.client": "moles", - "rsa.misc.context": "onse", - "rsa.misc.event_source": "saquaea", - "rsa.misc.event_type": "luptas", - "rsa.misc.fcatnum": "ceroinB", - "rsa.misc.filter": "nim", - "rsa.misc.hardware_id": "utaliqu", - "rsa.misc.log_session_id": "dipiscin", - "rsa.misc.policy_id": "nreprehe", - "rsa.misc.policy_name": "urExcep", - "rsa.misc.reference_id": "rsi", - "rsa.misc.rule_name": "uamnihil", - "rsa.misc.severity": "high", - "rsa.misc.sig_id": 5976, - "rsa.misc.version": "1.4450", - "rsa.misc.vsys": "lorsi", - "rsa.network.alias_host": [ - "eturad6143.www.home" - ], - "rsa.network.dinterface": "lo1586", - "rsa.network.network_service": "tsed", - "rsa.network.sinterface": "eth7713", - "rsa.threat.threat_desc": "oru", - "rsa.time.duration_time": 71.505, - "rsa.time.event_time": "2016-10-26T09:58:50.000Z", - "rsa.time.timezone": "CEST", - "rsa.web.reputation_num": 5.843, - "rsa.web.web_ref_domain": "billoi", - "rule.name": "uamnihil", - "service.type": "fortinet", - "source.bytes": 4010, - "source.geo.country_name": "undeomni", - "source.ip": "10.128.46.70", - "source.mac": "01:00:5e:26:56:73", - "source.port": 5269, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "example.net", - "url.extension": "jpg", - "url.fragment": "offici", - "url.original": "https://example.net/aparia/tatnon.jpg?rever=ore#offici", - "url.path": "/aparia/tatnon.jpg", - "url.query": [ - "essecill", - "rever=ore" - ], - "url.scheme": "https", - "user.name": "enim" - }, - { - "@timestamp": "2016-11-10T05:01:24.000Z", - "destination.bytes": 1506, - "destination.ip": "10.253.228.140", - "destination.port": 6748, - "event.action": "cancel", - "event.code": "admi", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - 
"event.original": "date=2016-11-10 time=3:01:24 logver=edolo devid=ugiatquo devname=ntium logid=uptate type=lloinven subtype=econs level=medium vd=tetura srcip=10.135.106.42 srcport=6602 srcintf=lo154 dstip=10.224.30.160 dstport=5302 dstintf=eth1247 poluuid=etconsec sessionid=caboNem proto=21 action=cancel policyid=rumetMal trandisp=oconse duration=2.970000 sentbyte=7685 rcvdbyte=1506 devtype=sequam osname=oditempo osversion=1.7544 mastersrcmac=taliqui srcmac=01:00:5e:98:79:a3 crscore=78.248000 craction=rcitat crlevel=dolorema eventtype=emagn user=radipis service=ctetu hostname=orinrep5386.www.corp profile=stenatus reqtype=equep url=https://www.example.com/tali/BCS.txt?iqu=niamqu#equamnih direction=inbound msg=autemv method=emq cat=plicaboN catdesc=amc device_id=vol log_id=admi pri=medium userfrom=culpaq adminprof=saute timezone=GMT+02:00 main_type=ende trigger_policy=abor sub_type=magnid severity_level=adol policy=iutal src=10.208.21.135 src_port=2721 dst=10.253.228.140 dst_port=6748 http_method=ugitse http_url=quiineav http_host=billoinv http_agent=sci http_session_id=col signature_subclass=obea signature_id=5700 srccountry=tatev content_switch_name=luptas server_pool_name=uptatem false_positive_mitigation=oinv user_name=inculp monitor_status=onofd http_refer=https://internal.example.org/nisiu/imad.html?ptatem=itasp#dexe http_version=tat dev_id=onproide threat_weight=ntmo history_threat_weight=loreeu threat_level=temse ftp_mode=aspernat ftp_cmd=ume cipher_suite=caecat msg_id=rautod", - "event.timezone": "GMT+02:00", - "fileset.name": "fortimanager", - "host.name": "orinrep5386.www.corp", - "http.request.referrer": "https://internal.example.org/nisiu/imad.html?ptatem=itasp#dexe", - "input.type": "log", - "log.level": "medium", - "log.offset": 21953, - "network.bytes": 9191, - "network.direction": "inbound", - "observer.egress.interface.name": "eth1247", - "observer.ingress.interface.name": "lo154", - "observer.product": "FortiManager", - "observer.serial_number": 
"vol", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.7544", - "related.hosts": [ - "billoinv", - "ntium", - "orinrep5386.www.corp" - ], - "related.ip": [ - "10.208.21.135", - "10.253.228.140" - ], - "related.user": [ - "inculp" - ], - "rsa.internal.event_desc": "autemv", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "emagn", - "rsa.misc.OS": "oditempo", - "rsa.misc.action": [ - "cancel", - "ugitse" - ], - "rsa.misc.category": "magnid", - "rsa.misc.client": "sci", - "rsa.misc.context": "oconse", - "rsa.misc.event_source": "ntium", - "rsa.misc.event_type": "lloinven", - "rsa.misc.fcatnum": "plicaboN", - "rsa.misc.filter": "amc", - "rsa.misc.hardware_id": "vol", - "rsa.misc.log_session_id": "col", - "rsa.misc.policy_id": "rumetMal", - "rsa.misc.policy_name": "iutal", - "rsa.misc.reference_id": "admi", - "rsa.misc.rule_name": "stenatus", - "rsa.misc.severity": "medium", - "rsa.misc.sig_id": 5700, - "rsa.misc.version": "1.7544", - "rsa.misc.vsys": "tetura", - "rsa.network.alias_host": [ - "orinrep5386.www.corp" - ], - "rsa.network.dinterface": "eth1247", - "rsa.network.network_service": "ctetu", - "rsa.network.sinterface": "lo154", - "rsa.threat.threat_desc": "temse", - "rsa.time.duration_time": 2.97, - "rsa.time.event_time": "2016-11-10T05:01:24.000Z", - "rsa.time.timezone": "GMT+02:00", - "rsa.web.reputation_num": 78.248, - "rsa.web.web_ref_domain": "billoinv", - "rule.name": "stenatus", - "service.type": "fortinet", - "source.bytes": 7685, - "source.geo.country_name": "tatev", - "source.ip": "10.208.21.135", - "source.mac": "01:00:5e:98:79:a3", - "source.port": 2721, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "www.example.com", - "url.extension": "txt", - "url.fragment": "equamnih", - "url.original": "https://www.example.com/tali/BCS.txt?iqu=niamqu#equamnih", - "url.path": "/tali/BCS.txt", - "url.query": [ - "iqu=niamqu", - "quiineav" - ], - 
"url.scheme": "https", - "user.name": "inculp" - }, - { - "@timestamp": "2016-11-24T12:03:59.000Z", - "destination.bytes": 4009, - "destination.ip": "10.3.23.172", - "destination.port": 7332, - "event.action": "cancel", - "event.code": "illoi", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=ercitat date=2016-11-24 time=10:03:59 log_id=lapar devid=ritati devname=edquia logid=itesse type=mullam subtype=mexerc level=medium vd=amvolu srcip=10.120.231.161 srcport=1129 srcintf=lo653 dstip=10.210.62.203 dstport=4381 dstintf=lo3057 poluuid=ataevita sessionid=oremqu proto=6 action=cancel policyid=velitsed trandisp=magnaali duration=92.900000 sentbyte=3984 rcvdbyte=4009 devtype=ulla osname=equatDu osversion=1.1710 mastersrcmac=aconse srcmac=01:00:5e:92:c2:23 crscore=20.350000 craction=squira crlevel=aliqui eventtype=ess user=uide service=scivel hostname=henderi724.www5.home profile=tquas reqtype=aquio url=https://www.example.com/iame/orroquis.htm?tiumd=ntmoll#mexer direction=internal msg=isnostru method=nofdeFi cat=aquioff catdesc=saqu device_id=remips log_id=illoi pri=medium userfrom=abori adminprof=uisnostr timezone=GMT+02:00 main_type=ilmole trigger_policy=ugi sub_type=niamquis severity_level=nisi policy=emveleum src=10.243.226.122 src_port=3512 dst=10.3.23.172 dst_port=7332 http_method=emullamc http_url=tec http_host=Nemo http_agent=tutlabo http_session_id=mveleum signature_subclass=liq signature_id=7229 srccountry=sBonorum content_switch_name=atems server_pool_name=quira false_positive_mitigation=tassita user_name=olorem monitor_status=sedquiac http_refer=https://www.example.com/atDuis/asnulapa.html?rumwri=velill#ore http_version=tation dev_id=loinve threat_weight=tatevel history_threat_weight=iumdolo threat_level=untu ftp_mode=ict ftp_cmd=squirati cipher_suite=tem msg_id=mestq", - "event.timezone": "GMT+02:00", - "fileset.name": "fortimanager", - "host.name": "henderi724.www5.home", - "http.request.referrer": 
"https://www.example.com/atDuis/asnulapa.html?rumwri=velill#ore", - "input.type": "log", - "log.level": "medium", - "log.offset": 23443, - "network.bytes": 7993, - "network.direction": "internal", - "observer.egress.interface.name": "lo3057", - "observer.ingress.interface.name": "lo653", - "observer.product": "FortiManager", - "observer.serial_number": "remips", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.1710", - "related.hosts": [ - "Nemo", - "edquia", - "henderi724.www5.home" - ], - "related.ip": [ - "10.243.226.122", - "10.3.23.172" - ], - "related.user": [ - "olorem" - ], - "rsa.internal.event_desc": "isnostru", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "ess", - "rsa.misc.OS": "equatDu", - "rsa.misc.action": [ - "cancel", - "emullamc" - ], - "rsa.misc.category": "niamquis", - "rsa.misc.client": "tutlabo", - "rsa.misc.context": "magnaali", - "rsa.misc.event_source": "edquia", - "rsa.misc.event_type": "mullam", - "rsa.misc.fcatnum": "aquioff", - "rsa.misc.filter": "saqu", - "rsa.misc.hardware_id": "remips", - "rsa.misc.log_session_id": "mveleum", - "rsa.misc.policy_id": "velitsed", - "rsa.misc.policy_name": "emveleum", - "rsa.misc.reference_id": "illoi", - "rsa.misc.rule_name": "tquas", - "rsa.misc.severity": "medium", - "rsa.misc.sig_id": 7229, - "rsa.misc.version": "1.1710", - "rsa.misc.vsys": "amvolu", - "rsa.network.alias_host": [ - "henderi724.www5.home" - ], - "rsa.network.dinterface": "lo3057", - "rsa.network.network_service": "scivel", - "rsa.network.sinterface": "lo653", - "rsa.threat.threat_desc": "untu", - "rsa.time.duration_time": 92.9, - "rsa.time.event_time": "2016-11-24T12:03:59.000Z", - "rsa.time.timezone": "GMT+02:00", - "rsa.web.reputation_num": 20.35, - "rsa.web.web_ref_domain": "Nemo", - "rule.name": "tquas", - "service.type": "fortinet", - "source.bytes": 3984, - "source.geo.country_name": "sBonorum", - "source.ip": "10.243.226.122", - "source.mac": 
"01:00:5e:92:c2:23", - "source.port": 3512, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "www.example.com", - "url.extension": "htm", - "url.fragment": "mexer", - "url.original": "https://www.example.com/iame/orroquis.htm?tiumd=ntmoll#mexer", - "url.path": "/iame/orroquis.htm", - "url.query": [ - "tec", - "tiumd=ntmoll" - ], - "url.scheme": "https", - "user.name": "olorem" - }, - { - "@timestamp": "2016-12-08T07:06:33.000Z", - "destination.bytes": 1651, - "destination.ip": "10.106.85.174", - "destination.port": 307, - "event.action": "cancel", - "event.code": "odoco", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=luptate date=2016-12-8 time=5:06:33 log_id=llamc devid=eleumiu devname=uei logid=Nequepo type=radipis subtype=cive level=low vd=orumSec srcip=10.56.74.7 srcport=6149 srcintf=eth2940 dstip=10.73.10.215 dstport=2079 dstintf=lo3472 poluuid=oeni sessionid=untutlab proto=0 action=cancel policyid=consecte trandisp=pteurs duration=26.872000 sentbyte=617 rcvdbyte=1651 devtype=ons osname=tiaecon osversion=1.5380 mastersrcmac=unt srcmac=01:00:5e:99:7b:4a crscore=124.392000 craction=queporro crlevel=uid eventtype=snostrum user=psa service=nculpaq hostname=reseosqu1629.mail.lan profile=utemvel reqtype=epteur url=https://www.example.net/iame/laudanti.htm?stquido=rsitvolu#mnisi direction=external msg=uameiusm method=adm cat=gelitsed catdesc=tiumto device_id=cor log_id=odoco pri=high userfrom=labore adminprof=ianonnu timezone=PST main_type=rum trigger_policy=erc sub_type=ehende severity_level=tutla policy=licaboNe src=10.94.242.80 src_port=2724 dst=10.106.85.174 dst_port=307 http_method=atiset http_url=serror http_host=onse http_agent=umquam http_session_id=emagn signature_subclass=emulla signature_id=1963 srccountry=iquaUt content_switch_name=mnihilm server_pool_name=redo false_positive_mitigation=etMaloru user_name=lmo monitor_status=iquidex 
http_refer=https://www.example.org/remipsu/tan.html?mcorpor=doconse#etdol http_version=dolorsi dev_id=nturmag threat_weight=tura history_threat_weight=osquirat threat_level=equat ftp_mode=aliquid ftp_cmd=usantiu cipher_suite=idunt msg_id=atqu", - "event.timezone": "PST", - "fileset.name": "fortimanager", - "host.name": "reseosqu1629.mail.lan", - "http.request.referrer": "https://www.example.org/remipsu/tan.html?mcorpor=doconse#etdol", - "input.type": "log", - "log.level": "high", - "log.offset": 24962, - "network.bytes": 2268, - "network.direction": "external", - "observer.egress.interface.name": "lo3472", - "observer.ingress.interface.name": "eth2940", - "observer.product": "FortiManager", - "observer.serial_number": "cor", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.5380", - "related.hosts": [ - "onse", - "reseosqu1629.mail.lan", - "uei" - ], - "related.ip": [ - "10.106.85.174", - "10.94.242.80" - ], - "related.user": [ - "lmo" - ], - "rsa.internal.event_desc": "uameiusm", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "snostrum", - "rsa.misc.OS": "tiaecon", - "rsa.misc.action": [ - "atiset", - "cancel" - ], - "rsa.misc.category": "ehende", - "rsa.misc.client": "umquam", - "rsa.misc.context": "pteurs", - "rsa.misc.event_source": "uei", - "rsa.misc.event_type": "radipis", - "rsa.misc.fcatnum": "gelitsed", - "rsa.misc.filter": "tiumto", - "rsa.misc.hardware_id": "cor", - "rsa.misc.log_session_id": "emagn", - "rsa.misc.policy_id": "consecte", - "rsa.misc.policy_name": "licaboNe", - "rsa.misc.reference_id": "odoco", - "rsa.misc.rule_name": "utemvel", - "rsa.misc.severity": "high", - "rsa.misc.sig_id": 1963, - "rsa.misc.version": "1.5380", - "rsa.misc.vsys": "orumSec", - "rsa.network.alias_host": [ - "reseosqu1629.mail.lan" - ], - "rsa.network.dinterface": "lo3472", - "rsa.network.network_service": "nculpaq", - "rsa.network.sinterface": "eth2940", - "rsa.threat.threat_desc": 
"equat", - "rsa.time.duration_time": 26.872, - "rsa.time.event_time": "2016-12-08T07:06:33.000Z", - "rsa.time.timezone": "PST", - "rsa.web.reputation_num": 124.392, - "rsa.web.web_ref_domain": "onse", - "rule.name": "utemvel", - "service.type": "fortinet", - "source.bytes": 617, - "source.geo.country_name": "iquaUt", - "source.ip": "10.94.242.80", - "source.mac": "01:00:5e:99:7b:4a", - "source.port": 2724, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "www.example.net", - "url.extension": "htm", - "url.fragment": "mnisi", - "url.original": "https://www.example.net/iame/laudanti.htm?stquido=rsitvolu#mnisi", - "url.path": "/iame/laudanti.htm", - "url.query": [ - "serror", - "stquido=rsitvolu" - ], - "url.scheme": "https", - "user.name": "lmo" - }, - { - "@timestamp": "2016-12-23T14:09:07.000Z", - "destination.bytes": 5749, - "destination.geo.country_name": "usm", - "destination.ip": "10.247.53.179", - "destination.nat.ip": "10.168.20.20", - "destination.nat.port": 68, - "destination.port": 6493, - "event.action": "block", - "event.code": "rspici", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=liquam dtime=2016-12-23 00:09:07.712538723 +0000 UTC devid=min devname=oluptat vd=odt date=2016-12-23 time=12:09:07 logid=rspici type=snisi subtype=magnaal level=low eventtime=etquasia logtime=nula srcip=10.117.63.181 srcport=5299 srcintf=lo7416 srcintfrole=Cicero dstip=10.247.53.179 dstport=6493 dstintf=lo3706 dstintfrole=atemaccu poluuid=veritat sessionid=aliquipe proto=3 action=block policyid=aer policytype=osquira crscore=171.144000 craction=minim crlevel=scipi appcat=tur service=acon srccountry=Nemoenim dstcountry=usm trandisp=labori tranip=10.168.20.20 tranport=68 duration=167.038000 sentbyte=7188 rcvdbyte=5749 sentpkt=xeac app=umdolors", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "low", - "log.offset": 26461, - "network.bytes": 12937, - "network.protocol": 
"GGP", - "observer.egress.interface.name": "lo3706", - "observer.ingress.interface.name": "lo7416", - "observer.product": "FortiManager", - "observer.serial_number": "min", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "oluptat" - ], - "related.ip": [ - "10.117.63.181", - "10.168.20.20", - "10.247.53.179" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "magnaal", - "rsa.misc.context": "labori", - "rsa.misc.event_source": "oluptat", - "rsa.misc.event_type": "snisi", - "rsa.misc.hardware_id": "min", - "rsa.misc.log_session_id": "aliquipe", - "rsa.misc.obj_name": "umdolors", - "rsa.misc.policy_id": "aer", - "rsa.misc.reference_id": "rspici", - "rsa.misc.severity": "low", - "rsa.misc.vsys": "odt", - "rsa.network.dinterface": "lo3706", - "rsa.network.network_service": "acon", - "rsa.network.sinterface": "lo7416", - "rsa.time.duration_time": 167.038, - "rsa.time.event_time": "2016-12-23T14:09:07.000Z", - "rsa.time.event_time_str": "etquasia", - "rsa.web.reputation_num": 171.144, - "service.type": "fortinet", - "source.bytes": 7188, - "source.geo.country_name": "Nemoenim", - "source.ip": "10.117.63.181", - "source.port": 5299, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2017-01-06T09:11:41.000Z", - "destination.bytes": 405, - "destination.ip": "10.53.168.187", - "destination.port": 73, - "event.action": "block", - "event.code": "rsin", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=uiadolo date=2017-1-6 time=7:11:41 log_id=empor devid=umexerci devname=duntut logid=uovol type=prehend subtype=eufug level=low vd=eufug srcip=10.100.53.8 srcport=4318 srcintf=eth5767 dstip=10.163.17.172 dstport=854 dstintf=enp0s3903 poluuid=upta sessionid=atc proto=3 action=block policyid=upta trandisp=itessequ duration=165.935000 sentbyte=4211 rcvdbyte=405 devtype=exerci osname=idata 
osversion=1.2208 mastersrcmac=usmod srcmac=01:00:5e:c0:47:f3 crscore=135.374000 craction=isiutali crlevel=iquidexe eventtype=illumq user=luptatem service=ite hostname=tasnul4179.internal.host profile=amvo reqtype=tnul url=https://www.example.org/ess/quiad.jpg?ten=litanim#rQuisaut direction=inbound msg=modico method=metco cat=cillu catdesc=iuntNeq device_id=eddoei log_id=rsin pri=very-high userfrom=eriam adminprof=pernat timezone=CEST main_type=imve trigger_policy=essequam sub_type=ueporro severity_level=aliqu policy=upt src=10.141.156.217 src_port=2700 dst=10.53.168.187 dst_port=73 http_method=emacc http_url=emp http_host=lamcola http_agent=veli http_session_id=venia signature_subclass=risni signature_id=1535 srccountry=uat content_switch_name=onemulla server_pool_name=riaturEx false_positive_mitigation=deri user_name=amqu monitor_status=lorsitam http_refer=https://api.example.org/onpr/litseddo.gif?oremqu=idex#radip http_version=upta dev_id=tetura threat_weight=rumet history_threat_weight=uptasnul threat_level=antiumdo ftp_mode=ecill ftp_cmd=iduntu cipher_suite=pisci msg_id=sunt", - "event.timezone": "CEST", - "fileset.name": "fortimanager", - "host.name": "tasnul4179.internal.host", - "http.request.referrer": "https://api.example.org/onpr/litseddo.gif?oremqu=idex#radip", - "input.type": "log", - "log.level": "very-high", - "log.offset": 27119, - "network.bytes": 4616, - "network.direction": "inbound", - "network.protocol": "GGP", - "observer.egress.interface.name": "enp0s3903", - "observer.ingress.interface.name": "eth5767", - "observer.product": "FortiManager", - "observer.serial_number": "eddoei", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.2208", - "related.hosts": [ - "duntut", - "lamcola", - "tasnul4179.internal.host" - ], - "related.ip": [ - "10.141.156.217", - "10.53.168.187" - ], - "related.user": [ - "amqu" - ], - "rsa.internal.event_desc": "modico", - "rsa.internal.messageid": "generic_fortinetmgr", - 
"rsa.investigations.event_vcat": "illumq", - "rsa.misc.OS": "idata", - "rsa.misc.action": [ - "block", - "emacc" - ], - "rsa.misc.category": "ueporro", - "rsa.misc.client": "veli", - "rsa.misc.context": "itessequ", - "rsa.misc.event_source": "duntut", - "rsa.misc.event_type": "prehend", - "rsa.misc.fcatnum": "cillu", - "rsa.misc.filter": "iuntNeq", - "rsa.misc.hardware_id": "eddoei", - "rsa.misc.log_session_id": "venia", - "rsa.misc.policy_id": "upta", - "rsa.misc.policy_name": "upt", - "rsa.misc.reference_id": "rsin", - "rsa.misc.rule_name": "amvo", - "rsa.misc.severity": "very-high", - "rsa.misc.sig_id": 1535, - "rsa.misc.version": "1.2208", - "rsa.misc.vsys": "eufug", - "rsa.network.alias_host": [ - "tasnul4179.internal.host" - ], - "rsa.network.dinterface": "enp0s3903", - "rsa.network.network_service": "ite", - "rsa.network.sinterface": "eth5767", - "rsa.threat.threat_desc": "antiumdo", - "rsa.time.duration_time": 165.935, - "rsa.time.event_time": "2017-01-06T09:11:41.000Z", - "rsa.time.timezone": "CEST", - "rsa.web.reputation_num": 135.374, - "rsa.web.web_ref_domain": "lamcola", - "rule.name": "amvo", - "service.type": "fortinet", - "source.bytes": 4211, - "source.geo.country_name": "uat", - "source.ip": "10.141.156.217", - "source.mac": "01:00:5e:c0:47:f3", - "source.port": 2700, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "www.example.org", - "url.extension": "jpg", - "url.fragment": "rQuisaut", - "url.original": "https://www.example.org/ess/quiad.jpg?ten=litanim#rQuisaut", - "url.path": "/ess/quiad.jpg", - "url.query": [ - "emp", - "ten=litanim" - ], - "url.scheme": "https", - "user.name": "amqu" - }, - { - "@timestamp": "2017-01-20T04:14:16.000Z", - "destination.bytes": 837, - "destination.ip": "10.189.82.19", - "destination.port": 4267, - "event.action": "accept", - "event.code": "vel", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "date=2017-1-20 time=2:14:16 devname=oco 
device_id=aboree log_id=ainci type=generic subtype=osqu pri=very-high devid=sus devname=imavenia logid=expli type=ugiat subtype=rnat level=low vd=orem srcip=10.37.174.58 srcport=3193 srcintf=lo2990 dstip=10.249.60.66 dstport=4859 dstintf=enp0s1732 poluuid=eve sessionid=tco proto=3 action=accept policyid=oluptate trandisp=lit duration=70.988000 sentbyte=6327 rcvdbyte=837 devtype=oquisqu osname=turadip osversion=1.3402 mastersrcmac=amc srcmac=01:00:5e:dd:dc:44 crscore=160.379000 craction=apar crlevel=runtm eventtype=eturadip user=olorsi service=itseddo hostname=bore5546.www.local profile=labo reqtype=lpaquiof url=https://example.com/xeac/llitanim.txt?oreverit=scip#Finibus direction=inbound msg=eufugia method=ncididun cat=hen catdesc=periamea device_id=itametco log_id=vel pri=high userfrom=rere adminprof=pta timezone=CEST main_type=equeporr trigger_policy=met sub_type=volup severity_level=ptate policy=entsu src=10.44.198.184 src_port=5695 dst=10.189.82.19 dst_port=4267 http_method=odoc http_url=atura http_host=tur http_agent=tur http_session_id=atnonpr signature_subclass=ita signature_id=7570 srccountry=colabori content_switch_name=imidestl server_pool_name=piscing false_positive_mitigation=ceroi user_name=iconsequ monitor_status=iat http_refer=https://www.example.net/siuta/atev.htm?CSe=exerci#inesciu http_version=quid dev_id=atcupid threat_weight=onse history_threat_weight=psa threat_level=ate ftp_mode=con ftp_cmd=tqu cipher_suite=eirur msg_id=dese", - "event.timezone": "CEST", - "fileset.name": "fortimanager", - "host.name": "bore5546.www.local", - "http.request.referrer": "https://www.example.net/siuta/atev.htm?CSe=exerci#inesciu", - "input.type": "log", - "log.level": "high", - "log.offset": 28610, - "network.bytes": 7164, - "network.direction": "inbound", - "network.protocol": "GGP", - "observer.egress.interface.name": "enp0s1732", - "observer.ingress.interface.name": "lo2990", - "observer.product": "FortiManager", - "observer.serial_number": "itametco", - 
"observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.3402", - "related.hosts": [ - "bore5546.www.local", - "imavenia", - "tur" - ], - "related.ip": [ - "10.189.82.19", - "10.44.198.184" - ], - "related.user": [ - "iconsequ" - ], - "rsa.internal.event_desc": "eufugia", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "eturadip", - "rsa.misc.OS": "turadip", - "rsa.misc.action": [ - "accept", - "odoc" - ], - "rsa.misc.category": "volup", - "rsa.misc.client": "tur", - "rsa.misc.context": "lit", - "rsa.misc.event_source": "imavenia", - "rsa.misc.event_type": "ugiat", - "rsa.misc.fcatnum": "hen", - "rsa.misc.filter": "periamea", - "rsa.misc.hardware_id": "itametco", - "rsa.misc.log_session_id": "atnonpr", - "rsa.misc.policy_id": "oluptate", - "rsa.misc.policy_name": "entsu", - "rsa.misc.reference_id": "vel", - "rsa.misc.rule_name": "labo", - "rsa.misc.severity": "high", - "rsa.misc.sig_id": 7570, - "rsa.misc.version": "1.3402", - "rsa.misc.vsys": "orem", - "rsa.network.alias_host": [ - "bore5546.www.local" - ], - "rsa.network.dinterface": "enp0s1732", - "rsa.network.network_service": "itseddo", - "rsa.network.sinterface": "lo2990", - "rsa.threat.threat_desc": "ate", - "rsa.time.duration_time": 70.988, - "rsa.time.event_time": "2017-01-20T04:14:16.000Z", - "rsa.time.timezone": "CEST", - "rsa.web.reputation_num": 160.379, - "rsa.web.web_ref_domain": "tur", - "rule.name": "labo", - "service.type": "fortinet", - "source.bytes": 6327, - "source.geo.country_name": "colabori", - "source.ip": "10.44.198.184", - "source.mac": "01:00:5e:dd:dc:44", - "source.port": 5695, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "example.com", - "url.extension": "txt", - "url.fragment": "Finibus", - "url.original": "https://example.com/xeac/llitanim.txt?oreverit=scip#Finibus", - "url.path": "/xeac/llitanim.txt", - "url.query": [ - "atura", - "oreverit=scip" - ], - "url.scheme": "https", - 
"user.name": "iconsequ" - }, - { - "@timestamp": "2017-02-03T11:16:50.000Z", - "destination.bytes": 3097, - "destination.ip": "10.181.183.104", - "destination.port": 5554, - "event.action": "cancel", - "event.code": "roinBCSe", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=mquisnos date=2017-2-3 time=9:16:50 log_id=lore devid=isci devname=Dui logid=reetdo type=ever subtype=civelits level=high vd=quiav srcip=10.154.34.15 srcport=5986 srcintf=enp0s4064 dstip=10.153.172.249 dstport=7030 dstintf=enp0s3067 poluuid=henderit sessionid=remq proto=21 action=cancel policyid=tla trandisp=arch duration=52.795000 sentbyte=5453 rcvdbyte=3097 devtype=ror osname=onsecte osversion=1.91 mastersrcmac=aecatcup srcmac=01:00:5e:58:7e:f5 crscore=133.560000 craction=quas crlevel=occaeca eventtype=eturadip user=ent service=rumSecti hostname=Utenima260.mail.invalid profile=cept reqtype=aedictas url=https://api.example.org/orio/gna.gif?aaliquaU=olu#iameaque direction=external msg=essequa method=aquio cat=rspicia catdesc=deom device_id=oluptat log_id=roinBCSe pri=medium userfrom=onproide adminprof=uamnih timezone=GMT+02:00 main_type=tatisetq trigger_policy=uidolo sub_type=umdolore severity_level=dmi policy=tam src=10.151.170.207 src_port=1400 dst=10.181.183.104 dst_port=5554 http_method=amni http_url=tatio http_host=amquisno http_agent=modoc http_session_id=magnam signature_subclass=uinesc signature_id=4248 srccountry=idatat content_switch_name=onev server_pool_name=orsi false_positive_mitigation=ntsunt user_name=iosamni monitor_status=idu http_refer=https://example.net/idolo/reet.txt?its=umdolor#isiu http_version=assi dev_id=eserun threat_weight=rvelill history_threat_weight=lupta threat_level=byC ftp_mode=imadm ftp_cmd=uta cipher_suite=tisu msg_id=remagnam", - "event.timezone": "GMT+02:00", - "fileset.name": "fortimanager", - "host.name": "Utenima260.mail.invalid", - "http.request.referrer": 
"https://example.net/idolo/reet.txt?its=umdolor#isiu", - "input.type": "log", - "log.level": "medium", - "log.offset": 30121, - "network.bytes": 8550, - "network.direction": "external", - "observer.egress.interface.name": "enp0s3067", - "observer.ingress.interface.name": "enp0s4064", - "observer.product": "FortiManager", - "observer.serial_number": "oluptat", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.91", - "related.hosts": [ - "Dui", - "Utenima260.mail.invalid", - "amquisno" - ], - "related.ip": [ - "10.151.170.207", - "10.181.183.104" - ], - "related.user": [ - "iosamni" - ], - "rsa.internal.event_desc": "essequa", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "eturadip", - "rsa.misc.OS": "onsecte", - "rsa.misc.action": [ - "amni", - "cancel" - ], - "rsa.misc.category": "umdolore", - "rsa.misc.client": "modoc", - "rsa.misc.context": "arch", - "rsa.misc.event_source": "Dui", - "rsa.misc.event_type": "ever", - "rsa.misc.fcatnum": "rspicia", - "rsa.misc.filter": "deom", - "rsa.misc.hardware_id": "oluptat", - "rsa.misc.log_session_id": "magnam", - "rsa.misc.policy_id": "tla", - "rsa.misc.policy_name": "tam", - "rsa.misc.reference_id": "roinBCSe", - "rsa.misc.rule_name": "cept", - "rsa.misc.severity": "medium", - "rsa.misc.sig_id": 4248, - "rsa.misc.version": "1.91", - "rsa.misc.vsys": "quiav", - "rsa.network.alias_host": [ - "Utenima260.mail.invalid" - ], - "rsa.network.dinterface": "enp0s3067", - "rsa.network.network_service": "rumSecti", - "rsa.network.sinterface": "enp0s4064", - "rsa.threat.threat_desc": "byC", - "rsa.time.duration_time": 52.795, - "rsa.time.event_time": "2017-02-03T11:16:50.000Z", - "rsa.time.timezone": "GMT+02:00", - "rsa.web.reputation_num": 133.56, - "rsa.web.web_ref_domain": "amquisno", - "rule.name": "cept", - "service.type": "fortinet", - "source.bytes": 5453, - "source.geo.country_name": "idatat", - "source.ip": "10.151.170.207", - "source.mac": 
"01:00:5e:58:7e:f5", - "source.port": 1400, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "api.example.org", - "url.extension": "gif", - "url.fragment": "iameaque", - "url.original": "https://api.example.org/orio/gna.gif?aaliquaU=olu#iameaque", - "url.path": "/orio/gna.gif", - "url.query": [ - "aaliquaU=olu", - "tatio" - ], - "url.scheme": "https", - "user.name": "iosamni" - }, - { - "@timestamp": "2017-02-18T06:19:24.000Z", - "destination.bytes": 6209, - "destination.ip": "10.130.240.11", - "destination.port": 6515, - "event.action": "deny", - "event.code": "consequa", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=iumdo date=2017-2-18 time=4:19:24 log_id=iusmodit devid=aturv devname=ectetura logid=obeataev type=umf subtype=olesti level=low vd=quaeabil srcip=10.19.99.129 srcport=956 srcintf=eth62 dstip=10.205.132.218 dstport=1643 dstintf=enp0s5908 poluuid=inim sessionid=etdol proto=17 action=deny policyid=oremeumf trandisp=lesti duration=49.961000 sentbyte=3376 rcvdbyte=6209 devtype=enima osname=tnulapar osversion=1.7278 mastersrcmac=sequ srcmac=01:00:5e:4a:1d:f8 crscore=84.522000 craction=tionula crlevel=accus eventtype=uatu user=mquis service=lab hostname=uido2046.mail.lan profile=tena reqtype=aal url=https://mail.example.org/nimadmin/lumqui.txt?iquip=tinculpa#umtota direction=external msg=rumSecti method=riamea cat=eca catdesc=oluptate device_id=Duisa log_id=consequa pri=low userfrom=iaecon adminprof=aevitaed timezone=PT main_type=rep trigger_policy=remap sub_type=deri severity_level=quaeratv policy=involu src=10.70.7.23 src_port=2758 dst=10.130.240.11 dst_port=6515 http_method=odic http_url=iuta http_host=liquaUte http_agent=scivelit http_session_id=Nequ signature_subclass=quid signature_id=1044 srccountry=lloinve content_switch_name=borisnis server_pool_name=onorumet false_positive_mitigation=ptatema user_name=eavolup monitor_status=ipsumq 
http_refer=https://www.example.org/tno/iss.gif?ptatev=atu#teturad http_version=eturad dev_id=tDuis threat_weight=mwritten history_threat_weight=tat threat_level=equ ftp_mode=sumdolo ftp_cmd=idolorem cipher_suite=temvele msg_id=oremque", - "event.timezone": "PT", - "fileset.name": "fortimanager", - "host.name": "uido2046.mail.lan", - "http.request.referrer": "https://www.example.org/tno/iss.gif?ptatev=atu#teturad", - "input.type": "log", - "log.level": "low", - "log.offset": 31615, - "network.bytes": 9585, - "network.direction": "external", - "observer.egress.interface.name": "enp0s5908", - "observer.ingress.interface.name": "eth62", - "observer.product": "FortiManager", - "observer.serial_number": "Duisa", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.7278", - "related.hosts": [ - "ectetura", - "liquaUte", - "uido2046.mail.lan" - ], - "related.ip": [ - "10.130.240.11", - "10.70.7.23" - ], - "related.user": [ - "eavolup" - ], - "rsa.internal.event_desc": "rumSecti", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "uatu", - "rsa.misc.OS": "tnulapar", - "rsa.misc.action": [ - "deny", - "odic" - ], - "rsa.misc.category": "deri", - "rsa.misc.client": "scivelit", - "rsa.misc.context": "lesti", - "rsa.misc.event_source": "ectetura", - "rsa.misc.event_type": "umf", - "rsa.misc.fcatnum": "eca", - "rsa.misc.filter": "oluptate", - "rsa.misc.hardware_id": "Duisa", - "rsa.misc.log_session_id": "Nequ", - "rsa.misc.policy_id": "oremeumf", - "rsa.misc.policy_name": "involu", - "rsa.misc.reference_id": "consequa", - "rsa.misc.rule_name": "tena", - "rsa.misc.severity": "low", - "rsa.misc.sig_id": 1044, - "rsa.misc.version": "1.7278", - "rsa.misc.vsys": "quaeabil", - "rsa.network.alias_host": [ - "uido2046.mail.lan" - ], - "rsa.network.dinterface": "enp0s5908", - "rsa.network.network_service": "lab", - "rsa.network.sinterface": "eth62", - "rsa.threat.threat_desc": "equ", - "rsa.time.duration_time": 
49.961, - "rsa.time.event_time": "2017-02-18T06:19:24.000Z", - "rsa.time.timezone": "PT", - "rsa.web.reputation_num": 84.522, - "rsa.web.web_ref_domain": "liquaUte", - "rule.name": "tena", - "service.type": "fortinet", - "source.bytes": 3376, - "source.geo.country_name": "lloinve", - "source.ip": "10.70.7.23", - "source.mac": "01:00:5e:4a:1d:f8", - "source.port": 2758, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "mail.example.org", - "url.extension": "txt", - "url.fragment": "umtota", - "url.original": "https://mail.example.org/nimadmin/lumqui.txt?iquip=tinculpa#umtota", - "url.path": "/nimadmin/lumqui.txt", - "url.query": [ - "iquip=tinculpa", - "iuta" - ], - "url.scheme": "https", - "user.name": "eavolup" - }, - { - "@timestamp": "2017-03-04T13:21:59.000Z", - "destination.bytes": 6509, - "destination.geo.country_name": "uian", - "destination.ip": "10.111.182.212", - "destination.nat.ip": "10.17.209.252", - "destination.nat.port": 2119, - "destination.port": 4493, - "event.action": "deny", - "event.code": "uae", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=inimve devname=\"uio\" devid=\"mexercit\" vd=byC date=2017-3-4 time=11:21:59 logid=uae type=oremip subtype=its level=very-high eventtime=iavol logtime=natuserr srcip=10.37.161.101 srcport=1552 srcintf=enp0s6659 srcintfrole=evit dstip=10.111.182.212 dstport=4493 dstintf=lo6533 dstintfrole=lamco poluuid=tion sessionid=hender proto=icmp action=deny policyid=seq policytype=rumSe crscore=88.660000 craction=madmi crlevel=tlabore appcat=idunt service=expl srccountry=olore dstcountry=uian trandisp=atuserro tranip=10.17.209.252 tranport=2119 duration=135.770000 sentbyte=313 rcvdbyte=6509 sentpkt=oinBCS app=itsedd", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "very-high", - "log.offset": 33111, - "network.bytes": 6822, - "observer.egress.interface.name": "lo6533", - "observer.ingress.interface.name": 
"enp0s6659", - "observer.product": "FortiManager", - "observer.serial_number": "mexercit", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "uio" - ], - "related.ip": [ - "10.111.182.212", - "10.17.209.252", - "10.37.161.101" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "its", - "rsa.misc.context": "atuserro", - "rsa.misc.event_source": "uio", - "rsa.misc.event_type": "oremip", - "rsa.misc.hardware_id": "mexercit", - "rsa.misc.log_session_id": "hender", - "rsa.misc.obj_name": "itsedd", - "rsa.misc.policy_id": "seq", - "rsa.misc.reference_id": "uae", - "rsa.misc.severity": "very-high", - "rsa.misc.vsys": "byC", - "rsa.network.dinterface": "lo6533", - "rsa.network.network_service": "expl", - "rsa.network.sinterface": "enp0s6659", - "rsa.time.duration_time": 135.77, - "rsa.time.event_time": "2017-03-04T13:21:59.000Z", - "rsa.time.event_time_str": "iavol", - "rsa.web.reputation_num": 88.66, - "service.type": "fortinet", - "source.bytes": 313, - "source.geo.country_name": "olore", - "source.ip": "10.37.161.101", - "source.port": 1552, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2017-03-18T08:24:33.000Z", - "destination.bytes": 1936, - "destination.geo.country_name": "nonpro", - "destination.ip": "10.170.196.181", - "destination.nat.ip": "10.153.166.133", - "destination.nat.port": 4638, - "destination.port": 6994, - "event.action": "allow", - "event.code": "sin", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=ipis devname=\"itautfu\" devid=\"nesci\" vd=tam date=2017-3-18 time=6:24:33 logid=sin type=idexeac subtype=nimadmin level=medium eventtime=edutper logtime=tevelite srcip=10.158.175.98 srcport=1491 srcintf=enp0s7649 srcintfrole=oinBCSed dstip=10.170.196.181 dstport=6994 dstintf=enp0s5873 dstintfrole=obeatae poluuid=iquid sessionid=evo proto=udp action=allow 
policyid=mqu policytype=pteursi crscore=98.596000 craction=expl crlevel=essecill appcat=totamre service=rpo srccountry=velites dstcountry=nonpro trandisp=nula tranip=10.153.166.133 tranport=4638 duration=39.506000 sentbyte=6610 rcvdbyte=1936 sentpkt=olu app=imide", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "medium", - "log.offset": 33726, - "network.bytes": 8546, - "observer.egress.interface.name": "enp0s5873", - "observer.ingress.interface.name": "enp0s7649", - "observer.product": "FortiManager", - "observer.serial_number": "nesci", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "itautfu" - ], - "related.ip": [ - "10.153.166.133", - "10.158.175.98", - "10.170.196.181" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "nimadmin", - "rsa.misc.context": "nula", - "rsa.misc.event_source": "itautfu", - "rsa.misc.event_type": "idexeac", - "rsa.misc.hardware_id": "nesci", - "rsa.misc.log_session_id": "evo", - "rsa.misc.obj_name": "imide", - "rsa.misc.policy_id": "mqu", - "rsa.misc.reference_id": "sin", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "tam", - "rsa.network.dinterface": "enp0s5873", - "rsa.network.network_service": "rpo", - "rsa.network.sinterface": "enp0s7649", - "rsa.time.duration_time": 39.506, - "rsa.time.event_time": "2017-03-18T08:24:33.000Z", - "rsa.time.event_time_str": "edutper", - "rsa.web.reputation_num": 98.596, - "service.type": "fortinet", - "source.bytes": 6610, - "source.geo.country_name": "velites", - "source.ip": "10.158.175.98", - "source.port": 1491, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2017-04-02T03:27:07.000Z", - "destination.bytes": 5360, - "destination.ip": "10.48.25.200", - "destination.port": 5179, - "event.action": "accept", - "event.code": "uredol", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - 
"event.original": "date=2017-4-2 time=1:27:07 logver=amn devid=itessequ devname=porissu logid=umd type=sumd subtype=sectetur level=low vd=aUtenima srcip=10.62.10.137 srcport=5596 srcintf=lo6539 dstip=10.138.249.251 dstport=630 dstintf=eth1576 poluuid=deritinv sessionid=evelite proto=6 action=accept policyid=stiaecon trandisp=usBono duration=155.835000 sentbyte=3942 rcvdbyte=5360 devtype=ttenb osname=olor osversion=1.5978 mastersrcmac=lapa srcmac=01:00:5e:b0:3e:44 crscore=105.845000 craction=lors crlevel=oluptat eventtype=enimad user=tis service=qua hostname=con6049.internal.lan profile=quelaud reqtype=luptat url=https://internal.example.com/temse/caecat.jpg?emeu=tatemac#quisn direction=inbound msg=teursint method=etMa cat=llita catdesc=ntsunt device_id=nturmag log_id=uredol pri=high userfrom=temsequi adminprof=mquia timezone=ET main_type=enbyCic trigger_policy=iveli sub_type=conseq severity_level=itame policy=tenat src=10.63.171.91 src_port=4396 dst=10.48.25.200 dst_port=5179 http_method=nse http_url=mveniam http_host=tuser http_agent=mmo http_session_id=eve signature_subclass=nbyCicer signature_id=6129 srccountry=ciad content_switch_name=ugiatqu server_pool_name=eruntmo false_positive_mitigation=nimve user_name=usanti monitor_status=ion http_refer=https://mail.example.org/gelits/iavo.txt?udexerc=ovolupta#volup http_version=macc dev_id=ria threat_weight=beat history_threat_weight=rro threat_level=tuser ftp_mode=ctasu ftp_cmd=irat cipher_suite=sitame msg_id=oinven", - "event.timezone": "ET", - "fileset.name": "fortimanager", - "host.name": "con6049.internal.lan", - "http.request.referrer": "https://mail.example.org/gelits/iavo.txt?udexerc=ovolupta#volup", - "input.type": "log", - "log.level": "high", - "log.offset": 34352, - "network.bytes": 9302, - "network.direction": "inbound", - "observer.egress.interface.name": "eth1576", - "observer.ingress.interface.name": "lo6539", - "observer.product": "FortiManager", - "observer.serial_number": "nturmag", - 
"observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.5978", - "related.hosts": [ - "con6049.internal.lan", - "porissu", - "tuser" - ], - "related.ip": [ - "10.48.25.200", - "10.63.171.91" - ], - "related.user": [ - "usanti" - ], - "rsa.internal.event_desc": "teursint", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "enimad", - "rsa.misc.OS": "olor", - "rsa.misc.action": [ - "accept", - "nse" - ], - "rsa.misc.category": "conseq", - "rsa.misc.client": "mmo", - "rsa.misc.context": "usBono", - "rsa.misc.event_source": "porissu", - "rsa.misc.event_type": "sumd", - "rsa.misc.fcatnum": "llita", - "rsa.misc.filter": "ntsunt", - "rsa.misc.hardware_id": "nturmag", - "rsa.misc.log_session_id": "eve", - "rsa.misc.policy_id": "stiaecon", - "rsa.misc.policy_name": "tenat", - "rsa.misc.reference_id": "uredol", - "rsa.misc.rule_name": "quelaud", - "rsa.misc.severity": "high", - "rsa.misc.sig_id": 6129, - "rsa.misc.version": "1.5978", - "rsa.misc.vsys": "aUtenima", - "rsa.network.alias_host": [ - "con6049.internal.lan" - ], - "rsa.network.dinterface": "eth1576", - "rsa.network.network_service": "qua", - "rsa.network.sinterface": "lo6539", - "rsa.threat.threat_desc": "tuser", - "rsa.time.duration_time": 155.835, - "rsa.time.event_time": "2017-04-02T03:27:07.000Z", - "rsa.time.timezone": "ET", - "rsa.web.reputation_num": 105.845, - "rsa.web.web_ref_domain": "tuser", - "rule.name": "quelaud", - "service.type": "fortinet", - "source.bytes": 3942, - "source.geo.country_name": "ciad", - "source.ip": "10.63.171.91", - "source.mac": "01:00:5e:b0:3e:44", - "source.port": 4396, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "internal.example.com", - "url.extension": "jpg", - "url.fragment": "quisn", - "url.original": "https://internal.example.com/temse/caecat.jpg?emeu=tatemac#quisn", - "url.path": "/temse/caecat.jpg", - "url.query": [ - "emeu=tatemac", - "mveniam" - ], - "url.scheme": 
"https", - "user.name": "usanti" - }, - { - "@timestamp": "2017-04-16T10:29:41.000Z", - "destination.bytes": 7791, - "destination.geo.country_name": "ddoe", - "destination.ip": "10.77.105.81", - "destination.nat.ip": "10.38.168.190", - "destination.nat.port": 7260, - "destination.port": 4455, - "event.action": "allow", - "event.code": "rcitati", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=ute dtime=2017-04-16 08:29:41.792538723 +0000 UTC devid=mexer devname=iam vd=Bonoru date=2017-4-16 time=8:29:41 logid=rcitati type=nula subtype=ameaquei level=low eventtime=adipi logtime=mquis srcip=10.174.17.46 srcport=2743 srcintf=eth6814 srcintfrole=ine dstip=10.77.105.81 dstport=4455 dstintf=enp0s7799 dstintfrole=orem poluuid=giatqu sessionid=rsint proto=udp action=allow policyid=paq policytype=uianon crscore=60.762000 craction=uisautem crlevel=mquameiu appcat=loremq service=turmagni srccountry=ores dstcountry=ddoe trandisp=uid tranip=10.38.168.190 tranport=7260 duration=129.140000 sentbyte=368 rcvdbyte=7791 sentpkt=incidi app=aedictas", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "low", - "log.offset": 35821, - "network.bytes": 8159, - "observer.egress.interface.name": "enp0s7799", - "observer.ingress.interface.name": "eth6814", - "observer.product": "FortiManager", - "observer.serial_number": "mexer", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "iam" - ], - "related.ip": [ - "10.174.17.46", - "10.38.168.190", - "10.77.105.81" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "ameaquei", - "rsa.misc.context": "uid", - "rsa.misc.event_source": "iam", - "rsa.misc.event_type": "nula", - "rsa.misc.hardware_id": "mexer", - "rsa.misc.log_session_id": "rsint", - "rsa.misc.obj_name": "aedictas", - "rsa.misc.policy_id": "paq", - "rsa.misc.reference_id": "rcitati", - 
"rsa.misc.severity": "low", - "rsa.misc.vsys": "Bonoru", - "rsa.network.dinterface": "enp0s7799", - "rsa.network.network_service": "turmagni", - "rsa.network.sinterface": "eth6814", - "rsa.time.duration_time": 129.14, - "rsa.time.event_time": "2017-04-16T10:29:41.000Z", - "rsa.time.event_time_str": "adipi", - "rsa.web.reputation_num": 60.762, - "service.type": "fortinet", - "source.bytes": 368, - "source.geo.country_name": "ores", - "source.ip": "10.174.17.46", - "source.port": 2743, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2017-04-30T05:32:16.000Z", - "destination.bytes": 7663, - "destination.geo.country_name": "boriosa", - "destination.ip": "10.225.37.73", - "destination.nat.ip": "10.166.142.198", - "destination.nat.port": 4151, - "destination.port": 5630, - "event.action": "cancel", - "event.code": "abore", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=temaccus devname=\"ons\" devid=\"unt\" vd=liq date=2017-4-30 time=3:32:16 logid=abore type=iumdo subtype=oreeu level=high eventtime=exe logtime=tis srcip=10.36.99.207 srcport=4829 srcintf=lo497 srcintfrole=tvol dstip=10.225.37.73 dstport=5630 dstintf=eth1882 dstintfrole=eniamqu poluuid=iumt sessionid=porissus proto=udp action=cancel policyid=tsunt policytype=rnat crscore=88.508000 craction=ured crlevel=ctetu appcat=oreeu service=uasiarch srccountry=Malor dstcountry=boriosa trandisp=cillumdo tranip=10.166.142.198 tranport=4151 duration=1.040000 sentbyte=465 rcvdbyte=7663 sentpkt=oreetd app=lor", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "high", - "log.offset": 36476, - "network.bytes": 8128, - "observer.egress.interface.name": "eth1882", - "observer.ingress.interface.name": "lo497", - "observer.product": "FortiManager", - "observer.serial_number": "unt", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "ons" - ], - "related.ip": [ - 
"10.166.142.198", - "10.225.37.73", - "10.36.99.207" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "oreeu", - "rsa.misc.context": "cillumdo", - "rsa.misc.event_source": "ons", - "rsa.misc.event_type": "iumdo", - "rsa.misc.hardware_id": "unt", - "rsa.misc.log_session_id": "porissus", - "rsa.misc.obj_name": "lor", - "rsa.misc.policy_id": "tsunt", - "rsa.misc.reference_id": "abore", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "liq", - "rsa.network.dinterface": "eth1882", - "rsa.network.network_service": "uasiarch", - "rsa.network.sinterface": "lo497", - "rsa.time.duration_time": 1.04, - "rsa.time.event_time": "2017-04-30T05:32:16.000Z", - "rsa.time.event_time_str": "exe", - "rsa.web.reputation_num": 88.508, - "service.type": "fortinet", - "source.bytes": 465, - "source.geo.country_name": "Malor", - "source.ip": "10.36.99.207", - "source.port": 4829, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2017-05-14T12:34:50.000Z", - "destination.bytes": 6820, - "destination.geo.country_name": "lill", - "destination.ip": "10.214.156.161", - "destination.nat.ip": "10.145.194.12", - "destination.nat.port": 1001, - "destination.port": 3854, - "event.action": "block", - "event.code": "tassitas", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=etc devname=\"eturadip\" devid=\"nost\" vd=atus date=2017-5-14 time=10:34:50 logid=tassitas type=obea subtype=velite level=medium eventtime=litse logtime=san srcip=10.66.90.225 srcport=4846 srcintf=lo4891 srcintfrole=moenimi dstip=10.214.156.161 dstport=3854 dstintf=eth1188 dstintfrole=ati poluuid=rauto sessionid=doloreeu proto=6 action=block policyid=eumfu policytype=docons crscore=3.408000 craction=eumf crlevel=roquisq appcat=uasi service=maveniam srccountry=uis dstcountry=lill trandisp=remeum tranip=10.145.194.12 tranport=1001 duration=25.398000 sentbyte=6452 rcvdbyte=6820 
sentpkt=aturE app=umto", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "medium", - "log.offset": 37079, - "network.bytes": 13272, - "observer.egress.interface.name": "eth1188", - "observer.ingress.interface.name": "lo4891", - "observer.product": "FortiManager", - "observer.serial_number": "nost", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "eturadip" - ], - "related.ip": [ - "10.145.194.12", - "10.214.156.161", - "10.66.90.225" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "velite", - "rsa.misc.context": "remeum", - "rsa.misc.event_source": "eturadip", - "rsa.misc.event_type": "obea", - "rsa.misc.hardware_id": "nost", - "rsa.misc.log_session_id": "doloreeu", - "rsa.misc.obj_name": "umto", - "rsa.misc.policy_id": "eumfu", - "rsa.misc.reference_id": "tassitas", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "atus", - "rsa.network.dinterface": "eth1188", - "rsa.network.network_service": "maveniam", - "rsa.network.sinterface": "lo4891", - "rsa.time.duration_time": 25.398, - "rsa.time.event_time": "2017-05-14T12:34:50.000Z", - "rsa.time.event_time_str": "litse", - "rsa.web.reputation_num": 3.408, - "service.type": "fortinet", - "source.bytes": 6452, - "source.geo.country_name": "uis", - "source.ip": "10.66.90.225", - "source.port": 4846, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2017-05-29T07:37:24.000Z", - "destination.bytes": 4638, - "destination.geo.country_name": "cidu", - "destination.ip": "10.156.208.5", - "destination.nat.ip": "10.163.36.101", - "destination.nat.port": 253, - "destination.port": 7612, - "event.action": "cancel", - "event.code": "eddoei", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=pariat devname=\"iutal\" devid=\"teturad\" vd=ese date=2017-5-29 time=5:37:24 logid=eddoei type=lorumw subtype=eca 
level=medium eventtime=nimve logtime=duntut srcip=10.6.242.108 srcport=3373 srcintf=lo3230 srcintfrole=qua dstip=10.156.208.5 dstport=7612 dstintf=lo1800 dstintfrole=quisn poluuid=pteu sessionid=uatD proto=0 action=cancel policyid=antiu policytype=velillum crscore=166.389000 craction=iatquovo crlevel=lapari appcat=Mal service=itinvo srccountry=snulap dstcountry=cidu trandisp=hilmol tranip=10.163.36.101 tranport=253 duration=72.488000 sentbyte=1880 rcvdbyte=4638 sentpkt=ident app=scip", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "medium", - "log.offset": 37688, - "network.bytes": 6518, - "observer.egress.interface.name": "lo1800", - "observer.ingress.interface.name": "lo3230", - "observer.product": "FortiManager", - "observer.serial_number": "teturad", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "iutal" - ], - "related.ip": [ - "10.156.208.5", - "10.163.36.101", - "10.6.242.108" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "eca", - "rsa.misc.context": "hilmol", - "rsa.misc.event_source": "iutal", - "rsa.misc.event_type": "lorumw", - "rsa.misc.hardware_id": "teturad", - "rsa.misc.log_session_id": "uatD", - "rsa.misc.obj_name": "scip", - "rsa.misc.policy_id": "antiu", - "rsa.misc.reference_id": "eddoei", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "ese", - "rsa.network.dinterface": "lo1800", - "rsa.network.network_service": "itinvo", - "rsa.network.sinterface": "lo3230", - "rsa.time.duration_time": 72.488, - "rsa.time.event_time": "2017-05-29T07:37:24.000Z", - "rsa.time.event_time_str": "nimve", - "rsa.web.reputation_num": 166.389, - "service.type": "fortinet", - "source.bytes": 1880, - "source.geo.country_name": "snulap", - "source.ip": "10.6.242.108", - "source.port": 3373, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2017-06-12T14:39:58.000Z", - "destination.bytes": 
1048, - "destination.ip": "10.68.233.163", - "destination.port": 3126, - "event.action": "allow", - "event.code": "emve", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "date=2017-6-12 time=12:39:58 devname=uamqu device_id=iusmodi log_id=esciun type=generic subtype=tasnul pri=medium devid=ccusant devname=epteurs logid=rmag type=quisquam subtype=eporroqu level=very-high vd=dit srcip=10.25.134.171 srcport=7867 srcintf=eth4543 dstip=10.43.235.230 dstport=2198 dstintf=lo4581 poluuid=BCSe sessionid=rem proto=0 action=allow policyid=eeufug trandisp=ntin duration=6.686000 sentbyte=5763 rcvdbyte=1048 devtype=cinge osname=tatem osversion=1.4713 mastersrcmac=eritqu srcmac=01:00:5e:ed:6b:57 crscore=10.603000 craction=nimip crlevel=iutaliq eventtype=olore user=onemul service=trudexe hostname=remeum2641.www5.corp profile=Quisa reqtype=quiav url=https://www5.example.com/elit/sam.htm?nevolu=unt#isni direction=outbound msg=ecillum method=olor cat=amei catdesc=doconseq device_id=conseq log_id=emve pri=very-high userfrom=tiu adminprof=wri timezone=GMT-07:00 main_type=asper trigger_policy=dictasun sub_type=psa severity_level=lorese policy=olupta src=10.220.148.127 src_port=6681 dst=10.68.233.163 dst_port=3126 http_method=itanimi http_url=onoru http_host=data http_agent=ugits http_session_id=ittenb signature_subclass=tobeatae signature_id=5617 srccountry=quis content_switch_name=exe server_pool_name=naa false_positive_mitigation=equat user_name=estiaec monitor_status=pitlabo http_refer=https://example.net/rcitat/ree.htm?ionofdeF=rsp#imipsa http_version=nostrum dev_id=autodita threat_weight=ntut history_threat_weight=temveleu threat_level=itametco ftp_mode=etcons ftp_cmd=etco cipher_suite=iuntN msg_id=utfugi", - "event.timezone": "GMT-07:00", - "fileset.name": "fortimanager", - "host.name": "remeum2641.www5.corp", - "http.request.referrer": "https://example.net/rcitat/ree.htm?ionofdeF=rsp#imipsa", - "input.type": "log", - "log.level": 
"very-high", - "log.offset": 38295, - "network.bytes": 6811, - "network.direction": "outbound", - "observer.egress.interface.name": "lo4581", - "observer.ingress.interface.name": "eth4543", - "observer.product": "FortiManager", - "observer.serial_number": "conseq", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.4713", - "related.hosts": [ - "data", - "epteurs", - "remeum2641.www5.corp" - ], - "related.ip": [ - "10.220.148.127", - "10.68.233.163" - ], - "related.user": [ - "estiaec" - ], - "rsa.internal.event_desc": "ecillum", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "olore", - "rsa.misc.OS": "tatem", - "rsa.misc.action": [ - "allow", - "itanimi" - ], - "rsa.misc.category": "psa", - "rsa.misc.client": "ugits", - "rsa.misc.context": "ntin", - "rsa.misc.event_source": "epteurs", - "rsa.misc.event_type": "quisquam", - "rsa.misc.fcatnum": "amei", - "rsa.misc.filter": "doconseq", - "rsa.misc.hardware_id": "conseq", - "rsa.misc.log_session_id": "ittenb", - "rsa.misc.policy_id": "eeufug", - "rsa.misc.policy_name": "olupta", - "rsa.misc.reference_id": "emve", - "rsa.misc.rule_name": "Quisa", - "rsa.misc.severity": "very-high", - "rsa.misc.sig_id": 5617, - "rsa.misc.version": "1.4713", - "rsa.misc.vsys": "dit", - "rsa.network.alias_host": [ - "remeum2641.www5.corp" - ], - "rsa.network.dinterface": "lo4581", - "rsa.network.network_service": "trudexe", - "rsa.network.sinterface": "eth4543", - "rsa.threat.threat_desc": "itametco", - "rsa.time.duration_time": 6.686, - "rsa.time.event_time": "2017-06-12T14:39:58.000Z", - "rsa.time.timezone": "GMT-07:00", - "rsa.web.reputation_num": 10.603, - "rsa.web.web_ref_domain": "data", - "rule.name": "Quisa", - "service.type": "fortinet", - "source.bytes": 5763, - "source.geo.country_name": "quis", - "source.ip": "10.220.148.127", - "source.mac": "01:00:5e:ed:6b:57", - "source.port": 6681, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - 
"url.domain": "www5.example.com", - "url.extension": "htm", - "url.fragment": "isni", - "url.original": "https://www5.example.com/elit/sam.htm?nevolu=unt#isni", - "url.path": "/elit/sam.htm", - "url.query": [ - "nevolu=unt", - "onoru" - ], - "url.scheme": "https", - "user.name": "estiaec" - }, - { - "@timestamp": "2017-06-26T09:42:33.000Z", - "destination.bytes": 6196, - "destination.ip": "10.94.177.125", - "destination.port": 6683, - "event.action": "allow", - "event.code": "mquido", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=isnostru date=2017-6-26 time=7:42:33 log_id=nul devid=ntocca devname=trudex logid=tvol type=lup subtype=mipsamv level=medium vd=qua srcip=10.249.194.7 srcport=4987 srcintf=enp0s2282 dstip=10.57.116.17 dstport=90 dstintf=enp0s7442 poluuid=xcep sessionid=gnidol proto=0 action=allow policyid=uaeab trandisp=ptat duration=136.310000 sentbyte=1078 rcvdbyte=6196 devtype=eturadip osname=amquaera osversion=1.4481 mastersrcmac=equ srcmac=01:00:5e:00:fd:79 crscore=18.750000 craction=olesti crlevel=edquia eventtype=ihi user=undeomn service=ape hostname=itaspe3216.localdomain profile=onsecte reqtype=prehende url=https://example.org/porro/issu.htm?inculpa=ruredol#iadeseru direction=unknown msg=numq method=quae cat=periam catdesc=ain device_id=umiurer log_id=mquido pri=very-high userfrom=onorume adminprof=abill timezone=GMT+02:00 main_type=uov trigger_policy=mini sub_type=mve severity_level=tionev policy=uasiarch src=10.116.82.108 src_port=7276 dst=10.94.177.125 dst_port=6683 http_method=nimides http_url=olorsit http_host=naaliq http_agent=plica http_session_id=asiarc signature_subclass=lor signature_id=5152 srccountry=snula content_switch_name=pici server_pool_name=bori false_positive_mitigation=dipi user_name=ecatc monitor_status=quovolu http_refer=https://example.net/itse/sse.gif?lupt=quatur#dminim http_version=ptatevel dev_id=aperiame threat_weight=stenat history_threat_weight=uianonnu 
threat_level=tatiset ftp_mode=quira ftp_cmd=ciatisun cipher_suite=duntutl msg_id=nven", - "event.timezone": "GMT+02:00", - "fileset.name": "fortimanager", - "host.name": "itaspe3216.localdomain", - "http.request.referrer": "https://example.net/itse/sse.gif?lupt=quatur#dminim", - "input.type": "log", - "log.level": "very-high", - "log.offset": 39842, - "network.bytes": 7274, - "network.direction": "unknown", - "observer.egress.interface.name": "enp0s7442", - "observer.ingress.interface.name": "enp0s2282", - "observer.product": "FortiManager", - "observer.serial_number": "umiurer", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.4481", - "related.hosts": [ - "itaspe3216.localdomain", - "naaliq", - "trudex" - ], - "related.ip": [ - "10.116.82.108", - "10.94.177.125" - ], - "related.user": [ - "ecatc" - ], - "rsa.internal.event_desc": "numq", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "ihi", - "rsa.misc.OS": "amquaera", - "rsa.misc.action": [ - "allow", - "nimides" - ], - "rsa.misc.category": "mve", - "rsa.misc.client": "plica", - "rsa.misc.context": "ptat", - "rsa.misc.event_source": "trudex", - "rsa.misc.event_type": "lup", - "rsa.misc.fcatnum": "periam", - "rsa.misc.filter": "ain", - "rsa.misc.hardware_id": "umiurer", - "rsa.misc.log_session_id": "asiarc", - "rsa.misc.policy_id": "uaeab", - "rsa.misc.policy_name": "uasiarch", - "rsa.misc.reference_id": "mquido", - "rsa.misc.rule_name": "onsecte", - "rsa.misc.severity": "very-high", - "rsa.misc.sig_id": 5152, - "rsa.misc.version": "1.4481", - "rsa.misc.vsys": "qua", - "rsa.network.alias_host": [ - "itaspe3216.localdomain" - ], - "rsa.network.dinterface": "enp0s7442", - "rsa.network.network_service": "ape", - "rsa.network.sinterface": "enp0s2282", - "rsa.threat.threat_desc": "tatiset", - "rsa.time.duration_time": 136.31, - "rsa.time.event_time": "2017-06-26T09:42:33.000Z", - "rsa.time.timezone": "GMT+02:00", - 
"rsa.web.reputation_num": 18.75, - "rsa.web.web_ref_domain": "naaliq", - "rule.name": "onsecte", - "service.type": "fortinet", - "source.bytes": 1078, - "source.geo.country_name": "snula", - "source.ip": "10.116.82.108", - "source.mac": "01:00:5e:00:fd:79", - "source.port": 7276, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "example.org", - "url.extension": "htm", - "url.fragment": "iadeseru", - "url.original": "https://example.org/porro/issu.htm?inculpa=ruredol#iadeseru", - "url.path": "/porro/issu.htm", - "url.query": [ - "inculpa=ruredol", - "olorsit" - ], - "url.scheme": "https", - "user.name": "ecatc" - }, - { - "@timestamp": "2017-07-11T04:45:07.000Z", - "destination.bytes": 7131, - "destination.ip": "10.113.152.241", - "destination.port": 2330, - "event.action": "cancel", - "event.code": "uptat", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "date=2017-7-11 time=2:45:07 devname=saq device_id=asiarch log_id=ssuscipi type=generic subtype=utla pri=medium devid=tquovo devname=fugi logid=nse type=nesciu subtype=todit level=very-high vd=inrepreh srcip=10.14.192.162 srcport=2536 srcintf=enp0s4429 dstip=10.179.128.6 dstport=3375 dstintf=enp0s4580 poluuid=ptate sessionid=volupta proto=3 action=cancel policyid=utla trandisp=emi duration=171.651000 sentbyte=3313 rcvdbyte=7131 devtype=velites osname=oloremi osversion=1.4442 mastersrcmac=apari srcmac=01:00:5e:0c:fb:2b crscore=140.065000 craction=uel crlevel=fficiad eventtype=teirured user=nostru service=rcit hostname=mea6298.api.example profile=eumiu reqtype=tatevel url=https://mail.example.org/uamquaer/texplica.gif?sequa=lorum#suntexpl direction=inbound msg=Sedut method=tatis cat=audant catdesc=obeata device_id=uredol log_id=uptat pri=low userfrom=entorev adminprof=quuntur timezone=GMT+02:00 main_type=exercit trigger_policy=dexer sub_type=idolor severity_level=onpr policy=uira src=10.115.121.243 src_port=550 dst=10.113.152.241 dst_port=2330 
http_method=ali http_url=udexerci http_host=uae http_agent=imveni http_session_id=econ signature_subclass=aborio signature_id=1122 srccountry=setquas content_switch_name=nbyCi server_pool_name=runtmoll false_positive_mitigation=busBon user_name=norumetM monitor_status=isno http_refer=https://internal.example.com/ameaq/Quis.html?lestiae=iav#umiure http_version=isiut dev_id=tin threat_weight=rporiss history_threat_weight=billoinv threat_level=etconse ftp_mode=nesciu ftp_cmd=mali cipher_suite=roinBCSe msg_id=eetdolor", - "event.timezone": "GMT+02:00", - "fileset.name": "fortimanager", - "host.name": "mea6298.api.example", - "http.request.referrer": "https://internal.example.com/ameaq/Quis.html?lestiae=iav#umiure", - "input.type": "log", - "log.level": "low", - "log.offset": 41333, - "network.bytes": 10444, - "network.direction": "inbound", - "network.protocol": "GGP", - "observer.egress.interface.name": "enp0s4580", - "observer.ingress.interface.name": "enp0s4429", - "observer.product": "FortiManager", - "observer.serial_number": "uredol", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.4442", - "related.hosts": [ - "fugi", - "mea6298.api.example", - "uae" - ], - "related.ip": [ - "10.113.152.241", - "10.115.121.243" - ], - "related.user": [ - "norumetM" - ], - "rsa.internal.event_desc": "Sedut", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "teirured", - "rsa.misc.OS": "oloremi", - "rsa.misc.action": [ - "ali", - "cancel" - ], - "rsa.misc.category": "idolor", - "rsa.misc.client": "imveni", - "rsa.misc.context": "emi", - "rsa.misc.event_source": "fugi", - "rsa.misc.event_type": "nesciu", - "rsa.misc.fcatnum": "audant", - "rsa.misc.filter": "obeata", - "rsa.misc.hardware_id": "uredol", - "rsa.misc.log_session_id": "econ", - "rsa.misc.policy_id": "utla", - "rsa.misc.policy_name": "uira", - "rsa.misc.reference_id": "uptat", - "rsa.misc.rule_name": "eumiu", - "rsa.misc.severity": "low", 
- "rsa.misc.sig_id": 1122, - "rsa.misc.version": "1.4442", - "rsa.misc.vsys": "inrepreh", - "rsa.network.alias_host": [ - "mea6298.api.example" - ], - "rsa.network.dinterface": "enp0s4580", - "rsa.network.network_service": "rcit", - "rsa.network.sinterface": "enp0s4429", - "rsa.threat.threat_desc": "etconse", - "rsa.time.duration_time": 171.651, - "rsa.time.event_time": "2017-07-11T04:45:07.000Z", - "rsa.time.timezone": "GMT+02:00", - "rsa.web.reputation_num": 140.065, - "rsa.web.web_ref_domain": "uae", - "rule.name": "eumiu", - "service.type": "fortinet", - "source.bytes": 3313, - "source.geo.country_name": "setquas", - "source.ip": "10.115.121.243", - "source.mac": "01:00:5e:0c:fb:2b", - "source.port": 550, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "mail.example.org", - "url.extension": "gif", - "url.fragment": "suntexpl", - "url.original": "https://mail.example.org/uamquaer/texplica.gif?sequa=lorum#suntexpl", - "url.path": "/uamquaer/texplica.gif", - "url.query": [ - "sequa=lorum", - "udexerci" - ], - "url.scheme": "https", - "user.name": "norumetM" - }, - { - "@timestamp": "2017-07-25T11:47:41.000Z", - "destination.bytes": 6863, - "destination.ip": "10.179.153.97", - "destination.port": 1908, - "event.action": "accept", - "event.code": "taliqu", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "date=2017-7-25 time=9:47:41 logver=upt devid=equamni devname=atcupi logid=enima type=uptateve subtype=fugitsed level=medium vd=lorem srcip=10.68.159.207 srcport=3320 srcintf=enp0s7206 dstip=10.139.195.188 dstport=893 dstintf=enp0s6960 poluuid=lits sessionid=tvolu proto=17 action=accept policyid=ollitan trandisp=temseq duration=0.684000 sentbyte=3045 rcvdbyte=6863 devtype=edictasu osname=eturadi osversion=1.3804 mastersrcmac=edquiano srcmac=01:00:5e:09:79:f2 crscore=11.231000 craction=taevitae crlevel=tevel eventtype=tatemse user=gitsed service=agn hostname=iqu7510.internal.corp profile=equeporr 
reqtype=amremap url=https://www5.example.org/aqu/utemvele.gif?serrorsi=tsedquia#rsit direction=unknown msg=ntutlabo method=idex cat=nihilmo catdesc=reetdo device_id=xeaco log_id=taliqu pri=medium userfrom=hite adminprof=umfugi timezone=CT main_type=dminimve trigger_policy=remips sub_type=laboreet severity_level=uptate policy=tot src=10.49.82.45 src_port=435 dst=10.179.153.97 dst_port=1908 http_method=ade http_url=nihilmol http_host=nder http_agent=ano http_session_id=rumexer signature_subclass=eab signature_id=2387 srccountry=saquaeab content_switch_name=eli server_pool_name=rissusci false_positive_mitigation=ectetur user_name=dictasun monitor_status=inimv http_refer=https://api.example.org/volup/untNeq.htm?mremaper=uteirur#ntium http_version=ide dev_id=quunturm threat_weight=quovo history_threat_weight=quaturve threat_level=ntiumdol ftp_mode=conse ftp_cmd=aturve cipher_suite=edqui msg_id=tvolu", - "event.timezone": "CT", - "fileset.name": "fortimanager", - "host.name": "iqu7510.internal.corp", - "http.request.referrer": "https://api.example.org/volup/untNeq.htm?mremaper=uteirur#ntium", - "input.type": "log", - "log.level": "medium", - "log.offset": 42910, - "network.bytes": 9908, - "network.direction": "unknown", - "observer.egress.interface.name": "enp0s6960", - "observer.ingress.interface.name": "enp0s7206", - "observer.product": "FortiManager", - "observer.serial_number": "xeaco", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.3804", - "related.hosts": [ - "atcupi", - "iqu7510.internal.corp", - "nder" - ], - "related.ip": [ - "10.179.153.97", - "10.49.82.45" - ], - "related.user": [ - "dictasun" - ], - "rsa.internal.event_desc": "ntutlabo", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "tatemse", - "rsa.misc.OS": "eturadi", - "rsa.misc.action": [ - "accept", - "ade" - ], - "rsa.misc.category": "laboreet", - "rsa.misc.client": "ano", - "rsa.misc.context": "temseq", - 
"rsa.misc.event_source": "atcupi", - "rsa.misc.event_type": "uptateve", - "rsa.misc.fcatnum": "nihilmo", - "rsa.misc.filter": "reetdo", - "rsa.misc.hardware_id": "xeaco", - "rsa.misc.log_session_id": "rumexer", - "rsa.misc.policy_id": "ollitan", - "rsa.misc.policy_name": "tot", - "rsa.misc.reference_id": "taliqu", - "rsa.misc.rule_name": "equeporr", - "rsa.misc.severity": "medium", - "rsa.misc.sig_id": 2387, - "rsa.misc.version": "1.3804", - "rsa.misc.vsys": "lorem", - "rsa.network.alias_host": [ - "iqu7510.internal.corp" - ], - "rsa.network.dinterface": "enp0s6960", - "rsa.network.network_service": "agn", - "rsa.network.sinterface": "enp0s7206", - "rsa.threat.threat_desc": "ntiumdol", - "rsa.time.duration_time": 0.684, - "rsa.time.event_time": "2017-07-25T11:47:41.000Z", - "rsa.time.timezone": "CT", - "rsa.web.reputation_num": 11.231, - "rsa.web.web_ref_domain": "nder", - "rule.name": "equeporr", - "service.type": "fortinet", - "source.bytes": 3045, - "source.geo.country_name": "saquaeab", - "source.ip": "10.49.82.45", - "source.mac": "01:00:5e:09:79:f2", - "source.port": 435, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "www5.example.org", - "url.extension": "gif", - "url.fragment": "rsit", - "url.original": "https://www5.example.org/aqu/utemvele.gif?serrorsi=tsedquia#rsit", - "url.path": "/aqu/utemvele.gif", - "url.query": [ - "nihilmol", - "serrorsi=tsedquia" - ], - "url.scheme": "https", - "user.name": "dictasun" - }, - { - "@timestamp": "2017-08-08T06:50:15.000Z", - "destination.bytes": 722, - "destination.geo.country_name": "rumex", - "destination.ip": "10.99.55.115", - "destination.nat.ip": "10.205.83.138", - "destination.nat.port": 6239, - "destination.port": 1537, - "event.action": "accept", - "event.code": "iumto", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=ore devname=\"lors\" devid=\"saute\" vd=ecillumd date=2017-8-8 time=4:50:15 logid=iumto type=sequatu 
subtype=tiumtot level=medium eventtime=mdoloree logtime=que srcip=10.98.52.184 srcport=7402 srcintf=eth3784 srcintfrole=ita dstip=10.99.55.115 dstport=1537 dstintf=eth855 dstintfrole=isnostru poluuid=iad sessionid=ngelits proto=tcp action=accept policyid=billoi policytype=reseo crscore=158.047000 craction=uov crlevel=pariat appcat=icaboNe service=boreetd srccountry=uir dstcountry=rumex trandisp=ectobea tranip=10.205.83.138 tranport=6239 duration=170.113000 sentbyte=3290 rcvdbyte=722 sentpkt=ibus app=lumdol", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "medium", - "log.offset": 44420, - "network.bytes": 4012, - "observer.egress.interface.name": "eth855", - "observer.ingress.interface.name": "eth3784", - "observer.product": "FortiManager", - "observer.serial_number": "saute", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "lors" - ], - "related.ip": [ - "10.205.83.138", - "10.98.52.184", - "10.99.55.115" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "tiumtot", - "rsa.misc.context": "ectobea", - "rsa.misc.event_source": "lors", - "rsa.misc.event_type": "sequatu", - "rsa.misc.hardware_id": "saute", - "rsa.misc.log_session_id": "ngelits", - "rsa.misc.obj_name": "lumdol", - "rsa.misc.policy_id": "billoi", - "rsa.misc.reference_id": "iumto", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "ecillumd", - "rsa.network.dinterface": "eth855", - "rsa.network.network_service": "boreetd", - "rsa.network.sinterface": "eth3784", - "rsa.time.duration_time": 170.113, - "rsa.time.event_time": "2017-08-08T06:50:15.000Z", - "rsa.time.event_time_str": "mdoloree", - "rsa.web.reputation_num": 158.047, - "service.type": "fortinet", - "source.bytes": 3290, - "source.geo.country_name": "uir", - "source.ip": "10.98.52.184", - "source.port": 7402, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": 
"2017-08-22T13:52:50.000Z", - "destination.bytes": 422, - "destination.geo.country_name": "did", - "destination.ip": "10.90.189.248", - "destination.nat.ip": "10.228.11.50", - "destination.nat.port": 984, - "destination.port": 1293, - "event.action": "allow", - "event.code": "ptate", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=onnu devname=\"reprehe\" devid=\"metMa\" vd=emoen date=2017-8-22 time=11:52:50 logid=ptate type=mipsumqu subtype=turad level=high eventtime=billo logtime=doloremi srcip=10.197.128.162 srcport=2052 srcintf=lo6750 srcintfrole=ionof dstip=10.90.189.248 dstport=1293 dstintf=lo2402 dstintfrole=roi poluuid=reh sessionid=volup proto=prm action=allow policyid=iconsequ policytype=ueporr crscore=127.832000 craction=archite crlevel=tur appcat=ddo service=emp srccountry=inBC dstcountry=did trandisp=atcupi tranip=10.228.11.50 tranport=984 duration=3.401000 sentbyte=6907 rcvdbyte=422 sentpkt=mcol app=tion", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "high", - "log.offset": 45036, - "network.bytes": 7329, - "observer.egress.interface.name": "lo2402", - "observer.ingress.interface.name": "lo6750", - "observer.product": "FortiManager", - "observer.serial_number": "metMa", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "reprehe" - ], - "related.ip": [ - "10.197.128.162", - "10.228.11.50", - "10.90.189.248" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "turad", - "rsa.misc.context": "atcupi", - "rsa.misc.event_source": "reprehe", - "rsa.misc.event_type": "mipsumqu", - "rsa.misc.hardware_id": "metMa", - "rsa.misc.log_session_id": "volup", - "rsa.misc.obj_name": "tion", - "rsa.misc.policy_id": "iconsequ", - "rsa.misc.reference_id": "ptate", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "emoen", - "rsa.network.dinterface": "lo2402", - 
"rsa.network.network_service": "emp", - "rsa.network.sinterface": "lo6750", - "rsa.time.duration_time": 3.401, - "rsa.time.event_time": "2017-08-22T13:52:50.000Z", - "rsa.time.event_time_str": "billo", - "rsa.web.reputation_num": 127.832, - "service.type": "fortinet", - "source.bytes": 6907, - "source.geo.country_name": "inBC", - "source.ip": "10.197.128.162", - "source.port": 2052, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2017-09-06T08:55:24.000Z", - "event.action": "deny", - "event.code": "odit", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "date=2017-9-6 time=6:55:24 devname=moll device_id=roinBCS log_id=odit type=event subtype=vol pri=low desc=aloru user=cteturad userfrom=modi msg=cip action=deny adom=ntoccae2859.www.test session_id=incididu", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "low", - "log.offset": 45638, - "observer.product": "FortiManager", - "observer.serial_number": "roinBCS", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "moll", - "ntoccae2859.www.test" - ], - "related.user": [ - "cteturad" - ], - "rsa.db.index": "cip", - "rsa.internal.event_desc": "aloru", - "rsa.internal.messageid": "event_fortinetmgr", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "vol", - "rsa.misc.event_source": "moll", - "rsa.misc.event_type": "event", - "rsa.misc.hardware_id": "roinBCS", - "rsa.misc.log_session_id": "incididu", - "rsa.misc.reference_id": "odit", - "rsa.misc.severity": "low", - "rsa.network.domain": "ntoccae2859.www.test", - "rsa.time.event_time": "2017-09-06T08:55:24.000Z", - "server.domain": "ntoccae2859.www.test", - "server.registered_domain": "www.test", - "server.subdomain": "ntoccae2859", - "server.top_level_domain": "test", - "service.type": "fortinet", - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "user.name": "cteturad" - }, - { - "@timestamp": 
"2017-09-20T03:57:58.000Z", - "destination.bytes": 6283, - "destination.ip": "10.22.248.52", - "destination.port": 6566, - "event.action": "cancel", - "event.code": "oreve", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "date=2017-9-20 time=1:57:58 devname=uinesci device_id=otamr log_id=tsed type=generic subtype=rExc pri=medium devid=saute devname=umdol logid=rerepr type=ipiscin subtype=trudexe level=high vd=ineavol srcip=10.29.34.211 srcport=5638 srcintf=eth1805 dstip=10.161.15.82 dstport=6598 dstintf=enp0s5799 poluuid=aco sessionid=eFini proto=17 action=cancel policyid=mipsa trandisp=uas duration=118.122000 sentbyte=1737 rcvdbyte=6283 devtype=umexe osname=xce osversion=1.7318 mastersrcmac=suntex srcmac=01:00:5e:5b:68:89 crscore=29.865000 craction=rcitati crlevel=siutali eventtype=uiratio user=ficia service=orsit hostname=deFinibu3940.internal.lan profile=rautod reqtype=onorumet url=https://www5.example.com/etcon/chit.txt?erspici=itinvolu#adeserun direction=unknown msg=tinv method=Utenima cat=nse catdesc=umq device_id=enim log_id=oreve pri=low userfrom=snisiu adminprof=atem timezone=ET main_type=vento trigger_policy=litsed sub_type=ciun severity_level=rehender policy=tetura src=10.124.71.88 src_port=7540 dst=10.22.248.52 dst_port=6566 http_method=cons http_url=tinvolu http_host=ptat http_agent=amquisn http_session_id=Finibus signature_subclass=nsequat signature_id=3661 srccountry=scipi content_switch_name=rem server_pool_name=reh false_positive_mitigation=rsitame user_name=tcons monitor_status=squamest http_refer=https://mail.example.com/emveleum/siuta.html?ate=epteur#onproi http_version=usmodit dev_id=orese threat_weight=umdolore history_threat_weight=umqui threat_level=adipisci ftp_mode=eir ftp_cmd=ull cipher_suite=tlabor msg_id=itecto", - "event.timezone": "ET", - "fileset.name": "fortimanager", - "host.name": "deFinibu3940.internal.lan", - "http.request.referrer": 
"https://mail.example.com/emveleum/siuta.html?ate=epteur#onproi", - "input.type": "log", - "log.level": "low", - "log.offset": 45844, - "network.bytes": 8020, - "network.direction": "unknown", - "observer.egress.interface.name": "enp0s5799", - "observer.ingress.interface.name": "eth1805", - "observer.product": "FortiManager", - "observer.serial_number": "enim", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.7318", - "related.hosts": [ - "deFinibu3940.internal.lan", - "ptat", - "umdol" - ], - "related.ip": [ - "10.124.71.88", - "10.22.248.52" - ], - "related.user": [ - "tcons" - ], - "rsa.internal.event_desc": "tinv", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "uiratio", - "rsa.misc.OS": "xce", - "rsa.misc.action": [ - "cancel", - "cons" - ], - "rsa.misc.category": "ciun", - "rsa.misc.client": "amquisn", - "rsa.misc.context": "uas", - "rsa.misc.event_source": "umdol", - "rsa.misc.event_type": "ipiscin", - "rsa.misc.fcatnum": "nse", - "rsa.misc.filter": "umq", - "rsa.misc.hardware_id": "enim", - "rsa.misc.log_session_id": "Finibus", - "rsa.misc.policy_id": "mipsa", - "rsa.misc.policy_name": "tetura", - "rsa.misc.reference_id": "oreve", - "rsa.misc.rule_name": "rautod", - "rsa.misc.severity": "low", - "rsa.misc.sig_id": 3661, - "rsa.misc.version": "1.7318", - "rsa.misc.vsys": "ineavol", - "rsa.network.alias_host": [ - "deFinibu3940.internal.lan" - ], - "rsa.network.dinterface": "enp0s5799", - "rsa.network.network_service": "orsit", - "rsa.network.sinterface": "eth1805", - "rsa.threat.threat_desc": "adipisci", - "rsa.time.duration_time": 118.122, - "rsa.time.event_time": "2017-09-20T03:57:58.000Z", - "rsa.time.timezone": "ET", - "rsa.web.reputation_num": 29.865, - "rsa.web.web_ref_domain": "ptat", - "rule.name": "rautod", - "service.type": "fortinet", - "source.bytes": 1737, - "source.geo.country_name": "scipi", - "source.ip": "10.124.71.88", - "source.mac": "01:00:5e:5b:68:89", - 
"source.port": 7540, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "www5.example.com", - "url.extension": "txt", - "url.fragment": "adeserun", - "url.original": "https://www5.example.com/etcon/chit.txt?erspici=itinvolu#adeserun", - "url.path": "/etcon/chit.txt", - "url.query": [ - "erspici=itinvolu", - "tinvolu" - ], - "url.scheme": "https", - "user.name": "tcons" - }, - { - "@timestamp": "2017-10-04T11:00:32.000Z", - "destination.bytes": 6230, - "destination.ip": "10.26.58.20", - "destination.port": 2809, - "event.action": "block", - "event.code": "rchitect", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "date=2017-10-4 time=9:00:32 logver=ametcons devid=velite devname=ipexeac logid=explicab type=samvolu subtype=teiru level=low vd=orinrep srcip=10.228.213.136 srcport=7247 srcintf=lo1719 dstip=10.185.107.27 dstport=2257 dstintf=enp0s4999 poluuid=iduntutl sessionid=mipsumd proto=udp action=block policyid=quelauda trandisp=rcit duration=166.303000 sentbyte=7229 rcvdbyte=6230 devtype=orese osname=evelite osversion=1.4895 mastersrcmac=oremipsu srcmac=01:00:5e:cd:f6:0e crscore=37.237000 craction=equunt crlevel=mto eventtype=iae user=dent service=Uten hostname=tatiset4191.localdomain profile=aconseq reqtype=mquamei url=https://api.example.org/fug/liquid.txt?ptate=lloi#nseq direction=external msg=isetqua method=ianonn cat=oluptas catdesc=doe device_id=quipex log_id=rchitect pri=very-high userfrom=Bonor adminprof=ipex timezone=PT main_type=upta trigger_policy=ivel sub_type=tmollita severity_level=tionofd policy=iatnula src=10.185.37.176 src_port=1859 dst=10.26.58.20 dst_port=2809 http_method=essequam http_url=undeo http_host=ficiade http_agent=uiinea http_session_id=uianonn signature_subclass=eavolupt signature_id=784 srccountry=elitsedq content_switch_name=liquam server_pool_name=sinto false_positive_mitigation=edi user_name=eumiure monitor_status=ore 
http_refer=https://internal.example.com/mSe/sis.gif?rchite=rcit#orumwri http_version=tiae dev_id=giat threat_weight=nculpa history_threat_weight=olupt threat_level=tvol ftp_mode=ostru ftp_cmd=mea cipher_suite=tuserror msg_id=agnama", - "event.timezone": "PT", - "fileset.name": "fortimanager", - "host.name": "tatiset4191.localdomain", - "http.request.referrer": "https://internal.example.com/mSe/sis.gif?rchite=rcit#orumwri", - "input.type": "log", - "log.level": "very-high", - "log.offset": 47392, - "network.bytes": 13459, - "network.direction": "external", - "observer.egress.interface.name": "enp0s4999", - "observer.ingress.interface.name": "lo1719", - "observer.product": "FortiManager", - "observer.serial_number": "quipex", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.4895", - "related.hosts": [ - "ficiade", - "ipexeac", - "tatiset4191.localdomain" - ], - "related.ip": [ - "10.185.37.176", - "10.26.58.20" - ], - "related.user": [ - "eumiure" - ], - "rsa.internal.event_desc": "isetqua", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "iae", - "rsa.misc.OS": "evelite", - "rsa.misc.action": [ - "block", - "essequam" - ], - "rsa.misc.category": "tmollita", - "rsa.misc.client": "uiinea", - "rsa.misc.context": "rcit", - "rsa.misc.event_source": "ipexeac", - "rsa.misc.event_type": "samvolu", - "rsa.misc.fcatnum": "oluptas", - "rsa.misc.filter": "doe", - "rsa.misc.hardware_id": "quipex", - "rsa.misc.log_session_id": "uianonn", - "rsa.misc.policy_id": "quelauda", - "rsa.misc.policy_name": "iatnula", - "rsa.misc.reference_id": "rchitect", - "rsa.misc.rule_name": "aconseq", - "rsa.misc.severity": "very-high", - "rsa.misc.sig_id": 784, - "rsa.misc.version": "1.4895", - "rsa.misc.vsys": "orinrep", - "rsa.network.alias_host": [ - "tatiset4191.localdomain" - ], - "rsa.network.dinterface": "enp0s4999", - "rsa.network.network_service": "Uten", - "rsa.network.sinterface": "lo1719", - 
"rsa.threat.threat_desc": "tvol", - "rsa.time.duration_time": 166.303, - "rsa.time.event_time": "2017-10-04T11:00:32.000Z", - "rsa.time.timezone": "PT", - "rsa.web.reputation_num": 37.237, - "rsa.web.web_ref_domain": "ficiade", - "rule.name": "aconseq", - "service.type": "fortinet", - "source.bytes": 7229, - "source.geo.country_name": "elitsedq", - "source.ip": "10.185.37.176", - "source.mac": "01:00:5e:cd:f6:0e", - "source.port": 1859, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "api.example.org", - "url.extension": "txt", - "url.fragment": "nseq", - "url.original": "https://api.example.org/fug/liquid.txt?ptate=lloi#nseq", - "url.path": "/fug/liquid.txt", - "url.query": [ - "ptate=lloi", - "undeo" - ], - "url.scheme": "https", - "user.name": "eumiure" - }, - { - "@timestamp": "2017-10-19T06:03:07.000Z", - "destination.bytes": 5047, - "destination.geo.country_name": "nven", - "destination.ip": "10.14.145.107", - "destination.nat.ip": "10.250.231.196", - "destination.nat.port": 5863, - "destination.port": 4362, - "event.action": "block", - "event.code": "nostr", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=deritq dtime=2017-10-19 04:03:07.172538723 +0000 UTC devid=boreetdo devname=teni vd=iin date=2017-10-19 time=4:03:07 logid=nostr type=luptatem subtype=tNequepo level=low eventtime=eumfug logtime=sper srcip=10.200.12.126 srcport=2347 srcintf=enp0s7374 srcintfrole=liqu dstip=10.14.145.107 dstport=4362 dstintf=enp0s7861 dstintfrole=aliq poluuid=utem sessionid=oreetd proto=HOPOPT action=block policyid=Nequepo policytype=edictas crscore=55.933000 craction=tur crlevel=borisnis appcat=elitsedd service=hitecto srccountry=loremi dstcountry=nven trandisp=isci tranip=10.250.231.196 tranport=5863 duration=4.105000 sentbyte=2763 rcvdbyte=5047 sentpkt=aquioff app=cip", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "low", - "log.offset": 48887, - "network.bytes": 
7810, - "observer.egress.interface.name": "enp0s7861", - "observer.ingress.interface.name": "enp0s7374", - "observer.product": "FortiManager", - "observer.serial_number": "boreetdo", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "teni" - ], - "related.ip": [ - "10.14.145.107", - "10.200.12.126", - "10.250.231.196" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "tNequepo", - "rsa.misc.context": "isci", - "rsa.misc.event_source": "teni", - "rsa.misc.event_type": "luptatem", - "rsa.misc.hardware_id": "boreetdo", - "rsa.misc.log_session_id": "oreetd", - "rsa.misc.obj_name": "cip", - "rsa.misc.policy_id": "Nequepo", - "rsa.misc.reference_id": "nostr", - "rsa.misc.severity": "low", - "rsa.misc.vsys": "iin", - "rsa.network.dinterface": "enp0s7861", - "rsa.network.network_service": "hitecto", - "rsa.network.sinterface": "enp0s7374", - "rsa.time.duration_time": 4.105, - "rsa.time.event_time": "2017-10-19T06:03:07.000Z", - "rsa.time.event_time_str": "eumfug", - "rsa.web.reputation_num": 55.933, - "service.type": "fortinet", - "source.bytes": 2763, - "source.geo.country_name": "loremi", - "source.ip": "10.200.12.126", - "source.port": 2347, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2017-11-02T13:05:41.000Z", - "destination.bytes": 2565, - "destination.geo.country_name": "fugia", - "destination.ip": "10.21.203.112", - "destination.nat.ip": "10.103.36.192", - "destination.nat.port": 1974, - "destination.port": 5930, - "event.action": "cancel", - "event.code": "tura", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=onsequat dtime=2017-11-02 11:05:41.432538723 +0000 UTC devid=tiumd devname=atuse vd=imad date=2017-11-2 time=11:05:41 logid=tura type=equuntur subtype=rve level=high eventtime=mqua logtime=xer srcip=10.225.34.176 srcport=5569 srcintf=lo2867 
srcintfrole=amquisn dstip=10.21.203.112 dstport=5930 dstintf=enp0s1294 dstintfrole=sum poluuid=lloinve sessionid=eni proto=HOPOPT action=cancel policyid=edquiac policytype=psamvolu crscore=80.314000 craction=unturma crlevel=iavol appcat=psumdol service=urautodi srccountry=equamni dstcountry=fugia trandisp=uptate tranip=10.103.36.192 tranport=1974 duration=129.001000 sentbyte=2801 rcvdbyte=2565 sentpkt=imidest app=citation", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "high", - "log.offset": 49556, - "network.bytes": 5366, - "observer.egress.interface.name": "enp0s1294", - "observer.ingress.interface.name": "lo2867", - "observer.product": "FortiManager", - "observer.serial_number": "tiumd", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "atuse" - ], - "related.ip": [ - "10.103.36.192", - "10.21.203.112", - "10.225.34.176" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "rve", - "rsa.misc.context": "uptate", - "rsa.misc.event_source": "atuse", - "rsa.misc.event_type": "equuntur", - "rsa.misc.hardware_id": "tiumd", - "rsa.misc.log_session_id": "eni", - "rsa.misc.obj_name": "citation", - "rsa.misc.policy_id": "edquiac", - "rsa.misc.reference_id": "tura", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "imad", - "rsa.network.dinterface": "enp0s1294", - "rsa.network.network_service": "urautodi", - "rsa.network.sinterface": "lo2867", - "rsa.time.duration_time": 129.001, - "rsa.time.event_time": "2017-11-02T13:05:41.000Z", - "rsa.time.event_time_str": "mqua", - "rsa.web.reputation_num": 80.314, - "service.type": "fortinet", - "source.bytes": 2801, - "source.geo.country_name": "equamni", - "source.ip": "10.225.34.176", - "source.port": 5569, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2017-11-16T08:08:15.000Z", - "destination.bytes": 6222, - "destination.geo.country_name": "roid", - 
"destination.ip": "10.5.67.140", - "destination.nat.ip": "10.118.111.183", - "destination.nat.port": 5410, - "destination.port": 5687, - "event.action": "accept", - "event.code": "dexea", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=nof devname=\"usantiu\" devid=\"periam\" vd=remip date=2017-11-16 time=6:08:15 logid=dexea type=aturExc subtype=antiumto level=low eventtime=obe logtime=niamqu srcip=10.140.59.161 srcport=3599 srcintf=eth575 srcintfrole=tev dstip=10.5.67.140 dstport=5687 dstintf=enp0s6143 dstintfrole=intoc poluuid=obeataev sessionid=rrorsit proto=udp action=accept policyid=umquid policytype=olabo crscore=79.046000 craction=dolor crlevel=rsp appcat=quir service=giatqu srccountry=olors dstcountry=roid trandisp=lorum tranip=10.118.111.183 tranport=5410 duration=96.462000 sentbyte=6821 rcvdbyte=6222 sentpkt=mipsu app=nvol", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "low", - "log.offset": 50230, - "network.bytes": 13043, - "observer.egress.interface.name": "enp0s6143", - "observer.ingress.interface.name": "eth575", - "observer.product": "FortiManager", - "observer.serial_number": "periam", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "usantiu" - ], - "related.ip": [ - "10.118.111.183", - "10.140.59.161", - "10.5.67.140" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "antiumto", - "rsa.misc.context": "lorum", - "rsa.misc.event_source": "usantiu", - "rsa.misc.event_type": "aturExc", - "rsa.misc.hardware_id": "periam", - "rsa.misc.log_session_id": "rrorsit", - "rsa.misc.obj_name": "nvol", - "rsa.misc.policy_id": "umquid", - "rsa.misc.reference_id": "dexea", - "rsa.misc.severity": "low", - "rsa.misc.vsys": "remip", - "rsa.network.dinterface": "enp0s6143", - "rsa.network.network_service": "giatqu", - "rsa.network.sinterface": "eth575", - 
"rsa.time.duration_time": 96.462, - "rsa.time.event_time": "2017-11-16T08:08:15.000Z", - "rsa.time.event_time_str": "obe", - "rsa.web.reputation_num": 79.046, - "service.type": "fortinet", - "source.bytes": 6821, - "source.geo.country_name": "olors", - "source.ip": "10.140.59.161", - "source.port": 3599, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2017-12-01T03:10:49.000Z", - "destination.bytes": 5351, - "destination.ip": "10.28.212.191", - "destination.port": 1997, - "event.action": "accept", - "event.code": "abillo", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "date=2017-12-1 time=1:10:49 logver=llu devid=quaUt devname=labor logid=oris type=tatemse subtype=uta level=very-high vd=tse srcip=10.170.104.148 srcport=5722 srcintf=lo259 dstip=10.60.92.40 dstport=5836 dstintf=enp0s4446 poluuid=dicons sessionid=BCSedutp proto=udp action=accept policyid=ritatise trandisp=nihilm duration=104.607000 sentbyte=6659 rcvdbyte=5351 devtype=isauteir osname=eritquii osversion=1.4493 mastersrcmac=uisno srcmac=01:00:5e:e9:ec:d5 crscore=34.736000 craction=itaed crlevel=invol eventtype=Loremips user=cidun service=tassitas hostname=nimadmi4084.api.home profile=eufugia reqtype=nor url=https://example.net/aturQui/tquii.html?uiac=squ#litess direction=unknown msg=involupt method=itempo cat=upt catdesc=rve device_id=amq log_id=abillo pri=high userfrom=ationem adminprof=Nem timezone=OMST main_type=ollita trigger_policy=dipisci sub_type=amnisiu severity_level=ptat policy=epr src=10.7.70.169 src_port=2514 dst=10.28.212.191 dst_port=1997 http_method=nostru http_url=Loremip http_host=veleumiu http_agent=rcita http_session_id=turad signature_subclass=sequamni signature_id=4799 srccountry=ollita content_switch_name=ectetu server_pool_name=radi false_positive_mitigation=ula user_name=itsed monitor_status=rad http_refer=https://internal.example.com/ididu/autodit.gif?seru=oriss#imadmin http_version=suntexpl 
dev_id=urve threat_weight=sBonoru history_threat_weight=everi threat_level=squ ftp_mode=emagnaal ftp_cmd=nih cipher_suite=ncididu msg_id=itati", - "event.timezone": "OMST", - "fileset.name": "fortimanager", - "host.name": "nimadmi4084.api.home", - "http.request.referrer": "https://internal.example.com/ididu/autodit.gif?seru=oriss#imadmin", - "input.type": "log", - "log.level": "high", - "log.offset": 50842, - "network.bytes": 12010, - "network.direction": "unknown", - "observer.egress.interface.name": "enp0s4446", - "observer.ingress.interface.name": "lo259", - "observer.product": "FortiManager", - "observer.serial_number": "amq", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.4493", - "related.hosts": [ - "labor", - "nimadmi4084.api.home", - "veleumiu" - ], - "related.ip": [ - "10.28.212.191", - "10.7.70.169" - ], - "related.user": [ - "itsed" - ], - "rsa.internal.event_desc": "involupt", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "Loremips", - "rsa.misc.OS": "eritquii", - "rsa.misc.action": [ - "accept", - "nostru" - ], - "rsa.misc.category": "amnisiu", - "rsa.misc.client": "rcita", - "rsa.misc.context": "nihilm", - "rsa.misc.event_source": "labor", - "rsa.misc.event_type": "tatemse", - "rsa.misc.fcatnum": "upt", - "rsa.misc.filter": "rve", - "rsa.misc.hardware_id": "amq", - "rsa.misc.log_session_id": "turad", - "rsa.misc.policy_id": "ritatise", - "rsa.misc.policy_name": "epr", - "rsa.misc.reference_id": "abillo", - "rsa.misc.rule_name": "eufugia", - "rsa.misc.severity": "high", - "rsa.misc.sig_id": 4799, - "rsa.misc.version": "1.4493", - "rsa.misc.vsys": "tse", - "rsa.network.alias_host": [ - "nimadmi4084.api.home" - ], - "rsa.network.dinterface": "enp0s4446", - "rsa.network.network_service": "tassitas", - "rsa.network.sinterface": "lo259", - "rsa.threat.threat_desc": "squ", - "rsa.time.duration_time": 104.607, - "rsa.time.event_time": "2017-12-01T03:10:49.000Z", - 
"rsa.time.timezone": "OMST", - "rsa.web.reputation_num": 34.736, - "rsa.web.web_ref_domain": "veleumiu", - "rule.name": "eufugia", - "service.type": "fortinet", - "source.bytes": 6659, - "source.geo.country_name": "ollita", - "source.ip": "10.7.70.169", - "source.mac": "01:00:5e:e9:ec:d5", - "source.port": 2514, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "example.net", - "url.extension": "html", - "url.fragment": "litess", - "url.original": "https://example.net/aturQui/tquii.html?uiac=squ#litess", - "url.path": "/aturQui/tquii.html", - "url.query": [ - "Loremip", - "uiac=squ" - ], - "url.scheme": "https", - "user.name": "itsed" - }, - { - "@timestamp": "2017-12-15T10:13:24.000Z", - "destination.bytes": 7417, - "destination.ip": "10.143.144.52", - "destination.port": 974, - "event.action": "block", - "event.code": "iqu", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "date=2017-12-15 time=8:13:24 logver=estla devid=ione devname=ecillum logid=maccu type=ame subtype=pitlabo level=very-high vd=urExc srcip=10.37.124.214 srcport=6919 srcintf=lo7727 dstip=10.37.111.228 dstport=7082 dstintf=enp0s20 poluuid=dmini sessionid=tquid proto=17 action=block policyid=iatisun trandisp=cto duration=144.899000 sentbyte=2372 rcvdbyte=7417 devtype=imadmini osname=iatisund osversion=1.6506 mastersrcmac=aUtenim srcmac=01:00:5e:28:0c:11 crscore=172.422000 craction=etdol crlevel=sed eventtype=uep user=ametco service=nde hostname=reprehe3525.www5.example profile=mquisno reqtype=eaco url=https://mail.example.org/mvele/teveli.htm?Nequepor=luptate#aturvel direction=internal msg=dexea method=sedquia cat=litesse catdesc=ntmo device_id=aliqu log_id=iqu pri=very-high userfrom=ationula adminprof=doconse timezone=CEST main_type=oreeufug trigger_policy=ptatems sub_type=tenima severity_level=emagnam policy=iaco src=10.148.197.60 src_port=5711 dst=10.143.144.52 dst_port=974 http_method=nvo http_url=lab http_host=sedqui 
http_agent=iuntNe http_session_id=tdolor signature_subclass=Ute signature_id=2191 srccountry=uepor content_switch_name=umSecti server_pool_name=eabil false_positive_mitigation=ibusB user_name=rporis monitor_status=etco http_refer=https://example.org/ereprehe/olu.html?liqu=ipsu#siarch http_version=itautfu dev_id=rrorsi threat_weight=ole history_threat_weight=odi threat_level=tper ftp_mode=olor ftp_cmd=corpo cipher_suite=commod msg_id=iumd", - "event.timezone": "CEST", - "fileset.name": "fortimanager", - "host.name": "reprehe3525.www5.example", - "http.request.referrer": "https://example.org/ereprehe/olu.html?liqu=ipsu#siarch", - "input.type": "log", - "log.level": "very-high", - "log.offset": 52319, - "network.bytes": 9789, - "network.direction": "internal", - "observer.egress.interface.name": "enp0s20", - "observer.ingress.interface.name": "lo7727", - "observer.product": "FortiManager", - "observer.serial_number": "aliqu", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.6506", - "related.hosts": [ - "ecillum", - "reprehe3525.www5.example", - "sedqui" - ], - "related.ip": [ - "10.143.144.52", - "10.148.197.60" - ], - "related.user": [ - "rporis" - ], - "rsa.internal.event_desc": "dexea", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "uep", - "rsa.misc.OS": "iatisund", - "rsa.misc.action": [ - "block", - "nvo" - ], - "rsa.misc.category": "tenima", - "rsa.misc.client": "iuntNe", - "rsa.misc.context": "cto", - "rsa.misc.event_source": "ecillum", - "rsa.misc.event_type": "ame", - "rsa.misc.fcatnum": "litesse", - "rsa.misc.filter": "ntmo", - "rsa.misc.hardware_id": "aliqu", - "rsa.misc.log_session_id": "tdolor", - "rsa.misc.policy_id": "iatisun", - "rsa.misc.policy_name": "iaco", - "rsa.misc.reference_id": "iqu", - "rsa.misc.rule_name": "mquisno", - "rsa.misc.severity": "very-high", - "rsa.misc.sig_id": 2191, - "rsa.misc.version": "1.6506", - "rsa.misc.vsys": "urExc", - 
"rsa.network.alias_host": [ - "reprehe3525.www5.example" - ], - "rsa.network.dinterface": "enp0s20", - "rsa.network.network_service": "nde", - "rsa.network.sinterface": "lo7727", - "rsa.threat.threat_desc": "tper", - "rsa.time.duration_time": 144.899, - "rsa.time.event_time": "2017-12-15T10:13:24.000Z", - "rsa.time.timezone": "CEST", - "rsa.web.reputation_num": 172.422, - "rsa.web.web_ref_domain": "sedqui", - "rule.name": "mquisno", - "service.type": "fortinet", - "source.bytes": 2372, - "source.geo.country_name": "uepor", - "source.ip": "10.148.197.60", - "source.mac": "01:00:5e:28:0c:11", - "source.port": 5711, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "mail.example.org", - "url.extension": "htm", - "url.fragment": "aturvel", - "url.original": "https://mail.example.org/mvele/teveli.htm?Nequepor=luptate#aturvel", - "url.path": "/mvele/teveli.htm", - "url.query": [ - "Nequepor=luptate", - "lab" - ], - "url.scheme": "https", - "user.name": "rporis" - }, - { - "@timestamp": "2017-12-29T05:15:58.000Z", - "destination.bytes": 7299, - "destination.geo.country_name": "ciad", - "destination.ip": "10.22.149.132", - "destination.nat.ip": "10.251.183.113", - "destination.nat.port": 2604, - "destination.port": 7725, - "event.action": "block", - "event.code": "bor", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=aborisn dtime=2017-12-29 15:15:58.472538723 +0000 UTC devid=onproid devname=sitv vd=equam date=2017-12-29 time=3:15:58 logid=bor type=ameaquei subtype=aeca level=very-high eventtime=aperiam logtime=ngelit srcip=10.217.145.137 srcport=5242 srcintf=enp0s6940 srcintfrole=orema dstip=10.22.149.132 dstport=7725 dstintf=lo7156 dstintfrole=neavolup poluuid=lits sessionid=Nemoen proto=0 action=block policyid=rur policytype=quaturve crscore=166.007000 craction=oeiusmod crlevel=uidolore appcat=iacon service=ncu srccountry=quaturve dstcountry=ciad trandisp=diconseq tranip=10.251.183.113 
tranport=2604 duration=161.433000 sentbyte=5697 rcvdbyte=7299 sentpkt=eseosqu app=uptatem", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "very-high", - "log.offset": 53795, - "network.bytes": 12996, - "observer.egress.interface.name": "lo7156", - "observer.ingress.interface.name": "enp0s6940", - "observer.product": "FortiManager", - "observer.serial_number": "onproid", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "sitv" - ], - "related.ip": [ - "10.217.145.137", - "10.22.149.132", - "10.251.183.113" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "aeca", - "rsa.misc.context": "diconseq", - "rsa.misc.event_source": "sitv", - "rsa.misc.event_type": "ameaquei", - "rsa.misc.hardware_id": "onproid", - "rsa.misc.log_session_id": "Nemoen", - "rsa.misc.obj_name": "uptatem", - "rsa.misc.policy_id": "rur", - "rsa.misc.reference_id": "bor", - "rsa.misc.severity": "very-high", - "rsa.misc.vsys": "equam", - "rsa.network.dinterface": "lo7156", - "rsa.network.network_service": "ncu", - "rsa.network.sinterface": "enp0s6940", - "rsa.time.duration_time": 161.433, - "rsa.time.event_time": "2017-12-29T05:15:58.000Z", - "rsa.time.event_time_str": "aperiam", - "rsa.web.reputation_num": 166.007, - "service.type": "fortinet", - "source.bytes": 5697, - "source.geo.country_name": "quaturve", - "source.ip": "10.217.145.137", - "source.port": 5242, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2018-01-12T12:18:32.000Z", - "destination.bytes": 1519, - "destination.geo.country_name": "iarchit", - "destination.ip": "10.203.66.175", - "destination.nat.ip": "10.51.60.203", - "destination.nat.port": 5315, - "destination.port": 3904, - "event.action": "accept", - "event.code": "mfugi", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=uamnihil devname=\"nisi\" 
devid=\"imadm\" vd=siutali date=2018-1-12 time=10:18:32 logid=mfugi type=ceroinBC subtype=lorumw level=low eventtime=squir logtime=commod srcip=10.183.16.252 srcport=3150 srcintf=lo6718 srcintfrole=eabillo dstip=10.203.66.175 dstport=3904 dstintf=enp0s3868 dstintfrole=dipisciv poluuid=nsequun sessionid=hen proto=icmp action=accept policyid=velillum policytype=itamet crscore=123.013000 craction=hil crlevel=itl appcat=idolo service=ncidid srccountry=oid dstcountry=iarchit trandisp=volupt tranip=10.51.60.203 tranport=5315 duration=165.955000 sentbyte=7551 rcvdbyte=1519 sentpkt=ten app=Utenim", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "low", - "log.offset": 54475, - "network.bytes": 9070, - "observer.egress.interface.name": "enp0s3868", - "observer.ingress.interface.name": "lo6718", - "observer.product": "FortiManager", - "observer.serial_number": "imadm", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "nisi" - ], - "related.ip": [ - "10.183.16.252", - "10.203.66.175", - "10.51.60.203" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "lorumw", - "rsa.misc.context": "volupt", - "rsa.misc.event_source": "nisi", - "rsa.misc.event_type": "ceroinBC", - "rsa.misc.hardware_id": "imadm", - "rsa.misc.log_session_id": "hen", - "rsa.misc.obj_name": "Utenim", - "rsa.misc.policy_id": "velillum", - "rsa.misc.reference_id": "mfugi", - "rsa.misc.severity": "low", - "rsa.misc.vsys": "siutali", - "rsa.network.dinterface": "enp0s3868", - "rsa.network.network_service": "ncidid", - "rsa.network.sinterface": "lo6718", - "rsa.time.duration_time": 165.955, - "rsa.time.event_time": "2018-01-12T12:18:32.000Z", - "rsa.time.event_time_str": "squir", - "rsa.web.reputation_num": 123.013, - "service.type": "fortinet", - "source.bytes": 7551, - "source.geo.country_name": "oid", - "source.ip": "10.183.16.252", - "source.port": 3150, - "tags": [ - 
"fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2018-01-27T07:21:06.000Z", - "destination.bytes": 6650, - "destination.ip": "10.61.200.105", - "destination.port": 2813, - "event.action": "accept", - "event.code": "orinc", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "date=2018-1-27 time=5:21:06 logver=uasiarch devid=iamquisn devname=magnama logid=reprehe type=citatio subtype=dolo level=medium vd=esciunt srcip=10.133.245.26 srcport=1727 srcintf=enp0s2674 dstip=10.76.87.30 dstport=2858 dstintf=enp0s2918 poluuid=remag sessionid=roinBCSe proto=HOPOPT action=accept policyid=labori trandisp=ditau duration=39.920000 sentbyte=5413 rcvdbyte=6650 devtype=tam osname=olu osversion=1.409 mastersrcmac=iut srcmac=01:00:5e:5c:c2:50 crscore=69.137000 craction=boris crlevel=ris eventtype=nisiuta user=utper service=uipexe hostname=ursint411.www.lan profile=gnamali reqtype=iumdo url=https://example.org/tem/iadeseru.jpg?olorsita=odoco#etc direction=internal msg=lamco method=natuser cat=Excepteu catdesc=omnis device_id=tati log_id=orinc pri=very-high userfrom=eturadi adminprof=cinge timezone=PT main_type=ira trigger_policy=niamq sub_type=quatD severity_level=nevol policy=lumquid src=10.157.14.165 src_port=7170 dst=10.61.200.105 dst_port=2813 http_method=tquov http_url=natu http_host=doei http_agent=acomm http_session_id=veleumi signature_subclass=volupt signature_id=6822 srccountry=itatise content_switch_name=ure server_pool_name=userro false_positive_mitigation=oree user_name=nimadmi monitor_status=utaliq http_refer=https://example.com/tinvolu/uredol.txt?did=lamcol#idolor http_version=tutlabor dev_id=nse threat_weight=rauto history_threat_weight=rese threat_level=nonproi ftp_mode=doconse ftp_cmd=henderi cipher_suite=tisunde msg_id=ende", - "event.timezone": "PT", - "fileset.name": "fortimanager", - "host.name": "ursint411.www.lan", - "http.request.referrer": "https://example.com/tinvolu/uredol.txt?did=lamcol#idolor", 
- "input.type": "log", - "log.level": "very-high", - "log.offset": 55100, - "network.bytes": 12063, - "network.direction": "internal", - "observer.egress.interface.name": "enp0s2918", - "observer.ingress.interface.name": "enp0s2674", - "observer.product": "FortiManager", - "observer.serial_number": "tati", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.409", - "related.hosts": [ - "doei", - "magnama", - "ursint411.www.lan" - ], - "related.ip": [ - "10.157.14.165", - "10.61.200.105" - ], - "related.user": [ - "nimadmi" - ], - "rsa.internal.event_desc": "lamco", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "nisiuta", - "rsa.misc.OS": "olu", - "rsa.misc.action": [ - "accept", - "tquov" - ], - "rsa.misc.category": "quatD", - "rsa.misc.client": "acomm", - "rsa.misc.context": "ditau", - "rsa.misc.event_source": "magnama", - "rsa.misc.event_type": "citatio", - "rsa.misc.fcatnum": "Excepteu", - "rsa.misc.filter": "omnis", - "rsa.misc.hardware_id": "tati", - "rsa.misc.log_session_id": "veleumi", - "rsa.misc.policy_id": "labori", - "rsa.misc.policy_name": "lumquid", - "rsa.misc.reference_id": "orinc", - "rsa.misc.rule_name": "gnamali", - "rsa.misc.severity": "very-high", - "rsa.misc.sig_id": 6822, - "rsa.misc.version": "1.409", - "rsa.misc.vsys": "esciunt", - "rsa.network.alias_host": [ - "ursint411.www.lan" - ], - "rsa.network.dinterface": "enp0s2918", - "rsa.network.network_service": "uipexe", - "rsa.network.sinterface": "enp0s2674", - "rsa.threat.threat_desc": "nonproi", - "rsa.time.duration_time": 39.92, - "rsa.time.event_time": "2018-01-27T07:21:06.000Z", - "rsa.time.timezone": "PT", - "rsa.web.reputation_num": 69.137, - "rsa.web.web_ref_domain": "doei", - "rule.name": "gnamali", - "service.type": "fortinet", - "source.bytes": 5413, - "source.geo.country_name": "itatise", - "source.ip": "10.157.14.165", - "source.mac": "01:00:5e:5c:c2:50", - "source.port": 7170, - "tags": [ - 
"fortinet.fortimanager", - "forwarded" - ], - "url.domain": "example.org", - "url.extension": "jpg", - "url.fragment": "etc", - "url.original": "https://example.org/tem/iadeseru.jpg?olorsita=odoco#etc", - "url.path": "/tem/iadeseru.jpg", - "url.query": [ - "natu", - "olorsita=odoco" - ], - "url.scheme": "https", - "user.name": "nimadmi" - }, - { - "@timestamp": "2018-02-10T14:23:41.000Z", - "destination.bytes": 5375, - "destination.ip": "10.217.111.77", - "destination.port": 7309, - "event.action": "allow", - "event.code": "entoreve", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "date=2018-2-10 time=12:23:41 logver=commod devid=oris devname=rcita logid=ataev type=oris subtype=incidi level=high vd=tutlabo srcip=10.32.66.161 srcport=881 srcintf=lo4523 dstip=10.134.238.8 dstport=2976 dstintf=enp0s1238 poluuid=edquiac sessionid=sit proto=HOPOPT action=allow policyid=olo trandisp=laboris duration=163.866000 sentbyte=7328 rcvdbyte=5375 devtype=tutl osname=nevolu osversion=1.5475 mastersrcmac=ostru srcmac=01:00:5e:e9:5f:84 crscore=157.516000 craction=aven crlevel=idolore eventtype=psaqu user=psa service=pta hostname=ididunt7607.mail.localhost profile=ntutlabo reqtype=leumiure url=https://mail.example.net/epteurs/usmodtem.gif?itvo=asi#tobe direction=internal msg=Lore method=oin cat=eritquii catdesc=taliqui device_id=ecatcu log_id=entoreve pri=high userfrom=umquam adminprof=onev timezone=CET main_type=tionev trigger_policy=ali sub_type=ionu severity_level=perna policy=moll src=10.242.178.15 src_port=3948 dst=10.217.111.77 dst_port=7309 http_method=datatno http_url=equepor http_host=antium http_agent=ugiatn http_session_id=utpe signature_subclass=hend signature_id=1170 srccountry=agnamali content_switch_name=ptateve server_pool_name=aliqua false_positive_mitigation=officiad user_name=nimadmin monitor_status=iavol http_refer=https://example.net/iumtota/qui.jpg?quel=ugitsed#ritatis http_version=olor dev_id=emoenim 
threat_weight=turadipi history_threat_weight=umSec threat_level=onsecte ftp_mode=inibusBo ftp_cmd=tqui cipher_suite=sequun msg_id=nimadm", - "event.timezone": "CET", - "fileset.name": "fortimanager", - "host.name": "ididunt7607.mail.localhost", - "http.request.referrer": "https://example.net/iumtota/qui.jpg?quel=ugitsed#ritatis", - "input.type": "log", - "log.level": "high", - "log.offset": 56577, - "network.bytes": 12703, - "network.direction": "internal", - "observer.egress.interface.name": "enp0s1238", - "observer.ingress.interface.name": "lo4523", - "observer.product": "FortiManager", - "observer.serial_number": "ecatcu", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.5475", - "related.hosts": [ - "antium", - "ididunt7607.mail.localhost", - "rcita" - ], - "related.ip": [ - "10.217.111.77", - "10.242.178.15" - ], - "related.user": [ - "nimadmin" - ], - "rsa.internal.event_desc": "Lore", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "psaqu", - "rsa.misc.OS": "nevolu", - "rsa.misc.action": [ - "allow", - "datatno" - ], - "rsa.misc.category": "ionu", - "rsa.misc.client": "ugiatn", - "rsa.misc.context": "laboris", - "rsa.misc.event_source": "rcita", - "rsa.misc.event_type": "oris", - "rsa.misc.fcatnum": "eritquii", - "rsa.misc.filter": "taliqui", - "rsa.misc.hardware_id": "ecatcu", - "rsa.misc.log_session_id": "utpe", - "rsa.misc.policy_id": "olo", - "rsa.misc.policy_name": "moll", - "rsa.misc.reference_id": "entoreve", - "rsa.misc.rule_name": "ntutlabo", - "rsa.misc.severity": "high", - "rsa.misc.sig_id": 1170, - "rsa.misc.version": "1.5475", - "rsa.misc.vsys": "tutlabo", - "rsa.network.alias_host": [ - "ididunt7607.mail.localhost" - ], - "rsa.network.dinterface": "enp0s1238", - "rsa.network.network_service": "pta", - "rsa.network.sinterface": "lo4523", - "rsa.threat.threat_desc": "onsecte", - "rsa.time.duration_time": 163.866, - "rsa.time.event_time": "2018-02-10T14:23:41.000Z", 
- "rsa.time.timezone": "CET", - "rsa.web.reputation_num": 157.516, - "rsa.web.web_ref_domain": "antium", - "rule.name": "ntutlabo", - "service.type": "fortinet", - "source.bytes": 7328, - "source.geo.country_name": "agnamali", - "source.ip": "10.242.178.15", - "source.mac": "01:00:5e:e9:5f:84", - "source.port": 3948, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "mail.example.net", - "url.extension": "gif", - "url.fragment": "tobe", - "url.original": "https://mail.example.net/epteurs/usmodtem.gif?itvo=asi#tobe", - "url.path": "/epteurs/usmodtem.gif", - "url.query": [ - "equepor", - "itvo=asi" - ], - "url.scheme": "https", - "user.name": "nimadmin" - }, - { - "@timestamp": "2018-02-24T09:26:15.000Z", - "destination.bytes": 6059, - "destination.ip": "10.86.152.227", - "destination.port": 850, - "event.action": "cancel", - "event.code": "onsec", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "date=2018-2-24 time=7:26:15 logver=vitaedic devid=remip devname=rsita logid=rehe type=aper subtype=gnaa level=low vd=uta srcip=10.161.128.235 srcport=6280 srcintf=eth2121 dstip=10.84.29.117 dstport=1245 dstintf=eth7500 poluuid=errorsi sessionid=umwr proto=HOPOPT action=cancel policyid=cupida trandisp=rinc duration=5.709000 sentbyte=289 rcvdbyte=6059 devtype=dquia osname=ommod osversion=1.142 mastersrcmac=dico srcmac=01:00:5e:06:53:8a crscore=35.836000 craction=imipsa crlevel=iscinge eventtype=ora user=meumfug service=inimve hostname=mco2906.domain profile=sitvolu reqtype=eratv url=https://www.example.com/iadolo/cidu.txt?aliquide=redolori#eav direction=inbound msg=nse method=turQuis cat=tat catdesc=pta device_id=henderi log_id=onsec pri=high userfrom=itaspern adminprof=tau timezone=GMT+02:00 main_type=rsintoc trigger_policy=boreetd sub_type=rehende severity_level=sitamet policy=xerc src=10.199.119.251 src_port=7286 dst=10.86.152.227 dst_port=850 http_method=ant http_url=tiu http_host=ommodoco 
http_agent=rehe http_session_id=eseosqu signature_subclass=oeius signature_id=641 srccountry=eaqueip content_switch_name=laud server_pool_name=uido false_positive_mitigation=uis user_name=msequin monitor_status=autem http_refer=https://internal.example.org/ipi/qua.htm?itat=adipisc#omnisist http_version=orroqui dev_id=sci threat_weight=psamvolu history_threat_weight=itsedqui threat_level=oreve ftp_mode=omn ftp_cmd=onevol cipher_suite=ese msg_id=reprehen", - "event.timezone": "GMT+02:00", - "fileset.name": "fortimanager", - "host.name": "mco2906.domain", - "http.request.referrer": "https://internal.example.org/ipi/qua.htm?itat=adipisc#omnisist", - "input.type": "log", - "log.level": "high", - "log.offset": 58063, - "network.bytes": 6348, - "network.direction": "inbound", - "observer.egress.interface.name": "eth7500", - "observer.ingress.interface.name": "eth2121", - "observer.product": "FortiManager", - "observer.serial_number": "henderi", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.142", - "related.hosts": [ - "mco2906.domain", - "ommodoco", - "rsita" - ], - "related.ip": [ - "10.199.119.251", - "10.86.152.227" - ], - "related.user": [ - "msequin" - ], - "rsa.internal.event_desc": "nse", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "ora", - "rsa.misc.OS": "ommod", - "rsa.misc.action": [ - "ant", - "cancel" - ], - "rsa.misc.category": "rehende", - "rsa.misc.client": "rehe", - "rsa.misc.context": "rinc", - "rsa.misc.event_source": "rsita", - "rsa.misc.event_type": "aper", - "rsa.misc.fcatnum": "tat", - "rsa.misc.filter": "pta", - "rsa.misc.hardware_id": "henderi", - "rsa.misc.log_session_id": "eseosqu", - "rsa.misc.policy_id": "cupida", - "rsa.misc.policy_name": "xerc", - "rsa.misc.reference_id": "onsec", - "rsa.misc.rule_name": "sitvolu", - "rsa.misc.severity": "high", - "rsa.misc.sig_id": 641, - "rsa.misc.version": "1.142", - "rsa.misc.vsys": "uta", - "rsa.network.alias_host": 
[ - "mco2906.domain" - ], - "rsa.network.dinterface": "eth7500", - "rsa.network.network_service": "inimve", - "rsa.network.sinterface": "eth2121", - "rsa.threat.threat_desc": "oreve", - "rsa.time.duration_time": 5.709, - "rsa.time.event_time": "2018-02-24T09:26:15.000Z", - "rsa.time.timezone": "GMT+02:00", - "rsa.web.reputation_num": 35.836, - "rsa.web.web_ref_domain": "ommodoco", - "rule.name": "sitvolu", - "service.type": "fortinet", - "source.bytes": 289, - "source.geo.country_name": "eaqueip", - "source.ip": "10.199.119.251", - "source.mac": "01:00:5e:06:53:8a", - "source.port": 7286, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "www.example.com", - "url.extension": "txt", - "url.fragment": "eav", - "url.original": "https://www.example.com/iadolo/cidu.txt?aliquide=redolori#eav", - "url.path": "/iadolo/cidu.txt", - "url.query": [ - "aliquide=redolori", - "tiu" - ], - "url.scheme": "https", - "user.name": "msequin" - }, - { - "@timestamp": "2018-03-11T04:28:49.000Z", - "destination.bytes": 3374, - "destination.ip": "10.234.171.117", - "destination.port": 4488, - "event.action": "deny", - "event.code": "quian", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "date=2018-3-11 time=2:28:49 logver=eumfugia devid=nimvenia devname=dol logid=rissusc type=lit subtype=quin level=low vd=eddoei srcip=10.35.73.208 srcport=7081 srcintf=eth6552 dstip=10.216.120.61 dstport=6389 dstintf=eth2068 poluuid=dolor sessionid=emUteni proto=tcp action=deny policyid=illoin trandisp=rinre duration=166.295000 sentbyte=5988 rcvdbyte=3374 devtype=olorem osname=mquae osversion=1.1789 mastersrcmac=rQuis srcmac=01:00:5e:b5:9a:3e crscore=5.250000 craction=enimadmi crlevel=elit eventtype=uia user=tem service=unt hostname=ntex5135.corp profile=mqua reqtype=equa url=https://internal.example.com/isc/umdol.jpg?atn=sectet#boreetd direction=outbound msg=olorin method=oluptat cat=olors catdesc=mSecti device_id=ius log_id=quian 
pri=low userfrom=urExce adminprof=upt timezone=PST main_type=pteurs trigger_policy=intocc sub_type=abo severity_level=orisnis policy=reseo src=10.239.194.105 src_port=3629 dst=10.234.171.117 dst_port=4488 http_method=tenatus http_url=odic http_host=ono http_agent=umtota http_session_id=consequ signature_subclass=ine signature_id=3409 srccountry=dex content_switch_name=ipis server_pool_name=nsecte false_positive_mitigation=miurere user_name=tat monitor_status=pitlabor http_refer=https://example.com/olupta/ape.jpg?mnisiut=eabil#olu http_version=uaUte dev_id=empor threat_weight=ate history_threat_weight=eca threat_level=inre ftp_mode=aliqu ftp_cmd=orem cipher_suite=dquian msg_id=isaute", - "event.timezone": "PST", - "fileset.name": "fortimanager", - "host.name": "ntex5135.corp", - "http.request.referrer": "https://example.com/olupta/ape.jpg?mnisiut=eabil#olu", - "input.type": "log", - "log.level": "low", - "log.offset": 59527, - "network.bytes": 9362, - "network.direction": "outbound", - "observer.egress.interface.name": "eth2068", - "observer.ingress.interface.name": "eth6552", - "observer.product": "FortiManager", - "observer.serial_number": "ius", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.1789", - "related.hosts": [ - "dol", - "ntex5135.corp", - "ono" - ], - "related.ip": [ - "10.234.171.117", - "10.239.194.105" - ], - "related.user": [ - "tat" - ], - "rsa.internal.event_desc": "olorin", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "uia", - "rsa.misc.OS": "mquae", - "rsa.misc.action": [ - "deny", - "tenatus" - ], - "rsa.misc.category": "abo", - "rsa.misc.client": "umtota", - "rsa.misc.context": "rinre", - "rsa.misc.event_source": "dol", - "rsa.misc.event_type": "lit", - "rsa.misc.fcatnum": "olors", - "rsa.misc.filter": "mSecti", - "rsa.misc.hardware_id": "ius", - "rsa.misc.log_session_id": "consequ", - "rsa.misc.policy_id": "illoin", - "rsa.misc.policy_name": "reseo", - 
"rsa.misc.reference_id": "quian", - "rsa.misc.rule_name": "mqua", - "rsa.misc.severity": "low", - "rsa.misc.sig_id": 3409, - "rsa.misc.version": "1.1789", - "rsa.misc.vsys": "eddoei", - "rsa.network.alias_host": [ - "ntex5135.corp" - ], - "rsa.network.dinterface": "eth2068", - "rsa.network.network_service": "unt", - "rsa.network.sinterface": "eth6552", - "rsa.threat.threat_desc": "inre", - "rsa.time.duration_time": 166.295, - "rsa.time.event_time": "2018-03-11T04:28:49.000Z", - "rsa.time.timezone": "PST", - "rsa.web.reputation_num": 5.25, - "rsa.web.web_ref_domain": "ono", - "rule.name": "mqua", - "service.type": "fortinet", - "source.bytes": 5988, - "source.geo.country_name": "dex", - "source.ip": "10.239.194.105", - "source.mac": "01:00:5e:b5:9a:3e", - "source.port": 3629, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "internal.example.com", - "url.extension": "jpg", - "url.fragment": "boreetd", - "url.original": "https://internal.example.com/isc/umdol.jpg?atn=sectet#boreetd", - "url.path": "/isc/umdol.jpg", - "url.query": [ - "atn=sectet", - "odic" - ], - "url.scheme": "https", - "user.name": "tat" - }, - { - "@timestamp": "2018-03-25T11:31:24.000Z", - "destination.bytes": 2855, - "destination.geo.country_name": "rinc", - "destination.ip": "10.249.16.201", - "destination.nat.ip": "10.107.168.208", - "destination.nat.port": 1864, - "destination.port": 4293, - "event.action": "accept", - "event.code": "ntocca", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=emagnaal dtime=2018-03-25 09:31:24.032538723 +0000 UTC devid=uunturm devname=nonnumq vd=tqu date=2018-3-25 time=9:31:24 logid=ntocca type=emquelau subtype=adolorsi level=medium eventtime=maliquam logtime=ovol srcip=10.34.41.75 srcport=4436 srcintf=enp0s7638 srcintfrole=eseosqu dstip=10.249.16.201 dstport=4293 dstintf=lo5084 dstintfrole=mvele poluuid=qui sessionid=etMa proto=3 action=accept policyid=aspe policytype=uradipi 
crscore=22.220000 craction=atu crlevel=amremape appcat=illoinve service=uis srccountry=itanimi dstcountry=rinc trandisp=isistena tranip=10.107.168.208 tranport=1864 duration=45.477000 sentbyte=1067 rcvdbyte=2855 sentpkt=ctionofd app=uianonnu", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "medium", - "log.offset": 60960, - "network.bytes": 3922, - "network.protocol": "GGP", - "observer.egress.interface.name": "lo5084", - "observer.ingress.interface.name": "enp0s7638", - "observer.product": "FortiManager", - "observer.serial_number": "uunturm", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "nonnumq" - ], - "related.ip": [ - "10.107.168.208", - "10.249.16.201", - "10.34.41.75" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "adolorsi", - "rsa.misc.context": "isistena", - "rsa.misc.event_source": "nonnumq", - "rsa.misc.event_type": "emquelau", - "rsa.misc.hardware_id": "uunturm", - "rsa.misc.log_session_id": "etMa", - "rsa.misc.obj_name": "uianonnu", - "rsa.misc.policy_id": "aspe", - "rsa.misc.reference_id": "ntocca", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "tqu", - "rsa.network.dinterface": "lo5084", - "rsa.network.network_service": "uis", - "rsa.network.sinterface": "enp0s7638", - "rsa.time.duration_time": 45.477, - "rsa.time.event_time": "2018-03-25T11:31:24.000Z", - "rsa.time.event_time_str": "maliquam", - "rsa.web.reputation_num": 22.22, - "service.type": "fortinet", - "source.bytes": 1067, - "source.geo.country_name": "itanimi", - "source.ip": "10.34.41.75", - "source.port": 4436, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2018-04-08T06:33:58.000Z", - "destination.bytes": 7292, - "destination.ip": "10.109.106.194", - "destination.port": 5356, - "event.action": "allow", - "event.code": "vol", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - 
"event.original": "logver=nisiste date=2018-4-8 time=4:33:58 log_id=sedqu devid=itautfu devname=aaliq logid=tDui type=ernatur subtype=itsed level=low vd=xeacomm srcip=10.112.57.220 srcport=5803 srcintf=enp0s1897 dstip=10.19.151.236 dstport=884 dstintf=enp0s4144 poluuid=estiaeco sessionid=vele proto=HOPOPT action=allow policyid=yCiceroi trandisp=loremeu duration=156.263000 sentbyte=3719 rcvdbyte=7292 devtype=colab osname=itte osversion=1.6905 mastersrcmac=orumS srcmac=01:00:5e:c1:b8:93 crscore=60.950000 craction=uptat crlevel=incidun eventtype=agnaaliq user=aturQuis service=cepteurs hostname=tat1845.internal.invalid profile=rumetMal reqtype=tiumtot url=https://www.example.com/imadm/ugiat.txt?Nequepor=nisiu#ptat direction=inbound msg=eddoe method=seq cat=uae catdesc=tobeata device_id=ctas log_id=vol pri=high userfrom=gna adminprof=itautf timezone=ET main_type=eprehe trigger_policy=ariatu sub_type=aqueip severity_level=aqueip policy=rautod src=10.96.168.24 src_port=6206 dst=10.109.106.194 dst_port=5356 http_method=Sedut http_url=stiaec http_host=rveli http_agent=serr http_session_id=umdolo signature_subclass=iduntut signature_id=4281 srccountry=rorsitv content_switch_name=caboNemo server_pool_name=cididun false_positive_mitigation=iamqu user_name=ommodoc monitor_status=mwrit http_refer=https://www5.example.com/madminim/onse.txt?reeuf=orinrepr#tinvo http_version=oru dev_id=ainc threat_weight=aeab history_threat_weight=iat threat_level=acom ftp_mode=olo ftp_cmd=eipsaq cipher_suite=enatu msg_id=mfu", - "event.timezone": "ET", - "fileset.name": "fortimanager", - "host.name": "tat1845.internal.invalid", - "http.request.referrer": "https://www5.example.com/madminim/onse.txt?reeuf=orinrepr#tinvo", - "input.type": "log", - "log.level": "high", - "log.offset": 61635, - "network.bytes": 11011, - "network.direction": "inbound", - "observer.egress.interface.name": "enp0s4144", - "observer.ingress.interface.name": "enp0s1897", - "observer.product": "FortiManager", - 
"observer.serial_number": "ctas", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.6905", - "related.hosts": [ - "aaliq", - "rveli", - "tat1845.internal.invalid" - ], - "related.ip": [ - "10.109.106.194", - "10.96.168.24" - ], - "related.user": [ - "ommodoc" - ], - "rsa.internal.event_desc": "eddoe", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "agnaaliq", - "rsa.misc.OS": "itte", - "rsa.misc.action": [ - "Sedut", - "allow" - ], - "rsa.misc.category": "aqueip", - "rsa.misc.client": "serr", - "rsa.misc.context": "loremeu", - "rsa.misc.event_source": "aaliq", - "rsa.misc.event_type": "ernatur", - "rsa.misc.fcatnum": "uae", - "rsa.misc.filter": "tobeata", - "rsa.misc.hardware_id": "ctas", - "rsa.misc.log_session_id": "umdolo", - "rsa.misc.policy_id": "yCiceroi", - "rsa.misc.policy_name": "rautod", - "rsa.misc.reference_id": "vol", - "rsa.misc.rule_name": "rumetMal", - "rsa.misc.severity": "high", - "rsa.misc.sig_id": 4281, - "rsa.misc.version": "1.6905", - "rsa.misc.vsys": "xeacomm", - "rsa.network.alias_host": [ - "tat1845.internal.invalid" - ], - "rsa.network.dinterface": "enp0s4144", - "rsa.network.network_service": "cepteurs", - "rsa.network.sinterface": "enp0s1897", - "rsa.threat.threat_desc": "acom", - "rsa.time.duration_time": 156.263, - "rsa.time.event_time": "2018-04-08T06:33:58.000Z", - "rsa.time.timezone": "ET", - "rsa.web.reputation_num": 60.95, - "rsa.web.web_ref_domain": "rveli", - "rule.name": "rumetMal", - "service.type": "fortinet", - "source.bytes": 3719, - "source.geo.country_name": "rorsitv", - "source.ip": "10.96.168.24", - "source.mac": "01:00:5e:c1:b8:93", - "source.port": 6206, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "www.example.com", - "url.extension": "txt", - "url.fragment": "ptat", - "url.original": "https://www.example.com/imadm/ugiat.txt?Nequepor=nisiu#ptat", - "url.path": "/imadm/ugiat.txt", - "url.query": [ - 
"Nequepor=nisiu", - "stiaec" - ], - "url.scheme": "https", - "user.name": "ommodoc" - }, - { - "@timestamp": "2018-04-22T13:36:32.000Z", - "destination.bytes": 6693, - "destination.ip": "10.47.191.95", - "destination.port": 6242, - "event.action": "deny", - "event.code": "remagnam", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=aliqui date=2018-4-22 time=11:36:32 log_id=uipexea devid=sauteiru devname=nibusB logid=eetdolo type=issuscip subtype=iduntu level=high vd=rinc srcip=10.109.224.208 srcport=1769 srcintf=enp0s3638 dstip=10.31.34.96 dstport=4651 dstintf=enp0s390 poluuid=atis sessionid=edol proto=icmp action=deny policyid=adip trandisp=ugiatq duration=128.795000 sentbyte=4249 rcvdbyte=6693 devtype=atemUte osname=emag osversion=1.1353 mastersrcmac=ecatcup srcmac=01:00:5e:63:85:d2 crscore=62.286000 craction=oin crlevel=isautem eventtype=eiusm user=assit service=ulpaq hostname=ulamc767.internal.lan profile=iades reqtype=mremape url=https://mail.example.net/ionemu/nul.jpg?volupt=ori#sed direction=inbound msg=maveniam method=ctobeat cat=emoenim catdesc=oqui device_id=olab log_id=remagnam pri=high userfrom=mSecti adminprof=volupt timezone=OMST main_type=ela trigger_policy=fugits sub_type=litseddo severity_level=idestl policy=ptasn src=10.112.155.228 src_port=5011 dst=10.47.191.95 dst_port=6242 http_method=velillu http_url=radipi http_host=iatn http_agent=aturE http_session_id=beat signature_subclass=pern signature_id=7568 srccountry=itvolupt content_switch_name=uradip server_pool_name=perspi false_positive_mitigation=uaer user_name=aed monitor_status=tectobe http_refer=https://example.org/scingeli/uatDuis.gif?apari=itesseci#utali http_version=ofdeFin dev_id=siutaliq threat_weight=urvel history_threat_weight=turE threat_level=ntium ftp_mode=imadmi ftp_cmd=dquiac cipher_suite=liquide msg_id=uatD", - "event.timezone": "OMST", - "fileset.name": "fortimanager", - "host.name": "ulamc767.internal.lan", - 
"http.request.referrer": "https://example.org/scingeli/uatDuis.gif?apari=itesseci#utali", - "input.type": "log", - "log.level": "high", - "log.offset": 63134, - "network.bytes": 10942, - "network.direction": "inbound", - "observer.egress.interface.name": "enp0s390", - "observer.ingress.interface.name": "enp0s3638", - "observer.product": "FortiManager", - "observer.serial_number": "olab", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.1353", - "related.hosts": [ - "iatn", - "nibusB", - "ulamc767.internal.lan" - ], - "related.ip": [ - "10.112.155.228", - "10.47.191.95" - ], - "related.user": [ - "aed" - ], - "rsa.internal.event_desc": "maveniam", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "eiusm", - "rsa.misc.OS": "emag", - "rsa.misc.action": [ - "deny", - "velillu" - ], - "rsa.misc.category": "litseddo", - "rsa.misc.client": "aturE", - "rsa.misc.context": "ugiatq", - "rsa.misc.event_source": "nibusB", - "rsa.misc.event_type": "issuscip", - "rsa.misc.fcatnum": "emoenim", - "rsa.misc.filter": "oqui", - "rsa.misc.hardware_id": "olab", - "rsa.misc.log_session_id": "beat", - "rsa.misc.policy_id": "adip", - "rsa.misc.policy_name": "ptasn", - "rsa.misc.reference_id": "remagnam", - "rsa.misc.rule_name": "iades", - "rsa.misc.severity": "high", - "rsa.misc.sig_id": 7568, - "rsa.misc.version": "1.1353", - "rsa.misc.vsys": "rinc", - "rsa.network.alias_host": [ - "ulamc767.internal.lan" - ], - "rsa.network.dinterface": "enp0s390", - "rsa.network.network_service": "ulpaq", - "rsa.network.sinterface": "enp0s3638", - "rsa.threat.threat_desc": "ntium", - "rsa.time.duration_time": 128.795, - "rsa.time.event_time": "2018-04-22T13:36:32.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.reputation_num": 62.286, - "rsa.web.web_ref_domain": "iatn", - "rule.name": "iades", - "service.type": "fortinet", - "source.bytes": 4249, - "source.geo.country_name": "itvolupt", - "source.ip": "10.112.155.228", - 
"source.mac": "01:00:5e:63:85:d2", - "source.port": 5011, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "mail.example.net", - "url.extension": "jpg", - "url.fragment": "sed", - "url.original": "https://mail.example.net/ionemu/nul.jpg?volupt=ori#sed", - "url.path": "/ionemu/nul.jpg", - "url.query": [ - "radipi", - "volupt=ori" - ], - "url.scheme": "https", - "user.name": "aed" - }, - { - "@timestamp": "2018-05-07T08:39:06.000Z", - "destination.bytes": 6033, - "destination.geo.country_name": "amrema", - "destination.ip": "10.140.137.17", - "destination.nat.ip": "10.62.241.218", - "destination.nat.port": 7444, - "destination.port": 446, - "event.action": "allow", - "event.code": "tmol", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=gnidolor dtime=2018-05-07 06:39:06.812538723 +0000 UTC devid=BCSedut devname=metco vd=vel date=2018-5-7 time=6:39:06 logid=tmol type=acommodi subtype=ccaecat level=low eventtime=mqu logtime=mips srcip=10.103.169.94 srcport=2174 srcintf=lo5821 srcintfrole=osqu dstip=10.140.137.17 dstport=446 dstintf=enp0s4444 dstintfrole=iono poluuid=atcupi sessionid=dexe proto=0 action=allow policyid=exerci policytype=ems crscore=15.728000 craction=nulapa crlevel=tess appcat=eroi service=enby srccountry=riatur dstcountry=amrema trandisp=illum tranip=10.62.241.218 tranport=7444 duration=5.969000 sentbyte=4832 rcvdbyte=6033 sentpkt=urere app=involu", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "low", - "log.offset": 64633, - "network.bytes": 10865, - "observer.egress.interface.name": "enp0s4444", - "observer.ingress.interface.name": "lo5821", - "observer.product": "FortiManager", - "observer.serial_number": "BCSedut", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "metco" - ], - "related.ip": [ - "10.103.169.94", - "10.140.137.17", - "10.62.241.218" - ], - "rsa.internal.messageid": 
"generic_fortinetmgr_1", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "ccaecat", - "rsa.misc.context": "illum", - "rsa.misc.event_source": "metco", - "rsa.misc.event_type": "acommodi", - "rsa.misc.hardware_id": "BCSedut", - "rsa.misc.log_session_id": "dexe", - "rsa.misc.obj_name": "involu", - "rsa.misc.policy_id": "exerci", - "rsa.misc.reference_id": "tmol", - "rsa.misc.severity": "low", - "rsa.misc.vsys": "vel", - "rsa.network.dinterface": "enp0s4444", - "rsa.network.network_service": "enby", - "rsa.network.sinterface": "lo5821", - "rsa.time.duration_time": 5.969, - "rsa.time.event_time": "2018-05-07T08:39:06.000Z", - "rsa.time.event_time_str": "mqu", - "rsa.web.reputation_num": 15.728, - "service.type": "fortinet", - "source.bytes": 4832, - "source.geo.country_name": "riatur", - "source.ip": "10.103.169.94", - "source.port": 2174, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2018-05-21T03:41:41.000Z", - "destination.bytes": 2687, - "destination.geo.country_name": "umetMalo", - "destination.ip": "10.251.212.166", - "destination.nat.ip": "10.77.105.160", - "destination.nat.port": 5541, - "destination.port": 3925, - "event.action": "cancel", - "event.code": "sistena", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=tem devname=\"litsedq\" devid=\"amre\" vd=orpori date=2018-5-21 time=1:41:41 logid=sistena type=iam subtype=saquae level=low eventtime=itanimid logtime=ianonnum srcip=10.90.229.92 srcport=6796 srcintf=lo1752 srcintfrole=inculp dstip=10.251.212.166 dstport=3925 dstintf=eth1592 dstintfrole=aboNemo poluuid=tsedquia sessionid=ididun proto=21 action=cancel policyid=enim policytype=gnido crscore=85.453000 craction=erepr crlevel=tsedqu appcat=uisa service=uptat srccountry=siutal dstcountry=umetMalo trandisp=onevolu tranip=10.77.105.160 tranport=5541 duration=155.903000 sentbyte=5294 rcvdbyte=2687 sentpkt=ira app=umfu", - "fileset.name": "fortimanager", - 
"input.type": "log", - "log.level": "low", - "log.offset": 65278, - "network.bytes": 7981, - "observer.egress.interface.name": "eth1592", - "observer.ingress.interface.name": "lo1752", - "observer.product": "FortiManager", - "observer.serial_number": "amre", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "litsedq" - ], - "related.ip": [ - "10.251.212.166", - "10.77.105.160", - "10.90.229.92" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "saquae", - "rsa.misc.context": "onevolu", - "rsa.misc.event_source": "litsedq", - "rsa.misc.event_type": "iam", - "rsa.misc.hardware_id": "amre", - "rsa.misc.log_session_id": "ididun", - "rsa.misc.obj_name": "umfu", - "rsa.misc.policy_id": "enim", - "rsa.misc.reference_id": "sistena", - "rsa.misc.severity": "low", - "rsa.misc.vsys": "orpori", - "rsa.network.dinterface": "eth1592", - "rsa.network.network_service": "uptat", - "rsa.network.sinterface": "lo1752", - "rsa.time.duration_time": 155.903, - "rsa.time.event_time": "2018-05-21T03:41:41.000Z", - "rsa.time.event_time_str": "itanimid", - "rsa.web.reputation_num": 85.453, - "service.type": "fortinet", - "source.bytes": 5294, - "source.geo.country_name": "siutal", - "source.ip": "10.90.229.92", - "source.port": 6796, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2018-06-04T10:44:15.000Z", - "destination.bytes": 205, - "destination.ip": "10.112.242.68", - "destination.port": 3105, - "event.action": "cancel", - "event.code": "atisund", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "date=2018-6-4 time=8:44:15 logver=uamq devid=mnisist devname=dutp logid=ecillu type=ipsaqu subtype=asun level=very-high vd=llumd srcip=10.100.223.157 srcport=1307 srcintf=eth5742 dstip=10.232.243.87 dstport=4546 dstintf=lo299 poluuid=atisetq sessionid=mSectio proto=0 action=cancel policyid=nonnumqu 
trandisp=atis duration=63.050000 sentbyte=3508 rcvdbyte=205 devtype=uam osname=tisunde osversion=1.4261 mastersrcmac=rured srcmac=01:00:5e:8a:c1:2a crscore=19.243000 craction=meumfug crlevel=iam eventtype=animi user=porainc service=nsectetu hostname=spici5547.internal.test profile=tate reqtype=sintocca url=https://mail.example.org/asuntex/uovolup.html?amali=uiav#henderi direction=internal msg=tnul method=ons cat=radip catdesc=amremap device_id=dolorsit log_id=atisund pri=very-high userfrom=uredo adminprof=uamni timezone=CT main_type=quisqua trigger_policy=sedquian sub_type=lamcorpo severity_level=rem policy=apariat src=10.216.49.112 src_port=4521 dst=10.112.242.68 dst_port=3105 http_method=aut http_url=eriti http_host=ipsum http_agent=com http_session_id=uptate signature_subclass=tevelite signature_id=5880 srccountry=nimadmi content_switch_name=mquiado server_pool_name=agn false_positive_mitigation=dip user_name=urmag monitor_status=nim http_refer=https://www5.example.net/tutlabo/incid.gif?ptate=tconsect#usm http_version=uunturma dev_id=namaliqu threat_weight=tatemacc history_threat_weight=licab threat_level=roidents ftp_mode=volupta ftp_cmd=stiaeco cipher_suite=tanim msg_id=osam", - "event.timezone": "CT", - "fileset.name": "fortimanager", - "host.name": "spici5547.internal.test", - "http.request.referrer": "https://www5.example.net/tutlabo/incid.gif?ptate=tconsect#usm", - "input.type": "log", - "log.level": "very-high", - "log.offset": 65899, - "network.bytes": 3713, - "network.direction": "internal", - "observer.egress.interface.name": "lo299", - "observer.ingress.interface.name": "eth5742", - "observer.product": "FortiManager", - "observer.serial_number": "dolorsit", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.4261", - "related.hosts": [ - "dutp", - "ipsum", - "spici5547.internal.test" - ], - "related.ip": [ - "10.112.242.68", - "10.216.49.112" - ], - "related.user": [ - "urmag" - ], - "rsa.internal.event_desc": 
"tnul", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "animi", - "rsa.misc.OS": "tisunde", - "rsa.misc.action": [ - "aut", - "cancel" - ], - "rsa.misc.category": "lamcorpo", - "rsa.misc.client": "com", - "rsa.misc.context": "atis", - "rsa.misc.event_source": "dutp", - "rsa.misc.event_type": "ipsaqu", - "rsa.misc.fcatnum": "radip", - "rsa.misc.filter": "amremap", - "rsa.misc.hardware_id": "dolorsit", - "rsa.misc.log_session_id": "uptate", - "rsa.misc.policy_id": "nonnumqu", - "rsa.misc.policy_name": "apariat", - "rsa.misc.reference_id": "atisund", - "rsa.misc.rule_name": "tate", - "rsa.misc.severity": "very-high", - "rsa.misc.sig_id": 5880, - "rsa.misc.version": "1.4261", - "rsa.misc.vsys": "llumd", - "rsa.network.alias_host": [ - "spici5547.internal.test" - ], - "rsa.network.dinterface": "lo299", - "rsa.network.network_service": "nsectetu", - "rsa.network.sinterface": "eth5742", - "rsa.threat.threat_desc": "roidents", - "rsa.time.duration_time": 63.05, - "rsa.time.event_time": "2018-06-04T10:44:15.000Z", - "rsa.time.timezone": "CT", - "rsa.web.reputation_num": 19.243, - "rsa.web.web_ref_domain": "ipsum", - "rule.name": "tate", - "service.type": "fortinet", - "source.bytes": 3508, - "source.geo.country_name": "nimadmi", - "source.ip": "10.216.49.112", - "source.mac": "01:00:5e:8a:c1:2a", - "source.port": 4521, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "mail.example.org", - "url.extension": "html", - "url.fragment": "henderi", - "url.original": "https://mail.example.org/asuntex/uovolup.html?amali=uiav#henderi", - "url.path": "/asuntex/uovolup.html", - "url.query": [ - "amali=uiav", - "eriti" - ], - "url.scheme": "https", - "user.name": "urmag" - }, - { - "@timestamp": "2018-06-19T05:46:49.000Z", - "destination.bytes": 1768, - "destination.ip": "10.96.100.84", - "destination.port": 2253, - "event.action": "accept", - "event.code": "etco", - "event.dataset": "fortinet.fortimanager", - 
"event.module": "fortinet", - "event.original": "date=2018-6-19 time=3:46:49 logver=tla devid=nimve devname=edutpe logid=tenb type=billoinv subtype=asia level=medium vd=paquioff srcip=10.252.175.174 srcport=1995 srcintf=enp0s1531 dstip=10.196.226.219 dstport=545 dstintf=lo2390 poluuid=uaera sessionid=nsequa proto=tcp action=accept policyid=orporis trandisp=oluptate duration=28.731000 sentbyte=2397 rcvdbyte=1768 devtype=itvolu osname=citation osversion=1.491 mastersrcmac=aincid srcmac=01:00:5e:7e:ea:3f crscore=149.960000 craction=tNeque crlevel=uidolore eventtype=uatDuisa user=usB service=magnaali hostname=istenatu3686.invalid profile=remagna reqtype=eritqu url=https://example.org/mnisiut/porinci.htm?norum=emUten#dminimve direction=internal msg=oremagna method=nulamc cat=tempori catdesc=rsintocc device_id=nderit log_id=etco pri=very-high userfrom=lore adminprof=ameiusmo timezone=PT main_type=veniamqu trigger_policy=equat sub_type=reeu severity_level=atemacc policy=rsitvolu src=10.182.58.108 src_port=4811 dst=10.96.100.84 dst_port=2253 http_method=utlabore http_url=texplica http_host=boru http_agent=ntut http_session_id=elaud signature_subclass=acomm signature_id=5667 srccountry=emUten content_switch_name=uamni server_pool_name=laboris false_positive_mitigation=pers user_name=lpaquiof monitor_status=isisten http_refer=https://api.example.net/seddoei/rnatur.jpg?olores=idolorem#umdolors http_version=uid dev_id=numqua threat_weight=citatio history_threat_weight=sed threat_level=mUten ftp_mode=eursint ftp_cmd=velillum cipher_suite=oin msg_id=teurs", - "event.timezone": "PT", - "fileset.name": "fortimanager", - "host.name": "istenatu3686.invalid", - "http.request.referrer": "https://api.example.net/seddoei/rnatur.jpg?olores=idolorem#umdolors", - "input.type": "log", - "log.level": "very-high", - "log.offset": 67398, - "network.bytes": 4165, - "network.direction": "internal", - "observer.egress.interface.name": "lo2390", - "observer.ingress.interface.name": "enp0s1531", - 
"observer.product": "FortiManager", - "observer.serial_number": "nderit", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.491", - "related.hosts": [ - "boru", - "edutpe", - "istenatu3686.invalid" - ], - "related.ip": [ - "10.182.58.108", - "10.96.100.84" - ], - "related.user": [ - "lpaquiof" - ], - "rsa.internal.event_desc": "oremagna", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "uatDuisa", - "rsa.misc.OS": "citation", - "rsa.misc.action": [ - "accept", - "utlabore" - ], - "rsa.misc.category": "reeu", - "rsa.misc.client": "ntut", - "rsa.misc.context": "oluptate", - "rsa.misc.event_source": "edutpe", - "rsa.misc.event_type": "billoinv", - "rsa.misc.fcatnum": "tempori", - "rsa.misc.filter": "rsintocc", - "rsa.misc.hardware_id": "nderit", - "rsa.misc.log_session_id": "elaud", - "rsa.misc.policy_id": "orporis", - "rsa.misc.policy_name": "rsitvolu", - "rsa.misc.reference_id": "etco", - "rsa.misc.rule_name": "remagna", - "rsa.misc.severity": "very-high", - "rsa.misc.sig_id": 5667, - "rsa.misc.version": "1.491", - "rsa.misc.vsys": "paquioff", - "rsa.network.alias_host": [ - "istenatu3686.invalid" - ], - "rsa.network.dinterface": "lo2390", - "rsa.network.network_service": "magnaali", - "rsa.network.sinterface": "enp0s1531", - "rsa.threat.threat_desc": "mUten", - "rsa.time.duration_time": 28.731, - "rsa.time.event_time": "2018-06-19T05:46:49.000Z", - "rsa.time.timezone": "PT", - "rsa.web.reputation_num": 149.96, - "rsa.web.web_ref_domain": "boru", - "rule.name": "remagna", - "service.type": "fortinet", - "source.bytes": 2397, - "source.geo.country_name": "emUten", - "source.ip": "10.182.58.108", - "source.mac": "01:00:5e:7e:ea:3f", - "source.port": 4811, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "example.org", - "url.extension": "htm", - "url.fragment": "dminimve", - "url.original": "https://example.org/mnisiut/porinci.htm?norum=emUten#dminimve", - 
"url.path": "/mnisiut/porinci.htm", - "url.query": [ - "norum=emUten", - "texplica" - ], - "url.scheme": "https", - "user.name": "lpaquiof" - }, - { - "@timestamp": "2018-07-03T12:49:23.000Z", - "destination.bytes": 2952, - "destination.geo.country_name": "tatem", - "destination.ip": "10.246.41.77", - "destination.nat.ip": "10.157.22.21", - "destination.nat.port": 5252, - "destination.port": 1217, - "event.action": "block", - "event.code": "rios", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=untutl devname=\"cons\" devid=\"vel\" vd=illumdo date=2018-7-3 time=10:49:23 logid=rios type=deF subtype=dutpe level=very-high eventtime=itan logtime=uisnos srcip=10.228.61.5 srcport=1179 srcintf=eth4741 srcintfrole=lites dstip=10.246.41.77 dstport=1217 dstintf=lo7502 dstintfrole=olu poluuid=ectet sessionid=tquovo proto=17 action=block policyid=lapa policytype=xeacom crscore=22.822000 craction=qui crlevel=henderi appcat=rainc service=dminim srccountry=sse dstcountry=tatem trandisp=umexe tranip=10.157.22.21 tranport=5252 duration=135.630000 sentbyte=2167 rcvdbyte=2952 sentpkt=quamei app=nvento", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "very-high", - "log.offset": 68917, - "network.bytes": 5119, - "observer.egress.interface.name": "lo7502", - "observer.ingress.interface.name": "eth4741", - "observer.product": "FortiManager", - "observer.serial_number": "vel", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "cons" - ], - "related.ip": [ - "10.157.22.21", - "10.228.61.5", - "10.246.41.77" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "dutpe", - "rsa.misc.context": "umexe", - "rsa.misc.event_source": "cons", - "rsa.misc.event_type": "deF", - "rsa.misc.hardware_id": "vel", - "rsa.misc.log_session_id": "tquovo", - "rsa.misc.obj_name": "nvento", - "rsa.misc.policy_id": "lapa", - 
"rsa.misc.reference_id": "rios", - "rsa.misc.severity": "very-high", - "rsa.misc.vsys": "illumdo", - "rsa.network.dinterface": "lo7502", - "rsa.network.network_service": "dminim", - "rsa.network.sinterface": "eth4741", - "rsa.time.duration_time": 135.63, - "rsa.time.event_time": "2018-07-03T12:49:23.000Z", - "rsa.time.event_time_str": "itan", - "rsa.web.reputation_num": 22.822, - "service.type": "fortinet", - "source.bytes": 2167, - "source.geo.country_name": "sse", - "source.ip": "10.228.61.5", - "source.port": 1179, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2018-07-17T07:51:58.000Z", - "destination.bytes": 4226, - "destination.geo.country_name": "nonpro", - "destination.ip": "10.239.231.168", - "destination.nat.ip": "10.188.131.18", - "destination.nat.port": 981, - "destination.port": 88, - "event.action": "allow", - "event.code": "psu", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=qua devname=\"llumdo\" devid=\"tot\" vd=itquii date=2018-7-17 time=5:51:58 logid=psu type=iat subtype=ept level=high eventtime=ectob logtime=aUtenim srcip=10.242.119.111 srcport=645 srcintf=lo1640 srcintfrole=tDuisa dstip=10.239.231.168 dstport=88 dstintf=lo3385 dstintfrole=nimi poluuid=niamqu sessionid=uioffi proto=1 action=allow policyid=consequa policytype=tionu crscore=60.452000 craction=quines crlevel=entsu appcat=ineavol service=abor srccountry=giatq dstcountry=nonpro trandisp=elitsedd tranip=10.188.131.18 tranport=981 duration=46.954000 sentbyte=2770 rcvdbyte=4226 sentpkt=tam app=uovo", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "high", - "log.offset": 69520, - "network.bytes": 6996, - "observer.egress.interface.name": "lo3385", - "observer.ingress.interface.name": "lo1640", - "observer.product": "FortiManager", - "observer.serial_number": "tot", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "llumdo" - ], - 
"related.ip": [ - "10.188.131.18", - "10.239.231.168", - "10.242.119.111" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "ept", - "rsa.misc.context": "elitsedd", - "rsa.misc.event_source": "llumdo", - "rsa.misc.event_type": "iat", - "rsa.misc.hardware_id": "tot", - "rsa.misc.log_session_id": "uioffi", - "rsa.misc.obj_name": "uovo", - "rsa.misc.policy_id": "consequa", - "rsa.misc.reference_id": "psu", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "itquii", - "rsa.network.dinterface": "lo3385", - "rsa.network.network_service": "abor", - "rsa.network.sinterface": "lo1640", - "rsa.time.duration_time": 46.954, - "rsa.time.event_time": "2018-07-17T07:51:58.000Z", - "rsa.time.event_time_str": "ectob", - "rsa.web.reputation_num": 60.452, - "service.type": "fortinet", - "source.bytes": 2770, - "source.geo.country_name": "giatq", - "source.ip": "10.242.119.111", - "source.port": 645, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2018-08-01T14:54:32.000Z", - "destination.bytes": 306, - "destination.ip": "10.247.124.74", - "destination.port": 2491, - "event.action": "accept", - "event.code": "nderitin", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=orinrepr date=2018-8-1 time=12:54:32 log_id=untut devid=siu devname=lorem logid=icons type=hende subtype=umdol level=medium vd=psaq srcip=10.24.154.250 srcport=2108 srcintf=eth2707 dstip=10.124.187.230 dstport=6119 dstintf=lo105 poluuid=mqu sessionid=tse proto=udp action=accept policyid=ueip trandisp=amvo duration=20.956000 sentbyte=2068 rcvdbyte=306 devtype=reetdolo osname=tten osversion=1.979 mastersrcmac=usa srcmac=01:00:5e:6a:a6:c9 crscore=45.307000 craction=oremagna crlevel=siuta eventtype=amnihil user=nderit service=ficia hostname=tru3812.mail.lan profile=olo reqtype=xer url=https://api.example.net/nsec/smo.gif?etq=trumexe#rai direction=outbound msg=tNequepo 
method=byCicer cat=imvenia catdesc=ipit device_id=tdolorem log_id=nderitin pri=low userfrom=enderitq adminprof=amvolu timezone=GMT-07:00 main_type=temvele trigger_policy=ofd sub_type=quam severity_level=umdol policy=porincid src=10.106.101.87 src_port=7569 dst=10.247.124.74 dst_port=2491 http_method=inea http_url=ipsu http_host=iden http_agent=oreseo http_session_id=edictasu signature_subclass=aerat signature_id=4358 srccountry=lites content_switch_name=col server_pool_name=litsedd false_positive_mitigation=mnis user_name=ainci monitor_status=aturve http_refer=https://api.example.com/mporain/secte.txt?amqui=rume#uptate http_version=tisundeo dev_id=uid threat_weight=eFini history_threat_weight=mnis threat_level=tametco ftp_mode=snisiut ftp_cmd=lit cipher_suite=laborio msg_id=aaliqu", - "event.timezone": "GMT-07:00", - "fileset.name": "fortimanager", - "host.name": "tru3812.mail.lan", - "http.request.referrer": "https://api.example.com/mporain/secte.txt?amqui=rume#uptate", - "input.type": "log", - "log.level": "low", - "log.offset": 70122, - "network.bytes": 2374, - "network.direction": "outbound", - "observer.egress.interface.name": "lo105", - "observer.ingress.interface.name": "eth2707", - "observer.product": "FortiManager", - "observer.serial_number": "tdolorem", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.979", - "related.hosts": [ - "iden", - "lorem", - "tru3812.mail.lan" - ], - "related.ip": [ - "10.106.101.87", - "10.247.124.74" - ], - "related.user": [ - "ainci" - ], - "rsa.internal.event_desc": "tNequepo", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "amnihil", - "rsa.misc.OS": "tten", - "rsa.misc.action": [ - "accept", - "inea" - ], - "rsa.misc.category": "quam", - "rsa.misc.client": "oreseo", - "rsa.misc.context": "amvo", - "rsa.misc.event_source": "lorem", - "rsa.misc.event_type": "hende", - "rsa.misc.fcatnum": "imvenia", - "rsa.misc.filter": "ipit", - 
"rsa.misc.hardware_id": "tdolorem", - "rsa.misc.log_session_id": "edictasu", - "rsa.misc.policy_id": "ueip", - "rsa.misc.policy_name": "porincid", - "rsa.misc.reference_id": "nderitin", - "rsa.misc.rule_name": "olo", - "rsa.misc.severity": "low", - "rsa.misc.sig_id": 4358, - "rsa.misc.version": "1.979", - "rsa.misc.vsys": "psaq", - "rsa.network.alias_host": [ - "tru3812.mail.lan" - ], - "rsa.network.dinterface": "lo105", - "rsa.network.network_service": "ficia", - "rsa.network.sinterface": "eth2707", - "rsa.threat.threat_desc": "tametco", - "rsa.time.duration_time": 20.956, - "rsa.time.event_time": "2018-08-01T14:54:32.000Z", - "rsa.time.timezone": "GMT-07:00", - "rsa.web.reputation_num": 45.307, - "rsa.web.web_ref_domain": "iden", - "rule.name": "olo", - "service.type": "fortinet", - "source.bytes": 2068, - "source.geo.country_name": "lites", - "source.ip": "10.106.101.87", - "source.mac": "01:00:5e:6a:a6:c9", - "source.port": 7569, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "api.example.net", - "url.extension": "gif", - "url.fragment": "rai", - "url.original": "https://api.example.net/nsec/smo.gif?etq=trumexe#rai", - "url.path": "/nsec/smo.gif", - "url.query": [ - "etq=trumexe", - "ipsu" - ], - "url.scheme": "https", - "user.name": "ainci" - }, - { - "@timestamp": "2018-08-15T09:57:06.000Z", - "event.action": "deny", - "event.code": "consec", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "date=2018-8-15 time=7:57:06 devname=mid device_id=henderi log_id=consec type=event subtype=dquia pri=high desc=isiutali user=rehe userfrom=volupta msg=etcons action=deny adom=etdol408.internal.home session_id=agnamali", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "high", - "log.offset": 71594, - "observer.product": "FortiManager", - "observer.serial_number": "henderi", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - 
"etdol408.internal.home", - "mid" - ], - "related.user": [ - "rehe" - ], - "rsa.db.index": "etcons", - "rsa.internal.event_desc": "isiutali", - "rsa.internal.messageid": "event_fortinetmgr", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "dquia", - "rsa.misc.event_source": "mid", - "rsa.misc.event_type": "event", - "rsa.misc.hardware_id": "henderi", - "rsa.misc.log_session_id": "agnamali", - "rsa.misc.reference_id": "consec", - "rsa.misc.severity": "high", - "rsa.network.domain": "etdol408.internal.home", - "rsa.time.event_time": "2018-08-15T09:57:06.000Z", - "server.domain": "etdol408.internal.home", - "server.registered_domain": "internal.home", - "server.subdomain": "etdol408", - "server.top_level_domain": "home", - "service.type": "fortinet", - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "user.name": "rehe" - }, - { - "@timestamp": "2018-08-29T04:59:40.000Z", - "destination.bytes": 806, - "destination.ip": "10.162.114.52", - "destination.port": 2925, - "event.action": "allow", - "event.code": "san", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "date=2018-8-29 time=2:59:40 logver=cae devid=Utenimad devname=onsequ logid=Bon type=amquisno subtype=mullam level=very-high vd=admi srcip=10.111.106.60 srcport=5449 srcintf=lo5820 dstip=10.142.181.192 dstport=4386 dstintf=lo6200 poluuid=lmolest sessionid=miurerep proto=17 action=allow policyid=Sed trandisp=isau duration=66.574000 sentbyte=75 rcvdbyte=806 devtype=idest osname=ostru osversion=1.4342 mastersrcmac=enimip srcmac=01:00:5e:11:d6:5d crscore=66.141000 craction=umquiado crlevel=taspe eventtype=empori user=mipsum service=tium hostname=riaturE1644.www5.example profile=ender reqtype=uine url=https://internal.example.com/dolo/exeacom.txt?tlab=eufugiat#upta direction=internal msg=reetdo method=mad cat=mdolor catdesc=amcorpor device_id=oremquel log_id=san pri=high userfrom=amqui adminprof=itatise timezone=GMT-07:00 main_type=cia 
trigger_policy=lup sub_type=cipitla severity_level=niam policy=mullamc src=10.215.144.167 src_port=6675 dst=10.162.114.52 dst_port=2925 http_method=quepor http_url=Lor http_host=ten http_agent=exeacomm http_session_id=cusan signature_subclass=oquisq signature_id=4993 srccountry=ihilmol content_switch_name=seosqui server_pool_name=tiset false_positive_mitigation=ciade user_name=erspici monitor_status=xercitat http_refer=https://internal.example.net/utlab/entoreve.html?umdol=nseq#autodita http_version=loreme dev_id=eratv threat_weight=tametcon history_threat_weight=orsi threat_level=ull ftp_mode=mcor ftp_cmd=iamquis cipher_suite=aeabi msg_id=ore", - "event.timezone": "GMT-07:00", - "fileset.name": "fortimanager", - "host.name": "riaturE1644.www5.example", - "http.request.referrer": "https://internal.example.net/utlab/entoreve.html?umdol=nseq#autodita", - "input.type": "log", - "log.level": "high", - "log.offset": 71812, - "network.bytes": 881, - "network.direction": "internal", - "observer.egress.interface.name": "lo6200", - "observer.ingress.interface.name": "lo5820", - "observer.product": "FortiManager", - "observer.serial_number": "oremquel", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.4342", - "related.hosts": [ - "onsequ", - "riaturE1644.www5.example", - "ten" - ], - "related.ip": [ - "10.162.114.52", - "10.215.144.167" - ], - "related.user": [ - "erspici" - ], - "rsa.internal.event_desc": "reetdo", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "empori", - "rsa.misc.OS": "ostru", - "rsa.misc.action": [ - "allow", - "quepor" - ], - "rsa.misc.category": "cipitla", - "rsa.misc.client": "exeacomm", - "rsa.misc.context": "isau", - "rsa.misc.event_source": "onsequ", - "rsa.misc.event_type": "amquisno", - "rsa.misc.fcatnum": "mdolor", - "rsa.misc.filter": "amcorpor", - "rsa.misc.hardware_id": "oremquel", - "rsa.misc.log_session_id": "cusan", - "rsa.misc.policy_id": "Sed", - 
"rsa.misc.policy_name": "mullamc", - "rsa.misc.reference_id": "san", - "rsa.misc.rule_name": "ender", - "rsa.misc.severity": "high", - "rsa.misc.sig_id": 4993, - "rsa.misc.version": "1.4342", - "rsa.misc.vsys": "admi", - "rsa.network.alias_host": [ - "riaturE1644.www5.example" - ], - "rsa.network.dinterface": "lo6200", - "rsa.network.network_service": "tium", - "rsa.network.sinterface": "lo5820", - "rsa.threat.threat_desc": "ull", - "rsa.time.duration_time": 66.574, - "rsa.time.event_time": "2018-08-29T04:59:40.000Z", - "rsa.time.timezone": "GMT-07:00", - "rsa.web.reputation_num": 66.141, - "rsa.web.web_ref_domain": "ten", - "rule.name": "ender", - "service.type": "fortinet", - "source.bytes": 75, - "source.geo.country_name": "ihilmol", - "source.ip": "10.215.144.167", - "source.mac": "01:00:5e:11:d6:5d", - "source.port": 6675, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "internal.example.com", - "url.extension": "txt", - "url.fragment": "upta", - "url.original": "https://internal.example.com/dolo/exeacom.txt?tlab=eufugiat#upta", - "url.path": "/dolo/exeacom.txt", - "url.query": [ - "Lor", - "tlab=eufugiat" - ], - "url.scheme": "https", - "user.name": "erspici" - }, - { - "@timestamp": "2018-09-12T12:02:15.000Z", - "destination.bytes": 7641, - "destination.ip": "10.78.75.82", - "destination.port": 7799, - "event.action": "accept", - "event.code": "fugi", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "date=2018-9-12 time=10:02:15 logver=catcup devid=ectetur devname=cons logid=spiciati type=upidata subtype=utlabo level=high vd=ersp srcip=10.101.207.156 srcport=2086 srcintf=enp0s4931 dstip=10.12.8.82 dstport=4369 dstintf=enp0s7520 poluuid=nemull sessionid=trumex proto=6 action=accept policyid=doloremq trandisp=iade duration=26.420000 sentbyte=5013 rcvdbyte=7641 devtype=uidolo osname=ita osversion=1.6452 mastersrcmac=rchite srcmac=01:00:5e:41:90:bf crscore=107.693000 craction=tionem 
crlevel=volupta eventtype=adol user=econsequ service=orever hostname=mdolo7008.api.corp profile=reetdolo reqtype=psam url=https://www5.example.org/orumet/aliqu.txt?tion=sun#utod direction=outbound msg=rinci method=uamestqu cat=riatu catdesc=ulaparia device_id=remagna log_id=fugi pri=very-high userfrom=xerc adminprof=caecat timezone=OMST main_type=cor trigger_policy=nonnumqu sub_type=uidexea severity_level=emu policy=asia src=10.162.128.87 src_port=6214 dst=10.78.75.82 dst_port=7799 http_method=uptat http_url=con http_host=tem http_agent=orpori http_session_id=lor signature_subclass=quiinea signature_id=7098 srccountry=rroquis content_switch_name=dolorema server_pool_name=prehe false_positive_mitigation=bori user_name=Sedutp monitor_status=ritinvo http_refer=https://internal.example.net/ica/nat.jpg?ddoe=nsequ#lloinve http_version=tdolo dev_id=billoi threat_weight=sequu history_threat_weight=ffic threat_level=imadmini ftp_mode=isnostru ftp_cmd=ostr cipher_suite=tinvo msg_id=lorumwr", - "event.timezone": "OMST", - "fileset.name": "fortimanager", - "host.name": "mdolo7008.api.corp", - "http.request.referrer": "https://internal.example.net/ica/nat.jpg?ddoe=nsequ#lloinve", - "input.type": "log", - "log.level": "very-high", - "log.offset": 73306, - "network.bytes": 12654, - "network.direction": "outbound", - "observer.egress.interface.name": "enp0s7520", - "observer.ingress.interface.name": "enp0s4931", - "observer.product": "FortiManager", - "observer.serial_number": "remagna", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.6452", - "related.hosts": [ - "cons", - "mdolo7008.api.corp", - "tem" - ], - "related.ip": [ - "10.162.128.87", - "10.78.75.82" - ], - "related.user": [ - "Sedutp" - ], - "rsa.internal.event_desc": "rinci", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "adol", - "rsa.misc.OS": "ita", - "rsa.misc.action": [ - "accept", - "uptat" - ], - "rsa.misc.category": "uidexea", 
- "rsa.misc.client": "orpori", - "rsa.misc.context": "iade", - "rsa.misc.event_source": "cons", - "rsa.misc.event_type": "upidata", - "rsa.misc.fcatnum": "riatu", - "rsa.misc.filter": "ulaparia", - "rsa.misc.hardware_id": "remagna", - "rsa.misc.log_session_id": "lor", - "rsa.misc.policy_id": "doloremq", - "rsa.misc.policy_name": "asia", - "rsa.misc.reference_id": "fugi", - "rsa.misc.rule_name": "reetdolo", - "rsa.misc.severity": "very-high", - "rsa.misc.sig_id": 7098, - "rsa.misc.version": "1.6452", - "rsa.misc.vsys": "ersp", - "rsa.network.alias_host": [ - "mdolo7008.api.corp" - ], - "rsa.network.dinterface": "enp0s7520", - "rsa.network.network_service": "orever", - "rsa.network.sinterface": "enp0s4931", - "rsa.threat.threat_desc": "imadmini", - "rsa.time.duration_time": 26.42, - "rsa.time.event_time": "2018-09-12T12:02:15.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.reputation_num": 107.693, - "rsa.web.web_ref_domain": "tem", - "rule.name": "reetdolo", - "service.type": "fortinet", - "source.bytes": 5013, - "source.geo.country_name": "rroquis", - "source.ip": "10.162.128.87", - "source.mac": "01:00:5e:41:90:bf", - "source.port": 6214, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "www5.example.org", - "url.extension": "txt", - "url.fragment": "utod", - "url.original": "https://www5.example.org/orumet/aliqu.txt?tion=sun#utod", - "url.path": "/orumet/aliqu.txt", - "url.query": [ - "con", - "tion=sun" - ], - "url.scheme": "https", - "user.name": "Sedutp" - }, - { - "@timestamp": "2018-09-27T07:04:49.000Z", - "destination.bytes": 5464, - "destination.geo.country_name": "mdolorem", - "destination.ip": "10.137.36.151", - "destination.nat.ip": "10.51.106.43", - "destination.nat.port": 6486, - "destination.port": 196, - "event.action": "block", - "event.code": "auteir", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=ctetura devname=\"reseosqu\" devid=\"ittenbyC\" vd=tlabor 
date=2018-9-27 time=5:04:49 logid=auteir type=uredolo subtype=uido level=medium eventtime=quiratio logtime=aincidu srcip=10.75.198.93 srcport=1982 srcintf=eth725 srcintfrole=umqu dstip=10.137.36.151 dstport=196 dstintf=lo1813 dstintfrole=rspici poluuid=duntutla sessionid=emeu proto=1 action=block policyid=atemUten policytype=turadipi crscore=16.226000 craction=estqu crlevel=orinre appcat=prehen service=equa srccountry=ciatisun dstcountry=mdolorem trandisp=nnumq tranip=10.51.106.43 tranport=6486 duration=78.551000 sentbyte=3531 rcvdbyte=5464 sentpkt=oremeumf app=volupt", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "medium", - "log.offset": 74789, - "network.bytes": 8995, - "observer.egress.interface.name": "lo1813", - "observer.ingress.interface.name": "eth725", - "observer.product": "FortiManager", - "observer.serial_number": "ittenbyC", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "reseosqu" - ], - "related.ip": [ - "10.137.36.151", - "10.51.106.43", - "10.75.198.93" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "uido", - "rsa.misc.context": "nnumq", - "rsa.misc.event_source": "reseosqu", - "rsa.misc.event_type": "uredolo", - "rsa.misc.hardware_id": "ittenbyC", - "rsa.misc.log_session_id": "emeu", - "rsa.misc.obj_name": "volupt", - "rsa.misc.policy_id": "atemUten", - "rsa.misc.reference_id": "auteir", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "tlabor", - "rsa.network.dinterface": "lo1813", - "rsa.network.network_service": "equa", - "rsa.network.sinterface": "eth725", - "rsa.time.duration_time": 78.551, - "rsa.time.event_time": "2018-09-27T07:04:49.000Z", - "rsa.time.event_time_str": "quiratio", - "rsa.web.reputation_num": 16.226, - "service.type": "fortinet", - "source.bytes": 3531, - "source.geo.country_name": "ciatisun", - "source.ip": "10.75.198.93", - "source.port": 1982, - "tags": [ - 
"fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2018-10-11T14:07:23.000Z", - "destination.bytes": 5744, - "destination.geo.country_name": "tlab", - "destination.ip": "10.7.230.206", - "destination.nat.ip": "10.249.93.150", - "destination.nat.port": 799, - "destination.port": 5757, - "event.action": "allow", - "event.code": "mvol", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=tnulapa devname=\"caecatcu\" devid=\"xcepte\" vd=deserun date=2018-10-11 time=12:07:23 logid=mvol type=erep subtype=teurs level=low eventtime=tiumdol logtime=byCicer srcip=10.154.151.111 srcport=5860 srcintf=eth1273 srcintfrole=uisnos dstip=10.7.230.206 dstport=5757 dstintf=lo1291 dstintfrole=pisc poluuid=eumfu sessionid=tseddoe proto=HOPOPT action=allow policyid=emulla policytype=bill crscore=147.522000 craction=oditaut crlevel=oloremqu appcat=untNeque service=reetdol srccountry=perspi dstcountry=tlab trandisp=udexerci tranip=10.249.93.150 tranport=799 duration=113.020000 sentbyte=2808 rcvdbyte=5744 sentpkt=ovolup app=squ", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "low", - "log.offset": 75425, - "network.bytes": 8552, - "observer.egress.interface.name": "lo1291", - "observer.ingress.interface.name": "eth1273", - "observer.product": "FortiManager", - "observer.serial_number": "xcepte", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "caecatcu" - ], - "related.ip": [ - "10.154.151.111", - "10.249.93.150", - "10.7.230.206" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "teurs", - "rsa.misc.context": "udexerci", - "rsa.misc.event_source": "caecatcu", - "rsa.misc.event_type": "erep", - "rsa.misc.hardware_id": "xcepte", - "rsa.misc.log_session_id": "tseddoe", - "rsa.misc.obj_name": "squ", - "rsa.misc.policy_id": "emulla", - "rsa.misc.reference_id": "mvol", - "rsa.misc.severity": 
"low", - "rsa.misc.vsys": "deserun", - "rsa.network.dinterface": "lo1291", - "rsa.network.network_service": "reetdol", - "rsa.network.sinterface": "eth1273", - "rsa.time.duration_time": 113.02, - "rsa.time.event_time": "2018-10-11T14:07:23.000Z", - "rsa.time.event_time_str": "tiumdol", - "rsa.web.reputation_num": 147.522, - "service.type": "fortinet", - "source.bytes": 2808, - "source.geo.country_name": "perspi", - "source.ip": "10.154.151.111", - "source.port": 5860, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2018-10-25T09:09:57.000Z", - "destination.bytes": 6280, - "destination.ip": "10.26.4.3", - "destination.port": 5291, - "event.action": "deny", - "event.code": "iameaq", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "date=2018-10-25 time=7:09:57 logver=dolor devid=lit devname=ptatem logid=oeiusmod type=ugi subtype=utaliq level=very-high vd=toc srcip=10.76.177.154 srcport=1428 srcintf=eth4425 dstip=10.207.160.170 dstport=7037 dstintf=lo1570 poluuid=reseo sessionid=iration proto=tcp action=deny policyid=magn trandisp=iaecon duration=54.100000 sentbyte=622 rcvdbyte=6280 devtype=ill osname=oris osversion=1.5718 mastersrcmac=ulamcol srcmac=01:00:5e:19:ce:4b crscore=142.771000 craction=oNe crlevel=utfu eventtype=santiumd user=cididunt service=ctasu hostname=itse5466.api.example profile=ica reqtype=mnisis url=https://internal.example.com/nonnumqu/isciveli.gif?wri=aute#iscin direction=outbound msg=uat method=itasper cat=nibusBo catdesc=volupta device_id=olorinr log_id=iameaq pri=high userfrom=docons adminprof=uun timezone=OMST main_type=mremap trigger_policy=ate sub_type=agnaal severity_level=ibusB policy=mexe src=10.217.209.221 src_port=3639 dst=10.26.4.3 dst_port=5291 http_method=rsitame http_url=eca http_host=quirat http_agent=urmagn http_session_id=essec signature_subclass=prehende signature_id=1261 srccountry=setquas content_switch_name=nti server_pool_name=osamnis 
false_positive_mitigation=atisetqu user_name=ciduntut monitor_status=atisu http_refer=https://internal.example.com/architec/incul.txt?aborios=mco#amnisiu http_version=suntincu dev_id=lore threat_weight=equatu history_threat_weight=enbyCi threat_level=dolo ftp_mode=adipi ftp_cmd=beata cipher_suite=evelites msg_id=ipiscive", - "event.timezone": "OMST", - "fileset.name": "fortimanager", - "host.name": "itse5466.api.example", - "http.request.referrer": "https://internal.example.com/architec/incul.txt?aborios=mco#amnisiu", - "input.type": "log", - "log.level": "high", - "log.offset": 76059, - "network.bytes": 6902, - "network.direction": "outbound", - "observer.egress.interface.name": "lo1570", - "observer.ingress.interface.name": "eth4425", - "observer.product": "FortiManager", - "observer.serial_number": "olorinr", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.5718", - "related.hosts": [ - "itse5466.api.example", - "ptatem", - "quirat" - ], - "related.ip": [ - "10.217.209.221", - "10.26.4.3" - ], - "related.user": [ - "ciduntut" - ], - "rsa.internal.event_desc": "uat", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "santiumd", - "rsa.misc.OS": "oris", - "rsa.misc.action": [ - "deny", - "rsitame" - ], - "rsa.misc.category": "agnaal", - "rsa.misc.client": "urmagn", - "rsa.misc.context": "iaecon", - "rsa.misc.event_source": "ptatem", - "rsa.misc.event_type": "ugi", - "rsa.misc.fcatnum": "nibusBo", - "rsa.misc.filter": "volupta", - "rsa.misc.hardware_id": "olorinr", - "rsa.misc.log_session_id": "essec", - "rsa.misc.policy_id": "magn", - "rsa.misc.policy_name": "mexe", - "rsa.misc.reference_id": "iameaq", - "rsa.misc.rule_name": "ica", - "rsa.misc.severity": "high", - "rsa.misc.sig_id": 1261, - "rsa.misc.version": "1.5718", - "rsa.misc.vsys": "toc", - "rsa.network.alias_host": [ - "itse5466.api.example" - ], - "rsa.network.dinterface": "lo1570", - "rsa.network.network_service": "ctasu", 
- "rsa.network.sinterface": "eth4425", - "rsa.threat.threat_desc": "dolo", - "rsa.time.duration_time": 54.1, - "rsa.time.event_time": "2018-10-25T09:09:57.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.reputation_num": 142.771, - "rsa.web.web_ref_domain": "quirat", - "rule.name": "ica", - "service.type": "fortinet", - "source.bytes": 622, - "source.geo.country_name": "setquas", - "source.ip": "10.217.209.221", - "source.mac": "01:00:5e:19:ce:4b", - "source.port": 3639, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "internal.example.com", - "url.extension": "gif", - "url.fragment": "iscin", - "url.original": "https://internal.example.com/nonnumqu/isciveli.gif?wri=aute#iscin", - "url.path": "/nonnumqu/isciveli.gif", - "url.query": [ - "eca", - "wri=aute" - ], - "url.scheme": "https", - "user.name": "ciduntut" - }, - { - "@timestamp": "2018-11-09T04:12:32.000Z", - "destination.bytes": 6960, - "destination.ip": "10.180.162.174", - "destination.port": 7186, - "event.action": "accept", - "event.code": "taedic", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=umtot date=2018-11-9 time=2:12:32 log_id=eumiurer devid=inv devname=eac logid=rainc type=tinculp subtype=uianon level=high vd=corpori srcip=10.232.131.132 srcport=581 srcintf=enp0s6255 dstip=10.232.246.98 dstport=1854 dstintf=enp0s1526 poluuid=ivelit sessionid=itlabori proto=icmp action=accept policyid=oide trandisp=magni duration=72.993000 sentbyte=5817 rcvdbyte=6960 devtype=rrorsit osname=emipsu osversion=1.6603 mastersrcmac=temUte srcmac=01:00:5e:fe:be:28 crscore=134.746000 craction=hitec crlevel=sci eventtype=luptatev user=ruredo service=iamquis hostname=dquiac6194.api.lan profile=nidolo reqtype=runtmoll url=https://www5.example.org/utlabo/scip.html?voluptas=inv#upta direction=external msg=ors method=olupta cat=raincidu catdesc=nisi device_id=uipexea log_id=taedic pri=high userfrom=ugi adminprof=urExcep timezone=CET 
main_type=usant trigger_policy=uidolore sub_type=litse severity_level=ugitse policy=utfugi src=10.241.140.241 src_port=1813 dst=10.180.162.174 dst_port=7186 http_method=ido http_url=atnu http_host=ssuscipi http_agent=evita http_session_id=tconsect signature_subclass=lpaquiof signature_id=532 srccountry=lors content_switch_name=Finibus server_pool_name=totam false_positive_mitigation=idat user_name=nulapar monitor_status=git http_refer=https://www5.example.com/odtem/tati.jpg?ueips=umqu#ntexpli http_version=siuta dev_id=porincid threat_weight=itame history_threat_weight=inv threat_level=remaper ftp_mode=quaUteni ftp_cmd=evelit cipher_suite=oluptat msg_id=ditem", - "event.timezone": "CET", - "fileset.name": "fortimanager", - "host.name": "dquiac6194.api.lan", - "http.request.referrer": "https://www5.example.com/odtem/tati.jpg?ueips=umqu#ntexpli", - "input.type": "log", - "log.level": "high", - "log.offset": 77550, - "network.bytes": 12777, - "network.direction": "external", - "observer.egress.interface.name": "enp0s1526", - "observer.ingress.interface.name": "enp0s6255", - "observer.product": "FortiManager", - "observer.serial_number": "uipexea", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.6603", - "related.hosts": [ - "dquiac6194.api.lan", - "eac", - "ssuscipi" - ], - "related.ip": [ - "10.180.162.174", - "10.241.140.241" - ], - "related.user": [ - "nulapar" - ], - "rsa.internal.event_desc": "ors", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "luptatev", - "rsa.misc.OS": "emipsu", - "rsa.misc.action": [ - "accept", - "ido" - ], - "rsa.misc.category": "litse", - "rsa.misc.client": "evita", - "rsa.misc.context": "magni", - "rsa.misc.event_source": "eac", - "rsa.misc.event_type": "tinculp", - "rsa.misc.fcatnum": "raincidu", - "rsa.misc.filter": "nisi", - "rsa.misc.hardware_id": "uipexea", - "rsa.misc.log_session_id": "tconsect", - "rsa.misc.policy_id": "oide", - 
"rsa.misc.policy_name": "utfugi", - "rsa.misc.reference_id": "taedic", - "rsa.misc.rule_name": "nidolo", - "rsa.misc.severity": "high", - "rsa.misc.sig_id": 532, - "rsa.misc.version": "1.6603", - "rsa.misc.vsys": "corpori", - "rsa.network.alias_host": [ - "dquiac6194.api.lan" - ], - "rsa.network.dinterface": "enp0s1526", - "rsa.network.network_service": "iamquis", - "rsa.network.sinterface": "enp0s6255", - "rsa.threat.threat_desc": "remaper", - "rsa.time.duration_time": 72.993, - "rsa.time.event_time": "2018-11-09T04:12:32.000Z", - "rsa.time.timezone": "CET", - "rsa.web.reputation_num": 134.746, - "rsa.web.web_ref_domain": "ssuscipi", - "rule.name": "nidolo", - "service.type": "fortinet", - "source.bytes": 5817, - "source.geo.country_name": "lors", - "source.ip": "10.241.140.241", - "source.mac": "01:00:5e:fe:be:28", - "source.port": 1813, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "www5.example.org", - "url.extension": "html", - "url.fragment": "upta", - "url.original": "https://www5.example.org/utlabo/scip.html?voluptas=inv#upta", - "url.path": "/utlabo/scip.html", - "url.query": [ - "atnu", - "voluptas=inv" - ], - "url.scheme": "https", - "user.name": "nulapar" - }, - { - "@timestamp": "2018-11-23T11:15:06.000Z", - "destination.bytes": 5783, - "destination.ip": "10.62.140.108", - "destination.port": 1225, - "event.action": "deny", - "event.code": "enimip", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "date=2018-11-23 time=9:15:06 devname=oditautf device_id=asiarc log_id=eddoei type=generic subtype=iatqu pri=very-high devid=itessec devname=dat logid=tdol type=emul subtype=ariatu level=high vd=reseo srcip=10.53.70.207 srcport=1793 srcintf=lo2279 dstip=10.73.140.61 dstport=2114 dstintf=lo368 poluuid=stlabo sessionid=atema proto=1 action=deny policyid=orporiss trandisp=iamq duration=128.426000 sentbyte=1800 rcvdbyte=5783 devtype=pis osname=riosam osversion=1.2052 mastersrcmac=iosam 
srcmac=01:00:5e:21:d3:0a crscore=65.426000 craction=archi crlevel=nes eventtype=atvolupt user=umwritt service=uae hostname=amco1592.mail.host profile=aaliq reqtype=olupta url=https://internal.example.com/ssusci/snostrud.txt?dolo=siutaliq#obeata direction=outbound msg=tame method=olo cat=vel catdesc=equamn device_id=tempora log_id=enimip pri=very-high userfrom=saqua adminprof=aperia timezone=OMST main_type=tNeque trigger_policy=metcon sub_type=enimadmi severity_level=orem policy=corpor src=10.110.99.222 src_port=5685 dst=10.62.140.108 dst_port=1225 http_method=ssitasp http_url=ptat http_host=asp http_agent=uatDui http_session_id=nofdeFin signature_subclass=unde signature_id=3979 srccountry=seruntm content_switch_name=aera server_pool_name=scive false_positive_mitigation=ngelit user_name=moenimi monitor_status=mqu http_refer=https://mail.example.org/ueipsaq/upid.gif?utla=emUte#tisund http_version=tutla dev_id=isund threat_weight=atemU history_threat_weight=uidex threat_level=uptate ftp_mode=eac ftp_cmd=peria cipher_suite=amaliq msg_id=ium", - "event.timezone": "OMST", - "fileset.name": "fortimanager", - "host.name": "amco1592.mail.host", - "http.request.referrer": "https://mail.example.org/ueipsaq/upid.gif?utla=emUte#tisund", - "input.type": "log", - "log.level": "very-high", - "log.offset": 79056, - "network.bytes": 7583, - "network.direction": "outbound", - "observer.egress.interface.name": "lo368", - "observer.ingress.interface.name": "lo2279", - "observer.product": "FortiManager", - "observer.serial_number": "tempora", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.2052", - "related.hosts": [ - "amco1592.mail.host", - "asp", - "dat" - ], - "related.ip": [ - "10.110.99.222", - "10.62.140.108" - ], - "related.user": [ - "moenimi" - ], - "rsa.internal.event_desc": "tame", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "atvolupt", - "rsa.misc.OS": "riosam", - "rsa.misc.action": [ - 
"deny", - "ssitasp" - ], - "rsa.misc.category": "enimadmi", - "rsa.misc.client": "uatDui", - "rsa.misc.context": "iamq", - "rsa.misc.event_source": "dat", - "rsa.misc.event_type": "emul", - "rsa.misc.fcatnum": "vel", - "rsa.misc.filter": "equamn", - "rsa.misc.hardware_id": "tempora", - "rsa.misc.log_session_id": "nofdeFin", - "rsa.misc.policy_id": "orporiss", - "rsa.misc.policy_name": "corpor", - "rsa.misc.reference_id": "enimip", - "rsa.misc.rule_name": "aaliq", - "rsa.misc.severity": "very-high", - "rsa.misc.sig_id": 3979, - "rsa.misc.version": "1.2052", - "rsa.misc.vsys": "reseo", - "rsa.network.alias_host": [ - "amco1592.mail.host" - ], - "rsa.network.dinterface": "lo368", - "rsa.network.network_service": "uae", - "rsa.network.sinterface": "lo2279", - "rsa.threat.threat_desc": "uptate", - "rsa.time.duration_time": 128.426, - "rsa.time.event_time": "2018-11-23T11:15:06.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.reputation_num": 65.426, - "rsa.web.web_ref_domain": "asp", - "rule.name": "aaliq", - "service.type": "fortinet", - "source.bytes": 1800, - "source.geo.country_name": "seruntm", - "source.ip": "10.110.99.222", - "source.mac": "01:00:5e:21:d3:0a", - "source.port": 5685, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "internal.example.com", - "url.extension": "txt", - "url.fragment": "obeata", - "url.original": "https://internal.example.com/ssusci/snostrud.txt?dolo=siutaliq#obeata", - "url.path": "/ssusci/snostrud.txt", - "url.query": [ - "dolo=siutaliq", - "ptat" - ], - "url.scheme": "https", - "user.name": "moenimi" - }, - { - "@timestamp": "2018-12-07T06:17:40.000Z", - "destination.bytes": 7612, - "destination.ip": "10.53.50.77", - "destination.port": 5330, - "event.action": "accept", - "event.code": "etdo", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=ptate date=2018-12-7 time=4:17:40 log_id=tenatu devid=emo devname=ratio logid=maperia type=Maloru subtype=sumquia 
level=low vd=imadmini srcip=10.237.5.219 srcport=3828 srcintf=eth4604 dstip=10.197.99.150 dstport=3877 dstintf=enp0s7388 poluuid=odo sessionid=itseddoe proto=prm action=accept policyid=itinvo trandisp=uiavol duration=96.864000 sentbyte=2685 rcvdbyte=7612 devtype=urmagn osname=ficiade osversion=1.2691 mastersrcmac=equ srcmac=01:00:5e:f5:2a:24 crscore=163.671000 craction=mipsum crlevel=dolor eventtype=cupidata user=niamquis service=lapariat hostname=dicta7226.mail.example profile=eddoei reqtype=cingel url=https://api.example.com/temporai/umw.jpg?mveniamq=litsed#ptasn direction=unknown msg=loinv method=umd cat=madmi catdesc=xercit device_id=avolup log_id=etdo pri=medium userfrom=veleum adminprof=emUten timezone=CT main_type=proiden trigger_policy=cita sub_type=iac severity_level=ntincul policy=mnisiste src=10.4.244.115 src_port=4588 dst=10.53.50.77 dst_port=5330 http_method=lorem http_url=lore http_host=orroqu http_agent=tlabo http_session_id=iameaque signature_subclass=sautemve signature_id=6466 srccountry=emoe content_switch_name=ameiusmo server_pool_name=ntiumtot false_positive_mitigation=aeab user_name=idolo monitor_status=temac http_refer=https://api.example.net/ollita/idolore.html?illu=iut#asiarc http_version=imidest dev_id=mwri threat_weight=orsi history_threat_weight=ritinvol threat_level=rporiss ftp_mode=atu ftp_cmd=ddo cipher_suite=veli msg_id=ata", - "event.timezone": "CT", - "fileset.name": "fortimanager", - "host.name": "dicta7226.mail.example", - "http.request.referrer": "https://api.example.net/ollita/idolore.html?illu=iut#asiarc", - "input.type": "log", - "log.level": "medium", - "log.offset": 80595, - "network.bytes": 10297, - "network.direction": "unknown", - "observer.egress.interface.name": "enp0s7388", - "observer.ingress.interface.name": "eth4604", - "observer.product": "FortiManager", - "observer.serial_number": "avolup", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.2691", - "related.hosts": [ - 
"dicta7226.mail.example", - "orroqu", - "ratio" - ], - "related.ip": [ - "10.4.244.115", - "10.53.50.77" - ], - "related.user": [ - "idolo" - ], - "rsa.internal.event_desc": "loinv", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "cupidata", - "rsa.misc.OS": "ficiade", - "rsa.misc.action": [ - "accept", - "lorem" - ], - "rsa.misc.category": "iac", - "rsa.misc.client": "tlabo", - "rsa.misc.context": "uiavol", - "rsa.misc.event_source": "ratio", - "rsa.misc.event_type": "Maloru", - "rsa.misc.fcatnum": "madmi", - "rsa.misc.filter": "xercit", - "rsa.misc.hardware_id": "avolup", - "rsa.misc.log_session_id": "iameaque", - "rsa.misc.policy_id": "itinvo", - "rsa.misc.policy_name": "mnisiste", - "rsa.misc.reference_id": "etdo", - "rsa.misc.rule_name": "eddoei", - "rsa.misc.severity": "medium", - "rsa.misc.sig_id": 6466, - "rsa.misc.version": "1.2691", - "rsa.misc.vsys": "imadmini", - "rsa.network.alias_host": [ - "dicta7226.mail.example" - ], - "rsa.network.dinterface": "enp0s7388", - "rsa.network.network_service": "lapariat", - "rsa.network.sinterface": "eth4604", - "rsa.threat.threat_desc": "rporiss", - "rsa.time.duration_time": 96.864, - "rsa.time.event_time": "2018-12-07T06:17:40.000Z", - "rsa.time.timezone": "CT", - "rsa.web.reputation_num": 163.671, - "rsa.web.web_ref_domain": "orroqu", - "rule.name": "eddoei", - "service.type": "fortinet", - "source.bytes": 2685, - "source.geo.country_name": "emoe", - "source.ip": "10.4.244.115", - "source.mac": "01:00:5e:f5:2a:24", - "source.port": 4588, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "api.example.com", - "url.extension": "jpg", - "url.fragment": "ptasn", - "url.original": "https://api.example.com/temporai/umw.jpg?mveniamq=litsed#ptasn", - "url.path": "/temporai/umw.jpg", - "url.query": [ - "lore", - "mveniamq=litsed" - ], - "url.scheme": "https", - "user.name": "idolo" - }, - { - "@timestamp": "2018-12-21T13:20:14.000Z", - "destination.bytes": 3484, - 
"destination.geo.country_name": "litess", - "destination.ip": "10.236.211.111", - "destination.nat.ip": "10.120.212.78", - "destination.nat.port": 119, - "destination.port": 1801, - "event.action": "allow", - "event.code": "atur", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=lor dtime=2018-12-21 23:20:14.972538723 +0000 UTC devid=ori devname=eleumiu vd=amre date=2018-12-21 time=11:20:14 logid=atur type=untex subtype=Except level=very-high eventtime=econse logtime=iac srcip=10.221.100.157 srcport=865 srcintf=lo4518 srcintfrole=mqu dstip=10.236.211.111 dstport=1801 dstintf=enp0s454 dstintfrole=rauto poluuid=pteursi sessionid=iquamqua proto=tcp action=allow policyid=psumqui policytype=equeporr crscore=32.741000 craction=cusanti crlevel=doloreme appcat=nsecte service=reprehen srccountry=taspe dstcountry=litess trandisp=enimadm tranip=10.120.212.78 tranport=119 duration=17.257000 sentbyte=4752 rcvdbyte=3484 sentpkt=ntsuntin app=ectetur", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "very-high", - "log.offset": 82093, - "network.bytes": 8236, - "observer.egress.interface.name": "enp0s454", - "observer.ingress.interface.name": "lo4518", - "observer.product": "FortiManager", - "observer.serial_number": "ori", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "eleumiu" - ], - "related.ip": [ - "10.120.212.78", - "10.221.100.157", - "10.236.211.111" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "Except", - "rsa.misc.context": "enimadm", - "rsa.misc.event_source": "eleumiu", - "rsa.misc.event_type": "untex", - "rsa.misc.hardware_id": "ori", - "rsa.misc.log_session_id": "iquamqua", - "rsa.misc.obj_name": "ectetur", - "rsa.misc.policy_id": "psumqui", - "rsa.misc.reference_id": "atur", - "rsa.misc.severity": "very-high", - "rsa.misc.vsys": "amre", - "rsa.network.dinterface": 
"enp0s454", - "rsa.network.network_service": "reprehen", - "rsa.network.sinterface": "lo4518", - "rsa.time.duration_time": 17.257, - "rsa.time.event_time": "2018-12-21T13:20:14.000Z", - "rsa.time.event_time_str": "econse", - "rsa.web.reputation_num": 32.741, - "service.type": "fortinet", - "source.bytes": 4752, - "source.geo.country_name": "taspe", - "source.ip": "10.221.100.157", - "source.port": 865, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2019-01-05T08:22:49.000Z", - "destination.bytes": 5326, - "destination.ip": "10.208.231.15", - "destination.port": 412, - "event.action": "accept", - "event.code": "redol", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "date=2019-1-5 time=6:22:49 logver=intocca devid=vel devname=xeacom logid=orum type=voluptat subtype=nsequ level=medium vd=tenimad srcip=10.140.215.210 srcport=7229 srcintf=lo568 dstip=10.71.213.217 dstport=7475 dstintf=eth5820 poluuid=lup sessionid=reetdolo proto=HOPOPT action=accept policyid=dolor trandisp=emagnam duration=154.150000 sentbyte=2336 rcvdbyte=5326 devtype=emull osname=enatuser osversion=1.3052 mastersrcmac=ectob srcmac=01:00:5e:4a:5d:af crscore=9.013000 craction=niamqu crlevel=nrep eventtype=lauda user=ionevo service=busB hostname=pidatatn2627.www.localdomain profile=eritinvo reqtype=quiav url=https://mail.example.org/ngelit/dipiscin.gif?serro=ctet#umiurere direction=inbound msg=ciun method=ssitaspe cat=deomnis catdesc=ulamcol device_id=onn log_id=redol pri=medium userfrom=utlabore adminprof=nci timezone=OMST main_type=liqu trigger_policy=ectetura sub_type=aUte severity_level=untNeque policy=roi src=10.210.82.202 src_port=2749 dst=10.208.231.15 dst_port=412 http_method=rios http_url=diconseq http_host=tenima http_agent=iusm http_session_id=mveleumi signature_subclass=equinesc signature_id=5076 srccountry=mfugiatq content_switch_name=dmini server_pool_name=emveleu false_positive_mitigation=loree 
user_name=riatur monitor_status=tempor http_refer=https://internal.example.com/spiciati/tise.gif?ctas=rvelillu#qua http_version=ciat dev_id=iamq threat_weight=porin history_threat_weight=yCi threat_level=arc ftp_mode=santium ftp_cmd=numquame cipher_suite=umfugi msg_id=amestqui", - "event.timezone": "OMST", - "fileset.name": "fortimanager", - "host.name": "pidatatn2627.www.localdomain", - "http.request.referrer": "https://internal.example.com/spiciati/tise.gif?ctas=rvelillu#qua", - "input.type": "log", - "log.level": "medium", - "log.offset": 82769, - "network.bytes": 7662, - "network.direction": "inbound", - "observer.egress.interface.name": "eth5820", - "observer.ingress.interface.name": "lo568", - "observer.product": "FortiManager", - "observer.serial_number": "onn", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.3052", - "related.hosts": [ - "pidatatn2627.www.localdomain", - "tenima", - "xeacom" - ], - "related.ip": [ - "10.208.231.15", - "10.210.82.202" - ], - "related.user": [ - "riatur" - ], - "rsa.internal.event_desc": "ciun", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "lauda", - "rsa.misc.OS": "enatuser", - "rsa.misc.action": [ - "accept", - "rios" - ], - "rsa.misc.category": "aUte", - "rsa.misc.client": "iusm", - "rsa.misc.context": "emagnam", - "rsa.misc.event_source": "xeacom", - "rsa.misc.event_type": "voluptat", - "rsa.misc.fcatnum": "deomnis", - "rsa.misc.filter": "ulamcol", - "rsa.misc.hardware_id": "onn", - "rsa.misc.log_session_id": "mveleumi", - "rsa.misc.policy_id": "dolor", - "rsa.misc.policy_name": "roi", - "rsa.misc.reference_id": "redol", - "rsa.misc.rule_name": "eritinvo", - "rsa.misc.severity": "medium", - "rsa.misc.sig_id": 5076, - "rsa.misc.version": "1.3052", - "rsa.misc.vsys": "tenimad", - "rsa.network.alias_host": [ - "pidatatn2627.www.localdomain" - ], - "rsa.network.dinterface": "eth5820", - "rsa.network.network_service": "busB", - 
"rsa.network.sinterface": "lo568", - "rsa.threat.threat_desc": "arc", - "rsa.time.duration_time": 154.15, - "rsa.time.event_time": "2019-01-05T08:22:49.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.reputation_num": 9.013, - "rsa.web.web_ref_domain": "tenima", - "rule.name": "eritinvo", - "service.type": "fortinet", - "source.bytes": 2336, - "source.geo.country_name": "mfugiatq", - "source.ip": "10.210.82.202", - "source.mac": "01:00:5e:4a:5d:af", - "source.port": 2749, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "mail.example.org", - "url.extension": "gif", - "url.fragment": "umiurere", - "url.original": "https://mail.example.org/ngelit/dipiscin.gif?serro=ctet#umiurere", - "url.path": "/ngelit/dipiscin.gif", - "url.query": [ - "diconseq", - "serro=ctet" - ], - "url.scheme": "https", - "user.name": "riatur" - }, - { - "@timestamp": "2019-01-19T03:25:23.000Z", - "destination.bytes": 220, - "destination.geo.country_name": "aqueipsa", - "destination.ip": "10.123.59.69", - "destination.nat.ip": "10.53.251.202", - "destination.nat.port": 7501, - "destination.port": 5399, - "event.action": "accept", - "event.code": "edd", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=tesseq devname=\"nimides\" devid=\"iusmodte\" vd=involup date=2019-1-19 time=1:25:23 logid=edd type=dolorsi subtype=mcolabo level=low eventtime=exe logtime=nve srcip=10.226.255.3 srcport=5449 srcintf=lo7680 srcintfrole=iaconseq dstip=10.123.59.69 dstport=5399 dstintf=lo5835 dstintfrole=ntsunti poluuid=bor sessionid=uisnos proto=6 action=accept policyid=tation policytype=seddoe crscore=21.625000 craction=eur crlevel=ntmolli appcat=pitl service=nulap srccountry=ipexe dstcountry=aqueipsa trandisp=psum tranip=10.53.251.202 tranport=7501 duration=131.751000 sentbyte=6876 rcvdbyte=220 sentpkt=ugi app=ptate", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "low", - "log.offset": 84276, - "network.bytes": 
7096, - "observer.egress.interface.name": "lo5835", - "observer.ingress.interface.name": "lo7680", - "observer.product": "FortiManager", - "observer.serial_number": "iusmodte", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "nimides" - ], - "related.ip": [ - "10.123.59.69", - "10.226.255.3", - "10.53.251.202" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "mcolabo", - "rsa.misc.context": "psum", - "rsa.misc.event_source": "nimides", - "rsa.misc.event_type": "dolorsi", - "rsa.misc.hardware_id": "iusmodte", - "rsa.misc.log_session_id": "uisnos", - "rsa.misc.obj_name": "ptate", - "rsa.misc.policy_id": "tation", - "rsa.misc.reference_id": "edd", - "rsa.misc.severity": "low", - "rsa.misc.vsys": "involup", - "rsa.network.dinterface": "lo5835", - "rsa.network.network_service": "nulap", - "rsa.network.sinterface": "lo7680", - "rsa.time.duration_time": 131.751, - "rsa.time.event_time": "2019-01-19T03:25:23.000Z", - "rsa.time.event_time_str": "exe", - "rsa.web.reputation_num": 21.625, - "service.type": "fortinet", - "source.bytes": 6876, - "source.geo.country_name": "ipexe", - "source.ip": "10.226.255.3", - "source.port": 5449, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2019-02-02T10:27:57.000Z", - "destination.bytes": 7868, - "destination.geo.country_name": "persp", - "destination.ip": "10.212.56.26", - "destination.nat.ip": "10.29.141.252", - "destination.nat.port": 2077, - "destination.port": 3032, - "event.action": "block", - "event.code": "uide", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=rur devname=\"edut\" devid=\"sitametc\" vd=iarchite date=2019-2-2 time=8:27:57 logid=uide type=iono subtype=aboris level=very-high eventtime=imidest logtime=ulamc srcip=10.3.85.176 srcport=318 srcintf=eth2546 srcintfrole=uptateve dstip=10.212.56.26 dstport=3032 
dstintf=enp0s2353 dstintfrole=loin poluuid=cinge sessionid=tutl proto=udp action=block policyid=nesciu policytype=ueip crscore=162.484000 craction=orumSe crlevel=mSe appcat=itame service=quaturv srccountry=lumdolor dstcountry=persp trandisp=leumi tranip=10.29.141.252 tranport=2077 duration=106.468000 sentbyte=3472 rcvdbyte=7868 sentpkt=orum app=reseos", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "very-high", - "log.offset": 84887, - "network.bytes": 11340, - "observer.egress.interface.name": "enp0s2353", - "observer.ingress.interface.name": "eth2546", - "observer.product": "FortiManager", - "observer.serial_number": "sitametc", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "edut" - ], - "related.ip": [ - "10.212.56.26", - "10.29.141.252", - "10.3.85.176" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "aboris", - "rsa.misc.context": "leumi", - "rsa.misc.event_source": "edut", - "rsa.misc.event_type": "iono", - "rsa.misc.hardware_id": "sitametc", - "rsa.misc.log_session_id": "tutl", - "rsa.misc.obj_name": "reseos", - "rsa.misc.policy_id": "nesciu", - "rsa.misc.reference_id": "uide", - "rsa.misc.severity": "very-high", - "rsa.misc.vsys": "iarchite", - "rsa.network.dinterface": "enp0s2353", - "rsa.network.network_service": "quaturv", - "rsa.network.sinterface": "eth2546", - "rsa.time.duration_time": 106.468, - "rsa.time.event_time": "2019-02-02T10:27:57.000Z", - "rsa.time.event_time_str": "imidest", - "rsa.web.reputation_num": 162.484, - "service.type": "fortinet", - "source.bytes": 3472, - "source.geo.country_name": "lumdolor", - "source.ip": "10.3.85.176", - "source.port": 318, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2019-02-17T05:30:32.000Z", - "destination.bytes": 4658, - "destination.ip": "10.236.175.163", - "destination.port": 6562, - "event.action": "cancel", - "event.code": 
"oeni", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "date=2019-2-17 time=3:30:32 devname=orem device_id=seq log_id=cus type=generic subtype=tnulap pri=very-high devid=psamvolu devname=inculp logid=eni type=tcupid subtype=ercita level=very-high vd=olorinr srcip=10.110.166.81 srcport=7354 srcintf=lo3023 dstip=10.181.48.82 dstport=1225 dstintf=eth7640 poluuid=conseq sessionid=Nemoen proto=6 action=cancel policyid=umquamei trandisp=nih duration=55.527000 sentbyte=3449 rcvdbyte=4658 devtype=quia osname=eabill osversion=1.95 mastersrcmac=oeiusmo srcmac=01:00:5e:82:ca:1b crscore=67.321000 craction=rumwrit crlevel=tionofd eventtype=ill user=orroquis service=laparia hostname=emveleu4029.api.local profile=tconse reqtype=ntsun url=https://internal.example.net/inc/riaturEx.htm?mnihilm=itinvo#lestia direction=external msg=metcons method=lumd cat=liquaUt catdesc=snos device_id=maccusan log_id=oeni pri=medium userfrom=tiaecon adminprof=tincu timezone=GMT-07:00 main_type=untmoll trigger_policy=par sub_type=idatatno severity_level=tfugit policy=tla src=10.126.11.186 src_port=589 dst=10.236.175.163 dst_port=6562 http_method=atemqui http_url=icaboN http_host=Utenimad http_agent=res http_session_id=officiad signature_subclass=nsectet signature_id=3977 srccountry=temU content_switch_name=ciduntut server_pool_name=ionofd false_positive_mitigation=etqua user_name=udantiu monitor_status=tium http_refer=https://internal.example.net/leumiu/iuta.html?tfugit=rorsitv#tiaecons http_version=uamestq dev_id=aliquaUt threat_weight=boreet history_threat_weight=mquam threat_level=volu ftp_mode=nof ftp_cmd=boNe cipher_suite=ovolu msg_id=cid", - "event.timezone": "GMT-07:00", - "fileset.name": "fortimanager", - "host.name": "emveleu4029.api.local", - "http.request.referrer": "https://internal.example.net/leumiu/iuta.html?tfugit=rorsitv#tiaecons", - "input.type": "log", - "log.level": "medium", - "log.offset": 85506, - "network.bytes": 8107, - 
"network.direction": "external", - "observer.egress.interface.name": "eth7640", - "observer.ingress.interface.name": "lo3023", - "observer.product": "FortiManager", - "observer.serial_number": "maccusan", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.95", - "related.hosts": [ - "Utenimad", - "emveleu4029.api.local", - "inculp" - ], - "related.ip": [ - "10.126.11.186", - "10.236.175.163" - ], - "related.user": [ - "udantiu" - ], - "rsa.internal.event_desc": "metcons", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "ill", - "rsa.misc.OS": "eabill", - "rsa.misc.action": [ - "atemqui", - "cancel" - ], - "rsa.misc.category": "idatatno", - "rsa.misc.client": "res", - "rsa.misc.context": "nih", - "rsa.misc.event_source": "inculp", - "rsa.misc.event_type": "tcupid", - "rsa.misc.fcatnum": "liquaUt", - "rsa.misc.filter": "snos", - "rsa.misc.hardware_id": "maccusan", - "rsa.misc.log_session_id": "officiad", - "rsa.misc.policy_id": "umquamei", - "rsa.misc.policy_name": "tla", - "rsa.misc.reference_id": "oeni", - "rsa.misc.rule_name": "tconse", - "rsa.misc.severity": "medium", - "rsa.misc.sig_id": 3977, - "rsa.misc.version": "1.95", - "rsa.misc.vsys": "olorinr", - "rsa.network.alias_host": [ - "emveleu4029.api.local" - ], - "rsa.network.dinterface": "eth7640", - "rsa.network.network_service": "laparia", - "rsa.network.sinterface": "lo3023", - "rsa.threat.threat_desc": "volu", - "rsa.time.duration_time": 55.527, - "rsa.time.event_time": "2019-02-17T05:30:32.000Z", - "rsa.time.timezone": "GMT-07:00", - "rsa.web.reputation_num": 67.321, - "rsa.web.web_ref_domain": "Utenimad", - "rule.name": "tconse", - "service.type": "fortinet", - "source.bytes": 3449, - "source.geo.country_name": "temU", - "source.ip": "10.126.11.186", - "source.mac": "01:00:5e:82:ca:1b", - "source.port": 589, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "internal.example.net", - "url.extension": 
"htm", - "url.fragment": "lestia", - "url.original": "https://internal.example.net/inc/riaturEx.htm?mnihilm=itinvo#lestia", - "url.path": "/inc/riaturEx.htm", - "url.query": [ - "icaboN", - "mnihilm=itinvo" - ], - "url.scheme": "https", - "user.name": "udantiu" - }, - { - "@timestamp": "2019-03-03T12:33:06.000Z", - "destination.bytes": 3339, - "destination.geo.country_name": "paq", - "destination.ip": "10.11.150.136", - "destination.nat.ip": "10.83.98.220", - "destination.nat.port": 1300, - "destination.port": 3615, - "event.action": "cancel", - "event.code": "oeius", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=equamn devname=\"mes\" devid=\"itatio\" vd=ssecillu date=2019-3-3 time=10:33:06 logid=oeius type=itin subtype=nostrud level=medium eventtime=byCic logtime=mnisiuta srcip=10.171.60.173 srcport=209 srcintf=lo1917 srcintfrole=usmodite dstip=10.11.150.136 dstport=3615 dstintf=lo5438 dstintfrole=olup poluuid=urQuis sessionid=iquip proto=1 action=cancel policyid=untutl policytype=elite crscore=176.898000 craction=ipsaq crlevel=spici appcat=nvolupt service=antiu srccountry=llumquid dstcountry=paq trandisp=olup tranip=10.83.98.220 tranport=1300 duration=73.115000 sentbyte=5812 rcvdbyte=3339 sentpkt=amquis app=umtotam", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "medium", - "log.offset": 87085, - "network.bytes": 9151, - "observer.egress.interface.name": "lo5438", - "observer.ingress.interface.name": "lo1917", - "observer.product": "FortiManager", - "observer.serial_number": "itatio", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "mes" - ], - "related.ip": [ - "10.11.150.136", - "10.171.60.173", - "10.83.98.220" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "nostrud", - "rsa.misc.context": "olup", - "rsa.misc.event_source": "mes", - "rsa.misc.event_type": "itin", 
- "rsa.misc.hardware_id": "itatio", - "rsa.misc.log_session_id": "iquip", - "rsa.misc.obj_name": "umtotam", - "rsa.misc.policy_id": "untutl", - "rsa.misc.reference_id": "oeius", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "ssecillu", - "rsa.network.dinterface": "lo5438", - "rsa.network.network_service": "antiu", - "rsa.network.sinterface": "lo1917", - "rsa.time.duration_time": 73.115, - "rsa.time.event_time": "2019-03-03T12:33:06.000Z", - "rsa.time.event_time_str": "byCic", - "rsa.web.reputation_num": 176.898, - "service.type": "fortinet", - "source.bytes": 5812, - "source.geo.country_name": "llumquid", - "source.ip": "10.171.60.173", - "source.port": 209, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2019-03-17T07:35:40.000Z", - "destination.bytes": 3946, - "destination.geo.country_name": "ipisc", - "destination.ip": "10.74.88.209", - "destination.nat.ip": "10.92.3.166", - "destination.nat.port": 5777, - "destination.port": 740, - "event.action": "deny", - "event.code": "uiavo", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=pitlabo dtime=2019-03-17 17:35:40.532538723 +0000 UTC devid=lorsita devname=datatno vd=emac date=2019-3-17 time=5:35:40 logid=uiavo type=tdo subtype=ratvolup level=high eventtime=dolo logtime=quioffic srcip=10.238.49.73 srcport=1554 srcintf=enp0s11 srcintfrole=riatu dstip=10.74.88.209 dstport=740 dstintf=lo5287 dstintfrole=quep poluuid=tfugitse sessionid=oenimips proto=udp action=deny policyid=mdo policytype=map crscore=148.871000 craction=osqui crlevel=consequ appcat=catcupid service=velitess srccountry=sit dstcountry=ipisc trandisp=onsectet tranip=10.92.3.166 tranport=5777 duration=156.314000 sentbyte=715 rcvdbyte=3946 sentpkt=itvol app=dolo", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "high", - "log.offset": 87705, - "network.bytes": 4661, - "observer.egress.interface.name": "lo5287", - 
"observer.ingress.interface.name": "enp0s11", - "observer.product": "FortiManager", - "observer.serial_number": "lorsita", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "datatno" - ], - "related.ip": [ - "10.238.49.73", - "10.74.88.209", - "10.92.3.166" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "ratvolup", - "rsa.misc.context": "onsectet", - "rsa.misc.event_source": "datatno", - "rsa.misc.event_type": "tdo", - "rsa.misc.hardware_id": "lorsita", - "rsa.misc.log_session_id": "oenimips", - "rsa.misc.obj_name": "dolo", - "rsa.misc.policy_id": "mdo", - "rsa.misc.reference_id": "uiavo", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "emac", - "rsa.network.dinterface": "lo5287", - "rsa.network.network_service": "velitess", - "rsa.network.sinterface": "enp0s11", - "rsa.time.duration_time": 156.314, - "rsa.time.event_time": "2019-03-17T07:35:40.000Z", - "rsa.time.event_time_str": "dolo", - "rsa.web.reputation_num": 148.871, - "service.type": "fortinet", - "source.bytes": 715, - "source.geo.country_name": "sit", - "source.ip": "10.238.49.73", - "source.port": 1554, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2019-04-01T14:38:14.000Z", - "destination.bytes": 4329, - "destination.geo.country_name": "quelaud", - "destination.ip": "10.187.107.47", - "destination.nat.ip": "10.84.200.121", - "destination.nat.port": 3226, - "destination.port": 288, - "event.action": "allow", - "event.code": "periamea", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=amquisno dtime=2019-04-01 00:38:14.792538723 +0000 UTC devid=uptasnul devname=ptate vd=deri date=2019-4-1 time=12:38:14 logid=periamea type=equatD subtype=quaturQu level=high eventtime=rpo logtime=inr srcip=10.119.248.36 srcport=2450 srcintf=enp0s1885 srcintfrole=ten dstip=10.187.107.47 dstport=288 dstintf=lo2445 
dstintfrole=fugia poluuid=psa sessionid=iset proto=prm action=allow policyid=ecte policytype=ionemull crscore=84.399000 craction=sBo crlevel=nimides appcat=iurere service=edolorin srccountry=labor dstcountry=quelaud trandisp=ira tranip=10.84.200.121 tranport=3226 duration=128.212000 sentbyte=2150 rcvdbyte=4329 sentpkt=nos app=icta", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "high", - "log.offset": 88364, - "network.bytes": 6479, - "observer.egress.interface.name": "lo2445", - "observer.ingress.interface.name": "enp0s1885", - "observer.product": "FortiManager", - "observer.serial_number": "uptasnul", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "ptate" - ], - "related.ip": [ - "10.119.248.36", - "10.187.107.47", - "10.84.200.121" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "quaturQu", - "rsa.misc.context": "ira", - "rsa.misc.event_source": "ptate", - "rsa.misc.event_type": "equatD", - "rsa.misc.hardware_id": "uptasnul", - "rsa.misc.log_session_id": "iset", - "rsa.misc.obj_name": "icta", - "rsa.misc.policy_id": "ecte", - "rsa.misc.reference_id": "periamea", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "deri", - "rsa.network.dinterface": "lo2445", - "rsa.network.network_service": "edolorin", - "rsa.network.sinterface": "enp0s1885", - "rsa.time.duration_time": 128.212, - "rsa.time.event_time": "2019-04-01T14:38:14.000Z", - "rsa.time.event_time_str": "rpo", - "rsa.web.reputation_num": 84.399, - "service.type": "fortinet", - "source.bytes": 2150, - "source.geo.country_name": "labor", - "source.ip": "10.119.248.36", - "source.port": 2450, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2019-04-15T09:40:49.000Z", - "destination.bytes": 1057, - "destination.geo.country_name": "nvolupt", - "destination.ip": "10.135.213.17", - "destination.nat.ip": "10.30.239.222", - 
"destination.nat.port": 1546, - "destination.port": 6427, - "event.action": "block", - "event.code": "atae", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=itseddo devname=\"tasu\" devid=\"mquae\" vd=CSedu date=2019-4-15 time=7:40:49 logid=atae type=aeconseq subtype=boNemo level=very-high eventtime=nemulla logtime=tmollit srcip=10.167.128.229 srcport=4052 srcintf=eth1833 srcintfrole=ciatisu dstip=10.135.213.17 dstport=6427 dstintf=eth6468 dstintfrole=ritat poluuid=dipi sessionid=asnulapa proto=prm action=block policyid=onsequa policytype=seddoe crscore=23.021000 craction=Bonorume crlevel=emeumfu appcat=tla service=uidexea srccountry=odtem dstcountry=nvolupt trandisp=stia tranip=10.30.239.222 tranport=1546 duration=10.721000 sentbyte=6561 rcvdbyte=1057 sentpkt=itectobe app=rroq", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "very-high", - "log.offset": 89019, - "network.bytes": 7618, - "observer.egress.interface.name": "eth6468", - "observer.ingress.interface.name": "eth1833", - "observer.product": "FortiManager", - "observer.serial_number": "mquae", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "tasu" - ], - "related.ip": [ - "10.135.213.17", - "10.167.128.229", - "10.30.239.222" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "boNemo", - "rsa.misc.context": "stia", - "rsa.misc.event_source": "tasu", - "rsa.misc.event_type": "aeconseq", - "rsa.misc.hardware_id": "mquae", - "rsa.misc.log_session_id": "asnulapa", - "rsa.misc.obj_name": "rroq", - "rsa.misc.policy_id": "onsequa", - "rsa.misc.reference_id": "atae", - "rsa.misc.severity": "very-high", - "rsa.misc.vsys": "CSedu", - "rsa.network.dinterface": "eth6468", - "rsa.network.network_service": "uidexea", - "rsa.network.sinterface": "eth1833", - "rsa.time.duration_time": 10.721, - "rsa.time.event_time": 
"2019-04-15T09:40:49.000Z", - "rsa.time.event_time_str": "nemulla", - "rsa.web.reputation_num": 23.021, - "service.type": "fortinet", - "source.bytes": 6561, - "source.geo.country_name": "odtem", - "source.ip": "10.167.128.229", - "source.port": 4052, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2019-04-29T04:43:23.000Z", - "destination.bytes": 1150, - "destination.ip": "10.115.166.48", - "destination.port": 7491, - "event.action": "block", - "event.code": "tiumt", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "date=2019-4-29 time=2:43:23 devname=uunt device_id=pic log_id=unt type=generic subtype=emUt pri=medium devid=pernatur devname=orem logid=enbyCice type=velil subtype=nsequat level=low vd=duntutl srcip=10.238.172.76 srcport=156 srcintf=lo1215 dstip=10.201.119.253 dstport=2230 dstintf=enp0s7218 poluuid=nimad sessionid=tionu proto=udp action=block policyid=emagna trandisp=quin duration=68.078000 sentbyte=2527 rcvdbyte=1150 devtype=consequ osname=min osversion=1.1028 mastersrcmac=edicta srcmac=01:00:5e:cd:6c:ed crscore=163.905000 craction=itinvolu crlevel=urerepre eventtype=iumdol user=serror service=uptass hostname=rspic5637.api.local profile=itatise reqtype=iut url=https://api.example.net/ita/esse.txt?amquis=iatquovo#rExce direction=inbound msg=uraut method=reetdol cat=umtotam catdesc=itaedi device_id=ant log_id=tiumt pri=very-high userfrom=ratvolup adminprof=iamqu timezone=CT main_type=quaturve trigger_policy=tsunti sub_type=ero severity_level=iusmodi policy=acomm src=10.169.133.219 src_port=92 dst=10.115.166.48 dst_port=7491 http_method=eleumiur http_url=ididun http_host=edi http_agent=gia http_session_id=uaturQui signature_subclass=emi signature_id=5446 srccountry=etM content_switch_name=eve server_pool_name=iru false_positive_mitigation=ipit user_name=emq monitor_status=elitsedq http_refer=https://www.example.net/onsequat/emagnaa.gif?itse=tco#nnumqua http_version=erit 
dev_id=lorsitam threat_weight=emagnama history_threat_weight=ute threat_level=Excep ftp_mode=utpersp ftp_cmd=rehe cipher_suite=tiumt msg_id=ulamc", - "event.timezone": "CT", - "fileset.name": "fortimanager", - "host.name": "rspic5637.api.local", - "http.request.referrer": "https://www.example.net/onsequat/emagnaa.gif?itse=tco#nnumqua", - "input.type": "log", - "log.level": "very-high", - "log.offset": 89654, - "network.bytes": 3677, - "network.direction": "inbound", - "observer.egress.interface.name": "enp0s7218", - "observer.ingress.interface.name": "lo1215", - "observer.product": "FortiManager", - "observer.serial_number": "ant", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.1028", - "related.hosts": [ - "edi", - "orem", - "rspic5637.api.local" - ], - "related.ip": [ - "10.115.166.48", - "10.169.133.219" - ], - "related.user": [ - "emq" - ], - "rsa.internal.event_desc": "uraut", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "iumdol", - "rsa.misc.OS": "min", - "rsa.misc.action": [ - "block", - "eleumiur" - ], - "rsa.misc.category": "ero", - "rsa.misc.client": "gia", - "rsa.misc.context": "quin", - "rsa.misc.event_source": "orem", - "rsa.misc.event_type": "velil", - "rsa.misc.fcatnum": "umtotam", - "rsa.misc.filter": "itaedi", - "rsa.misc.hardware_id": "ant", - "rsa.misc.log_session_id": "uaturQui", - "rsa.misc.policy_id": "emagna", - "rsa.misc.policy_name": "acomm", - "rsa.misc.reference_id": "tiumt", - "rsa.misc.rule_name": "itatise", - "rsa.misc.severity": "very-high", - "rsa.misc.sig_id": 5446, - "rsa.misc.version": "1.1028", - "rsa.misc.vsys": "duntutl", - "rsa.network.alias_host": [ - "rspic5637.api.local" - ], - "rsa.network.dinterface": "enp0s7218", - "rsa.network.network_service": "uptass", - "rsa.network.sinterface": "lo1215", - "rsa.threat.threat_desc": "Excep", - "rsa.time.duration_time": 68.078, - "rsa.time.event_time": "2019-04-29T04:43:23.000Z", - 
"rsa.time.timezone": "CT", - "rsa.web.reputation_num": 163.905, - "rsa.web.web_ref_domain": "edi", - "rule.name": "itatise", - "service.type": "fortinet", - "source.bytes": 2527, - "source.geo.country_name": "etM", - "source.ip": "10.169.133.219", - "source.mac": "01:00:5e:cd:6c:ed", - "source.port": 92, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "api.example.net", - "url.extension": "txt", - "url.fragment": "rExce", - "url.original": "https://api.example.net/ita/esse.txt?amquis=iatquovo#rExce", - "url.path": "/ita/esse.txt", - "url.query": [ - "amquis=iatquovo", - "ididun" - ], - "url.scheme": "https", - "user.name": "emq" - }, - { - "@timestamp": "2019-05-13T11:45:57.000Z", - "destination.bytes": 4374, - "destination.ip": "10.226.39.82", - "destination.port": 3950, - "event.action": "block", - "event.code": "isetqu", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=runt date=2019-5-13 time=9:45:57 log_id=emipsu devid=icaboNem devname=Except logid=fugits type=maliquam subtype=mav level=very-high vd=ecill srcip=10.36.122.89 srcport=5040 srcintf=lo3887 dstip=10.206.76.186 dstport=741 dstintf=eth2435 poluuid=atisund sessionid=enbyCic proto=1 action=block policyid=nrepre trandisp=uisautem duration=145.667000 sentbyte=4247 rcvdbyte=4374 devtype=tio osname=aconseq osversion=1.4195 mastersrcmac=enatuser srcmac=01:00:5e:1a:9c:4f crscore=124.786000 craction=rcitatio crlevel=olore eventtype=ntexp user=atio service=roquisqu hostname=rror3870.www5.local profile=volu reqtype=occ url=https://www5.example.net/culpa/isun.txt?cola=tura#rat direction=internal msg=sect method=ing cat=nis catdesc=aboreet device_id=ulapari log_id=isetqu pri=high userfrom=ons adminprof=Sedu timezone=CEST main_type=icaboNem trigger_policy=enderi sub_type=edqu severity_level=cita policy=uidolore src=10.146.255.40 src_port=3003 dst=10.226.39.82 dst_port=3950 http_method=oluptate http_url=orumwrit http_host=aconse 
http_agent=ites http_session_id=abori signature_subclass=dolor signature_id=3543 srccountry=amqu content_switch_name=uamest server_pool_name=ntoccaec false_positive_mitigation=ites user_name=caecatcu monitor_status=iof http_refer=https://api.example.com/uae/mdolo.txt?aute=itatise#utpers http_version=equunt dev_id=Nemo threat_weight=itse history_threat_weight=lillumq threat_level=idid ftp_mode=uis ftp_cmd=velits cipher_suite=mmodo msg_id=rporissu", - "event.timezone": "CEST", - "fileset.name": "fortimanager", - "host.name": "rror3870.www5.local", - "http.request.referrer": "https://api.example.com/uae/mdolo.txt?aute=itatise#utpers", - "input.type": "log", - "log.level": "high", - "log.offset": 91192, - "network.bytes": 8621, - "network.direction": "internal", - "observer.egress.interface.name": "eth2435", - "observer.ingress.interface.name": "lo3887", - "observer.product": "FortiManager", - "observer.serial_number": "ulapari", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.4195", - "related.hosts": [ - "Except", - "aconse", - "rror3870.www5.local" - ], - "related.ip": [ - "10.146.255.40", - "10.226.39.82" - ], - "related.user": [ - "caecatcu" - ], - "rsa.internal.event_desc": "sect", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "ntexp", - "rsa.misc.OS": "aconseq", - "rsa.misc.action": [ - "block", - "oluptate" - ], - "rsa.misc.category": "edqu", - "rsa.misc.client": "ites", - "rsa.misc.context": "uisautem", - "rsa.misc.event_source": "Except", - "rsa.misc.event_type": "maliquam", - "rsa.misc.fcatnum": "nis", - "rsa.misc.filter": "aboreet", - "rsa.misc.hardware_id": "ulapari", - "rsa.misc.log_session_id": "abori", - "rsa.misc.policy_id": "nrepre", - "rsa.misc.policy_name": "uidolore", - "rsa.misc.reference_id": "isetqu", - "rsa.misc.rule_name": "volu", - "rsa.misc.severity": "high", - "rsa.misc.sig_id": 3543, - "rsa.misc.version": "1.4195", - "rsa.misc.vsys": "ecill", - 
"rsa.network.alias_host": [ - "rror3870.www5.local" - ], - "rsa.network.dinterface": "eth2435", - "rsa.network.network_service": "roquisqu", - "rsa.network.sinterface": "lo3887", - "rsa.threat.threat_desc": "idid", - "rsa.time.duration_time": 145.667, - "rsa.time.event_time": "2019-05-13T11:45:57.000Z", - "rsa.time.timezone": "CEST", - "rsa.web.reputation_num": 124.786, - "rsa.web.web_ref_domain": "aconse", - "rule.name": "volu", - "service.type": "fortinet", - "source.bytes": 4247, - "source.geo.country_name": "amqu", - "source.ip": "10.146.255.40", - "source.mac": "01:00:5e:1a:9c:4f", - "source.port": 3003, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "www5.example.net", - "url.extension": "txt", - "url.fragment": "rat", - "url.original": "https://www5.example.net/culpa/isun.txt?cola=tura#rat", - "url.path": "/culpa/isun.txt", - "url.query": [ - "cola=tura", - "orumwrit" - ], - "url.scheme": "https", - "user.name": "caecatcu" - }, - { - "@timestamp": "2019-05-28T06:48:31.000Z", - "destination.bytes": 2380, - "destination.geo.country_name": "tani", - "destination.ip": "10.224.212.88", - "destination.nat.ip": "10.35.240.70", - "destination.nat.port": 2587, - "destination.port": 5404, - "event.action": "deny", - "event.code": "ddoei", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=utemvel dtime=2019-05-28 04:48:31.832538723 +0000 UTC devid=exercita devname=emaperi vd=aspernat date=2019-5-28 time=4:48:31 logid=ddoei type=nihi subtype=umfu level=low eventtime=ehen logtime=olupt srcip=10.53.82.96 srcport=7088 srcintf=eth297 srcintfrole=nostru dstip=10.224.212.88 dstport=5404 dstintf=lo4266 dstintfrole=natuserr poluuid=ipi sessionid=eniamqui proto=icmp action=deny policyid=urvelill policytype=iadese crscore=174.116000 craction=isundeo crlevel=emq appcat=rehender service=uat srccountry=apa dstcountry=tani trandisp=per tranip=10.35.240.70 tranport=2587 duration=62.993000 sentbyte=7102 
rcvdbyte=2380 sentpkt=ataevit app=chi", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "low", - "log.offset": 92675, - "network.bytes": 9482, - "observer.egress.interface.name": "lo4266", - "observer.ingress.interface.name": "eth297", - "observer.product": "FortiManager", - "observer.serial_number": "exercita", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "emaperi" - ], - "related.ip": [ - "10.224.212.88", - "10.35.240.70", - "10.53.82.96" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "umfu", - "rsa.misc.context": "per", - "rsa.misc.event_source": "emaperi", - "rsa.misc.event_type": "nihi", - "rsa.misc.hardware_id": "exercita", - "rsa.misc.log_session_id": "eniamqui", - "rsa.misc.obj_name": "chi", - "rsa.misc.policy_id": "urvelill", - "rsa.misc.reference_id": "ddoei", - "rsa.misc.severity": "low", - "rsa.misc.vsys": "aspernat", - "rsa.network.dinterface": "lo4266", - "rsa.network.network_service": "uat", - "rsa.network.sinterface": "eth297", - "rsa.time.duration_time": 62.993, - "rsa.time.event_time": "2019-05-28T06:48:31.000Z", - "rsa.time.event_time_str": "ehen", - "rsa.web.reputation_num": 174.116, - "service.type": "fortinet", - "source.bytes": 7102, - "source.geo.country_name": "apa", - "source.ip": "10.53.82.96", - "source.port": 7088, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2019-06-11T13:51:06.000Z", - "destination.bytes": 475, - "destination.geo.country_name": "aevitae", - "destination.ip": "10.233.128.7", - "destination.nat.ip": "10.66.149.234", - "destination.nat.port": 6236, - "destination.port": 2455, - "event.action": "cancel", - "event.code": "uei", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=lorsita devname=\"oeius\" devid=\"trud\" vd=aco date=2019-6-11 time=11:51:06 logid=uei type=tsedqu subtype=agni 
level=very-high eventtime=rsint logtime=catc srcip=10.186.253.240 srcport=6982 srcintf=enp0s5429 srcintfrole=end dstip=10.233.128.7 dstport=2455 dstintf=eth5315 dstintfrole=onnumq poluuid=lupt sessionid=ugiatq proto=prm action=cancel policyid=utla policytype=iosamn crscore=164.209000 craction=tor crlevel=toreve appcat=ita service=orain srccountry=tnulap dstcountry=aevitae trandisp=aqu tranip=10.66.149.234 tranport=6236 duration=128.130000 sentbyte=6344 rcvdbyte=475 sentpkt=loremeu app=tate", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "very-high", - "log.offset": 93330, - "network.bytes": 6819, - "observer.egress.interface.name": "eth5315", - "observer.ingress.interface.name": "enp0s5429", - "observer.product": "FortiManager", - "observer.serial_number": "trud", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "oeius" - ], - "related.ip": [ - "10.186.253.240", - "10.233.128.7", - "10.66.149.234" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "agni", - "rsa.misc.context": "aqu", - "rsa.misc.event_source": "oeius", - "rsa.misc.event_type": "tsedqu", - "rsa.misc.hardware_id": "trud", - "rsa.misc.log_session_id": "ugiatq", - "rsa.misc.obj_name": "tate", - "rsa.misc.policy_id": "utla", - "rsa.misc.reference_id": "uei", - "rsa.misc.severity": "very-high", - "rsa.misc.vsys": "aco", - "rsa.network.dinterface": "eth5315", - "rsa.network.network_service": "orain", - "rsa.network.sinterface": "enp0s5429", - "rsa.time.duration_time": 128.13, - "rsa.time.event_time": "2019-06-11T13:51:06.000Z", - "rsa.time.event_time_str": "rsint", - "rsa.web.reputation_num": 164.209, - "service.type": "fortinet", - "source.bytes": 6344, - "source.geo.country_name": "tnulap", - "source.ip": "10.186.253.240", - "source.port": 6982, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2019-06-25T08:53:40.000Z", - 
"destination.bytes": 1387, - "destination.geo.country_name": "avolupt", - "destination.ip": "10.46.11.114", - "destination.nat.ip": "10.173.140.201", - "destination.nat.port": 6422, - "destination.port": 4009, - "event.action": "cancel", - "event.code": "rsintocc", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=elaud dtime=2019-06-25 18:53:40.352538723 +0000 UTC devid=iad devname=irat vd=upi date=2019-6-25 time=6:53:40 logid=rsintocc type=itanim subtype=sinto level=medium eventtime=lore logtime=eabi srcip=10.227.133.134 srcport=3351 srcintf=enp0s4820 srcintfrole=erspici dstip=10.46.11.114 dstport=4009 dstintf=enp0s7159 dstintfrole=oremq poluuid=rspiciat sessionid=ptas proto=tcp action=cancel policyid=ore policytype=dut crscore=128.554000 craction=remape crlevel=itectob appcat=sedquia service=mquisnos srccountry=mwritt dstcountry=avolupt trandisp=lumdolo tranip=10.173.140.201 tranport=6422 duration=133.394000 sentbyte=7249 rcvdbyte=1387 sentpkt=str app=sit", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "medium", - "log.offset": 93940, - "network.bytes": 8636, - "observer.egress.interface.name": "enp0s7159", - "observer.ingress.interface.name": "enp0s4820", - "observer.product": "FortiManager", - "observer.serial_number": "iad", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "irat" - ], - "related.ip": [ - "10.173.140.201", - "10.227.133.134", - "10.46.11.114" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "sinto", - "rsa.misc.context": "lumdolo", - "rsa.misc.event_source": "irat", - "rsa.misc.event_type": "itanim", - "rsa.misc.hardware_id": "iad", - "rsa.misc.log_session_id": "ptas", - "rsa.misc.obj_name": "sit", - "rsa.misc.policy_id": "ore", - "rsa.misc.reference_id": "rsintocc", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "upi", - "rsa.network.dinterface": 
"enp0s7159", - "rsa.network.network_service": "mquisnos", - "rsa.network.sinterface": "enp0s4820", - "rsa.time.duration_time": 133.394, - "rsa.time.event_time": "2019-06-25T08:53:40.000Z", - "rsa.time.event_time_str": "lore", - "rsa.web.reputation_num": 128.554, - "service.type": "fortinet", - "source.bytes": 7249, - "source.geo.country_name": "mwritt", - "source.ip": "10.227.133.134", - "source.port": 3351, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2019-07-10T03:56:14.000Z", - "destination.bytes": 1751, - "destination.geo.country_name": "ari", - "destination.ip": "10.69.130.207", - "destination.nat.ip": "10.170.236.123", - "destination.nat.port": 4346, - "destination.port": 1191, - "event.action": "cancel", - "event.code": "sciveli", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=elillum dtime=2019-07-10 01:56:14.612538723 +0000 UTC devid=isnos devname=emp vd=eos date=2019-7-10 time=1:56:14 logid=sciveli type=Bonoru subtype=rai level=low eventtime=omm logtime=cepteu srcip=10.205.18.11 srcport=6737 srcintf=eth4759 srcintfrole=ueipsa dstip=10.69.130.207 dstport=1191 dstintf=eth614 dstintfrole=architec poluuid=era sessionid=ptatem proto=udp action=cancel policyid=isi policytype=ssecill crscore=44.181000 craction=exerci crlevel=ptatemUt appcat=temqu service=ofd srccountry=nimvenia dstcountry=ari trandisp=eir tranip=10.170.236.123 tranport=4346 duration=150.036000 sentbyte=6877 rcvdbyte=1751 sentpkt=orum app=tation", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "low", - "log.offset": 94604, - "network.bytes": 8628, - "observer.egress.interface.name": "eth614", - "observer.ingress.interface.name": "eth4759", - "observer.product": "FortiManager", - "observer.serial_number": "isnos", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "emp" - ], - "related.ip": [ - "10.170.236.123", - "10.205.18.11", - 
"10.69.130.207" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "rai", - "rsa.misc.context": "eir", - "rsa.misc.event_source": "emp", - "rsa.misc.event_type": "Bonoru", - "rsa.misc.hardware_id": "isnos", - "rsa.misc.log_session_id": "ptatem", - "rsa.misc.obj_name": "tation", - "rsa.misc.policy_id": "isi", - "rsa.misc.reference_id": "sciveli", - "rsa.misc.severity": "low", - "rsa.misc.vsys": "eos", - "rsa.network.dinterface": "eth614", - "rsa.network.network_service": "ofd", - "rsa.network.sinterface": "eth4759", - "rsa.time.duration_time": 150.036, - "rsa.time.event_time": "2019-07-10T03:56:14.000Z", - "rsa.time.event_time_str": "omm", - "rsa.web.reputation_num": 44.181, - "service.type": "fortinet", - "source.bytes": 6877, - "source.geo.country_name": "nimvenia", - "source.ip": "10.205.18.11", - "source.port": 6737, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2019-07-24T10:58:48.000Z", - "destination.bytes": 1742, - "destination.ip": "10.124.34.251", - "destination.port": 3899, - "event.action": "deny", - "event.code": "mrem", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=repre date=2019-7-24 time=8:58:48 log_id=ore devid=ionemu devname=rehend logid=uiad type=tasu subtype=sciun level=high vd=taev srcip=10.196.124.206 srcport=7569 srcintf=enp0s2181 dstip=10.186.88.110 dstport=4203 dstintf=enp0s5497 poluuid=asnulapa sessionid=hende proto=0 action=deny policyid=ntmolli trandisp=uto duration=178.755000 sentbyte=6361 rcvdbyte=1742 devtype=ipsu osname=taedi osversion=1.2682 mastersrcmac=acom srcmac=01:00:5e:99:e3:a5 crscore=175.099000 craction=Cic crlevel=aturveli eventtype=lica user=Exc service=amvolup hostname=velill3821.mail.invalid profile=asnulap reqtype=usmodte url=https://example.com/loremag/mqu.gif?bore=lapari#aborios direction=external msg=lorem method=mnisiuta cat=quiadolo catdesc=abo 
device_id=msequine log_id=mrem pri=medium userfrom=atuserr adminprof=nsequatu timezone=ET main_type=uptasnu trigger_policy=atemUt sub_type=iurere severity_level=oident policy=volup src=10.97.254.192 src_port=302 dst=10.124.34.251 dst_port=3899 http_method=imide http_url=sequa http_host=ine http_agent=ollitan http_session_id=eacomm signature_subclass=onseq signature_id=6250 srccountry=reetd content_switch_name=equamnih server_pool_name=tevelite false_positive_mitigation=sitvolup user_name=epor monitor_status=atatnonp http_refer=https://example.org/elauda/ria.htm?uptatemU=iono#quun http_version=itationu dev_id=eniamqui threat_weight=adolo history_threat_weight=oreetdol threat_level=uinesciu ftp_mode=sciun ftp_cmd=tametc cipher_suite=rExcep msg_id=avolup", - "event.timezone": "ET", - "fileset.name": "fortimanager", - "host.name": "velill3821.mail.invalid", - "http.request.referrer": "https://example.org/elauda/ria.htm?uptatemU=iono#quun", - "input.type": "log", - "log.level": "medium", - "log.offset": 95254, - "network.bytes": 8103, - "network.direction": "external", - "observer.egress.interface.name": "enp0s5497", - "observer.ingress.interface.name": "enp0s2181", - "observer.product": "FortiManager", - "observer.serial_number": "msequine", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.2682", - "related.hosts": [ - "ine", - "rehend", - "velill3821.mail.invalid" - ], - "related.ip": [ - "10.124.34.251", - "10.97.254.192" - ], - "related.user": [ - "epor" - ], - "rsa.internal.event_desc": "lorem", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "lica", - "rsa.misc.OS": "taedi", - "rsa.misc.action": [ - "deny", - "imide" - ], - "rsa.misc.category": "iurere", - "rsa.misc.client": "ollitan", - "rsa.misc.context": "uto", - "rsa.misc.event_source": "rehend", - "rsa.misc.event_type": "tasu", - "rsa.misc.fcatnum": "quiadolo", - "rsa.misc.filter": "abo", - "rsa.misc.hardware_id": "msequine", - 
"rsa.misc.log_session_id": "eacomm", - "rsa.misc.policy_id": "ntmolli", - "rsa.misc.policy_name": "volup", - "rsa.misc.reference_id": "mrem", - "rsa.misc.rule_name": "asnulap", - "rsa.misc.severity": "medium", - "rsa.misc.sig_id": 6250, - "rsa.misc.version": "1.2682", - "rsa.misc.vsys": "taev", - "rsa.network.alias_host": [ - "velill3821.mail.invalid" - ], - "rsa.network.dinterface": "enp0s5497", - "rsa.network.network_service": "amvolup", - "rsa.network.sinterface": "enp0s2181", - "rsa.threat.threat_desc": "uinesciu", - "rsa.time.duration_time": 178.755, - "rsa.time.event_time": "2019-07-24T10:58:48.000Z", - "rsa.time.timezone": "ET", - "rsa.web.reputation_num": 175.099, - "rsa.web.web_ref_domain": "ine", - "rule.name": "asnulap", - "service.type": "fortinet", - "source.bytes": 6361, - "source.geo.country_name": "reetd", - "source.ip": "10.97.254.192", - "source.mac": "01:00:5e:99:e3:a5", - "source.port": 302, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "example.com", - "url.extension": "gif", - "url.fragment": "aborios", - "url.original": "https://example.com/loremag/mqu.gif?bore=lapari#aborios", - "url.path": "/loremag/mqu.gif", - "url.query": [ - "bore=lapari", - "sequa" - ], - "url.scheme": "https", - "user.name": "epor" - }, - { - "@timestamp": "2019-08-07T06:01:23.000Z", - "destination.bytes": 3936, - "destination.geo.country_name": "tio", - "destination.ip": "10.81.58.91", - "destination.nat.ip": "10.204.98.238", - "destination.nat.port": 3885, - "destination.port": 2247, - "event.action": "cancel", - "event.code": "ngelit", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=olores devname=\"ineavol\" devid=\"bori\" vd=taev date=2019-8-7 time=4:01:23 logid=ngelit type=uidexea subtype=stiaec level=very-high eventtime=quipex logtime=rsintoc srcip=10.9.41.221 srcport=4010 srcintf=eth434 srcintfrole=estlabor dstip=10.81.58.91 dstport=2247 dstintf=lo6072 dstintfrole=udexerci 
poluuid=onemul sessionid=elaud proto=tcp action=cancel policyid=trudexe policytype=tiumtota crscore=53.861000 craction=ariaturE crlevel=fug appcat=umqu service=umqu srccountry=roide dstcountry=tio trandisp=autem tranip=10.204.98.238 tranport=3885 duration=108.380000 sentbyte=2498 rcvdbyte=3936 sentpkt=aquioffi app=aliqui", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "very-high", - "log.offset": 96754, - "network.bytes": 6434, - "observer.egress.interface.name": "lo6072", - "observer.ingress.interface.name": "eth434", - "observer.product": "FortiManager", - "observer.serial_number": "bori", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "ineavol" - ], - "related.ip": [ - "10.204.98.238", - "10.81.58.91", - "10.9.41.221" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "stiaec", - "rsa.misc.context": "autem", - "rsa.misc.event_source": "ineavol", - "rsa.misc.event_type": "uidexea", - "rsa.misc.hardware_id": "bori", - "rsa.misc.log_session_id": "elaud", - "rsa.misc.obj_name": "aliqui", - "rsa.misc.policy_id": "trudexe", - "rsa.misc.reference_id": "ngelit", - "rsa.misc.severity": "very-high", - "rsa.misc.vsys": "taev", - "rsa.network.dinterface": "lo6072", - "rsa.network.network_service": "umqu", - "rsa.network.sinterface": "eth434", - "rsa.time.duration_time": 108.38, - "rsa.time.event_time": "2019-08-07T06:01:23.000Z", - "rsa.time.event_time_str": "quipex", - "rsa.web.reputation_num": 53.861, - "service.type": "fortinet", - "source.bytes": 2498, - "source.geo.country_name": "roide", - "source.ip": "10.9.41.221", - "source.port": 4010, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2019-08-21T13:03:57.000Z", - "event.action": "cancel", - "event.code": "velits", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "date=2019-8-21 time=11:03:57 
devname=unti device_id=tena log_id=velits type=event subtype=oditautf pri=high desc=rmagni user=tiono userfrom=utemvele msg=taevi action=cancel adom=xplicabo4308.www.example session_id=tquo", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "high", - "log.offset": 97381, - "observer.product": "FortiManager", - "observer.serial_number": "tena", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "unti", - "xplicabo4308.www.example" - ], - "related.user": [ - "tiono" - ], - "rsa.db.index": "taevi", - "rsa.internal.event_desc": "rmagni", - "rsa.internal.messageid": "event_fortinetmgr", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "oditautf", - "rsa.misc.event_source": "unti", - "rsa.misc.event_type": "event", - "rsa.misc.hardware_id": "tena", - "rsa.misc.log_session_id": "tquo", - "rsa.misc.reference_id": "velits", - "rsa.misc.severity": "high", - "rsa.network.domain": "xplicabo4308.www.example", - "rsa.time.event_time": "2019-08-21T13:03:57.000Z", - "server.domain": "xplicabo4308.www.example", - "server.registered_domain": "www.example", - "server.subdomain": "xplicabo4308", - "server.top_level_domain": "example", - "service.type": "fortinet", - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "user.name": "tiono" - }, - { - "@timestamp": "2019-09-05T08:06:31.000Z", - "destination.bytes": 11, - "destination.geo.country_name": "mollita", - "destination.ip": "10.37.120.29", - "destination.nat.ip": "10.212.208.70", - "destination.nat.port": 3237, - "destination.port": 4170, - "event.action": "accept", - "event.code": "eiusmo", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=nrepr devname=\"uipex\" devid=\"alorumw\" vd=nibus date=2019-9-5 time=6:06:31 logid=eiusmo type=rci subtype=seosquir level=medium eventtime=ume logtime=ercitati srcip=10.35.84.125 srcport=341 srcintf=enp0s2388 srcintfrole=pernatu dstip=10.37.120.29 
dstport=4170 dstintf=enp0s1127 dstintfrole=tasuntex poluuid=etura sessionid=taedi proto=udp action=accept policyid=quiacon policytype=udexerc crscore=66.169000 craction=undeomni crlevel=ritquiin appcat=taspern service=iadeser srccountry=nos dstcountry=mollita trandisp=eserun tranip=10.212.208.70 tranport=3237 duration=36.569000 sentbyte=5330 rcvdbyte=11 sentpkt=otamr app=eveli", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "medium", - "log.offset": 97600, - "network.bytes": 5341, - "observer.egress.interface.name": "enp0s1127", - "observer.ingress.interface.name": "enp0s2388", - "observer.product": "FortiManager", - "observer.serial_number": "alorumw", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "uipex" - ], - "related.ip": [ - "10.212.208.70", - "10.35.84.125", - "10.37.120.29" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "seosquir", - "rsa.misc.context": "eserun", - "rsa.misc.event_source": "uipex", - "rsa.misc.event_type": "rci", - "rsa.misc.hardware_id": "alorumw", - "rsa.misc.log_session_id": "taedi", - "rsa.misc.obj_name": "eveli", - "rsa.misc.policy_id": "quiacon", - "rsa.misc.reference_id": "eiusmo", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "nibus", - "rsa.network.dinterface": "enp0s1127", - "rsa.network.network_service": "iadeser", - "rsa.network.sinterface": "enp0s2388", - "rsa.time.duration_time": 36.569, - "rsa.time.event_time": "2019-09-05T08:06:31.000Z", - "rsa.time.event_time_str": "ume", - "rsa.web.reputation_num": 66.169, - "service.type": "fortinet", - "source.bytes": 5330, - "source.geo.country_name": "nos", - "source.ip": "10.35.84.125", - "source.port": 341, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2019-09-19T03:09:05.000Z", - "destination.bytes": 7419, - "destination.geo.country_name": "ullamcor", - "destination.ip": "10.199.201.26", - 
"destination.nat.ip": "10.207.207.106", - "destination.nat.port": 2048, - "destination.port": 3770, - "event.action": "accept", - "event.code": "olor", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=temsequi devname=\"aturvel\" devid=\"elaudan\" vd=alorum date=2019-9-19 time=1:09:05 logid=olor type=inesc subtype=tlaborio level=high eventtime=equeporr logtime=seq srcip=10.143.65.84 srcport=2670 srcintf=enp0s5828 srcintfrole=ddoeiu dstip=10.199.201.26 dstport=3770 dstintf=eth4236 dstintfrole=ore poluuid=onse sessionid=abo proto=1 action=accept policyid=magnaa policytype=tateveli crscore=94.258000 craction=xplica crlevel=dex appcat=rsintocc service=iusmo srccountry=oquisqu dstcountry=ullamcor trandisp=remagn tranip=10.207.207.106 tranport=2048 duration=94.877000 sentbyte=6896 rcvdbyte=7419 sentpkt=tvolup app=ites", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "high", - "log.offset": 98232, - "network.bytes": 14315, - "observer.egress.interface.name": "eth4236", - "observer.ingress.interface.name": "enp0s5828", - "observer.product": "FortiManager", - "observer.serial_number": "elaudan", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "aturvel" - ], - "related.ip": [ - "10.143.65.84", - "10.199.201.26", - "10.207.207.106" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "tlaborio", - "rsa.misc.context": "remagn", - "rsa.misc.event_source": "aturvel", - "rsa.misc.event_type": "inesc", - "rsa.misc.hardware_id": "elaudan", - "rsa.misc.log_session_id": "abo", - "rsa.misc.obj_name": "ites", - "rsa.misc.policy_id": "magnaa", - "rsa.misc.reference_id": "olor", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "alorum", - "rsa.network.dinterface": "eth4236", - "rsa.network.network_service": "iusmo", - "rsa.network.sinterface": "enp0s5828", - "rsa.time.duration_time": 94.877, - 
"rsa.time.event_time": "2019-09-19T03:09:05.000Z", - "rsa.time.event_time_str": "equeporr", - "rsa.web.reputation_num": 94.258, - "service.type": "fortinet", - "source.bytes": 6896, - "source.geo.country_name": "oquisqu", - "source.ip": "10.143.65.84", - "source.port": 2670, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2019-10-03T10:11:40.000Z", - "destination.bytes": 3702, - "destination.geo.country_name": "rrorsi", - "destination.ip": "10.163.236.253", - "destination.nat.ip": "10.41.61.88", - "destination.nat.port": 426, - "destination.port": 7768, - "event.action": "block", - "event.code": "lestiaec", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=rExce dtime=2019-10-03 20:11:40.172538723 +0000 UTC devid=rittenby devname=gni vd=ritq date=2019-10-3 time=8:11:40 logid=lestiaec type=rissusci subtype=fdeFi level=high eventtime=ehende logtime=riatu srcip=10.204.27.48 srcport=5998 srcintf=lo7358 srcintfrole=emaperia dstip=10.163.236.253 dstport=7768 dstintf=enp0s2100 dstintfrole=sequatu poluuid=ugi sessionid=oditau proto=1 action=block policyid=mvele policytype=atae crscore=123.668000 craction=imips crlevel=admi appcat=ocons service=tiumdol srccountry=sunt dstcountry=rrorsi trandisp=remagna tranip=10.41.61.88 tranport=426 duration=82.943000 sentbyte=525 rcvdbyte=3702 sentpkt=dolor app=ips", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "high", - "log.offset": 98858, - "network.bytes": 4227, - "observer.egress.interface.name": "enp0s2100", - "observer.ingress.interface.name": "lo7358", - "observer.product": "FortiManager", - "observer.serial_number": "rittenby", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "gni" - ], - "related.ip": [ - "10.163.236.253", - "10.204.27.48", - "10.41.61.88" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": 
"fdeFi", - "rsa.misc.context": "remagna", - "rsa.misc.event_source": "gni", - "rsa.misc.event_type": "rissusci", - "rsa.misc.hardware_id": "rittenby", - "rsa.misc.log_session_id": "oditau", - "rsa.misc.obj_name": "ips", - "rsa.misc.policy_id": "mvele", - "rsa.misc.reference_id": "lestiaec", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "ritq", - "rsa.network.dinterface": "enp0s2100", - "rsa.network.network_service": "tiumdol", - "rsa.network.sinterface": "lo7358", - "rsa.time.duration_time": 82.943, - "rsa.time.event_time": "2019-10-03T10:11:40.000Z", - "rsa.time.event_time_str": "ehende", - "rsa.web.reputation_num": 123.668, - "service.type": "fortinet", - "source.bytes": 525, - "source.geo.country_name": "sunt", - "source.ip": "10.204.27.48", - "source.port": 5998, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2019-10-18T05:14:14.000Z", - "destination.bytes": 5239, - "destination.geo.country_name": "ation", - "destination.ip": "10.185.44.26", - "destination.nat.ip": "10.53.110.111", - "destination.nat.port": 2549, - "destination.port": 3193, - "event.action": "cancel", - "event.code": "amest", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=ipitlab dtime=2019-10-18 03:14:14.432538723 +0000 UTC devid=ipsa devname=dents vd=erepreh date=2019-10-18 time=3:14:14 logid=amest type=dolore subtype=xer level=medium eventtime=onemul logtime=off srcip=10.246.81.164 srcport=3453 srcintf=lo3071 srcintfrole=ende dstip=10.185.44.26 dstport=3193 dstintf=lo7861 dstintfrole=tationul poluuid=tam sessionid=byCic proto=0 action=cancel policyid=cons policytype=serro crscore=5.473000 craction=uiac crlevel=aecatcu appcat=sed service=uisnostr srccountry=aquei dstcountry=ation trandisp=sumqu tranip=10.53.110.111 tranport=2549 duration=141.141000 sentbyte=5569 rcvdbyte=5239 sentpkt=entore app=uaturQ", - "fileset.name": "fortimanager", - "input.type": "log", - "log.level": "medium", - "log.offset": 
99513, - "network.bytes": 10808, - "observer.egress.interface.name": "lo7861", - "observer.ingress.interface.name": "lo3071", - "observer.product": "FortiManager", - "observer.serial_number": "ipsa", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "related.hosts": [ - "dents" - ], - "related.ip": [ - "10.185.44.26", - "10.246.81.164", - "10.53.110.111" - ], - "rsa.internal.messageid": "generic_fortinetmgr_1", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "xer", - "rsa.misc.context": "sumqu", - "rsa.misc.event_source": "dents", - "rsa.misc.event_type": "dolore", - "rsa.misc.hardware_id": "ipsa", - "rsa.misc.log_session_id": "byCic", - "rsa.misc.obj_name": "uaturQ", - "rsa.misc.policy_id": "cons", - "rsa.misc.reference_id": "amest", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "erepreh", - "rsa.network.dinterface": "lo7861", - "rsa.network.network_service": "uisnostr", - "rsa.network.sinterface": "lo3071", - "rsa.time.duration_time": 141.141, - "rsa.time.event_time": "2019-10-18T05:14:14.000Z", - "rsa.time.event_time_str": "onemul", - "rsa.web.reputation_num": 5.473, - "service.type": "fortinet", - "source.bytes": 5569, - "source.geo.country_name": "aquei", - "source.ip": "10.246.81.164", - "source.port": 3453, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ] - }, - { - "@timestamp": "2019-11-01T12:16:48.000Z", - "destination.bytes": 4334, - "destination.ip": "10.146.77.206", - "destination.port": 1554, - "event.action": "allow", - "event.code": "veli", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=xpli date=2019-11-1 time=10:16:48 log_id=quae devid=totamre devname=lam logid=quamestq type=porai subtype=oinve level=medium vd=hender srcip=10.84.154.230 srcport=1335 srcintf=enp0s1127 dstip=10.212.63.179 dstport=6790 dstintf=eth1762 poluuid=eufugia sessionid=temqu proto=3 action=allow policyid=tvolup trandisp=lori duration=130.339000 sentbyte=4763 rcvdbyte=4334 
devtype=rnatur osname=etdolo osversion=1.802 mastersrcmac=adipisci srcmac=01:00:5e:7b:68:0e crscore=36.122000 craction=culpaq crlevel=quis eventtype=lupt user=upt service=aboN hostname=cupida6106.www5.local profile=tdo reqtype=asperna url=https://api.example.com/aco/empo.jpg?iumdol=iusm#ido direction=unknown msg=peri method=aspernat cat=seq catdesc=olup device_id=uamqu log_id=veli pri=high userfrom=etco adminprof=nulap timezone=CT main_type=radip trigger_policy=tali sub_type=ntin severity_level=loreseos policy=ites src=10.109.172.90 src_port=2785 dst=10.146.77.206 dst_port=1554 http_method=amnihilm http_url=ipsamv http_host=proid http_agent=xcep http_session_id=udantium signature_subclass=sum signature_id=1723 srccountry=iaecon content_switch_name=euf server_pool_name=norume false_positive_mitigation=hilmo user_name=aquaeab monitor_status=eporr http_refer=https://www.example.com/metMalo/santiu.jpg?icon=enderit#roquisqu http_version=lapa dev_id=imadm threat_weight=giatquo history_threat_weight=oeiusm threat_level=oreeuf ftp_mode=iusmodt ftp_cmd=umwrit cipher_suite=atatn msg_id=uatD", - "event.timezone": "CT", - "fileset.name": "fortimanager", - "host.name": "cupida6106.www5.local", - "http.request.referrer": "https://www.example.com/metMalo/santiu.jpg?icon=enderit#roquisqu", - "input.type": "log", - "log.level": "high", - "log.offset": 100164, - "network.bytes": 9097, - "network.direction": "unknown", - "network.protocol": "GGP", - "observer.egress.interface.name": "eth1762", - "observer.ingress.interface.name": "enp0s1127", - "observer.product": "FortiManager", - "observer.serial_number": "uamqu", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.802", - "related.hosts": [ - "cupida6106.www5.local", - "lam", - "proid" - ], - "related.ip": [ - "10.109.172.90", - "10.146.77.206" - ], - "related.user": [ - "aquaeab" - ], - "rsa.internal.event_desc": "peri", - "rsa.internal.messageid": "generic_fortinetmgr", - 
"rsa.investigations.event_vcat": "lupt", - "rsa.misc.OS": "etdolo", - "rsa.misc.action": [ - "allow", - "amnihilm" - ], - "rsa.misc.category": "ntin", - "rsa.misc.client": "xcep", - "rsa.misc.context": "lori", - "rsa.misc.event_source": "lam", - "rsa.misc.event_type": "porai", - "rsa.misc.fcatnum": "seq", - "rsa.misc.filter": "olup", - "rsa.misc.hardware_id": "uamqu", - "rsa.misc.log_session_id": "udantium", - "rsa.misc.policy_id": "tvolup", - "rsa.misc.policy_name": "ites", - "rsa.misc.reference_id": "veli", - "rsa.misc.rule_name": "tdo", - "rsa.misc.severity": "high", - "rsa.misc.sig_id": 1723, - "rsa.misc.version": "1.802", - "rsa.misc.vsys": "hender", - "rsa.network.alias_host": [ - "cupida6106.www5.local" - ], - "rsa.network.dinterface": "eth1762", - "rsa.network.network_service": "aboN", - "rsa.network.sinterface": "enp0s1127", - "rsa.threat.threat_desc": "oreeuf", - "rsa.time.duration_time": 130.339, - "rsa.time.event_time": "2019-11-01T12:16:48.000Z", - "rsa.time.timezone": "CT", - "rsa.web.reputation_num": 36.122, - "rsa.web.web_ref_domain": "proid", - "rule.name": "tdo", - "service.type": "fortinet", - "source.bytes": 4763, - "source.geo.country_name": "iaecon", - "source.ip": "10.109.172.90", - "source.mac": "01:00:5e:7b:68:0e", - "source.port": 2785, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "api.example.com", - "url.extension": "jpg", - "url.fragment": "ido", - "url.original": "https://api.example.com/aco/empo.jpg?iumdol=iusm#ido", - "url.path": "/aco/empo.jpg", - "url.query": [ - "ipsamv", - "iumdol=iusm" - ], - "url.scheme": "https", - "user.name": "aquaeab" - }, - { - "@timestamp": "2019-11-15T07:19:22.000Z", - "destination.bytes": 6464, - "destination.ip": "10.202.250.141", - "destination.port": 1824, - "event.action": "allow", - "event.code": "ern", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "date=2019-11-15 time=5:19:22 devname=ptate device_id=Nemoe log_id=cupidat 
type=generic subtype=onsequ pri=high devid=nostr devname=umtotam logid=mqua type=emU subtype=gnido level=very-high vd=plicab srcip=10.8.161.226 srcport=3191 srcintf=eth5256 dstip=10.13.234.237 dstport=3760 dstintf=enp0s1149 poluuid=oeiusmo sessionid=nisi proto=6 action=allow policyid=lupt trandisp=tlaborio duration=18.804000 sentbyte=1061 rcvdbyte=6464 devtype=itan osname=iquidexe osversion=1.2314 mastersrcmac=fugia srcmac=01:00:5e:09:8f:0e crscore=5.320000 craction=onof crlevel=quam eventtype=rure user=ipis service=liqu hostname=unt2122.internal.local profile=orsitame reqtype=tassitas url=https://example.org/uidolor/turve.htm?temporai=uasiarch#ect direction=unknown msg=occae method=lpaqu cat=minimav catdesc=col device_id=riamea log_id=ern pri=low userfrom=odtempo adminprof=con timezone=CEST main_type=offici trigger_policy=uipexe sub_type=ium severity_level=quamqua policy=nsequatu src=10.38.18.72 src_port=3177 dst=10.202.250.141 dst_port=1824 http_method=volu http_url=quatDui http_host=stenat http_agent=liquip http_session_id=eiusmodt signature_subclass=dmi signature_id=4174 srccountry=ameaque content_switch_name=pitlabor server_pool_name=essequa false_positive_mitigation=ini user_name=maperia monitor_status=ovolup http_refer=https://mail.example.com/veniamq/uisno.htm?luptas=omm#eaquei http_version=iveli dev_id=lill threat_weight=voluptat history_threat_weight=aturveli threat_level=incidunt ftp_mode=tatnonp ftp_cmd=abi cipher_suite=nimave msg_id=atu", - "event.timezone": "CEST", - "fileset.name": "fortimanager", - "host.name": "unt2122.internal.local", - "http.request.referrer": "https://mail.example.com/veniamq/uisno.htm?luptas=omm#eaquei", - "input.type": "log", - "log.level": "low", - "log.offset": 101635, - "network.bytes": 7525, - "network.direction": "unknown", - "observer.egress.interface.name": "enp0s1149", - "observer.ingress.interface.name": "eth5256", - "observer.product": "FortiManager", - "observer.serial_number": "riamea", - "observer.type": 
"Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.2314", - "related.hosts": [ - "stenat", - "umtotam", - "unt2122.internal.local" - ], - "related.ip": [ - "10.202.250.141", - "10.38.18.72" - ], - "related.user": [ - "maperia" - ], - "rsa.internal.event_desc": "occae", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "rure", - "rsa.misc.OS": "iquidexe", - "rsa.misc.action": [ - "allow", - "volu" - ], - "rsa.misc.category": "ium", - "rsa.misc.client": "liquip", - "rsa.misc.context": "tlaborio", - "rsa.misc.event_source": "umtotam", - "rsa.misc.event_type": "emU", - "rsa.misc.fcatnum": "minimav", - "rsa.misc.filter": "col", - "rsa.misc.hardware_id": "riamea", - "rsa.misc.log_session_id": "eiusmodt", - "rsa.misc.policy_id": "lupt", - "rsa.misc.policy_name": "nsequatu", - "rsa.misc.reference_id": "ern", - "rsa.misc.rule_name": "orsitame", - "rsa.misc.severity": "low", - "rsa.misc.sig_id": 4174, - "rsa.misc.version": "1.2314", - "rsa.misc.vsys": "plicab", - "rsa.network.alias_host": [ - "unt2122.internal.local" - ], - "rsa.network.dinterface": "enp0s1149", - "rsa.network.network_service": "liqu", - "rsa.network.sinterface": "eth5256", - "rsa.threat.threat_desc": "incidunt", - "rsa.time.duration_time": 18.804, - "rsa.time.event_time": "2019-11-15T07:19:22.000Z", - "rsa.time.timezone": "CEST", - "rsa.web.reputation_num": 5.32, - "rsa.web.web_ref_domain": "stenat", - "rule.name": "orsitame", - "service.type": "fortinet", - "source.bytes": 1061, - "source.geo.country_name": "ameaque", - "source.ip": "10.38.18.72", - "source.mac": "01:00:5e:09:8f:0e", - "source.port": 3177, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "example.org", - "url.extension": "htm", - "url.fragment": "ect", - "url.original": "https://example.org/uidolor/turve.htm?temporai=uasiarch#ect", - "url.path": "/uidolor/turve.htm", - "url.query": [ - "quatDui", - "temporai=uasiarch" - ], - "url.scheme": "https", - 
"user.name": "maperia" - }, - { - "@timestamp": "2019-11-30T14:21:57.000Z", - "destination.bytes": 4714, - "destination.ip": "10.139.144.75", - "destination.port": 5037, - "event.action": "block", - "event.code": "rchitec", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "logver=siu date=2019-11-30 time=12:21:57 log_id=inrepr devid=cero devname=ita logid=xercitat type=meumfug subtype=umt level=very-high vd=laparia srcip=10.195.87.127 srcport=760 srcintf=lo3094 dstip=10.52.118.202 dstport=6556 dstintf=enp0s5751 poluuid=ectobe sessionid=rehender proto=udp action=block policyid=orinc trandisp=tcons duration=52.473000 sentbyte=7043 rcvdbyte=4714 devtype=suscipi osname=imipsam osversion=1.4674 mastersrcmac=hilm srcmac=01:00:5e:73:ca:c1 crscore=54.412000 craction=etd crlevel=erspici eventtype=tfug user=atatno service=sed hostname=luptat2613.internal.localhost profile=olupt reqtype=mipsum url=https://www.example.net/Maloru/lapariat.htm?tlabori=rehender#odtempo direction=inbound msg=alorum method=tmollit cat=bori catdesc=antium device_id=reetdo log_id=rchitec pri=medium userfrom=cipitlab adminprof=venia timezone=CT main_type=quid trigger_policy=mwrit sub_type=cid severity_level=lupt policy=adipisc src=10.182.124.88 src_port=116 dst=10.139.144.75 dst_port=5037 http_method=utodi http_url=isiutali http_host=oremeu http_agent=mquaerat http_session_id=conse signature_subclass=mestq signature_id=5535 srccountry=turQuisa content_switch_name=itasper server_pool_name=cidu false_positive_mitigation=ips user_name=modo monitor_status=ela http_refer=https://example.org/unti/niamqu.html?ris=veli#giatnu http_version=tanimide dev_id=ectetur threat_weight=umexer history_threat_weight=nim threat_level=nisiuta ftp_mode=cipitla ftp_cmd=ditautf cipher_suite=oluptasn msg_id=madmin", - "event.timezone": "CT", - "fileset.name": "fortimanager", - "host.name": "luptat2613.internal.localhost", - "http.request.referrer": 
"https://example.org/unti/niamqu.html?ris=veli#giatnu", - "input.type": "log", - "log.level": "medium", - "log.offset": 103183, - "network.bytes": 11757, - "network.direction": "inbound", - "observer.egress.interface.name": "enp0s5751", - "observer.ingress.interface.name": "lo3094", - "observer.product": "FortiManager", - "observer.serial_number": "reetdo", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.4674", - "related.hosts": [ - "ita", - "luptat2613.internal.localhost", - "oremeu" - ], - "related.ip": [ - "10.139.144.75", - "10.182.124.88" - ], - "related.user": [ - "modo" - ], - "rsa.internal.event_desc": "alorum", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "tfug", - "rsa.misc.OS": "imipsam", - "rsa.misc.action": [ - "block", - "utodi" - ], - "rsa.misc.category": "cid", - "rsa.misc.client": "mquaerat", - "rsa.misc.context": "tcons", - "rsa.misc.event_source": "ita", - "rsa.misc.event_type": "meumfug", - "rsa.misc.fcatnum": "bori", - "rsa.misc.filter": "antium", - "rsa.misc.hardware_id": "reetdo", - "rsa.misc.log_session_id": "conse", - "rsa.misc.policy_id": "orinc", - "rsa.misc.policy_name": "adipisc", - "rsa.misc.reference_id": "rchitec", - "rsa.misc.rule_name": "olupt", - "rsa.misc.severity": "medium", - "rsa.misc.sig_id": 5535, - "rsa.misc.version": "1.4674", - "rsa.misc.vsys": "laparia", - "rsa.network.alias_host": [ - "luptat2613.internal.localhost" - ], - "rsa.network.dinterface": "enp0s5751", - "rsa.network.network_service": "sed", - "rsa.network.sinterface": "lo3094", - "rsa.threat.threat_desc": "nisiuta", - "rsa.time.duration_time": 52.473, - "rsa.time.event_time": "2019-11-30T14:21:57.000Z", - "rsa.time.timezone": "CT", - "rsa.web.reputation_num": 54.412, - "rsa.web.web_ref_domain": "oremeu", - "rule.name": "olupt", - "service.type": "fortinet", - "source.bytes": 7043, - "source.geo.country_name": "turQuisa", - "source.ip": "10.182.124.88", - "source.mac": 
"01:00:5e:73:ca:c1", - "source.port": 116, - "tags": [ - "fortinet.fortimanager", - "forwarded" - ], - "url.domain": "www.example.net", - "url.extension": "htm", - "url.fragment": "odtempo", - "url.original": "https://www.example.net/Maloru/lapariat.htm?tlabori=rehender#odtempo", - "url.path": "/Maloru/lapariat.htm", - "url.query": [ - "isiutali", - "tlabori=rehender" - ], - "url.scheme": "https", - "user.name": "modo" - }, - { - "@timestamp": "2019-12-14T09:24:31.000Z", - "destination.bytes": 568, - "destination.ip": "10.188.124.185", - "destination.port": 5837, - "event.action": "block", - "event.code": "tate", - "event.dataset": "fortinet.fortimanager", - "event.module": "fortinet", - "event.original": "date=2019-12-14 time=7:24:31 logver=imadm devid=stla devname=cab logid=orr type=olu subtype=quatDu level=low vd=siste srcip=10.151.47.249 srcport=6697 srcintf=lo5632 dstip=10.155.194.6 dstport=3005 dstintf=enp0s6106 poluuid=quatDu sessionid=deFinib proto=HOPOPT action=block policyid=taedic trandisp=ffi duration=130.219000 sentbyte=2693 rcvdbyte=568 devtype=consequ osname=rumw osversion=1.1386 mastersrcmac=temveleu srcmac=01:00:5e:df:96:27 crscore=104.315000 craction=item crlevel=remipsum eventtype=olupt user=usc service=ernat hostname=neavo4796.internal.domain profile=tatemac reqtype=exer url=https://www5.example.com/xea/ssecill.html?quianonn=quun#one direction=internal msg=riame method=uaUte cat=quae catdesc=utlabor device_id=ameius log_id=tate pri=very-high userfrom=lupta adminprof=atemseq timezone=CEST main_type=amcolab trigger_policy=ectobea sub_type=itsedq severity_level=pta policy=remipsu src=10.35.10.19 src_port=3941 dst=10.188.124.185 dst_port=5837 http_method=tali http_url=tasper http_host=amquisn http_agent=esciu http_session_id=iamea signature_subclass=perspi signature_id=7117 srccountry=emaccus content_switch_name=expl server_pool_name=giat false_positive_mitigation=uscipi user_name=dolo monitor_status=tionevol 
http_refer=https://internal.example.com/uptatema/dutpers.htm?tion=iumdol#ept http_version=Mal dev_id=tquasia threat_weight=ficiad history_threat_weight=roinBC threat_level=eufu ftp_mode=tio ftp_cmd=equatDu cipher_suite=exea msg_id=tasnulap", - "event.timezone": "CEST", - "fileset.name": "fortimanager", - "host.name": "neavo4796.internal.domain", - "http.request.referrer": "https://internal.example.com/uptatema/dutpers.htm?tion=iumdol#ept", - "input.type": "log", - "log.level": "very-high", - "log.offset": 104692, - "network.bytes": 3261, - "network.direction": "internal", - "observer.egress.interface.name": "enp0s6106", - "observer.ingress.interface.name": "lo5632", - "observer.product": "FortiManager", - "observer.serial_number": "ameius", - "observer.type": "Configuration", - "observer.vendor": "Fortinet", - "observer.version": "1.1386", - "related.hosts": [ - "amquisn", - "cab", - "neavo4796.internal.domain" - ], - "related.ip": [ - "10.188.124.185", - "10.35.10.19" - ], - "related.user": [ - "dolo" - ], - "rsa.internal.event_desc": "riame", - "rsa.internal.messageid": "generic_fortinetmgr", - "rsa.investigations.event_vcat": "olupt", - "rsa.misc.OS": "rumw", - "rsa.misc.action": [ - "block", - "tali" - ], - "rsa.misc.category": "itsedq", - "rsa.misc.client": "esciu", - "rsa.misc.context": "ffi", - "rsa.misc.event_source": "cab", - "rsa.misc.event_type": "olu", - "rsa.misc.fcatnum": "quae", - "rsa.misc.filter": "utlabor", - "rsa.misc.hardware_id": "ameius", - "rsa.misc.log_session_id": "iamea", - "rsa.misc.policy_id": "taedic", - "rsa.misc.policy_name": "remipsu", - "rsa.misc.reference_id": "tate", - "rsa.misc.rule_name": "tatemac", - "rsa.misc.severity": "very-high", - "rsa.misc.sig_id": 7117, - "rsa.misc.version": "1.1386", - "rsa.misc.vsys": "siste", - "rsa.network.alias_host": [ - "neavo4796.internal.domain" - ], - "rsa.network.dinterface": "enp0s6106", - "rsa.network.network_service": "ernat", - "rsa.network.sinterface": "lo5632", - 
"rsa.threat.threat_desc": "eufu",
- "rsa.time.duration_time": 130.219,
- "rsa.time.event_time": "2019-12-14T09:24:31.000Z",
- "rsa.time.timezone": "CEST",
- "rsa.web.reputation_num": 104.315,
- "rsa.web.web_ref_domain": "amquisn",
- "rule.name": "tatemac",
- "service.type": "fortinet",
- "source.bytes": 2693,
- "source.geo.country_name": "emaccus",
- "source.ip": "10.35.10.19",
- "source.mac": "01:00:5e:df:96:27",
- "source.port": 3941,
- "tags": [
- "fortinet.fortimanager",
- "forwarded"
- ],
- "url.domain": "www5.example.com",
- "url.extension": "html",
- "url.fragment": "one",
- "url.original": "https://www5.example.com/xea/ssecill.html?quianonn=quun#one",
- "url.path": "/xea/ssecill.html",
- "url.query": [
- "quianonn=quun",
- "tasper"
- ],
- "url.scheme": "https",
- "user.name": "dolo"
- }
-]
\ No newline at end of file
diff --git a/x-pack/filebeat/modules.d/fortinet.yml.disabled b/x-pack/filebeat/modules.d/fortinet.yml.disabled
index 2c7092892ae..86ba39d3218 100644
--- a/x-pack/filebeat/modules.d/fortinet.yml.disabled
+++ b/x-pack/filebeat/modules.d/fortinet.yml.disabled
@@ -30,60 +30,3 @@
 # [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/network-direction-processor.html#supported-named-network-ranges).
 # This can't be used in combination with internal_interfaces and external_interfaces.
 #var.internal_networks: [ "private" ]
-
- clientendpoint:
- enabled: false
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9510
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
-
- fortimail:
- enabled: false
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9529
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
-
- fortimanager:
- enabled: false
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9530
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
From 0e0fed9fe17bd14d8b6fe982e80c8fb9927b2f5a Mon Sep 17 00:00:00 2001
From: Panos Koutsovasilis
Date: Thu, 15 Feb 2024 13:38:51 +0200
Subject: [PATCH 08/22] feat: remove deprecated impreva
---
 filebeat/docs/fields.asciidoc | 10869 ----------------
 filebeat/docs/modules_list.asciidoc | 2 -
 x-pack/filebeat/filebeat.reference.yml | 21 -
 x-pack/filebeat/include/list.go | 1 -
 x-pack/filebeat/module/imperva/README.md | 7 -
 .../filebeat/module/imperva/_meta/config.yml | 19 -
 .../module/imperva/_meta/docs.asciidoc | 70 -
 .../filebeat/module/imperva/_meta/fields.yml | 5 -
 x-pack/filebeat/module/imperva/fields.go | 23 -
 .../imperva/securesphere/_meta/fields.yml | 2635 ----
 .../imperva/securesphere/config/input.yml | 87 -
 .../securesphere/config/liblogparser.js | 2514 ----
 .../imperva/securesphere/config/pipeline.js | 316 -
 .../imperva/securesphere/ingest/pipeline.yml | 88 -
 .../module/imperva/securesphere/manifest.yml | 31 -
 .../imperva/securesphere/test/generated.log | 100 -
 .../test/generated.log-expected.json | 5716 --------
 .../filebeat/modules.d/imperva.yml.disabled | 22 -
 18 files changed, 22526 deletions(-)
 delete mode 100644 x-pack/filebeat/module/imperva/README.md
 delete mode 100644 x-pack/filebeat/module/imperva/_meta/config.yml
 delete mode 100644 x-pack/filebeat/module/imperva/_meta/docs.asciidoc
 delete mode 100644 x-pack/filebeat/module/imperva/_meta/fields.yml
 delete mode 100644 x-pack/filebeat/module/imperva/fields.go
 delete mode 100644 x-pack/filebeat/module/imperva/securesphere/_meta/fields.yml
 delete mode 100644 x-pack/filebeat/module/imperva/securesphere/config/input.yml
 delete mode 100644 x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js
 delete mode 100644 x-pack/filebeat/module/imperva/securesphere/config/pipeline.js
 delete mode 100644 x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml
 delete mode 100644 x-pack/filebeat/module/imperva/securesphere/manifest.yml
 delete mode 100644 x-pack/filebeat/module/imperva/securesphere/test/generated.log
 delete mode 100644 
x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json
 delete mode 100644 x-pack/filebeat/modules.d/imperva.yml.disabled
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index 738327f0456..0ea5811a35c 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -42,7 +42,6 @@ grouped in the following categories:
 * <>
 * <>
 * <>
-* <>
 * <>
 * <>
 * <>
@@ -36391,10874 +36390,6 @@ alias to: source.geo.region_iso_code -- -[[exported-fields-imperva]] -== Imperva SecureSphere fields - -imperva fields. - - - -*`network.interface.name`*:: -+ --- -Name of the network interface where the traffic has been observed. - - -type: keyword - --- - - - -*`rsa.internal.msg`*:: -+ --- -This key is used to capture the raw message that comes into the Log Decoder - -type: keyword - --- - -*`rsa.internal.messageid`*:: -+ --- -type: keyword - --- - -*`rsa.internal.event_desc`*:: -+ --- -type: keyword - --- - -*`rsa.internal.message`*:: -+ --- -This key captures the contents of instant messages - -type: keyword - --- - -*`rsa.internal.time`*:: -+ --- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: date - --- - -*`rsa.internal.level`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.msg_id`*:: -+ --- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.msg_vid`*:: -+ --- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.data`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_server`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_val`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.resource`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.internal.obj_id`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.statement`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.audit_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.entry`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.hcode`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.inode`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.resource_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.dead`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.feed_desc`*:: -+ --- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.feed_name`*:: -+ --- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.cid`*:: -+ --- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_class`*:: -+ --- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_group`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_host`*:: -+ --- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_ip`*:: -+ --- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_ipv6`*:: -+ --- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_type`*:: -+ --- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_type_id`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.did`*:: -+ --- -This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.entropy_req`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.entropy_res`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.event_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.feed_category`*:: -+ --- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.forward_ip`*:: -+ --- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: ip - --- - -*`rsa.internal.forward_ipv6`*:: -+ --- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.header_id`*:: -+ --- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_cid`*:: -+ --- -This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_ctime`*:: -+ --- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: date - --- - -*`rsa.internal.mcb_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcb_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcbc_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.mcbc_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.medium`*:: -+ --- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: long - --- - -*`rsa.internal.node_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.nwe_callback_id`*:: -+ --- -This key denotes that event is endpoint related - -type: keyword - --- - -*`rsa.internal.parse_error`*:: -+ --- -This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.payload_req`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.payload_res`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.process_vid_dst`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - -type: keyword - --- - -*`rsa.internal.process_vid_src`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - -type: keyword - --- - -*`rsa.internal.rid`*:: -+ --- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.session_split`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.site`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.size`*:: -+ --- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.sourcefile`*:: -+ --- -This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.ubc_req`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.ubc_res`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.word`*:: -+ --- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - -type: keyword - --- - - -*`rsa.time.event_time`*:: -+ --- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - -type: date - --- - -*`rsa.time.duration_time`*:: -+ --- -This key is used to capture the normalized duration/lifetime in seconds. 
- -type: double - --- - -*`rsa.time.event_time_str`*:: -+ --- -This key is used to capture the incomplete time mentioned in a session as a string - -type: keyword - --- - -*`rsa.time.starttime`*:: -+ --- -This key is used to capture the Start time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.month`*:: -+ --- -type: keyword - --- - -*`rsa.time.day`*:: -+ --- -type: keyword - --- - -*`rsa.time.endtime`*:: -+ --- -This key is used to capture the End time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.timezone`*:: -+ --- -This key is used to capture the timezone of the Event Time - -type: keyword - --- - -*`rsa.time.duration_str`*:: -+ --- -A text string version of the duration - -type: keyword - --- - -*`rsa.time.date`*:: -+ --- -type: keyword - --- - -*`rsa.time.year`*:: -+ --- -type: keyword - --- - -*`rsa.time.recorded_time`*:: -+ --- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date - --- - -*`rsa.time.datetime`*:: -+ --- -type: keyword - --- - -*`rsa.time.effective_time`*:: -+ --- -This key is the effective time referenced by an individual event in a Standard Timestamp format - -type: date - --- - -*`rsa.time.expire_time`*:: -+ --- -This key is the timestamp that explicitly refers to an expiration. - -type: date - --- - -*`rsa.time.process_time`*:: -+ --- -Deprecated, use duration.time - -type: keyword - --- - -*`rsa.time.hour`*:: -+ --- -type: keyword - --- - -*`rsa.time.min`*:: -+ --- -type: keyword - --- - -*`rsa.time.timestamp`*:: -+ --- -type: keyword - --- - -*`rsa.time.event_queue_time`*:: -+ --- -This key is the Time that the event was queued. 
- -type: date - --- - -*`rsa.time.p_time1`*:: -+ --- -type: keyword - --- - -*`rsa.time.tzone`*:: -+ --- -type: keyword - --- - -*`rsa.time.eventtime`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmtdate`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmttime`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_date`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_month`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time2`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_year`*:: -+ --- -type: keyword - --- - -*`rsa.time.expire_time_str`*:: -+ --- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. - -type: keyword - --- - -*`rsa.time.stamp`*:: -+ --- -Deprecated key defined only in table map. - -type: date - --- - - -*`rsa.misc.action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.result`*:: -+ --- -This key is used to capture the outcome/result string value of an action in a session. - -type: keyword - --- - -*`rsa.misc.severity`*:: -+ --- -This key is used to capture the severity given the session - -type: keyword - --- - -*`rsa.misc.event_type`*:: -+ --- -This key captures the event category type as specified by the event source. - -type: keyword - --- - -*`rsa.misc.reference_id`*:: -+ --- -This key is used to capture an event id from the session directly - -type: keyword - --- - -*`rsa.misc.version`*:: -+ --- -This key captures Version of the application or OS which is generating the event. - -type: keyword - --- - -*`rsa.misc.disposition`*:: -+ --- -This key captures the The end state of an action. 
- -type: keyword - --- - -*`rsa.misc.result_code`*:: -+ --- -This key is used to capture the outcome/result numeric value of an action in a session - -type: keyword - --- - -*`rsa.misc.category`*:: -+ --- -This key is used to capture the category of an event given by the vendor in the session - -type: keyword - --- - -*`rsa.misc.obj_name`*:: -+ --- -This is used to capture name of object - -type: keyword - --- - -*`rsa.misc.obj_type`*:: -+ --- -This is used to capture type of object - -type: keyword - --- - -*`rsa.misc.event_source`*:: -+ --- -This key captures Source of the event that’s not a hostname - -type: keyword - --- - -*`rsa.misc.log_session_id`*:: -+ --- -This key is used to capture a sessionid from the session directly - -type: keyword - --- - -*`rsa.misc.group`*:: -+ --- -This key captures the Group Name value - -type: keyword - --- - -*`rsa.misc.policy_name`*:: -+ --- -This key is used to capture the Policy Name only. - -type: keyword - --- - -*`rsa.misc.rule_name`*:: -+ --- -This key captures the Rule Name - -type: keyword - --- - -*`rsa.misc.context`*:: -+ --- -This key captures Information which adds additional context to the event. - -type: keyword - --- - -*`rsa.misc.change_new`*:: -+ --- -This key is used to capture the new values of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.space`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client`*:: -+ --- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- -type: keyword - --- - -*`rsa.misc.msgIdPart1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.change_old`*:: -+ --- -This key is used to capture the old value of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.operation_id`*:: -+ --- -An alert number or operation number. The values should be unique and non-repeating. - -type: keyword - --- - -*`rsa.misc.event_state`*:: -+ --- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - -type: keyword - --- - -*`rsa.misc.group_object`*:: -+ --- -This key captures a collection/grouping of entities. Specific usage - -type: keyword - --- - -*`rsa.misc.node`*:: -+ --- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - -type: keyword - --- - -*`rsa.misc.rule`*:: -+ --- -This key captures the Rule number - -type: keyword - --- - -*`rsa.misc.device_name`*:: -+ --- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - -type: keyword - --- - -*`rsa.misc.param`*:: -+ --- -This key is the parameters passed as part of a command or application, etc. - -type: keyword - --- - -*`rsa.misc.change_attrib`*:: -+ --- -This key is used to capture the name of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.event_computer`*:: -+ --- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- -type: keyword - --- - -*`rsa.misc.reference_id1`*:: -+ --- -This key is for Linked ID to be used as an addition to "reference.id" - -type: keyword - --- - -*`rsa.misc.event_log`*:: -+ --- -This key captures the Name of the event log - -type: keyword - --- - -*`rsa.misc.OS`*:: -+ --- -This key captures the Name of the Operating System - -type: keyword - --- - -*`rsa.misc.terminal`*:: -+ --- -This key captures the Terminal Names only - -type: keyword - --- - -*`rsa.misc.msgIdPart3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.filter`*:: -+ --- -This key captures Filter used to reduce result set - -type: keyword - --- - -*`rsa.misc.serial_number`*:: -+ --- -This key is the Serial number associated with a physical asset. - -type: keyword - --- - -*`rsa.misc.checksum`*:: -+ --- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - -type: keyword - --- - -*`rsa.misc.event_user`*:: -+ --- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - -type: keyword - --- - -*`rsa.misc.virusname`*:: -+ --- -This key captures the name of the virus - -type: keyword - --- - -*`rsa.misc.content_type`*:: -+ --- -This key is used to capture Content Type only. - -type: keyword - --- - -*`rsa.misc.group_id`*:: -+ --- -This key captures Group ID Number (related to the group name) - -type: keyword - --- - -*`rsa.misc.policy_id`*:: -+ --- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - -type: keyword - --- - -*`rsa.misc.vsys`*:: -+ --- -This key captures Virtual System Name - -type: keyword - --- - -*`rsa.misc.connection_id`*:: -+ --- -This key captures the Connection ID - -type: keyword - --- - -*`rsa.misc.reference_id2`*:: -+ --- -This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - -type: keyword - --- - -*`rsa.misc.sensor`*:: -+ --- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - -type: keyword - --- - -*`rsa.misc.sig_id`*:: -+ --- -This key captures IDS/IPS Int Signature ID - -type: long - --- - -*`rsa.misc.port_name`*:: -+ --- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - -type: keyword - --- - -*`rsa.misc.rule_group`*:: -+ --- -This key captures the Rule group name - -type: keyword - --- - -*`rsa.misc.risk_num`*:: -+ --- -This key captures a Numeric Risk value - -type: double - --- - -*`rsa.misc.trigger_val`*:: -+ --- -This key captures the Value of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.log_session_id1`*:: -+ --- -This key is used to capture a Linked (Related) Session ID from the session directly - -type: keyword - --- - -*`rsa.misc.comp_version`*:: -+ --- -This key captures the Version level of a sub-component of a product. - -type: keyword - --- - -*`rsa.misc.content_version`*:: -+ --- -This key captures Version level of a signature or database content. - -type: keyword - --- - -*`rsa.misc.hardware_id`*:: -+ --- -This key is used to capture unique identifier for a device or system (NOT a Mac address) - -type: keyword - --- - -*`rsa.misc.risk`*:: -+ --- -This key captures the non-numeric risk value - -type: keyword - --- - -*`rsa.misc.event_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.reason`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mail_id`*:: -+ --- -This key is used to capture the mailbox id/name - -type: keyword - --- - -*`rsa.misc.rule_uid`*:: -+ --- -This key is the Unique Identifier for a rule. 
- -type: keyword - --- - -*`rsa.misc.trigger_desc`*:: -+ --- -This key captures the Description of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.inout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.data_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.error`*:: -+ --- -This key captures All non successful Error codes or responses - -type: keyword - --- - -*`rsa.misc.index`*:: -+ --- -type: keyword - --- - -*`rsa.misc.listnum`*:: -+ --- -This key is used to capture listname or listnumber, primarily for collecting access-list - -type: keyword - --- - -*`rsa.misc.ntype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.observed_val`*:: -+ --- -This key captures the Value observed (from the perspective of the device generating the log). - -type: keyword - --- - -*`rsa.misc.policy_value`*:: -+ --- -This key captures the contents of the policy. This contains details about the policy - -type: keyword - --- - -*`rsa.misc.pool_name`*:: -+ --- -This key captures the name of a resource pool - -type: keyword - --- - -*`rsa.misc.rule_template`*:: -+ --- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - -type: keyword - --- - -*`rsa.misc.count`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigcat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comments`*:: -+ --- -Comment information provided in the log message - -type: keyword - --- - -*`rsa.misc.doc_number`*:: -+ --- -This key captures File Identification number - -type: long - --- - -*`rsa.misc.expected_val`*:: -+ --- -This key captures the Value expected (from the perspective of the device generating the log). 
- -type: keyword - --- - -*`rsa.misc.job_num`*:: -+ --- -This key captures the Job Number - -type: keyword - --- - -*`rsa.misc.spi_dst`*:: -+ --- -Destination SPI Index - -type: keyword - --- - -*`rsa.misc.spi_src`*:: -+ --- -Source SPI Index - -type: keyword - --- - -*`rsa.misc.code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.agent_id`*:: -+ --- -This key is used to capture agent id - -type: keyword - --- - -*`rsa.misc.message_body`*:: -+ --- -This key captures the The contents of the message body. - -type: keyword - --- - -*`rsa.misc.phone`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sig_id_str`*:: -+ --- -This key captures a string object of the sigid variable. - -type: keyword - --- - -*`rsa.misc.cmd`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu`*:: -+ --- -This key is the CPU time used in the execution of the event being recorded. - -type: long - --- - -*`rsa.misc.event_desc`*:: -+ --- -This key is used to capture a description of an event available directly or inferred - -type: keyword - --- - -*`rsa.misc.sig_id1`*:: -+ --- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - -type: long - --- - -*`rsa.misc.im_buddyid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_client`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.priority`*:: -+ --- -type: keyword - --- - -*`rsa.misc.context_subject`*:: -+ --- -This key is to be used in an audit context where the subject is the object being identified - -type: keyword - --- - -*`rsa.misc.context_target`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cve`*:: -+ --- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - -type: keyword - --- - -*`rsa.misc.fcatnum`*:: -+ --- -This key captures Filter Category Number. 
Legacy Usage - -type: keyword - --- - -*`rsa.misc.library`*:: -+ --- -This key is used to capture library information in mainframe devices - -type: keyword - --- - -*`rsa.misc.parent_node`*:: -+ --- -This key captures the Parent Node Name. Must be related to node variable. - -type: keyword - --- - -*`rsa.misc.risk_info`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.tcp_flags`*:: -+ --- -This key is captures the TCP flags set in any packet of session - -type: long - --- - -*`rsa.misc.tos`*:: -+ --- -This key describes the type of service - -type: long - --- - -*`rsa.misc.vm_target`*:: -+ --- -VMWare Target **VMWARE** only varaible. - -type: keyword - --- - -*`rsa.misc.workspace`*:: -+ --- -This key captures Workspace Description - -type: keyword - --- - -*`rsa.misc.command`*:: -+ --- -type: keyword - --- - -*`rsa.misc.event_category`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facilityname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.forensic_info`*:: -+ --- -type: keyword - --- - -*`rsa.misc.jobname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy_waiver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.second`*:: -+ --- -type: keyword - --- - -*`rsa.misc.space1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.subcategory`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alert_id`*:: -+ --- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.checksum_dst`*:: -+ --- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - -type: keyword - --- - -*`rsa.misc.checksum_src`*:: -+ --- -This key is used to capture the checksum or hash of the source entity such as a file or process. 
- -type: keyword - --- - -*`rsa.misc.fresult`*:: -+ --- -This key captures the Filter Result - -type: long - --- - -*`rsa.misc.payload_dst`*:: -+ --- -This key is used to capture destination payload - -type: keyword - --- - -*`rsa.misc.payload_src`*:: -+ --- -This key is used to capture source payload - -type: keyword - --- - -*`rsa.misc.pool_id`*:: -+ --- -This key captures the identifier (typically numeric field) of a resource pool - -type: keyword - --- - -*`rsa.misc.process_id_val`*:: -+ --- -This key is a failure key for Process ID when it is not an integer value - -type: keyword - --- - -*`rsa.misc.risk_num_comm`*:: -+ --- -This key captures Risk Number Community - -type: double - --- - -*`rsa.misc.risk_num_next`*:: -+ --- -This key captures Risk Number NextGen - -type: double - --- - -*`rsa.misc.risk_num_sand`*:: -+ --- -This key captures Risk Number SandBox - -type: double - --- - -*`rsa.misc.risk_num_static`*:: -+ --- -This key captures Risk Number Static - -type: double - --- - -*`rsa.misc.risk_suspicious`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.risk_warning`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.snmp_oid`*:: -+ --- -SNMP Object Identifier - -type: keyword - --- - -*`rsa.misc.sql`*:: -+ --- -This key captures the SQL query - -type: keyword - --- - -*`rsa.misc.vuln_ref`*:: -+ --- -This key captures the Vulnerability Reference details - -type: keyword - --- - -*`rsa.misc.acl_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_op`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_pos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_table`*:: -+ --- -type: keyword - --- - -*`rsa.misc.admin`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarm_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarmname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.app_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.audit`*:: 
-+ --- -type: keyword - --- - -*`rsa.misc.audit_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.auditdata`*:: -+ --- -type: keyword - --- - -*`rsa.misc.benchmark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.bypass`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache_hit`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cefversion`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_attr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_obj`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_path`*:: -+ --- -type: keyword - --- - -*`rsa.misc.changes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client_ip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.clustermembers`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_acttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_asn_src`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_bgpv4nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ctr_dst_code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_f_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampintv`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampmode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inacttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermbyts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermpckts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_invalid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ip_proto_ver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ipv4_ident`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_l_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_did`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_rid`*:: -+ --- -type: keyword - 
--- - -*`rsa.misc.cn_max_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_maxpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_min_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_minpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_10`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_5`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_6`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_7`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_8`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_9`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_byt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_pks`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_muligmptype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampalgo`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampint`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_seqctr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_spackets`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sysuptime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_template_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totbytsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totflowexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totpcktsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_unixnanosecs`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6flowlabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6optheaders`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.comp_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_rbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_sbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.criticality`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_agency_dst`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_analyzedby`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_other`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_primary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_secondary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bgpv6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bit9status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_context`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_control`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_datecret`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_dst_tld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_dst_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_src_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_event_uuid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_filetype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_desc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ip_next_hop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4dstpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4srcpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_lifetime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_log_medium`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_loginname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulescore`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulesign`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_opswatresult`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.cs_payload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrant`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrar`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_represult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_rpayload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sampler_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sourcemodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_streams`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_targetmodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_v6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_whois_server`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_yararesult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.description`*:: -+ --- -type: keyword - --- - -*`rsa.misc.devvendor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.distance`*:: -+ --- -type: keyword - --- - -*`rsa.misc.dstburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomaub`*:: -+ --- -type: keyword - --- - -*`rsa.misc.euid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facility`*:: -+ --- -type: keyword - --- - -*`rsa.misc.finterface`*:: -+ --- -type: keyword - --- - -*`rsa.misc.flags`*:: -+ --- -type: keyword - --- - -*`rsa.misc.gaddr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.id3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_buddyname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomtype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_members`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_username`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipscat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipspri`*:: -+ --- -type: keyword - --- - -*`rsa.misc.latitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.linenum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.list_name`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.load_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_floor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_mark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.longitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.lport`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mbug_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msg_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.netsessid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.nwwn`*:: -+ --- -type: keyword - --- - -*`rsa.misc.object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.operation`*:: -+ --- -type: keyword - --- - -*`rsa.misc.opkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.orig_from`*:: -+ --- -type: keyword - --- - -*`rsa.misc.owner_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_filter`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_group_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_result1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_chg`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_expire`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permgranted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permwanted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pgid`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.policyUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.prog_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.program`*:: -+ --- -type: keyword - --- - -*`rsa.misc.real_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_device`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_library`*:: -+ --- -type: keyword - --- - -*`rsa.misc.recordnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ruid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sdomain_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sec`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sensorname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.seqnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.session`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sessiontype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.spi`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcservice`*:: -+ --- -type: keyword - --- - -*`rsa.misc.state`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.svcno`*:: -+ --- -type: keyword - --- - -*`rsa.misc.system`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.threshold`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.udb_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.url_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.user_div`*:: -+ --- -type: keyword - --- - -*`rsa.misc.userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.username_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.utcstamp`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.v_instafname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.virt_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.vpnid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.autorun_type`*:: -+ --- -This is used to capture Auto Run type - -type: keyword - --- - -*`rsa.misc.cc_number`*:: -+ --- -Valid Credit Card Numbers only - -type: long - --- - -*`rsa.misc.content`*:: -+ --- -This key captures the content type from protocol headers - -type: keyword - --- - -*`rsa.misc.ein_number`*:: -+ --- -Employee Identification Numbers only - -type: long - --- - -*`rsa.misc.found`*:: -+ --- -This is used to capture the results of regex match - -type: keyword - --- - -*`rsa.misc.language`*:: -+ --- -This is used to capture list of languages the client support and what it prefers - -type: keyword - --- - -*`rsa.misc.lifetime`*:: -+ --- -This key is used to capture the session lifetime in seconds. - -type: long - --- - -*`rsa.misc.link`*:: -+ --- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.misc.match`*:: -+ --- -This key is for regex match name from search.ini - -type: keyword - --- - -*`rsa.misc.param_dst`*:: -+ --- -This key captures the command line/launch argument of the target process or file - -type: keyword - --- - -*`rsa.misc.param_src`*:: -+ --- -This key captures source parameter - -type: keyword - --- - -*`rsa.misc.search_text`*:: -+ --- -This key captures the Search Text used - -type: keyword - --- - -*`rsa.misc.sig_name`*:: -+ --- -This key is used to capture the Signature Name only. - -type: keyword - --- - -*`rsa.misc.snmp_value`*:: -+ --- -SNMP set request value - -type: keyword - --- - -*`rsa.misc.streams`*:: -+ --- -This key captures number of streams in session - -type: long - --- - - -*`rsa.db.index`*:: -+ --- -This key captures IndexID of the index. 
- -type: keyword - --- - -*`rsa.db.instance`*:: -+ --- -This key is used to capture the database server instance name - -type: keyword - --- - -*`rsa.db.database`*:: -+ --- -This key is used to capture the name of a database or an instance as seen in a session - -type: keyword - --- - -*`rsa.db.transact_id`*:: -+ --- -This key captures the SQL transantion ID of the current session - -type: keyword - --- - -*`rsa.db.permissions`*:: -+ --- -This key captures permission or privilege level assigned to a resource. - -type: keyword - --- - -*`rsa.db.table_name`*:: -+ --- -This key is used to capture the table name - -type: keyword - --- - -*`rsa.db.db_id`*:: -+ --- -This key is used to capture the unique identifier for a database - -type: keyword - --- - -*`rsa.db.db_pid`*:: -+ --- -This key captures the process id of a connection with database server - -type: long - --- - -*`rsa.db.lread`*:: -+ --- -This key is used for the number of logical reads - -type: long - --- - -*`rsa.db.lwrite`*:: -+ --- -This key is used for the number of logical writes - -type: long - --- - -*`rsa.db.pread`*:: -+ --- -This key is used for the number of physical writes - -type: long - --- - - -*`rsa.network.alias_host`*:: -+ --- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - -type: keyword - --- - -*`rsa.network.domain`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_dst`*:: -+ --- -This key should only be used when it’s a Destination Hostname - -type: keyword - --- - -*`rsa.network.network_service`*:: -+ --- -This is used to capture layer 7 protocols/service names - -type: keyword - --- - -*`rsa.network.interface`*:: -+ --- -This key should be used when the source or destination context of an interface is not clear - -type: keyword - --- - -*`rsa.network.network_port`*:: -+ --- -Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) - -type: long - --- - -*`rsa.network.eth_host`*:: -+ --- -Deprecated, use alias.mac - -type: keyword - --- - -*`rsa.network.sinterface`*:: -+ --- -This key should only be used when it’s a Source Interface - -type: keyword - --- - -*`rsa.network.dinterface`*:: -+ --- -This key should only be used when it’s a Destination Interface - -type: keyword - --- - -*`rsa.network.vlan`*:: -+ --- -This key should only be used to capture the ID of the Virtual LAN - -type: long - --- - -*`rsa.network.zone_src`*:: -+ --- -This key should only be used when it’s a Source Zone. - -type: keyword - --- - -*`rsa.network.zone`*:: -+ --- -This key should be used when the source or destination context of a Zone is not clear - -type: keyword - --- - -*`rsa.network.zone_dst`*:: -+ --- -This key should only be used when it’s a Destination Zone. - -type: keyword - --- - -*`rsa.network.gateway`*:: -+ --- -This key is used to capture the IP Address of the gateway - -type: keyword - --- - -*`rsa.network.icmp_type`*:: -+ --- -This key is used to capture the ICMP type only - -type: long - --- - -*`rsa.network.mask`*:: -+ --- -This key is used to capture the device network IPmask. 
- -type: keyword - --- - -*`rsa.network.icmp_code`*:: -+ --- -This key is used to capture the ICMP code only - -type: long - --- - -*`rsa.network.protocol_detail`*:: -+ --- -This key should be used to capture additional protocol information - -type: keyword - --- - -*`rsa.network.dmask`*:: -+ --- -This key is used for Destionation Device network mask - -type: keyword - --- - -*`rsa.network.port`*:: -+ --- -This key should only be used to capture a Network Port when the directionality is not clear - -type: long - --- - -*`rsa.network.smask`*:: -+ --- -This key is used for capturing source Network Mask - -type: keyword - --- - -*`rsa.network.netname`*:: -+ --- -This key is used to capture the network name associated with an IP range. This is configured by the end user. - -type: keyword - --- - -*`rsa.network.paddr`*:: -+ --- -Deprecated - -type: ip - --- - -*`rsa.network.faddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.lhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.origin`*:: -+ --- -type: keyword - --- - -*`rsa.network.remote_domain_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.addr`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_a_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_ptr_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.fhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.fport`*:: -+ --- -type: keyword - --- - -*`rsa.network.laddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.linterface`*:: -+ --- -type: keyword - --- - -*`rsa.network.phost`*:: -+ --- -type: keyword - --- - -*`rsa.network.ad_computer_dst`*:: -+ --- -Deprecated, use host.dst - -type: keyword - --- - -*`rsa.network.eth_type`*:: -+ --- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: long - --- - -*`rsa.network.ip_proto`*:: -+ --- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - -type: long - --- - -*`rsa.network.dns_cname_record`*:: -+ --- 
-type: keyword - --- - -*`rsa.network.dns_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_opcode`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_resp`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.domain1`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.packet_length`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_orig`*:: -+ --- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - -type: keyword - --- - -*`rsa.network.rpayload`*:: -+ --- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. - -type: keyword - --- - -*`rsa.network.vlan_name`*:: -+ --- -This key should only be used to capture the name of the Virtual LAN - -type: keyword - --- - - -*`rsa.investigations.ec_activity`*:: -+ --- -This key captures the particular event activity(Ex:Logoff) - -type: keyword - --- - -*`rsa.investigations.ec_theme`*:: -+ --- -This key captures the Theme of a particular Event(Ex:Authentication) - -type: keyword - --- - -*`rsa.investigations.ec_subject`*:: -+ --- -This key captures the Subject of a particular Event(Ex:User) - -type: keyword - --- - -*`rsa.investigations.ec_outcome`*:: -+ --- -This key captures the outcome of a particular Event(Ex:Success) - -type: keyword - --- - -*`rsa.investigations.event_cat`*:: -+ --- -This key captures the Event category number - -type: long - --- - -*`rsa.investigations.event_cat_name`*:: -+ --- -This key captures the event category name corresponding to the event cat code - -type: keyword - --- - -*`rsa.investigations.event_vcat`*:: -+ --- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - -type: keyword - --- - -*`rsa.investigations.analysis_file`*:: -+ --- -This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - -type: keyword - --- - -*`rsa.investigations.analysis_service`*:: -+ --- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - -type: keyword - --- - -*`rsa.investigations.analysis_session`*:: -+ --- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - -type: keyword - --- - -*`rsa.investigations.boc`*:: -+ --- -This is used to capture behaviour of compromise - -type: keyword - --- - -*`rsa.investigations.eoc`*:: -+ --- -This is used to capture Enablers of Compromise - -type: keyword - --- - -*`rsa.investigations.inv_category`*:: -+ --- -This used to capture investigation category - -type: keyword - --- - -*`rsa.investigations.inv_context`*:: -+ --- -This used to capture investigation context - -type: keyword - --- - -*`rsa.investigations.ioc`*:: -+ --- -This is key capture indicator of compromise - -type: keyword - --- - - -*`rsa.counters.dclass_c1`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c1.str only - -type: long - --- - -*`rsa.counters.dclass_c2`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c2.str only - -type: long - --- - -*`rsa.counters.event_counter`*:: -+ --- -This is used to capture the number of times an event repeated - -type: long - --- - -*`rsa.counters.dclass_r1`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r1.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c3.str only - -type: long - --- - -*`rsa.counters.dclass_c1_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c1 only - -type: keyword - --- - -*`rsa.counters.dclass_c2_str`*:: -+ --- -This is a generic counter string key that should be 
used with the label dclass.c2 only - -type: keyword - --- - -*`rsa.counters.dclass_r1_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r1 only - -type: keyword - --- - -*`rsa.counters.dclass_r2`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r2.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c3 only - -type: keyword - --- - -*`rsa.counters.dclass_r3`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r3.str only - -type: keyword - --- - -*`rsa.counters.dclass_r2_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r2 only - -type: keyword - --- - -*`rsa.counters.dclass_r3_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r3 only - -type: keyword - --- - - -*`rsa.identity.auth_method`*:: -+ --- -This key is used to capture authentication methods used only - -type: keyword - --- - -*`rsa.identity.user_role`*:: -+ --- -This key is used to capture the Role of a user only - -type: keyword - --- - -*`rsa.identity.dn`*:: -+ --- -X.500 (LDAP) Distinguished Name - -type: keyword - --- - -*`rsa.identity.logon_type`*:: -+ --- -This key is used to capture the type of logon method used. 
- -type: keyword - --- - -*`rsa.identity.profile`*:: -+ --- -This key is used to capture the user profile - -type: keyword - --- - -*`rsa.identity.accesses`*:: -+ --- -This key is used to capture actual privileges used in accessing an object - -type: keyword - --- - -*`rsa.identity.realm`*:: -+ --- -Radius realm or similar grouping of accounts - -type: keyword - --- - -*`rsa.identity.user_sid_dst`*:: -+ --- -This key captures Destination User Session ID - -type: keyword - --- - -*`rsa.identity.dn_src`*:: -+ --- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - -type: keyword - --- - -*`rsa.identity.org`*:: -+ --- -This key captures the User organization - -type: keyword - --- - -*`rsa.identity.dn_dst`*:: -+ --- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - -type: keyword - --- - -*`rsa.identity.firstname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.lastname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.user_dept`*:: -+ --- -User's Department Names only - -type: keyword - --- - -*`rsa.identity.user_sid_src`*:: -+ --- -This key captures Source User Session ID - -type: keyword - --- - -*`rsa.identity.federated_sp`*:: -+ --- -This key is the Federated Service Provider. This is the application requesting authentication. - -type: keyword - --- - -*`rsa.identity.federated_idp`*:: -+ --- -This key is the federated Identity Provider. This is the server providing the authentication. - -type: keyword - --- - -*`rsa.identity.logon_type_desc`*:: -+ --- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- -type: keyword - --- - -*`rsa.identity.middlename`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.password`*:: -+ --- -This key is for Passwords seen in any session, plain text or encrypted - -type: keyword - --- - -*`rsa.identity.host_role`*:: -+ --- -This key should only be used to capture the role of a Host Machine - -type: keyword - --- - -*`rsa.identity.ldap`*:: -+ --- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - -type: keyword - --- - -*`rsa.identity.ldap_query`*:: -+ --- -This key is the Search criteria from an LDAP search - -type: keyword - --- - -*`rsa.identity.ldap_response`*:: -+ --- -This key is to capture Results from an LDAP search - -type: keyword - --- - -*`rsa.identity.owner`*:: -+ --- -This is used to capture username the process or service is running as, the author of the task - -type: keyword - --- - -*`rsa.identity.service_account`*:: -+ --- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - -type: keyword - --- - - -*`rsa.email.email_dst`*:: -+ --- -This key is used to capture the Destination email address only, when the destination context is not clear use email - -type: keyword - --- - -*`rsa.email.email_src`*:: -+ --- -This key is used to capture the source email address only, when the source context is not clear use email - -type: keyword - --- - -*`rsa.email.subject`*:: -+ --- -This key is used to capture the subject string from an Email only. - -type: keyword - --- - -*`rsa.email.email`*:: -+ --- -This key is used to capture a generic email address where the source or destination context is not clear - -type: keyword - --- - -*`rsa.email.trans_from`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.email.trans_to`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - - -*`rsa.file.privilege`*:: -+ --- -Deprecated, use permissions - -type: keyword - --- - -*`rsa.file.attachment`*:: -+ --- -This key captures the attachment file name - -type: keyword - --- - -*`rsa.file.filesystem`*:: -+ --- -type: keyword - --- - -*`rsa.file.binary`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.file.filename_dst`*:: -+ --- -This is used to capture name of the file targeted by the action - -type: keyword - --- - -*`rsa.file.filename_src`*:: -+ --- -This is used to capture name of the parent filename, the file which performed the action - -type: keyword - --- - -*`rsa.file.filename_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.file.directory_dst`*:: -+ --- -This key is used to capture the directory of the target process or file - -type: keyword - --- - -*`rsa.file.directory_src`*:: -+ --- -This key is used to capture the directory of the source process or file - -type: keyword - --- - -*`rsa.file.file_entropy`*:: -+ --- -This is used to capture entropy vale of a file - -type: double - --- - -*`rsa.file.file_vendor`*:: -+ --- -This is used to capture Company name of file located in version_info - -type: keyword - --- - -*`rsa.file.task_name`*:: -+ --- -This is used to capture name of the task - -type: keyword - --- - - -*`rsa.web.fqdn`*:: -+ --- -Fully Qualified Domain Names - -type: keyword - --- - -*`rsa.web.web_cookie`*:: -+ --- -This key is used to capture the Web cookies specifically. - -type: keyword - --- - -*`rsa.web.alias_host`*:: -+ --- -type: keyword - --- - -*`rsa.web.reputation_num`*:: -+ --- -Reputation Number of an entity. 
Typically used for Web Domains - -type: double - --- - -*`rsa.web.web_ref_domain`*:: -+ --- -Web referer's domain - -type: keyword - --- - -*`rsa.web.web_ref_query`*:: -+ --- -This key captures Web referer's query portion of the URL - -type: keyword - --- - -*`rsa.web.remote_domain`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_ref_page`*:: -+ --- -This key captures Web referer's page information - -type: keyword - --- - -*`rsa.web.web_ref_root`*:: -+ --- -Web referer's root URL path - -type: keyword - --- - -*`rsa.web.cn_asn_dst`*:: -+ --- -type: keyword - --- - -*`rsa.web.cn_rpackets`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlpage`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlroot`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_url`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_user_agent`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_cookie`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_method`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_referer`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_extension_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_page`*:: -+ --- -type: keyword - --- - - -*`rsa.threat.threat_category`*:: -+ --- -This key captures Threat Name/Threat Category/Categorization of alert - -type: keyword - --- - -*`rsa.threat.threat_desc`*:: -+ --- -This key is used to capture the threat description from the session directly or inferred - -type: keyword - --- - -*`rsa.threat.alert`*:: -+ --- -This key is used to capture name of the alert - -type: keyword - --- - -*`rsa.threat.threat_source`*:: -+ --- -This key is used to capture source of the threat - -type: keyword - --- - - -*`rsa.crypto.crypto`*:: -+ --- -This key is used to capture the Encryption Type or Encryption Key only - -type: keyword - --- - -*`rsa.crypto.cipher_src`*:: -+ --- -This key is for Source (Client) Cipher - -type: keyword - --- - -*`rsa.crypto.cert_subject`*:: -+ --- -This key is used to capture the Certificate organization only - -type: keyword - --- 
- -*`rsa.crypto.peer`*:: -+ --- -This key is for Encryption peer's IP Address - -type: keyword - --- - -*`rsa.crypto.cipher_size_src`*:: -+ --- -This key captures Source (Client) Cipher Size - -type: long - --- - -*`rsa.crypto.ike`*:: -+ --- -IKE negotiation phase. - -type: keyword - --- - -*`rsa.crypto.scheme`*:: -+ --- -This key captures the Encryption scheme used - -type: keyword - --- - -*`rsa.crypto.peer_id`*:: -+ --- -This key is for Encryption peer’s identity - -type: keyword - --- - -*`rsa.crypto.sig_type`*:: -+ --- -This key captures the Signature Type - -type: keyword - --- - -*`rsa.crypto.cert_issuer`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.crypto.cert_error`*:: -+ --- -This key captures the Certificate Error String - -type: keyword - --- - -*`rsa.crypto.cipher_dst`*:: -+ --- -This key is for Destination (Server) Cipher - -type: keyword - --- - -*`rsa.crypto.cipher_size_dst`*:: -+ --- -This key captures Destination (Server) Cipher Size - -type: long - --- - -*`rsa.crypto.ssl_ver_src`*:: -+ --- -Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.d_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.s_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.ike_cookie1`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase One - -type: keyword - --- - -*`rsa.crypto.ike_cookie2`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase Two - -type: keyword - --- - -*`rsa.crypto.cert_checksum`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_cat`*:: -+ --- -This key is used for the hostname category value of a certificate - -type: keyword - --- - -*`rsa.crypto.cert_serial`*:: -+ --- -This key is used to capture the Certificate serial number only - -type: keyword - --- - -*`rsa.crypto.cert_status`*:: -+ --- -This key captures Certificate validation status - -type: keyword - --- - -*`rsa.crypto.ssl_ver_dst`*:: -+ --- 
-Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.cert_keysize`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_username`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_insact`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_valid`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_ca`*:: -+ --- -This key is used to capture the Certificate signing authority only - -type: keyword - --- - -*`rsa.crypto.cert_common`*:: -+ --- -This key is used to capture the Certificate common name only - -type: keyword - --- - - -*`rsa.wireless.wlan_ssid`*:: -+ --- -This key is used to capture the ssid of a Wireless Session - -type: keyword - --- - -*`rsa.wireless.access_point`*:: -+ --- -This key is used to capture the access point name. - -type: keyword - --- - -*`rsa.wireless.wlan_channel`*:: -+ --- -This is used to capture the channel names - -type: long - --- - -*`rsa.wireless.wlan_name`*:: -+ --- -This key captures either WLAN number/name - -type: keyword - --- - - -*`rsa.storage.disk_volume`*:: -+ --- -A unique name assigned to logical units (volumes) within a physical disk - -type: keyword - --- - -*`rsa.storage.lun`*:: -+ --- -Logical Unit Number.This key is a very useful concept in Storage. - -type: keyword - --- - -*`rsa.storage.pwwn`*:: -+ --- -This uniquely identifies a port on a HBA. - -type: keyword - --- - - -*`rsa.physical.org_dst`*:: -+ --- -This is used to capture the destination organization based on the GEOPIP Maxmind database. - -type: keyword - --- - -*`rsa.physical.org_src`*:: -+ --- -This is used to capture the source organization based on the GEOPIP Maxmind database. 
- -type: keyword - --- - - -*`rsa.healthcare.patient_fname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_id`*:: -+ --- -This key captures the unique ID for a patient - -type: keyword - --- - -*`rsa.healthcare.patient_lname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_mname`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - - -*`rsa.endpoint.host_state`*:: -+ --- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - -type: keyword - --- - -*`rsa.endpoint.registry_key`*:: -+ --- -This key captures the path to the registry key - -type: keyword - --- - -*`rsa.endpoint.registry_value`*:: -+ --- -This key captures values or decorators used within a registry entry - -type: keyword - --- - -[[exported-fields-infoblox]] -== Infoblox NIOS fields - -infoblox fields. - - - -*`network.interface.name`*:: -+ --- -Name of the network interface where the traffic has been observed. - - -type: keyword - --- - - - -*`rsa.internal.msg`*:: -+ --- -This key is used to capture the raw message that comes into the Log Decoder - -type: keyword - --- - -*`rsa.internal.messageid`*:: -+ --- -type: keyword - --- - -*`rsa.internal.event_desc`*:: -+ --- -type: keyword - --- - -*`rsa.internal.message`*:: -+ --- -This key captures the contents of instant messages - -type: keyword - --- - -*`rsa.internal.time`*:: -+ --- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 
- -type: date - --- - -*`rsa.internal.level`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.msg_id`*:: -+ --- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.msg_vid`*:: -+ --- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.data`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_server`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_val`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.resource`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_id`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.statement`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.audit_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.entry`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.hcode`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.inode`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.resource_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.dead`*:: -+ --- -Deprecated key defined only in table map. 
- -type: long - --- - -*`rsa.internal.feed_desc`*:: -+ --- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.feed_name`*:: -+ --- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.cid`*:: -+ --- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_class`*:: -+ --- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_group`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_host`*:: -+ --- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_ip`*:: -+ --- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_ipv6`*:: -+ --- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_type`*:: -+ --- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_type_id`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.did`*:: -+ --- -This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.entropy_req`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.entropy_res`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.event_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.feed_category`*:: -+ --- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.forward_ip`*:: -+ --- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: ip - --- - -*`rsa.internal.forward_ipv6`*:: -+ --- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.header_id`*:: -+ --- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_cid`*:: -+ --- -This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_ctime`*:: -+ --- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: date - --- - -*`rsa.internal.mcb_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcb_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcbc_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.mcbc_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.medium`*:: -+ --- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: long - --- - -*`rsa.internal.node_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.nwe_callback_id`*:: -+ --- -This key denotes that event is endpoint related - -type: keyword - --- - -*`rsa.internal.parse_error`*:: -+ --- -This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.payload_req`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.payload_res`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.process_vid_dst`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - -type: keyword - --- - -*`rsa.internal.process_vid_src`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - -type: keyword - --- - -*`rsa.internal.rid`*:: -+ --- -This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.session_split`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.site`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.size`*:: -+ --- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.sourcefile`*:: -+ --- -This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.ubc_req`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.ubc_res`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.word`*:: -+ --- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - -type: keyword - --- - - -*`rsa.time.event_time`*:: -+ --- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - -type: date - --- - -*`rsa.time.duration_time`*:: -+ --- -This key is used to capture the normalized duration/lifetime in seconds. 
- -type: double - --- - -*`rsa.time.event_time_str`*:: -+ --- -This key is used to capture the incomplete time mentioned in a session as a string - -type: keyword - --- - -*`rsa.time.starttime`*:: -+ --- -This key is used to capture the Start time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.month`*:: -+ --- -type: keyword - --- - -*`rsa.time.day`*:: -+ --- -type: keyword - --- - -*`rsa.time.endtime`*:: -+ --- -This key is used to capture the End time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.timezone`*:: -+ --- -This key is used to capture the timezone of the Event Time - -type: keyword - --- - -*`rsa.time.duration_str`*:: -+ --- -A text string version of the duration - -type: keyword - --- - -*`rsa.time.date`*:: -+ --- -type: keyword - --- - -*`rsa.time.year`*:: -+ --- -type: keyword - --- - -*`rsa.time.recorded_time`*:: -+ --- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date - --- - -*`rsa.time.datetime`*:: -+ --- -type: keyword - --- - -*`rsa.time.effective_time`*:: -+ --- -This key is the effective time referenced by an individual event in a Standard Timestamp format - -type: date - --- - -*`rsa.time.expire_time`*:: -+ --- -This key is the timestamp that explicitly refers to an expiration. - -type: date - --- - -*`rsa.time.process_time`*:: -+ --- -Deprecated, use duration.time - -type: keyword - --- - -*`rsa.time.hour`*:: -+ --- -type: keyword - --- - -*`rsa.time.min`*:: -+ --- -type: keyword - --- - -*`rsa.time.timestamp`*:: -+ --- -type: keyword - --- - -*`rsa.time.event_queue_time`*:: -+ --- -This key is the Time that the event was queued. 
- -type: date - --- - -*`rsa.time.p_time1`*:: -+ --- -type: keyword - --- - -*`rsa.time.tzone`*:: -+ --- -type: keyword - --- - -*`rsa.time.eventtime`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmtdate`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmttime`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_date`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_month`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time2`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_year`*:: -+ --- -type: keyword - --- - -*`rsa.time.expire_time_str`*:: -+ --- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. - -type: keyword - --- - -*`rsa.time.stamp`*:: -+ --- -Deprecated key defined only in table map. - -type: date - --- - - -*`rsa.misc.action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.result`*:: -+ --- -This key is used to capture the outcome/result string value of an action in a session. - -type: keyword - --- - -*`rsa.misc.severity`*:: -+ --- -This key is used to capture the severity given the session - -type: keyword - --- - -*`rsa.misc.event_type`*:: -+ --- -This key captures the event category type as specified by the event source. - -type: keyword - --- - -*`rsa.misc.reference_id`*:: -+ --- -This key is used to capture an event id from the session directly - -type: keyword - --- - -*`rsa.misc.version`*:: -+ --- -This key captures Version of the application or OS which is generating the event. - -type: keyword - --- - -*`rsa.misc.disposition`*:: -+ --- -This key captures the The end state of an action. 
- -type: keyword - --- - -*`rsa.misc.result_code`*:: -+ --- -This key is used to capture the outcome/result numeric value of an action in a session - -type: keyword - --- - -*`rsa.misc.category`*:: -+ --- -This key is used to capture the category of an event given by the vendor in the session - -type: keyword - --- - -*`rsa.misc.obj_name`*:: -+ --- -This is used to capture name of object - -type: keyword - --- - -*`rsa.misc.obj_type`*:: -+ --- -This is used to capture type of object - -type: keyword - --- - -*`rsa.misc.event_source`*:: -+ --- -This key captures Source of the event that’s not a hostname - -type: keyword - --- - -*`rsa.misc.log_session_id`*:: -+ --- -This key is used to capture a sessionid from the session directly - -type: keyword - --- - -*`rsa.misc.group`*:: -+ --- -This key captures the Group Name value - -type: keyword - --- - -*`rsa.misc.policy_name`*:: -+ --- -This key is used to capture the Policy Name only. - -type: keyword - --- - -*`rsa.misc.rule_name`*:: -+ --- -This key captures the Rule Name - -type: keyword - --- - -*`rsa.misc.context`*:: -+ --- -This key captures Information which adds additional context to the event. - -type: keyword - --- - -*`rsa.misc.change_new`*:: -+ --- -This key is used to capture the new values of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.space`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client`*:: -+ --- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- -type: keyword - --- - -*`rsa.misc.msgIdPart1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.change_old`*:: -+ --- -This key is used to capture the old value of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.operation_id`*:: -+ --- -An alert number or operation number. The values should be unique and non-repeating. - -type: keyword - --- - -*`rsa.misc.event_state`*:: -+ --- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - -type: keyword - --- - -*`rsa.misc.group_object`*:: -+ --- -This key captures a collection/grouping of entities. Specific usage - -type: keyword - --- - -*`rsa.misc.node`*:: -+ --- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - -type: keyword - --- - -*`rsa.misc.rule`*:: -+ --- -This key captures the Rule number - -type: keyword - --- - -*`rsa.misc.device_name`*:: -+ --- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - -type: keyword - --- - -*`rsa.misc.param`*:: -+ --- -This key is the parameters passed as part of a command or application, etc. - -type: keyword - --- - -*`rsa.misc.change_attrib`*:: -+ --- -This key is used to capture the name of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.event_computer`*:: -+ --- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- -type: keyword - --- - -*`rsa.misc.reference_id1`*:: -+ --- -This key is for Linked ID to be used as an addition to "reference.id" - -type: keyword - --- - -*`rsa.misc.event_log`*:: -+ --- -This key captures the Name of the event log - -type: keyword - --- - -*`rsa.misc.OS`*:: -+ --- -This key captures the Name of the Operating System - -type: keyword - --- - -*`rsa.misc.terminal`*:: -+ --- -This key captures the Terminal Names only - -type: keyword - --- - -*`rsa.misc.msgIdPart3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.filter`*:: -+ --- -This key captures Filter used to reduce result set - -type: keyword - --- - -*`rsa.misc.serial_number`*:: -+ --- -This key is the Serial number associated with a physical asset. - -type: keyword - --- - -*`rsa.misc.checksum`*:: -+ --- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - -type: keyword - --- - -*`rsa.misc.event_user`*:: -+ --- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - -type: keyword - --- - -*`rsa.misc.virusname`*:: -+ --- -This key captures the name of the virus - -type: keyword - --- - -*`rsa.misc.content_type`*:: -+ --- -This key is used to capture Content Type only. - -type: keyword - --- - -*`rsa.misc.group_id`*:: -+ --- -This key captures Group ID Number (related to the group name) - -type: keyword - --- - -*`rsa.misc.policy_id`*:: -+ --- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - -type: keyword - --- - -*`rsa.misc.vsys`*:: -+ --- -This key captures Virtual System Name - -type: keyword - --- - -*`rsa.misc.connection_id`*:: -+ --- -This key captures the Connection ID - -type: keyword - --- - -*`rsa.misc.reference_id2`*:: -+ --- -This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - -type: keyword - --- - -*`rsa.misc.sensor`*:: -+ --- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - -type: keyword - --- - -*`rsa.misc.sig_id`*:: -+ --- -This key captures IDS/IPS Int Signature ID - -type: long - --- - -*`rsa.misc.port_name`*:: -+ --- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - -type: keyword - --- - -*`rsa.misc.rule_group`*:: -+ --- -This key captures the Rule group name - -type: keyword - --- - -*`rsa.misc.risk_num`*:: -+ --- -This key captures a Numeric Risk value - -type: double - --- - -*`rsa.misc.trigger_val`*:: -+ --- -This key captures the Value of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.log_session_id1`*:: -+ --- -This key is used to capture a Linked (Related) Session ID from the session directly - -type: keyword - --- - -*`rsa.misc.comp_version`*:: -+ --- -This key captures the Version level of a sub-component of a product. - -type: keyword - --- - -*`rsa.misc.content_version`*:: -+ --- -This key captures Version level of a signature or database content. - -type: keyword - --- - -*`rsa.misc.hardware_id`*:: -+ --- -This key is used to capture unique identifier for a device or system (NOT a Mac address) - -type: keyword - --- - -*`rsa.misc.risk`*:: -+ --- -This key captures the non-numeric risk value - -type: keyword - --- - -*`rsa.misc.event_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.reason`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mail_id`*:: -+ --- -This key is used to capture the mailbox id/name - -type: keyword - --- - -*`rsa.misc.rule_uid`*:: -+ --- -This key is the Unique Identifier for a rule. 
- -type: keyword - --- - -*`rsa.misc.trigger_desc`*:: -+ --- -This key captures the Description of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.inout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.data_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.error`*:: -+ --- -This key captures All non successful Error codes or responses - -type: keyword - --- - -*`rsa.misc.index`*:: -+ --- -type: keyword - --- - -*`rsa.misc.listnum`*:: -+ --- -This key is used to capture listname or listnumber, primarily for collecting access-list - -type: keyword - --- - -*`rsa.misc.ntype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.observed_val`*:: -+ --- -This key captures the Value observed (from the perspective of the device generating the log). - -type: keyword - --- - -*`rsa.misc.policy_value`*:: -+ --- -This key captures the contents of the policy. This contains details about the policy - -type: keyword - --- - -*`rsa.misc.pool_name`*:: -+ --- -This key captures the name of a resource pool - -type: keyword - --- - -*`rsa.misc.rule_template`*:: -+ --- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - -type: keyword - --- - -*`rsa.misc.count`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigcat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comments`*:: -+ --- -Comment information provided in the log message - -type: keyword - --- - -*`rsa.misc.doc_number`*:: -+ --- -This key captures File Identification number - -type: long - --- - -*`rsa.misc.expected_val`*:: -+ --- -This key captures the Value expected (from the perspective of the device generating the log). 
- -type: keyword - --- - -*`rsa.misc.job_num`*:: -+ --- -This key captures the Job Number - -type: keyword - --- - -*`rsa.misc.spi_dst`*:: -+ --- -Destination SPI Index - -type: keyword - --- - -*`rsa.misc.spi_src`*:: -+ --- -Source SPI Index - -type: keyword - --- - -*`rsa.misc.code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.agent_id`*:: -+ --- -This key is used to capture agent id - -type: keyword - --- - -*`rsa.misc.message_body`*:: -+ --- -This key captures the The contents of the message body. - -type: keyword - --- - -*`rsa.misc.phone`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sig_id_str`*:: -+ --- -This key captures a string object of the sigid variable. - -type: keyword - --- - -*`rsa.misc.cmd`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu`*:: -+ --- -This key is the CPU time used in the execution of the event being recorded. - -type: long - --- - -*`rsa.misc.event_desc`*:: -+ --- -This key is used to capture a description of an event available directly or inferred - -type: keyword - --- - -*`rsa.misc.sig_id1`*:: -+ --- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - -type: long - --- - -*`rsa.misc.im_buddyid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_client`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.priority`*:: -+ --- -type: keyword - --- - -*`rsa.misc.context_subject`*:: -+ --- -This key is to be used in an audit context where the subject is the object being identified - -type: keyword - --- - -*`rsa.misc.context_target`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cve`*:: -+ --- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - -type: keyword - --- - -*`rsa.misc.fcatnum`*:: -+ --- -This key captures Filter Category Number. 
Legacy Usage - -type: keyword - --- - -*`rsa.misc.library`*:: -+ --- -This key is used to capture library information in mainframe devices - -type: keyword - --- - -*`rsa.misc.parent_node`*:: -+ --- -This key captures the Parent Node Name. Must be related to node variable. - -type: keyword - --- - -*`rsa.misc.risk_info`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.tcp_flags`*:: -+ --- -This key is captures the TCP flags set in any packet of session - -type: long - --- - -*`rsa.misc.tos`*:: -+ --- -This key describes the type of service - -type: long - --- - -*`rsa.misc.vm_target`*:: -+ --- -VMWare Target **VMWARE** only varaible. - -type: keyword - --- - -*`rsa.misc.workspace`*:: -+ --- -This key captures Workspace Description - -type: keyword - --- - -*`rsa.misc.command`*:: -+ --- -type: keyword - --- - -*`rsa.misc.event_category`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facilityname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.forensic_info`*:: -+ --- -type: keyword - --- - -*`rsa.misc.jobname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy_waiver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.second`*:: -+ --- -type: keyword - --- - -*`rsa.misc.space1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.subcategory`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alert_id`*:: -+ --- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.checksum_dst`*:: -+ --- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - -type: keyword - --- - -*`rsa.misc.checksum_src`*:: -+ --- -This key is used to capture the checksum or hash of the source entity such as a file or process. 
- -type: keyword - --- - -*`rsa.misc.fresult`*:: -+ --- -This key captures the Filter Result - -type: long - --- - -*`rsa.misc.payload_dst`*:: -+ --- -This key is used to capture destination payload - -type: keyword - --- - -*`rsa.misc.payload_src`*:: -+ --- -This key is used to capture source payload - -type: keyword - --- - -*`rsa.misc.pool_id`*:: -+ --- -This key captures the identifier (typically numeric field) of a resource pool - -type: keyword - --- - -*`rsa.misc.process_id_val`*:: -+ --- -This key is a failure key for Process ID when it is not an integer value - -type: keyword - --- - -*`rsa.misc.risk_num_comm`*:: -+ --- -This key captures Risk Number Community - -type: double - --- - -*`rsa.misc.risk_num_next`*:: -+ --- -This key captures Risk Number NextGen - -type: double - --- - -*`rsa.misc.risk_num_sand`*:: -+ --- -This key captures Risk Number SandBox - -type: double - --- - -*`rsa.misc.risk_num_static`*:: -+ --- -This key captures Risk Number Static - -type: double - --- - -*`rsa.misc.risk_suspicious`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.risk_warning`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.snmp_oid`*:: -+ --- -SNMP Object Identifier - -type: keyword - --- - -*`rsa.misc.sql`*:: -+ --- -This key captures the SQL query - -type: keyword - --- - -*`rsa.misc.vuln_ref`*:: -+ --- -This key captures the Vulnerability Reference details - -type: keyword - --- - -*`rsa.misc.acl_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_op`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_pos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_table`*:: -+ --- -type: keyword - --- - -*`rsa.misc.admin`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarm_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarmname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.app_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.audit`*:: 
-+ --- -type: keyword - --- - -*`rsa.misc.audit_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.auditdata`*:: -+ --- -type: keyword - --- - -*`rsa.misc.benchmark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.bypass`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache_hit`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cefversion`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_attr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_obj`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_path`*:: -+ --- -type: keyword - --- - -*`rsa.misc.changes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client_ip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.clustermembers`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_acttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_asn_src`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_bgpv4nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ctr_dst_code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_f_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampintv`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampmode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inacttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermbyts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermpckts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_invalid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ip_proto_ver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ipv4_ident`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_l_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_did`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_rid`*:: -+ --- -type: keyword - 
--- - -*`rsa.misc.cn_max_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_maxpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_min_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_minpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_10`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_5`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_6`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_7`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_8`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_9`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_byt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_pks`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_muligmptype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampalgo`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampint`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_seqctr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_spackets`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sysuptime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_template_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totbytsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totflowexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totpcktsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_unixnanosecs`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6flowlabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6optheaders`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.comp_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_rbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_sbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.criticality`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_agency_dst`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_analyzedby`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_other`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_primary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_secondary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bgpv6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bit9status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_context`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_control`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_datecret`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_dst_tld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_dst_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_src_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_event_uuid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_filetype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_desc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ip_next_hop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4dstpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4srcpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_lifetime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_log_medium`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_loginname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulescore`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulesign`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_opswatresult`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.cs_payload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrant`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrar`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_represult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_rpayload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sampler_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sourcemodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_streams`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_targetmodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_v6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_whois_server`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_yararesult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.description`*:: -+ --- -type: keyword - --- - -*`rsa.misc.devvendor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.distance`*:: -+ --- -type: keyword - --- - -*`rsa.misc.dstburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomaub`*:: -+ --- -type: keyword - --- - -*`rsa.misc.euid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facility`*:: -+ --- -type: keyword - --- - -*`rsa.misc.finterface`*:: -+ --- -type: keyword - --- - -*`rsa.misc.flags`*:: -+ --- -type: keyword - --- - -*`rsa.misc.gaddr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.id3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_buddyname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomtype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_members`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_username`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipscat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipspri`*:: -+ --- -type: keyword - --- - -*`rsa.misc.latitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.linenum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.list_name`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.load_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_floor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_mark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.longitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.lport`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mbug_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msg_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.netsessid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.nwwn`*:: -+ --- -type: keyword - --- - -*`rsa.misc.object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.operation`*:: -+ --- -type: keyword - --- - -*`rsa.misc.opkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.orig_from`*:: -+ --- -type: keyword - --- - -*`rsa.misc.owner_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_filter`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_group_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_result1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_chg`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_expire`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permgranted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permwanted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pgid`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.policyUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.prog_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.program`*:: -+ --- -type: keyword - --- - -*`rsa.misc.real_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_device`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_library`*:: -+ --- -type: keyword - --- - -*`rsa.misc.recordnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ruid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sdomain_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sec`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sensorname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.seqnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.session`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sessiontype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.spi`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcservice`*:: -+ --- -type: keyword - --- - -*`rsa.misc.state`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.svcno`*:: -+ --- -type: keyword - --- - -*`rsa.misc.system`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.threshold`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.udb_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.url_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.user_div`*:: -+ --- -type: keyword - --- - -*`rsa.misc.userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.username_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.utcstamp`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.v_instafname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.virt_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.vpnid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.autorun_type`*:: -+ --- -This is used to capture Auto Run type - -type: keyword - --- - -*`rsa.misc.cc_number`*:: -+ --- -Valid Credit Card Numbers only - -type: long - --- - -*`rsa.misc.content`*:: -+ --- -This key captures the content type from protocol headers - -type: keyword - --- - -*`rsa.misc.ein_number`*:: -+ --- -Employee Identification Numbers only - -type: long - --- - -*`rsa.misc.found`*:: -+ --- -This is used to capture the results of regex match - -type: keyword - --- - -*`rsa.misc.language`*:: -+ --- -This is used to capture list of languages the client support and what it prefers - -type: keyword - --- - -*`rsa.misc.lifetime`*:: -+ --- -This key is used to capture the session lifetime in seconds. - -type: long - --- - -*`rsa.misc.link`*:: -+ --- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.misc.match`*:: -+ --- -This key is for regex match name from search.ini - -type: keyword - --- - -*`rsa.misc.param_dst`*:: -+ --- -This key captures the command line/launch argument of the target process or file - -type: keyword - --- - -*`rsa.misc.param_src`*:: -+ --- -This key captures source parameter - -type: keyword - --- - -*`rsa.misc.search_text`*:: -+ --- -This key captures the Search Text used - -type: keyword - --- - -*`rsa.misc.sig_name`*:: -+ --- -This key is used to capture the Signature Name only. - -type: keyword - --- - -*`rsa.misc.snmp_value`*:: -+ --- -SNMP set request value - -type: keyword - --- - -*`rsa.misc.streams`*:: -+ --- -This key captures number of streams in session - -type: long - --- - - -*`rsa.db.index`*:: -+ --- -This key captures IndexID of the index. 
- -type: keyword - --- - -*`rsa.db.instance`*:: -+ --- -This key is used to capture the database server instance name - -type: keyword - --- - -*`rsa.db.database`*:: -+ --- -This key is used to capture the name of a database or an instance as seen in a session - -type: keyword - --- - -*`rsa.db.transact_id`*:: -+ --- -This key captures the SQL transantion ID of the current session - -type: keyword - --- - -*`rsa.db.permissions`*:: -+ --- -This key captures permission or privilege level assigned to a resource. - -type: keyword - --- - -*`rsa.db.table_name`*:: -+ --- -This key is used to capture the table name - -type: keyword - --- - -*`rsa.db.db_id`*:: -+ --- -This key is used to capture the unique identifier for a database - -type: keyword - --- - -*`rsa.db.db_pid`*:: -+ --- -This key captures the process id of a connection with database server - -type: long - --- - -*`rsa.db.lread`*:: -+ --- -This key is used for the number of logical reads - -type: long - --- - -*`rsa.db.lwrite`*:: -+ --- -This key is used for the number of logical writes - -type: long - --- - -*`rsa.db.pread`*:: -+ --- -This key is used for the number of physical writes - -type: long - --- - - -*`rsa.network.alias_host`*:: -+ --- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - -type: keyword - --- - -*`rsa.network.domain`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_dst`*:: -+ --- -This key should only be used when it’s a Destination Hostname - -type: keyword - --- - -*`rsa.network.network_service`*:: -+ --- -This is used to capture layer 7 protocols/service names - -type: keyword - --- - -*`rsa.network.interface`*:: -+ --- -This key should be used when the source or destination context of an interface is not clear - -type: keyword - --- - -*`rsa.network.network_port`*:: -+ --- -Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) - -type: long - --- - -*`rsa.network.eth_host`*:: -+ --- -Deprecated, use alias.mac - -type: keyword - --- - -*`rsa.network.sinterface`*:: -+ --- -This key should only be used when it’s a Source Interface - -type: keyword - --- - -*`rsa.network.dinterface`*:: -+ --- -This key should only be used when it’s a Destination Interface - -type: keyword - --- - -*`rsa.network.vlan`*:: -+ --- -This key should only be used to capture the ID of the Virtual LAN - -type: long - --- - -*`rsa.network.zone_src`*:: -+ --- -This key should only be used when it’s a Source Zone. - -type: keyword - --- - -*`rsa.network.zone`*:: -+ --- -This key should be used when the source or destination context of a Zone is not clear - -type: keyword - --- - -*`rsa.network.zone_dst`*:: -+ --- -This key should only be used when it’s a Destination Zone. - -type: keyword - --- - -*`rsa.network.gateway`*:: -+ --- -This key is used to capture the IP Address of the gateway - -type: keyword - --- - -*`rsa.network.icmp_type`*:: -+ --- -This key is used to capture the ICMP type only - -type: long - --- - -*`rsa.network.mask`*:: -+ --- -This key is used to capture the device network IPmask. 
- -type: keyword - --- - -*`rsa.network.icmp_code`*:: -+ --- -This key is used to capture the ICMP code only - -type: long - --- - -*`rsa.network.protocol_detail`*:: -+ --- -This key should be used to capture additional protocol information - -type: keyword - --- - -*`rsa.network.dmask`*:: -+ --- -This key is used for Destionation Device network mask - -type: keyword - --- - -*`rsa.network.port`*:: -+ --- -This key should only be used to capture a Network Port when the directionality is not clear - -type: long - --- - -*`rsa.network.smask`*:: -+ --- -This key is used for capturing source Network Mask - -type: keyword - --- - -*`rsa.network.netname`*:: -+ --- -This key is used to capture the network name associated with an IP range. This is configured by the end user. - -type: keyword - --- - -*`rsa.network.paddr`*:: -+ --- -Deprecated - -type: ip - --- - -*`rsa.network.faddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.lhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.origin`*:: -+ --- -type: keyword - --- - -*`rsa.network.remote_domain_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.addr`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_a_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_ptr_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.fhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.fport`*:: -+ --- -type: keyword - --- - -*`rsa.network.laddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.linterface`*:: -+ --- -type: keyword - --- - -*`rsa.network.phost`*:: -+ --- -type: keyword - --- - -*`rsa.network.ad_computer_dst`*:: -+ --- -Deprecated, use host.dst - -type: keyword - --- - -*`rsa.network.eth_type`*:: -+ --- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: long - --- - -*`rsa.network.ip_proto`*:: -+ --- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - -type: long - --- - -*`rsa.network.dns_cname_record`*:: -+ --- 
-type: keyword - --- - -*`rsa.network.dns_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_opcode`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_resp`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.domain1`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.packet_length`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_orig`*:: -+ --- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - -type: keyword - --- - -*`rsa.network.rpayload`*:: -+ --- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. - -type: keyword - --- - -*`rsa.network.vlan_name`*:: -+ --- -This key should only be used to capture the name of the Virtual LAN - -type: keyword - --- - - -*`rsa.investigations.ec_activity`*:: -+ --- -This key captures the particular event activity(Ex:Logoff) - -type: keyword - --- - -*`rsa.investigations.ec_theme`*:: -+ --- -This key captures the Theme of a particular Event(Ex:Authentication) - -type: keyword - --- - -*`rsa.investigations.ec_subject`*:: -+ --- -This key captures the Subject of a particular Event(Ex:User) - -type: keyword - --- - -*`rsa.investigations.ec_outcome`*:: -+ --- -This key captures the outcome of a particular Event(Ex:Success) - -type: keyword - --- - -*`rsa.investigations.event_cat`*:: -+ --- -This key captures the Event category number - -type: long - --- - -*`rsa.investigations.event_cat_name`*:: -+ --- -This key captures the event category name corresponding to the event cat code - -type: keyword - --- - -*`rsa.investigations.event_vcat`*:: -+ --- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - -type: keyword - --- - -*`rsa.investigations.analysis_file`*:: -+ --- -This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - -type: keyword - --- - -*`rsa.investigations.analysis_service`*:: -+ --- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - -type: keyword - --- - -*`rsa.investigations.analysis_session`*:: -+ --- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - -type: keyword - --- - -*`rsa.investigations.boc`*:: -+ --- -This is used to capture behaviour of compromise - -type: keyword - --- - -*`rsa.investigations.eoc`*:: -+ --- -This is used to capture Enablers of Compromise - -type: keyword - --- - -*`rsa.investigations.inv_category`*:: -+ --- -This used to capture investigation category - -type: keyword - --- - -*`rsa.investigations.inv_context`*:: -+ --- -This used to capture investigation context - -type: keyword - --- - -*`rsa.investigations.ioc`*:: -+ --- -This is key capture indicator of compromise - -type: keyword - --- - - -*`rsa.counters.dclass_c1`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c1.str only - -type: long - --- - -*`rsa.counters.dclass_c2`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c2.str only - -type: long - --- - -*`rsa.counters.event_counter`*:: -+ --- -This is used to capture the number of times an event repeated - -type: long - --- - -*`rsa.counters.dclass_r1`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r1.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c3.str only - -type: long - --- - -*`rsa.counters.dclass_c1_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c1 only - -type: keyword - --- - -*`rsa.counters.dclass_c2_str`*:: -+ --- -This is a generic counter string key that should be 
used with the label dclass.c2 only - -type: keyword - --- - -*`rsa.counters.dclass_r1_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r1 only - -type: keyword - --- - -*`rsa.counters.dclass_r2`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r2.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c3 only - -type: keyword - --- - -*`rsa.counters.dclass_r3`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r3.str only - -type: keyword - --- - -*`rsa.counters.dclass_r2_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r2 only - -type: keyword - --- - -*`rsa.counters.dclass_r3_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r3 only - -type: keyword - --- - - -*`rsa.identity.auth_method`*:: -+ --- -This key is used to capture authentication methods used only - -type: keyword - --- - -*`rsa.identity.user_role`*:: -+ --- -This key is used to capture the Role of a user only - -type: keyword - --- - -*`rsa.identity.dn`*:: -+ --- -X.500 (LDAP) Distinguished Name - -type: keyword - --- - -*`rsa.identity.logon_type`*:: -+ --- -This key is used to capture the type of logon method used. 
- -type: keyword - --- - -*`rsa.identity.profile`*:: -+ --- -This key is used to capture the user profile - -type: keyword - --- - -*`rsa.identity.accesses`*:: -+ --- -This key is used to capture actual privileges used in accessing an object - -type: keyword - --- - -*`rsa.identity.realm`*:: -+ --- -Radius realm or similar grouping of accounts - -type: keyword - --- - -*`rsa.identity.user_sid_dst`*:: -+ --- -This key captures Destination User Session ID - -type: keyword - --- - -*`rsa.identity.dn_src`*:: -+ --- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - -type: keyword - --- - -*`rsa.identity.org`*:: -+ --- -This key captures the User organization - -type: keyword - --- - -*`rsa.identity.dn_dst`*:: -+ --- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - -type: keyword - --- - -*`rsa.identity.firstname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.lastname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.user_dept`*:: -+ --- -User's Department Names only - -type: keyword - --- - -*`rsa.identity.user_sid_src`*:: -+ --- -This key captures Source User Session ID - -type: keyword - --- - -*`rsa.identity.federated_sp`*:: -+ --- -This key is the Federated Service Provider. This is the application requesting authentication. - -type: keyword - --- - -*`rsa.identity.federated_idp`*:: -+ --- -This key is the federated Identity Provider. This is the server providing the authentication. - -type: keyword - --- - -*`rsa.identity.logon_type_desc`*:: -+ --- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- -type: keyword - --- - -*`rsa.identity.middlename`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.password`*:: -+ --- -This key is for Passwords seen in any session, plain text or encrypted - -type: keyword - --- - -*`rsa.identity.host_role`*:: -+ --- -This key should only be used to capture the role of a Host Machine - -type: keyword - --- - -*`rsa.identity.ldap`*:: -+ --- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - -type: keyword - --- - -*`rsa.identity.ldap_query`*:: -+ --- -This key is the Search criteria from an LDAP search - -type: keyword - --- - -*`rsa.identity.ldap_response`*:: -+ --- -This key is to capture Results from an LDAP search - -type: keyword - --- - -*`rsa.identity.owner`*:: -+ --- -This is used to capture username the process or service is running as, the author of the task - -type: keyword - --- - -*`rsa.identity.service_account`*:: -+ --- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - -type: keyword - --- - - -*`rsa.email.email_dst`*:: -+ --- -This key is used to capture the Destination email address only, when the destination context is not clear use email - -type: keyword - --- - -*`rsa.email.email_src`*:: -+ --- -This key is used to capture the source email address only, when the source context is not clear use email - -type: keyword - --- - -*`rsa.email.subject`*:: -+ --- -This key is used to capture the subject string from an Email only. - -type: keyword - --- - -*`rsa.email.email`*:: -+ --- -This key is used to capture a generic email address where the source or destination context is not clear - -type: keyword - --- - -*`rsa.email.trans_from`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.email.trans_to`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - - -*`rsa.file.privilege`*:: -+ --- -Deprecated, use permissions - -type: keyword - --- - -*`rsa.file.attachment`*:: -+ --- -This key captures the attachment file name - -type: keyword - --- - -*`rsa.file.filesystem`*:: -+ --- -type: keyword - --- - -*`rsa.file.binary`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.file.filename_dst`*:: -+ --- -This is used to capture name of the file targeted by the action - -type: keyword - --- - -*`rsa.file.filename_src`*:: -+ --- -This is used to capture name of the parent filename, the file which performed the action - -type: keyword - --- - -*`rsa.file.filename_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.file.directory_dst`*:: -+ --- -This key is used to capture the directory of the target process or file - -type: keyword - --- - -*`rsa.file.directory_src`*:: -+ --- -This key is used to capture the directory of the source process or file - -type: keyword - --- - -*`rsa.file.file_entropy`*:: -+ --- -This is used to capture entropy vale of a file - -type: double - --- - -*`rsa.file.file_vendor`*:: -+ --- -This is used to capture Company name of file located in version_info - -type: keyword - --- - -*`rsa.file.task_name`*:: -+ --- -This is used to capture name of the task - -type: keyword - --- - - -*`rsa.web.fqdn`*:: -+ --- -Fully Qualified Domain Names - -type: keyword - --- - -*`rsa.web.web_cookie`*:: -+ --- -This key is used to capture the Web cookies specifically. - -type: keyword - --- - -*`rsa.web.alias_host`*:: -+ --- -type: keyword - --- - -*`rsa.web.reputation_num`*:: -+ --- -Reputation Number of an entity. 
Typically used for Web Domains - -type: double - --- - -*`rsa.web.web_ref_domain`*:: -+ --- -Web referer's domain - -type: keyword - --- - -*`rsa.web.web_ref_query`*:: -+ --- -This key captures Web referer's query portion of the URL - -type: keyword - --- - -*`rsa.web.remote_domain`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_ref_page`*:: -+ --- -This key captures Web referer's page information - -type: keyword - --- - -*`rsa.web.web_ref_root`*:: -+ --- -Web referer's root URL path - -type: keyword - --- - -*`rsa.web.cn_asn_dst`*:: -+ --- -type: keyword - --- - -*`rsa.web.cn_rpackets`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlpage`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlroot`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_url`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_user_agent`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_cookie`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_method`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_referer`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_extension_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_page`*:: -+ --- -type: keyword - --- - - -*`rsa.threat.threat_category`*:: -+ --- -This key captures Threat Name/Threat Category/Categorization of alert - -type: keyword - --- - -*`rsa.threat.threat_desc`*:: -+ --- -This key is used to capture the threat description from the session directly or inferred - -type: keyword - --- - -*`rsa.threat.alert`*:: -+ --- -This key is used to capture name of the alert - -type: keyword - --- - -*`rsa.threat.threat_source`*:: -+ --- -This key is used to capture source of the threat - -type: keyword - --- - - -*`rsa.crypto.crypto`*:: -+ --- -This key is used to capture the Encryption Type or Encryption Key only - -type: keyword - --- - -*`rsa.crypto.cipher_src`*:: -+ --- -This key is for Source (Client) Cipher - -type: keyword - --- - -*`rsa.crypto.cert_subject`*:: -+ --- -This key is used to capture the Certificate organization only - -type: keyword - --- 
- -*`rsa.crypto.peer`*:: -+ --- -This key is for Encryption peer's IP Address - -type: keyword - --- - -*`rsa.crypto.cipher_size_src`*:: -+ --- -This key captures Source (Client) Cipher Size - -type: long - --- - -*`rsa.crypto.ike`*:: -+ --- -IKE negotiation phase. - -type: keyword - --- - -*`rsa.crypto.scheme`*:: -+ --- -This key captures the Encryption scheme used - -type: keyword - --- - -*`rsa.crypto.peer_id`*:: -+ --- -This key is for Encryption peer’s identity - -type: keyword - --- - -*`rsa.crypto.sig_type`*:: -+ --- -This key captures the Signature Type - -type: keyword - --- - -*`rsa.crypto.cert_issuer`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.crypto.cert_error`*:: -+ --- -This key captures the Certificate Error String - -type: keyword - --- - -*`rsa.crypto.cipher_dst`*:: -+ --- -This key is for Destination (Server) Cipher - -type: keyword - --- - -*`rsa.crypto.cipher_size_dst`*:: -+ --- -This key captures Destination (Server) Cipher Size - -type: long - --- - -*`rsa.crypto.ssl_ver_src`*:: -+ --- -Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.d_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.s_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.ike_cookie1`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase One - -type: keyword - --- - -*`rsa.crypto.ike_cookie2`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase Two - -type: keyword - --- - -*`rsa.crypto.cert_checksum`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_cat`*:: -+ --- -This key is used for the hostname category value of a certificate - -type: keyword - --- - -*`rsa.crypto.cert_serial`*:: -+ --- -This key is used to capture the Certificate serial number only - -type: keyword - --- - -*`rsa.crypto.cert_status`*:: -+ --- -This key captures Certificate validation status - -type: keyword - --- - -*`rsa.crypto.ssl_ver_dst`*:: -+ --- 
-Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.cert_keysize`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_username`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_insact`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_valid`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_ca`*:: -+ --- -This key is used to capture the Certificate signing authority only - -type: keyword - --- - -*`rsa.crypto.cert_common`*:: -+ --- -This key is used to capture the Certificate common name only - -type: keyword - --- - - -*`rsa.wireless.wlan_ssid`*:: -+ --- -This key is used to capture the ssid of a Wireless Session - -type: keyword - --- - -*`rsa.wireless.access_point`*:: -+ --- -This key is used to capture the access point name. - -type: keyword - --- - -*`rsa.wireless.wlan_channel`*:: -+ --- -This is used to capture the channel names - -type: long - --- - -*`rsa.wireless.wlan_name`*:: -+ --- -This key captures either WLAN number/name - -type: keyword - --- - - -*`rsa.storage.disk_volume`*:: -+ --- -A unique name assigned to logical units (volumes) within a physical disk - -type: keyword - --- - -*`rsa.storage.lun`*:: -+ --- -Logical Unit Number.This key is a very useful concept in Storage. - -type: keyword - --- - -*`rsa.storage.pwwn`*:: -+ --- -This uniquely identifies a port on a HBA. - -type: keyword - --- - - -*`rsa.physical.org_dst`*:: -+ --- -This is used to capture the destination organization based on the GEOPIP Maxmind database. - -type: keyword - --- - -*`rsa.physical.org_src`*:: -+ --- -This is used to capture the source organization based on the GEOPIP Maxmind database. 
- -type: keyword - --- - - -*`rsa.healthcare.patient_fname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_id`*:: -+ --- -This key captures the unique ID for a patient - -type: keyword - --- - -*`rsa.healthcare.patient_lname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_mname`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - - -*`rsa.endpoint.host_state`*:: -+ --- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - -type: keyword - --- - -*`rsa.endpoint.registry_key`*:: -+ --- -This key captures the path to the registry key - -type: keyword - --- - -*`rsa.endpoint.registry_value`*:: -+ --- -This key captures values or decorators used within a registry entry - -type: keyword - --- - [[exported-fields-iptables]] == iptables fields diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index 65a1f0f9ffb..870f2b2a2df 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -24,7 +24,6 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> - * <> * <> * <> * <> @@ -94,7 +93,6 @@ include::modules/haproxy.asciidoc[] include::modules/ibmmq.asciidoc[] include::modules/icinga.asciidoc[] include::modules/iis.asciidoc[] -include::modules/imperva.asciidoc[] include::modules/infoblox.asciidoc[] include::modules/iptables.asciidoc[] include::modules/juniper.asciidoc[] diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 3d0d676d747..05d961c494b 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -1091,27 +1091,6 @@ filebeat.modules: # can be added under this section. #input: -#------------------------- Imperva SecureSphere Module ------------------------- -- module: imperva - securesphere: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9511 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - #---------------------------- Infoblox NIOS Module ---------------------------- - module: infoblox nios: diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index cf06ccebc10..59048aceeb4 100644 --- a/x-pack/filebeat/include/list.go +++ b/x-pack/filebeat/include/list.go @@ -31,7 +31,6 @@ import ( _ "github.com/elastic/beats/v7/x-pack/filebeat/module/gcp" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/google_workspace" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/ibmmq" - _ "github.com/elastic/beats/v7/x-pack/filebeat/module/imperva" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/infoblox" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/iptables" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/juniper" diff --git a/x-pack/filebeat/module/imperva/README.md b/x-pack/filebeat/module/imperva/README.md deleted file mode 100644 index b19deeb6e09..00000000000 --- a/x-pack/filebeat/module/imperva/README.md +++ /dev/null @@ -1,7 +0,0 @@ -# imperva module - -This is a module for Imperva SecureSphere logs. - -Autogenerated from RSA NetWitness log parser 2.0 XML impervawaf version 117 -at 2020-07-13 17:55:36.873349 +0000 UTC. - 
diff --git a/x-pack/filebeat/module/imperva/_meta/config.yml b/x-pack/filebeat/module/imperva/_meta/config.yml
deleted file mode 100644
index 1ffb9f5d708..00000000000
--- a/x-pack/filebeat/module/imperva/_meta/config.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-- module: imperva
- securesphere:
- enabled: false
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9511
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/x-pack/filebeat/module/imperva/_meta/docs.asciidoc b/x-pack/filebeat/module/imperva/_meta/docs.asciidoc
deleted file mode 100644
index 6639cabb9b7..00000000000
--- a/x-pack/filebeat/module/imperva/_meta/docs.asciidoc
+++ /dev/null
@@ -1,70 +0,0 @@
-[role="xpack"]
-
-:modulename: imperva
-:has-dashboards: false
-
-== Imperva module
-
-deprecated::[8.12.0,"This module is deprecated. See <> for migration options."]
-
-experimental[]
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-This is a module for receiving Imperva SecureSphere logs over Syslog or a file.
-
-include::../include/gs-link.asciidoc[]
-
-include::../include/configuring-intro.asciidoc[]
-
-:fileset_ex: securesphere
-
-include::../include/config-option-intro.asciidoc[]
-
-[float]
-==== `securesphere` fileset settings
-
-experimental[]
-
-NOTE: This was converted from RSA NetWitness log parser XML "impervawaf" device revision 117.
-
-*`var.input`*::
-
-The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
-
-*`var.syslog_host`*::
-
-The address to listen to UDP or TCP based syslog traffic.
-Defaults to `localhost`.
-Set to `0.0.0.0` to bind to all available interfaces.
-
-*`var.syslog_port`*::
-
-The port to listen for syslog traffic. Defaults to `9511`
-
-NOTE: Ports below 1024 require Filebeat to run as root.
-
-*`var.tz_offset`*::
-
-By default, datetimes in the logs will be interpreted as relative to
-the timezone configured in the host where {beatname_uc} is running. If ingesting
-logs from a host on a different timezone, use this field to set the timezone
-offset so that datetimes are correctly parsed. Valid values are in the form
-±HH:mm, for example, `-07:00` for `UTC-7`.
-
-*`var.rsa_fields`*::
-
-Flag to control the addition of non-ECS fields to the event. Defaults to true,
-which causes both ECS and custom fields under `rsa` to be added.
-
-*`var.keep_raw_fields`*::
-
-Flag to control the addition of the raw parser fields to the event. This fields
-will be found under `rsa.raw`. The default is false.
-
-:has-dashboards!:
-
-:fileset_ex!:
-
-:modulename!:
-
diff --git a/x-pack/filebeat/module/imperva/_meta/fields.yml b/x-pack/filebeat/module/imperva/_meta/fields.yml deleted file mode 100644 index ff50b302fab..00000000000 --- a/x-pack/filebeat/module/imperva/_meta/fields.yml +++ /dev/null @@ -1,5 +0,0 @@ -- key: imperva - title: Imperva SecureSphere - description: > - imperva fields. - fields: diff --git a/x-pack/filebeat/module/imperva/fields.go b/x-pack/filebeat/module/imperva/fields.go deleted file mode 100644 index bea96eb12c0..00000000000 --- a/x-pack/filebeat/module/imperva/fields.go +++ /dev/null @@ -1,23 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. - -package imperva - -import ( - "github.com/elastic/beats/v7/libbeat/asset" -) - -func init() { - if err := asset.SetFields("filebeat", "imperva", asset.ModuleFieldsPri, AssetImperva); err != nil { - panic(err) - } -} - -// AssetImperva returns asset data. -// This is the base64 encoded zlib format compressed contents of module/imperva. -func AssetImperva() string { - return "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" -} diff --git a/x-pack/filebeat/module/imperva/securesphere/_meta/fields.yml b/x-pack/filebeat/module/imperva/securesphere/_meta/fields.yml deleted file mode 100644 index 08a34153c4f..00000000000 --- a/x-pack/filebeat/module/imperva/securesphere/_meta/fields.yml +++ /dev/null 
@@ -1,2635 +0,0 @@ -- name: network.interface.name - overwrite: true - type: keyword - description: > - Name of the network interface where the traffic has been observed. -- name: rsa - overwrite: true - type: group - fields: - - name: internal - overwrite: true - type: group - fields: - - name: msg - overwrite: true - type: keyword - description: This key is used to capture the raw message that comes into the - Log Decoder - - name: messageid - overwrite: true - type: keyword - - name: event_desc - overwrite: true - type: keyword - - name: message - overwrite: true - type: keyword - description: This key captures the contents of instant messages - - name: time - overwrite: true - type: date - description: This is the time at which a session hits a NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness. - - name: level - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: msg_id - overwrite: true - type: keyword - description: This is the Message ID1 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: msg_vid - overwrite: true - type: keyword - description: This is the Message ID2 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: data - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: resource - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: statement - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: entry - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: inode - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: resource_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: dead - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - overwrite: true - type: keyword - description: This is used to capture the description of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: feed_name - overwrite: true - type: keyword - description: This is used to capture the name of the feed. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: cid - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_class - overwrite: true - type: keyword - description: This is the Classification of the Log Event Source under a predefined - fixed set of Event Source Classifications. 
This key should never be used to - parse Meta data from a session (Logs/Packets) Directly, this is a Reserved - key in NetWitness - - name: device_group - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - overwrite: true - type: keyword - description: This is the Hostname of the log Event Source sending the logs to - NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - overwrite: true - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - overwrite: true - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - overwrite: true - type: keyword - description: This is the name of the log parser which parsed a given session. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_type_id - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: did - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. 
- This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: entropy_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: entropy_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: event_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - overwrite: true - type: keyword - description: This is used to capture the category of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: forward_ip - overwrite: true - type: ip - description: This key should be used to capture the IPV4 address of a relay - system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - overwrite: true - type: ip - description: This key is used to capture the IPV6 address of a relay system - which forwarded the events from the original system to NetWitness. This key - should never be used to parse Meta data from a session (Logs/Packets) Directly, - this is a Reserved key in NetWitness - - name: header_id - overwrite: true - type: keyword - description: This is the Header ID value that identifies the exact log parser - header definition that parses a particular log session. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: lc_cid - overwrite: true - type: keyword - description: This is a unique Identifier of a Log Collector. 
This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: lc_ctime - overwrite: true - type: date - description: This is the time at which a log is collected in a NetWitness Log - Collector. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: mcbc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: medium - overwrite: true - type: long - description: "This key is used to identify if it\u2019s a log/packet session\ - \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ - \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ - \ 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: nwe_callback_id - overwrite: true - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - overwrite: true - type: keyword - description: This is a special key that stores any Meta key validation error - found while parsing a log session. This key should never be used to parse - Meta data from a session (Logs/Packets) Directly, this is a Reserved key in - NetWitness - - name: payload_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: payload_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: process_vid_dst - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the target process. - - name: process_vid_src - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the source process. - - name: rid - overwrite: true - type: long - description: This is a special ID of the Remote Session created by NetWitness - Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: session_split - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: size - overwrite: true - type: long - description: This is the size of the session as seen by the NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: sourcefile - overwrite: true - type: keyword - description: This is the name of the log file or PCAPs that can be imported - into NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: ubc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: word - overwrite: true - type: keyword - description: This is used by the Word Parsing technology to capture the first - 5 character of every word in an unparsed log - - name: time - overwrite: true - type: group - fields: - - name: event_time - overwrite: true - type: date - description: This key is used to capture the time mentioned in a raw session - that represents the actual time an event occured in a standard normalized - form - - name: duration_time - overwrite: true - type: double - description: This key is used to capture the normalized duration/lifetime in - seconds. 
- - name: event_time_str - overwrite: true - type: keyword - description: This key is used to capture the incomplete time mentioned in a - session as a string - - name: starttime - overwrite: true - type: date - description: This key is used to capture the Start time mentioned in a session - in a standard form - - name: month - overwrite: true - type: keyword - - name: day - overwrite: true - type: keyword - - name: endtime - overwrite: true - type: date - description: This key is used to capture the End time mentioned in a session - in a standard form - - name: timezone - overwrite: true - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - overwrite: true - type: keyword - description: A text string version of the duration - - name: date - overwrite: true - type: keyword - - name: year - overwrite: true - type: keyword - - name: recorded_time - overwrite: true - type: date - description: The event time as recorded by the system the event is collected - from. The usage scenario is a multi-tier application where the management - layer of the system records it's own timestamp at the time of collection from - its child nodes. Must be in timestamp format. - - name: datetime - overwrite: true - type: keyword - - name: effective_time - overwrite: true - type: date - description: This key is the effective time referenced by an individual event - in a Standard Timestamp format - - name: expire_time - overwrite: true - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - overwrite: true - type: keyword - description: Deprecated, use duration.time - - name: hour - overwrite: true - type: keyword - - name: min - overwrite: true - type: keyword - - name: timestamp - overwrite: true - type: keyword - - name: event_queue_time - overwrite: true - type: date - description: This key is the Time that the event was queued. 
- - name: p_time1 - overwrite: true - type: keyword - - name: tzone - overwrite: true - type: keyword - - name: eventtime - overwrite: true - type: keyword - - name: gmtdate - overwrite: true - type: keyword - - name: gmttime - overwrite: true - type: keyword - - name: p_date - overwrite: true - type: keyword - - name: p_month - overwrite: true - type: keyword - - name: p_time - overwrite: true - type: keyword - - name: p_time2 - overwrite: true - type: keyword - - name: p_year - overwrite: true - type: keyword - - name: expire_time_str - overwrite: true - type: keyword - description: This key is used to capture incomplete timestamp that explicitly - refers to an expiration. - - name: stamp - overwrite: true - type: date - description: Deprecated key defined only in table map. - - name: misc - overwrite: true - type: group - fields: - - name: action - overwrite: true - type: keyword - - name: result - overwrite: true - type: keyword - description: This key is used to capture the outcome/result string value of - an action in a session. - - name: severity - overwrite: true - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - overwrite: true - type: keyword - description: This key captures the event category type as specified by the event - source. - - name: reference_id - overwrite: true - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - overwrite: true - type: keyword - description: This key captures Version of the application or OS which is generating - the event. - - name: disposition - overwrite: true - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - overwrite: true - type: keyword - description: This key is used to capture the outcome/result numeric value of - an action in a session - - name: category - overwrite: true - type: keyword - description: This key is used to capture the category of an event given by the - vendor in the session - - name: obj_name - overwrite: true - type: keyword - description: This is used to capture name of object - - name: obj_type - overwrite: true - type: keyword - description: This is used to capture type of object - - name: event_source - overwrite: true - type: keyword - description: "This key captures Source of the event that\u2019s not a hostname" - - name: log_session_id - overwrite: true - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - overwrite: true - type: keyword - description: This key captures the Group Name value - - name: policy_name - overwrite: true - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - overwrite: true - type: keyword - description: This key captures the Rule Name - - name: context - overwrite: true - type: keyword - description: This key captures Information which adds additional context to - the event. - - name: change_new - overwrite: true - type: keyword - description: "This key is used to capture the new values of the attribute that\u2019\ - s changing in a session" - - name: space - overwrite: true - type: keyword - - name: client - overwrite: true - type: keyword - description: This key is used to capture only the name of the client application - requesting resources of the server. See the user.agent meta key for capture - of the specific user agent identifier or browser identification string. 
- - name: msgIdPart1 - overwrite: true - type: keyword - - name: msgIdPart2 - overwrite: true - type: keyword - - name: change_old - overwrite: true - type: keyword - description: "This key is used to capture the old value of the attribute that\u2019\ - s changing in a session" - - name: operation_id - overwrite: true - type: keyword - description: An alert number or operation number. The values should be unique - and non-repeating. - - name: event_state - overwrite: true - type: keyword - description: This key captures the current state of the object/item referenced - within the event. Describing an on-going event. - - name: group_object - overwrite: true - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - overwrite: true - type: keyword - description: Common use case is the node name within a cluster. The cluster - name is reflected by the host name. - - name: rule - overwrite: true - type: keyword - description: This key captures the Rule number - - name: device_name - overwrite: true - type: keyword - description: 'This is used to capture name of the Device associated with the - node Like: a physical disk, printer, etc' - - name: param - overwrite: true - type: keyword - description: This key is the parameters passed as part of a command or application, - etc. - - name: change_attrib - overwrite: true - type: keyword - description: "This key is used to capture the name of the attribute that\u2019\ - s changing in a session" - - name: event_computer - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - fully qualified domain name in a windows log. 
- - name: reference_id1 - overwrite: true - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - overwrite: true - type: keyword - description: This key captures the Name of the event log - - name: OS - overwrite: true - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - overwrite: true - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - overwrite: true - type: keyword - - name: filter - overwrite: true - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - overwrite: true - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the entity - such as a file or process. Checksum should be used over checksum.src or checksum.dst - when it is unclear whether the entity is a source or target of an action. - - name: event_user - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - combination of domain name and username in a windows log. - - name: virusname - overwrite: true - type: keyword - description: This key captures the name of the virus - - name: content_type - overwrite: true - type: keyword - description: This key is used to capture Content Type only. 
- - name: group_id - overwrite: true - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - overwrite: true - type: keyword - description: This key is used to capture the Policy ID only, this should be - a numeric value, use policy.name otherwise - - name: vsys - overwrite: true - type: keyword - description: This key captures Virtual System Name - - name: connection_id - overwrite: true - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - overwrite: true - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" - or "reference.id1" value but should not be used unless the other two variables - are in play. - - name: sensor - overwrite: true - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS - based devices - - name: sig_id - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - overwrite: true - type: keyword - description: 'This key is used for Physical or logical port connection but does - NOT include a network port. (Example: Printer port name).' - - name: rule_group - overwrite: true - type: keyword - description: This key captures the Rule group name - - name: risk_num - overwrite: true - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - overwrite: true - type: keyword - description: This key captures the Value of the trigger or threshold condition. - - name: log_session_id1 - overwrite: true - type: keyword - description: This key is used to capture a Linked (Related) Session ID from - the session directly - - name: comp_version - overwrite: true - type: keyword - description: This key captures the Version level of a sub-component of a product. 
- - name: content_version - overwrite: true - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - overwrite: true - type: keyword - description: This key is used to capture unique identifier for a device or system - (NOT a Mac address) - - name: risk - overwrite: true - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - overwrite: true - type: keyword - - name: reason - overwrite: true - type: keyword - - name: status - overwrite: true - type: keyword - - name: mail_id - overwrite: true - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - overwrite: true - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - overwrite: true - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - overwrite: true - type: keyword - - name: p_msgid - overwrite: true - type: keyword - - name: data_type - overwrite: true - type: keyword - - name: msgIdPart4 - overwrite: true - type: keyword - - name: error - overwrite: true - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - overwrite: true - type: keyword - - name: listnum - overwrite: true - type: keyword - description: This key is used to capture listname or listnumber, primarily for - collecting access-list - - name: ntype - overwrite: true - type: keyword - - name: observed_val - overwrite: true - type: keyword - description: This key captures the Value observed (from the perspective of the - device generating the log). - - name: policy_value - overwrite: true - type: keyword - description: This key captures the contents of the policy. 
This contains details - about the policy - - name: pool_name - overwrite: true - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - overwrite: true - type: keyword - description: A default set of parameters which are overlayed onto a rule (or - rulename) which efffectively constitutes a template - - name: count - overwrite: true - type: keyword - - name: number - overwrite: true - type: keyword - - name: sigcat - overwrite: true - type: keyword - - name: type - overwrite: true - type: keyword - - name: comments - overwrite: true - type: keyword - description: Comment information provided in the log message - - name: doc_number - overwrite: true - type: long - description: This key captures File Identification number - - name: expected_val - overwrite: true - type: keyword - description: This key captures the Value expected (from the perspective of the - device generating the log). - - name: job_num - overwrite: true - type: keyword - description: This key captures the Job Number - - name: spi_dst - overwrite: true - type: keyword - description: Destination SPI Index - - name: spi_src - overwrite: true - type: keyword - description: Source SPI Index - - name: code - overwrite: true - type: keyword - - name: agent_id - overwrite: true - type: keyword - description: This key is used to capture agent id - - name: message_body - overwrite: true - type: keyword - description: This key captures the The contents of the message body. - - name: phone - overwrite: true - type: keyword - - name: sig_id_str - overwrite: true - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - overwrite: true - type: keyword - - name: misc - overwrite: true - type: keyword - - name: name - overwrite: true - type: keyword - - name: cpu - overwrite: true - type: long - description: This key is the CPU time used in the execution of the event being - recorded. 
- - name: event_desc - overwrite: true - type: keyword - description: This key is used to capture a description of an event available - directly or inferred - - name: sig_id1 - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID. This must be linked - to the sig.id - - name: im_buddyid - overwrite: true - type: keyword - - name: im_client - overwrite: true - type: keyword - - name: im_userid - overwrite: true - type: keyword - - name: pid - overwrite: true - type: keyword - - name: priority - overwrite: true - type: keyword - - name: context_subject - overwrite: true - type: keyword - description: This key is to be used in an audit context where the subject is - the object being identified - - name: context_target - overwrite: true - type: keyword - - name: cve - overwrite: true - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - - an identifier for known information security vulnerabilities. - - name: fcatnum - overwrite: true - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - overwrite: true - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - overwrite: true - type: keyword - description: This key captures the Parent Node Name. Must be related to node - variable. - - name: risk_info - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - overwrite: true - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - overwrite: true - type: long - description: This key describes the type of service - - name: vm_target - overwrite: true - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - overwrite: true - type: keyword - description: This key captures Workspace Description - - name: command - overwrite: true - type: keyword - - name: event_category - overwrite: true - type: keyword - - name: facilityname - overwrite: true - type: keyword - - name: forensic_info - overwrite: true - type: keyword - - name: jobname - overwrite: true - type: keyword - - name: mode - overwrite: true - type: keyword - - name: policy - overwrite: true - type: keyword - - name: policy_waiver - overwrite: true - type: keyword - - name: second - overwrite: true - type: keyword - - name: space1 - overwrite: true - type: keyword - - name: subcategory - overwrite: true - type: keyword - - name: tbdstr2 - overwrite: true - type: keyword - - name: alert_id - overwrite: true - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the the target - entity such as a process or file. - - name: checksum_src - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the source - entity such as a file or process. 
- - name: fresult - overwrite: true - type: long - description: This key captures the Filter Result - - name: payload_dst - overwrite: true - type: keyword - description: This key is used to capture destination payload - - name: payload_src - overwrite: true - type: keyword - description: This key is used to capture source payload - - name: pool_id - overwrite: true - type: keyword - description: This key captures the identifier (typically numeric field) of a - resource pool - - name: process_id_val - overwrite: true - type: keyword - description: This key is a failure key for Process ID when it is not an integer - value - - name: risk_num_comm - overwrite: true - type: double - description: This key captures Risk Number Community - - name: risk_num_next - overwrite: true - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - overwrite: true - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - overwrite: true - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - overwrite: true - type: keyword - description: SNMP Object Identifier - - name: sql - overwrite: true - type: keyword - description: This key captures the SQL query - - name: vuln_ref - overwrite: true - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - overwrite: true - type: keyword - - name: acl_op - overwrite: true - type: keyword - - name: acl_pos - overwrite: true - type: keyword - - name: acl_table - overwrite: true - type: keyword - - name: admin - overwrite: true - type: keyword - - name: alarm_id - overwrite: true - type: keyword - - name: alarmname - 
overwrite: true - type: keyword - - name: app_id - overwrite: true - type: keyword - - name: audit - overwrite: true - type: keyword - - name: audit_object - overwrite: true - type: keyword - - name: auditdata - overwrite: true - type: keyword - - name: benchmark - overwrite: true - type: keyword - - name: bypass - overwrite: true - type: keyword - - name: cache - overwrite: true - type: keyword - - name: cache_hit - overwrite: true - type: keyword - - name: cefversion - overwrite: true - type: keyword - - name: cfg_attr - overwrite: true - type: keyword - - name: cfg_obj - overwrite: true - type: keyword - - name: cfg_path - overwrite: true - type: keyword - - name: changes - overwrite: true - type: keyword - - name: client_ip - overwrite: true - type: keyword - - name: clustermembers - overwrite: true - type: keyword - - name: cn_acttimeout - overwrite: true - type: keyword - - name: cn_asn_src - overwrite: true - type: keyword - - name: cn_bgpv4nxthop - overwrite: true - type: keyword - - name: cn_ctr_dst_code - overwrite: true - type: keyword - - name: cn_dst_tos - overwrite: true - type: keyword - - name: cn_dst_vlan - overwrite: true - type: keyword - - name: cn_engine_id - overwrite: true - type: keyword - - name: cn_engine_type - overwrite: true - type: keyword - - name: cn_f_switch - overwrite: true - type: keyword - - name: cn_flowsampid - overwrite: true - type: keyword - - name: cn_flowsampintv - overwrite: true - type: keyword - - name: cn_flowsampmode - overwrite: true - type: keyword - - name: cn_inacttimeout - overwrite: true - type: keyword - - name: cn_inpermbyts - overwrite: true - type: keyword - - name: cn_inpermpckts - overwrite: true - type: keyword - - name: cn_invalid - overwrite: true - type: keyword - - name: cn_ip_proto_ver - overwrite: true - type: keyword - - name: cn_ipv4_ident - overwrite: true - type: keyword - - name: cn_l_switch - overwrite: true - type: keyword - - name: cn_log_did - overwrite: true - type: keyword - - name: 
cn_log_rid - overwrite: true - type: keyword - - name: cn_max_ttl - overwrite: true - type: keyword - - name: cn_maxpcktlen - overwrite: true - type: keyword - - name: cn_min_ttl - overwrite: true - type: keyword - - name: cn_minpcktlen - overwrite: true - type: keyword - - name: cn_mpls_lbl_1 - overwrite: true - type: keyword - - name: cn_mpls_lbl_10 - overwrite: true - type: keyword - - name: cn_mpls_lbl_2 - overwrite: true - type: keyword - - name: cn_mpls_lbl_3 - overwrite: true - type: keyword - - name: cn_mpls_lbl_4 - overwrite: true - type: keyword - - name: cn_mpls_lbl_5 - overwrite: true - type: keyword - - name: cn_mpls_lbl_6 - overwrite: true - type: keyword - - name: cn_mpls_lbl_7 - overwrite: true - type: keyword - - name: cn_mpls_lbl_8 - overwrite: true - type: keyword - - name: cn_mpls_lbl_9 - overwrite: true - type: keyword - - name: cn_mplstoplabel - overwrite: true - type: keyword - - name: cn_mplstoplabip - overwrite: true - type: keyword - - name: cn_mul_dst_byt - overwrite: true - type: keyword - - name: cn_mul_dst_pks - overwrite: true - type: keyword - - name: cn_muligmptype - overwrite: true - type: keyword - - name: cn_sampalgo - overwrite: true - type: keyword - - name: cn_sampint - overwrite: true - type: keyword - - name: cn_seqctr - overwrite: true - type: keyword - - name: cn_spackets - overwrite: true - type: keyword - - name: cn_src_tos - overwrite: true - type: keyword - - name: cn_src_vlan - overwrite: true - type: keyword - - name: cn_sysuptime - overwrite: true - type: keyword - - name: cn_template_id - overwrite: true - type: keyword - - name: cn_totbytsexp - overwrite: true - type: keyword - - name: cn_totflowexp - overwrite: true - type: keyword - - name: cn_totpcktsexp - overwrite: true - type: keyword - - name: cn_unixnanosecs - overwrite: true - type: keyword - - name: cn_v6flowlabel - overwrite: true - type: keyword - - name: cn_v6optheaders - overwrite: true - type: keyword - - name: comp_class - overwrite: true - type: 
keyword - - name: comp_name - overwrite: true - type: keyword - - name: comp_rbytes - overwrite: true - type: keyword - - name: comp_sbytes - overwrite: true - type: keyword - - name: cpu_data - overwrite: true - type: keyword - - name: criticality - overwrite: true - type: keyword - - name: cs_agency_dst - overwrite: true - type: keyword - - name: cs_analyzedby - overwrite: true - type: keyword - - name: cs_av_other - overwrite: true - type: keyword - - name: cs_av_primary - overwrite: true - type: keyword - - name: cs_av_secondary - overwrite: true - type: keyword - - name: cs_bgpv6nxthop - overwrite: true - type: keyword - - name: cs_bit9status - overwrite: true - type: keyword - - name: cs_context - overwrite: true - type: keyword - - name: cs_control - overwrite: true - type: keyword - - name: cs_data - overwrite: true - type: keyword - - name: cs_datecret - overwrite: true - type: keyword - - name: cs_dst_tld - overwrite: true - type: keyword - - name: cs_eth_dst_ven - overwrite: true - type: keyword - - name: cs_eth_src_ven - overwrite: true - type: keyword - - name: cs_event_uuid - overwrite: true - type: keyword - - name: cs_filetype - overwrite: true - type: keyword - - name: cs_fld - overwrite: true - type: keyword - - name: cs_if_desc - overwrite: true - type: keyword - - name: cs_if_name - overwrite: true - type: keyword - - name: cs_ip_next_hop - overwrite: true - type: keyword - - name: cs_ipv4dstpre - overwrite: true - type: keyword - - name: cs_ipv4srcpre - overwrite: true - type: keyword - - name: cs_lifetime - overwrite: true - type: keyword - - name: cs_log_medium - overwrite: true - type: keyword - - name: cs_loginname - overwrite: true - type: keyword - - name: cs_modulescore - overwrite: true - type: keyword - - name: cs_modulesign - overwrite: true - type: keyword - - name: cs_opswatresult - overwrite: true - type: keyword - - name: cs_payload - overwrite: true - type: keyword - - name: cs_registrant - overwrite: true - type: keyword - - 
name: cs_registrar - overwrite: true - type: keyword - - name: cs_represult - overwrite: true - type: keyword - - name: cs_rpayload - overwrite: true - type: keyword - - name: cs_sampler_name - overwrite: true - type: keyword - - name: cs_sourcemodule - overwrite: true - type: keyword - - name: cs_streams - overwrite: true - type: keyword - - name: cs_targetmodule - overwrite: true - type: keyword - - name: cs_v6nxthop - overwrite: true - type: keyword - - name: cs_whois_server - overwrite: true - type: keyword - - name: cs_yararesult - overwrite: true - type: keyword - - name: description - overwrite: true - type: keyword - - name: devvendor - overwrite: true - type: keyword - - name: distance - overwrite: true - type: keyword - - name: dstburb - overwrite: true - type: keyword - - name: edomain - overwrite: true - type: keyword - - name: edomaub - overwrite: true - type: keyword - - name: euid - overwrite: true - type: keyword - - name: facility - overwrite: true - type: keyword - - name: finterface - overwrite: true - type: keyword - - name: flags - overwrite: true - type: keyword - - name: gaddr - overwrite: true - type: keyword - - name: id3 - overwrite: true - type: keyword - - name: im_buddyname - overwrite: true - type: keyword - - name: im_croomid - overwrite: true - type: keyword - - name: im_croomtype - overwrite: true - type: keyword - - name: im_members - overwrite: true - type: keyword - - name: im_username - overwrite: true - type: keyword - - name: ipkt - overwrite: true - type: keyword - - name: ipscat - overwrite: true - type: keyword - - name: ipspri - overwrite: true - type: keyword - - name: latitude - overwrite: true - type: keyword - - name: linenum - overwrite: true - type: keyword - - name: list_name - overwrite: true - type: keyword - - name: load_data - overwrite: true - type: keyword - - name: location_floor - overwrite: true - type: keyword - - name: location_mark - overwrite: true - type: keyword - - name: log_id - overwrite: true - 
type: keyword - - name: log_type - overwrite: true - type: keyword - - name: logid - overwrite: true - type: keyword - - name: logip - overwrite: true - type: keyword - - name: logname - overwrite: true - type: keyword - - name: longitude - overwrite: true - type: keyword - - name: lport - overwrite: true - type: keyword - - name: mbug_data - overwrite: true - type: keyword - - name: misc_name - overwrite: true - type: keyword - - name: msg_type - overwrite: true - type: keyword - - name: msgid - overwrite: true - type: keyword - - name: netsessid - overwrite: true - type: keyword - - name: num - overwrite: true - type: keyword - - name: number1 - overwrite: true - type: keyword - - name: number2 - overwrite: true - type: keyword - - name: nwwn - overwrite: true - type: keyword - - name: object - overwrite: true - type: keyword - - name: operation - overwrite: true - type: keyword - - name: opkt - overwrite: true - type: keyword - - name: orig_from - overwrite: true - type: keyword - - name: owner_id - overwrite: true - type: keyword - - name: p_action - overwrite: true - type: keyword - - name: p_filter - overwrite: true - type: keyword - - name: p_group_object - overwrite: true - type: keyword - - name: p_id - overwrite: true - type: keyword - - name: p_msgid1 - overwrite: true - type: keyword - - name: p_msgid2 - overwrite: true - type: keyword - - name: p_result1 - overwrite: true - type: keyword - - name: password_chg - overwrite: true - type: keyword - - name: password_expire - overwrite: true - type: keyword - - name: permgranted - overwrite: true - type: keyword - - name: permwanted - overwrite: true - type: keyword - - name: pgid - overwrite: true - type: keyword - - name: policyUUID - overwrite: true - type: keyword - - name: prog_asp_num - overwrite: true - type: keyword - - name: program - overwrite: true - type: keyword - - name: real_data - overwrite: true - type: keyword - - name: rec_asp_device - overwrite: true - type: keyword - - name: rec_asp_num 
- overwrite: true - type: keyword - - name: rec_library - overwrite: true - type: keyword - - name: recordnum - overwrite: true - type: keyword - - name: ruid - overwrite: true - type: keyword - - name: sburb - overwrite: true - type: keyword - - name: sdomain_fld - overwrite: true - type: keyword - - name: sec - overwrite: true - type: keyword - - name: sensorname - overwrite: true - type: keyword - - name: seqnum - overwrite: true - type: keyword - - name: session - overwrite: true - type: keyword - - name: sessiontype - overwrite: true - type: keyword - - name: sigUUID - overwrite: true - type: keyword - - name: spi - overwrite: true - type: keyword - - name: srcburb - overwrite: true - type: keyword - - name: srcdom - overwrite: true - type: keyword - - name: srcservice - overwrite: true - type: keyword - - name: state - overwrite: true - type: keyword - - name: status1 - overwrite: true - type: keyword - - name: svcno - overwrite: true - type: keyword - - name: system - overwrite: true - type: keyword - - name: tbdstr1 - overwrite: true - type: keyword - - name: tgtdom - overwrite: true - type: keyword - - name: tgtdomain - overwrite: true - type: keyword - - name: threshold - overwrite: true - type: keyword - - name: type1 - overwrite: true - type: keyword - - name: udb_class - overwrite: true - type: keyword - - name: url_fld - overwrite: true - type: keyword - - name: user_div - overwrite: true - type: keyword - - name: userid - overwrite: true - type: keyword - - name: username_fld - overwrite: true - type: keyword - - name: utcstamp - overwrite: true - type: keyword - - name: v_instafname - overwrite: true - type: keyword - - name: virt_data - overwrite: true - type: keyword - - name: vpnid - overwrite: true - type: keyword - - name: autorun_type - overwrite: true - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - overwrite: true - type: long - description: Valid Credit Card Numbers only - - name: content - 
overwrite: true - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - overwrite: true - type: long - description: Employee Identification Numbers only - - name: found - overwrite: true - type: keyword - description: This is used to capture the results of regex match - - name: language - overwrite: true - type: keyword - description: This is used to capture list of languages the client support and - what it prefers - - name: lifetime - overwrite: true - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - overwrite: true - type: keyword - description: This key is used to link the sessions together. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: match - overwrite: true - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - overwrite: true - type: keyword - description: This key captures the command line/launch argument of the target - process or file - - name: param_src - overwrite: true - type: keyword - description: This key captures source parameter - - name: search_text - overwrite: true - type: keyword - description: This key captures the Search Text used - - name: sig_name - overwrite: true - type: keyword - description: This key is used to capture the Signature Name only. - - name: snmp_value - overwrite: true - type: keyword - description: SNMP set request value - - name: streams - overwrite: true - type: long - description: This key captures number of streams in session - - name: db - overwrite: true - type: group - fields: - - name: index - overwrite: true - type: keyword - description: This key captures IndexID of the index. 
- - name: instance - overwrite: true - type: keyword - description: This key is used to capture the database server instance name - - name: database - overwrite: true - type: keyword - description: This key is used to capture the name of a database or an instance - as seen in a session - - name: transact_id - overwrite: true - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - overwrite: true - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - overwrite: true - type: keyword - description: This key is used to capture the table name - - name: db_id - overwrite: true - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - overwrite: true - type: long - description: This key captures the process id of a connection with database - server - - name: lread - overwrite: true - type: long - description: This key is used for the number of logical reads - - name: lwrite - overwrite: true - type: long - description: This key is used for the number of logical writes - - name: pread - overwrite: true - type: long - description: This key is used for the number of physical writes - - name: network - overwrite: true - type: group - fields: - - name: alias_host - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a hostname is not clear.Also it captures the Device Hostname. Any Hostname - that isnt ad.computer. 
- - name: domain - overwrite: true - type: keyword - - name: host_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Hostname" - - name: network_service - overwrite: true - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of an interface is not clear - - name: network_port - overwrite: true - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently - used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - overwrite: true - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Interface" - - name: dinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Interface" - - name: vlan - overwrite: true - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Zone." - - name: zone - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a Zone is not clear - - name: zone_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Zone." - - name: gateway - overwrite: true - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - overwrite: true - type: long - description: This key is used to capture the ICMP type only - - name: mask - overwrite: true - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - overwrite: true - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - overwrite: true - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - overwrite: true - type: keyword - description: This key is used for Destionation Device network mask - - name: port - overwrite: true - type: long - description: This key should only be used to capture a Network Port when the - directionality is not clear - - name: smask - overwrite: true - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - overwrite: true - type: keyword - description: This key is used to capture the network name associated with an - IP range. This is configured by the end user. - - name: paddr - overwrite: true - type: ip - description: Deprecated - - name: faddr - overwrite: true - type: keyword - - name: lhost - overwrite: true - type: keyword - - name: origin - overwrite: true - type: keyword - - name: remote_domain_id - overwrite: true - type: keyword - - name: addr - overwrite: true - type: keyword - - name: dns_a_record - overwrite: true - type: keyword - - name: dns_ptr_record - overwrite: true - type: keyword - - name: fhost - overwrite: true - type: keyword - - name: fport - overwrite: true - type: keyword - - name: laddr - overwrite: true - type: keyword - - name: linterface - overwrite: true - type: keyword - - name: phost - overwrite: true - type: keyword - - name: ad_computer_dst - overwrite: true - type: keyword - description: Deprecated, use host.dst - - name: eth_type - overwrite: true - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols - Only - - name: ip_proto - overwrite: true - type: long - description: This key should be used to capture the Protocol number, all the - protocol nubers are converted into string in UI - - name: dns_cname_record - overwrite: true - 
type: keyword - - name: dns_id - overwrite: true - type: keyword - - name: dns_opcode - overwrite: true - type: keyword - - name: dns_resp - overwrite: true - type: keyword - - name: dns_type - overwrite: true - type: keyword - - name: domain1 - overwrite: true - type: keyword - - name: host_type - overwrite: true - type: keyword - - name: packet_length - overwrite: true - type: keyword - - name: host_orig - overwrite: true - type: keyword - description: This is used to capture the original hostname in case of a Forwarding - Agent or a Proxy in between. - - name: rpayload - overwrite: true - type: keyword - description: This key is used to capture the total number of payload bytes seen - in the retransmitted packets. - - name: vlan_name - overwrite: true - type: keyword - description: This key should only be used to capture the name of the Virtual - LAN - - name: investigations - overwrite: true - type: group - fields: - - name: ec_activity - overwrite: true - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - overwrite: true - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - overwrite: true - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - overwrite: true - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - overwrite: true - type: long - description: This key captures the Event category number - - name: event_cat_name - overwrite: true - type: keyword - description: This key captures the event category name corresponding to the - event cat code - - name: event_vcat - overwrite: true - type: keyword - description: This is a vendor supplied category. This should be used in situations - where the vendor has adopted their own event_category taxonomy. 
- - name: analysis_file - overwrite: true - type: keyword - description: This is used to capture all indicators used in a File Analysis. - This key should be used to capture an analysis of a file - - name: analysis_service - overwrite: true - type: keyword - description: This is used to capture all indicators used in a Service Analysis. - This key should be used to capture an analysis of a service - - name: analysis_session - overwrite: true - type: keyword - description: This is used to capture all indicators used for a Session Analysis. - This key should be used to capture an analysis of a session - - name: boc - overwrite: true - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - overwrite: true - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - overwrite: true - type: keyword - description: This used to capture investigation category - - name: inv_context - overwrite: true - type: keyword - description: This used to capture investigation context - - name: ioc - overwrite: true - type: keyword - description: This is key capture indicator of compromise - - name: counters - overwrite: true - type: group - fields: - - name: dclass_c1 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c1.str only - - name: dclass_c2 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c2.str only - - name: event_counter - overwrite: true - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r1.str only - - name: dclass_c3 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c3.str only - - name: dclass_c1_str - 
overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c1 only - - name: dclass_c2_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c2 only - - name: dclass_r1_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r1 only - - name: dclass_r2 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r2.str only - - name: dclass_c3_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c3 only - - name: dclass_r3 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r3.str only - - name: dclass_r2_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r2 only - - name: dclass_r3_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r3 only - - name: identity - overwrite: true - type: group - fields: - - name: auth_method - overwrite: true - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - overwrite: true - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - overwrite: true - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - overwrite: true - type: keyword - description: This key is used to capture the type of logon method used. 
- - name: profile - overwrite: true - type: keyword - description: This key is used to capture the user profile - - name: accesses - overwrite: true - type: keyword - description: This key is used to capture actual privileges used in accessing - an object - - name: realm - overwrite: true - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - overwrite: true - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that - indicates a Source dn - - name: org - overwrite: true - type: keyword - description: This key captures the User organization - - name: dn_dst - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that - indicates a Destination dn - - name: firstname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: lastname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: user_dept - overwrite: true - type: keyword - description: User's Department Names only - - name: user_sid_src - overwrite: true - type: keyword - description: This key captures Source User Session ID - - name: federated_sp - overwrite: true - type: keyword - description: This key is the Federated Service Provider. This is the application - requesting authentication. - - name: federated_idp - overwrite: true - type: keyword - description: This key is the federated Identity Provider. This is the server - providing the authentication. - - name: logon_type_desc - overwrite: true - type: keyword - description: This key is used to capture the textual description of an integer - logon type as stored in the meta key 'logon.type'. 
- - name: middlename - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: password - overwrite: true - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - overwrite: true - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - overwrite: true - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ - t have a clear query or response context" - - name: ldap_query - overwrite: true - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - overwrite: true - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - overwrite: true - type: keyword - description: This is used to capture username the process or service is running - as, the author of the task - - name: service_account - overwrite: true - type: keyword - description: This key is a windows specific key, used for capturing name of - the account a service (referenced in the event) is running under. Legacy Usage - - name: email - overwrite: true - type: group - fields: - - name: email_dst - overwrite: true - type: keyword - description: This key is used to capture the Destination email address only, - when the destination context is not clear use email - - name: email_src - overwrite: true - type: keyword - description: This key is used to capture the source email address only, when - the source context is not clear use email - - name: subject - overwrite: true - type: keyword - description: This key is used to capture the subject string from an Email only. 
- - name: email - overwrite: true - type: keyword - description: This key is used to capture a generic email address where the source - or destination context is not clear - - name: trans_from - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: file - overwrite: true - type: group - fields: - - name: privilege - overwrite: true - type: keyword - description: Deprecated, use permissions - - name: attachment - overwrite: true - type: keyword - description: This key captures the attachment file name - - name: filesystem - overwrite: true - type: keyword - - name: binary - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: filename_dst - overwrite: true - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - overwrite: true - type: keyword - description: This is used to capture name of the parent filename, the file which - performed the action - - name: filename_tmp - overwrite: true - type: keyword - - name: directory_dst - overwrite: true - type: keyword - description: This key is used to capture the directory of the target process - or file - - name: directory_src - overwrite: true - type: keyword - description: This key is used to capture the directory of the source process - or file - - name: file_entropy - overwrite: true - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - overwrite: true - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - overwrite: true - type: keyword - description: This is used to capture name of the task - - name: web - overwrite: true - type: group - fields: - - name: fqdn - overwrite: true - type: keyword - description: Fully Qualified Domain Names - - 
name: web_cookie - overwrite: true - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - overwrite: true - type: keyword - - name: reputation_num - overwrite: true - type: double - description: Reputation Number of an entity. Typically used for Web Domains - - name: web_ref_domain - overwrite: true - type: keyword - description: Web referer's domain - - name: web_ref_query - overwrite: true - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - overwrite: true - type: keyword - - name: web_ref_page - overwrite: true - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - overwrite: true - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - overwrite: true - type: keyword - - name: cn_rpackets - overwrite: true - type: keyword - - name: urlpage - overwrite: true - type: keyword - - name: urlroot - overwrite: true - type: keyword - - name: p_url - overwrite: true - type: keyword - - name: p_user_agent - overwrite: true - type: keyword - - name: p_web_cookie - overwrite: true - type: keyword - - name: p_web_method - overwrite: true - type: keyword - - name: p_web_referer - overwrite: true - type: keyword - - name: web_extension_tmp - overwrite: true - type: keyword - - name: web_page - overwrite: true - type: keyword - - name: threat - overwrite: true - type: group - fields: - - name: threat_category - overwrite: true - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of - alert - - name: threat_desc - overwrite: true - type: keyword - description: This key is used to capture the threat description from the session - directly or inferred - - name: alert - overwrite: true - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - overwrite: true - type: keyword - description: This key is used to 
capture source of the threat - - name: crypto - overwrite: true - type: group - fields: - - name: crypto - overwrite: true - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key - only - - name: cipher_src - overwrite: true - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - overwrite: true - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - overwrite: true - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - overwrite: true - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - overwrite: true - type: keyword - description: IKE negotiation phase. - - name: scheme - overwrite: true - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - overwrite: true - type: keyword - description: "This key is for Encryption peer\u2019s identity" - - name: sig_type - overwrite: true - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - overwrite: true - type: keyword - - name: cert_host_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: cert_error - overwrite: true - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - overwrite: true - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - overwrite: true - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - overwrite: true - type: keyword - description: Deprecated, use version - - name: d_certauth - overwrite: true - type: keyword - - name: s_certauth - overwrite: true - type: keyword - - name: ike_cookie1 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - - name: ike_cookie2 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - - name: cert_checksum - overwrite: true - type: keyword - - name: cert_host_cat - overwrite: true - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - overwrite: true - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - overwrite: true - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - overwrite: true - type: keyword - description: Deprecated, use version - - name: cert_keysize - overwrite: true - type: keyword - - name: cert_username - overwrite: true - type: keyword - - name: https_insact - overwrite: true - type: keyword - - name: https_valid - overwrite: true - type: keyword - - name: cert_ca - overwrite: true - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - overwrite: true - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - overwrite: true - type: group - fields: - - name: wlan_ssid - overwrite: true - type: keyword - description: This key is 
used to capture the ssid of a Wireless Session - - name: access_point - overwrite: true - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - overwrite: true - type: long - description: This is used to capture the channel names - - name: wlan_name - overwrite: true - type: keyword - description: This key captures either WLAN number/name - - name: storage - overwrite: true - type: group - fields: - - name: disk_volume - overwrite: true - type: keyword - description: A unique name assigned to logical units (volumes) within a physical - disk - - name: lun - overwrite: true - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - overwrite: true - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - overwrite: true - type: group - fields: - - name: org_dst - overwrite: true - type: keyword - description: This is used to capture the destination organization based on the - GEOPIP Maxmind database. - - name: org_src - overwrite: true - type: keyword - description: This is used to capture the source organization based on the GEOPIP - Maxmind database. 
- - name: healthcare - overwrite: true - type: group - fields: - - name: patient_fname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_id - overwrite: true - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_mname - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: endpoint - overwrite: true - type: group - fields: - - name: host_state - overwrite: true - type: keyword - description: This key is used to capture the current state of the machine, such - as blacklisted, infected, firewall - disabled and so on - - name: registry_key - overwrite: true - type: keyword - description: This key captures the path to the registry key - - name: registry_value - overwrite: true - type: keyword - description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/imperva/securesphere/config/input.yml b/x-pack/filebeat/module/imperva/securesphere/config/input.yml deleted file mode 100644 index ded2efcd652..00000000000 --- a/x-pack/filebeat/module/imperva/securesphere/config/input.yml +++ /dev/null 
@@ -1,87 +0,0 @@
-{{ if eq .input "file" }}
-
-type: log
-paths:
- {{ range $i, $path := .paths }}
-- {{$path}}
- {{ end }}
-exclude_files: [".gz$"]
-
-{{ else }}
-
-type: {{.input}}
-host: "{{.syslog_host}}:{{.syslog_port}}"
-
-{{ end }}
-
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
-
-fields_under_root: true
-fields:
- observer:
- vendor: "Imperva"
- product: "Secure"
- type: "WAF"
-
-processors:
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{.rsa_fields}}
- tz_offset: {{.tz_offset}}
- keep_raw: {{.keep_raw_fields}}
- debug: {{.debug}}
- files:
- - ${path.home}/module/imperva/securesphere/config/liblogparser.js
- - ${path.home}/module/imperva/securesphere/config/pipeline.js
-{{ if .community_id }}
-- community_id: ~
-{{ end }}
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: dns.question.name
- target_field: dns.question.registered_domain
- target_subdomain_field: dns.question.subdomain
- target_etld_field: dns.question.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: client.domain
- target_field: client.registered_domain
- target_subdomain_field: client.subdomain
- target_etld_field: client.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: server.domain
- target_field: server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js b/x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js
deleted file mode 100644
index b35eaa3ddce..00000000000
--- a/x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js
+++ /dev/null
@@ -1,2514 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -/* jshint -W014,-W016,-W097,-W116 */ - -var processor = require("processor"); -var console = require("console"); - -var FLAG_FIELD = "log.flags"; -var FIELDS_OBJECT = "nwparser"; -var FIELDS_PREFIX = FIELDS_OBJECT + "."; - -var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true -}; - -var saved_flags = null; -var debug; -var map_ecs; -var map_rsa; -var keep_raw; -var device; -var tz_offset; -var strip_priority; - -// Register params from configuration. -function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); -} - -function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } -} - -function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); -} - -function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); -} - -function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; -} - -function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; -} - -function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; -} - -var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); -})(); - -function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; -} - -function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } -} - -function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; -} - -function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; -} - -function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; -} - -function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; -} - -var start; - -function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); -} - -function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); -} - -function constant(value) { - return function (evt) { - return value; - }; -} - -function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; -} - -function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; -} - -// TODO: Implement -function DIRCHK(args) { - unimplemented("DIRCHK"); -} - -function strictToInt(str) { - return str * 1; -} - -function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - var result; - switch 
(args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; -} - -var quoteChars = "\"'`"; -function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; -} - -function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; -} - -function nop(evt) { -} - -function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); -} - -function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); -} - -function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; -} - -function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); -} - -function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; -} - -function setc(dst, value) { - return function (evt) { - evt.Put(FIELDS_PREFIX + dst, value); - }; 
-} - -function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; -} - -function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; -} - -function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; -} - -function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; -} - -// Make two-digit dates 00-69 interpreted as 2000-2069 -// and dates 70-99 translated to 1970-1999. -var twoDigitYearEpoch = 70; -var twoDigitYearCentury = 2000; - -// This is to accept dates up to 2 days in the future, only used when -// no year is specified in a date. 2 days should be enough to account for -// time differences between systems and different tz offsets. -var maxFutureDelta = 2*24*60*60*1000; - -// DateContainer stores date fields and then converts those fields into -// a Date. Necessary because building a Date using its set() methods gives -// different results depending on the order of components. -function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; -} - -DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } -} - -function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; -} - -function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; -} - -function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; -} - -var uA = 60 * 60 * 24; -var uD = 60 * 60 * 24; -var uF = 60 * 60; -var uG = 60 * 60 * 24 * 30; -var uH = 60 * 60; -var uI = 60 * 60; -var uJ = 60 * 60 * 24; -var uM = 60 * 60 * 24 * 30; -var uN = 60 * 60; -var uO = 1; -var uS = 1; -var uT = 60; -var uU = 60; -var uc = dc; - -function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; -} - -function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 5], - "dec": [11, 4], 
-}; - -// var dC = undefined; -var dR = dateMonthName(true); -var dB = dateMonthName(false); -var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); -var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); -var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); -var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); -var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); -var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 -var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); -var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); -var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); -var dP = parseAMPM; // AM|PM -var dQ = parseAMPM; // A.M.|P.M -var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); -var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); -var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); -var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); -var dZ = parseHMS; -var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - -// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. -// Only works if this modifier appears after the hour has been read from logs -// which is always the case in the 300 devices. 
-function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; -} - -function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); -} - -function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; -} - -function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; -} - -function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; -} - -function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; -} - -function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; -} - -// Short month name (Jan..Dec). -function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; -} - -function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; -} - -// The following regular expression for parsing URLs from: -// https://github.com/wizard04wsu/URI_Parsing -// -// The MIT License (MIT) -// -// Copyright (c) 2014 Andrew Harrison -// -// Permission is hereby granted, free of charge, to any person obtaining a copy of -// this software and associated documentation files (the "Software"), to deal in -// the Software without restriction, including without limitation the rights to -// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -// the Software, and to permit persons to whom the Software is furnished to do so, -// subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
-var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - -var uriScheme = 1; -var uriDomain = 5; -var uriPort = 6; -var uriPath = 7; -var uriPathAlt = 9; -var uriQuery = 11; - -function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); -} - -function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; -} - -function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; -} - -var extFromPage = /\.[^.]+$/; -function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } -} - -function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); -} - -function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); -} - -var pageFromPathRegExp = /\/([^\/]+)$/; -var pageName = 1; - -function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; -} - -function page(dst, src) { - return url_wrapper(dst, src, extract_page); -} - -function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; -} - -function path(dst, src) { - return url_wrapper(dst, src, extract_path); -} - -// Map common schemes to their default port. -// port has to be a string (will be converted at a later stage). 
-var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", -}; - -function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } -} - -function port(dst, src) { - return url_wrapper(dst, src, extract_port); -} - -function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; -} - -function query(dst, src) { - return url_wrapper(dst, src, extract_query); -} - -function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } -} - -function root(dst, src) { - return url_wrapper(dst, src, extract_root); -} - -function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } -} - -var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, -}; - -var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, 
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, -}; - -function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } -} - -// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. -var maxSafeInt = Math.pow(2, 53) - 1; -var minSafeInt = -maxSafeInt; - -function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; -} - -function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); -} - -var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; -var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - -function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; -} - -function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; -} - -function to_double(value) { - return parseFloat(value); -} - -function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; -} - -function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; -} - -function fld_set(dst, value) { - dst[this.field] = { v: value }; -} - -function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } -} - -function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } -} - -var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true -}; - -function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } -} - -function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } -} - -function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); -} - -var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, -]; - -function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - tzOffset = 
evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{fld79->} %{fld80->} %{fld81->} %{timezone->} %{fld82},updateTime=%{fld8},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=\"%{action}\",errormsg=\"%{result}\"", processor_chain([ - dup1, - dup2, - dup3, -])); - -var msg1 = msg("IMPERVA_ALERT:02", part1); - -var part2 = match("MESSAGE#1:IMPERVA_ALERT", "nwparser.payload", "alert#=%{operation_id},event#=%{fld7},createTime=%{fld79},updateTime=%{fld80},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=\"%{action}\",errormsg=\"%{result}\"", processor_chain([ 
- dup1, - dup4, - dup3, -])); - -var msg2 = msg("IMPERVA_ALERT", part2); - -var part3 = match("MESSAGE#2:IMPERVA_ALERT:03", "nwparser.payload", "alert#=%{operation_id},event#=%{fld7},createTime=%{fld78->} %{fld79->} %{fld80->} %{fld81->} %{timezone->} %{fld82},updateTime=%{fld8},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=%{action}", processor_chain([ - dup1, - dup2, - dup3, -])); - -var msg3 = msg("IMPERVA_ALERT:03", part3); - -var part4 = match("MESSAGE#3:IMPERVA_ALERT:01", "nwparser.payload", 
"alert#=%{operation_id},event#=%{fld7},createTime=%{fld79},updateTime=%{fld80},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=%{action}", processor_chain([ - dup1, - dup4, - dup3, -])); - -var msg4 = msg("IMPERVA_ALERT:01", part4); - -var part5 = match("MESSAGE#4:IMPERVA_EVENT:01", "nwparser.payload", "event#=%{fld77},createTime=%{fld78->} %{fld79->} %{fld80->} %{fld81->} %{timezone->} %{fld82},eventType=%{event_type},eventSev=%{severity},username=%{username},subsystem=%{fld7},message=\"%{event_description}\"", processor_chain([ - dup5, - dup2, - dup3, -])); - -var msg5 = msg("IMPERVA_EVENT:01", part5); - -var part6 = match("MESSAGE#5:IMPERVA_EVENT", "nwparser.payload", "event#=%{fld77},createTime=%{fld79},eventType=%{event_type},eventSev=%{severity},username=%{username},subsystem=%{fld7},message=\"%{event_description}\"", processor_chain([ - dup5, - dup4, - dup3, -])); - -var msg6 = msg("IMPERVA_EVENT", part6); - -var part7 = match("MESSAGE#6:IMPERVA_DATABASE_ACTIVITY:03", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} 
%{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - dup6, - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, - dup3, - dup13, -])); - -var msg7 = msg("IMPERVA_DATABASE_ACTIVITY:03", part7); - -var part8 = match("MESSAGE#7:IMPERVA_DATABASE_ACTIVITY:06", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - dup14, - dup7, - dup8, - dup9, - dup15, - dup11, - dup12, - dup3, - dup13, -])); - -var msg8 = msg("IMPERVA_DATABASE_ACTIVITY:06", part8); - -var part9 = match("MESSAGE#8:IMPERVA_DATABASE_ACTIVITY:01", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - dup6, - dup7, - dup8, - dup9, - dup10, - dup11, - dup16, - dup3, - dup13, -])); - -var msg9 = 
msg("IMPERVA_DATABASE_ACTIVITY:01", part9); - -var part10 = match("MESSAGE#9:IMPERVA_DATABASE_ACTIVITY:07", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - dup14, - dup7, - dup8, - dup9, - dup15, - dup11, - dup16, - dup3, - dup13, -])); - -var msg10 = msg("IMPERVA_DATABASE_ACTIVITY:07", part10); - -var part11 = match("MESSAGE#10:IMPERVA_DATABASE_ACTIVITY:04", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - dup17, - dup7, - dup18, - dup9, - dup10, - dup19, - dup12, - dup3, - dup13, -])); - -var msg11 = msg("IMPERVA_DATABASE_ACTIVITY:04", part11); - -var part12 = match("MESSAGE#11:IMPERVA_DATABASE_ACTIVITY:08", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} 
%{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - dup17, - dup7, - dup18, - dup9, - dup15, - dup19, - dup12, - dup3, - dup13, -])); - -var msg12 = msg("IMPERVA_DATABASE_ACTIVITY:08", part12); - -var part13 = match("MESSAGE#12:IMPERVA_DATABASE_ACTIVITY:02", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - dup17, - dup7, - dup18, - dup9, - dup10, - dup19, - dup4, - dup3, - dup13, -])); - -var msg13 = msg("IMPERVA_DATABASE_ACTIVITY:02", part13); - -var part14 = match("MESSAGE#13:IMPERVA_DATABASE_ACTIVITY:09", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - dup17, - dup7, - dup18, - dup9, - dup15, - dup19, - dup4, - dup3, - dup13, -])); - -var msg14 = 
msg("IMPERVA_DATABASE_ACTIVITY:09", part14); - -var part15 = match("MESSAGE#14:IMPERVA_DATABASE_ACTIVITY:10", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Query,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86}", processor_chain([ - dup17, - dup20, - dup12, - dup3, - dup13, -])); - -var msg15 = msg("IMPERVA_DATABASE_ACTIVITY:10", part15); - -var part16 = match("MESSAGE#15:IMPERVA_DATABASE_ACTIVITY:11", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Query,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86}", processor_chain([ - dup17, - dup20, - dup12, - dup3, - dup13, -])); - -var msg16 = msg("IMPERVA_DATABASE_ACTIVITY:11", part16); - -var part17 = match("MESSAGE#16:IMPERVA_DATABASE_ACTIVITY:12", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},srvGroup=%{group_object},service=%{service},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=%{fld99},application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result}", processor_chain([ - setc("eventcategory","1401050200"), - dup20, - dup12, - dup3, - dup13, -])); - -var msg17 = msg("IMPERVA_DATABASE_ACTIVITY:12", part17); - -var part18 = match("MESSAGE#17:IMPERVA_DATABASE_ACTIVITY", "nwparser.payload", 
"dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=%{event_type},usrGroup=%{group},usrAuth=%{fld83},application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - setc("eventcategory","1206000000"), - dup4, - dup3, - dup13, -])); - -var msg18 = msg("IMPERVA_DATABASE_ACTIVITY", part18); - -var select2 = linear_select([ - msg1, - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - msg18, -]); - -var chain1 = processor_chain([ - select1, - msgid_select({ - "Imperva": select2, - }), -]); diff --git a/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml b/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml deleted file mode 100644 index e37b497a0ef..00000000000 --- a/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml +++ /dev/null 
@@ -1,88 +0,0 @@ ---- -description: Pipeline for Imperva SecureSphere - -processors: - # ECS event.ingested - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - # User agent - - user_agent: - field: user_agent.original - ignore_missing: true - # URL - - uri_parts: - field: url.original - target_field: _temp_.url - ignore_failure: true - if: ctx?.url?.original != null - - script: - lang: painless - description: Updates the URL ECS fields from the results of the URI parts processor to not overwrite the RSA mappings - if: ctx?._temp_?.url != null - source: | - for (entry in ctx._temp_.url.entrySet()) { - if (entry != null && entry.getValue() != null) { - if(ctx.url[entry.getKey()] == null) { - ctx.url[entry.getKey()] = entry.getValue(); - } else if (!ctx.url[entry.getKey()].contains(entry.getValue())) { - ctx.url[entry.getKey()] = [ctx.url[entry.getKey()]]; - ctx.url[entry.getKey()].add(entry.getValue()); - } - } - } - - remove: - field: _temp_ - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - 
append: - field: related.hosts - value: '{{host.name}}' - allow_duplicates: false - if: ctx.host?.name != null && ctx.host?.name != '' -on_failure: - - append: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/imperva/securesphere/manifest.yml b/x-pack/filebeat/module/imperva/securesphere/manifest.yml deleted file mode 100644 index b9313395043..00000000000 --- a/x-pack/filebeat/module/imperva/securesphere/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -module_version: "1.0" - -var: - - name: paths - - name: tags - default: ["imperva.securesphere", "forwarded"] - - name: syslog_host - default: localhost - - name: syslog_port - default: 9531 - - name: input - default: udp - - name: community_id - default: true - - name: tz_offset - default: local - - name: rsa_fields - default: true - - name: keep_raw_fields - default: false - - name: debug - default: false - -ingest_pipeline: ingest/pipeline.yml -input: config/input.yml - -requires.processors: -- name: geoip - plugin: ingest-geoip -- name: user_agent - plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/imperva/securesphere/test/generated.log b/x-pack/filebeat/module/imperva/securesphere/test/generated.log deleted file mode 100644 index fe6e7cfdfcc..00000000000 --- a/x-pack/filebeat/module/imperva/securesphere/test/generated.log +++ /dev/null 
@@ -1,100 +0,0 @@ -%IMPERVA-Imperva,dstIP=10.70.155.35,dstPort=892,dbUsername=tatno,srcIP=10.81.122.126,srcPort=4141,creatTime=29 January 2016 06:09:59,srvGroup=uam,service=untutl,appName=rad,event#=taliqu,eventType=Login,usrGroup=ommod,usrAuth=True,application="scivel",osUsername=aqui,srcHost=radipis5408.mail.local,dbName=enatuse,schemaName=magn,bindVar=equuntu,sqlError=failure,respSize=5910,respTime=10.347000,affRows=sum,action="cancel",rawQuery="sit" -%IMPERVA-Imperva,event#=nimadmin,createTime=2016-02-12 13:12:33,eventType=erep,eventSev=low,username=temq,subsystem=ugiatqu,message="eacomm" -%IMPERVA-Imperva,dstIP=10.58.116.231,dstPort=996,dbUsername=qua,srcIP=10.159.182.171,srcPort=3947,creatTime=2016-02-26 20:15:08,srvGroup=apariat,service=mol,appName=pteursi,event#=onse,eventType=rumet,usrGroup=oll,usrAuth=erc,application="taliqu",osUsername=temUten,srcHost=ccusan7572.api.home,dbName=aveniam,schemaName=uradi,bindVar=nimadmin,sqlError=failure,respSize=3626,respTime=79.328000,affRows=ender,action="accept",rawQuery="ehenderi" -%IMPERVA-Imperva,dstIP=10.232.27.250,dstPort=7838,dbUsername=mquidol,srcIP=10.18.124.28,srcPort=7668,creatTime=12 March 2016 03:17:42,srvGroup=rsitamet,service=lupt,appName=xea,event#=qua,eventType=Login,usrGroup=luptatev,usrAuth=False,application="admi",osUsername=modocons,srcHost=elaudant5931.internal.invalid,dbName=lores,schemaName=lapariat,bindVar=eddoei,sqlError=failure,respSize=6564,respTime=87.496000,affRows=nimadmin,action="cancel",rawQuery="xercitat" -%IMPERVA-Imperva,alert#=ationemu,event#=ice,createTime=2016-03-26 
10:20:16,updateTime=estiae,alertSev=high,group=laborum,ruleName="tionof",evntDesc="snostrud",category=nama,disposition=quisnos,eventType=ite,proto=icmp,srcPort=2707,srcIP=10.6.137.200,dstPort=5697,dstIP=10.197.250.10,policyName="bor",occurrences=7243,httpHost=hitect,webMethod=dol,url="https://internal.example.net/namali/taevit.html?nsecte=itame#eumfug",webQuery="lit",soapAction=asun,resultCode=estia,sessionID=eaq,username=occae,addUsername=ctetura,responseTime=labore,responseSize=texp,direction=external,dbUsername=adeseru,queryGroup=emoe,application="eaq",srcHost=amest4147.mail.host,osUsername=intoc,schemaName=oluptas,dbName=tNequepo,hdrName=lup,action=cancel -%IMPERVA-Imperva,alert#=sperna,event#=eabilloi,createTime=2016-04-09 17:22:51,updateTime=estia,alertSev=medium,group=tlab,ruleName="volupt",evntDesc="osqui",category=xerc,disposition=iutali,eventType=fdeFi,proto=igmp,srcPort=1696,srcIP=10.179.124.125,dstPort=5473,dstIP=10.36.194.106,policyName="eprehend",occurrences=2462,httpHost=dutper,webMethod=lamcolab,url="https://example.net/tlabo/uames.gif?mpo=offi#giatnu",webQuery="ulapa",soapAction=liqui,resultCode=quioffi,sessionID=uptate,username=ncidid,addUsername=quaturve,responseTime=sequa,responseSize=aera,direction=outbound,dbUsername=rvel,queryGroup=uid,application="onsecte",srcHost=eratv6205.internal.lan,osUsername=reme,schemaName=acommod,dbName=uaUteni,hdrName=udantium,action=accept -%IMPERVA-Imperva,dstIP=10.129.149.43,dstPort=3304,dbUsername=eveli,srcIP=10.211.105.204,srcPort=2742,creatTime=2016-04-24 00:25:25,srvGroup=aliquide,service=ofde,appName=equat,event#=derit,eventType=Logout,usrGroup=dexea,usrAuth=True,application="atcu",osUsername=labor,srcHost=didunt1355.corp,dbName=udan,schemaName=orema,bindVar=invento,sqlError=failure,respSize=6855,respTime=74.098000,affRows=nofdeFin,action="accept",rawQuery="rau" -%IMPERVA-Imperva,dstIP=10.214.191.180,dstPort=5848,dbUsername=ipsumdol,srcIP=10.112.250.193,srcPort=5705,creatTime=2016-05-08 
07:27:59,srvGroup=urerepr,service=ese,appName=isaute,event#=ptatemq,eventType=Logout,usrGroup=luptatev,usrAuth=False,application="tlabore",osUsername=Exc,srcHost=pora6854.www5.home,dbName=nevo,schemaName=ide,bindVar=aali,sqlError=success,respSize=6852,respTime=49.573000,affRows=etcons,action="cancel",rawQuery="tenbyCi" -%IMPERVA-Imperva,dstIP=10.251.20.13,dstPort=264,dbUsername=iquipe,srcIP=10.192.34.76,srcPort=1450,creatTime=2016-05-22 14:30:33,srvGroup=upida,service=tvolupt,appName=eufugi,event#=pici,eventType=abor,usrGroup=utpe,usrAuth=onsequ,application="temqu",osUsername=ovol,srcHost=ptasn6599.www.localhost,dbName=lore,schemaName=tnonpro,bindVar=ionemu,sqlError=success,respSize=3645,respTime=20.909000,affRows=tanimid,action="deny",rawQuery="uamni" -%IMPERVA-Imperva,dstIP=10.74.105.218,dstPort=2438,dbUsername=archite,srcIP=10.59.138.212,srcPort=7829,creatTime=2016-06-05 21:33:08,srvGroup=asi,service=datatno,appName=siutali,event#=amnih,eventType=Logout,usrGroup=ium,usrAuth=True,application="esciuntN",osUsername=idunt,srcHost=ptasnu6684.mail.lan,dbName=orumSe,schemaName=boree,bindVar=intoc,sqlError=success,respSize=248,respTime=158.450000,affRows=eeufugia,action="block",rawQuery="ofdeFini" -%IMPERVA-Imperva,dstIP=10.168.159.13,dstPort=3319,dbUsername=inci,srcIP=10.230.173.4,srcPort=2631,creatTime=2016-06-20 04:35:42,srvGroup=avol,service=icero,appName=xer,event#=emipsumd,eventType=Logout,usrGroup=isisten,usrAuth=False,application="cusant",osUsername=atemq,srcHost=rinre2977.api.corp,dbName=totamre,schemaName=isnostr,bindVar=umqu,sqlError=success,respSize=6135,respTime=86.668000,affRows=inesci,action="accept",rawQuery="uia" -%IMPERVA-Imperva,dstIP=10.49.167.57,dstPort=2119,dbUsername=tali,srcIP=10.41.21.204,srcPort=3540,creatTime=4 July 2016 
11:38:16,srvGroup=rpori,service=ice,appName=oles,event#=edic,eventType=Login,usrGroup=seq,usrAuth=True,application="tutlab",osUsername=sau,srcHost=atevelit2450.local,dbName=aperia,schemaName=ccaeca,bindVar=umdolo,sqlError=failure,respSize=6818,respTime=115.224000,affRows=stenatu,action="block",rawQuery="orumSe" -%IMPERVA-Imperva,alert#=dutp,event#=psaquaea,createTime=2016-07-18 18:40:50,updateTime=taevita,alertSev=high,group=siut,ruleName="tconsect",evntDesc="aquae",category=boreetdo,disposition=aturve,eventType=ditemp,proto=ipv6,srcPort=3406,srcIP=10.216.125.252,dstPort=5592,dstIP=10.62.147.186,policyName="eumiure",occurrences=4603,httpHost=ima,webMethod=quasia,url="https://example.org/umwrit/uptate.html?ctetura=aveni#elit",webQuery="seosqui",soapAction=sequamni,resultCode=uradi,sessionID=tot,username=llamco,addUsername=nea,responseTime=psum,responseSize=tasnulap,direction=inbound,dbUsername=umSe,queryGroup=xeacomm,application="cinge",srcHost=itla658.api.localhost,osUsername=lorsita,schemaName=dolore,dbName=uptate,hdrName=quidexea,action="accept",errormsg="unknown" -%IMPERVA-Imperva,alert#=ate,event#=odoconse,createTime=2016-08-02 01:43:25,updateTime=emp,alertSev=very-high,group=veli,ruleName="tenim",evntDesc="rumet",category=verita,disposition=sectet,eventType=etdo,proto=tcp,srcPort=3689,srcIP=10.52.125.9,dstPort=2538,dstIP=10.204.128.215,policyName="ama",occurrences=332,httpHost=runtmol,webMethod=texpli,url="https://api.example.org/roidents/tem.txt?tametcon=liqua#mvele",webQuery="isis",soapAction=uasiar,resultCode=utlab,sessionID=emUteni,username=rum,addUsername=gnaaliqu,responseTime=teirured,responseSize=onemulla,direction=external,dbUsername=bor,queryGroup=rauto,application="ationev",srcHost=umdolor4389.api.home,osUsername=paquioff,schemaName=nci,dbName=isau,hdrName=rautodi,action=deny -%IMPERVA-Imperva,dstIP=10.200.68.129,dstPort=2558,dbUsername=icabo,srcIP=10.34.148.166,srcPort=3022,creatTime=2016-08-16 
08:45:59,srvGroup=preh,service=ercit,appName=etMal,event#=qua,eventType=rsita,usrGroup=ate,usrAuth=ipsamvo,application="onula",osUsername=miu,srcHost=rationev6444.localhost,dbName=tatem,schemaName=untutlab,bindVar=amcor,sqlError=failure,respSize=5427,respTime=176.685000,affRows=oremq,action="block",rawQuery="uisaute" -%IMPERVA-Imperva,dstIP=10.226.101.180,dstPort=1000,dbUsername=siu,srcIP=10.134.5.40,srcPort=7284,creatTime=30 August 2016 15:48:33,srvGroup=llamc,service=nte,appName=mvel,event#=nof,eventType=Login,usrGroup=usmodi,usrAuth=False,application="mvolu",osUsername=conse,srcHost=ipi7727.www5.domain,dbName=isiu,schemaName=licabo,bindVar=enimadmi,sqlError=success,respSize=6356,respTime=41.238000,affRows=xeaco,action="deny",rawQuery="amcor" -%IMPERVA-Imperva,dstIP=10.126.26.131,dstPort=2595,dbUsername=velite,srcIP=10.30.98.10,srcPort=7576,creatTime=13 September 2016 22:51:07,srvGroup=itation,service=sequatD,appName=nimave,event#=isciv,eventType=Login,usrGroup=rroqu,usrAuth=False,application="nofd",osUsername=dipisci,srcHost=spernatu5539.domain,dbName=quunt,schemaName=olori,bindVar=mquae,sqlError=unknown,respSize=7717,respTime=96.729000,affRows=cidunt,action="accept",rawQuery="borisnis" -%IMPERVA-Imperva,dstIP=10.190.10.219,dstPort=5530,dbUsername=accusant,srcIP=10.233.120.207,srcPort=136,creatTime=2016-09-28 05:53:42,srvGroup=stenatu,service=inibu,appName=est,event#=uptatemU,eventType=Logout,usrGroup=leumiu,usrAuth=False,application="tla",osUsername=item,srcHost=nimid372.api.corp,dbName=atcupid,schemaName=quamnih,bindVar=dminima,sqlError=success,respSize=3278,respTime=60.949000,affRows=tame,action="cancel",rawQuery="reetd" -%IMPERVA-Imperva,event#=sitam,createTime=2016-10-12 12:56:16,eventType=rad,eventSev=low,username=sequa,subsystem=iosamnis,message="volupt" -%IMPERVA-Imperva,dstIP=10.100.98.56,dstPort=1089,dbUsername=boru,srcIP=10.248.184.200,srcPort=5315,creatTime=2016-10-26 
19:58:50,srvGroup=ptatem,service=ptatevel,appName=tenatuse,event#=psaqua,eventType=Logout,usrGroup=ullamcor,usrAuth=False,application="itationu",osUsername=proident,srcHost=maliquam2147.internal.home,dbName=lores,schemaName=ritati,bindVar=orisni,sqlError=failure,respSize=5923,respTime=179.541000,affRows=sitam,action="deny",rawQuery="mmodoc" -%IMPERVA-Imperva,dstIP=10.197.6.245,dstPort=27,dbUsername=dtempo,srcIP=10.82.28.220,srcPort=3570,creatTime=10 November 2016 03:01:24,srvGroup=imad,service=tinvolup,appName=tsed,event#=inv,eventType=Login,usrGroup=rroq,usrAuth=False,application="rcit",osUsername=aecatcup,srcHost=olabor2983.internal.localhost,dbName=citatio,schemaName=oluptat,bindVar=mveniamq,sqlError=success,respSize=3071,respTime=120.142000,affRows=eaqueips,action="allow",rawQuery="aturve" -%IMPERVA-Imperva,dstIP=10.6.27.103,dstPort=3179,dbUsername=redol,srcIP=10.167.252.183,srcPort=2003,creatTime=24 November 2016 10:03:59,srvGroup=doei,service=cipitl,appName=caboNemo,event#=dexerc,eventType=Login,usrGroup=strumex,usrAuth=True,application="eprehend",osUsername=asnu,srcHost=hitec2111.mail.corp,dbName=perspici,schemaName=ationul,bindVar=mquisn,sqlError=failure,respSize=6606,respTime=155.907000,affRows=emUte,action="cancel",rawQuery="ccae" -%IMPERVA-Imperva,alert#=ntNe,event#=itanim,createTime=2016-12-08 
17:06:33,updateTime=nesciun,alertSev=medium,group=mollita,ruleName="tatem",evntDesc="iae",category=quido,disposition=emip,eventType=inBC,proto=tcp,srcPort=6165,srcIP=10.88.45.111,dstPort=6735,dstIP=10.81.184.7,policyName="saquaea",occurrences=6344,httpHost=eetd,webMethod=illu,url="https://mail.example.com/lorsi/repreh.gif?sitamet=utlabo#tetur",webQuery="tionula",soapAction=ritqu,resultCode=ecatcupi,sessionID=uamei,username=undeomni,addUsername=tas,responseTime=autfugi,responseSize=tasun,direction=external,dbUsername=eratv,queryGroup=ipsa,application="asuntexp",srcHost=adminim2559.www5.invalid,osUsername=lmole,schemaName=iameaque,dbName=nderi,hdrName=ssusci,action="deny",errormsg="failure" -%IMPERVA-Imperva,dstIP=10.214.3.140,dstPort=6127,dbUsername=scipitl,srcIP=10.29.119.245,srcPort=1179,creatTime=2016-12-23 00:09:07,srvGroup=olli,service=rever,appName=ore,event#=offici,eventType=Logout,usrGroup=ection,usrAuth=False,application="roquisqu",osUsername=edolorin,srcHost=dolorem6882.api.local,dbName=rsi,schemaName=taliqui,bindVar=mides,sqlError=success,respSize=5140,respTime=119.229000,affRows=tcu,action="cancel",rawQuery="inrepreh" -%IMPERVA-Imperva,alert#=dipiscin,event#=olup,createTime=2017-01-06 07:11:41,updateTime=aco,alertSev=medium,group=accusa,ruleName="natu",evntDesc="liquid",category=enim,disposition=Finibus,eventType=radi,proto=rdp,srcPort=2064,srcIP=10.218.123.234,dstPort=57,dstIP=10.110.133.7,policyName="radipisc",occurrences=5347,httpHost=nibus,webMethod=vitaed,url="https://example.org/etconsec/elillum.htm?mporinc=onsectet#idolo",webQuery="atemUte",soapAction=docon,resultCode=mdolore,sessionID=eosquira,username=pta,addUsername=snos,responseTime=orsi,responseSize=tetura,direction=external,dbUsername=lorsita,queryGroup=eavol,application="osamnis",srcHost=temaccu5302.test,osUsername=etconsec,schemaName=caboNem,dbName=urExcept,hdrName=rumetMal,action="allow",errormsg="unknown" 
-%IMPERVA-Imperva,dstIP=10.105.190.170,dstPort=2519,dbUsername=doeiu,srcIP=10.182.152.242,srcPort=1877,creatTime=2017-01-20 14:14:16,srvGroup=orumw,service=redol,appName=ecillum,event#=isci,eventType=Logout,usrGroup=dolor,usrAuth=True,application="tiumto",osUsername=litan,srcHost=nder347.www.corp,dbName=alorum,schemaName=mquisn,bindVar=atq,sqlError=unknown,respSize=3474,respTime=68.556000,affRows=ugiatquo,action="block",rawQuery="equamnih" -%IMPERVA-Imperva,alert#=citati,event#=uamei,createTime=2017-02-03 21:16:50,updateTime=eursinto,alertSev=low,group=tutla,ruleName="licaboNe",evntDesc="tautfug",category=giatquov,disposition=olu,eventType=rmagnido,proto=ipv6-icmp,srcPort=7647,srcIP=10.59.188.188,dstPort=7082,dstIP=10.123.166.197,policyName="ici",occurrences=7102,httpHost=mips,webMethod=itae,url="https://internal.example.net/atnula/ditautf.jpg?iquidex=olup#remipsu",webQuery="tan",soapAction=quiac,resultCode=sunt,sessionID=autfugit,username=emUte,addUsername=iusmodi,responseTime=fdeFi,responseSize=Except,direction=inbound,dbUsername=equat,queryGroup=aliquid,application="usantiu",srcHost=idunt4633.internal.host,osUsername=liquam,schemaName=min,dbName=oluptat,hdrName=odt,action=block -%IMPERVA-Imperva,dstIP=10.72.75.207,dstPort=6336,dbUsername=urau,srcIP=10.201.168.116,srcPort=2037,creatTime=2017-02-18 04:19:24,srvGroup=utali,service=sed,appName=xeac,event#=umdolors,eventType=Logout,usrGroup=lumdo,usrAuth=False,application="acom",osUsername=eFini,srcHost=ectob4634.mail.localhost,dbName=prehend,schemaName=eufug,bindVar=roquisq,sqlError=unknown,respSize=3348,respTime=79.765000,affRows=civelits,action="accept",rawQuery="reet" -%IMPERVA-Imperva,dstIP=10.9.46.123,dstPort=586,dbUsername=mfu,srcIP=10.58.133.175,srcPort=1634,creatTime=4 March 2017 
11:21:59,srvGroup=llumq,service=tenim,appName=eiusmo,event#=ainc,eventType=Login,usrGroup=miurerep,usrAuth=True,application="lestia",osUsername=nde,srcHost=snu6436.www.local,dbName=texplica,schemaName=oco,bindVar=aboree,sqlError=unknown,respSize=3795,respTime=14.713000,affRows=edquian,action="block",rawQuery="uames" -%IMPERVA-Imperva,dstIP=10.169.50.59,dstPort=7693,dbUsername=pta,srcIP=10.70.29.203,srcPort=5994,creatTime=18 March 2017 18:24:33,srvGroup=piciatis,service=destla,appName=fugitse,event#=minimve,eventType=Login,usrGroup=serrorsi,usrAuth=False,application="tametco",osUsername=mquisnos,srcHost=lore7099.www.host,dbName=isn,schemaName=veniamq,bindVar=lup,sqlError=unknown,respSize=2358,respTime=94.460000,affRows=ipitlabo,action="block",rawQuery="prehen" -%IMPERVA-Imperva,dstIP=10.165.182.111,dstPort=5525,dbUsername=ames,srcIP=10.137.85.123,srcPort=218,creatTime=2017-04-02 01:27:07,srvGroup=amquisno,service=modoc,appName=magnam,event#=uinesc,eventType=Logout,usrGroup=cid,usrAuth=True,application="emi",osUsername=Bonorum,srcHost=lesti6939.api.local,dbName=idu,schemaName=sis,bindVar=idolo,sqlError=success,respSize=6401,respTime=171.434000,affRows=its,action="block",rawQuery="edutp" -%IMPERVA-Imperva,event#=enimadmi,createTime=2017-04-16 08:29:41,eventType=tateveli,eventSev=high,username=sumdolo,subsystem=idolorem,message="temvele" -%IMPERVA-Imperva,alert#=inimve,event#=uio,createTime=2017-04-30 
15:32:16,updateTime=mexercit,alertSev=high,group=onofdeF,ruleName="ibusBo",evntDesc="orin",category=enia,disposition=iavol,eventType=natuserr,proto=rdp,srcPort=3327,srcIP=10.64.184.196,dstPort=6659,dstIP=10.173.178.109,policyName="tatemse",occurrences=4493,httpHost=amqui,webMethod=lamco,url="https://www.example.net/hender/ptatemU.htm?mquisnos=tnulapa#madmi",webQuery="tlabore",soapAction=idunt,resultCode=expl,sessionID=olore,username=uian,addUsername=atuserro,responseTime=madminim,responseSize=tobeata,direction=inbound,dbUsername=ioff,queryGroup=oinBCS,application="itsedd",srcHost=upt6017.api.localdomain,osUsername=nesci,schemaName=tam,dbName=sin,hdrName=idexeac,action="block",errormsg="failure" -%IMPERVA-Imperva,dstIP=10.90.50.149,dstPort=1936,dbUsername=olu,srcIP=10.168.225.209,srcPort=6,creatTime=2017-05-14 22:34:50,srvGroup=taliq,service=tautfugi,appName=fdeFinib,event#=uip,eventType=Logout,usrGroup=ectobea,usrAuth=True,application="dat",osUsername=aUtenima,srcHost=turQuis4046.api.test,dbName=deomnisi,schemaName=olupta,bindVar=oll,sqlError=success,respSize=1127,respTime=55.870000,affRows=evelite,action="block",rawQuery="iav" -%IMPERVA-Imperva,dstIP=10.59.182.36,dstPort=5792,dbUsername=mtota,srcIP=10.18.150.82,srcPort=6648,creatTime=29 May 2017 05:37:24,srvGroup=rit,service=eumfu,appName=lors,event#=oluptat,eventType=Login,usrGroup=enimad,usrAuth=True,application="tis",osUsername=qua,srcHost=con6049.internal.lan,dbName=quelaud,schemaName=luptat,bindVar=rinrep,sqlError=unknown,respSize=6112,respTime=135.357000,affRows=nimv,action="allow",rawQuery="tconse" -%IMPERVA-Imperva,event#=rem,createTime=2017-06-12 12:39:58,eventType=ulamcola,eventSev=very-high,username=llita,subsystem=ntsunt,message="nturmag" -%IMPERVA-Imperva,dstIP=10.228.229.144,dstPort=3236,dbUsername=ametcons,srcIP=10.151.240.35,srcPort=3197,creatTime=2017-06-26 
19:42:33,srvGroup=roquisq,service=uasi,appName=maveniam,event#=uis,eventType=lill,usrGroup=remeum,usrAuth=mmod,application="taevit",osUsername=ama,srcHost=tatnonp1371.www.invalid,dbName=xercit,schemaName=lam,bindVar=asnu,sqlError=failure,respSize=4325,respTime=168.492000,affRows=eriam,action="cancel",rawQuery="aquae" -%IMPERVA-Imperva,dstIP=10.242.48.203,dstPort=1102,dbUsername=ese,srcIP=10.147.142.242,srcPort=2586,creatTime=2017-07-11 02:45:07,srvGroup=eca,service=ctionofd,appName=mpori,event#=olupt,eventType=Logout,usrGroup=ola,usrAuth=False,application="ptat",osUsername=quasi,srcHost=tium3542.internal.invalid,dbName=squamest,schemaName=quisn,bindVar=pteu,sqlError=success,respSize=3970,respTime=11.548000,affRows=antium,action="block",rawQuery="velillum" -%IMPERVA-Imperva,alert#=lapari,event#=Mal,createTime=2017-07-25 09:47:41,updateTime=itinvo,alertSev=very-high,group=paq,ruleName="emipsumq",evntDesc="culpaq",category=quamq,disposition=usan,eventType=tdolo,proto=ipv6,srcPort=4723,srcIP=10.213.165.165,dstPort=3787,dstIP=10.254.10.98,policyName="adipisc",occurrences=7365,httpHost=tasnul,webMethod=uptasn,url="https://example.net/itati/oidentsu.gif?eporroqu=aturve#temqui",webQuery="lup",soapAction=aeca,resultCode=isau,sessionID=giat,username=ttenb,addUsername=eirure,responseTime=boreetd,responseSize=tNe,direction=outbound,dbUsername=eeufug,queryGroup=ntin,application="iades",srcHost=radipis3991.mail.invalid,osUsername=civeli,schemaName=eufugia,dbName=utlabore,hdrName=tamr,action="cancel",errormsg="success" -%IMPERVA-Imperva,event#=onemul,createTime=2017-08-08 16:50:15,eventType=trudexe,eventSev=very-high,username=ura,subsystem=oreeufug,message="Quisa" -%IMPERVA-Imperva,alert#=llitani,event#=uscipit,createTime=2017-08-22 
23:52:50,updateTime=luptat,alertSev=very-high,group=etco,ruleName="iuntN",evntDesc="utfugi",category=ursintoc,disposition=tio,eventType=mmodicon,proto=ipv6,srcPort=5439,srcIP=10.116.1.130,dstPort=3402,dstIP=10.169.28.157,policyName="exeacomm",occurrences=1295,httpHost=ionula,webMethod=pexeaco,url="https://api.example.org/uamqua/Neq.gif?eumiu=nim#pteurs",webQuery="ercitati",soapAction=atem,resultCode=serro,sessionID=lumquid,username=eturadip,addUsername=amquaera,responseTime=rsitamet,responseSize=leumiur,direction=internal,dbUsername=utod,queryGroup=olesti,application="edquia",srcHost=ihi7294.www5.localhost,osUsername=reseo,schemaName=amco,dbName=ons,hdrName=onsecte,action="accept",errormsg="unknown" -%IMPERVA-Imperva,dstIP=10.29.138.31,dstPort=5871,dbUsername=volupta,srcIP=10.45.69.152,srcPort=4083,creatTime=6 September 2017 06:55:24,srvGroup=emi,service=uaerat,appName=iduntu,event#=samvol,eventType=Login,usrGroup=equa,usrAuth=False,application="apari",osUsername=tsunt,srcHost=caecat4920.api.host,dbName=enim,schemaName=umq,bindVar=sistena,sqlError=failure,respSize=744,respTime=33.416000,affRows=temquia,action="deny",rawQuery="eumiu" -%IMPERVA-Imperva,dstIP=10.152.213.228,dstPort=3387,dbUsername=ptatev,srcIP=10.100.113.11,srcPort=6971,creatTime=2017-09-20 13:57:58,srvGroup=aliqu,service=sequine,appName=utaliqui,event#=isciv,eventType=Logout,usrGroup=osqu,usrAuth=False,application="ptatemse",osUsername=itationu,srcHost=setquas6188.internal.local,dbName=magnaali,schemaName=velillum,bindVar=ionev,sqlError=success,respSize=7245,respTime=131.118000,affRows=ameaq,action="cancel",rawQuery="Except" -%IMPERVA-Imperva,event#=uiac,createTime=2017-10-04 21:00:32,eventType=tquii,eventSev=low,username=reme,subsystem=emeumfu,message="inBCSedu" -%IMPERVA-Imperva,dstIP=10.208.33.55,dstPort=1849,dbUsername=ulapari,srcIP=10.248.102.129,srcPort=3510,creatTime=2017-10-19 
04:03:07,srvGroup=iatn,service=saquaeab,appName=eli,event#=rissusci,eventType=Logout,usrGroup=ectetur,usrAuth=True,application="dictasun",osUsername=inimv,srcHost=nibusBo3674.www5.localhost,dbName=ntut,schemaName=mremaper,bindVar=uteirur,sqlError=unknown,respSize=6433,respTime=111.360000,affRows=isni,action="accept",rawQuery="quovo" -%IMPERVA-Imperva,dstIP=10.203.164.132,dstPort=6213,dbUsername=mporin,srcIP=10.109.230.216,srcPort=4447,creatTime=2017-11-02 11:05:41,srvGroup=uov,service=pariat,appName=icaboNe,event#=boreetd,eventType=Logout,usrGroup=uir,usrAuth=True,application="rumex",osUsername=ectobea,srcHost=totamr7676.www5.home,dbName=imadm,schemaName=ibus,bindVar=lumdol,sqlError=success,respSize=547,respTime=166.971000,affRows=reprehe,action="block",rawQuery="ihil" -%IMPERVA-Imperva,dstIP=10.151.203.60,dstPort=482,dbUsername=dol,srcIP=10.117.81.75,srcPort=3365,creatTime=16 November 2017 18:08:15,srvGroup=iciatis,service=agn,appName=cul,event#=tate,eventType=Login,usrGroup=psam,usrAuth=True,application="itaedi",osUsername=exeac,srcHost=idents7231.mail.home,dbName=veniamqu,schemaName=iconsequ,bindVar=ueporr,sqlError=unknown,respSize=484,respTime=27.563000,affRows=tur,action="block",rawQuery="onorumet" -%IMPERVA-Imperva,dstIP=10.224.217.153,dstPort=6339,dbUsername=eriti,srcIP=10.45.152.205,srcPort=6907,creatTime=1 December 2017 01:10:49,srvGroup=riame,service=datatn,appName=seq,event#=mquis,eventType=Login,usrGroup=tur,usrAuth=True,application="itation",osUsername=utlabo,srcHost=tat50.mail.host,dbName=essequam,schemaName=imav,bindVar=mtot,sqlError=success,respSize=922,respTime=17.709000,affRows=prehend,action="allow",rawQuery="liquid" -%IMPERVA-Imperva,alert#=umq,event#=ipsu,createTime=2017-12-15 
08:13:24,updateTime=oremip,alertSev=low,group=odit,ruleName="vol",evntDesc="epteurs",category=itse,disposition=rever,eventType=sBonoru,proto=udp,srcPort=2652,srcIP=10.60.164.100,dstPort=5119,dstIP=10.1.193.187,policyName="yCice",occurrences=508,httpHost=ionem,webMethod=taevitae,url="https://api.example.net/quam/saute.htm?nostru=docons#emipsumq",webQuery="orinr",soapAction=ineavol,resultCode=umdo,sessionID=tass,username=ugi,addUsername=riat,responseTime=atvol,responseSize=emipsum,direction=internal,dbUsername=uameiu,queryGroup=quiado,application="conse",srcHost=mips3283.corp,osUsername=hite,schemaName=adipis,dbName=abo,hdrName=suntex,action="allow",errormsg="failure" -%IMPERVA-Imperva,dstIP=10.248.244.203,dstPort=806,dbUsername=mquamei,srcIP=10.146.228.234,srcPort=4346,creatTime=2017-12-29 15:15:58,srvGroup=rissusci,service=uaturQ,appName=iusmod,event#=susc,eventType=taed,usrGroup=eatae,usrAuth=siutali,application="oloremq",osUsername=sum,srcHost=aliquip7229.mail.domain,dbName=doe,schemaName=eiusm,bindVar=oremipsu,sqlError=failure,respSize=3058,respTime=133.358000,affRows=llum,action="allow",rawQuery="mto" -%IMPERVA-Imperva,dstIP=10.122.127.237,dstPort=1138,dbUsername=consecte,srcIP=10.86.121.152,srcPort=3971,creatTime=2018-01-12 22:18:32,srvGroup=mquamei,service=litesse,appName=fug,event#=liquid,eventType=Logout,usrGroup=uidex,usrAuth=False,application="umdolo",osUsername=nimv,srcHost=fde7756.mail.corp,dbName=usmod,schemaName=ine,bindVar=qui,sqlError=success,respSize=2771,respTime=136.167000,affRows=orsitame,action="block",rawQuery="ipex" -%IMPERVA-Imperva,dstIP=10.201.223.119,dstPort=3614,dbUsername=rcit,srcIP=10.204.223.184,srcPort=6092,creatTime=2018-01-27 
05:21:06,srvGroup=giat,service=nculpa,appName=olupt,event#=tvol,eventType=Logout,usrGroup=ostru,usrAuth=True,application="mea",osUsername=tuserror,srcHost=agnama5013.internal.example,dbName=boreetdo,schemaName=teni,bindVar=iin,sqlError=unknown,respSize=4113,respTime=161.837000,affRows=tNeq,action="block",rawQuery="liq" -%IMPERVA-Imperva,dstIP=10.200.12.126,dstPort=2347,dbUsername=magnido,srcIP=10.223.56.33,srcPort=5899,creatTime=10 February 2018 12:23:41,srvGroup=ing,service=amal,appName=aliq,event#=utem,eventType=Login,usrGroup=oreetd,usrAuth=True,application="itatis",osUsername=Nequepo,srcHost=edictas4693.home,dbName=borisnis,schemaName=elitsedd,bindVar=hitecto,sqlError=failure,respSize=3243,respTime=75.415000,affRows=imven,action="block",rawQuery="hende" -%IMPERVA-Imperva,alert#=deseru,event#=aquioff,createTime=2018-02-24 19:26:15,updateTime=cip,alertSev=very-high,group=onsequat,ruleName="tiumd",evntDesc="atuse",category=imad,disposition=tura,eventType=equuntur,proto=ipv6,srcPort=428,srcIP=10.94.89.177,dstPort=1752,dstIP=10.65.225.101,policyName="nulapari",occurrences=2513,httpHost=ostrumex,webMethod=eruntmol,url="https://internal.example.com/imide/uiineav.htm?lloinve=eni#asia",webQuery="edquiac",soapAction=psamvolu,resultCode=teturad,sessionID=ritq,username=tuserror,addUsername=tla,responseTime=orroq,responseSize=modtempo,direction=outbound,dbUsername=uptate,queryGroup=sumqui,application="eritin",srcHost=nibu2565.api.local,osUsername=citation,schemaName=emquel,dbName=rspiciat,hdrName=iavol,action="cancel",errormsg="unknown" -%IMPERVA-Imperva,dstIP=10.65.174.196,dstPort=472,dbUsername=iin,srcIP=10.191.184.105,srcPort=6821,creatTime=2018-03-11 02:28:49,srvGroup=iat,service=orain,appName=equaturQ,event#=llu,eventType=quaUt,usrGroup=labor,usrAuth=oris,application="tatemse",osUsername=uta,srcHost=tsun7120.home,dbName=per,schemaName=tione,bindVar=nibus,sqlError=unknown,respSize=5836,respTime=61.864000,affRows=olo,action="deny",rawQuery="BCSedutp" 
-%IMPERVA-Imperva,alert#=tdolor,event#=Ute,createTime=2018-03-25 09:31:24,updateTime=tura,alertSev=very-high,group=umSecti,ruleName="eabil",evntDesc="ibusB",category=rporis,disposition=etco,eventType=mip,proto=rdp,srcPort=6078,srcIP=10.224.148.48,dstPort=2803,dstIP=10.41.181.179,policyName="siarch",occurrences=7468,httpHost=setq,webMethod=rumwr,url="https://api.example.com/ptatem/mporain.gif?corpo=commod#iumd",webQuery="ntore",soapAction=tect,resultCode=ion,sessionID=tutl,username=niam,addUsername=oru,responseTime=mcorp,responseSize=uelaud,direction=outbound,dbUsername=ameiu,queryGroup=utei,application="caecat",srcHost=lumquid6940.mail.localdomain,osUsername=equepor,schemaName=iosamn,dbName=erspicia,hdrName=neavolup,action="deny",errormsg="success" -%IMPERVA-Imperva,dstIP=10.21.208.103,dstPort=5543,dbUsername=imidest,srcIP=10.21.61.134,srcPort=6124,creatTime=2018-04-08 16:33:58,srvGroup=iacon,service=ncu,appName=quaturve,event#=ciad,eventType=Logout,usrGroup=diconseq,usrAuth=False,application="utod",osUsername=ostr,srcHost=amcorp7299.api.example,dbName=uptatem,schemaName=mipsa,bindVar=nproide,sqlError=success,respSize=7766,respTime=91.186000,affRows=siutali,action="deny",rawQuery="nemullam" -%IMPERVA-Imperva,dstIP=10.23.6.216,dstPort=4578,dbUsername=iarchit,srcIP=10.221.192.116,srcPort=4688,creatTime=2018-04-22 23:36:32,srvGroup=usBonor,service=mide,appName=sten,event#=enderi,eventType=Logout,usrGroup=labore,usrAuth=False,application="uasiarch",osUsername=iamquisn,srcHost=magnama868.api.local,dbName=Section,schemaName=tevelite,bindVar=esciunt,sqlError=success,respSize=639,respTime=6.388000,affRows=borisnis,action="accept",rawQuery="oremagn" -%IMPERVA-Imperva,alert#=rcita,event#=ataev,createTime=2018-05-07 
06:39:06,updateTime=oris,alertSev=very-high,group=tate,ruleName="tutlabo",evntDesc="nto",category=sciv,disposition=tlabo,eventType=nsequun,proto=ipv6,srcPort=2976,srcIP=10.191.142.143,dstPort=5850,dstIP=10.240.62.238,policyName="sintoc",occurrences=7580,httpHost=laboris,webMethod=ali,url="https://www5.example.net/aUten/edutpers.gif?apariatu=mnisis#onsequa",webQuery="sunt",soapAction=orumSe,resultCode=olupta,sessionID=emveleum,username=modtempo,addUsername=mfugi,responseTime=roqui,responseSize=ntutlabo,direction=external,dbUsername=isq,queryGroup=eacommo,application="amqua",srcHost=tionevol3157.mail.invalid,osUsername=nofde,schemaName=animide,dbName=Lore,hdrName=oin,action=cancel -%IMPERVA-Imperva,alert#=ecatcu,event#=entoreve,createTime=2018-05-21 13:41:41,updateTime=ion,alertSev=very-high,group=onev,ruleName="atu",evntDesc="adeseru",category=sitas,disposition=eni,eventType=cte,proto=igmp,srcPort=3124,srcIP=10.178.79.217,dstPort=7499,dstIP=10.111.22.134,policyName="datatno",occurrences=3538,httpHost=siar,webMethod=orisnis,url="https://www.example.net/mvolup/pidat.jpg?ents=nsec#iaeco",webQuery="ommodoco",soapAction=ritinv,resultCode=rita,sessionID=oidents,username=ccusan,addUsername=inimav,responseTime=quel,responseSize=ugitsed,direction=external,dbUsername=idolor,queryGroup=xplic,application="stenat",srcHost=mquis319.api.local,osUsername=inibusBo,schemaName=tqui,dbName=sequun,hdrName=nimadm,action=deny -%IMPERVA-Imperva,dstIP=10.161.225.172,dstPort=3708,dbUsername=meaqu,srcIP=10.77.86.215,srcPort=6390,creatTime=4 June 2018 20:44:15,srvGroup=con,service=aeabil,appName=iumtot,event#=edicta,eventType=Login,usrGroup=itaspern,usrAuth=False,application="tau",osUsername=rcit,srcHost=urad5712.api.host,dbName=sitamet,schemaName=xerc,bindVar=mcolabor,sqlError=success,respSize=7286,respTime=143.926000,affRows=evita,action="block",rawQuery="ant" -%IMPERVA-Imperva,dstIP=10.186.133.184,dstPort=7864,dbUsername=boriosa,srcIP=10.211.161.187,srcPort=843,creatTime=2018-06-19 
03:46:49,srvGroup=laud,service=uido,appName=uis,event#=msequin,eventType=autem,usrGroup=mporai,usrAuth=ipi,application="qua",osUsername=acons,srcHost=enbyCic4659.www5.example,dbName=orroqui,schemaName=sci,bindVar=psamvolu,sqlError=unknown,respSize=1578,respTime=66.164000,affRows=temse,action="deny",rawQuery="onevol" -%IMPERVA-Imperva,dstIP=10.160.147.230,dstPort=2126,dbUsername=nimvenia,srcIP=10.254.198.47,srcPort=3925,creatTime=2018-07-03 10:49:23,srvGroup=lit,service=quin,appName=adipisc,event#=sedqui,eventType=ueporroq,usrGroup=dolo,usrAuth=adm,application="dolor",osUsername=ndeomnis,srcHost=inBCSed5308.api.corp,dbName=modicons,schemaName=illoin,bindVar=rinre,sqlError=unknown,respSize=5988,respTime=34.664000,affRows=olorem,action="cancel",rawQuery="dquiaco" -%IMPERVA-Imperva,dstIP=10.40.24.93,dstPort=7487,dbUsername=mSecti,srcIP=10.182.197.243,srcPort=3687,creatTime=2018-07-17 17:51:58,srvGroup=xerci,service=qua,appName=iaecons,event#=pteurs,eventType=Logout,usrGroup=intocc,usrAuth=True,application="abo",osUsername=orisnis,srcHost=reseo2067.api.localdomain,dbName=nsectetu,schemaName=exerci,bindVar=lit,sqlError=success,respSize=4129,respTime=171.277000,affRows=ono,action="cancel",rawQuery="equuntu" -%IMPERVA-Imperva,dstIP=10.249.13.159,dstPort=3023,dbUsername=uisautei,srcIP=10.108.130.106,srcPort=7601,creatTime=1 August 2018 00:54:32,srvGroup=scinge,service=lum,appName=iinea,event#=xercit,eventType=Login,usrGroup=reh,usrAuth=False,application="velitess",osUsername=colab,srcHost=itte6905.mail.invalid,dbName=tesseq,schemaName=exeacomm,bindVar=uptat,sqlError=success,respSize=1044,respTime=112.679000,affRows=ptatema,action="cancel",rawQuery="cepteurs" -%IMPERVA-Imperva,alert#=ioffic,event#=rumetMal,createTime=2018-08-15 
07:57:06,updateTime=tiumtot,alertSev=very-high,group=caboNe,ruleName="ptate",evntDesc="enimips",category=Nequepor,disposition=nisiu,eventType=ptat,proto=ggp,srcPort=4082,srcIP=10.64.94.174,dstPort=3852,dstIP=10.39.244.49,policyName="ctas",occurrences=7128,httpHost=sequ,webMethod=gna,url="https://internal.example.org/aev/uovolup.txt?aqueip=aqueip#rautod",webQuery="tur",soapAction=minimav,resultCode=uovo,sessionID=aven,username=Sedut,addUsername=stiaec,responseTime=rveli,responseSize=serr,direction=internal,dbUsername=uid,queryGroup=lamcor,application="rorsitv",srcHost=caboNemo274.www.host,osUsername=estiae,schemaName=iunt,dbName=eFinibu,hdrName=uisaut,action=cancel -%IMPERVA-Imperva,event#=odit,createTime=2018-08-29 14:59:40,eventType=ercitati,eventSev=very-high,username=imad,subsystem=olo,message="deserun" -%IMPERVA-Imperva,event#=scingeli,createTime=2018-09-12 22:02:15,eventType=uatDuis,eventSev=medium,username=apari,subsystem=itesseci,message="utali" -%IMPERVA-Imperva,dstIP=10.115.203.143,dstPort=6889,dbUsername=utoditau,srcIP=10.134.135.22,srcPort=1809,creatTime=27 September 2018 05:04:49,srvGroup=serror,service=itl,appName=Bonoru,event#=rumetMa,eventType=Login,usrGroup=entor,usrAuth=False,application="urere",osUsername=involu,srcHost=qui5978.api.test,dbName=amre,schemaName=orpori,bindVar=sistena,sqlError=failure,respSize=7868,respTime=5.277000,affRows=borisn,action="cancel",rawQuery="quatu" -%IMPERVA-Imperva,dstIP=10.43.244.252,dstPort=1752,dbUsername=inculp,srcIP=10.251.212.166,srcPort=3925,creatTime=11 October 2018 12:07:23,srvGroup=iur,service=aboNemo,appName=tsedquia,event#=ididun,eventType=Login,usrGroup=tatiset,usrAuth=False,application="enim",osUsername=gnido,srcHost=iamq2577.internal.corp,dbName=uisa,schemaName=uptat,bindVar=siutal,sqlError=unknown,respSize=6947,respTime=144.976000,affRows=tempori,action="accept",rawQuery="lamco" -%IMPERVA-Imperva,event#=nimve,createTime=2018-10-25 
19:09:57,eventType=edutpe,eventSev=medium,username=isunde,subsystem=nimadm,message="cepte" -%IMPERVA-Imperva,dstIP=10.20.231.188,dstPort=1200,dbUsername=tesseq,srcIP=10.88.189.164,srcPort=1373,creatTime=2018-11-09 02:12:32,srvGroup=iusmod,service=aincid,appName=giatq,event#=tion,eventType=Logout,usrGroup=tNeque,usrAuth=False,application="uidolore",osUsername=uatDuisa,srcHost=usB4127.localhost,dbName=ufugia,schemaName=mqu,bindVar=remagna,sqlError=failure,respSize=1623,respTime=33.468000,affRows=Uteni,action="cancel",rawQuery="porinci" -%IMPERVA-Imperva,event#=edd,createTime=2018-11-23 09:15:06,eventType=uianon,eventSev=low,username=quamquae,subsystem=aaliq,message="nos" -%IMPERVA-Imperva,dstIP=10.231.77.26,dstPort=7082,dbUsername=rehe,srcIP=10.225.11.197,srcPort=3513,creatTime=7 December 2018 16:17:40,srvGroup=siarchi,service=seddoeiu,appName=lorinrep,event#=isq,eventType=Login,usrGroup=quines,usrAuth=False,application="entsu",osUsername=ineavol,srcHost=abor3266.mail.home,dbName=voluptat,schemaName=volu,bindVar=iutaliqu,sqlError=failure,respSize=3064,respTime=61.960000,affRows=iusmo,action="allow",rawQuery="uovo" -%IMPERVA-Imperva,dstIP=10.148.3.197,dstPort=979,dbUsername=usa,srcIP=10.106.166.105,srcPort=4567,creatTime=2018-12-21 23:20:14,srvGroup=oremagna,service=siuta,appName=amnihil,event#=nderit,eventType=ficia,usrGroup=tru,usrAuth=tionu,application="natuser",osUsername=olupt,srcHost=eprehe2455.www.home,dbName=smo,schemaName=avolup,bindVar=litse,sqlError=failure,respSize=2658,respTime=84.894000,affRows=untutlab,action="allow",rawQuery="byCicer" -%IMPERVA-Imperva,dstIP=10.172.121.239,dstPort=5339,dbUsername=iuta,srcIP=10.57.169.205,srcPort=3093,creatTime=2019-01-05 
06:22:49,srvGroup=reeufugi,service=oloree,appName=xeaco,event#=urm,eventType=Logout,usrGroup=mpo,usrAuth=False,application="cept",osUsername=ctas,srcHost=destla2110.www5.localdomain,dbName=inea,schemaName=ipsu,bindVar=iden,sqlError=failure,respSize=392,respTime=19.061000,affRows=reetd,action="cancel",rawQuery="maven" -%IMPERVA-Imperva,dstIP=10.129.234.200,dstPort=3833,dbUsername=tisundeo,srcIP=10.42.218.103,srcPort=3315,creatTime=19 January 2019 13:25:23,srvGroup=mnis,service=tametco,appName=snisiut,event#=lit,eventType=Login,usrGroup=laborio,usrAuth=False,application="aaliqu",osUsername=tevelit,srcHost=exerc3694.api.home,dbName=consec,schemaName=dquia,bindVar=cep,sqlError=success,respSize=6709,respTime=34.273000,affRows=volupta,action="allow",rawQuery="ipex" -%IMPERVA-Imperva,dstIP=10.111.132.221,dstPort=2262,dbUsername=ali,srcIP=10.76.121.224,srcPort=4305,creatTime=2019-02-02 20:27:57,srvGroup=xcep,service=ehen,appName=remap,event#=mUt,eventType=Logout,usrGroup=admi,usrAuth=True,application="siarch",osUsername=oloremi,srcHost=ididu5928.www5.local,dbName=tNe,schemaName=scive,bindVar=tcupi,sqlError=unknown,respSize=6155,respTime=139.491000,affRows=Sed,action="cancel",rawQuery="ita" -%IMPERVA-Imperva,dstIP=10.195.8.141,dstPort=4342,dbUsername=enimip,srcIP=10.17.214.21,srcPort=4821,creatTime=17 February 2019 03:30:32,srvGroup=umquiado,service=taspe,appName=empori,event#=mipsum,eventType=Login,usrGroup=tium,usrAuth=True,application="riaturE",osUsername=ota,srcHost=boriosa7066.www.corp,dbName=Nequep,schemaName=dolo,bindVar=exeacom,sqlError=success,respSize=469,respTime=146.775000,affRows=eufugiat,action="accept",rawQuery="non" -%IMPERVA-Imperva,dstIP=10.173.13.179,dstPort=1211,dbUsername=ptasn,srcIP=10.179.60.167,srcPort=1124,creatTime=2019-03-03 
10:33:06,srvGroup=amqui,service=itatise,appName=utlab,event#=ostr,eventType=Logout,usrGroup=liqu,usrAuth=True,application="cons",osUsername=apar,srcHost=ssusc1892.internal.host,dbName=xplic,schemaName=isn,bindVar=quepor,sqlError=failure,respSize=758,respTime=58.800000,affRows=etur,action="block",rawQuery="cusan" -%IMPERVA-Imperva,dstIP=10.42.135.34,dstPort=4361,dbUsername=tiset,srcIP=10.178.190.123,srcPort=3288,creatTime=2019-03-17 17:35:40,srvGroup=xercitat,service=ueporr,appName=utlab,event#=entoreve,eventType=Logout,usrGroup=lmolest,usrAuth=False,application="ser",osUsername=ore,srcHost=iatisund424.mail.localdomain,dbName=tametcon,schemaName=orsi,bindVar=ull,sqlError=success,respSize=2290,respTime=1.468000,affRows=etdolore,action="cancel",rawQuery="ore" -%IMPERVA-Imperva,event#=ectetur,createTime=2019-04-01 00:38:14,eventType=cons,eventSev=medium,username=fugit,subsystem=dantiu,message="ntutla" -%IMPERVA-Imperva,dstIP=10.207.198.239,dstPort=4735,dbUsername=Loremips,srcIP=10.8.147.176,srcPort=5920,creatTime=15 April 2019 07:40:49,srvGroup=odtem,service=ite,appName=tseddo,event#=ptatems,eventType=Login,usrGroup=ori,usrAuth=False,application="exerc",osUsername=aUteni,srcHost=uidolo7626.local,dbName=rchite,schemaName=incididu,bindVar=idolor,sqlError=failure,respSize=3043,respTime=36.712000,affRows=oinB,action="accept",rawQuery="econsequ" -%IMPERVA-Imperva,dstIP=10.116.26.185,dstPort=595,dbUsername=oNe,srcIP=10.206.221.180,srcPort=6818,creatTime=2019-04-29 14:43:23,srvGroup=repr,service=idu,appName=otam,event#=amquaera,eventType=rumS,usrGroup=uelau,usrAuth=quidolor,application="cca",osUsername=litesseq,srcHost=dmini3435.internal.domain,dbName=rumexerc,schemaName=nseq,bindVar=quisnost,sqlError=unknown,respSize=3218,respTime=26.485000,affRows=orisnisi,action="block",rawQuery="nul" -%IMPERVA-Imperva,dstIP=10.86.180.150,dstPort=5495,dbUsername=mnisis,srcIP=10.253.127.130,srcPort=5339,creatTime=2019-05-13 
21:45:57,srvGroup=isciveli,service=urve,appName=sundeomn,event#=tasu,eventType=Logout,usrGroup=equunt,usrAuth=True,application="uat",osUsername=itasper,srcHost=nibusBo1864.domain,dbName=ent,schemaName=etconsec,bindVar=docons,sqlError=failure,respSize=4564,respTime=4.592000,affRows=mremap,action="allow",rawQuery="sperna" -%IMPERVA-Imperva,alert#=mexe,event#=sequatDu,createTime=2019-05-28 04:48:31,updateTime=ssuscip,alertSev=high,group=ciade,ruleName="busBonor",evntDesc="enima",category=emseq,disposition=osamni,eventType=umetMa,proto=ipv6-icmp,srcPort=4469,srcIP=10.220.175.201,dstPort=579,dstIP=10.158.161.5,policyName="eab",occurrences=4098,httpHost=ciduntut,webMethod=atisu,url="https://internal.example.com/architec/incul.txt?aborios=mco#amnisiu",webQuery="suntincu",soapAction=lore,resultCode=equatu,sessionID=enbyCi,username=dolo,addUsername=adipi,responseTime=beata,responseSize=evelites,direction=inbound,dbUsername=tNeq,queryGroup=umtot,application="eumiurer",srcHost=inv6528.www5.example,osUsername=rrors,schemaName=dolo,dbName=tsed,hdrName=corpori,action=allow -%IMPERVA-Imperva,event#=uioff,createTime=2019-06-11 11:51:06,eventType=ema,eventSev=low,username=mpo,subsystem=deritinv,message="ten" -%IMPERVA-Imperva,dstIP=10.150.27.144,dstPort=5627,dbUsername=res,srcIP=10.248.16.82,srcPort=6834,creatTime=25 June 2019 18:53:40,srvGroup=loinv,service=umd,appName=madmi,event#=xercit,eventType=Login,usrGroup=avolup,usrAuth=True,application="etdo",osUsername=tuserror,srcHost=nisiutal4437.www.example,dbName=uipex,schemaName=ditautf,bindVar=orr,sqlError=failure,respSize=4367,respTime=25.972000,affRows=uptas,action="cancel",rawQuery="osquira" -%IMPERVA-Imperva,dstIP=10.146.131.76,dstPort=2281,dbUsername=orsi,srcIP=10.173.19.140,srcPort=7780,creatTime=2019-07-10 
01:56:14,srvGroup=atu,service=ddo,appName=veli,event#=ata,eventType=Logout,usrGroup=untmoll,usrAuth=False,application="ididun",osUsername=olo,srcHost=tqui5172.www.local,dbName=untex,schemaName=Except,bindVar=elitsedd,sqlError=failure,respSize=5844,respTime=52.550000,affRows=cingel,action="allow",rawQuery="seos" -%IMPERVA-Imperva,dstIP=10.69.5.227,dstPort=5845,dbUsername=doloreme,srcIP=10.171.175.165,srcPort=5776,creatTime=2019-07-24 08:58:48,srvGroup=taspe,service=litess,appName=enimadm,event#=corpori,eventType=onemull,usrGroup=emeu,usrAuth=uisaute,application="tvol",osUsername=ntocc,srcHost=intocca6708.mail.corp,dbName=dquiaco,schemaName=rumw,bindVar=ula,sqlError=failure,respSize=5201,respTime=46.690000,affRows=quam,action="deny",rawQuery="edquian" -%IMPERVA-Imperva,dstIP=10.213.214.118,dstPort=7851,dbUsername=ate,srcIP=10.253.175.129,srcPort=5547,creatTime=7 August 2019 16:01:23,srvGroup=rsi,service=tuser,appName=equinesc,event#=ectet,eventType=Login,usrGroup=emull,usrAuth=False,application="enatuser",osUsername=epteurs,srcHost=isetqu2843.www.invalid,dbName=niamqu,schemaName=nrep,bindVar=lauda,sqlError=failure,respSize=6260,respTime=9.295000,affRows=aincidu,action="deny",rawQuery="ipsamvol" -%IMPERVA-Imperva,alert#=estquido,event#=eufugiat,createTime=2019-08-21 23:03:57,updateTime=minima,alertSev=high,group=bor,ruleName="uisnos",evntDesc="loi",category=tation,disposition=seddoe,eventType=adol,proto=rdp,srcPort=7756,srcIP=10.149.91.130,dstPort=3548,dstIP=10.89.26.170,policyName="aqueipsa",occurrences=5863,httpHost=ide,webMethod=atcupi,url="https://www.example.com/sit/ugi.gif?sitametc=rur#edut",webQuery="sitametc",soapAction=iarchite,resultCode=uide,sessionID=iono,username=aboris,addUsername=eturad,responseTime=ipiscive,responseSize=sequu,direction=internal,dbUsername=epteur,queryGroup=iqu,application="uptateve",srcHost=commodo6041.mail.localhost,osUsername=atus,schemaName=orumetMa,dbName=inventor,hdrName=dolo,action=block 
-%IMPERVA-Imperva,alert#=tmolli,event#=orumSe,createTime=2019-09-05 06:06:31,updateTime=mSe,alertSev=high,group=teturad,ruleName="alorumwr",evntDesc="pis",category=idol,disposition=mmodico,eventType=emaccu,proto=rdp,srcPort=5818,srcIP=10.52.106.68,dstPort=856,dstIP=10.81.108.232,policyName="atemq",occurrences=5098,httpHost=volupta,webMethod=Quisaut,url="https://internal.example.net/obeatae/sedqui.jpg?nulap=onseq#amrem",webQuery="plicab",soapAction=isisten,resultCode=eiusmodt,sessionID=naaliq,username=aco,addUsername=psamvolu,responseTime=inculp,responseSize=eni,direction=inbound,dbUsername=sedqu,queryGroup=ipitlabo,application="olorinr",srcHost=gitse6744.api.local,osUsername=neavolup,schemaName=uaturve,dbName=lapa,hdrName=uepor,action="allow",errormsg="failure" -%IMPERVA-Imperva,alert#=umquamei,event#=nih,createTime=2019-09-19 13:09:05,updateTime=tionev,alertSev=high,group=quia,ruleName="eabill",evntDesc="itatiset",category=uaerat,disposition=met,eventType=isno,proto=icmp,srcPort=2572,srcIP=10.230.48.97,dstPort=1991,dstIP=10.223.10.28,policyName="emveleu",occurrences=4029,httpHost=norumet,webMethod=tconse,url="https://mail.example.com/iaturE/inc.htm?uisaut=mnihilm#itinvo",webQuery="lestia",soapAction=anti,resultCode=eavo,sessionID=enderi,username=erit,addUsername=uptatem,responseTime=reeufug,responseSize=temveleu,direction=unknown,dbUsername=repre,queryGroup=consec,application="untmoll",srcHost=par3605.internal.localdomain,osUsername=usmodte,schemaName=untex,dbName=ommodi,hdrName=ntiu,action="deny",errormsg="success" -%IMPERVA-Imperva,dstIP=10.115.42.231,dstPort=2143,dbUsername=res,srcIP=10.161.212.150,srcPort=2748,creatTime=3 October 2019 20:11:40,srvGroup=corporis,service=turExc,appName=urvelil,event#=ulapa,eventType=Login,usrGroup=abi,usrAuth=False,application="ameiusm",osUsername=tasnul,srcHost=isau4356.www.home,dbName=niamqui,schemaName=sequamn,bindVar=onse,sqlError=failure,respSize=4846,respTime=6.993000,affRows=aliquaUt,action="deny",rawQuery="natus" 
-%IMPERVA-Imperva,alert#=emp,event#=suscipit,createTime=2019-10-18 03:14:14,updateTime=iaconseq,alertSev=medium,group=sciuntNe,ruleName="nevo",evntDesc="stiaec",category=officia,disposition=ametcon,eventType=gnid,proto=ipv6,srcPort=5677,srcIP=10.226.75.20,dstPort=3896,dstIP=10.247.108.144,policyName="iutaliqu",occurrences=3711,httpHost=onsectet,webMethod=iat,url="https://www5.example.org/elaud/temsequ.htm?dolo=iciatisu#eip",webQuery="iquaUte",soapAction=aborumSe,resultCode=writt,sessionID=dent,username=tema,addUsername=saquaeab,responseTime=rpo,responseSize=inr,direction=internal,dbUsername=edquiac,queryGroup=olore,application="urEx",srcHost=labo3477.www5.domain,osUsername=maccusan,schemaName=fugia,dbName=psa,hdrName=iset,action="block",errormsg="success" -%IMPERVA-Imperva,dstIP=10.192.15.65,dstPort=3328,dbUsername=nimides,srcIP=10.97.22.61,srcPort=6420,creatTime=2019-11-01 10:16:48,srvGroup=labor,service=quelaud,appName=ira,event#=gna,eventType=aparia,usrGroup=ntoreve,usrAuth=remips,application="uptatemU",osUsername=illumd,srcHost=itseddo2209.mail.domain,dbName=olu,schemaName=rExcep,bindVar=turExcep,sqlError=success,respSize=4173,respTime=166.270000,affRows=duntutla,action="block",rawQuery="tmollit" -%IMPERVA-Imperva,alert#=venia,event#=Loremi,createTime=2019-11-15 17:19:22,updateTime=uisnostr,alertSev=medium,group=vol,ruleName="ommodi",evntDesc="ritat",category=dipi,disposition=asnulapa,eventType=atev,proto=tcp,srcPort=7469,srcIP=10.197.254.133,dstPort=2009,dstIP=10.116.76.161,policyName="tla",occurrences=2608,httpHost=ender,webMethod=quid,url="https://mail.example.net/teturad/nimide.htm?ueporroq=writ#ema",webQuery="ioffici",soapAction=agni,resultCode=tat,sessionID=metconse,username=ide,addUsername=equu,responseTime=pernatur,responseSize=orem,direction=outbound,dbUsername=caecatc,queryGroup=iarc,application="emquia",srcHost=duntutl3396.api.host,osUsername=idu,schemaName=trudex,dbName=ncul,hdrName=mcorpor,action=cancel 
-%IMPERVA-Imperva,dstIP=10.28.77.79,dstPort=3615,dbUsername=upta,srcIP=10.144.14.15,srcPort=1150,creatTime=30 November 2019 00:21:57,srvGroup=consequ,service=min,appName=riame,event#=gnaal,eventType=Login,usrGroup=nti,usrAuth=True,application="tetura",osUsername=utlab,srcHost=colabo6686.internal.invalid,dbName=uptass,schemaName=rspic,bindVar=itsedq,sqlError=success,respSize=4810,respTime=22.348000,affRows=iut,action="deny",rawQuery="nemu" -%IMPERVA-Imperva,dstIP=10.248.177.182,dstPort=317,dbUsername=quei,srcIP=10.18.15.43,srcPort=2224,creatTime=2019-12-14 07:24:31,srvGroup=reetdol,service=umtotam,appName=itaedi,event#=ant,eventType=tiumt,usrGroup=taedicta,usrAuth=mveniamq,application="exerci",osUsername=quaturve,srcHost=tsunti1164.www.example,dbName=equatur,schemaName=caecat,bindVar=oreetd,sqlError=unknown,respSize=983,respTime=113.318000,affRows=nderit,action="accept",rawQuery="icer" diff --git a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json deleted file mode 100644 index 2865f2ce2cb..00000000000 --- a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json +++ /dev/null 
@@ -1,5716 +0,0 @@ -[ - { - "destination.ip": "10.70.155.35", - "destination.port": 892, - "event.action": "cancel", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.70.155.35,dstPort=892,dbUsername=tatno,srcIP=10.81.122.126,srcPort=4141,creatTime=29 January 2016 06:09:59,srvGroup=uam,service=untutl,appName=rad,event#=taliqu,eventType=Login,usrGroup=ommod,usrAuth=True,application=\"scivel\",osUsername=aqui,srcHost=radipis5408.mail.local,dbName=enatuse,schemaName=magn,bindVar=equuntu,sqlError=failure,respSize=5910,respTime=10.347000,affRows=sum,action=\"cancel\",rawQuery=\"sit\"", - "event.outcome": "success", - "fileset.name": "securesphere", - "group.name": "ommod", - "host.hostname": "radipis5408.mail.local", - "input.type": "log", - "log.offset": 0, - "network.application": "scivel", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "radipis5408.mail.local" - ], - "related.ip": [ - "10.70.155.35", - "10.81.122.126" - ], - "related.user": [ - "aqui", - "magn", - "tatno" - ], - "rsa.counters.dclass_c1": 5910, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "enatuse", - "rsa.db.index": "sit", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "ommod", - "rsa.misc.group_object": "uam", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 10.347, - "rsa.time.starttime": "2016-01-29T08:09:59.000Z", - "service.type": "imperva", - "source.address": "radipis5408.mail.local", - "source.ip": "10.81.122.126", - "source.port": 4141, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "tatno" - }, - { - 
"event.action": "erep", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,event#=nimadmin,createTime=2016-02-12 13:12:33,eventType=erep,eventSev=low,username=temq,subsystem=ugiatqu,message=\"eacomm\"", - "fileset.name": "securesphere", - "input.type": "log", - "log.level": "low", - "log.offset": 439, - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.user": [ - "temq" - ], - "rsa.internal.event_desc": "eacomm", - "rsa.internal.messageid": "Imperva", - "rsa.misc.event_type": "erep", - "rsa.misc.severity": "low", - "rsa.time.starttime": "2016-02-12T15:12:33.000Z", - "service.type": "imperva", - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "temq" - }, - { - "destination.ip": "10.58.116.231", - "destination.port": 996, - "event.action": "accept", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.58.116.231,dstPort=996,dbUsername=qua,srcIP=10.159.182.171,srcPort=3947,creatTime=2016-02-26 20:15:08,srvGroup=apariat,service=mol,appName=pteursi,event#=onse,eventType=rumet,usrGroup=oll,usrAuth=erc,application=\"taliqu\",osUsername=temUten,srcHost=ccusan7572.api.home,dbName=aveniam,schemaName=uradi,bindVar=nimadmin,sqlError=failure,respSize=3626,respTime=79.328000,affRows=ender,action=\"accept\",rawQuery=\"ehenderi\"", - "fileset.name": "securesphere", - "group.name": "oll", - "host.hostname": "ccusan7572.api.home", - "input.type": "log", - "log.offset": 580, - "network.application": "taliqu", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "ccusan7572.api.home" - ], - "related.ip": [ - "10.159.182.171", - "10.58.116.231" - ], - "related.user": [ - "qua", - "temUten", - "uradi" - ], - "rsa.counters.dclass_c1": 3626, - "rsa.counters.dclass_c1_str": "Affected 
Rows", - "rsa.db.database": "aveniam", - "rsa.db.index": "ehenderi", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.event_type": "rumet", - "rsa.misc.group": "oll", - "rsa.misc.group_object": "apariat", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 79.328, - "rsa.time.starttime": "2016-02-26T22:15:08.000Z", - "service.type": "imperva", - "source.address": "ccusan7572.api.home", - "source.ip": "10.159.182.171", - "source.port": 3947, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "qua" - }, - { - "destination.ip": "10.232.27.250", - "destination.port": 7838, - "event.action": "cancel", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.232.27.250,dstPort=7838,dbUsername=mquidol,srcIP=10.18.124.28,srcPort=7668,creatTime=12 March 2016 03:17:42,srvGroup=rsitamet,service=lupt,appName=xea,event#=qua,eventType=Login,usrGroup=luptatev,usrAuth=False,application=\"admi\",osUsername=modocons,srcHost=elaudant5931.internal.invalid,dbName=lores,schemaName=lapariat,bindVar=eddoei,sqlError=failure,respSize=6564,respTime=87.496000,affRows=nimadmin,action=\"cancel\",rawQuery=\"xercitat\"", - "event.outcome": "failure", - "fileset.name": "securesphere", - "group.name": "luptatev", - "host.hostname": "elaudant5931.internal.invalid", - "input.type": "log", - "log.offset": 1023, - "network.application": "admi", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "elaudant5931.internal.invalid" - ], - "related.ip": [ - "10.18.124.28", - "10.232.27.250" - ], - "related.user": [ - "lapariat", - "modocons", - "mquidol" - ], - "rsa.counters.dclass_c1": 6564, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "lores", - "rsa.db.index": "xercitat", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - 
"rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "luptatev", - "rsa.misc.group_object": "rsitamet", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 87.496, - "rsa.time.starttime": "2016-03-12T05:17:42.000Z", - "service.type": "imperva", - "source.address": "elaudant5931.internal.invalid", - "source.ip": "10.18.124.28", - "source.port": 7668, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "mquidol" - }, - { - "destination.ip": "10.197.250.10", - "destination.port": 5697, - "event.action": "cancel", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=ationemu,event#=ice,createTime=2016-03-26 10:20:16,updateTime=estiae,alertSev=high,group=laborum,ruleName=\"tionof\",evntDesc=\"snostrud\",category=nama,disposition=quisnos,eventType=ite,proto=icmp,srcPort=2707,srcIP=10.6.137.200,dstPort=5697,dstIP=10.197.250.10,policyName=\"bor\",occurrences=7243,httpHost=hitect,webMethod=dol,url=\"https://internal.example.net/namali/taevit.html?nsecte=itame#eumfug\",webQuery=\"lit\",soapAction=asun,resultCode=estia,sessionID=eaq,username=occae,addUsername=ctetura,responseTime=labore,responseSize=texp,direction=external,dbUsername=adeseru,queryGroup=emoe,application=\"eaq\",srcHost=amest4147.mail.host,osUsername=intoc,schemaName=oluptas,dbName=tNequepo,hdrName=lup,action=cancel", - "fileset.name": "securesphere", - "group.name": "laborum", - "host.hostname": "amest4147.mail.host", - "input.type": "log", - "log.level": "high", - "log.offset": 1487, - "network.application": "eaq", - "network.direction": "external", - "network.protocol": "icmp", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "amest4147.mail.host" - ], - 
"related.ip": [ - "10.197.250.10", - "10.6.137.200" - ], - "related.user": [ - "intoc", - "occae", - "oluptas" - ], - "rsa.counters.event_counter": 7243, - "rsa.db.database": "tNequepo", - "rsa.internal.event_desc": "snostrud", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "cancel", - "dol" - ], - "rsa.misc.category": "nama", - "rsa.misc.disposition": "quisnos", - "rsa.misc.event_type": "ite", - "rsa.misc.group": "laborum", - "rsa.misc.log_session_id": "eaq", - "rsa.misc.operation_id": "ationemu", - "rsa.misc.policy_name": "bor", - "rsa.misc.result_code": "estia", - "rsa.misc.rule_name": "tionof", - "rsa.misc.severity": "high", - "rsa.time.starttime": "2016-03-26T12:20:16.000Z", - "rsa.web.alias_host": "hitect", - "rule.name": "tionof", - "service.type": "imperva", - "source.address": "amest4147.mail.host", - "source.ip": "10.6.137.200", - "source.port": 2707, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "url.domain": "internal.example.net", - "url.extension": "html", - "url.fragment": "eumfug", - "url.original": "https://internal.example.net/namali/taevit.html?nsecte=itame#eumfug", - "url.path": "/namali/taevit.html", - "url.query": [ - "lit", - "nsecte=itame" - ], - "url.scheme": "https", - "user.name": "occae" - }, - { - "destination.ip": "10.36.194.106", - "destination.port": 5473, - "event.action": "accept", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=sperna,event#=eabilloi,createTime=2016-04-09 
17:22:51,updateTime=estia,alertSev=medium,group=tlab,ruleName=\"volupt\",evntDesc=\"osqui\",category=xerc,disposition=iutali,eventType=fdeFi,proto=igmp,srcPort=1696,srcIP=10.179.124.125,dstPort=5473,dstIP=10.36.194.106,policyName=\"eprehend\",occurrences=2462,httpHost=dutper,webMethod=lamcolab,url=\"https://example.net/tlabo/uames.gif?mpo=offi#giatnu\",webQuery=\"ulapa\",soapAction=liqui,resultCode=quioffi,sessionID=uptate,username=ncidid,addUsername=quaturve,responseTime=sequa,responseSize=aera,direction=outbound,dbUsername=rvel,queryGroup=uid,application=\"onsecte\",srcHost=eratv6205.internal.lan,osUsername=reme,schemaName=acommod,dbName=uaUteni,hdrName=udantium,action=accept", - "fileset.name": "securesphere", - "group.name": "tlab", - "host.hostname": "eratv6205.internal.lan", - "input.type": "log", - "log.level": "medium", - "log.offset": 2221, - "network.application": "onsecte", - "network.direction": "outbound", - "network.protocol": "igmp", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "eratv6205.internal.lan" - ], - "related.ip": [ - "10.179.124.125", - "10.36.194.106" - ], - "related.user": [ - "acommod", - "ncidid", - "reme" - ], - "rsa.counters.event_counter": 2462, - "rsa.db.database": "uaUteni", - "rsa.internal.event_desc": "osqui", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "accept", - "lamcolab" - ], - "rsa.misc.category": "xerc", - "rsa.misc.disposition": "iutali", - "rsa.misc.event_type": "fdeFi", - "rsa.misc.group": "tlab", - "rsa.misc.log_session_id": "uptate", - "rsa.misc.operation_id": "sperna", - "rsa.misc.policy_name": "eprehend", - "rsa.misc.result_code": "quioffi", - "rsa.misc.rule_name": "volupt", - "rsa.misc.severity": "medium", - "rsa.time.starttime": "2016-04-09T19:22:51.000Z", - "rsa.web.alias_host": "dutper", - "rule.name": "volupt", - "service.type": "imperva", - "source.address": "eratv6205.internal.lan", - "source.ip": "10.179.124.125", - 
"source.port": 1696, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "url.domain": "example.net", - "url.extension": "gif", - "url.fragment": "giatnu", - "url.original": "https://example.net/tlabo/uames.gif?mpo=offi#giatnu", - "url.path": "/tlabo/uames.gif", - "url.query": [ - "mpo=offi", - "ulapa" - ], - "url.scheme": "https", - "user.name": "ncidid" - }, - { - "destination.ip": "10.129.149.43", - "destination.port": 3304, - "event.action": "accept", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.129.149.43,dstPort=3304,dbUsername=eveli,srcIP=10.211.105.204,srcPort=2742,creatTime=2016-04-24 00:25:25,srvGroup=aliquide,service=ofde,appName=equat,event#=derit,eventType=Logout,usrGroup=dexea,usrAuth=True,application=\"atcu\",osUsername=labor,srcHost=didunt1355.corp,dbName=udan,schemaName=orema,bindVar=invento,sqlError=failure,respSize=6855,respTime=74.098000,affRows=nofdeFin,action=\"accept\",rawQuery=\"rau\"", - "event.outcome": "success", - "fileset.name": "securesphere", - "group.name": "dexea", - "host.hostname": "didunt1355.corp", - "input.type": "log", - "log.offset": 2965, - "network.application": "atcu", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "didunt1355.corp" - ], - "related.ip": [ - "10.129.149.43", - "10.211.105.204" - ], - "related.user": [ - "eveli", - "labor", - "orema" - ], - "rsa.counters.dclass_c1": 6855, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "udan", - "rsa.db.index": "rau", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "dexea", - "rsa.misc.group_object": "aliquide", - 
"rsa.misc.result": "failure", - "rsa.time.duration_time": 74.098, - "rsa.time.starttime": "2016-04-24T02:25:25.000Z", - "service.type": "imperva", - "source.address": "didunt1355.corp", - "source.ip": "10.211.105.204", - "source.port": 2742, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "eveli" - }, - { - "destination.ip": "10.214.191.180", - "destination.port": 5848, - "event.action": "cancel", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.214.191.180,dstPort=5848,dbUsername=ipsumdol,srcIP=10.112.250.193,srcPort=5705,creatTime=2016-05-08 07:27:59,srvGroup=urerepr,service=ese,appName=isaute,event#=ptatemq,eventType=Logout,usrGroup=luptatev,usrAuth=False,application=\"tlabore\",osUsername=Exc,srcHost=pora6854.www5.home,dbName=nevo,schemaName=ide,bindVar=aali,sqlError=success,respSize=6852,respTime=49.573000,affRows=etcons,action=\"cancel\",rawQuery=\"tenbyCi\"", - "event.outcome": "failure", - "fileset.name": "securesphere", - "group.name": "luptatev", - "host.hostname": "pora6854.www5.home", - "input.type": "log", - "log.offset": 3402, - "network.application": "tlabore", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "pora6854.www5.home" - ], - "related.ip": [ - "10.112.250.193", - "10.214.191.180" - ], - "related.user": [ - "Exc", - "ide", - "ipsumdol" - ], - "rsa.counters.dclass_c1": 6852, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "nevo", - "rsa.db.index": "tenbyCi", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "luptatev", - "rsa.misc.group_object": "urerepr", - 
"rsa.misc.result": "success", - "rsa.time.duration_time": 49.573, - "rsa.time.starttime": "2016-05-08T09:27:59.000Z", - "service.type": "imperva", - "source.address": "pora6854.www5.home", - "source.ip": "10.112.250.193", - "source.port": 5705, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "ipsumdol" - }, - { - "destination.ip": "10.251.20.13", - "destination.port": 264, - "event.action": "deny", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.251.20.13,dstPort=264,dbUsername=iquipe,srcIP=10.192.34.76,srcPort=1450,creatTime=2016-05-22 14:30:33,srvGroup=upida,service=tvolupt,appName=eufugi,event#=pici,eventType=abor,usrGroup=utpe,usrAuth=onsequ,application=\"temqu\",osUsername=ovol,srcHost=ptasn6599.www.localhost,dbName=lore,schemaName=tnonpro,bindVar=ionemu,sqlError=success,respSize=3645,respTime=20.909000,affRows=tanimid,action=\"deny\",rawQuery=\"uamni\"", - "fileset.name": "securesphere", - "group.name": "utpe", - "host.hostname": "ptasn6599.www.localhost", - "input.type": "log", - "log.offset": 3849, - "network.application": "temqu", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "ptasn6599.www.localhost" - ], - "related.ip": [ - "10.192.34.76", - "10.251.20.13" - ], - "related.user": [ - "iquipe", - "ovol", - "tnonpro" - ], - "rsa.counters.dclass_c1": 3645, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "lore", - "rsa.db.index": "uamni", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.event_type": "abor", - "rsa.misc.group": "utpe", - "rsa.misc.group_object": "upida", - "rsa.misc.result": "success", - "rsa.time.duration_time": 20.909, - "rsa.time.starttime": "2016-05-22T16:30:33.000Z", - "service.type": "imperva", - "source.address": "ptasn6599.www.localhost", - "source.ip": "10.192.34.76", - "source.port": 
1450, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "iquipe" - }, - { - "destination.ip": "10.74.105.218", - "destination.port": 2438, - "event.action": "block", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.74.105.218,dstPort=2438,dbUsername=archite,srcIP=10.59.138.212,srcPort=7829,creatTime=2016-06-05 21:33:08,srvGroup=asi,service=datatno,appName=siutali,event#=amnih,eventType=Logout,usrGroup=ium,usrAuth=True,application=\"esciuntN\",osUsername=idunt,srcHost=ptasnu6684.mail.lan,dbName=orumSe,schemaName=boree,bindVar=intoc,sqlError=success,respSize=248,respTime=158.450000,affRows=eeufugia,action=\"block\",rawQuery=\"ofdeFini\"", - "event.outcome": "success", - "fileset.name": "securesphere", - "group.name": "ium", - "host.hostname": "ptasnu6684.mail.lan", - "input.type": "log", - "log.offset": 4290, - "network.application": "esciuntN", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "ptasnu6684.mail.lan" - ], - "related.ip": [ - "10.59.138.212", - "10.74.105.218" - ], - "related.user": [ - "archite", - "boree", - "idunt" - ], - "rsa.counters.dclass_c1": 248, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "orumSe", - "rsa.db.index": "ofdeFini", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "ium", - "rsa.misc.group_object": "asi", - "rsa.misc.result": "success", - "rsa.time.duration_time": 158.45, - "rsa.time.starttime": "2016-06-05T23:33:08.000Z", - "service.type": "imperva", - "source.address": "ptasnu6684.mail.lan", - "source.ip": "10.59.138.212", - "source.port": 7829, - "tags": [ - 
"forwarded", - "imperva.securesphere" - ], - "user.name": "archite" - }, - { - "destination.ip": "10.168.159.13", - "destination.port": 3319, - "event.action": "accept", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.168.159.13,dstPort=3319,dbUsername=inci,srcIP=10.230.173.4,srcPort=2631,creatTime=2016-06-20 04:35:42,srvGroup=avol,service=icero,appName=xer,event#=emipsumd,eventType=Logout,usrGroup=isisten,usrAuth=False,application=\"cusant\",osUsername=atemq,srcHost=rinre2977.api.corp,dbName=totamre,schemaName=isnostr,bindVar=umqu,sqlError=success,respSize=6135,respTime=86.668000,affRows=inesci,action=\"accept\",rawQuery=\"uia\"", - "event.outcome": "failure", - "fileset.name": "securesphere", - "group.name": "isisten", - "host.hostname": "rinre2977.api.corp", - "input.type": "log", - "log.offset": 4738, - "network.application": "cusant", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "rinre2977.api.corp" - ], - "related.ip": [ - "10.168.159.13", - "10.230.173.4" - ], - "related.user": [ - "atemq", - "inci", - "isnostr" - ], - "rsa.counters.dclass_c1": 6135, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "totamre", - "rsa.db.index": "uia", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "isisten", - "rsa.misc.group_object": "avol", - "rsa.misc.result": "success", - "rsa.time.duration_time": 86.668, - "rsa.time.starttime": "2016-06-20T06:35:42.000Z", - "service.type": "imperva", - "source.address": "rinre2977.api.corp", - "source.ip": "10.230.173.4", - "source.port": 2631, - "tags": [ - "forwarded", - 
"imperva.securesphere" - ], - "user.name": "inci" - }, - { - "destination.ip": "10.49.167.57", - "destination.port": 2119, - "event.action": "block", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.49.167.57,dstPort=2119,dbUsername=tali,srcIP=10.41.21.204,srcPort=3540,creatTime=4 July 2016 11:38:16,srvGroup=rpori,service=ice,appName=oles,event#=edic,eventType=Login,usrGroup=seq,usrAuth=True,application=\"tutlab\",osUsername=sau,srcHost=atevelit2450.local,dbName=aperia,schemaName=ccaeca,bindVar=umdolo,sqlError=failure,respSize=6818,respTime=115.224000,affRows=stenatu,action=\"block\",rawQuery=\"orumSe\"", - "event.outcome": "success", - "fileset.name": "securesphere", - "group.name": "seq", - "host.hostname": "atevelit2450.local", - "input.type": "log", - "log.offset": 5178, - "network.application": "tutlab", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "atevelit2450.local" - ], - "related.ip": [ - "10.41.21.204", - "10.49.167.57" - ], - "related.user": [ - "ccaeca", - "sau", - "tali" - ], - "rsa.counters.dclass_c1": 6818, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "aperia", - "rsa.db.index": "orumSe", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "seq", - "rsa.misc.group_object": "rpori", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 115.224, - "rsa.time.starttime": "2016-07-04T13:38:16.000Z", - "service.type": "imperva", - "source.address": "atevelit2450.local", - "source.ip": "10.41.21.204", - "source.port": 3540, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "tali" - 
}, - { - "destination.ip": "10.62.147.186", - "destination.port": 5592, - "event.action": "accept", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=dutp,event#=psaquaea,createTime=2016-07-18 18:40:50,updateTime=taevita,alertSev=high,group=siut,ruleName=\"tconsect\",evntDesc=\"aquae\",category=boreetdo,disposition=aturve,eventType=ditemp,proto=ipv6,srcPort=3406,srcIP=10.216.125.252,dstPort=5592,dstIP=10.62.147.186,policyName=\"eumiure\",occurrences=4603,httpHost=ima,webMethod=quasia,url=\"https://example.org/umwrit/uptate.html?ctetura=aveni#elit\",webQuery=\"seosqui\",soapAction=sequamni,resultCode=uradi,sessionID=tot,username=llamco,addUsername=nea,responseTime=psum,responseSize=tasnulap,direction=inbound,dbUsername=umSe,queryGroup=xeacomm,application=\"cinge\",srcHost=itla658.api.localhost,osUsername=lorsita,schemaName=dolore,dbName=uptate,hdrName=quidexea,action=\"accept\",errormsg=\"unknown\"", - "fileset.name": "securesphere", - "group.name": "siut", - "host.hostname": "itla658.api.localhost", - "input.type": "log", - "log.level": "high", - "log.offset": 5610, - "network.application": "cinge", - "network.direction": "inbound", - "network.protocol": "ipv6", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "itla658.api.localhost" - ], - "related.ip": [ - "10.216.125.252", - "10.62.147.186" - ], - "related.user": [ - "dolore", - "llamco", - "lorsita" - ], - "rsa.counters.event_counter": 4603, - "rsa.db.database": "uptate", - "rsa.internal.event_desc": "aquae", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "accept", - "quasia" - ], - "rsa.misc.category": "boreetdo", - "rsa.misc.disposition": "aturve", - "rsa.misc.event_type": "ditemp", - "rsa.misc.group": "siut", - "rsa.misc.log_session_id": "tot", - "rsa.misc.operation_id": "dutp", - "rsa.misc.policy_name": "eumiure", - "rsa.misc.result": 
"unknown", - "rsa.misc.result_code": "uradi", - "rsa.misc.rule_name": "tconsect", - "rsa.misc.severity": "high", - "rsa.time.starttime": "2016-07-18T20:40:50.000Z", - "rsa.web.alias_host": "ima", - "rule.name": "tconsect", - "service.type": "imperva", - "source.address": "itla658.api.localhost", - "source.ip": "10.216.125.252", - "source.port": 3406, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "url.domain": "example.org", - "url.extension": "html", - "url.fragment": "elit", - "url.original": "https://example.org/umwrit/uptate.html?ctetura=aveni#elit", - "url.path": "/umwrit/uptate.html", - "url.query": [ - "ctetura=aveni", - "seosqui" - ], - "url.scheme": "https", - "user.name": "llamco" - }, - { - "destination.ip": "10.204.128.215", - "destination.port": 2538, - "event.action": "deny", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=ate,event#=odoconse,createTime=2016-08-02 01:43:25,updateTime=emp,alertSev=very-high,group=veli,ruleName=\"tenim\",evntDesc=\"rumet\",category=verita,disposition=sectet,eventType=etdo,proto=tcp,srcPort=3689,srcIP=10.52.125.9,dstPort=2538,dstIP=10.204.128.215,policyName=\"ama\",occurrences=332,httpHost=runtmol,webMethod=texpli,url=\"https://api.example.org/roidents/tem.txt?tametcon=liqua#mvele\",webQuery=\"isis\",soapAction=uasiar,resultCode=utlab,sessionID=emUteni,username=rum,addUsername=gnaaliqu,responseTime=teirured,responseSize=onemulla,direction=external,dbUsername=bor,queryGroup=rauto,application=\"ationev\",srcHost=umdolor4389.api.home,osUsername=paquioff,schemaName=nci,dbName=isau,hdrName=rautodi,action=deny", - "fileset.name": "securesphere", - "group.name": "veli", - "host.hostname": "umdolor4389.api.home", - "input.type": "log", - "log.level": "very-high", - "log.offset": 6379, - "network.application": "ationev", - "network.direction": "external", - "network.protocol": "tcp", - "observer.product": "Secure", - 
"observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "umdolor4389.api.home" - ], - "related.ip": [ - "10.204.128.215", - "10.52.125.9" - ], - "related.user": [ - "nci", - "paquioff", - "rum" - ], - "rsa.counters.event_counter": 332, - "rsa.db.database": "isau", - "rsa.internal.event_desc": "rumet", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "deny", - "texpli" - ], - "rsa.misc.category": "verita", - "rsa.misc.disposition": "sectet", - "rsa.misc.event_type": "etdo", - "rsa.misc.group": "veli", - "rsa.misc.log_session_id": "emUteni", - "rsa.misc.operation_id": "ate", - "rsa.misc.policy_name": "ama", - "rsa.misc.result_code": "utlab", - "rsa.misc.rule_name": "tenim", - "rsa.misc.severity": "very-high", - "rsa.time.starttime": "2016-08-02T03:43:25.000Z", - "rsa.web.alias_host": "runtmol", - "rule.name": "tenim", - "service.type": "imperva", - "source.address": "umdolor4389.api.home", - "source.ip": "10.52.125.9", - "source.port": 3689, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "url.domain": "api.example.org", - "url.extension": "txt", - "url.fragment": "mvele", - "url.original": "https://api.example.org/roidents/tem.txt?tametcon=liqua#mvele", - "url.path": "/roidents/tem.txt", - "url.query": [ - "isis", - "tametcon=liqua" - ], - "url.scheme": "https", - "user.name": "rum" - }, - { - "destination.ip": "10.200.68.129", - "destination.port": 2558, - "event.action": "block", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.200.68.129,dstPort=2558,dbUsername=icabo,srcIP=10.34.148.166,srcPort=3022,creatTime=2016-08-16 
08:45:59,srvGroup=preh,service=ercit,appName=etMal,event#=qua,eventType=rsita,usrGroup=ate,usrAuth=ipsamvo,application=\"onula\",osUsername=miu,srcHost=rationev6444.localhost,dbName=tatem,schemaName=untutlab,bindVar=amcor,sqlError=failure,respSize=5427,respTime=176.685000,affRows=oremq,action=\"block\",rawQuery=\"uisaute\"", - "fileset.name": "securesphere", - "group.name": "ate", - "host.hostname": "rationev6444.localhost", - "input.type": "log", - "log.offset": 7117, - "network.application": "onula", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "rationev6444.localhost" - ], - "related.ip": [ - "10.200.68.129", - "10.34.148.166" - ], - "related.user": [ - "icabo", - "miu", - "untutlab" - ], - "rsa.counters.dclass_c1": 5427, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "tatem", - "rsa.db.index": "uisaute", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.event_type": "rsita", - "rsa.misc.group": "ate", - "rsa.misc.group_object": "preh", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 176.685, - "rsa.time.starttime": "2016-08-16T10:45:59.000Z", - "service.type": "imperva", - "source.address": "rationev6444.localhost", - "source.ip": "10.34.148.166", - "source.port": 3022, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "icabo" - }, - { - "destination.ip": "10.226.101.180", - "destination.port": 1000, - "event.action": "deny", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.226.101.180,dstPort=1000,dbUsername=siu,srcIP=10.134.5.40,srcPort=7284,creatTime=30 August 2016 
15:48:33,srvGroup=llamc,service=nte,appName=mvel,event#=nof,eventType=Login,usrGroup=usmodi,usrAuth=False,application=\"mvolu\",osUsername=conse,srcHost=ipi7727.www5.domain,dbName=isiu,schemaName=licabo,bindVar=enimadmi,sqlError=success,respSize=6356,respTime=41.238000,affRows=xeaco,action=\"deny\",rawQuery=\"amcor\"", - "event.outcome": "failure", - "fileset.name": "securesphere", - "group.name": "usmodi", - "host.hostname": "ipi7727.www5.domain", - "input.type": "log", - "log.offset": 7557, - "network.application": "mvolu", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "ipi7727.www5.domain" - ], - "related.ip": [ - "10.134.5.40", - "10.226.101.180" - ], - "related.user": [ - "conse", - "licabo", - "siu" - ], - "rsa.counters.dclass_c1": 6356, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "isiu", - "rsa.db.index": "amcor", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "usmodi", - "rsa.misc.group_object": "llamc", - "rsa.misc.result": "success", - "rsa.time.duration_time": 41.238, - "rsa.time.starttime": "2016-08-30T17:48:33.000Z", - "service.type": "imperva", - "source.address": "ipi7727.www5.domain", - "source.ip": "10.134.5.40", - "source.port": 7284, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "siu" - }, - { - "destination.ip": "10.126.26.131", - "destination.port": 2595, - "event.action": "accept", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.126.26.131,dstPort=2595,dbUsername=velite,srcIP=10.30.98.10,srcPort=7576,creatTime=13 September 2016 
22:51:07,srvGroup=itation,service=sequatD,appName=nimave,event#=isciv,eventType=Login,usrGroup=rroqu,usrAuth=False,application=\"nofd\",osUsername=dipisci,srcHost=spernatu5539.domain,dbName=quunt,schemaName=olori,bindVar=mquae,sqlError=unknown,respSize=7717,respTime=96.729000,affRows=cidunt,action=\"accept\",rawQuery=\"borisnis\"", - "event.outcome": "failure", - "fileset.name": "securesphere", - "group.name": "rroqu", - "host.hostname": "spernatu5539.domain", - "input.type": "log", - "log.offset": 7992, - "network.application": "nofd", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "spernatu5539.domain" - ], - "related.ip": [ - "10.126.26.131", - "10.30.98.10" - ], - "related.user": [ - "dipisci", - "olori", - "velite" - ], - "rsa.counters.dclass_c1": 7717, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "quunt", - "rsa.db.index": "borisnis", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "rroqu", - "rsa.misc.group_object": "itation", - "rsa.misc.result": "unknown", - "rsa.time.duration_time": 96.729, - "rsa.time.starttime": "2016-09-14T00:51:07.000Z", - "service.type": "imperva", - "source.address": "spernatu5539.domain", - "source.ip": "10.30.98.10", - "source.port": 7576, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "velite" - }, - { - "destination.ip": "10.190.10.219", - "destination.port": 5530, - "event.action": "cancel", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.190.10.219,dstPort=5530,dbUsername=accusant,srcIP=10.233.120.207,srcPort=136,creatTime=2016-09-28 
05:53:42,srvGroup=stenatu,service=inibu,appName=est,event#=uptatemU,eventType=Logout,usrGroup=leumiu,usrAuth=False,application=\"tla\",osUsername=item,srcHost=nimid372.api.corp,dbName=atcupid,schemaName=quamnih,bindVar=dminima,sqlError=success,respSize=3278,respTime=60.949000,affRows=tame,action=\"cancel\",rawQuery=\"reetd\"", - "event.outcome": "failure", - "fileset.name": "securesphere", - "group.name": "leumiu", - "host.hostname": "nimid372.api.corp", - "input.type": "log", - "log.offset": 8445, - "network.application": "tla", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "nimid372.api.corp" - ], - "related.ip": [ - "10.190.10.219", - "10.233.120.207" - ], - "related.user": [ - "accusant", - "item", - "quamnih" - ], - "rsa.counters.dclass_c1": 3278, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "atcupid", - "rsa.db.index": "reetd", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "leumiu", - "rsa.misc.group_object": "stenatu", - "rsa.misc.result": "success", - "rsa.time.duration_time": 60.949, - "rsa.time.starttime": "2016-09-28T07:53:42.000Z", - "service.type": "imperva", - "source.address": "nimid372.api.corp", - "source.ip": "10.233.120.207", - "source.port": 136, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "accusant" - }, - { - "event.action": "rad", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,event#=sitam,createTime=2016-10-12 12:56:16,eventType=rad,eventSev=low,username=sequa,subsystem=iosamnis,message=\"volupt\"", - "fileset.name": "securesphere", - "input.type": "log", - 
"log.level": "low", - "log.offset": 8890, - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.user": [ - "sequa" - ], - "rsa.internal.event_desc": "volupt", - "rsa.internal.messageid": "Imperva", - "rsa.misc.event_type": "rad", - "rsa.misc.severity": "low", - "rsa.time.starttime": "2016-10-12T14:56:16.000Z", - "service.type": "imperva", - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "sequa" - }, - { - "destination.ip": "10.100.98.56", - "destination.port": 1089, - "event.action": "deny", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.100.98.56,dstPort=1089,dbUsername=boru,srcIP=10.248.184.200,srcPort=5315,creatTime=2016-10-26 19:58:50,srvGroup=ptatem,service=ptatevel,appName=tenatuse,event#=psaqua,eventType=Logout,usrGroup=ullamcor,usrAuth=False,application=\"itationu\",osUsername=proident,srcHost=maliquam2147.internal.home,dbName=lores,schemaName=ritati,bindVar=orisni,sqlError=failure,respSize=5923,respTime=179.541000,affRows=sitam,action=\"deny\",rawQuery=\"mmodoc\"", - "event.outcome": "failure", - "fileset.name": "securesphere", - "group.name": "ullamcor", - "host.hostname": "maliquam2147.internal.home", - "input.type": "log", - "log.offset": 9029, - "network.application": "itationu", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "maliquam2147.internal.home" - ], - "related.ip": [ - "10.100.98.56", - "10.248.184.200" - ], - "related.user": [ - "boru", - "proident", - "ritati" - ], - "rsa.counters.dclass_c1": 5923, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "lores", - "rsa.db.index": "mmodoc", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": 
"Authentication", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "ullamcor", - "rsa.misc.group_object": "ptatem", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 179.541, - "rsa.time.starttime": "2016-10-26T21:58:50.000Z", - "service.type": "imperva", - "source.address": "maliquam2147.internal.home", - "source.ip": "10.248.184.200", - "source.port": 5315, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "boru" - }, - { - "destination.ip": "10.197.6.245", - "destination.port": 27, - "event.action": "allow", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.197.6.245,dstPort=27,dbUsername=dtempo,srcIP=10.82.28.220,srcPort=3570,creatTime=10 November 2016 03:01:24,srvGroup=imad,service=tinvolup,appName=tsed,event#=inv,eventType=Login,usrGroup=rroq,usrAuth=False,application=\"rcit\",osUsername=aecatcup,srcHost=olabor2983.internal.localhost,dbName=citatio,schemaName=oluptat,bindVar=mveniamq,sqlError=success,respSize=3071,respTime=120.142000,affRows=eaqueips,action=\"allow\",rawQuery=\"aturve\"", - "event.outcome": "failure", - "fileset.name": "securesphere", - "group.name": "rroq", - "host.hostname": "olabor2983.internal.localhost", - "input.type": "log", - "log.offset": 9492, - "network.application": "rcit", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "olabor2983.internal.localhost" - ], - "related.ip": [ - "10.197.6.245", - "10.82.28.220" - ], - "related.user": [ - "aecatcup", - "dtempo", - "oluptat" - ], - "rsa.counters.dclass_c1": 3071, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "citatio", - "rsa.db.index": "aturve", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - 
"rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "rroq", - "rsa.misc.group_object": "imad", - "rsa.misc.result": "success", - "rsa.time.duration_time": 120.142, - "rsa.time.starttime": "2016-11-10T05:01:24.000Z", - "service.type": "imperva", - "source.address": "olabor2983.internal.localhost", - "source.ip": "10.82.28.220", - "source.port": 3570, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "dtempo" - }, - { - "destination.ip": "10.6.27.103", - "destination.port": 3179, - "event.action": "cancel", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.6.27.103,dstPort=3179,dbUsername=redol,srcIP=10.167.252.183,srcPort=2003,creatTime=24 November 2016 10:03:59,srvGroup=doei,service=cipitl,appName=caboNemo,event#=dexerc,eventType=Login,usrGroup=strumex,usrAuth=True,application=\"eprehend\",osUsername=asnu,srcHost=hitec2111.mail.corp,dbName=perspici,schemaName=ationul,bindVar=mquisn,sqlError=failure,respSize=6606,respTime=155.907000,affRows=emUte,action=\"cancel\",rawQuery=\"ccae\"", - "event.outcome": "success", - "fileset.name": "securesphere", - "group.name": "strumex", - "host.hostname": "hitec2111.mail.corp", - "input.type": "log", - "log.offset": 9953, - "network.application": "eprehend", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "hitec2111.mail.corp" - ], - "related.ip": [ - "10.167.252.183", - "10.6.27.103" - ], - "related.user": [ - "asnu", - "ationul", - "redol" - ], - "rsa.counters.dclass_c1": 6606, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "perspici", - "rsa.db.index": "ccae", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - 
"rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "strumex", - "rsa.misc.group_object": "doei", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 155.907, - "rsa.time.starttime": "2016-11-24T12:03:59.000Z", - "service.type": "imperva", - "source.address": "hitec2111.mail.corp", - "source.ip": "10.167.252.183", - "source.port": 2003, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "redol" - }, - { - "destination.ip": "10.81.184.7", - "destination.port": 6735, - "event.action": "deny", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=ntNe,event#=itanim,createTime=2016-12-08 17:06:33,updateTime=nesciun,alertSev=medium,group=mollita,ruleName=\"tatem\",evntDesc=\"iae\",category=quido,disposition=emip,eventType=inBC,proto=tcp,srcPort=6165,srcIP=10.88.45.111,dstPort=6735,dstIP=10.81.184.7,policyName=\"saquaea\",occurrences=6344,httpHost=eetd,webMethod=illu,url=\"https://mail.example.com/lorsi/repreh.gif?sitamet=utlabo#tetur\",webQuery=\"tionula\",soapAction=ritqu,resultCode=ecatcupi,sessionID=uamei,username=undeomni,addUsername=tas,responseTime=autfugi,responseSize=tasun,direction=external,dbUsername=eratv,queryGroup=ipsa,application=\"asuntexp\",srcHost=adminim2559.www5.invalid,osUsername=lmole,schemaName=iameaque,dbName=nderi,hdrName=ssusci,action=\"deny\",errormsg=\"failure\"", - "fileset.name": "securesphere", - "group.name": "mollita", - "host.hostname": "adminim2559.www5.invalid", - "input.type": "log", - "log.level": "medium", - "log.offset": 10408, - "network.application": "asuntexp", - "network.direction": "external", - "network.protocol": "tcp", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "adminim2559.www5.invalid" - ], - "related.ip": [ - "10.81.184.7", - "10.88.45.111" - ], - 
"related.user": [ - "iameaque", - "lmole", - "undeomni" - ], - "rsa.counters.event_counter": 6344, - "rsa.db.database": "nderi", - "rsa.internal.event_desc": "iae", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "deny", - "illu" - ], - "rsa.misc.category": "quido", - "rsa.misc.disposition": "emip", - "rsa.misc.event_type": "inBC", - "rsa.misc.group": "mollita", - "rsa.misc.log_session_id": "uamei", - "rsa.misc.operation_id": "ntNe", - "rsa.misc.policy_name": "saquaea", - "rsa.misc.result": "failure", - "rsa.misc.result_code": "ecatcupi", - "rsa.misc.rule_name": "tatem", - "rsa.misc.severity": "medium", - "rsa.time.starttime": "2016-12-08T19:06:33.000Z", - "rsa.web.alias_host": "eetd", - "rule.name": "tatem", - "service.type": "imperva", - "source.address": "adminim2559.www5.invalid", - "source.ip": "10.88.45.111", - "source.port": 6165, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "url.domain": "mail.example.com", - "url.extension": "gif", - "url.fragment": "tetur", - "url.original": "https://mail.example.com/lorsi/repreh.gif?sitamet=utlabo#tetur", - "url.path": "/lorsi/repreh.gif", - "url.query": [ - "sitamet=utlabo", - "tionula" - ], - "url.scheme": "https", - "user.name": "undeomni" - }, - { - "destination.ip": "10.214.3.140", - "destination.port": 6127, - "event.action": "cancel", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.214.3.140,dstPort=6127,dbUsername=scipitl,srcIP=10.29.119.245,srcPort=1179,creatTime=2016-12-23 00:09:07,srvGroup=olli,service=rever,appName=ore,event#=offici,eventType=Logout,usrGroup=ection,usrAuth=False,application=\"roquisqu\",osUsername=edolorin,srcHost=dolorem6882.api.local,dbName=rsi,schemaName=taliqui,bindVar=mides,sqlError=success,respSize=5140,respTime=119.229000,affRows=tcu,action=\"cancel\",rawQuery=\"inrepreh\"", - "event.outcome": "failure", - "fileset.name": "securesphere", - "group.name": 
"ection", - "host.hostname": "dolorem6882.api.local", - "input.type": "log", - "log.offset": 11171, - "network.application": "roquisqu", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "dolorem6882.api.local" - ], - "related.ip": [ - "10.214.3.140", - "10.29.119.245" - ], - "related.user": [ - "edolorin", - "scipitl", - "taliqui" - ], - "rsa.counters.dclass_c1": 5140, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "rsi", - "rsa.db.index": "inrepreh", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "ection", - "rsa.misc.group_object": "olli", - "rsa.misc.result": "success", - "rsa.time.duration_time": 119.229, - "rsa.time.starttime": "2016-12-23T02:09:07.000Z", - "service.type": "imperva", - "source.address": "dolorem6882.api.local", - "source.ip": "10.29.119.245", - "source.port": 1179, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "scipitl" - }, - { - "destination.ip": "10.110.133.7", - "destination.port": 57, - "event.action": "allow", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=dipiscin,event#=olup,createTime=2017-01-06 
07:11:41,updateTime=aco,alertSev=medium,group=accusa,ruleName=\"natu\",evntDesc=\"liquid\",category=enim,disposition=Finibus,eventType=radi,proto=rdp,srcPort=2064,srcIP=10.218.123.234,dstPort=57,dstIP=10.110.133.7,policyName=\"radipisc\",occurrences=5347,httpHost=nibus,webMethod=vitaed,url=\"https://example.org/etconsec/elillum.htm?mporinc=onsectet#idolo\",webQuery=\"atemUte\",soapAction=docon,resultCode=mdolore,sessionID=eosquira,username=pta,addUsername=snos,responseTime=orsi,responseSize=tetura,direction=external,dbUsername=lorsita,queryGroup=eavol,application=\"osamnis\",srcHost=temaccu5302.test,osUsername=etconsec,schemaName=caboNem,dbName=urExcept,hdrName=rumetMal,action=\"allow\",errormsg=\"unknown\"", - "fileset.name": "securesphere", - "group.name": "accusa", - "host.hostname": "temaccu5302.test", - "input.type": "log", - "log.level": "medium", - "log.offset": 11619, - "network.application": "osamnis", - "network.direction": "external", - "network.protocol": "rdp", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "temaccu5302.test" - ], - "related.ip": [ - "10.110.133.7", - "10.218.123.234" - ], - "related.user": [ - "caboNem", - "etconsec", - "pta" - ], - "rsa.counters.event_counter": 5347, - "rsa.db.database": "urExcept", - "rsa.internal.event_desc": "liquid", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "allow", - "vitaed" - ], - "rsa.misc.category": "enim", - "rsa.misc.disposition": "Finibus", - "rsa.misc.event_type": "radi", - "rsa.misc.group": "accusa", - "rsa.misc.log_session_id": "eosquira", - "rsa.misc.operation_id": "dipiscin", - "rsa.misc.policy_name": "radipisc", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "mdolore", - "rsa.misc.rule_name": "natu", - "rsa.misc.severity": "medium", - "rsa.time.starttime": "2017-01-06T09:11:41.000Z", - "rsa.web.alias_host": "nibus", - "rule.name": "natu", - "service.type": "imperva", - "source.address": 
"temaccu5302.test", - "source.ip": "10.218.123.234", - "source.port": 2064, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "url.domain": "example.org", - "url.extension": "htm", - "url.fragment": "idolo", - "url.original": "https://example.org/etconsec/elillum.htm?mporinc=onsectet#idolo", - "url.path": "/etconsec/elillum.htm", - "url.query": [ - "atemUte", - "mporinc=onsectet" - ], - "url.scheme": "https", - "user.name": "pta" - }, - { - "destination.ip": "10.105.190.170", - "destination.port": 2519, - "event.action": "block", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.105.190.170,dstPort=2519,dbUsername=doeiu,srcIP=10.182.152.242,srcPort=1877,creatTime=2017-01-20 14:14:16,srvGroup=orumw,service=redol,appName=ecillum,event#=isci,eventType=Logout,usrGroup=dolor,usrAuth=True,application=\"tiumto\",osUsername=litan,srcHost=nder347.www.corp,dbName=alorum,schemaName=mquisn,bindVar=atq,sqlError=unknown,respSize=3474,respTime=68.556000,affRows=ugiatquo,action=\"block\",rawQuery=\"equamnih\"", - "event.outcome": "success", - "fileset.name": "securesphere", - "group.name": "dolor", - "host.hostname": "nder347.www.corp", - "input.type": "log", - "log.offset": 12387, - "network.application": "tiumto", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "nder347.www.corp" - ], - "related.ip": [ - "10.105.190.170", - "10.182.152.242" - ], - "related.user": [ - "doeiu", - "litan", - "mquisn" - ], - "rsa.counters.dclass_c1": 3474, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "alorum", - "rsa.db.index": "equamnih", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "block" - ], - 
"rsa.misc.event_type": "Logout", - "rsa.misc.group": "dolor", - "rsa.misc.group_object": "orumw", - "rsa.misc.result": "unknown", - "rsa.time.duration_time": 68.556, - "rsa.time.starttime": "2017-01-20T16:14:16.000Z", - "service.type": "imperva", - "source.address": "nder347.www.corp", - "source.ip": "10.182.152.242", - "source.port": 1877, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "doeiu" - }, - { - "destination.ip": "10.123.166.197", - "destination.port": 7082, - "event.action": "block", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=citati,event#=uamei,createTime=2017-02-03 21:16:50,updateTime=eursinto,alertSev=low,group=tutla,ruleName=\"licaboNe\",evntDesc=\"tautfug\",category=giatquov,disposition=olu,eventType=rmagnido,proto=ipv6-icmp,srcPort=7647,srcIP=10.59.188.188,dstPort=7082,dstIP=10.123.166.197,policyName=\"ici\",occurrences=7102,httpHost=mips,webMethod=itae,url=\"https://internal.example.net/atnula/ditautf.jpg?iquidex=olup#remipsu\",webQuery=\"tan\",soapAction=quiac,resultCode=sunt,sessionID=autfugit,username=emUte,addUsername=iusmodi,responseTime=fdeFi,responseSize=Except,direction=inbound,dbUsername=equat,queryGroup=aliquid,application=\"usantiu\",srcHost=idunt4633.internal.host,osUsername=liquam,schemaName=min,dbName=oluptat,hdrName=odt,action=block", - "fileset.name": "securesphere", - "group.name": "tutla", - "host.hostname": "idunt4633.internal.host", - "input.type": "log", - "log.level": "low", - "log.offset": 12830, - "network.application": "usantiu", - "network.direction": "inbound", - "network.protocol": "ipv6-icmp", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "idunt4633.internal.host" - ], - "related.ip": [ - "10.123.166.197", - "10.59.188.188" - ], - "related.user": [ - "emUte", - "liquam", - "min" - ], - "rsa.counters.event_counter": 7102, - 
"rsa.db.database": "oluptat", - "rsa.internal.event_desc": "tautfug", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "block", - "itae" - ], - "rsa.misc.category": "giatquov", - "rsa.misc.disposition": "olu", - "rsa.misc.event_type": "rmagnido", - "rsa.misc.group": "tutla", - "rsa.misc.log_session_id": "autfugit", - "rsa.misc.operation_id": "citati", - "rsa.misc.policy_name": "ici", - "rsa.misc.result_code": "sunt", - "rsa.misc.rule_name": "licaboNe", - "rsa.misc.severity": "low", - "rsa.time.starttime": "2017-02-03T23:16:50.000Z", - "rsa.web.alias_host": "mips", - "rule.name": "licaboNe", - "service.type": "imperva", - "source.address": "idunt4633.internal.host", - "source.ip": "10.59.188.188", - "source.port": 7647, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "url.domain": "internal.example.net", - "url.extension": "jpg", - "url.fragment": "remipsu", - "url.original": "https://internal.example.net/atnula/ditautf.jpg?iquidex=olup#remipsu", - "url.path": "/atnula/ditautf.jpg", - "url.query": [ - "iquidex=olup", - "tan" - ], - "url.scheme": "https", - "user.name": "emUte" - }, - { - "destination.ip": "10.72.75.207", - "destination.port": 6336, - "event.action": "accept", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.72.75.207,dstPort=6336,dbUsername=urau,srcIP=10.201.168.116,srcPort=2037,creatTime=2017-02-18 04:19:24,srvGroup=utali,service=sed,appName=xeac,event#=umdolors,eventType=Logout,usrGroup=lumdo,usrAuth=False,application=\"acom\",osUsername=eFini,srcHost=ectob4634.mail.localhost,dbName=prehend,schemaName=eufug,bindVar=roquisq,sqlError=unknown,respSize=3348,respTime=79.765000,affRows=civelits,action=\"accept\",rawQuery=\"reet\"", - "event.outcome": "failure", - "fileset.name": "securesphere", - "group.name": "lumdo", - "host.hostname": "ectob4634.mail.localhost", - "input.type": "log", - "log.offset": 13585, - 
"network.application": "acom", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "ectob4634.mail.localhost" - ], - "related.ip": [ - "10.201.168.116", - "10.72.75.207" - ], - "related.user": [ - "eFini", - "eufug", - "urau" - ], - "rsa.counters.dclass_c1": 3348, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "prehend", - "rsa.db.index": "reet", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "lumdo", - "rsa.misc.group_object": "utali", - "rsa.misc.result": "unknown", - "rsa.time.duration_time": 79.765, - "rsa.time.starttime": "2017-02-18T06:19:24.000Z", - "service.type": "imperva", - "source.address": "ectob4634.mail.localhost", - "source.ip": "10.201.168.116", - "source.port": 2037, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "urau" - }, - { - "destination.ip": "10.9.46.123", - "destination.port": 586, - "event.action": "block", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.9.46.123,dstPort=586,dbUsername=mfu,srcIP=10.58.133.175,srcPort=1634,creatTime=4 March 2017 11:21:59,srvGroup=llumq,service=tenim,appName=eiusmo,event#=ainc,eventType=Login,usrGroup=miurerep,usrAuth=True,application=\"lestia\",osUsername=nde,srcHost=snu6436.www.local,dbName=texplica,schemaName=oco,bindVar=aboree,sqlError=unknown,respSize=3795,respTime=14.713000,affRows=edquian,action=\"block\",rawQuery=\"uames\"", - "event.outcome": "success", - "fileset.name": "securesphere", - "group.name": "miurerep", - "host.hostname": "snu6436.www.local", - "input.type": "log", - "log.offset": 14032, - "network.application": 
"lestia", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "snu6436.www.local" - ], - "related.ip": [ - "10.58.133.175", - "10.9.46.123" - ], - "related.user": [ - "mfu", - "nde", - "oco" - ], - "rsa.counters.dclass_c1": 3795, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "texplica", - "rsa.db.index": "uames", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "miurerep", - "rsa.misc.group_object": "llumq", - "rsa.misc.result": "unknown", - "rsa.time.duration_time": 14.713, - "rsa.time.starttime": "2017-03-04T13:21:59.000Z", - "service.type": "imperva", - "source.address": "snu6436.www.local", - "source.ip": "10.58.133.175", - "source.port": 1634, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "mfu" - }, - { - "destination.ip": "10.169.50.59", - "destination.port": 7693, - "event.action": "block", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.169.50.59,dstPort=7693,dbUsername=pta,srcIP=10.70.29.203,srcPort=5994,creatTime=18 March 2017 18:24:33,srvGroup=piciatis,service=destla,appName=fugitse,event#=minimve,eventType=Login,usrGroup=serrorsi,usrAuth=False,application=\"tametco\",osUsername=mquisnos,srcHost=lore7099.www.host,dbName=isn,schemaName=veniamq,bindVar=lup,sqlError=unknown,respSize=2358,respTime=94.460000,affRows=ipitlabo,action=\"block\",rawQuery=\"prehen\"", - "event.outcome": "failure", - "fileset.name": "securesphere", - "group.name": "serrorsi", - "host.hostname": "lore7099.www.host", - "input.type": "log", - "log.offset": 14468, - "network.application": "tametco", - 
"observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "lore7099.www.host" - ], - "related.ip": [ - "10.169.50.59", - "10.70.29.203" - ], - "related.user": [ - "mquisnos", - "pta", - "veniamq" - ], - "rsa.counters.dclass_c1": 2358, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "isn", - "rsa.db.index": "prehen", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "serrorsi", - "rsa.misc.group_object": "piciatis", - "rsa.misc.result": "unknown", - "rsa.time.duration_time": 94.46, - "rsa.time.starttime": "2017-03-18T20:24:33.000Z", - "service.type": "imperva", - "source.address": "lore7099.www.host", - "source.ip": "10.70.29.203", - "source.port": 5994, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "pta" - }, - { - "destination.ip": "10.165.182.111", - "destination.port": 5525, - "event.action": "block", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.165.182.111,dstPort=5525,dbUsername=ames,srcIP=10.137.85.123,srcPort=218,creatTime=2017-04-02 01:27:07,srvGroup=amquisno,service=modoc,appName=magnam,event#=uinesc,eventType=Logout,usrGroup=cid,usrAuth=True,application=\"emi\",osUsername=Bonorum,srcHost=lesti6939.api.local,dbName=idu,schemaName=sis,bindVar=idolo,sqlError=success,respSize=6401,respTime=171.434000,affRows=its,action=\"block\",rawQuery=\"edutp\"", - "event.outcome": "success", - "fileset.name": "securesphere", - "group.name": "cid", - "host.hostname": "lesti6939.api.local", - "input.type": "log", - "log.offset": 14919, - "network.application": "emi", - "observer.product": "Secure", - 
"observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "lesti6939.api.local" - ], - "related.ip": [ - "10.137.85.123", - "10.165.182.111" - ], - "related.user": [ - "Bonorum", - "ames", - "sis" - ], - "rsa.counters.dclass_c1": 6401, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "idu", - "rsa.db.index": "edutp", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "cid", - "rsa.misc.group_object": "amquisno", - "rsa.misc.result": "success", - "rsa.time.duration_time": 171.434, - "rsa.time.starttime": "2017-04-02T03:27:07.000Z", - "service.type": "imperva", - "source.address": "lesti6939.api.local", - "source.ip": "10.137.85.123", - "source.port": 218, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "ames" - }, - { - "event.action": "tateveli", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,event#=enimadmi,createTime=2017-04-16 08:29:41,eventType=tateveli,eventSev=high,username=sumdolo,subsystem=idolorem,message=\"temvele\"", - "fileset.name": "securesphere", - "input.type": "log", - "log.level": "high", - "log.offset": 15352, - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.user": [ - "sumdolo" - ], - "rsa.internal.event_desc": "temvele", - "rsa.internal.messageid": "Imperva", - "rsa.misc.event_type": "tateveli", - "rsa.misc.severity": "high", - "rsa.time.starttime": "2017-04-16T10:29:41.000Z", - "service.type": "imperva", - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "sumdolo" - }, - { - "destination.ip": "10.173.178.109", - "destination.port": 6659, - "event.action": 
"block", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=inimve,event#=uio,createTime=2017-04-30 15:32:16,updateTime=mexercit,alertSev=high,group=onofdeF,ruleName=\"ibusBo\",evntDesc=\"orin\",category=enia,disposition=iavol,eventType=natuserr,proto=rdp,srcPort=3327,srcIP=10.64.184.196,dstPort=6659,dstIP=10.173.178.109,policyName=\"tatemse\",occurrences=4493,httpHost=amqui,webMethod=lamco,url=\"https://www.example.net/hender/ptatemU.htm?mquisnos=tnulapa#madmi\",webQuery=\"tlabore\",soapAction=idunt,resultCode=expl,sessionID=olore,username=uian,addUsername=atuserro,responseTime=madminim,responseSize=tobeata,direction=inbound,dbUsername=ioff,queryGroup=oinBCS,application=\"itsedd\",srcHost=upt6017.api.localdomain,osUsername=nesci,schemaName=tam,dbName=sin,hdrName=idexeac,action=\"block\",errormsg=\"failure\"", - "fileset.name": "securesphere", - "group.name": "onofdeF", - "host.hostname": "upt6017.api.localdomain", - "input.type": "log", - "log.level": "high", - "log.offset": 15503, - "network.application": "itsedd", - "network.direction": "inbound", - "network.protocol": "rdp", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "upt6017.api.localdomain" - ], - "related.ip": [ - "10.173.178.109", - "10.64.184.196" - ], - "related.user": [ - "nesci", - "tam", - "uian" - ], - "rsa.counters.event_counter": 4493, - "rsa.db.database": "sin", - "rsa.internal.event_desc": "orin", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "block", - "lamco" - ], - "rsa.misc.category": "enia", - "rsa.misc.disposition": "iavol", - "rsa.misc.event_type": "natuserr", - "rsa.misc.group": "onofdeF", - "rsa.misc.log_session_id": "olore", - "rsa.misc.operation_id": "inimve", - "rsa.misc.policy_name": "tatemse", - "rsa.misc.result": "failure", - "rsa.misc.result_code": "expl", - "rsa.misc.rule_name": "ibusBo", - 
"rsa.misc.severity": "high", - "rsa.time.starttime": "2017-04-30T17:32:16.000Z", - "rsa.web.alias_host": "amqui", - "rule.name": "ibusBo", - "service.type": "imperva", - "source.address": "upt6017.api.localdomain", - "source.ip": "10.64.184.196", - "source.port": 3327, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "url.domain": "www.example.net", - "url.extension": "htm", - "url.fragment": "madmi", - "url.original": "https://www.example.net/hender/ptatemU.htm?mquisnos=tnulapa#madmi", - "url.path": "/hender/ptatemU.htm", - "url.query": [ - "mquisnos=tnulapa", - "tlabore" - ], - "url.scheme": "https", - "user.name": "uian" - }, - { - "destination.ip": "10.90.50.149", - "destination.port": 1936, - "event.action": "block", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.90.50.149,dstPort=1936,dbUsername=olu,srcIP=10.168.225.209,srcPort=6,creatTime=2017-05-14 22:34:50,srvGroup=taliq,service=tautfugi,appName=fdeFinib,event#=uip,eventType=Logout,usrGroup=ectobea,usrAuth=True,application=\"dat\",osUsername=aUtenima,srcHost=turQuis4046.api.test,dbName=deomnisi,schemaName=olupta,bindVar=oll,sqlError=success,respSize=1127,respTime=55.870000,affRows=evelite,action=\"block\",rawQuery=\"iav\"", - "event.outcome": "success", - "fileset.name": "securesphere", - "group.name": "ectobea", - "host.hostname": "turQuis4046.api.test", - "input.type": "log", - "log.offset": 16271, - "network.application": "dat", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "turQuis4046.api.test" - ], - "related.ip": [ - "10.168.225.209", - "10.90.50.149" - ], - "related.user": [ - "aUtenima", - "olu", - "olupta" - ], - "rsa.counters.dclass_c1": 1127, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "deomnisi", - "rsa.db.index": "iav", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": 
"Logoff", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "ectobea", - "rsa.misc.group_object": "taliq", - "rsa.misc.result": "success", - "rsa.time.duration_time": 55.87, - "rsa.time.starttime": "2017-05-15T00:34:50.000Z", - "service.type": "imperva", - "source.address": "turQuis4046.api.test", - "source.ip": "10.168.225.209", - "source.port": 6, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "olu" - }, - { - "destination.ip": "10.59.182.36", - "destination.port": 5792, - "event.action": "allow", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.59.182.36,dstPort=5792,dbUsername=mtota,srcIP=10.18.150.82,srcPort=6648,creatTime=29 May 2017 05:37:24,srvGroup=rit,service=eumfu,appName=lors,event#=oluptat,eventType=Login,usrGroup=enimad,usrAuth=True,application=\"tis\",osUsername=qua,srcHost=con6049.internal.lan,dbName=quelaud,schemaName=luptat,bindVar=rinrep,sqlError=unknown,respSize=6112,respTime=135.357000,affRows=nimv,action=\"allow\",rawQuery=\"tconse\"", - "event.outcome": "success", - "fileset.name": "securesphere", - "group.name": "enimad", - "host.hostname": "con6049.internal.lan", - "input.type": "log", - "log.offset": 16712, - "network.application": "tis", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "con6049.internal.lan" - ], - "related.ip": [ - "10.18.150.82", - "10.59.182.36" - ], - "related.user": [ - "luptat", - "mtota", - "qua" - ], - "rsa.counters.dclass_c1": 6112, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "quelaud", - "rsa.db.index": "tconse", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - 
"rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "enimad", - "rsa.misc.group_object": "rit", - "rsa.misc.result": "unknown", - "rsa.time.duration_time": 135.357, - "rsa.time.starttime": "2017-05-29T07:37:24.000Z", - "service.type": "imperva", - "source.address": "con6049.internal.lan", - "source.ip": "10.18.150.82", - "source.port": 6648, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "mtota" - }, - { - "event.action": "ulamcola", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,event#=rem,createTime=2017-06-12 12:39:58,eventType=ulamcola,eventSev=very-high,username=llita,subsystem=ntsunt,message=\"nturmag\"", - "fileset.name": "securesphere", - "input.type": "log", - "log.level": "very-high", - "log.offset": 17148, - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.user": [ - "llita" - ], - "rsa.internal.event_desc": "nturmag", - "rsa.internal.messageid": "Imperva", - "rsa.misc.event_type": "ulamcola", - "rsa.misc.severity": "very-high", - "rsa.time.starttime": "2017-06-12T14:39:58.000Z", - "service.type": "imperva", - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "llita" - }, - { - "destination.ip": "10.228.229.144", - "destination.port": 3236, - "event.action": "cancel", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.228.229.144,dstPort=3236,dbUsername=ametcons,srcIP=10.151.240.35,srcPort=3197,creatTime=2017-06-26 
19:42:33,srvGroup=roquisq,service=uasi,appName=maveniam,event#=uis,eventType=lill,usrGroup=remeum,usrAuth=mmod,application=\"taevit\",osUsername=ama,srcHost=tatnonp1371.www.invalid,dbName=xercit,schemaName=lam,bindVar=asnu,sqlError=failure,respSize=4325,respTime=168.492000,affRows=eriam,action=\"cancel\",rawQuery=\"aquae\"", - "fileset.name": "securesphere", - "group.name": "remeum", - "host.hostname": "tatnonp1371.www.invalid", - "input.type": "log", - "log.offset": 17295, - "network.application": "taevit", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "tatnonp1371.www.invalid" - ], - "related.ip": [ - "10.151.240.35", - "10.228.229.144" - ], - "related.user": [ - "ama", - "ametcons", - "lam" - ], - "rsa.counters.dclass_c1": 4325, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "xercit", - "rsa.db.index": "aquae", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.event_type": "lill", - "rsa.misc.group": "remeum", - "rsa.misc.group_object": "roquisq", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 168.492, - "rsa.time.starttime": "2017-06-26T21:42:33.000Z", - "service.type": "imperva", - "source.address": "tatnonp1371.www.invalid", - "source.ip": "10.151.240.35", - "source.port": 3197, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "ametcons" - }, - { - "destination.ip": "10.242.48.203", - "destination.port": 1102, - "event.action": "block", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.242.48.203,dstPort=1102,dbUsername=ese,srcIP=10.147.142.242,srcPort=2586,creatTime=2017-07-11 
02:45:07,srvGroup=eca,service=ctionofd,appName=mpori,event#=olupt,eventType=Logout,usrGroup=ola,usrAuth=False,application=\"ptat\",osUsername=quasi,srcHost=tium3542.internal.invalid,dbName=squamest,schemaName=quisn,bindVar=pteu,sqlError=success,respSize=3970,respTime=11.548000,affRows=antium,action=\"block\",rawQuery=\"velillum\"", - "event.outcome": "failure", - "fileset.name": "securesphere", - "group.name": "ola", - "host.hostname": "tium3542.internal.invalid", - "input.type": "log", - "log.offset": 17739, - "network.application": "ptat", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "tium3542.internal.invalid" - ], - "related.ip": [ - "10.147.142.242", - "10.242.48.203" - ], - "related.user": [ - "ese", - "quasi", - "quisn" - ], - "rsa.counters.dclass_c1": 3970, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "squamest", - "rsa.db.index": "velillum", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "ola", - "rsa.misc.group_object": "eca", - "rsa.misc.result": "success", - "rsa.time.duration_time": 11.548, - "rsa.time.starttime": "2017-07-11T04:45:07.000Z", - "service.type": "imperva", - "source.address": "tium3542.internal.invalid", - "source.ip": "10.147.142.242", - "source.port": 2586, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "ese" - }, - { - "destination.ip": "10.254.10.98", - "destination.port": 3787, - "event.action": "cancel", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=lapari,event#=Mal,createTime=2017-07-25 
09:47:41,updateTime=itinvo,alertSev=very-high,group=paq,ruleName=\"emipsumq\",evntDesc=\"culpaq\",category=quamq,disposition=usan,eventType=tdolo,proto=ipv6,srcPort=4723,srcIP=10.213.165.165,dstPort=3787,dstIP=10.254.10.98,policyName=\"adipisc\",occurrences=7365,httpHost=tasnul,webMethod=uptasn,url=\"https://example.net/itati/oidentsu.gif?eporroqu=aturve#temqui\",webQuery=\"lup\",soapAction=aeca,resultCode=isau,sessionID=giat,username=ttenb,addUsername=eirure,responseTime=boreetd,responseSize=tNe,direction=outbound,dbUsername=eeufug,queryGroup=ntin,application=\"iades\",srcHost=radipis3991.mail.invalid,osUsername=civeli,schemaName=eufugia,dbName=utlabore,hdrName=tamr,action=\"cancel\",errormsg=\"success\"", - "fileset.name": "securesphere", - "group.name": "paq", - "host.hostname": "radipis3991.mail.invalid", - "input.type": "log", - "log.level": "very-high", - "log.offset": 18185, - "network.application": "iades", - "network.direction": "outbound", - "network.protocol": "ipv6", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "radipis3991.mail.invalid" - ], - "related.ip": [ - "10.213.165.165", - "10.254.10.98" - ], - "related.user": [ - "civeli", - "eufugia", - "ttenb" - ], - "rsa.counters.event_counter": 7365, - "rsa.db.database": "utlabore", - "rsa.internal.event_desc": "culpaq", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "cancel", - "uptasn" - ], - "rsa.misc.category": "quamq", - "rsa.misc.disposition": "usan", - "rsa.misc.event_type": "tdolo", - "rsa.misc.group": "paq", - "rsa.misc.log_session_id": "giat", - "rsa.misc.operation_id": "lapari", - "rsa.misc.policy_name": "adipisc", - "rsa.misc.result": "success", - "rsa.misc.result_code": "isau", - "rsa.misc.rule_name": "emipsumq", - "rsa.misc.severity": "very-high", - "rsa.time.starttime": "2017-07-25T11:47:41.000Z", - "rsa.web.alias_host": "tasnul", - "rule.name": "emipsumq", - "service.type": "imperva", - "source.address": 
"radipis3991.mail.invalid", - "source.ip": "10.213.165.165", - "source.port": 4723, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "url.domain": "example.net", - "url.extension": "gif", - "url.fragment": "temqui", - "url.original": "https://example.net/itati/oidentsu.gif?eporroqu=aturve#temqui", - "url.path": "/itati/oidentsu.gif", - "url.query": [ - "eporroqu=aturve", - "lup" - ], - "url.scheme": "https", - "user.name": "ttenb" - }, - { - "event.action": "trudexe", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,event#=onemul,createTime=2017-08-08 16:50:15,eventType=trudexe,eventSev=very-high,username=ura,subsystem=oreeufug,message=\"Quisa\"", - "fileset.name": "securesphere", - "input.type": "log", - "log.level": "very-high", - "log.offset": 18948, - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.user": [ - "ura" - ], - "rsa.internal.event_desc": "Quisa", - "rsa.internal.messageid": "Imperva", - "rsa.misc.event_type": "trudexe", - "rsa.misc.severity": "very-high", - "rsa.time.starttime": "2017-08-08T18:50:15.000Z", - "service.type": "imperva", - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "ura" - }, - { - "destination.ip": "10.169.28.157", - "destination.port": 3402, - "event.action": "accept", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=llitani,event#=uscipit,createTime=2017-08-22 
23:52:50,updateTime=luptat,alertSev=very-high,group=etco,ruleName=\"iuntN\",evntDesc=\"utfugi\",category=ursintoc,disposition=tio,eventType=mmodicon,proto=ipv6,srcPort=5439,srcIP=10.116.1.130,dstPort=3402,dstIP=10.169.28.157,policyName=\"exeacomm\",occurrences=1295,httpHost=ionula,webMethod=pexeaco,url=\"https://api.example.org/uamqua/Neq.gif?eumiu=nim#pteurs\",webQuery=\"ercitati\",soapAction=atem,resultCode=serro,sessionID=lumquid,username=eturadip,addUsername=amquaera,responseTime=rsitamet,responseSize=leumiur,direction=internal,dbUsername=utod,queryGroup=olesti,application=\"edquia\",srcHost=ihi7294.www5.localhost,osUsername=reseo,schemaName=amco,dbName=ons,hdrName=onsecte,action=\"accept\",errormsg=\"unknown\"", - "fileset.name": "securesphere", - "group.name": "etco", - "host.hostname": "ihi7294.www5.localhost", - "input.type": "log", - "log.level": "very-high", - "log.offset": 19095, - "network.application": "edquia", - "network.direction": "internal", - "network.protocol": "ipv6", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "ihi7294.www5.localhost" - ], - "related.ip": [ - "10.116.1.130", - "10.169.28.157" - ], - "related.user": [ - "amco", - "eturadip", - "reseo" - ], - "rsa.counters.event_counter": 1295, - "rsa.db.database": "ons", - "rsa.internal.event_desc": "utfugi", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "accept", - "pexeaco" - ], - "rsa.misc.category": "ursintoc", - "rsa.misc.disposition": "tio", - "rsa.misc.event_type": "mmodicon", - "rsa.misc.group": "etco", - "rsa.misc.log_session_id": "lumquid", - "rsa.misc.operation_id": "llitani", - "rsa.misc.policy_name": "exeacomm", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "serro", - "rsa.misc.rule_name": "iuntN", - "rsa.misc.severity": "very-high", - "rsa.time.starttime": "2017-08-23T01:52:50.000Z", - "rsa.web.alias_host": "ionula", - "rule.name": "iuntN", - "service.type": "imperva", - 
"source.address": "ihi7294.www5.localhost", - "source.ip": "10.116.1.130", - "source.port": 5439, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "url.domain": "api.example.org", - "url.extension": "gif", - "url.fragment": "pteurs", - "url.original": "https://api.example.org/uamqua/Neq.gif?eumiu=nim#pteurs", - "url.path": "/uamqua/Neq.gif", - "url.query": [ - "ercitati", - "eumiu=nim" - ], - "url.scheme": "https", - "user.name": "eturadip" - }, - { - "destination.ip": "10.29.138.31", - "destination.port": 5871, - "event.action": "deny", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.29.138.31,dstPort=5871,dbUsername=volupta,srcIP=10.45.69.152,srcPort=4083,creatTime=6 September 2017 06:55:24,srvGroup=emi,service=uaerat,appName=iduntu,event#=samvol,eventType=Login,usrGroup=equa,usrAuth=False,application=\"apari\",osUsername=tsunt,srcHost=caecat4920.api.host,dbName=enim,schemaName=umq,bindVar=sistena,sqlError=failure,respSize=744,respTime=33.416000,affRows=temquia,action=\"deny\",rawQuery=\"eumiu\"", - "event.outcome": "failure", - "fileset.name": "securesphere", - "group.name": "equa", - "host.hostname": "caecat4920.api.host", - "input.type": "log", - "log.offset": 19873, - "network.application": "apari", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "caecat4920.api.host" - ], - "related.ip": [ - "10.29.138.31", - "10.45.69.152" - ], - "related.user": [ - "tsunt", - "umq", - "volupta" - ], - "rsa.counters.dclass_c1": 744, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "enim", - "rsa.db.index": "eumiu", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "deny" - ], - 
"rsa.misc.event_type": "Login", - "rsa.misc.group": "equa", - "rsa.misc.group_object": "emi", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 33.416, - "rsa.time.starttime": "2017-09-06T08:55:24.000Z", - "service.type": "imperva", - "source.address": "caecat4920.api.host", - "source.ip": "10.45.69.152", - "source.port": 4083, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "volupta" - }, - { - "destination.ip": "10.152.213.228", - "destination.port": 3387, - "event.action": "cancel", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.152.213.228,dstPort=3387,dbUsername=ptatev,srcIP=10.100.113.11,srcPort=6971,creatTime=2017-09-20 13:57:58,srvGroup=aliqu,service=sequine,appName=utaliqui,event#=isciv,eventType=Logout,usrGroup=osqu,usrAuth=False,application=\"ptatemse\",osUsername=itationu,srcHost=setquas6188.internal.local,dbName=magnaali,schemaName=velillum,bindVar=ionev,sqlError=success,respSize=7245,respTime=131.118000,affRows=ameaq,action=\"cancel\",rawQuery=\"Except\"", - "event.outcome": "failure", - "fileset.name": "securesphere", - "group.name": "osqu", - "host.hostname": "setquas6188.internal.local", - "input.type": "log", - "log.offset": 20314, - "network.application": "ptatemse", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "setquas6188.internal.local" - ], - "related.ip": [ - "10.100.113.11", - "10.152.213.228" - ], - "related.user": [ - "itationu", - "ptatev", - "velillum" - ], - "rsa.counters.dclass_c1": 7245, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "magnaali", - "rsa.db.index": "Except", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": 
[ - "cancel" - ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "osqu", - "rsa.misc.group_object": "aliqu", - "rsa.misc.result": "success", - "rsa.time.duration_time": 131.118, - "rsa.time.starttime": "2017-09-20T15:57:58.000Z", - "service.type": "imperva", - "source.address": "setquas6188.internal.local", - "source.ip": "10.100.113.11", - "source.port": 6971, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "ptatev" - }, - { - "event.action": "tquii", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,event#=uiac,createTime=2017-10-04 21:00:32,eventType=tquii,eventSev=low,username=reme,subsystem=emeumfu,message=\"inBCSedu\"", - "fileset.name": "securesphere", - "input.type": "log", - "log.level": "low", - "log.offset": 20779, - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.user": [ - "reme" - ], - "rsa.internal.event_desc": "inBCSedu", - "rsa.internal.messageid": "Imperva", - "rsa.misc.event_type": "tquii", - "rsa.misc.severity": "low", - "rsa.time.starttime": "2017-10-04T23:00:32.000Z", - "service.type": "imperva", - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "reme" - }, - { - "destination.ip": "10.208.33.55", - "destination.port": 1849, - "event.action": "accept", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.208.33.55,dstPort=1849,dbUsername=ulapari,srcIP=10.248.102.129,srcPort=3510,creatTime=2017-10-19 04:03:07,srvGroup=iatn,service=saquaeab,appName=eli,event#=rissusci,eventType=Logout,usrGroup=ectetur,usrAuth=True,application=\"dictasun\",osUsername=inimv,srcHost=nibusBo3674.www5.localhost,dbName=ntut,schemaName=mremaper,bindVar=uteirur,sqlError=unknown,respSize=6433,respTime=111.360000,affRows=isni,action=\"accept\",rawQuery=\"quovo\"", - "event.outcome": "success", 
- "fileset.name": "securesphere", - "group.name": "ectetur", - "host.hostname": "nibusBo3674.www5.localhost", - "input.type": "log", - "log.offset": 20919, - "network.application": "dictasun", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "nibusBo3674.www5.localhost" - ], - "related.ip": [ - "10.208.33.55", - "10.248.102.129" - ], - "related.user": [ - "inimv", - "mremaper", - "ulapari" - ], - "rsa.counters.dclass_c1": 6433, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "ntut", - "rsa.db.index": "quovo", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "ectetur", - "rsa.misc.group_object": "iatn", - "rsa.misc.result": "unknown", - "rsa.time.duration_time": 111.36, - "rsa.time.starttime": "2017-10-19T06:03:07.000Z", - "service.type": "imperva", - "source.address": "nibusBo3674.www5.localhost", - "source.ip": "10.248.102.129", - "source.port": 3510, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "ulapari" - }, - { - "destination.ip": "10.203.164.132", - "destination.port": 6213, - "event.action": "block", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.203.164.132,dstPort=6213,dbUsername=mporin,srcIP=10.109.230.216,srcPort=4447,creatTime=2017-11-02 11:05:41,srvGroup=uov,service=pariat,appName=icaboNe,event#=boreetd,eventType=Logout,usrGroup=uir,usrAuth=True,application=\"rumex\",osUsername=ectobea,srcHost=totamr7676.www5.home,dbName=imadm,schemaName=ibus,bindVar=lumdol,sqlError=success,respSize=547,respTime=166.971000,affRows=reprehe,action=\"block\",rawQuery=\"ihil\"", - "event.outcome": 
"success", - "fileset.name": "securesphere", - "group.name": "uir", - "host.hostname": "totamr7676.www5.home", - "input.type": "log", - "log.offset": 21377, - "network.application": "rumex", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "totamr7676.www5.home" - ], - "related.ip": [ - "10.109.230.216", - "10.203.164.132" - ], - "related.user": [ - "ectobea", - "ibus", - "mporin" - ], - "rsa.counters.dclass_c1": 547, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "imadm", - "rsa.db.index": "ihil", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "uir", - "rsa.misc.group_object": "uov", - "rsa.misc.result": "success", - "rsa.time.duration_time": 166.971, - "rsa.time.starttime": "2017-11-02T13:05:41.000Z", - "service.type": "imperva", - "source.address": "totamr7676.www5.home", - "source.ip": "10.109.230.216", - "source.port": 4447, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "mporin" - }, - { - "destination.ip": "10.151.203.60", - "destination.port": 482, - "event.action": "block", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.151.203.60,dstPort=482,dbUsername=dol,srcIP=10.117.81.75,srcPort=3365,creatTime=16 November 2017 18:08:15,srvGroup=iciatis,service=agn,appName=cul,event#=tate,eventType=Login,usrGroup=psam,usrAuth=True,application=\"itaedi\",osUsername=exeac,srcHost=idents7231.mail.home,dbName=veniamqu,schemaName=iconsequ,bindVar=ueporr,sqlError=unknown,respSize=484,respTime=27.563000,affRows=tur,action=\"block\",rawQuery=\"onorumet\"", - "event.outcome": "success", - "fileset.name": 
"securesphere", - "group.name": "psam", - "host.hostname": "idents7231.mail.home", - "input.type": "log", - "log.offset": 21821, - "network.application": "itaedi", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "idents7231.mail.home" - ], - "related.ip": [ - "10.117.81.75", - "10.151.203.60" - ], - "related.user": [ - "dol", - "exeac", - "iconsequ" - ], - "rsa.counters.dclass_c1": 484, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "veniamqu", - "rsa.db.index": "onorumet", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "psam", - "rsa.misc.group_object": "iciatis", - "rsa.misc.result": "unknown", - "rsa.time.duration_time": 27.563, - "rsa.time.starttime": "2017-11-16T20:08:15.000Z", - "service.type": "imperva", - "source.address": "idents7231.mail.home", - "source.ip": "10.117.81.75", - "source.port": 3365, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "dol" - }, - { - "destination.ip": "10.224.217.153", - "destination.port": 6339, - "event.action": "allow", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.224.217.153,dstPort=6339,dbUsername=eriti,srcIP=10.45.152.205,srcPort=6907,creatTime=1 December 2017 01:10:49,srvGroup=riame,service=datatn,appName=seq,event#=mquis,eventType=Login,usrGroup=tur,usrAuth=True,application=\"itation\",osUsername=utlabo,srcHost=tat50.mail.host,dbName=essequam,schemaName=imav,bindVar=mtot,sqlError=success,respSize=922,respTime=17.709000,affRows=prehend,action=\"allow\",rawQuery=\"liquid\"", - "event.outcome": "success", - "fileset.name": "securesphere", - 
"group.name": "tur", - "host.hostname": "tat50.mail.host", - "input.type": "log", - "log.offset": 22263, - "network.application": "itation", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "tat50.mail.host" - ], - "related.ip": [ - "10.224.217.153", - "10.45.152.205" - ], - "related.user": [ - "eriti", - "imav", - "utlabo" - ], - "rsa.counters.dclass_c1": 922, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "essequam", - "rsa.db.index": "liquid", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "tur", - "rsa.misc.group_object": "riame", - "rsa.misc.result": "success", - "rsa.time.duration_time": 17.709, - "service.type": "imperva", - "source.address": "tat50.mail.host", - "source.ip": "10.45.152.205", - "source.port": 6907, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "eriti" - }, - { - "destination.ip": "10.1.193.187", - "destination.port": 5119, - "event.action": "allow", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=umq,event#=ipsu,createTime=2017-12-15 
08:13:24,updateTime=oremip,alertSev=low,group=odit,ruleName=\"vol\",evntDesc=\"epteurs\",category=itse,disposition=rever,eventType=sBonoru,proto=udp,srcPort=2652,srcIP=10.60.164.100,dstPort=5119,dstIP=10.1.193.187,policyName=\"yCice\",occurrences=508,httpHost=ionem,webMethod=taevitae,url=\"https://api.example.net/quam/saute.htm?nostru=docons#emipsumq\",webQuery=\"orinr\",soapAction=ineavol,resultCode=umdo,sessionID=tass,username=ugi,addUsername=riat,responseTime=atvol,responseSize=emipsum,direction=internal,dbUsername=uameiu,queryGroup=quiado,application=\"conse\",srcHost=mips3283.corp,osUsername=hite,schemaName=adipis,dbName=abo,hdrName=suntex,action=\"allow\",errormsg=\"failure\"", - "fileset.name": "securesphere", - "group.name": "odit", - "host.hostname": "mips3283.corp", - "input.type": "log", - "log.level": "low", - "log.offset": 22703, - "network.application": "conse", - "network.direction": "internal", - "network.protocol": "udp", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "mips3283.corp" - ], - "related.ip": [ - "10.1.193.187", - "10.60.164.100" - ], - "related.user": [ - "adipis", - "hite", - "ugi" - ], - "rsa.counters.event_counter": 508, - "rsa.db.database": "abo", - "rsa.internal.event_desc": "epteurs", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "allow", - "taevitae" - ], - "rsa.misc.category": "itse", - "rsa.misc.disposition": "rever", - "rsa.misc.event_type": "sBonoru", - "rsa.misc.group": "odit", - "rsa.misc.log_session_id": "tass", - "rsa.misc.operation_id": "umq", - "rsa.misc.policy_name": "yCice", - "rsa.misc.result": "failure", - "rsa.misc.result_code": "umdo", - "rsa.misc.rule_name": "vol", - "rsa.misc.severity": "low", - "rsa.time.starttime": "2017-12-15T10:13:24.000Z", - "rsa.web.alias_host": "ionem", - "rule.name": "vol", - "service.type": "imperva", - "source.address": "mips3283.corp", - "source.ip": "10.60.164.100", - "source.port": 2652, - "tags": [ 
- "forwarded", - "imperva.securesphere" - ], - "url.domain": "api.example.net", - "url.extension": "htm", - "url.fragment": "emipsumq", - "url.original": "https://api.example.net/quam/saute.htm?nostru=docons#emipsumq", - "url.path": "/quam/saute.htm", - "url.query": [ - "nostru=docons", - "orinr" - ], - "url.scheme": "https", - "user.name": "ugi" - }, - { - "destination.ip": "10.248.244.203", - "destination.port": 806, - "event.action": "allow", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.248.244.203,dstPort=806,dbUsername=mquamei,srcIP=10.146.228.234,srcPort=4346,creatTime=2017-12-29 15:15:58,srvGroup=rissusci,service=uaturQ,appName=iusmod,event#=susc,eventType=taed,usrGroup=eatae,usrAuth=siutali,application=\"oloremq\",osUsername=sum,srcHost=aliquip7229.mail.domain,dbName=doe,schemaName=eiusm,bindVar=oremipsu,sqlError=failure,respSize=3058,respTime=133.358000,affRows=llum,action=\"allow\",rawQuery=\"mto\"", - "fileset.name": "securesphere", - "group.name": "eatae", - "host.hostname": "aliquip7229.mail.domain", - "input.type": "log", - "log.offset": 23440, - "network.application": "oloremq", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "aliquip7229.mail.domain" - ], - "related.ip": [ - "10.146.228.234", - "10.248.244.203" - ], - "related.user": [ - "eiusm", - "mquamei", - "sum" - ], - "rsa.counters.dclass_c1": 3058, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "doe", - "rsa.db.index": "mto", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.event_type": "taed", - "rsa.misc.group": "eatae", - "rsa.misc.group_object": "rissusci", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 133.358, - "rsa.time.starttime": "2017-12-29T17:15:58.000Z", - "service.type": "imperva", - "source.address": "aliquip7229.mail.domain", - 
"source.ip": "10.146.228.234", - "source.port": 4346, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "mquamei" - }, - { - "destination.ip": "10.122.127.237", - "destination.port": 1138, - "event.action": "block", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.122.127.237,dstPort=1138,dbUsername=consecte,srcIP=10.86.121.152,srcPort=3971,creatTime=2018-01-12 22:18:32,srvGroup=mquamei,service=litesse,appName=fug,event#=liquid,eventType=Logout,usrGroup=uidex,usrAuth=False,application=\"umdolo\",osUsername=nimv,srcHost=fde7756.mail.corp,dbName=usmod,schemaName=ine,bindVar=qui,sqlError=success,respSize=2771,respTime=136.167000,affRows=orsitame,action=\"block\",rawQuery=\"ipex\"", - "event.outcome": "failure", - "fileset.name": "securesphere", - "group.name": "uidex", - "host.hostname": "fde7756.mail.corp", - "input.type": "log", - "log.offset": 23887, - "network.application": "umdolo", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "fde7756.mail.corp" - ], - "related.ip": [ - "10.122.127.237", - "10.86.121.152" - ], - "related.user": [ - "consecte", - "ine", - "nimv" - ], - "rsa.counters.dclass_c1": 2771, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "usmod", - "rsa.db.index": "ipex", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "uidex", - "rsa.misc.group_object": "mquamei", - "rsa.misc.result": "success", - "rsa.time.duration_time": 136.167, - "rsa.time.starttime": "2018-01-13T00:18:32.000Z", - "service.type": "imperva", - "source.address": "fde7756.mail.corp", - "source.ip": "10.86.121.152", 
- "source.port": 3971, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "consecte" - }, - { - "destination.ip": "10.201.223.119", - "destination.port": 3614, - "event.action": "block", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.201.223.119,dstPort=3614,dbUsername=rcit,srcIP=10.204.223.184,srcPort=6092,creatTime=2018-01-27 05:21:06,srvGroup=giat,service=nculpa,appName=olupt,event#=tvol,eventType=Logout,usrGroup=ostru,usrAuth=True,application=\"mea\",osUsername=tuserror,srcHost=agnama5013.internal.example,dbName=boreetdo,schemaName=teni,bindVar=iin,sqlError=unknown,respSize=4113,respTime=161.837000,affRows=tNeq,action=\"block\",rawQuery=\"liq\"", - "event.outcome": "success", - "fileset.name": "securesphere", - "group.name": "ostru", - "host.hostname": "agnama5013.internal.example", - "input.type": "log", - "log.offset": 24328, - "network.application": "mea", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "agnama5013.internal.example" - ], - "related.ip": [ - "10.201.223.119", - "10.204.223.184" - ], - "related.user": [ - "rcit", - "teni", - "tuserror" - ], - "rsa.counters.dclass_c1": 4113, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "boreetdo", - "rsa.db.index": "liq", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "ostru", - "rsa.misc.group_object": "giat", - "rsa.misc.result": "unknown", - "rsa.time.duration_time": 161.837, - "rsa.time.starttime": "2018-01-27T07:21:06.000Z", - "service.type": "imperva", - "source.address": "agnama5013.internal.example", - "source.ip": 
"10.204.223.184", - "source.port": 6092, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "rcit" - }, - { - "destination.ip": "10.200.12.126", - "destination.port": 2347, - "event.action": "block", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.200.12.126,dstPort=2347,dbUsername=magnido,srcIP=10.223.56.33,srcPort=5899,creatTime=10 February 2018 12:23:41,srvGroup=ing,service=amal,appName=aliq,event#=utem,eventType=Login,usrGroup=oreetd,usrAuth=True,application=\"itatis\",osUsername=Nequepo,srcHost=edictas4693.home,dbName=borisnis,schemaName=elitsedd,bindVar=hitecto,sqlError=failure,respSize=3243,respTime=75.415000,affRows=imven,action=\"block\",rawQuery=\"hende\"", - "event.outcome": "success", - "fileset.name": "securesphere", - "group.name": "oreetd", - "host.hostname": "edictas4693.home", - "input.type": "log", - "log.offset": 24771, - "network.application": "itatis", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "edictas4693.home" - ], - "related.ip": [ - "10.200.12.126", - "10.223.56.33" - ], - "related.user": [ - "Nequepo", - "elitsedd", - "magnido" - ], - "rsa.counters.dclass_c1": 3243, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "borisnis", - "rsa.db.index": "hende", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "oreetd", - "rsa.misc.group_object": "ing", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 75.415, - "rsa.time.starttime": "2018-02-10T14:23:41.000Z", - "service.type": "imperva", - "source.address": "edictas4693.home", - "source.ip": "10.223.56.33", - 
"source.port": 5899, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "magnido" - }, - { - "destination.ip": "10.65.225.101", - "destination.port": 1752, - "event.action": "cancel", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=deseru,event#=aquioff,createTime=2018-02-24 19:26:15,updateTime=cip,alertSev=very-high,group=onsequat,ruleName=\"tiumd\",evntDesc=\"atuse\",category=imad,disposition=tura,eventType=equuntur,proto=ipv6,srcPort=428,srcIP=10.94.89.177,dstPort=1752,dstIP=10.65.225.101,policyName=\"nulapari\",occurrences=2513,httpHost=ostrumex,webMethod=eruntmol,url=\"https://internal.example.com/imide/uiineav.htm?lloinve=eni#asia\",webQuery=\"edquiac\",soapAction=psamvolu,resultCode=teturad,sessionID=ritq,username=tuserror,addUsername=tla,responseTime=orroq,responseSize=modtempo,direction=outbound,dbUsername=uptate,queryGroup=sumqui,application=\"eritin\",srcHost=nibu2565.api.local,osUsername=citation,schemaName=emquel,dbName=rspiciat,hdrName=iavol,action=\"cancel\",errormsg=\"unknown\"", - "fileset.name": "securesphere", - "group.name": "onsequat", - "host.hostname": "nibu2565.api.local", - "input.type": "log", - "log.level": "very-high", - "log.offset": 25217, - "network.application": "eritin", - "network.direction": "outbound", - "network.protocol": "ipv6", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "nibu2565.api.local" - ], - "related.ip": [ - "10.65.225.101", - "10.94.89.177" - ], - "related.user": [ - "citation", - "emquel", - "tuserror" - ], - "rsa.counters.event_counter": 2513, - "rsa.db.database": "rspiciat", - "rsa.internal.event_desc": "atuse", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "cancel", - "eruntmol" - ], - "rsa.misc.category": "imad", - "rsa.misc.disposition": "tura", - "rsa.misc.event_type": "equuntur", - "rsa.misc.group": 
"onsequat", - "rsa.misc.log_session_id": "ritq", - "rsa.misc.operation_id": "deseru", - "rsa.misc.policy_name": "nulapari", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "teturad", - "rsa.misc.rule_name": "tiumd", - "rsa.misc.severity": "very-high", - "rsa.time.starttime": "2018-02-24T21:26:15.000Z", - "rsa.web.alias_host": "ostrumex", - "rule.name": "tiumd", - "service.type": "imperva", - "source.address": "nibu2565.api.local", - "source.ip": "10.94.89.177", - "source.port": 428, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "url.domain": "internal.example.com", - "url.extension": "htm", - "url.fragment": "asia", - "url.original": "https://internal.example.com/imide/uiineav.htm?lloinve=eni#asia", - "url.path": "/imide/uiineav.htm", - "url.query": [ - "edquiac", - "lloinve=eni" - ], - "url.scheme": "https", - "user.name": "tuserror" - }, - { - "destination.ip": "10.65.174.196", - "destination.port": 472, - "event.action": "deny", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.65.174.196,dstPort=472,dbUsername=iin,srcIP=10.191.184.105,srcPort=6821,creatTime=2018-03-11 02:28:49,srvGroup=iat,service=orain,appName=equaturQ,event#=llu,eventType=quaUt,usrGroup=labor,usrAuth=oris,application=\"tatemse\",osUsername=uta,srcHost=tsun7120.home,dbName=per,schemaName=tione,bindVar=nibus,sqlError=unknown,respSize=5836,respTime=61.864000,affRows=olo,action=\"deny\",rawQuery=\"BCSedutp\"", - "fileset.name": "securesphere", - "group.name": "labor", - "host.hostname": "tsun7120.home", - "input.type": "log", - "log.offset": 26002, - "network.application": "tatemse", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "tsun7120.home" - ], - "related.ip": [ - "10.191.184.105", - "10.65.174.196" - ], - "related.user": [ - "iin", - "tione", - "uta" - ], - "rsa.counters.dclass_c1": 5836, - 
"rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "per", - "rsa.db.index": "BCSedutp", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.event_type": "quaUt", - "rsa.misc.group": "labor", - "rsa.misc.group_object": "iat", - "rsa.misc.result": "unknown", - "rsa.time.duration_time": 61.864, - "rsa.time.starttime": "2018-03-11T04:28:49.000Z", - "service.type": "imperva", - "source.address": "tsun7120.home", - "source.ip": "10.191.184.105", - "source.port": 6821, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "iin" - }, - { - "destination.ip": "10.41.181.179", - "destination.port": 2803, - "event.action": "deny", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=tdolor,event#=Ute,createTime=2018-03-25 09:31:24,updateTime=tura,alertSev=very-high,group=umSecti,ruleName=\"eabil\",evntDesc=\"ibusB\",category=rporis,disposition=etco,eventType=mip,proto=rdp,srcPort=6078,srcIP=10.224.148.48,dstPort=2803,dstIP=10.41.181.179,policyName=\"siarch\",occurrences=7468,httpHost=setq,webMethod=rumwr,url=\"https://api.example.com/ptatem/mporain.gif?corpo=commod#iumd\",webQuery=\"ntore\",soapAction=tect,resultCode=ion,sessionID=tutl,username=niam,addUsername=oru,responseTime=mcorp,responseSize=uelaud,direction=outbound,dbUsername=ameiu,queryGroup=utei,application=\"caecat\",srcHost=lumquid6940.mail.localdomain,osUsername=equepor,schemaName=iosamn,dbName=erspicia,hdrName=neavolup,action=\"deny\",errormsg=\"success\"", - "fileset.name": "securesphere", - "group.name": "umSecti", - "host.hostname": "lumquid6940.mail.localdomain", - "input.type": "log", - "log.level": "very-high", - "log.offset": 26426, - "network.application": "caecat", - "network.direction": "outbound", - "network.protocol": "rdp", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - 
"lumquid6940.mail.localdomain" - ], - "related.ip": [ - "10.224.148.48", - "10.41.181.179" - ], - "related.user": [ - "equepor", - "iosamn", - "niam" - ], - "rsa.counters.event_counter": 7468, - "rsa.db.database": "erspicia", - "rsa.internal.event_desc": "ibusB", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "deny", - "rumwr" - ], - "rsa.misc.category": "rporis", - "rsa.misc.disposition": "etco", - "rsa.misc.event_type": "mip", - "rsa.misc.group": "umSecti", - "rsa.misc.log_session_id": "tutl", - "rsa.misc.operation_id": "tdolor", - "rsa.misc.policy_name": "siarch", - "rsa.misc.result": "success", - "rsa.misc.result_code": "ion", - "rsa.misc.rule_name": "eabil", - "rsa.misc.severity": "very-high", - "rsa.time.starttime": "2018-03-25T11:31:24.000Z", - "rsa.web.alias_host": "setq", - "rule.name": "eabil", - "service.type": "imperva", - "source.address": "lumquid6940.mail.localdomain", - "source.ip": "10.224.148.48", - "source.port": 6078, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "url.domain": "api.example.com", - "url.extension": "gif", - "url.fragment": "iumd", - "url.original": "https://api.example.com/ptatem/mporain.gif?corpo=commod#iumd", - "url.path": "/ptatem/mporain.gif", - "url.query": [ - "corpo=commod", - "ntore" - ], - "url.scheme": "https", - "user.name": "niam" - }, - { - "destination.ip": "10.21.208.103", - "destination.port": 5543, - "event.action": "deny", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.21.208.103,dstPort=5543,dbUsername=imidest,srcIP=10.21.61.134,srcPort=6124,creatTime=2018-04-08 
16:33:58,srvGroup=iacon,service=ncu,appName=quaturve,event#=ciad,eventType=Logout,usrGroup=diconseq,usrAuth=False,application=\"utod\",osUsername=ostr,srcHost=amcorp7299.api.example,dbName=uptatem,schemaName=mipsa,bindVar=nproide,sqlError=success,respSize=7766,respTime=91.186000,affRows=siutali,action=\"deny\",rawQuery=\"nemullam\"", - "event.outcome": "failure", - "fileset.name": "securesphere", - "group.name": "diconseq", - "host.hostname": "amcorp7299.api.example", - "input.type": "log", - "log.offset": 27184, - "network.application": "utod", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "amcorp7299.api.example" - ], - "related.ip": [ - "10.21.208.103", - "10.21.61.134" - ], - "related.user": [ - "imidest", - "mipsa", - "ostr" - ], - "rsa.counters.dclass_c1": 7766, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "uptatem", - "rsa.db.index": "nemullam", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "diconseq", - "rsa.misc.group_object": "iacon", - "rsa.misc.result": "success", - "rsa.time.duration_time": 91.186, - "rsa.time.starttime": "2018-04-08T18:33:58.000Z", - "service.type": "imperva", - "source.address": "amcorp7299.api.example", - "source.ip": "10.21.61.134", - "source.port": 6124, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "imidest" - }, - { - "destination.ip": "10.23.6.216", - "destination.port": 4578, - "event.action": "accept", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.23.6.216,dstPort=4578,dbUsername=iarchit,srcIP=10.221.192.116,srcPort=4688,creatTime=2018-04-22 
23:36:32,srvGroup=usBonor,service=mide,appName=sten,event#=enderi,eventType=Logout,usrGroup=labore,usrAuth=False,application=\"uasiarch\",osUsername=iamquisn,srcHost=magnama868.api.local,dbName=Section,schemaName=tevelite,bindVar=esciunt,sqlError=success,respSize=639,respTime=6.388000,affRows=borisnis,action=\"accept\",rawQuery=\"oremagn\"", - "event.outcome": "failure", - "fileset.name": "securesphere", - "group.name": "labore", - "host.hostname": "magnama868.api.local", - "input.type": "log", - "log.offset": 27634, - "network.application": "uasiarch", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "magnama868.api.local" - ], - "related.ip": [ - "10.221.192.116", - "10.23.6.216" - ], - "related.user": [ - "iamquisn", - "iarchit", - "tevelite" - ], - "rsa.counters.dclass_c1": 639, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "Section", - "rsa.db.index": "oremagn", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "labore", - "rsa.misc.group_object": "usBonor", - "rsa.misc.result": "success", - "rsa.time.duration_time": 6.388, - "rsa.time.starttime": "2018-04-23T01:36:32.000Z", - "service.type": "imperva", - "source.address": "magnama868.api.local", - "source.ip": "10.221.192.116", - "source.port": 4688, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "iarchit" - }, - { - "destination.ip": "10.240.62.238", - "destination.port": 5850, - "event.action": "cancel", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=rcita,event#=ataev,createTime=2018-05-07 
06:39:06,updateTime=oris,alertSev=very-high,group=tate,ruleName=\"tutlabo\",evntDesc=\"nto\",category=sciv,disposition=tlabo,eventType=nsequun,proto=ipv6,srcPort=2976,srcIP=10.191.142.143,dstPort=5850,dstIP=10.240.62.238,policyName=\"sintoc\",occurrences=7580,httpHost=laboris,webMethod=ali,url=\"https://www5.example.net/aUten/edutpers.gif?apariatu=mnisis#onsequa\",webQuery=\"sunt\",soapAction=orumSe,resultCode=olupta,sessionID=emveleum,username=modtempo,addUsername=mfugi,responseTime=roqui,responseSize=ntutlabo,direction=external,dbUsername=isq,queryGroup=eacommo,application=\"amqua\",srcHost=tionevol3157.mail.invalid,osUsername=nofde,schemaName=animide,dbName=Lore,hdrName=oin,action=cancel", - "fileset.name": "securesphere", - "group.name": "tate", - "host.hostname": "tionevol3157.mail.invalid", - "input.type": "log", - "log.level": "very-high", - "log.offset": 28092, - "network.application": "amqua", - "network.direction": "external", - "network.protocol": "ipv6", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "tionevol3157.mail.invalid" - ], - "related.ip": [ - "10.191.142.143", - "10.240.62.238" - ], - "related.user": [ - "animide", - "modtempo", - "nofde" - ], - "rsa.counters.event_counter": 7580, - "rsa.db.database": "Lore", - "rsa.internal.event_desc": "nto", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "ali", - "cancel" - ], - "rsa.misc.category": "sciv", - "rsa.misc.disposition": "tlabo", - "rsa.misc.event_type": "nsequun", - "rsa.misc.group": "tate", - "rsa.misc.log_session_id": "emveleum", - "rsa.misc.operation_id": "rcita", - "rsa.misc.policy_name": "sintoc", - "rsa.misc.result_code": "olupta", - "rsa.misc.rule_name": "tutlabo", - "rsa.misc.severity": "very-high", - "rsa.time.starttime": "2018-05-07T08:39:06.000Z", - "rsa.web.alias_host": "laboris", - "rule.name": "tutlabo", - "service.type": "imperva", - "source.address": "tionevol3157.mail.invalid", - "source.ip": 
"10.191.142.143", - "source.port": 2976, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "url.domain": "www5.example.net", - "url.extension": "gif", - "url.fragment": "onsequa", - "url.original": "https://www5.example.net/aUten/edutpers.gif?apariatu=mnisis#onsequa", - "url.path": "/aUten/edutpers.gif", - "url.query": [ - "apariatu=mnisis", - "sunt" - ], - "url.scheme": "https", - "user.name": "modtempo" - }, - { - "destination.ip": "10.111.22.134", - "destination.port": 7499, - "event.action": "deny", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=ecatcu,event#=entoreve,createTime=2018-05-21 13:41:41,updateTime=ion,alertSev=very-high,group=onev,ruleName=\"atu\",evntDesc=\"adeseru\",category=sitas,disposition=eni,eventType=cte,proto=igmp,srcPort=3124,srcIP=10.178.79.217,dstPort=7499,dstIP=10.111.22.134,policyName=\"datatno\",occurrences=3538,httpHost=siar,webMethod=orisnis,url=\"https://www.example.net/mvolup/pidat.jpg?ents=nsec#iaeco\",webQuery=\"ommodoco\",soapAction=ritinv,resultCode=rita,sessionID=oidents,username=ccusan,addUsername=inimav,responseTime=quel,responseSize=ugitsed,direction=external,dbUsername=idolor,queryGroup=xplic,application=\"stenat\",srcHost=mquis319.api.local,osUsername=inibusBo,schemaName=tqui,dbName=sequun,hdrName=nimadm,action=deny", - "fileset.name": "securesphere", - "group.name": "onev", - "host.hostname": "mquis319.api.local", - "input.type": "log", - "log.level": "very-high", - "log.offset": 28845, - "network.application": "stenat", - "network.direction": "external", - "network.protocol": "igmp", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "mquis319.api.local" - ], - "related.ip": [ - "10.111.22.134", - "10.178.79.217" - ], - "related.user": [ - "ccusan", - "inibusBo", - "tqui" - ], - "rsa.counters.event_counter": 3538, - "rsa.db.database": "sequun", - 
"rsa.internal.event_desc": "adeseru", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "deny", - "orisnis" - ], - "rsa.misc.category": "sitas", - "rsa.misc.disposition": "eni", - "rsa.misc.event_type": "cte", - "rsa.misc.group": "onev", - "rsa.misc.log_session_id": "oidents", - "rsa.misc.operation_id": "ecatcu", - "rsa.misc.policy_name": "datatno", - "rsa.misc.result_code": "rita", - "rsa.misc.rule_name": "atu", - "rsa.misc.severity": "very-high", - "rsa.time.starttime": "2018-05-21T15:41:41.000Z", - "rsa.web.alias_host": "siar", - "rule.name": "atu", - "service.type": "imperva", - "source.address": "mquis319.api.local", - "source.ip": "10.178.79.217", - "source.port": 3124, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "url.domain": "www.example.net", - "url.extension": "jpg", - "url.fragment": "iaeco", - "url.original": "https://www.example.net/mvolup/pidat.jpg?ents=nsec#iaeco", - "url.path": "/mvolup/pidat.jpg", - "url.query": [ - "ents=nsec", - "ommodoco" - ], - "url.scheme": "https", - "user.name": "ccusan" - }, - { - "destination.ip": "10.161.225.172", - "destination.port": 3708, - "event.action": "block", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.161.225.172,dstPort=3708,dbUsername=meaqu,srcIP=10.77.86.215,srcPort=6390,creatTime=4 June 2018 20:44:15,srvGroup=con,service=aeabil,appName=iumtot,event#=edicta,eventType=Login,usrGroup=itaspern,usrAuth=False,application=\"tau\",osUsername=rcit,srcHost=urad5712.api.host,dbName=sitamet,schemaName=xerc,bindVar=mcolabor,sqlError=success,respSize=7286,respTime=143.926000,affRows=evita,action=\"block\",rawQuery=\"ant\"", - "event.outcome": "failure", - "fileset.name": "securesphere", - "group.name": "itaspern", - "host.hostname": "urad5712.api.host", - "input.type": "log", - "log.offset": 29582, - "network.application": "tau", - "observer.product": "Secure", - "observer.type": "WAF", - 
"observer.vendor": "Imperva", - "related.hosts": [ - "urad5712.api.host" - ], - "related.ip": [ - "10.161.225.172", - "10.77.86.215" - ], - "related.user": [ - "meaqu", - "rcit", - "xerc" - ], - "rsa.counters.dclass_c1": 7286, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "sitamet", - "rsa.db.index": "ant", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "itaspern", - "rsa.misc.group_object": "con", - "rsa.misc.result": "success", - "rsa.time.duration_time": 143.926, - "rsa.time.starttime": "2018-06-04T22:44:15.000Z", - "service.type": "imperva", - "source.address": "urad5712.api.host", - "source.ip": "10.77.86.215", - "source.port": 6390, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "meaqu" - }, - { - "destination.ip": "10.186.133.184", - "destination.port": 7864, - "event.action": "deny", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.186.133.184,dstPort=7864,dbUsername=boriosa,srcIP=10.211.161.187,srcPort=843,creatTime=2018-06-19 03:46:49,srvGroup=laud,service=uido,appName=uis,event#=msequin,eventType=autem,usrGroup=mporai,usrAuth=ipi,application=\"qua\",osUsername=acons,srcHost=enbyCic4659.www5.example,dbName=orroqui,schemaName=sci,bindVar=psamvolu,sqlError=unknown,respSize=1578,respTime=66.164000,affRows=temse,action=\"deny\",rawQuery=\"onevol\"", - "fileset.name": "securesphere", - "group.name": "mporai", - "host.hostname": "enbyCic4659.www5.example", - "input.type": "log", - "log.offset": 30021, - "network.application": "qua", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - 
"enbyCic4659.www5.example" - ], - "related.ip": [ - "10.186.133.184", - "10.211.161.187" - ], - "related.user": [ - "acons", - "boriosa", - "sci" - ], - "rsa.counters.dclass_c1": 1578, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "orroqui", - "rsa.db.index": "onevol", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.event_type": "autem", - "rsa.misc.group": "mporai", - "rsa.misc.group_object": "laud", - "rsa.misc.result": "unknown", - "rsa.time.duration_time": 66.164, - "rsa.time.starttime": "2018-06-19T05:46:49.000Z", - "service.type": "imperva", - "source.address": "enbyCic4659.www5.example", - "source.ip": "10.211.161.187", - "source.port": 843, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "boriosa" - }, - { - "destination.ip": "10.160.147.230", - "destination.port": 2126, - "event.action": "cancel", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.160.147.230,dstPort=2126,dbUsername=nimvenia,srcIP=10.254.198.47,srcPort=3925,creatTime=2018-07-03 10:49:23,srvGroup=lit,service=quin,appName=adipisc,event#=sedqui,eventType=ueporroq,usrGroup=dolo,usrAuth=adm,application=\"dolor\",osUsername=ndeomnis,srcHost=inBCSed5308.api.corp,dbName=modicons,schemaName=illoin,bindVar=rinre,sqlError=unknown,respSize=5988,respTime=34.664000,affRows=olorem,action=\"cancel\",rawQuery=\"dquiaco\"", - "fileset.name": "securesphere", - "group.name": "dolo", - "host.hostname": "inBCSed5308.api.corp", - "input.type": "log", - "log.offset": 30463, - "network.application": "dolor", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "inBCSed5308.api.corp" - ], - "related.ip": [ - "10.160.147.230", - "10.254.198.47" - ], - "related.user": [ - "illoin", - "ndeomnis", - "nimvenia" - ], - "rsa.counters.dclass_c1": 5988, - "rsa.counters.dclass_c1_str": 
"Affected Rows", - "rsa.db.database": "modicons", - "rsa.db.index": "dquiaco", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.event_type": "ueporroq", - "rsa.misc.group": "dolo", - "rsa.misc.group_object": "lit", - "rsa.misc.result": "unknown", - "rsa.time.duration_time": 34.664, - "rsa.time.starttime": "2018-07-03T12:49:23.000Z", - "service.type": "imperva", - "source.address": "inBCSed5308.api.corp", - "source.ip": "10.254.198.47", - "source.port": 3925, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "nimvenia" - }, - { - "destination.ip": "10.40.24.93", - "destination.port": 7487, - "event.action": "cancel", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.40.24.93,dstPort=7487,dbUsername=mSecti,srcIP=10.182.197.243,srcPort=3687,creatTime=2018-07-17 17:51:58,srvGroup=xerci,service=qua,appName=iaecons,event#=pteurs,eventType=Logout,usrGroup=intocc,usrAuth=True,application=\"abo\",osUsername=orisnis,srcHost=reseo2067.api.localdomain,dbName=nsectetu,schemaName=exerci,bindVar=lit,sqlError=success,respSize=4129,respTime=171.277000,affRows=ono,action=\"cancel\",rawQuery=\"equuntu\"", - "event.outcome": "success", - "fileset.name": "securesphere", - "group.name": "intocc", - "host.hostname": "reseo2067.api.localdomain", - "input.type": "log", - "log.offset": 30915, - "network.application": "abo", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "reseo2067.api.localdomain" - ], - "related.ip": [ - "10.182.197.243", - "10.40.24.93" - ], - "related.user": [ - "exerci", - "mSecti", - "orisnis" - ], - "rsa.counters.dclass_c1": 4129, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "nsectetu", - "rsa.db.index": "equuntu", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - 
"rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "intocc", - "rsa.misc.group_object": "xerci", - "rsa.misc.result": "success", - "rsa.time.duration_time": 171.277, - "rsa.time.starttime": "2018-07-17T19:51:58.000Z", - "service.type": "imperva", - "source.address": "reseo2067.api.localdomain", - "source.ip": "10.182.197.243", - "source.port": 3687, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "mSecti" - }, - { - "destination.ip": "10.249.13.159", - "destination.port": 3023, - "event.action": "cancel", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.249.13.159,dstPort=3023,dbUsername=uisautei,srcIP=10.108.130.106,srcPort=7601,creatTime=1 August 2018 00:54:32,srvGroup=scinge,service=lum,appName=iinea,event#=xercit,eventType=Login,usrGroup=reh,usrAuth=False,application=\"velitess\",osUsername=colab,srcHost=itte6905.mail.invalid,dbName=tesseq,schemaName=exeacomm,bindVar=uptat,sqlError=success,respSize=1044,respTime=112.679000,affRows=ptatema,action=\"cancel\",rawQuery=\"cepteurs\"", - "event.outcome": "failure", - "fileset.name": "securesphere", - "group.name": "reh", - "host.hostname": "itte6905.mail.invalid", - "input.type": "log", - "log.offset": 31363, - "network.application": "velitess", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "itte6905.mail.invalid" - ], - "related.ip": [ - "10.108.130.106", - "10.249.13.159" - ], - "related.user": [ - "colab", - "exeacomm", - "uisautei" - ], - "rsa.counters.dclass_c1": 1044, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "tesseq", - "rsa.db.index": "cepteurs", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": 
"Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "reh", - "rsa.misc.group_object": "scinge", - "rsa.misc.result": "success", - "rsa.time.duration_time": 112.679, - "rsa.time.starttime": "2018-08-01T02:54:32.000Z", - "service.type": "imperva", - "source.address": "itte6905.mail.invalid", - "source.ip": "10.108.130.106", - "source.port": 7601, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "uisautei" - }, - { - "destination.ip": "10.39.244.49", - "destination.port": 3852, - "event.action": "cancel", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=ioffic,event#=rumetMal,createTime=2018-08-15 07:57:06,updateTime=tiumtot,alertSev=very-high,group=caboNe,ruleName=\"ptate\",evntDesc=\"enimips\",category=Nequepor,disposition=nisiu,eventType=ptat,proto=ggp,srcPort=4082,srcIP=10.64.94.174,dstPort=3852,dstIP=10.39.244.49,policyName=\"ctas\",occurrences=7128,httpHost=sequ,webMethod=gna,url=\"https://internal.example.org/aev/uovolup.txt?aqueip=aqueip#rautod\",webQuery=\"tur\",soapAction=minimav,resultCode=uovo,sessionID=aven,username=Sedut,addUsername=stiaec,responseTime=rveli,responseSize=serr,direction=internal,dbUsername=uid,queryGroup=lamcor,application=\"rorsitv\",srcHost=caboNemo274.www.host,osUsername=estiae,schemaName=iunt,dbName=eFinibu,hdrName=uisaut,action=cancel", - "fileset.name": "securesphere", - "group.name": "caboNe", - "host.hostname": "caboNemo274.www.host", - "input.type": "log", - "log.level": "very-high", - "log.offset": 31820, - "network.application": "rorsitv", - "network.direction": "internal", - "network.protocol": "ggp", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - 
"caboNemo274.www.host" - ], - "related.ip": [ - "10.39.244.49", - "10.64.94.174" - ], - "related.user": [ - "Sedut", - "estiae", - "iunt" - ], - "rsa.counters.event_counter": 7128, - "rsa.db.database": "eFinibu", - "rsa.internal.event_desc": "enimips", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "cancel", - "gna" - ], - "rsa.misc.category": "Nequepor", - "rsa.misc.disposition": "nisiu", - "rsa.misc.event_type": "ptat", - "rsa.misc.group": "caboNe", - "rsa.misc.log_session_id": "aven", - "rsa.misc.operation_id": "ioffic", - "rsa.misc.policy_name": "ctas", - "rsa.misc.result_code": "uovo", - "rsa.misc.rule_name": "ptate", - "rsa.misc.severity": "very-high", - "rsa.time.starttime": "2018-08-15T09:57:06.000Z", - "rsa.web.alias_host": "sequ", - "rule.name": "ptate", - "service.type": "imperva", - "source.address": "caboNemo274.www.host", - "source.ip": "10.64.94.174", - "source.port": 4082, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "url.domain": "internal.example.org", - "url.extension": "txt", - "url.fragment": "rautod", - "url.original": "https://internal.example.org/aev/uovolup.txt?aqueip=aqueip#rautod", - "url.path": "/aev/uovolup.txt", - "url.query": [ - "aqueip=aqueip", - "tur" - ], - "url.scheme": "https", - "user.name": "Sedut" - }, - { - "event.action": "ercitati", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,event#=odit,createTime=2018-08-29 14:59:40,eventType=ercitati,eventSev=very-high,username=imad,subsystem=olo,message=\"deserun\"", - "fileset.name": "securesphere", - "input.type": "log", - "log.level": "very-high", - "log.offset": 32562, - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.user": [ - "imad" - ], - "rsa.internal.event_desc": "deserun", - "rsa.internal.messageid": "Imperva", - "rsa.misc.event_type": "ercitati", - "rsa.misc.severity": "very-high", - 
"rsa.time.starttime": "2018-08-29T16:59:40.000Z", - "service.type": "imperva", - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "imad" - }, - { - "event.action": "uatDuis", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,event#=scingeli,createTime=2018-09-12 22:02:15,eventType=uatDuis,eventSev=medium,username=apari,subsystem=itesseci,message=\"utali\"", - "fileset.name": "securesphere", - "input.type": "log", - "log.level": "medium", - "log.offset": 32706, - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.user": [ - "apari" - ], - "rsa.internal.event_desc": "utali", - "rsa.internal.messageid": "Imperva", - "rsa.misc.event_type": "uatDuis", - "rsa.misc.severity": "medium", - "rsa.time.starttime": "2018-09-13T00:02:15.000Z", - "service.type": "imperva", - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "apari" - }, - { - "destination.ip": "10.115.203.143", - "destination.port": 6889, - "event.action": "cancel", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.115.203.143,dstPort=6889,dbUsername=utoditau,srcIP=10.134.135.22,srcPort=1809,creatTime=27 September 2018 05:04:49,srvGroup=serror,service=itl,appName=Bonoru,event#=rumetMa,eventType=Login,usrGroup=entor,usrAuth=False,application=\"urere\",osUsername=involu,srcHost=qui5978.api.test,dbName=amre,schemaName=orpori,bindVar=sistena,sqlError=failure,respSize=7868,respTime=5.277000,affRows=borisn,action=\"cancel\",rawQuery=\"quatu\"", - "event.outcome": "failure", - "fileset.name": "securesphere", - "group.name": "entor", - "host.hostname": "qui5978.api.test", - "input.type": "log", - "log.offset": 32854, - "network.application": "urere", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - 
"related.hosts": [ - "qui5978.api.test" - ], - "related.ip": [ - "10.115.203.143", - "10.134.135.22" - ], - "related.user": [ - "involu", - "orpori", - "utoditau" - ], - "rsa.counters.dclass_c1": 7868, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "amre", - "rsa.db.index": "quatu", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "entor", - "rsa.misc.group_object": "serror", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 5.277, - "rsa.time.starttime": "2018-09-27T07:04:49.000Z", - "service.type": "imperva", - "source.address": "qui5978.api.test", - "source.ip": "10.134.135.22", - "source.port": 1809, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "utoditau" - }, - { - "destination.ip": "10.43.244.252", - "destination.port": 1752, - "event.action": "accept", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.43.244.252,dstPort=1752,dbUsername=inculp,srcIP=10.251.212.166,srcPort=3925,creatTime=11 October 2018 12:07:23,srvGroup=iur,service=aboNemo,appName=tsedquia,event#=ididun,eventType=Login,usrGroup=tatiset,usrAuth=False,application=\"enim\",osUsername=gnido,srcHost=iamq2577.internal.corp,dbName=uisa,schemaName=uptat,bindVar=siutal,sqlError=unknown,respSize=6947,respTime=144.976000,affRows=tempori,action=\"accept\",rawQuery=\"lamco\"", - "event.outcome": "failure", - "fileset.name": "securesphere", - "group.name": "tatiset", - "host.hostname": "iamq2577.internal.corp", - "input.type": "log", - "log.offset": 33304, - "network.application": "enim", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - 
"related.hosts": [ - "iamq2577.internal.corp" - ], - "related.ip": [ - "10.251.212.166", - "10.43.244.252" - ], - "related.user": [ - "gnido", - "inculp", - "uptat" - ], - "rsa.counters.dclass_c1": 6947, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "uisa", - "rsa.db.index": "lamco", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "tatiset", - "rsa.misc.group_object": "iur", - "rsa.misc.result": "unknown", - "rsa.time.duration_time": 144.976, - "rsa.time.starttime": "2018-10-11T14:07:23.000Z", - "service.type": "imperva", - "source.address": "iamq2577.internal.corp", - "source.ip": "10.251.212.166", - "source.port": 3925, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "inculp" - }, - { - "event.action": "edutpe", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,event#=nimve,createTime=2018-10-25 19:09:57,eventType=edutpe,eventSev=medium,username=isunde,subsystem=nimadm,message=\"cepte\"", - "fileset.name": "securesphere", - "input.type": "log", - "log.level": "medium", - "log.offset": 33759, - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.user": [ - "isunde" - ], - "rsa.internal.event_desc": "cepte", - "rsa.internal.messageid": "Imperva", - "rsa.misc.event_type": "edutpe", - "rsa.misc.severity": "medium", - "rsa.time.starttime": "2018-10-25T21:09:57.000Z", - "service.type": "imperva", - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "isunde" - }, - { - "destination.ip": "10.20.231.188", - "destination.port": 1200, - "event.action": "cancel", - "event.code": "Imperva", - "event.dataset": 
"imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.20.231.188,dstPort=1200,dbUsername=tesseq,srcIP=10.88.189.164,srcPort=1373,creatTime=2018-11-09 02:12:32,srvGroup=iusmod,service=aincid,appName=giatq,event#=tion,eventType=Logout,usrGroup=tNeque,usrAuth=False,application=\"uidolore\",osUsername=uatDuisa,srcHost=usB4127.localhost,dbName=ufugia,schemaName=mqu,bindVar=remagna,sqlError=failure,respSize=1623,respTime=33.468000,affRows=Uteni,action=\"cancel\",rawQuery=\"porinci\"", - "event.outcome": "failure", - "fileset.name": "securesphere", - "group.name": "tNeque", - "host.hostname": "usB4127.localhost", - "input.type": "log", - "log.offset": 33902, - "network.application": "uidolore", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "usB4127.localhost" - ], - "related.ip": [ - "10.20.231.188", - "10.88.189.164" - ], - "related.user": [ - "mqu", - "tesseq", - "uatDuisa" - ], - "rsa.counters.dclass_c1": 1623, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "ufugia", - "rsa.db.index": "porinci", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "tNeque", - "rsa.misc.group_object": "iusmod", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 33.468, - "rsa.time.starttime": "2018-11-09T04:12:32.000Z", - "service.type": "imperva", - "source.address": "usB4127.localhost", - "source.ip": "10.88.189.164", - "source.port": 1373, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "tesseq" - }, - { - "event.action": "uianon", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": 
"%IMPERVA-Imperva,event#=edd,createTime=2018-11-23 09:15:06,eventType=uianon,eventSev=low,username=quamquae,subsystem=aaliq,message=\"nos\"", - "fileset.name": "securesphere", - "input.type": "log", - "log.level": "low", - "log.offset": 34350, - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.user": [ - "quamquae" - ], - "rsa.internal.event_desc": "nos", - "rsa.internal.messageid": "Imperva", - "rsa.misc.event_type": "uianon", - "rsa.misc.severity": "low", - "rsa.time.starttime": "2018-11-23T11:15:06.000Z", - "service.type": "imperva", - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "quamquae" - }, - { - "destination.ip": "10.231.77.26", - "destination.port": 7082, - "event.action": "allow", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.231.77.26,dstPort=7082,dbUsername=rehe,srcIP=10.225.11.197,srcPort=3513,creatTime=7 December 2018 16:17:40,srvGroup=siarchi,service=seddoeiu,appName=lorinrep,event#=isq,eventType=Login,usrGroup=quines,usrAuth=False,application=\"entsu\",osUsername=ineavol,srcHost=abor3266.mail.home,dbName=voluptat,schemaName=volu,bindVar=iutaliqu,sqlError=failure,respSize=3064,respTime=61.960000,affRows=iusmo,action=\"allow\",rawQuery=\"uovo\"", - "event.outcome": "failure", - "fileset.name": "securesphere", - "group.name": "quines", - "host.hostname": "abor3266.mail.home", - "input.type": "log", - "log.offset": 34487, - "network.application": "entsu", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "abor3266.mail.home" - ], - "related.ip": [ - "10.225.11.197", - "10.231.77.26" - ], - "related.user": [ - "ineavol", - "rehe", - "volu" - ], - "rsa.counters.dclass_c1": 3064, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "voluptat", - "rsa.db.index": "uovo", - "rsa.internal.messageid": 
"Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "quines", - "rsa.misc.group_object": "siarchi", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 61.96, - "service.type": "imperva", - "source.address": "abor3266.mail.home", - "source.ip": "10.225.11.197", - "source.port": 3513, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "rehe" - }, - { - "destination.ip": "10.148.3.197", - "destination.port": 979, - "event.action": "allow", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.148.3.197,dstPort=979,dbUsername=usa,srcIP=10.106.166.105,srcPort=4567,creatTime=2018-12-21 23:20:14,srvGroup=oremagna,service=siuta,appName=amnihil,event#=nderit,eventType=ficia,usrGroup=tru,usrAuth=tionu,application=\"natuser\",osUsername=olupt,srcHost=eprehe2455.www.home,dbName=smo,schemaName=avolup,bindVar=litse,sqlError=failure,respSize=2658,respTime=84.894000,affRows=untutlab,action=\"allow\",rawQuery=\"byCicer\"", - "fileset.name": "securesphere", - "group.name": "tru", - "host.hostname": "eprehe2455.www.home", - "input.type": "log", - "log.offset": 34938, - "network.application": "natuser", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "eprehe2455.www.home" - ], - "related.ip": [ - "10.106.166.105", - "10.148.3.197" - ], - "related.user": [ - "avolup", - "olupt", - "usa" - ], - "rsa.counters.dclass_c1": 2658, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "smo", - "rsa.db.index": "byCicer", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.event_type": "ficia", - "rsa.misc.group": "tru", - 
"rsa.misc.group_object": "oremagna", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 84.894, - "rsa.time.starttime": "2018-12-22T01:20:14.000Z", - "service.type": "imperva", - "source.address": "eprehe2455.www.home", - "source.ip": "10.106.166.105", - "source.port": 4567, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "usa" - }, - { - "destination.ip": "10.172.121.239", - "destination.port": 5339, - "event.action": "cancel", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.172.121.239,dstPort=5339,dbUsername=iuta,srcIP=10.57.169.205,srcPort=3093,creatTime=2019-01-05 06:22:49,srvGroup=reeufugi,service=oloree,appName=xeaco,event#=urm,eventType=Logout,usrGroup=mpo,usrAuth=False,application=\"cept\",osUsername=ctas,srcHost=destla2110.www5.localdomain,dbName=inea,schemaName=ipsu,bindVar=iden,sqlError=failure,respSize=392,respTime=19.061000,affRows=reetd,action=\"cancel\",rawQuery=\"maven\"", - "event.outcome": "failure", - "fileset.name": "securesphere", - "group.name": "mpo", - "host.hostname": "destla2110.www5.localdomain", - "input.type": "log", - "log.offset": 35381, - "network.application": "cept", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "destla2110.www5.localdomain" - ], - "related.ip": [ - "10.172.121.239", - "10.57.169.205" - ], - "related.user": [ - "ctas", - "ipsu", - "iuta" - ], - "rsa.counters.dclass_c1": 392, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "inea", - "rsa.db.index": "maven", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "mpo", - 
"rsa.misc.group_object": "reeufugi", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 19.061, - "rsa.time.starttime": "2019-01-05T08:22:49.000Z", - "service.type": "imperva", - "source.address": "destla2110.www5.localdomain", - "source.ip": "10.57.169.205", - "source.port": 3093, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "iuta" - }, - { - "destination.ip": "10.129.234.200", - "destination.port": 3833, - "event.action": "allow", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.129.234.200,dstPort=3833,dbUsername=tisundeo,srcIP=10.42.218.103,srcPort=3315,creatTime=19 January 2019 13:25:23,srvGroup=mnis,service=tametco,appName=snisiut,event#=lit,eventType=Login,usrGroup=laborio,usrAuth=False,application=\"aaliqu\",osUsername=tevelit,srcHost=exerc3694.api.home,dbName=consec,schemaName=dquia,bindVar=cep,sqlError=success,respSize=6709,respTime=34.273000,affRows=volupta,action=\"allow\",rawQuery=\"ipex\"", - "event.outcome": "failure", - "fileset.name": "securesphere", - "group.name": "laborio", - "host.hostname": "exerc3694.api.home", - "input.type": "log", - "log.offset": 35821, - "network.application": "aaliqu", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "exerc3694.api.home" - ], - "related.ip": [ - "10.129.234.200", - "10.42.218.103" - ], - "related.user": [ - "dquia", - "tevelit", - "tisundeo" - ], - "rsa.counters.dclass_c1": 6709, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "consec", - "rsa.db.index": "ipex", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "laborio", - 
"rsa.misc.group_object": "mnis", - "rsa.misc.result": "success", - "rsa.time.duration_time": 34.273, - "rsa.time.starttime": "2019-01-19T15:25:23.000Z", - "service.type": "imperva", - "source.address": "exerc3694.api.home", - "source.ip": "10.42.218.103", - "source.port": 3315, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "tisundeo" - }, - { - "destination.ip": "10.111.132.221", - "destination.port": 2262, - "event.action": "cancel", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.111.132.221,dstPort=2262,dbUsername=ali,srcIP=10.76.121.224,srcPort=4305,creatTime=2019-02-02 20:27:57,srvGroup=xcep,service=ehen,appName=remap,event#=mUt,eventType=Logout,usrGroup=admi,usrAuth=True,application=\"siarch\",osUsername=oloremi,srcHost=ididu5928.www5.local,dbName=tNe,schemaName=scive,bindVar=tcupi,sqlError=unknown,respSize=6155,respTime=139.491000,affRows=Sed,action=\"cancel\",rawQuery=\"ita\"", - "event.outcome": "success", - "fileset.name": "securesphere", - "group.name": "admi", - "host.hostname": "ididu5928.www5.local", - "input.type": "log", - "log.offset": 36271, - "network.application": "siarch", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "ididu5928.www5.local" - ], - "related.ip": [ - "10.111.132.221", - "10.76.121.224" - ], - "related.user": [ - "ali", - "oloremi", - "scive" - ], - "rsa.counters.dclass_c1": 6155, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "tNe", - "rsa.db.index": "ita", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "admi", - "rsa.misc.group_object": "xcep", - 
"rsa.misc.result": "unknown", - "rsa.time.duration_time": 139.491, - "rsa.time.starttime": "2019-02-02T22:27:57.000Z", - "service.type": "imperva", - "source.address": "ididu5928.www5.local", - "source.ip": "10.76.121.224", - "source.port": 4305, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "ali" - }, - { - "destination.ip": "10.195.8.141", - "destination.port": 4342, - "event.action": "accept", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.195.8.141,dstPort=4342,dbUsername=enimip,srcIP=10.17.214.21,srcPort=4821,creatTime=17 February 2019 03:30:32,srvGroup=umquiado,service=taspe,appName=empori,event#=mipsum,eventType=Login,usrGroup=tium,usrAuth=True,application=\"riaturE\",osUsername=ota,srcHost=boriosa7066.www.corp,dbName=Nequep,schemaName=dolo,bindVar=exeacom,sqlError=success,respSize=469,respTime=146.775000,affRows=eufugiat,action=\"accept\",rawQuery=\"non\"", - "event.outcome": "success", - "fileset.name": "securesphere", - "group.name": "tium", - "host.hostname": "boriosa7066.www.corp", - "input.type": "log", - "log.offset": 36701, - "network.application": "riaturE", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "boriosa7066.www.corp" - ], - "related.ip": [ - "10.17.214.21", - "10.195.8.141" - ], - "related.user": [ - "dolo", - "enimip", - "ota" - ], - "rsa.counters.dclass_c1": 469, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "Nequep", - "rsa.db.index": "non", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "tium", - "rsa.misc.group_object": "umquiado", - "rsa.misc.result": 
"success", - "rsa.time.duration_time": 146.775, - "rsa.time.starttime": "2019-02-17T05:30:32.000Z", - "service.type": "imperva", - "source.address": "boriosa7066.www.corp", - "source.ip": "10.17.214.21", - "source.port": 4821, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "enimip" - }, - { - "destination.ip": "10.173.13.179", - "destination.port": 1211, - "event.action": "block", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.173.13.179,dstPort=1211,dbUsername=ptasn,srcIP=10.179.60.167,srcPort=1124,creatTime=2019-03-03 10:33:06,srvGroup=amqui,service=itatise,appName=utlab,event#=ostr,eventType=Logout,usrGroup=liqu,usrAuth=True,application=\"cons\",osUsername=apar,srcHost=ssusc1892.internal.host,dbName=xplic,schemaName=isn,bindVar=quepor,sqlError=failure,respSize=758,respTime=58.800000,affRows=etur,action=\"block\",rawQuery=\"cusan\"", - "event.outcome": "success", - "fileset.name": "securesphere", - "group.name": "liqu", - "host.hostname": "ssusc1892.internal.host", - "input.type": "log", - "log.offset": 37150, - "network.application": "cons", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "ssusc1892.internal.host" - ], - "related.ip": [ - "10.173.13.179", - "10.179.60.167" - ], - "related.user": [ - "apar", - "isn", - "ptasn" - ], - "rsa.counters.dclass_c1": 758, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "xplic", - "rsa.db.index": "cusan", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "liqu", - "rsa.misc.group_object": "amqui", - "rsa.misc.result": "failure", - 
"rsa.time.duration_time": 58.8, - "rsa.time.starttime": "2019-03-03T12:33:06.000Z", - "service.type": "imperva", - "source.address": "ssusc1892.internal.host", - "source.ip": "10.179.60.167", - "source.port": 1124, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "ptasn" - }, - { - "destination.ip": "10.42.135.34", - "destination.port": 4361, - "event.action": "cancel", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.42.135.34,dstPort=4361,dbUsername=tiset,srcIP=10.178.190.123,srcPort=3288,creatTime=2019-03-17 17:35:40,srvGroup=xercitat,service=ueporr,appName=utlab,event#=entoreve,eventType=Logout,usrGroup=lmolest,usrAuth=False,application=\"ser\",osUsername=ore,srcHost=iatisund424.mail.localdomain,dbName=tametcon,schemaName=orsi,bindVar=ull,sqlError=success,respSize=2290,respTime=1.468000,affRows=etdolore,action=\"cancel\",rawQuery=\"ore\"", - "event.outcome": "failure", - "fileset.name": "securesphere", - "group.name": "lmolest", - "host.hostname": "iatisund424.mail.localdomain", - "input.type": "log", - "log.offset": 37585, - "network.application": "ser", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "iatisund424.mail.localdomain" - ], - "related.ip": [ - "10.178.190.123", - "10.42.135.34" - ], - "related.user": [ - "ore", - "orsi", - "tiset" - ], - "rsa.counters.dclass_c1": 2290, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "tametcon", - "rsa.db.index": "ore", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "lmolest", - "rsa.misc.group_object": "xercitat", - "rsa.misc.result": 
"success", - "rsa.time.duration_time": 1.468, - "rsa.time.starttime": "2019-03-17T19:35:40.000Z", - "service.type": "imperva", - "source.address": "iatisund424.mail.localdomain", - "source.ip": "10.178.190.123", - "source.port": 3288, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "tiset" - }, - { - "event.action": "cons", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,event#=ectetur,createTime=2019-04-01 00:38:14,eventType=cons,eventSev=medium,username=fugit,subsystem=dantiu,message=\"ntutla\"", - "fileset.name": "securesphere", - "input.type": "log", - "log.level": "medium", - "log.offset": 38037, - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.user": [ - "fugit" - ], - "rsa.internal.event_desc": "ntutla", - "rsa.internal.messageid": "Imperva", - "rsa.misc.event_type": "cons", - "rsa.misc.severity": "medium", - "rsa.time.starttime": "2019-04-01T02:38:14.000Z", - "service.type": "imperva", - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "fugit" - }, - { - "destination.ip": "10.207.198.239", - "destination.port": 4735, - "event.action": "accept", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.207.198.239,dstPort=4735,dbUsername=Loremips,srcIP=10.8.147.176,srcPort=5920,creatTime=15 April 2019 07:40:49,srvGroup=odtem,service=ite,appName=tseddo,event#=ptatems,eventType=Login,usrGroup=ori,usrAuth=False,application=\"exerc\",osUsername=aUteni,srcHost=uidolo7626.local,dbName=rchite,schemaName=incididu,bindVar=idolor,sqlError=failure,respSize=3043,respTime=36.712000,affRows=oinB,action=\"accept\",rawQuery=\"econsequ\"", - "event.outcome": "failure", - "fileset.name": "securesphere", - "group.name": "ori", - "host.hostname": "uidolo7626.local", - "input.type": "log", - "log.offset": 
38180, - "network.application": "exerc", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "uidolo7626.local" - ], - "related.ip": [ - "10.207.198.239", - "10.8.147.176" - ], - "related.user": [ - "Loremips", - "aUteni", - "incididu" - ], - "rsa.counters.dclass_c1": 3043, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "rchite", - "rsa.db.index": "econsequ", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "ori", - "rsa.misc.group_object": "odtem", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 36.712, - "rsa.time.starttime": "2019-04-15T09:40:49.000Z", - "service.type": "imperva", - "source.address": "uidolo7626.local", - "source.ip": "10.8.147.176", - "source.port": 5920, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "Loremips" - }, - { - "destination.ip": "10.116.26.185", - "destination.port": 595, - "event.action": "block", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.116.26.185,dstPort=595,dbUsername=oNe,srcIP=10.206.221.180,srcPort=6818,creatTime=2019-04-29 14:43:23,srvGroup=repr,service=idu,appName=otam,event#=amquaera,eventType=rumS,usrGroup=uelau,usrAuth=quidolor,application=\"cca\",osUsername=litesseq,srcHost=dmini3435.internal.domain,dbName=rumexerc,schemaName=nseq,bindVar=quisnost,sqlError=unknown,respSize=3218,respTime=26.485000,affRows=orisnisi,action=\"block\",rawQuery=\"nul\"", - "fileset.name": "securesphere", - "group.name": "uelau", - "host.hostname": "dmini3435.internal.domain", - "input.type": "log", - "log.offset": 38627, - "network.application": "cca", - 
"observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "dmini3435.internal.domain" - ], - "related.ip": [ - "10.116.26.185", - "10.206.221.180" - ], - "related.user": [ - "litesseq", - "nseq", - "oNe" - ], - "rsa.counters.dclass_c1": 3218, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "rumexerc", - "rsa.db.index": "nul", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.event_type": "rumS", - "rsa.misc.group": "uelau", - "rsa.misc.group_object": "repr", - "rsa.misc.result": "unknown", - "rsa.time.duration_time": 26.485, - "rsa.time.starttime": "2019-04-29T16:43:23.000Z", - "service.type": "imperva", - "source.address": "dmini3435.internal.domain", - "source.ip": "10.206.221.180", - "source.port": 6818, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "oNe" - }, - { - "destination.ip": "10.86.180.150", - "destination.port": 5495, - "event.action": "allow", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.86.180.150,dstPort=5495,dbUsername=mnisis,srcIP=10.253.127.130,srcPort=5339,creatTime=2019-05-13 21:45:57,srvGroup=isciveli,service=urve,appName=sundeomn,event#=tasu,eventType=Logout,usrGroup=equunt,usrAuth=True,application=\"uat\",osUsername=itasper,srcHost=nibusBo1864.domain,dbName=ent,schemaName=etconsec,bindVar=docons,sqlError=failure,respSize=4564,respTime=4.592000,affRows=mremap,action=\"allow\",rawQuery=\"sperna\"", - "event.outcome": "success", - "fileset.name": "securesphere", - "group.name": "equunt", - "host.hostname": "nibusBo1864.domain", - "input.type": "log", - "log.offset": 39075, - "network.application": "uat", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "nibusBo1864.domain" - ], - "related.ip": [ - "10.253.127.130", - "10.86.180.150" - ], - 
"related.user": [ - "etconsec", - "itasper", - "mnisis" - ], - "rsa.counters.dclass_c1": 4564, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "ent", - "rsa.db.index": "sperna", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "equunt", - "rsa.misc.group_object": "isciveli", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 4.592, - "rsa.time.starttime": "2019-05-13T23:45:57.000Z", - "service.type": "imperva", - "source.address": "nibusBo1864.domain", - "source.ip": "10.253.127.130", - "source.port": 5339, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "mnisis" - }, - { - "destination.ip": "10.158.161.5", - "destination.port": 579, - "event.action": "allow", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=mexe,event#=sequatDu,createTime=2019-05-28 04:48:31,updateTime=ssuscip,alertSev=high,group=ciade,ruleName=\"busBonor\",evntDesc=\"enima\",category=emseq,disposition=osamni,eventType=umetMa,proto=ipv6-icmp,srcPort=4469,srcIP=10.220.175.201,dstPort=579,dstIP=10.158.161.5,policyName=\"eab\",occurrences=4098,httpHost=ciduntut,webMethod=atisu,url=\"https://internal.example.com/architec/incul.txt?aborios=mco#amnisiu\",webQuery=\"suntincu\",soapAction=lore,resultCode=equatu,sessionID=enbyCi,username=dolo,addUsername=adipi,responseTime=beata,responseSize=evelites,direction=inbound,dbUsername=tNeq,queryGroup=umtot,application=\"eumiurer\",srcHost=inv6528.www5.example,osUsername=rrors,schemaName=dolo,dbName=tsed,hdrName=corpori,action=allow", - "fileset.name": "securesphere", - "group.name": "ciade", - "host.hostname": "inv6528.www5.example", - "input.type": 
"log", - "log.level": "high", - "log.offset": 39520, - "network.application": "eumiurer", - "network.direction": "inbound", - "network.protocol": "ipv6-icmp", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "inv6528.www5.example" - ], - "related.ip": [ - "10.158.161.5", - "10.220.175.201" - ], - "related.user": [ - "dolo", - "rrors" - ], - "rsa.counters.event_counter": 4098, - "rsa.db.database": "tsed", - "rsa.internal.event_desc": "enima", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "allow", - "atisu" - ], - "rsa.misc.category": "emseq", - "rsa.misc.disposition": "osamni", - "rsa.misc.event_type": "umetMa", - "rsa.misc.group": "ciade", - "rsa.misc.log_session_id": "enbyCi", - "rsa.misc.operation_id": "mexe", - "rsa.misc.policy_name": "eab", - "rsa.misc.result_code": "equatu", - "rsa.misc.rule_name": "busBonor", - "rsa.misc.severity": "high", - "rsa.time.starttime": "2019-05-28T06:48:31.000Z", - "rsa.web.alias_host": "ciduntut", - "rule.name": "busBonor", - "service.type": "imperva", - "source.address": "inv6528.www5.example", - "source.ip": "10.220.175.201", - "source.port": 4469, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "url.domain": "internal.example.com", - "url.extension": "txt", - "url.fragment": "amnisiu", - "url.original": "https://internal.example.com/architec/incul.txt?aborios=mco#amnisiu", - "url.path": "/architec/incul.txt", - "url.query": [ - "aborios=mco", - "suntincu" - ], - "url.scheme": "https", - "user.name": "dolo" - }, - { - "event.action": "ema", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,event#=uioff,createTime=2019-06-11 11:51:06,eventType=ema,eventSev=low,username=mpo,subsystem=deritinv,message=\"ten\"", - "fileset.name": "securesphere", - "input.type": "log", - "log.level": "low", - "log.offset": 40273, - "observer.product": "Secure", - 
"observer.type": "WAF", - "observer.vendor": "Imperva", - "related.user": [ - "mpo" - ], - "rsa.internal.event_desc": "ten", - "rsa.internal.messageid": "Imperva", - "rsa.misc.event_type": "ema", - "rsa.misc.severity": "low", - "rsa.time.starttime": "2019-06-11T13:51:06.000Z", - "service.type": "imperva", - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "mpo" - }, - { - "destination.ip": "10.150.27.144", - "destination.port": 5627, - "event.action": "cancel", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.150.27.144,dstPort=5627,dbUsername=res,srcIP=10.248.16.82,srcPort=6834,creatTime=25 June 2019 18:53:40,srvGroup=loinv,service=umd,appName=madmi,event#=xercit,eventType=Login,usrGroup=avolup,usrAuth=True,application=\"etdo\",osUsername=tuserror,srcHost=nisiutal4437.www.example,dbName=uipex,schemaName=ditautf,bindVar=orr,sqlError=failure,respSize=4367,respTime=25.972000,affRows=uptas,action=\"cancel\",rawQuery=\"osquira\"", - "event.outcome": "success", - "fileset.name": "securesphere", - "group.name": "avolup", - "host.hostname": "nisiutal4437.www.example", - "input.type": "log", - "log.offset": 40407, - "network.application": "etdo", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "nisiutal4437.www.example" - ], - "related.ip": [ - "10.150.27.144", - "10.248.16.82" - ], - "related.user": [ - "ditautf", - "res", - "tuserror" - ], - "rsa.counters.dclass_c1": 4367, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "uipex", - "rsa.db.index": "osquira", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": 
"avolup", - "rsa.misc.group_object": "loinv", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 25.972, - "rsa.time.starttime": "2019-06-25T20:53:40.000Z", - "service.type": "imperva", - "source.address": "nisiutal4437.www.example", - "source.ip": "10.248.16.82", - "source.port": 6834, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "res" - }, - { - "destination.ip": "10.146.131.76", - "destination.port": 2281, - "event.action": "allow", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.146.131.76,dstPort=2281,dbUsername=orsi,srcIP=10.173.19.140,srcPort=7780,creatTime=2019-07-10 01:56:14,srvGroup=atu,service=ddo,appName=veli,event#=ata,eventType=Logout,usrGroup=untmoll,usrAuth=False,application=\"ididun\",osUsername=olo,srcHost=tqui5172.www.local,dbName=untex,schemaName=Except,bindVar=elitsedd,sqlError=failure,respSize=5844,respTime=52.550000,affRows=cingel,action=\"allow\",rawQuery=\"seos\"", - "event.outcome": "failure", - "fileset.name": "securesphere", - "group.name": "untmoll", - "host.hostname": "tqui5172.www.local", - "input.type": "log", - "log.offset": 40851, - "network.application": "ididun", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "tqui5172.www.local" - ], - "related.ip": [ - "10.146.131.76", - "10.173.19.140" - ], - "related.user": [ - "Except", - "olo", - "orsi" - ], - "rsa.counters.dclass_c1": 5844, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "untex", - "rsa.db.index": "seos", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.event_type": "Logout", - "rsa.misc.group": "untmoll", - "rsa.misc.group_object": 
"atu", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 52.55, - "rsa.time.starttime": "2019-07-10T03:56:14.000Z", - "service.type": "imperva", - "source.address": "tqui5172.www.local", - "source.ip": "10.173.19.140", - "source.port": 7780, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "orsi" - }, - { - "destination.ip": "10.69.5.227", - "destination.port": 5845, - "event.action": "deny", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.69.5.227,dstPort=5845,dbUsername=doloreme,srcIP=10.171.175.165,srcPort=5776,creatTime=2019-07-24 08:58:48,srvGroup=taspe,service=litess,appName=enimadm,event#=corpori,eventType=onemull,usrGroup=emeu,usrAuth=uisaute,application=\"tvol\",osUsername=ntocc,srcHost=intocca6708.mail.corp,dbName=dquiaco,schemaName=rumw,bindVar=ula,sqlError=failure,respSize=5201,respTime=46.690000,affRows=quam,action=\"deny\",rawQuery=\"edquian\"", - "fileset.name": "securesphere", - "group.name": "emeu", - "host.hostname": "intocca6708.mail.corp", - "input.type": "log", - "log.offset": 41284, - "network.application": "tvol", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "intocca6708.mail.corp" - ], - "related.ip": [ - "10.171.175.165", - "10.69.5.227" - ], - "related.user": [ - "doloreme", - "ntocc", - "rumw" - ], - "rsa.counters.dclass_c1": 5201, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "dquiaco", - "rsa.db.index": "edquian", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.event_type": "onemull", - "rsa.misc.group": "emeu", - "rsa.misc.group_object": "taspe", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 46.69, - "rsa.time.starttime": "2019-07-24T10:58:48.000Z", - "service.type": "imperva", - "source.address": "intocca6708.mail.corp", - "source.ip": "10.171.175.165", - 
"source.port": 5776, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "doloreme" - }, - { - "destination.ip": "10.213.214.118", - "destination.port": 7851, - "event.action": "deny", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.213.214.118,dstPort=7851,dbUsername=ate,srcIP=10.253.175.129,srcPort=5547,creatTime=7 August 2019 16:01:23,srvGroup=rsi,service=tuser,appName=equinesc,event#=ectet,eventType=Login,usrGroup=emull,usrAuth=False,application=\"enatuser\",osUsername=epteurs,srcHost=isetqu2843.www.invalid,dbName=niamqu,schemaName=nrep,bindVar=lauda,sqlError=failure,respSize=6260,respTime=9.295000,affRows=aincidu,action=\"deny\",rawQuery=\"ipsamvol\"", - "event.outcome": "failure", - "fileset.name": "securesphere", - "group.name": "emull", - "host.hostname": "isetqu2843.www.invalid", - "input.type": "log", - "log.offset": 41730, - "network.application": "enatuser", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "isetqu2843.www.invalid" - ], - "related.ip": [ - "10.213.214.118", - "10.253.175.129" - ], - "related.user": [ - "ate", - "epteurs", - "nrep" - ], - "rsa.counters.dclass_c1": 6260, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "niamqu", - "rsa.db.index": "ipsamvol", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "emull", - "rsa.misc.group_object": "rsi", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 9.295, - "rsa.time.starttime": "2019-08-07T18:01:23.000Z", - "service.type": "imperva", - "source.address": "isetqu2843.www.invalid", - "source.ip": "10.253.175.129", - 
"source.port": 5547, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "ate" - }, - { - "destination.ip": "10.89.26.170", - "destination.port": 3548, - "event.action": "block", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=estquido,event#=eufugiat,createTime=2019-08-21 23:03:57,updateTime=minima,alertSev=high,group=bor,ruleName=\"uisnos\",evntDesc=\"loi\",category=tation,disposition=seddoe,eventType=adol,proto=rdp,srcPort=7756,srcIP=10.149.91.130,dstPort=3548,dstIP=10.89.26.170,policyName=\"aqueipsa\",occurrences=5863,httpHost=ide,webMethod=atcupi,url=\"https://www.example.com/sit/ugi.gif?sitametc=rur#edut\",webQuery=\"sitametc\",soapAction=iarchite,resultCode=uide,sessionID=iono,username=aboris,addUsername=eturad,responseTime=ipiscive,responseSize=sequu,direction=internal,dbUsername=epteur,queryGroup=iqu,application=\"uptateve\",srcHost=commodo6041.mail.localhost,osUsername=atus,schemaName=orumetMa,dbName=inventor,hdrName=dolo,action=block", - "fileset.name": "securesphere", - "group.name": "bor", - "host.hostname": "commodo6041.mail.localhost", - "input.type": "log", - "log.level": "high", - "log.offset": 42181, - "network.application": "uptateve", - "network.direction": "internal", - "network.protocol": "rdp", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "commodo6041.mail.localhost" - ], - "related.ip": [ - "10.149.91.130", - "10.89.26.170" - ], - "related.user": [ - "aboris", - "atus", - "orumetMa" - ], - "rsa.counters.event_counter": 5863, - "rsa.db.database": "inventor", - "rsa.internal.event_desc": "loi", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "atcupi", - "block" - ], - "rsa.misc.category": "tation", - "rsa.misc.disposition": "seddoe", - "rsa.misc.event_type": "adol", - "rsa.misc.group": "bor", - "rsa.misc.log_session_id": "iono", - 
"rsa.misc.operation_id": "estquido", - "rsa.misc.policy_name": "aqueipsa", - "rsa.misc.result_code": "uide", - "rsa.misc.rule_name": "uisnos", - "rsa.misc.severity": "high", - "rsa.time.starttime": "2019-08-22T01:03:57.000Z", - "rsa.web.alias_host": "ide", - "rule.name": "uisnos", - "service.type": "imperva", - "source.address": "commodo6041.mail.localhost", - "source.ip": "10.149.91.130", - "source.port": 7756, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "url.domain": "www.example.com", - "url.extension": "gif", - "url.fragment": "edut", - "url.original": "https://www.example.com/sit/ugi.gif?sitametc=rur#edut", - "url.path": "/sit/ugi.gif", - "url.query": [ - "sitametc", - "sitametc=rur" - ], - "url.scheme": "https", - "user.name": "aboris" - }, - { - "destination.ip": "10.81.108.232", - "destination.port": 856, - "event.action": "allow", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=tmolli,event#=orumSe,createTime=2019-09-05 06:06:31,updateTime=mSe,alertSev=high,group=teturad,ruleName=\"alorumwr\",evntDesc=\"pis\",category=idol,disposition=mmodico,eventType=emaccu,proto=rdp,srcPort=5818,srcIP=10.52.106.68,dstPort=856,dstIP=10.81.108.232,policyName=\"atemq\",occurrences=5098,httpHost=volupta,webMethod=Quisaut,url=\"https://internal.example.net/obeatae/sedqui.jpg?nulap=onseq#amrem\",webQuery=\"plicab\",soapAction=isisten,resultCode=eiusmodt,sessionID=naaliq,username=aco,addUsername=psamvolu,responseTime=inculp,responseSize=eni,direction=inbound,dbUsername=sedqu,queryGroup=ipitlabo,application=\"olorinr\",srcHost=gitse6744.api.local,osUsername=neavolup,schemaName=uaturve,dbName=lapa,hdrName=uepor,action=\"allow\",errormsg=\"failure\"", - "fileset.name": "securesphere", - "group.name": "teturad", - "host.hostname": "gitse6744.api.local", - "input.type": "log", - "log.level": "high", - "log.offset": 42925, - "network.application": "olorinr", - 
"network.direction": "inbound", - "network.protocol": "rdp", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "gitse6744.api.local" - ], - "related.ip": [ - "10.52.106.68", - "10.81.108.232" - ], - "related.user": [ - "aco", - "neavolup", - "uaturve" - ], - "rsa.counters.event_counter": 5098, - "rsa.db.database": "lapa", - "rsa.internal.event_desc": "pis", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "Quisaut", - "allow" - ], - "rsa.misc.category": "idol", - "rsa.misc.disposition": "mmodico", - "rsa.misc.event_type": "emaccu", - "rsa.misc.group": "teturad", - "rsa.misc.log_session_id": "naaliq", - "rsa.misc.operation_id": "tmolli", - "rsa.misc.policy_name": "atemq", - "rsa.misc.result": "failure", - "rsa.misc.result_code": "eiusmodt", - "rsa.misc.rule_name": "alorumwr", - "rsa.misc.severity": "high", - "rsa.time.starttime": "2019-09-05T08:06:31.000Z", - "rsa.web.alias_host": "volupta", - "rule.name": "alorumwr", - "service.type": "imperva", - "source.address": "gitse6744.api.local", - "source.ip": "10.52.106.68", - "source.port": 5818, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "url.domain": "internal.example.net", - "url.extension": "jpg", - "url.fragment": "amrem", - "url.original": "https://internal.example.net/obeatae/sedqui.jpg?nulap=onseq#amrem", - "url.path": "/obeatae/sedqui.jpg", - "url.query": [ - "nulap=onseq", - "plicab" - ], - "url.scheme": "https", - "user.name": "aco" - }, - { - "destination.ip": "10.223.10.28", - "destination.port": 1991, - "event.action": "deny", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=umquamei,event#=nih,createTime=2019-09-19 
13:09:05,updateTime=tionev,alertSev=high,group=quia,ruleName=\"eabill\",evntDesc=\"itatiset\",category=uaerat,disposition=met,eventType=isno,proto=icmp,srcPort=2572,srcIP=10.230.48.97,dstPort=1991,dstIP=10.223.10.28,policyName=\"emveleu\",occurrences=4029,httpHost=norumet,webMethod=tconse,url=\"https://mail.example.com/iaturE/inc.htm?uisaut=mnihilm#itinvo\",webQuery=\"lestia\",soapAction=anti,resultCode=eavo,sessionID=enderi,username=erit,addUsername=uptatem,responseTime=reeufug,responseSize=temveleu,direction=unknown,dbUsername=repre,queryGroup=consec,application=\"untmoll\",srcHost=par3605.internal.localdomain,osUsername=usmodte,schemaName=untex,dbName=ommodi,hdrName=ntiu,action=\"deny\",errormsg=\"success\"", - "fileset.name": "securesphere", - "group.name": "quia", - "host.hostname": "par3605.internal.localdomain", - "input.type": "log", - "log.level": "high", - "log.offset": 43696, - "network.application": "untmoll", - "network.direction": "unknown", - "network.protocol": "icmp", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "par3605.internal.localdomain" - ], - "related.ip": [ - "10.223.10.28", - "10.230.48.97" - ], - "related.user": [ - "erit", - "untex", - "usmodte" - ], - "rsa.counters.event_counter": 4029, - "rsa.db.database": "ommodi", - "rsa.internal.event_desc": "itatiset", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "deny", - "tconse" - ], - "rsa.misc.category": "uaerat", - "rsa.misc.disposition": "met", - "rsa.misc.event_type": "isno", - "rsa.misc.group": "quia", - "rsa.misc.log_session_id": "enderi", - "rsa.misc.operation_id": "umquamei", - "rsa.misc.policy_name": "emveleu", - "rsa.misc.result": "success", - "rsa.misc.result_code": "eavo", - "rsa.misc.rule_name": "eabill", - "rsa.misc.severity": "high", - "rsa.time.starttime": "2019-09-19T15:09:05.000Z", - "rsa.web.alias_host": "norumet", - "rule.name": "eabill", - "service.type": "imperva", - "source.address": 
"par3605.internal.localdomain", - "source.ip": "10.230.48.97", - "source.port": 2572, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "url.domain": "mail.example.com", - "url.extension": "htm", - "url.fragment": "itinvo", - "url.original": "https://mail.example.com/iaturE/inc.htm?uisaut=mnihilm#itinvo", - "url.path": "/iaturE/inc.htm", - "url.query": [ - "lestia", - "uisaut=mnihilm" - ], - "url.scheme": "https", - "user.name": "erit" - }, - { - "destination.ip": "10.115.42.231", - "destination.port": 2143, - "event.action": "deny", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.115.42.231,dstPort=2143,dbUsername=res,srcIP=10.161.212.150,srcPort=2748,creatTime=3 October 2019 20:11:40,srvGroup=corporis,service=turExc,appName=urvelil,event#=ulapa,eventType=Login,usrGroup=abi,usrAuth=False,application=\"ameiusm\",osUsername=tasnul,srcHost=isau4356.www.home,dbName=niamqui,schemaName=sequamn,bindVar=onse,sqlError=failure,respSize=4846,respTime=6.993000,affRows=aliquaUt,action=\"deny\",rawQuery=\"natus\"", - "event.outcome": "failure", - "fileset.name": "securesphere", - "group.name": "abi", - "host.hostname": "isau4356.www.home", - "input.type": "log", - "log.offset": 44466, - "network.application": "ameiusm", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "isau4356.www.home" - ], - "related.ip": [ - "10.115.42.231", - "10.161.212.150" - ], - "related.user": [ - "res", - "sequamn", - "tasnul" - ], - "rsa.counters.dclass_c1": 4846, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "niamqui", - "rsa.db.index": "natus", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "deny" - ], - 
"rsa.misc.event_type": "Login", - "rsa.misc.group": "abi", - "rsa.misc.group_object": "corporis", - "rsa.misc.result": "failure", - "rsa.time.duration_time": 6.993, - "rsa.time.starttime": "2019-10-03T22:11:40.000Z", - "service.type": "imperva", - "source.address": "isau4356.www.home", - "source.ip": "10.161.212.150", - "source.port": 2748, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "res" - }, - { - "destination.ip": "10.247.108.144", - "destination.port": 3896, - "event.action": "block", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=emp,event#=suscipit,createTime=2019-10-18 03:14:14,updateTime=iaconseq,alertSev=medium,group=sciuntNe,ruleName=\"nevo\",evntDesc=\"stiaec\",category=officia,disposition=ametcon,eventType=gnid,proto=ipv6,srcPort=5677,srcIP=10.226.75.20,dstPort=3896,dstIP=10.247.108.144,policyName=\"iutaliqu\",occurrences=3711,httpHost=onsectet,webMethod=iat,url=\"https://www5.example.org/elaud/temsequ.htm?dolo=iciatisu#eip\",webQuery=\"iquaUte\",soapAction=aborumSe,resultCode=writt,sessionID=dent,username=tema,addUsername=saquaeab,responseTime=rpo,responseSize=inr,direction=internal,dbUsername=edquiac,queryGroup=olore,application=\"urEx\",srcHost=labo3477.www5.domain,osUsername=maccusan,schemaName=fugia,dbName=psa,hdrName=iset,action=\"block\",errormsg=\"success\"", - "fileset.name": "securesphere", - "group.name": "sciuntNe", - "host.hostname": "labo3477.www5.domain", - "input.type": "log", - "log.level": "medium", - "log.offset": 44914, - "network.application": "urEx", - "network.direction": "internal", - "network.protocol": "ipv6", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "labo3477.www5.domain" - ], - "related.ip": [ - "10.226.75.20", - "10.247.108.144" - ], - "related.user": [ - "fugia", - "maccusan", - "tema" - ], - "rsa.counters.event_counter": 3711, - 
"rsa.db.database": "psa", - "rsa.internal.event_desc": "stiaec", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "block", - "iat" - ], - "rsa.misc.category": "officia", - "rsa.misc.disposition": "ametcon", - "rsa.misc.event_type": "gnid", - "rsa.misc.group": "sciuntNe", - "rsa.misc.log_session_id": "dent", - "rsa.misc.operation_id": "emp", - "rsa.misc.policy_name": "iutaliqu", - "rsa.misc.result": "success", - "rsa.misc.result_code": "writt", - "rsa.misc.rule_name": "nevo", - "rsa.misc.severity": "medium", - "rsa.time.starttime": "2019-10-18T05:14:14.000Z", - "rsa.web.alias_host": "onsectet", - "rule.name": "nevo", - "service.type": "imperva", - "source.address": "labo3477.www5.domain", - "source.ip": "10.226.75.20", - "source.port": 5677, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "url.domain": "www5.example.org", - "url.extension": "htm", - "url.fragment": "eip", - "url.original": "https://www5.example.org/elaud/temsequ.htm?dolo=iciatisu#eip", - "url.path": "/elaud/temsequ.htm", - "url.query": [ - "dolo=iciatisu", - "iquaUte" - ], - "url.scheme": "https", - "user.name": "tema" - }, - { - "destination.ip": "10.192.15.65", - "destination.port": 3328, - "event.action": "block", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.192.15.65,dstPort=3328,dbUsername=nimides,srcIP=10.97.22.61,srcPort=6420,creatTime=2019-11-01 10:16:48,srvGroup=labor,service=quelaud,appName=ira,event#=gna,eventType=aparia,usrGroup=ntoreve,usrAuth=remips,application=\"uptatemU\",osUsername=illumd,srcHost=itseddo2209.mail.domain,dbName=olu,schemaName=rExcep,bindVar=turExcep,sqlError=success,respSize=4173,respTime=166.270000,affRows=duntutla,action=\"block\",rawQuery=\"tmollit\"", - "fileset.name": "securesphere", - "group.name": "ntoreve", - "host.hostname": "itseddo2209.mail.domain", - "input.type": "log", - "log.offset": 45679, - "network.application": "uptatemU", 
- "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "itseddo2209.mail.domain" - ], - "related.ip": [ - "10.192.15.65", - "10.97.22.61" - ], - "related.user": [ - "illumd", - "nimides", - "rExcep" - ], - "rsa.counters.dclass_c1": 4173, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "olu", - "rsa.db.index": "tmollit", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.event_type": "aparia", - "rsa.misc.group": "ntoreve", - "rsa.misc.group_object": "labor", - "rsa.misc.result": "success", - "rsa.time.duration_time": 166.27, - "rsa.time.starttime": "2019-11-01T12:16:48.000Z", - "service.type": "imperva", - "source.address": "itseddo2209.mail.domain", - "source.ip": "10.97.22.61", - "source.port": 6420, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "nimides" - }, - { - "destination.ip": "10.116.76.161", - "destination.port": 2009, - "event.action": "cancel", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,alert#=venia,event#=Loremi,createTime=2019-11-15 17:19:22,updateTime=uisnostr,alertSev=medium,group=vol,ruleName=\"ommodi\",evntDesc=\"ritat\",category=dipi,disposition=asnulapa,eventType=atev,proto=tcp,srcPort=7469,srcIP=10.197.254.133,dstPort=2009,dstIP=10.116.76.161,policyName=\"tla\",occurrences=2608,httpHost=ender,webMethod=quid,url=\"https://mail.example.net/teturad/nimide.htm?ueporroq=writ#ema\",webQuery=\"ioffici\",soapAction=agni,resultCode=tat,sessionID=metconse,username=ide,addUsername=equu,responseTime=pernatur,responseSize=orem,direction=outbound,dbUsername=caecatc,queryGroup=iarc,application=\"emquia\",srcHost=duntutl3396.api.host,osUsername=idu,schemaName=trudex,dbName=ncul,hdrName=mcorpor,action=cancel", - "fileset.name": "securesphere", - "group.name": "vol", - "host.hostname": "duntutl3396.api.host", - "input.type": 
"log", - "log.level": "medium", - "log.offset": 46132, - "network.application": "emquia", - "network.direction": "outbound", - "network.protocol": "tcp", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "duntutl3396.api.host" - ], - "related.ip": [ - "10.116.76.161", - "10.197.254.133" - ], - "related.user": [ - "ide", - "idu", - "trudex" - ], - "rsa.counters.event_counter": 2608, - "rsa.db.database": "ncul", - "rsa.internal.event_desc": "ritat", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "cancel", - "quid" - ], - "rsa.misc.category": "dipi", - "rsa.misc.disposition": "asnulapa", - "rsa.misc.event_type": "atev", - "rsa.misc.group": "vol", - "rsa.misc.log_session_id": "metconse", - "rsa.misc.operation_id": "venia", - "rsa.misc.policy_name": "tla", - "rsa.misc.result_code": "tat", - "rsa.misc.rule_name": "ommodi", - "rsa.misc.severity": "medium", - "rsa.time.starttime": "2019-11-15T19:19:22.000Z", - "rsa.web.alias_host": "ender", - "rule.name": "ommodi", - "service.type": "imperva", - "source.address": "duntutl3396.api.host", - "source.ip": "10.197.254.133", - "source.port": 7469, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "url.domain": "mail.example.net", - "url.extension": "htm", - "url.fragment": "ema", - "url.original": "https://mail.example.net/teturad/nimide.htm?ueporroq=writ#ema", - "url.path": "/teturad/nimide.htm", - "url.query": [ - "ioffici", - "ueporroq=writ" - ], - "url.scheme": "https", - "user.name": "ide" - }, - { - "destination.ip": "10.28.77.79", - "destination.port": 3615, - "event.action": "deny", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.28.77.79,dstPort=3615,dbUsername=upta,srcIP=10.144.14.15,srcPort=1150,creatTime=30 November 2019 
00:21:57,srvGroup=consequ,service=min,appName=riame,event#=gnaal,eventType=Login,usrGroup=nti,usrAuth=True,application=\"tetura\",osUsername=utlab,srcHost=colabo6686.internal.invalid,dbName=uptass,schemaName=rspic,bindVar=itsedq,sqlError=success,respSize=4810,respTime=22.348000,affRows=iut,action=\"deny\",rawQuery=\"nemu\"", - "event.outcome": "success", - "fileset.name": "securesphere", - "group.name": "nti", - "host.hostname": "colabo6686.internal.invalid", - "input.type": "log", - "log.offset": 46865, - "network.application": "tetura", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "colabo6686.internal.invalid" - ], - "related.ip": [ - "10.144.14.15", - "10.28.77.79" - ], - "related.user": [ - "rspic", - "upta", - "utlab" - ], - "rsa.counters.dclass_c1": 4810, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "uptass", - "rsa.db.index": "nemu", - "rsa.internal.messageid": "Imperva", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.event_type": "Login", - "rsa.misc.group": "nti", - "rsa.misc.group_object": "consequ", - "rsa.misc.result": "success", - "rsa.time.duration_time": 22.348, - "rsa.time.starttime": "2019-11-30T02:21:57.000Z", - "service.type": "imperva", - "source.address": "colabo6686.internal.invalid", - "source.ip": "10.144.14.15", - "source.port": 1150, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "upta" - }, - { - "destination.ip": "10.248.177.182", - "destination.port": 317, - "event.action": "accept", - "event.code": "Imperva", - "event.dataset": "imperva.securesphere", - "event.module": "imperva", - "event.original": "%IMPERVA-Imperva,dstIP=10.248.177.182,dstPort=317,dbUsername=quei,srcIP=10.18.15.43,srcPort=2224,creatTime=2019-12-14 
07:24:31,srvGroup=reetdol,service=umtotam,appName=itaedi,event#=ant,eventType=tiumt,usrGroup=taedicta,usrAuth=mveniamq,application=\"exerci\",osUsername=quaturve,srcHost=tsunti1164.www.example,dbName=equatur,schemaName=caecat,bindVar=oreetd,sqlError=unknown,respSize=983,respTime=113.318000,affRows=nderit,action=\"accept\",rawQuery=\"icer\"", - "fileset.name": "securesphere", - "group.name": "taedicta", - "host.hostname": "tsunti1164.www.example", - "input.type": "log", - "log.offset": 47307, - "network.application": "exerci", - "observer.product": "Secure", - "observer.type": "WAF", - "observer.vendor": "Imperva", - "related.hosts": [ - "tsunti1164.www.example" - ], - "related.ip": [ - "10.18.15.43", - "10.248.177.182" - ], - "related.user": [ - "caecat", - "quaturve", - "quei" - ], - "rsa.counters.dclass_c1": 983, - "rsa.counters.dclass_c1_str": "Affected Rows", - "rsa.db.database": "equatur", - "rsa.db.index": "icer", - "rsa.internal.messageid": "Imperva", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.event_type": "tiumt", - "rsa.misc.group": "taedicta", - "rsa.misc.group_object": "reetdol", - "rsa.misc.result": "unknown", - "rsa.time.duration_time": 113.318, - "rsa.time.starttime": "2019-12-14T09:24:31.000Z", - "service.type": "imperva", - "source.address": "tsunti1164.www.example", - "source.ip": "10.18.15.43", - "source.port": 2224, - "tags": [ - "forwarded", - "imperva.securesphere" - ], - "user.name": "quei" - } -] \ No newline at end of file diff --git a/x-pack/filebeat/modules.d/imperva.yml.disabled b/x-pack/filebeat/modules.d/imperva.yml.disabled deleted file mode 100644 index e6616398303..00000000000 --- a/x-pack/filebeat/modules.d/imperva.yml.disabled +++ /dev/null 
@@ -1,22 +0,0 @@ -# Module: imperva -# Docs: https://www.elastic.co/guide/en/beats/filebeat/main/filebeat-module-imperva.html - -- module: imperva - securesphere: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9511 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local From de69740c903f46e351319a6be807b42241ce4fff Mon Sep 17 00:00:00 2001 
From: Panos Koutsovasilis Date: Thu, 15 Feb 2024 13:39:22 +0200 Subject: [PATCH 09/22] feat: remove deprecated infoblox --- filebeat/docs/fields.asciidoc | 1 - filebeat/docs/modules_list.asciidoc | 2 - x-pack/filebeat/filebeat.reference.yml | 21 - x-pack/filebeat/include/list.go | 1 - x-pack/filebeat/module/infoblox/README.md | 7 - .../filebeat/module/infoblox/_meta/config.yml | 19 - .../module/infoblox/_meta/docs.asciidoc | 70 - .../filebeat/module/infoblox/_meta/fields.yml | 5 - x-pack/filebeat/module/infoblox/fields.go | 23 - .../module/infoblox/nios/_meta/fields.yml | 2635 ------------ .../module/infoblox/nios/config/input.yml | 87 - .../infoblox/nios/config/liblogparser.js | 2514 ----------- .../module/infoblox/nios/config/pipeline.js | 3697 ----------------- .../module/infoblox/nios/ingest/pipeline.yml | 64 - .../module/infoblox/nios/manifest.yml | 31 - .../module/infoblox/nios/test/generated.log | 100 - .../nios/test/generated.log-expected.json | 2722 ------------ .../filebeat/modules.d/infoblox.yml.disabled | 22 - 18 files changed, 12021 deletions(-) delete mode 100644 x-pack/filebeat/module/infoblox/README.md delete mode 100644 x-pack/filebeat/module/infoblox/_meta/config.yml delete mode 100644 x-pack/filebeat/module/infoblox/_meta/docs.asciidoc delete mode 100644 x-pack/filebeat/module/infoblox/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/infoblox/fields.go delete mode 100644 x-pack/filebeat/module/infoblox/nios/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/infoblox/nios/config/input.yml delete mode 100644 x-pack/filebeat/module/infoblox/nios/config/liblogparser.js delete mode 100644 x-pack/filebeat/module/infoblox/nios/config/pipeline.js delete mode 100644 x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml delete mode 100644 x-pack/filebeat/module/infoblox/nios/manifest.yml delete mode 100644 x-pack/filebeat/module/infoblox/nios/test/generated.log delete mode 100644 
x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json delete mode 100644 x-pack/filebeat/modules.d/infoblox.yml.disabled diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 0ea5811a35c..1f786a8be25 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -42,7 +42,6 @@ grouped in the following categories: * <> * <> * <> -* <> * <> * <> * <> diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index 870f2b2a2df..d4558b50582 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -24,7 +24,6 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> - * <> * <> * <> * <> @@ -93,7 +92,6 @@ include::modules/haproxy.asciidoc[] include::modules/ibmmq.asciidoc[] include::modules/icinga.asciidoc[] include::modules/iis.asciidoc[] -include::modules/infoblox.asciidoc[] include::modules/iptables.asciidoc[] include::modules/juniper.asciidoc[] include::modules/kafka.asciidoc[] diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 05d961c494b..36113570a9e 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -1091,27 +1091,6 @@ filebeat.modules: # can be added under this section. #input: -#---------------------------- Infoblox NIOS Module ---------------------------- -- module: infoblox - nios: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9512 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - #------------------------------- Iptables Module ------------------------------- - module: iptables log: 
diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index 59048aceeb4..74856aa4b53 100644 --- a/x-pack/filebeat/include/list.go +++ b/x-pack/filebeat/include/list.go @@ -31,7 +31,6 @@ import ( _ "github.com/elastic/beats/v7/x-pack/filebeat/module/gcp" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/google_workspace" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/ibmmq" - _ "github.com/elastic/beats/v7/x-pack/filebeat/module/infoblox" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/iptables" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/juniper" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/microsoft" diff --git a/x-pack/filebeat/module/infoblox/README.md b/x-pack/filebeat/module/infoblox/README.md deleted file mode 100644 index 71a9075d5ab..00000000000 --- a/x-pack/filebeat/module/infoblox/README.md +++ /dev/null @@ -1,7 +0,0 @@ -# infoblox module - -This is a module for Infoblox NIOS logs. - -Autogenerated from RSA NetWitness log parser 2.0 XML infobloxnios version 134 -at 2020-12-23 15:19:50.215335 +0000 UTC. - diff --git a/x-pack/filebeat/module/infoblox/_meta/config.yml b/x-pack/filebeat/module/infoblox/_meta/config.yml deleted file mode 100644 index 03c704cc5ba..00000000000 --- a/x-pack/filebeat/module/infoblox/_meta/config.yml +++ /dev/null @@ -1,19 +0,0 @@ -- module: infoblox - nios: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9512 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local diff --git a/x-pack/filebeat/module/infoblox/_meta/docs.asciidoc b/x-pack/filebeat/module/infoblox/_meta/docs.asciidoc deleted file mode 100644 index dc894b8f3c3..00000000000 
--- a/x-pack/filebeat/module/infoblox/_meta/docs.asciidoc +++ /dev/null 
@@ -1,70 +0,0 @@ -[role="xpack"] - -:modulename: infoblox -:has-dashboards: false - -== Infoblox module - -deprecated::[8.12.0,"This module is deprecated. Use the https://docs.elastic.co/integrations/infoblox_nios[Infoblox NIOS] Elastic integration instead."] - -experimental[] - -include::{libbeat-dir}/shared/integration-link.asciidoc[] - -This is a module for receiving Infoblox NIOS logs over Syslog or a file. - -include::../include/gs-link.asciidoc[] - -include::../include/configuring-intro.asciidoc[] - -:fileset_ex: nios - -include::../include/config-option-intro.asciidoc[] - -[float] -==== `nios` fileset settings - -experimental[] - -NOTE: This was converted from RSA NetWitness log parser XML "infobloxnios" device revision 134. - -*`var.input`*:: - -The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. - -*`var.syslog_host`*:: - -The address to listen to UDP or TCP based syslog traffic. -Defaults to `localhost`. -Set to `0.0.0.0` to bind to all available interfaces. - -*`var.syslog_port`*:: - -The port to listen for syslog traffic. Defaults to `9512` - -NOTE: Ports below 1024 require Filebeat to run as root. - -*`var.tz_offset`*:: - -By default, datetimes in the logs will be interpreted as relative to -the timezone configured in the host where {beatname_uc} is running. If ingesting -logs from a host on a different timezone, use this field to set the timezone -offset so that datetimes are correctly parsed. Valid values are in the form -±HH:mm, for example, `-07:00` for `UTC-7`. - -*`var.rsa_fields`*:: - -Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be added. - -*`var.keep_raw_fields`*:: - -Flag to control the addition of the raw parser fields to the event. This fields -will be found under `rsa.raw`. The default is false. - -:has-dashboards!: - -:fileset_ex!: - -:modulename!: - 
diff --git a/x-pack/filebeat/module/infoblox/_meta/fields.yml b/x-pack/filebeat/module/infoblox/_meta/fields.yml deleted file mode 100644 index 38b39cb5624..00000000000 --- a/x-pack/filebeat/module/infoblox/_meta/fields.yml +++ /dev/null @@ -1,5 +0,0 @@ -- key: infoblox - title: Infoblox NIOS - description: > - infoblox fields. - fields: diff --git a/x-pack/filebeat/module/infoblox/fields.go b/x-pack/filebeat/module/infoblox/fields.go deleted file mode 100644 index 00ce879c705..00000000000 --- a/x-pack/filebeat/module/infoblox/fields.go +++ /dev/null @@ -1,23 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. - -package infoblox - -import ( - "github.com/elastic/beats/v7/libbeat/asset" -) - -func init() { - if err := asset.SetFields("filebeat", "infoblox", asset.ModuleFieldsPri, AssetInfoblox); err != nil { - panic(err) - } -} - -// AssetInfoblox returns asset data. -// This is the base64 encoded zlib format compressed contents of module/infoblox. -func AssetInfoblox() string { - return "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" -} diff --git a/x-pack/filebeat/module/infoblox/nios/_meta/fields.yml b/x-pack/filebeat/module/infoblox/nios/_meta/fields.yml deleted file mode 100644 index 08a34153c4f..00000000000 --- a/x-pack/filebeat/module/infoblox/nios/_meta/fields.yml +++ /dev/null 
@@ -1,2635 +0,0 @@ -- name: network.interface.name - overwrite: true - type: keyword - description: > - Name of the network interface where the traffic has been observed. -- name: rsa - overwrite: true - type: group - fields: - - name: internal - overwrite: true - type: group - fields: - - name: msg - overwrite: true - type: keyword - description: This key is used to capture the raw message that comes into the - Log Decoder - - name: messageid - overwrite: true - type: keyword - - name: event_desc - overwrite: true - type: keyword - - name: message - overwrite: true - type: keyword - description: This key captures the contents of instant messages - - name: time - overwrite: true - type: date - description: This is the time at which a session hits a NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness. - - name: level - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: msg_id - overwrite: true - type: keyword - description: This is the Message ID1 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: msg_vid - overwrite: true - type: keyword - description: This is the Message ID2 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: data - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: resource - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: statement - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: entry - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: inode - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: resource_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: dead - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - overwrite: true - type: keyword - description: This is used to capture the description of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: feed_name - overwrite: true - type: keyword - description: This is used to capture the name of the feed. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: cid - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_class - overwrite: true - type: keyword - description: This is the Classification of the Log Event Source under a predefined - fixed set of Event Source Classifications. 
This key should never be used to - parse Meta data from a session (Logs/Packets) Directly, this is a Reserved - key in NetWitness - - name: device_group - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - overwrite: true - type: keyword - description: This is the Hostname of the log Event Source sending the logs to - NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - overwrite: true - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - overwrite: true - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - overwrite: true - type: keyword - description: This is the name of the log parser which parsed a given session. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_type_id - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: did - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. 
- This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: entropy_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: entropy_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: event_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - overwrite: true - type: keyword - description: This is used to capture the category of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: forward_ip - overwrite: true - type: ip - description: This key should be used to capture the IPV4 address of a relay - system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - overwrite: true - type: ip - description: This key is used to capture the IPV6 address of a relay system - which forwarded the events from the original system to NetWitness. This key - should never be used to parse Meta data from a session (Logs/Packets) Directly, - this is a Reserved key in NetWitness - - name: header_id - overwrite: true - type: keyword - description: This is the Header ID value that identifies the exact log parser - header definition that parses a particular log session. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: lc_cid - overwrite: true - type: keyword - description: This is a unique Identifier of a Log Collector. 
This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: lc_ctime - overwrite: true - type: date - description: This is the time at which a log is collected in a NetWitness Log - Collector. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: mcbc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: medium - overwrite: true - type: long - description: "This key is used to identify if it\u2019s a log/packet session\ - \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ - \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ - \ 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: nwe_callback_id - overwrite: true - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - overwrite: true - type: keyword - description: This is a special key that stores any Meta key validation error - found while parsing a log session. This key should never be used to parse - Meta data from a session (Logs/Packets) Directly, this is a Reserved key in - NetWitness - - name: payload_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: payload_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: process_vid_dst - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the target process. - - name: process_vid_src - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the source process. - - name: rid - overwrite: true - type: long - description: This is a special ID of the Remote Session created by NetWitness - Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: session_split - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: size - overwrite: true - type: long - description: This is the size of the session as seen by the NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: sourcefile - overwrite: true - type: keyword - description: This is the name of the log file or PCAPs that can be imported - into NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: ubc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: word - overwrite: true - type: keyword - description: This is used by the Word Parsing technology to capture the first - 5 character of every word in an unparsed log - - name: time - overwrite: true - type: group - fields: - - name: event_time - overwrite: true - type: date - description: This key is used to capture the time mentioned in a raw session - that represents the actual time an event occured in a standard normalized - form - - name: duration_time - overwrite: true - type: double - description: This key is used to capture the normalized duration/lifetime in - seconds. 
- - name: event_time_str - overwrite: true - type: keyword - description: This key is used to capture the incomplete time mentioned in a - session as a string - - name: starttime - overwrite: true - type: date - description: This key is used to capture the Start time mentioned in a session - in a standard form - - name: month - overwrite: true - type: keyword - - name: day - overwrite: true - type: keyword - - name: endtime - overwrite: true - type: date - description: This key is used to capture the End time mentioned in a session - in a standard form - - name: timezone - overwrite: true - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - overwrite: true - type: keyword - description: A text string version of the duration - - name: date - overwrite: true - type: keyword - - name: year - overwrite: true - type: keyword - - name: recorded_time - overwrite: true - type: date - description: The event time as recorded by the system the event is collected - from. The usage scenario is a multi-tier application where the management - layer of the system records it's own timestamp at the time of collection from - its child nodes. Must be in timestamp format. - - name: datetime - overwrite: true - type: keyword - - name: effective_time - overwrite: true - type: date - description: This key is the effective time referenced by an individual event - in a Standard Timestamp format - - name: expire_time - overwrite: true - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - overwrite: true - type: keyword - description: Deprecated, use duration.time - - name: hour - overwrite: true - type: keyword - - name: min - overwrite: true - type: keyword - - name: timestamp - overwrite: true - type: keyword - - name: event_queue_time - overwrite: true - type: date - description: This key is the Time that the event was queued. 
- - name: p_time1 - overwrite: true - type: keyword - - name: tzone - overwrite: true - type: keyword - - name: eventtime - overwrite: true - type: keyword - - name: gmtdate - overwrite: true - type: keyword - - name: gmttime - overwrite: true - type: keyword - - name: p_date - overwrite: true - type: keyword - - name: p_month - overwrite: true - type: keyword - - name: p_time - overwrite: true - type: keyword - - name: p_time2 - overwrite: true - type: keyword - - name: p_year - overwrite: true - type: keyword - - name: expire_time_str - overwrite: true - type: keyword - description: This key is used to capture incomplete timestamp that explicitly - refers to an expiration. - - name: stamp - overwrite: true - type: date - description: Deprecated key defined only in table map. - - name: misc - overwrite: true - type: group - fields: - - name: action - overwrite: true - type: keyword - - name: result - overwrite: true - type: keyword - description: This key is used to capture the outcome/result string value of - an action in a session. - - name: severity - overwrite: true - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - overwrite: true - type: keyword - description: This key captures the event category type as specified by the event - source. - - name: reference_id - overwrite: true - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - overwrite: true - type: keyword - description: This key captures Version of the application or OS which is generating - the event. - - name: disposition - overwrite: true - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - overwrite: true - type: keyword - description: This key is used to capture the outcome/result numeric value of - an action in a session - - name: category - overwrite: true - type: keyword - description: This key is used to capture the category of an event given by the - vendor in the session - - name: obj_name - overwrite: true - type: keyword - description: This is used to capture name of object - - name: obj_type - overwrite: true - type: keyword - description: This is used to capture type of object - - name: event_source - overwrite: true - type: keyword - description: "This key captures Source of the event that\u2019s not a hostname" - - name: log_session_id - overwrite: true - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - overwrite: true - type: keyword - description: This key captures the Group Name value - - name: policy_name - overwrite: true - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - overwrite: true - type: keyword - description: This key captures the Rule Name - - name: context - overwrite: true - type: keyword - description: This key captures Information which adds additional context to - the event. - - name: change_new - overwrite: true - type: keyword - description: "This key is used to capture the new values of the attribute that\u2019\ - s changing in a session" - - name: space - overwrite: true - type: keyword - - name: client - overwrite: true - type: keyword - description: This key is used to capture only the name of the client application - requesting resources of the server. See the user.agent meta key for capture - of the specific user agent identifier or browser identification string. 
- - name: msgIdPart1 - overwrite: true - type: keyword - - name: msgIdPart2 - overwrite: true - type: keyword - - name: change_old - overwrite: true - type: keyword - description: "This key is used to capture the old value of the attribute that\u2019\ - s changing in a session" - - name: operation_id - overwrite: true - type: keyword - description: An alert number or operation number. The values should be unique - and non-repeating. - - name: event_state - overwrite: true - type: keyword - description: This key captures the current state of the object/item referenced - within the event. Describing an on-going event. - - name: group_object - overwrite: true - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - overwrite: true - type: keyword - description: Common use case is the node name within a cluster. The cluster - name is reflected by the host name. - - name: rule - overwrite: true - type: keyword - description: This key captures the Rule number - - name: device_name - overwrite: true - type: keyword - description: 'This is used to capture name of the Device associated with the - node Like: a physical disk, printer, etc' - - name: param - overwrite: true - type: keyword - description: This key is the parameters passed as part of a command or application, - etc. - - name: change_attrib - overwrite: true - type: keyword - description: "This key is used to capture the name of the attribute that\u2019\ - s changing in a session" - - name: event_computer - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - fully qualified domain name in a windows log. 
- - name: reference_id1 - overwrite: true - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - overwrite: true - type: keyword - description: This key captures the Name of the event log - - name: OS - overwrite: true - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - overwrite: true - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - overwrite: true - type: keyword - - name: filter - overwrite: true - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - overwrite: true - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the entity - such as a file or process. Checksum should be used over checksum.src or checksum.dst - when it is unclear whether the entity is a source or target of an action. - - name: event_user - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - combination of domain name and username in a windows log. - - name: virusname - overwrite: true - type: keyword - description: This key captures the name of the virus - - name: content_type - overwrite: true - type: keyword - description: This key is used to capture Content Type only. 
- - name: group_id - overwrite: true - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - overwrite: true - type: keyword - description: This key is used to capture the Policy ID only, this should be - a numeric value, use policy.name otherwise - - name: vsys - overwrite: true - type: keyword - description: This key captures Virtual System Name - - name: connection_id - overwrite: true - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - overwrite: true - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" - or "reference.id1" value but should not be used unless the other two variables - are in play. - - name: sensor - overwrite: true - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS - based devices - - name: sig_id - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - overwrite: true - type: keyword - description: 'This key is used for Physical or logical port connection but does - NOT include a network port. (Example: Printer port name).' - - name: rule_group - overwrite: true - type: keyword - description: This key captures the Rule group name - - name: risk_num - overwrite: true - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - overwrite: true - type: keyword - description: This key captures the Value of the trigger or threshold condition. - - name: log_session_id1 - overwrite: true - type: keyword - description: This key is used to capture a Linked (Related) Session ID from - the session directly - - name: comp_version - overwrite: true - type: keyword - description: This key captures the Version level of a sub-component of a product. 
- - name: content_version - overwrite: true - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - overwrite: true - type: keyword - description: This key is used to capture unique identifier for a device or system - (NOT a Mac address) - - name: risk - overwrite: true - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - overwrite: true - type: keyword - - name: reason - overwrite: true - type: keyword - - name: status - overwrite: true - type: keyword - - name: mail_id - overwrite: true - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - overwrite: true - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - overwrite: true - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - overwrite: true - type: keyword - - name: p_msgid - overwrite: true - type: keyword - - name: data_type - overwrite: true - type: keyword - - name: msgIdPart4 - overwrite: true - type: keyword - - name: error - overwrite: true - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - overwrite: true - type: keyword - - name: listnum - overwrite: true - type: keyword - description: This key is used to capture listname or listnumber, primarily for - collecting access-list - - name: ntype - overwrite: true - type: keyword - - name: observed_val - overwrite: true - type: keyword - description: This key captures the Value observed (from the perspective of the - device generating the log). - - name: policy_value - overwrite: true - type: keyword - description: This key captures the contents of the policy. 
This contains details - about the policy - - name: pool_name - overwrite: true - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - overwrite: true - type: keyword - description: A default set of parameters which are overlayed onto a rule (or - rulename) which efffectively constitutes a template - - name: count - overwrite: true - type: keyword - - name: number - overwrite: true - type: keyword - - name: sigcat - overwrite: true - type: keyword - - name: type - overwrite: true - type: keyword - - name: comments - overwrite: true - type: keyword - description: Comment information provided in the log message - - name: doc_number - overwrite: true - type: long - description: This key captures File Identification number - - name: expected_val - overwrite: true - type: keyword - description: This key captures the Value expected (from the perspective of the - device generating the log). - - name: job_num - overwrite: true - type: keyword - description: This key captures the Job Number - - name: spi_dst - overwrite: true - type: keyword - description: Destination SPI Index - - name: spi_src - overwrite: true - type: keyword - description: Source SPI Index - - name: code - overwrite: true - type: keyword - - name: agent_id - overwrite: true - type: keyword - description: This key is used to capture agent id - - name: message_body - overwrite: true - type: keyword - description: This key captures the The contents of the message body. - - name: phone - overwrite: true - type: keyword - - name: sig_id_str - overwrite: true - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - overwrite: true - type: keyword - - name: misc - overwrite: true - type: keyword - - name: name - overwrite: true - type: keyword - - name: cpu - overwrite: true - type: long - description: This key is the CPU time used in the execution of the event being - recorded. 
- - name: event_desc - overwrite: true - type: keyword - description: This key is used to capture a description of an event available - directly or inferred - - name: sig_id1 - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID. This must be linked - to the sig.id - - name: im_buddyid - overwrite: true - type: keyword - - name: im_client - overwrite: true - type: keyword - - name: im_userid - overwrite: true - type: keyword - - name: pid - overwrite: true - type: keyword - - name: priority - overwrite: true - type: keyword - - name: context_subject - overwrite: true - type: keyword - description: This key is to be used in an audit context where the subject is - the object being identified - - name: context_target - overwrite: true - type: keyword - - name: cve - overwrite: true - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - - an identifier for known information security vulnerabilities. - - name: fcatnum - overwrite: true - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - overwrite: true - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - overwrite: true - type: keyword - description: This key captures the Parent Node Name. Must be related to node - variable. - - name: risk_info - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - overwrite: true - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - overwrite: true - type: long - description: This key describes the type of service - - name: vm_target - overwrite: true - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - overwrite: true - type: keyword - description: This key captures Workspace Description - - name: command - overwrite: true - type: keyword - - name: event_category - overwrite: true - type: keyword - - name: facilityname - overwrite: true - type: keyword - - name: forensic_info - overwrite: true - type: keyword - - name: jobname - overwrite: true - type: keyword - - name: mode - overwrite: true - type: keyword - - name: policy - overwrite: true - type: keyword - - name: policy_waiver - overwrite: true - type: keyword - - name: second - overwrite: true - type: keyword - - name: space1 - overwrite: true - type: keyword - - name: subcategory - overwrite: true - type: keyword - - name: tbdstr2 - overwrite: true - type: keyword - - name: alert_id - overwrite: true - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the the target - entity such as a process or file. - - name: checksum_src - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the source - entity such as a file or process. 
- - name: fresult - overwrite: true - type: long - description: This key captures the Filter Result - - name: payload_dst - overwrite: true - type: keyword - description: This key is used to capture destination payload - - name: payload_src - overwrite: true - type: keyword - description: This key is used to capture source payload - - name: pool_id - overwrite: true - type: keyword - description: This key captures the identifier (typically numeric field) of a - resource pool - - name: process_id_val - overwrite: true - type: keyword - description: This key is a failure key for Process ID when it is not an integer - value - - name: risk_num_comm - overwrite: true - type: double - description: This key captures Risk Number Community - - name: risk_num_next - overwrite: true - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - overwrite: true - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - overwrite: true - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - overwrite: true - type: keyword - description: SNMP Object Identifier - - name: sql - overwrite: true - type: keyword - description: This key captures the SQL query - - name: vuln_ref - overwrite: true - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - overwrite: true - type: keyword - - name: acl_op - overwrite: true - type: keyword - - name: acl_pos - overwrite: true - type: keyword - - name: acl_table - overwrite: true - type: keyword - - name: admin - overwrite: true - type: keyword - - name: alarm_id - overwrite: true - type: keyword - - name: alarmname - 
overwrite: true - type: keyword - - name: app_id - overwrite: true - type: keyword - - name: audit - overwrite: true - type: keyword - - name: audit_object - overwrite: true - type: keyword - - name: auditdata - overwrite: true - type: keyword - - name: benchmark - overwrite: true - type: keyword - - name: bypass - overwrite: true - type: keyword - - name: cache - overwrite: true - type: keyword - - name: cache_hit - overwrite: true - type: keyword - - name: cefversion - overwrite: true - type: keyword - - name: cfg_attr - overwrite: true - type: keyword - - name: cfg_obj - overwrite: true - type: keyword - - name: cfg_path - overwrite: true - type: keyword - - name: changes - overwrite: true - type: keyword - - name: client_ip - overwrite: true - type: keyword - - name: clustermembers - overwrite: true - type: keyword - - name: cn_acttimeout - overwrite: true - type: keyword - - name: cn_asn_src - overwrite: true - type: keyword - - name: cn_bgpv4nxthop - overwrite: true - type: keyword - - name: cn_ctr_dst_code - overwrite: true - type: keyword - - name: cn_dst_tos - overwrite: true - type: keyword - - name: cn_dst_vlan - overwrite: true - type: keyword - - name: cn_engine_id - overwrite: true - type: keyword - - name: cn_engine_type - overwrite: true - type: keyword - - name: cn_f_switch - overwrite: true - type: keyword - - name: cn_flowsampid - overwrite: true - type: keyword - - name: cn_flowsampintv - overwrite: true - type: keyword - - name: cn_flowsampmode - overwrite: true - type: keyword - - name: cn_inacttimeout - overwrite: true - type: keyword - - name: cn_inpermbyts - overwrite: true - type: keyword - - name: cn_inpermpckts - overwrite: true - type: keyword - - name: cn_invalid - overwrite: true - type: keyword - - name: cn_ip_proto_ver - overwrite: true - type: keyword - - name: cn_ipv4_ident - overwrite: true - type: keyword - - name: cn_l_switch - overwrite: true - type: keyword - - name: cn_log_did - overwrite: true - type: keyword - - name: 
cn_log_rid - overwrite: true - type: keyword - - name: cn_max_ttl - overwrite: true - type: keyword - - name: cn_maxpcktlen - overwrite: true - type: keyword - - name: cn_min_ttl - overwrite: true - type: keyword - - name: cn_minpcktlen - overwrite: true - type: keyword - - name: cn_mpls_lbl_1 - overwrite: true - type: keyword - - name: cn_mpls_lbl_10 - overwrite: true - type: keyword - - name: cn_mpls_lbl_2 - overwrite: true - type: keyword - - name: cn_mpls_lbl_3 - overwrite: true - type: keyword - - name: cn_mpls_lbl_4 - overwrite: true - type: keyword - - name: cn_mpls_lbl_5 - overwrite: true - type: keyword - - name: cn_mpls_lbl_6 - overwrite: true - type: keyword - - name: cn_mpls_lbl_7 - overwrite: true - type: keyword - - name: cn_mpls_lbl_8 - overwrite: true - type: keyword - - name: cn_mpls_lbl_9 - overwrite: true - type: keyword - - name: cn_mplstoplabel - overwrite: true - type: keyword - - name: cn_mplstoplabip - overwrite: true - type: keyword - - name: cn_mul_dst_byt - overwrite: true - type: keyword - - name: cn_mul_dst_pks - overwrite: true - type: keyword - - name: cn_muligmptype - overwrite: true - type: keyword - - name: cn_sampalgo - overwrite: true - type: keyword - - name: cn_sampint - overwrite: true - type: keyword - - name: cn_seqctr - overwrite: true - type: keyword - - name: cn_spackets - overwrite: true - type: keyword - - name: cn_src_tos - overwrite: true - type: keyword - - name: cn_src_vlan - overwrite: true - type: keyword - - name: cn_sysuptime - overwrite: true - type: keyword - - name: cn_template_id - overwrite: true - type: keyword - - name: cn_totbytsexp - overwrite: true - type: keyword - - name: cn_totflowexp - overwrite: true - type: keyword - - name: cn_totpcktsexp - overwrite: true - type: keyword - - name: cn_unixnanosecs - overwrite: true - type: keyword - - name: cn_v6flowlabel - overwrite: true - type: keyword - - name: cn_v6optheaders - overwrite: true - type: keyword - - name: comp_class - overwrite: true - type: 
keyword - - name: comp_name - overwrite: true - type: keyword - - name: comp_rbytes - overwrite: true - type: keyword - - name: comp_sbytes - overwrite: true - type: keyword - - name: cpu_data - overwrite: true - type: keyword - - name: criticality - overwrite: true - type: keyword - - name: cs_agency_dst - overwrite: true - type: keyword - - name: cs_analyzedby - overwrite: true - type: keyword - - name: cs_av_other - overwrite: true - type: keyword - - name: cs_av_primary - overwrite: true - type: keyword - - name: cs_av_secondary - overwrite: true - type: keyword - - name: cs_bgpv6nxthop - overwrite: true - type: keyword - - name: cs_bit9status - overwrite: true - type: keyword - - name: cs_context - overwrite: true - type: keyword - - name: cs_control - overwrite: true - type: keyword - - name: cs_data - overwrite: true - type: keyword - - name: cs_datecret - overwrite: true - type: keyword - - name: cs_dst_tld - overwrite: true - type: keyword - - name: cs_eth_dst_ven - overwrite: true - type: keyword - - name: cs_eth_src_ven - overwrite: true - type: keyword - - name: cs_event_uuid - overwrite: true - type: keyword - - name: cs_filetype - overwrite: true - type: keyword - - name: cs_fld - overwrite: true - type: keyword - - name: cs_if_desc - overwrite: true - type: keyword - - name: cs_if_name - overwrite: true - type: keyword - - name: cs_ip_next_hop - overwrite: true - type: keyword - - name: cs_ipv4dstpre - overwrite: true - type: keyword - - name: cs_ipv4srcpre - overwrite: true - type: keyword - - name: cs_lifetime - overwrite: true - type: keyword - - name: cs_log_medium - overwrite: true - type: keyword - - name: cs_loginname - overwrite: true - type: keyword - - name: cs_modulescore - overwrite: true - type: keyword - - name: cs_modulesign - overwrite: true - type: keyword - - name: cs_opswatresult - overwrite: true - type: keyword - - name: cs_payload - overwrite: true - type: keyword - - name: cs_registrant - overwrite: true - type: keyword - - 
name: cs_registrar - overwrite: true - type: keyword - - name: cs_represult - overwrite: true - type: keyword - - name: cs_rpayload - overwrite: true - type: keyword - - name: cs_sampler_name - overwrite: true - type: keyword - - name: cs_sourcemodule - overwrite: true - type: keyword - - name: cs_streams - overwrite: true - type: keyword - - name: cs_targetmodule - overwrite: true - type: keyword - - name: cs_v6nxthop - overwrite: true - type: keyword - - name: cs_whois_server - overwrite: true - type: keyword - - name: cs_yararesult - overwrite: true - type: keyword - - name: description - overwrite: true - type: keyword - - name: devvendor - overwrite: true - type: keyword - - name: distance - overwrite: true - type: keyword - - name: dstburb - overwrite: true - type: keyword - - name: edomain - overwrite: true - type: keyword - - name: edomaub - overwrite: true - type: keyword - - name: euid - overwrite: true - type: keyword - - name: facility - overwrite: true - type: keyword - - name: finterface - overwrite: true - type: keyword - - name: flags - overwrite: true - type: keyword - - name: gaddr - overwrite: true - type: keyword - - name: id3 - overwrite: true - type: keyword - - name: im_buddyname - overwrite: true - type: keyword - - name: im_croomid - overwrite: true - type: keyword - - name: im_croomtype - overwrite: true - type: keyword - - name: im_members - overwrite: true - type: keyword - - name: im_username - overwrite: true - type: keyword - - name: ipkt - overwrite: true - type: keyword - - name: ipscat - overwrite: true - type: keyword - - name: ipspri - overwrite: true - type: keyword - - name: latitude - overwrite: true - type: keyword - - name: linenum - overwrite: true - type: keyword - - name: list_name - overwrite: true - type: keyword - - name: load_data - overwrite: true - type: keyword - - name: location_floor - overwrite: true - type: keyword - - name: location_mark - overwrite: true - type: keyword - - name: log_id - overwrite: true - 
type: keyword - - name: log_type - overwrite: true - type: keyword - - name: logid - overwrite: true - type: keyword - - name: logip - overwrite: true - type: keyword - - name: logname - overwrite: true - type: keyword - - name: longitude - overwrite: true - type: keyword - - name: lport - overwrite: true - type: keyword - - name: mbug_data - overwrite: true - type: keyword - - name: misc_name - overwrite: true - type: keyword - - name: msg_type - overwrite: true - type: keyword - - name: msgid - overwrite: true - type: keyword - - name: netsessid - overwrite: true - type: keyword - - name: num - overwrite: true - type: keyword - - name: number1 - overwrite: true - type: keyword - - name: number2 - overwrite: true - type: keyword - - name: nwwn - overwrite: true - type: keyword - - name: object - overwrite: true - type: keyword - - name: operation - overwrite: true - type: keyword - - name: opkt - overwrite: true - type: keyword - - name: orig_from - overwrite: true - type: keyword - - name: owner_id - overwrite: true - type: keyword - - name: p_action - overwrite: true - type: keyword - - name: p_filter - overwrite: true - type: keyword - - name: p_group_object - overwrite: true - type: keyword - - name: p_id - overwrite: true - type: keyword - - name: p_msgid1 - overwrite: true - type: keyword - - name: p_msgid2 - overwrite: true - type: keyword - - name: p_result1 - overwrite: true - type: keyword - - name: password_chg - overwrite: true - type: keyword - - name: password_expire - overwrite: true - type: keyword - - name: permgranted - overwrite: true - type: keyword - - name: permwanted - overwrite: true - type: keyword - - name: pgid - overwrite: true - type: keyword - - name: policyUUID - overwrite: true - type: keyword - - name: prog_asp_num - overwrite: true - type: keyword - - name: program - overwrite: true - type: keyword - - name: real_data - overwrite: true - type: keyword - - name: rec_asp_device - overwrite: true - type: keyword - - name: rec_asp_num 
- overwrite: true - type: keyword - - name: rec_library - overwrite: true - type: keyword - - name: recordnum - overwrite: true - type: keyword - - name: ruid - overwrite: true - type: keyword - - name: sburb - overwrite: true - type: keyword - - name: sdomain_fld - overwrite: true - type: keyword - - name: sec - overwrite: true - type: keyword - - name: sensorname - overwrite: true - type: keyword - - name: seqnum - overwrite: true - type: keyword - - name: session - overwrite: true - type: keyword - - name: sessiontype - overwrite: true - type: keyword - - name: sigUUID - overwrite: true - type: keyword - - name: spi - overwrite: true - type: keyword - - name: srcburb - overwrite: true - type: keyword - - name: srcdom - overwrite: true - type: keyword - - name: srcservice - overwrite: true - type: keyword - - name: state - overwrite: true - type: keyword - - name: status1 - overwrite: true - type: keyword - - name: svcno - overwrite: true - type: keyword - - name: system - overwrite: true - type: keyword - - name: tbdstr1 - overwrite: true - type: keyword - - name: tgtdom - overwrite: true - type: keyword - - name: tgtdomain - overwrite: true - type: keyword - - name: threshold - overwrite: true - type: keyword - - name: type1 - overwrite: true - type: keyword - - name: udb_class - overwrite: true - type: keyword - - name: url_fld - overwrite: true - type: keyword - - name: user_div - overwrite: true - type: keyword - - name: userid - overwrite: true - type: keyword - - name: username_fld - overwrite: true - type: keyword - - name: utcstamp - overwrite: true - type: keyword - - name: v_instafname - overwrite: true - type: keyword - - name: virt_data - overwrite: true - type: keyword - - name: vpnid - overwrite: true - type: keyword - - name: autorun_type - overwrite: true - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - overwrite: true - type: long - description: Valid Credit Card Numbers only - - name: content - 
overwrite: true - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - overwrite: true - type: long - description: Employee Identification Numbers only - - name: found - overwrite: true - type: keyword - description: This is used to capture the results of regex match - - name: language - overwrite: true - type: keyword - description: This is used to capture list of languages the client support and - what it prefers - - name: lifetime - overwrite: true - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - overwrite: true - type: keyword - description: This key is used to link the sessions together. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: match - overwrite: true - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - overwrite: true - type: keyword - description: This key captures the command line/launch argument of the target - process or file - - name: param_src - overwrite: true - type: keyword - description: This key captures source parameter - - name: search_text - overwrite: true - type: keyword - description: This key captures the Search Text used - - name: sig_name - overwrite: true - type: keyword - description: This key is used to capture the Signature Name only. - - name: snmp_value - overwrite: true - type: keyword - description: SNMP set request value - - name: streams - overwrite: true - type: long - description: This key captures number of streams in session - - name: db - overwrite: true - type: group - fields: - - name: index - overwrite: true - type: keyword - description: This key captures IndexID of the index. 
- - name: instance - overwrite: true - type: keyword - description: This key is used to capture the database server instance name - - name: database - overwrite: true - type: keyword - description: This key is used to capture the name of a database or an instance - as seen in a session - - name: transact_id - overwrite: true - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - overwrite: true - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - overwrite: true - type: keyword - description: This key is used to capture the table name - - name: db_id - overwrite: true - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - overwrite: true - type: long - description: This key captures the process id of a connection with database - server - - name: lread - overwrite: true - type: long - description: This key is used for the number of logical reads - - name: lwrite - overwrite: true - type: long - description: This key is used for the number of logical writes - - name: pread - overwrite: true - type: long - description: This key is used for the number of physical writes - - name: network - overwrite: true - type: group - fields: - - name: alias_host - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a hostname is not clear.Also it captures the Device Hostname. Any Hostname - that isnt ad.computer. 
- - name: domain - overwrite: true - type: keyword - - name: host_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Hostname" - - name: network_service - overwrite: true - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of an interface is not clear - - name: network_port - overwrite: true - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently - used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - overwrite: true - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Interface" - - name: dinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Interface" - - name: vlan - overwrite: true - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Zone." - - name: zone - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a Zone is not clear - - name: zone_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Zone." - - name: gateway - overwrite: true - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - overwrite: true - type: long - description: This key is used to capture the ICMP type only - - name: mask - overwrite: true - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - overwrite: true - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - overwrite: true - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - overwrite: true - type: keyword - description: This key is used for Destionation Device network mask - - name: port - overwrite: true - type: long - description: This key should only be used to capture a Network Port when the - directionality is not clear - - name: smask - overwrite: true - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - overwrite: true - type: keyword - description: This key is used to capture the network name associated with an - IP range. This is configured by the end user. - - name: paddr - overwrite: true - type: ip - description: Deprecated - - name: faddr - overwrite: true - type: keyword - - name: lhost - overwrite: true - type: keyword - - name: origin - overwrite: true - type: keyword - - name: remote_domain_id - overwrite: true - type: keyword - - name: addr - overwrite: true - type: keyword - - name: dns_a_record - overwrite: true - type: keyword - - name: dns_ptr_record - overwrite: true - type: keyword - - name: fhost - overwrite: true - type: keyword - - name: fport - overwrite: true - type: keyword - - name: laddr - overwrite: true - type: keyword - - name: linterface - overwrite: true - type: keyword - - name: phost - overwrite: true - type: keyword - - name: ad_computer_dst - overwrite: true - type: keyword - description: Deprecated, use host.dst - - name: eth_type - overwrite: true - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols - Only - - name: ip_proto - overwrite: true - type: long - description: This key should be used to capture the Protocol number, all the - protocol nubers are converted into string in UI - - name: dns_cname_record - overwrite: true - 
type: keyword - - name: dns_id - overwrite: true - type: keyword - - name: dns_opcode - overwrite: true - type: keyword - - name: dns_resp - overwrite: true - type: keyword - - name: dns_type - overwrite: true - type: keyword - - name: domain1 - overwrite: true - type: keyword - - name: host_type - overwrite: true - type: keyword - - name: packet_length - overwrite: true - type: keyword - - name: host_orig - overwrite: true - type: keyword - description: This is used to capture the original hostname in case of a Forwarding - Agent or a Proxy in between. - - name: rpayload - overwrite: true - type: keyword - description: This key is used to capture the total number of payload bytes seen - in the retransmitted packets. - - name: vlan_name - overwrite: true - type: keyword - description: This key should only be used to capture the name of the Virtual - LAN - - name: investigations - overwrite: true - type: group - fields: - - name: ec_activity - overwrite: true - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - overwrite: true - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - overwrite: true - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - overwrite: true - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - overwrite: true - type: long - description: This key captures the Event category number - - name: event_cat_name - overwrite: true - type: keyword - description: This key captures the event category name corresponding to the - event cat code - - name: event_vcat - overwrite: true - type: keyword - description: This is a vendor supplied category. This should be used in situations - where the vendor has adopted their own event_category taxonomy. 
- - name: analysis_file - overwrite: true - type: keyword - description: This is used to capture all indicators used in a File Analysis. - This key should be used to capture an analysis of a file - - name: analysis_service - overwrite: true - type: keyword - description: This is used to capture all indicators used in a Service Analysis. - This key should be used to capture an analysis of a service - - name: analysis_session - overwrite: true - type: keyword - description: This is used to capture all indicators used for a Session Analysis. - This key should be used to capture an analysis of a session - - name: boc - overwrite: true - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - overwrite: true - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - overwrite: true - type: keyword - description: This used to capture investigation category - - name: inv_context - overwrite: true - type: keyword - description: This used to capture investigation context - - name: ioc - overwrite: true - type: keyword - description: This is key capture indicator of compromise - - name: counters - overwrite: true - type: group - fields: - - name: dclass_c1 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c1.str only - - name: dclass_c2 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c2.str only - - name: event_counter - overwrite: true - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r1.str only - - name: dclass_c3 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c3.str only - - name: dclass_c1_str - 
overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c1 only - - name: dclass_c2_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c2 only - - name: dclass_r1_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r1 only - - name: dclass_r2 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r2.str only - - name: dclass_c3_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c3 only - - name: dclass_r3 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r3.str only - - name: dclass_r2_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r2 only - - name: dclass_r3_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r3 only - - name: identity - overwrite: true - type: group - fields: - - name: auth_method - overwrite: true - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - overwrite: true - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - overwrite: true - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - overwrite: true - type: keyword - description: This key is used to capture the type of logon method used. 
- - name: profile - overwrite: true - type: keyword - description: This key is used to capture the user profile - - name: accesses - overwrite: true - type: keyword - description: This key is used to capture actual privileges used in accessing - an object - - name: realm - overwrite: true - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - overwrite: true - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that - indicates a Source dn - - name: org - overwrite: true - type: keyword - description: This key captures the User organization - - name: dn_dst - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that - indicates a Destination dn - - name: firstname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: lastname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: user_dept - overwrite: true - type: keyword - description: User's Department Names only - - name: user_sid_src - overwrite: true - type: keyword - description: This key captures Source User Session ID - - name: federated_sp - overwrite: true - type: keyword - description: This key is the Federated Service Provider. This is the application - requesting authentication. - - name: federated_idp - overwrite: true - type: keyword - description: This key is the federated Identity Provider. This is the server - providing the authentication. - - name: logon_type_desc - overwrite: true - type: keyword - description: This key is used to capture the textual description of an integer - logon type as stored in the meta key 'logon.type'. 
- - name: middlename - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: password - overwrite: true - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - overwrite: true - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - overwrite: true - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ - t have a clear query or response context" - - name: ldap_query - overwrite: true - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - overwrite: true - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - overwrite: true - type: keyword - description: This is used to capture username the process or service is running - as, the author of the task - - name: service_account - overwrite: true - type: keyword - description: This key is a windows specific key, used for capturing name of - the account a service (referenced in the event) is running under. Legacy Usage - - name: email - overwrite: true - type: group - fields: - - name: email_dst - overwrite: true - type: keyword - description: This key is used to capture the Destination email address only, - when the destination context is not clear use email - - name: email_src - overwrite: true - type: keyword - description: This key is used to capture the source email address only, when - the source context is not clear use email - - name: subject - overwrite: true - type: keyword - description: This key is used to capture the subject string from an Email only. 
- - name: email - overwrite: true - type: keyword - description: This key is used to capture a generic email address where the source - or destination context is not clear - - name: trans_from - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: file - overwrite: true - type: group - fields: - - name: privilege - overwrite: true - type: keyword - description: Deprecated, use permissions - - name: attachment - overwrite: true - type: keyword - description: This key captures the attachment file name - - name: filesystem - overwrite: true - type: keyword - - name: binary - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: filename_dst - overwrite: true - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - overwrite: true - type: keyword - description: This is used to capture name of the parent filename, the file which - performed the action - - name: filename_tmp - overwrite: true - type: keyword - - name: directory_dst - overwrite: true - type: keyword - description: This key is used to capture the directory of the target process - or file - - name: directory_src - overwrite: true - type: keyword - description: This key is used to capture the directory of the source process - or file - - name: file_entropy - overwrite: true - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - overwrite: true - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - overwrite: true - type: keyword - description: This is used to capture name of the task - - name: web - overwrite: true - type: group - fields: - - name: fqdn - overwrite: true - type: keyword - description: Fully Qualified Domain Names - - 
name: web_cookie - overwrite: true - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - overwrite: true - type: keyword - - name: reputation_num - overwrite: true - type: double - description: Reputation Number of an entity. Typically used for Web Domains - - name: web_ref_domain - overwrite: true - type: keyword - description: Web referer's domain - - name: web_ref_query - overwrite: true - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - overwrite: true - type: keyword - - name: web_ref_page - overwrite: true - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - overwrite: true - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - overwrite: true - type: keyword - - name: cn_rpackets - overwrite: true - type: keyword - - name: urlpage - overwrite: true - type: keyword - - name: urlroot - overwrite: true - type: keyword - - name: p_url - overwrite: true - type: keyword - - name: p_user_agent - overwrite: true - type: keyword - - name: p_web_cookie - overwrite: true - type: keyword - - name: p_web_method - overwrite: true - type: keyword - - name: p_web_referer - overwrite: true - type: keyword - - name: web_extension_tmp - overwrite: true - type: keyword - - name: web_page - overwrite: true - type: keyword - - name: threat - overwrite: true - type: group - fields: - - name: threat_category - overwrite: true - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of - alert - - name: threat_desc - overwrite: true - type: keyword - description: This key is used to capture the threat description from the session - directly or inferred - - name: alert - overwrite: true - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - overwrite: true - type: keyword - description: This key is used to 
capture source of the threat - - name: crypto - overwrite: true - type: group - fields: - - name: crypto - overwrite: true - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key - only - - name: cipher_src - overwrite: true - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - overwrite: true - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - overwrite: true - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - overwrite: true - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - overwrite: true - type: keyword - description: IKE negotiation phase. - - name: scheme - overwrite: true - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - overwrite: true - type: keyword - description: "This key is for Encryption peer\u2019s identity" - - name: sig_type - overwrite: true - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - overwrite: true - type: keyword - - name: cert_host_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: cert_error - overwrite: true - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - overwrite: true - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - overwrite: true - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - overwrite: true - type: keyword - description: Deprecated, use version - - name: d_certauth - overwrite: true - type: keyword - - name: s_certauth - overwrite: true - type: keyword - - name: ike_cookie1 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - - name: ike_cookie2 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - - name: cert_checksum - overwrite: true - type: keyword - - name: cert_host_cat - overwrite: true - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - overwrite: true - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - overwrite: true - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - overwrite: true - type: keyword - description: Deprecated, use version - - name: cert_keysize - overwrite: true - type: keyword - - name: cert_username - overwrite: true - type: keyword - - name: https_insact - overwrite: true - type: keyword - - name: https_valid - overwrite: true - type: keyword - - name: cert_ca - overwrite: true - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - overwrite: true - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - overwrite: true - type: group - fields: - - name: wlan_ssid - overwrite: true - type: keyword - description: This key is 
used to capture the ssid of a Wireless Session - - name: access_point - overwrite: true - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - overwrite: true - type: long - description: This is used to capture the channel names - - name: wlan_name - overwrite: true - type: keyword - description: This key captures either WLAN number/name - - name: storage - overwrite: true - type: group - fields: - - name: disk_volume - overwrite: true - type: keyword - description: A unique name assigned to logical units (volumes) within a physical - disk - - name: lun - overwrite: true - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - overwrite: true - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - overwrite: true - type: group - fields: - - name: org_dst - overwrite: true - type: keyword - description: This is used to capture the destination organization based on the - GEOPIP Maxmind database. - - name: org_src - overwrite: true - type: keyword - description: This is used to capture the source organization based on the GEOPIP - Maxmind database. 
- - name: healthcare - overwrite: true - type: group - fields: - - name: patient_fname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_id - overwrite: true - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_mname - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: endpoint - overwrite: true - type: group - fields: - - name: host_state - overwrite: true - type: keyword - description: This key is used to capture the current state of the machine, such - as blacklisted, infected, firewall - disabled and so on - - name: registry_key - overwrite: true - type: keyword - description: This key captures the path to the registry key - - name: registry_value - overwrite: true - type: keyword - description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/infoblox/nios/config/input.yml b/x-pack/filebeat/module/infoblox/nios/config/input.yml deleted file mode 100644 index f475dd2fca6..00000000000 --- a/x-pack/filebeat/module/infoblox/nios/config/input.yml +++ /dev/null 
@@ -1,87 +0,0 @@
-{{ if eq .input "file" }}
-
-type: log
-paths:
- {{ range $i, $path := .paths }}
-- {{$path}}
- {{ end }}
-exclude_files: [".gz$"]
-
-{{ else }}
-
-type: {{.input}}
-host: "{{.syslog_host}}:{{.syslog_port}}"
-
-{{ end }}
-
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
-
-fields_under_root: true
-fields:
- observer:
- vendor: "Infoblox"
- product: "Network"
- type: "IPAM"
-
-processors:
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{.rsa_fields}}
- tz_offset: {{.tz_offset}}
- keep_raw: {{.keep_raw_fields}}
- debug: {{.debug}}
- files:
- - ${path.home}/module/infoblox/nios/config/liblogparser.js
- - ${path.home}/module/infoblox/nios/config/pipeline.js
-{{ if .community_id }}
-- community_id: ~
-{{ end }}
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: dns.question.name
- target_field: dns.question.registered_domain
- target_subdomain_field: dns.question.subdomain
- target_etld_field: dns.question.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: client.domain
- target_field: client.registered_domain
- target_subdomain_field: client.subdomain
- target_etld_field: client.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: server.domain
- target_field: server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/infoblox/nios/config/liblogparser.js b/x-pack/filebeat/module/infoblox/nios/config/liblogparser.js
deleted file mode 100644
index b35eaa3ddce..00000000000
--- a/x-pack/filebeat/module/infoblox/nios/config/liblogparser.js
+++ /dev/null
@@ -1,2514 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -/* jshint -W014,-W016,-W097,-W116 */ - -var processor = require("processor"); -var console = require("console"); - -var FLAG_FIELD = "log.flags"; -var FIELDS_OBJECT = "nwparser"; -var FIELDS_PREFIX = FIELDS_OBJECT + "."; - -var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true -}; - -var saved_flags = null; -var debug; -var map_ecs; -var map_rsa; -var keep_raw; -var device; -var tz_offset; -var strip_priority; - -// Register params from configuration. -function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); -} - -function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } -} - -function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); -} - -function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); -} - -function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; -} - -function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; -} - -function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; -} - -var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); -})(); - -function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; -} - -function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } -} - -function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; -} - -function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; -} - -function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; -} - -function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; -} - -var start; - -function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); -} - -function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); -} - -function constant(value) { - return function (evt) { - return value; - }; -} - -function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; -} - -function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; -} - -// TODO: Implement -function DIRCHK(args) { - unimplemented("DIRCHK"); -} - -function strictToInt(str) { - return str * 1; -} - -function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - var result; - switch 
(args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; -} - -var quoteChars = "\"'`"; -function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; -} - -function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; -} - -function nop(evt) { -} - -function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); -} - -function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); -} - -function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; -} - -function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); -} - -function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; -} - -function setc(dst, value) { - return function (evt) { - evt.Put(FIELDS_PREFIX + dst, value); - }; 
-} - -function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; -} - -function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; -} - -function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; -} - -function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; -} - -// Make two-digit dates 00-69 interpreted as 2000-2069 -// and dates 70-99 translated to 1970-1999. -var twoDigitYearEpoch = 70; -var twoDigitYearCentury = 2000; - -// This is to accept dates up to 2 days in the future, only used when -// no year is specified in a date. 2 days should be enough to account for -// time differences between systems and different tz offsets. -var maxFutureDelta = 2*24*60*60*1000; - -// DateContainer stores date fields and then converts those fields into -// a Date. Necessary because building a Date using its set() methods gives -// different results depending on the order of components. -function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; -} - -DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } -} - -function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; -} - -function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; -} - -function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; -} - -var uA = 60 * 60 * 24; -var uD = 60 * 60 * 24; -var uF = 60 * 60; -var uG = 60 * 60 * 24 * 30; -var uH = 60 * 60; -var uI = 60 * 60; -var uJ = 60 * 60 * 24; -var uM = 60 * 60 * 24 * 30; -var uN = 60 * 60; -var uO = 1; -var uS = 1; -var uT = 60; -var uU = 60; -var uc = dc; - -function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; -} - -function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 5], - "dec": [11, 4], 
-};
-
-// var dC = undefined;
-var dR = dateMonthName(true);
-var dB = dateMonthName(false);
-var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
-var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
-var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
-var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
-var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
-var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
-var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
-var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
-var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
-var dP = parseAMPM; // AM|PM
-var dQ = parseAMPM; // A.M.|P.M
-var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
-var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
-var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
-var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
-var dZ = parseHMS;
-var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
-
-// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
-// Only works if this modifier appears after the hour has been read from logs
-// which is always the case in the 300 devices.
-function parseAMPM(str, pos, date) {
- var n = str.length;
- var start = skipws(str, pos);
- if (start + 2 > n) return;
- var head = str.substr(start, 2).toUpperCase();
- var isPM = false;
- var skip = false;
- switch (head) {
- case "A.":
- skip = true;
- /* falls through */
- case "AM":
- break;
- case "P.":
- skip = true;
- /* falls through */
- case "PM":
- isPM = true;
- break;
- default:
- if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
- return;
- }
- pos = start + 2;
- if (skip) {
- if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
- if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
- return;
- }
- pos += 2;
- }
- var hh = date.hours;
- if (isPM) {
- // Accept existing hour in 24h format.
- if (hh < 12) hh += 12;
- } else {
- if (hh === 12) hh = 0;
- }
- date.setHours(hh);
- return pos;
-}
-
-function parseHMS(str, pos, date) {
- return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
-}
-
-function skipws(str, pos) {
- for ( var n = str.length;
- pos < n && str.charAt(pos) === " ";
- pos++)
- ;
- return pos;
-}
-
-function skipdigits(str, pos) {
- var c;
- for (var n = str.length;
- pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
- pos++)
- ;
- return pos;
-}
-
-function dSkip(str, pos, date) {
- var chr;
- for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
- return pos < str.length? 
pos : undefined; -} - -function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; -} - -function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; -} - -// Short month name (Jan..Dec). -function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0);
- };
-}
-
-function url_wrapper(dst, src, fn) {
- return function(evt) {
- var value = evt.Get(FIELDS_PREFIX + src), result;
- if (value != null && (result = fn(value))!== undefined) {
- evt.Put(FIELDS_PREFIX + dst, result);
- } else {
- console.debug(fn.name + " failed for '" + value + "'");
- }
- };
-}
-
-// The following regular expression for parsing URLs from:
-// https://github.com/wizard04wsu/URI_Parsing
-//
-// The MIT License (MIT)
-//
-// Copyright (c) 2014 Andrew Harrison
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy of
-// this software and associated documentation files (the "Software"), to deal in
-// the Software without restriction, including without limitation the rights to
-// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-// the Software, and to permit persons to whom the Software is furnished to do so,
-// subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in all
-// copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
-
-var uriScheme = 1;
-var uriDomain = 5;
-var uriPort = 6;
-var uriPath = 7;
-var uriPathAlt = 9;
-var uriQuery = 11;
-
-function domain(dst, src) {
- return url_wrapper(dst, src, extract_domain);
-}
-
-function split_url(value) {
- var m = value.match(uriRegExp);
- if (m && m[uriDomain]) return m;
- // Support input in the form "www.example.net/path", but not "/path".
- m = ("null://" + value).match(uriRegExp);
- if (m) return m;
-}
-
-function extract_domain(value) {
- var m = split_url(value);
- if (m && m[uriDomain]) return m[uriDomain];
-}
-
-var extFromPage = /\.[^.]+$/;
-function extract_ext(value) {
- var page = extract_page(value);
- if (page) {
- var m = page.match(extFromPage);
- if (m) return m[0];
- }
-}
-
-function ext(dst, src) {
- return url_wrapper(dst, src, extract_ext);
-}
-
-function fqdn(dst, src) {
- // TODO: fqdn and domain(eTLD+1) are currently the same.
- return domain(dst, src);
-}
-
-var pageFromPathRegExp = /\/([^\/]+)$/;
-var pageName = 1;
-
-function extract_page(value) {
- value = extract_path(value);
- if (!value) return undefined;
- var m = value.match(pageFromPathRegExp);
- if (m) return m[pageName];
-}
-
-function page(dst, src) {
- return url_wrapper(dst, src, extract_page);
-}
-
-function extract_path(value) {
- var m = split_url(value);
- return m? m[uriPath] || m[uriPathAlt] : undefined;
-}
-
-function path(dst, src) {
- return url_wrapper(dst, src, extract_path);
-}
-
-// Map common schemes to their default port.
-// port has to be a string (will be converted at a later stage).
-var schemePort = {
- "ftp": "21",
- "ssh": "22",
- "http": "80",
- "https": "443",
-};
-
-function extract_port(value) {
- var m = split_url(value);
- if (!m) return undefined;
- if (m[uriPort]) return m[uriPort];
- if (m[uriScheme]) {
- return schemePort[m[uriScheme]];
- }
-}
-
-function port(dst, src) {
- return url_wrapper(dst, src, extract_port);
-}
-
-function extract_query(value) {
- var m = split_url(value);
- if (m && m[uriQuery]) return m[uriQuery];
-}
-
-function query(dst, src) {
- return url_wrapper(dst, src, extract_query);
-}
-
-function extract_root(value) {
- var m = split_url(value);
- if (m && m[uriDomain] && m[uriDomain]) {
- var scheme = m[uriScheme] && m[uriScheme] !== "null"?
- m[uriScheme] + "://" : "";
- var port = m[uriPort]? ":" + m[uriPort] : "";
- return scheme + m[uriDomain] + port;
- }
-}
-
-function root(dst, src) {
- return url_wrapper(dst, src, extract_root);
-}
-
-function tagval(id, src, cfg, keys, on_success) {
- var fail = function(evt) {
- evt.Put(FLAG_FIELD, "tagval_parsing_error");
- }
- if (cfg.kv_separator.length !== 1) {
- throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)");
- }
- var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } -} - -var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
- "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
- "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
- "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
- "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
- "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
- "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
- "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
- "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
- "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
- "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
- "direction": {to:[{field: "network.direction", setter: fld_set}]},
- "directory": {to:[{field: "file.directory", setter: fld_set}]},
- "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
- "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
- "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
- "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
- "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
- 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
- "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
- "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
- "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
- "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
- "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
- "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
- "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
- "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
- "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
- "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
- "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
- "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
- "filepath": {to:[{field: "file.path", setter: fld_set}]},
- "filetype": {to:[{field: "file.type", setter: fld_set}]},
- "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
- "group": {to:[{field: "group.name", setter: fld_set}]},
- "groupid": {to:[{field: "group.id", setter: fld_set}]},
- "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]},
- "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
- "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
- "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
- "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
- "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
- "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
- "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
- "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
- "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
- "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
- "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
- "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
- "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
- "method": {to:[{field: "http.request.method", setter: fld_set}]},
- "msg": {to:[{field: "message", setter: fld_set}]},
- "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
- "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
- "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
- "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
- "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
- "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
- "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
- "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
- "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
- "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
- "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
- "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
- "product": {to:[{field: "observer.product", setter: fld_set}]},
- "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
- "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
- "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
- "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
- "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]},
- "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
- "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
- "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
- "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
- "severity": {to:[{field: "log.level", setter: fld_set}]},
- "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
- "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
- "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
- "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
- "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
- "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
- "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
- "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
- "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
- "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
- "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
- "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
- "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
-};
-
-var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
- "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
- "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
- "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
- "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
- "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
- "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
- "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
- "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
- "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
- "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
- "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
- "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
- "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
- "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
- "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
- "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
- "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
- "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
- "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
- "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
- "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
- "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
- "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
- "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
- "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]},
- "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
- "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
- "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
- "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
- "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
- "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
- "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
- "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
- "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
- "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
- "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
- "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
- "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
- "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
- "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
- "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
- "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
- "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
- "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
- "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
- "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
- "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
- "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
- "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
- "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
- "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
- "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
- "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
- "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
- "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
- "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
- "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
- "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
- "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
- "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
- "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
- "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
- "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
- "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
- "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
- "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
- "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
- "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
- "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
- "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
- "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
- "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
- "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
- "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
- "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
- "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
- "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]},
- "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
- "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
- "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
- "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
- "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
- "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
- "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
- "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
- "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
- "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
- "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
- "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
- "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
- "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
- "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
- "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
- "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
- "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
- "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
- "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
- "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
- "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
- "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
- "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
- "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
- "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]},
- "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
- "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
- "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
- "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
- "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
- "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
- "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
- "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
- "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
- "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
- "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
- "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
- "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
- "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
- "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
- "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
- "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
- "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
- "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
- "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
- "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
- "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
- "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
- "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
- "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
- "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
- 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, -}; - -function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } -} - -// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. -var maxSafeInt = Math.pow(2, 53) - 1; -var minSafeInt = -maxSafeInt; - -function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; -} - -function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); -} - -var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; -var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - -function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; -} - -function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; -} - -function to_double(value) { - return parseFloat(value); -} - -function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; -} - -function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; -} - -function fld_set(dst, value) { - dst[this.field] = { v: value }; -} - -function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } -} - -function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } -} - -var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true -}; - -function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } -} - -function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } -} - -function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); -} - -var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, -]; - -function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - tzOffset = 
evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{day->} %{time->} %{hhostname->} %{p0}"); - -var dup2 = setc("eventcategory","1401070000"); - -var dup3 = setc("ec_theme","Authentication"); - -var dup4 = setc("ec_subject","User"); - -var dup5 = setc("ec_activity","Logoff"); - -var dup6 = setc("ec_outcome","Success"); - -var dup7 = setf("msg","$MSG"); - -var dup8 = date_time({ - dest: "event_time", - args: ["fld1","fld2"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], - ], -}); - -var dup9 = setf("event_source","hhostname"); - -var dup10 = setc("eventcategory","1401060000"); - -var dup11 = setc("ec_activity","Logon"); - -var dup12 = setc("eventcategory","1609000000"); - -var dup13 = setc("eventcategory","1605000000"); - -var dup14 = setc("eventcategory","1401030000"); - -var dup15 = setc("ec_outcome","Failure"); - -var dup16 = setc("eventcategory","1603000000"); - -var dup17 = match("MESSAGE#19:dhcpd:18/0", "nwparser.payload", "%{} %{p0}"); - -var dup18 = match("MESSAGE#19:dhcpd:18/1_0", "nwparser.p0", "Added %{p0}"); - -var dup19 = match("MESSAGE#19:dhcpd:18/1_1", "nwparser.p0", "added %{p0}"); - -var dup20 = setc("action","DHCPDECLINE"); - -var dup21 = match("MESSAGE#25:dhcpd:03/1_0", "nwparser.p0", "(%{dhost}) via %{p0}"); - -var dup22 = match("MESSAGE#25:dhcpd:03/1_1", "nwparser.p0", "via %{p0}"); - -var dup23 = setc("action","DHCPRELEASE"); - -var dup24 = setc("action","DHCPDISCOVER"); - -var dup25 = match("MESSAGE#28:dhcpd:09/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} from %{smacaddr->} %{p0}"); - -var dup26 = match("MESSAGE#28:dhcpd:09/1_0", "nwparser.p0", "(%{shost}) via %{p0}"); - -var dup27 = setc("action","DHCPREQUEST"); - -var dup28 = match("MESSAGE#31:dhcpd:11/2", "nwparser.p0", "%{interface}"); - -var dup29 = setc("event_description","unknown network segment"); - -var dup30 = date_time({ - dest: "event_time", - args: ["month","day","time"], - fmts: [ - [dB,dF,dZ], - ], -}); - 
-var dup31 = match("MESSAGE#38:dhcpd:14/2", "nwparser.p0", "%{interface->} relay %{fld1->} lease-duration %{duration}"); - -var dup32 = setc("action","DHCPACK"); - -var dup33 = match("MESSAGE#53:named:16/1_0", "nwparser.p0", "approved%{}"); - -var dup34 = match("MESSAGE#53:named:16/1_1", "nwparser.p0", "denied%{}"); - -var dup35 = setf("domain","zone"); - -var dup36 = match("MESSAGE#56:named:01/0", "nwparser.payload", "client %{saddr}#%{p0}"); - -var dup37 = match("MESSAGE#57:named:17/1_0", "nwparser.p0", "IN%{p0}"); - -var dup38 = match("MESSAGE#57:named:17/1_1", "nwparser.p0", "CH%{p0}"); - -var dup39 = match("MESSAGE#57:named:17/1_2", "nwparser.p0", "HS%{p0}"); - -var dup40 = match("MESSAGE#57:named:17/3_1", "nwparser.p0", "%{action->} at '%{p0}"); - -var dup41 = match("MESSAGE#57:named:17/4_0", "nwparser.p0", "%{hostip}.in-addr.arpa' %{p0}"); - -var dup42 = match("MESSAGE#57:named:17/5_0", "nwparser.p0", "%{dns_querytype->} \"%{fld3}\""); - -var dup43 = match("MESSAGE#57:named:17/5_1", "nwparser.p0", "%{dns_querytype->} %{hostip}"); - -var dup44 = match_copy("MESSAGE#57:named:17/5_2", "nwparser.p0", "dns_querytype"); - -var dup45 = setc("event_description","updating zone"); - -var dup46 = match_copy("MESSAGE#60:named:19/2", "nwparser.p0", "event_description"); - -var dup47 = setf("domain","hostname"); - -var dup48 = match_copy("MESSAGE#66:named:25/1_1", "nwparser.p0", "result"); - -var dup49 = setc("eventcategory","1801010000"); - -var dup50 = setc("ec_activity","Request"); - -var dup51 = match("MESSAGE#67:named:63/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: client %{p0}"); - -var dup52 = match("MESSAGE#67:named:63/1_0", "nwparser.p0", "%{fld9->} %{p0}"); - -var dup53 = match("MESSAGE#67:named:63/1_1", "nwparser.p0", "%{p0}"); - -var dup54 = match("MESSAGE#74:named:10/1_3", "nwparser.p0", "%{sport}:%{p0}"); - -var dup55 = setc("action","Refused"); - -var dup56 = setf("dns_querytype","event_description"); - -var dup57 = 
setc("eventcategory","1901000000"); - -var dup58 = match("MESSAGE#83:named:24/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): %{p0}"); - -var dup59 = setc("eventcategory","1801000000"); - -var dup60 = setf("zone","domain"); - -var dup61 = date_time({ - dest: "event_time", - args: ["month","day","time"], - fmts: [ - [dB,dD,dZ], - ], -}); - -var dup62 = setf("info","hdata"); - -var dup63 = setc("eventcategory","1301000000"); - -var dup64 = setc("eventcategory","1303000000"); - -var dup65 = match_copy("MESSAGE#7:httpd:06", "nwparser.payload", "event_description", processor_chain([ - dup13, - dup7, - dup9, -])); - -var dup66 = linear_select([ - dup18, - dup19, -]); - -var dup67 = linear_select([ - dup21, - dup22, -]); - -var dup68 = linear_select([ - dup26, - dup22, -]); - -var dup69 = match_copy("MESSAGE#204:dhcpd:37", "nwparser.payload", "event_description", processor_chain([ - dup13, - dup7, - dup9, - dup30, -])); - -var dup70 = linear_select([ - dup33, - dup34, -]); - -var dup71 = linear_select([ - dup37, - dup38, - dup39, -]); - -var dup72 = linear_select([ - dup42, - dup43, - dup44, -]); - -var dup73 = linear_select([ - dup52, - dup53, -]); - -var dup74 = match_copy("MESSAGE#118:validate_dhcpd", "nwparser.payload", "event_description", processor_chain([ - dup16, - dup7, - dup9, -])); - -var dup75 = match("MESSAGE#134:openvpn-member:01", "nwparser.payload", "%{action->} : %{event_description->} (code=%{resultcode})", processor_chain([ - dup16, - dup7, - dup9, -])); - -var dup76 = match("MESSAGE#137:openvpn-member:04", "nwparser.payload", "%{severity}: %{event_description}", processor_chain([ - dup13, - dup7, - dup9, -])); - -var dup77 = match_copy("MESSAGE#225:syslog", "nwparser.payload", "event_description", processor_chain([ - dup13, - dup7, - dup9, - dup62, -])); - -var hdr1 = match("HEADER#0:001", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{messageid}[%{data}]: %{payload}", processor_chain([ - setc("header_id","001"), -])); - 
-var part1 = match("HEADER#1:006/1_0", "nwparser.p0", "%{hhostip} %{messageid}[%{data}]: %{p0}"); - -var part2 = match("HEADER#1:006/1_1", "nwparser.p0", "%{hhostip} %{messageid}: %{p0}"); - -var select1 = linear_select([ - part1, - part2, -]); - -var part3 = match_copy("HEADER#1:006/2", "nwparser.p0", "payload"); - -var all1 = all_match({ - processors: [ - dup1, - select1, - part3, - ], - on_success: processor_chain([ - setc("header_id","006"), - ]), -}); - -var hdr2 = match("HEADER#2:005", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{hdata}: %{messageid->} %{payload}", processor_chain([ - setc("header_id","005"), -])); - -var part4 = match("HEADER#3:002/1_0", "nwparser.p0", "-%{p0}"); - -var part5 = match_copy("HEADER#3:002/1_1", "nwparser.p0", "p0"); - -var select2 = linear_select([ - part4, - part5, -]); - -var part6 = match("HEADER#3:002/2", "nwparser.p0", ":%{messageid->} %{payload}"); - -var all2 = all_match({ - processors: [ - dup1, - select2, - part6, - ], - on_success: processor_chain([ - setc("header_id","002"), - ]), -}); - -var hdr3 = match("HEADER#4:0003", "message", "%{messageid}[%{data}]: %{payload}", processor_chain([ - setc("header_id","0003"), -])); - -var hdr4 = match("HEADER#5:0004", "message", "%{messageid}: %{payload}", processor_chain([ - setc("header_id","0004"), -])); - -var hdr5 = match("HEADER#6:0005", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{fld1->} |%{messageid->} |%{payload}", processor_chain([ - setc("header_id","0005"), -])); - -var select3 = linear_select([ - hdr1, - all1, - hdr2, - all2, - hdr3, - hdr4, - hdr5, -]); - -var part7 = match("MESSAGE#0:httpd", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Logout - - ip=%{saddr->} group=%{group->} trigger_event=%{event_description}", processor_chain([ - dup2, - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, -])); - -var msg1 = msg("httpd", part7); - -var part8 = match("MESSAGE#1:httpd:01", "nwparser.payload", "%{fld1->} 
%{fld2}.%{fld3->} [%{username}]: Login_Allowed - - to=%{fld4->} ip=%{saddr->} auth=%{authmethod->} group=%{group->} apparently_via=%{info}", processor_chain([ - dup10, - dup3, - dup4, - dup11, - dup6, - dup7, - dup8, - dup9, -])); - -var msg2 = msg("httpd:01", part8); - -var part9 = match("MESSAGE#2:httpd:02", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Called - %{action->} message=%{info}", processor_chain([ - dup12, - dup7, - dup8, - dup9, -])); - -var msg3 = msg("httpd:02", part9); - -var part10 = match("MESSAGE#3:httpd:03", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Created HostAddress %{hostip}: Set address=\"%{saddr}\",configure_for_dhcp=%{fld10},match_option=\"%{info}\",parent=%{context}", processor_chain([ - dup12, - dup7, - dup8, - dup9, -])); - -var msg4 = msg("httpd:03", part10); - -var part11 = match("MESSAGE#4:httpd:04", "nwparser.payload", "%{shost}: %{fld1->} authentication for user %{username->} failed", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg5 = msg("httpd:04", part11); - -var part12 = match("MESSAGE#5:httpd:05", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Called - %{event_description}", processor_chain([ - dup13, - dup7, - dup8, - dup9, -])); - -var msg6 = msg("httpd:05", part12); - -var part13 = match("MESSAGE#6:httpd:07", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Denied - - to=%{terminal->} ip=%{saddr->} info=%{info}", processor_chain([ - dup14, - dup3, - dup4, - dup11, - dup15, - dup7, - dup8, - dup9, -])); - -var msg7 = msg("httpd:07", part13); - -var msg8 = msg("httpd:06", dup65); - -var select4 = linear_select([ - msg1, - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - msg8, -]); - -var part14 = match("MESSAGE#8:in.tftpd:01", "nwparser.payload", "RRQ from %{saddr->} filename %(unknown)", processor_chain([ - dup13, - dup7, - dup9, - setc("event_description","RRQ from remote host"), -])); - -var msg9 = msg("in.tftpd:01", part14); - 
-var part15 = match("MESSAGE#9:in.tftpd:02", "nwparser.payload", "sending NAK (%{resultcode}, %{result}) to %{daddr}", processor_chain([ - dup16, - dup7, - dup9, - setc("event_description","sending NAK to remote host"), -])); - -var msg10 = msg("in.tftpd:02", part15); - -var part16 = match("MESSAGE#10:in.tftpd", "nwparser.payload", "connection refused from %{saddr}", processor_chain([ - setc("eventcategory","1801030000"), - dup7, - dup9, -])); - -var msg11 = msg("in.tftpd", part16); - -var select5 = linear_select([ - msg9, - msg10, - msg11, -]); - -var part17 = match("MESSAGE#11:dhcpd:12/0", "nwparser.payload", "%{event_type}: received a REQUEST DHCP packet from relay-agent %{interface->} with a circuit-id of \"%{id}\" and remote-id of \"%{smacaddr}\" for %{hostip->} (%{dmacaddr}) lease time is %{p0}"); - -var part18 = match("MESSAGE#11:dhcpd:12/1_0", "nwparser.p0", "undefined %{p0}"); - -var part19 = match("MESSAGE#11:dhcpd:12/1_1", "nwparser.p0", "%{duration->} %{p0}"); - -var select6 = linear_select([ - part18, - part19, -]); - -var part20 = match("MESSAGE#11:dhcpd:12/2", "nwparser.p0", "seconds%{}"); - -var all3 = all_match({ - processors: [ - part17, - select6, - part20, - ], - on_success: processor_chain([ - dup16, - dup7, - dup9, - setc("event_description","received a REQUEST DHCP packet from relay-agent"), - ]), -}); - -var msg12 = msg("dhcpd:12", all3); - -var part21 = match("MESSAGE#12:dhcpd:21", "nwparser.payload", "bind update on %{hostip->} from %{hostname}(%{fld1}) rejected: %{result}", processor_chain([ - dup16, - dup7, - dup9, - setc("event_description","bind update rejected"), -])); - -var msg13 = msg("dhcpd:21", part21); - -var part22 = match("MESSAGE#13:dhcpd:10", "nwparser.payload", "Unable to add forward map from %{shost->} %{fld1}to %{daddr}: %{result}", processor_chain([ - dup16, - dup7, - dup9, - setc("event_description","Unable to add forward map"), -])); - -var msg14 = msg("dhcpd:10", part22); - -var part23 = match("MESSAGE#14:dhcpd:13", 
"nwparser.payload", "Average %{fld1->} dynamic DNS update latency: %{result->} micro seconds", processor_chain([ - dup13, - dup7, - dup9, - setc("event_description","Average dynamic DNS update latency"), -])); - -var msg15 = msg("dhcpd:13", part23); - -var part24 = match("MESSAGE#15:dhcpd:15", "nwparser.payload", "Dynamic DNS update timeout count in last %{info->} minutes: %{result}", processor_chain([ - dup13, - dup7, - dup9, - setc("event_description","Dynamic DNS update timeout count"), -])); - -var msg16 = msg("dhcpd:15", part24); - -var part25 = match("MESSAGE#16:dhcpd:22", "nwparser.payload", "Removed forward map from %{shost->} %{fld1}to %{daddr}", processor_chain([ - dup13, - dup7, - dup9, - setc("event_description","Removed forward map"), -])); - -var msg17 = msg("dhcpd:22", part25); - -var part26 = match("MESSAGE#17:dhcpd:25", "nwparser.payload", "Removed reverse map on %{hostname}", processor_chain([ - dup13, - dup7, - dup9, - setc("event_description","Removed reverse map"), -])); - -var msg18 = msg("dhcpd:25", part26); - -var part27 = match("MESSAGE#18:dhcpd:06", "nwparser.payload", "received shutdown -/-/ %{result}", processor_chain([ - dup13, - dup7, - dup9, - setc("event_description","received shutdown"), -])); - -var msg19 = msg("dhcpd:06", part27); - -var part28 = match("MESSAGE#19:dhcpd:18/2", "nwparser.p0", "new forward map from %{hostname->} %{space->} %{daddr}"); - -var all4 = all_match({ - processors: [ - dup17, - dup66, - part28, - ], - on_success: processor_chain([ - dup13, - dup7, - dup9, - setc("event_description","Added new forward map"), - ]), -}); - -var msg20 = msg("dhcpd:18", all4); - -var part29 = match("MESSAGE#20:dhcpd:19/2", "nwparser.p0", "reverse map from %{hostname->} %{space->} %{daddr}"); - -var all5 = all_match({ - processors: [ - dup17, - dup66, - part29, - ], - on_success: processor_chain([ - dup13, - dup7, - dup9, - setc("event_description","added reverse map"), - ]), -}); - -var msg21 = msg("dhcpd:19", all5); - -var 
part30 = match("MESSAGE#21:dhcpd", "nwparser.payload", "Abandoning IP address %{hostip}: declined", processor_chain([ - dup16, - dup7, - dup9, - setc("event_description","Abandoning IP declined"), -])); - -var msg22 = msg("dhcpd", part30); - -var part31 = match("MESSAGE#22:dhcpd:30", "nwparser.payload", "Abandoning IP address %{hostip}: pinged before offer", processor_chain([ - dup16, - dup7, - dup9, - setc("event_description","Abandoning IP pinged before offer"), -])); - -var msg23 = msg("dhcpd:30", part31); - -var part32 = match("MESSAGE#23:dhcpd:01", "nwparser.payload", "DHCPDECLINE of %{saddr->} from %{smacaddr->} (%{shost}) via %{interface}: %{info}", processor_chain([ - dup16, - dup7, - dup9, - dup20, -])); - -var msg24 = msg("dhcpd:01", part32); - -var part33 = match("MESSAGE#24:dhcpd:02", "nwparser.payload", "DHCPDECLINE of %{saddr->} from %{smacaddr->} via %{interface}: %{info}", processor_chain([ - dup16, - dup7, - dup9, - dup20, -])); - -var msg25 = msg("dhcpd:02", part33); - -var part34 = match("MESSAGE#25:dhcpd:03/0", "nwparser.payload", "DHCPRELEASE of %{saddr->} from %{dmacaddr->} %{p0}"); - -var part35 = match("MESSAGE#25:dhcpd:03/2", "nwparser.p0", "%{interface->} (%{info})"); - -var all6 = all_match({ - processors: [ - part34, - dup67, - part35, - ], - on_success: processor_chain([ - dup13, - dup7, - dup9, - dup23, - ]), -}); - -var msg26 = msg("dhcpd:03", all6); - -var part36 = match("MESSAGE#26:dhcpd:04", "nwparser.payload", "DHCPDISCOVER from %{smacaddr->} via %{interface}: network %{mask}: %{info}", processor_chain([ - dup13, - dup7, - dup9, - dup24, -])); - -var msg27 = msg("dhcpd:04", part36); - -var part37 = match("MESSAGE#27:dhcpd:07/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} %{p0}"); - -var part38 = match("MESSAGE#27:dhcpd:07/1_0", "nwparser.p0", "(%{shost}) from %{p0}"); - -var part39 = match("MESSAGE#27:dhcpd:07/1_1", "nwparser.p0", "from %{p0}"); - -var select7 = linear_select([ - part38, - part39, -]); - -var part40 = 
match("MESSAGE#27:dhcpd:07/2", "nwparser.p0", "%{smacaddr->} (%{hostname}) via %{interface}: ignored (%{result})"); - -var all7 = all_match({ - processors: [ - part37, - select7, - part40, - ], - on_success: processor_chain([ - dup16, - dup7, - dup9, - setc("action","DHCPREQUEST ignored"), - ]), -}); - -var msg28 = msg("dhcpd:07", all7); - -var part41 = match("MESSAGE#28:dhcpd:09/2", "nwparser.p0", "%{interface}: wrong network"); - -var all8 = all_match({ - processors: [ - dup25, - dup68, - part41, - ], - on_success: processor_chain([ - dup13, - dup7, - dup9, - dup27, - setc("result","wrong network"), - ]), -}); - -var msg29 = msg("dhcpd:09", all8); - -var part42 = match("MESSAGE#29:dhcpd:26/2", "nwparser.p0", "%{interface}: lease %{hostip->} unavailable"); - -var all9 = all_match({ - processors: [ - dup25, - dup68, - part42, - ], - on_success: processor_chain([ - dup16, - dup7, - dup9, - dup27, - setc("result","lease unavailable"), - ]), -}); - -var msg30 = msg("dhcpd:26", all9); - -var part43 = match("MESSAGE#30:dhcpd:08", "nwparser.payload", "DHCPREQUEST for %{saddr->} (%{shost}) from %{smacaddr->} (%{hostname}) via %{interface}", processor_chain([ - dup13, - dup7, - dup9, - dup27, -])); - -var msg31 = msg("dhcpd:08", part43); - -var all10 = all_match({ - processors: [ - dup25, - dup68, - dup28, - ], - on_success: processor_chain([ - dup13, - dup7, - dup9, - dup27, - ]), -}); - -var msg32 = msg("dhcpd:11", all10); - -var part44 = match("MESSAGE#32:dhcpd:31", "nwparser.payload", "DHCPRELEASE from %{smacaddr->} via %{saddr}: unknown network segment", processor_chain([ - dup13, - dup7, - dup9, - dup23, - dup29, -])); - -var msg33 = msg("dhcpd:31", part44); - -var part45 = match("MESSAGE#33:dhcpd:32", "nwparser.payload", "BOOTREQUEST from %{smacaddr->} via %{saddr}: %{event_description}", processor_chain([ - dup13, - dup7, - dup9, - setc("action","BOOTREQUEST"), - dup30, -])); - -var msg34 = msg("dhcpd:32", part45); - -var part46 = match("MESSAGE#34:dhcpd:33", 
"nwparser.payload", "Reclaiming abandoned lease %{saddr}.", processor_chain([ - dup13, - dup7, - dup9, - setc("event_description","Reclaiming abandoned lease"), -])); - -var msg35 = msg("dhcpd:33", part46); - -var part47 = match("MESSAGE#35:dhcpd:34/0", "nwparser.payload", "balanc%{p0}"); - -var part48 = match("MESSAGE#35:dhcpd:34/1_0", "nwparser.p0", "ed%{p0}"); - -var part49 = match("MESSAGE#35:dhcpd:34/1_1", "nwparser.p0", "ing%{p0}"); - -var select8 = linear_select([ - part48, - part49, -]); - -var part50 = match("MESSAGE#35:dhcpd:34/2", "nwparser.p0", "%{}pool %{fld1->} %{saddr}/%{sport->} total %{fld2->} free %{fld3->} backup %{fld4->} lts %{fld5->} max-%{fld6->} %{p0}"); - -var part51 = match("MESSAGE#35:dhcpd:34/3_0", "nwparser.p0", "(+/-)%{fld7}(%{info})"); - -var part52 = match("MESSAGE#35:dhcpd:34/3_1", "nwparser.p0", "(+/-)%{fld7}"); - -var part53 = match_copy("MESSAGE#35:dhcpd:34/3_2", "nwparser.p0", "fld7"); - -var select9 = linear_select([ - part51, - part52, - part53, -]); - -var all11 = all_match({ - processors: [ - part47, - select8, - part50, - select9, - ], - on_success: processor_chain([ - dup13, - dup7, - dup9, - dup30, - ]), -}); - -var msg36 = msg("dhcpd:34", all11); - -var part54 = match("MESSAGE#36:dhcpd:35", "nwparser.payload", "Unable to add reverse map from %{shost->} to %{dhost}: REFUSED", processor_chain([ - dup13, - dup7, - dup9, - setc("event_description"," Unable to add reverse map"), -])); - -var msg37 = msg("dhcpd:35", part54); - -var part55 = match("MESSAGE#37:dhcpd:36", "nwparser.payload", "Forward map from %{shost->} %{fld2}to %{daddr->} FAILED: %{fld1}", processor_chain([ - dup13, - dup7, - dup9, - setc("event_description"," Forward map failed"), -])); - -var msg38 = msg("dhcpd:36", part55); - -var part56 = match("MESSAGE#38:dhcpd:14/0", "nwparser.payload", "DHCPACK on %{saddr->} to %{dmacaddr->} %{p0}"); - -var all12 = all_match({ - processors: [ - part56, - dup67, - dup31, - ], - on_success: processor_chain([ - dup13, - 
dup7, - dup9, - dup32, - ]), -}); - -var msg39 = msg("dhcpd:14", all12); - -var part57 = match("MESSAGE#39:dhcpd:24/0", "nwparser.payload", "DHCPOFFER on %{saddr->} to %{p0}"); - -var part58 = match("MESSAGE#39:dhcpd:24/1_0", "nwparser.p0", "\"%{dmacaddr}\" (%{dhost}) via %{p0}"); - -var part59 = match("MESSAGE#39:dhcpd:24/1_1", "nwparser.p0", "%{dmacaddr->} (%{dhost}) via %{p0}"); - -var part60 = match("MESSAGE#39:dhcpd:24/1_2", "nwparser.p0", "%{dmacaddr->} via %{p0}"); - -var select10 = linear_select([ - part58, - part59, - part60, -]); - -var all13 = all_match({ - processors: [ - part57, - select10, - dup31, - ], - on_success: processor_chain([ - dup13, - dup7, - dup9, - setc("action","DHCPOFFER"), - ]), -}); - -var msg40 = msg("dhcpd:24", all13); - -var part61 = match("MESSAGE#40:dhcpd:17", "nwparser.payload", "DHCPNAK on %{saddr->} to %{dmacaddr->} via %{interface}", processor_chain([ - dup13, - dup7, - dup9, - setc("action","DHCPNAK"), -])); - -var msg41 = msg("dhcpd:17", part61); - -var part62 = match("MESSAGE#41:dhcpd:05/0", "nwparser.payload", "DHCPDISCOVER from %{smacaddr->} %{p0}"); - -var all14 = all_match({ - processors: [ - part62, - dup68, - dup28, - ], - on_success: processor_chain([ - dup13, - dup7, - dup9, - dup24, - ]), -}); - -var msg42 = msg("dhcpd:05", all14); - -var part63 = match("MESSAGE#42:dhcpd:16", "nwparser.payload", "DHCPACK to %{daddr->} (%{dmacaddr}) via %{interface}", processor_chain([ - dup13, - dup7, - dup9, - dup32, -])); - -var msg43 = msg("dhcpd:16", part63); - -var part64 = match("MESSAGE#43:dhcpd:20", "nwparser.payload", "DHCPINFORM from %{saddr->} via %{interface}", processor_chain([ - dup13, - dup7, - dup9, - setc("action","DHCPINFORM"), -])); - -var msg44 = msg("dhcpd:20", part64); - -var part65 = match("MESSAGE#44:dhcpd:23", "nwparser.payload", "DHCPEXPIRE on %{saddr->} to %{dmacaddr}", processor_chain([ - dup13, - dup7, - dup9, - setc("action","DHCPEXPIRE"), -])); - -var msg45 = msg("dhcpd:23", part65); - -var part66 = 
match("MESSAGE#45:dhcpd:28", "nwparser.payload", "uid lease %{hostip->} for client %{smacaddr->} is duplicate on %{mask}", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg46 = msg("dhcpd:28", part66); - -var part67 = match("MESSAGE#46:dhcpd:29", "nwparser.payload", "Attempt to add forward map \"%{shost}\" (and reverse map \"%{dhost}\") for %{saddr->} abandoned because of non-retryable failure: %{result}", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg47 = msg("dhcpd:29", part67); - -var part68 = match("MESSAGE#191:dhcpd:39", "nwparser.payload", "NOT FREE/BACKUP lease%{hostip}End Time%{fld1->} Bind-State %{change_old->} Next-Bind-State %{change_new}", processor_chain([ - dup13, - dup7, - dup9, - dup30, -])); - -var msg48 = msg("dhcpd:39", part68); - -var part69 = match("MESSAGE#192:dhcpd:41", "nwparser.payload", "RELEASE on%{saddr}to%{dmacaddr}", processor_chain([ - dup13, - dup7, - dup9, - dup30, -])); - -var msg49 = msg("dhcpd:41", part69); - -var part70 = match("MESSAGE#193:dhcpd:42", "nwparser.payload", "r-l-e:%{hostip},%{result},%{fld1},%{macaddr},%{fld3},%{fld4},%{fld5},%{info}", processor_chain([ - dup13, - dup7, - dup9, - dup30, -])); - -var msg50 = msg("dhcpd:42", part70); - -var part71 = match("MESSAGE#194:dhcpd:43", "nwparser.payload", "failover peer%{fld1}:%{dclass_counter1}leases added to send queue from pool%{fld3->} %{hostip}/%{network_port}", processor_chain([ - dup13, - dup7, - dup9, - setc("dclass_counter1_string","count of leases"), - dup30, -])); - -var msg51 = msg("dhcpd:43", part71); - -var part72 = match("MESSAGE#195:dhcpd:44", "nwparser.payload", "DHCPDECLINE from%{macaddr}via%{hostip}: unknown network segment", processor_chain([ - dup13, - dup7, - dup9, - dup30, - dup29, -])); - -var msg52 = msg("dhcpd:44", part72); - -var part73 = match("MESSAGE#196:dhcpd:45", "nwparser.payload", "Reverse map update for%{hostip}abandoned because of non-retryable failure:%{disposition}", processor_chain([ - dup13, - dup7, - dup9, - 
dup30, -])); - -var msg53 = msg("dhcpd:45", part73); - -var part74 = match("MESSAGE#197:dhcpd:46", "nwparser.payload", "Reclaiming REQUESTed abandoned IP address%{saddr}", processor_chain([ - dup13, - dup7, - dup9, - dup30, - setc("event_description","Reclaiming REQUESTed abandoned IP address"), -])); - -var msg54 = msg("dhcpd:46", part74); - -var part75 = match("MESSAGE#198:dhcpd:47/0", "nwparser.payload", "%{hostip}: removing client association (%{action})%{p0}"); - -var part76 = match("MESSAGE#198:dhcpd:47/1_0", "nwparser.p0", "uid=%{fld1}hw=%{p0}"); - -var part77 = match("MESSAGE#198:dhcpd:47/1_1", "nwparser.p0", "hw=%{p0}"); - -var select11 = linear_select([ - part76, - part77, -]); - -var part78 = match_copy("MESSAGE#198:dhcpd:47/2", "nwparser.p0", "macaddr"); - -var all15 = all_match({ - processors: [ - part75, - select11, - part78, - ], - on_success: processor_chain([ - dup13, - dup7, - dup9, - dup30, - ]), -}); - -var msg55 = msg("dhcpd:47", all15); - -var part79 = match("MESSAGE#199:dhcpd:48", "nwparser.payload", "Lease conflict at %{hostip}", processor_chain([ - dup13, - dup7, - dup9, - dup30, -])); - -var msg56 = msg("dhcpd:48", part79); - -var part80 = match("MESSAGE#200:dhcpd:49", "nwparser.payload", "ICMP Echo reply while lease %{hostip->} valid.", processor_chain([ - dup13, - dup7, - dup9, - dup30, - setc("protocol","ICMP"), -])); - -var msg57 = msg("dhcpd:49", part80); - -var part81 = match("MESSAGE#201:dhcpd:50", "nwparser.payload", "Lease state %{result}. 
Not abandoning %{hostip}", processor_chain([ - dup13, - dup7, - dup9, - dup30, -])); - -var msg58 = msg("dhcpd:50", part81); - -var part82 = match("MESSAGE#202:dhcpd:51/0_0", "nwparser.payload", "Addition%{p0}"); - -var part83 = match("MESSAGE#202:dhcpd:51/0_1", "nwparser.payload", "Removal%{p0}"); - -var select12 = linear_select([ - part82, - part83, -]); - -var part84 = match("MESSAGE#202:dhcpd:51/1", "nwparser.p0", "%{}of %{p0}"); - -var part85 = match("MESSAGE#202:dhcpd:51/2_0", "nwparser.p0", "forward%{p0}"); - -var part86 = match("MESSAGE#202:dhcpd:51/2_1", "nwparser.p0", "reverse%{p0}"); - -var select13 = linear_select([ - part85, - part86, -]); - -var part87 = match("MESSAGE#202:dhcpd:51/3", "nwparser.p0", "%{}map for %{hostip->} deferred"); - -var all16 = all_match({ - processors: [ - select12, - part84, - select13, - part87, - ], - on_success: processor_chain([ - dup13, - dup7, - dup9, - dup30, - setc("disposition","deferred"), - ]), -}); - -var msg59 = msg("dhcpd:51", all16); - -var part88 = match("MESSAGE#203:dhcpd:52", "nwparser.payload", "Hostname%{change_old}replaced by%{hostname}", processor_chain([ - dup13, - dup7, - dup9, - dup30, -])); - -var msg60 = msg("dhcpd:52", part88); - -var msg61 = msg("dhcpd:37", dup69); - -var select14 = linear_select([ - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - msg18, - msg19, - msg20, - msg21, - msg22, - msg23, - msg24, - msg25, - msg26, - msg27, - msg28, - msg29, - msg30, - msg31, - msg32, - msg33, - msg34, - msg35, - msg36, - msg37, - msg38, - msg39, - msg40, - msg41, - msg42, - msg43, - msg44, - msg45, - msg46, - msg47, - msg48, - msg49, - msg50, - msg51, - msg52, - msg53, - msg54, - msg55, - msg56, - msg57, - msg58, - msg59, - msg60, - msg61, -]); - -var part89 = match("MESSAGE#47:ntpd:05", "nwparser.payload", "system event '%{event_type}' (%{fld1}) status '%{result}' (%{fld2})", processor_chain([ - dup13, - dup7, - dup9, - setc("event_description","system event status"), -])); - -var msg62 = 
msg("ntpd:05", part89); - -var part90 = match("MESSAGE#48:ntpd:04", "nwparser.payload", "frequency initialized %{result->} from %(unknown)", processor_chain([ - dup13, - dup7, - dup9, - setc("event_description","frequency initialized from file"), -])); - -var msg63 = msg("ntpd:04", part90); - -var part91 = match("MESSAGE#49:ntpd:03", "nwparser.payload", "ntpd exiting on signal %{dclass_counter1}", processor_chain([ - dup13, - dup7, - dup9, - setc("event_description","ntpd exiting on signal"), -])); - -var msg64 = msg("ntpd:03", part91); - -var part92 = match("MESSAGE#50:ntpd", "nwparser.payload", "time slew %{result}", processor_chain([ - dup13, - dup7, - dup9, - setc("event_description","time slew duraion"), -])); - -var msg65 = msg("ntpd", part92); - -var part93 = match("MESSAGE#51:ntpd:01", "nwparser.payload", "%{process}: signal %{dclass_counter1->} had flags %{result}", processor_chain([ - dup13, - dup7, - dup9, - setc("event_description","signal had flags"), -])); - -var msg66 = msg("ntpd:01", part93); - -var msg67 = msg("ntpd:02", dup65); - -var select15 = linear_select([ - msg62, - msg63, - msg64, - msg65, - msg66, - msg67, -]); - -var part94 = match("MESSAGE#53:named:16/0", "nwparser.payload", "client %{saddr}#%{sport}:%{fld1}: update '%{zone}' %{p0}"); - -var all17 = all_match({ - processors: [ - part94, - dup70, - ], - on_success: processor_chain([ - dup16, - dup7, - dup9, - ]), -}); - -var msg68 = msg("named:16", all17); - -var part95 = match("MESSAGE#54:named/0", "nwparser.payload", "client %{saddr}#%{sport}: update '%{zone}/IN' %{p0}"); - -var all18 = all_match({ - processors: [ - part95, - dup70, - ], - on_success: processor_chain([ - dup16, - dup7, - dup9, - dup35, - ]), -}); - -var msg69 = msg("named", all18); - -var part96 = match("MESSAGE#55:named:12/0", "nwparser.payload", "client %{saddr}#%{sport}/key dhcp_updater_default: signer \"%{owner}\" %{p0}"); - -var all19 = all_match({ - processors: [ - part96, - dup70, - ], - on_success: 
processor_chain([ - dup16, - dup7, - dup9, - ]), -}); - -var msg70 = msg("named:12", all19); - -var part97 = match("MESSAGE#56:named:01/1_0", "nwparser.p0", "%{sport}/%{fld1}: signer \"%{p0}"); - -var part98 = match("MESSAGE#56:named:01/1_1", "nwparser.p0", "%{sport}: signer \"%{p0}"); - -var select16 = linear_select([ - part97, - part98, -]); - -var part99 = match("MESSAGE#56:named:01/2", "nwparser.p0", "%{owner}\" %{p0}"); - -var all20 = all_match({ - processors: [ - dup36, - select16, - part99, - dup70, - ], - on_success: processor_chain([ - dup16, - dup7, - dup9, - ]), -}); - -var msg71 = msg("named:01", all20); - -var part100 = match("MESSAGE#57:named:17/0", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}/%{p0}"); - -var part101 = match("MESSAGE#57:named:17/2", "nwparser.p0", "': %{p0}"); - -var part102 = match("MESSAGE#57:named:17/3_0", "nwparser.p0", "%{fld2}: %{action->} at '%{p0}"); - -var select17 = linear_select([ - part102, - dup40, -]); - -var part103 = match("MESSAGE#57:named:17/4_1", "nwparser.p0", "%{hostname}' %{p0}"); - -var select18 = linear_select([ - dup41, - part103, -]); - -var all21 = all_match({ - processors: [ - part100, - dup71, - part101, - select17, - select18, - dup72, - ], - on_success: processor_chain([ - dup13, - dup7, - dup9, - dup45, - dup35, - ]), -}); - -var msg72 = msg("named:17", all21); - -var part104 = match("MESSAGE#58:named:18/0", "nwparser.payload", "client %{saddr}#%{sport}:%{fld1}: updating zone '%{zone}': %{p0}"); - -var part105 = match("MESSAGE#58:named:18/1_0", "nwparser.p0", "adding %{p0}"); - -var part106 = match("MESSAGE#58:named:18/1_1", "nwparser.p0", "deleting%{p0}"); - -var select19 = linear_select([ - part105, - part106, -]); - -var part107 = match("MESSAGE#58:named:18/2", "nwparser.p0", "%{} %{info->} at '%{hostname}'"); - -var all22 = all_match({ - processors: [ - part104, - select19, - part107, - ], - on_success: processor_chain([ - dup13, - dup7, - dup9, - ]), -}); - -var 
msg73 = msg("named:18", all22); - -var part108 = match("MESSAGE#59:named:02/0", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}/%{p0}"); - -var part109 = match("MESSAGE#59:named:02/2", "nwparser.p0", "':%{p0}"); - -var part110 = match("MESSAGE#59:named:02/3_0", "nwparser.p0", "%{fld1}: %{action->} at '%{p0}"); - -var select20 = linear_select([ - part110, - dup40, -]); - -var part111 = match("MESSAGE#59:named:02/4_1", "nwparser.p0", "%{hostip}' %{p0}"); - -var select21 = linear_select([ - dup41, - part111, -]); - -var all23 = all_match({ - processors: [ - part108, - dup71, - part109, - select20, - select21, - dup72, - ], - on_success: processor_chain([ - dup13, - dup7, - dup9, - dup45, - dup35, - ]), -}); - -var msg74 = msg("named:02", all23); - -var part112 = match("MESSAGE#60:named:19/0", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}': update %{disposition}: %{p0}"); - -var part113 = match("MESSAGE#60:named:19/1_0", "nwparser.p0", "%{hostname}/%{dns_querytype}: %{p0}"); - -var part114 = match("MESSAGE#60:named:19/1_1", "nwparser.p0", "%{hostname}: %{p0}"); - -var select22 = linear_select([ - part113, - part114, -]); - -var all24 = all_match({ - processors: [ - part112, - select22, - dup46, - ], - on_success: processor_chain([ - dup13, - dup7, - dup9, - dup47, - ]), -}); - -var msg75 = msg("named:19", all24); - -var part115 = match("MESSAGE#61:named:03", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': update %{disposition}: %{hostname}: %{event_description}", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg76 = msg("named:03", part115); - -var part116 = match("MESSAGE#62:named:11", "nwparser.payload", "zone %{zone}: notify from %{saddr}#%{sport}: zone is up to date", processor_chain([ - dup13, - dup7, - dup9, - setc("event_description","notify zone is up to date"), -])); - -var msg77 = msg("named:11", part116); - -var part117 = match("MESSAGE#63:named:13", "nwparser.payload", 
"zone %{zone}: notify from %{saddr}#%{sport}: %{action}, %{event_description}", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg78 = msg("named:13", part117); - -var part118 = match("MESSAGE#64:named:14", "nwparser.payload", "zone %{zone}: refresh: retry limit for master %{saddr}#%{sport->} exceeded (%{action})", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg79 = msg("named:14", part118); - -var part119 = match("MESSAGE#65:named:15", "nwparser.payload", "zone %{zone}: refresh: failure trying master %{saddr}#%{sport->} (source ::#0): %{action}", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg80 = msg("named:15", part119); - -var part120 = match("MESSAGE#66:named:25/0", "nwparser.payload", "DNS format error from %{saddr}#%{sport->} resolving %{domain}/%{dns_querytype->} for client %{daddr}#%{dport}: %{p0}"); - -var part121 = match("MESSAGE#66:named:25/1_0", "nwparser.p0", "%{error}--%{result}"); - -var select23 = linear_select([ - part121, - dup48, -]); - -var all25 = all_match({ - processors: [ - part120, - select23, - ], - on_success: processor_chain([ - dup49, - dup50, - dup15, - dup7, - dup9, - setc("event_description","DNS format error"), - dup30, - ]), -}); - -var msg81 = msg("named:25", all25); - -var part122 = match("MESSAGE#67:named:63/2", "nwparser.p0", "#%{saddr->} %{sport->} (#%{fld5}): query: %{domain->} %{fld4->} (%{daddr})"); - -var all26 = all_match({ - processors: [ - dup51, - dup73, - part122, - ], - on_success: processor_chain([ - dup13, - dup7, - dup9, - dup30, - ]), -}); - -var msg82 = msg("named:63", all26); - -var part123 = match("MESSAGE#68:named:72/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{fld1}): %{p0}"); - -var part124 = match("MESSAGE#68:named:72/1_0", "nwparser.p0", "view%{fld3}: query:%{p0}"); - -var part125 = match("MESSAGE#68:named:72/1_1", "nwparser.p0", "query:%{p0}"); - -var select24 = linear_select([ - part124, - part125, -]); - -var part126 = match("MESSAGE#68:named:72/2", 
"nwparser.p0", "%{} %{domain->} %{fld2->} %{dns_querytype->} %{context->} (%{daddr})"); - -var all27 = all_match({ - processors: [ - part123, - select24, - part126, - ], - on_success: processor_chain([ - dup13, - dup7, - dup9, - dup30, - ]), -}); - -var msg83 = msg("named:72", all27); - -var part127 = match("MESSAGE#69:named:28", "nwparser.payload", "%{action->} (%{saddr}#%{sport}) %{event_description}", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg84 = msg("named:28", part127); - -var part128 = match("MESSAGE#70:named:71/0", "nwparser.payload", "transfer of '%{zone}' from %{saddr}#%{sport}: failed %{p0}"); - -var part129 = match("MESSAGE#70:named:71/1_0", "nwparser.p0", "to connect: %{p0}"); - -var part130 = match("MESSAGE#70:named:71/1_1", "nwparser.p0", "while receiving responses: %{p0}"); - -var select25 = linear_select([ - part129, - part130, -]); - -var all28 = all_match({ - processors: [ - part128, - select25, - dup48, - ], - on_success: processor_chain([ - dup49, - dup7, - dup9, - dup30, - setc("event_description","failed"), - ]), -}); - -var msg85 = msg("named:71", all28); - -var part131 = match("MESSAGE#71:named:70/0", "nwparser.payload", "transfer of '%{zone}' from %{saddr}#%{sport}: %{p0}"); - -var part132 = match("MESSAGE#71:named:70/1_0", "nwparser.p0", "connected using %{daddr}#%{dport}"); - -var select26 = linear_select([ - part132, - dup46, -]); - -var all29 = all_match({ - processors: [ - part131, - select26, - ], - on_success: processor_chain([ - dup13, - dup7, - dup9, - dup30, - ]), -}); - -var msg86 = msg("named:70", all29); - -var part133 = match("MESSAGE#72:named:40/0", "nwparser.payload", "%{fld1->} client %{saddr}#%{sport}: %{p0}"); - -var part134 = match("MESSAGE#72:named:40/1_0", "nwparser.p0", "view %{fld2}: %{protocol}: query: %{p0}"); - -var part135 = match("MESSAGE#72:named:40/1_1", "nwparser.p0", "%{protocol}: query: %{p0}"); - -var select27 = linear_select([ - part134, - part135, -]); - -var part136 = 
match("MESSAGE#72:named:40/2", "nwparser.p0", "%{domain->} %{fld3->} %{dns_querytype->} response:%{result->} %{p0}"); - -var part137 = match("MESSAGE#72:named:40/3_0", "nwparser.p0", "%{context->} %{dns.resptext}"); - -var part138 = match_copy("MESSAGE#72:named:40/3_1", "nwparser.p0", "context"); - -var select28 = linear_select([ - part137, - part138, -]); - -var all30 = all_match({ - processors: [ - part133, - select27, - part136, - select28, - ], - on_success: processor_chain([ - dup13, - dup7, - dup9, - dup30, - ]), -}); - -var msg87 = msg("named:40", all30); - -var part139 = match("MESSAGE#73:named:05", "nwparser.payload", "zone '%{zone}' %{event_description}", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg88 = msg("named:05", part139); - -var part140 = match("MESSAGE#74:named:10/1_0", "nwparser.p0", "%{sport->} %{fld22}/%{fld21}:%{p0}"); - -var part141 = match("MESSAGE#74:named:10/1_1", "nwparser.p0", "%{sport}/%{fld21}:%{p0}"); - -var part142 = match("MESSAGE#74:named:10/1_2", "nwparser.p0", "%{sport->} (%{fld21}): %{p0}"); - -var select29 = linear_select([ - part140, - part141, - part142, - dup54, -]); - -var part143 = match("MESSAGE#74:named:10/2", "nwparser.p0", "%{}query: %{domain->} %{info->} (%{daddr})"); - -var all31 = all_match({ - processors: [ - dup36, - select29, - part143, - ], - on_success: processor_chain([ - dup13, - dup7, - dup9, - setc("event_description","dns query"), - ]), -}); - -var msg89 = msg("named:10", all31); - -var part144 = match("MESSAGE#75:named:29", "nwparser.payload", "client %{saddr}#%{sport}: %{fld1}: received notify for zone '%{zone}'", processor_chain([ - dup13, - dup7, - dup9, - setc("event_description","received notify for zone"), -])); - -var msg90 = msg("named:29", part144); - -var part145 = match("MESSAGE#76:named:08", "nwparser.payload", "client %{saddr}#%{sport}: received notify for zone '%{zone}'", processor_chain([ - dup13, - dup7, - dup9, - setc("event_description","client received notify for zone"), 
-])); - -var msg91 = msg("named:08", part145); - -var part146 = match("MESSAGE#77:named:09", "nwparser.payload", "client %{saddr}#%{sport}: update forwarding '%{zone}' denied", processor_chain([ - dup16, - dup7, - dup9, - setc("event_description","client update forwarding for zone denied"), -])); - -var msg92 = msg("named:09", part146); - -var part147 = match("MESSAGE#78:named:76/0", "nwparser.payload", "zone %{zone}: ZRQ appl%{p0}"); - -var part148 = match("MESSAGE#78:named:76/1_0", "nwparser.p0", "ied%{p0}"); - -var part149 = match("MESSAGE#78:named:76/1_1", "nwparser.p0", "ying%{p0}"); - -var select30 = linear_select([ - part148, - part149, -]); - -var part150 = match("MESSAGE#78:named:76/2", "nwparser.p0", "%{}transaction %{p0}"); - -var part151 = match("MESSAGE#78:named:76/3_0", "nwparser.p0", "%{operation_id->} with SOA serial %{serial_number}. Zone version is now %{version}."); - -var part152 = match("MESSAGE#78:named:76/3_1", "nwparser.p0", "%{fld1}."); - -var select31 = linear_select([ - part151, - part152, -]); - -var all32 = all_match({ - processors: [ - part147, - select30, - part150, - select31, - ], - on_success: processor_chain([ - dup13, - dup7, - dup9, - dup30, - ]), -}); - -var msg93 = msg("named:76", all32); - -var part153 = match("MESSAGE#79:named:75", "nwparser.payload", "zone %{zone}: ZRQ applied %{action->} for '%{fld1}': %{fld2->} %{fld3->} %{dns_querytype->} %{info}", processor_chain([ - dup13, - dup7, - dup9, - dup30, -])); - -var msg94 = msg("named:75", part153); - -var part154 = match("MESSAGE#80:named:06/0", "nwparser.payload", "zone%{p0}"); - -var part155 = match("MESSAGE#80:named:06/1_0", "nwparser.p0", "_%{fld1}: %{p0}"); - -var part156 = match("MESSAGE#80:named:06/1_1", "nwparser.p0", " %{zone}: %{p0}"); - -var select32 = linear_select([ - part155, - part156, -]); - -var all33 = all_match({ - processors: [ - part154, - select32, - dup46, - ], - on_success: processor_chain([ - dup13, - dup7, - dup9, - dup30, - ]), -}); - -var msg95 = 
msg("named:06", all33); - -var part157 = match("MESSAGE#81:named:20", "nwparser.payload", "REFUSED unexpected RCODE resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ - dup13, - dup50, - dup15, - dup7, - dup9, - dup55, - dup30, - dup56, -])); - -var msg96 = msg("named:20", part157); - -var part158 = match("MESSAGE#82:named:49/0", "nwparser.payload", "REFUSED unexpected RCODE resolving '%{zone}/%{dns_querytype}/IN': %{p0}"); - -var part159 = match("MESSAGE#82:named:49/1_0", "nwparser.p0", "%{daddr}#%{dport}"); - -var part160 = match_copy("MESSAGE#82:named:49/1_1", "nwparser.p0", "fld1"); - -var select33 = linear_select([ - part159, - part160, -]); - -var all34 = all_match({ - processors: [ - part158, - select33, - ], - on_success: processor_chain([ - dup57, - dup50, - dup15, - dup7, - dup9, - dup55, - dup30, - dup35, - ]), -}); - -var msg97 = msg("named:49", all34); - -var part161 = match("MESSAGE#83:named:24/1_0", "nwparser.p0", "%{fld2}: zone transfer%{p0}"); - -var part162 = match("MESSAGE#83:named:24/1_1", "nwparser.p0", "zone transfer%{p0}"); - -var select34 = linear_select([ - part161, - part162, -]); - -var part163 = match("MESSAGE#83:named:24/2", "nwparser.p0", "%{}'%{zone}' %{action}"); - -var all35 = all_match({ - processors: [ - dup58, - select34, - part163, - ], - on_success: processor_chain([ - dup13, - dup7, - dup9, - dup30, - ]), -}); - -var msg98 = msg("named:24", all35); - -var part164 = match("MESSAGE#84:named:26/1_0", "nwparser.p0", "%{fld2}: no more recursive clients %{p0}"); - -var part165 = match("MESSAGE#84:named:26/1_1", "nwparser.p0", "no more recursive clients%{p0}"); - -var select35 = linear_select([ - part164, - part165, -]); - -var part166 = match("MESSAGE#84:named:26/2", "nwparser.p0", "%{}(%{fld3}) %{info}"); - -var all36 = all_match({ - processors: [ - dup58, - select35, - part166, - ], - on_success: processor_chain([ - dup13, - dup7, - dup9, - ]), -}); - -var msg99 = msg("named:26", 
all36); - -var part167 = match("MESSAGE#85:named:27/1_0", "nwparser.p0", "%{fld2->} : %{fld3->} response from Internet for %{p0}"); - -var part168 = match("MESSAGE#85:named:27/1_1", "nwparser.p0", "%{fld3->} response from Internet for %{p0}"); - -var select36 = linear_select([ - part167, - part168, -]); - -var part169 = match_copy("MESSAGE#85:named:27/2", "nwparser.p0", "fld4"); - -var all37 = all_match({ - processors: [ - dup58, - select36, - part169, - ], - on_success: processor_chain([ - dup13, - dup7, - dup9, - ]), -}); - -var msg100 = msg("named:27", all37); - -var part170 = match("MESSAGE#86:named:38/2", "nwparser.p0", "#%{saddr->} %{p0}"); - -var part171 = match("MESSAGE#86:named:38/3_0", "nwparser.p0", "%{sport}#%{fld5->} (%{fld6}):%{p0}"); - -var part172 = match("MESSAGE#86:named:38/3_1", "nwparser.p0", "%{sport->} (%{fld5}):%{p0}"); - -var select37 = linear_select([ - part171, - part172, - dup54, -]); - -var part173 = match("MESSAGE#86:named:38/4", "nwparser.p0", "%{}query%{p0}"); - -var part174 = match("MESSAGE#86:named:38/5_0", "nwparser.p0", " (%{fld7}) '%{domain}/%{fld4}' %{result}"); - -var part175 = match("MESSAGE#86:named:38/5_1", "nwparser.p0", ": %{domain->} %{fld4->} (%{daddr})"); - -var select38 = linear_select([ - part174, - part175, -]); - -var all38 = all_match({ - processors: [ - dup51, - dup73, - part170, - select37, - part173, - select38, - ], - on_success: processor_chain([ - dup13, - dup7, - dup9, - ]), -}); - -var msg101 = msg("named:38", all38); - -var part176 = match("MESSAGE#87:named:39", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: error (%{result}) resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ - dup13, - dup50, - dup15, - dup7, - dup9, - dup55, -])); - -var msg102 = msg("named:39", part176); - -var part177 = match("MESSAGE#88:named:46", "nwparser.payload", "%{event_description}: Authorization denied for the operation (%{fld4}): %{fld5->} (data=\"%{hostip}\", 
source=\"%{hostname}\")", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg103 = msg("named:46", part177); - -var part178 = match("MESSAGE#89:named:64", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}': deleting %{info->} at %{hostname->} %{dns_querytype}", processor_chain([ - dup13, - dup7, - dup9, - dup30, -])); - -var msg104 = msg("named:64", part178); - -var part179 = match("MESSAGE#90:named:45", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': deleting %{info->} at %{hostname->} %{dns_querytype}", processor_chain([ - dup13, - dup7, - dup9, - dup47, -])); - -var msg105 = msg("named:45", part179); - -var part180 = match("MESSAGE#91:named:44/0", "nwparser.payload", "client %{saddr}#%{sport}/key dhcp_updater_default: updating zone '%{p0}"); - -var part181 = match("MESSAGE#91:named:44/1_0", "nwparser.p0", "%{domain}/IN'%{p0}"); - -var part182 = match("MESSAGE#91:named:44/1_1", "nwparser.p0", "%{domain}'%{p0}"); - -var select39 = linear_select([ - part181, - part182, -]); - -var part183 = match("MESSAGE#91:named:44/2", "nwparser.p0", ": %{p0}"); - -var part184 = match("MESSAGE#91:named:44/3_0", "nwparser.p0", "deleting an RR at %{daddr}.in-addr.arpa"); - -var part185 = match("MESSAGE#91:named:44/3_1", "nwparser.p0", "deleting an RR at %{daddr}.%{fld6}"); - -var part186 = match_copy("MESSAGE#91:named:44/3_2", "nwparser.p0", "fld5"); - -var select40 = linear_select([ - part184, - part185, - part186, -]); - -var all39 = all_match({ - processors: [ - part180, - select39, - part183, - select40, - ], - on_success: processor_chain([ - dup13, - dup7, - dup9, - ]), -}); - -var msg106 = msg("named:44", all39); - -var part187 = match("MESSAGE#92:named:43", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): query (%{fld3}) '%{fld4}/%{dns_querytype}/IN' %{result}", processor_chain([ - dup13, - dup7, - dup9, - dup30, -])); - -var msg107 = msg("named:43", part187); - -var part188 = 
match("MESSAGE#93:named:42", "nwparser.payload", "%{result->} resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ - dup13, - dup7, - dup9, - dup56, -])); - -var msg108 = msg("named:42", part188); - -var part189 = match("MESSAGE#94:named:41", "nwparser.payload", "%{fld1}: unable to find root NS '%{domain}'", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg109 = msg("named:41", part189); - -var part190 = match("MESSAGE#95:named:47", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': update %{disposition}: %{event_description}", processor_chain([ - setc("eventcategory","1502000000"), - dup7, - dup9, -])); - -var msg110 = msg("named:47", part190); - -var part191 = match("MESSAGE#96:named:48", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): query '%{zone}' %{result}", processor_chain([ - dup57, - dup7, - dup9, - dup30, -])); - -var msg111 = msg("named:48", part191); - -var part192 = match("MESSAGE#97:named:62", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1->} (%{hostname}): transfer of '%{zone}': %{info}", processor_chain([ - dup13, - dup7, - dup9, - dup30, -])); - -var msg112 = msg("named:62", part192); - -var part193 = match("MESSAGE#98:named:53", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): transfer of '%{zone}': %{info}", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg113 = msg("named:53", part193); - -var part194 = match("MESSAGE#99:named:77", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): query failed (%{error}) for %{fld1}/IN/%{dns_querytype->} at %(unknown):%{fld2}", processor_chain([ - dup49, - dup7, - dup9, - setc("event_description"," query failed"), -])); - -var msg114 = msg("named:77", part194); - -var part195 = match("MESSAGE#100:named:52", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): %{info}", processor_chain([ - dup59, - dup7, - dup9, - dup47, -])); - -var msg115 = msg("named:52", part195); - 
-var part196 = match("MESSAGE#101:named:50", "nwparser.payload", "%{fld1}: %{domain}/%{dns_querytype->} (%{saddr}) %{info}", processor_chain([ - dup59, - dup7, - dup9, -])); - -var msg116 = msg("named:50", part196); - -var part197 = match("MESSAGE#102:named:51", "nwparser.payload", "%{fld1}: %{fld2}: REFUSED", processor_chain([ - dup57, - dup7, - dup9, - dup50, - dup15, - dup55, -])); - -var msg117 = msg("named:51", part197); - -var part198 = match("MESSAGE#103:named:54", "nwparser.payload", "%{hostip}#%{network_port}: GSS-TSIG authentication failed:%{event_description}", processor_chain([ - dup59, - dup7, - dup9, - dup3, - dup15, - dup30, -])); - -var msg118 = msg("named:54", part198); - -var part199 = match("MESSAGE#104:named:55/0", "nwparser.payload", "success resolving '%{domain}/%{dns_querytype}' (in '%{fld1}'?) %{p0}"); - -var part200 = match("MESSAGE#104:named:55/1_0", "nwparser.p0", "after disabling EDNS%{}"); - -var part201 = match_copy("MESSAGE#104:named:55/1_1", "nwparser.p0", "fld2"); - -var select41 = linear_select([ - part200, - part201, -]); - -var all40 = all_match({ - processors: [ - part199, - select41, - ], - on_success: processor_chain([ - dup59, - dup7, - dup9, - dup6, - dup30, - dup60, - ]), -}); - -var msg119 = msg("named:55", all40); - -var part202 = match("MESSAGE#105:named:56", "nwparser.payload", "SERVFAIL unexpected RCODE resolving '%{domain}/%{dns_querytype}/IN':%{hostip}#%{network_port}", processor_chain([ - dup59, - dup7, - dup9, - dup50, - dup15, - dup30, - dup60, -])); - -var msg120 = msg("named:56", part202); - -var part203 = match("MESSAGE#106:named:57", "nwparser.payload", "FORMERR resolving '%{domain}/%{dns_querytype}/IN':%{hostip}#%{network_port}", processor_chain([ - dup59, - dup7, - dup9, - setc("ec_outcome","Error"), - dup30, - dup60, -])); - -var msg121 = msg("named:57", part203); - -var part204 = match("MESSAGE#107:named:04/0", "nwparser.payload", "%{action->} on %{p0}"); - -var part205 = match("MESSAGE#107:named:04/1_0", 
"nwparser.p0", "IPv4 interface %{sinterface}, %{saddr}#%{p0}"); - -var part206 = match("MESSAGE#107:named:04/1_1", "nwparser.p0", "%{saddr}#%{p0}"); - -var select42 = linear_select([ - part205, - part206, -]); - -var part207 = match_copy("MESSAGE#107:named:04/2", "nwparser.p0", "sport"); - -var all41 = all_match({ - processors: [ - part204, - select42, - part207, - ], - on_success: processor_chain([ - dup13, - dup7, - dup9, - ]), -}); - -var msg122 = msg("named:04", all41); - -var part208 = match("MESSAGE#108:named:58", "nwparser.payload", "lame server resolving '%{domain}' (in '%{fld2}'?):%{hostip}#%{network_port}", processor_chain([ - dup59, - dup7, - dup9, - dup30, - dup60, -])); - -var msg123 = msg("named:58", part208); - -var part209 = match("MESSAGE#109:named:59", "nwparser.payload", "exceeded max queries resolving '%{domain}/%{dns_querytype}'", processor_chain([ - dup13, - dup7, - dup9, - dup30, - dup60, -])); - -var msg124 = msg("named:59", part209); - -var part210 = match("MESSAGE#110:named:60", "nwparser.payload", "skipping nameserver '%{hostname}' because it is a CNAME, while resolving '%{domain}/%{dns_querytype}'", processor_chain([ - dup13, - dup7, - dup9, - dup30, - dup60, - setc("event_description","skipping nameserver because it is a CNAME"), -])); - -var msg125 = msg("named:60", part210); - -var part211 = match("MESSAGE#111:named:61", "nwparser.payload", "loading configuration from '%(unknown)'", processor_chain([ - dup13, - dup7, - dup9, - dup30, -])); - -var msg126 = msg("named:61", part211); - -var part212 = match("MESSAGE#112:named:73", "nwparser.payload", "fetch: %{zone}/%{dns_querytype}", processor_chain([ - dup13, - dup7, - dup9, - dup30, - dup35, -])); - -var msg127 = msg("named:73", part212); - -var part213 = match("MESSAGE#113:named:74", "nwparser.payload", "decrement_reference: delete from rbt: %{fld1->} %{domain}", processor_chain([ - dup13, - dup7, - dup9, - dup30, -])); - -var msg128 = msg("named:74", part213); - -var part214 = 
match("MESSAGE#114:named:07/0_0", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): view %{fld2}: query: %{web_query}"); - -var part215 = match_copy("MESSAGE#114:named:07/0_1", "nwparser.payload", "event_description"); - -var select43 = linear_select([ - part214, - part215, -]); - -var all42 = all_match({ - processors: [ - select43, - ], - on_success: processor_chain([ - dup13, - dup7, - dup9, - dup30, - ]), -}); - -var msg129 = msg("named:07", all42); - -var select44 = linear_select([ - msg68, - msg69, - msg70, - msg71, - msg72, - msg73, - msg74, - msg75, - msg76, - msg77, - msg78, - msg79, - msg80, - msg81, - msg82, - msg83, - msg84, - msg85, - msg86, - msg87, - msg88, - msg89, - msg90, - msg91, - msg92, - msg93, - msg94, - msg95, - msg96, - msg97, - msg98, - msg99, - msg100, - msg101, - msg102, - msg103, - msg104, - msg105, - msg106, - msg107, - msg108, - msg109, - msg110, - msg111, - msg112, - msg113, - msg114, - msg115, - msg116, - msg117, - msg118, - msg119, - msg120, - msg121, - msg122, - msg123, - msg124, - msg125, - msg126, - msg127, - msg128, - msg129, -]); - -var part216 = match("MESSAGE#115:pidof:01", "nwparser.payload", "can't read sid from %{agent}", processor_chain([ - dup16, - dup7, - dup9, - setc("event_description","can't read sid"), -])); - -var msg130 = msg("pidof:01", part216); - -var part217 = match("MESSAGE#116:pidof", "nwparser.payload", "can't get program name from %{agent}", processor_chain([ - dup16, - dup7, - dup9, -])); - -var msg131 = msg("pidof", part217); - -var select45 = linear_select([ - msg130, - msg131, -]); - -var part218 = match("MESSAGE#117:validate_dhcpd:01", "nwparser.payload", "Configured local-address not available as source address for DNS updates. 
%{result}", processor_chain([ - dup16, - dup7, - dup9, - setc("event_description","Configured local-address not available as source address for DNS updates"), -])); - -var msg132 = msg("validate_dhcpd:01", part218); - -var msg133 = msg("validate_dhcpd", dup74); - -var select46 = linear_select([ - msg132, - msg133, -]); - -var msg134 = msg("syslog-ng", dup65); - -var part219 = match("MESSAGE#120:kernel", "nwparser.payload", "Linux version %{version->} (%{from}) (%{fld1}) %{fld2}", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg135 = msg("kernel", part219); - -var msg136 = msg("kernel:01", dup65); - -var select47 = linear_select([ - msg135, - msg136, -]); - -var msg137 = msg("radiusd", dup65); - -var part220 = match("MESSAGE#123:rc", "nwparser.payload", "executing %{agent->} start", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg138 = msg("rc", part220); - -var msg139 = msg("rc3", dup65); - -var part221 = match("MESSAGE#125:rcsysinit", "nwparser.payload", "fsck from %{version}", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg140 = msg("rcsysinit", part221); - -var msg141 = msg("rcsysinit:01", dup65); - -var select48 = linear_select([ - msg140, - msg141, -]); - -var part222 = match("MESSAGE#126:watchdog", "nwparser.payload", "opened %(unknown), with timeout = %{duration->} secs", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg142 = msg("watchdog", part222); - -var part223 = match("MESSAGE#127:watchdog:01", "nwparser.payload", "%{action}, pid = %{process_id}", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg143 = msg("watchdog:01", part223); - -var part224 = match("MESSAGE#128:watchdog:02", "nwparser.payload", "received %{fld1}, cancelling softdog and exiting...", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg144 = msg("watchdog:02", part224); - -var part225 = match("MESSAGE#129:watchdog:03", "nwparser.payload", "%{filename->} could not be opened, errno = %{resultcode}", processor_chain([ - dup16, 
- dup7, - dup9, -])); - -var msg145 = msg("watchdog:03", part225); - -var msg146 = msg("watchdog:04", dup65); - -var select49 = linear_select([ - msg142, - msg143, - msg144, - msg145, - msg146, -]); - -var msg147 = msg("init", dup65); - -var part226 = match("MESSAGE#131:logger", "nwparser.payload", "%{action}: %{saddr}/%{mask->} to %{interface}", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg148 = msg("logger", part226); - -var msg149 = msg("logger:01", dup65); - -var select50 = linear_select([ - msg148, - msg149, -]); - -var part227 = match("MESSAGE#133:openvpn-member", "nwparser.payload", "read %{protocol->} [%{info}] %{event_description->} (code=%{resultcode})", processor_chain([ - dup16, - dup7, - dup9, -])); - -var msg150 = msg("openvpn-member", part227); - -var msg151 = msg("openvpn-member:01", dup75); - -var part228 = match("MESSAGE#135:openvpn-member:02", "nwparser.payload", "Options error: %{event_description}", processor_chain([ - dup16, - dup7, - dup9, -])); - -var msg152 = msg("openvpn-member:02", part228); - -var part229 = match("MESSAGE#136:openvpn-member:03", "nwparser.payload", "OpenVPN %{version->} [%{protocol}] [%{fld2}] %{info}", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg153 = msg("openvpn-member:03", part229); - -var msg154 = msg("openvpn-member:04", dup76); - -var msg155 = msg("openvpn-member:05", dup65); - -var select51 = linear_select([ - msg150, - msg151, - msg152, - msg153, - msg154, - msg155, -]); - -var part230 = match("MESSAGE#139:sshd", "nwparser.payload", "Server listening on %{hostip->} port %{network_port}.", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg156 = msg("sshd", part230); - -var part231 = match("MESSAGE#140:sshd:01/0", "nwparser.payload", "Accepted password for %{p0}"); - -var part232 = match("MESSAGE#140:sshd:01/1_0", "nwparser.p0", "root from %{p0}"); - -var part233 = match("MESSAGE#140:sshd:01/1_1", "nwparser.p0", "%{username->} from %{p0}"); - -var select52 = linear_select([ - 
part232, - part233, -]); - -var part234 = match("MESSAGE#140:sshd:01/2", "nwparser.p0", "%{saddr->} port %{sport->} %{protocol}"); - -var all43 = all_match({ - processors: [ - part231, - select52, - part234, - ], - on_success: processor_chain([ - dup13, - dup7, - dup9, - ]), -}); - -var msg157 = msg("sshd:01", all43); - -var part235 = match("MESSAGE#141:sshd:02", "nwparser.payload", "Connection closed by %{hostip}", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg158 = msg("sshd:02", part235); - -var part236 = match("MESSAGE#142:sshd:03", "nwparser.payload", "%{severity}: Bind to port %{network_port->} on %{hostip->} %{result}: %{event_description}", processor_chain([ - dup16, - dup7, - dup9, -])); - -var msg159 = msg("sshd:03", part236); - -var part237 = match("MESSAGE#143:sshd:04", "nwparser.payload", "%{severity}: Cannot bind any address.", processor_chain([ - setc("eventcategory","1601000000"), - dup7, - dup9, -])); - -var msg160 = msg("sshd:04", part237); - -var part238 = match("MESSAGE#144:sshd:05", "nwparser.payload", "%{action}: logout() %{result}", processor_chain([ - dup2, - dup3, - dup5, - dup15, - dup7, - dup9, - setc("event_description","logout"), -])); - -var msg161 = msg("sshd:05", part238); - -var part239 = match("MESSAGE#145:sshd:06", "nwparser.payload", "Did not receive identification string from %{saddr}", processor_chain([ - dup16, - dup7, - setc("result","no identification string"), - setc("event_description","Did not receive identification string from peer"), -])); - -var msg162 = msg("sshd:06", part239); - -var part240 = match("MESSAGE#146:sshd:07", "nwparser.payload", "Sleep 60 seconds for slowing down ssh login%{}", processor_chain([ - dup13, - dup7, - setc("result","slowing down ssh login"), - setc("event_description","Sleep 60 seconds"), -])); - -var msg163 = msg("sshd:07", part240); - -var part241 = match("MESSAGE#147:sshd:08", "nwparser.payload", "%{authmethod->} authentication succeeded for user %{username}", 
processor_chain([ - setc("eventcategory","1302010300"), - dup7, - setc("event_description","authentication succeeded"), - dup9, - dup61, -])); - -var msg164 = msg("sshd:08", part241); - -var part242 = match("MESSAGE#148:sshd:09", "nwparser.payload", "User group = %{group}", processor_chain([ - dup13, - dup7, - dup9, - setc("event_description","User group"), - dup61, -])); - -var msg165 = msg("sshd:09", part242); - -var part243 = match("MESSAGE#149:sshd:10", "nwparser.payload", "Bad protocol version identification '%{protocol_detail}' from %{saddr}", processor_chain([ - dup13, - dup7, - dup9, - setc("event_description","Bad protocol version identification"), - dup61, -])); - -var msg166 = msg("sshd:10", part243); - -var select53 = linear_select([ - msg156, - msg157, - msg158, - msg159, - msg160, - msg161, - msg162, - msg163, - msg164, - msg165, - msg166, -]); - -var part244 = match("MESSAGE#150:openvpn-master", "nwparser.payload", "OpenVPN %{version->} [%{protocol}] [%{fld1}] %{info}", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg167 = msg("openvpn-master", part244); - -var part245 = match("MESSAGE#151:openvpn-master:01", "nwparser.payload", "read %{protocol->} [%{info}]: %{event_description->} (code=%{resultcode})", processor_chain([ - dup16, - dup7, - dup9, -])); - -var msg168 = msg("openvpn-master:01", part245); - -var msg169 = msg("openvpn-master:02", dup75); - -var part246 = match("MESSAGE#153:openvpn-master:03", "nwparser.payload", "%{saddr}:%{sport->} TLS Error: TLS handshake failed", processor_chain([ - dup16, - dup7, - dup9, -])); - -var msg170 = msg("openvpn-master:03", part246); - -var part247 = match("MESSAGE#154:openvpn-master:04", "nwparser.payload", "%{fld1}/%{saddr}:%{sport->} [%{fld2}] %{event_description}", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg171 = msg("openvpn-master:04", part247); - -var part248 = match("MESSAGE#155:openvpn-master:05", "nwparser.payload", "%{saddr}:%{sport->} [%{fld1}] %{event_description}", 
processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg172 = msg("openvpn-master:05", part248); - -var msg173 = msg("openvpn-master:06", dup76); - -var msg174 = msg("openvpn-master:07", dup65); - -var select54 = linear_select([ - msg167, - msg168, - msg169, - msg170, - msg171, - msg172, - msg173, - msg174, -]); - -var part249 = match("MESSAGE#158:INFOBLOX-Grid", "nwparser.payload", "Grid member at %{saddr->} %{event_description}", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg175 = msg("INFOBLOX-Grid", part249); - -var part250 = match("MESSAGE#159:INFOBLOX-Grid:02/0_0", "nwparser.payload", "Started%{p0}"); - -var part251 = match("MESSAGE#159:INFOBLOX-Grid:02/0_1", "nwparser.payload", "Completed%{p0}"); - -var select55 = linear_select([ - part250, - part251, -]); - -var part252 = match("MESSAGE#159:INFOBLOX-Grid:02/1", "nwparser.p0", "%{}distribution on member with IP address %{saddr}"); - -var all44 = all_match({ - processors: [ - select55, - part252, - ], - on_success: processor_chain([ - dup13, - dup7, - dup9, - ]), -}); - -var msg176 = msg("INFOBLOX-Grid:02", all44); - -var part253 = match("MESSAGE#160:INFOBLOX-Grid:03", "nwparser.payload", "Upgrade Complete%{}", processor_chain([ - dup13, - dup7, - dup9, - setc("event_description","Upgrade Complete"), -])); - -var msg177 = msg("INFOBLOX-Grid:03", part253); - -var part254 = match("MESSAGE#161:INFOBLOX-Grid:04", "nwparser.payload", "Upgrade to %{fld1}", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg178 = msg("INFOBLOX-Grid:04", part254); - -var select56 = linear_select([ - msg175, - msg176, - msg177, - msg178, -]); - -var part255 = match("MESSAGE#162:db_jnld", "nwparser.payload", "Grid member at %{saddr->} is online.", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg179 = msg("db_jnld", part255); - -var part256 = match("MESSAGE#219:db_jnld:01/0", "nwparser.payload", "Resolved conflict for replicated delete of %{p0}"); - -var part257 = match("MESSAGE#219:db_jnld:01/1_0", 
"nwparser.p0", "PTR %{p0}"); - -var part258 = match("MESSAGE#219:db_jnld:01/1_1", "nwparser.p0", "TXT %{p0}"); - -var part259 = match("MESSAGE#219:db_jnld:01/1_2", "nwparser.p0", "A %{p0}"); - -var part260 = match("MESSAGE#219:db_jnld:01/1_3", "nwparser.p0", "CNAME %{p0}"); - -var part261 = match("MESSAGE#219:db_jnld:01/1_4", "nwparser.p0", "SRV %{p0}"); - -var select57 = linear_select([ - part257, - part258, - part259, - part260, - part261, -]); - -var part262 = match("MESSAGE#219:db_jnld:01/2", "nwparser.p0", "\"%{fld1}\" in zone \"%{zone}\""); - -var all45 = all_match({ - processors: [ - part256, - select57, - part262, - ], - on_success: processor_chain([ - dup13, - dup7, - dup9, - ]), -}); - -var msg180 = msg("db_jnld:01", all45); - -var select58 = linear_select([ - msg179, - msg180, -]); - -var part263 = match("MESSAGE#163:sSMTP/0", "nwparser.payload", "Sent mail for %{to->} (%{fld1}) %{p0}"); - -var part264 = match("MESSAGE#163:sSMTP/1_0", "nwparser.p0", "uid=%{uid->} username=%{username->} outbytes=%{sbytes}"); - -var part265 = match_copy("MESSAGE#163:sSMTP/1_1", "nwparser.p0", "space"); - -var select59 = linear_select([ - part264, - part265, -]); - -var all46 = all_match({ - processors: [ - part263, - select59, - ], - on_success: processor_chain([ - dup13, - dup7, - dup9, - ]), -}); - -var msg181 = msg("sSMTP", all46); - -var part266 = match("MESSAGE#164:sSMTP:02", "nwparser.payload", "Cannot open %{hostname}:%{network_port}", processor_chain([ - dup16, - dup7, - dup9, -])); - -var msg182 = msg("sSMTP:02", part266); - -var part267 = match("MESSAGE#165:sSMTP:03", "nwparser.payload", "Unable to locate %{hostname}.", processor_chain([ - dup16, - dup7, - dup9, -])); - -var msg183 = msg("sSMTP:03", part267); - -var msg184 = msg("sSMTP:04", dup74); - -var select60 = linear_select([ - msg181, - msg182, - msg183, - msg184, -]); - -var part268 = match("MESSAGE#167:scheduled_backups", "nwparser.payload", "Backup to %{device->} was successful - Backup file 
%(unknown)", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg185 = msg("scheduled_backups", part268); - -var part269 = match("MESSAGE#168:scheduled_ftp_backups", "nwparser.payload", "Scheduled backup to the %{device->} was successful - Backup file %(unknown)", processor_chain([ - dup13, - dup7, - dup9, - setc("event_description","Scheduled backup to the FTP server was successful"), -])); - -var msg186 = msg("scheduled_ftp_backups", part269); - -var part270 = match("MESSAGE#169:failed_scheduled_ftp_backups", "nwparser.payload", "Scheduled backup to the %{device->} failed - %{result}.", processor_chain([ - dup16, - dup7, - dup9, - setc("event_description","Scheduled backup to the FTP server failed"), -])); - -var msg187 = msg("failed_scheduled_ftp_backups", part270); - -var select61 = linear_select([ - msg186, - msg187, -]); - -var part271 = match("MESSAGE#170:scheduled_scp_backups", "nwparser.payload", "Scheduled backup to the %{device->} was successful - Backup file %(unknown)", processor_chain([ - dup13, - dup7, - dup9, - setc("event_description","Scheduled backup to the SCP server was successful"), -])); - -var msg188 = msg("scheduled_scp_backups", part271); - -var part272 = match("MESSAGE#171:python", "nwparser.payload", "%{action->} even though zone '%{zone}' in view '%{fld1}' is locked.", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg189 = msg("python", part272); - -var part273 = match("MESSAGE#172:python:01", "nwparser.payload", "%{action->} (algorithm=%{fld1}, key tag=%{fld2}, key size=%{fld3}): '%{hostname}' in view '%{fld4}'.", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg190 = msg("python:01", part273); - -var part274 = match("MESSAGE#173:python:02", "nwparser.payload", "%{action}: '%{hostname}' in view '%{fld1}'.", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg191 = msg("python:02", part274); - -var part275 = match("MESSAGE#174:python:03", "nwparser.payload", "%{action}: FQDN='%{domain}', 
ADDRESS='%{saddr}', View='%{fld1}'", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg192 = msg("python:03", part275); - -var part276 = match("MESSAGE#175:python:04", "nwparser.payload", "%{action}: FQDN='%{domain}', View='%{fld1}'", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg193 = msg("python:04", part276); - -var part277 = match("MESSAGE#176:python:05", "nwparser.payload", "%{fld1}: %{fld2}.%{fld3->} [%{username}]: Populated %{zone->} %{hostname->} DnsView=%{fld4}", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg194 = msg("python:05", part277); - -var msg195 = msg("python:06", dup65); - -var select62 = linear_select([ - msg189, - msg190, - msg191, - msg192, - msg193, - msg194, - msg195, -]); - -var part278 = match("MESSAGE#178:monitor", "nwparser.payload", "Type: %{protocol}, State: %{event_state}, Event: %{event_description}.", processor_chain([ - dup12, - dup7, - dup9, -])); - -var msg196 = msg("monitor", part278); - -var part279 = match("MESSAGE#179:snmptrapd", "nwparser.payload", "NET-SNMP version %{version->} %{event_description}", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg197 = msg("snmptrapd", part279); - -var part280 = match("MESSAGE#180:snmptrapd:01", "nwparser.payload", "lock in %{fld1->} sleeps more than %{duration->} milliseconds in %{fld2}", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg198 = msg("snmptrapd:01", part280); - -var msg199 = msg("snmptrapd:02", dup65); - -var select63 = linear_select([ - msg197, - msg198, - msg199, -]); - -var part281 = match("MESSAGE#182:ntpdate", "nwparser.payload", "adjust time server %{saddr->} offset %{duration->} sec", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg200 = msg("ntpdate", part281); - -var msg201 = msg("ntpdate:01", dup74); - -var select64 = linear_select([ - msg200, - msg201, -]); - -var msg202 = msg("phonehome", dup65); - -var part282 = match("MESSAGE#185:purge_scheduled_tasks", "nwparser.payload", "Scheduled tasks have 
been purged%{}", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg203 = msg("purge_scheduled_tasks", part282); - -var part283 = match("MESSAGE#186:serial_console:04", "nwparser.payload", "%{fld20->} %{fld21}.%{fld22->} [%{domain}]: Login_Denied - - to=%{terminal->} apparently_via=%{info->} ip=%{saddr->} error=%{result}", processor_chain([ - dup14, - dup3, - dup4, - dup11, - dup15, - dup7, - date_time({ - dest: "event_time", - args: ["fld20","fld21"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], - ], - }), - dup9, - setc("event_description","Login Denied"), -])); - -var msg204 = msg("serial_console:04", part283); - -var part284 = match("MESSAGE#187:serial_console:03", "nwparser.payload", "No authentication methods succeeded for user %{username}", processor_chain([ - dup14, - dup3, - dup4, - dup11, - dup15, - dup7, - dup9, - setc("event_description","No authentication methods succeeded for user"), -])); - -var msg205 = msg("serial_console:03", part284); - -var part285 = match("MESSAGE#188:serial_console", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Allowed - - to=%{terminal->} apparently_via=%{info->} auth=%{authmethod->} group=%{group}", processor_chain([ - dup10, - dup3, - dup4, - dup11, - dup6, - dup7, - dup8, - dup9, -])); - -var msg206 = msg("serial_console", part285); - -var part286 = match("MESSAGE#189:serial_console:01", "nwparser.payload", "RADIUS authentication succeeded for user %{username}", processor_chain([ - setc("eventcategory","1302010100"), - dup3, - dup4, - dup11, - dup6, - dup7, - dup9, - setc("event_description","RADIUS authentication succeeded for user"), -])); - -var msg207 = msg("serial_console:01", part286); - -var part287 = match("MESSAGE#190:serial_console:02", "nwparser.payload", "User group = %{group}", processor_chain([ - dup13, - dup7, - dup9, - setc("event_description","User group identification"), -])); - -var msg208 = msg("serial_console:02", part287); - -var part288 = 
match("MESSAGE#205:serial_console:05", "nwparser.payload", "%{fld1->} [%{username}]: rebooted the system", processor_chain([ - dup13, - dup7, - dup9, - setc("event_description","system reboot"), -])); - -var msg209 = msg("serial_console:05", part288); - -var part289 = match("MESSAGE#214:serial_console:06", "nwparser.payload", "Local authentication succeeded for user %{username}", processor_chain([ - dup13, - dup7, - dup9, - setc("event_description","Local authentication succeeded for user"), -])); - -var msg210 = msg("serial_console:06", part289); - -var select65 = linear_select([ - msg204, - msg205, - msg206, - msg207, - msg208, - msg209, - msg210, -]); - -var msg211 = msg("rc6", dup65); - -var msg212 = msg("acpid", dup65); - -var msg213 = msg("diskcheck", dup65); - -var part290 = match("MESSAGE#210:debug_mount", "nwparser.payload", "mount %{event_description}", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg214 = msg("debug_mount", part290); - -var msg215 = msg("smart_check_io", dup65); - -var msg216 = msg("speedstep_control", dup65); - -var part291 = match("MESSAGE#215:controld", "nwparser.payload", "Distribution Started%{}", processor_chain([ - dup13, - dup7, - dup9, - setc("event_description","Distribution Started"), -])); - -var msg217 = msg("controld", part291); - -var part292 = match("MESSAGE#216:controld:02", "nwparser.payload", "Distribution Complete%{}", processor_chain([ - dup13, - dup7, - dup9, - setc("event_description","Distribution Complete"), -])); - -var msg218 = msg("controld:02", part292); - -var select66 = linear_select([ - msg217, - msg218, -]); - -var part293 = match("MESSAGE#217:shutdown", "nwparser.payload", "shutting down for system reboot%{}", processor_chain([ - dup13, - dup7, - dup9, - setc("event_description","shutting down for system reboot"), -])); - -var msg219 = msg("shutdown", part293); - -var part294 = match("MESSAGE#218:ntpd_initres", "nwparser.payload", "ntpd exiting on signal 15%{}", processor_chain([ - dup13, - 
dup7, - dup9, - setc("event_description","ntpd exiting"), -])); - -var msg220 = msg("ntpd_initres", part294); - -var part295 = match("MESSAGE#220:rsyncd", "nwparser.payload", "name lookup failed for %{saddr}: %{info}", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg221 = msg("rsyncd", part295); - -var part296 = match("MESSAGE#221:rsyncd:01", "nwparser.payload", "connect from %{shost->} (%{saddr})", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg222 = msg("rsyncd:01", part296); - -var part297 = match("MESSAGE#222:rsyncd:02", "nwparser.payload", "rsync on %{filename->} from %{shost->} (%{saddr})", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg223 = msg("rsyncd:02", part297); - -var part298 = match("MESSAGE#223:rsyncd:03", "nwparser.payload", "sent %{sbytes->} bytes received %{rbytes->} bytes total size %{fld1}", processor_chain([ - dup13, - dup7, - dup9, -])); - -var msg224 = msg("rsyncd:03", part298); - -var part299 = match("MESSAGE#224:rsyncd:04", "nwparser.payload", "building file list%{}", processor_chain([ - dup13, - dup7, - setc("event_description","building file list"), - dup9, -])); - -var msg225 = msg("rsyncd:04", part299); - -var select67 = linear_select([ - msg221, - msg222, - msg223, - msg224, - msg225, -]); - -var msg226 = msg("syslog", dup77); - -var msg227 = msg("restarting", dup77); - -var part300 = match_copy("MESSAGE#227:ipmievd", "nwparser.payload", "fld1", processor_chain([ - dup13, - dup7, - dup9, - dup62, -])); - -var msg228 = msg("ipmievd", part300); - -var part301 = match("MESSAGE#228:netauto_discovery", "nwparser.payload", "%{agent}: Processing path%{fld1}, vnid [%{fld2}]", processor_chain([ - dup59, - dup7, - dup9, - dup61, -])); - -var msg229 = msg("netauto_discovery", part301); - -var part302 = match("MESSAGE#229:netauto_discovery:01", "nwparser.payload", "%{agent}:%{fld1}(%{fld2})%{hostip}/%{fld3}:%{product}ver%{version->} device does not answer to lldpRem OID requests, skipping LLDP Neighbors poll", 
processor_chain([ - dup59, - dup7, - dup9, - dup61, - setc("event_description","device does not answer to lldpRem OID requests, skipping LLDP Neighbors poll"), -])); - -var msg230 = msg("netauto_discovery:01", part302); - -var part303 = match("MESSAGE#230:netauto_discovery:02", "nwparser.payload", "%{agent}:%{space}Static address already set with IP:%{hostip}, Processing%{fld1}", processor_chain([ - dup59, - dup7, - dup9, - dup61, -])); - -var msg231 = msg("netauto_discovery:02", part303); - -var part304 = match("MESSAGE#231:netauto_discovery:03", "nwparser.payload", "%{agent}:%{fld1}(%{fld2})%{hostip}/%{fld3}: SNMP Credentials: Failed to authenticate", processor_chain([ - dup63, - dup7, - dup9, - dup61, - dup15, -])); - -var msg232 = msg("netauto_discovery:03", part304); - -var select68 = linear_select([ - msg229, - msg230, - msg231, - msg232, -]); - -var part305 = match("MESSAGE#232:netauto_core:01", "nwparser.payload", "%{agent}: Attempting CLI on device%{device}with interface not in table, ip%{hostip}", processor_chain([ - dup59, - dup7, - dup9, - dup61, -])); - -var msg233 = msg("netauto_core:01", part305); - -var part306 = match("MESSAGE#233:netauto_core", "nwparser.payload", "netautoctl:%{event_description}", processor_chain([ - dup59, - dup7, - dup9, - dup61, -])); - -var msg234 = msg("netauto_core", part306); - -var select69 = linear_select([ - msg233, - msg234, -]); - -var part307 = match_copy("MESSAGE#234:captured_dns_uploader", "nwparser.payload", "event_description", processor_chain([ - dup49, - dup7, - dup9, - dup61, - dup15, -])); - -var msg235 = msg("captured_dns_uploader", part307); - -var part308 = match("MESSAGE#235:DIS", "nwparser.payload", "%{fld1}:%{fld2}: Device%{device}/%{hostip}login failure%{result}", processor_chain([ - dup63, - dup7, - dup9, - dup61, - dup11, - dup15, -])); - -var msg236 = msg("DIS", part308); - -var part309 = match("MESSAGE#236:DIS:01", "nwparser.payload", "%{fld2}: %{fld3}: Attempting discover-now for %{hostip->} on 
%{fld4}, using session ID", processor_chain([ - dup59, - dup7, - dup9, - dup61, -])); - -var msg237 = msg("DIS:01", part309); - -var select70 = linear_select([ - msg236, - msg237, -]); - -var part310 = match_copy("MESSAGE#237:ErrorMsg", "nwparser.payload", "result", processor_chain([ - dup64, - dup7, - dup9, - dup61, -])); - -var msg238 = msg("ErrorMsg", part310); - -var part311 = match("MESSAGE#238:tacacs_acct", "nwparser.payload", "%{fld1}: Server %{daddr->} port %{dport}: %{event_description}", processor_chain([ - dup13, - dup7, - dup9, - dup61, -])); - -var msg239 = msg("tacacs_acct", part311); - -var part312 = match("MESSAGE#239:tacacs_acct:01", "nwparser.payload", "%{fld1}: Accounting request failed. %{fld2}Server is %{daddr}, port is %{dport}.", processor_chain([ - dup64, - dup7, - dup9, - dup61, - setc("event_description","Accounting request failed."), -])); - -var msg240 = msg("tacacs_acct:01", part312); - -var part313 = match("MESSAGE#240:tacacs_acct:02", "nwparser.payload", "%{fld1}: Read %{fld2->} bytes from server %{daddr->} port %{dport}, expecting %{fld3}", processor_chain([ - dup13, - dup7, - dup9, - dup61, -])); - -var msg241 = msg("tacacs_acct:02", part313); - -var select71 = linear_select([ - msg239, - msg240, - msg241, -]); - -var part314 = match("MESSAGE#241:dhcpdv6", "nwparser.payload", "Relay-forward message from %{saddr_v6->} port %{sport}, link address %{fld1}, peer address %{daddr_v6}", processor_chain([ - dup13, - dup7, - dup9, - dup30, - setc("event_description","Relay-forward message"), -])); - -var msg242 = msg("dhcpdv6", part314); - -var part315 = match("MESSAGE#242:dhcpdv6:01", "nwparser.payload", "Encapsulated Solicit message from %{saddr_v6->} port %{sport->} from client DUID %{fld1}, transaction ID %{id}", processor_chain([ - dup13, - dup7, - dup9, - dup30, - setc("event_description","Encapsulated Solicit message"), -])); - -var msg243 = msg("dhcpdv6:01", part315); - -var part316 = match("MESSAGE#243:dhcpdv6:02", 
"nwparser.payload", "Client %{fld1}, IP '%{fld2}': No addresses available for this interface", processor_chain([ - dup13, - dup7, - dup9, - dup30, - setc("event_description","IP unknown - No addresses available for this interface"), -])); - -var msg244 = msg("dhcpdv6:02", part316); - -var part317 = match("MESSAGE#244:dhcpdv6:03", "nwparser.payload", "Encapsulating Advertise message to send to %{saddr_v6->} port %{sport}", processor_chain([ - dup13, - dup7, - dup9, - dup30, - setc("event_description","Encapsulating Advertise message"), -])); - -var msg245 = msg("dhcpdv6:03", part317); - -var part318 = match("MESSAGE#245:dhcpdv6:04", "nwparser.payload", "Sending Relay-reply message to %{saddr_v6->} port %{sport}", processor_chain([ - dup13, - dup7, - dup9, - dup30, - setc("event_description","Sending Relay-reply message"), -])); - -var msg246 = msg("dhcpdv6:04", part318); - -var part319 = match("MESSAGE#246:dhcpdv6:05", "nwparser.payload", "Encapsulated Information-request message from %{saddr_v6->} port %{sport}, transaction ID %{id}", processor_chain([ - dup13, - dup7, - dup9, - dup30, - setc("event_description","Encapsulated Information-request message"), -])); - -var msg247 = msg("dhcpdv6:05", part319); - -var part320 = match("MESSAGE#247:dhcpdv6:06", "nwparser.payload", "Encapsulating Reply message to send to %{saddr_v6->} port %{sport}", processor_chain([ - dup13, - dup7, - dup9, - dup30, - setc("event_description","Encapsulating Reply message"), -])); - -var msg248 = msg("dhcpdv6:06", part320); - -var part321 = match("MESSAGE#248:dhcpdv6:07", "nwparser.payload", "Encapsulated Renew message from %{saddr_v6->} port %{sport->} from client DUID %{fld1}, transaction ID %{id}", processor_chain([ - dup13, - dup7, - dup9, - dup30, - setc("event_description","Encapsulated Renew message"), -])); - -var msg249 = msg("dhcpdv6:07", part321); - -var part322 = match("MESSAGE#249:dhcpdv6:08", "nwparser.payload", "Reply NA: address %{saddr_v6->} to client with duid %{fld1->} 
iaid = %{fld2->} static", processor_chain([ - dup13, - dup7, - dup9, - dup30, -])); - -var msg250 = msg("dhcpdv6:08", part322); - -var msg251 = msg("dhcpdv6:09", dup69); - -var select72 = linear_select([ - msg242, - msg243, - msg244, - msg245, - msg246, - msg247, - msg248, - msg249, - msg250, - msg251, -]); - -var msg252 = msg("debug", dup69); - -var part323 = match("MESSAGE#252:cloud_api", "nwparser.payload", "proxying request to %{hostname}(%{hostip}) %{web_method->} %{url->} %{protocol->} %{info}", processor_chain([ - dup13, - dup7, - dup9, - dup30, - setc("event_description","proxying request"), -])); - -var msg253 = msg("cloud_api", part323); - -var chain1 = processor_chain([ - select3, - msgid_select({ - "DIS": select70, - "ErrorMsg": msg238, - "INFOBLOX-Grid": select56, - "acpid": msg212, - "captured_dns_uploader": msg235, - "cloud_api": msg253, - "controld": select66, - "db_jnld": select58, - "debug": msg252, - "debug_mount": msg214, - "dhcpd": select14, - "dhcpdv6": select72, - "diskcheck": msg213, - "httpd": select4, - "in.tftpd": select5, - "init": msg147, - "ipmievd": msg228, - "kernel": select47, - "logger": select50, - "monitor": msg196, - "named": select44, - "netauto_core": select69, - "netauto_discovery": select68, - "ntpd": select15, - "ntpd_initres": msg220, - "ntpdate": select64, - "openvpn-master": select54, - "openvpn-member": select51, - "phonehome": msg202, - "pidof": select45, - "purge_scheduled_tasks": msg203, - "python": select62, - "radiusd": msg137, - "rc": msg138, - "rc3": msg139, - "rc6": msg211, - "rcsysinit": select48, - "restarting": msg227, - "rsyncd": select67, - "sSMTP": select60, - "scheduled_backups": msg185, - "scheduled_ftp_backups": select61, - "scheduled_scp_backups": msg188, - "serial_console": select65, - "shutdown": msg219, - "smart_check_io": msg215, - "snmptrapd": select63, - "speedstep_control": msg216, - "sshd": select53, - "syslog": msg226, - "syslog-ng": msg134, - "tacacs_acct": select71, - "validate_dhcpd": 
select46, - "watchdog": select49, - }), -]); - -var hdr6 = match("HEADER#1:006/0", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{p0}"); - -var part324 = match("MESSAGE#19:dhcpd:18/0", "nwparser.payload", "%{} %{p0}"); - -var part325 = match("MESSAGE#19:dhcpd:18/1_0", "nwparser.p0", "Added %{p0}"); - -var part326 = match("MESSAGE#19:dhcpd:18/1_1", "nwparser.p0", "added %{p0}"); - -var part327 = match("MESSAGE#25:dhcpd:03/1_0", "nwparser.p0", "(%{dhost}) via %{p0}"); - -var part328 = match("MESSAGE#25:dhcpd:03/1_1", "nwparser.p0", "via %{p0}"); - -var part329 = match("MESSAGE#28:dhcpd:09/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} from %{smacaddr->} %{p0}"); - -var part330 = match("MESSAGE#28:dhcpd:09/1_0", "nwparser.p0", "(%{shost}) via %{p0}"); - -var part331 = match("MESSAGE#31:dhcpd:11/2", "nwparser.p0", "%{interface}"); - -var part332 = match("MESSAGE#38:dhcpd:14/2", "nwparser.p0", "%{interface->} relay %{fld1->} lease-duration %{duration}"); - -var part333 = match("MESSAGE#53:named:16/1_0", "nwparser.p0", "approved%{}"); - -var part334 = match("MESSAGE#53:named:16/1_1", "nwparser.p0", "denied%{}"); - -var part335 = match("MESSAGE#56:named:01/0", "nwparser.payload", "client %{saddr}#%{p0}"); - -var part336 = match("MESSAGE#57:named:17/1_0", "nwparser.p0", "IN%{p0}"); - -var part337 = match("MESSAGE#57:named:17/1_1", "nwparser.p0", "CH%{p0}"); - -var part338 = match("MESSAGE#57:named:17/1_2", "nwparser.p0", "HS%{p0}"); - -var part339 = match("MESSAGE#57:named:17/3_1", "nwparser.p0", "%{action->} at '%{p0}"); - -var part340 = match("MESSAGE#57:named:17/4_0", "nwparser.p0", "%{hostip}.in-addr.arpa' %{p0}"); - -var part341 = match("MESSAGE#57:named:17/5_0", "nwparser.p0", "%{dns_querytype->} \"%{fld3}\""); - -var part342 = match("MESSAGE#57:named:17/5_1", "nwparser.p0", "%{dns_querytype->} %{hostip}"); - -var part343 = match_copy("MESSAGE#57:named:17/5_2", "nwparser.p0", "dns_querytype"); - -var part344 = match_copy("MESSAGE#60:named:19/2", 
"nwparser.p0", "event_description"); - -var part345 = match_copy("MESSAGE#66:named:25/1_1", "nwparser.p0", "result"); - -var part346 = match("MESSAGE#67:named:63/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: client %{p0}"); - -var part347 = match("MESSAGE#67:named:63/1_0", "nwparser.p0", "%{fld9->} %{p0}"); - -var part348 = match("MESSAGE#67:named:63/1_1", "nwparser.p0", "%{p0}"); - -var part349 = match("MESSAGE#74:named:10/1_3", "nwparser.p0", "%{sport}:%{p0}"); - -var part350 = match("MESSAGE#83:named:24/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): %{p0}"); - -var part351 = match_copy("MESSAGE#7:httpd:06", "nwparser.payload", "event_description", processor_chain([ - dup13, - dup7, - dup9, -])); - -var select73 = linear_select([ - dup18, - dup19, -]); - -var select74 = linear_select([ - dup21, - dup22, -]); - -var select75 = linear_select([ - dup26, - dup22, -]); - -var part352 = match_copy("MESSAGE#204:dhcpd:37", "nwparser.payload", "event_description", processor_chain([ - dup13, - dup7, - dup9, - dup30, -])); - -var select76 = linear_select([ - dup33, - dup34, -]); - -var select77 = linear_select([ - dup37, - dup38, - dup39, -]); - -var select78 = linear_select([ - dup42, - dup43, - dup44, -]); - -var select79 = linear_select([ - dup52, - dup53, -]); - -var part353 = match_copy("MESSAGE#118:validate_dhcpd", "nwparser.payload", "event_description", processor_chain([ - dup16, - dup7, - dup9, -])); - -var part354 = match("MESSAGE#134:openvpn-member:01", "nwparser.payload", "%{action->} : %{event_description->} (code=%{resultcode})", processor_chain([ - dup16, - dup7, - dup9, -])); - -var part355 = match("MESSAGE#137:openvpn-member:04", "nwparser.payload", "%{severity}: %{event_description}", processor_chain([ - dup13, - dup7, - dup9, -])); - -var part356 = match_copy("MESSAGE#225:syslog", "nwparser.payload", "event_description", processor_chain([ - dup13, - dup7, - dup9, - dup62, -])); 
diff --git a/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml b/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml
deleted file mode 100644
index 6c5490c8ce3..00000000000
--- a/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml
+++ /dev/null
@@ -1,64 +0,0 @@
----
-description: Pipeline for Infoblox NIOS
-
-processors:
- # ECS event.ingested
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
- # User agent
- - user_agent:
- field: user_agent.original
- ignore_missing: true
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
-
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - append:
- field: related.hosts
- value: '{{host.name}}'
- allow_duplicates: false
- if: ctx.host?.name != null && ctx.host?.name != ''
-on_failure:
- - append:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/infoblox/nios/manifest.yml b/x-pack/filebeat/module/infoblox/nios/manifest.yml
deleted file mode 100644
index 4f6b364c6e7..00000000000
--- a/x-pack/filebeat/module/infoblox/nios/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@ -module_version: "1.0" - -var: - - name: paths - - name: tags - default: ["infoblox.nios", "forwarded"] - - name: syslog_host - default: localhost - - name: syslog_port - default: 9512 - - name: input - default: udp - - name: community_id - default: true - - name: tz_offset - default: local - - name: rsa_fields - default: true - - name: keep_raw_fields - default: false - - name: debug - default: false - -ingest_pipeline: ingest/pipeline.yml -input: config/input.yml - -requires.processors: -- name: geoip - plugin: ingest-geoip -- name: user_agent - plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/infoblox/nios/test/generated.log b/x-pack/filebeat/module/infoblox/nios/test/generated.log deleted file mode 100644 index 642df296f5e..00000000000 --- a/x-pack/filebeat/module/infoblox/nios/test/generated.log +++ /dev/null 
@@ -1,100 +0,0 @@ -January 29 06:09:59 doeiu3942.localdomain -:rc executing eporr start -February 12 13:12:33 tia7019.www.invalid :diskcheck quis -February 26 20:15:08 dolo1720.api.example 10.250.162.122 logger: com -March 12 03:17:42 ratio1111.localdomain -:diskcheck atio -March 26 10:20:16 tconsec5932.mail.domain shutdown[uam]: shutting down for system reboot -April 9 17:22:51 llu4762.mail.localdomain snmptrapd[scivel]: NET-SNMP version 1.5695 aperi -April 24 00:25:25 estqui6557.www.localhost -:syslog-ng equuntu -May 08 07:27:59 mcolabor1656.www5.corp netauto_discovery[giatq]: quid:fug(uatDuis)10.68.114.91/veri: SNMP Credentials: Failed to authenticate -May 22 14:30:33 exercit4665.internal.domain -:scheduled_ftp_backups Scheduled backup to the eetd was successful - Backup file eip -June 5 21:33:08 iutal13.api.localdomain python[eacomm]: Utenimad: nibusBon.ehend [ueipsaqu]: Populated uidolore niamqu222.localdomain DnsView=tevelit -June 20 04:35:42 boree6686.www5.host ntpd[iinea]: ipit -July 4 11:38:16 itlabori2344.mail.invalid -:openvpn-member OpenVPN 1.4105 [icmp] [aper] essequ -July 18 18:40:50 tessec3539.home nsect: rc6 ntutl -August 2 01:43:25 siuta2896.www.localhost -:ntpd ntpd exiting on signal 2946 -August 16 08:45:59 strude910.internal.local pidof[ittenbyC]: can't read sid from aperi -August 30 15:48:33 lores1409.www.home :sSMTP etc -September 13 22:51:07 nimadmin1493.www5.example rc3[lpa]: entsu -September 28 05:53:42 mqui4683.www.localhost tasuntex: kernel sunt -October 12 12:56:16 incidi2966.www.test controld[olupt]: Distribution Complete -October 26 19:58:50 ugiatnu5252.internal.localdomain -:syslog erc -November 10 03:01:24 aperia4409.www5.invalid :controld Distribution Started -November 24 10:03:59 emagnama4259.example 10.206.136.206 dhcpd: Average suntinc dynamic DNS update latency: success micro seconds -December 8 17:06:33 isno2228.home nnu: smart_check_io dolo -December 23 00:09:07 amvolup7700.www5.corp 10.19.194.101 rsyncd: rsync on orinrepr 
from conse2991.internal.lan (10.116.104.101) -January 6 07:11:41 tat7551.internal.local rc6[itinvo]: mdolore -January 20 14:14:16 siarchi2289.mail.lan debug_mount[olupta]: mount mipsumd -February 3 21:16:50 remi2114.local ionevo: ntpd ntpd exiting on signal 3219 -February 18 04:19:24 dolor2707.api.localhost httpd[commod]: 2017-2-18 4:19:24.adol [doloremi]: Login_Denied - - to=luptasn ip=10.153.111.103 info=itquiin -March 4 11:21:59 que651.www5.host init[etconse]: tincu -Mar 18 18:24:33 asun1250.api.localdomain DIS[oluptate]: onseq:serunt: Deviceaquaeabi/10.171.157.74login failurefailure -April 2 01:27:07 ento4488.www5.localhost :rc6 eriamea -April 16 08:29:41 pisciv7108.lan 10.140.136.44 named: client 10.31.14.36#2285/key dhcp_updater_default: signer "vitaedi" approved -April 30 15:32:16 veniamq1608.www.localdomain colab: diskcheck ommodico -May 14 22:34:50 tin183.api.corp netauto_discovery[sperna]: eabilloi:estia(tper)10.163.5.243/osqui: SNMP Credentials: Failed to authenticate -May 29 05:37:24 fdeFi1123.api.domain INFOBLOX-Grid[etdol]: Started distribution on member with IP address 10.177.36.38 -June 12 12:39:58 aevit37.www5.test ati: kernel Linux version 1.6668 (gel) (lorsitam) mpo -June 26 19:42:33 aliquam1364.api.corp -:syslog eratv -July 11 02:45:07 uir1374.mail.domain -:smart_check_io quiratio -July 25 09:47:41 nse2256.www.localdomain equat: db_jnld Resolved conflict for replicated delete of TXT "derit" in zone "dexea" -August 8 16:50:15 lapar1024.www5.local intocc: sSMTP Unable to locate liqu2936.api.localdomain. 
-August 22 23:52:50 tDuisaut3296.www.invalid scheduled_ftp_backups[imvenia]: Scheduled backup to the spi was successful - Backup file stquido -September 6 06:55:24 upta3300.www.home 10.233.48.103 diskcheck: leumiur -September 20 13:57:58 vita2681.www5.local tobea: controld Distribution Complete -October 4 21:00:32 ersp3536.www5.lan 10.93.90.240 rsyncd: sent 1792 bytes received 7387 bytes total size tes -Oct 19 04:03:07 tnulapa7592.www.local DIS[eriti]: litessec: itas: Attempting discover-now for 10.251.106.205 on mporin, using session ID -November 2 11:05:41 roid6604.www.test -:syslog Nemoenim -November 16 18:08:15 nihil657.domain validate_dhcpd[rsitv]: iciade -December 1 01:10:49 ven660.api.lan amnih: watchdog cancel, pid = 3981 -December 15 08:13:24 atatn7364.internal.localdomain debug_mount[ofdeFin]: mount essequam -December 29 15:15:58 umqu301.internal.home init[inesci]: isnisi -January 12 22:18:32 riamea1540.www.host -:ntpd_initres ntpd exiting on signal 15 -January 27 05:21:06 siut5663.local piscinge: rcsysinit fsck from 1.271 -February 10 12:23:41 cinge7339.api.corp -:diskcheck vitaedi -February 24 19:26:15 dolore7072.www5.localhost ect: logger modocons -March 11 02:28:49 odoconse228.mail.localdomain -:syslog-ng veli -March 25 09:31:24 labo267.internal.localhost httpd[etdo]: 2018-3-25 9:31:24.par [lorin]: Login_Denied - - to=pitl ip=10.204.128.215 info=ama -Apr 8 16:33:58 roidents6540.internal.corp -:debug tametcon -April 22 23:36:32 miurerep1152.internal.domain pidof[utlab]: can't read sid from emUteni -May 07 06:39:06 inimve2352.lan :captured_dns_uploader mco -May 21 13:41:41 amcorp1275.www5.host netauto_core[liqua]: netautoctl:olo -Jun 04 20:44:15 fdeF593.internal.lan DIS[niamq]: lapariat: remagn: Attempting discover-now for 10.238.140.186 on tiaec, using session ID -June 19 03:46:49 upt4986.mail.corp ntpdate[idunt]: luptat -July 3 10:49:23 lillum7809.mail.local taedicta: logger ritt -July 17 17:51:58 tetur2694.mail.local ipi: openvpn-member OpenVPN 
1.7727 [ipv6-icmp] [uaeab] itinv -August 1 00:54:32 utaliqu6138.mail.localhost nvolupt: pidof can't read sid from oremi -August 15 07:57:06 atcupi2332.mail.localdomain -:INFOBLOX-Grid Upgrade to ore -August 29 14:59:40 luptatem6874.mail.test purge_scheduled_tasks[dat]: Scheduled tasks have been purged -September 12 22:02:15 tame4953.mail.localhost prehen: restarting ntutlabo -September 27 05:04:49 sequa1715.www5.domain sshd[eirure]: Accepted password for root from 10.210.113.252 port 4184 udp -October 11 12:07:23 tconsec5315.internal.example :kernel Linux version 1.341 (fugi) (labo) nostrud -October 25 19:09:57 cupi1867.www5.test :rcsysinit orroq -November 9 02:12:32 rcit2043.api.home 10.107.45.175 smart_check_io: ssecil -November 23 09:15:06 mes4801.internal.test 10.243.121.97 python: cancel: FQDN='illu4875.api.host', View='tatevel' -December 7 16:17:40 its7867.internal.invalid 10.44.115.94 debug_mount: mount isn -Dec 21 23:20:14 equ4808.www.localhost DIS[siuta]: urmagn:dquia: Devicetemporin/10.46.166.75login failuresuccess -Jan 05 06:22:49 idi7668.www5.test rum: captured_dns_uploader eataevi -January 19 13:25:23 iqu4614.www5.example 10.60.211.199 init: modocon -February 2 20:27:57 agnaaliq1829.mail.test :ntpd_initres ntpd exiting on signal 15 -February 17 03:30:32 col3570.www.invalid tinvolup: sSMTP Sent mail for tsed (inv) uid=rroq username=rcit outbytes=2807 -March 3 10:33:06 mipsamvo4282.api.home reetdo: init oreveri -March 17 17:35:40 Except6889.www.corp -:rc3 umetMal -Apr 1 00:38:14 umq1309.api.test uae: debug mve -April 15 07:40:49 tatem4180.www.home 10.102.166.19 python: deny: FQDN='eritatis6343.api.local', View='mquisn' -April 29 14:43:23 quir7168.api.localdomain labore: syslog uela -May 13 21:45:57 iuntNequ7202.api.domain -:controld Distribution Complete -May 28 04:48:31 veniamq1236.invalid emo: radiusd itq -June 11 11:51:06 nderiti409.api.domain -:syslog Cic -June 25 18:53:40 tatem6156.www.local :dhcpd received shutdown -/-/ success -July 10 01:56:14 
uamnihil6127.api.domain 10.29.119.245 python: accept: 'olli3116.internal.example' in view 'rsp'. -Jul 24 08:58:48 roquisqu1205.api.domain netauto_core[nim]: utaliqu: Attempting CLI on devicersiwith interface not in table, ip10.118.155.14 -August 7 16:01:23 suntex5169.www.example phonehome[esci]: uov -August 21 23:03:57 fici5161.www5.example olup: debug_mount mount aco -September 5 06:06:31 orsi7617.www5.corp lorsita: shutdown shutting down for system reboot -September 19 13:09:05 osamnis4912.mail.host npr: radiusd etconsec -Oct 03 20:11:40 urExcept6809.www5.corp captured_dns_uploader[atcupida]: tessequa -Oct 18 03:14:14 icab3519.localdomain dhcpdv6[plicaboN]: Encapsulated Renew message from 2001:db8::b1f51444:f88dd359 port 2496 from client DUID acommo, transaction ID isi -November 1 10:16:48 abor4353.www5.host ame: python tesseq -November 15 17:19:22 olorem290.api.lan sshd[culpaqui]: deny: logout() unknown -November 30 00:21:57 ventore3612.www.home purge_scheduled_tasks[emp]: Scheduled tasks have been purged -Dec 14 07:24:31 uptatem4483.localhost tacacs_acct[inrepr]: mol: Server 10.111.52.69 port 6073: asperna diff --git a/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json deleted file mode 100644 index 9079fbdddd3..00000000000 --- a/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json +++ /dev/null 
@@ -1,2722 +0,0 @@ -[ - { - "event.code": "rc", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "January 29 06:09:59 doeiu3942.localdomain -:rc executing eporr start", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 0, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "doeiu3942.localdomain" - ], - "rsa.internal.messageid": "rc", - "rsa.misc.client": "eporr", - "rsa.misc.event_source": "doeiu3942.localdomain", - "rsa.time.day": "29", - "rsa.time.month": "January", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "diskcheck", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "February 12 13:12:33 tia7019.www.invalid :diskcheck quis", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 69, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "tia7019.www.invalid" - ], - "rsa.internal.event_desc": "quis", - "rsa.internal.messageid": "diskcheck", - "rsa.misc.event_source": "tia7019.www.invalid", - "rsa.time.day": "12", - "rsa.time.month": "February", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "logger", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "February 26 20:15:08 dolo1720.api.example 10.250.162.122 logger: com", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 126, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "dolo1720.api.example" - ], - "rsa.internal.event_desc": "com", - "rsa.internal.messageid": "logger", - "rsa.misc.event_source": "dolo1720.api.example", - "rsa.time.day": "26", - "rsa.time.month": "February", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, 
- { - "event.code": "diskcheck", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "March 12 03:17:42 ratio1111.localdomain -:diskcheck atio", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 195, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "ratio1111.localdomain" - ], - "rsa.internal.event_desc": "atio", - "rsa.internal.messageid": "diskcheck", - "rsa.misc.event_source": "ratio1111.localdomain", - "rsa.time.day": "12", - "rsa.time.month": "March", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "shutdown", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "March 26 10:20:16 tconsec5932.mail.domain shutdown[uam]: shutting down for system reboot", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 252, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "tconsec5932.mail.domain" - ], - "rsa.internal.data": "uam", - "rsa.internal.event_desc": "shutting down for system reboot", - "rsa.internal.messageid": "shutdown", - "rsa.misc.event_source": "tconsec5932.mail.domain", - "rsa.time.day": "26", - "rsa.time.month": "March", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "snmptrapd", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "April 9 17:22:51 llu4762.mail.localdomain snmptrapd[scivel]: NET-SNMP version 1.5695 aperi", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 341, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "observer.version": "1.5695", - "related.hosts": [ - "llu4762.mail.localdomain" - ], - "rsa.internal.data": "scivel", - "rsa.internal.event_desc": "aperi", - "rsa.internal.messageid": "snmptrapd", - 
"rsa.misc.event_source": "llu4762.mail.localdomain", - "rsa.misc.version": "1.5695", - "rsa.time.day": "9", - "rsa.time.month": "April", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "syslog-ng", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "April 24 00:25:25 estqui6557.www.localhost -:syslog-ng equuntu", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 432, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "estqui6557.www.localhost" - ], - "rsa.internal.event_desc": "equuntu", - "rsa.internal.messageid": "syslog-ng", - "rsa.misc.event_source": "estqui6557.www.localhost", - "rsa.time.day": "24", - "rsa.time.month": "April", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "netauto_discovery", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "May 08 07:27:59 mcolabor1656.www5.corp netauto_discovery[giatq]: quid:fug(uatDuis)10.68.114.91/veri: SNMP Credentials: Failed to authenticate", - "event.outcome": "failure", - "fileset.name": "nios", - "host.ip": "10.68.114.91", - "input.type": "log", - "log.offset": 495, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "mcolabor1656.www5.corp" - ], - "related.ip": [ - "10.68.114.91" - ], - "rsa.internal.data": "giatq", - "rsa.internal.messageid": "netauto_discovery", - "rsa.investigations.ec_outcome": "Failure", - "rsa.misc.client": "quid", - "rsa.misc.event_source": "mcolabor1656.www5.corp", - "rsa.time.day": "08", - "rsa.time.month": "May", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "scheduled_ftp_backups", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "May 22 14:30:33 
exercit4665.internal.domain -:scheduled_ftp_backups Scheduled backup to the eetd was successful - Backup file eip", - "file.name": "eip", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 637, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "exercit4665.internal.domain" - ], - "rsa.internal.event_desc": "Scheduled backup to the FTP server was successful", - "rsa.internal.messageid": "scheduled_ftp_backups", - "rsa.misc.device_name": "eetd", - "rsa.misc.event_source": "exercit4665.internal.domain", - "rsa.time.day": "22", - "rsa.time.month": "May", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "python", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "June 5 21:33:08 iutal13.api.localdomain python[eacomm]: Utenimad: nibusBon.ehend [ueipsaqu]: Populated uidolore niamqu222.localdomain DnsView=tevelit", - "fileset.name": "nios", - "host.name": "niamqu222.localdomain", - "input.type": "log", - "log.offset": 767, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "iutal13.api.localdomain", - "niamqu222.localdomain" - ], - "related.user": [ - "ueipsaqu" - ], - "rsa.internal.data": "eacomm", - "rsa.internal.messageid": "python", - "rsa.misc.event_source": "iutal13.api.localdomain", - "rsa.network.alias_host": [ - "niamqu222.localdomain" - ], - "rsa.network.zone": "uidolore", - "rsa.time.day": "5", - "rsa.time.month": "June", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ], - "user.name": "ueipsaqu" - }, - { - "event.code": "ntpd", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "June 20 04:35:42 boree6686.www5.host ntpd[iinea]: ipit", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 917, - "observer.product": "Network", - "observer.type": "IPAM", - 
"observer.vendor": "Infoblox", - "related.hosts": [ - "boree6686.www5.host" - ], - "rsa.internal.data": "iinea", - "rsa.internal.event_desc": "ipit", - "rsa.internal.messageid": "ntpd", - "rsa.misc.event_source": "boree6686.www5.host", - "rsa.time.day": "20", - "rsa.time.month": "June", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "openvpn-member", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "July 4 11:38:16 itlabori2344.mail.invalid -:openvpn-member OpenVPN 1.4105 [icmp] [aper] essequ", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 972, - "network.protocol": "icmp", - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "observer.version": "1.4105", - "related.hosts": [ - "itlabori2344.mail.invalid" - ], - "rsa.db.index": "essequ", - "rsa.internal.messageid": "openvpn-member", - "rsa.misc.event_source": "itlabori2344.mail.invalid", - "rsa.misc.version": "1.4105", - "rsa.time.day": "4", - "rsa.time.month": "July", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "rc6", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "July 18 18:40:50 tessec3539.home nsect: rc6 ntutl", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 1067, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "tessec3539.home" - ], - "rsa.internal.event_desc": "ntutl", - "rsa.internal.messageid": "rc6", - "rsa.misc.event_source": "tessec3539.home", - "rsa.time.day": "18", - "rsa.time.month": "July", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "ntpd", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "August 2 01:43:25 siuta2896.www.localhost -:ntpd ntpd exiting on signal 2946", - 
"fileset.name": "nios", - "input.type": "log", - "log.offset": 1117, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "siuta2896.www.localhost" - ], - "rsa.counters.dclass_c1": 2946, - "rsa.internal.event_desc": "ntpd exiting on signal", - "rsa.internal.messageid": "ntpd", - "rsa.misc.event_source": "siuta2896.www.localhost", - "rsa.time.day": "2", - "rsa.time.month": "August", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "pidof", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "August 16 08:45:59 strude910.internal.local pidof[ittenbyC]: can't read sid from aperi", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 1194, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "strude910.internal.local" - ], - "rsa.internal.data": "ittenbyC", - "rsa.internal.event_desc": "can't read sid", - "rsa.internal.messageid": "pidof", - "rsa.misc.client": "aperi", - "rsa.misc.event_source": "strude910.internal.local", - "rsa.time.day": "16", - "rsa.time.month": "August", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "sSMTP", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "August 30 15:48:33 lores1409.www.home :sSMTP etc", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 1281, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "lores1409.www.home" - ], - "rsa.internal.event_desc": "etc", - "rsa.internal.messageid": "sSMTP", - "rsa.misc.event_source": "lores1409.www.home", - "rsa.time.day": "30", - "rsa.time.month": "August", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "rc3", - "event.dataset": 
"infoblox.nios", - "event.module": "infoblox", - "event.original": "September 13 22:51:07 nimadmin1493.www5.example rc3[lpa]: entsu", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 1330, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "nimadmin1493.www5.example" - ], - "rsa.internal.data": "lpa", - "rsa.internal.event_desc": "entsu", - "rsa.internal.messageid": "rc3", - "rsa.misc.event_source": "nimadmin1493.www5.example", - "rsa.time.day": "13", - "rsa.time.month": "September", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "kernel", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "September 28 05:53:42 mqui4683.www.localhost tasuntex: kernel sunt", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 1394, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "mqui4683.www.localhost" - ], - "rsa.internal.event_desc": "sunt", - "rsa.internal.messageid": "kernel", - "rsa.misc.event_source": "mqui4683.www.localhost", - "rsa.time.day": "28", - "rsa.time.month": "September", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "controld", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "October 12 12:56:16 incidi2966.www.test controld[olupt]: Distribution Complete", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 1461, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "incidi2966.www.test" - ], - "rsa.internal.data": "olupt", - "rsa.internal.event_desc": "Distribution Complete", - "rsa.internal.messageid": "controld", - "rsa.misc.event_source": "incidi2966.www.test", - "rsa.time.day": "12", - "rsa.time.month": "October", - "service.type": 
"infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "syslog", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "October 26 19:58:50 ugiatnu5252.internal.localdomain -:syslog erc", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 1540, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "ugiatnu5252.internal.localdomain" - ], - "rsa.internal.event_desc": "erc", - "rsa.internal.messageid": "syslog", - "rsa.misc.event_source": "ugiatnu5252.internal.localdomain", - "rsa.time.day": "26", - "rsa.time.month": "October", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "controld", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "November 10 03:01:24 aperia4409.www5.invalid :controld Distribution Started", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 1606, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "aperia4409.www5.invalid" - ], - "rsa.internal.event_desc": "Distribution Started", - "rsa.internal.messageid": "controld", - "rsa.misc.event_source": "aperia4409.www5.invalid", - "rsa.time.day": "10", - "rsa.time.month": "November", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "dhcpd", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "November 24 10:03:59 emagnama4259.example 10.206.136.206 dhcpd: Average suntinc dynamic DNS update latency: success micro seconds", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 1682, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "emagnama4259.example" - ], - "rsa.internal.event_desc": "Average dynamic DNS update latency", - 
"rsa.internal.messageid": "dhcpd", - "rsa.misc.event_source": "emagnama4259.example", - "rsa.misc.result": "success", - "rsa.time.day": "24", - "rsa.time.month": "November", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "smart_check_io", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "December 8 17:06:33 isno2228.home nnu: smart_check_io dolo", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 1812, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "isno2228.home" - ], - "rsa.internal.event_desc": "dolo", - "rsa.internal.messageid": "smart_check_io", - "rsa.misc.event_source": "isno2228.home", - "rsa.time.day": "8", - "rsa.time.month": "December", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "rsyncd", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "December 23 00:09:07 amvolup7700.www5.corp 10.19.194.101 rsyncd: rsync on orinrepr from conse2991.internal.lan (10.116.104.101)", - "file.name": "orinrepr", - "fileset.name": "nios", - "host.hostname": "conse2991.internal.lan", - "input.type": "log", - "log.offset": 1871, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "amvolup7700.www5.corp", - "conse2991.internal.lan" - ], - "related.ip": [ - "10.116.104.101" - ], - "rsa.internal.messageid": "rsyncd", - "rsa.misc.event_source": "amvolup7700.www5.corp", - "rsa.time.day": "23", - "rsa.time.month": "December", - "service.type": "infoblox", - "source.address": "conse2991.internal.lan", - "source.ip": "10.116.104.101", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "rc6", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "January 6 07:11:41 tat7551.internal.local 
rc6[itinvo]: mdolore", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 1999, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "tat7551.internal.local" - ], - "rsa.internal.data": "itinvo", - "rsa.internal.event_desc": "mdolore", - "rsa.internal.messageid": "rc6", - "rsa.misc.event_source": "tat7551.internal.local", - "rsa.time.day": "6", - "rsa.time.month": "January", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "debug_mount", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "January 20 14:14:16 siarchi2289.mail.lan debug_mount[olupta]: mount mipsumd", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 2062, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "siarchi2289.mail.lan" - ], - "rsa.internal.data": "olupta", - "rsa.internal.event_desc": "mipsumd", - "rsa.internal.messageid": "debug_mount", - "rsa.misc.event_source": "siarchi2289.mail.lan", - "rsa.time.day": "20", - "rsa.time.month": "January", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "ntpd", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "February 3 21:16:50 remi2114.local ionevo: ntpd ntpd exiting on signal 3219", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 2138, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "remi2114.local" - ], - "rsa.counters.dclass_c1": 3219, - "rsa.internal.event_desc": "ntpd exiting on signal", - "rsa.internal.messageid": "ntpd", - "rsa.misc.event_source": "remi2114.local", - "rsa.time.day": "3", - "rsa.time.month": "February", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "httpd", 
- "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "February 18 04:19:24 dolor2707.api.localhost httpd[commod]: 2017-2-18 4:19:24.adol [doloremi]: Login_Denied - - to=luptasn ip=10.153.111.103 info=itquiin", - "event.outcome": "failure", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 2214, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "dolor2707.api.localhost" - ], - "related.ip": [ - "10.153.111.103" - ], - "related.user": [ - "doloremi" - ], - "rsa.db.index": "itquiin", - "rsa.internal.data": "commod", - "rsa.internal.messageid": "httpd", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.event_source": "dolor2707.api.localhost", - "rsa.misc.terminal": "luptasn", - "rsa.time.day": "18", - "rsa.time.month": "February", - "service.type": "infoblox", - "source.ip": "10.153.111.103", - "tags": [ - "forwarded", - "infoblox.nios" - ], - "user.name": "doloremi" - }, - { - "event.code": "init", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "March 4 11:21:59 que651.www5.host init[etconse]: tincu", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 2368, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "que651.www5.host" - ], - "rsa.internal.data": "etconse", - "rsa.internal.event_desc": "tincu", - "rsa.internal.messageid": "init", - "rsa.misc.event_source": "que651.www5.host", - "rsa.time.day": "4", - "rsa.time.month": "March", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "DIS", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "Mar 18 18:24:33 asun1250.api.localdomain DIS[oluptate]: 
onseq:serunt: Deviceaquaeabi/10.171.157.74login failurefailure", - "event.outcome": "failure", - "fileset.name": "nios", - "host.ip": "10.171.157.74", - "input.type": "log", - "log.offset": 2423, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "asun1250.api.localdomain" - ], - "related.ip": [ - "10.171.157.74" - ], - "rsa.internal.data": "oluptate", - "rsa.internal.messageid": "DIS", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.misc.device_name": "aquaeabi", - "rsa.misc.event_source": "asun1250.api.localdomain", - "rsa.misc.result": "failure", - "rsa.time.day": "18", - "rsa.time.month": "Mar", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "rc6", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "April 2 01:27:07 ento4488.www5.localhost :rc6 eriamea", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 2542, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "ento4488.www5.localhost" - ], - "rsa.internal.event_desc": "eriamea", - "rsa.internal.messageid": "rc6", - "rsa.misc.event_source": "ento4488.www5.localhost", - "rsa.time.day": "2", - "rsa.time.month": "April", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "named", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "April 16 08:29:41 pisciv7108.lan 10.140.136.44 named: client 10.31.14.36#2285/key dhcp_updater_default: signer \"vitaedi\" approved", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 2596, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "pisciv7108.lan" - ], - "related.ip": [ - "10.31.14.36" - ], - "related.user": [ - "vitaedi" - ], - 
"rsa.internal.messageid": "named", - "rsa.misc.event_source": "pisciv7108.lan", - "rsa.time.day": "16", - "rsa.time.month": "April", - "service.type": "infoblox", - "source.ip": "10.31.14.36", - "source.port": 2285, - "tags": [ - "forwarded", - "infoblox.nios" - ], - "user.name": "vitaedi" - }, - { - "event.code": "diskcheck", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "April 30 15:32:16 veniamq1608.www.localdomain colab: diskcheck ommodico", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 2726, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "veniamq1608.www.localdomain" - ], - "rsa.internal.event_desc": "ommodico", - "rsa.internal.messageid": "diskcheck", - "rsa.misc.event_source": "veniamq1608.www.localdomain", - "rsa.time.day": "30", - "rsa.time.month": "April", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "netauto_discovery", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "May 14 22:34:50 tin183.api.corp netauto_discovery[sperna]: eabilloi:estia(tper)10.163.5.243/osqui: SNMP Credentials: Failed to authenticate", - "event.outcome": "failure", - "fileset.name": "nios", - "host.ip": "10.163.5.243", - "input.type": "log", - "log.offset": 2798, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "tin183.api.corp" - ], - "related.ip": [ - "10.163.5.243" - ], - "rsa.internal.data": "sperna", - "rsa.internal.messageid": "netauto_discovery", - "rsa.investigations.ec_outcome": "Failure", - "rsa.misc.client": "eabilloi", - "rsa.misc.event_source": "tin183.api.corp", - "rsa.time.day": "14", - "rsa.time.month": "May", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "INFOBLOX-Grid", - "event.dataset": "infoblox.nios", - 
"event.module": "infoblox", - "event.original": "May 29 05:37:24 fdeFi1123.api.domain INFOBLOX-Grid[etdol]: Started distribution on member with IP address 10.177.36.38", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 2938, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "fdeFi1123.api.domain" - ], - "related.ip": [ - "10.177.36.38" - ], - "rsa.internal.data": "etdol", - "rsa.internal.messageid": "INFOBLOX-Grid", - "rsa.misc.event_source": "fdeFi1123.api.domain", - "rsa.time.day": "29", - "rsa.time.month": "May", - "service.type": "infoblox", - "source.ip": "10.177.36.38", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "kernel", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "June 12 12:39:58 aevit37.www5.test ati: kernel Linux version 1.6668 (gel) (lorsitam) mpo", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 3057, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "observer.version": "1.6668", - "related.hosts": [ - "aevit37.www5.test" - ], - "rsa.email.email_src": "gel", - "rsa.internal.messageid": "kernel", - "rsa.misc.event_source": "aevit37.www5.test", - "rsa.misc.version": "1.6668", - "rsa.time.day": "12", - "rsa.time.month": "June", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "syslog", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "June 26 19:42:33 aliquam1364.api.corp -:syslog eratv", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 3146, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "aliquam1364.api.corp" - ], - "rsa.internal.event_desc": "eratv", - "rsa.internal.messageid": "syslog", - "rsa.misc.event_source": "aliquam1364.api.corp", - "rsa.time.day": "26", - 
"rsa.time.month": "June", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "smart_check_io", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "July 11 02:45:07 uir1374.mail.domain -:smart_check_io quiratio", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 3199, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "uir1374.mail.domain" - ], - "rsa.internal.event_desc": "quiratio", - "rsa.internal.messageid": "smart_check_io", - "rsa.misc.event_source": "uir1374.mail.domain", - "rsa.time.day": "11", - "rsa.time.month": "July", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "db_jnld", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "July 25 09:47:41 nse2256.www.localdomain equat: db_jnld Resolved conflict for replicated delete of TXT \"derit\" in zone \"dexea\"", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 3262, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "nse2256.www.localdomain" - ], - "rsa.internal.messageid": "db_jnld", - "rsa.misc.event_source": "nse2256.www.localdomain", - "rsa.network.zone": "dexea", - "rsa.time.day": "25", - "rsa.time.month": "July", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "sSMTP", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "August 8 16:50:15 lapar1024.www5.local intocc: sSMTP Unable to locate liqu2936.api.localdomain.", - "fileset.name": "nios", - "host.name": "liqu2936", - "input.type": "log", - "log.offset": 3389, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "lapar1024.www5.local", - "liqu2936" - ], - 
"rsa.internal.messageid": "sSMTP", - "rsa.misc.event_source": "lapar1024.www5.local", - "rsa.network.alias_host": [ - "liqu2936" - ], - "rsa.time.day": "8", - "rsa.time.month": "August", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "scheduled_ftp_backups", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "August 22 23:52:50 tDuisaut3296.www.invalid scheduled_ftp_backups[imvenia]: Scheduled backup to the spi was successful - Backup file stquido", - "file.name": "stquido", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 3485, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "tDuisaut3296.www.invalid" - ], - "rsa.internal.data": "imvenia", - "rsa.internal.event_desc": "Scheduled backup to the FTP server was successful", - "rsa.internal.messageid": "scheduled_ftp_backups", - "rsa.misc.device_name": "spi", - "rsa.misc.event_source": "tDuisaut3296.www.invalid", - "rsa.time.day": "22", - "rsa.time.month": "August", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "diskcheck", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "September 6 06:55:24 upta3300.www.home 10.233.48.103 diskcheck: leumiur", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 3626, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "upta3300.www.home" - ], - "rsa.internal.event_desc": "leumiur", - "rsa.internal.messageid": "diskcheck", - "rsa.misc.event_source": "upta3300.www.home", - "rsa.time.day": "6", - "rsa.time.month": "September", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "controld", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "September 20 
13:57:58 vita2681.www5.local tobea: controld Distribution Complete", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 3698, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "vita2681.www5.local" - ], - "rsa.internal.event_desc": "Distribution Complete", - "rsa.internal.messageid": "controld", - "rsa.misc.event_source": "vita2681.www5.local", - "rsa.time.day": "20", - "rsa.time.month": "September", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "destination.bytes": 7387, - "event.code": "rsyncd", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "October 4 21:00:32 ersp3536.www5.lan 10.93.90.240 rsyncd: sent 1792 bytes received 7387 bytes total size tes", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 3778, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "ersp3536.www5.lan" - ], - "rsa.internal.messageid": "rsyncd", - "rsa.misc.event_source": "ersp3536.www5.lan", - "rsa.time.day": "4", - "rsa.time.month": "October", - "service.type": "infoblox", - "source.bytes": 1792, - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "DIS", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "Oct 19 04:03:07 tnulapa7592.www.local DIS[eriti]: litessec: itas: Attempting discover-now for 10.251.106.205 on mporin, using session ID", - "fileset.name": "nios", - "host.ip": "10.251.106.205", - "input.type": "log", - "log.offset": 3887, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "tnulapa7592.www.local" - ], - "related.ip": [ - "10.251.106.205" - ], - "rsa.internal.data": "eriti", - "rsa.internal.messageid": "DIS", - "rsa.misc.event_source": "tnulapa7592.www.local", - "rsa.time.day": "19", - "rsa.time.month": "Oct", - 
"service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "syslog", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "November 2 11:05:41 roid6604.www.test -:syslog Nemoenim", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 4024, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "roid6604.www.test" - ], - "rsa.internal.event_desc": "Nemoenim", - "rsa.internal.messageid": "syslog", - "rsa.misc.event_source": "roid6604.www.test", - "rsa.time.day": "2", - "rsa.time.month": "November", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "validate_dhcpd", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "November 16 18:08:15 nihil657.domain validate_dhcpd[rsitv]: iciade", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 4080, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "nihil657.domain" - ], - "rsa.internal.data": "rsitv", - "rsa.internal.event_desc": "iciade", - "rsa.internal.messageid": "validate_dhcpd", - "rsa.misc.event_source": "nihil657.domain", - "rsa.time.day": "16", - "rsa.time.month": "November", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.action": "cancel", - "event.code": "watchdog", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "December 1 01:10:49 ven660.api.lan amnih: watchdog cancel, pid = 3981", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 4147, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "process.pid": 3981, - "related.hosts": [ - "ven660.api.lan" - ], - "rsa.internal.messageid": "watchdog", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.event_source": 
"ven660.api.lan", - "rsa.time.day": "1", - "rsa.time.month": "December", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "debug_mount", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "December 15 08:13:24 atatn7364.internal.localdomain debug_mount[ofdeFin]: mount essequam", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 4217, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "atatn7364.internal.localdomain" - ], - "rsa.internal.data": "ofdeFin", - "rsa.internal.event_desc": "essequam", - "rsa.internal.messageid": "debug_mount", - "rsa.misc.event_source": "atatn7364.internal.localdomain", - "rsa.time.day": "15", - "rsa.time.month": "December", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "init", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "December 29 15:15:58 umqu301.internal.home init[inesci]: isnisi", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 4306, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "umqu301.internal.home" - ], - "rsa.internal.data": "inesci", - "rsa.internal.event_desc": "isnisi", - "rsa.internal.messageid": "init", - "rsa.misc.event_source": "umqu301.internal.home", - "rsa.time.day": "29", - "rsa.time.month": "December", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "ntpd_initres", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "January 12 22:18:32 riamea1540.www.host -:ntpd_initres ntpd exiting on signal 15", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 4370, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": 
[ - "riamea1540.www.host" - ], - "rsa.internal.event_desc": "ntpd exiting", - "rsa.internal.messageid": "ntpd_initres", - "rsa.misc.event_source": "riamea1540.www.host", - "rsa.time.day": "12", - "rsa.time.month": "January", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "rcsysinit", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "January 27 05:21:06 siut5663.local piscinge: rcsysinit fsck from 1.271", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 4451, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "observer.version": "1.271", - "related.hosts": [ - "siut5663.local" - ], - "rsa.internal.messageid": "rcsysinit", - "rsa.misc.event_source": "siut5663.local", - "rsa.misc.version": "1.271", - "rsa.time.day": "27", - "rsa.time.month": "January", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "diskcheck", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "February 10 12:23:41 cinge7339.api.corp -:diskcheck vitaedi", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 4522, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "cinge7339.api.corp" - ], - "rsa.internal.event_desc": "vitaedi", - "rsa.internal.messageid": "diskcheck", - "rsa.misc.event_source": "cinge7339.api.corp", - "rsa.time.day": "10", - "rsa.time.month": "February", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "logger", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "February 24 19:26:15 dolore7072.www5.localhost ect: logger modocons", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 4582, - "observer.product": "Network", - "observer.type": "IPAM", - 
"observer.vendor": "Infoblox", - "related.hosts": [ - "dolore7072.www5.localhost" - ], - "rsa.internal.event_desc": "modocons", - "rsa.internal.messageid": "logger", - "rsa.misc.event_source": "dolore7072.www5.localhost", - "rsa.time.day": "24", - "rsa.time.month": "February", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "syslog-ng", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "March 11 02:28:49 odoconse228.mail.localdomain -:syslog-ng veli", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 4650, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "odoconse228.mail.localdomain" - ], - "rsa.internal.event_desc": "veli", - "rsa.internal.messageid": "syslog-ng", - "rsa.misc.event_source": "odoconse228.mail.localdomain", - "rsa.time.day": "11", - "rsa.time.month": "March", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "httpd", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "March 25 09:31:24 labo267.internal.localhost httpd[etdo]: 2018-3-25 9:31:24.par [lorin]: Login_Denied - - to=pitl ip=10.204.128.215 info=ama", - "event.outcome": "failure", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 4714, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "labo267.internal.localhost" - ], - "related.ip": [ - "10.204.128.215" - ], - "related.user": [ - "lorin" - ], - "rsa.db.index": "ama", - "rsa.internal.data": "etdo", - "rsa.internal.messageid": "httpd", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.event_source": "labo267.internal.localhost", - "rsa.misc.terminal": "pitl", - 
"rsa.time.day": "25", - "rsa.time.month": "March", - "service.type": "infoblox", - "source.ip": "10.204.128.215", - "tags": [ - "forwarded", - "infoblox.nios" - ], - "user.name": "lorin" - }, - { - "event.code": "debug", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "Apr 8 16:33:58 roidents6540.internal.corp -:debug tametcon", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 4855, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "roidents6540.internal.corp" - ], - "rsa.internal.event_desc": "tametcon", - "rsa.internal.messageid": "debug", - "rsa.misc.event_source": "roidents6540.internal.corp", - "rsa.time.day": "8", - "rsa.time.month": "Apr", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "pidof", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "April 22 23:36:32 miurerep1152.internal.domain pidof[utlab]: can't read sid from emUteni", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 4914, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "miurerep1152.internal.domain" - ], - "rsa.internal.data": "utlab", - "rsa.internal.event_desc": "can't read sid", - "rsa.internal.messageid": "pidof", - "rsa.misc.client": "emUteni", - "rsa.misc.event_source": "miurerep1152.internal.domain", - "rsa.time.day": "22", - "rsa.time.month": "April", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "captured_dns_uploader", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "May 07 06:39:06 inimve2352.lan :captured_dns_uploader mco", - "event.outcome": "failure", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 5003, - "observer.product": "Network", - "observer.type": "IPAM", - 
"observer.vendor": "Infoblox", - "related.hosts": [ - "inimve2352.lan" - ], - "rsa.internal.event_desc": "mco", - "rsa.internal.messageid": "captured_dns_uploader", - "rsa.investigations.ec_outcome": "Failure", - "rsa.misc.event_source": "inimve2352.lan", - "rsa.time.day": "07", - "rsa.time.month": "May", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "netauto_core", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "May 21 13:41:41 amcorp1275.www5.host netauto_core[liqua]: netautoctl:olo", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 5061, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "amcorp1275.www5.host" - ], - "rsa.internal.data": "liqua", - "rsa.internal.event_desc": "olo", - "rsa.internal.messageid": "netauto_core", - "rsa.misc.event_source": "amcorp1275.www5.host", - "rsa.time.day": "21", - "rsa.time.month": "May", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "DIS", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "Jun 04 20:44:15 fdeF593.internal.lan DIS[niamq]: lapariat: remagn: Attempting discover-now for 10.238.140.186 on tiaec, using session ID", - "fileset.name": "nios", - "host.ip": "10.238.140.186", - "input.type": "log", - "log.offset": 5134, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "fdeF593.internal.lan" - ], - "related.ip": [ - "10.238.140.186" - ], - "rsa.internal.data": "niamq", - "rsa.internal.messageid": "DIS", - "rsa.misc.event_source": "fdeF593.internal.lan", - "rsa.time.day": "04", - "rsa.time.month": "Jun", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "ntpdate", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - 
"event.original": "June 19 03:46:49 upt4986.mail.corp ntpdate[idunt]: luptat", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 5271, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "upt4986.mail.corp" - ], - "rsa.internal.data": "idunt", - "rsa.internal.event_desc": "luptat", - "rsa.internal.messageid": "ntpdate", - "rsa.misc.event_source": "upt4986.mail.corp", - "rsa.time.day": "19", - "rsa.time.month": "June", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "logger", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "July 3 10:49:23 lillum7809.mail.local taedicta: logger ritt", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 5329, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "lillum7809.mail.local" - ], - "rsa.internal.event_desc": "ritt", - "rsa.internal.messageid": "logger", - "rsa.misc.event_source": "lillum7809.mail.local", - "rsa.time.day": "3", - "rsa.time.month": "July", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "openvpn-member", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "July 17 17:51:58 tetur2694.mail.local ipi: openvpn-member OpenVPN 1.7727 [ipv6-icmp] [uaeab] itinv", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 5389, - "network.protocol": "ipv6-icmp", - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "observer.version": "1.7727", - "related.hosts": [ - "tetur2694.mail.local" - ], - "rsa.db.index": "itinv", - "rsa.internal.messageid": "openvpn-member", - "rsa.misc.event_source": "tetur2694.mail.local", - "rsa.misc.version": "1.7727", - "rsa.time.day": "17", - "rsa.time.month": "July", - "service.type": "infoblox", - "tags": [ 
- "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "pidof", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "August 1 00:54:32 utaliqu6138.mail.localhost nvolupt: pidof can't read sid from oremi", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 5488, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "utaliqu6138.mail.localhost" - ], - "rsa.internal.event_desc": "can't read sid", - "rsa.internal.messageid": "pidof", - "rsa.misc.client": "oremi", - "rsa.misc.event_source": "utaliqu6138.mail.localhost", - "rsa.time.day": "1", - "rsa.time.month": "August", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "INFOBLOX-Grid", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "August 15 07:57:06 atcupi2332.mail.localdomain -:INFOBLOX-Grid Upgrade to ore", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 5574, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "atcupi2332.mail.localdomain" - ], - "rsa.internal.messageid": "INFOBLOX-Grid", - "rsa.misc.event_source": "atcupi2332.mail.localdomain", - "rsa.time.day": "15", - "rsa.time.month": "August", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "purge_scheduled_tasks", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "August 29 14:59:40 luptatem6874.mail.test purge_scheduled_tasks[dat]: Scheduled tasks have been purged", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 5652, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "luptatem6874.mail.test" - ], - "rsa.internal.data": "dat", - "rsa.internal.messageid": "purge_scheduled_tasks", - 
"rsa.misc.event_source": "luptatem6874.mail.test", - "rsa.time.day": "29", - "rsa.time.month": "August", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "restarting", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "September 12 22:02:15 tame4953.mail.localhost prehen: restarting ntutlabo", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 5755, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "tame4953.mail.localhost" - ], - "rsa.db.index": "prehen", - "rsa.internal.event_desc": "ntutlabo", - "rsa.internal.messageid": "restarting", - "rsa.misc.event_source": "tame4953.mail.localhost", - "rsa.time.day": "12", - "rsa.time.month": "September", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "sshd", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "September 27 05:04:49 sequa1715.www5.domain sshd[eirure]: Accepted password for root from 10.210.113.252 port 4184 udp", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 5829, - "network.protocol": "udp", - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "sequa1715.www5.domain" - ], - "related.ip": [ - "10.210.113.252" - ], - "rsa.internal.data": "eirure", - "rsa.internal.messageid": "sshd", - "rsa.misc.event_source": "sequa1715.www5.domain", - "rsa.time.day": "27", - "rsa.time.month": "September", - "service.type": "infoblox", - "source.ip": "10.210.113.252", - "source.port": 4184, - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "kernel", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "October 11 12:07:23 tconsec5315.internal.example :kernel Linux version 1.341 (fugi) (labo) nostrud", - "fileset.name": "nios", - 
"input.type": "log", - "log.offset": 5948, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "observer.version": "1.341", - "related.hosts": [ - "tconsec5315.internal.example" - ], - "rsa.email.email_src": "fugi", - "rsa.internal.messageid": "kernel", - "rsa.misc.event_source": "tconsec5315.internal.example", - "rsa.misc.version": "1.341", - "rsa.time.day": "11", - "rsa.time.month": "October", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "rcsysinit", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "October 25 19:09:57 cupi1867.www5.test :rcsysinit orroq", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 6047, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "cupi1867.www5.test" - ], - "rsa.internal.event_desc": "orroq", - "rsa.internal.messageid": "rcsysinit", - "rsa.misc.event_source": "cupi1867.www5.test", - "rsa.time.day": "25", - "rsa.time.month": "October", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "smart_check_io", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "November 9 02:12:32 rcit2043.api.home 10.107.45.175 smart_check_io: ssecil", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 6103, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "rcit2043.api.home" - ], - "rsa.internal.event_desc": "ssecil", - "rsa.internal.messageid": "smart_check_io", - "rsa.misc.event_source": "rcit2043.api.home", - "rsa.time.day": "9", - "rsa.time.month": "November", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.action": "cancel", - "event.code": "python", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - 
"event.original": "November 23 09:15:06 mes4801.internal.test 10.243.121.97 python: cancel: FQDN='illu4875.api.host', View='tatevel'", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 6178, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "illu4875.api.host", - "mes4801.internal.test" - ], - "rsa.internal.messageid": "python", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.event_source": "mes4801.internal.test", - "rsa.network.domain": "illu4875.api.host", - "rsa.time.day": "23", - "rsa.time.month": "November", - "server.domain": "illu4875.api.host", - "server.registered_domain": "api.host", - "server.subdomain": "illu4875", - "server.top_level_domain": "host", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "debug_mount", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "December 7 16:17:40 its7867.internal.invalid 10.44.115.94 debug_mount: mount isn", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 6292, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "its7867.internal.invalid" - ], - "rsa.internal.event_desc": "isn", - "rsa.internal.messageid": "debug_mount", - "rsa.misc.event_source": "its7867.internal.invalid", - "rsa.time.day": "7", - "rsa.time.month": "December", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "DIS", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "Dec 21 23:20:14 equ4808.www.localhost DIS[siuta]: urmagn:dquia: Devicetemporin/10.46.166.75login failuresuccess", - "event.outcome": "failure", - "fileset.name": "nios", - "host.ip": "10.46.166.75", - "input.type": "log", - "log.offset": 6373, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - 
"related.hosts": [ - "equ4808.www.localhost" - ], - "related.ip": [ - "10.46.166.75" - ], - "rsa.internal.data": "siuta", - "rsa.internal.messageid": "DIS", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.misc.device_name": "temporin", - "rsa.misc.event_source": "equ4808.www.localhost", - "rsa.misc.result": "success", - "rsa.time.day": "21", - "rsa.time.month": "Dec", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "captured_dns_uploader", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "Jan 05 06:22:49 idi7668.www5.test rum: captured_dns_uploader eataevi", - "event.outcome": "failure", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 6485, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "idi7668.www5.test" - ], - "rsa.internal.event_desc": "eataevi", - "rsa.internal.messageid": "captured_dns_uploader", - "rsa.investigations.ec_outcome": "Failure", - "rsa.misc.event_source": "idi7668.www5.test", - "rsa.time.day": "05", - "rsa.time.month": "Jan", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "init", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "January 19 13:25:23 iqu4614.www5.example 10.60.211.199 init: modocon", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 6554, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "iqu4614.www5.example" - ], - "rsa.internal.event_desc": "modocon", - "rsa.internal.messageid": "init", - "rsa.misc.event_source": "iqu4614.www5.example", - "rsa.time.day": "19", - "rsa.time.month": "January", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "ntpd_initres", - "event.dataset": 
"infoblox.nios", - "event.module": "infoblox", - "event.original": "February 2 20:27:57 agnaaliq1829.mail.test :ntpd_initres ntpd exiting on signal 15", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 6623, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "agnaaliq1829.mail.test" - ], - "rsa.internal.event_desc": "ntpd exiting", - "rsa.internal.messageid": "ntpd_initres", - "rsa.misc.event_source": "agnaaliq1829.mail.test", - "rsa.time.day": "2", - "rsa.time.month": "February", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "sSMTP", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "February 17 03:30:32 col3570.www.invalid tinvolup: sSMTP Sent mail for tsed (inv) uid=rroq username=rcit outbytes=2807", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 6706, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "col3570.www.invalid" - ], - "related.user": [ - "rcit", - "rroq" - ], - "rsa.email.email_dst": "tsed", - "rsa.internal.messageid": "sSMTP", - "rsa.misc.event_source": "col3570.www.invalid", - "rsa.time.day": "17", - "rsa.time.month": "February", - "service.type": "infoblox", - "source.bytes": 2807, - "tags": [ - "forwarded", - "infoblox.nios" - ], - "user.name": "rcit" - }, - { - "event.code": "init", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "March 3 10:33:06 mipsamvo4282.api.home reetdo: init oreveri", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 6825, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "mipsamvo4282.api.home" - ], - "rsa.internal.event_desc": "oreveri", - "rsa.internal.messageid": "init", - "rsa.misc.event_source": "mipsamvo4282.api.home", - "rsa.time.day": "3", - 
"rsa.time.month": "March", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "rc3", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "March 17 17:35:40 Except6889.www.corp -:rc3 umetMal", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 6885, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "Except6889.www.corp" - ], - "rsa.internal.event_desc": "umetMal", - "rsa.internal.messageid": "rc3", - "rsa.misc.event_source": "Except6889.www.corp", - "rsa.time.day": "17", - "rsa.time.month": "March", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "debug", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "Apr 1 00:38:14 umq1309.api.test uae: debug mve", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 6937, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "umq1309.api.test" - ], - "rsa.internal.event_desc": "mve", - "rsa.internal.messageid": "debug", - "rsa.misc.event_source": "umq1309.api.test", - "rsa.time.day": "1", - "rsa.time.month": "Apr", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.action": "deny", - "event.code": "python", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "April 15 07:40:49 tatem4180.www.home 10.102.166.19 python: deny: FQDN='eritatis6343.api.local', View='mquisn'", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 6984, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "eritatis6343.api.local", - "tatem4180.www.home" - ], - "rsa.internal.messageid": "python", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.event_source": 
"tatem4180.www.home", - "rsa.network.domain": "eritatis6343.api.local", - "rsa.time.day": "15", - "rsa.time.month": "April", - "server.domain": "eritatis6343.api.local", - "server.registered_domain": "api.local", - "server.subdomain": "eritatis6343", - "server.top_level_domain": "local", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "syslog", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "April 29 14:43:23 quir7168.api.localdomain labore: syslog uela", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 7094, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "quir7168.api.localdomain" - ], - "rsa.db.index": "labore", - "rsa.internal.event_desc": "uela", - "rsa.internal.messageid": "syslog", - "rsa.misc.event_source": "quir7168.api.localdomain", - "rsa.time.day": "29", - "rsa.time.month": "April", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "controld", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "May 13 21:45:57 iuntNequ7202.api.domain -:controld Distribution Complete", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 7157, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "iuntNequ7202.api.domain" - ], - "rsa.internal.event_desc": "Distribution Complete", - "rsa.internal.messageid": "controld", - "rsa.misc.event_source": "iuntNequ7202.api.domain", - "rsa.time.day": "13", - "rsa.time.month": "May", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "radiusd", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "May 28 04:48:31 veniamq1236.invalid emo: radiusd itq", - "fileset.name": "nios", - "input.type": "log", - 
"log.offset": 7230, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "veniamq1236.invalid" - ], - "rsa.internal.event_desc": "itq", - "rsa.internal.messageid": "radiusd", - "rsa.misc.event_source": "veniamq1236.invalid", - "rsa.time.day": "28", - "rsa.time.month": "May", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "syslog", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "June 11 11:51:06 nderiti409.api.domain -:syslog Cic", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 7283, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "nderiti409.api.domain" - ], - "rsa.internal.event_desc": "Cic", - "rsa.internal.messageid": "syslog", - "rsa.misc.event_source": "nderiti409.api.domain", - "rsa.time.day": "11", - "rsa.time.month": "June", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "dhcpd", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "June 25 18:53:40 tatem6156.www.local :dhcpd received shutdown -/-/ success", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 7335, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "tatem6156.www.local" - ], - "rsa.internal.event_desc": "received shutdown", - "rsa.internal.messageid": "dhcpd", - "rsa.misc.event_source": "tatem6156.www.local", - "rsa.misc.result": "success", - "rsa.time.day": "25", - "rsa.time.month": "June", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.action": "accept", - "event.code": "python", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "July 10 01:56:14 uamnihil6127.api.domain 10.29.119.245 python: accept: 
'olli3116.internal.example' in view 'rsp'.",
- "fileset.name": "nios",
- "host.name": "olli3116.internal.example",
- "input.type": "log",
- "log.offset": 7410,
- "observer.product": "Network",
- "observer.type": "IPAM",
- "observer.vendor": "Infoblox",
- "related.hosts": [
- "olli3116.internal.example",
- "uamnihil6127.api.domain"
- ],
- "rsa.internal.messageid": "python",
- "rsa.misc.action": [
- "accept"
- ],
- "rsa.misc.event_source": "uamnihil6127.api.domain",
- "rsa.network.alias_host": [
- "olli3116.internal.example"
- ],
- "rsa.time.day": "10",
- "rsa.time.month": "July",
- "service.type": "infoblox",
- "tags": [
- "forwarded",
- "infoblox.nios"
- ]
- },
- {
- "event.code": "netauto_core",
- "event.dataset": "infoblox.nios",
- "event.module": "infoblox",
- "event.original": "Jul 24 08:58:48 roquisqu1205.api.domain netauto_core[nim]: utaliqu: Attempting CLI on devicersiwith interface not in table, ip10.118.155.14",
- "fileset.name": "nios",
- "host.ip": "10.118.155.14",
- "input.type": "log",
- "log.offset": 7524,
- "observer.product": "Network",
- "observer.type": "IPAM",
- "observer.vendor": "Infoblox",
- "related.hosts": [
- "roquisqu1205.api.domain"
- ],
- "related.ip": [
- "10.118.155.14"
- ],
- "rsa.internal.data": "nim",
- "rsa.internal.messageid": "netauto_core",
- "rsa.misc.client": "utaliqu",
- "rsa.misc.device_name": "rsi",
- "rsa.misc.event_source": "roquisqu1205.api.domain",
- "rsa.time.day": "24",
- "rsa.time.month": "Jul",
- "service.type": "infoblox",
- "tags": [
- "forwarded",
- "infoblox.nios"
- ]
- },
- {
- "event.code": "phonehome",
- "event.dataset": "infoblox.nios",
- "event.module": "infoblox",
- "event.original": "August 7 16:01:23 suntex5169.www.example phonehome[esci]: uov",
- "fileset.name": "nios",
- "input.type": "log",
- "log.offset": 7664,
- "observer.product": "Network",
- "observer.type": "IPAM",
- "observer.vendor": "Infoblox",
- "related.hosts": [
- "suntex5169.www.example"
- ],
- "rsa.internal.data": "esci",
-
"rsa.internal.event_desc": "uov", - "rsa.internal.messageid": "phonehome", - "rsa.misc.event_source": "suntex5169.www.example", - "rsa.time.day": "7", - "rsa.time.month": "August", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "debug_mount", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "August 21 23:03:57 fici5161.www5.example olup: debug_mount mount aco", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 7726, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "fici5161.www5.example" - ], - "rsa.internal.event_desc": "aco", - "rsa.internal.messageid": "debug_mount", - "rsa.misc.event_source": "fici5161.www5.example", - "rsa.time.day": "21", - "rsa.time.month": "August", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "shutdown", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "September 5 06:06:31 orsi7617.www5.corp lorsita: shutdown shutting down for system reboot", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 7795, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "orsi7617.www5.corp" - ], - "rsa.internal.event_desc": "shutting down for system reboot", - "rsa.internal.messageid": "shutdown", - "rsa.misc.event_source": "orsi7617.www5.corp", - "rsa.time.day": "5", - "rsa.time.month": "September", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "radiusd", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "September 19 13:09:05 osamnis4912.mail.host npr: radiusd etconsec", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 7885, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": 
"Infoblox", - "related.hosts": [ - "osamnis4912.mail.host" - ], - "rsa.internal.event_desc": "etconsec", - "rsa.internal.messageid": "radiusd", - "rsa.misc.event_source": "osamnis4912.mail.host", - "rsa.time.day": "19", - "rsa.time.month": "September", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "captured_dns_uploader", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "Oct 03 20:11:40 urExcept6809.www5.corp captured_dns_uploader[atcupida]: tessequa", - "event.outcome": "failure", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 7951, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "urExcept6809.www5.corp" - ], - "rsa.internal.data": "atcupida", - "rsa.internal.event_desc": "tessequa", - "rsa.internal.messageid": "captured_dns_uploader", - "rsa.investigations.ec_outcome": "Failure", - "rsa.misc.event_source": "urExcept6809.www5.corp", - "rsa.time.day": "03", - "rsa.time.month": "Oct", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "isi", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "Oct 18 03:14:14 icab3519.localdomain dhcpdv6[plicaboN]: Encapsulated Renew message from 2001:db8::b1f51444:f88dd359 port 2496 from client DUID acommo, transaction ID isi", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 8032, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "icab3519.localdomain" - ], - "rsa.internal.data": "plicaboN", - "rsa.internal.event_desc": "Encapsulated Renew message", - "rsa.internal.messageid": "dhcpdv6", - "rsa.misc.event_source": "icab3519.localdomain", - "rsa.misc.reference_id": "isi", - "rsa.time.day": "18", - "rsa.time.month": "Oct", - "service.type": "infoblox", - "source.port": 2496, - "tags": [ - 
"forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "python", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "November 1 10:16:48 abor4353.www5.host ame: python tesseq", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 8202, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "abor4353.www5.host" - ], - "rsa.internal.event_desc": "tesseq", - "rsa.internal.messageid": "python", - "rsa.misc.event_source": "abor4353.www5.host", - "rsa.time.day": "1", - "rsa.time.month": "November", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.action": "deny", - "event.code": "sshd", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "November 15 17:19:22 olorem290.api.lan sshd[culpaqui]: deny: logout() unknown", - "event.outcome": "failure", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 8260, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "olorem290.api.lan" - ], - "rsa.internal.data": "culpaqui", - "rsa.internal.event_desc": "logout", - "rsa.internal.messageid": "sshd", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.event_source": "olorem290.api.lan", - "rsa.misc.result": "unknown", - "rsa.time.day": "15", - "rsa.time.month": "November", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "event.code": "purge_scheduled_tasks", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "November 30 00:21:57 ventore3612.www.home purge_scheduled_tasks[emp]: Scheduled tasks have been purged", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 8338, - "observer.product": 
"Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "ventore3612.www.home" - ], - "rsa.internal.data": "emp", - "rsa.internal.messageid": "purge_scheduled_tasks", - "rsa.misc.event_source": "ventore3612.www.home", - "rsa.time.day": "30", - "rsa.time.month": "November", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - }, - { - "destination.ip": "10.111.52.69", - "destination.port": 6073, - "event.code": "tacacs_acct", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "Dec 14 07:24:31 uptatem4483.localhost tacacs_acct[inrepr]: mol: Server 10.111.52.69 port 6073: asperna", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 8441, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "uptatem4483.localhost" - ], - "related.ip": [ - "10.111.52.69" - ], - "rsa.internal.data": "inrepr", - "rsa.internal.event_desc": "asperna", - "rsa.internal.messageid": "tacacs_acct", - "rsa.misc.event_source": "uptatem4483.localhost", - "rsa.time.day": "14", - "rsa.time.month": "Dec", - "service.type": "infoblox", - "tags": [ - "forwarded", - "infoblox.nios" - ] - } -] \ No newline at end of file diff --git a/x-pack/filebeat/modules.d/infoblox.yml.disabled b/x-pack/filebeat/modules.d/infoblox.yml.disabled deleted file mode 100644 index 910a896d12a..00000000000 --- a/x-pack/filebeat/modules.d/infoblox.yml.disabled +++ /dev/null 
@@ -1,22 +0,0 @@
-# Module: infoblox
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/main/filebeat-module-infoblox.html
-
-- module: infoblox
- nios:
- enabled: false
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9512
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
From aee0d4735a7abc03cd93538e817d7302dbbe1e6b Mon Sep 17 00:00:00 2001
From: Panos Koutsovasilis
Date: Thu, 15 Feb 2024 13:39:59 +0200
Subject: [PATCH 10/22] feat: remove deprecated juniper junos and netscreen
---
filebeat/docs/fields.asciidoc | 5427 ----
filebeat/docs/modules/juniper.asciidoc | 95 -
x-pack/filebeat/filebeat.reference.yml | 38 -
.../filebeat/module/juniper/_meta/config.yml | 38 -
.../module/juniper/_meta/docs.asciidoc | 95 -
x-pack/filebeat/module/juniper/fields.go | 2 +-
.../module/juniper/junos/_meta/fields.yml | 2635 --
.../module/juniper/junos/config/input.yml | 87 -
.../juniper/junos/config/liblogparser.js | 2514 --
.../module/juniper/junos/config/pipeline.js | 9978 -------
.../module/juniper/junos/ingest/pipeline.yml | 64 -
.../module/juniper/junos/manifest.yml | 31 -
.../module/juniper/junos/test/generated.log | 100 -
.../junos/test/generated.log-expected.json | 2698 --
.../module/juniper/netscreen/_meta/fields.yml | 2635 --
.../module/juniper/netscreen/config/input.yml | 87 -
.../juniper/netscreen/config/liblogparser.js | 2514 --
.../juniper/netscreen/config/pipeline.js | 23763 ----------------
.../juniper/netscreen/ingest/pipeline.yml | 64 -
.../module/juniper/netscreen/manifest.yml | 31 -
.../juniper/netscreen/test/generated.log | 100 -
.../test/generated.log-expected.json | 2520 --
.../filebeat/modules.d/juniper.yml.disabled | 38 -
23 files changed, 1 insertion(+), 55553 deletions(-)
delete mode 100644 x-pack/filebeat/module/juniper/junos/_meta/fields.yml
delete mode 100644 x-pack/filebeat/module/juniper/junos/config/input.yml
delete mode 100644 x-pack/filebeat/module/juniper/junos/config/liblogparser.js
delete mode 100644 x-pack/filebeat/module/juniper/junos/config/pipeline.js
delete mode 100644 x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml
delete mode 100644 x-pack/filebeat/module/juniper/junos/manifest.yml
delete mode 100644 x-pack/filebeat/module/juniper/junos/test/generated.log
delete mode 100644 x-pack/filebeat/module/juniper/junos/test/generated.log-expected.json
delete mode 100644 
x-pack/filebeat/module/juniper/netscreen/_meta/fields.yml
delete mode 100644 x-pack/filebeat/module/juniper/netscreen/config/input.yml
delete mode 100644 x-pack/filebeat/module/juniper/netscreen/config/liblogparser.js
delete mode 100644 x-pack/filebeat/module/juniper/netscreen/config/pipeline.js
delete mode 100644 x-pack/filebeat/module/juniper/netscreen/ingest/pipeline.yml
delete mode 100644 x-pack/filebeat/module/juniper/netscreen/manifest.yml
delete mode 100644 x-pack/filebeat/module/juniper/netscreen/test/generated.log
delete mode 100644 x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index 1f786a8be25..bb6a3f4ab52 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -36793,5433 +36793,6 @@ juniper fields.
-*`network.interface.name`*::
-+
---
-Name of the network interface where the traffic has been observed.
-
-
-type: keyword
-
---
-
-
-
-*`rsa.internal.msg`*::
-+
---
-This key is used to capture the raw message that comes into the Log Decoder
-
-type: keyword
-
---
-
-*`rsa.internal.messageid`*::
-+
---
-type: keyword
-
---
-
-*`rsa.internal.event_desc`*::
-+
---
-type: keyword
-
---
-
-*`rsa.internal.message`*::
-+
---
-This key captures the contents of instant messages
-
-type: keyword
-
---
-
-*`rsa.internal.time`*::
-+
---
-This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.
-
-type: date
-
---
-
-*`rsa.internal.level`*::
-+
---
-Deprecated key defined only in table map.
-
-type: long
-
---
-
-*`rsa.internal.msg_id`*::
-+
---
-This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: keyword
-
---
-
-*`rsa.internal.msg_vid`*::
-+
---
-This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: keyword
-
---
-
-*`rsa.internal.data`*::
-+
---
-Deprecated key defined only in table map.
-
-type: keyword
-
---
-
-*`rsa.internal.obj_server`*::
-+
---
-Deprecated key defined only in table map.
-
-type: keyword
-
---
-
-*`rsa.internal.obj_val`*::
-+
---
-Deprecated key defined only in table map.
-
-type: keyword
-
---
-
-*`rsa.internal.resource`*::
-+
---
-Deprecated key defined only in table map.
-
-type: keyword
-
---
-
-*`rsa.internal.obj_id`*::
-+
---
-Deprecated key defined only in table map.
-
-type: keyword
-
---
-
-*`rsa.internal.statement`*::
-+
---
-Deprecated key defined only in table map.
-
-type: keyword
-
---
-
-*`rsa.internal.audit_class`*::
-+
---
-Deprecated key defined only in table map.
-
-type: keyword
-
---
-
-*`rsa.internal.entry`*::
-+
---
-Deprecated key defined only in table map.
-
-type: keyword
-
---
-
-*`rsa.internal.hcode`*::
-+
---
-Deprecated key defined only in table map.
-
-type: keyword
-
---
-
-*`rsa.internal.inode`*::
-+
---
-Deprecated key defined only in table map.
-
-type: long
-
---
-
-*`rsa.internal.resource_class`*::
-+
---
-Deprecated key defined only in table map.
-
-type: keyword
-
---
-
-*`rsa.internal.dead`*::
-+
---
-Deprecated key defined only in table map.
-
-type: long
-
---
-
-*`rsa.internal.feed_desc`*::
-+
---
-This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: keyword
-
---
-
-*`rsa.internal.feed_name`*::
-+
---
-This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: keyword
-
---
-
-*`rsa.internal.cid`*::
-+
---
-This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: keyword
-
---
-
-*`rsa.internal.device_class`*::
-+
---
-This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: keyword
-
---
-
-*`rsa.internal.device_group`*::
-+
---
-This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: keyword
-
---
-
-*`rsa.internal.device_host`*::
-+
---
-This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: keyword
-
---
-
-*`rsa.internal.device_ip`*::
-+
---
-This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: ip
-
---
-
-*`rsa.internal.device_ipv6`*::
-+
---
-This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: ip
-
---
-
-*`rsa.internal.device_type`*::
-+
---
-This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: keyword
-
---
-
-*`rsa.internal.device_type_id`*::
-+
---
-Deprecated key defined only in table map.
-
-type: long
-
---
-
-*`rsa.internal.did`*::
-+
---
-This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: keyword
-
---
-
-*`rsa.internal.entropy_req`*::
-+
---
-This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
-
-type: long
-
---
-
-*`rsa.internal.entropy_res`*::
-+
---
-This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
-
-type: long
-
---
-
-*`rsa.internal.event_name`*::
-+
---
-Deprecated key defined only in table map.
-
-type: keyword
-
---
-
-*`rsa.internal.feed_category`*::
-+
---
-This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: keyword
-
---
-
-*`rsa.internal.forward_ip`*::
-+
---
-This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.
-
-type: ip
-
---
-
-*`rsa.internal.forward_ipv6`*::
-+
---
-This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: ip
-
---
-
-*`rsa.internal.header_id`*::
-+
---
-This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: keyword
-
---
-
-*`rsa.internal.lc_cid`*::
-+
---
-This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: keyword
-
---
-
-*`rsa.internal.lc_ctime`*::
-+
---
-This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: date
-
---
-
-*`rsa.internal.mcb_req`*::
-+
---
-This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most
-
-type: long
-
---
-
-*`rsa.internal.mcb_res`*::
-+
---
-This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most
-
-type: long
-
---
-
-*`rsa.internal.mcbc_req`*::
-+
---
-This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
-
-type: long
-
---
-
-*`rsa.internal.mcbc_res`*::
-+
---
-This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
-
-type: long
-
---
-
-*`rsa.internal.medium`*::
-+
---
-This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session
-
-type: long
-
---
-
-*`rsa.internal.node_name`*::
-+
---
-Deprecated key defined only in table map.
-
-type: keyword
-
---
-
-*`rsa.internal.nwe_callback_id`*::
-+
---
-This key denotes that event is endpoint related
-
-type: keyword
-
---
-
-*`rsa.internal.parse_error`*::
-+
---
-This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: keyword
-
---
-
-*`rsa.internal.payload_req`*::
-+
---
-This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
-
-type: long
-
---
-
-*`rsa.internal.payload_res`*::
-+
---
-This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
-
-type: long
-
---
-
-*`rsa.internal.process_vid_dst`*::
-+
---
-Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.
-
-type: keyword
-
---
-
-*`rsa.internal.process_vid_src`*::
-+
---
-Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.
-
-type: keyword
-
---
-
-*`rsa.internal.rid`*::
-+
---
-This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: long
-
---
-
-*`rsa.internal.session_split`*::
-+
---
-This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: keyword
-
---
-
-*`rsa.internal.site`*::
-+
---
-Deprecated key defined only in table map.
-
-type: keyword
-
---
-
-*`rsa.internal.size`*::
-+
---
-This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: long
-
---
-
-*`rsa.internal.sourcefile`*::
-+
---
-This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
-
-type: keyword
-
---
-
-*`rsa.internal.ubc_req`*::
-+
---
-This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
-
-type: long
-
---
-
-*`rsa.internal.ubc_res`*::
-+
---
-This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
-
-type: long
-
---
-
-*`rsa.internal.word`*::
-+
---
-This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log
-
-type: keyword
-
---
-
-
-*`rsa.time.event_time`*::
-+
---
-This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form
-
-type: date
-
---
-
-*`rsa.time.duration_time`*::
-+
---
-This key is used to capture the normalized duration/lifetime in seconds. 
- -type: double - --- - -*`rsa.time.event_time_str`*:: -+ --- -This key is used to capture the incomplete time mentioned in a session as a string - -type: keyword - --- - -*`rsa.time.starttime`*:: -+ --- -This key is used to capture the Start time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.month`*:: -+ --- -type: keyword - --- - -*`rsa.time.day`*:: -+ --- -type: keyword - --- - -*`rsa.time.endtime`*:: -+ --- -This key is used to capture the End time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.timezone`*:: -+ --- -This key is used to capture the timezone of the Event Time - -type: keyword - --- - -*`rsa.time.duration_str`*:: -+ --- -A text string version of the duration - -type: keyword - --- - -*`rsa.time.date`*:: -+ --- -type: keyword - --- - -*`rsa.time.year`*:: -+ --- -type: keyword - --- - -*`rsa.time.recorded_time`*:: -+ --- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date - --- - -*`rsa.time.datetime`*:: -+ --- -type: keyword - --- - -*`rsa.time.effective_time`*:: -+ --- -This key is the effective time referenced by an individual event in a Standard Timestamp format - -type: date - --- - -*`rsa.time.expire_time`*:: -+ --- -This key is the timestamp that explicitly refers to an expiration. - -type: date - --- - -*`rsa.time.process_time`*:: -+ --- -Deprecated, use duration.time - -type: keyword - --- - -*`rsa.time.hour`*:: -+ --- -type: keyword - --- - -*`rsa.time.min`*:: -+ --- -type: keyword - --- - -*`rsa.time.timestamp`*:: -+ --- -type: keyword - --- - -*`rsa.time.event_queue_time`*:: -+ --- -This key is the Time that the event was queued. 
- -type: date - --- - -*`rsa.time.p_time1`*:: -+ --- -type: keyword - --- - -*`rsa.time.tzone`*:: -+ --- -type: keyword - --- - -*`rsa.time.eventtime`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmtdate`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmttime`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_date`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_month`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time2`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_year`*:: -+ --- -type: keyword - --- - -*`rsa.time.expire_time_str`*:: -+ --- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. - -type: keyword - --- - -*`rsa.time.stamp`*:: -+ --- -Deprecated key defined only in table map. - -type: date - --- - - -*`rsa.misc.action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.result`*:: -+ --- -This key is used to capture the outcome/result string value of an action in a session. - -type: keyword - --- - -*`rsa.misc.severity`*:: -+ --- -This key is used to capture the severity given the session - -type: keyword - --- - -*`rsa.misc.event_type`*:: -+ --- -This key captures the event category type as specified by the event source. - -type: keyword - --- - -*`rsa.misc.reference_id`*:: -+ --- -This key is used to capture an event id from the session directly - -type: keyword - --- - -*`rsa.misc.version`*:: -+ --- -This key captures Version of the application or OS which is generating the event. - -type: keyword - --- - -*`rsa.misc.disposition`*:: -+ --- -This key captures the The end state of an action. 
- -type: keyword - --- - -*`rsa.misc.result_code`*:: -+ --- -This key is used to capture the outcome/result numeric value of an action in a session - -type: keyword - --- - -*`rsa.misc.category`*:: -+ --- -This key is used to capture the category of an event given by the vendor in the session - -type: keyword - --- - -*`rsa.misc.obj_name`*:: -+ --- -This is used to capture name of object - -type: keyword - --- - -*`rsa.misc.obj_type`*:: -+ --- -This is used to capture type of object - -type: keyword - --- - -*`rsa.misc.event_source`*:: -+ --- -This key captures Source of the event that’s not a hostname - -type: keyword - --- - -*`rsa.misc.log_session_id`*:: -+ --- -This key is used to capture a sessionid from the session directly - -type: keyword - --- - -*`rsa.misc.group`*:: -+ --- -This key captures the Group Name value - -type: keyword - --- - -*`rsa.misc.policy_name`*:: -+ --- -This key is used to capture the Policy Name only. - -type: keyword - --- - -*`rsa.misc.rule_name`*:: -+ --- -This key captures the Rule Name - -type: keyword - --- - -*`rsa.misc.context`*:: -+ --- -This key captures Information which adds additional context to the event. - -type: keyword - --- - -*`rsa.misc.change_new`*:: -+ --- -This key is used to capture the new values of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.space`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client`*:: -+ --- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- -type: keyword - --- - -*`rsa.misc.msgIdPart1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.change_old`*:: -+ --- -This key is used to capture the old value of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.operation_id`*:: -+ --- -An alert number or operation number. The values should be unique and non-repeating. - -type: keyword - --- - -*`rsa.misc.event_state`*:: -+ --- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - -type: keyword - --- - -*`rsa.misc.group_object`*:: -+ --- -This key captures a collection/grouping of entities. Specific usage - -type: keyword - --- - -*`rsa.misc.node`*:: -+ --- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - -type: keyword - --- - -*`rsa.misc.rule`*:: -+ --- -This key captures the Rule number - -type: keyword - --- - -*`rsa.misc.device_name`*:: -+ --- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - -type: keyword - --- - -*`rsa.misc.param`*:: -+ --- -This key is the parameters passed as part of a command or application, etc. - -type: keyword - --- - -*`rsa.misc.change_attrib`*:: -+ --- -This key is used to capture the name of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.event_computer`*:: -+ --- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- -type: keyword - --- - -*`rsa.misc.reference_id1`*:: -+ --- -This key is for Linked ID to be used as an addition to "reference.id" - -type: keyword - --- - -*`rsa.misc.event_log`*:: -+ --- -This key captures the Name of the event log - -type: keyword - --- - -*`rsa.misc.OS`*:: -+ --- -This key captures the Name of the Operating System - -type: keyword - --- - -*`rsa.misc.terminal`*:: -+ --- -This key captures the Terminal Names only - -type: keyword - --- - -*`rsa.misc.msgIdPart3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.filter`*:: -+ --- -This key captures Filter used to reduce result set - -type: keyword - --- - -*`rsa.misc.serial_number`*:: -+ --- -This key is the Serial number associated with a physical asset. - -type: keyword - --- - -*`rsa.misc.checksum`*:: -+ --- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - -type: keyword - --- - -*`rsa.misc.event_user`*:: -+ --- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - -type: keyword - --- - -*`rsa.misc.virusname`*:: -+ --- -This key captures the name of the virus - -type: keyword - --- - -*`rsa.misc.content_type`*:: -+ --- -This key is used to capture Content Type only. - -type: keyword - --- - -*`rsa.misc.group_id`*:: -+ --- -This key captures Group ID Number (related to the group name) - -type: keyword - --- - -*`rsa.misc.policy_id`*:: -+ --- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - -type: keyword - --- - -*`rsa.misc.vsys`*:: -+ --- -This key captures Virtual System Name - -type: keyword - --- - -*`rsa.misc.connection_id`*:: -+ --- -This key captures the Connection ID - -type: keyword - --- - -*`rsa.misc.reference_id2`*:: -+ --- -This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - -type: keyword - --- - -*`rsa.misc.sensor`*:: -+ --- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - -type: keyword - --- - -*`rsa.misc.sig_id`*:: -+ --- -This key captures IDS/IPS Int Signature ID - -type: long - --- - -*`rsa.misc.port_name`*:: -+ --- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - -type: keyword - --- - -*`rsa.misc.rule_group`*:: -+ --- -This key captures the Rule group name - -type: keyword - --- - -*`rsa.misc.risk_num`*:: -+ --- -This key captures a Numeric Risk value - -type: double - --- - -*`rsa.misc.trigger_val`*:: -+ --- -This key captures the Value of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.log_session_id1`*:: -+ --- -This key is used to capture a Linked (Related) Session ID from the session directly - -type: keyword - --- - -*`rsa.misc.comp_version`*:: -+ --- -This key captures the Version level of a sub-component of a product. - -type: keyword - --- - -*`rsa.misc.content_version`*:: -+ --- -This key captures Version level of a signature or database content. - -type: keyword - --- - -*`rsa.misc.hardware_id`*:: -+ --- -This key is used to capture unique identifier for a device or system (NOT a Mac address) - -type: keyword - --- - -*`rsa.misc.risk`*:: -+ --- -This key captures the non-numeric risk value - -type: keyword - --- - -*`rsa.misc.event_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.reason`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mail_id`*:: -+ --- -This key is used to capture the mailbox id/name - -type: keyword - --- - -*`rsa.misc.rule_uid`*:: -+ --- -This key is the Unique Identifier for a rule. 
- -type: keyword - --- - -*`rsa.misc.trigger_desc`*:: -+ --- -This key captures the Description of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.inout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.data_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.error`*:: -+ --- -This key captures All non successful Error codes or responses - -type: keyword - --- - -*`rsa.misc.index`*:: -+ --- -type: keyword - --- - -*`rsa.misc.listnum`*:: -+ --- -This key is used to capture listname or listnumber, primarily for collecting access-list - -type: keyword - --- - -*`rsa.misc.ntype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.observed_val`*:: -+ --- -This key captures the Value observed (from the perspective of the device generating the log). - -type: keyword - --- - -*`rsa.misc.policy_value`*:: -+ --- -This key captures the contents of the policy. This contains details about the policy - -type: keyword - --- - -*`rsa.misc.pool_name`*:: -+ --- -This key captures the name of a resource pool - -type: keyword - --- - -*`rsa.misc.rule_template`*:: -+ --- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - -type: keyword - --- - -*`rsa.misc.count`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigcat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comments`*:: -+ --- -Comment information provided in the log message - -type: keyword - --- - -*`rsa.misc.doc_number`*:: -+ --- -This key captures File Identification number - -type: long - --- - -*`rsa.misc.expected_val`*:: -+ --- -This key captures the Value expected (from the perspective of the device generating the log). 
- -type: keyword - --- - -*`rsa.misc.job_num`*:: -+ --- -This key captures the Job Number - -type: keyword - --- - -*`rsa.misc.spi_dst`*:: -+ --- -Destination SPI Index - -type: keyword - --- - -*`rsa.misc.spi_src`*:: -+ --- -Source SPI Index - -type: keyword - --- - -*`rsa.misc.code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.agent_id`*:: -+ --- -This key is used to capture agent id - -type: keyword - --- - -*`rsa.misc.message_body`*:: -+ --- -This key captures the The contents of the message body. - -type: keyword - --- - -*`rsa.misc.phone`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sig_id_str`*:: -+ --- -This key captures a string object of the sigid variable. - -type: keyword - --- - -*`rsa.misc.cmd`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu`*:: -+ --- -This key is the CPU time used in the execution of the event being recorded. - -type: long - --- - -*`rsa.misc.event_desc`*:: -+ --- -This key is used to capture a description of an event available directly or inferred - -type: keyword - --- - -*`rsa.misc.sig_id1`*:: -+ --- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - -type: long - --- - -*`rsa.misc.im_buddyid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_client`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.priority`*:: -+ --- -type: keyword - --- - -*`rsa.misc.context_subject`*:: -+ --- -This key is to be used in an audit context where the subject is the object being identified - -type: keyword - --- - -*`rsa.misc.context_target`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cve`*:: -+ --- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - -type: keyword - --- - -*`rsa.misc.fcatnum`*:: -+ --- -This key captures Filter Category Number. 
Legacy Usage - -type: keyword - --- - -*`rsa.misc.library`*:: -+ --- -This key is used to capture library information in mainframe devices - -type: keyword - --- - -*`rsa.misc.parent_node`*:: -+ --- -This key captures the Parent Node Name. Must be related to node variable. - -type: keyword - --- - -*`rsa.misc.risk_info`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.tcp_flags`*:: -+ --- -This key is captures the TCP flags set in any packet of session - -type: long - --- - -*`rsa.misc.tos`*:: -+ --- -This key describes the type of service - -type: long - --- - -*`rsa.misc.vm_target`*:: -+ --- -VMWare Target **VMWARE** only varaible. - -type: keyword - --- - -*`rsa.misc.workspace`*:: -+ --- -This key captures Workspace Description - -type: keyword - --- - -*`rsa.misc.command`*:: -+ --- -type: keyword - --- - -*`rsa.misc.event_category`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facilityname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.forensic_info`*:: -+ --- -type: keyword - --- - -*`rsa.misc.jobname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy_waiver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.second`*:: -+ --- -type: keyword - --- - -*`rsa.misc.space1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.subcategory`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alert_id`*:: -+ --- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.checksum_dst`*:: -+ --- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - -type: keyword - --- - -*`rsa.misc.checksum_src`*:: -+ --- -This key is used to capture the checksum or hash of the source entity such as a file or process. 
- -type: keyword - --- - -*`rsa.misc.fresult`*:: -+ --- -This key captures the Filter Result - -type: long - --- - -*`rsa.misc.payload_dst`*:: -+ --- -This key is used to capture destination payload - -type: keyword - --- - -*`rsa.misc.payload_src`*:: -+ --- -This key is used to capture source payload - -type: keyword - --- - -*`rsa.misc.pool_id`*:: -+ --- -This key captures the identifier (typically numeric field) of a resource pool - -type: keyword - --- - -*`rsa.misc.process_id_val`*:: -+ --- -This key is a failure key for Process ID when it is not an integer value - -type: keyword - --- - -*`rsa.misc.risk_num_comm`*:: -+ --- -This key captures Risk Number Community - -type: double - --- - -*`rsa.misc.risk_num_next`*:: -+ --- -This key captures Risk Number NextGen - -type: double - --- - -*`rsa.misc.risk_num_sand`*:: -+ --- -This key captures Risk Number SandBox - -type: double - --- - -*`rsa.misc.risk_num_static`*:: -+ --- -This key captures Risk Number Static - -type: double - --- - -*`rsa.misc.risk_suspicious`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.risk_warning`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.snmp_oid`*:: -+ --- -SNMP Object Identifier - -type: keyword - --- - -*`rsa.misc.sql`*:: -+ --- -This key captures the SQL query - -type: keyword - --- - -*`rsa.misc.vuln_ref`*:: -+ --- -This key captures the Vulnerability Reference details - -type: keyword - --- - -*`rsa.misc.acl_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_op`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_pos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_table`*:: -+ --- -type: keyword - --- - -*`rsa.misc.admin`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarm_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarmname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.app_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.audit`*:: 
-+ --- -type: keyword - --- - -*`rsa.misc.audit_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.auditdata`*:: -+ --- -type: keyword - --- - -*`rsa.misc.benchmark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.bypass`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache_hit`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cefversion`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_attr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_obj`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_path`*:: -+ --- -type: keyword - --- - -*`rsa.misc.changes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client_ip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.clustermembers`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_acttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_asn_src`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_bgpv4nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ctr_dst_code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_f_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampintv`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampmode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inacttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermbyts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermpckts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_invalid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ip_proto_ver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ipv4_ident`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_l_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_did`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_rid`*:: -+ --- -type: keyword - 
--- - -*`rsa.misc.cn_max_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_maxpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_min_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_minpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_10`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_5`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_6`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_7`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_8`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_9`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_byt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_pks`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_muligmptype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampalgo`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampint`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_seqctr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_spackets`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sysuptime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_template_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totbytsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totflowexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totpcktsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_unixnanosecs`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6flowlabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6optheaders`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.comp_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_rbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_sbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.criticality`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_agency_dst`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_analyzedby`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_other`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_primary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_secondary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bgpv6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bit9status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_context`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_control`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_datecret`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_dst_tld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_dst_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_src_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_event_uuid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_filetype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_desc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ip_next_hop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4dstpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4srcpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_lifetime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_log_medium`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_loginname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulescore`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulesign`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_opswatresult`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.cs_payload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrant`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrar`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_represult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_rpayload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sampler_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sourcemodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_streams`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_targetmodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_v6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_whois_server`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_yararesult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.description`*:: -+ --- -type: keyword - --- - -*`rsa.misc.devvendor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.distance`*:: -+ --- -type: keyword - --- - -*`rsa.misc.dstburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomaub`*:: -+ --- -type: keyword - --- - -*`rsa.misc.euid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facility`*:: -+ --- -type: keyword - --- - -*`rsa.misc.finterface`*:: -+ --- -type: keyword - --- - -*`rsa.misc.flags`*:: -+ --- -type: keyword - --- - -*`rsa.misc.gaddr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.id3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_buddyname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomtype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_members`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_username`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipscat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipspri`*:: -+ --- -type: keyword - --- - -*`rsa.misc.latitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.linenum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.list_name`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.load_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_floor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_mark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.longitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.lport`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mbug_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msg_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.netsessid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.nwwn`*:: -+ --- -type: keyword - --- - -*`rsa.misc.object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.operation`*:: -+ --- -type: keyword - --- - -*`rsa.misc.opkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.orig_from`*:: -+ --- -type: keyword - --- - -*`rsa.misc.owner_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_filter`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_group_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_result1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_chg`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_expire`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permgranted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permwanted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pgid`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.policyUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.prog_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.program`*:: -+ --- -type: keyword - --- - -*`rsa.misc.real_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_device`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_library`*:: -+ --- -type: keyword - --- - -*`rsa.misc.recordnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ruid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sdomain_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sec`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sensorname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.seqnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.session`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sessiontype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.spi`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcservice`*:: -+ --- -type: keyword - --- - -*`rsa.misc.state`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.svcno`*:: -+ --- -type: keyword - --- - -*`rsa.misc.system`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.threshold`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.udb_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.url_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.user_div`*:: -+ --- -type: keyword - --- - -*`rsa.misc.userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.username_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.utcstamp`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.v_instafname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.virt_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.vpnid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.autorun_type`*:: -+ --- -This is used to capture Auto Run type - -type: keyword - --- - -*`rsa.misc.cc_number`*:: -+ --- -Valid Credit Card Numbers only - -type: long - --- - -*`rsa.misc.content`*:: -+ --- -This key captures the content type from protocol headers - -type: keyword - --- - -*`rsa.misc.ein_number`*:: -+ --- -Employee Identification Numbers only - -type: long - --- - -*`rsa.misc.found`*:: -+ --- -This is used to capture the results of regex match - -type: keyword - --- - -*`rsa.misc.language`*:: -+ --- -This is used to capture list of languages the client support and what it prefers - -type: keyword - --- - -*`rsa.misc.lifetime`*:: -+ --- -This key is used to capture the session lifetime in seconds. - -type: long - --- - -*`rsa.misc.link`*:: -+ --- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.misc.match`*:: -+ --- -This key is for regex match name from search.ini - -type: keyword - --- - -*`rsa.misc.param_dst`*:: -+ --- -This key captures the command line/launch argument of the target process or file - -type: keyword - --- - -*`rsa.misc.param_src`*:: -+ --- -This key captures source parameter - -type: keyword - --- - -*`rsa.misc.search_text`*:: -+ --- -This key captures the Search Text used - -type: keyword - --- - -*`rsa.misc.sig_name`*:: -+ --- -This key is used to capture the Signature Name only. - -type: keyword - --- - -*`rsa.misc.snmp_value`*:: -+ --- -SNMP set request value - -type: keyword - --- - -*`rsa.misc.streams`*:: -+ --- -This key captures number of streams in session - -type: long - --- - - -*`rsa.db.index`*:: -+ --- -This key captures IndexID of the index. 
- -type: keyword - --- - -*`rsa.db.instance`*:: -+ --- -This key is used to capture the database server instance name - -type: keyword - --- - -*`rsa.db.database`*:: -+ --- -This key is used to capture the name of a database or an instance as seen in a session - -type: keyword - --- - -*`rsa.db.transact_id`*:: -+ --- -This key captures the SQL transantion ID of the current session - -type: keyword - --- - -*`rsa.db.permissions`*:: -+ --- -This key captures permission or privilege level assigned to a resource. - -type: keyword - --- - -*`rsa.db.table_name`*:: -+ --- -This key is used to capture the table name - -type: keyword - --- - -*`rsa.db.db_id`*:: -+ --- -This key is used to capture the unique identifier for a database - -type: keyword - --- - -*`rsa.db.db_pid`*:: -+ --- -This key captures the process id of a connection with database server - -type: long - --- - -*`rsa.db.lread`*:: -+ --- -This key is used for the number of logical reads - -type: long - --- - -*`rsa.db.lwrite`*:: -+ --- -This key is used for the number of logical writes - -type: long - --- - -*`rsa.db.pread`*:: -+ --- -This key is used for the number of physical writes - -type: long - --- - - -*`rsa.network.alias_host`*:: -+ --- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - -type: keyword - --- - -*`rsa.network.domain`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_dst`*:: -+ --- -This key should only be used when it’s a Destination Hostname - -type: keyword - --- - -*`rsa.network.network_service`*:: -+ --- -This is used to capture layer 7 protocols/service names - -type: keyword - --- - -*`rsa.network.interface`*:: -+ --- -This key should be used when the source or destination context of an interface is not clear - -type: keyword - --- - -*`rsa.network.network_port`*:: -+ --- -Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) - -type: long - --- - -*`rsa.network.eth_host`*:: -+ --- -Deprecated, use alias.mac - -type: keyword - --- - -*`rsa.network.sinterface`*:: -+ --- -This key should only be used when it’s a Source Interface - -type: keyword - --- - -*`rsa.network.dinterface`*:: -+ --- -This key should only be used when it’s a Destination Interface - -type: keyword - --- - -*`rsa.network.vlan`*:: -+ --- -This key should only be used to capture the ID of the Virtual LAN - -type: long - --- - -*`rsa.network.zone_src`*:: -+ --- -This key should only be used when it’s a Source Zone. - -type: keyword - --- - -*`rsa.network.zone`*:: -+ --- -This key should be used when the source or destination context of a Zone is not clear - -type: keyword - --- - -*`rsa.network.zone_dst`*:: -+ --- -This key should only be used when it’s a Destination Zone. - -type: keyword - --- - -*`rsa.network.gateway`*:: -+ --- -This key is used to capture the IP Address of the gateway - -type: keyword - --- - -*`rsa.network.icmp_type`*:: -+ --- -This key is used to capture the ICMP type only - -type: long - --- - -*`rsa.network.mask`*:: -+ --- -This key is used to capture the device network IPmask. 
- -type: keyword - --- - -*`rsa.network.icmp_code`*:: -+ --- -This key is used to capture the ICMP code only - -type: long - --- - -*`rsa.network.protocol_detail`*:: -+ --- -This key should be used to capture additional protocol information - -type: keyword - --- - -*`rsa.network.dmask`*:: -+ --- -This key is used for Destionation Device network mask - -type: keyword - --- - -*`rsa.network.port`*:: -+ --- -This key should only be used to capture a Network Port when the directionality is not clear - -type: long - --- - -*`rsa.network.smask`*:: -+ --- -This key is used for capturing source Network Mask - -type: keyword - --- - -*`rsa.network.netname`*:: -+ --- -This key is used to capture the network name associated with an IP range. This is configured by the end user. - -type: keyword - --- - -*`rsa.network.paddr`*:: -+ --- -Deprecated - -type: ip - --- - -*`rsa.network.faddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.lhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.origin`*:: -+ --- -type: keyword - --- - -*`rsa.network.remote_domain_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.addr`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_a_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_ptr_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.fhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.fport`*:: -+ --- -type: keyword - --- - -*`rsa.network.laddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.linterface`*:: -+ --- -type: keyword - --- - -*`rsa.network.phost`*:: -+ --- -type: keyword - --- - -*`rsa.network.ad_computer_dst`*:: -+ --- -Deprecated, use host.dst - -type: keyword - --- - -*`rsa.network.eth_type`*:: -+ --- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: long - --- - -*`rsa.network.ip_proto`*:: -+ --- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - -type: long - --- - -*`rsa.network.dns_cname_record`*:: -+ --- 
-type: keyword - --- - -*`rsa.network.dns_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_opcode`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_resp`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.domain1`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.packet_length`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_orig`*:: -+ --- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - -type: keyword - --- - -*`rsa.network.rpayload`*:: -+ --- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. - -type: keyword - --- - -*`rsa.network.vlan_name`*:: -+ --- -This key should only be used to capture the name of the Virtual LAN - -type: keyword - --- - - -*`rsa.investigations.ec_activity`*:: -+ --- -This key captures the particular event activity(Ex:Logoff) - -type: keyword - --- - -*`rsa.investigations.ec_theme`*:: -+ --- -This key captures the Theme of a particular Event(Ex:Authentication) - -type: keyword - --- - -*`rsa.investigations.ec_subject`*:: -+ --- -This key captures the Subject of a particular Event(Ex:User) - -type: keyword - --- - -*`rsa.investigations.ec_outcome`*:: -+ --- -This key captures the outcome of a particular Event(Ex:Success) - -type: keyword - --- - -*`rsa.investigations.event_cat`*:: -+ --- -This key captures the Event category number - -type: long - --- - -*`rsa.investigations.event_cat_name`*:: -+ --- -This key captures the event category name corresponding to the event cat code - -type: keyword - --- - -*`rsa.investigations.event_vcat`*:: -+ --- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - -type: keyword - --- - -*`rsa.investigations.analysis_file`*:: -+ --- -This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - -type: keyword - --- - -*`rsa.investigations.analysis_service`*:: -+ --- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - -type: keyword - --- - -*`rsa.investigations.analysis_session`*:: -+ --- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - -type: keyword - --- - -*`rsa.investigations.boc`*:: -+ --- -This is used to capture behaviour of compromise - -type: keyword - --- - -*`rsa.investigations.eoc`*:: -+ --- -This is used to capture Enablers of Compromise - -type: keyword - --- - -*`rsa.investigations.inv_category`*:: -+ --- -This used to capture investigation category - -type: keyword - --- - -*`rsa.investigations.inv_context`*:: -+ --- -This used to capture investigation context - -type: keyword - --- - -*`rsa.investigations.ioc`*:: -+ --- -This is key capture indicator of compromise - -type: keyword - --- - - -*`rsa.counters.dclass_c1`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c1.str only - -type: long - --- - -*`rsa.counters.dclass_c2`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c2.str only - -type: long - --- - -*`rsa.counters.event_counter`*:: -+ --- -This is used to capture the number of times an event repeated - -type: long - --- - -*`rsa.counters.dclass_r1`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r1.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c3.str only - -type: long - --- - -*`rsa.counters.dclass_c1_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c1 only - -type: keyword - --- - -*`rsa.counters.dclass_c2_str`*:: -+ --- -This is a generic counter string key that should be 
used with the label dclass.c2 only - -type: keyword - --- - -*`rsa.counters.dclass_r1_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r1 only - -type: keyword - --- - -*`rsa.counters.dclass_r2`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r2.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c3 only - -type: keyword - --- - -*`rsa.counters.dclass_r3`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r3.str only - -type: keyword - --- - -*`rsa.counters.dclass_r2_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r2 only - -type: keyword - --- - -*`rsa.counters.dclass_r3_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r3 only - -type: keyword - --- - - -*`rsa.identity.auth_method`*:: -+ --- -This key is used to capture authentication methods used only - -type: keyword - --- - -*`rsa.identity.user_role`*:: -+ --- -This key is used to capture the Role of a user only - -type: keyword - --- - -*`rsa.identity.dn`*:: -+ --- -X.500 (LDAP) Distinguished Name - -type: keyword - --- - -*`rsa.identity.logon_type`*:: -+ --- -This key is used to capture the type of logon method used. 
- -type: keyword - --- - -*`rsa.identity.profile`*:: -+ --- -This key is used to capture the user profile - -type: keyword - --- - -*`rsa.identity.accesses`*:: -+ --- -This key is used to capture actual privileges used in accessing an object - -type: keyword - --- - -*`rsa.identity.realm`*:: -+ --- -Radius realm or similar grouping of accounts - -type: keyword - --- - -*`rsa.identity.user_sid_dst`*:: -+ --- -This key captures Destination User Session ID - -type: keyword - --- - -*`rsa.identity.dn_src`*:: -+ --- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - -type: keyword - --- - -*`rsa.identity.org`*:: -+ --- -This key captures the User organization - -type: keyword - --- - -*`rsa.identity.dn_dst`*:: -+ --- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - -type: keyword - --- - -*`rsa.identity.firstname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.lastname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.user_dept`*:: -+ --- -User's Department Names only - -type: keyword - --- - -*`rsa.identity.user_sid_src`*:: -+ --- -This key captures Source User Session ID - -type: keyword - --- - -*`rsa.identity.federated_sp`*:: -+ --- -This key is the Federated Service Provider. This is the application requesting authentication. - -type: keyword - --- - -*`rsa.identity.federated_idp`*:: -+ --- -This key is the federated Identity Provider. This is the server providing the authentication. - -type: keyword - --- - -*`rsa.identity.logon_type_desc`*:: -+ --- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- -type: keyword - --- - -*`rsa.identity.middlename`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.password`*:: -+ --- -This key is for Passwords seen in any session, plain text or encrypted - -type: keyword - --- - -*`rsa.identity.host_role`*:: -+ --- -This key should only be used to capture the role of a Host Machine - -type: keyword - --- - -*`rsa.identity.ldap`*:: -+ --- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - -type: keyword - --- - -*`rsa.identity.ldap_query`*:: -+ --- -This key is the Search criteria from an LDAP search - -type: keyword - --- - -*`rsa.identity.ldap_response`*:: -+ --- -This key is to capture Results from an LDAP search - -type: keyword - --- - -*`rsa.identity.owner`*:: -+ --- -This is used to capture username the process or service is running as, the author of the task - -type: keyword - --- - -*`rsa.identity.service_account`*:: -+ --- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - -type: keyword - --- - - -*`rsa.email.email_dst`*:: -+ --- -This key is used to capture the Destination email address only, when the destination context is not clear use email - -type: keyword - --- - -*`rsa.email.email_src`*:: -+ --- -This key is used to capture the source email address only, when the source context is not clear use email - -type: keyword - --- - -*`rsa.email.subject`*:: -+ --- -This key is used to capture the subject string from an Email only. - -type: keyword - --- - -*`rsa.email.email`*:: -+ --- -This key is used to capture a generic email address where the source or destination context is not clear - -type: keyword - --- - -*`rsa.email.trans_from`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.email.trans_to`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - - -*`rsa.file.privilege`*:: -+ --- -Deprecated, use permissions - -type: keyword - --- - -*`rsa.file.attachment`*:: -+ --- -This key captures the attachment file name - -type: keyword - --- - -*`rsa.file.filesystem`*:: -+ --- -type: keyword - --- - -*`rsa.file.binary`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.file.filename_dst`*:: -+ --- -This is used to capture name of the file targeted by the action - -type: keyword - --- - -*`rsa.file.filename_src`*:: -+ --- -This is used to capture name of the parent filename, the file which performed the action - -type: keyword - --- - -*`rsa.file.filename_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.file.directory_dst`*:: -+ --- -This key is used to capture the directory of the target process or file - -type: keyword - --- - -*`rsa.file.directory_src`*:: -+ --- -This key is used to capture the directory of the source process or file - -type: keyword - --- - -*`rsa.file.file_entropy`*:: -+ --- -This is used to capture entropy vale of a file - -type: double - --- - -*`rsa.file.file_vendor`*:: -+ --- -This is used to capture Company name of file located in version_info - -type: keyword - --- - -*`rsa.file.task_name`*:: -+ --- -This is used to capture name of the task - -type: keyword - --- - - -*`rsa.web.fqdn`*:: -+ --- -Fully Qualified Domain Names - -type: keyword - --- - -*`rsa.web.web_cookie`*:: -+ --- -This key is used to capture the Web cookies specifically. - -type: keyword - --- - -*`rsa.web.alias_host`*:: -+ --- -type: keyword - --- - -*`rsa.web.reputation_num`*:: -+ --- -Reputation Number of an entity. 
Typically used for Web Domains - -type: double - --- - -*`rsa.web.web_ref_domain`*:: -+ --- -Web referer's domain - -type: keyword - --- - -*`rsa.web.web_ref_query`*:: -+ --- -This key captures Web referer's query portion of the URL - -type: keyword - --- - -*`rsa.web.remote_domain`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_ref_page`*:: -+ --- -This key captures Web referer's page information - -type: keyword - --- - -*`rsa.web.web_ref_root`*:: -+ --- -Web referer's root URL path - -type: keyword - --- - -*`rsa.web.cn_asn_dst`*:: -+ --- -type: keyword - --- - -*`rsa.web.cn_rpackets`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlpage`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlroot`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_url`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_user_agent`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_cookie`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_method`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_referer`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_extension_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_page`*:: -+ --- -type: keyword - --- - - -*`rsa.threat.threat_category`*:: -+ --- -This key captures Threat Name/Threat Category/Categorization of alert - -type: keyword - --- - -*`rsa.threat.threat_desc`*:: -+ --- -This key is used to capture the threat description from the session directly or inferred - -type: keyword - --- - -*`rsa.threat.alert`*:: -+ --- -This key is used to capture name of the alert - -type: keyword - --- - -*`rsa.threat.threat_source`*:: -+ --- -This key is used to capture source of the threat - -type: keyword - --- - - -*`rsa.crypto.crypto`*:: -+ --- -This key is used to capture the Encryption Type or Encryption Key only - -type: keyword - --- - -*`rsa.crypto.cipher_src`*:: -+ --- -This key is for Source (Client) Cipher - -type: keyword - --- - -*`rsa.crypto.cert_subject`*:: -+ --- -This key is used to capture the Certificate organization only - -type: keyword - --- 
- -*`rsa.crypto.peer`*:: -+ --- -This key is for Encryption peer's IP Address - -type: keyword - --- - -*`rsa.crypto.cipher_size_src`*:: -+ --- -This key captures Source (Client) Cipher Size - -type: long - --- - -*`rsa.crypto.ike`*:: -+ --- -IKE negotiation phase. - -type: keyword - --- - -*`rsa.crypto.scheme`*:: -+ --- -This key captures the Encryption scheme used - -type: keyword - --- - -*`rsa.crypto.peer_id`*:: -+ --- -This key is for Encryption peer’s identity - -type: keyword - --- - -*`rsa.crypto.sig_type`*:: -+ --- -This key captures the Signature Type - -type: keyword - --- - -*`rsa.crypto.cert_issuer`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.crypto.cert_error`*:: -+ --- -This key captures the Certificate Error String - -type: keyword - --- - -*`rsa.crypto.cipher_dst`*:: -+ --- -This key is for Destination (Server) Cipher - -type: keyword - --- - -*`rsa.crypto.cipher_size_dst`*:: -+ --- -This key captures Destination (Server) Cipher Size - -type: long - --- - -*`rsa.crypto.ssl_ver_src`*:: -+ --- -Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.d_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.s_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.ike_cookie1`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase One - -type: keyword - --- - -*`rsa.crypto.ike_cookie2`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase Two - -type: keyword - --- - -*`rsa.crypto.cert_checksum`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_cat`*:: -+ --- -This key is used for the hostname category value of a certificate - -type: keyword - --- - -*`rsa.crypto.cert_serial`*:: -+ --- -This key is used to capture the Certificate serial number only - -type: keyword - --- - -*`rsa.crypto.cert_status`*:: -+ --- -This key captures Certificate validation status - -type: keyword - --- - -*`rsa.crypto.ssl_ver_dst`*:: -+ --- 
-Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.cert_keysize`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_username`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_insact`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_valid`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_ca`*:: -+ --- -This key is used to capture the Certificate signing authority only - -type: keyword - --- - -*`rsa.crypto.cert_common`*:: -+ --- -This key is used to capture the Certificate common name only - -type: keyword - --- - - -*`rsa.wireless.wlan_ssid`*:: -+ --- -This key is used to capture the ssid of a Wireless Session - -type: keyword - --- - -*`rsa.wireless.access_point`*:: -+ --- -This key is used to capture the access point name. - -type: keyword - --- - -*`rsa.wireless.wlan_channel`*:: -+ --- -This is used to capture the channel names - -type: long - --- - -*`rsa.wireless.wlan_name`*:: -+ --- -This key captures either WLAN number/name - -type: keyword - --- - - -*`rsa.storage.disk_volume`*:: -+ --- -A unique name assigned to logical units (volumes) within a physical disk - -type: keyword - --- - -*`rsa.storage.lun`*:: -+ --- -Logical Unit Number.This key is a very useful concept in Storage. - -type: keyword - --- - -*`rsa.storage.pwwn`*:: -+ --- -This uniquely identifies a port on a HBA. - -type: keyword - --- - - -*`rsa.physical.org_dst`*:: -+ --- -This is used to capture the destination organization based on the GEOPIP Maxmind database. - -type: keyword - --- - -*`rsa.physical.org_src`*:: -+ --- -This is used to capture the source organization based on the GEOPIP Maxmind database. 
- -type: keyword - --- - - -*`rsa.healthcare.patient_fname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_id`*:: -+ --- -This key captures the unique ID for a patient - -type: keyword - --- - -*`rsa.healthcare.patient_lname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_mname`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - - -*`rsa.endpoint.host_state`*:: -+ --- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - -type: keyword - --- - -*`rsa.endpoint.registry_key`*:: -+ --- -This key captures the path to the registry key - -type: keyword - --- - -*`rsa.endpoint.registry_value`*:: -+ --- -This key captures values or decorators used within a registry entry - -type: keyword - --- - [float] === juniper.srx diff --git a/filebeat/docs/modules/juniper.asciidoc b/filebeat/docs/modules/juniper.asciidoc index dd445e809a7..6b611b53333 100644 --- a/filebeat/docs/modules/juniper.asciidoc +++ b/filebeat/docs/modules/juniper.asciidoc @@ -17,8 +17,6 @@ include::{libbeat-dir}/shared/integration-link.asciidoc[] This is a module for ingesting data from the different Juniper Products. Currently supports these filesets: - `srx` fileset: Supports Juniper SRX logs -- `junos` fileset: Supports Juniper JUNOS logs -- `netscreen` fileset: Supports Juniper Netscreen logs include::../include/gs-link.asciidoc[] 
@@ -136,99 +134,6 @@ This is a list of JunOS fields that are mapped to ECS. | url | url.domain | |============================================================== - -:fileset_ex: junos - -[float] -==== `junos` fileset settings - -deprecated::[8.12.0,"This fileset is deprecated. Use the https://docs.elastic.co/integrations/juniper_srx[Juniper SRX] Elastic integration instead."] - -experimental[] - -NOTE: This was converted from RSA NetWitness log parser XML "junosrouter" device revision 134. - -*`var.input`*:: - -The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. - -*`var.syslog_host`*:: - -The address to listen to UDP or TCP based syslog traffic. -Defaults to `localhost`. -Set to `0.0.0.0` to bind to all available interfaces. - -*`var.syslog_port`*:: - -The port to listen for syslog traffic. Defaults to `9513` - -NOTE: Ports below 1024 require Filebeat to run as root. - -*`var.tz_offset`*:: - -By default, datetimes in the logs will be interpreted as relative to -the timezone configured in the host where {beatname_uc} is running. If ingesting -logs from a host on a different timezone, use this field to set the timezone -offset so that datetimes are correctly parsed. Valid values are in the form -±HH:mm, for example, `-07:00` for `UTC-7`. - -*`var.rsa_fields`*:: - -Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be added. - -*`var.keep_raw_fields`*:: - -Flag to control the addition of the raw parser fields to the event. This fields -will be found under `rsa.raw`. The default is false. - -:has-dashboards!: - -:fileset_ex!: - -[float] -==== `netscreen` fileset settings - -deprecated::[8.12.0,"This fileset is deprecated. See <> for migration options."] - -experimental[] - -NOTE: This was converted from RSA NetWitness log parser XML "netscreen" device revision 134. - -*`var.input`*:: - -The input from which messages are read. 
One of `file`, `tcp` or `udp`. Defaults to `udp`. - -*`var.syslog_host`*:: - -The address to listen to UDP or TCP based syslog traffic. -Defaults to `localhost`. -Set to `0.0.0.0` to bind to all available interfaces. - -*`var.syslog_port`*:: - -The port to listen for syslog traffic. Defaults to `9523` - -NOTE: Ports below 1024 require Filebeat to run as root. - -*`var.tz_offset`*:: - -By default, datetimes in the logs will be interpreted as relative to -the timezone configured in the host where {beatname_uc} is running. If ingesting -logs from a host on a different timezone, use this field to set the timezone -offset so that datetimes are correctly parsed. Valid values are in the form -±HH:mm, for example, `-07:00` for `UTC-7`. - -*`var.rsa_fields`*:: - -Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be added. - -*`var.keep_raw_fields`*:: - -Flag to control the addition of the raw parser fields to the event. This fields -will be found under `rsa.raw`. The default is false. - :has-dashboards!: :fileset_ex!: diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 36113570a9e..d787eb17616 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -1105,44 +1105,6 @@ filebeat.modules: #---------------------------- Juniper JUNOS Module ---------------------------- - module: juniper - junos: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9513 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - - netscreen: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9523 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - srx: enabled: false diff --git a/x-pack/filebeat/module/juniper/_meta/config.yml b/x-pack/filebeat/module/juniper/_meta/config.yml index 2ad874d9c4f..91fc5306a03 100644 --- a/x-pack/filebeat/module/juniper/_meta/config.yml +++ b/x-pack/filebeat/module/juniper/_meta/config.yml 
@@ -1,42 +1,4 @@ - module: juniper - junos: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9513 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - - netscreen: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9523 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - srx: enabled: false diff --git a/x-pack/filebeat/module/juniper/_meta/docs.asciidoc b/x-pack/filebeat/module/juniper/_meta/docs.asciidoc index a33b9c03a83..60bca9330e1 100644 --- a/x-pack/filebeat/module/juniper/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/juniper/_meta/docs.asciidoc @@ -10,8 +10,6 @@ include::{libbeat-dir}/shared/integration-link.asciidoc[] This is a module for ingesting data from the different Juniper Products. Currently supports these filesets: - `srx` fileset: Supports Juniper SRX logs -- `junos` fileset: Supports Juniper JUNOS logs -- `netscreen` fileset: Supports Juniper Netscreen logs include::../include/gs-link.asciidoc[] 
@@ -129,99 +127,6 @@ This is a list of JunOS fields that are mapped to ECS. | url | url.domain | |============================================================== - -:fileset_ex: junos - -[float] -==== `junos` fileset settings - -deprecated::[8.12.0,"This fileset is deprecated. Use the https://docs.elastic.co/integrations/juniper_srx[Juniper SRX] Elastic integration instead."] - -experimental[] - -NOTE: This was converted from RSA NetWitness log parser XML "junosrouter" device revision 134. - -*`var.input`*:: - -The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. - -*`var.syslog_host`*:: - -The address to listen to UDP or TCP based syslog traffic. -Defaults to `localhost`. -Set to `0.0.0.0` to bind to all available interfaces. - -*`var.syslog_port`*:: - -The port to listen for syslog traffic. Defaults to `9513` - -NOTE: Ports below 1024 require Filebeat to run as root. - -*`var.tz_offset`*:: - -By default, datetimes in the logs will be interpreted as relative to -the timezone configured in the host where {beatname_uc} is running. If ingesting -logs from a host on a different timezone, use this field to set the timezone -offset so that datetimes are correctly parsed. Valid values are in the form -±HH:mm, for example, `-07:00` for `UTC-7`. - -*`var.rsa_fields`*:: - -Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be added. - -*`var.keep_raw_fields`*:: - -Flag to control the addition of the raw parser fields to the event. This fields -will be found under `rsa.raw`. The default is false. - -:has-dashboards!: - -:fileset_ex!: - -[float] -==== `netscreen` fileset settings - -deprecated::[8.12.0,"This fileset is deprecated. See <> for migration options."] - -experimental[] - -NOTE: This was converted from RSA NetWitness log parser XML "netscreen" device revision 134. - -*`var.input`*:: - -The input from which messages are read. 
One of `file`, `tcp` or `udp`. Defaults to `udp`. - -*`var.syslog_host`*:: - -The address to listen to UDP or TCP based syslog traffic. -Defaults to `localhost`. -Set to `0.0.0.0` to bind to all available interfaces. - -*`var.syslog_port`*:: - -The port to listen for syslog traffic. Defaults to `9523` - -NOTE: Ports below 1024 require Filebeat to run as root. - -*`var.tz_offset`*:: - -By default, datetimes in the logs will be interpreted as relative to -the timezone configured in the host where {beatname_uc} is running. If ingesting -logs from a host on a different timezone, use this field to set the timezone -offset so that datetimes are correctly parsed. Valid values are in the form -±HH:mm, for example, `-07:00` for `UTC-7`. - -*`var.rsa_fields`*:: - -Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be added. - -*`var.keep_raw_fields`*:: - -Flag to control the addition of the raw parser fields to the event. This fields -will be found under `rsa.raw`. The default is false. - :has-dashboards!: :fileset_ex!: diff --git a/x-pack/filebeat/module/juniper/fields.go b/x-pack/filebeat/module/juniper/fields.go index 72da8d51362..26b3cfcef30 100644 --- a/x-pack/filebeat/module/juniper/fields.go +++ b/x-pack/filebeat/module/juniper/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetJuniper returns asset data. // This is the base64 encoded zlib format compressed contents of module/juniper. func AssetJuniper() string { - return "eJzsvW2TGzeSIPx9fwUefzhLDrlly7b2xjc7F9puedw7ktyrluSNi4moAFEgCTcKKAEosulf/wQSqHcUyWYD1a29mw8TVpNMJBKJRL7nt+iG7n5Gf1SClVT9C0KGGU5/Rv/h/oD+4+O7367/BaGcaqJYaZgUP6O//QtCqP4NWjLKc332L8j/18/wqf3ft0jggv6MBDVbqW7OmDBULTGhZ/bvzdcQkhuqtooZ+jMyqup+YnYl/dniuJUq7/w9gE/9v3e4oEgukVnTemXUrIy2a6oofGYUXi4ZQWus0YJSgeRCU7Wh+dloA0rjO2C7UrIqO38dkqWFC2gJzHv4T4OfWiC0RLtIoVe9v+9fYZrkI7J/WDNtv4eYRpWmOTISEVyayhNY4S0qqNZ4Zf+NDSKyoNpuWtrPB6AReiNX6IISmQMjBjbiYLEhUqdup4ZLN1SYzG4tMmCPcGLqe5JroDmRwlBhtL0ATGiDhanR0EEcDStOQTDHZvjBGDvmcLJLIGzQds3IGmGkqdZMCrRmRiOM3lHzOzOCal2f/tmINZrN6rWseI4E3VCFFrThuxIrTdFbarBFDaOlkkVnqSdv5Eo/v8Lkhhr9dAT+gilKDN89Q8bjjdF76qSB43DRQfMsSEhON5SfQEkuxfB+9ih5QUtFCTYek5wumaA5koIDWgYvOEUFLsNYFXqVRbswe874rb/nlxffow3mlb/xLKfCsCXz3ElvMTGIy5U7LzU6CNgds+A9t8D37HGUWBlGKo4V/N4f7NkkZ4xAn8QpIc4YQZ7mlMkj2cx7Ji/+35nsPxO7apoDud/1lYs/MtjI8FgeDXYbfIrQS46aolpWiiR6e+9PtlT3/36YaYMNLagwjxE5XOXMZITjwR1+JOhRYdTuMSK2tjrVY0SMidMQS6sx1ZLj8XJaTvEp0iMt2ZaU5jFtqAm9JmRndr5Y2/0Wm5EeMlIS7mdFDPSQEfQDVsQ0FQfOkZmoKDpukyD5HLlG24xEPhSg4J3JR+ZQqyvBPle0VaNVs3//p13fqD2XgtjHARv52C3bCXGzYWnFYZe653YZtmQEd+/zG7lCrzdUGHQNwhlVIqfKmiCKekE12vqS3dIcaWoskN6P+2voaYOlPoQR7HsbLM0hjEDf6VDGnsD4/qXTGHO0rzvQ5G40WEudSF/t8uWvUpuuiORDjtRU5Eys6g91iG06PqQvh77sFAYb/WiSsJdXmx8RznNlZeXUdR8Sd7R7I79U4m5epibvy/97yWuplV42DOWCc6R1vWU5wmjFNlQ0TrIvVxGwJDrNf5HWAskfo/L3ZUQ0Jh0astxlin5OcNbd4CEcMOx7sQMqv3ZLoyu4SM+8N9tg9GFXUkTwWIIsKKLMrKlCHy+F+f4lkgr9wiU2P7xAC6yBi+oA2ZKtKgWq34F9n6LufsH7hjBoOuMzgn/B/nolU7nZ9lnH9cpfvINBqi1WeTKlriPROtvuUvLy6lNP38NIUY6HR4qQ3mlDC/+IerQttDV1nKod8ey/pWIrJjCvf9PXVg7QIZX+tScx4vLq08sACTz6I0rcnwQNRmMqx3h9WkYdK46nvj5rinOqZold/wpLocuL+0RJHb7dYCmAOS1W+qidbJxkyf1suFa0LltFCy6KNV3OJeeUGKm+RAFsqfcAOTeW55hGxJGO5hbTnqL6Rg7VFrSH0I/Q4ivI4rGoqoXUkOxWSIEWu9GhIaTo54pqYwFqVpR858/JftkKekQxWSPNcoqefIfMWlXoxU8/PUVbrJGmVDSr7KHEo1Bej6CELqXQNB0pyBfDFURWwjQ+hapYOKFn
r7IOQkBP8EJuaIcYTAQzK2vxpo2iuJi8P+SLYZsHJhXNWTXU02IQ6quQ5tg4FtgSMfPP6sV33/9FO5H+vAQBWiP9z9Fu/mntwTd4RxV6gV4LgktdcRdZsSblneR6CPo9gx+B3MrQKj+8QP9mt/sM/fAD+jdEpLL6MuzCL/oM/Q9u/pf9ItOoT5SvgkcoZE4fra0rtjQjmPMFJjdpNWCHnJAGrg02zq6wRKQiLyUTBkwTQ8MJzsAcGVVKJspPa/VBXVLCMAeMAVNtpLKatdg5rcN+sMGc5Y4xQkghtJSVyO0Lwykgz8TKK0cHkxf7N2IEOUYs0F+HPWGjiVPYcYnzx/LOeXSQZn9SVFCjGAlYHd4U7n4ZbGH33NdC2D772LQarVzWx3aGfpVbezRjm5MJJJU1xoxEN5SWB4j2KF68L4RoShKqdbZheZanirq+riXPigqqsIFLnlsKduzCDVOmwtwa7T3fuwi4OFjBrNkNsXIghtuFv+qXF0hZaa3BoQJEw2pFTfO1g5TQKlHS04NTwmXC7aeEShIKGgv+y4va9/qeFtJQdO35nSgKD+1iNyUo7f/qQMwXEHjxK2W65CxlZsOjNuc1G6n9j0I3szI3Ib/DrbNvgOf1mutqq8U/If89IoxOvCwZf4AYvV3VGkdX56+uvO5LsLDkYUUp1VDjRfBEfnFpENXjcH98dE8VGOJguodcqX1Tvmp/0hrsTs8By/wMvfjpJdoC3QuKBcKch30F4NQHNan1H6EtVdSBxQZxirVBUgzKRfpEfHA18csmYuCupgjbetr9LlUOhIOsJkrWQnK52g0DcUumRlosQj8hssYKE+OIaC/1DvAHp7lAlfA5PbznM5+sqI1d0O0C9SmDCHtil2BRFFbJlKIOIyi8nZRpIFkHaiUmoLG6GIXwPgdJSKVqiNpgkWOVIyFVgTn7M5TfK1URpE/usxxOJpGsFqMn6U5EarFukHnO2ZLCjgMGvqZEinxCwW6PO9MmpZ9lz4aYILIoOTVBBph0omJQ4I1iAzHYqTdT5oEY+dquHWTnKVbuc+Yk+xVSmHWkY2rrU2PlvLRZTvkDEf61yFOQ3YL8U4rU3Rb2iEW7eq1iuvTaD0MKj0RUshv9Chl6a/zlQxuqdKecIt+XBxY43/sy247iWNtsy/SIVDnN072DPsnGP1O6WbHWMepMm+aL3fj6+LVSsjgDqBUU5WtCBVZMOrW+qLhh3xpGFcJlyevql7ZZTYEFXoVKcxHiEN6p7UWHlMNVI2a+1khuhYuMGVyUQ8+gx9iuZlEc3z6jEVkza93InOoz9LbSBsykLlB7K7GZyMvFhp54SHsF2HJp8d7QOTQhOOR6QUc7RZdUUUEcQ2CrWudsw3Kr2QA/hAXZdS3IPgyIF97kbcnUbDtsz9PFgm4tJzLDd26z2go9q69ZpIBB9/tGIx76pAvnmZXGjTw7Gy3ZpJPJKrYEKkaK3H0hNvSPfVVAg/xc0Wo2VrLc7biolY9brBEgkU/wDSD3fWyiRlQKegRNINNWhUnw+q6KFLiWWQJUyyyF9lzGFEV9oC+iQ02gK3VekYcxIQfmY/CNGT2Xd3pzThWbh+TaKcGC9oEYdEOI7QjCZKTEx1CsdcVTh50mrChZGSIL+tzh0BgvkJUtlyMOwcKToGdATjAI3VDFTMrSkT0bq1f3RYCdyM4+l0/a4sVR70D3SjeVLhYaxJ1KStiStYZPWLt1wZypnipeV06fzRQ4gMbFyPK2YKJ2UeU+yBLE25vNcx3Cp76V3rUEpUK/XfvUWKbrhIChXw3Wr09oqkpSl1KziILjKN4Cc1rkrsMUpPLXd3eyC0/FTZauddEdRZGoCqoYuassCu5thiq2PRvrVrI1N8OJJXe/R1vbUJFL5RNm9+5MLv54gO41dWhXLv6gJGxHW8TS14KPyG0l6H7EnKRP2avuq/GF9FX/Xsx4L9caN7nFQhqE0dp3vAgn0HK5yupElQcR6jUj3lmoz9EzpSf7
/g7pVtCWGsRHWPGXnJFd6tuzRy5cAQK+e7bguwm5XPGUedNhAr6vOAXEwuJUCkNvU2usDUKXwvnr2n6oOM+1/T94VDGvEQo1gDnwOJM1FiuaCbpNLQumApd02wn1gxJijGKLytCOhBjn6GuHutXWu89fWHToEkcTdg3lOEvWtnIf0cAQHOYXOWS6+lvAuIUKMEuwuuGgbnO+1IaqM3RN3aFUmqozvKLQyttnui+lqnEYwa7BOL2dwO+R+32nb4VUaKHk1n5W/9Xrms7smuwnfZlfYWViu+kawLE9Kv5OyVF16Fx3SvK8URtTXSlZUh9QTPUWvxIIc6pMk12k2kX931x4y4uPThMASEIKKMw5ElJ8q2hJwZLZl/0AZsOcTw6plLIXprFX4CRBj3vOXIStDv+MdrZlZu2VZSfr0QUsuIBqE4Gk+HYl7X/veQlASckCimPCfeNOMPA5IGCRlEtkpYNhVJ+h61amDAcbdCur0mB87sr5Km2NGFcy6pJtci9+PeExIrzSpmZI/4/RMcFPmLYn6WuivX/DKr7w6bQKNLv2425Y2KJ3bZnSKWVfHzK8LJYXgAXCWkvCwF9qTyNoT8KBvWE39GeEUbneaUYwRznTN89QqWAmyjNEDfk6rChjhU+pvbzjQ+/qbBQuqKFKoxJr6OKloZGD60VAZFFYKSZ7QftxaQ01ZK+6596Dh9L4OmeY4GFy4pvIoqzGdzDBsWG0ZSKXW59PS6QgtDTPmkyKSWKMtrmsON+hzxXmzvmZywIz4aWG6CzE5cTT1fV6xlKX9mzdqoRvmLihua8FqhPRsQbvlDdQ7CdfNaidsXzfwfFRV4ikoq47usm5JYYI1OjBUKoHweu30nte0fW4XU8TdKaqYMPBTqldrH5NwNbx/35N+4fImvaS8fR3vNnyL7Bac40VzStCUR05omF3m6aKYZ4FXtNkj8g1LFmrzcP3sfMA2hdm0i9AyY0+qeVADI+xX90+dGus180NtWphoMqwImuX+VvX2DRlhuc1pEGLMLuRZpkzrYj9VfPvcaUpsvJcIAY5d5UgnGJl/wSN8FrUfAGh93aqurDzcPTBCb9q3OfpUb9YRBYLJpq+2d0Hy5eNqju8XhumKj23p6+rjQAC0x6/eQKkgStx7lZ3PRmnPaXOgkvuGm/I57zMlxfonZM0T3zjBuSm7fmiX4vb07Be7RzQD+HL77ifLy+ApL7krRETY+9BPyLn0gDdFs4cE1lZsGU6bKRu9C5lL/t+VNcXaDt1Ya8fWzjje0ausaQ/bxZGlxcHNdlY/rkDmqxF7IXIW432DJ27+kzf75S7D/Zrs4Cg6n/j+6+8O25RmaZyU5rmMaoEp9pRRroHZSvRBiuGF3xUBeiaMjCBSo4nBIGmQiftj9I70K6q6lY+s5LKahh1fSGz53z9/PJqqEMj3zLWeRSm6rJPHCh4dC1kG2lxSKJLYdA1WwkMwmKCRUupUjav/XokvyyTXtW6m4SujvCfFpHOXQYuy2WAcd799gExQXiVUyvO/KRa+/Mz9OT1LS5KTn9GV84h4sCC9D4L+0UgMjd7bBOcU+3TEsaM6Rurcp+A1x1K8TpuzHf+aXjP9M2ekKtRbLWiKt0IuzDJPnVjAR4H0E7Xiuq15LnlHmerT0wa7YXeZ/AsjGPvXio/ee90jKdNM47Li3AZydHReSKLMps57wpOxedewRhX59/T1eJbi44UUJ+6hHEzMq/IlJXm1dIHyhrrYt5IS6mg84CV6zV+E1PisMq3WD1Mht64q76Vrtg/RHYTE62Rn1ghitFbTOp+ymHl1oqgWe0YKb6tFVS1Xwo5WzP6UGtFsY6eG6wNNlUsxbnxR2HGH8zssIsv5C1i+fPp98u+rNUcGFqMPo4aH7u7YLEIX936HUs8fW/E5BfjuXunPGdMyCpWjLNTR6JX0e+UlaQxnQ4jj+yPkQGn7szYY4lXnFu5h3RFCNV6WXH02q6PiMyptixRN/sNWxZM5PQ2MgE4
0+Y0zfOesgUWBlNM1UgsqIL4ZoEV45DBE/Dgufi7WCEMRPzW/ja4M5GAD+XCNRd6II3Yr46eNPmcJVW69EW3TsKMSOZVhDYhvu7w9HSiyNC5ucbvceqEEqd8NUle3lflvm0/xExolFODGQ84GRayMp3fTWxN8tlzM2uPLW7y2ACP6YfU0KLkybJ5XqGcLrEPAfnOl3UM32drWq14QxXHOyjkMtI/ruhJ4EbaD8Dq9r+my7oK3PnqtWGmgsaMKLix1jYYN2y673WNGsXq+HcIjo1pAllFZFHY+5SGjc4ddMQ6yb6lkhuWO/9Z3UWuoHoyESqX5PRA4929Zb8w3mqNpJuXF1YNbktIenoYWV+vnlbW/yEXJ/qdTt7ef8iFD8CEb1fJ0jXOvYCEYnfy11eX6HKkUHXRSNa11leX7McgYmFXUw27impI38Uf5nOrw8q9ExHZQuapK75GFXdDpcPjgiwuE+rROn63BBcymKHyvOMC9qXDLoG2iYewFcubUM6EE6+IbTWOysAjvPzxlLxm32WV8pmqp3tffXTdc+pAFCRr3FJSdb0ILvVrQUPlrXUXpn2JGzM4QoJe8bzvEGmqK/EGM47HgQzUuMIR1FcuqVITkxbcHTrF1x8v7uaNlcI3gHIB2NGWfLqBZquzCYnIimxR5fkuun+GFVnUOqAO3ErT0xqd7/VSxYeomIzY5WBQYpfpao6CBKa72auu5yqucmaayrq2L5rHKDTYrq3YcKKkDS/s36TLEotNwc1sVvn5p9foia+V+FRxqysvGIcCDsgDe31bSm2/+RR9O3Y0iGEU5kbIregZQpqSCppZbPrQJyZtEjyDC26YFnpeV7m/86VJb+gKkx36OGmucbZQ+CGK8v3CPRIzgQrMxFLhgu5Nxyixgqm96fsk9JTLK1gWvZO5S45u2wJ2ss4CSKED2hekClhCpLKQ+n3j3tEt+rUSYEq+lTnl6AkTm7NvniEmyTO0sP9H7f9hgflOM332TTi+aEiZLTkeTc6PrUP1NfzzKwSLgq8L5OSuHn4ll3sbNRiZFFP314XHs26DoKmyjBxEaFPElbsDzD69/R0rij64BOBvvvn09vdX719/843Lud1ghdkkT26luolZsnzwgv1eL9iNsE06wbCIrUT4mp24XUqa5wAT+1zsEpgwS6mo0IzEFCAdV1ICjIv4XpBAfCAW0GyL2Xg48b29A9D7PDZQe31il6jrapHoUphFro2KXfkO9drJHGLdtzTaO1rXfKRzkp5a7NIOBhupNL7YpK178fUuFsSSTTqa6q0mc8SeutVgN6LANoflPWGhfHI/wbs7LizyXv9/P161VZnd5L8HYbG846P3iOxF8kGYo47j7sNPyhmStnon27FLn5gmo73OsoM+mU/B7Tbi3MOR6bplNZsjHgZFX0vMuKV13czlysuMy4tubRt04rLmoKGrQAuD6azCOuc6syriCfs5JfEa0q199dG5LIpKDD1RI+zEaY2b7ovdO3pr/k7DOnWDmz5Ns74vbtdY5P8uw1GzFjeDDTtFMtwbu/HCPeR0pUtGmIyWJTqXBQ/Yb7ES46DDY0ddi6LMZCphfP3u7RX6zflR26TUMCKfZ00luP7PN+hzRdVE79aKi0zRYafOtMkNHYfoDr2vi86CaV2Nlk4iPqRdoDL2GAELtDzJcXQIqgkEx+4NN48/oAFzrIoEp2XBJnAv4DJiAXIDtMqjTaXtwYzb7aoHOsdmqBXeF+6CCrIusIpVVtLA3ZV4NL743tEnTEbpVFFgZuvovEDoMm4BVQN4uYJWSwnAysUfCaCWOPokDNdxKjp7QdA9Y7EfHN+5raBW9YyOtMgwgcEo8ctPLGwtIhrvHcCLVbn5UdyadfT3nYiMGJXlOmrf9Q50C/m0yNMRgDccR5cYIqNixUTEosgx6BS50SJbZnrLDIkuP0S25HKrcRE/d6ULW5hNOugJoi5EZEykFCdMlFQVi120hPcR7JLcpAG+wTwFr7Ay
K5U0MosfkgLomx8z8DjGh82T3U0uV1megtgWcPz8NyKyAt9mxsRyG/QBW47mNMGjUDCRCGkm0iFdcp3xBc9ih0V7sL9LCDx6Z/AO7Ni9ELuwY1f1dmH/lBD2y4Sw/zUh7P+ZEPZf0sA2suR4QVOIlAZ6fPNMZEXFQfle7BK8kzXw8iaBXlJUnK2KMo32bbVMzFexk5A8ZJZCKdH0M4nvGxGZdgmJCU5QK5LGmrSA01iTeqerMsEsUiKasuokpqqRxpoe9DaBCDHSWMMsFWwwa5IArwS7FVhITUkCJty8tFRJ9ChsXsrSrCnOE7jVZFFmhCfwYVvACYIkAFctdia+W9RC1kkgl1WWIKZBFDOMYJ6ggEhneEUF2UXMuurCFpjv/qT5IgXemwzagCaB7NrBpMHaJdYmgb5YlZuXaXzQOlsw85ckjcaIzuLOihsAVjK6qNZJrjlApUTFr3LTzscfbdZWBzA1a+fnj+8cccBB7UsC3HWTj9dBrgN7yThNYcPobJniENkyZnF2H3AK3UBnrIQkxSyJqGPl5sdcm3LUzD8SbK1IEticLWkKM0aDo7mgOYtWMNqHzUQaLilkXnGqiUxBbQ+crRLIJlnqLTZRZ/53oIcyyKMAVnTFtFE4viekhZ1A41O0TEVqlYzWGjqRq0Ty1WXmOxZPAN0oiosEiqQrBUqFdjrleruWTGduwmx86DuscBIGzycKYWNA3rj59rHhMm2wiD7nONdmUalYwwJrqNTNCkoBtYqOa3w9uq5Jjg0WJjcs4w+7PrXTwD6YK5znse8Ay2OHVevWQQneIlZkRElZJOlKZAEnMNNYkaVJjvQdj1KQubyJ3p6p1PFblrJSl4pFBsqxYaaKnn3GmaDxWuy0UHXUiToNXCi+je/W4tJ1Pc2WXEZ/zhvgCVL+rc0bXepYoAkkjrWhE6AaPTeBy1US1hWrJBe4lCq2ACsW1SrFNSuYJinEQqGTMGyKORCCGmiuFB1udBnuGkDHzvhzUGOn44ntNrYFkqSiTLoB0NEtURlfM5KKrbLAPK57w90KquK/WWXmhvJGBxt1MnUL1o14TcJkCQo3/Uyc2MLAg40tDcrMOZKio4u1th9mZB2rzn8Emt6WLHogoKSqWCkszKjnbgzI2ySA4z+9rhPZx4+DKaARACu5yrAuIw4M6IJWODZURTFPod8pSoAOrutoIuDxiWwhx23h2oEsVZ4A4/iOTJ3AN6ydbzhBPoCmsRMB3MDjBMaJpp/jM0CoQWs0qAlMKc1WCQSvLmN72bQiKe6BInl0RVorEuqKGwGwiTdiqwuz0tG7am6IiF0oEZwWe1+grkln7O2blYnPVg5o/IheM9MzNtxdGb1ba5UvkuShV4oneAsrTVWWs9hV70nGVtSRoRRkMEQbXMT2Bm8yJrTBywSawYYpk0IN35QiQesmI1UlYrpZQ23RAh1FX1VGoveVQKOlm+yRhMPyPmHOcnSuaM4MOscq990MNbR/D6PjJmclpNLUhFAAA0P0EfQ3IJKjUKlOkw/BRDrKvS5KLnd0NFjwIP2WsorW1PtIHrM0dD4jmHem6IreogIPGy20sVixqobDQJIjyZmG4Qz16v7ooYES0lVZSmXQuPEoQts1NogZVCq6nGKFe6Tl3mUIRYjw3upoUEBM+M7uE32hOROpJ/J3ULWrdfHUyMgVNWuqztrv67WsRi8aQoJuqGrGERmJSqw0RW+pwTAR3N1V3JDgyRu50s+vXNnrU3ThR3w9Q2YdmFIEzYDfUz/6GNAW6B01vzMjqA6f85ipkxBvCSO7m1sEi7vNaooVWZ8xwYL4wczdGfprD8QnzMKAZIjnHFcCZv2uKpjjWjdxDzdwH/Rr37On9O24mz01Tbj9/OIJY98eRBaxpum4zquwLPpAbw3ciil3wRzTqCcEUju47h1MqBZ8YuIldM9NOA4c+udqapCinyuqzZ6m3adnK9+9V75TGWAsj1vVSeyhR6rJO+27U/bh5DCC2Fjv
79ChXf8c3HnM2f+H5xvaxS4vaqEAa4d5A6yGeEm8d2Rh+7gssKbIpWs32KDRrWpOyf/iYfAVzSj4BnOpXPv6IBkRwhppSmHcGd4/r0phoTGZYbzvqMO0W1qA2tsyDakUTEDbh3RJVcGcujEX0u2SbjAH2zBOVxRxuqEcYa3ZSriDa+f1h1kfWjI/oPyG9fdw+uJBJj1bzCrBPld0OCYRhy9fB9/TOiaeNgWl1mhY7i4kkUJQyK1AW2bWU4ICoUBlSKOxK3pSedGdTQtLTpAnzRPF5YoRzJHFYML0ASweFjtYamJM48PRrlzvdBi9TjrbVg6yWmM/8JgzrLO1TG4TOCOuMddglko71MhKxe4InnA/AOQujcUW3jQ/iIVwitXZK66lNcR79+0CguXoV/+LM/RK7Jp/jaAbsOW1MAjnZ0QWZWWoCovhJG58u7F05tlXw7OAGYu9A2Hmn9WL777/i7V9LzrHUVPsqyDank+zuBGzYx03eEcV+tfGJ6efezQAufCtj13/k57nRYtzj+v3nseJycuHZNvXw4Epdp0z9O63D6/t3qmiznkC/tKcaaJoiQXZWa3Sq2d8mAuCgELP0Ie3P6NLYX548Qxdvrt4/V8/o4+Xwrz8ET3ZrndIUGbWVCGyltqPSpNKUWLgW9+//N//39OvgxShZp1Qxg3pATL1rMDhcTw6Mffd8ZpfO168rJEKX/H8cSHdlU0HMD+xYdzRD3wI34Fi2lonn5gyFebozat3QWT/lIKm82Wdxhn/Rwp6FqatRfeLEaGwkcPCE47gMb7Be85hhQ3d4gcYkQ7cfYVe5bkCP63j8hA6zdNLivLUOOd9YyGX52+v3Ks0GR4rsJ4x+tFzKjlN1b/d6PLKojLh/bI0PHESRBQa2rWnaVhrYpmbrjWvgOigi/Oc2S9j3gZsO7P8w+/cjAxgTUK44NLf8Is+C4xQaXOtk+h1xz5pGL3zGF5JZRqRPBK6OQTY4ACY2R2WvHpm2rv9MLGqH5N6W2+nCC9oyG6cy4vrsQPLF2stCbMqp/MbjXQcZOWywmJFzxrTiUixZKtK0RwtdgCTihyyhsJypjyx9cCoaHRCWw4uukzQ74BH1P27JVzRHQCKFtLQzGd2x88zik/aXOgMZy4VPwHo0qg0wJcJWGKZoFqYp7gOqfqflAmIivOs9sSlU8uHFrzdx9lwta4z4QE02NdmTZWgBn3YlfQZ+lg/Y2/AAfYDuqodYKOX4LcpTa0e1TODMjFhGtdIe7/4M4Q5DyoTZftFSHDDChLzNlTZN5AJI5E28JgzgT5eTgoUAgmyyeRVdJFtgcoywdg3C1hRHTuj14JNUOLiXsTYqejgb0+ArRutkHEqVtEnRQLOVvlIqIVOaKBO5cG8E4ARiEA6wRJh9ItUW6zy8ZxuhF6tINlLIWxv/C3k0i2o2VIqwqpn5K6Jd41xS4N5N1TnkEHQMh4yI0Y7ZMLnuUJaQsGMFUt+xEZ4ixuOxRxx/CMclHWCSMdFOdpg32XZRlI21oJdgQHbf3liRyopgS4Em3j94I6L2GNlGKk4Vgj6RaMaiSevb39+I1dyuQxPf6ckM2ua/Hh7yH6wC7rb2MH7tcXbovuqMmsqjE8Wn0RbVzE7JxyX0OOWnEb9o6ZqEmFZGSLnpbRfchrh64oQqvUEztB5/LTmaKclngBeyKq4K6l2KFCYMMJtDuHUw5EOcLRSCQJ8upTCvitWboWUw+aHaKQo9Xe1idePbuLdxMh1LYWaAc5o3uzH+2EG+jATSDNTBeQnguIC6kW0h7rGGuFclvZ1MWvKFJJb0R6ZI5zBt1LIYiKvFmZyaOZa1M+rRFjlnoncyh+pdEMAjH5hnKJXHrGzERmOcfaKZmPuTk4mjDf7f5B0hUkSXPushbhUCO0xQIiY9e73IITL17v29RqxKTGdELqQKasHAptf0DXeMFmBdklkUSpZsIkMRTo3cq8FXnAoIlui8/24MbFpxE5CJIcY9rROFESgh2HU
4TInIBhYv8Ev9el2Xtn2vk2yXVtmWQkzLGeLrdHnUAaekVPM+qO0IHiPV1RQxUi9JSAIJPoNUwuYWcNTG5rthjyyZ+T7M23UdPCz3tMpbbcebE8v9u/JqxdurYT7CpqmjRFuWEG1letO21O0pJNBJH8K0ZpCHDwIaDx4z2NQR7LWKb27H4y1fjhuT99nOtqQ06O35h3Gh3Y42hvsuBUIRwiDL3d3Lw7uTs16du6iRdmbOnxy0XqpziNADsjxRoB8uez4w+EjizXaYJ4jO04+qlklSMw7doT8mJUdY+5txIyNUg8laAM/dfTKncqss4KatXyAKAnueZKRQ8N/bfLAoZeSkkm9TnuiOu8l9/5ai8gevkzkCfmvs5+++w49eXPx6uopumDaMLGqmF7THErhg7hwuZLJ+wLti4RBtuzS4eGPGb44kTGmZGKv4r76T3uqIQyaGwMe+WhDn+9yXQik/Td1vx3HH+AUipliEWqT3maKYR6rO91gI+9xzirtVkBSIc0KxrFy4smKTXuHCLzr4fIquOea5XN2Gulmyn+0jFB7EQd9MdtLnq7O4pXYd9chrOErDTv+X+8kgk9GvOAdN7RTlpGHXZlSpUwMGIVsgNRSrbBgf+7JqhbpWOFYYp9A6S5PTZB7yVSwljRR159f7HLwWrgWX653US+r+VeKuVkTrCgqFc1lwQQOFtx1xNMVNowKow+mx3M8527f4AfdrGv9SMtEjGuvztdWcJVYGWiG1G51v1idsdmRFzbHSNQlzanChuZZtKSyPfxhhc8v9YpN8OxKyQ3Lm+Zh/nu4LLnXVEeM4Zv/2Getr9OGFZx2kyyfaZfNkr7Xn9lNbDM4PBQyJzfMRc/XQ8V9ogVco3TGHAp+V82T3oLO1PlRpxJ6Fdio01FBY8UaaSOVk/gWWkENhtW+hm+d2W99Hd59wfKc0/mk3FtY71g5Fzjejtw7Sc7V4zHm2e6VX63TYUjs6ujsM1RybI/Mvs9SISqI2pVTXn5IhZzBnjwig041tuWvUhv0FpM1ExMmXY4TSY6vhrT+KCDTv1TUig+rH7kmZ/oMvclxiT7BP5x+lEvh6k7/OX480RpvqNWcOMUKfa6o2iHoQahLKTStNapwcardbwa/mUde+h54xEJWrO4CKdz2XV++aTzrLc2AastA731z1GMxhSlPaR1mQx6vW0v3mhhZ29A/vEwjVQkRtGP1s+blcZFn10ZqosbOQ8y8hZn+IDDaMpHLrUa6pIQtGbGfPAvVCfo82fEFsdtz+LY5N+gJdISlgrTPEIQun3aohSoB7/gbusJkhz7qfuPbJgJbDAtpo2fX2hVmMNgnXvuuqQWoQK0aMJl9EUcUb/oABKr/e5WmUM4zJl9/2+kV6qnuvE69DuwYdhhkNP+bEzY7T17v1FZ9hq93vdey7jVsfboL6Hg38zjsmoBB/2zahEx3DKMTCjekOFz8DGUDMUcCTla4wZZzumTC++pBOEFXvwKXE00HAbuTCsUS4dY6YAbqX2zB2PhsU+/d91Ka6E3Z+LCNwWRdzNwCv10VCI5G1lH3OJIMeVkwEW+CWNS7YbcMRYVpH8+AkOqW7cCxuDbabXl/YGrnCOu0b98BrEusap6yf37WbmW7ZqNW6sjeDmvLuuT3o7Znos8scW0tpNqlO/C/6hKLvx3sGFMj0u+iXqvnoafJkuWvzwH6gb09mEo02lXdb33/ria5IKPCKFmeIjpyWS1GzoWjeNyvaa1teqAcAXB01R3z3sNzWZRY7Jr7CNcOxuk7e2VDlX2GMiaWMqwUYH2TukbogPwYWJE1Zluativ68nOqHIFfKs536D8rzNmS0RxdQN2zcw4GUdnSRUakvGEPFHT/nS6QW7+1nzGf0uajd5ttw+FlZUDlPnGE6eG7/r5Zwk/Z8e5o55M/Qx92pdt66zmwxHEnOH14ii6zqM1kB2hbHJwjQn2tQ21rh8jM4aprlMs+ds6zWEpVe/shxPz+zcSRd3rlRGan
mhZl2jlEe0hhVz7oua/RVFIm0kT6SNl17HmgEpuwa5KIDOuY0f4OYOXL6SNDrhSPeMwdqBFPpTFGs0rF8oZ0YGqqMryKZ1O2oKM/T33QUdMf+6A91ycQLPTWUAGqVXzjxMKPxs2NordWdJAqE1ujckvMUUvYk7kfYFlQr577/z73KDz3/+HzmkJuf8ypCmfn+e08YPTcbaYbPAePa2fU2mg7uR+IZk0qJpZUqYm463jfs+yrq/gfJH3QPTsDknVf4mXnGAJXCsLaMumVCiwxG/u9dnF7y3YfIINYdf/0DzpO0Joe+MnKNVXz+COszu4znp6cw+jHp+gc1g+jRpWZqVnKBJ3PqfLDP2kvC3NPc16aNHTcIWTnwO2iX+tOp+i9J83+PNUreffWKOHTRtfsz7C3ht0kkimX/3iNBF1Jw9wBlmusJyZAaTJ3W6HOUbrFp4cL2qNONgFqlOAy4LG6cXpdfxNOSNFsNUdFRb+/UTP18MPkoGUrTZjWVXSlEyBDslQ6b939YiiAIVUqqQ90dChd6fnaLo6uITi9TzrNkiHRdAb3UeQn15Dauf8x6kjP05C8u/Tcg+O0CNWaZ5uUL/owpOod2UFk8syyHq6it2nUqQCzG+ot6kTNDb5qx5V0HySQrT8iDfE6qdDl9at/vL1CV/adQr+JiekrLbaJKqlPwfbDVoaxBTFE1pTc6JOcyMcJ4bQ9yEJD55p+nU2LMEgD9SMIWym4R8ulio2aQj6AkuvwaLqCTBoNgLPBppptwmcXyw3mLHeMGEBiKAhn62q9TxACxW7oTg/FdiTOrxNII8NeG1PqjMEM2iSg4ShTEITgR3Cb2ErUlS9SMbM7cKOILIqkfeKOxNvh4R1C4RL8LVOUDy3N2C6WLcci0/qhBt7alZ0M/93vtq7RCmLrSo2zUrI50qpDCDsMEGAASIWtASArWWMhRo0zUreb8qsCIhMx25naNjcPi595+PubV+/8u/d8sHzzoBiphr7/6D3bmL7JNpJXqQjwqp7jLPycm2Yydj3OtxLMaPTEIaGfQrcOKOytJ+oOwCNAOrgbXiWSZm88rh8FMz5d4KxfdLChCjIFlhVHRApCS2MN5Wt3hhPtFbbblNLXEd4a7PUIbYtoKZVB0tL3139/FUrBDZI9Nt9JtZo/wXJYYNBzsS6wa3YSbBTz99e/XV1eobf4tmAib8Z6h4/V7m32NMzeEMWJbfltjHa3b1uN+hQuWYyenu2qHLPlfAWbD12EX285udrRc5Z5qXx54bv0eiz2YsjnO5QH7hVQ77j4b1833BTmiHysSca+3eAvsSb0A2U3+nHVYMU3Qd3CFfc+Q7oKpKhjjf6qjZJi9bcFx+SGM21o/tfn/m/Pmk+ZWFIS/mjJFN1iHlRk8IJ3foOwyJGWaIItFV0xbdTOWvZzCosSm7Vv1t/ggIY4jJAEp9RcaLpCaFevRaTqdCFv9MkGcypMJyelxtsPZDxrpqmdDS7/NO5TePdw7qfov+tkP9SjINuZ8G1dmlF4uWQEJgUsKBVILqAxRKdjV0N4je+A7fDmju9t4/S1aInECmGhUzc6mpAJCm9RQbXGK99ZiEgrgWEEWUgVfCNX6IISmU8Ebjys6F4m17U5YgrSAOE55QmUUdo3SS4RE9pgYWo0wla6YSc9w/n4pQkq03DRmLVPjatUagcMoLW1TmFG7u/MCKp1ffqH5xgIuqGq22KixEpT9JYaDLq2r5ptlnryRq708yuXFvt0BP7CJ3S1igFG76mTBo7DRQfNiV4wdJPECXO/eHGhV2nVX3/Gb/09v7z43odMXOO21j6Gqv5bTAzicuXOa9yZBnYHs6g9t8D3dH9ykP29P9izSc4YgT6JU0KcMYI8zSmTR7KZ90xe/L8z2X8mdtU0B3K/6ysXf2TBblWPBrtNqmDn/VBTNGVe6/3Jlur+3w8zsN7SlczfDzlc5cxk0FH6MaLXN30eEWLriDNxoyLGxGmIpdWYasnxeDktpyeN
e01LtiWleeoyjunAQ7fxoWsFSfORHjJSEu5nRQz0kBH0A1bENBXnrxQfjrYNks+Ra7TNSORDAQremXxkDrXa+/cbNVo1+/d/2vWN2nMpiH0csJGP3bKdEDfQZi6hOOxS99wu49JXOvf5jVz5way+DgG6wVkTRFEvqEZbX7JbmiNNYVZu78f9NfS0wVIfwgj2vQ2W5hBGoO90KGNPYHz/0mmMOdrXHWhyNxpEbJKwhy9/rTNDPUfyIUdqKprewVyudIhtOj6kL4e+7BQGG/1okrCXV5sf245+E9d9SNzR7o38Uom7eZmavC//7yVv4uolT+OhXHCOtK63LEcYrdiGisZJ9uUqApZEp/kv0log+WNU/r6MiMakQ0OWu0zRzwnOuhs8hAOGfft2fK99V7AruEjPvDfbYFcjTfBYgixonf758VKY718iqdAvXGLzw4t+ohaRYslWlZrOUGn3fYq6+wXvG8Kgj7XwESzjGbpeTOW31PVAX7qDQaotVnkypW7/rHmnkHzq6XsYKcrxOLnMNUf1j6hH27ezBE7VbZ8OqdiKCczr3/S1lQN0SKV/7UmMuLz69DJAAhTsB4sikKDBaEzlGK9Py6hjxfHU12dNcZ6wQL5n2sFS6PLiPlFSh283WApgTouVPmonGydZcj8bbrJoW0ULLoo1Xc4l59D59EsUwJZ6D5BzY3mOaUQc6eoBbx1F9Y0cD6SYJvQjtPgKsngsqmohtalL7xa70aE1s7QsQM2Kku/8OdkvQzoyxWSNNMspevIdMmtVoRc//fQUbbEfBlSvsocSj0J5PYISfjJOMlKQL4Yr3FiU2qfQdE61V1kHIaAneCE3tEMMFi6yqcWbNoriYvL+kC+GbR6YVDRnJ7U9OESor0KaY+NYYEvETN25B0T6c9fos0Z6PJDqnwgqPnZUoRfotSC41BXHTbuxO8n1EPR7Bj8CuZWhVX54gf7NbvcZ+uEH9G+ISGX1Zdc1oB6H9j+4+V/2i0yjPlHCDSyEzOmjtXXFlmYEc77A5CZ98VJOhTT1cDOwKywR66oVME2m5soBcyRvRwQsAy2zMQeM3SR6I5XVrMXOaR32g047iRBSCC1lJXL7wnAYqaChpv+45MX+jRhBjhEL9NdhT9ho4hR2XOL8sbxzHh2k2Z8wTlIxErA6vCnc/TLYwu65r4WwffaxaTVauayP7Qz9Krf2aMY2JxNIKmuMGYluKC0PEO1RvHhfCNHcaIlsk3Jk+eta8sBgKTdhWsAs/Y5duGEKhp5eXvR97yLg4uhOZQdiuF34q355gZSV1hocKuPpIJPz+xtKJKtIfnBK9CeKTOTLJQkFjQV/277qPfSzb6YsE0WxH+UzISjt/+pAzBcQePErZbrkLHX/kUdrzmuWqpT1ninSp7V9Opbf4dbZN6Ce6eO5rrZa/BPy3yPC6MTLaODPLDF6GOIjFbo6f3XldV+ChSUPK0qphhovgifyi0uDqB6H++Oje6rAEA8Nq0VjU75qf9Ia7E7PAcv8DL346SXaAt0LigXCnId9BXX98hK1/iO0pYo6sNggTrE2SIpBuUifiA+uJn7ZRAzc1RRhW0+736XKgXCQ1UTJWkguV7thIG7J1EiLRegnRNZYYWIcESk0ILJYuBnsqBI+p4f3fOaTFbWxC7pdoD5lEGHfvARrURRWyZSiDiMovJ2UaSBZB2olJqCxuhiF8D4HSUilaojaYJFjlSMhVYE5+zOU3ytVEaRP7rMcTibRcdPs9hCpxbpB5jlnSwo7Dhj4mhIp8gkFuz3uTJsZWtKHNsQEkUXJqQkywKQTFYMCP90qWhuszAMx8rVdO8jOU6zc58xJ9iukiN7LOB8lSNy76YHIH4jwr0WeguwW5J9SPFD/m3r1WsV06bUfhhQeiahkN/oVgnHafoi4b2hbY5fvywMLnO99mW03HOZ9f5CKEqlymqd7B32SjX+mdLNirWPUmTbNF7vx9fFrpWRxBlArKMrXhAqsmHRqfVFxw741
jCqEy5LX1S9ts5oCC7wKleYixCG8U9uLDimHq0bMfK2R3AoXGTO4KIeeQY9xPfdofPuMRmTNrHUjc6rP0NtKGzCTukBd/6uJvFxs6ImHtFeALZcW7w2dQxOCQ64XdLRzY88EcQyBrWqdsw3LrWYD/BAWZNe1IPswIF54k7clU7PtsD1PFwu6tZzIDN+5zWor9Ky+ZpECBt3vG4146Af6ddfy7Gy0ZNsfrYotgYrowzQb+se+KqBBfq5oNRsrWe52XNTKxy2GwaVVt8NWF80SkIs1rKEhakSloEfQBDJtVZgEr++qSIFrmSVAtcxSaM9lTFHUBxprWEcLNYGu1HlFHsaEHJiPwTdm9Fze6c05VWwekmunBAvaB2LQDSG2IwiTkRIfQ7HWFX+gtveyMkQW9LnDoTFe/AiWEYdg4UnQMyAnGIRuqGImdXPPqf7RfnVfBDg1XHTg8pl59Jp7pZtKFwsN4k5uWH1r+IS1WxfMmeqp4nXl9NlMgQNoXIwsH812bWa5BvEOzYFJeAif+lZ61xKUCv127VNjma4TAoZ+NVi/PqGpKkldSs0iCo6jeAvMaZG3/YGbuzvZhafiJkvXuuiOokhUBVWM3FUWBfc20+zmIyrZmpvhxJK736OtbajIYdLxQbklF388QPeaOrQrx/Nlu4ilrwUfkRsm+u5FzEn6lL3qvpqc5erFjPdyrXGTWyykQbiZhRZOoOVyldWJKg8i1GtGvLNQn6NnSk/2/R3SraAt9bhxd6P4S87Ibo55ORNy4QoQ8N2zBd9NyOWKp8ybDhPwfeXb94fFqRSG3qbWWBuELttm/3V1VZ5r+3/wqGJeIxRqAHPgcSZrLFY0E3SbWhZMBS7pthPqByXEGMUWlaEdCTHO0dcOdautd5+/ibHCJY4m7BrK8dGMjVluDhiCw/wih0xXfwsYt1ABZglWNxzUbc6X2lB1hq6pO5RKU3WGVxRaeftM96VUNQ4j2DUYp7cT+D1yv+/0rZAKLZTc2s/qv5J6EqM1uyb7SV/mV1iZ2G66BnBsj4q/U3JUHTrXnZI8b6eIJrpSsqQ+oJjqLX4lEOZUmSa7SLWL+r+58JYXH50mAJCEFFCYcySk+FbRkoIlsy/7YY7JJv0++qF5Jk6Pe85chK0O/4x25sditLIeXcCCC6g2EUiKb1fS/veelwCUlCygOCbcN+4EA58DAhZJuUQwI55RfYauW5kyHGzQraxKg/G5K+ertDViXMmoS7bJvfht5pEQXmlTM6T/x+iY4CdM25P0NdHev2EVX/h0WgWaXftxNyxs0bu2TOmUsq8PGV4WywvAAmGtJWHgL7WnEbQn4cDesBv6c2cUIYwefIZKBTNRniFqyNdhRRkrHGvk9IEgFixFDVUalVhDFy8NjRz8PGhZFFaKyV7QflxaQw3Zq+659+ChNL7OGSZ4mJz4JrIoq/EdTHBsGG2ZyOXW59P6eZHPmkyKSWKMtrmsON+hzxXmzvmZywIzP0oX9l0vxOXE09X1eiYaQT8a7sbEDc19LVCdiI41eKe8gWI/+apB7Yzl+w6Oj7pCJBV13dFNzi0xRKBG77frh8Lrt9J7XtH1uF1PE3SmqmDDwU6pXax+zc6gu/2a9g+RNe0l4+nveLPlX2C15hormleEojpyRMPuNjcVPwu8pskekeveIP7h+9h5AO0LM+kXoORGn9RyIIbH2K9uH7o11uvmhlq1MFBlWJG1y/yta2yaMsPzGtKgRZjdSLPMmVbE/qr597jSFFl5LhCDnLtKEE6xsn+CRngtar6AsJ7dWhd2Ho4+OOFXjfs8PeoXi8hi0QzgXfYeLF82qu7wem2YqvTcnr6uNgIITHv85gmQBq7EuVvd9WSc9pQ6C26+0bPOy3x54Ydooye+cUM9XdIV/Vrcnob1aueAfqgR/d79fHnRndDaiImx96AfkXNpgG4LZ46JrCzYMh02Ujd6l7KXfT+q6wu0nbqw148tnPE988Di82ZhdHlxUJON5Z87
oMlaxF6IvNVoz9C5q8/0/U65+2C/NgsIqv43vv/Ku+MWlWkqN6VpHqNKcKodZaR7ULYSbbBieMFHVYCuKQMTqOR4QhBoKnTS/ii9A+2qqm7lMyuprIZR1xcye87Xzy+vhjo08i1jnUdhqi77xIGCR9dCtpEWhyS6FAZds5XAICwmWLSUKmXz2q9H8ssy6VWtu0no6gj/aRHp3GXgslwGGOfdbx8QE4RXObXizE+qtT8/Q09e3+Ki5PRndOUcIg4sSO+zsF8EInOzxzbBOdU+LWHMmL6xKvcJeN2hFK/jxnznn4b3TN/sCbkaxVYrqtKNsAuT7FM3FuBxAO10raheS55b7nG2+sSk0V7ofQbPwjj27qXyk/dOx3jaNOO4vAiXkRwdnSeyKLOZ867gVHzuFYxxdf49XS2+tehIAfWpSxg3I/OKTFlpXi19oKyxLuaNtJQKOg9YuV7jNzElDqt8i9XDZOiNu+pb6Yr9Q2Q3MdEa+YkVohi9xaTupxxWbq0ImtWOkeLbWkFV+6WQszWjD7VWFOvoucHaYFPFUpwbfxRm/MHMDrv4Qt4ilj+ffr/sy1rNgaHF6OOo8bG7CxaL8NWt37HE0/dGTH4xnrt3ynPGhKxixTg7dSR6Ff1OWUka0+kw8sj+GBlw6s6MPZZ4xbmVe0hXhFCtlxVHr+36iMicassSdbPfsGXBRE5vIxOAM21O0zzvKVtgYTDFVI3EgiqIbxZYMQ4ZPAEPnou/ixXCQMRv7W+DOxMJ+FAuXHOhB9KI/eroSZPPWVKlS1906yTMiGReRWgT4usOT08nigydm2v8HqdOKHHKV5Pk5X1V7tv2Q8yERjk1mPGAk2EhK9P53cTWJJ89N7P22OImjw3wmH5IDS1Kniyb5xXK6RL7EJDvfFnH8H22ptWKN1RxvINCLiP944qeBG6k/QCsbv9ruqyrwJ2vXhtmKmjMiIIba22DccOm+17XqFGsjn+H4NiYJpBVRBaFvU9p2OjcQUesk+xbKrlhufOf1V3kCqonE6FySU4PNN7dW/YL463WSLp5eWHV4LaEpKeHkfX16mll/R9ycaLf6eTt/Ydc+ABM+HaVLF3j3AtIKHYnf311iS5HClUXjWRda311yX4MIhZ2NdWwq6iG9F38YT63OqzcOxGRLWSeuuJrVHE3VDo8LsjiMqEereN3S3AhgxkqzzsuYF867BJom3gIW7G8CeVMOPGK2FbjqAw8wssfT8lr9l1WKZ+perr31UfXPacOREGyxi0lVdeL4FK/FjRU3lp3YdqXuDGDIyToFc/7DpGmuhJvMON4HMhAjSscQX3lkio1MWnB3aFTfP3x4m7eWCl8AygXgB1tyacbaLY6m5CIrMgWVZ7vovtnWJFFrQPqwK00Pa3R+V4vVXyIismIXQ4GJXaZruYoSGC6m73qeq7iKmemqaxr+6J5jEKD7dqKDSdK2vDC/k26LLHYFNzMZpWff3qNnvhaiU8Vt7rygnEo4IA8sNe3pdT2m0/Rt2NHgxhGYW6E3IqeIaQpqaCZxaYPfWLSJsEzuOCGaaHndZX7O1+a9IauMNmhj5PmGmcLhR+iKN8v3CMxE6jATCwVLujedIwSK5jam75PQk+5vIJl0TuZu+Toti1gJ+ssgBQ6oH1BqoAlRCoLqd837h3dol8rAabkW5lTjp4wsTn75hlikjxDC/t/1P4fFpjvNNNn34Tji4aU2ZLj0eT82DpUX8M/v0KwKPi6QE7u6uFXcrm3UYORSTF1f114POs2CJoqy8hBhDZFXLk7wOzT29+xouiDSwD+5ptPb39/9f71N9+4nNsNVphN8uRWqpuYJcsHL9jv9YLdCNukEwyL2EqEr9mJ26WkeQ4wsc/FLoEJs5SKCs1ITAHScSUlwLiI7wUJxAdiAc22mI2HE9/bOwC9z2MDtdcndom6rhaJLoVZ5Nqo2JXvUK+dzCHWfUujvaN1zUc6J+mpxS7tYLCRSuOLTdq6F1/vYkEs2aSjqd5q
MkfsqVsNdiMKbHNY3hMWyif3E7y748Ii7/X/9+NVW5XZTf57EBbLOz56j8heJB+EOeo47j78pJwhaat3sh279IlpMtrrLDvok/kU3G4jzj0cma5bVrM54mFQ9LXEjFta181crrzMuLzo1rZBJy5rDhq6CrQwmM4qrHOuM6sinrCfUxKvId3aVx+dy6KoxNATNcJOnNa46b7YvaO35u80rFM3uOnTNOv74naNRf7vMhw1a3Ez2LBTJMO9sRsv3ENOV7pkhMloWaJzWfCA/RYrMQ46PHbUtSjKTKYSxtfv3l6h35wftU1KDSPyedZUguv/fIM+V1RN9G6tuMgUHXbqTJvc0HGI7tD7uugsmNbVaOkk4kPaBSpjjxGwQMuTHEeHoJpAcOzecPP4Axowx6pIcFoWbAL3Ai4jFiA3QKs82lTaHsy43a56oHNshlrhfeEuqCDrAqtYZSUN3F2JR+OL7x19wmSUThUFZraOzguELuMWUDWAlytotZQArFz8kQBqiaNPwnAdp6KzFwTdMxb7wfGd2wpqVc/oSIsMExiMEr/8xMLWIqLx3gG8WJWbH8WtWUd/34nIiFFZrqP2Xe9At5BPizwdAXjDcXSJITIqVkxELIocg06RGy2yZaa3zJDo8kNkSy63Ghfxc1e6sIXZpIOeIOpCRMZESnHCRElVsdhFS3gfwS7JTRrgG8xT8Aors1JJI7P4ISmAvvkxA49jfNg82d3kcpXlKYhtAcfPfyMiK/BtZkwst0EfsOVoThM8CgUTiZBmIh3SJdcZX/Asdli0B/u7hMCjdwbvwI7dC7ELO3ZVbxf2Twlhv0wI+18Twv6fCWH/JQ1sI0uOFzSFSGmgxzfPRFZUHJTvxS7BO1kDL28S6CVFxdmqKNNo31bLxHwVOwnJQ2YplBJNP5P4vhGRaZeQmOAEtSJprEkLOI01qXe6KhPMIiWiKatOYqoaaazpQW8TiBAjjTXMUsEGsyYJ8EqwW4GF1JQkYMLNS0uVRI/C5qUszZriPIFbTRZlRngCH7YFnCBIAnDVYmfiu0UtZJ0EclllCWIaRDHDCOYJCoh0hldUkF3ErKsubIH57k+aL1LgvcmgDWgSyK4dTBqsXWJtEuiLVbl5mcYHrbMFM39J0miM6CzurLgBYCWji2qd5JoDVEpU/Co37Xz80WZtdQBTs3Z+/vjOEQcc1L4kwF03+Xgd5Dqwl4zTFDaMzpYpDpEtYxZn9wGn0A10xkpIUsySiDpWbn7MtSlHzfwjwdaKJIHN2ZKmMGM0OJoLmrNoBaN92Eyk4ZJC5hWnmsgU1PbA2SqBbJKl3mITdeZ/B3oogzwKYEVXTBuF43tCWtgJND5Fy1SkVsloraETuUokX11mvmPxBNCNorhIoEi6UqBUaKdTrrdryXTmJszGh77DCidh8HyiEDYG5I2bbx8bLtMGi+hzjnNtFpWKNSywhkrdrKAUUKvouMbXo+ua5NhgYXLDMv6w61M7DeyDucJ5HvsOsDx2WLVuHZTgLWJFRpSURZKuRBZwAjONFVma5Ejf8SgFmcub6O2ZSh2/ZSkrdalYZKAcG2aq6NlnnAkar8VOC1VHnajTwIXi2/huLS5d19NsyWX057wBniDl39q80aWOBZpA4lgbOgGq0XMTuFwlYV2xSnKBS6liC7BiUa1SXLOCaZJCLBQ6CcOmmAMhqIHmStHhRpfhrgF07Iw/BzV2Op7YbmNbIEkqyqQbAB3dEpXxNSOp2CoLzOO6N9ytoCr+m1VmbihvdLBRJ1O3YN2I1yRMlqBw08/EiS0MPNjY0qDMnCMpOrpYa/thRtax6vxHoOltyaIHAkqqipXCwox67saAvE0COP7T6zqRffw4mAIaAbCSqwzrMuLAgC5ohWNDVRTzFPqdogTo4LqOJgIen8gWctwWrh3IUuUJMI7vyNQJfMPa+YYT5ANoGjsRwA08TmCcaPo5PgOEGrRGg5rAlNJslUDw6jK2l00rkuIeKJJHV6S1IqGu
uBEAm3gjtrowKx29q+aGiNiFEsFpsfcF6pp0xt6+WZn4bOWAxo/oNTM9Y8PdldG7tVb5IkkeeqV4grew0lRlOYtd9Z5kbEUdGUpBBkO0wUVsb/AmY0IbvEygGWyYMinU8E0pErRuMlJVIqabNdQWLdBR9FVlJHpfCTRauskeSTgs7xPmLEfniubMoHOsct/NUEP79zA6bnJWQipNTQgFMDBEH0F/AyI5CpXqNPkQTKSj3Oui5HJHR4MFD9JvKatoTb2P5DFLQ+czgnlniq7oLSrwsNFCG4sVq2o4DCQ5kpxpGM5Qr+6PHhooIV2VpVQGjRuPIrRdY4OYQaWiyylWuEda7l2GUIQI762OBgXEhO/sPtEXmjOReiJ/B1W7WhdPjYxcUbOm6qz9vl7LavSiISTohqpmHJGRqMRKU/SWGgwTwd1dxQ0JnryRK/38ypW9PkUXfsTXM2TWgSlF0Az4PfWjjwFtgd5R8zszgurwOY+ZOgnxljCyu7lFsLjbrKZYkfUZEyyIH8zcnaG/9kB8wiwMSIZ4znElYNbvqoI5rnUT93AD90G/9j17St+Ou9lT04Tbzy+eMPbtQWQRa5qO67wKy6IP9NbArZhyF8wxjXpCILWD697BhGrBJyZeQvfchOPAoX+upgYp+rmi2uxp2n16tvLde+U7lQHG8rhVncQeeqSavNO+O2UfTg4jiI31/g4d2vXPwZ3HnP1/eL6hXezyohYKsHaYN8BqiJfEe0cWto/LAmuKXLp2gw0a3armlPwvHgZf0YyCbzCXyrWvD5IRIayRphTGneH986oUFhqTGcb7jjpMu6UFqL0t05BKwQS0fUiXVBXMqRtzId0u6QZzsA3jdEURpxvKEdaarYQ7uHZef5j1oSXzA8pvWH8Ppy8eZNKzxawS7HNFh2MScfjydfA9rWPiaVNQao2G5e5CEikEhdwKtGVmPSUoEApUhjQau6InlRfd2bSw5AR50jxRXK4YwRxZDCZMH8DiYbGDpSbGND4c7cr1TofR66SzbeUgqzX2A485wzpby+Q2gTPiGnMNZqm0Q42sVOyO4An3A0Du0lhs4U3zg1gIp1idveJaWkO8d98uIFiOfvW/OEOvxK751wi6AVteC4NwfkZkUVaGqrAYTuLGtxtLZ559NTwLmLHYOxBm/lm9+O77v1jb96JzHDXFvgqi7fk0ixsxO9Zxg3dUoX9tfHL6uUcDkAvf+tj1P+l5XrQ497h+73mcmLx8SLZ9PRyYYtc5Q+9++/Da7p0q6pwn4C/NmSaKlliQndUqvXrGh7kgCCj0DH14+zO6FOaHF8/Q5buL1//1M/p4KczLH9GT7XqHBGVmTRUia6n9qDSpFCUGvvX9y//9/z39OkgRatYJZdyQHiBTzwocHsejE3PfHa/5tePFyxqp8BXPHxfSXdl0APMTG8Yd/cCH8B0opq118okpU2GO3rx6F0T2TyloOl/WaZzxf6SgZ2HaWnS/GBEKGzksPOEIHuMbvOccVtjQLX6AEenA3VfoVZ4r8NM6Lg+h0zy9pChPjXPeNxZyef72yr1Kk+GxAusZox89p5LTVP3bjS6vLCoT3i9LwxMnQUShoV17moa1Jpa56VrzCogOujjPmf0y5m3AtjPLP/zOzcgA1iSECy79Db/os8AIlTbXOoled+yThtE7j+GVVKYRySOhm0OADQ6Amd1hyatnpr3bDxOr+jGpt/V2ivCChuzGuby4HjuwfLHWkjCrcjq/0UjHQVYuKyxW9KwxnYgUS7aqFM3RYgcwqcghaygsZ8oTWw+MikYntOXgossE/Q54RN2/W8IV3QGgaCENzXxmd/w8o/ikzYXOcOZS8ROALo1KA3yZgCWWCaqFeYrrkKr/SZmAqDjPak9cOrV8aMHbfZwNV+s6Ex5Ag31t1lQJatCHXUmfoY/1M/YGHGA/oKvaATZ6CX6b0tTqUT0zKBMTpnGNtPeLP0OY86AyUbZfhAQ3rCAxb0OVfQOZMBJpA485
E+jj5aRAIZAgm0xeRRfZFqgsE4x9s4AV1bEzei3YBCUu7kWMnYoO/vYE2LrRChmnYhV9UiTgbJWPhFrohAbqVB7MOwEYgQikEywRRr9ItcUqH8/pRujVCpK9FML2xt9CLt2Cmi2lIqx6Ru6aeNcYtzSYd0N1DhkELeMhM2K0QyZ8niukJRTMWLHkR2yEt7jhWMwRxz/CQVkniHRclKMN9l2WbSRlYy3YFRiw/ZcndqSSEuhCsInXD+64iD1WhpGKY4WgXzSqkXjy+vbnN3Ill8vw9HdKMrOmyY+3h+wHu6C7jR28X1u8LbqvKrOmwvhk8Um0dRWzc8JxCT1uyWnUP2qqJhGWlSFyXkr7JacRvq4IoVpP4Aydx09rjnZa4gnghayKu5JqhwKFCSPc5hBOPRzpAEcrlSDAp0sp7Lti5VZIOWx+iEaKUn9Xm3j96CbeTYxc11KoGeCM5s1+vB9moA8zgTQzVUB+IiguoF5Ee6hrrBHOZWlfF7OmTCG5Fe2ROcIZfCuFLCbyamEmh2auRf28SoRV7pnIrfyRSjcEwOgXxil65RE7G5HhGGevaDbm7uRkwniz/wdJV5gkwbXPWohLhdAeA4SIWe9+D0K4fL1rX68RmxLTCaELmbJ6ILD5BV3jDZMVaJdEFqWSBZvIUKRzI/da4AWHIrIlOt+PGxObRuwkRHKIYU/rREEEehhGHS5zAoKB9Rv8Up9u55Vt79sk27VllpUww3K22Bp9DmXgGTnFrD9KC4L3eEUFVYzUWwKCQKLfMLWAmTU8taHZbsgje0a+P9NGTQc/6z2d0nbrwfb0Yv+evHrh1kq4r6Bp2hjhhhVUW7nutD1FSzoZRPKnEK0pxMGDgMaD9zwGdSRrndK7+8FY64fj9vR9pqMNOT16a95hfGiHo73BjluBcIQw+HJ39+Lg7tSsZ+cuWpS9qcMnF62X6jwC5IAcbwTIl8uOPxw+slijDeY5suPko5pVgsS8Y0fIj1nZMebeRszYKPVQgjbwU0ev3KnMOiuoWcsHiJLgnicZOTT81yYPHHopKZnU67QnqvNecu+vtYjs4ctEnpD/Ovvpu+/QkzcXr66eogumDROriuk1zaEUPogLlyuZvC/QvkgYZMsuHR7+mOGLExljSib2Ku6r/7SnGsKguTHgkY829Pku14VA2n9T99tx/AFOoZgpFqE26W2mGOaxutMNNvIe56zSbgUkFdKsYBwrJ56s2LR3iMC7Hi6vgnuuWT5np5FupvxHywi1F3HQF7O95OnqLF6JfXcdwhq+0rDj//VOIvhkxAvecUM7ZRl52JUpVcrEgFHIBkgt1QoL9ueerGqRjhWOJfYJlO7y1AS5l0wFa0kTdf35xS4Hr4Vr8eV6F/Wymn+lmJs1wYqiUtFcFkzgYMFdRzxdYcOoMPpgejzHc+72DX7QzbrWj7RMxLj26nxtBVeJlYFmSO1W94vVGZsdeWFzjERd0pwqbGieRUsq28MfVvj8Uq/YBM+ulNywvGke5r+Hy5J7TXXEGL75j33W+jptWMFpN8nymXbZLOl7/ZndxDaDw0Mhc3LDXPR8PVTcJ1rANUpnzKHgd9U86S3oTJ0fdSqhV4GNOh0VNFaskTZSOYlvoRXUYFjta/jWmf3W1+HdFyzPOZ1Pyr2F9Y6Vc4Hj7ci9k+RcPR5jnu1e+dU6HYbEro7OPkMlx/bI7PssFaKCqF055eWHVMgZ7MkjMuhUY1v+KrVBbzFZMzFh0uU4keT4akjrjwIy/UtFrfiw+pFrcqbP0Jscl+gT/MPpR7kUru70n+PHE63xhlrNiVOs0OeKqh2CHoS6lELTWqMKF6fa/Wbwm3nkpe+BRyxkxeoukMJt3/Xlm8az3tIMqLYM9N43Rz0WU5jylNZhNuTxurV0r4mRtQ39w8s0UpUQQTtWP2teHhd5dm2kJmrsPMTMW5jpDwKjLRO53GqkS0rYkhH7ybNQnaDPkx1fELs9h2+bc4OeQEdYKkj7DEHo8mmH
WqgS8I6/oStMduij7je+bSKwxbCQNnp2rV1hBoN94rXvmlqACtSqAZPZF3FE8aYPQKD6v1dpCuU8Y/L1t51eoZ7qzuvU68COYYdBRvO/OWGz8+T1Tm3VZ/h613st617D1qe7gI53M4/DrgkY9M+mTch0xzA6oXBDisPFz1A2EHMk4GSFG2w5p0smvK8ehBN09StwOdF0ELA7qVAsEW6tA2ag/sUWjI3PNvXefS+lid6UjQ/bGEzWxcwt8NtVgeBoZB11jyPJkJcFE/EmiEW9G3bLUFSY9vEMCKlu2Q4ci2uj3Zb3B6Z2jrBO+/YdwLrEquYp++dn7Va2azZqpY7s7bC2rEt+P2p7JvrMEtfWQqpdugP/qy6x+NvBjjE1Iv0u6rV6HnqaLFn++hygH9jbg6lEo13V/db372qSCzIqjJLlKaIjl9Vi5Fw4isf9mtbapgfKEQBHV90x7z08l0WJxa65j3DtYJy+s1c2VNlnKGNiKcNKAdY3qWuEDsiPgRVZY7alabuiLz+nyhH4peJ8h/6zwpwtGc3RBdQ9O+dgEJUtXWREyhv2QEH33+kCufVb+xnzKW0+erfZNhxeVgZU7hNHmB6+6++bJfyUHe+Odj75M/RhV7qtt54DSxx3gtOHp+gyi9pMdoC2xcE5ItTXOtS2dojMHK66RrnsY+c8i6VUtbcfQszv30wceadXTmR2qmlRpp1DtIcUduWDnvsaTSVlIk2kj5Rdx54HKrEJuyaJyLCOGe3vAFa+nD4y5ErxiMfcgRrxVBpjNKtULG9IB6amKsOreDZlCzr689QHHTX9sQ/ac30CwUJvDRWgWsU3Tiz8aNzcKHprRQepMrE1KrfEHLWEPZn7AZYF9eq5/+9zj8Jz/x8+rynk9secqnB2nt/OA0bP3Wa6wXPwuHZGrY22k/uBaNakYmJJlZqIu473Pcu+uor/QdIH3bMzIFn3JV52jiFwpSCsLZNeqcASs7Hfaxe3t2z3ATKIVfdP/6DjBK3pgZ+sXFM1jz/C6uw+4+nJOYx+fIrOYf0walSZmZqlTND5nCo//JP2sjD3NOelSUPHHUJ2Dtwu+rXudIree9Lsz1O9kndvjRI+bXTN/gx7a9hNIply+Y/XSNCVNMwdYLnGemIClCZztxXqHKVbfHq4oD3qZBOgRgkuAx6rG6fX9TfhhBTNVnNUVPT7GzVTDz9MDlq20oRpXUVXOgEyJEul89bdL4YCGFKlkvpAR4fSlZ6v7eLoGoLT+6TTLBkSTWdwH0V+cg2pnfsfo470PA3Ju0vPPThOi1CtebZJ+aIPQ6rekR1EJs8s6+EqeptGnQowu6Heok7U3OCrdlxJ90EC2foj0hCvkwpdXr/6x9srdGXfKfSbmJi+0mKbqJL6FGw/bGUYWxBDZE3JjT7JiXycEE7bgyw0dK7p19m0CIM0UD+CsJWCe7RcqtioKeQDKLkOj6YryKTRADgbbKrZJnx2sdxgznLHiAEkhoJwtq7W+wQhUOyG7vRQbEfi/DqBNDLstTGlzhjMoE0CGo4yBUEIfgS3ia1EXfkiFTO7AzeKyKJI2ifuSLwdHt4hFC7B3zJF+dDSjO1i2XIsMq0fauCtXdnJ8N/9busarSC2rtQ4KyWbI606hLDDAAEGgFTYGgCykjUWYtQ4I3W7Kb8qIDIRs52pbXPzsPiZh7+/efXOv3vPB8s3D4qRauj7j96zjembbCN5lYoAr+o5zsLPuWkmY9fjfCvBjEZPHBL6KXTrgMLeeqLuADwCpIO74VUiafbG4/pRMOPTBc76RQcbqiBTYFlxRKQgtDTWUL52ZzjRXmG7TSl9HeGtwV6P0LaIllIZJC19f/33V6EU3CDZY/OdVKv5EyyHBQY9F+sCu2YnwUYxf3/929XlFXqLbwsm8masd/hY7d5mT8PsDVGc2Jbfxmh3+7bVqE/hksXo6dmuyjFbzlew+dBF+PWWk6sdPWeZl8qXF75Lr8diL4Z8vkN54F4B9Y6L//Z1
w01hjsjHmmTs2w3+EmtCP1B2ox9XDVZ8E9QtXHHvM6SrQIo61uiv2igpVn9bcExuONOG5n997v/2rPmUiSUl4Y+WTNEt5kFFBi945zcIixxpiSbYUtEV00btrGU/p7AosVn7Zv0NDmiIwwhJcErNhaYrhHb1WkSqThfyRp9sMKfCdHJSarz/qAQrqTrT6vZfhigN2dyaZ1jTn9GCmq7hP729Hvr9bP23Mq84hQteYqWtBe9x0eoW6Z3mctV9kvfdMEWxHpn0R5P1byMOHcAL+xKkEG4yaGbw0FS7x9otXNSFG8ShLjMOyOt7YFCX/vagBtcX2GSp6CBgEMYdaKFIZvFRFaehyOh9CKIIoGNBox7ow5hEPpouJofPJ4doaRKa5NrchSY9TOLSpIfJYZo0g51Hmuc9cGhHM+cHVpeckV1kCjigR+zdJ81lLM9+GIay7iUwXE8llqMO2AMYpFh+/9qyMgtZiTwLp2A7DMJ9eQ4dgAPoshMJ75kU+1GBYWzxEHGz3Y5Gg4k5CDJo6bQXk3T0OAYLynGpaZ4ZNnE987ESfwADDxL1QAYXn27wdY+7EQIafsqp1fCzJEg42MfjMhFmuwcGI4hhNVLyCeY7TYvsgQszXLA11L1WHYM8xG1TCetx2G482eYgPrpaJMZJV4sT8CJrrDAxVDFtGInIKT1yTSwy8ZySSlEo9SiVvN3VU7BiK8CwDNrSBYJlmif3sOIHqZQpXn0L+Oin32EBjuIMB7J3m0dm79D/KSScA3oI9yAigUHr93lyO6j0IE/j0YkKxKdKN+RwPGm6KCWgTxepw0SqM47iMe0IYvhWK5Jt1DJbqSHh72c6joAGV7emWvTVQ0DDiiApymnpddLJW5DHSKpgb4b7GYWQKQCdCaETE/YTL1FBda9J2sTTs1ApTHcL93i7nZRBl+Y9zuMu6/tweeba8US2m+tYvAN+nO8AOl1ENt8d1CPWV7IyTKwyJrTBYlQZdi9dFSCjEeQwHvG9OEd6b6qSM3GTmdvYlqIDjMwt6gPeh4VKhYU6Cgu5+COihaR4vyA+vPFR4fY9lxw0Pth36+ItvGTcBKZsBBePb4f41Y8zP+oWUFGXp4fvmaFFKRVWuyw+BntgB3GJu/rh9aCEJxs+0fdeOAx2DwajMeARlu/BDGsd435k99M2yGGHT+0+j/qm9iHuXTf+g+6iAUfcs6ia3WF9yg0czUJdie/xbDmoqA81zF2Bqvt7BWph4T7U4ML+3kVWpT3UIwhfV/TTDVXDoWr3O3PXJGEEeMKkaL1ZcXm+68I6zPbQijPYd+0+KADQI1ZnIqe38dbtg9vHfVEZD68OPiOlJOuowQwL8IhQhgv/ZFyuplx+94gqWbPtoMOP3pZSBbIL51k9z6XO0t01C/6OF66TpbFmJlPjo78HZTppGmtmUA94WBiygmaayKhvHyso6sOcooShtyYNGaBN9nE0qPEA50pCbFyR5B3OJbJuAOdyhGYAa5dUsVErrPsuPgB6+DTiMWXvEI7DIK6oqBE4wrdUcUoXWKdw7ADcI3DYUJUzMtH36B44eLjDdvd7cXBVSvFYscZhADeIAzgZk3ge6JF+B42LktNMr/GLn17Gw8CBRQOwYZUJ8y1WdNy59356k4OKelDD95G7+oRwEOSuITEHrfuzsBCkAoeKIu7lbbEgD6osVlJqg0e9/E5VFcfwwssOc8/vZQkd4OlQKf19mLkPb3LNmIF4c/ANB9mxxnqdcSlvqngxPJAeFjAaAJ5GI+pLcmSMxPmbspya8cyV0xd3UNEAavjIU2SvHJ+wsqQ0j0x46mfQ7l9YElKpyNojwDxKe4yZeu7jgdbSaxw8ePXMjXMIFph2YrptzcK//P8BAAD//9qqIVs=" + return 
"eJzEm8uS47YOhvf9FHiAM7OYU+csvMgDTFWSRSprFk3BEqdpUgGhbvvtU7q4RxfKot1Q4tWMVf7+XxBJgKD6C7zi9QA/Gm9rpBcAtuzwAN/7L+D7n7/9/scLQIHRkK3ZBn+AX14A4PYbOFl0Rfz6AsO/Dt3V9vMFvD7jB/1rpMvHNQC+1niAkkJTj74ldKgjHuCIrEffhzekd7KMB2BqcHQlYe32+TUUjUM4BYJaU7S+vHmJdIF4jS6UX0e/mN/A+CYIdQx+cul2D694fQ9UzK7d8dXf6ISX1DTBezQtQbEu5bR/cmHMTXqISG/WoGr/J+dgoMKEmtT3mtVecfCaH4sFGdX6ocahanUFA0Kms9OiYYLediL8aMZOtp9PEXmvmBSRH4nJxIlsTCZOtmNSU+BgglN2rvMJDzcojKBp9eCsuQpHoIdm3HvEGNuJagv132+SC0aHBVvACLvhYA/5+9qh4WNofKFqbV6RY9KB9Yxll20fcDAA4UThDMZZ9Jxp5XhlFDTS4fJtWP9PBKTNJyPAXSf7xSPHBTpdRywU25XpWWieX9hwMCBhgkyK67p21ugWJDc3UtB0KsfIWKhdTPTsfC9NRJJdIRfEdBkZ3Mrge66KnODSA84butaMgqvhErk12pTRjGWg6y7DDhb0TT+xOe7sKTbHJ3yZSpM2jGQjWyM4UibhWhFZSaemIVTveFQ1hctV3fKrcAHcycA7HqGT+Ui524VfjUhqj6zfgrNTf+8iNGRQ6aIgjCtJpn7GRMeFOXfTSB2IBVPuyMqEvO6jwMjW92NbPCoj+AOhGVvaIT5jU9tBqkJk2Ty0IKZnNRn1RidV0jzwn9s6LqBJ9XarJq6egqYLQXOu11evp558i8xZqSiYtRnw7KawBQJXmqFEj6TbMogrhDPGqMvNgvBIe2zdW27+vt3U6k27RvB5PKLvQmmNdipeI+NZeN88wKGH5/UOTla8gTFQM/QpNGx9qayPrL0R9DCQYUFO+5Dv4mR2b5raWf+q+CK9U+zBwBeYgu+5oL1cUJaLcPwhuEMiB7XmauPGyclKFuGs7cZ2cJgfcsIn6xhpwU2Ky+9DBvW87UdrUHaiLYhJXcZzHUjTVck7uMNOepFV39ZDokBqnqI/LZzG3nFgQiEuP2Gmqw4j3IEy2w2fW/tcNKdOiXd15RN6fxqQMc9EK7vteoqwxu7QrvGCe6ueClNqenQ5XNnUPXlQ2wlPqUnhYd4Jl9IDNSPwXFEb+IhvSJYF00kPhgV4ZUvxs5slO+bHLaztYa+ZtXmVttBBM9StL/AipzvF3Rt9ogNPl5tppA6mEj3MaIEZRxn98Y9yoVxr+X3iVKndtm02/PBSB+J/S70oQlT7zbUW/+CEG72lUVlWtHz0n4jM6DWNyjJM4OnF0J5RRRNEc589I0yZa5FgvPA+YWjJmTG4+eiaKzu66fiPPBfh2qB7LhmVQaddI9kgOGc78Rl0+2nIDcrJQ8hzILtU3Axk9JYah3jUcY/GTsfN8PCGVFjDwwGJnIeBCzPuXQ++OR8Xw+0TQ/HmYcZNeuiajLt0HjCz7xD1uXaoYqW//e//cg56LMyw6ZJJu3dNqKw/BcG6qafChJqej937M2px9vXckVhPG/8svQii1361bHmy29IiN0uWdqWMrM/p2328VFzy0rKV4J1uNC8ja24Ez3dmvFVNyYN43szh3dpR6VgpF8JrI3eG160eLRhm4HUbopkk84yk7zepAllbuYZST4UZNf3I93h7Jf+FlRNiIRx4xCIj8MGYhoSrx46ZVT1Kvno+nAe2O72PBo8u/wPvlTUVNN7+1aC7gi3Qsz1ZjOMz3Z9/s/DydwAAAP//Z0sHxg==" } 
diff --git a/x-pack/filebeat/module/juniper/junos/_meta/fields.yml b/x-pack/filebeat/module/juniper/junos/_meta/fields.yml
deleted file mode 100644
index 08a34153c4f..00000000000
--- a/x-pack/filebeat/module/juniper/junos/_meta/fields.yml
+++ /dev/null
@@ -1,2635 +0,0 @@ -- name: network.interface.name - overwrite: true - type: keyword - description: > - Name of the network interface where the traffic has been observed. -- name: rsa - overwrite: true - type: group - fields: - - name: internal - overwrite: true - type: group - fields: - - name: msg - overwrite: true - type: keyword - description: This key is used to capture the raw message that comes into the - Log Decoder - - name: messageid - overwrite: true - type: keyword - - name: event_desc - overwrite: true - type: keyword - - name: message - overwrite: true - type: keyword - description: This key captures the contents of instant messages - - name: time - overwrite: true - type: date - description: This is the time at which a session hits a NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness. - - name: level - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: msg_id - overwrite: true - type: keyword - description: This is the Message ID1 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: msg_vid - overwrite: true - type: keyword - description: This is the Message ID2 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: data - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: resource - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: statement - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: entry - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: inode - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: resource_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: dead - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - overwrite: true - type: keyword - description: This is used to capture the description of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: feed_name - overwrite: true - type: keyword - description: This is used to capture the name of the feed. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: cid - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_class - overwrite: true - type: keyword - description: This is the Classification of the Log Event Source under a predefined - fixed set of Event Source Classifications. 
This key should never be used to - parse Meta data from a session (Logs/Packets) Directly, this is a Reserved - key in NetWitness - - name: device_group - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - overwrite: true - type: keyword - description: This is the Hostname of the log Event Source sending the logs to - NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - overwrite: true - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - overwrite: true - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - overwrite: true - type: keyword - description: This is the name of the log parser which parsed a given session. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_type_id - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: did - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. 
- This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: entropy_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: entropy_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: event_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - overwrite: true - type: keyword - description: This is used to capture the category of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: forward_ip - overwrite: true - type: ip - description: This key should be used to capture the IPV4 address of a relay - system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - overwrite: true - type: ip - description: This key is used to capture the IPV6 address of a relay system - which forwarded the events from the original system to NetWitness. This key - should never be used to parse Meta data from a session (Logs/Packets) Directly, - this is a Reserved key in NetWitness - - name: header_id - overwrite: true - type: keyword - description: This is the Header ID value that identifies the exact log parser - header definition that parses a particular log session. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: lc_cid - overwrite: true - type: keyword - description: This is a unique Identifier of a Log Collector. 
This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: lc_ctime - overwrite: true - type: date - description: This is the time at which a log is collected in a NetWitness Log - Collector. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: mcbc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: medium - overwrite: true - type: long - description: "This key is used to identify if it\u2019s a log/packet session\ - \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ - \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ - \ 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: nwe_callback_id - overwrite: true - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - overwrite: true - type: keyword - description: This is a special key that stores any Meta key validation error - found while parsing a log session. This key should never be used to parse - Meta data from a session (Logs/Packets) Directly, this is a Reserved key in - NetWitness - - name: payload_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: payload_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: process_vid_dst - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the target process. - - name: process_vid_src - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the source process. - - name: rid - overwrite: true - type: long - description: This is a special ID of the Remote Session created by NetWitness - Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: session_split - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: size - overwrite: true - type: long - description: This is the size of the session as seen by the NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: sourcefile - overwrite: true - type: keyword - description: This is the name of the log file or PCAPs that can be imported - into NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: ubc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: word - overwrite: true - type: keyword - description: This is used by the Word Parsing technology to capture the first - 5 character of every word in an unparsed log - - name: time - overwrite: true - type: group - fields: - - name: event_time - overwrite: true - type: date - description: This key is used to capture the time mentioned in a raw session - that represents the actual time an event occured in a standard normalized - form - - name: duration_time - overwrite: true - type: double - description: This key is used to capture the normalized duration/lifetime in - seconds. 
- - name: event_time_str - overwrite: true - type: keyword - description: This key is used to capture the incomplete time mentioned in a - session as a string - - name: starttime - overwrite: true - type: date - description: This key is used to capture the Start time mentioned in a session - in a standard form - - name: month - overwrite: true - type: keyword - - name: day - overwrite: true - type: keyword - - name: endtime - overwrite: true - type: date - description: This key is used to capture the End time mentioned in a session - in a standard form - - name: timezone - overwrite: true - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - overwrite: true - type: keyword - description: A text string version of the duration - - name: date - overwrite: true - type: keyword - - name: year - overwrite: true - type: keyword - - name: recorded_time - overwrite: true - type: date - description: The event time as recorded by the system the event is collected - from. The usage scenario is a multi-tier application where the management - layer of the system records it's own timestamp at the time of collection from - its child nodes. Must be in timestamp format. - - name: datetime - overwrite: true - type: keyword - - name: effective_time - overwrite: true - type: date - description: This key is the effective time referenced by an individual event - in a Standard Timestamp format - - name: expire_time - overwrite: true - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - overwrite: true - type: keyword - description: Deprecated, use duration.time - - name: hour - overwrite: true - type: keyword - - name: min - overwrite: true - type: keyword - - name: timestamp - overwrite: true - type: keyword - - name: event_queue_time - overwrite: true - type: date - description: This key is the Time that the event was queued. 
- - name: p_time1 - overwrite: true - type: keyword - - name: tzone - overwrite: true - type: keyword - - name: eventtime - overwrite: true - type: keyword - - name: gmtdate - overwrite: true - type: keyword - - name: gmttime - overwrite: true - type: keyword - - name: p_date - overwrite: true - type: keyword - - name: p_month - overwrite: true - type: keyword - - name: p_time - overwrite: true - type: keyword - - name: p_time2 - overwrite: true - type: keyword - - name: p_year - overwrite: true - type: keyword - - name: expire_time_str - overwrite: true - type: keyword - description: This key is used to capture incomplete timestamp that explicitly - refers to an expiration. - - name: stamp - overwrite: true - type: date - description: Deprecated key defined only in table map. - - name: misc - overwrite: true - type: group - fields: - - name: action - overwrite: true - type: keyword - - name: result - overwrite: true - type: keyword - description: This key is used to capture the outcome/result string value of - an action in a session. - - name: severity - overwrite: true - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - overwrite: true - type: keyword - description: This key captures the event category type as specified by the event - source. - - name: reference_id - overwrite: true - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - overwrite: true - type: keyword - description: This key captures Version of the application or OS which is generating - the event. - - name: disposition - overwrite: true - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - overwrite: true - type: keyword - description: This key is used to capture the outcome/result numeric value of - an action in a session - - name: category - overwrite: true - type: keyword - description: This key is used to capture the category of an event given by the - vendor in the session - - name: obj_name - overwrite: true - type: keyword - description: This is used to capture name of object - - name: obj_type - overwrite: true - type: keyword - description: This is used to capture type of object - - name: event_source - overwrite: true - type: keyword - description: "This key captures Source of the event that\u2019s not a hostname" - - name: log_session_id - overwrite: true - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - overwrite: true - type: keyword - description: This key captures the Group Name value - - name: policy_name - overwrite: true - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - overwrite: true - type: keyword - description: This key captures the Rule Name - - name: context - overwrite: true - type: keyword - description: This key captures Information which adds additional context to - the event. - - name: change_new - overwrite: true - type: keyword - description: "This key is used to capture the new values of the attribute that\u2019\ - s changing in a session" - - name: space - overwrite: true - type: keyword - - name: client - overwrite: true - type: keyword - description: This key is used to capture only the name of the client application - requesting resources of the server. See the user.agent meta key for capture - of the specific user agent identifier or browser identification string. 
- - name: msgIdPart1 - overwrite: true - type: keyword - - name: msgIdPart2 - overwrite: true - type: keyword - - name: change_old - overwrite: true - type: keyword - description: "This key is used to capture the old value of the attribute that\u2019\ - s changing in a session" - - name: operation_id - overwrite: true - type: keyword - description: An alert number or operation number. The values should be unique - and non-repeating. - - name: event_state - overwrite: true - type: keyword - description: This key captures the current state of the object/item referenced - within the event. Describing an on-going event. - - name: group_object - overwrite: true - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - overwrite: true - type: keyword - description: Common use case is the node name within a cluster. The cluster - name is reflected by the host name. - - name: rule - overwrite: true - type: keyword - description: This key captures the Rule number - - name: device_name - overwrite: true - type: keyword - description: 'This is used to capture name of the Device associated with the - node Like: a physical disk, printer, etc' - - name: param - overwrite: true - type: keyword - description: This key is the parameters passed as part of a command or application, - etc. - - name: change_attrib - overwrite: true - type: keyword - description: "This key is used to capture the name of the attribute that\u2019\ - s changing in a session" - - name: event_computer - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - fully qualified domain name in a windows log. 
- - name: reference_id1 - overwrite: true - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - overwrite: true - type: keyword - description: This key captures the Name of the event log - - name: OS - overwrite: true - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - overwrite: true - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - overwrite: true - type: keyword - - name: filter - overwrite: true - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - overwrite: true - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the entity - such as a file or process. Checksum should be used over checksum.src or checksum.dst - when it is unclear whether the entity is a source or target of an action. - - name: event_user - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - combination of domain name and username in a windows log. - - name: virusname - overwrite: true - type: keyword - description: This key captures the name of the virus - - name: content_type - overwrite: true - type: keyword - description: This key is used to capture Content Type only. 
- - name: group_id - overwrite: true - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - overwrite: true - type: keyword - description: This key is used to capture the Policy ID only, this should be - a numeric value, use policy.name otherwise - - name: vsys - overwrite: true - type: keyword - description: This key captures Virtual System Name - - name: connection_id - overwrite: true - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - overwrite: true - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" - or "reference.id1" value but should not be used unless the other two variables - are in play. - - name: sensor - overwrite: true - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS - based devices - - name: sig_id - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - overwrite: true - type: keyword - description: 'This key is used for Physical or logical port connection but does - NOT include a network port. (Example: Printer port name).' - - name: rule_group - overwrite: true - type: keyword - description: This key captures the Rule group name - - name: risk_num - overwrite: true - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - overwrite: true - type: keyword - description: This key captures the Value of the trigger or threshold condition. - - name: log_session_id1 - overwrite: true - type: keyword - description: This key is used to capture a Linked (Related) Session ID from - the session directly - - name: comp_version - overwrite: true - type: keyword - description: This key captures the Version level of a sub-component of a product. 
- - name: content_version - overwrite: true - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - overwrite: true - type: keyword - description: This key is used to capture unique identifier for a device or system - (NOT a Mac address) - - name: risk - overwrite: true - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - overwrite: true - type: keyword - - name: reason - overwrite: true - type: keyword - - name: status - overwrite: true - type: keyword - - name: mail_id - overwrite: true - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - overwrite: true - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - overwrite: true - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - overwrite: true - type: keyword - - name: p_msgid - overwrite: true - type: keyword - - name: data_type - overwrite: true - type: keyword - - name: msgIdPart4 - overwrite: true - type: keyword - - name: error - overwrite: true - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - overwrite: true - type: keyword - - name: listnum - overwrite: true - type: keyword - description: This key is used to capture listname or listnumber, primarily for - collecting access-list - - name: ntype - overwrite: true - type: keyword - - name: observed_val - overwrite: true - type: keyword - description: This key captures the Value observed (from the perspective of the - device generating the log). - - name: policy_value - overwrite: true - type: keyword - description: This key captures the contents of the policy. 
This contains details - about the policy - - name: pool_name - overwrite: true - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - overwrite: true - type: keyword - description: A default set of parameters which are overlayed onto a rule (or - rulename) which efffectively constitutes a template - - name: count - overwrite: true - type: keyword - - name: number - overwrite: true - type: keyword - - name: sigcat - overwrite: true - type: keyword - - name: type - overwrite: true - type: keyword - - name: comments - overwrite: true - type: keyword - description: Comment information provided in the log message - - name: doc_number - overwrite: true - type: long - description: This key captures File Identification number - - name: expected_val - overwrite: true - type: keyword - description: This key captures the Value expected (from the perspective of the - device generating the log). - - name: job_num - overwrite: true - type: keyword - description: This key captures the Job Number - - name: spi_dst - overwrite: true - type: keyword - description: Destination SPI Index - - name: spi_src - overwrite: true - type: keyword - description: Source SPI Index - - name: code - overwrite: true - type: keyword - - name: agent_id - overwrite: true - type: keyword - description: This key is used to capture agent id - - name: message_body - overwrite: true - type: keyword - description: This key captures the The contents of the message body. - - name: phone - overwrite: true - type: keyword - - name: sig_id_str - overwrite: true - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - overwrite: true - type: keyword - - name: misc - overwrite: true - type: keyword - - name: name - overwrite: true - type: keyword - - name: cpu - overwrite: true - type: long - description: This key is the CPU time used in the execution of the event being - recorded. 
- - name: event_desc - overwrite: true - type: keyword - description: This key is used to capture a description of an event available - directly or inferred - - name: sig_id1 - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID. This must be linked - to the sig.id - - name: im_buddyid - overwrite: true - type: keyword - - name: im_client - overwrite: true - type: keyword - - name: im_userid - overwrite: true - type: keyword - - name: pid - overwrite: true - type: keyword - - name: priority - overwrite: true - type: keyword - - name: context_subject - overwrite: true - type: keyword - description: This key is to be used in an audit context where the subject is - the object being identified - - name: context_target - overwrite: true - type: keyword - - name: cve - overwrite: true - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - - an identifier for known information security vulnerabilities. - - name: fcatnum - overwrite: true - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - overwrite: true - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - overwrite: true - type: keyword - description: This key captures the Parent Node Name. Must be related to node - variable. - - name: risk_info - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - overwrite: true - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - overwrite: true - type: long - description: This key describes the type of service - - name: vm_target - overwrite: true - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - overwrite: true - type: keyword - description: This key captures Workspace Description - - name: command - overwrite: true - type: keyword - - name: event_category - overwrite: true - type: keyword - - name: facilityname - overwrite: true - type: keyword - - name: forensic_info - overwrite: true - type: keyword - - name: jobname - overwrite: true - type: keyword - - name: mode - overwrite: true - type: keyword - - name: policy - overwrite: true - type: keyword - - name: policy_waiver - overwrite: true - type: keyword - - name: second - overwrite: true - type: keyword - - name: space1 - overwrite: true - type: keyword - - name: subcategory - overwrite: true - type: keyword - - name: tbdstr2 - overwrite: true - type: keyword - - name: alert_id - overwrite: true - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the the target - entity such as a process or file. - - name: checksum_src - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the source - entity such as a file or process. 
- - name: fresult - overwrite: true - type: long - description: This key captures the Filter Result - - name: payload_dst - overwrite: true - type: keyword - description: This key is used to capture destination payload - - name: payload_src - overwrite: true - type: keyword - description: This key is used to capture source payload - - name: pool_id - overwrite: true - type: keyword - description: This key captures the identifier (typically numeric field) of a - resource pool - - name: process_id_val - overwrite: true - type: keyword - description: This key is a failure key for Process ID when it is not an integer - value - - name: risk_num_comm - overwrite: true - type: double - description: This key captures Risk Number Community - - name: risk_num_next - overwrite: true - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - overwrite: true - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - overwrite: true - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - overwrite: true - type: keyword - description: SNMP Object Identifier - - name: sql - overwrite: true - type: keyword - description: This key captures the SQL query - - name: vuln_ref - overwrite: true - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - overwrite: true - type: keyword - - name: acl_op - overwrite: true - type: keyword - - name: acl_pos - overwrite: true - type: keyword - - name: acl_table - overwrite: true - type: keyword - - name: admin - overwrite: true - type: keyword - - name: alarm_id - overwrite: true - type: keyword - - name: alarmname - 
overwrite: true - type: keyword - - name: app_id - overwrite: true - type: keyword - - name: audit - overwrite: true - type: keyword - - name: audit_object - overwrite: true - type: keyword - - name: auditdata - overwrite: true - type: keyword - - name: benchmark - overwrite: true - type: keyword - - name: bypass - overwrite: true - type: keyword - - name: cache - overwrite: true - type: keyword - - name: cache_hit - overwrite: true - type: keyword - - name: cefversion - overwrite: true - type: keyword - - name: cfg_attr - overwrite: true - type: keyword - - name: cfg_obj - overwrite: true - type: keyword - - name: cfg_path - overwrite: true - type: keyword - - name: changes - overwrite: true - type: keyword - - name: client_ip - overwrite: true - type: keyword - - name: clustermembers - overwrite: true - type: keyword - - name: cn_acttimeout - overwrite: true - type: keyword - - name: cn_asn_src - overwrite: true - type: keyword - - name: cn_bgpv4nxthop - overwrite: true - type: keyword - - name: cn_ctr_dst_code - overwrite: true - type: keyword - - name: cn_dst_tos - overwrite: true - type: keyword - - name: cn_dst_vlan - overwrite: true - type: keyword - - name: cn_engine_id - overwrite: true - type: keyword - - name: cn_engine_type - overwrite: true - type: keyword - - name: cn_f_switch - overwrite: true - type: keyword - - name: cn_flowsampid - overwrite: true - type: keyword - - name: cn_flowsampintv - overwrite: true - type: keyword - - name: cn_flowsampmode - overwrite: true - type: keyword - - name: cn_inacttimeout - overwrite: true - type: keyword - - name: cn_inpermbyts - overwrite: true - type: keyword - - name: cn_inpermpckts - overwrite: true - type: keyword - - name: cn_invalid - overwrite: true - type: keyword - - name: cn_ip_proto_ver - overwrite: true - type: keyword - - name: cn_ipv4_ident - overwrite: true - type: keyword - - name: cn_l_switch - overwrite: true - type: keyword - - name: cn_log_did - overwrite: true - type: keyword - - name: 
cn_log_rid - overwrite: true - type: keyword - - name: cn_max_ttl - overwrite: true - type: keyword - - name: cn_maxpcktlen - overwrite: true - type: keyword - - name: cn_min_ttl - overwrite: true - type: keyword - - name: cn_minpcktlen - overwrite: true - type: keyword - - name: cn_mpls_lbl_1 - overwrite: true - type: keyword - - name: cn_mpls_lbl_10 - overwrite: true - type: keyword - - name: cn_mpls_lbl_2 - overwrite: true - type: keyword - - name: cn_mpls_lbl_3 - overwrite: true - type: keyword - - name: cn_mpls_lbl_4 - overwrite: true - type: keyword - - name: cn_mpls_lbl_5 - overwrite: true - type: keyword - - name: cn_mpls_lbl_6 - overwrite: true - type: keyword - - name: cn_mpls_lbl_7 - overwrite: true - type: keyword - - name: cn_mpls_lbl_8 - overwrite: true - type: keyword - - name: cn_mpls_lbl_9 - overwrite: true - type: keyword - - name: cn_mplstoplabel - overwrite: true - type: keyword - - name: cn_mplstoplabip - overwrite: true - type: keyword - - name: cn_mul_dst_byt - overwrite: true - type: keyword - - name: cn_mul_dst_pks - overwrite: true - type: keyword - - name: cn_muligmptype - overwrite: true - type: keyword - - name: cn_sampalgo - overwrite: true - type: keyword - - name: cn_sampint - overwrite: true - type: keyword - - name: cn_seqctr - overwrite: true - type: keyword - - name: cn_spackets - overwrite: true - type: keyword - - name: cn_src_tos - overwrite: true - type: keyword - - name: cn_src_vlan - overwrite: true - type: keyword - - name: cn_sysuptime - overwrite: true - type: keyword - - name: cn_template_id - overwrite: true - type: keyword - - name: cn_totbytsexp - overwrite: true - type: keyword - - name: cn_totflowexp - overwrite: true - type: keyword - - name: cn_totpcktsexp - overwrite: true - type: keyword - - name: cn_unixnanosecs - overwrite: true - type: keyword - - name: cn_v6flowlabel - overwrite: true - type: keyword - - name: cn_v6optheaders - overwrite: true - type: keyword - - name: comp_class - overwrite: true - type: 
keyword - - name: comp_name - overwrite: true - type: keyword - - name: comp_rbytes - overwrite: true - type: keyword - - name: comp_sbytes - overwrite: true - type: keyword - - name: cpu_data - overwrite: true - type: keyword - - name: criticality - overwrite: true - type: keyword - - name: cs_agency_dst - overwrite: true - type: keyword - - name: cs_analyzedby - overwrite: true - type: keyword - - name: cs_av_other - overwrite: true - type: keyword - - name: cs_av_primary - overwrite: true - type: keyword - - name: cs_av_secondary - overwrite: true - type: keyword - - name: cs_bgpv6nxthop - overwrite: true - type: keyword - - name: cs_bit9status - overwrite: true - type: keyword - - name: cs_context - overwrite: true - type: keyword - - name: cs_control - overwrite: true - type: keyword - - name: cs_data - overwrite: true - type: keyword - - name: cs_datecret - overwrite: true - type: keyword - - name: cs_dst_tld - overwrite: true - type: keyword - - name: cs_eth_dst_ven - overwrite: true - type: keyword - - name: cs_eth_src_ven - overwrite: true - type: keyword - - name: cs_event_uuid - overwrite: true - type: keyword - - name: cs_filetype - overwrite: true - type: keyword - - name: cs_fld - overwrite: true - type: keyword - - name: cs_if_desc - overwrite: true - type: keyword - - name: cs_if_name - overwrite: true - type: keyword - - name: cs_ip_next_hop - overwrite: true - type: keyword - - name: cs_ipv4dstpre - overwrite: true - type: keyword - - name: cs_ipv4srcpre - overwrite: true - type: keyword - - name: cs_lifetime - overwrite: true - type: keyword - - name: cs_log_medium - overwrite: true - type: keyword - - name: cs_loginname - overwrite: true - type: keyword - - name: cs_modulescore - overwrite: true - type: keyword - - name: cs_modulesign - overwrite: true - type: keyword - - name: cs_opswatresult - overwrite: true - type: keyword - - name: cs_payload - overwrite: true - type: keyword - - name: cs_registrant - overwrite: true - type: keyword - - 
name: cs_registrar - overwrite: true - type: keyword - - name: cs_represult - overwrite: true - type: keyword - - name: cs_rpayload - overwrite: true - type: keyword - - name: cs_sampler_name - overwrite: true - type: keyword - - name: cs_sourcemodule - overwrite: true - type: keyword - - name: cs_streams - overwrite: true - type: keyword - - name: cs_targetmodule - overwrite: true - type: keyword - - name: cs_v6nxthop - overwrite: true - type: keyword - - name: cs_whois_server - overwrite: true - type: keyword - - name: cs_yararesult - overwrite: true - type: keyword - - name: description - overwrite: true - type: keyword - - name: devvendor - overwrite: true - type: keyword - - name: distance - overwrite: true - type: keyword - - name: dstburb - overwrite: true - type: keyword - - name: edomain - overwrite: true - type: keyword - - name: edomaub - overwrite: true - type: keyword - - name: euid - overwrite: true - type: keyword - - name: facility - overwrite: true - type: keyword - - name: finterface - overwrite: true - type: keyword - - name: flags - overwrite: true - type: keyword - - name: gaddr - overwrite: true - type: keyword - - name: id3 - overwrite: true - type: keyword - - name: im_buddyname - overwrite: true - type: keyword - - name: im_croomid - overwrite: true - type: keyword - - name: im_croomtype - overwrite: true - type: keyword - - name: im_members - overwrite: true - type: keyword - - name: im_username - overwrite: true - type: keyword - - name: ipkt - overwrite: true - type: keyword - - name: ipscat - overwrite: true - type: keyword - - name: ipspri - overwrite: true - type: keyword - - name: latitude - overwrite: true - type: keyword - - name: linenum - overwrite: true - type: keyword - - name: list_name - overwrite: true - type: keyword - - name: load_data - overwrite: true - type: keyword - - name: location_floor - overwrite: true - type: keyword - - name: location_mark - overwrite: true - type: keyword - - name: log_id - overwrite: true - 
type: keyword - - name: log_type - overwrite: true - type: keyword - - name: logid - overwrite: true - type: keyword - - name: logip - overwrite: true - type: keyword - - name: logname - overwrite: true - type: keyword - - name: longitude - overwrite: true - type: keyword - - name: lport - overwrite: true - type: keyword - - name: mbug_data - overwrite: true - type: keyword - - name: misc_name - overwrite: true - type: keyword - - name: msg_type - overwrite: true - type: keyword - - name: msgid - overwrite: true - type: keyword - - name: netsessid - overwrite: true - type: keyword - - name: num - overwrite: true - type: keyword - - name: number1 - overwrite: true - type: keyword - - name: number2 - overwrite: true - type: keyword - - name: nwwn - overwrite: true - type: keyword - - name: object - overwrite: true - type: keyword - - name: operation - overwrite: true - type: keyword - - name: opkt - overwrite: true - type: keyword - - name: orig_from - overwrite: true - type: keyword - - name: owner_id - overwrite: true - type: keyword - - name: p_action - overwrite: true - type: keyword - - name: p_filter - overwrite: true - type: keyword - - name: p_group_object - overwrite: true - type: keyword - - name: p_id - overwrite: true - type: keyword - - name: p_msgid1 - overwrite: true - type: keyword - - name: p_msgid2 - overwrite: true - type: keyword - - name: p_result1 - overwrite: true - type: keyword - - name: password_chg - overwrite: true - type: keyword - - name: password_expire - overwrite: true - type: keyword - - name: permgranted - overwrite: true - type: keyword - - name: permwanted - overwrite: true - type: keyword - - name: pgid - overwrite: true - type: keyword - - name: policyUUID - overwrite: true - type: keyword - - name: prog_asp_num - overwrite: true - type: keyword - - name: program - overwrite: true - type: keyword - - name: real_data - overwrite: true - type: keyword - - name: rec_asp_device - overwrite: true - type: keyword - - name: rec_asp_num 
- overwrite: true - type: keyword - - name: rec_library - overwrite: true - type: keyword - - name: recordnum - overwrite: true - type: keyword - - name: ruid - overwrite: true - type: keyword - - name: sburb - overwrite: true - type: keyword - - name: sdomain_fld - overwrite: true - type: keyword - - name: sec - overwrite: true - type: keyword - - name: sensorname - overwrite: true - type: keyword - - name: seqnum - overwrite: true - type: keyword - - name: session - overwrite: true - type: keyword - - name: sessiontype - overwrite: true - type: keyword - - name: sigUUID - overwrite: true - type: keyword - - name: spi - overwrite: true - type: keyword - - name: srcburb - overwrite: true - type: keyword - - name: srcdom - overwrite: true - type: keyword - - name: srcservice - overwrite: true - type: keyword - - name: state - overwrite: true - type: keyword - - name: status1 - overwrite: true - type: keyword - - name: svcno - overwrite: true - type: keyword - - name: system - overwrite: true - type: keyword - - name: tbdstr1 - overwrite: true - type: keyword - - name: tgtdom - overwrite: true - type: keyword - - name: tgtdomain - overwrite: true - type: keyword - - name: threshold - overwrite: true - type: keyword - - name: type1 - overwrite: true - type: keyword - - name: udb_class - overwrite: true - type: keyword - - name: url_fld - overwrite: true - type: keyword - - name: user_div - overwrite: true - type: keyword - - name: userid - overwrite: true - type: keyword - - name: username_fld - overwrite: true - type: keyword - - name: utcstamp - overwrite: true - type: keyword - - name: v_instafname - overwrite: true - type: keyword - - name: virt_data - overwrite: true - type: keyword - - name: vpnid - overwrite: true - type: keyword - - name: autorun_type - overwrite: true - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - overwrite: true - type: long - description: Valid Credit Card Numbers only - - name: content - 
overwrite: true - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - overwrite: true - type: long - description: Employee Identification Numbers only - - name: found - overwrite: true - type: keyword - description: This is used to capture the results of regex match - - name: language - overwrite: true - type: keyword - description: This is used to capture list of languages the client support and - what it prefers - - name: lifetime - overwrite: true - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - overwrite: true - type: keyword - description: This key is used to link the sessions together. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: match - overwrite: true - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - overwrite: true - type: keyword - description: This key captures the command line/launch argument of the target - process or file - - name: param_src - overwrite: true - type: keyword - description: This key captures source parameter - - name: search_text - overwrite: true - type: keyword - description: This key captures the Search Text used - - name: sig_name - overwrite: true - type: keyword - description: This key is used to capture the Signature Name only. - - name: snmp_value - overwrite: true - type: keyword - description: SNMP set request value - - name: streams - overwrite: true - type: long - description: This key captures number of streams in session - - name: db - overwrite: true - type: group - fields: - - name: index - overwrite: true - type: keyword - description: This key captures IndexID of the index. 
- - name: instance - overwrite: true - type: keyword - description: This key is used to capture the database server instance name - - name: database - overwrite: true - type: keyword - description: This key is used to capture the name of a database or an instance - as seen in a session - - name: transact_id - overwrite: true - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - overwrite: true - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - overwrite: true - type: keyword - description: This key is used to capture the table name - - name: db_id - overwrite: true - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - overwrite: true - type: long - description: This key captures the process id of a connection with database - server - - name: lread - overwrite: true - type: long - description: This key is used for the number of logical reads - - name: lwrite - overwrite: true - type: long - description: This key is used for the number of logical writes - - name: pread - overwrite: true - type: long - description: This key is used for the number of physical writes - - name: network - overwrite: true - type: group - fields: - - name: alias_host - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a hostname is not clear.Also it captures the Device Hostname. Any Hostname - that isnt ad.computer. 
- - name: domain - overwrite: true - type: keyword - - name: host_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Hostname" - - name: network_service - overwrite: true - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of an interface is not clear - - name: network_port - overwrite: true - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently - used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - overwrite: true - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Interface" - - name: dinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Interface" - - name: vlan - overwrite: true - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Zone." - - name: zone - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a Zone is not clear - - name: zone_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Zone." - - name: gateway - overwrite: true - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - overwrite: true - type: long - description: This key is used to capture the ICMP type only - - name: mask - overwrite: true - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - overwrite: true - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - overwrite: true - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - overwrite: true - type: keyword - description: This key is used for Destionation Device network mask - - name: port - overwrite: true - type: long - description: This key should only be used to capture a Network Port when the - directionality is not clear - - name: smask - overwrite: true - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - overwrite: true - type: keyword - description: This key is used to capture the network name associated with an - IP range. This is configured by the end user. - - name: paddr - overwrite: true - type: ip - description: Deprecated - - name: faddr - overwrite: true - type: keyword - - name: lhost - overwrite: true - type: keyword - - name: origin - overwrite: true - type: keyword - - name: remote_domain_id - overwrite: true - type: keyword - - name: addr - overwrite: true - type: keyword - - name: dns_a_record - overwrite: true - type: keyword - - name: dns_ptr_record - overwrite: true - type: keyword - - name: fhost - overwrite: true - type: keyword - - name: fport - overwrite: true - type: keyword - - name: laddr - overwrite: true - type: keyword - - name: linterface - overwrite: true - type: keyword - - name: phost - overwrite: true - type: keyword - - name: ad_computer_dst - overwrite: true - type: keyword - description: Deprecated, use host.dst - - name: eth_type - overwrite: true - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols - Only - - name: ip_proto - overwrite: true - type: long - description: This key should be used to capture the Protocol number, all the - protocol nubers are converted into string in UI - - name: dns_cname_record - overwrite: true - 
type: keyword - - name: dns_id - overwrite: true - type: keyword - - name: dns_opcode - overwrite: true - type: keyword - - name: dns_resp - overwrite: true - type: keyword - - name: dns_type - overwrite: true - type: keyword - - name: domain1 - overwrite: true - type: keyword - - name: host_type - overwrite: true - type: keyword - - name: packet_length - overwrite: true - type: keyword - - name: host_orig - overwrite: true - type: keyword - description: This is used to capture the original hostname in case of a Forwarding - Agent or a Proxy in between. - - name: rpayload - overwrite: true - type: keyword - description: This key is used to capture the total number of payload bytes seen - in the retransmitted packets. - - name: vlan_name - overwrite: true - type: keyword - description: This key should only be used to capture the name of the Virtual - LAN - - name: investigations - overwrite: true - type: group - fields: - - name: ec_activity - overwrite: true - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - overwrite: true - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - overwrite: true - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - overwrite: true - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - overwrite: true - type: long - description: This key captures the Event category number - - name: event_cat_name - overwrite: true - type: keyword - description: This key captures the event category name corresponding to the - event cat code - - name: event_vcat - overwrite: true - type: keyword - description: This is a vendor supplied category. This should be used in situations - where the vendor has adopted their own event_category taxonomy. 
- - name: analysis_file - overwrite: true - type: keyword - description: This is used to capture all indicators used in a File Analysis. - This key should be used to capture an analysis of a file - - name: analysis_service - overwrite: true - type: keyword - description: This is used to capture all indicators used in a Service Analysis. - This key should be used to capture an analysis of a service - - name: analysis_session - overwrite: true - type: keyword - description: This is used to capture all indicators used for a Session Analysis. - This key should be used to capture an analysis of a session - - name: boc - overwrite: true - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - overwrite: true - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - overwrite: true - type: keyword - description: This used to capture investigation category - - name: inv_context - overwrite: true - type: keyword - description: This used to capture investigation context - - name: ioc - overwrite: true - type: keyword - description: This is key capture indicator of compromise - - name: counters - overwrite: true - type: group - fields: - - name: dclass_c1 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c1.str only - - name: dclass_c2 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c2.str only - - name: event_counter - overwrite: true - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r1.str only - - name: dclass_c3 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c3.str only - - name: dclass_c1_str - 
overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c1 only - - name: dclass_c2_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c2 only - - name: dclass_r1_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r1 only - - name: dclass_r2 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r2.str only - - name: dclass_c3_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c3 only - - name: dclass_r3 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r3.str only - - name: dclass_r2_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r2 only - - name: dclass_r3_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r3 only - - name: identity - overwrite: true - type: group - fields: - - name: auth_method - overwrite: true - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - overwrite: true - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - overwrite: true - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - overwrite: true - type: keyword - description: This key is used to capture the type of logon method used. 
- - name: profile - overwrite: true - type: keyword - description: This key is used to capture the user profile - - name: accesses - overwrite: true - type: keyword - description: This key is used to capture actual privileges used in accessing - an object - - name: realm - overwrite: true - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - overwrite: true - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that - indicates a Source dn - - name: org - overwrite: true - type: keyword - description: This key captures the User organization - - name: dn_dst - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that - indicates a Destination dn - - name: firstname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: lastname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: user_dept - overwrite: true - type: keyword - description: User's Department Names only - - name: user_sid_src - overwrite: true - type: keyword - description: This key captures Source User Session ID - - name: federated_sp - overwrite: true - type: keyword - description: This key is the Federated Service Provider. This is the application - requesting authentication. - - name: federated_idp - overwrite: true - type: keyword - description: This key is the federated Identity Provider. This is the server - providing the authentication. - - name: logon_type_desc - overwrite: true - type: keyword - description: This key is used to capture the textual description of an integer - logon type as stored in the meta key 'logon.type'. 
- - name: middlename - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: password - overwrite: true - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - overwrite: true - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - overwrite: true - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ - t have a clear query or response context" - - name: ldap_query - overwrite: true - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - overwrite: true - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - overwrite: true - type: keyword - description: This is used to capture username the process or service is running - as, the author of the task - - name: service_account - overwrite: true - type: keyword - description: This key is a windows specific key, used for capturing name of - the account a service (referenced in the event) is running under. Legacy Usage - - name: email - overwrite: true - type: group - fields: - - name: email_dst - overwrite: true - type: keyword - description: This key is used to capture the Destination email address only, - when the destination context is not clear use email - - name: email_src - overwrite: true - type: keyword - description: This key is used to capture the source email address only, when - the source context is not clear use email - - name: subject - overwrite: true - type: keyword - description: This key is used to capture the subject string from an Email only. 
- - name: email - overwrite: true - type: keyword - description: This key is used to capture a generic email address where the source - or destination context is not clear - - name: trans_from - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: file - overwrite: true - type: group - fields: - - name: privilege - overwrite: true - type: keyword - description: Deprecated, use permissions - - name: attachment - overwrite: true - type: keyword - description: This key captures the attachment file name - - name: filesystem - overwrite: true - type: keyword - - name: binary - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: filename_dst - overwrite: true - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - overwrite: true - type: keyword - description: This is used to capture name of the parent filename, the file which - performed the action - - name: filename_tmp - overwrite: true - type: keyword - - name: directory_dst - overwrite: true - type: keyword - description: This key is used to capture the directory of the target process - or file - - name: directory_src - overwrite: true - type: keyword - description: This key is used to capture the directory of the source process - or file - - name: file_entropy - overwrite: true - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - overwrite: true - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - overwrite: true - type: keyword - description: This is used to capture name of the task - - name: web - overwrite: true - type: group - fields: - - name: fqdn - overwrite: true - type: keyword - description: Fully Qualified Domain Names - - 
name: web_cookie - overwrite: true - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - overwrite: true - type: keyword - - name: reputation_num - overwrite: true - type: double - description: Reputation Number of an entity. Typically used for Web Domains - - name: web_ref_domain - overwrite: true - type: keyword - description: Web referer's domain - - name: web_ref_query - overwrite: true - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - overwrite: true - type: keyword - - name: web_ref_page - overwrite: true - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - overwrite: true - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - overwrite: true - type: keyword - - name: cn_rpackets - overwrite: true - type: keyword - - name: urlpage - overwrite: true - type: keyword - - name: urlroot - overwrite: true - type: keyword - - name: p_url - overwrite: true - type: keyword - - name: p_user_agent - overwrite: true - type: keyword - - name: p_web_cookie - overwrite: true - type: keyword - - name: p_web_method - overwrite: true - type: keyword - - name: p_web_referer - overwrite: true - type: keyword - - name: web_extension_tmp - overwrite: true - type: keyword - - name: web_page - overwrite: true - type: keyword - - name: threat - overwrite: true - type: group - fields: - - name: threat_category - overwrite: true - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of - alert - - name: threat_desc - overwrite: true - type: keyword - description: This key is used to capture the threat description from the session - directly or inferred - - name: alert - overwrite: true - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - overwrite: true - type: keyword - description: This key is used to 
capture source of the threat - - name: crypto - overwrite: true - type: group - fields: - - name: crypto - overwrite: true - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key - only - - name: cipher_src - overwrite: true - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - overwrite: true - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - overwrite: true - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - overwrite: true - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - overwrite: true - type: keyword - description: IKE negotiation phase. - - name: scheme - overwrite: true - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - overwrite: true - type: keyword - description: "This key is for Encryption peer\u2019s identity" - - name: sig_type - overwrite: true - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - overwrite: true - type: keyword - - name: cert_host_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: cert_error - overwrite: true - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - overwrite: true - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - overwrite: true - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - overwrite: true - type: keyword - description: Deprecated, use version - - name: d_certauth - overwrite: true - type: keyword - - name: s_certauth - overwrite: true - type: keyword - - name: ike_cookie1 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - - name: ike_cookie2 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - - name: cert_checksum - overwrite: true - type: keyword - - name: cert_host_cat - overwrite: true - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - overwrite: true - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - overwrite: true - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - overwrite: true - type: keyword - description: Deprecated, use version - - name: cert_keysize - overwrite: true - type: keyword - - name: cert_username - overwrite: true - type: keyword - - name: https_insact - overwrite: true - type: keyword - - name: https_valid - overwrite: true - type: keyword - - name: cert_ca - overwrite: true - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - overwrite: true - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - overwrite: true - type: group - fields: - - name: wlan_ssid - overwrite: true - type: keyword - description: This key is 
used to capture the ssid of a Wireless Session - - name: access_point - overwrite: true - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - overwrite: true - type: long - description: This is used to capture the channel names - - name: wlan_name - overwrite: true - type: keyword - description: This key captures either WLAN number/name - - name: storage - overwrite: true - type: group - fields: - - name: disk_volume - overwrite: true - type: keyword - description: A unique name assigned to logical units (volumes) within a physical - disk - - name: lun - overwrite: true - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - overwrite: true - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - overwrite: true - type: group - fields: - - name: org_dst - overwrite: true - type: keyword - description: This is used to capture the destination organization based on the - GEOPIP Maxmind database. - - name: org_src - overwrite: true - type: keyword - description: This is used to capture the source organization based on the GEOPIP - Maxmind database. 
- - name: healthcare - overwrite: true - type: group - fields: - - name: patient_fname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_id - overwrite: true - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_mname - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: endpoint - overwrite: true - type: group - fields: - - name: host_state - overwrite: true - type: keyword - description: This key is used to capture the current state of the machine, such - as blacklisted, infected, firewall - disabled and so on - - name: registry_key - overwrite: true - type: keyword - description: This key captures the path to the registry key - - name: registry_value - overwrite: true - type: keyword - description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/juniper/junos/config/input.yml b/x-pack/filebeat/module/juniper/junos/config/input.yml
deleted file mode 100644
index 117a222475f..00000000000
--- a/x-pack/filebeat/module/juniper/junos/config/input.yml
+++ /dev/null
@@ -1,87 +0,0 @@
-{{ if eq .input "file" }}
-
-type: log
-paths:
- {{ range $i, $path := .paths }}
-- {{$path}}
- {{ end }}
-exclude_files: [".gz$"]
-
-{{ else }}
-
-type: {{.input}}
-host: "{{.syslog_host}}:{{.syslog_port}}"
-
-{{ end }}
-
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
-
-fields_under_root: true
-fields:
- observer:
- vendor: "Juniper"
- product: "Junos"
- type: "Routers"
-
-processors:
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{.rsa_fields}}
- tz_offset: {{.tz_offset}}
- keep_raw: {{.keep_raw_fields}}
- debug: {{.debug}}
- files:
- - ${path.home}/module/juniper/junos/config/liblogparser.js
- - ${path.home}/module/juniper/junos/config/pipeline.js
-{{ if .community_id }}
-- community_id: ~
-{{ end }}
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: dns.question.name
- target_field: dns.question.registered_domain
- target_subdomain_field: dns.question.subdomain
- target_etld_field: dns.question.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: client.domain
- target_field: client.registered_domain
- target_subdomain_field: client.subdomain
- target_etld_field: client.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: server.domain
- target_field: server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/juniper/junos/config/liblogparser.js b/x-pack/filebeat/module/juniper/junos/config/liblogparser.js
deleted file mode 100644
index b35eaa3ddce..00000000000
--- a/x-pack/filebeat/module/juniper/junos/config/liblogparser.js
+++ /dev/null
@@ -1,2514 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -/* jshint -W014,-W016,-W097,-W116 */ - -var processor = require("processor"); -var console = require("console"); - -var FLAG_FIELD = "log.flags"; -var FIELDS_OBJECT = "nwparser"; -var FIELDS_PREFIX = FIELDS_OBJECT + "."; - -var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true -}; - -var saved_flags = null; -var debug; -var map_ecs; -var map_rsa; -var keep_raw; -var device; -var tz_offset; -var strip_priority; - -// Register params from configuration. -function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); -} - -function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } -} - -function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); -} - -function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); -} - -function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; -} - -function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; -} - -function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; -} - -var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); -})(); - -function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; -} - -function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } -} - -function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; -} - -function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; -} - -function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; -} - -function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; -} - -var start; - -function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); -} - -function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); -} - -function constant(value) { - return function (evt) { - return value; - }; -} - -function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; -} - -function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; -} - -// TODO: Implement -function DIRCHK(args) { - unimplemented("DIRCHK"); -} - -function strictToInt(str) { - return str * 1; -} - -function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - var result; - switch 
(args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; -} - -var quoteChars = "\"'`"; -function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; -} - -function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; -} - -function nop(evt) { -} - -function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); -} - -function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); -} - -function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; -} - -function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); -} - -function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; -} - -function setc(dst, value) { - return function (evt) { - evt.Put(FIELDS_PREFIX + dst, value); - }; 
-} - -function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; -} - -function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; -} - -function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; -} - -function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; -} - -// Make two-digit dates 00-69 interpreted as 2000-2069 -// and dates 70-99 translated to 1970-1999. -var twoDigitYearEpoch = 70; -var twoDigitYearCentury = 2000; - -// This is to accept dates up to 2 days in the future, only used when -// no year is specified in a date. 2 days should be enough to account for -// time differences between systems and different tz offsets. -var maxFutureDelta = 2*24*60*60*1000; - -// DateContainer stores date fields and then converts those fields into -// a Date. Necessary because building a Date using its set() methods gives -// different results depending on the order of components. -function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; -} - -DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } -} - -function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; -} - -function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; -} - -function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; -} - -var uA = 60 * 60 * 24; -var uD = 60 * 60 * 24; -var uF = 60 * 60; -var uG = 60 * 60 * 24 * 30; -var uH = 60 * 60; -var uI = 60 * 60; -var uJ = 60 * 60 * 24; -var uM = 60 * 60 * 24 * 30; -var uN = 60 * 60; -var uO = 1; -var uS = 1; -var uT = 60; -var uU = 60; -var uc = dc; - -function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; -} - -function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 5], - "dec": [11, 4], 
-}; - -// var dC = undefined; -var dR = dateMonthName(true); -var dB = dateMonthName(false); -var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); -var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); -var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); -var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); -var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); -var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 -var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); -var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); -var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); -var dP = parseAMPM; // AM|PM -var dQ = parseAMPM; // A.M.|P.M -var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); -var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); -var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); -var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); -var dZ = parseHMS; -var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - -// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. -// Only works if this modifier appears after the hour has been read from logs -// which is always the case in the 300 devices. 
-function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; -} - -function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); -} - -function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; -} - -function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; -} - -function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; -} - -function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; -} - -function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; -} - -// Short month name (Jan..Dec). -function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; -} - -function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; -} - -// The following regular expression for parsing URLs from: -// https://github.com/wizard04wsu/URI_Parsing -// -// The MIT License (MIT) -// -// Copyright (c) 2014 Andrew Harrison -// -// Permission is hereby granted, free of charge, to any person obtaining a copy of -// this software and associated documentation files (the "Software"), to deal in -// the Software without restriction, including without limitation the rights to -// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -// the Software, and to permit persons to whom the Software is furnished to do so, -// subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
-var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - -var uriScheme = 1; -var uriDomain = 5; -var uriPort = 6; -var uriPath = 7; -var uriPathAlt = 9; -var uriQuery = 11; - -function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); -} - -function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; -} - -function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; -} - -var extFromPage = /\.[^.]+$/; -function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } -} - -function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); -} - -function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); -} - -var pageFromPathRegExp = /\/([^\/]+)$/; -var pageName = 1; - -function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; -} - -function page(dst, src) { - return url_wrapper(dst, src, extract_page); -} - -function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; -} - -function path(dst, src) { - return url_wrapper(dst, src, extract_path); -} - -// Map common schemes to their default port. -// port has to be a string (will be converted at a later stage). 
-var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", -}; - -function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } -} - -function port(dst, src) { - return url_wrapper(dst, src, extract_port); -} - -function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; -} - -function query(dst, src) { - return url_wrapper(dst, src, extract_query); -} - -function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } -} - -function root(dst, src) { - return url_wrapper(dst, src, extract_root); -} - -function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } -} - -var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
- "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
- "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
- "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
- "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
- "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
- "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
- "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
- "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
- "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
- "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
- "direction": {to:[{field: "network.direction", setter: fld_set}]},
- "directory": {to:[{field: "file.directory", setter: fld_set}]},
- "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
- "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
- "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
- "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
- "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
- 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
- "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
- "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
- "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
- "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
- "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
- "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
- "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
- "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
- "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
- "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
- "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
- "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
- "filepath": {to:[{field: "file.path", setter: fld_set}]},
- "filetype": {to:[{field: "file.type", setter: fld_set}]},
- "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
- "group": {to:[{field: "group.name", setter: fld_set}]},
- "groupid": {to:[{field: "group.id", setter: fld_set}]},
- "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]},
- "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
- "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
- "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
- "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
- "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
- "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
- "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
- "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
- "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
- "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
- "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
- "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
- "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
- "method": {to:[{field: "http.request.method", setter: fld_set}]},
- "msg": {to:[{field: "message", setter: fld_set}]},
- "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
- "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
- "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
- "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
- "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
- "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
- "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
- "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
- "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
- "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
- "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
- "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
- "product": {to:[{field: "observer.product", setter: fld_set}]},
- "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
- "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
- "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
- "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
- "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]},
- "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
- "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
- "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
- "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
- "severity": {to:[{field: "log.level", setter: fld_set}]},
- "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
- "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
- "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
- "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
- "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
- "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
- "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
- "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
- "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
- "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
- "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
- "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
- "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
-};
-
-var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, 
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
- "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
- "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
- "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
- "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
- "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
- "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
- "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
- "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
- "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
- "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
- "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
- "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
- "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
- "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
- "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
- "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
- "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
- "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
- "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
- "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
- "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
- "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
- "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
- "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
- "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]},
- "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
- "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
- "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
- "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
- "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
- "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
- "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
- "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
- "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
- "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
- "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
- "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
- "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
- "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
- "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
- "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
- "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
- "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
- "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
- "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
- "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
- "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
- "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
- "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
- "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
- "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
- "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
- "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
- "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
- "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
- "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
- "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
- "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
- "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
- "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
- "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
- "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
- "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
- "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
- "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
- "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
- "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
- "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
- "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
- "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
- "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
- "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
- "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
- "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
- "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
- "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
- "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]},
- "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
- "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
- "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
- "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
- "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
- "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
- "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
- "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
- "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
- "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
- "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
- "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
- "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
- "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
- "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
- "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
- "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
- "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
- "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
- "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
- "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
- "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
- "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
- "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
- "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
- "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]},
- "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
- "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
- "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
- "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
- "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
- "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
- "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
- "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
- "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
- "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
- "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
- "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
- "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
- "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
- "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
- "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
- "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
- "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
- "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
- "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
- "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
- "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
- "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
- "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
- "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
- "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
- 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
- "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
- "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
- "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
- "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
- "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
- "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
- "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
- "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
- "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
- "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
- "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
- "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
- "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
- "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
- "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
- "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
- "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
- "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
- "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
- "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
- "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
- "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
- "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
- "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
- "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
- "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]},
- "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
- "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
- "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
- "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
- "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
- "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
- "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
- "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
- "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
- "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
- "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
- "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
- "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
- "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
- "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
- "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
- "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
- "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
- "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
- "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
- "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
- "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
- "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
- "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
- "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
- "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
- "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]},
- "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
- "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
- "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
- "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
- "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
- "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
- "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
- "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
- "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
- "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
- "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
- "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
- "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
- "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
- "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
- "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
- "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
- "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
- "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
- "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
- "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
- "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
- "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
- "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
- "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
- "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
- "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
- "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
- "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
- "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
- "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
- "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
- "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
- "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
- "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
- "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
- "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
- "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
- "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
- "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
- "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
- "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
- "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
- "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
- "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
- "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
- "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
- "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
- "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]},
- "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
- "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
- "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
- "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
- "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
- "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
- "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
- "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
- "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
- "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
- "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
- "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
- "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
- "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
- "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
- "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
- "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
- "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
- "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
- "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
- "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
- "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
- "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, -}; - -function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } -} - -// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. -var maxSafeInt = Math.pow(2, 53) - 1; -var minSafeInt = -maxSafeInt; - -function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; -} - -function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); -} - -var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; -var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - -function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; -} - -function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; -} - -function to_double(value) { - return parseFloat(value); -} - -function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; -} - -function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; -} - -function fld_set(dst, value) { - dst[this.field] = { v: value }; -} - -function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } -} - -function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } -} - -var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true -}; - -function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } -} - -function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } -} - -function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); -} - -var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, -]; - -function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - tzOffset = 
evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{day->} %{time->} %{p0}"); - -var dup2 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); - -var dup3 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); - -var dup4 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); - -var dup5 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); - -var dup6 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); - -var dup7 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); - -var dup8 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); - -var dup9 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(": "), - field("p0"), - ], -}); - -var dup10 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" "), - field("p0"), - ], -}); - -var dup11 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("messageid"), - constant(": "), - field("p0"), - ], -}); - -var dup12 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant("["), - field("pid"), - constant("]: "), - field("messageid"), - constant(": "), - field("p0"), - ], -}); - -var dup13 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" ["), - field("p0"), - ], -}); - -var dup14 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); - -var dup15 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); - -var dup16 = match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); - -var dup17 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); - -var dup18 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); - -var dup19 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant("["), - 
field("pid"), - constant("]: "), - field("p0"), - ], -}); - -var dup20 = setc("messageid","JUNOSROUTER_GENERIC"); - -var dup21 = setc("eventcategory","1605000000"); - -var dup22 = setf("msg","$MSG"); - -var dup23 = date_time({ - dest: "event_time", - args: ["month","day","time"], - fmts: [ - [dB,dF,dH,dc(":"),dU,dc(":"),dO], - ], -}); - -var dup24 = setf("hostname","hhost"); - -var dup25 = setc("event_description","AUDIT"); - -var dup26 = setc("event_description","CRON command"); - -var dup27 = setc("eventcategory","1801030000"); - -var dup28 = setc("eventcategory","1801020000"); - -var dup29 = setc("eventcategory","1605010000"); - -var dup30 = setc("eventcategory","1603000000"); - -var dup31 = setc("event_description","Process mode"); - -var dup32 = setc("event_description","NTP Server Unreachable"); - -var dup33 = setc("eventcategory","1401060000"); - -var dup34 = setc("ec_theme","Authentication"); - -var dup35 = setc("ec_subject","User"); - -var dup36 = setc("ec_activity","Logon"); - -var dup37 = setc("ec_outcome","Success"); - -var dup38 = setc("event_description","rpd proceeding"); - -var dup39 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); - -var dup40 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); - -var dup41 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); - -var dup42 = setc("eventcategory","1701010000"); - -var dup43 = setc("ec_outcome","Failure"); - -var dup44 = setc("eventcategory","1401030000"); - -var dup45 = match_copy("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "p0"); - -var dup46 = setc("eventcategory","1803000000"); - -var dup47 = setc("event_type","VPN"); - -var dup48 = setc("eventcategory","1605020000"); - -var dup49 = setc("eventcategory","1602020000"); - -var dup50 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); - -var dup51 = setc("eventcategory","1603020000"); - -var dup52 = date_time({ - 
dest: "event_time", - args: ["hfld32"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dc("T"),dN,dc(":"),dU,dc(":"),dO], - ], -}); - -var dup53 = setc("ec_subject","NetworkComm"); - -var dup54 = setc("ec_activity","Create"); - -var dup55 = setc("ec_activity","Stop"); - -var dup56 = setc("event_description","Trap state change"); - -var dup57 = setc("event_description","peer NLRI mismatch"); - -var dup58 = setc("eventcategory","1605030000"); - -var dup59 = setc("eventcategory","1603010000"); - -var dup60 = setc("eventcategory","1606000000"); - -var dup61 = setf("hostname","hhostname"); - -var dup62 = date_time({ - dest: "event_time", - args: ["hfld6"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dc("T"),dN,dc(":"),dU,dc(":"),dO], - ], -}); - -var dup63 = setc("eventcategory","1401050200"); - -var dup64 = setc("event_description","Memory allocation failed during initialization for configuration load"); - -var dup65 = setc("event_description","unable to run in the background as a daemon"); - -var dup66 = setc("event_description","Another copy of this program is running"); - -var dup67 = setc("event_description","Unable to lock PID file"); - -var dup68 = setc("event_description","Unable to update process PID file"); - -var dup69 = setc("eventcategory","1301000000"); - -var dup70 = setc("event_description","Command stopped"); - -var dup71 = setc("event_description","Unable to create pipes for command"); - -var dup72 = setc("event_description","Command exited"); - -var dup73 = setc("eventcategory","1603050000"); - -var dup74 = setc("eventcategory","1801010000"); - -var dup75 = setc("event_description","Login failure"); - -var dup76 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); - -var dup77 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); - -var dup78 = setc("event_description","Unable to open file"); - -var dup79 = setc("event_description","SNMP index assigned changed"); - -var dup80 = setc("eventcategory","1302000000"); - -var 
dup81 = setc("eventcategory","1001020300"); - -var dup82 = setc("event_description","PFE FW SYSLOG_IP"); - -var dup83 = setc("event_description","process_mode"); - -var dup84 = setc("event_description","Logical interface collision"); - -var dup85 = setc("event_description","excessive runtime time during action of module"); - -var dup86 = setc("event_description","Reinitializing"); - -var dup87 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); - -var dup88 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", " connection-tag=%{fld20->} service-name=\"%{p0}"); - -var dup89 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", " service-name=\"%{p0}"); - -var dup90 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", " nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); - -var dup91 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_1", "nwparser.p0", "name=\"%{p0}"); - -var dup92 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); - -var dup93 = setc("eventcategory","1803010000"); - -var dup94 = setc("ec_activity","Deny"); - -var dup95 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied %{p0}"); - -var dup96 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", "nwparser.payload", "%{event_type}: session denied %{p0}"); - -var dup97 = setc("event_description","session denied"); - -var dup98 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); - -var dup99 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" 
nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); - -var dup100 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); - -var dup101 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{p0}"); - -var dup102 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/6", "nwparser.p0", "\"%{rule_template->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"%{p0}"); - -var dup103 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); - -var dup104 = setc("dclass_counter1_string","No.of packets from client"); - -var dup105 = setc("event_description","SNMPD AUTH FAILURE"); - -var dup106 = setc("event_description","send send-type (index1) failure"); - -var dup107 = setc("event_description","SNMP trap error"); - -var dup108 = setc("event_description","SNMP TRAP LINK DOWN"); - -var dup109 = setc("event_description","SNMP TRAP LINK UP"); - -var dup110 = setc("event_description","Login Failure"); - -var dup111 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); - -var dup112 = match_copy("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "space"); - -var dup113 = setc("eventcategory","1701020000"); - -var dup114 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", 
"\u003c\u003c%{change_old}> %{p0}"); - -var dup115 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", "nwparser.p0", "-> \"%{change_new}\""); - -var dup116 = setc("event_description","User set command"); - -var dup117 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); - -var dup118 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); - -var dup119 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); - -var dup120 = setc("event_description","User set groups to secret"); - -var dup121 = setc("event_description","UI CMDLINE READ LINE"); - -var dup122 = setc("event_description","User commit"); - -var dup123 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); - -var dup124 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); - -var dup125 = setc("eventcategory","1401070000"); - -var dup126 = setc("ec_activity","Logoff"); - -var dup127 = setc("event_description","Successful login"); - -var dup128 = setf("hostname","hostip"); - -var dup129 = setc("event_description","TACACS+ failure"); - -var dup130 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); - -var dup131 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); - -var dup132 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); - -var dup133 = setc("eventcategory","1003010000"); - -var dup134 = setc("eventcategory","1901000000"); - -var dup135 = linear_select([ - dup14, - dup15, - dup16, - dup17, -]); - -var dup136 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{p0}", processor_chain([ - dup13, -])); - -var dup137 = linear_select([ - dup40, - dup41, -]); - -var dup138 = match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", 
processor_chain([ - dup21, - dup22, - dup56, - dup23, -])); - -var dup139 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ - dup51, - dup22, - dup64, - dup23, -])); - -var dup140 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ - dup30, - dup22, - dup65, - dup23, -])); - -var dup141 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Another copy of this program is running", processor_chain([ - dup30, - dup22, - dup66, - dup23, -])); - -var dup142 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ - dup30, - dup22, - dup67, - dup23, -])); - -var dup143 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ - dup30, - dup22, - dup68, - dup23, -])); - -var dup144 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - dup71, - dup23, -])); - -var dup145 = linear_select([ - dup76, - dup77, -]); - -var dup146 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ - dup30, - dup22, - dup79, - dup23, -])); - -var dup147 = match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ - dup30, - dup22, - 
dup84, - dup23, -])); - -var dup148 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ - dup30, - dup22, - dup85, - dup23, -])); - -var dup149 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ - dup21, - dup22, - dup86, - dup23, -])); - -var dup150 = linear_select([ - dup88, - dup89, -]); - -var dup151 = linear_select([ - dup90, - dup45, -]); - -var dup152 = linear_select([ - dup95, - dup96, -]); - -var dup153 = linear_select([ - dup101, - dup91, -]); - -var dup154 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ - dup30, - dup22, - dup52, -])); - -var dup155 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ - dup27, - dup22, - dup52, -])); - -var dup156 = linear_select([ - dup118, - dup119, -]); - -var dup157 = linear_select([ - dup123, - dup124, -]); - -var dup158 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", 
"%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ - dup30, - dup22, - dup52, -])); - -var dup159 = match_copy("MESSAGE#747:cli", "nwparser.payload", "fld12", processor_chain([ - dup48, - dup47, - dup23, - dup22, -])); - -var hdr1 = match("HEADER#0:0001", "message", "%{month->} %{day->} %{time->} %{messageid}: restart %{p0}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(": restart "), - field("p0"), - ], - }), -])); - -var hdr2 = match("HEADER#1:0002", "message", "%{month->} %{day->} %{time->} %{messageid->} message repeated %{p0}", processor_chain([ - setc("header_id","0002"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" message repeated "), - field("p0"), - ], - }), -])); - -var hdr3 = match("HEADER#2:0003", "message", "%{month->} %{day->} %{time->} ssb %{messageid}(%{hfld1}): %{p0}", processor_chain([ - setc("header_id","0003"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant("("), - field("hfld1"), - constant("): "), - field("p0"), - ], - }), -])); - -var part1 = match("HEADER#3:0004/1_6", "nwparser.p0", "fpc6 %{p0}"); - -var part2 = match("HEADER#3:0004/1_7", "nwparser.p0", "fpc7 %{p0}"); - -var part3 = match("HEADER#3:0004/1_8", "nwparser.p0", "fpc8 %{p0}"); - -var part4 = match("HEADER#3:0004/1_9", "nwparser.p0", "fpc9 %{p0}"); - -var part5 = match("HEADER#3:0004/1_10", "nwparser.p0", "cfeb %{p0}"); - -var 
select1 = linear_select([ - dup2, - dup3, - dup4, - dup5, - dup6, - dup7, - part1, - part2, - part3, - part4, - part5, - dup8, -]); - -var part6 = match("HEADER#3:0004/2", "nwparser.p0", "%{} %{messageid}: %{p0}", processor_chain([ - dup9, -])); - -var all1 = all_match({ - processors: [ - dup1, - select1, - part6, - ], - on_success: processor_chain([ - setc("header_id","0004"), - ]), -}); - -var select2 = linear_select([ - dup2, - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, -]); - -var part7 = match("HEADER#4:0005/2", "nwparser.p0", "%{} %{messageid->} %{p0}", processor_chain([ - dup10, -])); - -var all2 = all_match({ - processors: [ - dup1, - select2, - part7, - ], - on_success: processor_chain([ - setc("header_id","0005"), - ]), -}); - -var hdr4 = match("HEADER#5:0007", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2}[%{hpid}]: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0007"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant("["), - field("hpid"), - constant("]: "), - field("messageid"), - constant(": "), - field("p0"), - ], - }), -])); - -var hdr5 = match("HEADER#6:0008", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}[%{hpid}]: %{p0}", processor_chain([ - setc("header_id","0008"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant("["), - field("hpid"), - constant("]: "), - field("p0"), - ], - }), -])); - -var hdr6 = match("HEADER#7:0009", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} IFP trace> %{messageid}: %{p0}", processor_chain([ - setc("header_id","0009"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" IFP trace> "), - field("messageid"), - constant(": "), - field("p0"), - ], - }), -])); - -var hdr7 = match("HEADER#8:0010", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} %{messageid}: %{p0}", 
processor_chain([ - setc("header_id","0010"), - dup11, -])); - -var hdr8 = match("HEADER#9:0029", "message", "%{month->} %{day->} %{time->} %{hostip->} %{hfld1}[%{pid}]: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0029"), - dup12, -])); - -var hdr9 = match("HEADER#10:0015", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0015"), - dup12, -])); - -var hdr10 = match("HEADER#11:0011", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{messageid}: %{p0}", processor_chain([ - setc("header_id","0011"), - dup11, -])); - -var hdr11 = match("HEADER#12:0027", "message", "%{month->} %{day->} %{time->} %{hhostname->} RT_FLOW: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0027"), - dup9, -])); - -var hdr12 = match("HEADER#13:0012", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0012"), - dup9, -])); - -var hdr13 = match("HEADER#14:0013", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hfld32->} %{hhostname->} RT_FLOW - %{messageid->} [%{p0}", processor_chain([ - setc("header_id","0013"), - dup13, -])); - -var hdr14 = match("HEADER#15:0026.upd.a/0", "message", "%{hfld1->} %{event_time->} %{hfld32->} %{hhostname->} %{p0}"); - -var all3 = all_match({ - processors: [ - hdr14, - dup135, - dup136, - ], - on_success: processor_chain([ - setc("header_id","0026.upd.a"), - ]), -}); - -var all4 = all_match({ - processors: [ - dup18, - dup135, - dup136, - ], - on_success: processor_chain([ - setc("header_id","0026.upd.b"), - ]), -}); - -var all5 = all_match({ - processors: [ - dup18, - dup135, - dup136, - ], - on_success: processor_chain([ - setc("header_id","0026"), - ]), -}); - -var hdr15 = match("HEADER#18:0014", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}[%{hpid}]: %{p0}", processor_chain([ - setc("header_id","0014"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - 
args: [ - field("hfld1"), - constant("["), - field("pid"), - constant("]: "), - field("messageid"), - constant("["), - field("hpid"), - constant("]: "), - field("p0"), - ], - }), -])); - -var hdr16 = match("HEADER#19:0016", "message", "%{month->} %{day->} %{time->} %{hfld1}: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0016"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant(": "), - field("messageid"), - constant(": "), - field("p0"), - ], - }), -])); - -var hdr17 = match("HEADER#20:0017", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid->} %{p0}", processor_chain([ - setc("header_id","0017"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant("["), - field("pid"), - constant("]: "), - field("messageid"), - constant(" "), - field("p0"), - ], - }), -])); - -var hdr18 = match("HEADER#21:0018", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0018"), - dup19, -])); - -var hdr19 = match("HEADER#22:0028", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0028"), - dup19, -])); - -var hdr20 = match("HEADER#23:0019", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0019"), - dup9, -])); - -var hdr21 = match("HEADER#24:0020", "message", "%{month->} %{day->} %{time->} %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0020"), - dup19, -])); - -var hdr22 = match("HEADER#25:0021", "message", "%{month->} %{day->} %{time->} /%{messageid}: %{p0}", processor_chain([ - setc("header_id","0021"), - dup9, -])); - -var hdr23 = match("HEADER#26:0022", "message", "%{month->} %{day->} %{time->} %{messageid}: %{p0}", processor_chain([ - setc("header_id","0022"), - dup9, -])); - -var hdr24 = match("HEADER#27:0023", "message", "%{month->} %{day->} 
%{time->} %{hfld1->} %{hhostname}: %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0023"), - dup19, -])); - -var hdr25 = match("HEADER#28:0024", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0024"), - dup9, -])); - -var hdr26 = match("HEADER#29:0025", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{hfld2->} %{messageid->} %{p0}", processor_chain([ - setc("header_id","0025"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("messageid"), - constant(" "), - field("p0"), - ], - }), -])); - -var hdr27 = match("HEADER#30:0031", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid->} %{p0}", processor_chain([ - setc("header_id","0031"), - dup10, -])); - -var hdr28 = match("HEADER#31:0032", "message", "%{month->} %{day->} %{time->} %{hostip->} (%{hfld1}) %{hfld2->} %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0032"), - dup19, -])); - -var hdr29 = match("HEADER#32:0033", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname->} %{messageid}: %{p0}", processor_chain([ - setc("header_id","0033"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant(" "), - field("hhostname"), - constant(" "), - field("messageid"), - constant(": "), - field("p0"), - ], - }), -])); - -var hdr30 = match("HEADER#33:3336", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{messageid}: %{payload}", processor_chain([ - setc("header_id","3336"), -])); - -var hdr31 = match("HEADER#34:3339", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{messageid->} %{payload}", processor_chain([ - setc("header_id","3339"), -])); - -var hdr32 = match("HEADER#35:3337", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}: %{payload}", processor_chain([ - 
setc("header_id","3337"), -])); - -var hdr33 = match("HEADER#36:3341", "message", "%{hfld1->} %{hfld6->} %{hhostname->} %{hfld2->} %{hfld3->} %{messageid->} %{p0}", processor_chain([ - setc("header_id","3341"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("hfld3"), - constant(" "), - field("messageid"), - constant(" "), - field("p0"), - ], - }), -])); - -var hdr34 = match("HEADER#37:3338", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid->} %{payload}", processor_chain([ - setc("header_id","3338"), -])); - -var hdr35 = match("HEADER#38:3340/0", "message", "%{month->} %{day->} %{time->} %{hhost->} node%{hfld1}.fpc%{p0}", processor_chain([ - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hhost"), - constant(" node"), - field("hfld1"), - constant(".fpc"), - field("p0"), - ], - }), -])); - -var part8 = match("HEADER#38:3340/1_0", "nwparser.p0", "%{hfld2}.pic%{hfld3->} %{p0}"); - -var part9 = match("HEADER#38:3340/1_1", "nwparser.p0", "%{hfld2->} %{p0}"); - -var select3 = linear_select([ - part8, - part9, -]); - -var part10 = match("HEADER#38:3340/2", "nwparser.p0", "%{} %{p0}"); - -var all6 = all_match({ - processors: [ - hdr35, - select3, - part10, - ], - on_success: processor_chain([ - setc("header_id","3340"), - setc("messageid","node"), - ]), -}); - -var hdr36 = match("HEADER#39:9997/0_0", "message", "mgd[%{p0}"); - -var hdr37 = match("HEADER#39:9997/0_1", "message", "rpd[%{p0}"); - -var hdr38 = match("HEADER#39:9997/0_2", "message", "dcd[%{p0}"); - -var select4 = linear_select([ - hdr36, - hdr37, - hdr38, -]); - -var part11 = match("HEADER#39:9997/1", "nwparser.p0", "%{process_id}]:%{payload}"); - -var all7 = all_match({ - processors: [ - select4, - part11, - ], - on_success: processor_chain([ - setc("header_id","9997"), - dup20, - ]), -}); - -var hdr39 = match("HEADER#40:9995", "message", "%{month->} %{day->} %{time->} %{hhost->} %{hfld1->} %{hfld2->} 
%{messageid}[%{hfld3}]:%{p0}", processor_chain([ - setc("header_id","9995"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant("["), - field("hfld3"), - constant("]:"), - field("p0"), - ], - }), -])); - -var hdr40 = match("HEADER#41:9994", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{hfld1->} qsfp %{p0}", processor_chain([ - setc("header_id","9994"), - setc("messageid","qsfp"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("hfld1"), - constant(" qsfp "), - field("p0"), - ], - }), -])); - -var hdr41 = match("HEADER#42:9999", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{hevent_type}: %{p0}", processor_chain([ - setc("header_id","9999"), - dup20, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hevent_type"), - constant(": "), - field("p0"), - ], - }), -])); - -var hdr42 = match("HEADER#43:9998", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{process}: %{p0}", processor_chain([ - setc("header_id","9998"), - dup20, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("process"), - constant(": "), - field("p0"), - ], - }), -])); - -var select5 = linear_select([ - hdr1, - hdr2, - hdr3, - all1, - all2, - hdr4, - hdr5, - hdr6, - hdr7, - hdr8, - hdr9, - hdr10, - hdr11, - hdr12, - hdr13, - all3, - all4, - all5, - hdr15, - hdr16, - hdr17, - hdr18, - hdr19, - hdr20, - hdr21, - hdr22, - hdr23, - hdr24, - hdr25, - hdr26, - hdr27, - hdr28, - hdr29, - hdr30, - hdr31, - hdr32, - hdr33, - hdr34, - all6, - all7, - hdr39, - hdr40, - hdr41, - hdr42, -]); - -var part12 = match("MESSAGE#0:/usr/sbin/sshd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","sshd exit status"), - dup23, -])); - -var msg1 = msg("/usr/sbin/sshd", part12); - -var part13 = 
match("MESSAGE#1:/usr/libexec/telnetd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","telnetd exit status"), - dup23, -])); - -var msg2 = msg("/usr/libexec/telnetd", part13); - -var part14 = match("MESSAGE#2:alarmd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License color=%{severity}, class=%{device}, reason=%{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Alarm Set or Cleared"), - dup23, -])); - -var msg3 = msg("alarmd", part14); - -var part15 = match("MESSAGE#3:bigd", "nwparser.payload", "%{process}: Node detected UP for %{node}", processor_chain([ - dup21, - dup22, - setc("event_description","Node detected UP"), - dup23, -])); - -var msg4 = msg("bigd", part15); - -var part16 = match("MESSAGE#4:bigd:01", "nwparser.payload", "%{process}: Monitor template id is %{id}", processor_chain([ - dup21, - dup22, - setc("event_description","Monitor template id"), - dup23, -])); - -var msg5 = msg("bigd:01", part16); - -var select6 = linear_select([ - msg4, - msg5, -]); - -var part17 = match("MESSAGE#5:bigpipe", "nwparser.payload", "%{process}: Loading the configuration file %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","Loading configuration file"), - dup23, -])); - -var msg6 = msg("bigpipe", part17); - -var part18 = match("MESSAGE#6:bigpipe:01", "nwparser.payload", "%{process}: Begin config install operation %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","Begin config install operation"), - dup23, -])); - -var msg7 = msg("bigpipe:01", part18); - -var part19 = match("MESSAGE#7:bigpipe:02", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ - dup21, - dup22, - setc("event_description","Audit"), - dup23, -])); - -var msg8 = msg("bigpipe:02", part19); - -var select7 = linear_select([ - msg6, - msg7, - msg8, -]); - -var 
part20 = match("MESSAGE#8:bigstart", "nwparser.payload", "%{process}: shutdown %{service}", processor_chain([ - dup21, - dup22, - setc("event_description","portal shutdown"), - dup23, -])); - -var msg9 = msg("bigstart", part20); - -var part21 = match("MESSAGE#9:cgatool", "nwparser.payload", "%{process}: %{event_type}: generated address is %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","cga address genration"), - dup23, -])); - -var msg10 = msg("cgatool", part21); - -var part22 = match("MESSAGE#10:chassisd:01", "nwparser.payload", "%{process}[%{process_id}]:%{fld12}", processor_chain([ - dup21, - dup22, - dup23, - dup24, -])); - -var msg11 = msg("chassisd:01", part22); - -var part23 = match("MESSAGE#11:checkd", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ - dup21, - dup22, - dup25, - dup23, -])); - -var msg12 = msg("checkd", part23); - -var part24 = match("MESSAGE#12:checkd:01", "nwparser.payload", "%{process}: exiting", processor_chain([ - dup21, - dup22, - setc("event_description","checkd exiting"), - dup23, -])); - -var msg13 = msg("checkd:01", part24); - -var select8 = linear_select([ - msg12, - msg13, -]); - -var part25 = match("MESSAGE#13:cosd", "nwparser.payload", "%{process}[%{process_id}]: link protection %{dclass_counter1->} for intf %{interface}", processor_chain([ - dup21, - dup22, - setc("event_description","link protection for interface"), - dup23, -])); - -var msg14 = msg("cosd", part25); - -var part26 = match("MESSAGE#14:craftd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}, %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","License expiration warning"), - dup23, -])); - -var msg15 = msg("craftd", part26); - -var part27 = match("MESSAGE#15:CRON/0", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{p0}"); - -var part28 = match("MESSAGE#15:CRON/1_0", "nwparser.p0", "CMD (%{result})"); - -var part29 = 
match("MESSAGE#15:CRON/1_1", "nwparser.p0", "cmd='%{result}'"); - -var select9 = linear_select([ - part28, - part29, -]); - -var all8 = all_match({ - processors: [ - part27, - select9, - ], - on_success: processor_chain([ - dup21, - dup22, - dup26, - dup23, - ]), -}); - -var msg16 = msg("CRON", all8); - -var part30 = match("MESSAGE#16:Cmerror/0_0", "nwparser.payload", "%{hostname->} %{node}Cmerror: Level%{level}count increment %{dclass_counter1->} %{fld1}"); - -var part31 = match_copy("MESSAGE#16:Cmerror/0_1", "nwparser.payload", "fld2"); - -var select10 = linear_select([ - part30, - part31, -]); - -var all9 = all_match({ - processors: [ - select10, - ], - on_success: processor_chain([ - dup21, - dup23, - dup22, - ]), -}); - -var msg17 = msg("Cmerror", all9); - -var part32 = match("MESSAGE#17:cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{action->} (%(unknown))", processor_chain([ - dup21, - dup22, - setc("event_description","cron RELOAD"), - dup23, -])); - -var msg18 = msg("cron", part32); - -var part33 = match("MESSAGE#18:CROND", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ - dup21, - dup22, - dup23, - dup24, -])); - -var msg19 = msg("CROND", part33); - -var part34 = match("MESSAGE#20:CROND:02", "nwparser.payload", "%{process}[%{process_id}]: pam_unix(crond:session): session closed for user %{username}", processor_chain([ - dup27, - dup22, - dup23, - dup24, -])); - -var msg20 = msg("CROND:02", part34); - -var select11 = linear_select([ - msg19, - msg20, -]); - -var part35 = match("MESSAGE#19:crond:01", "nwparser.payload", "%{process}[%{process_id}]: pam_unix(crond:session): session opened for user %{username->} by (uid=%{uid})", processor_chain([ - dup28, - dup22, - dup23, - dup24, -])); - -var msg21 = msg("crond:01", part35); - -var part36 = match("MESSAGE#21:dcd", "nwparser.payload", "%{process}[%{process_id}]: %{result->} Setting ignored, %{info}", processor_chain([ - dup21, - dup22, 
- setc("event_description","Setting ignored"), - dup23, -])); - -var msg22 = msg("dcd", part36); - -var part37 = match("MESSAGE#22:EVENT/0", "nwparser.payload", "%{process}[%{process_id}]: EVENT %{event_type->} %{interface->} index %{resultcode->} %{p0}"); - -var part38 = match("MESSAGE#22:EVENT/1_0", "nwparser.p0", "%{saddr->} -> %{daddr->} \u003c\u003c%{p0}"); - -var part39 = match("MESSAGE#22:EVENT/1_1", "nwparser.p0", "\u003c\u003c%{p0}"); - -var select12 = linear_select([ - part38, - part39, -]); - -var part40 = match("MESSAGE#22:EVENT/2", "nwparser.p0", ">%{result}"); - -var all10 = all_match({ - processors: [ - part37, - select12, - part40, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","EVENT"), - dup23, - ]), -}); - -var msg23 = msg("EVENT", all10); - -var part41 = match("MESSAGE#23:ftpd", "nwparser.payload", "%{process}[%{process_id}]: connection from %{saddr->} (%{shost})", processor_chain([ - setc("eventcategory","1802000000"), - dup22, - setc("event_description","ftpd connection"), - dup23, -])); - -var msg24 = msg("ftpd", part41); - -var part42 = match("MESSAGE#24:ha_rto_stats_handler", "nwparser.payload", "%{hostname->} %{node}ha_rto_stats_handler:%{fld12}", processor_chain([ - dup29, - dup23, - dup22, -])); - -var msg25 = msg("ha_rto_stats_handler", part42); - -var part43 = match("MESSAGE#25:hostinit", "nwparser.payload", "%{process}: %{obj_name->} -- LDAP Connection not bound correctly. 
%{info}", processor_chain([ - dup21, - dup22, - setc("event_description","LDAP Connection not bound correctly"), - dup23, -])); - -var msg26 = msg("hostinit", part43); - -var part44 = match("MESSAGE#26:ifinfo", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Added entry - %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","PIC_INFO debug - Added entry"), - dup23, -])); - -var msg27 = msg("ifinfo", part44); - -var part45 = match("MESSAGE#27:ifinfo:01", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Initializing spu listtype %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","PIC_INFO debug Initializing spu"), - dup23, -])); - -var msg28 = msg("ifinfo:01", part45); - -var part46 = match("MESSAGE#28:ifinfo:02", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","PIC_INFO debug delete from list"), - dup23, -])); - -var msg29 = msg("ifinfo:02", part46); - -var select13 = linear_select([ - msg27, - msg28, - msg29, -]); - -var part47 = match("MESSAGE#29:ifp_ifl_anydown_change_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL anydown change event: \"%{event_type}\"", processor_chain([ - dup21, - dup22, - setc("event_description","IFL anydown change event"), - dup23, -])); - -var msg30 = msg("ifp_ifl_anydown_change_event", part47); - -var part48 = match("MESSAGE#30:ifp_ifl_config_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL config: \"%(unknown)\"", processor_chain([ - dup21, - dup22, - setc("event_description","ifp ifl config_event"), - dup23, -])); - -var msg31 = msg("ifp_ifl_config_event", part48); - -var part49 = match("MESSAGE#31:ifp_ifl_ext_chg", "nwparser.payload", "%{node->} %{process}: ifp ext piid %{parent_pid->} zone_id %{zone}", processor_chain([ - dup21, - dup22, - setc("event_description","ifp_ifl_ext_chg"), - dup23, -])); - -var msg32 = msg("ifp_ifl_ext_chg", 
part49); - -var part50 = match("MESSAGE#32:inetd", "nwparser.payload", "%{process}[%{process_id}]: %{protocol->} from %{saddr->} exceeded counts/min (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","connection exceeded count limit"), - dup23, -])); - -var msg33 = msg("inetd", part50); - -var part51 = match("MESSAGE#33:inetd:01", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exited, status %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","exited"), - dup23, -])); - -var msg34 = msg("inetd:01", part51); - -var select14 = linear_select([ - msg33, - msg34, -]); - -var part52 = match("MESSAGE#34:init:04", "nwparser.payload", "%{process}: %{event_type->} current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ - dup21, - dup22, - dup31, - dup23, -])); - -var msg35 = msg("init:04", part52); - -var part53 = match("MESSAGE#35:init", "nwparser.payload", "%{process}: %{event_type->} mode=%{protocol->} cmd=%{action->} master_mode=%{result}", processor_chain([ - dup21, - dup22, - dup31, - dup23, -])); - -var msg36 = msg("init", part53); - -var part54 = match("MESSAGE#36:init:01", "nwparser.payload", "%{process}: failure target for routing set to %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","failure target for routing set"), - dup23, -])); - -var msg37 = msg("init:01", part54); - -var part55 = match("MESSAGE#37:init:02", "nwparser.payload", "%{process}: ntp (PID %{child_pid}) started", processor_chain([ - dup21, - dup22, - setc("event_description","ntp started"), - dup23, -])); - -var msg38 = msg("init:02", part55); - -var part56 = match("MESSAGE#38:init:03", "nwparser.payload", "%{process}: product mask %{info->} model %{dclass_counter1}", processor_chain([ - dup21, - dup22, - setc("event_description","product mask and model info"), - dup23, -])); - -var msg39 = msg("init:03", part56); - -var select15 = linear_select([ - msg35, - msg36, - msg37, - 
msg38, - msg39, -]); - -var part57 = match("MESSAGE#39:ipc_msg_write", "nwparser.payload", "%{node->} %{process}: IPC message type: %{event_type}, subtype: %{resultcode->} exceeds MTU, mtu %{dclass_counter1}, length %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","IPC message exceeds MTU"), - dup23, -])); - -var msg40 = msg("ipc_msg_write", part57); - -var part58 = match("MESSAGE#40:connection_established", "nwparser.payload", "%{process}: %{service}: conn established: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2}", processor_chain([ - dup28, - dup22, - setc("event_description","listener connection established"), - dup23, -])); - -var msg41 = msg("connection_established", part58); - -var part59 = match("MESSAGE#41:connection_dropped/0", "nwparser.payload", "%{process}: %{p0}"); - -var part60 = match("MESSAGE#41:connection_dropped/1_0", "nwparser.p0", "%{result}, connection dropped - src %{saddr}:%{sport->} dest %{daddr}:%{dport}"); - -var part61 = match("MESSAGE#41:connection_dropped/1_1", "nwparser.p0", "%{result}: conn dropped: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2}"); - -var select16 = linear_select([ - part60, - part61, -]); - -var all11 = all_match({ - processors: [ - part59, - select16, - ], - on_success: processor_chain([ - dup27, - dup22, - setc("event_description","connection dropped"), - dup23, - ]), -}); - -var msg42 = msg("connection_dropped", all11); - -var part62 = match("MESSAGE#42:kernel", "nwparser.payload", "%{process}: %{interface}: Asserting SONET alarm(s) %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","Asserting SONET alarm(s)"), - dup23, -])); - -var msg43 = msg("kernel", part62); - -var part63 = match("MESSAGE#43:kernel:01", "nwparser.payload", "%{process}: %{interface->} down: %{result}.", processor_chain([ - dup21, - dup22, - setc("event_description","interface down"), - dup23, -])); - -var msg44 = msg("kernel:01", part63); - -var part64 = 
match("MESSAGE#44:kernel:02", "nwparser.payload", "%{process}: %{interface}: loopback suspected; %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","loopback suspected om interface"), - dup23, -])); - -var msg45 = msg("kernel:02", part64); - -var part65 = match("MESSAGE#45:kernel:03", "nwparser.payload", "%{process}: %{service}: soreceive() error %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","soreceive error"), - dup23, -])); - -var msg46 = msg("kernel:03", part65); - -var part66 = match("MESSAGE#46:kernel:04", "nwparser.payload", "%{process}: %{service->} !VALID(state 4)->%{result}", processor_chain([ - dup21, - dup22, - setc("event_description","pfe_peer_alloc state 4"), - dup23, -])); - -var msg47 = msg("kernel:04", part66); - -var part67 = match("MESSAGE#47:kernel:05", "nwparser.payload", "%{fld1->} %{hostip->} (%{fld2}) %{fld3->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ - dup21, - dup22, - dup32, - dup23, -])); - -var msg48 = msg("kernel:05", part67); - -var part68 = match("MESSAGE#48:kernel:06", "nwparser.payload", "%{fld1->} %{hostip->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ - dup21, - dup22, - dup32, - dup23, -])); - -var msg49 = msg("kernel:06", part68); - -var select17 = linear_select([ - msg41, - msg42, - msg43, - msg44, - msg45, - msg46, - msg47, - msg48, - msg49, -]); - -var part69 = match("MESSAGE#49:successful_login", "nwparser.payload", "%{process}: login from %{saddr->} on %{interface->} as %{username}", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","successful user login"), - dup23, -])); - -var msg50 = msg("successful_login", part69); - -var part70 = match("MESSAGE#50:login_attempt", "nwparser.payload", "%{process}: Login attempt for user %{username->} from host %{hostip}", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup22, - setc("event_description","user login 
attempt"), - dup23, -])); - -var msg51 = msg("login_attempt", part70); - -var part71 = match("MESSAGE#51:login", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ - dup33, - dup34, - dup37, - dup22, - setc("event_description","PAM module return from login"), - dup23, -])); - -var msg52 = msg("login", part71); - -var select18 = linear_select([ - msg50, - msg51, - msg52, -]); - -var part72 = match("MESSAGE#52:lsys_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing lsys root-logical-system %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","processing lsys root-logical-system"), - dup23, -])); - -var msg53 = msg("lsys_ssam_handler", part72); - -var part73 = match("MESSAGE#53:mcsn", "nwparser.payload", "%{process}[%{process_id}]: Removing mif from group [%{group}] %{space->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Removing mif from group"), - dup23, -])); - -var msg54 = msg("mcsn", part73); - -var part74 = match("MESSAGE#54:mrvl_dfw_log_effuse_status", "nwparser.payload", "%{process}: Firewall rows could not be redirected on device %{device}.", processor_chain([ - dup30, - dup22, - setc("event_description","Firewall rows could not be redirected on device"), - dup23, -])); - -var msg55 = msg("mrvl_dfw_log_effuse_status", part74); - -var part75 = match("MESSAGE#55:MRVL-L2", "nwparser.payload", "%{process}:%{action}(),%{process_id}:MFilter (%{filter}) already exists", processor_chain([ - dup30, - dup22, - setc("event_description","mfilter already exists for add"), - dup23, -])); - -var msg56 = msg("MRVL-L2", part75); - -var part76 = match("MESSAGE#56:profile_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing profile SP-root %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","processing profile SP-root"), - dup23, -])); - -var msg57 = msg("profile_ssam_handler", part76); - -var 
part77 = match("MESSAGE#57:pst_nat_binding_set_profile", "nwparser.payload", "%{node->} %{process}: %{event_source}: can't get resource bucket %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","can't get resource bucket"), - dup23, -])); - -var msg58 = msg("pst_nat_binding_set_profile", part77); - -var part78 = match("MESSAGE#58:task_reconfigure", "nwparser.payload", "%{process}[%{process_id}]: task_reconfigure %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","reinitializing done"), - dup23, -])); - -var msg59 = msg("task_reconfigure", part78); - -var part79 = match("MESSAGE#59:tnetd/0_0", "nwparser.payload", "%{process}[%{process_id}]:%{service}[%{fld1}]: exit status%{resultcode}"); - -var part80 = match_copy("MESSAGE#59:tnetd/0_1", "nwparser.payload", "fld3"); - -var select19 = linear_select([ - part79, - part80, -]); - -var all12 = all_match({ - processors: [ - select19, - ], - on_success: processor_chain([ - dup21, - dup22, - dup23, - dup24, - ]), -}); - -var msg60 = msg("tnetd", all12); - -var part81 = match("MESSAGE#60:PFEMAN", "nwparser.payload", "%{process}: Session manager active", processor_chain([ - dup21, - dup22, - setc("event_description","Session manager active"), - dup23, -])); - -var msg61 = msg("PFEMAN", part81); - -var part82 = match("MESSAGE#61:mgd", "nwparser.payload", "%{process}[%{process_id}]: Could not send message to %{service}", processor_chain([ - dup30, - dup22, - setc("event_description","Could not send message to service"), - dup23, -])); - -var msg62 = msg("mgd", part82); - -var part83 = match("MESSAGE#62:Resolve", "nwparser.payload", "Resolve request came for an address matching on Wrong nh nh:%{result}, %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","Resolve request came for an address matching on Wrong nh"), - dup23, -])); - -var msg63 = msg("Resolve", part83); - -var part84 = match("MESSAGE#63:respawn", "nwparser.payload", "%{process}: 
%{service->} exited with status = %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","service exited with status"), - dup23, -])); - -var msg64 = msg("respawn", part84); - -var part85 = match("MESSAGE#64:root", "nwparser.payload", "%{process}: %{node}: This system does not have 3-DNS or Link Controller enabled", processor_chain([ - dup30, - dup22, - setc("event_description","system does not have 3-DNS or Link Controller enabled"), - dup23, -])); - -var msg65 = msg("root", part85); - -var part86 = match("MESSAGE#65:rpd", "nwparser.payload", "%{process}[%{process_id}]: Received %{result->} for intf device %{interface}; mc_ae_id %{dclass_counter1}, status %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","Received data for interface"), - dup23, -])); - -var msg66 = msg("rpd", part86); - -var part87 = match("MESSAGE#66:rpd:01", "nwparser.payload", "%{process}[%{process_id}]: RSVP neighbor %{daddr->} up on interface %{interface}", processor_chain([ - dup21, - dup22, - setc("event_description","RSVP neighbor up on interface "), - dup23, -])); - -var msg67 = msg("rpd:01", part87); - -var part88 = match("MESSAGE#67:rpd:02", "nwparser.payload", "%{process}[%{process_id}]: %{saddr->} (%{shost}): reseting pending active connection", processor_chain([ - dup21, - dup22, - setc("event_description","reseting pending active connection"), - dup23, -])); - -var msg68 = msg("rpd:02", part88); - -var part89 = match("MESSAGE#68:rpd_proceeding", "nwparser.payload", "%{process}: proceeding. 
%{param}", processor_chain([ - dup21, - dup22, - dup38, - dup23, -])); - -var msg69 = msg("rpd_proceeding", part89); - -var select20 = linear_select([ - msg66, - msg67, - msg68, - msg69, -]); - -var part90 = match("MESSAGE#69:rshd", "nwparser.payload", "%{process}[%{process_id}]: %{username->} as root: cmd='%{action}'", processor_chain([ - dup21, - dup22, - setc("event_description","user issuing command as root"), - dup23, -])); - -var msg70 = msg("rshd", part90); - -var part91 = match("MESSAGE#70:sfd", "nwparser.payload", "%{process}: Waiting on accept", processor_chain([ - dup21, - dup22, - setc("event_description","sfd waiting on accept"), - dup23, -])); - -var msg71 = msg("sfd", part91); - -var part92 = match("MESSAGE#71:sshd", "nwparser.payload", "%{process}[%{process_id}]: Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol}", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","Accepted password"), - dup23, -])); - -var msg72 = msg("sshd", part92); - -var part93 = match("MESSAGE#73:sshd:02", "nwparser.payload", "%{process}[%{process_id}]: Received disconnect from %{shost}: %{fld1}: %{result}", processor_chain([ - dup27, - dup22, - setc("event_description","Received disconnect"), - dup23, -])); - -var msg73 = msg("sshd:02", part93); - -var part94 = match("MESSAGE#74:sshd:03", "nwparser.payload", "%{process}[%{process_id}]: Did not receive identification string from %{saddr}", processor_chain([ - dup30, - dup22, - setc("result","no identification string"), - setc("event_description","Did not receive identification string from peer"), - dup23, -])); - -var msg74 = msg("sshd:03", part94); - -var part95 = match("MESSAGE#75:sshd:04", "nwparser.payload", "%{process}[%{process_id}]: Could not write ident string to %{dhost}", processor_chain([ - dup30, - dup22, - setc("event_description","Could not write ident string"), - dup23, -])); - -var msg75 = msg("sshd:04", part95); - -var part96 = 
match("MESSAGE#76:sshd:05", "nwparser.payload", "%{process}[%{process_id}]: subsystem request for netconf", processor_chain([ - dup21, - dup22, - setc("event_description","subsystem request for netconf"), - dup23, -])); - -var msg76 = msg("sshd:05", part96); - -var part97 = match("MESSAGE#77:sshd:06/2", "nwparser.p0", "sendmsg to %{saddr}(%{shost}).%{sport}: %{info}"); - -var all13 = all_match({ - processors: [ - dup39, - dup137, - part97, - ], - on_success: processor_chain([ - dup29, - dup22, - setc("event_description","send message stats"), - dup23, - ]), -}); - -var msg77 = msg("sshd:06", all13); - -var part98 = match("MESSAGE#78:sshd:07/2", "nwparser.p0", "Added radius server %{saddr}(%{shost})"); - -var all14 = all_match({ - processors: [ - dup39, - dup137, - part98, - ], - on_success: processor_chain([ - dup42, - setc("ec_theme","Configuration"), - setc("ec_activity","Modify"), - dup37, - dup22, - setc("event_description","Added radius server"), - dup23, - ]), -}); - -var msg78 = msg("sshd:07", all14); - -var part99 = match("MESSAGE#79:sshd:08", "nwparser.payload", "%{process}[%{process_id}]: %{result}: %{space->} [%{resultcode}]authentication error", processor_chain([ - setc("eventcategory","1301020000"), - dup34, - dup43, - dup22, - setc("event_description","authentication error"), - dup23, -])); - -var msg79 = msg("sshd:08", part99); - -var part100 = match("MESSAGE#80:sshd:09", "nwparser.payload", "%{process}[%{process_id}]: unrecognized attribute in %{policyname}: %{change_attribute}", processor_chain([ - dup30, - dup22, - setc("event_description","unrecognized attribute in policy"), - dup23, -])); - -var msg80 = msg("sshd:09", part100); - -var part101 = match("MESSAGE#81:sshd:10", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ - dup44, - dup34, - dup43, - dup22, - setc("event_description","PAM module return from sshd"), - dup23, -])); - -var msg81 = msg("sshd:10", part101); 
- -var part102 = match("MESSAGE#82:sshd:11", "nwparser.payload", "%{process}: PAM authentication chain returned: %{space}[%{resultcode}]%{result}", processor_chain([ - dup44, - dup34, - dup43, - dup22, - setc("event_description","PAM authentication chain return"), - dup23, -])); - -var msg82 = msg("sshd:11", part102); - -var part103 = match("MESSAGE#83:sshd:12", "nwparser.payload", "%{process}: %{severity}: can't get client address: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","can't get client address"), - dup23, -])); - -var msg83 = msg("sshd:12", part103); - -var part104 = match("MESSAGE#84:sshd:13", "nwparser.payload", "%{process}: auth server unresponsive", processor_chain([ - dup30, - dup22, - setc("event_description","auth server unresponsive"), - dup23, -])); - -var msg84 = msg("sshd:13", part104); - -var part105 = match("MESSAGE#85:sshd:14", "nwparser.payload", "%{process}: %{service}: No valid RADIUS responses received", processor_chain([ - dup30, - dup22, - setc("event_description","No valid RADIUS responses received"), - dup23, -])); - -var msg85 = msg("sshd:14", part105); - -var part106 = match("MESSAGE#86:sshd:15", "nwparser.payload", "%{process}: Moving to next server: %{saddr}(%{shost}).%{sport}", processor_chain([ - dup21, - dup22, - setc("event_description","Moving to next server"), - dup23, -])); - -var msg86 = msg("sshd:15", part106); - -var part107 = match("MESSAGE#87:sshd:16", "nwparser.payload", "%{fld1->} sshd: SSHD_LOGIN_FAILED: Login failed for user '%{username}' from host '%{hostip}'.", processor_chain([ - dup44, - dup34, - dup43, - dup22, - setc("event_description","Login failed for user"), - dup23, -])); - -var msg87 = msg("sshd:16", part107); - -var select21 = linear_select([ - msg72, - msg73, - msg74, - msg75, - msg76, - msg77, - msg78, - msg79, - msg80, - msg81, - msg82, - msg83, - msg84, - msg85, - msg86, - msg87, -]); - -var part108 = match("MESSAGE#72:Failed:05/0", "nwparser.payload", 
"%{process}[%{process_id}]: Failed password for %{p0}"); - -var part109 = match("MESSAGE#72:Failed:05/1_0", "nwparser.p0", "illegal user %{p0}"); - -var part110 = match("MESSAGE#72:Failed:05/1_1", "nwparser.p0", "invalid user %{p0}"); - -var select22 = linear_select([ - part109, - part110, - dup45, -]); - -var part111 = match("MESSAGE#72:Failed:05/2", "nwparser.p0", "%{username->} from %{saddr->} port %{sport->} %{protocol}"); - -var all15 = all_match({ - processors: [ - part108, - select22, - part111, - ], - on_success: processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - setc("event_description","authentication failure"), - dup23, - ]), -}); - -var msg88 = msg("Failed:05", all15); - -var part112 = match("MESSAGE#746:Failed/0", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: Failed to resolve ipv%{p0}"); - -var part113 = match("MESSAGE#746:Failed/1_0", "nwparser.p0", "4%{p0}"); - -var part114 = match("MESSAGE#746:Failed/1_1", "nwparser.p0", "6%{p0}"); - -var select23 = linear_select([ - part113, - part114, -]); - -var part115 = match("MESSAGE#746:Failed/2", "nwparser.p0", "%{}addresses for domain name %{sdomain}"); - -var all16 = all_match({ - processors: [ - part112, - select23, - part115, - ], - on_success: processor_chain([ - dup46, - dup47, - dup23, - dup22, - ]), -}); - -var msg89 = msg("Failed", all16); - -var part116 = match("MESSAGE#767:Failed:01", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: %{fld1}", processor_chain([ - dup46, - dup23, - dup22, -])); - -var msg90 = msg("Failed:01", part116); - -var part117 = match("MESSAGE#768:Failed:02/0_0", "nwparser.payload", "%{fld1->} to create a route if table for Multiservice"); - -var part118 = match_copy("MESSAGE#768:Failed:02/0_1", "nwparser.payload", "fld10"); - -var select24 = linear_select([ - part117, - part118, -]); - -var all17 = all_match({ - processors: [ - select24, - ], - on_success: processor_chain([ - dup46, - dup23, - dup22, - 
setf("hostname","hfld1"), - ]), -}); - -var msg91 = msg("Failed:02", all17); - -var select25 = linear_select([ - msg88, - msg89, - msg90, - msg91, -]); - -var part119 = match("MESSAGE#88:syslogd", "nwparser.payload", "%{process}: restart", processor_chain([ - dup21, - dup22, - setc("event_description","syslog daemon restart"), - dup23, -])); - -var msg92 = msg("syslogd", part119); - -var part120 = match("MESSAGE#89:ucd-snmp", "nwparser.payload", "%{process}[%{process_id}]: AUDIT -- Action %{action->} User: %{username}", processor_chain([ - dup21, - dup22, - dup25, - dup23, -])); - -var msg93 = msg("ucd-snmp", part120); - -var part121 = match("MESSAGE#90:ucd-snmp:01", "nwparser.payload", "%{process}[%{process_id}]: Received TERM or STOP signal %{space->} %{result}.", processor_chain([ - dup21, - dup22, - setc("event_description","Received TERM or STOP signal"), - dup23, -])); - -var msg94 = msg("ucd-snmp:01", part121); - -var select26 = linear_select([ - msg93, - msg94, -]); - -var part122 = match("MESSAGE#91:usp_ipc_client_reconnect", "nwparser.payload", "%{node->} %{process}: failed to connect to the server: %{result->} (%{resultcode})", processor_chain([ - dup27, - dup22, - setc("event_description","failed to connect to the server"), - dup23, -])); - -var msg95 = msg("usp_ipc_client_reconnect", part122); - -var part123 = match("MESSAGE#92:usp_trace_ipc_disconnect", "nwparser.payload", "%{node->} %{process}:Trace client disconnected. 
%{result}", processor_chain([ - dup27, - dup22, - setc("event_description","Trace client disconnected"), - dup23, -])); - -var msg96 = msg("usp_trace_ipc_disconnect", part123); - -var part124 = match("MESSAGE#93:usp_trace_ipc_reconnect", "nwparser.payload", "%{node->} %{process}:USP trace client cannot reconnect to server", processor_chain([ - dup30, - dup22, - setc("event_description","USP trace client cannot reconnect to server"), - dup23, -])); - -var msg97 = msg("usp_trace_ipc_reconnect", part124); - -var part125 = match("MESSAGE#94:uspinfo", "nwparser.payload", "%{process}: flow_print_session_summary_output received %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","flow_print_session_summary_output received"), - dup23, -])); - -var msg98 = msg("uspinfo", part125); - -var part126 = match("MESSAGE#95:Version", "nwparser.payload", "Version %{version->} by builder on %{event_time_string}", processor_chain([ - dup21, - dup22, - setc("event_description","Version build date"), - dup23, -])); - -var msg99 = msg("Version", part126); - -var part127 = match("MESSAGE#96:xntpd", "nwparser.payload", "%{process}[%{process_id}]: frequency initialized %{result->} from %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","frequency initialized from file"), - dup23, -])); - -var msg100 = msg("xntpd", part127); - -var part128 = match("MESSAGE#97:xntpd:01", "nwparser.payload", "%{process}[%{process_id}]: ntpd %{version->} %{event_time_string->} (%{resultcode})", processor_chain([ - dup21, - dup22, - setc("event_description","nptd version build"), - dup23, -])); - -var msg101 = msg("xntpd:01", part128); - -var part129 = match("MESSAGE#98:xntpd:02", "nwparser.payload", "%{process}: kernel time sync enabled %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","kernel time sync enabled"), - dup23, -])); - -var msg102 = msg("xntpd:02", part129); - -var part130 = match("MESSAGE#99:xntpd:03", "nwparser.payload", 
"%{process}[%{process_id}]: NTP Server %{result}", processor_chain([ - dup21, - dup22, - dup32, - dup23, -])); - -var msg103 = msg("xntpd:03", part130); - -var select27 = linear_select([ - msg100, - msg101, - msg102, - msg103, -]); - -var part131 = match("MESSAGE#100:last", "nwparser.payload", "last message repeated %{dclass_counter1->} times", processor_chain([ - dup21, - dup22, - setc("event_description","last message repeated"), - dup23, -])); - -var msg104 = msg("last", part131); - -var part132 = match("MESSAGE#739:last:01", "nwparser.payload", "message repeated %{dclass_counter1->} times", processor_chain([ - dup48, - dup47, - dup23, - dup22, - dup24, -])); - -var msg105 = msg("last:01", part132); - -var select28 = linear_select([ - msg104, - msg105, -]); - -var part133 = match("MESSAGE#101:BCHIP", "nwparser.payload", "%{process->} %{device}: cannot write ucode mask reg", processor_chain([ - dup30, - dup22, - setc("event_description","cannot write ucode mask reg"), - dup23, -])); - -var msg106 = msg("BCHIP", part133); - -var part134 = match("MESSAGE#102:CM", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}: On-line", processor_chain([ - dup21, - dup22, - setc("event_description","Slot on-line"), - dup23, -])); - -var msg107 = msg("CM", part134); - -var part135 = match("MESSAGE#103:COS", "nwparser.payload", "%{process}: Received FC->Q map, %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","Received FC Q map"), - dup23, -])); - -var msg108 = msg("COS", part135); - -var part136 = match("MESSAGE#104:COSFPC", "nwparser.payload", "%{process}: ifd %{resultcode}: %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","ifd error"), - dup23, -])); - -var msg109 = msg("COSFPC", part136); - -var part137 = match("MESSAGE#105:COSMAN", "nwparser.payload", "%{process}: %{service}: delete class_to_ifl table %{dclass_counter1}, ifl %{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","delete class 
to ifl link"), - dup23, -])); - -var msg110 = msg("COSMAN", part137); - -var part138 = match("MESSAGE#106:RDP", "nwparser.payload", "%{process}: Keepalive timeout for rdp.(%{interface}).(%{device}) (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","Keepalive timeout"), - dup23, -])); - -var msg111 = msg("RDP", part138); - -var part139 = match("MESSAGE#107:SNTPD", "nwparser.payload", "%{process}: Initial time of day set", processor_chain([ - dup30, - dup22, - setc("event_description","Initial time of day set"), - dup23, -])); - -var msg112 = msg("SNTPD", part139); - -var part140 = match("MESSAGE#108:SSB", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}, serial number S/N %{serial_number}.", processor_chain([ - dup21, - dup22, - setc("event_description","Slot serial number"), - dup23, -])); - -var msg113 = msg("SSB", part140); - -var part141 = match("MESSAGE#109:ACCT_ACCOUNTING_FERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error %{result->} from file %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","Unexpected error"), - dup23, -])); - -var msg114 = msg("ACCT_ACCOUNTING_FERROR", part141); - -var part142 = match("MESSAGE#110:ACCT_ACCOUNTING_FOPEN_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to open file %(unknown): %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Failed to open file"), - dup23, -])); - -var msg115 = msg("ACCT_ACCOUNTING_FOPEN_ERROR", part142); - -var part143 = match("MESSAGE#111:ACCT_ACCOUNTING_SMALL_FILE_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File %{filename->} size (%{dclass_counter1}) is smaller than record size (%{dclass_counter2})", processor_chain([ - dup49, - dup22, - setc("event_description","File size mismatch"), - dup23, -])); - -var msg116 = msg("ACCT_ACCOUNTING_SMALL_FILE_SIZE", part143); - -var part144 = match("MESSAGE#112:ACCT_BAD_RECORD_FORMAT", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid statistics record: %{result}", processor_chain([ - dup49, - dup22, - setc("event_description","Invalid statistics record"), - dup23, -])); - -var msg117 = msg("ACCT_BAD_RECORD_FORMAT", part144); - -var part145 = match("MESSAGE#113:ACCT_CU_RTSLIB_error", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} getting class usage statistics for interface %{interface}: %{result}", processor_chain([ - dup49, - dup22, - setc("event_description","Class usage statistics error for interface"), - dup23, -])); - -var msg118 = msg("ACCT_CU_RTSLIB_error", part145); - -var part146 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_0", "nwparser.p0", "Error %{resultcode->} trying %{p0}"); - -var part147 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_1", "nwparser.p0", "trying %{p0}"); - -var select29 = linear_select([ - part146, - part147, -]); - -var part148 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/2", "nwparser.p0", "to get hostname%{}"); - -var all18 = all_match({ - processors: [ - dup50, - select29, - part148, - ], - on_success: processor_chain([ - dup49, - dup22, - setc("event_description","error trying to get hostname"), - dup23, - ]), -}); - -var msg119 = msg("ACCT_GETHOSTNAME_error", all18); - -var part149 = match("MESSAGE#115:ACCT_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed while reallocating %{obj_name}", processor_chain([ - dup51, - dup22, - setc("event_description","Memory allocation failure"), - dup23, -])); - -var msg120 = msg("ACCT_MALLOC_FAILURE", part149); - -var part150 = match("MESSAGE#116:ACCT_UNDEFINED_COUNTER_NAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} in accounting profile %{dclass_counter1->} is not defined in a firewall using this filter profile", processor_chain([ - dup30, - dup22, - setc("event_description","Accounting profile counter not defined in firewall"), - 
dup23, -])); - -var msg121 = msg("ACCT_UNDEFINED_COUNTER_NAME", part150); - -var part151 = match("MESSAGE#117:ACCT_XFER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: %{disposition}", processor_chain([ - dup30, - dup22, - setc("event_description","ACCT_XFER_FAILED"), - dup23, -])); - -var msg122 = msg("ACCT_XFER_FAILED", part151); - -var part152 = match("MESSAGE#118:ACCT_XFER_POPEN_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: in invoking command command to transfer file %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","POPEN FAIL invoking command command to transfer file"), - dup23, -])); - -var msg123 = msg("ACCT_XFER_POPEN_FAIL", part152); - -var part153 = match("MESSAGE#119:APPQOS_LOG_EVENT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} timestamp=\"%{result}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" application-name=\"%{application}\" rule-set-name=\"%{rule_group}\" rule-name=\"%{rulename}\" action=\"%{action}\" argument=\"%{fld2}\" argument1=\"%{fld3}\"]", processor_chain([ - dup28, - dup22, - dup52, -])); - -var msg124 = msg("APPQOS_LOG_EVENT", part153); - -var part154 = match("MESSAGE#120:APPTRACK_SESSION_CREATE", "nwparser.payload", "%{event_type}: AppTrack session created %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username->} %{fld10}", processor_chain([ - dup28, - dup53, - dup54, - dup22, - setc("result","AppTrack session created"), - dup23, -])); - -var msg125 = msg("APPTRACK_SESSION_CREATE", part154); - -var part155 = match("MESSAGE#121:APPTRACK_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} 
reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ - dup28, - dup53, - dup55, - dup22, - dup52, -])); - -var msg126 = msg("APPTRACK_SESSION_CLOSE", part155); - -var part156 = match("MESSAGE#122:APPTRACK_SESSION_CLOSE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ - dup28, - dup53, - dup55, - dup22, - dup23, -])); - -var msg127 = msg("APPTRACK_SESSION_CLOSE:01", part156); - -var select30 = linear_select([ - msg126, - msg127, -]); - -var part157 = match("MESSAGE#123:APPTRACK_SESSION_VOL_UPDATE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" 
policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ - dup28, - dup53, - dup22, - dup52, -])); - -var msg128 = msg("APPTRACK_SESSION_VOL_UPDATE", part157); - -var part158 = match("MESSAGE#124:APPTRACK_SESSION_VOL_UPDATE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ - dup28, - dup53, - dup22, - dup23, -])); - -var msg129 = msg("APPTRACK_SESSION_VOL_UPDATE:01", part158); - -var select31 = linear_select([ - msg128, - msg129, -]); - -var msg130 = msg("BFDD_TRAP_STATE_DOWN", dup138); - -var msg131 = msg("BFDD_TRAP_STATE_UP", dup138); - -var part159 = match("MESSAGE#127:bgp_connect_start", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect %{saddr->} (%{shost}): %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","bgp connect error"), - dup23, -])); - -var msg132 = msg("bgp_connect_start", part159); - -var part160 = match("MESSAGE#128:bgp_event", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) old state %{change_old->} event %{action->} new state %{change_new}", processor_chain([ - dup21, - dup22, - setc("event_description","bgp peer state change"), - dup23, -])); - -var msg133 = msg("bgp_event", part160); - -var part161 = match("MESSAGE#129:bgp_listen_accept", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection attempt from unconfigured neighbor: 
%{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Connection attempt from unconfigured neighbor"), - dup23, -])); - -var msg134 = msg("bgp_listen_accept", part161); - -var part162 = match("MESSAGE#130:bgp_listen_reset", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","bgp reset"), - dup23, -])); - -var msg135 = msg("bgp_listen_reset", part162); - -var part163 = match("MESSAGE#131:bgp_nexthop_sanity", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) next hop %{saddr->} local, %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","peer next hop local"), - dup23, -])); - -var msg136 = msg("bgp_nexthop_sanity", part163); - -var part164 = match("MESSAGE#132:bgp_process_caps", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{severity->} (%{action}) subcode %{version->} (%{result}) value %{disposition}", processor_chain([ - dup30, - dup22, - setc("event_description","code RED error NOTIFICATION sent"), - dup23, -])); - -var msg137 = msg("bgp_process_caps", part164); - -var part165 = match("MESSAGE#133:bgp_process_caps:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ - dup30, - dup22, - dup57, - dup23, -])); - -var msg138 = msg("bgp_process_caps:01", part165); - -var select32 = linear_select([ - msg137, - msg138, -]); - -var part166 = match("MESSAGE#134:bgp_pp_recv", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: dropping %{daddr->} (%{dhost}), %{info->} (%{protocol})", processor_chain([ - dup30, - dup22, - setc("event_description","connection collision"), - setc("result","dropping connection to peer"), - dup23, -])); - -var msg139 = msg("bgp_pp_recv", part166); - -var part167 = 
match("MESSAGE#135:bgp_pp_recv:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}): received unexpected EOF", processor_chain([ - dup30, - dup22, - setc("event_description","peer received unexpected EOF"), - dup23, -])); - -var msg140 = msg("bgp_pp_recv:01", part167); - -var select33 = linear_select([ - msg139, - msg140, -]); - -var part168 = match("MESSAGE#136:bgp_send", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sending %{sbytes->} bytes to %{daddr->} (%{dhost}) blocked (%{disposition}): %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","bgp send blocked error"), - dup23, -])); - -var msg141 = msg("bgp_send", part168); - -var part169 = match("MESSAGE#137:bgp_traffic_timeout", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","bgp timeout NOTIFICATION sent"), - dup23, -])); - -var msg142 = msg("bgp_traffic_timeout", part169); - -var part170 = match("MESSAGE#138:BOOTPD_ARG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring unknown option %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","boot argument error"), - dup23, -])); - -var msg143 = msg("BOOTPD_ARG_ERR", part170); - -var part171 = match("MESSAGE#139:BOOTPD_BAD_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","boot unexpected Id value"), - dup23, -])); - -var msg144 = msg("BOOTPD_BAD_ID", part171); - -var part172 = match("MESSAGE#140:BOOTPD_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Boot string: %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","Invalid boot string"), - dup23, -])); - -var msg145 = msg("BOOTPD_BOOTSTRING", 
part172); - -var part173 = match("MESSAGE#141:BOOTPD_CONFIG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file '%(unknown)', %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","configuration file error"), - dup23, -])); - -var msg146 = msg("BOOTPD_CONFIG_ERR", part173); - -var part174 = match("MESSAGE#142:BOOTPD_CONF_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open configuration file '%(unknown)'", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to open configuration file"), - dup23, -])); - -var msg147 = msg("BOOTPD_CONF_OPEN", part174); - -var part175 = match("MESSAGE#143:BOOTPD_DUP_REV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate revision: %{version}", processor_chain([ - dup30, - dup22, - setc("event_description","boot - Duplicate revision"), - dup23, -])); - -var msg148 = msg("BOOTPD_DUP_REV", part175); - -var part176 = match("MESSAGE#144:BOOTPD_DUP_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate slot default: %{ssid}", processor_chain([ - dup30, - dup22, - setc("event_description","boot - duplicate slot"), - dup23, -])); - -var msg149 = msg("BOOTPD_DUP_SLOT", part176); - -var part177 = match("MESSAGE#145:BOOTPD_MODEL_CHK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{id->} for model %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","Unexpected ID for model"), - dup23, -])); - -var msg150 = msg("BOOTPD_MODEL_CHK", part177); - -var part178 = match("MESSAGE#146:BOOTPD_MODEL_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unsupported model %{dclass_counter1}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unsupported model"), - dup23, -])); - -var msg151 = msg("BOOTPD_MODEL_ERR", part178); - -var part179 = match("MESSAGE#147:BOOTPD_NEW_CONF", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: New configuration installed", processor_chain([ - dup21, - dup22, - setc("event_description","New configuration installed"), - dup23, -])); - -var msg152 = msg("BOOTPD_NEW_CONF", part179); - -var part180 = match("MESSAGE#148:BOOTPD_NO_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No boot string found for type %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","No boot string found"), - dup23, -])); - -var msg153 = msg("BOOTPD_NO_BOOTSTRING", part180); - -var part181 = match("MESSAGE#149:BOOTPD_NO_CONFIG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No configuration file '%(unknown)', %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","No configuration file found"), - dup23, -])); - -var msg154 = msg("BOOTPD_NO_CONFIG", part181); - -var part182 = match("MESSAGE#150:BOOTPD_PARSE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown): number parse errors on SIGHUP", processor_chain([ - dup30, - dup22, - setc("event_description","parse errors on SIGHUP"), - dup23, -])); - -var msg155 = msg("BOOTPD_PARSE_ERR", part182); - -var part183 = match("MESSAGE#151:BOOTPD_REPARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reparsing configuration file '%(unknown)'", processor_chain([ - dup21, - dup22, - setc("event_description","Reparsing configuration file"), - dup23, -])); - -var msg156 = msg("BOOTPD_REPARSE", part183); - -var part184 = match("MESSAGE#152:BOOTPD_SELECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","select error"), - dup23, -])); - -var msg157 = msg("BOOTPD_SELECT_ERR", part184); - -var part185 = match("MESSAGE#153:BOOTPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout %{result->} unreasonable", processor_chain([ - 
dup30, - dup22, - setc("event_description","timeout unreasonable"), - dup23, -])); - -var msg158 = msg("BOOTPD_TIMEOUT", part185); - -var part186 = match("MESSAGE#154:BOOTPD_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version: %{version->} built by builder on %{event_time_string}", processor_chain([ - dup21, - dup22, - setc("event_description","boot version built"), - dup23, -])); - -var msg159 = msg("BOOTPD_VERSION", part186); - -var part187 = match("MESSAGE#155:CHASSISD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{version->} built by builder on %{event_time_string}", processor_chain([ - dup58, - dup22, - setc("event_description","CHASSISD release built"), - dup23, -])); - -var msg160 = msg("CHASSISD", part187); - -var part188 = match("MESSAGE#156:CHASSISD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown option %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD Unknown option"), - dup23, -])); - -var msg161 = msg("CHASSISD_ARGUMENT_ERROR", part188); - -var part189 = match("MESSAGE#157:CHASSISD_BLOWERS_SPEED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers are now running at normal speed", processor_chain([ - dup21, - dup22, - setc("event_description","Fans and impellers are now running at normal speed"), - dup23, -])); - -var msg162 = msg("CHASSISD_BLOWERS_SPEED", part189); - -var part190 = match("MESSAGE#158:CHASSISD_BLOWERS_SPEED_FULL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers being set to full speed [%{result}]", processor_chain([ - dup21, - dup22, - setc("event_description","Fans and impellers being set to full speed"), - dup23, -])); - -var msg163 = msg("CHASSISD_BLOWERS_SPEED_FULL", part190); - -var part191 = match("MESSAGE#159:CHASSISD_CB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading midplane ID EEPROM, 
%{dclass_counter1->} %{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","reading midplane ID EEPROM"), - dup23, -])); - -var msg164 = msg("CHASSISD_CB_READ", part191); - -var part192 = match("MESSAGE#160:CHASSISD_COMMAND_ACK_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} online ack code %{dclass_counter1->} - - %{result}, %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD COMMAND ACK ERROR"), - dup23, -])); - -var msg165 = msg("CHASSISD_COMMAND_ACK_ERROR", part192); - -var part193 = match("MESSAGE#161:CHASSISD_COMMAND_ACK_SF_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{disposition->} - %{result}, code %{resultcode}, SFM %{dclass_counter1}, FPC %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD COMMAND ACK SF ERROR"), - dup23, -])); - -var msg166 = msg("CHASSISD_COMMAND_ACK_SF_ERROR", part193); - -var part194 = match("MESSAGE#162:CHASSISD_CONCAT_MODE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Cannot set no-concatenated mode for FPC %{dclass_counter2->} PIC %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","Cannot set no-concatenated mode for FPC"), - dup23, -])); - -var msg167 = msg("CHASSISD_CONCAT_MODE_ERROR", part194); - -var part195 = match("MESSAGE#163:CHASSISD_CONFIG_INIT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file %(unknown); %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CONFIG File Problem"), - dup23, -])); - -var msg168 = msg("CHASSISD_CONFIG_INIT_ERROR", part195); - -var part196 = match("MESSAGE#164:CHASSISD_CONFIG_WARNING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown): %{result}, FPC %{dclass_counter2->} %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD CONFIG 
WARNING"), - dup23, -])); - -var msg169 = msg("CHASSISD_CONFIG_WARNING", part196); - -var part197 = match("MESSAGE#165:CHASSISD_EXISTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd already running; %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","chassisd already running"), - dup23, -])); - -var msg170 = msg("CHASSISD_EXISTS", part197); - -var part198 = match("MESSAGE#166:CHASSISD_EXISTS_TERM_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Killing existing chassisd and exiting", processor_chain([ - dup21, - dup22, - setc("event_description","Killing existing chassisd and exiting"), - dup23, -])); - -var msg171 = msg("CHASSISD_EXISTS_TERM_OTHER", part198); - -var part199 = match("MESSAGE#167:CHASSISD_FILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File open: %(unknown), error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","file open error"), - dup23, -])); - -var msg172 = msg("CHASSISD_FILE_OPEN", part199); - -var part200 = match("MESSAGE#168:CHASSISD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File stat: %(unknown), error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD file statistics error"), - dup23, -])); - -var msg173 = msg("CHASSISD_FILE_STAT", part200); - -var part201 = match("MESSAGE#169:CHASSISD_FRU_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD received restart EVENT"), - dup23, -])); - -var msg174 = msg("CHASSISD_FRU_EVENT", part201); - -var part202 = match("MESSAGE#170:CHASSISD_FRU_IPC_WRITE_ERROR_EXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} FRU %(unknown)#%{resultcode}, %{result->} %{dclass_counter1}, %{dclass_counter2}", processor_chain([ 
- dup30, - dup22, - setc("event_description","CHASSISD restart WRITE_ERROR"), - dup23, -])); - -var msg175 = msg("CHASSISD_FRU_IPC_WRITE_ERROR_EXT", part202); - -var part203 = match("MESSAGE#171:CHASSISD_FRU_STEP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} %{resultcode->} at step %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD FRU STEP ERROR"), - dup23, -])); - -var msg176 = msg("CHASSISD_FRU_STEP_ERROR", part203); - -var part204 = match("MESSAGE#172:CHASSISD_GETTIMEOFDAY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error from gettimeofday: %{resultcode->} - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","Unexpected error from gettimeofday"), - dup23, -])); - -var msg177 = msg("CHASSISD_GETTIMEOFDAY", part204); - -var part205 = match("MESSAGE#173:CHASSISD_HOST_TEMP_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading host temperature sensor", processor_chain([ - dup21, - dup22, - setc("event_description","reading host temperature sensor"), - dup23, -])); - -var msg178 = msg("CHASSISD_HOST_TEMP_READ", part205); - -var part206 = match("MESSAGE#174:CHASSISD_IFDEV_DETACH_ALL_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ - dup21, - dup22, - setc("event_description","detaching all pseudo devices"), - dup23, -])); - -var msg179 = msg("CHASSISD_IFDEV_DETACH_ALL_PSEUDO", part206); - -var part207 = match("MESSAGE#175:CHASSISD_IFDEV_DETACH_FPC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{resultcode})", processor_chain([ - dup21, - dup22, - setc("event_description","CHASSISD IFDEV DETACH FPC"), - dup23, -])); - -var msg180 = msg("CHASSISD_IFDEV_DETACH_FPC", part207); - -var part208 = match("MESSAGE#176:CHASSISD_IFDEV_DETACH_PIC", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: %{service}(%{resultcode})", processor_chain([ - dup21, - dup22, - setc("event_description","CHASSISD IFDEV DETACH PIC"), - dup23, -])); - -var msg181 = msg("CHASSISD_IFDEV_DETACH_PIC", part208); - -var part209 = match("MESSAGE#177:CHASSISD_IFDEV_DETACH_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ - dup21, - dup22, - setc("event_description","CHASSISD IFDEV DETACH PSEUDO"), - dup23, -])); - -var msg182 = msg("CHASSISD_IFDEV_DETACH_PSEUDO", part209); - -var part210 = match("MESSAGE#178:CHASSISD_IFDEV_DETACH_TLV_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD IFDEV DETACH TLV ERROR"), - dup23, -])); - -var msg183 = msg("CHASSISD_IFDEV_DETACH_TLV_ERROR", part210); - -var part211 = match("MESSAGE#179:CHASSISD_IFDEV_GET_BY_INDEX_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: rtslib_ifdm_get_by_index failed: %{resultcode->} - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","rtslib_ifdm_get_by_index failed"), - dup23, -])); - -var msg184 = msg("CHASSISD_IFDEV_GET_BY_INDEX_FAIL", part211); - -var part212 = match("MESSAGE#180:CHASSISD_IPC_MSG_QFULL_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Message Queue full"), - dup23, -])); - -var msg185 = msg("CHASSISD_IPC_MSG_QFULL_ERROR", part212); - -var part213 = match("MESSAGE#181:CHASSISD_IPC_UNEXPECTED_RECV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received unexpected message from %{service}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Received unexpected message"), - dup23, -])); - -var msg186 = 
msg("CHASSISD_IPC_UNEXPECTED_RECV", part213); - -var part214 = match("MESSAGE#182:CHASSISD_IPC_WRITE_ERR_NO_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection pipe %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","FRU has no connection pipe"), - dup23, -])); - -var msg187 = msg("CHASSISD_IPC_WRITE_ERR_NO_PIPE", part214); - -var part215 = match("MESSAGE#183:CHASSISD_IPC_WRITE_ERR_NULL_ARGS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection arguments %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","FRU has no connection arguments"), - dup23, -])); - -var msg188 = msg("CHASSISD_IPC_WRITE_ERR_NULL_ARGS", part215); - -var part216 = match("MESSAGE#184:CHASSISD_MAC_ADDRESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd MAC address allocation error", processor_chain([ - dup30, - dup22, - setc("event_description","chassisd MAC address allocation error"), - dup23, -])); - -var msg189 = msg("CHASSISD_MAC_ADDRESS_ERROR", part216); - -var part217 = match("MESSAGE#185:CHASSISD_MAC_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using default MAC address base", processor_chain([ - dup21, - dup22, - setc("event_description","Using default MAC address base"), - dup23, -])); - -var msg190 = msg("CHASSISD_MAC_DEFAULT", part217); - -var part218 = match("MESSAGE#186:CHASSISD_MBUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} %{resultcode}: management bus failed sanity test", processor_chain([ - dup30, - dup22, - setc("event_description","management bus failed sanity test"), - dup23, -])); - -var msg191 = msg("CHASSISD_MBUS_ERROR", part218); - -var part219 = match("MESSAGE#187:CHASSISD_PARSE_COMPLETE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using new configuration", processor_chain([ - dup21, - dup22, - setc("event_description","Using new 
configuration"), - dup23, -])); - -var msg192 = msg("CHASSISD_PARSE_COMPLETE", part219); - -var part220 = match("MESSAGE#188:CHASSISD_PARSE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{resultcode->} %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD PARSE ERROR"), - dup23, -])); - -var msg193 = msg("CHASSISD_PARSE_ERROR", part220); - -var part221 = match("MESSAGE#189:CHASSISD_PARSE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Parsing configuration file '%(unknown)'", processor_chain([ - dup21, - dup22, - setc("event_description","Parsing configuration file"), - dup23, -])); - -var msg194 = msg("CHASSISD_PARSE_INIT", part221); - -var part222 = match("MESSAGE#190:CHASSISD_PIDFILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open PID file '%(unknown)': %{result->} %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to open PID file"), - dup23, -])); - -var msg195 = msg("CHASSISD_PIDFILE_OPEN", part222); - -var part223 = match("MESSAGE#191:CHASSISD_PIPE_WRITE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Pipe error: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","Pipe error"), - dup23, -])); - -var msg196 = msg("CHASSISD_PIPE_WRITE_ERROR", part223); - -var part224 = match("MESSAGE#192:CHASSISD_POWER_CHECK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} %{dclass_counter1->} not powering up", processor_chain([ - dup59, - dup22, - setc("event_description","device not powering up"), - dup23, -])); - -var msg197 = msg("CHASSISD_POWER_CHECK", part224); - -var part225 = match("MESSAGE#193:CHASSISD_RECONNECT_SUCCESSFUL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Successfully reconnected on soft restart", processor_chain([ - dup21, - dup22, - setc("event_description","Successful reconnect on soft 
restart"), - dup23, -])); - -var msg198 = msg("CHASSISD_RECONNECT_SUCCESSFUL", part225); - -var part226 = match("MESSAGE#194:CHASSISD_RELEASE_MASTERSHIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Release mastership notification", processor_chain([ - dup21, - dup22, - setc("event_description","Release mastership notification"), - dup23, -])); - -var msg199 = msg("CHASSISD_RELEASE_MASTERSHIP", part226); - -var part227 = match("MESSAGE#195:CHASSISD_RE_INIT_INVALID_RE_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: re_init: re %{resultcode}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","re_init Invalid RE slot"), - dup23, -])); - -var msg200 = msg("CHASSISD_RE_INIT_INVALID_RE_SLOT", part227); - -var part228 = match("MESSAGE#196:CHASSISD_ROOT_MOUNT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine the mount point for root directory: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to determine mount point for root directory"), - dup23, -])); - -var msg201 = msg("CHASSISD_ROOT_MOUNT_ERROR", part228); - -var part229 = match("MESSAGE#197:CHASSISD_RTS_SEQ_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifmsg sequence gap %{resultcode->} - - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","ifmsg sequence gap"), - dup23, -])); - -var msg202 = msg("CHASSISD_RTS_SEQ_ERROR", part229); - -var part230 = match("MESSAGE#198:CHASSISD_SBOARD_VERSION_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ - setc("eventcategory","1603040000"), - dup22, - setc("event_description","Version mismatch"), - dup23, -])); - -var msg203 = msg("CHASSISD_SBOARD_VERSION_MISMATCH", part230); - -var part231 = match("MESSAGE#199:CHASSISD_SERIAL_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Serial ID read 
error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","Serial ID read error"), - dup23, -])); - -var msg204 = msg("CHASSISD_SERIAL_ID", part231); - -var part232 = match("MESSAGE#200:CHASSISD_SMB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: fpga download not complete: val %{resultcode}, %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","fpga download not complete"), - dup23, -])); - -var msg205 = msg("CHASSISD_SMB_ERROR", part232); - -var part233 = match("MESSAGE#201:CHASSISD_SNMP_TRAP6", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap generated: %{result->} (%{info})", processor_chain([ - dup58, - dup22, - setc("event_description","SNMP Trap6 generated"), - dup23, -])); - -var msg206 = msg("CHASSISD_SNMP_TRAP6", part233); - -var part234 = match("MESSAGE#202:CHASSISD_SNMP_TRAP7", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP Trap7 generated"), - dup23, -])); - -var msg207 = msg("CHASSISD_SNMP_TRAP7", part234); - -var part235 = match("MESSAGE#203:CHASSISD_SNMP_TRAP10", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP trap - FRU power on"), - dup23, -])); - -var msg208 = msg("CHASSISD_SNMP_TRAP10", part235); - -var part236 = match("MESSAGE#204:CHASSISD_TERM_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received SIGTERM request, %{result}", processor_chain([ - dup60, - dup22, - setc("event_description","Received SIGTERM request"), - dup23, -])); - -var msg209 = msg("CHASSISD_TERM_SIGNAL", part236); - -var part237 = match("MESSAGE#205:CHASSISD_TRACE_PIC_OFFLINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Taking PIC offline - - FPC slot 
%{dclass_counter1}, PIC slot %{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","Taking PIC offline"), - dup23, -])); - -var msg210 = msg("CHASSISD_TRACE_PIC_OFFLINE", part237); - -var part238 = match("MESSAGE#206:CHASSISD_UNEXPECTED_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} returned %{resultcode}: %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","UNEXPECTED EXIT"), - dup23, -])); - -var msg211 = msg("CHASSISD_UNEXPECTED_EXIT", part238); - -var part239 = match("MESSAGE#207:CHASSISD_UNSUPPORTED_MODEL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Model %{dclass_counter1->} unsupported with this version of chassisd", processor_chain([ - dup59, - dup22, - setc("event_description","Model number unsupported with this version of chassisd"), - dup23, -])); - -var msg212 = msg("CHASSISD_UNSUPPORTED_MODEL", part239); - -var part240 = match("MESSAGE#208:CHASSISD_VERSION_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ - dup59, - dup22, - setc("event_description","Chassisd Version mismatch"), - dup23, -])); - -var msg213 = msg("CHASSISD_VERSION_MISMATCH", part240); - -var part241 = match("MESSAGE#209:CHASSISD_HIGH_TEMP_CONDITION", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} temperature=\"%{fld2}\" message=\"%{info}\"]", processor_chain([ - dup59, - dup22, - setc("event_description","CHASSISD HIGH TEMP CONDITION"), - dup61, - dup62, -])); - -var msg214 = msg("CHASSISD_HIGH_TEMP_CONDITION", part241); - -var part242 = match("MESSAGE#210:clean_process", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: process %{agent->} RESTART mode %{event_state->} new master=%{obj_name->} old failover=%{change_old->} new failover = %{change_new}", processor_chain([ - dup21, - dup22, - setc("event_description","process RESTART mode"), - dup23, 
-])); - -var msg215 = msg("clean_process", part242); - -var part243 = match("MESSAGE#211:CM_JAVA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Chassis %{group->} Linklocal MAC:%{macaddr}", processor_chain([ - dup21, - dup22, - setc("event_description","Chassis Linklocal to MAC"), - dup23, -])); - -var msg216 = msg("CM_JAVA", part243); - -var part244 = match("MESSAGE#212:DCD_AS_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - setc("event_description","DCD must be run as root"), - dup23, -])); - -var msg217 = msg("DCD_AS_ROOT", part244); - -var part245 = match("MESSAGE#213:DCD_FILTER_LIB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Filter library initialization failed", processor_chain([ - dup30, - dup22, - setc("event_description","Filter library initialization failed"), - dup23, -])); - -var msg218 = msg("DCD_FILTER_LIB_ERROR", part245); - -var msg219 = msg("DCD_MALLOC_FAILED_INIT", dup139); - -var part246 = match("MESSAGE#215:DCD_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration file", processor_chain([ - dup30, - dup22, - setc("event_description","errors while parsing configuration file"), - dup23, -])); - -var msg220 = msg("DCD_PARSE_EMERGENCY", part246); - -var part247 = match("MESSAGE#216:DCD_PARSE_FILTER_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing filter index file", processor_chain([ - dup30, - dup22, - setc("event_description","errors while parsing filter index file"), - dup23, -])); - -var msg221 = msg("DCD_PARSE_FILTER_EMERGENCY", part247); - -var part248 = match("MESSAGE#217:DCD_PARSE_MINI_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration overlay", processor_chain([ - dup30, - dup22, - setc("event_description","errors 
while parsing configuration overlay"), - dup23, -])); - -var msg222 = msg("DCD_PARSE_MINI_EMERGENCY", part248); - -var part249 = match("MESSAGE#218:DCD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: An unhandled state was encountered during interface parsing", processor_chain([ - dup30, - dup22, - setc("event_description","unhandled state was encountered during interface parsing"), - dup23, -])); - -var msg223 = msg("DCD_PARSE_STATE_EMERGENCY", part249); - -var part250 = match("MESSAGE#219:DCD_POLICER_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing policer indexfile", processor_chain([ - dup30, - dup22, - setc("event_description","errors while parsing policer indexfile"), - dup23, -])); - -var msg224 = msg("DCD_POLICER_PARSE_EMERGENCY", part250); - -var part251 = match("MESSAGE#220:DCD_PULL_LOG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to pull file %{filename->} after %{dclass_counter1->} retries last error=%{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","Failed to pull file"), - dup23, -])); - -var msg225 = msg("DCD_PULL_LOG_FAILURE", part251); - -var part252 = match("MESSAGE#221:DFWD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","DFWD ARGUMENT ERROR"), - dup23, -])); - -var msg226 = msg("DFWD_ARGUMENT_ERROR", part252); - -var msg227 = msg("DFWD_MALLOC_FAILED_INIT", dup139); - -var part253 = match("MESSAGE#223:DFWD_PARSE_FILTER_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered errors while parsing filter index file", processor_chain([ - dup30, - dup22, - setc("event_description","errors encountered while parsing filter index file"), - dup23, -])); - -var msg228 = msg("DFWD_PARSE_FILTER_EMERGENCY", part253); - -var part254 = 
match("MESSAGE#224:DFWD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered unhandled state while parsing interface", processor_chain([ - dup30, - dup22, - setc("event_description","encountered unhandled state while parsing interface"), - dup23, -])); - -var msg229 = msg("DFWD_PARSE_STATE_EMERGENCY", part254); - -var msg230 = msg("ECCD_DAEMONIZE_FAILED", dup140); - -var msg231 = msg("ECCD_DUPLICATE", dup141); - -var part255 = match("MESSAGE#227:ECCD_LOOP_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MainLoop return value: %{disposition}, error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ECCD LOOP EXIT FAILURE"), - dup23, -])); - -var msg232 = msg("ECCD_LOOP_EXIT_FAILURE", part255); - -var part256 = match("MESSAGE#228:ECCD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - setc("event_description","ECCD Must be run as root"), - dup23, -])); - -var msg233 = msg("ECCD_NOT_ROOT", part256); - -var part257 = match("MESSAGE#229:ECCD_PCI_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: open() failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ECCD PCI FILE OPEN FAILED"), - dup23, -])); - -var msg234 = msg("ECCD_PCI_FILE_OPEN_FAILED", part257); - -var part258 = match("MESSAGE#230:ECCD_PCI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","PCI read failure"), - dup23, -])); - -var msg235 = msg("ECCD_PCI_READ_FAILED", part258); - -var part259 = match("MESSAGE#231:ECCD_PCI_WRITE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","PCI write failure"), - dup23, -])); - -var msg236 = 
msg("ECCD_PCI_WRITE_FAILED", part259); - -var msg237 = msg("ECCD_PID_FILE_LOCK", dup142); - -var msg238 = msg("ECCD_PID_FILE_UPDATE", dup143); - -var part260 = match("MESSAGE#234:ECCD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ECCD TRACE FILE OPEN FAILURE"), - dup23, -])); - -var msg239 = msg("ECCD_TRACE_FILE_OPEN_FAILED", part260); - -var part261 = match("MESSAGE#235:ECCD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","ECCD Usage"), - dup23, -])); - -var msg240 = msg("ECCD_usage", part261); - -var part262 = match("MESSAGE#236:EVENTD_AUDIT_SHOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} viewed security audit log with arguments: %{param}", processor_chain([ - dup21, - dup22, - setc("event_description","User viewed security audit log with arguments"), - dup23, -])); - -var msg241 = msg("EVENTD_AUDIT_SHOW", part262); - -var part263 = match("MESSAGE#237:FLOW_REASSEMBLE_SUCCEED", "nwparser.payload", "%{event_type}: Packet merged source %{saddr->} destination %{daddr->} ipid %{fld11->} succeed", processor_chain([ - dup21, - dup22, - dup23, -])); - -var msg242 = msg("FLOW_REASSEMBLE_SUCCEED", part263); - -var part264 = match("MESSAGE#238:FSAD_CHANGE_FILE_OWNER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to change owner of file `%(unknown)' to user %{username}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to change owner of file"), - dup23, -])); - -var msg243 = msg("FSAD_CHANGE_FILE_OWNER", part264); - -var part265 = match("MESSAGE#239:FSAD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","FSAD CONFIG ERROR"), - dup23, -])); - 
-var msg244 = msg("FSAD_CONFIG_ERROR", part265); - -var part266 = match("MESSAGE#240:FSAD_CONNTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection timed out to the client (%{shost}, %{saddr}) having request type %{obj_type}", processor_chain([ - dup30, - dup22, - setc("event_description","Connection timed out to client"), - dup23, -])); - -var msg245 = msg("FSAD_CONNTIMEDOUT", part266); - -var part267 = match("MESSAGE#241:FSAD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","FSAD_FAILED"), - dup23, -])); - -var msg246 = msg("FSAD_FAILED", part267); - -var part268 = match("MESSAGE#242:FSAD_FETCHTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fetch to server %{hostname->} for file `%(unknown)' timed out", processor_chain([ - dup30, - dup22, - setc("event_description","Fetch to server to get file timed out"), - dup23, -])); - -var msg247 = msg("FSAD_FETCHTIMEDOUT", part268); - -var part269 = match("MESSAGE#243:FSAD_FILE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: fn failed for file `%(unknown)' with error message %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","fn failed for file"), - dup23, -])); - -var msg248 = msg("FSAD_FILE_FAILED", part269); - -var part270 = match("MESSAGE#244:FSAD_FILE_REMOVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to remove file `%(unknown)': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to remove file"), - dup23, -])); - -var msg249 = msg("FSAD_FILE_REMOVE", part270); - -var part271 = match("MESSAGE#245:FSAD_FILE_RENAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to rename file `%(unknown)' to `%{resultcode}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to rename 
file"), - dup23, -])); - -var msg250 = msg("FSAD_FILE_RENAME", part271); - -var part272 = match("MESSAGE#246:FSAD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed for file pathname %(unknown): %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","stat failed for file"), - dup23, -])); - -var msg251 = msg("FSAD_FILE_STAT", part272); - -var part273 = match("MESSAGE#247:FSAD_FILE_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to sync file %(unknown)': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to sync file"), - dup23, -])); - -var msg252 = msg("FSAD_FILE_SYNC", part273); - -var part274 = match("MESSAGE#248:FSAD_MAXCONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Upper limit reached in fsad for handling connections", processor_chain([ - dup30, - dup22, - setc("event_description","Upper limit reached in fsad"), - dup23, -])); - -var msg253 = msg("FSAD_MAXCONN", part274); - -var part275 = match("MESSAGE#249:FSAD_MEMORYALLOC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed in the function %{action->} (%{resultcode})", processor_chain([ - dup51, - dup22, - setc("event_description","FSAD MEMORYALLOC FAILED"), - dup23, -])); - -var msg254 = msg("FSAD_MEMORYALLOC_FAILED", part275); - -var part276 = match("MESSAGE#250:FSAD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - setc("event_description","FSAD must be run as root"), - dup23, -])); - -var msg255 = msg("FSAD_NOT_ROOT", part276); - -var part277 = match("MESSAGE#251:FSAD_PARENT_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: invalid directory: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","invalid directory"), - dup23, -])); - -var msg256 = msg("FSAD_PARENT_DIRECTORY", 
part277); - -var part278 = match("MESSAGE#252:FSAD_PATH_IS_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File path cannot be a directory (%(unknown))", processor_chain([ - dup30, - dup22, - setc("event_description","File path cannot be a directory"), - dup23, -])); - -var msg257 = msg("FSAD_PATH_IS_DIRECTORY", part278); - -var part279 = match("MESSAGE#253:FSAD_PATH_IS_SPECIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Not a regular file (%(unknown))", processor_chain([ - dup30, - dup22, - setc("event_description","Not a regular file"), - dup23, -])); - -var msg258 = msg("FSAD_PATH_IS_SPECIAL", part279); - -var part280 = match("MESSAGE#254:FSAD_RECVERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fsad received error message from client having request type %{obj_type->} at (%{saddr}, %{sport})", processor_chain([ - dup30, - dup22, - setc("event_description","fsad received error message from client"), - dup23, -])); - -var msg259 = msg("FSAD_RECVERROR", part280); - -var part281 = match("MESSAGE#255:FSAD_TERMINATED_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open file %(unknown)` closed due to %{result}", processor_chain([ - dup27, - dup22, - setc("event_description","FSAD TERMINATED CONNECTION"), - dup23, -])); - -var msg260 = msg("FSAD_TERMINATED_CONNECTION", part281); - -var part282 = match("MESSAGE#256:FSAD_TERMINATING_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received terminating %{resultcode}; %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Received terminating signal"), - dup23, -])); - -var msg261 = msg("FSAD_TERMINATING_SIGNAL", part282); - -var part283 = match("MESSAGE#257:FSAD_TRACEOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open operation on trace file `%(unknown)' returned error %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Open 
operation on trace file failed"), - dup23, -])); - -var msg262 = msg("FSAD_TRACEOPEN_FAILED", part283); - -var part284 = match("MESSAGE#258:FSAD_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage, %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","Incorrect FSAD usage"), - dup23, -])); - -var msg263 = msg("FSAD_USAGE", part284); - -var part285 = match("MESSAGE#259:GGSN_ALARM_TRAP_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","GGSN ALARM TRAP FAILED"), - dup23, -])); - -var msg264 = msg("GGSN_ALARM_TRAP_FAILED", part285); - -var part286 = match("MESSAGE#260:GGSN_ALARM_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","GGSN ALARM TRAP SEND FAILED"), - dup23, -])); - -var msg265 = msg("GGSN_ALARM_TRAP_SEND", part286); - -var part287 = match("MESSAGE#261:GGSN_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown trap request type %{obj_type}", processor_chain([ - dup30, - dup22, - setc("event_description","Unknown trap request type"), - dup23, -])); - -var msg266 = msg("GGSN_TRAP_SEND", part287); - -var part288 = match("MESSAGE#262:JADE_AUTH_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authorization failed: %{result}", processor_chain([ - dup69, - dup34, - setc("ec_subject","Service"), - dup43, - dup22, - setc("event_description","Authorization failed"), - dup23, -])); - -var msg267 = msg("JADE_AUTH_ERROR", part288); - -var part289 = match("MESSAGE#263:JADE_EXEC_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: CLI %{resultcode->} %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","JADE EXEC ERROR"), - dup23, -])); - -var msg268 = msg("JADE_EXEC_ERROR", 
part289); - -var part290 = match("MESSAGE#264:JADE_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local user %{username->} does not exist", processor_chain([ - dup30, - dup22, - setc("event_description","Local user does not exist"), - dup23, -])); - -var msg269 = msg("JADE_NO_LOCAL_USER", part290); - -var part291 = match("MESSAGE#265:JADE_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","JADE PAM error"), - dup23, -])); - -var msg270 = msg("JADE_PAM_ERROR", part291); - -var part292 = match("MESSAGE#266:JADE_PAM_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get local username from PAM: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to get local username from PAM"), - dup23, -])); - -var msg271 = msg("JADE_PAM_NO_LOCAL_USER", part292); - -var part293 = match("MESSAGE#267:KERN_ARP_ADDR_CHANGE", "nwparser.payload", "%{process}: %{event_type}: arp info overwritten for %{saddr->} from %{smacaddr->} to %{dmacaddr}", processor_chain([ - dup30, - dup22, - setc("event_description","arp info overwritten"), - dup23, -])); - -var msg272 = msg("KERN_ARP_ADDR_CHANGE", part293); - -var part294 = match("MESSAGE#268:KMD_PM_SA_ESTABLISHED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local gateway: %{gateway}, Remote gateway: %{fld1}, Local ID:%{fld2}, Remote ID:%{fld3}, Direction:%{fld4}, SPI:%{fld5}", processor_chain([ - dup30, - dup22, - setc("event_description","security association has been established"), - dup23, -])); - -var msg273 = msg("KMD_PM_SA_ESTABLISHED", part294); - -var part295 = match("MESSAGE#269:L2CPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialized", processor_chain([ - dup21, - dup22, - setc("event_description","Task Reinitialized"), - dup61, - dup23, -])); - -var msg274 = 
msg("L2CPD_TASK_REINIT", part295); - -var part296 = match("MESSAGE#270:LIBJNX_EXEC_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal='%{obj_type}' %{result}, command '%{action}'", processor_chain([ - dup21, - dup22, - dup70, - dup23, -])); - -var msg275 = msg("LIBJNX_EXEC_EXITED", part296); - -var part297 = match("MESSAGE#271:LIBJNX_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Child exec failed for command"), - dup23, -])); - -var msg276 = msg("LIBJNX_EXEC_FAILED", part297); - -var msg277 = msg("LIBJNX_EXEC_PIPE", dup144); - -var part298 = match("MESSAGE#273:LIBJNX_EXEC_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command received signal: PID %{child_pid}, signal %{result}, command '%{action}'", processor_chain([ - dup30, - dup22, - setc("event_description","Command received signal"), - dup23, -])); - -var msg278 = msg("LIBJNX_EXEC_SIGNALED", part298); - -var part299 = match("MESSAGE#274:LIBJNX_EXEC_WEXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{result}, command '%{action}'", processor_chain([ - dup21, - dup22, - dup72, - dup23, -])); - -var msg279 = msg("LIBJNX_EXEC_WEXIT", part299); - -var part300 = match("MESSAGE#275:LIBJNX_FILE_COPY_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: copy_file_to_transfer_dir failed to copy from source to destination", processor_chain([ - dup73, - dup22, - setc("event_description","copy_file_to_transfer_dir failed to copy"), - dup23, -])); - -var msg280 = msg("LIBJNX_FILE_COPY_FAILED", part300); - -var part301 = match("MESSAGE#276:LIBJNX_PRIV_LOWER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lower privilege level: %{result}", processor_chain([ - dup73, - dup22, - 
setc("event_description","Unable to lower privilege level"), - dup23, -])); - -var msg281 = msg("LIBJNX_PRIV_LOWER_FAILED", part301); - -var part302 = match("MESSAGE#277:LIBJNX_PRIV_RAISE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to raise privilege level: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","Unable to raise privilege level"), - dup23, -])); - -var msg282 = msg("LIBJNX_PRIV_RAISE_FAILED", part302); - -var part303 = match("MESSAGE#278:LIBJNX_REPLICATE_RCP_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","rcp failed"), - dup23, -])); - -var msg283 = msg("LIBJNX_REPLICATE_RCP_EXEC_FAILED", part303); - -var part304 = match("MESSAGE#279:LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode->} %{dclass_counter1->} -f %{action}: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","ROTATE COMPRESS EXEC FAILED"), - dup23, -])); - -var msg284 = msg("LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", part304); - -var part305 = match("MESSAGE#280:LIBSERVICED_CLIENT_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Client connection error: %{result}", processor_chain([ - dup74, - dup22, - setc("event_description","Client connection error"), - dup23, -])); - -var msg285 = msg("LIBSERVICED_CLIENT_CONNECTION", part305); - -var part306 = match("MESSAGE#281:LIBSERVICED_OUTBOUND_REQUEST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Outbound request failed for command [%{action}]: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","Outbound request failed for command"), - dup23, -])); - -var msg286 = msg("LIBSERVICED_OUTBOUND_REQUEST", part306); - -var part307 = match("MESSAGE#282:LIBSERVICED_SNMP_LOST_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: Connection closed while receiving from client %{dclass_counter1}", processor_chain([ - dup27, - dup22, - setc("event_description","Connection closed while receiving from client"), - dup23, -])); - -var msg287 = msg("LIBSERVICED_SNMP_LOST_CONNECTION", part307); - -var part308 = match("MESSAGE#283:LIBSERVICED_SOCKET_BIND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: unable to bind socket %{ssid}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","unable to bind socket"), - dup23, -])); - -var msg288 = msg("LIBSERVICED_SOCKET_BIND", part308); - -var part309 = match("MESSAGE#284:LIBSERVICED_SOCKET_PRIVATIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to attach socket %{ssid->} to management routing instance: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to attach socket to management routing instance"), - dup23, -])); - -var msg289 = msg("LIBSERVICED_SOCKET_PRIVATIZE", part309); - -var part310 = match("MESSAGE#285:LICENSE_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","LICENSE EXPIRED"), - dup23, -])); - -var msg290 = msg("LICENSE_EXPIRED", part310); - -var part311 = match("MESSAGE#286:LICENSE_EXPIRED_KEY_DELETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License key \"%(unknown)\" has expired.", processor_chain([ - dup21, - dup22, - setc("event_description","License key has expired"), - dup23, -])); - -var msg291 = msg("LICENSE_EXPIRED_KEY_DELETED", part311); - -var part312 = match("MESSAGE#287:LICENSE_NEARING_EXPIRY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License for feature %{disposition->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","License key expiration soon"), - dup23, -])); - -var msg292 = msg("LICENSE_NEARING_EXPIRY", part312); - -var part313 = 
match("MESSAGE#288:LOGIN_ABORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Client aborted login", processor_chain([ - dup30, - dup22, - setc("event_description","client aborted login"), - dup23, -])); - -var msg293 = msg("LOGIN_ABORTED", part313); - -var part314 = match("MESSAGE#289:LOGIN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login failed for user %{username->} from host %{dhost}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - dup23, -])); - -var msg294 = msg("LOGIN_FAILED", part314); - -var part315 = match("MESSAGE#290:LOGIN_FAILED_INCORRECT_PASSWORD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect password for user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Incorrect password for user"), - dup23, -])); - -var msg295 = msg("LOGIN_FAILED_INCORRECT_PASSWORD", part315); - -var part316 = match("MESSAGE#291:LOGIN_FAILED_SET_CONTEXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set context for user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Failed to set context for user"), - dup23, -])); - -var msg296 = msg("LOGIN_FAILED_SET_CONTEXT", part316); - -var part317 = match("MESSAGE#292:LOGIN_FAILED_SET_LOGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set login ID for user %{username}: %{dhost}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Failed to set login ID for user"), - dup23, -])); - -var msg297 = msg("LOGIN_FAILED_SET_LOGIN", part317); - -var part318 = match("MESSAGE#293:LOGIN_HOSTNAME_UNRESOLVED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to resolve hostname %{dhost}: %{info}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - 
setc("result","Unable to resolve hostname"), - dup23, -])); - -var msg298 = msg("LOGIN_HOSTNAME_UNRESOLVED", part318); - -var part319 = match("MESSAGE#294:LOGIN_INFORMATION/2", "nwparser.p0", "%{event_type}: %{p0}"); - -var part320 = match("MESSAGE#294:LOGIN_INFORMATION/4", "nwparser.p0", "%{username->} logged in from host %{dhost->} on %{p0}"); - -var part321 = match("MESSAGE#294:LOGIN_INFORMATION/5_0", "nwparser.p0", "device %{p0}"); - -var select34 = linear_select([ - part321, - dup45, -]); - -var part322 = match("MESSAGE#294:LOGIN_INFORMATION/6", "nwparser.p0", "%{terminal}"); - -var all19 = all_match({ - processors: [ - dup39, - dup137, - part319, - dup145, - part320, - select34, - part322, - ], - on_success: processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","Successful Login"), - dup23, - ]), -}); - -var msg299 = msg("LOGIN_INFORMATION", all19); - -var part323 = match("MESSAGE#295:LOGIN_INVALID_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No entry in local password file for user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","No entry in local password file for user"), - dup23, -])); - -var msg300 = msg("LOGIN_INVALID_LOCAL_USER", part323); - -var part324 = match("MESSAGE#296:LOGIN_MALFORMED_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid username: %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Invalid username"), - dup23, -])); - -var msg301 = msg("LOGIN_MALFORMED_USER", part324); - -var part325 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_0", "nwparser.p0", "PAM authentication error for user %{p0}"); - -var part326 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_1", "nwparser.p0", "Failed password for user %{p0}"); - -var select35 = linear_select([ - part325, - part326, -]); - -var part327 = 
match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/2", "nwparser.p0", "%{username}"); - -var all20 = all_match({ - processors: [ - dup50, - select35, - part327, - ], - on_success: processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","PAM authentication error for user"), - dup23, - ]), -}); - -var msg302 = msg("LOGIN_PAM_AUTHENTICATION_ERROR", all20); - -var part328 = match("MESSAGE#298:LOGIN_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failure while authenticating user %{username}: %{dhost}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - setc("event_description","PAM authentication failure"), - setc("result","Failure while authenticating user"), - dup23, -])); - -var msg303 = msg("LOGIN_PAM_ERROR", part328); - -var part329 = match("MESSAGE#299:LOGIN_PAM_MAX_RETRIES", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many retries while authenticating user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Too many retries while authenticating user"), - dup23, -])); - -var msg304 = msg("LOGIN_PAM_MAX_RETRIES", part329); - -var part330 = match("MESSAGE#300:LOGIN_PAM_NONLOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} authenticated but has no local login ID", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","User authenticated but has no local login ID"), - dup23, -])); - -var msg305 = msg("LOGIN_PAM_NONLOCAL_USER", part330); - -var part331 = match("MESSAGE#301:LOGIN_PAM_STOP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to end PAM session: %{info}", processor_chain([ - setc("eventcategory","1303000000"), - dup34, - dup43, - dup22, - setc("event_description","Failed to end PAM session"), - dup23, -])); - -var msg306 = msg("LOGIN_PAM_STOP", part331); - -var part332 = 
match("MESSAGE#302:LOGIN_PAM_USER_UNKNOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Attempt to authenticate unknown user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Attempt to authenticate unknown user"), - dup23, -])); - -var msg307 = msg("LOGIN_PAM_USER_UNKNOWN", part332); - -var part333 = match("MESSAGE#303:LOGIN_PASSWORD_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Forcing change of expired password for user %{username}>", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Forcing change of expired password for user"), - dup23, -])); - -var msg308 = msg("LOGIN_PASSWORD_EXPIRED", part333); - -var part334 = match("MESSAGE#304:LOGIN_REFUSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login of user %{username->} from host %{shost->} on %{terminal->} was refused: %{info}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Login of user refused"), - dup23, -])); - -var msg309 = msg("LOGIN_REFUSED", part334); - -var part335 = match("MESSAGE#305:LOGIN_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} logged in as root from host %{shost->} on %{terminal}", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","successful login as root"), - setc("result","User logged in as root"), - dup23, -])); - -var msg310 = msg("LOGIN_ROOT", part335); - -var part336 = match("MESSAGE#306:LOGIN_TIMED_OUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login attempt timed out after %{dclass_counter1->} seconds", processor_chain([ - dup44, - dup34, - dup36, - dup43, - dup22, - dup75, - setc("result","Login attempt timed out"), - dup23, -])); - -var msg311 = msg("LOGIN_TIMED_OUT", part336); - -var part337 = match("MESSAGE#307:MIB2D_ATM_ERROR", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D ATM ERROR"), - dup23, -])); - -var msg312 = msg("MIB2D_ATM_ERROR", part337); - -var part338 = match("MESSAGE#308:MIB2D_CONFIG_CHECK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CONFIG CHECK FAILED"), - dup23, -])); - -var msg313 = msg("MIB2D_CONFIG_CHECK_FAILED", part338); - -var part339 = match("MESSAGE#309:MIB2D_FILE_OPEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%(unknown)': %{result}", processor_chain([ - dup30, - dup22, - dup78, - dup23, -])); - -var msg314 = msg("MIB2D_FILE_OPEN_FAILURE", part339); - -var msg315 = msg("MIB2D_IFD_IFINDEX_FAILURE", dup146); - -var msg316 = msg("MIB2D_IFL_IFINDEX_FAILURE", dup146); - -var part340 = match("MESSAGE#312:MIB2D_INIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mib2d initialization failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","mib2d initialization failure"), - dup23, -])); - -var msg317 = msg("MIB2D_INIT_FAILURE", part340); - -var part341 = match("MESSAGE#313:MIB2D_KVM_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D KVM FAILURE"), - dup23, -])); - -var msg318 = msg("MIB2D_KVM_FAILURE", part341); - -var part342 = match("MESSAGE#314:MIB2D_RTSLIB_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: failed in %{dclass_counter1->} %{dclass_counter2->} index (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D RTSLIB READ FAILURE"), - dup23, -])); - -var msg319 = msg("MIB2D_RTSLIB_READ_FAILURE", part342); - -var part343 = 
match("MESSAGE#315:MIB2D_RTSLIB_SEQ_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: sequence mismatch (%{result}), %{action}", processor_chain([ - dup30, - dup22, - setc("event_description","RTSLIB sequence mismatch"), - dup23, -])); - -var msg320 = msg("MIB2D_RTSLIB_SEQ_MISMATCH", part343); - -var part344 = match("MESSAGE#316:MIB2D_SYSCTL_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D SYSCTL FAILURE"), - dup23, -])); - -var msg321 = msg("MIB2D_SYSCTL_FAILURE", part344); - -var part345 = match("MESSAGE#317:MIB2D_TRAP_HEADER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: trap_request_header failed", processor_chain([ - dup30, - dup22, - setc("event_description","trap_request_header failed"), - dup23, -])); - -var msg322 = msg("MIB2D_TRAP_HEADER_FAILURE", part345); - -var part346 = match("MESSAGE#318:MIB2D_TRAP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D TRAP SEND FAILURE"), - dup23, -])); - -var msg323 = msg("MIB2D_TRAP_SEND_FAILURE", part346); - -var part347 = match("MESSAGE#319:Multiuser", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: old requested_transition==%{change_new->} sighupped=%{result}", processor_chain([ - dup21, - dup22, - setc("event_description","user sighupped"), - dup23, -])); - -var msg324 = msg("Multiuser", part347); - -var part348 = match("MESSAGE#320:NASD_AUTHENTICATION_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate authentication handle: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to allocate authentication handle"), - dup23, -])); - -var msg325 = msg("NASD_AUTHENTICATION_CREATE_FAILED", part348); - 
-var part349 = match("MESSAGE#321:NASD_CHAP_AUTHENTICATION_IN_PROGRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %(unknown), authentication already in progress", processor_chain([ - dup80, - dup34, - dup43, - dup22, - setc("event_description","authentication already in progress"), - dup23, -])); - -var msg326 = msg("NASD_CHAP_AUTHENTICATION_IN_PROGRESS", part349); - -var part350 = match("MESSAGE#322:NASD_CHAP_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: unable to obtain hostname for outgoing CHAP message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","unable to obtain hostname for outgoing CHAP message"), - dup23, -])); - -var msg327 = msg("NASD_CHAP_GETHOSTNAME_FAILED", part350); - -var part351 = match("MESSAGE#323:NASD_CHAP_INVALID_CHAP_IDENTIFIER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %{filename->} expected CHAP ID: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","CHAP INVALID_CHAP IDENTIFIER"), - dup23, -])); - -var msg328 = msg("NASD_CHAP_INVALID_CHAP_IDENTIFIER", part351); - -var part352 = match("MESSAGE#324:NASD_CHAP_INVALID_OPCODE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}.%{dclass_counter1}: invalid operation code received %(unknown), CHAP ID: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","CHAP INVALID OPCODE"), - dup23, -])); - -var msg329 = msg("NASD_CHAP_INVALID_OPCODE", part352); - -var part353 = match("MESSAGE#325:NASD_CHAP_LOCAL_NAME_UNAVAILABLE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine value for '%{username}' in outgoing CHAP packet", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to determine value for username in outgoing CHAP packet"), - dup23, -])); - -var msg330 = msg("NASD_CHAP_LOCAL_NAME_UNAVAILABLE", 
part353); - -var part354 = match("MESSAGE#326:NASD_CHAP_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","CHAP MESSAGE UNEXPECTED"), - dup23, -])); - -var msg331 = msg("NASD_CHAP_MESSAGE_UNEXPECTED", part354); - -var part355 = match("MESSAGE#327:NASD_CHAP_REPLAY_ATTACK_DETECTED", "nwparser.payload", "%{process}[%{ssid}]: %{event_type}: %{interface}.%{dclass_counter1}: received %{filename->} %{result}.%{info}", processor_chain([ - dup81, - dup22, - setc("event_description","CHAP REPLAY ATTACK DETECTED"), - dup23, -])); - -var msg332 = msg("NASD_CHAP_REPLAY_ATTACK_DETECTED", part355); - -var part356 = match("MESSAGE#328:NASD_CONFIG_GET_LAST_MODIFIED_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine last modified time of JUNOS configuration database: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to determine last modified time of JUNOS configuration database"), - dup23, -])); - -var msg333 = msg("NASD_CONFIG_GET_LAST_MODIFIED_FAILED", part356); - -var msg334 = msg("NASD_DAEMONIZE_FAILED", dup140); - -var part357 = match("MESSAGE#330:NASD_DB_ALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate database object: %(unknown), %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to allocate database object"), - dup23, -])); - -var msg335 = msg("NASD_DB_ALLOC_FAILURE", part357); - -var part358 = match("MESSAGE#331:NASD_DB_TABLE_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %(unknown), %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","DB TABLE CREATE FAILURE"), - dup23, -])); - -var msg336 = msg("NASD_DB_TABLE_CREATE_FAILURE", part358); - -var msg337 = msg("NASD_DUPLICATE", dup141); - -var part359 = 
match("MESSAGE#333:NASD_EVLIB_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} with: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","EVLIB CREATE FAILURE"), - dup23, -])); - -var msg338 = msg("NASD_EVLIB_CREATE_FAILURE", part359); - -var part360 = match("MESSAGE#334:NASD_EVLIB_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} value: %{result}, error: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","EVLIB EXIT FAILURE"), - dup23, -])); - -var msg339 = msg("NASD_EVLIB_EXIT_FAILURE", part360); - -var part361 = match("MESSAGE#335:NASD_LOCAL_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate LOCAL module handle: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to allocate LOCAL module handle"), - dup23, -])); - -var msg340 = msg("NASD_LOCAL_CREATE_FAILED", part361); - -var part362 = match("MESSAGE#336:NASD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - setc("event_description","NASD must be run as root"), - dup23, -])); - -var msg341 = msg("NASD_NOT_ROOT", part362); - -var msg342 = msg("NASD_PID_FILE_LOCK", dup142); - -var msg343 = msg("NASD_PID_FILE_UPDATE", dup143); - -var part363 = match("MESSAGE#339:NASD_POST_CONFIGURE_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","POST CONFIGURE EVENT FAILED"), - dup23, -])); - -var msg344 = msg("NASD_POST_CONFIGURE_EVENT_FAILED", part363); - -var part364 = match("MESSAGE#340:NASD_PPP_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","PPP READ FAILURE"), - dup23, -])); - -var msg345 = 
msg("NASD_PPP_READ_FAILURE", part364); - -var part365 = match("MESSAGE#341:NASD_PPP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to send message"), - dup23, -])); - -var msg346 = msg("NASD_PPP_SEND_FAILURE", part365); - -var part366 = match("MESSAGE#342:NASD_PPP_SEND_PARTIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send all of message: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to send all of message"), - dup23, -])); - -var msg347 = msg("NASD_PPP_SEND_PARTIAL", part366); - -var part367 = match("MESSAGE#343:NASD_PPP_UNRECOGNIZED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unrecognized authentication protocol: %{protocol}", processor_chain([ - dup30, - dup22, - setc("event_description","Unrecognized authentication protocol"), - dup23, -])); - -var msg348 = msg("NASD_PPP_UNRECOGNIZED", part367); - -var part368 = match("MESSAGE#344:NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} when allocating password for RADIUS: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS password allocation failure"), - dup23, -])); - -var msg349 = msg("NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", part368); - -var part369 = match("MESSAGE#345:NASD_RADIUS_CONFIG_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS CONFIG FAILED"), - dup23, -])); - -var msg350 = msg("NASD_RADIUS_CONFIG_FAILED", part369); - -var part370 = match("MESSAGE#346:NASD_RADIUS_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate RADIUS module handle: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to 
allocate RADIUS module handle"), - dup23, -])); - -var msg351 = msg("NASD_RADIUS_CREATE_FAILED", part370); - -var part371 = match("MESSAGE#347:NASD_RADIUS_CREATE_REQUEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS CREATE REQUEST FAILED"), - dup23, -])); - -var msg352 = msg("NASD_RADIUS_CREATE_REQUEST_FAILED", part371); - -var part372 = match("MESSAGE#348:NASD_RADIUS_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain hostname for outgoing RADIUS message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to obtain hostname for outgoing RADIUS message"), - dup23, -])); - -var msg353 = msg("NASD_RADIUS_GETHOSTNAME_FAILED", part372); - -var part373 = match("MESSAGE#349:NASD_RADIUS_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown response from RADIUS server: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unknown response from RADIUS server"), - dup23, -])); - -var msg354 = msg("NASD_RADIUS_MESSAGE_UNEXPECTED", part373); - -var part374 = match("MESSAGE#350:NASD_RADIUS_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS OPEN FAILED"), - dup23, -])); - -var msg355 = msg("NASD_RADIUS_OPEN_FAILED", part374); - -var part375 = match("MESSAGE#351:NASD_RADIUS_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS SELECT FAILED"), - dup23, -])); - -var msg356 = msg("NASD_RADIUS_SELECT_FAILED", part375); - -var part376 = match("MESSAGE#352:NASD_RADIUS_SET_TIMER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - 
dup30, - dup22, - setc("event_description","RADIUS SET TIMER FAILED"), - dup23, -])); - -var msg357 = msg("NASD_RADIUS_SET_TIMER_FAILED", part376); - -var part377 = match("MESSAGE#353:NASD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TRACE FILE OPEN FAILED"), - dup23, -])); - -var msg358 = msg("NASD_TRACE_FILE_OPEN_FAILED", part377); - -var part378 = match("MESSAGE#354:NASD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","NASD Usage"), - dup23, -])); - -var msg359 = msg("NASD_usage", part378); - -var part379 = match("MESSAGE#355:NOTICE", "nwparser.payload", "%{agent}: %{event_type}:%{action}: %{event_description}: The %{result}", processor_chain([ - dup21, - dup22, - dup23, -])); - -var msg360 = msg("NOTICE", part379); - -var part380 = match("MESSAGE#356:PFE_FW_SYSLOG_IP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ - dup21, - dup22, - dup82, - dup23, -])); - -var msg361 = msg("PFE_FW_SYSLOG_IP", part380); - -var part381 = match("MESSAGE#357:PFE_FW_SYSLOG_IP:01", "nwparser.payload", "%{hostip->} %{hostname->} %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ - dup21, - dup22, - dup82, - dup23, -])); - -var msg362 = msg("PFE_FW_SYSLOG_IP:01", part381); - -var select36 = linear_select([ - msg361, - msg362, -]); - -var part382 = match("MESSAGE#358:PFE_NH_RESOLVE_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ - dup21, - dup22, - setc("event_description","Next-hop resolution requests 
throttled"), - dup23, -])); - -var msg363 = msg("PFE_NH_RESOLVE_THROTTLED", part382); - -var part383 = match("MESSAGE#359:PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","PING TEST COMPLETED"), - dup23, -])); - -var msg364 = msg("PING_TEST_COMPLETED", part383); - -var part384 = match("MESSAGE#360:PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","PING TEST FAILED"), - dup23, -])); - -var msg365 = msg("PING_TEST_FAILED", part384); - -var part385 = match("MESSAGE#361:process_mode/2", "nwparser.p0", "%{p0}"); - -var part386 = match("MESSAGE#361:process_mode/3_0", "nwparser.p0", "%{event_type}: %{p0}"); - -var part387 = match("MESSAGE#361:process_mode/3_1", "nwparser.p0", "%{event_type->} %{p0}"); - -var select37 = linear_select([ - part386, - part387, -]); - -var part388 = match("MESSAGE#361:process_mode/4", "nwparser.p0", "mode=%{protocol->} cmd=%{action->} master_mode=%{result}"); - -var all21 = all_match({ - processors: [ - dup39, - dup137, - part385, - select37, - part388, - ], - on_success: processor_chain([ - dup21, - dup22, - dup83, - dup23, - ]), -}); - -var msg366 = msg("process_mode", all21); - -var part389 = match("MESSAGE#362:process_mode:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ - dup21, - dup22, - dup83, - dup23, -])); - -var msg367 = msg("process_mode:01", part389); - -var select38 = linear_select([ - msg366, - msg367, -]); - -var part390 = match("MESSAGE#363:PWC_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} exiting with status %{result}", processor_chain([ - dup21, - 
dup22, - setc("event_description","process exit with status"), - dup23, -])); - -var msg368 = msg("PWC_EXIT", part390); - -var part391 = match("MESSAGE#364:PWC_HOLD_RELEASE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} released child %{child_pid->} from %{dclass_counter1->} state", processor_chain([ - dup21, - dup22, - setc("event_description","Process released child from state"), - dup23, -])); - -var msg369 = msg("PWC_HOLD_RELEASE", part391); - -var part392 = match("MESSAGE#365:PWC_INVALID_RUNS_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}, not %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","invalid runs argument"), - dup23, -])); - -var msg370 = msg("PWC_INVALID_RUNS_ARGUMENT", part392); - -var part393 = match("MESSAGE#366:PWC_INVALID_TIMEOUT_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","INVALID TIMEOUT ARGUMENT"), - dup23, -])); - -var msg371 = msg("PWC_INVALID_TIMEOUT_ARGUMENT", part393); - -var part394 = match("MESSAGE#367:PWC_KILLED_BY_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} received terminating signal", processor_chain([ - dup21, - dup22, - setc("event_description","pwc process received terminating signal"), - dup23, -])); - -var msg372 = msg("PWC_KILLED_BY_SIGNAL", part394); - -var part395 = match("MESSAGE#368:PWC_KILL_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc is sending %{resultcode->} to child %{child_pid}", processor_chain([ - dup30, - dup22, - setc("event_description","pwc is sending kill event to child"), - dup23, -])); - -var msg373 = msg("PWC_KILL_EVENT", part395); - -var part396 = match("MESSAGE#369:PWC_KILL_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to kill process %{child_pid}: %{result}", 
processor_chain([ - dup30, - dup22, - setc("event_description","Unable to kill process"), - dup23, -])); - -var msg374 = msg("PWC_KILL_FAILED", part396); - -var part397 = match("MESSAGE#370:PWC_KQUEUE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: kevent failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","kevent failed"), - dup23, -])); - -var msg375 = msg("PWC_KQUEUE_ERROR", part397); - -var part398 = match("MESSAGE#371:PWC_KQUEUE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create kqueue: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to create kqueue"), - dup23, -])); - -var msg376 = msg("PWC_KQUEUE_INIT", part398); - -var part399 = match("MESSAGE#372:PWC_KQUEUE_REGISTER_FILTER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to register kqueue filter: %{agent->} for purpose: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Failed to register kqueue filter"), - dup23, -])); - -var msg377 = msg("PWC_KQUEUE_REGISTER_FILTER", part399); - -var part400 = match("MESSAGE#373:PWC_LOCKFILE_BAD_FORMAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file has bad format: %{agent}", processor_chain([ - dup30, - dup22, - setc("event_description","PID lock file has bad format"), - dup23, -])); - -var msg378 = msg("PWC_LOCKFILE_BAD_FORMAT", part400); - -var part401 = match("MESSAGE#374:PWC_LOCKFILE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file had error: %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","PID lock file error"), - dup23, -])); - -var msg379 = msg("PWC_LOCKFILE_ERROR", part401); - -var part402 = match("MESSAGE#375:PWC_LOCKFILE_MISSING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not found: %{agent}", processor_chain([ - dup30, - dup22, - 
setc("event_description","PID lock file not found"), - dup23, -])); - -var msg380 = msg("PWC_LOCKFILE_MISSING", part402); - -var part403 = match("MESSAGE#376:PWC_LOCKFILE_NOT_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not locked: %{agent}", processor_chain([ - dup30, - dup22, - setc("event_description","PID lock file not locked"), - dup23, -])); - -var msg381 = msg("PWC_LOCKFILE_NOT_LOCKED", part403); - -var part404 = match("MESSAGE#377:PWC_NO_PROCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No process specified", processor_chain([ - dup30, - dup22, - setc("event_description","No process specified for PWC"), - dup23, -])); - -var msg382 = msg("PWC_NO_PROCESS", part404); - -var part405 = match("MESSAGE#378:PWC_PROCESS_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} child %{child_pid->} exited with status %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","pwc process exited with status"), - dup23, -])); - -var msg383 = msg("PWC_PROCESS_EXIT", part405); - -var part406 = match("MESSAGE#379:PWC_PROCESS_FORCED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} forcing hold down of child %{child_pid->} until signal", processor_chain([ - dup21, - dup22, - setc("event_description","Process forcing hold down of child until signalled"), - dup23, -])); - -var msg384 = msg("PWC_PROCESS_FORCED_HOLD", part406); - -var part407 = match("MESSAGE#380:PWC_PROCESS_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} until signal", processor_chain([ - dup21, - dup22, - setc("event_description","Process holding down child until signalled"), - dup23, -])); - -var msg385 = msg("PWC_PROCESS_HOLD", part407); - -var part408 = match("MESSAGE#381:PWC_PROCESS_HOLD_SKIPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} 
will not down child %{child_pid->} because of %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Process not holding down child"), - dup23, -])); - -var msg386 = msg("PWC_PROCESS_HOLD_SKIPPED", part408); - -var part409 = match("MESSAGE#382:PWC_PROCESS_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create child process with pidpopen: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Failed to create child process with pidpopen"), - dup23, -])); - -var msg387 = msg("PWC_PROCESS_OPEN", part409); - -var part410 = match("MESSAGE#383:PWC_PROCESS_TIMED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Process holding down child"), - dup23, -])); - -var msg388 = msg("PWC_PROCESS_TIMED_HOLD", part410); - -var part411 = match("MESSAGE#384:PWC_PROCESS_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child timed out %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Child process timed out"), - dup23, -])); - -var msg389 = msg("PWC_PROCESS_TIMEOUT", part411); - -var part412 = match("MESSAGE#385:PWC_SIGNAL_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: signal(%{agent}) failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","signal failure"), - dup23, -])); - -var msg390 = msg("PWC_SIGNAL_INIT", part412); - -var part413 = match("MESSAGE#386:PWC_SOCKET_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to connect socket to %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to connect socket to service"), - dup23, -])); - -var msg391 = msg("PWC_SOCKET_CONNECT", part413); - -var part414 = match("MESSAGE#387:PWC_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: Failed to create socket: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Failed to create socket"), - dup23, -])); - -var msg392 = msg("PWC_SOCKET_CREATE", part414); - -var part415 = match("MESSAGE#388:PWC_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to set socket option %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to set socket option"), - dup23, -])); - -var msg393 = msg("PWC_SOCKET_OPTION", part415); - -var part416 = match("MESSAGE#389:PWC_STDOUT_WRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Write to stdout failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Write to stdout failed"), - dup23, -])); - -var msg394 = msg("PWC_STDOUT_WRITE", part416); - -var part417 = match("MESSAGE#390:PWC_SYSTEM_CALL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","PWC SYSTEM CALL"), - dup23, -])); - -var msg395 = msg("PWC_SYSTEM_CALL", part417); - -var part418 = match("MESSAGE#391:PWC_UNKNOWN_KILL_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown kill option [%{agent}]", processor_chain([ - dup30, - dup22, - setc("event_description","Unknown kill option"), - dup23, -])); - -var msg396 = msg("PWC_UNKNOWN_KILL_OPTION", part418); - -var part419 = match("MESSAGE#392:RMOPD_ADDRESS_MULTICAST_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Multicast address is not allowed", processor_chain([ - dup30, - dup22, - setc("event_description","Multicast address not allowed"), - dup23, -])); - -var msg397 = msg("RMOPD_ADDRESS_MULTICAST_INVALID", part419); - -var part420 = match("MESSAGE#393:RMOPD_ADDRESS_SOURCE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Source address invalid: %{result}", processor_chain([ - dup30, - dup22, - 
setc("event_description","RMOPD ADDRESS SOURCE INVALID"), - dup23, -])); - -var msg398 = msg("RMOPD_ADDRESS_SOURCE_INVALID", part420); - -var part421 = match("MESSAGE#394:RMOPD_ADDRESS_STRING_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to convert numeric address to string: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to convert numeric address to string"), - dup23, -])); - -var msg399 = msg("RMOPD_ADDRESS_STRING_FAILURE", part421); - -var part422 = match("MESSAGE#395:RMOPD_ADDRESS_TARGET_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rmop_util_set_address status message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","rmop_util_set_address status message invalid"), - dup23, -])); - -var msg400 = msg("RMOPD_ADDRESS_TARGET_INVALID", part422); - -var msg401 = msg("RMOPD_DUPLICATE", dup141); - -var part423 = match("MESSAGE#397:RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Only IPv4 source address is supported", processor_chain([ - dup30, - dup22, - setc("event_description","Only IPv4 source address is supported"), - dup23, -])); - -var msg402 = msg("RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", part423); - -var part424 = match("MESSAGE#398:RMOPD_ICMP_SENDMSG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{fld1}: No route to host", processor_chain([ - dup30, - dup22, - setc("event_description","No route to host"), - dup23, -])); - -var msg403 = msg("RMOPD_ICMP_SENDMSG_FAILURE", part424); - -var part425 = match("MESSAGE#399:RMOPD_IFINDEX_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifindex: %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","IFINDEX NOT ACTIVE"), - dup23, -])); - -var msg404 = msg("RMOPD_IFINDEX_NOT_ACTIVE", part425); - -var part426 = match("MESSAGE#400:RMOPD_IFINDEX_NO_INFO", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","IFINDEX NO INFO"), - dup23, -])); - -var msg405 = msg("RMOPD_IFINDEX_NO_INFO", part426); - -var part427 = match("MESSAGE#401:RMOPD_IFNAME_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifname: %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","RMOPD IFNAME NOT ACTIVE"), - dup23, -])); - -var msg406 = msg("RMOPD_IFNAME_NOT_ACTIVE", part427); - -var part428 = match("MESSAGE#402:RMOPD_IFNAME_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","IFNAME NO INFO"), - dup23, -])); - -var msg407 = msg("RMOPD_IFNAME_NO_INFO", part428); - -var part429 = match("MESSAGE#403:RMOPD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - setc("event_description","RMOPD Must be run as root"), - dup23, -])); - -var msg408 = msg("RMOPD_NOT_ROOT", part429); - -var part430 = match("MESSAGE#404:RMOPD_ROUTING_INSTANCE_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for routing instance %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","No information for routing instance"), - dup23, -])); - -var msg409 = msg("RMOPD_ROUTING_INSTANCE_NO_INFO", part430); - -var part431 = match("MESSAGE#405:RMOPD_TRACEROUTE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TRACEROUTE ERROR"), - dup23, -])); - -var msg410 = msg("RMOPD_TRACEROUTE_ERROR", part431); - -var part432 = match("MESSAGE#406:RMOPD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ - 
dup21, - dup22, - setc("event_description","RMOPD usage"), - dup23, -])); - -var msg411 = msg("RMOPD_usage", part432); - -var part433 = match("MESSAGE#407:RPD_ABORT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RPD ABORT"), - dup23, -])); - -var msg412 = msg("RPD_ABORT", part433); - -var part434 = match("MESSAGE#408:RPD_ACTIVE_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Exiting with active tasks: %{agent}", processor_chain([ - dup30, - dup22, - setc("event_description","RPD exiting with active tasks"), - dup23, -])); - -var msg413 = msg("RPD_ACTIVE_TERMINATE", part434); - -var part435 = match("MESSAGE#409:RPD_ASSERT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Assertion failed %{resultcode}: file \"%(unknown)\", line %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","RPD Assertion failed"), - dup23, -])); - -var msg414 = msg("RPD_ASSERT", part435); - -var part436 = match("MESSAGE#410:RPD_ASSERT_SOFT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Soft assertion failed %{resultcode}: file \"%(unknown)\", line %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","RPD Soft assertion failed"), - dup23, -])); - -var msg415 = msg("RPD_ASSERT_SOFT", part436); - -var part437 = match("MESSAGE#411:RPD_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}", processor_chain([ - dup21, - dup22, - setc("event_description","RPD EXIT"), - dup23, -])); - -var msg416 = msg("RPD_EXIT", part437); - -var msg417 = msg("RPD_IFL_INDEXCOLLISION", dup147); - -var msg418 = msg("RPD_IFL_NAMECOLLISION", dup147); - -var part438 = match("MESSAGE#414:RPD_ISIS_ADJDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS 
lost %{dclass_counter1->} adjacency to %{dclass_counter2->} on %{interface}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","IS-IS lost adjacency"), - dup23, -])); - -var msg419 = msg("RPD_ISIS_ADJDOWN", part438); - -var part439 = match("MESSAGE#415:RPD_ISIS_ADJUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface}", processor_chain([ - dup21, - dup22, - setc("event_description","IS-IS new adjacency"), - dup23, -])); - -var msg420 = msg("RPD_ISIS_ADJUP", part439); - -var part440 = match("MESSAGE#416:RPD_ISIS_ADJUPNOIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface->} without an address", processor_chain([ - dup30, - dup22, - setc("event_description","IS-IS new adjacency without an address"), - dup23, -])); - -var msg421 = msg("RPD_ISIS_ADJUPNOIP", part440); - -var part441 = match("MESSAGE#417:RPD_ISIS_LSPCKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS %{dclass_counter1->} LSP checksum error, interface %{interface}, LSP id %{id}, sequence %{dclass_counter2}, checksum %{resultcode}, lifetime %{fld2}", processor_chain([ - dup30, - dup22, - setc("event_description","IS-IS LSP checksum error on iterface"), - dup23, -])); - -var msg422 = msg("RPD_ISIS_LSPCKSUM", part441); - -var part442 = match("MESSAGE#418:RPD_ISIS_OVERLOAD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS database overload", processor_chain([ - dup30, - dup22, - setc("event_description","IS-IS database overload"), - dup23, -])); - -var msg423 = msg("RPD_ISIS_OVERLOAD", part442); - -var part443 = match("MESSAGE#419:RPD_KRT_AFUNSUPRT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: received %{agent->} message with unsupported address family %{dclass_counter1}", processor_chain([ - dup30, - dup22, - 
setc("event_description","message with unsupported address family received"), - dup23, -])); - -var msg424 = msg("RPD_KRT_AFUNSUPRT", part443); - -var part444 = match("MESSAGE#420:RPD_KRT_CCC_IFL_MODIFY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, error", processor_chain([ - dup30, - dup22, - setc("event_description","RPD KRT CCC IFL MODIFY"), - dup23, -])); - -var msg425 = msg("RPD_KRT_CCC_IFL_MODIFY", part444); - -var part445 = match("MESSAGE#421:RPD_KRT_DELETED_RTT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: received deleted routing table from the kernel for family %{dclass_counter1->} table ID %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","received deleted routing table from kernel"), - dup23, -])); - -var msg426 = msg("RPD_KRT_DELETED_RTT", part445); - -var part446 = match("MESSAGE#422:RPD_KRT_IFA_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifa generation mismatch -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ifa generation mismatch"), - dup23, -])); - -var msg427 = msg("RPD_KRT_IFA_GENERATION", part446); - -var part447 = match("MESSAGE#423:RPD_KRT_IFDCHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} CHANGE for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ - dup30, - dup22, - setc("event_description","CHANGE for ifd failed"), - dup23, -])); - -var msg428 = msg("RPD_KRT_IFDCHANGE", part447); - -var part448 = match("MESSAGE#424:RPD_KRT_IFDEST_GET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} SERVICE: %{service->} for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ - dup30, - dup22, - setc("event_description","GET SERVICE failure on interface"), - dup23, -])); - -var msg429 = msg("RPD_KRT_IFDEST_GET", part448); - -var part449 = match("MESSAGE#425:RPD_KRT_IFDGET", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: %{agent->} GET index for ifd interface failed, error \"%{result}\"", processor_chain([ - dup30, - dup22, - setc("event_description","GET index for ifd interface failed"), - dup23, -])); - -var msg430 = msg("RPD_KRT_IFDGET", part449); - -var part450 = match("MESSAGE#426:RPD_KRT_IFD_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifd %{dclass_counter1->} generation mismatch -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ifd generation mismatch"), - dup23, -])); - -var msg431 = msg("RPD_KRT_IFD_GENERATION", part450); - -var part451 = match("MESSAGE#427:RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","KRT IFL CELL RELAY MODE INVALID"), - dup23, -])); - -var msg432 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", part451); - -var part452 = match("MESSAGE#428:RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","KRT IFL CELL RELAY MODE UNSPECIFIED"), - dup23, -])); - -var msg433 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", part452); - -var part453 = match("MESSAGE#429:RPD_KRT_IFL_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl %{interface->} generation mismatch -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ifl generation mismatch"), - dup23, -])); - -var msg434 = msg("RPD_KRT_IFL_GENERATION", part453); - -var part454 = match("MESSAGE#430:RPD_KRT_KERNEL_BAD_ROUTE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: lost %{interface->} %{dclass_counter1->} for route %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","lost interface for route"), - dup23, -])); - -var msg435 = 
msg("RPD_KRT_KERNEL_BAD_ROUTE", part454); - -var part455 = match("MESSAGE#431:RPD_KRT_NEXTHOP_OVERFLOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: number of next hops (%{dclass_counter1}) exceeded the maximum allowed (%{dclass_counter2}) -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","number of next hops exceeded the maximum"), - dup23, -])); - -var msg436 = msg("RPD_KRT_NEXTHOP_OVERFLOW", part455); - -var part456 = match("MESSAGE#432:RPD_KRT_NOIFD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No device %{dclass_counter1->} for interface %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","No device for interface"), - dup23, -])); - -var msg437 = msg("RPD_KRT_NOIFD", part456); - -var part457 = match("MESSAGE#433:RPD_KRT_UNKNOWN_RTT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: received routing table message for unknown table with kernel ID %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","received routing table message for unknown table"), - dup23, -])); - -var msg438 = msg("RPD_KRT_UNKNOWN_RTT", part457); - -var part458 = match("MESSAGE#434:RPD_KRT_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket version mismatch (%{info}) -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Routing socket version mismatch"), - dup23, -])); - -var msg439 = msg("RPD_KRT_VERSION", part458); - -var part459 = match("MESSAGE#435:RPD_KRT_VERSIONNONE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is not supported by kernel, %{info->} -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Routing socket message type not supported by kernel"), - dup23, -])); - -var msg440 = msg("RPD_KRT_VERSIONNONE", part459); - -var part460 = match("MESSAGE#436:RPD_KRT_VERSIONOLD", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is older than expected (%{info}) -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Routing socket message type version is older than expected"), - dup23, -])); - -var msg441 = msg("RPD_KRT_VERSIONOLD", part460); - -var part461 = match("MESSAGE#437:RPD_LDP_INTF_BLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate session ID detected from %{daddr}, interface %{interface}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Duplicate session ID detected"), - dup23, -])); - -var msg442 = msg("RPD_LDP_INTF_BLOCKED", part461); - -var part462 = match("MESSAGE#438:RPD_LDP_INTF_UNBLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP interface %{interface->} is now %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","LDP interface now unblocked"), - dup23, -])); - -var msg443 = msg("RPD_LDP_INTF_UNBLOCKED", part462); - -var part463 = match("MESSAGE#439:RPD_LDP_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ - setc("eventcategory","1603030000"), - dup22, - setc("event_description","LDP neighbor down"), - dup23, -])); - -var msg444 = msg("RPD_LDP_NBRDOWN", part463); - -var part464 = match("MESSAGE#440:RPD_LDP_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","LDP neighbor up"), - dup23, -])); - -var msg445 = msg("RPD_LDP_NBRUP", part464); - -var part465 = match("MESSAGE#441:RPD_LDP_SESSIONDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is down, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","LDP session down"), - dup23, -])); - -var msg446 
= msg("RPD_LDP_SESSIONDOWN", part465); - -var part466 = match("MESSAGE#442:RPD_LDP_SESSIONUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is up", processor_chain([ - dup21, - dup22, - setc("event_description","LDP session up"), - dup23, -])); - -var msg447 = msg("RPD_LDP_SESSIONUP", part466); - -var part467 = match("MESSAGE#443:RPD_LOCK_FLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to obtain a lock"), - dup23, -])); - -var msg448 = msg("RPD_LOCK_FLOCKED", part467); - -var part468 = match("MESSAGE#444:RPD_LOCK_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to obtain service lock"), - dup23, -])); - -var msg449 = msg("RPD_LOCK_LOCKED", part468); - -var part469 = match("MESSAGE#445:RPD_MPLS_LSP_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","MPLS LSP CHANGE"), - dup23, -])); - -var msg450 = msg("RPD_MPLS_LSP_CHANGE", part469); - -var part470 = match("MESSAGE#446:RPD_MPLS_LSP_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MPLS LSP DOWN"), - dup23, -])); - -var msg451 = msg("RPD_MPLS_LSP_DOWN", part470); - -var part471 = match("MESSAGE#447:RPD_MPLS_LSP_SWITCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}, Route %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","MPLS LSP SWITCH"), - dup23, -])); - -var msg452 = msg("RPD_MPLS_LSP_SWITCH", part471); - -var part472 = match("MESSAGE#448:RPD_MPLS_LSP_UP", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","MPLS LSP UP"), - dup23, -])); - -var msg453 = msg("RPD_MPLS_LSP_UP", part472); - -var part473 = match("MESSAGE#449:RPD_MSDP_PEER_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MSDP PEER DOWN"), - dup23, -])); - -var msg454 = msg("RPD_MSDP_PEER_DOWN", part473); - -var part474 = match("MESSAGE#450:RPD_MSDP_PEER_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","MSDP PEER UP"), - dup23, -])); - -var msg455 = msg("RPD_MSDP_PEER_UP", part474); - -var part475 = match("MESSAGE#451:RPD_OSPF_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","OSPF neighbor down"), - dup23, -])); - -var msg456 = msg("RPD_OSPF_NBRDOWN", part475); - -var part476 = match("MESSAGE#452:RPD_OSPF_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","OSPF neighbor up"), - dup23, -])); - -var msg457 = msg("RPD_OSPF_NBRUP", part476); - -var part477 = match("MESSAGE#453:RPD_OS_MEMHIGH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using %{dclass_counter1->} KB of memory, %{info}", processor_chain([ - dup51, - dup22, - setc("event_description","OS MEMHIGH"), - dup23, -])); - -var msg458 = msg("RPD_OS_MEMHIGH", part477); - -var part478 = match("MESSAGE#454:RPD_PIM_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM neighbor %{daddr->} timeout 
interface %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","PIM neighbor down"), - setc("result","timeout"), - dup23, -])); - -var msg459 = msg("RPD_PIM_NBRDOWN", part478); - -var part479 = match("MESSAGE#455:RPD_PIM_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM new neighbor %{daddr->} interface %{interface}", processor_chain([ - dup21, - dup22, - setc("event_description","PIM neighbor up"), - dup23, -])); - -var msg460 = msg("RPD_PIM_NBRUP", part479); - -var part480 = match("MESSAGE#456:RPD_RDISC_CKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Bad checksum for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Bad checksum for router solicitation"), - dup23, -])); - -var msg461 = msg("RPD_RDISC_CKSUM", part480); - -var part481 = match("MESSAGE#457:RPD_RDISC_NOMULTI", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring interface %{dclass_counter1->} on %{interface->} -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Ignoring interface"), - dup23, -])); - -var msg462 = msg("RPD_RDISC_NOMULTI", part481); - -var part482 = match("MESSAGE#458:RPD_RDISC_NORECVIF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to locate interface for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to locate interface for router"), - dup23, -])); - -var msg463 = msg("RPD_RDISC_NORECVIF", part482); - -var part483 = match("MESSAGE#459:RPD_RDISC_SOLICITADDR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Expected multicast (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Expected multicast for router solicitation"), - dup23, -])); - -var msg464 = msg("RPD_RDISC_SOLICITADDR", part483); - -var part484 = 
match("MESSAGE#460:RPD_RDISC_SOLICITICMP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Nonzero ICMP code (%{resultcode}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Nonzero ICMP code for router solicitation"), - dup23, -])); - -var msg465 = msg("RPD_RDISC_SOLICITICMP", part484); - -var part485 = match("MESSAGE#461:RPD_RDISC_SOLICITLEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Insufficient length (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Insufficient length for router solicitation"), - dup23, -])); - -var msg466 = msg("RPD_RDISC_SOLICITLEN", part485); - -var part486 = match("MESSAGE#462:RPD_RIP_AUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Update with invalid authentication from %{saddr->} (%{interface})", processor_chain([ - dup30, - dup22, - setc("event_description","RIP update with invalid authentication"), - dup23, -])); - -var msg467 = msg("RPD_RIP_AUTH", part486); - -var part487 = match("MESSAGE#463:RPD_RIP_JOIN_BROADCAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get broadcast address %{interface}; %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RIP - unable to get broadcast address"), - dup23, -])); - -var msg468 = msg("RPD_RIP_JOIN_BROADCAST", part487); - -var part488 = match("MESSAGE#464:RPD_RIP_JOIN_MULTICAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to join multicast group %{interface}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RIP - Unable to join multicast group"), - dup23, -])); - -var msg469 = msg("RPD_RIP_JOIN_MULTICAST", part488); - -var part489 = match("MESSAGE#465:RPD_RT_IFUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: UP route for interface %{interface->} index 
%{dclass_counter1->} %{saddr}/%{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","RIP interface up"), - dup23, -])); - -var msg470 = msg("RPD_RT_IFUP", part489); - -var msg471 = msg("RPD_SCHED_CALLBACK_LONGRUNTIME", dup148); - -var part490 = match("MESSAGE#467:RPD_SCHED_CUMULATIVE_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime (%{result}) after action of module", processor_chain([ - dup30, - dup22, - setc("event_description","excessive runtime after action of module"), - dup23, -])); - -var msg472 = msg("RPD_SCHED_CUMULATIVE_LONGRUNTIME", part490); - -var msg473 = msg("RPD_SCHED_MODULE_LONGRUNTIME", dup148); - -var part491 = match("MESSAGE#469:RPD_SCHED_TASK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} ran for %{dclass_counter1}(%{dclass_counter2})", processor_chain([ - dup30, - dup22, - setc("event_description","task extended runtime"), - dup23, -])); - -var msg474 = msg("RPD_SCHED_TASK_LONGRUNTIME", part491); - -var part492 = match("MESSAGE#470:RPD_SIGNAL_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} termination signal received", processor_chain([ - dup30, - dup22, - setc("event_description","termination signal received for service"), - dup23, -])); - -var msg475 = msg("RPD_SIGNAL_TERMINATE", part492); - -var part493 = match("MESSAGE#471:RPD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Start %{dclass_counter1->} version version built %{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","version built"), - dup23, -])); - -var msg476 = msg("RPD_START", part493); - -var part494 = match("MESSAGE#472:RPD_SYSTEM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: detail: %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","system command"), - dup23, -])); - -var msg477 = msg("RPD_SYSTEM", part494); - -var 
part495 = match("MESSAGE#473:RPD_TASK_BEGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commencing routing updates, version %{dclass_counter1}, built %{dclass_counter2->} by builder", processor_chain([ - dup21, - dup22, - setc("event_description","Commencing routing updates"), - dup23, -])); - -var msg478 = msg("RPD_TASK_BEGIN", part495); - -var part496 = match("MESSAGE#474:RPD_TASK_CHILDKILLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","task killed by signal"), - dup23, -])); - -var msg479 = msg("RPD_TASK_CHILDKILLED", part496); - -var part497 = match("MESSAGE#475:RPD_TASK_CHILDSTOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","task stopped by signal"), - dup23, -])); - -var msg480 = msg("RPD_TASK_CHILDSTOPPED", part497); - -var part498 = match("MESSAGE#476:RPD_TASK_FORK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork task: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to fork task"), - dup23, -])); - -var msg481 = msg("RPD_TASK_FORK", part498); - -var part499 = match("MESSAGE#477:RPD_TASK_GETWD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: getwd: %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","RPD TASK GETWD"), - dup23, -])); - -var msg482 = msg("RPD_TASK_GETWD", part499); - -var part500 = match("MESSAGE#478:RPD_TASK_NOREINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialization not possible", processor_chain([ - dup30, - dup22, - setc("event_description","Reinitialization not possible"), - dup23, -])); - -var msg483 = msg("RPD_TASK_NOREINIT", part500); - -var part501 = match("MESSAGE#479:RPD_TASK_PIDCLOSED", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: Unable to close and remove %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to close and remove task"), - dup23, -])); - -var msg484 = msg("RPD_TASK_PIDCLOSED", part501); - -var part502 = match("MESSAGE#480:RPD_TASK_PIDFLOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: flock(%{agent}, %{action}): %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RPD TASK PIDFLOCK"), - dup23, -])); - -var msg485 = msg("RPD_TASK_PIDFLOCK", part502); - -var part503 = match("MESSAGE#481:RPD_TASK_PIDWRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to write %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to write"), - dup23, -])); - -var msg486 = msg("RPD_TASK_PIDWRITE", part503); - -var msg487 = msg("RPD_TASK_REINIT", dup149); - -var part504 = match("MESSAGE#483:RPD_TASK_SIGNALIGNORE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sigaction(%{result}): %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","ignoring task signal"), - dup23, -])); - -var msg488 = msg("RPD_TASK_SIGNALIGNORE", part504); - -var part505 = match("MESSAGE#484:RT_COS", "nwparser.payload", "%{process}: %{event_type}: COS IPC op %{dclass_counter1->} (%{agent}) failed, err %{resultcode->} (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","COS IPC op failed"), - dup23, -])); - -var msg489 = msg("RT_COS", part505); - -var part506 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/2", "nwparser.p0", "%{fld5}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); - -var part507 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{fld10}\" dst-nat-rule-%{p0}"); - -var part508 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_0", 
"nwparser.p0", "type=%{fld21->} dst-nat-rule-name=\"%{p0}"); - -var select39 = linear_select([ - part508, - dup91, -]); - -var part509 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/6", "nwparser.p0", "\"%{fld11->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{fld13}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\"%{p0}"); - -var part510 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" encrypted=%{fld8->} %{p0}"); - -var select40 = linear_select([ - part510, - dup45, -]); - -var all22 = all_match({ - processors: [ - dup87, - dup150, - part506, - dup151, - part507, - select39, - part509, - select40, - dup92, - ], - on_success: processor_chain([ - dup28, - dup53, - dup54, - dup22, - dup52, - ]), -}); - -var msg490 = msg("RT_FLOW_SESSION_CREATE:02", all22); - -var part511 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/1_0", "nwparser.p0", " service-name=\"%{service}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-type=\"%{fld20}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-type=\"%{fld10}\" dst-nat-rule-name=\"%{rule_template}\"%{p0}"); - -var select41 = linear_select([ - part511, - dup45, -]); - -var part512 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/2", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\"%{p0}"); - -var part513 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/3_0", "nwparser.p0", " source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" username=\"%{username}\" roles=\"%{fld50}\" packet-incoming-interface=\"%{dinterface}\" application=\"%{application}\" nested-application=\"%{fld7}\" encrypted=\"%{fld8}\"%{p0}"); - -var select42 = linear_select([ - 
part513, - dup45, -]); - -var all23 = all_match({ - processors: [ - dup87, - select41, - part512, - select42, - dup92, - ], - on_success: processor_chain([ - dup28, - dup53, - dup54, - dup22, - dup52, - ]), -}); - -var msg491 = msg("RT_FLOW_SESSION_CREATE", all23); - -var part514 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_0", "nwparser.payload", "%{process}: %{event_type}: session created %{p0}"); - -var part515 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_1", "nwparser.payload", "%{event_type}: session created %{p0}"); - -var select43 = linear_select([ - part514, - part515, -]); - -var part516 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{p0}"); - -var part517 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_0", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{protocol->} %{fld15->} UNKNOWN UNKNOWN"); - -var part518 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_1", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{fld15}"); - -var part519 = match_copy("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_2", "nwparser.p0", "info"); - -var select44 = linear_select([ - part517, - part518, - part519, -]); - -var all24 = all_match({ - processors: [ - select43, - part516, - select44, - ], - on_success: processor_chain([ - dup28, - dup53, - dup54, - dup22, - setc("event_description","session created"), - dup23, - ]), -}); - -var msg492 = msg("RT_FLOW_SESSION_CREATE:01", all24); - -var select45 = linear_select([ - msg490, - msg491, - msg492, -]); - -var part520 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/2", "nwparser.p0", "%{fld5}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" 
policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{dinterface}\"%{p0}"); - -var part521 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_0", "nwparser.p0", " encrypted=\"%{fld16}\" reason=\"%{result}\" src-vrf-grp=\"%{fld99}\" dst-vrf-grp=\"%{fld98}\"%{p0}"); - -var part522 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_1", "nwparser.p0", " encrypted=%{fld16->} reason=\"%{result}\"%{p0}"); - -var select46 = linear_select([ - part521, - part522, - dup45, -]); - -var all25 = all_match({ - processors: [ - dup87, - dup150, - part520, - select46, - dup92, - ], - on_success: processor_chain([ - dup93, - dup53, - dup94, - dup22, - dup52, - ]), -}); - -var msg493 = msg("RT_FLOW_SESSION_DENY:02", all25); - -var part523 = match("MESSAGE#489:RT_FLOW_SESSION_DENY", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\"]", processor_chain([ - dup93, - dup53, - dup94, - dup22, - dup52, -])); - -var msg494 = msg("RT_FLOW_SESSION_DENY", part523); - -var part524 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone->} HTTP %{info}"); - -var all26 = all_match({ - processors: [ - dup152, - part524, - ], - on_success: processor_chain([ - dup27, - dup53, - dup94, - dup22, - dup97, - dup23, - ]), -}); - -var msg495 = msg("RT_FLOW_SESSION_DENY:03", all26); - -var part525 = match("MESSAGE#491:RT_FLOW_SESSION_DENY:01/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone}"); - -var all27 = all_match({ - processors: [ - dup152, - part525, - ], - 
on_success: processor_chain([ - dup27, - dup53, - dup94, - dup22, - dup97, - dup23, - ]), -}); - -var msg496 = msg("RT_FLOW_SESSION_DENY:01", all27); - -var select47 = linear_select([ - msg493, - msg494, - msg495, - msg496, -]); - -var select48 = linear_select([ - dup103, - dup45, -]); - -var all28 = all_match({ - processors: [ - dup98, - dup150, - dup99, - dup151, - dup100, - dup153, - dup102, - select48, - dup92, - ], - on_success: processor_chain([ - dup27, - dup53, - dup55, - dup104, - dup22, - dup52, - ]), -}); - -var msg497 = msg("RT_FLOW_SESSION_CLOSE:01", all28); - -var part526 = match("MESSAGE#493:RT_FLOW_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" inbound-packets=\"%{packets}\" inbound-bytes=\"%{rbytes}\" outbound-packets=\"%{dclass_counter1}\" outbound-bytes=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ - dup27, - dup53, - dup55, - dup22, - dup52, -])); - -var msg498 = msg("RT_FLOW_SESSION_CLOSE", part526); - -var part527 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_0", "nwparser.payload", "%{process}: %{event_type}: session closed %{p0}"); - -var part528 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_1", "nwparser.payload", "%{event_type}: session closed %{p0}"); - -var select49 = linear_select([ - part527, - part528, -]); - -var part529 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/1", "nwparser.p0", "%{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{info}"); - -var all29 = all_match({ - processors: [ - select49, - part529, - ], - on_success: processor_chain([ - dup27, - dup53, - dup55, - dup22, - setc("event_description","session closed"), - dup23, - ]), -}); - -var msg499 = msg("RT_FLOW_SESSION_CLOSE:02", all29); - -var part530 = 
match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/7_1", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{dinterface}\" %{p0}"); - -var select50 = linear_select([ - dup103, - part530, - dup45, -]); - -var part531 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/8", "nwparser.p0", "] session closed %{fld60}: %{fld51}/%{fld52}->%{fld53}/%{fld54->} %{fld55->} %{fld56}/%{fld57}->%{fld58}/%{fld59->} %{info}"); - -var all30 = all_match({ - processors: [ - dup98, - dup150, - dup99, - dup151, - dup100, - dup153, - dup102, - select50, - part531, - ], - on_success: processor_chain([ - dup27, - dup53, - dup55, - dup104, - dup22, - dup52, - dup61, - ]), -}); - -var msg500 = msg("RT_FLOW_SESSION_CLOSE:03", all30); - -var select51 = linear_select([ - msg497, - msg498, - msg499, - msg500, -]); - -var part532 = match("MESSAGE#496:RT_SCREEN_IP", "nwparser.payload", "%{process}: %{event_type}: Fragmented traffic! source:%{saddr}, destination: %{daddr}, protocol-id: %{protocol}, zone name: %{zone}, interface name: %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","Fragmented traffic"), - dup23, -])); - -var msg501 = msg("RT_SCREEN_IP", part532); - -var part533 = match("MESSAGE#497:RT_SCREEN_IP:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" protocol-id=\"%{protocol}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ - dup30, - dup22, - dup52, -])); - -var msg502 = msg("RT_SCREEN_IP:01", part533); - -var select52 = linear_select([ - msg501, - msg502, -]); - -var msg503 = msg("RT_SCREEN_TCP", dup154); - -var part534 = match("MESSAGE#499:RT_SCREEN_SESSION_LIMIT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" message=\"%{info}\" ip-address=\"%{hostip}\" 
source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ - dup30, - dup22, - dup52, -])); - -var msg504 = msg("RT_SCREEN_SESSION_LIMIT", part534); - -var msg505 = msg("RT_SCREEN_UDP", dup154); - -var part535 = match("MESSAGE#501:SERVICED_CLIENT_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: attempt to connect to interface failed with error: %{result}", processor_chain([ - dup27, - dup22, - setc("event_description","attempt to connect to interface failed"), - dup23, -])); - -var msg506 = msg("SERVICED_CLIENT_CONNECT", part535); - -var part536 = match("MESSAGE#502:SERVICED_CLIENT_DISCONNECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unexpected termination of connection to interface", processor_chain([ - dup27, - dup22, - setc("event_description","unexpected termination of connection"), - dup23, -])); - -var msg507 = msg("SERVICED_CLIENT_DISCONNECTED", part536); - -var part537 = match("MESSAGE#503:SERVICED_CLIENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: client interface connection failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","client interface connection failure"), - dup23, -])); - -var msg508 = msg("SERVICED_CLIENT_ERROR", part537); - -var part538 = match("MESSAGE#504:SERVICED_COMMAND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: remote command execution failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","remote command execution failed"), - dup23, -])); - -var msg509 = msg("SERVICED_COMMAND_FAILED", part538); - -var part539 = match("MESSAGE#505:SERVICED_COMMIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: client failed to commit configuration with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","client commit configuration failed"), - 
dup23, -])); - -var msg510 = msg("SERVICED_COMMIT_FAILED", part539); - -var part540 = match("MESSAGE#506:SERVICED_CONFIGURATION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: configuration process failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","configuration process failed"), - dup23, -])); - -var msg511 = msg("SERVICED_CONFIGURATION_FAILED", part540); - -var part541 = match("MESSAGE#507:SERVICED_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SERVICED CONFIG ERROR"), - dup23, -])); - -var msg512 = msg("SERVICED_CONFIG_ERROR", part541); - -var part542 = match("MESSAGE#508:SERVICED_CONFIG_FILE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} failed to read path with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","service failed to read path"), - dup23, -])); - -var msg513 = msg("SERVICED_CONFIG_FILE", part542); - -var part543 = match("MESSAGE#509:SERVICED_CONNECTION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SERVICED CONNECTION ERROR"), - dup23, -])); - -var msg514 = msg("SERVICED_CONNECTION_ERROR", part543); - -var part544 = match("MESSAGE#510:SERVICED_DISABLED_GGSN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: GGSN services disabled: object: %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","GGSN services disabled"), - dup23, -])); - -var msg515 = msg("SERVICED_DISABLED_GGSN", part544); - -var msg516 = msg("SERVICED_DUPLICATE", dup141); - -var part545 = match("MESSAGE#512:SERVICED_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: event function %{dclass_counter2->} failed with error: %{result}", 
processor_chain([ - dup30, - dup22, - setc("event_description","event function failed"), - dup23, -])); - -var msg517 = msg("SERVICED_EVENT_FAILED", part545); - -var part546 = match("MESSAGE#513:SERVICED_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: initialization failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","service initialization failed"), - dup23, -])); - -var msg518 = msg("SERVICED_INIT_FAILED", part546); - -var part547 = match("MESSAGE#514:SERVICED_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed to allocate [%{dclass_counter2}] object [%{dclass_counter1->} bytes %{bytes}]: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","memory allocation failure"), - dup23, -])); - -var msg519 = msg("SERVICED_MALLOC_FAILURE", part547); - -var part548 = match("MESSAGE#515:SERVICED_NETWORK_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","NETWORK FAILURE"), - dup23, -])); - -var msg520 = msg("SERVICED_NETWORK_FAILURE", part548); - -var part549 = match("MESSAGE#516:SERVICED_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - setc("event_description","SERVICED must be run as root"), - dup23, -])); - -var msg521 = msg("SERVICED_NOT_ROOT", part549); - -var msg522 = msg("SERVICED_PID_FILE_LOCK", dup142); - -var msg523 = msg("SERVICED_PID_FILE_UPDATE", dup143); - -var part550 = match("MESSAGE#519:SERVICED_RTSOCK_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: routing socket sequence error, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","routing socket sequence error"), - dup23, -])); - -var msg524 = msg("SERVICED_RTSOCK_SEQUENCE", 
part550); - -var part551 = match("MESSAGE#520:SERVICED_SIGNAL_HANDLER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: set up of signal name handler failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","set up of signal name handler failed"), - dup23, -])); - -var msg525 = msg("SERVICED_SIGNAL_HANDLER", part551); - -var part552 = match("MESSAGE#521:SERVICED_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket create failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","socket create failed with error"), - dup23, -])); - -var msg526 = msg("SERVICED_SOCKET_CREATE", part552); - -var part553 = match("MESSAGE#522:SERVICED_SOCKET_IO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket function %{dclass_counter2->} failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","socket function failed"), - dup23, -])); - -var msg527 = msg("SERVICED_SOCKET_IO", part553); - -var part554 = match("MESSAGE#523:SERVICED_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unable to set socket option %{dclass_counter2}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","unable to set socket option"), - dup23, -])); - -var msg528 = msg("SERVICED_SOCKET_OPTION", part554); - -var part555 = match("MESSAGE#524:SERVICED_STDLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","STDLIB FAILURE"), - dup23, -])); - -var msg529 = msg("SERVICED_STDLIB_FAILURE", part555); - -var part556 = match("MESSAGE#525:SERVICED_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Incorrect 
service usage"), - dup23, -])); - -var msg530 = msg("SERVICED_USAGE", part556); - -var part557 = match("MESSAGE#526:SERVICED_WORK_INCONSISTENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: object has unexpected value %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","object has unexpected value"), - dup23, -])); - -var msg531 = msg("SERVICED_WORK_INCONSISTENCY", part557); - -var msg532 = msg("SSL_PROXY_SSL_SESSION_ALLOW", dup155); - -var msg533 = msg("SSL_PROXY_SSL_SESSION_DROP", dup155); - -var msg534 = msg("SSL_PROXY_SESSION_IGNORE", dup155); - -var part558 = match("MESSAGE#530:SNMP_NS_LOG_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NET-SNMP version %{version->} AgentX subagent connected", processor_chain([ - dup21, - dup22, - setc("event_description","AgentX subagent connected"), - dup61, - dup23, -])); - -var msg535 = msg("SNMP_NS_LOG_INFO", part558); - -var part559 = match("MESSAGE#531:SNMP_SUBAGENT_IPC_REG_ROWS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ns_subagent_register_mibs: registering %{dclass_counter1->} rows", processor_chain([ - dup21, - dup22, - setc("event_description","ns_subagent registering rows"), - dup61, - dup23, -])); - -var msg536 = msg("SNMP_SUBAGENT_IPC_REG_ROWS", part559); - -var part560 = match("MESSAGE#532:SNMPD_ACCESS_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} access group %{group}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD ACCESS GROUP ERROR"), - dup23, -])); - -var msg537 = msg("SNMPD_ACCESS_GROUP_ERROR", part560); - -var part561 = match("MESSAGE#533:SNMPD_AUTH_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to unknown community name (%{pool_name})", processor_chain([ - dup30, - dup22, - dup105, - setc("result","unauthorized SNMP community to 
unknown community name"), - dup23, -])); - -var msg538 = msg("SNMPD_AUTH_FAILURE", part561); - -var part562 = match("MESSAGE#534:SNMPD_AUTH_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed input interface authorization from %{daddr->} to unknown (%{pool_name})", processor_chain([ - dup30, - dup22, - dup105, - setc("result","failed input interface authorization to unknown"), - dup23, -])); - -var msg539 = msg("SNMPD_AUTH_FAILURE:01", part562); - -var part563 = match("MESSAGE#535:SNMPD_AUTH_FAILURE:02", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to %{saddr->} (%{pool_name})", processor_chain([ - dup30, - dup22, - dup105, - setc("result","unauthorized SNMP community "), - dup23, -])); - -var msg540 = msg("SNMPD_AUTH_FAILURE:02", part563); - -var part564 = match("MESSAGE#595:SNMPD_AUTH_FAILURE:03", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} function-name=\"%{fld1}\" message=\"%{info}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" index1=\"%{fld4}\"]", processor_chain([ - dup30, - dup22, - dup105, - dup61, - dup62, -])); - -var msg541 = msg("SNMPD_AUTH_FAILURE:03", part564); - -var select53 = linear_select([ - msg538, - msg539, - msg540, - msg541, -]); - -var part565 = match("MESSAGE#536:SNMPD_AUTH_PRIVILEGES_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: request exceeded community privileges", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP request exceeded community privileges"), - dup23, -])); - -var msg542 = msg("SNMPD_AUTH_PRIVILEGES_EXCEEDED", part565); - -var part566 = match("MESSAGE#537:SNMPD_AUTH_RESTRICTED_ADDRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: request from address %{daddr->} not allowed", processor_chain([ - dup48, - dup22, - setc("event_description","SNMPD AUTH RESTRICTED 
ADDRESS"), - setc("result","request not allowed"), - dup23, -])); - -var msg543 = msg("SNMPD_AUTH_RESTRICTED_ADDRESS", part566); - -var part567 = match("MESSAGE#538:SNMPD_AUTH_WRONG_PDU_TYPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: unauthorized SNMP PDU type: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","unauthorized SNMP PDU type"), - dup23, -])); - -var msg544 = msg("SNMPD_AUTH_WRONG_PDU_TYPE", part567); - -var part568 = match("MESSAGE#539:SNMPD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration database has errors", processor_chain([ - dup30, - dup22, - setc("event_description","Configuration database has errors"), - dup23, -])); - -var msg545 = msg("SNMPD_CONFIG_ERROR", part568); - -var part569 = match("MESSAGE#540:SNMPD_CONTEXT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} context %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD CONTEXT ERROR"), - dup23, -])); - -var msg546 = msg("SNMPD_CONTEXT_ERROR", part569); - -var part570 = match("MESSAGE#541:SNMPD_ENGINE_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD ENGINE FILE FAILURE"), - dup23, -])); - -var msg547 = msg("SNMPD_ENGINE_FILE_FAILURE", part570); - -var part571 = match("MESSAGE#542:SNMPD_ENGINE_PROCESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: from-path: undecodable/unmatched subagent response", processor_chain([ - dup30, - dup22, - setc("event_description"," from-path - SNMP undecodable/unmatched subagent response"), - dup23, -])); - -var msg548 = msg("SNMPD_ENGINE_PROCESS_ERROR", part571); - -var part572 = match("MESSAGE#543:SNMPD_FILE_FAILURE", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{agent}: fopen %{dclass_counter2}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD FILE FAILURE"), - dup23, -])); - -var msg549 = msg("SNMPD_FILE_FAILURE", part572); - -var part573 = match("MESSAGE#544:SNMPD_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} group: '%{group}' user '%{username}' model '%{version}'", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD GROUP ERROR"), - dup23, -])); - -var msg550 = msg("SNMPD_GROUP_ERROR", part573); - -var part574 = match("MESSAGE#545:SNMPD_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: snmpd initialization failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","snmpd initialization failure"), - dup23, -])); - -var msg551 = msg("SNMPD_INIT_FAILED", part574); - -var part575 = match("MESSAGE#546:SNMPD_LIBJUNIPER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system_default_inaddr: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","LIBJUNIPER FAILURE"), - dup23, -])); - -var msg552 = msg("SNMPD_LIBJUNIPER_FAILURE", part575); - -var part576 = match("MESSAGE#547:SNMPD_LOOPBACK_ADDR_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","LOOPBACK ADDR ERROR"), - dup23, -])); - -var msg553 = msg("SNMPD_LOOPBACK_ADDR_ERROR", part576); - -var part577 = match("MESSAGE#548:SNMPD_MEMORY_FREED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: called for freed - already freed", processor_chain([ - dup30, - dup22, - setc("event_description","duplicate memory free"), - dup23, -])); - -var msg554 = msg("SNMPD_MEMORY_FREED", part577); - -var part578 = match("MESSAGE#549:SNMPD_RADIX_FAILURE", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{agent}: radix_add failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","radix_add failed"), - dup23, -])); - -var msg555 = msg("SNMPD_RADIX_FAILURE", part578); - -var part579 = match("MESSAGE#550:SNMPD_RECEIVE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: receive %{dclass_counter1->} failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD RECEIVE FAILURE"), - dup23, -])); - -var msg556 = msg("SNMPD_RECEIVE_FAILURE", part579); - -var part580 = match("MESSAGE#551:SNMPD_RMONFILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RMONFILE FAILURE"), - dup23, -])); - -var msg557 = msg("SNMPD_RMONFILE_FAILURE", part580); - -var part581 = match("MESSAGE#552:SNMPD_RMON_COOKIE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Null cookie", processor_chain([ - dup30, - dup22, - setc("event_description","Null cookie"), - dup23, -])); - -var msg558 = msg("SNMPD_RMON_COOKIE", part581); - -var part582 = match("MESSAGE#553:SNMPD_RMON_EVENTLOG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","RMON EVENTLOG"), - dup23, -])); - -var msg559 = msg("SNMPD_RMON_EVENTLOG", part582); - -var part583 = match("MESSAGE#554:SNMPD_RMON_IOERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Received io error, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Received io error"), - dup23, -])); - -var msg560 = msg("SNMPD_RMON_IOERROR", part583); - -var part584 = match("MESSAGE#555:SNMPD_RMON_MIBERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: internal Get request error: description, 
%{result}", processor_chain([ - dup30, - dup22, - setc("event_description","internal Get request error"), - dup23, -])); - -var msg561 = msg("SNMPD_RMON_MIBERROR", part584); - -var part585 = match("MESSAGE#556:SNMPD_RTSLIB_ASYNC_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: sequence mismatch %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","sequence mismatch"), - dup23, -])); - -var msg562 = msg("SNMPD_RTSLIB_ASYNC_EVENT", part585); - -var part586 = match("MESSAGE#557:SNMPD_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send send-type (index1) failure: %{result}", processor_chain([ - dup30, - dup22, - dup106, - dup23, -])); - -var msg563 = msg("SNMPD_SEND_FAILURE", part586); - -var part587 = match("MESSAGE#558:SNMPD_SEND_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send to (%{saddr}) failure: %{result}", processor_chain([ - dup30, - dup22, - dup106, - dup23, -])); - -var msg564 = msg("SNMPD_SEND_FAILURE:01", part587); - -var select54 = linear_select([ - msg563, - msg564, -]); - -var part588 = match("MESSAGE#559:SNMPD_SOCKET_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD SOCKET FAILURE"), - dup23, -])); - -var msg565 = msg("SNMPD_SOCKET_FAILURE", part588); - -var part589 = match("MESSAGE#560:SNMPD_SUBAGENT_NO_BUFFERS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No buffers available for subagent (%{agent})", processor_chain([ - dup30, - dup22, - setc("event_description","No buffers available for subagent"), - dup23, -])); - -var msg566 = msg("SNMPD_SUBAGENT_NO_BUFFERS", part589); - -var part590 = match("MESSAGE#561:SNMPD_SUBAGENT_SEND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Send to subagent failed (%{agent}): %{result}", processor_chain([ - 
dup30, - dup22, - setc("event_description","Send to subagent failed"), - dup23, -])); - -var msg567 = msg("SNMPD_SUBAGENT_SEND_FAILED", part590); - -var part591 = match("MESSAGE#562:SNMPD_SYSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system function '%{dclass_counter1}' failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","system function failed"), - dup23, -])); - -var msg568 = msg("SNMPD_SYSLIB_FAILURE", part591); - -var part592 = match("MESSAGE#563:SNMPD_THROTTLE_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: cleared all throttled traps", processor_chain([ - dup21, - dup22, - setc("event_description","cleared all throttled traps"), - dup23, -])); - -var msg569 = msg("SNMPD_THROTTLE_QUEUE_DRAINED", part592); - -var part593 = match("MESSAGE#564:SNMPD_TRAP_COLD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: cold start", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP trap: cold start"), - dup23, -])); - -var msg570 = msg("SNMPD_TRAP_COLD_START", part593); - -var part594 = match("MESSAGE#565:SNMPD_TRAP_GEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{resultcode->} (%{result})", processor_chain([ - dup30, - dup22, - dup107, - dup23, -])); - -var msg571 = msg("SNMPD_TRAP_GEN_FAILURE", part594); - -var part595 = match("MESSAGE#566:SNMPD_TRAP_GEN_FAILURE2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{dclass_counter2->} %{result}", processor_chain([ - dup30, - dup22, - dup107, - dup23, -])); - -var msg572 = msg("SNMPD_TRAP_GEN_FAILURE2", part595); - -var part596 = match("MESSAGE#567:SNMPD_TRAP_INVALID_DATA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{result->} (%{dclass_counter2}) received", processor_chain([ - dup30, - dup22, - 
setc("event_description","SNMPD TRAP INVALID DATA"), - dup23, -])); - -var msg573 = msg("SNMPD_TRAP_INVALID_DATA", part596); - -var part597 = match("MESSAGE#568:SNMPD_TRAP_NOT_ENOUGH_VARBINDS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{info->} (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD TRAP ERROR"), - dup23, -])); - -var msg574 = msg("SNMPD_TRAP_NOT_ENOUGH_VARBINDS", part597); - -var part598 = match("MESSAGE#569:SNMPD_TRAP_QUEUED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Adding trap to %{dclass_counter2->} to %{obj_name->} queue, %{dclass_counter1->} traps in queue", processor_chain([ - dup21, - dup22, - setc("event_description","Adding trap to queue"), - dup23, -])); - -var msg575 = msg("SNMPD_TRAP_QUEUED", part598); - -var part599 = match("MESSAGE#570:SNMPD_TRAP_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps queued to %{obj_name->} sent successfully", processor_chain([ - dup21, - dup22, - setc("event_description","traps queued - sent successfully"), - dup23, -])); - -var msg576 = msg("SNMPD_TRAP_QUEUE_DRAINED", part599); - -var part600 = match("MESSAGE#571:SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: after %{dclass_counter1->} attempts, deleting %{dclass_counter2->} traps queued to %{obj_name}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD TRAP QUEUE MAX_ATTEMPTS - deleting some traps"), - dup23, -])); - -var msg577 = msg("SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", part600); - -var part601 = match("MESSAGE#572:SNMPD_TRAP_QUEUE_MAX_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: maximum queue size exceeded (%{dclass_counter1}), discarding trap to %{dclass_counter2->} from %{obj_name->} queue", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP TRAP maximum queue size exceeded"), - 
dup23, -])); - -var msg578 = msg("SNMPD_TRAP_QUEUE_MAX_SIZE", part601); - -var part602 = match("MESSAGE#573:SNMPD_TRAP_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps throttled after %{dclass_counter1->} traps", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP traps throttled"), - dup23, -])); - -var msg579 = msg("SNMPD_TRAP_THROTTLED", part602); - -var part603 = match("MESSAGE#574:SNMPD_TRAP_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unknown trap type requested (%{obj_type->} )", processor_chain([ - dup30, - dup22, - setc("event_description","unknown SNMP trap type requested"), - dup23, -])); - -var msg580 = msg("SNMPD_TRAP_TYPE_ERROR", part603); - -var part604 = match("MESSAGE#575:SNMPD_TRAP_VARBIND_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: expecting %{dclass_counter1->} varbind to be VT_NUMBER (%{resultcode->} )", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD TRAP VARBIND TYPE ERROR"), - dup23, -])); - -var msg581 = msg("SNMPD_TRAP_VARBIND_TYPE_ERROR", part604); - -var part605 = match("MESSAGE#576:SNMPD_TRAP_VERSION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: invalid version signature (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD TRAP ERROR - invalid version signature"), - dup23, -])); - -var msg582 = msg("SNMPD_TRAP_VERSION_ERROR", part605); - -var part606 = match("MESSAGE#577:SNMPD_TRAP_WARM_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: warm start", processor_chain([ - dup21, - dup22, - setc("event_description","SNMPD TRAP WARM START"), - dup23, -])); - -var msg583 = msg("SNMPD_TRAP_WARM_START", part606); - -var part607 = match("MESSAGE#578:SNMPD_USER_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: 
%{result->} in %{dclass_counter1->} user '%{username}' %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD USER ERROR"), - dup23, -])); - -var msg584 = msg("SNMPD_USER_ERROR", part607); - -var part608 = match("MESSAGE#579:SNMPD_VIEW_DELETE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: deleting view %{dclass_counter2->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP deleting view"), - dup23, -])); - -var msg585 = msg("SNMPD_VIEW_DELETE", part608); - -var part609 = match("MESSAGE#580:SNMPD_VIEW_INSTALL_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} installing default %{dclass_counter1->} view %{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","installing default SNMP view"), - dup23, -])); - -var msg586 = msg("SNMPD_VIEW_INSTALL_DEFAULT", part609); - -var part610 = match("MESSAGE#581:SNMPD_VIEW_OID_PARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: oid parsing failed for view %{dclass_counter2->} oid %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","oid parsing failed for SNMP view"), - dup23, -])); - -var msg587 = msg("SNMPD_VIEW_OID_PARSE", part610); - -var part611 = match("MESSAGE#582:SNMP_GET_ERROR1", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP_GET_ERROR 1"), - dup23, -])); - -var msg588 = msg("SNMP_GET_ERROR1", part611); - -var part612 = match("MESSAGE#583:SNMP_GET_ERROR2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP GET ERROR 2"), - dup23, -])); - -var msg589 = msg("SNMP_GET_ERROR2", part612); - -var 
part613 = match("MESSAGE#584:SNMP_GET_ERROR3", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP GET ERROR 3"), - dup23, -])); - -var msg590 = msg("SNMP_GET_ERROR3", part613); - -var part614 = match("MESSAGE#585:SNMP_GET_ERROR4", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP GET ERROR 4"), - dup23, -])); - -var msg591 = msg("SNMP_GET_ERROR4", part614); - -var part615 = match("MESSAGE#586:SNMP_RTSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: rtslib-error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP RTSLIB FAILURE"), - dup23, -])); - -var msg592 = msg("SNMP_RTSLIB_FAILURE", part615); - -var part616 = match("MESSAGE#587:SNMP_TRAP_LINK_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ - dup30, - dup22, - dup108, - dup23, -])); - -var msg593 = msg("SNMP_TRAP_LINK_DOWN", part616); - -var part617 = match("MESSAGE#596:SNMP_TRAP_LINK_DOWN:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{fld2}\" interface-name=\"%{interface}\"]", processor_chain([ - dup30, - dup22, - dup108, - dup61, - dup62, -])); - -var msg594 = msg("SNMP_TRAP_LINK_DOWN:01", part617); - -var select55 = linear_select([ - msg593, - msg594, -]); - -var part618 = match("MESSAGE#588:SNMP_TRAP_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName 
%{interface}", processor_chain([ - dup21, - dup22, - dup109, - dup23, -])); - -var msg595 = msg("SNMP_TRAP_LINK_UP", part618); - -var part619 = match("MESSAGE#597:SNMP_TRAP_LINK_UP:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{event_state}\" interface-name=\"%{interface}\"]", processor_chain([ - dup21, - dup22, - dup109, - dup61, - dup62, -])); - -var msg596 = msg("SNMP_TRAP_LINK_UP:01", part619); - -var select56 = linear_select([ - msg595, - msg596, -]); - -var part620 = match("MESSAGE#589:SNMP_TRAP_PING_PROBE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP TRAP PING PROBE FAILED"), - dup23, -])); - -var msg597 = msg("SNMP_TRAP_PING_PROBE_FAILED", part620); - -var part621 = match("MESSAGE#590:SNMP_TRAP_PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP TRAP PING TEST COMPLETED"), - dup23, -])); - -var msg598 = msg("SNMP_TRAP_PING_TEST_COMPLETED", part621); - -var part622 = match("MESSAGE#591:SNMP_TRAP_PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP TRAP PING TEST FAILED"), - dup23, -])); - -var msg599 = msg("SNMP_TRAP_PING_TEST_FAILED", part622); - -var part623 = match("MESSAGE#592:SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP TRAP 
TRACE ROUTE PATH CHANGE"), - dup23, -])); - -var msg600 = msg("SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", part623); - -var part624 = match("MESSAGE#593:SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP TRAP TRACE ROUTE TEST COMPLETED"), - dup23, -])); - -var msg601 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", part624); - -var part625 = match("MESSAGE#594:SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP TRAP TRACE ROUTE TEST FAILED"), - dup23, -])); - -var msg602 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", part625); - -var part626 = match("MESSAGE#598:SSHD_LOGIN_FAILED", "nwparser.payload", "%{process}: %{event_type}: Login failed for user '%{username}' from host '%{saddr}'", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup110, - dup23, -])); - -var msg603 = msg("SSHD_LOGIN_FAILED", part626); - -var part627 = match("MESSAGE#599:SSHD_LOGIN_FAILED:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} username=\"%{username}\" source-address=\"%{saddr}\"]", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup110, - dup61, - dup52, - setf("process","hfld33"), -])); - -var msg604 = msg("SSHD_LOGIN_FAILED:01", part627); - -var select57 = linear_select([ - msg603, - msg604, -]); - -var part628 = match("MESSAGE#600:task_connect", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: task %{agent->} addr %{daddr}+%{dport}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","task connect failure"), - dup23, -])); - -var msg605 = msg("task_connect", part628); - -var msg606 = 
msg("TASK_TASK_REINIT", dup149); - -var part629 = match("MESSAGE#602:TFTPD_AF_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected address family %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Unexpected address family"), - dup23, -])); - -var msg607 = msg("TFTPD_AF_ERR", part629); - -var part630 = match("MESSAGE#603:TFTPD_BIND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: bind: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD BIND ERROR"), - dup23, -])); - -var msg608 = msg("TFTPD_BIND_ERR", part630); - -var part631 = match("MESSAGE#604:TFTPD_CONNECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD CONNECT ERROR"), - dup23, -])); - -var msg609 = msg("TFTPD_CONNECT_ERR", part631); - -var part632 = match("MESSAGE#605:TFTPD_CONNECT_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TFTP %{protocol->} from address %{daddr->} port %{dport->} file %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","TFTPD CONNECT INFO"), - dup23, -])); - -var msg610 = msg("TFTPD_CONNECT_INFO", part632); - -var part633 = match("MESSAGE#606:TFTPD_CREATE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: check_space %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD CREATE ERROR"), - dup23, -])); - -var msg611 = msg("TFTPD_CREATE_ERR", part633); - -var part634 = match("MESSAGE#607:TFTPD_FIO_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD FIO ERR"), - dup23, -])); - -var msg612 = msg("TFTPD_FIO_ERR", part634); - -var part635 = match("MESSAGE#608:TFTPD_FORK_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fork: %{result}", processor_chain([ 
- dup30, - dup22, - setc("event_description","TFTPD FORK ERROR"), - dup23, -])); - -var msg613 = msg("TFTPD_FORK_ERR", part635); - -var part636 = match("MESSAGE#609:TFTPD_NAK_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: nak error %{resultcode}, %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD NAK ERROR"), - dup23, -])); - -var msg614 = msg("TFTPD_NAK_ERR", part636); - -var part637 = match("MESSAGE#610:TFTPD_OPEN_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%(unknown)', error: %{result}", processor_chain([ - dup30, - dup22, - dup78, - dup23, -])); - -var msg615 = msg("TFTPD_OPEN_ERR", part637); - -var part638 = match("MESSAGE#611:TFTPD_RECVCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received %{dclass_counter1->} blocks of %{dclass_counter2->} size for file '%(unknown)'", processor_chain([ - dup21, - dup22, - setc("event_description","TFTPD RECVCOMPLETE INFO"), - dup23, -])); - -var msg616 = msg("TFTPD_RECVCOMPLETE_INFO", part638); - -var part639 = match("MESSAGE#612:TFTPD_RECVFROM_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recvfrom: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD RECVFROM ERROR"), - dup23, -])); - -var msg617 = msg("TFTPD_RECVFROM_ERR", part639); - -var part640 = match("MESSAGE#613:TFTPD_RECV_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recv: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD RECV ERROR"), - dup23, -])); - -var msg618 = msg("TFTPD_RECV_ERR", part640); - -var part641 = match("MESSAGE#614:TFTPD_SENDCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Sent %{dclass_counter1->} blocks of %{dclass_counter2->} and %{info->} for file '%(unknown)'", processor_chain([ - dup21, - dup22, - setc("event_description","TFTPD SENDCOMPLETE INFO"), - dup23, -])); - 
-var msg619 = msg("TFTPD_SENDCOMPLETE_INFO", part641); - -var part642 = match("MESSAGE#615:TFTPD_SEND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: send: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD SEND ERROR"), - dup23, -])); - -var msg620 = msg("TFTPD_SEND_ERR", part642); - -var part643 = match("MESSAGE#616:TFTPD_SOCKET_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: socket: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD SOCKET ERROR"), - dup23, -])); - -var msg621 = msg("TFTPD_SOCKET_ERR", part643); - -var part644 = match("MESSAGE#617:TFTPD_STATFS_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: statfs %{agent}, error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD STATFS ERROR"), - dup23, -])); - -var msg622 = msg("TFTPD_STATFS_ERR", part644); - -var part645 = match("MESSAGE#618:TNP", "nwparser.payload", "%{process}: %{event_type}: adding neighbor %{dclass_counter1->} to interface %{interface}", processor_chain([ - dup21, - dup22, - setc("event_description","adding neighbor to interface"), - dup23, -])); - -var msg623 = msg("TNP", part645); - -var part646 = match("MESSAGE#619:trace_on", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: tracing to %{fld33->} started", processor_chain([ - dup21, - dup22, - setc("event_description","tracing to file"), - dup23, - call({ - dest: "nwparser.filename", - fn: RMQ, - args: [ - field("fld33"), - ], - }), -])); - -var msg624 = msg("trace_on", part646); - -var part647 = match("MESSAGE#620:trace_rotate", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rotating %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","trace rotating file"), - dup23, -])); - -var msg625 = msg("trace_rotate", part647); - -var part648 = match("MESSAGE#621:transfer-file", "nwparser.payload", "%{process}: %{event_type}: Transferred 
%(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","transfered file"), - dup23, -])); - -var msg626 = msg("transfer-file", part648); - -var part649 = match("MESSAGE#622:ttloop", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer died: %{result}: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","ttloop - peer died"), - dup23, -])); - -var msg627 = msg("ttloop", part649); - -var part650 = match("MESSAGE#623:UI_AUTH_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated user '%{username}' at permission level '%{privilege}'", processor_chain([ - dup80, - dup34, - dup35, - dup37, - dup22, - setc("event_description","Authenticated user"), - dup23, -])); - -var msg628 = msg("UI_AUTH_EVENT", part650); - -var part651 = match("MESSAGE#624:UI_AUTH_INVALID_CHALLENGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received invalid authentication challenge for user '%{username}': response", processor_chain([ - dup30, - dup22, - setc("event_description","Received invalid authentication challenge for user response"), - dup23, -])); - -var msg629 = msg("UI_AUTH_INVALID_CHALLENGE", part651); - -var part652 = match("MESSAGE#625:UI_BOOTTIME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch boot time: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to fetch boot time"), - dup23, -])); - -var msg630 = msg("UI_BOOTTIME_FAILED", part652); - -var part653 = match("MESSAGE#626:UI_CFG_AUDIT_NEW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} path unknown", processor_chain([ - dup30, - dup22, - setc("event_description","user path unknown"), - dup23, -])); - -var msg631 = msg("UI_CFG_AUDIT_NEW", part653); - -var part654 = match("MESSAGE#627:UI_CFG_AUDIT_NEW:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' 
insert: [edit-config config %{filename->} security policies %{policyname}] %{info}", processor_chain([ - dup42, - dup22, - setc("event_description"," user Inserted Security Policies in config"), - dup23, -])); - -var msg632 = msg("UI_CFG_AUDIT_NEW:01", part654); - -var select58 = linear_select([ - msg631, - msg632, -]); - -var part655 = match("MESSAGE#628:UI_CFG_AUDIT_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' delete: [%(unknown)]", processor_chain([ - dup21, - dup22, - setc("event_description","User deleted file"), - setc("action","delete"), - dup23, -])); - -var msg633 = msg("UI_CFG_AUDIT_OTHER", part655); - -var part656 = match("MESSAGE#629:UI_CFG_AUDIT_OTHER:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' rollback: %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","User rollback file"), - dup23, -])); - -var msg634 = msg("UI_CFG_AUDIT_OTHER:01", part656); - -var part657 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_0", "nwparser.p0", "\"%{info}\""); - -var select59 = linear_select([ - part657, - dup112, -]); - -var all31 = all_match({ - processors: [ - dup111, - select59, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","User set"), - dup23, - ]), -}); - -var msg635 = msg("UI_CFG_AUDIT_OTHER:02", all31); - -var part658 = match("MESSAGE#631:UI_CFG_AUDIT_OTHER:03", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}]", processor_chain([ - dup21, - dup22, - setc("event_description","User config replace"), - setc("action","replace"), - dup23, -])); - -var msg636 = msg("UI_CFG_AUDIT_OTHER:03", part658); - -var part659 = match("MESSAGE#632:UI_CFG_AUDIT_OTHER:04", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' deactivate: [groups %{info}]", processor_chain([ - setc("eventcategory","1701070000"), - 
dup22, - setc("event_description","User deactivating group(s)"), - setc("action","deactivate"), - dup23, -])); - -var msg637 = msg("UI_CFG_AUDIT_OTHER:04", part659); - -var part660 = match("MESSAGE#633:UI_CFG_AUDIT_OTHER:05", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' update: %(unknown)", processor_chain([ - dup113, - dup22, - setc("event_description","User updates config file"), - setc("action","update"), - dup23, -])); - -var msg638 = msg("UI_CFG_AUDIT_OTHER:05", part660); - -var select60 = linear_select([ - msg633, - msg634, - msg635, - msg636, - msg637, - msg638, -]); - -var part661 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_0", "nwparser.p0", "\"%{change_old}\" %{p0}"); - -var select61 = linear_select([ - part661, - dup114, -]); - -var all32 = all_match({ - processors: [ - dup111, - select61, - dup115, - ], - on_success: processor_chain([ - dup21, - dup22, - dup116, - dup23, - ]), -}); - -var msg639 = msg("UI_CFG_AUDIT_SET:01", all32); - -var part662 = match("MESSAGE#635:UI_CFG_AUDIT_SET:02/1_0", "nwparser.p0", "\"%{change_old->} %{p0}"); - -var select62 = linear_select([ - part662, - dup114, -]); - -var all33 = all_match({ - processors: [ - dup111, - select62, - dup115, - ], - on_success: processor_chain([ - dup21, - dup22, - dup116, - dup23, - ]), -}); - -var msg640 = msg("UI_CFG_AUDIT_SET:02", all33); - -var part663 = match("MESSAGE#636:UI_CFG_AUDIT_SET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}] \u003c\u003c%{disposition}> -> \"%{agent}\"", processor_chain([ - dup21, - dup22, - setc("event_description","User replace config application(s)"), - dup23, -])); - -var msg641 = msg("UI_CFG_AUDIT_SET", part663); - -var select63 = linear_select([ - msg639, - msg640, - msg641, -]); - -var part664 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/2", "nwparser.p0", ": [groups %{info->} secret]"); - -var all34 = all_match({ - 
processors: [ - dup117, - dup156, - part664, - ], - on_success: processor_chain([ - dup113, - dup22, - dup120, - dup23, - ]), -}); - -var msg642 = msg("UI_CFG_AUDIT_SET_SECRET:01", all34); - -var part665 = match("MESSAGE#638:UI_CFG_AUDIT_SET_SECRET:02/2", "nwparser.p0", ": [%{info}]"); - -var all35 = all_match({ - processors: [ - dup117, - dup156, - part665, - ], - on_success: processor_chain([ - dup113, - dup22, - dup120, - dup23, - ]), -}); - -var msg643 = msg("UI_CFG_AUDIT_SET_SECRET:02", all35); - -var part666 = match("MESSAGE#639:UI_CFG_AUDIT_SET_SECRET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} %{directory}", processor_chain([ - dup21, - dup22, - setc("event_description","UI CFG AUDIT SET SECRET"), - dup23, -])); - -var msg644 = msg("UI_CFG_AUDIT_SET_SECRET", part666); - -var select64 = linear_select([ - msg642, - msg643, - msg644, -]); - -var part667 = match("MESSAGE#640:UI_CHILD_ARGS_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many arguments for child process '%{agent}'", processor_chain([ - dup30, - dup22, - setc("event_description","Too many arguments for child process"), - dup23, -])); - -var msg645 = msg("UI_CHILD_ARGS_EXCEEDED", part667); - -var part668 = match("MESSAGE#641:UI_CHILD_CHANGE_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to switch to local user: %{username}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to switch to local user"), - dup23, -])); - -var msg646 = msg("UI_CHILD_CHANGE_USER", part668); - -var part669 = match("MESSAGE#642:UI_CHILD_EXEC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Child exec failed"), - dup23, -])); - -var msg647 = msg("UI_CHILD_EXEC", part669); - -var part670 = match("MESSAGE#643:UI_CHILD_EXITED", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Child exited: PID %{child_pid}, status %{result}, command '%{action}'", processor_chain([ - dup30, - dup22, - setc("event_description","Child exited"), - dup23, -])); - -var msg648 = msg("UI_CHILD_EXITED", part670); - -var part671 = match("MESSAGE#644:UI_CHILD_FOPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to append to log '%(unknown)': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to append to log"), - dup23, -])); - -var msg649 = msg("UI_CHILD_FOPEN", part671); - -var part672 = match("MESSAGE#645:UI_CHILD_PIPE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipe for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to create pipe for command"), - dup23, -])); - -var msg650 = msg("UI_CHILD_PIPE_FAILED", part672); - -var part673 = match("MESSAGE#646:UI_CHILD_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child received signal: PID %{child_pid}, signal %{result}: %{resultcode}, command='%{action}'", processor_chain([ - dup21, - dup22, - dup61, - setc("event_description","Child received signal"), - dup23, -])); - -var msg651 = msg("UI_CHILD_SIGNALED", part673); - -var part674 = match("MESSAGE#647:UI_CHILD_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child stopped: PID %{child_pid}, signal=%{resultcode->} command='%{action}')", processor_chain([ - dup21, - dup22, - setc("event_description","Child stopped"), - dup23, -])); - -var msg652 = msg("UI_CHILD_STOPPED", part674); - -var part675 = match("MESSAGE#648:UI_CHILD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Starting child '%{agent}'", processor_chain([ - dup21, - dup22, - setc("event_description","Starting child"), - dup23, -])); - -var msg653 = msg("UI_CHILD_START", part675); - -var part676 = match("MESSAGE#649:UI_CHILD_STATUS", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Cleanup child '%{agent}', PID %{child_pid}, status %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Cleanup child"), - dup23, -])); - -var msg654 = msg("UI_CHILD_STATUS", part676); - -var part677 = match("MESSAGE#650:UI_CHILD_WAITPID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: waitpid failed: PID %{child_pid}, rc %{dclass_counter2}, status %{resultcode}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","waitpid failed"), - dup23, -])); - -var msg655 = msg("UI_CHILD_WAITPID", part677); - -var part678 = match("MESSAGE#651:UI_CLI_IDLE_TIMEOUT", "nwparser.payload", "%{event_type}: Idle timeout for user '%{username}' exceeded and %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Idle timeout for user exceeded"), - dup23, -])); - -var msg656 = msg("UI_CLI_IDLE_TIMEOUT", part678); - -var part679 = match("MESSAGE#652:UI_CMDLINE_READ_LINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}', command '%{action}'", processor_chain([ - dup21, - dup22, - dup121, - dup23, -])); - -var msg657 = msg("UI_CMDLINE_READ_LINE", part679); - -var part680 = match("MESSAGE#653:UI_CMDSET_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command execution failed for '%{agent}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Command execution failed"), - dup23, -])); - -var msg658 = msg("UI_CMDSET_EXEC_FAILED", part680); - -var part681 = match("MESSAGE#654:UI_CMDSET_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork command '%{agent}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to fork command"), - dup23, -])); - -var msg659 = msg("UI_CMDSET_FORK_FAILED", part681); - -var msg660 = msg("UI_CMDSET_PIPE_FAILED", dup144); - -var part682 = 
match("MESSAGE#656:UI_CMDSET_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal '%{resultcode}, command '%{action}'", processor_chain([ - dup30, - dup22, - dup70, - dup23, -])); - -var msg661 = msg("UI_CMDSET_STOPPED", part682); - -var part683 = match("MESSAGE#657:UI_CMDSET_WEXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{resultcode}, command '%{action}'", processor_chain([ - dup30, - dup22, - dup72, - dup23, -])); - -var msg662 = msg("UI_CMDSET_WEXITED", part683); - -var part684 = match("MESSAGE#658:UI_CMD_AUTH_REGEX_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid '%{action}' command authorization regular expression '%{agent}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Invalid regexp command"), - dup23, -])); - -var msg663 = msg("UI_CMD_AUTH_REGEX_INVALID", part684); - -var part685 = match("MESSAGE#659:UI_COMMIT/1_0", "nwparser.p0", "requested '%{action}' operation (comment:%{info})"); - -var part686 = match("MESSAGE#659:UI_COMMIT/1_1", "nwparser.p0", "performed %{action}"); - -var select65 = linear_select([ - part685, - part686, -]); - -var all36 = all_match({ - processors: [ - dup117, - select65, - ], - on_success: processor_chain([ - dup21, - dup22, - dup122, - dup23, - ]), -}); - -var msg664 = msg("UI_COMMIT", all36); - -var part687 = match("MESSAGE#660:UI_COMMIT_AT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{result}", processor_chain([ - dup21, - dup22, - dup122, - dup23, -])); - -var msg665 = msg("UI_COMMIT_AT", part687); - -var part688 = match("MESSAGE#661:UI_COMMIT_AT_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{agent}' was successful", processor_chain([ - dup21, - dup22, - setc("event_description","User commit successful"), - dup23, -])); - -var msg666 = 
msg("UI_COMMIT_AT_COMPLETED", part688); - -var part689 = match("MESSAGE#662:UI_COMMIT_AT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, %{info}", processor_chain([ - dup30, - dup22, - setc("event_description","User commit failed"), - dup23, -])); - -var msg667 = msg("UI_COMMIT_AT_FAILED", part689); - -var part690 = match("MESSAGE#663:UI_COMMIT_COMPRESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to compress file %(unknown)'", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to compress file"), - dup23, -])); - -var msg668 = msg("UI_COMMIT_COMPRESS_FAILED", part690); - -var part691 = match("MESSAGE#664:UI_COMMIT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed '%{action}'", processor_chain([ - dup21, - dup22, - setc("event_description","UI COMMIT CONFIRMED"), - dup23, -])); - -var msg669 = msg("UI_COMMIT_CONFIRMED", part691); - -var part692 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{action}' must be confirmed within %{p0}"); - -var part693 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_0", "nwparser.p0", "minutes %{dclass_counter1}"); - -var part694 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_1", "nwparser.p0", "%{dclass_counter1->} minutes"); - -var select66 = linear_select([ - part693, - part694, -]); - -var all37 = all_match({ - processors: [ - part692, - select66, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","COMMIT must be confirmed within # minutes"), - dup23, - ]), -}); - -var msg670 = msg("UI_COMMIT_CONFIRMED_REMINDER", all37); - -var part695 = match("MESSAGE#666:UI_COMMIT_CONFIRMED_TIMED/2", "nwparser.p0", "'%{username}' performed '%{action}'"); - -var all38 = all_match({ - processors: [ - dup50, - dup145, - part695, - ], - on_success: processor_chain([ - dup21, - dup22, - 
setc("event_description","user performed commit confirm"), - dup23, - ]), -}); - -var msg671 = msg("UI_COMMIT_CONFIRMED_TIMED", all38); - -var part696 = match("MESSAGE#667:UI_COMMIT_EMPTY_CONTAINER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Skipped empty object %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Skipped empty object"), - dup23, -])); - -var msg672 = msg("UI_COMMIT_EMPTY_CONTAINER", part696); - -var part697 = match("MESSAGE#668:UI_COMMIT_NOT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commit was not confirmed; %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","COMMIT NOT CONFIRMED"), - dup23, -])); - -var msg673 = msg("UI_COMMIT_NOT_CONFIRMED", part697); - -var part698 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_0", "nwparser.p0", "commit %{p0}"); - -var part699 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_1", "nwparser.p0", "Commit operation in progress %{p0}"); - -var select67 = linear_select([ - part698, - part699, -]); - -var part700 = match("MESSAGE#669:UI_COMMIT_PROGRESS/2", "nwparser.p0", ": %{action}"); - -var all39 = all_match({ - processors: [ - dup50, - select67, - part700, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","Commit operation in progress"), - dup23, - ]), -}); - -var msg674 = msg("UI_COMMIT_PROGRESS", all39); - -var part701 = match("MESSAGE#670:UI_COMMIT_QUIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","COMMIT QUIT"), - dup23, -])); - -var msg675 = msg("UI_COMMIT_QUIT", part701); - -var part702 = match("MESSAGE#671:UI_COMMIT_ROLLBACK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Automatic rollback failed", processor_chain([ - dup30, - dup22, - setc("event_description","Automatic rollback failed"), - dup23, -])); - -var msg676 = 
msg("UI_COMMIT_ROLLBACK_FAILED", part702); - -var part703 = match("MESSAGE#672:UI_COMMIT_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","COMMIT SYNC"), - dup23, -])); - -var msg677 = msg("UI_COMMIT_SYNC", part703); - -var part704 = match("MESSAGE#673:UI_COMMIT_SYNC_FORCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: All logins to local configuration database were terminated because %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","All logins to local configuration database were terminated"), - dup23, -])); - -var msg678 = msg("UI_COMMIT_SYNC_FORCE", part704); - -var part705 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process: %{agent}, path: %{p0}"); - -var part706 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_0", "nwparser.p0", "[%(unknown)], %{p0}"); - -var part707 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_1", "nwparser.p0", "%(unknown), %{p0}"); - -var select68 = linear_select([ - part706, - part707, -]); - -var part708 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/2", "nwparser.p0", "statement: %{info->} %{p0}"); - -var part709 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/3_0", "nwparser.p0", ", error: %{result->} "); - -var select69 = linear_select([ - part709, - dup112, -]); - -var all40 = all_match({ - processors: [ - part705, - select68, - part708, - select69, - ], - on_success: processor_chain([ - dup30, - dup22, - setc("event_description","CONFIGURATION ERROR"), - dup23, - ]), -}); - -var msg679 = msg("UI_CONFIGURATION_ERROR", all40); - -var part710 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/2", "nwparser.p0", "socket connection accept failed: %{result}"); - -var all41 = all_match({ - processors: [ - dup50, - dup157, - part710, - ], - on_success: processor_chain([ - dup30, - dup22, - setc("event_description","socket 
connection accept failed"), - dup23, - ]), -}); - -var msg680 = msg("UI_DAEMON_ACCEPT_FAILED", all41); - -var part711 = match("MESSAGE#676:UI_DAEMON_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create session child: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to create session child"), - dup23, -])); - -var msg681 = msg("UI_DAEMON_FORK_FAILED", part711); - -var part712 = match("MESSAGE#677:UI_DAEMON_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","DAEMON SELECT FAILED"), - dup23, -])); - -var msg682 = msg("UI_DAEMON_SELECT_FAILED", part712); - -var part713 = match("MESSAGE#678:UI_DAEMON_SOCKET_FAILED/2", "nwparser.p0", "socket create failed: %{result}"); - -var all42 = all_match({ - processors: [ - dup50, - dup157, - part713, - ], - on_success: processor_chain([ - dup30, - dup22, - setc("event_description","socket create failed"), - dup23, - ]), -}); - -var msg683 = msg("UI_DAEMON_SOCKET_FAILED", all42); - -var part714 = match("MESSAGE#679:UI_DBASE_ACCESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to reaccess database file '%(unknown)', address %{interface}, size %{dclass_counter1}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to reaccess database file"), - dup23, -])); - -var msg684 = msg("UI_DBASE_ACCESS_FAILED", part714); - -var part715 = match("MESSAGE#680:UI_DBASE_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database '%(unknown)' is out of data and needs to be rebuilt", processor_chain([ - dup30, - dup22, - setc("event_description","Database is out of data"), - dup23, -])); - -var msg685 = msg("UI_DBASE_CHECKOUT_FAILED", part715); - -var part716 = match("MESSAGE#681:UI_DBASE_EXTEND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
Unable to extend database file '%(unknown)' to size %{dclass_counter1}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to extend database file"), - dup23, -])); - -var msg686 = msg("UI_DBASE_EXTEND_FAILED", part716); - -var part717 = match("MESSAGE#682:UI_DBASE_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' entering configuration mode", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","User entering configuration mode"), - dup23, -])); - -var msg687 = msg("UI_DBASE_LOGIN_EVENT", part717); - -var part718 = match("MESSAGE#683:UI_DBASE_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{event_description}", processor_chain([ - dup125, - dup34, - dup35, - dup126, - dup37, - dup22, - setc("event_description","User exiting configuration mode"), - dup23, -])); - -var msg688 = msg("UI_DBASE_LOGOUT_EVENT", part718); - -var part719 = match("MESSAGE#684:UI_DBASE_MISMATCH_EXTENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header extent mismatch for file '%{agent}': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Database header extent mismatch"), - dup23, -])); - -var msg689 = msg("UI_DBASE_MISMATCH_EXTENT", part719); - -var part720 = match("MESSAGE#685:UI_DBASE_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header major version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Database header major version number mismatch"), - dup23, -])); - -var msg690 = msg("UI_DBASE_MISMATCH_MAJOR", part720); - -var part721 = match("MESSAGE#686:UI_DBASE_MISMATCH_MINOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header minor version 
number mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Database header minor version number mismatch"), - dup23, -])); - -var msg691 = msg("UI_DBASE_MISMATCH_MINOR", part721); - -var part722 = match("MESSAGE#687:UI_DBASE_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header sequence numbers mismatch for file '%(unknown)'", processor_chain([ - dup30, - dup22, - setc("event_description","Database header sequence numbers mismatch"), - dup23, -])); - -var msg692 = msg("UI_DBASE_MISMATCH_SEQUENCE", part722); - -var part723 = match("MESSAGE#688:UI_DBASE_MISMATCH_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header size mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Database header size mismatch"), - dup23, -])); - -var msg693 = msg("UI_DBASE_MISMATCH_SIZE", part723); - -var part724 = match("MESSAGE#689:UI_DBASE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database open failed for file '%(unknown)': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Database open failed"), - dup23, -])); - -var msg694 = msg("UI_DBASE_OPEN_FAILED", part724); - -var part725 = match("MESSAGE#690:UI_DBASE_REBUILD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} Automatic rebuild of the database '%(unknown)' failed", processor_chain([ - dup30, - dup22, - setc("event_description","DBASE REBUILD FAILED"), - dup23, -])); - -var msg695 = msg("UI_DBASE_REBUILD_FAILED", part725); - -var part726 = match("MESSAGE#691:UI_DBASE_REBUILD_SCHEMA_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Automatic rebuild of the database failed", processor_chain([ - dup30, - dup22, - 
setc("event_description","Automatic rebuild of the database failed"), - dup23, -])); - -var msg696 = msg("UI_DBASE_REBUILD_SCHEMA_FAILED", part726); - -var part727 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/1_1", "nwparser.p0", "Automatic %{p0}"); - -var select70 = linear_select([ - dup76, - part727, -]); - -var part728 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/2", "nwparser.p0", "%{username->} rebuild/rollback of the database '%(unknown)' started"); - -var all43 = all_match({ - processors: [ - dup50, - select70, - part728, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","DBASE REBUILD STARTED"), - dup23, - ]), -}); - -var msg697 = msg("UI_DBASE_REBUILD_STARTED", all43); - -var part729 = match("MESSAGE#693:UI_DBASE_RECREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' attempting database re-creation", processor_chain([ - dup21, - dup22, - setc("event_description","user attempting database re-creation"), - dup23, -])); - -var msg698 = msg("UI_DBASE_RECREATE", part729); - -var part730 = match("MESSAGE#694:UI_DBASE_REOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reopen of the database failed", processor_chain([ - dup30, - dup22, - setc("event_description","Reopen of the database failed"), - dup23, -])); - -var msg699 = msg("UI_DBASE_REOPEN_FAILED", part730); - -var part731 = match("MESSAGE#695:UI_DUPLICATE_UID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Users %{username->} have the same UID %{uid}", processor_chain([ - dup30, - dup22, - setc("event_description","Users have the same UID"), - dup23, -])); - -var msg700 = msg("UI_DUPLICATE_UID", part731); - -var part732 = match("MESSAGE#696:UI_JUNOSCRIPT_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used JUNOScript client to run command '%{action}'", processor_chain([ - setc("eventcategory","1401050100"), - dup22, - setc("event_description","User 
used JUNOScript client to run command"), - dup23, -])); - -var msg701 = msg("UI_JUNOSCRIPT_CMD", part732); - -var part733 = match("MESSAGE#697:UI_JUNOSCRIPT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: JUNOScript error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","JUNOScript error"), - dup23, -])); - -var msg702 = msg("UI_JUNOSCRIPT_ERROR", part733); - -var part734 = match("MESSAGE#698:UI_LOAD_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' is performing a '%{action}'", processor_chain([ - dup21, - dup22, - setc("event_description","User command"), - dup23, -])); - -var msg703 = msg("UI_LOAD_EVENT", part734); - -var part735 = match("MESSAGE#699:UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Loading the default config from %(unknown)", processor_chain([ - setc("eventcategory","1701040000"), - dup22, - setc("event_description","Loading default config from file"), - dup23, -])); - -var msg704 = msg("UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", part735); - -var part736 = match("MESSAGE#700:UI_LOGIN_EVENT:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' [%{fld01}], %{info->} '%{saddr->} %{sport->} %{daddr->} %{dport}', client-mode '%{fld02}'", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - dup127, - dup128, - dup23, -])); - -var msg705 = msg("UI_LOGIN_EVENT:01", part736); - -var part737 = match("MESSAGE#701:UI_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' %{info}", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - dup127, - dup23, -])); - -var msg706 = msg("UI_LOGIN_EVENT", part737); - -var select71 = linear_select([ - msg705, - msg706, -]); - -var part738 = match("MESSAGE#702:UI_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: User '%{username}' logout", processor_chain([ - dup125, - dup34, - dup35, - dup126, - dup37, - dup22, - setc("event_description","User logout"), - dup23, -])); - -var msg707 = msg("UI_LOGOUT_EVENT", part738); - -var part739 = match("MESSAGE#703:UI_LOST_CONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Lost connection to daemon %{agent}", processor_chain([ - dup30, - dup22, - setc("event_description","Lost connection to daemon"), - dup23, -])); - -var msg708 = msg("UI_LOST_CONN", part739); - -var part740 = match("MESSAGE#704:UI_MASTERSHIP_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} by '%{username}'", processor_chain([ - dup21, - dup22, - setc("event_description","MASTERSHIP EVENT"), - dup23, -])); - -var msg709 = msg("UI_MASTERSHIP_EVENT", part740); - -var part741 = match("MESSAGE#705:UI_MGD_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Terminating operation: exit status %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","Terminating operation"), - dup23, -])); - -var msg710 = msg("UI_MGD_TERMINATE", part741); - -var part742 = match("MESSAGE#706:UI_NETCONF_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used NETCONF client to run command '%{action}'", processor_chain([ - dup29, - dup22, - setc("event_description","User used NETCONF client to run command"), - dup23, -])); - -var msg711 = msg("UI_NETCONF_CMD", part742); - -var part743 = match("MESSAGE#707:UI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: read failed for peer %{hostname}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","read failed for peer"), - dup23, -])); - -var msg712 = msg("UI_READ_FAILED", part743); - -var part744 = match("MESSAGE#708:UI_READ_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout on read of peer %{hostname}", processor_chain([ - 
dup30, - dup22, - setc("event_description","Timeout on read of peer"), - dup23, -])); - -var msg713 = msg("UI_READ_TIMEOUT", part744); - -var part745 = match("MESSAGE#709:UI_REBOOT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: System %{action->} by '%{username}'", processor_chain([ - dup60, - dup22, - setc("event_description","System reboot or halt"), - dup23, -])); - -var msg714 = msg("UI_REBOOT_EVENT", part745); - -var part746 = match("MESSAGE#710:UI_RESTART_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' restarting daemon %{service}", processor_chain([ - dup29, - dup22, - setc("event_description","user restarting daemon"), - dup23, -])); - -var msg715 = msg("UI_RESTART_EVENT", part746); - -var part747 = match("MESSAGE#711:UI_SCHEMA_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema is out of date and %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Schema is out of date"), - dup23, -])); - -var msg716 = msg("UI_SCHEMA_CHECKOUT_FAILED", part747); - -var part748 = match("MESSAGE#712:UI_SCHEMA_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema major version mismatch for package %{filename->} %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Schema major version mismatch"), - dup23, -])); - -var msg717 = msg("UI_SCHEMA_MISMATCH_MAJOR", part748); - -var part749 = match("MESSAGE#713:UI_SCHEMA_MISMATCH_MINOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema minor version mismatch for package %{filename->} %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Schema minor version mismatch"), - dup23, -])); - -var msg718 = msg("UI_SCHEMA_MISMATCH_MINOR", part749); - -var part750 = match("MESSAGE#714:UI_SCHEMA_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema header sequence numbers mismatch for 
package %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","Schema header sequence numbers mismatch"), - dup23, -])); - -var msg719 = msg("UI_SCHEMA_MISMATCH_SEQUENCE", part750); - -var part751 = match("MESSAGE#715:UI_SCHEMA_SEQUENCE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema sequence number mismatch", processor_chain([ - dup30, - dup22, - setc("event_description","Schema sequence number mismatch"), - dup23, -])); - -var msg720 = msg("UI_SCHEMA_SEQUENCE_ERROR", part751); - -var part752 = match("MESSAGE#716:UI_SYNC_OTHER_RE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration synchronization with remote Routing Engine %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Configuration synchronization with remote Routing Engine"), - dup23, -])); - -var msg721 = msg("UI_SYNC_OTHER_RE", part752); - -var part753 = match("MESSAGE#717:UI_TACPLUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TACACS+ failure: %{result}", processor_chain([ - dup30, - dup22, - dup129, - dup23, -])); - -var msg722 = msg("UI_TACPLUS_ERROR", part753); - -var part754 = match("MESSAGE#718:UI_VERSION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch system version: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to fetch system version"), - dup23, -])); - -var msg723 = msg("UI_VERSION_FAILED", part754); - -var part755 = match("MESSAGE#719:UI_WRITE_RECONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Re-establishing connection to peer %{hostname}", processor_chain([ - dup21, - dup22, - setc("event_description","Re-establishing connection to peer"), - dup23, -])); - -var msg724 = msg("UI_WRITE_RECONNECT", part755); - -var part756 = match("MESSAGE#720:VRRPD_NEWMASTER_TRAP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Interface %{interface->} (local addr: 
%{saddr}) is now master for %{username}", processor_chain([ - dup21, - dup22, - setc("event_description","Interface new master for User"), - dup23, -])); - -var msg725 = msg("VRRPD_NEWMASTER_TRAP", part756); - -var part757 = match("MESSAGE#721:WEB_AUTH_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to authenticate %{obj_name->} (username %{c_username})", processor_chain([ - dup69, - dup34, - dup35, - dup43, - dup22, - setc("event_description","Unable to authenticate client"), - dup23, -])); - -var msg726 = msg("WEB_AUTH_FAIL", part757); - -var part758 = match("MESSAGE#722:WEB_AUTH_SUCCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated %{agent->} client (username %{c_username})", processor_chain([ - dup80, - dup34, - dup35, - dup37, - dup22, - setc("event_description","Authenticated client"), - dup23, -])); - -var msg727 = msg("WEB_AUTH_SUCCESS", part758); - -var part759 = match("MESSAGE#723:WEB_INTERFACE_UNAUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Web services request received from unauthorized interface %{interface}", processor_chain([ - setc("eventcategory","1001030300"), - dup22, - setc("event_description","web request from unauthorized interface"), - dup23, -])); - -var msg728 = msg("WEB_INTERFACE_UNAUTH", part759); - -var part760 = match("MESSAGE#724:WEB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to read from client: %{result}", processor_chain([ - dup74, - dup22, - setc("event_description","Unable to read from client"), - dup23, -])); - -var msg729 = msg("WEB_READ", part760); - -var part761 = match("MESSAGE#725:WEBFILTER_REQUEST_NOT_CHECKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Error encountered: %{result}, failed to check request %{url}", processor_chain([ - setc("eventcategory","1204020100"), - dup22, - setc("event_description","failed to check web request"), - dup23, -])); - -var msg730 = 
msg("WEBFILTER_REQUEST_NOT_CHECKED", part761); - -var part762 = match("MESSAGE#726:FLOW_REASSEMBLE_FAIL", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" destination-address=\"%{daddr}\" assembly-id=\"%{fld1}\"]", processor_chain([ - dup74, - dup53, - dup43, - dup22, - dup52, -])); - -var msg731 = msg("FLOW_REASSEMBLE_FAIL", part762); - -var part763 = match("MESSAGE#727:eswd", "nwparser.payload", "%{process}[%{process_id}]: Bridge Address: add %{macaddr}", processor_chain([ - dup29, - dup22, - setc("event_description","Bridge Address"), - dup23, -])); - -var msg732 = msg("eswd", part763); - -var part764 = match("MESSAGE#728:eswd:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: STP state for interface %{interface->} context id %{id->} changed from %{fld3}", processor_chain([ - dup29, - dup22, - setc("event_description","ESWD STP State Change Info"), - dup23, -])); - -var msg733 = msg("eswd:01", part764); - -var select72 = linear_select([ - msg732, - msg733, -]); - -var part765 = match("MESSAGE#729:/usr/sbin/cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD ( %{action})", processor_chain([ - dup29, - dup22, - dup26, - dup23, -])); - -var msg734 = msg("/usr/sbin/cron", part765); - -var part766 = match("MESSAGE#730:chassism:02", "nwparser.payload", "%{process}[%{process_id}]: %{info}: ifd %{interface->} %{action}", processor_chain([ - dup29, - dup22, - setc("event_description","Link status change event"), - dup23, -])); - -var msg735 = msg("chassism:02", part766); - -var part767 = match("MESSAGE#731:chassism:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{interface}, %{action}", processor_chain([ - dup29, - dup22, - setc("event_description","ifd process flaps"), - dup23, -])); - -var msg736 = msg("chassism:01", part767); - -var part768 = match("MESSAGE#732:chassism", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{action}", processor_chain([ - dup29, - dup22, - 
setc("event_description","IFCM "), - dup23, -])); - -var msg737 = msg("chassism", part768); - -var select73 = linear_select([ - msg735, - msg736, - msg737, -]); - -var msg738 = msg("WEBFILTER_URL_PERMITTED", dup158); - -var part769 = match("MESSAGE#734:WEBFILTER_URL_PERMITTED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7}", processor_chain([ - dup30, - dup22, - dup52, -])); - -var msg739 = msg("WEBFILTER_URL_PERMITTED:01", part769); - -var part770 = match("MESSAGE#735:WEBFILTER_URL_PERMITTED:03", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=%{fld4}", processor_chain([ - dup30, - dup22, - dup52, -])); - -var msg740 = msg("WEBFILTER_URL_PERMITTED:03", part770); - -var part771 = match("MESSAGE#736:WEBFILTER_URL_PERMITTED:02", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=%{url}", processor_chain([ - dup30, - dup22, - dup52, -])); - -var msg741 = msg("WEBFILTER_URL_PERMITTED:02", part771); - -var select74 = linear_select([ - 
msg738, - msg739, - msg740, - msg741, -]); - -var msg742 = msg("WEBFILTER_URL_BLOCKED", dup158); - -var part772 = match("MESSAGE#738:WEBFILTER_URL_BLOCKED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url}", processor_chain([ - dup30, - dup22, - dup52, -])); - -var msg743 = msg("WEBFILTER_URL_BLOCKED:01", part772); - -var select75 = linear_select([ - msg742, - msg743, -]); - -var part773 = match("MESSAGE#740:SECINTEL_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access url %{url->} on port %{network_port->} failed\u003c\u003c%{result}>.", processor_chain([ - dup46, - dup47, - dup23, - dup22, - dup128, -])); - -var msg744 = msg("SECINTEL_NETWORK_CONNECT_FAILED", part773); - -var part774 = match("MESSAGE#741:AAMWD_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access host %{hostname->} on ip %{hostip->} port %{network_port->} %{result}.", processor_chain([ - dup46, - dup47, - dup23, -])); - -var msg745 = msg("AAMWD_NETWORK_CONNECT_FAILED", part774); - -var part775 = match("MESSAGE#742:PKID_UNABLE_TO_GET_CRL", "nwparser.payload", "%{process}[%{process_id}]: %{id}: Failed to retrieve CRL from received file for %{node}", processor_chain([ - dup46, - dup47, - dup23, - dup22, - dup128, -])); - -var msg746 = msg("PKID_UNABLE_TO_GET_CRL", part775); - -var part776 = match("MESSAGE#743:SECINTEL_ERROR_OTHERS", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> %{result}", processor_chain([ - dup46, - dup47, - dup23, - 
dup22, - dup128, -])); - -var msg747 = msg("SECINTEL_ERROR_OTHERS", part776); - -var part777 = match("MESSAGE#744:JSRPD_HA_CONTROL_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{id}: HA control link monitor status is marked up", processor_chain([ - dup48, - dup47, - dup23, - dup22, - dup128, -])); - -var msg748 = msg("JSRPD_HA_CONTROL_LINK_UP", part777); - -var part778 = match("MESSAGE#745:LACPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: LACPD_TIMEOUT: %{sinterface}: %{event_description}", processor_chain([ - dup46, - dup47, - dup23, - dup22, - dup128, -])); - -var msg749 = msg("LACPD_TIMEOUT", part778); - -var msg750 = msg("cli", dup159); - -var msg751 = msg("pfed", dup159); - -var msg752 = msg("idpinfo", dup159); - -var msg753 = msg("kmd", dup159); - -var part779 = match("MESSAGE#751:node:01", "nwparser.payload", "%{hostname->} %{node->} Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ - dup21, - dup23, - dup22, -])); - -var msg754 = msg("node:01", part779); - -var part780 = match("MESSAGE#752:node:02", "nwparser.payload", "%{hostname->} %{node->} %{process}: Trying peer connection, status %{resultcode}, attempt %{fld1}", processor_chain([ - dup21, - dup23, - dup22, -])); - -var msg755 = msg("node:02", part780); - -var part781 = match("MESSAGE#753:node:03", "nwparser.payload", "%{hostname->} %{node->} %{process}: trying master connection, status %{resultcode}, attempt %{fld1}", processor_chain([ - dup21, - dup23, - dup22, -])); - -var msg756 = msg("node:03", part781); - -var part782 = match("MESSAGE#754:node:04", "nwparser.payload", "%{hostname->} %{node->} %{fld1->} key %{fld2->} %{fld3->} port priority %{fld6->} %{fld4->} port %{portname->} %{fld5->} state %{resultcode}", processor_chain([ - dup21, - dup23, - dup22, -])); - -var msg757 = msg("node:04", part782); - -var select76 = linear_select([ - dup131, - dup132, -]); - -var part783 = match("MESSAGE#755:node:05/2", "nwparser.p0", "%{}sys 
priority %{fld4->} %{p0}"); - -var select77 = linear_select([ - dup132, - dup131, -]); - -var part784 = match("MESSAGE#755:node:05/4", "nwparser.p0", "%{}sys %{interface}"); - -var all44 = all_match({ - processors: [ - dup130, - select76, - part783, - select77, - part784, - ], - on_success: processor_chain([ - dup21, - dup23, - dup22, - ]), -}); - -var msg758 = msg("node:05", all44); - -var part785 = match("MESSAGE#756:node:06/1_0", "nwparser.p0", "dst mac %{dinterface}"); - -var part786 = match("MESSAGE#756:node:06/1_1", "nwparser.p0", "src mac %{sinterface->} ether type %{fld1}"); - -var select78 = linear_select([ - part785, - part786, -]); - -var all45 = all_match({ - processors: [ - dup130, - select78, - ], - on_success: processor_chain([ - dup21, - dup23, - dup22, - ]), -}); - -var msg759 = msg("node:06", all45); - -var part787 = match("MESSAGE#757:node:07", "nwparser.payload", "%{hostname->} %{node->} %{process}: interface %{interface->} trigger reth_scan", processor_chain([ - dup21, - dup23, - dup22, -])); - -var msg760 = msg("node:07", part787); - -var part788 = match("MESSAGE#758:node:08", "nwparser.payload", "%{hostname->} %{node->} %{process}: %{info}", processor_chain([ - dup21, - dup23, - dup22, -])); - -var msg761 = msg("node:08", part788); - -var part789 = match("MESSAGE#759:node:09", "nwparser.payload", "%{hostname->} %{node->} %{fld1}", processor_chain([ - dup21, - dup23, - dup22, -])); - -var msg762 = msg("node:09", part789); - -var select79 = linear_select([ - msg754, - msg755, - msg756, - msg757, - msg758, - msg759, - msg760, - msg761, - msg762, -]); - -var part790 = match("MESSAGE#760:(FPC:01", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: deleting active remote neighbor entry %{fld2->} from interface %{interface}.", processor_chain([ - dup21, - dup23, - dup22, - dup24, -])); - -var msg763 = msg("(FPC:01", part790); - -var part791 = match("MESSAGE#761:(FPC:02", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type->} 
deleting nb %{fld2->} on ifd %{interface->} for cid %{fld3->} from active neighbor table", processor_chain([ - dup21, - dup23, - dup22, - dup24, -])); - -var msg764 = msg("(FPC:02", part791); - -var part792 = match("MESSAGE#762:(FPC:03/0", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: M%{p0}"); - -var part793 = match("MESSAGE#762:(FPC:03/1_0", "nwparser.p0", "DOWN %{p0}"); - -var part794 = match("MESSAGE#762:(FPC:03/1_1", "nwparser.p0", "UP %{p0}"); - -var select80 = linear_select([ - part793, - part794, -]); - -var part795 = match("MESSAGE#762:(FPC:03/2", "nwparser.p0", "received for interface %{interface}, member of %{fld4}"); - -var all46 = all_match({ - processors: [ - part792, - select80, - part795, - ], - on_success: processor_chain([ - dup21, - dup23, - dup22, - dup24, - ]), -}); - -var msg765 = msg("(FPC:03", all46); - -var part796 = match("MESSAGE#763:(FPC:04", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: ifd=%{interface}, ifd flags=%{fld2}", processor_chain([ - dup21, - dup23, - dup22, - dup24, -])); - -var msg766 = msg("(FPC:04", part796); - -var part797 = match("MESSAGE#764:(FPC:05", "nwparser.payload", "%{fld1}) %{node->} kernel: rdp keepalive expired, connection dropped - src %{fld3}:%{fld2->} dest %{fld4}:%{fld5}", processor_chain([ - dup21, - dup23, - dup22, - dup24, -])); - -var msg767 = msg("(FPC:05", part797); - -var part798 = match("MESSAGE#765:(FPC", "nwparser.payload", "%{fld1}) %{node->} %{fld10}", processor_chain([ - dup21, - dup23, - dup22, - dup24, -])); - -var msg768 = msg("(FPC", part798); - -var select81 = linear_select([ - msg763, - msg764, - msg765, - msg766, - msg767, - msg768, -]); - -var part799 = match("MESSAGE#766:tnp.bootpd", "nwparser.payload", "%{process}[%{process_id}]:%{fld1}", processor_chain([ - dup48, - dup23, - dup22, - dup24, -])); - -var msg769 = msg("tnp.bootpd", part799); - -var part800 = match("MESSAGE#769:AAMW_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} 
hostname=\"%{hostname}\" file-category=\"%{fld9}\" verdict-number=\"%{fld10}\" action=\"%{action}\" list-hit=\"%{fld19}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" policy-name=\"%{policyname}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" url=\"%{url}\"] %{fld27}", processor_chain([ - dup48, - dup52, - dup22, - dup61, -])); - -var msg770 = msg("AAMW_ACTION_LOG", part800); - -var part801 = match("MESSAGE#770:AAMW_HOST_INFECTED_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" client-ip-str=\"%{hostip}\" hostname=\"%{hostname}\" status=\"%{fld13}\" policy-name=\"%{policyname}\" verdict-number=\"%{fld15}\" state=\"%{fld16}\" reason=\"%{result}\" message=\"%{info}\" %{fld3}", processor_chain([ - dup133, - dup52, - dup22, - dup61, -])); - -var msg771 = msg("AAMW_HOST_INFECTED_EVENT_LOG", part801); - -var part802 = match("MESSAGE#771:AAMW_MALWARE_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" sample-sha256=\"%{checksum}\" client-ip-str=\"%{hostip}\" verdict-number=\"%{fld26}\" malware-info=\"%{threat_name}\" username=\"%{username}\" hostname=\"%{hostname}\" %{fld3}", processor_chain([ - dup133, - dup52, - dup22, -])); - -var msg772 = msg("AAMW_MALWARE_EVENT_LOG", part802); - -var part803 = match("MESSAGE#772:IDP_ATTACK_LOG_EVENT", "nwparser.payload", "%{event_type}[junos@%{fld32->} epoch-time=\"%{fld1}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" service-name=\"%{service}\" application-name=\"%{application}\" rule-name=\"%{fld5}\" rulebase-name=\"%{rulename}\" 
policy-name=\"%{policyname}\" export-id=\"%{fld6}\" repeat-count=\"%{fld7}\" action=\"%{action}\" threat-severity=\"%{severity}\" attack-name=\"%{threat_name}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" elapsed-time=%{fld8->} inbound-bytes=\"%{rbytes}\" outbound-bytes=\"%{sbytes}\" inbound-packets=\"%{packets}\" outbound-packets=\"%{dclass_counter1}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" packet-log-id=\"%{fld9}\" alert=\"%{fld19}\" username=\"%{username}\" roles=\"%{fld15}\" message=\"%{fld28}\" %{fld3}", processor_chain([ - dup81, - dup52, - dup22, - dup61, -])); - -var msg773 = msg("IDP_ATTACK_LOG_EVENT", part803); - -var part804 = match("MESSAGE#773:RT_SCREEN_ICMP", "nwparser.payload", "%{event_type}[junos@%{fld32->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"] %{fld23}", processor_chain([ - dup81, - dup52, - dup22, - dup61, -])); - -var msg774 = msg("RT_SCREEN_ICMP", part804); - -var part805 = match("MESSAGE#774:SECINTEL_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} category=\"%{fld1}\" sub-category=\"%{fld2}\" action=\"%{action}\" action-detail=\"%{fld4}\" http-host=\"%{fld17}\" threat-severity=\"%{severity}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld5}\" nested-application=\"%{fld6}\" feed-name=\"%{fld18}\" policy-name=\"%{policyname}\" profile-name=\"%{rulename}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\"]%{fld10}", processor_chain([ - dup46, - dup52, - dup22, 
- dup61, -])); - -var msg775 = msg("SECINTEL_ACTION_LOG", part805); - -var part806 = match("MESSAGE#775:qsfp/0", "nwparser.payload", "%{hostname->} %{fld2->} %{p0}"); - -var part807 = match("MESSAGE#775:qsfp/1_0", "nwparser.p0", "%{fld3->} %{process}: qsfp-%{p0}"); - -var part808 = match("MESSAGE#775:qsfp/1_1", "nwparser.p0", "qsfp-%{p0}"); - -var select82 = linear_select([ - part807, - part808, -]); - -var part809 = match("MESSAGE#775:qsfp/2", "nwparser.p0", "%{}Chan# %{interface->} %{fld5}:%{event_description}"); - -var all47 = all_match({ - processors: [ - part806, - select82, - part809, - ], - on_success: processor_chain([ - dup21, - dup22, - dup23, - ]), -}); - -var msg776 = msg("qsfp", all47); - -var part810 = match("MESSAGE#776:JUNOSROUTER_GENERIC:03", "nwparser.payload", "%{event_type}: User '%{username}', command '%{action}'", processor_chain([ - dup21, - dup22, - dup121, - dup23, -])); - -var msg777 = msg("JUNOSROUTER_GENERIC:03", part810); - -var part811 = match("MESSAGE#777:JUNOSROUTER_GENERIC:04", "nwparser.payload", "%{event_type}: User '%{username}' %{fld1}", processor_chain([ - dup125, - dup34, - dup35, - dup126, - dup37, - dup22, - setc("event_description","LOGOUT"), - dup23, -])); - -var msg778 = msg("JUNOSROUTER_GENERIC:04", part811); - -var part812 = match("MESSAGE#778:JUNOSROUTER_GENERIC:05", "nwparser.payload", "%{event_type}: TACACS+ failure: %{result}", processor_chain([ - dup30, - dup22, - dup129, - dup23, -])); - -var msg779 = msg("JUNOSROUTER_GENERIC:05", part812); - -var part813 = match("MESSAGE#779:JUNOSROUTER_GENERIC:06", "nwparser.payload", "%{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ - dup30, - dup22, - dup57, - dup23, -])); - -var msg780 = msg("JUNOSROUTER_GENERIC:06", part813); - -var part814 = match("MESSAGE#780:JUNOSROUTER_GENERIC:07", "nwparser.payload", "%{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: 
%{result}", processor_chain([ - dup21, - dup22, - dup38, - dup23, -])); - -var msg781 = msg("JUNOSROUTER_GENERIC:07", part814); - -var part815 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/0", "nwparser.payload", "%{event_type}: NOTIFICATION received from %{daddr->} (%{dhost}): code %{resultcode->} (%{action})%{p0}"); - -var part816 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_0", "nwparser.p0", ", socket buffer sndcc: %{fld1->} rcvcc: %{fld2->} TCP state: %{event_state}, snd_una: %{fld3->} snd_nxt: %{fld4->} snd_wnd: %{fld5->} rcv_nxt: %{fld6->} rcv_adv: %{fld7}, hold timer %{fld8}"); - -var part817 = match_copy("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_1", "nwparser.p0", ""); - -var select83 = linear_select([ - part816, - part817, -]); - -var all48 = all_match({ - processors: [ - part815, - select83, - ], - on_success: processor_chain([ - dup21, - dup22, - dup38, - dup23, - ]), -}); - -var msg782 = msg("JUNOSROUTER_GENERIC:08", all48); - -var part818 = match("MESSAGE#782:JUNOSROUTER_GENERIC:09", "nwparser.payload", "%{event_type}: [edit interfaces%{interface}unit%{fld1}family inet address%{hostip}/%{network_port}] :%{event_description}:%{info}", processor_chain([ - dup21, - dup22, - dup23, -])); - -var msg783 = msg("JUNOSROUTER_GENERIC:09", part818); - -var part819 = match("MESSAGE#783:JUNOSROUTER_GENERIC:01", "nwparser.payload", "%{event_type->} Interface Monitor failed %{fld1}", processor_chain([ - dup134, - dup23, - dup22, - setc("event_description","Interface Monitor failed "), - dup24, -])); - -var msg784 = msg("JUNOSROUTER_GENERIC:01", part819); - -var part820 = match("MESSAGE#784:JUNOSROUTER_GENERIC:02", "nwparser.payload", "%{event_type->} Interface Monitor failure recovered %{fld1}", processor_chain([ - dup134, - dup23, - dup22, - setc("event_description","Interface Monitor failure recovered"), - dup24, -])); - -var msg785 = msg("JUNOSROUTER_GENERIC:02", part820); - -var part821 = match("MESSAGE#785:JUNOSROUTER_GENERIC", "nwparser.payload", "%{event_type->} 
%{fld1}", processor_chain([ - dup134, - dup23, - dup22, - dup24, -])); - -var msg786 = msg("JUNOSROUTER_GENERIC", part821); - -var select84 = linear_select([ - msg777, - msg778, - msg779, - msg780, - msg781, - msg782, - msg783, - msg784, - msg785, - msg786, -]); - -var chain1 = processor_chain([ - select5, - msgid_select({ - "(FPC": select81, - "/usr/libexec/telnetd": msg2, - "/usr/sbin/cron": msg734, - "/usr/sbin/sshd": msg1, - "AAMWD_NETWORK_CONNECT_FAILED": msg745, - "AAMW_ACTION_LOG": msg770, - "AAMW_HOST_INFECTED_EVENT_LOG": msg771, - "AAMW_MALWARE_EVENT_LOG": msg772, - "ACCT_ACCOUNTING_FERROR": msg114, - "ACCT_ACCOUNTING_FOPEN_ERROR": msg115, - "ACCT_ACCOUNTING_SMALL_FILE_SIZE": msg116, - "ACCT_BAD_RECORD_FORMAT": msg117, - "ACCT_CU_RTSLIB_error": msg118, - "ACCT_GETHOSTNAME_error": msg119, - "ACCT_MALLOC_FAILURE": msg120, - "ACCT_UNDEFINED_COUNTER_NAME": msg121, - "ACCT_XFER_FAILED": msg122, - "ACCT_XFER_POPEN_FAIL": msg123, - "APPQOS_LOG_EVENT": msg124, - "APPTRACK_SESSION_CLOSE": select30, - "APPTRACK_SESSION_CREATE": msg125, - "APPTRACK_SESSION_VOL_UPDATE": select31, - "BCHIP": msg106, - "BFDD_TRAP_STATE_DOWN": msg130, - "BFDD_TRAP_STATE_UP": msg131, - "BOOTPD_ARG_ERR": msg143, - "BOOTPD_BAD_ID": msg144, - "BOOTPD_BOOTSTRING": msg145, - "BOOTPD_CONFIG_ERR": msg146, - "BOOTPD_CONF_OPEN": msg147, - "BOOTPD_DUP_REV": msg148, - "BOOTPD_DUP_SLOT": msg149, - "BOOTPD_MODEL_CHK": msg150, - "BOOTPD_MODEL_ERR": msg151, - "BOOTPD_NEW_CONF": msg152, - "BOOTPD_NO_BOOTSTRING": msg153, - "BOOTPD_NO_CONFIG": msg154, - "BOOTPD_PARSE_ERR": msg155, - "BOOTPD_REPARSE": msg156, - "BOOTPD_SELECT_ERR": msg157, - "BOOTPD_TIMEOUT": msg158, - "BOOTPD_VERSION": msg159, - "CHASSISD": msg160, - "CHASSISD_ARGUMENT_ERROR": msg161, - "CHASSISD_BLOWERS_SPEED": msg162, - "CHASSISD_BLOWERS_SPEED_FULL": msg163, - "CHASSISD_CB_READ": msg164, - "CHASSISD_COMMAND_ACK_ERROR": msg165, - "CHASSISD_COMMAND_ACK_SF_ERROR": msg166, - "CHASSISD_CONCAT_MODE_ERROR": msg167, - 
"CHASSISD_CONFIG_INIT_ERROR": msg168, - "CHASSISD_CONFIG_WARNING": msg169, - "CHASSISD_EXISTS": msg170, - "CHASSISD_EXISTS_TERM_OTHER": msg171, - "CHASSISD_FILE_OPEN": msg172, - "CHASSISD_FILE_STAT": msg173, - "CHASSISD_FRU_EVENT": msg174, - "CHASSISD_FRU_IPC_WRITE_ERROR_EXT": msg175, - "CHASSISD_FRU_STEP_ERROR": msg176, - "CHASSISD_GETTIMEOFDAY": msg177, - "CHASSISD_HIGH_TEMP_CONDITION": msg214, - "CHASSISD_HOST_TEMP_READ": msg178, - "CHASSISD_IFDEV_DETACH_ALL_PSEUDO": msg179, - "CHASSISD_IFDEV_DETACH_FPC": msg180, - "CHASSISD_IFDEV_DETACH_PIC": msg181, - "CHASSISD_IFDEV_DETACH_PSEUDO": msg182, - "CHASSISD_IFDEV_DETACH_TLV_ERROR": msg183, - "CHASSISD_IFDEV_GET_BY_INDEX_FAIL": msg184, - "CHASSISD_IPC_MSG_QFULL_ERROR": msg185, - "CHASSISD_IPC_UNEXPECTED_RECV": msg186, - "CHASSISD_IPC_WRITE_ERR_NO_PIPE": msg187, - "CHASSISD_IPC_WRITE_ERR_NULL_ARGS": msg188, - "CHASSISD_MAC_ADDRESS_ERROR": msg189, - "CHASSISD_MAC_DEFAULT": msg190, - "CHASSISD_MBUS_ERROR": msg191, - "CHASSISD_PARSE_COMPLETE": msg192, - "CHASSISD_PARSE_ERROR": msg193, - "CHASSISD_PARSE_INIT": msg194, - "CHASSISD_PIDFILE_OPEN": msg195, - "CHASSISD_PIPE_WRITE_ERROR": msg196, - "CHASSISD_POWER_CHECK": msg197, - "CHASSISD_RECONNECT_SUCCESSFUL": msg198, - "CHASSISD_RELEASE_MASTERSHIP": msg199, - "CHASSISD_RE_INIT_INVALID_RE_SLOT": msg200, - "CHASSISD_ROOT_MOUNT_ERROR": msg201, - "CHASSISD_RTS_SEQ_ERROR": msg202, - "CHASSISD_SBOARD_VERSION_MISMATCH": msg203, - "CHASSISD_SERIAL_ID": msg204, - "CHASSISD_SMB_ERROR": msg205, - "CHASSISD_SNMP_TRAP10": msg208, - "CHASSISD_SNMP_TRAP6": msg206, - "CHASSISD_SNMP_TRAP7": msg207, - "CHASSISD_TERM_SIGNAL": msg209, - "CHASSISD_TRACE_PIC_OFFLINE": msg210, - "CHASSISD_UNEXPECTED_EXIT": msg211, - "CHASSISD_UNSUPPORTED_MODEL": msg212, - "CHASSISD_VERSION_MISMATCH": msg213, - "CM": msg107, - "CM_JAVA": msg216, - "COS": msg108, - "COSFPC": msg109, - "COSMAN": msg110, - "CRON": msg16, - "CROND": select11, - "Cmerror": msg17, - "DCD_AS_ROOT": msg217, - "DCD_FILTER_LIB_ERROR": 
msg218, - "DCD_MALLOC_FAILED_INIT": msg219, - "DCD_PARSE_EMERGENCY": msg220, - "DCD_PARSE_FILTER_EMERGENCY": msg221, - "DCD_PARSE_MINI_EMERGENCY": msg222, - "DCD_PARSE_STATE_EMERGENCY": msg223, - "DCD_POLICER_PARSE_EMERGENCY": msg224, - "DCD_PULL_LOG_FAILURE": msg225, - "DFWD_ARGUMENT_ERROR": msg226, - "DFWD_MALLOC_FAILED_INIT": msg227, - "DFWD_PARSE_FILTER_EMERGENCY": msg228, - "DFWD_PARSE_STATE_EMERGENCY": msg229, - "ECCD_DAEMONIZE_FAILED": msg230, - "ECCD_DUPLICATE": msg231, - "ECCD_LOOP_EXIT_FAILURE": msg232, - "ECCD_NOT_ROOT": msg233, - "ECCD_PCI_FILE_OPEN_FAILED": msg234, - "ECCD_PCI_READ_FAILED": msg235, - "ECCD_PCI_WRITE_FAILED": msg236, - "ECCD_PID_FILE_LOCK": msg237, - "ECCD_PID_FILE_UPDATE": msg238, - "ECCD_TRACE_FILE_OPEN_FAILED": msg239, - "ECCD_usage": msg240, - "EVENT": msg23, - "EVENTD_AUDIT_SHOW": msg241, - "FLOW_REASSEMBLE_FAIL": msg731, - "FLOW_REASSEMBLE_SUCCEED": msg242, - "FSAD_CHANGE_FILE_OWNER": msg243, - "FSAD_CONFIG_ERROR": msg244, - "FSAD_CONNTIMEDOUT": msg245, - "FSAD_FAILED": msg246, - "FSAD_FETCHTIMEDOUT": msg247, - "FSAD_FILE_FAILED": msg248, - "FSAD_FILE_REMOVE": msg249, - "FSAD_FILE_RENAME": msg250, - "FSAD_FILE_STAT": msg251, - "FSAD_FILE_SYNC": msg252, - "FSAD_MAXCONN": msg253, - "FSAD_MEMORYALLOC_FAILED": msg254, - "FSAD_NOT_ROOT": msg255, - "FSAD_PARENT_DIRECTORY": msg256, - "FSAD_PATH_IS_DIRECTORY": msg257, - "FSAD_PATH_IS_SPECIAL": msg258, - "FSAD_RECVERROR": msg259, - "FSAD_TERMINATED_CONNECTION": msg260, - "FSAD_TERMINATING_SIGNAL": msg261, - "FSAD_TRACEOPEN_FAILED": msg262, - "FSAD_USAGE": msg263, - "Failed": select25, - "GGSN_ALARM_TRAP_FAILED": msg264, - "GGSN_ALARM_TRAP_SEND": msg265, - "GGSN_TRAP_SEND": msg266, - "IDP_ATTACK_LOG_EVENT": msg773, - "JADE_AUTH_ERROR": msg267, - "JADE_EXEC_ERROR": msg268, - "JADE_NO_LOCAL_USER": msg269, - "JADE_PAM_ERROR": msg270, - "JADE_PAM_NO_LOCAL_USER": msg271, - "JSRPD_HA_CONTROL_LINK_UP": msg748, - "JUNOSROUTER_GENERIC": select84, - "KERN_ARP_ADDR_CHANGE": msg272, - 
"KMD_PM_SA_ESTABLISHED": msg273, - "L2CPD_TASK_REINIT": msg274, - "LACPD_TIMEOUT": msg749, - "LIBJNX_EXEC_EXITED": msg275, - "LIBJNX_EXEC_FAILED": msg276, - "LIBJNX_EXEC_PIPE": msg277, - "LIBJNX_EXEC_SIGNALED": msg278, - "LIBJNX_EXEC_WEXIT": msg279, - "LIBJNX_FILE_COPY_FAILED": msg280, - "LIBJNX_PRIV_LOWER_FAILED": msg281, - "LIBJNX_PRIV_RAISE_FAILED": msg282, - "LIBJNX_REPLICATE_RCP_EXEC_FAILED": msg283, - "LIBJNX_ROTATE_COMPRESS_EXEC_FAILED": msg284, - "LIBSERVICED_CLIENT_CONNECTION": msg285, - "LIBSERVICED_OUTBOUND_REQUEST": msg286, - "LIBSERVICED_SNMP_LOST_CONNECTION": msg287, - "LIBSERVICED_SOCKET_BIND": msg288, - "LIBSERVICED_SOCKET_PRIVATIZE": msg289, - "LICENSE_EXPIRED": msg290, - "LICENSE_EXPIRED_KEY_DELETED": msg291, - "LICENSE_NEARING_EXPIRY": msg292, - "LOGIN_ABORTED": msg293, - "LOGIN_FAILED": msg294, - "LOGIN_FAILED_INCORRECT_PASSWORD": msg295, - "LOGIN_FAILED_SET_CONTEXT": msg296, - "LOGIN_FAILED_SET_LOGIN": msg297, - "LOGIN_HOSTNAME_UNRESOLVED": msg298, - "LOGIN_INFORMATION": msg299, - "LOGIN_INVALID_LOCAL_USER": msg300, - "LOGIN_MALFORMED_USER": msg301, - "LOGIN_PAM_AUTHENTICATION_ERROR": msg302, - "LOGIN_PAM_ERROR": msg303, - "LOGIN_PAM_MAX_RETRIES": msg304, - "LOGIN_PAM_NONLOCAL_USER": msg305, - "LOGIN_PAM_STOP": msg306, - "LOGIN_PAM_USER_UNKNOWN": msg307, - "LOGIN_PASSWORD_EXPIRED": msg308, - "LOGIN_REFUSED": msg309, - "LOGIN_ROOT": msg310, - "LOGIN_TIMED_OUT": msg311, - "MIB2D_ATM_ERROR": msg312, - "MIB2D_CONFIG_CHECK_FAILED": msg313, - "MIB2D_FILE_OPEN_FAILURE": msg314, - "MIB2D_IFD_IFINDEX_FAILURE": msg315, - "MIB2D_IFL_IFINDEX_FAILURE": msg316, - "MIB2D_INIT_FAILURE": msg317, - "MIB2D_KVM_FAILURE": msg318, - "MIB2D_RTSLIB_READ_FAILURE": msg319, - "MIB2D_RTSLIB_SEQ_MISMATCH": msg320, - "MIB2D_SYSCTL_FAILURE": msg321, - "MIB2D_TRAP_HEADER_FAILURE": msg322, - "MIB2D_TRAP_SEND_FAILURE": msg323, - "MRVL-L2": msg56, - "Multiuser": msg324, - "NASD_AUTHENTICATION_CREATE_FAILED": msg325, - "NASD_CHAP_AUTHENTICATION_IN_PROGRESS": msg326, - 
"NASD_CHAP_GETHOSTNAME_FAILED": msg327, - "NASD_CHAP_INVALID_CHAP_IDENTIFIER": msg328, - "NASD_CHAP_INVALID_OPCODE": msg329, - "NASD_CHAP_LOCAL_NAME_UNAVAILABLE": msg330, - "NASD_CHAP_MESSAGE_UNEXPECTED": msg331, - "NASD_CHAP_REPLAY_ATTACK_DETECTED": msg332, - "NASD_CONFIG_GET_LAST_MODIFIED_FAILED": msg333, - "NASD_DAEMONIZE_FAILED": msg334, - "NASD_DB_ALLOC_FAILURE": msg335, - "NASD_DB_TABLE_CREATE_FAILURE": msg336, - "NASD_DUPLICATE": msg337, - "NASD_EVLIB_CREATE_FAILURE": msg338, - "NASD_EVLIB_EXIT_FAILURE": msg339, - "NASD_LOCAL_CREATE_FAILED": msg340, - "NASD_NOT_ROOT": msg341, - "NASD_PID_FILE_LOCK": msg342, - "NASD_PID_FILE_UPDATE": msg343, - "NASD_POST_CONFIGURE_EVENT_FAILED": msg344, - "NASD_PPP_READ_FAILURE": msg345, - "NASD_PPP_SEND_FAILURE": msg346, - "NASD_PPP_SEND_PARTIAL": msg347, - "NASD_PPP_UNRECOGNIZED": msg348, - "NASD_RADIUS_ALLOCATE_PASSWORD_FAILED": msg349, - "NASD_RADIUS_CONFIG_FAILED": msg350, - "NASD_RADIUS_CREATE_FAILED": msg351, - "NASD_RADIUS_CREATE_REQUEST_FAILED": msg352, - "NASD_RADIUS_GETHOSTNAME_FAILED": msg353, - "NASD_RADIUS_MESSAGE_UNEXPECTED": msg354, - "NASD_RADIUS_OPEN_FAILED": msg355, - "NASD_RADIUS_SELECT_FAILED": msg356, - "NASD_RADIUS_SET_TIMER_FAILED": msg357, - "NASD_TRACE_FILE_OPEN_FAILED": msg358, - "NASD_usage": msg359, - "NOTICE": msg360, - "PFEMAN": msg61, - "PFE_FW_SYSLOG_IP": select36, - "PFE_NH_RESOLVE_THROTTLED": msg363, - "PING_TEST_COMPLETED": msg364, - "PING_TEST_FAILED": msg365, - "PKID_UNABLE_TO_GET_CRL": msg746, - "PWC_EXIT": msg368, - "PWC_HOLD_RELEASE": msg369, - "PWC_INVALID_RUNS_ARGUMENT": msg370, - "PWC_INVALID_TIMEOUT_ARGUMENT": msg371, - "PWC_KILLED_BY_SIGNAL": msg372, - "PWC_KILL_EVENT": msg373, - "PWC_KILL_FAILED": msg374, - "PWC_KQUEUE_ERROR": msg375, - "PWC_KQUEUE_INIT": msg376, - "PWC_KQUEUE_REGISTER_FILTER": msg377, - "PWC_LOCKFILE_BAD_FORMAT": msg378, - "PWC_LOCKFILE_ERROR": msg379, - "PWC_LOCKFILE_MISSING": msg380, - "PWC_LOCKFILE_NOT_LOCKED": msg381, - "PWC_NO_PROCESS": msg382, - 
"PWC_PROCESS_EXIT": msg383, - "PWC_PROCESS_FORCED_HOLD": msg384, - "PWC_PROCESS_HOLD": msg385, - "PWC_PROCESS_HOLD_SKIPPED": msg386, - "PWC_PROCESS_OPEN": msg387, - "PWC_PROCESS_TIMED_HOLD": msg388, - "PWC_PROCESS_TIMEOUT": msg389, - "PWC_SIGNAL_INIT": msg390, - "PWC_SOCKET_CONNECT": msg391, - "PWC_SOCKET_CREATE": msg392, - "PWC_SOCKET_OPTION": msg393, - "PWC_STDOUT_WRITE": msg394, - "PWC_SYSTEM_CALL": msg395, - "PWC_UNKNOWN_KILL_OPTION": msg396, - "RDP": msg111, - "RMOPD_ADDRESS_MULTICAST_INVALID": msg397, - "RMOPD_ADDRESS_SOURCE_INVALID": msg398, - "RMOPD_ADDRESS_STRING_FAILURE": msg399, - "RMOPD_ADDRESS_TARGET_INVALID": msg400, - "RMOPD_DUPLICATE": msg401, - "RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED": msg402, - "RMOPD_ICMP_SENDMSG_FAILURE": msg403, - "RMOPD_IFINDEX_NOT_ACTIVE": msg404, - "RMOPD_IFINDEX_NO_INFO": msg405, - "RMOPD_IFNAME_NOT_ACTIVE": msg406, - "RMOPD_IFNAME_NO_INFO": msg407, - "RMOPD_NOT_ROOT": msg408, - "RMOPD_ROUTING_INSTANCE_NO_INFO": msg409, - "RMOPD_TRACEROUTE_ERROR": msg410, - "RMOPD_usage": msg411, - "RPD_ABORT": msg412, - "RPD_ACTIVE_TERMINATE": msg413, - "RPD_ASSERT": msg414, - "RPD_ASSERT_SOFT": msg415, - "RPD_EXIT": msg416, - "RPD_IFL_INDEXCOLLISION": msg417, - "RPD_IFL_NAMECOLLISION": msg418, - "RPD_ISIS_ADJDOWN": msg419, - "RPD_ISIS_ADJUP": msg420, - "RPD_ISIS_ADJUPNOIP": msg421, - "RPD_ISIS_LSPCKSUM": msg422, - "RPD_ISIS_OVERLOAD": msg423, - "RPD_KRT_AFUNSUPRT": msg424, - "RPD_KRT_CCC_IFL_MODIFY": msg425, - "RPD_KRT_DELETED_RTT": msg426, - "RPD_KRT_IFA_GENERATION": msg427, - "RPD_KRT_IFDCHANGE": msg428, - "RPD_KRT_IFDEST_GET": msg429, - "RPD_KRT_IFDGET": msg430, - "RPD_KRT_IFD_GENERATION": msg431, - "RPD_KRT_IFL_CELL_RELAY_MODE_INVALID": msg432, - "RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED": msg433, - "RPD_KRT_IFL_GENERATION": msg434, - "RPD_KRT_KERNEL_BAD_ROUTE": msg435, - "RPD_KRT_NEXTHOP_OVERFLOW": msg436, - "RPD_KRT_NOIFD": msg437, - "RPD_KRT_UNKNOWN_RTT": msg438, - "RPD_KRT_VERSION": msg439, - "RPD_KRT_VERSIONNONE": msg440, - 
"RPD_KRT_VERSIONOLD": msg441, - "RPD_LDP_INTF_BLOCKED": msg442, - "RPD_LDP_INTF_UNBLOCKED": msg443, - "RPD_LDP_NBRDOWN": msg444, - "RPD_LDP_NBRUP": msg445, - "RPD_LDP_SESSIONDOWN": msg446, - "RPD_LDP_SESSIONUP": msg447, - "RPD_LOCK_FLOCKED": msg448, - "RPD_LOCK_LOCKED": msg449, - "RPD_MPLS_LSP_CHANGE": msg450, - "RPD_MPLS_LSP_DOWN": msg451, - "RPD_MPLS_LSP_SWITCH": msg452, - "RPD_MPLS_LSP_UP": msg453, - "RPD_MSDP_PEER_DOWN": msg454, - "RPD_MSDP_PEER_UP": msg455, - "RPD_OSPF_NBRDOWN": msg456, - "RPD_OSPF_NBRUP": msg457, - "RPD_OS_MEMHIGH": msg458, - "RPD_PIM_NBRDOWN": msg459, - "RPD_PIM_NBRUP": msg460, - "RPD_RDISC_CKSUM": msg461, - "RPD_RDISC_NOMULTI": msg462, - "RPD_RDISC_NORECVIF": msg463, - "RPD_RDISC_SOLICITADDR": msg464, - "RPD_RDISC_SOLICITICMP": msg465, - "RPD_RDISC_SOLICITLEN": msg466, - "RPD_RIP_AUTH": msg467, - "RPD_RIP_JOIN_BROADCAST": msg468, - "RPD_RIP_JOIN_MULTICAST": msg469, - "RPD_RT_IFUP": msg470, - "RPD_SCHED_CALLBACK_LONGRUNTIME": msg471, - "RPD_SCHED_CUMULATIVE_LONGRUNTIME": msg472, - "RPD_SCHED_MODULE_LONGRUNTIME": msg473, - "RPD_SCHED_TASK_LONGRUNTIME": msg474, - "RPD_SIGNAL_TERMINATE": msg475, - "RPD_START": msg476, - "RPD_SYSTEM": msg477, - "RPD_TASK_BEGIN": msg478, - "RPD_TASK_CHILDKILLED": msg479, - "RPD_TASK_CHILDSTOPPED": msg480, - "RPD_TASK_FORK": msg481, - "RPD_TASK_GETWD": msg482, - "RPD_TASK_NOREINIT": msg483, - "RPD_TASK_PIDCLOSED": msg484, - "RPD_TASK_PIDFLOCK": msg485, - "RPD_TASK_PIDWRITE": msg486, - "RPD_TASK_REINIT": msg487, - "RPD_TASK_SIGNALIGNORE": msg488, - "RT_COS": msg489, - "RT_FLOW_SESSION_CLOSE": select51, - "RT_FLOW_SESSION_CREATE": select45, - "RT_FLOW_SESSION_DENY": select47, - "RT_SCREEN_ICMP": msg774, - "RT_SCREEN_IP": select52, - "RT_SCREEN_SESSION_LIMIT": msg504, - "RT_SCREEN_TCP": msg503, - "RT_SCREEN_UDP": msg505, - "Resolve": msg63, - "SECINTEL_ACTION_LOG": msg775, - "SECINTEL_ERROR_OTHERS": msg747, - "SECINTEL_NETWORK_CONNECT_FAILED": msg744, - "SERVICED_CLIENT_CONNECT": msg506, - 
"SERVICED_CLIENT_DISCONNECTED": msg507, - "SERVICED_CLIENT_ERROR": msg508, - "SERVICED_COMMAND_FAILED": msg509, - "SERVICED_COMMIT_FAILED": msg510, - "SERVICED_CONFIGURATION_FAILED": msg511, - "SERVICED_CONFIG_ERROR": msg512, - "SERVICED_CONFIG_FILE": msg513, - "SERVICED_CONNECTION_ERROR": msg514, - "SERVICED_DISABLED_GGSN": msg515, - "SERVICED_DUPLICATE": msg516, - "SERVICED_EVENT_FAILED": msg517, - "SERVICED_INIT_FAILED": msg518, - "SERVICED_MALLOC_FAILURE": msg519, - "SERVICED_NETWORK_FAILURE": msg520, - "SERVICED_NOT_ROOT": msg521, - "SERVICED_PID_FILE_LOCK": msg522, - "SERVICED_PID_FILE_UPDATE": msg523, - "SERVICED_RTSOCK_SEQUENCE": msg524, - "SERVICED_SIGNAL_HANDLER": msg525, - "SERVICED_SOCKET_CREATE": msg526, - "SERVICED_SOCKET_IO": msg527, - "SERVICED_SOCKET_OPTION": msg528, - "SERVICED_STDLIB_FAILURE": msg529, - "SERVICED_USAGE": msg530, - "SERVICED_WORK_INCONSISTENCY": msg531, - "SNMPD_ACCESS_GROUP_ERROR": msg537, - "SNMPD_AUTH_FAILURE": select53, - "SNMPD_AUTH_PRIVILEGES_EXCEEDED": msg542, - "SNMPD_AUTH_RESTRICTED_ADDRESS": msg543, - "SNMPD_AUTH_WRONG_PDU_TYPE": msg544, - "SNMPD_CONFIG_ERROR": msg545, - "SNMPD_CONTEXT_ERROR": msg546, - "SNMPD_ENGINE_FILE_FAILURE": msg547, - "SNMPD_ENGINE_PROCESS_ERROR": msg548, - "SNMPD_FILE_FAILURE": msg549, - "SNMPD_GROUP_ERROR": msg550, - "SNMPD_INIT_FAILED": msg551, - "SNMPD_LIBJUNIPER_FAILURE": msg552, - "SNMPD_LOOPBACK_ADDR_ERROR": msg553, - "SNMPD_MEMORY_FREED": msg554, - "SNMPD_RADIX_FAILURE": msg555, - "SNMPD_RECEIVE_FAILURE": msg556, - "SNMPD_RMONFILE_FAILURE": msg557, - "SNMPD_RMON_COOKIE": msg558, - "SNMPD_RMON_EVENTLOG": msg559, - "SNMPD_RMON_IOERROR": msg560, - "SNMPD_RMON_MIBERROR": msg561, - "SNMPD_RTSLIB_ASYNC_EVENT": msg562, - "SNMPD_SEND_FAILURE": select54, - "SNMPD_SOCKET_FAILURE": msg565, - "SNMPD_SUBAGENT_NO_BUFFERS": msg566, - "SNMPD_SUBAGENT_SEND_FAILED": msg567, - "SNMPD_SYSLIB_FAILURE": msg568, - "SNMPD_THROTTLE_QUEUE_DRAINED": msg569, - "SNMPD_TRAP_COLD_START": msg570, - 
"SNMPD_TRAP_GEN_FAILURE": msg571, - "SNMPD_TRAP_GEN_FAILURE2": msg572, - "SNMPD_TRAP_INVALID_DATA": msg573, - "SNMPD_TRAP_NOT_ENOUGH_VARBINDS": msg574, - "SNMPD_TRAP_QUEUED": msg575, - "SNMPD_TRAP_QUEUE_DRAINED": msg576, - "SNMPD_TRAP_QUEUE_MAX_ATTEMPTS": msg577, - "SNMPD_TRAP_QUEUE_MAX_SIZE": msg578, - "SNMPD_TRAP_THROTTLED": msg579, - "SNMPD_TRAP_TYPE_ERROR": msg580, - "SNMPD_TRAP_VARBIND_TYPE_ERROR": msg581, - "SNMPD_TRAP_VERSION_ERROR": msg582, - "SNMPD_TRAP_WARM_START": msg583, - "SNMPD_USER_ERROR": msg584, - "SNMPD_VIEW_DELETE": msg585, - "SNMPD_VIEW_INSTALL_DEFAULT": msg586, - "SNMPD_VIEW_OID_PARSE": msg587, - "SNMP_GET_ERROR1": msg588, - "SNMP_GET_ERROR2": msg589, - "SNMP_GET_ERROR3": msg590, - "SNMP_GET_ERROR4": msg591, - "SNMP_NS_LOG_INFO": msg535, - "SNMP_RTSLIB_FAILURE": msg592, - "SNMP_SUBAGENT_IPC_REG_ROWS": msg536, - "SNMP_TRAP_LINK_DOWN": select55, - "SNMP_TRAP_LINK_UP": select56, - "SNMP_TRAP_PING_PROBE_FAILED": msg597, - "SNMP_TRAP_PING_TEST_COMPLETED": msg598, - "SNMP_TRAP_PING_TEST_FAILED": msg599, - "SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE": msg600, - "SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED": msg601, - "SNMP_TRAP_TRACE_ROUTE_TEST_FAILED": msg602, - "SNTPD": msg112, - "SSB": msg113, - "SSHD_LOGIN_FAILED": select57, - "SSL_PROXY_SESSION_IGNORE": msg534, - "SSL_PROXY_SSL_SESSION_ALLOW": msg532, - "SSL_PROXY_SSL_SESSION_DROP": msg533, - "TASK_TASK_REINIT": msg606, - "TFTPD_AF_ERR": msg607, - "TFTPD_BIND_ERR": msg608, - "TFTPD_CONNECT_ERR": msg609, - "TFTPD_CONNECT_INFO": msg610, - "TFTPD_CREATE_ERR": msg611, - "TFTPD_FIO_ERR": msg612, - "TFTPD_FORK_ERR": msg613, - "TFTPD_NAK_ERR": msg614, - "TFTPD_OPEN_ERR": msg615, - "TFTPD_RECVCOMPLETE_INFO": msg616, - "TFTPD_RECVFROM_ERR": msg617, - "TFTPD_RECV_ERR": msg618, - "TFTPD_SENDCOMPLETE_INFO": msg619, - "TFTPD_SEND_ERR": msg620, - "TFTPD_SOCKET_ERR": msg621, - "TFTPD_STATFS_ERR": msg622, - "TNP": msg623, - "UI_AUTH_EVENT": msg628, - "UI_AUTH_INVALID_CHALLENGE": msg629, - "UI_BOOTTIME_FAILED": msg630, - 
"UI_CFG_AUDIT_NEW": select58, - "UI_CFG_AUDIT_OTHER": select60, - "UI_CFG_AUDIT_SET": select63, - "UI_CFG_AUDIT_SET_SECRET": select64, - "UI_CHILD_ARGS_EXCEEDED": msg645, - "UI_CHILD_CHANGE_USER": msg646, - "UI_CHILD_EXEC": msg647, - "UI_CHILD_EXITED": msg648, - "UI_CHILD_FOPEN": msg649, - "UI_CHILD_PIPE_FAILED": msg650, - "UI_CHILD_SIGNALED": msg651, - "UI_CHILD_START": msg653, - "UI_CHILD_STATUS": msg654, - "UI_CHILD_STOPPED": msg652, - "UI_CHILD_WAITPID": msg655, - "UI_CLI_IDLE_TIMEOUT": msg656, - "UI_CMDLINE_READ_LINE": msg657, - "UI_CMDSET_EXEC_FAILED": msg658, - "UI_CMDSET_FORK_FAILED": msg659, - "UI_CMDSET_PIPE_FAILED": msg660, - "UI_CMDSET_STOPPED": msg661, - "UI_CMDSET_WEXITED": msg662, - "UI_CMD_AUTH_REGEX_INVALID": msg663, - "UI_COMMIT": msg664, - "UI_COMMIT_AT": msg665, - "UI_COMMIT_AT_COMPLETED": msg666, - "UI_COMMIT_AT_FAILED": msg667, - "UI_COMMIT_COMPRESS_FAILED": msg668, - "UI_COMMIT_CONFIRMED": msg669, - "UI_COMMIT_CONFIRMED_REMINDER": msg670, - "UI_COMMIT_CONFIRMED_TIMED": msg671, - "UI_COMMIT_EMPTY_CONTAINER": msg672, - "UI_COMMIT_NOT_CONFIRMED": msg673, - "UI_COMMIT_PROGRESS": msg674, - "UI_COMMIT_QUIT": msg675, - "UI_COMMIT_ROLLBACK_FAILED": msg676, - "UI_COMMIT_SYNC": msg677, - "UI_COMMIT_SYNC_FORCE": msg678, - "UI_CONFIGURATION_ERROR": msg679, - "UI_DAEMON_ACCEPT_FAILED": msg680, - "UI_DAEMON_FORK_FAILED": msg681, - "UI_DAEMON_SELECT_FAILED": msg682, - "UI_DAEMON_SOCKET_FAILED": msg683, - "UI_DBASE_ACCESS_FAILED": msg684, - "UI_DBASE_CHECKOUT_FAILED": msg685, - "UI_DBASE_EXTEND_FAILED": msg686, - "UI_DBASE_LOGIN_EVENT": msg687, - "UI_DBASE_LOGOUT_EVENT": msg688, - "UI_DBASE_MISMATCH_EXTENT": msg689, - "UI_DBASE_MISMATCH_MAJOR": msg690, - "UI_DBASE_MISMATCH_MINOR": msg691, - "UI_DBASE_MISMATCH_SEQUENCE": msg692, - "UI_DBASE_MISMATCH_SIZE": msg693, - "UI_DBASE_OPEN_FAILED": msg694, - "UI_DBASE_REBUILD_FAILED": msg695, - "UI_DBASE_REBUILD_SCHEMA_FAILED": msg696, - "UI_DBASE_REBUILD_STARTED": msg697, - "UI_DBASE_RECREATE": msg698, - 
"UI_DBASE_REOPEN_FAILED": msg699, - "UI_DUPLICATE_UID": msg700, - "UI_JUNOSCRIPT_CMD": msg701, - "UI_JUNOSCRIPT_ERROR": msg702, - "UI_LOAD_EVENT": msg703, - "UI_LOAD_JUNOS_DEFAULT_FILE_EVENT": msg704, - "UI_LOGIN_EVENT": select71, - "UI_LOGOUT_EVENT": msg707, - "UI_LOST_CONN": msg708, - "UI_MASTERSHIP_EVENT": msg709, - "UI_MGD_TERMINATE": msg710, - "UI_NETCONF_CMD": msg711, - "UI_READ_FAILED": msg712, - "UI_READ_TIMEOUT": msg713, - "UI_REBOOT_EVENT": msg714, - "UI_RESTART_EVENT": msg715, - "UI_SCHEMA_CHECKOUT_FAILED": msg716, - "UI_SCHEMA_MISMATCH_MAJOR": msg717, - "UI_SCHEMA_MISMATCH_MINOR": msg718, - "UI_SCHEMA_MISMATCH_SEQUENCE": msg719, - "UI_SCHEMA_SEQUENCE_ERROR": msg720, - "UI_SYNC_OTHER_RE": msg721, - "UI_TACPLUS_ERROR": msg722, - "UI_VERSION_FAILED": msg723, - "UI_WRITE_RECONNECT": msg724, - "VRRPD_NEWMASTER_TRAP": msg725, - "Version": msg99, - "WEBFILTER_REQUEST_NOT_CHECKED": msg730, - "WEBFILTER_URL_BLOCKED": select75, - "WEBFILTER_URL_PERMITTED": select74, - "WEB_AUTH_FAIL": msg726, - "WEB_AUTH_SUCCESS": msg727, - "WEB_INTERFACE_UNAUTH": msg728, - "WEB_READ": msg729, - "alarmd": msg3, - "bgp_connect_start": msg132, - "bgp_event": msg133, - "bgp_listen_accept": msg134, - "bgp_listen_reset": msg135, - "bgp_nexthop_sanity": msg136, - "bgp_pp_recv": select33, - "bgp_process_caps": select32, - "bgp_send": msg141, - "bgp_traffic_timeout": msg142, - "bigd": select6, - "bigpipe": select7, - "bigstart": msg9, - "cgatool": msg10, - "chassisd": msg11, - "chassism": select73, - "checkd": select8, - "clean_process": msg215, - "cli": msg750, - "cosd": msg14, - "craftd": msg15, - "cron": msg18, - "crond": msg21, - "dcd": msg22, - "eswd": select72, - "ftpd": msg24, - "ha_rto_stats_handler": msg25, - "hostinit": msg26, - "idpinfo": msg752, - "ifinfo": select13, - "ifp_ifl_anydown_change_event": msg30, - "ifp_ifl_config_event": msg31, - "ifp_ifl_ext_chg": msg32, - "inetd": select14, - "init": select15, - "ipc_msg_write": msg40, - "kernel": select17, - "kmd": msg753, - 
"last": select28, - "login": select18, - "lsys_ssam_handler": msg53, - "mcsn": msg54, - "mgd": msg62, - "mrvl_dfw_log_effuse_status": msg55, - "node": select79, - "pfed": msg751, - "process_mode": select38, - "profile_ssam_handler": msg57, - "pst_nat_binding_set_profile": msg58, - "qsfp": msg776, - "respawn": msg64, - "root": msg65, - "rpd": select20, - "rshd": msg70, - "sfd": msg71, - "sshd": select21, - "syslogd": msg92, - "task_connect": msg605, - "task_reconfigure": msg59, - "tnetd": msg60, - "tnp.bootpd": msg769, - "trace_on": msg624, - "trace_rotate": msg625, - "transfer-file": msg626, - "ttloop": msg627, - "ucd-snmp": select26, - "usp_ipc_client_reconnect": msg95, - "usp_trace_ipc_disconnect": msg96, - "usp_trace_ipc_reconnect": msg97, - "uspinfo": msg98, - "xntpd": select27, - }), -]); - -var hdr43 = match("HEADER#3:0004/0", "message", "%{month->} %{day->} %{time->} %{p0}"); - -var part822 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); - -var part823 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); - -var part824 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); - -var part825 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); - -var part826 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); - -var part827 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); - -var part828 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); - -var part829 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); - -var part830 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); - -var part831 = match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); - -var part832 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); - -var hdr44 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); - -var part833 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); - -var part834 = 
match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); - -var part835 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); - -var part836 = match_copy("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "p0"); - -var part837 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); - -var part838 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); - -var part839 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); - -var part840 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); - -var part841 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", " connection-tag=%{fld20->} service-name=\"%{p0}"); - -var part842 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", " service-name=\"%{p0}"); - -var part843 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", " nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); - -var part844 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_1", "nwparser.p0", "name=\"%{p0}"); - -var part845 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); - -var part846 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied %{p0}"); - -var part847 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", "nwparser.payload", "%{event_type}: session denied %{p0}"); - -var part848 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); - -var part849 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", 
"nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); - -var part850 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); - -var part851 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{p0}"); - -var part852 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/6", "nwparser.p0", "\"%{rule_template->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"%{p0}"); - -var part853 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); - -var part854 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); - -var part855 = match_copy("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "space"); - -var part856 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); - -var part857 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", "nwparser.p0", "-> \"%{change_new}\""); - -var part858 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); - -var part859 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); - -var part860 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); - -var 
part861 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); - -var part862 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); - -var part863 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); - -var part864 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); - -var part865 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); - -var select85 = linear_select([ - dup14, - dup15, - dup16, - dup17, -]); - -var part866 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{p0}", processor_chain([ - dup13, -])); - -var select86 = linear_select([ - dup40, - dup41, -]); - -var part867 = match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ - dup21, - dup22, - dup56, - dup23, -])); - -var part868 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ - dup51, - dup22, - dup64, - dup23, -])); - -var part869 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ - dup30, - dup22, - dup65, - dup23, -])); - -var part870 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Another copy of this program is running", processor_chain([ - dup30, - dup22, - dup66, - dup23, -])); - -var part871 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ - dup30, - dup22, - dup67, - dup23, -])); - -var part872 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: Unable to update process PID file: %{result}", processor_chain([ - dup30, - dup22, - dup68, - dup23, -])); - -var part873 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - dup71, - dup23, -])); - -var select87 = linear_select([ - dup76, - dup77, -]); - -var part874 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ - dup30, - dup22, - dup79, - dup23, -])); - -var part875 = match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ - dup30, - dup22, - dup84, - dup23, -])); - -var part876 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ - dup30, - dup22, - dup85, - dup23, -])); - -var part877 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ - dup21, - dup22, - dup86, - dup23, -])); - -var select88 = linear_select([ - dup88, - dup89, -]); - -var select89 = linear_select([ - dup90, - dup45, -]); - -var select90 = linear_select([ - dup95, - dup96, -]); - -var select91 = linear_select([ - dup101, - dup91, -]); - -var part878 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ - dup30, - dup22, - dup52, -])); - -var 
part879 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ - dup27, - dup22, - dup52, -])); - -var select92 = linear_select([ - dup118, - dup119, -]); - -var select93 = linear_select([ - dup123, - dup124, -]); - -var part880 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ - dup30, - dup22, - dup52, -])); - -var part881 = match_copy("MESSAGE#747:cli", "nwparser.payload", "fld12", processor_chain([ - dup48, - dup47, - dup23, - dup22, -])); diff --git a/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml b/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml deleted file mode 100644 index 9199755b6ac..00000000000 --- a/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml +++ /dev/null 
@@ -1,64 +0,0 @@
----
-description: Pipeline for Juniper JUNOS
-
-processors:
- # ECS event.ingested
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
- # User agent
- - user_agent:
- field: user_agent.original
- ignore_missing: true
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
-
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - append:
- field: related.hosts
- value: '{{host.name}}'
- allow_duplicates: false
- if: ctx.host?.name != null && ctx.host?.name != ''
-on_failure:
- - append:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/juniper/junos/manifest.yml b/x-pack/filebeat/module/juniper/junos/manifest.yml
deleted file mode 100644
index eea60eaefcd..00000000000
--- a/x-pack/filebeat/module/juniper/junos/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@ -module_version: "1.0" - -var: - - name: paths - - name: tags - default: ["juniper.junos", "forwarded"] - - name: syslog_host - default: localhost - - name: syslog_port - default: 9533 - - name: input - default: udp - - name: community_id - default: true - - name: tz_offset - default: local - - name: rsa_fields - default: true - - name: keep_raw_fields - default: false - - name: debug - default: false - -ingest_pipeline: ingest/pipeline.yml -input: config/input.yml - -requires.processors: -- name: geoip - plugin: ingest-geoip -- name: user_agent - plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/juniper/junos/test/generated.log b/x-pack/filebeat/module/juniper/junos/test/generated.log deleted file mode 100644 index e8663f48748..00000000000 --- a/x-pack/filebeat/module/juniper/junos/test/generated.log +++ /dev/null 
@@ -1,100 +0,0 @@ -Jan 29 06:09:59 ceroinBC.exe[6713]: RPD_SCHED_TASK_LONGRUNTIME: : exe ran for 7309(5049) -Feb 12 13:12:33 DCD_FILTER_LIB_ERROR message repeated [7608]: llu: Filter library initialization failed -Feb 26 20:15:08 MIB2D_TRAP_SEND_FAILURE: restart [6747]: sum: uaerat: cancel: success -Mar 12 03:17:42 seq olorema6148.www.localdomain: fug5500.www.domain IFP trace> node: dqu -Mar 26 10:20:16 ssb SNMPD_CONTEXT_ERROR: [7400]: emq: isiu: success in 6237 context 5367 -Apr 9 17:22:51 RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED: restart [7618]: ionul: ifl : nibus, unknown -Apr 24 00:25:25 CHASSISD_SNMP_TRAP10 message repeated [1284]: ume: SNMP trap: failure: ono -May 8 07:27:59 sunt prehen6218.www.localhost: onse.exe[254]: RPD_KRT_IFL_CELL_RELAY_MODE_INVALID: : ifl : inibusBo, failure -May 22 14:30:33 iamquis quirat6972.www5.lan: isc.exe[3237]: SNMPD_USER_ERROR: : conseq: unknown in 6404 user 'atiset' 4068 -Jun 5 21:33:08 fpc9 RPD_TASK_REINIT: [4621]: lita: Reinitializing -Jun 20 04:35:42 fpc4 LOGIN_FAILED: [2227]: oinBC: Login failed for user quameius from host ipsumdol4488.api.localdomain -Jul 4 11:38:16 NASD_PPP_SEND_PARTIAL: restart [3994]: aper: Unable to send all of message: santiumd -Jul 18 18:40:50 UI_COMMIT_AT_FAILED message repeated [7440]: temqu: success, minimav -Aug 2 01:43:25 rnatur ofdeFin7811.lan: emipsumd.exe[5020]: BOOTPD_NEW_CONF: : New configuration installed -Aug 16 08:45:59 RPD_RIP_JOIN_MULTICAST message repeated [60]: onemulla: Unable to join multicast group enp0s4292: unknown -Aug 30 15:48:33 FSAD_TERMINATED_CONNECTION: restart [6703]: xea: Open file ites` closed due to unknown -Sep 13 22:51:07 RPD_KRT_IFL_GENERATION message repeated [5539]: eri: ifl lo2169 generation mismatch -- unknown -Sep 28 05:53:42 cfeb UI_COMMIT_ROLLBACK_FAILED: [3453]: avolu: Automatic rollback failed -Oct 12 12:56:16 mquisn.exe[3993]: RMOPD_usage : failure: midest -Oct 26 19:58:50 undeomni.exe[4938]: RPD_ISIS_LSPCKSUM: : IS-IS 715 LSP checksum error, interface 
enp0s1965, LSP id tasun, sequence 3203, checksum eratv, lifetime ipsa -Nov 10 03:01:24 kmd: restart -Nov 24 10:03:59 ever.exe[6463]: LOGIN_FAILED: : Login failed for user atq from host erspi4926.www5.test -Dec 8 17:06:33 CHASSISD_MBUS_ERROR message repeated [72]: iadese: nisiu imad: management bus failed sanity test -Dec 23 00:09:07 niamquis.exe[1471]: TFTPD_NAK_ERR : nak error ptatems, 357 -Jan 6 07:11:41 UI_DUPLICATE_UID: restart [3350]: atqu: Users naturau have the same UID olorsita -Jan 20 14:14:16 piscivel.exe[4753]: TFTPD_CREATE_ERR: : check_space unknown -Feb 3 21:16:50 fpc4 RPD_START: [1269]: riat: Start 181 version version built 7425 -Feb 18 04:19:24 fpc2 COSMAN: : uptasnul: delete class_to_ifl table 2069, ifl 3693 -Mar 4 11:21:59 orum oinBCSed3073.www.lan: ilm.exe[3193]: SNMPD_TRAP_QUEUE_MAX_ATTEMPTS: : fugiatqu: after 4003 attempts, deleting 4568 traps queued to exercita -Mar 18 18:24:33 TFTPD_BIND_ERR: restart [1431]: ntut: bind: failure -Apr 2 01:27:07 lite ugia517.api.host: doei.exe[7073]: RPD_LDP_SESSIONDOWN: : LDP session 10.88.126.165 is down, failure -Apr 16 08:29:41 fpc6 SNMPD_CONTEXT_ERROR: [180]: eturadip: ent: unknown in 5848 context 316 -Apr 30 15:32:16 NASD_CHAP_INVALID_CHAP_IDENTIFIER message repeated [796]: iumdo: lo2721: received aturv expected CHAP ID: ectetura -May 14 22:34:50 UI_LOAD_EVENT message repeated [6342]: seq: User 'moll' is performing a 'allow' -May 29 05:37:24 fdeFin.exe[4053]: SNMP_TRAP_TRACE_ROUTE_TEST_FAILED : traceRouteCtlOwnerIndex = 1450, traceRouteCtlTestName = edic -Jun 12 12:39:58 SNMPD_RTSLIB_ASYNC_EVENT: restart [508]: uae: oremip: sequence mismatch failure -Jun 26 19:42:33 tesse olupta2743.internal.localdomain: ine.exe[3181]: BOOTPD_TIMEOUT: : Timeout success unreasonable -Jul 11 02:45:07 NASD_RADIUS_MESSAGE_UNEXPECTED message repeated [33]: abore: Unknown response from RADIUS server: unknown -Jul 25 09:47:41 PWC_LOCKFILE_BAD_FORMAT: restart [3426]: illum: PID lock file has bad format: eprehe -Aug 8 16:50:15 
snostr.exe[1613]: RPD_KRT_AFUNSUPRT : tec: received itaspe message with unsupported address family 4176 -Aug 22 23:52:50 oreeufug.exe[6086]: PWC_PROCESS_FORCED_HOLD : Process plicaboN forcing hold down of child 619 until signal -Sep 6 06:55:24 MIB2D_IFL_IFINDEX_FAILURE message repeated [4115]: tiu: SNMP index assigned to wri changed from 3902 to unknown -Sep 20 13:57:58 mwr cia5990.api.localdomain: pitlabo.exe[3498]: UI_DBASE_MISMATCH_MAJOR: : Database header major version number mismatch for file 'ende': expecting 6053, got 4884 -Oct 4 21:00:32 iuntN utfugi851.www5.invalid: nul.exe[1005]: SNMPD_VIEW_INSTALL_DEFAULT: : eetdo: success installing default 1243 view 5146 -Oct 19 04:03:07 DCD_PARSE_STATE_EMERGENCY message repeated [2498]: uptatem: An unhandled state was encountered during interface parsing -Nov 2 11:05:41 loremagn acons3820.internal.home: ain.exe[7192]: LOGIN_PAM_MAX_RETRIES: : Too many retries while authenticating user iquipex -Nov 16 18:08:15 onorume.exe[3290]: BOOTPD_NO_BOOTSTRING : No boot string found for type veleu -Dec 1 01:10:49 eirured sequamn5243.mail.home: sshd: sshd: SSHD_LOGIN_FAILED: Login failed for user 'ciatisun' from host '10.252.209.246'. 
-Dec 15 08:13:24 COS: restart : Received FC->Q map, caecat -Dec 29 15:15:58 cgatool message repeated : nvolupta: generated address is success -Jan 12 22:18:32 CHASSISD_SNMP_TRAP6 message repeated [4667]: idolor: SNMP trap generated: success (les) -Jan 27 05:21:06 ssb FLOW_REASSEMBLE_SUCCEED: : Packet merged source 10.102.228.136 destination 10.151.136.250 ipid upt succeed -Feb 10 12:23:41 DFWD_PARSE_FILTER_EMERGENCY message repeated [2037]: serrorsi: tsedquia encountered errors while parsing filter index file -Feb 24 19:26:15 remips laboreet5949.mail.test: tesse.exe[4358]: RPD_LDP_SESSIONDOWN: : LDP session 10.148.255.126 is down, unknown -Mar 11 02:28:49 fpc2 NASD_CHAP_REPLAY_ATTACK_DETECTED: [mipsumqu]: turad: eth680.6195: received doloremi unknown.iciatis -Mar 25 09:31:24 rema mcol7795.domain: mquis lsys_ssam_handler: : processing lsys root-logical-system tur -Apr 8 16:33:58 UI_LOST_CONN message repeated [7847]: loreeuf: Lost connection to daemon orainci -Apr 22 23:36:32 PWC_PROCESS_HOLD: restart [1791]: itse: Process lapari holding down child 2702 until signal -May 7 06:39:06 undeo ficiade4365.mail.domain: norum.exe[4443]: LIBSERVICED_SOCKET_BIND: : dantium: unable to bind socket ors: failure -May 21 13:41:41 liq eleumiu2852.lan: mfugiat.exe[3946]: LOGIN_FAILED: : Login failed for user olu from host mSect5899.domain -Jun 4 20:44:15 idolo.exe[6535]: MIB2D_IFL_IFINDEX_FAILURE: : SNMP index assigned to deseru changed from 6460 to unknown -Jun 19 03:46:49 modtempo.exe[5276]: CHASSISD_RELEASE_MASTERSHIP: : Release mastership notification -Jul 3 10:49:23 fpc4 PWC_PROCESS_HOLD: [3450]: dexea: Process aturExc holding down child 7343 until signal -Jul 17 17:51:58 ame.exe[226]: SERVICED_RTSOCK_SEQUENCE : boreet: routing socket sequence error, unknown -Aug 1 00:54:32 consect6919.mail.localdomain iset.exe[940]: idpinfo: urere -Aug 15 07:57:06 RPD_KRT_NOIFD: restart [4822]: oreeufug: No device 5020 for interface lo4593 -Aug 29 14:59:40 eprehen oinB3432.api.invalid: 
citatio.exe[5029]: craftd: , unknown -Sep 12 22:02:15 ACCT_CU_RTSLIB_error message repeated [7583]: eetd: liquide getting class usage statistics for interface enp0s2674: success -Sep 27 05:04:49 userro oree nimadmi7341.www.home RT_FLOW - kmd [ -Oct 11 12:07:23 LOGIN_PAM_NONLOCAL_USER: restart [686]: rauto: User rese authenticated but has no local login ID -Oct 25 19:09:57 doconse.exe[6184]: RPD_KRT_NOIFD : No device 5991 for interface enp0s7694 -Nov 9 02:12:32 quidolor1064.www.domain: uspinfo: : flow_print_session_summary_output received rcita -Nov 23 09:15:06 RPD_TASK_REINIT: restart [1810]: mfugi: Reinitializing -Dec 7 16:17:40 inibusBo.exe[2509]: ECCD_TRACE_FILE_OPEN_FAILED : allow: failure -Dec 21 23:20:14 ECCD_TRACE_FILE_OPEN_FAILED message repeated [2815]: rudexer: accept: unknown -Jan 5 06:22:49 eseosqu oeius641.api.home: laud.exe[913]: LOGIN_FAILED: : Login failed for user turQ from host tod6376.mail.host -Jan 19 13:25:23 ine.exe[1578]: FSAD_CONNTIMEDOUT : Connection timed out to the client (oreve2538.www.localdomain, 10.44.24.103) having request type reprehen -Feb 2 20:27:57 UI_SCHEMA_SEQUENCE_ERROR: restart [734]: rinre: Schema sequence number mismatch -Feb 17 03:30:32 LIBJNX_EXEC_PIPE: restart [946]: olors: Unable to create pipes for command 'deny': unknown -Mar 3 10:33:06 UI_DBASE_MISMATCH_EXTENT: restart [4686]: isnost: Database header extent mismatch for file 'lumdolor': expecting 559, got 7339 -Mar 17 17:35:40 NASD_usage message repeated [7744]: eumfu: unknown: quidex -Apr 1 00:38:14 /kmd: -Apr 15 07:40:49 sshd message repeated : very-high: can't get client address: unknown -Apr 29 14:43:23 fpc4 RPD_LDP_NBRUP: [4279]: stlaboru: LDP neighbor 10.248.68.242 (eth1282) is success -May 13 21:45:57 uun iduntutl4723.example: uel.exe[5770]: SNMPD_TRAP_QUEUE_DRAINED: : metco: traps queued to vel sent successfully -May 28 04:48:31 fpc8 ECCD_PCI_WRITE_FAILED: [4837]: radip: cancel: success -Jun 11 11:51:06 TFTPD_RECVCOMPLETE_INFO message repeated [7501]: 
piciatis: Received 3501 blocks of 5877 size for file 'tatisetq' -Jun 25 18:53:40 usp_trace_ipc_reconnect message repeated illum.exe:USP trace client cannot reconnect to server -Jul 10 01:56:14 amnis atevelit2799.internal.host: tatiset.exe IFP trace> BCHIP: : cannot write ucode mask reg -Jul 24 08:58:48 RPD_MPLS_LSP_DOWN message repeated [5094]: moditemp: MPLS LSP eth2042 unknown -Aug 7 16:01:23 CHASSISD_PARSE_INIT: restart [4153]: uatDuisa: Parsing configuration file 'usB' -Aug 21 23:03:57 RMOPD_ROUTING_INSTANCE_NO_INFO: restart [6922]: upidatat: No information for routing instance non: failure -Sep 5 06:06:31 Utenimad.exe[4305]: CHASSISD_TERM_SIGNAL: : Received SIGTERM request, success -Sep 19 13:09:05 tseddo.exe[484]: RPD_OSPF_NBRUP : OSPF neighbor 10.49.190.163 (lo50) aUteni due to failure -Oct 3 20:11:40 cfeb NASD_usage: [6968]: litseddo: failure: metconse -Oct 18 03:14:14 RPD_LDP_NBRDOWN message repeated [4598]: emu: LDP neighbor 10.101.99.109 (eth4282) is success -Nov 1 10:16:48 RPD_RDISC_NOMULTI message repeated [4764]: con: Ignoring interface 594 on lo7449 -- unknown -Nov 15 17:19:22 BOOTPD_NEW_CONF: restart [1768]: isquames: New configuration installed -Nov 30 00:21:57 SNMP_TRAP_LINK_DOWN message repeated [7368]: ngelit: ifIndex 4197, ifAdminStatus ons, ifOperStatus unknown, ifName lo3193 -Dec 14 07:24:31 MIB2D_ATM_ERROR message repeated [4927]: udexerci: voluptat: failure diff --git a/x-pack/filebeat/module/juniper/junos/test/generated.log-expected.json b/x-pack/filebeat/module/juniper/junos/test/generated.log-expected.json deleted file mode 100644 index a4b54007089..00000000000 --- a/x-pack/filebeat/module/juniper/junos/test/generated.log-expected.json +++ /dev/null 
@@ -1,2698 +0,0 @@ -[ - { - "event.action": "RPD_SCHED_TASK_LONGRUNTIME", - "event.code": "RPD_SCHED_TASK_LONGRUNTIME", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Jan 29 06:09:59 ceroinBC.exe[6713]: RPD_SCHED_TASK_LONGRUNTIME: : exe ran for 7309(5049)", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 0, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "ceroinBC.exe", - "process.pid": 6713, - "rsa.counters.dclass_c1": 7309, - "rsa.counters.dclass_c2": 5049, - "rsa.internal.event_desc": "task extended runtime", - "rsa.internal.messageid": "RPD_SCHED_TASK_LONGRUNTIME", - "rsa.misc.client": ": exe", - "rsa.misc.event_type": "RPD_SCHED_TASK_LONGRUNTIME", - "rsa.misc.pid": "6713", - "rsa.time.day": "29", - "rsa.time.month": "Jan", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "llu", - "event.code": "DCD_FILTER_LIB_ERROR", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Feb 12 13:12:33 DCD_FILTER_LIB_ERROR message repeated [7608]: llu: Filter library initialization failed", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 89, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "DCD_FILTER_LIB_ERROR message repeated", - "process.pid": 7608, - "rsa.internal.event_desc": "Filter library initialization failed", - "rsa.internal.messageid": "DCD_FILTER_LIB_ERROR", - "rsa.misc.event_type": "llu", - "rsa.time.day": "12", - "rsa.time.month": "Feb", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "cancel", - "event.code": "MIB2D_TRAP_SEND_FAILURE", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Feb 26 20:15:08 MIB2D_TRAP_SEND_FAILURE: restart [6747]: sum: uaerat: cancel: success", - 
"fileset.name": "junos", - "input.type": "log", - "log.offset": 193, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "MIB2D_TRAP_SEND_FAILURE: restart", - "process.pid": 6747, - "rsa.internal.event_desc": "MIB2D TRAP SEND FAILURE", - "rsa.internal.messageid": "MIB2D_TRAP_SEND_FAILURE", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.event_type": "sum", - "rsa.misc.result": "success", - "rsa.time.day": "26", - "rsa.time.month": "Feb", - "service.name": "uaerat", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.code": "node", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Mar 12 03:17:42 seq olorema6148.www.localdomain: fug5500.www.domain IFP trace> node: dqu", - "fileset.name": "junos", - "host.name": "fug5500.www.domain", - "input.type": "log", - "log.offset": 279, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "trace> node", - "related.hosts": [ - "fug5500.www.domain" - ], - "rsa.db.index": "dqu", - "rsa.internal.messageid": "node", - "rsa.misc.node": "IFP", - "rsa.network.alias_host": [ - "fug5500.www.domain" - ], - "rsa.time.day": "12", - "rsa.time.month": "Mar", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.code": "[7400]", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Mar 26 10:20:16 ssb SNMPD_CONTEXT_ERROR: [7400]: emq: isiu: success in 6237 context 5367", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 368, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "[7400]", - "rsa.time.day": "26", - "rsa.time.month": "Mar", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "ionul", - "event.code": 
"RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Apr 9 17:22:51 RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED: restart [7618]: ionul: ifl : nibus, unknown", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 457, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED: restart", - "process.pid": 7618, - "rsa.internal.event_desc": "KRT IFL CELL RELAY MODE UNSPECIFIED", - "rsa.internal.messageid": "RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", - "rsa.misc.client": "nibus", - "rsa.misc.event_type": "ionul", - "rsa.misc.result": "unknown", - "rsa.time.day": "9", - "rsa.time.month": "Apr", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "ume", - "event.code": "CHASSISD_SNMP_TRAP10", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Apr 24 00:25:25 CHASSISD_SNMP_TRAP10 message repeated [1284]: ume: SNMP trap: failure: ono", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 557, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "CHASSISD_SNMP_TRAP10 message repeated", - "process.pid": 1284, - "rsa.db.index": "ono", - "rsa.internal.event_desc": "SNMP trap - FRU power on", - "rsa.internal.messageid": "CHASSISD_SNMP_TRAP10", - "rsa.misc.event_type": "ume", - "rsa.misc.result": "failure", - "rsa.time.day": "24", - "rsa.time.month": "Apr", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "RPD_KRT_IFL_CELL_RELAY_MODE_INVALID:", - "event.code": "RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "May 8 07:27:59 sunt prehen6218.www.localhost: onse.exe[254]: RPD_KRT_IFL_CELL_RELAY_MODE_INVALID: : ifl : 
inibusBo, failure", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 648, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "onse.exe", - "process.pid": 254, - "rsa.internal.event_desc": "KRT IFL CELL RELAY MODE INVALID", - "rsa.internal.messageid": "RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", - "rsa.misc.client": "inibusBo", - "rsa.misc.event_type": "RPD_KRT_IFL_CELL_RELAY_MODE_INVALID:", - "rsa.misc.result": "failure", - "rsa.time.day": "8", - "rsa.time.month": "May", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "SNMPD_USER_ERROR", - "event.code": "SNMPD_USER_ERROR", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "May 22 14:30:33 iamquis quirat6972.www5.lan: isc.exe[3237]: SNMPD_USER_ERROR: : conseq: unknown in 6404 user 'atiset' 4068", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 772, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "isc.exe", - "process.pid": 3237, - "related.user": [ - "atiset" - ], - "rsa.counters.dclass_c1": 6404, - "rsa.counters.dclass_c2": 4068, - "rsa.internal.event_desc": "SNMPD USER ERROR", - "rsa.internal.messageid": "SNMPD_USER_ERROR", - "rsa.misc.event_type": "SNMPD_USER_ERROR", - "rsa.misc.result": "conseq: unknown", - "rsa.time.day": "22", - "rsa.time.month": "May", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ], - "user.name": "atiset" - }, - { - "event.code": "[4621]", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Jun 5 21:33:08 fpc9 RPD_TASK_REINIT: [4621]: lita: Reinitializing", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 895, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "[4621]", - "rsa.time.day": "5", - 
"rsa.time.month": "Jun", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.code": "[2227]", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Jun 20 04:35:42 fpc4 LOGIN_FAILED: [2227]: oinBC: Login failed for user quameius from host ipsumdol4488.api.localdomain", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 961, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "[2227]", - "rsa.time.day": "20", - "rsa.time.month": "Jun", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "aper", - "event.code": "NASD_PPP_SEND_PARTIAL", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Jul 4 11:38:16 NASD_PPP_SEND_PARTIAL: restart [3994]: aper: Unable to send all of message: santiumd", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 1081, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "NASD_PPP_SEND_PARTIAL: restart", - "process.pid": 3994, - "rsa.internal.event_desc": "Unable to send all of message", - "rsa.internal.messageid": "NASD_PPP_SEND_PARTIAL", - "rsa.misc.event_type": "aper", - "rsa.misc.result_code": "santiumd", - "rsa.time.day": "4", - "rsa.time.month": "Jul", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "temqu", - "event.code": "UI_COMMIT_AT_FAILED", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Jul 18 18:40:50 UI_COMMIT_AT_FAILED message repeated [7440]: temqu: success, minimav", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 1181, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "UI_COMMIT_AT_FAILED message repeated", - "process.pid": 7440, - 
"rsa.db.index": "minimav", - "rsa.internal.event_desc": "User commit failed", - "rsa.internal.messageid": "UI_COMMIT_AT_FAILED", - "rsa.misc.event_type": "temqu", - "rsa.misc.result": "success", - "rsa.time.day": "18", - "rsa.time.month": "Jul", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "BOOTPD_NEW_CONF:", - "event.code": "BOOTPD_NEW_CONF", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Aug 2 01:43:25 rnatur ofdeFin7811.lan: emipsumd.exe[5020]: BOOTPD_NEW_CONF: : New configuration installed", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 1266, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "emipsumd.exe", - "process.pid": 5020, - "rsa.internal.event_desc": "New configuration installed", - "rsa.internal.messageid": "BOOTPD_NEW_CONF", - "rsa.misc.event_type": "BOOTPD_NEW_CONF:", - "rsa.time.day": "2", - "rsa.time.month": "Aug", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "onemulla", - "event.code": "RPD_RIP_JOIN_MULTICAST", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Aug 16 08:45:59 RPD_RIP_JOIN_MULTICAST message repeated [60]: onemulla: Unable to join multicast group enp0s4292: unknown", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 1372, - "network.interface.name": "enp0s4292", - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "RPD_RIP_JOIN_MULTICAST message repeated", - "process.pid": 60, - "rsa.internal.event_desc": "RIP - Unable to join multicast group", - "rsa.internal.messageid": "RPD_RIP_JOIN_MULTICAST", - "rsa.misc.event_type": "onemulla", - "rsa.misc.result": "unknown", - "rsa.network.interface": "enp0s4292", - "rsa.time.day": "16", - "rsa.time.month": "Aug", - "service.type": "juniper", - 
"tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "xea", - "event.code": "FSAD_TERMINATED_CONNECTION", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Aug 30 15:48:33 FSAD_TERMINATED_CONNECTION: restart [6703]: xea: Open file ites` closed due to unknown", - "file.name": "ites", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 1494, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "FSAD_TERMINATED_CONNECTION: restart", - "process.pid": 6703, - "rsa.internal.event_desc": "FSAD TERMINATED CONNECTION", - "rsa.internal.messageid": "FSAD_TERMINATED_CONNECTION", - "rsa.misc.event_type": "xea", - "rsa.misc.result": "unknown", - "rsa.time.day": "30", - "rsa.time.month": "Aug", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "eri", - "event.code": "RPD_KRT_IFL_GENERATION", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Sep 13 22:51:07 RPD_KRT_IFL_GENERATION message repeated [5539]: eri: ifl lo2169 generation mismatch -- unknown", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 1597, - "network.interface.name": "lo2169", - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "RPD_KRT_IFL_GENERATION message repeated", - "process.pid": 5539, - "rsa.internal.event_desc": "ifl generation mismatch", - "rsa.internal.messageid": "RPD_KRT_IFL_GENERATION", - "rsa.misc.event_type": "eri", - "rsa.misc.result": "unknown", - "rsa.network.interface": "lo2169", - "rsa.time.day": "13", - "rsa.time.month": "Sep", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.code": "[3453]", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Sep 28 05:53:42 cfeb UI_COMMIT_ROLLBACK_FAILED: [3453]: avolu: Automatic 
rollback failed", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 1708, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "[3453]", - "rsa.time.day": "28", - "rsa.time.month": "Sep", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "RMOPD_usage", - "event.code": "RMOPD_usage", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Oct 12 12:56:16 mquisn.exe[3993]: RMOPD_usage : failure: midest", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 1797, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "mquisn.exe", - "process.pid": 3993, - "rsa.db.index": "midest", - "rsa.internal.event_desc": "RMOPD usage", - "rsa.internal.messageid": "RMOPD_usage", - "rsa.misc.event_type": "RMOPD_usage", - "rsa.misc.pid": "3993", - "rsa.misc.result": "failure", - "rsa.time.day": "12", - "rsa.time.month": "Oct", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "RPD_ISIS_LSPCKSUM:", - "event.code": "tasun", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Oct 26 19:58:50 undeomni.exe[4938]: RPD_ISIS_LSPCKSUM: : IS-IS 715 LSP checksum error, interface enp0s1965, LSP id tasun, sequence 3203, checksum eratv, lifetime ipsa", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 1861, - "network.interface.name": "enp0s1965", - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "undeomni.exe", - "process.pid": 4938, - "rsa.counters.dclass_c1": 715, - "rsa.counters.dclass_c2": 3203, - "rsa.internal.event_desc": "IS-IS LSP checksum error on iterface", - "rsa.internal.messageid": "RPD_ISIS_LSPCKSUM", - "rsa.misc.event_type": "RPD_ISIS_LSPCKSUM:", - "rsa.misc.pid": "4938", - 
"rsa.misc.reference_id": "tasun", - "rsa.misc.result_code": "eratv", - "rsa.network.interface": "enp0s1965", - "rsa.time.day": "26", - "rsa.time.month": "Oct", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "VPN", - "event.code": "kmd", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Nov 10 03:01:24 kmd: restart ", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 2028, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "kmd", - "rsa.misc.event_type": "VPN", - "rsa.time.day": "10", - "rsa.time.month": "Nov", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "destination.address": "erspi4926.www5.test", - "event.action": "LOGIN_FAILED:", - "event.code": "LOGIN_FAILED", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Nov 24 10:03:59 ever.exe[6463]: LOGIN_FAILED: : Login failed for user atq from host erspi4926.www5.test", - "event.outcome": "failure", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 2058, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "ever.exe", - "process.pid": 6463, - "related.hosts": [ - "erspi4926.www5.test" - ], - "related.user": [ - "atq" - ], - "rsa.internal.event_desc": "Login failure", - "rsa.internal.messageid": "LOGIN_FAILED", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.event_type": "LOGIN_FAILED:", - "rsa.misc.pid": "6463", - "rsa.network.host_dst": "erspi4926.www5.test", - "rsa.time.day": "24", - "rsa.time.month": "Nov", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ], - "user.name": "atq" - }, - { - "event.action": 
"iadese", - "event.code": "CHASSISD_MBUS_ERROR", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Dec 8 17:06:33 CHASSISD_MBUS_ERROR message repeated [72]: iadese: nisiu imad: management bus failed sanity test", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 2162, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "CHASSISD_MBUS_ERROR message repeated", - "process.pid": 72, - "rsa.internal.event_desc": "management bus failed sanity test", - "rsa.internal.messageid": "CHASSISD_MBUS_ERROR", - "rsa.misc.event_type": "iadese", - "rsa.misc.result_code": "imad", - "rsa.time.day": "8", - "rsa.time.month": "Dec", - "service.name": "nisiu", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "TFTPD_NAK_ERR", - "event.code": "TFTPD_NAK_ERR", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Dec 23 00:09:07 niamquis.exe[1471]: TFTPD_NAK_ERR : nak error ptatems, 357", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 2274, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "niamquis.exe", - "process.pid": 1471, - "rsa.counters.dclass_c1": 357, - "rsa.internal.event_desc": "TFTPD NAK ERROR", - "rsa.internal.messageid": "TFTPD_NAK_ERR", - "rsa.misc.event_type": "TFTPD_NAK_ERR", - "rsa.misc.pid": "1471", - "rsa.misc.result_code": "ptatems", - "rsa.time.day": "23", - "rsa.time.month": "Dec", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "atqu", - "event.code": "UI_DUPLICATE_UID", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Jan 6 07:11:41 UI_DUPLICATE_UID: restart [3350]: atqu: Users naturau have the same UID olorsita", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 2349, - 
"observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "UI_DUPLICATE_UID: restart", - "process.pid": 3350, - "related.user": [ - "naturau", - "olorsita" - ], - "rsa.internal.event_desc": "Users have the same UID", - "rsa.internal.messageid": "UI_DUPLICATE_UID", - "rsa.misc.event_type": "atqu", - "rsa.time.day": "6", - "rsa.time.month": "Jan", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ], - "user.name": "naturau" - }, - { - "event.action": "TFTPD_CREATE_ERR:", - "event.code": "TFTPD_CREATE_ERR", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Jan 20 14:14:16 piscivel.exe[4753]: TFTPD_CREATE_ERR: : check_space unknown", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 2445, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "piscivel.exe", - "process.pid": 4753, - "rsa.internal.event_desc": "TFTPD CREATE ERROR", - "rsa.internal.messageid": "TFTPD_CREATE_ERR", - "rsa.misc.event_type": "TFTPD_CREATE_ERR:", - "rsa.misc.pid": "4753", - "rsa.misc.result": "unknown", - "rsa.time.day": "20", - "rsa.time.month": "Jan", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.code": "[1269]", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Feb 3 21:16:50 fpc4 RPD_START: [1269]: riat: Start 181 version version built 7425", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 2521, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "[1269]", - "rsa.time.day": "3", - "rsa.time.month": "Feb", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Feb 18 04:19:24 fpc2 COSMAN: : uptasnul: delete class_to_ifl 
table 2069, ifl 3693", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 2603, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "rsa.time.day": "18", - "rsa.time.month": "Feb", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", - "event.code": "SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Mar 4 11:21:59 orum oinBCSed3073.www.lan: ilm.exe[3193]: SNMPD_TRAP_QUEUE_MAX_ATTEMPTS: : fugiatqu: after 4003 attempts, deleting 4568 traps queued to exercita", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 2685, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "ilm.exe", - "process.pid": 3193, - "rsa.counters.dclass_c1": 4003, - "rsa.counters.dclass_c2": 4568, - "rsa.internal.event_desc": "SNMPD TRAP QUEUE MAX_ATTEMPTS - deleting some traps", - "rsa.internal.messageid": "SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", - "rsa.misc.client": ": fugiatqu", - "rsa.misc.event_type": "SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", - "rsa.misc.obj_name": "exercita", - "rsa.time.day": "4", - "rsa.time.month": "Mar", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "ntut", - "event.code": "TFTPD_BIND_ERR", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Mar 18 18:24:33 TFTPD_BIND_ERR: restart [1431]: ntut: bind: failure", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 2845, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "TFTPD_BIND_ERR: restart", - "process.pid": 1431, - "rsa.internal.event_desc": "TFTPD BIND ERROR", - "rsa.internal.messageid": "TFTPD_BIND_ERR", - "rsa.misc.event_type": "ntut", - "rsa.misc.result": "failure", - "rsa.time.day": 
"18", - "rsa.time.month": "Mar", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "destination.ip": "10.88.126.165", - "event.action": "RPD_LDP_SESSIONDOWN:", - "event.code": "RPD_LDP_SESSIONDOWN", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Apr 2 01:27:07 lite ugia517.api.host: doei.exe[7073]: RPD_LDP_SESSIONDOWN: : LDP session 10.88.126.165 is down, failure", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 2913, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "doei.exe", - "process.pid": 7073, - "related.ip": [ - "10.88.126.165" - ], - "rsa.internal.event_desc": "LDP session down", - "rsa.internal.messageid": "RPD_LDP_SESSIONDOWN", - "rsa.misc.event_type": "RPD_LDP_SESSIONDOWN:", - "rsa.misc.result": "failure", - "rsa.time.day": "2", - "rsa.time.month": "Apr", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.code": "[180]", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Apr 16 08:29:41 fpc6 SNMPD_CONTEXT_ERROR: [180]: eturadip: ent: unknown in 5848 context 316", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 3033, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "[180]", - "rsa.time.day": "16", - "rsa.time.month": "Apr", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "iumdo", - "event.code": "NASD_CHAP_INVALID_CHAP_IDENTIFIER", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Apr 30 15:32:16 NASD_CHAP_INVALID_CHAP_IDENTIFIER message repeated [796]: iumdo: lo2721: received aturv expected CHAP ID: ectetura", - "file.name": "aturv", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 3125, - "network.interface.name": 
"lo2721", - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "NASD_CHAP_INVALID_CHAP_IDENTIFIER message repeated", - "process.pid": 796, - "rsa.internal.event_desc": "CHAP INVALID_CHAP IDENTIFIER", - "rsa.internal.messageid": "NASD_CHAP_INVALID_CHAP_IDENTIFIER", - "rsa.misc.event_type": "iumdo", - "rsa.misc.result_code": "ectetura", - "rsa.network.interface": "lo2721", - "rsa.time.day": "30", - "rsa.time.month": "Apr", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "allow", - "event.code": "UI_LOAD_EVENT", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "May 14 22:34:50 UI_LOAD_EVENT message repeated [6342]: seq: User 'moll' is performing a 'allow'", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 3256, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "UI_LOAD_EVENT message repeated", - "process.pid": 6342, - "related.user": [ - "moll" - ], - "rsa.internal.event_desc": "User command", - "rsa.internal.messageid": "UI_LOAD_EVENT", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.event_type": "seq", - "rsa.time.day": "14", - "rsa.time.month": "May", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ], - "user.name": "moll" - }, - { - "event.action": "SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", - "event.code": "SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "May 29 05:37:24 fdeFin.exe[4053]: SNMP_TRAP_TRACE_ROUTE_TEST_FAILED : traceRouteCtlOwnerIndex = 1450, traceRouteCtlTestName = edic", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 3352, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "fdeFin.exe", - "process.pid": 4053, - "rsa.counters.dclass_c1": 1450, - 
"rsa.internal.event_desc": "SNMP TRAP TRACE ROUTE TEST FAILED", - "rsa.internal.messageid": "SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", - "rsa.misc.event_type": "SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", - "rsa.misc.obj_name": "edic", - "rsa.misc.pid": "4053", - "rsa.time.day": "29", - "rsa.time.month": "May", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "uae", - "event.code": "SNMPD_RTSLIB_ASYNC_EVENT", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Jun 12 12:39:58 SNMPD_RTSLIB_ASYNC_EVENT: restart [508]: uae: oremip: sequence mismatch failure", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 3483, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "SNMPD_RTSLIB_ASYNC_EVENT: restart", - "process.pid": 508, - "rsa.internal.event_desc": "sequence mismatch", - "rsa.internal.messageid": "SNMPD_RTSLIB_ASYNC_EVENT", - "rsa.misc.client": "oremip", - "rsa.misc.event_type": "uae", - "rsa.misc.result": "failure", - "rsa.time.day": "12", - "rsa.time.month": "Jun", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "BOOTPD_TIMEOUT:", - "event.code": "BOOTPD_TIMEOUT", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Jun 26 19:42:33 tesse olupta2743.internal.localdomain: ine.exe[3181]: BOOTPD_TIMEOUT: : Timeout success unreasonable", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 3579, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "ine.exe", - "process.pid": 3181, - "rsa.internal.event_desc": "timeout unreasonable", - "rsa.internal.messageid": "BOOTPD_TIMEOUT", - "rsa.misc.event_type": "BOOTPD_TIMEOUT:", - "rsa.misc.result": "success", - "rsa.time.day": "26", - "rsa.time.month": "Jun", - "service.type": "juniper", - "tags": [ - "forwarded", - 
"juniper.junos" - ] - }, - { - "event.action": "abore", - "event.code": "NASD_RADIUS_MESSAGE_UNEXPECTED", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Jul 11 02:45:07 NASD_RADIUS_MESSAGE_UNEXPECTED message repeated [33]: abore: Unknown response from RADIUS server: unknown", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 3696, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "NASD_RADIUS_MESSAGE_UNEXPECTED message repeated", - "process.pid": 33, - "rsa.internal.event_desc": "Unknown response from RADIUS server", - "rsa.internal.messageid": "NASD_RADIUS_MESSAGE_UNEXPECTED", - "rsa.misc.event_type": "abore", - "rsa.misc.result": "unknown", - "rsa.time.day": "11", - "rsa.time.month": "Jul", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "illum", - "event.code": "PWC_LOCKFILE_BAD_FORMAT", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Jul 25 09:47:41 PWC_LOCKFILE_BAD_FORMAT: restart [3426]: illum: PID lock file has bad format: eprehe", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 3818, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "PWC_LOCKFILE_BAD_FORMAT: restart", - "process.pid": 3426, - "rsa.internal.event_desc": "PID lock file has bad format", - "rsa.internal.messageid": "PWC_LOCKFILE_BAD_FORMAT", - "rsa.misc.client": "eprehe", - "rsa.misc.event_type": "illum", - "rsa.time.day": "25", - "rsa.time.month": "Jul", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "RPD_KRT_AFUNSUPRT", - "event.code": "RPD_KRT_AFUNSUPRT", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Aug 8 16:50:15 snostr.exe[1613]: RPD_KRT_AFUNSUPRT : tec: received itaspe message with unsupported address 
family 4176", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 3919, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "snostr.exe", - "process.pid": 1613, - "rsa.counters.dclass_c1": 4176, - "rsa.internal.event_desc": "message with unsupported address family received", - "rsa.internal.messageid": "RPD_KRT_AFUNSUPRT", - "rsa.misc.client": "itaspe", - "rsa.misc.event_type": "RPD_KRT_AFUNSUPRT", - "rsa.misc.pid": "1613", - "rsa.misc.result_code": "tec", - "rsa.time.day": "8", - "rsa.time.month": "Aug", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "PWC_PROCESS_FORCED_HOLD", - "event.code": "PWC_PROCESS_FORCED_HOLD", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Aug 22 23:52:50 oreeufug.exe[6086]: PWC_PROCESS_FORCED_HOLD : Process plicaboN forcing hold down of child 619 until signal", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 4038, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "oreeufug.exe", - "process.pid": 6086, - "rsa.internal.event_desc": "Process forcing hold down of child until signalled", - "rsa.internal.messageid": "PWC_PROCESS_FORCED_HOLD", - "rsa.misc.client": "plicaboN", - "rsa.misc.event_type": "PWC_PROCESS_FORCED_HOLD", - "rsa.misc.pid": "6086", - "rsa.time.day": "22", - "rsa.time.month": "Aug", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "tiu", - "event.code": "MIB2D_IFL_IFINDEX_FAILURE", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Sep 6 06:55:24 MIB2D_IFL_IFINDEX_FAILURE message repeated [4115]: tiu: SNMP index assigned to wri changed from 3902 to unknown", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 4161, - "observer.product": "Junos", - "observer.type": "Routers", - 
"observer.vendor": "Juniper", - "process.name": "MIB2D_IFL_IFINDEX_FAILURE message repeated", - "process.pid": 4115, - "related.user": [ - "wri" - ], - "rsa.counters.dclass_c1": 3902, - "rsa.internal.event_desc": "SNMP index assigned changed", - "rsa.internal.messageid": "MIB2D_IFL_IFINDEX_FAILURE", - "rsa.misc.event_type": "tiu", - "rsa.misc.result": "unknown", - "rsa.time.day": "6", - "rsa.time.month": "Sep", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ], - "user.name": "wri" - }, - { - "event.action": "UI_DBASE_MISMATCH_MAJOR:", - "event.code": "UI_DBASE_MISMATCH_MAJOR", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Sep 20 13:57:58 mwr cia5990.api.localdomain: pitlabo.exe[3498]: UI_DBASE_MISMATCH_MAJOR: : Database header major version number mismatch for file 'ende': expecting 6053, got 4884", - "file.name": "ende", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 4288, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "pitlabo.exe", - "process.pid": 3498, - "rsa.counters.dclass_c1": 6053, - "rsa.counters.dclass_c2": 4884, - "rsa.internal.event_desc": "Database header major version number mismatch", - "rsa.internal.messageid": "UI_DBASE_MISMATCH_MAJOR", - "rsa.misc.event_type": "UI_DBASE_MISMATCH_MAJOR:", - "rsa.time.day": "20", - "rsa.time.month": "Sep", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "SNMPD_VIEW_INSTALL_DEFAULT", - "event.code": "SNMPD_VIEW_INSTALL_DEFAULT", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Oct 4 21:00:32 iuntN utfugi851.www5.invalid: nul.exe[1005]: SNMPD_VIEW_INSTALL_DEFAULT: : eetdo: success installing default 1243 view 5146", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 4467, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": 
"Juniper", - "process.name": "nul.exe", - "process.pid": 1005, - "rsa.counters.dclass_c1": 1243, - "rsa.counters.dclass_c2": 5146, - "rsa.internal.event_desc": "installing default SNMP view", - "rsa.internal.messageid": "SNMPD_VIEW_INSTALL_DEFAULT", - "rsa.misc.event_type": "SNMPD_VIEW_INSTALL_DEFAULT", - "rsa.misc.result": "eetdo: success", - "rsa.time.day": "4", - "rsa.time.month": "Oct", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "uptatem", - "event.code": "DCD_PARSE_STATE_EMERGENCY", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Oct 19 04:03:07 DCD_PARSE_STATE_EMERGENCY message repeated [2498]: uptatem: An unhandled state was encountered during interface parsing", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 4606, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "DCD_PARSE_STATE_EMERGENCY message repeated", - "process.pid": 2498, - "rsa.internal.event_desc": "unhandled state was encountered during interface parsing", - "rsa.internal.messageid": "DCD_PARSE_STATE_EMERGENCY", - "rsa.misc.event_type": "uptatem", - "rsa.time.day": "19", - "rsa.time.month": "Oct", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "LOGIN_PAM_MAX_RETRIES:", - "event.code": "LOGIN_PAM_MAX_RETRIES", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Nov 2 11:05:41 loremagn acons3820.internal.home: ain.exe[7192]: LOGIN_PAM_MAX_RETRIES: : Too many retries while authenticating user iquipex", - "event.outcome": "failure", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 4742, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "ain.exe", - "process.pid": 7192, - "related.user": [ - "iquipex" - ], - "rsa.internal.event_desc": "Login failure", - 
"rsa.internal.messageid": "LOGIN_PAM_MAX_RETRIES", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.event_type": "LOGIN_PAM_MAX_RETRIES:", - "rsa.misc.result": "Too many retries while authenticating user", - "rsa.time.day": "2", - "rsa.time.month": "Nov", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ], - "user.name": "iquipex" - }, - { - "event.action": "BOOTPD_NO_BOOTSTRING", - "event.code": "BOOTPD_NO_BOOTSTRING", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Nov 16 18:08:15 onorume.exe[3290]: BOOTPD_NO_BOOTSTRING : No boot string found for type veleu", - "file.name": "veleu", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 4882, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "onorume.exe", - "process.pid": 3290, - "rsa.internal.event_desc": "No boot string found", - "rsa.internal.messageid": "BOOTPD_NO_BOOTSTRING", - "rsa.misc.event_type": "BOOTPD_NO_BOOTSTRING", - "rsa.misc.pid": "3290", - "rsa.time.day": "16", - "rsa.time.month": "Nov", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.code": "sshd", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Dec 1 01:10:49 eirured sequamn5243.mail.home: sshd: sshd: SSHD_LOGIN_FAILED: Login failed for user 'ciatisun' from host '10.252.209.246'.", - "event.outcome": "failure", - "fileset.name": "junos", - "host.ip": "10.252.209.246", - "input.type": "log", - "log.offset": 4976, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "sshd", - "related.ip": [ - "10.252.209.246" - ], - "related.user": [ - "ciatisun" - ], - "rsa.internal.event_desc": "Login failed for user", - 
"rsa.internal.messageid": "sshd", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_theme": "Authentication", - "rsa.time.day": "1", - "rsa.time.month": "Dec", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ], - "user.name": "ciatisun" - }, - { - "event.code": "COS", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Dec 15 08:13:24 COS: restart : Received FC->Q map, caecat", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 5114, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "COS: restart", - "rsa.db.index": "caecat", - "rsa.internal.event_desc": "Received FC Q map", - "rsa.internal.messageid": "COS", - "rsa.time.day": "15", - "rsa.time.month": "Dec", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "nvolupta", - "event.code": "cgatool", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Dec 29 15:15:58 cgatool message repeated : nvolupta: generated address is success", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 5172, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "cgatool message repeated", - "rsa.internal.event_desc": "cga address genration", - "rsa.internal.messageid": "cgatool", - "rsa.misc.event_type": "nvolupta", - "rsa.misc.result": "success", - "rsa.time.day": "29", - "rsa.time.month": "Dec", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "idolor", - "event.code": "CHASSISD_SNMP_TRAP6", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Jan 12 22:18:32 CHASSISD_SNMP_TRAP6 message repeated [4667]: idolor: SNMP trap generated: success (les)", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 5254, - 
"observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "CHASSISD_SNMP_TRAP6 message repeated", - "process.pid": 4667, - "rsa.db.index": "les", - "rsa.internal.event_desc": "SNMP Trap6 generated", - "rsa.internal.messageid": "CHASSISD_SNMP_TRAP6", - "rsa.misc.event_type": "idolor", - "rsa.misc.result": "success", - "rsa.time.day": "12", - "rsa.time.month": "Jan", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Jan 27 05:21:06 ssb FLOW_REASSEMBLE_SUCCEED: : Packet merged source 10.102.228.136 destination 10.151.136.250 ipid upt succeed", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 5358, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "rsa.time.day": "27", - "rsa.time.month": "Jan", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "serrorsi", - "event.code": "DFWD_PARSE_FILTER_EMERGENCY", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Feb 10 12:23:41 DFWD_PARSE_FILTER_EMERGENCY message repeated [2037]: serrorsi: tsedquia encountered errors while parsing filter index file", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 5485, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "DFWD_PARSE_FILTER_EMERGENCY message repeated", - "process.pid": 2037, - "rsa.internal.event_desc": "errors encountered while parsing filter index file", - "rsa.internal.messageid": "DFWD_PARSE_FILTER_EMERGENCY", - "rsa.misc.event_type": "serrorsi", - "rsa.time.day": "10", - "rsa.time.month": "Feb", - "service.name": "tsedquia", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "destination.ip": "10.148.255.126", - "event.action": 
"RPD_LDP_SESSIONDOWN:", - "event.code": "RPD_LDP_SESSIONDOWN", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Feb 24 19:26:15 remips laboreet5949.mail.test: tesse.exe[4358]: RPD_LDP_SESSIONDOWN: : LDP session 10.148.255.126 is down, unknown", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 5624, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "tesse.exe", - "process.pid": 4358, - "related.ip": [ - "10.148.255.126" - ], - "rsa.internal.event_desc": "LDP session down", - "rsa.internal.messageid": "RPD_LDP_SESSIONDOWN", - "rsa.misc.event_type": "RPD_LDP_SESSIONDOWN:", - "rsa.misc.result": "unknown", - "rsa.time.day": "24", - "rsa.time.month": "Feb", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.code": "[mipsumqu]", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Mar 11 02:28:49 fpc2 NASD_CHAP_REPLAY_ATTACK_DETECTED: [mipsumqu]: turad: eth680.6195: received doloremi unknown.iciatis", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 5755, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "[mipsumqu]", - "rsa.time.day": "11", - "rsa.time.month": "Mar", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.code": "lsys_ssam_handler", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Mar 25 09:31:24 rema mcol7795.domain: mquis lsys_ssam_handler: : processing lsys root-logical-system tur", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 5876, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "lsys_ssam_handler:", - "rsa.db.index": "tur", - "rsa.internal.event_desc": "processing lsys root-logical-system", - 
"rsa.internal.messageid": "lsys_ssam_handler", - "rsa.misc.node": "mquis", - "rsa.time.day": "25", - "rsa.time.month": "Mar", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "loreeuf", - "event.code": "UI_LOST_CONN", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Apr 8 16:33:58 UI_LOST_CONN message repeated [7847]: loreeuf: Lost connection to daemon orainci", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 5981, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "UI_LOST_CONN message repeated", - "process.pid": 7847, - "rsa.internal.event_desc": "Lost connection to daemon", - "rsa.internal.messageid": "UI_LOST_CONN", - "rsa.misc.client": "orainci", - "rsa.misc.event_type": "loreeuf", - "rsa.time.day": "8", - "rsa.time.month": "Apr", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "itse", - "event.code": "PWC_PROCESS_HOLD", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Apr 22 23:36:32 PWC_PROCESS_HOLD: restart [1791]: itse: Process lapari holding down child 2702 until signal", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 6077, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "PWC_PROCESS_HOLD: restart", - "process.pid": 1791, - "rsa.internal.event_desc": "Process holding down child until signalled", - "rsa.internal.messageid": "PWC_PROCESS_HOLD", - "rsa.misc.client": "lapari", - "rsa.misc.event_type": "itse", - "rsa.time.day": "22", - "rsa.time.month": "Apr", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "LIBSERVICED_SOCKET_BIND", - "event.code": "LIBSERVICED_SOCKET_BIND", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "May 
7 06:39:06 undeo ficiade4365.mail.domain: norum.exe[4443]: LIBSERVICED_SOCKET_BIND: : dantium: unable to bind socket ors: failure", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 6185, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "norum.exe", - "process.pid": 4443, - "rsa.internal.event_desc": "unable to bind socket", - "rsa.internal.messageid": "LIBSERVICED_SOCKET_BIND", - "rsa.misc.event_type": "LIBSERVICED_SOCKET_BIND", - "rsa.misc.result": "failure", - "rsa.misc.result_code": ": dantium", - "rsa.time.day": "7", - "rsa.time.month": "May", - "rsa.wireless.wlan_ssid": "ors", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "destination.address": "mSect5899.domain", - "event.action": "LOGIN_FAILED:", - "event.code": "LOGIN_FAILED", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "May 21 13:41:41 liq eleumiu2852.lan: mfugiat.exe[3946]: LOGIN_FAILED: : Login failed for user olu from host mSect5899.domain", - "event.outcome": "failure", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 6319, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "mfugiat.exe", - "process.pid": 3946, - "related.hosts": [ - "mSect5899.domain" - ], - "related.user": [ - "olu" - ], - "rsa.internal.event_desc": "Login failure", - "rsa.internal.messageid": "LOGIN_FAILED", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.event_type": "LOGIN_FAILED:", - "rsa.network.host_dst": "mSect5899.domain", - "rsa.time.day": "21", - "rsa.time.month": "May", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ], - "user.name": "olu" - }, - { - "event.action": "MIB2D_IFL_IFINDEX_FAILURE:", - "event.code": 
"MIB2D_IFL_IFINDEX_FAILURE", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Jun 4 20:44:15 idolo.exe[6535]: MIB2D_IFL_IFINDEX_FAILURE: : SNMP index assigned to deseru changed from 6460 to unknown", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 6444, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "idolo.exe", - "process.pid": 6535, - "related.user": [ - "deseru" - ], - "rsa.counters.dclass_c1": 6460, - "rsa.internal.event_desc": "SNMP index assigned changed", - "rsa.internal.messageid": "MIB2D_IFL_IFINDEX_FAILURE", - "rsa.misc.event_type": "MIB2D_IFL_IFINDEX_FAILURE:", - "rsa.misc.pid": "6535", - "rsa.misc.result": "unknown", - "rsa.time.day": "4", - "rsa.time.month": "Jun", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ], - "user.name": "deseru" - }, - { - "event.action": "CHASSISD_RELEASE_MASTERSHIP:", - "event.code": "CHASSISD_RELEASE_MASTERSHIP", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Jun 19 03:46:49 modtempo.exe[5276]: CHASSISD_RELEASE_MASTERSHIP: : Release mastership notification", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 6564, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "modtempo.exe", - "process.pid": 5276, - "rsa.internal.event_desc": "Release mastership notification", - "rsa.internal.messageid": "CHASSISD_RELEASE_MASTERSHIP", - "rsa.misc.event_type": "CHASSISD_RELEASE_MASTERSHIP:", - "rsa.misc.pid": "5276", - "rsa.time.day": "19", - "rsa.time.month": "Jun", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.code": "[3450]", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Jul 3 10:49:23 fpc4 PWC_PROCESS_HOLD: [3450]: dexea: Process aturExc holding down child 7343 until signal", - 
"fileset.name": "junos", - "input.type": "log", - "log.offset": 6663, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "[3450]", - "rsa.time.day": "3", - "rsa.time.month": "Jul", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "SERVICED_RTSOCK_SEQUENCE", - "event.code": "SERVICED_RTSOCK_SEQUENCE", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Jul 17 17:51:58 ame.exe[226]: SERVICED_RTSOCK_SEQUENCE : boreet: routing socket sequence error, unknown", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 6769, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "ame.exe", - "process.pid": 226, - "rsa.internal.event_desc": "routing socket sequence error", - "rsa.internal.messageid": "SERVICED_RTSOCK_SEQUENCE", - "rsa.misc.client": "boreet", - "rsa.misc.event_type": "SERVICED_RTSOCK_SEQUENCE", - "rsa.misc.pid": "226", - "rsa.misc.result": "unknown", - "rsa.time.day": "17", - "rsa.time.month": "Jul", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "VPN", - "event.code": "idpinfo", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Aug 1 00:54:32 consect6919.mail.localdomain iset.exe[940]: idpinfo: urere", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 6873, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "idpinfo", - "rsa.misc.event_type": "VPN", - "rsa.misc.pid": "940", - "rsa.time.day": "1", - "rsa.time.month": "Aug", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "oreeufug", - "event.code": "RPD_KRT_NOIFD", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Aug 
15 07:57:06 RPD_KRT_NOIFD: restart [4822]: oreeufug: No device 5020 for interface lo4593", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 6947, - "network.interface.name": "lo4593", - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "RPD_KRT_NOIFD: restart", - "process.pid": 4822, - "rsa.counters.dclass_c1": 5020, - "rsa.internal.event_desc": "No device for interface", - "rsa.internal.messageid": "RPD_KRT_NOIFD", - "rsa.misc.event_type": "oreeufug", - "rsa.network.interface": "lo4593", - "rsa.time.day": "15", - "rsa.time.month": "Aug", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "craftd:", - "event.code": "craftd", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Aug 29 14:59:40 eprehen oinB3432.api.invalid: citatio.exe[5029]: craftd: , unknown", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 7040, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "citatio.exe", - "process.pid": 5029, - "rsa.internal.event_desc": "License expiration warning", - "rsa.internal.messageid": "craftd", - "rsa.misc.event_type": "craftd:", - "rsa.misc.result": "unknown", - "rsa.time.day": "29", - "rsa.time.month": "Aug", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "eetd", - "event.code": "ACCT_CU_RTSLIB_error", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Sep 12 22:02:15 ACCT_CU_RTSLIB_error message repeated [7583]: eetd: liquide getting class usage statistics for interface enp0s2674: success", - "file.name": "liquide", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 7123, - "network.interface.name": "enp0s2674", - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - 
"process.name": "ACCT_CU_RTSLIB_error message repeated", - "process.pid": 7583, - "rsa.internal.event_desc": "Class usage statistics error for interface", - "rsa.internal.messageid": "ACCT_CU_RTSLIB_error", - "rsa.misc.event_type": "eetd", - "rsa.misc.result": "success", - "rsa.network.interface": "enp0s2674", - "rsa.time.day": "12", - "rsa.time.month": "Sep", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "VPN", - "event.code": "kmd", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Sep 27 05:04:49 userro oree nimadmi7341.www.home RT_FLOW - kmd [", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 7263, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "kmd", - "rsa.misc.event_type": "VPN", - "rsa.time.day": "27", - "rsa.time.month": "Sep", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "rauto", - "event.code": "LOGIN_PAM_NONLOCAL_USER", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Oct 11 12:07:23 LOGIN_PAM_NONLOCAL_USER: restart [686]: rauto: User rese authenticated but has no local login ID", - "event.outcome": "failure", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 7328, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "LOGIN_PAM_NONLOCAL_USER: restart", - "process.pid": 686, - "related.user": [ - "rese" - ], - "rsa.internal.event_desc": "Login failure", - "rsa.internal.messageid": "LOGIN_PAM_NONLOCAL_USER", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.event_type": "rauto", - "rsa.misc.result": "User authenticated but has no local login ID", - 
"rsa.time.day": "11", - "rsa.time.month": "Oct", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ], - "user.name": "rese" - }, - { - "event.action": "RPD_KRT_NOIFD", - "event.code": "RPD_KRT_NOIFD", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Oct 25 19:09:57 doconse.exe[6184]: RPD_KRT_NOIFD : No device 5991 for interface enp0s7694", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 7441, - "network.interface.name": "enp0s7694", - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "doconse.exe", - "process.pid": 6184, - "rsa.counters.dclass_c1": 5991, - "rsa.internal.event_desc": "No device for interface", - "rsa.internal.messageid": "RPD_KRT_NOIFD", - "rsa.misc.event_type": "RPD_KRT_NOIFD", - "rsa.misc.pid": "6184", - "rsa.network.interface": "enp0s7694", - "rsa.time.day": "25", - "rsa.time.month": "Oct", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.code": "uspinfo", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Nov 9 02:12:32 quidolor1064.www.domain: uspinfo: : flow_print_session_summary_output received rcita", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 7531, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "quidolor1064.www.domain: uspinfo:", - "rsa.db.index": "rcita", - "rsa.internal.event_desc": "flow_print_session_summary_output received", - "rsa.internal.messageid": "uspinfo", - "rsa.time.day": "9", - "rsa.time.month": "Nov", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "mfugi", - "event.code": "RPD_TASK_REINIT", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Nov 23 09:15:06 RPD_TASK_REINIT: restart [1810]: mfugi: Reinitializing", - "fileset.name": 
"junos", - "input.type": "log", - "log.offset": 7631, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "RPD_TASK_REINIT: restart", - "process.pid": 1810, - "rsa.internal.event_desc": "Reinitializing", - "rsa.internal.messageid": "RPD_TASK_REINIT", - "rsa.misc.event_type": "mfugi", - "rsa.time.day": "23", - "rsa.time.month": "Nov", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "allow", - "event.code": "ECCD_TRACE_FILE_OPEN_FAILED", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Dec 7 16:17:40 inibusBo.exe[2509]: ECCD_TRACE_FILE_OPEN_FAILED : allow: failure", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 7702, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "inibusBo.exe", - "process.pid": 2509, - "rsa.internal.event_desc": "ECCD TRACE FILE OPEN FAILURE", - "rsa.internal.messageid": "ECCD_TRACE_FILE_OPEN_FAILED", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.event_type": "ECCD_TRACE_FILE_OPEN_FAILED", - "rsa.misc.pid": "2509", - "rsa.misc.result": "failure", - "rsa.time.day": "7", - "rsa.time.month": "Dec", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "accept", - "event.code": "ECCD_TRACE_FILE_OPEN_FAILED", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Dec 21 23:20:14 ECCD_TRACE_FILE_OPEN_FAILED message repeated [2815]: rudexer: accept: unknown", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 7782, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "ECCD_TRACE_FILE_OPEN_FAILED message repeated", - "process.pid": 2815, - "rsa.internal.event_desc": "ECCD TRACE FILE OPEN FAILURE", - "rsa.internal.messageid": "ECCD_TRACE_FILE_OPEN_FAILED", - 
"rsa.misc.action": [ - "accept" - ], - "rsa.misc.event_type": "rudexer", - "rsa.misc.result": "unknown", - "rsa.time.day": "21", - "rsa.time.month": "Dec", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "destination.address": "tod6376.mail.host", - "event.action": "LOGIN_FAILED:", - "event.code": "LOGIN_FAILED", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Jan 5 06:22:49 eseosqu oeius641.api.home: laud.exe[913]: LOGIN_FAILED: : Login failed for user turQ from host tod6376.mail.host", - "event.outcome": "failure", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 7876, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "laud.exe", - "process.pid": 913, - "related.hosts": [ - "tod6376.mail.host" - ], - "related.user": [ - "turQ" - ], - "rsa.internal.event_desc": "Login failure", - "rsa.internal.messageid": "LOGIN_FAILED", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.event_type": "LOGIN_FAILED:", - "rsa.network.host_dst": "tod6376.mail.host", - "rsa.time.day": "5", - "rsa.time.month": "Jan", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ], - "user.name": "turQ" - }, - { - "event.action": "FSAD_CONNTIMEDOUT", - "event.code": "FSAD_CONNTIMEDOUT", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Jan 19 13:25:23 ine.exe[1578]: FSAD_CONNTIMEDOUT : Connection timed out to the client (oreve2538.www.localdomain, 10.44.24.103) having request type reprehen", - "fileset.name": "junos", - "host.hostname": "oreve2538.www.localdomain", - "input.type": "log", - "log.offset": 8004, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "ine.exe", - 
"process.pid": 1578, - "related.hosts": [ - "oreve2538.www.localdomain" - ], - "related.ip": [ - "10.44.24.103" - ], - "rsa.internal.event_desc": "Connection timed out to client", - "rsa.internal.messageid": "FSAD_CONNTIMEDOUT", - "rsa.misc.event_type": "FSAD_CONNTIMEDOUT", - "rsa.misc.obj_type": "reprehen", - "rsa.misc.pid": "1578", - "rsa.time.day": "19", - "rsa.time.month": "Jan", - "service.type": "juniper", - "source.address": "oreve2538.www.localdomain", - "source.ip": "10.44.24.103", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "rinre", - "event.code": "UI_SCHEMA_SEQUENCE_ERROR", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Feb 2 20:27:57 UI_SCHEMA_SEQUENCE_ERROR: restart [734]: rinre: Schema sequence number mismatch", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 8161, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "UI_SCHEMA_SEQUENCE_ERROR: restart", - "process.pid": 734, - "rsa.internal.event_desc": "Schema sequence number mismatch", - "rsa.internal.messageid": "UI_SCHEMA_SEQUENCE_ERROR", - "rsa.misc.event_type": "rinre", - "rsa.time.day": "2", - "rsa.time.month": "Feb", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "deny", - "event.code": "LIBJNX_EXEC_PIPE", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Feb 17 03:30:32 LIBJNX_EXEC_PIPE: restart [946]: olors: Unable to create pipes for command 'deny': unknown", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 8256, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "LIBJNX_EXEC_PIPE: restart", - "process.pid": 946, - "rsa.internal.event_desc": "Unable to create pipes for command", - "rsa.internal.messageid": "LIBJNX_EXEC_PIPE", - "rsa.misc.action": [ - "deny" - ], - 
"rsa.misc.event_type": "olors", - "rsa.misc.result": "unknown", - "rsa.time.day": "17", - "rsa.time.month": "Feb", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "isnost", - "event.code": "UI_DBASE_MISMATCH_EXTENT", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Mar 3 10:33:06 UI_DBASE_MISMATCH_EXTENT: restart [4686]: isnost: Database header extent mismatch for file 'lumdolor': expecting 559, got 7339", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 8363, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "UI_DBASE_MISMATCH_EXTENT: restart", - "process.pid": 4686, - "rsa.counters.dclass_c1": 559, - "rsa.counters.dclass_c2": 7339, - "rsa.internal.event_desc": "Database header extent mismatch", - "rsa.internal.messageid": "UI_DBASE_MISMATCH_EXTENT", - "rsa.misc.client": "lumdolor", - "rsa.misc.event_type": "isnost", - "rsa.time.day": "3", - "rsa.time.month": "Mar", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "eumfu", - "event.code": "NASD_usage", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Mar 17 17:35:40 NASD_usage message repeated [7744]: eumfu: unknown: quidex", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 8505, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "NASD_usage message repeated", - "process.pid": 7744, - "rsa.db.index": "quidex", - "rsa.internal.event_desc": "NASD Usage", - "rsa.internal.messageid": "NASD_usage", - "rsa.misc.event_type": "eumfu", - "rsa.misc.result": "unknown", - "rsa.time.day": "17", - "rsa.time.month": "Mar", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "VPN", - "event.code": "kmd", - "event.dataset": "juniper.junos", - 
"event.module": "juniper", - "event.original": "Apr 1 00:38:14 /kmd: ", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 8580, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "kmd", - "rsa.misc.event_type": "VPN", - "rsa.time.day": "1", - "rsa.time.month": "Apr", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.code": "sshd", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Apr 15 07:40:49 sshd message repeated : very-high: can't get client address: unknown", - "fileset.name": "junos", - "input.type": "log", - "log.level": "very-high", - "log.offset": 8602, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "sshd message repeated", - "rsa.internal.event_desc": "can't get client address", - "rsa.internal.messageid": "sshd", - "rsa.misc.result": "unknown", - "rsa.misc.severity": "very-high", - "rsa.time.day": "15", - "rsa.time.month": "Apr", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.code": "[4279]", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Apr 29 14:43:23 fpc4 RPD_LDP_NBRUP: [4279]: stlaboru: LDP neighbor 10.248.68.242 (eth1282) is success", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 8687, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "[4279]", - "rsa.time.day": "29", - "rsa.time.month": "Apr", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "SNMPD_TRAP_QUEUE_DRAINED", - "event.code": "SNMPD_TRAP_QUEUE_DRAINED", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "May 13 21:45:57 uun iduntutl4723.example: uel.exe[5770]: SNMPD_TRAP_QUEUE_DRAINED: : metco: 
traps queued to vel sent successfully", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 8789, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "uel.exe", - "process.pid": 5770, - "rsa.internal.event_desc": "traps queued - sent successfully", - "rsa.internal.messageid": "SNMPD_TRAP_QUEUE_DRAINED", - "rsa.misc.client": ": metco", - "rsa.misc.event_type": "SNMPD_TRAP_QUEUE_DRAINED", - "rsa.misc.obj_name": "vel", - "rsa.time.day": "13", - "rsa.time.month": "May", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.code": "[4837]", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "May 28 04:48:31 fpc8 ECCD_PCI_WRITE_FAILED: [4837]: radip: cancel: success", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 8919, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "[4837]", - "rsa.time.day": "28", - "rsa.time.month": "May", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "piciatis", - "event.code": "TFTPD_RECVCOMPLETE_INFO", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Jun 11 11:51:06 TFTPD_RECVCOMPLETE_INFO message repeated [7501]: piciatis: Received 3501 blocks of 5877 size for file 'tatisetq'", - "file.name": "tatisetq", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 8994, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "TFTPD_RECVCOMPLETE_INFO message repeated", - "process.pid": 7501, - "rsa.counters.dclass_c1": 3501, - "rsa.counters.dclass_c2": 5877, - "rsa.internal.event_desc": "TFTPD RECVCOMPLETE INFO", - "rsa.internal.messageid": "TFTPD_RECVCOMPLETE_INFO", - "rsa.misc.event_type": "piciatis", - "rsa.time.day": "11", - "rsa.time.month": "Jun", - 
"service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.code": "usp_trace_ipc_reconnect", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Jun 25 18:53:40 usp_trace_ipc_reconnect message repeated illum.exe:USP trace client cannot reconnect to server", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 9123, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "message repeated illum.exe", - "rsa.internal.event_desc": "USP trace client cannot reconnect to server", - "rsa.internal.messageid": "usp_trace_ipc_reconnect", - "rsa.misc.node": "usp_trace_ipc_reconnect", - "rsa.time.day": "25", - "rsa.time.month": "Jun", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.code": "BCHIP", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Jul 10 01:56:14 amnis atevelit2799.internal.host: tatiset.exe IFP trace> BCHIP: : cannot write ucode mask reg", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 9234, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "tatiset.exe", - "rsa.internal.event_desc": "cannot write ucode mask reg", - "rsa.internal.messageid": "BCHIP", - "rsa.misc.device_name": "IFP trace> BCHIP:", - "rsa.time.day": "10", - "rsa.time.month": "Jul", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "moditemp", - "event.code": "RPD_MPLS_LSP_DOWN", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Jul 24 08:58:48 RPD_MPLS_LSP_DOWN message repeated [5094]: moditemp: MPLS LSP eth2042 unknown", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 9344, - "network.interface.name": "eth2042", - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": 
"Juniper", - "process.name": "RPD_MPLS_LSP_DOWN message repeated", - "process.pid": 5094, - "rsa.internal.event_desc": "MPLS LSP DOWN", - "rsa.internal.messageid": "RPD_MPLS_LSP_DOWN", - "rsa.misc.event_type": "moditemp", - "rsa.misc.result": "unknown", - "rsa.network.interface": "eth2042", - "rsa.time.day": "24", - "rsa.time.month": "Jul", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "uatDuisa", - "event.code": "CHASSISD_PARSE_INIT", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Aug 7 16:01:23 CHASSISD_PARSE_INIT: restart [4153]: uatDuisa: Parsing configuration file 'usB'", - "file.name": "usB", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 9438, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "CHASSISD_PARSE_INIT: restart", - "process.pid": 4153, - "rsa.internal.event_desc": "Parsing configuration file", - "rsa.internal.messageid": "CHASSISD_PARSE_INIT", - "rsa.misc.event_type": "uatDuisa", - "rsa.time.day": "7", - "rsa.time.month": "Aug", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "upidatat", - "event.code": "RMOPD_ROUTING_INSTANCE_NO_INFO", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Aug 21 23:03:57 RMOPD_ROUTING_INSTANCE_NO_INFO: restart [6922]: upidatat: No information for routing instance non: failure", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 9533, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "RMOPD_ROUTING_INSTANCE_NO_INFO: restart", - "process.pid": 6922, - "rsa.internal.event_desc": "No information for routing instance", - "rsa.internal.messageid": "RMOPD_ROUTING_INSTANCE_NO_INFO", - "rsa.misc.client": "non", - "rsa.misc.event_type": "upidatat", - "rsa.misc.result": "failure", - 
"rsa.time.day": "21", - "rsa.time.month": "Aug", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "CHASSISD_TERM_SIGNAL:", - "event.code": "CHASSISD_TERM_SIGNAL", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Sep 5 06:06:31 Utenimad.exe[4305]: CHASSISD_TERM_SIGNAL: : Received SIGTERM request, success", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 9656, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "Utenimad.exe", - "process.pid": 4305, - "rsa.internal.event_desc": "Received SIGTERM request", - "rsa.internal.messageid": "CHASSISD_TERM_SIGNAL", - "rsa.misc.event_type": "CHASSISD_TERM_SIGNAL:", - "rsa.misc.pid": "4305", - "rsa.misc.result": "success", - "rsa.time.day": "5", - "rsa.time.month": "Sep", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "destination.ip": "10.49.190.163", - "event.action": "RPD_OSPF_NBRUP", - "event.code": "RPD_OSPF_NBRUP", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Sep 19 13:09:05 tseddo.exe[484]: RPD_OSPF_NBRUP : OSPF neighbor 10.49.190.163 (lo50) aUteni due to failure", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 9749, - "network.interface.name": "lo50", - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "tseddo.exe", - "process.pid": 484, - "related.ip": [ - "10.49.190.163" - ], - "rsa.internal.event_desc": "OSPF neighbor up", - "rsa.internal.messageid": "RPD_OSPF_NBRUP", - "rsa.misc.disposition": "aUteni", - "rsa.misc.event_type": "RPD_OSPF_NBRUP", - "rsa.misc.pid": "484", - "rsa.misc.result": "failure", - "rsa.network.interface": "lo50", - "rsa.time.day": "19", - "rsa.time.month": "Sep", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.code": 
"[6968]", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Oct 3 20:11:40 cfeb NASD_usage: [6968]: litseddo: failure: metconse", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 9856, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "[6968]", - "rsa.time.day": "3", - "rsa.time.month": "Oct", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "destination.ip": "10.101.99.109", - "event.action": "emu", - "event.code": "RPD_LDP_NBRDOWN", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Oct 18 03:14:14 RPD_LDP_NBRDOWN message repeated [4598]: emu: LDP neighbor 10.101.99.109 (eth4282) is success", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 9924, - "network.interface.name": "eth4282", - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "RPD_LDP_NBRDOWN message repeated", - "process.pid": 4598, - "related.ip": [ - "10.101.99.109" - ], - "rsa.internal.event_desc": "LDP neighbor down", - "rsa.internal.messageid": "RPD_LDP_NBRDOWN", - "rsa.misc.event_type": "emu", - "rsa.misc.result": "success", - "rsa.network.interface": "eth4282", - "rsa.time.day": "18", - "rsa.time.month": "Oct", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "con", - "event.code": "RPD_RDISC_NOMULTI", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Nov 1 10:16:48 RPD_RDISC_NOMULTI message repeated [4764]: con: Ignoring interface 594 on lo7449 -- unknown", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 10034, - "network.interface.name": "lo7449", - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "RPD_RDISC_NOMULTI message repeated", - "process.pid": 4764, 
- "rsa.counters.dclass_c1": 594, - "rsa.internal.event_desc": "Ignoring interface", - "rsa.internal.messageid": "RPD_RDISC_NOMULTI", - "rsa.misc.event_type": "con", - "rsa.misc.result": "unknown", - "rsa.network.interface": "lo7449", - "rsa.time.day": "1", - "rsa.time.month": "Nov", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "isquames", - "event.code": "BOOTPD_NEW_CONF", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Nov 15 17:19:22 BOOTPD_NEW_CONF: restart [1768]: isquames: New configuration installed", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 10141, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "BOOTPD_NEW_CONF: restart", - "process.pid": 1768, - "rsa.internal.event_desc": "New configuration installed", - "rsa.internal.messageid": "BOOTPD_NEW_CONF", - "rsa.misc.event_type": "isquames", - "rsa.time.day": "15", - "rsa.time.month": "Nov", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "ngelit", - "event.code": "SNMP_TRAP_LINK_DOWN", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Nov 30 00:21:57 SNMP_TRAP_LINK_DOWN message repeated [7368]: ngelit: ifIndex 4197, ifAdminStatus ons, ifOperStatus unknown, ifName lo3193", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 10228, - "network.interface.name": "lo3193", - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "SNMP_TRAP_LINK_DOWN message repeated", - "process.pid": 7368, - "rsa.counters.dclass_c1": 4197, - "rsa.internal.event_desc": "SNMP TRAP LINK DOWN", - "rsa.internal.messageid": "SNMP_TRAP_LINK_DOWN", - "rsa.misc.event_type": "ngelit", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "ons", - "rsa.network.interface": "lo3193", - "rsa.time.day": 
"30", - "rsa.time.month": "Nov", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - }, - { - "event.action": "udexerci", - "event.code": "MIB2D_ATM_ERROR", - "event.dataset": "juniper.junos", - "event.module": "juniper", - "event.original": "Dec 14 07:24:31 MIB2D_ATM_ERROR message repeated [4927]: udexerci: voluptat: failure", - "fileset.name": "junos", - "input.type": "log", - "log.offset": 10366, - "observer.product": "Junos", - "observer.type": "Routers", - "observer.vendor": "Juniper", - "process.name": "MIB2D_ATM_ERROR message repeated", - "process.pid": 4927, - "rsa.internal.event_desc": "MIB2D ATM ERROR", - "rsa.internal.messageid": "MIB2D_ATM_ERROR", - "rsa.misc.event_type": "udexerci", - "rsa.misc.result": "failure", - "rsa.time.day": "14", - "rsa.time.month": "Dec", - "service.name": "voluptat", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.junos" - ] - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/juniper/netscreen/_meta/fields.yml b/x-pack/filebeat/module/juniper/netscreen/_meta/fields.yml deleted file mode 100644 index 08a34153c4f..00000000000 --- a/x-pack/filebeat/module/juniper/netscreen/_meta/fields.yml +++ /dev/null 
@@ -1,2635 +0,0 @@ -- name: network.interface.name - overwrite: true - type: keyword - description: > - Name of the network interface where the traffic has been observed. -- name: rsa - overwrite: true - type: group - fields: - - name: internal - overwrite: true - type: group - fields: - - name: msg - overwrite: true - type: keyword - description: This key is used to capture the raw message that comes into the - Log Decoder - - name: messageid - overwrite: true - type: keyword - - name: event_desc - overwrite: true - type: keyword - - name: message - overwrite: true - type: keyword - description: This key captures the contents of instant messages - - name: time - overwrite: true - type: date - description: This is the time at which a session hits a NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness. - - name: level - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: msg_id - overwrite: true - type: keyword - description: This is the Message ID1 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: msg_vid - overwrite: true - type: keyword - description: This is the Message ID2 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: data - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: resource - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: statement - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: entry - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: inode - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: resource_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: dead - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - overwrite: true - type: keyword - description: This is used to capture the description of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: feed_name - overwrite: true - type: keyword - description: This is used to capture the name of the feed. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: cid - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_class - overwrite: true - type: keyword - description: This is the Classification of the Log Event Source under a predefined - fixed set of Event Source Classifications. 
This key should never be used to - parse Meta data from a session (Logs/Packets) Directly, this is a Reserved - key in NetWitness - - name: device_group - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - overwrite: true - type: keyword - description: This is the Hostname of the log Event Source sending the logs to - NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - overwrite: true - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - overwrite: true - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - overwrite: true - type: keyword - description: This is the name of the log parser which parsed a given session. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_type_id - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: did - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. 
- This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: entropy_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: entropy_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: event_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - overwrite: true - type: keyword - description: This is used to capture the category of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: forward_ip - overwrite: true - type: ip - description: This key should be used to capture the IPV4 address of a relay - system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - overwrite: true - type: ip - description: This key is used to capture the IPV6 address of a relay system - which forwarded the events from the original system to NetWitness. This key - should never be used to parse Meta data from a session (Logs/Packets) Directly, - this is a Reserved key in NetWitness - - name: header_id - overwrite: true - type: keyword - description: This is the Header ID value that identifies the exact log parser - header definition that parses a particular log session. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: lc_cid - overwrite: true - type: keyword - description: This is a unique Identifier of a Log Collector. 
This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: lc_ctime - overwrite: true - type: date - description: This is the time at which a log is collected in a NetWitness Log - Collector. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: mcbc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: medium - overwrite: true - type: long - description: "This key is used to identify if it\u2019s a log/packet session\ - \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ - \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ - \ 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: nwe_callback_id - overwrite: true - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - overwrite: true - type: keyword - description: This is a special key that stores any Meta key validation error - found while parsing a log session. This key should never be used to parse - Meta data from a session (Logs/Packets) Directly, this is a Reserved key in - NetWitness - - name: payload_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: payload_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: process_vid_dst - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the target process. - - name: process_vid_src - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the source process. - - name: rid - overwrite: true - type: long - description: This is a special ID of the Remote Session created by NetWitness - Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: session_split - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: size - overwrite: true - type: long - description: This is the size of the session as seen by the NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: sourcefile - overwrite: true - type: keyword - description: This is the name of the log file or PCAPs that can be imported - into NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: ubc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: word - overwrite: true - type: keyword - description: This is used by the Word Parsing technology to capture the first - 5 character of every word in an unparsed log - - name: time - overwrite: true - type: group - fields: - - name: event_time - overwrite: true - type: date - description: This key is used to capture the time mentioned in a raw session - that represents the actual time an event occured in a standard normalized - form - - name: duration_time - overwrite: true - type: double - description: This key is used to capture the normalized duration/lifetime in - seconds. 
- - name: event_time_str - overwrite: true - type: keyword - description: This key is used to capture the incomplete time mentioned in a - session as a string - - name: starttime - overwrite: true - type: date - description: This key is used to capture the Start time mentioned in a session - in a standard form - - name: month - overwrite: true - type: keyword - - name: day - overwrite: true - type: keyword - - name: endtime - overwrite: true - type: date - description: This key is used to capture the End time mentioned in a session - in a standard form - - name: timezone - overwrite: true - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - overwrite: true - type: keyword - description: A text string version of the duration - - name: date - overwrite: true - type: keyword - - name: year - overwrite: true - type: keyword - - name: recorded_time - overwrite: true - type: date - description: The event time as recorded by the system the event is collected - from. The usage scenario is a multi-tier application where the management - layer of the system records it's own timestamp at the time of collection from - its child nodes. Must be in timestamp format. - - name: datetime - overwrite: true - type: keyword - - name: effective_time - overwrite: true - type: date - description: This key is the effective time referenced by an individual event - in a Standard Timestamp format - - name: expire_time - overwrite: true - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - overwrite: true - type: keyword - description: Deprecated, use duration.time - - name: hour - overwrite: true - type: keyword - - name: min - overwrite: true - type: keyword - - name: timestamp - overwrite: true - type: keyword - - name: event_queue_time - overwrite: true - type: date - description: This key is the Time that the event was queued. 
- - name: p_time1 - overwrite: true - type: keyword - - name: tzone - overwrite: true - type: keyword - - name: eventtime - overwrite: true - type: keyword - - name: gmtdate - overwrite: true - type: keyword - - name: gmttime - overwrite: true - type: keyword - - name: p_date - overwrite: true - type: keyword - - name: p_month - overwrite: true - type: keyword - - name: p_time - overwrite: true - type: keyword - - name: p_time2 - overwrite: true - type: keyword - - name: p_year - overwrite: true - type: keyword - - name: expire_time_str - overwrite: true - type: keyword - description: This key is used to capture incomplete timestamp that explicitly - refers to an expiration. - - name: stamp - overwrite: true - type: date - description: Deprecated key defined only in table map. - - name: misc - overwrite: true - type: group - fields: - - name: action - overwrite: true - type: keyword - - name: result - overwrite: true - type: keyword - description: This key is used to capture the outcome/result string value of - an action in a session. - - name: severity - overwrite: true - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - overwrite: true - type: keyword - description: This key captures the event category type as specified by the event - source. - - name: reference_id - overwrite: true - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - overwrite: true - type: keyword - description: This key captures Version of the application or OS which is generating - the event. - - name: disposition - overwrite: true - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - overwrite: true - type: keyword - description: This key is used to capture the outcome/result numeric value of - an action in a session - - name: category - overwrite: true - type: keyword - description: This key is used to capture the category of an event given by the - vendor in the session - - name: obj_name - overwrite: true - type: keyword - description: This is used to capture name of object - - name: obj_type - overwrite: true - type: keyword - description: This is used to capture type of object - - name: event_source - overwrite: true - type: keyword - description: "This key captures Source of the event that\u2019s not a hostname" - - name: log_session_id - overwrite: true - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - overwrite: true - type: keyword - description: This key captures the Group Name value - - name: policy_name - overwrite: true - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - overwrite: true - type: keyword - description: This key captures the Rule Name - - name: context - overwrite: true - type: keyword - description: This key captures Information which adds additional context to - the event. - - name: change_new - overwrite: true - type: keyword - description: "This key is used to capture the new values of the attribute that\u2019\ - s changing in a session" - - name: space - overwrite: true - type: keyword - - name: client - overwrite: true - type: keyword - description: This key is used to capture only the name of the client application - requesting resources of the server. See the user.agent meta key for capture - of the specific user agent identifier or browser identification string. 
- - name: msgIdPart1 - overwrite: true - type: keyword - - name: msgIdPart2 - overwrite: true - type: keyword - - name: change_old - overwrite: true - type: keyword - description: "This key is used to capture the old value of the attribute that\u2019\ - s changing in a session" - - name: operation_id - overwrite: true - type: keyword - description: An alert number or operation number. The values should be unique - and non-repeating. - - name: event_state - overwrite: true - type: keyword - description: This key captures the current state of the object/item referenced - within the event. Describing an on-going event. - - name: group_object - overwrite: true - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - overwrite: true - type: keyword - description: Common use case is the node name within a cluster. The cluster - name is reflected by the host name. - - name: rule - overwrite: true - type: keyword - description: This key captures the Rule number - - name: device_name - overwrite: true - type: keyword - description: 'This is used to capture name of the Device associated with the - node Like: a physical disk, printer, etc' - - name: param - overwrite: true - type: keyword - description: This key is the parameters passed as part of a command or application, - etc. - - name: change_attrib - overwrite: true - type: keyword - description: "This key is used to capture the name of the attribute that\u2019\ - s changing in a session" - - name: event_computer - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - fully qualified domain name in a windows log. 
- - name: reference_id1 - overwrite: true - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - overwrite: true - type: keyword - description: This key captures the Name of the event log - - name: OS - overwrite: true - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - overwrite: true - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - overwrite: true - type: keyword - - name: filter - overwrite: true - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - overwrite: true - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the entity - such as a file or process. Checksum should be used over checksum.src or checksum.dst - when it is unclear whether the entity is a source or target of an action. - - name: event_user - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - combination of domain name and username in a windows log. - - name: virusname - overwrite: true - type: keyword - description: This key captures the name of the virus - - name: content_type - overwrite: true - type: keyword - description: This key is used to capture Content Type only. 
- - name: group_id - overwrite: true - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - overwrite: true - type: keyword - description: This key is used to capture the Policy ID only, this should be - a numeric value, use policy.name otherwise - - name: vsys - overwrite: true - type: keyword - description: This key captures Virtual System Name - - name: connection_id - overwrite: true - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - overwrite: true - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" - or "reference.id1" value but should not be used unless the other two variables - are in play. - - name: sensor - overwrite: true - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS - based devices - - name: sig_id - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - overwrite: true - type: keyword - description: 'This key is used for Physical or logical port connection but does - NOT include a network port. (Example: Printer port name).' - - name: rule_group - overwrite: true - type: keyword - description: This key captures the Rule group name - - name: risk_num - overwrite: true - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - overwrite: true - type: keyword - description: This key captures the Value of the trigger or threshold condition. - - name: log_session_id1 - overwrite: true - type: keyword - description: This key is used to capture a Linked (Related) Session ID from - the session directly - - name: comp_version - overwrite: true - type: keyword - description: This key captures the Version level of a sub-component of a product. 
- - name: content_version - overwrite: true - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - overwrite: true - type: keyword - description: This key is used to capture unique identifier for a device or system - (NOT a Mac address) - - name: risk - overwrite: true - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - overwrite: true - type: keyword - - name: reason - overwrite: true - type: keyword - - name: status - overwrite: true - type: keyword - - name: mail_id - overwrite: true - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - overwrite: true - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - overwrite: true - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - overwrite: true - type: keyword - - name: p_msgid - overwrite: true - type: keyword - - name: data_type - overwrite: true - type: keyword - - name: msgIdPart4 - overwrite: true - type: keyword - - name: error - overwrite: true - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - overwrite: true - type: keyword - - name: listnum - overwrite: true - type: keyword - description: This key is used to capture listname or listnumber, primarily for - collecting access-list - - name: ntype - overwrite: true - type: keyword - - name: observed_val - overwrite: true - type: keyword - description: This key captures the Value observed (from the perspective of the - device generating the log). - - name: policy_value - overwrite: true - type: keyword - description: This key captures the contents of the policy. 
This contains details - about the policy - - name: pool_name - overwrite: true - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - overwrite: true - type: keyword - description: A default set of parameters which are overlayed onto a rule (or - rulename) which efffectively constitutes a template - - name: count - overwrite: true - type: keyword - - name: number - overwrite: true - type: keyword - - name: sigcat - overwrite: true - type: keyword - - name: type - overwrite: true - type: keyword - - name: comments - overwrite: true - type: keyword - description: Comment information provided in the log message - - name: doc_number - overwrite: true - type: long - description: This key captures File Identification number - - name: expected_val - overwrite: true - type: keyword - description: This key captures the Value expected (from the perspective of the - device generating the log). - - name: job_num - overwrite: true - type: keyword - description: This key captures the Job Number - - name: spi_dst - overwrite: true - type: keyword - description: Destination SPI Index - - name: spi_src - overwrite: true - type: keyword - description: Source SPI Index - - name: code - overwrite: true - type: keyword - - name: agent_id - overwrite: true - type: keyword - description: This key is used to capture agent id - - name: message_body - overwrite: true - type: keyword - description: This key captures the The contents of the message body. - - name: phone - overwrite: true - type: keyword - - name: sig_id_str - overwrite: true - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - overwrite: true - type: keyword - - name: misc - overwrite: true - type: keyword - - name: name - overwrite: true - type: keyword - - name: cpu - overwrite: true - type: long - description: This key is the CPU time used in the execution of the event being - recorded. 
- - name: event_desc - overwrite: true - type: keyword - description: This key is used to capture a description of an event available - directly or inferred - - name: sig_id1 - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID. This must be linked - to the sig.id - - name: im_buddyid - overwrite: true - type: keyword - - name: im_client - overwrite: true - type: keyword - - name: im_userid - overwrite: true - type: keyword - - name: pid - overwrite: true - type: keyword - - name: priority - overwrite: true - type: keyword - - name: context_subject - overwrite: true - type: keyword - description: This key is to be used in an audit context where the subject is - the object being identified - - name: context_target - overwrite: true - type: keyword - - name: cve - overwrite: true - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - - an identifier for known information security vulnerabilities. - - name: fcatnum - overwrite: true - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - overwrite: true - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - overwrite: true - type: keyword - description: This key captures the Parent Node Name. Must be related to node - variable. - - name: risk_info - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - overwrite: true - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - overwrite: true - type: long - description: This key describes the type of service - - name: vm_target - overwrite: true - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - overwrite: true - type: keyword - description: This key captures Workspace Description - - name: command - overwrite: true - type: keyword - - name: event_category - overwrite: true - type: keyword - - name: facilityname - overwrite: true - type: keyword - - name: forensic_info - overwrite: true - type: keyword - - name: jobname - overwrite: true - type: keyword - - name: mode - overwrite: true - type: keyword - - name: policy - overwrite: true - type: keyword - - name: policy_waiver - overwrite: true - type: keyword - - name: second - overwrite: true - type: keyword - - name: space1 - overwrite: true - type: keyword - - name: subcategory - overwrite: true - type: keyword - - name: tbdstr2 - overwrite: true - type: keyword - - name: alert_id - overwrite: true - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the the target - entity such as a process or file. - - name: checksum_src - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the source - entity such as a file or process. 
- - name: fresult - overwrite: true - type: long - description: This key captures the Filter Result - - name: payload_dst - overwrite: true - type: keyword - description: This key is used to capture destination payload - - name: payload_src - overwrite: true - type: keyword - description: This key is used to capture source payload - - name: pool_id - overwrite: true - type: keyword - description: This key captures the identifier (typically numeric field) of a - resource pool - - name: process_id_val - overwrite: true - type: keyword - description: This key is a failure key for Process ID when it is not an integer - value - - name: risk_num_comm - overwrite: true - type: double - description: This key captures Risk Number Community - - name: risk_num_next - overwrite: true - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - overwrite: true - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - overwrite: true - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - overwrite: true - type: keyword - description: SNMP Object Identifier - - name: sql - overwrite: true - type: keyword - description: This key captures the SQL query - - name: vuln_ref - overwrite: true - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - overwrite: true - type: keyword - - name: acl_op - overwrite: true - type: keyword - - name: acl_pos - overwrite: true - type: keyword - - name: acl_table - overwrite: true - type: keyword - - name: admin - overwrite: true - type: keyword - - name: alarm_id - overwrite: true - type: keyword - - name: alarmname - 
overwrite: true - type: keyword - - name: app_id - overwrite: true - type: keyword - - name: audit - overwrite: true - type: keyword - - name: audit_object - overwrite: true - type: keyword - - name: auditdata - overwrite: true - type: keyword - - name: benchmark - overwrite: true - type: keyword - - name: bypass - overwrite: true - type: keyword - - name: cache - overwrite: true - type: keyword - - name: cache_hit - overwrite: true - type: keyword - - name: cefversion - overwrite: true - type: keyword - - name: cfg_attr - overwrite: true - type: keyword - - name: cfg_obj - overwrite: true - type: keyword - - name: cfg_path - overwrite: true - type: keyword - - name: changes - overwrite: true - type: keyword - - name: client_ip - overwrite: true - type: keyword - - name: clustermembers - overwrite: true - type: keyword - - name: cn_acttimeout - overwrite: true - type: keyword - - name: cn_asn_src - overwrite: true - type: keyword - - name: cn_bgpv4nxthop - overwrite: true - type: keyword - - name: cn_ctr_dst_code - overwrite: true - type: keyword - - name: cn_dst_tos - overwrite: true - type: keyword - - name: cn_dst_vlan - overwrite: true - type: keyword - - name: cn_engine_id - overwrite: true - type: keyword - - name: cn_engine_type - overwrite: true - type: keyword - - name: cn_f_switch - overwrite: true - type: keyword - - name: cn_flowsampid - overwrite: true - type: keyword - - name: cn_flowsampintv - overwrite: true - type: keyword - - name: cn_flowsampmode - overwrite: true - type: keyword - - name: cn_inacttimeout - overwrite: true - type: keyword - - name: cn_inpermbyts - overwrite: true - type: keyword - - name: cn_inpermpckts - overwrite: true - type: keyword - - name: cn_invalid - overwrite: true - type: keyword - - name: cn_ip_proto_ver - overwrite: true - type: keyword - - name: cn_ipv4_ident - overwrite: true - type: keyword - - name: cn_l_switch - overwrite: true - type: keyword - - name: cn_log_did - overwrite: true - type: keyword - - name: 
cn_log_rid - overwrite: true - type: keyword - - name: cn_max_ttl - overwrite: true - type: keyword - - name: cn_maxpcktlen - overwrite: true - type: keyword - - name: cn_min_ttl - overwrite: true - type: keyword - - name: cn_minpcktlen - overwrite: true - type: keyword - - name: cn_mpls_lbl_1 - overwrite: true - type: keyword - - name: cn_mpls_lbl_10 - overwrite: true - type: keyword - - name: cn_mpls_lbl_2 - overwrite: true - type: keyword - - name: cn_mpls_lbl_3 - overwrite: true - type: keyword - - name: cn_mpls_lbl_4 - overwrite: true - type: keyword - - name: cn_mpls_lbl_5 - overwrite: true - type: keyword - - name: cn_mpls_lbl_6 - overwrite: true - type: keyword - - name: cn_mpls_lbl_7 - overwrite: true - type: keyword - - name: cn_mpls_lbl_8 - overwrite: true - type: keyword - - name: cn_mpls_lbl_9 - overwrite: true - type: keyword - - name: cn_mplstoplabel - overwrite: true - type: keyword - - name: cn_mplstoplabip - overwrite: true - type: keyword - - name: cn_mul_dst_byt - overwrite: true - type: keyword - - name: cn_mul_dst_pks - overwrite: true - type: keyword - - name: cn_muligmptype - overwrite: true - type: keyword - - name: cn_sampalgo - overwrite: true - type: keyword - - name: cn_sampint - overwrite: true - type: keyword - - name: cn_seqctr - overwrite: true - type: keyword - - name: cn_spackets - overwrite: true - type: keyword - - name: cn_src_tos - overwrite: true - type: keyword - - name: cn_src_vlan - overwrite: true - type: keyword - - name: cn_sysuptime - overwrite: true - type: keyword - - name: cn_template_id - overwrite: true - type: keyword - - name: cn_totbytsexp - overwrite: true - type: keyword - - name: cn_totflowexp - overwrite: true - type: keyword - - name: cn_totpcktsexp - overwrite: true - type: keyword - - name: cn_unixnanosecs - overwrite: true - type: keyword - - name: cn_v6flowlabel - overwrite: true - type: keyword - - name: cn_v6optheaders - overwrite: true - type: keyword - - name: comp_class - overwrite: true - type: 
keyword - - name: comp_name - overwrite: true - type: keyword - - name: comp_rbytes - overwrite: true - type: keyword - - name: comp_sbytes - overwrite: true - type: keyword - - name: cpu_data - overwrite: true - type: keyword - - name: criticality - overwrite: true - type: keyword - - name: cs_agency_dst - overwrite: true - type: keyword - - name: cs_analyzedby - overwrite: true - type: keyword - - name: cs_av_other - overwrite: true - type: keyword - - name: cs_av_primary - overwrite: true - type: keyword - - name: cs_av_secondary - overwrite: true - type: keyword - - name: cs_bgpv6nxthop - overwrite: true - type: keyword - - name: cs_bit9status - overwrite: true - type: keyword - - name: cs_context - overwrite: true - type: keyword - - name: cs_control - overwrite: true - type: keyword - - name: cs_data - overwrite: true - type: keyword - - name: cs_datecret - overwrite: true - type: keyword - - name: cs_dst_tld - overwrite: true - type: keyword - - name: cs_eth_dst_ven - overwrite: true - type: keyword - - name: cs_eth_src_ven - overwrite: true - type: keyword - - name: cs_event_uuid - overwrite: true - type: keyword - - name: cs_filetype - overwrite: true - type: keyword - - name: cs_fld - overwrite: true - type: keyword - - name: cs_if_desc - overwrite: true - type: keyword - - name: cs_if_name - overwrite: true - type: keyword - - name: cs_ip_next_hop - overwrite: true - type: keyword - - name: cs_ipv4dstpre - overwrite: true - type: keyword - - name: cs_ipv4srcpre - overwrite: true - type: keyword - - name: cs_lifetime - overwrite: true - type: keyword - - name: cs_log_medium - overwrite: true - type: keyword - - name: cs_loginname - overwrite: true - type: keyword - - name: cs_modulescore - overwrite: true - type: keyword - - name: cs_modulesign - overwrite: true - type: keyword - - name: cs_opswatresult - overwrite: true - type: keyword - - name: cs_payload - overwrite: true - type: keyword - - name: cs_registrant - overwrite: true - type: keyword - - 
name: cs_registrar - overwrite: true - type: keyword - - name: cs_represult - overwrite: true - type: keyword - - name: cs_rpayload - overwrite: true - type: keyword - - name: cs_sampler_name - overwrite: true - type: keyword - - name: cs_sourcemodule - overwrite: true - type: keyword - - name: cs_streams - overwrite: true - type: keyword - - name: cs_targetmodule - overwrite: true - type: keyword - - name: cs_v6nxthop - overwrite: true - type: keyword - - name: cs_whois_server - overwrite: true - type: keyword - - name: cs_yararesult - overwrite: true - type: keyword - - name: description - overwrite: true - type: keyword - - name: devvendor - overwrite: true - type: keyword - - name: distance - overwrite: true - type: keyword - - name: dstburb - overwrite: true - type: keyword - - name: edomain - overwrite: true - type: keyword - - name: edomaub - overwrite: true - type: keyword - - name: euid - overwrite: true - type: keyword - - name: facility - overwrite: true - type: keyword - - name: finterface - overwrite: true - type: keyword - - name: flags - overwrite: true - type: keyword - - name: gaddr - overwrite: true - type: keyword - - name: id3 - overwrite: true - type: keyword - - name: im_buddyname - overwrite: true - type: keyword - - name: im_croomid - overwrite: true - type: keyword - - name: im_croomtype - overwrite: true - type: keyword - - name: im_members - overwrite: true - type: keyword - - name: im_username - overwrite: true - type: keyword - - name: ipkt - overwrite: true - type: keyword - - name: ipscat - overwrite: true - type: keyword - - name: ipspri - overwrite: true - type: keyword - - name: latitude - overwrite: true - type: keyword - - name: linenum - overwrite: true - type: keyword - - name: list_name - overwrite: true - type: keyword - - name: load_data - overwrite: true - type: keyword - - name: location_floor - overwrite: true - type: keyword - - name: location_mark - overwrite: true - type: keyword - - name: log_id - overwrite: true - 
type: keyword - - name: log_type - overwrite: true - type: keyword - - name: logid - overwrite: true - type: keyword - - name: logip - overwrite: true - type: keyword - - name: logname - overwrite: true - type: keyword - - name: longitude - overwrite: true - type: keyword - - name: lport - overwrite: true - type: keyword - - name: mbug_data - overwrite: true - type: keyword - - name: misc_name - overwrite: true - type: keyword - - name: msg_type - overwrite: true - type: keyword - - name: msgid - overwrite: true - type: keyword - - name: netsessid - overwrite: true - type: keyword - - name: num - overwrite: true - type: keyword - - name: number1 - overwrite: true - type: keyword - - name: number2 - overwrite: true - type: keyword - - name: nwwn - overwrite: true - type: keyword - - name: object - overwrite: true - type: keyword - - name: operation - overwrite: true - type: keyword - - name: opkt - overwrite: true - type: keyword - - name: orig_from - overwrite: true - type: keyword - - name: owner_id - overwrite: true - type: keyword - - name: p_action - overwrite: true - type: keyword - - name: p_filter - overwrite: true - type: keyword - - name: p_group_object - overwrite: true - type: keyword - - name: p_id - overwrite: true - type: keyword - - name: p_msgid1 - overwrite: true - type: keyword - - name: p_msgid2 - overwrite: true - type: keyword - - name: p_result1 - overwrite: true - type: keyword - - name: password_chg - overwrite: true - type: keyword - - name: password_expire - overwrite: true - type: keyword - - name: permgranted - overwrite: true - type: keyword - - name: permwanted - overwrite: true - type: keyword - - name: pgid - overwrite: true - type: keyword - - name: policyUUID - overwrite: true - type: keyword - - name: prog_asp_num - overwrite: true - type: keyword - - name: program - overwrite: true - type: keyword - - name: real_data - overwrite: true - type: keyword - - name: rec_asp_device - overwrite: true - type: keyword - - name: rec_asp_num 
- overwrite: true - type: keyword - - name: rec_library - overwrite: true - type: keyword - - name: recordnum - overwrite: true - type: keyword - - name: ruid - overwrite: true - type: keyword - - name: sburb - overwrite: true - type: keyword - - name: sdomain_fld - overwrite: true - type: keyword - - name: sec - overwrite: true - type: keyword - - name: sensorname - overwrite: true - type: keyword - - name: seqnum - overwrite: true - type: keyword - - name: session - overwrite: true - type: keyword - - name: sessiontype - overwrite: true - type: keyword - - name: sigUUID - overwrite: true - type: keyword - - name: spi - overwrite: true - type: keyword - - name: srcburb - overwrite: true - type: keyword - - name: srcdom - overwrite: true - type: keyword - - name: srcservice - overwrite: true - type: keyword - - name: state - overwrite: true - type: keyword - - name: status1 - overwrite: true - type: keyword - - name: svcno - overwrite: true - type: keyword - - name: system - overwrite: true - type: keyword - - name: tbdstr1 - overwrite: true - type: keyword - - name: tgtdom - overwrite: true - type: keyword - - name: tgtdomain - overwrite: true - type: keyword - - name: threshold - overwrite: true - type: keyword - - name: type1 - overwrite: true - type: keyword - - name: udb_class - overwrite: true - type: keyword - - name: url_fld - overwrite: true - type: keyword - - name: user_div - overwrite: true - type: keyword - - name: userid - overwrite: true - type: keyword - - name: username_fld - overwrite: true - type: keyword - - name: utcstamp - overwrite: true - type: keyword - - name: v_instafname - overwrite: true - type: keyword - - name: virt_data - overwrite: true - type: keyword - - name: vpnid - overwrite: true - type: keyword - - name: autorun_type - overwrite: true - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - overwrite: true - type: long - description: Valid Credit Card Numbers only - - name: content - 
overwrite: true - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - overwrite: true - type: long - description: Employee Identification Numbers only - - name: found - overwrite: true - type: keyword - description: This is used to capture the results of regex match - - name: language - overwrite: true - type: keyword - description: This is used to capture list of languages the client support and - what it prefers - - name: lifetime - overwrite: true - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - overwrite: true - type: keyword - description: This key is used to link the sessions together. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: match - overwrite: true - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - overwrite: true - type: keyword - description: This key captures the command line/launch argument of the target - process or file - - name: param_src - overwrite: true - type: keyword - description: This key captures source parameter - - name: search_text - overwrite: true - type: keyword - description: This key captures the Search Text used - - name: sig_name - overwrite: true - type: keyword - description: This key is used to capture the Signature Name only. - - name: snmp_value - overwrite: true - type: keyword - description: SNMP set request value - - name: streams - overwrite: true - type: long - description: This key captures number of streams in session - - name: db - overwrite: true - type: group - fields: - - name: index - overwrite: true - type: keyword - description: This key captures IndexID of the index. 
- - name: instance - overwrite: true - type: keyword - description: This key is used to capture the database server instance name - - name: database - overwrite: true - type: keyword - description: This key is used to capture the name of a database or an instance - as seen in a session - - name: transact_id - overwrite: true - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - overwrite: true - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - overwrite: true - type: keyword - description: This key is used to capture the table name - - name: db_id - overwrite: true - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - overwrite: true - type: long - description: This key captures the process id of a connection with database - server - - name: lread - overwrite: true - type: long - description: This key is used for the number of logical reads - - name: lwrite - overwrite: true - type: long - description: This key is used for the number of logical writes - - name: pread - overwrite: true - type: long - description: This key is used for the number of physical writes - - name: network - overwrite: true - type: group - fields: - - name: alias_host - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a hostname is not clear.Also it captures the Device Hostname. Any Hostname - that isnt ad.computer. 
- - name: domain - overwrite: true - type: keyword - - name: host_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Hostname" - - name: network_service - overwrite: true - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of an interface is not clear - - name: network_port - overwrite: true - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently - used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - overwrite: true - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Interface" - - name: dinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Interface" - - name: vlan - overwrite: true - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Zone." - - name: zone - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a Zone is not clear - - name: zone_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Zone." - - name: gateway - overwrite: true - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - overwrite: true - type: long - description: This key is used to capture the ICMP type only - - name: mask - overwrite: true - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - overwrite: true - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - overwrite: true - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - overwrite: true - type: keyword - description: This key is used for Destionation Device network mask - - name: port - overwrite: true - type: long - description: This key should only be used to capture a Network Port when the - directionality is not clear - - name: smask - overwrite: true - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - overwrite: true - type: keyword - description: This key is used to capture the network name associated with an - IP range. This is configured by the end user. - - name: paddr - overwrite: true - type: ip - description: Deprecated - - name: faddr - overwrite: true - type: keyword - - name: lhost - overwrite: true - type: keyword - - name: origin - overwrite: true - type: keyword - - name: remote_domain_id - overwrite: true - type: keyword - - name: addr - overwrite: true - type: keyword - - name: dns_a_record - overwrite: true - type: keyword - - name: dns_ptr_record - overwrite: true - type: keyword - - name: fhost - overwrite: true - type: keyword - - name: fport - overwrite: true - type: keyword - - name: laddr - overwrite: true - type: keyword - - name: linterface - overwrite: true - type: keyword - - name: phost - overwrite: true - type: keyword - - name: ad_computer_dst - overwrite: true - type: keyword - description: Deprecated, use host.dst - - name: eth_type - overwrite: true - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols - Only - - name: ip_proto - overwrite: true - type: long - description: This key should be used to capture the Protocol number, all the - protocol nubers are converted into string in UI - - name: dns_cname_record - overwrite: true - 
type: keyword - - name: dns_id - overwrite: true - type: keyword - - name: dns_opcode - overwrite: true - type: keyword - - name: dns_resp - overwrite: true - type: keyword - - name: dns_type - overwrite: true - type: keyword - - name: domain1 - overwrite: true - type: keyword - - name: host_type - overwrite: true - type: keyword - - name: packet_length - overwrite: true - type: keyword - - name: host_orig - overwrite: true - type: keyword - description: This is used to capture the original hostname in case of a Forwarding - Agent or a Proxy in between. - - name: rpayload - overwrite: true - type: keyword - description: This key is used to capture the total number of payload bytes seen - in the retransmitted packets. - - name: vlan_name - overwrite: true - type: keyword - description: This key should only be used to capture the name of the Virtual - LAN - - name: investigations - overwrite: true - type: group - fields: - - name: ec_activity - overwrite: true - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - overwrite: true - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - overwrite: true - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - overwrite: true - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - overwrite: true - type: long - description: This key captures the Event category number - - name: event_cat_name - overwrite: true - type: keyword - description: This key captures the event category name corresponding to the - event cat code - - name: event_vcat - overwrite: true - type: keyword - description: This is a vendor supplied category. This should be used in situations - where the vendor has adopted their own event_category taxonomy. 
- - name: analysis_file - overwrite: true - type: keyword - description: This is used to capture all indicators used in a File Analysis. - This key should be used to capture an analysis of a file - - name: analysis_service - overwrite: true - type: keyword - description: This is used to capture all indicators used in a Service Analysis. - This key should be used to capture an analysis of a service - - name: analysis_session - overwrite: true - type: keyword - description: This is used to capture all indicators used for a Session Analysis. - This key should be used to capture an analysis of a session - - name: boc - overwrite: true - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - overwrite: true - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - overwrite: true - type: keyword - description: This used to capture investigation category - - name: inv_context - overwrite: true - type: keyword - description: This used to capture investigation context - - name: ioc - overwrite: true - type: keyword - description: This is key capture indicator of compromise - - name: counters - overwrite: true - type: group - fields: - - name: dclass_c1 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c1.str only - - name: dclass_c2 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c2.str only - - name: event_counter - overwrite: true - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r1.str only - - name: dclass_c3 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c3.str only - - name: dclass_c1_str - 
overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c1 only - - name: dclass_c2_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c2 only - - name: dclass_r1_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r1 only - - name: dclass_r2 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r2.str only - - name: dclass_c3_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c3 only - - name: dclass_r3 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r3.str only - - name: dclass_r2_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r2 only - - name: dclass_r3_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r3 only - - name: identity - overwrite: true - type: group - fields: - - name: auth_method - overwrite: true - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - overwrite: true - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - overwrite: true - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - overwrite: true - type: keyword - description: This key is used to capture the type of logon method used. 
- - name: profile - overwrite: true - type: keyword - description: This key is used to capture the user profile - - name: accesses - overwrite: true - type: keyword - description: This key is used to capture actual privileges used in accessing - an object - - name: realm - overwrite: true - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - overwrite: true - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that - indicates a Source dn - - name: org - overwrite: true - type: keyword - description: This key captures the User organization - - name: dn_dst - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that - indicates a Destination dn - - name: firstname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: lastname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: user_dept - overwrite: true - type: keyword - description: User's Department Names only - - name: user_sid_src - overwrite: true - type: keyword - description: This key captures Source User Session ID - - name: federated_sp - overwrite: true - type: keyword - description: This key is the Federated Service Provider. This is the application - requesting authentication. - - name: federated_idp - overwrite: true - type: keyword - description: This key is the federated Identity Provider. This is the server - providing the authentication. - - name: logon_type_desc - overwrite: true - type: keyword - description: This key is used to capture the textual description of an integer - logon type as stored in the meta key 'logon.type'. 
- - name: middlename - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: password - overwrite: true - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - overwrite: true - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - overwrite: true - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ - t have a clear query or response context" - - name: ldap_query - overwrite: true - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - overwrite: true - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - overwrite: true - type: keyword - description: This is used to capture username the process or service is running - as, the author of the task - - name: service_account - overwrite: true - type: keyword - description: This key is a windows specific key, used for capturing name of - the account a service (referenced in the event) is running under. Legacy Usage - - name: email - overwrite: true - type: group - fields: - - name: email_dst - overwrite: true - type: keyword - description: This key is used to capture the Destination email address only, - when the destination context is not clear use email - - name: email_src - overwrite: true - type: keyword - description: This key is used to capture the source email address only, when - the source context is not clear use email - - name: subject - overwrite: true - type: keyword - description: This key is used to capture the subject string from an Email only. 
- - name: email - overwrite: true - type: keyword - description: This key is used to capture a generic email address where the source - or destination context is not clear - - name: trans_from - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: file - overwrite: true - type: group - fields: - - name: privilege - overwrite: true - type: keyword - description: Deprecated, use permissions - - name: attachment - overwrite: true - type: keyword - description: This key captures the attachment file name - - name: filesystem - overwrite: true - type: keyword - - name: binary - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: filename_dst - overwrite: true - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - overwrite: true - type: keyword - description: This is used to capture name of the parent filename, the file which - performed the action - - name: filename_tmp - overwrite: true - type: keyword - - name: directory_dst - overwrite: true - type: keyword - description: This key is used to capture the directory of the target process - or file - - name: directory_src - overwrite: true - type: keyword - description: This key is used to capture the directory of the source process - or file - - name: file_entropy - overwrite: true - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - overwrite: true - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - overwrite: true - type: keyword - description: This is used to capture name of the task - - name: web - overwrite: true - type: group - fields: - - name: fqdn - overwrite: true - type: keyword - description: Fully Qualified Domain Names - - 
name: web_cookie
- overwrite: true
- type: keyword
- description: This key is used to capture the Web cookies specifically.
- - name: alias_host
- overwrite: true
- type: keyword
- - name: reputation_num
- overwrite: true
- type: double
- description: Reputation Number of an entity. Typically used for Web Domains
- - name: web_ref_domain
- overwrite: true
- type: keyword
- description: Web referer's domain
- - name: web_ref_query
- overwrite: true
- type: keyword
- description: This key captures Web referer's query portion of the URL
- - name: remote_domain
- overwrite: true
- type: keyword
- - name: web_ref_page
- overwrite: true
- type: keyword
- description: This key captures Web referer's page information
- - name: web_ref_root
- overwrite: true
- type: keyword
- description: Web referer's root URL path
- - name: cn_asn_dst
- overwrite: true
- type: keyword
- - name: cn_rpackets
- overwrite: true
- type: keyword
- - name: urlpage
- overwrite: true
- type: keyword
- - name: urlroot
- overwrite: true
- type: keyword
- - name: p_url
- overwrite: true
- type: keyword
- - name: p_user_agent
- overwrite: true
- type: keyword
- - name: p_web_cookie
- overwrite: true
- type: keyword
- - name: p_web_method
- overwrite: true
- type: keyword
- - name: p_web_referer
- overwrite: true
- type: keyword
- - name: web_extension_tmp
- overwrite: true
- type: keyword
- - name: web_page
- overwrite: true
- type: keyword
- - name: threat
- overwrite: true
- type: group
- fields:
- - name: threat_category
- overwrite: true
- type: keyword
- description: This key captures Threat Name/Threat Category/Categorization of
- alert
- - name: threat_desc
- overwrite: true
- type: keyword
- description: This key is used to capture the threat description from the session
- directly or inferred
- - name: alert
- overwrite: true
- type: keyword
- description: This key is used to capture name of the alert
- - name: threat_source
- overwrite: true
- type: keyword
- description: This key is used to capture source of the threat
- - name: crypto
- overwrite: true
- type: group
- fields:
- - name: crypto
- overwrite: true
- type: keyword
- description: This key is used to capture the Encryption Type or Encryption Key
- only
- - name: cipher_src
- overwrite: true
- type: keyword
- description: This key is for Source (Client) Cipher
- - name: cert_subject
- overwrite: true
- type: keyword
- description: This key is used to capture the Certificate organization only
- - name: peer
- overwrite: true
- type: keyword
- description: This key is for Encryption peer's IP Address
- - name: cipher_size_src
- overwrite: true
- type: long
- description: This key captures Source (Client) Cipher Size
- - name: ike
- overwrite: true
- type: keyword
- description: IKE negotiation phase.
- - name: scheme
- overwrite: true
- type: keyword
- description: This key captures the Encryption scheme used
- - name: peer_id
- overwrite: true
- type: keyword
- description: "This key is for Encryption peer\u2019s identity"
- - name: sig_type
- overwrite: true
- type: keyword
- description: This key captures the Signature Type
- - name: cert_issuer
- overwrite: true
- type: keyword
- - name: cert_host_name
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: cert_error
- overwrite: true
- type: keyword
- description: This key captures the Certificate Error String
- - name: cipher_dst
- overwrite: true
- type: keyword
- description: This key is for Destination (Server) Cipher
- - name: cipher_size_dst
- overwrite: true
- type: long
- description: This key captures Destination (Server) Cipher Size
- - name: ssl_ver_src
- overwrite: true
- type: keyword
- description: Deprecated, use version
- - name: d_certauth
- overwrite: true
- type: keyword
- - name: s_certauth
- overwrite: true
- type: keyword
- - name: ike_cookie1
- overwrite: true
- type: keyword
- description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
- - name: ike_cookie2
- overwrite: true
- type: keyword
- description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
- - name: cert_checksum
- overwrite: true
- type: keyword
- - name: cert_host_cat
- overwrite: true
- type: keyword
- description: This key is used for the hostname category value of a certificate
- - name: cert_serial
- overwrite: true
- type: keyword
- description: This key is used to capture the Certificate serial number only
- - name: cert_status
- overwrite: true
- type: keyword
- description: This key captures Certificate validation status
- - name: ssl_ver_dst
- overwrite: true
- type: keyword
- description: Deprecated, use version
- - name: cert_keysize
- overwrite: true
- type: keyword
- - name: cert_username
- overwrite: true
- type: keyword
- - name: https_insact
- overwrite: true
- type: keyword
- - name: https_valid
- overwrite: true
- type: keyword
- - name: cert_ca
- overwrite: true
- type: keyword
- description: This key is used to capture the Certificate signing authority only
- - name: cert_common
- overwrite: true
- type: keyword
- description: This key is used to capture the Certificate common name only
- - name: wireless
- overwrite: true
- type: group
- fields:
- - name: wlan_ssid
- overwrite: true
- type: keyword
- description: This key is used to capture the ssid of a Wireless Session
- - name: access_point
- overwrite: true
- type: keyword
- description: This key is used to capture the access point name.
- - name: wlan_channel
- overwrite: true
- type: long
- description: This is used to capture the channel names
- - name: wlan_name
- overwrite: true
- type: keyword
- description: This key captures either WLAN number/name
- - name: storage
- overwrite: true
- type: group
- fields:
- - name: disk_volume
- overwrite: true
- type: keyword
- description: A unique name assigned to logical units (volumes) within a physical
- disk
- - name: lun
- overwrite: true
- type: keyword
- description: Logical Unit Number.This key is a very useful concept in Storage.
- - name: pwwn
- overwrite: true
- type: keyword
- description: This uniquely identifies a port on a HBA.
- - name: physical
- overwrite: true
- type: group
- fields:
- - name: org_dst
- overwrite: true
- type: keyword
- description: This is used to capture the destination organization based on the
- GEOPIP Maxmind database.
- - name: org_src
- overwrite: true
- type: keyword
- description: This is used to capture the source organization based on the GEOPIP
- Maxmind database.
- - name: healthcare - overwrite: true - type: group - fields: - - name: patient_fname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_id - overwrite: true - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_mname - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: endpoint - overwrite: true - type: group - fields: - - name: host_state - overwrite: true - type: keyword - description: This key is used to capture the current state of the machine, such - as blacklisted, infected, firewall - disabled and so on - - name: registry_key - overwrite: true - type: keyword - description: This key captures the path to the registry key - - name: registry_value - overwrite: true - type: keyword - description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/juniper/netscreen/config/input.yml b/x-pack/filebeat/module/juniper/netscreen/config/input.yml deleted file mode 100644 index a37550ca836..00000000000 --- a/x-pack/filebeat/module/juniper/netscreen/config/input.yml +++ /dev/null 
@@ -1,87 +0,0 @@
-{{ if eq .input "file" }}
-
-type: log
-paths:
- {{ range $i, $path := .paths }}
-- {{$path}}
- {{ end }}
-exclude_files: [".gz$"]
-
-{{ else }}
-
-type: {{.input}}
-host: "{{.syslog_host}}:{{.syslog_port}}"
-
-{{ end }}
-
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
-
-fields_under_root: true
-fields:
- observer:
- vendor: "Juniper"
- product: "Netscreen"
- type: "Firewall"
-
-processors:
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{.rsa_fields}}
- tz_offset: {{.tz_offset}}
- keep_raw: {{.keep_raw_fields}}
- debug: {{.debug}}
- files:
- - ${path.home}/module/juniper/netscreen/config/liblogparser.js
- - ${path.home}/module/juniper/netscreen/config/pipeline.js
-{{ if .community_id }}
-- community_id: ~
-{{ end }}
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: dns.question.name
- target_field: dns.question.registered_domain
- target_subdomain_field: dns.question.subdomain
- target_etld_field: dns.question.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: client.domain
- target_field: client.registered_domain
- target_subdomain_field: client.subdomain
- target_etld_field: client.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: server.domain
- target_field: server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/juniper/netscreen/config/liblogparser.js b/x-pack/filebeat/module/juniper/netscreen/config/liblogparser.js
deleted file mode 100644
index b35eaa3ddce..00000000000
--- a/x-pack/filebeat/module/juniper/netscreen/config/liblogparser.js
+++ /dev/null
@@ -1,2514 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -/* jshint -W014,-W016,-W097,-W116 */ - -var processor = require("processor"); -var console = require("console"); - -var FLAG_FIELD = "log.flags"; -var FIELDS_OBJECT = "nwparser"; -var FIELDS_PREFIX = FIELDS_OBJECT + "."; - -var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true -}; - -var saved_flags = null; -var debug; -var map_ecs; -var map_rsa; -var keep_raw; -var device; -var tz_offset; -var strip_priority; - -// Register params from configuration. -function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); -} - -function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } -} - -function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); -} - -function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); -} - -function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; -} - -function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; -} - -function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; -} - -var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); -})(); - -function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; -} - -function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } -} - -function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; -} - -function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; -} - -function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; -} - -function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; -} - -var start; - -function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); -} - -function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); -} - -function constant(value) { - return function (evt) { - return value; - }; -} - -function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; -} - -function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; -} - -// TODO: Implement -function DIRCHK(args) { - unimplemented("DIRCHK"); -} - -function strictToInt(str) { - return str * 1; -} - -function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - var result; - switch 
(args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; -} - -var quoteChars = "\"'`"; -function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; -} - -function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; -} - -function nop(evt) { -} - -function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); -} - -function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); -} - -function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; -} - -function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); -} - -function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; -} - -function setc(dst, value) { - return function (evt) { - evt.Put(FIELDS_PREFIX + dst, value); - }; 
-} - -function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; -} - -function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; -} - -function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; -} - -function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; -} - -// Make two-digit dates 00-69 interpreted as 2000-2069 -// and dates 70-99 translated to 1970-1999. -var twoDigitYearEpoch = 70; -var twoDigitYearCentury = 2000; - -// This is to accept dates up to 2 days in the future, only used when -// no year is specified in a date. 2 days should be enough to account for -// time differences between systems and different tz offsets. -var maxFutureDelta = 2*24*60*60*1000; - -// DateContainer stores date fields and then converts those fields into -// a Date. Necessary because building a Date using its set() methods gives -// different results depending on the order of components. -function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; -} - -DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } -} - -function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; -} - -function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; -} - -function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; -} - -var uA = 60 * 60 * 24; -var uD = 60 * 60 * 24; -var uF = 60 * 60; -var uG = 60 * 60 * 24 * 30; -var uH = 60 * 60; -var uI = 60 * 60; -var uJ = 60 * 60 * 24; -var uM = 60 * 60 * 24 * 30; -var uN = 60 * 60; -var uO = 1; -var uS = 1; -var uT = 60; -var uU = 60; -var uc = dc; - -function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; -} - -function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 5], - "dec": [11, 4], 
-}; - -// var dC = undefined; -var dR = dateMonthName(true); -var dB = dateMonthName(false); -var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); -var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); -var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); -var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); -var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); -var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 -var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); -var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); -var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); -var dP = parseAMPM; // AM|PM -var dQ = parseAMPM; // A.M.|P.M -var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); -var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); -var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); -var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); -var dZ = parseHMS; -var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - -// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. -// Only works if this modifier appears after the hour has been read from logs -// which is always the case in the 300 devices. 
-function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; -} - -function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); -} - -function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; -} - -function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; -} - -function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; -} - -function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; -} - -function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; -} - -// Short month name (Jan..Dec). -function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; -} - -function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; -} - -// The following regular expression for parsing URLs from: -// https://github.com/wizard04wsu/URI_Parsing -// -// The MIT License (MIT) -// -// Copyright (c) 2014 Andrew Harrison -// -// Permission is hereby granted, free of charge, to any person obtaining a copy of -// this software and associated documentation files (the "Software"), to deal in -// the Software without restriction, including without limitation the rights to -// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -// the Software, and to permit persons to whom the Software is furnished to do so, -// subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
-var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - -var uriScheme = 1; -var uriDomain = 5; -var uriPort = 6; -var uriPath = 7; -var uriPathAlt = 9; -var uriQuery = 11; - -function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); -} - -function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; -} - -function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; -} - -var extFromPage = /\.[^.]+$/; -function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } -} - -function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); -} - -function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); -} - -var pageFromPathRegExp = /\/([^\/]+)$/; -var pageName = 1; - -function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; -} - -function page(dst, src) { - return url_wrapper(dst, src, extract_page); -} - -function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; -} - -function path(dst, src) { - return url_wrapper(dst, src, extract_path); -} - -// Map common schemes to their default port. -// port has to be a string (will be converted at a later stage). 
-var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", -}; - -function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } -} - -function port(dst, src) { - return url_wrapper(dst, src, extract_port); -} - -function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; -} - -function query(dst, src) { - return url_wrapper(dst, src, extract_query); -} - -function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } -} - -function root(dst, src) { - return url_wrapper(dst, src, extract_root); -} - -function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } -} - -var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, -}; - -var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, 
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, -}; - -function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } -} - -// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. -var maxSafeInt = Math.pow(2, 53) - 1; -var minSafeInt = -maxSafeInt; - -function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; -} - -function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); -} - -var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; -var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - -function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; -} - -function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; -} - -function to_double(value) { - return parseFloat(value); -} - -function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; -} - -function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; -} - -function fld_set(dst, value) { - dst[this.field] = { v: value }; -} - -function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } -} - -function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } -} - -var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true -}; - -function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } -} - -function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } -} - -function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); -} - -var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, -]; - -function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - tzOffset = 
evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} for %{p0}"); - -var dup7 = match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}"); - -var dup8 = match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})"); - -var dup9 = date_time({ - dest: "event_time", - args: ["fld1"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], -}); - -var dup10 = match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})"); - -var dup11 = match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1"); - -var dup12 = match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}"); - -var dup13 = match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}"); - -var dup14 = match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}"); - -var dup15 = match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}"); - -var dup16 = match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0"); - -var dup17 = setc("eventcategory","1502000000"); - -var dup18 = setc("eventcategory","1703000000"); - -var dup19 = setc("eventcategory","1603000000"); - -var dup20 = match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} "); - -var dup21 = match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", ""); - -var dup22 = setc("eventcategory","1502050000"); - -var dup23 = match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}"); - -var dup24 = match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}"); - -var dup25 = match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}"); - -var dup26 = match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator"); - -var dup27 = setc("eventcategory","1801010000"); - -var dup28 = setc("eventcategory","1401060000"); - -var dup29 = setc("ec_subject","User"); - -var dup30 = setc("ec_activity","Logon"); - -var dup31 = setc("ec_theme","Authentication"); - -var dup32 = setc("ec_outcome","Success"); - -var dup33 = 
setc("eventcategory","1401070000"); - -var dup34 = setc("ec_activity","Logoff"); - -var dup35 = setc("eventcategory","1303000000"); - -var dup36 = match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", "disposition"); - -var dup37 = setc("eventcategory","1402020200"); - -var dup38 = setc("ec_theme","UserGroup"); - -var dup39 = setc("ec_outcome","Error"); - -var dup40 = match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}"); - -var dup41 = match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})"); - -var dup42 = setc("eventcategory","1402020300"); - -var dup43 = setc("ec_activity","Modify"); - -var dup44 = setc("eventcategory","1605000000"); - -var dup45 = match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}"); - -var dup46 = match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}"); - -var dup47 = match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}"); - -var dup48 = match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}"); - -var dup49 = match("MESSAGE#55:00002:54/2", "nwparser.p0", ". 
(%{fld1})"); - -var dup50 = setc("eventcategory","1701020000"); - -var dup51 = setc("ec_theme","Configuration"); - -var dup52 = match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}"); - -var dup53 = setc("eventcategory","1301000000"); - -var dup54 = setc("ec_outcome","Failure"); - -var dup55 = match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}"); - -var dup56 = match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}"); - -var dup57 = match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}"); - -var dup58 = setc("eventcategory","1001000000"); - -var dup59 = setc("dclass_counter1_string","Number of times the attack occurred"); - -var dup60 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$OUT"), - field("saddr"), - field("daddr"), - ], -}); - -var dup61 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$OUT"), - field("saddr"), - field("daddr"), - field("sport"), - field("dport"), - ], -}); - -var dup62 = setc("eventcategory","1608010000"); - -var dup63 = match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}"); - -var dup64 = match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}"); - -var dup65 = match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}"); - -var dup66 = match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}"); - -var dup67 = match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); - -var dup68 = match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}"); - -var dup69 = match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}"); - -var dup70 = match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}"); - -var dup71 = match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}"); - -var dup72 = match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}"); - -var dup73 = match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}"); - -var dup74 = match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}"); - -var dup75 = match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}"); - -var dup76 = match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}"); - -var dup77 = match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}"); - -var dup78 = match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}"); - -var dup79 = match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}"); - -var dup80 = match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - -var dup81 = match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}"); - -var dup82 = match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}"); - -var dup83 = match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); - -var dup84 = setc("eventcategory","1002020000"); - -var dup85 = setc("eventcategory","1002000000"); - -var dup86 = setc("eventcategory","1603110000"); - -var dup87 = match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}"); - -var dup88 = match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}"); - -var dup89 = match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}"); - -var dup90 = match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}"); - -var dup91 = setc("eventcategory","1613040200"); - -var dup92 = match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}"); - -var dup93 = match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}"); - -var dup94 = match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}"); - -var dup95 = match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}"); - -var dup96 = match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}"); - -var dup97 = setc("eventcategory","1613050200"); - -var dup98 = match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}"); - -var dup99 = match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}"); - -var dup100 = match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}"); - -var dup101 = match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}"); - -var dup102 = match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}"); - -var dup103 = match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}"); - -var dup104 = match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}"); - -var dup105 = match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}"); - -var dup106 = match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}"); - -var dup107 = match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}"); - -var dup108 = match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}"); - -var dup109 = match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}"); - -var dup110 = match("MESSAGE#163:00007:57/1_1", 
"nwparser.p0", "interval %{p0}"); - -var dup111 = match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}"); - -var dup112 = match("MESSAGE#163:00007:57/3_1", "nwparser.p0", "that %{p0}"); - -var dup113 = match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}"); - -var dup114 = match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}"); - -var dup115 = match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}"); - -var dup116 = match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}"); - -var dup117 = setc("eventcategory","1603090000"); - -var dup118 = match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}"); - -var dup119 = match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}"); - -var dup120 = match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}"); - -var dup121 = setc("eventcategory","1603030000"); - -var dup122 = match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}"); - -var dup123 = match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}"); - -var dup124 = match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface"); - -var dup125 = match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}"); - -var dup126 = match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}"); - -var dup127 = match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}"); - -var dup128 = match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}."); - -var dup129 = match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}"); - -var dup130 = match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}"); - -var dup131 = match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})"); - -var dup132 = match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); - -var dup133 = match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}"); - -var dup134 = match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}"); - -var dup135 = match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}"); - -var dup136 = match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}"); - -var dup137 = match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}"); - -var dup138 = match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}"); - -var dup139 = match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}"); - -var dup140 = match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}"); - -var dup141 = setc("eventcategory","1702030000"); - -var dup142 = match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}"); - -var dup143 = match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}"); - -var dup144 = setc("eventcategory","1601000000"); - -var dup145 = match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) "); - -var dup146 = date_time({ - dest: "event_time", - args: ["fld2"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], -}); - -var dup147 = setc("eventcategory","1103000000"); - -var dup148 = setc("ec_subject","NetworkComm"); - -var dup149 = setc("ec_activity","Scan"); - -var dup150 = setc("ec_theme","TEV"); - -var dup151 = setc("eventcategory","1103010000"); - -var dup152 = match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}"); - -var dup153 = match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}"); - -var dup154 = match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}"); - -var dup155 = match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}"); - -var dup156 = match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled %{p0}"); - -var dup157 = 
match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}"); - -var dup158 = match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}"); - -var dup159 = match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}"); - -var dup160 = match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}"); - -var dup161 = match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}"); - -var dup162 = match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}"); - -var dup163 = match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}"); - -var dup164 = match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})"); - -var dup165 = match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}"); - -var dup166 = match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}"); - -var dup167 = match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}"); - -var dup168 = match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}"); - -var dup169 = match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}"); - -var dup170 = match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}"); - -var dup171 = match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}"); - -var dup172 = match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}"); - -var dup173 = match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}"); - -var dup174 = match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}"); - -var dup175 = match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}"); - -var dup176 = match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}"); - -var dup177 = match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}"); - -var dup178 = match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}"); - -var dup179 = match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}"); - -var 
dup180 = match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}"); - -var dup181 = match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}"); - -var dup182 = match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}"); - -var dup183 = match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}"); - -var dup184 = setc("eventcategory","1603020000"); - -var dup185 = setc("eventcategory","1803000000"); - -var dup186 = match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}"); - -var dup187 = setc("eventcategory","1603010000"); - -var dup188 = setc("eventcategory","1603100000"); - -var dup189 = match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}"); - -var dup190 = match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}"); - -var dup191 = match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}"); - -var dup192 = match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}"); - -var dup193 = match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}"); - -var dup194 = match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}"); - -var dup195 = match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}"); - -var dup196 = match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}"); - -var dup197 = match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}"); - -var dup198 = setc("eventcategory","1801030000"); - -var dup199 = setc("eventcategory","1302010200"); - -var dup200 = match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}"); - -var dup201 = match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}"); - -var dup202 = match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}"); - -var dup203 = setc("eventcategory","1304000000"); - -var dup204 = match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}"); - -var dup205 = match("MESSAGE#446:00027/1_0", "nwparser.p0", "occurred for %{p0}"); - -var dup206 = setc("eventcategory","1401030000"); - -var dup207 = 
match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}"); - -var dup208 = match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}"); - -var dup209 = setc("eventcategory","1605020000"); - -var dup210 = match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}"); - -var dup211 = setc("ec_subject","Certificate"); - -var dup212 = match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}"); - -var dup213 = match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}"); - -var dup214 = match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}"); - -var dup215 = match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}"); - -var dup216 = match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}"); - -var dup217 = match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}"); - -var dup218 = setc("ec_subject","CryptoKey"); - -var dup219 = setc("ec_subject","Configuration"); - -var dup220 = setc("ec_activity","Request"); - -var dup221 = match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}"); - -var dup222 = match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}"); - -var dup223 = setc("eventcategory","1612000000"); - -var dup224 = match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}"); - -var dup225 = match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}"); - -var dup226 = match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}"); - -var dup227 = match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}"); - -var dup228 = match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}"); - -var dup229 = match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}"); - -var dup230 = match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}"); - -var dup231 = match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})"); - -var dup232 = setc("eventcategory","1201000000"); - -var dup233 = match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO 
%{p0}"); - -var dup234 = match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}"); - -var dup235 = match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}"); - -var dup236 = match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}"); - -var dup237 = match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}"); - -var dup238 = match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}"); - -var dup239 = match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - -var dup240 = setc("eventcategory","1401000000"); - -var dup241 = match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}"); - -var dup242 = match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}"); - -var dup243 = match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}"); - -var dup244 = match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}"); - -var dup245 = match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}"); - -var dup246 = match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}"); - -var dup247 = match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}"); - -var dup248 = match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}"); - -var dup249 = match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}"); - -var dup250 = match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}"); - -var dup251 = match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}"); - -var dup252 = match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}"); - -var dup253 = match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}"); - -var dup254 = setc("eventcategory","1608000000"); - -var dup255 = match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: %{p0}"); - -var dup256 = match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}"); - -var dup257 = match("MESSAGE#659:00044/1_0", 
"nwparser.p0", "permit %{p0}"); - -var dup258 = match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}"); - -var dup259 = match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}"); - -var dup260 = match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}"); - -var dup261 = match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}"); - -var dup262 = match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}"); - -var dup263 = match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}"); - -var dup264 = match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}"); - -var dup265 = match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}"); - -var dup266 = match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); - -var dup267 = match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}"); - -var dup268 = match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}"); - -var dup269 = match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}"); - -var dup270 = match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state"); - -var dup271 = match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); - -var dup272 = setc("eventcategory","1805010000"); - -var dup273 = setc("eventcategory","1805000000"); - -var dup274 = date_time({ - dest: "starttime", - args: ["fld2"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], -}); - -var dup275 = call({ - dest: "nwparser.bytes", - fn: CALC, - args: [ - field("sbytes"), - constant("+"), - field("rbytes"), - ], -}); - -var dup276 = setc("action","Deny"); - -var dup277 = setc("disposition","Deny"); - -var dup278 = setc("direction","outgoing"); - -var dup279 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$IN"), - field("saddr"), - field("daddr"), - field("sport"), - field("dport"), - ], -}); - -var dup280 = 
setc("direction","incoming"); - -var dup281 = setc("eventcategory","1801000000"); - -var dup282 = setf("action","disposition"); - -var dup283 = match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}"); - -var dup284 = match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}"); - -var dup285 = match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}"); - -var dup286 = match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr"); - -var dup287 = match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}"); - -var dup288 = match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}"); - -var dup289 = match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}"); - -var dup290 = setc("eventcategory","1401050200"); - -var dup291 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$IN"), - field("daddr"), - field("saddr"), - ], -}); - -var dup292 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$IN"), - field("daddr"), - field("saddr"), - field("dport"), - field("sport"), - ], -}); - -var dup293 = match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times."); - -var dup294 = match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times."); - -var dup295 = match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}"); - -var dup296 = match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - -var dup297 = setc("eventcategory","1204000000"); - -var dup298 = match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - -var dup299 = match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); - -var dup300 = match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})"); - -var dup301 = setc("eventcategory","1801020000"); - -var dup302 = setc("disposition","failed"); - -var dup303 = match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}"); - -var dup304 = match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}"); - -var dup305 = match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}"); - -var dup306 = match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}"); - -var dup307 = match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}"); - -var dup308 = match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}"); - -var dup309 = match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}"); - -var dup310 = match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}"); - -var dup311 = match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}"); - -var dup312 = match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}"); - -var dup313 = setc("eventcategory","1803020000"); - -var dup314 = setc("eventcategory","1613030000"); - -var dup315 = match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}"); - -var dup316 = match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}"); - -var dup317 = match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}"); - -var dup318 = match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}"); - -var dup319 = match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}"); - -var dup320 = match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}"); - -var dup321 = match("MESSAGE#932:00528:19/0", "nwparser.payload", "%{}S%{p0}"); - -var dup322 = match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}"); - -var dup323 = setc("event_description","Cannot connect to NSM server"); - -var dup324 
= setc("eventcategory","1603040000"); - -var dup325 = match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}"); - -var dup326 = match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}"); - -var dup327 = match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}"); - -var dup328 = match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}"); - -var dup329 = match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}"); - -var dup330 = match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}"); - -var dup331 = match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}"); - -var dup332 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$OUT"), - field("daddr"), - field("saddr"), - field("dport"), - field("sport"), - ], -}); - -var dup333 = linear_select([ - dup10, - dup11, -]); - -var dup334 = match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var dup335 = linear_select([ - dup13, - dup14, -]); - -var dup336 = linear_select([ - dup15, - dup16, -]); - -var dup337 = linear_select([ - dup56, - dup57, -]); - -var dup338 = linear_select([ - dup65, - dup66, -]); - -var dup339 = linear_select([ - dup68, - dup69, -]); - -var dup340 = linear_select([ - dup71, - dup72, -]); - -var dup341 = match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, -])); - -var dup342 = linear_select([ - dup74, - dup75, -]); - -var dup343 = linear_select([ - dup81, - dup82, -]); - -var dup344 = linear_select([ - dup24, - dup90, -]); - -var dup345 = linear_select([ - dup94, - dup95, -]); - -var dup346 = linear_select([ - dup98, - dup99, -]); - -var dup347 = linear_select([ - dup100, - dup101, - dup102, -]); - -var dup348 = linear_select([ - 
dup113, - dup114, -]); - -var dup349 = linear_select([ - dup111, - dup16, -]); - -var dup350 = linear_select([ - dup127, - dup107, -]); - -var dup351 = linear_select([ - dup8, - dup21, -]); - -var dup352 = linear_select([ - dup122, - dup133, -]); - -var dup353 = linear_select([ - dup142, - dup143, -]); - -var dup354 = linear_select([ - dup145, - dup21, -]); - -var dup355 = linear_select([ - dup127, - dup106, -]); - -var dup356 = linear_select([ - dup152, - dup96, -]); - -var dup357 = linear_select([ - dup154, - dup155, -]); - -var dup358 = linear_select([ - dup156, - dup157, -]); - -var dup359 = linear_select([ - dup99, - dup134, -]); - -var dup360 = linear_select([ - dup158, - dup159, -]); - -var dup361 = linear_select([ - dup161, - dup162, -]); - -var dup362 = linear_select([ - dup163, - dup103, -]); - -var dup363 = linear_select([ - dup162, - dup161, -]); - -var dup364 = linear_select([ - dup46, - dup47, -]); - -var dup365 = linear_select([ - dup166, - dup167, -]); - -var dup366 = linear_select([ - dup172, - dup173, -]); - -var dup367 = linear_select([ - dup174, - dup175, - dup176, - dup177, - dup178, - dup179, - dup180, - dup181, - dup182, -]); - -var dup368 = linear_select([ - dup49, - dup21, -]); - -var dup369 = linear_select([ - dup189, - dup190, -]); - -var dup370 = linear_select([ - dup96, - dup152, -]); - -var dup371 = linear_select([ - dup196, - dup197, -]); - -var dup372 = linear_select([ - dup24, - dup200, -]); - -var dup373 = linear_select([ - dup103, - dup163, -]); - -var dup374 = linear_select([ - dup205, - dup118, -]); - -var dup375 = match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var dup376 = linear_select([ - dup212, - dup213, -]); - -var dup377 = linear_select([ - dup215, - dup216, -]); - -var dup378 = linear_select([ - dup222, - dup215, -]); - -var dup379 = linear_select([ - dup224, - dup225, -]); 
- -var dup380 = linear_select([ - dup231, - dup124, -]); - -var dup381 = linear_select([ - dup229, - dup230, -]); - -var dup382 = linear_select([ - dup233, - dup234, -]); - -var dup383 = linear_select([ - dup236, - dup237, -]); - -var dup384 = linear_select([ - dup242, - dup243, -]); - -var dup385 = linear_select([ - dup245, - dup246, -]); - -var dup386 = linear_select([ - dup247, - dup248, -]); - -var dup387 = linear_select([ - dup249, - dup250, -]); - -var dup388 = linear_select([ - dup251, - dup252, -]); - -var dup389 = linear_select([ - dup260, - dup261, -]); - -var dup390 = linear_select([ - dup264, - dup265, -]); - -var dup391 = linear_select([ - dup268, - dup269, -]); - -var dup392 = match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var dup393 = linear_select([ - dup284, - dup285, -]); - -var dup394 = linear_select([ - dup287, - dup288, -]); - -var dup395 = match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup3, - dup60, -])); - -var dup396 = match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup4, - dup59, - dup5, - dup9, - dup2, - dup3, - dup60, -])); - -var dup397 = linear_select([ - dup300, - dup26, -]); - -var dup398 = linear_select([ - dup115, - dup303, -]); - -var dup399 = linear_select([ - dup125, - dup96, -]); - -var dup400 = linear_select([ - dup189, - dup308, - dup309, -]); - -var dup401 = linear_select([ - dup310, - dup16, -]); - -var dup402 = linear_select([ - dup317, - dup318, -]); - -var dup403 = linear_select([ - dup319, - dup315, -]); - -var dup404 = linear_select([ - dup322, - dup250, -]); - -var dup405 = linear_select([ - dup327, - dup329, -]); - -var dup406 = linear_select([ - dup330, - dup129, -]); - -var dup407 = match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup60, - dup282, -])); - -var dup408 = match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup60, -])); - -var dup409 = match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup60, - dup282, -])); - -var dup410 
= match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup61, -])); - -var dup411 = all_match({ - processors: [ - dup263, - dup390, - dup266, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var dup412 = all_match({ - processors: [ - dup267, - dup391, - dup270, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var dup413 = all_match({ - processors: [ - dup80, - dup343, - dup293, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), -}); - -var dup414 = all_match({ - processors: [ - dup296, - dup343, - dup131, - ], - on_success: processor_chain([ - dup297, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup61, - ]), -}); - -var dup415 = all_match({ - processors: [ - dup298, - dup343, - dup131, - ], - on_success: processor_chain([ - dup297, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup61, - ]), -}); - -var hdr1 = match("HEADER#0:0001", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [No Name]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ - setc("header_id","0001"), -])); - -var hdr2 = match("HEADER#1:0003", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [%{hvsys}]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ - setc("header_id","0003"), -])); - -var hdr3 = match("HEADER#2:0004", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ - setc("header_id","0004"), -])); - -var hdr4 = match("HEADER#3:0002/0", "message", "%{hfld1}: NetScreen 
device_id=%{hfld2->} %{p0}"); - -var part1 = match("HEADER#3:0002/1_0", "nwparser.p0", "[No Name]system%{p0}"); - -var part2 = match("HEADER#3:0002/1_1", "nwparser.p0", "[%{hvsys}]system%{p0}"); - -var part3 = match("HEADER#3:0002/1_2", "nwparser.p0", "system%{p0}"); - -var select1 = linear_select([ - part1, - part2, - part3, -]); - -var part4 = match("HEADER#3:0002/2", "nwparser.p0", "-%{hseverity}-%{messageid}: %{payload}"); - -var all1 = all_match({ - processors: [ - hdr4, - select1, - part4, - ], - on_success: processor_chain([ - setc("header_id","0002"), - ]), -}); - -var select2 = linear_select([ - hdr1, - hdr2, - hdr3, - all1, -]); - -var part5 = match("MESSAGE#0:00001", "nwparser.payload", "%{zone->} address %{interface->} with ip address %{hostip->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1 = msg("00001", part5); - -var part6 = match("MESSAGE#1:00001:01", "nwparser.payload", "%{zone->} address %{interface->} with domain name %{domain->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg2 = msg("00001:01", part6); - -var part7 = match("MESSAGE#2:00001:02/1_0", "nwparser.p0", "ip address %{hostip->} in zone %{p0}"); - -var select3 = linear_select([ - part7, - dup7, -]); - -var part8 = match("MESSAGE#2:00001:02/2", "nwparser.p0", "%{zone->} has been %{disposition}"); - -var all2 = all_match({ - processors: [ - dup6, - select3, - part8, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg3 = msg("00001:02", all2); - -var part9 = match("MESSAGE#3:00001:03", "nwparser.payload", "arp entry %{hostip->} interface changed!", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg4 = msg("00001:03", part9); - -var part10 = match("MESSAGE#4:00001:04/1_0", "nwparser.p0", "IP address %{hostip->} in zone %{p0}"); - -var select4 = linear_select([ - part10, - dup7, -]); - -var part11 = 
match("MESSAGE#4:00001:04/2", "nwparser.p0", "%{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} session%{p0}"); - -var part12 = match("MESSAGE#4:00001:04/3_1", "nwparser.p0", ".%{fld1}"); - -var select5 = linear_select([ - dup8, - part12, -]); - -var all3 = all_match({ - processors: [ - dup6, - select4, - part11, - select5, - ], - on_success: processor_chain([ - dup1, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg5 = msg("00001:04", all3); - -var part13 = match("MESSAGE#5:00001:05/0", "nwparser.payload", "%{fld2}: Address %{group_object->} for ip address %{hostip->} in zone %{zone->} has been %{disposition->} from host %{saddr->} session %{p0}"); - -var all4 = all_match({ - processors: [ - part13, - dup333, - ], - on_success: processor_chain([ - dup1, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg6 = msg("00001:05", all4); - -var part14 = match("MESSAGE#6:00001:06", "nwparser.payload", "Address group %{group_object->} %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg7 = msg("00001:06", part14); - -var msg8 = msg("00001:07", dup334); - -var part15 = match("MESSAGE#8:00001:08/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{p0}"); - -var part16 = match("MESSAGE#8:00001:08/4", "nwparser.p0", "%{} %{username}via NSRP Peer session. (%{fld1})"); - -var all5 = all_match({ - processors: [ - dup12, - dup335, - part15, - dup336, - part16, - ], - on_success: processor_chain([ - dup1, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg9 = msg("00001:08", all5); - -var part17 = match("MESSAGE#9:00001:09/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} session. 
(%{fld1})"); - -var all6 = all_match({ - processors: [ - dup12, - dup335, - part17, - ], - on_success: processor_chain([ - dup1, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg10 = msg("00001:09", all6); - -var select6 = linear_select([ - msg1, - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - msg8, - msg9, - msg10, -]); - -var part18 = match("MESSAGE#10:00002:03", "nwparser.payload", "Admin user %{administrator->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg11 = msg("00002:03", part18); - -var part19 = match("MESSAGE#11:00002:04", "nwparser.payload", "E-mail address %{user_address->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg12 = msg("00002:04", part19); - -var part20 = match("MESSAGE#12:00002:05", "nwparser.payload", "E-mail notification has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg13 = msg("00002:05", part20); - -var part21 = match("MESSAGE#13:00002:06", "nwparser.payload", "Inclusion of traffic logs with e-mail notification of event alarms has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg14 = msg("00002:06", part21); - -var part22 = match("MESSAGE#14:00002:07", "nwparser.payload", "LCD display has been %{action->} and the LCD control keys have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg15 = msg("00002:07", part22); - -var part23 = match("MESSAGE#15:00002:55", "nwparser.payload", "HTTP component blocking for %{fld2->} is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, -])); - -var msg16 = msg("00002:55", part23); - -var part24 = match("MESSAGE#16:00002:08", "nwparser.payload", "LCD display has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg17 = msg("00002:08", part24); - -var part25 = match("MESSAGE#17:00002:09", "nwparser.payload", "LCD control keys have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg18 = msg("00002:09", part25); - -var part26 = match("MESSAGE#18:00002:10", "nwparser.payload", "Mail server %{hostip->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg19 = msg("00002:10", part26); - -var part27 = match("MESSAGE#19:00002:11", "nwparser.payload", "Management restriction for %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, -])); - -var msg20 = msg("00002:11", part27); - -var part28 = match("MESSAGE#20:00002:12", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg21 = msg("00002:12", part28); - -var part29 = match("MESSAGE#21:00002:15", "nwparser.payload", "System configuration has been %{disposition}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, -])); - -var msg22 = msg("00002:15", part29); - -var msg23 = msg("00002:17", dup334); - -var part30 = match("MESSAGE#23:00002:18/0", "nwparser.payload", "Unexpected error from e%{p0}"); - -var part31 = match("MESSAGE#23:00002:18/1_0", "nwparser.p0", "-mail %{p0}"); - -var part32 = match("MESSAGE#23:00002:18/1_1", "nwparser.p0", "mail %{p0}"); - -var select7 = linear_select([ - part31, - part32, -]); - -var part33 = match("MESSAGE#23:00002:18/2", "nwparser.p0", "server(%{fld2}):"); - -var all7 = all_match({ - processors: [ - part30, - select7, - part33, - 
], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg24 = msg("00002:18", all7); - -var part34 = match("MESSAGE#24:00002:19", "nwparser.payload", "Web Admin %{change_attribute->} value has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg25 = msg("00002:19", part34); - -var part35 = match("MESSAGE#25:00002:20/0", "nwparser.payload", "Root admin password restriction of minimum %{fld2->} characters has been %{disposition->} by admin %{administrator->} %{p0}"); - -var part36 = match("MESSAGE#25:00002:20/1_0", "nwparser.p0", "from Console %{}"); - -var select8 = linear_select([ - part36, - dup20, - dup21, -]); - -var all8 = all_match({ - processors: [ - part35, - select8, - ], - on_success: processor_chain([ - dup22, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg26 = msg("00002:20", all8); - -var part37 = match("MESSAGE#26:00002:21/0_0", "nwparser.payload", "Root admin %{p0}"); - -var part38 = match("MESSAGE#26:00002:21/0_1", "nwparser.payload", "%{fld2->} admin %{p0}"); - -var select9 = linear_select([ - part37, - part38, -]); - -var select10 = linear_select([ - dup24, - dup25, -]); - -var part39 = match("MESSAGE#26:00002:21/3", "nwparser.p0", "has been changed by admin %{administrator}"); - -var all9 = all_match({ - processors: [ - select9, - dup23, - select10, - part39, - ], - on_success: processor_chain([ - dup22, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg27 = msg("00002:21", all9); - -var part40 = match("MESSAGE#27:00002:22/0", "nwparser.payload", "%{change_attribute->} from %{protocol->} before administrative session disconnects has been changed from %{change_old->} to %{change_new->} by admin %{p0}"); - -var part41 = match("MESSAGE#27:00002:22/1_0", "nwparser.p0", "%{administrator->} from Console"); - -var part42 = match("MESSAGE#27:00002:22/1_1", "nwparser.p0", "%{administrator->} from host %{saddr}"); - -var select11 = 
linear_select([ - part41, - part42, - dup26, -]); - -var all10 = all_match({ - processors: [ - part40, - select11, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg28 = msg("00002:22", all10); - -var part43 = match("MESSAGE#28:00002:23/0", "nwparser.payload", "Root admin access restriction through console only has been %{disposition->} by admin %{administrator->} %{p0}"); - -var part44 = match("MESSAGE#28:00002:23/1_1", "nwparser.p0", "from Console%{}"); - -var select12 = linear_select([ - dup20, - part44, - dup21, -]); - -var all11 = all_match({ - processors: [ - part43, - select12, - ], - on_success: processor_chain([ - dup22, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg29 = msg("00002:23", all11); - -var part45 = match("MESSAGE#29:00002:24/0", "nwparser.payload", "Admin access restriction of %{protocol->} administration through tunnel only has been %{disposition->} by admin %{administrator->} from %{p0}"); - -var part46 = match("MESSAGE#29:00002:24/1_0", "nwparser.p0", "host %{saddr}"); - -var part47 = match("MESSAGE#29:00002:24/1_1", "nwparser.p0", "Console%{}"); - -var select13 = linear_select([ - part46, - part47, -]); - -var all12 = all_match({ - processors: [ - part45, - select13, - ], - on_success: processor_chain([ - dup22, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg30 = msg("00002:24", all12); - -var part48 = match("MESSAGE#30:00002:25", "nwparser.payload", "Admin AUTH: Local instance of an %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - setc("eventcategory","1402000000"), - dup2, - dup3, - dup4, - dup5, -])); - -var msg31 = msg("00002:25", part48); - -var part49 = match("MESSAGE#31:00002:26", "nwparser.payload", "Cannot connect to e-mail server %{hostip}.", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, -])); - -var msg32 = msg("00002:26", part49); - -var part50 = match("MESSAGE#32:00002:27", "nwparser.payload", "Mail server 
is not configured.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, -])); - -var msg33 = msg("00002:27", part50); - -var part51 = match("MESSAGE#33:00002:28", "nwparser.payload", "Mail recipients were not configured.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, -])); - -var msg34 = msg("00002:28", part51); - -var part52 = match("MESSAGE#34:00002:29", "nwparser.payload", "Single use password restriction for read-write administrators has been %{disposition->} by admin %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg35 = msg("00002:29", part52); - -var part53 = match("MESSAGE#35:00002:30", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([ - dup28, - dup29, - dup30, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, -])); - -var msg36 = msg("00002:30", part53); - -var part54 = match("MESSAGE#36:00002:41", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([ - dup33, - dup29, - dup34, - dup2, - dup3, - dup4, - dup5, -])); - -var msg37 = msg("00002:41", part54); - -var part55 = match("MESSAGE#37:00002:31", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} %{space->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([ - dup35, - dup29, - dup30, - dup31, - dup2, - dup3, - dup4, - dup5, -])); - -var msg38 = msg("00002:31", part55); - -var part56 = match("MESSAGE#38:00002:32/0_0", "nwparser.payload", "E-mail notification %{p0}"); - -var part57 = match("MESSAGE#38:00002:32/0_1", "nwparser.payload", "Transparent virutal %{p0}"); - -var select14 = linear_select([ - part56, - part57, -]); - -var part58 = match("MESSAGE#38:00002:32/1", "nwparser.p0", "wire 
mode has been %{disposition}"); - -var all13 = all_match({ - processors: [ - select14, - part58, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg39 = msg("00002:32", all13); - -var part59 = match("MESSAGE#39:00002:35", "nwparser.payload", "Malicious URL %{url->} has been %{disposition->} for zone %{zone}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg40 = msg("00002:35", part59); - -var part60 = match("MESSAGE#40:00002:36/0", "nwparser.payload", "Bypass%{p0}"); - -var part61 = match("MESSAGE#40:00002:36/1_0", "nwparser.p0", "-others-IPSec %{p0}"); - -var part62 = match("MESSAGE#40:00002:36/1_1", "nwparser.p0", " non-IP traffic %{p0}"); - -var select15 = linear_select([ - part61, - part62, -]); - -var part63 = match("MESSAGE#40:00002:36/2", "nwparser.p0", "option has been %{disposition}"); - -var all14 = all_match({ - processors: [ - part60, - select15, - part63, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg41 = msg("00002:36", all14); - -var part64 = match("MESSAGE#41:00002:37/0", "nwparser.payload", "Logging of %{p0}"); - -var part65 = match("MESSAGE#41:00002:37/1_0", "nwparser.p0", "dropped %{p0}"); - -var part66 = match("MESSAGE#41:00002:37/1_1", "nwparser.p0", "IKE %{p0}"); - -var part67 = match("MESSAGE#41:00002:37/1_2", "nwparser.p0", "SNMP %{p0}"); - -var part68 = match("MESSAGE#41:00002:37/1_3", "nwparser.p0", "ICMP %{p0}"); - -var select16 = linear_select([ - part65, - part66, - part67, - part68, -]); - -var part69 = match("MESSAGE#41:00002:37/2", "nwparser.p0", "traffic to self has been %{disposition}"); - -var all15 = all_match({ - processors: [ - part64, - select16, - part69, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg42 = msg("00002:37", all15); - -var part70 = match("MESSAGE#42:00002:38/0", "nwparser.payload", "Logging of dropped traffic to self (excluding multicast) 
has been %{p0}"); - -var part71 = match("MESSAGE#42:00002:38/1_0", "nwparser.p0", "%{disposition->} on %{zone}"); - -var select17 = linear_select([ - part71, - dup36, -]); - -var all16 = all_match({ - processors: [ - part70, - select17, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg43 = msg("00002:38", all16); - -var part72 = match("MESSAGE#43:00002:39", "nwparser.payload", "Traffic shaping is %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg44 = msg("00002:39", part72); - -var part73 = match("MESSAGE#44:00002:40", "nwparser.payload", "Admin account created for '%{username}' by %{administrator->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([ - dup37, - dup29, - setc("ec_activity","Create"), - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg45 = msg("00002:40", part73); - -var part74 = match("MESSAGE#45:00002:44", "nwparser.payload", "ADMIN AUTH: Privilege requested for unknown user %{username}. 
Possible HA syncronization problem.", processor_chain([ - dup35, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, -])); - -var msg46 = msg("00002:44", part74); - -var part75 = match("MESSAGE#46:00002:42/0", "nwparser.payload", "%{change_attribute->} for account '%{change_old}' has been %{disposition->} to '%{change_new}' %{p0}"); - -var part76 = match("MESSAGE#46:00002:42/1_0", "nwparser.p0", "by %{administrator->} via %{p0}"); - -var select18 = linear_select([ - part76, - dup40, -]); - -var part77 = match("MESSAGE#46:00002:42/2", "nwparser.p0", "%{logon_type->} from host %{p0}"); - -var part78 = match("MESSAGE#46:00002:42/3_0", "nwparser.p0", "%{saddr->} to %{daddr}:%{dport->} (%{p0}"); - -var part79 = match("MESSAGE#46:00002:42/3_1", "nwparser.p0", "%{saddr}:%{sport->} (%{p0}"); - -var select19 = linear_select([ - part78, - part79, -]); - -var all17 = all_match({ - processors: [ - part75, - select18, - part77, - select19, - dup41, - ], - on_success: processor_chain([ - dup42, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg47 = msg("00002:42", all17); - -var part80 = match("MESSAGE#47:00002:43/0", "nwparser.payload", "Admin account %{disposition->} for %{p0}"); - -var part81 = match("MESSAGE#47:00002:43/1_0", "nwparser.p0", "'%{username}'%{p0}"); - -var part82 = match("MESSAGE#47:00002:43/1_1", "nwparser.p0", "\"%{username}\"%{p0}"); - -var select20 = linear_select([ - part81, - part82, -]); - -var part83 = match("MESSAGE#47:00002:43/2", "nwparser.p0", "%{}by %{administrator->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); - -var all18 = all_match({ - processors: [ - part80, - select20, - part83, - ], - on_success: processor_chain([ - dup42, - dup29, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg48 = msg("00002:43", all18); - -var part84 = match("MESSAGE#48:00002:50", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by %{administrator->} via 
%{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([ - dup42, - dup29, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg49 = msg("00002:50", part84); - -var part85 = match("MESSAGE#49:00002:51", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by %{administrator->} %{fld2->} via %{logon_type->} (%{fld1})", processor_chain([ - dup42, - dup29, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg50 = msg("00002:51", part85); - -var part86 = match("MESSAGE#50:00002:45", "nwparser.payload", "Extraneous exit is issued by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg51 = msg("00002:45", part86); - -var part87 = match("MESSAGE#51:00002:47/0_0", "nwparser.payload", "Ping of Death attack protection %{p0}"); - -var part88 = match("MESSAGE#51:00002:47/0_1", "nwparser.payload", "Src Route IP option filtering %{p0}"); - -var part89 = match("MESSAGE#51:00002:47/0_2", "nwparser.payload", "Teardrop attack protection %{p0}"); - -var part90 = match("MESSAGE#51:00002:47/0_3", "nwparser.payload", "Land attack protection %{p0}"); - -var part91 = match("MESSAGE#51:00002:47/0_4", "nwparser.payload", "SYN flood protection %{p0}"); - -var select21 = linear_select([ - part87, - part88, - part89, - part90, - part91, -]); - -var part92 = match("MESSAGE#51:00002:47/1", "nwparser.p0", "is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})"); - -var all19 = all_match({ - processors: [ - select21, - part92, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg52 = msg("00002:47", all19); - -var part93 = match("MESSAGE#52:00002:48/0", "nwparser.payload", "Dropping pkts if not %{p0}"); - -var part94 = match("MESSAGE#52:00002:48/1_0", "nwparser.p0", "exactly same with incoming if %{p0}"); - -var part95 = match("MESSAGE#52:00002:48/1_1", "nwparser.p0", "in route table %{p0}"); - -var select22 = linear_select([ - part94, - part95, -]); - -var part96 = match("MESSAGE#52:00002:48/2", "nwparser.p0", "(IP spoof protection) is %{disposition->} on zone %{zone->} by %{username->} via %{p0}"); - -var part97 = match("MESSAGE#52:00002:48/3_0", "nwparser.p0", "NSRP Peer. (%{p0}"); - -var select23 = linear_select([ - part97, - dup45, -]); - -var all20 = all_match({ - processors: [ - part93, - select22, - part96, - select23, - dup41, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg53 = msg("00002:48", all20); - -var part98 = match("MESSAGE#53:00002:52/0", "nwparser.payload", "%{signame->} %{p0}"); - -var part99 = match("MESSAGE#53:00002:52/1_0", "nwparser.p0", "protection%{p0}"); - -var part100 = match("MESSAGE#53:00002:52/1_1", "nwparser.p0", "limiting%{p0}"); - -var part101 = match("MESSAGE#53:00002:52/1_2", "nwparser.p0", "detection%{p0}"); - -var part102 = match("MESSAGE#53:00002:52/1_3", "nwparser.p0", "filtering %{p0}"); - -var select24 = linear_select([ - part99, - part100, - part101, - part102, -]); - -var part103 = match("MESSAGE#53:00002:52/2", "nwparser.p0", "%{}is %{disposition->} on zone %{zone->} by %{p0}"); - -var part104 = match("MESSAGE#53:00002:52/3_1", "nwparser.p0", "admin via %{p0}"); - -var select25 = linear_select([ - dup46, - part104, - dup47, -]); - -var select26 = linear_select([ - dup48, - dup45, -]); - -var all21 = all_match({ - processors: [ - part98, - select24, - 
part103, - select25, - select26, - dup41, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg54 = msg("00002:52", all21); - -var part105 = match("MESSAGE#54:00002:53", "nwparser.payload", "Admin password for account \"%{username}\" has been %{disposition->} by %{administrator->} via %{logon_type->} (%{fld1})", processor_chain([ - dup42, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg55 = msg("00002:53", part105); - -var part106 = match("MESSAGE#55:00002:54/0", "nwparser.payload", "Traffic shaping clearing DSCP selector is turned O%{p0}"); - -var part107 = match("MESSAGE#55:00002:54/1_0", "nwparser.p0", "FF%{p0}"); - -var part108 = match("MESSAGE#55:00002:54/1_1", "nwparser.p0", "N%{p0}"); - -var select27 = linear_select([ - part107, - part108, -]); - -var all22 = all_match({ - processors: [ - part106, - select27, - dup49, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - dup9, - ]), -}); - -var msg56 = msg("00002:54", all22); - -var part109 = match("MESSAGE#56:00002/0", "nwparser.payload", "%{change_attribute->} %{p0}"); - -var part110 = match("MESSAGE#56:00002/1_0", "nwparser.p0", "has been changed%{p0}"); - -var select28 = linear_select([ - part110, - dup52, -]); - -var part111 = match("MESSAGE#56:00002/2", "nwparser.p0", "%{}from %{change_old->} to %{change_new}"); - -var all23 = all_match({ - processors: [ - part109, - select28, - part111, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg57 = msg("00002", all23); - -var part112 = match("MESSAGE#1215:00002:56", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed. 
(%{fld1})", processor_chain([ - dup53, - dup9, - dup2, - dup3, - dup4, - dup5, -])); - -var msg58 = msg("00002:56", part112); - -var select29 = linear_select([ - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - msg18, - msg19, - msg20, - msg21, - msg22, - msg23, - msg24, - msg25, - msg26, - msg27, - msg28, - msg29, - msg30, - msg31, - msg32, - msg33, - msg34, - msg35, - msg36, - msg37, - msg38, - msg39, - msg40, - msg41, - msg42, - msg43, - msg44, - msg45, - msg46, - msg47, - msg48, - msg49, - msg50, - msg51, - msg52, - msg53, - msg54, - msg55, - msg56, - msg57, - msg58, -]); - -var part113 = match("MESSAGE#57:00003", "nwparser.payload", "Multiple authentication failures have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([ - dup53, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, -])); - -var msg59 = msg("00003", part113); - -var part114 = match("MESSAGE#58:00003:01", "nwparser.payload", "Multiple authentication failures have been detected!%{}", processor_chain([ - dup53, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, -])); - -var msg60 = msg("00003:01", part114); - -var part115 = match("MESSAGE#59:00003:02", "nwparser.payload", "The console debug buffer has been %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg61 = msg("00003:02", part115); - -var part116 = match("MESSAGE#60:00003:03", "nwparser.payload", "%{change_attribute->} changed from %{change_old->} to %{change_new}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg62 = msg("00003:03", part116); - -var part117 = match("MESSAGE#61:00003:05/1_0", "nwparser.p0", "serial%{p0}"); - -var part118 = match("MESSAGE#61:00003:05/1_1", "nwparser.p0", "local%{p0}"); - -var select30 = linear_select([ - part117, - part118, -]); - -var part119 = match("MESSAGE#61:00003:05/2", "nwparser.p0", "%{}console has been %{disposition->} by admin 
%{administrator}."); - -var all24 = all_match({ - processors: [ - dup55, - select30, - part119, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg63 = msg("00003:05", all24); - -var select31 = linear_select([ - msg59, - msg60, - msg61, - msg62, - msg63, -]); - -var part120 = match("MESSAGE#62:00004", "nwparser.payload", "%{info}DNS server IP has been changed", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg64 = msg("00004", part120); - -var part121 = match("MESSAGE#63:00004:01", "nwparser.payload", "DNS cache table has been %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg65 = msg("00004:01", part121); - -var part122 = match("MESSAGE#64:00004:02", "nwparser.payload", "Daily DNS lookup has been %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg66 = msg("00004:02", part122); - -var part123 = match("MESSAGE#65:00004:03", "nwparser.payload", "Daily DNS lookup time has been %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg67 = msg("00004:03", part123); - -var part124 = match("MESSAGE#66:00004:04/0", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr->} to %{daddr->} using protocol %{protocol->} on %{p0}"); - -var part125 = match("MESSAGE#66:00004:04/2", "nwparser.p0", "%{} %{interface->} %{space}The attack occurred %{dclass_counter1->} times"); - -var all25 = all_match({ - processors: [ - part124, - dup337, - part125, - ], - on_success: processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup59, - dup3, - dup60, - ]), -}); - -var msg68 = msg("00004:04", all25); - -var part126 = match("MESSAGE#67:00004:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol}", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup3, - dup61, -])); - -var msg69 = msg("00004:05", part126); - -var part127 = match("MESSAGE#68:00004:06", "nwparser.payload", "DNS lookup time has been changed to start at %{fld2}:%{fld3->} with an interval of %{fld4}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg70 = msg("00004:06", part127); - -var part128 = match("MESSAGE#69:00004:07", "nwparser.payload", "DNS cache table entries have been refreshed as result of external event.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg71 = msg("00004:07", part128); - -var part129 = match("MESSAGE#70:00004:08", "nwparser.payload", "DNS Proxy module has been %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg72 = msg("00004:08", part129); - -var part130 = match("MESSAGE#71:00004:09", "nwparser.payload", "DNS Proxy module has more concurrent client requests than allowed.%{}", processor_chain([ - dup62, - dup2, - dup3, - dup4, - dup5, -])); - -var msg73 = msg("00004:09", part130); - -var part131 = match("MESSAGE#72:00004:10", "nwparser.payload", "DNS Proxy server select table entries exceeded maximum limit.%{}", processor_chain([ - dup62, - dup2, - dup3, - dup4, - dup5, -])); - -var msg74 = msg("00004:10", part131); - -var part132 = match("MESSAGE#73:00004:11", "nwparser.payload", "Proxy server 
select table added with domain %{domain}, interface %{interface}, primary-ip %{fld2}, secondary-ip %{fld3}, tertiary-ip %{fld4}, failover %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg75 = msg("00004:11", part132); - -var part133 = match("MESSAGE#74:00004:12", "nwparser.payload", "DNS Proxy server select table entry %{disposition->} with domain %{domain}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg76 = msg("00004:12", part133); - -var part134 = match("MESSAGE#75:00004:13", "nwparser.payload", "DDNS server %{domain->} returned incorrect ip %{fld2}, local-ip should be %{fld3}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg77 = msg("00004:13", part134); - -var part135 = match("MESSAGE#76:00004:14/1_0", "nwparser.p0", "automatically refreshed %{p0}"); - -var part136 = match("MESSAGE#76:00004:14/1_1", "nwparser.p0", "refreshed by HA %{p0}"); - -var select32 = linear_select([ - part135, - part136, -]); - -var all26 = all_match({ - processors: [ - dup63, - select32, - dup49, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg78 = msg("00004:14", all26); - -var part137 = match("MESSAGE#77:00004:15", "nwparser.payload", "DNS entries have been refreshed as result of DNS server address change. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg79 = msg("00004:15", part137); - -var part138 = match("MESSAGE#78:00004:16", "nwparser.payload", "DNS entries have been manually refreshed. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg80 = msg("00004:16", part138); - -var all27 = all_match({ - processors: [ - dup64, - dup338, - dup67, - ], - on_success: processor_chain([ - dup58, - dup2, - dup4, - dup59, - dup9, - dup5, - dup3, - dup60, - ]), -}); - -var msg81 = msg("00004:17", all27); - -var select33 = linear_select([ - msg64, - msg65, - msg66, - msg67, - msg68, - msg69, - msg70, - msg71, - msg72, - msg73, - msg74, - msg75, - msg76, - msg77, - msg78, - msg79, - msg80, - msg81, -]); - -var part139 = match("MESSAGE#80:00005", "nwparser.payload", "%{signame->} alarm threshold from the same source has been changed to %{trigger_val}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg82 = msg("00005", part139); - -var part140 = match("MESSAGE#81:00005:01", "nwparser.payload", "Logging of %{fld2->} traffic to self has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg83 = msg("00005:01", part140); - -var part141 = match("MESSAGE#82:00005:02", "nwparser.payload", "SYN flood %{fld2->} has been changed to %{fld3}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg84 = msg("00005:02", part141); - -var part142 = match("MESSAGE#83:00005:03/0", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{p0}"); - -var part143 = match("MESSAGE#83:00005:03/4", "nwparser.p0", "%{fld99}interface %{interface->} %{p0}"); - -var part144 = match("MESSAGE#83:00005:03/5_0", "nwparser.p0", "in zone %{zone}. 
%{p0}"); - -var select34 = linear_select([ - part144, - dup73, -]); - -var part145 = match("MESSAGE#83:00005:03/6", "nwparser.p0", "%{space}The attack occurred %{dclass_counter1->} times"); - -var all28 = all_match({ - processors: [ - part142, - dup339, - dup70, - dup340, - part143, - select34, - part145, - ], - on_success: processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup61, - ]), -}); - -var msg85 = msg("00005:03", all28); - -var msg86 = msg("00005:04", dup341); - -var part146 = match("MESSAGE#85:00005:05", "nwparser.payload", "SYN flood drop pak in %{fld2->} mode when receiving unknown dst mac has been %{disposition->} on %{zone}.", processor_chain([ - setc("eventcategory","1001020100"), - dup2, - dup3, - dup4, - dup5, -])); - -var msg87 = msg("00005:05", part146); - -var part147 = match("MESSAGE#86:00005:06/1", "nwparser.p0", "flood timeout has been set to %{trigger_val->} on %{zone}."); - -var all29 = all_match({ - processors: [ - dup342, - part147, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg88 = msg("00005:06", all29); - -var part148 = match("MESSAGE#87:00005:07/0", "nwparser.payload", "SYN flood %{p0}"); - -var part149 = match("MESSAGE#87:00005:07/1_0", "nwparser.p0", "alarm threshold %{p0}"); - -var part150 = match("MESSAGE#87:00005:07/1_1", "nwparser.p0", "packet queue size %{p0}"); - -var part151 = match("MESSAGE#87:00005:07/1_3", "nwparser.p0", "attack threshold %{p0}"); - -var part152 = match("MESSAGE#87:00005:07/1_4", "nwparser.p0", "same source IP threshold %{p0}"); - -var select35 = linear_select([ - part149, - part150, - dup76, - part151, - part152, -]); - -var part153 = match("MESSAGE#87:00005:07/2", "nwparser.p0", "is set to %{trigger_val}."); - -var all30 = all_match({ - processors: [ - part148, - select35, - part153, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg89 = msg("00005:07", all30); - -var part154 = 
match("MESSAGE#88:00005:08/1", "nwparser.p0", "flood same %{p0}"); - -var select36 = linear_select([ - dup77, - dup78, -]); - -var part155 = match("MESSAGE#88:00005:08/3", "nwparser.p0", "ip threshold has been set to %{trigger_val->} on %{zone}."); - -var all31 = all_match({ - processors: [ - dup342, - part154, - select36, - part155, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg90 = msg("00005:08", all31); - -var part156 = match("MESSAGE#89:00005:09", "nwparser.payload", "Screen service %{service->} is %{disposition->} on interface %{interface}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg91 = msg("00005:09", part156); - -var part157 = match("MESSAGE#90:00005:10", "nwparser.payload", "Screen service %{service->} is %{disposition->} on %{zone}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg92 = msg("00005:10", part157); - -var part158 = match("MESSAGE#91:00005:11/0", "nwparser.payload", "The SYN flood %{p0}"); - -var part159 = match("MESSAGE#91:00005:11/1_0", "nwparser.p0", "alarm threshold%{}"); - -var part160 = match("MESSAGE#91:00005:11/1_1", "nwparser.p0", "packet queue size%{}"); - -var part161 = match("MESSAGE#91:00005:11/1_2", "nwparser.p0", "timeout value%{}"); - -var part162 = match("MESSAGE#91:00005:11/1_3", "nwparser.p0", "attack threshold%{}"); - -var part163 = match("MESSAGE#91:00005:11/1_4", "nwparser.p0", "same source IP%{}"); - -var select37 = linear_select([ - part159, - part160, - part161, - part162, - part163, -]); - -var all32 = all_match({ - processors: [ - part158, - select37, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg93 = msg("00005:11", all32); - -var part164 = match("MESSAGE#92:00005:12", "nwparser.payload", "The SYN-ACK-ACK proxy threshold value has been set to %{trigger_val->} on %{interface}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg94 = 
msg("00005:12", part164); - -var part165 = match("MESSAGE#93:00005:13", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg95 = msg("00005:13", part165); - -var part166 = match("MESSAGE#94:00005:14", "nwparser.payload", "syn proxy drop packet with unknown mac!%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg96 = msg("00005:14", part166); - -var part167 = match("MESSAGE#95:00005:15", "nwparser.payload", "%{signame->} alarm threshold has been changed to %{trigger_val}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg97 = msg("00005:15", part167); - -var part168 = match("MESSAGE#96:00005:16", "nwparser.payload", "%{signame->} threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg98 = msg("00005:16", part168); - -var part169 = match("MESSAGE#97:00005:17/1_0", "nwparser.p0", "destination-based %{p0}"); - -var part170 = match("MESSAGE#97:00005:17/1_1", "nwparser.p0", "source-based %{p0}"); - -var select38 = linear_select([ - part169, - part170, -]); - -var part171 = match("MESSAGE#97:00005:17/2", "nwparser.p0", "session-limit threshold has been set at %{trigger_val->} in zone %{zone}."); - -var all33 = all_match({ - processors: [ - dup79, - select38, - part171, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg99 = msg("00005:17", all33); - -var all34 = all_match({ - processors: [ - dup80, - dup343, - dup83, - ], - on_success: processor_chain([ - dup84, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - dup61, - ]), -}); - -var msg100 = msg("00005:18", all34); - -var part172 = match("MESSAGE#99:00005:19", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone 
%{dst_zone}.The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup84, - dup2, - dup3, - dup4, - dup5, - dup59, - dup61, -])); - -var msg101 = msg("00005:19", part172); - -var part173 = match("MESSAGE#100:00005:20", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} int %{interface}).%{space->} Occurred %{fld2->} times. (%{fld1})\u003c\u003c%{fld6}>", processor_chain([ - dup84, - dup9, - dup2, - dup3, - dup4, - dup5, -])); - -var msg102 = msg("00005:20", part173); - -var select39 = linear_select([ - msg82, - msg83, - msg84, - msg85, - msg86, - msg87, - msg88, - msg89, - msg90, - msg91, - msg92, - msg93, - msg94, - msg95, - msg96, - msg97, - msg98, - msg99, - msg100, - msg101, - msg102, -]); - -var part174 = match("MESSAGE#101:00006", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup85, - dup2, - dup3, - dup4, - dup59, - dup5, - dup61, -])); - -var msg103 = msg("00006", part174); - -var part175 = match("MESSAGE#102:00006:01", "nwparser.payload", "Hostname set to \"%{hostname}\"", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg104 = msg("00006:01", part175); - -var part176 = match("MESSAGE#103:00006:02", "nwparser.payload", "Domain set to %{domain}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg105 = msg("00006:02", part176); - -var part177 = match("MESSAGE#104:00006:03", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg106 = msg("00006:03", part177); - -var part178 = match("MESSAGE#105:00006:04/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); - -var all35 = all_match({ - 
processors: [ - part178, - dup338, - dup67, - ], - on_success: processor_chain([ - dup84, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - dup61, - ]), -}); - -var msg107 = msg("00006:04", all35); - -var all36 = all_match({ - processors: [ - dup64, - dup338, - dup67, - ], - on_success: processor_chain([ - dup84, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - dup60, - ]), -}); - -var msg108 = msg("00006:05", all36); - -var select40 = linear_select([ - msg103, - msg104, - msg105, - msg106, - msg107, - msg108, -]); - -var part179 = match("MESSAGE#107:00007", "nwparser.payload", "HA cluster ID has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg109 = msg("00007", part179); - -var part180 = match("MESSAGE#108:00007:01", "nwparser.payload", "%{change_attribute->} of the local NetScreen device has changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg110 = msg("00007:01", part180); - -var part181 = match("MESSAGE#109:00007:02/0", "nwparser.payload", "HA state of the local device has changed to backup because a device with a %{p0}"); - -var part182 = match("MESSAGE#109:00007:02/1_0", "nwparser.p0", "higher priority has been detected%{}"); - -var part183 = match("MESSAGE#109:00007:02/1_1", "nwparser.p0", "lower MAC value has been detected%{}"); - -var select41 = linear_select([ - part182, - part183, -]); - -var all37 = all_match({ - processors: [ - part181, - select41, - ], - on_success: processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg111 = msg("00007:02", all37); - -var part184 = match("MESSAGE#110:00007:03", "nwparser.payload", "HA state of the local device has changed to init because IP tracking has failed%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, -])); - -var msg112 = msg("00007:03", part184); - -var select42 = linear_select([ - dup88, - dup89, -]); - -var part185 = 
match("MESSAGE#111:00007:04/4", "nwparser.p0", "has been changed%{}"); - -var all38 = all_match({ - processors: [ - dup87, - select42, - dup23, - dup344, - part185, - ], - on_success: processor_chain([ - dup91, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg113 = msg("00007:04", all38); - -var part186 = match("MESSAGE#112:00007:05", "nwparser.payload", "HA: Local NetScreen device has been elected backup because a master already exists%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg114 = msg("00007:05", part186); - -var part187 = match("MESSAGE#113:00007:06", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its MAC value is higher than those of other devices in the cluster%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg115 = msg("00007:06", part187); - -var part188 = match("MESSAGE#114:00007:07", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its priority value is higher than those of other devices in the cluster%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg116 = msg("00007:07", part188); - -var part189 = match("MESSAGE#115:00007:08", "nwparser.payload", "HA: Local device has been elected master because no other master exists%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg117 = msg("00007:08", part189); - -var part190 = match("MESSAGE#116:00007:09", "nwparser.payload", "HA: Local device priority has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg118 = msg("00007:09", part190); - -var part191 = match("MESSAGE#117:00007:10", "nwparser.payload", "HA: Previous master has promoted the local NetScreen device to master%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg119 = msg("00007:10", part191); - -var part192 = match("MESSAGE#118:00007:11/0", "nwparser.payload", "IP tracking device failover 
threshold has been %{p0}"); - -var select43 = linear_select([ - dup92, - dup93, -]); - -var all39 = all_match({ - processors: [ - part192, - select43, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg120 = msg("00007:11", all39); - -var part193 = match("MESSAGE#119:00007:12", "nwparser.payload", "IP tracking has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg121 = msg("00007:12", part193); - -var part194 = match("MESSAGE#120:00007:13", "nwparser.payload", "IP tracking to %{hostip->} with interval %{fld2->} threshold %{trigger_val->} weight %{fld4->} interface %{interface->} method %{fld5->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg122 = msg("00007:13", part194); - -var part195 = match("MESSAGE#121:00007:14", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup85, - dup2, - dup3, - dup4, - dup59, - dup5, - dup60, -])); - -var msg123 = msg("00007:14", part195); - -var part196 = match("MESSAGE#122:00007:15", "nwparser.payload", "Primary HA interface has been changed to %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg124 = msg("00007:15", part196); - -var part197 = match("MESSAGE#123:00007:16", "nwparser.payload", "Reporting of HA configuration and status changes to NetScreen-Global Manager has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg125 = msg("00007:16", part197); - -var part198 = match("MESSAGE#124:00007:17", "nwparser.payload", "Tracked IP %{hostip->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg126 = msg("00007:17", part198); - -var part199 = match("MESSAGE#125:00007:18/0", "nwparser.payload", "Tracked 
IP %{hostip->} options have been changed from int %{fld2->} thr %{fld3->} wgt %{fld4->} inf %{fld5->} %{p0}"); - -var part200 = match("MESSAGE#125:00007:18/1_0", "nwparser.p0", "ping %{p0}"); - -var part201 = match("MESSAGE#125:00007:18/1_1", "nwparser.p0", "ARP %{p0}"); - -var select44 = linear_select([ - part200, - part201, -]); - -var part202 = match("MESSAGE#125:00007:18/2", "nwparser.p0", "to %{fld6->} %{p0}"); - -var part203 = match("MESSAGE#125:00007:18/3_0", "nwparser.p0", "ping%{}"); - -var part204 = match("MESSAGE#125:00007:18/3_1", "nwparser.p0", "ARP%{}"); - -var select45 = linear_select([ - part203, - part204, -]); - -var all40 = all_match({ - processors: [ - part199, - select44, - part202, - select45, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg127 = msg("00007:18", all40); - -var part205 = match("MESSAGE#126:00007:20", "nwparser.payload", "Change %{change_attribute->} path from %{change_old->} to %{change_new}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg128 = msg("00007:20", part205); - -var part206 = match("MESSAGE#127:00007:21/0", "nwparser.payload", "HA Slave is %{p0}"); - -var all41 = all_match({ - processors: [ - part206, - dup345, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg129 = msg("00007:21", all41); - -var part207 = match("MESSAGE#128:00007:22", "nwparser.payload", "HA change group id to %{groupid}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg130 = msg("00007:22", part207); - -var part208 = match("MESSAGE#129:00007:23", "nwparser.payload", "HA change priority to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg131 = msg("00007:23", part208); - -var part209 = match("MESSAGE#130:00007:24", "nwparser.payload", "HA change state to init%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg132 = msg("00007:24", 
part209); - -var part210 = match("MESSAGE#131:00007:25", "nwparser.payload", "HA: Change state to initial state.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg133 = msg("00007:25", part210); - -var part211 = match("MESSAGE#132:00007:26/0", "nwparser.payload", "HA: Change state to slave for %{p0}"); - -var part212 = match("MESSAGE#132:00007:26/1_0", "nwparser.p0", "tracking ip failed%{}"); - -var part213 = match("MESSAGE#132:00007:26/1_1", "nwparser.p0", "linkdown%{}"); - -var select46 = linear_select([ - part212, - part213, -]); - -var all42 = all_match({ - processors: [ - part211, - select46, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg134 = msg("00007:26", all42); - -var part214 = match("MESSAGE#133:00007:27", "nwparser.payload", "HA: Change to master command issued from original master to change state%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg135 = msg("00007:27", part214); - -var part215 = match("MESSAGE#134:00007:28", "nwparser.payload", "HA: Elected master no other master%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg136 = msg("00007:28", part215); - -var part216 = match("MESSAGE#135:00007:29/0", "nwparser.payload", "HA: Elected slave %{p0}"); - -var part217 = match("MESSAGE#135:00007:29/1_0", "nwparser.p0", "lower priority%{}"); - -var part218 = match("MESSAGE#135:00007:29/1_1", "nwparser.p0", "MAC value is larger%{}"); - -var part219 = match("MESSAGE#135:00007:29/1_2", "nwparser.p0", "master already exists%{}"); - -var part220 = match("MESSAGE#135:00007:29/1_3", "nwparser.p0", "detect new master with higher priority%{}"); - -var part221 = match("MESSAGE#135:00007:29/1_4", "nwparser.p0", "detect new master with smaller MAC value%{}"); - -var select47 = linear_select([ - part217, - part218, - part219, - part220, - part221, -]); - -var all43 = all_match({ - processors: [ - part216, - select47, - ], - 
on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg137 = msg("00007:29", all43); - -var part222 = match("MESSAGE#136:00007:30", "nwparser.payload", "HA: Promoted master command issued from original master to change state%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg138 = msg("00007:30", part222); - -var part223 = match("MESSAGE#137:00007:31/0", "nwparser.payload", "HA: ha link %{p0}"); - -var all44 = all_match({ - processors: [ - part223, - dup345, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg139 = msg("00007:31", all44); - -var part224 = match("MESSAGE#138:00007:32/0", "nwparser.payload", "NSRP %{fld2->} %{p0}"); - -var select48 = linear_select([ - dup89, - dup88, -]); - -var part225 = match("MESSAGE#138:00007:32/4", "nwparser.p0", "changed.%{}"); - -var all45 = all_match({ - processors: [ - part224, - select48, - dup23, - dup344, - part225, - ], - on_success: processor_chain([ - dup91, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg140 = msg("00007:32", all45); - -var part226 = match("MESSAGE#139:00007:33/0_0", "nwparser.payload", "NSRP: VSD %{p0}"); - -var part227 = match("MESSAGE#139:00007:33/0_1", "nwparser.payload", "Virtual Security Device group %{p0}"); - -var select49 = linear_select([ - part226, - part227, -]); - -var part228 = match("MESSAGE#139:00007:33/1", "nwparser.p0", "%{fld2->} change%{p0}"); - -var part229 = match("MESSAGE#139:00007:33/2_0", "nwparser.p0", "d %{p0}"); - -var select50 = linear_select([ - part229, - dup96, -]); - -var part230 = match("MESSAGE#139:00007:33/3", "nwparser.p0", "to %{fld3->} mode."); - -var all46 = all_match({ - processors: [ - select49, - part228, - select50, - part230, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg141 = msg("00007:33", all46); - -var part231 = match("MESSAGE#140:00007:34", "nwparser.payload", "NSRP: message %{fld2->} 
dropped: invalid encryption password.", processor_chain([ - dup97, - dup2, - dup3, - dup4, - dup5, -])); - -var msg142 = msg("00007:34", part231); - -var part232 = match("MESSAGE#141:00007:35", "nwparser.payload", "NSRP: nsrp interface change to %{interface}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg143 = msg("00007:35", part232); - -var part233 = match("MESSAGE#142:00007:36", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} local unit=%{fld3->} duplicate from unit=%{fld4}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg144 = msg("00007:36", part233); - -var part234 = match("MESSAGE#143:00007:37/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} is %{p0}"); - -var all47 = all_match({ - processors: [ - part234, - dup346, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg145 = msg("00007:37", all47); - -var part235 = match("MESSAGE#144:00007:38/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} peer=%{fld3->} from %{p0}"); - -var part236 = match("MESSAGE#144:00007:38/4", "nwparser.p0", "state %{p0}"); - -var part237 = match("MESSAGE#144:00007:38/5_0", "nwparser.p0", "missed heartbeat%{}"); - -var part238 = match("MESSAGE#144:00007:38/5_1", "nwparser.p0", "group detached%{}"); - -var select51 = linear_select([ - part237, - part238, -]); - -var all48 = all_match({ - processors: [ - part235, - dup347, - dup103, - dup347, - part236, - select51, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg146 = msg("00007:38", all48); - -var part239 = match("MESSAGE#145:00007:39/0", "nwparser.payload", "RTO mirror group id=%{groupid->} is %{p0}"); - -var all49 = all_match({ - processors: [ - part239, - dup346, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg147 = 
msg("00007:39", all49); - -var part240 = match("MESSAGE#146:00007:40", "nwparser.payload", "Remove pathname %{fld2->} (ifnum=%{fld3}) as secondary HA path", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg148 = msg("00007:40", part240); - -var part241 = match("MESSAGE#147:00007:41", "nwparser.payload", "Session sync ended by unit=%{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg149 = msg("00007:41", part241); - -var part242 = match("MESSAGE#148:00007:42", "nwparser.payload", "Set secondary HA path to %{fld2->} (ifnum=%{fld3})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg150 = msg("00007:42", part242); - -var part243 = match("MESSAGE#149:00007:43", "nwparser.payload", "VSD %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg151 = msg("00007:43", part243); - -var part244 = match("MESSAGE#150:00007:44", "nwparser.payload", "vsd group id=%{groupid->} is %{disposition->} total number=%{fld3}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg152 = msg("00007:44", part244); - -var part245 = match("MESSAGE#151:00007:45", "nwparser.payload", "vsd group %{group->} local unit %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg153 = msg("00007:45", part245); - -var part246 = match("MESSAGE#152:00007:46", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup85, - dup2, - dup3, - dup4, - dup59, - dup5, - dup60, -])); - -var msg154 = msg("00007:46", part246); - -var part247 = match("MESSAGE#153:00007:47", "nwparser.payload", "The HA channel changed to interface %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg155 = msg("00007:47", part247); - -var part248 = match("MESSAGE#154:00007:48", "nwparser.payload", "Message %{fld2->} was dropped because it contained an invalid encryption password.", processor_chain([ - dup97, - dup2, - dup3, - dup4, - setc("disposition","dropped"), - setc("result","Invalid encryption Password"), -])); - -var msg156 = msg("00007:48", part248); - -var part249 = match("MESSAGE#155:00007:49", "nwparser.payload", "The %{change_attribute->} of all Virtual Security Device groups changed from %{change_old->} to %{change_new}", processor_chain([ - setc("eventcategory","1604000000"), - dup2, - dup3, - dup4, - dup5, -])); - -var msg157 = msg("00007:49", part249); - -var part250 = match("MESSAGE#156:00007:50/0", "nwparser.payload", "Device %{fld2->} %{p0}"); - -var part251 = match("MESSAGE#156:00007:50/1_0", "nwparser.p0", "has joined %{p0}"); - -var part252 = match("MESSAGE#156:00007:50/1_1", "nwparser.p0", "quit current %{p0}"); - -var select52 = linear_select([ - part251, - part252, -]); - -var part253 = match("MESSAGE#156:00007:50/2", "nwparser.p0", "NSRP cluster %{fld3}"); - -var all50 = all_match({ - processors: [ - part250, - select52, - part253, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg158 = msg("00007:50", all50); - -var part254 = match("MESSAGE#157:00007:51/0", "nwparser.payload", "Virtual Security Device group %{group->} was %{p0}"); - -var part255 = match("MESSAGE#157:00007:51/1_1", "nwparser.p0", "deleted %{p0}"); - -var select53 = 
linear_select([ - dup104, - part255, -]); - -var select54 = linear_select([ - dup105, - dup73, -]); - -var part256 = match("MESSAGE#157:00007:51/4", "nwparser.p0", "The total number of members in the group %{p0}"); - -var select55 = linear_select([ - dup106, - dup107, -]); - -var all51 = all_match({ - processors: [ - part254, - select53, - dup23, - select54, - part256, - select55, - dup108, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg159 = msg("00007:51", all51); - -var part257 = match("MESSAGE#158:00007:52", "nwparser.payload", "Virtual Security Device group %{group->} %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg160 = msg("00007:52", part257); - -var part258 = match("MESSAGE#159:00007:53", "nwparser.payload", "The secondary HA path of the devices was set to interface %{interface->} with ifnum %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg161 = msg("00007:53", part258); - -var part259 = match("MESSAGE#160:00007:54", "nwparser.payload", "The %{change_attribute->} of the devices changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg162 = msg("00007:54", part259); - -var part260 = match("MESSAGE#161:00007:55", "nwparser.payload", "The interface %{interface->} with ifnum %{fld2->} was removed from the secondary HA path of the devices.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg163 = msg("00007:55", part260); - -var part261 = match("MESSAGE#162:00007:56", "nwparser.payload", "The probe that detects the status of High Availability link %{fld2->} was %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg164 = msg("00007:56", part261); - -var select56 = linear_select([ - dup109, - dup110, -]); - -var select57 = linear_select([ - dup111, - dup112, 
-]); - -var part262 = match("MESSAGE#163:00007:57/4", "nwparser.p0", "the probe detecting the status of High Availability link %{fld2->} was set to %{fld3}"); - -var all52 = all_match({ - processors: [ - dup55, - select56, - dup23, - select57, - part262, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg165 = msg("00007:57", all52); - -var part263 = match("MESSAGE#164:00007:58", "nwparser.payload", "A request by device %{fld2->} for session synchronization(s) was accepted.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg166 = msg("00007:58", part263); - -var part264 = match("MESSAGE#165:00007:59", "nwparser.payload", "The current session synchronization by device %{fld2->} completed.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg167 = msg("00007:59", part264); - -var part265 = match("MESSAGE#166:00007:60", "nwparser.payload", "Run Time Object mirror group %{group->} direction was set to %{direction}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg168 = msg("00007:60", part265); - -var part266 = match("MESSAGE#167:00007:61", "nwparser.payload", "Run Time Object mirror group %{group->} was set.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg169 = msg("00007:61", part266); - -var part267 = match("MESSAGE#168:00007:62", "nwparser.payload", "Run Time Object mirror group %{group->} with direction %{direction->} was unset.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg170 = msg("00007:62", part267); - -var part268 = match("MESSAGE#169:00007:63", "nwparser.payload", "RTO mirror group %{group->} was unset.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg171 = msg("00007:63", part268); - -var part269 = match("MESSAGE#170:00007:64/1", "nwparser.p0", "%{fld2->} was removed from the monitoring list %{p0}"); - -var part270 = match("MESSAGE#170:00007:64/3", 
"nwparser.p0", "%{fld3}"); - -var all53 = all_match({ - processors: [ - dup348, - part269, - dup349, - part270, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg172 = msg("00007:64", all53); - -var part271 = match("MESSAGE#171:00007:65/1", "nwparser.p0", "%{fld2->} with weight %{fld3->} was added%{p0}"); - -var part272 = match("MESSAGE#171:00007:65/2_0", "nwparser.p0", " to or updated on %{p0}"); - -var part273 = match("MESSAGE#171:00007:65/2_1", "nwparser.p0", "/updated to %{p0}"); - -var select58 = linear_select([ - part272, - part273, -]); - -var part274 = match("MESSAGE#171:00007:65/3", "nwparser.p0", "the monitoring list %{p0}"); - -var part275 = match("MESSAGE#171:00007:65/5", "nwparser.p0", "%{fld4}"); - -var all54 = all_match({ - processors: [ - dup348, - part271, - select58, - part274, - dup349, - part275, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg173 = msg("00007:65", all54); - -var part276 = match("MESSAGE#172:00007:66/0_0", "nwparser.payload", "The monitoring %{p0}"); - -var part277 = match("MESSAGE#172:00007:66/0_1", "nwparser.payload", "Monitoring %{p0}"); - -var select59 = linear_select([ - part276, - part277, -]); - -var part278 = match("MESSAGE#172:00007:66/1", "nwparser.p0", "threshold was modified to %{trigger_val->} o%{p0}"); - -var part279 = match("MESSAGE#172:00007:66/2_0", "nwparser.p0", "f %{p0}"); - -var select60 = linear_select([ - part279, - dup115, -]); - -var all55 = all_match({ - processors: [ - select59, - part278, - select60, - dup108, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg174 = msg("00007:66", all55); - -var part280 = match("MESSAGE#173:00007:67", "nwparser.payload", "NSRP data forwarding %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg175 = msg("00007:67", part280); - -var part281 = match("MESSAGE#174:00007:68/0", 
"nwparser.payload", "NSRP b%{p0}"); - -var part282 = match("MESSAGE#174:00007:68/1_0", "nwparser.p0", "lack %{p0}"); - -var part283 = match("MESSAGE#174:00007:68/1_1", "nwparser.p0", "ack %{p0}"); - -var select61 = linear_select([ - part282, - part283, -]); - -var part284 = match("MESSAGE#174:00007:68/2", "nwparser.p0", "hole prevention %{disposition}. Master(s) of Virtual Security Device groups %{p0}"); - -var part285 = match("MESSAGE#174:00007:68/3_0", "nwparser.p0", "may not exist %{p0}"); - -var part286 = match("MESSAGE#174:00007:68/3_1", "nwparser.p0", "always exists %{p0}"); - -var select62 = linear_select([ - part285, - part286, -]); - -var all56 = all_match({ - processors: [ - part281, - select61, - part284, - select62, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg176 = msg("00007:68", all56); - -var part287 = match("MESSAGE#175:00007:69", "nwparser.payload", "NSRP Run Time Object synchronization between devices was %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg177 = msg("00007:69", part287); - -var part288 = match("MESSAGE#176:00007:70", "nwparser.payload", "The NSRP encryption key was changed.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg178 = msg("00007:70", part288); - -var part289 = match("MESSAGE#177:00007:71", "nwparser.payload", "NSRP transparent Active-Active mode was %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg179 = msg("00007:71", part289); - -var part290 = match("MESSAGE#178:00007:72", "nwparser.payload", "NSRP: nsrp link probe enable on %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg180 = msg("00007:72", part290); - -var select63 = linear_select([ - msg109, - msg110, - msg111, - msg112, - msg113, - msg114, - msg115, - msg116, - msg117, - msg118, - msg119, - msg120, - msg121, - msg122, - msg123, - msg124, - msg125, - 
msg126, - msg127, - msg128, - msg129, - msg130, - msg131, - msg132, - msg133, - msg134, - msg135, - msg136, - msg137, - msg138, - msg139, - msg140, - msg141, - msg142, - msg143, - msg144, - msg145, - msg146, - msg147, - msg148, - msg149, - msg150, - msg151, - msg152, - msg153, - msg154, - msg155, - msg156, - msg157, - msg158, - msg159, - msg160, - msg161, - msg162, - msg163, - msg164, - msg165, - msg166, - msg167, - msg168, - msg169, - msg170, - msg171, - msg172, - msg173, - msg174, - msg175, - msg176, - msg177, - msg178, - msg179, - msg180, -]); - -var part291 = match("MESSAGE#179:00008", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup59, - dup5, - dup61, -])); - -var msg181 = msg("00008", part291); - -var msg182 = msg("00008:01", dup341); - -var part292 = match("MESSAGE#181:00008:02", "nwparser.payload", "NTP settings have been changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg183 = msg("00008:02", part292); - -var part293 = match("MESSAGE#182:00008:03", "nwparser.payload", "The system clock has been updated through NTP%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg184 = msg("00008:03", part293); - -var part294 = match("MESSAGE#183:00008:04/0", "nwparser.payload", "System clock %{p0}"); - -var part295 = match("MESSAGE#183:00008:04/1_0", "nwparser.p0", "configurations have been%{p0}"); - -var part296 = match("MESSAGE#183:00008:04/1_1", "nwparser.p0", "was%{p0}"); - -var part297 = match("MESSAGE#183:00008:04/1_2", "nwparser.p0", "is%{p0}"); - -var select64 = linear_select([ - part295, - part296, - part297, -]); - -var part298 = match("MESSAGE#183:00008:04/2", "nwparser.p0", "%{}changed%{p0}"); - -var part299 = match("MESSAGE#183:00008:04/3_0", "nwparser.p0", " by admin 
%{administrator}"); - -var part300 = match("MESSAGE#183:00008:04/3_1", "nwparser.p0", " by %{username->} (%{fld1})"); - -var part301 = match("MESSAGE#183:00008:04/3_2", "nwparser.p0", " by %{username}"); - -var part302 = match("MESSAGE#183:00008:04/3_3", "nwparser.p0", " manually.%{}"); - -var part303 = match("MESSAGE#183:00008:04/3_4", "nwparser.p0", " manually%{}"); - -var select65 = linear_select([ - part299, - part300, - part301, - part302, - part303, - dup21, -]); - -var all57 = all_match({ - processors: [ - part294, - select64, - part298, - select65, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup9, - ]), -}); - -var msg185 = msg("00008:04", all57); - -var part304 = match("MESSAGE#184:00008:05", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, -])); - -var msg186 = msg("00008:05", part304); - -var part305 = match("MESSAGE#185:00008:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup61, -])); - -var msg187 = msg("00008:06", part305); - -var part306 = match("MESSAGE#186:00008:07", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup60, -])); - -var msg188 = msg("00008:07", part306); - -var part307 = match("MESSAGE#187:00008:08", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup60, -])); - -var msg189 = msg("00008:08", part307); - -var part308 = match("MESSAGE#188:00008:09", "nwparser.payload", "system clock is changed manually%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg190 = msg("00008:09", part308); - -var part309 = match("MESSAGE#189:00008:10/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol}(zone %{p0}"); - -var all58 = all_match({ - processors: [ - part309, - dup338, - dup67, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - dup60, - ]), -}); - -var msg191 = msg("00008:10", all58); - -var select66 = linear_select([ - msg181, - msg182, - msg183, - msg184, - msg185, - msg186, - msg187, - msg188, - msg189, - msg190, - msg191, -]); - -var part310 = match("MESSAGE#190:00009", "nwparser.payload", "802.1Q VLAN trunking for the interface %{interface->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg192 = msg("00009", part310); - -var part311 = match("MESSAGE#191:00009:01", "nwparser.payload", "802.1Q VLAN tag %{fld1->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg193 = msg("00009:01", part311); - -var part312 = match("MESSAGE#192:00009:02", "nwparser.payload", "DHCP on the interface %{interface->} has been 
%{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg194 = msg("00009:02", part312); - -var part313 = match("MESSAGE#193:00009:03", "nwparser.payload", "%{change_attribute->} for interface %{interface->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg195 = msg("00009:03", part313); - -var part314 = match("MESSAGE#194:00009:05", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, -])); - -var msg196 = msg("00009:05", part314); - -var part315 = match("MESSAGE#195:00009:06/0_0", "nwparser.payload", "%{fld2}: The 802.1Q tag %{p0}"); - -var part316 = match("MESSAGE#195:00009:06/0_1", "nwparser.payload", "The 802.1Q tag %{p0}"); - -var select67 = linear_select([ - part315, - part316, -]); - -var select68 = linear_select([ - dup119, - dup16, -]); - -var part317 = match("MESSAGE#195:00009:06/3", "nwparser.p0", "interface %{interface->} has been %{p0}"); - -var part318 = match("MESSAGE#195:00009:06/4_1", "nwparser.p0", "changed to %{p0}"); - -var select69 = linear_select([ - dup120, - part318, -]); - -var part319 = match("MESSAGE#195:00009:06/6_0", "nwparser.p0", "%{info->} from host %{saddr}"); - -var part320 = match_copy("MESSAGE#195:00009:06/6_1", "nwparser.p0", "info"); - -var select70 = linear_select([ - part319, - part320, -]); - -var all59 = all_match({ - processors: [ - select67, - dup118, - select68, - part317, - select69, - dup23, - select70, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg197 = msg("00009:06", all59); - -var part321 = match("MESSAGE#196:00009:07/0", "nwparser.payload", "Maximum bandwidth %{fld2->} on %{p0}"); - -var part322 = 
match("MESSAGE#196:00009:07/2", "nwparser.p0", "%{} %{interface->} is less than t%{p0}"); - -var part323 = match("MESSAGE#196:00009:07/3_0", "nwparser.p0", "he total %{p0}"); - -var part324 = match("MESSAGE#196:00009:07/3_1", "nwparser.p0", "otal %{p0}"); - -var select71 = linear_select([ - part323, - part324, -]); - -var part325 = match("MESSAGE#196:00009:07/4", "nwparser.p0", "guaranteed bandwidth %{fld3}"); - -var all60 = all_match({ - processors: [ - part321, - dup337, - part322, - select71, - part325, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg198 = msg("00009:07", all60); - -var part326 = match("MESSAGE#197:00009:09", "nwparser.payload", "The configured bandwidth setting on the interface %{interface->} has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg199 = msg("00009:09", part326); - -var part327 = match("MESSAGE#198:00009:10/0", "nwparser.payload", "The operational mode for the interface %{interface->} has been changed to %{p0}"); - -var part328 = match("MESSAGE#198:00009:10/1_0", "nwparser.p0", "Route%{}"); - -var part329 = match("MESSAGE#198:00009:10/1_1", "nwparser.p0", "NAT%{}"); - -var select72 = linear_select([ - part328, - part329, -]); - -var all61 = all_match({ - processors: [ - part327, - select72, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg200 = msg("00009:10", all61); - -var part330 = match("MESSAGE#199:00009:11/0_0", "nwparser.payload", "%{fld1}: VLAN %{p0}"); - -var part331 = match("MESSAGE#199:00009:11/0_1", "nwparser.payload", "VLAN %{p0}"); - -var select73 = linear_select([ - part330, - part331, -]); - -var part332 = match("MESSAGE#199:00009:11/1", "nwparser.p0", "tag %{fld2->} has been %{disposition}"); - -var all62 = all_match({ - processors: [ - select73, - part332, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg201 = 
msg("00009:11", all62); - -var part333 = match("MESSAGE#200:00009:12", "nwparser.payload", "DHCP client has been %{disposition->} on interface %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg202 = msg("00009:12", part333); - -var part334 = match("MESSAGE#201:00009:13", "nwparser.payload", "DHCP relay agent settings on %{interface->} have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg203 = msg("00009:13", part334); - -var part335 = match("MESSAGE#202:00009:14/0_0", "nwparser.payload", "Global-PRO has been %{p0}"); - -var part336 = match("MESSAGE#202:00009:14/0_1", "nwparser.payload", "Global PRO has been %{p0}"); - -var part337 = match("MESSAGE#202:00009:14/0_2", "nwparser.payload", "DNS proxy was %{p0}"); - -var select74 = linear_select([ - part335, - part336, - part337, -]); - -var part338 = match("MESSAGE#202:00009:14/1", "nwparser.p0", "%{disposition->} on %{p0}"); - -var select75 = linear_select([ - dup122, - dup123, -]); - -var part339 = match("MESSAGE#202:00009:14/4_0", "nwparser.p0", "%{interface->} (%{fld2})"); - -var select76 = linear_select([ - part339, - dup124, -]); - -var all63 = all_match({ - processors: [ - select74, - part338, - select75, - dup23, - select76, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg204 = msg("00009:14", all63); - -var part340 = match("MESSAGE#203:00009:15/0", "nwparser.payload", "Route between secondary IP%{p0}"); - -var part341 = match("MESSAGE#203:00009:15/1_0", "nwparser.p0", " addresses %{p0}"); - -var select77 = linear_select([ - part341, - dup125, -]); - -var all64 = all_match({ - processors: [ - part340, - select77, - dup126, - dup350, - dup128, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg205 = msg("00009:15", all64); - -var part342 = match("MESSAGE#204:00009:16/0", "nwparser.payload", "Secondary IP address %{hostip}/%{mask->} 
%{p0}"); - -var part343 = match("MESSAGE#204:00009:16/3_2", "nwparser.p0", "deleted from %{p0}"); - -var select78 = linear_select([ - dup129, - dup130, - part343, -]); - -var part344 = match("MESSAGE#204:00009:16/4", "nwparser.p0", "interface %{interface}."); - -var all65 = all_match({ - processors: [ - part342, - dup350, - dup23, - select78, - part344, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg206 = msg("00009:16", all65); - -var part345 = match("MESSAGE#205:00009:17/0", "nwparser.payload", "Secondary IP address %{p0}"); - -var part346 = match("MESSAGE#205:00009:17/1_0", "nwparser.p0", "%{hostip}/%{mask->} was added to interface %{p0}"); - -var part347 = match("MESSAGE#205:00009:17/1_1", "nwparser.p0", "%{hostip->} was added to interface %{p0}"); - -var select79 = linear_select([ - part346, - part347, -]); - -var part348 = match("MESSAGE#205:00009:17/2", "nwparser.p0", "%{interface}."); - -var all66 = all_match({ - processors: [ - part345, - select79, - part348, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg207 = msg("00009:17", all66); - -var part349 = match("MESSAGE#206:00009:18", "nwparser.payload", "The configured bandwidth on the interface %{interface->} has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg208 = msg("00009:18", part349); - -var part350 = match("MESSAGE#207:00009:19", "nwparser.payload", "interface %{interface->} with IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg209 = msg("00009:19", part350); - -var part351 = match("MESSAGE#208:00009:27", "nwparser.payload", "interface %{interface->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg210 = msg("00009:27", part351); - -var part352 = match("MESSAGE#209:00009:20/0_0", "nwparser.payload", "%{fld2}: %{service->} 
has been %{p0}"); - -var part353 = match("MESSAGE#209:00009:20/0_1", "nwparser.payload", "%{service->} has been %{p0}"); - -var select80 = linear_select([ - part352, - part353, -]); - -var part354 = match("MESSAGE#209:00009:20/1", "nwparser.p0", "%{disposition->} on interface %{interface->} %{p0}"); - -var part355 = match("MESSAGE#209:00009:20/2_0", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}"); - -var part356 = match("MESSAGE#209:00009:20/2_1", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}:%{sport}"); - -var part357 = match("MESSAGE#209:00009:20/2_2", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}"); - -var part358 = match("MESSAGE#209:00009:20/2_3", "nwparser.p0", "from host %{saddr->} (%{fld1})"); - -var select81 = linear_select([ - part355, - part356, - part357, - part358, -]); - -var all67 = all_match({ - processors: [ - select80, - part354, - select81, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg211 = msg("00009:20", all67); - -var part359 = match("MESSAGE#210:00009:21/0", "nwparser.payload", "Source Route IP option! 
From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); - -var all68 = all_match({ - processors: [ - part359, - dup343, - dup131, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - dup60, - ]), -}); - -var msg212 = msg("00009:21", all68); - -var part360 = match("MESSAGE#211:00009:22", "nwparser.payload", "MTU for interface %{interface->} has been changed to %{fld2->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg213 = msg("00009:22", part360); - -var part361 = match("MESSAGE#212:00009:23", "nwparser.payload", "Secondary IP address %{hostip->} has been added to interface %{interface->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup9, - dup3, - dup4, - dup5, -])); - -var msg214 = msg("00009:23", part361); - -var part362 = match("MESSAGE#213:00009:24/0", "nwparser.payload", "Web has been enabled on interface %{interface->} by admin %{administrator->} via %{p0}"); - -var part363 = match("MESSAGE#213:00009:24/1_0", "nwparser.p0", "%{logon_type->} %{space}(%{p0}"); - -var part364 = match("MESSAGE#213:00009:24/1_1", "nwparser.p0", "%{logon_type}. (%{p0}"); - -var select82 = linear_select([ - part363, - part364, -]); - -var part365 = match("MESSAGE#213:00009:24/2", "nwparser.p0", ")%{fld1}"); - -var all69 = all_match({ - processors: [ - part362, - select82, - part365, - ], - on_success: processor_chain([ - dup1, - dup2, - dup9, - dup3, - dup4, - dup5, - ]), -}); - -var msg215 = msg("00009:24", all69); - -var part366 = match("MESSAGE#214:00009:25", "nwparser.payload", "Web has been enabled on interface %{interface->} by %{username->} via %{logon_type}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup9, - dup3, - dup4, - dup5, -])); - -var msg216 = msg("00009:25", part366); - -var part367 = match("MESSAGE#215:00009:26/0", "nwparser.payload", "%{protocol->} has been %{disposition->} on interface %{interface->} by %{username->} via NSRP Peer . 
%{p0}"); - -var all70 = all_match({ - processors: [ - part367, - dup333, - ], - on_success: processor_chain([ - dup1, - dup2, - dup9, - dup3, - dup4, - dup5, - ]), -}); - -var msg217 = msg("00009:26", all70); - -var select83 = linear_select([ - msg192, - msg193, - msg194, - msg195, - msg196, - msg197, - msg198, - msg199, - msg200, - msg201, - msg202, - msg203, - msg204, - msg205, - msg206, - msg207, - msg208, - msg209, - msg210, - msg211, - msg212, - msg213, - msg214, - msg215, - msg216, - msg217, -]); - -var part368 = match("MESSAGE#216:00010/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} %{p0}"); - -var part369 = match("MESSAGE#216:00010/1_0", "nwparser.p0", "using protocol %{p0}"); - -var part370 = match("MESSAGE#216:00010/1_1", "nwparser.p0", "proto %{p0}"); - -var select84 = linear_select([ - part369, - part370, -]); - -var part371 = match("MESSAGE#216:00010/2", "nwparser.p0", "%{protocol->} %{p0}"); - -var part372 = match("MESSAGE#216:00010/3_0", "nwparser.p0", "( zone %{zone}, int %{interface}) %{p0}"); - -var part373 = match("MESSAGE#216:00010/3_1", "nwparser.p0", "zone %{zone->} int %{interface}) %{p0}"); - -var select85 = linear_select([ - part372, - part373, - dup126, -]); - -var part374 = match("MESSAGE#216:00010/4", "nwparser.p0", ".%{space}The attack occurred %{dclass_counter1->} times%{p0}"); - -var all71 = all_match({ - processors: [ - part368, - select84, - part371, - select85, - part374, - dup351, - ], - on_success: processor_chain([ - dup58, - dup2, - dup4, - dup59, - dup5, - dup9, - dup3, - dup61, - ]), -}); - -var msg218 = msg("00010", all71); - -var part375 = match("MESSAGE#217:00010:01", "nwparser.payload", "MIP %{hostip}/%{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg219 = msg("00010:01", part375); - -var part376 = match("MESSAGE#218:00010:02", "nwparser.payload", "Mapped IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ - 
dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg220 = msg("00010:02", part376); - -var all72 = all_match({ - processors: [ - dup132, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup9, - dup3, - dup60, - ]), -}); - -var msg221 = msg("00010:03", all72); - -var select86 = linear_select([ - msg218, - msg219, - msg220, - msg221, -]); - -var part377 = match("MESSAGE#220:00011", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, -])); - -var msg222 = msg("00011", part377); - -var part378 = match("MESSAGE#221:00011:01/0", "nwparser.payload", "Route to %{daddr}/%{fld2->} [ %{p0}"); - -var select87 = linear_select([ - dup57, - dup56, -]); - -var part379 = match("MESSAGE#221:00011:01/2", "nwparser.p0", "%{} %{interface->} gateway %{fld3->} ] has been %{disposition}"); - -var all73 = all_match({ - processors: [ - part378, - select87, - part379, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg223 = msg("00011:01", all73); - -var part380 = match("MESSAGE#222:00011:02", "nwparser.payload", "%{signame->} from %{saddr->} to %{daddr->} protocol %{protocol->} (%{fld2})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, -])); - -var msg224 = msg("00011:02", part380); - -var part381 = match("MESSAGE#223:00011:03/0", "nwparser.payload", "An %{p0}"); - -var part382 = match("MESSAGE#223:00011:03/1_0", "nwparser.p0", "import %{p0}"); - -var part383 = match("MESSAGE#223:00011:03/1_1", "nwparser.p0", "export %{p0}"); - -var select88 = linear_select([ - part382, - part383, -]); - -var part384 = match("MESSAGE#223:00011:03/2", "nwparser.p0", "rule in virtual router %{node->} to virtual router %{fld4->} with %{p0}"); - -var part385 = 
match("MESSAGE#223:00011:03/3_0", "nwparser.p0", "route-map %{fld3->} and protocol %{protocol->} has been %{p0}"); - -var part386 = match("MESSAGE#223:00011:03/3_1", "nwparser.p0", "IP-prefix %{hostip}/%{interface->} has been %{p0}"); - -var select89 = linear_select([ - part385, - part386, -]); - -var all74 = all_match({ - processors: [ - part381, - select88, - part384, - select89, - dup36, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg225 = msg("00011:03", all74); - -var part387 = match("MESSAGE#224:00011:04/0", "nwparser.payload", "A route in virtual router %{node->} that has IP address %{hostip}/%{fld2->} through %{p0}"); - -var part388 = match("MESSAGE#224:00011:04/2", "nwparser.p0", "%{interface->} and gateway %{fld3->} with metric %{fld4->} has been %{disposition}"); - -var all75 = all_match({ - processors: [ - part387, - dup352, - part388, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg226 = msg("00011:04", all75); - -var part389 = match("MESSAGE#225:00011:05/1_0", "nwparser.p0", "sharable virtual router using name%{p0}"); - -var part390 = match("MESSAGE#225:00011:05/1_1", "nwparser.p0", "virtual router with name%{p0}"); - -var select90 = linear_select([ - part389, - part390, -]); - -var part391 = match("MESSAGE#225:00011:05/2", "nwparser.p0", "%{} %{node->} and id %{fld2->} has been %{disposition}"); - -var all76 = all_match({ - processors: [ - dup79, - select90, - part391, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg227 = msg("00011:05", all76); - -var part392 = match("MESSAGE#226:00011:07", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup59, - dup3, - dup60, -])); - -var msg228 = msg("00011:07", part392); - -var part393 
= match("MESSAGE#227:00011:08", "nwparser.payload", "Route(s) in virtual router %{node->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg229 = msg("00011:08", part393); - -var part394 = match("MESSAGE#228:00011:09", "nwparser.payload", "The auto-route-export feature in virtual router %{node->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg230 = msg("00011:09", part394); - -var part395 = match("MESSAGE#229:00011:10", "nwparser.payload", "The maximum number of routes that can be created in virtual router %{node->} is %{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg231 = msg("00011:10", part395); - -var part396 = match("MESSAGE#230:00011:11", "nwparser.payload", "The maximum routes limit in virtual router %{node->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg232 = msg("00011:11", part396); - -var part397 = match("MESSAGE#231:00011:12", "nwparser.payload", "The router-id of virtual router %{node->} used by OSPF BGP routing instances id has been uninitialized", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg233 = msg("00011:12", part397); - -var part398 = match("MESSAGE#232:00011:13", "nwparser.payload", "The router-id that can be used by OSPF BGP routing instances in virtual router %{node->} has been set to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg234 = msg("00011:13", part398); - -var part399 = match("MESSAGE#233:00011:14/0", "nwparser.payload", "The routing preference for protocol %{protocol->} in virtual router %{node->} has been %{p0}"); - -var part400 = match("MESSAGE#233:00011:14/1_1", "nwparser.p0", "reset%{}"); - -var select91 = linear_select([ - dup134, - part400, -]); - -var all77 = all_match({ - processors: [ - part399, - select91, - ], - 
on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg235 = msg("00011:14", all77); - -var part401 = match("MESSAGE#234:00011:15", "nwparser.payload", "The system default-route in virtual router %{node->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg236 = msg("00011:15", part401); - -var part402 = match("MESSAGE#235:00011:16", "nwparser.payload", "The system default-route through virtual router %{node->} has been added in virtual router %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg237 = msg("00011:16", part402); - -var part403 = match("MESSAGE#236:00011:17/0", "nwparser.payload", "The virtual router %{node->} has been made %{p0}"); - -var part404 = match("MESSAGE#236:00011:17/1_0", "nwparser.p0", "sharable%{}"); - -var part405 = match("MESSAGE#236:00011:17/1_1", "nwparser.p0", "unsharable%{}"); - -var part406 = match("MESSAGE#236:00011:17/1_2", "nwparser.p0", "default virtual router for virtual system %{fld2}"); - -var select92 = linear_select([ - part404, - part405, - part406, -]); - -var all78 = all_match({ - processors: [ - part403, - select92, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg238 = msg("00011:17", all78); - -var part407 = match("MESSAGE#237:00011:18/0_0", "nwparser.payload", "Source route(s) %{p0}"); - -var part408 = match("MESSAGE#237:00011:18/0_1", "nwparser.payload", "A source route %{p0}"); - -var select93 = linear_select([ - part407, - part408, -]); - -var part409 = match("MESSAGE#237:00011:18/1", "nwparser.p0", "in virtual router %{node->} %{p0}"); - -var part410 = match("MESSAGE#237:00011:18/2_0", "nwparser.p0", "with route addresses of %{p0}"); - -var part411 = match("MESSAGE#237:00011:18/2_1", "nwparser.p0", "that has IP address %{p0}"); - -var select94 = linear_select([ - part410, - part411, -]); - -var part412 = match("MESSAGE#237:00011:18/3", "nwparser.p0", 
"%{hostip}/%{fld2->} through interface %{interface->} and %{p0}"); - -var part413 = match("MESSAGE#237:00011:18/4_0", "nwparser.p0", "a default gateway address %{p0}"); - -var select95 = linear_select([ - part413, - dup135, -]); - -var part414 = match("MESSAGE#237:00011:18/5", "nwparser.p0", "%{fld3->} with metric %{fld4->} %{p0}"); - -var all79 = all_match({ - processors: [ - select93, - part409, - select94, - part412, - select95, - part414, - dup350, - dup128, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg239 = msg("00011:18", all79); - -var part415 = match("MESSAGE#238:00011:19/0", "nwparser.payload", "Source Route(s) in virtual router %{node->} with %{p0}"); - -var part416 = match("MESSAGE#238:00011:19/1_0", "nwparser.p0", "route addresses of %{p0}"); - -var part417 = match("MESSAGE#238:00011:19/1_1", "nwparser.p0", "an IP address %{p0}"); - -var select96 = linear_select([ - part416, - part417, -]); - -var part418 = match("MESSAGE#238:00011:19/2", "nwparser.p0", "%{hostip}/%{fld3->} and %{p0}"); - -var part419 = match("MESSAGE#238:00011:19/3_0", "nwparser.p0", "a default gateway address of %{p0}"); - -var select97 = linear_select([ - part419, - dup135, -]); - -var part420 = match("MESSAGE#238:00011:19/4", "nwparser.p0", "%{fld4->} %{p0}"); - -var part421 = match("MESSAGE#238:00011:19/5_1", "nwparser.p0", "has been%{p0}"); - -var select98 = linear_select([ - dup107, - part421, -]); - -var all80 = all_match({ - processors: [ - part415, - select96, - part418, - select97, - part420, - select98, - dup136, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg240 = msg("00011:19", all80); - -var part422 = match("MESSAGE#239:00011:20/0_0", "nwparser.payload", "%{fld2}: A %{p0}"); - -var select99 = linear_select([ - part422, - dup79, -]); - -var part423 = match("MESSAGE#239:00011:20/1", "nwparser.p0", "route has been created in virtual router \"%{node}\"%{space}with an IP 
address %{hostip->} and next-hop as virtual router \"%{fld3}\""); - -var all81 = all_match({ - processors: [ - select99, - part423, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg241 = msg("00011:20", all81); - -var part424 = match("MESSAGE#240:00011:21", "nwparser.payload", "SIBR route(s) in virtual router %{node->} for interface %{interface->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg242 = msg("00011:21", part424); - -var part425 = match("MESSAGE#241:00011:22", "nwparser.payload", "SIBR route in virtual router %{node->} for interface %{interface->} that has IP address %{hostip->} through interface %{fld3->} and gateway %{fld4->} with metric %{fld5->} was %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg243 = msg("00011:22", part425); - -var all82 = all_match({ - processors: [ - dup132, - dup343, - dup131, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$IN"), - field("saddr"), - field("daddr"), - ], - }), - ]), -}); - -var msg244 = msg("00011:23", all82); - -var part426 = match("MESSAGE#243:00011:24", "nwparser.payload", "Route in virtual router \"%{node}\" that has IP address %{hostip->} through interface %{interface->} and gateway %{fld2->} with metric %{fld3->} %{disposition}. (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg245 = msg("00011:24", part426); - -var part427 = match("MESSAGE#244:00011:25", "nwparser.payload", "Route(s) in virtual router \"%{node}\" with an IP address %{hostip}/%{fld2->} and gateway %{fld3->} %{disposition}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg246 = msg("00011:25", part427); - -var part428 = match("MESSAGE#245:00011:26", "nwparser.payload", "Route in virtual router \"%{node}\" with IP address %{hostip}/%{fld2->} and next-hop as virtual router \"%{fld3}\" created. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg247 = msg("00011:26", part428); - -var select100 = linear_select([ - msg222, - msg223, - msg224, - msg225, - msg226, - msg227, - msg228, - msg229, - msg230, - msg231, - msg232, - msg233, - msg234, - msg235, - msg236, - msg237, - msg238, - msg239, - msg240, - msg241, - msg242, - msg243, - msg244, - msg245, - msg246, - msg247, -]); - -var part429 = match("MESSAGE#246:00012:02", "nwparser.payload", "Service group %{group->} comments have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg248 = msg("00012:02", part429); - -var part430 = match("MESSAGE#247:00012:03", "nwparser.payload", "Service group %{change_old->} %{change_attribute->} has been changed to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg249 = msg("00012:03", part430); - -var part431 = match("MESSAGE#248:00012:04", "nwparser.payload", "%{fld2->} Service group %{group->} has %{disposition->} member %{username->} from host %{saddr}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg250 = msg("00012:04", part431); - -var part432 = match("MESSAGE#249:00012:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{fld2}) (%{fld3})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, -])); - -var msg251 = msg("00012:05", part432); - -var part433 = match("MESSAGE#250:00012:06", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup61, -])); - -var msg252 = msg("00012:06", part433); - -var part434 = match("MESSAGE#251:00012:07", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, - dup59, -])); - -var msg253 = msg("00012:07", part434); - -var part435 = match("MESSAGE#252:00012:08", "nwparser.payload", "%{fld2}: Service %{service->} has been %{disposition->} from host %{saddr->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg254 = msg("00012:08", part435); - -var all83 = all_match({ - processors: [ - dup80, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - dup61, - ]), -}); - -var msg255 = msg("00012:09", all83); - -var all84 = all_match({ - processors: [ - dup132, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - dup60, - ]), -}); - -var msg256 = msg("00012:10", all84); - -var part436 = match("MESSAGE#255:00012:11", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup59, - dup5, - dup9, - dup61, -])); - -var msg257 = msg("00012:11", part436); - -var part437 = match("MESSAGE#256:00012:12", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{zone}) %{info->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg258 = msg("00012:12", part437); - -var part438 = match("MESSAGE#257:00012", "nwparser.payload", "Service group %{group->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg259 = msg("00012", part438); - -var part439 = match("MESSAGE#258:00012:01", "nwparser.payload", "Service %{service->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg260 = msg("00012:01", part439); - -var select101 = linear_select([ - msg248, - msg249, - msg250, - msg251, - msg252, - msg253, - msg254, - msg255, - msg256, - msg257, - msg258, - msg259, - msg260, -]); - -var part440 = match("MESSAGE#259:00013", "nwparser.payload", "Global Manager error in decoding bytes has been detected%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, -])); - -var msg261 = msg("00013", part440); - -var part441 = match("MESSAGE#260:00013:01", "nwparser.payload", "Intruder has attempted to connect to the NetScreen-Global Manager port! 
From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - setc("signame","An Attempt to connect to NetScreen-Global Manager Port."), -])); - -var msg262 = msg("00013:01", part441); - -var part442 = match("MESSAGE#261:00013:02", "nwparser.payload", "URL Filtering %{fld2->} has been changed to %{fld3}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg263 = msg("00013:02", part442); - -var part443 = match("MESSAGE#262:00013:03", "nwparser.payload", "Web Filtering has been %{disposition->} (%{fld1})", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup4, - dup5, - dup9, -])); - -var msg264 = msg("00013:03", part443); - -var select102 = linear_select([ - msg261, - msg262, - msg263, - msg264, -]); - -var part444 = match("MESSAGE#263:00014", "nwparser.payload", "%{change_attribute->} in minutes has changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg265 = msg("00014", part444); - -var part445 = match("MESSAGE#264:00014:01/0", "nwparser.payload", "The group member %{username->} has been %{disposition->} %{p0}"); - -var part446 = match("MESSAGE#264:00014:01/1_0", "nwparser.p0", "to a group%{}"); - -var part447 = match("MESSAGE#264:00014:01/1_1", "nwparser.p0", "from a group%{}"); - -var select103 = linear_select([ - part446, - part447, -]); - -var all85 = all_match({ - processors: [ - part445, - select103, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg266 = msg("00014:01", all85); - -var part448 = match("MESSAGE#265:00014:02", "nwparser.payload", "The user group %{group->} has been %{disposition->} by %{username}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg267 = msg("00014:02", part448); - -var part449 = 
match("MESSAGE#266:00014:03", "nwparser.payload", "The user %{username->} has been %{disposition->} by %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg268 = msg("00014:03", part449); - -var part450 = match("MESSAGE#267:00014:04", "nwparser.payload", "Communication error with %{hostname->} server { %{hostip->} }: SrvErr (%{fld2}), SockErr (%{fld3}), Valid (%{fld4}),Connected (%{fld5})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg269 = msg("00014:04", part450); - -var part451 = match("MESSAGE#268:00014:05", "nwparser.payload", "System clock configurations have been %{disposition->} by admin %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg270 = msg("00014:05", part451); - -var part452 = match("MESSAGE#269:00014:06", "nwparser.payload", "System clock is %{disposition->} manually.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg271 = msg("00014:06", part452); - -var part453 = match("MESSAGE#270:00014:07", "nwparser.payload", "System up time is %{disposition->} by %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg272 = msg("00014:07", part453); - -var part454 = match("MESSAGE#271:00014:08", "nwparser.payload", "Communication error with %{hostname->} server[%{hostip}]: SrvErr(%{fld2}),SockErr(%{fld3}),Valid(%{fld4}),Connected(%{fld5}) (%{fld1})", processor_chain([ - dup27, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg273 = msg("00014:08", part454); - -var select104 = linear_select([ - msg265, - msg266, - msg267, - msg268, - msg269, - msg270, - msg271, - msg272, - msg273, -]); - -var part455 = match("MESSAGE#272:00015", "nwparser.payload", "Authentication type has been changed to %{authmethod}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg274 = msg("00015", part455); - -var part456 = match("MESSAGE#273:00015:01", "nwparser.payload", "IP tracking to 
%{daddr->} has %{disposition}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, -])); - -var msg275 = msg("00015:01", part456); - -var part457 = match("MESSAGE#274:00015:02/0", "nwparser.payload", "LDAP %{p0}"); - -var part458 = match("MESSAGE#274:00015:02/1_0", "nwparser.p0", "server name %{p0}"); - -var part459 = match("MESSAGE#274:00015:02/1_2", "nwparser.p0", "distinguished name %{p0}"); - -var part460 = match("MESSAGE#274:00015:02/1_3", "nwparser.p0", "common name %{p0}"); - -var select105 = linear_select([ - part458, - dup137, - part459, - part460, -]); - -var all86 = all_match({ - processors: [ - part457, - select105, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg276 = msg("00015:02", all86); - -var part461 = match("MESSAGE#275:00015:03", "nwparser.payload", "Primary HA link has gone down. Local NetScreen device has begun using the secondary HA link%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg277 = msg("00015:03", part461); - -var part462 = match("MESSAGE#276:00015:04/0", "nwparser.payload", "RADIUS server %{p0}"); - -var part463 = match("MESSAGE#276:00015:04/1_2", "nwparser.p0", "secret %{p0}"); - -var select106 = linear_select([ - dup139, - dup140, - part463, -]); - -var all87 = all_match({ - processors: [ - part462, - select106, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg278 = msg("00015:04", all87); - -var part464 = match("MESSAGE#277:00015:05/0", "nwparser.payload", "SecurID %{p0}"); - -var part465 = match("MESSAGE#277:00015:05/1_0", "nwparser.p0", "authentication port %{p0}"); - -var part466 = match("MESSAGE#277:00015:05/1_1", "nwparser.p0", "duress mode %{p0}"); - -var part467 = match("MESSAGE#277:00015:05/1_3", "nwparser.p0", "number of retries value %{p0}"); - -var select107 = linear_select([ - part465, - part466, - dup76, - part467, -]); - -var all88 = all_match({ - processors: 
[ - part464, - select107, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg279 = msg("00015:05", all88); - -var part468 = match("MESSAGE#278:00015:06/0_0", "nwparser.payload", "Master %{p0}"); - -var part469 = match("MESSAGE#278:00015:06/0_1", "nwparser.payload", "Backup %{p0}"); - -var select108 = linear_select([ - part468, - part469, -]); - -var part470 = match("MESSAGE#278:00015:06/1", "nwparser.p0", "SecurID server IP address has been %{disposition}"); - -var all89 = all_match({ - processors: [ - select108, - part470, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg280 = msg("00015:06", all89); - -var part471 = match("MESSAGE#279:00015:07", "nwparser.payload", "HA change from slave to master%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg281 = msg("00015:07", part471); - -var part472 = match("MESSAGE#280:00015:08", "nwparser.payload", "inconsistent configuration between master and slave%{}", processor_chain([ - dup141, - dup2, - dup3, - dup4, - dup5, -])); - -var msg282 = msg("00015:08", part472); - -var part473 = match("MESSAGE#281:00015:09/0_0", "nwparser.payload", "configuration %{p0}"); - -var part474 = match("MESSAGE#281:00015:09/0_1", "nwparser.payload", "Configuration %{p0}"); - -var select109 = linear_select([ - part473, - part474, -]); - -var part475 = match("MESSAGE#281:00015:09/1", "nwparser.p0", "out of sync between local unit and remote unit%{}"); - -var all90 = all_match({ - processors: [ - select109, - part475, - ], - on_success: processor_chain([ - dup141, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg283 = msg("00015:09", all90); - -var part476 = match("MESSAGE#282:00015:10", "nwparser.payload", "HA control channel change to %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg284 = msg("00015:10", part476); - -var part477 = match("MESSAGE#283:00015:11", 
"nwparser.payload", "HA data channel change to %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg285 = msg("00015:11", part477); - -var part478 = match("MESSAGE#284:00015:12/1_0", "nwparser.p0", "control %{p0}"); - -var part479 = match("MESSAGE#284:00015:12/1_1", "nwparser.p0", "data %{p0}"); - -var select110 = linear_select([ - part478, - part479, -]); - -var part480 = match("MESSAGE#284:00015:12/2", "nwparser.p0", "channel moved from link %{p0}"); - -var part481 = match("MESSAGE#284:00015:12/6", "nwparser.p0", "(%{interface})"); - -var all91 = all_match({ - processors: [ - dup87, - select110, - part480, - dup353, - dup103, - dup353, - part481, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg286 = msg("00015:12", all91); - -var part482 = match("MESSAGE#285:00015:13", "nwparser.payload", "HA: Slave is down%{}", processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, -])); - -var msg287 = msg("00015:13", part482); - -var part483 = match("MESSAGE#286:00015:14/0", "nwparser.payload", "NSRP link %{p0}"); - -var all92 = all_match({ - processors: [ - part483, - dup353, - dup116, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg288 = msg("00015:14", all92); - -var part484 = match("MESSAGE#287:00015:15", "nwparser.payload", "no HA %{fld2->} channel available (%{fld3->} used by other channel)", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, -])); - -var msg289 = msg("00015:15", part484); - -var part485 = match("MESSAGE#288:00015:16", "nwparser.payload", "The NSRP configuration is out of synchronization between the local device and the peer device.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, -])); - -var msg290 = msg("00015:16", part485); - -var part486 = match("MESSAGE#289:00015:17", "nwparser.payload", "NSRP %{change_attribute->} %{change_old->} changed to link channel %{change_new}", 
processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg291 = msg("00015:17", part486); - -var part487 = match("MESSAGE#290:00015:18", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on peer device %{fld2->} changed from %{fld3->} to %{fld4->} state.", processor_chain([ - dup121, - dup2, - dup3, - dup4, - dup5, - setc("change_attribute","RTO mirror group"), -])); - -var msg292 = msg("00015:18", part487); - -var part488 = match("MESSAGE#291:00015:19", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on local device %{fld2}, detected a duplicate direction on the peer device %{fld3}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, -])); - -var msg293 = msg("00015:19", part488); - -var part489 = match("MESSAGE#292:00015:20", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} changed on the local device from %{fld2->} to up state, it had peer device %{fld3}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg294 = msg("00015:20", part489); - -var part490 = match("MESSAGE#293:00015:21/0", "nwparser.payload", "Peer device %{fld2->} %{p0}"); - -var part491 = match("MESSAGE#293:00015:21/1_0", "nwparser.p0", "disappeared %{p0}"); - -var part492 = match("MESSAGE#293:00015:21/1_1", "nwparser.p0", "was discovered %{p0}"); - -var select111 = linear_select([ - part491, - part492, -]); - -var all93 = all_match({ - processors: [ - part490, - select111, - dup116, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg295 = msg("00015:21", all93); - -var part493 = match("MESSAGE#294:00015:22/0_0", "nwparser.payload", "The local %{p0}"); - -var part494 = match("MESSAGE#294:00015:22/0_1", "nwparser.payload", "The peer %{p0}"); - -var part495 = match("MESSAGE#294:00015:22/0_2", "nwparser.payload", "Peer %{p0}"); - -var select112 = linear_select([ - part493, - part494, - part495, -]); - -var part496 = 
match("MESSAGE#294:00015:22/1", "nwparser.p0", "device %{fld2->} in the Virtual Security Device group %{group->} changed %{change_attribute->} from %{change_old->} to %{change_new->} %{p0}"); - -var all94 = all_match({ - processors: [ - select112, - part496, - dup354, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg296 = msg("00015:22", all94); - -var part497 = match("MESSAGE#295:00015:23", "nwparser.payload", "WebAuth is set to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg297 = msg("00015:23", part497); - -var part498 = match("MESSAGE#296:00015:24", "nwparser.payload", "Default firewall authentication server has been changed to %{hostname}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg298 = msg("00015:24", part498); - -var part499 = match("MESSAGE#297:00015:25", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. Verification was successful", processor_chain([ - setc("eventcategory","1613050100"), - dup2, - dup3, - dup4, - dup5, -])); - -var msg299 = msg("00015:25", part499); - -var part500 = match("MESSAGE#298:00015:29", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. 
Verification failed", processor_chain([ - dup97, - dup2, - dup3, - dup4, - dup5, -])); - -var msg300 = msg("00015:29", part500); - -var part501 = match("MESSAGE#299:00015:26/0", "nwparser.payload", "unit %{fld2->} just dis%{p0}"); - -var part502 = match("MESSAGE#299:00015:26/1_0", "nwparser.p0", "appeared%{}"); - -var part503 = match("MESSAGE#299:00015:26/1_1", "nwparser.p0", "covered%{}"); - -var select113 = linear_select([ - part502, - part503, -]); - -var all95 = all_match({ - processors: [ - part501, - select113, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg301 = msg("00015:26", all95); - -var part504 = match("MESSAGE#300:00015:33", "nwparser.payload", "NSRP: HA data channel change to %{interface}. (%{fld2})", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - dup146, -])); - -var msg302 = msg("00015:33", part504); - -var part505 = match("MESSAGE#301:00015:27", "nwparser.payload", "NSRP: %{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg303 = msg("00015:27", part505); - -var part506 = match("MESSAGE#302:00015:28", "nwparser.payload", "Auth server %{hostname->} RADIUS retry timeout has been set to default of %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg304 = msg("00015:28", part506); - -var part507 = match("MESSAGE#303:00015:30/0", "nwparser.payload", "Number of RADIUS retries for auth server %{hostname->} %{p0}"); - -var part508 = match("MESSAGE#303:00015:30/2", "nwparser.p0", "set to %{fld2->} (%{fld1})"); - -var all96 = all_match({ - processors: [ - part507, - dup355, - part508, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg305 = msg("00015:30", all96); - -var part509 = match("MESSAGE#304:00015:31", "nwparser.payload", "Forced timeout for Auth server %{hostname->} is unset to its default value, %{info->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, 
- dup4, - dup5, -])); - -var msg306 = msg("00015:31", part509); - -var part510 = match("MESSAGE#305:00015:32", "nwparser.payload", "Accounting port of server RADIUS is set to %{network_port}. (%{fld1})", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup4, - dup5, - dup9, -])); - -var msg307 = msg("00015:32", part510); - -var select114 = linear_select([ - msg274, - msg275, - msg276, - msg277, - msg278, - msg279, - msg280, - msg281, - msg282, - msg283, - msg284, - msg285, - msg286, - msg287, - msg288, - msg289, - msg290, - msg291, - msg292, - msg293, - msg294, - msg295, - msg296, - msg297, - msg298, - msg299, - msg300, - msg301, - msg302, - msg303, - msg304, - msg305, - msg306, - msg307, -]); - -var part511 = match("MESSAGE#306:00016", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, -])); - -var msg308 = msg("00016", part511); - -var part512 = match("MESSAGE#307:00016:01", "nwparser.payload", "Address VIP (%{fld2}) for %{fld3->} has been %{disposition}.", processor_chain([ - dup1, - dup148, - dup149, - dup150, - dup2, - dup3, - dup4, - dup5, -])); - -var msg309 = msg("00016:01", part512); - -var part513 = match("MESSAGE#308:00016:02", "nwparser.payload", "VIP (%{fld2}) has been %{disposition}", processor_chain([ - dup1, - dup148, - dup149, - dup150, - dup2, - dup3, - dup4, - dup5, -])); - -var msg310 = msg("00016:02", part513); - -var part514 = match("MESSAGE#309:00016:03", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{fld2})", processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup3, - dup4, - dup5, -])); - -var msg311 = msg("00016:03", part514); - -var part515 = match("MESSAGE#310:00016:05", "nwparser.payload", "VIP multi-port was 
%{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg312 = msg("00016:05", part515); - -var part516 = match("MESSAGE#311:00016:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, -])); - -var msg313 = msg("00016:06", part516); - -var part517 = match("MESSAGE#312:00016:07/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} ( zone %{p0}"); - -var all97 = all_match({ - processors: [ - part517, - dup338, - dup67, - ], - on_success: processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), -}); - -var msg314 = msg("00016:07", all97); - -var part518 = match("MESSAGE#313:00016:08", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) Modify by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - setc("eventcategory","1001020305"), - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg315 = msg("00016:08", part518); - -var part519 = match("MESSAGE#314:00016:09", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) New by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - setc("eventcategory","1001030305"), - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg316 = msg("00016:09", part519); - -var select115 = linear_select([ - msg308, - msg309, - msg310, - msg311, - msg312, - msg313, - msg314, - msg315, - msg316, -]); - -var part520 = match("MESSAGE#315:00017", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack 
occurred %{dclass_counter1->} times", processor_chain([ - dup151, - dup2, - dup3, - dup59, - dup4, - dup5, -])); - -var msg317 = msg("00017", part520); - -var part521 = match("MESSAGE#316:00017:23/0", "nwparser.payload", "Gateway %{fld2->} at %{fld3->} in %{fld5->} mode with ID %{p0}"); - -var part522 = match("MESSAGE#316:00017:23/1_0", "nwparser.p0", "[%{fld4}] %{p0}"); - -var part523 = match("MESSAGE#316:00017:23/1_1", "nwparser.p0", "%{fld4->} %{p0}"); - -var select116 = linear_select([ - part522, - part523, -]); - -var part524 = match("MESSAGE#316:00017:23/2", "nwparser.p0", "has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} %{fld}"); - -var all98 = all_match({ - processors: [ - part521, - select116, - part524, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg318 = msg("00017:23", all98); - -var part525 = match("MESSAGE#317:00017:01/0_0", "nwparser.payload", "%{fld1}: Gateway %{p0}"); - -var part526 = match("MESSAGE#317:00017:01/0_1", "nwparser.payload", "Gateway %{p0}"); - -var select117 = linear_select([ - part525, - part526, -]); - -var part527 = match("MESSAGE#317:00017:01/1", "nwparser.p0", "%{fld2->} at %{fld3->} in %{fld5->} mode with ID%{p0}"); - -var part528 = match("MESSAGE#317:00017:01/3", "nwparser.p0", "%{fld4->} has been %{disposition}"); - -var all99 = all_match({ - processors: [ - select117, - part527, - dup356, - part528, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg319 = msg("00017:01", all99); - -var part529 = match("MESSAGE#318:00017:02", "nwparser.payload", "IKE %{hostip}: Gateway settings have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg320 = msg("00017:02", part529); - -var part530 = match("MESSAGE#319:00017:03", "nwparser.payload", "IKE key %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - 
dup5, -])); - -var msg321 = msg("00017:03", part530); - -var part531 = match("MESSAGE#320:00017:04/2", "nwparser.p0", "%{group_object->} with range %{fld2->} has been %{disposition}"); - -var all100 = all_match({ - processors: [ - dup153, - dup357, - part531, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg322 = msg("00017:04", all100); - -var part532 = match("MESSAGE#321:00017:05", "nwparser.payload", "IPSec NAT-T for VPN %{group->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg323 = msg("00017:05", part532); - -var part533 = match("MESSAGE#322:00017:06/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been set to %{p0}"); - -var part534 = match("MESSAGE#322:00017:06/1_0", "nwparser.p0", "clear %{p0}"); - -var part535 = match("MESSAGE#322:00017:06/1_2", "nwparser.p0", "copy %{p0}"); - -var select118 = linear_select([ - part534, - dup101, - part535, -]); - -var all101 = all_match({ - processors: [ - part533, - select118, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg324 = msg("00017:06", all101); - -var part536 = match("MESSAGE#323:00017:07/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been %{p0}"); - -var part537 = match("MESSAGE#323:00017:07/1_0", "nwparser.p0", "clear%{}"); - -var part538 = match("MESSAGE#323:00017:07/1_1", "nwparser.p0", "cleared%{}"); - -var part539 = match("MESSAGE#323:00017:07/1_3", "nwparser.p0", "copy%{}"); - -var part540 = match("MESSAGE#323:00017:07/1_4", "nwparser.p0", "copied%{}"); - -var select119 = linear_select([ - part537, - part538, - dup98, - part539, - part540, -]); - -var all102 = all_match({ - processors: [ - part536, - select119, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg325 = msg("00017:07", all102); - -var part541 = match("MESSAGE#324:00017:08", "nwparser.payload", "VPN %{group->} 
with gateway %{fld2->} and SPI %{fld3}/%{fld4->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg326 = msg("00017:08", part541); - -var part542 = match("MESSAGE#325:00017:09/0_0", "nwparser.payload", "%{fld1}: VPN %{p0}"); - -var part543 = match("MESSAGE#325:00017:09/0_1", "nwparser.payload", "VPN %{p0}"); - -var select120 = linear_select([ - part542, - part543, -]); - -var part544 = match("MESSAGE#325:00017:09/1", "nwparser.p0", "%{group->} with gateway %{fld2->} %{p0}"); - -var part545 = match("MESSAGE#325:00017:09/2_0", "nwparser.p0", "no-rekey %{p0}"); - -var part546 = match("MESSAGE#325:00017:09/2_1", "nwparser.p0", "rekey, %{p0}"); - -var part547 = match("MESSAGE#325:00017:09/2_2", "nwparser.p0", "rekey %{p0}"); - -var select121 = linear_select([ - part545, - part546, - part547, -]); - -var part548 = match("MESSAGE#325:00017:09/3", "nwparser.p0", "and p2-proposal %{fld3->} has been %{p0}"); - -var part549 = match("MESSAGE#325:00017:09/4_0", "nwparser.p0", "%{disposition->} from peer unit"); - -var part550 = match("MESSAGE#325:00017:09/4_1", "nwparser.p0", "%{disposition->} from host %{saddr}"); - -var select122 = linear_select([ - part549, - part550, - dup36, -]); - -var all103 = all_match({ - processors: [ - select120, - part544, - select121, - part548, - select122, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg327 = msg("00017:09", all103); - -var part551 = match("MESSAGE#326:00017:10/0", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}. 
Src IF %{sinterface->} dst IP %{daddr->} with rekeying %{p0}"); - -var all104 = all_match({ - processors: [ - part551, - dup358, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg328 = msg("00017:10", all104); - -var part552 = match("MESSAGE#327:00017:11", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg329 = msg("00017:11", part552); - -var part553 = match("MESSAGE#328:00017:12/0", "nwparser.payload", "VPN monitoring %{p0}"); - -var part554 = match("MESSAGE#328:00017:12/1_2", "nwparser.p0", "frequency %{p0}"); - -var select123 = linear_select([ - dup109, - dup110, - part554, -]); - -var all105 = all_match({ - processors: [ - part553, - select123, - dup127, - dup359, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg330 = msg("00017:12", all105); - -var part555 = match("MESSAGE#329:00017:26", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been added by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg331 = msg("00017:26", part555); - -var part556 = match("MESSAGE#330:00017:13", "nwparser.payload", "No IP pool has been assigned. You cannot allocate an IP address.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, -])); - -var msg332 = msg("00017:13", part556); - -var part557 = match("MESSAGE#331:00017:14", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail}, DH group %{group}, ESP %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup9, - dup5, -])); - -var msg333 = msg("00017:14", part557); - -var part558 = match("MESSAGE#332:00017:15/0", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group->} %{p0}"); - -var part559 = match("MESSAGE#332:00017:15/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime (%{fld3}) (%{fld4}) has been %{disposition}."); - -var all106 = all_match({ - processors: [ - part558, - dup360, - part559, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg334 = msg("00017:15", all106); - -var part560 = match("MESSAGE#333:00017:31/0", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail->} DH group %{group->} %{p0}"); - -var part561 = match("MESSAGE#333:00017:31/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime %{fld3->} has been %{disposition}."); - -var all107 = all_match({ - processors: [ - part560, - dup360, - part561, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg335 = msg("00017:31", all107); - -var part562 = match("MESSAGE#334:00017:16/0", "nwparser.payload", "vpnmonitor interval is %{p0}"); - -var all108 = all_match({ - processors: [ - part562, - dup359, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg336 = msg("00017:16", all108); - -var part563 = match("MESSAGE#335:00017:17/0", "nwparser.payload", "vpnmonitor threshold is %{p0}"); - -var select124 = linear_select([ - dup99, - dup93, -]); - -var all109 = all_match({ - processors: [ - part563, - select124, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg337 = msg("00017:17", all109); - -var part564 = match("MESSAGE#336:00017:18/2", "nwparser.p0", "%{group_object->} with range %{fld2->} was %{disposition}"); - -var all110 = all_match({ - processors: [ - dup153, - dup357, - part564, - ], - 
on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg338 = msg("00017:18", all110); - -var part565 = match("MESSAGE#337:00017:19/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at %{p0}"); - -var part566 = match("MESSAGE#337:00017:19/2", "nwparser.p0", "%{} %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times"); - -var all111 = all_match({ - processors: [ - part565, - dup337, - part566, - ], - on_success: processor_chain([ - dup151, - dup2, - dup3, - dup59, - dup4, - dup5, - ]), -}); - -var msg339 = msg("00017:19", all111); - -var all112 = all_match({ - processors: [ - dup64, - dup338, - dup67, - ], - on_success: processor_chain([ - dup151, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - ]), -}); - -var msg340 = msg("00017:20", all112); - -var part567 = match("MESSAGE#339:00017:21", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup151, - dup2, - dup3, - dup59, - dup4, - dup5, -])); - -var msg341 = msg("00017:21", part567); - -var part568 = match("MESSAGE#340:00017:22", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg342 = msg("00017:22", part568); - -var part569 = match("MESSAGE#341:00017:24", "nwparser.payload", "VPN \"%{group}\" has been bound to tunnel interface %{interface}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg343 = msg("00017:24", part569); - -var part570 = match("MESSAGE#342:00017:25", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal standard has been added by admin %{administrator->} via NSRP Peer (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg344 = msg("00017:25", part570); - -var part571 = match("MESSAGE#343:00017:28", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group}, ESP, enc %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg345 = msg("00017:28", part571); - -var part572 = match("MESSAGE#344:00017:29", "nwparser.payload", "L2TP \"%{fld2}\", all-L2TP-users secret \"%{fld3}\" keepalive %{fld4->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, -])); - -var msg346 = msg("00017:29", part572); - -var select125 = linear_select([ - msg317, - msg318, - msg319, - msg320, - msg321, - msg322, - msg323, - msg324, - msg325, - msg326, - msg327, - msg328, - msg329, - msg330, - msg331, - msg332, - msg333, - msg334, - msg335, - msg336, - msg337, - msg338, - msg339, - msg340, - msg341, - msg342, - msg343, - msg344, - msg345, - msg346, -]); - -var part573 = match("MESSAGE#345:00018", "nwparser.payload", "Positions of policies %{fld2->} and %{fld3->} have been exchanged", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg347 = msg("00018", part573); - -var part574 = match("MESSAGE#346:00018:01", "nwparser.payload", "Deny Policy Alarm%{}", processor_chain([ - setc("eventcategory","1502010000"), - dup2, - dup4, - dup5, - dup3, -])); - -var msg348 = msg("00018:01", part574); - -var part575 = match("MESSAGE#347:00018:02", "nwparser.payload", "Device%{quote}s %{change_attribute->} has been changed from %{change_old->} to %{change_new->} by admin %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg349 = msg("00018:02", part575); - -var part576 = match("MESSAGE#348:00018:04", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} from host %{saddr->} by admin %{administrator->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg350 = msg("00018:04", part576); - -var part577 = match("MESSAGE#349:00018:16", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} by admin %{administrator->} via NSRP Peer", processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, -])); - -var msg351 = msg("00018:16", part577); - -var part578 = match("MESSAGE#350:00018:06/0", "nwparser.payload", "%{fld2->} Policy %{policy_id->} has been moved %{p0}"); - -var part579 = match("MESSAGE#350:00018:06/1_0", 
"nwparser.p0", "before %{p0}"); - -var part580 = match("MESSAGE#350:00018:06/1_1", "nwparser.p0", "after %{p0}"); - -var select126 = linear_select([ - part579, - part580, -]); - -var part581 = match("MESSAGE#350:00018:06/2", "nwparser.p0", "%{fld3->} by admin %{administrator}"); - -var all113 = all_match({ - processors: [ - part578, - select126, - part581, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg352 = msg("00018:06", all113); - -var part582 = match("MESSAGE#351:00018:08", "nwparser.payload", "Policy %{policy_id->} application was modified to %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg353 = msg("00018:08", part582); - -var part583 = match("MESSAGE#352:00018:09", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup3, - dup2, - dup9, - dup4, - dup5, -])); - -var msg354 = msg("00018:09", part583); - -var part584 = match("MESSAGE#353:00018:10/0", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{p0}"); - -var part585 = match("MESSAGE#353:00018:10/1_0", "nwparser.p0", "%{disposition->} from peer unit by %{p0}"); - -var part586 = match("MESSAGE#353:00018:10/1_1", "nwparser.p0", "%{disposition->} by %{p0}"); - -var select127 = linear_select([ - part585, - part586, -]); - -var part587 = match("MESSAGE#353:00018:10/2", "nwparser.p0", "%{username->} via %{interface->} from host %{saddr->} (%{fld1})"); - -var all114 = all_match({ - processors: [ - part584, - select127, - part587, - ], - on_success: processor_chain([ - dup17, - dup3, - dup2, - dup9, - dup4, - dup5, - ]), -}); - -var msg355 = msg("00018:10", all114); - -var part588 = match("MESSAGE#354:00018:11/1_0", "nwparser.p0", "Service %{service->} was %{p0}"); - -var 
part589 = match("MESSAGE#354:00018:11/1_1", "nwparser.p0", "Attack group %{signame->} was %{p0}"); - -var select128 = linear_select([ - part588, - part589, -]); - -var part590 = match("MESSAGE#354:00018:11/2", "nwparser.p0", "%{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} %{p0}"); - -var part591 = match("MESSAGE#354:00018:11/3_0", "nwparser.p0", "to %{daddr}:%{dport}. %{p0}"); - -var select129 = linear_select([ - part591, - dup16, -]); - -var all115 = all_match({ - processors: [ - dup160, - select128, - part590, - select129, - dup10, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg356 = msg("00018:11", all115); - -var part592 = match("MESSAGE#355:00018:12/0", "nwparser.payload", "In policy %{policy_id}, the %{p0}"); - -var part593 = match("MESSAGE#355:00018:12/1_0", "nwparser.p0", "application %{p0}"); - -var part594 = match("MESSAGE#355:00018:12/1_1", "nwparser.p0", "attack severity %{p0}"); - -var part595 = match("MESSAGE#355:00018:12/1_2", "nwparser.p0", "DI attack component %{p0}"); - -var select130 = linear_select([ - part593, - part594, - part595, -]); - -var part596 = match("MESSAGE#355:00018:12/2", "nwparser.p0", "was modified by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); - -var all116 = all_match({ - processors: [ - part592, - select130, - part596, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg357 = msg("00018:12", all116); - -var part597 = match("MESSAGE#356:00018:32/1", "nwparser.p0", "%{}address %{dhost}(%{daddr}) was %{disposition->} %{p0}"); - -var all117 = all_match({ - processors: [ - dup361, - part597, - dup362, - dup164, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg358 = msg("00018:32", all117); - -var part598 = match("MESSAGE#357:00018:22/1", "nwparser.p0", 
"%{}address %{dhost->} was %{disposition->} %{p0}"); - -var all118 = all_match({ - processors: [ - dup361, - part598, - dup362, - dup164, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg359 = msg("00018:22", all118); - -var part599 = match("MESSAGE#358:00018:15/0", "nwparser.payload", "%{agent->} was %{disposition->} from policy %{policy_id->} %{p0}"); - -var select131 = linear_select([ - dup78, - dup77, -]); - -var part600 = match("MESSAGE#358:00018:15/2", "nwparser.p0", "address by admin %{administrator->} via NSRP Peer"); - -var all119 = all_match({ - processors: [ - part599, - select131, - part600, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg360 = msg("00018:15", all119); - -var part601 = match("MESSAGE#359:00018:14/0", "nwparser.payload", "%{agent->} was %{disposition->} %{p0}"); - -var part602 = match("MESSAGE#359:00018:14/1_0", "nwparser.p0", "to%{p0}"); - -var part603 = match("MESSAGE#359:00018:14/1_1", "nwparser.p0", "from%{p0}"); - -var select132 = linear_select([ - part602, - part603, -]); - -var part604 = match("MESSAGE#359:00018:14/2", "nwparser.p0", "%{}policy %{policy_id->} %{p0}"); - -var part605 = match("MESSAGE#359:00018:14/3_0", "nwparser.p0", "service %{p0}"); - -var part606 = match("MESSAGE#359:00018:14/3_1", "nwparser.p0", "source address %{p0}"); - -var part607 = match("MESSAGE#359:00018:14/3_2", "nwparser.p0", "destination address %{p0}"); - -var select133 = linear_select([ - part605, - part606, - part607, -]); - -var part608 = match("MESSAGE#359:00018:14/4", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); - -var all120 = all_match({ - processors: [ - part601, - select132, - part604, - select133, - part608, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg361 = msg("00018:14", all120); - -var part609 = 
match("MESSAGE#360:00018:29", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg362 = msg("00018:29", part609); - -var part610 = match("MESSAGE#361:00018:07", "nwparser.payload", "%{agent->} was added to policy %{policy_id->} %{rule_group->} by admin %{administrator->} via NSRP Peer %{space->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg363 = msg("00018:07", part610); - -var part611 = match("MESSAGE#362:00018:18", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg364 = msg("00018:18", part611); - -var part612 = match("MESSAGE#363:00018:17", "nwparser.payload", "AntiSpam ns-profile was %{disposition->} from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg365 = msg("00018:17", part612); - -var part613 = match("MESSAGE#364:00018:19", "nwparser.payload", "Source address Info %{info->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg366 = msg("00018:19", part613); - -var part614 = match("MESSAGE#365:00018:23/0_0", "nwparser.payload", "Destination %{p0}"); - -var part615 = match("MESSAGE#365:00018:23/0_1", "nwparser.payload", "Source %{p0}"); - -var select134 = linear_select([ - part614, - part615, -]); - -var part616 = match("MESSAGE#365:00018:23/1", "nwparser.p0", "address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} %{p0}"); - -var part617 = match("MESSAGE#365:00018:23/2_0", "nwparser.p0", "from host %{p0}"); - -var select135 = linear_select([ - part617, - dup103, -]); - -var part618 = match("MESSAGE#365:00018:23/4_0", "nwparser.p0", "%{saddr->} to %{daddr->} %{p0}"); - -var part619 = match("MESSAGE#365:00018:23/4_1", "nwparser.p0", "%{daddr->} %{p0}"); - -var select136 = linear_select([ - part618, - part619, -]); - -var part620 = match("MESSAGE#365:00018:23/5", "nwparser.p0", "%{dport}:(%{fld1})"); - -var all121 = all_match({ - processors: [ - select134, - part616, - select135, - dup23, - select136, - part620, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg367 = msg("00018:23", all121); - -var part621 = match("MESSAGE#366:00018:21", "nwparser.payload", "Service %{service->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. 
(%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg368 = msg("00018:21", part621); - -var part622 = match("MESSAGE#367:00018:24", "nwparser.payload", "Policy (%{policyname}) was %{disposition->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg369 = msg("00018:24", part622); - -var part623 = match("MESSAGE#368:00018:25/1", "nwparser.p0", "%{}address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})"); - -var all122 = all_match({ - processors: [ - dup363, - part623, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg370 = msg("00018:25", all122); - -var part624 = match("MESSAGE#369:00018:30/1", "nwparser.p0", "%{}address %{info->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})"); - -var all123 = all_match({ - processors: [ - dup363, - part624, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg371 = msg("00018:30", all123); - -var part625 = match("MESSAGE#370:00018:26/0", "nwparser.payload", "In policy %{policy_id}, the application was modified to %{disposition->} by %{p0}"); - -var part626 = match("MESSAGE#370:00018:26/2_1", "nwparser.p0", "%{logon_type->} from host %{saddr}. (%{p0}"); - -var select137 = linear_select([ - dup48, - part626, -]); - -var all124 = all_match({ - processors: [ - part625, - dup364, - select137, - dup41, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg372 = msg("00018:26", all124); - -var part627 = match("MESSAGE#371:00018:27", "nwparser.payload", "In policy %{policy_id}, the DI attack component was modified by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. 
(%{fld1})", processor_chain([ - dup17, - dup2, - dup4, - dup5, - dup9, -])); - -var msg373 = msg("00018:27", part627); - -var part628 = match("MESSAGE#372:00018:28", "nwparser.payload", "In policy %{policyname}, the DI attack component was modified by admin %{administrator->} via %{logon_type}. (%{fld1})", processor_chain([ - dup17, - dup2, - dup4, - dup5, - dup9, - setc("info","the DI attack component was modified"), -])); - -var msg374 = msg("00018:28", part628); - -var part629 = match("MESSAGE#373:00018:03", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition}", processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, -])); - -var msg375 = msg("00018:03", part629); - -var part630 = match("MESSAGE#1213:00018:31", "nwparser.payload", "In policy %{policy_id}, the option %{fld2->} was %{disposition}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg376 = msg("00018:31", part630); - -var select138 = linear_select([ - msg347, - msg348, - msg349, - msg350, - msg351, - msg352, - msg353, - msg354, - msg355, - msg356, - msg357, - msg358, - msg359, - msg360, - msg361, - msg362, - msg363, - msg364, - msg365, - msg366, - msg367, - msg368, - msg369, - msg370, - msg371, - msg372, - msg373, - msg374, - msg375, - msg376, -]); - -var part631 = match("MESSAGE#374:00019", "nwparser.payload", "Attempt to enable WebTrends has %{disposition->} because WebTrends settings have not yet been configured", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, -])); - -var msg377 = msg("00019", part631); - -var part632 = match("MESSAGE#375:00019:01/2", "nwparser.p0", "has %{disposition->} because syslog settings have not yet been configured"); - -var all125 = all_match({ - processors: [ - dup165, - dup365, - part632, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg378 = msg("00019:01", all125); - -var part633 = match("MESSAGE#376:00019:02/0", "nwparser.payload", "Socket 
cannot be assigned for %{p0}"); - -var part634 = match("MESSAGE#376:00019:02/1_0", "nwparser.p0", "WebTrends%{}"); - -var part635 = match("MESSAGE#376:00019:02/1_1", "nwparser.p0", "syslog%{}"); - -var select139 = linear_select([ - part634, - part635, -]); - -var all126 = all_match({ - processors: [ - part633, - select139, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg379 = msg("00019:02", all126); - -var part636 = match("MESSAGE#377:00019:03", "nwparser.payload", "Syslog VPN encryption has been %{disposition}", processor_chain([ - dup91, - dup2, - dup3, - dup4, - dup5, -])); - -var msg380 = msg("00019:03", part636); - -var select140 = linear_select([ - dup169, - dup78, -]); - -var select141 = linear_select([ - dup139, - dup170, - dup137, - dup122, -]); - -var all127 = all_match({ - processors: [ - dup168, - select140, - dup23, - select141, - dup171, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg381 = msg("00019:04", all127); - -var part637 = match("MESSAGE#379:00019:05/0", "nwparser.payload", "Syslog message level has been changed to %{p0}"); - -var part638 = match("MESSAGE#379:00019:05/1_0", "nwparser.p0", "debug%{}"); - -var part639 = match("MESSAGE#379:00019:05/1_1", "nwparser.p0", "information%{}"); - -var part640 = match("MESSAGE#379:00019:05/1_2", "nwparser.p0", "notification%{}"); - -var part641 = match("MESSAGE#379:00019:05/1_3", "nwparser.p0", "warning%{}"); - -var part642 = match("MESSAGE#379:00019:05/1_4", "nwparser.p0", "error%{}"); - -var part643 = match("MESSAGE#379:00019:05/1_5", "nwparser.p0", "critical%{}"); - -var part644 = match("MESSAGE#379:00019:05/1_6", "nwparser.p0", "alert%{}"); - -var part645 = match("MESSAGE#379:00019:05/1_7", "nwparser.p0", "emergency%{}"); - -var select142 = linear_select([ - part638, - part639, - part640, - part641, - part642, - part643, - part644, - part645, -]); - -var all128 = all_match({ - processors: [ - 
part637, - select142, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg382 = msg("00019:05", all128); - -var part646 = match("MESSAGE#380:00019:06/2", "nwparser.p0", "has been changed to %{p0}"); - -var all129 = all_match({ - processors: [ - dup168, - dup366, - part646, - dup367, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg383 = msg("00019:06", all129); - -var part647 = match("MESSAGE#381:00019:07", "nwparser.payload", "WebTrends VPN encryption has been %{disposition}", processor_chain([ - dup91, - dup2, - dup3, - dup4, - dup5, -])); - -var msg384 = msg("00019:07", part647); - -var part648 = match("MESSAGE#382:00019:08", "nwparser.payload", "WebTrends has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg385 = msg("00019:08", part648); - -var part649 = match("MESSAGE#383:00019:09/0", "nwparser.payload", "WebTrends host %{p0}"); - -var select143 = linear_select([ - dup139, - dup170, - dup137, -]); - -var all130 = all_match({ - processors: [ - part649, - select143, - dup171, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg386 = msg("00019:09", all130); - -var part650 = match("MESSAGE#384:00019:10/1_0", "nwparser.p0", "Traffic logging via syslog %{p0}"); - -var part651 = match("MESSAGE#384:00019:10/1_1", "nwparser.p0", "Syslog %{p0}"); - -var select144 = linear_select([ - part650, - part651, -]); - -var all131 = all_match({ - processors: [ - dup183, - select144, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg387 = msg("00019:10", all131); - -var part652 = match("MESSAGE#385:00019:11/2", "nwparser.p0", "has %{disposition->} because there is no syslog server defined"); - -var all132 = all_match({ - processors: [ - dup165, - dup365, - part652, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - 
dup5, - ]), -}); - -var msg388 = msg("00019:11", all132); - -var part653 = match("MESSAGE#386:00019:12", "nwparser.payload", "Removing all syslog servers%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg389 = msg("00019:12", part653); - -var part654 = match("MESSAGE#387:00019:13/0", "nwparser.payload", "Syslog server %{hostip->} %{p0}"); - -var select145 = linear_select([ - dup107, - dup106, -]); - -var part655 = match("MESSAGE#387:00019:13/2", "nwparser.p0", "%{disposition}"); - -var all133 = all_match({ - processors: [ - part654, - select145, - part655, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg390 = msg("00019:13", all133); - -var part656 = match("MESSAGE#388:00019:14/2", "nwparser.p0", "for %{hostip->} has been changed to %{p0}"); - -var all134 = all_match({ - processors: [ - dup168, - dup366, - part656, - dup367, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg391 = msg("00019:14", all134); - -var part657 = match("MESSAGE#389:00019:15", "nwparser.payload", "Syslog cannot connect to the TCP server %{hostip}; the connection is closed.", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, -])); - -var msg392 = msg("00019:15", part657); - -var part658 = match("MESSAGE#390:00019:16", "nwparser.payload", "All syslog servers were removed.%{}", processor_chain([ - setc("eventcategory","1701030000"), - setc("ec_activity","Delete"), - dup51, - dup2, - dup3, - dup4, - dup5, -])); - -var msg393 = msg("00019:16", part658); - -var part659 = match("MESSAGE#391:00019:17", "nwparser.payload", "Syslog server %{hostip->} host port number has been changed to %{network_port->} %{fld5}", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, -])); - -var msg394 = msg("00019:17", part659); - -var part660 = match("MESSAGE#392:00019:18/0", "nwparser.payload", "Traffic logging %{p0}"); - -var part661 = 
match("MESSAGE#392:00019:18/1_0", "nwparser.p0", "via syslog %{p0}"); - -var part662 = match("MESSAGE#392:00019:18/1_1", "nwparser.p0", "for syslog server %{hostip->} %{p0}"); - -var select146 = linear_select([ - part661, - part662, -]); - -var all135 = all_match({ - processors: [ - part660, - select146, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg395 = msg("00019:18", all135); - -var part663 = match("MESSAGE#393:00019:19", "nwparser.payload", "Transport protocol for syslog server %{hostip->} was changed to udp", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, -])); - -var msg396 = msg("00019:19", part663); - -var part664 = match("MESSAGE#394:00019:20", "nwparser.payload", "The traffic/IDP syslog is enabled on backup device by netscreen via web from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, -])); - -var msg397 = msg("00019:20", part664); - -var select147 = linear_select([ - msg377, - msg378, - msg379, - msg380, - msg381, - msg382, - msg383, - msg384, - msg385, - msg386, - msg387, - msg388, - msg389, - msg390, - msg391, - msg392, - msg393, - msg394, - msg395, - msg396, - msg397, -]); - -var part665 = match("MESSAGE#395:00020", "nwparser.payload", "Schedule %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg398 = msg("00020", part665); - -var part666 = match("MESSAGE#396:00020:01/0", "nwparser.payload", "System memory is low %{p0}"); - -var part667 = match("MESSAGE#396:00020:01/1_1", "nwparser.p0", "( %{p0}"); - -var select148 = linear_select([ - dup152, - part667, -]); - -var part668 = match("MESSAGE#396:00020:01/2", "nwparser.p0", "%{fld2->} bytes allocated out of %{p0}"); - -var part669 = match("MESSAGE#396:00020:01/3_0", "nwparser.p0", "total %{fld3->} bytes"); - -var part670 = match("MESSAGE#396:00020:01/3_1", "nwparser.p0", 
"%{fld4->} bytes total"); - -var select149 = linear_select([ - part669, - part670, -]); - -var all136 = all_match({ - processors: [ - part666, - select148, - part668, - select149, - ], - on_success: processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg399 = msg("00020:01", all136); - -var part671 = match("MESSAGE#397:00020:02", "nwparser.payload", "System memory is low (%{fld2->} allocated out of %{fld3->} ) %{fld4->} times in %{fld5}", processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, -])); - -var msg400 = msg("00020:02", part671); - -var select150 = linear_select([ - msg398, - msg399, - msg400, -]); - -var part672 = match("MESSAGE#398:00021", "nwparser.payload", "DIP %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg401 = msg("00021", part672); - -var part673 = match("MESSAGE#399:00021:01", "nwparser.payload", "IP pool %{fld2->} with range %{info->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg402 = msg("00021:01", part673); - -var part674 = match("MESSAGE#400:00021:02", "nwparser.payload", "DNS server is not configured%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, -])); - -var msg403 = msg("00021:02", part674); - -var part675 = match("MESSAGE#401:00021:03", "nwparser.payload", "Connection refused by the DNS server%{}", processor_chain([ - dup185, - dup2, - dup3, - dup4, - dup5, -])); - -var msg404 = msg("00021:03", part675); - -var part676 = match("MESSAGE#402:00021:04", "nwparser.payload", "Unknown DNS error%{}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, -])); - -var msg405 = msg("00021:04", part676); - -var part677 = match("MESSAGE#403:00021:05", "nwparser.payload", "DIP port-translatation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg406 
= msg("00021:05", part677); - -var part678 = match("MESSAGE#404:00021:06", "nwparser.payload", "DIP port-translation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - setc("info","DIP port-translation stickiness was modified"), -])); - -var msg407 = msg("00021:06", part678); - -var select151 = linear_select([ - msg401, - msg402, - msg403, - msg404, - msg405, - msg406, - msg407, -]); - -var part679 = match("MESSAGE#405:00022/1_0", "nwparser.p0", "power supplies %{p0}"); - -var part680 = match("MESSAGE#405:00022/1_1", "nwparser.p0", "fans %{p0}"); - -var select152 = linear_select([ - part679, - part680, -]); - -var part681 = match("MESSAGE#405:00022/2", "nwparser.p0", "are %{fld2->} functioning properly"); - -var all137 = all_match({ - processors: [ - dup186, - select152, - part681, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg408 = msg("00022", all137); - -var part682 = match("MESSAGE#406:00022:01/0_0", "nwparser.payload", "At least one power supply %{p0}"); - -var part683 = match("MESSAGE#406:00022:01/0_1", "nwparser.payload", "The power supply %{fld2->} %{p0}"); - -var part684 = match("MESSAGE#406:00022:01/0_2", "nwparser.payload", "At least one fan %{p0}"); - -var select153 = linear_select([ - part682, - part683, - part684, -]); - -var part685 = match("MESSAGE#406:00022:01/1", "nwparser.p0", "is not functioning properly%{p0}"); - -var all138 = all_match({ - processors: [ - select153, - part685, - dup368, - ], - on_success: processor_chain([ - dup187, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg409 = msg("00022:01", all138); - -var part686 = match("MESSAGE#407:00022:02", "nwparser.payload", "Global Manager VPN management tunnel has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg410 = msg("00022:02", part686); - 
-var part687 = match("MESSAGE#408:00022:03", "nwparser.payload", "Global Manager domain name has been defined as %{domain}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg411 = msg("00022:03", part687); - -var part688 = match("MESSAGE#409:00022:04/0", "nwparser.payload", "Reporting of the %{p0}"); - -var part689 = match("MESSAGE#409:00022:04/1_0", "nwparser.p0", "network activities %{p0}"); - -var part690 = match("MESSAGE#409:00022:04/1_1", "nwparser.p0", "device resources %{p0}"); - -var part691 = match("MESSAGE#409:00022:04/1_2", "nwparser.p0", "event logs %{p0}"); - -var part692 = match("MESSAGE#409:00022:04/1_3", "nwparser.p0", "summary logs %{p0}"); - -var select154 = linear_select([ - part689, - part690, - part691, - part692, -]); - -var part693 = match("MESSAGE#409:00022:04/2", "nwparser.p0", "to Global Manager has been %{disposition}"); - -var all139 = all_match({ - processors: [ - part688, - select154, - part693, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg412 = msg("00022:04", all139); - -var part694 = match("MESSAGE#410:00022:05", "nwparser.payload", "Global Manager has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg413 = msg("00022:05", part694); - -var part695 = match("MESSAGE#411:00022:06/0", "nwparser.payload", "Global Manager %{p0}"); - -var part696 = match("MESSAGE#411:00022:06/1_0", "nwparser.p0", "report %{p0}"); - -var part697 = match("MESSAGE#411:00022:06/1_1", "nwparser.p0", "listen %{p0}"); - -var select155 = linear_select([ - part696, - part697, -]); - -var part698 = match("MESSAGE#411:00022:06/2", "nwparser.p0", "port has been set to %{interface}"); - -var all140 = all_match({ - processors: [ - part695, - select155, - part698, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg414 = msg("00022:06", all140); - -var part699 = match("MESSAGE#412:00022:07", 
"nwparser.payload", "The Global Manager keep-alive value has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg415 = msg("00022:07", part699); - -var part700 = match("MESSAGE#413:00022:08/0_0", "nwparser.payload", "System temperature %{p0}"); - -var part701 = match("MESSAGE#413:00022:08/0_1", "nwparser.payload", "System's temperature: %{p0}"); - -var part702 = match("MESSAGE#413:00022:08/0_2", "nwparser.payload", "The system temperature %{p0}"); - -var select156 = linear_select([ - part700, - part701, - part702, -]); - -var part703 = match("MESSAGE#413:00022:08/1", "nwparser.p0", "(%{fld2->} C%{p0}"); - -var part704 = match("MESSAGE#413:00022:08/2_0", "nwparser.p0", "entigrade, %{p0}"); - -var select157 = linear_select([ - part704, - dup96, -]); - -var part705 = match("MESSAGE#413:00022:08/3", "nwparser.p0", "%{fld3->} F%{p0}"); - -var part706 = match("MESSAGE#413:00022:08/4_0", "nwparser.p0", "ahrenheit %{p0}"); - -var select158 = linear_select([ - part706, - dup96, -]); - -var part707 = match("MESSAGE#413:00022:08/5", "nwparser.p0", ") is too high%{}"); - -var all141 = all_match({ - processors: [ - select156, - part703, - select157, - part705, - select158, - part707, - ], - on_success: processor_chain([ - dup188, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg416 = msg("00022:08", all141); - -var part708 = match("MESSAGE#414:00022:09/2", "nwparser.p0", "power supply is no%{p0}"); - -var select159 = linear_select([ - dup191, - dup192, -]); - -var part709 = match("MESSAGE#414:00022:09/4", "nwparser.p0", "functioning properly%{}"); - -var all142 = all_match({ - processors: [ - dup55, - dup369, - part708, - select159, - part709, - ], - on_success: processor_chain([ - dup188, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg417 = msg("00022:09", all142); - -var part710 = match("MESSAGE#415:00022:10/0", "nwparser.payload", "The NetScreen device was unable to upgrade the file system%{p0}"); - -var part711 = 
match("MESSAGE#415:00022:10/1_0", "nwparser.p0", " due to an internal conflict%{}"); - -var part712 = match("MESSAGE#415:00022:10/1_1", "nwparser.p0", ", but the old file system is intact%{}"); - -var select160 = linear_select([ - part711, - part712, -]); - -var all143 = all_match({ - processors: [ - part710, - select160, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg418 = msg("00022:10", all143); - -var part713 = match("MESSAGE#416:00022:11/0", "nwparser.payload", "The NetScreen device was unable to upgrade %{p0}"); - -var part714 = match("MESSAGE#416:00022:11/1_0", "nwparser.p0", "due to an internal conflict%{}"); - -var part715 = match("MESSAGE#416:00022:11/1_1", "nwparser.p0", "the loader, but the loader is intact%{}"); - -var select161 = linear_select([ - part714, - part715, -]); - -var all144 = all_match({ - processors: [ - part713, - select161, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg419 = msg("00022:11", all144); - -var part716 = match("MESSAGE#417:00022:12/0", "nwparser.payload", "Battery is no%{p0}"); - -var select162 = linear_select([ - dup192, - dup191, -]); - -var part717 = match("MESSAGE#417:00022:12/2", "nwparser.p0", "functioning properly.%{}"); - -var all145 = all_match({ - processors: [ - part716, - select162, - part717, - ], - on_success: processor_chain([ - dup188, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg420 = msg("00022:12", all145); - -var part718 = match("MESSAGE#418:00022:13", "nwparser.payload", "System's temperature (%{fld2->} Centigrade, %{fld3->} Fahrenheit) is OK now.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg421 = msg("00022:13", part718); - -var part719 = match("MESSAGE#419:00022:14", "nwparser.payload", "The power supply %{fld2->} is functioning properly. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg422 = msg("00022:14", part719); - -var select163 = linear_select([ - msg408, - msg409, - msg410, - msg411, - msg412, - msg413, - msg414, - msg415, - msg416, - msg417, - msg418, - msg419, - msg420, - msg421, - msg422, -]); - -var part720 = match("MESSAGE#420:00023", "nwparser.payload", "VIP server %{hostip->} is not responding", processor_chain([ - dup187, - dup2, - dup3, - dup4, - dup5, -])); - -var msg423 = msg("00023", part720); - -var part721 = match("MESSAGE#421:00023:01", "nwparser.payload", "VIP/load balance server %{hostip->} cannot be contacted", processor_chain([ - dup187, - dup2, - dup3, - dup4, - dup5, -])); - -var msg424 = msg("00023:01", part721); - -var part722 = match("MESSAGE#422:00023:02", "nwparser.payload", "VIP server %{hostip->} cannot be contacted", processor_chain([ - dup187, - dup2, - dup3, - dup4, - dup5, -])); - -var msg425 = msg("00023:02", part722); - -var select164 = linear_select([ - msg423, - msg424, - msg425, -]); - -var part723 = match("MESSAGE#423:00024/0_0", "nwparser.payload", "The DHCP %{p0}"); - -var part724 = match("MESSAGE#423:00024/0_1", "nwparser.payload", " DHCP %{p0}"); - -var select165 = linear_select([ - part723, - part724, -]); - -var part725 = match("MESSAGE#423:00024/2_0", "nwparser.p0", "IP address pool has %{p0}"); - -var part726 = match("MESSAGE#423:00024/2_1", "nwparser.p0", "options have been %{p0}"); - -var select166 = linear_select([ - part725, - part726, -]); - -var all146 = all_match({ - processors: [ - select165, - dup193, - select166, - dup52, - dup368, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg426 = msg("00024", all146); - -var part727 = match("MESSAGE#424:00024:01/0_0", "nwparser.payload", "Traffic log %{p0}"); - -var part728 = match("MESSAGE#424:00024:01/0_1", "nwparser.payload", "Alarm log %{p0}"); - -var part729 = 
match("MESSAGE#424:00024:01/0_2", "nwparser.payload", "Event log %{p0}"); - -var part730 = match("MESSAGE#424:00024:01/0_3", "nwparser.payload", "Self log %{p0}"); - -var part731 = match("MESSAGE#424:00024:01/0_4", "nwparser.payload", "Asset Recovery log %{p0}"); - -var select167 = linear_select([ - part727, - part728, - part729, - part730, - part731, -]); - -var part732 = match("MESSAGE#424:00024:01/1", "nwparser.p0", "has overflowed%{}"); - -var all147 = all_match({ - processors: [ - select167, - part732, - ], - on_success: processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg427 = msg("00024:01", all147); - -var part733 = match("MESSAGE#425:00024:02/0", "nwparser.payload", "DHCP relay agent settings on %{fld2->} %{p0}"); - -var part734 = match("MESSAGE#425:00024:02/1_0", "nwparser.p0", "are %{p0}"); - -var part735 = match("MESSAGE#425:00024:02/1_1", "nwparser.p0", "have been %{p0}"); - -var select168 = linear_select([ - part734, - part735, -]); - -var part736 = match("MESSAGE#425:00024:02/2", "nwparser.p0", "%{disposition->} (%{fld1})"); - -var all148 = all_match({ - processors: [ - part733, - select168, - part736, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg428 = msg("00024:02", all148); - -var part737 = match("MESSAGE#426:00024:03/0", "nwparser.payload", "DHCP server IP address pool %{p0}"); - -var select169 = linear_select([ - dup194, - dup106, -]); - -var part738 = match("MESSAGE#426:00024:03/2", "nwparser.p0", "changed. 
(%{fld1})"); - -var all149 = all_match({ - processors: [ - part737, - select169, - part738, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg429 = msg("00024:03", all149); - -var select170 = linear_select([ - msg426, - msg427, - msg428, - msg429, -]); - -var part739 = match("MESSAGE#427:00025", "nwparser.payload", "The DHCP server IP address pool has changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg430 = msg("00025", part739); - -var part740 = match("MESSAGE#428:00025:01", "nwparser.payload", "PKI: The current device %{disposition->} to save the certificate authority configuration.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, -])); - -var msg431 = msg("00025:01", part740); - -var part741 = match("MESSAGE#429:00025:02", "nwparser.payload", "%{disposition->} to send the X509 request file via e-mail", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, -])); - -var msg432 = msg("00025:02", part741); - -var part742 = match("MESSAGE#430:00025:03", "nwparser.payload", "%{disposition->} to save the CA configuration", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, -])); - -var msg433 = msg("00025:03", part742); - -var part743 = match("MESSAGE#431:00025:04", "nwparser.payload", "Cannot load more X509 certificates. The %{result}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, -])); - -var msg434 = msg("00025:04", part743); - -var select171 = linear_select([ - msg430, - msg431, - msg432, - msg433, - msg434, -]); - -var part744 = match("MESSAGE#432:00026", "nwparser.payload", "%{signame->} have been detected! 
From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, -])); - -var msg435 = msg("00026", part744); - -var part745 = match("MESSAGE#433:00026:13", "nwparser.payload", "%{signame->} have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on interface %{interface}", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, -])); - -var msg436 = msg("00026:13", part745); - -var part746 = match("MESSAGE#434:00026:01/2", "nwparser.p0", "PKA key has been %{p0}"); - -var part747 = match("MESSAGE#434:00026:01/4", "nwparser.p0", "admin user %{administrator}. (Key ID = %{fld2})"); - -var all150 = all_match({ - processors: [ - dup195, - dup370, - part746, - dup371, - part747, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg437 = msg("00026:01", all150); - -var part748 = match("MESSAGE#435:00026:02/1_0", "nwparser.p0", ": SCS %{p0}"); - -var select172 = linear_select([ - part748, - dup96, -]); - -var part749 = match("MESSAGE#435:00026:02/2", "nwparser.p0", "has been %{disposition->} for %{p0}"); - -var part750 = match("MESSAGE#435:00026:02/3_0", "nwparser.p0", "root system %{p0}"); - -var part751 = match("MESSAGE#435:00026:02/3_1", "nwparser.p0", "%{interface->} %{p0}"); - -var select173 = linear_select([ - part750, - part751, -]); - -var all151 = all_match({ - processors: [ - dup195, - select172, - part749, - select173, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg438 = msg("00026:02", all151); - -var part752 = match("MESSAGE#436:00026:03/2", "nwparser.p0", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}"); - -var all152 = all_match({ - processors: [ - dup195, - dup370, - part752, - ], - on_success: 
processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg439 = msg("00026:03", all152); - -var part753 = match("MESSAGE#437:00026:04", "nwparser.payload", "SCS: Connection has been terminated for admin user %{administrator->} at %{hostip}:%{network_port}", processor_chain([ - dup198, - dup2, - dup4, - dup5, - dup3, -])); - -var msg440 = msg("00026:04", part753); - -var part754 = match("MESSAGE#438:00026:05", "nwparser.payload", "SCS: Host client has requested NO cipher from %{interface}", processor_chain([ - dup198, - dup2, - dup3, - dup4, - dup5, -])); - -var msg441 = msg("00026:05", part754); - -var part755 = match("MESSAGE#439:00026:06", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using PKA RSA from %{saddr}:%{sport}. (key-ID=%{fld2}", processor_chain([ - dup199, - dup29, - dup30, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, -])); - -var msg442 = msg("00026:06", part755); - -var part756 = match("MESSAGE#440:00026:07", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using password from %{saddr}:%{sport}.", processor_chain([ - dup199, - dup29, - dup30, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, -])); - -var msg443 = msg("00026:07", part756); - -var part757 = match("MESSAGE#441:00026:08/0", "nwparser.payload", "SSH user %{username->} has been authenticated using %{p0}"); - -var part758 = match("MESSAGE#441:00026:08/2", "nwparser.p0", "from %{saddr}:%{sport->} [ with key ID %{fld2->} ]"); - -var all153 = all_match({ - processors: [ - part757, - dup372, - part758, - ], - on_success: processor_chain([ - dup199, - dup29, - dup30, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg444 = msg("00026:08", all153); - -var part759 = match("MESSAGE#442:00026:09", "nwparser.payload", "IPSec tunnel on int %{interface->} with tunnel ID %{fld2->} received a packet with a bad SPI.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg445 = 
msg("00026:09", part759); - -var part760 = match("MESSAGE#443:00026:10/0", "nwparser.payload", "SSH: %{p0}"); - -var part761 = match("MESSAGE#443:00026:10/1_0", "nwparser.p0", "Failed %{p0}"); - -var part762 = match("MESSAGE#443:00026:10/1_1", "nwparser.p0", "Attempt %{p0}"); - -var select174 = linear_select([ - part761, - part762, -]); - -var part763 = match("MESSAGE#443:00026:10/3_0", "nwparser.p0", "bind duplicate %{p0}"); - -var select175 = linear_select([ - part763, - dup201, -]); - -var part764 = match("MESSAGE#443:00026:10/6", "nwparser.p0", "admin user '%{administrator}' (Key ID %{fld2})"); - -var all154 = all_match({ - processors: [ - part760, - select174, - dup103, - select175, - dup202, - dup373, - part764, - ], - on_success: processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg446 = msg("00026:10", all154); - -var part765 = match("MESSAGE#444:00026:11", "nwparser.payload", "SSH: Maximum number of PKA keys (%{fld2}) has been bound to user '%{username}' Key not bound. (Key ID %{fld3})", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg447 = msg("00026:11", part765); - -var part766 = match("MESSAGE#445:00026:12", "nwparser.payload", "IKE %{fld2}: Missing heartbeats have exceeded the threshold. 
All Phase 1 and 2 SAs have been removed", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg448 = msg("00026:12", part766); - -var select176 = linear_select([ - msg435, - msg436, - msg437, - msg438, - msg439, - msg440, - msg441, - msg442, - msg443, - msg444, - msg445, - msg446, - msg447, - msg448, -]); - -var part767 = match("MESSAGE#446:00027/2", "nwparser.p0", "user %{username->} from %{p0}"); - -var part768 = match("MESSAGE#446:00027/3_0", "nwparser.p0", "IP address %{saddr}:%{sport}"); - -var part769 = match("MESSAGE#446:00027/3_1", "nwparser.p0", "%{saddr}:%{sport}"); - -var part770 = match("MESSAGE#446:00027/3_2", "nwparser.p0", "console%{}"); - -var select177 = linear_select([ - part768, - part769, - part770, -]); - -var all155 = all_match({ - processors: [ - dup204, - dup374, - part767, - select177, - ], - on_success: processor_chain([ - dup206, - dup30, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg449 = msg("00027", all155); - -var part771 = match("MESSAGE#447:00027:01", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}. %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg450 = msg("00027:01", part771); - -var part772 = match("MESSAGE#448:00027:02", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to %{change_new}. %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg451 = msg("00027:02", part772); - -var part773 = match("MESSAGE#449:00027:03", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}. 
%{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg452 = msg("00027:03", part773); - -var part774 = match("MESSAGE#450:00027:04", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg453 = msg("00027:04", part774); - -var part775 = match("MESSAGE#451:00027:05/0", "nwparser.payload", "ScreenOS %{version->} %{p0}"); - -var part776 = match("MESSAGE#451:00027:05/1_0", "nwparser.p0", "Serial %{p0}"); - -var part777 = match("MESSAGE#451:00027:05/1_1", "nwparser.p0", "serial %{p0}"); - -var select178 = linear_select([ - part776, - part777, -]); - -var part778 = match("MESSAGE#451:00027:05/2", "nwparser.p0", "# %{fld2}: Asset recovery %{p0}"); - -var part779 = match("MESSAGE#451:00027:05/3_0", "nwparser.p0", "performed %{p0}"); - -var select179 = linear_select([ - part779, - dup127, -]); - -var select180 = linear_select([ - dup207, - dup208, -]); - -var all156 = all_match({ - processors: [ - part775, - select178, - part778, - select179, - dup23, - select180, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg454 = msg("00027:05", all156); - -var part780 = match("MESSAGE#452:00027:06/0", "nwparser.payload", "Device Reset (Asset Recovery) has been %{p0}"); - -var select181 = linear_select([ - dup208, - dup207, -]); - -var all157 = all_match({ - processors: [ - part780, - select181, - ], - on_success: processor_chain([ - setc("eventcategory","1606000000"), - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg455 = msg("00027:06", all157); - -var part781 = match("MESSAGE#453:00027:07", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}. 
%{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg456 = msg("00027:07", part781); - -var part782 = match("MESSAGE#454:00027:08", "nwparser.payload", "System configuration has been erased%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg457 = msg("00027:08", part782); - -var part783 = match("MESSAGE#455:00027:09", "nwparser.payload", "License key %{fld2->} is due to expire in %{fld3}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg458 = msg("00027:09", part783); - -var part784 = match("MESSAGE#456:00027:10", "nwparser.payload", "License key %{fld2->} has expired.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg459 = msg("00027:10", part784); - -var part785 = match("MESSAGE#457:00027:11", "nwparser.payload", "License key %{fld2->} expired after 30-day grace period.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg460 = msg("00027:11", part785); - -var part786 = match("MESSAGE#458:00027:12/0", "nwparser.payload", "Request to retrieve license key failed to reach %{p0}"); - -var part787 = match("MESSAGE#458:00027:12/1_0", "nwparser.p0", "the server %{p0}"); - -var select182 = linear_select([ - part787, - dup193, -]); - -var part788 = match("MESSAGE#458:00027:12/2", "nwparser.p0", "by %{fld2}. 
Server url: %{url}"); - -var all158 = all_match({ - processors: [ - part786, - select182, - part788, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg461 = msg("00027:12", all158); - -var part789 = match("MESSAGE#459:00027:13/2", "nwparser.p0", "user %{username}"); - -var all159 = all_match({ - processors: [ - dup204, - dup374, - part789, - ], - on_success: processor_chain([ - dup206, - dup30, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg462 = msg("00027:13", all159); - -var part790 = match("MESSAGE#460:00027:14/0", "nwparser.payload", "Configuration Erasure Process %{p0}"); - -var part791 = match("MESSAGE#460:00027:14/1_0", "nwparser.p0", "has been initiated %{p0}"); - -var part792 = match("MESSAGE#460:00027:14/1_1", "nwparser.p0", "aborted %{p0}"); - -var select183 = linear_select([ - part791, - part792, -]); - -var part793 = match("MESSAGE#460:00027:14/2", "nwparser.p0", ".%{space}(%{fld1})"); - -var all160 = all_match({ - processors: [ - part790, - select183, - part793, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg463 = msg("00027:14", all160); - -var part794 = match("MESSAGE#461:00027:15", "nwparser.payload", "Waiting for 2nd confirmation. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg464 = msg("00027:15", part794); - -var part795 = match("MESSAGE#1220:00027:16", "nwparser.payload", "Admin %{fld3->} policy id %{policy_id->} name \"%{fld2->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg465 = msg("00027:16", part795); - -var part796 = match("MESSAGE#1225:00027:17", "nwparser.payload", "Admin %{username->} is locked and will be unlocked after %{duration->} minutes (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, -])); - -var msg466 = msg("00027:17", part796); - -var part797 = match("MESSAGE#1226:00027:18", "nwparser.payload", "Login attempt by admin %{username->} from %{saddr->} is refused as this account is locked (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, -])); - -var msg467 = msg("00027:18", part797); - -var part798 = match("MESSAGE#1227:00027:19", "nwparser.payload", "Admin %{username->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, -])); - -var msg468 = msg("00027:19", part798); - -var select184 = linear_select([ - msg449, - msg450, - msg451, - msg452, - msg453, - msg454, - msg455, - msg456, - msg457, - msg458, - msg459, - msg460, - msg461, - msg462, - msg463, - msg464, - msg465, - msg466, - msg467, - msg468, -]); - -var part799 = match("MESSAGE#462:00028/0_0", "nwparser.payload", "An Intruder%{p0}"); - -var part800 = match("MESSAGE#462:00028/0_1", "nwparser.payload", "Intruder%{p0}"); - -var part801 = match("MESSAGE#462:00028/0_2", "nwparser.payload", "An intruter%{p0}"); - -var select185 = linear_select([ - part799, - part800, - part801, -]); - -var part802 = match("MESSAGE#462:00028/1", "nwparser.p0", "%{}has attempted to connect to 
the NetScreen-Global PRO port! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times"); - -var all161 = all_match({ - processors: [ - select185, - part802, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - setc("signame","Attempt to Connect to the NetScreen-Global Port"), - ]), -}); - -var msg469 = msg("00028", all161); - -var part803 = match("MESSAGE#463:00029", "nwparser.payload", "DNS has been refreshed%{}", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, -])); - -var msg470 = msg("00029", part803); - -var part804 = match("MESSAGE#464:00029:01", "nwparser.payload", "DHCP file write: out of memory.%{}", processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, -])); - -var msg471 = msg("00029:01", part804); - -var part805 = match("MESSAGE#465:00029:02/0", "nwparser.payload", "The DHCP process cannot open file %{fld2->} to %{p0}"); - -var part806 = match("MESSAGE#465:00029:02/1_0", "nwparser.p0", "read %{p0}"); - -var part807 = match("MESSAGE#465:00029:02/1_1", "nwparser.p0", "write %{p0}"); - -var select186 = linear_select([ - part806, - part807, -]); - -var part808 = match("MESSAGE#465:00029:02/2", "nwparser.p0", "data.%{}"); - -var all162 = all_match({ - processors: [ - part805, - select186, - part808, - ], - on_success: processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg472 = msg("00029:02", all162); - -var part809 = match("MESSAGE#466:00029:03/2", "nwparser.p0", "%{} %{interface->} is full. 
Unable to %{p0}"); - -var part810 = match("MESSAGE#466:00029:03/3_0", "nwparser.p0", "commit %{p0}"); - -var part811 = match("MESSAGE#466:00029:03/3_1", "nwparser.p0", "offer %{p0}"); - -var select187 = linear_select([ - part810, - part811, -]); - -var part812 = match("MESSAGE#466:00029:03/4", "nwparser.p0", "IP address to client at %{fld2}"); - -var all163 = all_match({ - processors: [ - dup210, - dup337, - part809, - select187, - part812, - ], - on_success: processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg473 = msg("00029:03", all163); - -var part813 = match("MESSAGE#467:00029:04", "nwparser.payload", "DHCP server set to OFF on %{interface->} (another server found on %{hostip}).", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg474 = msg("00029:04", part813); - -var select188 = linear_select([ - msg470, - msg471, - msg472, - msg473, - msg474, -]); - -var part814 = match("MESSAGE#468:00030", "nwparser.payload", "CA configuration is invalid%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, -])); - -var msg475 = msg("00030", part814); - -var part815 = match("MESSAGE#469:00030:01/0", "nwparser.payload", "DSS checking of CRLs has been changed from %{p0}"); - -var part816 = match("MESSAGE#469:00030:01/1_0", "nwparser.p0", "0 to 1%{}"); - -var part817 = match("MESSAGE#469:00030:01/1_1", "nwparser.p0", "1 to 0%{}"); - -var select189 = linear_select([ - part816, - part817, -]); - -var all164 = all_match({ - processors: [ - part815, - select189, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg476 = msg("00030:01", all164); - -var part818 = match("MESSAGE#470:00030:05", "nwparser.payload", "For the X509 certificate %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg477 = msg("00030:05", part818); - -var part819 = match("MESSAGE#471:00030:06", 
"nwparser.payload", "In the X509 certificate request the %{fld2->} field has been changed from %{fld3}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg478 = msg("00030:06", part819); - -var part820 = match("MESSAGE#472:00030:07", "nwparser.payload", "RA X509 certificate cannot be loaded%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg479 = msg("00030:07", part820); - -var part821 = match("MESSAGE#473:00030:10", "nwparser.payload", "Self-signed X509 certificate cannot be generated%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, -])); - -var msg480 = msg("00030:10", part821); - -var part822 = match("MESSAGE#474:00030:12", "nwparser.payload", "The public key for ScreenOS image has successfully been updated%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg481 = msg("00030:12", part822); - -var part823 = match("MESSAGE#475:00030:13/0", "nwparser.payload", "The public key used for ScreenOS image authentication cannot be %{p0}"); - -var part824 = match("MESSAGE#475:00030:13/1_0", "nwparser.p0", "decoded%{}"); - -var part825 = match("MESSAGE#475:00030:13/1_1", "nwparser.p0", "loaded%{}"); - -var select190 = linear_select([ - part824, - part825, -]); - -var all165 = all_match({ - processors: [ - part823, - select190, - ], - on_success: processor_chain([ - dup35, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg482 = msg("00030:13", all165); - -var part826 = match("MESSAGE#476:00030:14/1_0", "nwparser.p0", "CA IDENT %{p0}"); - -var part827 = match("MESSAGE#476:00030:14/1_1", "nwparser.p0", "Challenge password %{p0}"); - -var part828 = match("MESSAGE#476:00030:14/1_2", "nwparser.p0", "CA CGI URL %{p0}"); - -var part829 = match("MESSAGE#476:00030:14/1_3", "nwparser.p0", "RA CGI URL %{p0}"); - -var select191 = linear_select([ - part826, - part827, - part828, - part829, -]); - -var part830 = match("MESSAGE#476:00030:14/2", "nwparser.p0", "for SCEP 
%{p0}"); - -var part831 = match("MESSAGE#476:00030:14/3_0", "nwparser.p0", "requests %{p0}"); - -var select192 = linear_select([ - part831, - dup16, -]); - -var part832 = match("MESSAGE#476:00030:14/4", "nwparser.p0", "has been changed from %{change_old->} to %{change_new}"); - -var all166 = all_match({ - processors: [ - dup55, - select191, - part830, - select192, - part832, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg483 = msg("00030:14", all166); - -var msg484 = msg("00030:02", dup375); - -var part833 = match("MESSAGE#478:00030:15", "nwparser.payload", "X509 certificate for ScreenOS image authentication is invalid%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, -])); - -var msg485 = msg("00030:15", part833); - -var part834 = match("MESSAGE#479:00030:16", "nwparser.payload", "X509 certificate has been deleted%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg486 = msg("00030:16", part834); - -var part835 = match("MESSAGE#480:00030:18", "nwparser.payload", "PKI CRL: no revoke info accept per config DN %{interface}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg487 = msg("00030:18", part835); - -var part836 = match("MESSAGE#481:00030:19/0", "nwparser.payload", "PKI: A configurable item %{change_attribute->} %{p0}"); - -var part837 = match("MESSAGE#481:00030:19/1_0", "nwparser.p0", "mode %{p0}"); - -var part838 = match("MESSAGE#481:00030:19/1_1", "nwparser.p0", "field%{p0}"); - -var select193 = linear_select([ - part837, - part838, -]); - -var part839 = match("MESSAGE#481:00030:19/2", "nwparser.p0", "%{}has changed from %{change_old->} to %{change_new}"); - -var all167 = all_match({ - processors: [ - part836, - select193, - part839, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg488 = msg("00030:19", all167); - -var part840 = match("MESSAGE#482:00030:30", 
"nwparser.payload", "PKI: NSRP cold sync start for total of %{fld2->} items.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg489 = msg("00030:30", part840); - -var part841 = match("MESSAGE#483:00030:31", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} out of order expect %{fld3->} of %{fld4}.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, -])); - -var msg490 = msg("00030:31", part841); - -var part842 = match("MESSAGE#484:00030:32", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} without first item.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, -])); - -var msg491 = msg("00030:32", part842); - -var part843 = match("MESSAGE#485:00030:33", "nwparser.payload", "PKI: NSRP sync received normal item during cold sync.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg492 = msg("00030:33", part843); - -var part844 = match("MESSAGE#486:00030:34", "nwparser.payload", "PKI: The CRL %{policy_id->} is deleted.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg493 = msg("00030:34", part844); - -var part845 = match("MESSAGE#487:00030:35", "nwparser.payload", "PKI: The NSRP high availability synchronization %{fld2->} failed.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, -])); - -var msg494 = msg("00030:35", part845); - -var part846 = match("MESSAGE#488:00030:36", "nwparser.payload", "PKI: The %{change_attribute->} has changed from %{change_old->} to %{change_new}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg495 = msg("00030:36", part846); - -var part847 = match("MESSAGE#489:00030:37", "nwparser.payload", "PKI: The X.509 certificate for the ScreenOS image authentication is invalid.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, -])); - -var msg496 = msg("00030:37", part847); - -var part848 = match("MESSAGE#490:00030:38", 
"nwparser.payload", "PKI: The X.509 local certificate cannot be sync to vsd member.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, -])); - -var msg497 = msg("00030:38", part848); - -var part849 = match("MESSAGE#491:00030:39/0", "nwparser.payload", "PKI: The X.509 certificate %{p0}"); - -var part850 = match("MESSAGE#491:00030:39/1_0", "nwparser.p0", "revocation list %{p0}"); - -var select194 = linear_select([ - part850, - dup16, -]); - -var part851 = match("MESSAGE#491:00030:39/2", "nwparser.p0", "cannot be loaded during NSRP synchronization.%{}"); - -var all168 = all_match({ - processors: [ - part849, - select194, - part851, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg498 = msg("00030:39", all168); - -var part852 = match("MESSAGE#492:00030:17/0", "nwparser.payload", "X509 %{p0}"); - -var part853 = match("MESSAGE#492:00030:17/2", "nwparser.p0", "cannot be loaded%{}"); - -var all169 = all_match({ - processors: [ - part852, - dup376, - part853, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg499 = msg("00030:17", all169); - -var part854 = match("MESSAGE#493:00030:40/0", "nwparser.payload", "PKI: The certificate %{fld2->} will expire %{p0}"); - -var part855 = match("MESSAGE#493:00030:40/1_1", "nwparser.p0", "please %{p0}"); - -var select195 = linear_select([ - dup214, - part855, -]); - -var part856 = match("MESSAGE#493:00030:40/2", "nwparser.p0", "renew.%{}"); - -var all170 = all_match({ - processors: [ - part854, - select195, - part856, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg500 = msg("00030:40", all170); - -var part857 = match("MESSAGE#494:00030:41", "nwparser.payload", "PKI: The certificate revocation list has expired issued by certificate authority %{fld2}.", 
processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, -])); - -var msg501 = msg("00030:41", part857); - -var part858 = match("MESSAGE#495:00030:42", "nwparser.payload", "PKI: The configuration content of certificate authority %{fld2->} is not valid.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, -])); - -var msg502 = msg("00030:42", part858); - -var part859 = match("MESSAGE#496:00030:43", "nwparser.payload", "PKI: The device cannot allocate this object id number %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, -])); - -var msg503 = msg("00030:43", part859); - -var part860 = match("MESSAGE#497:00030:44", "nwparser.payload", "PKI: The device cannot extract the X.509 certificate revocation list [ (CRL) ].%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, -])); - -var msg504 = msg("00030:44", part860); - -var part861 = match("MESSAGE#498:00030:45", "nwparser.payload", "PKI: The device cannot find the PKI object %{fld2->} during cold sync.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, -])); - -var msg505 = msg("00030:45", part861); - -var part862 = match("MESSAGE#499:00030:46", "nwparser.payload", "PKI: The device cannot load X.509 certificate onto the device certificate %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, -])); - -var msg506 = msg("00030:46", part862); - -var part863 = match("MESSAGE#500:00030:47", "nwparser.payload", "PKI: The device cannot load a certificate pending SCEP completion.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, -])); - -var msg507 = msg("00030:47", part863); - -var part864 = match("MESSAGE#501:00030:48", "nwparser.payload", "PKI: The device cannot load an X.509 certificate revocation list (CRL).%{}", processor_chain([ - dup35, - dup211, - 
dup31, - dup39, - dup2, - dup3, - dup4, - dup5, -])); - -var msg508 = msg("00030:48", part864); - -var part865 = match("MESSAGE#502:00030:49", "nwparser.payload", "PKI: The device cannot load the CA certificate received through SCEP.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, -])); - -var msg509 = msg("00030:49", part865); - -var part866 = match("MESSAGE#503:00030:50", "nwparser.payload", "PKI: The device cannot load the X.509 certificate revocation list (CRL) from the file.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, -])); - -var msg510 = msg("00030:50", part866); - -var part867 = match("MESSAGE#504:00030:51", "nwparser.payload", "PKI: The device cannot load the X.509 local certificate received through SCEP.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, -])); - -var msg511 = msg("00030:51", part867); - -var part868 = match("MESSAGE#505:00030:52", "nwparser.payload", "PKI: The device cannot load the X.509 %{product->} during boot.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, -])); - -var msg512 = msg("00030:52", part868); - -var part869 = match("MESSAGE#506:00030:53", "nwparser.payload", "PKI: The device cannot load the X.509 certificate file.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, -])); - -var msg513 = msg("00030:53", part869); - -var part870 = match("MESSAGE#507:00030:54", "nwparser.payload", "PKI: The device completed the coldsync of the PKI object at %{fld2->} attempt.", processor_chain([ - dup44, - dup211, - dup31, - dup2, - dup3, - dup4, - dup5, -])); - -var msg514 = msg("00030:54", part870); - -var part871 = match("MESSAGE#508:00030:55/0", "nwparser.payload", "PKI: The device could not generate %{p0}"); - -var all171 = all_match({ - processors: [ - part871, - dup377, - dup217, - ], - on_success: processor_chain([ - dup35, 
- dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg515 = msg("00030:55", all171); - -var part872 = match("MESSAGE#509:00030:56", "nwparser.payload", "PKI: The device detected an invalid RSA key.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, -])); - -var msg516 = msg("00030:56", part872); - -var part873 = match("MESSAGE#510:00030:57", "nwparser.payload", "PKI: The device detected an invalid digital signature algorithm (DSA) key.%{}", processor_chain([ - dup35, - dup218, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, -])); - -var msg517 = msg("00030:57", part873); - -var part874 = match("MESSAGE#511:00030:58", "nwparser.payload", "PKI: The device failed to coldsync the PKI object at %{fld2->} attempt.", processor_chain([ - dup86, - dup218, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, -])); - -var msg518 = msg("00030:58", part874); - -var part875 = match("MESSAGE#512:00030:59", "nwparser.payload", "PKI: The device failed to decode the public key of the image%{quote}s signer certificate.", processor_chain([ - dup35, - dup218, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, -])); - -var msg519 = msg("00030:59", part875); - -var part876 = match("MESSAGE#513:00030:60", "nwparser.payload", "PKI: The device failed to install the RSA key.%{}", processor_chain([ - dup35, - dup218, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, -])); - -var msg520 = msg("00030:60", part876); - -var part877 = match("MESSAGE#514:00030:61", "nwparser.payload", "PKI: The device failed to retrieve the pending certificate %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, -])); - -var msg521 = msg("00030:61", part877); - -var part878 = match("MESSAGE#515:00030:62", "nwparser.payload", "PKI: The device failed to save the certificate authority related configuration.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, -])); - 
-var msg522 = msg("00030:62", part878); - -var part879 = match("MESSAGE#516:00030:63", "nwparser.payload", "PKI: The device failed to store the authority configuration.%{}", processor_chain([ - dup18, - dup219, - dup51, - dup54, - dup2, - dup3, - dup4, - dup5, -])); - -var msg523 = msg("00030:63", part879); - -var part880 = match("MESSAGE#517:00030:64", "nwparser.payload", "PKI: The device failed to synchronize new DSA/RSA key pair to NSRP peer.%{}", processor_chain([ - dup18, - dup218, - dup51, - dup54, - dup2, - dup3, - dup4, - dup5, -])); - -var msg524 = msg("00030:64", part880); - -var part881 = match("MESSAGE#518:00030:65", "nwparser.payload", "PKI: The device failed to synchronize DSA/RSA key pair to NSRP peer.%{}", processor_chain([ - dup18, - dup218, - dup51, - dup54, - dup2, - dup3, - dup4, - dup5, -])); - -var msg525 = msg("00030:65", part881); - -var part882 = match("MESSAGE#519:00030:66", "nwparser.payload", "PKI: The device has detected an invalid X.509 object attribute %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, -])); - -var msg526 = msg("00030:66", part882); - -var part883 = match("MESSAGE#520:00030:67", "nwparser.payload", "PKI: The device has detected invalid X.509 object content.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, -])); - -var msg527 = msg("00030:67", part883); - -var part884 = match("MESSAGE#521:00030:68", "nwparser.payload", "PKI: The device has failed to load an invalid X.509 object.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, -])); - -var msg528 = msg("00030:68", part884); - -var part885 = match("MESSAGE#522:00030:69", "nwparser.payload", "PKI: The device is loading the version 0 PKI data.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg529 = msg("00030:69", part885); - -var part886 = match("MESSAGE#523:00030:70/0", "nwparser.payload", "PKI: The device 
successfully generated a new %{p0}"); - -var all172 = all_match({ - processors: [ - part886, - dup377, - dup217, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg530 = msg("00030:70", all172); - -var part887 = match("MESSAGE#524:00030:71", "nwparser.payload", "PKI: The public key of image%{quote}s signer has been loaded successfully, for future image authentication.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg531 = msg("00030:71", part887); - -var part888 = match("MESSAGE#525:00030:72", "nwparser.payload", "PKI: The signature of the image%{quote}s signer certificate cannot be verified.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, -])); - -var msg532 = msg("00030:72", part888); - -var part889 = match("MESSAGE#526:00030:73/0", "nwparser.payload", "PKI: The %{p0}"); - -var part890 = match("MESSAGE#526:00030:73/1_0", "nwparser.p0", "file name %{p0}"); - -var part891 = match("MESSAGE#526:00030:73/1_1", "nwparser.p0", "friendly name of a certificate %{p0}"); - -var part892 = match("MESSAGE#526:00030:73/1_2", "nwparser.p0", "vsys name %{p0}"); - -var select196 = linear_select([ - part890, - part891, - part892, -]); - -var part893 = match("MESSAGE#526:00030:73/2", "nwparser.p0", "is too long %{fld2->} to do NSRP synchronization allowed %{fld3}."); - -var all173 = all_match({ - processors: [ - part889, - select196, - part893, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg533 = msg("00030:73", all173); - -var part894 = match("MESSAGE#527:00030:74", "nwparser.payload", "PKI: Upgrade from earlier version save to file.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg534 = msg("00030:74", part894); - -var part895 = match("MESSAGE#528:00030:75", "nwparser.payload", "PKI: X.509 certificate has been deleted distinguished name %{username}.", 
processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg535 = msg("00030:75", part895); - -var part896 = match("MESSAGE#529:00030:76/0", "nwparser.payload", "PKI: X.509 %{p0}"); - -var part897 = match("MESSAGE#529:00030:76/2", "nwparser.p0", "file has been loaded successfully filename %{fld2}."); - -var all174 = all_match({ - processors: [ - part896, - dup376, - part897, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg536 = msg("00030:76", all174); - -var part898 = match("MESSAGE#530:00030:77", "nwparser.payload", "PKI: failed to install DSA key.%{}", processor_chain([ - dup18, - dup218, - dup51, - dup54, - dup2, - dup3, - dup4, - dup5, -])); - -var msg537 = msg("00030:77", part898); - -var part899 = match("MESSAGE#531:00030:78", "nwparser.payload", "PKI: no FQDN available when requesting certificate.%{}", processor_chain([ - dup35, - dup211, - dup220, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, -])); - -var msg538 = msg("00030:78", part899); - -var part900 = match("MESSAGE#532:00030:79", "nwparser.payload", "PKI: no cert revocation check per config DN %{username}.", processor_chain([ - dup35, - dup211, - dup220, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, -])); - -var msg539 = msg("00030:79", part900); - -var part901 = match("MESSAGE#533:00030:80", "nwparser.payload", "PKI: no nsrp sync for pre 2.5 objects.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg540 = msg("00030:80", part901); - -var part902 = match("MESSAGE#534:00030:81", "nwparser.payload", "X509 certificate with subject name %{fld2->} is deleted.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg541 = msg("00030:81", part902); - -var part903 = match("MESSAGE#535:00030:82", "nwparser.payload", "create new authcfg for CA %{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg542 = msg("00030:82", part903); - -var part904 = 
match("MESSAGE#536:00030:83", "nwparser.payload", "loadCert: Cannot acquire authcfg for this CA cert %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, -])); - -var msg543 = msg("00030:83", part904); - -var part905 = match("MESSAGE#537:00030:84", "nwparser.payload", "upgrade to 4.0 copy authcfg from global.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg544 = msg("00030:84", part905); - -var part906 = match("MESSAGE#538:00030:85", "nwparser.payload", "System CPU utilization is high (%{fld2->} alarm threshold: %{trigger_val}) %{info}", processor_chain([ - setc("eventcategory","1603080000"), - dup2, - dup3, - dup4, - dup5, -])); - -var msg545 = msg("00030:85", part906); - -var part907 = match("MESSAGE#539:00030:86/2", "nwparser.p0", "Pair-wise invoked by started after key generation. (%{fld1})"); - -var all175 = all_match({ - processors: [ - dup221, - dup378, - part907, - ], - on_success: processor_chain([ - dup223, - dup2, - dup4, - dup5, - dup9, - ]), -}); - -var msg546 = msg("00030:86", all175); - -var part908 = match("MESSAGE#1214:00030:87", "nwparser.payload", "SYSTEM CPU utilization is high (%{fld2->} > %{fld3->} ) %{fld4->} times in %{fld5->} minute (%{fld1})\u003c\u003c%{fld6}>", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - dup9, -])); - -var msg547 = msg("00030:87", part908); - -var part909 = match("MESSAGE#1217:00030:88/2", "nwparser.p0", "Pair-wise invoked by passed. 
(%{fld1})\u003c\u003c%{fld6}>"); - -var all176 = all_match({ - processors: [ - dup221, - dup378, - part909, - ], - on_success: processor_chain([ - dup223, - dup2, - dup4, - dup5, - dup9, - ]), -}); - -var msg548 = msg("00030:88", all176); - -var select197 = linear_select([ - msg475, - msg476, - msg477, - msg478, - msg479, - msg480, - msg481, - msg482, - msg483, - msg484, - msg485, - msg486, - msg487, - msg488, - msg489, - msg490, - msg491, - msg492, - msg493, - msg494, - msg495, - msg496, - msg497, - msg498, - msg499, - msg500, - msg501, - msg502, - msg503, - msg504, - msg505, - msg506, - msg507, - msg508, - msg509, - msg510, - msg511, - msg512, - msg513, - msg514, - msg515, - msg516, - msg517, - msg518, - msg519, - msg520, - msg521, - msg522, - msg523, - msg524, - msg525, - msg526, - msg527, - msg528, - msg529, - msg530, - msg531, - msg532, - msg533, - msg534, - msg535, - msg536, - msg537, - msg538, - msg539, - msg540, - msg541, - msg542, - msg543, - msg544, - msg545, - msg546, - msg547, - msg548, -]); - -var part910 = match("MESSAGE#540:00031:13", "nwparser.payload", "ARP detected IP conflict: IP address %{hostip->} changed from %{sinterface->} to interface %{dinterface->} (%{fld1})", processor_chain([ - dup121, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg549 = msg("00031:13", part910); - -var part911 = match("MESSAGE#541:00031", "nwparser.payload", "SNMP AuthenTraps have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg550 = msg("00031", part911); - -var part912 = match("MESSAGE#542:00031:01", "nwparser.payload", "SNMP VPN has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg551 = msg("00031:01", part912); - -var part913 = match("MESSAGE#543:00031:02/0", "nwparser.payload", "SNMP community %{fld2->} attributes-write access %{p0}"); - -var part914 = match("MESSAGE#543:00031:02/2", "nwparser.p0", "; receive traps %{p0}"); - -var part915 = 
match("MESSAGE#543:00031:02/4", "nwparser.p0", "; receive traffic alarms %{p0}"); - -var part916 = match("MESSAGE#543:00031:02/6", "nwparser.p0", "-have been modified%{}"); - -var all177 = all_match({ - processors: [ - part913, - dup379, - part914, - dup379, - part915, - dup379, - part916, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg552 = msg("00031:02", all177); - -var part917 = match("MESSAGE#544:00031:03/0", "nwparser.payload", "%{fld2->} SNMP host %{hostip->} has been %{p0}"); - -var select198 = linear_select([ - dup130, - dup129, -]); - -var part918 = match("MESSAGE#544:00031:03/2", "nwparser.p0", "SNMP community %{fld3}"); - -var all178 = all_match({ - processors: [ - part917, - select198, - part918, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg553 = msg("00031:03", all178); - -var part919 = match("MESSAGE#545:00031:04/0", "nwparser.payload", "SNMP %{p0}"); - -var part920 = match("MESSAGE#545:00031:04/1_0", "nwparser.p0", "contact %{p0}"); - -var select199 = linear_select([ - part920, - dup226, -]); - -var part921 = match("MESSAGE#545:00031:04/2", "nwparser.p0", "description has been modified%{}"); - -var all179 = all_match({ - processors: [ - part919, - select199, - part921, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg554 = msg("00031:04", all179); - -var part922 = match("MESSAGE#546:00031:11/0", "nwparser.payload", "SNMP system %{p0}"); - -var select200 = linear_select([ - dup226, - dup25, -]); - -var part923 = match("MESSAGE#546:00031:11/2", "nwparser.p0", "has been changed to %{fld2}. 
(%{fld1})"); - -var all180 = all_match({ - processors: [ - part922, - select200, - part923, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg555 = msg("00031:11", all180); - -var part924 = match("MESSAGE#547:00031:08/0", "nwparser.payload", "%{fld2}: SNMP community name \"%{fld3}\" %{p0}"); - -var part925 = match("MESSAGE#547:00031:08/1_0", "nwparser.p0", "attributes -- %{p0}"); - -var part926 = match("MESSAGE#547:00031:08/1_1", "nwparser.p0", "-- %{p0}"); - -var select201 = linear_select([ - part925, - part926, -]); - -var part927 = match("MESSAGE#547:00031:08/2", "nwparser.p0", "write access, %{p0}"); - -var part928 = match("MESSAGE#547:00031:08/4", "nwparser.p0", "; receive traps, %{p0}"); - -var part929 = match("MESSAGE#547:00031:08/6", "nwparser.p0", "; receive traffic alarms, %{p0}"); - -var part930 = match("MESSAGE#547:00031:08/8", "nwparser.p0", "-%{p0}"); - -var part931 = match("MESSAGE#547:00031:08/9_0", "nwparser.p0", "- %{p0}"); - -var select202 = linear_select([ - part931, - dup96, -]); - -var part932 = match("MESSAGE#547:00031:08/10", "nwparser.p0", "have been modified%{}"); - -var all181 = all_match({ - processors: [ - part924, - select201, - part927, - dup379, - part928, - dup379, - part929, - dup379, - part930, - select202, - part932, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg556 = msg("00031:08", all181); - -var part933 = match("MESSAGE#548:00031:05/0", "nwparser.payload", "Detect IP conflict (%{fld2}) on %{p0}"); - -var all182 = all_match({ - processors: [ - part933, - dup337, - dup227, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg557 = msg("00031:05", all182); - -var part934 = match("MESSAGE#549:00031:06/1_0", "nwparser.p0", "q, %{p0}"); - -var select203 = linear_select([ - part934, - dup229, - dup230, -]); - -var part935 = match("MESSAGE#549:00031:06/2", "nwparser.p0", "detect IP 
conflict ( %{hostip->} )%{p0}"); - -var select204 = linear_select([ - dup105, - dup96, -]); - -var part936 = match("MESSAGE#549:00031:06/4", "nwparser.p0", "mac%{p0}"); - -var part937 = match("MESSAGE#549:00031:06/6", "nwparser.p0", "%{macaddr->} on %{p0}"); - -var all183 = all_match({ - processors: [ - dup228, - select203, - part935, - select204, - part936, - dup356, - part937, - dup352, - dup23, - dup380, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg558 = msg("00031:06", all183); - -var part938 = match("MESSAGE#550:00031:07/2", "nwparser.p0", "detects a duplicate virtual security device group master IP address %{hostip}, MAC address %{macaddr->} on %{p0}"); - -var all184 = all_match({ - processors: [ - dup228, - dup381, - part938, - dup337, - dup227, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg559 = msg("00031:07", all184); - -var part939 = match("MESSAGE#551:00031:09/2", "nwparser.p0", "detected an IP conflict (IP %{hostip}, MAC %{macaddr}) on interface %{p0}"); - -var all185 = all_match({ - processors: [ - dup228, - dup381, - part939, - dup380, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg560 = msg("00031:09", all185); - -var part940 = match("MESSAGE#552:00031:10", "nwparser.payload", "%{fld2}: SNMP community \"%{fld3}\" has been moved. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg561 = msg("00031:10", part940); - -var part941 = match("MESSAGE#553:00031:12", "nwparser.payload", "%{fld2->} system contact has been changed to %{fld3}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg562 = msg("00031:12", part941); - -var select205 = linear_select([ - msg549, - msg550, - msg551, - msg552, - msg553, - msg554, - msg555, - msg556, - msg557, - msg558, - msg559, - msg560, - msg561, - msg562, -]); - -var part942 = match("MESSAGE#554:00032", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup232, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, -])); - -var msg563 = msg("00032", part942); - -var part943 = match("MESSAGE#555:00032:01", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup5, - dup61, -])); - -var msg564 = msg("00032:01", part943); - -var part944 = match("MESSAGE#556:00032:03/0", "nwparser.payload", "Vsys %{fld2->} has been %{p0}"); - -var part945 = match("MESSAGE#556:00032:03/1_0", "nwparser.p0", "changed to %{fld3}"); - -var part946 = match("MESSAGE#556:00032:03/1_1", "nwparser.p0", "created%{}"); - -var part947 = match("MESSAGE#556:00032:03/1_2", "nwparser.p0", "deleted%{}"); - -var part948 = match("MESSAGE#556:00032:03/1_3", "nwparser.p0", "removed%{}"); - -var select206 = linear_select([ - part945, - part946, - part947, - part948, -]); - -var all186 = all_match({ - processors: [ - part944, - select206, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg565 = msg("00032:03", all186); - -var part949 = match("MESSAGE#557:00032:04", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", 
processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup59, - dup5, - dup61, -])); - -var msg566 = msg("00032:04", part949); - -var part950 = match("MESSAGE#558:00032:05", "nwparser.payload", "%{change_attribute->} for vsys %{fld2->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg567 = msg("00032:05", part950); - -var msg568 = msg("00032:02", dup375); - -var select207 = linear_select([ - msg563, - msg564, - msg565, - msg566, - msg567, - msg568, -]); - -var part951 = match("MESSAGE#560:00033:25", "nwparser.payload", "NSM has been %{disposition}. (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("agent","NSM"), -])); - -var msg569 = msg("00033:25", part951); - -var part952 = match("MESSAGE#561:00033/1", "nwparser.p0", "timeout value has been %{p0}"); - -var part953 = match("MESSAGE#561:00033/2_1", "nwparser.p0", "returned%{p0}"); - -var select208 = linear_select([ - dup52, - part953, -]); - -var part954 = match("MESSAGE#561:00033/3", "nwparser.p0", "%{}to %{fld2}"); - -var all187 = all_match({ - processors: [ - dup382, - part952, - select208, - part954, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg570 = msg("00033", all187); - -var part955 = match("MESSAGE#562:00033:03/1_0", "nwparser.p0", "Global PRO %{p0}"); - -var part956 = match("MESSAGE#562:00033:03/1_1", "nwparser.p0", "%{fld3->} %{p0}"); - -var select209 = linear_select([ - part955, - part956, -]); - -var part957 = match("MESSAGE#562:00033:03/4", "nwparser.p0", "host has been set to %{fld4}"); - -var all188 = all_match({ - processors: [ - dup160, - select209, - dup23, - dup369, - part957, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg571 = msg("00033:03", all188); - -var part958 = match("MESSAGE#563:00033:02/3", "nwparser.p0", "host has been %{disposition}"); - -var all189 = all_match({ - 
processors: [ - dup382, - dup23, - dup369, - part958, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg572 = msg("00033:02", all189); - -var part959 = match("MESSAGE#564:00033:04", "nwparser.payload", "Reporting of %{fld2->} to %{fld3->} has been %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg573 = msg("00033:04", part959); - -var part960 = match("MESSAGE#565:00033:05", "nwparser.payload", "Global PRO has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg574 = msg("00033:05", part960); - -var part961 = match("MESSAGE#566:00033:06", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. The attack occurred %{dclass_counter1->} times", processor_chain([ - dup27, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, -])); - -var msg575 = msg("00033:06", part961); - -var part962 = match("MESSAGE#567:00033:01", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. 
The threshold was exceeded %{dclass_counter1->} times", processor_chain([ - dup27, - dup2, - dup3, - setc("dclass_counter1_string","Number of times the threshold was exceeded"), - dup4, - dup5, - dup61, -])); - -var msg576 = msg("00033:01", part962); - -var part963 = match("MESSAGE#568:00033:07", "nwparser.payload", "User-defined service %{service->} has been %{disposition->} from %{fld2->} distribution", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg577 = msg("00033:07", part963); - -var part964 = match("MESSAGE#569:00033:08/2", "nwparser.p0", "?s CA certificate field has not been specified.%{}"); - -var all190 = all_match({ - processors: [ - dup235, - dup383, - part964, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg578 = msg("00033:08", all190); - -var part965 = match("MESSAGE#570:00033:09/2", "nwparser.p0", "?s Cert-Subject field has not been specified.%{}"); - -var all191 = all_match({ - processors: [ - dup235, - dup383, - part965, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg579 = msg("00033:09", all191); - -var part966 = match("MESSAGE#571:00033:10/2", "nwparser.p0", "?s host field has been %{p0}"); - -var part967 = match("MESSAGE#571:00033:10/3_0", "nwparser.p0", "set to %{fld2->} %{p0}"); - -var select210 = linear_select([ - part967, - dup238, -]); - -var all192 = all_match({ - processors: [ - dup235, - dup383, - part966, - select210, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg580 = msg("00033:10", all192); - -var part968 = match("MESSAGE#572:00033:11/2", "nwparser.p0", "?s outgoing interface used to report NACN to Policy Manager %{p0}"); - -var part969 = match("MESSAGE#572:00033:11/4", "nwparser.p0", "has not been specified.%{}"); - -var all193 = all_match({ - processors: [ - dup235, - dup383, - part968, - dup383, - part969, - ], - on_success: processor_chain([ 
- dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg581 = msg("00033:11", all193); - -var part970 = match("MESSAGE#573:00033:12/2", "nwparser.p0", "?s password field has been %{p0}"); - -var select211 = linear_select([ - dup101, - dup238, -]); - -var all194 = all_match({ - processors: [ - dup235, - dup383, - part970, - select211, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg582 = msg("00033:12", all194); - -var part971 = match("MESSAGE#574:00033:13/2", "nwparser.p0", "?s policy-domain field has been %{p0}"); - -var part972 = match("MESSAGE#574:00033:13/3_0", "nwparser.p0", "unset .%{}"); - -var part973 = match("MESSAGE#574:00033:13/3_1", "nwparser.p0", "set to %{domain}."); - -var select212 = linear_select([ - part972, - part973, -]); - -var all195 = all_match({ - processors: [ - dup235, - dup383, - part971, - select212, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg583 = msg("00033:13", all195); - -var part974 = match("MESSAGE#575:00033:14/2", "nwparser.p0", "?s CA certificate field has been set to %{fld2}."); - -var all196 = all_match({ - processors: [ - dup235, - dup383, - part974, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg584 = msg("00033:14", all196); - -var part975 = match("MESSAGE#576:00033:15/2", "nwparser.p0", "?s Cert-Subject field has been set to %{fld2}."); - -var all197 = all_match({ - processors: [ - dup235, - dup383, - part975, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg585 = msg("00033:15", all197); - -var part976 = match("MESSAGE#577:00033:16/2", "nwparser.p0", "?s outgoing-interface field has been set to %{interface}."); - -var all198 = all_match({ - processors: [ - dup235, - dup383, - part976, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg586 = msg("00033:16", 
all198); - -var part977 = match("MESSAGE#578:00033:17/2", "nwparser.p0", "?s port field has been %{p0}"); - -var part978 = match("MESSAGE#578:00033:17/3_0", "nwparser.p0", "set to %{network_port->} %{p0}"); - -var part979 = match("MESSAGE#578:00033:17/3_1", "nwparser.p0", "reset to the default value %{p0}"); - -var select213 = linear_select([ - part978, - part979, -]); - -var all199 = all_match({ - processors: [ - dup235, - dup383, - part977, - select213, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg587 = msg("00033:17", all199); - -var part980 = match("MESSAGE#579:00033:19/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{p0}"); - -var part981 = match("MESSAGE#579:00033:19/4", "nwparser.p0", "%{fld99}arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time."); - -var all200 = all_match({ - processors: [ - part980, - dup339, - dup70, - dup340, - part981, - ], - on_success: processor_chain([ - dup27, - dup2, - dup4, - dup5, - dup3, - dup59, - dup61, - ]), -}); - -var msg588 = msg("00033:19", all200); - -var part982 = match("MESSAGE#580:00033:20", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time.", processor_chain([ - dup27, - dup2, - dup4, - dup5, - dup3, - dup59, - dup60, -])); - -var msg589 = msg("00033:20", part982); - -var all201 = all_match({ - processors: [ - dup239, - dup343, - dup83, - ], - on_success: processor_chain([ - dup27, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), -}); - -var msg590 = msg("00033:21", all201); - -var part983 = match("MESSAGE#582:00033:22/0", "nwparser.payload", "%{signame}! 
From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); - -var all202 = all_match({ - processors: [ - part983, - dup343, - dup83, - ], - on_success: processor_chain([ - dup27, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - dup60, - ]), -}); - -var msg591 = msg("00033:22", all202); - -var part984 = match("MESSAGE#583:00033:23", "nwparser.payload", "NSM primary server with name %{hostname->} was set: addr %{hostip}, port %{network_port}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg592 = msg("00033:23", part984); - -var part985 = match("MESSAGE#584:00033:24", "nwparser.payload", "session threshold From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{info}. (%{fld1})", processor_chain([ - setc("eventcategory","1001030500"), - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg593 = msg("00033:24", part985); - -var select214 = linear_select([ - msg569, - msg570, - msg571, - msg572, - msg573, - msg574, - msg575, - msg576, - msg577, - msg578, - msg579, - msg580, - msg581, - msg582, - msg583, - msg584, - msg585, - msg586, - msg587, - msg588, - msg589, - msg590, - msg591, - msg592, - msg593, -]); - -var part986 = match("MESSAGE#585:00034/0_0", "nwparser.payload", "SCS: Failed %{p0}"); - -var part987 = match("MESSAGE#585:00034/0_1", "nwparser.payload", "Failed %{p0}"); - -var select215 = linear_select([ - part986, - part987, -]); - -var part988 = match("MESSAGE#585:00034/2_0", "nwparser.p0", "bind %{p0}"); - -var part989 = match("MESSAGE#585:00034/2_2", "nwparser.p0", "retrieve %{p0}"); - -var select216 = linear_select([ - part988, - dup201, - part989, -]); - -var select217 = linear_select([ - dup196, - dup103, - dup163, -]); - -var part990 = match("MESSAGE#585:00034/5", "nwparser.p0", "SSH user %{username}. 
(Key ID=%{fld2})"); - -var all203 = all_match({ - processors: [ - select215, - dup103, - select216, - dup202, - select217, - part990, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg594 = msg("00034", all203); - -var part991 = match("MESSAGE#586:00034:01/0_0", "nwparser.payload", "SCS: Incompatible %{p0}"); - -var part992 = match("MESSAGE#586:00034:01/0_1", "nwparser.payload", "Incompatible %{p0}"); - -var select218 = linear_select([ - part991, - part992, -]); - -var part993 = match("MESSAGE#586:00034:01/1", "nwparser.p0", "SSH version %{version->} has been received from %{p0}"); - -var part994 = match("MESSAGE#586:00034:01/2_0", "nwparser.p0", "the SSH %{p0}"); - -var select219 = linear_select([ - part994, - dup241, -]); - -var part995 = match("MESSAGE#586:00034:01/3", "nwparser.p0", "client at %{saddr}:%{sport}"); - -var all204 = all_match({ - processors: [ - select218, - part993, - select219, - part995, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg595 = msg("00034:01", all204); - -var part996 = match("MESSAGE#587:00034:02", "nwparser.payload", "Maximum number of SCS sessions %{fld2->} has been reached. Connection request from SSH user %{username->} at %{saddr}:%{sport->} has been %{disposition}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, -])); - -var msg596 = msg("00034:02", part996); - -var part997 = match("MESSAGE#588:00034:03/1", "nwparser.p0", "device failed to authenticate the SSH client at %{saddr}:%{sport}"); - -var all205 = all_match({ - processors: [ - dup384, - part997, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg597 = msg("00034:03", all205); - -var part998 = match("MESSAGE#589:00034:04", "nwparser.payload", "SCS: NetScreen device failed to generate a PKA RSA challenge for SSH user %{username->} at %{saddr}:%{sport}. 
(Key ID=%{fld2})", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, -])); - -var msg598 = msg("00034:04", part998); - -var part999 = match("MESSAGE#590:00034:05", "nwparser.payload", "NetScreen device failed to generate a PKA RSA challenge for SSH user %{username}. (Key ID=%{fld2})", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, -])); - -var msg599 = msg("00034:05", part999); - -var part1000 = match("MESSAGE#591:00034:06/1", "nwparser.p0", "device failed to %{p0}"); - -var part1001 = match("MESSAGE#591:00034:06/2_0", "nwparser.p0", "identify itself %{p0}"); - -var part1002 = match("MESSAGE#591:00034:06/2_1", "nwparser.p0", "send the identification string %{p0}"); - -var select220 = linear_select([ - part1001, - part1002, -]); - -var part1003 = match("MESSAGE#591:00034:06/3", "nwparser.p0", "to the SSH client at %{saddr}:%{sport}"); - -var all206 = all_match({ - processors: [ - dup384, - part1000, - select220, - part1003, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg600 = msg("00034:06", all206); - -var part1004 = match("MESSAGE#592:00034:07", "nwparser.payload", "SCS connection has been terminated for admin user %{username->} at %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, -])); - -var msg601 = msg("00034:07", part1004); - -var part1005 = match("MESSAGE#593:00034:08", "nwparser.payload", "SCS: SCS has been %{disposition->} for %{username->} with %{fld2->} existing PKA keys already bound to %{fld3->} SSH users.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, -])); - -var msg602 = msg("00034:08", part1005); - -var part1006 = match("MESSAGE#594:00034:09", "nwparser.payload", "SCS has been %{disposition->} for %{username->} with %{fld2->} PKA keys already bound to %{fld3->} SSH users", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, -])); - -var msg603 = msg("00034:09", part1006); - -var part1007 = match("MESSAGE#595:00034:10/2", 
"nwparser.p0", "%{}client at %{saddr->} has attempted to make an SCS connection to %{p0}"); - -var part1008 = match("MESSAGE#595:00034:10/4", "nwparser.p0", "%{interface->} %{p0}"); - -var part1009 = match("MESSAGE#595:00034:10/5_0", "nwparser.p0", "with%{p0}"); - -var part1010 = match("MESSAGE#595:00034:10/5_1", "nwparser.p0", "at%{p0}"); - -var select221 = linear_select([ - part1009, - part1010, -]); - -var part1011 = match("MESSAGE#595:00034:10/6", "nwparser.p0", "%{}IP %{hostip->} but %{disposition->} because %{result}"); - -var all207 = all_match({ - processors: [ - dup244, - dup385, - part1007, - dup352, - part1008, - select221, - part1011, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg604 = msg("00034:10", all207); - -var part1012 = match("MESSAGE#596:00034:12/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has attempted to make an SCS connection to %{p0}"); - -var part1013 = match("MESSAGE#596:00034:12/4", "nwparser.p0", "but %{disposition->} because %{result}"); - -var all208 = all_match({ - processors: [ - dup244, - dup385, - part1012, - dup386, - part1013, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg605 = msg("00034:12", all208); - -var part1014 = match("MESSAGE#597:00034:11/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to %{p0}"); - -var part1015 = match("MESSAGE#597:00034:11/4", "nwparser.p0", "because %{result}"); - -var all209 = all_match({ - processors: [ - dup244, - dup385, - part1014, - dup386, - part1015, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg606 = msg("00034:11", all209); - -var part1016 = match("MESSAGE#598:00034:15", "nwparser.payload", "SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection because %{result}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, -])); - -var msg607 = 
msg("00034:15", part1016); - -var part1017 = match("MESSAGE#599:00034:18/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} cannot log in via SCS to %{service->} using the shared %{interface->} interface because %{result}"); - -var all210 = all_match({ - processors: [ - dup244, - dup387, - part1017, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg608 = msg("00034:18", all210); - -var part1018 = match("MESSAGE#600:00034:20/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has %{disposition->} the PKA RSA challenge"); - -var all211 = all_match({ - processors: [ - dup244, - dup387, - part1018, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg609 = msg("00034:20", all211); - -var part1019 = match("MESSAGE#601:00034:21/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has requested %{p0}"); - -var part1020 = match("MESSAGE#601:00034:21/4", "nwparser.p0", "authentication which is not %{p0}"); - -var part1021 = match("MESSAGE#601:00034:21/5_0", "nwparser.p0", "supported %{p0}"); - -var select222 = linear_select([ - part1021, - dup156, -]); - -var part1022 = match("MESSAGE#601:00034:21/6", "nwparser.p0", "for that %{p0}"); - -var part1023 = match("MESSAGE#601:00034:21/7_0", "nwparser.p0", "client%{}"); - -var part1024 = match("MESSAGE#601:00034:21/7_1", "nwparser.p0", "user%{}"); - -var select223 = linear_select([ - part1023, - part1024, -]); - -var all212 = all_match({ - processors: [ - dup244, - dup387, - part1019, - dup372, - part1020, - select222, - part1022, - select223, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg610 = msg("00034:21", all212); - -var part1025 = match("MESSAGE#602:00034:22", "nwparser.payload", "SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS to vsys %{fld2->} using the shared untrusted interface", processor_chain([ 
- dup240, - dup2, - dup3, - dup4, - dup5, -])); - -var msg611 = msg("00034:22", part1025); - -var part1026 = match("MESSAGE#603:00034:23/1_0", "nwparser.p0", "SCS: Unable %{p0}"); - -var part1027 = match("MESSAGE#603:00034:23/1_1", "nwparser.p0", "Unable %{p0}"); - -var select224 = linear_select([ - part1026, - part1027, -]); - -var part1028 = match("MESSAGE#603:00034:23/2", "nwparser.p0", "to validate cookie from the SSH client at %{saddr}:%{sport}"); - -var all213 = all_match({ - processors: [ - dup160, - select224, - part1028, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg612 = msg("00034:23", all213); - -var part1029 = match("MESSAGE#604:00034:24", "nwparser.payload", "AC %{username->} is advertising URL %{fld2}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, -])); - -var msg613 = msg("00034:24", part1029); - -var part1030 = match("MESSAGE#605:00034:25", "nwparser.payload", "Message from AC %{username}: %{fld2}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, -])); - -var msg614 = msg("00034:25", part1030); - -var part1031 = match("MESSAGE#606:00034:26", "nwparser.payload", "PPPoE Settings changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg615 = msg("00034:26", part1031); - -var part1032 = match("MESSAGE#607:00034:27", "nwparser.payload", "PPPoE is %{disposition->} on %{interface->} interface", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg616 = msg("00034:27", part1032); - -var part1033 = match("MESSAGE#608:00034:28", "nwparser.payload", "PPPoE%{quote}s session closed by AC", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, -])); - -var msg617 = msg("00034:28", part1033); - -var part1034 = match("MESSAGE#609:00034:29", "nwparser.payload", "SCS: Disabled for %{username}. 
Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, -])); - -var msg618 = msg("00034:29", part1034); - -var part1035 = match("MESSAGE#610:00034:30", "nwparser.payload", "SCS: %{disposition->} to remove PKA key removed.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, -])); - -var msg619 = msg("00034:30", part1035); - -var part1036 = match("MESSAGE#611:00034:31", "nwparser.payload", "SCS: %{disposition->} to retrieve host key", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, -])); - -var msg620 = msg("00034:31", part1036); - -var part1037 = match("MESSAGE#612:00034:32", "nwparser.payload", "SCS: %{disposition->} to send identification string to client host at %{saddr}:%{sport}.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, -])); - -var msg621 = msg("00034:32", part1037); - -var part1038 = match("MESSAGE#613:00034:33", "nwparser.payload", "SCS: Max %{fld2->} sessions reached unabel to accept connection : %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, -])); - -var msg622 = msg("00034:33", part1038); - -var part1039 = match("MESSAGE#614:00034:34", "nwparser.payload", "SCS: Maximum number for SCS sessions %{fld2->} has been reached. 
Connection request from SSH user at %{saddr}:%{sport->} has been %{disposition}.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, -])); - -var msg623 = msg("00034:34", part1039); - -var part1040 = match("MESSAGE#615:00034:35", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS to %{service->} using the shared untrusted interface because SCS is disabled on that interface.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, -])); - -var msg624 = msg("00034:35", part1040); - -var part1041 = match("MESSAGE#616:00034:36", "nwparser.payload", "SCS: Unsupported cipher type %{fld2->} requested from: %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, -])); - -var msg625 = msg("00034:36", part1041); - -var part1042 = match("MESSAGE#617:00034:37", "nwparser.payload", "The Point-to-Point Protocol over Ethernet (PPPoE) protocol settings changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg626 = msg("00034:37", part1042); - -var part1043 = match("MESSAGE#618:00034:38", "nwparser.payload", "SSH: %{disposition->} to retreive PKA key bound to SSH user %{username->} (Key ID %{fld2})", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, -])); - -var msg627 = msg("00034:38", part1043); - -var part1044 = match("MESSAGE#619:00034:39", "nwparser.payload", "SSH: Error processing packet from host %{saddr->} (Code %{fld2})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg628 = msg("00034:39", part1044); - -var part1045 = match("MESSAGE#620:00034:40", "nwparser.payload", "SSH: Device failed to send initialization string to client at %{saddr}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg629 = msg("00034:40", part1045); - -var part1046 = match("MESSAGE#621:00034:41/0", "nwparser.payload", "SCP: Admin user '%{administrator}' attempted to transfer file %{p0}"); - -var part1047 
= match("MESSAGE#621:00034:41/2", "nwparser.p0", "the device with insufficient privilege.%{}"); - -var all214 = all_match({ - processors: [ - part1046, - dup373, - part1047, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg630 = msg("00034:41", all214); - -var part1048 = match("MESSAGE#622:00034:42", "nwparser.payload", "SSH: Maximum number of SSH sessions (%{fld2}) exceeded. Connection request from SSH user %{username->} at %{saddr->} denied.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, -])); - -var msg631 = msg("00034:42", part1048); - -var part1049 = match("MESSAGE#623:00034:43", "nwparser.payload", "Ethernet driver ran out of rx bd (port %{network_port})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg632 = msg("00034:43", part1049); - -var part1050 = match("MESSAGE#1224:00034:44", "nwparser.payload", "Potential replay attack detected on SSH connection initiated from %{saddr}:%{sport->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, -])); - -var msg633 = msg("00034:44", part1050); - -var select225 = linear_select([ - msg594, - msg595, - msg596, - msg597, - msg598, - msg599, - msg600, - msg601, - msg602, - msg603, - msg604, - msg605, - msg606, - msg607, - msg608, - msg609, - msg610, - msg611, - msg612, - msg613, - msg614, - msg615, - msg616, - msg617, - msg618, - msg619, - msg620, - msg621, - msg622, - msg623, - msg624, - msg625, - msg626, - msg627, - msg628, - msg629, - msg630, - msg631, - msg632, - msg633, -]); - -var part1051 = match("MESSAGE#624:00035", "nwparser.payload", "PKI Verify Error: %{resultcode}:%{result}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, -])); - -var msg634 = msg("00035", part1051); - -var part1052 = match("MESSAGE#625:00035:01", "nwparser.payload", "SSL - Error MessageID in incoming mail - %{fld2}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, -])); - -var msg635 = msg("00035:01", 
part1052); - -var part1053 = match("MESSAGE#626:00035:02", "nwparser.payload", "SSL - cipher type %{fld2->} is not allowed in export or firewall only system", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, -])); - -var msg636 = msg("00035:02", part1053); - -var part1054 = match("MESSAGE#627:00035:03", "nwparser.payload", "SSL CA changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg637 = msg("00035:03", part1054); - -var part1055 = match("MESSAGE#628:00035:04/0", "nwparser.payload", "SSL Error when retrieve local c%{p0}"); - -var part1056 = match("MESSAGE#628:00035:04/1_0", "nwparser.p0", "a(verify) %{p0}"); - -var part1057 = match("MESSAGE#628:00035:04/1_1", "nwparser.p0", "ert(verify) %{p0}"); - -var part1058 = match("MESSAGE#628:00035:04/1_2", "nwparser.p0", "ert(all) %{p0}"); - -var select226 = linear_select([ - part1056, - part1057, - part1058, -]); - -var part1059 = match("MESSAGE#628:00035:04/2", "nwparser.p0", ": %{fld2}"); - -var all215 = all_match({ - processors: [ - part1055, - select226, - part1059, - ], - on_success: processor_chain([ - dup117, - dup2, - dup4, - dup5, - dup3, - ]), -}); - -var msg638 = msg("00035:04", all215); - -var part1060 = match("MESSAGE#629:00035:05", "nwparser.payload", "SSL No ssl context. 
Not ready for connections.%{}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, -])); - -var msg639 = msg("00035:05", part1060); - -var part1061 = match("MESSAGE#630:00035:06/0", "nwparser.payload", "SSL c%{p0}"); - -var part1062 = match("MESSAGE#630:00035:06/2", "nwparser.p0", "changed to none%{}"); - -var all216 = all_match({ - processors: [ - part1061, - dup388, - part1062, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg640 = msg("00035:06", all216); - -var part1063 = match("MESSAGE#631:00035:07", "nwparser.payload", "SSL cert subject mismatch: %{fld2->} recieved %{fld3->} is expected", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg641 = msg("00035:07", part1063); - -var part1064 = match("MESSAGE#632:00035:08", "nwparser.payload", "SSL certificate changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg642 = msg("00035:08", part1064); - -var part1065 = match("MESSAGE#633:00035:09/1_0", "nwparser.p0", "enabled%{}"); - -var select227 = linear_select([ - part1065, - dup92, -]); - -var all217 = all_match({ - processors: [ - dup253, - select227, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg643 = msg("00035:09", all217); - -var part1066 = match("MESSAGE#634:00035:10/0", "nwparser.payload", "SSL memory allocation fails in process_c%{p0}"); - -var part1067 = match("MESSAGE#634:00035:10/1_0", "nwparser.p0", "a()%{}"); - -var part1068 = match("MESSAGE#634:00035:10/1_1", "nwparser.p0", "ert()%{}"); - -var select228 = linear_select([ - part1067, - part1068, -]); - -var all218 = all_match({ - processors: [ - part1066, - select228, - ], - on_success: processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg644 = msg("00035:10", all218); - -var part1069 = match("MESSAGE#635:00035:11/0", "nwparser.payload", "SSL no ssl c%{p0}"); - -var part1070 = match("MESSAGE#635:00035:11/1_0", 
"nwparser.p0", "a%{}"); - -var part1071 = match("MESSAGE#635:00035:11/1_1", "nwparser.p0", "ert%{}"); - -var select229 = linear_select([ - part1070, - part1071, -]); - -var all219 = all_match({ - processors: [ - part1069, - select229, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg645 = msg("00035:11", all219); - -var part1072 = match("MESSAGE#636:00035:12/0", "nwparser.payload", "SSL set c%{p0}"); - -var part1073 = match("MESSAGE#636:00035:12/2", "nwparser.p0", "id is invalid %{fld2}"); - -var all220 = all_match({ - processors: [ - part1072, - dup388, - part1073, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg646 = msg("00035:12", all220); - -var part1074 = match("MESSAGE#637:00035:13/1_1", "nwparser.p0", "verify %{p0}"); - -var select230 = linear_select([ - dup101, - part1074, -]); - -var part1075 = match("MESSAGE#637:00035:13/2", "nwparser.p0", "cert failed. Key type is not RSA%{}"); - -var all221 = all_match({ - processors: [ - dup253, - select230, - part1075, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg647 = msg("00035:13", all221); - -var part1076 = match("MESSAGE#638:00035:14", "nwparser.payload", "SSL ssl context init failed%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg648 = msg("00035:14", part1076); - -var part1077 = match("MESSAGE#639:00035:15/0", "nwparser.payload", "%{change_attribute->} has been changed %{p0}"); - -var part1078 = match("MESSAGE#639:00035:15/1_0", "nwparser.p0", "from %{change_old->} to %{change_new}"); - -var part1079 = match("MESSAGE#639:00035:15/1_1", "nwparser.p0", "to %{fld2}"); - -var select231 = linear_select([ - part1078, - part1079, -]); - -var all222 = all_match({ - processors: [ - part1077, - select231, - ], - on_success: processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg649 = msg("00035:15", all222); - 
-var part1080 = match("MESSAGE#640:00035:16", "nwparser.payload", "web SSL certificate changed to by %{username->} via web from host %{saddr->} to %{daddr}:%{dport->} %{fld5}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg650 = msg("00035:16", part1080); - -var select232 = linear_select([ - msg634, - msg635, - msg636, - msg637, - msg638, - msg639, - msg640, - msg641, - msg642, - msg643, - msg644, - msg645, - msg646, - msg647, - msg648, - msg649, - msg650, -]); - -var part1081 = match("MESSAGE#641:00036", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key%{}", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, -])); - -var msg651 = msg("00036", part1081); - -var part1082 = match("MESSAGE#642:00036:01/0", "nwparser.payload", "%{fld2->} license keys were updated successfully by %{p0}"); - -var part1083 = match("MESSAGE#642:00036:01/1_1", "nwparser.p0", "manual %{p0}"); - -var select233 = linear_select([ - dup214, - part1083, -]); - -var part1084 = match("MESSAGE#642:00036:01/2", "nwparser.p0", "retrieval%{}"); - -var all223 = all_match({ - processors: [ - part1082, - select233, - part1084, - ], - on_success: processor_chain([ - dup254, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg652 = msg("00036:01", all223); - -var select234 = linear_select([ - msg651, - msg652, -]); - -var part1085 = match("MESSAGE#643:00037/0", "nwparser.payload", "Intra-zone block for zone %{zone->} was set to o%{p0}"); - -var part1086 = match("MESSAGE#643:00037/1_0", "nwparser.p0", "n%{}"); - -var part1087 = match("MESSAGE#643:00037/1_1", "nwparser.p0", "ff%{}"); - -var select235 = linear_select([ - part1086, - part1087, -]); - -var all224 = all_match({ - processors: [ - part1085, - select235, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg653 = msg("00037", all224); - -var part1088 = match("MESSAGE#644:00037:01/0", "nwparser.payload", "New zone %{zone->} ( 
%{p0}"); - -var select236 = linear_select([ - dup255, - dup256, -]); - -var part1089 = match("MESSAGE#644:00037:01/2", "nwparser.p0", "%{fld2}) was created.%{p0}"); - -var all225 = all_match({ - processors: [ - part1088, - select236, - part1089, - dup351, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg654 = msg("00037:01", all225); - -var part1090 = match("MESSAGE#645:00037:02", "nwparser.payload", "Tunnel zone %{src_zone->} was bound to out zone %{dst_zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg655 = msg("00037:02", part1090); - -var part1091 = match("MESSAGE#646:00037:03/1_0", "nwparser.p0", "was was %{p0}"); - -var part1092 = match("MESSAGE#646:00037:03/1_1", "nwparser.p0", "%{zone->} was %{p0}"); - -var select237 = linear_select([ - part1091, - part1092, -]); - -var part1093 = match("MESSAGE#646:00037:03/3", "nwparser.p0", "virtual router %{p0}"); - -var part1094 = match("MESSAGE#646:00037:03/4_0", "nwparser.p0", "%{node->} (%{fld1})"); - -var part1095 = match("MESSAGE#646:00037:03/4_1", "nwparser.p0", "%{node}."); - -var select238 = linear_select([ - part1094, - part1095, -]); - -var all226 = all_match({ - processors: [ - dup113, - select237, - dup371, - part1093, - select238, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg656 = msg("00037:03", all226); - -var part1096 = match("MESSAGE#647:00037:04", "nwparser.payload", "Zone %{zone->} was changed to non-shared.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg657 = msg("00037:04", part1096); - -var part1097 = match("MESSAGE#648:00037:05/0", "nwparser.payload", "Zone %{zone->} ( %{p0}"); - -var select239 = linear_select([ - dup256, - dup255, -]); - -var part1098 = match("MESSAGE#648:00037:05/2", "nwparser.p0", "%{fld2}) was deleted. 
%{p0}"); - -var part1099 = match_copy("MESSAGE#648:00037:05/3_1", "nwparser.p0", "space"); - -var select240 = linear_select([ - dup10, - part1099, -]); - -var all227 = all_match({ - processors: [ - part1097, - select239, - part1098, - select240, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg658 = msg("00037:05", all227); - -var part1100 = match("MESSAGE#649:00037:06", "nwparser.payload", "IP/TCP reassembly for ALG was %{disposition->} on zone %{zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg659 = msg("00037:06", part1100); - -var select241 = linear_select([ - msg653, - msg654, - msg655, - msg656, - msg657, - msg658, - msg659, -]); - -var part1101 = match("MESSAGE#650:00038/0", "nwparser.payload", "OSPF routing instance in vrouter %{p0}"); - -var part1102 = match("MESSAGE#650:00038/1_0", "nwparser.p0", "%{node->} is %{p0}"); - -var part1103 = match("MESSAGE#650:00038/1_1", "nwparser.p0", "%{node->} %{p0}"); - -var select242 = linear_select([ - part1102, - part1103, -]); - -var all228 = all_match({ - processors: [ - part1101, - select242, - dup36, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg660 = msg("00038", all228); - -var part1104 = match("MESSAGE#651:00039", "nwparser.payload", "BGP instance name created for vr %{node}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg661 = msg("00039", part1104); - -var part1105 = match("MESSAGE#652:00040/0_0", "nwparser.payload", "Low watermark%{p0}"); - -var part1106 = match("MESSAGE#652:00040/0_1", "nwparser.payload", "High watermark%{p0}"); - -var select243 = linear_select([ - part1105, - part1106, -]); - -var part1107 = match("MESSAGE#652:00040/1", "nwparser.p0", "%{}for early aging has been changed to the default %{fld2}"); - -var all229 = all_match({ - processors: [ - select243, - part1107, - ], - on_success: processor_chain([ - dup1, - dup2, - 
dup3, - dup4, - dup5, - ]), -}); - -var msg662 = msg("00040", all229); - -var part1108 = match("MESSAGE#653:00040:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg663 = msg("00040:01", part1108); - -var select244 = linear_select([ - msg662, - msg663, -]); - -var part1109 = match("MESSAGE#654:00041", "nwparser.payload", "A route-map name in virtual router %{node->} has been removed", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg664 = msg("00041", part1109); - -var part1110 = match("MESSAGE#655:00041:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg665 = msg("00041:01", part1110); - -var select245 = linear_select([ - msg664, - msg665, -]); - -var part1111 = match("MESSAGE#656:00042", "nwparser.payload", "Replay packet detected on IPSec tunnel on %{interface->} with tunnel ID %{fld2}! From %{saddr->} to %{daddr}/%{dport}, %{info->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg666 = msg("00042", part1111); - -var part1112 = match("MESSAGE#657:00042:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup9, - dup4, - dup5, - dup60, -])); - -var msg667 = msg("00042:01", part1112); - -var select246 = linear_select([ - msg666, - msg667, -]); - -var part1113 = match("MESSAGE#658:00043", "nwparser.payload", "Receive StopCCN_msg, remove l2tp tunnel (%{fld2}-%{fld3}), Result code %{resultcode->} (%{result}). 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg668 = msg("00043", part1113); - -var part1114 = match("MESSAGE#659:00044/0", "nwparser.payload", "access list %{listnum->} sequence number %{fld3->} %{p0}"); - -var part1115 = match("MESSAGE#659:00044/1_1", "nwparser.p0", "deny %{p0}"); - -var select247 = linear_select([ - dup257, - part1115, -]); - -var part1116 = match("MESSAGE#659:00044/2", "nwparser.p0", "ip %{hostip}/%{mask->} %{disposition->} in vrouter %{node}"); - -var all230 = all_match({ - processors: [ - part1114, - select247, - part1116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg669 = msg("00044", all230); - -var part1117 = match("MESSAGE#660:00044:01", "nwparser.payload", "access list %{listnum->} %{disposition->} in vrouter %{node}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg670 = msg("00044:01", part1117); - -var select248 = linear_select([ - msg669, - msg670, -]); - -var part1118 = match("MESSAGE#661:00045", "nwparser.payload", "RIP instance in virtual router %{node->} was %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg671 = msg("00045", part1118); - -var part1119 = match("MESSAGE#662:00047/1_0", "nwparser.p0", "remove %{p0}"); - -var part1120 = match("MESSAGE#662:00047/1_1", "nwparser.p0", "add %{p0}"); - -var select249 = linear_select([ - part1119, - part1120, -]); - -var part1121 = match("MESSAGE#662:00047/2", "nwparser.p0", "multicast policy from %{src_zone->} %{fld4->} to %{dst_zone->} %{fld3->} (%{fld1})"); - -var all231 = all_match({ - processors: [ - dup183, - select249, - part1121, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg672 = msg("00047", all231); - -var part1122 = match("MESSAGE#663:00048/0", "nwparser.payload", "Access list entry %{listnum->} with %{p0}"); - -var part1123 = 
match("MESSAGE#663:00048/1_0", "nwparser.p0", "a sequence %{p0}"); - -var part1124 = match("MESSAGE#663:00048/1_1", "nwparser.p0", "sequence %{p0}"); - -var select250 = linear_select([ - part1123, - part1124, -]); - -var part1125 = match("MESSAGE#663:00048/2", "nwparser.p0", "number %{fld2->} %{p0}"); - -var part1126 = match("MESSAGE#663:00048/3_0", "nwparser.p0", "with an action of %{p0}"); - -var select251 = linear_select([ - part1126, - dup112, -]); - -var part1127 = match("MESSAGE#663:00048/5_0", "nwparser.p0", "with an IP %{p0}"); - -var select252 = linear_select([ - part1127, - dup139, -]); - -var part1128 = match("MESSAGE#663:00048/6", "nwparser.p0", "address %{p0}"); - -var part1129 = match("MESSAGE#663:00048/7_0", "nwparser.p0", "and subnetwork mask of %{p0}"); - -var select253 = linear_select([ - part1129, - dup16, -]); - -var part1130 = match("MESSAGE#663:00048/8", "nwparser.p0", "%{} %{fld3}was %{p0}"); - -var part1131 = match("MESSAGE#663:00048/9_0", "nwparser.p0", "created on %{p0}"); - -var select254 = linear_select([ - part1131, - dup129, -]); - -var part1132 = match("MESSAGE#663:00048/10", "nwparser.p0", "virtual router %{node->} (%{fld1})"); - -var all232 = all_match({ - processors: [ - part1122, - select250, - part1125, - select251, - dup257, - select252, - part1128, - select253, - part1130, - select254, - part1132, - ], - on_success: processor_chain([ - setc("eventcategory","1501000000"), - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg673 = msg("00048", all232); - -var part1133 = match("MESSAGE#664:00048:01/0", "nwparser.payload", "Route %{p0}"); - -var part1134 = match("MESSAGE#664:00048:01/1_0", "nwparser.p0", "map entry %{p0}"); - -var part1135 = match("MESSAGE#664:00048:01/1_1", "nwparser.p0", "entry %{p0}"); - -var select255 = linear_select([ - part1134, - part1135, -]); - -var part1136 = match("MESSAGE#664:00048:01/2", "nwparser.p0", "with sequence number %{fld2->} in route map binck-ospf%{p0}"); - -var part1137 = 
match("MESSAGE#664:00048:01/3_0", "nwparser.p0", " in %{p0}"); - -var select256 = linear_select([ - part1137, - dup105, -]); - -var part1138 = match("MESSAGE#664:00048:01/4", "nwparser.p0", "virtual router %{node->} was %{disposition->} (%{fld1})"); - -var all233 = all_match({ - processors: [ - part1133, - select255, - part1136, - select256, - part1138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg674 = msg("00048:01", all233); - -var part1139 = match("MESSAGE#665:00048:02", "nwparser.payload", "%{space}set match interface %{interface->} (%{fld1})", processor_chain([ - dup209, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg675 = msg("00048:02", part1139); - -var select257 = linear_select([ - msg673, - msg674, - msg675, -]); - -var part1140 = match("MESSAGE#666:00049", "nwparser.payload", "Route-lookup preference changed to %{fld8->} (%{fld2}) => %{fld3->} (%{fld4}) => %{fld5->} (%{fld6}) in virtual router (%{node})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg676 = msg("00049", part1140); - -var part1141 = match("MESSAGE#667:00049:01", "nwparser.payload", "SIBR routing %{disposition->} in virtual router %{node}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg677 = msg("00049:01", part1141); - -var part1142 = match("MESSAGE#668:00049:02", "nwparser.payload", "A virtual router with name %{node->} and ID %{fld2->} has been removed", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg678 = msg("00049:02", part1142); - -var part1143 = match("MESSAGE#669:00049:03", "nwparser.payload", "The router-id of virtual router \"%{node}\" used by OSPF, BGP routing instances id has been uninitialized. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg679 = msg("00049:03", part1143); - -var part1144 = match("MESSAGE#670:00049:04", "nwparser.payload", "The system default-route through virtual router \"%{node}\" has been added in virtual router \"%{fld4}\" (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg680 = msg("00049:04", part1144); - -var part1145 = match("MESSAGE#671:00049:05", "nwparser.payload", "Subnetwork conflict checking for interfaces in virtual router (%{node}) has been enabled. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg681 = msg("00049:05", part1145); - -var select258 = linear_select([ - msg676, - msg677, - msg678, - msg679, - msg680, - msg681, -]); - -var part1146 = match("MESSAGE#672:00050", "nwparser.payload", "Track IP enabled (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg682 = msg("00050", part1146); - -var part1147 = match("MESSAGE#673:00051", "nwparser.payload", "Session utilization has reached %{fld2}, which is %{fld3->} of the system capacity!", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, -])); - -var msg683 = msg("00051", part1147); - -var part1148 = match("MESSAGE#674:00052", "nwparser.payload", "AV: Suspicious client %{saddr}:%{sport}->%{daddr}:%{dport->} used %{fld2->} percent of AV resources, which exceeded the max of %{fld3->} percent.", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, -])); - -var msg684 = msg("00052", part1148); - -var part1149 = match("MESSAGE#675:00055/1_1", "nwparser.p0", "router %{p0}"); - -var select259 = linear_select([ - dup169, - part1149, -]); - -var part1150 = match("MESSAGE#675:00055/2", "nwparser.p0", "instance was %{disposition->} on interface %{interface}."); - -var all234 = all_match({ - processors: [ - dup258, - select259, - part1150, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - 
]), -}); - -var msg685 = msg("00055", all234); - -var part1151 = match("MESSAGE#676:00055:01/1_0", "nwparser.p0", "proxy %{p0}"); - -var part1152 = match("MESSAGE#676:00055:01/1_1", "nwparser.p0", "function %{p0}"); - -var select260 = linear_select([ - part1151, - part1152, -]); - -var part1153 = match("MESSAGE#676:00055:01/2", "nwparser.p0", "was %{disposition->} on interface %{interface}."); - -var all235 = all_match({ - processors: [ - dup258, - select260, - part1153, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg686 = msg("00055:01", all235); - -var part1154 = match("MESSAGE#677:00055:02/2", "nwparser.p0", "same subnet check on interface %{interface}."); - -var all236 = all_match({ - processors: [ - dup259, - dup389, - part1154, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg687 = msg("00055:02", all236); - -var part1155 = match("MESSAGE#678:00055:03/2", "nwparser.p0", "router alert IP option check on interface %{interface}."); - -var all237 = all_match({ - processors: [ - dup259, - dup389, - part1155, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg688 = msg("00055:03", all237); - -var part1156 = match("MESSAGE#679:00055:04", "nwparser.payload", "IGMP version was changed to %{version->} on interface %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg689 = msg("00055:04", part1156); - -var part1157 = match("MESSAGE#680:00055:05/0", "nwparser.payload", "IGMP query %{p0}"); - -var part1158 = match("MESSAGE#680:00055:05/1_1", "nwparser.p0", "max response time %{p0}"); - -var select261 = linear_select([ - dup110, - part1158, -]); - -var part1159 = match("MESSAGE#680:00055:05/2", "nwparser.p0", "was changed to %{fld2->} on interface %{interface}"); - -var all238 = all_match({ - processors: [ - part1157, - select261, - part1159, - ], - on_success: processor_chain([ - dup1, - 
dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg690 = msg("00055:05", all238); - -var part1160 = match("MESSAGE#681:00055:06/0", "nwparser.payload", "IGMP l%{p0}"); - -var part1161 = match("MESSAGE#681:00055:06/1_0", "nwparser.p0", "eave %{p0}"); - -var part1162 = match("MESSAGE#681:00055:06/1_1", "nwparser.p0", "ast member query %{p0}"); - -var select262 = linear_select([ - part1161, - part1162, -]); - -var part1163 = match("MESSAGE#681:00055:06/2", "nwparser.p0", "interval was changed to %{fld2->} on interface %{interface}."); - -var all239 = all_match({ - processors: [ - part1160, - select262, - part1163, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg691 = msg("00055:06", all239); - -var part1164 = match("MESSAGE#682:00055:07/1_0", "nwparser.p0", "routers %{p0}"); - -var part1165 = match("MESSAGE#682:00055:07/1_1", "nwparser.p0", "hosts %{p0}"); - -var part1166 = match("MESSAGE#682:00055:07/1_2", "nwparser.p0", "groups %{p0}"); - -var select263 = linear_select([ - part1164, - part1165, - part1166, -]); - -var part1167 = match("MESSAGE#682:00055:07/2", "nwparser.p0", "accept list ID was changed to %{fld2->} on interface %{interface}."); - -var all240 = all_match({ - processors: [ - dup258, - select263, - part1167, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg692 = msg("00055:07", all240); - -var part1168 = match("MESSAGE#683:00055:08/1_0", "nwparser.p0", "all groups %{p0}"); - -var part1169 = match("MESSAGE#683:00055:08/1_1", "nwparser.p0", "group %{p0}"); - -var select264 = linear_select([ - part1168, - part1169, -]); - -var part1170 = match("MESSAGE#683:00055:08/2", "nwparser.p0", "%{group->} static flag was %{disposition->} on interface %{interface}."); - -var all241 = all_match({ - processors: [ - dup258, - select264, - part1170, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg693 = msg("00055:08", 
all241); - -var part1171 = match("MESSAGE#684:00055:09", "nwparser.payload", "IGMP static group %{group->} was added on interface %{interface}", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, -])); - -var msg694 = msg("00055:09", part1171); - -var part1172 = match("MESSAGE#685:00055:10", "nwparser.payload", "IGMP proxy always is %{disposition->} on interface %{interface}.", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, -])); - -var msg695 = msg("00055:10", part1172); - -var select265 = linear_select([ - msg685, - msg686, - msg687, - msg688, - msg689, - msg690, - msg691, - msg692, - msg693, - msg694, - msg695, -]); - -var part1173 = match("MESSAGE#686:00056", "nwparser.payload", "Remove multicast policy from %{src_zone->} %{saddr->} to %{dst_zone->} %{daddr}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg696 = msg("00056", part1173); - -var part1174 = match("MESSAGE#687:00057", "nwparser.payload", "%{fld2}: static multicast route src=%{saddr}, grp=%{group->} input ifp = %{sinterface->} output ifp = %{dinterface->} added", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg697 = msg("00057", part1174); - -var part1175 = match("MESSAGE#688:00058", "nwparser.payload", "PIMSM protocol configured on interface %{interface}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg698 = msg("00058", part1175); - -var part1176 = match("MESSAGE#689:00059/0", "nwparser.payload", "DDNS module is %{p0}"); - -var part1177 = match("MESSAGE#689:00059/1_0", "nwparser.p0", "initialized %{p0}"); - -var select266 = linear_select([ - part1177, - dup262, - dup157, - dup156, -]); - -var all242 = all_match({ - processors: [ - part1176, - select266, - dup116, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg699 = msg("00059", all242); - -var part1178 = match("MESSAGE#690:00059:02/0", "nwparser.payload", "DDNS entry with id %{fld2->} is 
configured with server type \"%{fld3}\" name \"%{hostname}\" refresh-interval %{fld5->} hours minimum update interval %{fld6->} minutes with %{p0}"); - -var part1179 = match("MESSAGE#690:00059:02/1_0", "nwparser.p0", "secure %{p0}"); - -var part1180 = match("MESSAGE#690:00059:02/1_1", "nwparser.p0", "clear-text %{p0}"); - -var select267 = linear_select([ - part1179, - part1180, -]); - -var part1181 = match("MESSAGE#690:00059:02/2", "nwparser.p0", "secure connection.%{}"); - -var all243 = all_match({ - processors: [ - part1178, - select267, - part1181, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg700 = msg("00059:02", all243); - -var part1182 = match("MESSAGE#691:00059:03", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with user name \"%{username}\" agent \"%{fld3}\"", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, -])); - -var msg701 = msg("00059:03", part1182); - -var part1183 = match("MESSAGE#692:00059:04", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with interface \"%{interface}\" host-name \"%{hostname}\"", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, -])); - -var msg702 = msg("00059:04", part1183); - -var part1184 = match("MESSAGE#693:00059:05/0_0", "nwparser.payload", "Hostname %{p0}"); - -var part1185 = match("MESSAGE#693:00059:05/0_1", "nwparser.payload", "Source interface %{p0}"); - -var part1186 = match("MESSAGE#693:00059:05/0_2", "nwparser.payload", "Username and password %{p0}"); - -var part1187 = match("MESSAGE#693:00059:05/0_3", "nwparser.payload", "Server %{p0}"); - -var select268 = linear_select([ - part1184, - part1185, - part1186, - part1187, -]); - -var part1188 = match("MESSAGE#693:00059:05/1", "nwparser.p0", "of DDNS entry with id %{fld2->} is cleared."); - -var all244 = all_match({ - processors: [ - select268, - part1188, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg703 
= msg("00059:05", all244); - -var part1189 = match("MESSAGE#694:00059:06", "nwparser.payload", "Agent of DDNS entry with id %{fld2->} is reset to its default value.", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, -])); - -var msg704 = msg("00059:06", part1189); - -var part1190 = match("MESSAGE#695:00059:07", "nwparser.payload", "Updates for DDNS entry with id %{fld2->} are set to be sent in secure (%{protocol}) mode.", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, -])); - -var msg705 = msg("00059:07", part1190); - -var part1191 = match("MESSAGE#696:00059:08/0_0", "nwparser.payload", "Refresh %{p0}"); - -var part1192 = match("MESSAGE#696:00059:08/0_1", "nwparser.payload", "Minimum update %{p0}"); - -var select269 = linear_select([ - part1191, - part1192, -]); - -var part1193 = match("MESSAGE#696:00059:08/1", "nwparser.p0", "interval of DDNS entry with id %{fld2->} is set to default value (%{fld3})."); - -var all245 = all_match({ - processors: [ - select269, - part1193, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg706 = msg("00059:08", all245); - -var part1194 = match("MESSAGE#697:00059:09/1_0", "nwparser.p0", "No-Change %{p0}"); - -var part1195 = match("MESSAGE#697:00059:09/1_1", "nwparser.p0", "Error %{p0}"); - -var select270 = linear_select([ - part1194, - part1195, -]); - -var part1196 = match("MESSAGE#697:00059:09/2", "nwparser.p0", "response received for DDNS entry update for id %{fld2->} user \"%{username}\" domain \"%{domain}\" server type \" d%{p0}"); - -var part1197 = match("MESSAGE#697:00059:09/3_1", "nwparser.p0", "yndns %{p0}"); - -var select271 = linear_select([ - dup261, - part1197, -]); - -var part1198 = match("MESSAGE#697:00059:09/4", "nwparser.p0", "\", server name \"%{hostname}\""); - -var all246 = all_match({ - processors: [ - dup160, - select270, - part1196, - select271, - part1198, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - 
]), -}); - -var msg707 = msg("00059:09", all246); - -var part1199 = match("MESSAGE#698:00059:01", "nwparser.payload", "DDNS entry with id %{fld2->} is %{disposition}.", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, -])); - -var msg708 = msg("00059:01", part1199); - -var select272 = linear_select([ - msg699, - msg700, - msg701, - msg702, - msg703, - msg704, - msg705, - msg706, - msg707, - msg708, -]); - -var part1200 = match("MESSAGE#699:00062:01", "nwparser.payload", "Track IP IP address %{hostip->} failed. (%{event_time_string})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Track IP failed"), -])); - -var msg709 = msg("00062:01", part1200); - -var part1201 = match("MESSAGE#700:00062:02", "nwparser.payload", "Track IP failure reached threshold. (%{event_time_string})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Track IP failure reached threshold"), -])); - -var msg710 = msg("00062:02", part1201); - -var part1202 = match("MESSAGE#701:00062:03", "nwparser.payload", "Track IP IP address %{hostip->} succeeded. 
(%{event_time_string})", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Track IP succeeded"), -])); - -var msg711 = msg("00062:03", part1202); - -var part1203 = match("MESSAGE#702:00062", "nwparser.payload", "HA linkdown%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, -])); - -var msg712 = msg("00062", part1203); - -var select273 = linear_select([ - msg709, - msg710, - msg711, - msg712, -]); - -var part1204 = match("MESSAGE#703:00063", "nwparser.payload", "nsrp track-ip ip %{hostip->} %{disposition}!", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, -])); - -var msg713 = msg("00063", part1204); - -var part1205 = match("MESSAGE#704:00064", "nwparser.payload", "Can not create track-ip list%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, -])); - -var msg714 = msg("00064", part1205); - -var part1206 = match("MESSAGE#705:00064:01", "nwparser.payload", "track ip fail reaches threshold system may fail over!%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, -])); - -var msg715 = msg("00064:01", part1206); - -var part1207 = match("MESSAGE#706:00064:02", "nwparser.payload", "Anti-Spam is detached from policy ID %{policy_id}. (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg716 = msg("00064:02", part1207); - -var select274 = linear_select([ - msg714, - msg715, - msg716, -]); - -var msg717 = msg("00070", dup411); - -var part1208 = match("MESSAGE#708:00070:01/2", "nwparser.p0", "%{}Device group %{group->} changed state from %{fld3->} to %{p0}"); - -var part1209 = match("MESSAGE#708:00070:01/3_0", "nwparser.p0", "Init%{}"); - -var part1210 = match("MESSAGE#708:00070:01/3_1", "nwparser.p0", "init. 
(%{fld1})"); - -var select275 = linear_select([ - part1209, - part1210, -]); - -var all247 = all_match({ - processors: [ - dup267, - dup391, - part1208, - select275, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg718 = msg("00070:01", all247); - -var part1211 = match("MESSAGE#709:00070:02", "nwparser.payload", "NSRP: nsrp control channel change to %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg719 = msg("00070:02", part1211); - -var select276 = linear_select([ - msg717, - msg718, - msg719, -]); - -var msg720 = msg("00071", dup411); - -var part1212 = match("MESSAGE#711:00071:01", "nwparser.payload", "The local device %{fld1->} in the Virtual Security Device group %{group->} changed state", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg721 = msg("00071:01", part1212); - -var select277 = linear_select([ - msg720, - msg721, -]); - -var msg722 = msg("00072", dup411); - -var msg723 = msg("00072:01", dup412); - -var select278 = linear_select([ - msg722, - msg723, -]); - -var msg724 = msg("00073", dup411); - -var msg725 = msg("00073:01", dup412); - -var select279 = linear_select([ - msg724, - msg725, -]); - -var msg726 = msg("00074", dup392); - -var all248 = all_match({ - processors: [ - dup263, - dup390, - dup271, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg727 = msg("00075", all248); - -var part1213 = match("MESSAGE#718:00075:02", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} changed state from %{event_state->} to inoperable. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("event_description","local device in the Virtual Security Device group changed state to inoperable"), -])); - -var msg728 = msg("00075:02", part1213); - -var part1214 = match("MESSAGE#719:00075:01", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg729 = msg("00075:01", part1214); - -var select280 = linear_select([ - msg727, - msg728, - msg729, -]); - -var msg730 = msg("00076", dup392); - -var part1215 = match("MESSAGE#721:00076:01/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} send 2nd path request to unit=%{fld3}"); - -var all249 = all_match({ - processors: [ - dup263, - dup390, - part1215, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg731 = msg("00076:01", all249); - -var select281 = linear_select([ - msg730, - msg731, -]); - -var part1216 = match("MESSAGE#722:00077", "nwparser.payload", "HA link disconnect. 
Begin to use second path of HA%{}", processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, -])); - -var msg732 = msg("00077", part1216); - -var all250 = all_match({ - processors: [ - dup263, - dup390, - dup271, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg733 = msg("00077:01", all250); - -var part1217 = match("MESSAGE#724:00077:02", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group}", processor_chain([ - setc("eventcategory","1607000000"), - dup2, - dup3, - dup4, - dup5, -])); - -var msg734 = msg("00077:02", part1217); - -var select282 = linear_select([ - msg732, - msg733, - msg734, -]); - -var part1218 = match("MESSAGE#725:00084", "nwparser.payload", "RTSYNC: NSRP route synchronization is %{disposition}", processor_chain([ - dup272, - dup2, - dup3, - dup4, - dup5, -])); - -var msg735 = msg("00084", part1218); - -var part1219 = match("MESSAGE#726:00090/0_0", "nwparser.payload", "Failover %{p0}"); - -var part1220 = match("MESSAGE#726:00090/0_1", "nwparser.payload", "Recovery %{p0}"); - -var select283 = linear_select([ - part1219, - part1220, -]); - -var part1221 = match("MESSAGE#726:00090/3", "nwparser.p0", "untrust interface occurred.%{}"); - -var all251 = all_match({ - processors: [ - select283, - dup103, - dup369, - part1221, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg736 = msg("00090", all251); - -var part1222 = match("MESSAGE#727:00200", "nwparser.payload", "A new route cannot be added to the device because the maximum number of system route entries %{fld2->} has been exceeded", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, -])); - -var msg737 = msg("00200", part1222); - -var part1223 = match("MESSAGE#728:00201", "nwparser.payload", "A route %{hostip}/%{fld2->} cannot be added to the virtual router %{node->} because the number of route entries in the virtual router exceeds the maximum number 
of routes %{fld3->} allowed", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, -])); - -var msg738 = msg("00201", part1223); - -var part1224 = match("MESSAGE#729:00202", "nwparser.payload", "%{fld2->} hello-packet flood from neighbor (ip = %{hostip->} router-id = %{fld3}) on interface %{interface->} packet is dropped", processor_chain([ - dup272, - dup2, - dup4, - dup5, - dup3, -])); - -var msg739 = msg("00202", part1224); - -var part1225 = match("MESSAGE#730:00203", "nwparser.payload", "%{fld2->} lsa flood on interface %{interface->} has dropped a packet.", processor_chain([ - dup272, - dup2, - dup4, - dup5, - dup3, -])); - -var msg740 = msg("00203", part1225); - -var part1226 = match("MESSAGE#731:00206/0", "nwparser.payload", "The total number of redistributed routes into %{p0}"); - -var part1227 = match("MESSAGE#731:00206/1_0", "nwparser.p0", "BGP %{p0}"); - -var part1228 = match("MESSAGE#731:00206/1_1", "nwparser.p0", "OSPF %{p0}"); - -var select284 = linear_select([ - part1227, - part1228, -]); - -var part1229 = match("MESSAGE#731:00206/2", "nwparser.p0", "in vrouter %{node->} exceeded system limit (%{fld2})"); - -var all252 = all_match({ - processors: [ - part1226, - select284, - part1229, - ], - on_success: processor_chain([ - dup272, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg741 = msg("00206", all252); - -var part1230 = match("MESSAGE#732:00206:01/0", "nwparser.payload", "LSA flood in OSPF with router-id %{fld2->} on %{p0}"); - -var part1231 = match("MESSAGE#732:00206:01/2", "nwparser.p0", "%{interface->} forced the interface to drop a packet."); - -var all253 = all_match({ - processors: [ - part1230, - dup352, - part1231, - ], - on_success: processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg742 = msg("00206:01", all253); - -var part1232 = match("MESSAGE#733:00206:02/0", "nwparser.payload", "OSPF instance with router-id %{fld3->} received a Hello packet flood from neighbor (IP address %{hostip}, router ID 
%{fld2}) on %{p0}"); - -var part1233 = match("MESSAGE#733:00206:02/2", "nwparser.p0", "%{interface->} forcing the interface to drop the packet."); - -var all254 = all_match({ - processors: [ - part1232, - dup352, - part1233, - ], - on_success: processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg743 = msg("00206:02", all254); - -var part1234 = match("MESSAGE#734:00206:03", "nwparser.payload", "Link State Advertisement Id %{fld2}, router ID %{fld3}, type %{fld4->} cannot be deleted from the real-time database in area %{fld5}", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, -])); - -var msg744 = msg("00206:03", part1234); - -var part1235 = match("MESSAGE#735:00206:04", "nwparser.payload", "Reject second OSPF neighbor (%{fld2}) on interface (%{interface}) since it_s configured as point-to-point interface", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, -])); - -var msg745 = msg("00206:04", part1235); - -var select285 = linear_select([ - msg741, - msg742, - msg743, - msg744, - msg745, -]); - -var part1236 = match("MESSAGE#736:00207", "nwparser.payload", "System wide RIP route limit exceeded, RIP route dropped.%{}", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, -])); - -var msg746 = msg("00207", part1236); - -var part1237 = match("MESSAGE#737:00207:01", "nwparser.payload", "%{fld2->} RIP routes dropped from last system wide RIP route limit exceed.", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, -])); - -var msg747 = msg("00207:01", part1237); - -var part1238 = match("MESSAGE#738:00207:02", "nwparser.payload", "RIP database size limit exceeded for %{fld2}, RIP route dropped.", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, -])); - -var msg748 = msg("00207:02", part1238); - -var part1239 = match("MESSAGE#739:00207:03", "nwparser.payload", "%{fld2->} RIP routes dropped from the last database size exceed in vr %{fld3}.", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, 
-])); - -var msg749 = msg("00207:03", part1239); - -var select286 = linear_select([ - msg746, - msg747, - msg748, - msg749, -]); - -var part1240 = match("MESSAGE#740:00257", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup276, - dup277, - dup278, -])); - -var msg750 = msg("00257", part1240); - -var part1241 = match("MESSAGE#741:00257:14", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=incoming action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup279, - dup276, - dup277, - dup280, -])); - -var msg751 = msg("00257:14", part1241); - -var part1242 = match("MESSAGE#742:00257:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - dup278, -])); - -var msg752 = msg("00257:01", part1242); - -var part1243 = match("MESSAGE#743:00257:15", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=incoming action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} 
src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup279, - dup282, - dup280, -])); - -var msg753 = msg("00257:15", part1243); - -var part1244 = match("MESSAGE#744:00257:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup276, - dup277, -])); - -var msg754 = msg("00257:02", part1244); - -var part1245 = match("MESSAGE#745:00257:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, -])); - -var msg755 = msg("00257:03", part1245); - -var part1246 = match("MESSAGE#746:00257:04", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup276, - dup277, -])); - -var msg756 = msg("00257:04", part1246); - -var part1247 = match("MESSAGE#747:00257:05", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} 
dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid->} reason=%{result}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, -])); - -var msg757 = msg("00257:05", part1247); - -var part1248 = match("MESSAGE#748:00257:19/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} icmp code=%{icmpcode->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid->} reason=%{result}"); - -var all255 = all_match({ - processors: [ - dup283, - dup393, - part1248, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup282, - ]), -}); - -var msg758 = msg("00257:19", all255); - -var part1249 = match("MESSAGE#749:00257:16/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid}"); - -var all256 = all_match({ - processors: [ - dup283, - dup393, - part1249, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup282, - ]), -}); - -var msg759 = msg("00257:16", all256); - -var part1250 = match("MESSAGE#750:00257:17/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} 
action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid}"); - -var all257 = all_match({ - processors: [ - dup283, - dup393, - part1250, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - ]), -}); - -var msg760 = msg("00257:17", all257); - -var part1251 = match("MESSAGE#751:00257:18/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} session_id=%{sessionid}"); - -var all258 = all_match({ - processors: [ - dup283, - dup393, - part1251, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - ]), -}); - -var msg761 = msg("00257:18", all258); - -var part1252 = match("MESSAGE#752:00257:06/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{p0}"); - -var part1253 = match("MESSAGE#752:00257:06/1_0", "nwparser.p0", "%{dport->} session_id=%{sessionid}"); - -var part1254 = match_copy("MESSAGE#752:00257:06/1_1", "nwparser.p0", "dport"); - -var select287 = linear_select([ - part1253, - part1254, -]); - -var all259 = all_match({ - processors: [ - part1252, - select287, - ], - on_success: processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup276, - dup277, - ]), -}); - -var msg762 = msg("00257:06", 
all259); - -var part1255 = match("MESSAGE#753:00257:07", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, -])); - -var msg763 = msg("00257:07", part1255); - -var part1256 = match("MESSAGE#754:00257:08", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} tcp=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup276, - dup277, -])); - -var msg764 = msg("00257:08", part1256); - -var part1257 = match("MESSAGE#755:00257:09/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{p0}"); - -var part1258 = match("MESSAGE#755:00257:09/1_0", "nwparser.p0", "%{icmptype->} icmp code=%{icmpcode->} session_id=%{sessionid->} reason=%{result}"); - -var part1259 = match("MESSAGE#755:00257:09/1_1", "nwparser.p0", "%{icmptype->} session_id=%{sessionid}"); - -var part1260 = match_copy("MESSAGE#755:00257:09/1_2", "nwparser.p0", "icmptype"); - -var select288 = linear_select([ - part1258, - part1259, - part1260, -]); - -var all260 = all_match({ - processors: [ - part1257, - select288, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup282, - ]), -}); - -var msg765 = msg("00257:09", all260); - -var 
part1261 = match("MESSAGE#756:00257:10/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}"); - -var part1262 = match("MESSAGE#756:00257:10/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid}"); - -var select289 = linear_select([ - part1262, - dup286, -]); - -var all261 = all_match({ - processors: [ - part1261, - select289, - ], - on_success: processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup276, - dup277, - ]), -}); - -var msg766 = msg("00257:10", all261); - -var part1263 = match("MESSAGE#757:00257:11/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}"); - -var part1264 = match("MESSAGE#757:00257:11/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid->} reason=%{result}"); - -var select290 = linear_select([ - part1264, - dup286, -]); - -var all262 = all_match({ - processors: [ - part1263, - select290, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup282, - ]), -}); - -var msg767 = msg("00257:11", all262); - -var part1265 = match("MESSAGE#758:00257:12", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} type=%{fld3}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup282, -])); - -var msg768 = msg("00257:12", part1265); - -var part1266 = match("MESSAGE#759:00257:13", "nwparser.payload", 
"start_time=\"%{fld2}", processor_chain([ - dup281, - dup2, - dup3, - dup274, - dup4, - dup5, -])); - -var msg769 = msg("00257:13", part1266); - -var select291 = linear_select([ - msg750, - msg751, - msg752, - msg753, - msg754, - msg755, - msg756, - msg757, - msg758, - msg759, - msg760, - msg761, - msg762, - msg763, - msg764, - msg765, - msg766, - msg767, - msg768, - msg769, -]); - -var part1267 = match("MESSAGE#760:00259/1", "nwparser.p0", "user %{username->} has logged on via %{p0}"); - -var part1268 = match("MESSAGE#760:00259/2_0", "nwparser.p0", "the console %{p0}"); - -var select292 = linear_select([ - part1268, - dup289, - dup241, -]); - -var part1269 = match("MESSAGE#760:00259/3", "nwparser.p0", "from %{saddr}:%{sport}"); - -var all263 = all_match({ - processors: [ - dup394, - part1267, - select292, - part1269, - ], - on_success: processor_chain([ - dup28, - dup29, - dup30, - dup31, - dup32, - dup2, - dup4, - dup5, - dup3, - ]), -}); - -var msg770 = msg("00259", all263); - -var part1270 = match("MESSAGE#761:00259:07/1", "nwparser.p0", "user %{administrator->} has logged out via %{logon_type->} from %{saddr}:%{sport}"); - -var all264 = all_match({ - processors: [ - dup394, - part1270, - ], - on_success: processor_chain([ - dup33, - dup29, - dup34, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg771 = msg("00259:07", all264); - -var part1271 = match("MESSAGE#762:00259:01", "nwparser.payload", "Management session via %{logon_type->} from %{saddr}:%{sport->} for [vsys] admin %{administrator->} has timed out", processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup5, -])); - -var msg772 = msg("00259:01", part1271); - -var part1272 = match("MESSAGE#763:00259:02", "nwparser.payload", "Management session via %{logon_type->} for [ vsys ] admin %{administrator->} has timed out", processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup5, -])); - -var msg773 = msg("00259:02", part1272); - -var part1273 = match("MESSAGE#764:00259:03", "nwparser.payload", "Login 
attempt to system by admin %{administrator->} via the %{logon_type->} has failed", processor_chain([ - dup206, - dup29, - dup30, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, -])); - -var msg774 = msg("00259:03", part1273); - -var part1274 = match("MESSAGE#765:00259:04", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{logon_type->} from %{saddr}:%{sport->} has failed", processor_chain([ - dup206, - dup29, - dup30, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, -])); - -var msg775 = msg("00259:04", part1274); - -var part1275 = match("MESSAGE#766:00259:05/0", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the %{p0}"); - -var part1276 = match("MESSAGE#766:00259:05/1_2", "nwparser.p0", "Web %{p0}"); - -var select293 = linear_select([ - dup241, - dup289, - part1276, -]); - -var part1277 = match("MESSAGE#766:00259:05/2", "nwparser.p0", "session on host %{daddr}:%{dport}"); - -var all265 = all_match({ - processors: [ - part1275, - select293, - part1277, - ], - on_success: processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg776 = msg("00259:05", all265); - -var part1278 = match("MESSAGE#767:00259:06", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the serial console session.", processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup5, -])); - -var msg777 = msg("00259:06", part1278); - -var select294 = linear_select([ - msg770, - msg771, - msg772, - msg773, - msg774, - msg775, - msg776, - msg777, -]); - -var part1279 = match("MESSAGE#768:00262", "nwparser.payload", "Admin user %{administrator->} has been rejected via the %{logon_type->} server at %{hostip}", processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup5, -])); - -var msg778 = msg("00262", part1279); - -var part1280 = match("MESSAGE#769:00263", "nwparser.payload", "Admin user %{administrator->} has been accepted via the %{logon_type->} server at %{hostip}", processor_chain([ - 
setc("eventcategory","1401050100"), - dup2, - dup3, - dup4, - dup5, -])); - -var msg779 = msg("00263", part1280); - -var part1281 = match("MESSAGE#770:00400/0_0", "nwparser.payload", "ActiveX control %{p0}"); - -var part1282 = match("MESSAGE#770:00400/0_1", "nwparser.payload", "JAVA applet %{p0}"); - -var part1283 = match("MESSAGE#770:00400/0_2", "nwparser.payload", "EXE file %{p0}"); - -var part1284 = match("MESSAGE#770:00400/0_3", "nwparser.payload", "ZIP file %{p0}"); - -var select295 = linear_select([ - part1281, - part1282, - part1283, - part1284, -]); - -var part1285 = match("MESSAGE#770:00400/1", "nwparser.p0", "has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{dinterface->} in zone %{dst_zone}. %{info}"); - -var all266 = all_match({ - processors: [ - select295, - part1285, - ], - on_success: processor_chain([ - setc("eventcategory","1003000000"), - dup2, - dup4, - dup5, - dup3, - dup61, - ]), -}); - -var msg780 = msg("00400", all266); - -var part1286 = match("MESSAGE#771:00401", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ - dup85, - dup2, - dup4, - dup5, - dup3, - dup291, -])); - -var msg781 = msg("00401", part1286); - -var part1287 = match("MESSAGE#772:00402", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ - dup85, - dup2, - dup4, - dup5, - dup3, - dup292, -])); - -var msg782 = msg("00402", part1287); - -var part1288 = match("MESSAGE#773:00402:01/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at %{p0}"); - -var part1289 = match("MESSAGE#773:00402:01/2", "nwparser.p0", "%{} %{interface->} in zone %{zone}. 
%{info}"); - -var all267 = all_match({ - processors: [ - part1288, - dup337, - part1289, - ], - on_success: processor_chain([ - dup85, - dup2, - dup4, - dup5, - dup3, - dup292, - ]), -}); - -var msg783 = msg("00402:01", all267); - -var select296 = linear_select([ - msg782, - msg783, -]); - -var part1290 = match("MESSAGE#774:00403", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ - dup85, - dup2, - dup4, - dup5, - dup3, - dup291, -])); - -var msg784 = msg("00403", part1290); - -var part1291 = match("MESSAGE#775:00404", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup4, - dup5, - dup3, - dup292, -])); - -var msg785 = msg("00404", part1291); - -var part1292 = match("MESSAGE#776:00405", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). 
%{info}", processor_chain([ - dup147, - dup2, - dup4, - dup5, - dup3, - dup291, -])); - -var msg786 = msg("00405", part1292); - -var msg787 = msg("00406", dup413); - -var msg788 = msg("00407", dup413); - -var msg789 = msg("00408", dup413); - -var all268 = all_match({ - processors: [ - dup132, - dup343, - dup293, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup60, - ]), -}); - -var msg790 = msg("00409", all268); - -var msg791 = msg("00410", dup413); - -var part1293 = match("MESSAGE#782:00410:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup60, -])); - -var msg792 = msg("00410:01", part1293); - -var select297 = linear_select([ - msg791, - msg792, -]); - -var part1294 = match("MESSAGE#783:00411/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto TCP (zone %{zone->} %{p0}"); - -var all269 = all_match({ - processors: [ - part1294, - dup343, - dup293, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), -}); - -var msg793 = msg("00411", all269); - -var part1295 = match("MESSAGE#784:00413/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at %{p0}"); - -var part1296 = match("MESSAGE#784:00413/2", "nwparser.p0", "%{} %{interface}.%{space}The attack occurred %{dclass_counter1->} times"); - -var all270 = all_match({ - processors: [ - part1295, - dup337, - part1296, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), -}); - -var msg794 = msg("00413", all270); - -var part1297 = match("MESSAGE#785:00413:01/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to 
%{daddr}:%{dport}, proto %{protocol}(zone %{group->} %{p0}"); - -var all271 = all_match({ - processors: [ - part1297, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - dup61, - ]), -}); - -var msg795 = msg("00413:01", all271); - -var part1298 = match("MESSAGE#786:00413:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup59, - dup5, - dup9, -])); - -var msg796 = msg("00413:02", part1298); - -var select298 = linear_select([ - msg794, - msg795, - msg796, -]); - -var part1299 = match("MESSAGE#787:00414", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, -])); - -var msg797 = msg("00414", part1299); - -var part1300 = match("MESSAGE#788:00414:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup9, -])); - -var msg798 = msg("00414:01", part1300); - -var select299 = linear_select([ - msg797, - msg798, -]); - -var part1301 = match("MESSAGE#789:00415", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, -])); - -var msg799 = msg("00415", part1301); - -var all272 = all_match({ - processors: [ - dup132, - dup343, - dup294, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup60, - ]), -}); - -var msg800 = msg("00423", all272); - -var all273 = all_match({ - processors: [ - dup80, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup60, - ]), -}); - -var msg801 = msg("00429", all273); - -var all274 = all_match({ - processors: [ - dup132, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup60, - ]), -}); - -var msg802 = msg("00429:01", all274); - -var select300 = linear_select([ - msg801, - msg802, -]); - -var all275 = all_match({ - processors: [ - dup80, - dup343, - dup295, - dup351, - ], - on_success: processor_chain([ - dup85, - dup2, - dup59, - dup3, - dup9, - dup4, - dup5, - dup61, - ]), -}); - -var msg803 = msg("00430", all275); - -var all276 = all_match({ - processors: [ - dup132, - dup343, - dup295, - dup351, - ], - on_success: processor_chain([ - dup85, - dup2, - dup59, - dup3, - dup9, - dup4, - dup5, - dup60, - ]), -}); - -var msg804 = msg("00430:01", all276); - -var select301 = linear_select([ - msg803, - msg804, -]); - -var msg805 = msg("00431", dup414); - -var msg806 = msg("00432", dup414); - -var msg807 = msg("00433", dup415); - -var msg808 = msg("00434", dup415); - -var 
msg809 = msg("00435", dup395); - -var all277 = all_match({ - processors: [ - dup132, - dup343, - dup294, - ], - on_success: processor_chain([ - dup58, - dup2, - dup4, - dup59, - dup5, - dup3, - dup60, - ]), -}); - -var msg810 = msg("00435:01", all277); - -var select302 = linear_select([ - msg809, - msg810, -]); - -var msg811 = msg("00436", dup395); - -var all278 = all_match({ - processors: [ - dup64, - dup338, - dup67, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup9, - dup4, - dup5, - dup3, - dup60, - ]), -}); - -var msg812 = msg("00436:01", all278); - -var select303 = linear_select([ - msg811, - msg812, -]); - -var part1302 = match("MESSAGE#803:00437", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, -])); - -var msg813 = msg("00437", part1302); - -var all279 = all_match({ - processors: [ - dup299, - dup338, - dup67, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - dup9, - ]), -}); - -var msg814 = msg("00437:01", all279); - -var part1303 = match("MESSAGE#805:00437:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - dup9, -])); - -var msg815 = msg("00437:02", part1303); - -var select304 = linear_select([ - msg813, - msg814, - msg815, -]); - -var part1304 = match("MESSAGE#806:00438", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, -])); - -var msg816 = msg("00438", part1304); - -var part1305 = match("MESSAGE#807:00438:01", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, -])); - -var msg817 = msg("00438:01", part1305); - -var all280 = all_match({ - processors: [ - dup299, - dup338, - dup67, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - dup61, - ]), -}); - -var msg818 = msg("00438:02", all280); - -var select305 = linear_select([ - msg816, - msg817, - msg818, -]); - -var part1306 = match("MESSAGE#809:00440", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - dup60, -])); - -var msg819 = msg("00440", part1306); - -var part1307 = match("MESSAGE#810:00440:02", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup3, - dup61, -])); - -var msg820 = msg("00440:02", part1307); - -var all281 = all_match({ - processors: [ - dup239, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup3, - dup9, - dup61, - ]), -}); - -var msg821 = msg("00440:01", all281); - -var part1308 = match("MESSAGE#812:00440:03/0", "nwparser.payload", "Fragmented traffic! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{group->} %{p0}"); - -var all282 = all_match({ - processors: [ - part1308, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup3, - dup9, - dup60, - ]), -}); - -var msg822 = msg("00440:03", all282); - -var select306 = linear_select([ - msg819, - msg820, - msg821, - msg822, -]); - -var part1309 = match("MESSAGE#813:00441", "nwparser.payload", "%{signame->} id=%{fld2}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}). Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup4, - dup59, - dup5, - dup9, - dup2, - dup3, - dup60, -])); - -var msg823 = msg("00441", part1309); - -var msg824 = msg("00442", dup396); - -var msg825 = msg("00443", dup396); - -var part1310 = match("MESSAGE#816:00511", "nwparser.payload", "admin %{administrator->} issued command %{fld2->} to redirect output.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg826 = msg("00511", part1310); - -var part1311 = match("MESSAGE#817:00511:01/0", "nwparser.payload", "All System Config saved by admin %{p0}"); - -var all283 = all_match({ - processors: [ - part1311, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg827 = msg("00511:01", all283); - -var part1312 = match("MESSAGE#818:00511:02", "nwparser.payload", "All logged events or alarms are cleared by admin %{administrator}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg828 = msg("00511:02", part1312); - -var part1313 = match("MESSAGE#819:00511:03/0", "nwparser.payload", "Get new software from flash to slot (file: %{fld2}) by admin %{p0}"); - -var all284 = all_match({ - processors: [ - part1313, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg829 = msg("00511:03", all284); - -var part1314 = match("MESSAGE#820:00511:04/0", "nwparser.payload", "Get new software from %{hostip->} (file: %{fld2}) to slot (file: %{fld3}) by admin %{p0}"); - -var all285 = all_match({ - processors: [ - part1314, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg830 = msg("00511:04", all285); - -var part1315 = match("MESSAGE#821:00511:05/0", "nwparser.payload", "Get new software to %{hostip->} (file: %{fld2}) by admin %{p0}"); - -var all286 = all_match({ - processors: [ - part1315, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - 
dup9, - dup4, - dup5, - ]), -}); - -var msg831 = msg("00511:05", all286); - -var part1316 = match("MESSAGE#822:00511:06/0", "nwparser.payload", "Log setting is modified by admin %{p0}"); - -var all287 = all_match({ - processors: [ - part1316, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg832 = msg("00511:06", all287); - -var part1317 = match("MESSAGE#823:00511:07/0", "nwparser.payload", "Save configuration to %{hostip->} (file: %{fld2}) by admin %{p0}"); - -var all288 = all_match({ - processors: [ - part1317, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg833 = msg("00511:07", all288); - -var part1318 = match("MESSAGE#824:00511:08/0", "nwparser.payload", "Save new software from slot (file: %{fld2}) to flash by admin %{p0}"); - -var all289 = all_match({ - processors: [ - part1318, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg834 = msg("00511:08", all289); - -var part1319 = match("MESSAGE#825:00511:09/0", "nwparser.payload", "Save new software from %{hostip->} (file: %{result}) to flash by admin %{p0}"); - -var all290 = all_match({ - processors: [ - part1319, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg835 = msg("00511:09", all290); - -var part1320 = match("MESSAGE#826:00511:10/0", "nwparser.payload", "System Config from flash to slot - %{fld2->} by admin %{p0}"); - -var all291 = all_match({ - processors: [ - part1320, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg836 = msg("00511:10", all291); - -var part1321 = match("MESSAGE#827:00511:11/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) to slot - %{fld3->} by admin %{p0}"); - -var all292 = all_match({ - processors: [ - part1321, - dup397, - ], 
- on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg837 = msg("00511:11", all292); - -var part1322 = match("MESSAGE#828:00511:12/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) by admin %{p0}"); - -var all293 = all_match({ - processors: [ - part1322, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg838 = msg("00511:12", all293); - -var part1323 = match("MESSAGE#829:00511:13/0", "nwparser.payload", "The system configuration was loaded from the slot by admin %{p0}"); - -var all294 = all_match({ - processors: [ - part1323, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg839 = msg("00511:13", all294); - -var part1324 = match("MESSAGE#830:00511:14", "nwparser.payload", "FIPS: Attempt to set RADIUS shared secret with invalid length %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg840 = msg("00511:14", part1324); - -var select307 = linear_select([ - msg826, - msg827, - msg828, - msg829, - msg830, - msg831, - msg832, - msg833, - msg834, - msg835, - msg836, - msg837, - msg838, - msg839, - msg840, -]); - -var part1325 = match("MESSAGE#831:00513/0", "nwparser.payload", "The physical state of %{p0}"); - -var part1326 = match("MESSAGE#831:00513/1_1", "nwparser.p0", "the Interface %{p0}"); - -var select308 = linear_select([ - dup123, - part1326, - dup122, -]); - -var part1327 = match("MESSAGE#831:00513/2", "nwparser.p0", "%{interface->} has changed to %{p0}"); - -var part1328 = match("MESSAGE#831:00513/3_0", "nwparser.p0", "%{result}. 
(%{fld1})"); - -var part1329 = match_copy("MESSAGE#831:00513/3_1", "nwparser.p0", "result"); - -var select309 = linear_select([ - part1328, - part1329, -]); - -var all295 = all_match({ - processors: [ - part1325, - select308, - part1327, - select309, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - dup9, - ]), -}); - -var msg841 = msg("00513", all295); - -var part1330 = match("MESSAGE#832:00515/0_0", "nwparser.payload", "Vsys Admin %{p0}"); - -var select310 = linear_select([ - part1330, - dup287, -]); - -var part1331 = match("MESSAGE#832:00515/1", "nwparser.p0", "%{administrator->} has logged on via the %{logon_type->} ( HTTP%{p0}"); - -var part1332 = match("MESSAGE#832:00515/2_1", "nwparser.p0", "S%{p0}"); - -var select311 = linear_select([ - dup96, - part1332, -]); - -var part1333 = match("MESSAGE#832:00515/3", "nwparser.p0", "%{}) to port %{interface->} from %{saddr}:%{sport}"); - -var all296 = all_match({ - processors: [ - select310, - part1331, - select311, - part1333, - ], - on_success: processor_chain([ - dup301, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg842 = msg("00515", all296); - -var part1334 = match("MESSAGE#833:00515:01/0", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{p0}"); - -var part1335 = match("MESSAGE#833:00515:01/1_0", "nwparser.p0", "the %{logon_type->} has failed %{p0}"); - -var part1336 = match("MESSAGE#833:00515:01/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} has failed %{p0}"); - -var select312 = linear_select([ - part1335, - part1336, -]); - -var part1337 = match_copy("MESSAGE#833:00515:01/2", "nwparser.p0", "fld2"); - -var all297 = all_match({ - processors: [ - part1334, - select312, - part1337, - ], - on_success: processor_chain([ - dup206, - dup29, - dup30, - dup31, - dup54, - dup2, - dup4, - dup5, - dup302, - dup3, - ]), -}); - -var msg843 = msg("00515:01", all297); - -var part1338 = match("MESSAGE#834:00515:02/0", "nwparser.payload", 
"Management session via %{p0}"); - -var part1339 = match("MESSAGE#834:00515:02/1_0", "nwparser.p0", "the %{logon_type->} for %{p0}"); - -var part1340 = match("MESSAGE#834:00515:02/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} for %{p0}"); - -var select313 = linear_select([ - part1339, - part1340, -]); - -var part1341 = match("MESSAGE#834:00515:02/2_0", "nwparser.p0", "[vsys] admin %{p0}"); - -var part1342 = match("MESSAGE#834:00515:02/2_1", "nwparser.p0", "vsys admin %{p0}"); - -var select314 = linear_select([ - part1341, - part1342, - dup15, -]); - -var part1343 = match("MESSAGE#834:00515:02/3", "nwparser.p0", "%{administrator->} has timed out"); - -var all298 = all_match({ - processors: [ - part1338, - select313, - select314, - part1343, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg844 = msg("00515:02", all298); - -var part1344 = match("MESSAGE#835:00515:04/0_0", "nwparser.payload", "[Vsys] %{p0}"); - -var part1345 = match("MESSAGE#835:00515:04/0_1", "nwparser.payload", "Vsys %{p0}"); - -var select315 = linear_select([ - part1344, - part1345, -]); - -var part1346 = match("MESSAGE#835:00515:04/1", "nwparser.p0", "Admin %{administrator->} has logged o%{p0}"); - -var part1347 = match_copy("MESSAGE#835:00515:04/4_1", "nwparser.p0", "logon_type"); - -var select316 = linear_select([ - dup304, - part1347, -]); - -var all299 = all_match({ - processors: [ - select315, - part1346, - dup398, - dup40, - select316, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg845 = msg("00515:04", all299); - -var part1348 = match("MESSAGE#836:00515:06", "nwparser.payload", "Admin User %{administrator->} has logged on via %{logon_type->} from %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, -])); - -var msg846 = msg("00515:06", part1348); - -var part1349 = match("MESSAGE#837:00515:05/0", "nwparser.payload", "%{}Admin %{p0}"); - -var 
select317 = linear_select([ - dup305, - dup16, -]); - -var part1350 = match("MESSAGE#837:00515:05/2", "nwparser.p0", "%{administrator->} has logged o%{p0}"); - -var part1351 = match("MESSAGE#837:00515:05/5_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{fld2})"); - -var select318 = linear_select([ - dup306, - part1351, - dup304, -]); - -var all300 = all_match({ - processors: [ - part1349, - select317, - part1350, - dup398, - dup40, - select318, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg847 = msg("00515:05", all300); - -var part1352 = match("MESSAGE#838:00515:07", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(http) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, -])); - -var msg848 = msg("00515:07", part1352); - -var part1353 = match("MESSAGE#839:00515:08/0", "nwparser.payload", "%{fld2->} Admin User \"%{administrator}\" logged in for %{logon_type}(http%{p0}"); - -var part1354 = match("MESSAGE#839:00515:08/1_0", "nwparser.p0", ") %{p0}"); - -var part1355 = match("MESSAGE#839:00515:08/1_1", "nwparser.p0", "s) %{p0}"); - -var select319 = linear_select([ - part1354, - part1355, -]); - -var part1356 = match("MESSAGE#839:00515:08/2", "nwparser.p0", "management (port %{network_port}) from %{saddr}:%{sport}"); - -var all301 = all_match({ - processors: [ - part1353, - select319, - part1356, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg849 = msg("00515:08", all301); - -var part1357 = match("MESSAGE#840:00515:09", "nwparser.payload", "User %{username->} telnet management session from (%{saddr}:%{sport}) timed out", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, -])); - -var msg850 = msg("00515:09", part1357); - -var part1358 = match("MESSAGE#841:00515:10", "nwparser.payload", "User %{username->} logged out of 
telnet session from %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, -])); - -var msg851 = msg("00515:10", part1358); - -var part1359 = match("MESSAGE#842:00515:11", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on zone %{zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg852 = msg("00515:11", part1359); - -var part1360 = match("MESSAGE#843:00515:12/0", "nwparser.payload", "[ Vsys ] Admin User \"%{administrator}\" logged in for Web( http%{p0}"); - -var part1361 = match("MESSAGE#843:00515:12/2", "nwparser.p0", ") management (port %{network_port})"); - -var all302 = all_match({ - processors: [ - part1360, - dup399, - part1361, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg853 = msg("00515:12", all302); - -var select320 = linear_select([ - dup288, - dup287, -]); - -var part1362 = match("MESSAGE#844:00515:13/1", "nwparser.p0", "user %{administrator->} has logged o%{p0}"); - -var select321 = linear_select([ - dup306, - dup304, -]); - -var all303 = all_match({ - processors: [ - select320, - part1362, - dup398, - dup40, - select321, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg854 = msg("00515:13", all303); - -var part1363 = match("MESSAGE#845:00515:14/0_0", "nwparser.payload", "Admin user %{administrator->} has been forced to log o%{p0}"); - -var part1364 = match("MESSAGE#845:00515:14/0_1", "nwparser.payload", "%{username->} %{fld1->} has been forced to log o%{p0}"); - -var select322 = linear_select([ - part1363, - part1364, -]); - -var part1365 = match("MESSAGE#845:00515:14/2", "nwparser.p0", "of the %{p0}"); - -var part1366 = match("MESSAGE#845:00515:14/3_0", "nwparser.p0", "serial %{logon_type->} session."); - -var part1367 = match("MESSAGE#845:00515:14/3_1", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port->} (%{event_time})"); - -var 
part1368 = match("MESSAGE#845:00515:14/3_2", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port}"); - -var select323 = linear_select([ - part1366, - part1367, - part1368, -]); - -var all304 = all_match({ - processors: [ - select322, - dup398, - part1365, - select323, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg855 = msg("00515:14", all304); - -var part1369 = match("MESSAGE#846:00515:15/0", "nwparser.payload", "%{fld2}: Admin User %{administrator->} has logged o%{p0}"); - -var part1370 = match("MESSAGE#846:00515:15/3_0", "nwparser.p0", "the %{logon_type->} (%{p0}"); - -var part1371 = match("MESSAGE#846:00515:15/3_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{p0}"); - -var select324 = linear_select([ - part1370, - part1371, -]); - -var all305 = all_match({ - processors: [ - part1369, - dup398, - dup40, - select324, - dup41, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg856 = msg("00515:15", all305); - -var part1372 = match("MESSAGE#847:00515:16/0_0", "nwparser.payload", "%{fld2}: Admin %{p0}"); - -var select325 = linear_select([ - part1372, - dup287, -]); - -var part1373 = match("MESSAGE#847:00515:16/1", "nwparser.p0", "user %{administrator->} attempt access to %{url->} illegal from %{logon_type}( http%{p0}"); - -var part1374 = match("MESSAGE#847:00515:16/3", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}. 
(%{fld1})"); - -var all306 = all_match({ - processors: [ - select325, - part1373, - dup399, - part1374, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg857 = msg("00515:16", all306); - -var part1375 = match("MESSAGE#848:00515:17/0", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{p0}"); - -var part1376 = match("MESSAGE#848:00515:17/1_0", "nwparser.p0", "https %{p0}"); - -var part1377 = match("MESSAGE#848:00515:17/1_1", "nwparser.p0", " http %{p0}"); - -var select326 = linear_select([ - part1376, - part1377, -]); - -var part1378 = match("MESSAGE#848:00515:17/2", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}"); - -var all307 = all_match({ - processors: [ - part1375, - select326, - part1378, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg858 = msg("00515:17", all307); - -var part1379 = match("MESSAGE#849:00515:18", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(https) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([ - dup240, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg859 = msg("00515:18", part1379); - -var part1380 = match("MESSAGE#850:00515:19/0", "nwparser.payload", "Vsys admin user %{administrator->} logged on via %{p0}"); - -var part1381 = match("MESSAGE#850:00515:19/1_0", "nwparser.p0", "%{logon_type->} from remote IP address %{saddr->} using port %{sport}. (%{p0}"); - -var part1382 = match("MESSAGE#850:00515:19/1_1", "nwparser.p0", "the console. 
(%{p0}"); - -var select327 = linear_select([ - part1381, - part1382, -]); - -var all308 = all_match({ - processors: [ - part1380, - select327, - dup41, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg860 = msg("00515:19", all308); - -var part1383 = match("MESSAGE#851:00515:20", "nwparser.payload", "netscreen: Management session via SCS from %{saddr}:%{sport->} for admin netscreen has timed out (%{fld1})", processor_chain([ - dup240, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg861 = msg("00515:20", part1383); - -var select328 = linear_select([ - msg842, - msg843, - msg844, - msg845, - msg846, - msg847, - msg848, - msg849, - msg850, - msg851, - msg852, - msg853, - msg854, - msg855, - msg856, - msg857, - msg858, - msg859, - msg860, - msg861, -]); - -var part1384 = match("MESSAGE#852:00518", "nwparser.payload", "Admin user %{administrator->} %{fld1}at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, -])); - -var msg862 = msg("00518", part1384); - -var part1385 = match("MESSAGE#853:00518:17", "nwparser.payload", "Admin user %{administrator->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, -])); - -var msg863 = msg("00518:17", part1385); - -var part1386 = match("MESSAGE#854:00518:01", "nwparser.payload", "Local authentication for WebAuth user %{username->} was %{disposition}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, -])); - -var msg864 = msg("00518:01", part1386); - -var part1387 = match("MESSAGE#855:00518:02", "nwparser.payload", "Local authentication for user %{username->} was %{disposition}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, -])); - -var msg865 = msg("00518:02", part1387); - -var part1388 = match("MESSAGE#856:00518:03", "nwparser.payload", "User %{username->} at %{saddr->} 
must enter \"Next Code\" for SecurID %{hostip}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, -])); - -var msg866 = msg("00518:03", part1388); - -var part1389 = match("MESSAGE#857:00518:04", "nwparser.payload", "WebAuth user %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, -])); - -var msg867 = msg("00518:04", part1389); - -var part1390 = match("MESSAGE#858:00518:05", "nwparser.payload", "User %{username->} at %{saddr->} has been challenged via the %{authmethod->} server at %{hostip->} (Rejected since challenge is not supported for %{logon_type})", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, -])); - -var msg868 = msg("00518:05", part1390); - -var part1391 = match("MESSAGE#859:00518:06", "nwparser.payload", "Error in authentication for WebAuth user %{username}", processor_chain([ - dup35, - dup29, - dup31, - dup54, - dup2, - dup4, - dup5, - dup3, -])); - -var msg869 = msg("00518:06", part1391); - -var part1392 = match("MESSAGE#860:00518:07/0", "nwparser.payload", "Authentication for user %{username->} was denied (long %{p0}"); - -var part1393 = match("MESSAGE#860:00518:07/1_1", "nwparser.p0", "username %{p0}"); - -var select329 = linear_select([ - dup24, - part1393, -]); - -var part1394 = match("MESSAGE#860:00518:07/2", "nwparser.p0", ")%{}"); - -var all309 = all_match({ - processors: [ - part1392, - select329, - part1394, - ], - on_success: processor_chain([ - dup53, - dup29, - dup31, - dup54, - dup2, - dup4, - dup5, - dup3, - ]), -}); - -var msg870 = msg("00518:07", all309); - -var part1395 = match("MESSAGE#861:00518:08", "nwparser.payload", "User %{username->} at %{saddr->} %{authmethod->} authentication attempt has timed out", processor_chain([ - dup35, - dup29, - dup31, - dup39, - dup2, - dup4, - dup5, - dup3, -])); - -var msg871 = msg("00518:08", part1395); - -var part1396 = match("MESSAGE#862:00518:09", 
"nwparser.payload", "User %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, -])); - -var msg872 = msg("00518:09", part1396); - -var part1397 = match("MESSAGE#863:00518:10", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed due to %{result}. (%{fld1})", processor_chain([ - dup206, - dup29, - dup30, - dup31, - dup54, - dup2, - dup4, - dup9, - dup5, - dup3, - dup302, -])); - -var msg873 = msg("00518:10", part1397); - -var part1398 = match("MESSAGE#864:00518:11/0", "nwparser.payload", "ADM: Local admin authentication failed for login name %{p0}"); - -var part1399 = match("MESSAGE#864:00518:11/1_0", "nwparser.p0", "'%{username}': %{p0}"); - -var part1400 = match("MESSAGE#864:00518:11/1_1", "nwparser.p0", "%{username}: %{p0}"); - -var select330 = linear_select([ - part1399, - part1400, -]); - -var part1401 = match("MESSAGE#864:00518:11/2", "nwparser.p0", "%{result->} (%{fld1})"); - -var all310 = all_match({ - processors: [ - part1398, - select330, - part1401, - ], - on_success: processor_chain([ - dup206, - dup29, - dup30, - dup31, - dup54, - dup2, - dup9, - dup4, - dup5, - dup3, - ]), -}); - -var msg874 = msg("00518:11", all310); - -var part1402 = match("MESSAGE#865:00518:12", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([ - dup240, - dup2, - dup4, - dup9, - dup5, - dup3, -])); - -var msg875 = msg("00518:12", part1402); - -var part1403 = match("MESSAGE#866:00518:13", "nwparser.payload", "User %{username->} at %{saddr->} is rejected by the Radius server at %{hostip}. 
(%{fld1})", processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup9, - dup5, -])); - -var msg876 = msg("00518:13", part1403); - -var part1404 = match("MESSAGE#867:00518:14", "nwparser.payload", "%{fld2}: Admin user has been rejected via the Radius server at %{hostip->} (%{fld1})", processor_chain([ - dup290, - dup2, - dup4, - dup5, - dup9, -])); - -var msg877 = msg("00518:14", part1404); - -var select331 = linear_select([ - msg862, - msg863, - msg864, - msg865, - msg866, - msg867, - msg868, - msg869, - msg870, - msg871, - msg872, - msg873, - msg874, - msg875, - msg876, - msg877, -]); - -var part1405 = match("MESSAGE#868:00519/0", "nwparser.payload", "Admin user %{administrator->} %{p0}"); - -var part1406 = match("MESSAGE#868:00519/1_1", "nwparser.p0", "of group %{group->} at %{saddr->} has %{p0}"); - -var part1407 = match("MESSAGE#868:00519/1_2", "nwparser.p0", "%{group->} at %{saddr->} has %{p0}"); - -var select332 = linear_select([ - dup194, - part1406, - part1407, -]); - -var part1408 = match("MESSAGE#868:00519/2", "nwparser.p0", "been %{disposition->} via the %{logon_type->} server %{p0}"); - -var part1409 = match("MESSAGE#868:00519/3_0", "nwparser.p0", "at %{p0}"); - -var select333 = linear_select([ - part1409, - dup16, -]); - -var part1410 = match("MESSAGE#868:00519/4", "nwparser.p0", "%{hostip}"); - -var all311 = all_match({ - processors: [ - part1405, - select332, - part1408, - select333, - part1410, - ], - on_success: processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg878 = msg("00519", all311); - -var part1411 = match("MESSAGE#869:00519:01/0", "nwparser.payload", "Local authentication for %{p0}"); - -var select334 = linear_select([ - dup307, - dup305, -]); - -var part1412 = match("MESSAGE#869:00519:01/2", "nwparser.p0", "%{username->} was %{disposition}"); - -var all312 = all_match({ - processors: [ - part1411, - select334, - part1412, - ], - on_success: processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ]), 
-}); - -var msg879 = msg("00519:01", all312); - -var part1413 = match("MESSAGE#870:00519:02/1_1", "nwparser.p0", "User %{p0}"); - -var select335 = linear_select([ - dup307, - part1413, -]); - -var part1414 = match("MESSAGE#870:00519:02/2", "nwparser.p0", "%{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}"); - -var all313 = all_match({ - processors: [ - dup160, - select335, - part1414, - ], - on_success: processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg880 = msg("00519:02", all313); - -var part1415 = match("MESSAGE#871:00519:03", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{fld4}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, -])); - -var msg881 = msg("00519:03", part1415); - -var part1416 = match("MESSAGE#872:00519:04", "nwparser.payload", "ADM: Local admin authentication successful for login name %{username->} (%{fld1})", processor_chain([ - dup240, - dup2, - dup4, - dup5, - dup9, -])); - -var msg882 = msg("00519:04", part1416); - -var part1417 = match("MESSAGE#873:00519:05", "nwparser.payload", "%{fld2}Admin user %{administrator->} has been accepted via the Radius server at %{hostip}(%{fld1})", processor_chain([ - dup240, - dup2, - dup4, - dup5, - dup9, -])); - -var msg883 = msg("00519:05", part1417); - -var select336 = linear_select([ - msg878, - msg879, - msg880, - msg881, - msg882, - msg883, -]); - -var part1418 = match("MESSAGE#874:00520", "nwparser.payload", "%{hostname->} user authentication attempt has timed out", processor_chain([ - dup35, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, -])); - -var msg884 = msg("00520", part1418); - -var part1419 = match("MESSAGE#875:00520:01/0", "nwparser.payload", "User %{username->} at %{hostip->} %{p0}"); - -var part1420 = match("MESSAGE#875:00520:01/1_0", "nwparser.p0", "RADIUS %{p0}"); - -var part1421 = 
match("MESSAGE#875:00520:01/1_1", "nwparser.p0", "SecurID %{p0}"); - -var part1422 = match("MESSAGE#875:00520:01/1_2", "nwparser.p0", "LDAP %{p0}"); - -var part1423 = match("MESSAGE#875:00520:01/1_3", "nwparser.p0", "Local %{p0}"); - -var select337 = linear_select([ - part1420, - part1421, - part1422, - part1423, -]); - -var part1424 = match("MESSAGE#875:00520:01/2", "nwparser.p0", "authentication attempt has timed out%{}"); - -var all314 = all_match({ - processors: [ - part1419, - select337, - part1424, - ], - on_success: processor_chain([ - dup35, - dup31, - dup39, - dup2, - dup4, - dup5, - dup3, - ]), -}); - -var msg885 = msg("00520:01", all314); - -var part1425 = match("MESSAGE#876:00520:02/0", "nwparser.payload", "Trying %{p0}"); - -var part1426 = match("MESSAGE#876:00520:02/2", "nwparser.p0", "server %{fld2}"); - -var all315 = all_match({ - processors: [ - part1425, - dup400, - part1426, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg886 = msg("00520:02", all315); - -var part1427 = match("MESSAGE#877:00520:03/1_0", "nwparser.p0", "Primary %{p0}"); - -var part1428 = match("MESSAGE#877:00520:03/1_1", "nwparser.p0", "Backup1 %{p0}"); - -var part1429 = match("MESSAGE#877:00520:03/1_2", "nwparser.p0", "Backup2 %{p0}"); - -var select338 = linear_select([ - part1427, - part1428, - part1429, -]); - -var part1430 = match("MESSAGE#877:00520:03/2", "nwparser.p0", "%{fld2}, %{p0}"); - -var part1431 = match("MESSAGE#877:00520:03/4", "nwparser.p0", "%{fld3}, and %{p0}"); - -var part1432 = match("MESSAGE#877:00520:03/6", "nwparser.p0", "%{fld4->} servers failed"); - -var all316 = all_match({ - processors: [ - dup160, - select338, - part1430, - dup400, - part1431, - dup400, - part1432, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg887 = msg("00520:03", all316); - -var part1433 = match("MESSAGE#878:00520:04", "nwparser.payload", "Trying %{fld2->} Server %{hostip->} 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, -])); - -var msg888 = msg("00520:04", part1433); - -var part1434 = match("MESSAGE#1221:00520:05", "nwparser.payload", "Active Server Switchover: New requests for %{fld31->} server will try %{fld32->} from now on. (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, -])); - -var msg889 = msg("00520:05", part1434); - -var select339 = linear_select([ - msg884, - msg885, - msg886, - msg887, - msg888, - msg889, -]); - -var part1435 = match("MESSAGE#879:00521", "nwparser.payload", "Can't connect to E-mail server %{hostip}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, -])); - -var msg890 = msg("00521", part1435); - -var part1436 = match("MESSAGE#880:00522", "nwparser.payload", "HA link state has %{fld2}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, -])); - -var msg891 = msg("00522", part1436); - -var part1437 = match("MESSAGE#881:00523", "nwparser.payload", "URL filtering received an error from %{fld2->} (error %{resultcode}).", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup5, -])); - -var msg892 = msg("00523", part1437); - -var part1438 = match("MESSAGE#882:00524", "nwparser.payload", "NetScreen device at %{hostip}:%{network_port->} has responded successfully to SNMP request from %{saddr}:%{sport}", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, -])); - -var msg893 = msg("00524", part1438); - -var part1439 = match("MESSAGE#883:00524:02", "nwparser.payload", "SNMP request from an unknown SNMP community public at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg894 = msg("00524:02", part1439); - -var part1440 = match("MESSAGE#884:00524:03", "nwparser.payload", "SNMP: NetScreen device has responded successfully to the SNMP request from %{saddr}:%{sport}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg895 = msg("00524:03", part1440); - -var part1441 = match("MESSAGE#885:00524:04", "nwparser.payload", "SNMP request from an unknown SNMP community admin at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg896 = msg("00524:04", part1441); - -var part1442 = match("MESSAGE#886:00524:05", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ - dup18, - dup2, - dup4, - dup5, - dup9, -])); - -var msg897 = msg("00524:05", part1442); - -var part1443 = match("MESSAGE#887:00524:06", "nwparser.payload", "SNMP request has been received from an unknown host in SNMP community %{fld2->} at %{hostip}:%{network_port}. (%{fld1})", processor_chain([ - dup18, - dup2, - dup4, - dup5, - dup9, -])); - -var msg898 = msg("00524:06", part1443); - -var part1444 = match("MESSAGE#888:00524:12", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{saddr}:%{sport->} to %{daddr}:%{dport->} has been received", processor_chain([ - dup18, - dup2, - dup4, - dup5, -])); - -var msg899 = msg("00524:12", part1444); - -var part1445 = match("MESSAGE#889:00524:14", "nwparser.payload", "SNMP request from %{saddr}:%{sport->} has been received, but the SNMP version type is incorrect. 
(%{fld1})", processor_chain([ - dup19, - dup2, - dup4, - setc("result","the SNMP version type is incorrect"), - dup5, - dup9, -])); - -var msg900 = msg("00524:14", part1445); - -var part1446 = match("MESSAGE#890:00524:13/0", "nwparser.payload", "SNMP request has been received%{p0}"); - -var part1447 = match("MESSAGE#890:00524:13/2", "nwparser.p0", "%{}but %{result}"); - -var all317 = all_match({ - processors: [ - part1446, - dup401, - part1447, - ], - on_success: processor_chain([ - dup18, - dup2, - dup4, - dup5, - ]), -}); - -var msg901 = msg("00524:13", all317); - -var part1448 = match("MESSAGE#891:00524:07", "nwparser.payload", "Response to SNMP request from %{saddr}:%{sport->} to %{daddr}:%{dport->} has %{disposition->} due to %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, -])); - -var msg902 = msg("00524:07", part1448); - -var part1449 = match("MESSAGE#892:00524:08", "nwparser.payload", "SNMP community %{fld2->} cannot be added because %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, -])); - -var msg903 = msg("00524:08", part1449); - -var part1450 = match("MESSAGE#893:00524:09", "nwparser.payload", "SNMP host %{hostip->} cannot be added to community %{fld2->} because of %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, -])); - -var msg904 = msg("00524:09", part1450); - -var part1451 = match("MESSAGE#894:00524:10", "nwparser.payload", "SNMP host %{hostip->} cannot be added because %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, -])); - -var msg905 = msg("00524:10", part1451); - -var part1452 = match("MESSAGE#895:00524:11", "nwparser.payload", "SNMP host %{hostip->} cannot be removed from community %{fld2->} because %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, -])); - -var msg906 = msg("00524:11", part1452); - -var part1453 = match("MESSAGE#1222:00524:16", "nwparser.payload", "SNMP user/community %{fld34->} doesn't exist. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, -])); - -var msg907 = msg("00524:16", part1453); - -var select340 = linear_select([ - msg893, - msg894, - msg895, - msg896, - msg897, - msg898, - msg899, - msg900, - msg901, - msg902, - msg903, - msg904, - msg905, - msg906, - msg907, -]); - -var part1454 = match("MESSAGE#896:00525", "nwparser.payload", "The new PIN for user %{username->} at %{hostip->} has been %{disposition->} by SecurID %{fld2}", processor_chain([ - dup203, - setc("ec_subject","Password"), - dup38, - dup2, - dup3, - dup4, - dup5, -])); - -var msg908 = msg("00525", part1454); - -var part1455 = match("MESSAGE#897:00525:01", "nwparser.payload", "User %{username->} at %{hostip->} has selected a system-generated PIN for authentication with SecurID %{fld2}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, -])); - -var msg909 = msg("00525:01", part1455); - -var part1456 = match("MESSAGE#898:00525:02", "nwparser.payload", "User %{username->} at %{hostip->} must enter the \"new PIN\" for SecurID %{fld2}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, -])); - -var msg910 = msg("00525:02", part1456); - -var part1457 = match("MESSAGE#899:00525:03", "nwparser.payload", "User %{username->} at %{hostip->} must make a \"New PIN\" choice for SecurID %{fld2}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, -])); - -var msg911 = msg("00525:03", part1457); - -var select341 = linear_select([ - msg908, - msg909, - msg910, - msg911, -]); - -var part1458 = match("MESSAGE#900:00526", "nwparser.payload", "The user limit has been exceeded and %{hostip->} cannot be added", processor_chain([ - dup37, - dup219, - dup38, - dup39, - dup2, - dup3, - dup4, - dup5, -])); - -var msg912 = msg("00526", part1458); - -var part1459 = match("MESSAGE#901:00527/0", "nwparser.payload", "A DHCP-%{p0}"); - -var part1460 = match("MESSAGE#901:00527/1_1", "nwparser.p0", " assigned %{p0}"); - -var select342 = linear_select([ - dup311, - 
part1460, -]); - -var part1461 = match("MESSAGE#901:00527/2", "nwparser.p0", "IP address %{hostip->} has been %{p0}"); - -var part1462 = match("MESSAGE#901:00527/3_1", "nwparser.p0", "freed from %{p0}"); - -var part1463 = match("MESSAGE#901:00527/3_2", "nwparser.p0", "freed %{p0}"); - -var select343 = linear_select([ - dup312, - part1462, - part1463, -]); - -var all318 = all_match({ - processors: [ - part1459, - select342, - part1461, - select343, - dup108, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg913 = msg("00527", all318); - -var part1464 = match("MESSAGE#902:00527:01", "nwparser.payload", "A DHCP-assigned IP address has been manually released%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg914 = msg("00527:01", part1464); - -var part1465 = match("MESSAGE#903:00527:02/0", "nwparser.payload", "DHCP server has %{p0}"); - -var part1466 = match("MESSAGE#903:00527:02/1_1", "nwparser.p0", "released %{p0}"); - -var part1467 = match("MESSAGE#903:00527:02/1_2", "nwparser.p0", "assigned or released %{p0}"); - -var select344 = linear_select([ - dup311, - part1466, - part1467, -]); - -var part1468 = match("MESSAGE#903:00527:02/2", "nwparser.p0", "an IP address%{}"); - -var all319 = all_match({ - processors: [ - part1465, - select344, - part1468, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg915 = msg("00527:02", all319); - -var part1469 = match("MESSAGE#904:00527:03", "nwparser.payload", "MAC address %{macaddr->} has detected an IP conflict and has declined address %{hostip}", processor_chain([ - dup272, - dup2, - dup3, - dup4, - dup5, -])); - -var msg916 = msg("00527:03", part1469); - -var part1470 = match("MESSAGE#905:00527:04", "nwparser.payload", "One or more DHCP-assigned IP addresses have been manually released.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg917 = msg("00527:04", part1470); - 
-var part1471 = match("MESSAGE#906:00527:05/2", "nwparser.p0", "%{} %{interface->} is more than %{fld2->} allocated."); - -var all320 = all_match({ - processors: [ - dup210, - dup337, - part1471, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg918 = msg("00527:05", all320); - -var part1472 = match("MESSAGE#907:00527:06/0", "nwparser.payload", "IP address %{hostip->} %{p0}"); - -var select345 = linear_select([ - dup106, - dup127, -]); - -var part1473 = match("MESSAGE#907:00527:06/3_1", "nwparser.p0", "released from %{p0}"); - -var select346 = linear_select([ - dup312, - part1473, -]); - -var part1474 = match("MESSAGE#907:00527:06/4", "nwparser.p0", "%{fld2->} (%{fld1})"); - -var all321 = all_match({ - processors: [ - part1472, - select345, - dup23, - select346, - part1474, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg919 = msg("00527:06", all321); - -var part1475 = match("MESSAGE#908:00527:07", "nwparser.payload", "One or more IP addresses have expired. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg920 = msg("00527:07", part1475); - -var part1476 = match("MESSAGE#909:00527:08", "nwparser.payload", "DHCP server on interface %{interface->} received %{protocol_detail->} from %{smacaddr->} requesting out-of-scope IP address %{hostip}/%{mask->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg921 = msg("00527:08", part1476); - -var part1477 = match("MESSAGE#910:00527:09/0", "nwparser.payload", "MAC address %{macaddr->} has %{disposition->} %{p0}"); - -var part1478 = match("MESSAGE#910:00527:09/1_0", "nwparser.p0", "address %{hostip->} (%{p0}"); - -var part1479 = match("MESSAGE#910:00527:09/1_1", "nwparser.p0", "%{hostip->} (%{p0}"); - -var select347 = linear_select([ - part1478, - part1479, -]); - -var all322 = all_match({ - processors: [ - part1477, - select347, - dup41, - ], - on_success: processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg922 = msg("00527:09", all322); - -var part1480 = match("MESSAGE#911:00527:10", "nwparser.payload", "One or more IP addresses are expired. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg923 = msg("00527:10", part1480); - -var select348 = linear_select([ - msg913, - msg914, - msg915, - msg916, - msg917, - msg918, - msg919, - msg920, - msg921, - msg922, - msg923, -]); - -var part1481 = match("MESSAGE#912:00528", "nwparser.payload", "SCS: User '%{username}' authenticated using password :", processor_chain([ - setc("eventcategory","1302010000"), - dup29, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, -])); - -var msg924 = msg("00528", part1481); - -var part1482 = match("MESSAGE#913:00528:01", "nwparser.payload", "SCS: Connection terminated for user %{username->} from", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, -])); - -var msg925 = msg("00528:01", part1482); - -var part1483 = match("MESSAGE#914:00528:02", "nwparser.payload", "SCS: Disabled for all root/vsys on device. Client host attempting connection to interface '%{interface}' with address %{hostip->} from %{saddr}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, -])); - -var msg926 = msg("00528:02", part1483); - -var part1484 = match("MESSAGE#915:00528:03", "nwparser.payload", "SSH: NetScreen device %{disposition->} to identify itself to the SSH client at %{hostip}", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, -])); - -var msg927 = msg("00528:03", part1484); - -var part1485 = match("MESSAGE#916:00528:04", "nwparser.payload", "SSH: Incompatible SSH version string has been received from SSH client at %{hostip}", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, -])); - -var msg928 = msg("00528:04", part1485); - -var part1486 = match("MESSAGE#917:00528:05", "nwparser.payload", "SSH: %{disposition->} to send identification string to client host at %{hostip}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, -])); - -var msg929 = msg("00528:05", part1486); - -var part1487 = match("MESSAGE#918:00528:06", "nwparser.payload", "SSH: Client at 
%{saddr->} attempted to connect with invalid version string.", processor_chain([ - dup313, - dup2, - dup3, - dup4, - dup5, - setc("result","invalid version string"), -])); - -var msg930 = msg("00528:06", part1487); - -var part1488 = match("MESSAGE#919:00528:07/0", "nwparser.payload", "SSH: %{disposition->} to negotiate %{p0}"); - -var part1489 = match("MESSAGE#919:00528:07/1_1", "nwparser.p0", "MAC %{p0}"); - -var part1490 = match("MESSAGE#919:00528:07/1_2", "nwparser.p0", "key exchange %{p0}"); - -var part1491 = match("MESSAGE#919:00528:07/1_3", "nwparser.p0", "host key %{p0}"); - -var select349 = linear_select([ - dup88, - part1489, - part1490, - part1491, -]); - -var part1492 = match("MESSAGE#919:00528:07/2", "nwparser.p0", "algorithm with host %{hostip}"); - -var all323 = all_match({ - processors: [ - part1488, - select349, - part1492, - ], - on_success: processor_chain([ - dup314, - dup2, - dup4, - dup5, - dup3, - ]), -}); - -var msg931 = msg("00528:07", all323); - -var part1493 = match("MESSAGE#920:00528:08", "nwparser.payload", "SSH: Unsupported cipher type %{fld2->} requested from %{saddr}", processor_chain([ - dup314, - dup2, - dup4, - dup5, - dup3, -])); - -var msg932 = msg("00528:08", part1493); - -var part1494 = match("MESSAGE#921:00528:09", "nwparser.payload", "SSH: Host client has requested NO cipher from %{saddr}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, -])); - -var msg933 = msg("00528:09", part1494); - -var part1495 = match("MESSAGE#922:00528:10", "nwparser.payload", "SSH: Disabled for '%{vsys}'. 
Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, -])); - -var msg934 = msg("00528:10", part1495); - -var part1496 = match("MESSAGE#923:00528:11", "nwparser.payload", "SSH: Disabled for %{fld2->} Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, -])); - -var msg935 = msg("00528:11", part1496); - -var part1497 = match("MESSAGE#924:00528:12", "nwparser.payload", "SSH: SSH user %{username->} at %{saddr->} tried unsuccessfully to log in to %{vsys->} using the shared untrusted interface. SSH disabled on that interface.", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - setc("disposition","disabled"), -])); - -var msg936 = msg("00528:12", part1497); - -var part1498 = match("MESSAGE#925:00528:13/0", "nwparser.payload", "SSH: SSH client at %{saddr->} tried unsuccessfully to %{p0}"); - -var part1499 = match("MESSAGE#925:00528:13/1_0", "nwparser.p0", "make %{p0}"); - -var part1500 = match("MESSAGE#925:00528:13/1_1", "nwparser.p0", "establish %{p0}"); - -var select350 = linear_select([ - part1499, - part1500, -]); - -var part1501 = match("MESSAGE#925:00528:13/2", "nwparser.p0", "an SSH connection to %{p0}"); - -var part1502 = match("MESSAGE#925:00528:13/4", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} SSH %{p0}"); - -var part1503 = match("MESSAGE#925:00528:13/5_0", "nwparser.p0", "not enabled %{p0}"); - -var select351 = linear_select([ - part1503, - dup157, -]); - -var part1504 = match("MESSAGE#925:00528:13/6", "nwparser.p0", "on that interface.%{}"); - -var all324 = all_match({ - processors: [ - part1498, - select350, - part1501, - dup337, - part1502, - select351, - part1504, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), -}); - -var msg937 = msg("00528:13", all324); - -var part1505 = match("MESSAGE#926:00528:14", "nwparser.payload", "SSH: SSH client %{saddr->} 
unsuccessfully attempted to make an SSH connection to %{vsys->} SSH was not completely initialized for that system.", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, -])); - -var msg938 = msg("00528:14", part1505); - -var part1506 = match("MESSAGE#927:00528:15/0", "nwparser.payload", "SSH: Admin user %{p0}"); - -var part1507 = match("MESSAGE#927:00528:15/1_1", "nwparser.p0", "%{administrator->} %{p0}"); - -var select352 = linear_select([ - dup315, - part1507, -]); - -var part1508 = match("MESSAGE#927:00528:15/2", "nwparser.p0", "at host %{saddr->} requested unsupported %{p0}"); - -var part1509 = match("MESSAGE#927:00528:15/3_0", "nwparser.p0", "PKA algorithm %{p0}"); - -var part1510 = match("MESSAGE#927:00528:15/3_1", "nwparser.p0", "authentication method %{p0}"); - -var select353 = linear_select([ - part1509, - part1510, -]); - -var all325 = all_match({ - processors: [ - part1506, - select352, - part1508, - select353, - dup108, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), -}); - -var msg939 = msg("00528:15", all325); - -var part1511 = match("MESSAGE#928:00528:16", "nwparser.payload", "SCP: Admin '%{administrator}' at host %{saddr->} executed invalid scp command: '%{fld2}'", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, -])); - -var msg940 = msg("00528:16", part1511); - -var part1512 = match("MESSAGE#929:00528:17", "nwparser.payload", "SCP: Disabled for '%{username}'. 
Attempted file transfer failed from host %{saddr}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, -])); - -var msg941 = msg("00528:17", part1512); - -var part1513 = match("MESSAGE#930:00528:18/2", "nwparser.p0", "authentication successful for admin user %{p0}"); - -var all326 = all_match({ - processors: [ - dup316, - dup402, - part1513, - dup403, - dup320, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - setc("disposition","successful"), - setc("event_description","authentication successful for admin user"), - ]), -}); - -var msg942 = msg("00528:18", all326); - -var part1514 = match("MESSAGE#931:00528:26/2", "nwparser.p0", "authentication failed for admin user %{p0}"); - -var all327 = all_match({ - processors: [ - dup316, - dup402, - part1514, - dup403, - dup320, - ], - on_success: processor_chain([ - dup206, - dup29, - dup31, - dup54, - dup2, - dup4, - dup5, - dup302, - dup3, - setc("event_description","authentication failed for admin user"), - ]), -}); - -var msg943 = msg("00528:26", all327); - -var part1515 = match("MESSAGE#932:00528:19/2", "nwparser.p0", ": SSH user %{username->} has been %{disposition->} using password from %{saddr}:%{sport}"); - -var all328 = all_match({ - processors: [ - dup321, - dup404, - part1515, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), -}); - -var msg944 = msg("00528:19", all328); - -var part1516 = match("MESSAGE#933:00528:20/2", "nwparser.p0", ": Connection has been %{disposition->} for admin user %{administrator->} at %{saddr}:%{sport}"); - -var all329 = all_match({ - processors: [ - dup321, - dup404, - part1516, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), -}); - -var msg945 = msg("00528:20", all329); - -var part1517 = match("MESSAGE#934:00528:21", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has requested PKA RSA authentication, which is not supported for that client.", 
processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, -])); - -var msg946 = msg("00528:21", part1517); - -var part1518 = match("MESSAGE#935:00528:22/0", "nwparser.payload", "SCS: SSH client at %{saddr->} has attempted to make an SCS connection to %{p0}"); - -var part1519 = match("MESSAGE#935:00528:22/2", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} but %{disposition->} because SCS is not enabled for that interface."); - -var all330 = all_match({ - processors: [ - part1518, - dup337, - part1519, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - setc("result","SCS is not enabled for that interface"), - ]), -}); - -var msg947 = msg("00528:22", all330); - -var part1520 = match("MESSAGE#936:00528:23", "nwparser.payload", "SCS: SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to vsys %{vsys->} because SCS cannot generate the host and server keys before timing out.", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - setc("result","SCS cannot generate the host and server keys before timing out"), -])); - -var msg948 = msg("00528:23", part1520); - -var part1521 = match("MESSAGE#937:00528:24", "nwparser.payload", "SSH: %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup281, - dup2, - dup3, - dup4, - dup5, -])); - -var msg949 = msg("00528:24", part1521); - -var part1522 = match("MESSAGE#938:00528:25/0", "nwparser.payload", "SSH: Admin %{p0}"); - -var part1523 = match("MESSAGE#938:00528:25/2", "nwparser.p0", "at host %{saddr->} attempted to be authenticated with no authentication methods enabled."); - -var all331 = all_match({ - processors: [ - part1522, - dup403, - part1523, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), -}); - -var msg950 = msg("00528:25", all331); - -var select354 = linear_select([ - msg924, - msg925, - msg926, - msg927, - msg928, - msg929, - msg930, - msg931, - msg932, - msg933, 
- msg934, - msg935, - msg936, - msg937, - msg938, - msg939, - msg940, - msg941, - msg942, - msg943, - msg944, - msg945, - msg946, - msg947, - msg948, - msg949, - msg950, -]); - -var part1524 = match("MESSAGE#939:00529/1_0", "nwparser.p0", "manually %{p0}"); - -var part1525 = match("MESSAGE#939:00529/1_1", "nwparser.p0", "automatically %{p0}"); - -var select355 = linear_select([ - part1524, - part1525, -]); - -var part1526 = match("MESSAGE#939:00529/2", "nwparser.p0", "refreshed%{}"); - -var all332 = all_match({ - processors: [ - dup63, - select355, - part1526, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg951 = msg("00529", all332); - -var part1527 = match("MESSAGE#940:00529:01/0", "nwparser.payload", "DNS entries have been refreshed by %{p0}"); - -var part1528 = match("MESSAGE#940:00529:01/1_0", "nwparser.p0", "state change%{}"); - -var part1529 = match("MESSAGE#940:00529:01/1_1", "nwparser.p0", "HA%{}"); - -var select356 = linear_select([ - part1528, - part1529, -]); - -var all333 = all_match({ - processors: [ - part1527, - select356, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg952 = msg("00529:01", all333); - -var select357 = linear_select([ - msg951, - msg952, -]); - -var part1530 = match("MESSAGE#941:00530", "nwparser.payload", "An IP conflict has been detected and the DHCP client has declined address %{hostip}", processor_chain([ - dup272, - dup2, - dup3, - dup4, - dup5, -])); - -var msg953 = msg("00530", part1530); - -var part1531 = match("MESSAGE#942:00530:01/0", "nwparser.payload", "DHCP client IP %{hostip->} for the %{p0}"); - -var part1532 = match("MESSAGE#942:00530:01/2", "nwparser.p0", "%{} %{interface->} has been manually released"); - -var all334 = all_match({ - processors: [ - part1531, - dup337, - part1532, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg954 = msg("00530:01", all334); - -var 
part1533 = match("MESSAGE#943:00530:02", "nwparser.payload", "DHCP client is unable to get an IP address for the %{interface->} interface", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, -])); - -var msg955 = msg("00530:02", part1533); - -var part1534 = match("MESSAGE#944:00530:03", "nwparser.payload", "DHCP client lease for %{hostip->} has expired", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg956 = msg("00530:03", part1534); - -var part1535 = match("MESSAGE#945:00530:04", "nwparser.payload", "DHCP server %{hostip->} has assigned the untrust Interface %{interface->} with lease %{fld2}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg957 = msg("00530:04", part1535); - -var part1536 = match("MESSAGE#946:00530:05", "nwparser.payload", "DHCP server %{hostip->} has assigned the %{interface->} interface %{fld2->} with lease %{fld3}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg958 = msg("00530:05", part1536); - -var part1537 = match("MESSAGE#947:00530:06", "nwparser.payload", "DHCP client is unable to get IP address for the untrust interface.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, -])); - -var msg959 = msg("00530:06", part1537); - -var select358 = linear_select([ - msg953, - msg954, - msg955, - msg956, - msg957, - msg958, - msg959, -]); - -var part1538 = match("MESSAGE#948:00531/0", "nwparser.payload", "System clock configurations have been changed by admin %{p0}"); - -var all335 = all_match({ - processors: [ - part1538, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg960 = msg("00531", all335); - -var part1539 = match("MESSAGE#949:00531:01", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, -])); - -var msg961 = msg("00531:01", part1539); - -var part1540 = match("MESSAGE#950:00531:02", "nwparser.payload", "The 
system clock has been updated through NTP.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg962 = msg("00531:02", part1540); - -var part1541 = match("MESSAGE#951:00531:03/0", "nwparser.payload", "The system clock was updated from %{type->} NTP server type %{hostname->} with a%{p0}"); - -var part1542 = match("MESSAGE#951:00531:03/1_0", "nwparser.p0", " ms %{p0}"); - -var select359 = linear_select([ - part1542, - dup115, -]); - -var part1543 = match("MESSAGE#951:00531:03/2", "nwparser.p0", "adjustment of %{fld3}. Authentication was %{fld4}. Update mode was %{p0}"); - -var part1544 = match("MESSAGE#951:00531:03/3_0", "nwparser.p0", "%{fld5}(%{fld2})"); - -var part1545 = match_copy("MESSAGE#951:00531:03/3_1", "nwparser.p0", "fld5"); - -var select360 = linear_select([ - part1544, - part1545, -]); - -var all336 = all_match({ - processors: [ - part1541, - select359, - part1543, - select360, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup146, - ]), -}); - -var msg963 = msg("00531:03", all336); - -var part1546 = match("MESSAGE#952:00531:04/0", "nwparser.payload", "The NetScreen device is attempting to contact the %{p0}"); - -var part1547 = match("MESSAGE#952:00531:04/1_0", "nwparser.p0", "primary backup %{p0}"); - -var part1548 = match("MESSAGE#952:00531:04/1_1", "nwparser.p0", "secondary backup %{p0}"); - -var select361 = linear_select([ - part1547, - part1548, - dup189, -]); - -var part1549 = match("MESSAGE#952:00531:04/2", "nwparser.p0", "NTP server %{hostname}"); - -var all337 = all_match({ - processors: [ - part1546, - select361, - part1549, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg964 = msg("00531:04", all337); - -var part1550 = match("MESSAGE#953:00531:05", "nwparser.payload", "No NTP server could be contacted. 
(%{fld1})", processor_chain([ - dup86, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg965 = msg("00531:05", part1550); - -var part1551 = match("MESSAGE#954:00531:06", "nwparser.payload", "Network Time Protocol adjustment of %{fld2->} from NTP server %{hostname->} exceeds the allowed adjustment of %{fld3}. (%{fld1})", processor_chain([ - dup86, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg966 = msg("00531:06", part1551); - -var part1552 = match("MESSAGE#955:00531:07", "nwparser.payload", "No acceptable time could be obtained from any NTP server. (%{fld1})", processor_chain([ - dup86, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg967 = msg("00531:07", part1552); - -var part1553 = match("MESSAGE#956:00531:08", "nwparser.payload", "Administrator %{administrator->} changed the %{change_attribute->} from %{change_old->} to %{change_new->} (by %{fld3->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}) (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg968 = msg("00531:08", part1553); - -var part1554 = match("MESSAGE#957:00531:09", "nwparser.payload", "Network Time Protocol settings changed. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg969 = msg("00531:09", part1554); - -var part1555 = match("MESSAGE#958:00531:10", "nwparser.payload", "NTP server is %{disposition->} on interface %{interface->} (%{fld1})", processor_chain([ - dup86, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg970 = msg("00531:10", part1555); - -var part1556 = match("MESSAGE#959:00531:11", "nwparser.payload", "The system clock will be changed from %{change_old->} to %{change_new->} received from primary NTP server %{hostip->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("event_description","system clock changed based on receive from primary NTP server"), -])); - -var msg971 = msg("00531:11", part1556); - -var part1557 = match("MESSAGE#1223:00531:12", "nwparser.payload", "%{fld35->} NTP server %{saddr->} could not be contacted. (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, -])); - -var msg972 = msg("00531:12", part1557); - -var select362 = linear_select([ - msg960, - msg961, - msg962, - msg963, - msg964, - msg965, - msg966, - msg967, - msg968, - msg969, - msg970, - msg971, - msg972, -]); - -var part1558 = match("MESSAGE#960:00533", "nwparser.payload", "VIP server %{hostip->} is now responding", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg973 = msg("00533", part1558); - -var part1559 = match("MESSAGE#961:00534", "nwparser.payload", "%{fld2->} has been cleared", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg974 = msg("00534", part1559); - -var part1560 = match("MESSAGE#962:00535", "nwparser.payload", "Cannot find the CA certificate with distinguished name %{fld2}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, -])); - -var msg975 = msg("00535", part1560); - -var part1561 = match("MESSAGE#963:00535:01", "nwparser.payload", "Distinguished name %{dn->} in the X509 certificate request is 
%{disposition}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, -])); - -var msg976 = msg("00535:01", part1561); - -var part1562 = match("MESSAGE#964:00535:02", "nwparser.payload", "Local certificate with distinguished name %{dn->} is %{disposition}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, -])); - -var msg977 = msg("00535:02", part1562); - -var part1563 = match("MESSAGE#965:00535:03", "nwparser.payload", "PKCS #7 data cannot be decapsulated%{}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, -])); - -var msg978 = msg("00535:03", part1563); - -var part1564 = match("MESSAGE#966:00535:04", "nwparser.payload", "SCEP_FAILURE message has been received from the CA%{}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - setc("result","SCEP_FAILURE message"), -])); - -var msg979 = msg("00535:04", part1564); - -var part1565 = match("MESSAGE#967:00535:05", "nwparser.payload", "PKI error message has been received: %{result}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, -])); - -var msg980 = msg("00535:05", part1565); - -var part1566 = match("MESSAGE#968:00535:06", "nwparser.payload", "PKI: Saved CA configuration (CA cert subject name %{dn}). (%{event_time_string})", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Saved CA configuration - cert subject name"), -])); - -var msg981 = msg("00535:06", part1566); - -var select363 = linear_select([ - msg975, - msg976, - msg977, - msg978, - msg979, - msg980, - msg981, -]); - -var part1567 = match("MESSAGE#969:00536:49/0", "nwparser.payload", "IKE %{hostip->} %{p0}"); - -var part1568 = match("MESSAGE#969:00536:49/1_0", "nwparser.p0", "Phase 2 msg ID %{sessionid}: %{disposition}. %{p0}"); - -var part1569 = match("MESSAGE#969:00536:49/1_1", "nwparser.p0", "Phase 1: %{disposition->} %{p0}"); - -var part1570 = match("MESSAGE#969:00536:49/1_2", "nwparser.p0", "phase 2:%{disposition}. 
%{p0}"); - -var part1571 = match("MESSAGE#969:00536:49/1_3", "nwparser.p0", "phase 1:%{disposition}. %{p0}"); - -var select364 = linear_select([ - part1568, - part1569, - part1570, - part1571, -]); - -var all338 = all_match({ - processors: [ - part1567, - select364, - dup10, - ], - on_success: processor_chain([ - dup44, - dup2, - dup9, - dup3, - dup4, - dup5, - ]), -}); - -var msg982 = msg("00536:49", all338); - -var part1572 = match("MESSAGE#970:00536", "nwparser.payload", "UDP packets have been received from %{saddr}/%{sport->} at interface %{interface->} at %{daddr}/%{dport}", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup3, - dup61, -])); - -var msg983 = msg("00536", part1572); - -var part1573 = match("MESSAGE#971:00536:01", "nwparser.payload", "Attempt to set tunnel (%{fld2}) without IP address at both end points! Check outgoing interface.", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, -])); - -var msg984 = msg("00536:01", part1573); - -var part1574 = match("MESSAGE#972:00536:02", "nwparser.payload", "Gateway %{fld2->} at %{hostip->} in %{fld4->} mode with ID: %{fld3->} has been %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg985 = msg("00536:02", part1574); - -var part1575 = match("MESSAGE#973:00536:03", "nwparser.payload", "IKE gateway %{fld2->} has been %{disposition}. 
%{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg986 = msg("00536:03", part1575); - -var part1576 = match("MESSAGE#974:00536:04", "nwparser.payload", "VPN monitoring for VPN %{group->} has deactivated the SA with ID %{fld2}.", processor_chain([ - setc("eventcategory","1801010100"), - dup2, - dup3, - dup4, - dup5, -])); - -var msg987 = msg("00536:04", part1576); - -var part1577 = match("MESSAGE#975:00536:05", "nwparser.payload", "VPN ID number cannot be assigned%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg988 = msg("00536:05", part1577); - -var part1578 = match("MESSAGE#976:00536:06", "nwparser.payload", "Local gateway IP address has changed to %{fld2}. VPNs cannot terminate at an interface with IP %{hostip}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg989 = msg("00536:06", part1578); - -var part1579 = match("MESSAGE#977:00536:07", "nwparser.payload", "Local gateway IP address has changed from %{change_old->} to another setting", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg990 = msg("00536:07", part1579); - -var part1580 = match("MESSAGE#978:00536:08", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification message", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg991 = msg("00536:08", part1580); - -var part1581 = match("MESSAGE#979:00536:09", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg992 = msg("00536:09", part1581); - -var part1582 = match("MESSAGE#980:00536:10", "nwparser.payload", "IKE %{hostip}: Responded to a packet with a bad SPI after rebooting", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg993 = msg("00536:10", part1582); - -var part1583 = match("MESSAGE#981:00536:11", "nwparser.payload", "IKE %{hostip}: Removed Phase 2 SAs after receiving a notification 
message", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg994 = msg("00536:11", part1583); - -var part1584 = match("MESSAGE#982:00536:12", "nwparser.payload", "IKE %{hostip}: Rejected first Phase 1 packet from an unrecognized source", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg995 = msg("00536:12", part1584); - -var part1585 = match("MESSAGE#983:00536:13", "nwparser.payload", "IKE %{hostip}: Rejected an initial Phase 1 packet from an unrecognized peer gateway", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg996 = msg("00536:13", part1585); - -var part1586 = match("MESSAGE#984:00536:14/0", "nwparser.payload", "IKE %{hostip}: Received initial contact notification and removed Phase %{p0}"); - -var part1587 = match("MESSAGE#984:00536:14/2", "nwparser.p0", "SAs%{}"); - -var all339 = all_match({ - processors: [ - part1586, - dup383, - part1587, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg997 = msg("00536:14", all339); - -var part1588 = match("MESSAGE#985:00536:50", "nwparser.payload", "IKE %{hostip}: Received a notification message for %{disposition}. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup9, - dup3, - dup4, - dup5, -])); - -var msg998 = msg("00536:50", part1588); - -var part1589 = match("MESSAGE#986:00536:15", "nwparser.payload", "IKE %{hostip}: Received incorrect ID payload: IP address %{fld2->} instead of IP address %{fld3}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg999 = msg("00536:15", part1589); - -var part1590 = match("MESSAGE#987:00536:16", "nwparser.payload", "IKE %{hostip}: Phase 2 negotiation request is already in the task list", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1000 = msg("00536:16", part1590); - -var part1591 = match("MESSAGE#988:00536:17", "nwparser.payload", "IKE %{hostip}: Heartbeats have been lost %{fld2->} times", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1001 = msg("00536:17", part1591); - -var part1592 = match("MESSAGE#989:00536:18", "nwparser.payload", "IKE %{hostip}: Dropped peer packet because no policy uses the peer configuration", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1002 = msg("00536:18", part1592); - -var part1593 = match("MESSAGE#990:00536:19", "nwparser.payload", "IKE %{hostip}: Dropped packet because remote gateway OK is not used in any VPN tunnel configurations", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1003 = msg("00536:19", part1593); - -var part1594 = match("MESSAGE#991:00536:20", "nwparser.payload", "IKE %{hostip}: Added the initial contact task to the task list", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1004 = msg("00536:20", part1594); - -var part1595 = match("MESSAGE#992:00536:21", "nwparser.payload", "IKE %{hostip}: Added Phase 2 session tasks to the task list", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1005 = msg("00536:21", part1595); - -var part1596 = match("MESSAGE#993:00536:22", "nwparser.payload", "IKE 
%{hostip->} Phase 1 : %{disposition->} proposals from peer. Negotiations failed", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - setc("result","Negotiations failed"), -])); - -var msg1006 = msg("00536:22", part1596); - -var part1597 = match("MESSAGE#994:00536:23", "nwparser.payload", "IKE %{hostip->} Phase 1 : Aborted negotiations because the time limit has elapsed", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - setc("result","The time limit has elapsed"), - setc("disposition","Aborted"), -])); - -var msg1007 = msg("00536:23", part1597); - -var part1598 = match("MESSAGE#995:00536:24", "nwparser.payload", "IKE %{hostip->} Phase 2: Received a message but did not check a policy because id-mode is set to IP or policy-checking is disabled", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1008 = msg("00536:24", part1598); - -var part1599 = match("MESSAGE#996:00536:25", "nwparser.payload", "IKE %{hostip->} Phase 2: Received DH group %{fld2->} instead of expected group %{fld3->} for PFS", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1009 = msg("00536:25", part1599); - -var part1600 = match("MESSAGE#997:00536:26", "nwparser.payload", "IKE %{hostip->} Phase 2: No policy exists for the proxy ID received: local ID %{fld2->} remote ID %{fld3}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1010 = msg("00536:26", part1600); - -var part1601 = match("MESSAGE#998:00536:27", "nwparser.payload", "IKE %{hostip->} Phase 1: RSA private key is needed to sign packets", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1011 = msg("00536:27", part1601); - -var part1602 = match("MESSAGE#999:00536:28", "nwparser.payload", "IKE %{hostip->} Phase 1: Aggressive mode negotiations have %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1012 = msg("00536:28", part1602); - -var part1603 = match("MESSAGE#1000:00536:29", 
"nwparser.payload", "IKE %{hostip->} Phase 1: Vendor ID payload indicates that the peer does not support NAT-T", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1013 = msg("00536:29", part1603); - -var part1604 = match("MESSAGE#1001:00536:30", "nwparser.payload", "IKE %{hostip->} Phase 1: Retransmission limit has been reached", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1014 = msg("00536:30", part1604); - -var part1605 = match("MESSAGE#1002:00536:31", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an invalid RSA signature", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1015 = msg("00536:31", part1605); - -var part1606 = match("MESSAGE#1003:00536:32", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an incorrect public key authentication method", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1016 = msg("00536:32", part1606); - -var part1607 = match("MESSAGE#1004:00536:33", "nwparser.payload", "IKE %{hostip->} Phase 1: No private key exists to sign packets", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1017 = msg("00536:33", part1607); - -var part1608 = match("MESSAGE#1005:00536:34", "nwparser.payload", "IKE %{hostip->} Phase 1: Main mode packet has arrived with ID type IP address but no user configuration was found for that ID", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1018 = msg("00536:34", part1608); - -var part1609 = match("MESSAGE#1006:00536:35", "nwparser.payload", "IKE %{hostip->} Phase 1: IKE initiator has detected NAT in front of the local device", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1019 = msg("00536:35", part1609); - -var part1610 = match("MESSAGE#1007:00536:36/0", "nwparser.payload", "IKE %{hostip->} Phase 1: Discarded a second initial packet%{p0}"); - -var part1611 = match("MESSAGE#1007:00536:36/2", "nwparser.p0", "%{}which 
arrived within %{fld2->} after the first"); - -var all340 = all_match({ - processors: [ - part1610, - dup401, - part1611, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1020 = msg("00536:36", all340); - -var part1612 = match("MESSAGE#1008:00536:37", "nwparser.payload", "IKE %{hostip->} Phase 1: Completed Aggressive mode negotiations with a %{fld2->} lifetime", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1021 = msg("00536:37", part1612); - -var part1613 = match("MESSAGE#1009:00536:38", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a subject name that does not match the ID payload", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1022 = msg("00536:38", part1613); - -var part1614 = match("MESSAGE#1010:00536:39", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a different IP address %{fld2->} than expected", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1023 = msg("00536:39", part1614); - -var part1615 = match("MESSAGE#1011:00536:40", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot use a preshared key because the peer%{quote}s gateway has a dynamic IP address and negotiations are in Main mode", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1024 = msg("00536:40", part1615); - -var part1616 = match("MESSAGE#1012:00536:47", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated negotiations in Aggressive mode", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1025 = msg("00536:47", part1616); - -var part1617 = match("MESSAGE#1013:00536:41", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot verify RSA signature", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1026 = msg("00536:41", part1617); - -var part1618 = match("MESSAGE#1014:00536:42", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated 
Main mode negotiations", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1027 = msg("00536:42", part1618); - -var part1619 = match("MESSAGE#1015:00536:43", "nwparser.payload", "IKE %{hostip->} Phase 2: Initiated negotiations", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1028 = msg("00536:43", part1619); - -var part1620 = match("MESSAGE#1016:00536:44", "nwparser.payload", "IKE %{hostip}: Changed heartbeat interval to %{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1029 = msg("00536:44", part1620); - -var part1621 = match("MESSAGE#1017:00536:45", "nwparser.payload", "IKE %{hostip}: Heartbeats have been %{disposition->} because %{result}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1030 = msg("00536:45", part1621); - -var part1622 = match("MESSAGE#1018:00536:48", "nwparser.payload", "Received an IKE packet on %{interface->} from %{saddr}:%{sport->} to %{daddr}:%{dport}/%{fld1}. Cookies: %{ike_cookie1}, %{ike_cookie2}. 
(%{event_time_string})", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Received an IKE packet on interface"), -])); - -var msg1031 = msg("00536:48", part1622); - -var part1623 = match("MESSAGE#1019:00536:46", "nwparser.payload", "IKE %{hostip}: Received a bad SPI", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1032 = msg("00536:46", part1623); - -var select365 = linear_select([ - msg982, - msg983, - msg984, - msg985, - msg986, - msg987, - msg988, - msg989, - msg990, - msg991, - msg992, - msg993, - msg994, - msg995, - msg996, - msg997, - msg998, - msg999, - msg1000, - msg1001, - msg1002, - msg1003, - msg1004, - msg1005, - msg1006, - msg1007, - msg1008, - msg1009, - msg1010, - msg1011, - msg1012, - msg1013, - msg1014, - msg1015, - msg1016, - msg1017, - msg1018, - msg1019, - msg1020, - msg1021, - msg1022, - msg1023, - msg1024, - msg1025, - msg1026, - msg1027, - msg1028, - msg1029, - msg1030, - msg1031, - msg1032, -]); - -var part1624 = match("MESSAGE#1020:00537", "nwparser.payload", "PPPoE %{disposition->} to establish a session: %{info}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - dup3, -])); - -var msg1033 = msg("00537", part1624); - -var part1625 = match("MESSAGE#1021:00537:01", "nwparser.payload", "PPPoE session shuts down: %{result}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1034 = msg("00537:01", part1625); - -var part1626 = match("MESSAGE#1022:00537:02", "nwparser.payload", "The Point-to-Point over Ethernet (PPPoE) connection failed to establish a session: %{result}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1035 = msg("00537:02", part1626); - -var part1627 = match("MESSAGE#1023:00537:03", "nwparser.payload", "PPPoE session has successfully established%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1036 = msg("00537:03", part1627); - -var select366 = linear_select([ - msg1033, - 
msg1034, - msg1035, - msg1036, -]); - -var part1628 = match("MESSAGE#1024:00538/0", "nwparser.payload", "NACN failed to register to Policy Manager %{fld2->} because %{p0}"); - -var select367 = linear_select([ - dup111, - dup119, -]); - -var part1629 = match("MESSAGE#1024:00538/2", "nwparser.p0", "%{result}"); - -var all341 = all_match({ - processors: [ - part1628, - select367, - part1629, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1037 = msg("00538", all341); - -var part1630 = match("MESSAGE#1025:00538:01", "nwparser.payload", "NACN successfully registered to Policy Manager %{fld2}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1038 = msg("00538:01", part1630); - -var part1631 = match("MESSAGE#1026:00538:02", "nwparser.payload", "The NACN protocol has started for Policy Manager %{fld2->} on hostname %{hostname->} IP address %{hostip->} port %{network_port}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1039 = msg("00538:02", part1631); - -var part1632 = match("MESSAGE#1027:00538:03", "nwparser.payload", "Cannot connect to NSM Server at %{hostip->} (%{fld2->} connect attempt(s)) %{fld3}", processor_chain([ - dup19, - dup2, - dup4, - dup5, - dup3, -])); - -var msg1040 = msg("00538:03", part1632); - -var part1633 = match("MESSAGE#1028:00538:04", "nwparser.payload", "Device is not known to Global PRO data collector at %{hostip}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1041 = msg("00538:04", part1633); - -var part1634 = match("MESSAGE#1029:00538:05/0", "nwparser.payload", "Lost %{p0}"); - -var part1635 = match("MESSAGE#1029:00538:05/1_0", "nwparser.p0", "socket connection%{p0}"); - -var part1636 = match("MESSAGE#1029:00538:05/1_1", "nwparser.p0", "connection%{p0}"); - -var select368 = linear_select([ - part1635, - part1636, -]); - -var part1637 = match("MESSAGE#1029:00538:05/2", "nwparser.p0", "%{}to Global PRO data 
collector at %{hostip}"); - -var all342 = all_match({ - processors: [ - part1634, - select368, - part1637, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1042 = msg("00538:05", all342); - -var part1638 = match("MESSAGE#1030:00538:06/0", "nwparser.payload", "Device has connected to the Global PRO%{p0}"); - -var part1639 = match("MESSAGE#1030:00538:06/1_0", "nwparser.p0", " %{fld2->} primary data collector at %{p0}"); - -var part1640 = match("MESSAGE#1030:00538:06/1_1", "nwparser.p0", " primary data collector at %{p0}"); - -var select369 = linear_select([ - part1639, - part1640, -]); - -var part1641 = match_copy("MESSAGE#1030:00538:06/2", "nwparser.p0", "hostip"); - -var all343 = all_match({ - processors: [ - part1638, - select369, - part1641, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1043 = msg("00538:06", all343); - -var part1642 = match("MESSAGE#1031:00538:07/0", "nwparser.payload", "Connection to Global PRO data collector at %{hostip->} has%{p0}"); - -var part1643 = match("MESSAGE#1031:00538:07/1_0", "nwparser.p0", " been%{p0}"); - -var select370 = linear_select([ - part1643, - dup16, -]); - -var all344 = all_match({ - processors: [ - part1642, - select370, - dup136, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1044 = msg("00538:07", all344); - -var part1644 = match("MESSAGE#1032:00538:08", "nwparser.payload", "Cannot connect to Global PRO data collector at %{hostip}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1045 = msg("00538:08", part1644); - -var part1645 = match("MESSAGE#1033:00538:09", "nwparser.payload", "NSM: Connected to NSM server at %{hostip->} (%{info}) (%{fld1})", processor_chain([ - dup301, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("event_description","Connected to NSM server"), -])); - -var msg1046 = msg("00538:09", part1645); - -var part1646 = 
match("MESSAGE#1034:00538:10/0", "nwparser.payload", "NSM: Connection to NSM server at %{hostip->} is down. Reason: %{resultcode}, %{result->} (%{p0}"); - -var part1647 = match("MESSAGE#1034:00538:10/1_0", "nwparser.p0", "%{info}) (%{fld1})"); - -var select371 = linear_select([ - part1647, - dup41, -]); - -var all345 = all_match({ - processors: [ - part1646, - select371, - ], - on_success: processor_chain([ - dup198, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("event_description","Connection to NSM server is down"), - ]), -}); - -var msg1047 = msg("00538:10", all345); - -var part1648 = match("MESSAGE#1035:00538:11", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. Reason: %{resultcode}, %{result->} (%{info}) (%{fld2->} connect attempt(s)) (%{fld1})", processor_chain([ - dup198, - dup2, - dup3, - dup9, - dup4, - dup5, - dup323, -])); - -var msg1048 = msg("00538:11", part1648); - -var part1649 = match("MESSAGE#1036:00538:12", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. 
Reason: %{resultcode}, %{result->} (%{info}) (%{fld1})", processor_chain([ - dup198, - dup2, - dup3, - dup9, - dup4, - dup5, - dup323, -])); - -var msg1049 = msg("00538:12", part1649); - -var part1650 = match("MESSAGE#1037:00538:13", "nwparser.payload", "NSM: Sent 2B message (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("event_description","Sent 2B message"), -])); - -var msg1050 = msg("00538:13", part1650); - -var select372 = linear_select([ - msg1037, - msg1038, - msg1039, - msg1040, - msg1041, - msg1042, - msg1043, - msg1044, - msg1045, - msg1046, - msg1047, - msg1048, - msg1049, - msg1050, -]); - -var part1651 = match("MESSAGE#1038:00539", "nwparser.payload", "No IP address in L2TP IP pool for user %{username}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1051 = msg("00539", part1651); - -var part1652 = match("MESSAGE#1039:00539:01", "nwparser.payload", "No L2TP IP pool for user %{username}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1052 = msg("00539:01", part1652); - -var part1653 = match("MESSAGE#1040:00539:02", "nwparser.payload", "Cannot allocate IP addr from Pool %{group_object->} for user %{username}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1053 = msg("00539:02", part1653); - -var part1654 = match("MESSAGE#1041:00539:03", "nwparser.payload", "Dialup HDLC PPP failed to establish a session: %{fld2}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1054 = msg("00539:03", part1654); - -var part1655 = match("MESSAGE#1042:00539:04", "nwparser.payload", "Dialup HDLC PPP session has successfully established.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1055 = msg("00539:04", part1655); - -var part1656 = match("MESSAGE#1043:00539:05", "nwparser.payload", "No IP Pool has been assigned. 
You cannot allocate an IP address%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1056 = msg("00539:05", part1656); - -var part1657 = match("MESSAGE#1044:00539:06", "nwparser.payload", "PPP settings changed.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1057 = msg("00539:06", part1657); - -var select373 = linear_select([ - msg1051, - msg1052, - msg1053, - msg1054, - msg1055, - msg1056, - msg1057, -]); - -var part1658 = match("MESSAGE#1045:00541", "nwparser.payload", "ScreenOS %{fld2->} serial # %{serial_number}: Asset recovery has been %{disposition}", processor_chain([ - dup324, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1058 = msg("00541", part1658); - -var part1659 = match("MESSAGE#1216:00541:01", "nwparser.payload", "Neighbor router ID - %{fld2->} IP address - %{hostip->} changed its state to %{change_new}. (%{fld1})", processor_chain([ - dup273, - dup9, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1059 = msg("00541:01", part1659); - -var part1660 = match("MESSAGE#1218:00541:02", "nwparser.payload", "The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from %{change_old->} to %{change_new->} state, (neighbor router-id 1%{fld2}, ip-address %{hostip}). (%{fld1})", processor_chain([ - dup273, - dup9, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1060 = msg("00541:02", part1660); - -var part1661 = match("MESSAGE#1219:00541:03/0", "nwparser.payload", "LSA in following area aged out: LSA area ID %{fld3}, LSA ID %{fld4}, router ID %{fld2}, type %{fld7->} in OSPF. 
(%{fld1})%{p0}"); - -var part1662 = match("MESSAGE#1219:00541:03/1_0", "nwparser.p0", "\u003c\u003c%{fld16}>"); - -var select374 = linear_select([ - part1662, - dup21, -]); - -var all346 = all_match({ - processors: [ - part1661, - select374, - ], - on_success: processor_chain([ - dup44, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1061 = msg("00541:03", all346); - -var select375 = linear_select([ - msg1058, - msg1059, - msg1060, - msg1061, -]); - -var part1663 = match("MESSAGE#1046:00542", "nwparser.payload", "BGP of vr: %{node}, prefix adding: %{fld2}, ribin overflow %{fld3->} times (max rib-in %{fld4})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1062 = msg("00542", part1663); - -var part1664 = match("MESSAGE#1047:00543/0", "nwparser.payload", "Access for %{p0}"); - -var part1665 = match("MESSAGE#1047:00543/1_0", "nwparser.p0", "WebAuth firewall %{p0}"); - -var part1666 = match("MESSAGE#1047:00543/1_1", "nwparser.p0", "firewall %{p0}"); - -var select376 = linear_select([ - part1665, - part1666, -]); - -var part1667 = match("MESSAGE#1047:00543/2", "nwparser.p0", "user %{username->} %{space}at %{hostip->} (accepted at %{fld2->} for duration %{duration->} via the %{logon_type}) %{p0}"); - -var part1668 = match("MESSAGE#1047:00543/3_0", "nwparser.p0", "by policy id %{policy_id->} is %{p0}"); - -var select377 = linear_select([ - part1668, - dup106, -]); - -var part1669 = match("MESSAGE#1047:00543/4", "nwparser.p0", "now over (%{fld1})"); - -var all347 = all_match({ - processors: [ - part1664, - select376, - part1667, - select377, - part1669, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup9, - dup3, - ]), -}); - -var msg1063 = msg("00543", all347); - -var part1670 = match("MESSAGE#1048:00544", "nwparser.payload", "User %{username->} [ of group %{group->} ] at %{hostip->} has been challenged by the RADIUS server at %{daddr}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup60, - 
setc("action","RADIUS server challenge"), -])); - -var msg1064 = msg("00544", part1670); - -var part1671 = match("MESSAGE#1049:00546", "nwparser.payload", "delete-route-> trust-vr: %{fld2}", processor_chain([ - dup281, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1065 = msg("00546", part1671); - -var part1672 = match("MESSAGE#1050:00547", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned because max content size was exceeded.", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup3, - dup61, -])); - -var msg1066 = msg("00547", part1672); - -var part1673 = match("MESSAGE#1051:00547:01", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned due to a scan engine error or constraint.", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup3, - dup61, -])); - -var msg1067 = msg("00547:01", part1673); - -var part1674 = match("MESSAGE#1052:00547:02", "nwparser.payload", "AV object scan-mgr data has been %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1068 = msg("00547:02", part1674); - -var part1675 = match("MESSAGE#1053:00547:03/0", "nwparser.payload", "AV: Content from %{location_desc}, http url: %{url}, is passed %{p0}"); - -var part1676 = match("MESSAGE#1053:00547:03/1_0", "nwparser.p0", "due to %{p0}"); - -var part1677 = match("MESSAGE#1053:00547:03/1_1", "nwparser.p0", "because %{p0}"); - -var select378 = linear_select([ - part1676, - part1677, -]); - -var part1678 = match("MESSAGE#1053:00547:03/2", "nwparser.p0", "%{result}. 
(%{event_time_string})"); - -var all348 = all_match({ - processors: [ - part1675, - select378, - part1678, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Content is bypassed for connection"), - ]), -}); - -var msg1069 = msg("00547:03", all348); - -var select379 = linear_select([ - msg1066, - msg1067, - msg1068, - msg1069, -]); - -var part1679 = match("MESSAGE#1054:00549", "nwparser.payload", "add-route-> untrust-vr: %{fld2}", processor_chain([ - dup281, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1070 = msg("00549", part1679); - -var part1680 = match("MESSAGE#1055:00551", "nwparser.payload", "Error %{resultcode->} occurred during configlet file processing.", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1071 = msg("00551", part1680); - -var part1681 = match("MESSAGE#1056:00551:01", "nwparser.payload", "Error %{resultcode->} occurred, causing failure to establish secure management with Management System.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1072 = msg("00551:01", part1681); - -var part1682 = match("MESSAGE#1057:00551:02/0", "nwparser.payload", "Configlet file %{p0}"); - -var part1683 = match("MESSAGE#1057:00551:02/1_0", "nwparser.p0", "decryption %{p0}"); - -var select380 = linear_select([ - part1683, - dup89, -]); - -var all349 = all_match({ - processors: [ - part1682, - select380, - dup128, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1073 = msg("00551:02", all349); - -var part1684 = match("MESSAGE#1058:00551:03", "nwparser.payload", "Rapid Deployment cannot start because gateway has undergone configuration changes. (%{fld1})", processor_chain([ - dup18, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg1074 = msg("00551:03", part1684); - -var part1685 = match("MESSAGE#1059:00551:04", "nwparser.payload", "Secure management established successfully with remote server. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg1075 = msg("00551:04", part1685); - -var select381 = linear_select([ - msg1071, - msg1072, - msg1073, - msg1074, - msg1075, -]); - -var part1686 = match("MESSAGE#1060:00553/0", "nwparser.payload", "SCAN-MGR: Failed to get %{p0}"); - -var part1687 = match("MESSAGE#1060:00553/1_0", "nwparser.p0", "AltServer %{p0}"); - -var part1688 = match("MESSAGE#1060:00553/1_1", "nwparser.p0", "Version %{p0}"); - -var part1689 = match("MESSAGE#1060:00553/1_2", "nwparser.p0", "Path_GateLockCE %{p0}"); - -var select382 = linear_select([ - part1687, - part1688, - part1689, -]); - -var all350 = all_match({ - processors: [ - part1686, - select382, - dup325, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1076 = msg("00553", all350); - -var part1690 = match("MESSAGE#1061:00553:01", "nwparser.payload", "SCAN-MGR: Zero pattern size from server.ini.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1077 = msg("00553:01", part1690); - -var part1691 = match("MESSAGE#1062:00553:02", "nwparser.payload", "SCAN-MGR: Pattern size from server.ini is too large: %{bytes->} (bytes).", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1078 = msg("00553:02", part1691); - -var part1692 = match("MESSAGE#1063:00553:03", "nwparser.payload", "SCAN-MGR: Pattern URL from server.ini is too long: %{fld2}; max is %{fld3}.", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1079 = msg("00553:03", part1692); - -var part1693 = match("MESSAGE#1064:00553:04/0", "nwparser.payload", "SCAN-MGR: Failed to retrieve %{p0}"); - -var select383 = linear_select([ - dup326, - dup327, -]); - -var part1694 = match("MESSAGE#1064:00553:04/2", "nwparser.p0", "file: %{fld2}; http status code: %{resultcode}."); - -var all351 = all_match({ - processors: [ - part1693, - select383, - part1694, - ], - on_success: 
processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1080 = msg("00553:04", all351); - -var part1695 = match("MESSAGE#1065:00553:05", "nwparser.payload", "SCAN-MGR: Failed to write pattern into a RAM file.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1081 = msg("00553:05", part1695); - -var part1696 = match("MESSAGE#1066:00553:06", "nwparser.payload", "SCAN-MGR: Check Pattern File failed: code from VSAPI: %{resultcode}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1082 = msg("00553:06", part1696); - -var part1697 = match("MESSAGE#1067:00553:07", "nwparser.payload", "SCAN-MGR: Failed to write pattern into flash.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1083 = msg("00553:07", part1697); - -var part1698 = match("MESSAGE#1068:00553:08/0", "nwparser.payload", "SCAN-MGR: Internal error while setting up for retrieving %{p0}"); - -var select384 = linear_select([ - dup327, - dup326, -]); - -var all352 = all_match({ - processors: [ - part1698, - select384, - dup328, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1084 = msg("00553:08", all352); - -var part1699 = match("MESSAGE#1069:00553:09", "nwparser.payload", "SCAN-MGR: %{fld2->} %{disposition}: Err: %{resultcode}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1085 = msg("00553:09", part1699); - -var part1700 = match("MESSAGE#1070:00553:10", "nwparser.payload", "SCAN-MGR: TMIntCPVSInit %{disposition->} due to %{result}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1086 = msg("00553:10", part1700); - -var part1701 = match("MESSAGE#1071:00553:11", "nwparser.payload", "SCAN-MGR: Attempted Pattern Creation Date(%{fld2}) is after AV Key Expiration date(%{fld3}).", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1087 = msg("00553:11", part1701); - -var part1702 
= match("MESSAGE#1072:00553:12", "nwparser.payload", "SCAN-MGR: TMIntSetDecompressLayer %{disposition}: Layer: %{fld2}, Err: %{resultcode}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1088 = msg("00553:12", part1702); - -var part1703 = match("MESSAGE#1073:00553:13", "nwparser.payload", "SCAN-MGR: TMIntSetExtractFileSizeLimit %{disposition}: Limit: %{fld2}, Err: %{resultcode}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1089 = msg("00553:13", part1703); - -var part1704 = match("MESSAGE#1074:00553:14", "nwparser.payload", "SCAN-MGR: TMIntScanFile %{disposition}: ret: %{fld2}; cpapiErrCode: %{resultcode}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1090 = msg("00553:14", part1704); - -var part1705 = match("MESSAGE#1075:00553:15", "nwparser.payload", "SCAN-MGR: VSAPI resource usage error. Left usage: %{fld2}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1091 = msg("00553:15", part1705); - -var part1706 = match("MESSAGE#1076:00553:16", "nwparser.payload", "SCAN-MGR: Set decompress layer to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1092 = msg("00553:16", part1706); - -var part1707 = match("MESSAGE#1077:00553:17", "nwparser.payload", "SCAN-MGR: Set maximum content size to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1093 = msg("00553:17", part1707); - -var part1708 = match("MESSAGE#1078:00553:18", "nwparser.payload", "SCAN-MGR: Set maximum number of concurrent messages to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1094 = msg("00553:18", part1708); - -var part1709 = match("MESSAGE#1079:00553:19", "nwparser.payload", "SCAN-MGR: Set drop if maximum number of concurrent messages exceeds max to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1095 = msg("00553:19", part1709); - -var 
part1710 = match("MESSAGE#1080:00553:20", "nwparser.payload", "SCAN-MGR: Set Pattern URL to %{fld2}; update interval is %{fld3}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1096 = msg("00553:20", part1710); - -var part1711 = match("MESSAGE#1081:00553:21", "nwparser.payload", "SCAN-MGR: Unset Pattern URL; Pattern will not be updated automatically.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1097 = msg("00553:21", part1711); - -var part1712 = match("MESSAGE#1082:00553:22", "nwparser.payload", "SCAN-MGR: New pattern updated: version: %{version}, size: %{bytes->} (bytes).", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1098 = msg("00553:22", part1712); - -var select385 = linear_select([ - msg1076, - msg1077, - msg1078, - msg1079, - msg1080, - msg1081, - msg1082, - msg1083, - msg1084, - msg1085, - msg1086, - msg1087, - msg1088, - msg1089, - msg1090, - msg1091, - msg1092, - msg1093, - msg1094, - msg1095, - msg1096, - msg1097, - msg1098, -]); - -var part1713 = match("MESSAGE#1083:00554/0", "nwparser.payload", "SCAN-MGR: Cannot get %{p0}"); - -var part1714 = match("MESSAGE#1083:00554/1_0", "nwparser.p0", "AltServer info %{p0}"); - -var part1715 = match("MESSAGE#1083:00554/1_1", "nwparser.p0", "Version number %{p0}"); - -var part1716 = match("MESSAGE#1083:00554/1_2", "nwparser.p0", "Path_GateLockCE info %{p0}"); - -var select386 = linear_select([ - part1714, - part1715, - part1716, -]); - -var all353 = all_match({ - processors: [ - part1713, - select386, - dup325, - ], - on_success: processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1099 = msg("00554", all353); - -var part1717 = match("MESSAGE#1084:00554:01", "nwparser.payload", "SCAN-MGR: Per server.ini file, the AV pattern file size is zero.%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1100 = msg("00554:01", part1717); - -var part1718 = 
match("MESSAGE#1085:00554:02", "nwparser.payload", "SCAN-MGR: AV pattern file size is too large (%{bytes->} bytes).", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1101 = msg("00554:02", part1718); - -var part1719 = match("MESSAGE#1086:00554:03", "nwparser.payload", "SCAN-MGR: Alternate AV pattern file server URL is too long: %{bytes->} bytes. Max: %{fld2->} bytes.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1102 = msg("00554:03", part1719); - -var part1720 = match("MESSAGE#1087:00554:04/0", "nwparser.payload", "SCAN-MGR: Cannot retrieve %{p0}"); - -var part1721 = match("MESSAGE#1087:00554:04/2", "nwparser.p0", "file from %{hostip}:%{network_port}. HTTP status code: %{fld2}."); - -var all354 = all_match({ - processors: [ - part1720, - dup405, - part1721, - ], - on_success: processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1103 = msg("00554:04", all354); - -var part1722 = match("MESSAGE#1088:00554:05/0", "nwparser.payload", "SCAN-MGR: Cannot write AV pattern file to %{p0}"); - -var part1723 = match("MESSAGE#1088:00554:05/1_0", "nwparser.p0", "RAM %{p0}"); - -var part1724 = match("MESSAGE#1088:00554:05/1_1", "nwparser.p0", "flash %{p0}"); - -var select387 = linear_select([ - part1723, - part1724, -]); - -var all355 = all_match({ - processors: [ - part1722, - select387, - dup116, - ], - on_success: processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1104 = msg("00554:05", all355); - -var part1725 = match("MESSAGE#1089:00554:06", "nwparser.payload", "SCAN-MGR: Cannot check AV pattern file. 
VSAPI code: %{fld2}", processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1105 = msg("00554:06", part1725); - -var part1726 = match("MESSAGE#1090:00554:07/0", "nwparser.payload", "SCAN-MGR: Internal error occurred while retrieving %{p0}"); - -var all356 = all_match({ - processors: [ - part1726, - dup405, - dup328, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1106 = msg("00554:07", all356); - -var part1727 = match("MESSAGE#1091:00554:08/0", "nwparser.payload", "SCAN-MGR: Internal error occurred when calling this function: %{fld2}. %{fld3->} %{p0}"); - -var part1728 = match("MESSAGE#1091:00554:08/1_0", "nwparser.p0", "Error: %{resultcode->} %{p0}"); - -var part1729 = match("MESSAGE#1091:00554:08/1_1", "nwparser.p0", "Returned a NULL VSC handler %{p0}"); - -var part1730 = match("MESSAGE#1091:00554:08/1_2", "nwparser.p0", "cpapiErrCode: %{resultcode->} %{p0}"); - -var select388 = linear_select([ - part1728, - part1729, - part1730, -]); - -var all357 = all_match({ - processors: [ - part1727, - select388, - dup116, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1107 = msg("00554:08", all357); - -var part1731 = match("MESSAGE#1092:00554:09", "nwparser.payload", "SCAN-MGR: Number of decompression layers has been set to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1108 = msg("00554:09", part1731); - -var part1732 = match("MESSAGE#1093:00554:10", "nwparser.payload", "SCAN-MGR: Maximum content size has been set to %{fld2->} KB.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1109 = msg("00554:10", part1732); - -var part1733 = match("MESSAGE#1094:00554:11", "nwparser.payload", "SCAN-MGR: Maximum number of concurrent messages has been set to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1110 = msg("00554:11", part1733); - -var part1734 = 
match("MESSAGE#1095:00554:12/0", "nwparser.payload", "SCAN-MGR: Fail mode has been set to %{p0}"); - -var part1735 = match("MESSAGE#1095:00554:12/1_0", "nwparser.p0", "drop %{p0}"); - -var part1736 = match("MESSAGE#1095:00554:12/1_1", "nwparser.p0", "pass %{p0}"); - -var select389 = linear_select([ - part1735, - part1736, -]); - -var part1737 = match("MESSAGE#1095:00554:12/2", "nwparser.p0", "unexamined traffic if %{p0}"); - -var part1738 = match("MESSAGE#1095:00554:12/3_0", "nwparser.p0", "content size %{p0}"); - -var part1739 = match("MESSAGE#1095:00554:12/3_1", "nwparser.p0", "number of concurrent messages %{p0}"); - -var select390 = linear_select([ - part1738, - part1739, -]); - -var part1740 = match("MESSAGE#1095:00554:12/4", "nwparser.p0", "exceeds max.%{}"); - -var all358 = all_match({ - processors: [ - part1734, - select389, - part1737, - select390, - part1740, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1111 = msg("00554:12", all358); - -var part1741 = match("MESSAGE#1096:00554:13", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been set to %{fld2}, and the update interval to %{fld3->} minutes.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1112 = msg("00554:13", part1741); - -var part1742 = match("MESSAGE#1097:00554:14", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been unset, and the update interval returned to its default.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1113 = msg("00554:14", part1742); - -var part1743 = match("MESSAGE#1098:00554:15", "nwparser.payload", "SCAN-MGR: New AV pattern file has been updated. Version: %{version}; size: %{bytes->} bytes.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1114 = msg("00554:15", part1743); - -var part1744 = match("MESSAGE#1099:00554:16", "nwparser.payload", "SCAN-MGR: AV client has exceeded its resource allotment. 
Remaining available resources: %{fld2}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1115 = msg("00554:16", part1744); - -var part1745 = match("MESSAGE#1100:00554:17", "nwparser.payload", "SCAN-MGR: Attempted to load AV pattern file created %{fld2->} after the AV subscription expired. (Exp: %{fld3})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1116 = msg("00554:17", part1745); - -var select391 = linear_select([ - msg1099, - msg1100, - msg1101, - msg1102, - msg1103, - msg1104, - msg1105, - msg1106, - msg1107, - msg1108, - msg1109, - msg1110, - msg1111, - msg1112, - msg1113, - msg1114, - msg1115, - msg1116, -]); - -var part1746 = match("MESSAGE#1101:00555", "nwparser.payload", "Vrouter %{node->} PIMSM cannot process non-multicast address %{hostip}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1117 = msg("00555", part1746); - -var part1747 = match("MESSAGE#1102:00556", "nwparser.payload", "UF-MGR: Failed to process a request. Reason: %{result}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1118 = msg("00556", part1747); - -var part1748 = match("MESSAGE#1103:00556:01", "nwparser.payload", "UF-MGR: Failed to abort a transaction. 
Reason: %{result}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1119 = msg("00556:01", part1748); - -var part1749 = match("MESSAGE#1104:00556:02/0", "nwparser.payload", "UF-MGR: UF %{p0}"); - -var part1750 = match("MESSAGE#1104:00556:02/1_0", "nwparser.p0", "K%{p0}"); - -var part1751 = match("MESSAGE#1104:00556:02/1_1", "nwparser.p0", "k%{p0}"); - -var select392 = linear_select([ - part1750, - part1751, -]); - -var part1752 = match("MESSAGE#1104:00556:02/2", "nwparser.p0", "ey %{p0}"); - -var part1753 = match("MESSAGE#1104:00556:02/3_0", "nwparser.p0", "Expired%{p0}"); - -var part1754 = match("MESSAGE#1104:00556:02/3_1", "nwparser.p0", "expired%{p0}"); - -var select393 = linear_select([ - part1753, - part1754, -]); - -var part1755 = match("MESSAGE#1104:00556:02/4", "nwparser.p0", "%{}(expiration date: %{fld2}; current date: %{fld3})."); - -var all359 = all_match({ - processors: [ - part1749, - select392, - part1752, - select393, - part1755, - ], - on_success: processor_chain([ - dup254, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1120 = msg("00556:02", all359); - -var part1756 = match("MESSAGE#1105:00556:03/0", "nwparser.payload", "UF-MGR: Failed to %{p0}"); - -var part1757 = match("MESSAGE#1105:00556:03/1_0", "nwparser.p0", "enable %{p0}"); - -var part1758 = match("MESSAGE#1105:00556:03/1_1", "nwparser.p0", "disable %{p0}"); - -var select394 = linear_select([ - part1757, - part1758, -]); - -var part1759 = match("MESSAGE#1105:00556:03/2", "nwparser.p0", "cache.%{}"); - -var all360 = all_match({ - processors: [ - part1756, - select394, - part1759, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1121 = msg("00556:03", all360); - -var part1760 = match("MESSAGE#1106:00556:04", "nwparser.payload", "UF-MGR: Internal Error: %{resultcode}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1122 = msg("00556:04", part1760); - -var part1761 = 
match("MESSAGE#1107:00556:05", "nwparser.payload", "UF-MGR: Cache size changed to %{fld2}(K).", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1123 = msg("00556:05", part1761); - -var part1762 = match("MESSAGE#1108:00556:06", "nwparser.payload", "UF-MGR: Cache timeout changes to %{fld2->} (hours).", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1124 = msg("00556:06", part1762); - -var part1763 = match("MESSAGE#1109:00556:07", "nwparser.payload", "UF-MGR: Category update interval changed to %{fld2->} (weeks).", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1125 = msg("00556:07", part1763); - -var part1764 = match("MESSAGE#1110:00556:08/0", "nwparser.payload", "UF-MGR: Cache %{p0}"); - -var all361 = all_match({ - processors: [ - part1764, - dup358, - dup116, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1126 = msg("00556:08", all361); - -var part1765 = match("MESSAGE#1111:00556:09", "nwparser.payload", "UF-MGR: URL BLOCKED: ip_addr (%{fld2}) -> ip_addr (%{fld3}), %{fld4->} action: %{disposition}, category: %{fld5}, reason %{result}", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup5, - dup282, -])); - -var msg1127 = msg("00556:09", part1765); - -var part1766 = match("MESSAGE#1112:00556:10", "nwparser.payload", "UF-MGR: URL FILTER ERR: ip_addr (%{fld2}) -> ip_addr (%{fld3}), host: %{fld5->} page: %{fld4->} code: %{resultcode->} reason: %{result}.", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1128 = msg("00556:10", part1766); - -var part1767 = match("MESSAGE#1113:00556:11", "nwparser.payload", "UF-MGR: Primary CPA server changed to %{fld2}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1129 = msg("00556:11", part1767); - -var part1768 = match("MESSAGE#1114:00556:12/0", "nwparser.payload", "UF-MGR: %{fld2->} CPA server %{p0}"); - -var select395 = linear_select([ - 
dup140, - dup169, -]); - -var part1769 = match("MESSAGE#1114:00556:12/2", "nwparser.p0", "changed to %{fld3}."); - -var all362 = all_match({ - processors: [ - part1768, - select395, - part1769, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1130 = msg("00556:12", all362); - -var part1770 = match("MESSAGE#1115:00556:13", "nwparser.payload", "UF-MGR: SurfControl URL filtering %{disposition}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1131 = msg("00556:13", part1770); - -var part1771 = match("MESSAGE#1116:00556:14/0", "nwparser.payload", "UF-MGR: The url %{url->} was %{p0}"); - -var part1772 = match("MESSAGE#1116:00556:14/2", "nwparser.p0", "category %{fld2}."); - -var all363 = all_match({ - processors: [ - part1771, - dup406, - part1772, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1132 = msg("00556:14", all363); - -var part1773 = match("MESSAGE#1117:00556:15/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was %{p0}"); - -var part1774 = match("MESSAGE#1117:00556:15/2", "nwparser.p0", "profile %{fld3->} with action %{disposition}."); - -var all364 = all_match({ - processors: [ - part1773, - dup406, - part1774, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - dup282, - ]), -}); - -var msg1133 = msg("00556:15", all364); - -var part1775 = match("MESSAGE#1118:00556:16/0", "nwparser.payload", "UF-MGR: The %{p0}"); - -var part1776 = match("MESSAGE#1118:00556:16/1_0", "nwparser.p0", "profile %{p0}"); - -var part1777 = match("MESSAGE#1118:00556:16/1_1", "nwparser.p0", "category %{p0}"); - -var select396 = linear_select([ - part1776, - part1777, -]); - -var part1778 = match("MESSAGE#1118:00556:16/2", "nwparser.p0", "%{fld2->} was %{p0}"); - -var select397 = linear_select([ - dup104, - dup120, -]); - -var all365 = all_match({ - processors: [ - part1775, - select396, - part1778, - select397, - dup116, - 
], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1134 = msg("00556:16", all365); - -var part1779 = match("MESSAGE#1119:00556:17/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was set in profile %{profile->} as the %{p0}"); - -var part1780 = match("MESSAGE#1119:00556:17/1_0", "nwparser.p0", "black %{p0}"); - -var part1781 = match("MESSAGE#1119:00556:17/1_1", "nwparser.p0", "white %{p0}"); - -var select398 = linear_select([ - part1780, - part1781, -]); - -var part1782 = match("MESSAGE#1119:00556:17/2", "nwparser.p0", "list.%{}"); - -var all366 = all_match({ - processors: [ - part1779, - select398, - part1782, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1135 = msg("00556:17", all366); - -var part1783 = match("MESSAGE#1120:00556:18/0", "nwparser.payload", "UF-MGR: The action for %{fld2->} in profile %{profile->} was %{p0}"); - -var part1784 = match("MESSAGE#1120:00556:18/1_1", "nwparser.p0", "changed %{p0}"); - -var select399 = linear_select([ - dup101, - part1784, -]); - -var part1785 = match("MESSAGE#1120:00556:18/2", "nwparser.p0", "to %{fld3}."); - -var all367 = all_match({ - processors: [ - part1783, - select399, - part1785, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1136 = msg("00556:18", all367); - -var part1786 = match("MESSAGE#1121:00556:20/0", "nwparser.payload", "UF-MGR: The category list from the CPA server %{p0}"); - -var part1787 = match("MESSAGE#1121:00556:20/2", "nwparser.p0", "updated on%{p0}"); - -var select400 = linear_select([ - dup103, - dup96, -]); - -var part1788 = match("MESSAGE#1121:00556:20/4", "nwparser.p0", "the device.%{}"); - -var all368 = all_match({ - processors: [ - part1786, - dup355, - part1787, - select400, - part1788, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1137 = msg("00556:20", all368); - -var part1789 = 
match("MESSAGE#1122:00556:21", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} action: %{disposition}, category: %{category}, reason: %{result->} (%{fld1})", processor_chain([ - dup232, - dup2, - dup3, - dup9, - dup4, - dup5, - dup282, -])); - -var msg1138 = msg("00556:21", part1789); - -var part1790 = match("MESSAGE#1123:00556:22", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} (%{fld1})", processor_chain([ - dup232, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg1139 = msg("00556:22", part1790); - -var select401 = linear_select([ - msg1118, - msg1119, - msg1120, - msg1121, - msg1122, - msg1123, - msg1124, - msg1125, - msg1126, - msg1127, - msg1128, - msg1129, - msg1130, - msg1131, - msg1132, - msg1133, - msg1134, - msg1135, - msg1136, - msg1137, - msg1138, - msg1139, -]); - -var part1791 = match("MESSAGE#1124:00572", "nwparser.payload", "PPP LCP on interface %{interface->} is %{fld2}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg1140 = msg("00572", part1791); - -var part1792 = match("MESSAGE#1125:00572:01", "nwparser.payload", "PPP authentication state on interface %{interface}: %{result}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg1141 = msg("00572:01", part1792); - -var part1793 = match("MESSAGE#1126:00572:03", "nwparser.payload", "PPP on interface %{interface->} is %{disposition->} by receiving Terminate-Request. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg1142 = msg("00572:03", part1793); - -var select402 = linear_select([ - msg1140, - msg1141, - msg1142, -]); - -var part1794 = match("MESSAGE#1127:00615", "nwparser.payload", "PBR policy \"%{policyname}\" rebuilding lookup tree for virtual router \"%{node}\". 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, -])); - -var msg1143 = msg("00615", part1794); - -var part1795 = match("MESSAGE#1128:00615:01", "nwparser.payload", "PBR policy \"%{policyname}\" lookup tree rebuilt successfully in virtual router \"%{node}\". (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, -])); - -var msg1144 = msg("00615:01", part1795); - -var select403 = linear_select([ - msg1143, - msg1144, -]); - -var part1796 = match("MESSAGE#1129:00601", "nwparser.payload", "%{signame->} attack! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}, through policy %{policyname}. Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup9, - dup4, - dup5, - dup61, -])); - -var msg1145 = msg("00601", part1796); - -var part1797 = match("MESSAGE#1130:00601:01", "nwparser.payload", "%{signame->} has been detected from %{saddr}/%{sport->} to %{daddr}/%{dport->} through policy %{policyname->} %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup9, - dup4, - dup5, - dup61, -])); - -var msg1146 = msg("00601:01", part1797); - -var part1798 = match("MESSAGE#1131:00601:18", "nwparser.payload", "Error in initializing multicast.%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1147 = msg("00601:18", part1798); - -var select404 = linear_select([ - msg1145, - msg1146, - msg1147, -]); - -var part1799 = match("MESSAGE#1132:00602", "nwparser.payload", "PIMSM Error in initializing interface state change%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1148 = msg("00602", part1799); - -var part1800 = match("MESSAGE#1133:00612/0", "nwparser.payload", "Switch event: the status of ethernet port %{fld2->} changed to link %{p0}"); - -var part1801 = match("MESSAGE#1133:00612/2", "nwparser.p0", ", duplex %{p0}"); - -var part1802 = match("MESSAGE#1133:00612/3_0", "nwparser.p0", "full %{p0}"); - -var part1803 = match("MESSAGE#1133:00612/3_1", "nwparser.p0", "half %{p0}"); - -var select405 = linear_select([ - part1802, - part1803, -]); - -var part1804 = match("MESSAGE#1133:00612/4", "nwparser.p0", ", speed 10%{p0}"); - -var part1805 = match("MESSAGE#1133:00612/5_0", "nwparser.p0", "0 %{p0}"); - -var select406 = linear_select([ - part1805, - dup96, -]); - -var part1806 = match("MESSAGE#1133:00612/6", "nwparser.p0", "M. (%{fld1})"); - -var all369 = all_match({ - processors: [ - part1800, - dup353, - part1801, - select405, - part1804, - select406, - part1806, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg1149 = msg("00612", all369); - -var part1807 = match("MESSAGE#1134:00620", "nwparser.payload", "RTSYNC: Event posted to send all the DRP routes to backup device. 
(%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg1150 = msg("00620", part1807); - -var part1808 = match("MESSAGE#1135:00620:01/0", "nwparser.payload", "RTSYNC: %{p0}"); - -var part1809 = match("MESSAGE#1135:00620:01/1_0", "nwparser.p0", "Serviced%{p0}"); - -var part1810 = match("MESSAGE#1135:00620:01/1_1", "nwparser.p0", "Recieved%{p0}"); - -var select407 = linear_select([ - part1809, - part1810, -]); - -var part1811 = match("MESSAGE#1135:00620:01/2", "nwparser.p0", "%{}coldstart request for route synchronization from NSRP peer. (%{fld1})"); - -var all370 = all_match({ - processors: [ - part1808, - select407, - part1811, - ], - on_success: processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg1151 = msg("00620:01", all370); - -var part1812 = match("MESSAGE#1136:00620:02", "nwparser.payload", "RTSYNC: Started timer to purge all the DRP backup routes - %{fld2->} (%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg1152 = msg("00620:02", part1812); - -var part1813 = match("MESSAGE#1137:00620:03", "nwparser.payload", "RTSYNC: Event posted to purge backup routes in all vrouters. (%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg1153 = msg("00620:03", part1813); - -var part1814 = match("MESSAGE#1138:00620:04", "nwparser.payload", "RTSYNC: Timer to purge the DRP backup routes is stopped. (%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg1154 = msg("00620:04", part1814); - -var select408 = linear_select([ - msg1150, - msg1151, - msg1152, - msg1153, - msg1154, -]); - -var part1815 = match("MESSAGE#1139:00622", "nwparser.payload", "NHRP : NHRP instance in virtual router %{node->} is created. 
(%{fld1})", processor_chain([ - dup273, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg1155 = msg("00622", part1815); - -var part1816 = match("MESSAGE#1140:00625/0", "nwparser.payload", "Session (id %{sessionid->} src-ip %{saddr->} dst-ip %{daddr->} dst port %{dport}) route is %{p0}"); - -var part1817 = match("MESSAGE#1140:00625/1_0", "nwparser.p0", "invalid%{p0}"); - -var part1818 = match("MESSAGE#1140:00625/1_1", "nwparser.p0", "valid%{p0}"); - -var select409 = linear_select([ - part1817, - part1818, -]); - -var all371 = all_match({ - processors: [ - part1816, - select409, - dup49, - ], - on_success: processor_chain([ - dup273, - dup2, - dup4, - dup5, - dup9, - ]), -}); - -var msg1156 = msg("00625", all371); - -var part1819 = match("MESSAGE#1141:00628/0", "nwparser.payload", "audit log queue %{p0}"); - -var part1820 = match("MESSAGE#1141:00628/1_0", "nwparser.p0", "Traffic Log %{p0}"); - -var part1821 = match("MESSAGE#1141:00628/1_1", "nwparser.p0", "Event Alarm Log %{p0}"); - -var part1822 = match("MESSAGE#1141:00628/1_2", "nwparser.p0", "Event Log %{p0}"); - -var select410 = linear_select([ - part1820, - part1821, - part1822, -]); - -var part1823 = match("MESSAGE#1141:00628/2", "nwparser.p0", "is overwritten (%{fld1})"); - -var all372 = all_match({ - processors: [ - part1819, - select410, - part1823, - ], - on_success: processor_chain([ - dup223, - dup2, - dup4, - dup5, - dup9, - ]), -}); - -var msg1157 = msg("00628", all372); - -var part1824 = match("MESSAGE#1142:00767:50", "nwparser.payload", "Log setting was modified to %{disposition->} %{fld2->} level by admin %{administrator->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - dup282, -])); - -var msg1158 = msg("00767:50", part1824); - -var part1825 = match("MESSAGE#1143:00767:51", "nwparser.payload", "Attack CS:Man in Middle is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ - 
dup58, - dup2, - dup4, - dup5, - dup9, -])); - -var msg1159 = msg("00767:51", part1825); - -var part1826 = match("MESSAGE#1144:00767:52", "nwparser.payload", "Attack group %{group->} is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup9, -])); - -var msg1160 = msg("00767:52", part1826); - -var part1827 = match("MESSAGE#1145:00767:53", "nwparser.payload", "Attack CS:Man in Middle is added to attack group %{group->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup9, -])); - -var msg1161 = msg("00767:53", part1827); - -var part1828 = match("MESSAGE#1146:00767", "nwparser.payload", "Cannot contact the SecurID server%{}", processor_chain([ - dup27, - setc("ec_theme","Communication"), - dup39, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1162 = msg("00767", part1828); - -var part1829 = match("MESSAGE#1147:00767:01/0", "nwparser.payload", "System auto-config of file %{fld2->} from TFTP server %{hostip->} has %{p0}"); - -var part1830 = match("MESSAGE#1147:00767:01/1_0", "nwparser.p0", "been loaded successfully%{}"); - -var part1831 = match("MESSAGE#1147:00767:01/1_1", "nwparser.p0", "failed%{}"); - -var select411 = linear_select([ - part1830, - part1831, -]); - -var all373 = all_match({ - processors: [ - part1829, - select411, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1163 = msg("00767:01", all373); - -var part1832 = match("MESSAGE#1148:00767:02", "nwparser.payload", "netscreen: System Config saved from host %{saddr}", processor_chain([ - setc("eventcategory","1702000000"), - dup2, - dup3, - dup4, - dup5, -])); - -var msg1164 = msg("00767:02", part1832); - -var part1833 = match("MESSAGE#1149:00767:03", "nwparser.payload", "System Config saved to filename 
%(unknown)", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1165 = msg("00767:03", part1833); - -var part1834 = match("MESSAGE#1150:00767:04", "nwparser.payload", "System is operational.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1166 = msg("00767:04", part1834); - -var part1835 = match("MESSAGE#1151:00767:05", "nwparser.payload", "The device cannot contact the SecurID server%{}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1167 = msg("00767:05", part1835); - -var part1836 = match("MESSAGE#1152:00767:06", "nwparser.payload", "The device cannot send data to the SecurID server%{}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1168 = msg("00767:06", part1836); - -var part1837 = match("MESSAGE#1153:00767:07", "nwparser.payload", "The system configuration was saved from peer unit by admin%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1169 = msg("00767:07", part1837); - -var part1838 = match("MESSAGE#1154:00767:08/0", "nwparser.payload", "The system configuration was saved by admin %{p0}"); - -var all374 = all_match({ - processors: [ - part1838, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg1170 = msg("00767:08", all374); - -var part1839 = match("MESSAGE#1155:00767:09/0", "nwparser.payload", "traffic shaping is turned O%{p0}"); - -var part1840 = match("MESSAGE#1155:00767:09/1_0", "nwparser.p0", "N%{}"); - -var part1841 = match("MESSAGE#1155:00767:09/1_1", "nwparser.p0", "FF%{}"); - -var select412 = linear_select([ - part1840, - part1841, -]); - -var all375 = all_match({ - processors: [ - part1839, - select412, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1171 = msg("00767:09", all375); - -var part1842 = match("MESSAGE#1156:00767:10/0", "nwparser.payload", "The system configuration was saved 
from host %{saddr->} by admin %{p0}"); - -var all376 = all_match({ - processors: [ - part1842, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg1172 = msg("00767:10", all376); - -var part1843 = match("MESSAGE#1157:00767:11/0", "nwparser.payload", "Fatal error. The NetScreen device was unable to upgrade the %{p0}"); - -var part1844 = match("MESSAGE#1157:00767:11/1_1", "nwparser.p0", "file system %{p0}"); - -var select413 = linear_select([ - dup331, - part1844, -]); - -var part1845 = match("MESSAGE#1157:00767:11/2", "nwparser.p0", ", and the %{p0}"); - -var part1846 = match("MESSAGE#1157:00767:11/3_1", "nwparser.p0", "old file system %{p0}"); - -var select414 = linear_select([ - dup331, - part1846, -]); - -var part1847 = match("MESSAGE#1157:00767:11/4", "nwparser.p0", "is damaged.%{}"); - -var all377 = all_match({ - processors: [ - part1843, - select413, - part1845, - select414, - part1847, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1173 = msg("00767:11", all377); - -var part1848 = match("MESSAGE#1158:00767:12", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg1174 = msg("00767:12", part1848); - -var part1849 = match("MESSAGE#1159:00767:13/0", "nwparser.payload", "%{fld2}Environment variable %{fld3->} is changed to %{fld4->} by admin %{p0}"); - -var all378 = all_match({ - processors: [ - part1849, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg1175 = msg("00767:13", all378); - -var part1850 = match("MESSAGE#1160:00767:14/0", "nwparser.payload", "System was %{p0}"); - -var part1851 = match("MESSAGE#1160:00767:14/1_0", "nwparser.p0", "reset %{p0}"); - -var select415 = linear_select([ - part1851, - 
dup262, -]); - -var part1852 = match("MESSAGE#1160:00767:14/2", "nwparser.p0", "at %{fld2->} by %{p0}"); - -var part1853 = match("MESSAGE#1160:00767:14/3_0", "nwparser.p0", "admin %{administrator}"); - -var part1854 = match_copy("MESSAGE#1160:00767:14/3_1", "nwparser.p0", "username"); - -var select416 = linear_select([ - part1853, - part1854, -]); - -var all379 = all_match({ - processors: [ - part1850, - select415, - part1852, - select416, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1176 = msg("00767:14", all379); - -var part1855 = match("MESSAGE#1161:00767:15/1_0", "nwparser.p0", "System %{p0}"); - -var part1856 = match("MESSAGE#1161:00767:15/1_1", "nwparser.p0", "Event %{p0}"); - -var part1857 = match("MESSAGE#1161:00767:15/1_2", "nwparser.p0", "Traffic %{p0}"); - -var select417 = linear_select([ - part1855, - part1856, - part1857, -]); - -var part1858 = match("MESSAGE#1161:00767:15/2", "nwparser.p0", "log was reviewed by %{p0}"); - -var part1859 = match("MESSAGE#1161:00767:15/4", "nwparser.p0", "%{} %{username}."); - -var all380 = all_match({ - processors: [ - dup183, - select417, - part1858, - dup336, - part1859, - ], - on_success: processor_chain([ - dup223, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1177 = msg("00767:15", all380); - -var part1860 = match("MESSAGE#1162:00767:16", "nwparser.payload", "%{fld2->} Admin %{administrator->} issued command %{info->} to redirect output.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1178 = msg("00767:16", part1860); - -var part1861 = match("MESSAGE#1163:00767:17/0", "nwparser.payload", "%{fld2->} Save new software from %{fld3->} to flash by admin %{p0}"); - -var all381 = all_match({ - processors: [ - part1861, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg1179 = msg("00767:17", all381); - -var part1862 = match("MESSAGE#1164:00767:18", "nwparser.payload", 
"Attack database version %{version->} has been %{fld2->} saved to flash.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1180 = msg("00767:18", part1862); - -var part1863 = match("MESSAGE#1165:00767:19", "nwparser.payload", "Attack database version %{version->} was rejected because the authentication check failed.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1181 = msg("00767:19", part1863); - -var part1864 = match("MESSAGE#1166:00767:20", "nwparser.payload", "The dictionary file version of the RADIUS server %{hostname->} does not match %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1182 = msg("00767:20", part1864); - -var part1865 = match("MESSAGE#1167:00767:21", "nwparser.payload", "Session (%{fld2->} %{fld3}, %{fld4}) cleared %{fld5}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1183 = msg("00767:21", part1865); - -var part1866 = match("MESSAGE#1168:00767:22/0", "nwparser.payload", "The system configuration was not saved %{p0}"); - -var part1867 = match("MESSAGE#1168:00767:22/1_0", "nwparser.p0", "%{fld2->} by admin %{administrator->} via NSRP Peer %{p0}"); - -var part1868 = match("MESSAGE#1168:00767:22/1_1", "nwparser.p0", "%{fld2->} %{p0}"); - -var select418 = linear_select([ - part1867, - part1868, -]); - -var part1869 = match("MESSAGE#1168:00767:22/2", "nwparser.p0", "by administrator %{fld3}. 
%{p0}"); - -var part1870 = match("MESSAGE#1168:00767:22/3_0", "nwparser.p0", "It was locked %{p0}"); - -var part1871 = match("MESSAGE#1168:00767:22/3_1", "nwparser.p0", "Locked %{p0}"); - -var select419 = linear_select([ - part1870, - part1871, -]); - -var part1872 = match("MESSAGE#1168:00767:22/4", "nwparser.p0", "by administrator %{fld4->} %{p0}"); - -var all382 = all_match({ - processors: [ - part1866, - select418, - part1869, - select419, - part1872, - dup354, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg1184 = msg("00767:22", all382); - -var part1873 = match("MESSAGE#1169:00767:23", "nwparser.payload", "Save new software from slot filename %{filename->} to flash memory by administrator %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var msg1185 = msg("00767:23", part1873); - -var part1874 = match("MESSAGE#1170:00767:25/0", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from %{p0}"); - -var select420 = linear_select([ - dup169, - dup16, -]); - -var part1875 = match("MESSAGE#1170:00767:25/3_0", "nwparser.p0", "%{saddr}:%{sport->} by %{p0}"); - -var part1876 = match("MESSAGE#1170:00767:25/3_1", "nwparser.p0", "%{saddr->} by %{p0}"); - -var select421 = linear_select([ - part1875, - part1876, -]); - -var all383 = all_match({ - processors: [ - part1874, - select420, - dup23, - select421, - dup108, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1186 = msg("00767:25", all383); - -var part1877 = match("MESSAGE#1171:00767:26/0", "nwparser.payload", "Lock configuration %{p0}"); - -var part1878 = match("MESSAGE#1171:00767:26/1_0", "nwparser.p0", "started%{p0}"); - -var part1879 = match("MESSAGE#1171:00767:26/1_1", "nwparser.p0", "ended%{p0}"); - -var select422 = linear_select([ - part1878, - part1879, -]); - -var part1880 = match("MESSAGE#1171:00767:26/2", 
"nwparser.p0", "%{}by task %{p0}"); - -var part1881 = match("MESSAGE#1171:00767:26/3_0", "nwparser.p0", "%{fld3}, with a timeout value of %{fld2}"); - -var part1882 = match("MESSAGE#1171:00767:26/3_1", "nwparser.p0", "%{fld2->} (%{fld1})"); - -var select423 = linear_select([ - part1881, - part1882, -]); - -var all384 = all_match({ - processors: [ - part1877, - select422, - part1880, - select423, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg1187 = msg("00767:26", all384); - -var part1883 = match("MESSAGE#1172:00767:27/0", "nwparser.payload", "Environment variable %{fld2->} changed to %{p0}"); - -var part1884 = match("MESSAGE#1172:00767:27/1_0", "nwparser.p0", "%{fld3->} by %{username->} (%{fld1})"); - -var part1885 = match_copy("MESSAGE#1172:00767:27/1_1", "nwparser.p0", "fld3"); - -var select424 = linear_select([ - part1884, - part1885, -]); - -var all385 = all_match({ - processors: [ - part1883, - select424, - ], - on_success: processor_chain([ - dup223, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg1188 = msg("00767:27", all385); - -var part1886 = match("MESSAGE#1173:00767:28", "nwparser.payload", "The system configuration was loaded from IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg1189 = msg("00767:28", part1886); - -var part1887 = match("MESSAGE#1174:00767:29", "nwparser.payload", "Save configuration to IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg1190 = msg("00767:29", part1887); - -var part1888 = match("MESSAGE#1175:00767:30", "nwparser.payload", "%{fld2}: The system configuration was saved from host %{saddr->} by admin %{administrator->} (%{fld1})", processor_chain([ - dup1, - 
dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg1191 = msg("00767:30", part1888); - -var part1889 = match("MESSAGE#1176:00767:31/1_0", "nwparser.p0", "logged events or alarms %{p0}"); - -var part1890 = match("MESSAGE#1176:00767:31/1_1", "nwparser.p0", "traffic logs %{p0}"); - -var select425 = linear_select([ - part1889, - part1890, -]); - -var part1891 = match("MESSAGE#1176:00767:31/2", "nwparser.p0", "were cleared by admin %{p0}"); - -var all386 = all_match({ - processors: [ - dup186, - select425, - part1891, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg1192 = msg("00767:31", all386); - -var part1892 = match("MESSAGE#1177:00767:32/0", "nwparser.payload", "SIP parser error %{p0}"); - -var part1893 = match("MESSAGE#1177:00767:32/1_0", "nwparser.p0", "SIP-field%{p0}"); - -var part1894 = match("MESSAGE#1177:00767:32/1_1", "nwparser.p0", "Message%{p0}"); - -var select426 = linear_select([ - part1893, - part1894, -]); - -var part1895 = match("MESSAGE#1177:00767:32/2", "nwparser.p0", ": %{result}(%{fld1})"); - -var all387 = all_match({ - processors: [ - part1892, - select426, - part1895, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg1193 = msg("00767:32", all387); - -var part1896 = match("MESSAGE#1178:00767:33", "nwparser.payload", "Daylight Saving Time has started. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg1194 = msg("00767:33", part1896); - -var part1897 = match("MESSAGE#1179:00767:34", "nwparser.payload", "NetScreen devices do not support multiple IP addresses %{hostip->} or ports %{network_port->} in SIP headers RESPONSE (%{fld1})", processor_chain([ - dup313, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg1195 = msg("00767:34", part1897); - -var part1898 = match("MESSAGE#1180:00767:35", "nwparser.payload", "Environment variable %{fld2->} set to %{fld3->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg1196 = msg("00767:35", part1898); - -var part1899 = match("MESSAGE#1181:00767:36", "nwparser.payload", "System configuration saved from %{fld2->} by %{username->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg1197 = msg("00767:36", part1899); - -var part1900 = match("MESSAGE#1182:00767:37", "nwparser.payload", "Trial keys are available to download to enable advanced features. %{space->} To find out, please visit %{url->} (%{fld1})", processor_chain([ - dup254, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg1198 = msg("00767:37", part1900); - -var part1901 = match("MESSAGE#1183:00767:38", "nwparser.payload", "Log buffer was full and remaining messages were sent to external destination. %{fld2->} packets were dropped. 
(%{fld1})", processor_chain([ - setc("eventcategory","1602000000"), - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg1199 = msg("00767:38", part1901); - -var part1902 = match("MESSAGE#1184:00767:39/0", "nwparser.payload", "Cannot %{p0}"); - -var part1903 = match("MESSAGE#1184:00767:39/1_0", "nwparser.p0", "download %{p0}"); - -var part1904 = match("MESSAGE#1184:00767:39/1_1", "nwparser.p0", "parse %{p0}"); - -var select427 = linear_select([ - part1903, - part1904, -]); - -var part1905 = match("MESSAGE#1184:00767:39/2", "nwparser.p0", "attack database %{p0}"); - -var part1906 = match("MESSAGE#1184:00767:39/3_0", "nwparser.p0", "from %{url->} (%{result}). %{p0}"); - -var part1907 = match("MESSAGE#1184:00767:39/3_1", "nwparser.p0", "%{fld2->} %{p0}"); - -var select428 = linear_select([ - part1906, - part1907, -]); - -var all388 = all_match({ - processors: [ - part1902, - select427, - part1905, - select428, - dup10, - ], - on_success: processor_chain([ - dup324, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg1200 = msg("00767:39", all388); - -var part1908 = match("MESSAGE#1185:00767:40", "nwparser.payload", "Deep Inspection update key is %{disposition}. (%{fld1})", processor_chain([ - dup62, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg1201 = msg("00767:40", part1908); - -var part1909 = match("MESSAGE#1186:00767:42", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg1202 = msg("00767:42", part1909); - -var part1910 = match("MESSAGE#1187:00767:43", "nwparser.payload", "Daylight Saving Time ended. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg1203 = msg("00767:43", part1910); - -var part1911 = match("MESSAGE#1188:00767:44", "nwparser.payload", "New GMT zone ahead or behind by %{fld2->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg1204 = msg("00767:44", part1911); - -var part1912 = match("MESSAGE#1189:00767:45", "nwparser.payload", "Attack database version %{version->} is saved to flash. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg1205 = msg("00767:45", part1912); - -var part1913 = match("MESSAGE#1190:00767:46", "nwparser.payload", "System configuration saved by netscreen via %{logon_type->} by netscreen. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg1206 = msg("00767:46", part1913); - -var part1914 = match("MESSAGE#1191:00767:47", "nwparser.payload", "User %{username->} belongs to a different group in the RADIUS server than that allowed in the device. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup9, -])); - -var msg1207 = msg("00767:47", part1914); - -var part1915 = match("MESSAGE#1192:00767:24/0", "nwparser.payload", "System configuration saved by %{p0}"); - -var part1916 = match("MESSAGE#1192:00767:24/2", "nwparser.p0", "%{logon_type->} by %{fld2->} (%{fld1})"); - -var all389 = all_match({ - processors: [ - part1915, - dup364, - part1916, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), -}); - -var msg1208 = msg("00767:24", all389); - -var part1917 = match("MESSAGE#1193:00767:48", "nwparser.payload", "HA: Synchronization file(s) hidden file end with c sent to backup device in cluster. 
(%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, -])); - -var msg1209 = msg("00767:48", part1917); - -var part1918 = match("MESSAGE#1194:00767:49/0", "nwparser.payload", "%{fld2->} turn o%{p0}"); - -var part1919 = match("MESSAGE#1194:00767:49/1_0", "nwparser.p0", "n%{p0}"); - -var part1920 = match("MESSAGE#1194:00767:49/1_1", "nwparser.p0", "ff%{p0}"); - -var select429 = linear_select([ - part1919, - part1920, -]); - -var part1921 = match("MESSAGE#1194:00767:49/2", "nwparser.p0", "%{}debug switch for %{fld3->} (%{fld1})"); - -var all390 = all_match({ - processors: [ - part1918, - select429, - part1921, - ], - on_success: processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - ]), -}); - -var msg1210 = msg("00767:49", all390); - -var select430 = linear_select([ - msg1158, - msg1159, - msg1160, - msg1161, - msg1162, - msg1163, - msg1164, - msg1165, - msg1166, - msg1167, - msg1168, - msg1169, - msg1170, - msg1171, - msg1172, - msg1173, - msg1174, - msg1175, - msg1176, - msg1177, - msg1178, - msg1179, - msg1180, - msg1181, - msg1182, - msg1183, - msg1184, - msg1185, - msg1186, - msg1187, - msg1188, - msg1189, - msg1190, - msg1191, - msg1192, - msg1193, - msg1194, - msg1195, - msg1196, - msg1197, - msg1198, - msg1199, - msg1200, - msg1201, - msg1202, - msg1203, - msg1204, - msg1205, - msg1206, - msg1207, - msg1208, - msg1209, - msg1210, -]); - -var part1922 = match("MESSAGE#1195:01269", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup277, - dup3, - dup275, - dup60, -])); - -var msg1211 = msg("01269", part1922); - -var msg1212 = msg("01269:01", dup407); - -var msg1213 = msg("01269:02", dup408); - -var msg1214 = msg("01269:03", dup409); - -var select431 = 
linear_select([ - msg1211, - msg1212, - msg1213, - msg1214, -]); - -var part1923 = match("MESSAGE#1199:17852", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup276, - dup277, - dup275, - dup332, -])); - -var msg1215 = msg("17852", part1923); - -var part1924 = match("MESSAGE#1200:17852:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup332, - dup282, -])); - -var msg1216 = msg("17852:01", part1924); - -var part1925 = match("MESSAGE#1201:17852:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup61, -])); - -var msg1217 = msg("17852:02", part1925); - -var part1926 = match("MESSAGE#1202:17852:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup332, - dup282, -])); - -var 
msg1218 = msg("17852:03", part1926); - -var select432 = linear_select([ - msg1215, - msg1216, - msg1217, - msg1218, -]); - -var msg1219 = msg("23184", dup410); - -var part1927 = match("MESSAGE#1204:23184:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup61, - dup282, -])); - -var msg1220 = msg("23184:01", part1927); - -var part1928 = match("MESSAGE#1205:23184:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup276, - dup277, - dup275, - dup61, -])); - -var msg1221 = msg("23184:02", part1928); - -var part1929 = match("MESSAGE#1206:23184:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup332, - dup282, -])); - -var msg1222 = msg("23184:03", part1929); - -var select433 = linear_select([ - msg1219, - msg1220, - msg1221, - msg1222, -]); - -var msg1223 = msg("27052", dup410); - -var part1930 = match("MESSAGE#1208:27052:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) 
proto=%{protocol}direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup61, - dup282, -])); - -var msg1224 = msg("27052:01", part1930); - -var select434 = linear_select([ - msg1223, - msg1224, -]); - -var part1931 = match("MESSAGE#1209:39568", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup277, - dup5, - dup274, - dup3, - dup275, - dup276, - dup60, -])); - -var msg1225 = msg("39568", part1931); - -var msg1226 = msg("39568:01", dup407); - -var msg1227 = msg("39568:02", dup408); - -var msg1228 = msg("39568:03", dup409); - -var select435 = linear_select([ - msg1225, - msg1226, - msg1227, - msg1228, -]); - -var chain1 = processor_chain([ - select2, - msgid_select({ - "00001": select6, - "00002": select29, - "00003": select31, - "00004": select33, - "00005": select39, - "00006": select40, - "00007": select63, - "00008": select66, - "00009": select83, - "00010": select86, - "00011": select100, - "00012": select101, - "00013": select102, - "00014": select104, - "00015": select114, - "00016": select115, - "00017": select125, - "00018": select138, - "00019": select147, - "00020": select150, - "00021": select151, - "00022": select163, - "00023": select164, - "00024": select170, - "00025": select171, - "00026": select176, - "00027": select184, - "00028": msg469, - "00029": select188, - "00030": select197, - "00031": select205, - "00032": select207, - "00033": select214, - "00034": select225, - "00035": select232, - "00036": select234, - "00037": select241, - "00038": msg660, - "00039": msg661, - "00040": select244, - "00041": select245, - 
"00042": select246, - "00043": msg668, - "00044": select248, - "00045": msg671, - "00047": msg672, - "00048": select257, - "00049": select258, - "00050": msg682, - "00051": msg683, - "00052": msg684, - "00055": select265, - "00056": msg696, - "00057": msg697, - "00058": msg698, - "00059": select272, - "00062": select273, - "00063": msg713, - "00064": select274, - "00070": select276, - "00071": select277, - "00072": select278, - "00073": select279, - "00074": msg726, - "00075": select280, - "00076": select281, - "00077": select282, - "00084": msg735, - "00090": msg736, - "00200": msg737, - "00201": msg738, - "00202": msg739, - "00203": msg740, - "00206": select285, - "00207": select286, - "00257": select291, - "00259": select294, - "00262": msg778, - "00263": msg779, - "00400": msg780, - "00401": msg781, - "00402": select296, - "00403": msg784, - "00404": msg785, - "00405": msg786, - "00406": msg787, - "00407": msg788, - "00408": msg789, - "00409": msg790, - "00410": select297, - "00411": msg793, - "00413": select298, - "00414": select299, - "00415": msg799, - "00423": msg800, - "00429": select300, - "00430": select301, - "00431": msg805, - "00432": msg806, - "00433": msg807, - "00434": msg808, - "00435": select302, - "00436": select303, - "00437": select304, - "00438": select305, - "00440": select306, - "00441": msg823, - "00442": msg824, - "00443": msg825, - "00511": select307, - "00513": msg841, - "00515": select328, - "00518": select331, - "00519": select336, - "00520": select339, - "00521": msg890, - "00522": msg891, - "00523": msg892, - "00524": select340, - "00525": select341, - "00526": msg912, - "00527": select348, - "00528": select354, - "00529": select357, - "00530": select358, - "00531": select362, - "00533": msg973, - "00534": msg974, - "00535": select363, - "00536": select365, - "00537": select366, - "00538": select372, - "00539": select373, - "00541": select375, - "00542": msg1062, - "00543": msg1063, - "00544": msg1064, - "00546": msg1065, - "00547": 
select379, - "00549": msg1070, - "00551": select381, - "00553": select385, - "00554": select391, - "00555": msg1117, - "00556": select401, - "00572": select402, - "00601": select404, - "00602": msg1148, - "00612": msg1149, - "00615": select403, - "00620": select408, - "00622": msg1155, - "00625": msg1156, - "00628": msg1157, - "00767": select430, - "01269": select431, - "17852": select432, - "23184": select433, - "27052": select434, - "39568": select435, - }), -]); - -var part1932 = match("MESSAGE#2:00001:02/0", "nwparser.payload", "Address %{group_object->} for %{p0}"); - -var part1933 = match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}"); - -var part1934 = match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})"); - -var part1935 = match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})"); - -var part1936 = match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1"); - -var part1937 = match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}"); - -var part1938 = match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}"); - -var part1939 = match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}"); - -var part1940 = match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}"); - -var part1941 = match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0"); - -var part1942 = match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} "); - -var part1943 = match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", ""); - -var part1944 = match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}"); - -var part1945 = match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}"); - -var part1946 = match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}"); - -var part1947 = match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator"); - -var part1948 = match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", "disposition"); - -var part1949 = match("MESSAGE#46:00002:42/1_1", 
"nwparser.p0", "via %{p0}"); - -var part1950 = match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})"); - -var part1951 = match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}"); - -var part1952 = match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}"); - -var part1953 = match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}"); - -var part1954 = match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}"); - -var part1955 = match("MESSAGE#55:00002:54/2", "nwparser.p0", ". (%{fld1})"); - -var part1956 = match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}"); - -var part1957 = match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}"); - -var part1958 = match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}"); - -var part1959 = match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}"); - -var part1960 = match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}"); - -var part1961 = match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}"); - -var part1962 = match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}"); - -var part1963 = match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}"); - -var part1964 = match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); - -var part1965 = match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}"); - -var part1966 = match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}"); - -var part1967 = match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}"); - -var part1968 = match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}"); - -var part1969 = match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}"); - -var part1970 = match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}"); - -var part1971 = match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}"); - -var part1972 = match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}"); - -var part1973 = match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}"); - -var part1974 = match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}"); - -var part1975 = match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}"); - -var part1976 = match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}"); - -var part1977 = match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - -var part1978 = match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}"); - -var part1979 = match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}"); - -var part1980 = match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); - -var part1981 = match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}"); - -var part1982 = match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}"); - -var part1983 = match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}"); - -var part1984 = match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}"); - -var part1985 = match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}"); - -var part1986 = match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}"); - -var part1987 = match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}"); - -var part1988 = match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}"); - -var part1989 = match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}"); - -var part1990 = match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}"); - -var part1991 = match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}"); - -var part1992 = match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}"); - -var part1993 = match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}"); - -var part1994 = match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}"); - -var part1995 = match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}"); - -var part1996 = match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}"); - -var part1997 = match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}"); - -var part1998 = match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}"); - -var part1999 = match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}"); - -var part2000 = match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}"); - -var part2001 = match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}"); - -var part2002 = match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}"); - -var part2003 = match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}"); - -var part2004 = match("MESSAGE#163:00007:57/3_1", "nwparser.p0", "that %{p0}"); - -var 
part2005 = match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}"); - -var part2006 = match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}"); - -var part2007 = match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}"); - -var part2008 = match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}"); - -var part2009 = match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}"); - -var part2010 = match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}"); - -var part2011 = match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}"); - -var part2012 = match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}"); - -var part2013 = match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}"); - -var part2014 = match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface"); - -var part2015 = match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}"); - -var part2016 = match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}"); - -var part2017 = match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}"); - -var part2018 = match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}."); - -var part2019 = match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}"); - -var part2020 = match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}"); - -var part2021 = match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})"); - -var part2022 = match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); - -var part2023 = match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}"); - -var part2024 = match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}"); - -var part2025 = match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}"); - -var part2026 = match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}"); - -var part2027 = match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}"); - -var part2028 = match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}"); - -var part2029 = match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}"); - -var part2030 = match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}"); - -var part2031 = match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}"); - -var part2032 = match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}"); - -var part2033 = match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) "); - -var part2034 = match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}"); - -var part2035 = match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}"); - -var part2036 = match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}"); - -var part2037 = match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}"); - -var part2038 = match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled %{p0}"); - -var part2039 = match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}"); - -var part2040 = match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}"); - -var part2041 = match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}"); - -var part2042 = match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}"); - -var part2043 = match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}"); - -var part2044 = match("MESSAGE#356:00018:32/0_1", 
"nwparser.payload", "Destination%{p0}"); - -var part2045 = match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}"); - -var part2046 = match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})"); - -var part2047 = match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}"); - -var part2048 = match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}"); - -var part2049 = match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}"); - -var part2050 = match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}"); - -var part2051 = match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}"); - -var part2052 = match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}"); - -var part2053 = match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}"); - -var part2054 = match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}"); - -var part2055 = match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}"); - -var part2056 = match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}"); - -var part2057 = match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}"); - -var part2058 = match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}"); - -var part2059 = match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}"); - -var part2060 = match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}"); - -var part2061 = match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}"); - -var part2062 = match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}"); - -var part2063 = match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}"); - -var part2064 = match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}"); - -var part2065 = match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}"); - -var part2066 = match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}"); - 
-var part2067 = match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}"); - -var part2068 = match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}"); - -var part2069 = match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}"); - -var part2070 = match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}"); - -var part2071 = match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}"); - -var part2072 = match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}"); - -var part2073 = match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}"); - -var part2074 = match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}"); - -var part2075 = match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}"); - -var part2076 = match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}"); - -var part2077 = match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}"); - -var part2078 = match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}"); - -var part2079 = match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}"); - -var part2080 = match("MESSAGE#446:00027/1_0", "nwparser.p0", "occurred for %{p0}"); - -var part2081 = match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}"); - -var part2082 = match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}"); - -var part2083 = match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}"); - -var part2084 = match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}"); - -var part2085 = match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}"); - -var part2086 = match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}"); - -var part2087 = match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}"); - -var part2088 = match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}"); - -var part2089 = match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}"); - -var part2090 = 
match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}"); - -var part2091 = match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}"); - -var part2092 = match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}"); - -var part2093 = match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}"); - -var part2094 = match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}"); - -var part2095 = match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}"); - -var part2096 = match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}"); - -var part2097 = match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}"); - -var part2098 = match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}"); - -var part2099 = match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})"); - -var part2100 = match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}"); - -var part2101 = match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}"); - -var part2102 = match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}"); - -var part2103 = match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}"); - -var part2104 = match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}"); - -var part2105 = match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}"); - -var part2106 = match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - -var part2107 = match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}"); - -var part2108 = match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}"); - -var part2109 = match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}"); - -var part2110 = match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}"); - -var part2111 = match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}"); - -var part2112 = match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}"); - -var part2113 = match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}"); - -var part2114 = match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}"); - -var part2115 = match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}"); - -var part2116 = match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}"); - -var part2117 = match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}"); - -var part2118 = match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}"); - -var part2119 = match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}"); - -var part2120 = match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: %{p0}"); - -var part2121 = match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}"); - -var part2122 = match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}"); - -var part2123 = match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}"); - -var part2124 = match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}"); - -var part2125 = match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}"); - -var part2126 = match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}"); - -var part2127 = match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}"); - -var part2128 = match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}"); - -var part2129 = match("MESSAGE#707:00070/1_0", 
"nwparser.p0", "Unit %{p0}"); - -var part2130 = match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}"); - -var part2131 = match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); - -var part2132 = match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}"); - -var part2133 = match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}"); - -var part2134 = match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}"); - -var part2135 = match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state"); - -var part2136 = match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); - -var part2137 = match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}"); - -var part2138 = match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}"); - -var part2139 = match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}"); - -var part2140 = match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr"); - -var part2141 = match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}"); - -var part2142 = match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}"); - -var part2143 = match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}"); - -var part2144 = match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times."); - -var part2145 = match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times."); - -var part2146 = match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}"); - -var part2147 = match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - -var part2148 = match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - -var part2149 = match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); - -var part2150 = match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})"); - -var part2151 = match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}"); - -var part2152 = match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}"); - -var part2153 = match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}"); - -var part2154 = match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}"); - -var part2155 = match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}"); - -var part2156 = match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}"); - -var part2157 = match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}"); - -var part2158 = match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}"); - -var part2159 = match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}"); - -var part2160 = match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}"); - -var part2161 = match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}"); - -var part2162 = match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}"); - -var part2163 = match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}"); - -var part2164 = match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}"); - -var part2165 = match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}"); - -var part2166 = match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}"); - -var part2167 = match("MESSAGE#932:00528:19/0", 
"nwparser.payload", "%{}S%{p0}"); - -var part2168 = match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}"); - -var part2169 = match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}"); - -var part2170 = match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}"); - -var part2171 = match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}"); - -var part2172 = match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}"); - -var part2173 = match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}"); - -var part2174 = match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}"); - -var part2175 = match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}"); - -var select436 = linear_select([ - dup10, - dup11, -]); - -var part2176 = match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var select437 = linear_select([ - dup13, - dup14, -]); - -var select438 = linear_select([ - dup15, - dup16, -]); - -var select439 = linear_select([ - dup56, - dup57, -]); - -var select440 = linear_select([ - dup65, - dup66, -]); - -var select441 = linear_select([ - dup68, - dup69, -]); - -var select442 = linear_select([ - dup71, - dup72, -]); - -var part2177 = match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, -])); - -var select443 = linear_select([ - dup74, - dup75, -]); - -var select444 = linear_select([ - dup81, - dup82, -]); - -var select445 = linear_select([ - dup24, - dup90, -]); - -var select446 = linear_select([ - dup94, - dup95, -]); - -var select447 = linear_select([ - dup98, - dup99, -]); - -var select448 = linear_select([ - dup100, - dup101, - dup102, -]); - -var select449 = linear_select([ - dup113, - dup114, -]); - -var select450 
= linear_select([ - dup111, - dup16, -]); - -var select451 = linear_select([ - dup127, - dup107, -]); - -var select452 = linear_select([ - dup8, - dup21, -]); - -var select453 = linear_select([ - dup122, - dup133, -]); - -var select454 = linear_select([ - dup142, - dup143, -]); - -var select455 = linear_select([ - dup145, - dup21, -]); - -var select456 = linear_select([ - dup127, - dup106, -]); - -var select457 = linear_select([ - dup152, - dup96, -]); - -var select458 = linear_select([ - dup154, - dup155, -]); - -var select459 = linear_select([ - dup156, - dup157, -]); - -var select460 = linear_select([ - dup99, - dup134, -]); - -var select461 = linear_select([ - dup158, - dup159, -]); - -var select462 = linear_select([ - dup161, - dup162, -]); - -var select463 = linear_select([ - dup163, - dup103, -]); - -var select464 = linear_select([ - dup162, - dup161, -]); - -var select465 = linear_select([ - dup46, - dup47, -]); - -var select466 = linear_select([ - dup166, - dup167, -]); - -var select467 = linear_select([ - dup172, - dup173, -]); - -var select468 = linear_select([ - dup174, - dup175, - dup176, - dup177, - dup178, - dup179, - dup180, - dup181, - dup182, -]); - -var select469 = linear_select([ - dup49, - dup21, -]); - -var select470 = linear_select([ - dup189, - dup190, -]); - -var select471 = linear_select([ - dup96, - dup152, -]); - -var select472 = linear_select([ - dup196, - dup197, -]); - -var select473 = linear_select([ - dup24, - dup200, -]); - -var select474 = linear_select([ - dup103, - dup163, -]); - -var select475 = linear_select([ - dup205, - dup118, -]); - -var part2178 = match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var select476 = linear_select([ - dup212, - dup213, -]); - -var select477 = linear_select([ - dup215, - dup216, -]); - -var select478 = linear_select([ - dup222, - dup215, -]); - -var 
select479 = linear_select([ - dup224, - dup225, -]); - -var select480 = linear_select([ - dup231, - dup124, -]); - -var select481 = linear_select([ - dup229, - dup230, -]); - -var select482 = linear_select([ - dup233, - dup234, -]); - -var select483 = linear_select([ - dup236, - dup237, -]); - -var select484 = linear_select([ - dup242, - dup243, -]); - -var select485 = linear_select([ - dup245, - dup246, -]); - -var select486 = linear_select([ - dup247, - dup248, -]); - -var select487 = linear_select([ - dup249, - dup250, -]); - -var select488 = linear_select([ - dup251, - dup252, -]); - -var select489 = linear_select([ - dup260, - dup261, -]); - -var select490 = linear_select([ - dup264, - dup265, -]); - -var select491 = linear_select([ - dup268, - dup269, -]); - -var part2179 = match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, -])); - -var select492 = linear_select([ - dup284, - dup285, -]); - -var select493 = linear_select([ - dup287, - dup288, -]); - -var part2180 = match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup3, - dup60, -])); - -var part2181 = match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup4, - dup59, - dup5, - dup9, - dup2, - dup3, - dup60, -])); - -var select494 = linear_select([ - dup300, - dup26, -]); - -var select495 = linear_select([ - dup115, - dup303, -]); - -var select496 = linear_select([ - dup125, - dup96, -]); - -var select497 = linear_select([ - dup189, - dup308, - dup309, -]); - -var select498 = linear_select([ - dup310, - dup16, -]); - -var select499 = linear_select([ - dup317, - dup318, -]); - -var select500 = linear_select([ - dup319, - dup315, -]); - -var select501 = linear_select([ - dup322, - dup250, -]); - -var select502 = linear_select([ - dup327, - dup329, -]); - -var select503 = linear_select([ - dup330, - dup129, -]); - -var part2182 = match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup60, - dup282, -])); - -var part2183 = match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup60, -])); - -var part2184 = match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - 
dup60, - dup282, -])); - -var part2185 = match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup61, -])); - -var all391 = all_match({ - processors: [ - dup263, - dup390, - dup266, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var all392 = all_match({ - processors: [ - dup267, - dup391, - dup270, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var all393 = all_match({ - processors: [ - dup80, - dup343, - dup293, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), -}); - -var all394 = all_match({ - processors: [ - dup296, - dup343, - dup131, - ], - on_success: processor_chain([ - dup297, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup61, - ]), -}); - -var all395 = all_match({ - processors: [ - dup298, - dup343, - dup131, - ], - on_success: processor_chain([ - dup297, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup61, - ]), -}); diff --git a/x-pack/filebeat/module/juniper/netscreen/ingest/pipeline.yml b/x-pack/filebeat/module/juniper/netscreen/ingest/pipeline.yml deleted file mode 100644 index 74d2f3cc11a..00000000000 --- a/x-pack/filebeat/module/juniper/netscreen/ingest/pipeline.yml +++ /dev/null 
@@ -1,64 +0,0 @@ ---- -description: Pipeline for Netscreen - -processors: - # ECS event.ingested - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - # User agent - - user_agent: - field: user_agent.original - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.hosts - value: '{{host.name}}' - allow_duplicates: false - if: ctx.host?.name != null && ctx.host?.name != '' -on_failure: - - append: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/juniper/netscreen/manifest.yml b/x-pack/filebeat/module/juniper/netscreen/manifest.yml deleted file mode 100644 index a6e16398dd2..00000000000 --- a/x-pack/filebeat/module/juniper/netscreen/manifest.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -module_version: "1.0" - -var: - - name: paths - - name: tags - default: ["juniper.netscreen", "forwarded"] - - name: syslog_host - default: localhost - - name: syslog_port - default: 9539 - - name: input - default: udp - - name: community_id - default: true - - name: tz_offset - default: local - - name: rsa_fields - default: true - - name: keep_raw_fields - default: false - - name: debug - default: false - -ingest_pipeline: ingest/pipeline.yml -input: config/input.yml - -requires.processors: -- name: geoip - plugin: ingest-geoip -- name: user_agent - plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/juniper/netscreen/test/generated.log b/x-pack/filebeat/module/juniper/netscreen/test/generated.log deleted file mode 100644 index 3d8481ffa94..00000000000 --- a/x-pack/filebeat/module/juniper/netscreen/test/generated.log +++ /dev/null 
@@ -1,100 +0,0 @@ -modtempo: NetScreen device_id=olab system-low-00628(rci): audit log queue Event Alarm Log is overwritten (2016-1-29 06:09:59) -luptat: NetScreen device_id=isiutal [moenimi]system-low-00620(gnaali): RTSYNC: Timer to purge the DRP backup routes is stopped. (2016-2-12 13:12:33) -deomni: NetScreen device_id=tquovol [ntsuntin]system-medium-00062(tatno): Track IP IP address 10.159.227.210 succeeded. (ofdeF) -untutlab: NetScreen device_id=tem [ons]system-medium-00004: DNS lookup time has been changed to start at ationu:ali with an interval of nsect -eve: NetScreen device_id=tatiset [eprehen]system-medium-00034(piscing): Ethernet driver ran out of rx bd (port 1044) -eomnisis: NetScreen device_id=mqui [civeli]system-high-00026: SCS: SCS has been tasuntex for enp0s5377 . -rehender: NetScreen device_id=eporroqu [uat]system-high-00026(atquovo): SSH: Maximum number of PKA keys (suntinc) has been bound to user 'xeac' Key not bound. (Key ID nidolo) -intoccae: NetScreen device_id=ents [pida]system-low-00535(idolor): PKCS #7 data cannot be decapsulated -numqu: NetScreen device_id=qui [No Name]system-medium-00520: Active Server Switchover: New requests for equi server will try agnaali from now on. (2016-5-22 14:30:33) -ipitla: NetScreen device_id=quae [maccusa]system-high-00072(rQuisau): NSRP: Unit idex of VSD group xerci aqu -atu: NetScreen device_id=umexerci [ern]system-low-00084(iadese): RTSYNC: NSRP route synchronization is nsectet -dol: NetScreen device_id=leumiu [namali]system-medium-00527(atevel): MAC address 01:00:5e:11:0a:26 has detected an IP conflict and has declined address 10.90.127.74 -acc: NetScreen device_id=amc [atur]system-low-00050(corp): Track IP enabled (2016-7-18 18:40:50) -tper: NetScreen device_id=olor [Neque]system-medium-00524(xerc): SNMP request from an unknown SNMP community public at 10.61.30.190:2509 has been received. 
(2016-8-2 01:43:25) -etdol: NetScreen device_id=uela [boN]system-medium-00521: Can't connect to E-mail server 10.210.240.175 -ati: NetScreen device_id=tlabo [uames]system-medium-00553(mpo): SCAN-MGR: Set maximum content size to offi. -umwr: NetScreen device_id=oluptate [issus]system-high-00005(uaUteni): SYN flood udantium has been changed to pre -tate: NetScreen device_id=imvenia [spi]system-high-00038(etdo): OSPF routing instance in vrouter urerepr is ese -smo: NetScreen device_id=etcons [iusmodi]system-medium-00012: ate Service group uiac has epte member idolo from host 10.170.139.87 -ersp: NetScreen device_id=tquov [diconseq]system-high-00551(mod): Rapid Deployment cannot start because gateway has undergone configuration changes. (2016-10-26 19:58:50) -mquame: NetScreen device_id=nihilmol [xercita]system-medium-00071(tiumt): The local device reetdolo in the Virtual Security Device group norum changed state -isnisi: NetScreen device_id=ritatise [uamei]system-medium-00057(quatur): uisa: static multicast route src=10.198.41.214, grp=cusant input ifp = lo2786 output ifp = eth3657 added -isis: NetScreen device_id=uasiar [utlab]system-high-00075(loremqu): The local device dantium in the Virtual Security Device group lor velillu -bor: NetScreen device_id=rauto [ationev]system-low-00039(mdol): BGP instance name created for vr itation -iaeco: NetScreen device_id=equaturv [siu]system-high-00262(veniamqu): Admin user rum has been rejected via the quaea server at 10.11.251.51 -orroq: NetScreen device_id=vitaedic [orin]system-high-00038(ons): OSPF routing instance in vrouter remagn ecillu -enderit: NetScreen device_id=taut [tanimi]system-medium-00515(commodi): emporain Admin User "ntiumto" logged in for umetMalo(https) management (port 2206) from 10.80.237.27:2883 -ori: NetScreen device_id=tconsect [rum]system-high-00073(eporroq): NSRP: Unit ulla of VSD group iqu oin -mipsum: NetScreen device_id=lmo [aliquamq]system-medium-00030: X509 certificate for ScreenOS image 
authentication is invalid -orroqu: NetScreen device_id=elitsed [labore]system-medium-00034(erc): PPPoE Settings changed -ntNe: NetScreen device_id=itanim [nesciun]system-medium-00612: Switch event: the status of ethernet port mollita changed to link down , duplex full , speed 10 M. (2017-4-2 01:27:07) -quide: NetScreen device_id=quaU [undeomni]system-medium-00077(acomm): NSRP: local unit= iutali of VSD group itat stlaboru -emq: NetScreen device_id=plicaboN [amc]system-high-00536(acommo): IKE 10.10.77.119: Dropped packet because remote gateway OK is not used in any VPN tunnel configurations -scivel: NetScreen device_id=henderi [iusmodt]system-medium-00536(tquas): IKE 10.200.22.41: Received incorrect ID payload: IP address lorinr instead of IP address ercita -equu: NetScreen device_id=sintoc [atae]system-medium-00203(tem): mestq lsa flood on interface eth82 has dropped a packet. -iqui: NetScreen device_id=tesseci [tat]system-high-00011(cive): The virtual router nse has been made unsharable -rroqui: NetScreen device_id=ursin [utemvel]system-medium-00002: ADMIN AUTH: Privilege requested for unknown user atu. Possible HA syncronization problem. -orumSe: NetScreen device_id=dolor [isiut]system-high-00206(emagn): OSPF instance with router-id emulla received a Hello packet flood from neighbor (IP address 10.219.1.151, router ID mnihilm) on Interface enp0s3375 forcing the interface to drop the packet. 
-eque: NetScreen device_id=eufug [est]system-medium-00075: The local device ntincul in the Virtual Security Device group reet tquo -imadmini: NetScreen device_id=ide [edq]system-medium-00026(tise): SSH: Attempt to unbind PKA key from admin user 'ntut' (Key ID emullam) -ihilmole: NetScreen device_id=saquaea [ons]system-high-00048(quas): Route map entry with sequence number gia in route map binck-ospf in virtual router itatio was porinc (2017-8-22 23:52:50) -orum: NetScreen device_id=oinBCSed [orem]system-medium-00050(ilm): Track IP enabled (2017-9-6 06:55:24) -ncididun: NetScreen device_id=hen [periamea]system-medium-00555: Vrouter ali PIMSM cannot process non-multicast address 10.158.18.51 -umwri: NetScreen device_id=odoc [atura]system-high-00030: SYSTEM CPU utilization is high (oreeu > nvo ) iamqui times in tassita minute (2017-10-4 21:00:32)< -inc: NetScreen device_id=tect [uiad]system-low-00003: The console debug buffer has been roinBCSe -nseq: NetScreen device_id=borumSec [tatemseq]system-medium-00026(dmi): SCS has been tam for eth7686 . -uiineavo: NetScreen device_id=sistena [uidexeac]system-high-00620(amquisno): RTSYNC: Event posted to send all the DRP routes to backup device. (2017-11-16 18:08:15) -sunt: NetScreen device_id=dquianon [urExc]system-high-00025(iamqui): PKI: The current device quide to save the certificate authority configuration. -etdol: NetScreen device_id=Sed [oremeumf]system-high-00076: The local device etur in the Virtual Security Device group fugiatn enima -giatquo: NetScreen device_id=lors [its]system-low-00524: SNMP request from an unknown SNMP community public at 10.46.217.155:76 has been received. 
(2017-12-29 15:15:58) -magnaa: NetScreen device_id=sumquiad [No Name]system-high-00628: audit log queue Event Log is overwritten (2018-1-12 22:18:32) -tnulapa: NetScreen device_id=madmi [No Name]system-high-00628(adeser): audit log queue Event Log is overwritten (2018-1-27 05:21:06) -laboree: NetScreen device_id=udantiu [itametco]system-high-00556(stiaecon): UF-MGR: usBono CPA server port changed to rumexe. -nturmag: NetScreen device_id=uredol [maliqua]system-medium-00058(mquia): PIMSM protocol configured on interface eth2266 -ueporroq: NetScreen device_id=ute [No Name]system-low-00625: Session (id tationu src-ip 10.142.21.251 dst-ip 10.154.16.147 dst port 6881) route is valid. (2018-3-11 02:28:49) -adipi: NetScreen device_id=mquis [ratvo]system-low-00042(isno): Replay packet detected on IPSec tunnel on enp0s1170 with tunnel ID nderiti! From 10.105.212.51 to 10.119.53.68/1783, giatqu (2018-3-25 09:31:24) -emvel: NetScreen device_id=pta [dolo]system-medium-00057(eacommod): uamqu: static multicast route src=10.174.2.175, grp=aparia input ifp = lo6813 output ifp = enp0s90 added -giat: NetScreen device_id=ttenb [eirure]system-high-00549(rem): add-route-> untrust-vr: exer -lapari: NetScreen device_id=rcitat [cinge]system-high-00536(luptate): IKE gateway eritqu has been elites. pariat -accus: NetScreen device_id=CSed [tiu]system-low-00049(upta): The router-id of virtual router "asper" used by OSPF, BGP routing instances id has been uninitialized. (dictasun) -itanimi: NetScreen device_id=onoru [data]system-high-00064(eosqui): Can not create track-ip list -int: NetScreen device_id=ionevo [llitani]system-high-00541(itametco): The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from etcons to etco state, (neighbor router-id 1iuntN, ip-address 10.89.179.48). 
(2018-6-19 03:46:49) -mmodicon: NetScreen device_id=eetdo [mquisno]system-low-00017(lup): mipsamv From 10.57.108.5:5523 using protocol icmp on interface enp0s4987. The attack occurred 2282 times -inimve: NetScreen device_id=aea [emipsumd]system-low-00263(ptat): Admin user saq has been accepted via the asiarch server at 10.197.10.110 -tlab: NetScreen device_id=vel [ionevo]system-high-00622: NHRP : NHRP instance in virtual router ptate is created. (2018-8-1 00:54:32) -qui: NetScreen device_id=caboN [imipsam]system-high-00528(catcupid): SSH: Admin user 'ritquiin' at host 10.59.51.171 requested unsupported authentication method texplica -udexerci: NetScreen device_id=uae [imveni]system-medium-00071(ptatemse): NSRP: Unit itationu of VSD group setquas nbyCi -isno: NetScreen device_id=luptatev [occaeca]system-high-00018(urau): aeca Policy (oNem, itaedict ) was eroi from host 10.80.103.229 by admin fugitsed (2018-9-12 22:02:15) -utlabore: NetScreen device_id=edquiano [mSecti]system-high-00207(tDuisaut): RIP database size limit exceeded for uel, RIP route dropped. -agn: NetScreen device_id=iqu [quamqua]system-high-00075: NSRP: Unit equeporr of VSD group amremap oremagna -ntium: NetScreen device_id=ide [quunturm]system-low-00040(isautem): High watermark for early aging has been changed to the default usan -catcu: NetScreen device_id=quame [tionemu]system-low-00524(eursi): SNMP host 10.163.9.35 cannot be removed from community uatDu because failure -cteturad: NetScreen device_id=modi [No Name]system-low-00625(ecatcu): Session (id ntoccae src-ip 10.51.161.245 dst-ip 10.193.80.21 dst port 5657) route is valid. 
(2018-11-23 09:15:06) -chit: NetScreen device_id=iusmodit [lor]system-high-00524(adeserun): SNMP request has been received, but success -vento: NetScreen device_id=litsed [ciun]system-medium-00072: The local device inrepr in the Virtual Security Device group lla changed state -rissusci: NetScreen device_id=uaturQ [iusmod]system-medium-00533(mips): VIP server 10.41.222.7 is now responding -upta: NetScreen device_id=ivel [tmollita]system-low-00070(deFinib): NSRP: nsrp control channel change to lo4065 -ommodic: NetScreen device_id=mmodic [essequam]system-low-00040(nihi): VPN 'xeaco' from 10.134.20.213 is eavolupt (2019-2-2 20:27:57) -ptasnul: NetScreen device_id=utaliqui [mcorpor]system-medium-00023(ostru): VIP/load balance server 10.110.144.189 cannot be contacted -luptatem: NetScreen device_id=ing [hen]system-medium-00034(umquid): SCS: SCS has been olabo for tasnu with conse existing PKA keys already bound to ruredolo SSH users. -iat: NetScreen device_id=orain [equaturQ]system-low-00554: SCAN-MGR: Attempted to load AV pattern file created quia after the AV subscription expired. (Exp: Exce) -dese: NetScreen device_id=ptasn [liqui]system-low-00541: ScreenOS invol serial # Loremips: Asset recovery has been cidun -ole: NetScreen device_id=odi [tper]system-medium-00628(ectetur): audit log queue Event Log is overwritten (2019-4-15 07:40:49) -iadolo: NetScreen device_id=ecatcup [No Name]system-high-00628: audit log queue Traffic Log is overwritten (2019-4-29 14:43:23) -qui: NetScreen device_id=iaecon [dminima]system-high-00538(psaquaea): NACN failed to register to Policy Manager eabillo because of success -eosqu: NetScreen device_id=reetdolo [umquam]system-low-00075(enderi): The local device labore in the Virtual Security Device group uasiarch changed state from iamquisn to inoperable. 
(2019-5-28 04:48:31) -veleumi: NetScreen device_id=volupt [equ]system-high-00535(ure): SCEP_FAILURE message has been received from the CA -reseo: NetScreen device_id=entoreve [rudexer]system-medium-00026(iruredol): IKE iad: Missing heartbeats have exceeded the threshold. All Phase 1 and 2 SAs have been removed -ptate: NetScreen device_id=oloreeu [imipsa]system-high-00038: OSPF routing instance in vrouter uame taevitae -archi: NetScreen device_id=caboNe [ptate]system-high-00003(ius): Multiple authentication failures have been detected! -remap: NetScreen device_id=ntium [veniamqu]system-high-00529: DNS entries have been refreshed by HA -llumdo: NetScreen device_id=tot [itquii]system-high-00625(erspici): Session (id oreeu src-ip 10.126.150.15 dst-ip 10.185.50.112 dst port 7180) route is invalid. (2019-8-21 23:03:57) -quepo: NetScreen device_id=tDuisa [iscive]system-medium-00521: Can't connect to E-mail server 10.152.90.59 -lorem: NetScreen device_id=icons [hende]system-low-00077(usBonor): HA link disconnect. Begin to use second path of HA -preh: NetScreen device_id=dol [No Name]system-low-00625: Session (id gnamal src-ip 10.119.181.171 dst-ip 10.166.144.66 dst port 3051) route is invalid. (2019-10-3 20:11:40) -avolup: NetScreen device_id=litse [archit]system-high-00041(untutlab): A route-map name in virtual router estqu has been removed -eddoeiu: NetScreen device_id=consect [eetdolo]system-medium-00038(remipsum): OSPF routing instance in vrouter ons emporin -texpl: NetScreen device_id=isquames [No Name]system-low-00021: DIP port-translation stickiness was atio by utla via ntm from host 10.96.165.147 to 10.96.218.99:277 (2019-11-15 17:19:22) -elaudant: NetScreen device_id=ratvolu [odte]system-medium-00021(eum): DIP port-translation stickiness was uidol by repr via idu from host 10.201.72.59 to 10.230.29.67:7478 (2019-11-30 00:21:57) -toc: NetScreen device_id=rau [sciuntN]system-low-00602: PIMSM Error in initializing interface state change 
diff --git a/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json b/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json
deleted file mode 100644
index 0ca48b975b4..00000000000
--- a/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json
+++ /dev/null
@@ -1,2520 +0,0 @@ -[ - { - "event.code": "00628", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "modtempo: NetScreen device_id=olab system-low-00628(rci): audit log queue Event Alarm Log is overwritten (2016-1-29 06:09:59)", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "low", - "log.offset": 0, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00628", - "rsa.misc.hardware_id": "olab", - "rsa.misc.severity": "low", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00620", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "luptat: NetScreen device_id=isiutal [moenimi]system-low-00620(gnaali): RTSYNC: Timer to purge the DRP backup routes is stopped. (2016-2-12 13:12:33)", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "low", - "log.offset": 126, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00620", - "rsa.misc.hardware_id": "isiutal", - "rsa.misc.severity": "low", - "rsa.misc.vsys": "moenimi", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00062", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "deomni: NetScreen device_id=tquovol [ntsuntin]system-medium-00062(tatno): Track IP IP address 10.159.227.210 succeeded. 
(ofdeF)", - "fileset.name": "netscreen", - "host.ip": "10.159.227.210", - "input.type": "log", - "log.level": "medium", - "log.offset": 275, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.ip": [ - "10.159.227.210" - ], - "rsa.internal.event_desc": "Track IP succeeded", - "rsa.internal.messageid": "00062", - "rsa.misc.hardware_id": "tquovol", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "ntsuntin", - "rsa.time.event_time_str": "ofdeF", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00004", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "untutlab: NetScreen device_id=tem [ons]system-medium-00004: DNS lookup time has been changed to start at ationu:ali with an interval of nsect", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "medium", - "log.offset": 403, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00004", - "rsa.misc.hardware_id": "tem", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "ons", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00034", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "eve: NetScreen device_id=tatiset [eprehen]system-medium-00034(piscing): Ethernet driver ran out of rx bd (port 1044)", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "medium", - "log.offset": 545, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00034", - "rsa.misc.hardware_id": "tatiset", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "eprehen", - "rsa.network.network_port": 1044, - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00026", - 
"event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "eomnisis: NetScreen device_id=mqui [civeli]system-high-00026: SCS: SCS has been tasuntex for enp0s5377 .", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "high", - "log.offset": 662, - "network.interface.name": "enp0s5377", - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00026", - "rsa.misc.disposition": "tasuntex", - "rsa.misc.hardware_id": "mqui", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "civeli", - "rsa.network.interface": "enp0s5377", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00026", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "rehender: NetScreen device_id=eporroqu [uat]system-high-00026(atquovo): SSH: Maximum number of PKA keys (suntinc) has been bound to user 'xeac' Key not bound. 
(Key ID nidolo)", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "high", - "log.offset": 767, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.user": [ - "xeac" - ], - "rsa.internal.messageid": "00026", - "rsa.misc.hardware_id": "eporroqu", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "uat", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ], - "user.name": "xeac" - }, - { - "event.code": "00535", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "intoccae: NetScreen device_id=ents [pida]system-low-00535(idolor): PKCS #7 data cannot be decapsulated", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "low", - "log.offset": 942, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00535", - "rsa.misc.hardware_id": "ents", - "rsa.misc.severity": "low", - "rsa.misc.vsys": "pida", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00520", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "numqu: NetScreen device_id=qui [No Name]system-medium-00520: Active Server Switchover: New requests for equi server will try agnaali from now on. 
(2016-5-22 14:30:33)", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "medium", - "log.offset": 1045, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00520", - "rsa.misc.hardware_id": "qui", - "rsa.misc.severity": "medium", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00072", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "ipitla: NetScreen device_id=quae [maccusa]system-high-00072(rQuisau): NSRP: Unit idex of VSD group xerci aqu", - "fileset.name": "netscreen", - "group.name": "xerci", - "input.type": "log", - "log.level": "high", - "log.offset": 1212, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.db.index": "aqu", - "rsa.internal.messageid": "00072", - "rsa.misc.group": "xerci", - "rsa.misc.hardware_id": "quae", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "maccusa", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00084", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "atu: NetScreen device_id=umexerci [ern]system-low-00084(iadese): RTSYNC: NSRP route synchronization is nsectet", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "low", - "log.offset": 1321, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00084", - "rsa.misc.disposition": "nsectet", - "rsa.misc.hardware_id": "umexerci", - "rsa.misc.severity": "low", - "rsa.misc.vsys": "ern", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00527", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "dol: NetScreen device_id=leumiu 
[namali]system-medium-00527(atevel): MAC address 01:00:5e:11:0a:26 has detected an IP conflict and has declined address 10.90.127.74", - "fileset.name": "netscreen", - "host.ip": "10.90.127.74", - "host.mac": "01:00:5e:11:0a:26", - "input.type": "log", - "log.level": "medium", - "log.offset": 1432, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.ip": [ - "10.90.127.74" - ], - "rsa.internal.messageid": "00527", - "rsa.misc.hardware_id": "leumiu", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "namali", - "rsa.network.eth_host": "01:00:5e:11:0a:26", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00050", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "acc: NetScreen device_id=amc [atur]system-low-00050(corp): Track IP enabled (2016-7-18 18:40:50)", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "low", - "log.offset": 1597, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00050", - "rsa.misc.hardware_id": "amc", - "rsa.misc.severity": "low", - "rsa.misc.vsys": "atur", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00524", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "tper: NetScreen device_id=olor [Neque]system-medium-00524(xerc): SNMP request from an unknown SNMP community public at 10.61.30.190:2509 has been received. 
(2016-8-2 01:43:25)", - "fileset.name": "netscreen", - "host.ip": "10.61.30.190", - "input.type": "log", - "log.level": "medium", - "log.offset": 1694, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.ip": [ - "10.61.30.190" - ], - "rsa.internal.messageid": "00524", - "rsa.misc.hardware_id": "olor", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "Neque", - "rsa.network.network_port": 2509, - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00521", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "etdol: NetScreen device_id=uela [boN]system-medium-00521: Can't connect to E-mail server 10.210.240.175", - "fileset.name": "netscreen", - "host.ip": "10.210.240.175", - "input.type": "log", - "log.level": "medium", - "log.offset": 1870, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.ip": [ - "10.210.240.175" - ], - "rsa.internal.messageid": "00521", - "rsa.misc.hardware_id": "uela", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "boN", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00553", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "ati: NetScreen device_id=tlabo [uames]system-medium-00553(mpo): SCAN-MGR: Set maximum content size to offi.", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "medium", - "log.offset": 1974, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00553", - "rsa.misc.hardware_id": "tlabo", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "uames", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00005", - "event.dataset": "juniper.netscreen", - "event.module": 
"juniper", - "event.original": "umwr: NetScreen device_id=oluptate [issus]system-high-00005(uaUteni): SYN flood udantium has been changed to pre", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "high", - "log.offset": 2082, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00005", - "rsa.misc.hardware_id": "oluptate", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "issus", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00038", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "tate: NetScreen device_id=imvenia [spi]system-high-00038(etdo): OSPF routing instance in vrouter urerepr is ese", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "high", - "log.offset": 2195, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00038", - "rsa.misc.disposition": "ese", - "rsa.misc.hardware_id": "imvenia", - "rsa.misc.node": "urerepr", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "spi", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00012", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "smo: NetScreen device_id=etcons [iusmodi]system-medium-00012: ate Service group uiac has epte member idolo from host 10.170.139.87", - "fileset.name": "netscreen", - "group.name": "uiac", - "input.type": "log", - "log.level": "medium", - "log.offset": 2307, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.ip": [ - "10.170.139.87" - ], - "related.user": [ - "idolo" - ], - "rsa.internal.messageid": "00012", - "rsa.misc.disposition": "epte", - "rsa.misc.group": "uiac", - "rsa.misc.hardware_id": "etcons", - "rsa.misc.severity": "medium", - 
"rsa.misc.vsys": "iusmodi", - "service.type": "juniper", - "source.ip": "10.170.139.87", - "tags": [ - "forwarded", - "juniper.netscreen" - ], - "user.name": "idolo" - }, - { - "event.code": "00551", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "ersp: NetScreen device_id=tquov [diconseq]system-high-00551(mod): Rapid Deployment cannot start because gateway has undergone configuration changes. (2016-10-26 19:58:50)", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "high", - "log.offset": 2438, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00551", - "rsa.misc.hardware_id": "tquov", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "diconseq", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00071", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "mquame: NetScreen device_id=nihilmol [xercita]system-medium-00071(tiumt): The local device reetdolo in the Virtual Security Device group norum changed state", - "fileset.name": "netscreen", - "group.name": "norum", - "input.type": "log", - "log.level": "medium", - "log.offset": 2609, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00071", - "rsa.misc.group": "norum", - "rsa.misc.hardware_id": "nihilmol", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "xercita", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00057", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "isnisi: NetScreen device_id=ritatise [uamei]system-medium-00057(quatur): uisa: static multicast route src=10.198.41.214, grp=cusant input ifp = lo2786 output ifp = eth3657 added", - "fileset.name": "netscreen", - "group.name": "cusant", - 
"input.type": "log", - "log.level": "medium", - "log.offset": 2766, - "observer.egress.interface.name": "eth3657", - "observer.ingress.interface.name": "lo2786", - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.ip": [ - "10.198.41.214" - ], - "rsa.internal.messageid": "00057", - "rsa.misc.group": "cusant", - "rsa.misc.hardware_id": "ritatise", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "uamei", - "rsa.network.dinterface": "eth3657", - "rsa.network.sinterface": "lo2786", - "service.type": "juniper", - "source.ip": "10.198.41.214", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00075", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "isis: NetScreen device_id=uasiar [utlab]system-high-00075(loremqu): The local device dantium in the Virtual Security Device group lor velillu", - "fileset.name": "netscreen", - "group.name": "lor", - "input.type": "log", - "log.level": "high", - "log.offset": 2944, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.db.index": "velillu", - "rsa.internal.messageid": "00075", - "rsa.misc.group": "lor", - "rsa.misc.hardware_id": "uasiar", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "utlab", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00039", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "bor: NetScreen device_id=rauto [ationev]system-low-00039(mdol): BGP instance name created for vr itation", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "low", - "log.offset": 3086, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00039", - "rsa.misc.hardware_id": "rauto", - "rsa.misc.node": "itation", - "rsa.misc.severity": "low", - "rsa.misc.vsys": 
"ationev", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00262", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "iaeco: NetScreen device_id=equaturv [siu]system-high-00262(veniamqu): Admin user rum has been rejected via the quaea server at 10.11.251.51", - "fileset.name": "netscreen", - "host.ip": "10.11.251.51", - "input.type": "log", - "log.level": "high", - "log.offset": 3191, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.ip": [ - "10.11.251.51" - ], - "related.user": [ - "rum" - ], - "rsa.identity.logon_type": "quaea", - "rsa.internal.messageid": "00262", - "rsa.misc.hardware_id": "equaturv", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "siu", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ], - "user.name": "rum" - }, - { - "event.code": "00038", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "orroq: NetScreen device_id=vitaedic [orin]system-high-00038(ons): OSPF routing instance in vrouter remagn ecillu", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "high", - "log.offset": 3331, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00038", - "rsa.misc.disposition": "ecillu", - "rsa.misc.hardware_id": "vitaedic", - "rsa.misc.node": "remagn", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "orin", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00515", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "enderit: NetScreen device_id=taut [tanimi]system-medium-00515(commodi): emporain Admin User \"ntiumto\" logged in for umetMalo(https) management (port 2206) from 10.80.237.27:2883", - "fileset.name": "netscreen", - 
"input.type": "log", - "log.level": "medium", - "log.offset": 3444, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.ip": [ - "10.80.237.27" - ], - "related.user": [ - "ntiumto" - ], - "rsa.identity.logon_type": "umetMalo", - "rsa.internal.messageid": "00515", - "rsa.misc.hardware_id": "taut", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "tanimi", - "rsa.network.network_port": 2206, - "service.type": "juniper", - "source.ip": "10.80.237.27", - "source.port": 2883, - "tags": [ - "forwarded", - "juniper.netscreen" - ], - "user.name": "ntiumto" - }, - { - "event.code": "00073", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "ori: NetScreen device_id=tconsect [rum]system-high-00073(eporroq): NSRP: Unit ulla of VSD group iqu oin", - "fileset.name": "netscreen", - "group.name": "iqu", - "input.type": "log", - "log.level": "high", - "log.offset": 3622, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.db.index": "oin", - "rsa.internal.messageid": "00073", - "rsa.misc.group": "iqu", - "rsa.misc.hardware_id": "tconsect", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "rum", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00030", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "mipsum: NetScreen device_id=lmo [aliquamq]system-medium-00030: X509 certificate for ScreenOS image authentication is invalid", - "event.outcome": "unknown", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "medium", - "log.offset": 3726, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00030", - "rsa.investigations.ec_outcome": "Error", - "rsa.investigations.ec_subject": "Certificate", - "rsa.investigations.ec_theme": "Authentication", - 
"rsa.misc.hardware_id": "lmo", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "aliquamq", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00034", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "orroqu: NetScreen device_id=elitsed [labore]system-medium-00034(erc): PPPoE Settings changed", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "medium", - "log.offset": 3851, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00034", - "rsa.misc.hardware_id": "elitsed", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "labore", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00612", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "ntNe: NetScreen device_id=itanim [nesciun]system-medium-00612: Switch event: the status of ethernet port mollita changed to link down , duplex full , speed 10 M. 
(2017-4-2 01:27:07)", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "medium", - "log.offset": 3944, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00612", - "rsa.misc.hardware_id": "itanim", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "nesciun", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00077", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "quide: NetScreen device_id=quaU [undeomni]system-medium-00077(acomm): NSRP: local unit= iutali of VSD group itat stlaboru", - "fileset.name": "netscreen", - "group.name": "itat", - "input.type": "log", - "log.level": "medium", - "log.offset": 4126, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.db.index": "stlaboru", - "rsa.internal.messageid": "00077", - "rsa.misc.group": "itat", - "rsa.misc.hardware_id": "quaU", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "undeomni", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00536", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "emq: NetScreen device_id=plicaboN [amc]system-high-00536(acommo): IKE 10.10.77.119: Dropped packet because remote gateway OK is not used in any VPN tunnel configurations", - "fileset.name": "netscreen", - "host.ip": "10.10.77.119", - "input.type": "log", - "log.level": "high", - "log.offset": 4248, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.ip": [ - "10.10.77.119" - ], - "rsa.internal.messageid": "00536", - "rsa.misc.hardware_id": "plicaboN", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "amc", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00536", - 
"event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "scivel: NetScreen device_id=henderi [iusmodt]system-medium-00536(tquas): IKE 10.200.22.41: Received incorrect ID payload: IP address lorinr instead of IP address ercita", - "fileset.name": "netscreen", - "host.ip": "10.200.22.41", - "input.type": "log", - "log.level": "medium", - "log.offset": 4418, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.ip": [ - "10.200.22.41" - ], - "rsa.internal.messageid": "00536", - "rsa.misc.hardware_id": "henderi", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "iusmodt", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00203", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "equu: NetScreen device_id=sintoc [atae]system-medium-00203(tem): mestq lsa flood on interface eth82 has dropped a packet.", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "medium", - "log.offset": 4587, - "network.interface.name": "eth82", - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00203", - "rsa.misc.hardware_id": "sintoc", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "atae", - "rsa.network.interface": "eth82", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00011", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "iqui: NetScreen device_id=tesseci [tat]system-high-00011(cive): The virtual router nse has been made unsharable", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "high", - "log.offset": 4709, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00011", - "rsa.misc.hardware_id": "tesseci", - 
"rsa.misc.node": "nse", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "tat", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00002", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "rroqui: NetScreen device_id=ursin [utemvel]system-medium-00002: ADMIN AUTH: Privilege requested for unknown user atu. Possible HA syncronization problem.", - "event.outcome": "unknown", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "medium", - "log.offset": 4821, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.user": [ - "atu" - ], - "rsa.internal.messageid": "00002", - "rsa.investigations.ec_outcome": "Error", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.hardware_id": "ursin", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "utemvel", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ], - "user.name": "atu" - }, - { - "event.code": "00206", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "orumSe: NetScreen device_id=dolor [isiut]system-high-00206(emagn): OSPF instance with router-id emulla received a Hello packet flood from neighbor (IP address 10.219.1.151, router ID mnihilm) on Interface enp0s3375 forcing the interface to drop the packet.", - "fileset.name": "netscreen", - "host.ip": "10.219.1.151", - "input.type": "log", - "log.level": "high", - "log.offset": 4975, - "network.interface.name": "enp0s3375", - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.ip": [ - "10.219.1.151" - ], - "rsa.internal.messageid": "00206", - "rsa.misc.hardware_id": "dolor", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "isiut", - "rsa.network.interface": "enp0s3375", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - 
"event.code": "00075", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "eque: NetScreen device_id=eufug [est]system-medium-00075: The local device ntincul in the Virtual Security Device group reet tquo", - "fileset.name": "netscreen", - "group.name": "reet", - "input.type": "log", - "log.level": "medium", - "log.offset": 5232, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.db.index": "tquo", - "rsa.internal.messageid": "00075", - "rsa.misc.group": "reet", - "rsa.misc.hardware_id": "eufug", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "est", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00026", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "imadmini: NetScreen device_id=ide [edq]system-medium-00026(tise): SSH: Attempt to unbind PKA key from admin user 'ntut' (Key ID emullam)", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "medium", - "log.offset": 5362, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.user": [ - "ntut" - ], - "rsa.internal.messageid": "00026", - "rsa.misc.hardware_id": "ide", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "edq", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ], - "user.name": "ntut" - }, - { - "event.code": "00048", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "ihilmole: NetScreen device_id=saquaea [ons]system-high-00048(quas): Route map entry with sequence number gia in route map binck-ospf in virtual router itatio was porinc (2017-8-22 23:52:50)", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "high", - "log.offset": 5499, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - 
"rsa.internal.messageid": "00048", - "rsa.misc.disposition": "porinc", - "rsa.misc.hardware_id": "saquaea", - "rsa.misc.node": "itatio", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "ons", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00050", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "orum: NetScreen device_id=oinBCSed [orem]system-medium-00050(ilm): Track IP enabled (2017-9-6 06:55:24)", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "medium", - "log.offset": 5689, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00050", - "rsa.misc.hardware_id": "oinBCSed", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "orem", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00555", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "ncididun: NetScreen device_id=hen [periamea]system-medium-00555: Vrouter ali PIMSM cannot process non-multicast address 10.158.18.51", - "fileset.name": "netscreen", - "host.ip": "10.158.18.51", - "input.type": "log", - "log.level": "medium", - "log.offset": 5793, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.ip": [ - "10.158.18.51" - ], - "rsa.internal.messageid": "00555", - "rsa.misc.hardware_id": "hen", - "rsa.misc.node": "ali", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "periamea", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00030", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "umwri: NetScreen device_id=odoc [atura]system-high-00030: SYSTEM CPU utilization is high (oreeu > nvo ) iamqui times in tassita minute (2017-10-4 21:00:32)<", - "fileset.name": 
"netscreen", - "input.type": "log", - "log.level": "high", - "log.offset": 5926, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00030", - "rsa.misc.hardware_id": "odoc", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "atura", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00003", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "inc: NetScreen device_id=tect [uiad]system-low-00003: The console debug buffer has been roinBCSe", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "low", - "log.offset": 6093, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00003", - "rsa.misc.disposition": "roinBCSe", - "rsa.misc.hardware_id": "tect", - "rsa.misc.severity": "low", - "rsa.misc.vsys": "uiad", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00026", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "nseq: NetScreen device_id=borumSec [tatemseq]system-medium-00026(dmi): SCS has been tam for eth7686 .", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "medium", - "log.offset": 6190, - "network.interface.name": "eth7686", - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00026", - "rsa.misc.disposition": "tam", - "rsa.misc.hardware_id": "borumSec", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "tatemseq", - "rsa.network.interface": "eth7686", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00620", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "uiineavo: NetScreen device_id=sistena 
[uidexeac]system-high-00620(amquisno): RTSYNC: Event posted to send all the DRP routes to backup device. (2017-11-16 18:08:15)", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "high", - "log.offset": 6292, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00620", - "rsa.misc.hardware_id": "sistena", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "uidexeac", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00025", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "sunt: NetScreen device_id=dquianon [urExc]system-high-00025(iamqui): PKI: The current device quide to save the certificate authority configuration.", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "high", - "log.offset": 6457, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00025", - "rsa.misc.disposition": "quide", - "rsa.misc.hardware_id": "dquianon", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "urExc", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00076", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "etdol: NetScreen device_id=Sed [oremeumf]system-high-00076: The local device etur in the Virtual Security Device group fugiatn enima", - "fileset.name": "netscreen", - "group.name": "fugiatn", - "input.type": "log", - "log.level": "high", - "log.offset": 6605, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.db.index": "enima", - "rsa.internal.messageid": "00076", - "rsa.misc.group": "fugiatn", - "rsa.misc.hardware_id": "Sed", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "oremeumf", - "service.type": "juniper", - "tags": [ - "forwarded", - 
"juniper.netscreen" - ] - }, - { - "event.code": "00524", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "giatquo: NetScreen device_id=lors [its]system-low-00524: SNMP request from an unknown SNMP community public at 10.46.217.155:76 has been received. (2017-12-29 15:15:58)", - "fileset.name": "netscreen", - "host.ip": "10.46.217.155", - "input.type": "log", - "log.level": "low", - "log.offset": 6738, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.ip": [ - "10.46.217.155" - ], - "rsa.internal.messageid": "00524", - "rsa.misc.hardware_id": "lors", - "rsa.misc.severity": "low", - "rsa.misc.vsys": "its", - "rsa.network.network_port": 76, - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00628", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "magnaa: NetScreen device_id=sumquiad [No Name]system-high-00628: audit log queue Event Log is overwritten (2018-1-12 22:18:32)", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "high", - "log.offset": 6907, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00628", - "rsa.misc.hardware_id": "sumquiad", - "rsa.misc.severity": "high", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00628", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "tnulapa: NetScreen device_id=madmi [No Name]system-high-00628(adeser): audit log queue Event Log is overwritten (2018-1-27 05:21:06)", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "high", - "log.offset": 7034, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00628", - "rsa.misc.hardware_id": "madmi", - 
"rsa.misc.severity": "high", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00556", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "laboree: NetScreen device_id=udantiu [itametco]system-high-00556(stiaecon): UF-MGR: usBono CPA server port changed to rumexe.", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "high", - "log.offset": 7167, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00556", - "rsa.misc.hardware_id": "udantiu", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "itametco", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00058", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "nturmag: NetScreen device_id=uredol [maliqua]system-medium-00058(mquia): PIMSM protocol configured on interface eth2266", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "medium", - "log.offset": 7293, - "network.interface.name": "eth2266", - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00058", - "rsa.misc.hardware_id": "uredol", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "maliqua", - "rsa.network.interface": "eth2266", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "destination.ip": "10.154.16.147", - "destination.port": 6881, - "event.code": "00625", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "ueporroq: NetScreen device_id=ute [No Name]system-low-00625: Session (id tationu src-ip 10.142.21.251 dst-ip 10.154.16.147 dst port 6881) route is valid. 
(2018-3-11 02:28:49)", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "low", - "log.offset": 7413, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.ip": [ - "10.142.21.251", - "10.154.16.147" - ], - "rsa.internal.messageid": "00625", - "rsa.misc.hardware_id": "ute", - "rsa.misc.log_session_id": "tationu", - "rsa.misc.severity": "low", - "service.type": "juniper", - "source.ip": "10.142.21.251", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "destination.ip": "10.119.53.68", - "destination.port": 1783, - "event.code": "00042", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "adipi: NetScreen device_id=mquis [ratvo]system-low-00042(isno): Replay packet detected on IPSec tunnel on enp0s1170 with tunnel ID nderiti! From 10.105.212.51 to 10.119.53.68/1783, giatqu (2018-3-25 09:31:24)", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "low", - "log.offset": 7588, - "network.interface.name": "enp0s1170", - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.ip": [ - "10.105.212.51", - "10.119.53.68" - ], - "rsa.db.index": "giatqu", - "rsa.internal.messageid": "00042", - "rsa.misc.hardware_id": "mquis", - "rsa.misc.severity": "low", - "rsa.misc.vsys": "ratvo", - "rsa.network.interface": "enp0s1170", - "service.type": "juniper", - "source.ip": "10.105.212.51", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00057", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "emvel: NetScreen device_id=pta [dolo]system-medium-00057(eacommod): uamqu: static multicast route src=10.174.2.175, grp=aparia input ifp = lo6813 output ifp = enp0s90 added", - "fileset.name": "netscreen", - "group.name": "aparia", - "input.type": "log", - "log.level": "medium", - "log.offset": 7797, - 
"observer.egress.interface.name": "enp0s90", - "observer.ingress.interface.name": "lo6813", - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.ip": [ - "10.174.2.175" - ], - "rsa.internal.messageid": "00057", - "rsa.misc.group": "aparia", - "rsa.misc.hardware_id": "pta", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "dolo", - "rsa.network.dinterface": "enp0s90", - "rsa.network.sinterface": "lo6813", - "service.type": "juniper", - "source.ip": "10.174.2.175", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00549", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "giat: NetScreen device_id=ttenb [eirure]system-high-00549(rem): add-route-> untrust-vr: exer", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "high", - "log.offset": 7970, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00549", - "rsa.misc.hardware_id": "ttenb", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "eirure", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00536", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "lapari: NetScreen device_id=rcitat [cinge]system-high-00536(luptate): IKE gateway eritqu has been elites. 
pariat", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "high", - "log.offset": 8063, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.db.index": "pariat", - "rsa.internal.messageid": "00536", - "rsa.misc.disposition": "elites", - "rsa.misc.hardware_id": "rcitat", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "cinge", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00049", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "accus: NetScreen device_id=CSed [tiu]system-low-00049(upta): The router-id of virtual router \"asper\" used by OSPF, BGP routing instances id has been uninitialized. (dictasun)", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "low", - "log.offset": 8176, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00049", - "rsa.misc.hardware_id": "CSed", - "rsa.misc.node": "asper", - "rsa.misc.severity": "low", - "rsa.misc.vsys": "tiu", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00064", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "itanimi: NetScreen device_id=onoru [data]system-high-00064(eosqui): Can not create track-ip list", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "high", - "log.offset": 8351, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00064", - "rsa.misc.hardware_id": "onoru", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "data", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00541", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "int: NetScreen 
device_id=ionevo [llitani]system-high-00541(itametco): The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from etcons to etco state, (neighbor router-id 1iuntN, ip-address 10.89.179.48). (2018-6-19 03:46:49)", - "fileset.name": "netscreen", - "host.ip": "10.89.179.48", - "input.type": "log", - "log.level": "high", - "log.offset": 8448, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.ip": [ - "10.89.179.48" - ], - "rsa.internal.messageid": "00541", - "rsa.misc.change_new": "etco", - "rsa.misc.change_old": "etcons", - "rsa.misc.hardware_id": "ionevo", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "llitani", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00017", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "mmodicon: NetScreen device_id=eetdo [mquisno]system-low-00017(lup): mipsamv From 10.57.108.5:5523 using protocol icmp on interface enp0s4987. 
The attack occurred 2282 times", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "low", - "log.offset": 8744, - "network.interface.name": "enp0s4987", - "network.protocol": "icmp", - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.ip": [ - "10.57.108.5" - ], - "rsa.counters.dclass_c1": 2282, - "rsa.counters.dclass_c1_str": "Number of times the attack occurred", - "rsa.internal.messageid": "00017", - "rsa.misc.hardware_id": "eetdo", - "rsa.misc.policy_name": "mipsamv", - "rsa.misc.severity": "low", - "rsa.misc.vsys": "mquisno", - "rsa.network.interface": "enp0s4987", - "service.type": "juniper", - "source.ip": "10.57.108.5", - "source.port": 5523, - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00263", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "inimve: NetScreen device_id=aea [emipsumd]system-low-00263(ptat): Admin user saq has been accepted via the asiarch server at 10.197.10.110", - "fileset.name": "netscreen", - "host.ip": "10.197.10.110", - "input.type": "log", - "log.level": "low", - "log.offset": 8917, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.ip": [ - "10.197.10.110" - ], - "related.user": [ - "saq" - ], - "rsa.identity.logon_type": "asiarch", - "rsa.internal.messageid": "00263", - "rsa.misc.hardware_id": "aea", - "rsa.misc.severity": "low", - "rsa.misc.vsys": "emipsumd", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ], - "user.name": "saq" - }, - { - "event.code": "00622", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "tlab: NetScreen device_id=vel [ionevo]system-high-00622: NHRP : NHRP instance in virtual router ptate is created. 
(2018-8-1 00:54:32)", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "high", - "log.offset": 9056, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00622", - "rsa.misc.hardware_id": "vel", - "rsa.misc.node": "ptate", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "ionevo", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00528", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "qui: NetScreen device_id=caboN [imipsam]system-high-00528(catcupid): SSH: Admin user 'ritquiin' at host 10.59.51.171 requested unsupported authentication method texplica", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "high", - "log.offset": 9190, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.ip": [ - "10.59.51.171" - ], - "related.user": [ - "ritquiin" - ], - "rsa.internal.messageid": "00528", - "rsa.misc.hardware_id": "caboN", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "imipsam", - "service.type": "juniper", - "source.ip": "10.59.51.171", - "tags": [ - "forwarded", - "juniper.netscreen" - ], - "user.name": "ritquiin" - }, - { - "event.code": "00071", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "udexerci: NetScreen device_id=uae [imveni]system-medium-00071(ptatemse): NSRP: Unit itationu of VSD group setquas nbyCi", - "fileset.name": "netscreen", - "group.name": "setquas", - "input.type": "log", - "log.level": "medium", - "log.offset": 9360, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.db.index": "nbyCi", - "rsa.internal.messageid": "00071", - "rsa.misc.group": "setquas", - "rsa.misc.hardware_id": "uae", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "imveni", - "service.type": "juniper", - 
"tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00018", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "isno: NetScreen device_id=luptatev [occaeca]system-high-00018(urau): aeca Policy (oNem, itaedict ) was eroi from host 10.80.103.229 by admin fugitsed (2018-9-12 22:02:15)", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "high", - "log.offset": 9480, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.ip": [ - "10.80.103.229" - ], - "related.user": [ - "fugitsed" - ], - "rsa.db.index": "itaedict", - "rsa.internal.messageid": "00018", - "rsa.misc.disposition": "eroi", - "rsa.misc.hardware_id": "luptatev", - "rsa.misc.policy_id": "oNem", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "occaeca", - "service.type": "juniper", - "source.ip": "10.80.103.229", - "tags": [ - "forwarded", - "juniper.netscreen" - ], - "user.name": "fugitsed" - }, - { - "event.code": "00207", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "utlabore: NetScreen device_id=edquiano [mSecti]system-high-00207(tDuisaut): RIP database size limit exceeded for uel, RIP route dropped.", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "high", - "log.offset": 9651, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00207", - "rsa.misc.hardware_id": "edquiano", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "mSecti", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00075", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "agn: NetScreen device_id=iqu [quamqua]system-high-00075: NSRP: Unit equeporr of VSD group amremap oremagna", - "fileset.name": "netscreen", - "group.name": "amremap", - "input.type": "log", - 
"log.level": "high", - "log.offset": 9788, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.db.index": "oremagna", - "rsa.internal.messageid": "00075", - "rsa.misc.group": "amremap", - "rsa.misc.hardware_id": "iqu", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "quamqua", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00040", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "ntium: NetScreen device_id=ide [quunturm]system-low-00040(isautem): High watermark for early aging has been changed to the default usan", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "low", - "log.offset": 9895, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00040", - "rsa.misc.hardware_id": "ide", - "rsa.misc.severity": "low", - "rsa.misc.vsys": "quunturm", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00524", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "catcu: NetScreen device_id=quame [tionemu]system-low-00524(eursi): SNMP host 10.163.9.35 cannot be removed from community uatDu because failure", - "fileset.name": "netscreen", - "host.ip": "10.163.9.35", - "input.type": "log", - "log.level": "low", - "log.offset": 10031, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.ip": [ - "10.163.9.35" - ], - "rsa.internal.messageid": "00524", - "rsa.misc.hardware_id": "quame", - "rsa.misc.result": "failure", - "rsa.misc.severity": "low", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "destination.ip": "10.193.80.21", - "destination.port": 5657, - "event.code": "00625", - "event.dataset": "juniper.netscreen", - "event.module": 
"juniper", - "event.original": "cteturad: NetScreen device_id=modi [No Name]system-low-00625(ecatcu): Session (id ntoccae src-ip 10.51.161.245 dst-ip 10.193.80.21 dst port 5657) route is valid. (2018-11-23 09:15:06)", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "low", - "log.offset": 10175, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.ip": [ - "10.193.80.21", - "10.51.161.245" - ], - "rsa.internal.messageid": "00625", - "rsa.misc.hardware_id": "modi", - "rsa.misc.log_session_id": "ntoccae", - "rsa.misc.severity": "low", - "service.type": "juniper", - "source.ip": "10.51.161.245", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00524", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "chit: NetScreen device_id=iusmodit [lor]system-high-00524(adeserun): SNMP request has been received, but success", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "high", - "log.offset": 10359, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00524", - "rsa.misc.hardware_id": "iusmodit", - "rsa.misc.result": "success", - "rsa.misc.severity": "high", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00072", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "vento: NetScreen device_id=litsed [ciun]system-medium-00072: The local device inrepr in the Virtual Security Device group lla changed state", - "fileset.name": "netscreen", - "group.name": "lla", - "input.type": "log", - "log.level": "medium", - "log.offset": 10472, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00072", - "rsa.misc.group": "lla", - "rsa.misc.hardware_id": "litsed", - "rsa.misc.severity": 
"medium", - "rsa.misc.vsys": "ciun", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00533", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "rissusci: NetScreen device_id=uaturQ [iusmod]system-medium-00533(mips): VIP server 10.41.222.7 is now responding", - "fileset.name": "netscreen", - "host.ip": "10.41.222.7", - "input.type": "log", - "log.level": "medium", - "log.offset": 10612, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.ip": [ - "10.41.222.7" - ], - "rsa.internal.messageid": "00533", - "rsa.misc.hardware_id": "uaturQ", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "iusmod", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00070", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "upta: NetScreen device_id=ivel [tmollita]system-low-00070(deFinib): NSRP: nsrp control channel change to lo4065", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "low", - "log.offset": 10725, - "network.interface.name": "lo4065", - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00070", - "rsa.misc.hardware_id": "ivel", - "rsa.misc.severity": "low", - "rsa.misc.vsys": "tmollita", - "rsa.network.interface": "lo4065", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "destination.ip": "10.134.20.213", - "event.code": "00040", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "ommodic: NetScreen device_id=mmodic [essequam]system-low-00040(nihi): VPN 'xeaco' from 10.134.20.213 is eavolupt (2019-2-2 20:27:57)", - "fileset.name": "netscreen", - "group.name": "xeaco", - "input.type": "log", - "log.level": "low", - "log.offset": 10837, - 
"observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.ip": [ - "10.134.20.213" - ], - "rsa.internal.messageid": "00040", - "rsa.misc.disposition": "eavolupt", - "rsa.misc.group": "xeaco", - "rsa.misc.hardware_id": "mmodic", - "rsa.misc.severity": "low", - "rsa.misc.vsys": "essequam", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00023", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "ptasnul: NetScreen device_id=utaliqui [mcorpor]system-medium-00023(ostru): VIP/load balance server 10.110.144.189 cannot be contacted", - "fileset.name": "netscreen", - "host.ip": "10.110.144.189", - "input.type": "log", - "log.level": "medium", - "log.offset": 10970, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.ip": [ - "10.110.144.189" - ], - "rsa.internal.messageid": "00023", - "rsa.misc.hardware_id": "utaliqui", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "mcorpor", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00034", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "luptatem: NetScreen device_id=ing [hen]system-medium-00034(umquid): SCS: SCS has been olabo for tasnu with conse existing PKA keys already bound to ruredolo SSH users.", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "medium", - "log.offset": 11104, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.user": [ - "tasnu" - ], - "rsa.internal.messageid": "00034", - "rsa.misc.disposition": "olabo", - "rsa.misc.hardware_id": "ing", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "hen", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ], - "user.name": "tasnu" - }, - { - "event.code": 
"00554", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "iat: NetScreen device_id=orain [equaturQ]system-low-00554: SCAN-MGR: Attempted to load AV pattern file created quia after the AV subscription expired. (Exp: Exce)", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "low", - "log.offset": 11272, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00554", - "rsa.misc.hardware_id": "orain", - "rsa.misc.severity": "low", - "rsa.misc.vsys": "equaturQ", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00541", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "dese: NetScreen device_id=ptasn [liqui]system-low-00541: ScreenOS invol serial # Loremips: Asset recovery has been cidun", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "low", - "log.offset": 11435, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00541", - "rsa.misc.disposition": "cidun", - "rsa.misc.hardware_id": "ptasn", - "rsa.misc.serial_number": "Loremips", - "rsa.misc.severity": "low", - "rsa.misc.vsys": "liqui", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00628", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "ole: NetScreen device_id=odi [tper]system-medium-00628(ectetur): audit log queue Event Log is overwritten (2019-4-15 07:40:49)", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "medium", - "log.offset": 11556, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00628", - "rsa.misc.hardware_id": "odi", - "rsa.misc.severity": "medium", - "service.type": "juniper", - 
"tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00628", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "iadolo: NetScreen device_id=ecatcup [No Name]system-high-00628: audit log queue Traffic Log is overwritten (2019-4-29 14:43:23)", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "high", - "log.offset": 11683, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00628", - "rsa.misc.hardware_id": "ecatcup", - "rsa.misc.severity": "high", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00538", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "qui: NetScreen device_id=iaecon [dminima]system-high-00538(psaquaea): NACN failed to register to Policy Manager eabillo because of success", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "high", - "log.offset": 11811, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00538", - "rsa.misc.hardware_id": "iaecon", - "rsa.misc.result": "success", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "dminima", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00075", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "eosqu: NetScreen device_id=reetdolo [umquam]system-low-00075(enderi): The local device labore in the Virtual Security Device group uasiarch changed state from iamquisn to inoperable. 
(2019-5-28 04:48:31)", - "fileset.name": "netscreen", - "group.name": "uasiarch", - "input.type": "log", - "log.level": "low", - "log.offset": 11950, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.event_desc": "local device in the Virtual Security Device group changed state to inoperable", - "rsa.internal.messageid": "00075", - "rsa.misc.event_state": "iamquisn", - "rsa.misc.group": "uasiarch", - "rsa.misc.hardware_id": "reetdolo", - "rsa.misc.severity": "low", - "rsa.misc.vsys": "umquam", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00535", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "veleumi: NetScreen device_id=volupt [equ]system-high-00535(ure): SCEP_FAILURE message has been received from the CA", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "high", - "log.offset": 12154, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00535", - "rsa.misc.hardware_id": "volupt", - "rsa.misc.result": "SCEP_FAILURE message", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "equ", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00026", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "reseo: NetScreen device_id=entoreve [rudexer]system-medium-00026(iruredol): IKE iad: Missing heartbeats have exceeded the threshold. 
All Phase 1 and 2 SAs have been removed", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "medium", - "log.offset": 12270, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00026", - "rsa.misc.hardware_id": "entoreve", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "rudexer", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00038", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "ptate: NetScreen device_id=oloreeu [imipsa]system-high-00038: OSPF routing instance in vrouter uame taevitae", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "high", - "log.offset": 12443, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00038", - "rsa.misc.disposition": "taevitae", - "rsa.misc.hardware_id": "oloreeu", - "rsa.misc.node": "uame", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "imipsa", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00003", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "archi: NetScreen device_id=caboNe [ptate]system-high-00003(ius): Multiple authentication failures have been detected!", - "event.outcome": "failure", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "high", - "log.offset": 12552, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00003", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.hardware_id": "caboNe", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "ptate", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00529", - 
"event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "remap: NetScreen device_id=ntium [veniamqu]system-high-00529: DNS entries have been refreshed by HA", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "high", - "log.offset": 12670, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00529", - "rsa.misc.hardware_id": "ntium", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "veniamqu", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "destination.ip": "10.185.50.112", - "destination.port": 7180, - "event.code": "00625", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "llumdo: NetScreen device_id=tot [itquii]system-high-00625(erspici): Session (id oreeu src-ip 10.126.150.15 dst-ip 10.185.50.112 dst port 7180) route is invalid. (2019-8-21 23:03:57)", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "high", - "log.offset": 12770, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.ip": [ - "10.126.150.15", - "10.185.50.112" - ], - "rsa.internal.messageid": "00625", - "rsa.misc.hardware_id": "tot", - "rsa.misc.log_session_id": "oreeu", - "rsa.misc.severity": "high", - "service.type": "juniper", - "source.ip": "10.126.150.15", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00521", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "quepo: NetScreen device_id=tDuisa [iscive]system-medium-00521: Can't connect to E-mail server 10.152.90.59", - "fileset.name": "netscreen", - "host.ip": "10.152.90.59", - "input.type": "log", - "log.level": "medium", - "log.offset": 12952, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.ip": [ - "10.152.90.59" - ], - 
"rsa.internal.messageid": "00521", - "rsa.misc.hardware_id": "tDuisa", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "iscive", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00077", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "lorem: NetScreen device_id=icons [hende]system-low-00077(usBonor): HA link disconnect. Begin to use second path of HA", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "low", - "log.offset": 13059, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00077", - "rsa.misc.hardware_id": "icons", - "rsa.misc.severity": "low", - "rsa.misc.vsys": "hende", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "destination.ip": "10.166.144.66", - "destination.port": 3051, - "event.code": "00625", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "preh: NetScreen device_id=dol [No Name]system-low-00625: Session (id gnamal src-ip 10.119.181.171 dst-ip 10.166.144.66 dst port 3051) route is invalid. 
(2019-10-3 20:11:40)", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "low", - "log.offset": 13177, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.ip": [ - "10.119.181.171", - "10.166.144.66" - ], - "rsa.internal.messageid": "00625", - "rsa.misc.hardware_id": "dol", - "rsa.misc.log_session_id": "gnamal", - "rsa.misc.severity": "low", - "service.type": "juniper", - "source.ip": "10.119.181.171", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00041", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "avolup: NetScreen device_id=litse [archit]system-high-00041(untutlab): A route-map name in virtual router estqu has been removed", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "high", - "log.offset": 13350, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00041", - "rsa.misc.hardware_id": "litse", - "rsa.misc.node": "estqu", - "rsa.misc.severity": "high", - "rsa.misc.vsys": "archit", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "event.code": "00038", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "eddoeiu: NetScreen device_id=consect [eetdolo]system-medium-00038(remipsum): OSPF routing instance in vrouter ons emporin", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "medium", - "log.offset": 13479, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00038", - "rsa.misc.disposition": "emporin", - "rsa.misc.hardware_id": "consect", - "rsa.misc.node": "ons", - "rsa.misc.severity": "medium", - "rsa.misc.vsys": "eetdolo", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - }, - { - "destination.ip": 
"10.96.218.99", - "destination.port": 277, - "event.code": "00021", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "texpl: NetScreen device_id=isquames [No Name]system-low-00021: DIP port-translation stickiness was atio by utla via ntm from host 10.96.165.147 to 10.96.218.99:277 (2019-11-15 17:19:22)", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "low", - "log.offset": 13601, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.ip": [ - "10.96.165.147", - "10.96.218.99" - ], - "related.user": [ - "utla" - ], - "rsa.db.index": "DIP port-translation stickiness was modified", - "rsa.identity.logon_type": "ntm", - "rsa.internal.messageid": "00021", - "rsa.misc.disposition": "atio", - "rsa.misc.hardware_id": "isquames", - "rsa.misc.severity": "low", - "service.type": "juniper", - "source.ip": "10.96.165.147", - "tags": [ - "forwarded", - "juniper.netscreen" - ], - "user.name": "utla" - }, - { - "destination.ip": "10.230.29.67", - "destination.port": 7478, - "event.code": "00021", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "elaudant: NetScreen device_id=ratvolu [odte]system-medium-00021(eum): DIP port-translation stickiness was uidol by repr via idu from host 10.201.72.59 to 10.230.29.67:7478 (2019-11-30 00:21:57)", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "medium", - "log.offset": 13787, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "related.ip": [ - "10.201.72.59", - "10.230.29.67" - ], - "related.user": [ - "repr" - ], - "rsa.db.index": "DIP port-translation stickiness was modified", - "rsa.identity.logon_type": "idu", - "rsa.internal.messageid": "00021", - "rsa.misc.disposition": "uidol", - "rsa.misc.hardware_id": "ratvolu", - "rsa.misc.severity": "medium", - "service.type": "juniper", - "source.ip": "10.201.72.59", - 
"tags": [ - "forwarded", - "juniper.netscreen" - ], - "user.name": "repr" - }, - { - "event.code": "00602", - "event.dataset": "juniper.netscreen", - "event.module": "juniper", - "event.original": "toc: NetScreen device_id=rau [sciuntN]system-low-00602: PIMSM Error in initializing interface state change", - "fileset.name": "netscreen", - "input.type": "log", - "log.level": "low", - "log.offset": 13981, - "observer.product": "Netscreen", - "observer.type": "Firewall", - "observer.vendor": "Juniper", - "rsa.internal.messageid": "00602", - "rsa.misc.hardware_id": "rau", - "rsa.misc.severity": "low", - "rsa.misc.vsys": "sciuntN", - "service.type": "juniper", - "tags": [ - "forwarded", - "juniper.netscreen" - ] - } -] \ No newline at end of file diff --git a/x-pack/filebeat/modules.d/juniper.yml.disabled b/x-pack/filebeat/modules.d/juniper.yml.disabled index 5fb85afc302..92f66eec68e 100644 --- a/x-pack/filebeat/modules.d/juniper.yml.disabled +++ b/x-pack/filebeat/modules.d/juniper.yml.disabled 
@@ -2,44 +2,6 @@ # Docs: https://www.elastic.co/guide/en/beats/filebeat/main/filebeat-module-juniper.html - module: juniper - junos: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9513 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - - netscreen: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9523 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - srx: enabled: false From 5b70649cca75419f136ed99d6fda10d8ea1aefe8 Mon Sep 17 00:00:00 2001 
From: Panos Koutsovasilis Date: Thu, 15 Feb 2024 13:44:16 +0200 Subject: [PATCH 11/22] feat: remove deprecated microsoft dhcp --- filebeat/docs/fields.asciidoc | 5427 ----------------- filebeat/docs/modules/microsoft.asciidoc | 47 - x-pack/filebeat/filebeat.reference.yml | 20 +- .../module/microsoft/_meta/config.yml | 20 +- .../module/microsoft/_meta/docs.asciidoc | 47 - .../module/microsoft/dhcp/_meta/fields.yml | 2635 -------- .../module/microsoft/dhcp/config/input.yml | 87 - .../microsoft/dhcp/config/liblogparser.js | 2514 -------- .../module/microsoft/dhcp/config/pipeline.js | 1057 ---- .../module/microsoft/dhcp/ingest/pipeline.yml | 64 - .../module/microsoft/dhcp/manifest.yml | 31 - .../module/microsoft/dhcp/test/generated.log | 100 - .../dhcp/test/generated.log-expected.json | 3234 ---------- x-pack/filebeat/module/microsoft/fields.go | 2 +- .../filebeat/modules.d/microsoft.yml.disabled | 20 +- 15 files changed, 4 insertions(+), 15301 deletions(-) delete mode 100644 x-pack/filebeat/module/microsoft/dhcp/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/microsoft/dhcp/config/input.yml delete mode 100644 x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js delete mode 100644 x-pack/filebeat/module/microsoft/dhcp/config/pipeline.js delete mode 100644 x-pack/filebeat/module/microsoft/dhcp/ingest/pipeline.yml delete mode 100644 x-pack/filebeat/module/microsoft/dhcp/manifest.yml delete mode 100644 x-pack/filebeat/module/microsoft/dhcp/test/generated.log delete mode 100644 x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index bb6a3f4ab52..569a3326b4a 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc 
@@ -38900,5433 +38900,6 @@ type: keyword Principal name of the user involved in the alert -type: keyword - --- - -*`network.interface.name`*:: -+ --- -Name of the network interface where the traffic has been observed. - - -type: keyword - --- - - - -*`rsa.internal.msg`*:: -+ --- -This key is used to capture the raw message that comes into the Log Decoder - -type: keyword - --- - -*`rsa.internal.messageid`*:: -+ --- -type: keyword - --- - -*`rsa.internal.event_desc`*:: -+ --- -type: keyword - --- - -*`rsa.internal.message`*:: -+ --- -This key captures the contents of instant messages - -type: keyword - --- - -*`rsa.internal.time`*:: -+ --- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: date - --- - -*`rsa.internal.level`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.msg_id`*:: -+ --- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.msg_vid`*:: -+ --- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.data`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_server`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_val`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.resource`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.internal.obj_id`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.statement`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.audit_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.entry`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.hcode`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.inode`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.resource_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.dead`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.feed_desc`*:: -+ --- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.feed_name`*:: -+ --- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.cid`*:: -+ --- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_class`*:: -+ --- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_group`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_host`*:: -+ --- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_ip`*:: -+ --- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_ipv6`*:: -+ --- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_type`*:: -+ --- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_type_id`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.did`*:: -+ --- -This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.entropy_req`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.entropy_res`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.event_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.feed_category`*:: -+ --- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.forward_ip`*:: -+ --- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: ip - --- - -*`rsa.internal.forward_ipv6`*:: -+ --- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.header_id`*:: -+ --- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_cid`*:: -+ --- -This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_ctime`*:: -+ --- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: date - --- - -*`rsa.internal.mcb_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcb_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcbc_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.mcbc_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.medium`*:: -+ --- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: long - --- - -*`rsa.internal.node_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.nwe_callback_id`*:: -+ --- -This key denotes that event is endpoint related - -type: keyword - --- - -*`rsa.internal.parse_error`*:: -+ --- -This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.payload_req`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.payload_res`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.process_vid_dst`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - -type: keyword - --- - -*`rsa.internal.process_vid_src`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - -type: keyword - --- - -*`rsa.internal.rid`*:: -+ --- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.session_split`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.site`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.size`*:: -+ --- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.sourcefile`*:: -+ --- -This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.ubc_req`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.ubc_res`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.word`*:: -+ --- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - -type: keyword - --- - - -*`rsa.time.event_time`*:: -+ --- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - -type: date - --- - -*`rsa.time.duration_time`*:: -+ --- -This key is used to capture the normalized duration/lifetime in seconds. 
- -type: double - --- - -*`rsa.time.event_time_str`*:: -+ --- -This key is used to capture the incomplete time mentioned in a session as a string - -type: keyword - --- - -*`rsa.time.starttime`*:: -+ --- -This key is used to capture the Start time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.month`*:: -+ --- -type: keyword - --- - -*`rsa.time.day`*:: -+ --- -type: keyword - --- - -*`rsa.time.endtime`*:: -+ --- -This key is used to capture the End time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.timezone`*:: -+ --- -This key is used to capture the timezone of the Event Time - -type: keyword - --- - -*`rsa.time.duration_str`*:: -+ --- -A text string version of the duration - -type: keyword - --- - -*`rsa.time.date`*:: -+ --- -type: keyword - --- - -*`rsa.time.year`*:: -+ --- -type: keyword - --- - -*`rsa.time.recorded_time`*:: -+ --- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date - --- - -*`rsa.time.datetime`*:: -+ --- -type: keyword - --- - -*`rsa.time.effective_time`*:: -+ --- -This key is the effective time referenced by an individual event in a Standard Timestamp format - -type: date - --- - -*`rsa.time.expire_time`*:: -+ --- -This key is the timestamp that explicitly refers to an expiration. - -type: date - --- - -*`rsa.time.process_time`*:: -+ --- -Deprecated, use duration.time - -type: keyword - --- - -*`rsa.time.hour`*:: -+ --- -type: keyword - --- - -*`rsa.time.min`*:: -+ --- -type: keyword - --- - -*`rsa.time.timestamp`*:: -+ --- -type: keyword - --- - -*`rsa.time.event_queue_time`*:: -+ --- -This key is the Time that the event was queued. 
- -type: date - --- - -*`rsa.time.p_time1`*:: -+ --- -type: keyword - --- - -*`rsa.time.tzone`*:: -+ --- -type: keyword - --- - -*`rsa.time.eventtime`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmtdate`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmttime`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_date`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_month`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time2`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_year`*:: -+ --- -type: keyword - --- - -*`rsa.time.expire_time_str`*:: -+ --- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. - -type: keyword - --- - -*`rsa.time.stamp`*:: -+ --- -Deprecated key defined only in table map. - -type: date - --- - - -*`rsa.misc.action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.result`*:: -+ --- -This key is used to capture the outcome/result string value of an action in a session. - -type: keyword - --- - -*`rsa.misc.severity`*:: -+ --- -This key is used to capture the severity given the session - -type: keyword - --- - -*`rsa.misc.event_type`*:: -+ --- -This key captures the event category type as specified by the event source. - -type: keyword - --- - -*`rsa.misc.reference_id`*:: -+ --- -This key is used to capture an event id from the session directly - -type: keyword - --- - -*`rsa.misc.version`*:: -+ --- -This key captures Version of the application or OS which is generating the event. - -type: keyword - --- - -*`rsa.misc.disposition`*:: -+ --- -This key captures the The end state of an action. 
- -type: keyword - --- - -*`rsa.misc.result_code`*:: -+ --- -This key is used to capture the outcome/result numeric value of an action in a session - -type: keyword - --- - -*`rsa.misc.category`*:: -+ --- -This key is used to capture the category of an event given by the vendor in the session - -type: keyword - --- - -*`rsa.misc.obj_name`*:: -+ --- -This is used to capture name of object - -type: keyword - --- - -*`rsa.misc.obj_type`*:: -+ --- -This is used to capture type of object - -type: keyword - --- - -*`rsa.misc.event_source`*:: -+ --- -This key captures Source of the event that’s not a hostname - -type: keyword - --- - -*`rsa.misc.log_session_id`*:: -+ --- -This key is used to capture a sessionid from the session directly - -type: keyword - --- - -*`rsa.misc.group`*:: -+ --- -This key captures the Group Name value - -type: keyword - --- - -*`rsa.misc.policy_name`*:: -+ --- -This key is used to capture the Policy Name only. - -type: keyword - --- - -*`rsa.misc.rule_name`*:: -+ --- -This key captures the Rule Name - -type: keyword - --- - -*`rsa.misc.context`*:: -+ --- -This key captures Information which adds additional context to the event. - -type: keyword - --- - -*`rsa.misc.change_new`*:: -+ --- -This key is used to capture the new values of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.space`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client`*:: -+ --- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- -type: keyword - --- - -*`rsa.misc.msgIdPart1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.change_old`*:: -+ --- -This key is used to capture the old value of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.operation_id`*:: -+ --- -An alert number or operation number. The values should be unique and non-repeating. - -type: keyword - --- - -*`rsa.misc.event_state`*:: -+ --- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - -type: keyword - --- - -*`rsa.misc.group_object`*:: -+ --- -This key captures a collection/grouping of entities. Specific usage - -type: keyword - --- - -*`rsa.misc.node`*:: -+ --- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - -type: keyword - --- - -*`rsa.misc.rule`*:: -+ --- -This key captures the Rule number - -type: keyword - --- - -*`rsa.misc.device_name`*:: -+ --- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - -type: keyword - --- - -*`rsa.misc.param`*:: -+ --- -This key is the parameters passed as part of a command or application, etc. - -type: keyword - --- - -*`rsa.misc.change_attrib`*:: -+ --- -This key is used to capture the name of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.event_computer`*:: -+ --- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- -type: keyword - --- - -*`rsa.misc.reference_id1`*:: -+ --- -This key is for Linked ID to be used as an addition to "reference.id" - -type: keyword - --- - -*`rsa.misc.event_log`*:: -+ --- -This key captures the Name of the event log - -type: keyword - --- - -*`rsa.misc.OS`*:: -+ --- -This key captures the Name of the Operating System - -type: keyword - --- - -*`rsa.misc.terminal`*:: -+ --- -This key captures the Terminal Names only - -type: keyword - --- - -*`rsa.misc.msgIdPart3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.filter`*:: -+ --- -This key captures Filter used to reduce result set - -type: keyword - --- - -*`rsa.misc.serial_number`*:: -+ --- -This key is the Serial number associated with a physical asset. - -type: keyword - --- - -*`rsa.misc.checksum`*:: -+ --- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - -type: keyword - --- - -*`rsa.misc.event_user`*:: -+ --- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - -type: keyword - --- - -*`rsa.misc.virusname`*:: -+ --- -This key captures the name of the virus - -type: keyword - --- - -*`rsa.misc.content_type`*:: -+ --- -This key is used to capture Content Type only. - -type: keyword - --- - -*`rsa.misc.group_id`*:: -+ --- -This key captures Group ID Number (related to the group name) - -type: keyword - --- - -*`rsa.misc.policy_id`*:: -+ --- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - -type: keyword - --- - -*`rsa.misc.vsys`*:: -+ --- -This key captures Virtual System Name - -type: keyword - --- - -*`rsa.misc.connection_id`*:: -+ --- -This key captures the Connection ID - -type: keyword - --- - -*`rsa.misc.reference_id2`*:: -+ --- -This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - -type: keyword - --- - -*`rsa.misc.sensor`*:: -+ --- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - -type: keyword - --- - -*`rsa.misc.sig_id`*:: -+ --- -This key captures IDS/IPS Int Signature ID - -type: long - --- - -*`rsa.misc.port_name`*:: -+ --- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - -type: keyword - --- - -*`rsa.misc.rule_group`*:: -+ --- -This key captures the Rule group name - -type: keyword - --- - -*`rsa.misc.risk_num`*:: -+ --- -This key captures a Numeric Risk value - -type: double - --- - -*`rsa.misc.trigger_val`*:: -+ --- -This key captures the Value of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.log_session_id1`*:: -+ --- -This key is used to capture a Linked (Related) Session ID from the session directly - -type: keyword - --- - -*`rsa.misc.comp_version`*:: -+ --- -This key captures the Version level of a sub-component of a product. - -type: keyword - --- - -*`rsa.misc.content_version`*:: -+ --- -This key captures Version level of a signature or database content. - -type: keyword - --- - -*`rsa.misc.hardware_id`*:: -+ --- -This key is used to capture unique identifier for a device or system (NOT a Mac address) - -type: keyword - --- - -*`rsa.misc.risk`*:: -+ --- -This key captures the non-numeric risk value - -type: keyword - --- - -*`rsa.misc.event_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.reason`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mail_id`*:: -+ --- -This key is used to capture the mailbox id/name - -type: keyword - --- - -*`rsa.misc.rule_uid`*:: -+ --- -This key is the Unique Identifier for a rule. 
- -type: keyword - --- - -*`rsa.misc.trigger_desc`*:: -+ --- -This key captures the Description of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.inout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.data_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.error`*:: -+ --- -This key captures All non successful Error codes or responses - -type: keyword - --- - -*`rsa.misc.index`*:: -+ --- -type: keyword - --- - -*`rsa.misc.listnum`*:: -+ --- -This key is used to capture listname or listnumber, primarily for collecting access-list - -type: keyword - --- - -*`rsa.misc.ntype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.observed_val`*:: -+ --- -This key captures the Value observed (from the perspective of the device generating the log). - -type: keyword - --- - -*`rsa.misc.policy_value`*:: -+ --- -This key captures the contents of the policy. This contains details about the policy - -type: keyword - --- - -*`rsa.misc.pool_name`*:: -+ --- -This key captures the name of a resource pool - -type: keyword - --- - -*`rsa.misc.rule_template`*:: -+ --- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - -type: keyword - --- - -*`rsa.misc.count`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigcat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comments`*:: -+ --- -Comment information provided in the log message - -type: keyword - --- - -*`rsa.misc.doc_number`*:: -+ --- -This key captures File Identification number - -type: long - --- - -*`rsa.misc.expected_val`*:: -+ --- -This key captures the Value expected (from the perspective of the device generating the log). 
- -type: keyword - --- - -*`rsa.misc.job_num`*:: -+ --- -This key captures the Job Number - -type: keyword - --- - -*`rsa.misc.spi_dst`*:: -+ --- -Destination SPI Index - -type: keyword - --- - -*`rsa.misc.spi_src`*:: -+ --- -Source SPI Index - -type: keyword - --- - -*`rsa.misc.code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.agent_id`*:: -+ --- -This key is used to capture agent id - -type: keyword - --- - -*`rsa.misc.message_body`*:: -+ --- -This key captures the The contents of the message body. - -type: keyword - --- - -*`rsa.misc.phone`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sig_id_str`*:: -+ --- -This key captures a string object of the sigid variable. - -type: keyword - --- - -*`rsa.misc.cmd`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu`*:: -+ --- -This key is the CPU time used in the execution of the event being recorded. - -type: long - --- - -*`rsa.misc.event_desc`*:: -+ --- -This key is used to capture a description of an event available directly or inferred - -type: keyword - --- - -*`rsa.misc.sig_id1`*:: -+ --- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - -type: long - --- - -*`rsa.misc.im_buddyid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_client`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.priority`*:: -+ --- -type: keyword - --- - -*`rsa.misc.context_subject`*:: -+ --- -This key is to be used in an audit context where the subject is the object being identified - -type: keyword - --- - -*`rsa.misc.context_target`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cve`*:: -+ --- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - -type: keyword - --- - -*`rsa.misc.fcatnum`*:: -+ --- -This key captures Filter Category Number. 
Legacy Usage - -type: keyword - --- - -*`rsa.misc.library`*:: -+ --- -This key is used to capture library information in mainframe devices - -type: keyword - --- - -*`rsa.misc.parent_node`*:: -+ --- -This key captures the Parent Node Name. Must be related to node variable. - -type: keyword - --- - -*`rsa.misc.risk_info`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.tcp_flags`*:: -+ --- -This key is captures the TCP flags set in any packet of session - -type: long - --- - -*`rsa.misc.tos`*:: -+ --- -This key describes the type of service - -type: long - --- - -*`rsa.misc.vm_target`*:: -+ --- -VMWare Target **VMWARE** only varaible. - -type: keyword - --- - -*`rsa.misc.workspace`*:: -+ --- -This key captures Workspace Description - -type: keyword - --- - -*`rsa.misc.command`*:: -+ --- -type: keyword - --- - -*`rsa.misc.event_category`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facilityname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.forensic_info`*:: -+ --- -type: keyword - --- - -*`rsa.misc.jobname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy_waiver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.second`*:: -+ --- -type: keyword - --- - -*`rsa.misc.space1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.subcategory`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alert_id`*:: -+ --- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.checksum_dst`*:: -+ --- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - -type: keyword - --- - -*`rsa.misc.checksum_src`*:: -+ --- -This key is used to capture the checksum or hash of the source entity such as a file or process. 
- -type: keyword - --- - -*`rsa.misc.fresult`*:: -+ --- -This key captures the Filter Result - -type: long - --- - -*`rsa.misc.payload_dst`*:: -+ --- -This key is used to capture destination payload - -type: keyword - --- - -*`rsa.misc.payload_src`*:: -+ --- -This key is used to capture source payload - -type: keyword - --- - -*`rsa.misc.pool_id`*:: -+ --- -This key captures the identifier (typically numeric field) of a resource pool - -type: keyword - --- - -*`rsa.misc.process_id_val`*:: -+ --- -This key is a failure key for Process ID when it is not an integer value - -type: keyword - --- - -*`rsa.misc.risk_num_comm`*:: -+ --- -This key captures Risk Number Community - -type: double - --- - -*`rsa.misc.risk_num_next`*:: -+ --- -This key captures Risk Number NextGen - -type: double - --- - -*`rsa.misc.risk_num_sand`*:: -+ --- -This key captures Risk Number SandBox - -type: double - --- - -*`rsa.misc.risk_num_static`*:: -+ --- -This key captures Risk Number Static - -type: double - --- - -*`rsa.misc.risk_suspicious`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.risk_warning`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.snmp_oid`*:: -+ --- -SNMP Object Identifier - -type: keyword - --- - -*`rsa.misc.sql`*:: -+ --- -This key captures the SQL query - -type: keyword - --- - -*`rsa.misc.vuln_ref`*:: -+ --- -This key captures the Vulnerability Reference details - -type: keyword - --- - -*`rsa.misc.acl_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_op`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_pos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_table`*:: -+ --- -type: keyword - --- - -*`rsa.misc.admin`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarm_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarmname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.app_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.audit`*:: 
-+ --- -type: keyword - --- - -*`rsa.misc.audit_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.auditdata`*:: -+ --- -type: keyword - --- - -*`rsa.misc.benchmark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.bypass`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache_hit`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cefversion`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_attr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_obj`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_path`*:: -+ --- -type: keyword - --- - -*`rsa.misc.changes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client_ip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.clustermembers`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_acttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_asn_src`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_bgpv4nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ctr_dst_code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_f_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampintv`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampmode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inacttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermbyts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermpckts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_invalid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ip_proto_ver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ipv4_ident`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_l_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_did`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_rid`*:: -+ --- -type: keyword - 
--- - -*`rsa.misc.cn_max_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_maxpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_min_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_minpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_10`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_5`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_6`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_7`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_8`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_9`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_byt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_pks`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_muligmptype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampalgo`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampint`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_seqctr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_spackets`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sysuptime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_template_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totbytsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totflowexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totpcktsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_unixnanosecs`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6flowlabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6optheaders`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.comp_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_rbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_sbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.criticality`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_agency_dst`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_analyzedby`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_other`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_primary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_secondary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bgpv6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bit9status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_context`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_control`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_datecret`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_dst_tld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_dst_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_src_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_event_uuid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_filetype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_desc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ip_next_hop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4dstpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4srcpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_lifetime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_log_medium`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_loginname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulescore`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulesign`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_opswatresult`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.cs_payload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrant`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrar`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_represult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_rpayload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sampler_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sourcemodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_streams`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_targetmodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_v6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_whois_server`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_yararesult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.description`*:: -+ --- -type: keyword - --- - -*`rsa.misc.devvendor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.distance`*:: -+ --- -type: keyword - --- - -*`rsa.misc.dstburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomaub`*:: -+ --- -type: keyword - --- - -*`rsa.misc.euid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facility`*:: -+ --- -type: keyword - --- - -*`rsa.misc.finterface`*:: -+ --- -type: keyword - --- - -*`rsa.misc.flags`*:: -+ --- -type: keyword - --- - -*`rsa.misc.gaddr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.id3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_buddyname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomtype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_members`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_username`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipscat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipspri`*:: -+ --- -type: keyword - --- - -*`rsa.misc.latitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.linenum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.list_name`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.load_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_floor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_mark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.longitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.lport`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mbug_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msg_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.netsessid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.nwwn`*:: -+ --- -type: keyword - --- - -*`rsa.misc.object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.operation`*:: -+ --- -type: keyword - --- - -*`rsa.misc.opkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.orig_from`*:: -+ --- -type: keyword - --- - -*`rsa.misc.owner_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_filter`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_group_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_result1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_chg`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_expire`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permgranted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permwanted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pgid`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.policyUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.prog_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.program`*:: -+ --- -type: keyword - --- - -*`rsa.misc.real_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_device`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_library`*:: -+ --- -type: keyword - --- - -*`rsa.misc.recordnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ruid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sdomain_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sec`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sensorname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.seqnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.session`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sessiontype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.spi`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcservice`*:: -+ --- -type: keyword - --- - -*`rsa.misc.state`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.svcno`*:: -+ --- -type: keyword - --- - -*`rsa.misc.system`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.threshold`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.udb_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.url_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.user_div`*:: -+ --- -type: keyword - --- - -*`rsa.misc.userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.username_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.utcstamp`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.v_instafname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.virt_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.vpnid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.autorun_type`*:: -+ --- -This is used to capture Auto Run type - -type: keyword - --- - -*`rsa.misc.cc_number`*:: -+ --- -Valid Credit Card Numbers only - -type: long - --- - -*`rsa.misc.content`*:: -+ --- -This key captures the content type from protocol headers - -type: keyword - --- - -*`rsa.misc.ein_number`*:: -+ --- -Employee Identification Numbers only - -type: long - --- - -*`rsa.misc.found`*:: -+ --- -This is used to capture the results of regex match - -type: keyword - --- - -*`rsa.misc.language`*:: -+ --- -This is used to capture list of languages the client support and what it prefers - -type: keyword - --- - -*`rsa.misc.lifetime`*:: -+ --- -This key is used to capture the session lifetime in seconds. - -type: long - --- - -*`rsa.misc.link`*:: -+ --- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.misc.match`*:: -+ --- -This key is for regex match name from search.ini - -type: keyword - --- - -*`rsa.misc.param_dst`*:: -+ --- -This key captures the command line/launch argument of the target process or file - -type: keyword - --- - -*`rsa.misc.param_src`*:: -+ --- -This key captures source parameter - -type: keyword - --- - -*`rsa.misc.search_text`*:: -+ --- -This key captures the Search Text used - -type: keyword - --- - -*`rsa.misc.sig_name`*:: -+ --- -This key is used to capture the Signature Name only. - -type: keyword - --- - -*`rsa.misc.snmp_value`*:: -+ --- -SNMP set request value - -type: keyword - --- - -*`rsa.misc.streams`*:: -+ --- -This key captures number of streams in session - -type: long - --- - - -*`rsa.db.index`*:: -+ --- -This key captures IndexID of the index. 
- -type: keyword - --- - -*`rsa.db.instance`*:: -+ --- -This key is used to capture the database server instance name - -type: keyword - --- - -*`rsa.db.database`*:: -+ --- -This key is used to capture the name of a database or an instance as seen in a session - -type: keyword - --- - -*`rsa.db.transact_id`*:: -+ --- -This key captures the SQL transantion ID of the current session - -type: keyword - --- - -*`rsa.db.permissions`*:: -+ --- -This key captures permission or privilege level assigned to a resource. - -type: keyword - --- - -*`rsa.db.table_name`*:: -+ --- -This key is used to capture the table name - -type: keyword - --- - -*`rsa.db.db_id`*:: -+ --- -This key is used to capture the unique identifier for a database - -type: keyword - --- - -*`rsa.db.db_pid`*:: -+ --- -This key captures the process id of a connection with database server - -type: long - --- - -*`rsa.db.lread`*:: -+ --- -This key is used for the number of logical reads - -type: long - --- - -*`rsa.db.lwrite`*:: -+ --- -This key is used for the number of logical writes - -type: long - --- - -*`rsa.db.pread`*:: -+ --- -This key is used for the number of physical writes - -type: long - --- - - -*`rsa.network.alias_host`*:: -+ --- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - -type: keyword - --- - -*`rsa.network.domain`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_dst`*:: -+ --- -This key should only be used when it’s a Destination Hostname - -type: keyword - --- - -*`rsa.network.network_service`*:: -+ --- -This is used to capture layer 7 protocols/service names - -type: keyword - --- - -*`rsa.network.interface`*:: -+ --- -This key should be used when the source or destination context of an interface is not clear - -type: keyword - --- - -*`rsa.network.network_port`*:: -+ --- -Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) - -type: long - --- - -*`rsa.network.eth_host`*:: -+ --- -Deprecated, use alias.mac - -type: keyword - --- - -*`rsa.network.sinterface`*:: -+ --- -This key should only be used when it’s a Source Interface - -type: keyword - --- - -*`rsa.network.dinterface`*:: -+ --- -This key should only be used when it’s a Destination Interface - -type: keyword - --- - -*`rsa.network.vlan`*:: -+ --- -This key should only be used to capture the ID of the Virtual LAN - -type: long - --- - -*`rsa.network.zone_src`*:: -+ --- -This key should only be used when it’s a Source Zone. - -type: keyword - --- - -*`rsa.network.zone`*:: -+ --- -This key should be used when the source or destination context of a Zone is not clear - -type: keyword - --- - -*`rsa.network.zone_dst`*:: -+ --- -This key should only be used when it’s a Destination Zone. - -type: keyword - --- - -*`rsa.network.gateway`*:: -+ --- -This key is used to capture the IP Address of the gateway - -type: keyword - --- - -*`rsa.network.icmp_type`*:: -+ --- -This key is used to capture the ICMP type only - -type: long - --- - -*`rsa.network.mask`*:: -+ --- -This key is used to capture the device network IPmask. 
- -type: keyword - --- - -*`rsa.network.icmp_code`*:: -+ --- -This key is used to capture the ICMP code only - -type: long - --- - -*`rsa.network.protocol_detail`*:: -+ --- -This key should be used to capture additional protocol information - -type: keyword - --- - -*`rsa.network.dmask`*:: -+ --- -This key is used for Destionation Device network mask - -type: keyword - --- - -*`rsa.network.port`*:: -+ --- -This key should only be used to capture a Network Port when the directionality is not clear - -type: long - --- - -*`rsa.network.smask`*:: -+ --- -This key is used for capturing source Network Mask - -type: keyword - --- - -*`rsa.network.netname`*:: -+ --- -This key is used to capture the network name associated with an IP range. This is configured by the end user. - -type: keyword - --- - -*`rsa.network.paddr`*:: -+ --- -Deprecated - -type: ip - --- - -*`rsa.network.faddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.lhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.origin`*:: -+ --- -type: keyword - --- - -*`rsa.network.remote_domain_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.addr`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_a_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_ptr_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.fhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.fport`*:: -+ --- -type: keyword - --- - -*`rsa.network.laddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.linterface`*:: -+ --- -type: keyword - --- - -*`rsa.network.phost`*:: -+ --- -type: keyword - --- - -*`rsa.network.ad_computer_dst`*:: -+ --- -Deprecated, use host.dst - -type: keyword - --- - -*`rsa.network.eth_type`*:: -+ --- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: long - --- - -*`rsa.network.ip_proto`*:: -+ --- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - -type: long - --- - -*`rsa.network.dns_cname_record`*:: -+ --- 
-type: keyword - --- - -*`rsa.network.dns_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_opcode`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_resp`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.domain1`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.packet_length`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_orig`*:: -+ --- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - -type: keyword - --- - -*`rsa.network.rpayload`*:: -+ --- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. - -type: keyword - --- - -*`rsa.network.vlan_name`*:: -+ --- -This key should only be used to capture the name of the Virtual LAN - -type: keyword - --- - - -*`rsa.investigations.ec_activity`*:: -+ --- -This key captures the particular event activity(Ex:Logoff) - -type: keyword - --- - -*`rsa.investigations.ec_theme`*:: -+ --- -This key captures the Theme of a particular Event(Ex:Authentication) - -type: keyword - --- - -*`rsa.investigations.ec_subject`*:: -+ --- -This key captures the Subject of a particular Event(Ex:User) - -type: keyword - --- - -*`rsa.investigations.ec_outcome`*:: -+ --- -This key captures the outcome of a particular Event(Ex:Success) - -type: keyword - --- - -*`rsa.investigations.event_cat`*:: -+ --- -This key captures the Event category number - -type: long - --- - -*`rsa.investigations.event_cat_name`*:: -+ --- -This key captures the event category name corresponding to the event cat code - -type: keyword - --- - -*`rsa.investigations.event_vcat`*:: -+ --- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - -type: keyword - --- - -*`rsa.investigations.analysis_file`*:: -+ --- -This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - -type: keyword - --- - -*`rsa.investigations.analysis_service`*:: -+ --- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - -type: keyword - --- - -*`rsa.investigations.analysis_session`*:: -+ --- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - -type: keyword - --- - -*`rsa.investigations.boc`*:: -+ --- -This is used to capture behaviour of compromise - -type: keyword - --- - -*`rsa.investigations.eoc`*:: -+ --- -This is used to capture Enablers of Compromise - -type: keyword - --- - -*`rsa.investigations.inv_category`*:: -+ --- -This used to capture investigation category - -type: keyword - --- - -*`rsa.investigations.inv_context`*:: -+ --- -This used to capture investigation context - -type: keyword - --- - -*`rsa.investigations.ioc`*:: -+ --- -This is key capture indicator of compromise - -type: keyword - --- - - -*`rsa.counters.dclass_c1`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c1.str only - -type: long - --- - -*`rsa.counters.dclass_c2`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c2.str only - -type: long - --- - -*`rsa.counters.event_counter`*:: -+ --- -This is used to capture the number of times an event repeated - -type: long - --- - -*`rsa.counters.dclass_r1`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r1.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c3.str only - -type: long - --- - -*`rsa.counters.dclass_c1_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c1 only - -type: keyword - --- - -*`rsa.counters.dclass_c2_str`*:: -+ --- -This is a generic counter string key that should be 
used with the label dclass.c2 only - -type: keyword - --- - -*`rsa.counters.dclass_r1_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r1 only - -type: keyword - --- - -*`rsa.counters.dclass_r2`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r2.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c3 only - -type: keyword - --- - -*`rsa.counters.dclass_r3`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r3.str only - -type: keyword - --- - -*`rsa.counters.dclass_r2_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r2 only - -type: keyword - --- - -*`rsa.counters.dclass_r3_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r3 only - -type: keyword - --- - - -*`rsa.identity.auth_method`*:: -+ --- -This key is used to capture authentication methods used only - -type: keyword - --- - -*`rsa.identity.user_role`*:: -+ --- -This key is used to capture the Role of a user only - -type: keyword - --- - -*`rsa.identity.dn`*:: -+ --- -X.500 (LDAP) Distinguished Name - -type: keyword - --- - -*`rsa.identity.logon_type`*:: -+ --- -This key is used to capture the type of logon method used. 
- -type: keyword - --- - -*`rsa.identity.profile`*:: -+ --- -This key is used to capture the user profile - -type: keyword - --- - -*`rsa.identity.accesses`*:: -+ --- -This key is used to capture actual privileges used in accessing an object - -type: keyword - --- - -*`rsa.identity.realm`*:: -+ --- -Radius realm or similar grouping of accounts - -type: keyword - --- - -*`rsa.identity.user_sid_dst`*:: -+ --- -This key captures Destination User Session ID - -type: keyword - --- - -*`rsa.identity.dn_src`*:: -+ --- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - -type: keyword - --- - -*`rsa.identity.org`*:: -+ --- -This key captures the User organization - -type: keyword - --- - -*`rsa.identity.dn_dst`*:: -+ --- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - -type: keyword - --- - -*`rsa.identity.firstname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.lastname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.user_dept`*:: -+ --- -User's Department Names only - -type: keyword - --- - -*`rsa.identity.user_sid_src`*:: -+ --- -This key captures Source User Session ID - -type: keyword - --- - -*`rsa.identity.federated_sp`*:: -+ --- -This key is the Federated Service Provider. This is the application requesting authentication. - -type: keyword - --- - -*`rsa.identity.federated_idp`*:: -+ --- -This key is the federated Identity Provider. This is the server providing the authentication. - -type: keyword - --- - -*`rsa.identity.logon_type_desc`*:: -+ --- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- -type: keyword - --- - -*`rsa.identity.middlename`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.password`*:: -+ --- -This key is for Passwords seen in any session, plain text or encrypted - -type: keyword - --- - -*`rsa.identity.host_role`*:: -+ --- -This key should only be used to capture the role of a Host Machine - -type: keyword - --- - -*`rsa.identity.ldap`*:: -+ --- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - -type: keyword - --- - -*`rsa.identity.ldap_query`*:: -+ --- -This key is the Search criteria from an LDAP search - -type: keyword - --- - -*`rsa.identity.ldap_response`*:: -+ --- -This key is to capture Results from an LDAP search - -type: keyword - --- - -*`rsa.identity.owner`*:: -+ --- -This is used to capture username the process or service is running as, the author of the task - -type: keyword - --- - -*`rsa.identity.service_account`*:: -+ --- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - -type: keyword - --- - - -*`rsa.email.email_dst`*:: -+ --- -This key is used to capture the Destination email address only, when the destination context is not clear use email - -type: keyword - --- - -*`rsa.email.email_src`*:: -+ --- -This key is used to capture the source email address only, when the source context is not clear use email - -type: keyword - --- - -*`rsa.email.subject`*:: -+ --- -This key is used to capture the subject string from an Email only. - -type: keyword - --- - -*`rsa.email.email`*:: -+ --- -This key is used to capture a generic email address where the source or destination context is not clear - -type: keyword - --- - -*`rsa.email.trans_from`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.email.trans_to`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - - -*`rsa.file.privilege`*:: -+ --- -Deprecated, use permissions - -type: keyword - --- - -*`rsa.file.attachment`*:: -+ --- -This key captures the attachment file name - -type: keyword - --- - -*`rsa.file.filesystem`*:: -+ --- -type: keyword - --- - -*`rsa.file.binary`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.file.filename_dst`*:: -+ --- -This is used to capture name of the file targeted by the action - -type: keyword - --- - -*`rsa.file.filename_src`*:: -+ --- -This is used to capture name of the parent filename, the file which performed the action - -type: keyword - --- - -*`rsa.file.filename_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.file.directory_dst`*:: -+ --- -This key is used to capture the directory of the target process or file - -type: keyword - --- - -*`rsa.file.directory_src`*:: -+ --- -This key is used to capture the directory of the source process or file - -type: keyword - --- - -*`rsa.file.file_entropy`*:: -+ --- -This is used to capture entropy vale of a file - -type: double - --- - -*`rsa.file.file_vendor`*:: -+ --- -This is used to capture Company name of file located in version_info - -type: keyword - --- - -*`rsa.file.task_name`*:: -+ --- -This is used to capture name of the task - -type: keyword - --- - - -*`rsa.web.fqdn`*:: -+ --- -Fully Qualified Domain Names - -type: keyword - --- - -*`rsa.web.web_cookie`*:: -+ --- -This key is used to capture the Web cookies specifically. - -type: keyword - --- - -*`rsa.web.alias_host`*:: -+ --- -type: keyword - --- - -*`rsa.web.reputation_num`*:: -+ --- -Reputation Number of an entity. 
Typically used for Web Domains - -type: double - --- - -*`rsa.web.web_ref_domain`*:: -+ --- -Web referer's domain - -type: keyword - --- - -*`rsa.web.web_ref_query`*:: -+ --- -This key captures Web referer's query portion of the URL - -type: keyword - --- - -*`rsa.web.remote_domain`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_ref_page`*:: -+ --- -This key captures Web referer's page information - -type: keyword - --- - -*`rsa.web.web_ref_root`*:: -+ --- -Web referer's root URL path - -type: keyword - --- - -*`rsa.web.cn_asn_dst`*:: -+ --- -type: keyword - --- - -*`rsa.web.cn_rpackets`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlpage`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlroot`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_url`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_user_agent`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_cookie`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_method`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_referer`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_extension_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_page`*:: -+ --- -type: keyword - --- - - -*`rsa.threat.threat_category`*:: -+ --- -This key captures Threat Name/Threat Category/Categorization of alert - -type: keyword - --- - -*`rsa.threat.threat_desc`*:: -+ --- -This key is used to capture the threat description from the session directly or inferred - -type: keyword - --- - -*`rsa.threat.alert`*:: -+ --- -This key is used to capture name of the alert - -type: keyword - --- - -*`rsa.threat.threat_source`*:: -+ --- -This key is used to capture source of the threat - -type: keyword - --- - - -*`rsa.crypto.crypto`*:: -+ --- -This key is used to capture the Encryption Type or Encryption Key only - -type: keyword - --- - -*`rsa.crypto.cipher_src`*:: -+ --- -This key is for Source (Client) Cipher - -type: keyword - --- - -*`rsa.crypto.cert_subject`*:: -+ --- -This key is used to capture the Certificate organization only - -type: keyword - --- 
- -*`rsa.crypto.peer`*:: -+ --- -This key is for Encryption peer's IP Address - -type: keyword - --- - -*`rsa.crypto.cipher_size_src`*:: -+ --- -This key captures Source (Client) Cipher Size - -type: long - --- - -*`rsa.crypto.ike`*:: -+ --- -IKE negotiation phase. - -type: keyword - --- - -*`rsa.crypto.scheme`*:: -+ --- -This key captures the Encryption scheme used - -type: keyword - --- - -*`rsa.crypto.peer_id`*:: -+ --- -This key is for Encryption peer’s identity - -type: keyword - --- - -*`rsa.crypto.sig_type`*:: -+ --- -This key captures the Signature Type - -type: keyword - --- - -*`rsa.crypto.cert_issuer`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.crypto.cert_error`*:: -+ --- -This key captures the Certificate Error String - -type: keyword - --- - -*`rsa.crypto.cipher_dst`*:: -+ --- -This key is for Destination (Server) Cipher - -type: keyword - --- - -*`rsa.crypto.cipher_size_dst`*:: -+ --- -This key captures Destination (Server) Cipher Size - -type: long - --- - -*`rsa.crypto.ssl_ver_src`*:: -+ --- -Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.d_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.s_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.ike_cookie1`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase One - -type: keyword - --- - -*`rsa.crypto.ike_cookie2`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase Two - -type: keyword - --- - -*`rsa.crypto.cert_checksum`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_cat`*:: -+ --- -This key is used for the hostname category value of a certificate - -type: keyword - --- - -*`rsa.crypto.cert_serial`*:: -+ --- -This key is used to capture the Certificate serial number only - -type: keyword - --- - -*`rsa.crypto.cert_status`*:: -+ --- -This key captures Certificate validation status - -type: keyword - --- - -*`rsa.crypto.ssl_ver_dst`*:: -+ --- 
-Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.cert_keysize`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_username`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_insact`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_valid`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_ca`*:: -+ --- -This key is used to capture the Certificate signing authority only - -type: keyword - --- - -*`rsa.crypto.cert_common`*:: -+ --- -This key is used to capture the Certificate common name only - -type: keyword - --- - - -*`rsa.wireless.wlan_ssid`*:: -+ --- -This key is used to capture the ssid of a Wireless Session - -type: keyword - --- - -*`rsa.wireless.access_point`*:: -+ --- -This key is used to capture the access point name. - -type: keyword - --- - -*`rsa.wireless.wlan_channel`*:: -+ --- -This is used to capture the channel names - -type: long - --- - -*`rsa.wireless.wlan_name`*:: -+ --- -This key captures either WLAN number/name - -type: keyword - --- - - -*`rsa.storage.disk_volume`*:: -+ --- -A unique name assigned to logical units (volumes) within a physical disk - -type: keyword - --- - -*`rsa.storage.lun`*:: -+ --- -Logical Unit Number.This key is a very useful concept in Storage. - -type: keyword - --- - -*`rsa.storage.pwwn`*:: -+ --- -This uniquely identifies a port on a HBA. - -type: keyword - --- - - -*`rsa.physical.org_dst`*:: -+ --- -This is used to capture the destination organization based on the GEOPIP Maxmind database. - -type: keyword - --- - -*`rsa.physical.org_src`*:: -+ --- -This is used to capture the source organization based on the GEOPIP Maxmind database. 
- -type: keyword - --- - - -*`rsa.healthcare.patient_fname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_id`*:: -+ --- -This key captures the unique ID for a patient - -type: keyword - --- - -*`rsa.healthcare.patient_lname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_mname`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - - -*`rsa.endpoint.host_state`*:: -+ --- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - -type: keyword - --- - -*`rsa.endpoint.registry_key`*:: -+ --- -This key captures the path to the registry key - -type: keyword - --- - -*`rsa.endpoint.registry_value`*:: -+ --- -This key captures values or decorators used within a registry entry - type: keyword -- diff --git a/filebeat/docs/modules/microsoft.asciidoc b/filebeat/docs/modules/microsoft.asciidoc index 4e5ff72b30b..602962a3d59 100644 --- a/filebeat/docs/modules/microsoft.asciidoc +++ b/filebeat/docs/modules/microsoft.asciidoc @@ -24,7 +24,6 @@ This is a module for ingesting data from the different Microsoft Products. Curre - `defender_atp` fileset: Supports Microsoft Defender for Endpoint (Microsoft Defender ATP) - `m365_defender` fileset: Supports Microsoft 365 Defender (Microsoft Threat Protection) -- `dhcp` fileset: Supports Microsoft DHCP logs include::../include/what-happens.asciidoc[] 
@@ -219,52 +218,6 @@ image::./images/siem-events-cs.jpg[] [float] And for all other Defender ATP event types, go to Host -> Events. -:fileset_ex: dhcp - -[float] -==== `dhcp` fileset settings - -deprecated::[8.12.0,"This fileset is deprecated. Use the https://docs.elastic.co/integrations/microsoft_dhcp[Microsoft DHCP] Elastic integration instead."] - -experimental[] - -NOTE: This was converted from RSA NetWitness log parser XML "msdhcp" device revision 99. - -include::../include/var-paths.asciidoc[] - -*`var.input`*:: - -The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. - -*`var.syslog_host`*:: - -The address to listen to UDP or TCP based syslog traffic. -Defaults to `localhost`. -Set to `0.0.0.0` to bind to all available interfaces. - -*`var.syslog_port`*:: - -The port to listen for syslog traffic. Defaults to `9515` - -NOTE: Ports below 1024 require Filebeat to run as root. - -*`var.tz_offset`*:: - -By default, datetimes in the logs will be interpreted as relative to -the timezone configured in the host where {beatname_uc} is running. If ingesting -logs from a host on a different timezone, use this field to set the timezone -offset so that datetimes are correctly parsed. Valid values are in the form -±HH:mm, for example, `-07:00` for `UTC-7`. - -*`var.rsa_fields`*:: - -Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be added. - -*`var.keep_raw_fields`*:: - -Flag to control the addition of the raw parser fields to the event. This fields -will be found under `rsa.raw`. The default is false. :has-dashboards!: diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index d787eb17616..09dcb957eea 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -1197,28 +1197,10 @@ filebeat.modules: # Oauth Token URL, should include the tenant ID #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/token" - + # Related scopes, default should be included #var.oauth2.scopes: # - "https://api.security.microsoft.com/.default" - dhcp: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9515 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local #--------------------------------- MISP Module --------------------------------- # Deprecated in 7.14.0: Recommended to migrate to the Threat Intel module. diff --git a/x-pack/filebeat/module/microsoft/_meta/config.yml b/x-pack/filebeat/module/microsoft/_meta/config.yml index 96b1f3db1db..f041d63920c 100644 --- a/x-pack/filebeat/module/microsoft/_meta/config.yml +++ b/x-pack/filebeat/module/microsoft/_meta/config.yml @@ -26,25 +26,7 @@ # Oauth Token URL, should include the tenant ID #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/token" - + # Related scopes, default should be included #var.oauth2.scopes: # - "https://api.security.microsoft.com/.default" - dhcp: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9515 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local 
diff --git a/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc b/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc index 048354d95a8..49b4c9e4cb1 100644 --- a/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc @@ -17,7 +17,6 @@ This is a module for ingesting data from the different Microsoft Products. Curre - `defender_atp` fileset: Supports Microsoft Defender for Endpoint (Microsoft Defender ATP) - `m365_defender` fileset: Supports Microsoft 365 Defender (Microsoft Threat Protection) -- `dhcp` fileset: Supports Microsoft DHCP logs include::../include/what-happens.asciidoc[] 
@@ -212,52 +211,6 @@ image::./images/siem-events-cs.jpg[] [float] And for all other Defender ATP event types, go to Host -> Events. -:fileset_ex: dhcp - -[float] -==== `dhcp` fileset settings - -deprecated::[8.12.0,"This fileset is deprecated. Use the https://docs.elastic.co/integrations/microsoft_dhcp[Microsoft DHCP] Elastic integration instead."] - -experimental[] - -NOTE: This was converted from RSA NetWitness log parser XML "msdhcp" device revision 99. - -include::../include/var-paths.asciidoc[] - -*`var.input`*:: - -The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. - -*`var.syslog_host`*:: - -The address to listen to UDP or TCP based syslog traffic. -Defaults to `localhost`. -Set to `0.0.0.0` to bind to all available interfaces. - -*`var.syslog_port`*:: - -The port to listen for syslog traffic. Defaults to `9515` - -NOTE: Ports below 1024 require Filebeat to run as root. - -*`var.tz_offset`*:: - -By default, datetimes in the logs will be interpreted as relative to -the timezone configured in the host where {beatname_uc} is running. If ingesting -logs from a host on a different timezone, use this field to set the timezone -offset so that datetimes are correctly parsed. Valid values are in the form -±HH:mm, for example, `-07:00` for `UTC-7`. - -*`var.rsa_fields`*:: - -Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be added. - -*`var.keep_raw_fields`*:: - -Flag to control the addition of the raw parser fields to the event. This fields -will be found under `rsa.raw`. The default is false. :has-dashboards!: diff --git a/x-pack/filebeat/module/microsoft/dhcp/_meta/fields.yml b/x-pack/filebeat/module/microsoft/dhcp/_meta/fields.yml deleted file mode 100644 index 08a34153c4f..00000000000 --- a/x-pack/filebeat/module/microsoft/dhcp/_meta/fields.yml +++ /dev/null 
@@ -1,2635 +0,0 @@ -- name: network.interface.name - overwrite: true - type: keyword - description: > - Name of the network interface where the traffic has been observed. -- name: rsa - overwrite: true - type: group - fields: - - name: internal - overwrite: true - type: group - fields: - - name: msg - overwrite: true - type: keyword - description: This key is used to capture the raw message that comes into the - Log Decoder - - name: messageid - overwrite: true - type: keyword - - name: event_desc - overwrite: true - type: keyword - - name: message - overwrite: true - type: keyword - description: This key captures the contents of instant messages - - name: time - overwrite: true - type: date - description: This is the time at which a session hits a NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness. - - name: level - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: msg_id - overwrite: true - type: keyword - description: This is the Message ID1 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: msg_vid - overwrite: true - type: keyword - description: This is the Message ID2 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: data - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: resource - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: statement - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: entry - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: inode - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: resource_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: dead - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - overwrite: true - type: keyword - description: This is used to capture the description of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: feed_name - overwrite: true - type: keyword - description: This is used to capture the name of the feed. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: cid - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_class - overwrite: true - type: keyword - description: This is the Classification of the Log Event Source under a predefined - fixed set of Event Source Classifications. 
This key should never be used to - parse Meta data from a session (Logs/Packets) Directly, this is a Reserved - key in NetWitness - - name: device_group - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - overwrite: true - type: keyword - description: This is the Hostname of the log Event Source sending the logs to - NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - overwrite: true - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - overwrite: true - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - overwrite: true - type: keyword - description: This is the name of the log parser which parsed a given session. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_type_id - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: did - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. 
- This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: entropy_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: entropy_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: event_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - overwrite: true - type: keyword - description: This is used to capture the category of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: forward_ip - overwrite: true - type: ip - description: This key should be used to capture the IPV4 address of a relay - system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - overwrite: true - type: ip - description: This key is used to capture the IPV6 address of a relay system - which forwarded the events from the original system to NetWitness. This key - should never be used to parse Meta data from a session (Logs/Packets) Directly, - this is a Reserved key in NetWitness - - name: header_id - overwrite: true - type: keyword - description: This is the Header ID value that identifies the exact log parser - header definition that parses a particular log session. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: lc_cid - overwrite: true - type: keyword - description: This is a unique Identifier of a Log Collector. 
This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: lc_ctime - overwrite: true - type: date - description: This is the time at which a log is collected in a NetWitness Log - Collector. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: mcbc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: medium - overwrite: true - type: long - description: "This key is used to identify if it\u2019s a log/packet session\ - \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ - \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ - \ 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: nwe_callback_id - overwrite: true - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - overwrite: true - type: keyword - description: This is a special key that stores any Meta key validation error - found while parsing a log session. This key should never be used to parse - Meta data from a session (Logs/Packets) Directly, this is a Reserved key in - NetWitness - - name: payload_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: payload_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: process_vid_dst - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the target process. - - name: process_vid_src - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the source process. - - name: rid - overwrite: true - type: long - description: This is a special ID of the Remote Session created by NetWitness - Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: session_split - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: size - overwrite: true - type: long - description: This is the size of the session as seen by the NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: sourcefile - overwrite: true - type: keyword - description: This is the name of the log file or PCAPs that can be imported - into NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: ubc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: word - overwrite: true - type: keyword - description: This is used by the Word Parsing technology to capture the first - 5 character of every word in an unparsed log - - name: time - overwrite: true - type: group - fields: - - name: event_time - overwrite: true - type: date - description: This key is used to capture the time mentioned in a raw session - that represents the actual time an event occured in a standard normalized - form - - name: duration_time - overwrite: true - type: double - description: This key is used to capture the normalized duration/lifetime in - seconds. 
- - name: event_time_str - overwrite: true - type: keyword - description: This key is used to capture the incomplete time mentioned in a - session as a string - - name: starttime - overwrite: true - type: date - description: This key is used to capture the Start time mentioned in a session - in a standard form - - name: month - overwrite: true - type: keyword - - name: day - overwrite: true - type: keyword - - name: endtime - overwrite: true - type: date - description: This key is used to capture the End time mentioned in a session - in a standard form - - name: timezone - overwrite: true - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - overwrite: true - type: keyword - description: A text string version of the duration - - name: date - overwrite: true - type: keyword - - name: year - overwrite: true - type: keyword - - name: recorded_time - overwrite: true - type: date - description: The event time as recorded by the system the event is collected - from. The usage scenario is a multi-tier application where the management - layer of the system records it's own timestamp at the time of collection from - its child nodes. Must be in timestamp format. - - name: datetime - overwrite: true - type: keyword - - name: effective_time - overwrite: true - type: date - description: This key is the effective time referenced by an individual event - in a Standard Timestamp format - - name: expire_time - overwrite: true - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - overwrite: true - type: keyword - description: Deprecated, use duration.time - - name: hour - overwrite: true - type: keyword - - name: min - overwrite: true - type: keyword - - name: timestamp - overwrite: true - type: keyword - - name: event_queue_time - overwrite: true - type: date - description: This key is the Time that the event was queued. 
- - name: p_time1 - overwrite: true - type: keyword - - name: tzone - overwrite: true - type: keyword - - name: eventtime - overwrite: true - type: keyword - - name: gmtdate - overwrite: true - type: keyword - - name: gmttime - overwrite: true - type: keyword - - name: p_date - overwrite: true - type: keyword - - name: p_month - overwrite: true - type: keyword - - name: p_time - overwrite: true - type: keyword - - name: p_time2 - overwrite: true - type: keyword - - name: p_year - overwrite: true - type: keyword - - name: expire_time_str - overwrite: true - type: keyword - description: This key is used to capture incomplete timestamp that explicitly - refers to an expiration. - - name: stamp - overwrite: true - type: date - description: Deprecated key defined only in table map. - - name: misc - overwrite: true - type: group - fields: - - name: action - overwrite: true - type: keyword - - name: result - overwrite: true - type: keyword - description: This key is used to capture the outcome/result string value of - an action in a session. - - name: severity - overwrite: true - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - overwrite: true - type: keyword - description: This key captures the event category type as specified by the event - source. - - name: reference_id - overwrite: true - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - overwrite: true - type: keyword - description: This key captures Version of the application or OS which is generating - the event. - - name: disposition - overwrite: true - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - overwrite: true - type: keyword - description: This key is used to capture the outcome/result numeric value of - an action in a session - - name: category - overwrite: true - type: keyword - description: This key is used to capture the category of an event given by the - vendor in the session - - name: obj_name - overwrite: true - type: keyword - description: This is used to capture name of object - - name: obj_type - overwrite: true - type: keyword - description: This is used to capture type of object - - name: event_source - overwrite: true - type: keyword - description: "This key captures Source of the event that\u2019s not a hostname" - - name: log_session_id - overwrite: true - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - overwrite: true - type: keyword - description: This key captures the Group Name value - - name: policy_name - overwrite: true - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - overwrite: true - type: keyword - description: This key captures the Rule Name - - name: context - overwrite: true - type: keyword - description: This key captures Information which adds additional context to - the event. - - name: change_new - overwrite: true - type: keyword - description: "This key is used to capture the new values of the attribute that\u2019\ - s changing in a session" - - name: space - overwrite: true - type: keyword - - name: client - overwrite: true - type: keyword - description: This key is used to capture only the name of the client application - requesting resources of the server. See the user.agent meta key for capture - of the specific user agent identifier or browser identification string. 
- - name: msgIdPart1 - overwrite: true - type: keyword - - name: msgIdPart2 - overwrite: true - type: keyword - - name: change_old - overwrite: true - type: keyword - description: "This key is used to capture the old value of the attribute that\u2019\ - s changing in a session" - - name: operation_id - overwrite: true - type: keyword - description: An alert number or operation number. The values should be unique - and non-repeating. - - name: event_state - overwrite: true - type: keyword - description: This key captures the current state of the object/item referenced - within the event. Describing an on-going event. - - name: group_object - overwrite: true - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - overwrite: true - type: keyword - description: Common use case is the node name within a cluster. The cluster - name is reflected by the host name. - - name: rule - overwrite: true - type: keyword - description: This key captures the Rule number - - name: device_name - overwrite: true - type: keyword - description: 'This is used to capture name of the Device associated with the - node Like: a physical disk, printer, etc' - - name: param - overwrite: true - type: keyword - description: This key is the parameters passed as part of a command or application, - etc. - - name: change_attrib - overwrite: true - type: keyword - description: "This key is used to capture the name of the attribute that\u2019\ - s changing in a session" - - name: event_computer - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - fully qualified domain name in a windows log. 
- - name: reference_id1 - overwrite: true - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - overwrite: true - type: keyword - description: This key captures the Name of the event log - - name: OS - overwrite: true - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - overwrite: true - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - overwrite: true - type: keyword - - name: filter - overwrite: true - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - overwrite: true - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the entity - such as a file or process. Checksum should be used over checksum.src or checksum.dst - when it is unclear whether the entity is a source or target of an action. - - name: event_user - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - combination of domain name and username in a windows log. - - name: virusname - overwrite: true - type: keyword - description: This key captures the name of the virus - - name: content_type - overwrite: true - type: keyword - description: This key is used to capture Content Type only. 
- - name: group_id - overwrite: true - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - overwrite: true - type: keyword - description: This key is used to capture the Policy ID only, this should be - a numeric value, use policy.name otherwise - - name: vsys - overwrite: true - type: keyword - description: This key captures Virtual System Name - - name: connection_id - overwrite: true - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - overwrite: true - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" - or "reference.id1" value but should not be used unless the other two variables - are in play. - - name: sensor - overwrite: true - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS - based devices - - name: sig_id - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - overwrite: true - type: keyword - description: 'This key is used for Physical or logical port connection but does - NOT include a network port. (Example: Printer port name).' - - name: rule_group - overwrite: true - type: keyword - description: This key captures the Rule group name - - name: risk_num - overwrite: true - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - overwrite: true - type: keyword - description: This key captures the Value of the trigger or threshold condition. - - name: log_session_id1 - overwrite: true - type: keyword - description: This key is used to capture a Linked (Related) Session ID from - the session directly - - name: comp_version - overwrite: true - type: keyword - description: This key captures the Version level of a sub-component of a product. 
- - name: content_version - overwrite: true - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - overwrite: true - type: keyword - description: This key is used to capture unique identifier for a device or system - (NOT a Mac address) - - name: risk - overwrite: true - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - overwrite: true - type: keyword - - name: reason - overwrite: true - type: keyword - - name: status - overwrite: true - type: keyword - - name: mail_id - overwrite: true - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - overwrite: true - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - overwrite: true - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - overwrite: true - type: keyword - - name: p_msgid - overwrite: true - type: keyword - - name: data_type - overwrite: true - type: keyword - - name: msgIdPart4 - overwrite: true - type: keyword - - name: error - overwrite: true - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - overwrite: true - type: keyword - - name: listnum - overwrite: true - type: keyword - description: This key is used to capture listname or listnumber, primarily for - collecting access-list - - name: ntype - overwrite: true - type: keyword - - name: observed_val - overwrite: true - type: keyword - description: This key captures the Value observed (from the perspective of the - device generating the log). - - name: policy_value - overwrite: true - type: keyword - description: This key captures the contents of the policy. 
This contains details - about the policy - - name: pool_name - overwrite: true - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - overwrite: true - type: keyword - description: A default set of parameters which are overlayed onto a rule (or - rulename) which efffectively constitutes a template - - name: count - overwrite: true - type: keyword - - name: number - overwrite: true - type: keyword - - name: sigcat - overwrite: true - type: keyword - - name: type - overwrite: true - type: keyword - - name: comments - overwrite: true - type: keyword - description: Comment information provided in the log message - - name: doc_number - overwrite: true - type: long - description: This key captures File Identification number - - name: expected_val - overwrite: true - type: keyword - description: This key captures the Value expected (from the perspective of the - device generating the log). - - name: job_num - overwrite: true - type: keyword - description: This key captures the Job Number - - name: spi_dst - overwrite: true - type: keyword - description: Destination SPI Index - - name: spi_src - overwrite: true - type: keyword - description: Source SPI Index - - name: code - overwrite: true - type: keyword - - name: agent_id - overwrite: true - type: keyword - description: This key is used to capture agent id - - name: message_body - overwrite: true - type: keyword - description: This key captures the The contents of the message body. - - name: phone - overwrite: true - type: keyword - - name: sig_id_str - overwrite: true - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - overwrite: true - type: keyword - - name: misc - overwrite: true - type: keyword - - name: name - overwrite: true - type: keyword - - name: cpu - overwrite: true - type: long - description: This key is the CPU time used in the execution of the event being - recorded. 
- - name: event_desc - overwrite: true - type: keyword - description: This key is used to capture a description of an event available - directly or inferred - - name: sig_id1 - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID. This must be linked - to the sig.id - - name: im_buddyid - overwrite: true - type: keyword - - name: im_client - overwrite: true - type: keyword - - name: im_userid - overwrite: true - type: keyword - - name: pid - overwrite: true - type: keyword - - name: priority - overwrite: true - type: keyword - - name: context_subject - overwrite: true - type: keyword - description: This key is to be used in an audit context where the subject is - the object being identified - - name: context_target - overwrite: true - type: keyword - - name: cve - overwrite: true - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - - an identifier for known information security vulnerabilities. - - name: fcatnum - overwrite: true - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - overwrite: true - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - overwrite: true - type: keyword - description: This key captures the Parent Node Name. Must be related to node - variable. - - name: risk_info - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - overwrite: true - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - overwrite: true - type: long - description: This key describes the type of service - - name: vm_target - overwrite: true - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - overwrite: true - type: keyword - description: This key captures Workspace Description - - name: command - overwrite: true - type: keyword - - name: event_category - overwrite: true - type: keyword - - name: facilityname - overwrite: true - type: keyword - - name: forensic_info - overwrite: true - type: keyword - - name: jobname - overwrite: true - type: keyword - - name: mode - overwrite: true - type: keyword - - name: policy - overwrite: true - type: keyword - - name: policy_waiver - overwrite: true - type: keyword - - name: second - overwrite: true - type: keyword - - name: space1 - overwrite: true - type: keyword - - name: subcategory - overwrite: true - type: keyword - - name: tbdstr2 - overwrite: true - type: keyword - - name: alert_id - overwrite: true - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the the target - entity such as a process or file. - - name: checksum_src - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the source - entity such as a file or process. 
- - name: fresult - overwrite: true - type: long - description: This key captures the Filter Result - - name: payload_dst - overwrite: true - type: keyword - description: This key is used to capture destination payload - - name: payload_src - overwrite: true - type: keyword - description: This key is used to capture source payload - - name: pool_id - overwrite: true - type: keyword - description: This key captures the identifier (typically numeric field) of a - resource pool - - name: process_id_val - overwrite: true - type: keyword - description: This key is a failure key for Process ID when it is not an integer - value - - name: risk_num_comm - overwrite: true - type: double - description: This key captures Risk Number Community - - name: risk_num_next - overwrite: true - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - overwrite: true - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - overwrite: true - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - overwrite: true - type: keyword - description: SNMP Object Identifier - - name: sql - overwrite: true - type: keyword - description: This key captures the SQL query - - name: vuln_ref - overwrite: true - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - overwrite: true - type: keyword - - name: acl_op - overwrite: true - type: keyword - - name: acl_pos - overwrite: true - type: keyword - - name: acl_table - overwrite: true - type: keyword - - name: admin - overwrite: true - type: keyword - - name: alarm_id - overwrite: true - type: keyword - - name: alarmname - 
overwrite: true - type: keyword - - name: app_id - overwrite: true - type: keyword - - name: audit - overwrite: true - type: keyword - - name: audit_object - overwrite: true - type: keyword - - name: auditdata - overwrite: true - type: keyword - - name: benchmark - overwrite: true - type: keyword - - name: bypass - overwrite: true - type: keyword - - name: cache - overwrite: true - type: keyword - - name: cache_hit - overwrite: true - type: keyword - - name: cefversion - overwrite: true - type: keyword - - name: cfg_attr - overwrite: true - type: keyword - - name: cfg_obj - overwrite: true - type: keyword - - name: cfg_path - overwrite: true - type: keyword - - name: changes - overwrite: true - type: keyword - - name: client_ip - overwrite: true - type: keyword - - name: clustermembers - overwrite: true - type: keyword - - name: cn_acttimeout - overwrite: true - type: keyword - - name: cn_asn_src - overwrite: true - type: keyword - - name: cn_bgpv4nxthop - overwrite: true - type: keyword - - name: cn_ctr_dst_code - overwrite: true - type: keyword - - name: cn_dst_tos - overwrite: true - type: keyword - - name: cn_dst_vlan - overwrite: true - type: keyword - - name: cn_engine_id - overwrite: true - type: keyword - - name: cn_engine_type - overwrite: true - type: keyword - - name: cn_f_switch - overwrite: true - type: keyword - - name: cn_flowsampid - overwrite: true - type: keyword - - name: cn_flowsampintv - overwrite: true - type: keyword - - name: cn_flowsampmode - overwrite: true - type: keyword - - name: cn_inacttimeout - overwrite: true - type: keyword - - name: cn_inpermbyts - overwrite: true - type: keyword - - name: cn_inpermpckts - overwrite: true - type: keyword - - name: cn_invalid - overwrite: true - type: keyword - - name: cn_ip_proto_ver - overwrite: true - type: keyword - - name: cn_ipv4_ident - overwrite: true - type: keyword - - name: cn_l_switch - overwrite: true - type: keyword - - name: cn_log_did - overwrite: true - type: keyword - - name: 
cn_log_rid - overwrite: true - type: keyword - - name: cn_max_ttl - overwrite: true - type: keyword - - name: cn_maxpcktlen - overwrite: true - type: keyword - - name: cn_min_ttl - overwrite: true - type: keyword - - name: cn_minpcktlen - overwrite: true - type: keyword - - name: cn_mpls_lbl_1 - overwrite: true - type: keyword - - name: cn_mpls_lbl_10 - overwrite: true - type: keyword - - name: cn_mpls_lbl_2 - overwrite: true - type: keyword - - name: cn_mpls_lbl_3 - overwrite: true - type: keyword - - name: cn_mpls_lbl_4 - overwrite: true - type: keyword - - name: cn_mpls_lbl_5 - overwrite: true - type: keyword - - name: cn_mpls_lbl_6 - overwrite: true - type: keyword - - name: cn_mpls_lbl_7 - overwrite: true - type: keyword - - name: cn_mpls_lbl_8 - overwrite: true - type: keyword - - name: cn_mpls_lbl_9 - overwrite: true - type: keyword - - name: cn_mplstoplabel - overwrite: true - type: keyword - - name: cn_mplstoplabip - overwrite: true - type: keyword - - name: cn_mul_dst_byt - overwrite: true - type: keyword - - name: cn_mul_dst_pks - overwrite: true - type: keyword - - name: cn_muligmptype - overwrite: true - type: keyword - - name: cn_sampalgo - overwrite: true - type: keyword - - name: cn_sampint - overwrite: true - type: keyword - - name: cn_seqctr - overwrite: true - type: keyword - - name: cn_spackets - overwrite: true - type: keyword - - name: cn_src_tos - overwrite: true - type: keyword - - name: cn_src_vlan - overwrite: true - type: keyword - - name: cn_sysuptime - overwrite: true - type: keyword - - name: cn_template_id - overwrite: true - type: keyword - - name: cn_totbytsexp - overwrite: true - type: keyword - - name: cn_totflowexp - overwrite: true - type: keyword - - name: cn_totpcktsexp - overwrite: true - type: keyword - - name: cn_unixnanosecs - overwrite: true - type: keyword - - name: cn_v6flowlabel - overwrite: true - type: keyword - - name: cn_v6optheaders - overwrite: true - type: keyword - - name: comp_class - overwrite: true - type: 
keyword - - name: comp_name - overwrite: true - type: keyword - - name: comp_rbytes - overwrite: true - type: keyword - - name: comp_sbytes - overwrite: true - type: keyword - - name: cpu_data - overwrite: true - type: keyword - - name: criticality - overwrite: true - type: keyword - - name: cs_agency_dst - overwrite: true - type: keyword - - name: cs_analyzedby - overwrite: true - type: keyword - - name: cs_av_other - overwrite: true - type: keyword - - name: cs_av_primary - overwrite: true - type: keyword - - name: cs_av_secondary - overwrite: true - type: keyword - - name: cs_bgpv6nxthop - overwrite: true - type: keyword - - name: cs_bit9status - overwrite: true - type: keyword - - name: cs_context - overwrite: true - type: keyword - - name: cs_control - overwrite: true - type: keyword - - name: cs_data - overwrite: true - type: keyword - - name: cs_datecret - overwrite: true - type: keyword - - name: cs_dst_tld - overwrite: true - type: keyword - - name: cs_eth_dst_ven - overwrite: true - type: keyword - - name: cs_eth_src_ven - overwrite: true - type: keyword - - name: cs_event_uuid - overwrite: true - type: keyword - - name: cs_filetype - overwrite: true - type: keyword - - name: cs_fld - overwrite: true - type: keyword - - name: cs_if_desc - overwrite: true - type: keyword - - name: cs_if_name - overwrite: true - type: keyword - - name: cs_ip_next_hop - overwrite: true - type: keyword - - name: cs_ipv4dstpre - overwrite: true - type: keyword - - name: cs_ipv4srcpre - overwrite: true - type: keyword - - name: cs_lifetime - overwrite: true - type: keyword - - name: cs_log_medium - overwrite: true - type: keyword - - name: cs_loginname - overwrite: true - type: keyword - - name: cs_modulescore - overwrite: true - type: keyword - - name: cs_modulesign - overwrite: true - type: keyword - - name: cs_opswatresult - overwrite: true - type: keyword - - name: cs_payload - overwrite: true - type: keyword - - name: cs_registrant - overwrite: true - type: keyword - - 
name: cs_registrar - overwrite: true - type: keyword - - name: cs_represult - overwrite: true - type: keyword - - name: cs_rpayload - overwrite: true - type: keyword - - name: cs_sampler_name - overwrite: true - type: keyword - - name: cs_sourcemodule - overwrite: true - type: keyword - - name: cs_streams - overwrite: true - type: keyword - - name: cs_targetmodule - overwrite: true - type: keyword - - name: cs_v6nxthop - overwrite: true - type: keyword - - name: cs_whois_server - overwrite: true - type: keyword - - name: cs_yararesult - overwrite: true - type: keyword - - name: description - overwrite: true - type: keyword - - name: devvendor - overwrite: true - type: keyword - - name: distance - overwrite: true - type: keyword - - name: dstburb - overwrite: true - type: keyword - - name: edomain - overwrite: true - type: keyword - - name: edomaub - overwrite: true - type: keyword - - name: euid - overwrite: true - type: keyword - - name: facility - overwrite: true - type: keyword - - name: finterface - overwrite: true - type: keyword - - name: flags - overwrite: true - type: keyword - - name: gaddr - overwrite: true - type: keyword - - name: id3 - overwrite: true - type: keyword - - name: im_buddyname - overwrite: true - type: keyword - - name: im_croomid - overwrite: true - type: keyword - - name: im_croomtype - overwrite: true - type: keyword - - name: im_members - overwrite: true - type: keyword - - name: im_username - overwrite: true - type: keyword - - name: ipkt - overwrite: true - type: keyword - - name: ipscat - overwrite: true - type: keyword - - name: ipspri - overwrite: true - type: keyword - - name: latitude - overwrite: true - type: keyword - - name: linenum - overwrite: true - type: keyword - - name: list_name - overwrite: true - type: keyword - - name: load_data - overwrite: true - type: keyword - - name: location_floor - overwrite: true - type: keyword - - name: location_mark - overwrite: true - type: keyword - - name: log_id - overwrite: true - 
type: keyword - - name: log_type - overwrite: true - type: keyword - - name: logid - overwrite: true - type: keyword - - name: logip - overwrite: true - type: keyword - - name: logname - overwrite: true - type: keyword - - name: longitude - overwrite: true - type: keyword - - name: lport - overwrite: true - type: keyword - - name: mbug_data - overwrite: true - type: keyword - - name: misc_name - overwrite: true - type: keyword - - name: msg_type - overwrite: true - type: keyword - - name: msgid - overwrite: true - type: keyword - - name: netsessid - overwrite: true - type: keyword - - name: num - overwrite: true - type: keyword - - name: number1 - overwrite: true - type: keyword - - name: number2 - overwrite: true - type: keyword - - name: nwwn - overwrite: true - type: keyword - - name: object - overwrite: true - type: keyword - - name: operation - overwrite: true - type: keyword - - name: opkt - overwrite: true - type: keyword - - name: orig_from - overwrite: true - type: keyword - - name: owner_id - overwrite: true - type: keyword - - name: p_action - overwrite: true - type: keyword - - name: p_filter - overwrite: true - type: keyword - - name: p_group_object - overwrite: true - type: keyword - - name: p_id - overwrite: true - type: keyword - - name: p_msgid1 - overwrite: true - type: keyword - - name: p_msgid2 - overwrite: true - type: keyword - - name: p_result1 - overwrite: true - type: keyword - - name: password_chg - overwrite: true - type: keyword - - name: password_expire - overwrite: true - type: keyword - - name: permgranted - overwrite: true - type: keyword - - name: permwanted - overwrite: true - type: keyword - - name: pgid - overwrite: true - type: keyword - - name: policyUUID - overwrite: true - type: keyword - - name: prog_asp_num - overwrite: true - type: keyword - - name: program - overwrite: true - type: keyword - - name: real_data - overwrite: true - type: keyword - - name: rec_asp_device - overwrite: true - type: keyword - - name: rec_asp_num 
- overwrite: true - type: keyword - - name: rec_library - overwrite: true - type: keyword - - name: recordnum - overwrite: true - type: keyword - - name: ruid - overwrite: true - type: keyword - - name: sburb - overwrite: true - type: keyword - - name: sdomain_fld - overwrite: true - type: keyword - - name: sec - overwrite: true - type: keyword - - name: sensorname - overwrite: true - type: keyword - - name: seqnum - overwrite: true - type: keyword - - name: session - overwrite: true - type: keyword - - name: sessiontype - overwrite: true - type: keyword - - name: sigUUID - overwrite: true - type: keyword - - name: spi - overwrite: true - type: keyword - - name: srcburb - overwrite: true - type: keyword - - name: srcdom - overwrite: true - type: keyword - - name: srcservice - overwrite: true - type: keyword - - name: state - overwrite: true - type: keyword - - name: status1 - overwrite: true - type: keyword - - name: svcno - overwrite: true - type: keyword - - name: system - overwrite: true - type: keyword - - name: tbdstr1 - overwrite: true - type: keyword - - name: tgtdom - overwrite: true - type: keyword - - name: tgtdomain - overwrite: true - type: keyword - - name: threshold - overwrite: true - type: keyword - - name: type1 - overwrite: true - type: keyword - - name: udb_class - overwrite: true - type: keyword - - name: url_fld - overwrite: true - type: keyword - - name: user_div - overwrite: true - type: keyword - - name: userid - overwrite: true - type: keyword - - name: username_fld - overwrite: true - type: keyword - - name: utcstamp - overwrite: true - type: keyword - - name: v_instafname - overwrite: true - type: keyword - - name: virt_data - overwrite: true - type: keyword - - name: vpnid - overwrite: true - type: keyword - - name: autorun_type - overwrite: true - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - overwrite: true - type: long - description: Valid Credit Card Numbers only - - name: content - 
overwrite: true - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - overwrite: true - type: long - description: Employee Identification Numbers only - - name: found - overwrite: true - type: keyword - description: This is used to capture the results of regex match - - name: language - overwrite: true - type: keyword - description: This is used to capture list of languages the client support and - what it prefers - - name: lifetime - overwrite: true - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - overwrite: true - type: keyword - description: This key is used to link the sessions together. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: match - overwrite: true - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - overwrite: true - type: keyword - description: This key captures the command line/launch argument of the target - process or file - - name: param_src - overwrite: true - type: keyword - description: This key captures source parameter - - name: search_text - overwrite: true - type: keyword - description: This key captures the Search Text used - - name: sig_name - overwrite: true - type: keyword - description: This key is used to capture the Signature Name only. - - name: snmp_value - overwrite: true - type: keyword - description: SNMP set request value - - name: streams - overwrite: true - type: long - description: This key captures number of streams in session - - name: db - overwrite: true - type: group - fields: - - name: index - overwrite: true - type: keyword - description: This key captures IndexID of the index. 
- - name: instance - overwrite: true - type: keyword - description: This key is used to capture the database server instance name - - name: database - overwrite: true - type: keyword - description: This key is used to capture the name of a database or an instance - as seen in a session - - name: transact_id - overwrite: true - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - overwrite: true - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - overwrite: true - type: keyword - description: This key is used to capture the table name - - name: db_id - overwrite: true - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - overwrite: true - type: long - description: This key captures the process id of a connection with database - server - - name: lread - overwrite: true - type: long - description: This key is used for the number of logical reads - - name: lwrite - overwrite: true - type: long - description: This key is used for the number of logical writes - - name: pread - overwrite: true - type: long - description: This key is used for the number of physical writes - - name: network - overwrite: true - type: group - fields: - - name: alias_host - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a hostname is not clear.Also it captures the Device Hostname. Any Hostname - that isnt ad.computer. 
- - name: domain - overwrite: true - type: keyword - - name: host_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Hostname" - - name: network_service - overwrite: true - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of an interface is not clear - - name: network_port - overwrite: true - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently - used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - overwrite: true - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Interface" - - name: dinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Interface" - - name: vlan - overwrite: true - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Zone." - - name: zone - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a Zone is not clear - - name: zone_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Zone." - - name: gateway - overwrite: true - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - overwrite: true - type: long - description: This key is used to capture the ICMP type only - - name: mask - overwrite: true - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - overwrite: true - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - overwrite: true - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - overwrite: true - type: keyword - description: This key is used for Destionation Device network mask - - name: port - overwrite: true - type: long - description: This key should only be used to capture a Network Port when the - directionality is not clear - - name: smask - overwrite: true - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - overwrite: true - type: keyword - description: This key is used to capture the network name associated with an - IP range. This is configured by the end user. - - name: paddr - overwrite: true - type: ip - description: Deprecated - - name: faddr - overwrite: true - type: keyword - - name: lhost - overwrite: true - type: keyword - - name: origin - overwrite: true - type: keyword - - name: remote_domain_id - overwrite: true - type: keyword - - name: addr - overwrite: true - type: keyword - - name: dns_a_record - overwrite: true - type: keyword - - name: dns_ptr_record - overwrite: true - type: keyword - - name: fhost - overwrite: true - type: keyword - - name: fport - overwrite: true - type: keyword - - name: laddr - overwrite: true - type: keyword - - name: linterface - overwrite: true - type: keyword - - name: phost - overwrite: true - type: keyword - - name: ad_computer_dst - overwrite: true - type: keyword - description: Deprecated, use host.dst - - name: eth_type - overwrite: true - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols - Only - - name: ip_proto - overwrite: true - type: long - description: This key should be used to capture the Protocol number, all the - protocol nubers are converted into string in UI - - name: dns_cname_record - overwrite: true - 
type: keyword - - name: dns_id - overwrite: true - type: keyword - - name: dns_opcode - overwrite: true - type: keyword - - name: dns_resp - overwrite: true - type: keyword - - name: dns_type - overwrite: true - type: keyword - - name: domain1 - overwrite: true - type: keyword - - name: host_type - overwrite: true - type: keyword - - name: packet_length - overwrite: true - type: keyword - - name: host_orig - overwrite: true - type: keyword - description: This is used to capture the original hostname in case of a Forwarding - Agent or a Proxy in between. - - name: rpayload - overwrite: true - type: keyword - description: This key is used to capture the total number of payload bytes seen - in the retransmitted packets. - - name: vlan_name - overwrite: true - type: keyword - description: This key should only be used to capture the name of the Virtual - LAN - - name: investigations - overwrite: true - type: group - fields: - - name: ec_activity - overwrite: true - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - overwrite: true - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - overwrite: true - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - overwrite: true - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - overwrite: true - type: long - description: This key captures the Event category number - - name: event_cat_name - overwrite: true - type: keyword - description: This key captures the event category name corresponding to the - event cat code - - name: event_vcat - overwrite: true - type: keyword - description: This is a vendor supplied category. This should be used in situations - where the vendor has adopted their own event_category taxonomy. 
- - name: analysis_file - overwrite: true - type: keyword - description: This is used to capture all indicators used in a File Analysis. - This key should be used to capture an analysis of a file - - name: analysis_service - overwrite: true - type: keyword - description: This is used to capture all indicators used in a Service Analysis. - This key should be used to capture an analysis of a service - - name: analysis_session - overwrite: true - type: keyword - description: This is used to capture all indicators used for a Session Analysis. - This key should be used to capture an analysis of a session - - name: boc - overwrite: true - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - overwrite: true - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - overwrite: true - type: keyword - description: This used to capture investigation category - - name: inv_context - overwrite: true - type: keyword - description: This used to capture investigation context - - name: ioc - overwrite: true - type: keyword - description: This is key capture indicator of compromise - - name: counters - overwrite: true - type: group - fields: - - name: dclass_c1 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c1.str only - - name: dclass_c2 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c2.str only - - name: event_counter - overwrite: true - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r1.str only - - name: dclass_c3 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c3.str only - - name: dclass_c1_str - 
overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c1 only - - name: dclass_c2_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c2 only - - name: dclass_r1_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r1 only - - name: dclass_r2 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r2.str only - - name: dclass_c3_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c3 only - - name: dclass_r3 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r3.str only - - name: dclass_r2_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r2 only - - name: dclass_r3_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r3 only - - name: identity - overwrite: true - type: group - fields: - - name: auth_method - overwrite: true - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - overwrite: true - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - overwrite: true - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - overwrite: true - type: keyword - description: This key is used to capture the type of logon method used. 
- - name: profile - overwrite: true - type: keyword - description: This key is used to capture the user profile - - name: accesses - overwrite: true - type: keyword - description: This key is used to capture actual privileges used in accessing - an object - - name: realm - overwrite: true - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - overwrite: true - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that - indicates a Source dn - - name: org - overwrite: true - type: keyword - description: This key captures the User organization - - name: dn_dst - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that - indicates a Destination dn - - name: firstname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: lastname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: user_dept - overwrite: true - type: keyword - description: User's Department Names only - - name: user_sid_src - overwrite: true - type: keyword - description: This key captures Source User Session ID - - name: federated_sp - overwrite: true - type: keyword - description: This key is the Federated Service Provider. This is the application - requesting authentication. - - name: federated_idp - overwrite: true - type: keyword - description: This key is the federated Identity Provider. This is the server - providing the authentication. - - name: logon_type_desc - overwrite: true - type: keyword - description: This key is used to capture the textual description of an integer - logon type as stored in the meta key 'logon.type'. 
- - name: middlename - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: password - overwrite: true - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - overwrite: true - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - overwrite: true - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ - t have a clear query or response context" - - name: ldap_query - overwrite: true - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - overwrite: true - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - overwrite: true - type: keyword - description: This is used to capture username the process or service is running - as, the author of the task - - name: service_account - overwrite: true - type: keyword - description: This key is a windows specific key, used for capturing name of - the account a service (referenced in the event) is running under. Legacy Usage - - name: email - overwrite: true - type: group - fields: - - name: email_dst - overwrite: true - type: keyword - description: This key is used to capture the Destination email address only, - when the destination context is not clear use email - - name: email_src - overwrite: true - type: keyword - description: This key is used to capture the source email address only, when - the source context is not clear use email - - name: subject - overwrite: true - type: keyword - description: This key is used to capture the subject string from an Email only. 
- - name: email - overwrite: true - type: keyword - description: This key is used to capture a generic email address where the source - or destination context is not clear - - name: trans_from - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: file - overwrite: true - type: group - fields: - - name: privilege - overwrite: true - type: keyword - description: Deprecated, use permissions - - name: attachment - overwrite: true - type: keyword - description: This key captures the attachment file name - - name: filesystem - overwrite: true - type: keyword - - name: binary - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: filename_dst - overwrite: true - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - overwrite: true - type: keyword - description: This is used to capture name of the parent filename, the file which - performed the action - - name: filename_tmp - overwrite: true - type: keyword - - name: directory_dst - overwrite: true - type: keyword - description: This key is used to capture the directory of the target process - or file - - name: directory_src - overwrite: true - type: keyword - description: This key is used to capture the directory of the source process - or file - - name: file_entropy - overwrite: true - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - overwrite: true - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - overwrite: true - type: keyword - description: This is used to capture name of the task - - name: web - overwrite: true - type: group - fields: - - name: fqdn - overwrite: true - type: keyword - description: Fully Qualified Domain Names - - 
name: web_cookie - overwrite: true - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - overwrite: true - type: keyword - - name: reputation_num - overwrite: true - type: double - description: Reputation Number of an entity. Typically used for Web Domains - - name: web_ref_domain - overwrite: true - type: keyword - description: Web referer's domain - - name: web_ref_query - overwrite: true - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - overwrite: true - type: keyword - - name: web_ref_page - overwrite: true - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - overwrite: true - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - overwrite: true - type: keyword - - name: cn_rpackets - overwrite: true - type: keyword - - name: urlpage - overwrite: true - type: keyword - - name: urlroot - overwrite: true - type: keyword - - name: p_url - overwrite: true - type: keyword - - name: p_user_agent - overwrite: true - type: keyword - - name: p_web_cookie - overwrite: true - type: keyword - - name: p_web_method - overwrite: true - type: keyword - - name: p_web_referer - overwrite: true - type: keyword - - name: web_extension_tmp - overwrite: true - type: keyword - - name: web_page - overwrite: true - type: keyword - - name: threat - overwrite: true - type: group - fields: - - name: threat_category - overwrite: true - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of - alert - - name: threat_desc - overwrite: true - type: keyword - description: This key is used to capture the threat description from the session - directly or inferred - - name: alert - overwrite: true - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - overwrite: true - type: keyword - description: This key is used to 
capture source of the threat - - name: crypto - overwrite: true - type: group - fields: - - name: crypto - overwrite: true - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key - only - - name: cipher_src - overwrite: true - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - overwrite: true - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - overwrite: true - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - overwrite: true - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - overwrite: true - type: keyword - description: IKE negotiation phase. - - name: scheme - overwrite: true - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - overwrite: true - type: keyword - description: "This key is for Encryption peer\u2019s identity" - - name: sig_type - overwrite: true - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - overwrite: true - type: keyword - - name: cert_host_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: cert_error - overwrite: true - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - overwrite: true - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - overwrite: true - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - overwrite: true - type: keyword - description: Deprecated, use version - - name: d_certauth - overwrite: true - type: keyword - - name: s_certauth - overwrite: true - type: keyword - - name: ike_cookie1 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - - name: ike_cookie2 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - - name: cert_checksum - overwrite: true - type: keyword - - name: cert_host_cat - overwrite: true - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - overwrite: true - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - overwrite: true - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - overwrite: true - type: keyword - description: Deprecated, use version - - name: cert_keysize - overwrite: true - type: keyword - - name: cert_username - overwrite: true - type: keyword - - name: https_insact - overwrite: true - type: keyword - - name: https_valid - overwrite: true - type: keyword - - name: cert_ca - overwrite: true - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - overwrite: true - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - overwrite: true - type: group - fields: - - name: wlan_ssid - overwrite: true - type: keyword - description: This key is 
used to capture the ssid of a Wireless Session - - name: access_point - overwrite: true - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - overwrite: true - type: long - description: This is used to capture the channel names - - name: wlan_name - overwrite: true - type: keyword - description: This key captures either WLAN number/name - - name: storage - overwrite: true - type: group - fields: - - name: disk_volume - overwrite: true - type: keyword - description: A unique name assigned to logical units (volumes) within a physical - disk - - name: lun - overwrite: true - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - overwrite: true - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - overwrite: true - type: group - fields: - - name: org_dst - overwrite: true - type: keyword - description: This is used to capture the destination organization based on the - GEOPIP Maxmind database. - - name: org_src - overwrite: true - type: keyword - description: This is used to capture the source organization based on the GEOPIP - Maxmind database. 
- - name: healthcare - overwrite: true - type: group - fields: - - name: patient_fname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_id - overwrite: true - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_mname - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: endpoint - overwrite: true - type: group - fields: - - name: host_state - overwrite: true - type: keyword - description: This key is used to capture the current state of the machine, such - as blacklisted, infected, firewall - disabled and so on - - name: registry_key - overwrite: true - type: keyword - description: This key captures the path to the registry key - - name: registry_value - overwrite: true - type: keyword - description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/microsoft/dhcp/config/input.yml b/x-pack/filebeat/module/microsoft/dhcp/config/input.yml deleted file mode 100644 index 1c7ee86cc9d..00000000000 --- a/x-pack/filebeat/module/microsoft/dhcp/config/input.yml +++ /dev/null 
@@ -1,87 +0,0 @@ -{{ if eq .input "file" }} - -type: log -paths: - {{ range $i, $path := .paths }} -- {{$path}} - {{ end }} -exclude_files: [".gz$"] - -{{ else }} - -type: {{.input}} -host: "{{.syslog_host}}:{{.syslog_port}}" - -{{ end }} - -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} - -fields_under_root: true -fields: - observer: - vendor: "Microsoft" - product: "DHCP" - type: "Application" - -processors: -- script: - lang: javascript - params: - ecs: true - rsa: {{.rsa_fields}} - tz_offset: {{.tz_offset}} - keep_raw: {{.keep_raw_fields}} - debug: {{.debug}} - files: - - ${path.home}/module/microsoft/dhcp/config/liblogparser.js - - ${path.home}/module/microsoft/dhcp/config/pipeline.js -{{ if .community_id }} -- community_id: ~ -{{ end }} -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - 
ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_fields: - target: '' - fields: - ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js b/x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js deleted file mode 100644 index b35eaa3ddce..00000000000 --- a/x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js +++ /dev/null 
@@ -1,2514 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -/* jshint -W014,-W016,-W097,-W116 */ - -var processor = require("processor"); -var console = require("console"); - -var FLAG_FIELD = "log.flags"; -var FIELDS_OBJECT = "nwparser"; -var FIELDS_PREFIX = FIELDS_OBJECT + "."; - -var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true -}; - -var saved_flags = null; -var debug; -var map_ecs; -var map_rsa; -var keep_raw; -var device; -var tz_offset; -var strip_priority; - -// Register params from configuration. -function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); -} - -function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } -} - -function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); -} - -function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); -} - -function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; -} - -function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; -} - -function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; -} - -var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); -})(); - -function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; -} - -function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } -} - -function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; -} - -function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; -} - -function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; -} - -function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; -} - -var start; - -function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); -} - -function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); -} - -function constant(value) { - return function (evt) { - return value; - }; -} - -function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; -} - -function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; -} - -// TODO: Implement -function DIRCHK(args) { - unimplemented("DIRCHK"); -} - -function strictToInt(str) { - return str * 1; -} - -function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - var result; - switch 
(args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; -} - -var quoteChars = "\"'`"; -function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; -} - -function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; -} - -function nop(evt) { -} - -function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); -} - -function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); -} - -function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; -} - -function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); -} - -function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; -} - -function setc(dst, value) { - return function (evt) { - evt.Put(FIELDS_PREFIX + dst, value); - }; 
-} - -function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; -} - -function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; -} - -function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; -} - -function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; -} - -// Make two-digit dates 00-69 interpreted as 2000-2069 -// and dates 70-99 translated to 1970-1999. -var twoDigitYearEpoch = 70; -var twoDigitYearCentury = 2000; - -// This is to accept dates up to 2 days in the future, only used when -// no year is specified in a date. 2 days should be enough to account for -// time differences between systems and different tz offsets. -var maxFutureDelta = 2*24*60*60*1000; - -// DateContainer stores date fields and then converts those fields into -// a Date. Necessary because building a Date using its set() methods gives -// different results depending on the order of components. -function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; -} - -DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } -} - -function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; -} - -function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; -} - -function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; -} - -var uA = 60 * 60 * 24; -var uD = 60 * 60 * 24; -var uF = 60 * 60; -var uG = 60 * 60 * 24 * 30; -var uH = 60 * 60; -var uI = 60 * 60; -var uJ = 60 * 60 * 24; -var uM = 60 * 60 * 24 * 30; -var uN = 60 * 60; -var uO = 1; -var uS = 1; -var uT = 60; -var uU = 60; -var uc = dc; - -function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; -} - -function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 5], - "dec": [11, 4], 
-}; - -// var dC = undefined; -var dR = dateMonthName(true); -var dB = dateMonthName(false); -var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); -var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); -var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); -var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); -var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); -var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 -var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); -var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); -var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); -var dP = parseAMPM; // AM|PM -var dQ = parseAMPM; // A.M.|P.M -var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); -var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); -var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); -var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); -var dZ = parseHMS; -var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - -// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. -// Only works if this modifier appears after the hour has been read from logs -// which is always the case in the 300 devices. 
-function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; -} - -function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); -} - -function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; -} - -function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; -} - -function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; -} - -function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; -} - -function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; -} - -// Short month name (Jan..Dec). -function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; -} - -function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; -} - -// The following regular expression for parsing URLs from: -// https://github.com/wizard04wsu/URI_Parsing -// -// The MIT License (MIT) -// -// Copyright (c) 2014 Andrew Harrison -// -// Permission is hereby granted, free of charge, to any person obtaining a copy of -// this software and associated documentation files (the "Software"), to deal in -// the Software without restriction, including without limitation the rights to -// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -// the Software, and to permit persons to whom the Software is furnished to do so, -// subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
-var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - -var uriScheme = 1; -var uriDomain = 5; -var uriPort = 6; -var uriPath = 7; -var uriPathAlt = 9; -var uriQuery = 11; - -function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); -} - -function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; -} - -function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; -} - -var extFromPage = /\.[^.]+$/; -function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } -} - -function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); -} - -function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); -} - -var pageFromPathRegExp = /\/([^\/]+)$/; -var pageName = 1; - -function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; -} - -function page(dst, src) { - return url_wrapper(dst, src, extract_page); -} - -function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; -} - -function path(dst, src) { - return url_wrapper(dst, src, extract_path); -} - -// Map common schemes to their default port. -// port has to be a string (will be converted at a later stage). 
-var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", -}; - -function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } -} - -function port(dst, src) { - return url_wrapper(dst, src, extract_port); -} - -function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; -} - -function query(dst, src) { - return url_wrapper(dst, src, extract_query); -} - -function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } -} - -function root(dst, src) { - return url_wrapper(dst, src, extract_root); -} - -function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } -} - -var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, -}; - -var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, 
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]},
- "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]},
- "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]},
- "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]},
- "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]},
- "word": {to:[{field: "rsa.internal.word", setter: fld_set}]},
- "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]},
- "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "year": {to:[{field: "rsa.time.year", setter: fld_set}]},
- "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]},
-};
-
-function to_date(value) {
- switch (typeof (value)) {
- case "object":
- // This is a Date. But as it was obtained from evt.Get(), the VM
- // doesn't see it as a JS Date anymore, thus value instanceof Date === false.
- // Have to trust that any object here is a valid Date for Go.
- return value;
- case "string":
- var asDate = new Date(value);
- if (!isNaN(asDate)) return asDate;
- }
-}
-
-// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER.
-var maxSafeInt = Math.pow(2, 53) - 1;
-var minSafeInt = -maxSafeInt;
-
-function to_long(value) {
- var num = parseInt(value);
- // Better not to index a number if it's not safe (above 53 bits).
- return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined;
-}
-
-function to_ip(value) {
- if (value.indexOf(":") === -1)
- return to_ipv4(value);
- return to_ipv6(value);
-}
-
-var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
-var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/;
-
-function to_ipv4(value) {
- var result = ipv4_regex.exec(value);
- if (result == null || result.length !== 5) return;
- for (var i = 1; i < 5; i++) {
- var num = strictToInt(result[i]);
- if (isNaN(num) || num < 0 || num > 255) return;
- }
- return value;
-}
-
-function to_ipv6(value) {
- var sqEnd = value.indexOf("]");
- if (sqEnd > -1) {
- if (value.charAt(0) !== "[") return;
- value = value.substr(1, sqEnd - 1);
- }
- var zoneOffset = value.indexOf("%");
- if (zoneOffset > -1) {
- value = value.substr(0, zoneOffset);
- }
- var parts = value.split(":");
- if (parts == null || parts.length < 3 || parts.length > 8) return;
- var numEmpty = 0;
- var innerEmpty = 0;
- for (var i = 0; i < parts.length; i++) {
- if (parts[i].length === 0) {
- numEmpty++;
- if (i > 0 && i + 1 < parts.length) innerEmpty++;
- } else if (!parts[i].match(ipv6_hex_regex) &&
- // Accept an IPv6 with a valid IPv4 at the end.
- ((i + 1 < parts.length) || !to_ipv4(parts[i]))) {
- return;
- }
- }
- return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined;
-}
-
-function to_double(value) {
- return parseFloat(value);
-}
-
-function to_mac(value) {
- // ES doesn't have a mac datatype so it's safe to ingest whatever was captured.
- return value;
-}
-
-function to_lowercase(value) {
- // to_lowercase is used against keyword fields, which can accept
- // any other type (numbers, dates).
- return typeof(value) === "string"? 
value.toLowerCase() : value;
-}
-
-function fld_set(dst, value) {
- dst[this.field] = { v: value };
-}
-
-function fld_append(dst, value) {
- if (dst[this.field] === undefined) {
- dst[this.field] = { v: [value] };
- } else {
- var base = dst[this.field];
- if (base.v.indexOf(value)===-1) base.v.push(value);
- }
-}
-
-function fld_prio(dst, value) {
- if (dst[this.field] === undefined) {
- dst[this.field] = { v: value, prio: this.prio};
- } else if(this.prio < dst[this.field].prio) {
- dst[this.field].v = value;
- dst[this.field].prio = this.prio;
- }
-}
-
-var valid_ecs_outcome = {
- 'failure': true,
- 'success': true,
- 'unknown': true
-};
-
-function fld_ecs_outcome(dst, value) {
- value = value.toLowerCase();
- if (valid_ecs_outcome[value] === undefined) {
- value = 'unknown';
- }
- if (dst[this.field] === undefined) {
- dst[this.field] = { v: value };
- } else if (dst[this.field].v === 'unknown') {
- dst[this.field] = { v: value };
- }
-}
-
-function map_all(evt, targets, value) {
- for (var i = 0; i < targets.length; i++) {
- evt.Put(targets[i], value);
- }
-}
-
-function populate_fields(evt) {
- var base = evt.Get(FIELDS_OBJECT);
- if (base === null) return;
- alternate_datetime(evt);
- if (map_ecs) {
- do_populate(evt, base, ecs_mappings);
- }
- if (map_rsa) {
- do_populate(evt, base, rsa_mappings);
- }
- if (keep_raw) {
- evt.Put("rsa.raw", base);
- }
- evt.Delete(FIELDS_OBJECT);
-}
-
-var datetime_alt_components = [
- {field: "day", fmts: [[dF]]},
- {field: "year", fmts: [[dW]]},
- {field: "month", fmts: [[dB],[dG]]},
- {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
- {field: "hour", fmts: [[dN]]},
- {field: "min", fmts: [[dU]]},
- {field: "secs", fmts: [[dO]]},
- {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
-];
-
-function alternate_datetime(evt) {
- if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
- return;
- }
- var tzOffset = tz_offset;
- if (tzOffset === "event") {
- tzOffset = 
evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i Date: Thu, 15 Feb 2024 13:44:48 +0200 Subject: [PATCH 12/22] feat: remove deprecated netscout --- filebeat/docs/fields.asciidoc | 5435 ----------------- filebeat/docs/modules_list.asciidoc | 2 - x-pack/filebeat/filebeat.reference.yml | 21 - x-pack/filebeat/include/list.go | 1 - x-pack/filebeat/module/netscout/README.md | 7 - .../filebeat/module/netscout/_meta/config.yml | 19 - .../module/netscout/_meta/docs.asciidoc | 68 - .../filebeat/module/netscout/_meta/fields.yml | 5 - x-pack/filebeat/module/netscout/fields.go | 23 - .../netscout/sightline/_meta/fields.yml | 2635 -------- .../netscout/sightline/config/input.yml | 87 - .../netscout/sightline/config/liblogparser.js | 2514 -------- .../netscout/sightline/config/pipeline.js | 1036 ---- .../netscout/sightline/ingest/pipeline.yml | 88 - .../module/netscout/sightline/manifest.yml | 31 - .../netscout/sightline/test/generated.log | 100 - .../test/generated.log-expected.json | 2449 -------- .../filebeat/modules.d/netscout.yml.disabled | 22 - 18 files changed, 14543 deletions(-) delete mode 100644 x-pack/filebeat/module/netscout/README.md delete mode 100644 x-pack/filebeat/module/netscout/_meta/config.yml delete mode 100644 x-pack/filebeat/module/netscout/_meta/docs.asciidoc delete mode 100644 x-pack/filebeat/module/netscout/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/netscout/fields.go delete mode 100644 x-pack/filebeat/module/netscout/sightline/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/netscout/sightline/config/input.yml delete mode 100644 x-pack/filebeat/module/netscout/sightline/config/liblogparser.js delete mode 100644 x-pack/filebeat/module/netscout/sightline/config/pipeline.js delete mode 100644 x-pack/filebeat/module/netscout/sightline/ingest/pipeline.yml delete mode 100644 x-pack/filebeat/module/netscout/sightline/manifest.yml delete mode 100644 
x-pack/filebeat/module/netscout/sightline/test/generated.log
delete mode 100644 x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json
delete mode 100644 x-pack/filebeat/modules.d/netscout.yml.disabled
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index 569a3326b4a..e5d9ac24a83 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -59,7 +59,6 @@ grouped in the following categories:
 * <>
 * <>
 * <>
-* <>
 * <>
 * <>
 * <>
@@ -50702,5440 +50701,6 @@ type: integer -- -[[exported-fields-netscout]] -== Arbor Peakflow SP fields - -netscout fields. - - - -*`network.interface.name`*:: -+ --- -Name of the network interface where the traffic has been observed. - - -type: keyword - --- - - - -*`rsa.internal.msg`*:: -+ --- -This key is used to capture the raw message that comes into the Log Decoder - -type: keyword - --- - -*`rsa.internal.messageid`*:: -+ --- -type: keyword - --- - -*`rsa.internal.event_desc`*:: -+ --- -type: keyword - --- - -*`rsa.internal.message`*:: -+ --- -This key captures the contents of instant messages - -type: keyword - --- - -*`rsa.internal.time`*:: -+ --- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: date - --- - -*`rsa.internal.level`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.msg_id`*:: -+ --- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.msg_vid`*:: -+ --- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.data`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_server`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_val`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.resource`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.internal.obj_id`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.statement`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.audit_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.entry`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.hcode`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.inode`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.resource_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.dead`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.feed_desc`*:: -+ --- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.feed_name`*:: -+ --- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.cid`*:: -+ --- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_class`*:: -+ --- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_group`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_host`*:: -+ --- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_ip`*:: -+ --- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_ipv6`*:: -+ --- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_type`*:: -+ --- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_type_id`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.did`*:: -+ --- -This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.entropy_req`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.entropy_res`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.event_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.feed_category`*:: -+ --- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.forward_ip`*:: -+ --- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: ip - --- - -*`rsa.internal.forward_ipv6`*:: -+ --- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.header_id`*:: -+ --- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_cid`*:: -+ --- -This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_ctime`*:: -+ --- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: date - --- - -*`rsa.internal.mcb_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcb_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcbc_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.mcbc_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.medium`*:: -+ --- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: long - --- - -*`rsa.internal.node_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.nwe_callback_id`*:: -+ --- -This key denotes that event is endpoint related - -type: keyword - --- - -*`rsa.internal.parse_error`*:: -+ --- -This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.payload_req`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.payload_res`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.process_vid_dst`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - -type: keyword - --- - -*`rsa.internal.process_vid_src`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - -type: keyword - --- - -*`rsa.internal.rid`*:: -+ --- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.session_split`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.site`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.size`*:: -+ --- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.sourcefile`*:: -+ --- -This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.ubc_req`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.ubc_res`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.word`*:: -+ --- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - -type: keyword - --- - - -*`rsa.time.event_time`*:: -+ --- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - -type: date - --- - -*`rsa.time.duration_time`*:: -+ --- -This key is used to capture the normalized duration/lifetime in seconds. 
- -type: double - --- - -*`rsa.time.event_time_str`*:: -+ --- -This key is used to capture the incomplete time mentioned in a session as a string - -type: keyword - --- - -*`rsa.time.starttime`*:: -+ --- -This key is used to capture the Start time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.month`*:: -+ --- -type: keyword - --- - -*`rsa.time.day`*:: -+ --- -type: keyword - --- - -*`rsa.time.endtime`*:: -+ --- -This key is used to capture the End time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.timezone`*:: -+ --- -This key is used to capture the timezone of the Event Time - -type: keyword - --- - -*`rsa.time.duration_str`*:: -+ --- -A text string version of the duration - -type: keyword - --- - -*`rsa.time.date`*:: -+ --- -type: keyword - --- - -*`rsa.time.year`*:: -+ --- -type: keyword - --- - -*`rsa.time.recorded_time`*:: -+ --- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date - --- - -*`rsa.time.datetime`*:: -+ --- -type: keyword - --- - -*`rsa.time.effective_time`*:: -+ --- -This key is the effective time referenced by an individual event in a Standard Timestamp format - -type: date - --- - -*`rsa.time.expire_time`*:: -+ --- -This key is the timestamp that explicitly refers to an expiration. - -type: date - --- - -*`rsa.time.process_time`*:: -+ --- -Deprecated, use duration.time - -type: keyword - --- - -*`rsa.time.hour`*:: -+ --- -type: keyword - --- - -*`rsa.time.min`*:: -+ --- -type: keyword - --- - -*`rsa.time.timestamp`*:: -+ --- -type: keyword - --- - -*`rsa.time.event_queue_time`*:: -+ --- -This key is the Time that the event was queued. 
- -type: date - --- - -*`rsa.time.p_time1`*:: -+ --- -type: keyword - --- - -*`rsa.time.tzone`*:: -+ --- -type: keyword - --- - -*`rsa.time.eventtime`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmtdate`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmttime`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_date`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_month`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time2`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_year`*:: -+ --- -type: keyword - --- - -*`rsa.time.expire_time_str`*:: -+ --- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. - -type: keyword - --- - -*`rsa.time.stamp`*:: -+ --- -Deprecated key defined only in table map. - -type: date - --- - - -*`rsa.misc.action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.result`*:: -+ --- -This key is used to capture the outcome/result string value of an action in a session. - -type: keyword - --- - -*`rsa.misc.severity`*:: -+ --- -This key is used to capture the severity given the session - -type: keyword - --- - -*`rsa.misc.event_type`*:: -+ --- -This key captures the event category type as specified by the event source. - -type: keyword - --- - -*`rsa.misc.reference_id`*:: -+ --- -This key is used to capture an event id from the session directly - -type: keyword - --- - -*`rsa.misc.version`*:: -+ --- -This key captures Version of the application or OS which is generating the event. - -type: keyword - --- - -*`rsa.misc.disposition`*:: -+ --- -This key captures the The end state of an action. 
- -type: keyword - --- - -*`rsa.misc.result_code`*:: -+ --- -This key is used to capture the outcome/result numeric value of an action in a session - -type: keyword - --- - -*`rsa.misc.category`*:: -+ --- -This key is used to capture the category of an event given by the vendor in the session - -type: keyword - --- - -*`rsa.misc.obj_name`*:: -+ --- -This is used to capture name of object - -type: keyword - --- - -*`rsa.misc.obj_type`*:: -+ --- -This is used to capture type of object - -type: keyword - --- - -*`rsa.misc.event_source`*:: -+ --- -This key captures Source of the event that’s not a hostname - -type: keyword - --- - -*`rsa.misc.log_session_id`*:: -+ --- -This key is used to capture a sessionid from the session directly - -type: keyword - --- - -*`rsa.misc.group`*:: -+ --- -This key captures the Group Name value - -type: keyword - --- - -*`rsa.misc.policy_name`*:: -+ --- -This key is used to capture the Policy Name only. - -type: keyword - --- - -*`rsa.misc.rule_name`*:: -+ --- -This key captures the Rule Name - -type: keyword - --- - -*`rsa.misc.context`*:: -+ --- -This key captures Information which adds additional context to the event. - -type: keyword - --- - -*`rsa.misc.change_new`*:: -+ --- -This key is used to capture the new values of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.space`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client`*:: -+ --- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- -type: keyword - --- - -*`rsa.misc.msgIdPart1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.change_old`*:: -+ --- -This key is used to capture the old value of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.operation_id`*:: -+ --- -An alert number or operation number. The values should be unique and non-repeating. - -type: keyword - --- - -*`rsa.misc.event_state`*:: -+ --- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - -type: keyword - --- - -*`rsa.misc.group_object`*:: -+ --- -This key captures a collection/grouping of entities. Specific usage - -type: keyword - --- - -*`rsa.misc.node`*:: -+ --- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - -type: keyword - --- - -*`rsa.misc.rule`*:: -+ --- -This key captures the Rule number - -type: keyword - --- - -*`rsa.misc.device_name`*:: -+ --- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - -type: keyword - --- - -*`rsa.misc.param`*:: -+ --- -This key is the parameters passed as part of a command or application, etc. - -type: keyword - --- - -*`rsa.misc.change_attrib`*:: -+ --- -This key is used to capture the name of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.event_computer`*:: -+ --- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- -type: keyword - --- - -*`rsa.misc.reference_id1`*:: -+ --- -This key is for Linked ID to be used as an addition to "reference.id" - -type: keyword - --- - -*`rsa.misc.event_log`*:: -+ --- -This key captures the Name of the event log - -type: keyword - --- - -*`rsa.misc.OS`*:: -+ --- -This key captures the Name of the Operating System - -type: keyword - --- - -*`rsa.misc.terminal`*:: -+ --- -This key captures the Terminal Names only - -type: keyword - --- - -*`rsa.misc.msgIdPart3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.filter`*:: -+ --- -This key captures Filter used to reduce result set - -type: keyword - --- - -*`rsa.misc.serial_number`*:: -+ --- -This key is the Serial number associated with a physical asset. - -type: keyword - --- - -*`rsa.misc.checksum`*:: -+ --- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - -type: keyword - --- - -*`rsa.misc.event_user`*:: -+ --- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - -type: keyword - --- - -*`rsa.misc.virusname`*:: -+ --- -This key captures the name of the virus - -type: keyword - --- - -*`rsa.misc.content_type`*:: -+ --- -This key is used to capture Content Type only. - -type: keyword - --- - -*`rsa.misc.group_id`*:: -+ --- -This key captures Group ID Number (related to the group name) - -type: keyword - --- - -*`rsa.misc.policy_id`*:: -+ --- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - -type: keyword - --- - -*`rsa.misc.vsys`*:: -+ --- -This key captures Virtual System Name - -type: keyword - --- - -*`rsa.misc.connection_id`*:: -+ --- -This key captures the Connection ID - -type: keyword - --- - -*`rsa.misc.reference_id2`*:: -+ --- -This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - -type: keyword - --- - -*`rsa.misc.sensor`*:: -+ --- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - -type: keyword - --- - -*`rsa.misc.sig_id`*:: -+ --- -This key captures IDS/IPS Int Signature ID - -type: long - --- - -*`rsa.misc.port_name`*:: -+ --- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - -type: keyword - --- - -*`rsa.misc.rule_group`*:: -+ --- -This key captures the Rule group name - -type: keyword - --- - -*`rsa.misc.risk_num`*:: -+ --- -This key captures a Numeric Risk value - -type: double - --- - -*`rsa.misc.trigger_val`*:: -+ --- -This key captures the Value of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.log_session_id1`*:: -+ --- -This key is used to capture a Linked (Related) Session ID from the session directly - -type: keyword - --- - -*`rsa.misc.comp_version`*:: -+ --- -This key captures the Version level of a sub-component of a product. - -type: keyword - --- - -*`rsa.misc.content_version`*:: -+ --- -This key captures Version level of a signature or database content. - -type: keyword - --- - -*`rsa.misc.hardware_id`*:: -+ --- -This key is used to capture unique identifier for a device or system (NOT a Mac address) - -type: keyword - --- - -*`rsa.misc.risk`*:: -+ --- -This key captures the non-numeric risk value - -type: keyword - --- - -*`rsa.misc.event_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.reason`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mail_id`*:: -+ --- -This key is used to capture the mailbox id/name - -type: keyword - --- - -*`rsa.misc.rule_uid`*:: -+ --- -This key is the Unique Identifier for a rule. 
- -type: keyword - --- - -*`rsa.misc.trigger_desc`*:: -+ --- -This key captures the Description of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.inout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.data_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.error`*:: -+ --- -This key captures All non successful Error codes or responses - -type: keyword - --- - -*`rsa.misc.index`*:: -+ --- -type: keyword - --- - -*`rsa.misc.listnum`*:: -+ --- -This key is used to capture listname or listnumber, primarily for collecting access-list - -type: keyword - --- - -*`rsa.misc.ntype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.observed_val`*:: -+ --- -This key captures the Value observed (from the perspective of the device generating the log). - -type: keyword - --- - -*`rsa.misc.policy_value`*:: -+ --- -This key captures the contents of the policy. This contains details about the policy - -type: keyword - --- - -*`rsa.misc.pool_name`*:: -+ --- -This key captures the name of a resource pool - -type: keyword - --- - -*`rsa.misc.rule_template`*:: -+ --- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - -type: keyword - --- - -*`rsa.misc.count`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigcat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comments`*:: -+ --- -Comment information provided in the log message - -type: keyword - --- - -*`rsa.misc.doc_number`*:: -+ --- -This key captures File Identification number - -type: long - --- - -*`rsa.misc.expected_val`*:: -+ --- -This key captures the Value expected (from the perspective of the device generating the log). 
- -type: keyword - --- - -*`rsa.misc.job_num`*:: -+ --- -This key captures the Job Number - -type: keyword - --- - -*`rsa.misc.spi_dst`*:: -+ --- -Destination SPI Index - -type: keyword - --- - -*`rsa.misc.spi_src`*:: -+ --- -Source SPI Index - -type: keyword - --- - -*`rsa.misc.code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.agent_id`*:: -+ --- -This key is used to capture agent id - -type: keyword - --- - -*`rsa.misc.message_body`*:: -+ --- -This key captures the The contents of the message body. - -type: keyword - --- - -*`rsa.misc.phone`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sig_id_str`*:: -+ --- -This key captures a string object of the sigid variable. - -type: keyword - --- - -*`rsa.misc.cmd`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu`*:: -+ --- -This key is the CPU time used in the execution of the event being recorded. - -type: long - --- - -*`rsa.misc.event_desc`*:: -+ --- -This key is used to capture a description of an event available directly or inferred - -type: keyword - --- - -*`rsa.misc.sig_id1`*:: -+ --- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - -type: long - --- - -*`rsa.misc.im_buddyid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_client`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.priority`*:: -+ --- -type: keyword - --- - -*`rsa.misc.context_subject`*:: -+ --- -This key is to be used in an audit context where the subject is the object being identified - -type: keyword - --- - -*`rsa.misc.context_target`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cve`*:: -+ --- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - -type: keyword - --- - -*`rsa.misc.fcatnum`*:: -+ --- -This key captures Filter Category Number. 
Legacy Usage - -type: keyword - --- - -*`rsa.misc.library`*:: -+ --- -This key is used to capture library information in mainframe devices - -type: keyword - --- - -*`rsa.misc.parent_node`*:: -+ --- -This key captures the Parent Node Name. Must be related to node variable. - -type: keyword - --- - -*`rsa.misc.risk_info`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.tcp_flags`*:: -+ --- -This key is captures the TCP flags set in any packet of session - -type: long - --- - -*`rsa.misc.tos`*:: -+ --- -This key describes the type of service - -type: long - --- - -*`rsa.misc.vm_target`*:: -+ --- -VMWare Target **VMWARE** only varaible. - -type: keyword - --- - -*`rsa.misc.workspace`*:: -+ --- -This key captures Workspace Description - -type: keyword - --- - -*`rsa.misc.command`*:: -+ --- -type: keyword - --- - -*`rsa.misc.event_category`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facilityname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.forensic_info`*:: -+ --- -type: keyword - --- - -*`rsa.misc.jobname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy_waiver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.second`*:: -+ --- -type: keyword - --- - -*`rsa.misc.space1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.subcategory`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alert_id`*:: -+ --- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.checksum_dst`*:: -+ --- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - -type: keyword - --- - -*`rsa.misc.checksum_src`*:: -+ --- -This key is used to capture the checksum or hash of the source entity such as a file or process. 
- -type: keyword - --- - -*`rsa.misc.fresult`*:: -+ --- -This key captures the Filter Result - -type: long - --- - -*`rsa.misc.payload_dst`*:: -+ --- -This key is used to capture destination payload - -type: keyword - --- - -*`rsa.misc.payload_src`*:: -+ --- -This key is used to capture source payload - -type: keyword - --- - -*`rsa.misc.pool_id`*:: -+ --- -This key captures the identifier (typically numeric field) of a resource pool - -type: keyword - --- - -*`rsa.misc.process_id_val`*:: -+ --- -This key is a failure key for Process ID when it is not an integer value - -type: keyword - --- - -*`rsa.misc.risk_num_comm`*:: -+ --- -This key captures Risk Number Community - -type: double - --- - -*`rsa.misc.risk_num_next`*:: -+ --- -This key captures Risk Number NextGen - -type: double - --- - -*`rsa.misc.risk_num_sand`*:: -+ --- -This key captures Risk Number SandBox - -type: double - --- - -*`rsa.misc.risk_num_static`*:: -+ --- -This key captures Risk Number Static - -type: double - --- - -*`rsa.misc.risk_suspicious`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.risk_warning`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.snmp_oid`*:: -+ --- -SNMP Object Identifier - -type: keyword - --- - -*`rsa.misc.sql`*:: -+ --- -This key captures the SQL query - -type: keyword - --- - -*`rsa.misc.vuln_ref`*:: -+ --- -This key captures the Vulnerability Reference details - -type: keyword - --- - -*`rsa.misc.acl_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_op`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_pos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_table`*:: -+ --- -type: keyword - --- - -*`rsa.misc.admin`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarm_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarmname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.app_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.audit`*:: 
-+ --- -type: keyword - --- - -*`rsa.misc.audit_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.auditdata`*:: -+ --- -type: keyword - --- - -*`rsa.misc.benchmark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.bypass`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache_hit`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cefversion`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_attr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_obj`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_path`*:: -+ --- -type: keyword - --- - -*`rsa.misc.changes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client_ip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.clustermembers`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_acttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_asn_src`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_bgpv4nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ctr_dst_code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_f_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampintv`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampmode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inacttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermbyts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermpckts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_invalid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ip_proto_ver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ipv4_ident`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_l_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_did`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_rid`*:: -+ --- -type: keyword - 
--- - -*`rsa.misc.cn_max_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_maxpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_min_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_minpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_10`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_5`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_6`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_7`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_8`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_9`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_byt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_pks`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_muligmptype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampalgo`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampint`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_seqctr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_spackets`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sysuptime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_template_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totbytsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totflowexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totpcktsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_unixnanosecs`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6flowlabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6optheaders`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.comp_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_rbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_sbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.criticality`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_agency_dst`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_analyzedby`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_other`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_primary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_secondary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bgpv6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bit9status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_context`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_control`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_datecret`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_dst_tld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_dst_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_src_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_event_uuid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_filetype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_desc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ip_next_hop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4dstpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4srcpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_lifetime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_log_medium`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_loginname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulescore`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulesign`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_opswatresult`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.cs_payload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrant`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrar`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_represult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_rpayload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sampler_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sourcemodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_streams`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_targetmodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_v6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_whois_server`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_yararesult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.description`*:: -+ --- -type: keyword - --- - -*`rsa.misc.devvendor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.distance`*:: -+ --- -type: keyword - --- - -*`rsa.misc.dstburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomaub`*:: -+ --- -type: keyword - --- - -*`rsa.misc.euid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facility`*:: -+ --- -type: keyword - --- - -*`rsa.misc.finterface`*:: -+ --- -type: keyword - --- - -*`rsa.misc.flags`*:: -+ --- -type: keyword - --- - -*`rsa.misc.gaddr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.id3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_buddyname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomtype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_members`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_username`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipscat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipspri`*:: -+ --- -type: keyword - --- - -*`rsa.misc.latitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.linenum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.list_name`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.load_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_floor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_mark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.longitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.lport`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mbug_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msg_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.netsessid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.nwwn`*:: -+ --- -type: keyword - --- - -*`rsa.misc.object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.operation`*:: -+ --- -type: keyword - --- - -*`rsa.misc.opkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.orig_from`*:: -+ --- -type: keyword - --- - -*`rsa.misc.owner_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_filter`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_group_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_result1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_chg`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_expire`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permgranted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permwanted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pgid`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.policyUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.prog_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.program`*:: -+ --- -type: keyword - --- - -*`rsa.misc.real_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_device`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_library`*:: -+ --- -type: keyword - --- - -*`rsa.misc.recordnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ruid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sdomain_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sec`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sensorname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.seqnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.session`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sessiontype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.spi`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcservice`*:: -+ --- -type: keyword - --- - -*`rsa.misc.state`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.svcno`*:: -+ --- -type: keyword - --- - -*`rsa.misc.system`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.threshold`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.udb_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.url_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.user_div`*:: -+ --- -type: keyword - --- - -*`rsa.misc.userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.username_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.utcstamp`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.v_instafname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.virt_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.vpnid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.autorun_type`*:: -+ --- -This is used to capture Auto Run type - -type: keyword - --- - -*`rsa.misc.cc_number`*:: -+ --- -Valid Credit Card Numbers only - -type: long - --- - -*`rsa.misc.content`*:: -+ --- -This key captures the content type from protocol headers - -type: keyword - --- - -*`rsa.misc.ein_number`*:: -+ --- -Employee Identification Numbers only - -type: long - --- - -*`rsa.misc.found`*:: -+ --- -This is used to capture the results of regex match - -type: keyword - --- - -*`rsa.misc.language`*:: -+ --- -This is used to capture list of languages the client support and what it prefers - -type: keyword - --- - -*`rsa.misc.lifetime`*:: -+ --- -This key is used to capture the session lifetime in seconds. - -type: long - --- - -*`rsa.misc.link`*:: -+ --- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.misc.match`*:: -+ --- -This key is for regex match name from search.ini - -type: keyword - --- - -*`rsa.misc.param_dst`*:: -+ --- -This key captures the command line/launch argument of the target process or file - -type: keyword - --- - -*`rsa.misc.param_src`*:: -+ --- -This key captures source parameter - -type: keyword - --- - -*`rsa.misc.search_text`*:: -+ --- -This key captures the Search Text used - -type: keyword - --- - -*`rsa.misc.sig_name`*:: -+ --- -This key is used to capture the Signature Name only. - -type: keyword - --- - -*`rsa.misc.snmp_value`*:: -+ --- -SNMP set request value - -type: keyword - --- - -*`rsa.misc.streams`*:: -+ --- -This key captures number of streams in session - -type: long - --- - - -*`rsa.db.index`*:: -+ --- -This key captures IndexID of the index. 
- -type: keyword - --- - -*`rsa.db.instance`*:: -+ --- -This key is used to capture the database server instance name - -type: keyword - --- - -*`rsa.db.database`*:: -+ --- -This key is used to capture the name of a database or an instance as seen in a session - -type: keyword - --- - -*`rsa.db.transact_id`*:: -+ --- -This key captures the SQL transantion ID of the current session - -type: keyword - --- - -*`rsa.db.permissions`*:: -+ --- -This key captures permission or privilege level assigned to a resource. - -type: keyword - --- - -*`rsa.db.table_name`*:: -+ --- -This key is used to capture the table name - -type: keyword - --- - -*`rsa.db.db_id`*:: -+ --- -This key is used to capture the unique identifier for a database - -type: keyword - --- - -*`rsa.db.db_pid`*:: -+ --- -This key captures the process id of a connection with database server - -type: long - --- - -*`rsa.db.lread`*:: -+ --- -This key is used for the number of logical reads - -type: long - --- - -*`rsa.db.lwrite`*:: -+ --- -This key is used for the number of logical writes - -type: long - --- - -*`rsa.db.pread`*:: -+ --- -This key is used for the number of physical writes - -type: long - --- - - -*`rsa.network.alias_host`*:: -+ --- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - -type: keyword - --- - -*`rsa.network.domain`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_dst`*:: -+ --- -This key should only be used when it’s a Destination Hostname - -type: keyword - --- - -*`rsa.network.network_service`*:: -+ --- -This is used to capture layer 7 protocols/service names - -type: keyword - --- - -*`rsa.network.interface`*:: -+ --- -This key should be used when the source or destination context of an interface is not clear - -type: keyword - --- - -*`rsa.network.network_port`*:: -+ --- -Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) - -type: long - --- - -*`rsa.network.eth_host`*:: -+ --- -Deprecated, use alias.mac - -type: keyword - --- - -*`rsa.network.sinterface`*:: -+ --- -This key should only be used when it’s a Source Interface - -type: keyword - --- - -*`rsa.network.dinterface`*:: -+ --- -This key should only be used when it’s a Destination Interface - -type: keyword - --- - -*`rsa.network.vlan`*:: -+ --- -This key should only be used to capture the ID of the Virtual LAN - -type: long - --- - -*`rsa.network.zone_src`*:: -+ --- -This key should only be used when it’s a Source Zone. - -type: keyword - --- - -*`rsa.network.zone`*:: -+ --- -This key should be used when the source or destination context of a Zone is not clear - -type: keyword - --- - -*`rsa.network.zone_dst`*:: -+ --- -This key should only be used when it’s a Destination Zone. - -type: keyword - --- - -*`rsa.network.gateway`*:: -+ --- -This key is used to capture the IP Address of the gateway - -type: keyword - --- - -*`rsa.network.icmp_type`*:: -+ --- -This key is used to capture the ICMP type only - -type: long - --- - -*`rsa.network.mask`*:: -+ --- -This key is used to capture the device network IPmask. 
- -type: keyword - --- - -*`rsa.network.icmp_code`*:: -+ --- -This key is used to capture the ICMP code only - -type: long - --- - -*`rsa.network.protocol_detail`*:: -+ --- -This key should be used to capture additional protocol information - -type: keyword - --- - -*`rsa.network.dmask`*:: -+ --- -This key is used for Destionation Device network mask - -type: keyword - --- - -*`rsa.network.port`*:: -+ --- -This key should only be used to capture a Network Port when the directionality is not clear - -type: long - --- - -*`rsa.network.smask`*:: -+ --- -This key is used for capturing source Network Mask - -type: keyword - --- - -*`rsa.network.netname`*:: -+ --- -This key is used to capture the network name associated with an IP range. This is configured by the end user. - -type: keyword - --- - -*`rsa.network.paddr`*:: -+ --- -Deprecated - -type: ip - --- - -*`rsa.network.faddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.lhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.origin`*:: -+ --- -type: keyword - --- - -*`rsa.network.remote_domain_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.addr`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_a_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_ptr_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.fhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.fport`*:: -+ --- -type: keyword - --- - -*`rsa.network.laddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.linterface`*:: -+ --- -type: keyword - --- - -*`rsa.network.phost`*:: -+ --- -type: keyword - --- - -*`rsa.network.ad_computer_dst`*:: -+ --- -Deprecated, use host.dst - -type: keyword - --- - -*`rsa.network.eth_type`*:: -+ --- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: long - --- - -*`rsa.network.ip_proto`*:: -+ --- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - -type: long - --- - -*`rsa.network.dns_cname_record`*:: -+ --- 
-type: keyword - --- - -*`rsa.network.dns_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_opcode`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_resp`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.domain1`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.packet_length`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_orig`*:: -+ --- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - -type: keyword - --- - -*`rsa.network.rpayload`*:: -+ --- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. - -type: keyword - --- - -*`rsa.network.vlan_name`*:: -+ --- -This key should only be used to capture the name of the Virtual LAN - -type: keyword - --- - - -*`rsa.investigations.ec_activity`*:: -+ --- -This key captures the particular event activity(Ex:Logoff) - -type: keyword - --- - -*`rsa.investigations.ec_theme`*:: -+ --- -This key captures the Theme of a particular Event(Ex:Authentication) - -type: keyword - --- - -*`rsa.investigations.ec_subject`*:: -+ --- -This key captures the Subject of a particular Event(Ex:User) - -type: keyword - --- - -*`rsa.investigations.ec_outcome`*:: -+ --- -This key captures the outcome of a particular Event(Ex:Success) - -type: keyword - --- - -*`rsa.investigations.event_cat`*:: -+ --- -This key captures the Event category number - -type: long - --- - -*`rsa.investigations.event_cat_name`*:: -+ --- -This key captures the event category name corresponding to the event cat code - -type: keyword - --- - -*`rsa.investigations.event_vcat`*:: -+ --- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - -type: keyword - --- - -*`rsa.investigations.analysis_file`*:: -+ --- -This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - -type: keyword - --- - -*`rsa.investigations.analysis_service`*:: -+ --- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - -type: keyword - --- - -*`rsa.investigations.analysis_session`*:: -+ --- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - -type: keyword - --- - -*`rsa.investigations.boc`*:: -+ --- -This is used to capture behaviour of compromise - -type: keyword - --- - -*`rsa.investigations.eoc`*:: -+ --- -This is used to capture Enablers of Compromise - -type: keyword - --- - -*`rsa.investigations.inv_category`*:: -+ --- -This used to capture investigation category - -type: keyword - --- - -*`rsa.investigations.inv_context`*:: -+ --- -This used to capture investigation context - -type: keyword - --- - -*`rsa.investigations.ioc`*:: -+ --- -This is key capture indicator of compromise - -type: keyword - --- - - -*`rsa.counters.dclass_c1`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c1.str only - -type: long - --- - -*`rsa.counters.dclass_c2`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c2.str only - -type: long - --- - -*`rsa.counters.event_counter`*:: -+ --- -This is used to capture the number of times an event repeated - -type: long - --- - -*`rsa.counters.dclass_r1`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r1.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c3.str only - -type: long - --- - -*`rsa.counters.dclass_c1_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c1 only - -type: keyword - --- - -*`rsa.counters.dclass_c2_str`*:: -+ --- -This is a generic counter string key that should be 
used with the label dclass.c2 only - -type: keyword - --- - -*`rsa.counters.dclass_r1_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r1 only - -type: keyword - --- - -*`rsa.counters.dclass_r2`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r2.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c3 only - -type: keyword - --- - -*`rsa.counters.dclass_r3`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r3.str only - -type: keyword - --- - -*`rsa.counters.dclass_r2_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r2 only - -type: keyword - --- - -*`rsa.counters.dclass_r3_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r3 only - -type: keyword - --- - - -*`rsa.identity.auth_method`*:: -+ --- -This key is used to capture authentication methods used only - -type: keyword - --- - -*`rsa.identity.user_role`*:: -+ --- -This key is used to capture the Role of a user only - -type: keyword - --- - -*`rsa.identity.dn`*:: -+ --- -X.500 (LDAP) Distinguished Name - -type: keyword - --- - -*`rsa.identity.logon_type`*:: -+ --- -This key is used to capture the type of logon method used. 
- -type: keyword - --- - -*`rsa.identity.profile`*:: -+ --- -This key is used to capture the user profile - -type: keyword - --- - -*`rsa.identity.accesses`*:: -+ --- -This key is used to capture actual privileges used in accessing an object - -type: keyword - --- - -*`rsa.identity.realm`*:: -+ --- -Radius realm or similar grouping of accounts - -type: keyword - --- - -*`rsa.identity.user_sid_dst`*:: -+ --- -This key captures Destination User Session ID - -type: keyword - --- - -*`rsa.identity.dn_src`*:: -+ --- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - -type: keyword - --- - -*`rsa.identity.org`*:: -+ --- -This key captures the User organization - -type: keyword - --- - -*`rsa.identity.dn_dst`*:: -+ --- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - -type: keyword - --- - -*`rsa.identity.firstname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.lastname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.user_dept`*:: -+ --- -User's Department Names only - -type: keyword - --- - -*`rsa.identity.user_sid_src`*:: -+ --- -This key captures Source User Session ID - -type: keyword - --- - -*`rsa.identity.federated_sp`*:: -+ --- -This key is the Federated Service Provider. This is the application requesting authentication. - -type: keyword - --- - -*`rsa.identity.federated_idp`*:: -+ --- -This key is the federated Identity Provider. This is the server providing the authentication. - -type: keyword - --- - -*`rsa.identity.logon_type_desc`*:: -+ --- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- -type: keyword - --- - -*`rsa.identity.middlename`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.password`*:: -+ --- -This key is for Passwords seen in any session, plain text or encrypted - -type: keyword - --- - -*`rsa.identity.host_role`*:: -+ --- -This key should only be used to capture the role of a Host Machine - -type: keyword - --- - -*`rsa.identity.ldap`*:: -+ --- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - -type: keyword - --- - -*`rsa.identity.ldap_query`*:: -+ --- -This key is the Search criteria from an LDAP search - -type: keyword - --- - -*`rsa.identity.ldap_response`*:: -+ --- -This key is to capture Results from an LDAP search - -type: keyword - --- - -*`rsa.identity.owner`*:: -+ --- -This is used to capture username the process or service is running as, the author of the task - -type: keyword - --- - -*`rsa.identity.service_account`*:: -+ --- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - -type: keyword - --- - - -*`rsa.email.email_dst`*:: -+ --- -This key is used to capture the Destination email address only, when the destination context is not clear use email - -type: keyword - --- - -*`rsa.email.email_src`*:: -+ --- -This key is used to capture the source email address only, when the source context is not clear use email - -type: keyword - --- - -*`rsa.email.subject`*:: -+ --- -This key is used to capture the subject string from an Email only. - -type: keyword - --- - -*`rsa.email.email`*:: -+ --- -This key is used to capture a generic email address where the source or destination context is not clear - -type: keyword - --- - -*`rsa.email.trans_from`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.email.trans_to`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - - -*`rsa.file.privilege`*:: -+ --- -Deprecated, use permissions - -type: keyword - --- - -*`rsa.file.attachment`*:: -+ --- -This key captures the attachment file name - -type: keyword - --- - -*`rsa.file.filesystem`*:: -+ --- -type: keyword - --- - -*`rsa.file.binary`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.file.filename_dst`*:: -+ --- -This is used to capture name of the file targeted by the action - -type: keyword - --- - -*`rsa.file.filename_src`*:: -+ --- -This is used to capture name of the parent filename, the file which performed the action - -type: keyword - --- - -*`rsa.file.filename_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.file.directory_dst`*:: -+ --- -This key is used to capture the directory of the target process or file - -type: keyword - --- - -*`rsa.file.directory_src`*:: -+ --- -This key is used to capture the directory of the source process or file - -type: keyword - --- - -*`rsa.file.file_entropy`*:: -+ --- -This is used to capture entropy vale of a file - -type: double - --- - -*`rsa.file.file_vendor`*:: -+ --- -This is used to capture Company name of file located in version_info - -type: keyword - --- - -*`rsa.file.task_name`*:: -+ --- -This is used to capture name of the task - -type: keyword - --- - - -*`rsa.web.fqdn`*:: -+ --- -Fully Qualified Domain Names - -type: keyword - --- - -*`rsa.web.web_cookie`*:: -+ --- -This key is used to capture the Web cookies specifically. - -type: keyword - --- - -*`rsa.web.alias_host`*:: -+ --- -type: keyword - --- - -*`rsa.web.reputation_num`*:: -+ --- -Reputation Number of an entity. 
Typically used for Web Domains - -type: double - --- - -*`rsa.web.web_ref_domain`*:: -+ --- -Web referer's domain - -type: keyword - --- - -*`rsa.web.web_ref_query`*:: -+ --- -This key captures Web referer's query portion of the URL - -type: keyword - --- - -*`rsa.web.remote_domain`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_ref_page`*:: -+ --- -This key captures Web referer's page information - -type: keyword - --- - -*`rsa.web.web_ref_root`*:: -+ --- -Web referer's root URL path - -type: keyword - --- - -*`rsa.web.cn_asn_dst`*:: -+ --- -type: keyword - --- - -*`rsa.web.cn_rpackets`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlpage`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlroot`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_url`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_user_agent`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_cookie`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_method`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_referer`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_extension_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_page`*:: -+ --- -type: keyword - --- - - -*`rsa.threat.threat_category`*:: -+ --- -This key captures Threat Name/Threat Category/Categorization of alert - -type: keyword - --- - -*`rsa.threat.threat_desc`*:: -+ --- -This key is used to capture the threat description from the session directly or inferred - -type: keyword - --- - -*`rsa.threat.alert`*:: -+ --- -This key is used to capture name of the alert - -type: keyword - --- - -*`rsa.threat.threat_source`*:: -+ --- -This key is used to capture source of the threat - -type: keyword - --- - - -*`rsa.crypto.crypto`*:: -+ --- -This key is used to capture the Encryption Type or Encryption Key only - -type: keyword - --- - -*`rsa.crypto.cipher_src`*:: -+ --- -This key is for Source (Client) Cipher - -type: keyword - --- - -*`rsa.crypto.cert_subject`*:: -+ --- -This key is used to capture the Certificate organization only - -type: keyword - --- 
- -*`rsa.crypto.peer`*:: -+ --- -This key is for Encryption peer's IP Address - -type: keyword - --- - -*`rsa.crypto.cipher_size_src`*:: -+ --- -This key captures Source (Client) Cipher Size - -type: long - --- - -*`rsa.crypto.ike`*:: -+ --- -IKE negotiation phase. - -type: keyword - --- - -*`rsa.crypto.scheme`*:: -+ --- -This key captures the Encryption scheme used - -type: keyword - --- - -*`rsa.crypto.peer_id`*:: -+ --- -This key is for Encryption peer’s identity - -type: keyword - --- - -*`rsa.crypto.sig_type`*:: -+ --- -This key captures the Signature Type - -type: keyword - --- - -*`rsa.crypto.cert_issuer`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.crypto.cert_error`*:: -+ --- -This key captures the Certificate Error String - -type: keyword - --- - -*`rsa.crypto.cipher_dst`*:: -+ --- -This key is for Destination (Server) Cipher - -type: keyword - --- - -*`rsa.crypto.cipher_size_dst`*:: -+ --- -This key captures Destination (Server) Cipher Size - -type: long - --- - -*`rsa.crypto.ssl_ver_src`*:: -+ --- -Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.d_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.s_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.ike_cookie1`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase One - -type: keyword - --- - -*`rsa.crypto.ike_cookie2`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase Two - -type: keyword - --- - -*`rsa.crypto.cert_checksum`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_cat`*:: -+ --- -This key is used for the hostname category value of a certificate - -type: keyword - --- - -*`rsa.crypto.cert_serial`*:: -+ --- -This key is used to capture the Certificate serial number only - -type: keyword - --- - -*`rsa.crypto.cert_status`*:: -+ --- -This key captures Certificate validation status - -type: keyword - --- - -*`rsa.crypto.ssl_ver_dst`*:: -+ --- 
-Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.cert_keysize`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_username`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_insact`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_valid`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_ca`*:: -+ --- -This key is used to capture the Certificate signing authority only - -type: keyword - --- - -*`rsa.crypto.cert_common`*:: -+ --- -This key is used to capture the Certificate common name only - -type: keyword - --- - - -*`rsa.wireless.wlan_ssid`*:: -+ --- -This key is used to capture the ssid of a Wireless Session - -type: keyword - --- - -*`rsa.wireless.access_point`*:: -+ --- -This key is used to capture the access point name. - -type: keyword - --- - -*`rsa.wireless.wlan_channel`*:: -+ --- -This is used to capture the channel names - -type: long - --- - -*`rsa.wireless.wlan_name`*:: -+ --- -This key captures either WLAN number/name - -type: keyword - --- - - -*`rsa.storage.disk_volume`*:: -+ --- -A unique name assigned to logical units (volumes) within a physical disk - -type: keyword - --- - -*`rsa.storage.lun`*:: -+ --- -Logical Unit Number.This key is a very useful concept in Storage. - -type: keyword - --- - -*`rsa.storage.pwwn`*:: -+ --- -This uniquely identifies a port on a HBA. - -type: keyword - --- - - -*`rsa.physical.org_dst`*:: -+ --- -This is used to capture the destination organization based on the GEOPIP Maxmind database. - -type: keyword - --- - -*`rsa.physical.org_src`*:: -+ --- -This is used to capture the source organization based on the GEOPIP Maxmind database. 
- -type: keyword - --- - - -*`rsa.healthcare.patient_fname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_id`*:: -+ --- -This key captures the unique ID for a patient - -type: keyword - --- - -*`rsa.healthcare.patient_lname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_mname`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - - -*`rsa.endpoint.host_state`*:: -+ --- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - -type: keyword - --- - -*`rsa.endpoint.registry_key`*:: -+ --- -This key captures the path to the registry key - -type: keyword - --- - -*`rsa.endpoint.registry_value`*:: -+ --- -This key captures values or decorators used within a registry entry - -type: keyword - --- - [[exported-fields-nginx]] == Nginx fields diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index d4558b50582..d0d869d1731 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -37,7 +37,6 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> - * <> * <> * <> * <> @@ -105,7 +104,6 @@ include::modules/mysql.asciidoc[] include::modules/mysqlenterprise.asciidoc[] include::modules/nats.asciidoc[] include::modules/netflow.asciidoc[] -include::modules/netscout.asciidoc[] include::modules/nginx.asciidoc[] include::modules/o365.asciidoc[] include::modules/okta.asciidoc[] diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 09dcb957eea..1f1daae76aa 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -1306,27 +1306,6 @@ filebeat.modules: internal_networks: - private -#-------------------------- Arbor Peakflow SP Module -------------------------- -- module: netscout - sightline: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9502 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - #-------------------------------- Nginx Module -------------------------------- #- module: nginx # Access logs diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index 74856aa4b53..f6792ef457f 100644 --- a/x-pack/filebeat/include/list.go +++ b/x-pack/filebeat/include/list.go @@ -38,7 +38,6 @@ import ( _ "github.com/elastic/beats/v7/x-pack/filebeat/module/mssql" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/mysqlenterprise" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/netflow" - _ "github.com/elastic/beats/v7/x-pack/filebeat/module/netscout" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/o365" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/okta" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/oracle" diff --git a/x-pack/filebeat/module/netscout/README.md b/x-pack/filebeat/module/netscout/README.md deleted file mode 100644 index dd92af09187..00000000000 --- a/x-pack/filebeat/module/netscout/README.md +++ /dev/null @@ -1,7 +0,0 @@ -# netscout module - -This is a module for Arbor Peakflow SP logs. - -Autogenerated from RSA NetWitness log parser 2.0 XML arborpeakflowsp version 109 -at 2020-07-13 17:55:32.50797 +0000 UTC. - diff --git a/x-pack/filebeat/module/netscout/_meta/config.yml b/x-pack/filebeat/module/netscout/_meta/config.yml deleted file mode 100644 index d7bcfcf2e7f..00000000000 
--- a/x-pack/filebeat/module/netscout/_meta/config.yml +++ /dev/null @@ -1,19 +0,0 @@ -- module: netscout - sightline: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9502 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local diff --git a/x-pack/filebeat/module/netscout/_meta/docs.asciidoc b/x-pack/filebeat/module/netscout/_meta/docs.asciidoc deleted file mode 100644 index 6ae6035957e..00000000000 --- a/x-pack/filebeat/module/netscout/_meta/docs.asciidoc +++ /dev/null 
@@ -1,68 +0,0 @@ -[role="xpack"] - -:modulename: netscout -:has-dashboards: false - -== Netscout module - -deprecated::[8.12.0,"This module is deprecated. See <> for migration options."] - -experimental[] - -This is a module for receiving Arbor Peakflow SP logs over Syslog or a file. - -include::../include/gs-link.asciidoc[] - -include::../include/configuring-intro.asciidoc[] - -:fileset_ex: sightline - -include::../include/config-option-intro.asciidoc[] - -[float] -==== `sightline` fileset settings - -experimental[] - -NOTE: This was converted from RSA NetWitness log parser XML "arborpeakflowsp" device revision 109. - -*`var.input`*:: - -The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. - -*`var.syslog_host`*:: - -The address to listen to UDP or TCP based syslog traffic. -Defaults to `localhost`. -Set to `0.0.0.0` to bind to all available interfaces. - -*`var.syslog_port`*:: - -The port to listen for syslog traffic. Defaults to `9502` - -NOTE: Ports below 1024 require Filebeat to run as root. - -*`var.tz_offset`*:: - -By default, datetimes in the logs will be interpreted as relative to -the timezone configured in the host where {beatname_uc} is running. If ingesting -logs from a host on a different timezone, use this field to set the timezone -offset so that datetimes are correctly parsed. Valid values are in the form -±HH:mm, for example, `-07:00` for `UTC-7`. - -*`var.rsa_fields`*:: - -Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be added. - -*`var.keep_raw_fields`*:: - -Flag to control the addition of the raw parser fields to the event. This fields -will be found under `rsa.raw`. The default is false. - -:has-dashboards!: - -:fileset_ex!: - -:modulename!: - diff --git a/x-pack/filebeat/module/netscout/_meta/fields.yml b/x-pack/filebeat/module/netscout/_meta/fields.yml deleted file mode 100644 index 19fcd1463f8..00000000000 
--- a/x-pack/filebeat/module/netscout/_meta/fields.yml +++ /dev/null @@ -1,5 +0,0 @@ -- key: netscout - title: Arbor Peakflow SP - description: > - netscout fields. - fields: diff --git a/x-pack/filebeat/module/netscout/fields.go b/x-pack/filebeat/module/netscout/fields.go deleted file mode 100644 index 0a75eba568d..00000000000 --- a/x-pack/filebeat/module/netscout/fields.go +++ /dev/null @@ -1,23 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. - -package netscout - -import ( - "github.com/elastic/beats/v7/libbeat/asset" -) - -func init() { - if err := asset.SetFields("filebeat", "netscout", asset.ModuleFieldsPri, AssetNetscout); err != nil { - panic(err) - } -} - -// AssetNetscout returns asset data. -// This is the base64 encoded zlib format compressed contents of module/netscout. -func AssetNetscout() string { - return "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" -} diff --git a/x-pack/filebeat/module/netscout/sightline/_meta/fields.yml b/x-pack/filebeat/module/netscout/sightline/_meta/fields.yml deleted file mode 100644 index 08a34153c4f..00000000000 --- a/x-pack/filebeat/module/netscout/sightline/_meta/fields.yml +++ /dev/null 
@@ -1,2635 +0,0 @@ -- name: network.interface.name - overwrite: true - type: keyword - description: > - Name of the network interface where the traffic has been observed. -- name: rsa - overwrite: true - type: group - fields: - - name: internal - overwrite: true - type: group - fields: - - name: msg - overwrite: true - type: keyword - description: This key is used to capture the raw message that comes into the - Log Decoder - - name: messageid - overwrite: true - type: keyword - - name: event_desc - overwrite: true - type: keyword - - name: message - overwrite: true - type: keyword - description: This key captures the contents of instant messages - - name: time - overwrite: true - type: date - description: This is the time at which a session hits a NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness. - - name: level - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: msg_id - overwrite: true - type: keyword - description: This is the Message ID1 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: msg_vid - overwrite: true - type: keyword - description: This is the Message ID2 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: data - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: resource - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: statement - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: entry - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: inode - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: resource_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: dead - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - overwrite: true - type: keyword - description: This is used to capture the description of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: feed_name - overwrite: true - type: keyword - description: This is used to capture the name of the feed. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: cid - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_class - overwrite: true - type: keyword - description: This is the Classification of the Log Event Source under a predefined - fixed set of Event Source Classifications. 
This key should never be used to - parse Meta data from a session (Logs/Packets) Directly, this is a Reserved - key in NetWitness - - name: device_group - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - overwrite: true - type: keyword - description: This is the Hostname of the log Event Source sending the logs to - NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - overwrite: true - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - overwrite: true - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - overwrite: true - type: keyword - description: This is the name of the log parser which parsed a given session. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_type_id - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: did - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. 
- This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: entropy_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: entropy_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: event_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - overwrite: true - type: keyword - description: This is used to capture the category of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: forward_ip - overwrite: true - type: ip - description: This key should be used to capture the IPV4 address of a relay - system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - overwrite: true - type: ip - description: This key is used to capture the IPV6 address of a relay system - which forwarded the events from the original system to NetWitness. This key - should never be used to parse Meta data from a session (Logs/Packets) Directly, - this is a Reserved key in NetWitness - - name: header_id - overwrite: true - type: keyword - description: This is the Header ID value that identifies the exact log parser - header definition that parses a particular log session. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: lc_cid - overwrite: true - type: keyword - description: This is a unique Identifier of a Log Collector. 
This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: lc_ctime - overwrite: true - type: date - description: This is the time at which a log is collected in a NetWitness Log - Collector. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: mcbc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: medium - overwrite: true - type: long - description: "This key is used to identify if it\u2019s a log/packet session\ - \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ - \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ - \ 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: nwe_callback_id - overwrite: true - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - overwrite: true - type: keyword - description: This is a special key that stores any Meta key validation error - found while parsing a log session. This key should never be used to parse - Meta data from a session (Logs/Packets) Directly, this is a Reserved key in - NetWitness - - name: payload_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: payload_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: process_vid_dst - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the target process. - - name: process_vid_src - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the source process. - - name: rid - overwrite: true - type: long - description: This is a special ID of the Remote Session created by NetWitness - Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: session_split - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: size - overwrite: true - type: long - description: This is the size of the session as seen by the NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: sourcefile - overwrite: true - type: keyword - description: This is the name of the log file or PCAPs that can be imported - into NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: ubc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: word - overwrite: true - type: keyword - description: This is used by the Word Parsing technology to capture the first - 5 character of every word in an unparsed log - - name: time - overwrite: true - type: group - fields: - - name: event_time - overwrite: true - type: date - description: This key is used to capture the time mentioned in a raw session - that represents the actual time an event occured in a standard normalized - form - - name: duration_time - overwrite: true - type: double - description: This key is used to capture the normalized duration/lifetime in - seconds. 
- - name: event_time_str - overwrite: true - type: keyword - description: This key is used to capture the incomplete time mentioned in a - session as a string - - name: starttime - overwrite: true - type: date - description: This key is used to capture the Start time mentioned in a session - in a standard form - - name: month - overwrite: true - type: keyword - - name: day - overwrite: true - type: keyword - - name: endtime - overwrite: true - type: date - description: This key is used to capture the End time mentioned in a session - in a standard form - - name: timezone - overwrite: true - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - overwrite: true - type: keyword - description: A text string version of the duration - - name: date - overwrite: true - type: keyword - - name: year - overwrite: true - type: keyword - - name: recorded_time - overwrite: true - type: date - description: The event time as recorded by the system the event is collected - from. The usage scenario is a multi-tier application where the management - layer of the system records it's own timestamp at the time of collection from - its child nodes. Must be in timestamp format. - - name: datetime - overwrite: true - type: keyword - - name: effective_time - overwrite: true - type: date - description: This key is the effective time referenced by an individual event - in a Standard Timestamp format - - name: expire_time - overwrite: true - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - overwrite: true - type: keyword - description: Deprecated, use duration.time - - name: hour - overwrite: true - type: keyword - - name: min - overwrite: true - type: keyword - - name: timestamp - overwrite: true - type: keyword - - name: event_queue_time - overwrite: true - type: date - description: This key is the Time that the event was queued. 
- - name: p_time1 - overwrite: true - type: keyword - - name: tzone - overwrite: true - type: keyword - - name: eventtime - overwrite: true - type: keyword - - name: gmtdate - overwrite: true - type: keyword - - name: gmttime - overwrite: true - type: keyword - - name: p_date - overwrite: true - type: keyword - - name: p_month - overwrite: true - type: keyword - - name: p_time - overwrite: true - type: keyword - - name: p_time2 - overwrite: true - type: keyword - - name: p_year - overwrite: true - type: keyword - - name: expire_time_str - overwrite: true - type: keyword - description: This key is used to capture incomplete timestamp that explicitly - refers to an expiration. - - name: stamp - overwrite: true - type: date - description: Deprecated key defined only in table map. - - name: misc - overwrite: true - type: group - fields: - - name: action - overwrite: true - type: keyword - - name: result - overwrite: true - type: keyword - description: This key is used to capture the outcome/result string value of - an action in a session. - - name: severity - overwrite: true - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - overwrite: true - type: keyword - description: This key captures the event category type as specified by the event - source. - - name: reference_id - overwrite: true - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - overwrite: true - type: keyword - description: This key captures Version of the application or OS which is generating - the event. - - name: disposition - overwrite: true - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - overwrite: true - type: keyword - description: This key is used to capture the outcome/result numeric value of - an action in a session - - name: category - overwrite: true - type: keyword - description: This key is used to capture the category of an event given by the - vendor in the session - - name: obj_name - overwrite: true - type: keyword - description: This is used to capture name of object - - name: obj_type - overwrite: true - type: keyword - description: This is used to capture type of object - - name: event_source - overwrite: true - type: keyword - description: "This key captures Source of the event that\u2019s not a hostname" - - name: log_session_id - overwrite: true - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - overwrite: true - type: keyword - description: This key captures the Group Name value - - name: policy_name - overwrite: true - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - overwrite: true - type: keyword - description: This key captures the Rule Name - - name: context - overwrite: true - type: keyword - description: This key captures Information which adds additional context to - the event. - - name: change_new - overwrite: true - type: keyword - description: "This key is used to capture the new values of the attribute that\u2019\ - s changing in a session" - - name: space - overwrite: true - type: keyword - - name: client - overwrite: true - type: keyword - description: This key is used to capture only the name of the client application - requesting resources of the server. See the user.agent meta key for capture - of the specific user agent identifier or browser identification string. 
- - name: msgIdPart1 - overwrite: true - type: keyword - - name: msgIdPart2 - overwrite: true - type: keyword - - name: change_old - overwrite: true - type: keyword - description: "This key is used to capture the old value of the attribute that\u2019\ - s changing in a session" - - name: operation_id - overwrite: true - type: keyword - description: An alert number or operation number. The values should be unique - and non-repeating. - - name: event_state - overwrite: true - type: keyword - description: This key captures the current state of the object/item referenced - within the event. Describing an on-going event. - - name: group_object - overwrite: true - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - overwrite: true - type: keyword - description: Common use case is the node name within a cluster. The cluster - name is reflected by the host name. - - name: rule - overwrite: true - type: keyword - description: This key captures the Rule number - - name: device_name - overwrite: true - type: keyword - description: 'This is used to capture name of the Device associated with the - node Like: a physical disk, printer, etc' - - name: param - overwrite: true - type: keyword - description: This key is the parameters passed as part of a command or application, - etc. - - name: change_attrib - overwrite: true - type: keyword - description: "This key is used to capture the name of the attribute that\u2019\ - s changing in a session" - - name: event_computer - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - fully qualified domain name in a windows log. 
- - name: reference_id1 - overwrite: true - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - overwrite: true - type: keyword - description: This key captures the Name of the event log - - name: OS - overwrite: true - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - overwrite: true - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - overwrite: true - type: keyword - - name: filter - overwrite: true - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - overwrite: true - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the entity - such as a file or process. Checksum should be used over checksum.src or checksum.dst - when it is unclear whether the entity is a source or target of an action. - - name: event_user - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - combination of domain name and username in a windows log. - - name: virusname - overwrite: true - type: keyword - description: This key captures the name of the virus - - name: content_type - overwrite: true - type: keyword - description: This key is used to capture Content Type only. 
- - name: group_id - overwrite: true - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - overwrite: true - type: keyword - description: This key is used to capture the Policy ID only, this should be - a numeric value, use policy.name otherwise - - name: vsys - overwrite: true - type: keyword - description: This key captures Virtual System Name - - name: connection_id - overwrite: true - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - overwrite: true - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" - or "reference.id1" value but should not be used unless the other two variables - are in play. - - name: sensor - overwrite: true - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS - based devices - - name: sig_id - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - overwrite: true - type: keyword - description: 'This key is used for Physical or logical port connection but does - NOT include a network port. (Example: Printer port name).' - - name: rule_group - overwrite: true - type: keyword - description: This key captures the Rule group name - - name: risk_num - overwrite: true - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - overwrite: true - type: keyword - description: This key captures the Value of the trigger or threshold condition. - - name: log_session_id1 - overwrite: true - type: keyword - description: This key is used to capture a Linked (Related) Session ID from - the session directly - - name: comp_version - overwrite: true - type: keyword - description: This key captures the Version level of a sub-component of a product. 
- - name: content_version - overwrite: true - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - overwrite: true - type: keyword - description: This key is used to capture unique identifier for a device or system - (NOT a Mac address) - - name: risk - overwrite: true - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - overwrite: true - type: keyword - - name: reason - overwrite: true - type: keyword - - name: status - overwrite: true - type: keyword - - name: mail_id - overwrite: true - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - overwrite: true - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - overwrite: true - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - overwrite: true - type: keyword - - name: p_msgid - overwrite: true - type: keyword - - name: data_type - overwrite: true - type: keyword - - name: msgIdPart4 - overwrite: true - type: keyword - - name: error - overwrite: true - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - overwrite: true - type: keyword - - name: listnum - overwrite: true - type: keyword - description: This key is used to capture listname or listnumber, primarily for - collecting access-list - - name: ntype - overwrite: true - type: keyword - - name: observed_val - overwrite: true - type: keyword - description: This key captures the Value observed (from the perspective of the - device generating the log). - - name: policy_value - overwrite: true - type: keyword - description: This key captures the contents of the policy. 
This contains details - about the policy - - name: pool_name - overwrite: true - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - overwrite: true - type: keyword - description: A default set of parameters which are overlayed onto a rule (or - rulename) which efffectively constitutes a template - - name: count - overwrite: true - type: keyword - - name: number - overwrite: true - type: keyword - - name: sigcat - overwrite: true - type: keyword - - name: type - overwrite: true - type: keyword - - name: comments - overwrite: true - type: keyword - description: Comment information provided in the log message - - name: doc_number - overwrite: true - type: long - description: This key captures File Identification number - - name: expected_val - overwrite: true - type: keyword - description: This key captures the Value expected (from the perspective of the - device generating the log). - - name: job_num - overwrite: true - type: keyword - description: This key captures the Job Number - - name: spi_dst - overwrite: true - type: keyword - description: Destination SPI Index - - name: spi_src - overwrite: true - type: keyword - description: Source SPI Index - - name: code - overwrite: true - type: keyword - - name: agent_id - overwrite: true - type: keyword - description: This key is used to capture agent id - - name: message_body - overwrite: true - type: keyword - description: This key captures the The contents of the message body. - - name: phone - overwrite: true - type: keyword - - name: sig_id_str - overwrite: true - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - overwrite: true - type: keyword - - name: misc - overwrite: true - type: keyword - - name: name - overwrite: true - type: keyword - - name: cpu - overwrite: true - type: long - description: This key is the CPU time used in the execution of the event being - recorded. 
- - name: event_desc - overwrite: true - type: keyword - description: This key is used to capture a description of an event available - directly or inferred - - name: sig_id1 - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID. This must be linked - to the sig.id - - name: im_buddyid - overwrite: true - type: keyword - - name: im_client - overwrite: true - type: keyword - - name: im_userid - overwrite: true - type: keyword - - name: pid - overwrite: true - type: keyword - - name: priority - overwrite: true - type: keyword - - name: context_subject - overwrite: true - type: keyword - description: This key is to be used in an audit context where the subject is - the object being identified - - name: context_target - overwrite: true - type: keyword - - name: cve - overwrite: true - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - - an identifier for known information security vulnerabilities. - - name: fcatnum - overwrite: true - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - overwrite: true - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - overwrite: true - type: keyword - description: This key captures the Parent Node Name. Must be related to node - variable. - - name: risk_info - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - overwrite: true - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - overwrite: true - type: long - description: This key describes the type of service - - name: vm_target - overwrite: true - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - overwrite: true - type: keyword - description: This key captures Workspace Description - - name: command - overwrite: true - type: keyword - - name: event_category - overwrite: true - type: keyword - - name: facilityname - overwrite: true - type: keyword - - name: forensic_info - overwrite: true - type: keyword - - name: jobname - overwrite: true - type: keyword - - name: mode - overwrite: true - type: keyword - - name: policy - overwrite: true - type: keyword - - name: policy_waiver - overwrite: true - type: keyword - - name: second - overwrite: true - type: keyword - - name: space1 - overwrite: true - type: keyword - - name: subcategory - overwrite: true - type: keyword - - name: tbdstr2 - overwrite: true - type: keyword - - name: alert_id - overwrite: true - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the the target - entity such as a process or file. - - name: checksum_src - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the source - entity such as a file or process. 
- - name: fresult - overwrite: true - type: long - description: This key captures the Filter Result - - name: payload_dst - overwrite: true - type: keyword - description: This key is used to capture destination payload - - name: payload_src - overwrite: true - type: keyword - description: This key is used to capture source payload - - name: pool_id - overwrite: true - type: keyword - description: This key captures the identifier (typically numeric field) of a - resource pool - - name: process_id_val - overwrite: true - type: keyword - description: This key is a failure key for Process ID when it is not an integer - value - - name: risk_num_comm - overwrite: true - type: double - description: This key captures Risk Number Community - - name: risk_num_next - overwrite: true - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - overwrite: true - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - overwrite: true - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - overwrite: true - type: keyword - description: SNMP Object Identifier - - name: sql - overwrite: true - type: keyword - description: This key captures the SQL query - - name: vuln_ref - overwrite: true - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - overwrite: true - type: keyword - - name: acl_op - overwrite: true - type: keyword - - name: acl_pos - overwrite: true - type: keyword - - name: acl_table - overwrite: true - type: keyword - - name: admin - overwrite: true - type: keyword - - name: alarm_id - overwrite: true - type: keyword - - name: alarmname - 
overwrite: true - type: keyword - - name: app_id - overwrite: true - type: keyword - - name: audit - overwrite: true - type: keyword - - name: audit_object - overwrite: true - type: keyword - - name: auditdata - overwrite: true - type: keyword - - name: benchmark - overwrite: true - type: keyword - - name: bypass - overwrite: true - type: keyword - - name: cache - overwrite: true - type: keyword - - name: cache_hit - overwrite: true - type: keyword - - name: cefversion - overwrite: true - type: keyword - - name: cfg_attr - overwrite: true - type: keyword - - name: cfg_obj - overwrite: true - type: keyword - - name: cfg_path - overwrite: true - type: keyword - - name: changes - overwrite: true - type: keyword - - name: client_ip - overwrite: true - type: keyword - - name: clustermembers - overwrite: true - type: keyword - - name: cn_acttimeout - overwrite: true - type: keyword - - name: cn_asn_src - overwrite: true - type: keyword - - name: cn_bgpv4nxthop - overwrite: true - type: keyword - - name: cn_ctr_dst_code - overwrite: true - type: keyword - - name: cn_dst_tos - overwrite: true - type: keyword - - name: cn_dst_vlan - overwrite: true - type: keyword - - name: cn_engine_id - overwrite: true - type: keyword - - name: cn_engine_type - overwrite: true - type: keyword - - name: cn_f_switch - overwrite: true - type: keyword - - name: cn_flowsampid - overwrite: true - type: keyword - - name: cn_flowsampintv - overwrite: true - type: keyword - - name: cn_flowsampmode - overwrite: true - type: keyword - - name: cn_inacttimeout - overwrite: true - type: keyword - - name: cn_inpermbyts - overwrite: true - type: keyword - - name: cn_inpermpckts - overwrite: true - type: keyword - - name: cn_invalid - overwrite: true - type: keyword - - name: cn_ip_proto_ver - overwrite: true - type: keyword - - name: cn_ipv4_ident - overwrite: true - type: keyword - - name: cn_l_switch - overwrite: true - type: keyword - - name: cn_log_did - overwrite: true - type: keyword - - name: 
cn_log_rid - overwrite: true - type: keyword - - name: cn_max_ttl - overwrite: true - type: keyword - - name: cn_maxpcktlen - overwrite: true - type: keyword - - name: cn_min_ttl - overwrite: true - type: keyword - - name: cn_minpcktlen - overwrite: true - type: keyword - - name: cn_mpls_lbl_1 - overwrite: true - type: keyword - - name: cn_mpls_lbl_10 - overwrite: true - type: keyword - - name: cn_mpls_lbl_2 - overwrite: true - type: keyword - - name: cn_mpls_lbl_3 - overwrite: true - type: keyword - - name: cn_mpls_lbl_4 - overwrite: true - type: keyword - - name: cn_mpls_lbl_5 - overwrite: true - type: keyword - - name: cn_mpls_lbl_6 - overwrite: true - type: keyword - - name: cn_mpls_lbl_7 - overwrite: true - type: keyword - - name: cn_mpls_lbl_8 - overwrite: true - type: keyword - - name: cn_mpls_lbl_9 - overwrite: true - type: keyword - - name: cn_mplstoplabel - overwrite: true - type: keyword - - name: cn_mplstoplabip - overwrite: true - type: keyword - - name: cn_mul_dst_byt - overwrite: true - type: keyword - - name: cn_mul_dst_pks - overwrite: true - type: keyword - - name: cn_muligmptype - overwrite: true - type: keyword - - name: cn_sampalgo - overwrite: true - type: keyword - - name: cn_sampint - overwrite: true - type: keyword - - name: cn_seqctr - overwrite: true - type: keyword - - name: cn_spackets - overwrite: true - type: keyword - - name: cn_src_tos - overwrite: true - type: keyword - - name: cn_src_vlan - overwrite: true - type: keyword - - name: cn_sysuptime - overwrite: true - type: keyword - - name: cn_template_id - overwrite: true - type: keyword - - name: cn_totbytsexp - overwrite: true - type: keyword - - name: cn_totflowexp - overwrite: true - type: keyword - - name: cn_totpcktsexp - overwrite: true - type: keyword - - name: cn_unixnanosecs - overwrite: true - type: keyword - - name: cn_v6flowlabel - overwrite: true - type: keyword - - name: cn_v6optheaders - overwrite: true - type: keyword - - name: comp_class - overwrite: true - type: 
keyword - - name: comp_name - overwrite: true - type: keyword - - name: comp_rbytes - overwrite: true - type: keyword - - name: comp_sbytes - overwrite: true - type: keyword - - name: cpu_data - overwrite: true - type: keyword - - name: criticality - overwrite: true - type: keyword - - name: cs_agency_dst - overwrite: true - type: keyword - - name: cs_analyzedby - overwrite: true - type: keyword - - name: cs_av_other - overwrite: true - type: keyword - - name: cs_av_primary - overwrite: true - type: keyword - - name: cs_av_secondary - overwrite: true - type: keyword - - name: cs_bgpv6nxthop - overwrite: true - type: keyword - - name: cs_bit9status - overwrite: true - type: keyword - - name: cs_context - overwrite: true - type: keyword - - name: cs_control - overwrite: true - type: keyword - - name: cs_data - overwrite: true - type: keyword - - name: cs_datecret - overwrite: true - type: keyword - - name: cs_dst_tld - overwrite: true - type: keyword - - name: cs_eth_dst_ven - overwrite: true - type: keyword - - name: cs_eth_src_ven - overwrite: true - type: keyword - - name: cs_event_uuid - overwrite: true - type: keyword - - name: cs_filetype - overwrite: true - type: keyword - - name: cs_fld - overwrite: true - type: keyword - - name: cs_if_desc - overwrite: true - type: keyword - - name: cs_if_name - overwrite: true - type: keyword - - name: cs_ip_next_hop - overwrite: true - type: keyword - - name: cs_ipv4dstpre - overwrite: true - type: keyword - - name: cs_ipv4srcpre - overwrite: true - type: keyword - - name: cs_lifetime - overwrite: true - type: keyword - - name: cs_log_medium - overwrite: true - type: keyword - - name: cs_loginname - overwrite: true - type: keyword - - name: cs_modulescore - overwrite: true - type: keyword - - name: cs_modulesign - overwrite: true - type: keyword - - name: cs_opswatresult - overwrite: true - type: keyword - - name: cs_payload - overwrite: true - type: keyword - - name: cs_registrant - overwrite: true - type: keyword - - 
name: cs_registrar - overwrite: true - type: keyword - - name: cs_represult - overwrite: true - type: keyword - - name: cs_rpayload - overwrite: true - type: keyword - - name: cs_sampler_name - overwrite: true - type: keyword - - name: cs_sourcemodule - overwrite: true - type: keyword - - name: cs_streams - overwrite: true - type: keyword - - name: cs_targetmodule - overwrite: true - type: keyword - - name: cs_v6nxthop - overwrite: true - type: keyword - - name: cs_whois_server - overwrite: true - type: keyword - - name: cs_yararesult - overwrite: true - type: keyword - - name: description - overwrite: true - type: keyword - - name: devvendor - overwrite: true - type: keyword - - name: distance - overwrite: true - type: keyword - - name: dstburb - overwrite: true - type: keyword - - name: edomain - overwrite: true - type: keyword - - name: edomaub - overwrite: true - type: keyword - - name: euid - overwrite: true - type: keyword - - name: facility - overwrite: true - type: keyword - - name: finterface - overwrite: true - type: keyword - - name: flags - overwrite: true - type: keyword - - name: gaddr - overwrite: true - type: keyword - - name: id3 - overwrite: true - type: keyword - - name: im_buddyname - overwrite: true - type: keyword - - name: im_croomid - overwrite: true - type: keyword - - name: im_croomtype - overwrite: true - type: keyword - - name: im_members - overwrite: true - type: keyword - - name: im_username - overwrite: true - type: keyword - - name: ipkt - overwrite: true - type: keyword - - name: ipscat - overwrite: true - type: keyword - - name: ipspri - overwrite: true - type: keyword - - name: latitude - overwrite: true - type: keyword - - name: linenum - overwrite: true - type: keyword - - name: list_name - overwrite: true - type: keyword - - name: load_data - overwrite: true - type: keyword - - name: location_floor - overwrite: true - type: keyword - - name: location_mark - overwrite: true - type: keyword - - name: log_id - overwrite: true - 
type: keyword - - name: log_type - overwrite: true - type: keyword - - name: logid - overwrite: true - type: keyword - - name: logip - overwrite: true - type: keyword - - name: logname - overwrite: true - type: keyword - - name: longitude - overwrite: true - type: keyword - - name: lport - overwrite: true - type: keyword - - name: mbug_data - overwrite: true - type: keyword - - name: misc_name - overwrite: true - type: keyword - - name: msg_type - overwrite: true - type: keyword - - name: msgid - overwrite: true - type: keyword - - name: netsessid - overwrite: true - type: keyword - - name: num - overwrite: true - type: keyword - - name: number1 - overwrite: true - type: keyword - - name: number2 - overwrite: true - type: keyword - - name: nwwn - overwrite: true - type: keyword - - name: object - overwrite: true - type: keyword - - name: operation - overwrite: true - type: keyword - - name: opkt - overwrite: true - type: keyword - - name: orig_from - overwrite: true - type: keyword - - name: owner_id - overwrite: true - type: keyword - - name: p_action - overwrite: true - type: keyword - - name: p_filter - overwrite: true - type: keyword - - name: p_group_object - overwrite: true - type: keyword - - name: p_id - overwrite: true - type: keyword - - name: p_msgid1 - overwrite: true - type: keyword - - name: p_msgid2 - overwrite: true - type: keyword - - name: p_result1 - overwrite: true - type: keyword - - name: password_chg - overwrite: true - type: keyword - - name: password_expire - overwrite: true - type: keyword - - name: permgranted - overwrite: true - type: keyword - - name: permwanted - overwrite: true - type: keyword - - name: pgid - overwrite: true - type: keyword - - name: policyUUID - overwrite: true - type: keyword - - name: prog_asp_num - overwrite: true - type: keyword - - name: program - overwrite: true - type: keyword - - name: real_data - overwrite: true - type: keyword - - name: rec_asp_device - overwrite: true - type: keyword - - name: rec_asp_num 
- overwrite: true - type: keyword - - name: rec_library - overwrite: true - type: keyword - - name: recordnum - overwrite: true - type: keyword - - name: ruid - overwrite: true - type: keyword - - name: sburb - overwrite: true - type: keyword - - name: sdomain_fld - overwrite: true - type: keyword - - name: sec - overwrite: true - type: keyword - - name: sensorname - overwrite: true - type: keyword - - name: seqnum - overwrite: true - type: keyword - - name: session - overwrite: true - type: keyword - - name: sessiontype - overwrite: true - type: keyword - - name: sigUUID - overwrite: true - type: keyword - - name: spi - overwrite: true - type: keyword - - name: srcburb - overwrite: true - type: keyword - - name: srcdom - overwrite: true - type: keyword - - name: srcservice - overwrite: true - type: keyword - - name: state - overwrite: true - type: keyword - - name: status1 - overwrite: true - type: keyword - - name: svcno - overwrite: true - type: keyword - - name: system - overwrite: true - type: keyword - - name: tbdstr1 - overwrite: true - type: keyword - - name: tgtdom - overwrite: true - type: keyword - - name: tgtdomain - overwrite: true - type: keyword - - name: threshold - overwrite: true - type: keyword - - name: type1 - overwrite: true - type: keyword - - name: udb_class - overwrite: true - type: keyword - - name: url_fld - overwrite: true - type: keyword - - name: user_div - overwrite: true - type: keyword - - name: userid - overwrite: true - type: keyword - - name: username_fld - overwrite: true - type: keyword - - name: utcstamp - overwrite: true - type: keyword - - name: v_instafname - overwrite: true - type: keyword - - name: virt_data - overwrite: true - type: keyword - - name: vpnid - overwrite: true - type: keyword - - name: autorun_type - overwrite: true - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - overwrite: true - type: long - description: Valid Credit Card Numbers only - - name: content - 
overwrite: true - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - overwrite: true - type: long - description: Employee Identification Numbers only - - name: found - overwrite: true - type: keyword - description: This is used to capture the results of regex match - - name: language - overwrite: true - type: keyword - description: This is used to capture list of languages the client support and - what it prefers - - name: lifetime - overwrite: true - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - overwrite: true - type: keyword - description: This key is used to link the sessions together. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: match - overwrite: true - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - overwrite: true - type: keyword - description: This key captures the command line/launch argument of the target - process or file - - name: param_src - overwrite: true - type: keyword - description: This key captures source parameter - - name: search_text - overwrite: true - type: keyword - description: This key captures the Search Text used - - name: sig_name - overwrite: true - type: keyword - description: This key is used to capture the Signature Name only. - - name: snmp_value - overwrite: true - type: keyword - description: SNMP set request value - - name: streams - overwrite: true - type: long - description: This key captures number of streams in session - - name: db - overwrite: true - type: group - fields: - - name: index - overwrite: true - type: keyword - description: This key captures IndexID of the index. 
- - name: instance - overwrite: true - type: keyword - description: This key is used to capture the database server instance name - - name: database - overwrite: true - type: keyword - description: This key is used to capture the name of a database or an instance - as seen in a session - - name: transact_id - overwrite: true - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - overwrite: true - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - overwrite: true - type: keyword - description: This key is used to capture the table name - - name: db_id - overwrite: true - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - overwrite: true - type: long - description: This key captures the process id of a connection with database - server - - name: lread - overwrite: true - type: long - description: This key is used for the number of logical reads - - name: lwrite - overwrite: true - type: long - description: This key is used for the number of logical writes - - name: pread - overwrite: true - type: long - description: This key is used for the number of physical writes - - name: network - overwrite: true - type: group - fields: - - name: alias_host - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a hostname is not clear.Also it captures the Device Hostname. Any Hostname - that isnt ad.computer. 
- - name: domain - overwrite: true - type: keyword - - name: host_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Hostname" - - name: network_service - overwrite: true - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of an interface is not clear - - name: network_port - overwrite: true - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently - used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - overwrite: true - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Interface" - - name: dinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Interface" - - name: vlan - overwrite: true - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Zone." - - name: zone - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a Zone is not clear - - name: zone_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Zone." - - name: gateway - overwrite: true - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - overwrite: true - type: long - description: This key is used to capture the ICMP type only - - name: mask - overwrite: true - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - overwrite: true - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - overwrite: true - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - overwrite: true - type: keyword - description: This key is used for Destionation Device network mask - - name: port - overwrite: true - type: long - description: This key should only be used to capture a Network Port when the - directionality is not clear - - name: smask - overwrite: true - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - overwrite: true - type: keyword - description: This key is used to capture the network name associated with an - IP range. This is configured by the end user. - - name: paddr - overwrite: true - type: ip - description: Deprecated - - name: faddr - overwrite: true - type: keyword - - name: lhost - overwrite: true - type: keyword - - name: origin - overwrite: true - type: keyword - - name: remote_domain_id - overwrite: true - type: keyword - - name: addr - overwrite: true - type: keyword - - name: dns_a_record - overwrite: true - type: keyword - - name: dns_ptr_record - overwrite: true - type: keyword - - name: fhost - overwrite: true - type: keyword - - name: fport - overwrite: true - type: keyword - - name: laddr - overwrite: true - type: keyword - - name: linterface - overwrite: true - type: keyword - - name: phost - overwrite: true - type: keyword - - name: ad_computer_dst - overwrite: true - type: keyword - description: Deprecated, use host.dst - - name: eth_type - overwrite: true - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols - Only - - name: ip_proto - overwrite: true - type: long - description: This key should be used to capture the Protocol number, all the - protocol nubers are converted into string in UI - - name: dns_cname_record - overwrite: true - 
type: keyword - - name: dns_id - overwrite: true - type: keyword - - name: dns_opcode - overwrite: true - type: keyword - - name: dns_resp - overwrite: true - type: keyword - - name: dns_type - overwrite: true - type: keyword - - name: domain1 - overwrite: true - type: keyword - - name: host_type - overwrite: true - type: keyword - - name: packet_length - overwrite: true - type: keyword - - name: host_orig - overwrite: true - type: keyword - description: This is used to capture the original hostname in case of a Forwarding - Agent or a Proxy in between. - - name: rpayload - overwrite: true - type: keyword - description: This key is used to capture the total number of payload bytes seen - in the retransmitted packets. - - name: vlan_name - overwrite: true - type: keyword - description: This key should only be used to capture the name of the Virtual - LAN - - name: investigations - overwrite: true - type: group - fields: - - name: ec_activity - overwrite: true - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - overwrite: true - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - overwrite: true - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - overwrite: true - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - overwrite: true - type: long - description: This key captures the Event category number - - name: event_cat_name - overwrite: true - type: keyword - description: This key captures the event category name corresponding to the - event cat code - - name: event_vcat - overwrite: true - type: keyword - description: This is a vendor supplied category. This should be used in situations - where the vendor has adopted their own event_category taxonomy. 
- - name: analysis_file - overwrite: true - type: keyword - description: This is used to capture all indicators used in a File Analysis. - This key should be used to capture an analysis of a file - - name: analysis_service - overwrite: true - type: keyword - description: This is used to capture all indicators used in a Service Analysis. - This key should be used to capture an analysis of a service - - name: analysis_session - overwrite: true - type: keyword - description: This is used to capture all indicators used for a Session Analysis. - This key should be used to capture an analysis of a session - - name: boc - overwrite: true - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - overwrite: true - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - overwrite: true - type: keyword - description: This used to capture investigation category - - name: inv_context - overwrite: true - type: keyword - description: This used to capture investigation context - - name: ioc - overwrite: true - type: keyword - description: This is key capture indicator of compromise - - name: counters - overwrite: true - type: group - fields: - - name: dclass_c1 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c1.str only - - name: dclass_c2 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c2.str only - - name: event_counter - overwrite: true - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r1.str only - - name: dclass_c3 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c3.str only - - name: dclass_c1_str - 
overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c1 only - - name: dclass_c2_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c2 only - - name: dclass_r1_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r1 only - - name: dclass_r2 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r2.str only - - name: dclass_c3_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c3 only - - name: dclass_r3 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r3.str only - - name: dclass_r2_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r2 only - - name: dclass_r3_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r3 only - - name: identity - overwrite: true - type: group - fields: - - name: auth_method - overwrite: true - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - overwrite: true - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - overwrite: true - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - overwrite: true - type: keyword - description: This key is used to capture the type of logon method used. 
- - name: profile - overwrite: true - type: keyword - description: This key is used to capture the user profile - - name: accesses - overwrite: true - type: keyword - description: This key is used to capture actual privileges used in accessing - an object - - name: realm - overwrite: true - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - overwrite: true - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that - indicates a Source dn - - name: org - overwrite: true - type: keyword - description: This key captures the User organization - - name: dn_dst - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that - indicates a Destination dn - - name: firstname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: lastname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: user_dept - overwrite: true - type: keyword - description: User's Department Names only - - name: user_sid_src - overwrite: true - type: keyword - description: This key captures Source User Session ID - - name: federated_sp - overwrite: true - type: keyword - description: This key is the Federated Service Provider. This is the application - requesting authentication. - - name: federated_idp - overwrite: true - type: keyword - description: This key is the federated Identity Provider. This is the server - providing the authentication. - - name: logon_type_desc - overwrite: true - type: keyword - description: This key is used to capture the textual description of an integer - logon type as stored in the meta key 'logon.type'. 
- - name: middlename - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: password - overwrite: true - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - overwrite: true - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - overwrite: true - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ - t have a clear query or response context" - - name: ldap_query - overwrite: true - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - overwrite: true - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - overwrite: true - type: keyword - description: This is used to capture username the process or service is running - as, the author of the task - - name: service_account - overwrite: true - type: keyword - description: This key is a windows specific key, used for capturing name of - the account a service (referenced in the event) is running under. Legacy Usage - - name: email - overwrite: true - type: group - fields: - - name: email_dst - overwrite: true - type: keyword - description: This key is used to capture the Destination email address only, - when the destination context is not clear use email - - name: email_src - overwrite: true - type: keyword - description: This key is used to capture the source email address only, when - the source context is not clear use email - - name: subject - overwrite: true - type: keyword - description: This key is used to capture the subject string from an Email only. 
- - name: email - overwrite: true - type: keyword - description: This key is used to capture a generic email address where the source - or destination context is not clear - - name: trans_from - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: file - overwrite: true - type: group - fields: - - name: privilege - overwrite: true - type: keyword - description: Deprecated, use permissions - - name: attachment - overwrite: true - type: keyword - description: This key captures the attachment file name - - name: filesystem - overwrite: true - type: keyword - - name: binary - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: filename_dst - overwrite: true - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - overwrite: true - type: keyword - description: This is used to capture name of the parent filename, the file which - performed the action - - name: filename_tmp - overwrite: true - type: keyword - - name: directory_dst - overwrite: true - type: keyword - description: This key is used to capture the directory of the target process - or file - - name: directory_src - overwrite: true - type: keyword - description: This key is used to capture the directory of the source process - or file - - name: file_entropy - overwrite: true - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - overwrite: true - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - overwrite: true - type: keyword - description: This is used to capture name of the task - - name: web - overwrite: true - type: group - fields: - - name: fqdn - overwrite: true - type: keyword - description: Fully Qualified Domain Names - - 
name: web_cookie - overwrite: true - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - overwrite: true - type: keyword - - name: reputation_num - overwrite: true - type: double - description: Reputation Number of an entity. Typically used for Web Domains - - name: web_ref_domain - overwrite: true - type: keyword - description: Web referer's domain - - name: web_ref_query - overwrite: true - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - overwrite: true - type: keyword - - name: web_ref_page - overwrite: true - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - overwrite: true - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - overwrite: true - type: keyword - - name: cn_rpackets - overwrite: true - type: keyword - - name: urlpage - overwrite: true - type: keyword - - name: urlroot - overwrite: true - type: keyword - - name: p_url - overwrite: true - type: keyword - - name: p_user_agent - overwrite: true - type: keyword - - name: p_web_cookie - overwrite: true - type: keyword - - name: p_web_method - overwrite: true - type: keyword - - name: p_web_referer - overwrite: true - type: keyword - - name: web_extension_tmp - overwrite: true - type: keyword - - name: web_page - overwrite: true - type: keyword - - name: threat - overwrite: true - type: group - fields: - - name: threat_category - overwrite: true - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of - alert - - name: threat_desc - overwrite: true - type: keyword - description: This key is used to capture the threat description from the session - directly or inferred - - name: alert - overwrite: true - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - overwrite: true - type: keyword - description: This key is used to 
capture source of the threat - - name: crypto - overwrite: true - type: group - fields: - - name: crypto - overwrite: true - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key - only - - name: cipher_src - overwrite: true - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - overwrite: true - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - overwrite: true - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - overwrite: true - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - overwrite: true - type: keyword - description: IKE negotiation phase. - - name: scheme - overwrite: true - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - overwrite: true - type: keyword - description: "This key is for Encryption peer\u2019s identity" - - name: sig_type - overwrite: true - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - overwrite: true - type: keyword - - name: cert_host_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: cert_error - overwrite: true - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - overwrite: true - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - overwrite: true - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - overwrite: true - type: keyword - description: Deprecated, use version - - name: d_certauth - overwrite: true - type: keyword - - name: s_certauth - overwrite: true - type: keyword - - name: ike_cookie1 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - - name: ike_cookie2 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - - name: cert_checksum - overwrite: true - type: keyword - - name: cert_host_cat - overwrite: true - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - overwrite: true - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - overwrite: true - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - overwrite: true - type: keyword - description: Deprecated, use version - - name: cert_keysize - overwrite: true - type: keyword - - name: cert_username - overwrite: true - type: keyword - - name: https_insact - overwrite: true - type: keyword - - name: https_valid - overwrite: true - type: keyword - - name: cert_ca - overwrite: true - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - overwrite: true - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - overwrite: true - type: group - fields: - - name: wlan_ssid - overwrite: true - type: keyword - description: This key is 
used to capture the ssid of a Wireless Session - - name: access_point - overwrite: true - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - overwrite: true - type: long - description: This is used to capture the channel names - - name: wlan_name - overwrite: true - type: keyword - description: This key captures either WLAN number/name - - name: storage - overwrite: true - type: group - fields: - - name: disk_volume - overwrite: true - type: keyword - description: A unique name assigned to logical units (volumes) within a physical - disk - - name: lun - overwrite: true - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - overwrite: true - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - overwrite: true - type: group - fields: - - name: org_dst - overwrite: true - type: keyword - description: This is used to capture the destination organization based on the - GEOPIP Maxmind database. - - name: org_src - overwrite: true - type: keyword - description: This is used to capture the source organization based on the GEOPIP - Maxmind database. 
- - name: healthcare - overwrite: true - type: group - fields: - - name: patient_fname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_id - overwrite: true - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_mname - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: endpoint - overwrite: true - type: group - fields: - - name: host_state - overwrite: true - type: keyword - description: This key is used to capture the current state of the machine, such - as blacklisted, infected, firewall - disabled and so on - - name: registry_key - overwrite: true - type: keyword - description: This key captures the path to the registry key - - name: registry_value - overwrite: true - type: keyword - description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/netscout/sightline/config/input.yml b/x-pack/filebeat/module/netscout/sightline/config/input.yml
deleted file mode 100644
index 677a2b3462e..00000000000
--- a/x-pack/filebeat/module/netscout/sightline/config/input.yml
+++ /dev/null
@@ -1,87 +0,0 @@
-{{ if eq .input "file" }} - -type: log -paths: - {{ range $i, $path := .paths }} -- {{$path}} - {{ end }} -exclude_files: [".gz$"] - -{{ else }} - -type: {{.input}} -host: "{{.syslog_host}}:{{.syslog_port}}" - -{{ end }} - -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} - -fields_under_root: true -fields: - observer: - vendor: "Netscout" - product: "Arbor" - type: "DDOS" - -processors: -- script: - lang: javascript - params: - ecs: true - rsa: {{.rsa_fields}} - tz_offset: {{.tz_offset}} - keep_raw: {{.keep_raw_fields}} - debug: {{.debug}} - files: - - ${path.home}/module/netscout/sightline/config/liblogparser.js - - ${path.home}/module/netscout/sightline/config/pipeline.js -{{ if .community_id }} -- community_id: ~ -{{ end }} -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - 
 ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_fields: - target: '' - fields: - ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/netscout/sightline/config/liblogparser.js b/x-pack/filebeat/module/netscout/sightline/config/liblogparser.js
deleted file mode 100644
index b35eaa3ddce..00000000000
--- a/x-pack/filebeat/module/netscout/sightline/config/liblogparser.js
+++ /dev/null
@@ -1,2514 +0,0 @@
-// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -/* jshint -W014,-W016,-W097,-W116 */ - -var processor = require("processor"); -var console = require("console"); - -var FLAG_FIELD = "log.flags"; -var FIELDS_OBJECT = "nwparser"; -var FIELDS_PREFIX = FIELDS_OBJECT + "."; - -var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true -}; - -var saved_flags = null; -var debug; -var map_ecs; -var map_rsa; -var keep_raw; -var device; -var tz_offset; -var strip_priority; - -// Register params from configuration. -function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); -} - -function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } -} - -function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); -} - -function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); -} - -function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; -} - -function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; -} - -function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; -} - -var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); -})(); - -function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; -} - -function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } -} - -function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; -} - -function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; -} - -function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; -} - -function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; -} - -var start; - -function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); -} - -function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); -} - -function constant(value) { - return function (evt) { - return value; - }; -} - -function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; -} - -function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; -} - -// TODO: Implement -function DIRCHK(args) { - unimplemented("DIRCHK"); -} - -function strictToInt(str) { - return str * 1; -} - -function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - var result; - switch 
(args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; -} - -var quoteChars = "\"'`"; -function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; -} - -function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; -} - -function nop(evt) { -} - -function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); -} - -function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); -} - -function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; -} - -function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); -} - -function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; -} - -function setc(dst, value) { - return function (evt) { - evt.Put(FIELDS_PREFIX + dst, value); - }; 
-} - -function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; -} - -function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; -} - -function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; -} - -function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; -} - -// Make two-digit dates 00-69 interpreted as 2000-2069 -// and dates 70-99 translated to 1970-1999. -var twoDigitYearEpoch = 70; -var twoDigitYearCentury = 2000; - -// This is to accept dates up to 2 days in the future, only used when -// no year is specified in a date. 2 days should be enough to account for -// time differences between systems and different tz offsets. -var maxFutureDelta = 2*24*60*60*1000; - -// DateContainer stores date fields and then converts those fields into -// a Date. Necessary because building a Date using its set() methods gives -// different results depending on the order of components. -function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; -} - -DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } -} - -function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; -} - -function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; -} - -function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; -} - -var uA = 60 * 60 * 24; -var uD = 60 * 60 * 24; -var uF = 60 * 60; -var uG = 60 * 60 * 24 * 30; -var uH = 60 * 60; -var uI = 60 * 60; -var uJ = 60 * 60 * 24; -var uM = 60 * 60 * 24 * 30; -var uN = 60 * 60; -var uO = 1; -var uS = 1; -var uT = 60; -var uU = 60; -var uc = dc; - -function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; -} - -function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 5], - "dec": [11, 4], 
-}; - -// var dC = undefined; -var dR = dateMonthName(true); -var dB = dateMonthName(false); -var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); -var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); -var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); -var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); -var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); -var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 -var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); -var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); -var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); -var dP = parseAMPM; // AM|PM -var dQ = parseAMPM; // A.M.|P.M -var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); -var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); -var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); -var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); -var dZ = parseHMS; -var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - -// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. -// Only works if this modifier appears after the hour has been read from logs -// which is always the case in the 300 devices. 
-function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; -} - -function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); -} - -function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; -} - -function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; -} - -function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; -} - -function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; -} - -function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; -} - -// Short month name (Jan..Dec). -function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; -} - -function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; -} - -// The following regular expression for parsing URLs from: -// https://github.com/wizard04wsu/URI_Parsing -// -// The MIT License (MIT) -// -// Copyright (c) 2014 Andrew Harrison -// -// Permission is hereby granted, free of charge, to any person obtaining a copy of -// this software and associated documentation files (the "Software"), to deal in -// the Software without restriction, including without limitation the rights to -// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -// the Software, and to permit persons to whom the Software is furnished to do so, -// subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
-var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - -var uriScheme = 1; -var uriDomain = 5; -var uriPort = 6; -var uriPath = 7; -var uriPathAlt = 9; -var uriQuery = 11; - -function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); -} - -function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; -} - -function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; -} - -var extFromPage = /\.[^.]+$/; -function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } -} - -function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); -} - -function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); -} - -var pageFromPathRegExp = /\/([^\/]+)$/; -var pageName = 1; - -function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; -} - -function page(dst, src) { - return url_wrapper(dst, src, extract_page); -} - -function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; -} - -function path(dst, src) { - return url_wrapper(dst, src, extract_path); -} - -// Map common schemes to their default port. -// port has to be a string (will be converted at a later stage). 
-var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", -}; - -function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } -} - -function port(dst, src) { - return url_wrapper(dst, src, extract_port); -} - -function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; -} - -function query(dst, src) { - return url_wrapper(dst, src, extract_query); -} - -function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } -} - -function root(dst, src) { - return url_wrapper(dst, src, extract_root); -} - -function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } -} - -var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, -}; - -var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, 
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, -}; - -function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } -} - -// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. -var maxSafeInt = Math.pow(2, 53) - 1; -var minSafeInt = -maxSafeInt; - -function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; -} - -function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); -} - -var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; -var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - -function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; -} - -function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; -} - -function to_double(value) { - return parseFloat(value); -} - -function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; -} - -function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; -} - -function fld_set(dst, value) { - dst[this.field] = { v: value }; -} - -function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } -} - -function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } -} - -var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true -}; - -function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } -} - -function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } -} - -function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); -} - -var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, -]; - -function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - tzOffset = 
evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{msgIdPart2->} %{p0}"); - -var dup11 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" "), - field("p0"), - ], -}); - -var dup12 = setc("eventcategory","1801010000"); - -var dup13 = setf("msg","$MSG"); - -var dup14 = date_time({ - dest: "starttime", - args: ["fld15","fld16","fld17","fld18","fld19","fld20"], - fmts: [ - [dW,dM,dD,dH,dT,dS], - ], -}); - -var dup15 = setc("eventcategory","1801020000"); - -var dup16 = date_time({ - dest: "endtime", - args: ["fld15","fld16","fld17","fld18","fld19","fld20"], - fmts: [ - [dW,dM,dD,dH,dT,dS], - ], -}); - -var dup17 = setc("eventcategory","1607000000"); - -var dup18 = setc("eventcategory","1605000000"); - -var dup19 = setc("eventcategory","1701000000"); - -var dup20 = setc("eventcategory","1603010000"); - -var dup21 = match("MESSAGE#19:mitigation:TMS_Start/1_0", "nwparser.p0", "%{fld21}, %{p0}"); - -var dup22 = match("MESSAGE#19:mitigation:TMS_Start/1_1", "nwparser.p0", ", %{p0}"); - -var dup23 = match("MESSAGE#19:mitigation:TMS_Start/2", "nwparser.p0", "leader %{parent_node}"); - -var dup24 = setc("eventcategory","1502020000"); - -var dup25 = setc("event_type","TMS mitigation"); - -var dup26 = setc("disposition","ongoing"); - -var dup27 = setc("disposition","done"); - -var dup28 = setc("event_type","Third party mitigation"); - -var dup29 = setc("event_type","Blackhole mitigation"); - -var dup30 = setc("event_type","Flowspec mitigation"); - -var dup31 = match("MESSAGE#39:anomaly:Resource_Info:01/1_0", "nwparser.p0", "%{fld21->} duration %{p0}"); - -var dup32 = match("MESSAGE#39:anomaly:Resource_Info:01/1_1", "nwparser.p0", "duration %{p0}"); - -var dup33 = match("MESSAGE#39:anomaly:Resource_Info:01/2", "nwparser.p0", "%{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}, %{info}"); - -var dup34 = 
setc("eventcategory","1002000000"); - -var dup35 = setc("signame","Bandwidth"); - -var dup36 = date_time({ - dest: "starttime", - args: ["fld15","fld16","fld17","fld18","fld19","fld20"], - fmts: [ - [dW,dM,dD,dN,dU,dO], - ], -}); - -var dup37 = match("MESSAGE#40:anomaly:Resource_Info:02/2", "nwparser.p0", "%{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}"); - -var dup38 = date_time({ - dest: "starttime", - args: ["fld2","fld3"], - fmts: [ - [dW,dc("-"),dM,dc("-"),dF,dZ], - ], -}); - -var dup39 = match("HEADER#0:0001/0", "message", "%{hmonth->} %{hday->} %{htime->} %{hdata}: %{p0}", processor_chain([ - dup1, -])); - -var dup40 = linear_select([ - dup2, - dup3, -]); - -var dup41 = linear_select([ - dup6, - dup7, - dup8, - dup9, -]); - -var dup42 = match("MESSAGE#2:BGP:Down", "nwparser.payload", "%{protocol->} down for router %{node}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ - dup12, - dup13, - dup14, -])); - -var dup43 = match("MESSAGE#3:BGP:Restored", "nwparser.payload", "%{protocol->} restored for router %{node}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ - dup15, - dup13, - dup16, -])); - -var dup44 = linear_select([ - dup21, - dup22, -]); - -var dup45 = linear_select([ - dup31, - dup32, -]); - -var part1 = match("HEADER#0:0001/1_0", "nwparser.p0", "TMS %{p0}"); - -var part2 = match("HEADER#0:0001/1_1", "nwparser.p0", "Third party %{p0}"); - -var part3 = match("HEADER#0:0001/1_2", "nwparser.p0", "Blackhole %{p0}"); - -var part4 = match("HEADER#0:0001/1_3", "nwparser.p0", "Flowspec %{p0}"); - -var select1 = linear_select([ - part1, - part2, - part3, - part4, -]); - -var part5 = match("HEADER#0:0001/2", "nwparser.p0", "%{} %{messageid->} %{p0}"); - -var all1 = all_match({ - processors: [ - dup39, - select1, - part5, - ], - on_success: processor_chain([ - 
setc("header_id","0001"), - ]), -}); - -var part6 = match("HEADER#1:0002/2", "nwparser.p0", "%{}interface %{msgIdPart1->} %{msgIdPart2->} %{p0}"); - -var all2 = all_match({ - processors: [ - dup39, - dup40, - part6, - ], - on_success: processor_chain([ - setc("header_id","0002"), - dup4, - ]), -}); - -var part7 = match("HEADER#2:0008/4", "nwparser.p0", "%{} %{msgIdPart1->} %{hfld1->} for service %{p0}"); - -var all3 = all_match({ - processors: [ - dup39, - dup40, - dup5, - dup41, - part7, - ], - on_success: processor_chain([ - setc("header_id","0008"), - call({ - dest: "nwparser.messageid", - fn: STRCAT, - args: [ - constant("usage_"), - field("msgIdPart1"), - ], - }), - ]), -}); - -var all4 = all_match({ - processors: [ - dup39, - dup40, - dup5, - dup41, - dup10, - ], - on_success: processor_chain([ - setc("header_id","0003"), - dup4, - ]), -}); - -var part8 = match("HEADER#4:0004/1_2", "nwparser.p0", "High %{p0}"); - -var select2 = linear_select([ - dup2, - dup3, - part8, -]); - -var all5 = all_match({ - processors: [ - dup39, - select2, - dup10, - ], - on_success: processor_chain([ - setc("header_id","0004"), - dup4, - ]), -}); - -var hdr1 = match("HEADER#5:0005", "message", "%{hmonth->} %{hday->} %{htime->} pfsp: The %{messageid->} %{p0}", processor_chain([ - setc("header_id","0005"), - dup11, -])); - -var hdr2 = match("HEADER#6:0006", "message", "%{hmonth->} %{hday->} %{htime->} pfsp: Alert %{messageid->} %{p0}", processor_chain([ - setc("header_id","0006"), - dup11, -])); - -var hdr3 = match("HEADER#7:0007", "message", "%{hmonth->} %{hday->} %{htime->} pfsp: %{messageid->} %{p0}", processor_chain([ - setc("header_id","0007"), - dup11, -])); - -var hdr4 = match("HEADER#8:0010", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1}: %{msgIdPart1->} %{msgIdPart2}: %{payload}", processor_chain([ - setc("header_id","0010"), - dup4, -])); - -var hdr5 = match("HEADER#9:0009", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1}: %{messageid}: %{payload}", 
processor_chain([ - setc("header_id","0009"), -])); - -var select3 = linear_select([ - all1, - all2, - all3, - all4, - all5, - hdr1, - hdr2, - hdr3, - hdr4, - hdr5, -]); - -var part9 = match("MESSAGE#0:Flow:Down", "nwparser.payload", "Flow down for router %{node}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ - dup12, - dup13, - dup14, -])); - -var msg1 = msg("Flow:Down", part9); - -var part10 = match("MESSAGE#1:Flow:Restored", "nwparser.payload", "Flow restored for router %{node}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ - dup15, - dup13, - dup16, -])); - -var msg2 = msg("Flow:Restored", part10); - -var select4 = linear_select([ - msg1, - msg2, -]); - -var msg3 = msg("BGP:Down", dup42); - -var msg4 = msg("BGP:Restored", dup43); - -var part11 = match("MESSAGE#4:BGP:Instability", "nwparser.payload", "%{protocol->} instability router %{node->} threshold %{fld25->} (%{fld1}) observed %{trigger_val->} (%{fld2})", processor_chain([ - dup17, - dup13, -])); - -var msg5 = msg("BGP:Instability", part11); - -var part12 = match("MESSAGE#5:BGP:Instability_Ended", "nwparser.payload", "%{protocol->} Instability for router %{node->} ended", processor_chain([ - dup18, - dup13, -])); - -var msg6 = msg("BGP:Instability_Ended", part12); - -var part13 = match("MESSAGE#6:BGP:Hijack", "nwparser.payload", "%{protocol->} Hijack local_prefix %{fld26->} router %{node->} bgp_prefix %{fld27->} bgp_attributes %{event_description}", processor_chain([ - setc("eventcategory","1002050000"), - dup13, -])); - -var msg7 = msg("BGP:Hijack", part13); - -var part14 = match("MESSAGE#7:BGP:Hijack_Done", "nwparser.payload", "%{protocol->} Hijack for prefix %{fld26->} router %{node->} done", processor_chain([ - dup18, - dup13, -])); - -var msg8 = msg("BGP:Hijack_Done", part14); - -var part15 = match("MESSAGE#8:BGP:Trap", "nwparser.payload", "%{protocol->} Trap 
%{node}: Prefix %{fld5->} %{fld6->} %{event_description}", processor_chain([ - dup19, - dup13, -])); - -var msg9 = msg("BGP:Trap", part15); - -var select5 = linear_select([ - msg3, - msg4, - msg5, - msg6, - msg7, - msg8, - msg9, -]); - -var part16 = match("MESSAGE#9:Device:Unreachable", "nwparser.payload", "Device %{node->} unreachable by controller %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20}", processor_chain([ - dup12, - dup13, - dup14, -])); - -var msg10 = msg("Device:Unreachable", part16); - -var part17 = match("MESSAGE#10:Device:Reachable", "nwparser.payload", "Device %{node->} reachable again by controller %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ - dup15, - dup13, - dup16, -])); - -var msg11 = msg("Device:Reachable", part17); - -var select6 = linear_select([ - msg10, - msg11, -]); - -var part18 = match("MESSAGE#11:Hardware:Failure", "nwparser.payload", "Hardware failure on %{node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} GMT: %{event_description}", processor_chain([ - dup20, - dup13, - dup14, -])); - -var msg12 = msg("Hardware:Failure", part18); - -var part19 = match("MESSAGE#12:Hardware:Failure_Done", "nwparser.payload", "Hardware failure on %{node->} done at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21->} GMT: %{event_description}", processor_chain([ - dup18, - dup13, - dup16, -])); - -var msg13 = msg("Hardware:Failure_Done", part19); - -var select7 = linear_select([ - msg12, - msg13, -]); - -var msg14 = msg("SNMP:Down", dup42); - -var msg15 = msg("SNMP:Restored", dup43); - -var select8 = linear_select([ - msg14, - msg15, -]); - -var part20 = match("MESSAGE#15:configuration", "nwparser.payload", "configuration was changed on leader %{parent_node->} to version %{version->} by %{administrator}", processor_chain([ - dup19, - dup13, - setc("event_description","Configuration changed"), -])); - -var msg16 = 
msg("configuration", part20); - -var part21 = match("MESSAGE#16:Autoclassification", "nwparser.payload", "Autoclassification was restarted on %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21->} by %{administrator}", processor_chain([ - dup19, - dup13, - setc("event_description","Autoclassification restarted"), - dup14, -])); - -var msg17 = msg("Autoclassification", part21); - -var part22 = match("MESSAGE#17:GRE:Down", "nwparser.payload", "GRE tunnel down for destination %{daddr}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ - dup12, - dup13, - dup14, -])); - -var msg18 = msg("GRE:Down", part22); - -var part23 = match("MESSAGE#18:GRE:Restored", "nwparser.payload", "GRE tunnel restored for destination %{daddr}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ - setc("eventcategory","1801020100"), - dup13, - dup16, -])); - -var msg19 = msg("GRE:Restored", part23); - -var select9 = linear_select([ - msg18, - msg19, -]); - -var part24 = match("MESSAGE#19:mitigation:TMS_Start/0", "nwparser.payload", "pfsp: TMS mitigation %{policyname->} started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); - -var all6 = all_match({ - processors: [ - part24, - dup44, - dup23, - ], - on_success: processor_chain([ - dup24, - dup13, - dup25, - dup26, - dup14, - ]), -}); - -var msg20 = msg("mitigation:TMS_Start", all6); - -var part25 = match("MESSAGE#20:mitigation:TMS_Stop/0", "nwparser.payload", "pfsp: TMS mitigation %{policyname->} stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); - -var all7 = all_match({ - processors: [ - part25, - dup44, - dup23, - ], - on_success: processor_chain([ - dup24, - dup13, - dup25, - dup27, - dup16, - ]), -}); - -var msg21 = msg("mitigation:TMS_Stop", all7); - -var part26 = match("MESSAGE#21:mitigation:Thirdparty_Start/0", "nwparser.payload", "pfsp: Third 
party mitigation %{node->} started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); - -var all8 = all_match({ - processors: [ - part26, - dup44, - dup23, - ], - on_success: processor_chain([ - dup24, - dup13, - dup28, - dup26, - dup14, - ]), -}); - -var msg22 = msg("mitigation:Thirdparty_Start", all8); - -var part27 = match("MESSAGE#22:mitigation:Thirdparty_Stop/0", "nwparser.payload", "pfsp: Third party mitigation %{node->} stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); - -var all9 = all_match({ - processors: [ - part27, - dup44, - dup23, - ], - on_success: processor_chain([ - dup24, - dup13, - dup28, - dup27, - ]), -}); - -var msg23 = msg("mitigation:Thirdparty_Stop", all9); - -var part28 = match("MESSAGE#23:mitigation:Blackhole_Start/0", "nwparser.payload", "pfsp: Blackhole mitigation %{node->} started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); - -var all10 = all_match({ - processors: [ - part28, - dup44, - dup23, - ], - on_success: processor_chain([ - dup24, - dup13, - dup29, - dup26, - dup14, - ]), -}); - -var msg24 = msg("mitigation:Blackhole_Start", all10); - -var part29 = match("MESSAGE#24:mitigation:Blackhole_Stop/0", "nwparser.payload", "pfsp: Blackhole mitigation %{node->} stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); - -var all11 = all_match({ - processors: [ - part29, - dup44, - dup23, - ], - on_success: processor_chain([ - dup24, - dup13, - dup29, - dup27, - ]), -}); - -var msg25 = msg("mitigation:Blackhole_Stop", all11); - -var part30 = match("MESSAGE#25:mitigation:Flowspec_Start/0", "nwparser.payload", "pfsp: Flowspec mitigation %{node->} started at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); - -var all12 = all_match({ - processors: [ - part30, - dup44, - dup23, - ], - on_success: processor_chain([ - dup24, - dup13, - dup30, - dup26, - dup14, - ]), -}); - -var msg26 = msg("mitigation:Flowspec_Start", all12); - -var 
part31 = match("MESSAGE#26:mitigation:Flowspec_Stop/0", "nwparser.payload", "pfsp: Flowspec mitigation %{node->} stopped at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); - -var all13 = all_match({ - processors: [ - part31, - dup44, - dup23, - ], - on_success: processor_chain([ - dup24, - dup13, - dup30, - dup27, - ]), -}); - -var msg27 = msg("mitigation:Flowspec_Stop", all13); - -var select10 = linear_select([ - msg20, - msg21, - msg22, - msg23, - msg24, - msg25, - msg26, - msg27, -]); - -var part32 = match("MESSAGE#27:TMS:Fault_Cleared", "nwparser.payload", "TMS '%{event_description}' fault for resource '%{resource}' on TMS %{node->} cleared", processor_chain([ - dup18, - dup13, - setc("event_type","Fault Cleared"), -])); - -var msg28 = msg("TMS:Fault_Cleared", part32); - -var part33 = match("MESSAGE#28:TMS:Fault", "nwparser.payload", "TMS '%{event_description}' fault for resource '%{resource}' on TMS %{node}", processor_chain([ - dup20, - dup13, - setc("event_type","Fault Occured"), -])); - -var msg29 = msg("TMS:Fault", part33); - -var select11 = linear_select([ - msg28, - msg29, -]); - -var part34 = match("MESSAGE#29:usage_alert:Interface", "nwparser.payload", "pfsp: %{trigger_desc->} interface usage alert %{fld1->} for router %{node->} interface \"%{interface}\" speed %{fld2->} threshold %{fld25->} observed %{trigger_val->} pct %{fld3}", processor_chain([ - dup17, - dup13, -])); - -var msg30 = msg("usage_alert:Interface", part34); - -var part35 = match("MESSAGE#30:usage_alert:Interface_Done", "nwparser.payload", "pfsp: %{trigger_desc->} interface usage alert %{fld1->} done for router %{node->} interface \"%{interface}\"", processor_chain([ - dup18, - dup13, -])); - -var msg31 = msg("usage_alert:Interface_Done", part35); - -var part36 = match("MESSAGE#31:usage_alert:Fingerprint_Threshold", "nwparser.payload", "pfsp: %{trigger_desc->} usage alert %{fld1->} for fingerprint %{policyname->} threshold %{fld25->} observed %{trigger_val}", 
processor_chain([ - dup17, - dup13, -])); - -var msg32 = msg("usage_alert:Fingerprint_Threshold", part36); - -var part37 = match("MESSAGE#32:usage_alert:Fingerprint_Threshold_Done", "nwparser.payload", "pfsp: %{trigger_desc->} usage alert %{fld1->} for fingerprint %{policyname->} done", processor_chain([ - dup18, - dup13, -])); - -var msg33 = msg("usage_alert:Fingerprint_Threshold_Done", part37); - -var part38 = match("MESSAGE#33:usage_alert:Service_Threshold", "nwparser.payload", "pfsp: %{trigger_desc->} %{fld1->} usage alert %{fld2->} for service %{service}, %{application->} threshold %{fld25->} observed %{trigger_val}", processor_chain([ - dup17, - dup13, -])); - -var msg34 = msg("usage_alert:Service_Threshold", part38); - -var part39 = match("MESSAGE#34:usage_alert:Service_Threshold_Done", "nwparser.payload", "pfsp: %{trigger_desc->} %{fld1->} alert %{fld2->} for service %{service->} done", processor_chain([ - dup18, - dup13, -])); - -var msg35 = msg("usage_alert:Service_Threshold_Done", part39); - -var part40 = match("MESSAGE#35:usage_alert:ManagedObject_Threshold", "nwparser.payload", "pfsp: %{trigger_desc->} usage alert %{fld1->} for %{category->} %{fld2->} threshold %{fld25->} observed %{trigger_val}", processor_chain([ - dup17, - dup13, -])); - -var msg36 = msg("usage_alert:ManagedObject_Threshold", part40); - -var part41 = match("MESSAGE#36:usage_alert:ManagedObject_Threshold_Done", "nwparser.payload", "pfsp: %{trigger_desc->} usage alert %{fld1->} for %{fld3->} %{fld4->} done", processor_chain([ - dup18, - dup13, -])); - -var msg37 = msg("usage_alert:ManagedObject_Threshold_Done", part41); - -var select12 = linear_select([ - msg30, - msg31, - msg32, - msg33, - msg34, - msg35, - msg36, - msg37, -]); - -var part42 = match("MESSAGE#37:Test", "nwparser.payload", "Test syslog message%{}", processor_chain([ - dup18, - dup13, -])); - -var msg38 = msg("Test", part42); - -var part43 = match("MESSAGE#38:script/0", "nwparser.payload", "script %{node->} ran at 
%{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); - -var all14 = all_match({ - processors: [ - part43, - dup44, - dup23, - ], - on_success: processor_chain([ - dup24, - dup13, - setc("event_type","Script mitigation"), - dup26, - dup14, - ]), -}); - -var msg39 = msg("script", all14); - -var part44 = match("MESSAGE#39:anomaly:Resource_Info:01/0", "nwparser.payload", "anomaly Bandwidth id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} impact %{fld10->} src %{daddr}/%{dport->} %{fld1->} dst %{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); - -var all15 = all_match({ - processors: [ - part44, - dup45, - dup33, - ], - on_success: processor_chain([ - dup34, - dup13, - dup35, - dup36, - ]), -}); - -var msg40 = msg("anomaly:Resource_Info:01", all15); - -var part45 = match("MESSAGE#40:anomaly:Resource_Info:02/0", "nwparser.payload", "anomaly Bandwidth id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} src %{daddr}/%{dport->} %{fld1->} dst %{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); - -var all16 = all_match({ - processors: [ - part45, - dup45, - dup37, - ], - on_success: processor_chain([ - dup34, - dup13, - dup35, - dup36, - ]), -}); - -var msg41 = msg("anomaly:Resource_Info:02", all16); - -var part46 = match("MESSAGE#41:anomaly:Resource_Info:03/0", "nwparser.payload", "anomaly %{signame->} id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} impact %{fld10->} src %{daddr}/%{dport->} %{fld1->} dst %{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); - -var all17 = all_match({ - processors: [ - part46, - dup45, - dup33, - ], - on_success: processor_chain([ - dup34, - dup13, - dup36, - ]), -}); - -var msg42 = msg("anomaly:Resource_Info:03", all17); - -var part47 = 
match("MESSAGE#42:anomaly:Resource_Info:04/0", "nwparser.payload", "anomaly %{signame->} id %{event_id->} status %{disposition->} severity %{severity->} classification %{category->} src %{daddr}/%{dport->} %{fld1->} dst %{saddr}/%{sport->} %{fld2->} start %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{p0}"); - -var all18 = all_match({ - processors: [ - part47, - dup45, - dup37, - ], - on_success: processor_chain([ - dup34, - dup13, - dup36, - ]), -}); - -var msg43 = msg("anomaly:Resource_Info:04", all18); - -var part48 = match("MESSAGE#43:anomaly:Router_Info:01", "nwparser.payload", "anomaly Bandwidth id %{sigid->} status %{disposition->} severity %{severity->} classification %{category->} router %{fld6->} router_name %{node->} interface %{fld4->} interface_name \"%{interface}\" %{fld5}", processor_chain([ - dup34, - dup13, - dup35, -])); - -var msg44 = msg("anomaly:Router_Info:01", part48); - -var part49 = match("MESSAGE#44:anomaly:Router_Info:02", "nwparser.payload", "anomaly %{signame->} id %{sigid->} status %{disposition->} severity %{severity->} classification %{category->} router %{fld6->} router_name %{node->} interface %{fld4->} interface_name \"%{interface}\" %{fld5}", processor_chain([ - dup34, - dup13, -])); - -var msg45 = msg("anomaly:Router_Info:02", part49); - -var select13 = linear_select([ - msg40, - msg41, - msg42, - msg43, - msg44, - msg45, -]); - -var part50 = match("MESSAGE#45:Peakflow:Unreachable", "nwparser.payload", "Peakflow device %{node->} unreachable by %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20}", processor_chain([ - dup12, - dup13, - dup14, -])); - -var msg46 = msg("Peakflow:Unreachable", part50); - -var part51 = match("MESSAGE#46:Peakflow:Reachable", "nwparser.payload", "Peakflow device %{node->} reachable again by %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ - dup15, - dup13, - dup16, -])); - -var msg47 = 
msg("Peakflow:Reachable", part51); - -var select14 = linear_select([ - msg46, - msg47, -]); - -var part52 = match("MESSAGE#47:Host:Detection", "nwparser.payload", "Host Detection alert %{fld1}, start %{fld2->} %{fld3->} %{fld4}, duration %{duration}, stop %{fld5->} %{fld6->} %{fld7}, , importance %{severity}, managed_objects (%{fld8}), is now %{result}, (parent managed object %{fld9})", processor_chain([ - dup18, - dup13, - dup38, - date_time({ - dest: "endtime", - args: ["fld5","fld6"], - fmts: [ - [dW,dc("-"),dM,dc("-"),dF,dZ], - ], - }), -])); - -var msg48 = msg("Host:Detection", part52); - -var part53 = match("MESSAGE#48:Host:Detection:01", "nwparser.payload", "Host Detection alert %{fld1}, start %{fld2->} %{fld3->} %{fld4}, duration %{duration}, direction %{direction}, host %{saddr}, signatures (%{signame}), impact %{fld5}, importance %{severity}, managed_objects (%{fld6}), (parent managed object %{fld7})", processor_chain([ - dup18, - dup13, - dup38, -])); - -var msg49 = msg("Host:Detection:01", part53); - -var select15 = linear_select([ - msg48, - msg49, -]); - -var part54 = match("MESSAGE#49:Infrastructure", "nwparser.payload", "AIF license expiring cleared,URL: %{url}", processor_chain([ - dup18, - dup13, - setc("event_description","AIF license expiring cleared"), -])); - -var msg50 = msg("Infrastructure", part54); - -var part55 = match("MESSAGE#50:Infrastructure:02", "nwparser.payload", "Hardware sensor detected a critical state. 
System Fan%{fld1}:%{fld2}Triggering value:%{fld3},URL:%{url}", processor_chain([ - dup18, - dup13, - setc("event_description","Hardware sensor detected a critical state"), -])); - -var msg51 = msg("Infrastructure:02", part55); - -var part56 = match("MESSAGE#51:Infrastructure:01", "nwparser.payload", "AIF license expired cleared,URL: %{url}", processor_chain([ - dup18, - dup13, - setc("event_description","AIF license expired cleared"), -])); - -var msg52 = msg("Infrastructure:01", part56); - -var select16 = linear_select([ - msg50, - msg51, - msg52, -]); - -var part57 = match("MESSAGE#52:Blocked_Host", "nwparser.payload", "Blocked host%{saddr}at%{fld1}by Blocked Countries using%{protocol}destination%{daddr},URL:%{url}", processor_chain([ - setc("eventcategory","1803000000"), - dup13, -])); - -var msg53 = msg("Blocked_Host", part57); - -var part58 = match("MESSAGE#53:Change_Log", "nwparser.payload", "Username:%{username}, Subsystem:%{fld1}, Setting Type:%{fld2}, Message:%{fld3}", processor_chain([ - dup18, - dup13, -])); - -var msg54 = msg("Change_Log", part58); - -var part59 = match("MESSAGE#54:Protection_Mode", "nwparser.payload", "Changed protection mode to active for protection group%{group},URL:%{url}", processor_chain([ - dup18, - dup13, - setc("event_description","Changed protection mode to active for protection group"), -])); - -var msg55 = msg("Protection_Mode", part59); - -var chain1 = processor_chain([ - select3, - msgid_select({ - "Autoclassification": msg17, - "BGP": select5, - "Blocked_Host": msg53, - "Change_Log": msg54, - "Device": select6, - "Flow": select4, - "GRE": select9, - "Hardware": select7, - "Host": select15, - "Infrastructure": select16, - "Peakflow": select14, - "Protection_Mode": msg55, - "SNMP": select8, - "TMS": select11, - "Test": msg38, - "anomaly": select13, - "configuration": msg16, - "mitigation": select10, - "script": msg39, - "usage_alert": select12, - }), -]); - -var part60 = match("HEADER#1:0002/1_0", "nwparser.p0", "high 
%{p0}"); - -var part61 = match("HEADER#1:0002/1_1", "nwparser.p0", "low %{p0}"); - -var part62 = match("HEADER#2:0008/2", "nwparser.p0", "%{} %{p0}"); - -var part63 = match("HEADER#2:0008/3_0", "nwparser.p0", "jitter %{p0}"); - -var part64 = match("HEADER#2:0008/3_1", "nwparser.p0", "loss %{p0}"); - -var part65 = match("HEADER#2:0008/3_2", "nwparser.p0", "bps %{p0}"); - -var part66 = match("HEADER#2:0008/3_3", "nwparser.p0", "pps %{p0}"); - -var part67 = match("HEADER#3:0003/4", "nwparser.p0", "%{} %{msgIdPart1->} %{msgIdPart2->} %{p0}"); - -var part68 = match("MESSAGE#19:mitigation:TMS_Start/1_0", "nwparser.p0", "%{fld21}, %{p0}"); - -var part69 = match("MESSAGE#19:mitigation:TMS_Start/1_1", "nwparser.p0", ", %{p0}"); - -var part70 = match("MESSAGE#19:mitigation:TMS_Start/2", "nwparser.p0", "leader %{parent_node}"); - -var part71 = match("MESSAGE#39:anomaly:Resource_Info:01/1_0", "nwparser.p0", "%{fld21->} duration %{p0}"); - -var part72 = match("MESSAGE#39:anomaly:Resource_Info:01/1_1", "nwparser.p0", "duration %{p0}"); - -var part73 = match("MESSAGE#39:anomaly:Resource_Info:01/2", "nwparser.p0", "%{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}, %{info}"); - -var part74 = match("MESSAGE#40:anomaly:Resource_Info:02/2", "nwparser.p0", "%{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}"); - -var hdr6 = match("HEADER#0:0001/0", "message", "%{hmonth->} %{hday->} %{htime->} %{hdata}: %{p0}", processor_chain([ - dup1, -])); - -var select17 = linear_select([ - dup2, - dup3, -]); - -var select18 = linear_select([ - dup6, - dup7, - dup8, - dup9, -]); - -var part75 = match("MESSAGE#2:BGP:Down", "nwparser.payload", "%{protocol->} down for router %{node}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ - dup12, - dup13, - dup14, -])); - -var part76 = 
match("MESSAGE#3:BGP:Restored", "nwparser.payload", "%{protocol->} restored for router %{node}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ - dup15, - dup13, - dup16, -])); - -var select19 = linear_select([ - dup21, - dup22, -]); - -var select20 = linear_select([ - dup31, - dup32, -]); diff --git a/x-pack/filebeat/module/netscout/sightline/ingest/pipeline.yml b/x-pack/filebeat/module/netscout/sightline/ingest/pipeline.yml deleted file mode 100644 index 22f32138c27..00000000000 --- a/x-pack/filebeat/module/netscout/sightline/ingest/pipeline.yml +++ /dev/null 
@@ -1,88 +0,0 @@
----
-description: Pipeline for Arbor Peakflow SP
-
-processors:
- # ECS event.ingested
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
- # User agent
- - user_agent:
- field: user_agent.original
- ignore_missing: true
- # URL
- - uri_parts:
- field: url.original
- target_field: _temp_.url
- ignore_failure: true
- if: ctx?.url?.original != null
- - script:
- lang: painless
- description: Updates the URL ECS fields from the results of the URI parts processor to not overwrite the RSA mappings
- if: ctx?._temp_?.url != null
- source: |
- for (entry in ctx._temp_.url.entrySet()) {
- if (entry != null && entry.getValue() != null) {
- if(ctx.url[entry.getKey()] == null) {
- ctx.url[entry.getKey()] = entry.getValue();
- } else if (!ctx.url[entry.getKey()].contains(entry.getValue())) {
- ctx.url[entry.getKey()] = [ctx.url[entry.getKey()]];
- ctx.url[entry.getKey()].add(entry.getValue());
- }
- }
- }
- - remove:
- field: _temp_
- ignore_missing: true
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
-
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - append:
- field: related.hosts
- value: '{{host.name}}'
- allow_duplicates: false
- if: ctx.host?.name != null && ctx.host?.name != ''
-on_failure:
- - append:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/netscout/sightline/manifest.yml b/x-pack/filebeat/module/netscout/sightline/manifest.yml
deleted file mode 100644
index e10cef66bf8..00000000000
--- a/x-pack/filebeat/module/netscout/sightline/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-module_version: "1.0"
-
-var:
- - name: paths
- - name: tags
- default: ["netscout.sightline", "forwarded"]
- - name: syslog_host
- default: localhost
- - name: syslog_port
- default: 9524
- - name: input
- default: udp
- - name: community_id
- default: true
- - name: tz_offset
- default: local
- - name: rsa_fields
- default: true
- - name: keep_raw_fields
- default: false
- - name: debug
- default: false
-
-ingest_pipeline: ingest/pipeline.yml
-input: config/input.yml
-
-requires.processors:
-- name: geoip
- plugin: ingest-geoip
-- name: user_agent
- plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/netscout/sightline/test/generated.log b/x-pack/filebeat/module/netscout/sightline/test/generated.log
deleted file mode 100644
index bd8d089c540..00000000000
--- a/x-pack/filebeat/module/netscout/sightline/test/generated.log
+++ /dev/null
@@ -1,100 +0,0 @@ -January 29 06:09:59 pfsp: The configuration was changed on leader olab to version 1.6078 by rci -February 12 13:12:33 pfsp: Alert Autoclassification was restarted on 2016-02-12 13:12:33 uredolor by tatemac -February 26 20:15:08 ntsunti: Change Log: Username:nseq, Subsystem:itinvol, Setting Type:psa, Message:umq -March 12 03:17:42 pfsp: Test syslog message -March 26 10:20:16 pfsp: Alert Device ritquiin unreachable by controller umqui since 2016-03-26 10:20:16 -April 9 17:22:51 pfsp: Alert Host Detection alert riosam, start 2016-04-9 17:22:51 anonnu, duration 116.480000, direction external, host 10.51.132.10, signatures (utper), impact squame, importance medium, managed_objects (omm), (parent managed object iin) -April 24 00:25:25 pfsp: Autoclassification was restarted on 2016-04-24 00:25:25 nim by incidi -May 8 07:27:59 pfsp: Alert Peakflow device oloremqu unreachable by temvel since 2016-05-08 07:27:59 -May 22 14:30:33 pfsp: Autoclassification was restarted on 2016-05-22 14:30:33 serror by anti -June 5 21:33:08 pfsp: script ufugiatn ran at 2016-06-05 21:33:08 tionulam, leader uameius -June 20 04:35:42 pfsp: Alert Test syslog message -July 4 11:38:16 pfsp: configuration was changed on leader uipexea to version 1.5162 by nci -July 18 18:40:50 pfsp: The SNMP restored for router mvolu, leader radip at 2016-07-18 18:40:50 tNequ -August 2 01:43:25 tatno: Protection Mode: Changed protection mode to active for protection groupdquiac,URL:https://mail.example.net/uam/untutl.jpg?llu=uptassi#tamremap -August 16 08:45:59 pfsp: Alert script estqui ran at 2016-08-16 08:45:59 uasiarch, leader emaper -August 30 15:48:33 eum: Blocked Host: Blocked host10.66.171.247atsitby Blocked Countries usingudpdestination10.155.162.162,URL:https://www5.example.org/seq/olorema.jpg?quid=fug#uatDuis -September 13 22:51:07 pfsp: Alert TMS 'eip' fault for resource 'lupta' on TMS iusmodt -September 28 05:53:42 pfsp: Alert Autoclassification was restarted on 2016-09-28 05:53:42 
atatnonp by uiano -October 12 12:56:16 temq: Blocked Host: Blocked host10.38.77.13ataquaeabby Blocked Countries usingipv6-icmpdestination10.179.26.34,URL:https://example.org/isiu/nimadmi.gif?ari=equun#suntinc -October 26 19:58:50 pfsp: Hardware failure on tatevel since 2016-10-26 19:58:50 GMT: abilloi -November 10 03:01:24 pfsp: The anomaly ore id 2933 status tsed severity very-high classification enimad router incididu router_name eci interface aali interface_name "lo5882" porainc -November 24 10:03:59 moll: anomaly: anomaly Bandwidth id 2902 status inim severity high classification deomni router tquovol router_name ntsuntin interface aecatcup interface_name "lo4987" oluptate -December 8 17:06:33 pfsp: Alert Autoclassification was restarted on 2016-12-08 17:06:33 iam by qua -December 23 00:09:07 pfsp: Test syslog message -January 6 07:11:41 pfsp: Autoclassification was restarted on 2017-01-06 07:11:41 olupta by turveli -January 20 14:14:16 pfsp: Alert Autoclassification was restarted on 2017-01-20 14:14:16 ntutl by caecatc -February 3 21:16:50 pfsp: Alert GRE tunnel restored for destination 10.224.68.213, leader taed at 2017-02-03 21:16:50 lup -February 18 04:19:24 pfsp: Alert Hardware failure on aperi since 2017-02-18 04:19:24 GMT: lor -March 4 11:21:59 pfsp: The BGP Instability for router oin ended -March 18 18:24:33 pfsp: Hardware failure on ritatis done at 2017-03-18 18:24:33 oloremi GMT: pitla -April 2 01:27:07 eomnisis: Change Log: Username:mqui, Subsystem:civeli, Setting Type:errorsi, Message:des -April 16 08:29:41 pfsp: Device tdolorem unreachable by controller ono since 2017-04-16 08:29:41 -April 30 15:32:16 pfsp: The GRE tunnel down for destination 10.60.185.151, leader uidolo since 2017-04-30 15:32:16 lumquido -May 14 22:34:50 Lor: Test: Test syslog message -May 29 05:37:24 pfsp: Alert script modoco ran at 2017-05-29 05:37:24 , leader estqu -June 12 12:39:58 intoccae: Protection Mode: Changed protection mode to active for protection 
groupents,URL:https://www.example.net/nse/sinto.gif?CSed=lupt#psaquae -June 26 19:42:33 pfsp: The BGP Trap reetd: Prefix lumqui itinvo mdolore -July 11 02:45:07 pfsp: Device mque reachable again by controller uovolup at 2017-07-11 02:45:07 samvolu -July 25 09:47:41 pfsp: The Host Detection alert eirure, start 2017-07-25 09:47:41 conseq, duration 38.117000, stop 2017-07-25 09:47:41 mpori, , importance very-high, managed_objects (atu), is now unknown, (parent managed object lpaqui) -August 8 16:50:15 pfsp: BGP Trap doloremi: Prefix luptasn hitect dol -August 22 23:52:50 nsecte: BGP: ipv6 instability router tincu threshold ari (exercit) observed sci (quamnih) -September 6 06:55:24 emoe: Protection Mode: Changed protection mode to active for protection groupeaq,URL:https://mail.example.net/corp/modtemp.jpg?oluptas=tNequepo#lup -September 20 13:57:58 evita: Change Log: Username:suntexp, Subsystem:duntut, Setting Type:magni, Message:pisciv -October 4 21:00:32 radipisc: Blocked Host: Blocked host10.136.232.108atabiby Blocked Countries usingrdpdestination10.168.131.247,URL:https://example.net/temqu/edol.jpg?ipi=reseos#pariatu -October 19 04:03:07 pfsp: GRE tunnel restored for destination 10.209.182.237, leader tper at 2017-10-19 04:03:07 olor -November 2 11:05:41 pfsp: Alert Device xerc reachable again by controller iutali at 2017-11-02 11:05:41 fdeFi -November 16 18:08:15 pfsp: BGP down for router ati, leader tlabo since 2017-11-16 18:08:15 uames -December 1 01:10:49 pfsp: script offi ran at 2017-12-01 01:10:49 , leader giatnu -December 15 08:13:24 untex: Blocked Host: Blocked host10.83.23.104attisetqby Blocked Countries usingrdpdestination10.163.161.165,URL:https://www5.example.org/atem/gnido.txt?tmollita=fde#nsecte -December 29 15:15:58 pfsp: GRE tunnel restored for destination 10.53.248.4, leader derit at 2017-12-29 15:15:58 dexea -January 12 22:18:32 pfsp: Test syslog message -January 27 05:21:06 pfsp: Alert Flow down for router tessec, leader olupta since 2018-01-27 
05:21:06 litse -February 10 12:23:41 pfsp: Alert Host Detection alert sperna, start 2018-02-10 12:23:41 sintocc, duration 24.633000, stop 2018-02-10 12:23:41 scivelit, , importance medium, managed_objects (ehen), is now success, (parent managed object quameius) -February 24 19:26:15 ate: Change Log: Username:uiac, Subsystem:epte, Setting Type:idolo, Message:quinesc -March 11 02:28:49 pfsp: BGP Instability for router iatisu ended -March 25 09:31:24 evolu: Change Log: Username:ersp, Subsystem:tquov, Setting Type:diconseq, Message:inven -April 8 16:33:58 pfsp: Test syslog message -April 22 23:36:32 Sedutp: Test: Test syslog message -May 7 06:39:06 ema: Change Log: Username:rsitv, Subsystem:iciade, Setting Type:ntiumt, Message:iquipe -May 21 13:41:41 quin: Protection Mode: Changed protection mode to active for protection groupupida,URL:https://api.example.com/eufugi/pici.html?ccaecat=tquiin#tse -June 4 20:44:15 minimav: Change Log: Username:udexerci, Subsystem:naal, Setting Type:lore, Message:tnonpro -June 19 03:46:49 pfsp: The Device illoin unreachable by controller tanimid since 2018-06-19 03:46:49 -July 3 10:49:23 pfsp: configuration was changed on leader natuse to version 1.4425 by ati -July 17 17:51:58 boree: anomaly: anomaly Bandwidth id 2366 status queips severity low classification itess router iscinge router_name ofdeFini interface irat interface_name "enp0s4306" aturauto -August 1 00:54:32 pfsp: SNMP restored for router entsunt, leader ihilm at 2018-08-01 00:54:32 dmin -August 15 07:57:06 pfsp: The Host Detection alert uscipitl, start 2018-08-15 07:57:06 uia, duration 29.657000, direction internal, host 10.54.49.84, signatures (ciad), impact tali, importance medium, managed_objects (mexe), (parent managed object its) -August 29 14:59:40 pfsp: Alert Test syslog message -September 12 22:02:15 pfsp: anomaly Bandwidth id 5089 status commodo severity medium classification tutlab router sau router_name atevelit interface meius interface_name "lo4293" labo 
-September 27 05:04:49 pfsp: Alert script nre ran at 2018-09-27 05:04:49 veli, leader volupta -October 11 12:07:23 pfsp: The BGP instability router uptate threshold mac (iumdol) observed tpersp (stla) -October 25 19:09:57 pfsp: Alert TMS 'tem' fault for resource 'dol' on TMS proiden -November 9 02:12:32 pfsp: Device isis reachable again by controller uasiar at 2018-11-09 02:12:32 utlab -November 23 09:15:06 pfsp: Alert script dantium ran at 2018-11-23 09:15:06 lor, leader velillu -December 7 16:17:40 pfsp: The script tvolu ran at 2018-12-07 16:17:40 nreprehe, leader tetu -December 21 23:20:14 temporin: Blocked Host: Blocked host10.122.76.148atmiuby Blocked Countries usingipv6-icmpdestination10.28.226.128,URL:https://mail.example.org/idunt/luptat.txt?ica=lillum#remips -January 5 06:22:49 cola: Protection Mode: Changed protection mode to active for protection groupamcor,URL:https://internal.example.com/ineavol/iosa.html?usc=rem#amvolupt -January 19 13:25:23 mnis: Protection Mode: Changed protection mode to active for protection groupequepor,URL:https://internal.example.org/quaUten/nisiut.txt?teturad=perspici#itation -February 2 20:27:57 nimave: Protection Mode: Changed protection mode to active for protection groupisciv,URL:https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt -February 17 03:30:32 iosamnis: Blocked Host: Blocked host10.31.177.226atdeserunby Blocked Countries usingggpdestination10.98.209.10,URL:https://www.example.org/ptateve/enderi.html?toccaec=fugi#labo -March 3 10:33:06 estl: Blocked Host: Blocked host10.44.47.27atmmodocby Blocked Countries usingigmpdestination10.179.210.218,URL:https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo -March 17 17:35:40 pfsp: Alert configuration was changed on leader emvele to version 1.2883 by lor -April 1 00:38:14 pfsp: Alert BGP instability router iquamqua threshold sit (rumSect) observed ita (vitaed) -April 15 07:40:49 pfsp: Alert Test syslog message -April 29 14:43:23 numquam: Change Log: 
Username:tMal, Subsystem:ommodo, Setting Type:uptat, Message:idex -May 13 21:45:57 pfsp: Alert configuration was changed on leader maveni to version 1.2552 by onu -May 28 04:48:31 pfsp: Alert BGP Hijack for prefix tlaboree router norumet done -June 11 11:51:06 pfsp: Host Detection alert col, start 2019-06-11 11:51:06 mve, duration 177.586000, stop 2019-06-11 11:51:06 tinvolup, , importance very-high, managed_objects (Sedutpe), is now failure, (parent managed object rroq) -June 25 18:53:40 pfsp: script remipsum ran at 2019-06-25 18:53:40 , leader tempor -July 10 01:56:14 ccae: Change Log: Username:orroqu, Subsystem:elitsed, Setting Type:labore, Message:uela -July 24 08:58:48 uto: Test: Test syslog message -August 7 16:01:23 remq: Change Log: Username:veniamq, Subsystem:occ, Setting Type:oloreseo, Message:iruredol -August 21 23:03:57 cupi: Blocked Host: Blocked host10.151.129.181atduntby Blocked Countries usingggpdestination10.55.156.64,URL:https://www.example.net/itanim/nesciun.txt?mollita=tatem#iae -September 5 06:06:31 eumi: Protection Mode: Changed protection mode to active for protection groupquasiarc,URL:https://www.example.net/rever/ore.jpg?oluptat=metco#acom -September 19 13:09:05 pfsp: The Host Detection alert inBCSedu, start 2019-09-19 13:09:05 erspi, duration 77.637000, direction internal, host 10.46.77.76, signatures (iacons), impact occaec, importance medium, managed_objects (uov), (parent managed object quaeab) -October 3 20:11:40 pfsp: Hardware failure on ntiu since 2019-10-03 20:11:40 GMT: radipisc -October 18 03:14:14 pfsp: script vitaed ran at 2019-10-18 03:14:14 ser, leader etconsec -November 1 10:16:48 upt: Blocked Host: Blocked host10.73.89.189atidoloby Blocked Countries usingicmpdestination10.166.90.130,URL:https://api.example.org/eosquira/pta.htm?econs=lmolesti#apariatu -November 15 17:19:22 pfsp: Alert script msequ ran at 2019-11-15 17:19:22 uat, leader lupta -November 30 00:21:57 tlabori: Protection Mode: Changed protection mode to active for 
protection grouplaudan,URL:https://www5.example.com/atcupida/tessequa.htm?dolores=equamnih#taliqui -December 14 07:24:31 destlabo: Change Log: Username:rcitat, Subsystem:dolorema, Setting Type:emagn, Message:radipis diff --git a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json deleted file mode 100644 index 4f6e77ae773..00000000000 --- a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json +++ /dev/null 
@@ -1,2449 +0,0 @@ -[ - { - "event.code": "configuration", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "January 29 06:09:59 pfsp: The configuration was changed on leader olab to version 1.6078 by rci", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 0, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "observer.version": "1.6078", - "related.user": [ - "rci" - ], - "rsa.internal.event_desc": "Configuration changed", - "rsa.internal.messageid": "configuration", - "rsa.misc.parent_node": "olab", - "rsa.misc.version": "1.6078", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "user.name": "rci" - }, - { - "event.code": "Autoclassification", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "February 12 13:12:33 pfsp: Alert Autoclassification was restarted on 2016-02-12 13:12:33 uredolor by tatemac", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 96, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.user": [ - "tatemac" - ], - "rsa.internal.event_desc": "Autoclassification restarted", - "rsa.internal.messageid": "Autoclassification", - "rsa.time.starttime": "2016-02-12T15:12:33.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "user.name": "tatemac" - }, - { - "event.code": "Change_Log", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "February 26 20:15:08 ntsunti: Change Log: Username:nseq, Subsystem:itinvol, Setting Type:psa, Message:umq", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 205, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.user": [ - "nseq" - ], - "rsa.internal.messageid": "Change_Log", - "rsa.misc.msgIdPart1": "Change", - 
"rsa.misc.msgIdPart2": "Log", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "user.name": "nseq" - }, - { - "event.code": "Test", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "March 12 03:17:42 pfsp: Test syslog message", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 311, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "Test", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Device", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "March 26 10:20:16 pfsp: Alert Device ritquiin unreachable by controller umqui since 2016-03-26 10:20:16", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 355, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "Device", - "rsa.misc.node": "ritquiin", - "rsa.misc.parent_node": "umqui", - "rsa.time.starttime": "2016-03-26T12:20:16.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Host", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "April 9 17:22:51 pfsp: Alert Host Detection alert riosam, start 2016-04-9 17:22:51 anonnu, duration 116.480000, direction external, host 10.51.132.10, signatures (utper), impact squame, importance medium, managed_objects (omm), (parent managed object iin)", - "fileset.name": "sightline", - "input.type": "log", - "log.level": "medium", - "log.offset": 459, - "network.direction": "external", - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.ip": [ - "10.51.132.10" - ], - "rsa.internal.messageid": "Host", - "rsa.misc.policy_name": "utper", - "rsa.misc.severity": "medium", - 
"rsa.time.duration_time": 116.48, - "rsa.time.starttime": "2016-04-09T19:22:51.000Z", - "service.type": "netscout", - "source.ip": "10.51.132.10", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Autoclassification", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "April 24 00:25:25 pfsp: Autoclassification was restarted on 2016-04-24 00:25:25 nim by incidi", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 715, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.user": [ - "incidi" - ], - "rsa.internal.event_desc": "Autoclassification restarted", - "rsa.internal.messageid": "Autoclassification", - "rsa.time.starttime": "2016-04-24T02:25:25.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "user.name": "incidi" - }, - { - "event.code": "Peakflow", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "May 8 07:27:59 pfsp: Alert Peakflow device oloremqu unreachable by temvel since 2016-05-08 07:27:59", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 809, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "Peakflow", - "rsa.misc.node": "oloremqu", - "rsa.misc.parent_node": "temvel", - "rsa.time.starttime": "2016-05-08T09:27:59.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Autoclassification", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "May 22 14:30:33 pfsp: Autoclassification was restarted on 2016-05-22 14:30:33 serror by anti", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 909, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.user": [ - "anti" - ], - 
"rsa.internal.event_desc": "Autoclassification restarted", - "rsa.internal.messageid": "Autoclassification", - "rsa.time.starttime": "2016-05-22T16:30:33.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "user.name": "anti" - }, - { - "event.action": "Script mitigation", - "event.code": "script", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "June 5 21:33:08 pfsp: script ufugiatn ran at 2016-06-05 21:33:08 tionulam, leader uameius", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 1002, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "script", - "rsa.misc.disposition": "ongoing", - "rsa.misc.event_type": "Script mitigation", - "rsa.misc.node": "ufugiatn", - "rsa.misc.parent_node": "uameius", - "rsa.time.starttime": "2016-06-05T23:33:08.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Test", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "June 20 04:35:42 pfsp: Alert Test syslog message", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 1092, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "Test", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "configuration", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "July 4 11:38:16 pfsp: configuration was changed on leader uipexea to version 1.5162 by nci", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 1141, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "observer.version": "1.5162", - "related.user": [ - "nci" - ], - "rsa.internal.event_desc": "Configuration changed", - 
"rsa.internal.messageid": "configuration", - "rsa.misc.parent_node": "uipexea", - "rsa.misc.version": "1.5162", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "user.name": "nci" - }, - { - "event.code": "SNMP", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "July 18 18:40:50 pfsp: The SNMP restored for router mvolu, leader radip at 2016-07-18 18:40:50 tNequ", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 1232, - "network.protocol": "SNMP", - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "SNMP", - "rsa.misc.node": "mvolu", - "rsa.misc.parent_node": "radip", - "rsa.time.endtime": "2016-07-18T20:40:50.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Protection_Mode", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "August 2 01:43:25 tatno: Protection Mode: Changed protection mode to active for protection groupdquiac,URL:https://mail.example.net/uam/untutl.jpg?llu=uptassi#tamremap", - "fileset.name": "sightline", - "group.name": "dquiac", - "input.type": "log", - "log.offset": 1333, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.event_desc": "Changed protection mode to active for protection group", - "rsa.internal.messageid": "Protection_Mode", - "rsa.misc.group": "dquiac", - "rsa.misc.msgIdPart1": "Protection", - "rsa.misc.msgIdPart2": "Mode", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "url.domain": "mail.example.net", - "url.extension": "jpg", - "url.fragment": "tamremap", - "url.original": "https://mail.example.net/uam/untutl.jpg?llu=uptassi#tamremap", - "url.path": "/uam/untutl.jpg", - "url.query": "llu=uptassi", - "url.scheme": "https" - }, - { - "event.action": "Script 
mitigation", - "event.code": "script", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "August 16 08:45:59 pfsp: Alert script estqui ran at 2016-08-16 08:45:59 uasiarch, leader emaper", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 1501, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "script", - "rsa.misc.disposition": "ongoing", - "rsa.misc.event_type": "Script mitigation", - "rsa.misc.node": "estqui", - "rsa.misc.parent_node": "emaper", - "rsa.time.starttime": "2016-08-16T10:45:59.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "destination.ip": "10.155.162.162", - "event.code": "Blocked_Host", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "August 30 15:48:33 eum: Blocked Host: Blocked host10.66.171.247atsitby Blocked Countries usingudpdestination10.155.162.162,URL:https://www5.example.org/seq/olorema.jpg?quid=fug#uatDuis", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 1597, - "network.protocol": "udp", - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.ip": [ - "10.155.162.162", - "10.66.171.247" - ], - "rsa.internal.messageid": "Blocked_Host", - "rsa.misc.msgIdPart1": "Blocked", - "rsa.misc.msgIdPart2": "Host", - "service.type": "netscout", - "source.ip": "10.66.171.247", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "url.domain": "www5.example.org", - "url.extension": "jpg", - "url.fragment": "uatDuis", - "url.original": "https://www5.example.org/seq/olorema.jpg?quid=fug#uatDuis", - "url.path": "/seq/olorema.jpg", - "url.query": "quid=fug", - "url.scheme": "https" - }, - { - "event.action": "Fault Occured", - "event.code": "TMS", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "September 13 22:51:07 
pfsp: Alert TMS 'eip' fault for resource 'lupta' on TMS iusmodt", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 1782, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.event_desc": "eip", - "rsa.internal.messageid": "TMS", - "rsa.internal.resource": "lupta", - "rsa.misc.event_type": "Fault Occured", - "rsa.misc.node": "iusmodt", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Autoclassification", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "September 28 05:53:42 pfsp: Alert Autoclassification was restarted on 2016-09-28 05:53:42 atatnonp by uiano", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 1868, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.user": [ - "uiano" - ], - "rsa.internal.event_desc": "Autoclassification restarted", - "rsa.internal.messageid": "Autoclassification", - "rsa.time.starttime": "2016-09-28T07:53:42.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "user.name": "uiano" - }, - { - "destination.ip": "10.179.26.34", - "event.code": "Blocked_Host", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "October 12 12:56:16 temq: Blocked Host: Blocked host10.38.77.13ataquaeabby Blocked Countries usingipv6-icmpdestination10.179.26.34,URL:https://example.org/isiu/nimadmi.gif?ari=equun#suntinc", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 1976, - "network.protocol": "ipv6-icmp", - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.ip": [ - "10.179.26.34", - "10.38.77.13" - ], - "rsa.internal.messageid": "Blocked_Host", - "rsa.misc.msgIdPart1": "Blocked", - "rsa.misc.msgIdPart2": "Host", - "service.type": "netscout", - "source.ip": 
"10.38.77.13", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "url.domain": "example.org", - "url.extension": "gif", - "url.fragment": "suntinc", - "url.original": "https://example.org/isiu/nimadmi.gif?ari=equun#suntinc", - "url.path": "/isiu/nimadmi.gif", - "url.query": "ari=equun", - "url.scheme": "https" - }, - { - "event.code": "Hardware", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "October 26 19:58:50 pfsp: Hardware failure on tatevel since 2016-10-26 19:58:50 GMT: abilloi", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 2166, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.event_desc": "abilloi", - "rsa.internal.messageid": "Hardware", - "rsa.misc.node": "tatevel", - "rsa.time.starttime": "2016-10-26T21:58:50.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "anomaly", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "November 10 03:01:24 pfsp: The anomaly ore id 2933 status tsed severity very-high classification enimad router incididu router_name eci interface aali interface_name \"lo5882\" porainc", - "fileset.name": "sightline", - "input.type": "log", - "log.level": "very-high", - "log.offset": 2259, - "network.interface.name": "lo5882", - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "anomaly", - "rsa.misc.category": "enimad", - "rsa.misc.disposition": "tsed", - "rsa.misc.node": "eci", - "rsa.misc.policy_name": "ore", - "rsa.misc.severity": "very-high", - "rsa.misc.sig_id": 2933, - "rsa.network.interface": "lo5882", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "anomaly", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "November 24 
10:03:59 moll: anomaly: anomaly Bandwidth id 2902 status inim severity high classification deomni router tquovol router_name ntsuntin interface aecatcup interface_name \"lo4987\" oluptate", - "fileset.name": "sightline", - "input.type": "log", - "log.level": "high", - "log.offset": 2442, - "network.interface.name": "lo4987", - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "anomaly", - "rsa.misc.category": "deomni", - "rsa.misc.disposition": "inim", - "rsa.misc.node": "ntsuntin", - "rsa.misc.policy_name": "Bandwidth", - "rsa.misc.severity": "high", - "rsa.misc.sig_id": 2902, - "rsa.network.interface": "lo4987", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Autoclassification", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "December 8 17:06:33 pfsp: Alert Autoclassification was restarted on 2016-12-08 17:06:33 iam by qua", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 2640, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.user": [ - "qua" - ], - "rsa.internal.event_desc": "Autoclassification restarted", - "rsa.internal.messageid": "Autoclassification", - "rsa.time.starttime": "2016-12-08T19:06:33.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "user.name": "qua" - }, - { - "event.code": "Test", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "December 23 00:09:07 pfsp: Test syslog message", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 2739, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "Test", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Autoclassification", - 
"event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "January 6 07:11:41 pfsp: Autoclassification was restarted on 2017-01-06 07:11:41 olupta by turveli", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 2786, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.user": [ - "turveli" - ], - "rsa.internal.event_desc": "Autoclassification restarted", - "rsa.internal.messageid": "Autoclassification", - "rsa.time.starttime": "2017-01-06T09:11:41.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "user.name": "turveli" - }, - { - "event.code": "Autoclassification", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "January 20 14:14:16 pfsp: Alert Autoclassification was restarted on 2017-01-20 14:14:16 ntutl by caecatc", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 2885, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.user": [ - "caecatc" - ], - "rsa.internal.event_desc": "Autoclassification restarted", - "rsa.internal.messageid": "Autoclassification", - "rsa.time.starttime": "2017-01-20T16:14:16.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "user.name": "caecatc" - }, - { - "destination.ip": "10.224.68.213", - "event.code": "GRE", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "February 3 21:16:50 pfsp: Alert GRE tunnel restored for destination 10.224.68.213, leader taed at 2017-02-03 21:16:50 lup", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 2990, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.ip": [ - "10.224.68.213" - ], - "rsa.internal.messageid": "GRE", - "rsa.misc.parent_node": "taed", - "rsa.time.endtime": 
"2017-02-03T23:16:50.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Hardware", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "February 18 04:19:24 pfsp: Alert Hardware failure on aperi since 2017-02-18 04:19:24 GMT: lor", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 3112, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.event_desc": "lor", - "rsa.internal.messageid": "Hardware", - "rsa.misc.node": "aperi", - "rsa.time.starttime": "2017-02-18T06:19:24.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "BGP", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "March 4 11:21:59 pfsp: The BGP Instability for router oin ended", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 3206, - "network.protocol": "BGP", - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "BGP", - "rsa.misc.node": "oin", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Hardware", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "March 18 18:24:33 pfsp: Hardware failure on ritatis done at 2017-03-18 18:24:33 oloremi GMT: pitla", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 3270, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.event_desc": "pitla", - "rsa.internal.messageid": "Hardware", - "rsa.misc.node": "ritatis", - "rsa.time.endtime": "2017-03-18T20:24:33.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Change_Log", - "event.dataset": "netscout.sightline", - 
"event.module": "netscout", - "event.original": "April 2 01:27:07 eomnisis: Change Log: Username:mqui, Subsystem:civeli, Setting Type:errorsi, Message:des", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 3369, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.user": [ - "mqui" - ], - "rsa.internal.messageid": "Change_Log", - "rsa.misc.msgIdPart1": "Change", - "rsa.misc.msgIdPart2": "Log", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "user.name": "mqui" - }, - { - "event.code": "Device", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "April 16 08:29:41 pfsp: Device tdolorem unreachable by controller ono since 2017-04-16 08:29:41", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 3475, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "Device", - "rsa.misc.node": "tdolorem", - "rsa.misc.parent_node": "ono", - "rsa.time.starttime": "2017-04-16T10:29:41.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "destination.ip": "10.60.185.151", - "event.code": "GRE", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "April 30 15:32:16 pfsp: The GRE tunnel down for destination 10.60.185.151, leader uidolo since 2017-04-30 15:32:16 lumquido", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 3571, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.ip": [ - "10.60.185.151" - ], - "rsa.internal.messageid": "GRE", - "rsa.misc.parent_node": "uidolo", - "rsa.time.starttime": "2017-04-30T17:32:16.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Test", - "event.dataset": "netscout.sightline", - "event.module": 
"netscout", - "event.original": "May 14 22:34:50 Lor: Test: Test syslog message", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 3695, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "Test", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.action": "Script mitigation", - "event.code": "script", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "May 29 05:37:24 pfsp: Alert script modoco ran at 2017-05-29 05:37:24 , leader estqu", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 3742, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "script", - "rsa.misc.disposition": "ongoing", - "rsa.misc.event_type": "Script mitigation", - "rsa.misc.node": "modoco", - "rsa.misc.parent_node": "estqu", - "rsa.time.starttime": "2017-05-29T07:37:24.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Protection_Mode", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "June 12 12:39:58 intoccae: Protection Mode: Changed protection mode to active for protection groupents,URL:https://www.example.net/nse/sinto.gif?CSed=lupt#psaquae", - "fileset.name": "sightline", - "group.name": "ents", - "input.type": "log", - "log.offset": 3826, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.event_desc": "Changed protection mode to active for protection group", - "rsa.internal.messageid": "Protection_Mode", - "rsa.misc.group": "ents", - "rsa.misc.msgIdPart1": "Protection", - "rsa.misc.msgIdPart2": "Mode", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "url.domain": "www.example.net", - "url.extension": "gif", - "url.fragment": 
"psaquae", - "url.original": "https://www.example.net/nse/sinto.gif?CSed=lupt#psaquae", - "url.path": "/nse/sinto.gif", - "url.query": "CSed=lupt", - "url.scheme": "https" - }, - { - "event.code": "BGP", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "June 26 19:42:33 pfsp: The BGP Trap reetd: Prefix lumqui itinvo mdolore", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 3989, - "network.protocol": "BGP", - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.event_desc": "mdolore", - "rsa.internal.messageid": "BGP", - "rsa.misc.node": "reetd", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Device", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "July 11 02:45:07 pfsp: Device mque reachable again by controller uovolup at 2017-07-11 02:45:07 samvolu", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 4061, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "Device", - "rsa.misc.node": "mque", - "rsa.misc.parent_node": "uovolup", - "rsa.time.endtime": "2017-07-11T04:45:07.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Host", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "July 25 09:47:41 pfsp: The Host Detection alert eirure, start 2017-07-25 09:47:41 conseq, duration 38.117000, stop 2017-07-25 09:47:41 mpori, , importance very-high, managed_objects (atu), is now unknown, (parent managed object lpaqui)", - "fileset.name": "sightline", - "input.type": "log", - "log.level": "very-high", - "log.offset": 4165, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "Host", - 
"rsa.misc.result": "unknown", - "rsa.misc.severity": "very-high", - "rsa.time.duration_time": 38.117, - "rsa.time.endtime": "2017-07-25T11:47:41.000Z", - "rsa.time.starttime": "2017-07-25T11:47:41.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "BGP", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "August 8 16:50:15 pfsp: BGP Trap doloremi: Prefix luptasn hitect dol", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 4401, - "network.protocol": "BGP", - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.event_desc": "dol", - "rsa.internal.messageid": "BGP", - "rsa.misc.node": "doloremi", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "BGP", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "August 22 23:52:50 nsecte: BGP: ipv6 instability router tincu threshold ari (exercit) observed sci (quamnih)", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 4470, - "network.protocol": "ipv6", - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "BGP", - "rsa.misc.node": "tincu", - "rsa.misc.trigger_val": "sci", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Protection_Mode", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "September 6 06:55:24 emoe: Protection Mode: Changed protection mode to active for protection groupeaq,URL:https://mail.example.net/corp/modtemp.jpg?oluptas=tNequepo#lup", - "fileset.name": "sightline", - "group.name": "eaq", - "input.type": "log", - "log.offset": 4579, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - 
"rsa.internal.event_desc": "Changed protection mode to active for protection group", - "rsa.internal.messageid": "Protection_Mode", - "rsa.misc.group": "eaq", - "rsa.misc.msgIdPart1": "Protection", - "rsa.misc.msgIdPart2": "Mode", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "url.domain": "mail.example.net", - "url.extension": "jpg", - "url.fragment": "lup", - "url.original": "https://mail.example.net/corp/modtemp.jpg?oluptas=tNequepo#lup", - "url.path": "/corp/modtemp.jpg", - "url.query": "oluptas=tNequepo", - "url.scheme": "https" - }, - { - "event.code": "Change_Log", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "September 20 13:57:58 evita: Change Log: Username:suntexp, Subsystem:duntut, Setting Type:magni, Message:pisciv", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 4748, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.user": [ - "suntexp" - ], - "rsa.internal.messageid": "Change_Log", - "rsa.misc.msgIdPart1": "Change", - "rsa.misc.msgIdPart2": "Log", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "user.name": "suntexp" - }, - { - "destination.ip": "10.168.131.247", - "event.code": "Blocked_Host", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "October 4 21:00:32 radipisc: Blocked Host: Blocked host10.136.232.108atabiby Blocked Countries usingrdpdestination10.168.131.247,URL:https://example.net/temqu/edol.jpg?ipi=reseos#pariatu", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 4860, - "network.protocol": "rdp", - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.ip": [ - "10.136.232.108", - "10.168.131.247" - ], - "rsa.internal.messageid": "Blocked_Host", - "rsa.misc.msgIdPart1": "Blocked", - "rsa.misc.msgIdPart2": "Host", - "service.type": 
"netscout", - "source.ip": "10.136.232.108", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "url.domain": "example.net", - "url.extension": "jpg", - "url.fragment": "pariatu", - "url.original": "https://example.net/temqu/edol.jpg?ipi=reseos#pariatu", - "url.path": "/temqu/edol.jpg", - "url.query": "ipi=reseos", - "url.scheme": "https" - }, - { - "destination.ip": "10.209.182.237", - "event.code": "GRE", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "October 19 04:03:07 pfsp: GRE tunnel restored for destination 10.209.182.237, leader tper at 2017-10-19 04:03:07 olor", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 5047, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.ip": [ - "10.209.182.237" - ], - "rsa.internal.messageid": "GRE", - "rsa.misc.parent_node": "tper", - "rsa.time.endtime": "2017-10-19T06:03:07.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Device", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "November 2 11:05:41 pfsp: Alert Device xerc reachable again by controller iutali at 2017-11-02 11:05:41 fdeFi", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 5165, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "Device", - "rsa.misc.node": "xerc", - "rsa.misc.parent_node": "iutali", - "rsa.time.endtime": "2017-11-02T13:05:41.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "BGP", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "November 16 18:08:15 pfsp: BGP down for router ati, leader tlabo since 2017-11-16 18:08:15 uames", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 5275, - 
"network.protocol": "BGP", - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "BGP", - "rsa.misc.node": "ati", - "rsa.misc.parent_node": "tlabo", - "rsa.time.starttime": "2017-11-16T20:08:15.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.action": "Script mitigation", - "event.code": "script", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "December 1 01:10:49 pfsp: script offi ran at 2017-12-01 01:10:49 , leader giatnu", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 5372, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "script", - "rsa.misc.disposition": "ongoing", - "rsa.misc.event_type": "Script mitigation", - "rsa.misc.node": "offi", - "rsa.misc.parent_node": "giatnu", - "rsa.time.starttime": "2017-12-01T03:10:49.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "destination.ip": "10.163.161.165", - "event.code": "Blocked_Host", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "December 15 08:13:24 untex: Blocked Host: Blocked host10.83.23.104attisetqby Blocked Countries usingrdpdestination10.163.161.165,URL:https://www5.example.org/atem/gnido.txt?tmollita=fde#nsecte", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 5453, - "network.protocol": "rdp", - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.ip": [ - "10.163.161.165", - "10.83.23.104" - ], - "rsa.internal.messageid": "Blocked_Host", - "rsa.misc.msgIdPart1": "Blocked", - "rsa.misc.msgIdPart2": "Host", - "service.type": "netscout", - "source.ip": "10.83.23.104", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "url.domain": "www5.example.org", - "url.extension": "txt", 
- "url.fragment": "nsecte", - "url.original": "https://www5.example.org/atem/gnido.txt?tmollita=fde#nsecte", - "url.path": "/atem/gnido.txt", - "url.query": "tmollita=fde", - "url.scheme": "https" - }, - { - "destination.ip": "10.53.248.4", - "event.code": "GRE", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "December 29 15:15:58 pfsp: GRE tunnel restored for destination 10.53.248.4, leader derit at 2017-12-29 15:15:58 dexea", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 5646, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.ip": [ - "10.53.248.4" - ], - "rsa.internal.messageid": "GRE", - "rsa.misc.parent_node": "derit", - "rsa.time.endtime": "2017-12-29T17:15:58.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Test", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "January 12 22:18:32 pfsp: Test syslog message", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 5764, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "Test", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Flow", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "January 27 05:21:06 pfsp: Alert Flow down for router tessec, leader olupta since 2018-01-27 05:21:06 litse", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 5810, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "Flow", - "rsa.misc.node": "tessec", - "rsa.misc.parent_node": "olupta", - "rsa.time.starttime": "2018-01-27T07:21:06.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - 
"event.code": "Host", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "February 10 12:23:41 pfsp: Alert Host Detection alert sperna, start 2018-02-10 12:23:41 sintocc, duration 24.633000, stop 2018-02-10 12:23:41 scivelit, , importance medium, managed_objects (ehen), is now success, (parent managed object quameius)", - "fileset.name": "sightline", - "input.type": "log", - "log.level": "medium", - "log.offset": 5917, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "Host", - "rsa.misc.result": "success", - "rsa.misc.severity": "medium", - "rsa.time.duration_time": 24.633, - "rsa.time.endtime": "2018-02-10T14:23:41.000Z", - "rsa.time.starttime": "2018-02-10T14:23:41.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Change_Log", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "February 24 19:26:15 ate: Change Log: Username:uiac, Subsystem:epte, Setting Type:idolo, Message:quinesc", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 6163, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.user": [ - "uiac" - ], - "rsa.internal.messageid": "Change_Log", - "rsa.misc.msgIdPart1": "Change", - "rsa.misc.msgIdPart2": "Log", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "user.name": "uiac" - }, - { - "event.code": "BGP", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "March 11 02:28:49 pfsp: BGP Instability for router iatisu ended", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 6268, - "network.protocol": "BGP", - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "BGP", - "rsa.misc.node": "iatisu", - "service.type": 
"netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Change_Log", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "March 25 09:31:24 evolu: Change Log: Username:ersp, Subsystem:tquov, Setting Type:diconseq, Message:inven", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 6332, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.user": [ - "ersp" - ], - "rsa.internal.messageid": "Change_Log", - "rsa.misc.msgIdPart1": "Change", - "rsa.misc.msgIdPart2": "Log", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "user.name": "ersp" - }, - { - "event.code": "Test", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "April 8 16:33:58 pfsp: Test syslog message", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 6438, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "Test", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Test", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "April 22 23:36:32 Sedutp: Test: Test syslog message", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 6481, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "Test", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Change_Log", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "May 7 06:39:06 ema: Change Log: Username:rsitv, Subsystem:iciade, Setting Type:ntiumt, Message:iquipe", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 6533, - "observer.product": "Arbor", - 
"observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.user": [ - "rsitv" - ], - "rsa.internal.messageid": "Change_Log", - "rsa.misc.msgIdPart1": "Change", - "rsa.misc.msgIdPart2": "Log", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "user.name": "rsitv" - }, - { - "event.code": "Protection_Mode", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "May 21 13:41:41 quin: Protection Mode: Changed protection mode to active for protection groupupida,URL:https://api.example.com/eufugi/pici.html?ccaecat=tquiin#tse", - "fileset.name": "sightline", - "group.name": "upida", - "input.type": "log", - "log.offset": 6635, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.event_desc": "Changed protection mode to active for protection group", - "rsa.internal.messageid": "Protection_Mode", - "rsa.misc.group": "upida", - "rsa.misc.msgIdPart1": "Protection", - "rsa.misc.msgIdPart2": "Mode", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "url.domain": "api.example.com", - "url.extension": "html", - "url.fragment": "tse", - "url.original": "https://api.example.com/eufugi/pici.html?ccaecat=tquiin#tse", - "url.path": "/eufugi/pici.html", - "url.query": "ccaecat=tquiin", - "url.scheme": "https" - }, - { - "event.code": "Change_Log", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "June 4 20:44:15 minimav: Change Log: Username:udexerci, Subsystem:naal, Setting Type:lore, Message:tnonpro", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 6798, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.user": [ - "udexerci" - ], - "rsa.internal.messageid": "Change_Log", - "rsa.misc.msgIdPart1": "Change", - "rsa.misc.msgIdPart2": "Log", - "service.type": "netscout", - "tags": [ - "forwarded", - 
"netscout.sightline" - ], - "user.name": "udexerci" - }, - { - "event.code": "Device", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "June 19 03:46:49 pfsp: The Device illoin unreachable by controller tanimid since 2018-06-19 03:46:49", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 6905, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "Device", - "rsa.misc.node": "illoin", - "rsa.misc.parent_node": "tanimid", - "rsa.time.starttime": "2018-06-19T05:46:49.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "configuration", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "July 3 10:49:23 pfsp: configuration was changed on leader natuse to version 1.4425 by ati", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 7006, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "observer.version": "1.4425", - "related.user": [ - "ati" - ], - "rsa.internal.event_desc": "Configuration changed", - "rsa.internal.messageid": "configuration", - "rsa.misc.parent_node": "natuse", - "rsa.misc.version": "1.4425", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "user.name": "ati" - }, - { - "event.code": "anomaly", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "July 17 17:51:58 boree: anomaly: anomaly Bandwidth id 2366 status queips severity low classification itess router iscinge router_name ofdeFini interface irat interface_name \"enp0s4306\" aturauto", - "fileset.name": "sightline", - "input.type": "log", - "log.level": "low", - "log.offset": 7096, - "network.interface.name": "enp0s4306", - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - 
"rsa.internal.messageid": "anomaly", - "rsa.misc.category": "itess", - "rsa.misc.disposition": "queips", - "rsa.misc.node": "ofdeFini", - "rsa.misc.policy_name": "Bandwidth", - "rsa.misc.severity": "low", - "rsa.misc.sig_id": 2366, - "rsa.network.interface": "enp0s4306", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "SNMP", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "August 1 00:54:32 pfsp: SNMP restored for router entsunt, leader ihilm at 2018-08-01 00:54:32 dmin", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 7290, - "network.protocol": "SNMP", - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "SNMP", - "rsa.misc.node": "entsunt", - "rsa.misc.parent_node": "ihilm", - "rsa.time.endtime": "2018-08-01T02:54:32.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Host", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "August 15 07:57:06 pfsp: The Host Detection alert uscipitl, start 2018-08-15 07:57:06 uia, duration 29.657000, direction internal, host 10.54.49.84, signatures (ciad), impact tali, importance medium, managed_objects (mexe), (parent managed object its)", - "fileset.name": "sightline", - "input.type": "log", - "log.level": "medium", - "log.offset": 7389, - "network.direction": "internal", - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.ip": [ - "10.54.49.84" - ], - "rsa.internal.messageid": "Host", - "rsa.misc.policy_name": "ciad", - "rsa.misc.severity": "medium", - "rsa.time.duration_time": 29.657, - "rsa.time.starttime": "2018-08-15T09:57:06.000Z", - "service.type": "netscout", - "source.ip": "10.54.49.84", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Test", - 
"event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "August 29 14:59:40 pfsp: Alert Test syslog message", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 7641, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "Test", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "anomaly", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "September 12 22:02:15 pfsp: anomaly Bandwidth id 5089 status commodo severity medium classification tutlab router sau router_name atevelit interface meius interface_name \"lo4293\" labo", - "fileset.name": "sightline", - "input.type": "log", - "log.level": "medium", - "log.offset": 7692, - "network.interface.name": "lo4293", - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "anomaly", - "rsa.misc.category": "tutlab", - "rsa.misc.disposition": "commodo", - "rsa.misc.node": "atevelit", - "rsa.misc.policy_name": "Bandwidth", - "rsa.misc.severity": "medium", - "rsa.misc.sig_id": 5089, - "rsa.network.interface": "lo4293", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.action": "Script mitigation", - "event.code": "script", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "September 27 05:04:49 pfsp: Alert script nre ran at 2018-09-27 05:04:49 veli, leader volupta", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 7876, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "script", - "rsa.misc.disposition": "ongoing", - "rsa.misc.event_type": "Script mitigation", - "rsa.misc.node": "nre", - "rsa.misc.parent_node": "volupta", - "rsa.time.starttime": "2018-09-27T07:04:49.000Z", 
- "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "BGP", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "October 11 12:07:23 pfsp: The BGP instability router uptate threshold mac (iumdol) observed tpersp (stla)", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 7969, - "network.protocol": "BGP", - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "BGP", - "rsa.misc.node": "uptate", - "rsa.misc.trigger_val": "tpersp", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.action": "Fault Occured", - "event.code": "TMS", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "October 25 19:09:57 pfsp: Alert TMS 'tem' fault for resource 'dol' on TMS proiden", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 8075, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.event_desc": "tem", - "rsa.internal.messageid": "TMS", - "rsa.internal.resource": "dol", - "rsa.misc.event_type": "Fault Occured", - "rsa.misc.node": "proiden", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Device", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "November 9 02:12:32 pfsp: Device isis reachable again by controller uasiar at 2018-11-09 02:12:32 utlab", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 8157, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "Device", - "rsa.misc.node": "isis", - "rsa.misc.parent_node": "uasiar", - "rsa.time.endtime": "2018-11-09T04:12:32.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - 
] - }, - { - "event.action": "Script mitigation", - "event.code": "script", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "November 23 09:15:06 pfsp: Alert script dantium ran at 2018-11-23 09:15:06 lor, leader velillu", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 8261, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "script", - "rsa.misc.disposition": "ongoing", - "rsa.misc.event_type": "Script mitigation", - "rsa.misc.node": "dantium", - "rsa.misc.parent_node": "velillu", - "rsa.time.starttime": "2018-11-23T11:15:06.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.action": "Script mitigation", - "event.code": "script", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "December 7 16:17:40 pfsp: The script tvolu ran at 2018-12-07 16:17:40 nreprehe, leader tetu", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 8356, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "script", - "rsa.misc.disposition": "ongoing", - "rsa.misc.event_type": "Script mitigation", - "rsa.misc.node": "tvolu", - "rsa.misc.parent_node": "tetu", - "rsa.time.starttime": "2018-12-07T18:17:40.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "destination.ip": "10.28.226.128", - "event.code": "Blocked_Host", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "December 21 23:20:14 temporin: Blocked Host: Blocked host10.122.76.148atmiuby Blocked Countries usingipv6-icmpdestination10.28.226.128,URL:https://mail.example.org/idunt/luptat.txt?ica=lillum#remips", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 8448, - "network.protocol": "ipv6-icmp", - 
"observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.ip": [ - "10.122.76.148", - "10.28.226.128" - ], - "rsa.internal.messageid": "Blocked_Host", - "rsa.misc.msgIdPart1": "Blocked", - "rsa.misc.msgIdPart2": "Host", - "service.type": "netscout", - "source.ip": "10.122.76.148", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "url.domain": "mail.example.org", - "url.extension": "txt", - "url.fragment": "remips", - "url.original": "https://mail.example.org/idunt/luptat.txt?ica=lillum#remips", - "url.path": "/idunt/luptat.txt", - "url.query": "ica=lillum", - "url.scheme": "https" - }, - { - "event.code": "Protection_Mode", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "January 5 06:22:49 cola: Protection Mode: Changed protection mode to active for protection groupamcor,URL:https://internal.example.com/ineavol/iosa.html?usc=rem#amvolupt", - "fileset.name": "sightline", - "group.name": "amcor", - "input.type": "log", - "log.offset": 8647, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.event_desc": "Changed protection mode to active for protection group", - "rsa.internal.messageid": "Protection_Mode", - "rsa.misc.group": "amcor", - "rsa.misc.msgIdPart1": "Protection", - "rsa.misc.msgIdPart2": "Mode", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "url.domain": "internal.example.com", - "url.extension": "html", - "url.fragment": "amvolupt", - "url.original": "https://internal.example.com/ineavol/iosa.html?usc=rem#amvolupt", - "url.path": "/ineavol/iosa.html", - "url.query": "usc=rem", - "url.scheme": "https" - }, - { - "event.code": "Protection_Mode", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "January 19 13:25:23 mnis: Protection Mode: Changed protection mode to active for protection 
groupequepor,URL:https://internal.example.org/quaUten/nisiut.txt?teturad=perspici#itation", - "fileset.name": "sightline", - "group.name": "equepor", - "input.type": "log", - "log.offset": 8817, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.event_desc": "Changed protection mode to active for protection group", - "rsa.internal.messageid": "Protection_Mode", - "rsa.misc.group": "equepor", - "rsa.misc.msgIdPart1": "Protection", - "rsa.misc.msgIdPart2": "Mode", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "url.domain": "internal.example.org", - "url.extension": "txt", - "url.fragment": "itation", - "url.original": "https://internal.example.org/quaUten/nisiut.txt?teturad=perspici#itation", - "url.path": "/quaUten/nisiut.txt", - "url.query": "teturad=perspici", - "url.scheme": "https" - }, - { - "event.code": "Protection_Mode", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "February 2 20:27:57 nimave: Protection Mode: Changed protection mode to active for protection groupisciv,URL:https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt", - "fileset.name": "sightline", - "group.name": "isciv", - "input.type": "log", - "log.offset": 8999, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.event_desc": "Changed protection mode to active for protection group", - "rsa.internal.messageid": "Protection_Mode", - "rsa.misc.group": "isciv", - "rsa.misc.msgIdPart1": "Protection", - "rsa.misc.msgIdPart2": "Mode", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "url.domain": "mail.example.org", - "url.extension": "txt", - "url.fragment": "quunt", - "url.original": "https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt", - "url.path": "/nofd/dipisci.txt", - "url.query": "ilmol=eri", - "url.scheme": "https" - }, - { - "destination.ip": 
"10.98.209.10", - "event.code": "Blocked_Host", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "February 17 03:30:32 iosamnis: Blocked Host: Blocked host10.31.177.226atdeserunby Blocked Countries usingggpdestination10.98.209.10,URL:https://www.example.org/ptateve/enderi.html?toccaec=fugi#labo", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 9166, - "network.protocol": "ggp", - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.ip": [ - "10.31.177.226", - "10.98.209.10" - ], - "rsa.internal.messageid": "Blocked_Host", - "rsa.misc.msgIdPart1": "Blocked", - "rsa.misc.msgIdPart2": "Host", - "service.type": "netscout", - "source.ip": "10.31.177.226", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "url.domain": "www.example.org", - "url.extension": "html", - "url.fragment": "labo", - "url.original": "https://www.example.org/ptateve/enderi.html?toccaec=fugi#labo", - "url.path": "/ptateve/enderi.html", - "url.query": "toccaec=fugi", - "url.scheme": "https" - }, - { - "destination.ip": "10.179.210.218", - "event.code": "Blocked_Host", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "March 3 10:33:06 estl: Blocked Host: Blocked host10.44.47.27atmmodocby Blocked Countries usingigmpdestination10.179.210.218,URL:https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 9364, - "network.protocol": "igmp", - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.ip": [ - "10.179.210.218", - "10.44.47.27" - ], - "rsa.internal.messageid": "Blocked_Host", - "rsa.misc.msgIdPart1": "Blocked", - "rsa.misc.msgIdPart2": "Host", - "service.type": "netscout", - "source.ip": "10.44.47.27", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "url.domain": "www.example.org", - "url.extension": 
"jpg", - "url.fragment": "umetMalo", - "url.original": "https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo", - "url.path": "/tanimi/rumSecti.jpg", - "url.query": "emporain=ntiumto", - "url.scheme": "https" - }, - { - "event.code": "configuration", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "March 17 17:35:40 pfsp: Alert configuration was changed on leader emvele to version 1.2883 by lor", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 9562, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "observer.version": "1.2883", - "related.user": [ - "lor" - ], - "rsa.internal.event_desc": "Configuration changed", - "rsa.internal.messageid": "configuration", - "rsa.misc.parent_node": "emvele", - "rsa.misc.version": "1.2883", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "user.name": "lor" - }, - { - "event.code": "BGP", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "April 1 00:38:14 pfsp: Alert BGP instability router iquamqua threshold sit (rumSect) observed ita (vitaed)", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 9660, - "network.protocol": "BGP", - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "BGP", - "rsa.misc.node": "iquamqua", - "rsa.misc.trigger_val": "ita", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Test", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "April 15 07:40:49 pfsp: Alert Test syslog message", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 9767, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "Test", - "service.type": "netscout", - "tags": [ - 
"forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Change_Log", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "April 29 14:43:23 numquam: Change Log: Username:tMal, Subsystem:ommodo, Setting Type:uptat, Message:idex", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 9817, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.user": [ - "tMal" - ], - "rsa.internal.messageid": "Change_Log", - "rsa.misc.msgIdPart1": "Change", - "rsa.misc.msgIdPart2": "Log", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "user.name": "tMal" - }, - { - "event.code": "configuration", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "May 13 21:45:57 pfsp: Alert configuration was changed on leader maveni to version 1.2552 by onu", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 9922, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "observer.version": "1.2552", - "related.user": [ - "onu" - ], - "rsa.internal.event_desc": "Configuration changed", - "rsa.internal.messageid": "configuration", - "rsa.misc.parent_node": "maveni", - "rsa.misc.version": "1.2552", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "user.name": "onu" - }, - { - "event.code": "BGP", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "May 28 04:48:31 pfsp: Alert BGP Hijack for prefix tlaboree router norumet done", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 10018, - "network.protocol": "BGP", - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "BGP", - "rsa.misc.node": "norumet", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - 
"event.code": "Host", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "June 11 11:51:06 pfsp: Host Detection alert col, start 2019-06-11 11:51:06 mve, duration 177.586000, stop 2019-06-11 11:51:06 tinvolup, , importance very-high, managed_objects (Sedutpe), is now failure, (parent managed object rroq)", - "fileset.name": "sightline", - "input.type": "log", - "log.level": "very-high", - "log.offset": 10097, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "Host", - "rsa.misc.result": "failure", - "rsa.misc.severity": "very-high", - "rsa.time.duration_time": 177.586, - "rsa.time.endtime": "2019-06-11T13:51:06.000Z", - "rsa.time.starttime": "2019-06-11T13:51:06.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.action": "Script mitigation", - "event.code": "script", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "June 25 18:53:40 pfsp: script remipsum ran at 2019-06-25 18:53:40 , leader tempor", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 10329, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "script", - "rsa.misc.disposition": "ongoing", - "rsa.misc.event_type": "Script mitigation", - "rsa.misc.node": "remipsum", - "rsa.misc.parent_node": "tempor", - "rsa.time.starttime": "2019-06-25T20:53:40.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Change_Log", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "July 10 01:56:14 ccae: Change Log: Username:orroqu, Subsystem:elitsed, Setting Type:labore, Message:uela", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 10411, - "observer.product": "Arbor", - "observer.type": "DDOS", - 
"observer.vendor": "Netscout", - "related.user": [ - "orroqu" - ], - "rsa.internal.messageid": "Change_Log", - "rsa.misc.msgIdPart1": "Change", - "rsa.misc.msgIdPart2": "Log", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "user.name": "orroqu" - }, - { - "event.code": "Test", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "July 24 08:58:48 uto: Test: Test syslog message", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 10516, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "Test", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Change_Log", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "August 7 16:01:23 remq: Change Log: Username:veniamq, Subsystem:occ, Setting Type:oloreseo, Message:iruredol", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 10564, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.user": [ - "veniamq" - ], - "rsa.internal.messageid": "Change_Log", - "rsa.misc.msgIdPart1": "Change", - "rsa.misc.msgIdPart2": "Log", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "user.name": "veniamq" - }, - { - "destination.ip": "10.55.156.64", - "event.code": "Blocked_Host", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "August 21 23:03:57 cupi: Blocked Host: Blocked host10.151.129.181atduntby Blocked Countries usingggpdestination10.55.156.64,URL:https://www.example.net/itanim/nesciun.txt?mollita=tatem#iae", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 10673, - "network.protocol": "ggp", - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.ip": [ - 
"10.151.129.181", - "10.55.156.64" - ], - "rsa.internal.messageid": "Blocked_Host", - "rsa.misc.msgIdPart1": "Blocked", - "rsa.misc.msgIdPart2": "Host", - "service.type": "netscout", - "source.ip": "10.151.129.181", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "url.domain": "www.example.net", - "url.extension": "txt", - "url.fragment": "iae", - "url.original": "https://www.example.net/itanim/nesciun.txt?mollita=tatem#iae", - "url.path": "/itanim/nesciun.txt", - "url.query": "mollita=tatem", - "url.scheme": "https" - }, - { - "event.code": "Protection_Mode", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "September 5 06:06:31 eumi: Protection Mode: Changed protection mode to active for protection groupquasiarc,URL:https://www.example.net/rever/ore.jpg?oluptat=metco#acom", - "fileset.name": "sightline", - "group.name": "quasiarc", - "input.type": "log", - "log.offset": 10862, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.event_desc": "Changed protection mode to active for protection group", - "rsa.internal.messageid": "Protection_Mode", - "rsa.misc.group": "quasiarc", - "rsa.misc.msgIdPart1": "Protection", - "rsa.misc.msgIdPart2": "Mode", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "url.domain": "www.example.net", - "url.extension": "jpg", - "url.fragment": "acom", - "url.original": "https://www.example.net/rever/ore.jpg?oluptat=metco#acom", - "url.path": "/rever/ore.jpg", - "url.query": "oluptat=metco", - "url.scheme": "https" - }, - { - "event.code": "Host", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "September 19 13:09:05 pfsp: The Host Detection alert inBCSedu, start 2019-09-19 13:09:05 erspi, duration 77.637000, direction internal, host 10.46.77.76, signatures (iacons), impact occaec, importance medium, managed_objects (uov), (parent managed object quaeab)", 
- "fileset.name": "sightline", - "input.type": "log", - "log.level": "medium", - "log.offset": 11030, - "network.direction": "internal", - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.ip": [ - "10.46.77.76" - ], - "rsa.internal.messageid": "Host", - "rsa.misc.policy_name": "iacons", - "rsa.misc.severity": "medium", - "rsa.time.duration_time": 77.637, - "rsa.time.starttime": "2019-09-19T15:09:05.000Z", - "service.type": "netscout", - "source.ip": "10.46.77.76", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Hardware", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "October 3 20:11:40 pfsp: Hardware failure on ntiu since 2019-10-03 20:11:40 GMT: radipisc", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 11293, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.event_desc": "radipisc", - "rsa.internal.messageid": "Hardware", - "rsa.misc.node": "ntiu", - "rsa.time.starttime": "2019-10-03T22:11:40.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.action": "Script mitigation", - "event.code": "script", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "October 18 03:14:14 pfsp: script vitaed ran at 2019-10-18 03:14:14 ser, leader etconsec", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 11383, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "script", - "rsa.misc.disposition": "ongoing", - "rsa.misc.event_type": "Script mitigation", - "rsa.misc.node": "vitaed", - "rsa.misc.parent_node": "etconsec", - "rsa.time.starttime": "2019-10-18T05:14:14.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "destination.ip": 
"10.166.90.130", - "event.code": "Blocked_Host", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "November 1 10:16:48 upt: Blocked Host: Blocked host10.73.89.189atidoloby Blocked Countries usingicmpdestination10.166.90.130,URL:https://api.example.org/eosquira/pta.htm?econs=lmolesti#apariatu", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 11471, - "network.protocol": "icmp", - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.ip": [ - "10.166.90.130", - "10.73.89.189" - ], - "rsa.internal.messageid": "Blocked_Host", - "rsa.misc.msgIdPart1": "Blocked", - "rsa.misc.msgIdPart2": "Host", - "service.type": "netscout", - "source.ip": "10.73.89.189", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "url.domain": "api.example.org", - "url.extension": "htm", - "url.fragment": "apariatu", - "url.original": "https://api.example.org/eosquira/pta.htm?econs=lmolesti#apariatu", - "url.path": "/eosquira/pta.htm", - "url.query": "econs=lmolesti", - "url.scheme": "https" - }, - { - "event.action": "Script mitigation", - "event.code": "script", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "November 15 17:19:22 pfsp: Alert script msequ ran at 2019-11-15 17:19:22 uat, leader lupta", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 11665, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "script", - "rsa.misc.disposition": "ongoing", - "rsa.misc.event_type": "Script mitigation", - "rsa.misc.node": "msequ", - "rsa.misc.parent_node": "lupta", - "rsa.time.starttime": "2019-11-15T19:19:22.000Z", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ] - }, - { - "event.code": "Protection_Mode", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "November 30 00:21:57 
tlabori: Protection Mode: Changed protection mode to active for protection grouplaudan,URL:https://www5.example.com/atcupida/tessequa.htm?dolores=equamnih#taliqui", - "fileset.name": "sightline", - "group.name": "laudan", - "input.type": "log", - "log.offset": 11756, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.event_desc": "Changed protection mode to active for protection group", - "rsa.internal.messageid": "Protection_Mode", - "rsa.misc.group": "laudan", - "rsa.misc.msgIdPart1": "Protection", - "rsa.misc.msgIdPart2": "Mode", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "url.domain": "www5.example.com", - "url.extension": "htm", - "url.fragment": "taliqui", - "url.original": "https://www5.example.com/atcupida/tessequa.htm?dolores=equamnih#taliqui", - "url.path": "/atcupida/tessequa.htm", - "url.query": "dolores=equamnih", - "url.scheme": "https" - }, - { - "event.code": "Change_Log", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "December 14 07:24:31 destlabo: Change Log: Username:rcitat, Subsystem:dolorema, Setting Type:emagn, Message:radipis", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 11940, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.user": [ - "rcitat" - ], - "rsa.internal.messageid": "Change_Log", - "rsa.misc.msgIdPart1": "Change", - "rsa.misc.msgIdPart2": "Log", - "service.type": "netscout", - "tags": [ - "forwarded", - "netscout.sightline" - ], - "user.name": "rcitat" - } -] \ No newline at end of file diff --git a/x-pack/filebeat/modules.d/netscout.yml.disabled b/x-pack/filebeat/modules.d/netscout.yml.disabled deleted file mode 100644 index 6a0e4c0dce6..00000000000 --- a/x-pack/filebeat/modules.d/netscout.yml.disabled +++ /dev/null 
@@ -1,22 +0,0 @@
-# Module: netscout
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/main/filebeat-module-netscout.html
-
-- module: netscout
- sightline:
- enabled: false
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9502
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
From a7ffb106045b1be4f388f84040a3631bd6300955 Mon Sep 17 00:00:00 2001
From: Panos Koutsovasilis Date: Thu, 15 Feb 2024 13:45:28 +0200 Subject: [PATCH 13/22] feat: remove deprecated proofpoint --- filebeat/docs/fields.asciidoc | 5435 ----------------- filebeat/docs/modules_list.asciidoc | 2 - x-pack/filebeat/filebeat.reference.yml | 21 - x-pack/filebeat/include/list.go | 1 - x-pack/filebeat/module/proofpoint/README.md | 7 - .../module/proofpoint/_meta/config.yml | 19 - .../module/proofpoint/_meta/docs.asciidoc | 70 - .../module/proofpoint/_meta/fields.yml | 5 - .../proofpoint/emailsecurity/_meta/fields.yml | 2635 -------- .../proofpoint/emailsecurity/config/input.yml | 87 - .../emailsecurity/config/liblogparser.js | 2514 -------- .../emailsecurity/config/pipeline.js | 2989 --------- .../emailsecurity/ingest/pipeline.yml | 64 - .../proofpoint/emailsecurity/manifest.yml | 31 - .../emailsecurity/test/generated.log | 100 - .../test/generated.log-expected.json | 2555 -------- x-pack/filebeat/module/proofpoint/fields.go | 23 - .../modules.d/proofpoint.yml.disabled | 22 - 18 files changed, 16580 deletions(-) delete mode 100644 x-pack/filebeat/module/proofpoint/README.md delete mode 100644 x-pack/filebeat/module/proofpoint/_meta/config.yml delete mode 100644 x-pack/filebeat/module/proofpoint/_meta/docs.asciidoc delete mode 100644 x-pack/filebeat/module/proofpoint/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/proofpoint/emailsecurity/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/proofpoint/emailsecurity/config/input.yml delete mode 100644 x-pack/filebeat/module/proofpoint/emailsecurity/config/liblogparser.js delete mode 100644 x-pack/filebeat/module/proofpoint/emailsecurity/config/pipeline.js delete mode 100644 x-pack/filebeat/module/proofpoint/emailsecurity/ingest/pipeline.yml delete mode 100644 x-pack/filebeat/module/proofpoint/emailsecurity/manifest.yml delete mode 100644 x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log delete mode 100644 
x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log-expected.json delete mode 100644 x-pack/filebeat/module/proofpoint/fields.go delete mode 100644 x-pack/filebeat/modules.d/proofpoint.yml.disabled diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index e5d9ac24a83..b6ca4bc4629 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -68,7 +68,6 @@ grouped in the following categories: * <> * <> * <> -* <> * <> * <> * <> 
@@ -54208,5440 +54207,6 @@ type: text -- -[[exported-fields-proofpoint]] -== Proofpoint Email Security fields - -proofpoint fields. - - - -*`network.interface.name`*:: -+ --- -Name of the network interface where the traffic has been observed. - - -type: keyword - --- - - - -*`rsa.internal.msg`*:: -+ --- -This key is used to capture the raw message that comes into the Log Decoder - -type: keyword - --- - -*`rsa.internal.messageid`*:: -+ --- -type: keyword - --- - -*`rsa.internal.event_desc`*:: -+ --- -type: keyword - --- - -*`rsa.internal.message`*:: -+ --- -This key captures the contents of instant messages - -type: keyword - --- - -*`rsa.internal.time`*:: -+ --- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: date - --- - -*`rsa.internal.level`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.msg_id`*:: -+ --- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.msg_vid`*:: -+ --- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.data`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_server`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_val`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.resource`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.internal.obj_id`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.statement`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.audit_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.entry`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.hcode`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.inode`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.resource_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.dead`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.feed_desc`*:: -+ --- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.feed_name`*:: -+ --- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.cid`*:: -+ --- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_class`*:: -+ --- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_group`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_host`*:: -+ --- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_ip`*:: -+ --- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_ipv6`*:: -+ --- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_type`*:: -+ --- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_type_id`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.did`*:: -+ --- -This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.entropy_req`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.entropy_res`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.event_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.feed_category`*:: -+ --- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.forward_ip`*:: -+ --- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: ip - --- - -*`rsa.internal.forward_ipv6`*:: -+ --- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.header_id`*:: -+ --- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_cid`*:: -+ --- -This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_ctime`*:: -+ --- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: date - --- - -*`rsa.internal.mcb_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcb_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcbc_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.mcbc_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.medium`*:: -+ --- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: long - --- - -*`rsa.internal.node_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.nwe_callback_id`*:: -+ --- -This key denotes that event is endpoint related - -type: keyword - --- - -*`rsa.internal.parse_error`*:: -+ --- -This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.payload_req`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.payload_res`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.process_vid_dst`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - -type: keyword - --- - -*`rsa.internal.process_vid_src`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - -type: keyword - --- - -*`rsa.internal.rid`*:: -+ --- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.session_split`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.site`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.size`*:: -+ --- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.sourcefile`*:: -+ --- -This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.ubc_req`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.ubc_res`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.word`*:: -+ --- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - -type: keyword - --- - - -*`rsa.time.event_time`*:: -+ --- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - -type: date - --- - -*`rsa.time.duration_time`*:: -+ --- -This key is used to capture the normalized duration/lifetime in seconds. 
- -type: double - --- - -*`rsa.time.event_time_str`*:: -+ --- -This key is used to capture the incomplete time mentioned in a session as a string - -type: keyword - --- - -*`rsa.time.starttime`*:: -+ --- -This key is used to capture the Start time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.month`*:: -+ --- -type: keyword - --- - -*`rsa.time.day`*:: -+ --- -type: keyword - --- - -*`rsa.time.endtime`*:: -+ --- -This key is used to capture the End time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.timezone`*:: -+ --- -This key is used to capture the timezone of the Event Time - -type: keyword - --- - -*`rsa.time.duration_str`*:: -+ --- -A text string version of the duration - -type: keyword - --- - -*`rsa.time.date`*:: -+ --- -type: keyword - --- - -*`rsa.time.year`*:: -+ --- -type: keyword - --- - -*`rsa.time.recorded_time`*:: -+ --- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date - --- - -*`rsa.time.datetime`*:: -+ --- -type: keyword - --- - -*`rsa.time.effective_time`*:: -+ --- -This key is the effective time referenced by an individual event in a Standard Timestamp format - -type: date - --- - -*`rsa.time.expire_time`*:: -+ --- -This key is the timestamp that explicitly refers to an expiration. - -type: date - --- - -*`rsa.time.process_time`*:: -+ --- -Deprecated, use duration.time - -type: keyword - --- - -*`rsa.time.hour`*:: -+ --- -type: keyword - --- - -*`rsa.time.min`*:: -+ --- -type: keyword - --- - -*`rsa.time.timestamp`*:: -+ --- -type: keyword - --- - -*`rsa.time.event_queue_time`*:: -+ --- -This key is the Time that the event was queued. 
- -type: date - --- - -*`rsa.time.p_time1`*:: -+ --- -type: keyword - --- - -*`rsa.time.tzone`*:: -+ --- -type: keyword - --- - -*`rsa.time.eventtime`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmtdate`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmttime`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_date`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_month`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time2`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_year`*:: -+ --- -type: keyword - --- - -*`rsa.time.expire_time_str`*:: -+ --- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. - -type: keyword - --- - -*`rsa.time.stamp`*:: -+ --- -Deprecated key defined only in table map. - -type: date - --- - - -*`rsa.misc.action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.result`*:: -+ --- -This key is used to capture the outcome/result string value of an action in a session. - -type: keyword - --- - -*`rsa.misc.severity`*:: -+ --- -This key is used to capture the severity given the session - -type: keyword - --- - -*`rsa.misc.event_type`*:: -+ --- -This key captures the event category type as specified by the event source. - -type: keyword - --- - -*`rsa.misc.reference_id`*:: -+ --- -This key is used to capture an event id from the session directly - -type: keyword - --- - -*`rsa.misc.version`*:: -+ --- -This key captures Version of the application or OS which is generating the event. - -type: keyword - --- - -*`rsa.misc.disposition`*:: -+ --- -This key captures the The end state of an action. 
- -type: keyword - --- - -*`rsa.misc.result_code`*:: -+ --- -This key is used to capture the outcome/result numeric value of an action in a session - -type: keyword - --- - -*`rsa.misc.category`*:: -+ --- -This key is used to capture the category of an event given by the vendor in the session - -type: keyword - --- - -*`rsa.misc.obj_name`*:: -+ --- -This is used to capture name of object - -type: keyword - --- - -*`rsa.misc.obj_type`*:: -+ --- -This is used to capture type of object - -type: keyword - --- - -*`rsa.misc.event_source`*:: -+ --- -This key captures Source of the event that’s not a hostname - -type: keyword - --- - -*`rsa.misc.log_session_id`*:: -+ --- -This key is used to capture a sessionid from the session directly - -type: keyword - --- - -*`rsa.misc.group`*:: -+ --- -This key captures the Group Name value - -type: keyword - --- - -*`rsa.misc.policy_name`*:: -+ --- -This key is used to capture the Policy Name only. - -type: keyword - --- - -*`rsa.misc.rule_name`*:: -+ --- -This key captures the Rule Name - -type: keyword - --- - -*`rsa.misc.context`*:: -+ --- -This key captures Information which adds additional context to the event. - -type: keyword - --- - -*`rsa.misc.change_new`*:: -+ --- -This key is used to capture the new values of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.space`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client`*:: -+ --- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- -type: keyword - --- - -*`rsa.misc.msgIdPart1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.change_old`*:: -+ --- -This key is used to capture the old value of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.operation_id`*:: -+ --- -An alert number or operation number. The values should be unique and non-repeating. - -type: keyword - --- - -*`rsa.misc.event_state`*:: -+ --- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - -type: keyword - --- - -*`rsa.misc.group_object`*:: -+ --- -This key captures a collection/grouping of entities. Specific usage - -type: keyword - --- - -*`rsa.misc.node`*:: -+ --- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - -type: keyword - --- - -*`rsa.misc.rule`*:: -+ --- -This key captures the Rule number - -type: keyword - --- - -*`rsa.misc.device_name`*:: -+ --- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - -type: keyword - --- - -*`rsa.misc.param`*:: -+ --- -This key is the parameters passed as part of a command or application, etc. - -type: keyword - --- - -*`rsa.misc.change_attrib`*:: -+ --- -This key is used to capture the name of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.event_computer`*:: -+ --- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- -type: keyword - --- - -*`rsa.misc.reference_id1`*:: -+ --- -This key is for Linked ID to be used as an addition to "reference.id" - -type: keyword - --- - -*`rsa.misc.event_log`*:: -+ --- -This key captures the Name of the event log - -type: keyword - --- - -*`rsa.misc.OS`*:: -+ --- -This key captures the Name of the Operating System - -type: keyword - --- - -*`rsa.misc.terminal`*:: -+ --- -This key captures the Terminal Names only - -type: keyword - --- - -*`rsa.misc.msgIdPart3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.filter`*:: -+ --- -This key captures Filter used to reduce result set - -type: keyword - --- - -*`rsa.misc.serial_number`*:: -+ --- -This key is the Serial number associated with a physical asset. - -type: keyword - --- - -*`rsa.misc.checksum`*:: -+ --- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - -type: keyword - --- - -*`rsa.misc.event_user`*:: -+ --- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - -type: keyword - --- - -*`rsa.misc.virusname`*:: -+ --- -This key captures the name of the virus - -type: keyword - --- - -*`rsa.misc.content_type`*:: -+ --- -This key is used to capture Content Type only. - -type: keyword - --- - -*`rsa.misc.group_id`*:: -+ --- -This key captures Group ID Number (related to the group name) - -type: keyword - --- - -*`rsa.misc.policy_id`*:: -+ --- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - -type: keyword - --- - -*`rsa.misc.vsys`*:: -+ --- -This key captures Virtual System Name - -type: keyword - --- - -*`rsa.misc.connection_id`*:: -+ --- -This key captures the Connection ID - -type: keyword - --- - -*`rsa.misc.reference_id2`*:: -+ --- -This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - -type: keyword - --- - -*`rsa.misc.sensor`*:: -+ --- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - -type: keyword - --- - -*`rsa.misc.sig_id`*:: -+ --- -This key captures IDS/IPS Int Signature ID - -type: long - --- - -*`rsa.misc.port_name`*:: -+ --- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - -type: keyword - --- - -*`rsa.misc.rule_group`*:: -+ --- -This key captures the Rule group name - -type: keyword - --- - -*`rsa.misc.risk_num`*:: -+ --- -This key captures a Numeric Risk value - -type: double - --- - -*`rsa.misc.trigger_val`*:: -+ --- -This key captures the Value of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.log_session_id1`*:: -+ --- -This key is used to capture a Linked (Related) Session ID from the session directly - -type: keyword - --- - -*`rsa.misc.comp_version`*:: -+ --- -This key captures the Version level of a sub-component of a product. - -type: keyword - --- - -*`rsa.misc.content_version`*:: -+ --- -This key captures Version level of a signature or database content. - -type: keyword - --- - -*`rsa.misc.hardware_id`*:: -+ --- -This key is used to capture unique identifier for a device or system (NOT a Mac address) - -type: keyword - --- - -*`rsa.misc.risk`*:: -+ --- -This key captures the non-numeric risk value - -type: keyword - --- - -*`rsa.misc.event_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.reason`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mail_id`*:: -+ --- -This key is used to capture the mailbox id/name - -type: keyword - --- - -*`rsa.misc.rule_uid`*:: -+ --- -This key is the Unique Identifier for a rule. 
- -type: keyword - --- - -*`rsa.misc.trigger_desc`*:: -+ --- -This key captures the Description of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.inout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.data_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.error`*:: -+ --- -This key captures All non successful Error codes or responses - -type: keyword - --- - -*`rsa.misc.index`*:: -+ --- -type: keyword - --- - -*`rsa.misc.listnum`*:: -+ --- -This key is used to capture listname or listnumber, primarily for collecting access-list - -type: keyword - --- - -*`rsa.misc.ntype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.observed_val`*:: -+ --- -This key captures the Value observed (from the perspective of the device generating the log). - -type: keyword - --- - -*`rsa.misc.policy_value`*:: -+ --- -This key captures the contents of the policy. This contains details about the policy - -type: keyword - --- - -*`rsa.misc.pool_name`*:: -+ --- -This key captures the name of a resource pool - -type: keyword - --- - -*`rsa.misc.rule_template`*:: -+ --- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - -type: keyword - --- - -*`rsa.misc.count`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigcat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comments`*:: -+ --- -Comment information provided in the log message - -type: keyword - --- - -*`rsa.misc.doc_number`*:: -+ --- -This key captures File Identification number - -type: long - --- - -*`rsa.misc.expected_val`*:: -+ --- -This key captures the Value expected (from the perspective of the device generating the log). 
- -type: keyword - --- - -*`rsa.misc.job_num`*:: -+ --- -This key captures the Job Number - -type: keyword - --- - -*`rsa.misc.spi_dst`*:: -+ --- -Destination SPI Index - -type: keyword - --- - -*`rsa.misc.spi_src`*:: -+ --- -Source SPI Index - -type: keyword - --- - -*`rsa.misc.code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.agent_id`*:: -+ --- -This key is used to capture agent id - -type: keyword - --- - -*`rsa.misc.message_body`*:: -+ --- -This key captures the The contents of the message body. - -type: keyword - --- - -*`rsa.misc.phone`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sig_id_str`*:: -+ --- -This key captures a string object of the sigid variable. - -type: keyword - --- - -*`rsa.misc.cmd`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu`*:: -+ --- -This key is the CPU time used in the execution of the event being recorded. - -type: long - --- - -*`rsa.misc.event_desc`*:: -+ --- -This key is used to capture a description of an event available directly or inferred - -type: keyword - --- - -*`rsa.misc.sig_id1`*:: -+ --- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - -type: long - --- - -*`rsa.misc.im_buddyid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_client`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.priority`*:: -+ --- -type: keyword - --- - -*`rsa.misc.context_subject`*:: -+ --- -This key is to be used in an audit context where the subject is the object being identified - -type: keyword - --- - -*`rsa.misc.context_target`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cve`*:: -+ --- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - -type: keyword - --- - -*`rsa.misc.fcatnum`*:: -+ --- -This key captures Filter Category Number. 
Legacy Usage - -type: keyword - --- - -*`rsa.misc.library`*:: -+ --- -This key is used to capture library information in mainframe devices - -type: keyword - --- - -*`rsa.misc.parent_node`*:: -+ --- -This key captures the Parent Node Name. Must be related to node variable. - -type: keyword - --- - -*`rsa.misc.risk_info`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.tcp_flags`*:: -+ --- -This key is captures the TCP flags set in any packet of session - -type: long - --- - -*`rsa.misc.tos`*:: -+ --- -This key describes the type of service - -type: long - --- - -*`rsa.misc.vm_target`*:: -+ --- -VMWare Target **VMWARE** only varaible. - -type: keyword - --- - -*`rsa.misc.workspace`*:: -+ --- -This key captures Workspace Description - -type: keyword - --- - -*`rsa.misc.command`*:: -+ --- -type: keyword - --- - -*`rsa.misc.event_category`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facilityname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.forensic_info`*:: -+ --- -type: keyword - --- - -*`rsa.misc.jobname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy_waiver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.second`*:: -+ --- -type: keyword - --- - -*`rsa.misc.space1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.subcategory`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alert_id`*:: -+ --- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.checksum_dst`*:: -+ --- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - -type: keyword - --- - -*`rsa.misc.checksum_src`*:: -+ --- -This key is used to capture the checksum or hash of the source entity such as a file or process. 
- -type: keyword - --- - -*`rsa.misc.fresult`*:: -+ --- -This key captures the Filter Result - -type: long - --- - -*`rsa.misc.payload_dst`*:: -+ --- -This key is used to capture destination payload - -type: keyword - --- - -*`rsa.misc.payload_src`*:: -+ --- -This key is used to capture source payload - -type: keyword - --- - -*`rsa.misc.pool_id`*:: -+ --- -This key captures the identifier (typically numeric field) of a resource pool - -type: keyword - --- - -*`rsa.misc.process_id_val`*:: -+ --- -This key is a failure key for Process ID when it is not an integer value - -type: keyword - --- - -*`rsa.misc.risk_num_comm`*:: -+ --- -This key captures Risk Number Community - -type: double - --- - -*`rsa.misc.risk_num_next`*:: -+ --- -This key captures Risk Number NextGen - -type: double - --- - -*`rsa.misc.risk_num_sand`*:: -+ --- -This key captures Risk Number SandBox - -type: double - --- - -*`rsa.misc.risk_num_static`*:: -+ --- -This key captures Risk Number Static - -type: double - --- - -*`rsa.misc.risk_suspicious`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.risk_warning`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.snmp_oid`*:: -+ --- -SNMP Object Identifier - -type: keyword - --- - -*`rsa.misc.sql`*:: -+ --- -This key captures the SQL query - -type: keyword - --- - -*`rsa.misc.vuln_ref`*:: -+ --- -This key captures the Vulnerability Reference details - -type: keyword - --- - -*`rsa.misc.acl_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_op`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_pos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_table`*:: -+ --- -type: keyword - --- - -*`rsa.misc.admin`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarm_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarmname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.app_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.audit`*:: 
-+ --- -type: keyword - --- - -*`rsa.misc.audit_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.auditdata`*:: -+ --- -type: keyword - --- - -*`rsa.misc.benchmark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.bypass`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache_hit`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cefversion`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_attr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_obj`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_path`*:: -+ --- -type: keyword - --- - -*`rsa.misc.changes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client_ip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.clustermembers`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_acttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_asn_src`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_bgpv4nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ctr_dst_code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_f_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampintv`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampmode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inacttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermbyts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermpckts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_invalid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ip_proto_ver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ipv4_ident`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_l_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_did`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_rid`*:: -+ --- -type: keyword - 
--- - -*`rsa.misc.cn_max_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_maxpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_min_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_minpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_10`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_5`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_6`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_7`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_8`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_9`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_byt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_pks`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_muligmptype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampalgo`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampint`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_seqctr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_spackets`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sysuptime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_template_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totbytsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totflowexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totpcktsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_unixnanosecs`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6flowlabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6optheaders`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.comp_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_rbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_sbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.criticality`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_agency_dst`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_analyzedby`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_other`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_primary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_secondary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bgpv6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bit9status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_context`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_control`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_datecret`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_dst_tld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_dst_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_src_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_event_uuid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_filetype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_desc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ip_next_hop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4dstpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4srcpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_lifetime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_log_medium`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_loginname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulescore`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulesign`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_opswatresult`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.cs_payload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrant`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrar`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_represult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_rpayload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sampler_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sourcemodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_streams`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_targetmodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_v6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_whois_server`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_yararesult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.description`*:: -+ --- -type: keyword - --- - -*`rsa.misc.devvendor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.distance`*:: -+ --- -type: keyword - --- - -*`rsa.misc.dstburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomaub`*:: -+ --- -type: keyword - --- - -*`rsa.misc.euid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facility`*:: -+ --- -type: keyword - --- - -*`rsa.misc.finterface`*:: -+ --- -type: keyword - --- - -*`rsa.misc.flags`*:: -+ --- -type: keyword - --- - -*`rsa.misc.gaddr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.id3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_buddyname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomtype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_members`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_username`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipscat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipspri`*:: -+ --- -type: keyword - --- - -*`rsa.misc.latitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.linenum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.list_name`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.load_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_floor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_mark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.longitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.lport`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mbug_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msg_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.netsessid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.nwwn`*:: -+ --- -type: keyword - --- - -*`rsa.misc.object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.operation`*:: -+ --- -type: keyword - --- - -*`rsa.misc.opkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.orig_from`*:: -+ --- -type: keyword - --- - -*`rsa.misc.owner_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_filter`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_group_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_result1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_chg`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_expire`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permgranted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permwanted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pgid`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.policyUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.prog_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.program`*:: -+ --- -type: keyword - --- - -*`rsa.misc.real_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_device`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_library`*:: -+ --- -type: keyword - --- - -*`rsa.misc.recordnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ruid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sdomain_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sec`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sensorname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.seqnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.session`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sessiontype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.spi`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcservice`*:: -+ --- -type: keyword - --- - -*`rsa.misc.state`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.svcno`*:: -+ --- -type: keyword - --- - -*`rsa.misc.system`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.threshold`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.udb_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.url_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.user_div`*:: -+ --- -type: keyword - --- - -*`rsa.misc.userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.username_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.utcstamp`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.v_instafname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.virt_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.vpnid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.autorun_type`*:: -+ --- -This is used to capture Auto Run type - -type: keyword - --- - -*`rsa.misc.cc_number`*:: -+ --- -Valid Credit Card Numbers only - -type: long - --- - -*`rsa.misc.content`*:: -+ --- -This key captures the content type from protocol headers - -type: keyword - --- - -*`rsa.misc.ein_number`*:: -+ --- -Employee Identification Numbers only - -type: long - --- - -*`rsa.misc.found`*:: -+ --- -This is used to capture the results of regex match - -type: keyword - --- - -*`rsa.misc.language`*:: -+ --- -This is used to capture list of languages the client support and what it prefers - -type: keyword - --- - -*`rsa.misc.lifetime`*:: -+ --- -This key is used to capture the session lifetime in seconds. - -type: long - --- - -*`rsa.misc.link`*:: -+ --- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.misc.match`*:: -+ --- -This key is for regex match name from search.ini - -type: keyword - --- - -*`rsa.misc.param_dst`*:: -+ --- -This key captures the command line/launch argument of the target process or file - -type: keyword - --- - -*`rsa.misc.param_src`*:: -+ --- -This key captures source parameter - -type: keyword - --- - -*`rsa.misc.search_text`*:: -+ --- -This key captures the Search Text used - -type: keyword - --- - -*`rsa.misc.sig_name`*:: -+ --- -This key is used to capture the Signature Name only. - -type: keyword - --- - -*`rsa.misc.snmp_value`*:: -+ --- -SNMP set request value - -type: keyword - --- - -*`rsa.misc.streams`*:: -+ --- -This key captures number of streams in session - -type: long - --- - - -*`rsa.db.index`*:: -+ --- -This key captures IndexID of the index. 
- -type: keyword - --- - -*`rsa.db.instance`*:: -+ --- -This key is used to capture the database server instance name - -type: keyword - --- - -*`rsa.db.database`*:: -+ --- -This key is used to capture the name of a database or an instance as seen in a session - -type: keyword - --- - -*`rsa.db.transact_id`*:: -+ --- -This key captures the SQL transantion ID of the current session - -type: keyword - --- - -*`rsa.db.permissions`*:: -+ --- -This key captures permission or privilege level assigned to a resource. - -type: keyword - --- - -*`rsa.db.table_name`*:: -+ --- -This key is used to capture the table name - -type: keyword - --- - -*`rsa.db.db_id`*:: -+ --- -This key is used to capture the unique identifier for a database - -type: keyword - --- - -*`rsa.db.db_pid`*:: -+ --- -This key captures the process id of a connection with database server - -type: long - --- - -*`rsa.db.lread`*:: -+ --- -This key is used for the number of logical reads - -type: long - --- - -*`rsa.db.lwrite`*:: -+ --- -This key is used for the number of logical writes - -type: long - --- - -*`rsa.db.pread`*:: -+ --- -This key is used for the number of physical writes - -type: long - --- - - -*`rsa.network.alias_host`*:: -+ --- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - -type: keyword - --- - -*`rsa.network.domain`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_dst`*:: -+ --- -This key should only be used when it’s a Destination Hostname - -type: keyword - --- - -*`rsa.network.network_service`*:: -+ --- -This is used to capture layer 7 protocols/service names - -type: keyword - --- - -*`rsa.network.interface`*:: -+ --- -This key should be used when the source or destination context of an interface is not clear - -type: keyword - --- - -*`rsa.network.network_port`*:: -+ --- -Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) - -type: long - --- - -*`rsa.network.eth_host`*:: -+ --- -Deprecated, use alias.mac - -type: keyword - --- - -*`rsa.network.sinterface`*:: -+ --- -This key should only be used when it’s a Source Interface - -type: keyword - --- - -*`rsa.network.dinterface`*:: -+ --- -This key should only be used when it’s a Destination Interface - -type: keyword - --- - -*`rsa.network.vlan`*:: -+ --- -This key should only be used to capture the ID of the Virtual LAN - -type: long - --- - -*`rsa.network.zone_src`*:: -+ --- -This key should only be used when it’s a Source Zone. - -type: keyword - --- - -*`rsa.network.zone`*:: -+ --- -This key should be used when the source or destination context of a Zone is not clear - -type: keyword - --- - -*`rsa.network.zone_dst`*:: -+ --- -This key should only be used when it’s a Destination Zone. - -type: keyword - --- - -*`rsa.network.gateway`*:: -+ --- -This key is used to capture the IP Address of the gateway - -type: keyword - --- - -*`rsa.network.icmp_type`*:: -+ --- -This key is used to capture the ICMP type only - -type: long - --- - -*`rsa.network.mask`*:: -+ --- -This key is used to capture the device network IPmask. 
- -type: keyword - --- - -*`rsa.network.icmp_code`*:: -+ --- -This key is used to capture the ICMP code only - -type: long - --- - -*`rsa.network.protocol_detail`*:: -+ --- -This key should be used to capture additional protocol information - -type: keyword - --- - -*`rsa.network.dmask`*:: -+ --- -This key is used for Destionation Device network mask - -type: keyword - --- - -*`rsa.network.port`*:: -+ --- -This key should only be used to capture a Network Port when the directionality is not clear - -type: long - --- - -*`rsa.network.smask`*:: -+ --- -This key is used for capturing source Network Mask - -type: keyword - --- - -*`rsa.network.netname`*:: -+ --- -This key is used to capture the network name associated with an IP range. This is configured by the end user. - -type: keyword - --- - -*`rsa.network.paddr`*:: -+ --- -Deprecated - -type: ip - --- - -*`rsa.network.faddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.lhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.origin`*:: -+ --- -type: keyword - --- - -*`rsa.network.remote_domain_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.addr`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_a_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_ptr_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.fhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.fport`*:: -+ --- -type: keyword - --- - -*`rsa.network.laddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.linterface`*:: -+ --- -type: keyword - --- - -*`rsa.network.phost`*:: -+ --- -type: keyword - --- - -*`rsa.network.ad_computer_dst`*:: -+ --- -Deprecated, use host.dst - -type: keyword - --- - -*`rsa.network.eth_type`*:: -+ --- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: long - --- - -*`rsa.network.ip_proto`*:: -+ --- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - -type: long - --- - -*`rsa.network.dns_cname_record`*:: -+ --- 
-type: keyword - --- - -*`rsa.network.dns_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_opcode`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_resp`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.domain1`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.packet_length`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_orig`*:: -+ --- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - -type: keyword - --- - -*`rsa.network.rpayload`*:: -+ --- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. - -type: keyword - --- - -*`rsa.network.vlan_name`*:: -+ --- -This key should only be used to capture the name of the Virtual LAN - -type: keyword - --- - - -*`rsa.investigations.ec_activity`*:: -+ --- -This key captures the particular event activity(Ex:Logoff) - -type: keyword - --- - -*`rsa.investigations.ec_theme`*:: -+ --- -This key captures the Theme of a particular Event(Ex:Authentication) - -type: keyword - --- - -*`rsa.investigations.ec_subject`*:: -+ --- -This key captures the Subject of a particular Event(Ex:User) - -type: keyword - --- - -*`rsa.investigations.ec_outcome`*:: -+ --- -This key captures the outcome of a particular Event(Ex:Success) - -type: keyword - --- - -*`rsa.investigations.event_cat`*:: -+ --- -This key captures the Event category number - -type: long - --- - -*`rsa.investigations.event_cat_name`*:: -+ --- -This key captures the event category name corresponding to the event cat code - -type: keyword - --- - -*`rsa.investigations.event_vcat`*:: -+ --- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - -type: keyword - --- - -*`rsa.investigations.analysis_file`*:: -+ --- -This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - -type: keyword - --- - -*`rsa.investigations.analysis_service`*:: -+ --- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - -type: keyword - --- - -*`rsa.investigations.analysis_session`*:: -+ --- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - -type: keyword - --- - -*`rsa.investigations.boc`*:: -+ --- -This is used to capture behaviour of compromise - -type: keyword - --- - -*`rsa.investigations.eoc`*:: -+ --- -This is used to capture Enablers of Compromise - -type: keyword - --- - -*`rsa.investigations.inv_category`*:: -+ --- -This used to capture investigation category - -type: keyword - --- - -*`rsa.investigations.inv_context`*:: -+ --- -This used to capture investigation context - -type: keyword - --- - -*`rsa.investigations.ioc`*:: -+ --- -This is key capture indicator of compromise - -type: keyword - --- - - -*`rsa.counters.dclass_c1`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c1.str only - -type: long - --- - -*`rsa.counters.dclass_c2`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c2.str only - -type: long - --- - -*`rsa.counters.event_counter`*:: -+ --- -This is used to capture the number of times an event repeated - -type: long - --- - -*`rsa.counters.dclass_r1`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r1.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c3.str only - -type: long - --- - -*`rsa.counters.dclass_c1_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c1 only - -type: keyword - --- - -*`rsa.counters.dclass_c2_str`*:: -+ --- -This is a generic counter string key that should be 
used with the label dclass.c2 only - -type: keyword - --- - -*`rsa.counters.dclass_r1_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r1 only - -type: keyword - --- - -*`rsa.counters.dclass_r2`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r2.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c3 only - -type: keyword - --- - -*`rsa.counters.dclass_r3`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r3.str only - -type: keyword - --- - -*`rsa.counters.dclass_r2_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r2 only - -type: keyword - --- - -*`rsa.counters.dclass_r3_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r3 only - -type: keyword - --- - - -*`rsa.identity.auth_method`*:: -+ --- -This key is used to capture authentication methods used only - -type: keyword - --- - -*`rsa.identity.user_role`*:: -+ --- -This key is used to capture the Role of a user only - -type: keyword - --- - -*`rsa.identity.dn`*:: -+ --- -X.500 (LDAP) Distinguished Name - -type: keyword - --- - -*`rsa.identity.logon_type`*:: -+ --- -This key is used to capture the type of logon method used. 
- -type: keyword - --- - -*`rsa.identity.profile`*:: -+ --- -This key is used to capture the user profile - -type: keyword - --- - -*`rsa.identity.accesses`*:: -+ --- -This key is used to capture actual privileges used in accessing an object - -type: keyword - --- - -*`rsa.identity.realm`*:: -+ --- -Radius realm or similar grouping of accounts - -type: keyword - --- - -*`rsa.identity.user_sid_dst`*:: -+ --- -This key captures Destination User Session ID - -type: keyword - --- - -*`rsa.identity.dn_src`*:: -+ --- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - -type: keyword - --- - -*`rsa.identity.org`*:: -+ --- -This key captures the User organization - -type: keyword - --- - -*`rsa.identity.dn_dst`*:: -+ --- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - -type: keyword - --- - -*`rsa.identity.firstname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.lastname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.user_dept`*:: -+ --- -User's Department Names only - -type: keyword - --- - -*`rsa.identity.user_sid_src`*:: -+ --- -This key captures Source User Session ID - -type: keyword - --- - -*`rsa.identity.federated_sp`*:: -+ --- -This key is the Federated Service Provider. This is the application requesting authentication. - -type: keyword - --- - -*`rsa.identity.federated_idp`*:: -+ --- -This key is the federated Identity Provider. This is the server providing the authentication. - -type: keyword - --- - -*`rsa.identity.logon_type_desc`*:: -+ --- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- -type: keyword - --- - -*`rsa.identity.middlename`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.password`*:: -+ --- -This key is for Passwords seen in any session, plain text or encrypted - -type: keyword - --- - -*`rsa.identity.host_role`*:: -+ --- -This key should only be used to capture the role of a Host Machine - -type: keyword - --- - -*`rsa.identity.ldap`*:: -+ --- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - -type: keyword - --- - -*`rsa.identity.ldap_query`*:: -+ --- -This key is the Search criteria from an LDAP search - -type: keyword - --- - -*`rsa.identity.ldap_response`*:: -+ --- -This key is to capture Results from an LDAP search - -type: keyword - --- - -*`rsa.identity.owner`*:: -+ --- -This is used to capture username the process or service is running as, the author of the task - -type: keyword - --- - -*`rsa.identity.service_account`*:: -+ --- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - -type: keyword - --- - - -*`rsa.email.email_dst`*:: -+ --- -This key is used to capture the Destination email address only, when the destination context is not clear use email - -type: keyword - --- - -*`rsa.email.email_src`*:: -+ --- -This key is used to capture the source email address only, when the source context is not clear use email - -type: keyword - --- - -*`rsa.email.subject`*:: -+ --- -This key is used to capture the subject string from an Email only. - -type: keyword - --- - -*`rsa.email.email`*:: -+ --- -This key is used to capture a generic email address where the source or destination context is not clear - -type: keyword - --- - -*`rsa.email.trans_from`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.email.trans_to`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - - -*`rsa.file.privilege`*:: -+ --- -Deprecated, use permissions - -type: keyword - --- - -*`rsa.file.attachment`*:: -+ --- -This key captures the attachment file name - -type: keyword - --- - -*`rsa.file.filesystem`*:: -+ --- -type: keyword - --- - -*`rsa.file.binary`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.file.filename_dst`*:: -+ --- -This is used to capture name of the file targeted by the action - -type: keyword - --- - -*`rsa.file.filename_src`*:: -+ --- -This is used to capture name of the parent filename, the file which performed the action - -type: keyword - --- - -*`rsa.file.filename_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.file.directory_dst`*:: -+ --- -This key is used to capture the directory of the target process or file - -type: keyword - --- - -*`rsa.file.directory_src`*:: -+ --- -This key is used to capture the directory of the source process or file - -type: keyword - --- - -*`rsa.file.file_entropy`*:: -+ --- -This is used to capture entropy vale of a file - -type: double - --- - -*`rsa.file.file_vendor`*:: -+ --- -This is used to capture Company name of file located in version_info - -type: keyword - --- - -*`rsa.file.task_name`*:: -+ --- -This is used to capture name of the task - -type: keyword - --- - - -*`rsa.web.fqdn`*:: -+ --- -Fully Qualified Domain Names - -type: keyword - --- - -*`rsa.web.web_cookie`*:: -+ --- -This key is used to capture the Web cookies specifically. - -type: keyword - --- - -*`rsa.web.alias_host`*:: -+ --- -type: keyword - --- - -*`rsa.web.reputation_num`*:: -+ --- -Reputation Number of an entity. 
Typically used for Web Domains - -type: double - --- - -*`rsa.web.web_ref_domain`*:: -+ --- -Web referer's domain - -type: keyword - --- - -*`rsa.web.web_ref_query`*:: -+ --- -This key captures Web referer's query portion of the URL - -type: keyword - --- - -*`rsa.web.remote_domain`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_ref_page`*:: -+ --- -This key captures Web referer's page information - -type: keyword - --- - -*`rsa.web.web_ref_root`*:: -+ --- -Web referer's root URL path - -type: keyword - --- - -*`rsa.web.cn_asn_dst`*:: -+ --- -type: keyword - --- - -*`rsa.web.cn_rpackets`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlpage`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlroot`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_url`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_user_agent`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_cookie`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_method`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_referer`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_extension_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_page`*:: -+ --- -type: keyword - --- - - -*`rsa.threat.threat_category`*:: -+ --- -This key captures Threat Name/Threat Category/Categorization of alert - -type: keyword - --- - -*`rsa.threat.threat_desc`*:: -+ --- -This key is used to capture the threat description from the session directly or inferred - -type: keyword - --- - -*`rsa.threat.alert`*:: -+ --- -This key is used to capture name of the alert - -type: keyword - --- - -*`rsa.threat.threat_source`*:: -+ --- -This key is used to capture source of the threat - -type: keyword - --- - - -*`rsa.crypto.crypto`*:: -+ --- -This key is used to capture the Encryption Type or Encryption Key only - -type: keyword - --- - -*`rsa.crypto.cipher_src`*:: -+ --- -This key is for Source (Client) Cipher - -type: keyword - --- - -*`rsa.crypto.cert_subject`*:: -+ --- -This key is used to capture the Certificate organization only - -type: keyword - --- 
- -*`rsa.crypto.peer`*:: -+ --- -This key is for Encryption peer's IP Address - -type: keyword - --- - -*`rsa.crypto.cipher_size_src`*:: -+ --- -This key captures Source (Client) Cipher Size - -type: long - --- - -*`rsa.crypto.ike`*:: -+ --- -IKE negotiation phase. - -type: keyword - --- - -*`rsa.crypto.scheme`*:: -+ --- -This key captures the Encryption scheme used - -type: keyword - --- - -*`rsa.crypto.peer_id`*:: -+ --- -This key is for Encryption peer’s identity - -type: keyword - --- - -*`rsa.crypto.sig_type`*:: -+ --- -This key captures the Signature Type - -type: keyword - --- - -*`rsa.crypto.cert_issuer`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.crypto.cert_error`*:: -+ --- -This key captures the Certificate Error String - -type: keyword - --- - -*`rsa.crypto.cipher_dst`*:: -+ --- -This key is for Destination (Server) Cipher - -type: keyword - --- - -*`rsa.crypto.cipher_size_dst`*:: -+ --- -This key captures Destination (Server) Cipher Size - -type: long - --- - -*`rsa.crypto.ssl_ver_src`*:: -+ --- -Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.d_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.s_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.ike_cookie1`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase One - -type: keyword - --- - -*`rsa.crypto.ike_cookie2`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase Two - -type: keyword - --- - -*`rsa.crypto.cert_checksum`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_cat`*:: -+ --- -This key is used for the hostname category value of a certificate - -type: keyword - --- - -*`rsa.crypto.cert_serial`*:: -+ --- -This key is used to capture the Certificate serial number only - -type: keyword - --- - -*`rsa.crypto.cert_status`*:: -+ --- -This key captures Certificate validation status - -type: keyword - --- - -*`rsa.crypto.ssl_ver_dst`*:: -+ --- 
-Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.cert_keysize`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_username`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_insact`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_valid`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_ca`*:: -+ --- -This key is used to capture the Certificate signing authority only - -type: keyword - --- - -*`rsa.crypto.cert_common`*:: -+ --- -This key is used to capture the Certificate common name only - -type: keyword - --- - - -*`rsa.wireless.wlan_ssid`*:: -+ --- -This key is used to capture the ssid of a Wireless Session - -type: keyword - --- - -*`rsa.wireless.access_point`*:: -+ --- -This key is used to capture the access point name. - -type: keyword - --- - -*`rsa.wireless.wlan_channel`*:: -+ --- -This is used to capture the channel names - -type: long - --- - -*`rsa.wireless.wlan_name`*:: -+ --- -This key captures either WLAN number/name - -type: keyword - --- - - -*`rsa.storage.disk_volume`*:: -+ --- -A unique name assigned to logical units (volumes) within a physical disk - -type: keyword - --- - -*`rsa.storage.lun`*:: -+ --- -Logical Unit Number.This key is a very useful concept in Storage. - -type: keyword - --- - -*`rsa.storage.pwwn`*:: -+ --- -This uniquely identifies a port on a HBA. - -type: keyword - --- - - -*`rsa.physical.org_dst`*:: -+ --- -This is used to capture the destination organization based on the GEOPIP Maxmind database. - -type: keyword - --- - -*`rsa.physical.org_src`*:: -+ --- -This is used to capture the source organization based on the GEOPIP Maxmind database. 
- -type: keyword - --- - - -*`rsa.healthcare.patient_fname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_id`*:: -+ --- -This key captures the unique ID for a patient - -type: keyword - --- - -*`rsa.healthcare.patient_lname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_mname`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - - -*`rsa.endpoint.host_state`*:: -+ --- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - -type: keyword - --- - -*`rsa.endpoint.registry_key`*:: -+ --- -This key captures the path to the registry key - -type: keyword - --- - -*`rsa.endpoint.registry_value`*:: -+ --- -This key captures values or decorators used within a registry entry - -type: keyword - --- - [[exported-fields-rabbitmq]] == RabbitMQ fields diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index d0d869d1731..0738c21dca4 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -45,7 +45,6 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> - * <> * <> * <> * <> @@ -112,7 +111,6 @@ include::modules/osquery.asciidoc[] include::modules/panw.asciidoc[] include::modules/pensando.asciidoc[] include::modules/postgresql.asciidoc[] -include::modules/proofpoint.asciidoc[] include::modules/rabbitmq.asciidoc[] include::modules/radware.asciidoc[] include::modules/redis.asciidoc[] diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 1f1daae76aa..d3170f9f460 100644 --- a/x-pack/filebeat/filebeat.reference.yml 
+++ b/x-pack/filebeat/filebeat.reference.yml @@ -1469,27 +1469,6 @@ filebeat.modules: # can be added under this section. #input: -#---------------------- Proofpoint Email Security Module ---------------------- -- module: proofpoint - emailsecurity: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9531 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - #------------------------------- RabbitMQ Module ------------------------------- - module: rabbitmq # All logs diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index f6792ef457f..77019a3d5d4 100644 --- a/x-pack/filebeat/include/list.go +++ b/x-pack/filebeat/include/list.go @@ -42,7 +42,6 @@ import ( _ "github.com/elastic/beats/v7/x-pack/filebeat/module/okta" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/oracle" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/panw" - _ "github.com/elastic/beats/v7/x-pack/filebeat/module/proofpoint" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/rabbitmq" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/radware" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/salesforce" diff --git a/x-pack/filebeat/module/proofpoint/README.md b/x-pack/filebeat/module/proofpoint/README.md deleted file mode 100644 index 9ce835721f0..00000000000 --- a/x-pack/filebeat/module/proofpoint/README.md +++ /dev/null @@ -1,7 +0,0 @@ -# proofpoint module - -This is a module for Proofpoint Email Security logs. - -Autogenerated from RSA NetWitness log parser 2.0 XML proofpoint version 131 -at 2020-09-01 14:17:48.203341 +0000 UTC. - 
diff --git a/x-pack/filebeat/module/proofpoint/_meta/config.yml b/x-pack/filebeat/module/proofpoint/_meta/config.yml
deleted file mode 100644
index 05dcc780bcd..00000000000
--- a/x-pack/filebeat/module/proofpoint/_meta/config.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-- module: proofpoint
- emailsecurity:
- enabled: false
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9531
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/x-pack/filebeat/module/proofpoint/_meta/docs.asciidoc b/x-pack/filebeat/module/proofpoint/_meta/docs.asciidoc
deleted file mode 100644
index 0e678fa7896..00000000000
--- a/x-pack/filebeat/module/proofpoint/_meta/docs.asciidoc
+++ /dev/null
@@ -1,70 +0,0 @@
-[role="xpack"]
-
-:modulename: proofpoint
-:has-dashboards: false
-
-== Proofpoint module
-
-deprecated::[8.12.0,"This module is deprecated. Use the https://docs.elastic.co/integrations/proofpoint_tap[Proofpoint TAP] Elastic integration instead."]
-
-experimental[]
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-This is a module for receiving Proofpoint Email Security logs over Syslog or a file.
-
-include::../include/gs-link.asciidoc[]
-
-include::../include/configuring-intro.asciidoc[]
-
-:fileset_ex: emailsecurity
-
-include::../include/config-option-intro.asciidoc[]
-
-[float]
-==== `emailsecurity` fileset settings
-
-experimental[]
-
-NOTE: This was converted from RSA NetWitness log parser XML "proofpoint" device revision 131.
-
-*`var.input`*::
-
-The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
-
-*`var.syslog_host`*::
-
-The address to listen to UDP or TCP based syslog traffic.
-Defaults to `localhost`.
-Set to `0.0.0.0` to bind to all available interfaces.
-
-*`var.syslog_port`*::
-
-The port to listen for syslog traffic. Defaults to `9531`
-
-NOTE: Ports below 1024 require Filebeat to run as root.
-
-*`var.tz_offset`*::
-
-By default, datetimes in the logs will be interpreted as relative to
-the timezone configured in the host where {beatname_uc} is running. If ingesting
-logs from a host on a different timezone, use this field to set the timezone
-offset so that datetimes are correctly parsed. Valid values are in the form
-±HH:mm, for example, `-07:00` for `UTC-7`.
-
-*`var.rsa_fields`*::
-
-Flag to control the addition of non-ECS fields to the event. Defaults to true,
-which causes both ECS and custom fields under `rsa` to be added.
-
-*`var.keep_raw_fields`*::
-
-Flag to control the addition of the raw parser fields to the event. This fields
-will be found under `rsa.raw`. The default is false.
-
-:has-dashboards!:
-
-:fileset_ex!:
-
-:modulename!:
-
diff --git a/x-pack/filebeat/module/proofpoint/_meta/fields.yml b/x-pack/filebeat/module/proofpoint/_meta/fields.yml
deleted file mode 100644
index 6a65d925e9e..00000000000
--- a/x-pack/filebeat/module/proofpoint/_meta/fields.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-- key: proofpoint
- title: Proofpoint Email Security
- description: >
- proofpoint fields.
- fields:
diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/_meta/fields.yml b/x-pack/filebeat/module/proofpoint/emailsecurity/_meta/fields.yml
deleted file mode 100644
index 08a34153c4f..00000000000
--- a/x-pack/filebeat/module/proofpoint/emailsecurity/_meta/fields.yml
+++ /dev/null
@@ -1,2635 +0,0 @@ -- name: network.interface.name - overwrite: true - type: keyword - description: > - Name of the network interface where the traffic has been observed. -- name: rsa - overwrite: true - type: group - fields: - - name: internal - overwrite: true - type: group - fields: - - name: msg - overwrite: true - type: keyword - description: This key is used to capture the raw message that comes into the - Log Decoder - - name: messageid - overwrite: true - type: keyword - - name: event_desc - overwrite: true - type: keyword - - name: message - overwrite: true - type: keyword - description: This key captures the contents of instant messages - - name: time - overwrite: true - type: date - description: This is the time at which a session hits a NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness. - - name: level - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: msg_id - overwrite: true - type: keyword - description: This is the Message ID1 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: msg_vid - overwrite: true - type: keyword - description: This is the Message ID2 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: data - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: resource - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: statement - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: entry - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: inode - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: resource_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: dead - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - overwrite: true - type: keyword - description: This is used to capture the description of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: feed_name - overwrite: true - type: keyword - description: This is used to capture the name of the feed. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: cid - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_class - overwrite: true - type: keyword - description: This is the Classification of the Log Event Source under a predefined - fixed set of Event Source Classifications. 
This key should never be used to - parse Meta data from a session (Logs/Packets) Directly, this is a Reserved - key in NetWitness - - name: device_group - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - overwrite: true - type: keyword - description: This is the Hostname of the log Event Source sending the logs to - NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - overwrite: true - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - overwrite: true - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - overwrite: true - type: keyword - description: This is the name of the log parser which parsed a given session. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_type_id - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: did - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. 
- This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: entropy_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: entropy_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: event_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - overwrite: true - type: keyword - description: This is used to capture the category of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: forward_ip - overwrite: true - type: ip - description: This key should be used to capture the IPV4 address of a relay - system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - overwrite: true - type: ip - description: This key is used to capture the IPV6 address of a relay system - which forwarded the events from the original system to NetWitness. This key - should never be used to parse Meta data from a session (Logs/Packets) Directly, - this is a Reserved key in NetWitness - - name: header_id - overwrite: true - type: keyword - description: This is the Header ID value that identifies the exact log parser - header definition that parses a particular log session. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: lc_cid - overwrite: true - type: keyword - description: This is a unique Identifier of a Log Collector. 
This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: lc_ctime - overwrite: true - type: date - description: This is the time at which a log is collected in a NetWitness Log - Collector. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: mcbc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: medium - overwrite: true - type: long - description: "This key is used to identify if it\u2019s a log/packet session\ - \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ - \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ - \ 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: nwe_callback_id - overwrite: true - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - overwrite: true - type: keyword - description: This is a special key that stores any Meta key validation error - found while parsing a log session. This key should never be used to parse - Meta data from a session (Logs/Packets) Directly, this is a Reserved key in - NetWitness - - name: payload_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: payload_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: process_vid_dst - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the target process. - - name: process_vid_src - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the source process. - - name: rid - overwrite: true - type: long - description: This is a special ID of the Remote Session created by NetWitness - Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: session_split - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: size - overwrite: true - type: long - description: This is the size of the session as seen by the NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: sourcefile - overwrite: true - type: keyword - description: This is the name of the log file or PCAPs that can be imported - into NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: ubc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: word - overwrite: true - type: keyword - description: This is used by the Word Parsing technology to capture the first - 5 character of every word in an unparsed log - - name: time - overwrite: true - type: group - fields: - - name: event_time - overwrite: true - type: date - description: This key is used to capture the time mentioned in a raw session - that represents the actual time an event occured in a standard normalized - form - - name: duration_time - overwrite: true - type: double - description: This key is used to capture the normalized duration/lifetime in - seconds. 
- - name: event_time_str - overwrite: true - type: keyword - description: This key is used to capture the incomplete time mentioned in a - session as a string - - name: starttime - overwrite: true - type: date - description: This key is used to capture the Start time mentioned in a session - in a standard form - - name: month - overwrite: true - type: keyword - - name: day - overwrite: true - type: keyword - - name: endtime - overwrite: true - type: date - description: This key is used to capture the End time mentioned in a session - in a standard form - - name: timezone - overwrite: true - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - overwrite: true - type: keyword - description: A text string version of the duration - - name: date - overwrite: true - type: keyword - - name: year - overwrite: true - type: keyword - - name: recorded_time - overwrite: true - type: date - description: The event time as recorded by the system the event is collected - from. The usage scenario is a multi-tier application where the management - layer of the system records it's own timestamp at the time of collection from - its child nodes. Must be in timestamp format. - - name: datetime - overwrite: true - type: keyword - - name: effective_time - overwrite: true - type: date - description: This key is the effective time referenced by an individual event - in a Standard Timestamp format - - name: expire_time - overwrite: true - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - overwrite: true - type: keyword - description: Deprecated, use duration.time - - name: hour - overwrite: true - type: keyword - - name: min - overwrite: true - type: keyword - - name: timestamp - overwrite: true - type: keyword - - name: event_queue_time - overwrite: true - type: date - description: This key is the Time that the event was queued. 
- - name: p_time1 - overwrite: true - type: keyword - - name: tzone - overwrite: true - type: keyword - - name: eventtime - overwrite: true - type: keyword - - name: gmtdate - overwrite: true - type: keyword - - name: gmttime - overwrite: true - type: keyword - - name: p_date - overwrite: true - type: keyword - - name: p_month - overwrite: true - type: keyword - - name: p_time - overwrite: true - type: keyword - - name: p_time2 - overwrite: true - type: keyword - - name: p_year - overwrite: true - type: keyword - - name: expire_time_str - overwrite: true - type: keyword - description: This key is used to capture incomplete timestamp that explicitly - refers to an expiration. - - name: stamp - overwrite: true - type: date - description: Deprecated key defined only in table map. - - name: misc - overwrite: true - type: group - fields: - - name: action - overwrite: true - type: keyword - - name: result - overwrite: true - type: keyword - description: This key is used to capture the outcome/result string value of - an action in a session. - - name: severity - overwrite: true - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - overwrite: true - type: keyword - description: This key captures the event category type as specified by the event - source. - - name: reference_id - overwrite: true - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - overwrite: true - type: keyword - description: This key captures Version of the application or OS which is generating - the event. - - name: disposition - overwrite: true - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - overwrite: true - type: keyword - description: This key is used to capture the outcome/result numeric value of - an action in a session - - name: category - overwrite: true - type: keyword - description: This key is used to capture the category of an event given by the - vendor in the session - - name: obj_name - overwrite: true - type: keyword - description: This is used to capture name of object - - name: obj_type - overwrite: true - type: keyword - description: This is used to capture type of object - - name: event_source - overwrite: true - type: keyword - description: "This key captures Source of the event that\u2019s not a hostname" - - name: log_session_id - overwrite: true - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - overwrite: true - type: keyword - description: This key captures the Group Name value - - name: policy_name - overwrite: true - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - overwrite: true - type: keyword - description: This key captures the Rule Name - - name: context - overwrite: true - type: keyword - description: This key captures Information which adds additional context to - the event. - - name: change_new - overwrite: true - type: keyword - description: "This key is used to capture the new values of the attribute that\u2019\ - s changing in a session" - - name: space - overwrite: true - type: keyword - - name: client - overwrite: true - type: keyword - description: This key is used to capture only the name of the client application - requesting resources of the server. See the user.agent meta key for capture - of the specific user agent identifier or browser identification string. 
- - name: msgIdPart1 - overwrite: true - type: keyword - - name: msgIdPart2 - overwrite: true - type: keyword - - name: change_old - overwrite: true - type: keyword - description: "This key is used to capture the old value of the attribute that\u2019\ - s changing in a session" - - name: operation_id - overwrite: true - type: keyword - description: An alert number or operation number. The values should be unique - and non-repeating. - - name: event_state - overwrite: true - type: keyword - description: This key captures the current state of the object/item referenced - within the event. Describing an on-going event. - - name: group_object - overwrite: true - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - overwrite: true - type: keyword - description: Common use case is the node name within a cluster. The cluster - name is reflected by the host name. - - name: rule - overwrite: true - type: keyword - description: This key captures the Rule number - - name: device_name - overwrite: true - type: keyword - description: 'This is used to capture name of the Device associated with the - node Like: a physical disk, printer, etc' - - name: param - overwrite: true - type: keyword - description: This key is the parameters passed as part of a command or application, - etc. - - name: change_attrib - overwrite: true - type: keyword - description: "This key is used to capture the name of the attribute that\u2019\ - s changing in a session" - - name: event_computer - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - fully qualified domain name in a windows log. 
- - name: reference_id1 - overwrite: true - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - overwrite: true - type: keyword - description: This key captures the Name of the event log - - name: OS - overwrite: true - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - overwrite: true - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - overwrite: true - type: keyword - - name: filter - overwrite: true - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - overwrite: true - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the entity - such as a file or process. Checksum should be used over checksum.src or checksum.dst - when it is unclear whether the entity is a source or target of an action. - - name: event_user - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - combination of domain name and username in a windows log. - - name: virusname - overwrite: true - type: keyword - description: This key captures the name of the virus - - name: content_type - overwrite: true - type: keyword - description: This key is used to capture Content Type only. 
- - name: group_id - overwrite: true - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - overwrite: true - type: keyword - description: This key is used to capture the Policy ID only, this should be - a numeric value, use policy.name otherwise - - name: vsys - overwrite: true - type: keyword - description: This key captures Virtual System Name - - name: connection_id - overwrite: true - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - overwrite: true - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" - or "reference.id1" value but should not be used unless the other two variables - are in play. - - name: sensor - overwrite: true - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS - based devices - - name: sig_id - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - overwrite: true - type: keyword - description: 'This key is used for Physical or logical port connection but does - NOT include a network port. (Example: Printer port name).' - - name: rule_group - overwrite: true - type: keyword - description: This key captures the Rule group name - - name: risk_num - overwrite: true - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - overwrite: true - type: keyword - description: This key captures the Value of the trigger or threshold condition. - - name: log_session_id1 - overwrite: true - type: keyword - description: This key is used to capture a Linked (Related) Session ID from - the session directly - - name: comp_version - overwrite: true - type: keyword - description: This key captures the Version level of a sub-component of a product. 
- - name: content_version - overwrite: true - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - overwrite: true - type: keyword - description: This key is used to capture unique identifier for a device or system - (NOT a Mac address) - - name: risk - overwrite: true - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - overwrite: true - type: keyword - - name: reason - overwrite: true - type: keyword - - name: status - overwrite: true - type: keyword - - name: mail_id - overwrite: true - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - overwrite: true - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - overwrite: true - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - overwrite: true - type: keyword - - name: p_msgid - overwrite: true - type: keyword - - name: data_type - overwrite: true - type: keyword - - name: msgIdPart4 - overwrite: true - type: keyword - - name: error - overwrite: true - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - overwrite: true - type: keyword - - name: listnum - overwrite: true - type: keyword - description: This key is used to capture listname or listnumber, primarily for - collecting access-list - - name: ntype - overwrite: true - type: keyword - - name: observed_val - overwrite: true - type: keyword - description: This key captures the Value observed (from the perspective of the - device generating the log). - - name: policy_value - overwrite: true - type: keyword - description: This key captures the contents of the policy. 
This contains details - about the policy - - name: pool_name - overwrite: true - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - overwrite: true - type: keyword - description: A default set of parameters which are overlayed onto a rule (or - rulename) which efffectively constitutes a template - - name: count - overwrite: true - type: keyword - - name: number - overwrite: true - type: keyword - - name: sigcat - overwrite: true - type: keyword - - name: type - overwrite: true - type: keyword - - name: comments - overwrite: true - type: keyword - description: Comment information provided in the log message - - name: doc_number - overwrite: true - type: long - description: This key captures File Identification number - - name: expected_val - overwrite: true - type: keyword - description: This key captures the Value expected (from the perspective of the - device generating the log). - - name: job_num - overwrite: true - type: keyword - description: This key captures the Job Number - - name: spi_dst - overwrite: true - type: keyword - description: Destination SPI Index - - name: spi_src - overwrite: true - type: keyword - description: Source SPI Index - - name: code - overwrite: true - type: keyword - - name: agent_id - overwrite: true - type: keyword - description: This key is used to capture agent id - - name: message_body - overwrite: true - type: keyword - description: This key captures the The contents of the message body. - - name: phone - overwrite: true - type: keyword - - name: sig_id_str - overwrite: true - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - overwrite: true - type: keyword - - name: misc - overwrite: true - type: keyword - - name: name - overwrite: true - type: keyword - - name: cpu - overwrite: true - type: long - description: This key is the CPU time used in the execution of the event being - recorded. 
- - name: event_desc - overwrite: true - type: keyword - description: This key is used to capture a description of an event available - directly or inferred - - name: sig_id1 - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID. This must be linked - to the sig.id - - name: im_buddyid - overwrite: true - type: keyword - - name: im_client - overwrite: true - type: keyword - - name: im_userid - overwrite: true - type: keyword - - name: pid - overwrite: true - type: keyword - - name: priority - overwrite: true - type: keyword - - name: context_subject - overwrite: true - type: keyword - description: This key is to be used in an audit context where the subject is - the object being identified - - name: context_target - overwrite: true - type: keyword - - name: cve - overwrite: true - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - - an identifier for known information security vulnerabilities. - - name: fcatnum - overwrite: true - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - overwrite: true - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - overwrite: true - type: keyword - description: This key captures the Parent Node Name. Must be related to node - variable. - - name: risk_info - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - overwrite: true - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - overwrite: true - type: long - description: This key describes the type of service - - name: vm_target - overwrite: true - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - overwrite: true - type: keyword - description: This key captures Workspace Description - - name: command - overwrite: true - type: keyword - - name: event_category - overwrite: true - type: keyword - - name: facilityname - overwrite: true - type: keyword - - name: forensic_info - overwrite: true - type: keyword - - name: jobname - overwrite: true - type: keyword - - name: mode - overwrite: true - type: keyword - - name: policy - overwrite: true - type: keyword - - name: policy_waiver - overwrite: true - type: keyword - - name: second - overwrite: true - type: keyword - - name: space1 - overwrite: true - type: keyword - - name: subcategory - overwrite: true - type: keyword - - name: tbdstr2 - overwrite: true - type: keyword - - name: alert_id - overwrite: true - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the the target - entity such as a process or file. - - name: checksum_src - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the source - entity such as a file or process. 
- - name: fresult - overwrite: true - type: long - description: This key captures the Filter Result - - name: payload_dst - overwrite: true - type: keyword - description: This key is used to capture destination payload - - name: payload_src - overwrite: true - type: keyword - description: This key is used to capture source payload - - name: pool_id - overwrite: true - type: keyword - description: This key captures the identifier (typically numeric field) of a - resource pool - - name: process_id_val - overwrite: true - type: keyword - description: This key is a failure key for Process ID when it is not an integer - value - - name: risk_num_comm - overwrite: true - type: double - description: This key captures Risk Number Community - - name: risk_num_next - overwrite: true - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - overwrite: true - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - overwrite: true - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - overwrite: true - type: keyword - description: SNMP Object Identifier - - name: sql - overwrite: true - type: keyword - description: This key captures the SQL query - - name: vuln_ref - overwrite: true - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - overwrite: true - type: keyword - - name: acl_op - overwrite: true - type: keyword - - name: acl_pos - overwrite: true - type: keyword - - name: acl_table - overwrite: true - type: keyword - - name: admin - overwrite: true - type: keyword - - name: alarm_id - overwrite: true - type: keyword - - name: alarmname - 
overwrite: true - type: keyword - - name: app_id - overwrite: true - type: keyword - - name: audit - overwrite: true - type: keyword - - name: audit_object - overwrite: true - type: keyword - - name: auditdata - overwrite: true - type: keyword - - name: benchmark - overwrite: true - type: keyword - - name: bypass - overwrite: true - type: keyword - - name: cache - overwrite: true - type: keyword - - name: cache_hit - overwrite: true - type: keyword - - name: cefversion - overwrite: true - type: keyword - - name: cfg_attr - overwrite: true - type: keyword - - name: cfg_obj - overwrite: true - type: keyword - - name: cfg_path - overwrite: true - type: keyword - - name: changes - overwrite: true - type: keyword - - name: client_ip - overwrite: true - type: keyword - - name: clustermembers - overwrite: true - type: keyword - - name: cn_acttimeout - overwrite: true - type: keyword - - name: cn_asn_src - overwrite: true - type: keyword - - name: cn_bgpv4nxthop - overwrite: true - type: keyword - - name: cn_ctr_dst_code - overwrite: true - type: keyword - - name: cn_dst_tos - overwrite: true - type: keyword - - name: cn_dst_vlan - overwrite: true - type: keyword - - name: cn_engine_id - overwrite: true - type: keyword - - name: cn_engine_type - overwrite: true - type: keyword - - name: cn_f_switch - overwrite: true - type: keyword - - name: cn_flowsampid - overwrite: true - type: keyword - - name: cn_flowsampintv - overwrite: true - type: keyword - - name: cn_flowsampmode - overwrite: true - type: keyword - - name: cn_inacttimeout - overwrite: true - type: keyword - - name: cn_inpermbyts - overwrite: true - type: keyword - - name: cn_inpermpckts - overwrite: true - type: keyword - - name: cn_invalid - overwrite: true - type: keyword - - name: cn_ip_proto_ver - overwrite: true - type: keyword - - name: cn_ipv4_ident - overwrite: true - type: keyword - - name: cn_l_switch - overwrite: true - type: keyword - - name: cn_log_did - overwrite: true - type: keyword - - name: 
cn_log_rid - overwrite: true - type: keyword - - name: cn_max_ttl - overwrite: true - type: keyword - - name: cn_maxpcktlen - overwrite: true - type: keyword - - name: cn_min_ttl - overwrite: true - type: keyword - - name: cn_minpcktlen - overwrite: true - type: keyword - - name: cn_mpls_lbl_1 - overwrite: true - type: keyword - - name: cn_mpls_lbl_10 - overwrite: true - type: keyword - - name: cn_mpls_lbl_2 - overwrite: true - type: keyword - - name: cn_mpls_lbl_3 - overwrite: true - type: keyword - - name: cn_mpls_lbl_4 - overwrite: true - type: keyword - - name: cn_mpls_lbl_5 - overwrite: true - type: keyword - - name: cn_mpls_lbl_6 - overwrite: true - type: keyword - - name: cn_mpls_lbl_7 - overwrite: true - type: keyword - - name: cn_mpls_lbl_8 - overwrite: true - type: keyword - - name: cn_mpls_lbl_9 - overwrite: true - type: keyword - - name: cn_mplstoplabel - overwrite: true - type: keyword - - name: cn_mplstoplabip - overwrite: true - type: keyword - - name: cn_mul_dst_byt - overwrite: true - type: keyword - - name: cn_mul_dst_pks - overwrite: true - type: keyword - - name: cn_muligmptype - overwrite: true - type: keyword - - name: cn_sampalgo - overwrite: true - type: keyword - - name: cn_sampint - overwrite: true - type: keyword - - name: cn_seqctr - overwrite: true - type: keyword - - name: cn_spackets - overwrite: true - type: keyword - - name: cn_src_tos - overwrite: true - type: keyword - - name: cn_src_vlan - overwrite: true - type: keyword - - name: cn_sysuptime - overwrite: true - type: keyword - - name: cn_template_id - overwrite: true - type: keyword - - name: cn_totbytsexp - overwrite: true - type: keyword - - name: cn_totflowexp - overwrite: true - type: keyword - - name: cn_totpcktsexp - overwrite: true - type: keyword - - name: cn_unixnanosecs - overwrite: true - type: keyword - - name: cn_v6flowlabel - overwrite: true - type: keyword - - name: cn_v6optheaders - overwrite: true - type: keyword - - name: comp_class - overwrite: true - type: 
keyword - - name: comp_name - overwrite: true - type: keyword - - name: comp_rbytes - overwrite: true - type: keyword - - name: comp_sbytes - overwrite: true - type: keyword - - name: cpu_data - overwrite: true - type: keyword - - name: criticality - overwrite: true - type: keyword - - name: cs_agency_dst - overwrite: true - type: keyword - - name: cs_analyzedby - overwrite: true - type: keyword - - name: cs_av_other - overwrite: true - type: keyword - - name: cs_av_primary - overwrite: true - type: keyword - - name: cs_av_secondary - overwrite: true - type: keyword - - name: cs_bgpv6nxthop - overwrite: true - type: keyword - - name: cs_bit9status - overwrite: true - type: keyword - - name: cs_context - overwrite: true - type: keyword - - name: cs_control - overwrite: true - type: keyword - - name: cs_data - overwrite: true - type: keyword - - name: cs_datecret - overwrite: true - type: keyword - - name: cs_dst_tld - overwrite: true - type: keyword - - name: cs_eth_dst_ven - overwrite: true - type: keyword - - name: cs_eth_src_ven - overwrite: true - type: keyword - - name: cs_event_uuid - overwrite: true - type: keyword - - name: cs_filetype - overwrite: true - type: keyword - - name: cs_fld - overwrite: true - type: keyword - - name: cs_if_desc - overwrite: true - type: keyword - - name: cs_if_name - overwrite: true - type: keyword - - name: cs_ip_next_hop - overwrite: true - type: keyword - - name: cs_ipv4dstpre - overwrite: true - type: keyword - - name: cs_ipv4srcpre - overwrite: true - type: keyword - - name: cs_lifetime - overwrite: true - type: keyword - - name: cs_log_medium - overwrite: true - type: keyword - - name: cs_loginname - overwrite: true - type: keyword - - name: cs_modulescore - overwrite: true - type: keyword - - name: cs_modulesign - overwrite: true - type: keyword - - name: cs_opswatresult - overwrite: true - type: keyword - - name: cs_payload - overwrite: true - type: keyword - - name: cs_registrant - overwrite: true - type: keyword - - 
name: cs_registrar - overwrite: true - type: keyword - - name: cs_represult - overwrite: true - type: keyword - - name: cs_rpayload - overwrite: true - type: keyword - - name: cs_sampler_name - overwrite: true - type: keyword - - name: cs_sourcemodule - overwrite: true - type: keyword - - name: cs_streams - overwrite: true - type: keyword - - name: cs_targetmodule - overwrite: true - type: keyword - - name: cs_v6nxthop - overwrite: true - type: keyword - - name: cs_whois_server - overwrite: true - type: keyword - - name: cs_yararesult - overwrite: true - type: keyword - - name: description - overwrite: true - type: keyword - - name: devvendor - overwrite: true - type: keyword - - name: distance - overwrite: true - type: keyword - - name: dstburb - overwrite: true - type: keyword - - name: edomain - overwrite: true - type: keyword - - name: edomaub - overwrite: true - type: keyword - - name: euid - overwrite: true - type: keyword - - name: facility - overwrite: true - type: keyword - - name: finterface - overwrite: true - type: keyword - - name: flags - overwrite: true - type: keyword - - name: gaddr - overwrite: true - type: keyword - - name: id3 - overwrite: true - type: keyword - - name: im_buddyname - overwrite: true - type: keyword - - name: im_croomid - overwrite: true - type: keyword - - name: im_croomtype - overwrite: true - type: keyword - - name: im_members - overwrite: true - type: keyword - - name: im_username - overwrite: true - type: keyword - - name: ipkt - overwrite: true - type: keyword - - name: ipscat - overwrite: true - type: keyword - - name: ipspri - overwrite: true - type: keyword - - name: latitude - overwrite: true - type: keyword - - name: linenum - overwrite: true - type: keyword - - name: list_name - overwrite: true - type: keyword - - name: load_data - overwrite: true - type: keyword - - name: location_floor - overwrite: true - type: keyword - - name: location_mark - overwrite: true - type: keyword - - name: log_id - overwrite: true - 
type: keyword - - name: log_type - overwrite: true - type: keyword - - name: logid - overwrite: true - type: keyword - - name: logip - overwrite: true - type: keyword - - name: logname - overwrite: true - type: keyword - - name: longitude - overwrite: true - type: keyword - - name: lport - overwrite: true - type: keyword - - name: mbug_data - overwrite: true - type: keyword - - name: misc_name - overwrite: true - type: keyword - - name: msg_type - overwrite: true - type: keyword - - name: msgid - overwrite: true - type: keyword - - name: netsessid - overwrite: true - type: keyword - - name: num - overwrite: true - type: keyword - - name: number1 - overwrite: true - type: keyword - - name: number2 - overwrite: true - type: keyword - - name: nwwn - overwrite: true - type: keyword - - name: object - overwrite: true - type: keyword - - name: operation - overwrite: true - type: keyword - - name: opkt - overwrite: true - type: keyword - - name: orig_from - overwrite: true - type: keyword - - name: owner_id - overwrite: true - type: keyword - - name: p_action - overwrite: true - type: keyword - - name: p_filter - overwrite: true - type: keyword - - name: p_group_object - overwrite: true - type: keyword - - name: p_id - overwrite: true - type: keyword - - name: p_msgid1 - overwrite: true - type: keyword - - name: p_msgid2 - overwrite: true - type: keyword - - name: p_result1 - overwrite: true - type: keyword - - name: password_chg - overwrite: true - type: keyword - - name: password_expire - overwrite: true - type: keyword - - name: permgranted - overwrite: true - type: keyword - - name: permwanted - overwrite: true - type: keyword - - name: pgid - overwrite: true - type: keyword - - name: policyUUID - overwrite: true - type: keyword - - name: prog_asp_num - overwrite: true - type: keyword - - name: program - overwrite: true - type: keyword - - name: real_data - overwrite: true - type: keyword - - name: rec_asp_device - overwrite: true - type: keyword - - name: rec_asp_num 
- overwrite: true - type: keyword - - name: rec_library - overwrite: true - type: keyword - - name: recordnum - overwrite: true - type: keyword - - name: ruid - overwrite: true - type: keyword - - name: sburb - overwrite: true - type: keyword - - name: sdomain_fld - overwrite: true - type: keyword - - name: sec - overwrite: true - type: keyword - - name: sensorname - overwrite: true - type: keyword - - name: seqnum - overwrite: true - type: keyword - - name: session - overwrite: true - type: keyword - - name: sessiontype - overwrite: true - type: keyword - - name: sigUUID - overwrite: true - type: keyword - - name: spi - overwrite: true - type: keyword - - name: srcburb - overwrite: true - type: keyword - - name: srcdom - overwrite: true - type: keyword - - name: srcservice - overwrite: true - type: keyword - - name: state - overwrite: true - type: keyword - - name: status1 - overwrite: true - type: keyword - - name: svcno - overwrite: true - type: keyword - - name: system - overwrite: true - type: keyword - - name: tbdstr1 - overwrite: true - type: keyword - - name: tgtdom - overwrite: true - type: keyword - - name: tgtdomain - overwrite: true - type: keyword - - name: threshold - overwrite: true - type: keyword - - name: type1 - overwrite: true - type: keyword - - name: udb_class - overwrite: true - type: keyword - - name: url_fld - overwrite: true - type: keyword - - name: user_div - overwrite: true - type: keyword - - name: userid - overwrite: true - type: keyword - - name: username_fld - overwrite: true - type: keyword - - name: utcstamp - overwrite: true - type: keyword - - name: v_instafname - overwrite: true - type: keyword - - name: virt_data - overwrite: true - type: keyword - - name: vpnid - overwrite: true - type: keyword - - name: autorun_type - overwrite: true - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - overwrite: true - type: long - description: Valid Credit Card Numbers only - - name: content - 
overwrite: true - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - overwrite: true - type: long - description: Employee Identification Numbers only - - name: found - overwrite: true - type: keyword - description: This is used to capture the results of regex match - - name: language - overwrite: true - type: keyword - description: This is used to capture list of languages the client support and - what it prefers - - name: lifetime - overwrite: true - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - overwrite: true - type: keyword - description: This key is used to link the sessions together. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: match - overwrite: true - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - overwrite: true - type: keyword - description: This key captures the command line/launch argument of the target - process or file - - name: param_src - overwrite: true - type: keyword - description: This key captures source parameter - - name: search_text - overwrite: true - type: keyword - description: This key captures the Search Text used - - name: sig_name - overwrite: true - type: keyword - description: This key is used to capture the Signature Name only. - - name: snmp_value - overwrite: true - type: keyword - description: SNMP set request value - - name: streams - overwrite: true - type: long - description: This key captures number of streams in session - - name: db - overwrite: true - type: group - fields: - - name: index - overwrite: true - type: keyword - description: This key captures IndexID of the index. 
- - name: instance - overwrite: true - type: keyword - description: This key is used to capture the database server instance name - - name: database - overwrite: true - type: keyword - description: This key is used to capture the name of a database or an instance - as seen in a session - - name: transact_id - overwrite: true - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - overwrite: true - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - overwrite: true - type: keyword - description: This key is used to capture the table name - - name: db_id - overwrite: true - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - overwrite: true - type: long - description: This key captures the process id of a connection with database - server - - name: lread - overwrite: true - type: long - description: This key is used for the number of logical reads - - name: lwrite - overwrite: true - type: long - description: This key is used for the number of logical writes - - name: pread - overwrite: true - type: long - description: This key is used for the number of physical writes - - name: network - overwrite: true - type: group - fields: - - name: alias_host - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a hostname is not clear.Also it captures the Device Hostname. Any Hostname - that isnt ad.computer. 
- - name: domain - overwrite: true - type: keyword - - name: host_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Hostname" - - name: network_service - overwrite: true - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of an interface is not clear - - name: network_port - overwrite: true - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently - used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - overwrite: true - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Interface" - - name: dinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Interface" - - name: vlan - overwrite: true - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Zone." - - name: zone - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a Zone is not clear - - name: zone_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Zone." - - name: gateway - overwrite: true - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - overwrite: true - type: long - description: This key is used to capture the ICMP type only - - name: mask - overwrite: true - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - overwrite: true - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - overwrite: true - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - overwrite: true - type: keyword - description: This key is used for Destionation Device network mask - - name: port - overwrite: true - type: long - description: This key should only be used to capture a Network Port when the - directionality is not clear - - name: smask - overwrite: true - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - overwrite: true - type: keyword - description: This key is used to capture the network name associated with an - IP range. This is configured by the end user. - - name: paddr - overwrite: true - type: ip - description: Deprecated - - name: faddr - overwrite: true - type: keyword - - name: lhost - overwrite: true - type: keyword - - name: origin - overwrite: true - type: keyword - - name: remote_domain_id - overwrite: true - type: keyword - - name: addr - overwrite: true - type: keyword - - name: dns_a_record - overwrite: true - type: keyword - - name: dns_ptr_record - overwrite: true - type: keyword - - name: fhost - overwrite: true - type: keyword - - name: fport - overwrite: true - type: keyword - - name: laddr - overwrite: true - type: keyword - - name: linterface - overwrite: true - type: keyword - - name: phost - overwrite: true - type: keyword - - name: ad_computer_dst - overwrite: true - type: keyword - description: Deprecated, use host.dst - - name: eth_type - overwrite: true - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols - Only - - name: ip_proto - overwrite: true - type: long - description: This key should be used to capture the Protocol number, all the - protocol nubers are converted into string in UI - - name: dns_cname_record - overwrite: true - 
type: keyword - - name: dns_id - overwrite: true - type: keyword - - name: dns_opcode - overwrite: true - type: keyword - - name: dns_resp - overwrite: true - type: keyword - - name: dns_type - overwrite: true - type: keyword - - name: domain1 - overwrite: true - type: keyword - - name: host_type - overwrite: true - type: keyword - - name: packet_length - overwrite: true - type: keyword - - name: host_orig - overwrite: true - type: keyword - description: This is used to capture the original hostname in case of a Forwarding - Agent or a Proxy in between. - - name: rpayload - overwrite: true - type: keyword - description: This key is used to capture the total number of payload bytes seen - in the retransmitted packets. - - name: vlan_name - overwrite: true - type: keyword - description: This key should only be used to capture the name of the Virtual - LAN - - name: investigations - overwrite: true - type: group - fields: - - name: ec_activity - overwrite: true - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - overwrite: true - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - overwrite: true - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - overwrite: true - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - overwrite: true - type: long - description: This key captures the Event category number - - name: event_cat_name - overwrite: true - type: keyword - description: This key captures the event category name corresponding to the - event cat code - - name: event_vcat - overwrite: true - type: keyword - description: This is a vendor supplied category. This should be used in situations - where the vendor has adopted their own event_category taxonomy. 
- - name: analysis_file - overwrite: true - type: keyword - description: This is used to capture all indicators used in a File Analysis. - This key should be used to capture an analysis of a file - - name: analysis_service - overwrite: true - type: keyword - description: This is used to capture all indicators used in a Service Analysis. - This key should be used to capture an analysis of a service - - name: analysis_session - overwrite: true - type: keyword - description: This is used to capture all indicators used for a Session Analysis. - This key should be used to capture an analysis of a session - - name: boc - overwrite: true - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - overwrite: true - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - overwrite: true - type: keyword - description: This used to capture investigation category - - name: inv_context - overwrite: true - type: keyword - description: This used to capture investigation context - - name: ioc - overwrite: true - type: keyword - description: This is key capture indicator of compromise - - name: counters - overwrite: true - type: group - fields: - - name: dclass_c1 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c1.str only - - name: dclass_c2 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c2.str only - - name: event_counter - overwrite: true - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r1.str only - - name: dclass_c3 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c3.str only - - name: dclass_c1_str - 
overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c1 only - - name: dclass_c2_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c2 only - - name: dclass_r1_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r1 only - - name: dclass_r2 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r2.str only - - name: dclass_c3_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c3 only - - name: dclass_r3 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r3.str only - - name: dclass_r2_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r2 only - - name: dclass_r3_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r3 only - - name: identity - overwrite: true - type: group - fields: - - name: auth_method - overwrite: true - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - overwrite: true - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - overwrite: true - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - overwrite: true - type: keyword - description: This key is used to capture the type of logon method used. 
- - name: profile - overwrite: true - type: keyword - description: This key is used to capture the user profile - - name: accesses - overwrite: true - type: keyword - description: This key is used to capture actual privileges used in accessing - an object - - name: realm - overwrite: true - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - overwrite: true - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that - indicates a Source dn - - name: org - overwrite: true - type: keyword - description: This key captures the User organization - - name: dn_dst - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that - indicates a Destination dn - - name: firstname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: lastname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: user_dept - overwrite: true - type: keyword - description: User's Department Names only - - name: user_sid_src - overwrite: true - type: keyword - description: This key captures Source User Session ID - - name: federated_sp - overwrite: true - type: keyword - description: This key is the Federated Service Provider. This is the application - requesting authentication. - - name: federated_idp - overwrite: true - type: keyword - description: This key is the federated Identity Provider. This is the server - providing the authentication. - - name: logon_type_desc - overwrite: true - type: keyword - description: This key is used to capture the textual description of an integer - logon type as stored in the meta key 'logon.type'. 
- - name: middlename
- overwrite: true
- type: keyword
- description: This key is for Middle Names only, this is used for Healthcare
- predominantly to capture Patients information
- - name: password
- overwrite: true
- type: keyword
- description: This key is for Passwords seen in any session, plain text or encrypted
- - name: host_role
- overwrite: true
- type: keyword
- description: This key should only be used to capture the role of a Host Machine
- - name: ldap
- overwrite: true
- type: keyword
- description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
- t have a clear query or response context"
- - name: ldap_query
- overwrite: true
- type: keyword
- description: This key is the Search criteria from an LDAP search
- - name: ldap_response
- overwrite: true
- type: keyword
- description: This key is to capture Results from an LDAP search
- - name: owner
- overwrite: true
- type: keyword
- description: This is used to capture username the process or service is running
- as, the author of the task
- - name: service_account
- overwrite: true
- type: keyword
- description: This key is a windows specific key, used for capturing name of
- the account a service (referenced in the event) is running under. Legacy Usage
- - name: email
- overwrite: true
- type: group
- fields:
- - name: email_dst
- overwrite: true
- type: keyword
- description: This key is used to capture the Destination email address only,
- when the destination context is not clear use email
- - name: email_src
- overwrite: true
- type: keyword
- description: This key is used to capture the source email address only, when
- the source context is not clear use email
- - name: subject
- overwrite: true
- type: keyword
- description: This key is used to capture the subject string from an Email only.
- - name: email
- overwrite: true
- type: keyword
- description: This key is used to capture a generic email address where the source
- or destination context is not clear
- - name: trans_from
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: trans_to
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: file
- overwrite: true
- type: group
- fields:
- - name: privilege
- overwrite: true
- type: keyword
- description: Deprecated, use permissions
- - name: attachment
- overwrite: true
- type: keyword
- description: This key captures the attachment file name
- - name: filesystem
- overwrite: true
- type: keyword
- - name: binary
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: filename_dst
- overwrite: true
- type: keyword
- description: This is used to capture name of the file targeted by the action
- - name: filename_src
- overwrite: true
- type: keyword
- description: This is used to capture name of the parent filename, the file which
- performed the action
- - name: filename_tmp
- overwrite: true
- type: keyword
- - name: directory_dst
- overwrite: true
- type: keyword
- description: This key is used to capture the directory of the target process
- or file
- - name: directory_src
- overwrite: true
- type: keyword
- description: This key is used to capture the directory of the source process
- or file
- - name: file_entropy
- overwrite: true
- type: double
- description: This is used to capture entropy vale of a file
- - name: file_vendor
- overwrite: true
- type: keyword
- description: This is used to capture Company name of file located in version_info
- - name: task_name
- overwrite: true
- type: keyword
- description: This is used to capture name of the task
- - name: web
- overwrite: true
- type: group
- fields:
- - name: fqdn
- overwrite: true
- type: keyword
- description: Fully Qualified Domain Names
- - name: web_cookie
- overwrite: true
- type: keyword
- description: This key is used to capture the Web cookies specifically.
- - name: alias_host
- overwrite: true
- type: keyword
- - name: reputation_num
- overwrite: true
- type: double
- description: Reputation Number of an entity. Typically used for Web Domains
- - name: web_ref_domain
- overwrite: true
- type: keyword
- description: Web referer's domain
- - name: web_ref_query
- overwrite: true
- type: keyword
- description: This key captures Web referer's query portion of the URL
- - name: remote_domain
- overwrite: true
- type: keyword
- - name: web_ref_page
- overwrite: true
- type: keyword
- description: This key captures Web referer's page information
- - name: web_ref_root
- overwrite: true
- type: keyword
- description: Web referer's root URL path
- - name: cn_asn_dst
- overwrite: true
- type: keyword
- - name: cn_rpackets
- overwrite: true
- type: keyword
- - name: urlpage
- overwrite: true
- type: keyword
- - name: urlroot
- overwrite: true
- type: keyword
- - name: p_url
- overwrite: true
- type: keyword
- - name: p_user_agent
- overwrite: true
- type: keyword
- - name: p_web_cookie
- overwrite: true
- type: keyword
- - name: p_web_method
- overwrite: true
- type: keyword
- - name: p_web_referer
- overwrite: true
- type: keyword
- - name: web_extension_tmp
- overwrite: true
- type: keyword
- - name: web_page
- overwrite: true
- type: keyword
- - name: threat
- overwrite: true
- type: group
- fields:
- - name: threat_category
- overwrite: true
- type: keyword
- description: This key captures Threat Name/Threat Category/Categorization of
- alert
- - name: threat_desc
- overwrite: true
- type: keyword
- description: This key is used to capture the threat description from the session
- directly or inferred
- - name: alert
- overwrite: true
- type: keyword
- description: This key is used to capture name of the alert
- - name: threat_source
- overwrite: true
- type: keyword
- description: This key is used to capture source of the threat
- - name: crypto
- overwrite: true
- type: group
- fields:
- - name: crypto
- overwrite: true
- type: keyword
- description: This key is used to capture the Encryption Type or Encryption Key
- only
- - name: cipher_src
- overwrite: true
- type: keyword
- description: This key is for Source (Client) Cipher
- - name: cert_subject
- overwrite: true
- type: keyword
- description: This key is used to capture the Certificate organization only
- - name: peer
- overwrite: true
- type: keyword
- description: This key is for Encryption peer's IP Address
- - name: cipher_size_src
- overwrite: true
- type: long
- description: This key captures Source (Client) Cipher Size
- - name: ike
- overwrite: true
- type: keyword
- description: IKE negotiation phase.
- - name: scheme
- overwrite: true
- type: keyword
- description: This key captures the Encryption scheme used
- - name: peer_id
- overwrite: true
- type: keyword
- description: "This key is for Encryption peer\u2019s identity"
- - name: sig_type
- overwrite: true
- type: keyword
- description: This key captures the Signature Type
- - name: cert_issuer
- overwrite: true
- type: keyword
- - name: cert_host_name
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: cert_error
- overwrite: true
- type: keyword
- description: This key captures the Certificate Error String
- - name: cipher_dst
- overwrite: true
- type: keyword
- description: This key is for Destination (Server) Cipher
- - name: cipher_size_dst
- overwrite: true
- type: long
- description: This key captures Destination (Server) Cipher Size
- - name: ssl_ver_src
- overwrite: true
- type: keyword
- description: Deprecated, use version
- - name: d_certauth
- overwrite: true
- type: keyword
- - name: s_certauth
- overwrite: true
- type: keyword
- - name: ike_cookie1
- overwrite: true
- type: keyword
- description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
- - name: ike_cookie2
- overwrite: true
- type: keyword
- description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
- - name: cert_checksum
- overwrite: true
- type: keyword
- - name: cert_host_cat
- overwrite: true
- type: keyword
- description: This key is used for the hostname category value of a certificate
- - name: cert_serial
- overwrite: true
- type: keyword
- description: This key is used to capture the Certificate serial number only
- - name: cert_status
- overwrite: true
- type: keyword
- description: This key captures Certificate validation status
- - name: ssl_ver_dst
- overwrite: true
- type: keyword
- description: Deprecated, use version
- - name: cert_keysize
- overwrite: true
- type: keyword
- - name: cert_username
- overwrite: true
- type: keyword
- - name: https_insact
- overwrite: true
- type: keyword
- - name: https_valid
- overwrite: true
- type: keyword
- - name: cert_ca
- overwrite: true
- type: keyword
- description: This key is used to capture the Certificate signing authority only
- - name: cert_common
- overwrite: true
- type: keyword
- description: This key is used to capture the Certificate common name only
- - name: wireless
- overwrite: true
- type: group
- fields:
- - name: wlan_ssid
- overwrite: true
- type: keyword
- description: This key is used to capture the ssid of a Wireless Session
- - name: access_point
- overwrite: true
- type: keyword
- description: This key is used to capture the access point name.
- - name: wlan_channel
- overwrite: true
- type: long
- description: This is used to capture the channel names
- - name: wlan_name
- overwrite: true
- type: keyword
- description: This key captures either WLAN number/name
- - name: storage
- overwrite: true
- type: group
- fields:
- - name: disk_volume
- overwrite: true
- type: keyword
- description: A unique name assigned to logical units (volumes) within a physical
- disk
- - name: lun
- overwrite: true
- type: keyword
- description: Logical Unit Number.This key is a very useful concept in Storage.
- - name: pwwn
- overwrite: true
- type: keyword
- description: This uniquely identifies a port on a HBA.
- - name: physical
- overwrite: true
- type: group
- fields:
- - name: org_dst
- overwrite: true
- type: keyword
- description: This is used to capture the destination organization based on the
- GEOPIP Maxmind database.
- - name: org_src
- overwrite: true
- type: keyword
- description: This is used to capture the source organization based on the GEOPIP
- Maxmind database.
- - name: healthcare - overwrite: true - type: group - fields: - - name: patient_fname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_id - overwrite: true - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_mname - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: endpoint - overwrite: true - type: group - fields: - - name: host_state - overwrite: true - type: keyword - description: This key is used to capture the current state of the machine, such - as blacklisted, infected, firewall - disabled and so on - - name: registry_key - overwrite: true - type: keyword - description: This key captures the path to the registry key - - name: registry_value - overwrite: true - type: keyword - description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/config/input.yml b/x-pack/filebeat/module/proofpoint/emailsecurity/config/input.yml deleted file mode 100644 index e339988e8dc..00000000000 --- a/x-pack/filebeat/module/proofpoint/emailsecurity/config/input.yml +++ /dev/null 
@@ -1,87 +0,0 @@
-{{ if eq .input "file" }}
-
-type: log
-paths:
- {{ range $i, $path := .paths }}
-- {{$path}}
- {{ end }}
-exclude_files: [".gz$"]
-
-{{ else }}
-
-type: {{.input}}
-host: "{{.syslog_host}}:{{.syslog_port}}"
-
-{{ end }}
-
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
-
-fields_under_root: true
-fields:
- observer:
- vendor: "Proofpoint"
- product: "Email"
- type: "Firewall"
-
-processors:
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{.rsa_fields}}
- tz_offset: {{.tz_offset}}
- keep_raw: {{.keep_raw_fields}}
- debug: {{.debug}}
- files:
- - ${path.home}/module/proofpoint/emailsecurity/config/liblogparser.js
- - ${path.home}/module/proofpoint/emailsecurity/config/pipeline.js
-{{ if .community_id }}
-- community_id: ~
-{{ end }}
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: dns.question.name
- target_field: dns.question.registered_domain
- target_subdomain_field: dns.question.subdomain
- target_etld_field: dns.question.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: client.domain
- target_field: client.registered_domain
- target_subdomain_field: client.subdomain
- target_etld_field: client.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: server.domain
- target_field: server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/config/liblogparser.js b/x-pack/filebeat/module/proofpoint/emailsecurity/config/liblogparser.js
deleted file mode 100644
index b35eaa3ddce..00000000000
--- a/x-pack/filebeat/module/proofpoint/emailsecurity/config/liblogparser.js
+++ /dev/null
@@ -1,2514 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -/* jshint -W014,-W016,-W097,-W116 */ - -var processor = require("processor"); -var console = require("console"); - -var FLAG_FIELD = "log.flags"; -var FIELDS_OBJECT = "nwparser"; -var FIELDS_PREFIX = FIELDS_OBJECT + "."; - -var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true -}; - -var saved_flags = null; -var debug; -var map_ecs; -var map_rsa; -var keep_raw; -var device; -var tz_offset; -var strip_priority; - -// Register params from configuration. -function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); -} - -function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } -} - -function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); -} - -function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); -} - -function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; -} - -function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; -} - -function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; -} - -var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); -})(); - -function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; -} - -function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } -} - -function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; -} - -function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; -} - -function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; -} - -function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; -} - -var start; - -function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); -} - -function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); -} - -function constant(value) { - return function (evt) { - return value; - }; -} - -function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; -} - -function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; -} - -// TODO: Implement -function DIRCHK(args) { - unimplemented("DIRCHK"); -} - -function strictToInt(str) { - return str * 1; -} - -function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - var result; - switch 
(args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; -} - -var quoteChars = "\"'`"; -function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; -} - -function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; -} - -function nop(evt) { -} - -function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); -} - -function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); -} - -function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; -} - -function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); -} - -function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; -} - -function setc(dst, value) { - return function (evt) { - evt.Put(FIELDS_PREFIX + dst, value); - }; 
-} - -function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; -} - -function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; -} - -function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; -} - -function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; -} - -// Make two-digit dates 00-69 interpreted as 2000-2069 -// and dates 70-99 translated to 1970-1999. -var twoDigitYearEpoch = 70; -var twoDigitYearCentury = 2000; - -// This is to accept dates up to 2 days in the future, only used when -// no year is specified in a date. 2 days should be enough to account for -// time differences between systems and different tz offsets. -var maxFutureDelta = 2*24*60*60*1000; - -// DateContainer stores date fields and then converts those fields into -// a Date. Necessary because building a Date using its set() methods gives -// different results depending on the order of components. -function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; -} - -DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } -} - -function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; -} - -function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; -} - -function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; -} - -var uA = 60 * 60 * 24; -var uD = 60 * 60 * 24; -var uF = 60 * 60; -var uG = 60 * 60 * 24 * 30; -var uH = 60 * 60; -var uI = 60 * 60; -var uJ = 60 * 60 * 24; -var uM = 60 * 60 * 24 * 30; -var uN = 60 * 60; -var uO = 1; -var uS = 1; -var uT = 60; -var uU = 60; -var uc = dc; - -function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; -} - -function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 5], - "dec": [11, 4], 
-}; - -// var dC = undefined; -var dR = dateMonthName(true); -var dB = dateMonthName(false); -var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); -var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); -var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); -var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); -var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); -var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 -var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); -var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); -var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); -var dP = parseAMPM; // AM|PM -var dQ = parseAMPM; // A.M.|P.M -var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); -var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); -var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); -var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); -var dZ = parseHMS; -var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - -// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. -// Only works if this modifier appears after the hour has been read from logs -// which is always the case in the 300 devices. 
-function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; -} - -function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); -} - -function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; -} - -function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; -} - -function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; -} - -function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; -} - -function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; -} - -// Short month name (Jan..Dec). -function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; -} - -function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; -} - -// The following regular expression for parsing URLs from: -// https://github.com/wizard04wsu/URI_Parsing -// -// The MIT License (MIT) -// -// Copyright (c) 2014 Andrew Harrison -// -// Permission is hereby granted, free of charge, to any person obtaining a copy of -// this software and associated documentation files (the "Software"), to deal in -// the Software without restriction, including without limitation the rights to -// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -// the Software, and to permit persons to whom the Software is furnished to do so, -// subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
-var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - -var uriScheme = 1; -var uriDomain = 5; -var uriPort = 6; -var uriPath = 7; -var uriPathAlt = 9; -var uriQuery = 11; - -function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); -} - -function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; -} - -function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; -} - -var extFromPage = /\.[^.]+$/; -function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } -} - -function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); -} - -function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); -} - -var pageFromPathRegExp = /\/([^\/]+)$/; -var pageName = 1; - -function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; -} - -function page(dst, src) { - return url_wrapper(dst, src, extract_page); -} - -function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; -} - -function path(dst, src) { - return url_wrapper(dst, src, extract_path); -} - -// Map common schemes to their default port. -// port has to be a string (will be converted at a later stage). 
-var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", -}; - -function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } -} - -function port(dst, src) { - return url_wrapper(dst, src, extract_port); -} - -function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; -} - -function query(dst, src) { - return url_wrapper(dst, src, extract_query); -} - -function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } -} - -function root(dst, src) { - return url_wrapper(dst, src, extract_root); -} - -function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } -} - -var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, -}; - -var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, 
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]},
- "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
- "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
- "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
- "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
- "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
- "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
- "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
- "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
- "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
- "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
- "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
- "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
- "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
- "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
- "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
- "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
- "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
- "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
- "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
- "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
- "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
- "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
- "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
- "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
- "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
- "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
- "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
- "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
- "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
- "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
- "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
- "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
- "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
- "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
- "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
- "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
- "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
- "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
- "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
- "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
- "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
- "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
- "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
- "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
- "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
- "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
- "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
- "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
- "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
- "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
- "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
- "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
- "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
- "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
- "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
- "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
- "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
- "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
- "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
- "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
- "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
- "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
- "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
- "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
- "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
- "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
- "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
- "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
- "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
- "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
- "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
- "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
- "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
- "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
- "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
- "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
- "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
- "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
- "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
- "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
- "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
- "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
- "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
- "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
- "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
- "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
- "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
- "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
- "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
- "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
- "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
- "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
- "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
- "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
- "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
- "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
- "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
- "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
- "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
- "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
- "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
- "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
- "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
- "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
- "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
- "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
- "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
- "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
- "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
- "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
- "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
- "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
- "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
- "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
- "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
- "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
- "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
- "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
- "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
- "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
- "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
- "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
- "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
- "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
- "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
- "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
- "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
- "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
- "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
- "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
- "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
- "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
- "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
- "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
- "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
- "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
- "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
- "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
- "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
- "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
- "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
- "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
- "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
- "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
- "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
- "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
- "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
- "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
- "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
- "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
- "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
- "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
- "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
- "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
- "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
- "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
- "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
- "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
- "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
- "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
- "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
- "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
- "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
- "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
- "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
- "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
- "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
- "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
- "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
- "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
- "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
- "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
- "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
- "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
- "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
- "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
- "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
- "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
- "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
- "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
- "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
- "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
- "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
- "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
- "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
- "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
- "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
- "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
- "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
- "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
- "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
- "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
- "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
- "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
- "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
- "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
- "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
- "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
- "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
- "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
- "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
- "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
- "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
- "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
- "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
- "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
- "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
- "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
- "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
- "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
- "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
- "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
- "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
- "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
- "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
- "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
- "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
- "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
- "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
- "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
- "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
- "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
- "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
- "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
- "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
- "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
- "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
- "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
- "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
- "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
- "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
- "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
- "number": {to:[{field: "rsa.misc.number", setter: fld_set}]},
- "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
- "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
- "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
- "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
- "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
- "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
- "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
- "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
- "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
- "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
- "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
- "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
- "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
- "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
- "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
- "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
- "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
- "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
- "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
- "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
- "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
- "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
- "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
- "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
- "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
- "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
- "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
- "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
- "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
- "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
- "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
- "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
- "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
- "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
- "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
- "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
- "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
- "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
- "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
- "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
- "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
- "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
- "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
- "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
- "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
- "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
- "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
- "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
- "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
- "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
- "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
- "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
- "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
- "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
- "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
- "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
- "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
- "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
- "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]},
- "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
- "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
- "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
- "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
- "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
- "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
- "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
- "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
- "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
- "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
- "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
- "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
- "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
- "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
- "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
- "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
- "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
- "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
- "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
- "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
- "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
- "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
- "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]},
- "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
- "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
- "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
- "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]},
- "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
- "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
- "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
- "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
- "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
- "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
- "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
- "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
- "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
- "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
- "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
- "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
- "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
- "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
- "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
- "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
- "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
- "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
- "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
- "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
- "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]},
- "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]},
- "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]},
- "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]},
- "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]},
- "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]},
- "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]},
- "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]},
- "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]},
- "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]},
- "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]},
- "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]},
- "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]},
- "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]},
- "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]},
- "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]},
- "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]},
- "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]},
- "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]},
- "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]},
- "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]},
- "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]},
- "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]},
- "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]},
- "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]},
- "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]},
- "second": {to:[{field: "rsa.misc.second", setter: fld_set}]},
- "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]},
- "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]},
- "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]},
- "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]},
- "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]},
- "session": {to:[{field: "rsa.misc.session", setter: fld_set}]},
- "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]},
- "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]},
- "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]},
- "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]},
- "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]},
- "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]},
- "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]},
- "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]},
- "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]},
- "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]},
- "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]},
- "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]},
- "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]},
- "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]},
- "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]},
- "site": {to:[{field: "rsa.internal.site", setter: fld_set}]},
- "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]},
- "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]},
- "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]},
- "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]},
- "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]},
- "space": {to:[{field: "rsa.misc.space", setter: fld_set}]},
- "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]},
- "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]},
- "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]},
- "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]},
- "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]},
- "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]},
- "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]},
- "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]},
- "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]},
- "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]},
- "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]},
- "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]},
- "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]},
- "state": {to:[{field: "rsa.misc.state", setter: fld_set}]},
- "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]},
- "status": {to:[{field: "rsa.misc.status", setter: fld_set}]},
- "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]},
- "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]},
- "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]},
- "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]},
- "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]},
- "system": {to:[{field: "rsa.misc.system", setter: fld_set}]},
- "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]},
- "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]},
- "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]},
- "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]},
- "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]},
- "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]},
- "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]},
- "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]},
- "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]},
- "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]},
- "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]},
- "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]},
- "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]},
- "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]},
- "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]},
- "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]},
- "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]},
- "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]},
- "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]},
- "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]},
- "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]},
- "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]},
- "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]},
- "type": {to:[{field: "rsa.misc.type", setter: fld_set}]},
- "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]},
- "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]},
- "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]},
- "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]},
- "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]},
- "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]},
- "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]},
- "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]},
- "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]},
- "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]},
- "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]},
- "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]},
- "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]},
- "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]},
- "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]},
- "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]},
- "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]},
- "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]},
- "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]},
- "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]},
- "version": {to:[{field: "rsa.misc.version", setter: fld_set}]},
- "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]},
- "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]},
- "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]},
- "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]},
- "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]},
- "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]},
- "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]},
- "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]},
- "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]},
- "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]},
- "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]},
- "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]},
- "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]},
- "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]},
- "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, -}; - -function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } -} - -// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. -var maxSafeInt = Math.pow(2, 53) - 1; -var minSafeInt = -maxSafeInt; - -function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; -} - -function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); -} - -var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; -var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - -function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; -} - -function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; -} - -function to_double(value) { - return parseFloat(value); -} - -function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; -} - -function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; -} - -function fld_set(dst, value) { - dst[this.field] = { v: value }; -} - -function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } -} - -function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } -} - -var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true -}; - -function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } -} - -function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } -} - -function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); -} - -var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, -]; - -function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - tzOffset = 
evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} sampling=%{fld19}"); - -var dup15 = match_copy("MESSAGE#11:mail_env_from:ofrom/1_1", "nwparser.p0", "hostip"); - -var dup16 = setc("eventcategory","1207030000"); - -var dup17 = setc("eventcategory","1207000000"); - -var dup18 = match("MESSAGE#25:session_judge/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} %{p0}"); - -var dup19 = match("MESSAGE#25:session_judge/1_0", "nwparser.p0", "attachment=%{fld58->} file=%{fld1->} mod=%{p0}"); - -var dup20 = match("MESSAGE#25:session_judge/1_1", "nwparser.p0", "mod=%{p0}"); - -var dup21 = call({ - dest: "nwparser.filename", - fn: RMQ, - args: [ - field("fld1"), - ], -}); - -var dup22 = setc("eventcategory","1207040200"); - -var dup23 = match("MESSAGE#39:av_run:02/1_1", "nwparser.p0", "vendor=%{fld36->} version=\"%{component_version}\" duration=%{p0}"); - -var dup24 = match_copy("MESSAGE#39:av_run:02/2", "nwparser.p0", "duration_string"); - -var dup25 = setc("eventcategory","1003010000"); - -var dup26 = setc("eventcategory","1003000000"); - -var dup27 = setc("eventcategory","1207040000"); - -var dup28 = match("MESSAGE#98:queued-alert/3_0", "nwparser.p0", "[%{daddr}] [%{daddr}],%{p0}"); - -var dup29 = match("MESSAGE#98:queued-alert/3_1", "nwparser.p0", "[%{daddr}],%{p0}"); - -var dup30 = match("MESSAGE#98:queued-alert/3_2", "nwparser.p0", "%{dhost->} [%{daddr}],%{p0}"); - -var dup31 = match("MESSAGE#98:queued-alert/3_3", "nwparser.p0", "%{dhost},%{p0}"); - -var dup32 = match("MESSAGE#98:queued-alert/4", "nwparser.p0", "%{}dsn=%{resultcode}, stat=%{info}"); - -var dup33 = match("MESSAGE#99:queued-alert:01/1_1", "nwparser.p0", "[%{daddr}]"); - -var dup34 = match("MESSAGE#99:queued-alert:01/1_2", "nwparser.p0", "%{dhost->} [%{daddr}]"); - -var dup35 = match_copy("MESSAGE#99:queued-alert:01/1_3", "nwparser.p0", "dhost"); - -var dup36 = date_time({ - dest: "event_time", - args: 
["hdate","htime"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], - ], -}); - -var dup37 = match("MESSAGE#100:queued-alert:02/0", "nwparser.payload", "%{agent}[%{process_id}]: STARTTLS=%{fld1}, relay=%{p0}"); - -var dup38 = match("MESSAGE#101:queued-VoltageEncrypt/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, pri=%{fld23}, relay=%{p0}"); - -var dup39 = match("MESSAGE#120:queued-VoltageEncrypt:01/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld57}, nrcpts=%{fld58}, msgid=%{id}, proto=%{protocol}, daemon=%{fld69}, relay=%{p0}"); - -var dup40 = match("MESSAGE#120:queued-VoltageEncrypt:01/1_0", "nwparser.p0", "[%{daddr}] [%{daddr}]"); - -var dup41 = match("MESSAGE#104:queued-default:02/2", "nwparser.p0", "%{}field=%{fld2}, status=%{info}"); - -var dup42 = match("MESSAGE#105:queued-default:03/2", "nwparser.p0", "%{}version=%{fld55}, verify=%{fld57}, cipher=%{fld58}, bits=%{fld59}"); - -var dup43 = match("MESSAGE#116:queued-eurort:02/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld57}, nrcpts=%{fld58}, msgid=%{id}, proto=%{protocol}, daemon=%{fld69}, tls_verify=%{fld70}, auth=%{fld71}, relay=%{p0}"); - -var dup44 = match("MESSAGE#126:sendmail/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, pri=%{fld23}, relay=%{p0}"); - -var dup45 = linear_select([ - dup1, - dup2, - dup3, - dup4, - dup5, -]); - -var dup46 = linear_select([ - dup14, - dup15, -]); - -var dup47 = linear_select([ - dup19, - dup20, -]); - -var dup48 = match("MESSAGE#43:av_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} vendor=%{fld36->} engine=%{fld49->} definitions=%{fld50->} signatures=%{fld94}", processor_chain([ - dup26, - dup9, -])); - -var dup49 = 
match("MESSAGE#48:access_run:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ - dup17, - dup9, -])); - -var dup50 = match("MESSAGE#49:access_run:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ - dup17, - dup9, -])); - -var dup51 = match("MESSAGE#51:access_refresh:01", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} action=%{action->} dict=%{fld37->} file=%(unknown)", processor_chain([ - dup17, - dup9, -])); - -var dup52 = match("MESSAGE#52:access_load", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5}", processor_chain([ - dup17, - dup9, -])); - -var dup53 = match("MESSAGE#64:spam_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} engine=%{fld49->} definitions=%{fld50}", processor_chain([ - dup27, - dup9, -])); - -var dup54 = match("MESSAGE#71:zerohour_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} version=%{fld55}", processor_chain([ - dup17, - dup9, -])); - -var dup55 = match("MESSAGE#82:cvtd:01", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} sig=%{fld60}", processor_chain([ - dup17, - dup9, -])); - -var dup56 = match("MESSAGE#83:cvtd", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type}", processor_chain([ - dup17, - dup9, -])); - -var dup57 = match("MESSAGE#87:soap_listen", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} addr=%{saddr}", processor_chain([ - dup17, - dup9, -])); - -var dup58 = linear_select([ - dup28, - dup29, - dup30, - dup31, -]); - -var dup59 = linear_select([ - dup40, 
- dup33, - dup34, - dup35, -]); - -var dup60 = match("MESSAGE#106:queued-default:04", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: timeout waiting for input from %{fld11->} during server cmd read", processor_chain([ - dup17, - dup9, -])); - -var dup61 = match("MESSAGE#113:queued-reinject:06", "nwparser.payload", "%{agent}[%{process_id}]: %{event_description}", processor_chain([ - dup17, - dup9, -])); - -var dup62 = match("MESSAGE#141:info:pid", "nwparser.payload", "%{fld0->} %{severity->} pid=%{process_id->} %{web_method->} /%{info}: %{resultcode}", processor_chain([ - dup17, - dup9, -])); - -var dup63 = all_match({ - processors: [ - dup38, - dup58, - dup32, - ], - on_success: processor_chain([ - dup17, - dup9, - ]), -}); - -var dup64 = all_match({ - processors: [ - dup39, - dup59, - ], - on_success: processor_chain([ - dup17, - dup9, - ]), -}); - -var dup65 = all_match({ - processors: [ - dup37, - dup58, - dup41, - ], - on_success: processor_chain([ - dup17, - dup9, - ]), -}); - -var dup66 = all_match({ - processors: [ - dup37, - dup58, - dup42, - ], - on_success: processor_chain([ - dup17, - dup9, - ]), -}); - -var dup67 = all_match({ - processors: [ - dup43, - dup59, - ], - on_success: processor_chain([ - dup17, - dup9, - ]), -}); - -var dup68 = all_match({ - processors: [ - dup44, - dup58, - dup32, - ], - on_success: processor_chain([ - dup17, - dup9, - ]), -}); - -var hdr1 = match("HEADER#0:0024/0", "message", "%{hdate}T%{htime}.%{hfld1->} %{hfld2->} %{hinstance}[%{hfld3}]: %{p0}", processor_chain([ - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hinstance"), - constant("["), - field("hfld3"), - constant("]: "), - field("p0"), - ], - }), -])); - -var part1 = match("HEADER#0:0024/2", "nwparser.p0", "%{}s=%{hfld4->} cmd=send %{p0}"); - -var all1 = all_match({ - processors: [ - hdr1, - dup45, - part1, - ], - on_success: processor_chain([ - setc("header_id","0024"), - setc("messageid","send"), - ]), -}); - -var hdr2 = 
match("HEADER#1:0023/0", "message", "%{hdate}T%{htime}.%{hfld1->} %{hfld2->} %{messageid}[%{hfld3}]: %{p0}"); - -var part2 = match("HEADER#1:0023/2", "nwparser.p0", "%{} %{payload}"); - -var all2 = all_match({ - processors: [ - hdr2, - dup45, - part2, - ], - on_success: processor_chain([ - setc("header_id","0023"), - ]), -}); - -var hdr3 = match("HEADER#2:0025", "message", "%{hdate}T%{htime}.%{hfld1->} %{hinstance->} %{messageid}[%{hfld2}]: %{p0}", processor_chain([ - setc("header_id","0025"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant("["), - field("hfld2"), - constant("]: "), - field("p0"), - ], - }), -])); - -var hdr4 = match("HEADER#3:0026", "message", "%{hmonth->} %{hday->} %{htime->} %{hostname->} %{hinstance}[%{hfld4}]: %{hseverity->} s=%{hfld1->} m=%{hfld2->} x=%{hfld3->} attachment=%{hfld7->} file=%{hfld5->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ - setc("header_id","0026"), - dup6, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hinstance"), - constant("["), - field("hfld4"), - constant("]: "), - field("hseverity"), - constant(" s="), - field("hfld1"), - constant(" m="), - field("hfld2"), - constant(" x="), - field("hfld3"), - constant(" attachment="), - field("hfld7"), - constant(" file="), - field("hfld5"), - constant(" mod="), - field("msgIdPart1"), - constant(" cmd="), - field("msgIdPart2"), - constant(" "), - field("p0"), - ], - }), -])); - -var hdr5 = match("HEADER#4:0003", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} m=%{hfld2->} x=%{hfld3->} attachment=%{hfld7->} file=%{hfld5->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ - setc("header_id","0003"), - dup6, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hinstance"), - constant(" "), - field("hseverity"), - constant(" s="), - field("hfld1"), - constant(" m="), - field("hfld2"), - constant(" x="), - field("hfld3"), 
- constant(" attachment="), - field("hfld7"), - constant(" file="), - field("hfld5"), - constant(" mod="), - field("msgIdPart1"), - constant(" cmd="), - field("msgIdPart2"), - constant(" "), - field("p0"), - ], - }), -])); - -var hdr6 = match("HEADER#5:0015", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}[%{hfld2}]: %{hseverity->} s=%{hfld3->} m=%{hfld4->} x=%{hfld5->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ - setc("header_id","0015"), - dup6, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hinstance"), - constant("["), - field("hfld2"), - constant("]: "), - field("hseverity"), - constant(" s="), - field("hfld3"), - constant(" m="), - field("hfld4"), - constant(" x="), - field("hfld5"), - constant(" mod="), - field("msgIdPart1"), - constant(" cmd="), - field("msgIdPart2"), - constant(" "), - field("p0"), - ], - }), -])); - -var hdr7 = match("HEADER#6:0016", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}[%{hfld2}]: %{hseverity->} s=%{hfld3->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ - setc("header_id","0016"), - dup6, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hinstance"), - constant("["), - field("hfld2"), - constant("]: "), - field("hseverity"), - constant(" s="), - field("hfld3"), - constant(" mod="), - field("msgIdPart1"), - constant(" cmd="), - field("msgIdPart2"), - constant(" "), - field("p0"), - ], - }), -])); - -var hdr8 = match("HEADER#7:0017", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}[%{hfld2}]: %{severity->} mod=%{msgIdPart1->} %{p0}", processor_chain([ - setc("header_id","0017"), - call({ - dest: "nwparser.messageid", - fn: STRCAT, - args: [ - field("msgIdPart1"), - constant("_ttl"), - ], - }), - dup7, -])); - -var hdr9 = match("HEADER#8:0018", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}: %{hseverity->} s=%{hfld2->} m=%{hfld3->} x=%{hfld4->} cmd=%{messageid->} 
%{p0}", processor_chain([ - setc("header_id","0018"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hinstance"), - constant(": "), - field("hseverity"), - constant(" s="), - field("hfld2"), - constant(" m="), - field("hfld3"), - constant(" x="), - field("hfld4"), - constant(" cmd="), - field("messageid"), - constant(" "), - field("p0"), - ], - }), -])); - -var hdr10 = match("HEADER#9:0019", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance->} %{hseverity->} s=%{hfld2->} mod=%{messageid->} %{p0}", processor_chain([ - setc("header_id","0019"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hinstance"), - constant(" "), - field("hseverity"), - constant(" s="), - field("hfld2"), - constant(" mod="), - field("messageid"), - constant(" "), - field("p0"), - ], - }), -])); - -var hdr11 = match("HEADER#10:0020", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}[%{hfld2}]: %{hseverity->} mod=%{msgIdPart1->} %{msgIdPart2}=%{hfld3->} %{p0}", processor_chain([ - setc("header_id","0020"), - dup6, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hinstance"), - constant("["), - field("hfld2"), - constant("]: "), - field("hseverity"), - constant(" mod="), - field("msgIdPart1"), - constant(" "), - field("msgIdPart2"), - constant("="), - field("hfld3"), - constant(" "), - field("p0"), - ], - }), -])); - -var hdr12 = match("HEADER#11:0021", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}[%{hfld2}]: %{severity->} mod=%{msgIdPart1->} %{p0}", processor_chain([ - setc("header_id","0021"), - call({ - dest: "nwparser.messageid", - fn: STRCAT, - args: [ - field("msgIdPart1"), - constant("_type"), - ], - }), - dup7, -])); - -var hdr13 = match("HEADER#12:0022", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}: %{hseverity->} s=%{hfld2->} m=%{hfld3->} x=%{hfld4->} %{msgIdPart1}=%{msgIdPart2->} %{p0}", processor_chain([ - setc("header_id","0022"), - 
dup6, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hinstance"), - constant(": "), - field("hseverity"), - constant(" s="), - field("hfld2"), - constant(" m="), - field("hfld3"), - constant(" x="), - field("hfld4"), - constant(" "), - field("msgIdPart1"), - constant("="), - field("msgIdPart2"), - constant(" "), - field("p0"), - ], - }), -])); - -var hdr14 = match("HEADER#13:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} m=%{hfld2->} x=%{hfld3->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ - setc("header_id","0001"), - dup6, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hinstance"), - constant(" "), - field("hseverity"), - constant(" s="), - field("hfld1"), - constant(" m="), - field("hfld2"), - constant(" x="), - field("hfld3"), - constant(" mod="), - field("msgIdPart1"), - constant(" cmd="), - field("msgIdPart2"), - constant(" "), - field("p0"), - ], - }), -])); - -var hdr15 = match("HEADER#14:0008", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} m=%{hfld2->} x=%{hfld3->} cmd=%{messageid->} %{p0}", processor_chain([ - setc("header_id","0008"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hinstance"), - constant(" "), - field("hseverity"), - constant(" s="), - field("hfld1"), - constant(" m="), - field("hfld2"), - constant(" x="), - field("hfld3"), - constant(" cmd="), - field("messageid"), - constant(" "), - field("p0"), - ], - }), -])); - -var hdr16 = match("HEADER#15:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ - setc("header_id","0002"), - dup6, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hinstance"), - constant(" "), - field("hseverity"), - constant(" s="), - field("hfld1"), - constant(" mod="), - field("msgIdPart1"), - constant(" cmd="), - 
field("msgIdPart2"), - constant(" "), - field("p0"), - ], - }), -])); - -var hdr17 = match("HEADER#16:0007", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} mod=%{messageid->} %{p0}", processor_chain([ - setc("header_id","0007"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hinstance"), - constant(" "), - field("hseverity"), - constant(" s="), - field("hfld1"), - constant(" mod="), - field("messageid"), - constant(" "), - field("p0"), - ], - }), -])); - -var hdr18 = match("HEADER#17:0012", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} cmd=%{messageid->} %{p0}", processor_chain([ - setc("header_id","0012"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hinstance"), - constant(" "), - field("hseverity"), - constant(" s="), - field("hfld1"), - constant(" cmd="), - field("messageid"), - constant(" "), - field("p0"), - ], - }), -])); - -var hdr19 = match("HEADER#18:0004", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} mod=%{msgIdPart1->} type=%{hfld5->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ - setc("header_id","0004"), - dup6, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hinstance"), - constant(" "), - field("hseverity"), - constant(" mod="), - field("msgIdPart1"), - constant(" type="), - field("hfld5"), - constant(" cmd="), - field("msgIdPart2"), - constant(" "), - field("p0"), - ], - }), -])); - -var hdr20 = match("HEADER#19:0005", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} pid=%{hfld5->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ - setc("header_id","0005"), - dup6, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hinstance"), - constant(" "), - field("hseverity"), - constant(" pid="), - field("hfld5"), - constant(" mod="), - field("msgIdPart1"), - constant(" cmd="), - field("msgIdPart2"), - constant(" "), 
- field("p0"), - ], - }), -])); - -var hdr21 = match("HEADER#20:0006", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ - setc("header_id","0006"), - dup6, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hinstance"), - constant(" "), - field("hseverity"), - constant(" mod="), - field("msgIdPart1"), - constant(" cmd="), - field("msgIdPart2"), - constant(" "), - field("p0"), - ], - }), -])); - -var hdr22 = match("HEADER#21:0009", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} mod=%{messageid->} %{p0}", processor_chain([ - setc("header_id","0009"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hinstance"), - constant(" "), - field("hseverity"), - constant(" mod="), - field("messageid"), - constant(" "), - field("p0"), - ], - }), -])); - -var hdr23 = match("HEADER#22:0014", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld2->} %{hinstance}[%{hfld1}]: %{messageid->} %{p0}", processor_chain([ - setc("header_id","0014"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hinstance"), - constant("["), - field("hfld1"), - constant("]: "), - field("messageid"), - constant(" "), - field("p0"), - ], - }), -])); - -var hdr24 = match("HEADER#23:0013", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{messageid}[%{hfld1}]: %{p0}", processor_chain([ - setc("header_id","0013"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hinstance"), - constant(" "), - field("messageid"), - constant("["), - field("hfld1"), - constant("]: "), - field("p0"), - ], - }), -])); - -var hdr25 = match("HEADER#24:0011", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{messageid->} %{p0}", processor_chain([ - setc("header_id","0011"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hinstance"), - constant(" "), - field("messageid"), - constant(" "), - 
field("p0"), - ], - }), -])); - -var hdr26 = match("HEADER#25:0010", "message", "%{messageid}[%{hfld1}]: %{p0}", processor_chain([ - setc("header_id","0010"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant("["), - field("hfld1"), - constant("]: "), - field("p0"), - ], - }), -])); - -var select1 = linear_select([ - all1, - all2, - hdr3, - hdr4, - hdr5, - hdr6, - hdr7, - hdr8, - hdr9, - hdr10, - hdr11, - hdr12, - hdr13, - hdr14, - hdr15, - hdr16, - hdr17, - hdr18, - hdr19, - hdr20, - hdr21, - hdr22, - hdr23, - hdr24, - hdr25, - hdr26, -]); - -var part3 = match("MESSAGE#0:mail_env_rcpt", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} r=%{event_counter->} value=%{to->} verified=%{fld3->} routes=%{fld4}", processor_chain([ - dup8, - dup9, -])); - -var msg1 = msg("mail_env_rcpt", part3); - -var part4 = match("MESSAGE#1:mail_env_rcpt:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} r=%{event_counter->} value=%{to->} verified=%{fld3->} routes=%{fld4}", processor_chain([ - dup8, - dup9, -])); - -var msg2 = msg("mail_env_rcpt:01", part4); - -var select2 = linear_select([ - msg1, - msg2, -]); - -var part5 = match("MESSAGE#2:mail_attachment", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} id=%{fld5->} file=%{filename->} mime=%{content_type->} type=%{fld6->} omime=%{fld7->} oext=%{fld8->} corrupted=%{fld9->} protected=%{fld10->} size=%{bytes->} virtual=%{fld11->} a=%{fld12}", processor_chain([ - dup10, - dup9, -])); - -var msg3 = msg("mail_attachment", part5); - -var part6 = match("MESSAGE#3:mail_attachment:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} id=%{fld5->} file=%{filename->} mime=%{content_type->} type=%{fld6->} omime=%{fld7->} oext=%{fld8->} 
corrupted=%{fld9->} protected=%{fld10->} size=%{bytes->} virtual=%{fld11->} a=%{fld12}", processor_chain([ - dup10, - dup9, -])); - -var msg4 = msg("mail_attachment:01", part6); - -var part7 = match("MESSAGE#4:mail_attachment:02", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} id=%{fld5->} file=%{filename->} mime=%{content_type->} type=%{fld6->} omime=%{fld7->} oext=%{fld8->} corrupted=%{fld9->} protected=%{fld10->} size=%{bytes->} virtual=%{fld11}", processor_chain([ - dup10, - dup9, -])); - -var msg5 = msg("mail_attachment:02", part7); - -var part8 = match("MESSAGE#5:mail_attachment:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} id=%{fld5->} file=%{filename->} mime=%{content_type->} type=%{fld6->} omime=%{fld7->} oext=%{fld8->} corrupted=%{fld9->} protected=%{fld10->} size=%{bytes->} virtual=%{fld11}", processor_chain([ - dup10, - dup9, -])); - -var msg6 = msg("mail_attachment:03", part8); - -var select3 = linear_select([ - msg3, - msg4, - msg5, - msg6, -]); - -var part9 = match("MESSAGE#6:mail_msg", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=%{subject->} spamscore=%{reputation_num->} virusname=%{threat_name->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ - dup11, - dup9, - dup12, - dup13, -])); - -var msg7 = msg("mail_msg", part9); - -var part10 = match("MESSAGE#7:mail_msg:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} 
size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=%{subject->} spamscore=%{reputation_num->} virusname=%{threat_name->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ - dup11, - dup9, - dup12, - dup13, -])); - -var msg8 = msg("mail_msg:01", part10); - -var part11 = match("MESSAGE#8:mail_msg:04", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=%{subject->} virusname=%{threat_name->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ - dup11, - dup9, - dup12, - dup13, -])); - -var msg9 = msg("mail_msg:04", part11); - -var part12 = match("MESSAGE#9:mail_msg:02", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=%{subject->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ - dup11, - dup9, - dup12, - dup13, -])); - -var msg10 = msg("mail_msg:02", part12); - -var part13 = match("MESSAGE#10:mail_msg:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=%{subject->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ - dup11, - dup9, - dup12, - dup13, -])); - -var msg11 = msg("mail_msg:03", part13); - -var select4 = linear_select([ - msg7, - msg8, - msg9, - 
msg10, - msg11, -]); - -var part14 = match("MESSAGE#11:mail_env_from:ofrom/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} value=%{to->} ofrom=%{from->} qid=%{fld15->} tls=%{fld17->} routes=%{fld4->} notroutes=%{fld18->} host=%{hostname->} ip=%{p0}"); - -var all3 = all_match({ - processors: [ - part14, - dup46, - ], - on_success: processor_chain([ - dup16, - dup9, - ]), -}); - -var msg12 = msg("mail_env_from:ofrom", all3); - -var part15 = match("MESSAGE#12:mail_env_from:ofrom:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} value=%{to->} ofrom=%{from->} qid=%{fld15->} tls=%{fld17->} routes=%{fld4->} notroutes=%{fld18->} host=%{hostname->} ip=%{hostip->} sampling=%{fld19}", processor_chain([ - dup16, - dup9, -])); - -var msg13 = msg("mail_env_from:ofrom:01", part15); - -var part16 = match("MESSAGE#13:mail_env_from/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} value=%{from->} qid=%{fld15->} tls=%{fld17->} routes=%{fld4->} notroutes=%{fld18->} host=%{hostname->} ip=%{p0}"); - -var all4 = all_match({ - processors: [ - part16, - dup46, - ], - on_success: processor_chain([ - dup16, - dup9, - ]), -}); - -var msg14 = msg("mail_env_from", all4); - -var part17 = match("MESSAGE#14:mail_env_from:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} value=%{from->} qid=%{fld15->} tls=%{fld17->} routes=%{fld4->} notroutes=%{fld18->} host=%{hostname->} ip=%{hostip->} sampling=%{fld19}", processor_chain([ - dup16, - dup9, -])); - -var msg15 = msg("mail_env_from:01", part17); - -var select5 = linear_select([ - msg12, - msg13, - msg14, - msg15, -]); - -var part18 = match("MESSAGE#15:mail_helo", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} 
value=%{ddomain->} routes=%{fld4}", processor_chain([ - dup17, - dup9, -])); - -var msg16 = msg("mail_helo", part18); - -var part19 = match("MESSAGE#16:mail_helo:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} value=%{ddomain->} routes=%{fld4}", processor_chain([ - dup17, - dup9, -])); - -var msg17 = msg("mail_helo:01", part19); - -var select6 = linear_select([ - msg16, - msg17, -]); - -var part20 = match("MESSAGE#17:mail_continue-system-sendmail", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} action=%{action->} err=%{fld58}", processor_chain([ - dup17, - dup9, -])); - -var msg18 = msg("mail_continue-system-sendmail", part20); - -var part21 = match("MESSAGE#18:mail_release", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} status=%{result->} err=%{fld58}", processor_chain([ - dup17, - dup9, -])); - -var msg19 = msg("mail_release", part21); - -var part22 = match("MESSAGE#19:session_data/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} %{p0}"); - -var part23 = match("MESSAGE#19:session_data/1_0", "nwparser.p0", "rcpt_notroutes=%{fld20->} data_routes=%{fld21}"); - -var part24 = match("MESSAGE#19:session_data/1_1", "nwparser.p0", "rcpt=%{to->} suborg=%{fld22}"); - -var part25 = match("MESSAGE#19:session_data/1_2", "nwparser.p0", "from=%{from->} suborg=%{fld22}"); - -var select7 = linear_select([ - part23, - part24, - part25, -]); - -var all5 = all_match({ - processors: [ - part22, - select7, - ], - on_success: processor_chain([ - dup17, - dup9, - ]), -}); - -var msg20 = msg("session_data", all5); - -var part26 = match("MESSAGE#20:session_data:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rcpt_notroutes=%{fld20->} data_routes=%{fld21}", processor_chain([ - 
dup17, - dup9, -])); - -var msg21 = msg("session_data:01", part26); - -var select8 = linear_select([ - msg20, - msg21, -]); - -var part27 = match("MESSAGE#21:session_store", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} folder=%{fld22->} pri=%{fld23->} duration=%{duration_string}", processor_chain([ - dup17, - dup9, -])); - -var msg22 = msg("session_store", part27); - -var part28 = match("MESSAGE#22:session_store:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} folder=%{fld22->} pri=%{fld23->} duration=%{duration_string}", processor_chain([ - dup17, - dup9, -])); - -var msg23 = msg("session_store:01", part28); - -var select9 = linear_select([ - msg22, - msg23, -]); - -var part29 = match("MESSAGE#23:session_headers", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} routes=%{fld4->} notroutes=%{fld18}", processor_chain([ - dup17, - dup9, -])); - -var msg24 = msg("session_headers", part29); - -var part30 = match("MESSAGE#24:session_headers:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} routes=%{fld4->} notroutes=%{fld18}", processor_chain([ - dup17, - dup9, -])); - -var msg25 = msg("session_headers:01", part30); - -var select10 = linear_select([ - msg24, - msg25, -]); - -var part31 = match("MESSAGE#25:session_judge/2", "nwparser.p0", "%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename}"); - -var all6 = all_match({ - processors: [ - dup18, - dup47, - part31, - ], - on_success: processor_chain([ - dup17, - dup9, - dup21, - ]), -}); - -var msg26 = msg("session_judge", all6); - -var part32 = match("MESSAGE#26:session_judge:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} 
cmd=%{obj_type->} module=%{event_source->} rule=%{rulename}", processor_chain([ - dup17, - dup9, -])); - -var msg27 = msg("session_judge:01", part32); - -var select11 = linear_select([ - msg26, - msg27, -]); - -var part33 = match("MESSAGE#27:session_connect", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} ip=%{hostip->} country=%{location_country->} lip=%{fld24->} prot=%{fld25->} hops_active=%{fld26->} routes=%{fld4->} notroutes=%{fld18->} perlwait=%{fld27}", processor_chain([ - dup17, - dup9, -])); - -var msg28 = msg("session_connect", part33); - -var part34 = match("MESSAGE#28:session_connect:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} ip=%{hostip->} country=%{location_country->} lip=%{fld24->} prot=%{fld25->} hops_active=%{fld26->} routes=%{fld4->} notroutes=%{fld18->} perlwait=%{fld27}", processor_chain([ - dup17, - dup9, -])); - -var msg29 = msg("session_connect:01", part34); - -var select12 = linear_select([ - msg28, - msg29, -]); - -var part35 = match("MESSAGE#29:session_resolve", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} host=%{hostname->} resolve=%{fld28->} reverse=%{fld13->} routes=%{fld4->} notroutes=%{fld18}", processor_chain([ - dup17, - dup9, -])); - -var msg30 = msg("session_resolve", part35); - -var part36 = match("MESSAGE#30:session_resolve:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} host=%{hostname->} resolve=%{fld28->} reverse=%{fld13->} routes=%{fld4->} notroutes=%{fld18}", processor_chain([ - dup17, - dup9, -])); - -var msg31 = msg("session_resolve:01", part36); - -var select13 = linear_select([ - msg30, - msg31, -]); - -var part37 = match("MESSAGE#31:session_throttle", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} 
mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} ip=%{hostip->} rate=%{fld29->} crate=%{fld30->} limit=%{fld31}", processor_chain([ - dup17, - dup9, -])); - -var msg32 = msg("session_throttle", part37); - -var part38 = match("MESSAGE#32:session_throttle:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} ip=%{hostip->} rate=%{fld29->} crate=%{fld30->} limit=%{fld31}", processor_chain([ - dup17, - dup9, -])); - -var msg33 = msg("session_throttle:01", part38); - -var select14 = linear_select([ - msg32, - msg33, -]); - -var part39 = match("MESSAGE#33:session_dispose", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} rate=%{fld58}", processor_chain([ - dup22, - dup9, -])); - -var msg34 = msg("session_dispose", part39); - -var part40 = match("MESSAGE#34:session_dispose:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} rate=%{fld58}", processor_chain([ - dup22, - dup9, -])); - -var msg35 = msg("session_dispose:01", part40); - -var part41 = match("MESSAGE#35:session_dispose:02/2", "nwparser.p0", "%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action}"); - -var all7 = all_match({ - processors: [ - dup18, - dup47, - part41, - ], - on_success: processor_chain([ - dup22, - dup9, - dup21, - ]), -}); - -var msg36 = msg("session_dispose:02", all7); - -var part42 = match("MESSAGE#36:session_dispose:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action}", processor_chain([ - dup22, - dup9, -])); - -var msg37 = msg("session_dispose:03", part42); - -var select15 = linear_select([ - msg34, - msg35, - msg36, - msg37, -]); - 
-var part43 = match("MESSAGE#37:session_disconnect", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} helo=%{fld32->} msgs=%{fld33->} rcpts=%{dclass_counter2->} routes=%{fld4->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ - dup17, - dup9, - dup13, -])); - -var msg38 = msg("session_disconnect", part43); - -var part44 = match("MESSAGE#38:session_disconnect:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} helo=%{fld32->} msgs=%{fld33->} rcpts=%{dclass_counter2->} routes=%{fld4->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ - dup17, - dup9, - dup13, -])); - -var msg39 = msg("session_disconnect:01", part44); - -var select16 = linear_select([ - msg38, - msg39, -]); - -var part45 = match("MESSAGE#39:av_run:02/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} attachment=%{fld58->} file=%{fld1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} name=%{fld34->} %{p0}"); - -var part46 = match("MESSAGE#39:av_run:02/1_0", "nwparser.p0", "cleaned=%{fld35->} vendor=%{fld36->} duration=%{p0}"); - -var part47 = match("MESSAGE#39:av_run:02/1_2", "nwparser.p0", "vendor=%{fld36->} duration=%{p0}"); - -var select17 = linear_select([ - part46, - dup23, - part47, -]); - -var all8 = all_match({ - processors: [ - part45, - select17, - dup24, - ], - on_success: processor_chain([ - dup25, - dup9, - dup21, - ]), -}); - -var msg40 = msg("av_run:02", all8); - -var part48 = match("MESSAGE#40:av_run:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} attachment=%{fld58->} file=%{filename->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} name=%{fld34->} cleaned=%{fld35->} vendor=%{fld36->} duration=%{duration_string}", processor_chain([ - dup25, - dup9, -])); - -var 
msg41 = msg("av_run:03", part48); - -var part49 = match("MESSAGE#41:av_run/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} %{p0}"); - -var part50 = match("MESSAGE#41:av_run/1_1", "nwparser.p0", "name=%{fld34->} cleaned=%{fld35->} vendor=%{fld36->} duration=%{p0}"); - -var part51 = match("MESSAGE#41:av_run/1_2", "nwparser.p0", "name=%{fld34->} vendor=%{fld36->} duration=%{p0}"); - -var select18 = linear_select([ - dup23, - part50, - part51, -]); - -var all9 = all_match({ - processors: [ - part49, - select18, - dup24, - ], - on_success: processor_chain([ - dup25, - dup9, - ]), -}); - -var msg42 = msg("av_run", all9); - -var part52 = match("MESSAGE#42:av_run:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} name=%{fld34->} cleaned=%{fld35->} vendor=%{fld36->} duration=%{duration_string}", processor_chain([ - dup25, - dup9, -])); - -var msg43 = msg("av_run:01", part52); - -var select19 = linear_select([ - msg40, - msg41, - msg42, - msg43, -]); - -var msg44 = msg("av_refresh", dup48); - -var msg45 = msg("av_init", dup48); - -var part53 = match("MESSAGE#45:av_load", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5}", processor_chain([ - dup26, - dup9, -])); - -var msg46 = msg("av_load", part53); - -var part54 = match("MESSAGE#46:access_run:02", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} attachment=%{fld58->} file=%{filename->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ - dup17, - dup9, -])); - -var msg47 = msg("access_run:02", part54); - -var part55 = match("MESSAGE#47:access_run:04", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} attachment=%{fld58->} file=%{filename->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} 
duration=%{duration_string}", processor_chain([ - dup17, - dup9, -])); - -var msg48 = msg("access_run:04", part55); - -var msg49 = msg("access_run:03", dup49); - -var msg50 = msg("access_run:01", dup50); - -var select20 = linear_select([ - msg47, - msg48, - msg49, - msg50, -]); - -var part56 = match("MESSAGE#50:access_refresh", "nwparser.payload", "%{fld0->} %{severity->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} action=%{action->} dict=%{fld37->} file=%(unknown)", processor_chain([ - dup17, - dup9, -])); - -var msg51 = msg("access_refresh", part56); - -var msg52 = msg("access_refresh:01", dup51); - -var select21 = linear_select([ - msg51, - msg52, -]); - -var msg53 = msg("access_load", dup52); - -var msg54 = msg("regulation_init", dup51); - -var msg55 = msg("regulation_refresh", dup51); - -var part57 = match("MESSAGE#55:spam_run:rule/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} policy=%{fld38->} score=%{fld39->} spamscore=%{reputation_num->} %{p0}"); - -var part58 = match("MESSAGE#55:spam_run:rule/1_0", "nwparser.p0", "ipscore=%{fld40->} suspectscore=%{p0}"); - -var part59 = match("MESSAGE#55:spam_run:rule/1_1", "nwparser.p0", "suspectscore=%{p0}"); - -var select22 = linear_select([ - part58, - part59, -]); - -var part60 = match("MESSAGE#55:spam_run:rule/2", "nwparser.p0", "%{fld41->} phishscore=%{fld42->} %{p0}"); - -var part61 = match("MESSAGE#55:spam_run:rule/3_0", "nwparser.p0", "bulkscore=%{fld43->} adultscore=%{fld44->} classifier=%{p0}"); - -var part62 = match("MESSAGE#55:spam_run:rule/3_1", "nwparser.p0", "adultscore=%{fld44->} bulkscore=%{fld43->} classifier=%{p0}"); - -var select23 = linear_select([ - part61, - part62, -]); - -var part63 = match("MESSAGE#55:spam_run:rule/4", "nwparser.p0", "%{fld45->} adjust=%{fld46->} reason=%{fld47->} scancount=%{fld48->} engine=%{fld49->} definitions=%{fld50->} 
raw=%{fld51->} tests=%{fld52->} duration=%{duration_string}"); - -var all10 = all_match({ - processors: [ - part57, - select22, - part60, - select23, - part63, - ], - on_success: processor_chain([ - dup27, - dup9, - ]), -}); - -var msg56 = msg("spam_run:rule", all10); - -var part64 = match("MESSAGE#56:spam_run:rule_02", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} policy=%{fld38->} score=%{fld39->} spamscore=%{reputation_num->} ipscore=%{fld40->} suspectscore=%{fld41->} phishscore=%{fld42->} bulkscore=%{fld43->} adultscore=%{fld44->} classifier=%{fld45->} adjust=%{fld46->} reason=%{fld47->} scancount=%{fld48->} engine=%{fld49->} definitions=%{fld50->} raw=%{fld51->} tests=%{fld52->} duration=%{duration_string}", processor_chain([ - dup27, - dup9, -])); - -var msg57 = msg("spam_run:rule_02", part64); - -var part65 = match("MESSAGE#57:spam_run:rule_03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} policy=%{fld38->} score=%{fld39->} ndrscore=%{fld57->} ipscore=%{fld40->} suspectscore=%{fld41->} phishscore=%{fld42->} bulkscore=%{fld43->} spamscore=%{reputation_num->} adjustscore=%{fld58->} adultscore=%{fld44->} classifier=%{fld45->} adjust=%{fld46->} reason=%{fld47->} scancount=%{fld48->} engine=%{fld49->} definitions=%{fld50->} raw=%{fld51->} tests=%{fld52->} duration=%{duration_string}", processor_chain([ - dup27, - dup9, -])); - -var msg58 = msg("spam_run:rule_03", part65); - -var part66 = match("MESSAGE#58:spam_run:rule_04", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} policy=%{fld38->} score=%{fld39->} kscore.is_bulkscore=%{fld57->} kscore.compositescore=%{fld40->} circleOfTrustscore=%{fld41->} compositescore=%{fld42->} urlsuspect_oldscore=%{fld43->} suspectscore=%{reputation_num->} 
recipient_domain_to_sender_totalscore=%{fld58->} phishscore=%{fld44->} bulkscore=%{fld45->} kscore.is_spamscore=%{fld46->} recipient_to_sender_totalscore=%{fld47->} recipient_domain_to_sender_domain_totalscore=%{fld48->} rbsscore=%{fld49->} spamscore=%{fld50->} recipient_to_sender_domain_totalscore=%{fld51->} urlsuspectscore=%{fld52->} %{fld53->} duration=%{duration_string}", processor_chain([ - dup27, - dup9, -])); - -var msg59 = msg("spam_run:rule_04", part66); - -var part67 = match("MESSAGE#59:spam_run:rule_05", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} policy=%{fld38->} score=%{fld39->} ndrscore=%{fld53->} suspectscore=%{fld40->} malwarescore=%{fld41->} phishscore=%{fld42->} bulkscore=%{fld43->} spamscore=%{reputation_num->} adjustscore=%{fld54->} adultscore=%{fld44->} classifier=%{fld45->} adjust=%{fld46->} reason=%{fld47->} scancount=%{fld48->} engine=%{fld49->} definitions=%{fld50->} raw=%{fld51->} tests=%{fld52->} duration=%{duration_string}", processor_chain([ - dup27, - dup9, -])); - -var msg60 = msg("spam_run:rule_05", part67); - -var part68 = match("MESSAGE#60:spam_run:rule_06", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} mod=%{agent->} total_uri_count=%{dclass_counter1->} uris_excluded_from_report_info=%{dclass_counter2}", processor_chain([ - dup27, - dup9, -])); - -var msg61 = msg("spam_run:rule_06", part68); - -var part69 = match("MESSAGE#61:spam_run:action_01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} action=%{action->} score=%{fld39->} submsgadjust=%{fld53->} spamscore=%{reputation_num->} ipscore=%{fld40->} suspectscore=%{fld41->} phishscore=%{fld42->} bulkscore=%{fld43->} adultscore=%{fld44->} tests=%{fld52}", processor_chain([ - dup27, - dup9, -])); - -var msg62 = 
msg("spam_run:action_01", part69); - -var part70 = match("MESSAGE#62:spam_run:action", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} action=%{action->} score=%{fld39->} submsgadjust=%{fld53->} spamscore=%{reputation_num->} ipscore=%{fld40->} suspectscore=%{fld41->} phishscore=%{fld42->} bulkscore=%{fld43->} adultscore=%{fld44->} tests=%{fld52}", processor_chain([ - dup27, - dup9, -])); - -var msg63 = msg("spam_run:action", part70); - -var part71 = match("MESSAGE#63:spam_run:action_02", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} action=%{action->} num_domains=%{fld53->} num_domains_to_lookup=%{fld40}", processor_chain([ - dup27, - dup9, -])); - -var msg64 = msg("spam_run:action_02", part71); - -var select24 = linear_select([ - msg56, - msg57, - msg58, - msg59, - msg60, - msg61, - msg62, - msg63, - msg64, -]); - -var msg65 = msg("spam_refresh", dup53); - -var msg66 = msg("spam_init", dup53); - -var part72 = match("MESSAGE#66:spam_load", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5}", processor_chain([ - dup27, - dup9, -])); - -var msg67 = msg("spam_load", part72); - -var part73 = match("MESSAGE#67:batv_run", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} policy=%{fld38->} address=%{fld54}", processor_chain([ - dup17, - dup9, -])); - -var msg68 = msg("batv_run", part73); - -var part74 = match("MESSAGE#68:batv_run:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} policy=%{fld38->} address=%{fld54}", processor_chain([ - dup17, - dup9, -])); - -var msg69 = msg("batv_run:01", part74); - -var msg70 = msg("batv_run:02", dup49); - -var msg71 = msg("batv_run:03", dup50); - -var select25 = linear_select([ - msg68, - msg69, - msg70, - msg71, -]); - -var msg72 = 
msg("zerohour_refresh", dup54); - -var msg73 = msg("zerohour_init", dup54); - -var msg74 = msg("zerohour_load", dup52); - -var part75 = match("MESSAGE#74:zerohour_run", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} count=%{fld2->} name=%{fld34->} init_time=%{fld3->} init_virusthreat=%{fld4->} virusthreat=%{fld5->} virusthreatid=%{fld6->} duration=%{duration_string}", processor_chain([ - dup17, - dup9, -])); - -var msg75 = msg("zerohour_run", part75); - -var part76 = match("MESSAGE#75:zerohour_run:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} count=%{fld2->} name=%{fld34->} init_time=%{fld3->} init_virusthreat=%{fld4->} virusthreat=%{fld5->} virusthreatid=%{fld6->} duration=%{duration_string}", processor_chain([ - dup17, - dup9, -])); - -var msg76 = msg("zerohour_run:01", part76); - -var select26 = linear_select([ - msg75, - msg76, -]); - -var part77 = match("MESSAGE#76:service_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} duration=%{duration_string}", processor_chain([ - dup17, - dup9, -])); - -var msg77 = msg("service_refresh", part77); - -var part78 = match("MESSAGE#77:perl_clone", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} id=%{fld5->} duration=%{duration_string}", processor_chain([ - dup17, - dup9, -])); - -var msg78 = msg("perl_clone", part78); - -var part79 = match("MESSAGE#78:cvt_convert", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} cset=%{fld56->} name=%{fld34->} status=%{result->} err=%{fld58}", processor_chain([ - dup17, - dup9, -])); - -var msg79 = msg("cvt_convert", part79); - -var part80 = match("MESSAGE#79:cvt_convert:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} 
cset=%{fld56->} name=%{fld34->} status=%{result->} err=%{fld58}", processor_chain([ - dup17, - dup9, -])); - -var msg80 = msg("cvt_convert:01", part80); - -var part81 = match("MESSAGE#80:cvt_convert:02", "nwparser.payload", "%{fld0->} %{severity->} pid=%{process_id->} mod=%{agent->} cmd=%{obj_type->} cset=%{fld56->} name=%{fld34->} status=%{result->} err=%{fld58}", processor_chain([ - dup17, - dup9, -])); - -var msg81 = msg("cvt_convert:02", part81); - -var select27 = linear_select([ - msg79, - msg80, - msg81, -]); - -var part82 = match("MESSAGE#81:cvt_detect", "nwparser.payload", "%{fld0->} %{severity->} pid=%{process_id->} mod=%{agent->} cmd=%{obj_type->} name=%{fld34->} status=%{result->} err=%{fld58}", processor_chain([ - dup17, - dup9, -])); - -var msg82 = msg("cvt_detect", part82); - -var msg83 = msg("cvtd:01", dup55); - -var msg84 = msg("cvtd", dup56); - -var select28 = linear_select([ - msg83, - msg84, -]); - -var part83 = match("MESSAGE#84:cvtd_encrypted", "nwparser.payload", "%{fld0->} %{severity->} pid=%{fld5->} mod=%{agent->} encrypted=%{fld6}", processor_chain([ - dup17, - dup9, -])); - -var msg85 = msg("cvtd_encrypted", part83); - -var msg86 = msg("filter:01", dup55); - -var msg87 = msg("filter", dup56); - -var select29 = linear_select([ - msg86, - msg87, -]); - -var msg88 = msg("soap_listen", dup57); - -var msg89 = msg("http_listen", dup57); - -var part84 = match("MESSAGE#89:mltr", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} %{event_description}", processor_chain([ - dup17, - dup9, -])); - -var msg90 = msg("mltr", part84); - -var msg91 = msg("milter_listen", dup57); - -var msg92 = msg("smtpsrv_load", dup52); - -var msg93 = msg("smtpsrv_listen", dup57); - -var part85 = match("MESSAGE#93:smtpsrv_run", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ - dup17, - dup9, -])); - -var msg94 = msg("smtpsrv_run", part85); - -var 
part86 = match("MESSAGE#94:smtpsrv/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} %{p0}"); - -var part87 = match("MESSAGE#94:smtpsrv/1_0", "nwparser.p0", "%{result->} err=%{fld58}"); - -var part88 = match_copy("MESSAGE#94:smtpsrv/1_1", "nwparser.p0", "result"); - -var select30 = linear_select([ - part87, - part88, -]); - -var all11 = all_match({ - processors: [ - part86, - select30, - ], - on_success: processor_chain([ - dup17, - dup9, - ]), -}); - -var msg95 = msg("smtpsrv", all11); - -var part89 = match("MESSAGE#95:send", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} cmd=%{obj_type->} profile=%{fld52->} qid=%{fld15->} rcpts=%{to}", processor_chain([ - dup17, - dup9, -])); - -var msg96 = msg("send", part89); - -var part90 = match("MESSAGE#96:send:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} cmd=%{obj_type->} profile=%{fld52->} qid=%{fld15->} rcpts=%{to}", processor_chain([ - dup17, - dup9, -])); - -var msg97 = msg("send:01", part90); - -var part91 = match("MESSAGE#97:send:02", "nwparser.payload", "%{fld0}: %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} cmd=%{obj_type->} rcpt=%{to->} err=%{fld58}", processor_chain([ - dup17, - dup9, -])); - -var msg98 = msg("send:02", part91); - -var select31 = linear_select([ - msg96, - msg97, - msg98, -]); - -var part92 = match("MESSAGE#98:queued-alert/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{p0}"); - -var part93 = match("MESSAGE#98:queued-alert/1_0", "nwparser.p0", "%{fld55->} tls_verify=%{fld70}, pri=%{p0}"); - -var part94 = match("MESSAGE#98:queued-alert/1_1", "nwparser.p0", "%{fld55}, pri=%{p0}"); - -var select32 = linear_select([ - part93, - part94, -]); - -var part95 = match("MESSAGE#98:queued-alert/2", "nwparser.p0", "%{fld23}, relay=%{p0}"); - -var all12 = all_match({ - processors: [ - part92, - select32, - part95, - dup58, - dup32, 
- ], - on_success: processor_chain([ - dup17, - dup9, - ]), -}); - -var msg99 = msg("queued-alert", all12); - -var part96 = match("MESSAGE#99:queued-alert:01/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld57}, nrcpts=%{fld58}, msgid=%{id}, proto=%{protocol}, daemon=%{fld69}, tls_verify=%{fld70}, auth=%{authmethod}, relay=%{p0}"); - -var part97 = match("MESSAGE#99:queued-alert:01/1_0", "nwparser.p0", "[%{fld50}] [%{daddr}]"); - -var select33 = linear_select([ - part97, - dup33, - dup34, - dup35, -]); - -var all13 = all_match({ - processors: [ - part96, - select33, - ], - on_success: processor_chain([ - dup17, - dup9, - dup36, - ]), -}); - -var msg100 = msg("queued-alert:01", all13); - -var part98 = match("MESSAGE#100:queued-alert:02/1_0", "nwparser.p0", "[%{fld50}] [%{daddr}],%{p0}"); - -var select34 = linear_select([ - part98, - dup29, - dup30, - dup31, -]); - -var part99 = match("MESSAGE#100:queued-alert:02/2", "nwparser.p0", "%{}version=%{version}, verify=%{fld57}, cipher=%{s_cipher}, bits=%{fld59}"); - -var all14 = all_match({ - processors: [ - dup37, - select34, - part99, - ], - on_success: processor_chain([ - dup17, - dup9, - dup36, - ]), -}); - -var msg101 = msg("queued-alert:02", all14); - -var select35 = linear_select([ - msg99, - msg100, - msg101, -]); - -var msg102 = msg("queued-VoltageEncrypt", dup63); - -var msg103 = msg("queued-VoltageEncrypt:01", dup64); - -var select36 = linear_select([ - msg102, - msg103, -]); - -var msg104 = msg("queued-default", dup63); - -var msg105 = msg("queued-default:01", dup64); - -var msg106 = msg("queued-default:02", dup65); - -var msg107 = msg("queued-default:03", dup66); - -var msg108 = msg("queued-default:04", dup60); - -var select37 = linear_select([ - msg104, - msg105, - msg106, - msg107, - msg108, -]); - -var msg109 = msg("queued-reinject", dup63); - -var msg110 = msg("queued-reinject:01", dup64); - -var msg111 = msg("queued-reinject:02", dup65); - -var msg112 = 
msg("queued-reinject:03", dup66); - -var part100 = match("MESSAGE#111:queued-reinject:05", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: maxrcpts=%{fld56}, rcpts=%{fld57}, count=%{fld58}, ids=%{fld59}", processor_chain([ - dup17, - dup9, -])); - -var msg113 = msg("queued-reinject:05", part100); - -var msg114 = msg("queued-reinject:04", dup60); - -var msg115 = msg("queued-reinject:06", dup61); - -var select38 = linear_select([ - msg109, - msg110, - msg111, - msg112, - msg113, - msg114, - msg115, -]); - -var part101 = match("MESSAGE#114:queued-eurort/2", "nwparser.p0", "%{}version=%{version}, verify=%{disposition}, cipher=%{fld58}, bits=%{fld59}"); - -var all15 = all_match({ - processors: [ - dup37, - dup58, - part101, - ], - on_success: processor_chain([ - dup17, - dup9, - ]), -}); - -var msg116 = msg("queued-eurort", all15); - -var msg117 = msg("queued-eurort:01", dup63); - -var msg118 = msg("queued-eurort:02", dup67); - -var msg119 = msg("queued-eurort:03", dup60); - -var select39 = linear_select([ - msg116, - msg117, - msg118, - msg119, -]); - -var msg120 = msg("queued-vdedc2v5", dup63); - -var msg121 = msg("queued-vdedc2v5:01", dup67); - -var select40 = linear_select([ - msg120, - msg121, -]); - -var msg122 = msg("sm-msp-queue", dup66); - -var part102 = match("MESSAGE#122:sm-msp-queue:01", "nwparser.payload", "%{agent}[%{process_id}]: starting daemon (%{fld7}): %{fld6}", processor_chain([ - setc("eventcategory","1605000000"), - dup9, -])); - -var msg123 = msg("sm-msp-queue:01", part102); - -var part103 = match("MESSAGE#123:sm-msp-queue:02/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: to=%{to}, ctladdr=%{fld13}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, pri=%{fld23}, relay=%{p0}"); - -var all16 = all_match({ - processors: [ - part103, - dup58, - dup32, - ], - on_success: processor_chain([ - dup17, - dup9, - ]), -}); - -var msg124 = msg("sm-msp-queue:02", all16); - -var select41 = linear_select([ - msg122, - msg123, - msg124, -]); - 
-var part104 = match("MESSAGE#124:sendmail:15/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, tls_verify=%{fld24}, pri=%{fld23}, relay=%{p0}"); - -var part105 = match("MESSAGE#124:sendmail:15/1_1", "nwparser.p0", "%{dhost}. [%{daddr}],%{p0}"); - -var part106 = match("MESSAGE#124:sendmail:15/1_2", "nwparser.p0", "%{dhost}.,%{p0}"); - -var select42 = linear_select([ - dup28, - part105, - part106, -]); - -var all17 = all_match({ - processors: [ - part104, - select42, - dup32, - ], - on_success: processor_chain([ - dup17, - dup9, - ]), -}); - -var msg125 = msg("sendmail:15", all17); - -var part107 = match("MESSAGE#125:sendmail:14/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld54}, nrcpts=%{fld55}, msgid=%{id}, proto=%{protocol}, daemon=%{p0}"); - -var part108 = match("MESSAGE#125:sendmail:14/1_0", "nwparser.p0", "%{fld69}, tls_verify=%{fld70}, auth=%{authmethod}, relay=%{p0}"); - -var part109 = match("MESSAGE#125:sendmail:14/1_1", "nwparser.p0", "%{fld69}, relay=%{p0}"); - -var select43 = linear_select([ - part108, - part109, -]); - -var all18 = all_match({ - processors: [ - part107, - select43, - dup59, - ], - on_success: processor_chain([ - dup17, - dup9, - ]), -}); - -var msg126 = msg("sendmail:14", all18); - -var msg127 = msg("sendmail", dup68); - -var part110 = match("MESSAGE#127:sendmail:01", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: available mech=%{fld2}, allowed mech=%{fld3}", processor_chain([ - dup17, - dup9, -])); - -var msg128 = msg("sendmail:01", part110); - -var part111 = match("MESSAGE#128:sendmail:02", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: milter=%{fld2}, action=%{action}, reject=%{fld3}", processor_chain([ - dup17, - dup9, -])); - -var msg129 = msg("sendmail:02", part111); - -var part112 = match("MESSAGE#129:sendmail:03", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}: %{fld57}: 
host=%{hostname}, addr=%{saddr}, reject=%{fld3}", processor_chain([ - dup17, - dup9, -])); - -var msg130 = msg("sendmail:03", part112); - -var part113 = match("MESSAGE#130:sendmail:08", "nwparser.payload", "%{fld10->} %{agent}[%{process_id}]: %{fld1}: Milter %{action}: %{fld2}: %{fld3}: vendor=%{fld36->} engine=%{fld49->} definitions=%{fld50->} signatures=%{fld94}", processor_chain([ - dup17, - dup9, -])); - -var msg131 = msg("sendmail:08", part113); - -var part114 = match("MESSAGE#131:sendmail:09", "nwparser.payload", "%{fld10->} %{agent}[%{process_id}]: %{fld1}: Milter %{action}: %{fld2}: %{fld3}: rule=%{rulename->} policy=%{fld38->} score=%{fld39->} spamscore=%{reputation_num->} suspectscore=%{fld41->} phishscore=%{fld42->} adultscore=%{fld44->} bulkscore=%{fld43->} classifier=%{fld45->} adjust=%{fld46->} reason=%{fld47->} scancount=%{fld48->} engine=%{fld49->} definitions=%{fld50}", processor_chain([ - dup17, - dup9, -])); - -var msg132 = msg("sendmail:09", part114); - -var part115 = match("MESSAGE#132:sendmail:10/0", "nwparser.payload", "%{fld10->} %{agent}[%{process_id}]: %{fld1}: Milter %{action}: rcpt%{p0}"); - -var part116 = match("MESSAGE#132:sendmail:10/1_0", "nwparser.p0", ": %{p0}"); - -var part117 = match_copy("MESSAGE#132:sendmail:10/1_1", "nwparser.p0", "p0"); - -var select44 = linear_select([ - part116, - part117, -]); - -var part118 = match("MESSAGE#132:sendmail:10/2", "nwparser.p0", "%{} %{fld2}"); - -var all19 = all_match({ - processors: [ - part115, - select44, - part118, - ], - on_success: processor_chain([ - dup17, - dup9, - ]), -}); - -var msg133 = msg("sendmail:10", all19); - -var part119 = match("MESSAGE#133:sendmail:11/0", "nwparser.payload", "%{fld10->} %{agent}[%{process_id}]: STARTTLS=%{fld1}, relay=%{p0}"); - -var all20 = all_match({ - processors: [ - part119, - dup58, - dup42, - ], - on_success: processor_chain([ - dup17, - dup9, - ]), -}); - -var msg134 = msg("sendmail:11", all20); - -var part120 = match("MESSAGE#134:sendmail:12", 
"nwparser.payload", "%{fld10->} %{agent}[%{process_id}]: %{fld1}: SYSERR(%{fld2}): %{action}: %{event_description->} from %{from}, from=%{fld3}", processor_chain([ - dup17, - dup9, -])); - -var msg135 = msg("sendmail:12", part120); - -var part121 = match("MESSAGE#135:sendmail:13/0_0", "nwparser.payload", "%{fld10->} %{agent}]%{p0}"); - -var part122 = match("MESSAGE#135:sendmail:13/0_1", "nwparser.payload", "%{agent}]%{p0}"); - -var select45 = linear_select([ - part121, - part122, -]); - -var part123 = match("MESSAGE#135:sendmail:13/1", "nwparser.p0", "%{process_id}[: %{fld1}: SYSERR(%{fld2}): %{action}: %{event_description->} file %(unknown): %{fld3}"); - -var all21 = all_match({ - processors: [ - select45, - part123, - ], - on_success: processor_chain([ - dup17, - dup9, - ]), -}); - -var msg136 = msg("sendmail:13", all21); - -var part124 = match("MESSAGE#136:sendmail:04", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}: %{fld57}:%{event_description}", processor_chain([ - dup17, - dup9, -])); - -var msg137 = msg("sendmail:04", part124); - -var part125 = match("MESSAGE#137:sendmail:05", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}:%{event_description}", processor_chain([ - dup17, - dup9, -])); - -var msg138 = msg("sendmail:05", part125); - -var part126 = match("MESSAGE#169:sendmail:06/0", "nwparser.payload", "%{agent}[%{process_id}]: AUTH=%{authmethod}, relay=%{p0}"); - -var part127 = match("MESSAGE#169:sendmail:06/2", "nwparser.p0", "%{}authid=%{uid}, mech=%{scheme}, bits=%{fld59}"); - -var all22 = all_match({ - processors: [ - part126, - dup58, - part127, - ], - on_success: processor_chain([ - dup17, - dup9, - ]), -}); - -var msg139 = msg("sendmail:06", all22); - -var msg140 = msg("sendmail:07", dup61); - -var select46 = linear_select([ - msg125, - msg126, - msg127, - msg128, - msg129, - msg130, - msg131, - msg132, - msg133, - msg134, - msg135, - msg136, - msg137, - msg138, - msg139, - msg140, -]); - -var part128 = 
match("MESSAGE#138:info:eid_pid_status", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} pid=%{process_id->} status=%{fld29}", processor_chain([ - dup17, - dup9, -])); - -var msg141 = msg("info:eid_pid_status", part128); - -var part129 = match("MESSAGE#139:info:eid_status", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} status=%{fld29}", processor_chain([ - dup17, - dup9, -])); - -var msg142 = msg("info:eid_status", part129); - -var part130 = match("MESSAGE#140:info:eid", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} %{info}", processor_chain([ - dup17, - dup9, -])); - -var msg143 = msg("info:eid", part130); - -var msg144 = msg("info:pid", dup62); - -var part131 = match("MESSAGE#143:info/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{p0}"); - -var part132 = match("MESSAGE#143:info/1_0", "nwparser.p0", "%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} ofrom=%{from}"); - -var part133 = match("MESSAGE#143:info/1_1", "nwparser.p0", "%{sessionid1->} status=%{info->} restquery_stage=%{fld3}"); - -var part134 = match_copy("MESSAGE#143:info/1_2", "nwparser.p0", "sessionid1"); - -var select47 = linear_select([ - part132, - part133, - part134, -]); - -var all23 = all_match({ - processors: [ - part131, - select47, - ], - on_success: processor_chain([ - dup17, - dup9, - ]), -}); - -var msg145 = msg("info", all23); - -var part135 = match("MESSAGE#144:info:02", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} sys=%{fld1->} evt=%{action->} active=%{fld2->} expires=%{fld3->} msg=%{event_description}", processor_chain([ - dup17, - dup9, -])); - -var msg146 = msg("info:02", part135); - -var part136 = match("MESSAGE#145:info:03", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} server=%{saddr->} elapsed=%{duration_string->} avgtime=%{fld2->} qname=%{fld3->} qtype=%{fld4}", processor_chain([ - dup17, - dup9, -])); - -var msg147 = msg("info:03", part136); - -var part137 = 
match("MESSAGE#146:info:01", "nwparser.payload", "%{fld0->} %{severity->} %{web_method->} /%{info}: %{resultcode}", processor_chain([ - dup17, - dup9, -])); - -var msg148 = msg("info:01", part137); - -var part138 = match("MESSAGE#147:info:04/0", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} sys=%{fld1->} evt=%{p0}"); - -var part139 = match("MESSAGE#147:info:04/1_0", "nwparser.p0", "%{action->} msg=%{event_description}"); - -var part140 = match_copy("MESSAGE#147:info:04/1_1", "nwparser.p0", "action"); - -var select48 = linear_select([ - part139, - part140, -]); - -var all24 = all_match({ - processors: [ - part138, - select48, - ], - on_success: processor_chain([ - dup17, - dup9, - ]), -}); - -var msg149 = msg("info:04", all24); - -var part141 = match("MESSAGE#148:info:05/0", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} %{p0}"); - -var part142 = match("MESSAGE#148:info:05/1_0", "nwparser.p0", "type=%{fld6->} cmd=%{obj_type->} id=%{fld5}"); - -var part143 = match("MESSAGE#148:info:05/1_1", "nwparser.p0", "cmd=%{obj_type}"); - -var select49 = linear_select([ - part142, - part143, -]); - -var all25 = all_match({ - processors: [ - part141, - select49, - ], - on_success: processor_chain([ - dup17, - dup9, - ]), -}); - -var msg150 = msg("info:05", all25); - -var select50 = linear_select([ - msg141, - msg142, - msg143, - msg144, - msg145, - msg146, - msg147, - msg148, - msg149, - msg150, -]); - -var msg151 = msg("note:pid", dup62); - -var part144 = match("MESSAGE#149:note:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} module=%{agent->} action=%{action->} size=%{bytes}", processor_chain([ - dup17, - dup9, -])); - -var msg152 = msg("note:01", part144); - -var select51 = linear_select([ - msg151, - msg152, -]); - -var part145 = match("MESSAGE#150:rprt", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} 
secprofile_name=%{fld3->} rcpts=%{dclass_counter2->} duration=%{duration_string}", processor_chain([ - dup17, - dup9, -])); - -var msg153 = msg("rprt", part145); - -var part146 = match("MESSAGE#151:err", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} module=%{agent->} age=%{fld6->} limit=%{fld31}", processor_chain([ - dup17, - dup9, -])); - -var msg154 = msg("err", part146); - -var part147 = match("MESSAGE#152:warn", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} eid=%{fld4->} result=%{result}", processor_chain([ - dup17, - dup9, -])); - -var msg155 = msg("warn", part147); - -var part148 = match("MESSAGE#153:warn:01", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} status=\"%{event_state->} file: %(unknown)\"", processor_chain([ - dup17, - dup9, -])); - -var msg156 = msg("warn:01", part148); - -var part149 = match("MESSAGE#154:warn:02", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} status=\"%{event_state->} file %{filename->} does not contain enough (or correct) info. Fix this or remove the file.\"", processor_chain([ - dup17, - dup9, - setc("event_description","does not contain enough (or correct) info. 
Fix this or remove the file"), -])); - -var msg157 = msg("warn:02", part149); - -var select52 = linear_select([ - msg155, - msg156, - msg157, -]); - -var msg158 = msg("queued-aglife", dup68); - -var msg159 = msg("pdr_run", dup50); - -var part150 = match("MESSAGE#157:pdr_ttl/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} ttl=%{fld1->} reply=\"%{p0}"); - -var part151 = match("MESSAGE#157:pdr_ttl/1_0", "nwparser.p0", "\\\"%{fld2->} rscore=%{fld3}\\\"\""); - -var part152 = match("MESSAGE#157:pdr_ttl/1_1", "nwparser.p0", "%{fld2}\""); - -var select53 = linear_select([ - part151, - part152, -]); - -var all26 = all_match({ - processors: [ - part150, - select53, - ], - on_success: processor_chain([ - dup17, - dup9, - ]), -}); - -var msg160 = msg("pdr_ttl", all26); - -var part153 = match("MESSAGE#158:dkimv_run:signature", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} signature=%{fld1->} identity=%{sigid_string->} host=%{hostname->} result=%{result->} result_detail=%{fld2}", processor_chain([ - dup17, - dup9, -])); - -var msg161 = msg("dkimv_run:signature", part153); - -var part154 = match("MESSAGE#159:dkimv_run:status", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} status=\"%{info}, %{event_state}\"", processor_chain([ - dup17, - dup9, -])); - -var msg162 = msg("dkimv_run:status", part154); - -var select54 = linear_select([ - msg161, - msg162, -]); - -var part155 = match("MESSAGE#160:dkimv_type", "nwparser.payload", "%{fld0}: %{severity->} mod=%{agent->} unexpected response type=%{fld1}", processor_chain([ - dup17, - dup9, - setc("result","unexpected response"), -])); - -var msg163 = msg("dkimv_type", part155); - -var part156 = match("MESSAGE#161:dkimv_type:01", "nwparser.payload", "%{fld0}: %{severity->} mod=%{agent->} type=%{fld1->} cmd=%{obj_type->} id=%{fld5->} 
publickey_cache_entries=%{fld6}", processor_chain([ - dup17, - dup9, -])); - -var msg164 = msg("dkimv_type:01", part156); - -var select55 = linear_select([ - msg163, - msg164, -]); - -var msg165 = msg("dmarc_run:rule", dup49); - -var part157 = match("MESSAGE#163:dmarc_run:result", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} result=%{result->} result_detail=%{fld2}", processor_chain([ - dup17, - dup9, -])); - -var msg166 = msg("dmarc_run:result", part157); - -var select56 = linear_select([ - msg165, - msg166, -]); - -var part158 = match("MESSAGE#164:dmarc_type", "nwparser.payload", "%{fld0}: %{severity->} mod=%{agent->} type=%{fld1->} cmd=%{obj_type->} id=%{fld5->} policy_cache_entries=%{fld6}", processor_chain([ - dup17, - dup9, -])); - -var msg167 = msg("dmarc_type", part158); - -var msg168 = msg("spf_run:rule", dup49); - -var part159 = match("MESSAGE#166:spf_run:cmd", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} cmd=%{obj_type->} result=%{result}", processor_chain([ - dup17, - dup9, -])); - -var msg169 = msg("spf_run:cmd", part159); - -var select57 = linear_select([ - msg168, - msg169, -]); - -var part160 = match("MESSAGE#167:action_checksubmsg", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} action=%{action->} score=%{fld39->} submsgadjust=%{fld53->} spamscore=%{reputation_num->} suspectscore=%{fld41->} malwarescore=%{fld49->} phishscore=%{fld42->} adultscore=%{fld44->} bulkscore=%{fld43->} tests=%{fld52}", processor_chain([ - dup17, - dup9, -])); - -var msg170 = msg("action_checksubmsg", part160); - -var part161 = match("MESSAGE#168:rest_oauth", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} authscope=%{fld5->} err=%{fld58}", processor_chain([ - dup17, - dup9, -])); - -var msg171 = msg("rest_oauth", part161); - -var 
part162 = match("MESSAGE#171:filter_instance1:01", "nwparser.payload", "mod=%{agent->} type=%{fld1->} cmd=%{obj_type->} id=%{id->} load smartid ccard", processor_chain([ - dup17, - dup9, - setc("event_description","load smartid ccard"), - dup36, -])); - -var msg172 = msg("filter_instance1:01", part162); - -var part163 = match("MESSAGE#172:filter_instance1:02", "nwparser.payload", "mod=%{agent->} type=%{fld1->} cmd=%{obj_type->} id=%{id->} load smartid jcb", processor_chain([ - dup17, - dup9, - setc("event_description","load smartid jcb"), - dup36, -])); - -var msg173 = msg("filter_instance1:02", part163); - -var part164 = match("MESSAGE#173:filter_instance1:03/0", "nwparser.payload", "s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=\"%{subject}\" %{p0}"); - -var part165 = match("MESSAGE#173:filter_instance1:03/1_0", "nwparser.p0", "spamscore=%{reputation_num->} virusname=%{threat_name->} duration=%{p0}"); - -var part166 = match("MESSAGE#173:filter_instance1:03/1_1", "nwparser.p0", "duration=%{p0}"); - -var select58 = linear_select([ - part165, - part166, -]); - -var part167 = match("MESSAGE#173:filter_instance1:03/2", "nwparser.p0", "%{fld16->} elapsed=%{duration_string}"); - -var all27 = all_match({ - processors: [ - part164, - select58, - part167, - ], - on_success: processor_chain([ - dup11, - dup9, - dup12, - dup13, - dup36, - ]), -}); - -var msg174 = msg("filter_instance1:03", all27); - -var part168 = match("MESSAGE#174:filter_instance1:04", "nwparser.payload", "s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} helo=%{fld32->} msgs=%{fld33->} rcpts=%{dclass_counter2->} routes=%{fld4->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ - 
dup17, - dup9, - dup13, - dup36, -])); - -var msg175 = msg("filter_instance1:04", part168); - -var part169 = match("MESSAGE#175:filter_instance1:05", "nwparser.payload", "s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} header.from=\"\\\"%{info}\\\" %{fld4->} \u003c\u003c%{user_address}>\"", processor_chain([ - dup17, - dup9, - dup36, -])); - -var msg176 = msg("filter_instance1:05", part169); - -var part170 = tagval("MESSAGE#176:filter_instance1", "nwparser.payload", tvm, { - "X-Proofpoint-Spam-Details": "fld71", - "a": "fld12", - "action": "action", - "active": "fld2", - "addr": "saddr", - "adjust": "fld46", - "adjustscore": "fld54", - "adultscore": "fld44", - "alert": "fld53", - "attachments": "fld80", - "avgtime": "fld2", - "bulkscore": "fld43", - "cipher": "s_cipher", - "cipher_bits": "fld59", - "classifier": "fld45", - "cmd": "obj_type", - "corrupted": "fld9", - "country": "location_country", - "data_notroutes": "fld32", - "data_routes": "fld31", - "definitions": "fld50", - "delegate-for": "fld5", - "dict": "fld87", - "dkimresult": "fld65", - "duration": "duration_string", - "elapsed": "duration_string", - "engine": "fld49", - "evt": "action", - "expires": "fld3", - "file": "filename", - "from": "from", - "guid": "fld14", - "hdr_mid": "id", - "header-size": "bytes", - "header.from": "fld40", - "helo": "fld32", - "hops-ip": "fld61", - "hops_active": "fld26", - "host": "hostname", - "id": "id", - "install_dir": "directory", - "instance": "fld90", - "ip": "hostip", - "ksurl": "fld7", - "lint": "fld33", - "lip": "fld24", - "m": "mail_id", - "malwarescore": "fld41", - "maxfd": "fld91", - "method": "fld37", - "mime": "content_type", - "mlxlogscore": "fld95", - "mlxscore": "fld94", - "mod": "agent", - "module": "event_source", - "msg": "msg", - "msgs": "fld76", - "notroutes": "fld18", - "num_domains": "fld53", - "num_domains_to_lookup": "fld40", - "oext": "fld8", - "omime": "fld7", - "perlwait": "fld27", - "phishscore": "fld42", - 
"pid": "process_id", - "policy": "fld48", - "policy_cache_entries": "fld6", - "profile": "fld52", - "prot": "fld25", - "protected": "fld10", - "publickey_cache_entries": "fld6", - "qid": "fld15", - "qname": "fld3", - "qtype": "fld4", - "query": "fld38", - "r": "event_counter", - "rcpt": "to", - "rcpt_notroutes": "fld29", - "rcpt_routes": "fld28", - "rcpts": "fld59", - "realm": "fld61", - "reason": "fld47", - "record": "fld39", - "release": "fld92", - "resolve": "fld28", - "result": "result", - "result_detail": "fld74", - "result_record": "fld2", - "reverse": "fld13", - "rewritten": "fld17", - "routes": "fld4", - "rule": "rulename", - "s": "sessionid", - "scancount": "fld18", - "score": "fld39", - "server": "saddr", - "sha256": "checksum", - "sig": "fld60", - "signatures": "fld94", - "size": "bytes", - "smtp.mailfrom": "fld44", - "spamscore": "reputation_num", - "spfresult": "fld68", - "subject": "subject", - "submsgadjust": "fld53", - "suborg": "fld22", - "suspectscore": "fld41", - "sys": "fld1", - "tests": "fld52", - "threshold": "fld11", - "tls": "fld60", - "tls_version": "fld84", - "type": "fld1", - "uid": "uid", - "user": "username", - "value": "context", - "vendor": "fld36", - "verified": "fld3", - "verify": "fld57", - "version": "version", - "virtual": "fld11", - "virusname": "threat_name", - "x": "sessionid1", -}, processor_chain([ - dup17, - dup36, -])); - -var msg177 = msg("filter_instance1", part170); - -var select59 = linear_select([ - msg172, - msg173, - msg174, - msg175, - msg176, - msg177, -]); - -var chain1 = processor_chain([ - select1, - msgid_select({ - "access_load": msg53, - "access_refresh": select21, - "access_run": select20, - "action_checksubmsg": msg170, - "av_init": msg45, - "av_load": msg46, - "av_refresh": msg44, - "av_run": select19, - "batv_run": select25, - "cvt_convert": select27, - "cvt_detect": msg82, - "cvtd": select28, - "cvtd_encrypted": msg85, - "dkimv_run": select54, - "dkimv_type": select55, - "dmarc_run": select56, - 
"dmarc_type": msg167, - "err": msg154, - "filter": select29, - "filter_instance1": select59, - "http_listen": msg89, - "info": select50, - "mail_attachment": select3, - "mail_continue-system-sendmail": msg18, - "mail_env_from": select5, - "mail_env_rcpt": select2, - "mail_helo": select6, - "mail_msg": select4, - "mail_release": msg19, - "milter_listen": msg91, - "mltr": msg90, - "note": select51, - "pdr_run": msg159, - "pdr_ttl": msg160, - "perl_clone": msg78, - "queued-VoltageEncrypt": select36, - "queued-aglife": msg158, - "queued-alert": select35, - "queued-default": select37, - "queued-eurort": select39, - "queued-reinject": select38, - "queued-vdedc2v5": select40, - "regulation_init": msg54, - "regulation_refresh": msg55, - "rest_oauth": msg171, - "rprt": msg153, - "send": select31, - "sendmail": select46, - "service_refresh": msg77, - "session_connect": select12, - "session_data": select8, - "session_disconnect": select16, - "session_dispose": select15, - "session_headers": select10, - "session_judge": select11, - "session_resolve": select13, - "session_store": select9, - "session_throttle": select14, - "sm-msp-queue": select41, - "smtpsrv": msg95, - "smtpsrv_listen": msg93, - "smtpsrv_load": msg92, - "smtpsrv_run": msg94, - "soap_listen": msg88, - "spam_init": msg66, - "spam_load": msg67, - "spam_refresh": msg65, - "spam_run": select24, - "spf_run": select57, - "warn": select52, - "zerohour_init": msg73, - "zerohour_load": msg74, - "zerohour_refresh": msg72, - "zerohour_run": select26, - }), -]); - -var part171 = match("HEADER#0:0024/1_0", "nwparser.p0", "info%{p0}"); - -var part172 = match("HEADER#0:0024/1_1", "nwparser.p0", "rprt%{p0}"); - -var part173 = match("HEADER#0:0024/1_2", "nwparser.p0", "warn%{p0}"); - -var part174 = match("HEADER#0:0024/1_3", "nwparser.p0", "err%{p0}"); - -var part175 = match("HEADER#0:0024/1_4", "nwparser.p0", "note%{p0}"); - -var part176 = match("MESSAGE#11:mail_env_from:ofrom/1_0", "nwparser.p0", "%{hostip->} 
sampling=%{fld19}"); - -var part177 = match_copy("MESSAGE#11:mail_env_from:ofrom/1_1", "nwparser.p0", "hostip"); - -var part178 = match("MESSAGE#25:session_judge/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} %{p0}"); - -var part179 = match("MESSAGE#25:session_judge/1_0", "nwparser.p0", "attachment=%{fld58->} file=%{fld1->} mod=%{p0}"); - -var part180 = match("MESSAGE#25:session_judge/1_1", "nwparser.p0", "mod=%{p0}"); - -var part181 = match("MESSAGE#39:av_run:02/1_1", "nwparser.p0", "vendor=%{fld36->} version=\"%{component_version}\" duration=%{p0}"); - -var part182 = match_copy("MESSAGE#39:av_run:02/2", "nwparser.p0", "duration_string"); - -var part183 = match("MESSAGE#98:queued-alert/3_0", "nwparser.p0", "[%{daddr}] [%{daddr}],%{p0}"); - -var part184 = match("MESSAGE#98:queued-alert/3_1", "nwparser.p0", "[%{daddr}],%{p0}"); - -var part185 = match("MESSAGE#98:queued-alert/3_2", "nwparser.p0", "%{dhost->} [%{daddr}],%{p0}"); - -var part186 = match("MESSAGE#98:queued-alert/3_3", "nwparser.p0", "%{dhost},%{p0}"); - -var part187 = match("MESSAGE#98:queued-alert/4", "nwparser.p0", "%{}dsn=%{resultcode}, stat=%{info}"); - -var part188 = match("MESSAGE#99:queued-alert:01/1_1", "nwparser.p0", "[%{daddr}]"); - -var part189 = match("MESSAGE#99:queued-alert:01/1_2", "nwparser.p0", "%{dhost->} [%{daddr}]"); - -var part190 = match_copy("MESSAGE#99:queued-alert:01/1_3", "nwparser.p0", "dhost"); - -var part191 = match("MESSAGE#100:queued-alert:02/0", "nwparser.payload", "%{agent}[%{process_id}]: STARTTLS=%{fld1}, relay=%{p0}"); - -var part192 = match("MESSAGE#101:queued-VoltageEncrypt/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, pri=%{fld23}, relay=%{p0}"); - -var part193 = match("MESSAGE#120:queued-VoltageEncrypt:01/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld57}, nrcpts=%{fld58}, msgid=%{id}, 
proto=%{protocol}, daemon=%{fld69}, relay=%{p0}"); - -var part194 = match("MESSAGE#120:queued-VoltageEncrypt:01/1_0", "nwparser.p0", "[%{daddr}] [%{daddr}]"); - -var part195 = match("MESSAGE#104:queued-default:02/2", "nwparser.p0", "%{}field=%{fld2}, status=%{info}"); - -var part196 = match("MESSAGE#105:queued-default:03/2", "nwparser.p0", "%{}version=%{fld55}, verify=%{fld57}, cipher=%{fld58}, bits=%{fld59}"); - -var part197 = match("MESSAGE#116:queued-eurort:02/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld57}, nrcpts=%{fld58}, msgid=%{id}, proto=%{protocol}, daemon=%{fld69}, tls_verify=%{fld70}, auth=%{fld71}, relay=%{p0}"); - -var part198 = match("MESSAGE#126:sendmail/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, pri=%{fld23}, relay=%{p0}"); - -var select60 = linear_select([ - dup1, - dup2, - dup3, - dup4, - dup5, -]); - -var select61 = linear_select([ - dup14, - dup15, -]); - -var select62 = linear_select([ - dup19, - dup20, -]); - -var part199 = match("MESSAGE#43:av_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} vendor=%{fld36->} engine=%{fld49->} definitions=%{fld50->} signatures=%{fld94}", processor_chain([ - dup26, - dup9, -])); - -var part200 = match("MESSAGE#48:access_run:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ - dup17, - dup9, -])); - -var part201 = match("MESSAGE#49:access_run:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ - dup17, - dup9, -])); - -var part202 = match("MESSAGE#51:access_refresh:01", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} 
cmd=%{obj_type->} id=%{fld5->} action=%{action->} dict=%{fld37->} file=%(unknown)", processor_chain([ - dup17, - dup9, -])); - -var part203 = match("MESSAGE#52:access_load", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5}", processor_chain([ - dup17, - dup9, -])); - -var part204 = match("MESSAGE#64:spam_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} engine=%{fld49->} definitions=%{fld50}", processor_chain([ - dup27, - dup9, -])); - -var part205 = match("MESSAGE#71:zerohour_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} version=%{fld55}", processor_chain([ - dup17, - dup9, -])); - -var part206 = match("MESSAGE#82:cvtd:01", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} sig=%{fld60}", processor_chain([ - dup17, - dup9, -])); - -var part207 = match("MESSAGE#83:cvtd", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type}", processor_chain([ - dup17, - dup9, -])); - -var part208 = match("MESSAGE#87:soap_listen", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} addr=%{saddr}", processor_chain([ - dup17, - dup9, -])); - -var select63 = linear_select([ - dup28, - dup29, - dup30, - dup31, -]); - -var select64 = linear_select([ - dup40, - dup33, - dup34, - dup35, -]); - -var part209 = match("MESSAGE#106:queued-default:04", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: timeout waiting for input from %{fld11->} during server cmd read", processor_chain([ - dup17, - dup9, -])); - -var part210 = match("MESSAGE#113:queued-reinject:06", "nwparser.payload", "%{agent}[%{process_id}]: %{event_description}", processor_chain([ - dup17, - dup9, -])); - -var part211 = match("MESSAGE#141:info:pid", "nwparser.payload", "%{fld0->} %{severity->} pid=%{process_id->} %{web_method->} /%{info}: %{resultcode}", processor_chain([ - 
dup17, - dup9, -])); - -var all28 = all_match({ - processors: [ - dup38, - dup58, - dup32, - ], - on_success: processor_chain([ - dup17, - dup9, - ]), -}); - -var all29 = all_match({ - processors: [ - dup39, - dup59, - ], - on_success: processor_chain([ - dup17, - dup9, - ]), -}); - -var all30 = all_match({ - processors: [ - dup37, - dup58, - dup41, - ], - on_success: processor_chain([ - dup17, - dup9, - ]), -}); - -var all31 = all_match({ - processors: [ - dup37, - dup58, - dup42, - ], - on_success: processor_chain([ - dup17, - dup9, - ]), -}); - -var all32 = all_match({ - processors: [ - dup43, - dup59, - ], - on_success: processor_chain([ - dup17, - dup9, - ]), -}); - -var all33 = all_match({ - processors: [ - dup44, - dup58, - dup32, - ], - on_success: processor_chain([ - dup17, - dup9, - ]), -}); diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/ingest/pipeline.yml b/x-pack/filebeat/module/proofpoint/emailsecurity/ingest/pipeline.yml deleted file mode 100644 index 6d2b0346ac2..00000000000 --- a/x-pack/filebeat/module/proofpoint/emailsecurity/ingest/pipeline.yml +++ /dev/null 
@@ -1,64 +0,0 @@
----
-description: Pipeline for Proofpoint Email Security
-
-processors:
- # ECS event.ingested
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
- # User agent
- - user_agent:
- field: user_agent.original
- ignore_missing: true
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
-
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - append:
- field: related.hosts
- value: '{{host.name}}'
- allow_duplicates: false
- if: ctx.host?.name != null && ctx.host?.name != ''
-on_failure:
- - append:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/manifest.yml b/x-pack/filebeat/module/proofpoint/emailsecurity/manifest.yml
deleted file mode 100644
index 508b0323eb3..00000000000
--- a/x-pack/filebeat/module/proofpoint/emailsecurity/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-module_version: "1.0"
-
-var:
- - name: paths
- - name: tags
- default: ["proofpoint.emailsecurity", "forwarded"]
- - name: syslog_host
- default: localhost
- - name: syslog_port
- default: 9547
- - name: input
- default: udp
- - name: community_id
- default: true
- - name: tz_offset
- default: local
- - name: rsa_fields
- default: true
- - name: keep_raw_fields
- default: false
- - name: debug
- default: false
-
-ingest_pipeline: ingest/pipeline.yml
-input: config/input.yml
-
-requires.processors:
-- name: geoip
- plugin: ingest-geoip
-- name: user_agent
- plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log b/x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log
deleted file mode 100644
index 2c98612c595..00000000000
--- a/x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log
+++ /dev/null
@@ -1,100 +0,0 @@ -January 29 06:09:59 avolupt low mod=perl cmd=clone cmd=olab id=nto duration=sse -2016/02/12T13:12:33.umdo itessequ session_store[vol]: info luptat high s=nibus mod=mipsumq cmd=gnaali module=enatus rule=mquia folder=ameaqu pri=aqu duration=utper -February 26 20:15:08 emape low s=incidi mod=session_connect cmd=nse ip=10.46.185.46 country=temvel lip=iatu prot=serror hops_active=anti routes=ofdeF notroutes=metcons perlwait=roinBCS -2016/03/12T03:17:42.iam mqua queued-eurort[3391]: olab: from=mquisnos, size=5771, class=ore, nrcpts=etconsec, msgid=err, proto=rdp, daemon=mUt, tls_verify=usmodte, auth=ele, relay=tenbyCic5882.api.home [10.69.20.77] -March 26 10:20:16 pteursi medium mod=service cmd=refresh cmd=turveli duration=toccae -April 9 17:22:51 ccusan low mod=zerohour type=Ciceroi cmd=refresh id=aveniam version=uradi -April 24 00:25:25 aboreetd high mod=smtpsrv cmd=listen cmd=dun addr=10.89.185.38 -May 8 07:27:59 ctetura medium mod=zerohour type=dolore cmd=init id=abor version=iqui -May 22 14:30:33 ritatis oloremi high s=icab mod=av_run cmd=mwr rule=fugi name=inculpaq cleaned=agna vendor=tionemu duration=eomnisis -2016/06/05T21:33:08.incidi picia queued-reinject[mUtenima]: warn emaperi[7183]: sumquiad: from=dexeaco, size=6178, class=colabor, nrcpts=iusmodt, msgid=etdolo, proto=tcp, daemon=lorumw, relay=ommod3671.mail.domain -June 20 04:35:42 imadmi high s=tion mod=session_judge cmd=eataev module=liquide rule=uasia -2016/07/04T11:38:16.uames tati access_run[utaliqu]: warn oriosamn medium s=santium m=iciatisu x=rehender mod=eporroqu cmd=uat rule=tem duration=est -July 18 18:40:50 samvolu err eid=ittenbyC module=isc age=aturve limit=emulla -2016/08/02T01:43:25.itame eumfug zerohour_init[lit]: note asun low mod=quamnih type=oluptate cmd=onseq id=serunt version=aquaeabi -August 16 08:45:59 ento warn eid=pic status="evita file suntexp does not contain enough (or correct) info. Fix this or remove the file." 
-August 30 15:48:33 tmo very-high s=abi mod=spam_run cmd=sectetur rule=uioffi policy=oru score=temqu ndrscore=edol ipscore=colab suspectscore=ommodico phishscore=quatD bulkscore=mcolab spamscore=67.309000 adjustscore=tenima adultscore=tsedqu classifier=agnid adjust=proide reason=dolorem scancount=tlab engine=volupt definitions=osqui raw=xerc tests=iutali duration=fdeFi -2016/09/13T22:51:07.sequine ectio dkimv_type[dutper]: err lamcolab: low mod=radi unexpected response type=gel -September 28 05:53:42 xeacomm very-high mod=av type=aturQui cmd=load id=utlabor -October 12 12:56:16 madmi tur low s=uatD mod=mail_attachment cmd=ariatu id=edquiac file=nci mime=tev type=saute omime=ntocca oext=ostru corrupted=ntoccae protected=autf size=3471 virtual=temquiav -2016/10/26T19:58:50.tor qui queued-aglife[4499]: eavolup: to=fugiatn, delay=docon, xdelay=etconsec, mailer=ios, pri=evolu, relay=ersp3536.www5.lan, dsn=sauteiru, stat=mod -2016/11/10T03:01:24.iquipe itempor mail_env_rcpt[quin]: err upida high s=nve m=remag x=uredol mod=ccaecat cmd=tquiin r=7440 value=temqu verified=ovol routes=ptasn -November 24 10:03:59 idolore low mod=spam type=eetdolo cmd=refresh id=cteturad engine=untut definitions=uamni -December 8 17:06:33 orumSe high mod=regulation type=isnost cmd=init id=queips action=cancel dict=itess file=iscinge -2016-12-23T12:09:07.inci atatn queued-alert[temUt]: info avol[752]: STARTTLS=essequam, relay=[10.193.83.81], version=1.5020, verify=str, cipher=iat, bits=etur -2017/01/06T07:11:41.isnostr umqu smtpsrv_run[tinv]: warn adipisc medium mod=isnisi cmd=ritatise rule=uamei duration=siut -2017/01/20T14:14:16.ttenby boris dkimv_run[stenatu]: err isiuta low s=ratv m=riat x=ianon mod=tsed cmd=nts status="siut, tconsect" -2017/02/03T21:16:50.ctetura aveni sendmail[elit]: note seosqui sequamni[3866]: STARTTLS=tdol, relay=sit6590.lan [10.123.143.188], version=ncididun, verify=umSe, cipher=xeacomm, bits=cinge -February 18 04:19:24 runtmol very-high mod=spam type=odi cmd=load 
id=ptass -March 4 11:21:59 aec medium mod=spam type=iduntu cmd=load id=ccaeca -March 18 18:24:33 leumiu tla very-high s=uaeratv mod=session_connect cmd=isa ip=10.38.65.236 country=dqu lip=pid prot=rExc hops_active=iusmo routes=tame notroutes=naaliq perlwait=nte -2017/04/02T01:27:07.ullamcor itationu dmarc_run[proident]: rprt maliquam medium s=atione m=lores x=ritati mod=orisni cmd=ons rule=remagn duration=ecillu -April 16 08:29:41 umetMalo high mod=av type=utp cmd=refresh id=aeconseq vendor=lor engine=Sedut definitions=yCiceroi signatures=quunt -April 30 15:32:16 aliq low mod=access type=teni cmd=refresh id=dquiac action=accept dict=tore file=elits -2017/05/14T22:34:50.uamnihi risnis mail_release[uov]: info itlab low s=sBono m=loremqu x=tetur mod=amvo cmd=siuta status=failure err=ommodo -May 29 05:37:24 atv high mod=access type=quira cmd=refresh id=rehende action=block dict=obeataev file=tempor -June 12 12:39:58 tlaboree note s=norumet m=dtempo x=tin module=fugitse action=deny size=3916 -2017/06/26T19:42:33.aturQu aaliq session_store[mipsamvo]: warn eiusmod very-high s=reetdo m=oreveri x=ehende mod=eaqueip cmd=eum module=lamc rule=umetMal folder=asper pri=umq duration=naal -2017/07/11T02:45:07.uto iuntNequ pdr_ttl[esseq]: warn aincidun low s=veniamq mod=occ ttl=oloreseo reply="\"iruredol rscore=veniamqu\"" -July 25 09:47:41 minim ataevi low s=repreh mod=av_run cmd=plic rule=irured name=illumqui cleaned=saq vendor=amali duration=ate -2017/08/08T16:50:15.autfugi tasun mail_continue-system-sendmail[duntutla]: err ntium low s=asuntexp mod=adminim cmd=orisni action=cancel err=lmole -2017/08/22T23:52:50.dolorem tem spam_init[exeacomm]: info aspe very-high mod=mides type=ciun cmd=olupta id=tsuntinc engine=inrepreh definitions=quovo -September 6 06:55:24 occaec acommodi medium s=quaeab mod=mail_env_rcpt cmd=fici r=5161 value=dipiscin verified=olup routes=aco -2017/09/20T13:57:58.mag tob smtpsrv_load[dolores]: rprt equamnih high mod=deF type=itempo cmd=orumw id=redol 
-October 4 21:00:32 radipis high s=tiumto mod=mail_env_from cmd=litan value=nder qid=stenatus tls=equep routes=ever notroutes=tali host=BCS3474.lan ip=10.1.204.187 sampling=quin -2017/10/19T04:03:07.nculpaq culpaqui regulation_init[tvolup]: note tdolore low mod=col type=obea cmd=emp id=agnaaliq action=cancel dict=uptatem file=oinv -queued-reinject[2957]: odt -2017/11/16T18:08:15.caecat rautod rprt[olest]: info eataev very-high s=ritati m=edquia x=itesse mod=mullam cmd=mexerc secprofile_name=meaque rcpts=5808 duration=mip -2017/12/01T01:10:49.deriti sintocc session_throttle[cididu]: rprt uteir high s=mwrit mod=ptat cmd=der rule=equuntur ip=10.219.133.187 rate=quameiu crate=diduntu limit=eiusmod -December 15 08:13:24 tassita very-high mod=smtpsrv cmd=run cmd=oremi rule=ugitsedq duration=turmag -2017/12/29T15:15:58.consecte pteurs dkimv_run[catcupi]: info autf very-high s=tiaecon m=uaturve x=amquisno mod=uido cmd=tla signature=mquiad identity=CSe host=lors7553.api.local result=unknown result_detail=rroqui -2018/01/12T22:18:32.itae dtempo cvtd[atnula]: warn ditautf low mod=iquidex cmd=olup -2018/01/27T05:21:06.rspici snisi queued-aglife[766]: olor: to=etquasia, delay=nula, xdelay=quiacons, mailer=uisa, pri=xeacommo, relay=[10.65.174.31], dsn=atur, stat=issu -2018/02/10T12:23:41.ite tasnul note[tuserr]: note tise very-high s=tnul m=expl x=ess module=quiad action=cancel size=6084 -2018/02/24T19:26:15.llumq tenim spam_init[eiusmo]: warn ainc medium mod=antiumdo type=ecill cmd=iduntu id=pisci engine=sunt definitions=texplica -March 11 02:28:49 ate action_checksubmsg s=con m=tqu x=eirur action=accept score=tametco submsgadjust=mquisnos spamscore=25.933000 suspectscore=cit malwarescore=siar phishscore=isn adultscore=veniamq bulkscore=lup tests=iumtotam -2018/03/25T09:31:24.voluptas velill regulation_init[rspic]: err orinrepr high mod=meum type=borumSec cmd=aecatcup id=snisiut action=allow dict=nre file=inB -2018/04/08T16:33:58.upt ulamc cvt_detect[cept]: err aedictas low 
pid=4253 mod=orio cmd=gna name=ici status=success err=olu -2018/04/22T23:36:32.seq moll queued-VoltageEncrypt[2861]: sunt: from=dquianon, size=956, class=itesse, nrcpts=iamqui, msgid=quide, proto=igmp, daemon=cididun, relay=str4641.domain [10.151.31.58] -2018/05/07T06:39:06.cti rumSecti session_throttle[riamea]: info eca very-high s=tes mod=equam cmd=isi rule=iaecon ip=10.119.38.124 rate=rep crate=remap limit=deri -May 21 13:41:41 scipit high pid=745 mod=cvt cmd=detect cmd=borisnis name=onorumet status=success err=isiutali -June 4 20:44:15 aedict low mod=cvtd cmd=miurere -2018/06/19T03:46:49.seq rumSe queued-vdedc2v5[tatnonp]: rprt ommo[4821]: idunt: to=expl, delay=olore, xdelay=uian, mailer=atuserro, pri=madminim, relay=[10.52.47.230] [10.113.119.47], dsn=quioff, stat=iuntN -2018/07/03T10:49:23.mquis lorsi filter[tetura]: rprt eeufug high mod=modt sig=iduntutl -July 17 17:51:58 expl very-high pid=prehende mod=cvtd cmd=encrypted encrypted=lup -August 1 00:54:32 umd sumd medium s=dat mod=session_judge cmd=aUtenima module=turQuis rule=taevi -2018/08/15T07:57:06.ercitati eve spf_run[rro]: err oeiusmo very-high s=cusanti m=tconse x=rem mod=tseddoei cmd=teursint rule=etMa duration=llita -2018/08/29T14:59:40.nostrum orroquis av_init[eumi]: info tvo low mod=tuser type=mmo cmd=eve id=nbyCicer vendor=scipit engine=equuntu definitions=quamni signatures=turveli -September 12 22:02:15 ihilm medium s=caboNemo mod=mltr uptas -2018/09/27T05:04:49.dol exe info[tis]: note oluptat low eid=tinvolup pid=497 status=tvol -October 11 12:07:23 eritqui medium s=atus mod=session_judge cmd=tassitas module=obea rule=velite -2018/10/25T19:09:57.lore luptate av_init[eritqu]: err elites very-high mod=tamr type=serr cmd=usci id=unturmag vendor=dexeaco engine=lupta definitions=ura signatures=oreeufug -2018/11/09T02:12:32.ree itten milter_listen[quipexea]: warn orsitv medium mod=nostrum cmd=autodita addr=10.27.154.247 -2018/11/23T09:15:06.utfugi ursintoc dkimv_type[tio]: rprt mmodicon: high 
mod=trudex unexpected response type=tvol -2018/12/07T16:17:40.rehen uaeab session_throttle[ptat]: warn mipsu high s=eturadip mod=amquaera cmd=rsitamet rule=leumiur ip=10.253.121.154 rate=olesti crate=edquia limit=ihi -December 21 23:20:14 emoenimi high pid=5895 mod=cvt cmd=detect cmd=mqu name=onorume status=unknown err=veleu -January 5 06:22:49 dquia high s=bori mod=mltr dipi -January 19 13:25:23 quovolu high s=dexe mod=mltr nemul -2019/02/02T20:27:57.quatur dminim mail_msg[ptatevel]: warn aperiame very-high s=eirured mod=sequamn cmd=perspici module=inimve rule=aea action=allow attachments=5821 rcpts=296 routes=ptat size=4878 guid=nde hdr_mid=quame qid=orumwri subject=atisu spamscore=66.849000 virusname=tse duration=rad elapsed=iat -2019/02/17T03:30:32.lorum suntexpl sm-msp-queue[iqu]: rprt iquamqu[6293]: audant: to=obeata, ctladdr=uredol, delay=uptat, xdelay=toditau, mailer=uiad, pri=nvolupta, relay=[10.80.133.120] [10.147.147.248], dsn=onpr, stat=uira -2019/03/03T10:33:06.aliqu sequine regulation_refresh[utaliqui]: note isciv very-high mod=econ type=aborio cmd=rve id=catcup action=deny dict=runtmoll file=busBon -2019/03/17T17:35:40.occaeca dan queued-alert[pta]: err upt[4762]: itaedict: to=eroi, delay=onemull, xdelay=mdo, mailer=labore, pri=lorem, relay=[10.68.159.207] [10.232.240.177], dsn=estq, stat=quasiarc -2019/04/01T00:38:14.tDuisaut uel warn[dexerc]: info vol high eid=agn status="iqu file: quamqua" -April 15 07:40:49 uunturm very-high mod=regulation type=iaconseq cmd=init id=tseddo action=cancel dict=rissusci file=ectetur -April 29 14:43:23 quaturve medium mod=zerohour type=gnamali cmd=init id=iumtota version=issusci -2019/05/13T21:45:57.ecillumd iumto dmarc_type[sequatu]: rprt tiumtot: medium mod=mdoloree type=que cmd=inBCSed id=cteturad policy_cache_entries=umq -May 28 04:48:31 reseo quam very-high s=pariat mod=mail_env_rcpt cmd=icaboNe r=4840 value=lumd verified=tiaec routes=lorem -June 11 11:51:06 seq low mod=info sys=lorsita evt=deny active=itation 
expires=utlabo msg=tat -June 25 18:53:40 ididu medium s=epteurs mod=mail_env_from cmd=itse value=rever ofrom=sBonoru qid=ecatcu tls=ntoccae routes=iscive notroutes=amni host=etconse5657.api.lan ip=10.118.249.126 sampling=dminimv -2019/07/10T01:56:14.rep nostru access_load[docons]: info emipsumq low mod=qua type=modit cmd=tatione id=aedicta -July 24 08:58:48 uas high s=reeufu mod=mail_env_from cmd=umexe value=xce ofrom=omnisis qid=corporis tls=tco routes=stiaec notroutes=Cicero host=ven5410.mail.host ip=10.170.55.203 sampling=deom -2019/08/07T16:01:23.Utenima nse info[umq]: note enim low mod=meaquei sys=snisiu evt=allow active=atev expires=vento msg=litsed -August 21 23:03:57 susc taed high s=mipsumd mod=mail_continue-system-sendmail cmd=eiusmo action=block err=sum -September 5 06:06:31 ipex low s=upta cmd=send profile=ivel qid=tmollita rcpts=tionofd -2019/09/19T13:09:05.ccaec repreh http_listen[imven]: note usan very-high mod=idolo cmd=olup addr=10.199.46.88 -2019/10/03T20:11:40.nulapari beataevi queued-VoltageEncrypt[3274]: eruntmol: from=plicab, size=5930, class=dmin, nrcpts=sum, msgid=lloinve, proto=ggp, daemon=nim, relay=Sedutper7794.www5.domain [10.154.22.241] -2019/10/18T03:14:14.nvol doloreeu cvtd_encrypted[elillumq]: info loremeum medium pid=obeataev mod=rrorsit encrypted=aincid -November 1 10:16:48 nis info pid=472 iin /uteiru: xer -2019/11/15T17:19:22.isauteir eritquii soap_listen[atevelit]: note dese low mod=ionula cmd=itaed addr=10.38.111.125 -November 30 00:21:57 ationem high mod=spam type=ing cmd=load id=ollita -2019/12/14T07:24:31.nih ncididu queued-default[4250]: STARTTLS=gitsed, relay=estla4081.corp, version=meumf, verify=rExce, cipher=quisquam, bits=boreet diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log-expected.json b/x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log-expected.json deleted file mode 100644 index 337be783e7a..00000000000 
--- a/x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log-expected.json +++ /dev/null 
@@ -1,2555 +0,0 @@ -[ - { - "event.code": "perl_clone", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "January 29 06:09:59 avolupt low mod=perl cmd=clone cmd=olab id=nto duration=sse", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "low", - "log.offset": 0, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "perl_clone", - "rsa.misc.client": "perl", - "rsa.misc.msgIdPart1": "perl", - "rsa.misc.msgIdPart2": "clone", - "rsa.misc.obj_type": "clone cmd=olab", - "rsa.misc.severity": "low", - "rsa.time.duration_str": "sse", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "session_store", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2016/02/12T13:12:33.umdo itessequ session_store[vol]: info luptat high s=nibus mod=mipsumq cmd=gnaali module=enatus rule=mquia folder=ameaqu pri=aqu duration=utper", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "high", - "log.offset": 80, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "related.hosts": [ - "enatus" - ], - "rsa.internal.messageid": "session_store", - "rsa.misc.client": "mipsumq", - "rsa.misc.event_source": "enatus", - "rsa.misc.log_session_id": "nibus", - "rsa.misc.obj_type": "gnaali", - "rsa.misc.rule_name": "mquia", - "rsa.misc.severity": "high", - "rsa.time.duration_str": "utper", - "rule.name": "mquia", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "session_connect_nse", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "February 26 20:15:08 emape low s=incidi mod=session_connect cmd=nse ip=10.46.185.46 country=temvel lip=iatu prot=serror hops_active=anti 
routes=ofdeF notroutes=metcons perlwait=roinBCS", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.offset": 244, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "session_connect_nse", - "rsa.misc.msgIdPart1": "session_connect", - "rsa.misc.msgIdPart2": "nse", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "destination.address": "tenbyCic5882.api.home", - "destination.ip": "10.69.20.77", - "event.code": "err", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2016/03/12T03:17:42.iam mqua queued-eurort[3391]: olab: from=mquisnos, size=5771, class=ore, nrcpts=etconsec, msgid=err, proto=rdp, daemon=mUt, tls_verify=usmodte, auth=ele, relay=tenbyCic5882.api.home [10.69.20.77]", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.offset": 429, - "network.bytes": 5771, - "network.protocol": "rdp", - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "process.pid": 3391, - "related.hosts": [ - "tenbyCic5882.api.home" - ], - "related.ip": [ - "10.69.20.77" - ], - "rsa.email.email_src": "mquisnos", - "rsa.internal.messageid": "queued-eurort", - "rsa.misc.client": "queued-eurort", - "rsa.misc.reference_id": "err", - "rsa.network.host_dst": "tenbyCic5882.api.home", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "service_refresh", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "March 26 10:20:16 pteursi medium mod=service cmd=refresh cmd=turveli duration=toccae", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "medium", - "log.offset": 645, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "service_refresh", 
- "rsa.misc.client": "service", - "rsa.misc.msgIdPart1": "service", - "rsa.misc.msgIdPart2": "refresh", - "rsa.misc.obj_type": "refresh cmd=turveli", - "rsa.misc.severity": "medium", - "rsa.time.duration_str": "toccae", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "zerohour_refresh", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "April 9 17:22:51 ccusan low mod=zerohour type=Ciceroi cmd=refresh id=aveniam version=uradi", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "low", - "log.offset": 730, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "zerohour_refresh", - "rsa.misc.client": "zerohour", - "rsa.misc.msgIdPart1": "zerohour", - "rsa.misc.msgIdPart2": "refresh", - "rsa.misc.obj_type": "refresh", - "rsa.misc.severity": "low", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "smtpsrv_listen", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "April 24 00:25:25 aboreetd high mod=smtpsrv cmd=listen cmd=dun addr=10.89.185.38", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "high", - "log.offset": 821, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "related.ip": [ - "10.89.185.38" - ], - "rsa.internal.messageid": "smtpsrv_listen", - "rsa.misc.client": "smtpsrv", - "rsa.misc.msgIdPart1": "smtpsrv", - "rsa.misc.msgIdPart2": "listen", - "rsa.misc.obj_type": "listen cmd=dun", - "rsa.misc.severity": "high", - "service.type": "proofpoint", - "source.ip": "10.89.185.38", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "zerohour_init", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - 
"event.original": "May 8 07:27:59 ctetura medium mod=zerohour type=dolore cmd=init id=abor version=iqui", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "medium", - "log.offset": 902, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "zerohour_init", - "rsa.misc.client": "zerohour", - "rsa.misc.msgIdPart1": "zerohour", - "rsa.misc.msgIdPart2": "init", - "rsa.misc.obj_type": "init", - "rsa.misc.severity": "medium", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "av_run", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "May 22 14:30:33 ritatis oloremi high s=icab mod=av_run cmd=mwr rule=fugi name=inculpaq cleaned=agna vendor=tionemu duration=eomnisis", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "high", - "log.offset": 987, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "av_run", - "rsa.misc.client": "av_run", - "rsa.misc.log_session_id": "icab", - "rsa.misc.obj_type": "mwr", - "rsa.misc.rule_name": "fugi", - "rsa.misc.severity": "high", - "rsa.time.duration_str": "eomnisis", - "rule.name": "fugi", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "destination.address": "ommod3671.mail.domain", - "event.code": "etdolo", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2016/06/05T21:33:08.incidi picia queued-reinject[mUtenima]: warn emaperi[7183]: sumquiad: from=dexeaco, size=6178, class=colabor, nrcpts=iusmodt, msgid=etdolo, proto=tcp, daemon=lorumw, relay=ommod3671.mail.domain", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.offset": 1120, - "network.bytes": 6178, - "network.protocol": "tcp", - "observer.product": "Email", 
- "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "process.pid": 7183, - "related.hosts": [ - "ommod3671.mail.domain" - ], - "rsa.email.email_src": "dexeaco", - "rsa.internal.messageid": "queued-reinject", - "rsa.misc.client": "emaperi", - "rsa.misc.reference_id": "etdolo", - "rsa.network.host_dst": "ommod3671.mail.domain", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "session_judge_eataev", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "June 20 04:35:42 imadmi high s=tion mod=session_judge cmd=eataev module=liquide rule=uasia", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.offset": 1334, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "session_judge_eataev", - "rsa.misc.msgIdPart1": "session_judge", - "rsa.misc.msgIdPart2": "eataev", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "access_run", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2016/07/04T11:38:16.uames tati access_run[utaliqu]: warn oriosamn medium s=santium m=iciatisu x=rehender mod=eporroqu cmd=uat rule=tem duration=est", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "medium", - "log.offset": 1425, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "access_run", - "rsa.misc.client": "eporroqu", - "rsa.misc.log_session_id": "santium", - "rsa.misc.log_session_id1": "rehender", - "rsa.misc.mail_id": "iciatisu", - "rsa.misc.obj_type": "uat", - "rsa.misc.rule_name": "tem", - "rsa.misc.severity": "medium", - "rsa.time.duration_str": "est", - "rule.name": "tem", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] 
- }, - { - "event.code": "err", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "July 18 18:40:50 samvolu err eid=ittenbyC module=isc age=aturve limit=emulla", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "err", - "log.offset": 1573, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "err", - "rsa.misc.client": "isc", - "rsa.misc.severity": "err", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "zerohour_init", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2016/08/02T01:43:25.itame eumfug zerohour_init[lit]: note asun low mod=quamnih type=oluptate cmd=onseq id=serunt version=aquaeabi", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "low", - "log.offset": 1650, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "zerohour_init", - "rsa.misc.client": "quamnih", - "rsa.misc.obj_type": "onseq", - "rsa.misc.severity": "low", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "warn", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "August 16 08:45:59 ento warn eid=pic status=\"evita file suntexp does not contain enough (or correct) info. Fix this or remove the file.\"", - "file.name": "suntexp", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "warn", - "log.offset": 1780, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.event_desc": "does not contain enough (or correct) info. 
Fix this or remove the file", - "rsa.internal.messageid": "warn", - "rsa.misc.event_state": "evita", - "rsa.misc.severity": "warn", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "spam_run_sectetur", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "August 30 15:48:33 tmo very-high s=abi mod=spam_run cmd=sectetur rule=uioffi policy=oru score=temqu ndrscore=edol ipscore=colab suspectscore=ommodico phishscore=quatD bulkscore=mcolab spamscore=67.309000 adjustscore=tenima adultscore=tsedqu classifier=agnid adjust=proide reason=dolorem scancount=tlab engine=volupt definitions=osqui raw=xerc tests=iutali duration=fdeFi", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.offset": 1917, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "spam_run_sectetur", - "rsa.misc.msgIdPart1": "spam_run", - "rsa.misc.msgIdPart2": "sectetur", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "dkimv_type", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2016/09/13T22:51:07.sequine ectio dkimv_type[dutper]: err lamcolab: low mod=radi unexpected response type=gel", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "low", - "log.offset": 2288, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "dkimv_type", - "rsa.misc.client": "radi", - "rsa.misc.result": "unexpected response", - "rsa.misc.severity": "low", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "av_load", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "September 28 05:53:42 xeacomm very-high 
mod=av type=aturQui cmd=load id=utlabor", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "very-high", - "log.offset": 2398, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "av_load", - "rsa.misc.client": "av", - "rsa.misc.msgIdPart1": "av", - "rsa.misc.msgIdPart2": "load", - "rsa.misc.obj_type": "load", - "rsa.misc.severity": "very-high", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "mail_attachment", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "October 12 12:56:16 madmi tur low s=uatD mod=mail_attachment cmd=ariatu id=edquiac file=nci mime=tev type=saute omime=ntocca oext=ostru corrupted=ntoccae protected=autf size=3471 virtual=temquiav", - "file.name": "nci", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "low", - "log.offset": 2478, - "network.bytes": 3471, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "mail_attachment", - "rsa.misc.client": "mail_attachment", - "rsa.misc.content_type": "tev", - "rsa.misc.log_session_id": "uatD", - "rsa.misc.obj_type": "ariatu", - "rsa.misc.severity": "low", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "destination.address": "ersp3536.www5.lan", - "event.code": "queued-aglife", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2016/10/26T19:58:50.tor qui queued-aglife[4499]: eavolup: to=fugiatn, delay=docon, xdelay=etconsec, mailer=ios, pri=evolu, relay=ersp3536.www5.lan, dsn=sauteiru, stat=mod", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.offset": 2674, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "process.pid": 4499, - 
"related.hosts": [ - "ersp3536.www5.lan" - ], - "rsa.db.index": "mod", - "rsa.email.email_dst": "fugiatn", - "rsa.internal.messageid": "queued-aglife", - "rsa.misc.client": "queued-aglife", - "rsa.misc.result_code": "sauteiru", - "rsa.network.host_dst": "ersp3536.www5.lan", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "mail_env_rcpt", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2016/11/10T03:01:24.iquipe itempor mail_env_rcpt[quin]: err upida high s=nve m=remag x=uredol mod=ccaecat cmd=tquiin r=7440 value=temqu verified=ovol routes=ptasn", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "high", - "log.offset": 2845, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.counters.event_counter": 7440, - "rsa.email.email_dst": "temqu", - "rsa.internal.messageid": "mail_env_rcpt", - "rsa.misc.client": "ccaecat", - "rsa.misc.log_session_id": "nve", - "rsa.misc.log_session_id1": "uredol", - "rsa.misc.mail_id": "remag", - "rsa.misc.obj_type": "tquiin", - "rsa.misc.severity": "high", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "spam_refresh", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "November 24 10:03:59 idolore low mod=spam type=eetdolo cmd=refresh id=cteturad engine=untut definitions=uamni", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "low", - "log.offset": 3008, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "spam_refresh", - "rsa.misc.client": "spam", - "rsa.misc.msgIdPart1": "spam", - "rsa.misc.msgIdPart2": "refresh", - "rsa.misc.obj_type": "refresh", - "rsa.misc.severity": "low", - "service.type": "proofpoint", - "tags": [ - 
"forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.action": "cancel", - "event.code": "regulation_init", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "December 8 17:06:33 orumSe high mod=regulation type=isnost cmd=init id=queips action=cancel dict=itess file=iscinge", - "file.name": "iscinge", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "high", - "log.offset": 3118, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "regulation_init", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.client": "regulation", - "rsa.misc.msgIdPart1": "regulation", - "rsa.misc.msgIdPart2": "init", - "rsa.misc.obj_type": "init", - "rsa.misc.severity": "high", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "destination.ip": "10.193.83.81", - "event.code": "queued-alert", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2016-12-23T12:09:07.inci atatn queued-alert[temUt]: info avol[752]: STARTTLS=essequam, relay=[10.193.83.81], version=1.5020, verify=str, cipher=iat, bits=etur", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.offset": 3234, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "observer.version": "1.5020", - "process.pid": 752, - "related.ip": [ - "10.193.83.81" - ], - "rsa.crypto.cipher_src": "iat", - "rsa.internal.messageid": "queued-alert", - "rsa.misc.client": "avol", - "rsa.misc.version": "1.5020", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "smtpsrv_run", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2017/01/06T07:11:41.isnostr umqu smtpsrv_run[tinv]: warn adipisc medium mod=isnisi cmd=ritatise rule=uamei 
duration=siut", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "medium", - "log.offset": 3393, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "smtpsrv_run", - "rsa.misc.client": "isnisi", - "rsa.misc.obj_type": "ritatise", - "rsa.misc.rule_name": "uamei", - "rsa.misc.severity": "medium", - "rsa.time.duration_str": "siut", - "rule.name": "uamei", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "dkimv_run", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2017/01/20T14:14:16.ttenby boris dkimv_run[stenatu]: err isiuta low s=ratv m=riat x=ianon mod=tsed cmd=nts status=\"siut, tconsect\"", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "low", - "log.offset": 3514, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.db.index": "siut", - "rsa.internal.messageid": "dkimv_run", - "rsa.misc.client": "tsed", - "rsa.misc.event_state": "tconsect", - "rsa.misc.log_session_id": "ratv", - "rsa.misc.log_session_id1": "ianon", - "rsa.misc.mail_id": "riat", - "rsa.misc.obj_type": "nts", - "rsa.misc.severity": "low", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "destination.address": "sit6590.lan", - "destination.ip": "10.123.143.188", - "event.code": "sendmail", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2017/02/03T21:16:50.ctetura aveni sendmail[elit]: note seosqui sequamni[3866]: STARTTLS=tdol, relay=sit6590.lan [10.123.143.188], version=ncididun, verify=umSe, cipher=xeacomm, bits=cinge", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.offset": 3645, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - 
"process.pid": 3866, - "related.hosts": [ - "sit6590.lan" - ], - "related.ip": [ - "10.123.143.188" - ], - "rsa.internal.messageid": "sendmail", - "rsa.misc.client": "sequamni", - "rsa.network.host_dst": "sit6590.lan", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "spam_load", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "February 18 04:19:24 runtmol very-high mod=spam type=odi cmd=load id=ptass", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "very-high", - "log.offset": 3833, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "spam_load", - "rsa.misc.client": "spam", - "rsa.misc.msgIdPart1": "spam", - "rsa.misc.msgIdPart2": "load", - "rsa.misc.obj_type": "load", - "rsa.misc.severity": "very-high", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "spam_load", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "March 4 11:21:59 aec medium mod=spam type=iduntu cmd=load id=ccaeca", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "medium", - "log.offset": 3908, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "spam_load", - "rsa.misc.client": "spam", - "rsa.misc.msgIdPart1": "spam", - "rsa.misc.msgIdPart2": "load", - "rsa.misc.obj_type": "load", - "rsa.misc.severity": "medium", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "session_connect", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "March 18 18:24:33 leumiu tla very-high s=uaeratv mod=session_connect cmd=isa ip=10.38.65.236 country=dqu lip=pid prot=rExc 
hops_active=iusmo routes=tame notroutes=naaliq perlwait=nte", - "fileset.name": "emailsecurity", - "geo.country_name": "dqu", - "host.ip": "10.38.65.236", - "input.type": "log", - "log.level": "very-high", - "log.offset": 3976, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "related.ip": [ - "10.38.65.236" - ], - "rsa.internal.messageid": "session_connect", - "rsa.misc.client": "session_connect", - "rsa.misc.log_session_id": "uaeratv", - "rsa.misc.obj_type": "isa", - "rsa.misc.severity": "very-high", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "dmarc_run", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2017/04/02T01:27:07.ullamcor itationu dmarc_run[proident]: rprt maliquam medium s=atione m=lores x=ritati mod=orisni cmd=ons rule=remagn duration=ecillu", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "medium", - "log.offset": 4159, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "dmarc_run", - "rsa.misc.client": "orisni", - "rsa.misc.log_session_id": "atione", - "rsa.misc.log_session_id1": "ritati", - "rsa.misc.mail_id": "lores", - "rsa.misc.obj_type": "ons", - "rsa.misc.rule_name": "remagn", - "rsa.misc.severity": "medium", - "rsa.time.duration_str": "ecillu", - "rule.name": "remagn", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "av_refresh", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "April 16 08:29:41 umetMalo high mod=av type=utp cmd=refresh id=aeconseq vendor=lor engine=Sedut definitions=yCiceroi signatures=quunt", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "high", - "log.offset": 4312, - "observer.product": "Email", - 
"observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "av_refresh", - "rsa.misc.client": "av", - "rsa.misc.msgIdPart1": "av", - "rsa.misc.msgIdPart2": "refresh", - "rsa.misc.obj_type": "refresh", - "rsa.misc.severity": "high", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.action": "accept", - "event.code": "access_refresh", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "April 30 15:32:16 aliq low mod=access type=teni cmd=refresh id=dquiac action=accept dict=tore file=elits", - "file.name": "elits", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "low", - "log.offset": 4446, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "access_refresh", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.client": "access", - "rsa.misc.msgIdPart1": "access", - "rsa.misc.msgIdPart2": "refresh", - "rsa.misc.obj_type": "refresh", - "rsa.misc.severity": "low", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "mail_release", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2017/05/14T22:34:50.uamnihi risnis mail_release[uov]: info itlab low s=sBono m=loremqu x=tetur mod=amvo cmd=siuta status=failure err=ommodo", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "low", - "log.offset": 4551, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "mail_release", - "rsa.misc.client": "amvo", - "rsa.misc.log_session_id": "sBono", - "rsa.misc.log_session_id1": "tetur", - "rsa.misc.mail_id": "loremqu", - "rsa.misc.obj_type": "siuta", - "rsa.misc.result": "failure", - "rsa.misc.severity": "low", - "service.type": "proofpoint", - 
"tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.action": "block", - "event.code": "access_refresh", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "May 29 05:37:24 atv high mod=access type=quira cmd=refresh id=rehende action=block dict=obeataev file=tempor", - "file.name": "tempor", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "high", - "log.offset": 4691, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "access_refresh", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.client": "access", - "rsa.misc.msgIdPart1": "access", - "rsa.misc.msgIdPart2": "refresh", - "rsa.misc.obj_type": "refresh", - "rsa.misc.severity": "high", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.action": "deny", - "event.code": "note", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "June 12 12:39:58 tlaboree note s=norumet m=dtempo x=tin module=fugitse action=deny size=3916", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "note", - "log.offset": 4800, - "network.bytes": 3916, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "note", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.client": "fugitse", - "rsa.misc.log_session_id": "norumet", - "rsa.misc.log_session_id1": "tin", - "rsa.misc.mail_id": "dtempo", - "rsa.misc.severity": "note", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "session_store", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2017/06/26T19:42:33.aturQu aaliq session_store[mipsamvo]: warn eiusmod very-high s=reetdo m=oreveri x=ehende mod=eaqueip cmd=eum 
module=lamc rule=umetMal folder=asper pri=umq duration=naal", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "very-high", - "log.offset": 4893, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "related.hosts": [ - "lamc" - ], - "rsa.internal.messageid": "session_store", - "rsa.misc.client": "eaqueip", - "rsa.misc.event_source": "lamc", - "rsa.misc.log_session_id": "reetdo", - "rsa.misc.log_session_id1": "ehende", - "rsa.misc.mail_id": "oreveri", - "rsa.misc.obj_type": "eum", - "rsa.misc.rule_name": "umetMal", - "rsa.misc.severity": "very-high", - "rsa.time.duration_str": "naal", - "rule.name": "umetMal", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "pdr_ttl", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2017/07/11T02:45:07.uto iuntNequ pdr_ttl[esseq]: warn aincidun low s=veniamq mod=occ ttl=oloreseo reply=\"\\\"iruredol rscore=veniamqu\\\"\"", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "low", - "log.offset": 5082, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "pdr_ttl", - "rsa.misc.client": "occ", - "rsa.misc.log_session_id": "veniamq", - "rsa.misc.severity": "low", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "av_run", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "July 25 09:47:41 minim ataevi low s=repreh mod=av_run cmd=plic rule=irured name=illumqui cleaned=saq vendor=amali duration=ate", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "low", - "log.offset": 5217, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "av_run", - 
"rsa.misc.client": "av_run", - "rsa.misc.log_session_id": "repreh", - "rsa.misc.obj_type": "plic", - "rsa.misc.rule_name": "irured", - "rsa.misc.severity": "low", - "rsa.time.duration_str": "ate", - "rule.name": "irured", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.action": "cancel", - "event.code": "mail_continue-system-sendmail", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2017/08/08T16:50:15.autfugi tasun mail_continue-system-sendmail[duntutla]: err ntium low s=asuntexp mod=adminim cmd=orisni action=cancel err=lmole", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "low", - "log.offset": 5344, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "mail_continue-system-sendmail", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.client": "adminim", - "rsa.misc.log_session_id": "asuntexp", - "rsa.misc.obj_type": "orisni", - "rsa.misc.severity": "low", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "spam_init", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2017/08/22T23:52:50.dolorem tem spam_init[exeacomm]: info aspe very-high mod=mides type=ciun cmd=olupta id=tsuntinc engine=inrepreh definitions=quovo", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "very-high", - "log.offset": 5491, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "spam_init", - "rsa.misc.client": "mides", - "rsa.misc.obj_type": "olupta", - "rsa.misc.severity": "very-high", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "mail_env_rcpt", - "event.dataset": "proofpoint.emailsecurity", - 
"event.module": "proofpoint", - "event.original": "September 6 06:55:24 occaec acommodi medium s=quaeab mod=mail_env_rcpt cmd=fici r=5161 value=dipiscin verified=olup routes=aco", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "medium", - "log.offset": 5641, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.counters.event_counter": 5161, - "rsa.email.email_dst": "dipiscin", - "rsa.internal.messageid": "mail_env_rcpt", - "rsa.misc.client": "mail_env_rcpt", - "rsa.misc.log_session_id": "quaeab", - "rsa.misc.obj_type": "fici", - "rsa.misc.severity": "medium", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "smtpsrv_load", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2017/09/20T13:57:58.mag tob smtpsrv_load[dolores]: rprt equamnih high mod=deF type=itempo cmd=orumw id=redol", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "high", - "log.offset": 5768, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "smtpsrv_load", - "rsa.misc.client": "deF", - "rsa.misc.obj_type": "orumw", - "rsa.misc.severity": "high", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "mail_env_from_litan", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "October 4 21:00:32 radipis high s=tiumto mod=mail_env_from cmd=litan value=nder qid=stenatus tls=equep routes=ever notroutes=tali host=BCS3474.lan ip=10.1.204.187 sampling=quin", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.offset": 5877, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "mail_env_from_litan", - "rsa.misc.msgIdPart1": 
"mail_env_from", - "rsa.misc.msgIdPart2": "litan", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.action": "cancel", - "event.code": "regulation_init", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2017/10/19T04:03:07.nculpaq culpaqui regulation_init[tvolup]: note tdolore low mod=col type=obea cmd=emp id=agnaaliq action=cancel dict=uptatem file=oinv", - "file.name": "oinv", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "low", - "log.offset": 6054, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "regulation_init", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.client": "col", - "rsa.misc.obj_type": "emp", - "rsa.misc.severity": "low", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "queued-reinject", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "queued-reinject[2957]: odt", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.offset": 6208, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "process.pid": 2957, - "rsa.internal.event_desc": "odt", - "rsa.internal.messageid": "queued-reinject", - "rsa.misc.client": "queued-reinject", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "rprt", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2017/11/16T18:08:15.caecat rautod rprt[olest]: info eataev very-high s=ritati m=edquia x=itesse mod=mullam cmd=mexerc secprofile_name=meaque rcpts=5808 duration=mip", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "very-high", - "log.offset": 6235, - "observer.product": "Email", - 
"observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.counters.dclass_c2": 5808, - "rsa.internal.messageid": "rprt", - "rsa.misc.client": "mullam", - "rsa.misc.log_session_id": "ritati", - "rsa.misc.log_session_id1": "itesse", - "rsa.misc.mail_id": "edquia", - "rsa.misc.obj_type": "mexerc", - "rsa.misc.severity": "very-high", - "rsa.time.duration_str": "mip", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "session_throttle", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2017/12/01T01:10:49.deriti sintocc session_throttle[cididu]: rprt uteir high s=mwrit mod=ptat cmd=der rule=equuntur ip=10.219.133.187 rate=quameiu crate=diduntu limit=eiusmod", - "fileset.name": "emailsecurity", - "host.ip": "10.219.133.187", - "input.type": "log", - "log.level": "high", - "log.offset": 6400, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "related.ip": [ - "10.219.133.187" - ], - "rsa.internal.messageid": "session_throttle", - "rsa.misc.client": "ptat", - "rsa.misc.log_session_id": "mwrit", - "rsa.misc.obj_type": "der", - "rsa.misc.rule_name": "equuntur", - "rsa.misc.severity": "high", - "rule.name": "equuntur", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "smtpsrv_run", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "December 15 08:13:24 tassita very-high mod=smtpsrv cmd=run cmd=oremi rule=ugitsedq duration=turmag", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "very-high", - "log.offset": 6575, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "smtpsrv_run", - "rsa.misc.client": "smtpsrv", - "rsa.misc.msgIdPart1": "smtpsrv", - "rsa.misc.msgIdPart2": "run", - 
"rsa.misc.obj_type": "run cmd=oremi", - "rsa.misc.rule_name": "ugitsedq", - "rsa.misc.severity": "very-high", - "rsa.time.duration_str": "turmag", - "rule.name": "ugitsedq", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "dkimv_run", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2017/12/29T15:15:58.consecte pteurs dkimv_run[catcupi]: info autf very-high s=tiaecon m=uaturve x=amquisno mod=uido cmd=tla signature=mquiad identity=CSe host=lors7553.api.local result=unknown result_detail=rroqui", - "fileset.name": "emailsecurity", - "host.name": "lors7553.api.local", - "input.type": "log", - "log.level": "very-high", - "log.offset": 6674, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "related.hosts": [ - "lors7553.api.local" - ], - "rsa.internal.messageid": "dkimv_run", - "rsa.misc.client": "uido", - "rsa.misc.log_session_id": "tiaecon", - "rsa.misc.log_session_id1": "amquisno", - "rsa.misc.mail_id": "uaturve", - "rsa.misc.obj_type": "tla", - "rsa.misc.result": "unknown", - "rsa.misc.severity": "very-high", - "rsa.misc.sig_id_str": "CSe", - "rsa.network.alias_host": [ - "lors7553.api.local" - ], - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "cvtd", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2018/01/12T22:18:32.itae dtempo cvtd[atnula]: warn ditautf low mod=iquidex cmd=olup", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "low", - "log.offset": 6888, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "cvtd", - "rsa.misc.client": "iquidex", - "rsa.misc.obj_type": "olup", - "rsa.misc.severity": "low", - "service.type": "proofpoint", - "tags": [ - "forwarded", - 
"proofpoint.emailsecurity" - ] - }, - { - "destination.ip": "10.65.174.31", - "event.code": "queued-aglife", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2018/01/27T05:21:06.rspici snisi queued-aglife[766]: olor: to=etquasia, delay=nula, xdelay=quiacons, mailer=uisa, pri=xeacommo, relay=[10.65.174.31], dsn=atur, stat=issu", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.offset": 6972, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "process.pid": 766, - "related.ip": [ - "10.65.174.31" - ], - "rsa.db.index": "issu", - "rsa.email.email_dst": "etquasia", - "rsa.internal.messageid": "queued-aglife", - "rsa.misc.client": "queued-aglife", - "rsa.misc.result_code": "atur", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.action": "cancel", - "event.code": "note", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2018/02/10T12:23:41.ite tasnul note[tuserr]: note tise very-high s=tnul m=expl x=ess module=quiad action=cancel size=6084", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "very-high", - "log.offset": 7142, - "network.bytes": 6084, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "note", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.client": "quiad", - "rsa.misc.log_session_id": "tnul", - "rsa.misc.log_session_id1": "ess", - "rsa.misc.mail_id": "expl", - "rsa.misc.severity": "very-high", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "spam_init", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2018/02/24T19:26:15.llumq tenim spam_init[eiusmo]: warn ainc medium mod=antiumdo type=ecill cmd=iduntu id=pisci 
engine=sunt definitions=texplica", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "medium", - "log.offset": 7264, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "spam_init", - "rsa.misc.client": "antiumdo", - "rsa.misc.obj_type": "iduntu", - "rsa.misc.severity": "medium", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.action": "accept", - "event.code": "action_checksubmsg", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "March 11 02:28:49 ate action_checksubmsg s=con m=tqu x=eirur action=accept score=tametco submsgadjust=mquisnos spamscore=25.933000 suspectscore=cit malwarescore=siar phishscore=isn adultscore=veniamq bulkscore=lup tests=iumtotam", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "action_checksubmsg", - "log.offset": 7409, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "action_checksubmsg", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.log_session_id": "con", - "rsa.misc.log_session_id1": "eirur", - "rsa.misc.mail_id": "tqu", - "rsa.misc.severity": "action_checksubmsg", - "rsa.web.reputation_num": 25.933, - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.action": "allow", - "event.code": "regulation_init", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2018/03/25T09:31:24.voluptas velill regulation_init[rspic]: err orinrepr high mod=meum type=borumSec cmd=aecatcup id=snisiut action=allow dict=nre file=inB", - "file.name": "inB", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "high", - "log.offset": 7638, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": 
"Proofpoint", - "rsa.internal.messageid": "regulation_init", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.client": "meum", - "rsa.misc.obj_type": "aecatcup", - "rsa.misc.severity": "high", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "cvt_detect", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2018/04/08T16:33:58.upt ulamc cvt_detect[cept]: err aedictas low pid=4253 mod=orio cmd=gna name=ici status=success err=olu", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "low", - "log.offset": 7794, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "process.pid": 4253, - "rsa.internal.messageid": "cvt_detect", - "rsa.misc.client": "orio", - "rsa.misc.obj_type": "gna", - "rsa.misc.result": "success", - "rsa.misc.severity": "low", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "destination.address": "str4641.domain", - "destination.ip": "10.151.31.58", - "event.code": "quide", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2018/04/22T23:36:32.seq moll queued-VoltageEncrypt[2861]: sunt: from=dquianon, size=956, class=itesse, nrcpts=iamqui, msgid=quide, proto=igmp, daemon=cididun, relay=str4641.domain [10.151.31.58]", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.offset": 7917, - "network.bytes": 956, - "network.protocol": "igmp", - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "process.pid": 2861, - "related.hosts": [ - "str4641.domain" - ], - "related.ip": [ - "10.151.31.58" - ], - "rsa.email.email_src": "dquianon", - "rsa.internal.messageid": "queued-VoltageEncrypt", - "rsa.misc.client": "queued-VoltageEncrypt", - "rsa.misc.reference_id": "quide", - "rsa.network.host_dst": "str4641.domain", - 
"service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "session_throttle", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2018/05/07T06:39:06.cti rumSecti session_throttle[riamea]: info eca very-high s=tes mod=equam cmd=isi rule=iaecon ip=10.119.38.124 rate=rep crate=remap limit=deri", - "fileset.name": "emailsecurity", - "host.ip": "10.119.38.124", - "input.type": "log", - "log.level": "very-high", - "log.offset": 8112, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "related.ip": [ - "10.119.38.124" - ], - "rsa.internal.messageid": "session_throttle", - "rsa.misc.client": "equam", - "rsa.misc.log_session_id": "tes", - "rsa.misc.obj_type": "isi", - "rsa.misc.rule_name": "iaecon", - "rsa.misc.severity": "very-high", - "rule.name": "iaecon", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "cvt_detect", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "May 21 13:41:41 scipit high pid=745 mod=cvt cmd=detect cmd=borisnis name=onorumet status=success err=isiutali", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "high", - "log.offset": 8275, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "process.pid": 745, - "rsa.internal.messageid": "cvt_detect", - "rsa.misc.client": "cvt", - "rsa.misc.msgIdPart1": "cvt", - "rsa.misc.msgIdPart2": "detect", - "rsa.misc.obj_type": "detect cmd=borisnis", - "rsa.misc.result": "success", - "rsa.misc.severity": "high", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "cvtd", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "June 4 20:44:15 aedict low mod=cvtd 
cmd=miurere", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "low", - "log.offset": 8385, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "cvtd", - "rsa.misc.client": "cvtd", - "rsa.misc.obj_type": "miurere", - "rsa.misc.severity": "low", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "destination.ip": "10.113.119.47", - "event.code": "queued-vdedc2v5", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2018/06/19T03:46:49.seq rumSe queued-vdedc2v5[tatnonp]: rprt ommo[4821]: idunt: to=expl, delay=olore, xdelay=uian, mailer=atuserro, pri=madminim, relay=[10.52.47.230] [10.113.119.47], dsn=quioff, stat=iuntN", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.offset": 8433, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "process.pid": 4821, - "related.ip": [ - "10.113.119.47" - ], - "rsa.db.index": "iuntN", - "rsa.email.email_dst": "expl", - "rsa.internal.messageid": "queued-vdedc2v5", - "rsa.misc.client": "ommo", - "rsa.misc.result_code": "quioff", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "filter", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2018/07/03T10:49:23.mquis lorsi filter[tetura]: rprt eeufug high mod=modt sig=iduntutl", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "high", - "log.offset": 8640, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "filter", - "rsa.misc.client": "modt", - "rsa.misc.severity": "high", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "cvtd_encrypted", - 
"event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "July 17 17:51:58 expl very-high pid=prehende mod=cvtd cmd=encrypted encrypted=lup", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "very-high", - "log.offset": 8727, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "cvtd_encrypted", - "rsa.misc.client": "cvtd cmd=encrypted", - "rsa.misc.msgIdPart1": "cvtd", - "rsa.misc.msgIdPart2": "encrypted", - "rsa.misc.severity": "very-high", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "session_judge", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "August 1 00:54:32 umd sumd medium s=dat mod=session_judge cmd=aUtenima module=turQuis rule=taevi", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "medium", - "log.offset": 8809, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "related.hosts": [ - "turQuis" - ], - "rsa.internal.messageid": "session_judge", - "rsa.misc.client": "session_judge", - "rsa.misc.event_source": "turQuis", - "rsa.misc.log_session_id": "dat", - "rsa.misc.obj_type": "aUtenima", - "rsa.misc.rule_name": "taevi", - "rsa.misc.severity": "medium", - "rule.name": "taevi", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "spf_run", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2018/08/15T07:57:06.ercitati eve spf_run[rro]: err oeiusmo very-high s=cusanti m=tconse x=rem mod=tseddoei cmd=teursint rule=etMa duration=llita", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "very-high", - "log.offset": 8906, - "observer.product": "Email", - "observer.type": "Firewall", - 
"observer.vendor": "Proofpoint", - "rsa.internal.messageid": "spf_run", - "rsa.misc.client": "tseddoei", - "rsa.misc.log_session_id": "cusanti", - "rsa.misc.log_session_id1": "rem", - "rsa.misc.mail_id": "tconse", - "rsa.misc.obj_type": "teursint", - "rsa.misc.rule_name": "etMa", - "rsa.misc.severity": "very-high", - "rsa.time.duration_str": "llita", - "rule.name": "etMa", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "av_init", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2018/08/29T14:59:40.nostrum orroquis av_init[eumi]: info tvo low mod=tuser type=mmo cmd=eve id=nbyCicer vendor=scipit engine=equuntu definitions=quamni signatures=turveli", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "low", - "log.offset": 9051, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "av_init", - "rsa.misc.client": "tuser", - "rsa.misc.obj_type": "eve", - "rsa.misc.severity": "low", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "mltr", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "September 12 22:02:15 ihilm medium s=caboNemo mod=mltr uptas", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "medium", - "log.offset": 9222, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.event_desc": "uptas", - "rsa.internal.messageid": "mltr", - "rsa.misc.client": "mltr", - "rsa.misc.log_session_id": "caboNemo", - "rsa.misc.severity": "medium", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "info", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": 
"2018/09/27T05:04:49.dol exe info[tis]: note oluptat low eid=tinvolup pid=497 status=tvol", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "low", - "log.offset": 9283, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "process.pid": 497, - "rsa.internal.messageid": "info", - "rsa.misc.severity": "low", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "session_judge_tassitas", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "October 11 12:07:23 eritqui medium s=atus mod=session_judge cmd=tassitas module=obea rule=velite", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.offset": 9372, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "session_judge_tassitas", - "rsa.misc.msgIdPart1": "session_judge", - "rsa.misc.msgIdPart2": "tassitas", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "av_init", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2018/10/25T19:09:57.lore luptate av_init[eritqu]: err elites very-high mod=tamr type=serr cmd=usci id=unturmag vendor=dexeaco engine=lupta definitions=ura signatures=oreeufug", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "very-high", - "log.offset": 9469, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "av_init", - "rsa.misc.client": "tamr", - "rsa.misc.obj_type": "usci", - "rsa.misc.severity": "very-high", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "milter_listen", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - 
"event.original": "2018/11/09T02:12:32.ree itten milter_listen[quipexea]: warn orsitv medium mod=nostrum cmd=autodita addr=10.27.154.247", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "medium", - "log.offset": 9644, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "related.ip": [ - "10.27.154.247" - ], - "rsa.internal.messageid": "milter_listen", - "rsa.misc.client": "nostrum", - "rsa.misc.obj_type": "autodita", - "rsa.misc.severity": "medium", - "service.type": "proofpoint", - "source.ip": "10.27.154.247", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "dkimv_type", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2018/11/23T09:15:06.utfugi ursintoc dkimv_type[tio]: rprt mmodicon: high mod=trudex unexpected response type=tvol", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "high", - "log.offset": 9762, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "dkimv_type", - "rsa.misc.client": "trudex", - "rsa.misc.result": "unexpected response", - "rsa.misc.severity": "high", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "session_throttle", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2018/12/07T16:17:40.rehen uaeab session_throttle[ptat]: warn mipsu high s=eturadip mod=amquaera cmd=rsitamet rule=leumiur ip=10.253.121.154 rate=olesti crate=edquia limit=ihi", - "fileset.name": "emailsecurity", - "host.ip": "10.253.121.154", - "input.type": "log", - "log.level": "high", - "log.offset": 9876, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "related.ip": [ - "10.253.121.154" - ], - "rsa.internal.messageid": "session_throttle", - 
"rsa.misc.client": "amquaera", - "rsa.misc.log_session_id": "eturadip", - "rsa.misc.obj_type": "rsitamet", - "rsa.misc.rule_name": "leumiur", - "rsa.misc.severity": "high", - "rule.name": "leumiur", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "cvt_detect", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "December 21 23:20:14 emoenimi high pid=5895 mod=cvt cmd=detect cmd=mqu name=onorume status=unknown err=veleu", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "high", - "log.offset": 10051, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "process.pid": 5895, - "rsa.internal.messageid": "cvt_detect", - "rsa.misc.client": "cvt", - "rsa.misc.msgIdPart1": "cvt", - "rsa.misc.msgIdPart2": "detect", - "rsa.misc.obj_type": "detect cmd=mqu", - "rsa.misc.result": "unknown", - "rsa.misc.severity": "high", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "mltr", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "January 5 06:22:49 dquia high s=bori mod=mltr dipi", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "high", - "log.offset": 10160, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.event_desc": "dipi", - "rsa.internal.messageid": "mltr", - "rsa.misc.client": "mltr", - "rsa.misc.log_session_id": "bori", - "rsa.misc.severity": "high", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "mltr", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "January 19 13:25:23 quovolu high s=dexe mod=mltr nemul", - "fileset.name": "emailsecurity", - "input.type": "log", - 
"log.level": "high", - "log.offset": 10211, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.event_desc": "nemul", - "rsa.internal.messageid": "mltr", - "rsa.misc.client": "mltr", - "rsa.misc.log_session_id": "dexe", - "rsa.misc.severity": "high", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.action": "allow", - "event.code": "quame", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2019/02/02T20:27:57.quatur dminim mail_msg[ptatevel]: warn aperiame very-high s=eirured mod=sequamn cmd=perspici module=inimve rule=aea action=allow attachments=5821 rcpts=296 routes=ptat size=4878 guid=nde hdr_mid=quame qid=orumwri subject=atisu spamscore=66.849000 virusname=tse duration=rad elapsed=iat", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "very-high", - "log.offset": 10266, - "network.bytes": 4878, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "related.hosts": [ - "inimve" - ], - "rsa.counters.dclass_c1": 5821, - "rsa.counters.dclass_c1_str": "No of attachments:", - "rsa.counters.dclass_c2": 296, - "rsa.counters.dclass_c2_str": "No of recipients:", - "rsa.email.subject": "atisu", - "rsa.internal.messageid": "mail_msg", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.client": "sequamn", - "rsa.misc.event_source": "inimve", - "rsa.misc.log_session_id": "eirured", - "rsa.misc.obj_type": "perspici", - "rsa.misc.reference_id": "quame", - "rsa.misc.rule_name": "aea", - "rsa.misc.severity": "very-high", - "rsa.threat.threat_category": "tse", - "rsa.time.duration_str": "rad", - "rsa.web.reputation_num": 66.849, - "rule.name": "aea", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "destination.ip": "10.147.147.248", - "event.code": "sm-msp-queue", - "event.dataset": 
"proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2019/02/17T03:30:32.lorum suntexpl sm-msp-queue[iqu]: rprt iquamqu[6293]: audant: to=obeata, ctladdr=uredol, delay=uptat, xdelay=toditau, mailer=uiad, pri=nvolupta, relay=[10.80.133.120] [10.147.147.248], dsn=onpr, stat=uira", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.offset": 10572, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "process.pid": 6293, - "related.ip": [ - "10.147.147.248" - ], - "rsa.db.index": "uira", - "rsa.email.email_dst": "obeata", - "rsa.internal.messageid": "sm-msp-queue", - "rsa.misc.client": "iquamqu", - "rsa.misc.result_code": "onpr", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.action": "deny", - "event.code": "regulation_refresh", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2019/03/03T10:33:06.aliqu sequine regulation_refresh[utaliqui]: note isciv very-high mod=econ type=aborio cmd=rve id=catcup action=deny dict=runtmoll file=busBon", - "file.name": "busBon", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "very-high", - "log.offset": 10797, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "regulation_refresh", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.client": "econ", - "rsa.misc.obj_type": "rve", - "rsa.misc.severity": "very-high", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "destination.ip": "10.232.240.177", - "event.code": "queued-alert", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2019/03/17T17:35:40.occaeca dan queued-alert[pta]: err upt[4762]: itaedict: to=eroi, delay=onemull, xdelay=mdo, mailer=labore, pri=lorem, relay=[10.68.159.207] 
[10.232.240.177], dsn=estq, stat=quasiarc", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.offset": 10959, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "process.pid": 4762, - "related.ip": [ - "10.232.240.177" - ], - "rsa.db.index": "quasiarc", - "rsa.email.email_dst": "eroi", - "rsa.internal.messageid": "queued-alert", - "rsa.misc.client": "upt", - "rsa.misc.result_code": "estq", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "warn", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2019/04/01T00:38:14.tDuisaut uel warn[dexerc]: info vol high eid=agn status=\"iqu file: quamqua\"", - "file.name": "quamqua", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "high", - "log.offset": 11161, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "warn", - "rsa.misc.event_state": "iqu", - "rsa.misc.severity": "high", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.action": "cancel", - "event.code": "regulation_init", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "April 15 07:40:49 uunturm very-high mod=regulation type=iaconseq cmd=init id=tseddo action=cancel dict=rissusci file=ectetur", - "file.name": "ectetur", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "very-high", - "log.offset": 11257, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "regulation_init", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.client": "regulation", - "rsa.misc.msgIdPart1": "regulation", - "rsa.misc.msgIdPart2": "init", - "rsa.misc.obj_type": "init", - "rsa.misc.severity": "very-high", - 
"service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "zerohour_init", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "April 29 14:43:23 quaturve medium mod=zerohour type=gnamali cmd=init id=iumtota version=issusci", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "medium", - "log.offset": 11382, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "zerohour_init", - "rsa.misc.client": "zerohour", - "rsa.misc.msgIdPart1": "zerohour", - "rsa.misc.msgIdPart2": "init", - "rsa.misc.obj_type": "init", - "rsa.misc.severity": "medium", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "dmarc_type", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2019/05/13T21:45:57.ecillumd iumto dmarc_type[sequatu]: rprt tiumtot: medium mod=mdoloree type=que cmd=inBCSed id=cteturad policy_cache_entries=umq", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "medium", - "log.offset": 11478, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "dmarc_type", - "rsa.misc.client": "mdoloree", - "rsa.misc.obj_type": "inBCSed", - "rsa.misc.severity": "medium", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "mail_env_rcpt", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "May 28 04:48:31 reseo quam very-high s=pariat mod=mail_env_rcpt cmd=icaboNe r=4840 value=lumd verified=tiaec routes=lorem", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "very-high", - "log.offset": 11626, - "observer.product": "Email", - "observer.type": "Firewall", 
- "observer.vendor": "Proofpoint", - "rsa.counters.event_counter": 4840, - "rsa.email.email_dst": "lumd", - "rsa.internal.messageid": "mail_env_rcpt", - "rsa.misc.client": "mail_env_rcpt", - "rsa.misc.log_session_id": "pariat", - "rsa.misc.obj_type": "icaboNe", - "rsa.misc.severity": "very-high", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.action": "deny", - "event.code": "info", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "June 11 11:51:06 seq low mod=info sys=lorsita evt=deny active=itation expires=utlabo msg=tat", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "low", - "log.offset": 11748, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.event_desc": "tat", - "rsa.internal.messageid": "info", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.client": "info", - "rsa.misc.severity": "low", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "mail_env_from_itse", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "June 25 18:53:40 ididu medium s=epteurs mod=mail_env_from cmd=itse value=rever ofrom=sBonoru qid=ecatcu tls=ntoccae routes=iscive notroutes=amni host=etconse5657.api.lan ip=10.118.249.126 sampling=dminimv", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.offset": 11841, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "mail_env_from_itse", - "rsa.misc.msgIdPart1": "mail_env_from", - "rsa.misc.msgIdPart2": "itse", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "access_load", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": 
"2019/07/10T01:56:14.rep nostru access_load[docons]: info emipsumq low mod=qua type=modit cmd=tatione id=aedicta", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "low", - "log.offset": 12046, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "access_load", - "rsa.misc.client": "qua", - "rsa.misc.obj_type": "tatione", - "rsa.misc.severity": "low", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "mail_env_from_umexe", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "July 24 08:58:48 uas high s=reeufu mod=mail_env_from cmd=umexe value=xce ofrom=omnisis qid=corporis tls=tco routes=stiaec notroutes=Cicero host=ven5410.mail.host ip=10.170.55.203 sampling=deom", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.offset": 12158, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "mail_env_from_umexe", - "rsa.misc.msgIdPart1": "mail_env_from", - "rsa.misc.msgIdPart2": "umexe", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.action": "allow", - "event.code": "info", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2019/08/07T16:01:23.Utenima nse info[umq]: note enim low mod=meaquei sys=snisiu evt=allow active=atev expires=vento msg=litsed", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "low", - "log.offset": 12351, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.event_desc": "litsed", - "rsa.internal.messageid": "info", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.client": "meaquei", - "rsa.misc.severity": "low", - "service.type": "proofpoint", - "tags": [ - 
"forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.action": "block", - "event.code": "mail_continue-system-sendmail", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "August 21 23:03:57 susc taed high s=mipsumd mod=mail_continue-system-sendmail cmd=eiusmo action=block err=sum", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "high", - "log.offset": 12478, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "mail_continue-system-sendmail", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.client": "mail_continue-system-sendmail", - "rsa.misc.log_session_id": "mipsumd", - "rsa.misc.obj_type": "eiusmo", - "rsa.misc.severity": "high", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "send", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "September 5 06:06:31 ipex low s=upta cmd=send profile=ivel qid=tmollita rcpts=tionofd", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "low", - "log.offset": 12588, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.email.email_dst": "tionofd", - "rsa.internal.messageid": "send", - "rsa.misc.log_session_id": "upta", - "rsa.misc.obj_type": "send", - "rsa.misc.severity": "low", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "http_listen", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2019/09/19T13:09:05.ccaec repreh http_listen[imven]: note usan very-high mod=idolo cmd=olup addr=10.199.46.88", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "very-high", - "log.offset": 12674, - "observer.product": "Email", - "observer.type": "Firewall", 
- "observer.vendor": "Proofpoint", - "related.ip": [ - "10.199.46.88" - ], - "rsa.internal.messageid": "http_listen", - "rsa.misc.client": "idolo", - "rsa.misc.obj_type": "olup", - "rsa.misc.severity": "very-high", - "service.type": "proofpoint", - "source.ip": "10.199.46.88", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "destination.address": "Sedutper7794.www5.domain", - "destination.ip": "10.154.22.241", - "event.code": "lloinve", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2019/10/03T20:11:40.nulapari beataevi queued-VoltageEncrypt[3274]: eruntmol: from=plicab, size=5930, class=dmin, nrcpts=sum, msgid=lloinve, proto=ggp, daemon=nim, relay=Sedutper7794.www5.domain [10.154.22.241]", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.offset": 12784, - "network.bytes": 5930, - "network.protocol": "ggp", - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "process.pid": 3274, - "related.hosts": [ - "Sedutper7794.www5.domain" - ], - "related.ip": [ - "10.154.22.241" - ], - "rsa.email.email_src": "plicab", - "rsa.internal.messageid": "queued-VoltageEncrypt", - "rsa.misc.client": "queued-VoltageEncrypt", - "rsa.misc.reference_id": "lloinve", - "rsa.network.host_dst": "Sedutper7794.www5.domain", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "cvtd_encrypted", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2019/10/18T03:14:14.nvol doloreeu cvtd_encrypted[elillumq]: info loremeum medium pid=obeataev mod=rrorsit encrypted=aincid", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "medium", - "log.offset": 12994, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": "cvtd_encrypted", - "rsa.misc.client": "rrorsit", - 
"rsa.misc.severity": "medium", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "info", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "November 1 10:16:48 nis info pid=472 iin /uteiru: xer", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "info", - "log.offset": 13117, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "process.pid": 472, - "rsa.db.index": "uteiru", - "rsa.internal.messageid": "info", - "rsa.misc.action": [ - "iin" - ], - "rsa.misc.result_code": "xer", - "rsa.misc.severity": "info", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "soap_listen", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2019/11/15T17:19:22.isauteir eritquii soap_listen[atevelit]: note dese low mod=ionula cmd=itaed addr=10.38.111.125", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "low", - "log.offset": 13171, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "related.ip": [ - "10.38.111.125" - ], - "rsa.internal.messageid": "soap_listen", - "rsa.misc.client": "ionula", - "rsa.misc.obj_type": "itaed", - "rsa.misc.severity": "low", - "service.type": "proofpoint", - "source.ip": "10.38.111.125", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "event.code": "spam_load", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "November 30 00:21:57 ationem high mod=spam type=ing cmd=load id=ollita", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.level": "high", - "log.offset": 13286, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "rsa.internal.messageid": 
"spam_load", - "rsa.misc.client": "spam", - "rsa.misc.msgIdPart1": "spam", - "rsa.misc.msgIdPart2": "load", - "rsa.misc.obj_type": "load", - "rsa.misc.severity": "high", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - }, - { - "destination.address": "estla4081.corp", - "event.code": "queued-default", - "event.dataset": "proofpoint.emailsecurity", - "event.module": "proofpoint", - "event.original": "2019/12/14T07:24:31.nih ncididu queued-default[4250]: STARTTLS=gitsed, relay=estla4081.corp, version=meumf, verify=rExce, cipher=quisquam, bits=boreet", - "fileset.name": "emailsecurity", - "input.type": "log", - "log.offset": 13357, - "observer.product": "Email", - "observer.type": "Firewall", - "observer.vendor": "Proofpoint", - "process.pid": 4250, - "related.hosts": [ - "estla4081.corp" - ], - "rsa.internal.messageid": "queued-default", - "rsa.misc.client": "queued-default", - "rsa.network.host_dst": "estla4081.corp", - "service.type": "proofpoint", - "tags": [ - "forwarded", - "proofpoint.emailsecurity" - ] - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/proofpoint/fields.go b/x-pack/filebeat/module/proofpoint/fields.go deleted file mode 100644 index ed84d3f4abb..00000000000 --- a/x-pack/filebeat/module/proofpoint/fields.go +++ /dev/null 
@@ -1,23 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. - -package proofpoint - -import ( - "github.com/elastic/beats/v7/libbeat/asset" -) - -func init() { - if err := asset.SetFields("filebeat", "proofpoint", asset.ModuleFieldsPri, AssetProofpoint); err != nil { - panic(err) - } -} - -// AssetProofpoint returns asset data. -// This is the base64 encoded zlib format compressed contents of module/proofpoint. -func AssetProofpoint() string { - return "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" -} diff --git a/x-pack/filebeat/modules.d/proofpoint.yml.disabled b/x-pack/filebeat/modules.d/proofpoint.yml.disabled deleted file mode 100644 index 2c5dfec92e5..00000000000 --- a/x-pack/filebeat/modules.d/proofpoint.yml.disabled +++ /dev/null @@ -1,22 +0,0 @@ -# Module: proofpoint -# Docs: https://www.elastic.co/guide/en/beats/filebeat/main/filebeat-module-proofpoint.html - -- module: proofpoint - emailsecurity: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9531 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local From 6151a3848152c535384cf3fbbfeeb446746ebc8f Mon Sep 17 00:00:00 2001 
From: Panos Koutsovasilis Date: Thu, 15 Feb 2024 13:56:00 +0200 Subject: [PATCH 14/22] feat: remove deprecated radware --- filebeat/docs/fields.asciidoc | 5435 ----------------- filebeat/docs/modules_list.asciidoc | 2 - x-pack/filebeat/filebeat.reference.yml | 21 - x-pack/filebeat/include/list.go | 1 - x-pack/filebeat/module/radware/README.md | 7 - .../filebeat/module/radware/_meta/config.yml | 19 - .../module/radware/_meta/docs.asciidoc | 70 - .../filebeat/module/radware/_meta/fields.yml | 5 - .../radware/defensepro/_meta/fields.yml | 2635 -------- .../radware/defensepro/config/input.yml | 87 - .../radware/defensepro/config/liblogparser.js | 2514 -------- .../radware/defensepro/config/pipeline.js | 920 --- .../radware/defensepro/ingest/pipeline.yml | 64 - .../module/radware/defensepro/manifest.yml | 31 - x-pack/filebeat/module/radware/fields.go | 23 - .../filebeat/modules.d/radware.yml.disabled | 22 - 16 files changed, 11856 deletions(-) delete mode 100644 x-pack/filebeat/module/radware/README.md delete mode 100644 x-pack/filebeat/module/radware/_meta/config.yml delete mode 100644 x-pack/filebeat/module/radware/_meta/docs.asciidoc delete mode 100644 x-pack/filebeat/module/radware/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/radware/defensepro/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/radware/defensepro/config/input.yml delete mode 100644 x-pack/filebeat/module/radware/defensepro/config/liblogparser.js delete mode 100644 x-pack/filebeat/module/radware/defensepro/config/pipeline.js delete mode 100644 x-pack/filebeat/module/radware/defensepro/ingest/pipeline.yml delete mode 100644 x-pack/filebeat/module/radware/defensepro/manifest.yml delete mode 100644 x-pack/filebeat/module/radware/fields.go delete mode 100644 x-pack/filebeat/modules.d/radware.yml.disabled diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index b6ca4bc4629..59285b9012a 100644 --- a/filebeat/docs/fields.asciidoc 
+++ b/filebeat/docs/fields.asciidoc @@ -69,7 +69,6 @@ grouped in the following categories: * <> * <> * <> -* <> * <> * <> * <> 
@@ -54238,5440 +54237,6 @@ example: <0.222.0> -- -[[exported-fields-radware]] -== Radware DefensePro fields - -radware fields. - - - -*`network.interface.name`*:: -+ --- -Name of the network interface where the traffic has been observed. - - -type: keyword - --- - - - -*`rsa.internal.msg`*:: -+ --- -This key is used to capture the raw message that comes into the Log Decoder - -type: keyword - --- - -*`rsa.internal.messageid`*:: -+ --- -type: keyword - --- - -*`rsa.internal.event_desc`*:: -+ --- -type: keyword - --- - -*`rsa.internal.message`*:: -+ --- -This key captures the contents of instant messages - -type: keyword - --- - -*`rsa.internal.time`*:: -+ --- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: date - --- - -*`rsa.internal.level`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.msg_id`*:: -+ --- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.msg_vid`*:: -+ --- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.data`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_server`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_val`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.resource`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.internal.obj_id`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.statement`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.audit_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.entry`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.hcode`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.inode`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.resource_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.dead`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.feed_desc`*:: -+ --- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.feed_name`*:: -+ --- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.cid`*:: -+ --- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_class`*:: -+ --- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_group`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_host`*:: -+ --- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_ip`*:: -+ --- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_ipv6`*:: -+ --- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_type`*:: -+ --- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_type_id`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.did`*:: -+ --- -This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.entropy_req`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.entropy_res`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.event_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.feed_category`*:: -+ --- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.forward_ip`*:: -+ --- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: ip - --- - -*`rsa.internal.forward_ipv6`*:: -+ --- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.header_id`*:: -+ --- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_cid`*:: -+ --- -This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_ctime`*:: -+ --- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: date - --- - -*`rsa.internal.mcb_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcb_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcbc_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.mcbc_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.medium`*:: -+ --- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: long - --- - -*`rsa.internal.node_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.nwe_callback_id`*:: -+ --- -This key denotes that event is endpoint related - -type: keyword - --- - -*`rsa.internal.parse_error`*:: -+ --- -This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.payload_req`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.payload_res`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.process_vid_dst`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - -type: keyword - --- - -*`rsa.internal.process_vid_src`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - -type: keyword - --- - -*`rsa.internal.rid`*:: -+ --- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.session_split`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.site`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.size`*:: -+ --- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.sourcefile`*:: -+ --- -This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.ubc_req`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.ubc_res`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.word`*:: -+ --- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - -type: keyword - --- - - -*`rsa.time.event_time`*:: -+ --- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - -type: date - --- - -*`rsa.time.duration_time`*:: -+ --- -This key is used to capture the normalized duration/lifetime in seconds. 
- -type: double - --- - -*`rsa.time.event_time_str`*:: -+ --- -This key is used to capture the incomplete time mentioned in a session as a string - -type: keyword - --- - -*`rsa.time.starttime`*:: -+ --- -This key is used to capture the Start time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.month`*:: -+ --- -type: keyword - --- - -*`rsa.time.day`*:: -+ --- -type: keyword - --- - -*`rsa.time.endtime`*:: -+ --- -This key is used to capture the End time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.timezone`*:: -+ --- -This key is used to capture the timezone of the Event Time - -type: keyword - --- - -*`rsa.time.duration_str`*:: -+ --- -A text string version of the duration - -type: keyword - --- - -*`rsa.time.date`*:: -+ --- -type: keyword - --- - -*`rsa.time.year`*:: -+ --- -type: keyword - --- - -*`rsa.time.recorded_time`*:: -+ --- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date - --- - -*`rsa.time.datetime`*:: -+ --- -type: keyword - --- - -*`rsa.time.effective_time`*:: -+ --- -This key is the effective time referenced by an individual event in a Standard Timestamp format - -type: date - --- - -*`rsa.time.expire_time`*:: -+ --- -This key is the timestamp that explicitly refers to an expiration. - -type: date - --- - -*`rsa.time.process_time`*:: -+ --- -Deprecated, use duration.time - -type: keyword - --- - -*`rsa.time.hour`*:: -+ --- -type: keyword - --- - -*`rsa.time.min`*:: -+ --- -type: keyword - --- - -*`rsa.time.timestamp`*:: -+ --- -type: keyword - --- - -*`rsa.time.event_queue_time`*:: -+ --- -This key is the Time that the event was queued. 
- -type: date - --- - -*`rsa.time.p_time1`*:: -+ --- -type: keyword - --- - -*`rsa.time.tzone`*:: -+ --- -type: keyword - --- - -*`rsa.time.eventtime`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmtdate`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmttime`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_date`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_month`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time2`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_year`*:: -+ --- -type: keyword - --- - -*`rsa.time.expire_time_str`*:: -+ --- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. - -type: keyword - --- - -*`rsa.time.stamp`*:: -+ --- -Deprecated key defined only in table map. - -type: date - --- - - -*`rsa.misc.action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.result`*:: -+ --- -This key is used to capture the outcome/result string value of an action in a session. - -type: keyword - --- - -*`rsa.misc.severity`*:: -+ --- -This key is used to capture the severity given the session - -type: keyword - --- - -*`rsa.misc.event_type`*:: -+ --- -This key captures the event category type as specified by the event source. - -type: keyword - --- - -*`rsa.misc.reference_id`*:: -+ --- -This key is used to capture an event id from the session directly - -type: keyword - --- - -*`rsa.misc.version`*:: -+ --- -This key captures Version of the application or OS which is generating the event. - -type: keyword - --- - -*`rsa.misc.disposition`*:: -+ --- -This key captures the The end state of an action. 
- -type: keyword - --- - -*`rsa.misc.result_code`*:: -+ --- -This key is used to capture the outcome/result numeric value of an action in a session - -type: keyword - --- - -*`rsa.misc.category`*:: -+ --- -This key is used to capture the category of an event given by the vendor in the session - -type: keyword - --- - -*`rsa.misc.obj_name`*:: -+ --- -This is used to capture name of object - -type: keyword - --- - -*`rsa.misc.obj_type`*:: -+ --- -This is used to capture type of object - -type: keyword - --- - -*`rsa.misc.event_source`*:: -+ --- -This key captures Source of the event that’s not a hostname - -type: keyword - --- - -*`rsa.misc.log_session_id`*:: -+ --- -This key is used to capture a sessionid from the session directly - -type: keyword - --- - -*`rsa.misc.group`*:: -+ --- -This key captures the Group Name value - -type: keyword - --- - -*`rsa.misc.policy_name`*:: -+ --- -This key is used to capture the Policy Name only. - -type: keyword - --- - -*`rsa.misc.rule_name`*:: -+ --- -This key captures the Rule Name - -type: keyword - --- - -*`rsa.misc.context`*:: -+ --- -This key captures Information which adds additional context to the event. - -type: keyword - --- - -*`rsa.misc.change_new`*:: -+ --- -This key is used to capture the new values of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.space`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client`*:: -+ --- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- -type: keyword - --- - -*`rsa.misc.msgIdPart1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.change_old`*:: -+ --- -This key is used to capture the old value of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.operation_id`*:: -+ --- -An alert number or operation number. The values should be unique and non-repeating. - -type: keyword - --- - -*`rsa.misc.event_state`*:: -+ --- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - -type: keyword - --- - -*`rsa.misc.group_object`*:: -+ --- -This key captures a collection/grouping of entities. Specific usage - -type: keyword - --- - -*`rsa.misc.node`*:: -+ --- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - -type: keyword - --- - -*`rsa.misc.rule`*:: -+ --- -This key captures the Rule number - -type: keyword - --- - -*`rsa.misc.device_name`*:: -+ --- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - -type: keyword - --- - -*`rsa.misc.param`*:: -+ --- -This key is the parameters passed as part of a command or application, etc. - -type: keyword - --- - -*`rsa.misc.change_attrib`*:: -+ --- -This key is used to capture the name of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.event_computer`*:: -+ --- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- -type: keyword - --- - -*`rsa.misc.reference_id1`*:: -+ --- -This key is for Linked ID to be used as an addition to "reference.id" - -type: keyword - --- - -*`rsa.misc.event_log`*:: -+ --- -This key captures the Name of the event log - -type: keyword - --- - -*`rsa.misc.OS`*:: -+ --- -This key captures the Name of the Operating System - -type: keyword - --- - -*`rsa.misc.terminal`*:: -+ --- -This key captures the Terminal Names only - -type: keyword - --- - -*`rsa.misc.msgIdPart3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.filter`*:: -+ --- -This key captures Filter used to reduce result set - -type: keyword - --- - -*`rsa.misc.serial_number`*:: -+ --- -This key is the Serial number associated with a physical asset. - -type: keyword - --- - -*`rsa.misc.checksum`*:: -+ --- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - -type: keyword - --- - -*`rsa.misc.event_user`*:: -+ --- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - -type: keyword - --- - -*`rsa.misc.virusname`*:: -+ --- -This key captures the name of the virus - -type: keyword - --- - -*`rsa.misc.content_type`*:: -+ --- -This key is used to capture Content Type only. - -type: keyword - --- - -*`rsa.misc.group_id`*:: -+ --- -This key captures Group ID Number (related to the group name) - -type: keyword - --- - -*`rsa.misc.policy_id`*:: -+ --- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - -type: keyword - --- - -*`rsa.misc.vsys`*:: -+ --- -This key captures Virtual System Name - -type: keyword - --- - -*`rsa.misc.connection_id`*:: -+ --- -This key captures the Connection ID - -type: keyword - --- - -*`rsa.misc.reference_id2`*:: -+ --- -This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - -type: keyword - --- - -*`rsa.misc.sensor`*:: -+ --- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - -type: keyword - --- - -*`rsa.misc.sig_id`*:: -+ --- -This key captures IDS/IPS Int Signature ID - -type: long - --- - -*`rsa.misc.port_name`*:: -+ --- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - -type: keyword - --- - -*`rsa.misc.rule_group`*:: -+ --- -This key captures the Rule group name - -type: keyword - --- - -*`rsa.misc.risk_num`*:: -+ --- -This key captures a Numeric Risk value - -type: double - --- - -*`rsa.misc.trigger_val`*:: -+ --- -This key captures the Value of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.log_session_id1`*:: -+ --- -This key is used to capture a Linked (Related) Session ID from the session directly - -type: keyword - --- - -*`rsa.misc.comp_version`*:: -+ --- -This key captures the Version level of a sub-component of a product. - -type: keyword - --- - -*`rsa.misc.content_version`*:: -+ --- -This key captures Version level of a signature or database content. - -type: keyword - --- - -*`rsa.misc.hardware_id`*:: -+ --- -This key is used to capture unique identifier for a device or system (NOT a Mac address) - -type: keyword - --- - -*`rsa.misc.risk`*:: -+ --- -This key captures the non-numeric risk value - -type: keyword - --- - -*`rsa.misc.event_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.reason`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mail_id`*:: -+ --- -This key is used to capture the mailbox id/name - -type: keyword - --- - -*`rsa.misc.rule_uid`*:: -+ --- -This key is the Unique Identifier for a rule. 
- -type: keyword - --- - -*`rsa.misc.trigger_desc`*:: -+ --- -This key captures the Description of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.inout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.data_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.error`*:: -+ --- -This key captures All non successful Error codes or responses - -type: keyword - --- - -*`rsa.misc.index`*:: -+ --- -type: keyword - --- - -*`rsa.misc.listnum`*:: -+ --- -This key is used to capture listname or listnumber, primarily for collecting access-list - -type: keyword - --- - -*`rsa.misc.ntype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.observed_val`*:: -+ --- -This key captures the Value observed (from the perspective of the device generating the log). - -type: keyword - --- - -*`rsa.misc.policy_value`*:: -+ --- -This key captures the contents of the policy. This contains details about the policy - -type: keyword - --- - -*`rsa.misc.pool_name`*:: -+ --- -This key captures the name of a resource pool - -type: keyword - --- - -*`rsa.misc.rule_template`*:: -+ --- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - -type: keyword - --- - -*`rsa.misc.count`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigcat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comments`*:: -+ --- -Comment information provided in the log message - -type: keyword - --- - -*`rsa.misc.doc_number`*:: -+ --- -This key captures File Identification number - -type: long - --- - -*`rsa.misc.expected_val`*:: -+ --- -This key captures the Value expected (from the perspective of the device generating the log). 
- -type: keyword - --- - -*`rsa.misc.job_num`*:: -+ --- -This key captures the Job Number - -type: keyword - --- - -*`rsa.misc.spi_dst`*:: -+ --- -Destination SPI Index - -type: keyword - --- - -*`rsa.misc.spi_src`*:: -+ --- -Source SPI Index - -type: keyword - --- - -*`rsa.misc.code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.agent_id`*:: -+ --- -This key is used to capture agent id - -type: keyword - --- - -*`rsa.misc.message_body`*:: -+ --- -This key captures the The contents of the message body. - -type: keyword - --- - -*`rsa.misc.phone`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sig_id_str`*:: -+ --- -This key captures a string object of the sigid variable. - -type: keyword - --- - -*`rsa.misc.cmd`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu`*:: -+ --- -This key is the CPU time used in the execution of the event being recorded. - -type: long - --- - -*`rsa.misc.event_desc`*:: -+ --- -This key is used to capture a description of an event available directly or inferred - -type: keyword - --- - -*`rsa.misc.sig_id1`*:: -+ --- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - -type: long - --- - -*`rsa.misc.im_buddyid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_client`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.priority`*:: -+ --- -type: keyword - --- - -*`rsa.misc.context_subject`*:: -+ --- -This key is to be used in an audit context where the subject is the object being identified - -type: keyword - --- - -*`rsa.misc.context_target`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cve`*:: -+ --- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - -type: keyword - --- - -*`rsa.misc.fcatnum`*:: -+ --- -This key captures Filter Category Number. 
Legacy Usage - -type: keyword - --- - -*`rsa.misc.library`*:: -+ --- -This key is used to capture library information in mainframe devices - -type: keyword - --- - -*`rsa.misc.parent_node`*:: -+ --- -This key captures the Parent Node Name. Must be related to node variable. - -type: keyword - --- - -*`rsa.misc.risk_info`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.tcp_flags`*:: -+ --- -This key is captures the TCP flags set in any packet of session - -type: long - --- - -*`rsa.misc.tos`*:: -+ --- -This key describes the type of service - -type: long - --- - -*`rsa.misc.vm_target`*:: -+ --- -VMWare Target **VMWARE** only varaible. - -type: keyword - --- - -*`rsa.misc.workspace`*:: -+ --- -This key captures Workspace Description - -type: keyword - --- - -*`rsa.misc.command`*:: -+ --- -type: keyword - --- - -*`rsa.misc.event_category`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facilityname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.forensic_info`*:: -+ --- -type: keyword - --- - -*`rsa.misc.jobname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy_waiver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.second`*:: -+ --- -type: keyword - --- - -*`rsa.misc.space1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.subcategory`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alert_id`*:: -+ --- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.checksum_dst`*:: -+ --- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - -type: keyword - --- - -*`rsa.misc.checksum_src`*:: -+ --- -This key is used to capture the checksum or hash of the source entity such as a file or process. 
- -type: keyword - --- - -*`rsa.misc.fresult`*:: -+ --- -This key captures the Filter Result - -type: long - --- - -*`rsa.misc.payload_dst`*:: -+ --- -This key is used to capture destination payload - -type: keyword - --- - -*`rsa.misc.payload_src`*:: -+ --- -This key is used to capture source payload - -type: keyword - --- - -*`rsa.misc.pool_id`*:: -+ --- -This key captures the identifier (typically numeric field) of a resource pool - -type: keyword - --- - -*`rsa.misc.process_id_val`*:: -+ --- -This key is a failure key for Process ID when it is not an integer value - -type: keyword - --- - -*`rsa.misc.risk_num_comm`*:: -+ --- -This key captures Risk Number Community - -type: double - --- - -*`rsa.misc.risk_num_next`*:: -+ --- -This key captures Risk Number NextGen - -type: double - --- - -*`rsa.misc.risk_num_sand`*:: -+ --- -This key captures Risk Number SandBox - -type: double - --- - -*`rsa.misc.risk_num_static`*:: -+ --- -This key captures Risk Number Static - -type: double - --- - -*`rsa.misc.risk_suspicious`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.risk_warning`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.snmp_oid`*:: -+ --- -SNMP Object Identifier - -type: keyword - --- - -*`rsa.misc.sql`*:: -+ --- -This key captures the SQL query - -type: keyword - --- - -*`rsa.misc.vuln_ref`*:: -+ --- -This key captures the Vulnerability Reference details - -type: keyword - --- - -*`rsa.misc.acl_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_op`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_pos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_table`*:: -+ --- -type: keyword - --- - -*`rsa.misc.admin`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarm_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarmname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.app_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.audit`*:: 
-+ --- -type: keyword - --- - -*`rsa.misc.audit_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.auditdata`*:: -+ --- -type: keyword - --- - -*`rsa.misc.benchmark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.bypass`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache_hit`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cefversion`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_attr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_obj`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_path`*:: -+ --- -type: keyword - --- - -*`rsa.misc.changes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client_ip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.clustermembers`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_acttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_asn_src`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_bgpv4nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ctr_dst_code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_f_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampintv`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampmode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inacttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermbyts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermpckts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_invalid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ip_proto_ver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ipv4_ident`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_l_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_did`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_rid`*:: -+ --- -type: keyword - 
--- - -*`rsa.misc.cn_max_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_maxpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_min_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_minpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_10`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_5`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_6`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_7`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_8`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_9`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_byt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_pks`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_muligmptype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampalgo`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampint`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_seqctr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_spackets`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sysuptime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_template_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totbytsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totflowexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totpcktsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_unixnanosecs`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6flowlabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6optheaders`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.comp_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_rbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_sbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.criticality`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_agency_dst`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_analyzedby`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_other`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_primary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_secondary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bgpv6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bit9status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_context`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_control`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_datecret`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_dst_tld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_dst_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_src_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_event_uuid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_filetype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_desc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ip_next_hop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4dstpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4srcpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_lifetime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_log_medium`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_loginname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulescore`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulesign`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_opswatresult`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.cs_payload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrant`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrar`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_represult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_rpayload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sampler_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sourcemodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_streams`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_targetmodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_v6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_whois_server`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_yararesult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.description`*:: -+ --- -type: keyword - --- - -*`rsa.misc.devvendor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.distance`*:: -+ --- -type: keyword - --- - -*`rsa.misc.dstburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomaub`*:: -+ --- -type: keyword - --- - -*`rsa.misc.euid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facility`*:: -+ --- -type: keyword - --- - -*`rsa.misc.finterface`*:: -+ --- -type: keyword - --- - -*`rsa.misc.flags`*:: -+ --- -type: keyword - --- - -*`rsa.misc.gaddr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.id3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_buddyname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomtype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_members`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_username`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipscat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipspri`*:: -+ --- -type: keyword - --- - -*`rsa.misc.latitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.linenum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.list_name`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.load_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_floor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_mark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.longitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.lport`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mbug_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msg_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.netsessid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.nwwn`*:: -+ --- -type: keyword - --- - -*`rsa.misc.object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.operation`*:: -+ --- -type: keyword - --- - -*`rsa.misc.opkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.orig_from`*:: -+ --- -type: keyword - --- - -*`rsa.misc.owner_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_filter`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_group_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_result1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_chg`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_expire`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permgranted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permwanted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pgid`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.policyUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.prog_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.program`*:: -+ --- -type: keyword - --- - -*`rsa.misc.real_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_device`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_library`*:: -+ --- -type: keyword - --- - -*`rsa.misc.recordnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ruid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sdomain_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sec`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sensorname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.seqnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.session`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sessiontype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.spi`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcservice`*:: -+ --- -type: keyword - --- - -*`rsa.misc.state`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.svcno`*:: -+ --- -type: keyword - --- - -*`rsa.misc.system`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.threshold`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.udb_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.url_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.user_div`*:: -+ --- -type: keyword - --- - -*`rsa.misc.userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.username_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.utcstamp`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.v_instafname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.virt_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.vpnid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.autorun_type`*:: -+ --- -This is used to capture Auto Run type - -type: keyword - --- - -*`rsa.misc.cc_number`*:: -+ --- -Valid Credit Card Numbers only - -type: long - --- - -*`rsa.misc.content`*:: -+ --- -This key captures the content type from protocol headers - -type: keyword - --- - -*`rsa.misc.ein_number`*:: -+ --- -Employee Identification Numbers only - -type: long - --- - -*`rsa.misc.found`*:: -+ --- -This is used to capture the results of regex match - -type: keyword - --- - -*`rsa.misc.language`*:: -+ --- -This is used to capture list of languages the client support and what it prefers - -type: keyword - --- - -*`rsa.misc.lifetime`*:: -+ --- -This key is used to capture the session lifetime in seconds. - -type: long - --- - -*`rsa.misc.link`*:: -+ --- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.misc.match`*:: -+ --- -This key is for regex match name from search.ini - -type: keyword - --- - -*`rsa.misc.param_dst`*:: -+ --- -This key captures the command line/launch argument of the target process or file - -type: keyword - --- - -*`rsa.misc.param_src`*:: -+ --- -This key captures source parameter - -type: keyword - --- - -*`rsa.misc.search_text`*:: -+ --- -This key captures the Search Text used - -type: keyword - --- - -*`rsa.misc.sig_name`*:: -+ --- -This key is used to capture the Signature Name only. - -type: keyword - --- - -*`rsa.misc.snmp_value`*:: -+ --- -SNMP set request value - -type: keyword - --- - -*`rsa.misc.streams`*:: -+ --- -This key captures number of streams in session - -type: long - --- - - -*`rsa.db.index`*:: -+ --- -This key captures IndexID of the index. 
- -type: keyword - --- - -*`rsa.db.instance`*:: -+ --- -This key is used to capture the database server instance name - -type: keyword - --- - -*`rsa.db.database`*:: -+ --- -This key is used to capture the name of a database or an instance as seen in a session - -type: keyword - --- - -*`rsa.db.transact_id`*:: -+ --- -This key captures the SQL transantion ID of the current session - -type: keyword - --- - -*`rsa.db.permissions`*:: -+ --- -This key captures permission or privilege level assigned to a resource. - -type: keyword - --- - -*`rsa.db.table_name`*:: -+ --- -This key is used to capture the table name - -type: keyword - --- - -*`rsa.db.db_id`*:: -+ --- -This key is used to capture the unique identifier for a database - -type: keyword - --- - -*`rsa.db.db_pid`*:: -+ --- -This key captures the process id of a connection with database server - -type: long - --- - -*`rsa.db.lread`*:: -+ --- -This key is used for the number of logical reads - -type: long - --- - -*`rsa.db.lwrite`*:: -+ --- -This key is used for the number of logical writes - -type: long - --- - -*`rsa.db.pread`*:: -+ --- -This key is used for the number of physical writes - -type: long - --- - - -*`rsa.network.alias_host`*:: -+ --- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - -type: keyword - --- - -*`rsa.network.domain`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_dst`*:: -+ --- -This key should only be used when it’s a Destination Hostname - -type: keyword - --- - -*`rsa.network.network_service`*:: -+ --- -This is used to capture layer 7 protocols/service names - -type: keyword - --- - -*`rsa.network.interface`*:: -+ --- -This key should be used when the source or destination context of an interface is not clear - -type: keyword - --- - -*`rsa.network.network_port`*:: -+ --- -Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) - -type: long - --- - -*`rsa.network.eth_host`*:: -+ --- -Deprecated, use alias.mac - -type: keyword - --- - -*`rsa.network.sinterface`*:: -+ --- -This key should only be used when it’s a Source Interface - -type: keyword - --- - -*`rsa.network.dinterface`*:: -+ --- -This key should only be used when it’s a Destination Interface - -type: keyword - --- - -*`rsa.network.vlan`*:: -+ --- -This key should only be used to capture the ID of the Virtual LAN - -type: long - --- - -*`rsa.network.zone_src`*:: -+ --- -This key should only be used when it’s a Source Zone. - -type: keyword - --- - -*`rsa.network.zone`*:: -+ --- -This key should be used when the source or destination context of a Zone is not clear - -type: keyword - --- - -*`rsa.network.zone_dst`*:: -+ --- -This key should only be used when it’s a Destination Zone. - -type: keyword - --- - -*`rsa.network.gateway`*:: -+ --- -This key is used to capture the IP Address of the gateway - -type: keyword - --- - -*`rsa.network.icmp_type`*:: -+ --- -This key is used to capture the ICMP type only - -type: long - --- - -*`rsa.network.mask`*:: -+ --- -This key is used to capture the device network IPmask. 
- -type: keyword - --- - -*`rsa.network.icmp_code`*:: -+ --- -This key is used to capture the ICMP code only - -type: long - --- - -*`rsa.network.protocol_detail`*:: -+ --- -This key should be used to capture additional protocol information - -type: keyword - --- - -*`rsa.network.dmask`*:: -+ --- -This key is used for Destionation Device network mask - -type: keyword - --- - -*`rsa.network.port`*:: -+ --- -This key should only be used to capture a Network Port when the directionality is not clear - -type: long - --- - -*`rsa.network.smask`*:: -+ --- -This key is used for capturing source Network Mask - -type: keyword - --- - -*`rsa.network.netname`*:: -+ --- -This key is used to capture the network name associated with an IP range. This is configured by the end user. - -type: keyword - --- - -*`rsa.network.paddr`*:: -+ --- -Deprecated - -type: ip - --- - -*`rsa.network.faddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.lhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.origin`*:: -+ --- -type: keyword - --- - -*`rsa.network.remote_domain_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.addr`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_a_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_ptr_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.fhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.fport`*:: -+ --- -type: keyword - --- - -*`rsa.network.laddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.linterface`*:: -+ --- -type: keyword - --- - -*`rsa.network.phost`*:: -+ --- -type: keyword - --- - -*`rsa.network.ad_computer_dst`*:: -+ --- -Deprecated, use host.dst - -type: keyword - --- - -*`rsa.network.eth_type`*:: -+ --- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: long - --- - -*`rsa.network.ip_proto`*:: -+ --- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - -type: long - --- - -*`rsa.network.dns_cname_record`*:: -+ --- 
-type: keyword - --- - -*`rsa.network.dns_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_opcode`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_resp`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.domain1`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.packet_length`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_orig`*:: -+ --- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - -type: keyword - --- - -*`rsa.network.rpayload`*:: -+ --- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. - -type: keyword - --- - -*`rsa.network.vlan_name`*:: -+ --- -This key should only be used to capture the name of the Virtual LAN - -type: keyword - --- - - -*`rsa.investigations.ec_activity`*:: -+ --- -This key captures the particular event activity(Ex:Logoff) - -type: keyword - --- - -*`rsa.investigations.ec_theme`*:: -+ --- -This key captures the Theme of a particular Event(Ex:Authentication) - -type: keyword - --- - -*`rsa.investigations.ec_subject`*:: -+ --- -This key captures the Subject of a particular Event(Ex:User) - -type: keyword - --- - -*`rsa.investigations.ec_outcome`*:: -+ --- -This key captures the outcome of a particular Event(Ex:Success) - -type: keyword - --- - -*`rsa.investigations.event_cat`*:: -+ --- -This key captures the Event category number - -type: long - --- - -*`rsa.investigations.event_cat_name`*:: -+ --- -This key captures the event category name corresponding to the event cat code - -type: keyword - --- - -*`rsa.investigations.event_vcat`*:: -+ --- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - -type: keyword - --- - -*`rsa.investigations.analysis_file`*:: -+ --- -This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - -type: keyword - --- - -*`rsa.investigations.analysis_service`*:: -+ --- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - -type: keyword - --- - -*`rsa.investigations.analysis_session`*:: -+ --- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - -type: keyword - --- - -*`rsa.investigations.boc`*:: -+ --- -This is used to capture behaviour of compromise - -type: keyword - --- - -*`rsa.investigations.eoc`*:: -+ --- -This is used to capture Enablers of Compromise - -type: keyword - --- - -*`rsa.investigations.inv_category`*:: -+ --- -This used to capture investigation category - -type: keyword - --- - -*`rsa.investigations.inv_context`*:: -+ --- -This used to capture investigation context - -type: keyword - --- - -*`rsa.investigations.ioc`*:: -+ --- -This is key capture indicator of compromise - -type: keyword - --- - - -*`rsa.counters.dclass_c1`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c1.str only - -type: long - --- - -*`rsa.counters.dclass_c2`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c2.str only - -type: long - --- - -*`rsa.counters.event_counter`*:: -+ --- -This is used to capture the number of times an event repeated - -type: long - --- - -*`rsa.counters.dclass_r1`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r1.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c3.str only - -type: long - --- - -*`rsa.counters.dclass_c1_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c1 only - -type: keyword - --- - -*`rsa.counters.dclass_c2_str`*:: -+ --- -This is a generic counter string key that should be 
used with the label dclass.c2 only - -type: keyword - --- - -*`rsa.counters.dclass_r1_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r1 only - -type: keyword - --- - -*`rsa.counters.dclass_r2`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r2.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c3 only - -type: keyword - --- - -*`rsa.counters.dclass_r3`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r3.str only - -type: keyword - --- - -*`rsa.counters.dclass_r2_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r2 only - -type: keyword - --- - -*`rsa.counters.dclass_r3_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r3 only - -type: keyword - --- - - -*`rsa.identity.auth_method`*:: -+ --- -This key is used to capture authentication methods used only - -type: keyword - --- - -*`rsa.identity.user_role`*:: -+ --- -This key is used to capture the Role of a user only - -type: keyword - --- - -*`rsa.identity.dn`*:: -+ --- -X.500 (LDAP) Distinguished Name - -type: keyword - --- - -*`rsa.identity.logon_type`*:: -+ --- -This key is used to capture the type of logon method used. 
- -type: keyword - --- - -*`rsa.identity.profile`*:: -+ --- -This key is used to capture the user profile - -type: keyword - --- - -*`rsa.identity.accesses`*:: -+ --- -This key is used to capture actual privileges used in accessing an object - -type: keyword - --- - -*`rsa.identity.realm`*:: -+ --- -Radius realm or similar grouping of accounts - -type: keyword - --- - -*`rsa.identity.user_sid_dst`*:: -+ --- -This key captures Destination User Session ID - -type: keyword - --- - -*`rsa.identity.dn_src`*:: -+ --- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - -type: keyword - --- - -*`rsa.identity.org`*:: -+ --- -This key captures the User organization - -type: keyword - --- - -*`rsa.identity.dn_dst`*:: -+ --- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - -type: keyword - --- - -*`rsa.identity.firstname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.lastname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.user_dept`*:: -+ --- -User's Department Names only - -type: keyword - --- - -*`rsa.identity.user_sid_src`*:: -+ --- -This key captures Source User Session ID - -type: keyword - --- - -*`rsa.identity.federated_sp`*:: -+ --- -This key is the Federated Service Provider. This is the application requesting authentication. - -type: keyword - --- - -*`rsa.identity.federated_idp`*:: -+ --- -This key is the federated Identity Provider. This is the server providing the authentication. - -type: keyword - --- - -*`rsa.identity.logon_type_desc`*:: -+ --- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- -type: keyword - --- - -*`rsa.identity.middlename`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.password`*:: -+ --- -This key is for Passwords seen in any session, plain text or encrypted - -type: keyword - --- - -*`rsa.identity.host_role`*:: -+ --- -This key should only be used to capture the role of a Host Machine - -type: keyword - --- - -*`rsa.identity.ldap`*:: -+ --- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - -type: keyword - --- - -*`rsa.identity.ldap_query`*:: -+ --- -This key is the Search criteria from an LDAP search - -type: keyword - --- - -*`rsa.identity.ldap_response`*:: -+ --- -This key is to capture Results from an LDAP search - -type: keyword - --- - -*`rsa.identity.owner`*:: -+ --- -This is used to capture username the process or service is running as, the author of the task - -type: keyword - --- - -*`rsa.identity.service_account`*:: -+ --- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - -type: keyword - --- - - -*`rsa.email.email_dst`*:: -+ --- -This key is used to capture the Destination email address only, when the destination context is not clear use email - -type: keyword - --- - -*`rsa.email.email_src`*:: -+ --- -This key is used to capture the source email address only, when the source context is not clear use email - -type: keyword - --- - -*`rsa.email.subject`*:: -+ --- -This key is used to capture the subject string from an Email only. - -type: keyword - --- - -*`rsa.email.email`*:: -+ --- -This key is used to capture a generic email address where the source or destination context is not clear - -type: keyword - --- - -*`rsa.email.trans_from`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.email.trans_to`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - - -*`rsa.file.privilege`*:: -+ --- -Deprecated, use permissions - -type: keyword - --- - -*`rsa.file.attachment`*:: -+ --- -This key captures the attachment file name - -type: keyword - --- - -*`rsa.file.filesystem`*:: -+ --- -type: keyword - --- - -*`rsa.file.binary`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.file.filename_dst`*:: -+ --- -This is used to capture name of the file targeted by the action - -type: keyword - --- - -*`rsa.file.filename_src`*:: -+ --- -This is used to capture name of the parent filename, the file which performed the action - -type: keyword - --- - -*`rsa.file.filename_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.file.directory_dst`*:: -+ --- -This key is used to capture the directory of the target process or file - -type: keyword - --- - -*`rsa.file.directory_src`*:: -+ --- -This key is used to capture the directory of the source process or file - -type: keyword - --- - -*`rsa.file.file_entropy`*:: -+ --- -This is used to capture entropy vale of a file - -type: double - --- - -*`rsa.file.file_vendor`*:: -+ --- -This is used to capture Company name of file located in version_info - -type: keyword - --- - -*`rsa.file.task_name`*:: -+ --- -This is used to capture name of the task - -type: keyword - --- - - -*`rsa.web.fqdn`*:: -+ --- -Fully Qualified Domain Names - -type: keyword - --- - -*`rsa.web.web_cookie`*:: -+ --- -This key is used to capture the Web cookies specifically. - -type: keyword - --- - -*`rsa.web.alias_host`*:: -+ --- -type: keyword - --- - -*`rsa.web.reputation_num`*:: -+ --- -Reputation Number of an entity. 
Typically used for Web Domains - -type: double - --- - -*`rsa.web.web_ref_domain`*:: -+ --- -Web referer's domain - -type: keyword - --- - -*`rsa.web.web_ref_query`*:: -+ --- -This key captures Web referer's query portion of the URL - -type: keyword - --- - -*`rsa.web.remote_domain`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_ref_page`*:: -+ --- -This key captures Web referer's page information - -type: keyword - --- - -*`rsa.web.web_ref_root`*:: -+ --- -Web referer's root URL path - -type: keyword - --- - -*`rsa.web.cn_asn_dst`*:: -+ --- -type: keyword - --- - -*`rsa.web.cn_rpackets`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlpage`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlroot`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_url`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_user_agent`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_cookie`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_method`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_referer`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_extension_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_page`*:: -+ --- -type: keyword - --- - - -*`rsa.threat.threat_category`*:: -+ --- -This key captures Threat Name/Threat Category/Categorization of alert - -type: keyword - --- - -*`rsa.threat.threat_desc`*:: -+ --- -This key is used to capture the threat description from the session directly or inferred - -type: keyword - --- - -*`rsa.threat.alert`*:: -+ --- -This key is used to capture name of the alert - -type: keyword - --- - -*`rsa.threat.threat_source`*:: -+ --- -This key is used to capture source of the threat - -type: keyword - --- - - -*`rsa.crypto.crypto`*:: -+ --- -This key is used to capture the Encryption Type or Encryption Key only - -type: keyword - --- - -*`rsa.crypto.cipher_src`*:: -+ --- -This key is for Source (Client) Cipher - -type: keyword - --- - -*`rsa.crypto.cert_subject`*:: -+ --- -This key is used to capture the Certificate organization only - -type: keyword - --- 
- -*`rsa.crypto.peer`*:: -+ --- -This key is for Encryption peer's IP Address - -type: keyword - --- - -*`rsa.crypto.cipher_size_src`*:: -+ --- -This key captures Source (Client) Cipher Size - -type: long - --- - -*`rsa.crypto.ike`*:: -+ --- -IKE negotiation phase. - -type: keyword - --- - -*`rsa.crypto.scheme`*:: -+ --- -This key captures the Encryption scheme used - -type: keyword - --- - -*`rsa.crypto.peer_id`*:: -+ --- -This key is for Encryption peer’s identity - -type: keyword - --- - -*`rsa.crypto.sig_type`*:: -+ --- -This key captures the Signature Type - -type: keyword - --- - -*`rsa.crypto.cert_issuer`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.crypto.cert_error`*:: -+ --- -This key captures the Certificate Error String - -type: keyword - --- - -*`rsa.crypto.cipher_dst`*:: -+ --- -This key is for Destination (Server) Cipher - -type: keyword - --- - -*`rsa.crypto.cipher_size_dst`*:: -+ --- -This key captures Destination (Server) Cipher Size - -type: long - --- - -*`rsa.crypto.ssl_ver_src`*:: -+ --- -Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.d_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.s_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.ike_cookie1`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase One - -type: keyword - --- - -*`rsa.crypto.ike_cookie2`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase Two - -type: keyword - --- - -*`rsa.crypto.cert_checksum`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_cat`*:: -+ --- -This key is used for the hostname category value of a certificate - -type: keyword - --- - -*`rsa.crypto.cert_serial`*:: -+ --- -This key is used to capture the Certificate serial number only - -type: keyword - --- - -*`rsa.crypto.cert_status`*:: -+ --- -This key captures Certificate validation status - -type: keyword - --- - -*`rsa.crypto.ssl_ver_dst`*:: -+ --- 
-Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.cert_keysize`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_username`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_insact`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_valid`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_ca`*:: -+ --- -This key is used to capture the Certificate signing authority only - -type: keyword - --- - -*`rsa.crypto.cert_common`*:: -+ --- -This key is used to capture the Certificate common name only - -type: keyword - --- - - -*`rsa.wireless.wlan_ssid`*:: -+ --- -This key is used to capture the ssid of a Wireless Session - -type: keyword - --- - -*`rsa.wireless.access_point`*:: -+ --- -This key is used to capture the access point name. - -type: keyword - --- - -*`rsa.wireless.wlan_channel`*:: -+ --- -This is used to capture the channel names - -type: long - --- - -*`rsa.wireless.wlan_name`*:: -+ --- -This key captures either WLAN number/name - -type: keyword - --- - - -*`rsa.storage.disk_volume`*:: -+ --- -A unique name assigned to logical units (volumes) within a physical disk - -type: keyword - --- - -*`rsa.storage.lun`*:: -+ --- -Logical Unit Number.This key is a very useful concept in Storage. - -type: keyword - --- - -*`rsa.storage.pwwn`*:: -+ --- -This uniquely identifies a port on a HBA. - -type: keyword - --- - - -*`rsa.physical.org_dst`*:: -+ --- -This is used to capture the destination organization based on the GEOPIP Maxmind database. - -type: keyword - --- - -*`rsa.physical.org_src`*:: -+ --- -This is used to capture the source organization based on the GEOPIP Maxmind database. 
- -type: keyword - --- - - -*`rsa.healthcare.patient_fname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_id`*:: -+ --- -This key captures the unique ID for a patient - -type: keyword - --- - -*`rsa.healthcare.patient_lname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_mname`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - - -*`rsa.endpoint.host_state`*:: -+ --- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - -type: keyword - --- - -*`rsa.endpoint.registry_key`*:: -+ --- -This key captures the path to the registry key - -type: keyword - --- - -*`rsa.endpoint.registry_value`*:: -+ --- -This key captures values or decorators used within a registry entry - -type: keyword - --- - [[exported-fields-redis]] == Redis fields diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index 0738c21dca4..a1d29135c59 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -46,7 +46,6 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> - * <> * <> * <> * <> @@ -112,7 +111,6 @@ include::modules/panw.asciidoc[] include::modules/pensando.asciidoc[] include::modules/postgresql.asciidoc[] include::modules/rabbitmq.asciidoc[] -include::modules/radware.asciidoc[] include::modules/redis.asciidoc[] include::modules/salesforce.asciidoc[] include::modules/santa.asciidoc[] diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index d3170f9f460..a775589a1c5 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -1479,27 +1479,6 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: ["/var/log/rabbitmq/rabbit@localhost.log*"] -#-------------------------- Radware DefensePro Module -------------------------- -- module: radware - defensepro: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9518 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - #-------------------------------- Redis Module -------------------------------- #- module: redis # Main logs diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index 77019a3d5d4..22e719ca3c9 100644 --- a/x-pack/filebeat/include/list.go +++ b/x-pack/filebeat/include/list.go @@ -43,7 +43,6 @@ import ( _ "github.com/elastic/beats/v7/x-pack/filebeat/module/oracle" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/panw" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/rabbitmq" - _ "github.com/elastic/beats/v7/x-pack/filebeat/module/radware" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/salesforce" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/snort" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/snyk" diff --git a/x-pack/filebeat/module/radware/README.md b/x-pack/filebeat/module/radware/README.md deleted file mode 100644 index d85f315d23f..00000000000 --- a/x-pack/filebeat/module/radware/README.md +++ /dev/null @@ -1,7 +0,0 @@ -# radware module - -This is a module for Radware DefensePro logs. - -Autogenerated from RSA NetWitness log parser 2.0 XML radwaredp version 114 -at 2020-07-13 17:55:41.342523 +0000 UTC. - 
diff --git a/x-pack/filebeat/module/radware/_meta/config.yml b/x-pack/filebeat/module/radware/_meta/config.yml deleted file mode 100644 index 5341bf6064f..00000000000 --- a/x-pack/filebeat/module/radware/_meta/config.yml +++ /dev/null @@ -1,19 +0,0 @@ -- module: radware - defensepro: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9518 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local diff --git a/x-pack/filebeat/module/radware/_meta/docs.asciidoc b/x-pack/filebeat/module/radware/_meta/docs.asciidoc deleted file mode 100644 index 834586f8535..00000000000 --- a/x-pack/filebeat/module/radware/_meta/docs.asciidoc +++ /dev/null 
@@ -1,70 +0,0 @@ -[role="xpack"] - -:modulename: radware -:has-dashboards: false - -== Radware module - -deprecated::[8.12.0,"This module is deprecated. See <> for migration options."] - -experimental[] - -include::{libbeat-dir}/shared/integration-link.asciidoc[] - -This is a module for receiving Radware DefensePro logs over Syslog or a file. - -include::../include/gs-link.asciidoc[] - -include::../include/configuring-intro.asciidoc[] - -:fileset_ex: defensepro - -include::../include/config-option-intro.asciidoc[] - -[float] -==== `defensepro` fileset settings - -experimental[] - -NOTE: This was converted from RSA NetWitness log parser XML "radwaredp" device revision 114. - -*`var.input`*:: - -The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. - -*`var.syslog_host`*:: - -The address to listen to UDP or TCP based syslog traffic. -Defaults to `localhost`. -Set to `0.0.0.0` to bind to all available interfaces. - -*`var.syslog_port`*:: - -The port to listen for syslog traffic. Defaults to `9518` - -NOTE: Ports below 1024 require Filebeat to run as root. - -*`var.tz_offset`*:: - -By default, datetimes in the logs will be interpreted as relative to -the timezone configured in the host where {beatname_uc} is running. If ingesting -logs from a host on a different timezone, use this field to set the timezone -offset so that datetimes are correctly parsed. Valid values are in the form -±HH:mm, for example, `-07:00` for `UTC-7`. - -*`var.rsa_fields`*:: - -Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be added. - -*`var.keep_raw_fields`*:: - -Flag to control the addition of the raw parser fields to the event. This fields -will be found under `rsa.raw`. The default is false. - -:has-dashboards!: - -:fileset_ex!: - -:modulename!: - 
diff --git a/x-pack/filebeat/module/radware/_meta/fields.yml b/x-pack/filebeat/module/radware/_meta/fields.yml deleted file mode 100644 index 394601bc000..00000000000 --- a/x-pack/filebeat/module/radware/_meta/fields.yml +++ /dev/null @@ -1,5 +0,0 @@ -- key: radware - title: Radware DefensePro - description: > - radware fields. - fields: diff --git a/x-pack/filebeat/module/radware/defensepro/_meta/fields.yml b/x-pack/filebeat/module/radware/defensepro/_meta/fields.yml deleted file mode 100644 index 08a34153c4f..00000000000 --- a/x-pack/filebeat/module/radware/defensepro/_meta/fields.yml +++ /dev/null 
@@ -1,2635 +0,0 @@ -- name: network.interface.name - overwrite: true - type: keyword - description: > - Name of the network interface where the traffic has been observed. -- name: rsa - overwrite: true - type: group - fields: - - name: internal - overwrite: true - type: group - fields: - - name: msg - overwrite: true - type: keyword - description: This key is used to capture the raw message that comes into the - Log Decoder - - name: messageid - overwrite: true - type: keyword - - name: event_desc - overwrite: true - type: keyword - - name: message - overwrite: true - type: keyword - description: This key captures the contents of instant messages - - name: time - overwrite: true - type: date - description: This is the time at which a session hits a NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness. - - name: level - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: msg_id - overwrite: true - type: keyword - description: This is the Message ID1 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: msg_vid - overwrite: true - type: keyword - description: This is the Message ID2 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: data - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: resource - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: statement - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: entry - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: inode - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: resource_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: dead - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - overwrite: true - type: keyword - description: This is used to capture the description of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: feed_name - overwrite: true - type: keyword - description: This is used to capture the name of the feed. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: cid - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_class - overwrite: true - type: keyword - description: This is the Classification of the Log Event Source under a predefined - fixed set of Event Source Classifications. 
This key should never be used to - parse Meta data from a session (Logs/Packets) Directly, this is a Reserved - key in NetWitness - - name: device_group - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - overwrite: true - type: keyword - description: This is the Hostname of the log Event Source sending the logs to - NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - overwrite: true - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - overwrite: true - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - overwrite: true - type: keyword - description: This is the name of the log parser which parsed a given session. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_type_id - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: did - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. 
- This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: entropy_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: entropy_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: event_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - overwrite: true - type: keyword - description: This is used to capture the category of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: forward_ip - overwrite: true - type: ip - description: This key should be used to capture the IPV4 address of a relay - system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - overwrite: true - type: ip - description: This key is used to capture the IPV6 address of a relay system - which forwarded the events from the original system to NetWitness. This key - should never be used to parse Meta data from a session (Logs/Packets) Directly, - this is a Reserved key in NetWitness - - name: header_id - overwrite: true - type: keyword - description: This is the Header ID value that identifies the exact log parser - header definition that parses a particular log session. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: lc_cid - overwrite: true - type: keyword - description: This is a unique Identifier of a Log Collector. 
This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: lc_ctime - overwrite: true - type: date - description: This is the time at which a log is collected in a NetWitness Log - Collector. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: mcbc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: medium - overwrite: true - type: long - description: "This key is used to identify if it\u2019s a log/packet session\ - \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ - \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ - \ 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: nwe_callback_id - overwrite: true - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - overwrite: true - type: keyword - description: This is a special key that stores any Meta key validation error - found while parsing a log session. This key should never be used to parse - Meta data from a session (Logs/Packets) Directly, this is a Reserved key in - NetWitness - - name: payload_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: payload_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: process_vid_dst - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the target process. - - name: process_vid_src - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the source process. - - name: rid - overwrite: true - type: long - description: This is a special ID of the Remote Session created by NetWitness - Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: session_split - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: size - overwrite: true - type: long - description: This is the size of the session as seen by the NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: sourcefile - overwrite: true - type: keyword - description: This is the name of the log file or PCAPs that can be imported - into NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: ubc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: word - overwrite: true - type: keyword - description: This is used by the Word Parsing technology to capture the first - 5 character of every word in an unparsed log - - name: time - overwrite: true - type: group - fields: - - name: event_time - overwrite: true - type: date - description: This key is used to capture the time mentioned in a raw session - that represents the actual time an event occured in a standard normalized - form - - name: duration_time - overwrite: true - type: double - description: This key is used to capture the normalized duration/lifetime in - seconds. 
- - name: event_time_str - overwrite: true - type: keyword - description: This key is used to capture the incomplete time mentioned in a - session as a string - - name: starttime - overwrite: true - type: date - description: This key is used to capture the Start time mentioned in a session - in a standard form - - name: month - overwrite: true - type: keyword - - name: day - overwrite: true - type: keyword - - name: endtime - overwrite: true - type: date - description: This key is used to capture the End time mentioned in a session - in a standard form - - name: timezone - overwrite: true - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - overwrite: true - type: keyword - description: A text string version of the duration - - name: date - overwrite: true - type: keyword - - name: year - overwrite: true - type: keyword - - name: recorded_time - overwrite: true - type: date - description: The event time as recorded by the system the event is collected - from. The usage scenario is a multi-tier application where the management - layer of the system records it's own timestamp at the time of collection from - its child nodes. Must be in timestamp format. - - name: datetime - overwrite: true - type: keyword - - name: effective_time - overwrite: true - type: date - description: This key is the effective time referenced by an individual event - in a Standard Timestamp format - - name: expire_time - overwrite: true - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - overwrite: true - type: keyword - description: Deprecated, use duration.time - - name: hour - overwrite: true - type: keyword - - name: min - overwrite: true - type: keyword - - name: timestamp - overwrite: true - type: keyword - - name: event_queue_time - overwrite: true - type: date - description: This key is the Time that the event was queued. 
- - name: p_time1 - overwrite: true - type: keyword - - name: tzone - overwrite: true - type: keyword - - name: eventtime - overwrite: true - type: keyword - - name: gmtdate - overwrite: true - type: keyword - - name: gmttime - overwrite: true - type: keyword - - name: p_date - overwrite: true - type: keyword - - name: p_month - overwrite: true - type: keyword - - name: p_time - overwrite: true - type: keyword - - name: p_time2 - overwrite: true - type: keyword - - name: p_year - overwrite: true - type: keyword - - name: expire_time_str - overwrite: true - type: keyword - description: This key is used to capture incomplete timestamp that explicitly - refers to an expiration. - - name: stamp - overwrite: true - type: date - description: Deprecated key defined only in table map. - - name: misc - overwrite: true - type: group - fields: - - name: action - overwrite: true - type: keyword - - name: result - overwrite: true - type: keyword - description: This key is used to capture the outcome/result string value of - an action in a session. - - name: severity - overwrite: true - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - overwrite: true - type: keyword - description: This key captures the event category type as specified by the event - source. - - name: reference_id - overwrite: true - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - overwrite: true - type: keyword - description: This key captures Version of the application or OS which is generating - the event. - - name: disposition - overwrite: true - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - overwrite: true - type: keyword - description: This key is used to capture the outcome/result numeric value of - an action in a session - - name: category - overwrite: true - type: keyword - description: This key is used to capture the category of an event given by the - vendor in the session - - name: obj_name - overwrite: true - type: keyword - description: This is used to capture name of object - - name: obj_type - overwrite: true - type: keyword - description: This is used to capture type of object - - name: event_source - overwrite: true - type: keyword - description: "This key captures Source of the event that\u2019s not a hostname" - - name: log_session_id - overwrite: true - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - overwrite: true - type: keyword - description: This key captures the Group Name value - - name: policy_name - overwrite: true - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - overwrite: true - type: keyword - description: This key captures the Rule Name - - name: context - overwrite: true - type: keyword - description: This key captures Information which adds additional context to - the event. - - name: change_new - overwrite: true - type: keyword - description: "This key is used to capture the new values of the attribute that\u2019\ - s changing in a session" - - name: space - overwrite: true - type: keyword - - name: client - overwrite: true - type: keyword - description: This key is used to capture only the name of the client application - requesting resources of the server. See the user.agent meta key for capture - of the specific user agent identifier or browser identification string. 
- - name: msgIdPart1 - overwrite: true - type: keyword - - name: msgIdPart2 - overwrite: true - type: keyword - - name: change_old - overwrite: true - type: keyword - description: "This key is used to capture the old value of the attribute that\u2019\ - s changing in a session" - - name: operation_id - overwrite: true - type: keyword - description: An alert number or operation number. The values should be unique - and non-repeating. - - name: event_state - overwrite: true - type: keyword - description: This key captures the current state of the object/item referenced - within the event. Describing an on-going event. - - name: group_object - overwrite: true - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - overwrite: true - type: keyword - description: Common use case is the node name within a cluster. The cluster - name is reflected by the host name. - - name: rule - overwrite: true - type: keyword - description: This key captures the Rule number - - name: device_name - overwrite: true - type: keyword - description: 'This is used to capture name of the Device associated with the - node Like: a physical disk, printer, etc' - - name: param - overwrite: true - type: keyword - description: This key is the parameters passed as part of a command or application, - etc. - - name: change_attrib - overwrite: true - type: keyword - description: "This key is used to capture the name of the attribute that\u2019\ - s changing in a session" - - name: event_computer - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - fully qualified domain name in a windows log. 
- - name: reference_id1 - overwrite: true - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - overwrite: true - type: keyword - description: This key captures the Name of the event log - - name: OS - overwrite: true - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - overwrite: true - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - overwrite: true - type: keyword - - name: filter - overwrite: true - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - overwrite: true - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the entity - such as a file or process. Checksum should be used over checksum.src or checksum.dst - when it is unclear whether the entity is a source or target of an action. - - name: event_user - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - combination of domain name and username in a windows log. - - name: virusname - overwrite: true - type: keyword - description: This key captures the name of the virus - - name: content_type - overwrite: true - type: keyword - description: This key is used to capture Content Type only. 
- - name: group_id - overwrite: true - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - overwrite: true - type: keyword - description: This key is used to capture the Policy ID only, this should be - a numeric value, use policy.name otherwise - - name: vsys - overwrite: true - type: keyword - description: This key captures Virtual System Name - - name: connection_id - overwrite: true - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - overwrite: true - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" - or "reference.id1" value but should not be used unless the other two variables - are in play. - - name: sensor - overwrite: true - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS - based devices - - name: sig_id - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - overwrite: true - type: keyword - description: 'This key is used for Physical or logical port connection but does - NOT include a network port. (Example: Printer port name).' - - name: rule_group - overwrite: true - type: keyword - description: This key captures the Rule group name - - name: risk_num - overwrite: true - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - overwrite: true - type: keyword - description: This key captures the Value of the trigger or threshold condition. - - name: log_session_id1 - overwrite: true - type: keyword - description: This key is used to capture a Linked (Related) Session ID from - the session directly - - name: comp_version - overwrite: true - type: keyword - description: This key captures the Version level of a sub-component of a product. 
- - name: content_version - overwrite: true - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - overwrite: true - type: keyword - description: This key is used to capture unique identifier for a device or system - (NOT a Mac address) - - name: risk - overwrite: true - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - overwrite: true - type: keyword - - name: reason - overwrite: true - type: keyword - - name: status - overwrite: true - type: keyword - - name: mail_id - overwrite: true - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - overwrite: true - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - overwrite: true - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - overwrite: true - type: keyword - - name: p_msgid - overwrite: true - type: keyword - - name: data_type - overwrite: true - type: keyword - - name: msgIdPart4 - overwrite: true - type: keyword - - name: error - overwrite: true - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - overwrite: true - type: keyword - - name: listnum - overwrite: true - type: keyword - description: This key is used to capture listname or listnumber, primarily for - collecting access-list - - name: ntype - overwrite: true - type: keyword - - name: observed_val - overwrite: true - type: keyword - description: This key captures the Value observed (from the perspective of the - device generating the log). - - name: policy_value - overwrite: true - type: keyword - description: This key captures the contents of the policy. 
This contains details - about the policy - - name: pool_name - overwrite: true - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - overwrite: true - type: keyword - description: A default set of parameters which are overlayed onto a rule (or - rulename) which efffectively constitutes a template - - name: count - overwrite: true - type: keyword - - name: number - overwrite: true - type: keyword - - name: sigcat - overwrite: true - type: keyword - - name: type - overwrite: true - type: keyword - - name: comments - overwrite: true - type: keyword - description: Comment information provided in the log message - - name: doc_number - overwrite: true - type: long - description: This key captures File Identification number - - name: expected_val - overwrite: true - type: keyword - description: This key captures the Value expected (from the perspective of the - device generating the log). - - name: job_num - overwrite: true - type: keyword - description: This key captures the Job Number - - name: spi_dst - overwrite: true - type: keyword - description: Destination SPI Index - - name: spi_src - overwrite: true - type: keyword - description: Source SPI Index - - name: code - overwrite: true - type: keyword - - name: agent_id - overwrite: true - type: keyword - description: This key is used to capture agent id - - name: message_body - overwrite: true - type: keyword - description: This key captures the The contents of the message body. - - name: phone - overwrite: true - type: keyword - - name: sig_id_str - overwrite: true - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - overwrite: true - type: keyword - - name: misc - overwrite: true - type: keyword - - name: name - overwrite: true - type: keyword - - name: cpu - overwrite: true - type: long - description: This key is the CPU time used in the execution of the event being - recorded. 
- - name: event_desc - overwrite: true - type: keyword - description: This key is used to capture a description of an event available - directly or inferred - - name: sig_id1 - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID. This must be linked - to the sig.id - - name: im_buddyid - overwrite: true - type: keyword - - name: im_client - overwrite: true - type: keyword - - name: im_userid - overwrite: true - type: keyword - - name: pid - overwrite: true - type: keyword - - name: priority - overwrite: true - type: keyword - - name: context_subject - overwrite: true - type: keyword - description: This key is to be used in an audit context where the subject is - the object being identified - - name: context_target - overwrite: true - type: keyword - - name: cve - overwrite: true - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - - an identifier for known information security vulnerabilities. - - name: fcatnum - overwrite: true - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - overwrite: true - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - overwrite: true - type: keyword - description: This key captures the Parent Node Name. Must be related to node - variable. - - name: risk_info - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - overwrite: true - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - overwrite: true - type: long - description: This key describes the type of service - - name: vm_target - overwrite: true - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace
- overwrite: true
- type: keyword
- description: This key captures Workspace Description
- - name: command
- overwrite: true
- type: keyword
- - name: event_category
- overwrite: true
- type: keyword
- - name: facilityname
- overwrite: true
- type: keyword
- - name: forensic_info
- overwrite: true
- type: keyword
- - name: jobname
- overwrite: true
- type: keyword
- - name: mode
- overwrite: true
- type: keyword
- - name: policy
- overwrite: true
- type: keyword
- - name: policy_waiver
- overwrite: true
- type: keyword
- - name: second
- overwrite: true
- type: keyword
- - name: space1
- overwrite: true
- type: keyword
- - name: subcategory
- overwrite: true
- type: keyword
- - name: tbdstr2
- overwrite: true
- type: keyword
- - name: alert_id
- overwrite: true
- type: keyword
- description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- - name: checksum_dst
- overwrite: true
- type: keyword
- description: This key is used to capture the checksum or hash of the the target
- entity such as a process or file.
- - name: checksum_src
- overwrite: true
- type: keyword
- description: This key is used to capture the checksum or hash of the source
- entity such as a file or process.
- - name: fresult - overwrite: true - type: long - description: This key captures the Filter Result - - name: payload_dst - overwrite: true - type: keyword - description: This key is used to capture destination payload - - name: payload_src - overwrite: true - type: keyword - description: This key is used to capture source payload - - name: pool_id - overwrite: true - type: keyword - description: This key captures the identifier (typically numeric field) of a - resource pool - - name: process_id_val - overwrite: true - type: keyword - description: This key is a failure key for Process ID when it is not an integer - value - - name: risk_num_comm - overwrite: true - type: double - description: This key captures Risk Number Community - - name: risk_num_next - overwrite: true - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - overwrite: true - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - overwrite: true - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - overwrite: true - type: keyword - description: SNMP Object Identifier - - name: sql - overwrite: true - type: keyword - description: This key captures the SQL query - - name: vuln_ref - overwrite: true - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - overwrite: true - type: keyword - - name: acl_op - overwrite: true - type: keyword - - name: acl_pos - overwrite: true - type: keyword - - name: acl_table - overwrite: true - type: keyword - - name: admin - overwrite: true - type: keyword - - name: alarm_id - overwrite: true - type: keyword - - name: alarmname - 
overwrite: true - type: keyword - - name: app_id - overwrite: true - type: keyword - - name: audit - overwrite: true - type: keyword - - name: audit_object - overwrite: true - type: keyword - - name: auditdata - overwrite: true - type: keyword - - name: benchmark - overwrite: true - type: keyword - - name: bypass - overwrite: true - type: keyword - - name: cache - overwrite: true - type: keyword - - name: cache_hit - overwrite: true - type: keyword - - name: cefversion - overwrite: true - type: keyword - - name: cfg_attr - overwrite: true - type: keyword - - name: cfg_obj - overwrite: true - type: keyword - - name: cfg_path - overwrite: true - type: keyword - - name: changes - overwrite: true - type: keyword - - name: client_ip - overwrite: true - type: keyword - - name: clustermembers - overwrite: true - type: keyword - - name: cn_acttimeout - overwrite: true - type: keyword - - name: cn_asn_src - overwrite: true - type: keyword - - name: cn_bgpv4nxthop - overwrite: true - type: keyword - - name: cn_ctr_dst_code - overwrite: true - type: keyword - - name: cn_dst_tos - overwrite: true - type: keyword - - name: cn_dst_vlan - overwrite: true - type: keyword - - name: cn_engine_id - overwrite: true - type: keyword - - name: cn_engine_type - overwrite: true - type: keyword - - name: cn_f_switch - overwrite: true - type: keyword - - name: cn_flowsampid - overwrite: true - type: keyword - - name: cn_flowsampintv - overwrite: true - type: keyword - - name: cn_flowsampmode - overwrite: true - type: keyword - - name: cn_inacttimeout - overwrite: true - type: keyword - - name: cn_inpermbyts - overwrite: true - type: keyword - - name: cn_inpermpckts - overwrite: true - type: keyword - - name: cn_invalid - overwrite: true - type: keyword - - name: cn_ip_proto_ver - overwrite: true - type: keyword - - name: cn_ipv4_ident - overwrite: true - type: keyword - - name: cn_l_switch - overwrite: true - type: keyword - - name: cn_log_did - overwrite: true - type: keyword - - name: 
cn_log_rid - overwrite: true - type: keyword - - name: cn_max_ttl - overwrite: true - type: keyword - - name: cn_maxpcktlen - overwrite: true - type: keyword - - name: cn_min_ttl - overwrite: true - type: keyword - - name: cn_minpcktlen - overwrite: true - type: keyword - - name: cn_mpls_lbl_1 - overwrite: true - type: keyword - - name: cn_mpls_lbl_10 - overwrite: true - type: keyword - - name: cn_mpls_lbl_2 - overwrite: true - type: keyword - - name: cn_mpls_lbl_3 - overwrite: true - type: keyword - - name: cn_mpls_lbl_4 - overwrite: true - type: keyword - - name: cn_mpls_lbl_5 - overwrite: true - type: keyword - - name: cn_mpls_lbl_6 - overwrite: true - type: keyword - - name: cn_mpls_lbl_7 - overwrite: true - type: keyword - - name: cn_mpls_lbl_8 - overwrite: true - type: keyword - - name: cn_mpls_lbl_9 - overwrite: true - type: keyword - - name: cn_mplstoplabel - overwrite: true - type: keyword - - name: cn_mplstoplabip - overwrite: true - type: keyword - - name: cn_mul_dst_byt - overwrite: true - type: keyword - - name: cn_mul_dst_pks - overwrite: true - type: keyword - - name: cn_muligmptype - overwrite: true - type: keyword - - name: cn_sampalgo - overwrite: true - type: keyword - - name: cn_sampint - overwrite: true - type: keyword - - name: cn_seqctr - overwrite: true - type: keyword - - name: cn_spackets - overwrite: true - type: keyword - - name: cn_src_tos - overwrite: true - type: keyword - - name: cn_src_vlan - overwrite: true - type: keyword - - name: cn_sysuptime - overwrite: true - type: keyword - - name: cn_template_id - overwrite: true - type: keyword - - name: cn_totbytsexp - overwrite: true - type: keyword - - name: cn_totflowexp - overwrite: true - type: keyword - - name: cn_totpcktsexp - overwrite: true - type: keyword - - name: cn_unixnanosecs - overwrite: true - type: keyword - - name: cn_v6flowlabel - overwrite: true - type: keyword - - name: cn_v6optheaders - overwrite: true - type: keyword - - name: comp_class - overwrite: true - type: 
keyword - - name: comp_name - overwrite: true - type: keyword - - name: comp_rbytes - overwrite: true - type: keyword - - name: comp_sbytes - overwrite: true - type: keyword - - name: cpu_data - overwrite: true - type: keyword - - name: criticality - overwrite: true - type: keyword - - name: cs_agency_dst - overwrite: true - type: keyword - - name: cs_analyzedby - overwrite: true - type: keyword - - name: cs_av_other - overwrite: true - type: keyword - - name: cs_av_primary - overwrite: true - type: keyword - - name: cs_av_secondary - overwrite: true - type: keyword - - name: cs_bgpv6nxthop - overwrite: true - type: keyword - - name: cs_bit9status - overwrite: true - type: keyword - - name: cs_context - overwrite: true - type: keyword - - name: cs_control - overwrite: true - type: keyword - - name: cs_data - overwrite: true - type: keyword - - name: cs_datecret - overwrite: true - type: keyword - - name: cs_dst_tld - overwrite: true - type: keyword - - name: cs_eth_dst_ven - overwrite: true - type: keyword - - name: cs_eth_src_ven - overwrite: true - type: keyword - - name: cs_event_uuid - overwrite: true - type: keyword - - name: cs_filetype - overwrite: true - type: keyword - - name: cs_fld - overwrite: true - type: keyword - - name: cs_if_desc - overwrite: true - type: keyword - - name: cs_if_name - overwrite: true - type: keyword - - name: cs_ip_next_hop - overwrite: true - type: keyword - - name: cs_ipv4dstpre - overwrite: true - type: keyword - - name: cs_ipv4srcpre - overwrite: true - type: keyword - - name: cs_lifetime - overwrite: true - type: keyword - - name: cs_log_medium - overwrite: true - type: keyword - - name: cs_loginname - overwrite: true - type: keyword - - name: cs_modulescore - overwrite: true - type: keyword - - name: cs_modulesign - overwrite: true - type: keyword - - name: cs_opswatresult - overwrite: true - type: keyword - - name: cs_payload - overwrite: true - type: keyword - - name: cs_registrant - overwrite: true - type: keyword - - 
name: cs_registrar - overwrite: true - type: keyword - - name: cs_represult - overwrite: true - type: keyword - - name: cs_rpayload - overwrite: true - type: keyword - - name: cs_sampler_name - overwrite: true - type: keyword - - name: cs_sourcemodule - overwrite: true - type: keyword - - name: cs_streams - overwrite: true - type: keyword - - name: cs_targetmodule - overwrite: true - type: keyword - - name: cs_v6nxthop - overwrite: true - type: keyword - - name: cs_whois_server - overwrite: true - type: keyword - - name: cs_yararesult - overwrite: true - type: keyword - - name: description - overwrite: true - type: keyword - - name: devvendor - overwrite: true - type: keyword - - name: distance - overwrite: true - type: keyword - - name: dstburb - overwrite: true - type: keyword - - name: edomain - overwrite: true - type: keyword - - name: edomaub - overwrite: true - type: keyword - - name: euid - overwrite: true - type: keyword - - name: facility - overwrite: true - type: keyword - - name: finterface - overwrite: true - type: keyword - - name: flags - overwrite: true - type: keyword - - name: gaddr - overwrite: true - type: keyword - - name: id3 - overwrite: true - type: keyword - - name: im_buddyname - overwrite: true - type: keyword - - name: im_croomid - overwrite: true - type: keyword - - name: im_croomtype - overwrite: true - type: keyword - - name: im_members - overwrite: true - type: keyword - - name: im_username - overwrite: true - type: keyword - - name: ipkt - overwrite: true - type: keyword - - name: ipscat - overwrite: true - type: keyword - - name: ipspri - overwrite: true - type: keyword - - name: latitude - overwrite: true - type: keyword - - name: linenum - overwrite: true - type: keyword - - name: list_name - overwrite: true - type: keyword - - name: load_data - overwrite: true - type: keyword - - name: location_floor - overwrite: true - type: keyword - - name: location_mark - overwrite: true - type: keyword - - name: log_id - overwrite: true - 
type: keyword - - name: log_type - overwrite: true - type: keyword - - name: logid - overwrite: true - type: keyword - - name: logip - overwrite: true - type: keyword - - name: logname - overwrite: true - type: keyword - - name: longitude - overwrite: true - type: keyword - - name: lport - overwrite: true - type: keyword - - name: mbug_data - overwrite: true - type: keyword - - name: misc_name - overwrite: true - type: keyword - - name: msg_type - overwrite: true - type: keyword - - name: msgid - overwrite: true - type: keyword - - name: netsessid - overwrite: true - type: keyword - - name: num - overwrite: true - type: keyword - - name: number1 - overwrite: true - type: keyword - - name: number2 - overwrite: true - type: keyword - - name: nwwn - overwrite: true - type: keyword - - name: object - overwrite: true - type: keyword - - name: operation - overwrite: true - type: keyword - - name: opkt - overwrite: true - type: keyword - - name: orig_from - overwrite: true - type: keyword - - name: owner_id - overwrite: true - type: keyword - - name: p_action - overwrite: true - type: keyword - - name: p_filter - overwrite: true - type: keyword - - name: p_group_object - overwrite: true - type: keyword - - name: p_id - overwrite: true - type: keyword - - name: p_msgid1 - overwrite: true - type: keyword - - name: p_msgid2 - overwrite: true - type: keyword - - name: p_result1 - overwrite: true - type: keyword - - name: password_chg - overwrite: true - type: keyword - - name: password_expire - overwrite: true - type: keyword - - name: permgranted - overwrite: true - type: keyword - - name: permwanted - overwrite: true - type: keyword - - name: pgid - overwrite: true - type: keyword - - name: policyUUID - overwrite: true - type: keyword - - name: prog_asp_num - overwrite: true - type: keyword - - name: program - overwrite: true - type: keyword - - name: real_data - overwrite: true - type: keyword - - name: rec_asp_device - overwrite: true - type: keyword - - name: rec_asp_num 
- overwrite: true - type: keyword - - name: rec_library - overwrite: true - type: keyword - - name: recordnum - overwrite: true - type: keyword - - name: ruid - overwrite: true - type: keyword - - name: sburb - overwrite: true - type: keyword - - name: sdomain_fld - overwrite: true - type: keyword - - name: sec - overwrite: true - type: keyword - - name: sensorname - overwrite: true - type: keyword - - name: seqnum - overwrite: true - type: keyword - - name: session - overwrite: true - type: keyword - - name: sessiontype - overwrite: true - type: keyword - - name: sigUUID - overwrite: true - type: keyword - - name: spi - overwrite: true - type: keyword - - name: srcburb - overwrite: true - type: keyword - - name: srcdom - overwrite: true - type: keyword - - name: srcservice - overwrite: true - type: keyword - - name: state - overwrite: true - type: keyword - - name: status1 - overwrite: true - type: keyword - - name: svcno - overwrite: true - type: keyword - - name: system - overwrite: true - type: keyword - - name: tbdstr1 - overwrite: true - type: keyword - - name: tgtdom - overwrite: true - type: keyword - - name: tgtdomain - overwrite: true - type: keyword - - name: threshold - overwrite: true - type: keyword - - name: type1 - overwrite: true - type: keyword - - name: udb_class - overwrite: true - type: keyword - - name: url_fld - overwrite: true - type: keyword - - name: user_div - overwrite: true - type: keyword - - name: userid - overwrite: true - type: keyword - - name: username_fld - overwrite: true - type: keyword - - name: utcstamp - overwrite: true - type: keyword - - name: v_instafname - overwrite: true - type: keyword - - name: virt_data - overwrite: true - type: keyword - - name: vpnid - overwrite: true - type: keyword - - name: autorun_type - overwrite: true - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - overwrite: true - type: long - description: Valid Credit Card Numbers only - - name: content - 
overwrite: true - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - overwrite: true - type: long - description: Employee Identification Numbers only - - name: found - overwrite: true - type: keyword - description: This is used to capture the results of regex match - - name: language - overwrite: true - type: keyword - description: This is used to capture list of languages the client support and - what it prefers - - name: lifetime - overwrite: true - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - overwrite: true - type: keyword - description: This key is used to link the sessions together. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: match - overwrite: true - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - overwrite: true - type: keyword - description: This key captures the command line/launch argument of the target - process or file - - name: param_src - overwrite: true - type: keyword - description: This key captures source parameter - - name: search_text - overwrite: true - type: keyword - description: This key captures the Search Text used - - name: sig_name - overwrite: true - type: keyword - description: This key is used to capture the Signature Name only. - - name: snmp_value - overwrite: true - type: keyword - description: SNMP set request value - - name: streams - overwrite: true - type: long - description: This key captures number of streams in session - - name: db - overwrite: true - type: group - fields: - - name: index - overwrite: true - type: keyword - description: This key captures IndexID of the index. 
- - name: instance
- overwrite: true
- type: keyword
- description: This key is used to capture the database server instance name
- - name: database
- overwrite: true
- type: keyword
- description: This key is used to capture the name of a database or an instance
- as seen in a session
- - name: transact_id
- overwrite: true
- type: keyword
- description: This key captures the SQL transantion ID of the current session
- - name: permissions
- overwrite: true
- type: keyword
- description: This key captures permission or privilege level assigned to a resource.
- - name: table_name
- overwrite: true
- type: keyword
- description: This key is used to capture the table name
- - name: db_id
- overwrite: true
- type: keyword
- description: This key is used to capture the unique identifier for a database
- - name: db_pid
- overwrite: true
- type: long
- description: This key captures the process id of a connection with database
- server
- - name: lread
- overwrite: true
- type: long
- description: This key is used for the number of logical reads
- - name: lwrite
- overwrite: true
- type: long
- description: This key is used for the number of logical writes
- - name: pread
- overwrite: true
- type: long
- description: This key is used for the number of physical writes
- - name: network
- overwrite: true
- type: group
- fields:
- - name: alias_host
- overwrite: true
- type: keyword
- description: This key should be used when the source or destination context
- of a hostname is not clear.Also it captures the Device Hostname. Any Hostname
- that isnt ad.computer.
- - name: domain
- overwrite: true
- type: keyword
- - name: host_dst
- overwrite: true
- type: keyword
- description: "This key should only be used when it\u2019s a Destination Hostname"
- - name: network_service
- overwrite: true
- type: keyword
- description: This is used to capture layer 7 protocols/service names
- - name: interface
- overwrite: true
- type: keyword
- description: This key should be used when the source or destination context
- of an interface is not clear
- - name: network_port
- overwrite: true
- type: long
- description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
- used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
- - name: eth_host
- overwrite: true
- type: keyword
- description: Deprecated, use alias.mac
- - name: sinterface
- overwrite: true
- type: keyword
- description: "This key should only be used when it\u2019s a Source Interface"
- - name: dinterface
- overwrite: true
- type: keyword
- description: "This key should only be used when it\u2019s a Destination Interface"
- - name: vlan
- overwrite: true
- type: long
- description: This key should only be used to capture the ID of the Virtual LAN
- - name: zone_src
- overwrite: true
- type: keyword
- description: "This key should only be used when it\u2019s a Source Zone."
- - name: zone
- overwrite: true
- type: keyword
- description: This key should be used when the source or destination context
- of a Zone is not clear
- - name: zone_dst
- overwrite: true
- type: keyword
- description: "This key should only be used when it\u2019s a Destination Zone."
- - name: gateway
- overwrite: true
- type: keyword
- description: This key is used to capture the IP Address of the gateway
- - name: icmp_type
- overwrite: true
- type: long
- description: This key is used to capture the ICMP type only
- - name: mask
- overwrite: true
- type: keyword
- description: This key is used to capture the device network IPmask.
- - name: icmp_code - overwrite: true - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - overwrite: true - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - overwrite: true - type: keyword - description: This key is used for Destionation Device network mask - - name: port - overwrite: true - type: long - description: This key should only be used to capture a Network Port when the - directionality is not clear - - name: smask - overwrite: true - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - overwrite: true - type: keyword - description: This key is used to capture the network name associated with an - IP range. This is configured by the end user. - - name: paddr - overwrite: true - type: ip - description: Deprecated - - name: faddr - overwrite: true - type: keyword - - name: lhost - overwrite: true - type: keyword - - name: origin - overwrite: true - type: keyword - - name: remote_domain_id - overwrite: true - type: keyword - - name: addr - overwrite: true - type: keyword - - name: dns_a_record - overwrite: true - type: keyword - - name: dns_ptr_record - overwrite: true - type: keyword - - name: fhost - overwrite: true - type: keyword - - name: fport - overwrite: true - type: keyword - - name: laddr - overwrite: true - type: keyword - - name: linterface - overwrite: true - type: keyword - - name: phost - overwrite: true - type: keyword - - name: ad_computer_dst - overwrite: true - type: keyword - description: Deprecated, use host.dst - - name: eth_type - overwrite: true - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols - Only - - name: ip_proto - overwrite: true - type: long - description: This key should be used to capture the Protocol number, all the - protocol nubers are converted into string in UI - - name: dns_cname_record - overwrite: true - 
type: keyword - - name: dns_id - overwrite: true - type: keyword - - name: dns_opcode - overwrite: true - type: keyword - - name: dns_resp - overwrite: true - type: keyword - - name: dns_type - overwrite: true - type: keyword - - name: domain1 - overwrite: true - type: keyword - - name: host_type - overwrite: true - type: keyword - - name: packet_length - overwrite: true - type: keyword - - name: host_orig - overwrite: true - type: keyword - description: This is used to capture the original hostname in case of a Forwarding - Agent or a Proxy in between. - - name: rpayload - overwrite: true - type: keyword - description: This key is used to capture the total number of payload bytes seen - in the retransmitted packets. - - name: vlan_name - overwrite: true - type: keyword - description: This key should only be used to capture the name of the Virtual - LAN - - name: investigations - overwrite: true - type: group - fields: - - name: ec_activity - overwrite: true - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - overwrite: true - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - overwrite: true - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - overwrite: true - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - overwrite: true - type: long - description: This key captures the Event category number - - name: event_cat_name - overwrite: true - type: keyword - description: This key captures the event category name corresponding to the - event cat code - - name: event_vcat - overwrite: true - type: keyword - description: This is a vendor supplied category. This should be used in situations - where the vendor has adopted their own event_category taxonomy. 
- - name: analysis_file - overwrite: true - type: keyword - description: This is used to capture all indicators used in a File Analysis. - This key should be used to capture an analysis of a file - - name: analysis_service - overwrite: true - type: keyword - description: This is used to capture all indicators used in a Service Analysis. - This key should be used to capture an analysis of a service - - name: analysis_session - overwrite: true - type: keyword - description: This is used to capture all indicators used for a Session Analysis. - This key should be used to capture an analysis of a session - - name: boc - overwrite: true - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - overwrite: true - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - overwrite: true - type: keyword - description: This used to capture investigation category - - name: inv_context - overwrite: true - type: keyword - description: This used to capture investigation context - - name: ioc - overwrite: true - type: keyword - description: This is key capture indicator of compromise - - name: counters - overwrite: true - type: group - fields: - - name: dclass_c1 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c1.str only - - name: dclass_c2 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c2.str only - - name: event_counter - overwrite: true - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r1.str only - - name: dclass_c3 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c3.str only - - name: dclass_c1_str - 
overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c1 only - - name: dclass_c2_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c2 only - - name: dclass_r1_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r1 only - - name: dclass_r2 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r2.str only - - name: dclass_c3_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c3 only - - name: dclass_r3 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r3.str only - - name: dclass_r2_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r2 only - - name: dclass_r3_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r3 only - - name: identity - overwrite: true - type: group - fields: - - name: auth_method - overwrite: true - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - overwrite: true - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - overwrite: true - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - overwrite: true - type: keyword - description: This key is used to capture the type of logon method used. 
- - name: profile
- overwrite: true
- type: keyword
- description: This key is used to capture the user profile
- - name: accesses
- overwrite: true
- type: keyword
- description: This key is used to capture actual privileges used in accessing
- an object
- - name: realm
- overwrite: true
- type: keyword
- description: Radius realm or similar grouping of accounts
- - name: user_sid_dst
- overwrite: true
- type: keyword
- description: This key captures Destination User Session ID
- - name: dn_src
- overwrite: true
- type: keyword
- description: An X.500 (LDAP) Distinguished name that is used in a context that
- indicates a Source dn
- - name: org
- overwrite: true
- type: keyword
- description: This key captures the User organization
- - name: dn_dst
- overwrite: true
- type: keyword
- description: An X.500 (LDAP) Distinguished name that used in a context that
- indicates a Destination dn
- - name: firstname
- overwrite: true
- type: keyword
- description: This key is for First Names only, this is used for Healthcare predominantly
- to capture Patients information
- - name: lastname
- overwrite: true
- type: keyword
- description: This key is for Last Names only, this is used for Healthcare predominantly
- to capture Patients information
- - name: user_dept
- overwrite: true
- type: keyword
- description: User's Department Names only
- - name: user_sid_src
- overwrite: true
- type: keyword
- description: This key captures Source User Session ID
- - name: federated_sp
- overwrite: true
- type: keyword
- description: This key is the Federated Service Provider. This is the application
- requesting authentication.
- - name: federated_idp
- overwrite: true
- type: keyword
- description: This key is the federated Identity Provider. This is the server
- providing the authentication.
- - name: logon_type_desc
- overwrite: true
- type: keyword
- description: This key is used to capture the textual description of an integer
- logon type as stored in the meta key 'logon.type'.
- - name: middlename
- overwrite: true
- type: keyword
- description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information
- - name: password
- overwrite: true
- type: keyword
- description: This key is for Passwords seen in any session, plain text or encrypted
- - name: host_role
- overwrite: true
- type: keyword
- description: This key should only be used to capture the role of a Host Machine
- - name: ldap
- overwrite: true
- type: keyword
- description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
- t have a clear query or response context"
- - name: ldap_query
- overwrite: true
- type: keyword
- description: This key is the Search criteria from an LDAP search
- - name: ldap_response
- overwrite: true
- type: keyword
- description: This key is to capture Results from an LDAP search
- - name: owner
- overwrite: true
- type: keyword
- description: This is used to capture username the process or service is running - as, the author of the task
- - name: service_account
- overwrite: true
- type: keyword
- description: This key is a windows specific key, used for capturing name of - the account a service (referenced in the event) is running under. Legacy Usage
- - name: email
- overwrite: true
- type: group
- fields:
- - name: email_dst
- overwrite: true
- type: keyword
- description: This key is used to capture the Destination email address only, - when the destination context is not clear use email
- - name: email_src
- overwrite: true
- type: keyword
- description: This key is used to capture the source email address only, when - the source context is not clear use email
- - name: subject
- overwrite: true
- type: keyword
- description: This key is used to capture the subject string from an Email only.
- - name: email
- overwrite: true
- type: keyword
- description: This key is used to capture a generic email address where the source - or destination context is not clear
- - name: trans_from
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: trans_to
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: file
- overwrite: true
- type: group
- fields:
- - name: privilege
- overwrite: true
- type: keyword
- description: Deprecated, use permissions
- - name: attachment
- overwrite: true
- type: keyword
- description: This key captures the attachment file name
- - name: filesystem
- overwrite: true
- type: keyword
- - name: binary
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: filename_dst
- overwrite: true
- type: keyword
- description: This is used to capture name of the file targeted by the action
- - name: filename_src
- overwrite: true
- type: keyword
- description: This is used to capture name of the parent filename, the file which - performed the action
- - name: filename_tmp
- overwrite: true
- type: keyword
- - name: directory_dst
- overwrite: true
- type: keyword
- description: This key is used to capture the directory of the target process - or file
- - name: directory_src
- overwrite: true
- type: keyword
- description: This key is used to capture the directory of the source process - or file
- - name: file_entropy
- overwrite: true
- type: double
- description: This is used to capture entropy vale of a file
- - name: file_vendor
- overwrite: true
- type: keyword
- description: This is used to capture Company name of file located in version_info
- - name: task_name
- overwrite: true
- type: keyword
- description: This is used to capture name of the task
- - name: web
- overwrite: true
- type: group
- fields:
- - name: fqdn
- overwrite: true
- type: keyword
- description: Fully Qualified Domain Names
- -
name: web_cookie
- overwrite: true
- type: keyword
- description: This key is used to capture the Web cookies specifically.
- - name: alias_host
- overwrite: true
- type: keyword
- - name: reputation_num
- overwrite: true
- type: double
- description: Reputation Number of an entity. Typically used for Web Domains
- - name: web_ref_domain
- overwrite: true
- type: keyword
- description: Web referer's domain
- - name: web_ref_query
- overwrite: true
- type: keyword
- description: This key captures Web referer's query portion of the URL
- - name: remote_domain
- overwrite: true
- type: keyword
- - name: web_ref_page
- overwrite: true
- type: keyword
- description: This key captures Web referer's page information
- - name: web_ref_root
- overwrite: true
- type: keyword
- description: Web referer's root URL path
- - name: cn_asn_dst
- overwrite: true
- type: keyword
- - name: cn_rpackets
- overwrite: true
- type: keyword
- - name: urlpage
- overwrite: true
- type: keyword
- - name: urlroot
- overwrite: true
- type: keyword
- - name: p_url
- overwrite: true
- type: keyword
- - name: p_user_agent
- overwrite: true
- type: keyword
- - name: p_web_cookie
- overwrite: true
- type: keyword
- - name: p_web_method
- overwrite: true
- type: keyword
- - name: p_web_referer
- overwrite: true
- type: keyword
- - name: web_extension_tmp
- overwrite: true
- type: keyword
- - name: web_page
- overwrite: true
- type: keyword
- - name: threat
- overwrite: true
- type: group
- fields:
- - name: threat_category
- overwrite: true
- type: keyword
- description: This key captures Threat Name/Threat Category/Categorization of - alert
- - name: threat_desc
- overwrite: true
- type: keyword
- description: This key is used to capture the threat description from the session - directly or inferred
- - name: alert
- overwrite: true
- type: keyword
- description: This key is used to capture name of the alert
- - name: threat_source
- overwrite: true
- type: keyword
- description: This key is used to
capture source of the threat
- - name: crypto
- overwrite: true
- type: group
- fields:
- - name: crypto
- overwrite: true
- type: keyword
- description: This key is used to capture the Encryption Type or Encryption Key - only
- - name: cipher_src
- overwrite: true
- type: keyword
- description: This key is for Source (Client) Cipher
- - name: cert_subject
- overwrite: true
- type: keyword
- description: This key is used to capture the Certificate organization only
- - name: peer
- overwrite: true
- type: keyword
- description: This key is for Encryption peer's IP Address
- - name: cipher_size_src
- overwrite: true
- type: long
- description: This key captures Source (Client) Cipher Size
- - name: ike
- overwrite: true
- type: keyword
- description: IKE negotiation phase.
- - name: scheme
- overwrite: true
- type: keyword
- description: This key captures the Encryption scheme used
- - name: peer_id
- overwrite: true
- type: keyword
- description: "This key is for Encryption peer\u2019s identity"
- - name: sig_type
- overwrite: true
- type: keyword
- description: This key captures the Signature Type
- - name: cert_issuer
- overwrite: true
- type: keyword
- - name: cert_host_name
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: cert_error
- overwrite: true
- type: keyword
- description: This key captures the Certificate Error String
- - name: cipher_dst
- overwrite: true
- type: keyword
- description: This key is for Destination (Server) Cipher
- - name: cipher_size_dst
- overwrite: true
- type: long
- description: This key captures Destination (Server) Cipher Size
- - name: ssl_ver_src
- overwrite: true
- type: keyword
- description: Deprecated, use version
- - name: d_certauth
- overwrite: true
- type: keyword
- - name: s_certauth
- overwrite: true
- type: keyword
- - name: ike_cookie1
- overwrite: true
- type: keyword
- description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
- - name: ike_cookie2
- overwrite: true
- type: keyword
- description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
- - name: cert_checksum
- overwrite: true
- type: keyword
- - name: cert_host_cat
- overwrite: true
- type: keyword
- description: This key is used for the hostname category value of a certificate
- - name: cert_serial
- overwrite: true
- type: keyword
- description: This key is used to capture the Certificate serial number only
- - name: cert_status
- overwrite: true
- type: keyword
- description: This key captures Certificate validation status
- - name: ssl_ver_dst
- overwrite: true
- type: keyword
- description: Deprecated, use version
- - name: cert_keysize
- overwrite: true
- type: keyword
- - name: cert_username
- overwrite: true
- type: keyword
- - name: https_insact
- overwrite: true
- type: keyword
- - name: https_valid
- overwrite: true
- type: keyword
- - name: cert_ca
- overwrite: true
- type: keyword
- description: This key is used to capture the Certificate signing authority only
- - name: cert_common
- overwrite: true
- type: keyword
- description: This key is used to capture the Certificate common name only
- - name: wireless
- overwrite: true
- type: group
- fields:
- - name: wlan_ssid
- overwrite: true
- type: keyword
- description: This key is
used to capture the ssid of a Wireless Session
- - name: access_point
- overwrite: true
- type: keyword
- description: This key is used to capture the access point name.
- - name: wlan_channel
- overwrite: true
- type: long
- description: This is used to capture the channel names
- - name: wlan_name
- overwrite: true
- type: keyword
- description: This key captures either WLAN number/name
- - name: storage
- overwrite: true
- type: group
- fields:
- - name: disk_volume
- overwrite: true
- type: keyword
- description: A unique name assigned to logical units (volumes) within a physical - disk
- - name: lun
- overwrite: true
- type: keyword
- description: Logical Unit Number.This key is a very useful concept in Storage.
- - name: pwwn
- overwrite: true
- type: keyword
- description: This uniquely identifies a port on a HBA.
- - name: physical
- overwrite: true
- type: group
- fields:
- - name: org_dst
- overwrite: true
- type: keyword
- description: This is used to capture the destination organization based on the - GEOPIP Maxmind database.
- - name: org_src
- overwrite: true
- type: keyword
- description: This is used to capture the source organization based on the GEOPIP - Maxmind database.
- - name: healthcare
- overwrite: true
- type: group
- fields:
- - name: patient_fname
- overwrite: true
- type: keyword
- description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information
- - name: patient_id
- overwrite: true
- type: keyword
- description: This key captures the unique ID for a patient
- - name: patient_lname
- overwrite: true
- type: keyword
- description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information
- - name: patient_mname
- overwrite: true
- type: keyword
- description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information
- - name: endpoint
- overwrite: true
- type: group
- fields:
- - name: host_state
- overwrite: true
- type: keyword
- description: This key is used to capture the current state of the machine, such - as blacklisted, infected, firewall - disabled and so on
- - name: registry_key
- overwrite: true
- type: keyword
- description: This key captures the path to the registry key
- - name: registry_value
- overwrite: true
- type: keyword
- description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/radware/defensepro/config/input.yml b/x-pack/filebeat/module/radware/defensepro/config/input.yml
deleted file mode 100644
index 929b596bbd9..00000000000
--- a/x-pack/filebeat/module/radware/defensepro/config/input.yml
+++ /dev/null
@@ -1,87 +0,0 @@
-{{ if eq .input "file" }}
-
-type: log
-paths:
- {{ range $i, $path := .paths }}
-- {{$path}}
- {{ end }}
-exclude_files: [".gz$"]
-
-{{ else }}
-
-type: {{.input}}
-host: "{{.syslog_host}}:{{.syslog_port}}"
-
-{{ end }}
-
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
-
-fields_under_root: true
-fields:
- observer:
- vendor: "Radware"
- product: "DefensePro"
- type: "IDS"
-
-processors:
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{.rsa_fields}}
- tz_offset: {{.tz_offset}}
- keep_raw: {{.keep_raw_fields}}
- debug: {{.debug}}
- files:
- - ${path.home}/module/radware/defensepro/config/liblogparser.js
- - ${path.home}/module/radware/defensepro/config/pipeline.js
-{{ if .community_id }}
-- community_id: ~
-{{ end }}
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: dns.question.name
- target_field: dns.question.registered_domain
- target_subdomain_field: dns.question.subdomain
- target_etld_field: dns.question.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: client.domain
- target_field: client.registered_domain
- target_subdomain_field: client.subdomain
- target_etld_field: client.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: server.domain
- target_field: server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
-
ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/radware/defensepro/config/liblogparser.js b/x-pack/filebeat/module/radware/defensepro/config/liblogparser.js
deleted file mode 100644
index b35eaa3ddce..00000000000
--- a/x-pack/filebeat/module/radware/defensepro/config/liblogparser.js
+++ /dev/null
@@ -1,2514 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -/* jshint -W014,-W016,-W097,-W116 */ - -var processor = require("processor"); -var console = require("console"); - -var FLAG_FIELD = "log.flags"; -var FIELDS_OBJECT = "nwparser"; -var FIELDS_PREFIX = FIELDS_OBJECT + "."; - -var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true -}; - -var saved_flags = null; -var debug; -var map_ecs; -var map_rsa; -var keep_raw; -var device; -var tz_offset; -var strip_priority; - -// Register params from configuration. -function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); -} - -function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } -} - -function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); -} - -function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); -} - -function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; -} - -function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; -} - -function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; -} - -var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); -})(); - -function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; -} - -function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } -} - -function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; -} - -function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; -} - -function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; -} - -function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; -} - -var start; - -function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); -} - -function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); -} - -function constant(value) { - return function (evt) { - return value; - }; -} - -function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; -} - -function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; -} - -// TODO: Implement -function DIRCHK(args) { - unimplemented("DIRCHK"); -} - -function strictToInt(str) { - return str * 1; -} - -function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - var result; - switch 
(args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; -} - -var quoteChars = "\"'`"; -function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; -} - -function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; -} - -function nop(evt) { -} - -function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); -} - -function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); -} - -function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; -} - -function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); -} - -function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; -} - -function setc(dst, value) { - return function (evt) { - evt.Put(FIELDS_PREFIX + dst, value); - }; 
-} - -function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; -} - -function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; -} - -function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; -} - -function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; -} - -// Make two-digit dates 00-69 interpreted as 2000-2069 -// and dates 70-99 translated to 1970-1999. -var twoDigitYearEpoch = 70; -var twoDigitYearCentury = 2000; - -// This is to accept dates up to 2 days in the future, only used when -// no year is specified in a date. 2 days should be enough to account for -// time differences between systems and different tz offsets. -var maxFutureDelta = 2*24*60*60*1000; - -// DateContainer stores date fields and then converts those fields into -// a Date. Necessary because building a Date using its set() methods gives -// different results depending on the order of components. -function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; -} - -DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } -} - -function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; -} - -function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; -} - -function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; -} - -var uA = 60 * 60 * 24; -var uD = 60 * 60 * 24; -var uF = 60 * 60; -var uG = 60 * 60 * 24 * 30; -var uH = 60 * 60; -var uI = 60 * 60; -var uJ = 60 * 60 * 24; -var uM = 60 * 60 * 24 * 30; -var uN = 60 * 60; -var uO = 1; -var uS = 1; -var uT = 60; -var uU = 60; -var uc = dc; - -function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; -} - -function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 5], - "dec": [11, 4], 
-}; - -// var dC = undefined; -var dR = dateMonthName(true); -var dB = dateMonthName(false); -var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); -var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); -var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); -var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); -var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); -var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 -var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); -var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); -var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); -var dP = parseAMPM; // AM|PM -var dQ = parseAMPM; // A.M.|P.M -var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); -var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); -var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); -var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); -var dZ = parseHMS; -var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - -// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. -// Only works if this modifier appears after the hour has been read from logs -// which is always the case in the 300 devices. 
-function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; -} - -function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); -} - -function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; -} - -function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; -} - -function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; -} - -function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; -} - -function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; -} - -// Short month name (Jan..Dec). -function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; -} - -function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; -} - -// The following regular expression for parsing URLs from: -// https://github.com/wizard04wsu/URI_Parsing -// -// The MIT License (MIT) -// -// Copyright (c) 2014 Andrew Harrison -// -// Permission is hereby granted, free of charge, to any person obtaining a copy of -// this software and associated documentation files (the "Software"), to deal in -// the Software without restriction, including without limitation the rights to -// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -// the Software, and to permit persons to whom the Software is furnished to do so, -// subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
-var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - -var uriScheme = 1; -var uriDomain = 5; -var uriPort = 6; -var uriPath = 7; -var uriPathAlt = 9; -var uriQuery = 11; - -function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); -} - -function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; -} - -function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; -} - -var extFromPage = /\.[^.]+$/; -function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } -} - -function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); -} - -function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); -} - -var pageFromPathRegExp = /\/([^\/]+)$/; -var pageName = 1; - -function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; -} - -function page(dst, src) { - return url_wrapper(dst, src, extract_page); -} - -function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; -} - -function path(dst, src) { - return url_wrapper(dst, src, extract_path); -} - -// Map common schemes to their default port. -// port has to be a string (will be converted at a later stage). 
-var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", -}; - -function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } -} - -function port(dst, src) { - return url_wrapper(dst, src, extract_port); -} - -function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; -} - -function query(dst, src) { - return url_wrapper(dst, src, extract_query); -} - -function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } -} - -function root(dst, src) { - return url_wrapper(dst, src, extract_root); -} - -function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } -} - -var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, -}; - -var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, 
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, -}; - -function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } -} - -// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. -var maxSafeInt = Math.pow(2, 53) - 1; -var minSafeInt = -maxSafeInt; - -function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; -} - -function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); -} - -var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; -var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - -function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; -} - -function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; -} - -function to_double(value) { - return parseFloat(value); -} - -function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; -} - -function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; -} - -function fld_set(dst, value) { - dst[this.field] = { v: value }; -} - -function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } -} - -function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } -} - -var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true -}; - -function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } -} - -function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } -} - -function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); -} - -var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, -]; - -function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - tzOffset = 
evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{fld2->} %{severity->} %{id->} %{category->} \"%{event_type}\" %{protocol->} %{p0}"); - -var dup2 = match("MESSAGE#0:Intrusions:01/1_0", "nwparser.p0", "%{saddr}:%{p0}"); - -var dup3 = match("MESSAGE#0:Intrusions:01/1_1", "nwparser.p0", "%{saddr->} %{p0}"); - -var dup4 = match("MESSAGE#0:Intrusions:01/2", "nwparser.p0", "%{sport->} %{p0}"); - -var dup5 = match("MESSAGE#0:Intrusions:01/3_0", "nwparser.p0", "%{daddr}:%{p0}"); - -var dup6 = match("MESSAGE#0:Intrusions:01/3_1", "nwparser.p0", "%{daddr->} %{p0}"); - -var dup7 = match("MESSAGE#0:Intrusions:01/4", "nwparser.p0", "%{dport->} %{interface->} %{context->} \"%{policyname}\" %{event_state->} %{packets->} %{dclass_counter1->} %{vlan->} %{fld15->} %{fld16->} %{risk->} %{p0}"); - -var dup8 = match("MESSAGE#0:Intrusions:01/5_0", "nwparser.p0", "%{action->} %{sigid_string}"); - -var dup9 = match_copy("MESSAGE#0:Intrusions:01/5_1", "nwparser.p0", "action"); - -var dup10 = setc("eventcategory","1001000000"); - -var dup11 = setc("ec_theme","TEV"); - -var dup12 = setf("msg","$MSG"); - -var dup13 = date_time({ - dest: "event_time", - args: ["fld1","fld2"], - fmts: [ - [dF,dc("-"),dG,dc("-"),dW,dN,dc(":"),dU,dc(":"),dO], - ], -}); - -var dup14 = setc("dclass_counter1_string","Bandwidth in Kbps"); - -var dup15 = match("MESSAGE#1:Intrusions:02/0", "nwparser.payload", "%{id->} %{category->} \\\"%{event_type}\\\" %{protocol->} %{p0}"); - -var dup16 = match("MESSAGE#1:Intrusions:02/4", "nwparser.p0", "%{dport->} %{interface->} %{context->} \\\"%{policyname}\\\" %{event_state->} %{packets->} %{dclass_counter1->} %{fld1->} %{risk->} %{action->} %{vlan->} %{fld15->} %{fld16->} %{direction}"); - -var dup17 = setc("eventcategory","1002000000"); - -var dup18 = setc("ec_subject","NetworkComm"); - -var dup19 = setc("ec_activity","Scan"); - -var dup20 = setc("eventcategory","1401000000"); - -var dup21 = setc("ec_subject","User"); - -var 
dup22 = setc("ec_theme","ALM"); - -var dup23 = setc("ec_activity","Modify"); - -var dup24 = setc("ec_theme","Configuration"); - -var dup25 = setc("eventcategory","1612000000"); - -var dup26 = match("MESSAGE#22:Login:04/1_0", "nwparser.p0", "for user%{p0}"); - -var dup27 = match("MESSAGE#22:Login:04/1_1", "nwparser.p0", "user%{p0}"); - -var dup28 = match("MESSAGE#22:Login:04/2", "nwparser.p0", "%{} %{username->} via %{network_service->} (IP: %{saddr})%{p0}"); - -var dup29 = match("MESSAGE#22:Login:04/3_0", "nwparser.p0", ": %{result}"); - -var dup30 = match_copy("MESSAGE#22:Login:04/3_1", "nwparser.p0", "result"); - -var dup31 = setc("eventcategory","1401030000"); - -var dup32 = setc("ec_activity","Logon"); - -var dup33 = setc("ec_theme","Authentication"); - -var dup34 = setc("ec_outcome","Failure"); - -var dup35 = setc("event_description","Login Failed"); - -var dup36 = setc("ec_outcome","Error"); - -var dup37 = setc("eventcategory","1603000000"); - -var dup38 = setc("ec_theme","AccessControl"); - -var dup39 = setc("eventcategory","1401060000"); - -var dup40 = setc("ec_outcome","Success"); - -var dup41 = setc("event_description","User logged in"); - -var dup42 = linear_select([ - dup2, - dup3, -]); - -var dup43 = linear_select([ - dup5, - dup6, -]); - -var dup44 = linear_select([ - dup8, - dup9, -]); - -var dup45 = linear_select([ - dup26, - dup27, -]); - -var dup46 = linear_select([ - dup29, - dup30, -]); - -var dup47 = all_match({ - processors: [ - dup1, - dup42, - dup4, - dup43, - dup7, - dup44, - ], - on_success: processor_chain([ - dup10, - dup11, - dup12, - dup13, - dup14, - ]), -}); - -var dup48 = all_match({ - processors: [ - dup15, - dup42, - dup4, - dup43, - dup16, - ], - on_success: processor_chain([ - dup10, - dup11, - dup12, - dup14, - ]), -}); - -var dup49 = all_match({ - processors: [ - dup1, - dup42, - dup4, - dup43, - dup7, - dup44, - ], - on_success: processor_chain([ - dup17, - dup11, - dup12, - dup13, - dup14, - ]), -}); - -var dup50 = 
all_match({ - processors: [ - dup15, - dup42, - dup4, - dup43, - dup16, - ], - on_success: processor_chain([ - dup17, - dup11, - dup12, - dup14, - ]), -}); - -var hdr1 = match("HEADER#0:0001", "message", "%DefensePro %{hfld1->} %{hfld2->} %{hfld3->} %{messageid->} \\\"%{hfld4}\\\" %{p0}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld3"), - constant(" "), - field("messageid"), - constant(" \\\""), - field("hfld4"), - constant("\\\" "), - field("p0"), - ], - }), -])); - -var hdr2 = match("HEADER#1:0002", "message", "%DefensePro %{messageid->} %{p0}", processor_chain([ - setc("header_id","0002"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" "), - field("p0"), - ], - }), -])); - -var hdr3 = match("HEADER#2:0003", "message", "DefensePro: %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{messageid->} \"%{hfld3}\" %{p0}", processor_chain([ - setc("header_id","0003"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hdate"), - constant(" "), - field("htime"), - constant(" "), - field("hfld1"), - constant(" "), - field("hfld2"), - constant(" "), - field("messageid"), - constant(" \""), - field("hfld3"), - constant("\" "), - field("p0"), - ], - }), -])); - -var hdr4 = match("HEADER#3:0004", "message", "DefensePro: %{hdate->} %{htime->} %{hfld1->} %{messageid->} %{p0}", processor_chain([ - setc("header_id","0004"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hdate"), - constant(" "), - field("htime"), - constant(" "), - field("hfld1"), - constant(" "), - field("messageid"), - constant(" "), - field("p0"), - ], - }), -])); - -var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, -]); - -var msg1 = msg("Intrusions:01", dup47); - -var msg2 = msg("Intrusions:02", dup48); - -var select2 = linear_select([ - msg1, - msg2, -]); - -var msg3 = msg("SynFlood:01", dup49); - -var msg4 = msg("Behavioral-DoS:01", 
dup49); - -var msg5 = msg("Behavioral-DoS:02", dup50); - -var select3 = linear_select([ - msg4, - msg5, -]); - -var all1 = all_match({ - processors: [ - dup1, - dup42, - dup4, - dup43, - dup7, - dup44, - ], - on_success: processor_chain([ - dup10, - dup18, - dup19, - dup11, - dup12, - dup13, - dup14, - ]), -}); - -var msg6 = msg("Anti-Scanning:01", all1); - -var all2 = all_match({ - processors: [ - dup15, - dup42, - dup4, - dup43, - dup16, - ], - on_success: processor_chain([ - dup10, - dup18, - dup19, - dup11, - dup12, - dup14, - ]), -}); - -var msg7 = msg("Anti-Scanning:02", all2); - -var select4 = linear_select([ - msg6, - msg7, -]); - -var msg8 = msg("DoS:01", dup49); - -var all3 = all_match({ - processors: [ - dup15, - dup42, - dup4, - dup43, - dup16, - ], - on_success: processor_chain([ - dup17, - dup18, - dup19, - dup11, - dup12, - dup14, - ]), -}); - -var msg9 = msg("DoS:02", all3); - -var select5 = linear_select([ - msg8, - msg9, -]); - -var msg10 = msg("Cracking-Protection:01", dup47); - -var msg11 = msg("Cracking-Protection:02", dup48); - -var select6 = linear_select([ - msg10, - msg11, -]); - -var msg12 = msg("Anomalies:01", dup49); - -var msg13 = msg("Anomalies:02", dup50); - -var select7 = linear_select([ - msg12, - msg13, -]); - -var msg14 = msg("HttpFlood:01", dup49); - -var msg15 = msg("HttpFlood:02", dup50); - -var select8 = linear_select([ - msg14, - msg15, -]); - -var part1 = match("MESSAGE#15:COMMAND:", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} COMMAND: \"%{action}\" by user %{username->} via %{network_service}, source IP %{saddr}", processor_chain([ - dup20, - dup21, - setc("ec_activity","Execute"), - dup22, - dup12, - dup13, -])); - -var msg16 = msg("COMMAND:", part1); - -var part2 = match("MESSAGE#16:Configuration:01", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{event_description->} set %{change_new}, Old Values: %{change_old}, ACTION: %{action->} by user %{username->} via %{network_service->} source IP %{saddr}", 
processor_chain([ - dup20, - dup21, - dup23, - dup24, - dup12, - dup13, -])); - -var msg17 = msg("Configuration:01", part2); - -var part3 = match("MESSAGE#17:Configuration:02", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{event_description}, ACTION: %{action->} by user %{username->} via %{network_service->} source IP %{saddr}", processor_chain([ - dup20, - dup21, - dup24, - dup12, - dup13, -])); - -var msg18 = msg("Configuration:02", part3); - -var part4 = match("MESSAGE#18:Configuration:03", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Configuration File downloaded from device by user %{username->} via %{network_service}, source IP %{saddr}", processor_chain([ - dup20, - dup21, - dup24, - dup12, - setc("event_description","Configuration File downloaded"), - dup13, -])); - -var msg19 = msg("Configuration:03", part4); - -var part5 = match("MESSAGE#19:Configuration:04", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Configuration Upload has been completed", processor_chain([ - dup25, - dup24, - dup12, - setc("event_description","Configuration Upload has been completed"), - dup13, -])); - -var msg20 = msg("Configuration:04", part5); - -var part6 = match("MESSAGE#20:Configuration:05", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Configuration Download has been completed", processor_chain([ - dup25, - dup24, - dup12, - setc("event_description","Configuration Download has been completed"), - dup13, -])); - -var msg21 = msg("Configuration:05", part6); - -var part7 = match("MESSAGE#21:Configuration:06", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Configuration file has been modified. Device may fail to load configuration file!", processor_chain([ - dup25, - dup23, - dup24, - dup12, - setc("event_description","Configuration file has been modified. 
Device may fail to load configuration file!"), - dup13, -])); - -var msg22 = msg("Configuration:06", part7); - -var select9 = linear_select([ - msg17, - msg18, - msg19, - msg20, - msg21, - msg22, -]); - -var part8 = match("MESSAGE#22:Login:04/0", "nwparser.payload", "Login failed %{p0}"); - -var all4 = all_match({ - processors: [ - part8, - dup45, - dup28, - dup46, - ], - on_success: processor_chain([ - dup31, - dup21, - dup32, - dup33, - dup34, - dup12, - dup35, - ]), -}); - -var msg23 = msg("Login:04", all4); - -var part9 = match("MESSAGE#23:Login:05", "nwparser.payload", "Login locked user %{username->} (IP: %{saddr}): %{result}", processor_chain([ - dup31, - dup21, - dup32, - dup33, - dup36, - dup12, - setc("event_description","Login Locked"), -])); - -var msg24 = msg("Login:05", part9); - -var part10 = match("MESSAGE#24:Login:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Login failed %{p0}"); - -var all5 = all_match({ - processors: [ - part10, - dup45, - dup28, - dup46, - ], - on_success: processor_chain([ - dup31, - dup21, - dup32, - dup33, - dup34, - dup12, - dup35, - dup13, - ]), -}); - -var msg25 = msg("Login:01", all5); - -var part11 = match("MESSAGE#25:Login:02", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Login failed via %{network_service->} (IP: %{saddr}): %{result}", processor_chain([ - dup31, - dup21, - dup32, - dup33, - dup34, - dup12, - dup35, - dup13, -])); - -var msg26 = msg("Login:02", part11); - -var part12 = match("MESSAGE#26:Login:03", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Login locked user %{username->} (IP: %{saddr}): %{result}", processor_chain([ - dup31, - dup21, - dup32, - dup33, - dup36, - dup12, - dup35, - dup13, -])); - -var msg27 = msg("Login:03", part12); - -var select10 = linear_select([ - msg23, - msg24, - msg25, - msg26, - msg27, -]); - -var part13 = match("MESSAGE#27:Connection", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Connection to NTP server timed out", 
processor_chain([ - dup37, - dup22, - dup12, - setc("event_description","Connection to NTP server timed out"), - dup13, -])); - -var msg28 = msg("Connection", part13); - -var part14 = match("MESSAGE#28:Device", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Device was rebooted by user %{username->} via %{network_service}, source IP %{saddr}", processor_chain([ - dup20, - dup21, - dup22, - dup12, - setc("event_description","Device was rebooted"), - dup13, -])); - -var msg29 = msg("Device", part14); - -var part15 = match("MESSAGE#29:Power", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Power supply fully operational", processor_chain([ - dup25, - dup22, - dup12, - setc("event_description","Power supply fully operational"), - dup13, -])); - -var msg30 = msg("Power", part15); - -var part16 = match("MESSAGE#30:Cold", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Cold Start", processor_chain([ - dup25, - setc("ec_activity","Start"), - dup22, - dup12, - setc("event_description","Cold Start"), - dup13, -])); - -var msg31 = msg("Cold", part16); - -var part17 = match("MESSAGE#31:Port/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Port %{interface->} %{p0}"); - -var part18 = match("MESSAGE#31:Port/1_0", "nwparser.p0", "Down%{}"); - -var part19 = match("MESSAGE#31:Port/1_1", "nwparser.p0", "Up%{}"); - -var select11 = linear_select([ - part18, - part19, -]); - -var all6 = all_match({ - processors: [ - part17, - select11, - ], - on_success: processor_chain([ - dup25, - dup22, - dup12, - setc("event_description","Port Status Change"), - dup13, - ]), -}); - -var msg32 = msg("Port", all6); - -var part20 = match("MESSAGE#32:DefensePro", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} DefensePro was powered off", processor_chain([ - dup25, - dup22, - dup12, - setc("event_description","DefensePro Powered off"), - dup13, -])); - -var msg33 = msg("DefensePro", part20); - -var part21 = match("MESSAGE#33:Access:01/0", "nwparser.payload", 
"%{fld1->} %{fld2->} %{severity->} %{id->} %{category->} \"%{event_type}\" %{protocol->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{interface->} %{context->} \"%{policyname}\" %{event_state->} %{packets->} %{dclass_counter1->} %{vlan->} %{fld15->} %{fld16->} %{risk->} %{p0}"); - -var all7 = all_match({ - processors: [ - part21, - dup44, - ], - on_success: processor_chain([ - dup37, - dup38, - dup12, - dup13, - ]), -}); - -var msg34 = msg("Access:01", all7); - -var part22 = match("MESSAGE#34:Access", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Access attempted by unauthorized NMS, Community: %{fld3}, IP: \"%{saddr}\"", processor_chain([ - dup37, - dup38, - dup12, - setc("event_description","Access attempted by unauthorized NMS"), - dup13, -])); - -var msg35 = msg("Access", part22); - -var select12 = linear_select([ - msg34, - msg35, -]); - -var part23 = match("MESSAGE#35:Please", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Please reboot the device for the latest changes to take effect", processor_chain([ - dup20, - dup22, - dup12, - setc("event_description","Reboot required for latest changes"), - dup13, -])); - -var msg36 = msg("Please", part23); - -var part24 = match("MESSAGE#36:User:01", "nwparser.payload", "User %{username->} logged in via %{network_service->} (IP: %{saddr})", processor_chain([ - dup39, - dup21, - dup32, - dup33, - dup40, - dup12, - dup41, -])); - -var msg37 = msg("User:01", part24); - -var part25 = match("MESSAGE#37:User", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} User %{username->} logged in via %{network_service->} (IP: %{saddr})", processor_chain([ - dup39, - dup21, - dup32, - dup33, - dup40, - dup12, - dup41, - dup13, -])); - -var msg38 = msg("User", part25); - -var select13 = linear_select([ - msg37, - msg38, -]); - -var part26 = match("MESSAGE#38:Certificate", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Certificate named %{fld3->} expired on %{fld4->} %{fld5}", processor_chain([ - dup20, - 
dup12, - setc("event_description","Certificate expired"), - dup13, - date_time({ - dest: "endtime", - args: ["fld5"], - fmts: [ - [dB,dF,dH,dc(":"),dU,dc(":"),dO,dW], - ], - }), -])); - -var msg39 = msg("Certificate", part26); - -var part27 = match("MESSAGE#39:Vision", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Vision %{event_description->} by user %{username->} via %{network_service}, source IP %{saddr}", processor_chain([ - dup20, - dup12, - dup13, -])); - -var msg40 = msg("Vision", part27); - -var part28 = match("MESSAGE#40:Updating", "nwparser.payload", "Updating policy database%{fld1}", processor_chain([ - dup25, - dup22, - dup12, - setc("event_description","Updating policy database"), -])); - -var msg41 = msg("Updating", part28); - -var part29 = match("MESSAGE#41:Policy", "nwparser.payload", "Policy database updated successfully.%{}", processor_chain([ - dup25, - dup24, - dup40, - dup12, - setc("event_description","Policy database updated successfully"), -])); - -var msg42 = msg("Policy", part29); - -var chain1 = processor_chain([ - select1, - msgid_select({ - "Access": select12, - "Anomalies": select7, - "Anti-Scanning": select4, - "Behavioral-DoS": select3, - "COMMAND:": msg16, - "Certificate": msg39, - "Cold": msg31, - "Configuration": select9, - "Connection": msg28, - "Cracking-Protection": select6, - "DefensePro": msg33, - "Device": msg29, - "DoS": select5, - "HttpFlood": select8, - "Intrusions": select2, - "Login": select10, - "Please": msg36, - "Policy": msg42, - "Port": msg32, - "Power": msg30, - "SynFlood": msg3, - "Updating": msg41, - "User": select13, - "Vision": msg40, - }), -]); - -var part30 = match("MESSAGE#0:Intrusions:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{id->} %{category->} \"%{event_type}\" %{protocol->} %{p0}"); - -var part31 = match("MESSAGE#0:Intrusions:01/1_0", "nwparser.p0", "%{saddr}:%{p0}"); - -var part32 = match("MESSAGE#0:Intrusions:01/1_1", "nwparser.p0", "%{saddr->} %{p0}"); - -var part33 = 
match("MESSAGE#0:Intrusions:01/2", "nwparser.p0", "%{sport->} %{p0}"); - -var part34 = match("MESSAGE#0:Intrusions:01/3_0", "nwparser.p0", "%{daddr}:%{p0}"); - -var part35 = match("MESSAGE#0:Intrusions:01/3_1", "nwparser.p0", "%{daddr->} %{p0}"); - -var part36 = match("MESSAGE#0:Intrusions:01/4", "nwparser.p0", "%{dport->} %{interface->} %{context->} \"%{policyname}\" %{event_state->} %{packets->} %{dclass_counter1->} %{vlan->} %{fld15->} %{fld16->} %{risk->} %{p0}"); - -var part37 = match("MESSAGE#0:Intrusions:01/5_0", "nwparser.p0", "%{action->} %{sigid_string}"); - -var part38 = match_copy("MESSAGE#0:Intrusions:01/5_1", "nwparser.p0", "action"); - -var part39 = match("MESSAGE#1:Intrusions:02/0", "nwparser.payload", "%{id->} %{category->} \\\"%{event_type}\\\" %{protocol->} %{p0}"); - -var part40 = match("MESSAGE#1:Intrusions:02/4", "nwparser.p0", "%{dport->} %{interface->} %{context->} \\\"%{policyname}\\\" %{event_state->} %{packets->} %{dclass_counter1->} %{fld1->} %{risk->} %{action->} %{vlan->} %{fld15->} %{fld16->} %{direction}"); - -var part41 = match("MESSAGE#22:Login:04/1_0", "nwparser.p0", "for user%{p0}"); - -var part42 = match("MESSAGE#22:Login:04/1_1", "nwparser.p0", "user%{p0}"); - -var part43 = match("MESSAGE#22:Login:04/2", "nwparser.p0", "%{} %{username->} via %{network_service->} (IP: %{saddr})%{p0}"); - -var part44 = match("MESSAGE#22:Login:04/3_0", "nwparser.p0", ": %{result}"); - -var part45 = match_copy("MESSAGE#22:Login:04/3_1", "nwparser.p0", "result"); - -var select14 = linear_select([ - dup2, - dup3, -]); - -var select15 = linear_select([ - dup5, - dup6, -]); - -var select16 = linear_select([ - dup8, - dup9, -]); - -var select17 = linear_select([ - dup26, - dup27, -]); - -var select18 = linear_select([ - dup29, - dup30, -]); - -var all8 = all_match({ - processors: [ - dup1, - dup42, - dup4, - dup43, - dup7, - dup44, - ], - on_success: processor_chain([ - dup10, - dup11, - dup12, - dup13, - dup14, - ]), -}); - -var all9 = all_match({ - 
processors: [ - dup15, - dup42, - dup4, - dup43, - dup16, - ], - on_success: processor_chain([ - dup17, - dup11, - dup12, - dup14, - ]), -});
diff --git a/x-pack/filebeat/module/radware/defensepro/ingest/pipeline.yml b/x-pack/filebeat/module/radware/defensepro/ingest/pipeline.yml
deleted file mode 100644
index 4812096fb70..00000000000
--- a/x-pack/filebeat/module/radware/defensepro/ingest/pipeline.yml
+++ /dev/null
@@ -1,64 +0,0 @@
---- -description: Pipeline for Radware DefensePro - -processors: - # ECS event.ingested - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - # User agent - - user_agent: - field: user_agent.original - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.hosts - value: '{{host.name}}' - allow_duplicates: false - if: ctx.host?.name != null && ctx.host?.name != '' -on_failure: - - append: - field: error.message - value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/radware/defensepro/manifest.yml b/x-pack/filebeat/module/radware/defensepro/manifest.yml
deleted file mode 100644
index b516c39cec5..00000000000
--- a/x-pack/filebeat/module/radware/defensepro/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-module_version: "1.0" - -var: - - name: paths - - name: tags - default: ["radware.defensepro", "forwarded"] - - name: syslog_host - default: localhost - - name: syslog_port - default: 9535 - - name: input - default: udp - - name: community_id - default: true - - name: tz_offset - default: local - - name: rsa_fields - default: true - - name: keep_raw_fields - default: false - - name: debug - default: false - -ingest_pipeline: ingest/pipeline.yml -input: config/input.yml - -requires.processors: -- name: geoip - plugin: ingest-geoip -- name: user_agent - plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/radware/fields.go b/x-pack/filebeat/module/radware/fields.go
deleted file mode 100644
index 5dc61100f7a..00000000000
--- a/x-pack/filebeat/module/radware/fields.go
+++ /dev/null
@@ -1,23 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. - -package radware - -import ( - "github.com/elastic/beats/v7/libbeat/asset" -) - -func init() { - if err := asset.SetFields("filebeat", "radware", asset.ModuleFieldsPri, AssetRadware); err != nil { - panic(err) - } -} - -// AssetRadware returns asset data. -// This is the base64 encoded zlib format compressed contents of module/radware. -func AssetRadware() string { - return "eJzsfe9zGzey4Pf9K3D5cLZTDp04id+tb9+78pOUjW5tR8+ynVdXWzUFYpokIgwwBjCkmL/+Cg3McMjBUBIFUPK72w9bsUg2Go1Go3/3d+QK1q+JpuWKavgLIZZbAa/JB/8HcgozkAYutPoLISUYpnltuZKvyb/9hRDS/pDMOIjSTP5Cwn+9xk/d/74jklbwmkiwK6WvJlxa0DPKYOL+3n2NELUEvdLcwmtiddP/xK5reO0QXSld9v4ewaf933taAVEzYhfQrky6lclqARrwM6vpbMYZWVBDpgCSqKkBvYRyMtiANvQO2M61aureX3fJsoGLaEkqtvAfBz+2QGyJzSKVmW/9ff8K4yQfkP3jghv3PcINaQyUxCrCaG2bQGBNV6QCY+jc/ZtawlQFxm1auc93QBPyVs3JKTBVgo5vxMPiu0gdup0WLixB2sJtLTHggHBm6geSG6Q5U9KCtMZdAC6NpdK2aJgojpZXhyBYUrv7wRA77nFySxBqyWrB2YJQYsAYriRZcGsIJe/B/s6tBGPa058MWKPbrFmoRpREwhI0mULHdzXVBsg7sNShRslMq6q31NO3am5eXFB2BdY8G4A/5RqYFevnxAa8KfkAXhp4Dpc9NCdRQgpYgjiAkkLJ3fu5RclTqDUwagMmJcy4hJIoKRAtS6cCSEXrOFaVmRfJLsyeM34X7vn56Q9kSUUTbjwvQVo+44E74ZoyS4Sa+/PSg4PA3XEHPnALfs8dR0215awRVOPvw8FORjljAPogTolxxgDyOKeMHsnyuGfy8v+fyf4zcavmOZD7XV81/aPAjewey6PBbkkPEXrZUdNgVKNZprf3/mTLdf/vh5mx1EIF0j5G5GhTclswQXfu8CNBD6TV68eI2MLpVI8RMS4PQyyvxtRKjsfLaSXQQ6RHXrLNAMqUNtSIXhOzM3tfbO1+h81ADxkoCfezInb0kAH0G6yIcSruOEeOREXZc5tEyefJNdhmIvKRCAXvTD52DLW6kfxLAxs1Wnf7D39abxu1J0oy9zhQqx67ZTsibpY8rzjsU/fELcNnnNH+fX6r5uRsCdKSSxTOpJElaGeCaAiCarD1Gb+GkhiwDsjWj7fXMOMGS3sIA9j3Nli6QxiAvtOhDD2B6f1LhzHmYF93oMndaLBQJpO+2ufLX5WxfREpdjnSgCy5nLcfmhjb9HxIXw99+SEMNvjRKGHPL5Y/EVqW2snKseu+S9zB7q36Wom7fJWbvK/+3yWvo1Z+2bArF7wjre8tKwklc74E2TnJvl5FwJHoMP9FXgu
kfIzK39cR0Rh1aKh6XWj4kuGs+8FDPGDc93SNVD7zS5MLvEjPgzfbUvJxXQNhdChBpkCA2wVo8ulc2h9eEaXJL0JR++NLMqUGuagNkM34vNGo+t2w70PU3a943xgGzWd8JvAvuF/PVS432z7ruF35q3cwKL2iusym1PUkWm/bfUqeX3ze0vco0SDo7pESYtbGQhUe0YC2g7YAz6nGE8/9W2k+55KK9jfb2soNdMilf+1JjDi/+PwqQoKA/oAS9ydBh9GQyilenw2jDhXHQ1+fBdAS9FFi17/iUuT89D5RUo9vP1iKYA6LlT5qJ5tgRXY/G20VrfONooUXxZkuJ0oIYFbpr1EAO+o9QM6N4zluCPOkg9JhuqWovlW7agvZQ+hHaPFVbPpYVNVKGUx2q5Qk0/Xg0AjR8KUBYx1Aw6tarMM5uS87QU+AsgUxvATy9HtiF7ohL3/++RlZUUMMgOxW2UOJR6G83oISplbSQD5SsK+GK5hqpO18Ck019ULPXWUThUCe0qlaQo8YXEYzK1vxZqwGWo3eH/bVsM0DkwpK3uzqaSkI9U1Mc+wcC3xGuP1n8/L7H/5qvEh/UaMAbZH+52A3/3T24Fu6Bk1ekjPJaG0a4SMrzqS8k1yPQb9n8COSWxlb5ceX5F/ddp+TH38k/0qY0k5fxl2ERZ+T/y7s/3Rf5IZsE+Wb6BFKVcKjtXXlCgpGhZhSdpVXA/bISWXx2lDr7QpHRJBlrbi0aJpYiCc4I3MUoLXKlJ+20QdNDYxTgRgjpsYq7TRrufZah/tgSQUvPWPEkCJkphpZuhdGACLP5TwoRzcmL27fiAHkFLHAcB32hI1GTmEtFC0fyzsX0CGG/wmkAqs5i1gdwRTufxltYf/ct0LYPfvUbjRaNWuPbUJ+VSt3NEObk0uitDPGrCJXAPUNRHsUL95XQjStGBhTLHlZlLmirmet5JmDBE0tXvLSUbBnFy65tg0Vzmjf8r3LiIuDV9yZ3RgrR2L4XYSrfn5KtJPWBh0qSDSq52C7r91ICaMzJT09OCV8Jtx+SugsoaCh4D8/bX2vH6BSFshl4HemAR/a6XpMULr/tYGYryDwElYqTC14zsyGR23OGz5Q+x+FbuZkbkZ+x1vn3oDA6y3XtVZLeEL+a0QYvXiZcfEAMXq3qjOOLk7eXATdl1HpyMOrWuldjZfgE/nVpUE0j8P98ck/VWiIo+kec6Vum/LN5icbg93rOWiZT8jLn1+RFdK9AioJFSLuK0CnPqpJG/8RWYEGD5ZaIoAaS5TcKRfZJuKDq4lfNxEjdzVH2DbQ7nelSyQcZjUBW0gl1Hy9G4ibcT3QYgn5mbAF1ZRZT0R3qdeIPzrNJWlkyOkRWz7z0Yra1AXdPlCfM4iwJ3aJFkXllEwl2zCCpqtRmYaSdUetpAw1Vh+jkMHnoBhrdAvRWCpLqksila6o4H/G8nuVrqL0KUOWw8EkUs108CTdiUgbrDtkXgg+A9xxxMA3wJQsRxTszXEXxub0s+zZEJdMVbUAG2WAUScqRQXear4jBnv1Zto+ECNfurWj7DzGytucOcp+lZJ2keiYNvWpqXJeNllO5QMR/kyWOcjuQP6pZO5uC3vEolu9VTF9eu3HXQoPRFS2G/2GWLi24fKRJWjTK6co9+WBRc73vsy2Bppqm5syPaZ0CWW+dzAk2YRnynQrtjpGm2nTfbEfXx++VlpVE4TaYFG+YSCp5sqr9VUjLP/OctCE1rVoq182zWoqKuk8VppLiMDwTmsveqQ8roZw+8QQtZI+MmZpVe96BgPGbjWH4vD2WUPYgjvrRpVgJuRdYyyaSX2g7lZSO5KXSy0ceEh7Bdhs5vBewjE0ITzkdkFPOw0z0CCZZwjqVOuSL3npNBvkh7ggu2wF2ccd4sU3eV1zfbQdbs7Tx4KuHSdyK9Z+s8YJPaevOaSQQff7RhMe+qgL57mTxp08mwyW7NLJVJNaAlUDRe6+EDv6p74qqEF+aaA5Gis57vZ
ctJGPK2oIIlGO8A0i90NqoiZUCrYImkGmzSub4fWdVzlwrYsMqNZFDu25TimKtoG+TA41g67Ue0UexoTcMR+jb8zgubzTm3Oo2LxJrh0SLNg8EDvdEFI7gigbKPEpFGvTiNxhpxErSjWWqQpeeBw64wWzstVswCFUBhJsGZAjDAJL0NzmLB3Zs7F29VAE2Ivs7HP55C1eHPQO9K90V+nioGHcqQbGZ3xj+MS1Wx/MGeupEnTl/NlMkQPoXIy83BRMtC6qMgRZongHs/lYh/B520rvW4JKk98uQ2osN21CwK5fDddvT2isStLUyvCEguNWvIXmtCx9hylM5W/v7mgXnkbYIl/rojuKItlUoDm7qyyK7u0IVWx7NtavZOtuhhdL/n4PtrYEWSodEmb37kxN/3iA7jVtaFdN/wAWt6MdYvlrwQfkdhJ0P2Je0ufsVffN8EKGqv8gZoKXa0G73GKpLKFkETpexBNohZoXbaLKgwj1lhHvLNSP0TNlS/b9HdOtsC01io+44q8EZ+vct2ePXLhABEL3bCnWI3K5ETnzpuME/NAIQMTi4lRJC9e5NdYOoXPp/XWbfqi0LI37P3xUqWgRijWAueFxZgsq51BIWOWWBWOBS1j1Qv2ohFir+bSx0JMQwxx941F32nr/+YuLDlPTZMKuo5zg2dpW7iMaGoK7+UUemb7+FjFusQLMEaxtOGg2OV96CXpCLsEfSmNAT+gcsJV3yHSfKd3iMIDdgvF6O8PfE//7Xt8KpclUq5X7rP1r0DW92TXaT/q8vKDapnbTdYBTe1TCnVKD6tBj3Sklyk5tzHWlVA0hoJjrLX4jCRWgbZddpDeLhr/58FYQH70mAJiEFFGYSyKV/E5DDWjJ7Mt+QLPhmE8Oa7R2F6azV/AkUY97wX2ErQ3/DHa24nYRlGUv68kpLjjFahNJlPxurtx/73kJUEkpIopjxn3TXjDwBSLgkFQz4qSD5WAm5HIjU3YHG/Qrq/JgfOLL+RrjjBhfMuqTbcogfgPhKWGiMbZlyPCPwTHhT7hxJxlqooN/wym++Om4CnR07cffsLhF79sy5VPKntxkeDksTxELQo1RjKO/1J1G1J7EA3vLr+A1oaRerA1nVJCSm6vnpNY4E+U5AcuexBVlqukhtZd3fOh9nY2mFVjQhtTUYBcvg40cfC8CpqrKSTG1FbQfltaAZXvVPf8ePJTG1zvDDA+TF99MVXUzvIMZjo2SFZelWoV8WqYkg9o+7zIpRokx2OasEWJNvjRUeOdnqSrKZZAasreQUCNPV9/rmUpd2rN1pxK+5fIKylAL1CaiU4PeqWCguE++6VCb8HLfwYlBV4isoq4/usm7JXYRaNH77fKh8PqtDp5Xcjls19MFnUFXfHewU24Xa1gTsfX8v1/T/jGxpj3jIv8d77b8C67WXWMNZcOAtJEjiLvbDGhORRF5TbM9Ipe4ZKs2776PvQfQvTCjfgFgV+aglgMpPMZhdffQLahZdDfUqYWRKsOGLXzmb1tj05UZnrSQdlqEuY10y0yMZu5X3b+HlabEyXNJOObcNZIJoNr9CRvhbVALBYTB26nbws6bow9e+DXDPk+P+sViqppy2fXN7j9YoWxU3+H1WnLdmGN7+vraCCIw7vE7ToA0ciVO/Oq+J+O4p9RbcNld4x35vJf5/JS895LmaWjcQPy0vVD063B7FtervQP6IXz5Pffz+SmSNJS8dWJi6D3Yjsj5NEC/hYlnIicLVtzEjdSlWefsZb8d1Q0F2l5d2OvHlt74PiLXONKfdAuT89MbNdlU/rkbNFmH2EtZbjTaCTnx9Zmh36nwH+zXZhFBvf2NH74J7rhpY7vKTWW7x6iRAoynjPIPykqRJdWcTsWgCtA3ZeCS1IKOCAID0mTtj7J1oH1V1a88cZLKaRhtfSF353z54vxiV4cmoWWs9yiM1WUfOFDw1rWQm0iLR5KcS0su+VxSFBYjLFornbN57ZOB/HJMetHqbgq7OuJ
/OkR6dxm5rFQRxnn/20fCJRNNCU6chUm17ucT8vTsmla1gNfkwjtEPFiU3pO4XwQjc0ePbaJzavO0xDHj5sqp3AfgdYdSvJ4b8314Gj5wc7Un5Go1n89B5xthFyfZ534sIOCA2ulCg1koUTru8bb6yKTRrdD7ETwLw9h7kMpPP3gd41nXjOP8NF5GcuvoPFNVXRw57wpPJeRe4RhX798zzfQ7h46SWJ86w3EzqmzYmJUW1NIHyhrrY95JS6Wx84CT6y1+I1PiqMZx3g+iAA676jvpSsND5DYx0hr5qROilLyjrO2nHFdunQg6qh2j5Hetgqr3SyFvayYfaq2BmuS5wcZS26RSnDt/FOXiwcwOt/hUXRNevhh/v9zL2hwDQ4fRp0HjY38XHBbxq9u+Y5mn7w2Y/HQ4d++Q54xL1aSKcfbqSMw8+Z1ykjSl02Hgkf0pMeDcnRm3WOKNEE7uEdMwBsbMGkHO3PqEqRKMY4m22W/csuCyhOvEBBDc2MM0z3vKFlwYTTHdIjEFjfHNimouMIMn4sHz8Xc5JxSJ+J37bXRnMgMfqqlvLvRAGnFYnTzt8jlr0KYORbdewgxIFlSETUJ82+Hp2UiRoXdzDd/j3AklXvnqkryCr8p/231IuTSkBEu5iDgZpqqxvd+NbE2Jo+dmth5b2uWxIR7jD6mFqhbZsnnekBJmNISAQufLNoYfsjWdVrwELegaC7msCo8reRq5ke4DtLrDr2HWVoF7X72x3DbYmJFEN7axDYYNm+57XZNGsXr+HUZTY5pBVjFVVe4+5WGjEw+d8F6yb63Vkpfef9Z2kavAjCZClYodHmi8u7fsFy42WiPr5+XFVYPrGpOeHkbWt6vnlfV/qOmBfqeDt/e/1TQEYOK3q+b5GueeYkKxP/nLi3NyPlCo+mhk61obqkv2Y5CwsKurhp0nNaTv4g8LudVx5d6LiGKqytwVX4OKu12lI+BCHC4j6tEifbcEHzI4QuV5zwUcSod9Am0XD+FzXnahnBEnXpXaahyUgSd4+dMped2+6ybnM9VO97745LvntIEoTNa4Btb0vQg+9WsKsfLWtgvTvsSNIzhCol7xctsh0lVX0iXlgg4DGaRzhROsr5yB1iOTFvwdOsTXny7uFoyVKjSA8gHYwZZCuoHh88mIRORVMW3Kcp3cP8OrImkdUA9uY+CwRud7vVTpIWquEnY52CmxK0xzjIIEbvrZq77nKm1KbrvKuk1ftIBRbLDdpmLDi5JNeGH/Jn2WWGoKLo9mlZ98PiNPQ63E50Y4XXnKBRZwYB7Y2XWtjPvmM/Ld0NEgd6MwV1Kt5JYhZIA12MxiuQ19ZNImo0dwwe2mhZ60Ve7vQ2nSW5hTtiafRs01waeaPkRRflh4i8RckopyOdO0gr3pGDXVOLU3f5+ELeXyApcl71Xpk6M3bQF7WWcRpMgN2hemCjhC5LKQtvvGvYcV+bWRaEq+UyUI8pTL5eTb54Qr9pxM3f+B+z8qqVgbbibfxuOLltXFTNDB5PzUOtS2hn9yQXBR9HWhnFy3w6/UbG+jBquyYur/Og14tm0QDGjHyFGEllVaubuD2ed3v1MN5KNPAP7228/vfn/z4ezbb33O7ZJqykd5cqX0VcqS5Rsv2O/tgv0I26gTjMrUSkSo2UnbpaR7Dihzz8U6gwkzUxqk4SylAOm5kjJgXKX3gkTiA6mAFivKh8OJ7+0dwN7nqYG665O6RN0000yXwk5LY3Xqynes187mEOu/pcne0bbmI5+T9NBil81gsIFKE4pNNnUvod7FgZjxUUdTu9VsjthDtxrtRhTZ5m55T1woH9xP8O6OC4d80P8/DFfdqMx+8t+DsFjZ89EHRPYi+SDM0cZx9+Gn1BGStrZOtmeXPrVdRnubZYd9Mp+h223AuTdHptuW1fwY8TAs+ppRLhyt22YuF0FmnJ/2a9uwE5czBy3MIy0MxrMK25zrwqmIB+znkMRrTLcO1UcnqqoaueuJGmAnD2v
cdF/s3sO1/TvEdeoON3OYZn1f3C6pLP9dxaNmG9wstfwQyXBv7IYLbyFnGlNzxlWyLNFjWfCI/YpqOQw6PHbUjazqQuUSxpfv312Q37wfdZOUGkfky1FTCS7/4y350oAe6d3aCFlo2O3UmTe5oecQXZMPbdFZNK2r09JZwoe0D1SlHiPggNYHOY5ugmojwbF7wy3TD2igguoqw2k5sBncC7ROWIDcAW3KZFNpt2Cm7Xa1BbqkdlcrvC/cKUi2qKhOVVbSwV3XdDC++N7RJ8oG6VRJYBaL5LzAYJa2gKoDPJtjq6UMYNX0jwxQa5p8EobvOJWcvTDoXvDUD07o3FaBUz2TIy0LynAwSvryEwfbyITGew/wdF4vf5LXdpH8fWeyYFYXpUnad70H3UE+LPJ0C8BLQZNLDFmAnHOZsChyCDpHbrQsZoVZccuSyw9ZzIRaGVqlz13pw5Z2mQ96hqgLkwWXOcUJlzXoarpOlvA+gF2zqzzAl1Tk4BVeF7VWVhXpQ1IIfflTgR7H9LBFtrsp1LwocxDbAU6f/8ZkUdHrwtpUboNtwI6jBWR4FCouMyHNZT6ka2EKMRVF6rDoFuzvMwJP3hm8Bzt1L8Q+7NRVvX3YP2eE/Soj7H/JCPt/ZIT91zywraoFnUIOkdJBT2+eyaJqBCrf03WGd7IFXl9l0EuqRvB5VefRvp2WScU8dRJSgMxzKCUGvrD0vhFZGJ+QmOEEjWZ5rEkHOI81adamqTPMImWyK6vOYqpaZZ3pAdcZRIhV1hlmuWCjWZMFeCP5taRSGWAZmHD5ylEl06OwfKVquwBaZnCrqaoumMjgw3aAMwRJEK6erm16t6iDbLJArpsiQ0yDaW45oyJDAZEp6BwkWyfMuurDllSs/4RymgPvZYFtQLNA9u1g8mDtE2uzQJ/O6+WrPD5oU0y5/WuWRmPMFGlnxe0A1iq5qDZZrjlCBabTV7kZ7+NPNmurBxjswvv50ztHPHBU+7IA993k03WQ68GecQE5bBhTzHIcIp+lLM7eBpxDNzAFrzFJscgi6ni9/Kk0th40808E22iWBbbgM8hhxhh0NFdQ8mQFo9uwuczDJZUqGwGGqRzUDsD5PINsUrVZUZt05n8PeiyDPAlgDXNurKbpPSEb2Bk0Pg11LlLrbLQ22IlcZ5KvPjPfs3gG6FYDrTIokr4UKBfa+ZTr1UJxU/gJs+mhr6mmWRi8HCmETQF56efbp4bLjaUy+Zzj0thpo1MNC2yhgp8VlANqkxzX9Hp0W5OcGixObpilH3Z9aKeBfTDntCxT3wFepg6rtq2DMrxFvCqYVqrK0pXIAc5gpvGqyJMcGToe5SBzfZW8PVNt0rcs5bWpNU8MVFDLbZM8+0xwCela7GygmqQTdTq4WHyb3q0llO96WsyESv6cd8AzpPw7mze51HFAM0gcZ0NnQDV5boJQ8yysK+dZLnCtdGoBVk2beY5rVnHDcoiFymRh2BxzICRYbK6UHG5yGe4bQKfO+PNQU6fjydUqtQWSpaJM+QHQyS1RlV4zUprPi8g8rnvDXUnQ6d+suvBDeZODTTqZegPWj3jNwmQZCjfDTJzUwiCATS0N6sI7kpKjS41xHxZskarOfwAarmuePBBQg67mmko76LmbAvIqC+D0T6/vRPbp084U0ASAtZoX1NQJBwb0QWuaGqoGKnLodxoY0sF3Hc0EPD2RHeS0LVx7kJUuM2Cc3pFpMviGjfcNZ8gHMJA6EcAPPM5gnBj4kp4BYg1ak0HNYEoZPs8geE2d2stmNMtxDzQrkyvSRrNYV9wEgG26EVt9mI1J3lVzyWTqQonotNj7AvVNOlNv385terbyQNNH9LqZnqnhruvk3VqbcpolD73RIsNb2BjQRclTV71nGVvRRoZykMEyY2mV2hu8LLg0ls4yaAZLrm0ONXxZywytm6zSjUzpZo21RYt0FH3TWEU+NJIMlu6yRzIOy/tMBS/JiYaSW3JCdRm6GRps/x5Hx0/
OykilsQmhCAaH6BPsb8CUILFSnS4fgst8lDuraqHWMBgseCP9ZqpJ1tT7ljzmaOh9RjjvTMMcrklFdxstbGKxct7sDgPJjqTgBocztKuHo8cGSsQ0da20JcPGo4SsFtQSbkmtYTbGCvdIy73LEIoY4YPV0aFAuAyd3Uf6Qgsuc0/k76HqVuvjaYhVc7AL0JPN981CNYMXjRAJS9DdOCKrSE21AfIOLMWJ4P6u0o4ET9+quXlx4cten5HTMOLrObGLyJQibAb8AcLoY0Rbkvdgf+dWgomf85CpsxBvhiO7u1uEi/vNGqCaLSZc8ih+OHP3CP21d8QnzsLAZIgXgjYSZ/3OG5zj2jZxjzdw3+nXvmdP+dtxd3vqmnCH+cUjxr47iCJhTdPtOq/isuQjXFu8FWPugmNMox4RSJvBde9xQrUUIxMvsXtuxnHg2D/XgCUavjRg7J6m3YdnK9+9V75XGXAsj1/VS+xdj1SXd7rtTtmHk8cIY2Nbf8cO7eZ1dOcpZ//fPN/QLXZ+2goFXDvOG2g1pEvivSMLu8dlSg0Qn67dYUMGt6o7pfCLh8FXdqPgO8yV9u3ro2QkhBpiAHDcGd0/r0pTaSg7wnjfQYdpv7REtXfDNKzROAFtH9I16Ip7deNYSG+W9IM5+JILmAMRsARBqDF8Lv3Bbeb1x1kfWzI/oPzG9fdw+vRBJj07zBrJvzSwOyaRxi9fD9/DOiYeNgWl1Wh46S8kU1IC5laQFbeLMUFBSKQypNPYNRxUXnRn08KRE+VJ90QJNeeMCuIwGDF9EIuHxQ6XGhnT+HC0qxdrE0evl862UjtZrakfeCo4NcVCZbcJvBHXmWs4S2Uz1MhJxf4Inng/AOIvjcMW37QwiIUJoHryRhjlDPGt+3aKwXLya/jFhLyR6+5fA+gWbXkjLaHlhKmqbizouBjO4sZ3G8tnnn2zexY4Y3HrQLj9Z/Py+x/+6mzf095xtBT7Jop24NMibcTsto4bugZN/qXzyZkXAQ1ELn7rU9f/5Od5ucF5i+v3nseBycs3ybYnuwNT3DoT8v63j2du76DBO0/QX1pywzTUVLK10yqDeiZ2c0EIUug5+fjuNTmX9seXz8n5+9Oz/3xNPp1L++on8nS1WBMJ3C5AE7ZQJoxKU1oDs/itH179r//27EmUImAXGWXcLj1Qpk4qGh/HYzJz3x2v+aXnxfMWqfgVLx8X0n3ZdAPmBzaMu/UDH8N3RzHdWCefubYNFeTtm/dRZP9UEvL5sg7jjP+jJEzitHXofjUiFDdys/DEI3iMb/Cec5hTCyv6ACPSkbsvyJuy1Oin9VweQ6d7ellVHxrnvG8s5Pzk3YV/lUbDYxU1R4x+bDmVvKYa3m5yfuFQGfF+ORoeOAkiCQ3d2uM0bDWxwk/XOq6A6KFLy5K7L1OxCdj2ZvnH37kjMoAzCfGCq3DDT7dZYIDKJtc6i1532yeNkvcBwwulbSeSB0K3xAAbHgC365slrzky7f1+uJy3j0m7rXdjhJcQsxuP5cUN2KHlS41RjDuV0/uNBjoOcXJZUzmHSWc6MSVnfN5oKMl0jTBBlpg1FJcz9YGtBwZFoyPacnTRWYZ+ByKh7t8v4UruANBQKQtFyOxOn2eUnrSlNAUtfCp+BtC11XmAzzKwxCxDtbDIcR1y9T+pMxCVlkXricunlu9a8G4fk93V+s6EB9Bgz+wCtARLPq5reE4+tc/YW3SA/UguWgfY4CX4bUxTa0f1HEGZGDGNW6SDX/w5oUJElYl680VMcKMaE/OWoN0byKVVxFh8zLkkn85HBQrDBNls8iq5yHZAVZ1h7JsDrMGkzuh1YDOUuPgXMXUqOvrbM2DrRysUAuQ8+aRIxNkpHxm10BEN1Ks8VPQCMJIwTCeYEUp+UXpFdTmc003Imzkme2lC3Y2/xly6KdgVgIyrnom7Jt41xq0sFf1QnUeGYMt4zIwY7JDLkOeKaQkVt04shREb8S0uBZXHiOPfwkHZJoj
0XJSDDW67LDeRlKWzYOdowG6/PKkjlcCwC8EyXT+420XsqbacNYJqgv2iSYvE07Pr12/VXM1m8envwAq7gOzHu4XsR7egv409vM8c3g7dN41dgLQhWXwUbdOk7Jxwu4Qev+Q46p8M6FGEVWOZOi6lw5LjCF82jIExIzhj5/HDmqMdlniCeBGn4s6VXpNIYcIAt2MIpy0cYQdHJ5UwwGdqJd274uRWTDnsfkgGitL2rpbp+tGNvJuU+K6lWDMgOJTdfoIfZkcf5pIYbpuI/CRYXABBRAeoC2oILVXtXhe7AK6JWsnNkXnCWXqtpKpG8mpxJofhvkX9cZUIp9xzWTr5o7TpCEDJL1wAeRMQmwzIcBtnr+w25u/kaMJ4t/8HSVcYJcFlyFpIS4XYHiOESFnvfg9C+Hy9y1CvkZoS4wmhU5WzeiCy+Sks6JKrBrVLpqpaq4qPZCjCsZE7k3QqsIhsRk7248blshM7GZHcxXBL6yRRBLYwTDpc5gAEI+t3+OU+3d4ru7lvo2y3KbNspN0tZ0ut0ZdYBl6wQ8z6W2lB+B7PQYLmrN0SEgQT/XZTC7hd4FMbm+1GArIT9sPEWD0e/Gz3dEjbrQfb08v9ewrqhV8r476ipmlnhFtegXFy3Wt7GmoYDSKFU0jWFOLGg8DGg/c8Bn1L1jqkd/eDsdaPt9vTD4VJNuT01lsLDuObdjjYG+54IxBuIQy+3t29vHF3+qhn5y9akr3pm08uWS/V4wiQG+R4J0C+Xnb88eYjSzXa4DhHdjv5qI8qQVLesVvIj6OyY8q9DZixU+qxBG3HT528cqexi6ICu1APECWhW55k4tEIXxs9cOylpFVWr9OeqM4HJYK/1iGyhy8zeUL+c/Lz99+Tp29P31w8I6fcWC7nDTcLKLEUPoqLUHOVvS/QvkgYZsvOPB7hmPGLIxljWmX2Ku6r/3SnGsOguzHokU829Pku14Vh2n9X99tz/CFOsZgplbE26ZtMMSpSdafb2cgHWvLG+BWI0sTwiguqvXhyYtPdIYbvery8Cu+54eUxO430M+U/OUZovYg7fTE3lzxfncUbue+uY1gjVBr2/L/BSYSfDHghOG6gV5ZRxl2ZSudMDBiEbJDUSs+p5H/uyaqW+VjhtsQ+gNJ9nhoh94zraC1ppq4/v7jl8LXwLb5876KtrOZfgQq7YFQDqTWUquKSRgvueuLpgloO0pob0+MFPeZu39IH3axv/Qh1JsZ1V+eJE1w11RabIW22ul+sHrHZURA2t5GoMyhBUwtlkSypbA9/OOHzS7tiFzy70GrJy655WPgerWsRNNUBY4TmP+5Z29Zp4wrOZpO8PNIuuyVDrz+7HtlmdHgoZk4uuY+eL3YV95EWcJ3SmXIo+F01T7hGnan3o14l9DyyUa+josZKDTFWaS/xHbQKLMXVnuC3Ju5bT+K7r3hZCjielHuH691WzkWOtyf3DpJz7XiM42z3IqzW6zAk12109jmpBXVH5t5npQlIptf1mJcfUyGPYE/eIoNOd7blr8pY8o6yBZcjJl1JM0mOb3Zp/Ulipn+twYkPpx/5JmdmQt6WtCaf8R9ePyqV9HWn/xw+nmRBl+A0JwFUky8N6DXBHoSmVtJAq1HFi1Pdfgv8zXHkZeiBxxxkzdsukNJv3/flG8ez3dIRUN0w0IfQHPW2mOKUp7wOs10eb1tLbzUxcrZheHi5IbqRMmrHmufdy+Mjz76N1EiNXYBYBAsz/0FQsuKyVCtDTA2MzzhznzyP1QmGPNnhBXHb8/hucm7IU+wIC5JtniEMXT7rUYs0Et/xtzCnbE0+me3Gt10EttotpE2eXetWOILBPvLa900tRAVr1ZDJ3Is4oHjXByBS/b9VaYrlPEPybW87v0I91p3Xq9eRHeMOo4wWfnPAZo+T1zu21ZDhG1zvraw7w62PdwEd7uY4DrsuYLB9NpuETH8MgxOKN6S4ufgZywZSjgQcrXDDLZcw4zL46lE4YVe/itYjTQc
Ru4MKxTLhtnHA7Kh/qQVj57PNvffQS2mkN2Xnw7aWskV15Bb4m1WR4GRgHfWPI8uQlymX6SaIJb0bbstYVJj38YwIqX7ZDh6Lb6O9Ke+PTO0cYJ337bsB65rqlqfcn59vtrJa8EErdeJuh7NlffL7rbZnk88s8W0tlF7nO/C/mZrKf7uxY0yLyHYX9VY9jz1Njix/e4HQb9jbg6lEg121/db372qUCwqQVqv6ENFRqmY6cC7cisfDms7ahhvKERBHX91x3Ht4oqqaynV3H/Ha4Th9b68sQbtnqOBypuJKATVXuWuEbpAfO1Zki9kK8nZFn33JlSPwSyPEmvxHQwWfcSjJKdY9e+dgFJUVTAum1BV/oKD77zAlfv2N/UzFmDafvNvsJhxeNxZV7gNHmN581z90S4QpO8Ed7X3yE/JxXfutbzwHjjj+BMcPT8OsSNpMdgdth4N3ROgnJta2dheZY7jqOuVyGzvvWayVbr39GGL+8HbkyHu9chKzU0uLOu8coj2kcCvf6Llv0dRKZdJEtpFy67jzIDW1cdckkwU1KaP9PcA6lNMnhtxokfCYe1ATnkpnjBaNTuUN6cE0oAs6T2dTbkAnf562QSdNf9wGHbg+g2CBawsSVav0xomDn4ybO0VvoWEnVSa1RuWXOEYt4ZbM/YjLonr1Ivz3SUDhRfiPkNcUc/tTATqenRe284DRc7+ZfvAcPa69UWuD7ZRhIJozqbicgdYjcdfhvo+yr77ifyPpo+7ZIyDZ9iWe9Y4hcqUwrK2yXqnIEkdjvzMft3ds9xEziHX/T/+AYYLW+MBPXi9AH8cf4XT2kPH09ARHPz4jJ7h+HDXQ9kjNUkbofAI6DP+ErSzMPc15IWvouEfI3oG7RZ+YXqfovSfN/zzUK3n31ijx0yaX/M+4t4ZfZZIp5/84IxLmynJ/gPWCmpEJUIYdu61Q7yj94uPDBd1RZ5sANUhw2eGxtnF6W38TT0gxfH6Miort/kbd1MOPo4OWnTThxjTJlU6EjMlS+bx194uhIIagdVYf6OBQ+tLzzC1OLjE4vU86HSVDousMHqLITy8xtXP/Y9STnocheXfpuQfHcRFqjCiWOV/03ZBqcGRHkSkLx3q0Sd6m0eQCzK8gWNSZmht8sxlX0n+QULb+RAzG65Qm55dv/vHugly4d4r8Jkemr2ywzVRJfQi2H1cqji2KIbYAdmUOciLfTgjn7UEWGzrX9evsWoRhGmgYQbiRgnu0XNB80BTyAZRcj0fXFWTUaECcLbXN0SZ89rFcUsFLz4gRJHYF4dG6Wu8ThEixK1ibXbGdiPPbBNLEsBfW1qbgOIM2C2g8yhwEYfQR3CY+l23li9Lcrm+4UUxVVdY+cbfE2+MRHELxEvwV1yB2Lc3ULpaVoLIw5qEG3rqVvQz/Pey2rdGKYutLjYta8WOkVccQ9hgQxACRilsDSFa2oFIOGmfkbjcVVkVERmK2R2rb3D0sYebh72/fvA/v3oud5bsHxSq96/tP3rONm6tiqUSTiwBv2jnOMsy56SZjt+N8G8mtIU89EuYZduvAwt52ou4OeIJIR3cjmkzS7G3A9ZPkNqQLTLaLDpagMVNg1gjClGRQW2coX/ozHGmvsFrllL6e8M5gb0doO0RrpS1Rjr6//vubWApulOyp+U7p+fETLHcLDLZcrFPqm51EG8X8/ey3i/ML8o5eV1yW3Vjv+LG6vR09DXNriOLItsI2Brvbt61OfYqXLCZPz/ZVjsXseAWbD12E3245u9qx5SwLUvn8NHTpDVjsxVAc71AeuFdAu+Pqv3zdcFeYI8uhJpn6dqO/xJnQD5TdGMZVoxXfBXUrX9z7nJgmkqJODfmbsVrJ+b9NBWVXghsL5d9ehL897z7lcgYs/tGMa1hREVVk6FT0fkOoLIlRZIQtNcy5sXrtLPtjCoua2kVo1t/hQHZxGCCJTqljoekLoX29FlO614W80yc7zEFavf7L/w0AAP//Bbmp8Q==" 
-}
diff --git a/x-pack/filebeat/modules.d/radware.yml.disabled b/x-pack/filebeat/modules.d/radware.yml.disabled
deleted file mode 100644
index fe39a7b805e..00000000000
--- a/x-pack/filebeat/modules.d/radware.yml.disabled
+++ /dev/null
@@ -1,22 +0,0 @@
-# Module: radware
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/main/filebeat-module-radware.html
-
-- module: radware
- defensepro:
- enabled: false
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9518
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
From 942c7f057b4317e50527a04507fa7521c2cbb637 Mon Sep 17 00:00:00 2001
From: Panos Koutsovasilis Date: Thu, 15 Feb 2024 14:01:39 +0200 Subject: [PATCH 15/22] feat: remove deprecated snort --- filebeat/docs/fields.asciidoc | 5435 - filebeat/docs/modules_list.asciidoc | 2 - x-pack/filebeat/filebeat.reference.yml | 21 - x-pack/filebeat/include/list.go | 1 - x-pack/filebeat/module/snort/README.md | 7 - x-pack/filebeat/module/snort/_meta/config.yml | 19 - .../filebeat/module/snort/_meta/docs.asciidoc | 72 - x-pack/filebeat/module/snort/_meta/fields.yml | 5 - x-pack/filebeat/module/snort/fields.go | 23 - .../module/snort/log/_meta/fields.yml | 2635 - .../module/snort/log/config/input.yml | 87 - .../module/snort/log/config/liblogparser.js | 2514 - .../module/snort/log/config/pipeline.js | 137498 --------------- .../module/snort/log/ingest/pipeline.yml | 64 - x-pack/filebeat/module/snort/log/manifest.yml | 31 - .../module/snort/log/test/generated.log | 100 - .../log/test/generated.log-expected.json | 3784 - x-pack/filebeat/modules.d/snort.yml.disabled | 22 - 18 files changed, 152320 deletions(-) delete mode 100644 x-pack/filebeat/module/snort/README.md delete mode 100644 x-pack/filebeat/module/snort/_meta/config.yml delete mode 100644 x-pack/filebeat/module/snort/_meta/docs.asciidoc delete mode 100644 x-pack/filebeat/module/snort/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/snort/fields.go delete mode 100644 x-pack/filebeat/module/snort/log/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/snort/log/config/input.yml delete mode 100644 x-pack/filebeat/module/snort/log/config/liblogparser.js delete mode 100644 x-pack/filebeat/module/snort/log/config/pipeline.js delete mode 100644 x-pack/filebeat/module/snort/log/ingest/pipeline.yml delete mode 100644 x-pack/filebeat/module/snort/log/manifest.yml delete mode 100644 x-pack/filebeat/module/snort/log/test/generated.log delete mode 100644 x-pack/filebeat/module/snort/log/test/generated.log-expected.json delete mode 100644 x-pack/filebeat/modules.d/snort.yml.disabled 
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index 59285b9012a..b8658a9d7a0 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -73,7 +73,6 @@ grouped in the following categories:
 * <>
 * <>
 * <>
-* <>
 * <>
 * <>
 * <>
@@ -55296,5440 +55295,6 @@ type: keyword -- -[[exported-fields-snort]] -== Snort/Sourcefire fields - -snort fields. - - - -*`network.interface.name`*:: -+ --- -Name of the network interface where the traffic has been observed. - - -type: keyword - --- - - - -*`rsa.internal.msg`*:: -+ --- -This key is used to capture the raw message that comes into the Log Decoder - -type: keyword - --- - -*`rsa.internal.messageid`*:: -+ --- -type: keyword - --- - -*`rsa.internal.event_desc`*:: -+ --- -type: keyword - --- - -*`rsa.internal.message`*:: -+ --- -This key captures the contents of instant messages - -type: keyword - --- - -*`rsa.internal.time`*:: -+ --- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: date - --- - -*`rsa.internal.level`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.msg_id`*:: -+ --- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.msg_vid`*:: -+ --- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.data`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_server`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_val`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.resource`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.internal.obj_id`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.statement`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.audit_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.entry`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.hcode`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.inode`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.resource_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.dead`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.feed_desc`*:: -+ --- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.feed_name`*:: -+ --- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.cid`*:: -+ --- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_class`*:: -+ --- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_group`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_host`*:: -+ --- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_ip`*:: -+ --- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_ipv6`*:: -+ --- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_type`*:: -+ --- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_type_id`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.did`*:: -+ --- -This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.entropy_req`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.entropy_res`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.event_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.feed_category`*:: -+ --- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.forward_ip`*:: -+ --- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: ip - --- - -*`rsa.internal.forward_ipv6`*:: -+ --- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.header_id`*:: -+ --- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_cid`*:: -+ --- -This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_ctime`*:: -+ --- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: date - --- - -*`rsa.internal.mcb_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcb_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcbc_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.mcbc_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.medium`*:: -+ --- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: long - --- - -*`rsa.internal.node_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.nwe_callback_id`*:: -+ --- -This key denotes that event is endpoint related - -type: keyword - --- - -*`rsa.internal.parse_error`*:: -+ --- -This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.payload_req`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.payload_res`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.process_vid_dst`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - -type: keyword - --- - -*`rsa.internal.process_vid_src`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - -type: keyword - --- - -*`rsa.internal.rid`*:: -+ --- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.session_split`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.site`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.size`*:: -+ --- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.sourcefile`*:: -+ --- -This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.ubc_req`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.ubc_res`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.word`*:: -+ --- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - -type: keyword - --- - - -*`rsa.time.event_time`*:: -+ --- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - -type: date - --- - -*`rsa.time.duration_time`*:: -+ --- -This key is used to capture the normalized duration/lifetime in seconds. 
- -type: double - --- - -*`rsa.time.event_time_str`*:: -+ --- -This key is used to capture the incomplete time mentioned in a session as a string - -type: keyword - --- - -*`rsa.time.starttime`*:: -+ --- -This key is used to capture the Start time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.month`*:: -+ --- -type: keyword - --- - -*`rsa.time.day`*:: -+ --- -type: keyword - --- - -*`rsa.time.endtime`*:: -+ --- -This key is used to capture the End time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.timezone`*:: -+ --- -This key is used to capture the timezone of the Event Time - -type: keyword - --- - -*`rsa.time.duration_str`*:: -+ --- -A text string version of the duration - -type: keyword - --- - -*`rsa.time.date`*:: -+ --- -type: keyword - --- - -*`rsa.time.year`*:: -+ --- -type: keyword - --- - -*`rsa.time.recorded_time`*:: -+ --- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date - --- - -*`rsa.time.datetime`*:: -+ --- -type: keyword - --- - -*`rsa.time.effective_time`*:: -+ --- -This key is the effective time referenced by an individual event in a Standard Timestamp format - -type: date - --- - -*`rsa.time.expire_time`*:: -+ --- -This key is the timestamp that explicitly refers to an expiration. - -type: date - --- - -*`rsa.time.process_time`*:: -+ --- -Deprecated, use duration.time - -type: keyword - --- - -*`rsa.time.hour`*:: -+ --- -type: keyword - --- - -*`rsa.time.min`*:: -+ --- -type: keyword - --- - -*`rsa.time.timestamp`*:: -+ --- -type: keyword - --- - -*`rsa.time.event_queue_time`*:: -+ --- -This key is the Time that the event was queued. 
- -type: date - --- - -*`rsa.time.p_time1`*:: -+ --- -type: keyword - --- - -*`rsa.time.tzone`*:: -+ --- -type: keyword - --- - -*`rsa.time.eventtime`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmtdate`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmttime`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_date`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_month`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time2`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_year`*:: -+ --- -type: keyword - --- - -*`rsa.time.expire_time_str`*:: -+ --- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. - -type: keyword - --- - -*`rsa.time.stamp`*:: -+ --- -Deprecated key defined only in table map. - -type: date - --- - - -*`rsa.misc.action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.result`*:: -+ --- -This key is used to capture the outcome/result string value of an action in a session. - -type: keyword - --- - -*`rsa.misc.severity`*:: -+ --- -This key is used to capture the severity given the session - -type: keyword - --- - -*`rsa.misc.event_type`*:: -+ --- -This key captures the event category type as specified by the event source. - -type: keyword - --- - -*`rsa.misc.reference_id`*:: -+ --- -This key is used to capture an event id from the session directly - -type: keyword - --- - -*`rsa.misc.version`*:: -+ --- -This key captures Version of the application or OS which is generating the event. - -type: keyword - --- - -*`rsa.misc.disposition`*:: -+ --- -This key captures the The end state of an action. 
- -type: keyword - --- - -*`rsa.misc.result_code`*:: -+ --- -This key is used to capture the outcome/result numeric value of an action in a session - -type: keyword - --- - -*`rsa.misc.category`*:: -+ --- -This key is used to capture the category of an event given by the vendor in the session - -type: keyword - --- - -*`rsa.misc.obj_name`*:: -+ --- -This is used to capture name of object - -type: keyword - --- - -*`rsa.misc.obj_type`*:: -+ --- -This is used to capture type of object - -type: keyword - --- - -*`rsa.misc.event_source`*:: -+ --- -This key captures Source of the event that’s not a hostname - -type: keyword - --- - -*`rsa.misc.log_session_id`*:: -+ --- -This key is used to capture a sessionid from the session directly - -type: keyword - --- - -*`rsa.misc.group`*:: -+ --- -This key captures the Group Name value - -type: keyword - --- - -*`rsa.misc.policy_name`*:: -+ --- -This key is used to capture the Policy Name only. - -type: keyword - --- - -*`rsa.misc.rule_name`*:: -+ --- -This key captures the Rule Name - -type: keyword - --- - -*`rsa.misc.context`*:: -+ --- -This key captures Information which adds additional context to the event. - -type: keyword - --- - -*`rsa.misc.change_new`*:: -+ --- -This key is used to capture the new values of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.space`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client`*:: -+ --- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- -type: keyword - --- - -*`rsa.misc.msgIdPart1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.change_old`*:: -+ --- -This key is used to capture the old value of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.operation_id`*:: -+ --- -An alert number or operation number. The values should be unique and non-repeating. - -type: keyword - --- - -*`rsa.misc.event_state`*:: -+ --- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - -type: keyword - --- - -*`rsa.misc.group_object`*:: -+ --- -This key captures a collection/grouping of entities. Specific usage - -type: keyword - --- - -*`rsa.misc.node`*:: -+ --- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - -type: keyword - --- - -*`rsa.misc.rule`*:: -+ --- -This key captures the Rule number - -type: keyword - --- - -*`rsa.misc.device_name`*:: -+ --- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - -type: keyword - --- - -*`rsa.misc.param`*:: -+ --- -This key is the parameters passed as part of a command or application, etc. - -type: keyword - --- - -*`rsa.misc.change_attrib`*:: -+ --- -This key is used to capture the name of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.event_computer`*:: -+ --- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- -type: keyword - --- - -*`rsa.misc.reference_id1`*:: -+ --- -This key is for Linked ID to be used as an addition to "reference.id" - -type: keyword - --- - -*`rsa.misc.event_log`*:: -+ --- -This key captures the Name of the event log - -type: keyword - --- - -*`rsa.misc.OS`*:: -+ --- -This key captures the Name of the Operating System - -type: keyword - --- - -*`rsa.misc.terminal`*:: -+ --- -This key captures the Terminal Names only - -type: keyword - --- - -*`rsa.misc.msgIdPart3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.filter`*:: -+ --- -This key captures Filter used to reduce result set - -type: keyword - --- - -*`rsa.misc.serial_number`*:: -+ --- -This key is the Serial number associated with a physical asset. - -type: keyword - --- - -*`rsa.misc.checksum`*:: -+ --- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - -type: keyword - --- - -*`rsa.misc.event_user`*:: -+ --- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - -type: keyword - --- - -*`rsa.misc.virusname`*:: -+ --- -This key captures the name of the virus - -type: keyword - --- - -*`rsa.misc.content_type`*:: -+ --- -This key is used to capture Content Type only. - -type: keyword - --- - -*`rsa.misc.group_id`*:: -+ --- -This key captures Group ID Number (related to the group name) - -type: keyword - --- - -*`rsa.misc.policy_id`*:: -+ --- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - -type: keyword - --- - -*`rsa.misc.vsys`*:: -+ --- -This key captures Virtual System Name - -type: keyword - --- - -*`rsa.misc.connection_id`*:: -+ --- -This key captures the Connection ID - -type: keyword - --- - -*`rsa.misc.reference_id2`*:: -+ --- -This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - -type: keyword - --- - -*`rsa.misc.sensor`*:: -+ --- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - -type: keyword - --- - -*`rsa.misc.sig_id`*:: -+ --- -This key captures IDS/IPS Int Signature ID - -type: long - --- - -*`rsa.misc.port_name`*:: -+ --- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - -type: keyword - --- - -*`rsa.misc.rule_group`*:: -+ --- -This key captures the Rule group name - -type: keyword - --- - -*`rsa.misc.risk_num`*:: -+ --- -This key captures a Numeric Risk value - -type: double - --- - -*`rsa.misc.trigger_val`*:: -+ --- -This key captures the Value of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.log_session_id1`*:: -+ --- -This key is used to capture a Linked (Related) Session ID from the session directly - -type: keyword - --- - -*`rsa.misc.comp_version`*:: -+ --- -This key captures the Version level of a sub-component of a product. - -type: keyword - --- - -*`rsa.misc.content_version`*:: -+ --- -This key captures Version level of a signature or database content. - -type: keyword - --- - -*`rsa.misc.hardware_id`*:: -+ --- -This key is used to capture unique identifier for a device or system (NOT a Mac address) - -type: keyword - --- - -*`rsa.misc.risk`*:: -+ --- -This key captures the non-numeric risk value - -type: keyword - --- - -*`rsa.misc.event_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.reason`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mail_id`*:: -+ --- -This key is used to capture the mailbox id/name - -type: keyword - --- - -*`rsa.misc.rule_uid`*:: -+ --- -This key is the Unique Identifier for a rule. 
- -type: keyword - --- - -*`rsa.misc.trigger_desc`*:: -+ --- -This key captures the Description of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.inout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.data_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.error`*:: -+ --- -This key captures All non successful Error codes or responses - -type: keyword - --- - -*`rsa.misc.index`*:: -+ --- -type: keyword - --- - -*`rsa.misc.listnum`*:: -+ --- -This key is used to capture listname or listnumber, primarily for collecting access-list - -type: keyword - --- - -*`rsa.misc.ntype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.observed_val`*:: -+ --- -This key captures the Value observed (from the perspective of the device generating the log). - -type: keyword - --- - -*`rsa.misc.policy_value`*:: -+ --- -This key captures the contents of the policy. This contains details about the policy - -type: keyword - --- - -*`rsa.misc.pool_name`*:: -+ --- -This key captures the name of a resource pool - -type: keyword - --- - -*`rsa.misc.rule_template`*:: -+ --- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - -type: keyword - --- - -*`rsa.misc.count`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigcat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comments`*:: -+ --- -Comment information provided in the log message - -type: keyword - --- - -*`rsa.misc.doc_number`*:: -+ --- -This key captures File Identification number - -type: long - --- - -*`rsa.misc.expected_val`*:: -+ --- -This key captures the Value expected (from the perspective of the device generating the log). 
- -type: keyword - --- - -*`rsa.misc.job_num`*:: -+ --- -This key captures the Job Number - -type: keyword - --- - -*`rsa.misc.spi_dst`*:: -+ --- -Destination SPI Index - -type: keyword - --- - -*`rsa.misc.spi_src`*:: -+ --- -Source SPI Index - -type: keyword - --- - -*`rsa.misc.code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.agent_id`*:: -+ --- -This key is used to capture agent id - -type: keyword - --- - -*`rsa.misc.message_body`*:: -+ --- -This key captures the The contents of the message body. - -type: keyword - --- - -*`rsa.misc.phone`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sig_id_str`*:: -+ --- -This key captures a string object of the sigid variable. - -type: keyword - --- - -*`rsa.misc.cmd`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu`*:: -+ --- -This key is the CPU time used in the execution of the event being recorded. - -type: long - --- - -*`rsa.misc.event_desc`*:: -+ --- -This key is used to capture a description of an event available directly or inferred - -type: keyword - --- - -*`rsa.misc.sig_id1`*:: -+ --- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - -type: long - --- - -*`rsa.misc.im_buddyid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_client`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.priority`*:: -+ --- -type: keyword - --- - -*`rsa.misc.context_subject`*:: -+ --- -This key is to be used in an audit context where the subject is the object being identified - -type: keyword - --- - -*`rsa.misc.context_target`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cve`*:: -+ --- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - -type: keyword - --- - -*`rsa.misc.fcatnum`*:: -+ --- -This key captures Filter Category Number. 
Legacy Usage - -type: keyword - --- - -*`rsa.misc.library`*:: -+ --- -This key is used to capture library information in mainframe devices - -type: keyword - --- - -*`rsa.misc.parent_node`*:: -+ --- -This key captures the Parent Node Name. Must be related to node variable. - -type: keyword - --- - -*`rsa.misc.risk_info`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.tcp_flags`*:: -+ --- -This key is captures the TCP flags set in any packet of session - -type: long - --- - -*`rsa.misc.tos`*:: -+ --- -This key describes the type of service - -type: long - --- - -*`rsa.misc.vm_target`*:: -+ --- -VMWare Target **VMWARE** only varaible. - -type: keyword - --- - -*`rsa.misc.workspace`*:: -+ --- -This key captures Workspace Description - -type: keyword - --- - -*`rsa.misc.command`*:: -+ --- -type: keyword - --- - -*`rsa.misc.event_category`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facilityname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.forensic_info`*:: -+ --- -type: keyword - --- - -*`rsa.misc.jobname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy_waiver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.second`*:: -+ --- -type: keyword - --- - -*`rsa.misc.space1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.subcategory`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alert_id`*:: -+ --- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.checksum_dst`*:: -+ --- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - -type: keyword - --- - -*`rsa.misc.checksum_src`*:: -+ --- -This key is used to capture the checksum or hash of the source entity such as a file or process. 
- -type: keyword - --- - -*`rsa.misc.fresult`*:: -+ --- -This key captures the Filter Result - -type: long - --- - -*`rsa.misc.payload_dst`*:: -+ --- -This key is used to capture destination payload - -type: keyword - --- - -*`rsa.misc.payload_src`*:: -+ --- -This key is used to capture source payload - -type: keyword - --- - -*`rsa.misc.pool_id`*:: -+ --- -This key captures the identifier (typically numeric field) of a resource pool - -type: keyword - --- - -*`rsa.misc.process_id_val`*:: -+ --- -This key is a failure key for Process ID when it is not an integer value - -type: keyword - --- - -*`rsa.misc.risk_num_comm`*:: -+ --- -This key captures Risk Number Community - -type: double - --- - -*`rsa.misc.risk_num_next`*:: -+ --- -This key captures Risk Number NextGen - -type: double - --- - -*`rsa.misc.risk_num_sand`*:: -+ --- -This key captures Risk Number SandBox - -type: double - --- - -*`rsa.misc.risk_num_static`*:: -+ --- -This key captures Risk Number Static - -type: double - --- - -*`rsa.misc.risk_suspicious`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.risk_warning`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.snmp_oid`*:: -+ --- -SNMP Object Identifier - -type: keyword - --- - -*`rsa.misc.sql`*:: -+ --- -This key captures the SQL query - -type: keyword - --- - -*`rsa.misc.vuln_ref`*:: -+ --- -This key captures the Vulnerability Reference details - -type: keyword - --- - -*`rsa.misc.acl_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_op`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_pos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_table`*:: -+ --- -type: keyword - --- - -*`rsa.misc.admin`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarm_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarmname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.app_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.audit`*:: 
-+ --- -type: keyword - --- - -*`rsa.misc.audit_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.auditdata`*:: -+ --- -type: keyword - --- - -*`rsa.misc.benchmark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.bypass`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache_hit`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cefversion`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_attr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_obj`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_path`*:: -+ --- -type: keyword - --- - -*`rsa.misc.changes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client_ip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.clustermembers`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_acttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_asn_src`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_bgpv4nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ctr_dst_code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_f_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampintv`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampmode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inacttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermbyts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermpckts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_invalid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ip_proto_ver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ipv4_ident`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_l_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_did`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_rid`*:: -+ --- -type: keyword - 
--- - -*`rsa.misc.cn_max_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_maxpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_min_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_minpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_10`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_5`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_6`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_7`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_8`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_9`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_byt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_pks`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_muligmptype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampalgo`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampint`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_seqctr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_spackets`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sysuptime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_template_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totbytsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totflowexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totpcktsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_unixnanosecs`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6flowlabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6optheaders`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.comp_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_rbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_sbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.criticality`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_agency_dst`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_analyzedby`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_other`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_primary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_secondary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bgpv6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bit9status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_context`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_control`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_datecret`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_dst_tld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_dst_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_src_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_event_uuid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_filetype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_desc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ip_next_hop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4dstpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4srcpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_lifetime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_log_medium`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_loginname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulescore`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulesign`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_opswatresult`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.cs_payload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrant`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrar`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_represult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_rpayload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sampler_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sourcemodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_streams`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_targetmodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_v6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_whois_server`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_yararesult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.description`*:: -+ --- -type: keyword - --- - -*`rsa.misc.devvendor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.distance`*:: -+ --- -type: keyword - --- - -*`rsa.misc.dstburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomaub`*:: -+ --- -type: keyword - --- - -*`rsa.misc.euid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facility`*:: -+ --- -type: keyword - --- - -*`rsa.misc.finterface`*:: -+ --- -type: keyword - --- - -*`rsa.misc.flags`*:: -+ --- -type: keyword - --- - -*`rsa.misc.gaddr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.id3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_buddyname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomtype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_members`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_username`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipscat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipspri`*:: -+ --- -type: keyword - --- - -*`rsa.misc.latitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.linenum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.list_name`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.load_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_floor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_mark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.longitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.lport`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mbug_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msg_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.netsessid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.nwwn`*:: -+ --- -type: keyword - --- - -*`rsa.misc.object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.operation`*:: -+ --- -type: keyword - --- - -*`rsa.misc.opkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.orig_from`*:: -+ --- -type: keyword - --- - -*`rsa.misc.owner_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_filter`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_group_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_result1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_chg`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_expire`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permgranted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permwanted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pgid`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.policyUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.prog_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.program`*:: -+ --- -type: keyword - --- - -*`rsa.misc.real_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_device`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_library`*:: -+ --- -type: keyword - --- - -*`rsa.misc.recordnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ruid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sdomain_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sec`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sensorname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.seqnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.session`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sessiontype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.spi`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcservice`*:: -+ --- -type: keyword - --- - -*`rsa.misc.state`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.svcno`*:: -+ --- -type: keyword - --- - -*`rsa.misc.system`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.threshold`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.udb_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.url_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.user_div`*:: -+ --- -type: keyword - --- - -*`rsa.misc.userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.username_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.utcstamp`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.v_instafname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.virt_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.vpnid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.autorun_type`*:: -+ --- -This is used to capture Auto Run type - -type: keyword - --- - -*`rsa.misc.cc_number`*:: -+ --- -Valid Credit Card Numbers only - -type: long - --- - -*`rsa.misc.content`*:: -+ --- -This key captures the content type from protocol headers - -type: keyword - --- - -*`rsa.misc.ein_number`*:: -+ --- -Employee Identification Numbers only - -type: long - --- - -*`rsa.misc.found`*:: -+ --- -This is used to capture the results of regex match - -type: keyword - --- - -*`rsa.misc.language`*:: -+ --- -This is used to capture list of languages the client support and what it prefers - -type: keyword - --- - -*`rsa.misc.lifetime`*:: -+ --- -This key is used to capture the session lifetime in seconds. - -type: long - --- - -*`rsa.misc.link`*:: -+ --- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.misc.match`*:: -+ --- -This key is for regex match name from search.ini - -type: keyword - --- - -*`rsa.misc.param_dst`*:: -+ --- -This key captures the command line/launch argument of the target process or file - -type: keyword - --- - -*`rsa.misc.param_src`*:: -+ --- -This key captures source parameter - -type: keyword - --- - -*`rsa.misc.search_text`*:: -+ --- -This key captures the Search Text used - -type: keyword - --- - -*`rsa.misc.sig_name`*:: -+ --- -This key is used to capture the Signature Name only. - -type: keyword - --- - -*`rsa.misc.snmp_value`*:: -+ --- -SNMP set request value - -type: keyword - --- - -*`rsa.misc.streams`*:: -+ --- -This key captures number of streams in session - -type: long - --- - - -*`rsa.db.index`*:: -+ --- -This key captures IndexID of the index. 
- -type: keyword - --- - -*`rsa.db.instance`*:: -+ --- -This key is used to capture the database server instance name - -type: keyword - --- - -*`rsa.db.database`*:: -+ --- -This key is used to capture the name of a database or an instance as seen in a session - -type: keyword - --- - -*`rsa.db.transact_id`*:: -+ --- -This key captures the SQL transantion ID of the current session - -type: keyword - --- - -*`rsa.db.permissions`*:: -+ --- -This key captures permission or privilege level assigned to a resource. - -type: keyword - --- - -*`rsa.db.table_name`*:: -+ --- -This key is used to capture the table name - -type: keyword - --- - -*`rsa.db.db_id`*:: -+ --- -This key is used to capture the unique identifier for a database - -type: keyword - --- - -*`rsa.db.db_pid`*:: -+ --- -This key captures the process id of a connection with database server - -type: long - --- - -*`rsa.db.lread`*:: -+ --- -This key is used for the number of logical reads - -type: long - --- - -*`rsa.db.lwrite`*:: -+ --- -This key is used for the number of logical writes - -type: long - --- - -*`rsa.db.pread`*:: -+ --- -This key is used for the number of physical writes - -type: long - --- - - -*`rsa.network.alias_host`*:: -+ --- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - -type: keyword - --- - -*`rsa.network.domain`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_dst`*:: -+ --- -This key should only be used when it’s a Destination Hostname - -type: keyword - --- - -*`rsa.network.network_service`*:: -+ --- -This is used to capture layer 7 protocols/service names - -type: keyword - --- - -*`rsa.network.interface`*:: -+ --- -This key should be used when the source or destination context of an interface is not clear - -type: keyword - --- - -*`rsa.network.network_port`*:: -+ --- -Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) - -type: long - --- - -*`rsa.network.eth_host`*:: -+ --- -Deprecated, use alias.mac - -type: keyword - --- - -*`rsa.network.sinterface`*:: -+ --- -This key should only be used when it’s a Source Interface - -type: keyword - --- - -*`rsa.network.dinterface`*:: -+ --- -This key should only be used when it’s a Destination Interface - -type: keyword - --- - -*`rsa.network.vlan`*:: -+ --- -This key should only be used to capture the ID of the Virtual LAN - -type: long - --- - -*`rsa.network.zone_src`*:: -+ --- -This key should only be used when it’s a Source Zone. - -type: keyword - --- - -*`rsa.network.zone`*:: -+ --- -This key should be used when the source or destination context of a Zone is not clear - -type: keyword - --- - -*`rsa.network.zone_dst`*:: -+ --- -This key should only be used when it’s a Destination Zone. - -type: keyword - --- - -*`rsa.network.gateway`*:: -+ --- -This key is used to capture the IP Address of the gateway - -type: keyword - --- - -*`rsa.network.icmp_type`*:: -+ --- -This key is used to capture the ICMP type only - -type: long - --- - -*`rsa.network.mask`*:: -+ --- -This key is used to capture the device network IPmask. 
- -type: keyword - --- - -*`rsa.network.icmp_code`*:: -+ --- -This key is used to capture the ICMP code only - -type: long - --- - -*`rsa.network.protocol_detail`*:: -+ --- -This key should be used to capture additional protocol information - -type: keyword - --- - -*`rsa.network.dmask`*:: -+ --- -This key is used for Destionation Device network mask - -type: keyword - --- - -*`rsa.network.port`*:: -+ --- -This key should only be used to capture a Network Port when the directionality is not clear - -type: long - --- - -*`rsa.network.smask`*:: -+ --- -This key is used for capturing source Network Mask - -type: keyword - --- - -*`rsa.network.netname`*:: -+ --- -This key is used to capture the network name associated with an IP range. This is configured by the end user. - -type: keyword - --- - -*`rsa.network.paddr`*:: -+ --- -Deprecated - -type: ip - --- - -*`rsa.network.faddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.lhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.origin`*:: -+ --- -type: keyword - --- - -*`rsa.network.remote_domain_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.addr`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_a_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_ptr_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.fhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.fport`*:: -+ --- -type: keyword - --- - -*`rsa.network.laddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.linterface`*:: -+ --- -type: keyword - --- - -*`rsa.network.phost`*:: -+ --- -type: keyword - --- - -*`rsa.network.ad_computer_dst`*:: -+ --- -Deprecated, use host.dst - -type: keyword - --- - -*`rsa.network.eth_type`*:: -+ --- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: long - --- - -*`rsa.network.ip_proto`*:: -+ --- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - -type: long - --- - -*`rsa.network.dns_cname_record`*:: -+ --- 
-type: keyword - --- - -*`rsa.network.dns_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_opcode`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_resp`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.domain1`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.packet_length`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_orig`*:: -+ --- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - -type: keyword - --- - -*`rsa.network.rpayload`*:: -+ --- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. - -type: keyword - --- - -*`rsa.network.vlan_name`*:: -+ --- -This key should only be used to capture the name of the Virtual LAN - -type: keyword - --- - - -*`rsa.investigations.ec_activity`*:: -+ --- -This key captures the particular event activity(Ex:Logoff) - -type: keyword - --- - -*`rsa.investigations.ec_theme`*:: -+ --- -This key captures the Theme of a particular Event(Ex:Authentication) - -type: keyword - --- - -*`rsa.investigations.ec_subject`*:: -+ --- -This key captures the Subject of a particular Event(Ex:User) - -type: keyword - --- - -*`rsa.investigations.ec_outcome`*:: -+ --- -This key captures the outcome of a particular Event(Ex:Success) - -type: keyword - --- - -*`rsa.investigations.event_cat`*:: -+ --- -This key captures the Event category number - -type: long - --- - -*`rsa.investigations.event_cat_name`*:: -+ --- -This key captures the event category name corresponding to the event cat code - -type: keyword - --- - -*`rsa.investigations.event_vcat`*:: -+ --- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - -type: keyword - --- - -*`rsa.investigations.analysis_file`*:: -+ --- -This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - -type: keyword - --- - -*`rsa.investigations.analysis_service`*:: -+ --- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - -type: keyword - --- - -*`rsa.investigations.analysis_session`*:: -+ --- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - -type: keyword - --- - -*`rsa.investigations.boc`*:: -+ --- -This is used to capture behaviour of compromise - -type: keyword - --- - -*`rsa.investigations.eoc`*:: -+ --- -This is used to capture Enablers of Compromise - -type: keyword - --- - -*`rsa.investigations.inv_category`*:: -+ --- -This used to capture investigation category - -type: keyword - --- - -*`rsa.investigations.inv_context`*:: -+ --- -This used to capture investigation context - -type: keyword - --- - -*`rsa.investigations.ioc`*:: -+ --- -This is key capture indicator of compromise - -type: keyword - --- - - -*`rsa.counters.dclass_c1`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c1.str only - -type: long - --- - -*`rsa.counters.dclass_c2`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c2.str only - -type: long - --- - -*`rsa.counters.event_counter`*:: -+ --- -This is used to capture the number of times an event repeated - -type: long - --- - -*`rsa.counters.dclass_r1`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r1.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c3.str only - -type: long - --- - -*`rsa.counters.dclass_c1_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c1 only - -type: keyword - --- - -*`rsa.counters.dclass_c2_str`*:: -+ --- -This is a generic counter string key that should be 
used with the label dclass.c2 only - -type: keyword - --- - -*`rsa.counters.dclass_r1_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r1 only - -type: keyword - --- - -*`rsa.counters.dclass_r2`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r2.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c3 only - -type: keyword - --- - -*`rsa.counters.dclass_r3`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r3.str only - -type: keyword - --- - -*`rsa.counters.dclass_r2_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r2 only - -type: keyword - --- - -*`rsa.counters.dclass_r3_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r3 only - -type: keyword - --- - - -*`rsa.identity.auth_method`*:: -+ --- -This key is used to capture authentication methods used only - -type: keyword - --- - -*`rsa.identity.user_role`*:: -+ --- -This key is used to capture the Role of a user only - -type: keyword - --- - -*`rsa.identity.dn`*:: -+ --- -X.500 (LDAP) Distinguished Name - -type: keyword - --- - -*`rsa.identity.logon_type`*:: -+ --- -This key is used to capture the type of logon method used. 
- -type: keyword - --- - -*`rsa.identity.profile`*:: -+ --- -This key is used to capture the user profile - -type: keyword - --- - -*`rsa.identity.accesses`*:: -+ --- -This key is used to capture actual privileges used in accessing an object - -type: keyword - --- - -*`rsa.identity.realm`*:: -+ --- -Radius realm or similar grouping of accounts - -type: keyword - --- - -*`rsa.identity.user_sid_dst`*:: -+ --- -This key captures Destination User Session ID - -type: keyword - --- - -*`rsa.identity.dn_src`*:: -+ --- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - -type: keyword - --- - -*`rsa.identity.org`*:: -+ --- -This key captures the User organization - -type: keyword - --- - -*`rsa.identity.dn_dst`*:: -+ --- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - -type: keyword - --- - -*`rsa.identity.firstname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.lastname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.user_dept`*:: -+ --- -User's Department Names only - -type: keyword - --- - -*`rsa.identity.user_sid_src`*:: -+ --- -This key captures Source User Session ID - -type: keyword - --- - -*`rsa.identity.federated_sp`*:: -+ --- -This key is the Federated Service Provider. This is the application requesting authentication. - -type: keyword - --- - -*`rsa.identity.federated_idp`*:: -+ --- -This key is the federated Identity Provider. This is the server providing the authentication. - -type: keyword - --- - -*`rsa.identity.logon_type_desc`*:: -+ --- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- -type: keyword - --- - -*`rsa.identity.middlename`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.password`*:: -+ --- -This key is for Passwords seen in any session, plain text or encrypted - -type: keyword - --- - -*`rsa.identity.host_role`*:: -+ --- -This key should only be used to capture the role of a Host Machine - -type: keyword - --- - -*`rsa.identity.ldap`*:: -+ --- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - -type: keyword - --- - -*`rsa.identity.ldap_query`*:: -+ --- -This key is the Search criteria from an LDAP search - -type: keyword - --- - -*`rsa.identity.ldap_response`*:: -+ --- -This key is to capture Results from an LDAP search - -type: keyword - --- - -*`rsa.identity.owner`*:: -+ --- -This is used to capture username the process or service is running as, the author of the task - -type: keyword - --- - -*`rsa.identity.service_account`*:: -+ --- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - -type: keyword - --- - - -*`rsa.email.email_dst`*:: -+ --- -This key is used to capture the Destination email address only, when the destination context is not clear use email - -type: keyword - --- - -*`rsa.email.email_src`*:: -+ --- -This key is used to capture the source email address only, when the source context is not clear use email - -type: keyword - --- - -*`rsa.email.subject`*:: -+ --- -This key is used to capture the subject string from an Email only. - -type: keyword - --- - -*`rsa.email.email`*:: -+ --- -This key is used to capture a generic email address where the source or destination context is not clear - -type: keyword - --- - -*`rsa.email.trans_from`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.email.trans_to`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - - -*`rsa.file.privilege`*:: -+ --- -Deprecated, use permissions - -type: keyword - --- - -*`rsa.file.attachment`*:: -+ --- -This key captures the attachment file name - -type: keyword - --- - -*`rsa.file.filesystem`*:: -+ --- -type: keyword - --- - -*`rsa.file.binary`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.file.filename_dst`*:: -+ --- -This is used to capture name of the file targeted by the action - -type: keyword - --- - -*`rsa.file.filename_src`*:: -+ --- -This is used to capture name of the parent filename, the file which performed the action - -type: keyword - --- - -*`rsa.file.filename_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.file.directory_dst`*:: -+ --- -This key is used to capture the directory of the target process or file - -type: keyword - --- - -*`rsa.file.directory_src`*:: -+ --- -This key is used to capture the directory of the source process or file - -type: keyword - --- - -*`rsa.file.file_entropy`*:: -+ --- -This is used to capture entropy vale of a file - -type: double - --- - -*`rsa.file.file_vendor`*:: -+ --- -This is used to capture Company name of file located in version_info - -type: keyword - --- - -*`rsa.file.task_name`*:: -+ --- -This is used to capture name of the task - -type: keyword - --- - - -*`rsa.web.fqdn`*:: -+ --- -Fully Qualified Domain Names - -type: keyword - --- - -*`rsa.web.web_cookie`*:: -+ --- -This key is used to capture the Web cookies specifically. - -type: keyword - --- - -*`rsa.web.alias_host`*:: -+ --- -type: keyword - --- - -*`rsa.web.reputation_num`*:: -+ --- -Reputation Number of an entity. 
Typically used for Web Domains - -type: double - --- - -*`rsa.web.web_ref_domain`*:: -+ --- -Web referer's domain - -type: keyword - --- - -*`rsa.web.web_ref_query`*:: -+ --- -This key captures Web referer's query portion of the URL - -type: keyword - --- - -*`rsa.web.remote_domain`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_ref_page`*:: -+ --- -This key captures Web referer's page information - -type: keyword - --- - -*`rsa.web.web_ref_root`*:: -+ --- -Web referer's root URL path - -type: keyword - --- - -*`rsa.web.cn_asn_dst`*:: -+ --- -type: keyword - --- - -*`rsa.web.cn_rpackets`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlpage`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlroot`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_url`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_user_agent`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_cookie`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_method`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_referer`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_extension_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_page`*:: -+ --- -type: keyword - --- - - -*`rsa.threat.threat_category`*:: -+ --- -This key captures Threat Name/Threat Category/Categorization of alert - -type: keyword - --- - -*`rsa.threat.threat_desc`*:: -+ --- -This key is used to capture the threat description from the session directly or inferred - -type: keyword - --- - -*`rsa.threat.alert`*:: -+ --- -This key is used to capture name of the alert - -type: keyword - --- - -*`rsa.threat.threat_source`*:: -+ --- -This key is used to capture source of the threat - -type: keyword - --- - - -*`rsa.crypto.crypto`*:: -+ --- -This key is used to capture the Encryption Type or Encryption Key only - -type: keyword - --- - -*`rsa.crypto.cipher_src`*:: -+ --- -This key is for Source (Client) Cipher - -type: keyword - --- - -*`rsa.crypto.cert_subject`*:: -+ --- -This key is used to capture the Certificate organization only - -type: keyword - --- 
- -*`rsa.crypto.peer`*:: -+ --- -This key is for Encryption peer's IP Address - -type: keyword - --- - -*`rsa.crypto.cipher_size_src`*:: -+ --- -This key captures Source (Client) Cipher Size - -type: long - --- - -*`rsa.crypto.ike`*:: -+ --- -IKE negotiation phase. - -type: keyword - --- - -*`rsa.crypto.scheme`*:: -+ --- -This key captures the Encryption scheme used - -type: keyword - --- - -*`rsa.crypto.peer_id`*:: -+ --- -This key is for Encryption peer’s identity - -type: keyword - --- - -*`rsa.crypto.sig_type`*:: -+ --- -This key captures the Signature Type - -type: keyword - --- - -*`rsa.crypto.cert_issuer`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.crypto.cert_error`*:: -+ --- -This key captures the Certificate Error String - -type: keyword - --- - -*`rsa.crypto.cipher_dst`*:: -+ --- -This key is for Destination (Server) Cipher - -type: keyword - --- - -*`rsa.crypto.cipher_size_dst`*:: -+ --- -This key captures Destination (Server) Cipher Size - -type: long - --- - -*`rsa.crypto.ssl_ver_src`*:: -+ --- -Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.d_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.s_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.ike_cookie1`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase One - -type: keyword - --- - -*`rsa.crypto.ike_cookie2`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase Two - -type: keyword - --- - -*`rsa.crypto.cert_checksum`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_cat`*:: -+ --- -This key is used for the hostname category value of a certificate - -type: keyword - --- - -*`rsa.crypto.cert_serial`*:: -+ --- -This key is used to capture the Certificate serial number only - -type: keyword - --- - -*`rsa.crypto.cert_status`*:: -+ --- -This key captures Certificate validation status - -type: keyword - --- - -*`rsa.crypto.ssl_ver_dst`*:: -+ --- 
-Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.cert_keysize`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_username`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_insact`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_valid`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_ca`*:: -+ --- -This key is used to capture the Certificate signing authority only - -type: keyword - --- - -*`rsa.crypto.cert_common`*:: -+ --- -This key is used to capture the Certificate common name only - -type: keyword - --- - - -*`rsa.wireless.wlan_ssid`*:: -+ --- -This key is used to capture the ssid of a Wireless Session - -type: keyword - --- - -*`rsa.wireless.access_point`*:: -+ --- -This key is used to capture the access point name. - -type: keyword - --- - -*`rsa.wireless.wlan_channel`*:: -+ --- -This is used to capture the channel names - -type: long - --- - -*`rsa.wireless.wlan_name`*:: -+ --- -This key captures either WLAN number/name - -type: keyword - --- - - -*`rsa.storage.disk_volume`*:: -+ --- -A unique name assigned to logical units (volumes) within a physical disk - -type: keyword - --- - -*`rsa.storage.lun`*:: -+ --- -Logical Unit Number.This key is a very useful concept in Storage. - -type: keyword - --- - -*`rsa.storage.pwwn`*:: -+ --- -This uniquely identifies a port on a HBA. - -type: keyword - --- - - -*`rsa.physical.org_dst`*:: -+ --- -This is used to capture the destination organization based on the GEOPIP Maxmind database. - -type: keyword - --- - -*`rsa.physical.org_src`*:: -+ --- -This is used to capture the source organization based on the GEOPIP Maxmind database. 
- -type: keyword - --- - - -*`rsa.healthcare.patient_fname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_id`*:: -+ --- -This key captures the unique ID for a patient - -type: keyword - --- - -*`rsa.healthcare.patient_lname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_mname`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - - -*`rsa.endpoint.host_state`*:: -+ --- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - -type: keyword - --- - -*`rsa.endpoint.registry_key`*:: -+ --- -This key captures the path to the registry key - -type: keyword - --- - -*`rsa.endpoint.registry_value`*:: -+ --- -This key captures values or decorators used within a registry entry - -type: keyword - --- - [[exported-fields-snyk]] == Snyk fields diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index a1d29135c59..8e7820f9da6 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -49,7 +49,6 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> - * <> * <> * <> * <> @@ -114,7 +113,6 @@ include::modules/rabbitmq.asciidoc[] include::modules/redis.asciidoc[] include::modules/salesforce.asciidoc[] include::modules/santa.asciidoc[] -include::modules/snort.asciidoc[] include::modules/snyk.asciidoc[] include::modules/sonicwall.asciidoc[] include::modules/sophos.asciidoc[] diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index a775589a1c5..419f9a1b183 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -1638,27 +1638,6 @@ filebeat.modules:
 # Filebeat will choose the the default path.
 #var.paths:
 
-#--------------------------- Snort/Sourcefire Module ---------------------------
-- module: snort
- log:
- enabled: false
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9532
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
-
 #--------------------------------- Snyk Module ---------------------------------
 - module: snyk
 audit:
diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go
index 22e719ca3c9..04441d2a804 100644
--- a/x-pack/filebeat/include/list.go
+++ b/x-pack/filebeat/include/list.go
@@ -44,7 +44,6 @@ import (
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/panw"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/rabbitmq"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/salesforce"
- _ "github.com/elastic/beats/v7/x-pack/filebeat/module/snort"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/snyk"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/sonicwall"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/sophos"
diff --git a/x-pack/filebeat/module/snort/README.md b/x-pack/filebeat/module/snort/README.md
deleted file mode 100644
index 3be60407787..00000000000
--- a/x-pack/filebeat/module/snort/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-# snort module
-
-This is a module for Snort/Sourcefire logs.
-
-Autogenerated from RSA NetWitness log parser 2.0 XML snort version 134
-at 2020-09-01 14:18:11.30825 +0000 UTC.
-
diff --git a/x-pack/filebeat/module/snort/_meta/config.yml b/x-pack/filebeat/module/snort/_meta/config.yml
deleted file mode 100644
index e428234a180..00000000000
--- a/x-pack/filebeat/module/snort/_meta/config.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-- module: snort
- log:
- enabled: false
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9532
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/x-pack/filebeat/module/snort/_meta/docs.asciidoc b/x-pack/filebeat/module/snort/_meta/docs.asciidoc
deleted file mode 100644
index 025afa52f35..00000000000
--- a/x-pack/filebeat/module/snort/_meta/docs.asciidoc
+++ /dev/null
@@ -1,72 +0,0 @@
-[role="xpack"]
-
-:modulename: snort
-:has-dashboards: false
-
-== Snort module
-
-deprecated::[8.12.0,"This module is deprecated. Use the https://docs.elastic.co/integrations/snort[Snort] Elastic integration instead."]
-
-experimental[]
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-:modulename!:
-
-This is a module for receiving Snort/Sourcefire logs over Syslog or a file.
-
-include::../include/gs-link.asciidoc[]
-
-include::../include/configuring-intro.asciidoc[]
-
-:fileset_ex: log
-
-include::../include/config-option-intro.asciidoc[]
-
-[float]
-==== `log` fileset settings
-
-experimental[]
-
-NOTE: This was converted from RSA NetWitness log parser XML "snort" device revision 134.
-
-*`var.input`*::
-
-The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
-
-*`var.syslog_host`*::
-
-The address to listen to UDP or TCP based syslog traffic.
-Defaults to `localhost`.
-Set to `0.0.0.0` to bind to all available interfaces.
-
-*`var.syslog_port`*::
-
-The port to listen for syslog traffic. Defaults to `9532`
-
-NOTE: Ports below 1024 require Filebeat to run as root.
-
-*`var.tz_offset`*::
-
-By default, datetimes in the logs will be interpreted as relative to
-the timezone configured in the host where {beatname_uc} is running. If ingesting
-logs from a host on a different timezone, use this field to set the timezone
-offset so that datetimes are correctly parsed. Valid values are in the form
-±HH:mm, for example, `-07:00` for `UTC-7`.
-
-*`var.rsa_fields`*::
-
-Flag to control the addition of non-ECS fields to the event. Defaults to true,
-which causes both ECS and custom fields under `rsa` to be added.
-
-*`var.keep_raw_fields`*::
-
-Flag to control the addition of the raw parser fields to the event. This fields
-will be found under `rsa.raw`. The default is false.
-
-:has-dashboards!:
-
-:fileset_ex!:
-
-:modulename!:
-
diff --git a/x-pack/filebeat/module/snort/_meta/fields.yml b/x-pack/filebeat/module/snort/_meta/fields.yml
deleted file mode 100644
index f9589132eb0..00000000000
--- a/x-pack/filebeat/module/snort/_meta/fields.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-- key: snort
- title: Snort/Sourcefire
- description: >
- snort fields.
- fields:
diff --git a/x-pack/filebeat/module/snort/fields.go b/x-pack/filebeat/module/snort/fields.go
deleted file mode 100644
index 7d0c47bdb78..00000000000
--- a/x-pack/filebeat/module/snort/fields.go
+++ /dev/null
@@ -1,23 +0,0 @@
-// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-// or more contributor license agreements. Licensed under the Elastic License;
-// you may not use this file except in compliance with the Elastic License.
-
-// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT.
-
-package snort
-
-import (
- "github.com/elastic/beats/v7/libbeat/asset"
-)
-
-func init() {
- if err := asset.SetFields("filebeat", "snort", asset.ModuleFieldsPri, AssetSnort); err != nil {
- panic(err)
- }
-}
-
-// AssetSnort returns asset data.
-// This is the base64 encoded zlib format compressed contents of module/snort.
-func AssetSnort() string {
- return "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"
-}
diff --git a/x-pack/filebeat/module/snort/log/_meta/fields.yml b/x-pack/filebeat/module/snort/log/_meta/fields.yml
deleted file mode 100644
index 08a34153c4f..00000000000
--- a/x-pack/filebeat/module/snort/log/_meta/fields.yml
+++ /dev/null
@@ -1,2635 +0,0 @@ -- name: network.interface.name - overwrite: true - type: keyword - description: > - Name of the network interface where the traffic has been observed. -- name: rsa - overwrite: true - type: group - fields: - - name: internal - overwrite: true - type: group - fields: - - name: msg - overwrite: true - type: keyword - description: This key is used to capture the raw message that comes into the - Log Decoder - - name: messageid - overwrite: true - type: keyword - - name: event_desc - overwrite: true - type: keyword - - name: message - overwrite: true - type: keyword - description: This key captures the contents of instant messages - - name: time - overwrite: true - type: date - description: This is the time at which a session hits a NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness. - - name: level - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: msg_id - overwrite: true - type: keyword - description: This is the Message ID1 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: msg_vid - overwrite: true - type: keyword - description: This is the Message ID2 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: data - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: resource - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: statement - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: entry - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: inode - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: resource_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: dead - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - overwrite: true - type: keyword - description: This is used to capture the description of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: feed_name - overwrite: true - type: keyword - description: This is used to capture the name of the feed. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: cid - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_class - overwrite: true - type: keyword - description: This is the Classification of the Log Event Source under a predefined - fixed set of Event Source Classifications. 
This key should never be used to - parse Meta data from a session (Logs/Packets) Directly, this is a Reserved - key in NetWitness - - name: device_group - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - overwrite: true - type: keyword - description: This is the Hostname of the log Event Source sending the logs to - NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - overwrite: true - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - overwrite: true - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - overwrite: true - type: keyword - description: This is the name of the log parser which parsed a given session. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_type_id - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: did - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. 
- This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: entropy_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: entropy_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: event_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - overwrite: true - type: keyword - description: This is used to capture the category of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: forward_ip - overwrite: true - type: ip - description: This key should be used to capture the IPV4 address of a relay - system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - overwrite: true - type: ip - description: This key is used to capture the IPV6 address of a relay system - which forwarded the events from the original system to NetWitness. This key - should never be used to parse Meta data from a session (Logs/Packets) Directly, - this is a Reserved key in NetWitness - - name: header_id - overwrite: true - type: keyword - description: This is the Header ID value that identifies the exact log parser - header definition that parses a particular log session. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: lc_cid - overwrite: true - type: keyword - description: This is a unique Identifier of a Log Collector. 
This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: lc_ctime - overwrite: true - type: date - description: This is the time at which a log is collected in a NetWitness Log - Collector. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: mcbc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: medium - overwrite: true - type: long - description: "This key is used to identify if it\u2019s a log/packet session\ - \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ - \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ - \ 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: nwe_callback_id - overwrite: true - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - overwrite: true - type: keyword - description: This is a special key that stores any Meta key validation error - found while parsing a log session. This key should never be used to parse - Meta data from a session (Logs/Packets) Directly, this is a Reserved key in - NetWitness - - name: payload_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: payload_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: process_vid_dst - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the target process. - - name: process_vid_src - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the source process. - - name: rid - overwrite: true - type: long - description: This is a special ID of the Remote Session created by NetWitness - Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: session_split - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: size - overwrite: true - type: long - description: This is the size of the session as seen by the NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: sourcefile - overwrite: true - type: keyword - description: This is the name of the log file or PCAPs that can be imported - into NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: ubc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: word - overwrite: true - type: keyword - description: This is used by the Word Parsing technology to capture the first - 5 character of every word in an unparsed log - - name: time - overwrite: true - type: group - fields: - - name: event_time - overwrite: true - type: date - description: This key is used to capture the time mentioned in a raw session - that represents the actual time an event occured in a standard normalized - form - - name: duration_time - overwrite: true - type: double - description: This key is used to capture the normalized duration/lifetime in - seconds. 
- - name: event_time_str - overwrite: true - type: keyword - description: This key is used to capture the incomplete time mentioned in a - session as a string - - name: starttime - overwrite: true - type: date - description: This key is used to capture the Start time mentioned in a session - in a standard form - - name: month - overwrite: true - type: keyword - - name: day - overwrite: true - type: keyword - - name: endtime - overwrite: true - type: date - description: This key is used to capture the End time mentioned in a session - in a standard form - - name: timezone - overwrite: true - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - overwrite: true - type: keyword - description: A text string version of the duration - - name: date - overwrite: true - type: keyword - - name: year - overwrite: true - type: keyword - - name: recorded_time - overwrite: true - type: date - description: The event time as recorded by the system the event is collected - from. The usage scenario is a multi-tier application where the management - layer of the system records it's own timestamp at the time of collection from - its child nodes. Must be in timestamp format. - - name: datetime - overwrite: true - type: keyword - - name: effective_time - overwrite: true - type: date - description: This key is the effective time referenced by an individual event - in a Standard Timestamp format - - name: expire_time - overwrite: true - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - overwrite: true - type: keyword - description: Deprecated, use duration.time - - name: hour - overwrite: true - type: keyword - - name: min - overwrite: true - type: keyword - - name: timestamp - overwrite: true - type: keyword - - name: event_queue_time - overwrite: true - type: date - description: This key is the Time that the event was queued. 
- - name: p_time1 - overwrite: true - type: keyword - - name: tzone - overwrite: true - type: keyword - - name: eventtime - overwrite: true - type: keyword - - name: gmtdate - overwrite: true - type: keyword - - name: gmttime - overwrite: true - type: keyword - - name: p_date - overwrite: true - type: keyword - - name: p_month - overwrite: true - type: keyword - - name: p_time - overwrite: true - type: keyword - - name: p_time2 - overwrite: true - type: keyword - - name: p_year - overwrite: true - type: keyword - - name: expire_time_str - overwrite: true - type: keyword - description: This key is used to capture incomplete timestamp that explicitly - refers to an expiration. - - name: stamp - overwrite: true - type: date - description: Deprecated key defined only in table map. - - name: misc - overwrite: true - type: group - fields: - - name: action - overwrite: true - type: keyword - - name: result - overwrite: true - type: keyword - description: This key is used to capture the outcome/result string value of - an action in a session. - - name: severity - overwrite: true - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - overwrite: true - type: keyword - description: This key captures the event category type as specified by the event - source. - - name: reference_id - overwrite: true - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - overwrite: true - type: keyword - description: This key captures Version of the application or OS which is generating - the event. - - name: disposition - overwrite: true - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - overwrite: true - type: keyword - description: This key is used to capture the outcome/result numeric value of - an action in a session - - name: category - overwrite: true - type: keyword - description: This key is used to capture the category of an event given by the - vendor in the session - - name: obj_name - overwrite: true - type: keyword - description: This is used to capture name of object - - name: obj_type - overwrite: true - type: keyword - description: This is used to capture type of object - - name: event_source - overwrite: true - type: keyword - description: "This key captures Source of the event that\u2019s not a hostname" - - name: log_session_id - overwrite: true - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - overwrite: true - type: keyword - description: This key captures the Group Name value - - name: policy_name - overwrite: true - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - overwrite: true - type: keyword - description: This key captures the Rule Name - - name: context - overwrite: true - type: keyword - description: This key captures Information which adds additional context to - the event. - - name: change_new - overwrite: true - type: keyword - description: "This key is used to capture the new values of the attribute that\u2019\ - s changing in a session" - - name: space - overwrite: true - type: keyword - - name: client - overwrite: true - type: keyword - description: This key is used to capture only the name of the client application - requesting resources of the server. See the user.agent meta key for capture - of the specific user agent identifier or browser identification string. 
- - name: msgIdPart1 - overwrite: true - type: keyword - - name: msgIdPart2 - overwrite: true - type: keyword - - name: change_old - overwrite: true - type: keyword - description: "This key is used to capture the old value of the attribute that\u2019\ - s changing in a session" - - name: operation_id - overwrite: true - type: keyword - description: An alert number or operation number. The values should be unique - and non-repeating. - - name: event_state - overwrite: true - type: keyword - description: This key captures the current state of the object/item referenced - within the event. Describing an on-going event. - - name: group_object - overwrite: true - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - overwrite: true - type: keyword - description: Common use case is the node name within a cluster. The cluster - name is reflected by the host name. - - name: rule - overwrite: true - type: keyword - description: This key captures the Rule number - - name: device_name - overwrite: true - type: keyword - description: 'This is used to capture name of the Device associated with the - node Like: a physical disk, printer, etc' - - name: param - overwrite: true - type: keyword - description: This key is the parameters passed as part of a command or application, - etc. - - name: change_attrib - overwrite: true - type: keyword - description: "This key is used to capture the name of the attribute that\u2019\ - s changing in a session" - - name: event_computer - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - fully qualified domain name in a windows log. 
- - name: reference_id1 - overwrite: true - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - overwrite: true - type: keyword - description: This key captures the Name of the event log - - name: OS - overwrite: true - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - overwrite: true - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - overwrite: true - type: keyword - - name: filter - overwrite: true - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - overwrite: true - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the entity - such as a file or process. Checksum should be used over checksum.src or checksum.dst - when it is unclear whether the entity is a source or target of an action. - - name: event_user - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - combination of domain name and username in a windows log. - - name: virusname - overwrite: true - type: keyword - description: This key captures the name of the virus - - name: content_type - overwrite: true - type: keyword - description: This key is used to capture Content Type only. 
- - name: group_id - overwrite: true - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - overwrite: true - type: keyword - description: This key is used to capture the Policy ID only, this should be - a numeric value, use policy.name otherwise - - name: vsys - overwrite: true - type: keyword - description: This key captures Virtual System Name - - name: connection_id - overwrite: true - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - overwrite: true - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" - or "reference.id1" value but should not be used unless the other two variables - are in play. - - name: sensor - overwrite: true - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS - based devices - - name: sig_id - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - overwrite: true - type: keyword - description: 'This key is used for Physical or logical port connection but does - NOT include a network port. (Example: Printer port name).' - - name: rule_group - overwrite: true - type: keyword - description: This key captures the Rule group name - - name: risk_num - overwrite: true - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - overwrite: true - type: keyword - description: This key captures the Value of the trigger or threshold condition. - - name: log_session_id1 - overwrite: true - type: keyword - description: This key is used to capture a Linked (Related) Session ID from - the session directly - - name: comp_version - overwrite: true - type: keyword - description: This key captures the Version level of a sub-component of a product. 
- - name: content_version - overwrite: true - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - overwrite: true - type: keyword - description: This key is used to capture unique identifier for a device or system - (NOT a Mac address) - - name: risk - overwrite: true - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - overwrite: true - type: keyword - - name: reason - overwrite: true - type: keyword - - name: status - overwrite: true - type: keyword - - name: mail_id - overwrite: true - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - overwrite: true - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - overwrite: true - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - overwrite: true - type: keyword - - name: p_msgid - overwrite: true - type: keyword - - name: data_type - overwrite: true - type: keyword - - name: msgIdPart4 - overwrite: true - type: keyword - - name: error - overwrite: true - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - overwrite: true - type: keyword - - name: listnum - overwrite: true - type: keyword - description: This key is used to capture listname or listnumber, primarily for - collecting access-list - - name: ntype - overwrite: true - type: keyword - - name: observed_val - overwrite: true - type: keyword - description: This key captures the Value observed (from the perspective of the - device generating the log). - - name: policy_value - overwrite: true - type: keyword - description: This key captures the contents of the policy. 
This contains details - about the policy - - name: pool_name - overwrite: true - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - overwrite: true - type: keyword - description: A default set of parameters which are overlayed onto a rule (or - rulename) which efffectively constitutes a template - - name: count - overwrite: true - type: keyword - - name: number - overwrite: true - type: keyword - - name: sigcat - overwrite: true - type: keyword - - name: type - overwrite: true - type: keyword - - name: comments - overwrite: true - type: keyword - description: Comment information provided in the log message - - name: doc_number - overwrite: true - type: long - description: This key captures File Identification number - - name: expected_val - overwrite: true - type: keyword - description: This key captures the Value expected (from the perspective of the - device generating the log). - - name: job_num - overwrite: true - type: keyword - description: This key captures the Job Number - - name: spi_dst - overwrite: true - type: keyword - description: Destination SPI Index - - name: spi_src - overwrite: true - type: keyword - description: Source SPI Index - - name: code - overwrite: true - type: keyword - - name: agent_id - overwrite: true - type: keyword - description: This key is used to capture agent id - - name: message_body - overwrite: true - type: keyword - description: This key captures the The contents of the message body. - - name: phone - overwrite: true - type: keyword - - name: sig_id_str - overwrite: true - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - overwrite: true - type: keyword - - name: misc - overwrite: true - type: keyword - - name: name - overwrite: true - type: keyword - - name: cpu - overwrite: true - type: long - description: This key is the CPU time used in the execution of the event being - recorded. 
- - name: event_desc - overwrite: true - type: keyword - description: This key is used to capture a description of an event available - directly or inferred - - name: sig_id1 - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID. This must be linked - to the sig.id - - name: im_buddyid - overwrite: true - type: keyword - - name: im_client - overwrite: true - type: keyword - - name: im_userid - overwrite: true - type: keyword - - name: pid - overwrite: true - type: keyword - - name: priority - overwrite: true - type: keyword - - name: context_subject - overwrite: true - type: keyword - description: This key is to be used in an audit context where the subject is - the object being identified - - name: context_target - overwrite: true - type: keyword - - name: cve - overwrite: true - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - - an identifier for known information security vulnerabilities. - - name: fcatnum - overwrite: true - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - overwrite: true - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - overwrite: true - type: keyword - description: This key captures the Parent Node Name. Must be related to node - variable. - - name: risk_info - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - overwrite: true - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - overwrite: true - type: long - description: This key describes the type of service - - name: vm_target - overwrite: true - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - overwrite: true - type: keyword - description: This key captures Workspace Description - - name: command - overwrite: true - type: keyword - - name: event_category - overwrite: true - type: keyword - - name: facilityname - overwrite: true - type: keyword - - name: forensic_info - overwrite: true - type: keyword - - name: jobname - overwrite: true - type: keyword - - name: mode - overwrite: true - type: keyword - - name: policy - overwrite: true - type: keyword - - name: policy_waiver - overwrite: true - type: keyword - - name: second - overwrite: true - type: keyword - - name: space1 - overwrite: true - type: keyword - - name: subcategory - overwrite: true - type: keyword - - name: tbdstr2 - overwrite: true - type: keyword - - name: alert_id - overwrite: true - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the the target - entity such as a process or file. - - name: checksum_src - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the source - entity such as a file or process. 
- - name: fresult - overwrite: true - type: long - description: This key captures the Filter Result - - name: payload_dst - overwrite: true - type: keyword - description: This key is used to capture destination payload - - name: payload_src - overwrite: true - type: keyword - description: This key is used to capture source payload - - name: pool_id - overwrite: true - type: keyword - description: This key captures the identifier (typically numeric field) of a - resource pool - - name: process_id_val - overwrite: true - type: keyword - description: This key is a failure key for Process ID when it is not an integer - value - - name: risk_num_comm - overwrite: true - type: double - description: This key captures Risk Number Community - - name: risk_num_next - overwrite: true - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - overwrite: true - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - overwrite: true - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - overwrite: true - type: keyword - description: SNMP Object Identifier - - name: sql - overwrite: true - type: keyword - description: This key captures the SQL query - - name: vuln_ref - overwrite: true - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - overwrite: true - type: keyword - - name: acl_op - overwrite: true - type: keyword - - name: acl_pos - overwrite: true - type: keyword - - name: acl_table - overwrite: true - type: keyword - - name: admin - overwrite: true - type: keyword - - name: alarm_id - overwrite: true - type: keyword - - name: alarmname - 
overwrite: true - type: keyword - - name: app_id - overwrite: true - type: keyword - - name: audit - overwrite: true - type: keyword - - name: audit_object - overwrite: true - type: keyword - - name: auditdata - overwrite: true - type: keyword - - name: benchmark - overwrite: true - type: keyword - - name: bypass - overwrite: true - type: keyword - - name: cache - overwrite: true - type: keyword - - name: cache_hit - overwrite: true - type: keyword - - name: cefversion - overwrite: true - type: keyword - - name: cfg_attr - overwrite: true - type: keyword - - name: cfg_obj - overwrite: true - type: keyword - - name: cfg_path - overwrite: true - type: keyword - - name: changes - overwrite: true - type: keyword - - name: client_ip - overwrite: true - type: keyword - - name: clustermembers - overwrite: true - type: keyword - - name: cn_acttimeout - overwrite: true - type: keyword - - name: cn_asn_src - overwrite: true - type: keyword - - name: cn_bgpv4nxthop - overwrite: true - type: keyword - - name: cn_ctr_dst_code - overwrite: true - type: keyword - - name: cn_dst_tos - overwrite: true - type: keyword - - name: cn_dst_vlan - overwrite: true - type: keyword - - name: cn_engine_id - overwrite: true - type: keyword - - name: cn_engine_type - overwrite: true - type: keyword - - name: cn_f_switch - overwrite: true - type: keyword - - name: cn_flowsampid - overwrite: true - type: keyword - - name: cn_flowsampintv - overwrite: true - type: keyword - - name: cn_flowsampmode - overwrite: true - type: keyword - - name: cn_inacttimeout - overwrite: true - type: keyword - - name: cn_inpermbyts - overwrite: true - type: keyword - - name: cn_inpermpckts - overwrite: true - type: keyword - - name: cn_invalid - overwrite: true - type: keyword - - name: cn_ip_proto_ver - overwrite: true - type: keyword - - name: cn_ipv4_ident - overwrite: true - type: keyword - - name: cn_l_switch - overwrite: true - type: keyword - - name: cn_log_did - overwrite: true - type: keyword - - name: 
cn_log_rid - overwrite: true - type: keyword - - name: cn_max_ttl - overwrite: true - type: keyword - - name: cn_maxpcktlen - overwrite: true - type: keyword - - name: cn_min_ttl - overwrite: true - type: keyword - - name: cn_minpcktlen - overwrite: true - type: keyword - - name: cn_mpls_lbl_1 - overwrite: true - type: keyword - - name: cn_mpls_lbl_10 - overwrite: true - type: keyword - - name: cn_mpls_lbl_2 - overwrite: true - type: keyword - - name: cn_mpls_lbl_3 - overwrite: true - type: keyword - - name: cn_mpls_lbl_4 - overwrite: true - type: keyword - - name: cn_mpls_lbl_5 - overwrite: true - type: keyword - - name: cn_mpls_lbl_6 - overwrite: true - type: keyword - - name: cn_mpls_lbl_7 - overwrite: true - type: keyword - - name: cn_mpls_lbl_8 - overwrite: true - type: keyword - - name: cn_mpls_lbl_9 - overwrite: true - type: keyword - - name: cn_mplstoplabel - overwrite: true - type: keyword - - name: cn_mplstoplabip - overwrite: true - type: keyword - - name: cn_mul_dst_byt - overwrite: true - type: keyword - - name: cn_mul_dst_pks - overwrite: true - type: keyword - - name: cn_muligmptype - overwrite: true - type: keyword - - name: cn_sampalgo - overwrite: true - type: keyword - - name: cn_sampint - overwrite: true - type: keyword - - name: cn_seqctr - overwrite: true - type: keyword - - name: cn_spackets - overwrite: true - type: keyword - - name: cn_src_tos - overwrite: true - type: keyword - - name: cn_src_vlan - overwrite: true - type: keyword - - name: cn_sysuptime - overwrite: true - type: keyword - - name: cn_template_id - overwrite: true - type: keyword - - name: cn_totbytsexp - overwrite: true - type: keyword - - name: cn_totflowexp - overwrite: true - type: keyword - - name: cn_totpcktsexp - overwrite: true - type: keyword - - name: cn_unixnanosecs - overwrite: true - type: keyword - - name: cn_v6flowlabel - overwrite: true - type: keyword - - name: cn_v6optheaders - overwrite: true - type: keyword - - name: comp_class - overwrite: true - type: 
keyword - - name: comp_name - overwrite: true - type: keyword - - name: comp_rbytes - overwrite: true - type: keyword - - name: comp_sbytes - overwrite: true - type: keyword - - name: cpu_data - overwrite: true - type: keyword - - name: criticality - overwrite: true - type: keyword - - name: cs_agency_dst - overwrite: true - type: keyword - - name: cs_analyzedby - overwrite: true - type: keyword - - name: cs_av_other - overwrite: true - type: keyword - - name: cs_av_primary - overwrite: true - type: keyword - - name: cs_av_secondary - overwrite: true - type: keyword - - name: cs_bgpv6nxthop - overwrite: true - type: keyword - - name: cs_bit9status - overwrite: true - type: keyword - - name: cs_context - overwrite: true - type: keyword - - name: cs_control - overwrite: true - type: keyword - - name: cs_data - overwrite: true - type: keyword - - name: cs_datecret - overwrite: true - type: keyword - - name: cs_dst_tld - overwrite: true - type: keyword - - name: cs_eth_dst_ven - overwrite: true - type: keyword - - name: cs_eth_src_ven - overwrite: true - type: keyword - - name: cs_event_uuid - overwrite: true - type: keyword - - name: cs_filetype - overwrite: true - type: keyword - - name: cs_fld - overwrite: true - type: keyword - - name: cs_if_desc - overwrite: true - type: keyword - - name: cs_if_name - overwrite: true - type: keyword - - name: cs_ip_next_hop - overwrite: true - type: keyword - - name: cs_ipv4dstpre - overwrite: true - type: keyword - - name: cs_ipv4srcpre - overwrite: true - type: keyword - - name: cs_lifetime - overwrite: true - type: keyword - - name: cs_log_medium - overwrite: true - type: keyword - - name: cs_loginname - overwrite: true - type: keyword - - name: cs_modulescore - overwrite: true - type: keyword - - name: cs_modulesign - overwrite: true - type: keyword - - name: cs_opswatresult - overwrite: true - type: keyword - - name: cs_payload - overwrite: true - type: keyword - - name: cs_registrant - overwrite: true - type: keyword - - 
name: cs_registrar - overwrite: true - type: keyword - - name: cs_represult - overwrite: true - type: keyword - - name: cs_rpayload - overwrite: true - type: keyword - - name: cs_sampler_name - overwrite: true - type: keyword - - name: cs_sourcemodule - overwrite: true - type: keyword - - name: cs_streams - overwrite: true - type: keyword - - name: cs_targetmodule - overwrite: true - type: keyword - - name: cs_v6nxthop - overwrite: true - type: keyword - - name: cs_whois_server - overwrite: true - type: keyword - - name: cs_yararesult - overwrite: true - type: keyword - - name: description - overwrite: true - type: keyword - - name: devvendor - overwrite: true - type: keyword - - name: distance - overwrite: true - type: keyword - - name: dstburb - overwrite: true - type: keyword - - name: edomain - overwrite: true - type: keyword - - name: edomaub - overwrite: true - type: keyword - - name: euid - overwrite: true - type: keyword - - name: facility - overwrite: true - type: keyword - - name: finterface - overwrite: true - type: keyword - - name: flags - overwrite: true - type: keyword - - name: gaddr - overwrite: true - type: keyword - - name: id3 - overwrite: true - type: keyword - - name: im_buddyname - overwrite: true - type: keyword - - name: im_croomid - overwrite: true - type: keyword - - name: im_croomtype - overwrite: true - type: keyword - - name: im_members - overwrite: true - type: keyword - - name: im_username - overwrite: true - type: keyword - - name: ipkt - overwrite: true - type: keyword - - name: ipscat - overwrite: true - type: keyword - - name: ipspri - overwrite: true - type: keyword - - name: latitude - overwrite: true - type: keyword - - name: linenum - overwrite: true - type: keyword - - name: list_name - overwrite: true - type: keyword - - name: load_data - overwrite: true - type: keyword - - name: location_floor - overwrite: true - type: keyword - - name: location_mark - overwrite: true - type: keyword - - name: log_id - overwrite: true - 
type: keyword - - name: log_type - overwrite: true - type: keyword - - name: logid - overwrite: true - type: keyword - - name: logip - overwrite: true - type: keyword - - name: logname - overwrite: true - type: keyword - - name: longitude - overwrite: true - type: keyword - - name: lport - overwrite: true - type: keyword - - name: mbug_data - overwrite: true - type: keyword - - name: misc_name - overwrite: true - type: keyword - - name: msg_type - overwrite: true - type: keyword - - name: msgid - overwrite: true - type: keyword - - name: netsessid - overwrite: true - type: keyword - - name: num - overwrite: true - type: keyword - - name: number1 - overwrite: true - type: keyword - - name: number2 - overwrite: true - type: keyword - - name: nwwn - overwrite: true - type: keyword - - name: object - overwrite: true - type: keyword - - name: operation - overwrite: true - type: keyword - - name: opkt - overwrite: true - type: keyword - - name: orig_from - overwrite: true - type: keyword - - name: owner_id - overwrite: true - type: keyword - - name: p_action - overwrite: true - type: keyword - - name: p_filter - overwrite: true - type: keyword - - name: p_group_object - overwrite: true - type: keyword - - name: p_id - overwrite: true - type: keyword - - name: p_msgid1 - overwrite: true - type: keyword - - name: p_msgid2 - overwrite: true - type: keyword - - name: p_result1 - overwrite: true - type: keyword - - name: password_chg - overwrite: true - type: keyword - - name: password_expire - overwrite: true - type: keyword - - name: permgranted - overwrite: true - type: keyword - - name: permwanted - overwrite: true - type: keyword - - name: pgid - overwrite: true - type: keyword - - name: policyUUID - overwrite: true - type: keyword - - name: prog_asp_num - overwrite: true - type: keyword - - name: program - overwrite: true - type: keyword - - name: real_data - overwrite: true - type: keyword - - name: rec_asp_device - overwrite: true - type: keyword - - name: rec_asp_num 
- overwrite: true - type: keyword - - name: rec_library - overwrite: true - type: keyword - - name: recordnum - overwrite: true - type: keyword - - name: ruid - overwrite: true - type: keyword - - name: sburb - overwrite: true - type: keyword - - name: sdomain_fld - overwrite: true - type: keyword - - name: sec - overwrite: true - type: keyword - - name: sensorname - overwrite: true - type: keyword - - name: seqnum - overwrite: true - type: keyword - - name: session - overwrite: true - type: keyword - - name: sessiontype - overwrite: true - type: keyword - - name: sigUUID - overwrite: true - type: keyword - - name: spi - overwrite: true - type: keyword - - name: srcburb - overwrite: true - type: keyword - - name: srcdom - overwrite: true - type: keyword - - name: srcservice - overwrite: true - type: keyword - - name: state - overwrite: true - type: keyword - - name: status1 - overwrite: true - type: keyword - - name: svcno - overwrite: true - type: keyword - - name: system - overwrite: true - type: keyword - - name: tbdstr1 - overwrite: true - type: keyword - - name: tgtdom - overwrite: true - type: keyword - - name: tgtdomain - overwrite: true - type: keyword - - name: threshold - overwrite: true - type: keyword - - name: type1 - overwrite: true - type: keyword - - name: udb_class - overwrite: true - type: keyword - - name: url_fld - overwrite: true - type: keyword - - name: user_div - overwrite: true - type: keyword - - name: userid - overwrite: true - type: keyword - - name: username_fld - overwrite: true - type: keyword - - name: utcstamp - overwrite: true - type: keyword - - name: v_instafname - overwrite: true - type: keyword - - name: virt_data - overwrite: true - type: keyword - - name: vpnid - overwrite: true - type: keyword - - name: autorun_type - overwrite: true - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - overwrite: true - type: long - description: Valid Credit Card Numbers only - - name: content - 
overwrite: true - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - overwrite: true - type: long - description: Employee Identification Numbers only - - name: found - overwrite: true - type: keyword - description: This is used to capture the results of regex match - - name: language - overwrite: true - type: keyword - description: This is used to capture list of languages the client support and - what it prefers - - name: lifetime - overwrite: true - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - overwrite: true - type: keyword - description: This key is used to link the sessions together. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: match - overwrite: true - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - overwrite: true - type: keyword - description: This key captures the command line/launch argument of the target - process or file - - name: param_src - overwrite: true - type: keyword - description: This key captures source parameter - - name: search_text - overwrite: true - type: keyword - description: This key captures the Search Text used - - name: sig_name - overwrite: true - type: keyword - description: This key is used to capture the Signature Name only. - - name: snmp_value - overwrite: true - type: keyword - description: SNMP set request value - - name: streams - overwrite: true - type: long - description: This key captures number of streams in session - - name: db - overwrite: true - type: group - fields: - - name: index - overwrite: true - type: keyword - description: This key captures IndexID of the index. 
- - name: instance - overwrite: true - type: keyword - description: This key is used to capture the database server instance name - - name: database - overwrite: true - type: keyword - description: This key is used to capture the name of a database or an instance - as seen in a session - - name: transact_id - overwrite: true - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - overwrite: true - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - overwrite: true - type: keyword - description: This key is used to capture the table name - - name: db_id - overwrite: true - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - overwrite: true - type: long - description: This key captures the process id of a connection with database - server - - name: lread - overwrite: true - type: long - description: This key is used for the number of logical reads - - name: lwrite - overwrite: true - type: long - description: This key is used for the number of logical writes - - name: pread - overwrite: true - type: long - description: This key is used for the number of physical writes - - name: network - overwrite: true - type: group - fields: - - name: alias_host - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a hostname is not clear.Also it captures the Device Hostname. Any Hostname - that isnt ad.computer. 
- - name: domain - overwrite: true - type: keyword - - name: host_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Hostname" - - name: network_service - overwrite: true - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of an interface is not clear - - name: network_port - overwrite: true - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently - used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - overwrite: true - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Interface" - - name: dinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Interface" - - name: vlan - overwrite: true - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Zone." - - name: zone - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a Zone is not clear - - name: zone_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Zone." - - name: gateway - overwrite: true - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - overwrite: true - type: long - description: This key is used to capture the ICMP type only - - name: mask - overwrite: true - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - overwrite: true - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - overwrite: true - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - overwrite: true - type: keyword - description: This key is used for Destionation Device network mask - - name: port - overwrite: true - type: long - description: This key should only be used to capture a Network Port when the - directionality is not clear - - name: smask - overwrite: true - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - overwrite: true - type: keyword - description: This key is used to capture the network name associated with an - IP range. This is configured by the end user. - - name: paddr - overwrite: true - type: ip - description: Deprecated - - name: faddr - overwrite: true - type: keyword - - name: lhost - overwrite: true - type: keyword - - name: origin - overwrite: true - type: keyword - - name: remote_domain_id - overwrite: true - type: keyword - - name: addr - overwrite: true - type: keyword - - name: dns_a_record - overwrite: true - type: keyword - - name: dns_ptr_record - overwrite: true - type: keyword - - name: fhost - overwrite: true - type: keyword - - name: fport - overwrite: true - type: keyword - - name: laddr - overwrite: true - type: keyword - - name: linterface - overwrite: true - type: keyword - - name: phost - overwrite: true - type: keyword - - name: ad_computer_dst - overwrite: true - type: keyword - description: Deprecated, use host.dst - - name: eth_type - overwrite: true - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols - Only - - name: ip_proto - overwrite: true - type: long - description: This key should be used to capture the Protocol number, all the - protocol nubers are converted into string in UI - - name: dns_cname_record - overwrite: true - 
type: keyword - - name: dns_id - overwrite: true - type: keyword - - name: dns_opcode - overwrite: true - type: keyword - - name: dns_resp - overwrite: true - type: keyword - - name: dns_type - overwrite: true - type: keyword - - name: domain1 - overwrite: true - type: keyword - - name: host_type - overwrite: true - type: keyword - - name: packet_length - overwrite: true - type: keyword - - name: host_orig - overwrite: true - type: keyword - description: This is used to capture the original hostname in case of a Forwarding - Agent or a Proxy in between. - - name: rpayload - overwrite: true - type: keyword - description: This key is used to capture the total number of payload bytes seen - in the retransmitted packets. - - name: vlan_name - overwrite: true - type: keyword - description: This key should only be used to capture the name of the Virtual - LAN - - name: investigations - overwrite: true - type: group - fields: - - name: ec_activity - overwrite: true - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - overwrite: true - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - overwrite: true - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - overwrite: true - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - overwrite: true - type: long - description: This key captures the Event category number - - name: event_cat_name - overwrite: true - type: keyword - description: This key captures the event category name corresponding to the - event cat code - - name: event_vcat - overwrite: true - type: keyword - description: This is a vendor supplied category. This should be used in situations - where the vendor has adopted their own event_category taxonomy. 
- - name: analysis_file - overwrite: true - type: keyword - description: This is used to capture all indicators used in a File Analysis. - This key should be used to capture an analysis of a file - - name: analysis_service - overwrite: true - type: keyword - description: This is used to capture all indicators used in a Service Analysis. - This key should be used to capture an analysis of a service - - name: analysis_session - overwrite: true - type: keyword - description: This is used to capture all indicators used for a Session Analysis. - This key should be used to capture an analysis of a session - - name: boc - overwrite: true - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - overwrite: true - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - overwrite: true - type: keyword - description: This used to capture investigation category - - name: inv_context - overwrite: true - type: keyword - description: This used to capture investigation context - - name: ioc - overwrite: true - type: keyword - description: This is key capture indicator of compromise - - name: counters - overwrite: true - type: group - fields: - - name: dclass_c1 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c1.str only - - name: dclass_c2 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c2.str only - - name: event_counter - overwrite: true - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r1.str only - - name: dclass_c3 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c3.str only - - name: dclass_c1_str - 
overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c1 only - - name: dclass_c2_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c2 only - - name: dclass_r1_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r1 only - - name: dclass_r2 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r2.str only - - name: dclass_c3_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c3 only - - name: dclass_r3 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r3.str only - - name: dclass_r2_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r2 only - - name: dclass_r3_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r3 only - - name: identity - overwrite: true - type: group - fields: - - name: auth_method - overwrite: true - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - overwrite: true - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - overwrite: true - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - overwrite: true - type: keyword - description: This key is used to capture the type of logon method used. 
- - name: profile - overwrite: true - type: keyword - description: This key is used to capture the user profile - - name: accesses - overwrite: true - type: keyword - description: This key is used to capture actual privileges used in accessing - an object - - name: realm - overwrite: true - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - overwrite: true - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that - indicates a Source dn - - name: org - overwrite: true - type: keyword - description: This key captures the User organization - - name: dn_dst - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that - indicates a Destination dn - - name: firstname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: lastname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: user_dept - overwrite: true - type: keyword - description: User's Department Names only - - name: user_sid_src - overwrite: true - type: keyword - description: This key captures Source User Session ID - - name: federated_sp - overwrite: true - type: keyword - description: This key is the Federated Service Provider. This is the application - requesting authentication. - - name: federated_idp - overwrite: true - type: keyword - description: This key is the federated Identity Provider. This is the server - providing the authentication. - - name: logon_type_desc - overwrite: true - type: keyword - description: This key is used to capture the textual description of an integer - logon type as stored in the meta key 'logon.type'. 
- - name: middlename - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: password - overwrite: true - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - overwrite: true - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - overwrite: true - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ - t have a clear query or response context" - - name: ldap_query - overwrite: true - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - overwrite: true - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - overwrite: true - type: keyword - description: This is used to capture username the process or service is running - as, the author of the task - - name: service_account - overwrite: true - type: keyword - description: This key is a windows specific key, used for capturing name of - the account a service (referenced in the event) is running under. Legacy Usage - - name: email - overwrite: true - type: group - fields: - - name: email_dst - overwrite: true - type: keyword - description: This key is used to capture the Destination email address only, - when the destination context is not clear use email - - name: email_src - overwrite: true - type: keyword - description: This key is used to capture the source email address only, when - the source context is not clear use email - - name: subject - overwrite: true - type: keyword - description: This key is used to capture the subject string from an Email only. 
- - name: email - overwrite: true - type: keyword - description: This key is used to capture a generic email address where the source - or destination context is not clear - - name: trans_from - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: file - overwrite: true - type: group - fields: - - name: privilege - overwrite: true - type: keyword - description: Deprecated, use permissions - - name: attachment - overwrite: true - type: keyword - description: This key captures the attachment file name - - name: filesystem - overwrite: true - type: keyword - - name: binary - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: filename_dst - overwrite: true - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - overwrite: true - type: keyword - description: This is used to capture name of the parent filename, the file which - performed the action - - name: filename_tmp - overwrite: true - type: keyword - - name: directory_dst - overwrite: true - type: keyword - description: This key is used to capture the directory of the target process - or file - - name: directory_src - overwrite: true - type: keyword - description: This key is used to capture the directory of the source process - or file - - name: file_entropy - overwrite: true - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - overwrite: true - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - overwrite: true - type: keyword - description: This is used to capture name of the task - - name: web - overwrite: true - type: group - fields: - - name: fqdn - overwrite: true - type: keyword - description: Fully Qualified Domain Names - - 
name: web_cookie - overwrite: true - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - overwrite: true - type: keyword - - name: reputation_num - overwrite: true - type: double - description: Reputation Number of an entity. Typically used for Web Domains - - name: web_ref_domain - overwrite: true - type: keyword - description: Web referer's domain - - name: web_ref_query - overwrite: true - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - overwrite: true - type: keyword - - name: web_ref_page - overwrite: true - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - overwrite: true - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - overwrite: true - type: keyword - - name: cn_rpackets - overwrite: true - type: keyword - - name: urlpage - overwrite: true - type: keyword - - name: urlroot - overwrite: true - type: keyword - - name: p_url - overwrite: true - type: keyword - - name: p_user_agent - overwrite: true - type: keyword - - name: p_web_cookie - overwrite: true - type: keyword - - name: p_web_method - overwrite: true - type: keyword - - name: p_web_referer - overwrite: true - type: keyword - - name: web_extension_tmp - overwrite: true - type: keyword - - name: web_page - overwrite: true - type: keyword - - name: threat - overwrite: true - type: group - fields: - - name: threat_category - overwrite: true - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of - alert - - name: threat_desc - overwrite: true - type: keyword - description: This key is used to capture the threat description from the session - directly or inferred - - name: alert - overwrite: true - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - overwrite: true - type: keyword - description: This key is used to 
capture source of the threat - - name: crypto - overwrite: true - type: group - fields: - - name: crypto - overwrite: true - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key - only - - name: cipher_src - overwrite: true - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - overwrite: true - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - overwrite: true - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - overwrite: true - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - overwrite: true - type: keyword - description: IKE negotiation phase. - - name: scheme - overwrite: true - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - overwrite: true - type: keyword - description: "This key is for Encryption peer\u2019s identity" - - name: sig_type - overwrite: true - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - overwrite: true - type: keyword - - name: cert_host_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: cert_error - overwrite: true - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - overwrite: true - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - overwrite: true - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - overwrite: true - type: keyword - description: Deprecated, use version - - name: d_certauth - overwrite: true - type: keyword - - name: s_certauth - overwrite: true - type: keyword - - name: ike_cookie1 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - - name: ike_cookie2 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - - name: cert_checksum - overwrite: true - type: keyword - - name: cert_host_cat - overwrite: true - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - overwrite: true - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - overwrite: true - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - overwrite: true - type: keyword - description: Deprecated, use version - - name: cert_keysize - overwrite: true - type: keyword - - name: cert_username - overwrite: true - type: keyword - - name: https_insact - overwrite: true - type: keyword - - name: https_valid - overwrite: true - type: keyword - - name: cert_ca - overwrite: true - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - overwrite: true - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - overwrite: true - type: group - fields: - - name: wlan_ssid - overwrite: true - type: keyword - description: This key is 
used to capture the ssid of a Wireless Session - - name: access_point - overwrite: true - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - overwrite: true - type: long - description: This is used to capture the channel names - - name: wlan_name - overwrite: true - type: keyword - description: This key captures either WLAN number/name - - name: storage - overwrite: true - type: group - fields: - - name: disk_volume - overwrite: true - type: keyword - description: A unique name assigned to logical units (volumes) within a physical - disk - - name: lun - overwrite: true - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - overwrite: true - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - overwrite: true - type: group - fields: - - name: org_dst - overwrite: true - type: keyword - description: This is used to capture the destination organization based on the - GEOPIP Maxmind database. - - name: org_src - overwrite: true - type: keyword - description: This is used to capture the source organization based on the GEOPIP - Maxmind database. 
- - name: healthcare - overwrite: true - type: group - fields: - - name: patient_fname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_id - overwrite: true - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_mname - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: endpoint - overwrite: true - type: group - fields: - - name: host_state - overwrite: true - type: keyword - description: This key is used to capture the current state of the machine, such - as blacklisted, infected, firewall - disabled and so on - - name: registry_key - overwrite: true - type: keyword - description: This key captures the path to the registry key - - name: registry_value - overwrite: true - type: keyword - description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/snort/log/config/input.yml b/x-pack/filebeat/module/snort/log/config/input.yml deleted file mode 100644 index 2678c7fa271..00000000000 --- a/x-pack/filebeat/module/snort/log/config/input.yml +++ /dev/null 
@@ -1,87 +0,0 @@
-{{ if eq .input "file" }}
-
-type: log
-paths:
- {{ range $i, $path := .paths }}
-- {{$path}}
- {{ end }}
-exclude_files: [".gz$"]
-
-{{ else }}
-
-type: {{.input}}
-host: "{{.syslog_host}}:{{.syslog_port}}"
-
-{{ end }}
-
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
-
-fields_under_root: true
-fields:
- observer:
- vendor: "Snort"
- product: "IDS"
- type: "IDS"
-
-processors:
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{.rsa_fields}}
- tz_offset: {{.tz_offset}}
- keep_raw: {{.keep_raw_fields}}
- debug: {{.debug}}
- files:
- - ${path.home}/module/snort/log/config/liblogparser.js
- - ${path.home}/module/snort/log/config/pipeline.js
-{{ if .community_id }}
-- community_id: ~
-{{ end }}
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: dns.question.name
- target_field: dns.question.registered_domain
- target_subdomain_field: dns.question.subdomain
- target_etld_field: dns.question.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: client.domain
- target_field: client.registered_domain
- target_subdomain_field: client.subdomain
- target_etld_field: client.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: server.domain
- target_field: server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: 
url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/snort/log/config/liblogparser.js b/x-pack/filebeat/module/snort/log/config/liblogparser.js
deleted file mode 100644
index b35eaa3ddce..00000000000
--- a/x-pack/filebeat/module/snort/log/config/liblogparser.js
+++ /dev/null
@@ -1,2514 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -/* jshint -W014,-W016,-W097,-W116 */ - -var processor = require("processor"); -var console = require("console"); - -var FLAG_FIELD = "log.flags"; -var FIELDS_OBJECT = "nwparser"; -var FIELDS_PREFIX = FIELDS_OBJECT + "."; - -var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true -}; - -var saved_flags = null; -var debug; -var map_ecs; -var map_rsa; -var keep_raw; -var device; -var tz_offset; -var strip_priority; - -// Register params from configuration. -function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); -} - -function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } -} - -function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); -} - -function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); -} - -function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; -} - -function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; -} - -function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; -} - -var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); -})(); - -function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; -} - -function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } -} - -function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; -} - -function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; -} - -function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; -} - -function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; -} - -var start; - -function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); -} - -function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); -} - -function constant(value) { - return function (evt) { - return value; - }; -} - -function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; -} - -function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; -} - -// TODO: Implement -function DIRCHK(args) { - unimplemented("DIRCHK"); -} - -function strictToInt(str) { - return str * 1; -} - -function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - var result; - switch 
(args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; -} - -var quoteChars = "\"'`"; -function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; -} - -function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; -} - -function nop(evt) { -} - -function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); -} - -function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); -} - -function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; -} - -function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); -} - -function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; -} - -function setc(dst, value) { - return function (evt) { - evt.Put(FIELDS_PREFIX + dst, value); - }; 
-} - -function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; -} - -function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; -} - -function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; -} - -function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; -} - -// Make two-digit dates 00-69 interpreted as 2000-2069 -// and dates 70-99 translated to 1970-1999. -var twoDigitYearEpoch = 70; -var twoDigitYearCentury = 2000; - -// This is to accept dates up to 2 days in the future, only used when -// no year is specified in a date. 2 days should be enough to account for -// time differences between systems and different tz offsets. -var maxFutureDelta = 2*24*60*60*1000; - -// DateContainer stores date fields and then converts those fields into -// a Date. Necessary because building a Date using its set() methods gives -// different results depending on the order of components. -function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; -} - -DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } -} - -function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; -} - -function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; -} - -function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; -} - -var uA = 60 * 60 * 24; -var uD = 60 * 60 * 24; -var uF = 60 * 60; -var uG = 60 * 60 * 24 * 30; -var uH = 60 * 60; -var uI = 60 * 60; -var uJ = 60 * 60 * 24; -var uM = 60 * 60 * 24 * 30; -var uN = 60 * 60; -var uO = 1; -var uS = 1; -var uT = 60; -var uU = 60; -var uc = dc; - -function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; -} - -function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 5], - "dec": [11, 4], 
-}; - -// var dC = undefined; -var dR = dateMonthName(true); -var dB = dateMonthName(false); -var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); -var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); -var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); -var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); -var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); -var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 -var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); -var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); -var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); -var dP = parseAMPM; // AM|PM -var dQ = parseAMPM; // A.M.|P.M -var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); -var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); -var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); -var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); -var dZ = parseHMS; -var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - -// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. -// Only works if this modifier appears after the hour has been read from logs -// which is always the case in the 300 devices. 
-function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; -} - -function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); -} - -function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; -} - -function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; -} - -function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; -} - -function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; -} - -function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; -} - -// Short month name (Jan..Dec). -function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; -} - -function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; -} - -// The following regular expression for parsing URLs from: -// https://github.com/wizard04wsu/URI_Parsing -// -// The MIT License (MIT) -// -// Copyright (c) 2014 Andrew Harrison -// -// Permission is hereby granted, free of charge, to any person obtaining a copy of -// this software and associated documentation files (the "Software"), to deal in -// the Software without restriction, including without limitation the rights to -// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -// the Software, and to permit persons to whom the Software is furnished to do so, -// subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
-var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - -var uriScheme = 1; -var uriDomain = 5; -var uriPort = 6; -var uriPath = 7; -var uriPathAlt = 9; -var uriQuery = 11; - -function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); -} - -function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; -} - -function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; -} - -var extFromPage = /\.[^.]+$/; -function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } -} - -function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); -} - -function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); -} - -var pageFromPathRegExp = /\/([^\/]+)$/; -var pageName = 1; - -function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; -} - -function page(dst, src) { - return url_wrapper(dst, src, extract_page); -} - -function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; -} - -function path(dst, src) { - return url_wrapper(dst, src, extract_path); -} - -// Map common schemes to their default port. -// port has to be a string (will be converted at a later stage). 
-var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", -}; - -function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } -} - -function port(dst, src) { - return url_wrapper(dst, src, extract_port); -} - -function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; -} - -function query(dst, src) { - return url_wrapper(dst, src, extract_query); -} - -function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } -} - -function root(dst, src) { - return url_wrapper(dst, src, extract_root); -} - -function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } -} - -var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, -}; - -var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, 
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]},
- "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]},
- "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]},
- "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]},
- "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]},
- "word": {to:[{field: "rsa.internal.word", setter: fld_set}]},
- "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]},
- "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "year": {to:[{field: "rsa.time.year", setter: fld_set}]},
- "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]},
-};
-
-function to_date(value) {
- switch (typeof (value)) {
- case "object":
- // This is a Date. But as it was obtained from evt.Get(), the VM
- // doesn't see it as a JS Date anymore, thus value instanceof Date === false.
- // Have to trust that any object here is a valid Date for Go.
- return value;
- case "string":
- var asDate = new Date(value);
- if (!isNaN(asDate)) return asDate;
- }
-}
-
-// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER.
-var maxSafeInt = Math.pow(2, 53) - 1;
-var minSafeInt = -maxSafeInt;
-
-function to_long(value) {
- var num = parseInt(value);
- // Better not to index a number if it's not safe (above 53 bits).
- return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined;
-}
-
-function to_ip(value) {
- if (value.indexOf(":") === -1)
- return to_ipv4(value);
- return to_ipv6(value);
-}
-
-var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
-var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/;
-
-function to_ipv4(value) {
- var result = ipv4_regex.exec(value);
- if (result == null || result.length !== 5) return;
- for (var i = 1; i < 5; i++) {
- var num = strictToInt(result[i]);
- if (isNaN(num) || num < 0 || num > 255) return;
- }
- return value;
-}
-
-function to_ipv6(value) {
- var sqEnd = value.indexOf("]");
- if (sqEnd > -1) {
- if (value.charAt(0) !== "[") return;
- value = value.substr(1, sqEnd - 1);
- }
- var zoneOffset = value.indexOf("%");
- if (zoneOffset > -1) {
- value = value.substr(0, zoneOffset);
- }
- var parts = value.split(":");
- if (parts == null || parts.length < 3 || parts.length > 8) return;
- var numEmpty = 0;
- var innerEmpty = 0;
- for (var i = 0; i < parts.length; i++) {
- if (parts[i].length === 0) {
- numEmpty++;
- if (i > 0 && i + 1 < parts.length) innerEmpty++;
- } else if (!parts[i].match(ipv6_hex_regex) &&
- // Accept an IPv6 with a valid IPv4 at the end.
- ((i + 1 < parts.length) || !to_ipv4(parts[i]))) {
- return;
- }
- }
- return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined;
-}
-
-function to_double(value) {
- return parseFloat(value);
-}
-
-function to_mac(value) {
- // ES doesn't have a mac datatype so it's safe to ingest whatever was captured.
- return value;
-}
-
-function to_lowercase(value) {
- // to_lowercase is used against keyword fields, which can accept
- // any other type (numbers, dates).
- return typeof(value) === "string"? 
value.toLowerCase() : value; -} - -function fld_set(dst, value) { - dst[this.field] = { v: value }; -} - -function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } -} - -function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } -} - -var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true -}; - -function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } -} - -function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } -} - -function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); -} - -var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, -]; - -function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - tzOffset = 
evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{day->} %{time->} %{host->} %{hfld1}: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); - -var dup3 = match("HEADER#2:00010/1_0", "nwparser.p0", "\"%{hfld10}\" [Impact: %{p0}"); - -var dup4 = match("HEADER#2:00010/1_1", "nwparser.p0", "%{hfld10->} [Impact: %{p0}"); - -var dup5 = match("HEADER#3:00011/2", "nwparser.p0", "%{result}] From %{hfld11->} at %{fld9->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); - -var dup6 = match("HEADER#4:00012/1_0", "nwparser.p0", "\"%{hfld10}\" [Classification: %{p0}"); - -var dup7 = match("HEADER#4:00012/1_1", "nwparser.p0", "%{hfld10->} [Classification: %{p0}"); - -var dup8 = match("HEADER#4:00012/2", "nwparser.p0", "%{sigtype}] [Priority: %{payload}"); - -var dup9 = match("HEADER#5:00013/1_0", "nwparser.p0", "\"%{hfld10}\" [%{p0}"); - -var dup10 = match("HEADER#5:00013/1_1", "nwparser.p0", "%{hfld10->} [%{p0}"); - -var dup11 = match("HEADER#5:00013/2", "nwparser.p0", "%{info}] [Priority: %{payload}"); - -var dup12 = match("HEADER#7:00020/0", "message", "%{month->} %{day->} %{time->} snort[%{hpid}]: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); - -var dup13 = match("HEADER#7:00020/2", "nwparser.p0", "%{result}] From %{group_object}/%{hfld11->} at %{fld9->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); - -var dup14 = match("HEADER#11:00030/0", "message", "%{month->} %{day->} %{time->} snort: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); - -var dup15 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" "), - field("p0"), - ], -}); - -var dup16 = setc("messageid","Primary_Detection_Engine"); - -var dup17 = call({ - dest: "nwparser.messageid", - fn: STRCAT, - args: [ - field("msgIdPart1"), - constant("_"), - field("msgIdPart2"), - ], -}); - -var dup18 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - 
field("msgIdPart1"), - constant(" "), - field("msgIdPart2"), - constant(" From "), - field("hsensor"), - constant(" at "), - field("p0"), - ], -}); - -var dup19 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("msgIdPart1"), - constant(" "), - field("msgIdPart2"), - constant(" "), - field("msgIdPart3"), - constant(" "), - field("p0"), - ], -}); - -var dup20 = match("HEADER#26:0011/1_1", "nwparser.p0", "at%{p0}"); - -var dup21 = match("HEADER#26:0011/2", "nwparser.p0", "%{} %{p0}"); - -var dup22 = call({ - dest: "nwparser.messageid", - fn: STRCAT, - args: [ - field("msgIdPart1"), - constant("_"), - field("msgIdPart2"), - constant("_"), - field("msgIdPart3"), - ], -}); - -var dup23 = call({ - dest: "nwparser.messageid", - fn: STRCAT, - args: [ - field("msgIdPart1"), - constant("_"), - field("msgIdPart2"), - constant("_"), - field("msgIdPart3"), - constant("_"), - field("msgIdPart4"), - ], -}); - -var dup24 = setc("messageid","HMNOTIFY"); - -var dup25 = setc("messageid","SystemSettings"); - -var dup26 = match("HEADER#41:0024/1_0", "nwparser.p0", "[%{hpid}]: [%{p0}"); - -var dup27 = match("HEADER#41:0024/1_1", "nwparser.p0", ": [%{p0}"); - -var dup28 = match("HEADER#41:0024/2", "nwparser.p0", "]%{hversion}:%{hfld2}:%{hevent_source->} %{payload}"); - -var dup29 = setc("messageid","Snort_AlertLog"); - -var dup30 = match("HEADER#43:0023/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: [%{hevent_source}:%{hfld2}:%{hversion}] %{p0}"); - -var dup31 = date_time({ - dest: "event_time", - args: ["month","day","time"], - fmts: [ - [dB,dF,dH,dc(":"),dU,dc(":"),dO], - ], -}); - -var dup32 = setf("msg","$MSG"); - -var dup33 = match("MESSAGE#1:0/0_0", "nwparser.payload", "%{threat_val->} ]:alert {%{p0}"); - -var dup34 = match("MESSAGE#1:0/0_1", "nwparser.payload", "%{threat_val->} ]: %{fld1->} {%{p0}"); - -var dup35 = match("MESSAGE#1:0/0_2", "nwparser.payload", "%{threat_val}]: {%{p0}"); - -var dup36 = match("MESSAGE#1:0/0_3", 
"nwparser.payload", "%{threat_val->} ] {%{p0}"); - -var dup37 = match("MESSAGE#1:0/1", "nwparser.p0", "%{protocol}} %{p0}"); - -var dup38 = match("MESSAGE#1:0/2_0", "nwparser.p0", "%{saddr}:%{sport->} (%{location_src}) -> %{p0}"); - -var dup39 = match("MESSAGE#1:0/2_1", "nwparser.p0", "%{saddr}:%{sport->} -> %{p0}"); - -var dup40 = match("MESSAGE#1:0/2_2", "nwparser.p0", "%{saddr->} -> %{p0}"); - -var dup41 = match("MESSAGE#1:0/3_0", "nwparser.p0", "%{daddr}:%{dport->} (%{location_dst})"); - -var dup42 = match("MESSAGE#1:0/3_1", "nwparser.p0", "%{daddr}:%{dport}"); - -var dup43 = match_copy("MESSAGE#1:0/3_2", "nwparser.p0", "daddr"); - -var dup44 = setc("eventcategory","1003030000"); - -var dup45 = setf("severity","threat_val"); - -var dup46 = setf("event_log","hfld1"); - -var dup47 = setf("hostname","host"); - -var dup48 = setf("hostid","host"); - -var dup49 = setf("event_counter","hevent_source"); - -var dup50 = setf("sigid","messageid"); - -var dup51 = setf("version","hversion"); - -var dup52 = setf("sensor","hfld11"); - -var dup53 = setf("context","hfld10"); - -var dup54 = setf("fld10","hfld10"); - -var dup55 = call({ - dest: "nwparser.signame", - fn: RMQ, - args: [ - field("fld10"), - ], -}); - -var dup56 = date_time({ - dest: "event_time", - args: ["event_time_string"], - fmts: [ - [dB,dF,dH,dc(":"),dU,dc(":"),dO,dW,dc(" UTC")], - ], -}); - -var dup57 = match("MESSAGE#2:0:01/0", "nwparser.payload", "%{context->} %{p0}"); - -var dup58 = match("MESSAGE#2:0:01/1_0", "nwparser.p0", "\u003c\u003c%{interface}> %{p0}"); - -var dup59 = match_copy("MESSAGE#2:0:01/1_1", "nwparser.p0", "p0"); - -var dup60 = match("MESSAGE#2:0:01/2", "nwparser.p0", "{%{protocol}} %{p0}"); - -var dup61 = setc("eventcategory","1103000000"); - -var dup62 = setc("eventcategory","1002040000"); - -var dup63 = setc("eventcategory","1001020206"); - -var dup64 = setc("eventcategory","1002000000"); - -var dup65 = setc("eventcategory","1001020200"); - -var dup66 = match("MESSAGE#33:10/0", 
"nwparser.payload", "%{threat_val->} ]%{p0}"); - -var dup67 = match("MESSAGE#33:10/1_0", "nwparser.p0", " \u003c\u003c%{interface}> %{p0}"); - -var dup68 = match("MESSAGE#33:10/1_1", "nwparser.p0", ": %{p0}"); - -var dup69 = match("MESSAGE#33:10/1_2", "nwparser.p0", " %{p0}"); - -var dup70 = setc("eventcategory","1001020100"); - -var dup71 = setc("eventcategory","1001030000"); - -var dup72 = setc("ec_subject","NetworkComm"); - -var dup73 = setc("ec_activity","Detect"); - -var dup74 = setc("ec_theme","TEV"); - -var dup75 = match("MESSAGE#80:103:01/0", "nwparser.payload", "%{context->} \u003c\u003c%{interface}> %{protocol->} %{p0}"); - -var dup76 = setf("signame","context"); - -var dup77 = setc("ec_subject","Process"); - -var dup78 = setc("eventcategory","1001020204"); - -var dup79 = setc("eventcategory","1001030500"); - -var dup80 = setc("eventcategory","1001020300"); - -var dup81 = setc("eventcategory","1001030305"); - -var dup82 = setc("eventcategory","1104000000"); - -var dup83 = setc("eventcategory","1001020205"); - -var dup84 = setc("ec_activity","Scan"); - -var dup85 = setc("eventcategory","1002010100"); - -var dup86 = setc("eventcategory","1002060000"); - -var dup87 = setc("eventcategory","1103020000"); - -var dup88 = setc("eventcategory","1103030000"); - -var dup89 = setc("eventcategory","1001020309"); - -var dup90 = setc("eventcategory","1301000000"); - -var dup91 = setc("eventcategory","1401030000"); - -var dup92 = setc("eventcategory","1003020000"); - -var dup93 = setc("eventcategory","1001030202"); - -var dup94 = setc("eventcategory","1001020308"); - -var dup95 = setc("eventcategory","1001030301"); - -var dup96 = setc("eventcategory","1001030304"); - -var dup97 = setc("eventcategory","1001020306"); - -var dup98 = setc("eventcategory","1001030302"); - -var dup99 = setc("eventcategory","1001020202"); - -var dup100 = setc("eventcategory","1003010000"); - -var dup101 = setc("eventcategory","1001020305"); - -var dup102 = setc("eventcategory","1003000000"); - 
-var dup103 = setc("eventcategory","1001030201"); - -var dup104 = setc("eventcategory","1001030203"); - -var dup105 = setc("eventcategory","1001020301"); - -var dup106 = setc("eventcategory","1001020304"); - -var dup107 = setc("eventcategory","1201010000"); - -var dup108 = setc("eventcategory","1303000000"); - -var dup109 = setc("eventcategory","1001020203"); - -var dup110 = setc("eventcategory","1204000000"); - -var dup111 = setc("eventcategory","1001020307"); - -var dup112 = setc("eventcategory","1401060000"); - -var dup113 = match("MESSAGE#5535:3086/0_0", "nwparser.payload", "%{threat_val->} ]:alert %{p0}"); - -var dup114 = match("MESSAGE#5535:3086/0_1", "nwparser.payload", "%{threat_val}]: %{p0}"); - -var dup115 = match("MESSAGE#5535:3086/0_2", "nwparser.payload", "%{threat_val->} ] %{p0}"); - -var dup116 = match("MESSAGE#5535:3086/1", "nwparser.p0", "%{p0}"); - -var dup117 = setc("eventcategory","1003050000"); - -var dup118 = setc("eventcategory","1001020201"); - -var dup119 = setc("eventcategory","1207040100"); - -var dup120 = setc("eventcategory","1102000000"); - -var dup121 = setc("eventcategory","1003010800"); - -var dup122 = setc("eventcategory","1603090000"); - -var dup123 = setc("eventcategory","1003040000"); - -var dup124 = match("MESSAGE#30119:28015/1_1", "nwparser.p0", ":alert %{p0}"); - -var dup125 = match("MESSAGE#36377:34596/3_1", "nwparser.p0", "%{saddr->} -> %{p0}"); - -var dup126 = match("MESSAGE#36377:34596/4_1", "nwparser.p0", "%{daddr}"); - -var dup127 = setc("eventcategory","1605000000"); - -var dup128 = setc("dclass_counter1_string","connections"); - -var dup129 = date_time({ - dest: "event_time", - args: ["event_time_string"], - fmts: [ - [dB,dF,dH,dc(":"),dT,dc(":"),dS,dW], - ], -}); - -var dup130 = match("MESSAGE#38458:MAC_Information_Change/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} MAC: %{smacaddr->} TTL %{p0}"); - -var dup131 = 
match("MESSAGE#38458:MAC_Information_Change/1_0", "nwparser.p0", "%{sinterface->} (%{protocol->} detected)"); - -var dup132 = match_copy("MESSAGE#38458:MAC_Information_Change/1_1", "nwparser.p0", "sinterface"); - -var dup133 = match("MESSAGE#38461:New_Host/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> %{p0}"); - -var dup134 = match_copy("MESSAGE#38462:New_Network_Protocol/2", "nwparser.p0", "protocol"); - -var dup135 = setc("eventcategory","1605020000"); - -var dup136 = match("MESSAGE#38468:TCP_Service_Information_Update/1_0", "nwparser.p0", "%{protocol->} Confidence: %{result}"); - -var dup137 = setc("ec_subject","User"); - -var dup138 = setc("ec_activity","Logon"); - -var dup139 = setc("ec_theme","Authentication"); - -var dup140 = setc("ec_outcome","Success"); - -var dup141 = setf("filename","hfld1"); - -var dup142 = setf("username","hfld3"); - -var dup143 = setf("hostip","hfld2"); - -var dup144 = setc("ec_activity","Logoff"); - -var dup145 = match("MESSAGE#38495:SystemSettings:09/1_0", "nwparser.p0", ">%{p0}"); - -var dup146 = setc("category","Session Expiration"); - -var dup147 = match("MESSAGE#38514:Primary_Detection_Engine/0", "nwparser.payload", "%{fld1}][%{policyname}] Connection Type: %{event_state}, User: %{username}, Client: %{application}, Application Protocol: %{protocol}, Web App: %{application}, Access Control Rule Name: %{rulename}, Access Control Rule Action: %{action}, Access Control Rule Reasons: %{result}, URL Category: %{category}, URL Reputation: %{p0}"); - -var dup148 = match("MESSAGE#38514:Primary_Detection_Engine/1_0", "nwparser.p0", "Risk unknown, URL: %{p0}"); - -var dup149 = match("MESSAGE#38514:Primary_Detection_Engine/1_1", "nwparser.p0", "%{reputation_num}, URL: %{p0}"); - -var dup150 = setc("eventcategory","1801000000"); - -var dup151 = setc("dclass_counter1_string","Number of File Events"); - -var dup152 = setc("dclass_counter2_string","Number of IPS Events"); - -var dup153 = 
match("MESSAGE#38521:Network_Based_Retrospective/1_0", "nwparser.p0", "-*> %{p0}"); - -var dup154 = match("MESSAGE#38521:Network_Based_Retrospective/1_1", "nwparser.p0", "> %{p0}"); - -var dup155 = match("MESSAGE#38522:Network_Based_Retrospective:01/1_0", "nwparser.p0", "From \"%{sensor}\" at %{p0}"); - -var dup156 = match("MESSAGE#38522:Network_Based_Retrospective:01/1_1", "nwparser.p0", "at %{p0}"); - -var dup157 = match("MESSAGE#38522:Network_Based_Retrospective:01/2", "nwparser.p0", "%{fld6->} %{event_time_string->} UTC %{p0}"); - -var dup158 = date_time({ - dest: "event_time", - args: ["month","day","time"], - fmts: [ - [dB,dF,dH,dc(":"),dT,dc(":"),dS], - ], -}); - -var dup159 = match("MESSAGE#38528:Client_Update/4", "nwparser.p0", "IP Address: %{saddr->} %{network_service}"); - -var dup160 = match("MESSAGE#38530:UDP_Server_Information_Update/4", "nwparser.p0", "IP Address: %{saddr->} Port: %{sport->} Service: %{p0}"); - -var dup161 = date_time({ - dest: "event_time", - args: ["hyear","hmonth","day","time"], - fmts: [ - [dW,dG,dF,dH,dc(":"),dU,dc(":"),dO], - ], -}); - -var dup162 = date_time({ - dest: "event_time", - args: ["month","day","hyear","time"], - fmts: [ - [dB,dF,dW,dH,dc(":"),dU,dc(":"),dO], - ], -}); - -var dup163 = date_time({ - dest: "starttime", - args: ["fld21"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dc("T"),dH,dc(":"),dU,dc(":"),dO,dc("Z")], - ], -}); - -var dup164 = setf("msg_id","hfld3"); - -var dup165 = constant("1003030000"); - -var dup166 = constant("1001000000"); - -var dup167 = linear_select([ - dup3, - dup4, -]); - -var dup168 = linear_select([ - dup6, - dup7, -]); - -var dup169 = linear_select([ - dup9, - dup10, -]); - -var dup170 = match("HEADER#26:0011/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} %{p0}", processor_chain([ - dup19, -])); - -var dup171 = linear_select([ - dup26, - dup27, -]); - -var dup172 = linear_select([ - dup33, - dup34, - dup35, - 
dup36, -]); - -var dup173 = linear_select([ - dup38, - dup39, - dup40, -]); - -var dup174 = linear_select([ - dup41, - dup42, - dup43, -]); - -var dup175 = linear_select([ - dup58, - dup59, -]); - -var dup176 = linear_select([ - dup67, - dup68, - dup69, -]); - -var dup177 = linear_select([ - dup113, - dup114, - dup115, -]); - -var dup178 = linear_select([ - dup68, - dup69, -]); - -var dup179 = linear_select([ - dup67, - dup124, - dup68, - dup69, -]); - -var dup180 = linear_select([ - dup39, - dup125, -]); - -var dup181 = linear_select([ - dup42, - dup126, -]); - -var dup182 = linear_select([ - dup131, - dup132, -]); - -var dup183 = match("MESSAGE#38465:OS_Confidence_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} OS: %{version->} Confidence: %{result}", processor_chain([ - dup127, - dup31, - dup32, - dup47, - dup129, -])); - -var dup184 = match("MESSAGE#38467:TCP_Service_Confidence_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport->} Service: %{protocol->} Confidence: %{result}", processor_chain([ - dup135, - dup31, - dup32, - dup47, - dup129, -])); - -var dup185 = linear_select([ - dup136, - dup134, -]); - -var dup186 = match("MESSAGE#38471:New_Client_Application", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} %{product}", processor_chain([ - dup135, - dup31, - dup32, - dup47, - dup129, -])); - -var dup187 = match("MESSAGE#38473:New_TCP_Service", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport}", processor_chain([ - dup135, - dup31, - dup32, - dup47, - dup129, -])); - -var dup188 = match("MESSAGE#38475:TCP_Port_Timeout", "nwparser.payload", "%{context->} From %{sensor->} at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr}", 
processor_chain([ - dup135, - dup31, - dup32, - dup47, - dup129, -])); - -var dup189 = linear_select([ - dup148, - dup149, -]); - -var dup190 = linear_select([ - dup153, - dup154, -]); - -var dup191 = linear_select([ - dup155, - dup156, -]); - -var dup192 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup44, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup193 = all_match({ - processors: [ - dup57, - dup175, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup44, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - ]), -}); - -var dup194 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup61, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup195 = all_match({ - processors: [ - dup57, - dup175, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup61, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - ]), -}); - -var dup196 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup62, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup197 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup63, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup198 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup64, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - 
dup56, - ]), -}); - -var dup199 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup65, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup200 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup44, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup201 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup70, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup202 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup71, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup203 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup44, - dup31, - dup45, - dup72, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup204 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup44, - dup31, - dup72, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup205 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup44, - dup31, - dup45, - dup77, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup206 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - 
on_success: processor_chain([ - dup44, - dup31, - dup77, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup207 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup62, - dup31, - dup45, - dup72, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup208 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup78, - dup31, - dup45, - dup72, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup209 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup79, - dup31, - dup45, - dup72, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup210 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup80, - dup31, - dup45, - dup72, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup211 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup81, - dup31, - dup45, - dup72, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup212 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup61, - dup31, - dup45, - dup72, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup213 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, 
- ], - on_success: processor_chain([ - dup82, - dup31, - dup45, - dup72, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup214 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup83, - dup31, - dup45, - dup72, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup215 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup85, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup216 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup85, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup217 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup62, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup218 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup86, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup219 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup86, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup220 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup64, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup221 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup63, - 
dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup222 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup80, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup223 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup80, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup224 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup87, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup225 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup88, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup226 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup88, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup227 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup83, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup228 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup83, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup229 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup61, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - 
-var dup230 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup89, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup231 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup89, - dup31, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup232 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup89, - dup31, - dup45, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup233 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup89, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup234 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup61, - dup31, - dup45, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup235 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup61, - dup31, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup236 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup91, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup237 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup91, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - 
dup51, - ]), -}); - -var dup238 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup92, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup239 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup92, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup240 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup93, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup241 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup93, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup242 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup94, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup243 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup94, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup244 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup62, - dup31, - dup45, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup245 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup62, - dup31, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup246 = 
all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup95, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup247 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup95, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup248 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup96, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup249 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup96, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup250 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup97, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup251 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup97, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup252 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup80, - dup31, - dup45, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup253 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup79, - dup31, - dup45, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), 
-}); - -var dup254 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup79, - dup31, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup255 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup78, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup256 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup78, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup257 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup98, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup258 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup78, - dup31, - dup45, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup259 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup78, - dup31, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup260 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup99, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup261 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup99, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - 
-var dup262 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup44, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup263 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup100, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup264 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup100, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup265 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup81, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup266 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup81, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup267 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup101, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup268 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup101, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup269 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup102, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup270 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - 
on_success: processor_chain([ - dup102, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup271 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup103, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup272 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup103, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup273 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup90, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup274 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup104, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup275 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup104, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup276 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup105, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup277 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup105, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup278 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup106, - dup31, - dup45, - dup32, - 
dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup279 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup106, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup280 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup98, - dup31, - dup45, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup281 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup107, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup282 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup107, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup283 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup94, - dup31, - dup45, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup284 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup94, - dup31, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup285 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup108, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup286 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ 
- dup108, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup287 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup79, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup288 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup79, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup289 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup70, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup290 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup92, - dup31, - dup45, - dup77, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup291 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup78, - dup31, - dup72, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup292 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup94, - dup31, - dup45, - dup72, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup293 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup80, - dup31, - dup45, - dup77, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup294 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: 
processor_chain([ - dup80, - dup31, - dup77, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup295 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup109, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup296 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup109, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup297 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup110, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup298 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup111, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup299 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup111, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup300 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup110, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var dup301 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup112, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup302 = all_match({ - processors: [ - dup177, - dup116, - dup173, - dup174, - ], - on_success: processor_chain([ - dup81, - dup31, - dup45, - 
dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup303 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup117, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup304 = all_match({ - processors: [ - dup177, - dup116, - dup173, - dup174, - ], - on_success: processor_chain([ - dup101, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup305 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup118, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup306 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup105, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup307 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup70, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup308 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup78, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup309 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup63, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, 
- dup56, - ]), -}); - -var dup310 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup81, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup311 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup101, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup312 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup119, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup313 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup120, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup314 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup71, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup315 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup94, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup316 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup65, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup317 = all_match({ - processors: [ - dup172, - dup37, - 
dup173, - dup174, - ], - on_success: processor_chain([ - dup121, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup318 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup100, - dup31, - dup45, - dup77, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup319 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup122, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup320 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup123, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup321 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup100, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup322 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup99, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup323 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup79, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup324 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup64, - 
dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup325 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup102, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup326 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup119, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup327 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup121, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup328 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup93, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup329 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup120, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup330 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup108, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup331 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup104, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - 
dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup332 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup90, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup333 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup83, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup334 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup89, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup335 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup97, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup336 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup61, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup337 = all_match({ - processors: [ - dup66, - dup179, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup101, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup338 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup118, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); 
- -var dup339 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup180, - dup181, - ], - on_success: processor_chain([ - dup100, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup340 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup180, - dup181, - ], - on_success: processor_chain([ - dup71, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup341 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup180, - dup181, - ], - on_success: processor_chain([ - dup63, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup342 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup180, - dup181, - ], - on_success: processor_chain([ - dup102, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup343 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup180, - dup181, - ], - on_success: processor_chain([ - dup79, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup344 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup180, - dup181, - ], - on_success: processor_chain([ - dup70, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup345 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup180, - dup181, - ], - on_success: processor_chain([ - dup64, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup346 = all_match({ - processors: [ - dup66, - dup176, - dup60, 
- dup180, - dup181, - ], - on_success: processor_chain([ - dup99, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup347 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup180, - dup181, - ], - on_success: processor_chain([ - dup101, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup348 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup180, - dup181, - ], - on_success: processor_chain([ - dup65, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup349 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup180, - dup181, - ], - on_success: processor_chain([ - dup105, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup350 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup180, - dup181, - ], - on_success: processor_chain([ - dup81, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup351 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup180, - dup181, - ], - on_success: processor_chain([ - dup78, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup352 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup180, - dup181, - ], - on_success: processor_chain([ - dup104, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var dup353 = all_match({ - processors: [ - dup57, - dup175, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup83, - 
dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - ]), -}); - -var dup354 = all_match({ - processors: [ - dup130, - dup182, - ], - on_success: processor_chain([ - dup127, - dup31, - dup32, - dup47, - dup129, - ]), -}); - -var dup355 = all_match({ - processors: [ - dup57, - dup191, - dup157, - dup190, - dup159, - ], - on_success: processor_chain([ - dup135, - dup31, - dup32, - dup47, - ]), -}); - -var dup356 = all_match({ - processors: [ - dup57, - dup191, - dup157, - dup190, - dup160, - dup185, - ], - on_success: processor_chain([ - dup135, - dup31, - dup32, - dup47, - ]), -}); - -var hdr1 = match("HEADER#0:0055", "message", "%{hyear}-%{hmonth}-%{day}T%{time}Z %FTD-%{fld2}-%{hfld3}:%{payload}", processor_chain([ - setc("header_id","0055"), - dup1, -])); - -var hdr2 = match("HEADER#1:0056", "message", "%{hyear}-%{hmonth}-%{day}T%{time}Z %{hostname->} %{fld1->} %NGIPS-%{severity}-%{hfld3}:%{payload}", processor_chain([ - setc("header_id","0056"), - setc("messageid","NGIPS_events"), -])); - -var part1 = match("HEADER#2:00010/2", "nwparser.p0", "%{result}] From %{p0}"); - -var part2 = match("HEADER#2:00010/3_0", "nwparser.p0", "\"%{group_object}/%{hfld11}\" at %{p0}"); - -var part3 = match("HEADER#2:00010/3_1", "nwparser.p0", "%{group_object}/%{hfld11->} at %{p0}"); - -var select1 = linear_select([ - part2, - part3, -]); - -var part4 = match("HEADER#2:00010/4", "nwparser.p0", "%{fld9->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); - -var all1 = all_match({ - processors: [ - dup2, - dup167, - part1, - select1, - part4, - ], - on_success: processor_chain([ - setc("header_id","00010"), - ]), -}); - -var all2 = all_match({ - processors: [ - dup2, - dup167, - dup5, - ], - on_success: processor_chain([ - setc("header_id","00011"), - ]), -}); - -var all3 = all_match({ - processors: [ - dup2, - dup168, - dup8, - ], - on_success: processor_chain([ - setc("header_id","00012"), - ]), -}); - -var all4 = all_match({ - processors: 
[ - dup2, - dup169, - dup11, - ], - on_success: processor_chain([ - setc("header_id","00013"), - ]), -}); - -var hdr3 = match("HEADER#6:0015", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: %{hfld2}:%{hfld3->} at %{hfld4}: [%{hevent_source}:%{messageid}:%{hversion}]%{payload}", processor_chain([ - setc("header_id","0015"), -])); - -var all5 = all_match({ - processors: [ - dup12, - dup167, - dup13, - ], - on_success: processor_chain([ - setc("header_id","00020"), - ]), -}); - -var all6 = all_match({ - processors: [ - dup12, - dup167, - dup5, - ], - on_success: processor_chain([ - setc("header_id","00021"), - ]), -}); - -var all7 = all_match({ - processors: [ - dup12, - dup168, - dup8, - ], - on_success: processor_chain([ - setc("header_id","00022"), - ]), -}); - -var all8 = all_match({ - processors: [ - dup12, - dup169, - dup11, - ], - on_success: processor_chain([ - setc("header_id","00023"), - ]), -}); - -var all9 = all_match({ - processors: [ - dup14, - dup167, - dup13, - ], - on_success: processor_chain([ - setc("header_id","00030"), - ]), -}); - -var all10 = all_match({ - processors: [ - dup14, - dup167, - dup5, - ], - on_success: processor_chain([ - setc("header_id","00031"), - ]), -}); - -var all11 = all_match({ - processors: [ - dup14, - dup168, - dup8, - ], - on_success: processor_chain([ - setc("header_id","00032"), - ]), -}); - -var all12 = all_match({ - processors: [ - dup14, - dup169, - dup11, - ], - on_success: processor_chain([ - setc("header_id","00033"), - ]), -}); - -var hdr4 = match("HEADER#15:0030/0", "message", "snort[%{hpid}]: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); - -var all13 = all_match({ - processors: [ - hdr4, - dup168, - dup8, - ], - on_success: processor_chain([ - setc("header_id","0030"), - ]), -}); - -var hdr5 = match("HEADER#16:0004", "message", "snort[%{hpid}]: [%{hevent_source}:%{messageid}:%{hversion}] %{payload}", processor_chain([ - setc("header_id","0004"), -])); - -var hdr6 = match("HEADER#17:0005", 
"message", "snort: [%{hevent_source}:%{messageid}:%{hversion}] %{payload}", processor_chain([ - setc("header_id","0005"), -])); - -var hdr7 = match("HEADER#18:0018", "message", "snort[%{hpid}]: %{messageid}: %{payload}", processor_chain([ - setc("header_id","0018"), -])); - -var hdr8 = match("HEADER#19:0006", "message", "snort: %{messageid}: %{payload}", processor_chain([ - setc("header_id","0006"), -])); - -var hdr9 = match("HEADER#20:0007", "message", "%{month->} %{day->} %{time->} %{host->} snort[%{hpid}]: %{messageid->} %{p0}", processor_chain([ - setc("header_id","0007"), - dup15, -])); - -var hdr10 = match("HEADER#21:0008", "message", "%{month->} %{day->} %{time->} %{host->} snort[%{hpid}]: [%{hevent_source}:%{messageid}:%{hversion}] %{payload}", processor_chain([ - setc("header_id","0008"), -])); - -var hdr11 = match("HEADER#22:0046", "message", "%{month->} %{day->} %{time->} %{hostname->} %{hfld1}: [Primary Detection Engine (%{hfld10})][%{policyname}][%{hfld2}:%{id}:%{hfld3}]%{payload}", processor_chain([ - setc("header_id","0046"), - dup16, -])); - -var hdr12 = match("HEADER#23:0009", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: [%{hpid}][%{hevent_source}:%{messageid}:%{hversion}] %{payload}", processor_chain([ - setc("header_id","0009"), -])); - -var hdr13 = match("HEADER#24:0022", "message", "%{hfld1->} %{hfld2->} %{hfld3->} %{host->} %{hfld5}: %{hfld6}: %{hfld7}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} From %{hsensor->} at %{p0}", processor_chain([ - setc("header_id","0022"), - dup17, - dup18, -])); - -var hdr14 = match("HEADER#25:0010", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} From %{hsensor->} at %{p0}", processor_chain([ - setc("header_id","0010"), - dup17, - dup18, -])); - -var part5 = match("HEADER#26:0011/1_0", "nwparser.p0", "From %{hsensor->} at%{p0}"); - -var select2 = linear_select([ - part5, - dup20, -]); - -var all14 = all_match({ - processors: [ - 
dup170, - select2, - dup21, - ], - on_success: processor_chain([ - setc("header_id","0011"), - dup22, - ]), -}); - -var part6 = match("HEADER#27:0014/1_0", "nwparser.p0", "%{fld10->} From %{hsensor->} at%{p0}"); - -var select3 = linear_select([ - part6, - dup20, -]); - -var all15 = all_match({ - processors: [ - dup170, - select3, - dup21, - ], - on_success: processor_chain([ - setc("header_id","0014"), - dup22, - ]), -}); - -var hdr15 = match("HEADER#28:0012", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} %{msgIdPart4->} From %{hsensor->} at %{p0}", processor_chain([ - setc("header_id","0012"), - dup23, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("msgIdPart1"), - constant(" "), - field("msgIdPart2"), - constant(" "), - field("msgIdPart3"), - constant(" "), - field("msgIdPart4"), - constant(" From "), - field("hsensor"), - constant(" at "), - field("p0"), - ], - }), -])); - -var hdr16 = match("HEADER#29:0016", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} %{msgIdPart4->} %{hfld12->} From %{hsensor->} at %{p0}", processor_chain([ - setc("header_id","0016"), - dup23, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("msgIdPart1"), - constant(" "), - field("msgIdPart2"), - constant(" "), - field("msgIdPart3"), - constant(" "), - field("msgIdPart4"), - constant(" "), - field("hfld12"), - constant(" From "), - field("hsensor"), - constant(" at "), - field("p0"), - ], - }), -])); - -var hdr17 = match("HEADER#30:0013", "message", "%{month->} %{day->} %{time->} %{host->} snort: %{messageid}:%{payload}", processor_chain([ - setc("header_id","0013"), -])); - -var hdr18 = match("HEADER#31:0020", "message", "%{month->} %{day->} %{time->} %{host->} %{fld}: HMNOTIFY: %{payload}", processor_chain([ - setc("header_id","0020"), - dup24, -])); - -var hdr19 = match("HEADER#32:0035", 
"message", "%{month->} %{day->} %{time->} %{host->} : HMNOTIFY: %{payload}", processor_chain([ - setc("header_id","0035"), - dup24, -])); - -var hdr20 = match("HEADER#33:0017", "message", "%{month->} %{day->} %{time->} %{host->} %{fld}: [%{hevent_source}:%{hsigid}:%{hversion}] \"%{messageid->} %{p0}", processor_chain([ - setc("header_id","0017"), - dup15, -])); - -var hdr21 = match("HEADER#34:0019", "message", "%{month->} %{day->} %{time->} %{host->} %{fld}: [%{hevent_source}:%{hsigid}:%{hversion}] %{messageid->} %{p0}", processor_chain([ - setc("header_id","0019"), - dup15, -])); - -var hdr22 = match("HEADER#35:0041", "message", "%{month->} %{day->} %{time->} %{hostname->} %{hfld1}: [Primary Detection Engine%{payload}", processor_chain([ - setc("header_id","0041"), - dup16, -])); - -var hdr23 = match("HEADER#36:0045", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: Protocol: %{hprotocol}, %{payload}", processor_chain([ - setc("header_id","0045"), - setc("messageid","connection_events"), -])); - -var hdr24 = match("HEADER#37:0042", "message", "%{month->} %{day->} %{time->} %{hfld1}: %{hfld4->} %{host}: %{hfld3}@%{hfld2}, %{payload}", processor_chain([ - setc("header_id","0042"), - dup25, -])); - -var hdr25 = match("HEADER#38:00212", "message", "%{month->} %{day->} %{time->} %{hfld1}: [%{hfld5}] %{host}: %{hfld3}@%{hfld2}, %{payload}", processor_chain([ - setc("header_id","00212"), - dup25, -])); - -var hdr26 = match("HEADER#39:0021", "message", "%{month->} %{day->} %{time->} %{hfld1}: %{host}: %{hfld3}@%{hfld2}, %{payload}", processor_chain([ - setc("header_id","0021"), - dup25, -])); - -var hdr27 = match("HEADER#40:0029", "message", "%{month->} %{day->} %{time->} %{host}: [%{hevent_source}:%{messageid}:%{hversion}] %{payload}", processor_chain([ - setc("header_id","0029"), -])); - -var hdr28 = match("HEADER#41:0024/0", "message", "snort%{p0}"); - -var all16 = all_match({ - processors: [ - hdr28, - dup171, - dup28, - ], - on_success: processor_chain([ 
- setc("header_id","0024"), - dup29, - ]), -}); - -var hdr29 = match("HEADER#42:0025/0", "message", "%{month->} %{day->} %{time->} snort%{p0}"); - -var all17 = all_match({ - processors: [ - hdr29, - dup171, - dup28, - ], - on_success: processor_chain([ - setc("header_id","0025"), - dup29, - ]), -}); - -var part7 = match("HEADER#43:0023/2", "nwparser.p0", "%{result}] From %{group_object}/%{hfld11->} at %{fld6->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); - -var all18 = all_match({ - processors: [ - dup30, - dup167, - part7, - ], - on_success: processor_chain([ - setc("header_id","0023"), - dup29, - ]), -}); - -var part8 = match("HEADER#44:0026/2", "nwparser.p0", "%{result}] From %{hfld11->} at %{fld6->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); - -var all19 = all_match({ - processors: [ - dup30, - dup167, - part8, - ], - on_success: processor_chain([ - setc("header_id","0026"), - dup29, - ]), -}); - -var all20 = all_match({ - processors: [ - dup30, - dup168, - dup8, - ], - on_success: processor_chain([ - setc("header_id","0027"), - dup29, - ]), -}); - -var all21 = all_match({ - processors: [ - dup30, - dup169, - dup11, - ], - on_success: processor_chain([ - setc("header_id","0028"), - dup29, - ]), -}); - -var hdr30 = match("HEADER#47:0040", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: Sha256:%{hfld2->} Disposition: Malware%{p0}", processor_chain([ - setc("header_id","0040"), - setc("messageid","MALWARE"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" Disposition: Malware"), - field("p0"), - ], - }), -])); - -var hdr31 = match("HEADER#48:0043", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c- %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} From %{hsensor->} at %{p0}", processor_chain([ - setc("header_id","0043"), - dup22, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("msgIdPart1"), - 
constant(" "), - field("msgIdPart2"), - constant(" "), - field("msgIdPart3"), - constant(" From "), - field("hsensor"), - constant(" at "), - field("p0"), - ], - }), -])); - -var hdr32 = match("HEADER#49:0044", "message", "%{month->} %{day->} %{time->} %{host->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ - setc("header_id","0044"), -])); - -var hdr33 = match("HEADER#50:0057/0", "message", "%{month->} %{day->} %{hyear->} %{time->} %{p0}"); - -var part9 = match("HEADER#50:0057/1_0", "nwparser.p0", "%{hostname}: %FTD-%{p0}"); - -var part10 = match("HEADER#50:0057/1_1", "nwparser.p0", "%{hostname->} %FTD-%{p0}"); - -var select4 = linear_select([ - part9, - part10, -]); - -var part11 = match("HEADER#50:0057/2", "nwparser.p0", "%{fld2}-%{hfld3}:%{payload}"); - -var all22 = all_match({ - processors: [ - hdr33, - select4, - part11, - ], - on_success: processor_chain([ - setc("header_id","0057"), - dup1, - ]), -}); - -var hdr34 = match("HEADER#51:0058", "message", "%{hyear}-%{hmonth}-%{day}T%{time}Z %{hostname->} %FTD-%{fld2}-%{hfld3}:%{payload}", processor_chain([ - setc("header_id","0058"), - dup1, -])); - -var select5 = linear_select([ - hdr1, - hdr2, - all1, - all2, - all3, - all4, - hdr3, - all5, - all6, - all7, - all8, - all9, - all10, - all11, - all12, - all13, - hdr5, - hdr6, - hdr7, - hdr8, - hdr9, - hdr10, - hdr11, - hdr12, - hdr13, - hdr14, - all14, - all15, - hdr15, - hdr16, - hdr17, - hdr18, - hdr19, - hdr20, - hdr21, - hdr22, - hdr23, - hdr24, - hdr25, - hdr26, - hdr27, - all16, - all17, - all18, - all19, - all20, - all21, - hdr30, - hdr31, - hdr32, - all22, - hdr34, -]); - -var part12 = match("MESSAGE#0:HMNOTIFY", "nwparser.payload", "%{event_type->} (Sensor %{sensor}): Severity:%{severity}: %{result}", processor_chain([ - setc("eventcategory","1604000000"), - dup31, - dup32, -])); - -var msg1 = msg("HMNOTIFY", part12); - -var msg2 = msg("0", dup192); - -var msg3 = msg("0:01", dup193); - -var select6 = linear_select([ - msg2, - msg3, -]); - 
-var msg4 = msg("1", dup194); - -var msg5 = msg("1:01", dup195); - -var select7 = linear_select([ - msg4, - msg5, -]); - -var msg6 = msg("2", dup192); - -var msg7 = msg("2:01", dup193); - -var select8 = linear_select([ - msg6, - msg7, -]); - -var msg8 = msg("3", dup192); - -var msg9 = msg("3:01", dup193); - -var select9 = linear_select([ - msg8, - msg9, -]); - -var msg10 = msg("3-10127", dup196); - -var msg11 = msg("3-10161", dup197); - -var msg12 = msg("3-10480", dup196); - -var msg13 = msg("3-10481", dup196); - -var msg14 = msg("3-11619", dup196); - -var msg15 = msg("3-11672", dup196); - -var msg16 = msg("3-12028", dup196); - -var msg17 = msg("3-12636", dup196); - -var msg18 = msg("3-12692", dup196); - -var msg19 = msg("3-7019", dup196); - -var msg20 = msg("3-7196", dup197); - -var msg21 = msg("3-8092", dup198); - -var msg22 = msg("3-8351", dup197); - -var msg23 = msg("3-10126", dup196); - -var msg24 = msg("4", dup192); - -var msg25 = msg("4:01", dup193); - -var select10 = linear_select([ - msg24, - msg25, -]); - -var msg26 = msg("5", dup195); - -var msg27 = msg("6", dup192); - -var msg28 = msg("6:01", dup193); - -var select11 = linear_select([ - msg27, - msg28, -]); - -var msg29 = msg("7", dup192); - -var msg30 = msg("7:01", dup193); - -var select12 = linear_select([ - msg29, - msg30, -]); - -var msg31 = msg("8", dup194); - -var msg32 = msg("8:01", dup195); - -var select13 = linear_select([ - msg31, - msg32, -]); - -var msg33 = msg("9", dup199); - -var msg34 = msg("10", dup200); - -var all23 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - setc("eventcategory","1614000000"), - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var msg35 = msg("11", all23); - -var msg36 = msg("12", dup192); - -var msg37 = msg("12:01", dup193); - -var select14 = linear_select([ - msg36, - msg37, -]); - -var msg38 = msg("13", dup192); - 
-var msg39 = msg("13:01", dup193); - -var select15 = linear_select([ - msg38, - msg39, -]); - -var msg40 = msg("14", dup192); - -var msg41 = msg("15", dup192); - -var msg42 = msg("15:01", dup193); - -var select16 = linear_select([ - msg41, - msg42, -]); - -var msg43 = msg("16", dup192); - -var msg44 = msg("16:01", dup193); - -var select17 = linear_select([ - msg43, - msg44, -]); - -var msg45 = msg("17", dup192); - -var msg46 = msg("17:01", dup193); - -var select18 = linear_select([ - msg45, - msg46, -]); - -var msg47 = msg("18", dup192); - -var msg48 = msg("18:01", dup193); - -var select19 = linear_select([ - msg47, - msg48, -]); - -var msg49 = msg("19", dup194); - -var msg50 = msg("19:01", dup195); - -var select20 = linear_select([ - msg49, - msg50, -]); - -var msg51 = msg("20", dup194); - -var msg52 = msg("20:01", dup195); - -var select21 = linear_select([ - msg51, - msg52, -]); - -var msg53 = msg("21", dup194); - -var msg54 = msg("21:01", dup195); - -var select22 = linear_select([ - msg53, - msg54, -]); - -var msg55 = msg("23", dup194); - -var msg56 = msg("23:01", dup195); - -var select23 = linear_select([ - msg55, - msg56, -]); - -var msg57 = msg("24", dup201); - -var msg58 = msg("25", dup201); - -var all24 = all_match({ - processors: [ - dup57, - dup175, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup70, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - ]), -}); - -var msg59 = msg("25:01", all24); - -var select24 = linear_select([ - msg58, - msg59, -]); - -var msg60 = msg("26", dup195); - -var msg61 = msg("27", dup202); - -var msg62 = msg("28", dup202); - -var msg63 = msg("29", dup202); - -var msg64 = msg("30", dup202); - -var msg65 = msg("34", dup202); - -var msg66 = msg("45", dup192); - -var msg67 = msg("46", dup192); - -var msg68 = msg("46:01", dup193); - -var select25 = linear_select([ - msg67, - msg68, -]); - -var msg69 = msg("47", dup192); - -var msg70 = msg("47:01", dup193); - -var select26 = 
linear_select([ - msg69, - msg70, -]); - -var msg71 = msg("54", dup192); - -var msg72 = msg("54:01", dup193); - -var select27 = linear_select([ - msg71, - msg72, -]); - -var msg73 = msg("55", dup192); - -var msg74 = msg("55:01", dup193); - -var select28 = linear_select([ - msg73, - msg74, -]); - -var msg75 = msg("58", dup192); - -var msg76 = msg("58:01", dup193); - -var select29 = linear_select([ - msg75, - msg76, -]); - -var msg77 = msg("96", dup192); - -var msg78 = msg("97", dup192); - -var msg79 = msg("97:01", dup193); - -var select30 = linear_select([ - msg78, - msg79, -]); - -var msg80 = msg("103", dup203); - -var msg81 = msg("103:01", dup204); - -var select31 = linear_select([ - msg80, - msg81, -]); - -var msg82 = msg("104", dup205); - -var msg83 = msg("104:01", dup206); - -var select32 = linear_select([ - msg82, - msg83, -]); - -var msg84 = msg("105", dup203); - -var msg85 = msg("105:01", dup204); - -var select33 = linear_select([ - msg84, - msg85, -]); - -var msg86 = msg("105-1", dup203); - -var msg87 = msg("105-2", dup203); - -var msg88 = msg("105-3", dup203); - -var msg89 = msg("105-4", dup207); - -var msg90 = msg("106", dup203); - -var msg91 = msg("106:01", dup204); - -var select34 = linear_select([ - msg90, - msg91, -]); - -var msg92 = msg("106-1", dup208); - -var msg93 = msg("106-2", dup209); - -var msg94 = msg("106-3", dup208); - -var msg95 = msg("106-4", dup208); - -var msg96 = msg("107", dup203); - -var msg97 = msg("107:01", dup204); - -var select35 = linear_select([ - msg96, - msg97, -]); - -var msg98 = msg("108", dup203); - -var all25 = all_match({ - processors: [ - dup57, - dup175, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup44, - dup31, - dup72, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - ]), -}); - -var msg99 = msg("108:01", all25); - -var msg100 = msg("108:02", dup204); - -var select36 = linear_select([ - msg98, - msg99, - msg100, -]); - -var msg101 = msg("109", dup203); - -var 
msg102 = msg("109:01", dup204); - -var select37 = linear_select([ - msg101, - msg102, -]); - -var msg103 = msg("110", dup203); - -var msg104 = msg("110:01", dup204); - -var select38 = linear_select([ - msg103, - msg104, -]); - -var msg105 = msg("110-1", dup207); - -var msg106 = msg("110-2", dup207); - -var msg107 = msg("110-3", dup207); - -var msg108 = msg("110-4", dup207); - -var msg109 = msg("111", dup203); - -var msg110 = msg("111:01", dup204); - -var select39 = linear_select([ - msg109, - msg110, -]); - -var msg111 = msg("111-1", dup207); - -var msg112 = msg("111-10", dup207); - -var msg113 = msg("111-11", dup207); - -var msg114 = msg("111-12", dup207); - -var msg115 = msg("111-13", dup207); - -var msg116 = msg("111-14", dup207); - -var msg117 = msg("111-15", dup207); - -var msg118 = msg("111-16", dup207); - -var msg119 = msg("111-17", dup207); - -var msg120 = msg("111-2", dup207); - -var msg121 = msg("111-3", dup207); - -var msg122 = msg("111-4", dup207); - -var msg123 = msg("111-5", dup207); - -var msg124 = msg("111-6", dup207); - -var msg125 = msg("111-7", dup207); - -var msg126 = msg("111-8", dup207); - -var msg127 = msg("111-9", dup207); - -var msg128 = msg("112", dup203); - -var msg129 = msg("112:01", dup204); - -var select40 = linear_select([ - msg128, - msg129, -]); - -var msg130 = msg("112-1", dup207); - -var msg131 = msg("112-2", dup207); - -var msg132 = msg("112-3", dup207); - -var msg133 = msg("112-4", dup207); - -var msg134 = msg("113", dup203); - -var msg135 = msg("113:01", dup204); - -var select41 = linear_select([ - msg134, - msg135, -]); - -var msg136 = msg("114", dup203); - -var msg137 = msg("114:01", dup204); - -var select42 = linear_select([ - msg136, - msg137, -]); - -var msg138 = msg("115", dup203); - -var msg139 = msg("115:01", dup204); - -var select43 = linear_select([ - msg138, - msg139, -]); - -var msg140 = msg("115-1", dup207); - -var msg141 = msg("115-2", dup207); - -var msg142 = msg("115-3", dup210); - -var msg143 = msg("115-4", 
dup210); - -var msg144 = msg("115-5", dup207); - -var msg145 = msg("116", dup203); - -var msg146 = msg("116:01", dup204); - -var select44 = linear_select([ - msg145, - msg146, -]); - -var msg147 = msg("116-5", dup209); - -var msg148 = msg("117", dup203); - -var msg149 = msg("117:01", dup204); - -var select45 = linear_select([ - msg148, - msg149, -]); - -var msg150 = msg("118", dup203); - -var msg151 = msg("118:01", dup204); - -var select46 = linear_select([ - msg150, - msg151, -]); - -var msg152 = msg("119", dup203); - -var all26 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup44, - dup31, - dup72, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - ]), -}); - -var msg153 = msg("119:01", all26); - -var select47 = linear_select([ - msg152, - msg153, -]); - -var msg154 = msg("119-1", dup211); - -var msg155 = msg("119-10", dup211); - -var msg156 = msg("119-11", dup211); - -var msg157 = msg("119-12", dup211); - -var msg158 = msg("119-13", dup211); - -var msg159 = msg("119-14", dup211); - -var msg160 = msg("119-15", dup211); - -var msg161 = msg("119-16", dup211); - -var msg162 = msg("119-17", dup211); - -var msg163 = msg("119-18", dup211); - -var msg164 = msg("119-2", dup211); - -var msg165 = msg("119-3", dup211); - -var msg166 = msg("119-4", dup211); - -var msg167 = msg("119-5", dup211); - -var msg168 = msg("119-6", dup211); - -var msg169 = msg("119-7", dup211); - -var msg170 = msg("119-8", dup211); - -var msg171 = msg("119-9", dup211); - -var msg172 = msg("120", dup203); - -var msg173 = msg("120:01", dup204); - -var select48 = linear_select([ - msg172, - msg173, -]); - -var msg174 = msg("120-1", dup211); - -var msg175 = msg("121", dup203); - -var msg176 = msg("121:01", dup204); - -var select49 = linear_select([ - msg175, - msg176, -]); - -var msg177 = msg("121-1", dup212); - -var msg178 = msg("121-2", dup212); - -var msg179 = msg("121-3", dup212); - -var msg180 = msg("121-4", dup212); 
- -var msg181 = msg("122", dup203); - -var msg182 = msg("122:01", dup204); - -var select50 = linear_select([ - msg181, - msg182, -]); - -var msg183 = msg("122-1", dup212); - -var msg184 = msg("122-10", dup212); - -var msg185 = msg("122-11", dup213); - -var msg186 = msg("122-12", dup212); - -var msg187 = msg("122-13", dup212); - -var msg188 = msg("122-14", dup212); - -var msg189 = msg("122-15", dup213); - -var msg190 = msg("122-16", dup212); - -var msg191 = msg("122-17", dup212); - -var msg192 = msg("122-18", dup212); - -var msg193 = msg("122-19", dup213); - -var msg194 = msg("122-2", dup212); - -var msg195 = msg("122-20", dup212); - -var msg196 = msg("122-21", dup212); - -var msg197 = msg("122-22", dup212); - -var msg198 = msg("122-23", dup213); - -var msg199 = msg("122-24", dup212); - -var msg200 = msg("122-25", dup213); - -var msg201 = msg("122-26", dup213); - -var msg202 = msg("122-27", dup212); - -var msg203 = msg("122-3", dup213); - -var msg204 = msg("122-4", dup212); - -var msg205 = msg("122-5", dup212); - -var msg206 = msg("122-6", dup212); - -var msg207 = msg("122-7", dup213); - -var msg208 = msg("122-8", dup212); - -var msg209 = msg("122-9", dup212); - -var msg210 = msg("123-10", dup207); - -var msg211 = msg("123-9", dup207); - -var msg212 = msg("124", dup203); - -var msg213 = msg("124:01", dup204); - -var select51 = linear_select([ - msg212, - msg213, -]); - -var msg214 = msg("124-1", dup210); - -var msg215 = msg("125", dup203); - -var msg216 = msg("125:01", dup204); - -var select52 = linear_select([ - msg215, - msg216, -]); - -var msg217 = msg("125-3", dup207); - -var msg218 = msg("125-5", dup207); - -var msg219 = msg("125-6", dup214); - -var msg220 = msg("125-8", dup207); - -var msg221 = msg("126", dup203); - -var msg222 = msg("126:01", dup204); - -var select53 = linear_select([ - msg221, - msg222, -]); - -var msg223 = msg("126-1", dup207); - -var msg224 = msg("127", dup203); - -var msg225 = msg("127:01", dup204); - -var select54 = linear_select([ - 
msg224, - msg225, -]); - -var msg226 = msg("128", dup203); - -var msg227 = msg("128:01", dup204); - -var select55 = linear_select([ - msg226, - msg227, -]); - -var msg228 = msg("129", dup203); - -var msg229 = msg("129:01", dup204); - -var select56 = linear_select([ - msg228, - msg229, -]); - -var msg230 = msg("129-2", dup207); - -var msg231 = msg("129-6", dup207); - -var msg232 = msg("130", dup203); - -var msg233 = msg("130:01", dup204); - -var select57 = linear_select([ - msg232, - msg233, -]); - -var msg234 = msg("131", dup203); - -var msg235 = msg("131:01", dup204); - -var select58 = linear_select([ - msg234, - msg235, -]); - -var msg236 = msg("131-3", dup207); - -var msg237 = msg("132", dup203); - -var msg238 = msg("132:01", dup204); - -var select59 = linear_select([ - msg237, - msg238, -]); - -var msg239 = msg("133", dup203); - -var msg240 = msg("133:01", dup204); - -var select60 = linear_select([ - msg239, - msg240, -]); - -var msg241 = msg("134", dup203); - -var msg242 = msg("134:01", dup204); - -var select61 = linear_select([ - msg241, - msg242, -]); - -var msg243 = msg("135", dup203); - -var msg244 = msg("135:01", dup204); - -var select62 = linear_select([ - msg243, - msg244, -]); - -var msg245 = msg("136", dup203); - -var msg246 = msg("136:01", dup204); - -var select63 = linear_select([ - msg245, - msg246, -]); - -var msg247 = msg("137", dup203); - -var msg248 = msg("137:01", dup204); - -var select64 = linear_select([ - msg247, - msg248, -]); - -var msg249 = msg("138", dup203); - -var msg250 = msg("138:01", dup204); - -var select65 = linear_select([ - msg249, - msg250, -]); - -var msg251 = msg("140", dup203); - -var msg252 = msg("140:01", dup204); - -var select66 = linear_select([ - msg251, - msg252, -]); - -var msg253 = msg("141", dup203); - -var msg254 = msg("141:01", dup204); - -var select67 = linear_select([ - msg253, - msg254, -]); - -var msg255 = msg("142", dup203); - -var msg256 = msg("142:01", dup204); - -var select68 = linear_select([ - msg255, - 
msg256, -]); - -var msg257 = msg("143", dup203); - -var msg258 = msg("143:01", dup204); - -var select69 = linear_select([ - msg257, - msg258, -]); - -var msg259 = msg("144", dup214); - -var all27 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup83, - dup31, - dup72, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var msg260 = msg("144:01", all27); - -var select70 = linear_select([ - msg259, - msg260, -]); - -var msg261 = msg("145", dup203); - -var msg262 = msg("145:01", dup204); - -var select71 = linear_select([ - msg261, - msg262, -]); - -var msg263 = msg("146", dup203); - -var msg264 = msg("146:01", dup204); - -var select72 = linear_select([ - msg263, - msg264, -]); - -var msg265 = msg("147", dup203); - -var msg266 = msg("147:01", dup204); - -var select73 = linear_select([ - msg265, - msg266, -]); - -var msg267 = msg("148", dup203); - -var msg268 = msg("148:01", dup204); - -var select74 = linear_select([ - msg267, - msg268, -]); - -var msg269 = msg("149", dup203); - -var msg270 = msg("149:01", dup204); - -var select75 = linear_select([ - msg269, - msg270, -]); - -var msg271 = msg("150", dup203); - -var msg272 = msg("150:01", dup204); - -var select76 = linear_select([ - msg271, - msg272, -]); - -var msg273 = msg("151", dup203); - -var msg274 = msg("151:01", dup204); - -var select77 = linear_select([ - msg273, - msg274, -]); - -var msg275 = msg("152", dup203); - -var msg276 = msg("152:01", dup204); - -var select78 = linear_select([ - msg275, - msg276, -]); - -var msg277 = msg("153", dup203); - -var msg278 = msg("153:01", dup204); - -var select79 = linear_select([ - msg277, - msg278, -]); - -var msg279 = msg("154", dup203); - -var msg280 = msg("154:01", dup204); - -var select80 = linear_select([ - msg279, - msg280, -]); - -var msg281 = msg("155", dup203); - -var msg282 = msg("155:01", dup204); - -var select81 = linear_select([ - msg281, - msg282, -]); - -var 
msg283 = msg("156", dup203); - -var msg284 = msg("156:01", dup204); - -var select82 = linear_select([ - msg283, - msg284, -]); - -var msg285 = msg("157", dup203); - -var msg286 = msg("157:01", dup204); - -var select83 = linear_select([ - msg285, - msg286, -]); - -var msg287 = msg("158", dup203); - -var msg288 = msg("158:01", dup204); - -var select84 = linear_select([ - msg287, - msg288, -]); - -var msg289 = msg("159", dup203); - -var msg290 = msg("159:01", dup204); - -var select85 = linear_select([ - msg289, - msg290, -]); - -var msg291 = msg("160", dup203); - -var msg292 = msg("160:01", dup204); - -var select86 = linear_select([ - msg291, - msg292, -]); - -var msg293 = msg("161", dup203); - -var msg294 = msg("161:01", dup204); - -var select87 = linear_select([ - msg293, - msg294, -]); - -var msg295 = msg("162", dup203); - -var msg296 = msg("162:01", dup204); - -var select88 = linear_select([ - msg295, - msg296, -]); - -var msg297 = msg("163", dup203); - -var msg298 = msg("163:01", dup204); - -var select89 = linear_select([ - msg297, - msg298, -]); - -var msg299 = msg("164", dup203); - -var msg300 = msg("164:01", dup204); - -var select90 = linear_select([ - msg299, - msg300, -]); - -var msg301 = msg("165", dup203); - -var msg302 = msg("165:01", dup204); - -var select91 = linear_select([ - msg301, - msg302, -]); - -var msg303 = msg("166", dup203); - -var msg304 = msg("166:01", dup204); - -var select92 = linear_select([ - msg303, - msg304, -]); - -var msg305 = msg("167", dup203); - -var msg306 = msg("167:01", dup204); - -var select93 = linear_select([ - msg305, - msg306, -]); - -var msg307 = msg("168", dup203); - -var msg308 = msg("168:01", dup204); - -var select94 = linear_select([ - msg307, - msg308, -]); - -var msg309 = msg("169", dup203); - -var msg310 = msg("169:01", dup204); - -var select95 = linear_select([ - msg309, - msg310, -]); - -var msg311 = msg("170", dup203); - -var msg312 = msg("170:01", dup204); - -var select96 = linear_select([ - msg311, - msg312, 
-]); - -var msg313 = msg("171", dup203); - -var msg314 = msg("171:01", dup204); - -var select97 = linear_select([ - msg313, - msg314, -]); - -var msg315 = msg("172", dup203); - -var msg316 = msg("172:01", dup204); - -var select98 = linear_select([ - msg315, - msg316, -]); - -var msg317 = msg("173", dup203); - -var msg318 = msg("173:01", dup204); - -var select99 = linear_select([ - msg317, - msg318, -]); - -var msg319 = msg("174", dup203); - -var msg320 = msg("174:01", dup204); - -var select100 = linear_select([ - msg319, - msg320, -]); - -var msg321 = msg("175", dup203); - -var msg322 = msg("175:01", dup204); - -var select101 = linear_select([ - msg321, - msg322, -]); - -var msg323 = msg("176", dup203); - -var msg324 = msg("176:01", dup204); - -var select102 = linear_select([ - msg323, - msg324, -]); - -var msg325 = msg("177", dup203); - -var msg326 = msg("177:01", dup204); - -var select103 = linear_select([ - msg325, - msg326, -]); - -var msg327 = msg("179", dup203); - -var msg328 = msg("179:01", dup204); - -var select104 = linear_select([ - msg327, - msg328, -]); - -var msg329 = msg("180", dup203); - -var msg330 = msg("180:01", dup204); - -var select105 = linear_select([ - msg329, - msg330, -]); - -var all28 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup44, - dup31, - dup45, - dup72, - dup73, - dup74, - dup84, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var msg331 = msg("181", all28); - -var all29 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup44, - dup31, - dup72, - dup73, - dup74, - dup84, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var msg332 = msg("181:01", all29); - -var select106 = linear_select([ - msg331, - msg332, -]); - -var msg333 = msg("182", dup203); - -var msg334 = msg("182:01", dup204); - -var select107 = 
linear_select([ - msg333, - msg334, -]); - -var msg335 = msg("183", dup203); - -var msg336 = msg("183:01", dup204); - -var select108 = linear_select([ - msg335, - msg336, -]); - -var msg337 = msg("184", dup203); - -var msg338 = msg("184:01", dup204); - -var select109 = linear_select([ - msg337, - msg338, -]); - -var msg339 = msg("185", dup203); - -var msg340 = msg("185:01", dup204); - -var select110 = linear_select([ - msg339, - msg340, -]); - -var msg341 = msg("186", dup203); - -var msg342 = msg("186:01", dup204); - -var select111 = linear_select([ - msg341, - msg342, -]); - -var msg343 = msg("187", dup203); - -var msg344 = msg("187:01", dup204); - -var select112 = linear_select([ - msg343, - msg344, -]); - -var msg345 = msg("188", dup203); - -var msg346 = msg("188:01", dup204); - -var select113 = linear_select([ - msg345, - msg346, -]); - -var msg347 = msg("189", dup203); - -var msg348 = msg("189:01", dup204); - -var select114 = linear_select([ - msg347, - msg348, -]); - -var msg349 = msg("190", dup203); - -var msg350 = msg("190:01", dup204); - -var select115 = linear_select([ - msg349, - msg350, -]); - -var msg351 = msg("191", dup203); - -var msg352 = msg("191:01", dup204); - -var select116 = linear_select([ - msg351, - msg352, -]); - -var msg353 = msg("192", dup203); - -var msg354 = msg("192:01", dup204); - -var select117 = linear_select([ - msg353, - msg354, -]); - -var msg355 = msg("193", dup203); - -var msg356 = msg("193:01", dup204); - -var select118 = linear_select([ - msg355, - msg356, -]); - -var msg357 = msg("194", dup203); - -var msg358 = msg("194:01", dup204); - -var select119 = linear_select([ - msg357, - msg358, -]); - -var msg359 = msg("195", dup203); - -var msg360 = msg("195:01", dup204); - -var select120 = linear_select([ - msg359, - msg360, -]); - -var msg361 = msg("196", dup203); - -var msg362 = msg("196:01", dup204); - -var select121 = linear_select([ - msg361, - msg362, -]); - -var msg363 = msg("197", dup203); - -var msg364 = msg("197:01", 
dup204); - -var select122 = linear_select([ - msg363, - msg364, -]); - -var msg365 = msg("198", dup203); - -var msg366 = msg("198:01", dup204); - -var select123 = linear_select([ - msg365, - msg366, -]); - -var msg367 = msg("199", dup203); - -var msg368 = msg("199:01", dup204); - -var select124 = linear_select([ - msg367, - msg368, -]); - -var msg369 = msg("200", dup203); - -var msg370 = msg("200:01", dup204); - -var select125 = linear_select([ - msg369, - msg370, -]); - -var msg371 = msg("201", dup203); - -var msg372 = msg("201:01", dup204); - -var select126 = linear_select([ - msg371, - msg372, -]); - -var msg373 = msg("202", dup203); - -var msg374 = msg("202:01", dup204); - -var select127 = linear_select([ - msg373, - msg374, -]); - -var msg375 = msg("203", dup203); - -var msg376 = msg("203:01", dup204); - -var select128 = linear_select([ - msg375, - msg376, -]); - -var msg377 = msg("204", dup203); - -var msg378 = msg("204:01", dup204); - -var select129 = linear_select([ - msg377, - msg378, -]); - -var msg379 = msg("205", dup203); - -var msg380 = msg("205:01", dup204); - -var select130 = linear_select([ - msg379, - msg380, -]); - -var msg381 = msg("206", dup203); - -var msg382 = msg("206:01", dup204); - -var select131 = linear_select([ - msg381, - msg382, -]); - -var msg383 = msg("207", dup203); - -var msg384 = msg("207:01", dup204); - -var select132 = linear_select([ - msg383, - msg384, -]); - -var msg385 = msg("208", dup203); - -var msg386 = msg("208:01", dup204); - -var select133 = linear_select([ - msg385, - msg386, -]); - -var msg387 = msg("209", dup203); - -var msg388 = msg("209:01", dup204); - -var select134 = linear_select([ - msg387, - msg388, -]); - -var msg389 = msg("210", dup203); - -var msg390 = msg("210:01", dup204); - -var select135 = linear_select([ - msg389, - msg390, -]); - -var msg391 = msg("211", dup203); - -var msg392 = msg("211:01", dup204); - -var select136 = linear_select([ - msg391, - msg392, -]); - -var msg393 = msg("212", dup203); - 
-var msg394 = msg("212:01", dup204); - -var select137 = linear_select([ - msg393, - msg394, -]); - -var msg395 = msg("213", dup203); - -var msg396 = msg("213:01", dup204); - -var select138 = linear_select([ - msg395, - msg396, -]); - -var msg397 = msg("214", dup203); - -var msg398 = msg("214:01", dup204); - -var select139 = linear_select([ - msg397, - msg398, -]); - -var msg399 = msg("215", dup203); - -var msg400 = msg("215:01", dup204); - -var select140 = linear_select([ - msg399, - msg400, -]); - -var msg401 = msg("216", dup203); - -var msg402 = msg("216:01", dup204); - -var select141 = linear_select([ - msg401, - msg402, -]); - -var msg403 = msg("217", dup203); - -var msg404 = msg("217:01", dup204); - -var select142 = linear_select([ - msg403, - msg404, -]); - -var msg405 = msg("218", dup203); - -var msg406 = msg("218:01", dup204); - -var select143 = linear_select([ - msg405, - msg406, -]); - -var msg407 = msg("219", dup203); - -var msg408 = msg("219:01", dup204); - -var select144 = linear_select([ - msg407, - msg408, -]); - -var msg409 = msg("220", dup203); - -var msg410 = msg("220:01", dup204); - -var select145 = linear_select([ - msg409, - msg410, -]); - -var msg411 = msg("221", dup215); - -var msg412 = msg("221:01", dup216); - -var select146 = linear_select([ - msg411, - msg412, -]); - -var msg413 = msg("222", dup215); - -var msg414 = msg("222:01", dup216); - -var select147 = linear_select([ - msg413, - msg414, -]); - -var msg415 = msg("223", dup215); - -var msg416 = msg("223:01", dup216); - -var select148 = linear_select([ - msg415, - msg416, -]); - -var msg417 = msg("224", dup215); - -var msg418 = msg("224:01", dup216); - -var select149 = linear_select([ - msg417, - msg418, -]); - -var msg419 = msg("225", dup215); - -var msg420 = msg("225:01", dup216); - -var select150 = linear_select([ - msg419, - msg420, -]); - -var msg421 = msg("226", dup215); - -var msg422 = msg("226:01", dup216); - -var select151 = linear_select([ - msg421, - msg422, -]); - -var 
msg423 = msg("227", dup215); - -var msg424 = msg("227:01", dup216); - -var select152 = linear_select([ - msg423, - msg424, -]); - -var msg425 = msg("228", dup215); - -var msg426 = msg("228:01", dup216); - -var select153 = linear_select([ - msg425, - msg426, -]); - -var msg427 = msg("229", dup215); - -var msg428 = msg("229:01", dup216); - -var select154 = linear_select([ - msg427, - msg428, -]); - -var msg429 = msg("230", dup215); - -var msg430 = msg("230:01", dup216); - -var select155 = linear_select([ - msg429, - msg430, -]); - -var msg431 = msg("231", dup215); - -var msg432 = msg("231:01", dup216); - -var select156 = linear_select([ - msg431, - msg432, -]); - -var msg433 = msg("232", dup215); - -var msg434 = msg("232:01", dup216); - -var select157 = linear_select([ - msg433, - msg434, -]); - -var msg435 = msg("233", dup215); - -var msg436 = msg("233:01", dup216); - -var select158 = linear_select([ - msg435, - msg436, -]); - -var msg437 = msg("234", dup215); - -var msg438 = msg("234:01", dup216); - -var select159 = linear_select([ - msg437, - msg438, -]); - -var msg439 = msg("235", dup215); - -var msg440 = msg("235:01", dup216); - -var select160 = linear_select([ - msg439, - msg440, -]); - -var msg441 = msg("236", dup215); - -var msg442 = msg("236:01", dup216); - -var select161 = linear_select([ - msg441, - msg442, -]); - -var msg443 = msg("237", dup215); - -var msg444 = msg("237:01", dup216); - -var select162 = linear_select([ - msg443, - msg444, -]); - -var msg445 = msg("238", dup215); - -var msg446 = msg("238:01", dup216); - -var select163 = linear_select([ - msg445, - msg446, -]); - -var msg447 = msg("239", dup215); - -var msg448 = msg("239:01", dup216); - -var select164 = linear_select([ - msg447, - msg448, -]); - -var msg449 = msg("240", dup215); - -var msg450 = msg("240:01", dup216); - -var select165 = linear_select([ - msg449, - msg450, -]); - -var msg451 = msg("241", dup215); - -var msg452 = msg("241:01", dup216); - -var select166 = linear_select([ - 
msg451, - msg452, -]); - -var msg453 = msg("243", dup215); - -var msg454 = msg("243:01", dup216); - -var select167 = linear_select([ - msg453, - msg454, -]); - -var msg455 = msg("244", dup215); - -var msg456 = msg("244:01", dup216); - -var select168 = linear_select([ - msg455, - msg456, -]); - -var msg457 = msg("245", dup215); - -var msg458 = msg("245:01", dup216); - -var select169 = linear_select([ - msg457, - msg458, -]); - -var msg459 = msg("246", dup215); - -var msg460 = msg("246:01", dup216); - -var select170 = linear_select([ - msg459, - msg460, -]); - -var msg461 = msg("247", dup215); - -var msg462 = msg("247:01", dup216); - -var select171 = linear_select([ - msg461, - msg462, -]); - -var msg463 = msg("248", dup215); - -var msg464 = msg("248:01", dup216); - -var select172 = linear_select([ - msg463, - msg464, -]); - -var msg465 = msg("249", dup215); - -var msg466 = msg("249:01", dup216); - -var select173 = linear_select([ - msg465, - msg466, -]); - -var msg467 = msg("250", dup215); - -var msg468 = msg("250:01", dup216); - -var select174 = linear_select([ - msg467, - msg468, -]); - -var msg469 = msg("251", dup215); - -var msg470 = msg("251:01", dup216); - -var select175 = linear_select([ - msg469, - msg470, -]); - -var msg471 = msg("252", dup196); - -var msg472 = msg("252:01", dup217); - -var select176 = linear_select([ - msg471, - msg472, -]); - -var msg473 = msg("253", dup196); - -var msg474 = msg("253:01", dup217); - -var select177 = linear_select([ - msg473, - msg474, -]); - -var msg475 = msg("254", dup196); - -var msg476 = msg("254:01", dup217); - -var select178 = linear_select([ - msg475, - msg476, -]); - -var msg477 = msg("255", dup196); - -var msg478 = msg("255:01", dup217); - -var select179 = linear_select([ - msg477, - msg478, -]); - -var msg479 = msg("256", dup196); - -var msg480 = msg("256:01", dup217); - -var select180 = linear_select([ - msg479, - msg480, -]); - -var msg481 = msg("257", dup196); - -var msg482 = msg("257:01", dup217); - -var 
select181 = linear_select([ - msg481, - msg482, -]); - -var msg483 = msg("258", dup218); - -var msg484 = msg("258:01", dup219); - -var select182 = linear_select([ - msg483, - msg484, -]); - -var msg485 = msg("259", dup218); - -var msg486 = msg("259:01", dup219); - -var select183 = linear_select([ - msg485, - msg486, -]); - -var msg487 = msg("260", dup218); - -var msg488 = msg("260:01", dup219); - -var select184 = linear_select([ - msg487, - msg488, -]); - -var msg489 = msg("261", dup218); - -var msg490 = msg("261:01", dup219); - -var select185 = linear_select([ - msg489, - msg490, -]); - -var msg491 = msg("262", dup218); - -var msg492 = msg("262:01", dup219); - -var select186 = linear_select([ - msg491, - msg492, -]); - -var msg493 = msg("264", dup218); - -var msg494 = msg("264:01", dup219); - -var select187 = linear_select([ - msg493, - msg494, -]); - -var msg495 = msg("265", dup218); - -var msg496 = msg("265:01", dup219); - -var select188 = linear_select([ - msg495, - msg496, -]); - -var msg497 = msg("266", dup218); - -var msg498 = msg("266:01", dup219); - -var select189 = linear_select([ - msg497, - msg498, -]); - -var msg499 = msg("267", dup218); - -var msg500 = msg("267:01", dup219); - -var select190 = linear_select([ - msg499, - msg500, -]); - -var msg501 = msg("268", dup198); - -var msg502 = msg("268:01", dup220); - -var select191 = linear_select([ - msg501, - msg502, -]); - -var msg503 = msg("269", dup198); - -var msg504 = msg("269:01", dup220); - -var select192 = linear_select([ - msg503, - msg504, -]); - -var msg505 = msg("270", dup198); - -var msg506 = msg("270:01", dup220); - -var select193 = linear_select([ - msg505, - msg506, -]); - -var msg507 = msg("271", dup198); - -var msg508 = msg("271:01", dup220); - -var select194 = linear_select([ - msg507, - msg508, -]); - -var msg509 = msg("272", dup198); - -var msg510 = msg("272:01", dup220); - -var select195 = linear_select([ - msg509, - msg510, -]); - -var msg511 = msg("273", dup198); - -var msg512 = 
msg("273:01", dup220); - -var select196 = linear_select([ - msg511, - msg512, -]); - -var msg513 = msg("274", dup198); - -var msg514 = msg("274:01", dup220); - -var select197 = linear_select([ - msg513, - msg514, -]); - -var msg515 = msg("275", dup198); - -var msg516 = msg("275:01", dup220); - -var select198 = linear_select([ - msg515, - msg516, -]); - -var msg517 = msg("276", dup198); - -var msg518 = msg("276:01", dup220); - -var select199 = linear_select([ - msg517, - msg518, -]); - -var msg519 = msg("277", dup198); - -var msg520 = msg("277:01", dup220); - -var select200 = linear_select([ - msg519, - msg520, -]); - -var msg521 = msg("278", dup198); - -var msg522 = msg("278:01", dup220); - -var select201 = linear_select([ - msg521, - msg522, -]); - -var msg523 = msg("279", dup198); - -var msg524 = msg("279:01", dup220); - -var select202 = linear_select([ - msg523, - msg524, -]); - -var msg525 = msg("280", dup198); - -var msg526 = msg("280:01", dup220); - -var select203 = linear_select([ - msg525, - msg526, -]); - -var msg527 = msg("281", dup198); - -var msg528 = msg("281:01", dup220); - -var select204 = linear_select([ - msg527, - msg528, -]); - -var msg529 = msg("282", dup198); - -var msg530 = msg("282:01", dup220); - -var select205 = linear_select([ - msg529, - msg530, -]); - -var msg531 = msg("283", dup197); - -var msg532 = msg("283:01", dup221); - -var select206 = linear_select([ - msg531, - msg532, -]); - -var msg533 = msg("284", dup197); - -var msg534 = msg("284:01", dup221); - -var select207 = linear_select([ - msg533, - msg534, -]); - -var msg535 = msg("285", dup197); - -var msg536 = msg("285:01", dup221); - -var select208 = linear_select([ - msg535, - msg536, -]); - -var msg537 = msg("286", dup197); - -var msg538 = msg("286:01", dup221); - -var select209 = linear_select([ - msg537, - msg538, -]); - -var msg539 = msg("287", dup197); - -var msg540 = msg("287:01", dup221); - -var select210 = linear_select([ - msg539, - msg540, -]); - -var msg541 = msg("288", 
dup197); - -var msg542 = msg("288:01", dup221); - -var select211 = linear_select([ - msg541, - msg542, -]); - -var msg543 = msg("289", dup197); - -var msg544 = msg("289:01", dup221); - -var select212 = linear_select([ - msg543, - msg544, -]); - -var msg545 = msg("290", dup197); - -var msg546 = msg("290:01", dup221); - -var select213 = linear_select([ - msg545, - msg546, -]); - -var msg547 = msg("291", dup197); - -var msg548 = msg("291:01", dup221); - -var select214 = linear_select([ - msg547, - msg548, -]); - -var msg549 = msg("292", dup197); - -var msg550 = msg("292:01", dup221); - -var select215 = linear_select([ - msg549, - msg550, -]); - -var msg551 = msg("293", dup197); - -var msg552 = msg("293:01", dup221); - -var select216 = linear_select([ - msg551, - msg552, -]); - -var msg553 = msg("295", dup197); - -var msg554 = msg("295:01", dup221); - -var select217 = linear_select([ - msg553, - msg554, -]); - -var msg555 = msg("296", dup197); - -var msg556 = msg("296:01", dup221); - -var select218 = linear_select([ - msg555, - msg556, -]); - -var msg557 = msg("297", dup197); - -var msg558 = msg("297:01", dup221); - -var select219 = linear_select([ - msg557, - msg558, -]); - -var msg559 = msg("298", dup197); - -var msg560 = msg("298:01", dup221); - -var select220 = linear_select([ - msg559, - msg560, -]); - -var msg561 = msg("299", dup197); - -var msg562 = msg("299:01", dup221); - -var select221 = linear_select([ - msg561, - msg562, -]); - -var msg563 = msg("300", dup197); - -var msg564 = msg("300:01", dup221); - -var select222 = linear_select([ - msg563, - msg564, -]); - -var msg565 = msg("301", dup197); - -var msg566 = msg("301:01", dup221); - -var select223 = linear_select([ - msg565, - msg566, -]); - -var msg567 = msg("302", dup197); - -var msg568 = msg("302:01", dup221); - -var select224 = linear_select([ - msg567, - msg568, -]); - -var msg569 = msg("303", dup218); - -var msg570 = msg("303:01", dup219); - -var select225 = linear_select([ - msg569, - msg570, -]); - 
-var msg571 = msg("304", dup197); - -var msg572 = msg("304:01", dup221); - -var select226 = linear_select([ - msg571, - msg572, -]); - -var msg573 = msg("305", dup197); - -var msg574 = msg("305:01", dup221); - -var select227 = linear_select([ - msg573, - msg574, -]); - -var msg575 = msg("306", dup196); - -var msg576 = msg("306:01", dup217); - -var select228 = linear_select([ - msg575, - msg576, -]); - -var msg577 = msg("307", dup197); - -var msg578 = msg("307:01", dup221); - -var select229 = linear_select([ - msg577, - msg578, -]); - -var msg579 = msg("308", dup197); - -var msg580 = msg("308:01", dup221); - -var select230 = linear_select([ - msg579, - msg580, -]); - -var msg581 = msg("309", dup197); - -var msg582 = msg("309:01", dup221); - -var select231 = linear_select([ - msg581, - msg582, -]); - -var msg583 = msg("310", dup197); - -var msg584 = msg("310:01", dup221); - -var select232 = linear_select([ - msg583, - msg584, -]); - -var msg585 = msg("311", dup197); - -var msg586 = msg("311:01", dup221); - -var select233 = linear_select([ - msg585, - msg586, -]); - -var msg587 = msg("312", dup222); - -var msg588 = msg("312:01", dup223); - -var select234 = linear_select([ - msg587, - msg588, -]); - -var msg589 = msg("313", dup197); - -var msg590 = msg("313:01", dup221); - -var select235 = linear_select([ - msg589, - msg590, -]); - -var msg591 = msg("314", dup218); - -var msg592 = msg("314:01", dup219); - -var select236 = linear_select([ - msg591, - msg592, -]); - -var msg593 = msg("315", dup197); - -var msg594 = msg("315:01", dup221); - -var select237 = linear_select([ - msg593, - msg594, -]); - -var msg595 = msg("316", dup197); - -var msg596 = msg("316:01", dup221); - -var select238 = linear_select([ - msg595, - msg596, -]); - -var msg597 = msg("317", dup197); - -var msg598 = msg("317:01", dup221); - -var select239 = linear_select([ - msg597, - msg598, -]); - -var msg599 = msg("318", dup196); - -var msg600 = msg("318:01", dup217); - -var select240 = linear_select([ - 
msg599, - msg600, -]); - -var msg601 = msg("319", dup197); - -var msg602 = msg("319:01", dup221); - -var select241 = linear_select([ - msg601, - msg602, -]); - -var msg603 = msg("320", dup205); - -var msg604 = msg("320:01", dup206); - -var select242 = linear_select([ - msg603, - msg604, -]); - -var msg605 = msg("321", dup224); - -var all30 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup87, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var msg606 = msg("321:01", all30); - -var select243 = linear_select([ - msg605, - msg606, -]); - -var msg607 = msg("322", dup225); - -var msg608 = msg("322:01", dup226); - -var select244 = linear_select([ - msg607, - msg608, -]); - -var msg609 = msg("323", dup225); - -var msg610 = msg("323:01", dup226); - -var select245 = linear_select([ - msg609, - msg610, -]); - -var msg611 = msg("324", dup225); - -var msg612 = msg("324:01", dup226); - -var select246 = linear_select([ - msg611, - msg612, -]); - -var msg613 = msg("325", dup225); - -var msg614 = msg("325:01", dup226); - -var select247 = linear_select([ - msg613, - msg614, -]); - -var msg615 = msg("326", dup225); - -var msg616 = msg("326:01", dup226); - -var select248 = linear_select([ - msg615, - msg616, -]); - -var msg617 = msg("327", dup225); - -var msg618 = msg("327:01", dup226); - -var select249 = linear_select([ - msg617, - msg618, -]); - -var msg619 = msg("328", dup225); - -var msg620 = msg("328:01", dup226); - -var select250 = linear_select([ - msg619, - msg620, -]); - -var msg621 = msg("329", dup225); - -var msg622 = msg("329:01", dup226); - -var select251 = linear_select([ - msg621, - msg622, -]); - -var msg623 = msg("330", dup225); - -var msg624 = msg("330:01", dup226); - -var select252 = linear_select([ - msg623, - msg624, -]); - -var msg625 = msg("331", dup225); - -var msg626 = msg("331:01", dup226); - -var select253 = linear_select([ - msg625, - msg626, -]); - -var 
msg627 = msg("332", dup225); - -var msg628 = msg("332:01", dup226); - -var select254 = linear_select([ - msg627, - msg628, -]); - -var msg629 = msg("333", dup225); - -var msg630 = msg("333:01", dup226); - -var select255 = linear_select([ - msg629, - msg630, -]); - -var msg631 = msg("334", dup227); - -var msg632 = msg("334:01", dup228); - -var select256 = linear_select([ - msg631, - msg632, -]); - -var msg633 = msg("335", dup227); - -var msg634 = msg("335:01", dup228); - -var select257 = linear_select([ - msg633, - msg634, -]); - -var msg635 = msg("336", dup227); - -var msg636 = msg("336:01", dup228); - -var select258 = linear_select([ - msg635, - msg636, -]); - -var msg637 = msg("337", dup222); - -var msg638 = msg("337:01", dup223); - -var select259 = linear_select([ - msg637, - msg638, -]); - -var msg639 = msg("338", dup227); - -var msg640 = msg("338:01", dup228); - -var select260 = linear_select([ - msg639, - msg640, -]); - -var msg641 = msg("339", dup227); - -var msg642 = msg("339:01", dup228); - -var select261 = linear_select([ - msg641, - msg642, -]); - -var msg643 = msg("340", dup197); - -var msg644 = msg("340:01", dup221); - -var select262 = linear_select([ - msg643, - msg644, -]); - -var msg645 = msg("341", dup197); - -var msg646 = msg("341:01", dup221); - -var select263 = linear_select([ - msg645, - msg646, -]); - -var msg647 = msg("342", dup197); - -var msg648 = msg("342:01", dup221); - -var select264 = linear_select([ - msg647, - msg648, -]); - -var msg649 = msg("343", dup197); - -var msg650 = msg("343:01", dup221); - -var select265 = linear_select([ - msg649, - msg650, -]); - -var msg651 = msg("344", dup197); - -var msg652 = msg("344:01", dup221); - -var select266 = linear_select([ - msg651, - msg652, -]); - -var msg653 = msg("345", dup197); - -var msg654 = msg("345:01", dup221); - -var select267 = linear_select([ - msg653, - msg654, -]); - -var msg655 = msg("346", dup227); - -var msg656 = msg("346:01", dup228); - -var select268 = linear_select([ - 
msg655, - msg656, -]); - -var msg657 = msg("347", dup227); - -var msg658 = msg("347:01", dup228); - -var select269 = linear_select([ - msg657, - msg658, -]); - -var msg659 = msg("348", dup227); - -var msg660 = msg("348:01", dup228); - -var select270 = linear_select([ - msg659, - msg660, -]); - -var msg661 = msg("349", dup197); - -var msg662 = msg("349:01", dup221); - -var select271 = linear_select([ - msg661, - msg662, -]); - -var msg663 = msg("350", dup197); - -var msg664 = msg("350:01", dup221); - -var select272 = linear_select([ - msg663, - msg664, -]); - -var msg665 = msg("351", dup197); - -var msg666 = msg("351:01", dup221); - -var select273 = linear_select([ - msg665, - msg666, -]); - -var msg667 = msg("352", dup197); - -var msg668 = msg("352:01", dup221); - -var select274 = linear_select([ - msg667, - msg668, -]); - -var msg669 = msg("353", dup194); - -var msg670 = msg("353:01", dup229); - -var select275 = linear_select([ - msg669, - msg670, -]); - -var msg671 = msg("354", dup194); - -var msg672 = msg("354:01", dup229); - -var select276 = linear_select([ - msg671, - msg672, -]); - -var msg673 = msg("355", dup227); - -var msg674 = msg("355:01", dup228); - -var select277 = linear_select([ - msg673, - msg674, -]); - -var msg675 = msg("356", dup227); - -var msg676 = msg("356:01", dup228); - -var select278 = linear_select([ - msg675, - msg676, -]); - -var msg677 = msg("357", dup194); - -var msg678 = msg("357:01", dup229); - -var select279 = linear_select([ - msg677, - msg678, -]); - -var msg679 = msg("358", dup194); - -var msg680 = msg("358:01", dup229); - -var select280 = linear_select([ - msg679, - msg680, -]); - -var all31 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup82, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var msg681 = msg("359", all31); - -var all32 = all_match({ - processors: [ - dup75, - 
dup173, - dup174, - ], - on_success: processor_chain([ - dup82, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var msg682 = msg("359:01", all32); - -var select281 = linear_select([ - msg681, - msg682, -]); - -var msg683 = msg("360", dup227); - -var msg684 = msg("360:01", dup228); - -var select282 = linear_select([ - msg683, - msg684, -]); - -var msg685 = msg("361", dup227); - -var msg686 = msg("361:01", dup228); - -var select283 = linear_select([ - msg685, - msg686, -]); - -var msg687 = msg("362", dup227); - -var msg688 = msg("362:01", dup228); - -var select284 = linear_select([ - msg687, - msg688, -]); - -var msg689 = msg("363", dup230); - -var msg690 = msg("363:01", dup231); - -var select285 = linear_select([ - msg689, - msg690, -]); - -var msg691 = msg("364", dup230); - -var msg692 = msg("364:01", dup231); - -var select286 = linear_select([ - msg691, - msg692, -]); - -var msg693 = msg("365", dup232); - -var msg694 = msg("365:01", dup231); - -var select287 = linear_select([ - msg693, - msg694, -]); - -var msg695 = msg("366", dup232); - -var msg696 = msg("366:01", dup231); - -var select288 = linear_select([ - msg695, - msg696, -]); - -var msg697 = msg("368", dup232); - -var msg698 = msg("368:01", dup231); - -var select289 = linear_select([ - msg697, - msg698, -]); - -var msg699 = msg("369", dup232); - -var msg700 = msg("369:01", dup231); - -var select290 = linear_select([ - msg699, - msg700, -]); - -var msg701 = msg("370", dup232); - -var msg702 = msg("370:01", dup231); - -var select291 = linear_select([ - msg701, - msg702, -]); - -var msg703 = msg("371", dup232); - -var msg704 = msg("371:01", dup231); - -var select292 = linear_select([ - msg703, - msg704, -]); - -var msg705 = msg("372", dup232); - -var msg706 = msg("372:01", dup231); - -var select293 = linear_select([ - msg705, - msg706, -]); - -var msg707 = msg("373", dup232); - -var msg708 = msg("373:01", dup231); - -var select294 = linear_select([ - msg707, - 
msg708, -]); - -var msg709 = msg("374", dup232); - -var msg710 = msg("374:01", dup231); - -var select295 = linear_select([ - msg709, - msg710, -]); - -var msg711 = msg("375", dup232); - -var msg712 = msg("375:01", dup231); - -var select296 = linear_select([ - msg711, - msg712, -]); - -var msg713 = msg("376", dup232); - -var msg714 = msg("376:01", dup233); - -var select297 = linear_select([ - msg713, - msg714, -]); - -var msg715 = msg("377", dup232); - -var msg716 = msg("377:01", dup231); - -var select298 = linear_select([ - msg715, - msg716, -]); - -var msg717 = msg("378", dup232); - -var msg718 = msg("378:01", dup231); - -var select299 = linear_select([ - msg717, - msg718, -]); - -var msg719 = msg("379", dup232); - -var msg720 = msg("379:01", dup231); - -var select300 = linear_select([ - msg719, - msg720, -]); - -var msg721 = msg("380", dup232); - -var msg722 = msg("380:01", dup231); - -var select301 = linear_select([ - msg721, - msg722, -]); - -var msg723 = msg("381", dup232); - -var msg724 = msg("381:01", dup231); - -var select302 = linear_select([ - msg723, - msg724, -]); - -var msg725 = msg("382", dup232); - -var msg726 = msg("382:01", dup231); - -var select303 = linear_select([ - msg725, - msg726, -]); - -var msg727 = msg("384", dup232); - -var msg728 = msg("384:01", dup231); - -var select304 = linear_select([ - msg727, - msg728, -]); - -var msg729 = msg("385", dup232); - -var msg730 = msg("385:01", dup231); - -var select305 = linear_select([ - msg729, - msg730, -]); - -var msg731 = msg("386", dup232); - -var msg732 = msg("386:01", dup231); - -var select306 = linear_select([ - msg731, - msg732, -]); - -var msg733 = msg("387", dup232); - -var msg734 = msg("387:01", dup231); - -var select307 = linear_select([ - msg733, - msg734, -]); - -var msg735 = msg("388", dup232); - -var msg736 = msg("388:01", dup231); - -var select308 = linear_select([ - msg735, - msg736, -]); - -var msg737 = msg("389", dup232); - -var msg738 = msg("389:01", dup231); - -var select309 = 
linear_select([ - msg737, - msg738, -]); - -var msg739 = msg("390", dup230); - -var msg740 = msg("390:01", dup231); - -var select310 = linear_select([ - msg739, - msg740, -]); - -var msg741 = msg("391", dup232); - -var msg742 = msg("391:01", dup231); - -var select311 = linear_select([ - msg741, - msg742, -]); - -var msg743 = msg("392", dup232); - -var msg744 = msg("392:01", dup231); - -var select312 = linear_select([ - msg743, - msg744, -]); - -var msg745 = msg("393", dup232); - -var msg746 = msg("393:01", dup231); - -var select313 = linear_select([ - msg745, - msg746, -]); - -var msg747 = msg("394", dup232); - -var msg748 = msg("394:01", dup231); - -var select314 = linear_select([ - msg747, - msg748, -]); - -var msg749 = msg("395", dup232); - -var msg750 = msg("395:01", dup231); - -var select315 = linear_select([ - msg749, - msg750, -]); - -var msg751 = msg("396", dup232); - -var msg752 = msg("396:01", dup231); - -var select316 = linear_select([ - msg751, - msg752, -]); - -var msg753 = msg("397", dup232); - -var msg754 = msg("397:01", dup231); - -var select317 = linear_select([ - msg753, - msg754, -]); - -var msg755 = msg("398", dup232); - -var msg756 = msg("398:01", dup231); - -var select318 = linear_select([ - msg755, - msg756, -]); - -var msg757 = msg("399", dup232); - -var msg758 = msg("399:01", dup231); - -var select319 = linear_select([ - msg757, - msg758, -]); - -var msg759 = msg("400", dup232); - -var msg760 = msg("400:01", dup231); - -var select320 = linear_select([ - msg759, - msg760, -]); - -var msg761 = msg("401", dup232); - -var msg762 = msg("401:01", dup231); - -var select321 = linear_select([ - msg761, - msg762, -]); - -var msg763 = msg("402", dup232); - -var msg764 = msg("402:01", dup231); - -var select322 = linear_select([ - msg763, - msg764, -]); - -var msg765 = msg("403", dup232); - -var msg766 = msg("403:01", dup231); - -var select323 = linear_select([ - msg765, - msg766, -]); - -var msg767 = msg("404", dup232); - -var msg768 = msg("404:01", 
dup231); - -var select324 = linear_select([ - msg767, - msg768, -]); - -var msg769 = msg("405", dup232); - -var msg770 = msg("405:01", dup231); - -var select325 = linear_select([ - msg769, - msg770, -]); - -var msg771 = msg("406", dup232); - -var msg772 = msg("406:01", dup231); - -var select326 = linear_select([ - msg771, - msg772, -]); - -var msg773 = msg("407", dup232); - -var msg774 = msg("407:01", dup231); - -var select327 = linear_select([ - msg773, - msg774, -]); - -var msg775 = msg("408", dup232); - -var msg776 = msg("408:01", dup231); - -var select328 = linear_select([ - msg775, - msg776, -]); - -var msg777 = msg("409", dup232); - -var msg778 = msg("409:01", dup231); - -var select329 = linear_select([ - msg777, - msg778, -]); - -var msg779 = msg("410", dup232); - -var msg780 = msg("410:01", dup231); - -var select330 = linear_select([ - msg779, - msg780, -]); - -var msg781 = msg("411", dup232); - -var msg782 = msg("411:01", dup231); - -var select331 = linear_select([ - msg781, - msg782, -]); - -var msg783 = msg("412", dup232); - -var msg784 = msg("412:01", dup231); - -var select332 = linear_select([ - msg783, - msg784, -]); - -var msg785 = msg("413", dup232); - -var msg786 = msg("413:01", dup231); - -var select333 = linear_select([ - msg785, - msg786, -]); - -var msg787 = msg("414", dup232); - -var msg788 = msg("414:01", dup231); - -var select334 = linear_select([ - msg787, - msg788, -]); - -var msg789 = msg("415", dup232); - -var msg790 = msg("415:01", dup231); - -var select335 = linear_select([ - msg789, - msg790, -]); - -var msg791 = msg("416", dup232); - -var msg792 = msg("416:01", dup231); - -var select336 = linear_select([ - msg791, - msg792, -]); - -var msg793 = msg("417", dup232); - -var msg794 = msg("417:01", dup231); - -var select337 = linear_select([ - msg793, - msg794, -]); - -var msg795 = msg("418", dup232); - -var msg796 = msg("418:01", dup231); - -var select338 = linear_select([ - msg795, - msg796, -]); - -var msg797 = msg("419", dup232); - 
-var msg798 = msg("419:01", dup231); - -var select339 = linear_select([ - msg797, - msg798, -]); - -var msg799 = msg("420", dup232); - -var msg800 = msg("420:01", dup231); - -var select340 = linear_select([ - msg799, - msg800, -]); - -var msg801 = msg("421", dup232); - -var msg802 = msg("421:01", dup231); - -var select341 = linear_select([ - msg801, - msg802, -]); - -var msg803 = msg("422", dup232); - -var msg804 = msg("422:01", dup231); - -var select342 = linear_select([ - msg803, - msg804, -]); - -var msg805 = msg("423", dup232); - -var msg806 = msg("423:01", dup231); - -var select343 = linear_select([ - msg805, - msg806, -]); - -var msg807 = msg("424", dup232); - -var msg808 = msg("424:01", dup231); - -var select344 = linear_select([ - msg807, - msg808, -]); - -var msg809 = msg("425", dup232); - -var msg810 = msg("425:01", dup231); - -var select345 = linear_select([ - msg809, - msg810, -]); - -var msg811 = msg("426", dup232); - -var msg812 = msg("426:01", dup231); - -var select346 = linear_select([ - msg811, - msg812, -]); - -var msg813 = msg("427", dup232); - -var msg814 = msg("427:01", dup231); - -var select347 = linear_select([ - msg813, - msg814, -]); - -var msg815 = msg("428", dup232); - -var msg816 = msg("428:01", dup231); - -var select348 = linear_select([ - msg815, - msg816, -]); - -var msg817 = msg("429", dup232); - -var msg818 = msg("429:01", dup231); - -var select349 = linear_select([ - msg817, - msg818, -]); - -var msg819 = msg("430", dup232); - -var msg820 = msg("430:01", dup231); - -var select350 = linear_select([ - msg819, - msg820, -]); - -var all33 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup90, - dup31, - dup45, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var msg821 = msg("431", all33); - -var all34 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: 
processor_chain([ - dup90, - dup31, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var msg822 = msg("431:01", all34); - -var select351 = linear_select([ - msg821, - msg822, -]); - -var msg823 = msg("432", dup232); - -var msg824 = msg("432:01", dup231); - -var select352 = linear_select([ - msg823, - msg824, -]); - -var msg825 = msg("433", dup232); - -var msg826 = msg("433:01", dup231); - -var select353 = linear_select([ - msg825, - msg826, -]); - -var msg827 = msg("436", dup232); - -var msg828 = msg("436:01", dup231); - -var select354 = linear_select([ - msg827, - msg828, -]); - -var msg829 = msg("437", dup232); - -var msg830 = msg("437:01", dup231); - -var select355 = linear_select([ - msg829, - msg830, -]); - -var msg831 = msg("438", dup232); - -var msg832 = msg("438:01", dup231); - -var select356 = linear_select([ - msg831, - msg832, -]); - -var msg833 = msg("439", dup232); - -var msg834 = msg("439:01", dup231); - -var select357 = linear_select([ - msg833, - msg834, -]); - -var msg835 = msg("440", dup232); - -var msg836 = msg("440:01", dup231); - -var select358 = linear_select([ - msg835, - msg836, -]); - -var msg837 = msg("441", dup232); - -var msg838 = msg("441:01", dup231); - -var select359 = linear_select([ - msg837, - msg838, -]); - -var msg839 = msg("443", dup232); - -var msg840 = msg("443:01", dup231); - -var select360 = linear_select([ - msg839, - msg840, -]); - -var msg841 = msg("445", dup232); - -var msg842 = msg("445:01", dup231); - -var select361 = linear_select([ - msg841, - msg842, -]); - -var msg843 = msg("446", dup232); - -var msg844 = msg("446:01", dup231); - -var select362 = linear_select([ - msg843, - msg844, -]); - -var msg845 = msg("448", dup232); - -var msg846 = msg("448:01", dup231); - -var select363 = linear_select([ - msg845, - msg846, -]); - -var msg847 = msg("449", dup232); - -var msg848 = msg("449:01", dup231); - -var select364 = linear_select([ - msg847, - msg848, -]); 
- -var msg849 = msg("450", dup232); - -var msg850 = msg("450:01", dup231); - -var select365 = linear_select([ - msg849, - msg850, -]); - -var msg851 = msg("451", dup232); - -var msg852 = msg("451:01", dup231); - -var select366 = linear_select([ - msg851, - msg852, -]); - -var msg853 = msg("452", dup232); - -var msg854 = msg("452:01", dup231); - -var select367 = linear_select([ - msg853, - msg854, -]); - -var msg855 = msg("453", dup232); - -var msg856 = msg("453:01", dup231); - -var select368 = linear_select([ - msg855, - msg856, -]); - -var msg857 = msg("454", dup232); - -var msg858 = msg("454:01", dup231); - -var select369 = linear_select([ - msg857, - msg858, -]); - -var msg859 = msg("455", dup232); - -var msg860 = msg("455:01", dup231); - -var select370 = linear_select([ - msg859, - msg860, -]); - -var msg861 = msg("456", dup232); - -var msg862 = msg("456:01", dup231); - -var select371 = linear_select([ - msg861, - msg862, -]); - -var msg863 = msg("457", dup232); - -var msg864 = msg("457:01", dup231); - -var select372 = linear_select([ - msg863, - msg864, -]); - -var msg865 = msg("458", dup232); - -var msg866 = msg("458:01", dup231); - -var select373 = linear_select([ - msg865, - msg866, -]); - -var msg867 = msg("459", dup232); - -var msg868 = msg("459:01", dup231); - -var select374 = linear_select([ - msg867, - msg868, -]); - -var msg869 = msg("460", dup232); - -var msg870 = msg("460:01", dup231); - -var select375 = linear_select([ - msg869, - msg870, -]); - -var msg871 = msg("461", dup232); - -var msg872 = msg("461:01", dup231); - -var select376 = linear_select([ - msg871, - msg872, -]); - -var msg873 = msg("462", dup232); - -var msg874 = msg("462:01", dup231); - -var select377 = linear_select([ - msg873, - msg874, -]); - -var msg875 = msg("463", dup232); - -var msg876 = msg("463:01", dup231); - -var select378 = linear_select([ - msg875, - msg876, -]); - -var msg877 = msg("465", dup232); - -var msg878 = msg("465:01", dup231); - -var select379 = linear_select([ 
- msg877, - msg878, -]); - -var msg879 = msg("466", dup232); - -var msg880 = msg("466:01", dup231); - -var select380 = linear_select([ - msg879, - msg880, -]); - -var msg881 = msg("467", dup232); - -var msg882 = msg("467:01", dup231); - -var select381 = linear_select([ - msg881, - msg882, -]); - -var msg883 = msg("469", dup232); - -var msg884 = msg("469:01", dup231); - -var select382 = linear_select([ - msg883, - msg884, -]); - -var msg885 = msg("471", dup230); - -var msg886 = msg("471:01", dup233); - -var select383 = linear_select([ - msg885, - msg886, -]); - -var msg887 = msg("472", dup232); - -var msg888 = msg("472:01", dup231); - -var select384 = linear_select([ - msg887, - msg888, -]); - -var msg889 = msg("473", dup232); - -var msg890 = msg("473:01", dup231); - -var select385 = linear_select([ - msg889, - msg890, -]); - -var msg891 = msg("474", dup234); - -var msg892 = msg("474:01", dup235); - -var select386 = linear_select([ - msg891, - msg892, -]); - -var msg893 = msg("475", dup232); - -var msg894 = msg("475:01", dup231); - -var select387 = linear_select([ - msg893, - msg894, -]); - -var msg895 = msg("476", dup234); - -var msg896 = msg("476:01", dup235); - -var select388 = linear_select([ - msg895, - msg896, -]); - -var msg897 = msg("477", dup230); - -var msg898 = msg("477:01", dup233); - -var select389 = linear_select([ - msg897, - msg898, -]); - -var msg899 = msg("478", dup194); - -var msg900 = msg("478:01", dup229); - -var select390 = linear_select([ - msg899, - msg900, -]); - -var msg901 = msg("480", dup232); - -var msg902 = msg("480:01", dup231); - -var select391 = linear_select([ - msg901, - msg902, -]); - -var msg903 = msg("481", dup232); - -var msg904 = msg("481:01", dup231); - -var select392 = linear_select([ - msg903, - msg904, -]); - -var msg905 = msg("482", dup232); - -var msg906 = msg("482:01", dup231); - -var select393 = linear_select([ - msg905, - msg906, -]); - -var msg907 = msg("483", dup232); - -var msg908 = msg("483:01", dup231); - -var 
select394 = linear_select([ - msg907, - msg908, -]); - -var msg909 = msg("484", dup234); - -var msg910 = msg("484:01", dup235); - -var select395 = linear_select([ - msg909, - msg910, -]); - -var msg911 = msg("485", dup232); - -var msg912 = msg("485:01", dup231); - -var select396 = linear_select([ - msg911, - msg912, -]); - -var msg913 = msg("486", dup232); - -var msg914 = msg("486:01", dup231); - -var select397 = linear_select([ - msg913, - msg914, -]); - -var msg915 = msg("487", dup232); - -var msg916 = msg("487:01", dup231); - -var select398 = linear_select([ - msg915, - msg916, -]); - -var msg917 = msg("488", dup196); - -var msg918 = msg("488:01", dup217); - -var select399 = linear_select([ - msg917, - msg918, -]); - -var msg919 = msg("489", dup227); - -var msg920 = msg("489:01", dup228); - -var select400 = linear_select([ - msg919, - msg920, -]); - -var msg921 = msg("490", dup196); - -var msg922 = msg("490:01", dup217); - -var select401 = linear_select([ - msg921, - msg922, -]); - -var msg923 = msg("491", dup227); - -var msg924 = msg("492", dup236); - -var msg925 = msg("492:01", dup237); - -var select402 = linear_select([ - msg924, - msg925, -]); - -var msg926 = msg("493", dup196); - -var msg927 = msg("493:01", dup217); - -var select403 = linear_select([ - msg926, - msg927, -]); - -var msg928 = msg("494", dup196); - -var msg929 = msg("494:01", dup217); - -var select404 = linear_select([ - msg928, - msg929, -]); - -var msg930 = msg("495", dup196); - -var msg931 = msg("495:01", dup217); - -var select405 = linear_select([ - msg930, - msg931, -]); - -var msg932 = msg("496", dup196); - -var msg933 = msg("496:01", dup217); - -var select406 = linear_select([ - msg932, - msg933, -]); - -var msg934 = msg("497", dup196); - -var msg935 = msg("497:01", dup217); - -var select407 = linear_select([ - msg934, - msg935, -]); - -var msg936 = msg("498", dup196); - -var msg937 = msg("498:01", dup217); - -var select408 = linear_select([ - msg936, - msg937, -]); - -var msg938 = 
msg("499", dup230); - -var msg939 = msg("499:01", dup233); - -var select409 = linear_select([ - msg938, - msg939, -]); - -var msg940 = msg("500", dup196); - -var msg941 = msg("500:01", dup217); - -var select410 = linear_select([ - msg940, - msg941, -]); - -var msg942 = msg("501", dup196); - -var msg943 = msg("501:01", dup217); - -var select411 = linear_select([ - msg942, - msg943, -]); - -var msg944 = msg("502", dup196); - -var msg945 = msg("502:01", dup217); - -var select412 = linear_select([ - msg944, - msg945, -]); - -var msg946 = msg("503", dup196); - -var msg947 = msg("503:01", dup217); - -var select413 = linear_select([ - msg946, - msg947, -]); - -var msg948 = msg("504", dup196); - -var msg949 = msg("504:01", dup217); - -var select414 = linear_select([ - msg948, - msg949, -]); - -var msg950 = msg("505", dup196); - -var msg951 = msg("505:01", dup217); - -var select415 = linear_select([ - msg950, - msg951, -]); - -var msg952 = msg("506", dup238); - -var msg953 = msg("506:01", dup239); - -var select416 = linear_select([ - msg952, - msg953, -]); - -var msg954 = msg("507", dup196); - -var msg955 = msg("507:01", dup217); - -var select417 = linear_select([ - msg954, - msg955, -]); - -var msg956 = msg("508", dup196); - -var msg957 = msg("508:01", dup217); - -var select418 = linear_select([ - msg956, - msg957, -]); - -var msg958 = msg("509", dup240); - -var msg959 = msg("509:01", dup241); - -var select419 = linear_select([ - msg958, - msg959, -]); - -var msg960 = msg("510", dup196); - -var msg961 = msg("510:01", dup217); - -var select420 = linear_select([ - msg960, - msg961, -]); - -var msg962 = msg("511", dup196); - -var msg963 = msg("511:01", dup217); - -var select421 = linear_select([ - msg962, - msg963, -]); - -var msg964 = msg("512", dup236); - -var msg965 = msg("512:01", dup237); - -var select422 = linear_select([ - msg964, - msg965, -]); - -var msg966 = msg("513", dup196); - -var msg967 = msg("513:01", dup217); - -var select423 = linear_select([ - msg966, - 
msg967, -]); - -var msg968 = msg("514", dup238); - -var msg969 = msg("514:01", dup239); - -var select424 = linear_select([ - msg968, - msg969, -]); - -var msg970 = msg("516", dup242); - -var msg971 = msg("516:01", dup243); - -var select425 = linear_select([ - msg970, - msg971, -]); - -var msg972 = msg("517", dup196); - -var msg973 = msg("517:01", dup217); - -var select426 = linear_select([ - msg972, - msg973, -]); - -var msg974 = msg("518", dup196); - -var msg975 = msg("518:01", dup217); - -var select427 = linear_select([ - msg974, - msg975, -]); - -var msg976 = msg("519", dup196); - -var msg977 = msg("519:01", dup217); - -var select428 = linear_select([ - msg976, - msg977, -]); - -var msg978 = msg("520", dup196); - -var msg979 = msg("520:01", dup217); - -var select429 = linear_select([ - msg978, - msg979, -]); - -var msg980 = msg("521", dup196); - -var msg981 = msg("521:01", dup217); - -var select430 = linear_select([ - msg980, - msg981, -]); - -var msg982 = msg("522", dup196); - -var msg983 = msg("522:01", dup217); - -var select431 = linear_select([ - msg982, - msg983, -]); - -var msg984 = msg("523", dup196); - -var msg985 = msg("523:01", dup217); - -var select432 = linear_select([ - msg984, - msg985, -]); - -var msg986 = msg("524", dup244); - -var msg987 = msg("524:01", dup245); - -var select433 = linear_select([ - msg986, - msg987, -]); - -var msg988 = msg("525", dup196); - -var msg989 = msg("525:01", dup217); - -var select434 = linear_select([ - msg988, - msg989, -]); - -var msg990 = msg("526", dup244); - -var msg991 = msg("526:01", dup245); - -var select435 = linear_select([ - msg990, - msg991, -]); - -var msg992 = msg("527", dup196); - -var msg993 = msg("527:01", dup217); - -var select436 = linear_select([ - msg992, - msg993, -]); - -var msg994 = msg("528", dup196); - -var msg995 = msg("528:01", dup217); - -var select437 = linear_select([ - msg994, - msg995, -]); - -var msg996 = msg("529", dup198); - -var msg997 = msg("529:01", dup220); - -var select438 = 
linear_select([ - msg996, - msg997, -]); - -var msg998 = msg("530", dup196); - -var msg999 = msg("530:01", dup217); - -var select439 = linear_select([ - msg998, - msg999, -]); - -var msg1000 = msg("532", dup246); - -var msg1001 = msg("532:01", dup247); - -var select440 = linear_select([ - msg1000, - msg1001, -]); - -var msg1002 = msg("533", dup246); - -var msg1003 = msg("533:01", dup247); - -var select441 = linear_select([ - msg1002, - msg1003, -]); - -var msg1004 = msg("534", dup196); - -var msg1005 = msg("534:01", dup217); - -var select442 = linear_select([ - msg1004, - msg1005, -]); - -var msg1006 = msg("535", dup196); - -var msg1007 = msg("535:01", dup217); - -var select443 = linear_select([ - msg1006, - msg1007, -]); - -var msg1008 = msg("536", dup246); - -var msg1009 = msg("536:01", dup247); - -var select444 = linear_select([ - msg1008, - msg1009, -]); - -var msg1010 = msg("537", dup246); - -var msg1011 = msg("537:01", dup247); - -var select445 = linear_select([ - msg1010, - msg1011, -]); - -var msg1012 = msg("538", dup246); - -var msg1013 = msg("538:01", dup247); - -var select446 = linear_select([ - msg1012, - msg1013, -]); - -var msg1014 = msg("539", dup246); - -var msg1015 = msg("539:01", dup247); - -var select447 = linear_select([ - msg1014, - msg1015, -]); - -var msg1016 = msg("540", dup196); - -var msg1017 = msg("540:01", dup217); - -var select448 = linear_select([ - msg1016, - msg1017, -]); - -var msg1018 = msg("541", dup196); - -var msg1019 = msg("541:01", dup217); - -var select449 = linear_select([ - msg1018, - msg1019, -]); - -var msg1020 = msg("542", dup196); - -var msg1021 = msg("542:01", dup217); - -var select450 = linear_select([ - msg1020, - msg1021, -]); - -var msg1022 = msg("543", dup227); - -var msg1023 = msg("543:01", dup228); - -var select451 = linear_select([ - msg1022, - msg1023, -]); - -var msg1024 = msg("544", dup227); - -var msg1025 = msg("544:01", dup228); - -var select452 = linear_select([ - msg1024, - msg1025, -]); - -var msg1026 = 
msg("545", dup227); - -var msg1027 = msg("545:01", dup228); - -var select453 = linear_select([ - msg1026, - msg1027, -]); - -var msg1028 = msg("546", dup227); - -var msg1029 = msg("546:01", dup228); - -var select454 = linear_select([ - msg1028, - msg1029, -]); - -var msg1030 = msg("547", dup227); - -var msg1031 = msg("547:01", dup228); - -var select455 = linear_select([ - msg1030, - msg1031, -]); - -var msg1032 = msg("548", dup227); - -var msg1033 = msg("548:01", dup228); - -var select456 = linear_select([ - msg1032, - msg1033, -]); - -var msg1034 = msg("549", dup196); - -var msg1035 = msg("549:01", dup217); - -var select457 = linear_select([ - msg1034, - msg1035, -]); - -var msg1036 = msg("550", dup196); - -var msg1037 = msg("550:01", dup217); - -var select458 = linear_select([ - msg1036, - msg1037, -]); - -var msg1038 = msg("551", dup196); - -var msg1039 = msg("551:01", dup217); - -var select459 = linear_select([ - msg1038, - msg1039, -]); - -var msg1040 = msg("552", dup196); - -var msg1041 = msg("552:01", dup217); - -var select460 = linear_select([ - msg1040, - msg1041, -]); - -var msg1042 = msg("553", dup227); - -var msg1043 = msg("553:01", dup228); - -var select461 = linear_select([ - msg1042, - msg1043, -]); - -var msg1044 = msg("554", dup227); - -var msg1045 = msg("554:01", dup228); - -var select462 = linear_select([ - msg1044, - msg1045, -]); - -var msg1046 = msg("555", dup248); - -var msg1047 = msg("555:01", dup249); - -var select463 = linear_select([ - msg1046, - msg1047, -]); - -var msg1048 = msg("556", dup196); - -var msg1049 = msg("556:01", dup217); - -var select464 = linear_select([ - msg1048, - msg1049, -]); - -var msg1050 = msg("557", dup196); - -var msg1051 = msg("557:01", dup217); - -var select465 = linear_select([ - msg1050, - msg1051, -]); - -var msg1052 = msg("558", dup196); - -var msg1053 = msg("558:01", dup217); - -var select466 = linear_select([ - msg1052, - msg1053, -]); - -var msg1054 = msg("559", dup196); - -var msg1055 = msg("559:01", 
dup217); - -var select467 = linear_select([ - msg1054, - msg1055, -]); - -var msg1056 = msg("560", dup196); - -var msg1057 = msg("560:01", dup217); - -var select468 = linear_select([ - msg1056, - msg1057, -]); - -var msg1058 = msg("561", dup196); - -var msg1059 = msg("561:01", dup217); - -var select469 = linear_select([ - msg1058, - msg1059, -]); - -var msg1060 = msg("562", dup196); - -var msg1061 = msg("562:01", dup217); - -var select470 = linear_select([ - msg1060, - msg1061, -]); - -var msg1062 = msg("563", dup196); - -var msg1063 = msg("563:01", dup217); - -var select471 = linear_select([ - msg1062, - msg1063, -]); - -var msg1064 = msg("564", dup196); - -var msg1065 = msg("564:01", dup217); - -var select472 = linear_select([ - msg1064, - msg1065, -]); - -var msg1066 = msg("565", dup196); - -var msg1067 = msg("565:01", dup217); - -var select473 = linear_select([ - msg1066, - msg1067, -]); - -var msg1068 = msg("566", dup196); - -var msg1069 = msg("566:01", dup217); - -var select474 = linear_select([ - msg1068, - msg1069, -]); - -var msg1070 = msg("567", dup250); - -var msg1071 = msg("567:01", dup251); - -var select475 = linear_select([ - msg1070, - msg1071, -]); - -var msg1072 = msg("568", dup196); - -var msg1073 = msg("568:01", dup217); - -var select476 = linear_select([ - msg1072, - msg1073, -]); - -var msg1074 = msg("569", dup252); - -var all35 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup80, - dup31, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var msg1075 = msg("569:01", all35); - -var select477 = linear_select([ - msg1074, - msg1075, -]); - -var msg1076 = msg("570", dup197); - -var msg1077 = msg("570:01", dup221); - -var select478 = linear_select([ - msg1076, - msg1077, -]); - -var msg1078 = msg("571", dup197); - -var msg1079 = msg("571:01", dup221); - -var select479 = linear_select([ - msg1078, - msg1079, -]); - -var msg1080 = 
msg("572", dup198); - -var msg1081 = msg("572:01", dup220); - -var select480 = linear_select([ - msg1080, - msg1081, -]); - -var msg1082 = msg("573", dup197); - -var msg1083 = msg("573:01", dup221); - -var select481 = linear_select([ - msg1082, - msg1083, -]); - -var msg1084 = msg("574", dup253); - -var msg1085 = msg("574:01", dup254); - -var select482 = linear_select([ - msg1084, - msg1085, -]); - -var msg1086 = msg("575", dup255); - -var msg1087 = msg("575:01", dup256); - -var select483 = linear_select([ - msg1086, - msg1087, -]); - -var msg1088 = msg("576", dup255); - -var msg1089 = msg("576:01", dup256); - -var select484 = linear_select([ - msg1088, - msg1089, -]); - -var msg1090 = msg("577", dup255); - -var msg1091 = msg("577:01", dup256); - -var select485 = linear_select([ - msg1090, - msg1091, -]); - -var msg1092 = msg("578", dup255); - -var msg1093 = msg("578:01", dup256); - -var select486 = linear_select([ - msg1092, - msg1093, -]); - -var msg1094 = msg("579", dup255); - -var msg1095 = msg("579:01", dup256); - -var select487 = linear_select([ - msg1094, - msg1095, -]); - -var msg1096 = msg("580", dup255); - -var msg1097 = msg("580:01", dup256); - -var select488 = linear_select([ - msg1096, - msg1097, -]); - -var msg1098 = msg("581", dup257); - -var all36 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup98, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var msg1099 = msg("581:01", all36); - -var select489 = linear_select([ - msg1098, - msg1099, -]); - -var msg1100 = msg("582", dup255); - -var msg1101 = msg("582:01", dup256); - -var select490 = linear_select([ - msg1100, - msg1101, -]); - -var msg1102 = msg("583", dup255); - -var msg1103 = msg("583:01", dup256); - -var select491 = linear_select([ - msg1102, - msg1103, -]); - -var msg1104 = msg("584", dup255); - -var msg1105 = msg("584:01", dup256); - -var select492 = linear_select([ - msg1104, - msg1105, -]); 
- -var msg1106 = msg("585", dup255); - -var msg1107 = msg("585:01", dup256); - -var select493 = linear_select([ - msg1106, - msg1107, -]); - -var msg1108 = msg("586", dup255); - -var msg1109 = msg("586:01", dup256); - -var select494 = linear_select([ - msg1108, - msg1109, -]); - -var msg1110 = msg("587", dup255); - -var msg1111 = msg("587:01", dup256); - -var select495 = linear_select([ - msg1110, - msg1111, -]); - -var msg1112 = msg("588", dup255); - -var msg1113 = msg("588:01", dup256); - -var select496 = linear_select([ - msg1112, - msg1113, -]); - -var msg1114 = msg("589", dup255); - -var msg1115 = msg("589:01", dup256); - -var select497 = linear_select([ - msg1114, - msg1115, -]); - -var msg1116 = msg("590", dup255); - -var msg1117 = msg("590:01", dup256); - -var select498 = linear_select([ - msg1116, - msg1117, -]); - -var msg1118 = msg("591", dup255); - -var msg1119 = msg("591:01", dup256); - -var select499 = linear_select([ - msg1118, - msg1119, -]); - -var msg1120 = msg("592", dup255); - -var msg1121 = msg("592:01", dup256); - -var select500 = linear_select([ - msg1120, - msg1121, -]); - -var msg1122 = msg("593", dup255); - -var msg1123 = msg("593:01", dup256); - -var select501 = linear_select([ - msg1122, - msg1123, -]); - -var msg1124 = msg("594", dup255); - -var msg1125 = msg("594:01", dup256); - -var select502 = linear_select([ - msg1124, - msg1125, -]); - -var msg1126 = msg("595", dup258); - -var msg1127 = msg("595:01", dup259); - -var select503 = linear_select([ - msg1126, - msg1127, -]); - -var msg1128 = msg("596", dup255); - -var msg1129 = msg("596:01", dup256); - -var select504 = linear_select([ - msg1128, - msg1129, -]); - -var msg1130 = msg("597", dup255); - -var msg1131 = msg("597:01", dup256); - -var select505 = linear_select([ - msg1130, - msg1131, -]); - -var msg1132 = msg("598", dup258); - -var msg1133 = msg("598:01", dup259); - -var select506 = linear_select([ - msg1132, - msg1133, -]); - -var msg1134 = msg("599", dup258); - -var msg1135 = 
msg("599:01", dup259); - -var select507 = linear_select([ - msg1134, - msg1135, -]); - -var msg1136 = msg("600", dup255); - -var msg1137 = msg("600:01", dup256); - -var select508 = linear_select([ - msg1136, - msg1137, -]); - -var msg1138 = msg("601", dup196); - -var msg1139 = msg("601:01", dup217); - -var select509 = linear_select([ - msg1138, - msg1139, -]); - -var msg1140 = msg("602", dup196); - -var msg1141 = msg("602:01", dup217); - -var select510 = linear_select([ - msg1140, - msg1141, -]); - -var msg1142 = msg("603", dup196); - -var msg1143 = msg("603:01", dup217); - -var select511 = linear_select([ - msg1142, - msg1143, -]); - -var msg1144 = msg("604", dup196); - -var msg1145 = msg("604:01", dup217); - -var select512 = linear_select([ - msg1144, - msg1145, -]); - -var msg1146 = msg("605", dup236); - -var msg1147 = msg("605:01", dup237); - -var select513 = linear_select([ - msg1146, - msg1147, -]); - -var msg1148 = msg("606", dup196); - -var msg1149 = msg("606:01", dup217); - -var select514 = linear_select([ - msg1148, - msg1149, -]); - -var msg1150 = msg("607", dup196); - -var msg1151 = msg("607:01", dup217); - -var select515 = linear_select([ - msg1150, - msg1151, -]); - -var msg1152 = msg("608", dup196); - -var msg1153 = msg("608:01", dup217); - -var select516 = linear_select([ - msg1152, - msg1153, -]); - -var msg1154 = msg("609", dup196); - -var msg1155 = msg("609:01", dup217); - -var select517 = linear_select([ - msg1154, - msg1155, -]); - -var msg1156 = msg("610", dup196); - -var msg1157 = msg("610:01", dup217); - -var select518 = linear_select([ - msg1156, - msg1157, -]); - -var msg1158 = msg("611", dup236); - -var msg1159 = msg("611:01", dup237); - -var select519 = linear_select([ - msg1158, - msg1159, -]); - -var msg1160 = msg("612", dup255); - -var msg1161 = msg("612:01", dup256); - -var select520 = linear_select([ - msg1160, - msg1161, -]); - -var msg1162 = msg("613", dup194); - -var msg1163 = msg("613:01", dup229); - -var select521 = 
linear_select([ - msg1162, - msg1163, -]); - -var msg1164 = msg("614", dup205); - -var msg1165 = msg("614:01", dup206); - -var select522 = linear_select([ - msg1164, - msg1165, -]); - -var msg1166 = msg("615", dup194); - -var msg1167 = msg("615:01", dup229); - -var select523 = linear_select([ - msg1166, - msg1167, -]); - -var msg1168 = msg("616", dup194); - -var msg1169 = msg("616:01", dup229); - -var select524 = linear_select([ - msg1168, - msg1169, -]); - -var msg1170 = msg("617", dup194); - -var msg1171 = msg("617:01", dup229); - -var select525 = linear_select([ - msg1170, - msg1171, -]); - -var msg1172 = msg("618", dup194); - -var msg1173 = msg("618:01", dup229); - -var select526 = linear_select([ - msg1172, - msg1173, -]); - -var msg1174 = msg("619", dup194); - -var msg1175 = msg("619:01", dup229); - -var select527 = linear_select([ - msg1174, - msg1175, -]); - -var msg1176 = msg("620", dup194); - -var msg1177 = msg("620:01", dup229); - -var select528 = linear_select([ - msg1176, - msg1177, -]); - -var msg1178 = msg("621", dup194); - -var msg1179 = msg("621:01", dup229); - -var select529 = linear_select([ - msg1178, - msg1179, -]); - -var msg1180 = msg("622", dup194); - -var msg1181 = msg("622:01", dup229); - -var select530 = linear_select([ - msg1180, - msg1181, -]); - -var msg1182 = msg("623", dup194); - -var msg1183 = msg("623:01", dup229); - -var select531 = linear_select([ - msg1182, - msg1183, -]); - -var msg1184 = msg("624", dup194); - -var msg1185 = msg("624:01", dup229); - -var select532 = linear_select([ - msg1184, - msg1185, -]); - -var msg1186 = msg("625", dup194); - -var msg1187 = msg("625:01", dup229); - -var select533 = linear_select([ - msg1186, - msg1187, -]); - -var msg1188 = msg("626", dup194); - -var msg1189 = msg("626:01", dup229); - -var select534 = linear_select([ - msg1188, - msg1189, -]); - -var msg1190 = msg("627", dup194); - -var msg1191 = msg("627:01", dup229); - -var select535 = linear_select([ - msg1190, - msg1191, -]); - -var 
msg1192 = msg("628", dup234); - -var msg1193 = msg("628:01", dup235); - -var select536 = linear_select([ - msg1192, - msg1193, -]); - -var msg1194 = msg("629", dup225); - -var msg1195 = msg("629:01", dup226); - -var select537 = linear_select([ - msg1194, - msg1195, -]); - -var msg1196 = msg("630", dup234); - -var msg1197 = msg("630:01", dup229); - -var select538 = linear_select([ - msg1196, - msg1197, -]); - -var all37 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup97, - dup31, - dup45, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var msg1198 = msg("631", all37); - -var msg1199 = msg("631:01", dup251); - -var select539 = linear_select([ - msg1198, - msg1199, -]); - -var msg1200 = msg("632", dup250); - -var msg1201 = msg("632:01", dup251); - -var select540 = linear_select([ - msg1200, - msg1201, -]); - -var msg1202 = msg("634", dup194); - -var msg1203 = msg("634:01", dup229); - -var select541 = linear_select([ - msg1202, - msg1203, -]); - -var msg1204 = msg("635", dup194); - -var msg1205 = msg("635:01", dup229); - -var select542 = linear_select([ - msg1204, - msg1205, -]); - -var msg1206 = msg("636", dup194); - -var msg1207 = msg("636:01", dup229); - -var select543 = linear_select([ - msg1206, - msg1207, -]); - -var msg1208 = msg("637", dup194); - -var msg1209 = msg("637:01", dup229); - -var select544 = linear_select([ - msg1208, - msg1209, -]); - -var msg1210 = msg("638", dup196); - -var msg1211 = msg("638:01", dup217); - -var select545 = linear_select([ - msg1210, - msg1211, -]); - -var msg1212 = msg("639", dup196); - -var msg1213 = msg("639:01", dup217); - -var select546 = linear_select([ - msg1212, - msg1213, -]); - -var msg1214 = msg("640", dup196); - -var msg1215 = msg("640:01", dup217); - -var select547 = linear_select([ - msg1214, - msg1215, -]); - -var msg1216 = msg("641", dup196); - -var 
msg1217 = msg("641:01", dup217); - -var select548 = linear_select([ - msg1216, - msg1217, -]); - -var msg1218 = msg("642", dup196); - -var msg1219 = msg("642:01", dup217); - -var select549 = linear_select([ - msg1218, - msg1219, -]); - -var msg1220 = msg("643", dup196); - -var msg1221 = msg("643:01", dup217); - -var select550 = linear_select([ - msg1220, - msg1221, -]); - -var msg1222 = msg("644", dup196); - -var msg1223 = msg("644:01", dup217); - -var select551 = linear_select([ - msg1222, - msg1223, -]); - -var msg1224 = msg("645", dup196); - -var msg1225 = msg("645:01", dup217); - -var select552 = linear_select([ - msg1224, - msg1225, -]); - -var msg1226 = msg("646", dup196); - -var msg1227 = msg("646:01", dup217); - -var select553 = linear_select([ - msg1226, - msg1227, -]); - -var msg1228 = msg("647", dup196); - -var msg1229 = msg("647:01", dup217); - -var select554 = linear_select([ - msg1228, - msg1229, -]); - -var msg1230 = msg("648", dup196); - -var msg1231 = msg("648:01", dup217); - -var select555 = linear_select([ - msg1230, - msg1231, -]); - -var msg1232 = msg("649", dup196); - -var msg1233 = msg("649:01", dup217); - -var select556 = linear_select([ - msg1232, - msg1233, -]); - -var msg1234 = msg("650", dup196); - -var msg1235 = msg("650:01", dup217); - -var select557 = linear_select([ - msg1234, - msg1235, -]); - -var msg1236 = msg("651", dup196); - -var msg1237 = msg("651:01", dup217); - -var select558 = linear_select([ - msg1236, - msg1237, -]); - -var msg1238 = msg("652", dup196); - -var msg1239 = msg("652:01", dup217); - -var select559 = linear_select([ - msg1238, - msg1239, -]); - -var msg1240 = msg("653", dup196); - -var msg1241 = msg("653:01", dup217); - -var select560 = linear_select([ - msg1240, - msg1241, -]); - -var msg1242 = msg("654", dup197); - -var msg1243 = msg("654:01", dup221); - -var select561 = linear_select([ - msg1242, - msg1243, -]); - -var msg1244 = msg("655", dup250); - -var msg1245 = msg("655:01", dup251); - -var select562 = 
linear_select([ - msg1244, - msg1245, -]); - -var msg1246 = msg("656", dup197); - -var msg1247 = msg("656:01", dup221); - -var select563 = linear_select([ - msg1246, - msg1247, -]); - -var msg1248 = msg("657", dup197); - -var msg1249 = msg("657:01", dup221); - -var select564 = linear_select([ - msg1248, - msg1249, -]); - -var msg1250 = msg("658", dup198); - -var msg1251 = msg("658:01", dup220); - -var select565 = linear_select([ - msg1250, - msg1251, -]); - -var msg1252 = msg("659", dup250); - -var msg1253 = msg("659:01", dup251); - -var select566 = linear_select([ - msg1252, - msg1253, -]); - -var msg1254 = msg("660", dup250); - -var msg1255 = msg("660:01", dup251); - -var select567 = linear_select([ - msg1254, - msg1255, -]); - -var msg1256 = msg("661", dup250); - -var msg1257 = msg("661:01", dup251); - -var select568 = linear_select([ - msg1256, - msg1257, -]); - -var msg1258 = msg("662", dup250); - -var msg1259 = msg("662:01", dup251); - -var select569 = linear_select([ - msg1258, - msg1259, -]); - -var msg1260 = msg("663", dup250); - -var msg1261 = msg("663:01", dup251); - -var select570 = linear_select([ - msg1260, - msg1261, -]); - -var msg1262 = msg("664", dup250); - -var msg1263 = msg("664:01", dup251); - -var select571 = linear_select([ - msg1262, - msg1263, -]); - -var msg1264 = msg("665", dup250); - -var msg1265 = msg("665:01", dup251); - -var select572 = linear_select([ - msg1264, - msg1265, -]); - -var msg1266 = msg("666", dup250); - -var msg1267 = msg("666:01", dup251); - -var select573 = linear_select([ - msg1266, - msg1267, -]); - -var msg1268 = msg("667", dup250); - -var msg1269 = msg("667:01", dup251); - -var select574 = linear_select([ - msg1268, - msg1269, -]); - -var msg1270 = msg("668", dup250); - -var msg1271 = msg("668:01", dup251); - -var select575 = linear_select([ - msg1270, - msg1271, -]); - -var msg1272 = msg("669", dup250); - -var msg1273 = msg("669:01", dup251); - -var select576 = linear_select([ - msg1272, - msg1273, -]); - -var 
msg1274 = msg("670", dup250); - -var msg1275 = msg("670:01", dup251); - -var select577 = linear_select([ - msg1274, - msg1275, -]); - -var msg1276 = msg("671", dup250); - -var msg1277 = msg("671:01", dup251); - -var select578 = linear_select([ - msg1276, - msg1277, -]); - -var msg1278 = msg("672", dup250); - -var msg1279 = msg("672:01", dup251); - -var select579 = linear_select([ - msg1278, - msg1279, -]); - -var msg1280 = msg("673", dup260); - -var msg1281 = msg("673:01", dup261); - -var select580 = linear_select([ - msg1280, - msg1281, -]); - -var msg1282 = msg("674", dup197); - -var msg1283 = msg("674:01", dup221); - -var select581 = linear_select([ - msg1282, - msg1283, -]); - -var msg1284 = msg("675", dup197); - -var msg1285 = msg("675:01", dup221); - -var select582 = linear_select([ - msg1284, - msg1285, -]); - -var msg1286 = msg("676", dup260); - -var msg1287 = msg("676:01", dup261); - -var select583 = linear_select([ - msg1286, - msg1287, -]); - -var msg1288 = msg("677", dup196); - -var msg1289 = msg("677:01", dup217); - -var select584 = linear_select([ - msg1288, - msg1289, -]); - -var msg1290 = msg("678", dup196); - -var msg1291 = msg("678:01", dup217); - -var select585 = linear_select([ - msg1290, - msg1291, -]); - -var msg1292 = msg("679", dup196); - -var msg1293 = msg("679:01", dup217); - -var select586 = linear_select([ - msg1292, - msg1293, -]); - -var msg1294 = msg("680", dup236); - -var msg1295 = msg("680:01", dup237); - -var select587 = linear_select([ - msg1294, - msg1295, -]); - -var msg1296 = msg("681", dup260); - -var msg1297 = msg("681:01", dup261); - -var select588 = linear_select([ - msg1296, - msg1297, -]); - -var msg1298 = msg("682", dup197); - -var msg1299 = msg("682:01", dup221); - -var select589 = linear_select([ - msg1298, - msg1299, -]); - -var msg1300 = msg("683", dup196); - -var msg1301 = msg("683:01", dup217); - -var select590 = linear_select([ - msg1300, - msg1301, -]); - -var msg1302 = msg("684", dup196); - -var msg1303 = 
msg("684:01", dup217); - -var select591 = linear_select([ - msg1302, - msg1303, -]); - -var msg1304 = msg("685", dup196); - -var msg1305 = msg("685:01", dup217); - -var select592 = linear_select([ - msg1304, - msg1305, -]); - -var msg1306 = msg("686", dup240); - -var msg1307 = msg("686:01", dup241); - -var select593 = linear_select([ - msg1306, - msg1307, -]); - -var msg1308 = msg("687", dup260); - -var msg1309 = msg("687:01", dup261); - -var select594 = linear_select([ - msg1308, - msg1309, -]); - -var msg1310 = msg("688", dup236); - -var msg1311 = msg("688:01", dup237); - -var select595 = linear_select([ - msg1310, - msg1311, -]); - -var msg1312 = msg("689", dup240); - -var msg1313 = msg("689:01", dup241); - -var select596 = linear_select([ - msg1312, - msg1313, -]); - -var msg1314 = msg("690", dup197); - -var msg1315 = msg("690:01", dup221); - -var select597 = linear_select([ - msg1314, - msg1315, -]); - -var msg1316 = msg("691", dup240); - -var msg1317 = msg("691:01", dup241); - -var select598 = linear_select([ - msg1316, - msg1317, -]); - -var msg1318 = msg("692", dup240); - -var msg1319 = msg("692:01", dup241); - -var select599 = linear_select([ - msg1318, - msg1319, -]); - -var msg1320 = msg("693", dup240); - -var msg1321 = msg("693:01", dup241); - -var select600 = linear_select([ - msg1320, - msg1321, -]); - -var msg1322 = msg("694", dup240); - -var msg1323 = msg("694:01", dup241); - -var select601 = linear_select([ - msg1322, - msg1323, -]); - -var msg1324 = msg("695", dup197); - -var msg1325 = msg("695:01", dup221); - -var select602 = linear_select([ - msg1324, - msg1325, -]); - -var msg1326 = msg("696", dup197); - -var msg1327 = msg("696:01", dup221); - -var select603 = linear_select([ - msg1326, - msg1327, -]); - -var msg1328 = msg("697", dup197); - -var msg1329 = msg("697:01", dup221); - -var select604 = linear_select([ - msg1328, - msg1329, -]); - -var msg1330 = msg("698", dup197); - -var msg1331 = msg("698:01", dup221); - -var select605 = 
linear_select([ - msg1330, - msg1331, -]); - -var msg1332 = msg("699", dup197); - -var msg1333 = msg("699:01", dup221); - -var select606 = linear_select([ - msg1332, - msg1333, -]); - -var msg1334 = msg("700", dup197); - -var msg1335 = msg("700:01", dup221); - -var select607 = linear_select([ - msg1334, - msg1335, -]); - -var msg1336 = msg("701", dup197); - -var msg1337 = msg("701:01", dup221); - -var select608 = linear_select([ - msg1336, - msg1337, -]); - -var msg1338 = msg("702", dup197); - -var msg1339 = msg("702:01", dup221); - -var select609 = linear_select([ - msg1338, - msg1339, -]); - -var msg1340 = msg("703", dup197); - -var msg1341 = msg("703:01", dup221); - -var select610 = linear_select([ - msg1340, - msg1341, -]); - -var msg1342 = msg("704", dup197); - -var msg1343 = msg("704:01", dup221); - -var select611 = linear_select([ - msg1342, - msg1343, -]); - -var msg1344 = msg("705", dup197); - -var msg1345 = msg("705:01", dup221); - -var select612 = linear_select([ - msg1344, - msg1345, -]); - -var msg1346 = msg("706", dup197); - -var msg1347 = msg("706:01", dup221); - -var select613 = linear_select([ - msg1346, - msg1347, -]); - -var msg1348 = msg("707", dup197); - -var msg1349 = msg("707:01", dup221); - -var select614 = linear_select([ - msg1348, - msg1349, -]); - -var msg1350 = msg("708", dup197); - -var msg1351 = msg("708:01", dup221); - -var select615 = linear_select([ - msg1350, - msg1351, -]); - -var msg1352 = msg("709", dup248); - -var msg1353 = msg("709:01", dup249); - -var select616 = linear_select([ - msg1352, - msg1353, -]); - -var msg1354 = msg("710", dup248); - -var msg1355 = msg("710:01", dup249); - -var select617 = linear_select([ - msg1354, - msg1355, -]); - -var msg1356 = msg("711", dup196); - -var msg1357 = msg("711:01", dup217); - -var select618 = linear_select([ - msg1356, - msg1357, -]); - -var msg1358 = msg("712", dup196); - -var msg1359 = msg("712:01", dup217); - -var select619 = linear_select([ - msg1358, - msg1359, -]); - -var 
msg1360 = msg("713", dup198); - -var msg1361 = msg("713:01", dup220); - -var select620 = linear_select([ - msg1360, - msg1361, -]); - -var msg1362 = msg("714", dup196); - -var msg1363 = msg("714:01", dup217); - -var select621 = linear_select([ - msg1362, - msg1363, -]); - -var msg1364 = msg("715", dup248); - -var msg1365 = msg("715:01", dup249); - -var select622 = linear_select([ - msg1364, - msg1365, -]); - -var msg1366 = msg("716", dup248); - -var msg1367 = msg("716:01", dup249); - -var select623 = linear_select([ - msg1366, - msg1367, -]); - -var msg1368 = msg("717", dup196); - -var msg1369 = msg("717:01", dup217); - -var select624 = linear_select([ - msg1368, - msg1369, -]); - -var msg1370 = msg("718", dup196); - -var msg1371 = msg("718:01", dup217); - -var select625 = linear_select([ - msg1370, - msg1371, -]); - -var msg1372 = msg("719", dup196); - -var msg1373 = msg("719:01", dup217); - -var select626 = linear_select([ - msg1372, - msg1373, -]); - -var msg1374 = msg("720", dup192); - -var msg1375 = msg("720:01", dup262); - -var select627 = linear_select([ - msg1374, - msg1375, -]); - -var msg1376 = msg("721", dup263); - -var msg1377 = msg("721:01", dup264); - -var select628 = linear_select([ - msg1376, - msg1377, -]); - -var msg1378 = msg("722", dup238); - -var msg1379 = msg("722:01", dup239); - -var select629 = linear_select([ - msg1378, - msg1379, -]); - -var msg1380 = msg("723", dup238); - -var msg1381 = msg("723:01", dup239); - -var select630 = linear_select([ - msg1380, - msg1381, -]); - -var msg1382 = msg("724", dup238); - -var msg1383 = msg("724:01", dup239); - -var select631 = linear_select([ - msg1382, - msg1383, -]); - -var msg1384 = msg("725", dup238); - -var msg1385 = msg("725:01", dup239); - -var select632 = linear_select([ - msg1384, - msg1385, -]); - -var msg1386 = msg("726", dup238); - -var msg1387 = msg("726:01", dup239); - -var select633 = linear_select([ - msg1386, - msg1387, -]); - -var msg1388 = msg("727", dup238); - -var msg1389 = 
msg("727:01", dup239); - -var select634 = linear_select([ - msg1388, - msg1389, -]); - -var msg1390 = msg("728", dup238); - -var msg1391 = msg("728:01", dup239); - -var select635 = linear_select([ - msg1390, - msg1391, -]); - -var msg1392 = msg("729", dup263); - -var msg1393 = msg("729:01", dup264); - -var select636 = linear_select([ - msg1392, - msg1393, -]); - -var msg1394 = msg("730", dup263); - -var msg1395 = msg("730:01", dup264); - -var select637 = linear_select([ - msg1394, - msg1395, -]); - -var msg1396 = msg("731", dup238); - -var msg1397 = msg("731:01", dup239); - -var select638 = linear_select([ - msg1396, - msg1397, -]); - -var msg1398 = msg("732", dup238); - -var msg1399 = msg("732:01", dup239); - -var select639 = linear_select([ - msg1398, - msg1399, -]); - -var msg1400 = msg("733", dup238); - -var msg1401 = msg("733:01", dup239); - -var select640 = linear_select([ - msg1400, - msg1401, -]); - -var msg1402 = msg("734", dup238); - -var msg1403 = msg("734:01", dup239); - -var select641 = linear_select([ - msg1402, - msg1403, -]); - -var msg1404 = msg("735", dup238); - -var msg1405 = msg("735:01", dup239); - -var select642 = linear_select([ - msg1404, - msg1405, -]); - -var msg1406 = msg("736", dup263); - -var msg1407 = msg("736:01", dup264); - -var select643 = linear_select([ - msg1406, - msg1407, -]); - -var msg1408 = msg("737", dup263); - -var msg1409 = msg("737:01", dup264); - -var select644 = linear_select([ - msg1408, - msg1409, -]); - -var msg1410 = msg("738", dup263); - -var msg1411 = msg("738:01", dup264); - -var select645 = linear_select([ - msg1410, - msg1411, -]); - -var msg1412 = msg("739", dup238); - -var msg1413 = msg("739:01", dup239); - -var select646 = linear_select([ - msg1412, - msg1413, -]); - -var msg1414 = msg("740", dup263); - -var msg1415 = msg("740:01", dup264); - -var select647 = linear_select([ - msg1414, - msg1415, -]); - -var msg1416 = msg("741", dup238); - -var msg1417 = msg("741:01", dup239); - -var select648 = 
linear_select([ - msg1416, - msg1417, -]); - -var msg1418 = msg("742", dup238); - -var msg1419 = msg("742:01", dup239); - -var select649 = linear_select([ - msg1418, - msg1419, -]); - -var msg1420 = msg("743", dup238); - -var msg1421 = msg("743:01", dup239); - -var select650 = linear_select([ - msg1420, - msg1421, -]); - -var msg1422 = msg("744", dup238); - -var msg1423 = msg("744:01", dup239); - -var select651 = linear_select([ - msg1422, - msg1423, -]); - -var msg1424 = msg("745", dup238); - -var msg1425 = msg("745:01", dup239); - -var select652 = linear_select([ - msg1424, - msg1425, -]); - -var msg1426 = msg("746", dup238); - -var msg1427 = msg("746:01", dup239); - -var select653 = linear_select([ - msg1426, - msg1427, -]); - -var msg1428 = msg("747", dup238); - -var msg1429 = msg("747:01", dup239); - -var select654 = linear_select([ - msg1428, - msg1429, -]); - -var msg1430 = msg("748", dup238); - -var msg1431 = msg("748:01", dup239); - -var select655 = linear_select([ - msg1430, - msg1431, -]); - -var msg1432 = msg("749", dup238); - -var msg1433 = msg("749:01", dup239); - -var select656 = linear_select([ - msg1432, - msg1433, -]); - -var msg1434 = msg("751", dup238); - -var msg1435 = msg("751:01", dup239); - -var select657 = linear_select([ - msg1434, - msg1435, -]); - -var msg1436 = msg("752", dup238); - -var msg1437 = msg("752:01", dup239); - -var select658 = linear_select([ - msg1436, - msg1437, -]); - -var msg1438 = msg("753", dup238); - -var msg1439 = msg("753:01", dup239); - -var select659 = linear_select([ - msg1438, - msg1439, -]); - -var msg1440 = msg("754", dup263); - -var msg1441 = msg("754:01", dup264); - -var select660 = linear_select([ - msg1440, - msg1441, -]); - -var msg1442 = msg("755", dup238); - -var msg1443 = msg("755:01", dup239); - -var select661 = linear_select([ - msg1442, - msg1443, -]); - -var msg1444 = msg("756", dup238); - -var msg1445 = msg("756:01", dup239); - -var select662 = linear_select([ - msg1444, - msg1445, -]); - -var 
msg1446 = msg("757", dup192); - -var msg1447 = msg("757:01", dup262); - -var select663 = linear_select([ - msg1446, - msg1447, -]); - -var msg1448 = msg("758", dup192); - -var msg1449 = msg("758:01", dup262); - -var select664 = linear_select([ - msg1448, - msg1449, -]); - -var msg1450 = msg("759", dup263); - -var msg1451 = msg("759:01", dup264); - -var select665 = linear_select([ - msg1450, - msg1451, -]); - -var msg1452 = msg("760", dup238); - -var msg1453 = msg("760:01", dup239); - -var select666 = linear_select([ - msg1452, - msg1453, -]); - -var msg1454 = msg("761", dup238); - -var msg1455 = msg("761:01", dup239); - -var select667 = linear_select([ - msg1454, - msg1455, -]); - -var msg1456 = msg("762", dup238); - -var msg1457 = msg("762:01", dup239); - -var select668 = linear_select([ - msg1456, - msg1457, -]); - -var msg1458 = msg("763", dup238); - -var msg1459 = msg("763:01", dup239); - -var select669 = linear_select([ - msg1458, - msg1459, -]); - -var msg1460 = msg("764", dup238); - -var msg1461 = msg("764:01", dup239); - -var select670 = linear_select([ - msg1460, - msg1461, -]); - -var msg1462 = msg("765", dup238); - -var msg1463 = msg("765:01", dup239); - -var select671 = linear_select([ - msg1462, - msg1463, -]); - -var msg1464 = msg("766", dup238); - -var msg1465 = msg("766:01", dup239); - -var select672 = linear_select([ - msg1464, - msg1465, -]); - -var msg1466 = msg("767", dup238); - -var msg1467 = msg("767:01", dup239); - -var select673 = linear_select([ - msg1466, - msg1467, -]); - -var msg1468 = msg("768", dup238); - -var msg1469 = msg("768:01", dup239); - -var select674 = linear_select([ - msg1468, - msg1469, -]); - -var msg1470 = msg("769", dup238); - -var msg1471 = msg("769:01", dup239); - -var select675 = linear_select([ - msg1470, - msg1471, -]); - -var msg1472 = msg("770", dup238); - -var msg1473 = msg("770:01", dup239); - -var select676 = linear_select([ - msg1472, - msg1473, -]); - -var msg1474 = msg("771", dup192); - -var msg1475 = 
msg("771:01", dup262); - -var select677 = linear_select([ - msg1474, - msg1475, -]); - -var msg1476 = msg("772", dup192); - -var msg1477 = msg("772:01", dup262); - -var select678 = linear_select([ - msg1476, - msg1477, -]); - -var msg1478 = msg("773", dup263); - -var msg1479 = msg("773:01", dup264); - -var select679 = linear_select([ - msg1478, - msg1479, -]); - -var msg1480 = msg("774", dup192); - -var msg1481 = msg("774:01", dup262); - -var select680 = linear_select([ - msg1480, - msg1481, -]); - -var msg1482 = msg("775", dup238); - -var msg1483 = msg("775:01", dup239); - -var select681 = linear_select([ - msg1482, - msg1483, -]); - -var msg1484 = msg("776", dup238); - -var msg1485 = msg("776:01", dup239); - -var select682 = linear_select([ - msg1484, - msg1485, -]); - -var msg1486 = msg("777", dup238); - -var msg1487 = msg("777:01", dup239); - -var select683 = linear_select([ - msg1486, - msg1487, -]); - -var msg1488 = msg("778", dup263); - -var msg1489 = msg("778:01", dup264); - -var select684 = linear_select([ - msg1488, - msg1489, -]); - -var msg1490 = msg("779", dup238); - -var msg1491 = msg("779:01", dup239); - -var select685 = linear_select([ - msg1490, - msg1491, -]); - -var msg1492 = msg("780", dup238); - -var msg1493 = msg("780:01", dup239); - -var select686 = linear_select([ - msg1492, - msg1493, -]); - -var msg1494 = msg("781", dup238); - -var msg1495 = msg("781:01", dup239); - -var select687 = linear_select([ - msg1494, - msg1495, -]); - -var msg1496 = msg("782", dup238); - -var msg1497 = msg("782:01", dup239); - -var select688 = linear_select([ - msg1496, - msg1497, -]); - -var msg1498 = msg("783", dup238); - -var msg1499 = msg("783:01", dup239); - -var select689 = linear_select([ - msg1498, - msg1499, -]); - -var msg1500 = msg("784", dup238); - -var msg1501 = msg("784:01", dup239); - -var select690 = linear_select([ - msg1500, - msg1501, -]); - -var msg1502 = msg("785", dup238); - -var msg1503 = msg("785:01", dup239); - -var select691 = 
linear_select([ - msg1502, - msg1503, -]); - -var msg1504 = msg("786", dup238); - -var msg1505 = msg("786:01", dup239); - -var select692 = linear_select([ - msg1504, - msg1505, -]); - -var msg1506 = msg("787", dup238); - -var msg1507 = msg("787:01", dup239); - -var select693 = linear_select([ - msg1506, - msg1507, -]); - -var msg1508 = msg("788", dup238); - -var msg1509 = msg("788:01", dup239); - -var select694 = linear_select([ - msg1508, - msg1509, -]); - -var msg1510 = msg("789", dup238); - -var msg1511 = msg("789:01", dup239); - -var select695 = linear_select([ - msg1510, - msg1511, -]); - -var msg1512 = msg("790", dup238); - -var msg1513 = msg("790:01", dup239); - -var select696 = linear_select([ - msg1512, - msg1513, -]); - -var msg1514 = msg("791", dup238); - -var msg1515 = msg("791:01", dup239); - -var select697 = linear_select([ - msg1514, - msg1515, -]); - -var msg1516 = msg("792", dup238); - -var msg1517 = msg("792:01", dup239); - -var select698 = linear_select([ - msg1516, - msg1517, -]); - -var msg1518 = msg("793", dup263); - -var msg1519 = msg("793:01", dup264); - -var select699 = linear_select([ - msg1518, - msg1519, -]); - -var msg1520 = msg("794", dup238); - -var msg1521 = msg("794:01", dup239); - -var select700 = linear_select([ - msg1520, - msg1521, -]); - -var msg1522 = msg("795", dup238); - -var msg1523 = msg("795:01", dup239); - -var select701 = linear_select([ - msg1522, - msg1523, -]); - -var msg1524 = msg("796", dup238); - -var msg1525 = msg("796:01", dup239); - -var select702 = linear_select([ - msg1524, - msg1525, -]); - -var msg1526 = msg("797", dup238); - -var msg1527 = msg("797:01", dup239); - -var select703 = linear_select([ - msg1526, - msg1527, -]); - -var msg1528 = msg("798", dup238); - -var msg1529 = msg("798:01", dup239); - -var select704 = linear_select([ - msg1528, - msg1529, -]); - -var msg1530 = msg("799", dup238); - -var msg1531 = msg("799:01", dup239); - -var select705 = linear_select([ - msg1530, - msg1531, -]); - -var 
msg1532 = msg("800", dup238); - -var msg1533 = msg("800:01", dup239); - -var select706 = linear_select([ - msg1532, - msg1533, -]); - -var msg1534 = msg("801", dup238); - -var msg1535 = msg("801:01", dup239); - -var select707 = linear_select([ - msg1534, - msg1535, -]); - -var msg1536 = msg("802", dup192); - -var msg1537 = msg("802:01", dup262); - -var select708 = linear_select([ - msg1536, - msg1537, -]); - -var msg1538 = msg("803", dup265); - -var msg1539 = msg("803:01", dup266); - -var select709 = linear_select([ - msg1538, - msg1539, -]); - -var msg1540 = msg("804", dup267); - -var msg1541 = msg("804:01", dup268); - -var select710 = linear_select([ - msg1540, - msg1541, -]); - -var msg1542 = msg("805", dup265); - -var msg1543 = msg("805:01", dup266); - -var select711 = linear_select([ - msg1542, - msg1543, -]); - -var msg1544 = msg("806", dup265); - -var msg1545 = msg("806:01", dup266); - -var select712 = linear_select([ - msg1544, - msg1545, -]); - -var msg1546 = msg("807", dup265); - -var msg1547 = msg("807:01", dup266); - -var select713 = linear_select([ - msg1546, - msg1547, -]); - -var msg1548 = msg("808", dup265); - -var msg1549 = msg("808:01", dup266); - -var select714 = linear_select([ - msg1548, - msg1549, -]); - -var msg1550 = msg("809", dup269); - -var msg1551 = msg("809:01", dup270); - -var select715 = linear_select([ - msg1550, - msg1551, -]); - -var msg1552 = msg("810", dup265); - -var msg1553 = msg("810:01", dup266); - -var select716 = linear_select([ - msg1552, - msg1553, -]); - -var msg1554 = msg("811", dup265); - -var msg1555 = msg("811:01", dup266); - -var select717 = linear_select([ - msg1554, - msg1555, -]); - -var msg1556 = msg("812", dup265); - -var msg1557 = msg("812:01", dup266); - -var select718 = linear_select([ - msg1556, - msg1557, -]); - -var msg1558 = msg("813", dup265); - -var msg1559 = msg("813:01", dup266); - -var select719 = linear_select([ - msg1558, - msg1559, -]); - -var msg1560 = msg("815", dup265); - -var msg1561 = 
msg("815:01", dup266); - -var select720 = linear_select([ - msg1560, - msg1561, -]); - -var msg1562 = msg("817", dup265); - -var msg1563 = msg("817:01", dup266); - -var select721 = linear_select([ - msg1562, - msg1563, -]); - -var msg1564 = msg("818", dup265); - -var msg1565 = msg("818:01", dup266); - -var select722 = linear_select([ - msg1564, - msg1565, -]); - -var msg1566 = msg("819", dup265); - -var msg1567 = msg("819:01", dup266); - -var select723 = linear_select([ - msg1566, - msg1567, -]); - -var msg1568 = msg("820", dup265); - -var msg1569 = msg("820:01", dup266); - -var select724 = linear_select([ - msg1568, - msg1569, -]); - -var msg1570 = msg("821", dup267); - -var msg1571 = msg("821:01", dup268); - -var select725 = linear_select([ - msg1570, - msg1571, -]); - -var msg1572 = msg("823", dup265); - -var msg1573 = msg("823:01", dup266); - -var select726 = linear_select([ - msg1572, - msg1573, -]); - -var msg1574 = msg("824", dup265); - -var msg1575 = msg("824:01", dup266); - -var select727 = linear_select([ - msg1574, - msg1575, -]); - -var msg1576 = msg("825", dup265); - -var msg1577 = msg("825:01", dup266); - -var select728 = linear_select([ - msg1576, - msg1577, -]); - -var msg1578 = msg("826", dup265); - -var msg1579 = msg("826:01", dup266); - -var select729 = linear_select([ - msg1578, - msg1579, -]); - -var msg1580 = msg("827", dup265); - -var msg1581 = msg("827:01", dup266); - -var select730 = linear_select([ - msg1580, - msg1581, -]); - -var msg1582 = msg("828", dup265); - -var msg1583 = msg("828:01", dup266); - -var select731 = linear_select([ - msg1582, - msg1583, -]); - -var msg1584 = msg("829", dup265); - -var msg1585 = msg("829:01", dup266); - -var select732 = linear_select([ - msg1584, - msg1585, -]); - -var msg1586 = msg("830", dup265); - -var msg1587 = msg("830:01", dup266); - -var select733 = linear_select([ - msg1586, - msg1587, -]); - -var msg1588 = msg("832", dup265); - -var msg1589 = msg("832:01", dup266); - -var select734 = 
linear_select([ - msg1588, - msg1589, -]); - -var msg1590 = msg("833", dup265); - -var msg1591 = msg("833:01", dup266); - -var select735 = linear_select([ - msg1590, - msg1591, -]); - -var msg1592 = msg("834", dup265); - -var msg1593 = msg("834:01", dup266); - -var select736 = linear_select([ - msg1592, - msg1593, -]); - -var msg1594 = msg("835", dup265); - -var msg1595 = msg("835:01", dup266); - -var select737 = linear_select([ - msg1594, - msg1595, -]); - -var msg1596 = msg("836", dup265); - -var msg1597 = msg("836:01", dup266); - -var select738 = linear_select([ - msg1596, - msg1597, -]); - -var msg1598 = msg("837", dup265); - -var msg1599 = msg("837:01", dup266); - -var select739 = linear_select([ - msg1598, - msg1599, -]); - -var msg1600 = msg("838", dup265); - -var msg1601 = msg("838:01", dup266); - -var select740 = linear_select([ - msg1600, - msg1601, -]); - -var msg1602 = msg("839", dup225); - -var msg1603 = msg("839:01", dup226); - -var select741 = linear_select([ - msg1602, - msg1603, -]); - -var msg1604 = msg("840", dup265); - -var msg1605 = msg("840:01", dup266); - -var select742 = linear_select([ - msg1604, - msg1605, -]); - -var msg1606 = msg("841", dup265); - -var msg1607 = msg("841:01", dup266); - -var select743 = linear_select([ - msg1606, - msg1607, -]); - -var msg1608 = msg("842", dup265); - -var msg1609 = msg("842:01", dup266); - -var select744 = linear_select([ - msg1608, - msg1609, -]); - -var msg1610 = msg("843", dup265); - -var msg1611 = msg("843:01", dup266); - -var select745 = linear_select([ - msg1610, - msg1611, -]); - -var msg1612 = msg("844", dup265); - -var msg1613 = msg("844:01", dup266); - -var select746 = linear_select([ - msg1612, - msg1613, -]); - -var msg1614 = msg("845", dup265); - -var msg1615 = msg("845:01", dup266); - -var select747 = linear_select([ - msg1614, - msg1615, -]); - -var msg1616 = msg("846", dup265); - -var msg1617 = msg("846:01", dup266); - -var select748 = linear_select([ - msg1616, - msg1617, -]); - -var 
msg1618 = msg("847", dup265); - -var msg1619 = msg("847:01", dup266); - -var select749 = linear_select([ - msg1618, - msg1619, -]); - -var msg1620 = msg("848", dup265); - -var msg1621 = msg("848:01", dup266); - -var select750 = linear_select([ - msg1620, - msg1621, -]); - -var msg1622 = msg("849", dup265); - -var msg1623 = msg("849:01", dup266); - -var select751 = linear_select([ - msg1622, - msg1623, -]); - -var msg1624 = msg("850", dup265); - -var msg1625 = msg("850:01", dup266); - -var select752 = linear_select([ - msg1624, - msg1625, -]); - -var msg1626 = msg("851", dup265); - -var msg1627 = msg("851:01", dup266); - -var select753 = linear_select([ - msg1626, - msg1627, -]); - -var msg1628 = msg("852", dup265); - -var msg1629 = msg("852:01", dup266); - -var select754 = linear_select([ - msg1628, - msg1629, -]); - -var msg1630 = msg("853", dup265); - -var msg1631 = msg("853:01", dup266); - -var select755 = linear_select([ - msg1630, - msg1631, -]); - -var msg1632 = msg("854", dup265); - -var msg1633 = msg("854:01", dup266); - -var select756 = linear_select([ - msg1632, - msg1633, -]); - -var msg1634 = msg("855", dup265); - -var msg1635 = msg("855:01", dup266); - -var select757 = linear_select([ - msg1634, - msg1635, -]); - -var msg1636 = msg("856", dup265); - -var msg1637 = msg("856:01", dup266); - -var select758 = linear_select([ - msg1636, - msg1637, -]); - -var msg1638 = msg("857", dup265); - -var msg1639 = msg("857:01", dup266); - -var select759 = linear_select([ - msg1638, - msg1639, -]); - -var msg1640 = msg("858", dup265); - -var msg1641 = msg("858:01", dup266); - -var select760 = linear_select([ - msg1640, - msg1641, -]); - -var msg1642 = msg("859", dup265); - -var msg1643 = msg("859:01", dup266); - -var select761 = linear_select([ - msg1642, - msg1643, -]); - -var msg1644 = msg("860", dup265); - -var msg1645 = msg("860:01", dup266); - -var select762 = linear_select([ - msg1644, - msg1645, -]); - -var msg1646 = msg("861", dup240); - -var msg1647 = 
msg("861:01", dup241); - -var select763 = linear_select([ - msg1646, - msg1647, -]); - -var msg1648 = msg("862", dup265); - -var msg1649 = msg("862:01", dup266); - -var select764 = linear_select([ - msg1648, - msg1649, -]); - -var msg1650 = msg("863", dup265); - -var msg1651 = msg("863:01", dup266); - -var select765 = linear_select([ - msg1650, - msg1651, -]); - -var msg1652 = msg("864", dup265); - -var msg1653 = msg("864:01", dup266); - -var select766 = linear_select([ - msg1652, - msg1653, -]); - -var msg1654 = msg("865", dup265); - -var msg1655 = msg("865:01", dup266); - -var select767 = linear_select([ - msg1654, - msg1655, -]); - -var msg1656 = msg("866", dup265); - -var msg1657 = msg("866:01", dup266); - -var select768 = linear_select([ - msg1656, - msg1657, -]); - -var msg1658 = msg("867", dup265); - -var msg1659 = msg("867:01", dup266); - -var select769 = linear_select([ - msg1658, - msg1659, -]); - -var msg1660 = msg("868", dup265); - -var msg1661 = msg("868:01", dup266); - -var select770 = linear_select([ - msg1660, - msg1661, -]); - -var msg1662 = msg("869", dup265); - -var msg1663 = msg("869:01", dup266); - -var select771 = linear_select([ - msg1662, - msg1663, -]); - -var msg1664 = msg("870", dup265); - -var msg1665 = msg("870:01", dup266); - -var select772 = linear_select([ - msg1664, - msg1665, -]); - -var msg1666 = msg("871", dup265); - -var msg1667 = msg("871:01", dup266); - -var select773 = linear_select([ - msg1666, - msg1667, -]); - -var msg1668 = msg("872", dup265); - -var msg1669 = msg("872:01", dup266); - -var select774 = linear_select([ - msg1668, - msg1669, -]); - -var msg1670 = msg("873", dup265); - -var msg1671 = msg("873:01", dup266); - -var select775 = linear_select([ - msg1670, - msg1671, -]); - -var msg1672 = msg("874", dup240); - -var msg1673 = msg("874:01", dup241); - -var select776 = linear_select([ - msg1672, - msg1673, -]); - -var msg1674 = msg("875", dup265); - -var msg1675 = msg("875:01", dup266); - -var select777 = 
linear_select([ - msg1674, - msg1675, -]); - -var msg1676 = msg("876", dup267); - -var msg1677 = msg("876:01", dup268); - -var select778 = linear_select([ - msg1676, - msg1677, -]); - -var msg1678 = msg("877", dup265); - -var msg1679 = msg("877:01", dup266); - -var select779 = linear_select([ - msg1678, - msg1679, -]); - -var msg1680 = msg("878", dup265); - -var msg1681 = msg("878:01", dup266); - -var select780 = linear_select([ - msg1680, - msg1681, -]); - -var msg1682 = msg("879", dup265); - -var msg1683 = msg("879:01", dup266); - -var select781 = linear_select([ - msg1682, - msg1683, -]); - -var msg1684 = msg("880", dup265); - -var msg1685 = msg("880:01", dup266); - -var select782 = linear_select([ - msg1684, - msg1685, -]); - -var msg1686 = msg("881", dup265); - -var msg1687 = msg("881:01", dup266); - -var select783 = linear_select([ - msg1686, - msg1687, -]); - -var msg1688 = msg("882", dup265); - -var msg1689 = msg("882:01", dup266); - -var select784 = linear_select([ - msg1688, - msg1689, -]); - -var msg1690 = msg("883", dup265); - -var msg1691 = msg("883:01", dup266); - -var select785 = linear_select([ - msg1690, - msg1691, -]); - -var msg1692 = msg("884", dup265); - -var msg1693 = msg("884:01", dup266); - -var select786 = linear_select([ - msg1692, - msg1693, -]); - -var msg1694 = msg("885", dup265); - -var msg1695 = msg("885:01", dup266); - -var select787 = linear_select([ - msg1694, - msg1695, -]); - -var msg1696 = msg("886", dup265); - -var msg1697 = msg("886:01", dup266); - -var select788 = linear_select([ - msg1696, - msg1697, -]); - -var msg1698 = msg("887", dup240); - -var msg1699 = msg("887:01", dup241); - -var select789 = linear_select([ - msg1698, - msg1699, -]); - -var msg1700 = msg("888", dup265); - -var msg1701 = msg("888:01", dup266); - -var select790 = linear_select([ - msg1700, - msg1701, -]); - -var msg1702 = msg("889", dup265); - -var msg1703 = msg("889:01", dup266); - -var select791 = linear_select([ - msg1702, - msg1703, -]); - -var 
msg1704 = msg("890", dup265); - -var msg1705 = msg("890:01", dup266); - -var select792 = linear_select([ - msg1704, - msg1705, -]); - -var msg1706 = msg("891", dup265); - -var msg1707 = msg("891:01", dup266); - -var select793 = linear_select([ - msg1706, - msg1707, -]); - -var msg1708 = msg("892", dup265); - -var msg1709 = msg("892:01", dup266); - -var select794 = linear_select([ - msg1708, - msg1709, -]); - -var msg1710 = msg("893", dup265); - -var msg1711 = msg("893:01", dup266); - -var select795 = linear_select([ - msg1710, - msg1711, -]); - -var msg1712 = msg("894", dup265); - -var msg1713 = msg("894:01", dup266); - -var select796 = linear_select([ - msg1712, - msg1713, -]); - -var msg1714 = msg("895", dup265); - -var msg1715 = msg("895:01", dup266); - -var select797 = linear_select([ - msg1714, - msg1715, -]); - -var msg1716 = msg("896", dup197); - -var msg1717 = msg("896:01", dup266); - -var select798 = linear_select([ - msg1716, - msg1717, -]); - -var msg1718 = msg("897", dup265); - -var msg1719 = msg("897:01", dup266); - -var select799 = linear_select([ - msg1718, - msg1719, -]); - -var msg1720 = msg("898", dup265); - -var msg1721 = msg("898:01", dup266); - -var select800 = linear_select([ - msg1720, - msg1721, -]); - -var msg1722 = msg("899", dup265); - -var msg1723 = msg("899:01", dup266); - -var select801 = linear_select([ - msg1722, - msg1723, -]); - -var msg1724 = msg("900", dup265); - -var msg1725 = msg("900:01", dup266); - -var select802 = linear_select([ - msg1724, - msg1725, -]); - -var msg1726 = msg("901", dup265); - -var msg1727 = msg("901:01", dup266); - -var select803 = linear_select([ - msg1726, - msg1727, -]); - -var msg1728 = msg("902", dup265); - -var msg1729 = msg("902:01", dup266); - -var select804 = linear_select([ - msg1728, - msg1729, -]); - -var msg1730 = msg("903", dup265); - -var msg1731 = msg("903:01", dup266); - -var select805 = linear_select([ - msg1730, - msg1731, -]); - -var msg1732 = msg("904", dup196); - -var msg1733 = 
msg("904:01", dup217); - -var select806 = linear_select([ - msg1732, - msg1733, -]); - -var msg1734 = msg("905", dup265); - -var msg1735 = msg("905:01", dup266); - -var select807 = linear_select([ - msg1734, - msg1735, -]); - -var msg1736 = msg("906", dup265); - -var msg1737 = msg("906:01", dup266); - -var select808 = linear_select([ - msg1736, - msg1737, -]); - -var msg1738 = msg("907", dup265); - -var msg1739 = msg("907:01", dup266); - -var select809 = linear_select([ - msg1738, - msg1739, -]); - -var msg1740 = msg("908", dup265); - -var msg1741 = msg("908:01", dup266); - -var select810 = linear_select([ - msg1740, - msg1741, -]); - -var msg1742 = msg("909", dup265); - -var msg1743 = msg("909:01", dup266); - -var select811 = linear_select([ - msg1742, - msg1743, -]); - -var msg1744 = msg("910", dup265); - -var msg1745 = msg("910:01", dup266); - -var select812 = linear_select([ - msg1744, - msg1745, -]); - -var msg1746 = msg("911", dup265); - -var msg1747 = msg("911:01", dup266); - -var select813 = linear_select([ - msg1746, - msg1747, -]); - -var msg1748 = msg("912", dup265); - -var msg1749 = msg("912:01", dup266); - -var select814 = linear_select([ - msg1748, - msg1749, -]); - -var msg1750 = msg("913", dup265); - -var msg1751 = msg("913:01", dup266); - -var select815 = linear_select([ - msg1750, - msg1751, -]); - -var msg1752 = msg("914", dup265); - -var msg1753 = msg("914:01", dup266); - -var select816 = linear_select([ - msg1752, - msg1753, -]); - -var msg1754 = msg("915", dup265); - -var msg1755 = msg("915:01", dup266); - -var select817 = linear_select([ - msg1754, - msg1755, -]); - -var msg1756 = msg("916", dup271); - -var msg1757 = msg("916:01", dup272); - -var select818 = linear_select([ - msg1756, - msg1757, -]); - -var msg1758 = msg("917", dup265); - -var msg1759 = msg("917:01", dup266); - -var select819 = linear_select([ - msg1758, - msg1759, -]); - -var msg1760 = msg("918", dup265); - -var msg1761 = msg("918:01", dup266); - -var select820 = 
linear_select([ - msg1760, - msg1761, -]); - -var msg1762 = msg("919", dup265); - -var msg1763 = msg("919:01", dup266); - -var select821 = linear_select([ - msg1762, - msg1763, -]); - -var msg1764 = msg("920", dup265); - -var msg1765 = msg("920:01", dup266); - -var select822 = linear_select([ - msg1764, - msg1765, -]); - -var msg1766 = msg("921", dup265); - -var msg1767 = msg("921:01", dup266); - -var select823 = linear_select([ - msg1766, - msg1767, -]); - -var msg1768 = msg("922", dup265); - -var msg1769 = msg("922:01", dup266); - -var select824 = linear_select([ - msg1768, - msg1769, -]); - -var msg1770 = msg("923", dup271); - -var msg1771 = msg("923:01", dup272); - -var select825 = linear_select([ - msg1770, - msg1771, -]); - -var msg1772 = msg("924", dup265); - -var msg1773 = msg("924:01", dup266); - -var select826 = linear_select([ - msg1772, - msg1773, -]); - -var msg1774 = msg("925", dup265); - -var msg1775 = msg("925:01", dup266); - -var select827 = linear_select([ - msg1774, - msg1775, -]); - -var msg1776 = msg("926", dup271); - -var msg1777 = msg("926:01", dup272); - -var select828 = linear_select([ - msg1776, - msg1777, -]); - -var msg1778 = msg("927", dup265); - -var msg1779 = msg("927:01", dup266); - -var select829 = linear_select([ - msg1778, - msg1779, -]); - -var msg1780 = msg("928", dup265); - -var msg1781 = msg("928:01", dup266); - -var select830 = linear_select([ - msg1780, - msg1781, -]); - -var msg1782 = msg("929", dup265); - -var msg1783 = msg("929:01", dup266); - -var select831 = linear_select([ - msg1782, - msg1783, -]); - -var msg1784 = msg("930", dup265); - -var msg1785 = msg("930:01", dup266); - -var select832 = linear_select([ - msg1784, - msg1785, -]); - -var msg1786 = msg("931", dup265); - -var msg1787 = msg("931:01", dup266); - -var select833 = linear_select([ - msg1786, - msg1787, -]); - -var msg1788 = msg("932", dup265); - -var msg1789 = msg("932:01", dup266); - -var select834 = linear_select([ - msg1788, - msg1789, -]); - -var 
msg1790 = msg("933", dup265); - -var msg1791 = msg("933:01", dup266); - -var select835 = linear_select([ - msg1790, - msg1791, -]); - -var msg1792 = msg("935", dup198); - -var msg1793 = msg("935:01", dup220); - -var select836 = linear_select([ - msg1792, - msg1793, -]); - -var msg1794 = msg("936", dup265); - -var msg1795 = msg("936:01", dup266); - -var select837 = linear_select([ - msg1794, - msg1795, -]); - -var msg1796 = msg("937", dup265); - -var msg1797 = msg("937:01", dup266); - -var select838 = linear_select([ - msg1796, - msg1797, -]); - -var msg1798 = msg("939", dup196); - -var msg1799 = msg("939:01", dup217); - -var select839 = linear_select([ - msg1798, - msg1799, -]); - -var msg1800 = msg("940", dup265); - -var msg1801 = msg("940:01", dup217); - -var select840 = linear_select([ - msg1800, - msg1801, -]); - -var msg1802 = msg("941", dup265); - -var msg1803 = msg("941:01", dup266); - -var select841 = linear_select([ - msg1802, - msg1803, -]); - -var msg1804 = msg("942", dup265); - -var msg1805 = msg("942:01", dup266); - -var select842 = linear_select([ - msg1804, - msg1805, -]); - -var msg1806 = msg("943", dup265); - -var msg1807 = msg("943:01", dup266); - -var select843 = linear_select([ - msg1806, - msg1807, -]); - -var msg1808 = msg("944", dup265); - -var msg1809 = msg("944:01", dup266); - -var select844 = linear_select([ - msg1808, - msg1809, -]); - -var msg1810 = msg("945", dup265); - -var msg1811 = msg("945:01", dup266); - -var select845 = linear_select([ - msg1810, - msg1811, -]); - -var msg1812 = msg("946", dup265); - -var msg1813 = msg("946:01", dup266); - -var select846 = linear_select([ - msg1812, - msg1813, -]); - -var msg1814 = msg("947", dup265); - -var msg1815 = msg("947:01", dup266); - -var select847 = linear_select([ - msg1814, - msg1815, -]); - -var msg1816 = msg("948", dup265); - -var msg1817 = msg("948:01", dup266); - -var select848 = linear_select([ - msg1816, - msg1817, -]); - -var msg1818 = msg("949", dup265); - -var msg1819 = 
msg("949:01", dup266); - -var select849 = linear_select([ - msg1818, - msg1819, -]); - -var msg1820 = msg("950", dup265); - -var msg1821 = msg("950:01", dup266); - -var select850 = linear_select([ - msg1820, - msg1821, -]); - -var msg1822 = msg("951", dup265); - -var msg1823 = msg("951:01", dup266); - -var select851 = linear_select([ - msg1822, - msg1823, -]); - -var msg1824 = msg("952", dup265); - -var msg1825 = msg("952:01", dup266); - -var select852 = linear_select([ - msg1824, - msg1825, -]); - -var msg1826 = msg("953", dup265); - -var msg1827 = msg("953:01", dup217); - -var select853 = linear_select([ - msg1826, - msg1827, -]); - -var msg1828 = msg("954", dup265); - -var msg1829 = msg("954:01", dup266); - -var select854 = linear_select([ - msg1828, - msg1829, -]); - -var msg1830 = msg("955", dup265); - -var msg1831 = msg("955:01", dup266); - -var select855 = linear_select([ - msg1830, - msg1831, -]); - -var msg1832 = msg("956", dup265); - -var msg1833 = msg("956:01", dup266); - -var select856 = linear_select([ - msg1832, - msg1833, -]); - -var msg1834 = msg("957", dup265); - -var msg1835 = msg("957:01", dup266); - -var select857 = linear_select([ - msg1834, - msg1835, -]); - -var msg1836 = msg("958", dup265); - -var msg1837 = msg("958:01", dup266); - -var select858 = linear_select([ - msg1836, - msg1837, -]); - -var msg1838 = msg("959", dup196); - -var msg1839 = msg("959:01", dup217); - -var select859 = linear_select([ - msg1838, - msg1839, -]); - -var msg1840 = msg("960", dup265); - -var msg1841 = msg("960:01", dup266); - -var select860 = linear_select([ - msg1840, - msg1841, -]); - -var msg1842 = msg("961", dup265); - -var msg1843 = msg("961:01", dup266); - -var select861 = linear_select([ - msg1842, - msg1843, -]); - -var msg1844 = msg("962", dup265); - -var msg1845 = msg("962:01", dup217); - -var select862 = linear_select([ - msg1844, - msg1845, -]); - -var msg1846 = msg("963", dup265); - -var msg1847 = msg("963:01", dup266); - -var select863 = 
linear_select([ - msg1846, - msg1847, -]); - -var msg1848 = msg("964", dup265); - -var msg1849 = msg("964:01", dup266); - -var select864 = linear_select([ - msg1848, - msg1849, -]); - -var msg1850 = msg("965", dup265); - -var msg1851 = msg("965:01", dup266); - -var select865 = linear_select([ - msg1850, - msg1851, -]); - -var msg1852 = msg("966", dup265); - -var msg1853 = msg("966:01", dup266); - -var select866 = linear_select([ - msg1852, - msg1853, -]); - -var msg1854 = msg("967", dup265); - -var msg1855 = msg("967:01", dup266); - -var select867 = linear_select([ - msg1854, - msg1855, -]); - -var msg1856 = msg("968", dup265); - -var msg1857 = msg("968:01", dup266); - -var select868 = linear_select([ - msg1856, - msg1857, -]); - -var msg1858 = msg("969", dup265); - -var msg1859 = msg("969:01", dup266); - -var select869 = linear_select([ - msg1858, - msg1859, -]); - -var msg1860 = msg("970", dup265); - -var msg1861 = msg("970:01", dup266); - -var select870 = linear_select([ - msg1860, - msg1861, -]); - -var msg1862 = msg("971", dup265); - -var msg1863 = msg("971:01", dup266); - -var select871 = linear_select([ - msg1862, - msg1863, -]); - -var msg1864 = msg("972", dup265); - -var msg1865 = msg("972:01", dup266); - -var select872 = linear_select([ - msg1864, - msg1865, -]); - -var msg1866 = msg("973", dup265); - -var msg1867 = msg("973:01", dup266); - -var select873 = linear_select([ - msg1866, - msg1867, -]); - -var msg1868 = msg("974", dup265); - -var msg1869 = msg("974:01", dup266); - -var select874 = linear_select([ - msg1868, - msg1869, -]); - -var msg1870 = msg("975", dup265); - -var msg1871 = msg("975:01", dup266); - -var select875 = linear_select([ - msg1870, - msg1871, -]); - -var msg1872 = msg("976", dup265); - -var msg1873 = msg("976:01", dup266); - -var select876 = linear_select([ - msg1872, - msg1873, -]); - -var msg1874 = msg("977", dup265); - -var msg1875 = msg("977:01", dup266); - -var select877 = linear_select([ - msg1874, - msg1875, -]); - -var 
msg1876 = msg("978", dup196); - -var msg1877 = msg("978:01", dup217); - -var select878 = linear_select([ - msg1876, - msg1877, -]); - -var msg1878 = msg("979", dup196); - -var msg1879 = msg("979:01", dup217); - -var select879 = linear_select([ - msg1878, - msg1879, -]); - -var msg1880 = msg("980", dup265); - -var msg1881 = msg("980:01", dup266); - -var select880 = linear_select([ - msg1880, - msg1881, -]); - -var msg1882 = msg("981", dup265); - -var msg1883 = msg("981:01", dup266); - -var select881 = linear_select([ - msg1882, - msg1883, -]); - -var msg1884 = msg("982", dup265); - -var msg1885 = msg("982:01", dup266); - -var select882 = linear_select([ - msg1884, - msg1885, -]); - -var msg1886 = msg("983", dup265); - -var msg1887 = msg("983:01", dup266); - -var select883 = linear_select([ - msg1886, - msg1887, -]); - -var msg1888 = msg("984", dup265); - -var msg1889 = msg("984:01", dup266); - -var select884 = linear_select([ - msg1888, - msg1889, -]); - -var msg1890 = msg("985", dup265); - -var msg1891 = msg("985:01", dup266); - -var select885 = linear_select([ - msg1890, - msg1891, -]); - -var msg1892 = msg("986", dup265); - -var msg1893 = msg("986:01", dup266); - -var select886 = linear_select([ - msg1892, - msg1893, -]); - -var msg1894 = msg("987", dup265); - -var msg1895 = msg("987:01", dup266); - -var select887 = linear_select([ - msg1894, - msg1895, -]); - -var msg1896 = msg("988", dup265); - -var msg1897 = msg("988:01", dup266); - -var select888 = linear_select([ - msg1896, - msg1897, -]); - -var msg1898 = msg("989", dup192); - -var msg1899 = msg("989:01", dup262); - -var select889 = linear_select([ - msg1898, - msg1899, -]); - -var msg1900 = msg("990", dup265); - -var msg1901 = msg("990:01", dup266); - -var select890 = linear_select([ - msg1900, - msg1901, -]); - -var msg1902 = msg("991", dup265); - -var msg1903 = msg("991:01", dup266); - -var select891 = linear_select([ - msg1902, - msg1903, -]); - -var msg1904 = msg("992", dup265); - -var msg1905 = 
msg("992:01", dup266); - -var select892 = linear_select([ - msg1904, - msg1905, -]); - -var msg1906 = msg("993", dup265); - -var msg1907 = msg("993:01", dup266); - -var select893 = linear_select([ - msg1906, - msg1907, -]); - -var msg1908 = msg("994", dup265); - -var msg1909 = msg("994:01", dup266); - -var select894 = linear_select([ - msg1908, - msg1909, -]); - -var msg1910 = msg("995", dup265); - -var msg1911 = msg("995:01", dup266); - -var select895 = linear_select([ - msg1910, - msg1911, -]); - -var msg1912 = msg("996", dup265); - -var msg1913 = msg("996:01", dup266); - -var select896 = linear_select([ - msg1912, - msg1913, -]); - -var msg1914 = msg("997", dup265); - -var msg1915 = msg("997:01", dup266); - -var select897 = linear_select([ - msg1914, - msg1915, -]); - -var msg1916 = msg("998", dup265); - -var msg1917 = msg("998:01", dup266); - -var select898 = linear_select([ - msg1916, - msg1917, -]); - -var msg1918 = msg("999", dup265); - -var msg1919 = msg("999:01", dup266); - -var select899 = linear_select([ - msg1918, - msg1919, -]); - -var msg1920 = msg("1000", dup265); - -var msg1921 = msg("1000:01", dup266); - -var select900 = linear_select([ - msg1920, - msg1921, -]); - -var msg1922 = msg("1001", dup265); - -var msg1923 = msg("1001:01", dup266); - -var select901 = linear_select([ - msg1922, - msg1923, -]); - -var msg1924 = msg("1002", dup265); - -var msg1925 = msg("1002:01", dup266); - -var select902 = linear_select([ - msg1924, - msg1925, -]); - -var msg1926 = msg("1003", dup265); - -var msg1927 = msg("1003:01", dup266); - -var select903 = linear_select([ - msg1926, - msg1927, -]); - -var msg1928 = msg("1004", dup265); - -var msg1929 = msg("1004:01", dup266); - -var select904 = linear_select([ - msg1928, - msg1929, -]); - -var msg1930 = msg("1005", dup265); - -var msg1931 = msg("1005:01", dup266); - -var select905 = linear_select([ - msg1930, - msg1931, -]); - -var msg1932 = msg("1007", dup265); - -var msg1933 = msg("1007:01", dup266); - -var select906 
= linear_select([ - msg1932, - msg1933, -]); - -var msg1934 = msg("1008", dup265); - -var msg1935 = msg("1008:01", dup266); - -var select907 = linear_select([ - msg1934, - msg1935, -]); - -var msg1936 = msg("1009", dup196); - -var msg1937 = msg("1009:01", dup217); - -var select908 = linear_select([ - msg1936, - msg1937, -]); - -var msg1938 = msg("1010", dup265); - -var msg1939 = msg("1010:01", dup266); - -var select909 = linear_select([ - msg1938, - msg1939, -]); - -var msg1940 = msg("1011", dup267); - -var msg1941 = msg("1011:01", dup268); - -var select910 = linear_select([ - msg1940, - msg1941, -]); - -var msg1942 = msg("1012", dup265); - -var msg1943 = msg("1012:01", dup266); - -var select911 = linear_select([ - msg1942, - msg1943, -]); - -var msg1944 = msg("1013", dup265); - -var msg1945 = msg("1013:01", dup266); - -var select912 = linear_select([ - msg1944, - msg1945, -]); - -var msg1946 = msg("1014", dup267); - -var msg1947 = msg("1014:01", dup268); - -var select913 = linear_select([ - msg1946, - msg1947, -]); - -var msg1948 = msg("1015", dup265); - -var msg1949 = msg("1015:01", dup266); - -var select914 = linear_select([ - msg1948, - msg1949, -]); - -var msg1950 = msg("1016", dup265); - -var msg1951 = msg("1016:01", dup266); - -var select915 = linear_select([ - msg1950, - msg1951, -]); - -var msg1952 = msg("1017", dup265); - -var msg1953 = msg("1017:01", dup266); - -var select916 = linear_select([ - msg1952, - msg1953, -]); - -var msg1954 = msg("1018", dup265); - -var msg1955 = msg("1018:01", dup266); - -var select917 = linear_select([ - msg1954, - msg1955, -]); - -var msg1956 = msg("1019", dup265); - -var msg1957 = msg("1019:01", dup266); - -var select918 = linear_select([ - msg1956, - msg1957, -]); - -var msg1958 = msg("1020", dup265); - -var msg1959 = msg("1020:01", dup266); - -var select919 = linear_select([ - msg1958, - msg1959, -]); - -var msg1960 = msg("1021", dup265); - -var msg1961 = msg("1021:01", dup266); - -var select920 = linear_select([ - 
msg1960, - msg1961, -]); - -var msg1962 = msg("1022", dup265); - -var msg1963 = msg("1022:01", dup266); - -var select921 = linear_select([ - msg1962, - msg1963, -]); - -var msg1964 = msg("1023", dup265); - -var msg1965 = msg("1023:01", dup266); - -var select922 = linear_select([ - msg1964, - msg1965, -]); - -var msg1966 = msg("1024", dup265); - -var msg1967 = msg("1024:01", dup266); - -var select923 = linear_select([ - msg1966, - msg1967, -]); - -var msg1968 = msg("1025", dup265); - -var msg1969 = msg("1025:01", dup266); - -var select924 = linear_select([ - msg1968, - msg1969, -]); - -var msg1970 = msg("1026", dup265); - -var msg1971 = msg("1026:01", dup266); - -var select925 = linear_select([ - msg1970, - msg1971, -]); - -var msg1972 = msg("1027", dup265); - -var msg1973 = msg("1027:01", dup266); - -var select926 = linear_select([ - msg1972, - msg1973, -]); - -var msg1974 = msg("1028", dup265); - -var msg1975 = msg("1028:01", dup266); - -var select927 = linear_select([ - msg1974, - msg1975, -]); - -var msg1976 = msg("1029", dup265); - -var msg1977 = msg("1029:01", dup266); - -var select928 = linear_select([ - msg1976, - msg1977, -]); - -var msg1978 = msg("1030", dup265); - -var msg1979 = msg("1030:01", dup266); - -var select929 = linear_select([ - msg1978, - msg1979, -]); - -var msg1980 = msg("1031", dup265); - -var msg1981 = msg("1031:01", dup266); - -var select930 = linear_select([ - msg1980, - msg1981, -]); - -var msg1982 = msg("1032", dup265); - -var msg1983 = msg("1032:01", dup266); - -var select931 = linear_select([ - msg1982, - msg1983, -]); - -var msg1984 = msg("1033", dup265); - -var msg1985 = msg("1033:01", dup266); - -var select932 = linear_select([ - msg1984, - msg1985, -]); - -var msg1986 = msg("1034", dup265); - -var msg1987 = msg("1034:01", dup266); - -var select933 = linear_select([ - msg1986, - msg1987, -]); - -var msg1988 = msg("1035", dup265); - -var msg1989 = msg("1035:01", dup266); - -var select934 = linear_select([ - msg1988, - msg1989, -]); 
- -var msg1990 = msg("1036", dup265); - -var msg1991 = msg("1036:01", dup266); - -var select935 = linear_select([ - msg1990, - msg1991, -]); - -var msg1992 = msg("1037", dup265); - -var msg1993 = msg("1037:01", dup266); - -var select936 = linear_select([ - msg1992, - msg1993, -]); - -var msg1994 = msg("1038", dup265); - -var msg1995 = msg("1038:01", dup266); - -var select937 = linear_select([ - msg1994, - msg1995, -]); - -var msg1996 = msg("1039", dup265); - -var msg1997 = msg("1039:01", dup266); - -var select938 = linear_select([ - msg1996, - msg1997, -]); - -var msg1998 = msg("1040", dup265); - -var msg1999 = msg("1040:01", dup266); - -var select939 = linear_select([ - msg1998, - msg1999, -]); - -var msg2000 = msg("1041", dup265); - -var msg2001 = msg("1041:01", dup266); - -var select940 = linear_select([ - msg2000, - msg2001, -]); - -var msg2002 = msg("1042", dup196); - -var msg2003 = msg("1042:01", dup217); - -var select941 = linear_select([ - msg2002, - msg2003, -]); - -var msg2004 = msg("1043", dup265); - -var msg2005 = msg("1043:01", dup266); - -var select942 = linear_select([ - msg2004, - msg2005, -]); - -var msg2006 = msg("1044", dup265); - -var msg2007 = msg("1044:01", dup266); - -var select943 = linear_select([ - msg2006, - msg2007, -]); - -var msg2008 = msg("1045", dup273); - -var all38 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup90, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var msg2009 = msg("1045:01", all38); - -var select944 = linear_select([ - msg2008, - msg2009, -]); - -var msg2010 = msg("1046", dup265); - -var msg2011 = msg("1046:01", dup266); - -var select945 = linear_select([ - msg2010, - msg2011, -]); - -var msg2012 = msg("1047", dup198); - -var msg2013 = msg("1047:01", dup220); - -var select946 = linear_select([ - msg2012, - msg2013, -]); - -var msg2014 = msg("1048", dup265); - -var msg2015 = msg("1048:01", dup266); - -var select947 = 
linear_select([ - msg2014, - msg2015, -]); - -var msg2016 = msg("1049", dup198); - -var msg2017 = msg("1049:01", dup220); - -var select948 = linear_select([ - msg2016, - msg2017, -]); - -var msg2018 = msg("1050", dup265); - -var msg2019 = msg("1050:01", dup266); - -var select949 = linear_select([ - msg2018, - msg2019, -]); - -var msg2020 = msg("1051", dup265); - -var msg2021 = msg("1051:01", dup266); - -var select950 = linear_select([ - msg2020, - msg2021, -]); - -var msg2022 = msg("1052", dup265); - -var msg2023 = msg("1052:01", dup266); - -var select951 = linear_select([ - msg2022, - msg2023, -]); - -var msg2024 = msg("1053", dup267); - -var msg2025 = msg("1053:01", dup268); - -var select952 = linear_select([ - msg2024, - msg2025, -]); - -var msg2026 = msg("1054", dup265); - -var msg2027 = msg("1054:01", dup266); - -var select953 = linear_select([ - msg2026, - msg2027, -]); - -var msg2028 = msg("1055", dup265); - -var msg2029 = msg("1055:01", dup266); - -var select954 = linear_select([ - msg2028, - msg2029, -]); - -var msg2030 = msg("1056", dup265); - -var msg2031 = msg("1056:01", dup266); - -var select955 = linear_select([ - msg2030, - msg2031, -]); - -var msg2032 = msg("1057", dup265); - -var msg2033 = msg("1057:01", dup266); - -var select956 = linear_select([ - msg2032, - msg2033, -]); - -var msg2034 = msg("1058", dup265); - -var msg2035 = msg("1058:01", dup266); - -var select957 = linear_select([ - msg2034, - msg2035, -]); - -var msg2036 = msg("1059", dup265); - -var msg2037 = msg("1059:01", dup266); - -var select958 = linear_select([ - msg2036, - msg2037, -]); - -var msg2038 = msg("1060", dup265); - -var msg2039 = msg("1060:01", dup266); - -var select959 = linear_select([ - msg2038, - msg2039, -]); - -var msg2040 = msg("1061", dup265); - -var msg2041 = msg("1061:01", dup266); - -var select960 = linear_select([ - msg2040, - msg2041, -]); - -var msg2042 = msg("1062", dup265); - -var msg2043 = msg("1062:01", dup266); - -var select961 = linear_select([ - 
msg2042, - msg2043, -]); - -var msg2044 = msg("1063", dup267); - -var msg2045 = msg("1063:01", dup268); - -var select962 = linear_select([ - msg2044, - msg2045, -]); - -var msg2046 = msg("1064", dup265); - -var msg2047 = msg("1064:01", dup266); - -var select963 = linear_select([ - msg2046, - msg2047, -]); - -var msg2048 = msg("1065", dup265); - -var msg2049 = msg("1065:01", dup266); - -var select964 = linear_select([ - msg2048, - msg2049, -]); - -var msg2050 = msg("1066", dup248); - -var msg2051 = msg("1066:01", dup249); - -var select965 = linear_select([ - msg2050, - msg2051, -]); - -var msg2052 = msg("1067", dup265); - -var msg2053 = msg("1067:01", dup266); - -var select966 = linear_select([ - msg2052, - msg2053, -]); - -var msg2054 = msg("1068", dup274); - -var msg2055 = msg("1068:01", dup275); - -var select967 = linear_select([ - msg2054, - msg2055, -]); - -var msg2056 = msg("1069", dup265); - -var msg2057 = msg("1069:01", dup266); - -var select968 = linear_select([ - msg2056, - msg2057, -]); - -var msg2058 = msg("1070", dup265); - -var msg2059 = msg("1070:01", dup266); - -var select969 = linear_select([ - msg2058, - msg2059, -]); - -var msg2060 = msg("1071", dup265); - -var msg2061 = msg("1071:01", dup266); - -var select970 = linear_select([ - msg2060, - msg2061, -]); - -var msg2062 = msg("1072", dup265); - -var msg2063 = msg("1072:01", dup266); - -var select971 = linear_select([ - msg2062, - msg2063, -]); - -var msg2064 = msg("1073", dup265); - -var msg2065 = msg("1073:01", dup266); - -var select972 = linear_select([ - msg2064, - msg2065, -]); - -var msg2066 = msg("1075", dup265); - -var msg2067 = msg("1075:01", dup266); - -var select973 = linear_select([ - msg2066, - msg2067, -]); - -var msg2068 = msg("1076", dup265); - -var msg2069 = msg("1076:01", dup266); - -var select974 = linear_select([ - msg2068, - msg2069, -]); - -var msg2070 = msg("1077", dup265); - -var msg2071 = msg("1077:01", dup266); - -var select975 = linear_select([ - msg2070, - msg2071, -]); 
- -var msg2072 = msg("1078", dup265); - -var msg2073 = msg("1078:01", dup266); - -var select976 = linear_select([ - msg2072, - msg2073, -]); - -var msg2074 = msg("1079", dup265); - -var msg2075 = msg("1079:01", dup266); - -var select977 = linear_select([ - msg2074, - msg2075, -]); - -var msg2076 = msg("1080", dup267); - -var msg2077 = msg("1080:01", dup268); - -var select978 = linear_select([ - msg2076, - msg2077, -]); - -var msg2078 = msg("1081", dup198); - -var msg2079 = msg("1081:01", dup220); - -var select979 = linear_select([ - msg2078, - msg2079, -]); - -var msg2080 = msg("1082", dup196); - -var msg2081 = msg("1082:01", dup217); - -var select980 = linear_select([ - msg2080, - msg2081, -]); - -var msg2082 = msg("1083", dup198); - -var msg2083 = msg("1083:01", dup220); - -var select981 = linear_select([ - msg2082, - msg2083, -]); - -var msg2084 = msg("1084", dup198); - -var msg2085 = msg("1084:01", dup220); - -var select982 = linear_select([ - msg2084, - msg2085, -]); - -var msg2086 = msg("1085", dup197); - -var msg2087 = msg("1085:01", dup221); - -var select983 = linear_select([ - msg2086, - msg2087, -]); - -var msg2088 = msg("1086", dup197); - -var msg2089 = msg("1086:01", dup221); - -var select984 = linear_select([ - msg2088, - msg2089, -]); - -var msg2090 = msg("1087", dup196); - -var msg2091 = msg("1087:01", dup217); - -var select985 = linear_select([ - msg2090, - msg2091, -]); - -var msg2092 = msg("1088", dup265); - -var msg2093 = msg("1088:01", dup266); - -var select986 = linear_select([ - msg2092, - msg2093, -]); - -var msg2094 = msg("1089", dup265); - -var msg2095 = msg("1089:01", dup266); - -var select987 = linear_select([ - msg2094, - msg2095, -]); - -var msg2096 = msg("1090", dup265); - -var msg2097 = msg("1090:01", dup266); - -var select988 = linear_select([ - msg2096, - msg2097, -]); - -var msg2098 = msg("1091", dup198); - -var msg2099 = msg("1091:01", dup220); - -var select989 = linear_select([ - msg2098, - msg2099, -]); - -var msg2100 = 
msg("1092", dup265); - -var msg2101 = msg("1092:01", dup266); - -var select990 = linear_select([ - msg2100, - msg2101, -]); - -var msg2102 = msg("1093", dup265); - -var msg2103 = msg("1093:01", dup266); - -var select991 = linear_select([ - msg2102, - msg2103, -]); - -var msg2104 = msg("1094", dup265); - -var msg2105 = msg("1094:01", dup266); - -var select992 = linear_select([ - msg2104, - msg2105, -]); - -var msg2106 = msg("1095", dup265); - -var msg2107 = msg("1095:01", dup266); - -var select993 = linear_select([ - msg2106, - msg2107, -]); - -var msg2108 = msg("1096", dup265); - -var msg2109 = msg("1096:01", dup266); - -var select994 = linear_select([ - msg2108, - msg2109, -]); - -var msg2110 = msg("1097", dup267); - -var msg2111 = msg("1097:01", dup268); - -var select995 = linear_select([ - msg2110, - msg2111, -]); - -var msg2112 = msg("1098", dup265); - -var msg2113 = msg("1098:01", dup266); - -var select996 = linear_select([ - msg2112, - msg2113, -]); - -var msg2114 = msg("1099", dup194); - -var msg2115 = msg("1099:01", dup229); - -var select997 = linear_select([ - msg2114, - msg2115, -]); - -var msg2116 = msg("1100", dup196); - -var msg2117 = msg("1100:01", dup217); - -var select998 = linear_select([ - msg2116, - msg2117, -]); - -var msg2118 = msg("1101", dup196); - -var msg2119 = msg("1101:01", dup217); - -var select999 = linear_select([ - msg2118, - msg2119, -]); - -var msg2120 = msg("1102", dup196); - -var msg2121 = msg("1102:01", dup217); - -var select1000 = linear_select([ - msg2120, - msg2121, -]); - -var msg2122 = msg("1103", dup196); - -var msg2123 = msg("1103:01", dup217); - -var select1001 = linear_select([ - msg2122, - msg2123, -]); - -var msg2124 = msg("1104", dup196); - -var msg2125 = msg("1104:01", dup217); - -var select1002 = linear_select([ - msg2124, - msg2125, -]); - -var msg2126 = msg("1105", dup265); - -var msg2127 = msg("1105:01", dup266); - -var select1003 = linear_select([ - msg2126, - msg2127, -]); - -var msg2128 = msg("1106", dup265); 
- -var msg2129 = msg("1106:01", dup266); - -var select1004 = linear_select([ - msg2128, - msg2129, -]); - -var msg2130 = msg("1107", dup265); - -var msg2131 = msg("1107:01", dup266); - -var select1005 = linear_select([ - msg2130, - msg2131, -]); - -var msg2132 = msg("1108", dup265); - -var msg2133 = msg("1108:01", dup266); - -var select1006 = linear_select([ - msg2132, - msg2133, -]); - -var msg2134 = msg("1109", dup265); - -var msg2135 = msg("1109:01", dup266); - -var select1007 = linear_select([ - msg2134, - msg2135, -]); - -var msg2136 = msg("1110", dup265); - -var msg2137 = msg("1110:01", dup266); - -var select1008 = linear_select([ - msg2136, - msg2137, -]); - -var msg2138 = msg("1111", dup267); - -var msg2139 = msg("1111:01", dup268); - -var select1009 = linear_select([ - msg2138, - msg2139, -]); - -var msg2140 = msg("1112", dup265); - -var msg2141 = msg("1112:01", dup266); - -var select1010 = linear_select([ - msg2140, - msg2141, -]); - -var msg2142 = msg("1113", dup265); - -var msg2143 = msg("1113:01", dup266); - -var select1011 = linear_select([ - msg2142, - msg2143, -]); - -var msg2144 = msg("1114", dup196); - -var msg2145 = msg("1114:01", dup217); - -var select1012 = linear_select([ - msg2144, - msg2145, -]); - -var msg2146 = msg("1115", dup198); - -var msg2147 = msg("1115:01", dup220); - -var select1013 = linear_select([ - msg2146, - msg2147, -]); - -var msg2148 = msg("1116", dup265); - -var msg2149 = msg("1116:01", dup266); - -var select1014 = linear_select([ - msg2148, - msg2149, -]); - -var msg2150 = msg("1117", dup265); - -var msg2151 = msg("1117:01", dup266); - -var select1015 = linear_select([ - msg2150, - msg2151, -]); - -var msg2152 = msg("1118", dup196); - -var msg2153 = msg("1118:01", dup217); - -var select1016 = linear_select([ - msg2152, - msg2153, -]); - -var msg2154 = msg("1119", dup265); - -var msg2155 = msg("1119:01", dup266); - -var select1017 = linear_select([ - msg2154, - msg2155, -]); - -var msg2156 = msg("1120", dup265); - -var 
msg2157 = msg("1120:01", dup266); - -var select1018 = linear_select([ - msg2156, - msg2157, -]); - -var msg2158 = msg("1121", dup265); - -var msg2159 = msg("1121:01", dup266); - -var select1019 = linear_select([ - msg2158, - msg2159, -]); - -var msg2160 = msg("1122", dup196); - -var msg2161 = msg("1122:01", dup217); - -var select1020 = linear_select([ - msg2160, - msg2161, -]); - -var msg2162 = msg("1123", dup265); - -var msg2163 = msg("1123:01", dup266); - -var select1021 = linear_select([ - msg2162, - msg2163, -]); - -var msg2164 = msg("1124", dup265); - -var msg2165 = msg("1124:01", dup266); - -var select1022 = linear_select([ - msg2164, - msg2165, -]); - -var msg2166 = msg("1125", dup265); - -var msg2167 = msg("1125:01", dup266); - -var select1023 = linear_select([ - msg2166, - msg2167, -]); - -var msg2168 = msg("1126", dup265); - -var msg2169 = msg("1126:01", dup266); - -var select1024 = linear_select([ - msg2168, - msg2169, -]); - -var msg2170 = msg("1127", dup265); - -var msg2171 = msg("1127:01", dup266); - -var select1025 = linear_select([ - msg2170, - msg2171, -]); - -var msg2172 = msg("1128", dup265); - -var msg2173 = msg("1128:01", dup266); - -var select1026 = linear_select([ - msg2172, - msg2173, -]); - -var msg2174 = msg("1129", dup265); - -var msg2175 = msg("1129:01", dup266); - -var select1027 = linear_select([ - msg2174, - msg2175, -]); - -var msg2176 = msg("1130", dup265); - -var msg2177 = msg("1130:01", dup266); - -var select1028 = linear_select([ - msg2176, - msg2177, -]); - -var msg2178 = msg("1131", dup265); - -var msg2179 = msg("1131:01", dup266); - -var select1029 = linear_select([ - msg2178, - msg2179, -]); - -var msg2180 = msg("1132", dup197); - -var msg2181 = msg("1132:01", dup221); - -var select1030 = linear_select([ - msg2180, - msg2181, -]); - -var msg2182 = msg("1133", dup194); - -var msg2183 = msg("1133:01", dup229); - -var select1031 = linear_select([ - msg2182, - msg2183, -]); - -var msg2184 = msg("1134", dup265); - -var msg2185 = 
msg("1134:01", dup266); - -var select1032 = linear_select([ - msg2184, - msg2185, -]); - -var msg2186 = msg("1136", dup196); - -var msg2187 = msg("1136:01", dup217); - -var select1033 = linear_select([ - msg2186, - msg2187, -]); - -var msg2188 = msg("1137", dup265); - -var msg2189 = msg("1137:01", dup266); - -var select1034 = linear_select([ - msg2188, - msg2189, -]); - -var msg2190 = msg("1138", dup198); - -var msg2191 = msg("1138:01", dup220); - -var select1035 = linear_select([ - msg2190, - msg2191, -]); - -var msg2192 = msg("1139", dup196); - -var msg2193 = msg("1139:01", dup217); - -var select1036 = linear_select([ - msg2192, - msg2193, -]); - -var msg2194 = msg("1140", dup265); - -var msg2195 = msg("1140:01", dup266); - -var select1037 = linear_select([ - msg2194, - msg2195, -]); - -var msg2196 = msg("1141", dup265); - -var msg2197 = msg("1141:01", dup266); - -var select1038 = linear_select([ - msg2196, - msg2197, -]); - -var msg2198 = msg("1142", dup265); - -var msg2199 = msg("1142:01", dup266); - -var select1039 = linear_select([ - msg2198, - msg2199, -]); - -var msg2200 = msg("1143", dup265); - -var msg2201 = msg("1143:01", dup266); - -var select1040 = linear_select([ - msg2200, - msg2201, -]); - -var msg2202 = msg("1144", dup265); - -var msg2203 = msg("1144:01", dup266); - -var select1041 = linear_select([ - msg2202, - msg2203, -]); - -var msg2204 = msg("1145", dup265); - -var msg2205 = msg("1145:01", dup266); - -var select1042 = linear_select([ - msg2204, - msg2205, -]); - -var msg2206 = msg("1146", dup265); - -var msg2207 = msg("1146:01", dup266); - -var select1043 = linear_select([ - msg2206, - msg2207, -]); - -var msg2208 = msg("1147", dup265); - -var msg2209 = msg("1147:01", dup266); - -var select1044 = linear_select([ - msg2208, - msg2209, -]); - -var msg2210 = msg("1148", dup265); - -var msg2211 = msg("1148:01", dup266); - -var select1045 = linear_select([ - msg2210, - msg2211, -]); - -var msg2212 = msg("1149", dup265); - -var msg2213 = 
msg("1149:01", dup266); - -var select1046 = linear_select([ - msg2212, - msg2213, -]); - -var msg2214 = msg("1150", dup265); - -var msg2215 = msg("1150:01", dup266); - -var select1047 = linear_select([ - msg2214, - msg2215, -]); - -var msg2216 = msg("1151", dup265); - -var msg2217 = msg("1151:01", dup266); - -var select1048 = linear_select([ - msg2216, - msg2217, -]); - -var msg2218 = msg("1152", dup265); - -var msg2219 = msg("1152:01", dup266); - -var select1049 = linear_select([ - msg2218, - msg2219, -]); - -var msg2220 = msg("1153", dup265); - -var msg2221 = msg("1153:01", dup266); - -var select1050 = linear_select([ - msg2220, - msg2221, -]); - -var msg2222 = msg("1154", dup265); - -var msg2223 = msg("1154:01", dup266); - -var select1051 = linear_select([ - msg2222, - msg2223, -]); - -var msg2224 = msg("1155", dup265); - -var msg2225 = msg("1155:01", dup266); - -var select1052 = linear_select([ - msg2224, - msg2225, -]); - -var msg2226 = msg("1156", dup265); - -var msg2227 = msg("1156:01", dup266); - -var select1053 = linear_select([ - msg2226, - msg2227, -]); - -var msg2228 = msg("1157", dup265); - -var msg2229 = msg("1157:01", dup266); - -var select1054 = linear_select([ - msg2228, - msg2229, -]); - -var msg2230 = msg("1158", dup265); - -var msg2231 = msg("1158:01", dup266); - -var select1055 = linear_select([ - msg2230, - msg2231, -]); - -var msg2232 = msg("1159", dup265); - -var msg2233 = msg("1159:01", dup266); - -var select1056 = linear_select([ - msg2232, - msg2233, -]); - -var msg2234 = msg("1160", dup196); - -var msg2235 = msg("1160:01", dup217); - -var select1057 = linear_select([ - msg2234, - msg2235, -]); - -var msg2236 = msg("1161", dup265); - -var msg2237 = msg("1161:01", dup266); - -var select1058 = linear_select([ - msg2236, - msg2237, -]); - -var msg2238 = msg("1162", dup265); - -var msg2239 = msg("1162:01", dup266); - -var select1059 = linear_select([ - msg2238, - msg2239, -]); - -var msg2240 = msg("1163", dup265); - -var msg2241 = 
msg("1163:01", dup266); - -var select1060 = linear_select([ - msg2240, - msg2241, -]); - -var msg2242 = msg("1164", dup265); - -var msg2243 = msg("1164:01", dup266); - -var select1061 = linear_select([ - msg2242, - msg2243, -]); - -var msg2244 = msg("1165", dup265); - -var msg2245 = msg("1165:01", dup266); - -var select1062 = linear_select([ - msg2244, - msg2245, -]); - -var msg2246 = msg("1166", dup265); - -var msg2247 = msg("1166:01", dup266); - -var select1063 = linear_select([ - msg2246, - msg2247, -]); - -var msg2248 = msg("1167", dup265); - -var msg2249 = msg("1167:01", dup266); - -var select1064 = linear_select([ - msg2248, - msg2249, -]); - -var msg2250 = msg("1168", dup265); - -var msg2251 = msg("1168:01", dup266); - -var select1065 = linear_select([ - msg2250, - msg2251, -]); - -var msg2252 = msg("1171", dup196); - -var msg2253 = msg("1171:01", dup217); - -var select1066 = linear_select([ - msg2252, - msg2253, -]); - -var msg2254 = msg("1172", dup265); - -var msg2255 = msg("1172:01", dup266); - -var select1067 = linear_select([ - msg2254, - msg2255, -]); - -var msg2256 = msg("1173", dup265); - -var msg2257 = msg("1173:01", dup266); - -var select1068 = linear_select([ - msg2256, - msg2257, -]); - -var msg2258 = msg("1174", dup265); - -var msg2259 = msg("1174:01", dup266); - -var select1069 = linear_select([ - msg2258, - msg2259, -]); - -var msg2260 = msg("1175", dup265); - -var msg2261 = msg("1175:01", dup266); - -var select1070 = linear_select([ - msg2260, - msg2261, -]); - -var msg2262 = msg("1176", dup265); - -var msg2263 = msg("1176:01", dup266); - -var select1071 = linear_select([ - msg2262, - msg2263, -]); - -var msg2264 = msg("1177", dup196); - -var msg2265 = msg("1177:01", dup217); - -var select1072 = linear_select([ - msg2264, - msg2265, -]); - -var msg2266 = msg("1178", dup265); - -var msg2267 = msg("1178:01", dup266); - -var select1073 = linear_select([ - msg2266, - msg2267, -]); - -var msg2268 = msg("1179", dup265); - -var msg2269 = 
msg("1179:01", dup266); - -var select1074 = linear_select([ - msg2268, - msg2269, -]); - -var msg2270 = msg("1180", dup265); - -var msg2271 = msg("1180:01", dup266); - -var select1075 = linear_select([ - msg2270, - msg2271, -]); - -var msg2272 = msg("1181", dup198); - -var msg2273 = msg("1181:01", dup220); - -var select1076 = linear_select([ - msg2272, - msg2273, -]); - -var msg2274 = msg("1182", dup265); - -var msg2275 = msg("1182:01", dup266); - -var select1077 = linear_select([ - msg2274, - msg2275, -]); - -var msg2276 = msg("1183", dup196); - -var msg2277 = msg("1183:01", dup217); - -var select1078 = linear_select([ - msg2276, - msg2277, -]); - -var msg2278 = msg("1184", dup196); - -var msg2279 = msg("1184:01", dup217); - -var select1079 = linear_select([ - msg2278, - msg2279, -]); - -var msg2280 = msg("1185", dup265); - -var msg2281 = msg("1185:01", dup266); - -var select1080 = linear_select([ - msg2280, - msg2281, -]); - -var msg2282 = msg("1186", dup196); - -var msg2283 = msg("1186:01", dup217); - -var select1081 = linear_select([ - msg2282, - msg2283, -]); - -var msg2284 = msg("1187", dup265); - -var msg2285 = msg("1187:01", dup266); - -var select1082 = linear_select([ - msg2284, - msg2285, -]); - -var msg2286 = msg("1188", dup196); - -var msg2287 = msg("1188:01", dup217); - -var select1083 = linear_select([ - msg2286, - msg2287, -]); - -var msg2288 = msg("1189", dup196); - -var msg2289 = msg("1189:01", dup217); - -var select1084 = linear_select([ - msg2288, - msg2289, -]); - -var msg2290 = msg("1190", dup196); - -var msg2291 = msg("1190:01", dup217); - -var select1085 = linear_select([ - msg2290, - msg2291, -]); - -var msg2292 = msg("1191", dup196); - -var msg2293 = msg("1191:01", dup217); - -var select1086 = linear_select([ - msg2292, - msg2293, -]); - -var msg2294 = msg("1192", dup194); - -var msg2295 = msg("1192:01", dup229); - -var select1087 = linear_select([ - msg2294, - msg2295, -]); - -var msg2296 = msg("1193", dup269); - -var msg2297 = 
msg("1193:01", dup270); - -var select1088 = linear_select([ - msg2296, - msg2297, -]); - -var msg2298 = msg("1194", dup265); - -var msg2299 = msg("1194:01", dup266); - -var select1089 = linear_select([ - msg2298, - msg2299, -]); - -var msg2300 = msg("1195", dup265); - -var msg2301 = msg("1195:01", dup266); - -var select1090 = linear_select([ - msg2300, - msg2301, -]); - -var msg2302 = msg("1196", dup265); - -var msg2303 = msg("1196:01", dup266); - -var select1091 = linear_select([ - msg2302, - msg2303, -]); - -var msg2304 = msg("1197", dup265); - -var msg2305 = msg("1197:01", dup266); - -var select1092 = linear_select([ - msg2304, - msg2305, -]); - -var msg2306 = msg("1198", dup196); - -var msg2307 = msg("1198:01", dup217); - -var select1093 = linear_select([ - msg2306, - msg2307, -]); - -var msg2308 = msg("1199", dup265); - -var msg2309 = msg("1199:01", dup266); - -var select1094 = linear_select([ - msg2308, - msg2309, -]); - -var msg2310 = msg("1200", dup196); - -var msg2311 = msg("1200:01", dup217); - -var select1095 = linear_select([ - msg2310, - msg2311, -]); - -var msg2312 = msg("1201", dup196); - -var msg2313 = msg("1201:01", dup217); - -var select1096 = linear_select([ - msg2312, - msg2313, -]); - -var msg2314 = msg("1202", dup265); - -var msg2315 = msg("1202:01", dup266); - -var select1097 = linear_select([ - msg2314, - msg2315, -]); - -var msg2316 = msg("1204", dup265); - -var msg2317 = msg("1204:01", dup266); - -var select1098 = linear_select([ - msg2316, - msg2317, -]); - -var msg2318 = msg("1205", dup265); - -var msg2319 = msg("1205:01", dup266); - -var select1099 = linear_select([ - msg2318, - msg2319, -]); - -var msg2320 = msg("1206", dup265); - -var msg2321 = msg("1206:01", dup266); - -var select1100 = linear_select([ - msg2320, - msg2321, -]); - -var msg2322 = msg("1207", dup265); - -var msg2323 = msg("1207:01", dup266); - -var select1101 = linear_select([ - msg2322, - msg2323, -]); - -var msg2324 = msg("1208", dup265); - -var msg2325 = 
msg("1208:01", dup266); - -var select1102 = linear_select([ - msg2324, - msg2325, -]); - -var msg2326 = msg("1209", dup265); - -var msg2327 = msg("1209:01", dup266); - -var select1103 = linear_select([ - msg2326, - msg2327, -]); - -var msg2328 = msg("1211", dup265); - -var msg2329 = msg("1211:01", dup266); - -var select1104 = linear_select([ - msg2328, - msg2329, -]); - -var msg2330 = msg("1212", dup265); - -var msg2331 = msg("1212:01", dup266); - -var select1105 = linear_select([ - msg2330, - msg2331, -]); - -var msg2332 = msg("1213", dup265); - -var msg2333 = msg("1213:01", dup266); - -var select1106 = linear_select([ - msg2332, - msg2333, -]); - -var msg2334 = msg("1214", dup265); - -var msg2335 = msg("1214:01", dup266); - -var select1107 = linear_select([ - msg2334, - msg2335, -]); - -var msg2336 = msg("1215", dup265); - -var msg2337 = msg("1215:01", dup266); - -var select1108 = linear_select([ - msg2336, - msg2337, -]); - -var msg2338 = msg("1216", dup265); - -var msg2339 = msg("1216:01", dup266); - -var select1109 = linear_select([ - msg2338, - msg2339, -]); - -var msg2340 = msg("1217", dup265); - -var msg2341 = msg("1217:01", dup266); - -var select1110 = linear_select([ - msg2340, - msg2341, -]); - -var msg2342 = msg("1218", dup265); - -var msg2343 = msg("1218:01", dup266); - -var select1111 = linear_select([ - msg2342, - msg2343, -]); - -var msg2344 = msg("1219", dup265); - -var msg2345 = msg("1219:01", dup266); - -var select1112 = linear_select([ - msg2344, - msg2345, -]); - -var msg2346 = msg("1220", dup265); - -var msg2347 = msg("1220:01", dup266); - -var select1113 = linear_select([ - msg2346, - msg2347, -]); - -var msg2348 = msg("1221", dup265); - -var msg2349 = msg("1221:01", dup266); - -var select1114 = linear_select([ - msg2348, - msg2349, -]); - -var msg2350 = msg("1222", dup265); - -var msg2351 = msg("1222:01", dup266); - -var select1115 = linear_select([ - msg2350, - msg2351, -]); - -var msg2352 = msg("1224", dup265); - -var msg2353 = 
msg("1224:01", dup266); - -var select1116 = linear_select([ - msg2352, - msg2353, -]); - -var msg2354 = msg("1225", dup196); - -var msg2355 = msg("1225:01", dup217); - -var select1117 = linear_select([ - msg2354, - msg2355, -]); - -var msg2356 = msg("1226", dup196); - -var msg2357 = msg("1226:01", dup217); - -var select1118 = linear_select([ - msg2356, - msg2357, -]); - -var msg2358 = msg("1227", dup196); - -var msg2359 = msg("1227:01", dup217); - -var select1119 = linear_select([ - msg2358, - msg2359, -]); - -var msg2360 = msg("1228", dup194); - -var msg2361 = msg("1228:01", dup229); - -var select1120 = linear_select([ - msg2360, - msg2361, -]); - -var msg2362 = msg("1229", dup227); - -var msg2363 = msg("1229:01", dup228); - -var select1121 = linear_select([ - msg2362, - msg2363, -]); - -var msg2364 = msg("1230", dup263); - -var msg2365 = msg("1230:01", dup264); - -var select1122 = linear_select([ - msg2364, - msg2365, -]); - -var msg2366 = msg("1231", dup263); - -var msg2367 = msg("1231:01", dup264); - -var select1123 = linear_select([ - msg2366, - msg2367, -]); - -var msg2368 = msg("1232", dup263); - -var msg2369 = msg("1232:01", dup264); - -var select1124 = linear_select([ - msg2368, - msg2369, -]); - -var msg2370 = msg("1233", dup265); - -var msg2371 = msg("1233:01", dup266); - -var select1125 = linear_select([ - msg2370, - msg2371, -]); - -var msg2372 = msg("1234", dup263); - -var msg2373 = msg("1234:01", dup264); - -var select1126 = linear_select([ - msg2372, - msg2373, -]); - -var msg2374 = msg("1235", dup263); - -var msg2375 = msg("1235:01", dup264); - -var select1127 = linear_select([ - msg2374, - msg2375, -]); - -var msg2376 = msg("1236", dup196); - -var msg2377 = msg("1236:01", dup217); - -var select1128 = linear_select([ - msg2376, - msg2377, -]); - -var msg2378 = msg("1237", dup196); - -var msg2379 = msg("1237:01", dup217); - -var select1129 = linear_select([ - msg2378, - msg2379, -]); - -var msg2380 = msg("1238", dup196); - -var msg2381 = 
msg("1238:01", dup217); - -var select1130 = linear_select([ - msg2380, - msg2381, -]); - -var msg2382 = msg("1239", dup276); - -var msg2383 = msg("1239:01", dup277); - -var select1131 = linear_select([ - msg2382, - msg2383, -]); - -var msg2384 = msg("1240", dup197); - -var msg2385 = msg("1240:01", dup221); - -var select1132 = linear_select([ - msg2384, - msg2385, -]); - -var msg2386 = msg("1241", dup265); - -var msg2387 = msg("1241:01", dup266); - -var select1133 = linear_select([ - msg2386, - msg2387, -]); - -var msg2388 = msg("1242", dup265); - -var msg2389 = msg("1242:01", dup266); - -var select1134 = linear_select([ - msg2388, - msg2389, -]); - -var msg2390 = msg("1243", dup265); - -var msg2391 = msg("1243:01", dup266); - -var select1135 = linear_select([ - msg2390, - msg2391, -]); - -var msg2392 = msg("1244", dup265); - -var msg2393 = msg("1244:01", dup266); - -var select1136 = linear_select([ - msg2392, - msg2393, -]); - -var msg2394 = msg("1245", dup265); - -var msg2395 = msg("1245:01", dup266); - -var select1137 = linear_select([ - msg2394, - msg2395, -]); - -var msg2396 = msg("1246", dup267); - -var msg2397 = msg("1246:01", dup268); - -var select1138 = linear_select([ - msg2396, - msg2397, -]); - -var msg2398 = msg("1247", dup267); - -var msg2399 = msg("1247:01", dup268); - -var select1139 = linear_select([ - msg2398, - msg2399, -]); - -var msg2400 = msg("1248", dup265); - -var msg2401 = msg("1248:01", dup266); - -var select1140 = linear_select([ - msg2400, - msg2401, -]); - -var msg2402 = msg("1249", dup265); - -var msg2403 = msg("1249:01", dup266); - -var select1141 = linear_select([ - msg2402, - msg2403, -]); - -var msg2404 = msg("1250", dup265); - -var msg2405 = msg("1250:01", dup266); - -var select1142 = linear_select([ - msg2404, - msg2405, -]); - -var msg2406 = msg("1251", dup196); - -var msg2407 = msg("1251:01", dup217); - -var select1143 = linear_select([ - msg2406, - msg2407, -]); - -var msg2408 = msg("1252", dup278); - -var msg2409 = 
msg("1252:01", dup279); - -var select1144 = linear_select([ - msg2408, - msg2409, -]); - -var msg2410 = msg("1253", dup278); - -var msg2411 = msg("1253:01", dup279); - -var select1145 = linear_select([ - msg2410, - msg2411, -]); - -var msg2412 = msg("1254", dup265); - -var msg2413 = msg("1254:01", dup266); - -var select1146 = linear_select([ - msg2412, - msg2413, -]); - -var msg2414 = msg("1255", dup265); - -var msg2415 = msg("1255:01", dup266); - -var select1147 = linear_select([ - msg2414, - msg2415, -]); - -var msg2416 = msg("1256", dup265); - -var msg2417 = msg("1256:01", dup266); - -var select1148 = linear_select([ - msg2416, - msg2417, -]); - -var msg2418 = msg("1257", dup198); - -var msg2419 = msg("1257:01", dup220); - -var select1149 = linear_select([ - msg2418, - msg2419, -]); - -var msg2420 = msg("1258", dup198); - -var msg2421 = msg("1258:01", dup220); - -var select1150 = linear_select([ - msg2420, - msg2421, -]); - -var msg2422 = msg("1259", dup265); - -var msg2423 = msg("1259:01", dup266); - -var select1151 = linear_select([ - msg2422, - msg2423, -]); - -var msg2424 = msg("1260", dup196); - -var msg2425 = msg("1260:01", dup217); - -var select1152 = linear_select([ - msg2424, - msg2425, -]); - -var msg2426 = msg("1261", dup197); - -var msg2427 = msg("1261:01", dup221); - -var select1153 = linear_select([ - msg2426, - msg2427, -]); - -var msg2428 = msg("1262", dup258); - -var msg2429 = msg("1262:01", dup259); - -var select1154 = linear_select([ - msg2428, - msg2429, -]); - -var msg2430 = msg("1263", dup258); - -var msg2431 = msg("1263:01", dup259); - -var select1155 = linear_select([ - msg2430, - msg2431, -]); - -var msg2432 = msg("1264", dup258); - -var msg2433 = msg("1264:01", dup259); - -var select1156 = linear_select([ - msg2432, - msg2433, -]); - -var msg2434 = msg("1265", dup258); - -var msg2435 = msg("1265:01", dup259); - -var select1157 = linear_select([ - msg2434, - msg2435, -]); - -var msg2436 = msg("1266", dup258); - -var msg2437 = 
msg("1266:01", dup259); - -var select1158 = linear_select([ - msg2436, - msg2437, -]); - -var msg2438 = msg("1267", dup258); - -var msg2439 = msg("1267:01", dup259); - -var select1159 = linear_select([ - msg2438, - msg2439, -]); - -var msg2440 = msg("1268", dup280); - -var all39 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup98, - dup31, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var msg2441 = msg("1268:01", all39); - -var select1160 = linear_select([ - msg2440, - msg2441, -]); - -var msg2442 = msg("1269", dup258); - -var msg2443 = msg("1269:01", dup259); - -var select1161 = linear_select([ - msg2442, - msg2443, -]); - -var msg2444 = msg("1270", dup258); - -var msg2445 = msg("1270:01", dup259); - -var select1162 = linear_select([ - msg2444, - msg2445, -]); - -var msg2446 = msg("1271", dup258); - -var msg2447 = msg("1271:01", dup259); - -var select1163 = linear_select([ - msg2446, - msg2447, -]); - -var msg2448 = msg("1272", dup258); - -var msg2449 = msg("1272:01", dup259); - -var select1164 = linear_select([ - msg2448, - msg2449, -]); - -var msg2450 = msg("1273", dup258); - -var msg2451 = msg("1273:01", dup259); - -var select1165 = linear_select([ - msg2450, - msg2451, -]); - -var msg2452 = msg("1274", dup258); - -var msg2453 = msg("1274:01", dup259); - -var select1166 = linear_select([ - msg2452, - msg2453, -]); - -var msg2454 = msg("1275", dup258); - -var msg2455 = msg("1275:01", dup259); - -var select1167 = linear_select([ - msg2454, - msg2455, -]); - -var msg2456 = msg("1276", dup258); - -var msg2457 = msg("1276:01", dup259); - -var select1168 = linear_select([ - msg2456, - msg2457, -]); - -var msg2458 = msg("1277", dup255); - -var msg2459 = msg("1277:01", dup256); - -var select1169 = linear_select([ - msg2458, - msg2459, -]); - -var msg2460 = msg("1278", dup255); - -var msg2461 = msg("1278:01", dup256); - -var select1170 = linear_select([ 
- msg2460, - msg2461, -]); - -var msg2462 = msg("1279", dup255); - -var msg2463 = msg("1279:01", dup256); - -var select1171 = linear_select([ - msg2462, - msg2463, -]); - -var msg2464 = msg("1280", dup255); - -var msg2465 = msg("1280:01", dup256); - -var select1172 = linear_select([ - msg2464, - msg2465, -]); - -var msg2466 = msg("1281", dup255); - -var msg2467 = msg("1281:01", dup256); - -var select1173 = linear_select([ - msg2466, - msg2467, -]); - -var msg2468 = msg("1282", dup255); - -var msg2469 = msg("1282:01", dup256); - -var select1174 = linear_select([ - msg2468, - msg2469, -]); - -var msg2470 = msg("1283", dup198); - -var msg2471 = msg("1283:01", dup220); - -var select1175 = linear_select([ - msg2470, - msg2471, -]); - -var msg2472 = msg("1284", dup265); - -var msg2473 = msg("1284:01", dup266); - -var select1176 = linear_select([ - msg2472, - msg2473, -]); - -var msg2474 = msg("1285", dup265); - -var msg2475 = msg("1285:01", dup266); - -var select1177 = linear_select([ - msg2474, - msg2475, -]); - -var msg2476 = msg("1286", dup265); - -var msg2477 = msg("1286:01", dup266); - -var select1178 = linear_select([ - msg2476, - msg2477, -]); - -var msg2478 = msg("1287", dup265); - -var msg2479 = msg("1287:01", dup266); - -var select1179 = linear_select([ - msg2478, - msg2479, -]); - -var msg2480 = msg("1288", dup265); - -var msg2481 = msg("1288:01", dup266); - -var select1180 = linear_select([ - msg2480, - msg2481, -]); - -var msg2482 = msg("1289", dup196); - -var msg2483 = msg("1289:01", dup217); - -var select1181 = linear_select([ - msg2482, - msg2483, -]); - -var msg2484 = msg("1290", dup265); - -var msg2485 = msg("1290:01", dup266); - -var select1182 = linear_select([ - msg2484, - msg2485, -]); - -var msg2486 = msg("1291", dup265); - -var msg2487 = msg("1291:01", dup266); - -var select1183 = linear_select([ - msg2486, - msg2487, -]); - -var msg2488 = msg("1292", dup196); - -var msg2489 = msg("1292:01", dup217); - -var select1184 = linear_select([ - msg2488, 
- msg2489, -]); - -var msg2490 = msg("1293", dup196); - -var msg2491 = msg("1293:01", dup217); - -var select1185 = linear_select([ - msg2490, - msg2491, -]); - -var msg2492 = msg("1294", dup196); - -var msg2493 = msg("1294:01", dup217); - -var select1186 = linear_select([ - msg2492, - msg2493, -]); - -var msg2494 = msg("1295", dup196); - -var msg2495 = msg("1295:01", dup217); - -var select1187 = linear_select([ - msg2494, - msg2495, -]); - -var msg2496 = msg("1296", dup255); - -var msg2497 = msg("1296:01", dup256); - -var select1188 = linear_select([ - msg2496, - msg2497, -]); - -var msg2498 = msg("1297", dup255); - -var msg2499 = msg("1297:01", dup256); - -var select1189 = linear_select([ - msg2498, - msg2499, -]); - -var msg2500 = msg("1298", dup255); - -var msg2501 = msg("1298:01", dup256); - -var select1190 = linear_select([ - msg2500, - msg2501, -]); - -var msg2502 = msg("1299", dup255); - -var msg2503 = msg("1299:01", dup256); - -var select1191 = linear_select([ - msg2502, - msg2503, -]); - -var msg2504 = msg("1300", dup265); - -var msg2505 = msg("1300:01", dup266); - -var select1192 = linear_select([ - msg2504, - msg2505, -]); - -var msg2506 = msg("1301", dup265); - -var msg2507 = msg("1301:01", dup266); - -var select1193 = linear_select([ - msg2506, - msg2507, -]); - -var msg2508 = msg("1302", dup265); - -var msg2509 = msg("1302:01", dup266); - -var select1194 = linear_select([ - msg2508, - msg2509, -]); - -var msg2510 = msg("1303", dup265); - -var msg2511 = msg("1303:01", dup266); - -var select1195 = linear_select([ - msg2510, - msg2511, -]); - -var msg2512 = msg("1304", dup265); - -var msg2513 = msg("1304:01", dup266); - -var select1196 = linear_select([ - msg2512, - msg2513, -]); - -var msg2514 = msg("1305", dup265); - -var msg2515 = msg("1305:01", dup266); - -var select1197 = linear_select([ - msg2514, - msg2515, -]); - -var msg2516 = msg("1306", dup265); - -var msg2517 = msg("1306:01", dup266); - -var select1198 = linear_select([ - msg2516, - msg2517, 
-]); - -var msg2518 = msg("1307", dup265); - -var msg2519 = msg("1307:01", dup266); - -var select1199 = linear_select([ - msg2518, - msg2519, -]); - -var msg2520 = msg("1308", dup265); - -var msg2521 = msg("1308:01", dup266); - -var select1200 = linear_select([ - msg2520, - msg2521, -]); - -var msg2522 = msg("1309", dup265); - -var msg2523 = msg("1309:01", dup266); - -var select1201 = linear_select([ - msg2522, - msg2523, -]); - -var msg2524 = msg("1310", dup281); - -var msg2525 = msg("1310:01", dup282); - -var select1202 = linear_select([ - msg2524, - msg2525, -]); - -var msg2526 = msg("1311", dup281); - -var msg2527 = msg("1311:01", dup282); - -var select1203 = linear_select([ - msg2526, - msg2527, -]); - -var msg2528 = msg("1312", dup281); - -var msg2529 = msg("1312:01", dup282); - -var select1204 = linear_select([ - msg2528, - msg2529, -]); - -var msg2530 = msg("1313", dup281); - -var msg2531 = msg("1313:01", dup282); - -var select1205 = linear_select([ - msg2530, - msg2531, -]); - -var msg2532 = msg("1314", dup281); - -var msg2533 = msg("1314:01", dup282); - -var select1206 = linear_select([ - msg2532, - msg2533, -]); - -var msg2534 = msg("1315", dup281); - -var msg2535 = msg("1315:01", dup282); - -var select1207 = linear_select([ - msg2534, - msg2535, -]); - -var msg2536 = msg("1316", dup281); - -var msg2537 = msg("1316:01", dup282); - -var select1208 = linear_select([ - msg2536, - msg2537, -]); - -var msg2538 = msg("1317", dup281); - -var msg2539 = msg("1317:01", dup282); - -var select1209 = linear_select([ - msg2538, - msg2539, -]); - -var msg2540 = msg("1318", dup281); - -var msg2541 = msg("1318:01", dup282); - -var select1210 = linear_select([ - msg2540, - msg2541, -]); - -var msg2542 = msg("1319", dup281); - -var msg2543 = msg("1319:01", dup282); - -var select1211 = linear_select([ - msg2542, - msg2543, -]); - -var msg2544 = msg("1320", dup281); - -var msg2545 = msg("1320:01", dup282); - -var select1212 = linear_select([ - msg2544, - msg2545, -]); - -var 
msg2546 = msg("1321", dup196); - -var msg2547 = msg("1321:01", dup217); - -var select1213 = linear_select([ - msg2546, - msg2547, -]); - -var msg2548 = msg("1322", dup196); - -var msg2549 = msg("1322:01", dup217); - -var select1214 = linear_select([ - msg2548, - msg2549, -]); - -var msg2550 = msg("1323", dup196); - -var msg2551 = msg("1323:01", dup217); - -var select1215 = linear_select([ - msg2550, - msg2551, -]); - -var msg2552 = msg("1324", dup197); - -var msg2553 = msg("1324:01", dup221); - -var select1216 = linear_select([ - msg2552, - msg2553, -]); - -var msg2554 = msg("1325", dup197); - -var msg2555 = msg("1325:01", dup221); - -var select1217 = linear_select([ - msg2554, - msg2555, -]); - -var msg2556 = msg("1326", dup197); - -var msg2557 = msg("1326:01", dup221); - -var select1218 = linear_select([ - msg2556, - msg2557, -]); - -var msg2558 = msg("1327", dup197); - -var msg2559 = msg("1327:01", dup221); - -var select1219 = linear_select([ - msg2558, - msg2559, -]); - -var msg2560 = msg("1328", dup265); - -var msg2561 = msg("1328:01", dup266); - -var select1220 = linear_select([ - msg2560, - msg2561, -]); - -var msg2562 = msg("1329", dup265); - -var msg2563 = msg("1329:01", dup266); - -var select1221 = linear_select([ - msg2562, - msg2563, -]); - -var msg2564 = msg("1330", dup265); - -var msg2565 = msg("1330:01", dup266); - -var select1222 = linear_select([ - msg2564, - msg2565, -]); - -var msg2566 = msg("1331", dup265); - -var msg2567 = msg("1331:01", dup266); - -var select1223 = linear_select([ - msg2566, - msg2567, -]); - -var msg2568 = msg("1332", dup265); - -var msg2569 = msg("1332:01", dup266); - -var select1224 = linear_select([ - msg2568, - msg2569, -]); - -var msg2570 = msg("1333", dup265); - -var msg2571 = msg("1333:01", dup266); - -var select1225 = linear_select([ - msg2570, - msg2571, -]); - -var msg2572 = msg("1334", dup265); - -var msg2573 = msg("1334:01", dup266); - -var select1226 = linear_select([ - msg2572, - msg2573, -]); - -var msg2574 = 
msg("1335", dup265); - -var msg2575 = msg("1335:01", dup266); - -var select1227 = linear_select([ - msg2574, - msg2575, -]); - -var msg2576 = msg("1336", dup265); - -var msg2577 = msg("1336:01", dup266); - -var select1228 = linear_select([ - msg2576, - msg2577, -]); - -var msg2578 = msg("1337", dup265); - -var msg2579 = msg("1337:01", dup266); - -var select1229 = linear_select([ - msg2578, - msg2579, -]); - -var msg2580 = msg("1338", dup265); - -var msg2581 = msg("1338:01", dup266); - -var select1230 = linear_select([ - msg2580, - msg2581, -]); - -var msg2582 = msg("1339", dup265); - -var msg2583 = msg("1339:01", dup266); - -var select1231 = linear_select([ - msg2582, - msg2583, -]); - -var msg2584 = msg("1340", dup274); - -var msg2585 = msg("1340:01", dup275); - -var select1232 = linear_select([ - msg2584, - msg2585, -]); - -var msg2586 = msg("1341", dup265); - -var msg2587 = msg("1341:01", dup266); - -var select1233 = linear_select([ - msg2586, - msg2587, -]); - -var msg2588 = msg("1342", dup265); - -var msg2589 = msg("1342:01", dup266); - -var select1234 = linear_select([ - msg2588, - msg2589, -]); - -var msg2590 = msg("1343", dup265); - -var msg2591 = msg("1343:01", dup266); - -var select1235 = linear_select([ - msg2590, - msg2591, -]); - -var msg2592 = msg("1344", dup265); - -var msg2593 = msg("1344:01", dup266); - -var select1236 = linear_select([ - msg2592, - msg2593, -]); - -var msg2594 = msg("1345", dup265); - -var msg2595 = msg("1345:01", dup266); - -var select1237 = linear_select([ - msg2594, - msg2595, -]); - -var msg2596 = msg("1346", dup265); - -var msg2597 = msg("1346:01", dup266); - -var select1238 = linear_select([ - msg2596, - msg2597, -]); - -var msg2598 = msg("1347", dup265); - -var msg2599 = msg("1347:01", dup266); - -var select1239 = linear_select([ - msg2598, - msg2599, -]); - -var msg2600 = msg("1348", dup265); - -var msg2601 = msg("1348:01", dup266); - -var select1240 = linear_select([ - msg2600, - msg2601, -]); - -var msg2602 = msg("1349", 
dup265); - -var msg2603 = msg("1349:01", dup266); - -var select1241 = linear_select([ - msg2602, - msg2603, -]); - -var msg2604 = msg("1350", dup265); - -var msg2605 = msg("1350:01", dup266); - -var select1242 = linear_select([ - msg2604, - msg2605, -]); - -var msg2606 = msg("1351", dup267); - -var msg2607 = msg("1351:01", dup268); - -var select1243 = linear_select([ - msg2606, - msg2607, -]); - -var msg2608 = msg("1352", dup267); - -var msg2609 = msg("1352:01", dup268); - -var select1244 = linear_select([ - msg2608, - msg2609, -]); - -var msg2610 = msg("1353", dup265); - -var msg2611 = msg("1353:01", dup266); - -var select1245 = linear_select([ - msg2610, - msg2611, -]); - -var msg2612 = msg("1354", dup265); - -var msg2613 = msg("1354:01", dup266); - -var select1246 = linear_select([ - msg2612, - msg2613, -]); - -var msg2614 = msg("1355", dup267); - -var msg2615 = msg("1355:01", dup268); - -var select1247 = linear_select([ - msg2614, - msg2615, -]); - -var msg2616 = msg("1356", dup267); - -var msg2617 = msg("1356:01", dup268); - -var select1248 = linear_select([ - msg2616, - msg2617, -]); - -var msg2618 = msg("1357", dup265); - -var msg2619 = msg("1357:01", dup266); - -var select1249 = linear_select([ - msg2618, - msg2619, -]); - -var msg2620 = msg("1358", dup265); - -var msg2621 = msg("1358:01", dup266); - -var select1250 = linear_select([ - msg2620, - msg2621, -]); - -var msg2622 = msg("1359", dup265); - -var msg2623 = msg("1359:01", dup266); - -var select1251 = linear_select([ - msg2622, - msg2623, -]); - -var msg2624 = msg("1360", dup265); - -var msg2625 = msg("1360:01", dup266); - -var select1252 = linear_select([ - msg2624, - msg2625, -]); - -var msg2626 = msg("1361", dup265); - -var msg2627 = msg("1361:01", dup266); - -var select1253 = linear_select([ - msg2626, - msg2627, -]); - -var msg2628 = msg("1362", dup265); - -var msg2629 = msg("1362:01", dup266); - -var select1254 = linear_select([ - msg2628, - msg2629, -]); - -var msg2630 = msg("1363", dup265); - 
-var msg2631 = msg("1363:01", dup266); - -var select1255 = linear_select([ - msg2630, - msg2631, -]); - -var msg2632 = msg("1364", dup265); - -var msg2633 = msg("1364:01", dup266); - -var select1256 = linear_select([ - msg2632, - msg2633, -]); - -var msg2634 = msg("1365", dup265); - -var msg2635 = msg("1365:01", dup266); - -var select1257 = linear_select([ - msg2634, - msg2635, -]); - -var msg2636 = msg("1366", dup265); - -var msg2637 = msg("1366:01", dup266); - -var select1258 = linear_select([ - msg2636, - msg2637, -]); - -var msg2638 = msg("1367", dup265); - -var msg2639 = msg("1367:01", dup266); - -var select1259 = linear_select([ - msg2638, - msg2639, -]); - -var msg2640 = msg("1368", dup265); - -var msg2641 = msg("1368:01", dup266); - -var select1260 = linear_select([ - msg2640, - msg2641, -]); - -var msg2642 = msg("1369", dup265); - -var msg2643 = msg("1369:01", dup266); - -var select1261 = linear_select([ - msg2642, - msg2643, -]); - -var msg2644 = msg("1370", dup265); - -var msg2645 = msg("1370:01", dup266); - -var select1262 = linear_select([ - msg2644, - msg2645, -]); - -var msg2646 = msg("1371", dup265); - -var msg2647 = msg("1371:01", dup266); - -var select1263 = linear_select([ - msg2646, - msg2647, -]); - -var msg2648 = msg("1372", dup265); - -var msg2649 = msg("1372:01", dup266); - -var select1264 = linear_select([ - msg2648, - msg2649, -]); - -var msg2650 = msg("1373", dup265); - -var msg2651 = msg("1373:01", dup266); - -var select1265 = linear_select([ - msg2650, - msg2651, -]); - -var msg2652 = msg("1374", dup265); - -var msg2653 = msg("1374:01", dup266); - -var select1266 = linear_select([ - msg2652, - msg2653, -]); - -var msg2654 = msg("1375", dup238); - -var msg2655 = msg("1375:01", dup239); - -var select1267 = linear_select([ - msg2654, - msg2655, -]); - -var msg2656 = msg("1376", dup265); - -var msg2657 = msg("1376:01", dup266); - -var select1268 = linear_select([ - msg2656, - msg2657, -]); - -var msg2658 = msg("1377", dup227); - -var 
msg2659 = msg("1377:01", dup228); - -var select1269 = linear_select([ - msg2658, - msg2659, -]); - -var msg2660 = msg("1378", dup227); - -var msg2661 = msg("1378:01", dup228); - -var select1270 = linear_select([ - msg2660, - msg2661, -]); - -var msg2662 = msg("1379", dup222); - -var msg2663 = msg("1379:01", dup223); - -var select1271 = linear_select([ - msg2662, - msg2663, -]); - -var msg2664 = msg("1380", dup265); - -var msg2665 = msg("1380:01", dup266); - -var select1272 = linear_select([ - msg2664, - msg2665, -]); - -var msg2666 = msg("1381", dup194); - -var msg2667 = msg("1381:01", dup229); - -var select1273 = linear_select([ - msg2666, - msg2667, -]); - -var msg2668 = msg("1382", dup222); - -var msg2669 = msg("1382:01", dup223); - -var select1274 = linear_select([ - msg2668, - msg2669, -]); - -var msg2670 = msg("1383", dup196); - -var msg2671 = msg("1383:01", dup217); - -var select1275 = linear_select([ - msg2670, - msg2671, -]); - -var msg2672 = msg("1384", dup196); - -var msg2673 = msg("1384:01", dup217); - -var select1276 = linear_select([ - msg2672, - msg2673, -]); - -var msg2674 = msg("1385", dup240); - -var msg2675 = msg("1385:01", dup241); - -var select1277 = linear_select([ - msg2674, - msg2675, -]); - -var msg2676 = msg("1386", dup197); - -var msg2677 = msg("1386:01", dup221); - -var select1278 = linear_select([ - msg2676, - msg2677, -]); - -var msg2678 = msg("1387", dup197); - -var msg2679 = msg("1387:01", dup221); - -var select1279 = linear_select([ - msg2678, - msg2679, -]); - -var msg2680 = msg("1388", dup222); - -var msg2681 = msg("1388:01", dup223); - -var select1280 = linear_select([ - msg2680, - msg2681, -]); - -var msg2682 = msg("1389", dup265); - -var msg2683 = msg("1389:01", dup266); - -var select1281 = linear_select([ - msg2682, - msg2683, -]); - -var msg2684 = msg("1390", dup196); - -var msg2685 = msg("1390:01", dup217); - -var select1282 = linear_select([ - msg2684, - msg2685, -]); - -var msg2686 = msg("1391", dup267); - -var msg2687 = 
msg("1391:01", dup268); - -var select1283 = linear_select([ - msg2686, - msg2687, -]); - -var msg2688 = msg("1392", dup265); - -var msg2689 = msg("1392:01", dup266); - -var select1284 = linear_select([ - msg2688, - msg2689, -]); - -var msg2690 = msg("1393", dup196); - -var msg2691 = msg("1393:01", dup217); - -var select1285 = linear_select([ - msg2690, - msg2691, -]); - -var msg2692 = msg("1394", dup196); - -var msg2693 = msg("1394:01", dup217); - -var select1286 = linear_select([ - msg2692, - msg2693, -]); - -var msg2694 = msg("1395", dup265); - -var msg2695 = msg("1395:01", dup266); - -var select1287 = linear_select([ - msg2694, - msg2695, -]); - -var msg2696 = msg("1396", dup265); - -var msg2697 = msg("1396:01", dup266); - -var select1288 = linear_select([ - msg2696, - msg2697, -]); - -var msg2698 = msg("1397", dup265); - -var msg2699 = msg("1397:01", dup266); - -var select1289 = linear_select([ - msg2698, - msg2699, -]); - -var msg2700 = msg("1398", dup196); - -var msg2701 = msg("1398:01", dup217); - -var select1290 = linear_select([ - msg2700, - msg2701, -]); - -var msg2702 = msg("1399", dup265); - -var msg2703 = msg("1399:01", dup266); - -var select1291 = linear_select([ - msg2702, - msg2703, -]); - -var msg2704 = msg("1400", dup265); - -var msg2705 = msg("1400:01", dup266); - -var select1292 = linear_select([ - msg2704, - msg2705, -]); - -var msg2706 = msg("1401", dup265); - -var msg2707 = msg("1401:01", dup266); - -var select1293 = linear_select([ - msg2706, - msg2707, -]); - -var msg2708 = msg("1402", dup265); - -var msg2709 = msg("1402:01", dup266); - -var select1294 = linear_select([ - msg2708, - msg2709, -]); - -var msg2710 = msg("1403", dup265); - -var msg2711 = msg("1403:01", dup266); - -var select1295 = linear_select([ - msg2710, - msg2711, -]); - -var msg2712 = msg("1404", dup265); - -var msg2713 = msg("1404:01", dup266); - -var select1296 = linear_select([ - msg2712, - msg2713, -]); - -var msg2714 = msg("1405", dup265); - -var msg2715 = 
msg("1405:01", dup266); - -var select1297 = linear_select([ - msg2714, - msg2715, -]); - -var msg2716 = msg("1406", dup265); - -var msg2717 = msg("1406:01", dup266); - -var select1298 = linear_select([ - msg2716, - msg2717, -]); - -var msg2718 = msg("1407", dup265); - -var msg2719 = msg("1407:01", dup266); - -var select1299 = linear_select([ - msg2718, - msg2719, -]); - -var msg2720 = msg("1408", dup198); - -var msg2721 = msg("1408:01", dup220); - -var select1300 = linear_select([ - msg2720, - msg2721, -]); - -var msg2722 = msg("1409", dup222); - -var msg2723 = msg("1409:01", dup223); - -var select1301 = linear_select([ - msg2722, - msg2723, -]); - -var msg2724 = msg("1410", dup265); - -var msg2725 = msg("1410:01", dup266); - -var select1302 = linear_select([ - msg2724, - msg2725, -]); - -var msg2726 = msg("1411", dup242); - -var msg2727 = msg("1411:01", dup243); - -var select1303 = linear_select([ - msg2726, - msg2727, -]); - -var msg2728 = msg("1412", dup283); - -var msg2729 = msg("1412:01", dup284); - -var select1304 = linear_select([ - msg2728, - msg2729, -]); - -var msg2730 = msg("1413", dup242); - -var msg2731 = msg("1413:01", dup243); - -var select1305 = linear_select([ - msg2730, - msg2731, -]); - -var msg2732 = msg("1414", dup283); - -var msg2733 = msg("1414:01", dup284); - -var select1306 = linear_select([ - msg2732, - msg2733, -]); - -var msg2734 = msg("1415", dup242); - -var msg2735 = msg("1415:01", dup243); - -var select1307 = linear_select([ - msg2734, - msg2735, -]); - -var msg2736 = msg("1416", dup242); - -var msg2737 = msg("1416:01", dup243); - -var select1308 = linear_select([ - msg2736, - msg2737, -]); - -var msg2738 = msg("1417", dup242); - -var msg2739 = msg("1417:01", dup243); - -var select1309 = linear_select([ - msg2738, - msg2739, -]); - -var msg2740 = msg("1418", dup283); - -var msg2741 = msg("1418:01", dup284); - -var select1310 = linear_select([ - msg2740, - msg2741, -]); - -var msg2742 = msg("1419", dup242); - -var msg2743 = 
msg("1419:01", dup243); - -var select1311 = linear_select([ - msg2742, - msg2743, -]); - -var msg2744 = msg("1420", dup283); - -var msg2745 = msg("1420:01", dup284); - -var select1312 = linear_select([ - msg2744, - msg2745, -]); - -var msg2746 = msg("1421", dup253); - -var msg2747 = msg("1421:01", dup254); - -var select1313 = linear_select([ - msg2746, - msg2747, -]); - -var msg2748 = msg("1422", dup222); - -var msg2749 = msg("1422:01", dup223); - -var select1314 = linear_select([ - msg2748, - msg2749, -]); - -var msg2750 = msg("1423", dup197); - -var msg2751 = msg("1423:01", dup217); - -var select1315 = linear_select([ - msg2750, - msg2751, -]); - -var msg2752 = msg("1424", dup196); - -var msg2753 = msg("1424:01", dup217); - -var select1316 = linear_select([ - msg2752, - msg2753, -]); - -var msg2754 = msg("1425", dup265); - -var msg2755 = msg("1425:01", dup217); - -var select1317 = linear_select([ - msg2754, - msg2755, -]); - -var msg2756 = msg("1426", dup242); - -var msg2757 = msg("1426:01", dup243); - -var select1318 = linear_select([ - msg2756, - msg2757, -]); - -var msg2758 = msg("1427", dup242); - -var msg2759 = msg("1427:01", dup243); - -var select1319 = linear_select([ - msg2758, - msg2759, -]); - -var msg2760 = msg("1428", dup196); - -var msg2761 = msg("1428:01", dup217); - -var select1320 = linear_select([ - msg2760, - msg2761, -]); - -var msg2762 = msg("1429", dup196); - -var msg2763 = msg("1429:01", dup217); - -var select1321 = linear_select([ - msg2762, - msg2763, -]); - -var msg2764 = msg("1430", dup278); - -var msg2765 = msg("1430:01", dup279); - -var select1322 = linear_select([ - msg2764, - msg2765, -]); - -var msg2766 = msg("1431", dup196); - -var msg2767 = msg("1431:01", dup217); - -var select1323 = linear_select([ - msg2766, - msg2767, -]); - -var msg2768 = msg("1432", dup196); - -var msg2769 = msg("1432:01", dup217); - -var select1324 = linear_select([ - msg2768, - msg2769, -]); - -var msg2770 = msg("1433", dup265); - -var msg2771 = 
msg("1433:01", dup266); - -var select1325 = linear_select([ - msg2770, - msg2771, -]); - -var msg2772 = msg("1434", dup265); - -var msg2773 = msg("1434:01", dup266); - -var select1326 = linear_select([ - msg2772, - msg2773, -]); - -var msg2774 = msg("1435", dup196); - -var msg2775 = msg("1435:01", dup217); - -var select1327 = linear_select([ - msg2774, - msg2775, -]); - -var msg2776 = msg("1436", dup196); - -var msg2777 = msg("1436:01", dup217); - -var select1328 = linear_select([ - msg2776, - msg2777, -]); - -var msg2778 = msg("1437", dup196); - -var msg2779 = msg("1437:01", dup217); - -var select1329 = linear_select([ - msg2778, - msg2779, -]); - -var msg2780 = msg("1438", dup196); - -var msg2781 = msg("1438:01", dup217); - -var select1330 = linear_select([ - msg2780, - msg2781, -]); - -var msg2782 = msg("1439", dup196); - -var msg2783 = msg("1439:01", dup217); - -var select1331 = linear_select([ - msg2782, - msg2783, -]); - -var msg2784 = msg("1440", dup196); - -var msg2785 = msg("1440:01", dup217); - -var select1332 = linear_select([ - msg2784, - msg2785, -]); - -var msg2786 = msg("1441", dup196); - -var msg2787 = msg("1441:01", dup217); - -var select1333 = linear_select([ - msg2786, - msg2787, -]); - -var msg2788 = msg("1442", dup196); - -var msg2789 = msg("1442:01", dup217); - -var select1334 = linear_select([ - msg2788, - msg2789, -]); - -var msg2790 = msg("1443", dup196); - -var msg2791 = msg("1443:01", dup217); - -var select1335 = linear_select([ - msg2790, - msg2791, -]); - -var msg2792 = msg("1444", dup196); - -var msg2793 = msg("1444:01", dup217); - -var select1336 = linear_select([ - msg2792, - msg2793, -]); - -var msg2794 = msg("1445", dup227); - -var msg2795 = msg("1445:01", dup228); - -var select1337 = linear_select([ - msg2794, - msg2795, -]); - -var msg2796 = msg("1446", dup250); - -var msg2797 = msg("1446:01", dup251); - -var select1338 = linear_select([ - msg2796, - msg2797, -]); - -var msg2798 = msg("1447", dup196); - -var msg2799 = 
msg("1447:01", dup217); - -var select1339 = linear_select([ - msg2798, - msg2799, -]); - -var msg2800 = msg("1448", dup196); - -var msg2801 = msg("1448:01", dup217); - -var select1340 = linear_select([ - msg2800, - msg2801, -]); - -var msg2802 = msg("1449", dup227); - -var msg2803 = msg("1449:01", dup228); - -var select1341 = linear_select([ - msg2802, - msg2803, -]); - -var msg2804 = msg("1450", dup250); - -var msg2805 = msg("1450:01", dup251); - -var select1342 = linear_select([ - msg2804, - msg2805, -]); - -var msg2806 = msg("1451", dup265); - -var msg2807 = msg("1451:01", dup266); - -var select1343 = linear_select([ - msg2806, - msg2807, -]); - -var msg2808 = msg("1452", dup265); - -var msg2809 = msg("1452:01", dup266); - -var select1344 = linear_select([ - msg2808, - msg2809, -]); - -var msg2810 = msg("1453", dup265); - -var msg2811 = msg("1453:01", dup266); - -var select1345 = linear_select([ - msg2810, - msg2811, -]); - -var msg2812 = msg("1454", dup265); - -var msg2813 = msg("1454:01", dup266); - -var select1346 = linear_select([ - msg2812, - msg2813, -]); - -var msg2814 = msg("1455", dup265); - -var msg2815 = msg("1455:01", dup266); - -var select1347 = linear_select([ - msg2814, - msg2815, -]); - -var msg2816 = msg("1456", dup265); - -var msg2817 = msg("1456:01", dup266); - -var select1348 = linear_select([ - msg2816, - msg2817, -]); - -var msg2818 = msg("1457", dup265); - -var msg2819 = msg("1457:01", dup266); - -var select1349 = linear_select([ - msg2818, - msg2819, -]); - -var msg2820 = msg("1458", dup265); - -var msg2821 = msg("1458:01", dup266); - -var select1350 = linear_select([ - msg2820, - msg2821, -]); - -var msg2822 = msg("1459", dup265); - -var msg2823 = msg("1459:01", dup266); - -var select1351 = linear_select([ - msg2822, - msg2823, -]); - -var msg2824 = msg("1460", dup265); - -var msg2825 = msg("1460:01", dup266); - -var select1352 = linear_select([ - msg2824, - msg2825, -]); - -var msg2826 = msg("1461", dup265); - -var msg2827 = 
msg("1461:01", dup266); - -var select1353 = linear_select([ - msg2826, - msg2827, -]); - -var msg2828 = msg("1462", dup265); - -var msg2829 = msg("1462:01", dup266); - -var select1354 = linear_select([ - msg2828, - msg2829, -]); - -var msg2830 = msg("1463", dup196); - -var msg2831 = msg("1463:01", dup217); - -var select1355 = linear_select([ - msg2830, - msg2831, -]); - -var msg2832 = msg("1464", dup196); - -var msg2833 = msg("1464:01", dup217); - -var select1356 = linear_select([ - msg2832, - msg2833, -]); - -var msg2834 = msg("1465", dup265); - -var msg2835 = msg("1465:01", dup266); - -var select1357 = linear_select([ - msg2834, - msg2835, -]); - -var msg2836 = msg("1466", dup265); - -var msg2837 = msg("1466:01", dup266); - -var select1358 = linear_select([ - msg2836, - msg2837, -]); - -var msg2838 = msg("1467", dup265); - -var msg2839 = msg("1467:01", dup266); - -var select1359 = linear_select([ - msg2838, - msg2839, -]); - -var msg2840 = msg("1468", dup265); - -var msg2841 = msg("1468:01", dup266); - -var select1360 = linear_select([ - msg2840, - msg2841, -]); - -var msg2842 = msg("1469", dup265); - -var msg2843 = msg("1469:01", dup266); - -var select1361 = linear_select([ - msg2842, - msg2843, -]); - -var msg2844 = msg("1470", dup265); - -var msg2845 = msg("1470:01", dup266); - -var select1362 = linear_select([ - msg2844, - msg2845, -]); - -var msg2846 = msg("1471", dup265); - -var msg2847 = msg("1471:01", dup266); - -var select1363 = linear_select([ - msg2846, - msg2847, -]); - -var msg2848 = msg("1472", dup265); - -var msg2849 = msg("1472:01", dup266); - -var select1364 = linear_select([ - msg2848, - msg2849, -]); - -var msg2850 = msg("1473", dup265); - -var msg2851 = msg("1473:01", dup266); - -var select1365 = linear_select([ - msg2850, - msg2851, -]); - -var msg2852 = msg("1474", dup265); - -var msg2853 = msg("1474:01", dup266); - -var select1366 = linear_select([ - msg2852, - msg2853, -]); - -var msg2854 = msg("1475", dup265); - -var msg2855 = 
msg("1475:01", dup266); - -var select1367 = linear_select([ - msg2854, - msg2855, -]); - -var msg2856 = msg("1476", dup265); - -var msg2857 = msg("1476:01", dup266); - -var select1368 = linear_select([ - msg2856, - msg2857, -]); - -var msg2858 = msg("1477", dup265); - -var msg2859 = msg("1477:01", dup266); - -var select1369 = linear_select([ - msg2858, - msg2859, -]); - -var msg2860 = msg("1478", dup265); - -var msg2861 = msg("1478:01", dup266); - -var select1370 = linear_select([ - msg2860, - msg2861, -]); - -var msg2862 = msg("1479", dup265); - -var msg2863 = msg("1479:01", dup266); - -var select1371 = linear_select([ - msg2862, - msg2863, -]); - -var msg2864 = msg("1480", dup265); - -var msg2865 = msg("1480:01", dup266); - -var select1372 = linear_select([ - msg2864, - msg2865, -]); - -var msg2866 = msg("1481", dup265); - -var msg2867 = msg("1481:01", dup266); - -var select1373 = linear_select([ - msg2866, - msg2867, -]); - -var msg2868 = msg("1482", dup265); - -var msg2869 = msg("1482:01", dup266); - -var select1374 = linear_select([ - msg2868, - msg2869, -]); - -var msg2870 = msg("1483", dup265); - -var msg2871 = msg("1483:01", dup266); - -var select1375 = linear_select([ - msg2870, - msg2871, -]); - -var msg2872 = msg("1484", dup265); - -var msg2873 = msg("1484:01", dup266); - -var select1376 = linear_select([ - msg2872, - msg2873, -]); - -var msg2874 = msg("1485", dup265); - -var msg2875 = msg("1485:01", dup266); - -var select1377 = linear_select([ - msg2874, - msg2875, -]); - -var msg2876 = msg("1486", dup265); - -var msg2877 = msg("1486:01", dup266); - -var select1378 = linear_select([ - msg2876, - msg2877, -]); - -var msg2878 = msg("1487", dup265); - -var msg2879 = msg("1487:01", dup266); - -var select1379 = linear_select([ - msg2878, - msg2879, -]); - -var msg2880 = msg("1488", dup265); - -var msg2881 = msg("1488:01", dup266); - -var select1380 = linear_select([ - msg2880, - msg2881, -]); - -var msg2882 = msg("1489", dup265); - -var msg2883 = 
msg("1489:01", dup266); - -var select1381 = linear_select([ - msg2882, - msg2883, -]); - -var msg2884 = msg("1490", dup265); - -var msg2885 = msg("1490:01", dup266); - -var select1382 = linear_select([ - msg2884, - msg2885, -]); - -var msg2886 = msg("1491", dup265); - -var msg2887 = msg("1491:01", dup266); - -var select1383 = linear_select([ - msg2886, - msg2887, -]); - -var msg2888 = msg("1492", dup265); - -var msg2889 = msg("1492:01", dup266); - -var select1384 = linear_select([ - msg2888, - msg2889, -]); - -var msg2890 = msg("1493", dup265); - -var msg2891 = msg("1493:01", dup266); - -var select1385 = linear_select([ - msg2890, - msg2891, -]); - -var msg2892 = msg("1494", dup265); - -var msg2893 = msg("1494:01", dup266); - -var select1386 = linear_select([ - msg2892, - msg2893, -]); - -var msg2894 = msg("1495", dup265); - -var msg2895 = msg("1495:01", dup266); - -var select1387 = linear_select([ - msg2894, - msg2895, -]); - -var msg2896 = msg("1496", dup265); - -var msg2897 = msg("1496:01", dup266); - -var select1388 = linear_select([ - msg2896, - msg2897, -]); - -var msg2898 = msg("1497", dup265); - -var msg2899 = msg("1497:01", dup266); - -var select1389 = linear_select([ - msg2898, - msg2899, -]); - -var msg2900 = msg("1498", dup265); - -var msg2901 = msg("1498:01", dup266); - -var select1390 = linear_select([ - msg2900, - msg2901, -]); - -var msg2902 = msg("1499", dup265); - -var msg2903 = msg("1499:01", dup266); - -var select1391 = linear_select([ - msg2902, - msg2903, -]); - -var msg2904 = msg("1500", dup265); - -var msg2905 = msg("1500:01", dup266); - -var select1392 = linear_select([ - msg2904, - msg2905, -]); - -var msg2906 = msg("1501", dup265); - -var msg2907 = msg("1501:01", dup266); - -var select1393 = linear_select([ - msg2906, - msg2907, -]); - -var msg2908 = msg("1502", dup265); - -var msg2909 = msg("1502:01", dup266); - -var select1394 = linear_select([ - msg2908, - msg2909, -]); - -var msg2910 = msg("1503", dup265); - -var msg2911 = 
msg("1503:01", dup266); - -var select1395 = linear_select([ - msg2910, - msg2911, -]); - -var msg2912 = msg("1504", dup196); - -var msg2913 = msg("1504:01", dup217); - -var select1396 = linear_select([ - msg2912, - msg2913, -]); - -var msg2914 = msg("1505", dup269); - -var msg2915 = msg("1505:01", dup270); - -var select1397 = linear_select([ - msg2914, - msg2915, -]); - -var msg2916 = msg("1506", dup269); - -var msg2917 = msg("1506:01", dup270); - -var select1398 = linear_select([ - msg2916, - msg2917, -]); - -var msg2918 = msg("1507", dup269); - -var msg2919 = msg("1507:01", dup270); - -var select1399 = linear_select([ - msg2918, - msg2919, -]); - -var msg2920 = msg("1508", dup265); - -var msg2921 = msg("1508:01", dup266); - -var select1400 = linear_select([ - msg2920, - msg2921, -]); - -var msg2922 = msg("1509", dup265); - -var msg2923 = msg("1509:01", dup266); - -var select1401 = linear_select([ - msg2922, - msg2923, -]); - -var msg2924 = msg("1510", dup269); - -var msg2925 = msg("1510:01", dup270); - -var select1402 = linear_select([ - msg2924, - msg2925, -]); - -var msg2926 = msg("1511", dup265); - -var msg2927 = msg("1511:01", dup266); - -var select1403 = linear_select([ - msg2926, - msg2927, -]); - -var msg2928 = msg("1512", dup269); - -var msg2929 = msg("1512:01", dup270); - -var select1404 = linear_select([ - msg2928, - msg2929, -]); - -var msg2930 = msg("1513", dup265); - -var msg2931 = msg("1513:01", dup266); - -var select1405 = linear_select([ - msg2930, - msg2931, -]); - -var msg2932 = msg("1514", dup269); - -var msg2933 = msg("1514:01", dup270); - -var select1406 = linear_select([ - msg2932, - msg2933, -]); - -var msg2934 = msg("1515", dup265); - -var msg2935 = msg("1515:01", dup266); - -var select1407 = linear_select([ - msg2934, - msg2935, -]); - -var msg2936 = msg("1516", dup269); - -var msg2937 = msg("1516:01", dup270); - -var select1408 = linear_select([ - msg2936, - msg2937, -]); - -var msg2938 = msg("1517", dup265); - -var msg2939 = 
msg("1517:01", dup266); - -var select1409 = linear_select([ - msg2938, - msg2939, -]); - -var msg2940 = msg("1518", dup265); - -var msg2941 = msg("1518:01", dup266); - -var select1410 = linear_select([ - msg2940, - msg2941, -]); - -var msg2942 = msg("1519", dup265); - -var msg2943 = msg("1519:01", dup266); - -var select1411 = linear_select([ - msg2942, - msg2943, -]); - -var msg2944 = msg("1520", dup265); - -var msg2945 = msg("1520:01", dup266); - -var select1412 = linear_select([ - msg2944, - msg2945, -]); - -var msg2946 = msg("1521", dup265); - -var msg2947 = msg("1521:01", dup266); - -var select1413 = linear_select([ - msg2946, - msg2947, -]); - -var msg2948 = msg("1522", dup265); - -var msg2949 = msg("1522:01", dup266); - -var select1414 = linear_select([ - msg2948, - msg2949, -]); - -var msg2950 = msg("1523", dup265); - -var msg2951 = msg("1523:01", dup266); - -var select1415 = linear_select([ - msg2950, - msg2951, -]); - -var msg2952 = msg("1524", dup265); - -var msg2953 = msg("1524:01", dup266); - -var select1416 = linear_select([ - msg2952, - msg2953, -]); - -var msg2954 = msg("1525", dup265); - -var msg2955 = msg("1525:01", dup266); - -var select1417 = linear_select([ - msg2954, - msg2955, -]); - -var msg2956 = msg("1526", dup265); - -var msg2957 = msg("1526:01", dup266); - -var select1418 = linear_select([ - msg2956, - msg2957, -]); - -var msg2958 = msg("1527", dup240); - -var msg2959 = msg("1527:01", dup241); - -var select1419 = linear_select([ - msg2958, - msg2959, -]); - -var msg2960 = msg("1528", dup265); - -var msg2961 = msg("1528:01", dup266); - -var select1420 = linear_select([ - msg2960, - msg2961, -]); - -var msg2962 = msg("1529", dup222); - -var msg2963 = msg("1529:01", dup223); - -var select1421 = linear_select([ - msg2962, - msg2963, -]); - -var msg2964 = msg("1530", dup227); - -var msg2965 = msg("1530:01", dup228); - -var select1422 = linear_select([ - msg2964, - msg2965, -]); - -var msg2966 = msg("1531", dup265); - -var msg2967 = 
msg("1531:01", dup266); - -var select1423 = linear_select([ - msg2966, - msg2967, -]); - -var msg2968 = msg("1532", dup265); - -var msg2969 = msg("1532:01", dup266); - -var select1424 = linear_select([ - msg2968, - msg2969, -]); - -var msg2970 = msg("1533", dup265); - -var msg2971 = msg("1533:01", dup266); - -var select1425 = linear_select([ - msg2970, - msg2971, -]); - -var msg2972 = msg("1534", dup265); - -var msg2973 = msg("1534:01", dup266); - -var select1426 = linear_select([ - msg2972, - msg2973, -]); - -var msg2974 = msg("1535", dup265); - -var msg2975 = msg("1535:01", dup266); - -var select1427 = linear_select([ - msg2974, - msg2975, -]); - -var msg2976 = msg("1536", dup269); - -var msg2977 = msg("1536:01", dup270); - -var select1428 = linear_select([ - msg2976, - msg2977, -]); - -var msg2978 = msg("1537", dup265); - -var msg2979 = msg("1537:01", dup266); - -var select1429 = linear_select([ - msg2978, - msg2979, -]); - -var msg2980 = msg("1538", dup222); - -var msg2981 = msg("1538:01", dup223); - -var select1430 = linear_select([ - msg2980, - msg2981, -]); - -var msg2982 = msg("1539", dup265); - -var msg2983 = msg("1539:01", dup266); - -var select1431 = linear_select([ - msg2982, - msg2983, -]); - -var msg2984 = msg("1540", dup265); - -var msg2985 = msg("1540:01", dup266); - -var select1432 = linear_select([ - msg2984, - msg2985, -]); - -var msg2986 = msg("1541", dup225); - -var msg2987 = msg("1541:01", dup226); - -var select1433 = linear_select([ - msg2986, - msg2987, -]); - -var msg2988 = msg("1542", dup265); - -var msg2989 = msg("1542:01", dup266); - -var select1434 = linear_select([ - msg2988, - msg2989, -]); - -var msg2990 = msg("1543", dup265); - -var msg2991 = msg("1543:01", dup266); - -var select1435 = linear_select([ - msg2990, - msg2991, -]); - -var msg2992 = msg("1544", dup267); - -var msg2993 = msg("1544:01", dup268); - -var select1436 = linear_select([ - msg2992, - msg2993, -]); - -var msg2994 = msg("1545", dup198); - -var msg2995 = 
msg("1545:01", dup220); - -var select1437 = linear_select([ - msg2994, - msg2995, -]); - -var msg2996 = msg("1546", dup198); - -var msg2997 = msg("1546:01", dup220); - -var select1438 = linear_select([ - msg2996, - msg2997, -]); - -var msg2998 = msg("1547", dup269); - -var msg2999 = msg("1547:01", dup270); - -var select1439 = linear_select([ - msg2998, - msg2999, -]); - -var msg3000 = msg("1548", dup265); - -var msg3001 = msg("1548:01", dup266); - -var select1440 = linear_select([ - msg3000, - msg3001, -]); - -var msg3002 = msg("1549", dup222); - -var msg3003 = msg("1549:01", dup223); - -var select1441 = linear_select([ - msg3002, - msg3003, -]); - -var msg3004 = msg("1550", dup222); - -var msg3005 = msg("1550:01", dup223); - -var select1442 = linear_select([ - msg3004, - msg3005, -]); - -var msg3006 = msg("1551", dup265); - -var msg3007 = msg("1551:01", dup266); - -var select1443 = linear_select([ - msg3006, - msg3007, -]); - -var msg3008 = msg("1552", dup265); - -var msg3009 = msg("1552:01", dup266); - -var select1444 = linear_select([ - msg3008, - msg3009, -]); - -var msg3010 = msg("1553", dup265); - -var msg3011 = msg("1553:01", dup266); - -var select1445 = linear_select([ - msg3010, - msg3011, -]); - -var msg3012 = msg("1554", dup265); - -var msg3013 = msg("1554:01", dup266); - -var select1446 = linear_select([ - msg3012, - msg3013, -]); - -var msg3014 = msg("1555", dup265); - -var msg3015 = msg("1555:01", dup266); - -var select1447 = linear_select([ - msg3014, - msg3015, -]); - -var msg3016 = msg("1556", dup265); - -var msg3017 = msg("1556:01", dup266); - -var select1448 = linear_select([ - msg3016, - msg3017, -]); - -var msg3018 = msg("1557", dup265); - -var msg3019 = msg("1557:01", dup266); - -var select1449 = linear_select([ - msg3018, - msg3019, -]); - -var msg3020 = msg("1558", dup267); - -var msg3021 = msg("1558:01", dup268); - -var select1450 = linear_select([ - msg3020, - msg3021, -]); - -var msg3022 = msg("1559", dup265); - -var msg3023 = 
msg("1559:01", dup266); - -var select1451 = linear_select([ - msg3022, - msg3023, -]); - -var msg3024 = msg("1560", dup265); - -var msg3025 = msg("1560:01", dup266); - -var select1452 = linear_select([ - msg3024, - msg3025, -]); - -var msg3026 = msg("1561", dup265); - -var msg3027 = msg("1561:01", dup266); - -var select1453 = linear_select([ - msg3026, - msg3027, -]); - -var msg3028 = msg("1562", dup222); - -var msg3029 = msg("1562:01", dup223); - -var select1454 = linear_select([ - msg3028, - msg3029, -]); - -var msg3030 = msg("1563", dup265); - -var msg3031 = msg("1563:01", dup266); - -var select1455 = linear_select([ - msg3030, - msg3031, -]); - -var msg3032 = msg("1564", dup265); - -var msg3033 = msg("1564:01", dup266); - -var select1456 = linear_select([ - msg3032, - msg3033, -]); - -var msg3034 = msg("1565", dup269); - -var msg3035 = msg("1565:01", dup270); - -var select1457 = linear_select([ - msg3034, - msg3035, -]); - -var msg3036 = msg("1566", dup265); - -var msg3037 = msg("1566:01", dup266); - -var select1458 = linear_select([ - msg3036, - msg3037, -]); - -var msg3038 = msg("1567", dup265); - -var msg3039 = msg("1567:01", dup266); - -var select1459 = linear_select([ - msg3038, - msg3039, -]); - -var msg3040 = msg("1568", dup265); - -var msg3041 = msg("1568:01", dup266); - -var select1460 = linear_select([ - msg3040, - msg3041, -]); - -var msg3042 = msg("1569", dup265); - -var msg3043 = msg("1569:01", dup266); - -var select1461 = linear_select([ - msg3042, - msg3043, -]); - -var msg3044 = msg("1570", dup265); - -var msg3045 = msg("1570:01", dup266); - -var select1462 = linear_select([ - msg3044, - msg3045, -]); - -var msg3046 = msg("1571", dup265); - -var msg3047 = msg("1571:01", dup266); - -var select1463 = linear_select([ - msg3046, - msg3047, -]); - -var msg3048 = msg("1572", dup265); - -var msg3049 = msg("1572:01", dup266); - -var select1464 = linear_select([ - msg3048, - msg3049, -]); - -var msg3050 = msg("1573", dup265); - -var msg3051 = 
msg("1573:01", dup266); - -var select1465 = linear_select([ - msg3050, - msg3051, -]); - -var msg3052 = msg("1574", dup265); - -var msg3053 = msg("1574:01", dup266); - -var select1466 = linear_select([ - msg3052, - msg3053, -]); - -var msg3054 = msg("1575", dup265); - -var msg3055 = msg("1575:01", dup266); - -var select1467 = linear_select([ - msg3054, - msg3055, -]); - -var msg3056 = msg("1576", dup265); - -var msg3057 = msg("1576:01", dup266); - -var select1468 = linear_select([ - msg3056, - msg3057, -]); - -var msg3058 = msg("1577", dup265); - -var msg3059 = msg("1577:01", dup266); - -var select1469 = linear_select([ - msg3058, - msg3059, -]); - -var msg3060 = msg("1578", dup265); - -var msg3061 = msg("1578:01", dup266); - -var select1470 = linear_select([ - msg3060, - msg3061, -]); - -var msg3062 = msg("1579", dup265); - -var msg3063 = msg("1579:01", dup266); - -var select1471 = linear_select([ - msg3062, - msg3063, -]); - -var msg3064 = msg("1580", dup265); - -var msg3065 = msg("1580:01", dup266); - -var select1472 = linear_select([ - msg3064, - msg3065, -]); - -var msg3066 = msg("1581", dup265); - -var msg3067 = msg("1581:01", dup266); - -var select1473 = linear_select([ - msg3066, - msg3067, -]); - -var msg3068 = msg("1582", dup265); - -var msg3069 = msg("1582:01", dup266); - -var select1474 = linear_select([ - msg3068, - msg3069, -]); - -var msg3070 = msg("1583", dup265); - -var msg3071 = msg("1583:01", dup266); - -var select1475 = linear_select([ - msg3070, - msg3071, -]); - -var msg3072 = msg("1584", dup265); - -var msg3073 = msg("1584:01", dup266); - -var select1476 = linear_select([ - msg3072, - msg3073, -]); - -var msg3074 = msg("1585", dup265); - -var msg3075 = msg("1585:01", dup266); - -var select1477 = linear_select([ - msg3074, - msg3075, -]); - -var msg3076 = msg("1586", dup265); - -var msg3077 = msg("1586:01", dup266); - -var select1478 = linear_select([ - msg3076, - msg3077, -]); - -var msg3078 = msg("1587", dup265); - -var msg3079 = 
msg("1587:01", dup266); - -var select1479 = linear_select([ - msg3078, - msg3079, -]); - -var msg3080 = msg("1588", dup265); - -var msg3081 = msg("1588:01", dup266); - -var select1480 = linear_select([ - msg3080, - msg3081, -]); - -var msg3082 = msg("1589", dup265); - -var msg3083 = msg("1589:01", dup266); - -var select1481 = linear_select([ - msg3082, - msg3083, -]); - -var msg3084 = msg("1590", dup265); - -var msg3085 = msg("1590:01", dup266); - -var select1482 = linear_select([ - msg3084, - msg3085, -]); - -var msg3086 = msg("1591", dup265); - -var msg3087 = msg("1591:01", dup266); - -var select1483 = linear_select([ - msg3086, - msg3087, -]); - -var msg3088 = msg("1592", dup265); - -var msg3089 = msg("1592:01", dup266); - -var select1484 = linear_select([ - msg3088, - msg3089, -]); - -var msg3090 = msg("1593", dup265); - -var msg3091 = msg("1593:01", dup266); - -var select1485 = linear_select([ - msg3090, - msg3091, -]); - -var msg3092 = msg("1594", dup265); - -var msg3093 = msg("1594:01", dup266); - -var select1486 = linear_select([ - msg3092, - msg3093, -]); - -var msg3094 = msg("1595", dup265); - -var msg3095 = msg("1595:01", dup266); - -var select1487 = linear_select([ - msg3094, - msg3095, -]); - -var msg3096 = msg("1597", dup265); - -var msg3097 = msg("1597:01", dup266); - -var select1488 = linear_select([ - msg3096, - msg3097, -]); - -var msg3098 = msg("1598", dup265); - -var msg3099 = msg("1598:01", dup266); - -var select1489 = linear_select([ - msg3098, - msg3099, -]); - -var msg3100 = msg("1599", dup265); - -var msg3101 = msg("1599:01", dup266); - -var select1490 = linear_select([ - msg3100, - msg3101, -]); - -var msg3102 = msg("1600", dup265); - -var msg3103 = msg("1600:01", dup266); - -var select1491 = linear_select([ - msg3102, - msg3103, -]); - -var msg3104 = msg("1601", dup265); - -var msg3105 = msg("1601:01", dup266); - -var select1492 = linear_select([ - msg3104, - msg3105, -]); - -var msg3106 = msg("1602", dup265); - -var msg3107 = 
msg("1602:01", dup266); - -var select1493 = linear_select([ - msg3106, - msg3107, -]); - -var msg3108 = msg("1603", dup265); - -var msg3109 = msg("1603:01", dup266); - -var select1494 = linear_select([ - msg3108, - msg3109, -]); - -var msg3110 = msg("1604", dup265); - -var msg3111 = msg("1604:01", dup266); - -var select1495 = linear_select([ - msg3110, - msg3111, -]); - -var msg3112 = msg("1605", dup198); - -var msg3113 = msg("1605:01", dup220); - -var select1496 = linear_select([ - msg3112, - msg3113, -]); - -var msg3114 = msg("1606", dup265); - -var msg3115 = msg("1606:01", dup266); - -var select1497 = linear_select([ - msg3114, - msg3115, -]); - -var msg3116 = msg("1607", dup265); - -var msg3117 = msg("1607:01", dup266); - -var select1498 = linear_select([ - msg3116, - msg3117, -]); - -var msg3118 = msg("1608", dup265); - -var msg3119 = msg("1608:01", dup266); - -var select1499 = linear_select([ - msg3118, - msg3119, -]); - -var msg3120 = msg("1609", dup265); - -var msg3121 = msg("1609:01", dup266); - -var select1500 = linear_select([ - msg3120, - msg3121, -]); - -var msg3122 = msg("1610", dup269); - -var msg3123 = msg("1610:01", dup270); - -var select1501 = linear_select([ - msg3122, - msg3123, -]); - -var msg3124 = msg("1611", dup265); - -var msg3125 = msg("1611:01", dup266); - -var select1502 = linear_select([ - msg3124, - msg3125, -]); - -var msg3126 = msg("1612", dup265); - -var msg3127 = msg("1612:01", dup266); - -var select1503 = linear_select([ - msg3126, - msg3127, -]); - -var msg3128 = msg("1613", dup265); - -var msg3129 = msg("1613:01", dup266); - -var select1504 = linear_select([ - msg3128, - msg3129, -]); - -var msg3130 = msg("1614", dup265); - -var msg3131 = msg("1614:01", dup266); - -var select1505 = linear_select([ - msg3130, - msg3131, -]); - -var msg3132 = msg("1615", dup265); - -var msg3133 = msg("1615:01", dup266); - -var select1506 = linear_select([ - msg3132, - msg3133, -]); - -var msg3134 = msg("1616", dup196); - -var msg3135 = 
msg("1616:01", dup217); - -var select1507 = linear_select([ - msg3134, - msg3135, -]); - -var msg3136 = msg("1617", dup265); - -var msg3137 = msg("1617:01", dup266); - -var select1508 = linear_select([ - msg3136, - msg3137, -]); - -var msg3138 = msg("1618", dup196); - -var msg3139 = msg("1618:01", dup217); - -var select1509 = linear_select([ - msg3138, - msg3139, -]); - -var msg3140 = msg("1619", dup265); - -var msg3141 = msg("1619:01", dup266); - -var select1510 = linear_select([ - msg3140, - msg3141, -]); - -var msg3142 = msg("1620", dup196); - -var msg3143 = msg("1620:01", dup217); - -var select1511 = linear_select([ - msg3142, - msg3143, -]); - -var msg3144 = msg("1621", dup222); - -var msg3145 = msg("1621:01", dup223); - -var select1512 = linear_select([ - msg3144, - msg3145, -]); - -var msg3146 = msg("1622", dup227); - -var msg3147 = msg("1622:01", dup228); - -var select1513 = linear_select([ - msg3146, - msg3147, -]); - -var msg3148 = msg("1623", dup227); - -var msg3149 = msg("1623:01", dup228); - -var select1514 = linear_select([ - msg3148, - msg3149, -]); - -var msg3150 = msg("1624", dup222); - -var msg3151 = msg("1624:01", dup223); - -var select1515 = linear_select([ - msg3150, - msg3151, -]); - -var msg3152 = msg("1625", dup222); - -var msg3153 = msg("1625:01", dup223); - -var select1516 = linear_select([ - msg3152, - msg3153, -]); - -var msg3154 = msg("1626", dup265); - -var msg3155 = msg("1626:01", dup266); - -var select1517 = linear_select([ - msg3154, - msg3155, -]); - -var msg3156 = msg("1627", dup196); - -var msg3157 = msg("1627:01", dup217); - -var select1518 = linear_select([ - msg3156, - msg3157, -]); - -var msg3158 = msg("1628", dup265); - -var msg3159 = msg("1628:01", dup266); - -var select1519 = linear_select([ - msg3158, - msg3159, -]); - -var msg3160 = msg("1629", dup196); - -var msg3161 = msg("1629:01", dup217); - -var select1520 = linear_select([ - msg3160, - msg3161, -]); - -var msg3162 = msg("1630", dup227); - -var msg3163 = 
msg("1630:01", dup228); - -var select1521 = linear_select([ - msg3162, - msg3163, -]); - -var msg3164 = msg("1631", dup196); - -var msg3165 = msg("1631:01", dup217); - -var select1522 = linear_select([ - msg3164, - msg3165, -]); - -var msg3166 = msg("1632", dup196); - -var msg3167 = msg("1632:01", dup217); - -var select1523 = linear_select([ - msg3166, - msg3167, -]); - -var msg3168 = msg("1633", dup196); - -var msg3169 = msg("1633:01", dup217); - -var select1524 = linear_select([ - msg3168, - msg3169, -]); - -var msg3170 = msg("1634", dup222); - -var msg3171 = msg("1634:01", dup223); - -var select1525 = linear_select([ - msg3170, - msg3171, -]); - -var msg3172 = msg("1635", dup222); - -var msg3173 = msg("1635:01", dup223); - -var select1526 = linear_select([ - msg3172, - msg3173, -]); - -var msg3174 = msg("1636", dup222); - -var msg3175 = msg("1636:01", dup223); - -var select1527 = linear_select([ - msg3174, - msg3175, -]); - -var msg3176 = msg("1637", dup265); - -var msg3177 = msg("1637:01", dup266); - -var select1528 = linear_select([ - msg3176, - msg3177, -]); - -var msg3178 = msg("1638", dup194); - -var msg3179 = msg("1638:01", dup229); - -var select1529 = linear_select([ - msg3178, - msg3179, -]); - -var msg3180 = msg("1639", dup196); - -var msg3181 = msg("1639:01", dup217); - -var select1530 = linear_select([ - msg3180, - msg3181, -]); - -var msg3182 = msg("1640", dup196); - -var msg3183 = msg("1640:01", dup217); - -var select1531 = linear_select([ - msg3182, - msg3183, -]); - -var msg3184 = msg("1641", dup198); - -var msg3185 = msg("1641:01", dup220); - -var select1532 = linear_select([ - msg3184, - msg3185, -]); - -var msg3186 = msg("1642", dup265); - -var msg3187 = msg("1642:01", dup266); - -var select1533 = linear_select([ - msg3186, - msg3187, -]); - -var msg3188 = msg("1643", dup265); - -var msg3189 = msg("1643:01", dup266); - -var select1534 = linear_select([ - msg3188, - msg3189, -]); - -var msg3190 = msg("1644", dup265); - -var msg3191 = 
msg("1644:01", dup266); - -var select1535 = linear_select([ - msg3190, - msg3191, -]); - -var msg3192 = msg("1645", dup265); - -var msg3193 = msg("1645:01", dup266); - -var select1536 = linear_select([ - msg3192, - msg3193, -]); - -var msg3194 = msg("1646", dup265); - -var msg3195 = msg("1646:01", dup266); - -var select1537 = linear_select([ - msg3194, - msg3195, -]); - -var msg3196 = msg("1647", dup265); - -var msg3197 = msg("1647:01", dup266); - -var select1538 = linear_select([ - msg3196, - msg3197, -]); - -var msg3198 = msg("1648", dup265); - -var msg3199 = msg("1648:01", dup266); - -var select1539 = linear_select([ - msg3198, - msg3199, -]); - -var msg3200 = msg("1649", dup265); - -var msg3201 = msg("1649:01", dup266); - -var select1540 = linear_select([ - msg3200, - msg3201, -]); - -var msg3202 = msg("1650", dup265); - -var msg3203 = msg("1650:01", dup266); - -var select1541 = linear_select([ - msg3202, - msg3203, -]); - -var msg3204 = msg("1651", dup265); - -var msg3205 = msg("1651:01", dup266); - -var select1542 = linear_select([ - msg3204, - msg3205, -]); - -var msg3206 = msg("1652", dup265); - -var msg3207 = msg("1652:01", dup266); - -var select1543 = linear_select([ - msg3206, - msg3207, -]); - -var msg3208 = msg("1653", dup265); - -var msg3209 = msg("1653:01", dup266); - -var select1544 = linear_select([ - msg3208, - msg3209, -]); - -var msg3210 = msg("1654", dup265); - -var msg3211 = msg("1654:01", dup266); - -var select1545 = linear_select([ - msg3210, - msg3211, -]); - -var msg3212 = msg("1655", dup269); - -var msg3213 = msg("1655:01", dup270); - -var select1546 = linear_select([ - msg3212, - msg3213, -]); - -var msg3214 = msg("1656", dup265); - -var msg3215 = msg("1656:01", dup266); - -var select1547 = linear_select([ - msg3214, - msg3215, -]); - -var msg3216 = msg("1657", dup265); - -var msg3217 = msg("1657:01", dup266); - -var select1548 = linear_select([ - msg3216, - msg3217, -]); - -var msg3218 = msg("1658", dup265); - -var msg3219 = 
msg("1658:01", dup266); - -var select1549 = linear_select([ - msg3218, - msg3219, -]); - -var msg3220 = msg("1659", dup265); - -var msg3221 = msg("1659:01", dup266); - -var select1550 = linear_select([ - msg3220, - msg3221, -]); - -var msg3222 = msg("1660", dup265); - -var msg3223 = msg("1660:01", dup266); - -var select1551 = linear_select([ - msg3222, - msg3223, -]); - -var msg3224 = msg("1661", dup265); - -var msg3225 = msg("1661:01", dup266); - -var select1552 = linear_select([ - msg3224, - msg3225, -]); - -var msg3226 = msg("1662", dup265); - -var msg3227 = msg("1662:01", dup266); - -var select1553 = linear_select([ - msg3226, - msg3227, -]); - -var msg3228 = msg("1663", dup265); - -var msg3229 = msg("1663:01", dup266); - -var select1554 = linear_select([ - msg3228, - msg3229, -]); - -var msg3230 = msg("1664", dup265); - -var msg3231 = msg("1664:01", dup266); - -var select1555 = linear_select([ - msg3230, - msg3231, -]); - -var msg3232 = msg("1665", dup265); - -var msg3233 = msg("1665:01", dup266); - -var select1556 = linear_select([ - msg3232, - msg3233, -]); - -var msg3234 = msg("1666", dup196); - -var msg3235 = msg("1666:01", dup217); - -var select1557 = linear_select([ - msg3234, - msg3235, -]); - -var msg3236 = msg("1667", dup265); - -var msg3237 = msg("1667:01", dup266); - -var select1558 = linear_select([ - msg3236, - msg3237, -]); - -var msg3238 = msg("1668", dup265); - -var msg3239 = msg("1668:01", dup266); - -var select1559 = linear_select([ - msg3238, - msg3239, -]); - -var msg3240 = msg("1669", dup198); - -var msg3241 = msg("1669:01", dup220); - -var select1560 = linear_select([ - msg3240, - msg3241, -]); - -var msg3242 = msg("1670", dup265); - -var msg3243 = msg("1670:01", dup266); - -var select1561 = linear_select([ - msg3242, - msg3243, -]); - -var msg3244 = msg("1671", dup265); - -var msg3245 = msg("1671:01", dup266); - -var select1562 = linear_select([ - msg3244, - msg3245, -]); - -var msg3246 = msg("1672", dup227); - -var msg3247 = 
msg("1672:01", dup228); - -var select1563 = linear_select([ - msg3246, - msg3247, -]); - -var msg3248 = msg("1673", dup196); - -var msg3249 = msg("1673:01", dup217); - -var select1564 = linear_select([ - msg3248, - msg3249, -]); - -var msg3250 = msg("1674", dup196); - -var msg3251 = msg("1674:01", dup217); - -var select1565 = linear_select([ - msg3250, - msg3251, -]); - -var msg3252 = msg("1675", dup196); - -var msg3253 = msg("1675:01", dup217); - -var select1566 = linear_select([ - msg3252, - msg3253, -]); - -var msg3254 = msg("1676", dup196); - -var msg3255 = msg("1676:01", dup217); - -var select1567 = linear_select([ - msg3254, - msg3255, -]); - -var msg3256 = msg("1677", dup196); - -var msg3257 = msg("1677:01", dup217); - -var select1568 = linear_select([ - msg3256, - msg3257, -]); - -var msg3258 = msg("1678", dup196); - -var msg3259 = msg("1678:01", dup217); - -var select1569 = linear_select([ - msg3258, - msg3259, -]); - -var msg3260 = msg("1679", dup196); - -var msg3261 = msg("1679:01", dup217); - -var select1570 = linear_select([ - msg3260, - msg3261, -]); - -var msg3262 = msg("1680", dup196); - -var msg3263 = msg("1680:01", dup217); - -var select1571 = linear_select([ - msg3262, - msg3263, -]); - -var msg3264 = msg("1681", dup196); - -var msg3265 = msg("1681:01", dup217); - -var select1572 = linear_select([ - msg3264, - msg3265, -]); - -var msg3266 = msg("1682", dup196); - -var msg3267 = msg("1682:01", dup217); - -var select1573 = linear_select([ - msg3266, - msg3267, -]); - -var msg3268 = msg("1683", dup196); - -var msg3269 = msg("1683:01", dup217); - -var select1574 = linear_select([ - msg3268, - msg3269, -]); - -var msg3270 = msg("1684", dup196); - -var msg3271 = msg("1684:01", dup217); - -var select1575 = linear_select([ - msg3270, - msg3271, -]); - -var msg3272 = msg("1685", dup196); - -var msg3273 = msg("1685:01", dup217); - -var select1576 = linear_select([ - msg3272, - msg3273, -]); - -var msg3274 = msg("1686", dup196); - -var msg3275 = 
msg("1686:01", dup217); - -var select1577 = linear_select([ - msg3274, - msg3275, -]); - -var msg3276 = msg("1687", dup196); - -var msg3277 = msg("1687:01", dup217); - -var select1578 = linear_select([ - msg3276, - msg3277, -]); - -var msg3278 = msg("1688", dup196); - -var msg3279 = msg("1688:01", dup217); - -var select1579 = linear_select([ - msg3278, - msg3279, -]); - -var msg3280 = msg("1689", dup196); - -var msg3281 = msg("1689:01", dup217); - -var select1580 = linear_select([ - msg3280, - msg3281, -]); - -var msg3282 = msg("1690", dup196); - -var msg3283 = msg("1690:01", dup217); - -var select1581 = linear_select([ - msg3282, - msg3283, -]); - -var msg3284 = msg("1691", dup196); - -var msg3285 = msg("1691:01", dup217); - -var select1582 = linear_select([ - msg3284, - msg3285, -]); - -var msg3286 = msg("1692", dup196); - -var msg3287 = msg("1692:01", dup217); - -var select1583 = linear_select([ - msg3286, - msg3287, -]); - -var msg3288 = msg("1693", dup196); - -var msg3289 = msg("1693:01", dup217); - -var select1584 = linear_select([ - msg3288, - msg3289, -]); - -var msg3290 = msg("1694", dup196); - -var msg3291 = msg("1694:01", dup217); - -var select1585 = linear_select([ - msg3290, - msg3291, -]); - -var msg3292 = msg("1695", dup196); - -var msg3293 = msg("1695:01", dup217); - -var select1586 = linear_select([ - msg3292, - msg3293, -]); - -var msg3294 = msg("1696", dup196); - -var msg3295 = msg("1696:01", dup217); - -var select1587 = linear_select([ - msg3294, - msg3295, -]); - -var msg3296 = msg("1697", dup196); - -var msg3297 = msg("1697:01", dup217); - -var select1588 = linear_select([ - msg3296, - msg3297, -]); - -var msg3298 = msg("1698", dup196); - -var msg3299 = msg("1698:01", dup217); - -var select1589 = linear_select([ - msg3298, - msg3299, -]); - -var msg3300 = msg("1699", dup196); - -var msg3301 = msg("1699:01", dup217); - -var select1590 = linear_select([ - msg3300, - msg3301, -]); - -var msg3302 = msg("1700", dup265); - -var msg3303 = 
msg("1700:01", dup266); - -var select1591 = linear_select([ - msg3302, - msg3303, -]); - -var msg3304 = msg("1701", dup265); - -var msg3305 = msg("1701:01", dup266); - -var select1592 = linear_select([ - msg3304, - msg3305, -]); - -var msg3306 = msg("1702", dup265); - -var msg3307 = msg("1702:01", dup266); - -var select1593 = linear_select([ - msg3306, - msg3307, -]); - -var msg3308 = msg("1703", dup265); - -var msg3309 = msg("1703:01", dup266); - -var select1594 = linear_select([ - msg3308, - msg3309, -]); - -var msg3310 = msg("1704", dup265); - -var msg3311 = msg("1704:01", dup266); - -var select1595 = linear_select([ - msg3310, - msg3311, -]); - -var msg3312 = msg("1705", dup269); - -var msg3313 = msg("1705:01", dup270); - -var select1596 = linear_select([ - msg3312, - msg3313, -]); - -var msg3314 = msg("1706", dup265); - -var msg3315 = msg("1706:01", dup266); - -var select1597 = linear_select([ - msg3314, - msg3315, -]); - -var msg3316 = msg("1707", dup269); - -var msg3317 = msg("1707:01", dup270); - -var select1598 = linear_select([ - msg3316, - msg3317, -]); - -var msg3318 = msg("1708", dup265); - -var msg3319 = msg("1708:01", dup266); - -var select1599 = linear_select([ - msg3318, - msg3319, -]); - -var msg3320 = msg("1709", dup265); - -var msg3321 = msg("1709:01", dup266); - -var select1600 = linear_select([ - msg3320, - msg3321, -]); - -var msg3322 = msg("1710", dup265); - -var msg3323 = msg("1710:01", dup266); - -var select1601 = linear_select([ - msg3322, - msg3323, -]); - -var msg3324 = msg("1711", dup265); - -var msg3325 = msg("1711:01", dup266); - -var select1602 = linear_select([ - msg3324, - msg3325, -]); - -var msg3326 = msg("1712", dup265); - -var msg3327 = msg("1712:01", dup266); - -var select1603 = linear_select([ - msg3326, - msg3327, -]); - -var msg3328 = msg("1713", dup265); - -var msg3329 = msg("1713:01", dup266); - -var select1604 = linear_select([ - msg3328, - msg3329, -]); - -var msg3330 = msg("1714", dup265); - -var msg3331 = 
msg("1714:01", dup266); - -var select1605 = linear_select([ - msg3330, - msg3331, -]); - -var msg3332 = msg("1715", dup265); - -var msg3333 = msg("1715:01", dup266); - -var select1606 = linear_select([ - msg3332, - msg3333, -]); - -var msg3334 = msg("1716", dup265); - -var msg3335 = msg("1716:01", dup266); - -var select1607 = linear_select([ - msg3334, - msg3335, -]); - -var msg3336 = msg("1717", dup265); - -var msg3337 = msg("1717:01", dup266); - -var select1608 = linear_select([ - msg3336, - msg3337, -]); - -var msg3338 = msg("1718", dup265); - -var msg3339 = msg("1718:01", dup266); - -var select1609 = linear_select([ - msg3338, - msg3339, -]); - -var msg3340 = msg("1719", dup265); - -var msg3341 = msg("1719:01", dup266); - -var select1610 = linear_select([ - msg3340, - msg3341, -]); - -var msg3342 = msg("1720", dup265); - -var msg3343 = msg("1720:01", dup266); - -var select1611 = linear_select([ - msg3342, - msg3343, -]); - -var msg3344 = msg("1721", dup265); - -var msg3345 = msg("1721:01", dup266); - -var select1612 = linear_select([ - msg3344, - msg3345, -]); - -var msg3346 = msg("1722", dup265); - -var msg3347 = msg("1722:01", dup266); - -var select1613 = linear_select([ - msg3346, - msg3347, -]); - -var msg3348 = msg("1723", dup265); - -var msg3349 = msg("1723:01", dup266); - -var select1614 = linear_select([ - msg3348, - msg3349, -]); - -var msg3350 = msg("1724", dup265); - -var msg3351 = msg("1724:01", dup266); - -var select1615 = linear_select([ - msg3350, - msg3351, -]); - -var msg3352 = msg("1725", dup265); - -var msg3353 = msg("1725:01", dup266); - -var select1616 = linear_select([ - msg3352, - msg3353, -]); - -var msg3354 = msg("1726", dup265); - -var msg3355 = msg("1726:01", dup266); - -var select1617 = linear_select([ - msg3354, - msg3355, -]); - -var msg3356 = msg("1727", dup265); - -var msg3357 = msg("1727:01", dup266); - -var select1618 = linear_select([ - msg3356, - msg3357, -]); - -var msg3358 = msg("1728", dup227); - -var msg3359 = 
msg("1728:01", dup228); - -var select1619 = linear_select([ - msg3358, - msg3359, -]); - -var msg3360 = msg("1729", dup196); - -var msg3361 = msg("1729:01", dup217); - -var select1620 = linear_select([ - msg3360, - msg3361, -]); - -var msg3362 = msg("1730", dup265); - -var msg3363 = msg("1730:01", dup266); - -var select1621 = linear_select([ - msg3362, - msg3363, -]); - -var msg3364 = msg("1731", dup265); - -var msg3365 = msg("1731:01", dup266); - -var select1622 = linear_select([ - msg3364, - msg3365, -]); - -var msg3366 = msg("1732", dup255); - -var msg3367 = msg("1732:01", dup256); - -var select1623 = linear_select([ - msg3366, - msg3367, -]); - -var msg3368 = msg("1733", dup258); - -var msg3369 = msg("1733:01", dup259); - -var select1624 = linear_select([ - msg3368, - msg3369, -]); - -var msg3370 = msg("1734", dup222); - -var msg3371 = msg("1734:01", dup223); - -var select1625 = linear_select([ - msg3370, - msg3371, -]); - -var msg3372 = msg("1735", dup265); - -var msg3373 = msg("1735:01", dup266); - -var select1626 = linear_select([ - msg3372, - msg3373, -]); - -var msg3374 = msg("1736", dup265); - -var msg3375 = msg("1736:01", dup266); - -var select1627 = linear_select([ - msg3374, - msg3375, -]); - -var msg3376 = msg("1737", dup265); - -var msg3377 = msg("1737:01", dup266); - -var select1628 = linear_select([ - msg3376, - msg3377, -]); - -var msg3378 = msg("1738", dup265); - -var msg3379 = msg("1738:01", dup266); - -var select1629 = linear_select([ - msg3378, - msg3379, -]); - -var msg3380 = msg("1739", dup285); - -var msg3381 = msg("1739:01", dup286); - -var select1630 = linear_select([ - msg3380, - msg3381, -]); - -var msg3382 = msg("1740", dup285); - -var msg3383 = msg("1740:01", dup286); - -var select1631 = linear_select([ - msg3382, - msg3383, -]); - -var msg3384 = msg("1741", dup265); - -var msg3385 = msg("1741:01", dup266); - -var select1632 = linear_select([ - msg3384, - msg3385, -]); - -var msg3386 = msg("1742", dup198); - -var msg3387 = 
msg("1742:01", dup220); - -var select1633 = linear_select([ - msg3386, - msg3387, -]); - -var msg3388 = msg("1743", dup198); - -var msg3389 = msg("1743:01", dup220); - -var select1634 = linear_select([ - msg3388, - msg3389, -]); - -var msg3390 = msg("1744", dup285); - -var msg3391 = msg("1744:01", dup286); - -var select1635 = linear_select([ - msg3390, - msg3391, -]); - -var msg3392 = msg("1745", dup265); - -var msg3393 = msg("1745:01", dup266); - -var select1636 = linear_select([ - msg3392, - msg3393, -]); - -var msg3394 = msg("1746", dup255); - -var msg3395 = msg("1746:01", dup256); - -var select1637 = linear_select([ - msg3394, - msg3395, -]); - -var msg3396 = msg("1747", dup258); - -var msg3397 = msg("1747:01", dup259); - -var select1638 = linear_select([ - msg3396, - msg3397, -]); - -var msg3398 = msg("1748", dup222); - -var msg3399 = msg("1748:01", dup223); - -var select1639 = linear_select([ - msg3398, - msg3399, -]); - -var msg3400 = msg("1749", dup265); - -var msg3401 = msg("1749:01", dup266); - -var select1640 = linear_select([ - msg3400, - msg3401, -]); - -var msg3402 = msg("1750", dup265); - -var msg3403 = msg("1750:01", dup266); - -var select1641 = linear_select([ - msg3402, - msg3403, -]); - -var msg3404 = msg("1751", dup222); - -var msg3405 = msg("1751:01", dup223); - -var select1642 = linear_select([ - msg3404, - msg3405, -]); - -var msg3406 = msg("1752", dup196); - -var msg3407 = msg("1752:01", dup217); - -var select1643 = linear_select([ - msg3406, - msg3407, -]); - -var msg3408 = msg("1753", dup265); - -var msg3409 = msg("1753:01", dup266); - -var select1644 = linear_select([ - msg3408, - msg3409, -]); - -var msg3410 = msg("1754", dup265); - -var msg3411 = msg("1754:01", dup266); - -var select1645 = linear_select([ - msg3410, - msg3411, -]); - -var msg3412 = msg("1755", dup222); - -var msg3413 = msg("1755:01", dup223); - -var select1646 = linear_select([ - msg3412, - msg3413, -]); - -var msg3414 = msg("1756", dup265); - -var msg3415 = 
msg("1756:01", dup266); - -var select1647 = linear_select([ - msg3414, - msg3415, -]); - -var msg3416 = msg("1757", dup269); - -var msg3417 = msg("1757:01", dup270); - -var select1648 = linear_select([ - msg3416, - msg3417, -]); - -var msg3418 = msg("1758", dup265); - -var msg3419 = msg("1758:01", dup266); - -var select1649 = linear_select([ - msg3418, - msg3419, -]); - -var msg3420 = msg("1759", dup260); - -var msg3421 = msg("1759:01", dup261); - -var select1650 = linear_select([ - msg3420, - msg3421, -]); - -var msg3422 = msg("1760", dup196); - -var msg3423 = msg("1760:01", dup217); - -var select1651 = linear_select([ - msg3422, - msg3423, -]); - -var msg3424 = msg("1761", dup196); - -var msg3425 = msg("1761:01", dup217); - -var select1652 = linear_select([ - msg3424, - msg3425, -]); - -var msg3426 = msg("1762", dup269); - -var msg3427 = msg("1762:01", dup270); - -var select1653 = linear_select([ - msg3426, - msg3427, -]); - -var msg3428 = msg("1763", dup198); - -var msg3429 = msg("1763:01", dup220); - -var select1654 = linear_select([ - msg3428, - msg3429, -]); - -var msg3430 = msg("1764", dup198); - -var msg3431 = msg("1764:01", dup220); - -var select1655 = linear_select([ - msg3430, - msg3431, -]); - -var msg3432 = msg("1765", dup265); - -var msg3433 = msg("1765:01", dup266); - -var select1656 = linear_select([ - msg3432, - msg3433, -]); - -var msg3434 = msg("1766", dup265); - -var msg3435 = msg("1766:01", dup266); - -var select1657 = linear_select([ - msg3434, - msg3435, -]); - -var msg3436 = msg("1767", dup265); - -var msg3437 = msg("1767:01", dup266); - -var select1658 = linear_select([ - msg3436, - msg3437, -]); - -var msg3438 = msg("1768", dup267); - -var msg3439 = msg("1768:01", dup268); - -var select1659 = linear_select([ - msg3438, - msg3439, -]); - -var msg3440 = msg("1769", dup265); - -var msg3441 = msg("1769:01", dup266); - -var select1660 = linear_select([ - msg3440, - msg3441, -]); - -var msg3442 = msg("1770", dup265); - -var msg3443 = 
msg("1770:01", dup266); - -var select1661 = linear_select([ - msg3442, - msg3443, -]); - -var msg3444 = msg("1771", dup287); - -var msg3445 = msg("1771:01", dup288); - -var select1662 = linear_select([ - msg3444, - msg3445, -]); - -var msg3446 = msg("1772", dup265); - -var msg3447 = msg("1772:01", dup266); - -var select1663 = linear_select([ - msg3446, - msg3447, -]); - -var msg3448 = msg("1773", dup265); - -var msg3449 = msg("1773:01", dup266); - -var select1664 = linear_select([ - msg3448, - msg3449, -]); - -var msg3450 = msg("1774", dup265); - -var msg3451 = msg("1774:01", dup266); - -var select1665 = linear_select([ - msg3450, - msg3451, -]); - -var msg3452 = msg("1775", dup240); - -var msg3453 = msg("1775:01", dup241); - -var select1666 = linear_select([ - msg3452, - msg3453, -]); - -var msg3454 = msg("1776", dup240); - -var msg3455 = msg("1776:01", dup241); - -var select1667 = linear_select([ - msg3454, - msg3455, -]); - -var msg3456 = msg("1777", dup198); - -var msg3457 = msg("1777:01", dup220); - -var select1668 = linear_select([ - msg3456, - msg3457, -]); - -var msg3458 = msg("1778", dup198); - -var msg3459 = msg("1778:01", dup220); - -var select1669 = linear_select([ - msg3458, - msg3459, -]); - -var msg3460 = msg("1779", dup227); - -var msg3461 = msg("1779:01", dup228); - -var select1670 = linear_select([ - msg3460, - msg3461, -]); - -var msg3462 = msg("1780", dup222); - -var msg3463 = msg("1780:01", dup223); - -var select1671 = linear_select([ - msg3462, - msg3463, -]); - -var msg3464 = msg("1781", dup281); - -var msg3465 = msg("1781:01", dup282); - -var select1672 = linear_select([ - msg3464, - msg3465, -]); - -var msg3466 = msg("1782", dup281); - -var msg3467 = msg("1782:01", dup282); - -var select1673 = linear_select([ - msg3466, - msg3467, -]); - -var msg3468 = msg("1783", dup281); - -var msg3469 = msg("1783:01", dup282); - -var select1674 = linear_select([ - msg3468, - msg3469, -]); - -var msg3470 = msg("1784", dup281); - -var msg3471 = 
msg("1784:01", dup282); - -var select1675 = linear_select([ - msg3470, - msg3471, -]); - -var msg3472 = msg("1785", dup281); - -var msg3473 = msg("1785:01", dup282); - -var select1676 = linear_select([ - msg3472, - msg3473, -]); - -var msg3474 = msg("1786", dup281); - -var msg3475 = msg("1786:01", dup282); - -var select1677 = linear_select([ - msg3474, - msg3475, -]); - -var msg3476 = msg("1787", dup265); - -var msg3477 = msg("1787:01", dup266); - -var select1678 = linear_select([ - msg3476, - msg3477, -]); - -var msg3478 = msg("1788", dup265); - -var msg3479 = msg("1788:01", dup266); - -var select1679 = linear_select([ - msg3478, - msg3479, -]); - -var msg3480 = msg("1789", dup196); - -var msg3481 = msg("1789:01", dup217); - -var select1680 = linear_select([ - msg3480, - msg3481, -]); - -var msg3482 = msg("1790", dup196); - -var msg3483 = msg("1790:01", dup217); - -var select1681 = linear_select([ - msg3482, - msg3483, -]); - -var msg3484 = msg("1791", dup192); - -var msg3485 = msg("1791:01", dup262); - -var select1682 = linear_select([ - msg3484, - msg3485, -]); - -var msg3486 = msg("1792", dup222); - -var msg3487 = msg("1792:01", dup223); - -var select1683 = linear_select([ - msg3486, - msg3487, -]); - -var msg3488 = msg("1793", dup281); - -var msg3489 = msg("1793:01", dup282); - -var select1684 = linear_select([ - msg3488, - msg3489, -]); - -var msg3490 = msg("1794", dup281); - -var msg3491 = msg("1794:01", dup282); - -var select1685 = linear_select([ - msg3490, - msg3491, -]); - -var msg3492 = msg("1795", dup281); - -var msg3493 = msg("1795:01", dup282); - -var select1686 = linear_select([ - msg3492, - msg3493, -]); - -var msg3494 = msg("1796", dup281); - -var msg3495 = msg("1796:01", dup282); - -var select1687 = linear_select([ - msg3494, - msg3495, -]); - -var msg3496 = msg("1797", dup281); - -var msg3497 = msg("1797:01", dup282); - -var select1688 = linear_select([ - msg3496, - msg3497, -]); - -var msg3498 = msg("1798", dup281); - -var msg3499 = 
msg("1798:01", dup282); - -var select1689 = linear_select([ - msg3498, - msg3499, -]); - -var msg3500 = msg("1799", dup281); - -var msg3501 = msg("1799:01", dup282); - -var select1690 = linear_select([ - msg3500, - msg3501, -]); - -var msg3502 = msg("1800", dup263); - -var msg3503 = msg("1800:01", dup264); - -var select1691 = linear_select([ - msg3502, - msg3503, -]); - -var msg3504 = msg("1801", dup267); - -var msg3505 = msg("1801:01", dup268); - -var select1692 = linear_select([ - msg3504, - msg3505, -]); - -var msg3506 = msg("1802", dup267); - -var msg3507 = msg("1802:01", dup268); - -var select1693 = linear_select([ - msg3506, - msg3507, -]); - -var msg3508 = msg("1803", dup267); - -var msg3509 = msg("1803:01", dup268); - -var select1694 = linear_select([ - msg3508, - msg3509, -]); - -var msg3510 = msg("1804", dup267); - -var msg3511 = msg("1804:01", dup268); - -var select1695 = linear_select([ - msg3510, - msg3511, -]); - -var msg3512 = msg("1805", dup265); - -var msg3513 = msg("1805:01", dup266); - -var select1696 = linear_select([ - msg3512, - msg3513, -]); - -var msg3514 = msg("1806", dup196); - -var msg3515 = msg("1806:01", dup217); - -var select1697 = linear_select([ - msg3514, - msg3515, -]); - -var msg3516 = msg("1807", dup265); - -var msg3517 = msg("1807:01", dup266); - -var select1698 = linear_select([ - msg3516, - msg3517, -]); - -var msg3518 = msg("1808", dup267); - -var msg3519 = msg("1808:01", dup268); - -var select1699 = linear_select([ - msg3518, - msg3519, -]); - -var msg3520 = msg("1809", dup238); - -var msg3521 = msg("1809:01", dup239); - -var select1700 = linear_select([ - msg3520, - msg3521, -]); - -var msg3522 = msg("1810", dup196); - -var msg3523 = msg("1810:01", dup217); - -var select1701 = linear_select([ - msg3522, - msg3523, -]); - -var msg3524 = msg("1811", dup196); - -var msg3525 = msg("1811:01", dup217); - -var select1702 = linear_select([ - msg3524, - msg3525, -]); - -var msg3526 = msg("1812", dup196); - -var msg3527 = 
msg("1812:01", dup217); - -var select1703 = linear_select([ - msg3526, - msg3527, -]); - -var msg3528 = msg("1813", dup232); - -var msg3529 = msg("1813:01", dup231); - -var select1704 = linear_select([ - msg3528, - msg3529, -]); - -var msg3530 = msg("1814", dup198); - -var msg3531 = msg("1814:01", dup220); - -var select1705 = linear_select([ - msg3530, - msg3531, -]); - -var msg3532 = msg("1815", dup265); - -var msg3533 = msg("1815:01", dup266); - -var select1706 = linear_select([ - msg3532, - msg3533, -]); - -var msg3534 = msg("1816", dup265); - -var msg3535 = msg("1816:01", dup266); - -var select1707 = linear_select([ - msg3534, - msg3535, -]); - -var msg3536 = msg("1817", dup265); - -var msg3537 = msg("1817:01", dup266); - -var select1708 = linear_select([ - msg3536, - msg3537, -]); - -var msg3538 = msg("1818", dup265); - -var msg3539 = msg("1818:01", dup266); - -var select1709 = linear_select([ - msg3538, - msg3539, -]); - -var msg3540 = msg("1819", dup196); - -var msg3541 = msg("1819:01", dup217); - -var select1710 = linear_select([ - msg3540, - msg3541, -]); - -var msg3542 = msg("1820", dup265); - -var msg3543 = msg("1820:01", dup266); - -var select1711 = linear_select([ - msg3542, - msg3543, -]); - -var msg3544 = msg("1821", dup201); - -var msg3545 = msg("1821:01", dup289); - -var select1712 = linear_select([ - msg3544, - msg3545, -]); - -var msg3546 = msg("1822", dup265); - -var msg3547 = msg("1822:01", dup266); - -var select1713 = linear_select([ - msg3546, - msg3547, -]); - -var msg3548 = msg("1823", dup265); - -var msg3549 = msg("1823:01", dup266); - -var select1714 = linear_select([ - msg3548, - msg3549, -]); - -var msg3550 = msg("1824", dup265); - -var msg3551 = msg("1824:01", dup266); - -var select1715 = linear_select([ - msg3550, - msg3551, -]); - -var msg3552 = msg("1825", dup265); - -var msg3553 = msg("1825:01", dup266); - -var select1716 = linear_select([ - msg3552, - msg3553, -]); - -var msg3554 = msg("1826", dup265); - -var msg3555 = 
msg("1826:01", dup266); - -var select1717 = linear_select([ - msg3554, - msg3555, -]); - -var msg3556 = msg("1827", dup265); - -var msg3557 = msg("1827:01", dup266); - -var select1718 = linear_select([ - msg3556, - msg3557, -]); - -var msg3558 = msg("1828", dup265); - -var msg3559 = msg("1828:01", dup266); - -var select1719 = linear_select([ - msg3558, - msg3559, -]); - -var msg3560 = msg("1829", dup265); - -var msg3561 = msg("1829:01", dup266); - -var select1720 = linear_select([ - msg3560, - msg3561, -]); - -var msg3562 = msg("1830", dup265); - -var msg3563 = msg("1830:01", dup266); - -var select1721 = linear_select([ - msg3562, - msg3563, -]); - -var msg3564 = msg("1831", dup198); - -var msg3565 = msg("1831:01", dup220); - -var select1722 = linear_select([ - msg3564, - msg3565, -]); - -var msg3566 = msg("1832", dup196); - -var msg3567 = msg("1832:01", dup217); - -var select1723 = linear_select([ - msg3566, - msg3567, -]); - -var msg3568 = msg("1833", dup281); - -var msg3569 = msg("1833:01", dup282); - -var select1724 = linear_select([ - msg3568, - msg3569, -]); - -var msg3570 = msg("1834", dup265); - -var msg3571 = msg("1834:01", dup266); - -var select1725 = linear_select([ - msg3570, - msg3571, -]); - -var msg3572 = msg("1835", dup265); - -var msg3573 = msg("1835:01", dup266); - -var select1726 = linear_select([ - msg3572, - msg3573, -]); - -var msg3574 = msg("1836", dup281); - -var msg3575 = msg("1836:01", dup282); - -var select1727 = linear_select([ - msg3574, - msg3575, -]); - -var msg3576 = msg("1837", dup281); - -var msg3577 = msg("1837:01", dup282); - -var select1728 = linear_select([ - msg3576, - msg3577, -]); - -var msg3578 = msg("1838", dup197); - -var msg3579 = msg("1838:01", dup221); - -var select1729 = linear_select([ - msg3578, - msg3579, -]); - -var msg3580 = msg("1839", dup265); - -var msg3581 = msg("1839:01", dup266); - -var select1730 = linear_select([ - msg3580, - msg3581, -]); - -var msg3582 = msg("1840", dup265); - -var msg3583 = 
msg("1840:01", dup266); - -var select1731 = linear_select([ - msg3582, - msg3583, -]); - -var msg3584 = msg("1841", dup265); - -var msg3585 = msg("1841:01", dup266); - -var select1732 = linear_select([ - msg3584, - msg3585, -]); - -var msg3586 = msg("1842", dup222); - -var msg3587 = msg("1842:01", dup223); - -var select1733 = linear_select([ - msg3586, - msg3587, -]); - -var msg3588 = msg("1843", dup205); - -var msg3589 = msg("1843:01", dup206); - -var select1734 = linear_select([ - msg3588, - msg3589, -]); - -var msg3590 = msg("1844", dup222); - -var msg3591 = msg("1844:01", dup223); - -var select1735 = linear_select([ - msg3590, - msg3591, -]); - -var msg3592 = msg("1845", dup222); - -var msg3593 = msg("1845:01", dup223); - -var select1736 = linear_select([ - msg3592, - msg3593, -]); - -var msg3594 = msg("1846", dup196); - -var msg3595 = msg("1846:01", dup217); - -var select1737 = linear_select([ - msg3594, - msg3595, -]); - -var msg3596 = msg("1847", dup265); - -var msg3597 = msg("1847:01", dup266); - -var select1738 = linear_select([ - msg3596, - msg3597, -]); - -var msg3598 = msg("1848", dup265); - -var msg3599 = msg("1848:01", dup266); - -var select1739 = linear_select([ - msg3598, - msg3599, -]); - -var msg3600 = msg("1849", dup265); - -var msg3601 = msg("1849:01", dup266); - -var select1740 = linear_select([ - msg3600, - msg3601, -]); - -var msg3602 = msg("1850", dup197); - -var msg3603 = msg("1850:01", dup221); - -var select1741 = linear_select([ - msg3602, - msg3603, -]); - -var msg3604 = msg("1851", dup265); - -var msg3605 = msg("1851:01", dup266); - -var select1742 = linear_select([ - msg3604, - msg3605, -]); - -var msg3606 = msg("1852", dup265); - -var msg3607 = msg("1852:01", dup266); - -var select1743 = linear_select([ - msg3606, - msg3607, -]); - -var msg3608 = msg("1853", dup205); - -var msg3609 = msg("1853:01", dup206); - -var select1744 = linear_select([ - msg3608, - msg3609, -]); - -var msg3610 = msg("1854", dup215); - -var msg3611 = 
msg("1854:01", dup216); - -var select1745 = linear_select([ - msg3610, - msg3611, -]); - -var msg3612 = msg("1855", dup215); - -var msg3613 = msg("1855:01", dup216); - -var select1746 = linear_select([ - msg3612, - msg3613, -]); - -var msg3614 = msg("1856", dup215); - -var msg3615 = msg("1856:01", dup216); - -var select1747 = linear_select([ - msg3614, - msg3615, -]); - -var msg3616 = msg("1857", dup265); - -var msg3617 = msg("1857:01", dup266); - -var select1748 = linear_select([ - msg3616, - msg3617, -]); - -var msg3618 = msg("1858", dup265); - -var msg3619 = msg("1858:01", dup266); - -var select1749 = linear_select([ - msg3618, - msg3619, -]); - -var msg3620 = msg("1859", dup265); - -var msg3621 = msg("1859:01", dup266); - -var select1750 = linear_select([ - msg3620, - msg3621, -]); - -var msg3622 = msg("1860", dup265); - -var msg3623 = msg("1860:01", dup266); - -var select1751 = linear_select([ - msg3622, - msg3623, -]); - -var msg3624 = msg("1861", dup265); - -var msg3625 = msg("1861:01", dup266); - -var select1752 = linear_select([ - msg3624, - msg3625, -]); - -var msg3626 = msg("1862", dup265); - -var msg3627 = msg("1862:01", dup266); - -var select1753 = linear_select([ - msg3626, - msg3627, -]); - -var msg3628 = msg("1863", dup267); - -var msg3629 = msg("1863:01", dup268); - -var select1754 = linear_select([ - msg3628, - msg3629, -]); - -var msg3630 = msg("1864", dup227); - -var msg3631 = msg("1864:01", dup228); - -var select1755 = linear_select([ - msg3630, - msg3631, -]); - -var msg3632 = msg("1865", dup265); - -var msg3633 = msg("1865:01", dup266); - -var select1756 = linear_select([ - msg3632, - msg3633, -]); - -var msg3634 = msg("1866", dup222); - -var msg3635 = msg("1866:01", dup223); - -var select1757 = linear_select([ - msg3634, - msg3635, -]); - -var msg3636 = msg("1867", dup196); - -var msg3637 = msg("1867:01", dup217); - -var select1758 = linear_select([ - msg3636, - msg3637, -]); - -var msg3638 = msg("1868", dup265); - -var msg3639 = msg("1869", 
dup265); - -var msg3640 = msg("1870", dup265); - -var msg3641 = msg("1870:01", dup266); - -var select1759 = linear_select([ - msg3640, - msg3641, -]); - -var msg3642 = msg("1871", dup240); - -var msg3643 = msg("1871:01", dup241); - -var select1760 = linear_select([ - msg3642, - msg3643, -]); - -var msg3644 = msg("1872", dup265); - -var msg3645 = msg("1872:01", dup266); - -var select1761 = linear_select([ - msg3644, - msg3645, -]); - -var msg3646 = msg("1873", dup265); - -var msg3647 = msg("1873:01", dup266); - -var select1762 = linear_select([ - msg3646, - msg3647, -]); - -var msg3648 = msg("1874", dup265); - -var msg3649 = msg("1874:01", dup266); - -var select1763 = linear_select([ - msg3648, - msg3649, -]); - -var msg3650 = msg("1875", dup265); - -var msg3651 = msg("1875:01", dup266); - -var select1764 = linear_select([ - msg3650, - msg3651, -]); - -var msg3652 = msg("1876", dup265); - -var msg3653 = msg("1876:01", dup266); - -var select1765 = linear_select([ - msg3652, - msg3653, -]); - -var msg3654 = msg("1877", dup265); - -var msg3655 = msg("1877:01", dup266); - -var select1766 = linear_select([ - msg3654, - msg3655, -]); - -var msg3656 = msg("1878", dup265); - -var msg3657 = msg("1878:01", dup266); - -var select1767 = linear_select([ - msg3656, - msg3657, -]); - -var msg3658 = msg("1879", dup269); - -var msg3659 = msg("1879:01", dup270); - -var select1768 = linear_select([ - msg3658, - msg3659, -]); - -var msg3660 = msg("1880", dup265); - -var msg3661 = msg("1880:01", dup266); - -var select1769 = linear_select([ - msg3660, - msg3661, -]); - -var msg3662 = msg("1881", dup238); - -var msg3663 = msg("1881:01", dup239); - -var select1770 = linear_select([ - msg3662, - msg3663, -]); - -var msg3664 = msg("1882", dup196); - -var msg3665 = msg("1882:01", dup217); - -var select1771 = linear_select([ - msg3664, - msg3665, -]); - -var msg3666 = msg("1883", dup196); - -var msg3667 = msg("1883:01", dup217); - -var select1772 = linear_select([ - msg3666, - msg3667, -]); - 
-var msg3668 = msg("1884", dup196); - -var msg3669 = msg("1884:01", dup217); - -var select1773 = linear_select([ - msg3668, - msg3669, -]); - -var msg3670 = msg("1885", dup196); - -var msg3671 = msg("1885:01", dup217); - -var select1774 = linear_select([ - msg3670, - msg3671, -]); - -var msg3672 = msg("1886", dup196); - -var msg3673 = msg("1886:01", dup217); - -var select1775 = linear_select([ - msg3672, - msg3673, -]); - -var msg3674 = msg("1887", dup238); - -var msg3675 = msg("1887:01", dup239); - -var select1776 = linear_select([ - msg3674, - msg3675, -]); - -var msg3676 = msg("1888", dup222); - -var msg3677 = msg("1888:01", dup223); - -var select1777 = linear_select([ - msg3676, - msg3677, -]); - -var msg3678 = msg("1889", dup290); - -var all40 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup92, - dup31, - dup77, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var msg3679 = msg("1889:01", all40); - -var select1778 = linear_select([ - msg3678, - msg3679, -]); - -var msg3680 = msg("1890", dup208); - -var msg3681 = msg("1890:01", dup291); - -var select1779 = linear_select([ - msg3680, - msg3681, -]); - -var msg3682 = msg("1891", dup208); - -var msg3683 = msg("1891:01", dup291); - -var select1780 = linear_select([ - msg3682, - msg3683, -]); - -var msg3684 = msg("1892", dup292); - -var msg3685 = msg("1893", dup292); - -var all41 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup94, - dup31, - dup72, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var msg3686 = msg("1893:01", all41); - -var select1781 = linear_select([ - msg3685, - msg3686, -]); - -var msg3687 = msg("1894", dup293); - -var msg3688 = msg("1894:01", dup294); - -var select1782 = linear_select([ - msg3687, - msg3688, -]); - -var msg3689 = msg("1895", dup293); - -var msg3690 = msg("1895:01", 
dup294); - -var select1783 = linear_select([ - msg3689, - msg3690, -]); - -var msg3691 = msg("1896", dup293); - -var msg3692 = msg("1896:01", dup294); - -var select1784 = linear_select([ - msg3691, - msg3692, -]); - -var msg3693 = msg("1897", dup293); - -var msg3694 = msg("1897:01", dup294); - -var select1785 = linear_select([ - msg3693, - msg3694, -]); - -var msg3695 = msg("1898", dup293); - -var msg3696 = msg("1898:01", dup294); - -var select1786 = linear_select([ - msg3695, - msg3696, -]); - -var msg3697 = msg("1899", dup293); - -var msg3698 = msg("1899:01", dup294); - -var select1787 = linear_select([ - msg3697, - msg3698, -]); - -var msg3699 = msg("1900", dup293); - -var msg3700 = msg("1900:01", dup294); - -var select1788 = linear_select([ - msg3699, - msg3700, -]); - -var msg3701 = msg("1901", dup222); - -var msg3702 = msg("1901:01", dup223); - -var select1789 = linear_select([ - msg3701, - msg3702, -]); - -var msg3703 = msg("1902", dup222); - -var msg3704 = msg("1902:01", dup223); - -var select1790 = linear_select([ - msg3703, - msg3704, -]); - -var msg3705 = msg("1903", dup222); - -var msg3706 = msg("1903:01", dup223); - -var select1791 = linear_select([ - msg3705, - msg3706, -]); - -var msg3707 = msg("1904", dup222); - -var msg3708 = msg("1904:01", dup223); - -var select1792 = linear_select([ - msg3707, - msg3708, -]); - -var msg3709 = msg("1905", dup222); - -var msg3710 = msg("1905:01", dup223); - -var select1793 = linear_select([ - msg3709, - msg3710, -]); - -var msg3711 = msg("1906", dup201); - -var msg3712 = msg("1906:01", dup289); - -var select1794 = linear_select([ - msg3711, - msg3712, -]); - -var msg3713 = msg("1907", dup222); - -var msg3714 = msg("1907:01", dup217); - -var select1795 = linear_select([ - msg3713, - msg3714, -]); - -var msg3715 = msg("1908", dup201); - -var msg3716 = msg("1908:01", dup289); - -var select1796 = linear_select([ - msg3715, - msg3716, -]); - -var msg3717 = msg("1909", dup201); - -var msg3718 = msg("1909:01", dup289); - 
-var select1797 = linear_select([ - msg3717, - msg3718, -]); - -var msg3719 = msg("1910", dup222); - -var msg3720 = msg("1910:01", dup217); - -var select1798 = linear_select([ - msg3719, - msg3720, -]); - -var msg3721 = msg("1911", dup222); - -var msg3722 = msg("1911:01", dup223); - -var select1799 = linear_select([ - msg3721, - msg3722, -]); - -var msg3723 = msg("1912", dup201); - -var msg3724 = msg("1912:01", dup289); - -var select1800 = linear_select([ - msg3723, - msg3724, -]); - -var msg3725 = msg("1913", dup255); - -var msg3726 = msg("1913:01", dup217); - -var select1801 = linear_select([ - msg3725, - msg3726, -]); - -var msg3727 = msg("1914", dup201); - -var msg3728 = msg("1914:01", dup217); - -var select1802 = linear_select([ - msg3727, - msg3728, -]); - -var msg3729 = msg("1915", dup255); - -var msg3730 = msg("1915:01", dup217); - -var select1803 = linear_select([ - msg3729, - msg3730, -]); - -var msg3731 = msg("1916", dup201); - -var msg3732 = msg("1916:01", dup217); - -var select1804 = linear_select([ - msg3731, - msg3732, -]); - -var msg3733 = msg("1917", dup194); - -var msg3734 = msg("1917:01", dup217); - -var select1805 = linear_select([ - msg3733, - msg3734, -]); - -var msg3735 = msg("1918", dup234); - -var msg3736 = msg("1918:01", dup235); - -var select1806 = linear_select([ - msg3735, - msg3736, -]); - -var msg3737 = msg("1919", dup222); - -var msg3738 = msg("1919:01", dup223); - -var select1807 = linear_select([ - msg3737, - msg3738, -]); - -var msg3739 = msg("1920", dup222); - -var msg3740 = msg("1920:01", dup223); - -var select1808 = linear_select([ - msg3739, - msg3740, -]); - -var msg3741 = msg("1921", dup201); - -var msg3742 = msg("1921:01", dup289); - -var select1809 = linear_select([ - msg3741, - msg3742, -]); - -var msg3743 = msg("1922", dup255); - -var msg3744 = msg("1922:01", dup217); - -var select1810 = linear_select([ - msg3743, - msg3744, -]); - -var msg3745 = msg("1923", dup258); - -var all42 = all_match({ - processors: [ - dup75, - 
dup173, - dup174, - ], - on_success: processor_chain([ - dup85, - dup31, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var msg3746 = msg("1923:01", all42); - -var select1811 = linear_select([ - msg3745, - msg3746, -]); - -var msg3747 = msg("1924", dup255); - -var msg3748 = msg("1924:01", dup216); - -var select1812 = linear_select([ - msg3747, - msg3748, -]); - -var msg3749 = msg("1925", dup287); - -var msg3750 = msg("1925:01", dup288); - -var select1813 = linear_select([ - msg3749, - msg3750, -]); - -var msg3751 = msg("1926", dup255); - -var msg3752 = msg("1926:01", dup256); - -var select1814 = linear_select([ - msg3751, - msg3752, -]); - -var msg3753 = msg("1927", dup227); - -var msg3754 = msg("1927:01", dup216); - -var select1815 = linear_select([ - msg3753, - msg3754, -]); - -var msg3755 = msg("1928", dup227); - -var msg3756 = msg("1928:01", dup216); - -var select1816 = linear_select([ - msg3755, - msg3756, -]); - -var msg3757 = msg("1929", dup192); - -var msg3758 = msg("1929:01", dup216); - -var select1817 = linear_select([ - msg3757, - msg3758, -]); - -var msg3759 = msg("1930", dup222); - -var msg3760 = msg("1930:01", dup223); - -var select1818 = linear_select([ - msg3759, - msg3760, -]); - -var msg3761 = msg("1931", dup265); - -var msg3762 = msg("1931:01", dup266); - -var select1819 = linear_select([ - msg3761, - msg3762, -]); - -var msg3763 = msg("1932", dup265); - -var msg3764 = msg("1932:01", dup216); - -var select1820 = linear_select([ - msg3763, - msg3764, -]); - -var msg3765 = msg("1933", dup265); - -var msg3766 = msg("1933:01", dup266); - -var select1821 = linear_select([ - msg3765, - msg3766, -]); - -var msg3767 = msg("1934", dup222); - -var msg3768 = msg("1934:01", dup223); - -var select1822 = linear_select([ - msg3767, - msg3768, -]); - -var msg3769 = msg("1935", dup196); - -var msg3770 = msg("1935:01", dup217); - -var select1823 = linear_select([ - msg3769, - msg3770, -]); - -var 
msg3771 = msg("1936", dup222); - -var msg3772 = msg("1936:01", dup223); - -var select1824 = linear_select([ - msg3771, - msg3772, -]); - -var msg3773 = msg("1937", dup222); - -var msg3774 = msg("1937:01", dup219); - -var select1825 = linear_select([ - msg3773, - msg3774, -]); - -var msg3775 = msg("1938", dup222); - -var msg3776 = msg("1938:01", dup219); - -var select1826 = linear_select([ - msg3775, - msg3776, -]); - -var msg3777 = msg("1939", dup197); - -var msg3778 = msg("1939:01", dup219); - -var select1827 = linear_select([ - msg3777, - msg3778, -]); - -var msg3779 = msg("1940", dup196); - -var msg3780 = msg("1940:01", dup217); - -var select1828 = linear_select([ - msg3779, - msg3780, -]); - -var msg3781 = msg("1941", dup295); - -var msg3782 = msg("1941:01", dup296); - -var select1829 = linear_select([ - msg3781, - msg3782, -]); - -var msg3783 = msg("1942", dup222); - -var msg3784 = msg("1942:01", dup219); - -var select1830 = linear_select([ - msg3783, - msg3784, -]); - -var msg3785 = msg("1943", dup265); - -var msg3786 = msg("1943:01", dup266); - -var select1831 = linear_select([ - msg3785, - msg3786, -]); - -var msg3787 = msg("1944", dup265); - -var msg3788 = msg("1944:01", dup266); - -var select1832 = linear_select([ - msg3787, - msg3788, -]); - -var msg3789 = msg("1945", dup265); - -var msg3790 = msg("1945:01", dup266); - -var select1833 = linear_select([ - msg3789, - msg3790, -]); - -var msg3791 = msg("1946", dup265); - -var msg3792 = msg("1946:01", dup266); - -var select1834 = linear_select([ - msg3791, - msg3792, -]); - -var msg3793 = msg("1947", dup269); - -var msg3794 = msg("1947:01", dup270); - -var select1835 = linear_select([ - msg3793, - msg3794, -]); - -var msg3795 = msg("1948", dup196); - -var msg3796 = msg("1948:01", dup217); - -var select1836 = linear_select([ - msg3795, - msg3796, -]); - -var msg3797 = msg("1949", dup255); - -var msg3798 = msg("1949:01", dup220); - -var select1837 = linear_select([ - msg3797, - msg3798, -]); - -var msg3799 = 
msg("1950", dup258); - -var all43 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup64, - dup31, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var msg3800 = msg("1950:01", all43); - -var select1838 = linear_select([ - msg3799, - msg3800, -]); - -var msg3801 = msg("1951", dup287); - -var msg3802 = msg("1951:01", dup288); - -var select1839 = linear_select([ - msg3801, - msg3802, -]); - -var msg3803 = msg("1952", dup255); - -var msg3804 = msg("1952:01", dup266); - -var select1840 = linear_select([ - msg3803, - msg3804, -]); - -var msg3805 = msg("1953", dup287); - -var msg3806 = msg("1953:01", dup288); - -var select1841 = linear_select([ - msg3805, - msg3806, -]); - -var msg3807 = msg("1954", dup255); - -var msg3808 = msg("1954:01", dup256); - -var select1842 = linear_select([ - msg3807, - msg3808, -]); - -var msg3809 = msg("1955", dup287); - -var msg3810 = msg("1955:01", dup221); - -var select1843 = linear_select([ - msg3809, - msg3810, -]); - -var msg3811 = msg("1956", dup255); - -var msg3812 = msg("1956:01", dup217); - -var select1844 = linear_select([ - msg3811, - msg3812, -]); - -var msg3813 = msg("1957", dup258); - -var msg3814 = msg("1957:01", dup259); - -var select1845 = linear_select([ - msg3813, - msg3814, -]); - -var msg3815 = msg("1958", dup255); - -var msg3816 = msg("1958:01", dup256); - -var select1846 = linear_select([ - msg3815, - msg3816, -]); - -var msg3817 = msg("1959", dup280); - -var msg3818 = msg("1959:01", dup245); - -var select1847 = linear_select([ - msg3817, - msg3818, -]); - -var msg3819 = msg("1960", dup257); - -var msg3820 = msg("1960:01", dup221); - -var select1848 = linear_select([ - msg3819, - msg3820, -]); - -var msg3821 = msg("1961", dup258); - -var all44 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup88, - dup31, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, 
- dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var msg3822 = msg("1961:01", all44); - -var select1849 = linear_select([ - msg3821, - msg3822, -]); - -var msg3823 = msg("1962", dup255); - -var msg3824 = msg("1962:01", dup226); - -var select1850 = linear_select([ - msg3823, - msg3824, -]); - -var msg3825 = msg("1963", dup222); - -var msg3826 = msg("1963:01", dup223); - -var select1851 = linear_select([ - msg3825, - msg3826, -]); - -var msg3827 = msg("1964", dup222); - -var msg3828 = msg("1964:01", dup223); - -var select1852 = linear_select([ - msg3827, - msg3828, -]); - -var msg3829 = msg("1965", dup201); - -var msg3830 = msg("1965:01", dup226); - -var select1853 = linear_select([ - msg3829, - msg3830, -]); - -var msg3831 = msg("1966", dup196); - -var msg3832 = msg("1966:01", dup226); - -var select1854 = linear_select([ - msg3831, - msg3832, -]); - -var msg3833 = msg("1967", dup265); - -var msg3834 = msg("1967:01", dup226); - -var select1855 = linear_select([ - msg3833, - msg3834, -]); - -var msg3835 = msg("1968", dup265); - -var msg3836 = msg("1968:01", dup226); - -var select1856 = linear_select([ - msg3835, - msg3836, -]); - -var msg3837 = msg("1969", dup265); - -var msg3838 = msg("1969:01", dup228); - -var select1857 = linear_select([ - msg3837, - msg3838, -]); - -var msg3839 = msg("1970", dup297); - -var msg3840 = msg("1970:01", dup228); - -var select1858 = linear_select([ - msg3839, - msg3840, -]); - -var msg3841 = msg("1971", dup227); - -var msg3842 = msg("1971:01", dup223); - -var select1859 = linear_select([ - msg3841, - msg3842, -]); - -var msg3843 = msg("1972", dup222); - -var msg3844 = msg("1972:01", dup223); - -var select1860 = linear_select([ - msg3843, - msg3844, -]); - -var msg3845 = msg("1973", dup222); - -var msg3846 = msg("1973:01", dup228); - -var select1861 = linear_select([ - msg3845, - msg3846, -]); - -var msg3847 = msg("1974", dup222); - -var msg3848 = msg("1974:01", dup223); - -var select1862 = linear_select([ - msg3847, - msg3848, 
-]); - -var msg3849 = msg("1975", dup222); - -var msg3850 = msg("1975:01", dup228); - -var select1863 = linear_select([ - msg3849, - msg3850, -]); - -var msg3851 = msg("1976", dup222); - -var msg3852 = msg("1976:01", dup223); - -var select1864 = linear_select([ - msg3851, - msg3852, -]); - -var msg3853 = msg("1977", dup265); - -var msg3854 = msg("1977:01", dup223); - -var select1865 = linear_select([ - msg3853, - msg3854, -]); - -var msg3855 = msg("1978", dup265); - -var msg3856 = msg("1978:01", dup266); - -var select1866 = linear_select([ - msg3855, - msg3856, -]); - -var msg3857 = msg("1979", dup265); - -var msg3858 = msg("1979:01", dup266); - -var select1867 = linear_select([ - msg3857, - msg3858, -]); - -var msg3859 = msg("1980", dup192); - -var msg3860 = msg("1980:01", dup262); - -var select1868 = linear_select([ - msg3859, - msg3860, -]); - -var msg3861 = msg("1981", dup192); - -var msg3862 = msg("1981:01", dup262); - -var select1869 = linear_select([ - msg3861, - msg3862, -]); - -var msg3863 = msg("1982", dup192); - -var msg3864 = msg("1982:01", dup262); - -var select1870 = linear_select([ - msg3863, - msg3864, -]); - -var msg3865 = msg("1983", dup192); - -var msg3866 = msg("1983:01", dup262); - -var select1871 = linear_select([ - msg3865, - msg3866, -]); - -var msg3867 = msg("1984", dup192); - -var msg3868 = msg("1984:01", dup262); - -var select1872 = linear_select([ - msg3867, - msg3868, -]); - -var msg3869 = msg("1985", dup192); - -var msg3870 = msg("1985:01", dup262); - -var select1873 = linear_select([ - msg3869, - msg3870, -]); - -var msg3871 = msg("1986", dup196); - -var msg3872 = msg("1986:01", dup217); - -var select1874 = linear_select([ - msg3871, - msg3872, -]); - -var msg3873 = msg("1987", dup222); - -var msg3874 = msg("1987:01", dup223); - -var select1875 = linear_select([ - msg3873, - msg3874, -]); - -var msg3875 = msg("1988", dup196); - -var msg3876 = msg("1988:01", dup217); - -var select1876 = linear_select([ - msg3875, - msg3876, -]); - -var 
msg3877 = msg("1989", dup196); - -var msg3878 = msg("1989:01", dup217); - -var select1877 = linear_select([ - msg3877, - msg3878, -]); - -var msg3879 = msg("1990", dup196); - -var msg3880 = msg("1990:01", dup217); - -var select1878 = linear_select([ - msg3879, - msg3880, -]); - -var msg3881 = msg("1991", dup196); - -var msg3882 = msg("1991:01", dup217); - -var select1879 = linear_select([ - msg3881, - msg3882, -]); - -var msg3883 = msg("1992", dup227); - -var msg3884 = msg("1992:01", dup228); - -var select1880 = linear_select([ - msg3883, - msg3884, -]); - -var msg3885 = msg("1993", dup222); - -var msg3886 = msg("1993:01", dup223); - -var select1881 = linear_select([ - msg3885, - msg3886, -]); - -var msg3887 = msg("1994", dup265); - -var msg3888 = msg("1994:01", dup266); - -var select1882 = linear_select([ - msg3887, - msg3888, -]); - -var msg3889 = msg("1995", dup265); - -var msg3890 = msg("1995:01", dup266); - -var select1883 = linear_select([ - msg3889, - msg3890, -]); - -var msg3891 = msg("1996", dup265); - -var msg3892 = msg("1996:01", dup266); - -var select1884 = linear_select([ - msg3891, - msg3892, -]); - -var msg3893 = msg("1997", dup265); - -var msg3894 = msg("1997:01", dup266); - -var select1885 = linear_select([ - msg3893, - msg3894, -]); - -var msg3895 = msg("1998", dup265); - -var msg3896 = msg("1998:01", dup266); - -var select1886 = linear_select([ - msg3895, - msg3896, -]); - -var msg3897 = msg("1999", dup265); - -var msg3898 = msg("1999:01", dup266); - -var select1887 = linear_select([ - msg3897, - msg3898, -]); - -var msg3899 = msg("2000", dup265); - -var msg3900 = msg("2000:01", dup266); - -var select1888 = linear_select([ - msg3899, - msg3900, -]); - -var msg3901 = msg("2001", dup265); - -var msg3902 = msg("2001:01", dup266); - -var select1889 = linear_select([ - msg3901, - msg3902, -]); - -var msg3903 = msg("2002", dup196); - -var msg3904 = msg("2002:01", dup217); - -var select1890 = linear_select([ - msg3903, - msg3904, -]); - -var msg3905 = 
msg("2003", dup238); - -var msg3906 = msg("2003:01", dup239); - -var select1891 = linear_select([ - msg3905, - msg3906, -]); - -var msg3907 = msg("2004", dup238); - -var msg3908 = msg("2004:01", dup239); - -var select1892 = linear_select([ - msg3907, - msg3908, -]); - -var msg3909 = msg("2005", dup258); - -var msg3910 = msg("2005:01", dup259); - -var select1893 = linear_select([ - msg3909, - msg3910, -]); - -var msg3911 = msg("2006", dup255); - -var msg3912 = msg("2006:01", dup256); - -var select1894 = linear_select([ - msg3911, - msg3912, -]); - -var msg3913 = msg("2007", dup255); - -var msg3914 = msg("2007:01", dup256); - -var select1895 = linear_select([ - msg3913, - msg3914, -]); - -var msg3915 = msg("2008", dup196); - -var msg3916 = msg("2008:01", dup217); - -var select1896 = linear_select([ - msg3915, - msg3916, -]); - -var msg3917 = msg("2009", dup196); - -var msg3918 = msg("2009:01", dup217); - -var select1897 = linear_select([ - msg3917, - msg3918, -]); - -var msg3919 = msg("2010", dup196); - -var msg3920 = msg("2010:01", dup217); - -var select1898 = linear_select([ - msg3919, - msg3920, -]); - -var msg3921 = msg("2011", dup196); - -var msg3922 = msg("2011:01", dup217); - -var select1899 = linear_select([ - msg3921, - msg3922, -]); - -var msg3923 = msg("2012", dup196); - -var msg3924 = msg("2012:01", dup217); - -var select1900 = linear_select([ - msg3923, - msg3924, -]); - -var msg3925 = msg("2013", dup196); - -var msg3926 = msg("2013:01", dup217); - -var select1901 = linear_select([ - msg3925, - msg3926, -]); - -var msg3927 = msg("2014", dup255); - -var msg3928 = msg("2014:01", dup256); - -var select1902 = linear_select([ - msg3927, - msg3928, -]); - -var msg3929 = msg("2015", dup258); - -var msg3930 = msg("2015:01", dup259); - -var select1903 = linear_select([ - msg3929, - msg3930, -]); - -var msg3931 = msg("2016", dup255); - -var msg3932 = msg("2016:01", dup256); - -var select1904 = linear_select([ - msg3931, - msg3932, -]); - -var msg3933 = msg("2017", 
dup258); - -var msg3934 = msg("2017:01", dup259); - -var select1905 = linear_select([ - msg3933, - msg3934, -]); - -var msg3935 = msg("2018", dup287); - -var msg3936 = msg("2018:01", dup288); - -var select1906 = linear_select([ - msg3935, - msg3936, -]); - -var msg3937 = msg("2019", dup255); - -var msg3938 = msg("2019:01", dup256); - -var select1907 = linear_select([ - msg3937, - msg3938, -]); - -var msg3939 = msg("2020", dup287); - -var msg3940 = msg("2020:01", dup288); - -var select1908 = linear_select([ - msg3939, - msg3940, -]); - -var msg3941 = msg("2021", dup255); - -var msg3942 = msg("2021:01", dup256); - -var select1909 = linear_select([ - msg3941, - msg3942, -]); - -var msg3943 = msg("2022", dup287); - -var msg3944 = msg("2022:01", dup288); - -var select1910 = linear_select([ - msg3943, - msg3944, -]); - -var msg3945 = msg("2023", dup255); - -var msg3946 = msg("2023:01", dup256); - -var select1911 = linear_select([ - msg3945, - msg3946, -]); - -var msg3947 = msg("2024", dup222); - -var msg3948 = msg("2024:01", dup223); - -var select1912 = linear_select([ - msg3947, - msg3948, -]); - -var msg3949 = msg("2025", dup222); - -var msg3950 = msg("2025:01", dup223); - -var select1913 = linear_select([ - msg3949, - msg3950, -]); - -var msg3951 = msg("2026", dup222); - -var msg3952 = msg("2026:01", dup223); - -var select1914 = linear_select([ - msg3951, - msg3952, -]); - -var msg3953 = msg("2027", dup222); - -var msg3954 = msg("2027:01", dup223); - -var select1915 = linear_select([ - msg3953, - msg3954, -]); - -var msg3955 = msg("2028", dup222); - -var msg3956 = msg("2028:01", dup223); - -var select1916 = linear_select([ - msg3955, - msg3956, -]); - -var msg3957 = msg("2029", dup222); - -var msg3958 = msg("2029:01", dup223); - -var select1917 = linear_select([ - msg3957, - msg3958, -]); - -var msg3959 = msg("2030", dup222); - -var msg3960 = msg("2030:01", dup223); - -var select1918 = linear_select([ - msg3959, - msg3960, -]); - -var msg3961 = msg("2031", dup255); - 
-var msg3962 = msg("2031:01", dup256); - -var select1919 = linear_select([ - msg3961, - msg3962, -]); - -var msg3963 = msg("2032", dup255); - -var msg3964 = msg("2032:01", dup256); - -var select1920 = linear_select([ - msg3963, - msg3964, -]); - -var msg3965 = msg("2033", dup255); - -var msg3966 = msg("2033:01", dup256); - -var select1921 = linear_select([ - msg3965, - msg3966, -]); - -var msg3967 = msg("2034", dup255); - -var msg3968 = msg("2034:01", dup256); - -var select1922 = linear_select([ - msg3967, - msg3968, -]); - -var msg3969 = msg("2035", dup258); - -var msg3970 = msg("2035:01", dup259); - -var select1923 = linear_select([ - msg3969, - msg3970, -]); - -var msg3971 = msg("2036", dup255); - -var msg3972 = msg("2036:01", dup256); - -var select1924 = linear_select([ - msg3971, - msg3972, -]); - -var msg3973 = msg("2037", dup255); - -var msg3974 = msg("2037:01", dup256); - -var select1925 = linear_select([ - msg3973, - msg3974, -]); - -var msg3975 = msg("2038", dup255); - -var msg3976 = msg("2038:01", dup256); - -var select1926 = linear_select([ - msg3975, - msg3976, -]); - -var msg3977 = msg("2039", dup196); - -var msg3978 = msg("2039:01", dup217); - -var select1927 = linear_select([ - msg3977, - msg3978, -]); - -var msg3979 = msg("2040", dup196); - -var msg3980 = msg("2040:01", dup217); - -var select1928 = linear_select([ - msg3979, - msg3980, -]); - -var msg3981 = msg("2041", dup236); - -var msg3982 = msg("2041:01", dup237); - -var select1929 = linear_select([ - msg3981, - msg3982, -]); - -var msg3983 = msg("2042", dup196); - -var msg3984 = msg("2042:01", dup217); - -var select1930 = linear_select([ - msg3983, - msg3984, -]); - -var msg3985 = msg("2043", dup236); - -var msg3986 = msg("2043:01", dup237); - -var select1931 = linear_select([ - msg3985, - msg3986, -]); - -var msg3987 = msg("2044", dup196); - -var msg3988 = msg("2044:01", dup217); - -var select1932 = linear_select([ - msg3987, - msg3988, -]); - -var msg3989 = msg("2045", dup222); - -var 
msg3990 = msg("2045:01", dup223); - -var select1933 = linear_select([ - msg3989, - msg3990, -]); - -var msg3991 = msg("2046", dup222); - -var msg3992 = msg("2046:01", dup223); - -var select1934 = linear_select([ - msg3991, - msg3992, -]); - -var msg3993 = msg("2047", dup196); - -var msg3994 = msg("2047:01", dup217); - -var select1935 = linear_select([ - msg3993, - msg3994, -]); - -var msg3995 = msg("2048", dup222); - -var msg3996 = msg("2048:01", dup223); - -var select1936 = linear_select([ - msg3995, - msg3996, -]); - -var msg3997 = msg("2049", dup240); - -var msg3998 = msg("2049:01", dup241); - -var select1937 = linear_select([ - msg3997, - msg3998, -]); - -var msg3999 = msg("2050", dup260); - -var msg4000 = msg("2050:01", dup261); - -var select1938 = linear_select([ - msg3999, - msg4000, -]); - -var msg4001 = msg("2051", dup265); - -var msg4002 = msg("2051:01", dup266); - -var select1939 = linear_select([ - msg4001, - msg4002, -]); - -var msg4003 = msg("2052", dup197); - -var msg4004 = msg("2052:01", dup221); - -var select1940 = linear_select([ - msg4003, - msg4004, -]); - -var msg4005 = msg("2053", dup265); - -var msg4006 = msg("2053:01", dup266); - -var select1941 = linear_select([ - msg4005, - msg4006, -]); - -var msg4007 = msg("2054", dup265); - -var msg4008 = msg("2054:01", dup266); - -var select1942 = linear_select([ - msg4007, - msg4008, -]); - -var msg4009 = msg("2055", dup265); - -var msg4010 = msg("2055:01", dup266); - -var select1943 = linear_select([ - msg4009, - msg4010, -]); - -var msg4011 = msg("2056", dup265); - -var msg4012 = msg("2056:01", dup266); - -var select1944 = linear_select([ - msg4011, - msg4012, -]); - -var msg4013 = msg("2057", dup265); - -var msg4014 = msg("2057:01", dup266); - -var select1945 = linear_select([ - msg4013, - msg4014, -]); - -var msg4015 = msg("2058", dup265); - -var msg4016 = msg("2058:01", dup266); - -var select1946 = linear_select([ - msg4015, - msg4016, -]); - -var msg4017 = msg("2059", dup265); - -var msg4018 = 
msg("2059:01", dup266); - -var select1947 = linear_select([ - msg4017, - msg4018, -]); - -var msg4019 = msg("2060", dup265); - -var msg4020 = msg("2060:01", dup266); - -var select1948 = linear_select([ - msg4019, - msg4020, -]); - -var msg4021 = msg("2061", dup265); - -var msg4022 = msg("2061:01", dup266); - -var select1949 = linear_select([ - msg4021, - msg4022, -]); - -var msg4023 = msg("2062", dup265); - -var msg4024 = msg("2062:01", dup266); - -var select1950 = linear_select([ - msg4023, - msg4024, -]); - -var msg4025 = msg("2063", dup260); - -var msg4026 = msg("2063:01", dup261); - -var select1951 = linear_select([ - msg4025, - msg4026, -]); - -var msg4027 = msg("2064", dup265); - -var msg4028 = msg("2064:01", dup266); - -var select1952 = linear_select([ - msg4027, - msg4028, -]); - -var msg4029 = msg("2065", dup265); - -var msg4030 = msg("2065:01", dup266); - -var select1953 = linear_select([ - msg4029, - msg4030, -]); - -var msg4031 = msg("2066", dup265); - -var msg4032 = msg("2066:01", dup266); - -var select1954 = linear_select([ - msg4031, - msg4032, -]); - -var msg4033 = msg("2067", dup265); - -var msg4034 = msg("2067:01", dup266); - -var select1955 = linear_select([ - msg4033, - msg4034, -]); - -var msg4035 = msg("2068", dup265); - -var msg4036 = msg("2068:01", dup266); - -var select1956 = linear_select([ - msg4035, - msg4036, -]); - -var msg4037 = msg("2069", dup265); - -var msg4038 = msg("2069:01", dup266); - -var select1957 = linear_select([ - msg4037, - msg4038, -]); - -var msg4039 = msg("2070", dup265); - -var msg4040 = msg("2070:01", dup266); - -var select1958 = linear_select([ - msg4039, - msg4040, -]); - -var msg4041 = msg("2071", dup265); - -var msg4042 = msg("2071:01", dup266); - -var select1959 = linear_select([ - msg4041, - msg4042, -]); - -var msg4043 = msg("2072", dup265); - -var msg4044 = msg("2072:01", dup266); - -var select1960 = linear_select([ - msg4043, - msg4044, -]); - -var msg4045 = msg("2073", dup265); - -var msg4046 = 
msg("2073:01", dup266); - -var select1961 = linear_select([ - msg4045, - msg4046, -]); - -var msg4047 = msg("2074", dup265); - -var msg4048 = msg("2074:01", dup266); - -var select1962 = linear_select([ - msg4047, - msg4048, -]); - -var msg4049 = msg("2075", dup265); - -var msg4050 = msg("2075:01", dup266); - -var select1963 = linear_select([ - msg4049, - msg4050, -]); - -var msg4051 = msg("2076", dup265); - -var msg4052 = msg("2076:01", dup266); - -var select1964 = linear_select([ - msg4051, - msg4052, -]); - -var msg4053 = msg("2077", dup265); - -var msg4054 = msg("2077:01", dup266); - -var select1965 = linear_select([ - msg4053, - msg4054, -]); - -var msg4055 = msg("2078", dup265); - -var msg4056 = msg("2078:01", dup266); - -var select1966 = linear_select([ - msg4055, - msg4056, -]); - -var msg4057 = msg("2079", dup258); - -var msg4058 = msg("2079:01", dup259); - -var select1967 = linear_select([ - msg4057, - msg4058, -]); - -var msg4059 = msg("2080", dup255); - -var msg4060 = msg("2080:01", dup256); - -var select1968 = linear_select([ - msg4059, - msg4060, -]); - -var msg4061 = msg("2081", dup258); - -var msg4062 = msg("2081:01", dup259); - -var select1969 = linear_select([ - msg4061, - msg4062, -]); - -var msg4063 = msg("2082", dup255); - -var msg4064 = msg("2082:01", dup256); - -var select1970 = linear_select([ - msg4063, - msg4064, -]); - -var msg4065 = msg("2083", dup255); - -var msg4066 = msg("2083:01", dup256); - -var select1971 = linear_select([ - msg4065, - msg4066, -]); - -var msg4067 = msg("2084", dup255); - -var msg4068 = msg("2084:01", dup256); - -var select1972 = linear_select([ - msg4067, - msg4068, -]); - -var msg4069 = msg("2085", dup265); - -var msg4070 = msg("2085:01", dup266); - -var select1973 = linear_select([ - msg4069, - msg4070, -]); - -var msg4071 = msg("2086", dup265); - -var msg4072 = msg("2086:01", dup266); - -var select1974 = linear_select([ - msg4071, - msg4072, -]); - -var msg4073 = msg("2087", dup222); - -var msg4074 = 
msg("2087:01", dup223); - -var select1975 = linear_select([ - msg4073, - msg4074, -]); - -var msg4075 = msg("2088", dup255); - -var msg4076 = msg("2088:01", dup256); - -var select1976 = linear_select([ - msg4075, - msg4076, -]); - -var msg4077 = msg("2089", dup255); - -var msg4078 = msg("2089:01", dup256); - -var select1977 = linear_select([ - msg4077, - msg4078, -]); - -var msg4079 = msg("2090", dup267); - -var msg4080 = msg("2090:01", dup268); - -var select1978 = linear_select([ - msg4079, - msg4080, -]); - -var msg4081 = msg("2091", dup194); - -var msg4082 = msg("2091:01", dup229); - -var select1979 = linear_select([ - msg4081, - msg4082, -]); - -var msg4083 = msg("2092", dup222); - -var msg4084 = msg("2092:01", dup223); - -var select1980 = linear_select([ - msg4083, - msg4084, -]); - -var msg4085 = msg("2093", dup222); - -var msg4086 = msg("2093:01", dup223); - -var select1981 = linear_select([ - msg4085, - msg4086, -]); - -var msg4087 = msg("2094", dup222); - -var msg4088 = msg("2094:01", dup223); - -var select1982 = linear_select([ - msg4087, - msg4088, -]); - -var msg4089 = msg("2095", dup201); - -var msg4090 = msg("2095:01", dup289); - -var select1983 = linear_select([ - msg4089, - msg4090, -]); - -var msg4091 = msg("2096", dup192); - -var msg4092 = msg("2096:01", dup262); - -var select1984 = linear_select([ - msg4091, - msg4092, -]); - -var msg4093 = msg("2097", dup192); - -var msg4094 = msg("2097:01", dup262); - -var select1985 = linear_select([ - msg4093, - msg4094, -]); - -var msg4095 = msg("2098", dup192); - -var msg4096 = msg("2098:01", dup262); - -var select1986 = linear_select([ - msg4095, - msg4096, -]); - -var msg4097 = msg("2099", dup192); - -var msg4098 = msg("2099:01", dup262); - -var select1987 = linear_select([ - msg4097, - msg4098, -]); - -var msg4099 = msg("2100", dup192); - -var msg4100 = msg("2100:01", dup262); - -var select1988 = linear_select([ - msg4099, - msg4100, -]); - -var msg4101 = msg("2101", dup198); - -var msg4102 = 
msg("2101:01", dup220); - -var select1989 = linear_select([ - msg4101, - msg4102, -]); - -var msg4103 = msg("2102", dup198); - -var msg4104 = msg("2102:01", dup220); - -var select1990 = linear_select([ - msg4103, - msg4104, -]); - -var msg4105 = msg("2103", dup276); - -var msg4106 = msg("2103:01", dup277); - -var select1991 = linear_select([ - msg4105, - msg4106, -]); - -var msg4107 = msg("2104", dup197); - -var msg4108 = msg("2104:01", dup221); - -var select1992 = linear_select([ - msg4107, - msg4108, -]); - -var msg4109 = msg("2105", dup222); - -var msg4110 = msg("2105:01", dup223); - -var select1993 = linear_select([ - msg4109, - msg4110, -]); - -var msg4111 = msg("2106", dup222); - -var msg4112 = msg("2106:01", dup223); - -var select1994 = linear_select([ - msg4111, - msg4112, -]); - -var msg4113 = msg("2107", dup222); - -var msg4114 = msg("2107:01", dup223); - -var select1995 = linear_select([ - msg4113, - msg4114, -]); - -var msg4115 = msg("2108", dup222); - -var msg4116 = msg("2108:01", dup223); - -var select1996 = linear_select([ - msg4115, - msg4116, -]); - -var msg4117 = msg("2109", dup222); - -var msg4118 = msg("2109:01", dup223); - -var select1997 = linear_select([ - msg4117, - msg4118, -]); - -var msg4119 = msg("2110", dup222); - -var msg4120 = msg("2110:01", dup223); - -var select1998 = linear_select([ - msg4119, - msg4120, -]); - -var msg4121 = msg("2111", dup222); - -var msg4122 = msg("2111:01", dup223); - -var select1999 = linear_select([ - msg4121, - msg4122, -]); - -var msg4123 = msg("2112", dup222); - -var msg4124 = msg("2112:01", dup223); - -var select2000 = linear_select([ - msg4123, - msg4124, -]); - -var msg4125 = msg("2113", dup222); - -var msg4126 = msg("2113:01", dup223); - -var select2001 = linear_select([ - msg4125, - msg4126, -]); - -var msg4127 = msg("2114", dup222); - -var msg4128 = msg("2114:01", dup223); - -var select2002 = linear_select([ - msg4127, - msg4128, -]); - -var msg4129 = msg("2115", dup265); - -var msg4130 = 
msg("2115:01", dup266); - -var select2003 = linear_select([ - msg4129, - msg4130, -]); - -var msg4131 = msg("2116", dup265); - -var msg4132 = msg("2116:01", dup266); - -var select2004 = linear_select([ - msg4131, - msg4132, -]); - -var msg4133 = msg("2117", dup265); - -var msg4134 = msg("2117:01", dup266); - -var select2005 = linear_select([ - msg4133, - msg4134, -]); - -var msg4135 = msg("2118", dup222); - -var msg4136 = msg("2118:01", dup223); - -var select2006 = linear_select([ - msg4135, - msg4136, -]); - -var msg4137 = msg("2119", dup222); - -var msg4138 = msg("2119:01", dup223); - -var select2007 = linear_select([ - msg4137, - msg4138, -]); - -var msg4139 = msg("2120", dup222); - -var msg4140 = msg("2120:01", dup223); - -var select2008 = linear_select([ - msg4139, - msg4140, -]); - -var msg4141 = msg("2121", dup298); - -var msg4142 = msg("2121:01", dup299); - -var select2009 = linear_select([ - msg4141, - msg4142, -]); - -var msg4143 = msg("2122", dup298); - -var msg4144 = msg("2122:01", dup299); - -var select2010 = linear_select([ - msg4143, - msg4144, -]); - -var msg4145 = msg("2123", dup196); - -var msg4146 = msg("2123:01", dup217); - -var select2011 = linear_select([ - msg4145, - msg4146, -]); - -var msg4147 = msg("2124", dup192); - -var msg4148 = msg("2124:01", dup262); - -var select2012 = linear_select([ - msg4147, - msg4148, -]); - -var msg4149 = msg("2125", dup227); - -var msg4150 = msg("2125:01", dup228); - -var select2013 = linear_select([ - msg4149, - msg4150, -]); - -var msg4151 = msg("2126", dup222); - -var msg4152 = msg("2126:01", dup223); - -var select2014 = linear_select([ - msg4151, - msg4152, -]); - -var msg4153 = msg("2127", dup265); - -var msg4154 = msg("2127:01", dup266); - -var select2015 = linear_select([ - msg4153, - msg4154, -]); - -var msg4155 = msg("2128", dup265); - -var msg4156 = msg("2128:01", dup266); - -var select2016 = linear_select([ - msg4155, - msg4156, -]); - -var msg4157 = msg("2129", dup265); - -var msg4158 = 
msg("2129:01", dup266); - -var select2017 = linear_select([ - msg4157, - msg4158, -]); - -var msg4159 = msg("2130", dup265); - -var msg4160 = msg("2130:01", dup266); - -var select2018 = linear_select([ - msg4159, - msg4160, -]); - -var msg4161 = msg("2131", dup265); - -var msg4162 = msg("2131:01", dup266); - -var select2019 = linear_select([ - msg4161, - msg4162, -]); - -var msg4163 = msg("2132", dup265); - -var msg4164 = msg("2132:01", dup266); - -var select2020 = linear_select([ - msg4163, - msg4164, -]); - -var msg4165 = msg("2133", dup265); - -var msg4166 = msg("2133:01", dup266); - -var select2021 = linear_select([ - msg4165, - msg4166, -]); - -var msg4167 = msg("2134", dup265); - -var msg4168 = msg("2134:01", dup266); - -var select2022 = linear_select([ - msg4167, - msg4168, -]); - -var msg4169 = msg("2135", dup265); - -var msg4170 = msg("2135:01", dup266); - -var select2023 = linear_select([ - msg4169, - msg4170, -]); - -var msg4171 = msg("2136", dup285); - -var msg4172 = msg("2136:01", dup286); - -var select2024 = linear_select([ - msg4171, - msg4172, -]); - -var msg4173 = msg("2137", dup265); - -var msg4174 = msg("2137:01", dup266); - -var select2025 = linear_select([ - msg4173, - msg4174, -]); - -var msg4175 = msg("2138", dup265); - -var msg4176 = msg("2138:01", dup266); - -var select2026 = linear_select([ - msg4175, - msg4176, -]); - -var msg4177 = msg("2139", dup265); - -var msg4178 = msg("2139:01", dup266); - -var select2027 = linear_select([ - msg4177, - msg4178, -]); - -var msg4179 = msg("2140", dup265); - -var msg4180 = msg("2140:01", dup266); - -var select2028 = linear_select([ - msg4179, - msg4180, -]); - -var msg4181 = msg("2141", dup265); - -var msg4182 = msg("2141:01", dup266); - -var select2029 = linear_select([ - msg4181, - msg4182, -]); - -var msg4183 = msg("2142", dup265); - -var msg4184 = msg("2142:01", dup266); - -var select2030 = linear_select([ - msg4183, - msg4184, -]); - -var msg4185 = msg("2143", dup265); - -var msg4186 = 
msg("2143:01", dup266); - -var select2031 = linear_select([ - msg4185, - msg4186, -]); - -var msg4187 = msg("2144", dup265); - -var msg4188 = msg("2144:01", dup266); - -var select2032 = linear_select([ - msg4187, - msg4188, -]); - -var msg4189 = msg("2145", dup265); - -var msg4190 = msg("2145:01", dup266); - -var select2033 = linear_select([ - msg4189, - msg4190, -]); - -var msg4191 = msg("2146", dup265); - -var msg4192 = msg("2146:01", dup266); - -var select2034 = linear_select([ - msg4191, - msg4192, -]); - -var msg4193 = msg("2147", dup265); - -var msg4194 = msg("2147:01", dup266); - -var select2035 = linear_select([ - msg4193, - msg4194, -]); - -var msg4195 = msg("2148", dup265); - -var msg4196 = msg("2148:01", dup266); - -var select2036 = linear_select([ - msg4195, - msg4196, -]); - -var msg4197 = msg("2149", dup265); - -var msg4198 = msg("2149:01", dup266); - -var select2037 = linear_select([ - msg4197, - msg4198, -]); - -var msg4199 = msg("2150", dup265); - -var msg4200 = msg("2150:01", dup266); - -var select2038 = linear_select([ - msg4199, - msg4200, -]); - -var msg4201 = msg("2151", dup265); - -var msg4202 = msg("2151:01", dup266); - -var select2039 = linear_select([ - msg4201, - msg4202, -]); - -var msg4203 = msg("2152", dup265); - -var msg4204 = msg("2152:01", dup266); - -var select2040 = linear_select([ - msg4203, - msg4204, -]); - -var msg4205 = msg("2153", dup265); - -var msg4206 = msg("2153:01", dup266); - -var select2041 = linear_select([ - msg4205, - msg4206, -]); - -var msg4207 = msg("2154", dup265); - -var msg4208 = msg("2154:01", dup266); - -var select2042 = linear_select([ - msg4207, - msg4208, -]); - -var msg4209 = msg("2155", dup265); - -var msg4210 = msg("2155:01", dup266); - -var select2043 = linear_select([ - msg4209, - msg4210, -]); - -var msg4211 = msg("2156", dup265); - -var msg4212 = msg("2156:01", dup266); - -var select2044 = linear_select([ - msg4211, - msg4212, -]); - -var msg4213 = msg("2157", dup265); - -var msg4214 = 
msg("2157:01", dup266); - -var select2045 = linear_select([ - msg4213, - msg4214, -]); - -var msg4215 = msg("2158", dup196); - -var msg4216 = msg("2158:01", dup217); - -var select2046 = linear_select([ - msg4215, - msg4216, -]); - -var msg4217 = msg("2159", dup196); - -var msg4218 = msg("2159:01", dup217); - -var select2047 = linear_select([ - msg4217, - msg4218, -]); - -var msg4219 = msg("2160", dup263); - -var msg4220 = msg("2160:01", dup264); - -var select2048 = linear_select([ - msg4219, - msg4220, -]); - -var msg4221 = msg("2161", dup263); - -var msg4222 = msg("2161:01", dup264); - -var select2049 = linear_select([ - msg4221, - msg4222, -]); - -var msg4223 = msg("2162", dup263); - -var msg4224 = msg("2162:01", dup264); - -var select2050 = linear_select([ - msg4223, - msg4224, -]); - -var msg4225 = msg("2163", dup263); - -var msg4226 = msg("2163:01", dup264); - -var select2051 = linear_select([ - msg4225, - msg4226, -]); - -var msg4227 = msg("2164", dup263); - -var msg4228 = msg("2164:01", dup264); - -var select2052 = linear_select([ - msg4227, - msg4228, -]); - -var msg4229 = msg("2165", dup263); - -var msg4230 = msg("2165:01", dup264); - -var select2053 = linear_select([ - msg4229, - msg4230, -]); - -var msg4231 = msg("2166", dup263); - -var msg4232 = msg("2166:01", dup264); - -var select2054 = linear_select([ - msg4231, - msg4232, -]); - -var msg4233 = msg("2167", dup263); - -var msg4234 = msg("2167:01", dup264); - -var select2055 = linear_select([ - msg4233, - msg4234, -]); - -var msg4235 = msg("2168", dup263); - -var msg4236 = msg("2168:01", dup264); - -var select2056 = linear_select([ - msg4235, - msg4236, -]); - -var msg4237 = msg("2169", dup263); - -var msg4238 = msg("2169:01", dup264); - -var select2057 = linear_select([ - msg4237, - msg4238, -]); - -var msg4239 = msg("2170", dup263); - -var msg4240 = msg("2170:01", dup264); - -var select2058 = linear_select([ - msg4239, - msg4240, -]); - -var msg4241 = msg("2171", dup263); - -var msg4242 = 
msg("2171:01", dup264); - -var select2059 = linear_select([ - msg4241, - msg4242, -]); - -var msg4243 = msg("2172", dup263); - -var msg4244 = msg("2172:01", dup264); - -var select2060 = linear_select([ - msg4243, - msg4244, -]); - -var msg4245 = msg("2173", dup263); - -var msg4246 = msg("2173:01", dup264); - -var select2061 = linear_select([ - msg4245, - msg4246, -]); - -var msg4247 = msg("2174", dup276); - -var msg4248 = msg("2174:01", dup277); - -var select2062 = linear_select([ - msg4247, - msg4248, -]); - -var msg4249 = msg("2175", dup276); - -var msg4250 = msg("2175:01", dup277); - -var select2063 = linear_select([ - msg4249, - msg4250, -]); - -var msg4251 = msg("2176", dup246); - -var msg4252 = msg("2176:01", dup247); - -var select2064 = linear_select([ - msg4251, - msg4252, -]); - -var msg4253 = msg("2177", dup246); - -var msg4254 = msg("2177:01", dup247); - -var select2065 = linear_select([ - msg4253, - msg4254, -]); - -var msg4255 = msg("2178", dup227); - -var msg4256 = msg("2178:01", dup228); - -var select2066 = linear_select([ - msg4255, - msg4256, -]); - -var msg4257 = msg("2179", dup227); - -var msg4258 = msg("2179:01", dup228); - -var select2067 = linear_select([ - msg4257, - msg4258, -]); - -var msg4259 = msg("2180", dup196); - -var msg4260 = msg("2180:01", dup217); - -var select2068 = linear_select([ - msg4259, - msg4260, -]); - -var msg4261 = msg("2181", dup196); - -var msg4262 = msg("2181:01", dup217); - -var select2069 = linear_select([ - msg4261, - msg4262, -]); - -var msg4263 = msg("2182", dup192); - -var msg4264 = msg("2182:01", dup262); - -var select2070 = linear_select([ - msg4263, - msg4264, -]); - -var msg4265 = msg("2183", dup222); - -var msg4266 = msg("2183:01", dup223); - -var select2071 = linear_select([ - msg4265, - msg4266, -]); - -var msg4267 = msg("2184", dup201); - -var msg4268 = msg("2184:01", dup289); - -var select2072 = linear_select([ - msg4267, - msg4268, -]); - -var msg4269 = msg("2185", dup222); - -var msg4270 = 
msg("2185:01", dup223); - -var select2073 = linear_select([ - msg4269, - msg4270, -]); - -var msg4271 = msg("2186", dup196); - -var msg4272 = msg("2186:01", dup217); - -var select2074 = linear_select([ - msg4271, - msg4272, -]); - -var msg4273 = msg("2187", dup196); - -var msg4274 = msg("2187:01", dup217); - -var select2075 = linear_select([ - msg4273, - msg4274, -]); - -var msg4275 = msg("2188", dup196); - -var msg4276 = msg("2188:01", dup217); - -var select2076 = linear_select([ - msg4275, - msg4276, -]); - -var msg4277 = msg("2189", dup196); - -var msg4278 = msg("2189:01", dup217); - -var select2077 = linear_select([ - msg4277, - msg4278, -]); - -var msg4279 = msg("2190", dup276); - -var msg4280 = msg("2190:01", dup277); - -var select2078 = linear_select([ - msg4279, - msg4280, -]); - -var msg4281 = msg("2191", dup276); - -var msg4282 = msg("2191:01", dup277); - -var select2079 = linear_select([ - msg4281, - msg4282, -]); - -var msg4283 = msg("2192", dup276); - -var msg4284 = msg("2192:01", dup277); - -var select2080 = linear_select([ - msg4283, - msg4284, -]); - -var msg4285 = msg("2193", dup276); - -var msg4286 = msg("2193:01", dup277); - -var select2081 = linear_select([ - msg4285, - msg4286, -]); - -var msg4287 = msg("2194", dup265); - -var msg4288 = msg("2194:01", dup266); - -var select2082 = linear_select([ - msg4287, - msg4288, -]); - -var msg4289 = msg("2195", dup265); - -var msg4290 = msg("2195:01", dup266); - -var select2083 = linear_select([ - msg4289, - msg4290, -]); - -var msg4291 = msg("2196", dup265); - -var msg4292 = msg("2196:01", dup266); - -var select2084 = linear_select([ - msg4291, - msg4292, -]); - -var msg4293 = msg("2197", dup265); - -var msg4294 = msg("2197:01", dup266); - -var select2085 = linear_select([ - msg4293, - msg4294, -]); - -var msg4295 = msg("2198", dup265); - -var msg4296 = msg("2198:01", dup266); - -var select2086 = linear_select([ - msg4295, - msg4296, -]); - -var msg4297 = msg("2199", dup265); - -var msg4298 = 
msg("2199:01", dup266); - -var select2087 = linear_select([ - msg4297, - msg4298, -]); - -var msg4299 = msg("2200", dup265); - -var msg4300 = msg("2200:01", dup266); - -var select2088 = linear_select([ - msg4299, - msg4300, -]); - -var msg4301 = msg("2201", dup265); - -var msg4302 = msg("2201:01", dup266); - -var select2089 = linear_select([ - msg4301, - msg4302, -]); - -var msg4303 = msg("2202", dup265); - -var msg4304 = msg("2202:01", dup266); - -var select2090 = linear_select([ - msg4303, - msg4304, -]); - -var msg4305 = msg("2203", dup265); - -var msg4306 = msg("2203:01", dup266); - -var select2091 = linear_select([ - msg4305, - msg4306, -]); - -var msg4307 = msg("2204", dup265); - -var msg4308 = msg("2204:01", dup266); - -var select2092 = linear_select([ - msg4307, - msg4308, -]); - -var msg4309 = msg("2205", dup265); - -var msg4310 = msg("2205:01", dup266); - -var select2093 = linear_select([ - msg4309, - msg4310, -]); - -var msg4311 = msg("2206", dup265); - -var msg4312 = msg("2206:01", dup266); - -var select2094 = linear_select([ - msg4311, - msg4312, -]); - -var msg4313 = msg("2207", dup265); - -var msg4314 = msg("2207:01", dup266); - -var select2095 = linear_select([ - msg4313, - msg4314, -]); - -var msg4315 = msg("2208", dup265); - -var msg4316 = msg("2208:01", dup266); - -var select2096 = linear_select([ - msg4315, - msg4316, -]); - -var msg4317 = msg("2209", dup265); - -var msg4318 = msg("2209:01", dup266); - -var select2097 = linear_select([ - msg4317, - msg4318, -]); - -var msg4319 = msg("2210", dup265); - -var msg4320 = msg("2210:01", dup266); - -var select2098 = linear_select([ - msg4319, - msg4320, -]); - -var msg4321 = msg("2211", dup265); - -var msg4322 = msg("2211:01", dup266); - -var select2099 = linear_select([ - msg4321, - msg4322, -]); - -var msg4323 = msg("2212", dup265); - -var msg4324 = msg("2212:01", dup266); - -var select2100 = linear_select([ - msg4323, - msg4324, -]); - -var msg4325 = msg("2213", dup265); - -var msg4326 = 
msg("2213:01", dup266); - -var select2101 = linear_select([ - msg4325, - msg4326, -]); - -var msg4327 = msg("2214", dup265); - -var msg4328 = msg("2214:01", dup266); - -var select2102 = linear_select([ - msg4327, - msg4328, -]); - -var msg4329 = msg("2215", dup265); - -var msg4330 = msg("2215:01", dup266); - -var select2103 = linear_select([ - msg4329, - msg4330, -]); - -var msg4331 = msg("2216", dup265); - -var msg4332 = msg("2216:01", dup266); - -var select2104 = linear_select([ - msg4331, - msg4332, -]); - -var msg4333 = msg("2217", dup265); - -var msg4334 = msg("2217:01", dup266); - -var select2105 = linear_select([ - msg4333, - msg4334, -]); - -var msg4335 = msg("2218", dup265); - -var msg4336 = msg("2218:01", dup266); - -var select2106 = linear_select([ - msg4335, - msg4336, -]); - -var msg4337 = msg("2219", dup265); - -var msg4338 = msg("2219:01", dup266); - -var select2107 = linear_select([ - msg4337, - msg4338, -]); - -var msg4339 = msg("2220", dup265); - -var msg4340 = msg("2220:01", dup266); - -var select2108 = linear_select([ - msg4339, - msg4340, -]); - -var msg4341 = msg("2221", dup265); - -var msg4342 = msg("2221:01", dup266); - -var select2109 = linear_select([ - msg4341, - msg4342, -]); - -var msg4343 = msg("2222", dup194); - -var msg4344 = msg("2222:01", dup229); - -var select2110 = linear_select([ - msg4343, - msg4344, -]); - -var msg4345 = msg("2223", dup265); - -var msg4346 = msg("2223:01", dup266); - -var select2111 = linear_select([ - msg4345, - msg4346, -]); - -var msg4347 = msg("2224", dup265); - -var msg4348 = msg("2224:01", dup266); - -var select2112 = linear_select([ - msg4347, - msg4348, -]); - -var msg4349 = msg("2225", dup265); - -var msg4350 = msg("2225:01", dup266); - -var select2113 = linear_select([ - msg4349, - msg4350, -]); - -var msg4351 = msg("2226", dup265); - -var msg4352 = msg("2226:01", dup266); - -var select2114 = linear_select([ - msg4351, - msg4352, -]); - -var msg4353 = msg("2227", dup265); - -var msg4354 = 
msg("2227:01", dup266); - -var select2115 = linear_select([ - msg4353, - msg4354, -]); - -var msg4355 = msg("2228", dup240); - -var msg4356 = msg("2228:01", dup241); - -var select2116 = linear_select([ - msg4355, - msg4356, -]); - -var msg4357 = msg("2229", dup265); - -var msg4358 = msg("2229:01", dup266); - -var select2117 = linear_select([ - msg4357, - msg4358, -]); - -var msg4359 = msg("2230", dup265); - -var msg4360 = msg("2230:01", dup266); - -var select2118 = linear_select([ - msg4359, - msg4360, -]); - -var msg4361 = msg("2231", dup265); - -var msg4362 = msg("2231:01", dup266); - -var select2119 = linear_select([ - msg4361, - msg4362, -]); - -var msg4363 = msg("2232", dup265); - -var msg4364 = msg("2232:01", dup266); - -var select2120 = linear_select([ - msg4363, - msg4364, -]); - -var msg4365 = msg("2233", dup265); - -var msg4366 = msg("2233:01", dup266); - -var select2121 = linear_select([ - msg4365, - msg4366, -]); - -var msg4367 = msg("2234", dup265); - -var msg4368 = msg("2234:01", dup266); - -var select2122 = linear_select([ - msg4367, - msg4368, -]); - -var msg4369 = msg("2235", dup265); - -var msg4370 = msg("2235:01", dup266); - -var select2123 = linear_select([ - msg4369, - msg4370, -]); - -var msg4371 = msg("2236", dup265); - -var msg4372 = msg("2236:01", dup266); - -var select2124 = linear_select([ - msg4371, - msg4372, -]); - -var msg4373 = msg("2237", dup265); - -var msg4374 = msg("2237:01", dup266); - -var select2125 = linear_select([ - msg4373, - msg4374, -]); - -var msg4375 = msg("2238", dup265); - -var msg4376 = msg("2238:01", dup266); - -var select2126 = linear_select([ - msg4375, - msg4376, -]); - -var msg4377 = msg("2239", dup265); - -var msg4378 = msg("2239:01", dup266); - -var select2127 = linear_select([ - msg4377, - msg4378, -]); - -var msg4379 = msg("2240", dup265); - -var msg4380 = msg("2240:01", dup266); - -var select2128 = linear_select([ - msg4379, - msg4380, -]); - -var msg4381 = msg("2241", dup265); - -var msg4382 = 
msg("2241:01", dup266); - -var select2129 = linear_select([ - msg4381, - msg4382, -]); - -var msg4383 = msg("2242", dup265); - -var msg4384 = msg("2242:01", dup266); - -var select2130 = linear_select([ - msg4383, - msg4384, -]); - -var msg4385 = msg("2243", dup265); - -var msg4386 = msg("2243:01", dup266); - -var select2131 = linear_select([ - msg4385, - msg4386, -]); - -var msg4387 = msg("2244", dup265); - -var msg4388 = msg("2244:01", dup266); - -var select2132 = linear_select([ - msg4387, - msg4388, -]); - -var msg4389 = msg("2245", dup265); - -var msg4390 = msg("2245:01", dup266); - -var select2133 = linear_select([ - msg4389, - msg4390, -]); - -var msg4391 = msg("2246", dup265); - -var msg4392 = msg("2246:01", dup266); - -var select2134 = linear_select([ - msg4391, - msg4392, -]); - -var msg4393 = msg("2247", dup265); - -var msg4394 = msg("2247:01", dup266); - -var select2135 = linear_select([ - msg4393, - msg4394, -]); - -var msg4395 = msg("2248", dup265); - -var msg4396 = msg("2248:01", dup266); - -var select2136 = linear_select([ - msg4395, - msg4396, -]); - -var msg4397 = msg("2249", dup265); - -var msg4398 = msg("2249:01", dup266); - -var select2137 = linear_select([ - msg4397, - msg4398, -]); - -var msg4399 = msg("2250", dup298); - -var msg4400 = msg("2250:01", dup299); - -var select2138 = linear_select([ - msg4399, - msg4400, -]); - -var msg4401 = msg("2251", dup276); - -var msg4402 = msg("2251:01", dup277); - -var select2139 = linear_select([ - msg4401, - msg4402, -]); - -var msg4403 = msg("2252", dup276); - -var msg4404 = msg("2252:01", dup277); - -var select2140 = linear_select([ - msg4403, - msg4404, -]); - -var msg4405 = msg("2253", dup222); - -var msg4406 = msg("2253:01", dup223); - -var select2141 = linear_select([ - msg4405, - msg4406, -]); - -var msg4407 = msg("2254", dup222); - -var msg4408 = msg("2254:01", dup223); - -var select2142 = linear_select([ - msg4407, - msg4408, -]); - -var msg4409 = msg("2255", dup255); - -var msg4410 = 
msg("2255:01", dup256); - -var select2143 = linear_select([ - msg4409, - msg4410, -]); - -var msg4411 = msg("2256", dup255); - -var msg4412 = msg("2256:01", dup256); - -var select2144 = linear_select([ - msg4411, - msg4412, -]); - -var msg4413 = msg("2257", dup276); - -var msg4414 = msg("2257:01", dup277); - -var select2145 = linear_select([ - msg4413, - msg4414, -]); - -var msg4415 = msg("2258", dup276); - -var msg4416 = msg("2258:01", dup277); - -var select2146 = linear_select([ - msg4415, - msg4416, -]); - -var msg4417 = msg("2259", dup222); - -var msg4418 = msg("2259:01", dup223); - -var select2147 = linear_select([ - msg4417, - msg4418, -]); - -var msg4419 = msg("2260", dup222); - -var msg4420 = msg("2260:01", dup223); - -var select2148 = linear_select([ - msg4419, - msg4420, -]); - -var msg4421 = msg("2261", dup194); - -var msg4422 = msg("2261:01", dup229); - -var select2149 = linear_select([ - msg4421, - msg4422, -]); - -var msg4423 = msg("2262", dup194); - -var msg4424 = msg("2262:01", dup229); - -var select2150 = linear_select([ - msg4423, - msg4424, -]); - -var msg4425 = msg("2263", dup194); - -var msg4426 = msg("2263:01", dup229); - -var select2151 = linear_select([ - msg4425, - msg4426, -]); - -var msg4427 = msg("2264", dup194); - -var msg4428 = msg("2264:01", dup229); - -var select2152 = linear_select([ - msg4427, - msg4428, -]); - -var msg4429 = msg("2265", dup194); - -var msg4430 = msg("2265:01", dup229); - -var select2153 = linear_select([ - msg4429, - msg4430, -]); - -var msg4431 = msg("2266", dup194); - -var msg4432 = msg("2266:01", dup229); - -var select2154 = linear_select([ - msg4431, - msg4432, -]); - -var msg4433 = msg("2267", dup194); - -var msg4434 = msg("2267:01", dup229); - -var select2155 = linear_select([ - msg4433, - msg4434, -]); - -var msg4435 = msg("2268", dup194); - -var msg4436 = msg("2268:01", dup229); - -var select2156 = linear_select([ - msg4435, - msg4436, -]); - -var msg4437 = msg("2269", dup194); - -var msg4438 = 
msg("2269:01", dup229); - -var select2157 = linear_select([ - msg4437, - msg4438, -]); - -var msg4439 = msg("2270", dup194); - -var msg4440 = msg("2270:01", dup229); - -var select2158 = linear_select([ - msg4439, - msg4440, -]); - -var msg4441 = msg("2271", dup192); - -var msg4442 = msg("2271:01", dup262); - -var select2159 = linear_select([ - msg4441, - msg4442, -]); - -var msg4443 = msg("2272", dup222); - -var msg4444 = msg("2272:01", dup223); - -var select2160 = linear_select([ - msg4443, - msg4444, -]); - -var msg4445 = msg("2273", dup196); - -var msg4446 = msg("2273:01", dup217); - -var select2161 = linear_select([ - msg4445, - msg4446, -]); - -var msg4447 = msg("2274", dup298); - -var msg4448 = msg("2274:01", dup299); - -var select2162 = linear_select([ - msg4447, - msg4448, -]); - -var msg4449 = msg("2275", dup250); - -var msg4450 = msg("2275:01", dup251); - -var select2163 = linear_select([ - msg4449, - msg4450, -]); - -var msg4451 = msg("2276", dup265); - -var msg4452 = msg("2276:01", dup266); - -var select2164 = linear_select([ - msg4451, - msg4452, -]); - -var msg4453 = msg("2277", dup265); - -var msg4454 = msg("2277:01", dup266); - -var select2165 = linear_select([ - msg4453, - msg4454, -]); - -var msg4455 = msg("2278", dup265); - -var msg4456 = msg("2278:01", dup266); - -var select2166 = linear_select([ - msg4455, - msg4456, -]); - -var msg4457 = msg("2279", dup265); - -var msg4458 = msg("2279:01", dup266); - -var select2167 = linear_select([ - msg4457, - msg4458, -]); - -var msg4459 = msg("2280", dup265); - -var msg4460 = msg("2280:01", dup266); - -var select2168 = linear_select([ - msg4459, - msg4460, -]); - -var msg4461 = msg("2281", dup265); - -var msg4462 = msg("2281:01", dup266); - -var select2169 = linear_select([ - msg4461, - msg4462, -]); - -var msg4463 = msg("2282", dup265); - -var msg4464 = msg("2282:01", dup266); - -var select2170 = linear_select([ - msg4463, - msg4464, -]); - -var msg4465 = msg("2283", dup265); - -var msg4466 = 
msg("2283:01", dup266); - -var select2171 = linear_select([ - msg4465, - msg4466, -]); - -var msg4467 = msg("2284", dup265); - -var msg4468 = msg("2284:01", dup266); - -var select2172 = linear_select([ - msg4467, - msg4468, -]); - -var msg4469 = msg("2285", dup265); - -var msg4470 = msg("2285:01", dup266); - -var select2173 = linear_select([ - msg4469, - msg4470, -]); - -var msg4471 = msg("2286", dup265); - -var msg4472 = msg("2286:01", dup266); - -var select2174 = linear_select([ - msg4471, - msg4472, -]); - -var msg4473 = msg("2287", dup265); - -var msg4474 = msg("2287:01", dup266); - -var select2175 = linear_select([ - msg4473, - msg4474, -]); - -var msg4475 = msg("2288", dup265); - -var msg4476 = msg("2288:01", dup266); - -var select2176 = linear_select([ - msg4475, - msg4476, -]); - -var msg4477 = msg("2289", dup265); - -var msg4478 = msg("2289:01", dup266); - -var select2177 = linear_select([ - msg4477, - msg4478, -]); - -var msg4479 = msg("2290", dup265); - -var msg4480 = msg("2290:01", dup266); - -var select2178 = linear_select([ - msg4479, - msg4480, -]); - -var msg4481 = msg("2291", dup265); - -var msg4482 = msg("2291:01", dup266); - -var select2179 = linear_select([ - msg4481, - msg4482, -]); - -var msg4483 = msg("2292", dup265); - -var msg4484 = msg("2292:01", dup266); - -var select2180 = linear_select([ - msg4483, - msg4484, -]); - -var msg4485 = msg("2293", dup265); - -var msg4486 = msg("2293:01", dup266); - -var select2181 = linear_select([ - msg4485, - msg4486, -]); - -var msg4487 = msg("2294", dup265); - -var msg4488 = msg("2294:01", dup266); - -var select2182 = linear_select([ - msg4487, - msg4488, -]); - -var msg4489 = msg("2295", dup265); - -var msg4490 = msg("2295:01", dup266); - -var select2183 = linear_select([ - msg4489, - msg4490, -]); - -var msg4491 = msg("2296", dup265); - -var msg4492 = msg("2296:01", dup266); - -var select2184 = linear_select([ - msg4491, - msg4492, -]); - -var msg4493 = msg("2297", dup265); - -var msg4494 = 
msg("2297:01", dup266); - -var select2185 = linear_select([ - msg4493, - msg4494, -]); - -var msg4495 = msg("2298", dup265); - -var msg4496 = msg("2298:01", dup266); - -var select2186 = linear_select([ - msg4495, - msg4496, -]); - -var msg4497 = msg("2299", dup265); - -var msg4498 = msg("2299:01", dup266); - -var select2187 = linear_select([ - msg4497, - msg4498, -]); - -var msg4499 = msg("2300", dup265); - -var msg4500 = msg("2300:01", dup266); - -var select2188 = linear_select([ - msg4499, - msg4500, -]); - -var msg4501 = msg("2301", dup265); - -var msg4502 = msg("2301:01", dup266); - -var select2189 = linear_select([ - msg4501, - msg4502, -]); - -var msg4503 = msg("2302", dup265); - -var msg4504 = msg("2302:01", dup266); - -var select2190 = linear_select([ - msg4503, - msg4504, -]); - -var msg4505 = msg("2303", dup265); - -var msg4506 = msg("2303:01", dup266); - -var select2191 = linear_select([ - msg4505, - msg4506, -]); - -var msg4507 = msg("2304", dup265); - -var msg4508 = msg("2304:01", dup266); - -var select2192 = linear_select([ - msg4507, - msg4508, -]); - -var msg4509 = msg("2305", dup265); - -var msg4510 = msg("2305:01", dup266); - -var select2193 = linear_select([ - msg4509, - msg4510, -]); - -var msg4511 = msg("2306", dup265); - -var msg4512 = msg("2306:01", dup266); - -var select2194 = linear_select([ - msg4511, - msg4512, -]); - -var msg4513 = msg("2307", dup265); - -var msg4514 = msg("2307:01", dup266); - -var select2195 = linear_select([ - msg4513, - msg4514, -]); - -var msg4515 = msg("2308", dup276); - -var msg4516 = msg("2308:01", dup277); - -var select2196 = linear_select([ - msg4515, - msg4516, -]); - -var msg4517 = msg("2309", dup276); - -var msg4518 = msg("2309:01", dup277); - -var select2197 = linear_select([ - msg4517, - msg4518, -]); - -var msg4519 = msg("2310", dup276); - -var msg4520 = msg("2310:01", dup277); - -var select2198 = linear_select([ - msg4519, - msg4520, -]); - -var msg4521 = msg("2311", dup276); - -var msg4522 = 
msg("2311:01", dup277); - -var select2199 = linear_select([ - msg4521, - msg4522, -]); - -var msg4523 = msg("2312", dup196); - -var msg4524 = msg("2312:01", dup217); - -var select2200 = linear_select([ - msg4523, - msg4524, -]); - -var msg4525 = msg("2313", dup196); - -var msg4526 = msg("2313:01", dup217); - -var select2201 = linear_select([ - msg4525, - msg4526, -]); - -var msg4527 = msg("2314", dup196); - -var msg4528 = msg("2314:01", dup217); - -var select2202 = linear_select([ - msg4527, - msg4528, -]); - -var msg4529 = msg("2315", dup276); - -var msg4530 = msg("2315:01", dup277); - -var select2203 = linear_select([ - msg4529, - msg4530, -]); - -var msg4531 = msg("2316", dup276); - -var msg4532 = msg("2316:01", dup277); - -var select2204 = linear_select([ - msg4531, - msg4532, -]); - -var msg4533 = msg("2317", dup196); - -var msg4534 = msg("2317:01", dup217); - -var select2205 = linear_select([ - msg4533, - msg4534, -]); - -var msg4535 = msg("2318", dup196); - -var msg4536 = msg("2318:01", dup217); - -var select2206 = linear_select([ - msg4535, - msg4536, -]); - -var msg4537 = msg("2319", dup222); - -var msg4538 = msg("2319:01", dup223); - -var select2207 = linear_select([ - msg4537, - msg4538, -]); - -var msg4539 = msg("2320", dup222); - -var msg4540 = msg("2320:01", dup223); - -var select2208 = linear_select([ - msg4539, - msg4540, -]); - -var msg4541 = msg("2321", dup265); - -var msg4542 = msg("2321:01", dup266); - -var select2209 = linear_select([ - msg4541, - msg4542, -]); - -var msg4543 = msg("2322", dup265); - -var msg4544 = msg("2322:01", dup266); - -var select2210 = linear_select([ - msg4543, - msg4544, -]); - -var msg4545 = msg("2323", dup265); - -var msg4546 = msg("2323:01", dup266); - -var select2211 = linear_select([ - msg4545, - msg4546, -]); - -var msg4547 = msg("2324", dup265); - -var msg4548 = msg("2324:01", dup266); - -var select2212 = linear_select([ - msg4547, - msg4548, -]); - -var msg4549 = msg("2325", dup265); - -var msg4550 = 
msg("2325:01", dup266); - -var select2213 = linear_select([ - msg4549, - msg4550, -]); - -var msg4551 = msg("2326", dup265); - -var msg4552 = msg("2326:01", dup266); - -var select2214 = linear_select([ - msg4551, - msg4552, -]); - -var msg4553 = msg("2327", dup265); - -var msg4554 = msg("2327:01", dup266); - -var select2215 = linear_select([ - msg4553, - msg4554, -]); - -var msg4555 = msg("2328", dup265); - -var msg4556 = msg("2328:01", dup266); - -var select2216 = linear_select([ - msg4555, - msg4556, -]); - -var msg4557 = msg("2329", dup260); - -var msg4558 = msg("2329:01", dup261); - -var select2217 = linear_select([ - msg4557, - msg4558, -]); - -var msg4559 = msg("2330", dup222); - -var msg4560 = msg("2330:01", dup223); - -var select2218 = linear_select([ - msg4559, - msg4560, -]); - -var msg4561 = msg("2331", dup265); - -var msg4562 = msg("2331:01", dup266); - -var select2219 = linear_select([ - msg4561, - msg4562, -]); - -var msg4563 = msg("2332", dup227); - -var msg4564 = msg("2332:01", dup228); - -var select2220 = linear_select([ - msg4563, - msg4564, -]); - -var msg4565 = msg("2333", dup227); - -var msg4566 = msg("2333:01", dup228); - -var select2221 = linear_select([ - msg4565, - msg4566, -]); - -var msg4567 = msg("2334", dup227); - -var msg4568 = msg("2334:01", dup228); - -var select2222 = linear_select([ - msg4567, - msg4568, -]); - -var msg4569 = msg("2335", dup227); - -var msg4570 = msg("2335:01", dup228); - -var select2223 = linear_select([ - msg4569, - msg4570, -]); - -var msg4571 = msg("2336", dup274); - -var msg4572 = msg("2336:01", dup275); - -var select2224 = linear_select([ - msg4571, - msg4572, -]); - -var msg4573 = msg("2337", dup295); - -var msg4574 = msg("2337:01", dup296); - -var select2225 = linear_select([ - msg4573, - msg4574, -]); - -var msg4575 = msg("2338", dup222); - -var msg4576 = msg("2338:01", dup223); - -var select2226 = linear_select([ - msg4575, - msg4576, -]); - -var msg4577 = msg("2339", dup274); - -var msg4578 = 
msg("2339:01", dup275); - -var select2227 = linear_select([ - msg4577, - msg4578, -]); - -var msg4579 = msg("2340", dup222); - -var msg4580 = msg("2340:01", dup223); - -var select2228 = linear_select([ - msg4579, - msg4580, -]); - -var msg4581 = msg("2341", dup265); - -var msg4582 = msg("2341:01", dup266); - -var select2229 = linear_select([ - msg4581, - msg4582, -]); - -var msg4583 = msg("2342", dup265); - -var msg4584 = msg("2342:01", dup266); - -var select2230 = linear_select([ - msg4583, - msg4584, -]); - -var msg4585 = msg("2343", dup222); - -var msg4586 = msg("2343:01", dup223); - -var select2231 = linear_select([ - msg4585, - msg4586, -]); - -var msg4587 = msg("2344", dup222); - -var msg4588 = msg("2344:01", dup223); - -var select2232 = linear_select([ - msg4587, - msg4588, -]); - -var msg4589 = msg("2345", dup265); - -var msg4590 = msg("2345:01", dup266); - -var select2233 = linear_select([ - msg4589, - msg4590, -]); - -var msg4591 = msg("2346", dup265); - -var msg4592 = msg("2346:01", dup266); - -var select2234 = linear_select([ - msg4591, - msg4592, -]); - -var msg4593 = msg("2347", dup265); - -var msg4594 = msg("2347:01", dup266); - -var select2235 = linear_select([ - msg4593, - msg4594, -]); - -var msg4595 = msg("2348", dup276); - -var msg4596 = msg("2348:01", dup277); - -var select2236 = linear_select([ - msg4595, - msg4596, -]); - -var msg4597 = msg("2349", dup276); - -var msg4598 = msg("2349:01", dup277); - -var select2237 = linear_select([ - msg4597, - msg4598, -]); - -var msg4599 = msg("2350", dup276); - -var msg4600 = msg("2350:01", dup277); - -var select2238 = linear_select([ - msg4599, - msg4600, -]); - -var msg4601 = msg("2351", dup276); - -var msg4602 = msg("2351:01", dup277); - -var select2239 = linear_select([ - msg4601, - msg4602, -]); - -var msg4603 = msg("2352", dup276); - -var msg4604 = msg("2352:01", dup277); - -var select2240 = linear_select([ - msg4603, - msg4604, -]); - -var msg4605 = msg("2353", dup196); - -var msg4606 = 
msg("2353:01", dup217); - -var select2241 = linear_select([ - msg4605, - msg4606, -]); - -var msg4607 = msg("2354", dup196); - -var msg4608 = msg("2354:01", dup217); - -var select2242 = linear_select([ - msg4607, - msg4608, -]); - -var msg4609 = msg("2355", dup196); - -var msg4610 = msg("2355:01", dup217); - -var select2243 = linear_select([ - msg4609, - msg4610, -]); - -var msg4611 = msg("2356", dup196); - -var msg4612 = msg("2356:01", dup217); - -var select2244 = linear_select([ - msg4611, - msg4612, -]); - -var msg4613 = msg("2357", dup196); - -var msg4614 = msg("2357:01", dup217); - -var select2245 = linear_select([ - msg4613, - msg4614, -]); - -var msg4615 = msg("2358", dup196); - -var msg4616 = msg("2358:01", dup217); - -var select2246 = linear_select([ - msg4615, - msg4616, -]); - -var msg4617 = msg("2359", dup196); - -var msg4618 = msg("2359:01", dup217); - -var select2247 = linear_select([ - msg4617, - msg4618, -]); - -var msg4619 = msg("2360", dup196); - -var msg4620 = msg("2360:01", dup217); - -var select2248 = linear_select([ - msg4619, - msg4620, -]); - -var msg4621 = msg("2361", dup196); - -var msg4622 = msg("2361:01", dup217); - -var select2249 = linear_select([ - msg4621, - msg4622, -]); - -var msg4623 = msg("2362", dup196); - -var msg4624 = msg("2362:01", dup217); - -var select2250 = linear_select([ - msg4623, - msg4624, -]); - -var msg4625 = msg("2363", dup265); - -var msg4626 = msg("2363:01", dup266); - -var select2251 = linear_select([ - msg4625, - msg4626, -]); - -var msg4627 = msg("2364", dup265); - -var msg4628 = msg("2364:01", dup266); - -var select2252 = linear_select([ - msg4627, - msg4628, -]); - -var msg4629 = msg("2365", dup265); - -var msg4630 = msg("2365:01", dup266); - -var select2253 = linear_select([ - msg4629, - msg4630, -]); - -var msg4631 = msg("2366", dup265); - -var msg4632 = msg("2366:01", dup266); - -var select2254 = linear_select([ - msg4631, - msg4632, -]); - -var msg4633 = msg("2367", dup265); - -var msg4634 = 
msg("2367:01", dup266); - -var select2255 = linear_select([ - msg4633, - msg4634, -]); - -var msg4635 = msg("2368", dup265); - -var msg4636 = msg("2368:01", dup266); - -var select2256 = linear_select([ - msg4635, - msg4636, -]); - -var msg4637 = msg("2369", dup265); - -var msg4638 = msg("2369:01", dup266); - -var select2257 = linear_select([ - msg4637, - msg4638, -]); - -var msg4639 = msg("2370", dup265); - -var msg4640 = msg("2370:01", dup266); - -var select2258 = linear_select([ - msg4639, - msg4640, -]); - -var msg4641 = msg("2371", dup265); - -var msg4642 = msg("2371:01", dup266); - -var select2259 = linear_select([ - msg4641, - msg4642, -]); - -var msg4643 = msg("2372", dup265); - -var msg4644 = msg("2372:01", dup266); - -var select2260 = linear_select([ - msg4643, - msg4644, -]); - -var msg4645 = msg("2373", dup222); - -var msg4646 = msg("2373:01", dup266); - -var select2261 = linear_select([ - msg4645, - msg4646, -]); - -var msg4647 = msg("2374", dup222); - -var msg4648 = msg("2374:01", dup266); - -var select2262 = linear_select([ - msg4647, - msg4648, -]); - -var msg4649 = msg("2375", dup192); - -var msg4650 = msg("2375:01", dup266); - -var select2263 = linear_select([ - msg4649, - msg4650, -]); - -var msg4651 = msg("2376", dup222); - -var msg4652 = msg("2376:01", dup266); - -var select2264 = linear_select([ - msg4651, - msg4652, -]); - -var msg4653 = msg("2377", dup222); - -var msg4654 = msg("2377:01", dup217); - -var select2265 = linear_select([ - msg4653, - msg4654, -]); - -var msg4655 = msg("2378", dup222); - -var msg4656 = msg("2378:01", dup266); - -var select2266 = linear_select([ - msg4655, - msg4656, -]); - -var msg4657 = msg("2379", dup222); - -var msg4658 = msg("2379:01", dup266); - -var select2267 = linear_select([ - msg4657, - msg4658, -]); - -var msg4659 = msg("2380", dup222); - -var msg4660 = msg("2380:01", dup217); - -var select2268 = linear_select([ - msg4659, - msg4660, -]); - -var msg4661 = msg("2381", dup267); - -var msg4662 = 
msg("2381:01", dup268); - -var select2269 = linear_select([ - msg4661, - msg4662, -]); - -var msg4663 = msg("2382", dup276); - -var msg4664 = msg("2382:01", dup266); - -var select2270 = linear_select([ - msg4663, - msg4664, -]); - -var msg4665 = msg("2383", dup276); - -var msg4666 = msg("2383:01", dup266); - -var select2271 = linear_select([ - msg4665, - msg4666, -]); - -var msg4667 = msg("2384", dup276); - -var msg4668 = msg("2384:01", dup266); - -var select2272 = linear_select([ - msg4667, - msg4668, -]); - -var msg4669 = msg("2385", dup276); - -var msg4670 = msg("2385:01", dup266); - -var select2273 = linear_select([ - msg4669, - msg4670, -]); - -var msg4671 = msg("2386", dup194); - -var msg4672 = msg("2386:01", dup266); - -var select2274 = linear_select([ - msg4671, - msg4672, -]); - -var msg4673 = msg("2387", dup265); - -var msg4674 = msg("2387:01", dup266); - -var select2275 = linear_select([ - msg4673, - msg4674, -]); - -var msg4675 = msg("2388", dup265); - -var msg4676 = msg("2388:01", dup266); - -var select2276 = linear_select([ - msg4675, - msg4676, -]); - -var msg4677 = msg("2389", dup222); - -var msg4678 = msg("2389:01", dup266); - -var select2277 = linear_select([ - msg4677, - msg4678, -]); - -var msg4679 = msg("2390", dup222); - -var msg4680 = msg("2390:01", dup266); - -var select2278 = linear_select([ - msg4679, - msg4680, -]); - -var msg4681 = msg("2391", dup222); - -var msg4682 = msg("2391:01", dup266); - -var select2279 = linear_select([ - msg4681, - msg4682, -]); - -var msg4683 = msg("2392", dup222); - -var msg4684 = msg("2392:01", dup266); - -var select2280 = linear_select([ - msg4683, - msg4684, -]); - -var msg4685 = msg("2393", dup265); - -var msg4686 = msg("2393:01", dup266); - -var select2281 = linear_select([ - msg4685, - msg4686, -]); - -var msg4687 = msg("2394", dup198); - -var msg4688 = msg("2394:01", dup266); - -var select2282 = linear_select([ - msg4687, - msg4688, -]); - -var msg4689 = msg("2395", dup265); - -var msg4690 = 
msg("2395:01", dup266); - -var select2283 = linear_select([ - msg4689, - msg4690, -]); - -var msg4691 = msg("2396", dup269); - -var msg4692 = msg("2396:01", dup266); - -var select2284 = linear_select([ - msg4691, - msg4692, -]); - -var msg4693 = msg("2397", dup265); - -var msg4694 = msg("2397:01", dup266); - -var select2285 = linear_select([ - msg4693, - msg4694, -]); - -var msg4695 = msg("2398", dup265); - -var msg4696 = msg("2398:01", dup266); - -var select2286 = linear_select([ - msg4695, - msg4696, -]); - -var msg4697 = msg("2399", dup265); - -var msg4698 = msg("2399:01", dup300); - -var select2287 = linear_select([ - msg4697, - msg4698, -]); - -var msg4699 = msg("2400", dup265); - -var msg4700 = msg("2400:01", dup266); - -var select2288 = linear_select([ - msg4699, - msg4700, -]); - -var msg4701 = msg("2401", dup276); - -var msg4702 = msg("2401:01", dup266); - -var select2289 = linear_select([ - msg4701, - msg4702, -]); - -var msg4703 = msg("2402", dup276); - -var msg4704 = msg("2402:01", dup277); - -var select2290 = linear_select([ - msg4703, - msg4704, -]); - -var msg4705 = msg("2403", dup276); - -var msg4706 = msg("2403:01", dup266); - -var select2291 = linear_select([ - msg4705, - msg4706, -]); - -var msg4707 = msg("2404", dup276); - -var msg4708 = msg("2404:01", dup266); - -var select2292 = linear_select([ - msg4707, - msg4708, -]); - -var msg4709 = msg("2405", dup265); - -var msg4710 = msg("2405:01", dup266); - -var select2293 = linear_select([ - msg4709, - msg4710, -]); - -var msg4711 = msg("2406", dup248); - -var msg4712 = msg("2406:01", dup266); - -var select2294 = linear_select([ - msg4711, - msg4712, -]); - -var msg4713 = msg("2407", dup265); - -var msg4714 = msg("2407:01", dup266); - -var select2295 = linear_select([ - msg4713, - msg4714, -]); - -var msg4715 = msg("2408", dup265); - -var msg4716 = msg("2408:01", dup266); - -var select2296 = linear_select([ - msg4715, - msg4716, -]); - -var msg4717 = msg("2409", dup222); - -var msg4718 = 
msg("2409:01", dup268); - -var select2297 = linear_select([ - msg4717, - msg4718, -]); - -var msg4719 = msg("2410", dup265); - -var msg4720 = msg("2410:01", dup229); - -var select2298 = linear_select([ - msg4719, - msg4720, -]); - -var msg4721 = msg("2411", dup267); - -var msg4722 = msg("2411:01", dup266); - -var select2299 = linear_select([ - msg4721, - msg4722, -]); - -var msg4723 = msg("2412", dup287); - -var msg4724 = msg("2412:01", dup266); - -var select2300 = linear_select([ - msg4723, - msg4724, -]); - -var msg4725 = msg("2413", dup196); - -var msg4726 = msg("2413:01", dup266); - -var select2301 = linear_select([ - msg4725, - msg4726, -]); - -var msg4727 = msg("2414", dup196); - -var msg4728 = msg("2414:01", dup266); - -var select2302 = linear_select([ - msg4727, - msg4728, -]); - -var msg4729 = msg("2415", dup196); - -var msg4730 = msg("2415:01", dup266); - -var select2303 = linear_select([ - msg4729, - msg4730, -]); - -var msg4731 = msg("2416", dup227); - -var msg4732 = msg("2416:01", dup266); - -var select2304 = linear_select([ - msg4731, - msg4732, -]); - -var msg4733 = msg("2417", dup227); - -var msg4734 = msg("2417:01", dup266); - -var select2305 = linear_select([ - msg4733, - msg4734, -]); - -var msg4735 = msg("2418", dup196); - -var msg4736 = msg("2418:01", dup266); - -var select2306 = linear_select([ - msg4735, - msg4736, -]); - -var msg4737 = msg("2419", dup196); - -var msg4738 = msg("2419:01", dup266); - -var select2307 = linear_select([ - msg4737, - msg4738, -]); - -var msg4739 = msg("2420", dup196); - -var msg4740 = msg("2420:01", dup266); - -var select2308 = linear_select([ - msg4739, - msg4740, -]); - -var msg4741 = msg("2421", dup196); - -var msg4742 = msg("2421:01", dup270); - -var select2309 = linear_select([ - msg4741, - msg4742, -]); - -var msg4743 = msg("2422", dup196); - -var msg4744 = msg("2422:01", dup266); - -var select2310 = linear_select([ - msg4743, - msg4744, -]); - -var msg4745 = msg("2423", dup196); - -var msg4746 = 
msg("2423:01", dup217); - -var select2311 = linear_select([ - msg4745, - msg4746, -]); - -var msg4747 = msg("2424", dup222); - -var msg4748 = msg("2424:01", dup223); - -var select2312 = linear_select([ - msg4747, - msg4748, -]); - -var msg4749 = msg("2425", dup222); - -var msg4750 = msg("2425:01", dup223); - -var select2313 = linear_select([ - msg4749, - msg4750, -]); - -var msg4751 = msg("2426", dup222); - -var msg4752 = msg("2426:01", dup266); - -var select2314 = linear_select([ - msg4751, - msg4752, -]); - -var msg4753 = msg("2427", dup222); - -var msg4754 = msg("2427:01", dup266); - -var select2315 = linear_select([ - msg4753, - msg4754, -]); - -var msg4755 = msg("2428", dup222); - -var msg4756 = msg("2428:01", dup266); - -var select2316 = linear_select([ - msg4755, - msg4756, -]); - -var msg4757 = msg("2429", dup222); - -var msg4758 = msg("2429:01", dup266); - -var select2317 = linear_select([ - msg4757, - msg4758, -]); - -var msg4759 = msg("2430", dup222); - -var msg4760 = msg("2430:01", dup266); - -var select2318 = linear_select([ - msg4759, - msg4760, -]); - -var msg4761 = msg("2431", dup222); - -var msg4762 = msg("2431:01", dup266); - -var select2319 = linear_select([ - msg4761, - msg4762, -]); - -var all45 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - setc("eventcategory","1001030303"), - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var msg4763 = msg("2432", all45); - -var msg4764 = msg("2432:01", dup266); - -var select2320 = linear_select([ - msg4763, - msg4764, -]); - -var msg4765 = msg("2433", dup267); - -var msg4766 = msg("2433:01", dup266); - -var select2321 = linear_select([ - msg4765, - msg4766, -]); - -var msg4767 = msg("2434", dup265); - -var msg4768 = msg("2434:01", dup266); - -var select2322 = linear_select([ - msg4767, - msg4768, -]); - -var msg4769 = msg("2435", dup265); - -var msg4770 = 
msg("2435:01", dup266); - -var select2323 = linear_select([ - msg4769, - msg4770, -]); - -var msg4771 = msg("2436", dup265); - -var msg4772 = msg("2436:01", dup266); - -var select2324 = linear_select([ - msg4771, - msg4772, -]); - -var msg4773 = msg("2437", dup265); - -var msg4774 = msg("2437:01", dup266); - -var select2325 = linear_select([ - msg4773, - msg4774, -]); - -var msg4775 = msg("2438", dup267); - -var msg4776 = msg("2438:01", dup266); - -var select2326 = linear_select([ - msg4775, - msg4776, -]); - -var msg4777 = msg("2439", dup267); - -var msg4778 = msg("2439:01", dup266); - -var select2327 = linear_select([ - msg4777, - msg4778, -]); - -var msg4779 = msg("2440", dup267); - -var msg4780 = msg("2440:01", dup266); - -var select2328 = linear_select([ - msg4779, - msg4780, -]); - -var msg4781 = msg("2441", dup285); - -var msg4782 = msg("2441:01", dup266); - -var select2329 = linear_select([ - msg4781, - msg4782, -]); - -var msg4783 = msg("2442", dup267); - -var msg4784 = msg("2442:01", dup266); - -var select2330 = linear_select([ - msg4783, - msg4784, -]); - -var msg4785 = msg("2443", dup222); - -var msg4786 = msg("2443:01", dup266); - -var select2331 = linear_select([ - msg4785, - msg4786, -]); - -var msg4787 = msg("2444", dup222); - -var msg4788 = msg("2444:01", dup266); - -var select2332 = linear_select([ - msg4787, - msg4788, -]); - -var msg4789 = msg("2445", dup222); - -var msg4790 = msg("2445:01", dup266); - -var select2333 = linear_select([ - msg4789, - msg4790, -]); - -var msg4791 = msg("2446", dup222); - -var msg4792 = msg("2446:01", dup223); - -var select2334 = linear_select([ - msg4791, - msg4792, -]); - -var msg4793 = msg("2447", dup265); - -var msg4794 = msg("2447:01", dup266); - -var select2335 = linear_select([ - msg4793, - msg4794, -]); - -var msg4795 = msg("2448", dup265); - -var msg4796 = msg("2448:01", dup266); - -var select2336 = linear_select([ - msg4795, - msg4796, -]); - -var msg4797 = msg("2449", dup222); - -var msg4798 = 
msg("2449:01", dup266); - -var select2337 = linear_select([ - msg4797, - msg4798, -]); - -var msg4799 = msg("2450", dup301); - -var msg4800 = msg("2450:01", dup266); - -var select2338 = linear_select([ - msg4799, - msg4800, -]); - -var msg4801 = msg("2451", dup196); - -var msg4802 = msg("2451:01", dup266); - -var select2339 = linear_select([ - msg4801, - msg4802, -]); - -var msg4803 = msg("2452", dup196); - -var msg4804 = msg("2452:01", dup266); - -var select2340 = linear_select([ - msg4803, - msg4804, -]); - -var msg4805 = msg("2453", dup196); - -var msg4806 = msg("2453:01", dup266); - -var select2341 = linear_select([ - msg4805, - msg4806, -]); - -var msg4807 = msg("2454", dup301); - -var msg4808 = msg("2454:01", dup266); - -var select2342 = linear_select([ - msg4807, - msg4808, -]); - -var msg4809 = msg("2455", dup196); - -var msg4810 = msg("2455:01", dup266); - -var select2343 = linear_select([ - msg4809, - msg4810, -]); - -var msg4811 = msg("2456", dup196); - -var msg4812 = msg("2456:01", dup217); - -var select2344 = linear_select([ - msg4811, - msg4812, -]); - -var msg4813 = msg("2457", dup196); - -var msg4814 = msg("2457:01", dup217); - -var select2345 = linear_select([ - msg4813, - msg4814, -]); - -var msg4815 = msg("2458", dup196); - -var msg4816 = msg("2458:01", dup217); - -var select2346 = linear_select([ - msg4815, - msg4816, -]); - -var msg4817 = msg("2459", dup196); - -var msg4818 = msg("2459:01", dup266); - -var select2347 = linear_select([ - msg4817, - msg4818, -]); - -var msg4819 = msg("2460", dup196); - -var msg4820 = msg("2460:01", dup270); - -var select2348 = linear_select([ - msg4819, - msg4820, -]); - -var msg4821 = msg("2461", dup196); - -var msg4822 = msg("2461:01", dup241); - -var select2349 = linear_select([ - msg4821, - msg4822, -]); - -var msg4823 = msg("2462", dup222); - -var msg4824 = msg("2462:01", dup266); - -var select2350 = linear_select([ - msg4823, - msg4824, -]); - -var msg4825 = msg("2463", dup222); - -var msg4826 = 
msg("2463:01", dup266); - -var select2351 = linear_select([ - msg4825, - msg4826, -]); - -var msg4827 = msg("2464", dup222); - -var msg4828 = msg("2464:01", dup266); - -var select2352 = linear_select([ - msg4827, - msg4828, -]); - -var msg4829 = msg("2465", dup246); - -var msg4830 = msg("2465:01", dup266); - -var select2353 = linear_select([ - msg4829, - msg4830, -]); - -var msg4831 = msg("2466", dup246); - -var msg4832 = msg("2466:01", dup286); - -var select2354 = linear_select([ - msg4831, - msg4832, -]); - -var msg4833 = msg("2467", dup246); - -var msg4834 = msg("2467:01", dup247); - -var select2355 = linear_select([ - msg4833, - msg4834, -]); - -var msg4835 = msg("2468", dup246); - -var msg4836 = msg("2468:01", dup247); - -var select2356 = linear_select([ - msg4835, - msg4836, -]); - -var msg4837 = msg("2469", dup246); - -var msg4838 = msg("2469:01", dup247); - -var select2357 = linear_select([ - msg4837, - msg4838, -]); - -var msg4839 = msg("2470", dup246); - -var msg4840 = msg("2470:01", dup247); - -var select2358 = linear_select([ - msg4839, - msg4840, -]); - -var msg4841 = msg("2471", dup246); - -var msg4842 = msg("2471:01", dup247); - -var select2359 = linear_select([ - msg4841, - msg4842, -]); - -var msg4843 = msg("2472", dup246); - -var msg4844 = msg("2472:01", dup247); - -var select2360 = linear_select([ - msg4843, - msg4844, -]); - -var msg4845 = msg("2473", dup246); - -var msg4846 = msg("2473:01", dup247); - -var select2361 = linear_select([ - msg4845, - msg4846, -]); - -var msg4847 = msg("2474", dup246); - -var msg4848 = msg("2474:01", dup247); - -var select2362 = linear_select([ - msg4847, - msg4848, -]); - -var msg4849 = msg("2475", dup246); - -var msg4850 = msg("2475:01", dup247); - -var select2363 = linear_select([ - msg4849, - msg4850, -]); - -var msg4851 = msg("2476", dup276); - -var msg4852 = msg("2476:01", dup277); - -var select2364 = linear_select([ - msg4851, - msg4852, -]); - -var msg4853 = msg("2477", dup276); - -var msg4854 = 
msg("2477:01", dup277); - -var select2365 = linear_select([ - msg4853, - msg4854, -]); - -var msg4855 = msg("2478", dup276); - -var msg4856 = msg("2478:01", dup277); - -var select2366 = linear_select([ - msg4855, - msg4856, -]); - -var msg4857 = msg("2479", dup276); - -var msg4858 = msg("2479:01", dup277); - -var select2367 = linear_select([ - msg4857, - msg4858, -]); - -var msg4859 = msg("2480", dup276); - -var msg4860 = msg("2480:01", dup277); - -var select2368 = linear_select([ - msg4859, - msg4860, -]); - -var msg4861 = msg("2481", dup276); - -var msg4862 = msg("2481:01", dup277); - -var select2369 = linear_select([ - msg4861, - msg4862, -]); - -var msg4863 = msg("2482", dup276); - -var msg4864 = msg("2482:01", dup277); - -var select2370 = linear_select([ - msg4863, - msg4864, -]); - -var msg4865 = msg("2483", dup276); - -var msg4866 = msg("2483:01", dup277); - -var select2371 = linear_select([ - msg4865, - msg4866, -]); - -var msg4867 = msg("2484", dup265); - -var msg4868 = msg("2484:01", dup266); - -var select2372 = linear_select([ - msg4867, - msg4868, -]); - -var msg4869 = msg("2485", dup194); - -var msg4870 = msg("2485:01", dup229); - -var select2373 = linear_select([ - msg4869, - msg4870, -]); - -var msg4871 = msg("2486", dup198); - -var msg4872 = msg("2486:01", dup220); - -var select2374 = linear_select([ - msg4871, - msg4872, -]); - -var msg4873 = msg("2487", dup297); - -var msg4874 = msg("2487:01", dup300); - -var select2375 = linear_select([ - msg4873, - msg4874, -]); - -var msg4875 = msg("2488", dup197); - -var msg4876 = msg("2488:01", dup221); - -var select2376 = linear_select([ - msg4875, - msg4876, -]); - -var msg4877 = msg("2489", dup222); - -var msg4878 = msg("2489:01", dup223); - -var select2377 = linear_select([ - msg4877, - msg4878, -]); - -var msg4879 = msg("2490", dup222); - -var msg4880 = msg("2490:01", dup223); - -var select2378 = linear_select([ - msg4879, - msg4880, -]); - -var msg4881 = msg("2491", dup276); - -var msg4882 = 
msg("2491:01", dup277); - -var select2379 = linear_select([ - msg4881, - msg4882, -]); - -var msg4883 = msg("2492", dup276); - -var msg4884 = msg("2492:01", dup277); - -var select2380 = linear_select([ - msg4883, - msg4884, -]); - -var msg4885 = msg("2493", dup276); - -var msg4886 = msg("2493:01", dup277); - -var select2381 = linear_select([ - msg4885, - msg4886, -]); - -var msg4887 = msg("2494", dup276); - -var msg4888 = msg("2494:01", dup277); - -var select2382 = linear_select([ - msg4887, - msg4888, -]); - -var msg4889 = msg("2495", dup276); - -var msg4890 = msg("2495:01", dup277); - -var select2383 = linear_select([ - msg4889, - msg4890, -]); - -var msg4891 = msg("2496", dup276); - -var msg4892 = msg("2496:01", dup277); - -var select2384 = linear_select([ - msg4891, - msg4892, -]); - -var msg4893 = msg("2497", dup196); - -var msg4894 = msg("2497:01", dup217); - -var select2385 = linear_select([ - msg4893, - msg4894, -]); - -var msg4895 = msg("2498", dup196); - -var msg4896 = msg("2498:01", dup217); - -var select2386 = linear_select([ - msg4895, - msg4896, -]); - -var msg4897 = msg("2499", dup196); - -var msg4898 = msg("2499:01", dup217); - -var select2387 = linear_select([ - msg4897, - msg4898, -]); - -var msg4899 = msg("2500", dup298); - -var msg4900 = msg("2500:01", dup299); - -var select2388 = linear_select([ - msg4899, - msg4900, -]); - -var msg4901 = msg("2501", dup298); - -var msg4902 = msg("2501:01", dup299); - -var select2389 = linear_select([ - msg4901, - msg4902, -]); - -var msg4903 = msg("2502", dup298); - -var msg4904 = msg("2502:01", dup299); - -var select2390 = linear_select([ - msg4903, - msg4904, -]); - -var msg4905 = msg("2503", dup250); - -var msg4906 = msg("2503:01", dup251); - -var select2391 = linear_select([ - msg4905, - msg4906, -]); - -var msg4907 = msg("2504", dup250); - -var msg4908 = msg("2504:01", dup251); - -var select2392 = linear_select([ - msg4907, - msg4908, -]); - -var msg4909 = msg("2505", dup265); - -var msg4910 = 
msg("2505:01", dup266); - -var select2393 = linear_select([ - msg4909, - msg4910, -]); - -var msg4911 = msg("2506", dup265); - -var msg4912 = msg("2506:01", dup266); - -var select2394 = linear_select([ - msg4911, - msg4912, -]); - -var msg4913 = msg("2507", dup276); - -var msg4914 = msg("2507:01", dup277); - -var select2395 = linear_select([ - msg4913, - msg4914, -]); - -var msg4915 = msg("2508", dup276); - -var msg4916 = msg("2508:01", dup277); - -var select2396 = linear_select([ - msg4915, - msg4916, -]); - -var msg4917 = msg("2509", dup276); - -var msg4918 = msg("2509:01", dup277); - -var select2397 = linear_select([ - msg4917, - msg4918, -]); - -var msg4919 = msg("2510", dup276); - -var msg4920 = msg("2510:01", dup277); - -var select2398 = linear_select([ - msg4919, - msg4920, -]); - -var msg4921 = msg("2511", dup276); - -var msg4922 = msg("2511:01", dup277); - -var select2399 = linear_select([ - msg4921, - msg4922, -]); - -var msg4923 = msg("2512", dup276); - -var msg4924 = msg("2512:01", dup277); - -var select2400 = linear_select([ - msg4923, - msg4924, -]); - -var msg4925 = msg("2513", dup276); - -var msg4926 = msg("2513:01", dup277); - -var select2401 = linear_select([ - msg4925, - msg4926, -]); - -var msg4927 = msg("2514", dup276); - -var msg4928 = msg("2514:01", dup277); - -var select2402 = linear_select([ - msg4927, - msg4928, -]); - -var msg4929 = msg("2515", dup267); - -var msg4930 = msg("2515:01", dup268); - -var select2403 = linear_select([ - msg4929, - msg4930, -]); - -var msg4931 = msg("2516", dup222); - -var msg4932 = msg("2516:01", dup223); - -var select2404 = linear_select([ - msg4931, - msg4932, -]); - -var msg4933 = msg("2517", dup222); - -var msg4934 = msg("2517:01", dup223); - -var select2405 = linear_select([ - msg4933, - msg4934, -]); - -var msg4935 = msg("2518", dup222); - -var msg4936 = msg("2518:01", dup223); - -var select2406 = linear_select([ - msg4935, - msg4936, -]); - -var msg4937 = msg("2519", dup222); - -var msg4938 = 
msg("2519:01", dup223); - -var select2407 = linear_select([ - msg4937, - msg4938, -]); - -var msg4939 = msg("2520", dup265); - -var msg4940 = msg("2520:01", dup266); - -var select2408 = linear_select([ - msg4939, - msg4940, -]); - -var msg4941 = msg("2521", dup265); - -var msg4942 = msg("2521:01", dup266); - -var select2409 = linear_select([ - msg4941, - msg4942, -]); - -var msg4943 = msg("2522", dup265); - -var msg4944 = msg("2522:01", dup266); - -var select2410 = linear_select([ - msg4943, - msg4944, -]); - -var msg4945 = msg("2523", dup198); - -var msg4946 = msg("2523:01", dup220); - -var select2411 = linear_select([ - msg4945, - msg4946, -]); - -var msg4947 = msg("2524", dup276); - -var msg4948 = msg("2524:01", dup277); - -var select2412 = linear_select([ - msg4947, - msg4948, -]); - -var msg4949 = msg("2525", dup276); - -var msg4950 = msg("2525:01", dup277); - -var select2413 = linear_select([ - msg4949, - msg4950, -]); - -var msg4951 = msg("2526", dup276); - -var msg4952 = msg("2526:01", dup277); - -var select2414 = linear_select([ - msg4951, - msg4952, -]); - -var msg4953 = msg("2527", dup250); - -var msg4954 = msg("2527:01", dup251); - -var select2415 = linear_select([ - msg4953, - msg4954, -]); - -var msg4955 = msg("2528", dup222); - -var msg4956 = msg("2528:01", dup223); - -var select2416 = linear_select([ - msg4955, - msg4956, -]); - -var msg4957 = msg("2529", dup196); - -var msg4958 = msg("2529:01", dup217); - -var select2417 = linear_select([ - msg4957, - msg4958, -]); - -var msg4959 = msg("2530", dup196); - -var msg4960 = msg("2530:01", dup217); - -var select2418 = linear_select([ - msg4959, - msg4960, -]); - -var msg4961 = msg("2531", dup196); - -var msg4962 = msg("2531:01", dup217); - -var select2419 = linear_select([ - msg4961, - msg4962, -]); - -var msg4963 = msg("2532", dup298); - -var msg4964 = msg("2532:01", dup299); - -var select2420 = linear_select([ - msg4963, - msg4964, -]); - -var msg4965 = msg("2533", dup298); - -var msg4966 = 
msg("2533:01", dup299); - -var select2421 = linear_select([ - msg4965, - msg4966, -]); - -var msg4967 = msg("2534", dup298); - -var msg4968 = msg("2534:01", dup299); - -var select2422 = linear_select([ - msg4967, - msg4968, -]); - -var msg4969 = msg("2535", dup298); - -var msg4970 = msg("2535:01", dup299); - -var select2423 = linear_select([ - msg4969, - msg4970, -]); - -var msg4971 = msg("2536", dup298); - -var msg4972 = msg("2536:01", dup299); - -var select2424 = linear_select([ - msg4971, - msg4972, -]); - -var msg4973 = msg("2537", dup298); - -var msg4974 = msg("2537:01", dup299); - -var select2425 = linear_select([ - msg4973, - msg4974, -]); - -var msg4975 = msg("2538", dup250); - -var msg4976 = msg("2538:01", dup251); - -var select2426 = linear_select([ - msg4975, - msg4976, -]); - -var msg4977 = msg("2539", dup250); - -var msg4978 = msg("2539:01", dup251); - -var select2427 = linear_select([ - msg4977, - msg4978, -]); - -var msg4979 = msg("2540", dup250); - -var msg4980 = msg("2540:01", dup251); - -var select2428 = linear_select([ - msg4979, - msg4980, -]); - -var msg4981 = msg("2541", dup250); - -var msg4982 = msg("2541:01", dup251); - -var select2429 = linear_select([ - msg4981, - msg4982, -]); - -var msg4983 = msg("2542", dup250); - -var msg4984 = msg("2542:01", dup251); - -var select2430 = linear_select([ - msg4983, - msg4984, -]); - -var msg4985 = msg("2543", dup250); - -var msg4986 = msg("2543:01", dup251); - -var select2431 = linear_select([ - msg4985, - msg4986, -]); - -var msg4987 = msg("2544", dup250); - -var msg4988 = msg("2544:01", dup251); - -var select2432 = linear_select([ - msg4987, - msg4988, -]); - -var msg4989 = msg("2545", dup222); - -var msg4990 = msg("2545:01", dup223); - -var select2433 = linear_select([ - msg4989, - msg4990, -]); - -var msg4991 = msg("2546", dup222); - -var msg4992 = msg("2546:01", dup223); - -var select2434 = linear_select([ - msg4991, - msg4992, -]); - -var msg4993 = msg("2547", dup196); - -var msg4994 = 
msg("2547:01", dup217); - -var select2435 = linear_select([ - msg4993, - msg4994, -]); - -var msg4995 = msg("2548", dup196); - -var msg4996 = msg("2548:01", dup217); - -var select2436 = linear_select([ - msg4995, - msg4996, -]); - -var msg4997 = msg("2549", dup196); - -var msg4998 = msg("2549:01", dup217); - -var select2437 = linear_select([ - msg4997, - msg4998, -]); - -var msg4999 = msg("2550", dup197); - -var msg5000 = msg("2550:01", dup221); - -var select2438 = linear_select([ - msg4999, - msg5000, -]); - -var msg5001 = msg("2551", dup222); - -var msg5002 = msg("2552", dup222); - -var msg5003 = msg("2553", dup222); - -var msg5004 = msg("2554", dup222); - -var msg5005 = msg("2555", dup222); - -var msg5006 = msg("2556", dup222); - -var msg5007 = msg("2557", dup222); - -var msg5008 = msg("2558", dup222); - -var msg5009 = msg("2559", dup222); - -var msg5010 = msg("2560", dup222); - -var msg5011 = msg("2561", dup196); - -var msg5012 = msg("2562", dup265); - -var msg5013 = msg("2563", dup276); - -var msg5014 = msg("2564", dup276); - -var msg5015 = msg("2565", dup265); - -var msg5016 = msg("2566", dup265); - -var msg5017 = msg("2567", dup265); - -var msg5018 = msg("2568", dup265); - -var msg5019 = msg("2569", dup265); - -var msg5020 = msg("2570", dup196); - -var msg5021 = msg("2571", dup265); - -var msg5022 = msg("2572", dup267); - -var msg5023 = msg("2573", dup265); - -var msg5024 = msg("2574", dup227); - -var msg5025 = msg("2575", dup265); - -var msg5026 = msg("2576", dup222); - -var msg5027 = msg("2577", dup265); - -var msg5028 = msg("2578", dup197); - -var msg5029 = msg("2579", dup197); - -var msg5030 = msg("2580", dup265); - -var msg5031 = msg("2581", dup265); - -var msg5032 = msg("2582", dup265); - -var msg5033 = msg("2583", dup222); - -var msg5034 = msg("2584", dup222); - -var msg5035 = msg("2585", dup196); - -var msg5036 = msg("2586", dup196); - -var msg5037 = msg("2587", dup196); - -var msg5038 = msg("2588", dup265); - -var msg5039 = msg("2589", dup265); - 
-var msg5040 = msg("2590", dup222); - -var msg5041 = msg("2590:01", dup223); - -var select2439 = linear_select([ - msg5040, - msg5041, -]); - -var msg5042 = msg("2591", dup222); - -var msg5043 = msg("2592", dup222); - -var msg5044 = msg("2593", dup222); - -var msg5045 = msg("2594", dup222); - -var msg5046 = msg("2595", dup222); - -var msg5047 = msg("2596", dup222); - -var msg5048 = msg("2597", dup267); - -var msg5049 = msg("2598", dup267); - -var msg5050 = msg("2599", dup222); - -var msg5051 = msg("2600", dup222); - -var msg5052 = msg("2601", dup222); - -var msg5053 = msg("2602", dup222); - -var msg5054 = msg("2603", dup222); - -var msg5055 = msg("2604", dup222); - -var msg5056 = msg("2605", dup222); - -var msg5057 = msg("2606", dup222); - -var msg5058 = msg("2607", dup222); - -var msg5059 = msg("2608", dup222); - -var msg5060 = msg("2609", dup222); - -var msg5061 = msg("2610", dup222); - -var msg5062 = msg("2611", dup222); - -var msg5063 = msg("2612", dup222); - -var msg5064 = msg("2613", dup222); - -var msg5065 = msg("2614", dup222); - -var msg5066 = msg("2615", dup222); - -var msg5067 = msg("2616", dup222); - -var msg5068 = msg("2617", dup222); - -var msg5069 = msg("2618", dup222); - -var msg5070 = msg("2619", dup222); - -var msg5071 = msg("2620", dup222); - -var msg5072 = msg("2621", dup222); - -var msg5073 = msg("2622", dup222); - -var msg5074 = msg("2623", dup222); - -var msg5075 = msg("2624", dup222); - -var msg5076 = msg("2625", dup222); - -var msg5077 = msg("2626", dup222); - -var msg5078 = msg("2627", dup222); - -var msg5079 = msg("2628", dup222); - -var msg5080 = msg("2629", dup222); - -var msg5081 = msg("2630", dup222); - -var msg5082 = msg("2631", dup222); - -var msg5083 = msg("2632", dup222); - -var msg5084 = msg("2633", dup222); - -var msg5085 = msg("2634", dup222); - -var msg5086 = msg("2635", dup222); - -var msg5087 = msg("2636", dup222); - -var msg5088 = msg("2637", dup222); - -var msg5089 = msg("2638", dup222); - -var msg5090 = msg("2639", 
dup222); - -var msg5091 = msg("2640", dup222); - -var msg5092 = msg("2641", dup222); - -var msg5093 = msg("2642", dup222); - -var msg5094 = msg("2643", dup222); - -var msg5095 = msg("2644", dup222); - -var msg5096 = msg("2645", dup222); - -var msg5097 = msg("2646", dup222); - -var msg5098 = msg("2647", dup222); - -var msg5099 = msg("2648", dup222); - -var msg5100 = msg("2649", dup222); - -var msg5101 = msg("2650", dup222); - -var msg5102 = msg("2651", dup222); - -var msg5103 = msg("2652", dup222); - -var msg5104 = msg("2653", dup222); - -var msg5105 = msg("2654", dup240); - -var msg5106 = msg("2655", dup196); - -var msg5107 = msg("2656", dup267); - -var msg5108 = msg("2657", dup267); - -var msg5109 = msg("2658", dup265); - -var msg5110 = msg("2659", dup265); - -var msg5111 = msg("2660", dup265); - -var msg5112 = msg("2661", dup265); - -var msg5113 = msg("2662", dup265); - -var msg5114 = msg("2663", dup267); - -var msg5115 = msg("2664", dup196); - -var msg5116 = msg("2665", dup196); - -var msg5117 = msg("2666", dup298); - -var msg5118 = msg("2667", dup265); - -var msg5119 = msg("2668", dup265); - -var msg5120 = msg("2669", dup265); - -var msg5121 = msg("2670", dup265); - -var msg5122 = msg("2671", dup267); - -var msg5123 = msg("2672", dup265); - -var msg5124 = msg("2673", dup267); - -var msg5125 = msg("2674", dup222); - -var msg5126 = msg("2675", dup222); - -var msg5127 = msg("2676", dup222); - -var msg5128 = msg("2677", dup222); - -var msg5129 = msg("2678", dup222); - -var msg5130 = msg("2679", dup222); - -var msg5131 = msg("2680", dup222); - -var msg5132 = msg("2681", dup222); - -var msg5133 = msg("2682", dup222); - -var msg5134 = msg("2683", dup222); - -var msg5135 = msg("2684", dup222); - -var msg5136 = msg("2685", dup222); - -var msg5137 = msg("2686", dup222); - -var msg5138 = msg("2687", dup222); - -var msg5139 = msg("2688", dup222); - -var msg5140 = msg("2689", dup222); - -var msg5141 = msg("2690", dup222); - -var msg5142 = msg("2691", dup222); - -var msg5143 
= msg("2692", dup222); - -var msg5144 = msg("2693", dup222); - -var msg5145 = msg("2694", dup222); - -var msg5146 = msg("2695", dup222); - -var msg5147 = msg("2696", dup222); - -var msg5148 = msg("2697", dup222); - -var msg5149 = msg("2698", dup222); - -var msg5150 = msg("2699", dup222); - -var msg5151 = msg("2700", dup222); - -var msg5152 = msg("2701", dup260); - -var msg5153 = msg("2702", dup260); - -var msg5154 = msg("2703", dup260); - -var msg5155 = msg("2704", dup260); - -var msg5156 = msg("2705", dup267); - -var msg5157 = msg("2706", dup196); - -var msg5158 = msg("2707", dup197); - -var msg5159 = msg("2708", dup222); - -var msg5160 = msg("2709", dup222); - -var msg5161 = msg("2710", dup222); - -var msg5162 = msg("2711", dup222); - -var msg5163 = msg("2712", dup222); - -var msg5164 = msg("2713", dup222); - -var msg5165 = msg("2714", dup222); - -var msg5166 = msg("2715", dup222); - -var msg5167 = msg("2716", dup222); - -var msg5168 = msg("2717", dup222); - -var msg5169 = msg("2718", dup222); - -var msg5170 = msg("2719", dup222); - -var msg5171 = msg("2720", dup222); - -var msg5172 = msg("2721", dup222); - -var msg5173 = msg("2722", dup222); - -var msg5174 = msg("2723", dup222); - -var msg5175 = msg("2724", dup222); - -var msg5176 = msg("2725", dup222); - -var msg5177 = msg("2726", dup222); - -var msg5178 = msg("2727", dup222); - -var msg5179 = msg("2728", dup222); - -var msg5180 = msg("2729", dup222); - -var msg5181 = msg("2730", dup222); - -var msg5182 = msg("2731", dup222); - -var msg5183 = msg("2732", dup222); - -var msg5184 = msg("2733", dup222); - -var msg5185 = msg("2734", dup222); - -var msg5186 = msg("2735", dup222); - -var msg5187 = msg("2736", dup222); - -var msg5188 = msg("2737", dup222); - -var msg5189 = msg("2738", dup222); - -var msg5190 = msg("2739", dup222); - -var msg5191 = msg("2740", dup222); - -var msg5192 = msg("2741", dup222); - -var msg5193 = msg("2742", dup222); - -var msg5194 = msg("2743", dup222); - -var msg5195 = msg("2744", dup222); 
- -var msg5196 = msg("2745", dup222); - -var msg5197 = msg("2746", dup222); - -var msg5198 = msg("2747", dup222); - -var msg5199 = msg("2748", dup222); - -var msg5200 = msg("2749", dup222); - -var msg5201 = msg("2750", dup222); - -var msg5202 = msg("2751", dup222); - -var msg5203 = msg("2752", dup222); - -var msg5204 = msg("2753", dup222); - -var msg5205 = msg("2754", dup222); - -var msg5206 = msg("2755", dup222); - -var msg5207 = msg("2756", dup222); - -var msg5208 = msg("2757", dup222); - -var msg5209 = msg("2758", dup222); - -var msg5210 = msg("2759", dup222); - -var msg5211 = msg("2760", dup222); - -var msg5212 = msg("2761", dup222); - -var msg5213 = msg("2762", dup222); - -var msg5214 = msg("2763", dup222); - -var msg5215 = msg("2764", dup222); - -var msg5216 = msg("2765", dup222); - -var msg5217 = msg("2766", dup222); - -var msg5218 = msg("2767", dup222); - -var msg5219 = msg("2768", dup222); - -var msg5220 = msg("2769", dup222); - -var msg5221 = msg("2770", dup222); - -var msg5222 = msg("2771", dup222); - -var msg5223 = msg("2772", dup222); - -var msg5224 = msg("2773", dup222); - -var msg5225 = msg("2774", dup222); - -var msg5226 = msg("2775", dup222); - -var msg5227 = msg("2776", dup222); - -var msg5228 = msg("2777", dup222); - -var msg5229 = msg("2778", dup222); - -var msg5230 = msg("2779", dup222); - -var msg5231 = msg("2780", dup222); - -var msg5232 = msg("2781", dup222); - -var msg5233 = msg("2782", dup222); - -var msg5234 = msg("2783", dup222); - -var msg5235 = msg("2784", dup222); - -var msg5236 = msg("2785", dup222); - -var msg5237 = msg("2786", dup222); - -var msg5238 = msg("2787", dup222); - -var msg5239 = msg("2788", dup222); - -var msg5240 = msg("2789", dup222); - -var msg5241 = msg("2790", dup222); - -var msg5242 = msg("2791", dup222); - -var msg5243 = msg("2792", dup222); - -var msg5244 = msg("2793", dup222); - -var msg5245 = msg("2794", dup222); - -var msg5246 = msg("2795", dup222); - -var msg5247 = msg("2796", dup222); - -var msg5248 = 
msg("2797", dup222); - -var msg5249 = msg("2798", dup222); - -var msg5250 = msg("2799", dup222); - -var msg5251 = msg("2800", dup222); - -var msg5252 = msg("2801", dup222); - -var msg5253 = msg("2802", dup222); - -var msg5254 = msg("2803", dup222); - -var msg5255 = msg("2804", dup222); - -var msg5256 = msg("2805", dup222); - -var msg5257 = msg("2806", dup222); - -var msg5258 = msg("2807", dup222); - -var msg5259 = msg("2808", dup222); - -var msg5260 = msg("2809", dup222); - -var msg5261 = msg("2810", dup222); - -var msg5262 = msg("2811", dup222); - -var msg5263 = msg("2812", dup222); - -var msg5264 = msg("2813", dup222); - -var msg5265 = msg("2814", dup222); - -var msg5266 = msg("2815", dup222); - -var msg5267 = msg("2816", dup222); - -var msg5268 = msg("2817", dup222); - -var msg5269 = msg("2818", dup222); - -var msg5270 = msg("2819", dup222); - -var msg5271 = msg("2820", dup222); - -var msg5272 = msg("2821", dup222); - -var msg5273 = msg("2822", dup222); - -var msg5274 = msg("2823", dup222); - -var msg5275 = msg("2824", dup222); - -var msg5276 = msg("2825", dup222); - -var msg5277 = msg("2826", dup222); - -var msg5278 = msg("2827", dup222); - -var msg5279 = msg("2828", dup222); - -var msg5280 = msg("2829", dup222); - -var msg5281 = msg("2830", dup222); - -var msg5282 = msg("2831", dup222); - -var msg5283 = msg("2832", dup222); - -var msg5284 = msg("2833", dup222); - -var msg5285 = msg("2834", dup222); - -var msg5286 = msg("2835", dup222); - -var msg5287 = msg("2836", dup222); - -var msg5288 = msg("2837", dup222); - -var msg5289 = msg("2838", dup222); - -var msg5290 = msg("2839", dup222); - -var msg5291 = msg("2840", dup222); - -var msg5292 = msg("2841", dup222); - -var msg5293 = msg("2842", dup222); - -var msg5294 = msg("2843", dup222); - -var msg5295 = msg("2844", dup222); - -var msg5296 = msg("2845", dup222); - -var msg5297 = msg("2846", dup222); - -var msg5298 = msg("2847", dup222); - -var msg5299 = msg("2848", dup222); - -var msg5300 = msg("2849", dup222); - 
-var msg5301 = msg("2850", dup222); - -var msg5302 = msg("2851", dup222); - -var msg5303 = msg("2852", dup222); - -var msg5304 = msg("2853", dup222); - -var msg5305 = msg("2854", dup222); - -var msg5306 = msg("2855", dup222); - -var msg5307 = msg("2856", dup222); - -var msg5308 = msg("2857", dup222); - -var msg5309 = msg("2858", dup222); - -var msg5310 = msg("2859", dup222); - -var msg5311 = msg("2860", dup222); - -var msg5312 = msg("2861", dup222); - -var msg5313 = msg("2862", dup222); - -var msg5314 = msg("2863", dup222); - -var msg5315 = msg("2864", dup222); - -var msg5316 = msg("2865", dup222); - -var msg5317 = msg("2866", dup222); - -var msg5318 = msg("2867", dup222); - -var msg5319 = msg("2868", dup222); - -var msg5320 = msg("2869", dup222); - -var msg5321 = msg("2870", dup222); - -var msg5322 = msg("2871", dup222); - -var msg5323 = msg("2872", dup222); - -var msg5324 = msg("2873", dup222); - -var msg5325 = msg("2874", dup222); - -var msg5326 = msg("2875", dup222); - -var msg5327 = msg("2876", dup222); - -var msg5328 = msg("2877", dup222); - -var msg5329 = msg("2878", dup222); - -var msg5330 = msg("2879", dup222); - -var msg5331 = msg("2880", dup222); - -var msg5332 = msg("2881", dup222); - -var msg5333 = msg("2882", dup222); - -var msg5334 = msg("2883", dup222); - -var msg5335 = msg("2884", dup222); - -var msg5336 = msg("2885", dup222); - -var msg5337 = msg("2886", dup222); - -var msg5338 = msg("2887", dup222); - -var msg5339 = msg("2888", dup222); - -var msg5340 = msg("2889", dup222); - -var msg5341 = msg("2890", dup222); - -var msg5342 = msg("2891", dup222); - -var msg5343 = msg("2892", dup222); - -var msg5344 = msg("2893", dup222); - -var msg5345 = msg("2894", dup222); - -var msg5346 = msg("2895", dup222); - -var msg5347 = msg("2896", dup222); - -var msg5348 = msg("2897", dup222); - -var msg5349 = msg("2898", dup222); - -var msg5350 = msg("2899", dup222); - -var msg5351 = msg("2900", dup222); - -var msg5352 = msg("2901", dup222); - -var msg5353 = 
msg("2902", dup222); - -var msg5354 = msg("2903", dup222); - -var msg5355 = msg("2904", dup222); - -var msg5356 = msg("2905", dup222); - -var msg5357 = msg("2906", dup222); - -var msg5358 = msg("2907", dup222); - -var msg5359 = msg("2908", dup222); - -var msg5360 = msg("2909", dup222); - -var msg5361 = msg("2910", dup222); - -var msg5362 = msg("2911", dup222); - -var msg5363 = msg("2912", dup222); - -var msg5364 = msg("2913", dup222); - -var msg5365 = msg("2914", dup222); - -var msg5366 = msg("2915", dup222); - -var msg5367 = msg("2916", dup222); - -var msg5368 = msg("2917", dup222); - -var msg5369 = msg("2918", dup222); - -var msg5370 = msg("2919", dup222); - -var msg5371 = msg("2921", dup244); - -var msg5372 = msg("2922", dup196); - -var msg5373 = msg("2923", dup236); - -var msg5374 = msg("2924", dup236); - -var msg5375 = msg("2925", dup196); - -var msg5376 = msg("2926", dup196); - -var msg5377 = msg("2927", dup222); - -var msg5378 = msg("2928", dup276); - -var msg5379 = msg("2929", dup276); - -var msg5380 = msg("2930", dup276); - -var msg5381 = msg("2931", dup276); - -var msg5382 = msg("2932", dup276); - -var msg5383 = msg("2933", dup276); - -var msg5384 = msg("2934", dup276); - -var msg5385 = msg("2935", dup276); - -var msg5386 = msg("2936", dup276); - -var msg5387 = msg("2937", dup276); - -var msg5388 = msg("2938", dup276); - -var msg5389 = msg("2939", dup276); - -var msg5390 = msg("2940", dup276); - -var msg5391 = msg("2941", dup276); - -var msg5392 = msg("2942", dup276); - -var msg5393 = msg("2943", dup276); - -var msg5394 = msg("2944", dup276); - -var msg5395 = msg("2945", dup276); - -var msg5396 = msg("2946", dup276); - -var msg5397 = msg("2947", dup276); - -var msg5398 = msg("2948", dup276); - -var msg5399 = msg("2949", dup276); - -var msg5400 = msg("2950", dup197); - -var msg5401 = msg("2951", dup197); - -var msg5402 = msg("2952", dup246); - -var msg5403 = msg("2953", dup246); - -var msg5404 = msg("2954", dup246); - -var msg5405 = msg("2955", dup246); - 
-var msg5406 = msg("2956", dup276); - -var msg5407 = msg("2957", dup276); - -var msg5408 = msg("2958", dup276); - -var msg5409 = msg("2959", dup276); - -var msg5410 = msg("2960", dup276); - -var msg5411 = msg("2961", dup276); - -var msg5412 = msg("2962", dup276); - -var msg5413 = msg("2963", dup276); - -var msg5414 = msg("2964", dup276); - -var msg5415 = msg("2965", dup276); - -var msg5416 = msg("2966", dup276); - -var msg5417 = msg("2967", dup276); - -var msg5418 = msg("2968", dup276); - -var msg5419 = msg("2969", dup276); - -var msg5420 = msg("2970", dup276); - -var msg5421 = msg("2971", dup276); - -var msg5422 = msg("2972", dup246); - -var msg5423 = msg("2973", dup246); - -var msg5424 = msg("2974", dup246); - -var msg5425 = msg("2975", dup246); - -var msg5426 = msg("2976", dup246); - -var msg5427 = msg("2977", dup246); - -var msg5428 = msg("2978", dup246); - -var msg5429 = msg("2979", dup246); - -var msg5430 = msg("2980", dup246); - -var msg5431 = msg("2981", dup246); - -var msg5432 = msg("2982", dup246); - -var msg5433 = msg("2983", dup246); - -var msg5434 = msg("2984", dup276); - -var msg5435 = msg("2985", dup276); - -var msg5436 = msg("2986", dup276); - -var msg5437 = msg("2987", dup276); - -var msg5438 = msg("2988", dup276); - -var msg5439 = msg("2989", dup276); - -var msg5440 = msg("2990", dup276); - -var msg5441 = msg("2991", dup276); - -var msg5442 = msg("2992", dup276); - -var msg5443 = msg("2993", dup276); - -var msg5444 = msg("2994", dup276); - -var msg5445 = msg("2995", dup276); - -var msg5446 = msg("2996", dup276); - -var msg5447 = msg("2997", dup276); - -var msg5448 = msg("2998", dup276); - -var msg5449 = msg("2999", dup276); - -var msg5450 = msg("3000", dup276); - -var msg5451 = msg("3001", dup276); - -var msg5452 = msg("3002", dup276); - -var msg5453 = msg("3003", dup276); - -var msg5454 = msg("3004", dup276); - -var msg5455 = msg("3005", dup276); - -var msg5456 = msg("3006", dup222); - -var msg5457 = msg("3007", dup222); - -var msg5458 = 
msg("3008", dup222); - -var msg5459 = msg("3009", dup205); - -var msg5460 = msg("3010", dup205); - -var msg5461 = msg("3011", dup205); - -var msg5462 = msg("3012", dup205); - -var msg5463 = msg("3013", dup205); - -var msg5464 = msg("3014", dup205); - -var msg5465 = msg("3015", dup205); - -var msg5466 = msg("3016", dup205); - -var msg5467 = msg("3017", dup222); - -var msg5468 = msg("3018", dup276); - -var msg5469 = msg("3019", dup276); - -var msg5470 = msg("3020", dup276); - -var msg5471 = msg("3021", dup276); - -var msg5472 = msg("3022", dup276); - -var msg5473 = msg("3023", dup276); - -var msg5474 = msg("3024", dup276); - -var msg5475 = msg("3025", dup276); - -var msg5476 = msg("3026", dup276); - -var msg5477 = msg("3027", dup276); - -var msg5478 = msg("3028", dup276); - -var msg5479 = msg("3029", dup276); - -var msg5480 = msg("3030", dup276); - -var msg5481 = msg("3031", dup276); - -var msg5482 = msg("3032", dup276); - -var msg5483 = msg("3033", dup276); - -var msg5484 = msg("3034", dup276); - -var msg5485 = msg("3035", dup276); - -var msg5486 = msg("3036", dup276); - -var msg5487 = msg("3037", dup276); - -var msg5488 = msg("3038", dup276); - -var msg5489 = msg("3039", dup276); - -var msg5490 = msg("3040", dup276); - -var msg5491 = msg("3041", dup276); - -var msg5492 = msg("3042", dup198); - -var msg5493 = msg("3043", dup198); - -var msg5494 = msg("3044", dup198); - -var msg5495 = msg("3045", dup198); - -var msg5496 = msg("3046", dup198); - -var msg5497 = msg("3047", dup198); - -var msg5498 = msg("3048", dup198); - -var msg5499 = msg("3049", dup198); - -var msg5500 = msg("3050", dup198); - -var msg5501 = msg("3051", dup198); - -var msg5502 = msg("3052", dup198); - -var msg5503 = msg("3053", dup198); - -var msg5504 = msg("3054", dup198); - -var msg5505 = msg("3055", dup198); - -var msg5506 = msg("3056", dup198); - -var msg5507 = msg("3057", dup198); - -var msg5508 = msg("3058", dup222); - -var msg5509 = msg("3059", dup265); - -var msg5510 = msg("3060", dup265); - 
-var msg5511 = msg("3061", dup196); - -var msg5512 = msg("3062", dup265); - -var msg5513 = msg("3063", dup205); - -var msg5514 = msg("3064", dup205); - -var msg5515 = msg("3065", dup222); - -var msg5516 = msg("3066", dup222); - -var msg5517 = msg("3067", dup222); - -var msg5518 = msg("3068", dup222); - -var msg5519 = msg("3069", dup222); - -var msg5520 = msg("3070", dup222); - -var msg5521 = msg("3071", dup222); - -var msg5522 = msg("3072", dup222); - -var msg5523 = msg("3073", dup222); - -var msg5524 = msg("3074", dup222); - -var msg5525 = msg("3075", dup222); - -var msg5526 = msg("3076", dup222); - -var msg5527 = msg("3077", dup222); - -var msg5528 = msg("3078", dup222); - -var msg5529 = msg("3079", dup197); - -var msg5530 = msg("3080", dup222); - -var msg5531 = msg("3081", dup205); - -var msg5532 = msg("3082", dup205); - -var msg5533 = msg("3083", dup205); - -var msg5534 = msg("3084", dup222); - -var msg5535 = msg("3085", dup222); - -var msg5536 = msg("3086", dup302); - -var msg5537 = msg("3087", dup267); - -var msg5538 = msg("3088", dup267); - -var msg5539 = msg("3089", dup198); - -var msg5540 = msg("3090", dup276); - -var msg5541 = msg("3091", dup276); - -var msg5542 = msg("3092", dup276); - -var msg5543 = msg("3093", dup276); - -var msg5544 = msg("3094", dup276); - -var msg5545 = msg("3095", dup276); - -var msg5546 = msg("3096", dup276); - -var msg5547 = msg("3097", dup276); - -var msg5548 = msg("3098", dup276); - -var msg5549 = msg("3099", dup276); - -var msg5550 = msg("3100", dup276); - -var msg5551 = msg("3101", dup276); - -var msg5552 = msg("3102", dup276); - -var msg5553 = msg("3103", dup276); - -var msg5554 = msg("3104", dup276); - -var msg5555 = msg("3105", dup276); - -var msg5556 = msg("3106", dup276); - -var msg5557 = msg("3107", dup276); - -var msg5558 = msg("3108", dup276); - -var msg5559 = msg("3109", dup276); - -var msg5560 = msg("3110", dup276); - -var msg5561 = msg("3111", dup276); - -var msg5562 = msg("3112", dup276); - -var msg5563 = 
msg("3113", dup276); - -var msg5564 = msg("3114", dup276); - -var msg5565 = msg("3115", dup276); - -var msg5566 = msg("3116", dup276); - -var msg5567 = msg("3117", dup276); - -var msg5568 = msg("3118", dup276); - -var msg5569 = msg("3119", dup276); - -var msg5570 = msg("3120", dup276); - -var msg5571 = msg("3121", dup276); - -var msg5572 = msg("3122", dup276); - -var msg5573 = msg("3123", dup276); - -var msg5574 = msg("3124", dup276); - -var msg5575 = msg("3125", dup276); - -var msg5576 = msg("3126", dup276); - -var msg5577 = msg("3127", dup276); - -var msg5578 = msg("3128", dup276); - -var msg5579 = msg("3129", dup276); - -var msg5580 = msg("3130", dup197); - -var msg5581 = msg("3131", dup265); - -var msg5582 = msg("3132", dup265); - -var msg5583 = msg("3133", dup265); - -var msg5584 = msg("3134", dup265); - -var msg5585 = msg("3135", dup276); - -var msg5586 = msg("3136", dup276); - -var msg5587 = msg("3137", dup276); - -var msg5588 = msg("3138", dup276); - -var msg5589 = msg("3139", dup276); - -var msg5590 = msg("3140", dup276); - -var msg5591 = msg("3141", dup276); - -var msg5592 = msg("3142", dup276); - -var msg5593 = msg("3143", dup276); - -var msg5594 = msg("3144", dup276); - -var msg5595 = msg("3145", dup276); - -var msg5596 = msg("3146", dup276); - -var msg5597 = msg("3147", dup278); - -var msg5598 = msg("3148", dup265); - -var msg5599 = msg("3149", dup267); - -var msg5600 = msg("3150", dup297); - -var msg5601 = msg("3151", dup225); - -var msg5602 = msg("3152", dup236); - -var msg5603 = msg("3153", dup197); - -var msg5604 = msg("3154", dup197); - -var msg5605 = msg("3155", dup205); - -var msg5606 = msg("3156", dup276); - -var msg5607 = msg("3157", dup276); - -var msg5608 = msg("3158", dup276); - -var msg5609 = msg("3159", dup276); - -var msg5610 = msg("3160", dup276); - -var msg5611 = msg("3161", dup276); - -var msg5612 = msg("3162", dup276); - -var msg5613 = msg("3163", dup276); - -var msg5614 = msg("3164", dup276); - -var msg5615 = msg("3165", dup276); - 
-var msg5616 = msg("3166", dup201); - -var msg5617 = msg("3167", dup276); - -var msg5618 = msg("3168", dup201); - -var msg5619 = msg("3169", dup201); - -var msg5620 = msg("3170", dup201); - -var msg5621 = msg("3171", dup276); - -var msg5622 = msg("3172", dup276); - -var msg5623 = msg("3173", dup276); - -var msg5624 = msg("3174", dup276); - -var msg5625 = msg("3175", dup276); - -var msg5626 = msg("3176", dup276); - -var msg5627 = msg("3177", dup276); - -var msg5628 = msg("3178", dup276); - -var msg5629 = msg("3179", dup276); - -var msg5630 = msg("3180", dup276); - -var msg5631 = msg("3181", dup276); - -var msg5632 = msg("3182", dup276); - -var msg5633 = msg("3183", dup276); - -var msg5634 = msg("3184", dup276); - -var msg5635 = msg("3185", dup276); - -var msg5636 = msg("3186", dup276); - -var msg5637 = msg("3187", dup276); - -var msg5638 = msg("3188", dup276); - -var msg5639 = msg("3189", dup276); - -var msg5640 = msg("3190", dup276); - -var msg5641 = msg("3191", dup276); - -var msg5642 = msg("3192", dup265); - -var msg5643 = msg("3193", dup267); - -var msg5644 = msg("3194", dup267); - -var msg5645 = msg("3195", dup276); - -var msg5646 = msg("3196", dup276); - -var msg5647 = msg("3197", dup276); - -var msg5648 = msg("3198", dup276); - -var msg5649 = msg("3199", dup222); - -var msg5650 = msg("3200", dup222); - -var msg5651 = msg("3201", dup271); - -var msg5652 = msg("3202", dup276); - -var msg5653 = msg("3203", dup276); - -var msg5654 = msg("3204", dup276); - -var msg5655 = msg("3205", dup276); - -var msg5656 = msg("3206", dup276); - -var msg5657 = msg("3207", dup276); - -var msg5658 = msg("3208", dup276); - -var msg5659 = msg("3209", dup276); - -var msg5660 = msg("3210", dup276); - -var msg5661 = msg("3211", dup276); - -var msg5662 = msg("3212", dup276); - -var msg5663 = msg("3213", dup276); - -var msg5664 = msg("3214", dup276); - -var msg5665 = msg("3215", dup276); - -var msg5666 = msg("3216", dup276); - -var msg5667 = msg("3217", dup276); - -var msg5668 = 
msg("3218", dup276); - -var msg5669 = msg("3219", dup276); - -var msg5670 = msg("3220", dup276); - -var msg5671 = msg("3221", dup276); - -var msg5672 = msg("3222", dup276); - -var msg5673 = msg("3223", dup276); - -var msg5674 = msg("3224", dup276); - -var msg5675 = msg("3225", dup276); - -var msg5676 = msg("3226", dup276); - -var msg5677 = msg("3227", dup276); - -var msg5678 = msg("3228", dup276); - -var msg5679 = msg("3229", dup276); - -var msg5680 = msg("3230", dup276); - -var msg5681 = msg("3231", dup276); - -var msg5682 = msg("3232", dup276); - -var msg5683 = msg("3233", dup276); - -var msg5684 = msg("3234", dup276); - -var msg5685 = msg("3235", dup276); - -var msg5686 = msg("3236", dup276); - -var msg5687 = msg("3237", dup276); - -var msg5688 = msg("3238", dup201); - -var msg5689 = msg("3239", dup201); - -var msg5690 = msg("3240", dup276); - -var msg5691 = msg("3241", dup276); - -var msg5692 = msg("3242", dup276); - -var msg5693 = msg("3243", dup276); - -var msg5694 = msg("3244", dup276); - -var msg5695 = msg("3245", dup276); - -var msg5696 = msg("3246", dup276); - -var msg5697 = msg("3247", dup276); - -var msg5698 = msg("3248", dup276); - -var msg5699 = msg("3249", dup276); - -var msg5700 = msg("3250", dup276); - -var msg5701 = msg("3251", dup276); - -var msg5702 = msg("3252", dup276); - -var msg5703 = msg("3253", dup276); - -var msg5704 = msg("3254", dup276); - -var msg5705 = msg("3255", dup276); - -var msg5706 = msg("3256", dup201); - -var msg5707 = msg("3257", dup201); - -var msg5708 = msg("3258", dup201); - -var msg5709 = msg("3259", dup201); - -var msg5710 = msg("3260", dup201); - -var msg5711 = msg("3261", dup201); - -var msg5712 = msg("3262", dup276); - -var msg5713 = msg("3263", dup276); - -var msg5714 = msg("3264", dup276); - -var msg5715 = msg("3265", dup276); - -var msg5716 = msg("3266", dup276); - -var msg5717 = msg("3267", dup276); - -var msg5718 = msg("3268", dup276); - -var msg5719 = msg("3269", dup276); - -var msg5720 = msg("3270", dup276); - 
-var msg5721 = msg("3271", dup276); - -var msg5722 = msg("3272", dup205); - -var msg5723 = msg("3273", dup236); - -var msg5724 = msg("3274", dup278); - -var msg5725 = msg("3275", dup276); - -var msg5726 = msg("3276", dup276); - -var msg5727 = msg("3277", dup255); - -var msg5728 = msg("3278", dup255); - -var msg5729 = msg("3279", dup255); - -var msg5730 = msg("3280", dup255); - -var msg5731 = msg("3281", dup255); - -var msg5732 = msg("3282", dup255); - -var msg5733 = msg("3283", dup255); - -var msg5734 = msg("3284", dup255); - -var msg5735 = msg("3285", dup255); - -var msg5736 = msg("3286", dup255); - -var msg5737 = msg("3287", dup255); - -var msg5738 = msg("3288", dup255); - -var msg5739 = msg("3289", dup255); - -var msg5740 = msg("3290", dup255); - -var msg5741 = msg("3291", dup255); - -var msg5742 = msg("3292", dup255); - -var msg5743 = msg("3293", dup255); - -var msg5744 = msg("3294", dup255); - -var msg5745 = msg("3295", dup255); - -var msg5746 = msg("3296", dup255); - -var msg5747 = msg("3297", dup255); - -var msg5748 = msg("3298", dup255); - -var msg5749 = msg("3299", dup255); - -var msg5750 = msg("3300", dup255); - -var msg5751 = msg("3301", dup255); - -var msg5752 = msg("3302", dup255); - -var msg5753 = msg("3303", dup255); - -var msg5754 = msg("3304", dup255); - -var msg5755 = msg("3305", dup255); - -var msg5756 = msg("3306", dup255); - -var msg5757 = msg("3307", dup255); - -var msg5758 = msg("3308", dup255); - -var msg5759 = msg("3309", dup255); - -var msg5760 = msg("3310", dup255); - -var msg5761 = msg("3311", dup255); - -var msg5762 = msg("3312", dup255); - -var msg5763 = msg("3313", dup255); - -var msg5764 = msg("3314", dup255); - -var msg5765 = msg("3315", dup255); - -var msg5766 = msg("3316", dup255); - -var msg5767 = msg("3317", dup255); - -var msg5768 = msg("3318", dup255); - -var msg5769 = msg("3319", dup255); - -var msg5770 = msg("3320", dup255); - -var msg5771 = msg("3321", dup255); - -var msg5772 = msg("3322", dup255); - -var msg5773 = 
msg("3323", dup255); - -var msg5774 = msg("3324", dup255); - -var msg5775 = msg("3325", dup255); - -var msg5776 = msg("3326", dup255); - -var msg5777 = msg("3327", dup255); - -var msg5778 = msg("3328", dup255); - -var msg5779 = msg("3329", dup255); - -var msg5780 = msg("3330", dup255); - -var msg5781 = msg("3331", dup255); - -var msg5782 = msg("3332", dup255); - -var msg5783 = msg("3333", dup255); - -var msg5784 = msg("3334", dup255); - -var msg5785 = msg("3335", dup255); - -var msg5786 = msg("3336", dup255); - -var msg5787 = msg("3337", dup255); - -var msg5788 = msg("3338", dup255); - -var msg5789 = msg("3339", dup255); - -var msg5790 = msg("3340", dup255); - -var msg5791 = msg("3341", dup255); - -var msg5792 = msg("3342", dup255); - -var msg5793 = msg("3343", dup255); - -var msg5794 = msg("3344", dup255); - -var msg5795 = msg("3345", dup255); - -var msg5796 = msg("3346", dup255); - -var msg5797 = msg("3347", dup255); - -var msg5798 = msg("3348", dup255); - -var msg5799 = msg("3349", dup255); - -var msg5800 = msg("3350", dup255); - -var msg5801 = msg("3351", dup255); - -var msg5802 = msg("3352", dup255); - -var msg5803 = msg("3353", dup255); - -var msg5804 = msg("3354", dup255); - -var msg5805 = msg("3355", dup255); - -var msg5806 = msg("3356", dup255); - -var msg5807 = msg("3357", dup255); - -var msg5808 = msg("3358", dup255); - -var msg5809 = msg("3359", dup255); - -var msg5810 = msg("3360", dup255); - -var msg5811 = msg("3361", dup255); - -var msg5812 = msg("3362", dup255); - -var msg5813 = msg("3363", dup255); - -var msg5814 = msg("3364", dup255); - -var msg5815 = msg("3365", dup255); - -var msg5816 = msg("3366", dup255); - -var msg5817 = msg("3367", dup255); - -var msg5818 = msg("3368", dup255); - -var msg5819 = msg("3369", dup255); - -var msg5820 = msg("3370", dup255); - -var msg5821 = msg("3371", dup255); - -var msg5822 = msg("3372", dup255); - -var msg5823 = msg("3373", dup255); - -var msg5824 = msg("3374", dup255); - -var msg5825 = msg("3375", dup255); - 
-var msg5826 = msg("3376", dup255); - -var msg5827 = msg("3377", dup276); - -var msg5828 = msg("3378", dup276); - -var msg5829 = msg("3379", dup276); - -var msg5830 = msg("3380", dup276); - -var msg5831 = msg("3381", dup276); - -var msg5832 = msg("3382", dup276); - -var msg5833 = msg("3383", dup276); - -var msg5834 = msg("3384", dup276); - -var msg5835 = msg("3385", dup276); - -var msg5836 = msg("3386", dup276); - -var msg5837 = msg("3387", dup276); - -var msg5838 = msg("3388", dup276); - -var msg5839 = msg("3389", dup276); - -var msg5840 = msg("3390", dup276); - -var msg5841 = msg("3391", dup276); - -var msg5842 = msg("3392", dup276); - -var msg5843 = msg("3393", dup276); - -var msg5844 = msg("3394", dup276); - -var msg5845 = msg("3395", dup276); - -var msg5846 = msg("3396", dup276); - -var msg5847 = msg("3397", dup276); - -var msg5848 = msg("3398", dup276); - -var msg5849 = msg("3399", dup276); - -var msg5850 = msg("3400", dup276); - -var msg5851 = msg("3401", dup276); - -var msg5852 = msg("3402", dup276); - -var msg5853 = msg("3403", dup276); - -var msg5854 = msg("3404", dup276); - -var msg5855 = msg("3405", dup276); - -var msg5856 = msg("3406", dup276); - -var msg5857 = msg("3407", dup276); - -var msg5858 = msg("3408", dup276); - -var msg5859 = msg("3409", dup276); - -var msg5860 = msg("3410", dup276); - -var msg5861 = msg("3411", dup276); - -var msg5862 = msg("3412", dup276); - -var msg5863 = msg("3413", dup276); - -var msg5864 = msg("3414", dup276); - -var msg5865 = msg("3415", dup276); - -var msg5866 = msg("3416", dup276); - -var msg5867 = msg("3417", dup276); - -var msg5868 = msg("3418", dup276); - -var msg5869 = msg("3419", dup276); - -var msg5870 = msg("3420", dup276); - -var msg5871 = msg("3421", dup276); - -var msg5872 = msg("3422", dup276); - -var msg5873 = msg("3423", dup276); - -var msg5874 = msg("3424", dup276); - -var msg5875 = msg("3425", dup276); - -var msg5876 = msg("3426", dup276); - -var msg5877 = msg("3427", dup276); - -var msg5878 = 
msg("3428", dup276); - -var msg5879 = msg("3429", dup276); - -var msg5880 = msg("3430", dup276); - -var msg5881 = msg("3431", dup276); - -var msg5882 = msg("3432", dup276); - -var msg5883 = msg("3433", dup276); - -var msg5884 = msg("3434", dup276); - -var msg5885 = msg("3435", dup276); - -var msg5886 = msg("3436", dup276); - -var msg5887 = msg("3437", dup276); - -var msg5888 = msg("3438", dup276); - -var msg5889 = msg("3439", dup276); - -var msg5890 = msg("3440", dup276); - -var msg5891 = msg("3441", dup227); - -var msg5892 = msg("3442", dup198); - -var msg5893 = msg("3443", dup240); - -var msg5894 = msg("3444", dup240); - -var msg5895 = msg("3445", dup240); - -var msg5896 = msg("3446", dup240); - -var msg5897 = msg("3447", dup240); - -var msg5898 = msg("3448", dup240); - -var msg5899 = msg("3449", dup240); - -var msg5900 = msg("3450", dup240); - -var msg5901 = msg("3451", dup240); - -var msg5902 = msg("3452", dup240); - -var msg5903 = msg("3453", dup196); - -var msg5904 = msg("3454", dup196); - -var msg5905 = msg("3455", dup197); - -var msg5906 = msg("3456", dup240); - -var msg5907 = msg("3457", dup222); - -var msg5908 = msg("3458", dup222); - -var msg5909 = msg("3459", dup196); - -var msg5910 = msg("3460", dup227); - -var msg5911 = msg("3461", dup297); - -var msg5912 = msg("3462", dup222); - -var msg5913 = msg("3463", dup265); - -var msg5914 = msg("3464", dup267); - -var msg5915 = msg("3465", dup265); - -var msg5916 = msg("3466", dup267); - -var msg5917 = msg("3467", dup265); - -var msg5918 = msg("3468", dup265); - -var msg5919 = msg("3469", dup198); - -var msg5920 = msg("3470", dup197); - -var msg5921 = msg("3471", dup267); - -var msg5922 = msg("3472", dup197); - -var msg5923 = msg("3473", dup267); - -var msg5924 = msg("3474", dup197); - -var msg5925 = msg("3475", dup197); - -var msg5926 = msg("3476", dup197); - -var msg5927 = msg("3477", dup197); - -var msg5928 = msg("3478", dup197); - -var msg5929 = msg("3479", dup197); - -var msg5930 = msg("3480", dup197); - 
-var msg5931 = msg("3481", dup197); - -var msg5932 = msg("3482", dup197); - -var msg5933 = msg("3483", dup197); - -var msg5934 = msg("3484", dup197); - -var msg5935 = msg("3485", dup197); - -var msg5936 = msg("3486", dup265); - -var msg5937 = msg("3487", dup196); - -var msg5938 = msg("3488", dup196); - -var msg5939 = msg("3489", dup196); - -var msg5940 = msg("3490", dup196); - -var msg5941 = msg("3491", dup196); - -var msg5942 = msg("3492", dup196); - -var msg5943 = msg("3493", dup250); - -var msg5944 = msg("3494", dup250); - -var msg5945 = msg("3495", dup250); - -var msg5946 = msg("3496", dup250); - -var msg5947 = msg("3497", dup250); - -var msg5948 = msg("3498", dup250); - -var msg5949 = msg("3499", dup298); - -var msg5950 = msg("3500", dup298); - -var msg5951 = msg("3501", dup298); - -var msg5952 = msg("3502", dup298); - -var msg5953 = msg("3503", dup298); - -var msg5954 = msg("3504", dup298); - -var msg5955 = msg("3505", dup298); - -var msg5956 = msg("3506", dup298); - -var msg5957 = msg("3507", dup298); - -var msg5958 = msg("3508", dup298); - -var msg5959 = msg("3509", dup298); - -var msg5960 = msg("3510", dup298); - -var msg5961 = msg("3511", dup222); - -var msg5962 = msg("3512", dup196); - -var msg5963 = msg("3513", dup196); - -var msg5964 = msg("3514", dup196); - -var msg5965 = msg("3515", dup196); - -var msg5966 = msg("3516", dup196); - -var msg5967 = msg("3517", dup222); - -var msg5968 = msg("3518", dup197); - -var msg5969 = msg("3519", dup197); - -var msg5970 = msg("3520", dup222); - -var msg5971 = msg("3521", dup222); - -var msg5972 = msg("3522", dup222); - -var msg5973 = msg("3523", dup227); - -var msg5974 = msg("3524", dup196); - -var msg5975 = msg("3525", dup196); - -var msg5976 = msg("3526", dup222); - -var msg5977 = msg("3527", dup222); - -var msg5978 = msg("3528", dup240); - -var msg5979 = msg("3529", dup222); - -var msg5980 = msg("3530", dup197); - -var msg5981 = msg("3531", dup197); - -var msg5982 = msg("3532", dup222); - -var msg5983 = 
msg("3533", dup278); - -var msg5984 = msg("3534", dup197); - -var msg5985 = msg("3535", dup196); - -var msg5986 = msg("3536", dup197); - -var msg5987 = msg("3537", dup278); - -var msg5988 = msg("3538", dup222); - -var msg5989 = msg("3539", dup222); - -var msg5990 = msg("3540", dup222); - -var msg5991 = msg("3541", dup222); - -var msg5992 = msg("3542", dup240); - -var msg5993 = msg("3543", dup240); - -var msg5994 = msg("3544", dup265); - -var msg5995 = msg("3545", dup265); - -var msg5996 = msg("3546", dup267); - -var msg5997 = msg("3547", dup267); - -var msg5998 = msg("3548", dup265); - -var msg5999 = msg("3549", dup265); - -var msg6000 = msg("3550", dup267); - -var msg6001 = msg("3551", dup265); - -var msg6002 = msg("3552", dup265); - -var msg6003 = msg("3553", dup265); - -var msg6004 = msg("3554", dup276); - -var msg6005 = msg("3555", dup276); - -var msg6006 = msg("3556", dup276); - -var msg6007 = msg("3557", dup276); - -var msg6008 = msg("3558", dup276); - -var msg6009 = msg("3559", dup276); - -var msg6010 = msg("3560", dup276); - -var msg6011 = msg("3561", dup276); - -var msg6012 = msg("3562", dup276); - -var msg6013 = msg("3563", dup276); - -var msg6014 = msg("3564", dup276); - -var msg6015 = msg("3565", dup276); - -var msg6016 = msg("3566", dup276); - -var msg6017 = msg("3567", dup276); - -var msg6018 = msg("3568", dup276); - -var msg6019 = msg("3569", dup276); - -var msg6020 = msg("3570", dup276); - -var msg6021 = msg("3571", dup276); - -var msg6022 = msg("3572", dup276); - -var msg6023 = msg("3573", dup276); - -var msg6024 = msg("3574", dup276); - -var msg6025 = msg("3575", dup276); - -var msg6026 = msg("3576", dup276); - -var msg6027 = msg("3577", dup276); - -var msg6028 = msg("3578", dup276); - -var msg6029 = msg("3579", dup276); - -var msg6030 = msg("3580", dup276); - -var msg6031 = msg("3581", dup276); - -var msg6032 = msg("3582", dup276); - -var msg6033 = msg("3583", dup276); - -var msg6034 = msg("3584", dup276); - -var msg6035 = msg("3585", dup276); - 
-var msg6036 = msg("3586", dup276); - -var msg6037 = msg("3587", dup276); - -var msg6038 = msg("3588", dup276); - -var msg6039 = msg("3589", dup276); - -var msg6040 = msg("3590", dup276); - -var msg6041 = msg("3591", dup276); - -var msg6042 = msg("3592", dup276); - -var msg6043 = msg("3593", dup276); - -var msg6044 = msg("3594", dup276); - -var msg6045 = msg("3595", dup276); - -var msg6046 = msg("3596", dup276); - -var msg6047 = msg("3597", dup276); - -var msg6048 = msg("3598", dup276); - -var msg6049 = msg("3599", dup276); - -var msg6050 = msg("3600", dup276); - -var msg6051 = msg("3601", dup276); - -var msg6052 = msg("3602", dup276); - -var msg6053 = msg("3603", dup276); - -var msg6054 = msg("3604", dup276); - -var msg6055 = msg("3605", dup276); - -var msg6056 = msg("3606", dup276); - -var msg6057 = msg("3607", dup276); - -var msg6058 = msg("3608", dup276); - -var msg6059 = msg("3609", dup276); - -var msg6060 = msg("3610", dup276); - -var msg6061 = msg("3611", dup276); - -var msg6062 = msg("3612", dup276); - -var msg6063 = msg("3613", dup276); - -var msg6064 = msg("3614", dup276); - -var msg6065 = msg("3615", dup276); - -var msg6066 = msg("3616", dup276); - -var msg6067 = msg("3617", dup276); - -var msg6068 = msg("3618", dup276); - -var msg6069 = msg("3619", dup276); - -var msg6070 = msg("3620", dup276); - -var msg6071 = msg("3621", dup276); - -var msg6072 = msg("3622", dup276); - -var msg6073 = msg("3623", dup276); - -var msg6074 = msg("3624", dup276); - -var msg6075 = msg("3625", dup276); - -var msg6076 = msg("3626", dup198); - -var msg6077 = msg("3627", dup196); - -var msg6078 = msg("3628", dup196); - -var msg6079 = msg("3629", dup265); - -var msg6080 = msg("3630", dup222); - -var msg6081 = msg("3631", dup222); - -var msg6082 = msg("3632", dup267); - -var msg6083 = msg("3633", dup196); - -var msg6084 = msg("3634", dup267); - -var msg6085 = msg("3635", dup205); - -var msg6086 = msg("3636", dup205); - -var msg6087 = msg("3637", dup196); - -var msg6088 = 
msg("3638", dup267); - -var msg6089 = msg("3639", dup198); - -var msg6090 = msg("3640", dup198); - -var msg6091 = msg("3641", dup198); - -var msg6092 = msg("3642", dup198); - -var msg6093 = msg("3643", dup198); - -var msg6094 = msg("3644", dup198); - -var msg6095 = msg("3645", dup198); - -var msg6096 = msg("3646", dup198); - -var msg6097 = msg("3647", dup198); - -var msg6098 = msg("3648", dup198); - -var msg6099 = msg("3649", dup198); - -var msg6100 = msg("3650", dup198); - -var msg6101 = msg("3651", dup222); - -var msg6102 = msg("3652", dup222); - -var msg6103 = msg("3653", dup222); - -var msg6104 = msg("3654", dup222); - -var msg6105 = msg("3655", dup222); - -var msg6106 = msg("3656", dup222); - -var msg6107 = msg("3657", dup196); - -var msg6108 = msg("3658", dup222); - -var msg6109 = msg("3659", dup222); - -var msg6110 = msg("3660", dup222); - -var msg6111 = msg("3661", dup222); - -var msg6112 = msg("3662", dup222); - -var msg6113 = msg("3663", dup222); - -var msg6114 = msg("3664", dup222); - -var msg6115 = msg("3665", dup196); - -var msg6116 = msg("3666", dup196); - -var msg6117 = msg("3667", dup285); - -var msg6118 = msg("3668", dup285); - -var msg6119 = msg("3669", dup260); - -var msg6120 = msg("3670", dup260); - -var msg6121 = msg("3671", dup260); - -var msg6122 = msg("3672", dup260); - -var msg6123 = msg("3673", dup198); - -var msg6124 = msg("3674", dup265); - -var msg6125 = msg("3675", dup198); - -var msg6126 = msg("3676", dup265); - -var msg6127 = msg("3677", dup201); - -var msg6128 = msg("3678", dup201); - -var msg6129 = msg("3679", dup201); - -var msg6130 = msg("3680", dup196); - -var msg6131 = msg("3681", dup196); - -var msg6132 = msg("3682", dup250); - -var msg6133 = msg("3683", dup267); - -var msg6134 = msg("3684", dup196); - -var msg6135 = msg("3685", dup201); - -var msg6136 = msg("3686", dup197); - -var msg6137 = msg("3687", dup248); - -var msg6138 = msg("3688", dup248); - -var msg6139 = msg("3689", dup267); - -var msg6140 = msg("3690", dup260); - 
-var msg6141 = msg("3691", dup196); - -var msg6142 = msg("3692", dup196); - -var msg6143 = msg("3693", dup267); - -var msg6144 = msg("3694", dup265); - -var msg6145 = msg("3695", dup222); - -var msg6146 = msg("3696", dup198); - -var msg6147 = msg("3697", dup276); - -var msg6148 = msg("3698", dup276); - -var msg6149 = msg("3699", dup276); - -var msg6150 = msg("3700", dup276); - -var msg6151 = msg("3701", dup276); - -var msg6152 = msg("3702", dup276); - -var msg6153 = msg("3703", dup276); - -var msg6154 = msg("3704", dup276); - -var msg6155 = msg("3705", dup276); - -var msg6156 = msg("3706", dup276); - -var msg6157 = msg("3707", dup276); - -var msg6158 = msg("3708", dup276); - -var msg6159 = msg("3709", dup276); - -var msg6160 = msg("3710", dup276); - -var msg6161 = msg("3711", dup276); - -var msg6162 = msg("3712", dup276); - -var msg6163 = msg("3713", dup276); - -var msg6164 = msg("3714", dup276); - -var msg6165 = msg("3715", dup276); - -var msg6166 = msg("3716", dup276); - -var msg6167 = msg("3717", dup276); - -var msg6168 = msg("3718", dup276); - -var msg6169 = msg("3719", dup276); - -var msg6170 = msg("3720", dup276); - -var msg6171 = msg("3721", dup276); - -var msg6172 = msg("3722", dup276); - -var msg6173 = msg("3723", dup276); - -var msg6174 = msg("3724", dup276); - -var msg6175 = msg("3725", dup276); - -var msg6176 = msg("3726", dup276); - -var msg6177 = msg("3727", dup276); - -var msg6178 = msg("3728", dup276); - -var msg6179 = msg("3729", dup276); - -var msg6180 = msg("3730", dup276); - -var msg6181 = msg("3731", dup276); - -var msg6182 = msg("3732", dup276); - -var msg6183 = msg("3733", dup276); - -var msg6184 = msg("3734", dup276); - -var msg6185 = msg("3735", dup276); - -var msg6186 = msg("3736", dup276); - -var msg6187 = msg("3737", dup276); - -var msg6188 = msg("3738", dup276); - -var msg6189 = msg("3739", dup276); - -var msg6190 = msg("3740", dup276); - -var msg6191 = msg("3741", dup276); - -var msg6192 = msg("3742", dup276); - -var msg6193 = 
msg("3743", dup276); - -var msg6194 = msg("3744", dup276); - -var msg6195 = msg("3745", dup276); - -var msg6196 = msg("3746", dup276); - -var msg6197 = msg("3747", dup276); - -var msg6198 = msg("3748", dup276); - -var msg6199 = msg("3749", dup276); - -var msg6200 = msg("3750", dup276); - -var msg6201 = msg("3751", dup276); - -var msg6202 = msg("3752", dup276); - -var msg6203 = msg("3753", dup276); - -var msg6204 = msg("3754", dup276); - -var msg6205 = msg("3755", dup276); - -var msg6206 = msg("3756", dup276); - -var msg6207 = msg("3757", dup276); - -var msg6208 = msg("3758", dup276); - -var msg6209 = msg("3759", dup276); - -var msg6210 = msg("3760", dup276); - -var msg6211 = msg("3761", dup276); - -var msg6212 = msg("3762", dup276); - -var msg6213 = msg("3763", dup276); - -var msg6214 = msg("3764", dup276); - -var msg6215 = msg("3765", dup276); - -var msg6216 = msg("3766", dup276); - -var msg6217 = msg("3767", dup276); - -var msg6218 = msg("3768", dup276); - -var msg6219 = msg("3769", dup276); - -var msg6220 = msg("3770", dup276); - -var msg6221 = msg("3771", dup276); - -var msg6222 = msg("3772", dup276); - -var msg6223 = msg("3773", dup276); - -var msg6224 = msg("3774", dup276); - -var msg6225 = msg("3775", dup276); - -var msg6226 = msg("3776", dup276); - -var msg6227 = msg("3777", dup276); - -var msg6228 = msg("3778", dup276); - -var msg6229 = msg("3779", dup276); - -var msg6230 = msg("3780", dup276); - -var msg6231 = msg("3781", dup276); - -var msg6232 = msg("3782", dup276); - -var msg6233 = msg("3783", dup276); - -var msg6234 = msg("3784", dup276); - -var msg6235 = msg("3785", dup276); - -var msg6236 = msg("3786", dup276); - -var msg6237 = msg("3787", dup276); - -var msg6238 = msg("3788", dup276); - -var msg6239 = msg("3789", dup276); - -var msg6240 = msg("3790", dup276); - -var msg6241 = msg("3791", dup276); - -var msg6242 = msg("3792", dup276); - -var msg6243 = msg("3793", dup276); - -var msg6244 = msg("3794", dup276); - -var msg6245 = msg("3795", dup276); - 
-var msg6246 = msg("3796", dup276); - -var msg6247 = msg("3797", dup276); - -var msg6248 = msg("3798", dup276); - -var msg6249 = msg("3799", dup276); - -var msg6250 = msg("3800", dup276); - -var msg6251 = msg("3801", dup276); - -var msg6252 = msg("3802", dup276); - -var msg6253 = msg("3803", dup276); - -var msg6254 = msg("3804", dup276); - -var msg6255 = msg("3805", dup276); - -var msg6256 = msg("3806", dup276); - -var msg6257 = msg("3807", dup276); - -var msg6258 = msg("3808", dup276); - -var msg6259 = msg("3809", dup276); - -var msg6260 = msg("3810", dup276); - -var msg6261 = msg("3811", dup276); - -var msg6262 = msg("3812", dup276); - -var msg6263 = msg("3813", dup267); - -var msg6264 = msg("3814", dup265); - -var msg6265 = msg("3815", dup222); - -var msg6266 = msg("3816", dup267); - -var msg6267 = msg("3817", dup295); - -var msg6268 = msg("3818", dup295); - -var msg6269 = msg("3819", dup196); - -var msg6270 = msg("3820", dup265); - -var msg6271 = msg("3821", dup265); - -var msg6272 = msg("3822", dup265); - -var msg6273 = msg("3823", dup267); - -var msg6274 = msg("3824", dup222); - -var msg6275 = msg("3825", dup196); - -var msg6276 = msg("3826", dup196); - -var msg6277 = msg("3827", dup265); - -var msg6278 = msg("3828", dup276); - -var msg6279 = msg("3829", dup276); - -var msg6280 = msg("3830", dup276); - -var msg6281 = msg("3831", dup276); - -var msg6282 = msg("3832", dup276); - -var msg6283 = msg("3833", dup276); - -var msg6284 = msg("3834", dup276); - -var msg6285 = msg("3835", dup276); - -var msg6286 = msg("3836", dup276); - -var msg6287 = msg("3837", dup276); - -var msg6288 = msg("3838", dup276); - -var msg6289 = msg("3839", dup276); - -var msg6290 = msg("3840", dup276); - -var msg6291 = msg("3841", dup276); - -var msg6292 = msg("3842", dup276); - -var msg6293 = msg("3843", dup276); - -var msg6294 = msg("3844", dup276); - -var msg6295 = msg("3845", dup276); - -var msg6296 = msg("3846", dup276); - -var msg6297 = msg("3847", dup276); - -var msg6298 = 
msg("3848", dup276); - -var msg6299 = msg("3849", dup276); - -var msg6300 = msg("3850", dup276); - -var msg6301 = msg("3851", dup276); - -var msg6302 = msg("3852", dup276); - -var msg6303 = msg("3853", dup276); - -var msg6304 = msg("3854", dup276); - -var msg6305 = msg("3855", dup276); - -var msg6306 = msg("3856", dup276); - -var msg6307 = msg("3857", dup276); - -var msg6308 = msg("3858", dup276); - -var msg6309 = msg("3859", dup276); - -var msg6310 = msg("3860", dup276); - -var msg6311 = msg("3861", dup276); - -var msg6312 = msg("3862", dup276); - -var msg6313 = msg("3863", dup276); - -var msg6314 = msg("3864", dup276); - -var msg6315 = msg("3865", dup276); - -var msg6316 = msg("3866", dup276); - -var msg6317 = msg("3867", dup276); - -var msg6318 = msg("3868", dup276); - -var msg6319 = msg("3869", dup276); - -var msg6320 = msg("3870", dup276); - -var msg6321 = msg("3871", dup276); - -var msg6322 = msg("3872", dup276); - -var msg6323 = msg("3873", dup276); - -var msg6324 = msg("3874", dup276); - -var msg6325 = msg("3875", dup276); - -var msg6326 = msg("3876", dup276); - -var msg6327 = msg("3877", dup276); - -var msg6328 = msg("3878", dup276); - -var msg6329 = msg("3879", dup276); - -var msg6330 = msg("3880", dup276); - -var msg6331 = msg("3881", dup276); - -var msg6332 = msg("3882", dup276); - -var msg6333 = msg("3883", dup276); - -var msg6334 = msg("3884", dup276); - -var msg6335 = msg("3885", dup276); - -var msg6336 = msg("3886", dup276); - -var msg6337 = msg("3887", dup276); - -var msg6338 = msg("3888", dup276); - -var msg6339 = msg("3889", dup276); - -var msg6340 = msg("3890", dup276); - -var msg6341 = msg("3891", dup276); - -var msg6342 = msg("3892", dup276); - -var msg6343 = msg("3893", dup276); - -var msg6344 = msg("3894", dup276); - -var msg6345 = msg("3895", dup276); - -var msg6346 = msg("3896", dup276); - -var msg6347 = msg("3897", dup276); - -var msg6348 = msg("3898", dup276); - -var msg6349 = msg("3899", dup276); - -var msg6350 = msg("3900", dup276); - 
-var msg6351 = msg("3901", dup276); - -var msg6352 = msg("3902", dup276); - -var msg6353 = msg("3903", dup276); - -var msg6354 = msg("3904", dup276); - -var msg6355 = msg("3905", dup276); - -var msg6356 = msg("3906", dup276); - -var msg6357 = msg("3907", dup276); - -var msg6358 = msg("3908", dup276); - -var msg6359 = msg("3909", dup276); - -var msg6360 = msg("3910", dup276); - -var msg6361 = msg("3911", dup276); - -var msg6362 = msg("3912", dup276); - -var msg6363 = msg("3913", dup276); - -var msg6364 = msg("3914", dup276); - -var msg6365 = msg("3915", dup276); - -var msg6366 = msg("3916", dup276); - -var msg6367 = msg("3917", dup276); - -var msg6368 = msg("3918", dup276); - -var msg6369 = msg("3919", dup276); - -var msg6370 = msg("3920", dup276); - -var msg6371 = msg("3921", dup276); - -var msg6372 = msg("3922", dup276); - -var msg6373 = msg("3923", dup276); - -var msg6374 = msg("3924", dup276); - -var msg6375 = msg("3925", dup276); - -var msg6376 = msg("3926", dup276); - -var msg6377 = msg("3927", dup276); - -var msg6378 = msg("3928", dup276); - -var msg6379 = msg("3929", dup276); - -var msg6380 = msg("3930", dup276); - -var msg6381 = msg("3931", dup276); - -var msg6382 = msg("3932", dup276); - -var msg6383 = msg("3933", dup276); - -var msg6384 = msg("3934", dup276); - -var msg6385 = msg("3935", dup276); - -var msg6386 = msg("3936", dup276); - -var msg6387 = msg("3937", dup276); - -var msg6388 = msg("3938", dup276); - -var msg6389 = msg("3939", dup276); - -var msg6390 = msg("3940", dup276); - -var msg6391 = msg("3941", dup276); - -var msg6392 = msg("3942", dup276); - -var msg6393 = msg("3943", dup276); - -var msg6394 = msg("3944", dup276); - -var msg6395 = msg("3945", dup276); - -var msg6396 = msg("3946", dup276); - -var msg6397 = msg("3947", dup276); - -var msg6398 = msg("3948", dup276); - -var msg6399 = msg("3949", dup276); - -var msg6400 = msg("3950", dup276); - -var msg6401 = msg("3951", dup276); - -var msg6402 = msg("3952", dup276); - -var msg6403 = 
msg("3953", dup276); - -var msg6404 = msg("3954", dup276); - -var msg6405 = msg("3955", dup276); - -var msg6406 = msg("3956", dup276); - -var msg6407 = msg("3957", dup276); - -var msg6408 = msg("3958", dup276); - -var msg6409 = msg("3959", dup276); - -var msg6410 = msg("3960", dup276); - -var msg6411 = msg("3961", dup276); - -var msg6412 = msg("3962", dup276); - -var msg6413 = msg("3963", dup276); - -var msg6414 = msg("3964", dup276); - -var msg6415 = msg("3965", dup276); - -var msg6416 = msg("3966", dup276); - -var msg6417 = msg("3967", dup276); - -var msg6418 = msg("3968", dup276); - -var msg6419 = msg("3969", dup276); - -var msg6420 = msg("3970", dup276); - -var msg6421 = msg("3971", dup276); - -var msg6422 = msg("3972", dup276); - -var msg6423 = msg("3973", dup276); - -var msg6424 = msg("3974", dup276); - -var msg6425 = msg("3975", dup276); - -var msg6426 = msg("3976", dup276); - -var msg6427 = msg("3977", dup276); - -var msg6428 = msg("3978", dup276); - -var msg6429 = msg("3979", dup276); - -var msg6430 = msg("3980", dup276); - -var msg6431 = msg("3981", dup276); - -var msg6432 = msg("3982", dup276); - -var msg6433 = msg("3983", dup276); - -var msg6434 = msg("3984", dup276); - -var msg6435 = msg("3985", dup276); - -var msg6436 = msg("3986", dup276); - -var msg6437 = msg("3987", dup276); - -var msg6438 = msg("3988", dup276); - -var msg6439 = msg("3989", dup276); - -var msg6440 = msg("3990", dup276); - -var msg6441 = msg("3991", dup276); - -var msg6442 = msg("3992", dup276); - -var msg6443 = msg("3993", dup276); - -var msg6444 = msg("3994", dup276); - -var msg6445 = msg("3995", dup276); - -var msg6446 = msg("3996", dup276); - -var msg6447 = msg("3997", dup276); - -var msg6448 = msg("3998", dup276); - -var msg6449 = msg("3999", dup276); - -var msg6450 = msg("4000", dup276); - -var msg6451 = msg("4001", dup276); - -var msg6452 = msg("4002", dup276); - -var msg6453 = msg("4003", dup276); - -var msg6454 = msg("4004", dup276); - -var msg6455 = msg("4005", dup276); - 
-var msg6456 = msg("4006", dup276); - -var msg6457 = msg("4007", dup276); - -var msg6458 = msg("4008", dup276); - -var msg6459 = msg("4009", dup276); - -var msg6460 = msg("4010", dup276); - -var msg6461 = msg("4011", dup276); - -var msg6462 = msg("4012", dup276); - -var msg6463 = msg("4013", dup276); - -var msg6464 = msg("4014", dup276); - -var msg6465 = msg("4015", dup276); - -var msg6466 = msg("4016", dup276); - -var msg6467 = msg("4017", dup276); - -var msg6468 = msg("4018", dup276); - -var msg6469 = msg("4019", dup276); - -var msg6470 = msg("4020", dup276); - -var msg6471 = msg("4021", dup276); - -var msg6472 = msg("4022", dup276); - -var msg6473 = msg("4023", dup276); - -var msg6474 = msg("4024", dup276); - -var msg6475 = msg("4025", dup276); - -var msg6476 = msg("4026", dup276); - -var msg6477 = msg("4027", dup276); - -var msg6478 = msg("4028", dup276); - -var msg6479 = msg("4029", dup276); - -var msg6480 = msg("4030", dup276); - -var msg6481 = msg("4031", dup276); - -var msg6482 = msg("4032", dup276); - -var msg6483 = msg("4033", dup276); - -var msg6484 = msg("4034", dup276); - -var msg6485 = msg("4035", dup276); - -var msg6486 = msg("4036", dup276); - -var msg6487 = msg("4037", dup276); - -var msg6488 = msg("4038", dup276); - -var msg6489 = msg("4039", dup276); - -var msg6490 = msg("4040", dup276); - -var msg6491 = msg("4041", dup276); - -var msg6492 = msg("4042", dup276); - -var msg6493 = msg("4043", dup276); - -var msg6494 = msg("4044", dup276); - -var msg6495 = msg("4045", dup276); - -var msg6496 = msg("4046", dup276); - -var msg6497 = msg("4047", dup276); - -var msg6498 = msg("4048", dup276); - -var msg6499 = msg("4049", dup276); - -var msg6500 = msg("4050", dup276); - -var msg6501 = msg("4051", dup276); - -var msg6502 = msg("4052", dup276); - -var msg6503 = msg("4053", dup276); - -var msg6504 = msg("4054", dup276); - -var msg6505 = msg("4055", dup276); - -var msg6506 = msg("4056", dup276); - -var msg6507 = msg("4057", dup276); - -var msg6508 = 
msg("4058", dup276); - -var msg6509 = msg("4059", dup276); - -var msg6510 = msg("4060", dup196); - -var msg6511 = msg("4061", dup276); - -var msg6512 = msg("4062", dup276); - -var msg6513 = msg("4063", dup276); - -var msg6514 = msg("4064", dup276); - -var msg6515 = msg("4065", dup276); - -var msg6516 = msg("4066", dup276); - -var msg6517 = msg("4067", dup276); - -var msg6518 = msg("4068", dup276); - -var msg6519 = msg("4069", dup276); - -var msg6520 = msg("4070", dup276); - -var msg6521 = msg("4071", dup276); - -var msg6522 = msg("4072", dup276); - -var msg6523 = msg("4073", dup276); - -var msg6524 = msg("4074", dup276); - -var msg6525 = msg("4075", dup276); - -var msg6526 = msg("4076", dup276); - -var msg6527 = msg("4077", dup276); - -var msg6528 = msg("4078", dup276); - -var msg6529 = msg("4079", dup276); - -var msg6530 = msg("4080", dup276); - -var msg6531 = msg("4081", dup276); - -var msg6532 = msg("4082", dup276); - -var msg6533 = msg("4083", dup276); - -var msg6534 = msg("4084", dup276); - -var msg6535 = msg("4085", dup276); - -var msg6536 = msg("4086", dup276); - -var msg6537 = msg("4087", dup276); - -var msg6538 = msg("4088", dup276); - -var msg6539 = msg("4089", dup276); - -var msg6540 = msg("4090", dup276); - -var msg6541 = msg("4091", dup276); - -var msg6542 = msg("4092", dup276); - -var msg6543 = msg("4093", dup276); - -var msg6544 = msg("4094", dup276); - -var msg6545 = msg("4095", dup276); - -var msg6546 = msg("4096", dup276); - -var msg6547 = msg("4097", dup276); - -var msg6548 = msg("4098", dup276); - -var msg6549 = msg("4099", dup276); - -var msg6550 = msg("4100", dup276); - -var msg6551 = msg("4101", dup276); - -var msg6552 = msg("4102", dup276); - -var msg6553 = msg("4103", dup276); - -var msg6554 = msg("4104", dup276); - -var msg6555 = msg("4105", dup276); - -var msg6556 = msg("4106", dup276); - -var msg6557 = msg("4107", dup276); - -var msg6558 = msg("4108", dup276); - -var msg6559 = msg("4109", dup276); - -var msg6560 = msg("4110", dup276); - 
-var msg6561 = msg("4111", dup276); - -var msg6562 = msg("4112", dup276); - -var msg6563 = msg("4113", dup276); - -var msg6564 = msg("4114", dup276); - -var msg6565 = msg("4115", dup276); - -var msg6566 = msg("4116", dup276); - -var msg6567 = msg("4117", dup276); - -var msg6568 = msg("4118", dup276); - -var msg6569 = msg("4119", dup276); - -var msg6570 = msg("4120", dup276); - -var msg6571 = msg("4121", dup276); - -var msg6572 = msg("4122", dup276); - -var msg6573 = msg("4123", dup276); - -var msg6574 = msg("4124", dup276); - -var msg6575 = msg("4125", dup276); - -var msg6576 = msg("4126", dup196); - -var msg6577 = msg("4127", dup222); - -var msg6578 = msg("4128", dup265); - -var msg6579 = msg("4129", dup198); - -var msg6580 = msg("4130", dup222); - -var msg6581 = msg("4131", dup196); - -var msg6582 = msg("4132", dup265); - -var msg6583 = msg("4133", dup265); - -var msg6584 = msg("4134", dup265); - -var msg6585 = msg("4135", dup267); - -var msg6586 = msg("4136", dup267); - -var msg6587 = msg("4140", dup198); - -var msg6588 = msg("4141", dup198); - -var msg6589 = msg("4142", dup196); - -var msg6590 = msg("4143", dup196); - -var msg6591 = msg("4144", dup196); - -var msg6592 = msg("4145", dup265); - -var msg6593 = msg("4146", dup265); - -var msg6594 = msg("4147", dup265); - -var msg6595 = msg("4148", dup265); - -var msg6596 = msg("4149", dup265); - -var msg6597 = msg("4150", dup265); - -var msg6598 = msg("4151", dup265); - -var msg6599 = msg("4152", dup265); - -var msg6600 = msg("4153", dup265); - -var msg6601 = msg("4154", dup265); - -var msg6602 = msg("4155", dup265); - -var msg6603 = msg("4156", dup265); - -var msg6604 = msg("4157", dup265); - -var msg6605 = msg("4158", dup265); - -var msg6606 = msg("4159", dup265); - -var msg6607 = msg("4160", dup265); - -var msg6608 = msg("4161", dup265); - -var msg6609 = msg("4162", dup265); - -var msg6610 = msg("4163", dup265); - -var msg6611 = msg("4164", dup265); - -var msg6612 = msg("4165", dup265); - -var msg6613 = 
msg("4166", dup265); - -var msg6614 = msg("4167", dup265); - -var msg6615 = msg("4168", dup265); - -var msg6616 = msg("4169", dup265); - -var msg6617 = msg("4170", dup265); - -var msg6618 = msg("4171", dup265); - -var msg6619 = msg("4172", dup265); - -var msg6620 = msg("4173", dup265); - -var msg6621 = msg("4174", dup265); - -var msg6622 = msg("4175", dup265); - -var msg6623 = msg("4176", dup265); - -var msg6624 = msg("4177", dup265); - -var msg6625 = msg("4178", dup265); - -var msg6626 = msg("4179", dup265); - -var msg6627 = msg("4180", dup194); - -var msg6628 = msg("4181", dup265); - -var msg6629 = msg("4182", dup265); - -var msg6630 = msg("4183", dup265); - -var msg6631 = msg("4184", dup265); - -var msg6632 = msg("4185", dup265); - -var msg6633 = msg("4186", dup265); - -var msg6634 = msg("4187", dup265); - -var msg6635 = msg("4188", dup194); - -var msg6636 = msg("4189", dup265); - -var msg6637 = msg("4190", dup265); - -var msg6638 = msg("4191", dup265); - -var msg6639 = msg("4192", dup265); - -var msg6640 = msg("4193", dup265); - -var msg6641 = msg("4194", dup196); - -var msg6642 = msg("4195", dup265); - -var msg6643 = msg("4196", dup265); - -var msg6644 = msg("4197", dup265); - -var msg6645 = msg("4198", dup265); - -var msg6646 = msg("4199", dup265); - -var msg6647 = msg("4200", dup265); - -var msg6648 = msg("4201", dup265); - -var msg6649 = msg("4202", dup265); - -var msg6650 = msg("4203", dup265); - -var msg6651 = msg("4204", dup265); - -var msg6652 = msg("4205", dup265); - -var msg6653 = msg("4206", dup265); - -var msg6654 = msg("4207", dup265); - -var msg6655 = msg("4208", dup265); - -var msg6656 = msg("4209", dup265); - -var msg6657 = msg("4210", dup265); - -var msg6658 = msg("4211", dup265); - -var msg6659 = msg("4212", dup265); - -var msg6660 = msg("4213", dup265); - -var msg6661 = msg("4214", dup265); - -var msg6662 = msg("4215", dup265); - -var msg6663 = msg("4216", dup265); - -var msg6664 = msg("4217", dup265); - -var msg6665 = msg("4218", dup265); - 
-var msg6666 = msg("4219", dup265); - -var msg6667 = msg("4220", dup265); - -var msg6668 = msg("4221", dup265); - -var msg6669 = msg("4222", dup265); - -var msg6670 = msg("4223", dup265); - -var msg6671 = msg("4224", dup265); - -var msg6672 = msg("4225", dup265); - -var msg6673 = msg("4226", dup265); - -var msg6674 = msg("4227", dup265); - -var msg6675 = msg("4228", dup265); - -var msg6676 = msg("4229", dup265); - -var msg6677 = msg("4230", dup265); - -var msg6678 = msg("4231", dup265); - -var msg6679 = msg("4232", dup265); - -var msg6680 = msg("4233", dup265); - -var msg6681 = msg("4234", dup265); - -var msg6682 = msg("4235", dup265); - -var msg6683 = msg("4236", dup265); - -var msg6684 = msg("4237", dup276); - -var msg6685 = msg("4238", dup276); - -var msg6686 = msg("4239", dup276); - -var msg6687 = msg("4240", dup276); - -var msg6688 = msg("4241", dup276); - -var msg6689 = msg("4242", dup276); - -var msg6690 = msg("4243", dup276); - -var msg6691 = msg("4244", dup276); - -var msg6692 = msg("4245", dup276); - -var msg6693 = msg("4246", dup276); - -var msg6694 = msg("4247", dup276); - -var msg6695 = msg("4248", dup276); - -var msg6696 = msg("4249", dup276); - -var msg6697 = msg("4250", dup276); - -var msg6698 = msg("4251", dup276); - -var msg6699 = msg("4252", dup276); - -var msg6700 = msg("4253", dup276); - -var msg6701 = msg("4254", dup276); - -var msg6702 = msg("4255", dup276); - -var msg6703 = msg("4256", dup276); - -var msg6704 = msg("4257", dup276); - -var msg6705 = msg("4258", dup276); - -var msg6706 = msg("4259", dup276); - -var msg6707 = msg("4260", dup276); - -var msg6708 = msg("4261", dup276); - -var msg6709 = msg("4262", dup276); - -var msg6710 = msg("4263", dup276); - -var msg6711 = msg("4264", dup276); - -var msg6712 = msg("4265", dup276); - -var msg6713 = msg("4266", dup276); - -var msg6714 = msg("4267", dup276); - -var msg6715 = msg("4268", dup276); - -var msg6716 = msg("4269", dup276); - -var msg6717 = msg("4270", dup276); - -var msg6718 = 
msg("4271", dup276); - -var msg6719 = msg("4272", dup276); - -var msg6720 = msg("4273", dup276); - -var msg6721 = msg("4274", dup276); - -var msg6722 = msg("4275", dup276); - -var msg6723 = msg("4276", dup276); - -var msg6724 = msg("4277", dup276); - -var msg6725 = msg("4278", dup276); - -var msg6726 = msg("4279", dup276); - -var msg6727 = msg("4280", dup276); - -var msg6728 = msg("4281", dup276); - -var msg6729 = msg("4282", dup276); - -var msg6730 = msg("4283", dup276); - -var msg6731 = msg("4284", dup276); - -var msg6732 = msg("4285", dup276); - -var msg6733 = msg("4286", dup276); - -var msg6734 = msg("4287", dup276); - -var msg6735 = msg("4288", dup276); - -var msg6736 = msg("4289", dup276); - -var msg6737 = msg("4290", dup276); - -var msg6738 = msg("4291", dup276); - -var msg6739 = msg("4292", dup276); - -var msg6740 = msg("4293", dup276); - -var msg6741 = msg("4294", dup276); - -var msg6742 = msg("4295", dup276); - -var msg6743 = msg("4296", dup276); - -var msg6744 = msg("4297", dup276); - -var msg6745 = msg("4298", dup276); - -var msg6746 = msg("4299", dup276); - -var msg6747 = msg("4300", dup276); - -var msg6748 = msg("4301", dup276); - -var msg6749 = msg("4302", dup276); - -var msg6750 = msg("4303", dup276); - -var msg6751 = msg("4304", dup276); - -var msg6752 = msg("4305", dup276); - -var msg6753 = msg("4306", dup276); - -var msg6754 = msg("4307", dup276); - -var msg6755 = msg("4308", dup276); - -var msg6756 = msg("4309", dup276); - -var msg6757 = msg("4310", dup276); - -var msg6758 = msg("4311", dup276); - -var msg6759 = msg("4312", dup276); - -var msg6760 = msg("4313", dup276); - -var msg6761 = msg("4314", dup276); - -var msg6762 = msg("4315", dup276); - -var msg6763 = msg("4316", dup276); - -var msg6764 = msg("4317", dup276); - -var msg6765 = msg("4318", dup276); - -var msg6766 = msg("4319", dup276); - -var msg6767 = msg("4320", dup276); - -var msg6768 = msg("4321", dup276); - -var msg6769 = msg("4322", dup276); - -var msg6770 = msg("4323", dup276); - 
-var msg6771 = msg("4324", dup276); - -var msg6772 = msg("4325", dup276); - -var msg6773 = msg("4326", dup276); - -var msg6774 = msg("4327", dup276); - -var msg6775 = msg("4328", dup276); - -var msg6776 = msg("4329", dup276); - -var msg6777 = msg("4330", dup276); - -var msg6778 = msg("4331", dup276); - -var msg6779 = msg("4332", dup276); - -var msg6780 = msg("4333", dup276); - -var msg6781 = msg("4334", dup276); - -var msg6782 = msg("4335", dup276); - -var msg6783 = msg("4336", dup276); - -var msg6784 = msg("4337", dup276); - -var msg6785 = msg("4338", dup276); - -var msg6786 = msg("4339", dup276); - -var msg6787 = msg("4340", dup276); - -var msg6788 = msg("4341", dup276); - -var msg6789 = msg("4342", dup276); - -var msg6790 = msg("4343", dup276); - -var msg6791 = msg("4344", dup276); - -var msg6792 = msg("4345", dup276); - -var msg6793 = msg("4346", dup276); - -var msg6794 = msg("4347", dup276); - -var msg6795 = msg("4348", dup276); - -var msg6796 = msg("4349", dup276); - -var msg6797 = msg("4350", dup276); - -var msg6798 = msg("4351", dup276); - -var msg6799 = msg("4352", dup276); - -var msg6800 = msg("4353", dup276); - -var msg6801 = msg("4354", dup276); - -var msg6802 = msg("4355", dup276); - -var msg6803 = msg("4356", dup276); - -var msg6804 = msg("4357", dup276); - -var msg6805 = msg("4358", dup276); - -var msg6806 = msg("4359", dup276); - -var msg6807 = msg("4360", dup276); - -var msg6808 = msg("4361", dup276); - -var msg6809 = msg("4362", dup276); - -var msg6810 = msg("4363", dup276); - -var msg6811 = msg("4364", dup276); - -var msg6812 = msg("4365", dup276); - -var msg6813 = msg("4366", dup276); - -var msg6814 = msg("4367", dup276); - -var msg6815 = msg("4368", dup276); - -var msg6816 = msg("4369", dup276); - -var msg6817 = msg("4370", dup276); - -var msg6818 = msg("4371", dup276); - -var msg6819 = msg("4372", dup276); - -var msg6820 = msg("4373", dup276); - -var msg6821 = msg("4374", dup276); - -var msg6822 = msg("4375", dup276); - -var msg6823 = 
msg("4376", dup276); - -var msg6824 = msg("4377", dup276); - -var msg6825 = msg("4378", dup276); - -var msg6826 = msg("4379", dup276); - -var msg6827 = msg("4380", dup276); - -var msg6828 = msg("4381", dup276); - -var msg6829 = msg("4382", dup276); - -var msg6830 = msg("4383", dup276); - -var msg6831 = msg("4384", dup276); - -var msg6832 = msg("4385", dup276); - -var msg6833 = msg("4386", dup276); - -var msg6834 = msg("4387", dup276); - -var msg6835 = msg("4388", dup276); - -var msg6836 = msg("4389", dup276); - -var msg6837 = msg("4390", dup276); - -var msg6838 = msg("4391", dup276); - -var msg6839 = msg("4392", dup276); - -var msg6840 = msg("4393", dup276); - -var msg6841 = msg("4394", dup276); - -var msg6842 = msg("4395", dup276); - -var msg6843 = msg("4396", dup276); - -var msg6844 = msg("4397", dup276); - -var msg6845 = msg("4398", dup276); - -var msg6846 = msg("4399", dup276); - -var msg6847 = msg("4400", dup276); - -var msg6848 = msg("4401", dup276); - -var msg6849 = msg("4402", dup276); - -var msg6850 = msg("4403", dup276); - -var msg6851 = msg("4404", dup276); - -var msg6852 = msg("4405", dup276); - -var msg6853 = msg("4406", dup276); - -var msg6854 = msg("4407", dup276); - -var msg6855 = msg("4408", dup276); - -var msg6856 = msg("4409", dup276); - -var msg6857 = msg("4410", dup276); - -var msg6858 = msg("4411", dup276); - -var msg6859 = msg("4412", dup276); - -var msg6860 = msg("4413", dup276); - -var msg6861 = msg("4414", dup276); - -var msg6862 = msg("4415", dup276); - -var msg6863 = msg("4416", dup276); - -var msg6864 = msg("4417", dup276); - -var msg6865 = msg("4418", dup276); - -var msg6866 = msg("4419", dup276); - -var msg6867 = msg("4420", dup276); - -var msg6868 = msg("4421", dup276); - -var msg6869 = msg("4422", dup276); - -var msg6870 = msg("4423", dup276); - -var msg6871 = msg("4424", dup276); - -var msg6872 = msg("4425", dup276); - -var msg6873 = msg("4426", dup276); - -var msg6874 = msg("4427", dup276); - -var msg6875 = msg("4428", dup276); - 
-var msg6876 = msg("4429", dup276); - -var msg6877 = msg("4430", dup276); - -var msg6878 = msg("4431", dup276); - -var msg6879 = msg("4432", dup276); - -var msg6880 = msg("4433", dup276); - -var msg6881 = msg("4434", dup276); - -var msg6882 = msg("4435", dup276); - -var msg6883 = msg("4436", dup276); - -var msg6884 = msg("4437", dup276); - -var msg6885 = msg("4438", dup276); - -var msg6886 = msg("4439", dup276); - -var msg6887 = msg("4440", dup276); - -var msg6888 = msg("4441", dup276); - -var msg6889 = msg("4442", dup276); - -var msg6890 = msg("4443", dup276); - -var msg6891 = msg("4444", dup276); - -var msg6892 = msg("4445", dup276); - -var msg6893 = msg("4446", dup276); - -var msg6894 = msg("4447", dup276); - -var msg6895 = msg("4448", dup276); - -var msg6896 = msg("4449", dup276); - -var msg6897 = msg("4450", dup276); - -var msg6898 = msg("4451", dup276); - -var msg6899 = msg("4452", dup276); - -var msg6900 = msg("4453", dup276); - -var msg6901 = msg("4454", dup276); - -var msg6902 = msg("4455", dup276); - -var msg6903 = msg("4456", dup276); - -var msg6904 = msg("4457", dup276); - -var msg6905 = msg("4458", dup276); - -var msg6906 = msg("4459", dup276); - -var msg6907 = msg("4460", dup276); - -var msg6908 = msg("4461", dup276); - -var msg6909 = msg("4462", dup276); - -var msg6910 = msg("4463", dup276); - -var msg6911 = msg("4464", dup276); - -var msg6912 = msg("4465", dup276); - -var msg6913 = msg("4466", dup276); - -var msg6914 = msg("4467", dup276); - -var msg6915 = msg("4468", dup276); - -var msg6916 = msg("4469", dup276); - -var msg6917 = msg("4470", dup276); - -var msg6918 = msg("4471", dup276); - -var msg6919 = msg("4472", dup276); - -var msg6920 = msg("4473", dup276); - -var msg6921 = msg("4474", dup276); - -var msg6922 = msg("4475", dup276); - -var msg6923 = msg("4476", dup276); - -var msg6924 = msg("4477", dup276); - -var msg6925 = msg("4478", dup276); - -var msg6926 = msg("4479", dup276); - -var msg6927 = msg("4480", dup276); - -var msg6928 = 
msg("4481", dup276); - -var msg6929 = msg("4482", dup276); - -var msg6930 = msg("4483", dup276); - -var msg6931 = msg("4484", dup276); - -var msg6932 = msg("4485", dup276); - -var msg6933 = msg("4486", dup276); - -var msg6934 = msg("4487", dup276); - -var msg6935 = msg("4488", dup276); - -var msg6936 = msg("4489", dup276); - -var msg6937 = msg("4490", dup276); - -var msg6938 = msg("4491", dup276); - -var msg6939 = msg("4492", dup276); - -var msg6940 = msg("4493", dup276); - -var msg6941 = msg("4494", dup276); - -var msg6942 = msg("4495", dup276); - -var msg6943 = msg("4496", dup276); - -var msg6944 = msg("4497", dup276); - -var msg6945 = msg("4498", dup276); - -var msg6946 = msg("4499", dup276); - -var msg6947 = msg("4500", dup276); - -var msg6948 = msg("4501", dup276); - -var msg6949 = msg("4502", dup276); - -var msg6950 = msg("4503", dup276); - -var msg6951 = msg("4504", dup276); - -var msg6952 = msg("4505", dup276); - -var msg6953 = msg("4506", dup276); - -var msg6954 = msg("4507", dup276); - -var msg6955 = msg("4508", dup276); - -var msg6956 = msg("4509", dup276); - -var msg6957 = msg("4510", dup276); - -var msg6958 = msg("4511", dup276); - -var msg6959 = msg("4512", dup276); - -var msg6960 = msg("4513", dup276); - -var msg6961 = msg("4514", dup276); - -var msg6962 = msg("4515", dup276); - -var msg6963 = msg("4516", dup276); - -var msg6964 = msg("4517", dup276); - -var msg6965 = msg("4518", dup276); - -var msg6966 = msg("4519", dup276); - -var msg6967 = msg("4520", dup276); - -var msg6968 = msg("4521", dup276); - -var msg6969 = msg("4522", dup276); - -var msg6970 = msg("4523", dup276); - -var msg6971 = msg("4524", dup276); - -var msg6972 = msg("4525", dup276); - -var msg6973 = msg("4526", dup276); - -var msg6974 = msg("4527", dup276); - -var msg6975 = msg("4528", dup276); - -var msg6976 = msg("4529", dup276); - -var msg6977 = msg("4530", dup276); - -var msg6978 = msg("4531", dup276); - -var msg6979 = msg("4532", dup276); - -var msg6980 = msg("4533", dup276); - 
-var msg6981 = msg("4534", dup276); - -var msg6982 = msg("4535", dup276); - -var msg6983 = msg("4536", dup276); - -var msg6984 = msg("4537", dup276); - -var msg6985 = msg("4538", dup276); - -var msg6986 = msg("4539", dup276); - -var msg6987 = msg("4540", dup276); - -var msg6988 = msg("4541", dup276); - -var msg6989 = msg("4542", dup276); - -var msg6990 = msg("4543", dup276); - -var msg6991 = msg("4544", dup276); - -var msg6992 = msg("4545", dup276); - -var msg6993 = msg("4546", dup276); - -var msg6994 = msg("4547", dup276); - -var msg6995 = msg("4548", dup276); - -var msg6996 = msg("4549", dup276); - -var msg6997 = msg("4550", dup276); - -var msg6998 = msg("4551", dup276); - -var msg6999 = msg("4552", dup276); - -var msg7000 = msg("4553", dup276); - -var msg7001 = msg("4554", dup276); - -var msg7002 = msg("4555", dup276); - -var msg7003 = msg("4556", dup276); - -var msg7004 = msg("4557", dup276); - -var msg7005 = msg("4558", dup276); - -var msg7006 = msg("4559", dup276); - -var msg7007 = msg("4560", dup276); - -var msg7008 = msg("4561", dup276); - -var msg7009 = msg("4562", dup276); - -var msg7010 = msg("4563", dup276); - -var msg7011 = msg("4564", dup276); - -var msg7012 = msg("4565", dup276); - -var msg7013 = msg("4566", dup276); - -var msg7014 = msg("4567", dup276); - -var msg7015 = msg("4568", dup276); - -var msg7016 = msg("4569", dup276); - -var msg7017 = msg("4570", dup276); - -var msg7018 = msg("4571", dup276); - -var msg7019 = msg("4572", dup276); - -var msg7020 = msg("4573", dup276); - -var msg7021 = msg("4574", dup276); - -var msg7022 = msg("4575", dup276); - -var msg7023 = msg("4576", dup276); - -var msg7024 = msg("4577", dup276); - -var msg7025 = msg("4578", dup276); - -var msg7026 = msg("4579", dup276); - -var msg7027 = msg("4580", dup276); - -var msg7028 = msg("4581", dup276); - -var msg7029 = msg("4582", dup276); - -var msg7030 = msg("4583", dup276); - -var msg7031 = msg("4584", dup276); - -var msg7032 = msg("4585", dup276); - -var msg7033 = 
msg("4586", dup276); - -var msg7034 = msg("4587", dup276); - -var msg7035 = msg("4588", dup276); - -var msg7036 = msg("4589", dup276); - -var msg7037 = msg("4590", dup276); - -var msg7038 = msg("4591", dup276); - -var msg7039 = msg("4592", dup276); - -var msg7040 = msg("4593", dup276); - -var msg7041 = msg("4594", dup276); - -var msg7042 = msg("4595", dup276); - -var msg7043 = msg("4596", dup276); - -var msg7044 = msg("4597", dup276); - -var msg7045 = msg("4598", dup276); - -var msg7046 = msg("4599", dup276); - -var msg7047 = msg("4600", dup276); - -var msg7048 = msg("4601", dup276); - -var msg7049 = msg("4602", dup276); - -var msg7050 = msg("4603", dup276); - -var msg7051 = msg("4604", dup276); - -var msg7052 = msg("4605", dup276); - -var msg7053 = msg("4606", dup276); - -var msg7054 = msg("4607", dup276); - -var msg7055 = msg("4608", dup276); - -var msg7056 = msg("4609", dup276); - -var msg7057 = msg("4610", dup276); - -var msg7058 = msg("4611", dup276); - -var msg7059 = msg("4612", dup276); - -var msg7060 = msg("4613", dup276); - -var msg7061 = msg("4614", dup276); - -var msg7062 = msg("4615", dup276); - -var msg7063 = msg("4616", dup276); - -var msg7064 = msg("4617", dup276); - -var msg7065 = msg("4618", dup276); - -var msg7066 = msg("4619", dup276); - -var msg7067 = msg("4620", dup276); - -var msg7068 = msg("4621", dup276); - -var msg7069 = msg("4622", dup276); - -var msg7070 = msg("4623", dup276); - -var msg7071 = msg("4624", dup276); - -var msg7072 = msg("4625", dup276); - -var msg7073 = msg("4626", dup276); - -var msg7074 = msg("4627", dup276); - -var msg7075 = msg("4628", dup276); - -var msg7076 = msg("4629", dup276); - -var msg7077 = msg("4630", dup276); - -var msg7078 = msg("4631", dup276); - -var msg7079 = msg("4632", dup276); - -var msg7080 = msg("4633", dup276); - -var msg7081 = msg("4634", dup276); - -var msg7082 = msg("4635", dup276); - -var msg7083 = msg("4636", dup276); - -var msg7084 = msg("4637", dup267); - -var msg7085 = msg("4638", dup198); - 
-var msg7086 = msg("4639", dup222); - -var msg7087 = msg("4640", dup222); - -var msg7088 = msg("4641", dup222); - -var msg7089 = msg("4642", dup222); - -var msg7090 = msg("4643", dup267); - -var msg7091 = msg("4644", dup267); - -var msg7092 = msg("4645", dup196); - -var msg7093 = msg("4646", dup196); - -var msg7094 = msg("4647", dup201); - -var msg7095 = msg("4648", dup265); - -var msg7096 = msg("4649", dup260); - -var msg7097 = msg("4650", dup265); - -var msg7098 = msg("4651", dup276); - -var msg7099 = msg("4652", dup276); - -var msg7100 = msg("4653", dup276); - -var msg7101 = msg("4654", dup276); - -var msg7102 = msg("4655", dup276); - -var msg7103 = msg("4656", dup276); - -var msg7104 = msg("4657", dup276); - -var msg7105 = msg("4658", dup276); - -var msg7106 = msg("4659", dup276); - -var msg7107 = msg("4660", dup276); - -var msg7108 = msg("4661", dup276); - -var msg7109 = msg("4662", dup276); - -var msg7110 = msg("4663", dup276); - -var msg7111 = msg("4664", dup276); - -var msg7112 = msg("4665", dup276); - -var msg7113 = msg("4666", dup276); - -var msg7114 = msg("4667", dup276); - -var msg7115 = msg("4668", dup276); - -var msg7116 = msg("4669", dup276); - -var msg7117 = msg("4670", dup276); - -var msg7118 = msg("4671", dup276); - -var msg7119 = msg("4672", dup276); - -var msg7120 = msg("4673", dup276); - -var msg7121 = msg("4674", dup276); - -var msg7122 = msg("4675", dup267); - -var msg7123 = msg("4676", dup222); - -var msg7124 = msg("4677", dup222); - -var msg7125 = msg("4678", dup196); - -var msg7126 = msg("4679", dup267); - -var msg7127 = msg("4680", dup267); - -var msg7128 = msg("4681", dup265); - -var msg7129 = msg("4682", dup276); - -var msg7130 = msg("4683", dup276); - -var msg7131 = msg("4684", dup276); - -var msg7132 = msg("4685", dup276); - -var msg7133 = msg("4686", dup276); - -var msg7134 = msg("4687", dup276); - -var msg7135 = msg("4688", dup276); - -var msg7136 = msg("4689", dup276); - -var msg7137 = msg("4690", dup276); - -var msg7138 = 
msg("4691", dup276); - -var msg7139 = msg("4692", dup276); - -var msg7140 = msg("4693", dup276); - -var msg7141 = msg("4694", dup276); - -var msg7142 = msg("4695", dup276); - -var msg7143 = msg("4696", dup276); - -var msg7144 = msg("4697", dup276); - -var msg7145 = msg("4698", dup276); - -var msg7146 = msg("4699", dup276); - -var msg7147 = msg("4700", dup276); - -var msg7148 = msg("4701", dup276); - -var msg7149 = msg("4702", dup276); - -var msg7150 = msg("4703", dup276); - -var msg7151 = msg("4704", dup276); - -var msg7152 = msg("4705", dup276); - -var msg7153 = msg("4706", dup276); - -var msg7154 = msg("4707", dup276); - -var msg7155 = msg("4708", dup276); - -var msg7156 = msg("4709", dup276); - -var msg7157 = msg("4710", dup276); - -var msg7158 = msg("4711", dup276); - -var msg7159 = msg("4712", dup276); - -var msg7160 = msg("4713", dup276); - -var msg7161 = msg("4714", dup276); - -var msg7162 = msg("4715", dup276); - -var msg7163 = msg("4716", dup276); - -var msg7164 = msg("4717", dup276); - -var msg7165 = msg("4718", dup276); - -var msg7166 = msg("4719", dup276); - -var msg7167 = msg("4720", dup276); - -var msg7168 = msg("4721", dup276); - -var msg7169 = msg("4722", dup276); - -var msg7170 = msg("4723", dup276); - -var msg7171 = msg("4724", dup276); - -var msg7172 = msg("4725", dup276); - -var msg7173 = msg("4726", dup276); - -var msg7174 = msg("4727", dup276); - -var msg7175 = msg("4728", dup276); - -var msg7176 = msg("4729", dup276); - -var msg7177 = msg("4730", dup276); - -var msg7178 = msg("4731", dup276); - -var msg7179 = msg("4732", dup276); - -var msg7180 = msg("4733", dup276); - -var msg7181 = msg("4734", dup276); - -var msg7182 = msg("4735", dup276); - -var msg7183 = msg("4736", dup276); - -var msg7184 = msg("4737", dup276); - -var msg7185 = msg("4738", dup276); - -var msg7186 = msg("4739", dup276); - -var msg7187 = msg("4740", dup276); - -var msg7188 = msg("4741", dup276); - -var msg7189 = msg("4742", dup276); - -var msg7190 = msg("4743", dup276); - 
-var msg7191 = msg("4744", dup276); - -var msg7192 = msg("4745", dup276); - -var msg7193 = msg("4746", dup276); - -var msg7194 = msg("4747", dup276); - -var msg7195 = msg("4748", dup276); - -var msg7196 = msg("4749", dup276); - -var msg7197 = msg("4750", dup276); - -var msg7198 = msg("4751", dup276); - -var msg7199 = msg("4752", dup276); - -var msg7200 = msg("4753", dup276); - -var msg7201 = msg("4754", dup201); - -var msg7202 = msg("4755", dup201); - -var msg7203 = msg("4756", dup201); - -var msg7204 = msg("4757", dup201); - -var msg7205 = msg("4758", dup276); - -var msg7206 = msg("4759", dup276); - -var msg7207 = msg("4760", dup276); - -var msg7208 = msg("4761", dup276); - -var msg7209 = msg("4762", dup276); - -var msg7210 = msg("4763", dup276); - -var msg7211 = msg("4764", dup276); - -var msg7212 = msg("4765", dup276); - -var msg7213 = msg("4766", dup276); - -var msg7214 = msg("4767", dup276); - -var msg7215 = msg("4768", dup276); - -var msg7216 = msg("4769", dup276); - -var msg7217 = msg("4770", dup276); - -var msg7218 = msg("4771", dup276); - -var msg7219 = msg("4772", dup276); - -var msg7220 = msg("4773", dup276); - -var msg7221 = msg("4774", dup276); - -var msg7222 = msg("4775", dup276); - -var msg7223 = msg("4776", dup276); - -var msg7224 = msg("4777", dup276); - -var msg7225 = msg("4778", dup276); - -var msg7226 = msg("4779", dup276); - -var msg7227 = msg("4780", dup276); - -var msg7228 = msg("4781", dup276); - -var msg7229 = msg("4782", dup276); - -var msg7230 = msg("4783", dup276); - -var msg7231 = msg("4784", dup276); - -var msg7232 = msg("4785", dup276); - -var msg7233 = msg("4786", dup276); - -var msg7234 = msg("4787", dup276); - -var msg7235 = msg("4788", dup276); - -var msg7236 = msg("4789", dup276); - -var msg7237 = msg("4790", dup276); - -var msg7238 = msg("4791", dup276); - -var msg7239 = msg("4792", dup276); - -var msg7240 = msg("4793", dup276); - -var msg7241 = msg("4794", dup276); - -var msg7242 = msg("4795", dup276); - -var msg7243 = 
msg("4796", dup276); - -var msg7244 = msg("4797", dup276); - -var msg7245 = msg("4798", dup276); - -var msg7246 = msg("4799", dup276); - -var msg7247 = msg("4800", dup276); - -var msg7248 = msg("4801", dup276); - -var msg7249 = msg("4802", dup276); - -var msg7250 = msg("4803", dup276); - -var msg7251 = msg("4804", dup276); - -var msg7252 = msg("4805", dup276); - -var msg7253 = msg("4806", dup276); - -var msg7254 = msg("4807", dup276); - -var msg7255 = msg("4808", dup276); - -var msg7256 = msg("4809", dup276); - -var msg7257 = msg("4810", dup276); - -var msg7258 = msg("4811", dup276); - -var msg7259 = msg("4812", dup276); - -var msg7260 = msg("4813", dup276); - -var msg7261 = msg("4814", dup276); - -var msg7262 = msg("4815", dup276); - -var msg7263 = msg("4816", dup276); - -var msg7264 = msg("4817", dup276); - -var msg7265 = msg("4818", dup276); - -var msg7266 = msg("4819", dup276); - -var msg7267 = msg("4820", dup276); - -var msg7268 = msg("4821", dup276); - -var msg7269 = msg("4822", dup201); - -var msg7270 = msg("4823", dup201); - -var msg7271 = msg("4824", dup201); - -var msg7272 = msg("4825", dup201); - -var msg7273 = msg("4826", dup276); - -var msg7274 = msg("4827", dup276); - -var msg7275 = msg("4828", dup276); - -var msg7276 = msg("4829", dup276); - -var msg7277 = msg("4830", dup276); - -var msg7278 = msg("4831", dup276); - -var msg7279 = msg("4832", dup276); - -var msg7280 = msg("4833", dup276); - -var msg7281 = msg("4834", dup276); - -var msg7282 = msg("4835", dup276); - -var msg7283 = msg("4836", dup276); - -var msg7284 = msg("4837", dup276); - -var msg7285 = msg("4838", dup276); - -var msg7286 = msg("4839", dup276); - -var msg7287 = msg("4840", dup276); - -var msg7288 = msg("4841", dup276); - -var msg7289 = msg("4842", dup276); - -var msg7290 = msg("4843", dup276); - -var msg7291 = msg("4844", dup276); - -var msg7292 = msg("4845", dup276); - -var msg7293 = msg("4846", dup276); - -var msg7294 = msg("4847", dup276); - -var msg7295 = msg("4848", dup276); - 
-var msg7296 = msg("4849", dup276); - -var msg7297 = msg("4850", dup276); - -var msg7298 = msg("4851", dup276); - -var msg7299 = msg("4852", dup276); - -var msg7300 = msg("4853", dup276); - -var msg7301 = msg("4854", dup276); - -var msg7302 = msg("4855", dup276); - -var msg7303 = msg("4856", dup276); - -var msg7304 = msg("4857", dup276); - -var msg7305 = msg("4858", dup276); - -var msg7306 = msg("4859", dup276); - -var msg7307 = msg("4860", dup276); - -var msg7308 = msg("4861", dup276); - -var msg7309 = msg("4862", dup276); - -var msg7310 = msg("4863", dup276); - -var msg7311 = msg("4864", dup276); - -var msg7312 = msg("4865", dup276); - -var msg7313 = msg("4866", dup276); - -var msg7314 = msg("4867", dup276); - -var msg7315 = msg("4868", dup276); - -var msg7316 = msg("4869", dup276); - -var msg7317 = msg("4870", dup276); - -var msg7318 = msg("4871", dup276); - -var msg7319 = msg("4872", dup276); - -var msg7320 = msg("4873", dup276); - -var msg7321 = msg("4874", dup276); - -var msg7322 = msg("4875", dup276); - -var msg7323 = msg("4876", dup276); - -var msg7324 = msg("4877", dup276); - -var msg7325 = msg("4878", dup276); - -var msg7326 = msg("4879", dup276); - -var msg7327 = msg("4880", dup276); - -var msg7328 = msg("4881", dup276); - -var msg7329 = msg("4882", dup276); - -var msg7330 = msg("4883", dup276); - -var msg7331 = msg("4884", dup276); - -var msg7332 = msg("4885", dup276); - -var msg7333 = msg("4886", dup276); - -var msg7334 = msg("4887", dup276); - -var msg7335 = msg("4888", dup276); - -var msg7336 = msg("4889", dup276); - -var msg7337 = msg("4890", dup265); - -var msg7338 = msg("4891", dup265); - -var msg7339 = msg("4892", dup265); - -var msg7340 = msg("4893", dup265); - -var msg7341 = msg("4894", dup265); - -var msg7342 = msg("4895", dup265); - -var msg7343 = msg("4896", dup265); - -var msg7344 = msg("4897", dup265); - -var msg7345 = msg("4898", dup265); - -var msg7346 = msg("4899", dup265); - -var msg7347 = msg("4900", dup265); - -var msg7348 = 
msg("4901", dup265); - -var msg7349 = msg("4902", dup265); - -var msg7350 = msg("4903", dup265); - -var msg7351 = msg("4904", dup265); - -var msg7352 = msg("4905", dup265); - -var msg7353 = msg("4906", dup265); - -var msg7354 = msg("4907", dup265); - -var msg7355 = msg("4908", dup265); - -var msg7356 = msg("4909", dup265); - -var msg7357 = msg("4910", dup265); - -var msg7358 = msg("4911", dup265); - -var msg7359 = msg("4912", dup265); - -var msg7360 = msg("4913", dup265); - -var msg7361 = msg("4914", dup265); - -var msg7362 = msg("4915", dup265); - -var msg7363 = msg("4916", dup201); - -var msg7364 = msg("4917", dup201); - -var msg7365 = msg("4918", dup198); - -var msg7366 = msg("4919", dup198); - -var msg7367 = msg("4920", dup198); - -var msg7368 = msg("4921", dup198); - -var msg7369 = msg("4922", dup198); - -var msg7370 = msg("4923", dup198); - -var msg7371 = msg("4924", dup198); - -var msg7372 = msg("4925", dup198); - -var msg7373 = msg("4926", dup198); - -var msg7374 = msg("4927", dup198); - -var msg7375 = msg("4928", dup198); - -var msg7376 = msg("4929", dup198); - -var msg7377 = msg("4930", dup198); - -var msg7378 = msg("4931", dup198); - -var msg7379 = msg("4932", dup198); - -var msg7380 = msg("4933", dup198); - -var msg7381 = msg("4934", dup198); - -var msg7382 = msg("4935", dup198); - -var msg7383 = msg("4936", dup198); - -var msg7384 = msg("4937", dup198); - -var msg7385 = msg("4938", dup198); - -var msg7386 = msg("4939", dup198); - -var msg7387 = msg("4940", dup198); - -var msg7388 = msg("4941", dup198); - -var msg7389 = msg("4942", dup198); - -var msg7390 = msg("4943", dup198); - -var msg7391 = msg("4944", dup198); - -var msg7392 = msg("4945", dup198); - -var msg7393 = msg("4946", dup198); - -var msg7394 = msg("4947", dup198); - -var msg7395 = msg("4948", dup198); - -var msg7396 = msg("4949", dup198); - -var msg7397 = msg("4950", dup198); - -var msg7398 = msg("4951", dup198); - -var msg7399 = msg("4952", dup198); - -var msg7400 = msg("4953", dup198); - 
-var msg7401 = msg("4954", dup198); - -var msg7402 = msg("4955", dup198); - -var msg7403 = msg("4956", dup198); - -var msg7404 = msg("4957", dup198); - -var msg7405 = msg("4958", dup198); - -var msg7406 = msg("4959", dup198); - -var msg7407 = msg("4960", dup198); - -var msg7408 = msg("4961", dup198); - -var msg7409 = msg("4962", dup198); - -var msg7410 = msg("4963", dup198); - -var msg7411 = msg("4964", dup198); - -var msg7412 = msg("4965", dup198); - -var msg7413 = msg("4966", dup198); - -var msg7414 = msg("4967", dup198); - -var msg7415 = msg("4968", dup198); - -var msg7416 = msg("4969", dup198); - -var msg7417 = msg("4970", dup198); - -var msg7418 = msg("4971", dup198); - -var msg7419 = msg("4972", dup198); - -var msg7420 = msg("4973", dup198); - -var msg7421 = msg("4974", dup198); - -var msg7422 = msg("4975", dup198); - -var msg7423 = msg("4976", dup198); - -var msg7424 = msg("4977", dup198); - -var msg7425 = msg("4978", dup198); - -var msg7426 = msg("4979", dup198); - -var msg7427 = msg("4980", dup198); - -var msg7428 = msg("4981", dup198); - -var msg7429 = msg("4982", dup265); - -var msg7430 = msg("4983", dup265); - -var msg7431 = msg("4984", dup236); - -var msg7432 = msg("4985", dup267); - -var msg7433 = msg("4986", dup267); - -var msg7434 = msg("4987", dup267); - -var msg7435 = msg("4988", dup265); - -var msg7436 = msg("4989", dup260); - -var msg7437 = msg("4990", dup260); - -var msg7438 = msg("4991", dup276); - -var msg7439 = msg("4992", dup276); - -var msg7440 = msg("4993", dup276); - -var msg7441 = msg("4994", dup276); - -var msg7442 = msg("4995", dup276); - -var msg7443 = msg("4996", dup276); - -var msg7444 = msg("4997", dup276); - -var msg7445 = msg("4998", dup276); - -var msg7446 = msg("4999", dup276); - -var msg7447 = msg("5000", dup276); - -var msg7448 = msg("5001", dup276); - -var msg7449 = msg("5002", dup276); - -var msg7450 = msg("5003", dup276); - -var msg7451 = msg("5004", dup276); - -var msg7452 = msg("5005", dup276); - -var msg7453 = 
msg("5006", dup276); - -var msg7454 = msg("5007", dup276); - -var msg7455 = msg("5008", dup276); - -var msg7456 = msg("5009", dup276); - -var msg7457 = msg("5010", dup276); - -var msg7458 = msg("5011", dup276); - -var msg7459 = msg("5012", dup276); - -var msg7460 = msg("5013", dup276); - -var msg7461 = msg("5014", dup276); - -var msg7462 = msg("5015", dup276); - -var msg7463 = msg("5016", dup276); - -var msg7464 = msg("5017", dup276); - -var msg7465 = msg("5018", dup276); - -var msg7466 = msg("5019", dup276); - -var msg7467 = msg("5020", dup276); - -var msg7468 = msg("5021", dup276); - -var msg7469 = msg("5022", dup276); - -var msg7470 = msg("5023", dup276); - -var msg7471 = msg("5024", dup276); - -var msg7472 = msg("5025", dup276); - -var msg7473 = msg("5026", dup276); - -var msg7474 = msg("5027", dup276); - -var msg7475 = msg("5028", dup276); - -var msg7476 = msg("5029", dup276); - -var msg7477 = msg("5030", dup276); - -var msg7478 = msg("5031", dup276); - -var msg7479 = msg("5032", dup276); - -var msg7480 = msg("5033", dup276); - -var msg7481 = msg("5034", dup276); - -var msg7482 = msg("5035", dup276); - -var msg7483 = msg("5036", dup276); - -var msg7484 = msg("5037", dup276); - -var msg7485 = msg("5038", dup276); - -var msg7486 = msg("5039", dup276); - -var msg7487 = msg("5040", dup276); - -var msg7488 = msg("5041", dup276); - -var msg7489 = msg("5042", dup276); - -var msg7490 = msg("5043", dup276); - -var msg7491 = msg("5044", dup276); - -var msg7492 = msg("5045", dup276); - -var msg7493 = msg("5046", dup276); - -var msg7494 = msg("5047", dup276); - -var msg7495 = msg("5048", dup276); - -var msg7496 = msg("5049", dup276); - -var msg7497 = msg("5050", dup276); - -var msg7498 = msg("5051", dup276); - -var msg7499 = msg("5052", dup276); - -var msg7500 = msg("5053", dup276); - -var msg7501 = msg("5054", dup276); - -var msg7502 = msg("5055", dup276); - -var msg7503 = msg("5056", dup276); - -var msg7504 = msg("5057", dup276); - -var msg7505 = msg("5058", dup276); - 
-var msg7506 = msg("5059", dup276); - -var msg7507 = msg("5060", dup276); - -var msg7508 = msg("5061", dup276); - -var msg7509 = msg("5062", dup276); - -var msg7510 = msg("5063", dup276); - -var msg7511 = msg("5064", dup276); - -var msg7512 = msg("5065", dup276); - -var msg7513 = msg("5066", dup276); - -var msg7514 = msg("5067", dup276); - -var msg7515 = msg("5068", dup276); - -var msg7516 = msg("5069", dup276); - -var msg7517 = msg("5070", dup276); - -var msg7518 = msg("5071", dup276); - -var msg7519 = msg("5072", dup276); - -var msg7520 = msg("5073", dup276); - -var msg7521 = msg("5074", dup276); - -var msg7522 = msg("5075", dup276); - -var msg7523 = msg("5076", dup276); - -var msg7524 = msg("5077", dup276); - -var msg7525 = msg("5078", dup276); - -var msg7526 = msg("5079", dup276); - -var msg7527 = msg("5080", dup276); - -var msg7528 = msg("5081", dup276); - -var msg7529 = msg("5082", dup276); - -var msg7530 = msg("5083", dup276); - -var msg7531 = msg("5084", dup276); - -var msg7532 = msg("5085", dup276); - -var msg7533 = msg("5086", dup276); - -var msg7534 = msg("5087", dup276); - -var msg7535 = msg("5088", dup276); - -var msg7536 = msg("5089", dup276); - -var msg7537 = msg("5090", dup276); - -var msg7538 = msg("5091", dup276); - -var msg7539 = msg("5092", dup276); - -var msg7540 = msg("5093", dup276); - -var msg7541 = msg("5094", dup276); - -var msg7542 = msg("5095", dup276); - -var msg7543 = msg("5096", dup276); - -var msg7544 = msg("5097", dup276); - -var msg7545 = msg("5098", dup276); - -var msg7546 = msg("5099", dup276); - -var msg7547 = msg("5100", dup276); - -var msg7548 = msg("5101", dup276); - -var msg7549 = msg("5102", dup276); - -var msg7550 = msg("5103", dup276); - -var msg7551 = msg("5104", dup276); - -var msg7552 = msg("5105", dup276); - -var msg7553 = msg("5106", dup276); - -var msg7554 = msg("5107", dup276); - -var msg7555 = msg("5108", dup276); - -var msg7556 = msg("5109", dup276); - -var msg7557 = msg("5110", dup276); - -var msg7558 = 
msg("5111", dup276); - -var msg7559 = msg("5112", dup276); - -var msg7560 = msg("5113", dup276); - -var msg7561 = msg("5114", dup276); - -var msg7562 = msg("5115", dup276); - -var msg7563 = msg("5116", dup276); - -var msg7564 = msg("5117", dup276); - -var msg7565 = msg("5118", dup276); - -var msg7566 = msg("5119", dup276); - -var msg7567 = msg("5120", dup276); - -var msg7568 = msg("5121", dup276); - -var msg7569 = msg("5122", dup276); - -var msg7570 = msg("5123", dup276); - -var msg7571 = msg("5124", dup276); - -var msg7572 = msg("5125", dup276); - -var msg7573 = msg("5126", dup276); - -var msg7574 = msg("5127", dup276); - -var msg7575 = msg("5128", dup276); - -var msg7576 = msg("5129", dup276); - -var msg7577 = msg("5130", dup276); - -var msg7578 = msg("5131", dup276); - -var msg7579 = msg("5132", dup276); - -var msg7580 = msg("5133", dup276); - -var msg7581 = msg("5134", dup276); - -var msg7582 = msg("5135", dup276); - -var msg7583 = msg("5136", dup276); - -var msg7584 = msg("5137", dup276); - -var msg7585 = msg("5138", dup276); - -var msg7586 = msg("5139", dup276); - -var msg7587 = msg("5140", dup276); - -var msg7588 = msg("5141", dup276); - -var msg7589 = msg("5142", dup276); - -var msg7590 = msg("5143", dup276); - -var msg7591 = msg("5144", dup276); - -var msg7592 = msg("5145", dup276); - -var msg7593 = msg("5146", dup276); - -var msg7594 = msg("5147", dup276); - -var msg7595 = msg("5148", dup276); - -var msg7596 = msg("5149", dup276); - -var msg7597 = msg("5150", dup276); - -var msg7598 = msg("5151", dup276); - -var msg7599 = msg("5152", dup276); - -var msg7600 = msg("5153", dup276); - -var msg7601 = msg("5154", dup276); - -var msg7602 = msg("5155", dup276); - -var msg7603 = msg("5156", dup276); - -var msg7604 = msg("5157", dup276); - -var msg7605 = msg("5158", dup276); - -var msg7606 = msg("5159", dup276); - -var msg7607 = msg("5160", dup276); - -var msg7608 = msg("5161", dup276); - -var msg7609 = msg("5162", dup276); - -var msg7610 = msg("5163", dup276); - 
-var msg7611 = msg("5164", dup276); - -var msg7612 = msg("5165", dup276); - -var msg7613 = msg("5166", dup276); - -var msg7614 = msg("5167", dup276); - -var msg7615 = msg("5168", dup276); - -var msg7616 = msg("5169", dup276); - -var msg7617 = msg("5170", dup276); - -var msg7618 = msg("5171", dup276); - -var msg7619 = msg("5172", dup276); - -var msg7620 = msg("5173", dup276); - -var msg7621 = msg("5174", dup276); - -var msg7622 = msg("5175", dup276); - -var msg7623 = msg("5176", dup276); - -var msg7624 = msg("5177", dup276); - -var msg7625 = msg("5178", dup276); - -var msg7626 = msg("5179", dup276); - -var msg7627 = msg("5180", dup276); - -var msg7628 = msg("5181", dup276); - -var msg7629 = msg("5182", dup276); - -var msg7630 = msg("5183", dup276); - -var msg7631 = msg("5184", dup276); - -var msg7632 = msg("5185", dup276); - -var msg7633 = msg("5186", dup276); - -var msg7634 = msg("5187", dup276); - -var msg7635 = msg("5188", dup276); - -var msg7636 = msg("5189", dup276); - -var msg7637 = msg("5190", dup276); - -var msg7638 = msg("5191", dup276); - -var msg7639 = msg("5192", dup276); - -var msg7640 = msg("5193", dup276); - -var msg7641 = msg("5194", dup276); - -var msg7642 = msg("5195", dup276); - -var msg7643 = msg("5196", dup276); - -var msg7644 = msg("5197", dup276); - -var msg7645 = msg("5198", dup276); - -var msg7646 = msg("5199", dup276); - -var msg7647 = msg("5200", dup276); - -var msg7648 = msg("5201", dup276); - -var msg7649 = msg("5202", dup276); - -var msg7650 = msg("5203", dup276); - -var msg7651 = msg("5204", dup276); - -var msg7652 = msg("5205", dup276); - -var msg7653 = msg("5206", dup276); - -var msg7654 = msg("5207", dup276); - -var msg7655 = msg("5208", dup276); - -var msg7656 = msg("5209", dup276); - -var msg7657 = msg("5210", dup276); - -var msg7658 = msg("5211", dup276); - -var msg7659 = msg("5212", dup276); - -var msg7660 = msg("5213", dup276); - -var msg7661 = msg("5214", dup276); - -var msg7662 = msg("5215", dup276); - -var msg7663 = 
msg("5216", dup276); - -var msg7664 = msg("5217", dup276); - -var msg7665 = msg("5218", dup276); - -var msg7666 = msg("5219", dup276); - -var msg7667 = msg("5220", dup276); - -var msg7668 = msg("5221", dup276); - -var msg7669 = msg("5222", dup276); - -var msg7670 = msg("5223", dup276); - -var msg7671 = msg("5224", dup276); - -var msg7672 = msg("5225", dup276); - -var msg7673 = msg("5226", dup276); - -var msg7674 = msg("5227", dup276); - -var msg7675 = msg("5228", dup276); - -var msg7676 = msg("5229", dup276); - -var msg7677 = msg("5230", dup276); - -var msg7678 = msg("5231", dup276); - -var msg7679 = msg("5232", dup276); - -var msg7680 = msg("5233", dup276); - -var msg7681 = msg("5234", dup276); - -var msg7682 = msg("5235", dup276); - -var msg7683 = msg("5236", dup276); - -var msg7684 = msg("5237", dup276); - -var msg7685 = msg("5238", dup276); - -var msg7686 = msg("5239", dup276); - -var msg7687 = msg("5240", dup276); - -var msg7688 = msg("5241", dup276); - -var msg7689 = msg("5242", dup276); - -var msg7690 = msg("5243", dup276); - -var msg7691 = msg("5244", dup276); - -var msg7692 = msg("5245", dup276); - -var msg7693 = msg("5246", dup276); - -var msg7694 = msg("5247", dup276); - -var msg7695 = msg("5248", dup276); - -var msg7696 = msg("5249", dup276); - -var msg7697 = msg("5250", dup276); - -var msg7698 = msg("5251", dup276); - -var msg7699 = msg("5252", dup276); - -var msg7700 = msg("5253", dup276); - -var msg7701 = msg("5254", dup276); - -var msg7702 = msg("5255", dup276); - -var msg7703 = msg("5256", dup276); - -var msg7704 = msg("5257", dup276); - -var msg7705 = msg("5258", dup276); - -var msg7706 = msg("5259", dup276); - -var msg7707 = msg("5260", dup276); - -var msg7708 = msg("5261", dup276); - -var msg7709 = msg("5262", dup276); - -var msg7710 = msg("5263", dup276); - -var msg7711 = msg("5264", dup276); - -var msg7712 = msg("5265", dup276); - -var msg7713 = msg("5266", dup276); - -var msg7714 = msg("5267", dup276); - -var msg7715 = msg("5268", dup276); - 
-var msg7716 = msg("5269", dup276); - -var msg7717 = msg("5270", dup276); - -var msg7718 = msg("5271", dup276); - -var msg7719 = msg("5272", dup276); - -var msg7720 = msg("5273", dup276); - -var msg7721 = msg("5274", dup276); - -var msg7722 = msg("5275", dup276); - -var msg7723 = msg("5276", dup276); - -var msg7724 = msg("5277", dup276); - -var msg7725 = msg("5278", dup276); - -var msg7726 = msg("5279", dup276); - -var msg7727 = msg("5280", dup276); - -var msg7728 = msg("5281", dup276); - -var msg7729 = msg("5282", dup276); - -var msg7730 = msg("5283", dup276); - -var msg7731 = msg("5284", dup276); - -var msg7732 = msg("5285", dup276); - -var msg7733 = msg("5286", dup276); - -var msg7734 = msg("5287", dup276); - -var msg7735 = msg("5288", dup276); - -var msg7736 = msg("5289", dup276); - -var msg7737 = msg("5290", dup276); - -var msg7738 = msg("5291", dup276); - -var msg7739 = msg("5292", dup276); - -var msg7740 = msg("5293", dup276); - -var msg7741 = msg("5294", dup276); - -var msg7742 = msg("5295", dup276); - -var msg7743 = msg("5296", dup276); - -var msg7744 = msg("5297", dup276); - -var msg7745 = msg("5298", dup276); - -var msg7746 = msg("5299", dup276); - -var msg7747 = msg("5300", dup276); - -var msg7748 = msg("5301", dup201); - -var msg7749 = msg("5302", dup276); - -var msg7750 = msg("5303", dup201); - -var msg7751 = msg("5304", dup201); - -var msg7752 = msg("5305", dup276); - -var msg7753 = msg("5306", dup201); - -var msg7754 = msg("5307", dup276); - -var msg7755 = msg("5308", dup276); - -var msg7756 = msg("5309", dup201); - -var msg7757 = msg("5310", dup276); - -var msg7758 = msg("5311", dup201); - -var msg7759 = msg("5312", dup201); - -var msg7760 = msg("5313", dup276); - -var msg7761 = msg("5314", dup201); - -var msg7762 = msg("5315", dup276); - -var msg7763 = msg("5316", dup222); - -var msg7764 = msg("5317", dup222); - -var msg7765 = msg("5318", dup269); - -var msg7766 = msg("5319", dup269); - -var msg7767 = msg("5320", dup263); - -var msg7768 = 
msg("5321", dup263); - -var msg7769 = msg("5322", dup263); - -var msg7770 = msg("5323", dup263); - -var msg7771 = msg("5324", dup263); - -var msg7772 = msg("5325", dup201); - -var msg7773 = msg("5326", dup201); - -var msg7774 = msg("5327", dup201); - -var msg7775 = msg("5328", dup201); - -var msg7776 = msg("5329", dup201); - -var msg7777 = msg("5330", dup201); - -var msg7778 = msg("5331", dup201); - -var msg7779 = msg("5332", dup201); - -var msg7780 = msg("5333", dup276); - -var msg7781 = msg("5334", dup276); - -var msg7782 = msg("5335", dup276); - -var msg7783 = msg("5336", dup276); - -var msg7784 = msg("5337", dup276); - -var msg7785 = msg("5338", dup276); - -var msg7786 = msg("5339", dup276); - -var msg7787 = msg("5340", dup276); - -var msg7788 = msg("5341", dup276); - -var msg7789 = msg("5342", dup276); - -var msg7790 = msg("5343", dup276); - -var msg7791 = msg("5344", dup276); - -var msg7792 = msg("5345", dup276); - -var msg7793 = msg("5346", dup276); - -var msg7794 = msg("5347", dup276); - -var msg7795 = msg("5348", dup276); - -var msg7796 = msg("5349", dup276); - -var msg7797 = msg("5350", dup276); - -var msg7798 = msg("5351", dup276); - -var msg7799 = msg("5352", dup276); - -var msg7800 = msg("5353", dup276); - -var msg7801 = msg("5354", dup276); - -var msg7802 = msg("5355", dup276); - -var msg7803 = msg("5356", dup276); - -var msg7804 = msg("5357", dup276); - -var msg7805 = msg("5358", dup276); - -var msg7806 = msg("5359", dup276); - -var msg7807 = msg("5360", dup276); - -var msg7808 = msg("5361", dup276); - -var msg7809 = msg("5362", dup276); - -var msg7810 = msg("5363", dup276); - -var msg7811 = msg("5364", dup276); - -var msg7812 = msg("5365", dup276); - -var msg7813 = msg("5366", dup276); - -var msg7814 = msg("5367", dup276); - -var msg7815 = msg("5368", dup276); - -var msg7816 = msg("5369", dup276); - -var msg7817 = msg("5370", dup276); - -var msg7818 = msg("5371", dup276); - -var msg7819 = msg("5372", dup276); - -var msg7820 = msg("5373", dup276); - 
-var msg7821 = msg("5374", dup276); - -var msg7822 = msg("5375", dup276); - -var msg7823 = msg("5376", dup276); - -var msg7824 = msg("5377", dup276); - -var msg7825 = msg("5378", dup276); - -var msg7826 = msg("5379", dup276); - -var msg7827 = msg("5380", dup276); - -var msg7828 = msg("5381", dup276); - -var msg7829 = msg("5382", dup276); - -var msg7830 = msg("5383", dup276); - -var msg7831 = msg("5384", dup276); - -var msg7832 = msg("5385", dup276); - -var msg7833 = msg("5386", dup276); - -var msg7834 = msg("5387", dup276); - -var msg7835 = msg("5388", dup276); - -var msg7836 = msg("5389", dup276); - -var msg7837 = msg("5390", dup276); - -var msg7838 = msg("5391", dup276); - -var msg7839 = msg("5392", dup276); - -var msg7840 = msg("5393", dup276); - -var msg7841 = msg("5394", dup276); - -var msg7842 = msg("5395", dup276); - -var msg7843 = msg("5396", dup276); - -var msg7844 = msg("5397", dup276); - -var msg7845 = msg("5398", dup276); - -var msg7846 = msg("5399", dup276); - -var msg7847 = msg("5400", dup276); - -var msg7848 = msg("5401", dup276); - -var msg7849 = msg("5402", dup276); - -var msg7850 = msg("5403", dup276); - -var msg7851 = msg("5404", dup276); - -var msg7852 = msg("5405", dup276); - -var msg7853 = msg("5406", dup276); - -var msg7854 = msg("5407", dup276); - -var msg7855 = msg("5408", dup276); - -var msg7856 = msg("5409", dup276); - -var msg7857 = msg("5410", dup276); - -var msg7858 = msg("5411", dup276); - -var msg7859 = msg("5412", dup276); - -var msg7860 = msg("5413", dup276); - -var msg7861 = msg("5414", dup276); - -var msg7862 = msg("5415", dup276); - -var msg7863 = msg("5416", dup276); - -var msg7864 = msg("5417", dup276); - -var msg7865 = msg("5418", dup276); - -var msg7866 = msg("5419", dup276); - -var msg7867 = msg("5420", dup276); - -var msg7868 = msg("5421", dup276); - -var msg7869 = msg("5422", dup276); - -var msg7870 = msg("5423", dup276); - -var msg7871 = msg("5424", dup276); - -var msg7872 = msg("5425", dup276); - -var msg7873 = 
msg("5426", dup276); - -var msg7874 = msg("5427", dup276); - -var msg7875 = msg("5428", dup276); - -var msg7876 = msg("5429", dup276); - -var msg7877 = msg("5430", dup276); - -var msg7878 = msg("5431", dup276); - -var msg7879 = msg("5432", dup276); - -var msg7880 = msg("5433", dup276); - -var msg7881 = msg("5434", dup276); - -var msg7882 = msg("5435", dup276); - -var msg7883 = msg("5436", dup276); - -var msg7884 = msg("5437", dup276); - -var msg7885 = msg("5438", dup276); - -var msg7886 = msg("5439", dup276); - -var msg7887 = msg("5440", dup276); - -var msg7888 = msg("5441", dup276); - -var msg7889 = msg("5442", dup276); - -var msg7890 = msg("5443", dup276); - -var msg7891 = msg("5444", dup276); - -var msg7892 = msg("5445", dup276); - -var msg7893 = msg("5446", dup276); - -var msg7894 = msg("5447", dup276); - -var msg7895 = msg("5448", dup276); - -var msg7896 = msg("5449", dup276); - -var msg7897 = msg("5450", dup276); - -var msg7898 = msg("5451", dup276); - -var msg7899 = msg("5452", dup276); - -var msg7900 = msg("5453", dup276); - -var msg7901 = msg("5454", dup276); - -var msg7902 = msg("5455", dup276); - -var msg7903 = msg("5456", dup276); - -var msg7904 = msg("5457", dup276); - -var msg7905 = msg("5458", dup276); - -var msg7906 = msg("5459", dup276); - -var msg7907 = msg("5460", dup276); - -var msg7908 = msg("5461", dup276); - -var msg7909 = msg("5462", dup276); - -var msg7910 = msg("5463", dup276); - -var msg7911 = msg("5464", dup276); - -var msg7912 = msg("5465", dup276); - -var msg7913 = msg("5466", dup276); - -var msg7914 = msg("5467", dup276); - -var msg7915 = msg("5468", dup276); - -var msg7916 = msg("5469", dup276); - -var msg7917 = msg("5470", dup276); - -var msg7918 = msg("5471", dup276); - -var msg7919 = msg("5472", dup276); - -var msg7920 = msg("5473", dup276); - -var msg7921 = msg("5474", dup276); - -var msg7922 = msg("5475", dup276); - -var msg7923 = msg("5476", dup276); - -var msg7924 = msg("5477", dup276); - -var msg7925 = msg("5478", dup276); - 
-var msg7926 = msg("5479", dup276); - -var msg7927 = msg("5480", dup276); - -var msg7928 = msg("5481", dup276); - -var msg7929 = msg("5482", dup276); - -var msg7930 = msg("5483", dup276); - -var msg7931 = msg("5484", dup276); - -var msg7932 = msg("5485", dup276); - -var msg7933 = msg("5486", dup276); - -var msg7934 = msg("5487", dup276); - -var msg7935 = msg("5488", dup276); - -var msg7936 = msg("5489", dup276); - -var msg7937 = msg("5490", dup276); - -var msg7938 = msg("5491", dup276); - -var msg7939 = msg("5492", dup276); - -var msg7940 = msg("5493", dup276); - -var msg7941 = msg("5494", dup276); - -var msg7942 = msg("5495", dup276); - -var msg7943 = msg("5496", dup276); - -var msg7944 = msg("5497", dup276); - -var msg7945 = msg("5498", dup276); - -var msg7946 = msg("5499", dup276); - -var msg7947 = msg("5500", dup276); - -var msg7948 = msg("5501", dup276); - -var msg7949 = msg("5502", dup276); - -var msg7950 = msg("5503", dup276); - -var msg7951 = msg("5504", dup276); - -var msg7952 = msg("5505", dup276); - -var msg7953 = msg("5506", dup276); - -var msg7954 = msg("5507", dup276); - -var msg7955 = msg("5508", dup276); - -var msg7956 = msg("5509", dup276); - -var msg7957 = msg("5510", dup276); - -var msg7958 = msg("5511", dup276); - -var msg7959 = msg("5512", dup276); - -var msg7960 = msg("5513", dup276); - -var msg7961 = msg("5514", dup276); - -var msg7962 = msg("5515", dup276); - -var msg7963 = msg("5516", dup276); - -var msg7964 = msg("5517", dup276); - -var msg7965 = msg("5518", dup276); - -var msg7966 = msg("5519", dup276); - -var msg7967 = msg("5520", dup276); - -var msg7968 = msg("5521", dup276); - -var msg7969 = msg("5522", dup276); - -var msg7970 = msg("5523", dup276); - -var msg7971 = msg("5524", dup276); - -var msg7972 = msg("5525", dup276); - -var msg7973 = msg("5526", dup276); - -var msg7974 = msg("5527", dup276); - -var msg7975 = msg("5528", dup276); - -var msg7976 = msg("5529", dup276); - -var msg7977 = msg("5530", dup276); - -var msg7978 = 
msg("5531", dup276); - -var msg7979 = msg("5532", dup276); - -var msg7980 = msg("5533", dup276); - -var msg7981 = msg("5534", dup276); - -var msg7982 = msg("5535", dup276); - -var msg7983 = msg("5536", dup276); - -var msg7984 = msg("5537", dup276); - -var msg7985 = msg("5538", dup276); - -var msg7986 = msg("5539", dup276); - -var msg7987 = msg("5540", dup276); - -var msg7988 = msg("5541", dup276); - -var msg7989 = msg("5542", dup276); - -var msg7990 = msg("5543", dup276); - -var msg7991 = msg("5544", dup276); - -var msg7992 = msg("5545", dup276); - -var msg7993 = msg("5546", dup276); - -var msg7994 = msg("5547", dup276); - -var msg7995 = msg("5548", dup276); - -var msg7996 = msg("5549", dup276); - -var msg7997 = msg("5550", dup276); - -var msg7998 = msg("5551", dup276); - -var msg7999 = msg("5552", dup276); - -var msg8000 = msg("5553", dup276); - -var msg8001 = msg("5554", dup276); - -var msg8002 = msg("5555", dup276); - -var msg8003 = msg("5556", dup276); - -var msg8004 = msg("5557", dup276); - -var msg8005 = msg("5558", dup276); - -var msg8006 = msg("5559", dup276); - -var msg8007 = msg("5560", dup276); - -var msg8008 = msg("5561", dup276); - -var msg8009 = msg("5562", dup276); - -var msg8010 = msg("5563", dup276); - -var msg8011 = msg("5564", dup276); - -var msg8012 = msg("5565", dup276); - -var msg8013 = msg("5566", dup276); - -var msg8014 = msg("5567", dup276); - -var msg8015 = msg("5568", dup276); - -var msg8016 = msg("5569", dup276); - -var msg8017 = msg("5570", dup276); - -var msg8018 = msg("5571", dup276); - -var msg8019 = msg("5572", dup276); - -var msg8020 = msg("5573", dup276); - -var msg8021 = msg("5574", dup276); - -var msg8022 = msg("5575", dup276); - -var msg8023 = msg("5576", dup276); - -var msg8024 = msg("5577", dup276); - -var msg8025 = msg("5578", dup276); - -var msg8026 = msg("5579", dup276); - -var msg8027 = msg("5580", dup276); - -var msg8028 = msg("5581", dup276); - -var msg8029 = msg("5582", dup276); - -var msg8030 = msg("5583", dup276); - 
-var msg8031 = msg("5584", dup276); - -var msg8032 = msg("5585", dup276); - -var msg8033 = msg("5586", dup276); - -var msg8034 = msg("5587", dup276); - -var msg8035 = msg("5588", dup276); - -var msg8036 = msg("5589", dup276); - -var msg8037 = msg("5590", dup276); - -var msg8038 = msg("5591", dup276); - -var msg8039 = msg("5592", dup276); - -var msg8040 = msg("5593", dup276); - -var msg8041 = msg("5594", dup276); - -var msg8042 = msg("5595", dup276); - -var msg8043 = msg("5596", dup276); - -var msg8044 = msg("5597", dup276); - -var msg8045 = msg("5598", dup276); - -var msg8046 = msg("5599", dup276); - -var msg8047 = msg("5600", dup276); - -var msg8048 = msg("5601", dup276); - -var msg8049 = msg("5602", dup276); - -var msg8050 = msg("5603", dup276); - -var msg8051 = msg("5604", dup276); - -var msg8052 = msg("5605", dup276); - -var msg8053 = msg("5606", dup276); - -var msg8054 = msg("5607", dup276); - -var msg8055 = msg("5608", dup276); - -var msg8056 = msg("5609", dup276); - -var msg8057 = msg("5610", dup276); - -var msg8058 = msg("5611", dup276); - -var msg8059 = msg("5612", dup276); - -var msg8060 = msg("5613", dup276); - -var msg8061 = msg("5614", dup276); - -var msg8062 = msg("5615", dup276); - -var msg8063 = msg("5616", dup276); - -var msg8064 = msg("5617", dup276); - -var msg8065 = msg("5618", dup276); - -var msg8066 = msg("5619", dup276); - -var msg8067 = msg("5620", dup276); - -var msg8068 = msg("5621", dup276); - -var msg8069 = msg("5622", dup276); - -var msg8070 = msg("5623", dup276); - -var msg8071 = msg("5624", dup276); - -var msg8072 = msg("5625", dup276); - -var msg8073 = msg("5626", dup276); - -var msg8074 = msg("5627", dup276); - -var msg8075 = msg("5628", dup276); - -var msg8076 = msg("5629", dup276); - -var msg8077 = msg("5630", dup276); - -var msg8078 = msg("5631", dup276); - -var msg8079 = msg("5632", dup276); - -var msg8080 = msg("5633", dup276); - -var msg8081 = msg("5634", dup276); - -var msg8082 = msg("5635", dup276); - -var msg8083 = 
msg("5636", dup276); - -var msg8084 = msg("5637", dup276); - -var msg8085 = msg("5638", dup276); - -var msg8086 = msg("5639", dup276); - -var msg8087 = msg("5640", dup276); - -var msg8088 = msg("5641", dup276); - -var msg8089 = msg("5642", dup276); - -var msg8090 = msg("5643", dup276); - -var msg8091 = msg("5644", dup276); - -var msg8092 = msg("5645", dup276); - -var msg8093 = msg("5646", dup276); - -var msg8094 = msg("5647", dup276); - -var msg8095 = msg("5648", dup276); - -var msg8096 = msg("5649", dup276); - -var msg8097 = msg("5650", dup276); - -var msg8098 = msg("5651", dup276); - -var msg8099 = msg("5652", dup276); - -var msg8100 = msg("5653", dup276); - -var msg8101 = msg("5654", dup276); - -var msg8102 = msg("5655", dup276); - -var msg8103 = msg("5656", dup276); - -var msg8104 = msg("5657", dup276); - -var msg8105 = msg("5658", dup276); - -var msg8106 = msg("5659", dup276); - -var msg8107 = msg("5660", dup276); - -var msg8108 = msg("5661", dup276); - -var msg8109 = msg("5662", dup276); - -var msg8110 = msg("5663", dup276); - -var msg8111 = msg("5664", dup276); - -var msg8112 = msg("5665", dup276); - -var msg8113 = msg("5666", dup276); - -var msg8114 = msg("5667", dup276); - -var msg8115 = msg("5668", dup276); - -var msg8116 = msg("5669", dup276); - -var msg8117 = msg("5670", dup276); - -var msg8118 = msg("5671", dup276); - -var msg8119 = msg("5672", dup276); - -var msg8120 = msg("5673", dup276); - -var msg8121 = msg("5674", dup276); - -var msg8122 = msg("5675", dup276); - -var msg8123 = msg("5676", dup276); - -var msg8124 = msg("5677", dup276); - -var msg8125 = msg("5678", dup276); - -var msg8126 = msg("5679", dup276); - -var msg8127 = msg("5680", dup276); - -var msg8128 = msg("5681", dup276); - -var msg8129 = msg("5682", dup276); - -var msg8130 = msg("5683", dup276); - -var msg8131 = msg("5684", dup276); - -var msg8132 = msg("5685", dup250); - -var msg8133 = msg("5686", dup250); - -var msg8134 = msg("5687", dup250); - -var msg8135 = msg("5688", dup250); - 
-var msg8136 = msg("5689", dup250); - -var msg8137 = msg("5690", dup250); - -var msg8138 = msg("5691", dup250); - -var msg8139 = msg("5692", dup196); - -var msg8140 = msg("5693", dup196); - -var msg8141 = msg("5694", dup196); - -var msg8142 = msg("5695", dup267); - -var msg8143 = msg("5696", dup196); - -var msg8144 = msg("5697", dup196); - -var msg8145 = msg("5698", dup196); - -var msg8146 = msg("5699", dup196); - -var msg8147 = msg("5700", dup196); - -var msg8148 = msg("5701", dup196); - -var msg8149 = msg("5702", dup196); - -var msg8150 = msg("5703", dup196); - -var msg8151 = msg("5704", dup222); - -var msg8152 = msg("5705", dup222); - -var msg8153 = msg("5706", dup196); - -var msg8154 = msg("5707", dup196); - -var msg8155 = msg("5708", dup196); - -var msg8156 = msg("5709", dup265); - -var msg8157 = msg("5710", dup267); - -var msg8158 = msg("5711", dup267); - -var msg8159 = msg("5712", dup267); - -var msg8160 = msg("5713", dup197); - -var msg8161 = msg("5714", dup250); - -var msg8162 = msg("5715", dup201); - -var msg8163 = msg("5716", dup198); - -var msg8164 = msg("5717", dup198); - -var msg8165 = msg("5718", dup198); - -var msg8166 = msg("5719", dup198); - -var msg8167 = msg("5720", dup198); - -var msg8168 = msg("5721", dup198); - -var msg8169 = msg("5722", dup198); - -var msg8170 = msg("5723", dup198); - -var msg8171 = msg("5724", dup198); - -var msg8172 = msg("5725", dup198); - -var msg8173 = msg("5726", dup198); - -var msg8174 = msg("5727", dup198); - -var msg8175 = msg("5728", dup198); - -var msg8176 = msg("5729", dup198); - -var msg8177 = msg("5730", dup198); - -var msg8178 = msg("5731", dup198); - -var msg8179 = msg("5732", dup198); - -var msg8180 = msg("5733", dup198); - -var msg8181 = msg("5734", dup198); - -var msg8182 = msg("5735", dup198); - -var msg8183 = msg("5736", dup198); - -var msg8184 = msg("5737", dup198); - -var msg8185 = msg("5738", dup198); - -var msg8186 = msg("5739", dup197); - -var msg8187 = msg("5740", dup265); - -var msg8188 = 
msg("5741", dup267); - -var msg8189 = msg("5742", dup303); - -var msg8190 = msg("5743", dup303); - -var msg8191 = msg("5744", dup303); - -var msg8192 = msg("5745", dup303); - -var msg8193 = msg("5746", dup303); - -var msg8194 = msg("5747", dup303); - -var msg8195 = msg("5748", dup303); - -var msg8196 = msg("5749", dup303); - -var msg8197 = msg("5750", dup303); - -var msg8198 = msg("5751", dup303); - -var msg8199 = msg("5752", dup303); - -var msg8200 = msg("5753", dup303); - -var msg8201 = msg("5754", dup303); - -var msg8202 = msg("5755", dup303); - -var msg8203 = msg("5756", dup303); - -var msg8204 = msg("5757", dup303); - -var msg8205 = msg("5758", dup303); - -var msg8206 = msg("5759", dup303); - -var msg8207 = msg("5760", dup303); - -var msg8208 = msg("5761", dup303); - -var msg8209 = msg("5762", dup303); - -var msg8210 = msg("5763", dup303); - -var msg8211 = msg("5764", dup303); - -var msg8212 = msg("5765", dup303); - -var msg8213 = msg("5766", dup303); - -var msg8214 = msg("5767", dup303); - -var msg8215 = msg("5768", dup303); - -var msg8216 = msg("5769", dup303); - -var msg8217 = msg("5770", dup303); - -var msg8218 = msg("5771", dup303); - -var msg8219 = msg("5772", dup303); - -var msg8220 = msg("5773", dup303); - -var msg8221 = msg("5774", dup303); - -var msg8222 = msg("5775", dup303); - -var msg8223 = msg("5776", dup303); - -var msg8224 = msg("5777", dup303); - -var msg8225 = msg("5778", dup303); - -var msg8226 = msg("5779", dup303); - -var msg8227 = msg("5780", dup303); - -var msg8228 = msg("5781", dup303); - -var msg8229 = msg("5782", dup303); - -var msg8230 = msg("5783", dup303); - -var msg8231 = msg("5784", dup303); - -var msg8232 = msg("5785", dup303); - -var msg8233 = msg("5786", dup303); - -var msg8234 = msg("5787", dup303); - -var msg8235 = msg("5788", dup303); - -var msg8236 = msg("5789", dup303); - -var msg8237 = msg("5790", dup303); - -var msg8238 = msg("5791", dup303); - -var msg8239 = msg("5792", dup303); - -var msg8240 = msg("5793", dup303); - 
-var msg8241 = msg("5794", dup303); - -var msg8242 = msg("5795", dup303); - -var msg8243 = msg("5796", dup303); - -var msg8244 = msg("5797", dup303); - -var msg8245 = msg("5798", dup303); - -var msg8246 = msg("5799", dup303); - -var msg8247 = msg("5800", dup303); - -var msg8248 = msg("5801", dup303); - -var msg8249 = msg("5802", dup303); - -var msg8250 = msg("5803", dup303); - -var msg8251 = msg("5804", dup303); - -var msg8252 = msg("5805", dup303); - -var msg8253 = msg("5806", dup303); - -var msg8254 = msg("5807", dup303); - -var msg8255 = msg("5808", dup303); - -var msg8256 = msg("5809", dup303); - -var msg8257 = msg("5810", dup303); - -var msg8258 = msg("5811", dup303); - -var msg8259 = msg("5812", dup303); - -var msg8260 = msg("5813", dup303); - -var msg8261 = msg("5814", dup303); - -var msg8262 = msg("5815", dup303); - -var msg8263 = msg("5816", dup303); - -var msg8264 = msg("5817", dup303); - -var msg8265 = msg("5818", dup303); - -var msg8266 = msg("5819", dup303); - -var msg8267 = msg("5820", dup303); - -var msg8268 = msg("5821", dup303); - -var msg8269 = msg("5822", dup303); - -var msg8270 = msg("5823", dup303); - -var msg8271 = msg("5824", dup303); - -var msg8272 = msg("5825", dup303); - -var msg8273 = msg("5826", dup303); - -var msg8274 = msg("5827", dup303); - -var msg8275 = msg("5828", dup303); - -var msg8276 = msg("5829", dup303); - -var msg8277 = msg("5830", dup303); - -var msg8278 = msg("5831", dup303); - -var msg8279 = msg("5832", dup303); - -var msg8280 = msg("5833", dup303); - -var msg8281 = msg("5834", dup303); - -var msg8282 = msg("5835", dup303); - -var msg8283 = msg("5836", dup303); - -var msg8284 = msg("5837", dup303); - -var msg8285 = msg("5838", dup303); - -var msg8286 = msg("5839", dup303); - -var msg8287 = msg("5840", dup303); - -var msg8288 = msg("5841", dup303); - -var msg8289 = msg("5842", dup303); - -var msg8290 = msg("5843", dup303); - -var msg8291 = msg("5844", dup303); - -var msg8292 = msg("5845", dup303); - -var msg8293 = 
msg("5846", dup303); - -var msg8294 = msg("5847", dup303); - -var msg8295 = msg("5848", dup303); - -var msg8296 = msg("5849", dup303); - -var msg8297 = msg("5850", dup303); - -var msg8298 = msg("5851", dup303); - -var msg8299 = msg("5852", dup303); - -var msg8300 = msg("5853", dup303); - -var msg8301 = msg("5854", dup303); - -var msg8302 = msg("5855", dup303); - -var msg8303 = msg("5856", dup303); - -var msg8304 = msg("5857", dup303); - -var msg8305 = msg("5858", dup303); - -var msg8306 = msg("5859", dup303); - -var msg8307 = msg("5860", dup303); - -var msg8308 = msg("5861", dup303); - -var msg8309 = msg("5862", dup303); - -var msg8310 = msg("5863", dup303); - -var msg8311 = msg("5864", dup303); - -var msg8312 = msg("5865", dup303); - -var msg8313 = msg("5866", dup303); - -var msg8314 = msg("5867", dup303); - -var msg8315 = msg("5868", dup303); - -var msg8316 = msg("5869", dup303); - -var msg8317 = msg("5870", dup303); - -var msg8318 = msg("5871", dup303); - -var msg8319 = msg("5872", dup303); - -var msg8320 = msg("5873", dup303); - -var msg8321 = msg("5874", dup303); - -var msg8322 = msg("5875", dup303); - -var msg8323 = msg("5876", dup303); - -var msg8324 = msg("5877", dup303); - -var msg8325 = msg("5878", dup303); - -var msg8326 = msg("5879", dup303); - -var msg8327 = msg("5880", dup303); - -var msg8328 = msg("5881", dup303); - -var msg8329 = msg("5882", dup303); - -var msg8330 = msg("5883", dup303); - -var msg8331 = msg("5884", dup303); - -var msg8332 = msg("5885", dup303); - -var msg8333 = msg("5886", dup303); - -var msg8334 = msg("5887", dup303); - -var msg8335 = msg("5888", dup303); - -var msg8336 = msg("5889", dup303); - -var msg8337 = msg("5890", dup303); - -var msg8338 = msg("5891", dup303); - -var msg8339 = msg("5892", dup303); - -var msg8340 = msg("5893", dup303); - -var msg8341 = msg("5894", dup303); - -var msg8342 = msg("5895", dup303); - -var msg8343 = msg("5896", dup303); - -var msg8344 = msg("5897", dup303); - -var msg8345 = msg("5898", dup303); - 
-var msg8346 = msg("5899", dup303); - -var msg8347 = msg("5900", dup303); - -var msg8348 = msg("5901", dup303); - -var msg8349 = msg("5902", dup303); - -var msg8350 = msg("5903", dup303); - -var msg8351 = msg("5904", dup303); - -var msg8352 = msg("5905", dup303); - -var msg8353 = msg("5906", dup303); - -var msg8354 = msg("5907", dup303); - -var msg8355 = msg("5908", dup303); - -var msg8356 = msg("5909", dup303); - -var msg8357 = msg("5910", dup303); - -var msg8358 = msg("5911", dup303); - -var msg8359 = msg("5912", dup303); - -var msg8360 = msg("5913", dup303); - -var msg8361 = msg("5914", dup303); - -var msg8362 = msg("5915", dup303); - -var msg8363 = msg("5916", dup303); - -var msg8364 = msg("5917", dup303); - -var msg8365 = msg("5918", dup303); - -var msg8366 = msg("5919", dup303); - -var msg8367 = msg("5920", dup303); - -var msg8368 = msg("5921", dup303); - -var msg8369 = msg("5922", dup303); - -var msg8370 = msg("5923", dup303); - -var msg8371 = msg("5924", dup303); - -var msg8372 = msg("5925", dup303); - -var msg8373 = msg("5926", dup303); - -var msg8374 = msg("5927", dup303); - -var msg8375 = msg("5928", dup303); - -var msg8376 = msg("5929", dup303); - -var msg8377 = msg("5930", dup303); - -var msg8378 = msg("5931", dup303); - -var msg8379 = msg("5932", dup303); - -var msg8380 = msg("5933", dup303); - -var msg8381 = msg("5934", dup303); - -var msg8382 = msg("5935", dup303); - -var msg8383 = msg("5936", dup303); - -var msg8384 = msg("5937", dup303); - -var msg8385 = msg("5938", dup303); - -var msg8386 = msg("5939", dup303); - -var msg8387 = msg("5940", dup303); - -var msg8388 = msg("5941", dup303); - -var msg8389 = msg("5942", dup303); - -var msg8390 = msg("5943", dup303); - -var msg8391 = msg("5944", dup303); - -var msg8392 = msg("5945", dup303); - -var msg8393 = msg("5946", dup303); - -var msg8394 = msg("5947", dup303); - -var msg8395 = msg("5948", dup303); - -var msg8396 = msg("5949", dup303); - -var msg8397 = msg("5950", dup303); - -var msg8398 = 
msg("5951", dup303); - -var msg8399 = msg("5952", dup303); - -var msg8400 = msg("5953", dup303); - -var msg8401 = msg("5954", dup303); - -var msg8402 = msg("5955", dup303); - -var msg8403 = msg("5956", dup303); - -var msg8404 = msg("5957", dup303); - -var msg8405 = msg("5958", dup303); - -var msg8406 = msg("5959", dup303); - -var msg8407 = msg("5960", dup303); - -var msg8408 = msg("5961", dup303); - -var msg8409 = msg("5962", dup303); - -var msg8410 = msg("5963", dup303); - -var msg8411 = msg("5964", dup303); - -var msg8412 = msg("5965", dup303); - -var msg8413 = msg("5966", dup303); - -var msg8414 = msg("5967", dup303); - -var msg8415 = msg("5968", dup303); - -var msg8416 = msg("5969", dup303); - -var msg8417 = msg("5970", dup303); - -var msg8418 = msg("5971", dup303); - -var msg8419 = msg("5972", dup303); - -var msg8420 = msg("5973", dup303); - -var msg8421 = msg("5974", dup303); - -var msg8422 = msg("5975", dup303); - -var msg8423 = msg("5976", dup303); - -var msg8424 = msg("5977", dup303); - -var msg8425 = msg("5978", dup303); - -var msg8426 = msg("5979", dup303); - -var msg8427 = msg("5980", dup303); - -var msg8428 = msg("5981", dup303); - -var msg8429 = msg("5982", dup303); - -var msg8430 = msg("5983", dup303); - -var msg8431 = msg("5984", dup303); - -var msg8432 = msg("5985", dup303); - -var msg8433 = msg("5986", dup303); - -var msg8434 = msg("5987", dup303); - -var msg8435 = msg("5988", dup303); - -var msg8436 = msg("5989", dup303); - -var msg8437 = msg("5990", dup303); - -var msg8438 = msg("5991", dup303); - -var msg8439 = msg("5992", dup303); - -var msg8440 = msg("5993", dup303); - -var msg8441 = msg("5994", dup303); - -var msg8442 = msg("5995", dup303); - -var msg8443 = msg("5996", dup303); - -var msg8444 = msg("5997", dup267); - -var msg8445 = msg("5998", dup196); - -var msg8446 = msg("5999", dup196); - -var msg8447 = msg("6000", dup196); - -var msg8448 = msg("6001", dup196); - -var msg8449 = msg("6002", dup265); - -var msg8450 = msg("6003", dup265); - 
-var msg8451 = msg("6004", dup265); - -var msg8452 = msg("6005", dup265); - -var msg8453 = msg("6006", dup265); - -var msg8454 = msg("6007", dup265); - -var msg8455 = msg("6008", dup265); - -var msg8456 = msg("6009", dup265); - -var msg8457 = msg("6010", dup196); - -var msg8458 = msg("6011", dup222); - -var msg8459 = msg("6012", dup205); - -var msg8460 = msg("6013", dup205); - -var msg8461 = msg("6014", dup205); - -var msg8462 = msg("6015", dup205); - -var msg8463 = msg("6016", dup205); - -var msg8464 = msg("6017", dup205); - -var msg8465 = msg("6018", dup205); - -var msg8466 = msg("6019", dup205); - -var msg8467 = msg("6020", dup205); - -var msg8468 = msg("6021", dup205); - -var msg8469 = msg("6022", dup205); - -var msg8470 = msg("6023", dup205); - -var msg8471 = msg("6024", dup205); - -var msg8472 = msg("6025", dup205); - -var msg8473 = msg("6026", dup205); - -var msg8474 = msg("6027", dup205); - -var msg8475 = msg("6028", dup205); - -var msg8476 = msg("6029", dup205); - -var msg8477 = msg("6030", dup205); - -var msg8478 = msg("6031", dup205); - -var msg8479 = msg("6032", dup205); - -var msg8480 = msg("6033", dup205); - -var msg8481 = msg("6034", dup205); - -var msg8482 = msg("6035", dup205); - -var msg8483 = msg("6036", dup205); - -var msg8484 = msg("6037", dup205); - -var msg8485 = msg("6038", dup205); - -var msg8486 = msg("6039", dup205); - -var msg8487 = msg("6040", dup205); - -var msg8488 = msg("6041", dup205); - -var msg8489 = msg("6042", dup205); - -var msg8490 = msg("6043", dup205); - -var msg8491 = msg("6044", dup205); - -var msg8492 = msg("6045", dup205); - -var msg8493 = msg("6046", dup205); - -var msg8494 = msg("6047", dup205); - -var msg8495 = msg("6048", dup205); - -var msg8496 = msg("6049", dup205); - -var msg8497 = msg("6050", dup205); - -var msg8498 = msg("6051", dup205); - -var msg8499 = msg("6052", dup205); - -var msg8500 = msg("6053", dup205); - -var msg8501 = msg("6054", dup205); - -var msg8502 = msg("6055", dup205); - -var msg8503 = 
msg("6056", dup205); - -var msg8504 = msg("6057", dup205); - -var msg8505 = msg("6058", dup205); - -var msg8506 = msg("6059", dup205); - -var all46 = all_match({ - processors: [ - dup66, - dup178, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup44, - dup31, - dup45, - dup77, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - date_time({ - dest: "event_time", - args: ["event_time_string"], - fmts: [ - [dB,dF,dH,dc(":"),dU,dc(":"),dO], - ], - }), - ]), -}); - -var msg8507 = msg("6060", all46); - -var msg8508 = msg("6061", dup205); - -var msg8509 = msg("6062", dup205); - -var msg8510 = msg("6063", dup205); - -var msg8511 = msg("6064", dup205); - -var msg8512 = msg("6065", dup205); - -var msg8513 = msg("6066", dup205); - -var msg8514 = msg("6067", dup205); - -var msg8515 = msg("6068", dup205); - -var msg8516 = msg("6069", dup205); - -var msg8517 = msg("6070", dup205); - -var msg8518 = msg("6071", dup205); - -var msg8519 = msg("6072", dup205); - -var msg8520 = msg("6073", dup205); - -var msg8521 = msg("6074", dup205); - -var msg8522 = msg("6075", dup205); - -var msg8523 = msg("6076", dup205); - -var msg8524 = msg("6077", dup205); - -var msg8525 = msg("6078", dup205); - -var msg8526 = msg("6079", dup205); - -var msg8527 = msg("6080", dup205); - -var msg8528 = msg("6081", dup205); - -var msg8529 = msg("6082", dup205); - -var msg8530 = msg("6083", dup205); - -var msg8531 = msg("6084", dup205); - -var msg8532 = msg("6085", dup205); - -var msg8533 = msg("6086", dup205); - -var msg8534 = msg("6087", dup205); - -var msg8535 = msg("6088", dup205); - -var msg8536 = msg("6089", dup205); - -var msg8537 = msg("6090", dup205); - -var msg8538 = msg("6091", dup205); - -var msg8539 = msg("6092", dup205); - -var msg8540 = msg("6093", dup205); - -var msg8541 = msg("6094", dup205); - -var msg8542 = msg("6095", dup205); - -var msg8543 = msg("6096", dup205); - -var msg8544 = msg("6097", dup205); - 
-var msg8545 = msg("6098", dup205); - -var msg8546 = msg("6099", dup205); - -var msg8547 = msg("6100", dup205); - -var msg8548 = msg("6101", dup205); - -var msg8549 = msg("6102", dup205); - -var msg8550 = msg("6103", dup205); - -var msg8551 = msg("6104", dup205); - -var msg8552 = msg("6105", dup205); - -var msg8553 = msg("6106", dup205); - -var msg8554 = msg("6107", dup205); - -var msg8555 = msg("6108", dup205); - -var msg8556 = msg("6109", dup205); - -var msg8557 = msg("6110", dup205); - -var msg8558 = msg("6111", dup205); - -var msg8559 = msg("6112", dup205); - -var msg8560 = msg("6113", dup205); - -var msg8561 = msg("6114", dup205); - -var msg8562 = msg("6115", dup205); - -var msg8563 = msg("6116", dup205); - -var msg8564 = msg("6117", dup205); - -var msg8565 = msg("6118", dup205); - -var msg8566 = msg("6119", dup205); - -var msg8567 = msg("6120", dup205); - -var msg8568 = msg("6121", dup205); - -var msg8569 = msg("6122", dup205); - -var msg8570 = msg("6123", dup205); - -var msg8571 = msg("6124", dup205); - -var msg8572 = msg("6125", dup205); - -var msg8573 = msg("6126", dup205); - -var msg8574 = msg("6127", dup205); - -var msg8575 = msg("6128", dup205); - -var msg8576 = msg("6129", dup205); - -var msg8577 = msg("6130", dup205); - -var msg8578 = msg("6131", dup205); - -var msg8579 = msg("6132", dup205); - -var msg8580 = msg("6133", dup205); - -var msg8581 = msg("6134", dup205); - -var msg8582 = msg("6135", dup205); - -var msg8583 = msg("6136", dup205); - -var msg8584 = msg("6137", dup205); - -var msg8585 = msg("6138", dup205); - -var msg8586 = msg("6139", dup205); - -var msg8587 = msg("6140", dup205); - -var msg8588 = msg("6141", dup205); - -var msg8589 = msg("6142", dup205); - -var msg8590 = msg("6143", dup205); - -var msg8591 = msg("6144", dup205); - -var msg8592 = msg("6145", dup205); - -var msg8593 = msg("6146", dup205); - -var msg8594 = msg("6147", dup205); - -var msg8595 = msg("6148", dup205); - -var msg8596 = msg("6149", dup205); - -var msg8597 = 
msg("6150", dup205); - -var msg8598 = msg("6151", dup205); - -var msg8599 = msg("6152", dup205); - -var msg8600 = msg("6153", dup205); - -var msg8601 = msg("6154", dup205); - -var msg8602 = msg("6155", dup205); - -var msg8603 = msg("6156", dup205); - -var msg8604 = msg("6157", dup205); - -var msg8605 = msg("6158", dup205); - -var msg8606 = msg("6159", dup205); - -var msg8607 = msg("6160", dup205); - -var msg8608 = msg("6161", dup205); - -var msg8609 = msg("6162", dup205); - -var msg8610 = msg("6163", dup205); - -var msg8611 = msg("6164", dup205); - -var msg8612 = msg("6165", dup205); - -var msg8613 = msg("6166", dup205); - -var msg8614 = msg("6167", dup205); - -var msg8615 = msg("6168", dup205); - -var msg8616 = msg("6169", dup205); - -var msg8617 = msg("6170", dup205); - -var msg8618 = msg("6171", dup205); - -var msg8619 = msg("6172", dup205); - -var msg8620 = msg("6173", dup205); - -var msg8621 = msg("6174", dup205); - -var msg8622 = msg("6175", dup205); - -var msg8623 = msg("6176", dup205); - -var msg8624 = msg("6177", dup205); - -var msg8625 = msg("6178", dup205); - -var msg8626 = msg("6179", dup205); - -var msg8627 = msg("6180", dup205); - -var msg8628 = msg("6181", dup205); - -var msg8629 = msg("6182", dup196); - -var msg8630 = msg("6183", dup303); - -var msg8631 = msg("6184", dup303); - -var msg8632 = msg("6185", dup303); - -var msg8633 = msg("6186", dup303); - -var msg8634 = msg("6187", dup303); - -var msg8635 = msg("6188", dup303); - -var msg8636 = msg("6189", dup303); - -var msg8637 = msg("6190", dup303); - -var msg8638 = msg("6191", dup303); - -var msg8639 = msg("6192", dup303); - -var msg8640 = msg("6193", dup303); - -var msg8641 = msg("6194", dup303); - -var msg8642 = msg("6195", dup303); - -var msg8643 = msg("6196", dup303); - -var msg8644 = msg("6197", dup303); - -var msg8645 = msg("6198", dup303); - -var msg8646 = msg("6199", dup303); - -var msg8647 = msg("6200", dup303); - -var msg8648 = msg("6201", dup303); - -var msg8649 = msg("6202", dup303); - 
-var msg8650 = msg("6203", dup303); - -var msg8651 = msg("6204", dup303); - -var msg8652 = msg("6205", dup303); - -var msg8653 = msg("6206", dup303); - -var msg8654 = msg("6207", dup303); - -var msg8655 = msg("6208", dup303); - -var msg8656 = msg("6209", dup303); - -var msg8657 = msg("6210", dup303); - -var msg8658 = msg("6211", dup303); - -var msg8659 = msg("6212", dup303); - -var msg8660 = msg("6213", dup303); - -var msg8661 = msg("6214", dup303); - -var msg8662 = msg("6215", dup303); - -var msg8663 = msg("6216", dup303); - -var msg8664 = msg("6217", dup303); - -var msg8665 = msg("6218", dup303); - -var msg8666 = msg("6219", dup303); - -var msg8667 = msg("6220", dup303); - -var msg8668 = msg("6221", dup303); - -var msg8669 = msg("6222", dup303); - -var msg8670 = msg("6223", dup303); - -var msg8671 = msg("6224", dup303); - -var msg8672 = msg("6225", dup303); - -var msg8673 = msg("6226", dup303); - -var msg8674 = msg("6227", dup303); - -var msg8675 = msg("6228", dup303); - -var msg8676 = msg("6229", dup303); - -var msg8677 = msg("6230", dup303); - -var msg8678 = msg("6231", dup303); - -var msg8679 = msg("6232", dup303); - -var msg8680 = msg("6233", dup303); - -var msg8681 = msg("6234", dup303); - -var msg8682 = msg("6235", dup303); - -var msg8683 = msg("6236", dup303); - -var msg8684 = msg("6237", dup303); - -var msg8685 = msg("6238", dup303); - -var msg8686 = msg("6239", dup303); - -var msg8687 = msg("6240", dup303); - -var msg8688 = msg("6241", dup303); - -var msg8689 = msg("6242", dup303); - -var msg8690 = msg("6243", dup303); - -var msg8691 = msg("6244", dup303); - -var msg8692 = msg("6245", dup303); - -var msg8693 = msg("6246", dup303); - -var msg8694 = msg("6247", dup303); - -var msg8695 = msg("6248", dup303); - -var msg8696 = msg("6249", dup303); - -var msg8697 = msg("6250", dup303); - -var msg8698 = msg("6251", dup303); - -var msg8699 = msg("6252", dup303); - -var msg8700 = msg("6253", dup303); - -var msg8701 = msg("6254", dup303); - -var msg8702 = 
msg("6255", dup303); - -var msg8703 = msg("6256", dup303); - -var msg8704 = msg("6257", dup303); - -var msg8705 = msg("6258", dup303); - -var msg8706 = msg("6259", dup303); - -var msg8707 = msg("6260", dup303); - -var msg8708 = msg("6261", dup303); - -var msg8709 = msg("6262", dup303); - -var msg8710 = msg("6263", dup303); - -var msg8711 = msg("6264", dup303); - -var msg8712 = msg("6265", dup303); - -var msg8713 = msg("6266", dup303); - -var msg8714 = msg("6267", dup303); - -var msg8715 = msg("6268", dup303); - -var msg8716 = msg("6269", dup303); - -var msg8717 = msg("6270", dup303); - -var msg8718 = msg("6271", dup303); - -var msg8719 = msg("6272", dup303); - -var msg8720 = msg("6273", dup303); - -var msg8721 = msg("6274", dup303); - -var msg8722 = msg("6275", dup303); - -var msg8723 = msg("6276", dup303); - -var msg8724 = msg("6277", dup303); - -var msg8725 = msg("6278", dup303); - -var msg8726 = msg("6279", dup303); - -var msg8727 = msg("6280", dup303); - -var msg8728 = msg("6281", dup303); - -var msg8729 = msg("6282", dup303); - -var msg8730 = msg("6283", dup303); - -var msg8731 = msg("6284", dup303); - -var msg8732 = msg("6285", dup205); - -var msg8733 = msg("6286", dup205); - -var msg8734 = msg("6287", dup205); - -var msg8735 = msg("6288", dup205); - -var msg8736 = msg("6289", dup205); - -var msg8737 = msg("6290", dup205); - -var msg8738 = msg("6291", dup205); - -var msg8739 = msg("6292", dup205); - -var msg8740 = msg("6293", dup205); - -var msg8741 = msg("6294", dup205); - -var msg8742 = msg("6295", dup205); - -var msg8743 = msg("6296", dup205); - -var msg8744 = msg("6297", dup205); - -var msg8745 = msg("6298", dup205); - -var msg8746 = msg("6299", dup205); - -var msg8747 = msg("6300", dup205); - -var msg8748 = msg("6301", dup205); - -var msg8749 = msg("6302", dup205); - -var msg8750 = msg("6303", dup205); - -var msg8751 = msg("6304", dup205); - -var msg8752 = msg("6305", dup205); - -var msg8753 = msg("6306", dup205); - -var msg8754 = msg("6307", dup205); - 
-var msg8755 = msg("6308", dup205); - -var msg8756 = msg("6309", dup205); - -var msg8757 = msg("6310", dup205); - -var msg8758 = msg("6311", dup205); - -var msg8759 = msg("6312", dup205); - -var msg8760 = msg("6313", dup205); - -var msg8761 = msg("6314", dup205); - -var msg8762 = msg("6315", dup205); - -var msg8763 = msg("6316", dup205); - -var msg8764 = msg("6317", dup205); - -var msg8765 = msg("6318", dup205); - -var msg8766 = msg("6319", dup205); - -var msg8767 = msg("6320", dup205); - -var msg8768 = msg("6321", dup205); - -var msg8769 = msg("6322", dup205); - -var msg8770 = msg("6323", dup205); - -var msg8771 = msg("6324", dup205); - -var msg8772 = msg("6325", dup205); - -var msg8773 = msg("6326", dup205); - -var msg8774 = msg("6327", dup205); - -var msg8775 = msg("6328", dup205); - -var msg8776 = msg("6329", dup205); - -var msg8777 = msg("6330", dup205); - -var msg8778 = msg("6331", dup205); - -var msg8779 = msg("6332", dup205); - -var msg8780 = msg("6333", dup205); - -var msg8781 = msg("6334", dup205); - -var msg8782 = msg("6335", dup205); - -var msg8783 = msg("6336", dup205); - -var msg8784 = msg("6337", dup205); - -var msg8785 = msg("6338", dup205); - -var msg8786 = msg("6339", dup205); - -var msg8787 = msg("6340", dup303); - -var msg8788 = msg("6341", dup303); - -var msg8789 = msg("6342", dup303); - -var msg8790 = msg("6343", dup303); - -var msg8791 = msg("6344", dup303); - -var msg8792 = msg("6345", dup303); - -var msg8793 = msg("6346", dup303); - -var msg8794 = msg("6347", dup303); - -var msg8795 = msg("6348", dup303); - -var msg8796 = msg("6349", dup303); - -var msg8797 = msg("6350", dup303); - -var msg8798 = msg("6351", dup303); - -var msg8799 = msg("6352", dup303); - -var msg8800 = msg("6353", dup303); - -var msg8801 = msg("6354", dup303); - -var msg8802 = msg("6355", dup303); - -var msg8803 = msg("6356", dup303); - -var msg8804 = msg("6357", dup303); - -var msg8805 = msg("6358", dup303); - -var msg8806 = msg("6359", dup303); - -var msg8807 = 
msg("6360", dup303); - -var msg8808 = msg("6361", dup303); - -var msg8809 = msg("6362", dup303); - -var msg8810 = msg("6363", dup303); - -var msg8811 = msg("6364", dup303); - -var msg8812 = msg("6365", dup303); - -var msg8813 = msg("6366", dup303); - -var msg8814 = msg("6367", dup303); - -var msg8815 = msg("6368", dup303); - -var msg8816 = msg("6369", dup303); - -var msg8817 = msg("6370", dup303); - -var msg8818 = msg("6371", dup303); - -var msg8819 = msg("6372", dup303); - -var msg8820 = msg("6373", dup303); - -var msg8821 = msg("6374", dup303); - -var msg8822 = msg("6375", dup303); - -var msg8823 = msg("6376", dup303); - -var msg8824 = msg("6377", dup303); - -var msg8825 = msg("6378", dup303); - -var msg8826 = msg("6379", dup303); - -var msg8827 = msg("6380", dup303); - -var msg8828 = msg("6381", dup303); - -var msg8829 = msg("6382", dup303); - -var msg8830 = msg("6383", dup303); - -var msg8831 = msg("6384", dup303); - -var msg8832 = msg("6385", dup303); - -var msg8833 = msg("6386", dup303); - -var msg8834 = msg("6387", dup303); - -var msg8835 = msg("6388", dup303); - -var msg8836 = msg("6389", dup303); - -var msg8837 = msg("6390", dup303); - -var msg8838 = msg("6391", dup303); - -var msg8839 = msg("6392", dup303); - -var msg8840 = msg("6393", dup303); - -var msg8841 = msg("6394", dup303); - -var msg8842 = msg("6395", dup205); - -var msg8843 = msg("6396", dup205); - -var msg8844 = msg("6397", dup205); - -var msg8845 = msg("6398", dup205); - -var msg8846 = msg("6399", dup205); - -var msg8847 = msg("6400", dup205); - -var msg8848 = msg("6401", dup205); - -var msg8849 = msg("6402", dup205); - -var msg8850 = msg("6403", dup269); - -var msg8851 = msg("6404", dup196); - -var msg8852 = msg("6405", dup222); - -var msg8853 = msg("6406", dup196); - -var msg8854 = msg("6407", dup196); - -var msg8855 = msg("6408", dup196); - -var msg8856 = msg("6409", dup267); - -var msg8857 = msg("6410", dup267); - -var msg8858 = msg("6411", dup267); - -var msg8859 = msg("6412", dup250); - 
-var msg8860 = msg("6413", dup250); - -var msg8861 = msg("6414", dup267); - -var msg8862 = msg("6415", dup276); - -var msg8863 = msg("6416", dup276); - -var msg8864 = msg("6417", dup276); - -var msg8865 = msg("6418", dup276); - -var msg8866 = msg("6419", dup276); - -var msg8867 = msg("6420", dup276); - -var msg8868 = msg("6421", dup276); - -var msg8869 = msg("6422", dup276); - -var msg8870 = msg("6423", dup276); - -var msg8871 = msg("6424", dup276); - -var msg8872 = msg("6425", dup276); - -var msg8873 = msg("6426", dup276); - -var msg8874 = msg("6427", dup276); - -var msg8875 = msg("6428", dup276); - -var msg8876 = msg("6429", dup276); - -var msg8877 = msg("6430", dup276); - -var msg8878 = msg("6431", dup276); - -var msg8879 = msg("6432", dup276); - -var msg8880 = msg("6433", dup276); - -var msg8881 = msg("6434", dup276); - -var msg8882 = msg("6435", dup276); - -var msg8883 = msg("6436", dup276); - -var msg8884 = msg("6437", dup276); - -var msg8885 = msg("6438", dup276); - -var msg8886 = msg("6439", dup276); - -var msg8887 = msg("6440", dup276); - -var msg8888 = msg("6441", dup276); - -var msg8889 = msg("6442", dup276); - -var msg8890 = msg("6443", dup276); - -var msg8891 = msg("6444", dup276); - -var msg8892 = msg("6445", dup276); - -var msg8893 = msg("6446", dup276); - -var msg8894 = msg("6447", dup276); - -var msg8895 = msg("6448", dup276); - -var msg8896 = msg("6449", dup276); - -var msg8897 = msg("6450", dup276); - -var msg8898 = msg("6451", dup276); - -var msg8899 = msg("6452", dup276); - -var msg8900 = msg("6453", dup276); - -var msg8901 = msg("6454", dup276); - -var msg8902 = msg("6455", dup276); - -var msg8903 = msg("6456", dup276); - -var msg8904 = msg("6457", dup276); - -var msg8905 = msg("6458", dup276); - -var msg8906 = msg("6459", dup276); - -var msg8907 = msg("6460", dup276); - -var msg8908 = msg("6461", dup276); - -var msg8909 = msg("6462", dup276); - -var msg8910 = msg("6463", dup276); - -var msg8911 = msg("6464", dup276); - -var msg8912 = 
msg("6465", dup276); - -var msg8913 = msg("6466", dup276); - -var msg8914 = msg("6467", dup196); - -var msg8915 = msg("6468", dup196); - -var msg8916 = msg("6469", dup196); - -var msg8917 = msg("6470", dup196); - -var msg8918 = msg("6471", dup285); - -var msg8919 = msg("6472", dup205); - -var msg8920 = msg("6473", dup205); - -var msg8921 = msg("6474", dup205); - -var msg8922 = msg("6475", dup205); - -var msg8923 = msg("6476", dup205); - -var msg8924 = msg("6477", dup303); - -var msg8925 = msg("6478", dup303); - -var msg8926 = msg("6479", dup303); - -var msg8927 = msg("6480", dup303); - -var msg8928 = msg("6481", dup303); - -var msg8929 = msg("6482", dup303); - -var msg8930 = msg("6483", dup303); - -var msg8931 = msg("6484", dup303); - -var msg8932 = msg("6485", dup303); - -var msg8933 = msg("6486", dup303); - -var msg8934 = msg("6487", dup303); - -var msg8935 = msg("6488", dup303); - -var msg8936 = msg("6489", dup303); - -var msg8937 = msg("6490", dup303); - -var msg8938 = msg("6491", dup303); - -var msg8939 = msg("6492", dup205); - -var msg8940 = msg("6493", dup205); - -var msg8941 = msg("6494", dup303); - -var msg8942 = msg("6495", dup303); - -var msg8943 = msg("6496", dup303); - -var msg8944 = msg("6497", dup205); - -var msg8945 = msg("6498", dup205); - -var msg8946 = msg("6499", dup205); - -var msg8947 = msg("6500", dup205); - -var msg8948 = msg("6501", dup205); - -var msg8949 = msg("6502", dup197); - -var msg8950 = msg("6503", dup197); - -var msg8951 = msg("6504", dup194); - -var msg8952 = msg("6505", dup267); - -var msg8953 = msg("6506", dup267); - -var msg8954 = msg("6507", dup267); - -var msg8955 = msg("6508", dup222); - -var msg8956 = msg("6509", dup267); - -var msg8957 = msg("6510", dup267); - -var msg8958 = msg("6511", dup267); - -var msg8959 = msg("6512", dup194); - -var msg8960 = msg("6513", dup222); - -var msg8961 = msg("6514", dup222); - -var msg8962 = msg("6515", dup222); - -var msg8963 = msg("6516", dup265); - -var msg8964 = msg("6517", dup265); - 
-var msg8965 = msg("6518", dup265); - -var msg8966 = msg("6519", dup265); - -var msg8967 = msg("6520", dup276); - -var msg8968 = msg("6521", dup276); - -var msg8969 = msg("6522", dup276); - -var msg8970 = msg("6523", dup276); - -var msg8971 = msg("6524", dup276); - -var msg8972 = msg("6525", dup276); - -var msg8973 = msg("6526", dup276); - -var msg8974 = msg("6527", dup276); - -var msg8975 = msg("6528", dup276); - -var msg8976 = msg("6529", dup276); - -var msg8977 = msg("6530", dup276); - -var msg8978 = msg("6531", dup276); - -var msg8979 = msg("6532", dup276); - -var msg8980 = msg("6533", dup276); - -var msg8981 = msg("6534", dup276); - -var msg8982 = msg("6535", dup276); - -var msg8983 = msg("6536", dup276); - -var msg8984 = msg("6537", dup276); - -var msg8985 = msg("6538", dup276); - -var msg8986 = msg("6539", dup276); - -var msg8987 = msg("6540", dup276); - -var msg8988 = msg("6541", dup276); - -var msg8989 = msg("6542", dup276); - -var msg8990 = msg("6543", dup276); - -var msg8991 = msg("6544", dup276); - -var msg8992 = msg("6545", dup276); - -var msg8993 = msg("6546", dup276); - -var msg8994 = msg("6547", dup276); - -var msg8995 = msg("6548", dup276); - -var msg8996 = msg("6549", dup276); - -var msg8997 = msg("6550", dup276); - -var msg8998 = msg("6551", dup276); - -var msg8999 = msg("6552", dup276); - -var msg9000 = msg("6553", dup276); - -var msg9001 = msg("6554", dup276); - -var msg9002 = msg("6555", dup276); - -var msg9003 = msg("6556", dup276); - -var msg9004 = msg("6557", dup276); - -var msg9005 = msg("6558", dup276); - -var msg9006 = msg("6559", dup276); - -var msg9007 = msg("6560", dup276); - -var msg9008 = msg("6561", dup276); - -var msg9009 = msg("6562", dup276); - -var msg9010 = msg("6563", dup276); - -var msg9011 = msg("6564", dup276); - -var msg9012 = msg("6565", dup276); - -var msg9013 = msg("6566", dup276); - -var msg9014 = msg("6567", dup276); - -var msg9015 = msg("6568", dup276); - -var msg9016 = msg("6569", dup276); - -var msg9017 = 
msg("6570", dup276); - -var msg9018 = msg("6571", dup276); - -var msg9019 = msg("6572", dup276); - -var msg9020 = msg("6573", dup276); - -var msg9021 = msg("6574", dup276); - -var msg9022 = msg("6575", dup276); - -var msg9023 = msg("6576", dup276); - -var msg9024 = msg("6577", dup276); - -var msg9025 = msg("6578", dup276); - -var msg9026 = msg("6579", dup276); - -var msg9027 = msg("6580", dup276); - -var msg9028 = msg("6581", dup276); - -var msg9029 = msg("6582", dup276); - -var msg9030 = msg("6583", dup276); - -var msg9031 = msg("6584", dup276); - -var msg9032 = msg("6585", dup276); - -var msg9033 = msg("6586", dup276); - -var msg9034 = msg("6587", dup276); - -var msg9035 = msg("6588", dup276); - -var msg9036 = msg("6589", dup276); - -var msg9037 = msg("6590", dup276); - -var msg9038 = msg("6591", dup276); - -var msg9039 = msg("6592", dup276); - -var msg9040 = msg("6593", dup276); - -var msg9041 = msg("6594", dup276); - -var msg9042 = msg("6595", dup276); - -var msg9043 = msg("6596", dup276); - -var msg9044 = msg("6597", dup276); - -var msg9045 = msg("6598", dup276); - -var msg9046 = msg("6599", dup276); - -var msg9047 = msg("6600", dup276); - -var msg9048 = msg("6601", dup276); - -var msg9049 = msg("6602", dup276); - -var msg9050 = msg("6603", dup276); - -var msg9051 = msg("6604", dup276); - -var msg9052 = msg("6605", dup276); - -var msg9053 = msg("6606", dup276); - -var msg9054 = msg("6607", dup276); - -var msg9055 = msg("6608", dup276); - -var msg9056 = msg("6609", dup276); - -var msg9057 = msg("6610", dup276); - -var msg9058 = msg("6611", dup276); - -var msg9059 = msg("6612", dup276); - -var msg9060 = msg("6613", dup276); - -var msg9061 = msg("6614", dup276); - -var msg9062 = msg("6615", dup276); - -var msg9063 = msg("6616", dup276); - -var msg9064 = msg("6617", dup276); - -var msg9065 = msg("6618", dup276); - -var msg9066 = msg("6619", dup276); - -var msg9067 = msg("6620", dup276); - -var msg9068 = msg("6621", dup276); - -var msg9069 = msg("6622", dup276); - 
-var msg9070 = msg("6623", dup276); - -var msg9071 = msg("6624", dup276); - -var msg9072 = msg("6625", dup276); - -var msg9073 = msg("6626", dup276); - -var msg9074 = msg("6627", dup276); - -var msg9075 = msg("6628", dup276); - -var msg9076 = msg("6629", dup276); - -var msg9077 = msg("6630", dup276); - -var msg9078 = msg("6631", dup276); - -var msg9079 = msg("6632", dup276); - -var msg9080 = msg("6633", dup276); - -var msg9081 = msg("6634", dup276); - -var msg9082 = msg("6635", dup276); - -var msg9083 = msg("6636", dup276); - -var msg9084 = msg("6637", dup276); - -var msg9085 = msg("6638", dup276); - -var msg9086 = msg("6639", dup276); - -var msg9087 = msg("6640", dup276); - -var msg9088 = msg("6641", dup276); - -var msg9089 = msg("6642", dup276); - -var msg9090 = msg("6643", dup276); - -var msg9091 = msg("6644", dup276); - -var msg9092 = msg("6645", dup276); - -var msg9093 = msg("6646", dup276); - -var msg9094 = msg("6647", dup276); - -var msg9095 = msg("6648", dup276); - -var msg9096 = msg("6649", dup276); - -var msg9097 = msg("6650", dup276); - -var msg9098 = msg("6651", dup276); - -var msg9099 = msg("6652", dup276); - -var msg9100 = msg("6653", dup276); - -var msg9101 = msg("6654", dup276); - -var msg9102 = msg("6655", dup276); - -var msg9103 = msg("6656", dup276); - -var msg9104 = msg("6657", dup276); - -var msg9105 = msg("6658", dup276); - -var msg9106 = msg("6659", dup276); - -var msg9107 = msg("6660", dup276); - -var msg9108 = msg("6661", dup276); - -var msg9109 = msg("6662", dup276); - -var msg9110 = msg("6663", dup276); - -var msg9111 = msg("6664", dup276); - -var msg9112 = msg("6665", dup276); - -var msg9113 = msg("6666", dup276); - -var msg9114 = msg("6667", dup276); - -var msg9115 = msg("6668", dup276); - -var msg9116 = msg("6669", dup276); - -var msg9117 = msg("6670", dup276); - -var msg9118 = msg("6671", dup276); - -var msg9119 = msg("6672", dup276); - -var msg9120 = msg("6673", dup276); - -var msg9121 = msg("6674", dup276); - -var msg9122 = 
msg("6675", dup276); - -var msg9123 = msg("6676", dup276); - -var msg9124 = msg("6677", dup276); - -var msg9125 = msg("6678", dup276); - -var msg9126 = msg("6679", dup276); - -var msg9127 = msg("6680", dup265); - -var msg9128 = msg("6681", dup265); - -var msg9129 = msg("6682", dup265); - -var msg9130 = msg("6683", dup265); - -var msg9131 = msg("6684", dup265); - -var msg9132 = msg("6685", dup265); - -var msg9133 = msg("6686", dup265); - -var msg9134 = msg("6687", dup265); - -var msg9135 = msg("6688", dup196); - -var msg9136 = msg("6689", dup267); - -var msg9137 = msg("6690", dup267); - -var msg9138 = msg("6691", dup267); - -var msg9139 = msg("6692", dup267); - -var msg9140 = msg("6693", dup267); - -var msg9141 = msg("6694", dup267); - -var msg9142 = msg("6695", dup267); - -var msg9143 = msg("6696", dup267); - -var msg9144 = msg("6697", dup267); - -var msg9145 = msg("6698", dup267); - -var msg9146 = msg("6699", dup267); - -var msg9147 = msg("6700", dup304); - -var msg9148 = msg("6701", dup267); - -var msg9149 = msg("6702", dup276); - -var msg9150 = msg("6703", dup276); - -var msg9151 = msg("6704", dup276); - -var msg9152 = msg("6705", dup276); - -var msg9153 = msg("6706", dup276); - -var msg9154 = msg("6707", dup276); - -var msg9155 = msg("6708", dup276); - -var msg9156 = msg("6709", dup276); - -var msg9157 = msg("6710", dup276); - -var msg9158 = msg("6711", dup276); - -var msg9159 = msg("6712", dup276); - -var msg9160 = msg("6713", dup276); - -var msg9161 = msg("6714", dup276); - -var msg9162 = msg("6715", dup276); - -var msg9163 = msg("6716", dup276); - -var msg9164 = msg("6717", dup276); - -var msg9165 = msg("6718", dup276); - -var msg9166 = msg("6719", dup276); - -var msg9167 = msg("6720", dup276); - -var msg9168 = msg("6721", dup276); - -var msg9169 = msg("6722", dup276); - -var msg9170 = msg("6723", dup276); - -var msg9171 = msg("6724", dup276); - -var msg9172 = msg("6725", dup276); - -var msg9173 = msg("6726", dup276); - -var msg9174 = msg("6727", dup276); - 
-var msg9175 = msg("6728", dup276); - -var msg9176 = msg("6729", dup276); - -var msg9177 = msg("6730", dup276); - -var msg9178 = msg("6731", dup276); - -var msg9179 = msg("6732", dup276); - -var msg9180 = msg("6733", dup276); - -var msg9181 = msg("6734", dup276); - -var msg9182 = msg("6735", dup276); - -var msg9183 = msg("6736", dup276); - -var msg9184 = msg("6737", dup276); - -var msg9185 = msg("6738", dup276); - -var msg9186 = msg("6739", dup276); - -var msg9187 = msg("6740", dup276); - -var msg9188 = msg("6741", dup276); - -var msg9189 = msg("6742", dup276); - -var msg9190 = msg("6743", dup276); - -var msg9191 = msg("6744", dup276); - -var msg9192 = msg("6745", dup276); - -var msg9193 = msg("6746", dup276); - -var msg9194 = msg("6747", dup276); - -var msg9195 = msg("6748", dup276); - -var msg9196 = msg("6749", dup276); - -var msg9197 = msg("6750", dup276); - -var msg9198 = msg("6751", dup276); - -var msg9199 = msg("6752", dup276); - -var msg9200 = msg("6753", dup276); - -var msg9201 = msg("6754", dup276); - -var msg9202 = msg("6755", dup276); - -var msg9203 = msg("6756", dup276); - -var msg9204 = msg("6757", dup276); - -var msg9205 = msg("6758", dup276); - -var msg9206 = msg("6759", dup276); - -var msg9207 = msg("6760", dup276); - -var msg9208 = msg("6761", dup276); - -var msg9209 = msg("6762", dup276); - -var msg9210 = msg("6763", dup276); - -var msg9211 = msg("6764", dup276); - -var msg9212 = msg("6765", dup276); - -var msg9213 = msg("6766", dup276); - -var msg9214 = msg("6767", dup276); - -var msg9215 = msg("6768", dup276); - -var msg9216 = msg("6769", dup276); - -var msg9217 = msg("6770", dup276); - -var msg9218 = msg("6771", dup276); - -var msg9219 = msg("6772", dup276); - -var msg9220 = msg("6773", dup276); - -var msg9221 = msg("6774", dup276); - -var msg9222 = msg("6775", dup276); - -var msg9223 = msg("6776", dup276); - -var msg9224 = msg("6777", dup276); - -var msg9225 = msg("6778", dup276); - -var msg9226 = msg("6779", dup276); - -var msg9227 = 
msg("6780", dup276); - -var msg9228 = msg("6781", dup276); - -var msg9229 = msg("6782", dup276); - -var msg9230 = msg("6783", dup276); - -var msg9231 = msg("6784", dup276); - -var msg9232 = msg("6785", dup276); - -var msg9233 = msg("6786", dup276); - -var msg9234 = msg("6787", dup276); - -var msg9235 = msg("6788", dup276); - -var msg9236 = msg("6789", dup276); - -var msg9237 = msg("6790", dup276); - -var msg9238 = msg("6791", dup276); - -var msg9239 = msg("6792", dup276); - -var msg9240 = msg("6793", dup276); - -var msg9241 = msg("6794", dup276); - -var msg9242 = msg("6795", dup276); - -var msg9243 = msg("6796", dup276); - -var msg9244 = msg("6797", dup276); - -var msg9245 = msg("6798", dup276); - -var msg9246 = msg("6799", dup276); - -var msg9247 = msg("6800", dup276); - -var msg9248 = msg("6801", dup276); - -var msg9249 = msg("6802", dup276); - -var msg9250 = msg("6803", dup276); - -var msg9251 = msg("6804", dup276); - -var msg9252 = msg("6805", dup276); - -var msg9253 = msg("6806", dup276); - -var msg9254 = msg("6807", dup276); - -var msg9255 = msg("6808", dup276); - -var msg9256 = msg("6809", dup276); - -var msg9257 = msg("6810", dup276); - -var msg9258 = msg("6811", dup276); - -var msg9259 = msg("6812", dup276); - -var msg9260 = msg("6813", dup276); - -var msg9261 = msg("6814", dup276); - -var msg9262 = msg("6815", dup276); - -var msg9263 = msg("6816", dup276); - -var msg9264 = msg("6817", dup276); - -var msg9265 = msg("6818", dup276); - -var msg9266 = msg("6819", dup276); - -var msg9267 = msg("6820", dup276); - -var msg9268 = msg("6821", dup276); - -var msg9269 = msg("6822", dup276); - -var msg9270 = msg("6823", dup276); - -var msg9271 = msg("6824", dup276); - -var msg9272 = msg("6825", dup276); - -var msg9273 = msg("6826", dup276); - -var msg9274 = msg("6827", dup276); - -var msg9275 = msg("6828", dup276); - -var msg9276 = msg("6829", dup276); - -var msg9277 = msg("6830", dup276); - -var msg9278 = msg("6831", dup276); - -var msg9279 = msg("6832", dup276); - 
-var msg9280 = msg("6833", dup276); - -var msg9281 = msg("6834", dup276); - -var msg9282 = msg("6835", dup276); - -var msg9283 = msg("6836", dup276); - -var msg9284 = msg("6837", dup276); - -var msg9285 = msg("6838", dup276); - -var msg9286 = msg("6839", dup276); - -var msg9287 = msg("6840", dup276); - -var msg9288 = msg("6841", dup276); - -var msg9289 = msg("6842", dup276); - -var msg9290 = msg("6843", dup276); - -var msg9291 = msg("6844", dup276); - -var msg9292 = msg("6845", dup276); - -var msg9293 = msg("6846", dup276); - -var msg9294 = msg("6847", dup276); - -var msg9295 = msg("6848", dup276); - -var msg9296 = msg("6849", dup276); - -var msg9297 = msg("6850", dup276); - -var msg9298 = msg("6851", dup276); - -var msg9299 = msg("6852", dup276); - -var msg9300 = msg("6853", dup276); - -var msg9301 = msg("6854", dup276); - -var msg9302 = msg("6855", dup276); - -var msg9303 = msg("6856", dup276); - -var msg9304 = msg("6857", dup276); - -var msg9305 = msg("6858", dup276); - -var msg9306 = msg("6859", dup276); - -var msg9307 = msg("6860", dup276); - -var msg9308 = msg("6861", dup276); - -var msg9309 = msg("6862", dup276); - -var msg9310 = msg("6863", dup276); - -var msg9311 = msg("6864", dup276); - -var msg9312 = msg("6865", dup276); - -var msg9313 = msg("6866", dup276); - -var msg9314 = msg("6867", dup276); - -var msg9315 = msg("6868", dup276); - -var msg9316 = msg("6869", dup276); - -var msg9317 = msg("6870", dup276); - -var msg9318 = msg("6871", dup276); - -var msg9319 = msg("6872", dup276); - -var msg9320 = msg("6873", dup276); - -var msg9321 = msg("6874", dup276); - -var msg9322 = msg("6875", dup276); - -var msg9323 = msg("6876", dup276); - -var msg9324 = msg("6877", dup276); - -var msg9325 = msg("6878", dup276); - -var msg9326 = msg("6879", dup276); - -var msg9327 = msg("6880", dup276); - -var msg9328 = msg("6881", dup276); - -var msg9329 = msg("6882", dup276); - -var msg9330 = msg("6883", dup276); - -var msg9331 = msg("6884", dup276); - -var msg9332 = 
msg("6885", dup276); - -var msg9333 = msg("6886", dup276); - -var msg9334 = msg("6887", dup276); - -var msg9335 = msg("6888", dup276); - -var msg9336 = msg("6889", dup276); - -var msg9337 = msg("6890", dup276); - -var msg9338 = msg("6891", dup276); - -var msg9339 = msg("6892", dup276); - -var msg9340 = msg("6893", dup276); - -var msg9341 = msg("6894", dup276); - -var msg9342 = msg("6895", dup276); - -var msg9343 = msg("6896", dup276); - -var msg9344 = msg("6897", dup276); - -var msg9345 = msg("6898", dup276); - -var msg9346 = msg("6899", dup276); - -var msg9347 = msg("6900", dup276); - -var msg9348 = msg("6901", dup276); - -var msg9349 = msg("6902", dup276); - -var msg9350 = msg("6903", dup276); - -var msg9351 = msg("6904", dup276); - -var msg9352 = msg("6905", dup276); - -var msg9353 = msg("6906", dup276); - -var msg9354 = msg("6907", dup276); - -var msg9355 = msg("6908", dup276); - -var msg9356 = msg("6909", dup276); - -var msg9357 = msg("6910", dup276); - -var msg9358 = msg("6911", dup276); - -var msg9359 = msg("6912", dup276); - -var msg9360 = msg("6913", dup276); - -var msg9361 = msg("6914", dup276); - -var msg9362 = msg("6915", dup276); - -var msg9363 = msg("6916", dup276); - -var msg9364 = msg("6917", dup276); - -var msg9365 = msg("6918", dup276); - -var msg9366 = msg("6919", dup276); - -var msg9367 = msg("6920", dup276); - -var msg9368 = msg("6921", dup276); - -var msg9369 = msg("6922", dup276); - -var msg9370 = msg("6923", dup276); - -var msg9371 = msg("6924", dup276); - -var msg9372 = msg("6925", dup276); - -var msg9373 = msg("6926", dup276); - -var msg9374 = msg("6927", dup276); - -var msg9375 = msg("6928", dup276); - -var msg9376 = msg("6929", dup276); - -var msg9377 = msg("6930", dup276); - -var msg9378 = msg("6931", dup276); - -var msg9379 = msg("6932", dup276); - -var msg9380 = msg("6933", dup276); - -var msg9381 = msg("6934", dup276); - -var msg9382 = msg("6935", dup276); - -var msg9383 = msg("6936", dup276); - -var msg9384 = msg("6937", dup276); - 
-var msg9385 = msg("6938", dup276); - -var msg9386 = msg("6939", dup276); - -var msg9387 = msg("6940", dup276); - -var msg9388 = msg("6941", dup276); - -var msg9389 = msg("6942", dup276); - -var msg9390 = msg("6943", dup276); - -var msg9391 = msg("6944", dup276); - -var msg9392 = msg("6945", dup276); - -var msg9393 = msg("6946", dup276); - -var msg9394 = msg("6947", dup276); - -var msg9395 = msg("6948", dup276); - -var msg9396 = msg("6949", dup276); - -var msg9397 = msg("6950", dup276); - -var msg9398 = msg("6951", dup276); - -var msg9399 = msg("6952", dup276); - -var msg9400 = msg("6953", dup276); - -var msg9401 = msg("6954", dup276); - -var msg9402 = msg("6955", dup276); - -var msg9403 = msg("6956", dup276); - -var msg9404 = msg("6957", dup276); - -var msg9405 = msg("6958", dup276); - -var msg9406 = msg("6959", dup276); - -var msg9407 = msg("6960", dup276); - -var msg9408 = msg("6961", dup276); - -var msg9409 = msg("6962", dup276); - -var msg9410 = msg("6963", dup276); - -var msg9411 = msg("6964", dup276); - -var msg9412 = msg("6965", dup276); - -var msg9413 = msg("6966", dup276); - -var msg9414 = msg("6967", dup276); - -var msg9415 = msg("6968", dup276); - -var msg9416 = msg("6969", dup276); - -var msg9417 = msg("6970", dup276); - -var msg9418 = msg("6971", dup276); - -var msg9419 = msg("6972", dup276); - -var msg9420 = msg("6973", dup276); - -var msg9421 = msg("6974", dup276); - -var msg9422 = msg("6975", dup276); - -var msg9423 = msg("6976", dup276); - -var msg9424 = msg("6977", dup276); - -var msg9425 = msg("6978", dup276); - -var msg9426 = msg("6979", dup276); - -var msg9427 = msg("6980", dup276); - -var msg9428 = msg("6981", dup276); - -var msg9429 = msg("6982", dup276); - -var msg9430 = msg("6983", dup276); - -var msg9431 = msg("6984", dup276); - -var msg9432 = msg("6985", dup276); - -var msg9433 = msg("6986", dup276); - -var msg9434 = msg("6987", dup276); - -var msg9435 = msg("6988", dup276); - -var msg9436 = msg("6989", dup276); - -var msg9437 = 
msg("6990", dup276); - -var msg9438 = msg("6991", dup276); - -var msg9439 = msg("6992", dup276); - -var msg9440 = msg("6993", dup276); - -var msg9441 = msg("6994", dup276); - -var msg9442 = msg("6995", dup276); - -var msg9443 = msg("6996", dup276); - -var msg9444 = msg("6997", dup276); - -var msg9445 = msg("6998", dup276); - -var msg9446 = msg("6999", dup276); - -var msg9447 = msg("7000", dup276); - -var msg9448 = msg("7001", dup276); - -var msg9449 = msg("7002", dup267); - -var msg9450 = msg("7003", dup265); - -var msg9451 = msg("7004", dup265); - -var msg9452 = msg("7005", dup265); - -var msg9453 = msg("7006", dup265); - -var msg9454 = msg("7007", dup265); - -var msg9455 = msg("7008", dup265); - -var msg9456 = msg("7009", dup265); - -var msg9457 = msg("7010", dup265); - -var msg9458 = msg("7011", dup265); - -var msg9459 = msg("7012", dup265); - -var msg9460 = msg("7013", dup265); - -var msg9461 = msg("7014", dup265); - -var msg9462 = msg("7015", dup265); - -var msg9463 = msg("7016", dup265); - -var msg9464 = msg("7017", dup265); - -var msg9465 = msg("7018", dup265); - -var msg9466 = msg("7019", dup196); - -var msg9467 = msg("7020", dup265); - -var msg9468 = msg("7021", dup198); - -var msg9469 = msg("7022", dup267); - -var msg9470 = msg("7023", dup196); - -var msg9471 = msg("7024", dup267); - -var msg9472 = msg("7025", dup267); - -var msg9473 = msg("7026", dup265); - -var msg9474 = msg("7027", dup265); - -var msg9475 = msg("7028", dup265); - -var msg9476 = msg("7029", dup265); - -var msg9477 = msg("7030", dup196); - -var msg9478 = msg("7031", dup196); - -var msg9479 = msg("7032", dup196); - -var msg9480 = msg("7033", dup196); - -var msg9481 = msg("7034", dup196); - -var msg9482 = msg("7035", dup276); - -var msg9483 = msg("7036", dup276); - -var msg9484 = msg("7037", dup276); - -var msg9485 = msg("7038", dup276); - -var msg9486 = msg("7039", dup276); - -var msg9487 = msg("7040", dup276); - -var msg9488 = msg("7041", dup276); - -var msg9489 = msg("7042", dup276); - 
-var msg9490 = msg("7043", dup276); - -var msg9491 = msg("7044", dup276); - -var msg9492 = msg("7045", dup276); - -var msg9493 = msg("7046", dup276); - -var msg9494 = msg("7047", dup267); - -var msg9495 = msg("7048", dup267); - -var msg9496 = msg("7049", dup303); - -var msg9497 = msg("7050", dup303); - -var msg9498 = msg("7051", dup303); - -var msg9499 = msg("7052", dup303); - -var msg9500 = msg("7053", dup303); - -var msg9501 = msg("7054", dup303); - -var msg9502 = msg("7055", dup303); - -var msg9503 = msg("7056", dup205); - -var msg9504 = msg("7057", dup205); - -var msg9505 = msg("7058", dup205); - -var msg9506 = msg("7059", dup205); - -var msg9507 = msg("7060", dup205); - -var msg9508 = msg("7061", dup205); - -var msg9509 = msg("7062", dup205); - -var msg9510 = msg("7063", dup205); - -var msg9511 = msg("7064", dup205); - -var msg9512 = msg("7065", dup205); - -var msg9513 = msg("7066", dup205); - -var msg9514 = msg("7067", dup205); - -var msg9515 = msg("7068", dup205); - -var msg9516 = msg("7069", dup205); - -var msg9517 = msg("7070", dup265); - -var msg9518 = msg("7071", dup265); - -var msg9519 = msg("7072", dup205); - -var msg9520 = msg("7073", dup205); - -var msg9521 = msg("7074", dup205); - -var msg9522 = msg("7075", dup205); - -var msg9523 = msg("7076", dup205); - -var msg9524 = msg("7077", dup205); - -var msg9525 = msg("7078", dup205); - -var msg9526 = msg("7079", dup205); - -var msg9527 = msg("7080", dup205); - -var msg9528 = msg("7081", dup205); - -var msg9529 = msg("7082", dup205); - -var msg9530 = msg("7083", dup205); - -var msg9531 = msg("7084", dup205); - -var msg9532 = msg("7085", dup205); - -var msg9533 = msg("7086", dup205); - -var msg9534 = msg("7087", dup205); - -var msg9535 = msg("7088", dup205); - -var msg9536 = msg("7089", dup205); - -var msg9537 = msg("7090", dup205); - -var msg9538 = msg("7091", dup205); - -var msg9539 = msg("7092", dup205); - -var msg9540 = msg("7093", dup205); - -var msg9541 = msg("7094", dup205); - -var msg9542 = 
msg("7095", dup205); - -var msg9543 = msg("7096", dup205); - -var msg9544 = msg("7097", dup205); - -var msg9545 = msg("7098", dup205); - -var msg9546 = msg("7099", dup205); - -var msg9547 = msg("7100", dup205); - -var msg9548 = msg("7101", dup205); - -var msg9549 = msg("7102", dup205); - -var msg9550 = msg("7103", dup205); - -var msg9551 = msg("7104", dup205); - -var msg9552 = msg("7105", dup205); - -var msg9553 = msg("7106", dup205); - -var msg9554 = msg("7107", dup205); - -var msg9555 = msg("7108", dup205); - -var msg9556 = msg("7109", dup205); - -var msg9557 = msg("7110", dup205); - -var msg9558 = msg("7111", dup205); - -var msg9559 = msg("7112", dup205); - -var msg9560 = msg("7113", dup205); - -var msg9561 = msg("7114", dup205); - -var msg9562 = msg("7115", dup205); - -var msg9563 = msg("7116", dup205); - -var msg9564 = msg("7117", dup205); - -var msg9565 = msg("7118", dup205); - -var msg9566 = msg("7119", dup205); - -var msg9567 = msg("7120", dup205); - -var msg9568 = msg("7121", dup205); - -var msg9569 = msg("7122", dup205); - -var msg9570 = msg("7123", dup303); - -var msg9571 = msg("7124", dup303); - -var msg9572 = msg("7125", dup303); - -var msg9573 = msg("7126", dup192); - -var msg9574 = msg("7127", dup303); - -var msg9575 = msg("7128", dup303); - -var msg9576 = msg("7129", dup303); - -var msg9577 = msg("7130", dup303); - -var msg9578 = msg("7131", dup303); - -var msg9579 = msg("7132", dup303); - -var msg9580 = msg("7133", dup303); - -var msg9581 = msg("7134", dup303); - -var msg9582 = msg("7135", dup303); - -var msg9583 = msg("7136", dup303); - -var msg9584 = msg("7137", dup303); - -var msg9585 = msg("7138", dup192); - -var msg9586 = msg("7139", dup192); - -var msg9587 = msg("7140", dup303); - -var msg9588 = msg("7141", dup303); - -var msg9589 = msg("7142", dup303); - -var msg9590 = msg("7143", dup303); - -var msg9591 = msg("7144", dup303); - -var msg9592 = msg("7145", dup303); - -var msg9593 = msg("7146", dup303); - -var msg9594 = msg("7147", dup303); - 
-var msg9595 = msg("7148", dup303); - -var msg9596 = msg("7149", dup303); - -var msg9597 = msg("7150", dup303); - -var msg9598 = msg("7151", dup303); - -var msg9599 = msg("7152", dup303); - -var msg9600 = msg("7153", dup303); - -var msg9601 = msg("7154", dup303); - -var msg9602 = msg("7155", dup303); - -var msg9603 = msg("7156", dup303); - -var msg9604 = msg("7157", dup303); - -var msg9605 = msg("7158", dup303); - -var msg9606 = msg("7159", dup303); - -var msg9607 = msg("7160", dup303); - -var msg9608 = msg("7161", dup303); - -var msg9609 = msg("7162", dup303); - -var msg9610 = msg("7163", dup303); - -var msg9611 = msg("7164", dup303); - -var msg9612 = msg("7165", dup303); - -var msg9613 = msg("7166", dup303); - -var msg9614 = msg("7167", dup303); - -var msg9615 = msg("7168", dup303); - -var msg9616 = msg("7169", dup303); - -var msg9617 = msg("7170", dup303); - -var msg9618 = msg("7171", dup303); - -var msg9619 = msg("7172", dup303); - -var msg9620 = msg("7173", dup303); - -var msg9621 = msg("7174", dup303); - -var msg9622 = msg("7175", dup303); - -var msg9623 = msg("7176", dup303); - -var msg9624 = msg("7177", dup303); - -var msg9625 = msg("7178", dup303); - -var msg9626 = msg("7179", dup303); - -var msg9627 = msg("7180", dup303); - -var msg9628 = msg("7181", dup303); - -var msg9629 = msg("7182", dup303); - -var msg9630 = msg("7183", dup303); - -var msg9631 = msg("7184", dup303); - -var msg9632 = msg("7185", dup303); - -var msg9633 = msg("7186", dup303); - -var msg9634 = msg("7187", dup303); - -var msg9635 = msg("7188", dup303); - -var msg9636 = msg("7189", dup303); - -var msg9637 = msg("7190", dup303); - -var msg9638 = msg("7191", dup303); - -var msg9639 = msg("7192", dup303); - -var msg9640 = msg("7193", dup303); - -var msg9641 = msg("7194", dup303); - -var msg9642 = msg("7195", dup303); - -var msg9643 = msg("7196", dup222); - -var msg9644 = msg("7197", dup265); - -var msg9645 = msg("7198", dup265); - -var msg9646 = msg("7199", dup267); - -var msg9647 = 
msg("7200", dup267); - -var msg9648 = msg("7201", dup267); - -var msg9649 = msg("7202", dup267); - -var msg9650 = msg("7203", dup267); - -var msg9651 = msg("7204", dup267); - -var msg9652 = msg("7205", dup267); - -var msg9653 = msg("7206", dup196); - -var msg9654 = msg("7207", dup260); - -var msg9655 = msg("7208", dup196); - -var msg9656 = msg("7209", dup276); - -var msg9657 = msg("7210", dup276); - -var msg9658 = msg("7211", dup276); - -var msg9659 = msg("7212", dup276); - -var msg9660 = msg("7213", dup276); - -var msg9661 = msg("7214", dup276); - -var msg9662 = msg("7215", dup276); - -var msg9663 = msg("7216", dup276); - -var msg9664 = msg("7217", dup276); - -var msg9665 = msg("7218", dup276); - -var msg9666 = msg("7219", dup276); - -var msg9667 = msg("7220", dup276); - -var msg9668 = msg("7221", dup276); - -var msg9669 = msg("7222", dup276); - -var msg9670 = msg("7223", dup276); - -var msg9671 = msg("7224", dup276); - -var msg9672 = msg("7225", dup276); - -var msg9673 = msg("7226", dup276); - -var msg9674 = msg("7227", dup276); - -var msg9675 = msg("7228", dup276); - -var msg9676 = msg("7229", dup276); - -var msg9677 = msg("7230", dup276); - -var msg9678 = msg("7231", dup276); - -var msg9679 = msg("7232", dup276); - -var msg9680 = msg("7233", dup276); - -var msg9681 = msg("7234", dup276); - -var msg9682 = msg("7235", dup276); - -var msg9683 = msg("7236", dup276); - -var msg9684 = msg("7237", dup276); - -var msg9685 = msg("7238", dup276); - -var msg9686 = msg("7239", dup276); - -var msg9687 = msg("7240", dup276); - -var msg9688 = msg("7241", dup276); - -var msg9689 = msg("7242", dup276); - -var msg9690 = msg("7243", dup276); - -var msg9691 = msg("7244", dup276); - -var msg9692 = msg("7245", dup276); - -var msg9693 = msg("7246", dup276); - -var msg9694 = msg("7247", dup276); - -var msg9695 = msg("7248", dup276); - -var msg9696 = msg("7249", dup276); - -var msg9697 = msg("7250", dup276); - -var msg9698 = msg("7251", dup276); - -var msg9699 = msg("7252", dup276); - 
-var msg9700 = msg("7253", dup276); - -var msg9701 = msg("7254", dup276); - -var msg9702 = msg("7255", dup276); - -var msg9703 = msg("7256", dup276); - -var msg9704 = msg("7257", dup276); - -var msg9705 = msg("7258", dup276); - -var msg9706 = msg("7259", dup276); - -var msg9707 = msg("7260", dup276); - -var msg9708 = msg("7261", dup276); - -var msg9709 = msg("7262", dup276); - -var msg9710 = msg("7263", dup276); - -var msg9711 = msg("7264", dup276); - -var msg9712 = msg("7265", dup276); - -var msg9713 = msg("7266", dup276); - -var msg9714 = msg("7267", dup276); - -var msg9715 = msg("7268", dup276); - -var msg9716 = msg("7269", dup276); - -var msg9717 = msg("7270", dup276); - -var msg9718 = msg("7271", dup276); - -var msg9719 = msg("7272", dup276); - -var msg9720 = msg("7273", dup276); - -var msg9721 = msg("7274", dup276); - -var msg9722 = msg("7275", dup276); - -var msg9723 = msg("7276", dup276); - -var msg9724 = msg("7277", dup276); - -var msg9725 = msg("7278", dup276); - -var msg9726 = msg("7279", dup276); - -var msg9727 = msg("7280", dup276); - -var msg9728 = msg("7281", dup276); - -var msg9729 = msg("7282", dup276); - -var msg9730 = msg("7283", dup276); - -var msg9731 = msg("7284", dup276); - -var msg9732 = msg("7285", dup276); - -var msg9733 = msg("7286", dup276); - -var msg9734 = msg("7287", dup276); - -var msg9735 = msg("7288", dup276); - -var msg9736 = msg("7289", dup276); - -var msg9737 = msg("7290", dup276); - -var msg9738 = msg("7291", dup276); - -var msg9739 = msg("7292", dup276); - -var msg9740 = msg("7293", dup276); - -var msg9741 = msg("7294", dup276); - -var msg9742 = msg("7295", dup276); - -var msg9743 = msg("7296", dup276); - -var msg9744 = msg("7297", dup276); - -var msg9745 = msg("7298", dup276); - -var msg9746 = msg("7299", dup276); - -var msg9747 = msg("7300", dup276); - -var msg9748 = msg("7301", dup276); - -var msg9749 = msg("7302", dup276); - -var msg9750 = msg("7303", dup276); - -var msg9751 = msg("7304", dup276); - -var msg9752 = 
msg("7305", dup276); - -var msg9753 = msg("7306", dup276); - -var msg9754 = msg("7307", dup276); - -var msg9755 = msg("7308", dup276); - -var msg9756 = msg("7309", dup276); - -var msg9757 = msg("7310", dup276); - -var msg9758 = msg("7311", dup276); - -var msg9759 = msg("7312", dup276); - -var msg9760 = msg("7313", dup276); - -var msg9761 = msg("7314", dup276); - -var msg9762 = msg("7315", dup276); - -var msg9763 = msg("7316", dup276); - -var msg9764 = msg("7317", dup276); - -var msg9765 = msg("7318", dup276); - -var msg9766 = msg("7319", dup276); - -var msg9767 = msg("7320", dup276); - -var msg9768 = msg("7321", dup276); - -var msg9769 = msg("7322", dup276); - -var msg9770 = msg("7323", dup276); - -var msg9771 = msg("7324", dup276); - -var msg9772 = msg("7325", dup276); - -var msg9773 = msg("7326", dup276); - -var msg9774 = msg("7327", dup276); - -var msg9775 = msg("7328", dup276); - -var msg9776 = msg("7329", dup276); - -var msg9777 = msg("7330", dup276); - -var msg9778 = msg("7331", dup276); - -var msg9779 = msg("7332", dup276); - -var msg9780 = msg("7333", dup276); - -var msg9781 = msg("7334", dup276); - -var msg9782 = msg("7335", dup276); - -var msg9783 = msg("7336", dup276); - -var msg9784 = msg("7337", dup276); - -var msg9785 = msg("7338", dup276); - -var msg9786 = msg("7339", dup276); - -var msg9787 = msg("7340", dup276); - -var msg9788 = msg("7341", dup276); - -var msg9789 = msg("7342", dup276); - -var msg9790 = msg("7343", dup276); - -var msg9791 = msg("7344", dup276); - -var msg9792 = msg("7345", dup276); - -var msg9793 = msg("7346", dup276); - -var msg9794 = msg("7347", dup276); - -var msg9795 = msg("7348", dup276); - -var msg9796 = msg("7349", dup276); - -var msg9797 = msg("7350", dup276); - -var msg9798 = msg("7351", dup276); - -var msg9799 = msg("7352", dup276); - -var msg9800 = msg("7353", dup276); - -var msg9801 = msg("7354", dup276); - -var msg9802 = msg("7355", dup276); - -var msg9803 = msg("7356", dup276); - -var msg9804 = msg("7357", dup276); - 
-var msg9805 = msg("7358", dup276); - -var msg9806 = msg("7359", dup276); - -var msg9807 = msg("7360", dup276); - -var msg9808 = msg("7361", dup276); - -var msg9809 = msg("7362", dup276); - -var msg9810 = msg("7363", dup276); - -var msg9811 = msg("7364", dup276); - -var msg9812 = msg("7365", dup276); - -var msg9813 = msg("7366", dup276); - -var msg9814 = msg("7367", dup276); - -var msg9815 = msg("7368", dup276); - -var msg9816 = msg("7369", dup276); - -var msg9817 = msg("7370", dup276); - -var msg9818 = msg("7371", dup276); - -var msg9819 = msg("7372", dup276); - -var msg9820 = msg("7373", dup276); - -var msg9821 = msg("7374", dup276); - -var msg9822 = msg("7375", dup276); - -var msg9823 = msg("7376", dup276); - -var msg9824 = msg("7377", dup276); - -var msg9825 = msg("7378", dup276); - -var msg9826 = msg("7379", dup276); - -var msg9827 = msg("7380", dup276); - -var msg9828 = msg("7381", dup276); - -var msg9829 = msg("7382", dup276); - -var msg9830 = msg("7383", dup276); - -var msg9831 = msg("7384", dup276); - -var msg9832 = msg("7385", dup276); - -var msg9833 = msg("7386", dup276); - -var msg9834 = msg("7387", dup276); - -var msg9835 = msg("7388", dup276); - -var msg9836 = msg("7389", dup276); - -var msg9837 = msg("7390", dup276); - -var msg9838 = msg("7391", dup276); - -var msg9839 = msg("7392", dup276); - -var msg9840 = msg("7393", dup276); - -var msg9841 = msg("7394", dup276); - -var msg9842 = msg("7395", dup276); - -var msg9843 = msg("7396", dup276); - -var msg9844 = msg("7397", dup276); - -var msg9845 = msg("7398", dup276); - -var msg9846 = msg("7399", dup276); - -var msg9847 = msg("7400", dup276); - -var msg9848 = msg("7401", dup276); - -var msg9849 = msg("7402", dup276); - -var msg9850 = msg("7403", dup276); - -var msg9851 = msg("7404", dup276); - -var msg9852 = msg("7405", dup276); - -var msg9853 = msg("7406", dup276); - -var msg9854 = msg("7407", dup276); - -var msg9855 = msg("7408", dup276); - -var msg9856 = msg("7409", dup276); - -var msg9857 = 
msg("7410", dup276); - -var msg9858 = msg("7411", dup276); - -var msg9859 = msg("7412", dup276); - -var msg9860 = msg("7413", dup276); - -var msg9861 = msg("7414", dup276); - -var msg9862 = msg("7415", dup276); - -var msg9863 = msg("7416", dup276); - -var msg9864 = msg("7417", dup276); - -var msg9865 = msg("7418", dup276); - -var msg9866 = msg("7419", dup276); - -var msg9867 = msg("7420", dup276); - -var msg9868 = msg("7421", dup196); - -var msg9869 = msg("7422", dup287); - -var msg9870 = msg("7423", dup287); - -var msg9871 = msg("7424", dup287); - -var msg9872 = msg("7425", dup265); - -var msg9873 = msg("7426", dup265); - -var msg9874 = msg("7427", dup265); - -var msg9875 = msg("7428", dup265); - -var msg9876 = msg("7429", dup265); - -var msg9877 = msg("7430", dup265); - -var msg9878 = msg("7431", dup265); - -var msg9879 = msg("7432", dup265); - -var msg9880 = msg("7433", dup265); - -var msg9881 = msg("7434", dup265); - -var msg9882 = msg("7435", dup265); - -var msg9883 = msg("7436", dup265); - -var msg9884 = msg("7437", dup265); - -var msg9885 = msg("7438", dup265); - -var msg9886 = msg("7439", dup265); - -var msg9887 = msg("7440", dup265); - -var msg9888 = msg("7441", dup265); - -var msg9889 = msg("7442", dup265); - -var msg9890 = msg("7443", dup265); - -var msg9891 = msg("7444", dup265); - -var msg9892 = msg("7445", dup265); - -var msg9893 = msg("7446", dup265); - -var msg9894 = msg("7447", dup265); - -var msg9895 = msg("7448", dup265); - -var msg9896 = msg("7449", dup265); - -var msg9897 = msg("7450", dup265); - -var msg9898 = msg("7451", dup265); - -var msg9899 = msg("7452", dup265); - -var msg9900 = msg("7453", dup265); - -var msg9901 = msg("7454", dup265); - -var msg9902 = msg("7455", dup265); - -var msg9903 = msg("7456", dup265); - -var msg9904 = msg("7457", dup265); - -var msg9905 = msg("7458", dup265); - -var msg9906 = msg("7459", dup265); - -var msg9907 = msg("7460", dup265); - -var msg9908 = msg("7461", dup265); - -var msg9909 = msg("7462", dup265); - 
-var msg9910 = msg("7463", dup265); - -var msg9911 = msg("7464", dup265); - -var msg9912 = msg("7465", dup265); - -var msg9913 = msg("7466", dup265); - -var msg9914 = msg("7467", dup265); - -var msg9915 = msg("7468", dup265); - -var msg9916 = msg("7469", dup265); - -var msg9917 = msg("7470", dup265); - -var msg9918 = msg("7471", dup265); - -var msg9919 = msg("7472", dup265); - -var msg9920 = msg("7473", dup265); - -var msg9921 = msg("7474", dup265); - -var msg9922 = msg("7475", dup265); - -var msg9923 = msg("7476", dup265); - -var msg9924 = msg("7477", dup265); - -var msg9925 = msg("7478", dup265); - -var msg9926 = msg("7479", dup265); - -var msg9927 = msg("7480", dup265); - -var msg9928 = msg("7481", dup265); - -var msg9929 = msg("7482", dup265); - -var msg9930 = msg("7483", dup265); - -var msg9931 = msg("7484", dup265); - -var msg9932 = msg("7485", dup265); - -var msg9933 = msg("7486", dup265); - -var msg9934 = msg("7487", dup265); - -var msg9935 = msg("7488", dup265); - -var msg9936 = msg("7489", dup265); - -var msg9937 = msg("7490", dup265); - -var msg9938 = msg("7491", dup265); - -var msg9939 = msg("7492", dup265); - -var msg9940 = msg("7493", dup265); - -var msg9941 = msg("7494", dup265); - -var msg9942 = msg("7495", dup265); - -var msg9943 = msg("7496", dup265); - -var msg9944 = msg("7497", dup265); - -var msg9945 = msg("7498", dup265); - -var msg9946 = msg("7499", dup265); - -var msg9947 = msg("7500", dup265); - -var msg9948 = msg("7501", dup265); - -var msg9949 = msg("7502", dup265); - -var msg9950 = msg("7503", dup265); - -var msg9951 = msg("7504", dup303); - -var msg9952 = msg("7505", dup303); - -var msg9953 = msg("7506", dup303); - -var msg9954 = msg("7507", dup303); - -var msg9955 = msg("7508", dup303); - -var msg9956 = msg("7509", dup303); - -var msg9957 = msg("7510", dup303); - -var msg9958 = msg("7511", dup303); - -var msg9959 = msg("7512", dup303); - -var msg9960 = msg("7513", dup303); - -var msg9961 = msg("7514", dup303); - -var msg9962 = 
msg("7515", dup303); - -var msg9963 = msg("7516", dup303); - -var msg9964 = msg("7517", dup303); - -var msg9965 = msg("7518", dup303); - -var msg9966 = msg("7519", dup303); - -var msg9967 = msg("7520", dup303); - -var msg9968 = msg("7521", dup303); - -var msg9969 = msg("7522", dup303); - -var msg9970 = msg("7523", dup303); - -var msg9971 = msg("7524", dup303); - -var msg9972 = msg("7525", dup303); - -var msg9973 = msg("7526", dup303); - -var msg9974 = msg("7527", dup303); - -var msg9975 = msg("7528", dup303); - -var msg9976 = msg("7529", dup303); - -var msg9977 = msg("7530", dup303); - -var msg9978 = msg("7531", dup303); - -var msg9979 = msg("7532", dup303); - -var msg9980 = msg("7533", dup303); - -var msg9981 = msg("7534", dup303); - -var msg9982 = msg("7535", dup303); - -var msg9983 = msg("7536", dup303); - -var msg9984 = msg("7537", dup303); - -var msg9985 = msg("7538", dup303); - -var msg9986 = msg("7539", dup303); - -var msg9987 = msg("7540", dup303); - -var msg9988 = msg("7541", dup303); - -var msg9989 = msg("7542", dup303); - -var msg9990 = msg("7543", dup303); - -var msg9991 = msg("7544", dup303); - -var msg9992 = msg("7545", dup303); - -var msg9993 = msg("7546", dup303); - -var msg9994 = msg("7547", dup303); - -var msg9995 = msg("7548", dup303); - -var msg9996 = msg("7549", dup303); - -var msg9997 = msg("7550", dup303); - -var msg9998 = msg("7551", dup303); - -var msg9999 = msg("7552", dup303); - -var msg10000 = msg("7553", dup303); - -var msg10001 = msg("7554", dup303); - -var msg10002 = msg("7555", dup303); - -var msg10003 = msg("7556", dup303); - -var msg10004 = msg("7557", dup303); - -var msg10005 = msg("7558", dup303); - -var msg10006 = msg("7559", dup303); - -var msg10007 = msg("7560", dup303); - -var msg10008 = msg("7561", dup303); - -var msg10009 = msg("7562", dup303); - -var msg10010 = msg("7563", dup303); - -var msg10011 = msg("7564", dup303); - -var msg10012 = msg("7565", dup303); - -var msg10013 = msg("7566", dup303); - -var msg10014 = 
msg("7567", dup303); - -var msg10015 = msg("7568", dup303); - -var msg10016 = msg("7569", dup303); - -var msg10017 = msg("7570", dup303); - -var msg10018 = msg("7571", dup303); - -var msg10019 = msg("7572", dup303); - -var msg10020 = msg("7573", dup303); - -var msg10021 = msg("7574", dup303); - -var msg10022 = msg("7575", dup303); - -var msg10023 = msg("7576", dup303); - -var msg10024 = msg("7577", dup303); - -var msg10025 = msg("7578", dup303); - -var msg10026 = msg("7579", dup303); - -var msg10027 = msg("7580", dup303); - -var msg10028 = msg("7581", dup303); - -var msg10029 = msg("7582", dup303); - -var msg10030 = msg("7583", dup303); - -var msg10031 = msg("7584", dup303); - -var msg10032 = msg("7585", dup303); - -var msg10033 = msg("7586", dup303); - -var msg10034 = msg("7587", dup303); - -var msg10035 = msg("7588", dup303); - -var msg10036 = msg("7589", dup303); - -var msg10037 = msg("7590", dup303); - -var msg10038 = msg("7591", dup303); - -var msg10039 = msg("7592", dup303); - -var msg10040 = msg("7593", dup303); - -var msg10041 = msg("7594", dup303); - -var msg10042 = msg("7595", dup303); - -var msg10043 = msg("7596", dup303); - -var msg10044 = msg("7597", dup303); - -var msg10045 = msg("7598", dup303); - -var msg10046 = msg("7599", dup303); - -var msg10047 = msg("7600", dup303); - -var msg10048 = msg("7601", dup303); - -var msg10049 = msg("7602", dup303); - -var msg10050 = msg("7603", dup303); - -var msg10051 = msg("7604", dup205); - -var msg10052 = msg("7605", dup205); - -var msg10053 = msg("7606", dup205); - -var msg10054 = msg("7607", dup205); - -var msg10055 = msg("7608", dup205); - -var msg10056 = msg("7609", dup205); - -var msg10057 = msg("7610", dup205); - -var msg10058 = msg("7611", dup205); - -var msg10059 = msg("7612", dup205); - -var msg10060 = msg("7613", dup205); - -var msg10061 = msg("7614", dup205); - -var msg10062 = msg("7615", dup205); - -var msg10063 = msg("7616", dup205); - -var msg10064 = msg("7617", dup205); - -var msg10065 = 
msg("7618", dup205); - -var msg10066 = msg("7619", dup205); - -var msg10067 = msg("7620", dup205); - -var msg10068 = msg("7621", dup205); - -var msg10069 = msg("7622", dup205); - -var msg10070 = msg("7623", dup205); - -var msg10071 = msg("7624", dup205); - -var msg10072 = msg("7625", dup205); - -var msg10073 = msg("7626", dup205); - -var msg10074 = msg("7627", dup205); - -var msg10075 = msg("7628", dup205); - -var msg10076 = msg("7629", dup205); - -var msg10077 = msg("7630", dup205); - -var msg10078 = msg("7631", dup205); - -var msg10079 = msg("7632", dup205); - -var msg10080 = msg("7633", dup205); - -var msg10081 = msg("7634", dup205); - -var msg10082 = msg("7635", dup205); - -var msg10083 = msg("7636", dup205); - -var msg10084 = msg("7637", dup205); - -var msg10085 = msg("7638", dup205); - -var msg10086 = msg("7639", dup205); - -var msg10087 = msg("7640", dup205); - -var msg10088 = msg("7641", dup205); - -var msg10089 = msg("7642", dup205); - -var msg10090 = msg("7643", dup205); - -var msg10091 = msg("7644", dup205); - -var msg10092 = msg("7645", dup205); - -var msg10093 = msg("7646", dup205); - -var msg10094 = msg("7647", dup205); - -var msg10095 = msg("7648", dup205); - -var msg10096 = msg("7649", dup205); - -var msg10097 = msg("7650", dup205); - -var msg10098 = msg("7651", dup205); - -var msg10099 = msg("7652", dup205); - -var msg10100 = msg("7653", dup205); - -var msg10101 = msg("7654", dup205); - -var msg10102 = msg("7655", dup205); - -var msg10103 = msg("7656", dup205); - -var msg10104 = msg("7657", dup205); - -var msg10105 = msg("7658", dup205); - -var msg10106 = msg("7659", dup205); - -var msg10107 = msg("7660", dup205); - -var msg10108 = msg("7661", dup205); - -var msg10109 = msg("7662", dup205); - -var msg10110 = msg("7663", dup205); - -var msg10111 = msg("7664", dup205); - -var msg10112 = msg("7665", dup205); - -var msg10113 = msg("7666", dup205); - -var msg10114 = msg("7667", dup205); - -var msg10115 = msg("7668", dup205); - -var msg10116 = 
msg("7669", dup205); - -var msg10117 = msg("7670", dup205); - -var msg10118 = msg("7671", dup205); - -var msg10119 = msg("7672", dup205); - -var msg10120 = msg("7673", dup205); - -var msg10121 = msg("7674", dup205); - -var msg10122 = msg("7675", dup205); - -var msg10123 = msg("7676", dup205); - -var msg10124 = msg("7677", dup205); - -var msg10125 = msg("7678", dup205); - -var msg10126 = msg("7679", dup205); - -var msg10127 = msg("7680", dup205); - -var msg10128 = msg("7681", dup205); - -var msg10129 = msg("7682", dup205); - -var msg10130 = msg("7683", dup205); - -var msg10131 = msg("7684", dup205); - -var msg10132 = msg("7685", dup205); - -var msg10133 = msg("7686", dup205); - -var msg10134 = msg("7687", dup205); - -var msg10135 = msg("7688", dup205); - -var msg10136 = msg("7689", dup205); - -var msg10137 = msg("7690", dup205); - -var msg10138 = msg("7691", dup205); - -var msg10139 = msg("7692", dup205); - -var msg10140 = msg("7693", dup205); - -var msg10141 = msg("7694", dup205); - -var msg10142 = msg("7695", dup205); - -var msg10143 = msg("7696", dup205); - -var msg10144 = msg("7697", dup205); - -var msg10145 = msg("7698", dup205); - -var msg10146 = msg("7699", dup205); - -var msg10147 = msg("7700", dup205); - -var msg10148 = msg("7701", dup205); - -var msg10149 = msg("7702", dup205); - -var msg10150 = msg("7703", dup205); - -var msg10151 = msg("7704", dup205); - -var msg10152 = msg("7705", dup205); - -var msg10153 = msg("7706", dup205); - -var msg10154 = msg("7707", dup205); - -var msg10155 = msg("7708", dup205); - -var msg10156 = msg("7709", dup205); - -var msg10157 = msg("7710", dup205); - -var msg10158 = msg("7711", dup205); - -var msg10159 = msg("7712", dup205); - -var msg10160 = msg("7713", dup205); - -var msg10161 = msg("7714", dup205); - -var msg10162 = msg("7715", dup205); - -var msg10163 = msg("7716", dup205); - -var msg10164 = msg("7717", dup205); - -var msg10165 = msg("7718", dup205); - -var msg10166 = msg("7719", dup205); - -var msg10167 = 
msg("7720", dup205); - -var msg10168 = msg("7721", dup205); - -var msg10169 = msg("7722", dup205); - -var msg10170 = msg("7723", dup205); - -var msg10171 = msg("7724", dup205); - -var msg10172 = msg("7725", dup205); - -var msg10173 = msg("7726", dup205); - -var msg10174 = msg("7727", dup205); - -var msg10175 = msg("7728", dup205); - -var msg10176 = msg("7729", dup205); - -var msg10177 = msg("7730", dup205); - -var msg10178 = msg("7731", dup205); - -var msg10179 = msg("7732", dup205); - -var msg10180 = msg("7733", dup205); - -var msg10181 = msg("7734", dup205); - -var msg10182 = msg("7735", dup205); - -var msg10183 = msg("7736", dup205); - -var msg10184 = msg("7737", dup205); - -var msg10185 = msg("7738", dup205); - -var msg10186 = msg("7739", dup205); - -var msg10187 = msg("7740", dup205); - -var msg10188 = msg("7741", dup205); - -var msg10189 = msg("7742", dup205); - -var msg10190 = msg("7743", dup205); - -var msg10191 = msg("7744", dup205); - -var msg10192 = msg("7745", dup205); - -var msg10193 = msg("7746", dup205); - -var msg10194 = msg("7747", dup205); - -var msg10195 = msg("7748", dup205); - -var msg10196 = msg("7749", dup205); - -var msg10197 = msg("7750", dup205); - -var msg10198 = msg("7751", dup205); - -var msg10199 = msg("7752", dup205); - -var msg10200 = msg("7753", dup205); - -var msg10201 = msg("7754", dup205); - -var msg10202 = msg("7755", dup205); - -var msg10203 = msg("7756", dup205); - -var msg10204 = msg("7757", dup205); - -var msg10205 = msg("7758", dup205); - -var msg10206 = msg("7759", dup205); - -var msg10207 = msg("7760", dup205); - -var msg10208 = msg("7761", dup205); - -var msg10209 = msg("7762", dup205); - -var msg10210 = msg("7763", dup205); - -var msg10211 = msg("7764", dup205); - -var msg10212 = msg("7765", dup205); - -var msg10213 = msg("7766", dup205); - -var msg10214 = msg("7767", dup205); - -var msg10215 = msg("7768", dup205); - -var msg10216 = msg("7769", dup205); - -var msg10217 = msg("7770", dup205); - -var msg10218 = 
msg("7771", dup205); - -var msg10219 = msg("7772", dup205); - -var msg10220 = msg("7773", dup205); - -var msg10221 = msg("7774", dup205); - -var msg10222 = msg("7775", dup205); - -var msg10223 = msg("7776", dup205); - -var msg10224 = msg("7777", dup205); - -var msg10225 = msg("7778", dup205); - -var msg10226 = msg("7779", dup205); - -var msg10227 = msg("7780", dup205); - -var msg10228 = msg("7781", dup205); - -var msg10229 = msg("7782", dup205); - -var msg10230 = msg("7783", dup205); - -var msg10231 = msg("7784", dup205); - -var msg10232 = msg("7785", dup205); - -var msg10233 = msg("7786", dup205); - -var msg10234 = msg("7787", dup205); - -var msg10235 = msg("7788", dup205); - -var msg10236 = msg("7789", dup205); - -var msg10237 = msg("7790", dup205); - -var msg10238 = msg("7791", dup205); - -var msg10239 = msg("7792", dup205); - -var msg10240 = msg("7793", dup205); - -var msg10241 = msg("7794", dup205); - -var msg10242 = msg("7795", dup205); - -var msg10243 = msg("7796", dup205); - -var msg10244 = msg("7797", dup205); - -var msg10245 = msg("7798", dup205); - -var msg10246 = msg("7799", dup205); - -var msg10247 = msg("7800", dup205); - -var msg10248 = msg("7801", dup205); - -var msg10249 = msg("7802", dup205); - -var msg10250 = msg("7803", dup205); - -var msg10251 = msg("7804", dup205); - -var msg10252 = msg("7805", dup205); - -var msg10253 = msg("7806", dup205); - -var msg10254 = msg("7807", dup205); - -var msg10255 = msg("7808", dup205); - -var msg10256 = msg("7809", dup205); - -var msg10257 = msg("7810", dup205); - -var msg10258 = msg("7811", dup205); - -var msg10259 = msg("7812", dup205); - -var msg10260 = msg("7813", dup205); - -var msg10261 = msg("7814", dup205); - -var msg10262 = msg("7815", dup205); - -var msg10263 = msg("7816", dup205); - -var msg10264 = msg("7817", dup205); - -var msg10265 = msg("7818", dup205); - -var msg10266 = msg("7819", dup205); - -var msg10267 = msg("7820", dup205); - -var msg10268 = msg("7821", dup205); - -var msg10269 = 
msg("7822", dup205); - -var msg10270 = msg("7823", dup303); - -var msg10271 = msg("7824", dup303); - -var msg10272 = msg("7825", dup303); - -var msg10273 = msg("7826", dup303); - -var msg10274 = msg("7827", dup303); - -var msg10275 = msg("7828", dup303); - -var msg10276 = msg("7829", dup303); - -var msg10277 = msg("7830", dup303); - -var msg10278 = msg("7831", dup303); - -var msg10279 = msg("7832", dup303); - -var msg10280 = msg("7833", dup303); - -var msg10281 = msg("7834", dup303); - -var msg10282 = msg("7835", dup303); - -var msg10283 = msg("7836", dup303); - -var msg10284 = msg("7837", dup303); - -var msg10285 = msg("7838", dup303); - -var msg10286 = msg("7839", dup303); - -var msg10287 = msg("7840", dup303); - -var msg10288 = msg("7841", dup303); - -var msg10289 = msg("7842", dup303); - -var msg10290 = msg("7843", dup303); - -var msg10291 = msg("7844", dup303); - -var msg10292 = msg("7845", dup303); - -var msg10293 = msg("7846", dup303); - -var msg10294 = msg("7847", dup303); - -var msg10295 = msg("7848", dup303); - -var msg10296 = msg("7849", dup303); - -var msg10297 = msg("7850", dup303); - -var msg10298 = msg("7851", dup303); - -var msg10299 = msg("7852", dup303); - -var msg10300 = msg("7853", dup303); - -var msg10301 = msg("7854", dup303); - -var msg10302 = msg("7855", dup303); - -var msg10303 = msg("7856", dup303); - -var msg10304 = msg("7857", dup303); - -var msg10305 = msg("7858", dup196); - -var msg10306 = msg("7859", dup196); - -var msg10307 = msg("7860", dup196); - -var msg10308 = msg("7861", dup196); - -var msg10309 = msg("7862", dup265); - -var msg10310 = msg("7863", dup265); - -var msg10311 = msg("7864", dup265); - -var msg10312 = msg("7865", dup265); - -var msg10313 = msg("7866", dup265); - -var msg10314 = msg("7867", dup265); - -var msg10315 = msg("7868", dup265); - -var msg10316 = msg("7869", dup265); - -var msg10317 = msg("7870", dup265); - -var msg10318 = msg("7871", dup265); - -var msg10319 = msg("7872", dup265); - -var msg10320 = 
msg("7873", dup265); - -var msg10321 = msg("7874", dup265); - -var msg10322 = msg("7875", dup265); - -var msg10323 = msg("7876", dup265); - -var msg10324 = msg("7877", dup265); - -var msg10325 = msg("7878", dup265); - -var msg10326 = msg("7879", dup265); - -var msg10327 = msg("7880", dup265); - -var msg10328 = msg("7881", dup265); - -var msg10329 = msg("7882", dup265); - -var msg10330 = msg("7883", dup265); - -var msg10331 = msg("7884", dup265); - -var msg10332 = msg("7885", dup265); - -var msg10333 = msg("7886", dup265); - -var msg10334 = msg("7887", dup265); - -var msg10335 = msg("7888", dup265); - -var msg10336 = msg("7889", dup265); - -var msg10337 = msg("7890", dup265); - -var msg10338 = msg("7891", dup265); - -var msg10339 = msg("7892", dup265); - -var msg10340 = msg("7893", dup265); - -var msg10341 = msg("7894", dup265); - -var msg10342 = msg("7895", dup265); - -var msg10343 = msg("7896", dup265); - -var msg10344 = msg("7897", dup265); - -var msg10345 = msg("7898", dup265); - -var msg10346 = msg("7899", dup265); - -var msg10347 = msg("7900", dup265); - -var msg10348 = msg("7901", dup265); - -var msg10349 = msg("7902", dup265); - -var msg10350 = msg("7903", dup265); - -var msg10351 = msg("7904", dup265); - -var msg10352 = msg("7905", dup265); - -var msg10353 = msg("7906", dup265); - -var msg10354 = msg("7907", dup265); - -var msg10355 = msg("7908", dup265); - -var msg10356 = msg("7909", dup265); - -var msg10357 = msg("7910", dup265); - -var msg10358 = msg("7911", dup265); - -var msg10359 = msg("7912", dup265); - -var msg10360 = msg("7913", dup265); - -var msg10361 = msg("7914", dup265); - -var msg10362 = msg("7915", dup265); - -var msg10363 = msg("7916", dup265); - -var msg10364 = msg("7917", dup265); - -var msg10365 = msg("7918", dup265); - -var msg10366 = msg("7919", dup265); - -var msg10367 = msg("7920", dup265); - -var msg10368 = msg("7921", dup265); - -var msg10369 = msg("7922", dup265); - -var msg10370 = msg("7923", dup265); - -var msg10371 = 
msg("7924", dup265); - -var msg10372 = msg("7925", dup265); - -var msg10373 = msg("7926", dup265); - -var msg10374 = msg("7927", dup265); - -var msg10375 = msg("7928", dup265); - -var msg10376 = msg("7929", dup265); - -var msg10377 = msg("7930", dup265); - -var msg10378 = msg("7931", dup265); - -var msg10379 = msg("7932", dup265); - -var msg10380 = msg("7933", dup265); - -var msg10381 = msg("7934", dup265); - -var msg10382 = msg("7935", dup265); - -var msg10383 = msg("7936", dup265); - -var msg10384 = msg("7937", dup265); - -var msg10385 = msg("7938", dup265); - -var msg10386 = msg("7939", dup265); - -var msg10387 = msg("7940", dup265); - -var msg10388 = msg("7941", dup265); - -var msg10389 = msg("7942", dup265); - -var msg10390 = msg("7943", dup265); - -var msg10391 = msg("7944", dup265); - -var msg10392 = msg("7945", dup265); - -var msg10393 = msg("7946", dup265); - -var msg10394 = msg("7947", dup265); - -var msg10395 = msg("7948", dup265); - -var msg10396 = msg("7949", dup265); - -var msg10397 = msg("7950", dup265); - -var msg10398 = msg("7951", dup265); - -var msg10399 = msg("7952", dup265); - -var msg10400 = msg("7953", dup265); - -var msg10401 = msg("7954", dup265); - -var msg10402 = msg("7955", dup265); - -var msg10403 = msg("7956", dup265); - -var msg10404 = msg("7957", dup265); - -var msg10405 = msg("7958", dup265); - -var msg10406 = msg("7959", dup265); - -var msg10407 = msg("7960", dup265); - -var msg10408 = msg("7961", dup265); - -var msg10409 = msg("7962", dup265); - -var msg10410 = msg("7963", dup265); - -var msg10411 = msg("7964", dup265); - -var msg10412 = msg("7965", dup265); - -var msg10413 = msg("7966", dup265); - -var msg10414 = msg("7967", dup265); - -var msg10415 = msg("7968", dup265); - -var msg10416 = msg("7969", dup265); - -var msg10417 = msg("7970", dup265); - -var msg10418 = msg("7971", dup265); - -var msg10419 = msg("7972", dup265); - -var msg10420 = msg("7973", dup265); - -var msg10421 = msg("7974", dup265); - -var msg10422 = 
msg("7975", dup265); - -var msg10423 = msg("7976", dup265); - -var msg10424 = msg("7977", dup265); - -var msg10425 = msg("7978", dup265); - -var msg10426 = msg("7979", dup265); - -var msg10427 = msg("7980", dup265); - -var msg10428 = msg("7981", dup265); - -var msg10429 = msg("7982", dup265); - -var msg10430 = msg("7983", dup265); - -var msg10431 = msg("7984", dup265); - -var msg10432 = msg("7985", dup265); - -var msg10433 = msg("7986", dup265); - -var msg10434 = msg("7987", dup265); - -var msg10435 = msg("7988", dup265); - -var msg10436 = msg("7989", dup265); - -var msg10437 = msg("7990", dup265); - -var msg10438 = msg("7991", dup265); - -var msg10439 = msg("7992", dup265); - -var msg10440 = msg("7993", dup265); - -var msg10441 = msg("7994", dup265); - -var msg10442 = msg("7995", dup265); - -var msg10443 = msg("7996", dup265); - -var msg10444 = msg("7997", dup265); - -var msg10445 = msg("7998", dup265); - -var msg10446 = msg("7999", dup265); - -var msg10447 = msg("8000", dup265); - -var msg10448 = msg("8001", dup265); - -var msg10449 = msg("8002", dup265); - -var msg10450 = msg("8003", dup265); - -var msg10451 = msg("8004", dup265); - -var msg10452 = msg("8005", dup265); - -var msg10453 = msg("8006", dup265); - -var msg10454 = msg("8007", dup265); - -var msg10455 = msg("8008", dup265); - -var msg10456 = msg("8009", dup265); - -var msg10457 = msg("8010", dup265); - -var msg10458 = msg("8011", dup265); - -var msg10459 = msg("8012", dup265); - -var msg10460 = msg("8013", dup265); - -var msg10461 = msg("8014", dup265); - -var msg10462 = msg("8015", dup265); - -var msg10463 = msg("8016", dup265); - -var msg10464 = msg("8017", dup265); - -var msg10465 = msg("8018", dup265); - -var msg10466 = msg("8019", dup265); - -var msg10467 = msg("8020", dup265); - -var msg10468 = msg("8021", dup265); - -var msg10469 = msg("8022", dup265); - -var msg10470 = msg("8023", dup265); - -var msg10471 = msg("8024", dup265); - -var msg10472 = msg("8025", dup265); - -var msg10473 = 
msg("8026", dup265); - -var msg10474 = msg("8027", dup265); - -var msg10475 = msg("8028", dup265); - -var msg10476 = msg("8029", dup265); - -var msg10477 = msg("8030", dup265); - -var msg10478 = msg("8031", dup265); - -var msg10479 = msg("8032", dup265); - -var msg10480 = msg("8033", dup265); - -var msg10481 = msg("8034", dup265); - -var msg10482 = msg("8035", dup265); - -var msg10483 = msg("8036", dup265); - -var msg10484 = msg("8037", dup265); - -var msg10485 = msg("8038", dup265); - -var msg10486 = msg("8039", dup265); - -var msg10487 = msg("8040", dup265); - -var msg10488 = msg("8041", dup265); - -var msg10489 = msg("8042", dup265); - -var msg10490 = msg("8043", dup265); - -var msg10491 = msg("8044", dup265); - -var msg10492 = msg("8045", dup265); - -var msg10493 = msg("8046", dup265); - -var msg10494 = msg("8047", dup265); - -var msg10495 = msg("8048", dup265); - -var msg10496 = msg("8049", dup265); - -var msg10497 = msg("8050", dup265); - -var msg10498 = msg("8051", dup265); - -var msg10499 = msg("8052", dup265); - -var msg10500 = msg("8053", dup265); - -var msg10501 = msg("8054", dup265); - -var msg10502 = msg("8055", dup265); - -var msg10503 = msg("8056", dup198); - -var msg10504 = msg("8057", dup198); - -var msg10505 = msg("8058", dup265); - -var msg10506 = msg("8059", dup260); - -var msg10507 = msg("8060", dup197); - -var msg10508 = msg("8061", dup265); - -var msg10509 = msg("8062", dup265); - -var msg10510 = msg("8063", dup265); - -var msg10511 = msg("8064", dup265); - -var msg10512 = msg("8065", dup265); - -var msg10513 = msg("8066", dup265); - -var msg10514 = msg("8067", dup265); - -var msg10515 = msg("8068", dup265); - -var msg10516 = msg("8069", dup265); - -var msg10517 = msg("8070", dup265); - -var msg10518 = msg("8071", dup303); - -var msg10519 = msg("8072", dup303); - -var msg10520 = msg("8073", dup303); - -var msg10521 = msg("8074", dup205); - -var msg10522 = msg("8075", dup205); - -var msg10523 = msg("8076", dup205); - -var msg10524 = 
msg("8077", dup205); - -var msg10525 = msg("8078", dup205); - -var msg10526 = msg("8079", dup205); - -var msg10527 = msg("8080", dup205); - -var msg10528 = msg("8081", dup194); - -var msg10529 = msg("8082", dup196); - -var msg10530 = msg("8083", dup197); - -var msg10531 = msg("8084", dup265); - -var msg10532 = msg("8085", dup267); - -var msg10533 = msg("8086", dup267); - -var msg10534 = msg("8087", dup201); - -var msg10535 = msg("8088", dup267); - -var msg10536 = msg("8089", dup267); - -var msg10537 = msg("8090", dup201); - -var msg10538 = msg("8091", dup267); - -var msg10539 = msg("8092", dup198); - -var msg10540 = msg("8093", dup276); - -var msg10541 = msg("8094", dup276); - -var msg10542 = msg("8095", dup276); - -var msg10543 = msg("8096", dup276); - -var msg10544 = msg("8097", dup276); - -var msg10545 = msg("8098", dup276); - -var msg10546 = msg("8099", dup276); - -var msg10547 = msg("8100", dup276); - -var msg10548 = msg("8101", dup276); - -var msg10549 = msg("8102", dup276); - -var msg10550 = msg("8103", dup276); - -var msg10551 = msg("8104", dup276); - -var msg10552 = msg("8105", dup276); - -var msg10553 = msg("8106", dup276); - -var msg10554 = msg("8107", dup276); - -var msg10555 = msg("8108", dup276); - -var msg10556 = msg("8109", dup276); - -var msg10557 = msg("8110", dup276); - -var msg10558 = msg("8111", dup276); - -var msg10559 = msg("8112", dup276); - -var msg10560 = msg("8113", dup276); - -var msg10561 = msg("8114", dup276); - -var msg10562 = msg("8115", dup276); - -var msg10563 = msg("8116", dup276); - -var msg10564 = msg("8117", dup276); - -var msg10565 = msg("8118", dup276); - -var msg10566 = msg("8119", dup276); - -var msg10567 = msg("8120", dup276); - -var msg10568 = msg("8121", dup276); - -var msg10569 = msg("8122", dup276); - -var msg10570 = msg("8123", dup276); - -var msg10571 = msg("8124", dup276); - -var msg10572 = msg("8125", dup276); - -var msg10573 = msg("8126", dup276); - -var msg10574 = msg("8127", dup276); - -var msg10575 = 
msg("8128", dup276); - -var msg10576 = msg("8129", dup276); - -var msg10577 = msg("8130", dup276); - -var msg10578 = msg("8131", dup276); - -var msg10579 = msg("8132", dup276); - -var msg10580 = msg("8133", dup276); - -var msg10581 = msg("8134", dup276); - -var msg10582 = msg("8135", dup276); - -var msg10583 = msg("8136", dup276); - -var msg10584 = msg("8137", dup276); - -var msg10585 = msg("8138", dup276); - -var msg10586 = msg("8139", dup276); - -var msg10587 = msg("8140", dup276); - -var msg10588 = msg("8141", dup276); - -var msg10589 = msg("8142", dup276); - -var msg10590 = msg("8143", dup276); - -var msg10591 = msg("8144", dup276); - -var msg10592 = msg("8145", dup276); - -var msg10593 = msg("8146", dup276); - -var msg10594 = msg("8147", dup276); - -var msg10595 = msg("8148", dup276); - -var msg10596 = msg("8149", dup276); - -var msg10597 = msg("8150", dup276); - -var msg10598 = msg("8151", dup276); - -var msg10599 = msg("8152", dup276); - -var msg10600 = msg("8153", dup276); - -var msg10601 = msg("8154", dup276); - -var msg10602 = msg("8155", dup276); - -var msg10603 = msg("8156", dup276); - -var msg10604 = msg("8157", dup276); - -var msg10605 = msg("8158", dup276); - -var msg10606 = msg("8159", dup276); - -var msg10607 = msg("8160", dup276); - -var msg10608 = msg("8161", dup276); - -var msg10609 = msg("8162", dup276); - -var msg10610 = msg("8163", dup276); - -var msg10611 = msg("8164", dup276); - -var msg10612 = msg("8165", dup276); - -var msg10613 = msg("8166", dup276); - -var msg10614 = msg("8167", dup276); - -var msg10615 = msg("8168", dup276); - -var msg10616 = msg("8169", dup276); - -var msg10617 = msg("8170", dup276); - -var msg10618 = msg("8171", dup276); - -var msg10619 = msg("8172", dup276); - -var msg10620 = msg("8173", dup276); - -var msg10621 = msg("8174", dup276); - -var msg10622 = msg("8175", dup276); - -var msg10623 = msg("8176", dup276); - -var msg10624 = msg("8177", dup276); - -var msg10625 = msg("8178", dup276); - -var msg10626 = 
msg("8179", dup276); - -var msg10627 = msg("8180", dup276); - -var msg10628 = msg("8181", dup276); - -var msg10629 = msg("8182", dup276); - -var msg10630 = msg("8183", dup276); - -var msg10631 = msg("8184", dup276); - -var msg10632 = msg("8185", dup276); - -var msg10633 = msg("8186", dup276); - -var msg10634 = msg("8187", dup276); - -var msg10635 = msg("8188", dup276); - -var msg10636 = msg("8189", dup276); - -var msg10637 = msg("8190", dup276); - -var msg10638 = msg("8191", dup276); - -var msg10639 = msg("8192", dup276); - -var msg10640 = msg("8193", dup276); - -var msg10641 = msg("8194", dup276); - -var msg10642 = msg("8195", dup276); - -var msg10643 = msg("8196", dup276); - -var msg10644 = msg("8197", dup276); - -var msg10645 = msg("8198", dup276); - -var msg10646 = msg("8199", dup276); - -var msg10647 = msg("8200", dup276); - -var msg10648 = msg("8201", dup276); - -var msg10649 = msg("8202", dup276); - -var msg10650 = msg("8203", dup276); - -var msg10651 = msg("8204", dup276); - -var msg10652 = msg("8205", dup276); - -var msg10653 = msg("8206", dup276); - -var msg10654 = msg("8207", dup276); - -var msg10655 = msg("8208", dup276); - -var msg10656 = msg("8209", dup276); - -var msg10657 = msg("8210", dup276); - -var msg10658 = msg("8211", dup276); - -var msg10659 = msg("8212", dup276); - -var msg10660 = msg("8213", dup276); - -var msg10661 = msg("8214", dup276); - -var msg10662 = msg("8215", dup276); - -var msg10663 = msg("8216", dup276); - -var msg10664 = msg("8217", dup276); - -var msg10665 = msg("8218", dup276); - -var msg10666 = msg("8219", dup276); - -var msg10667 = msg("8220", dup276); - -var msg10668 = msg("8221", dup276); - -var msg10669 = msg("8222", dup276); - -var msg10670 = msg("8223", dup276); - -var msg10671 = msg("8224", dup276); - -var msg10672 = msg("8225", dup276); - -var msg10673 = msg("8226", dup276); - -var msg10674 = msg("8227", dup276); - -var msg10675 = msg("8228", dup276); - -var msg10676 = msg("8229", dup276); - -var msg10677 = 
msg("8230", dup276); - -var msg10678 = msg("8231", dup276); - -var msg10679 = msg("8232", dup276); - -var msg10680 = msg("8233", dup276); - -var msg10681 = msg("8234", dup276); - -var msg10682 = msg("8235", dup276); - -var msg10683 = msg("8236", dup276); - -var msg10684 = msg("8237", dup276); - -var msg10685 = msg("8238", dup276); - -var msg10686 = msg("8239", dup276); - -var msg10687 = msg("8240", dup276); - -var msg10688 = msg("8241", dup276); - -var msg10689 = msg("8242", dup276); - -var msg10690 = msg("8243", dup276); - -var msg10691 = msg("8244", dup276); - -var msg10692 = msg("8245", dup276); - -var msg10693 = msg("8246", dup276); - -var msg10694 = msg("8247", dup276); - -var msg10695 = msg("8248", dup276); - -var msg10696 = msg("8249", dup276); - -var msg10697 = msg("8250", dup276); - -var msg10698 = msg("8251", dup276); - -var msg10699 = msg("8252", dup276); - -var msg10700 = msg("8253", dup276); - -var msg10701 = msg("8254", dup276); - -var msg10702 = msg("8255", dup276); - -var msg10703 = msg("8256", dup276); - -var msg10704 = msg("8257", dup276); - -var msg10705 = msg("8258", dup276); - -var msg10706 = msg("8259", dup276); - -var msg10707 = msg("8260", dup276); - -var msg10708 = msg("8261", dup276); - -var msg10709 = msg("8262", dup276); - -var msg10710 = msg("8263", dup276); - -var msg10711 = msg("8264", dup276); - -var msg10712 = msg("8265", dup276); - -var msg10713 = msg("8266", dup276); - -var msg10714 = msg("8267", dup276); - -var msg10715 = msg("8268", dup276); - -var msg10716 = msg("8269", dup276); - -var msg10717 = msg("8270", dup276); - -var msg10718 = msg("8271", dup276); - -var msg10719 = msg("8272", dup276); - -var msg10720 = msg("8273", dup276); - -var msg10721 = msg("8274", dup276); - -var msg10722 = msg("8275", dup276); - -var msg10723 = msg("8276", dup276); - -var msg10724 = msg("8277", dup276); - -var msg10725 = msg("8278", dup276); - -var msg10726 = msg("8279", dup276); - -var msg10727 = msg("8280", dup276); - -var msg10728 = 
msg("8281", dup276); - -var msg10729 = msg("8282", dup276); - -var msg10730 = msg("8283", dup276); - -var msg10731 = msg("8284", dup276); - -var msg10732 = msg("8285", dup276); - -var msg10733 = msg("8286", dup276); - -var msg10734 = msg("8287", dup276); - -var msg10735 = msg("8288", dup276); - -var msg10736 = msg("8289", dup276); - -var msg10737 = msg("8290", dup276); - -var msg10738 = msg("8291", dup276); - -var msg10739 = msg("8292", dup276); - -var msg10740 = msg("8293", dup276); - -var msg10741 = msg("8294", dup276); - -var msg10742 = msg("8295", dup276); - -var msg10743 = msg("8296", dup276); - -var msg10744 = msg("8297", dup276); - -var msg10745 = msg("8298", dup276); - -var msg10746 = msg("8299", dup276); - -var msg10747 = msg("8300", dup276); - -var msg10748 = msg("8301", dup276); - -var msg10749 = msg("8302", dup276); - -var msg10750 = msg("8303", dup276); - -var msg10751 = msg("8304", dup276); - -var msg10752 = msg("8305", dup276); - -var msg10753 = msg("8306", dup276); - -var msg10754 = msg("8307", dup276); - -var msg10755 = msg("8308", dup276); - -var msg10756 = msg("8309", dup276); - -var msg10757 = msg("8310", dup276); - -var msg10758 = msg("8311", dup276); - -var msg10759 = msg("8312", dup276); - -var msg10760 = msg("8313", dup276); - -var msg10761 = msg("8314", dup276); - -var msg10762 = msg("8315", dup276); - -var msg10763 = msg("8316", dup276); - -var msg10764 = msg("8317", dup276); - -var msg10765 = msg("8318", dup276); - -var msg10766 = msg("8319", dup276); - -var msg10767 = msg("8320", dup276); - -var msg10768 = msg("8321", dup276); - -var msg10769 = msg("8322", dup276); - -var msg10770 = msg("8323", dup276); - -var msg10771 = msg("8324", dup276); - -var msg10772 = msg("8325", dup276); - -var msg10773 = msg("8326", dup276); - -var msg10774 = msg("8327", dup276); - -var msg10775 = msg("8328", dup276); - -var msg10776 = msg("8329", dup276); - -var msg10777 = msg("8330", dup276); - -var msg10778 = msg("8331", dup276); - -var msg10779 = 
msg("8332", dup276); - -var msg10780 = msg("8333", dup276); - -var msg10781 = msg("8334", dup276); - -var msg10782 = msg("8335", dup276); - -var msg10783 = msg("8336", dup276); - -var msg10784 = msg("8337", dup276); - -var msg10785 = msg("8338", dup276); - -var msg10786 = msg("8339", dup276); - -var msg10787 = msg("8340", dup276); - -var msg10788 = msg("8341", dup276); - -var msg10789 = msg("8342", dup276); - -var msg10790 = msg("8343", dup276); - -var msg10791 = msg("8344", dup276); - -var msg10792 = msg("8345", dup276); - -var msg10793 = msg("8346", dup276); - -var msg10794 = msg("8347", dup276); - -var msg10795 = msg("8348", dup276); - -var msg10796 = msg("8349", dup265); - -var msg10797 = msg("8350", dup196); - -var msg10798 = msg("8351", dup222); - -var msg10799 = msg("8352", dup303); - -var msg10800 = msg("8353", dup303); - -var msg10801 = msg("8354", dup303); - -var msg10802 = msg("8355", dup303); - -var msg10803 = msg("8356", dup303); - -var msg10804 = msg("8357", dup303); - -var msg10805 = msg("8358", dup303); - -var msg10806 = msg("8359", dup303); - -var msg10807 = msg("8360", dup303); - -var msg10808 = msg("8361", dup205); - -var msg10809 = msg("8362", dup205); - -var msg10810 = msg("8363", dup265); - -var msg10811 = msg("8364", dup265); - -var msg10812 = msg("8365", dup265); - -var msg10813 = msg("8366", dup265); - -var msg10814 = msg("8367", dup265); - -var msg10815 = msg("8368", dup265); - -var msg10816 = msg("8369", dup265); - -var msg10817 = msg("8370", dup265); - -var msg10818 = msg("8371", dup265); - -var msg10819 = msg("8372", dup265); - -var msg10820 = msg("8373", dup265); - -var msg10821 = msg("8374", dup265); - -var msg10822 = msg("8375", dup265); - -var msg10823 = msg("8376", dup265); - -var msg10824 = msg("8377", dup265); - -var msg10825 = msg("8378", dup265); - -var msg10826 = msg("8379", dup265); - -var msg10827 = msg("8380", dup265); - -var msg10828 = msg("8381", dup265); - -var msg10829 = msg("8382", dup265); - -var msg10830 = 
msg("8383", dup265); - -var msg10831 = msg("8384", dup265); - -var msg10832 = msg("8385", dup265); - -var msg10833 = msg("8386", dup265); - -var msg10834 = msg("8387", dup265); - -var msg10835 = msg("8388", dup265); - -var msg10836 = msg("8389", dup265); - -var msg10837 = msg("8390", dup265); - -var msg10838 = msg("8391", dup265); - -var msg10839 = msg("8392", dup265); - -var msg10840 = msg("8393", dup265); - -var msg10841 = msg("8394", dup265); - -var msg10842 = msg("8395", dup265); - -var msg10843 = msg("8396", dup265); - -var msg10844 = msg("8397", dup265); - -var msg10845 = msg("8398", dup265); - -var msg10846 = msg("8399", dup265); - -var msg10847 = msg("8400", dup265); - -var msg10848 = msg("8401", dup265); - -var msg10849 = msg("8402", dup265); - -var msg10850 = msg("8403", dup265); - -var msg10851 = msg("8404", dup265); - -var msg10852 = msg("8405", dup265); - -var msg10853 = msg("8406", dup265); - -var msg10854 = msg("8407", dup267); - -var msg10855 = msg("8408", dup267); - -var msg10856 = msg("8409", dup265); - -var msg10857 = msg("8410", dup265); - -var msg10858 = msg("8411", dup265); - -var msg10859 = msg("8412", dup265); - -var msg10860 = msg("8413", dup265); - -var msg10861 = msg("8414", dup201); - -var msg10862 = msg("8415", dup222); - -var msg10863 = msg("8416", dup267); - -var msg10864 = msg("8417", dup265); - -var msg10865 = msg("8418", dup265); - -var msg10866 = msg("8419", dup265); - -var msg10867 = msg("8420", dup265); - -var msg10868 = msg("8421", dup265); - -var msg10869 = msg("8422", dup265); - -var msg10870 = msg("8423", dup265); - -var msg10871 = msg("8424", dup265); - -var msg10872 = msg("8425", dup265); - -var msg10873 = msg("8426", dup201); - -var msg10874 = msg("8427", dup201); - -var msg10875 = msg("8428", dup201); - -var msg10876 = msg("8429", dup201); - -var msg10877 = msg("8430", dup201); - -var msg10878 = msg("8431", dup201); - -var msg10879 = msg("8432", dup201); - -var msg10880 = msg("8433", dup201); - -var msg10881 = 
msg("8434", dup201); - -var msg10882 = msg("8435", dup201); - -var msg10883 = msg("8436", dup201); - -var msg10884 = msg("8437", dup201); - -var msg10885 = msg("8438", dup201); - -var msg10886 = msg("8439", dup201); - -var msg10887 = msg("8440", dup201); - -var msg10888 = msg("8441", dup267); - -var msg10889 = msg("8442", dup250); - -var msg10890 = msg("8443", dup265); - -var msg10891 = msg("8444", dup265); - -var msg10892 = msg("8445", dup265); - -var msg10893 = msg("8446", dup196); - -var msg10894 = msg("8447", dup265); - -var msg10895 = msg("8448", dup267); - -var msg10896 = msg("8449", dup276); - -var msg10897 = msg("8450", dup276); - -var msg10898 = msg("8451", dup276); - -var msg10899 = msg("8452", dup276); - -var msg10900 = msg("8453", dup276); - -var msg10901 = msg("8454", dup276); - -var msg10902 = msg("8455", dup276); - -var msg10903 = msg("8456", dup276); - -var msg10904 = msg("8457", dup276); - -var msg10905 = msg("8458", dup276); - -var msg10906 = msg("8459", dup276); - -var msg10907 = msg("8460", dup276); - -var msg10908 = msg("8461", dup303); - -var msg10909 = msg("8462", dup303); - -var msg10910 = msg("8463", dup303); - -var msg10911 = msg("8464", dup303); - -var msg10912 = msg("8465", dup303); - -var msg10913 = msg("8466", dup303); - -var msg10914 = msg("8467", dup303); - -var msg10915 = msg("8468", dup303); - -var msg10916 = msg("8469", dup303); - -var msg10917 = msg("8470", dup205); - -var msg10918 = msg("8471", dup205); - -var msg10919 = msg("8472", dup205); - -var msg10920 = msg("8473", dup205); - -var msg10921 = msg("8474", dup205); - -var msg10922 = msg("8475", dup205); - -var msg10923 = msg("8476", dup205); - -var msg10924 = msg("8477", dup205); - -var msg10925 = msg("8478", dup265); - -var msg10926 = msg("8479", dup222); - -var msg10927 = msg("8480", dup222); - -var msg10928 = msg("8481", dup198); - -var msg10929 = msg("8482", dup196); - -var msg10930 = msg("8483", dup196); - -var msg10931 = msg("8484", dup301); - -var msg10932 = 
msg("8485", dup265); - -var msg10933 = msg("8486", dup265); - -var msg10934 = msg("8487", dup265); - -var msg10935 = msg("8488", dup265); - -var msg10936 = msg("8489", dup265); - -var msg10937 = msg("8490", dup265); - -var msg10938 = msg("8491", dup265); - -var msg10939 = msg("8492", dup265); - -var msg10940 = msg("8493", dup265); - -var msg10941 = msg("8494", dup197); - -var msg10942 = msg("8495", dup197); - -var msg10943 = msg("8496", dup240); - -var msg10944 = msg("8497", dup240); - -var msg10945 = msg("8498", dup240); - -var msg10946 = msg("8499", dup240); - -var msg10947 = msg("8500", dup240); - -var msg10948 = msg("8501", dup240); - -var msg10949 = msg("8502", dup240); - -var msg10950 = msg("8503", dup240); - -var msg10951 = msg("8504", dup240); - -var msg10952 = msg("8505", dup240); - -var msg10953 = msg("8506", dup240); - -var msg10954 = msg("8507", dup240); - -var msg10955 = msg("8508", dup240); - -var msg10956 = msg("8509", dup240); - -var msg10957 = msg("8510", dup240); - -var msg10958 = msg("8511", dup240); - -var msg10959 = msg("8512", dup240); - -var msg10960 = msg("8513", dup240); - -var msg10961 = msg("8514", dup240); - -var msg10962 = msg("8515", dup240); - -var msg10963 = msg("8516", dup240); - -var msg10964 = msg("8517", dup240); - -var msg10965 = msg("8518", dup240); - -var msg10966 = msg("8519", dup240); - -var msg10967 = msg("8520", dup240); - -var msg10968 = msg("8521", dup240); - -var msg10969 = msg("8522", dup240); - -var msg10970 = msg("8523", dup240); - -var msg10971 = msg("8524", dup240); - -var msg10972 = msg("8525", dup240); - -var msg10973 = msg("8526", dup240); - -var msg10974 = msg("8527", dup240); - -var msg10975 = msg("8528", dup240); - -var msg10976 = msg("8529", dup240); - -var msg10977 = msg("8530", dup240); - -var msg10978 = msg("8531", dup240); - -var msg10979 = msg("8532", dup240); - -var msg10980 = msg("8533", dup240); - -var msg10981 = msg("8534", dup240); - -var msg10982 = msg("8535", dup240); - -var msg10983 = 
msg("8536", dup240); - -var msg10984 = msg("8537", dup240); - -var msg10985 = msg("8538", dup240); - -var msg10986 = msg("8539", dup240); - -var msg10987 = msg("8540", dup240); - -var msg10988 = msg("8541", dup222); - -var msg10989 = msg("8542", dup303); - -var msg10990 = msg("8543", dup303); - -var msg10991 = msg("8544", dup303); - -var msg10992 = msg("8545", dup303); - -var msg10993 = msg("8546", dup303); - -var msg10994 = msg("8547", dup205); - -var msg10995 = msg("8548", dup205); - -var msg10996 = msg("8549", dup205); - -var msg10997 = msg("8550", dup222); - -var msg10998 = msg("8551", dup222); - -var msg10999 = msg("8552", dup276); - -var msg11000 = msg("8553", dup276); - -var msg11001 = msg("8554", dup276); - -var msg11002 = msg("8555", dup276); - -var msg11003 = msg("8556", dup276); - -var msg11004 = msg("8557", dup276); - -var msg11005 = msg("8558", dup276); - -var msg11006 = msg("8559", dup276); - -var msg11007 = msg("8560", dup276); - -var msg11008 = msg("8561", dup276); - -var msg11009 = msg("8562", dup276); - -var msg11010 = msg("8563", dup276); - -var msg11011 = msg("8564", dup276); - -var msg11012 = msg("8565", dup276); - -var msg11013 = msg("8566", dup276); - -var msg11014 = msg("8567", dup276); - -var msg11015 = msg("8568", dup276); - -var msg11016 = msg("8569", dup276); - -var msg11017 = msg("8570", dup276); - -var msg11018 = msg("8571", dup276); - -var msg11019 = msg("8572", dup276); - -var msg11020 = msg("8573", dup276); - -var msg11021 = msg("8574", dup276); - -var msg11022 = msg("8575", dup276); - -var msg11023 = msg("8576", dup276); - -var msg11024 = msg("8577", dup276); - -var msg11025 = msg("8578", dup276); - -var msg11026 = msg("8579", dup276); - -var msg11027 = msg("8580", dup276); - -var msg11028 = msg("8581", dup276); - -var msg11029 = msg("8582", dup276); - -var msg11030 = msg("8583", dup276); - -var msg11031 = msg("8584", dup276); - -var msg11032 = msg("8585", dup276); - -var msg11033 = msg("8586", dup276); - -var msg11034 = 
msg("8587", dup276); - -var msg11035 = msg("8588", dup276); - -var msg11036 = msg("8589", dup276); - -var msg11037 = msg("8590", dup276); - -var msg11038 = msg("8591", dup276); - -var msg11039 = msg("8592", dup276); - -var msg11040 = msg("8593", dup276); - -var msg11041 = msg("8594", dup276); - -var msg11042 = msg("8595", dup276); - -var msg11043 = msg("8596", dup276); - -var msg11044 = msg("8597", dup276); - -var msg11045 = msg("8598", dup276); - -var msg11046 = msg("8599", dup276); - -var msg11047 = msg("8600", dup276); - -var msg11048 = msg("8601", dup276); - -var msg11049 = msg("8602", dup276); - -var msg11050 = msg("8603", dup276); - -var msg11051 = msg("8604", dup276); - -var msg11052 = msg("8605", dup276); - -var msg11053 = msg("8606", dup276); - -var msg11054 = msg("8607", dup276); - -var msg11055 = msg("8608", dup276); - -var msg11056 = msg("8609", dup276); - -var msg11057 = msg("8610", dup276); - -var msg11058 = msg("8611", dup276); - -var msg11059 = msg("8612", dup276); - -var msg11060 = msg("8613", dup276); - -var msg11061 = msg("8614", dup276); - -var msg11062 = msg("8615", dup276); - -var msg11063 = msg("8616", dup276); - -var msg11064 = msg("8617", dup276); - -var msg11065 = msg("8618", dup276); - -var msg11066 = msg("8619", dup276); - -var msg11067 = msg("8620", dup276); - -var msg11068 = msg("8621", dup276); - -var msg11069 = msg("8622", dup276); - -var msg11070 = msg("8623", dup276); - -var msg11071 = msg("8624", dup276); - -var msg11072 = msg("8625", dup276); - -var msg11073 = msg("8626", dup276); - -var msg11074 = msg("8627", dup276); - -var msg11075 = msg("8628", dup276); - -var msg11076 = msg("8629", dup276); - -var msg11077 = msg("8630", dup276); - -var msg11078 = msg("8631", dup276); - -var msg11079 = msg("8632", dup276); - -var msg11080 = msg("8633", dup276); - -var msg11081 = msg("8634", dup276); - -var msg11082 = msg("8635", dup276); - -var msg11083 = msg("8636", dup276); - -var msg11084 = msg("8637", dup276); - -var msg11085 = 
msg("8638", dup276); - -var msg11086 = msg("8639", dup276); - -var msg11087 = msg("8640", dup276); - -var msg11088 = msg("8641", dup276); - -var msg11089 = msg("8642", dup276); - -var msg11090 = msg("8643", dup276); - -var msg11091 = msg("8644", dup276); - -var msg11092 = msg("8645", dup276); - -var msg11093 = msg("8646", dup276); - -var msg11094 = msg("8647", dup276); - -var msg11095 = msg("8648", dup276); - -var msg11096 = msg("8649", dup276); - -var msg11097 = msg("8650", dup276); - -var msg11098 = msg("8651", dup276); - -var msg11099 = msg("8652", dup276); - -var msg11100 = msg("8653", dup276); - -var msg11101 = msg("8654", dup276); - -var msg11102 = msg("8655", dup276); - -var msg11103 = msg("8656", dup276); - -var msg11104 = msg("8657", dup276); - -var msg11105 = msg("8658", dup276); - -var msg11106 = msg("8659", dup276); - -var msg11107 = msg("8660", dup276); - -var msg11108 = msg("8661", dup276); - -var msg11109 = msg("8662", dup276); - -var msg11110 = msg("8663", dup276); - -var msg11111 = msg("8664", dup276); - -var msg11112 = msg("8665", dup276); - -var msg11113 = msg("8666", dup276); - -var msg11114 = msg("8667", dup276); - -var msg11115 = msg("8668", dup276); - -var msg11116 = msg("8669", dup276); - -var msg11117 = msg("8670", dup276); - -var msg11118 = msg("8671", dup276); - -var msg11119 = msg("8672", dup276); - -var msg11120 = msg("8673", dup276); - -var msg11121 = msg("8674", dup276); - -var msg11122 = msg("8675", dup276); - -var msg11123 = msg("8676", dup276); - -var msg11124 = msg("8677", dup276); - -var msg11125 = msg("8678", dup276); - -var msg11126 = msg("8679", dup276); - -var msg11127 = msg("8680", dup276); - -var msg11128 = msg("8681", dup276); - -var msg11129 = msg("8682", dup276); - -var msg11130 = msg("8683", dup276); - -var msg11131 = msg("8684", dup276); - -var msg11132 = msg("8685", dup276); - -var msg11133 = msg("8686", dup276); - -var msg11134 = msg("8687", dup276); - -var msg11135 = msg("8688", dup276); - -var msg11136 = 
msg("8689", dup276); - -var msg11137 = msg("8690", dup201); - -var msg11138 = msg("8691", dup276); - -var msg11139 = msg("8692", dup201); - -var msg11140 = msg("8693", dup276); - -var msg11141 = msg("8694", dup201); - -var msg11142 = msg("8695", dup201); - -var msg11143 = msg("8696", dup276); - -var msg11144 = msg("8697", dup201); - -var msg11145 = msg("8698", dup276); - -var msg11146 = msg("8699", dup201); - -var msg11147 = msg("8700", dup265); - -var msg11148 = msg("8701", dup267); - -var msg11149 = msg("8702", dup222); - -var msg11150 = msg("8703", dup222); - -var msg11151 = msg("8704", dup250); - -var msg11152 = msg("8705", dup222); - -var msg11153 = msg("8706", dup222); - -var msg11154 = msg("8707", dup269); - -var msg11155 = msg("8708", dup267); - -var msg11156 = msg("8709", dup198); - -var msg11157 = msg("8710", dup198); - -var msg11158 = msg("8711", dup267); - -var msg11159 = msg("8712", dup269); - -var msg11160 = msg("8713", dup260); - -var msg11161 = msg("8714", dup260); - -var msg11162 = msg("8715", dup260); - -var msg11163 = msg("8716", dup260); - -var msg11164 = msg("8717", dup265); - -var msg11165 = msg("8718", dup265); - -var msg11166 = msg("8719", dup265); - -var msg11167 = msg("8720", dup265); - -var msg11168 = msg("8721", dup265); - -var msg11169 = msg("8722", dup265); - -var msg11170 = msg("8723", dup265); - -var msg11171 = msg("8724", dup265); - -var msg11172 = msg("8725", dup265); - -var msg11173 = msg("8726", dup265); - -var msg11174 = msg("8727", dup265); - -var msg11175 = msg("8728", dup265); - -var msg11176 = msg("8729", dup222); - -var msg11177 = msg("8730", dup198); - -var msg11178 = msg("8731", dup196); - -var msg11179 = msg("8732", dup196); - -var msg11180 = msg("8733", dup196); - -var msg11181 = msg("8734", dup269); - -var msg11182 = msg("8735", dup265); - -var msg11183 = msg("8736", dup265); - -var msg11184 = msg("8737", dup265); - -var msg11185 = msg("8738", dup265); - -var msg11186 = msg("8739", dup265); - -var msg11187 = 
msg("8740", dup265); - -var msg11188 = msg("8741", dup265); - -var msg11189 = msg("8742", dup265); - -var msg11190 = msg("8743", dup265); - -var msg11191 = msg("8744", dup265); - -var msg11192 = msg("8745", dup265); - -var msg11193 = msg("8746", dup265); - -var msg11194 = msg("8747", dup265); - -var msg11195 = msg("8748", dup265); - -var msg11196 = msg("8749", dup265); - -var msg11197 = msg("8750", dup265); - -var msg11198 = msg("8751", dup265); - -var msg11199 = msg("8752", dup265); - -var msg11200 = msg("8753", dup265); - -var msg11201 = msg("8754", dup265); - -var msg11202 = msg("8755", dup265); - -var msg11203 = msg("8756", dup265); - -var msg11204 = msg("8757", dup265); - -var msg11205 = msg("8758", dup265); - -var msg11206 = msg("8759", dup265); - -var msg11207 = msg("8760", dup265); - -var msg11208 = msg("8761", dup265); - -var msg11209 = msg("8762", dup265); - -var msg11210 = msg("8763", dup265); - -var msg11211 = msg("8764", dup265); - -var msg11212 = msg("8765", dup265); - -var msg11213 = msg("8766", dup265); - -var msg11214 = msg("8767", dup265); - -var msg11215 = msg("8768", dup265); - -var msg11216 = msg("8769", dup265); - -var msg11217 = msg("8770", dup265); - -var msg11218 = msg("8771", dup265); - -var msg11219 = msg("8772", dup265); - -var msg11220 = msg("8773", dup265); - -var msg11221 = msg("8774", dup265); - -var msg11222 = msg("8775", dup265); - -var msg11223 = msg("8776", dup265); - -var msg11224 = msg("8777", dup265); - -var msg11225 = msg("8778", dup265); - -var msg11226 = msg("8779", dup265); - -var msg11227 = msg("8780", dup265); - -var msg11228 = msg("8781", dup265); - -var msg11229 = msg("8782", dup265); - -var msg11230 = msg("8783", dup265); - -var msg11231 = msg("8784", dup265); - -var msg11232 = msg("8785", dup265); - -var msg11233 = msg("8786", dup265); - -var msg11234 = msg("8787", dup265); - -var msg11235 = msg("8788", dup265); - -var msg11236 = msg("8789", dup265); - -var msg11237 = msg("8790", dup265); - -var msg11238 = 
msg("8791", dup265); - -var msg11239 = msg("8792", dup265); - -var msg11240 = msg("8793", dup265); - -var msg11241 = msg("8794", dup265); - -var msg11242 = msg("8795", dup265); - -var msg11243 = msg("8796", dup265); - -var msg11244 = msg("8797", dup265); - -var msg11245 = msg("8798", dup265); - -var msg11246 = msg("8799", dup265); - -var msg11247 = msg("8800", dup265); - -var msg11248 = msg("8801", dup265); - -var msg11249 = msg("8802", dup265); - -var msg11250 = msg("8803", dup265); - -var msg11251 = msg("8804", dup265); - -var msg11252 = msg("8805", dup265); - -var msg11253 = msg("8806", dup265); - -var msg11254 = msg("8807", dup265); - -var msg11255 = msg("8808", dup265); - -var msg11256 = msg("8809", dup265); - -var msg11257 = msg("8810", dup265); - -var msg11258 = msg("8811", dup265); - -var msg11259 = msg("8812", dup265); - -var msg11260 = msg("8813", dup265); - -var msg11261 = msg("8814", dup265); - -var msg11262 = msg("8815", dup265); - -var msg11263 = msg("8816", dup265); - -var msg11264 = msg("8817", dup265); - -var msg11265 = msg("8818", dup265); - -var msg11266 = msg("8819", dup265); - -var msg11267 = msg("8820", dup265); - -var msg11268 = msg("8821", dup265); - -var msg11269 = msg("8822", dup265); - -var msg11270 = msg("8823", dup265); - -var msg11271 = msg("8824", dup265); - -var msg11272 = msg("8825", dup265); - -var msg11273 = msg("8826", dup265); - -var msg11274 = msg("8827", dup265); - -var msg11275 = msg("8828", dup265); - -var msg11276 = msg("8829", dup265); - -var msg11277 = msg("8830", dup265); - -var msg11278 = msg("8831", dup265); - -var msg11279 = msg("8832", dup265); - -var msg11280 = msg("8833", dup265); - -var msg11281 = msg("8834", dup265); - -var msg11282 = msg("8835", dup265); - -var msg11283 = msg("8836", dup265); - -var msg11284 = msg("8837", dup265); - -var msg11285 = msg("8838", dup265); - -var msg11286 = msg("8839", dup265); - -var msg11287 = msg("8840", dup265); - -var msg11288 = msg("8841", dup265); - -var msg11289 = 
msg("8842", dup265); - -var msg11290 = msg("8843", dup265); - -var msg11291 = msg("8844", dup265); - -var msg11292 = msg("8845", dup265); - -var msg11293 = msg("8846", dup265); - -var msg11294 = msg("8847", dup265); - -var msg11295 = msg("8848", dup265); - -var msg11296 = msg("8849", dup265); - -var msg11297 = msg("8850", dup265); - -var msg11298 = msg("8851", dup265); - -var msg11299 = msg("8852", dup265); - -var msg11300 = msg("8853", dup265); - -var msg11301 = msg("8854", dup265); - -var msg11302 = msg("8855", dup265); - -var msg11303 = msg("8856", dup265); - -var msg11304 = msg("8857", dup276); - -var msg11305 = msg("8858", dup276); - -var msg11306 = msg("8859", dup276); - -var msg11307 = msg("8860", dup276); - -var msg11308 = msg("8861", dup276); - -var msg11309 = msg("8862", dup276); - -var msg11310 = msg("8863", dup276); - -var msg11311 = msg("8864", dup276); - -var msg11312 = msg("8865", dup276); - -var msg11313 = msg("8866", dup276); - -var msg11314 = msg("8867", dup276); - -var msg11315 = msg("8868", dup276); - -var msg11316 = msg("8869", dup276); - -var msg11317 = msg("8870", dup276); - -var msg11318 = msg("8871", dup276); - -var msg11319 = msg("8872", dup276); - -var msg11320 = msg("8873", dup276); - -var msg11321 = msg("8874", dup276); - -var msg11322 = msg("8875", dup276); - -var msg11323 = msg("8876", dup276); - -var msg11324 = msg("8877", dup276); - -var msg11325 = msg("8878", dup276); - -var msg11326 = msg("8879", dup276); - -var msg11327 = msg("8880", dup276); - -var msg11328 = msg("8881", dup276); - -var msg11329 = msg("8882", dup276); - -var msg11330 = msg("8883", dup276); - -var msg11331 = msg("8884", dup276); - -var msg11332 = msg("8885", dup276); - -var msg11333 = msg("8886", dup276); - -var msg11334 = msg("8887", dup276); - -var msg11335 = msg("8888", dup276); - -var msg11336 = msg("8889", dup276); - -var msg11337 = msg("8890", dup276); - -var msg11338 = msg("8891", dup276); - -var msg11339 = msg("8892", dup276); - -var msg11340 = 
msg("8893", dup276); - -var msg11341 = msg("8894", dup276); - -var msg11342 = msg("8895", dup276); - -var msg11343 = msg("8896", dup276); - -var msg11344 = msg("8897", dup276); - -var msg11345 = msg("8898", dup276); - -var msg11346 = msg("8899", dup276); - -var msg11347 = msg("8900", dup276); - -var msg11348 = msg("8901", dup276); - -var msg11349 = msg("8902", dup276); - -var msg11350 = msg("8903", dup276); - -var msg11351 = msg("8904", dup276); - -var msg11352 = msg("8905", dup276); - -var msg11353 = msg("8906", dup276); - -var msg11354 = msg("8907", dup276); - -var msg11355 = msg("8908", dup276); - -var msg11356 = msg("8909", dup276); - -var msg11357 = msg("8910", dup276); - -var msg11358 = msg("8911", dup276); - -var msg11359 = msg("8912", dup276); - -var msg11360 = msg("8913", dup276); - -var msg11361 = msg("8914", dup276); - -var msg11362 = msg("8915", dup276); - -var msg11363 = msg("8916", dup276); - -var msg11364 = msg("8917", dup276); - -var msg11365 = msg("8918", dup276); - -var msg11366 = msg("8919", dup276); - -var msg11367 = msg("8920", dup276); - -var msg11368 = msg("8921", dup276); - -var msg11369 = msg("8922", dup276); - -var msg11370 = msg("8923", dup276); - -var msg11371 = msg("8924", dup276); - -var msg11372 = msg("8925", dup276); - -var msg11373 = msg("8926", dup276); - -var msg11374 = msg("8927", dup276); - -var msg11375 = msg("8928", dup276); - -var msg11376 = msg("8929", dup276); - -var msg11377 = msg("8930", dup276); - -var msg11378 = msg("8931", dup276); - -var msg11379 = msg("8932", dup276); - -var msg11380 = msg("8933", dup276); - -var msg11381 = msg("8934", dup276); - -var msg11382 = msg("8935", dup276); - -var msg11383 = msg("8936", dup276); - -var msg11384 = msg("8937", dup276); - -var msg11385 = msg("8938", dup276); - -var msg11386 = msg("8939", dup276); - -var msg11387 = msg("8940", dup276); - -var msg11388 = msg("8941", dup276); - -var msg11389 = msg("8942", dup276); - -var msg11390 = msg("8943", dup276); - -var msg11391 = 
msg("8944", dup276); - -var msg11392 = msg("8945", dup276); - -var msg11393 = msg("8946", dup276); - -var msg11394 = msg("8947", dup276); - -var msg11395 = msg("8948", dup276); - -var msg11396 = msg("8949", dup276); - -var msg11397 = msg("8950", dup276); - -var msg11398 = msg("8951", dup276); - -var msg11399 = msg("8952", dup276); - -var msg11400 = msg("8953", dup276); - -var msg11401 = msg("8954", dup276); - -var msg11402 = msg("8955", dup276); - -var msg11403 = msg("8956", dup276); - -var msg11404 = msg("8957", dup276); - -var msg11405 = msg("8958", dup276); - -var msg11406 = msg("8959", dup276); - -var msg11407 = msg("8960", dup276); - -var msg11408 = msg("8961", dup276); - -var msg11409 = msg("8962", dup276); - -var msg11410 = msg("8963", dup276); - -var msg11411 = msg("8964", dup276); - -var msg11412 = msg("8965", dup276); - -var msg11413 = msg("8966", dup276); - -var msg11414 = msg("8967", dup276); - -var msg11415 = msg("8968", dup276); - -var msg11416 = msg("8969", dup276); - -var msg11417 = msg("8970", dup276); - -var msg11418 = msg("8971", dup276); - -var msg11419 = msg("8972", dup276); - -var msg11420 = msg("8973", dup276); - -var msg11421 = msg("8974", dup276); - -var msg11422 = msg("8975", dup276); - -var msg11423 = msg("8976", dup276); - -var msg11424 = msg("8977", dup276); - -var msg11425 = msg("8978", dup276); - -var msg11426 = msg("8979", dup276); - -var msg11427 = msg("8980", dup276); - -var msg11428 = msg("8981", dup276); - -var msg11429 = msg("8982", dup276); - -var msg11430 = msg("8983", dup276); - -var msg11431 = msg("8984", dup276); - -var msg11432 = msg("8985", dup276); - -var msg11433 = msg("8986", dup276); - -var msg11434 = msg("8987", dup276); - -var msg11435 = msg("8988", dup276); - -var msg11436 = msg("8989", dup276); - -var msg11437 = msg("8990", dup276); - -var msg11438 = msg("8991", dup276); - -var msg11439 = msg("8992", dup276); - -var msg11440 = msg("8993", dup276); - -var msg11441 = msg("8994", dup276); - -var msg11442 = 
msg("8995", dup276); - -var msg11443 = msg("8996", dup276); - -var msg11444 = msg("8997", dup276); - -var msg11445 = msg("8998", dup276); - -var msg11446 = msg("8999", dup276); - -var msg11447 = msg("9000", dup276); - -var msg11448 = msg("9001", dup276); - -var msg11449 = msg("9002", dup276); - -var msg11450 = msg("9003", dup276); - -var msg11451 = msg("9004", dup276); - -var msg11452 = msg("9005", dup276); - -var msg11453 = msg("9006", dup276); - -var msg11454 = msg("9007", dup276); - -var msg11455 = msg("9008", dup276); - -var msg11456 = msg("9009", dup276); - -var msg11457 = msg("9010", dup276); - -var msg11458 = msg("9011", dup276); - -var msg11459 = msg("9012", dup276); - -var msg11460 = msg("9013", dup276); - -var msg11461 = msg("9014", dup276); - -var msg11462 = msg("9015", dup276); - -var msg11463 = msg("9016", dup276); - -var msg11464 = msg("9017", dup276); - -var msg11465 = msg("9018", dup276); - -var msg11466 = msg("9019", dup276); - -var msg11467 = msg("9020", dup276); - -var msg11468 = msg("9021", dup276); - -var msg11469 = msg("9022", dup276); - -var msg11470 = msg("9023", dup276); - -var msg11471 = msg("9024", dup276); - -var msg11472 = msg("9025", dup276); - -var msg11473 = msg("9026", dup276); - -var msg11474 = msg("9027", dup276); - -var msg11475 = msg("9028", dup276); - -var msg11476 = msg("9029", dup276); - -var msg11477 = msg("9030", dup276); - -var msg11478 = msg("9031", dup276); - -var msg11479 = msg("9032", dup276); - -var msg11480 = msg("9033", dup276); - -var msg11481 = msg("9034", dup276); - -var msg11482 = msg("9035", dup276); - -var msg11483 = msg("9036", dup276); - -var msg11484 = msg("9037", dup276); - -var msg11485 = msg("9038", dup276); - -var msg11486 = msg("9039", dup276); - -var msg11487 = msg("9040", dup276); - -var msg11488 = msg("9041", dup276); - -var msg11489 = msg("9042", dup276); - -var msg11490 = msg("9043", dup276); - -var msg11491 = msg("9044", dup276); - -var msg11492 = msg("9045", dup276); - -var msg11493 = 
msg("9046", dup276); - -var msg11494 = msg("9047", dup276); - -var msg11495 = msg("9048", dup276); - -var msg11496 = msg("9049", dup276); - -var msg11497 = msg("9050", dup276); - -var msg11498 = msg("9051", dup276); - -var msg11499 = msg("9052", dup276); - -var msg11500 = msg("9053", dup276); - -var msg11501 = msg("9054", dup276); - -var msg11502 = msg("9055", dup276); - -var msg11503 = msg("9056", dup276); - -var msg11504 = msg("9057", dup276); - -var msg11505 = msg("9058", dup276); - -var msg11506 = msg("9059", dup276); - -var msg11507 = msg("9060", dup276); - -var msg11508 = msg("9061", dup276); - -var msg11509 = msg("9062", dup276); - -var msg11510 = msg("9063", dup276); - -var msg11511 = msg("9064", dup276); - -var msg11512 = msg("9065", dup276); - -var msg11513 = msg("9066", dup276); - -var msg11514 = msg("9067", dup276); - -var msg11515 = msg("9068", dup276); - -var msg11516 = msg("9069", dup276); - -var msg11517 = msg("9070", dup276); - -var msg11518 = msg("9071", dup276); - -var msg11519 = msg("9072", dup276); - -var msg11520 = msg("9073", dup276); - -var msg11521 = msg("9074", dup276); - -var msg11522 = msg("9075", dup276); - -var msg11523 = msg("9076", dup276); - -var msg11524 = msg("9077", dup276); - -var msg11525 = msg("9078", dup276); - -var msg11526 = msg("9079", dup276); - -var msg11527 = msg("9080", dup276); - -var msg11528 = msg("9081", dup276); - -var msg11529 = msg("9082", dup276); - -var msg11530 = msg("9083", dup276); - -var msg11531 = msg("9084", dup276); - -var msg11532 = msg("9085", dup276); - -var msg11533 = msg("9086", dup276); - -var msg11534 = msg("9087", dup276); - -var msg11535 = msg("9088", dup276); - -var msg11536 = msg("9089", dup276); - -var msg11537 = msg("9090", dup276); - -var msg11538 = msg("9091", dup276); - -var msg11539 = msg("9092", dup276); - -var msg11540 = msg("9093", dup276); - -var msg11541 = msg("9094", dup276); - -var msg11542 = msg("9095", dup276); - -var msg11543 = msg("9096", dup276); - -var msg11544 = 
msg("9097", dup276); - -var msg11545 = msg("9098", dup276); - -var msg11546 = msg("9099", dup276); - -var msg11547 = msg("9100", dup276); - -var msg11548 = msg("9101", dup276); - -var msg11549 = msg("9102", dup276); - -var msg11550 = msg("9103", dup276); - -var msg11551 = msg("9104", dup276); - -var msg11552 = msg("9105", dup276); - -var msg11553 = msg("9106", dup276); - -var msg11554 = msg("9107", dup276); - -var msg11555 = msg("9108", dup276); - -var msg11556 = msg("9109", dup276); - -var msg11557 = msg("9110", dup276); - -var msg11558 = msg("9111", dup276); - -var msg11559 = msg("9112", dup276); - -var msg11560 = msg("9113", dup276); - -var msg11561 = msg("9114", dup276); - -var msg11562 = msg("9115", dup276); - -var msg11563 = msg("9116", dup276); - -var msg11564 = msg("9117", dup276); - -var msg11565 = msg("9118", dup276); - -var msg11566 = msg("9119", dup276); - -var msg11567 = msg("9120", dup276); - -var msg11568 = msg("9121", dup276); - -var msg11569 = msg("9122", dup276); - -var msg11570 = msg("9123", dup276); - -var msg11571 = msg("9124", dup276); - -var msg11572 = msg("9125", dup276); - -var msg11573 = msg("9126", dup276); - -var msg11574 = msg("9127", dup276); - -var msg11575 = msg("9128", dup276); - -var msg11576 = msg("9129", dup265); - -var msg11577 = msg("9130", dup265); - -var msg11578 = msg("9131", dup265); - -var msg11579 = msg("9132", dup276); - -var msg11580 = msg("9133", dup276); - -var msg11581 = msg("9134", dup276); - -var msg11582 = msg("9135", dup276); - -var msg11583 = msg("9136", dup276); - -var msg11584 = msg("9137", dup276); - -var msg11585 = msg("9138", dup276); - -var msg11586 = msg("9139", dup276); - -var msg11587 = msg("9140", dup276); - -var msg11588 = msg("9141", dup276); - -var msg11589 = msg("9142", dup276); - -var msg11590 = msg("9143", dup276); - -var msg11591 = msg("9144", dup276); - -var msg11592 = msg("9145", dup276); - -var msg11593 = msg("9146", dup276); - -var msg11594 = msg("9147", dup276); - -var msg11595 = 
msg("9148", dup276); - -var msg11596 = msg("9149", dup276); - -var msg11597 = msg("9150", dup276); - -var msg11598 = msg("9151", dup276); - -var msg11599 = msg("9152", dup276); - -var msg11600 = msg("9153", dup276); - -var msg11601 = msg("9154", dup276); - -var msg11602 = msg("9155", dup276); - -var msg11603 = msg("9156", dup276); - -var msg11604 = msg("9157", dup276); - -var msg11605 = msg("9158", dup276); - -var msg11606 = msg("9159", dup276); - -var msg11607 = msg("9160", dup276); - -var msg11608 = msg("9161", dup276); - -var msg11609 = msg("9162", dup276); - -var msg11610 = msg("9163", dup276); - -var msg11611 = msg("9164", dup276); - -var msg11612 = msg("9165", dup276); - -var msg11613 = msg("9166", dup276); - -var msg11614 = msg("9167", dup276); - -var msg11615 = msg("9168", dup276); - -var msg11616 = msg("9169", dup276); - -var msg11617 = msg("9170", dup276); - -var msg11618 = msg("9171", dup276); - -var msg11619 = msg("9172", dup276); - -var msg11620 = msg("9173", dup276); - -var msg11621 = msg("9174", dup276); - -var msg11622 = msg("9175", dup276); - -var msg11623 = msg("9176", dup276); - -var msg11624 = msg("9177", dup276); - -var msg11625 = msg("9178", dup276); - -var msg11626 = msg("9179", dup276); - -var msg11627 = msg("9180", dup276); - -var msg11628 = msg("9181", dup276); - -var msg11629 = msg("9182", dup276); - -var msg11630 = msg("9183", dup276); - -var msg11631 = msg("9184", dup276); - -var msg11632 = msg("9185", dup276); - -var msg11633 = msg("9186", dup276); - -var msg11634 = msg("9187", dup276); - -var msg11635 = msg("9188", dup276); - -var msg11636 = msg("9189", dup276); - -var msg11637 = msg("9190", dup276); - -var msg11638 = msg("9191", dup276); - -var msg11639 = msg("9192", dup276); - -var msg11640 = msg("9193", dup276); - -var msg11641 = msg("9194", dup276); - -var msg11642 = msg("9195", dup276); - -var msg11643 = msg("9196", dup276); - -var msg11644 = msg("9197", dup276); - -var msg11645 = msg("9198", dup276); - -var msg11646 = 
msg("9199", dup276); - -var msg11647 = msg("9200", dup276); - -var msg11648 = msg("9201", dup276); - -var msg11649 = msg("9202", dup276); - -var msg11650 = msg("9203", dup276); - -var msg11651 = msg("9204", dup276); - -var msg11652 = msg("9205", dup276); - -var msg11653 = msg("9206", dup276); - -var msg11654 = msg("9207", dup276); - -var msg11655 = msg("9208", dup276); - -var msg11656 = msg("9209", dup276); - -var msg11657 = msg("9210", dup276); - -var msg11658 = msg("9211", dup276); - -var msg11659 = msg("9212", dup276); - -var msg11660 = msg("9213", dup276); - -var msg11661 = msg("9214", dup276); - -var msg11662 = msg("9215", dup276); - -var msg11663 = msg("9216", dup276); - -var msg11664 = msg("9217", dup276); - -var msg11665 = msg("9218", dup276); - -var msg11666 = msg("9219", dup276); - -var msg11667 = msg("9220", dup276); - -var msg11668 = msg("9221", dup276); - -var msg11669 = msg("9222", dup276); - -var msg11670 = msg("9223", dup276); - -var msg11671 = msg("9224", dup276); - -var msg11672 = msg("9225", dup276); - -var msg11673 = msg("9226", dup276); - -var msg11674 = msg("9227", dup276); - -var msg11675 = msg("9228", dup276); - -var msg11676 = msg("9229", dup276); - -var msg11677 = msg("9230", dup276); - -var msg11678 = msg("9231", dup276); - -var msg11679 = msg("9232", dup276); - -var msg11680 = msg("9233", dup276); - -var msg11681 = msg("9234", dup276); - -var msg11682 = msg("9235", dup276); - -var msg11683 = msg("9236", dup276); - -var msg11684 = msg("9237", dup276); - -var msg11685 = msg("9238", dup276); - -var msg11686 = msg("9239", dup276); - -var msg11687 = msg("9240", dup276); - -var msg11688 = msg("9241", dup276); - -var msg11689 = msg("9242", dup276); - -var msg11690 = msg("9243", dup276); - -var msg11691 = msg("9244", dup276); - -var msg11692 = msg("9245", dup276); - -var msg11693 = msg("9246", dup276); - -var msg11694 = msg("9247", dup276); - -var msg11695 = msg("9248", dup276); - -var msg11696 = msg("9249", dup276); - -var msg11697 = 
msg("9250", dup276); - -var msg11698 = msg("9251", dup276); - -var msg11699 = msg("9252", dup276); - -var msg11700 = msg("9253", dup276); - -var msg11701 = msg("9254", dup276); - -var msg11702 = msg("9255", dup276); - -var msg11703 = msg("9256", dup276); - -var msg11704 = msg("9257", dup276); - -var msg11705 = msg("9258", dup276); - -var msg11706 = msg("9259", dup276); - -var msg11707 = msg("9260", dup276); - -var msg11708 = msg("9261", dup276); - -var msg11709 = msg("9262", dup276); - -var msg11710 = msg("9263", dup276); - -var msg11711 = msg("9264", dup276); - -var msg11712 = msg("9265", dup276); - -var msg11713 = msg("9266", dup276); - -var msg11714 = msg("9267", dup276); - -var msg11715 = msg("9268", dup276); - -var msg11716 = msg("9269", dup276); - -var msg11717 = msg("9270", dup276); - -var msg11718 = msg("9271", dup276); - -var msg11719 = msg("9272", dup276); - -var msg11720 = msg("9273", dup276); - -var msg11721 = msg("9274", dup276); - -var msg11722 = msg("9275", dup276); - -var msg11723 = msg("9276", dup276); - -var msg11724 = msg("9277", dup276); - -var msg11725 = msg("9278", dup276); - -var msg11726 = msg("9279", dup276); - -var msg11727 = msg("9280", dup276); - -var msg11728 = msg("9281", dup276); - -var msg11729 = msg("9282", dup276); - -var msg11730 = msg("9283", dup276); - -var msg11731 = msg("9284", dup276); - -var msg11732 = msg("9285", dup276); - -var msg11733 = msg("9286", dup276); - -var msg11734 = msg("9287", dup276); - -var msg11735 = msg("9288", dup276); - -var msg11736 = msg("9289", dup276); - -var msg11737 = msg("9290", dup276); - -var msg11738 = msg("9291", dup276); - -var msg11739 = msg("9292", dup276); - -var msg11740 = msg("9293", dup276); - -var msg11741 = msg("9294", dup276); - -var msg11742 = msg("9295", dup276); - -var msg11743 = msg("9296", dup276); - -var msg11744 = msg("9297", dup276); - -var msg11745 = msg("9298", dup276); - -var msg11746 = msg("9299", dup276); - -var msg11747 = msg("9300", dup276); - -var msg11748 = 
msg("9301", dup276); - -var msg11749 = msg("9302", dup276); - -var msg11750 = msg("9303", dup276); - -var msg11751 = msg("9304", dup276); - -var msg11752 = msg("9305", dup276); - -var msg11753 = msg("9306", dup276); - -var msg11754 = msg("9307", dup276); - -var msg11755 = msg("9308", dup276); - -var msg11756 = msg("9309", dup276); - -var msg11757 = msg("9310", dup276); - -var msg11758 = msg("9311", dup276); - -var msg11759 = msg("9312", dup276); - -var msg11760 = msg("9313", dup276); - -var msg11761 = msg("9314", dup276); - -var msg11762 = msg("9315", dup276); - -var msg11763 = msg("9316", dup276); - -var msg11764 = msg("9317", dup276); - -var msg11765 = msg("9318", dup276); - -var msg11766 = msg("9319", dup276); - -var msg11767 = msg("9320", dup276); - -var msg11768 = msg("9321", dup276); - -var msg11769 = msg("9322", dup276); - -var msg11770 = msg("9323", dup276); - -var msg11771 = msg("9324", dup196); - -var msg11772 = msg("9325", dup198); - -var msg11773 = msg("9326", dup250); - -var msg11774 = msg("9327", dup250); - -var msg11775 = msg("9328", dup250); - -var msg11776 = msg("9329", dup250); - -var msg11777 = msg("9330", dup250); - -var msg11778 = msg("9331", dup250); - -var msg11779 = msg("9332", dup250); - -var msg11780 = msg("9333", dup250); - -var msg11781 = msg("9334", dup250); - -var msg11782 = msg("9335", dup250); - -var msg11783 = msg("9336", dup250); - -var msg11784 = msg("9337", dup250); - -var msg11785 = msg("9338", dup250); - -var msg11786 = msg("9339", dup196); - -var msg11787 = msg("9340", dup196); - -var msg11788 = msg("9341", dup227); - -var msg11789 = msg("9342", dup250); - -var msg11790 = msg("9343", dup250); - -var msg11791 = msg("9344", dup250); - -var msg11792 = msg("9345", dup287); - -var msg11793 = msg("9346", dup196); - -var msg11794 = msg("9347", dup196); - -var msg11795 = msg("9348", dup250); - -var msg11796 = msg("9349", dup250); - -var msg11797 = msg("9350", dup250); - -var msg11798 = msg("9351", dup196); - -var msg11799 = 
msg("9352", dup250); - -var msg11800 = msg("9353", dup196); - -var msg11801 = msg("9354", dup196); - -var msg11802 = msg("9355", dup196); - -var msg11803 = msg("9356", dup196); - -var msg11804 = msg("9357", dup196); - -var msg11805 = msg("9358", dup250); - -var msg11806 = msg("9359", dup250); - -var msg11807 = msg("9360", dup250); - -var msg11808 = msg("9361", dup250); - -var msg11809 = msg("9362", dup250); - -var msg11810 = msg("9363", dup196); - -var msg11811 = msg("9364", dup196); - -var msg11812 = msg("9365", dup250); - -var msg11813 = msg("9366", dup250); - -var msg11814 = msg("9367", dup250); - -var msg11815 = msg("9368", dup250); - -var msg11816 = msg("9369", dup250); - -var msg11817 = msg("9370", dup250); - -var msg11818 = msg("9371", dup250); - -var msg11819 = msg("9372", dup250); - -var msg11820 = msg("9373", dup250); - -var msg11821 = msg("9374", dup250); - -var msg11822 = msg("9375", dup250); - -var msg11823 = msg("9376", dup250); - -var msg11824 = msg("9377", dup250); - -var msg11825 = msg("9378", dup250); - -var msg11826 = msg("9379", dup250); - -var msg11827 = msg("9380", dup196); - -var msg11828 = msg("9381", dup250); - -var msg11829 = msg("9382", dup250); - -var msg11830 = msg("9383", dup250); - -var msg11831 = msg("9384", dup250); - -var msg11832 = msg("9385", dup250); - -var msg11833 = msg("9386", dup250); - -var msg11834 = msg("9387", dup196); - -var msg11835 = msg("9388", dup250); - -var msg11836 = msg("9389", dup250); - -var msg11837 = msg("9390", dup196); - -var msg11838 = msg("9391", dup250); - -var msg11839 = msg("9392", dup250); - -var msg11840 = msg("9393", dup250); - -var msg11841 = msg("9394", dup250); - -var msg11842 = msg("9395", dup196); - -var msg11843 = msg("9396", dup196); - -var msg11844 = msg("9397", dup250); - -var msg11845 = msg("9398", dup250); - -var msg11846 = msg("9399", dup250); - -var msg11847 = msg("9400", dup250); - -var msg11848 = msg("9401", dup265); - -var msg11849 = msg("9402", dup274); - -var msg11850 = 
msg("9403", dup250); - -var msg11851 = msg("9404", dup250); - -var msg11852 = msg("9405", dup250); - -var msg11853 = msg("9406", dup250); - -var msg11854 = msg("9407", dup196); - -var msg11855 = msg("9408", dup250); - -var msg11856 = msg("9409", dup250); - -var msg11857 = msg("9410", dup250); - -var msg11858 = msg("9411", dup250); - -var msg11859 = msg("9412", dup196); - -var msg11860 = msg("9413", dup250); - -var msg11861 = msg("9414", dup250); - -var msg11862 = msg("9415", dup250); - -var msg11863 = msg("9416", dup250); - -var msg11864 = msg("9417", dup250); - -var msg11865 = msg("9418", dup265); - -var msg11866 = msg("9419", dup196); - -var msg11867 = msg("9420", dup196); - -var msg11868 = msg("9421", dup196); - -var msg11869 = msg("9422", dup196); - -var msg11870 = msg("9423", dup196); - -var msg11871 = msg("9424", dup196); - -var msg11872 = msg("9425", dup196); - -var msg11873 = msg("9426", dup196); - -var msg11874 = msg("9427", dup265); - -var msg11875 = msg("9428", dup265); - -var msg11876 = msg("9429", dup265); - -var msg11877 = msg("9430", dup265); - -var msg11878 = msg("9431", dup222); - -var msg11879 = msg("9432", dup267); - -var msg11880 = msg("9433", dup267); - -var msg11881 = msg("9434", dup267); - -var msg11882 = msg("9435", dup267); - -var msg11883 = msg("9436", dup267); - -var msg11884 = msg("9437", dup276); - -var msg11885 = msg("9438", dup276); - -var msg11886 = msg("9439", dup276); - -var msg11887 = msg("9440", dup276); - -var msg11888 = msg("9441", dup276); - -var msg11889 = msg("9442", dup276); - -var msg11890 = msg("9443", dup276); - -var msg11891 = msg("9444", dup276); - -var msg11892 = msg("9445", dup276); - -var msg11893 = msg("9446", dup276); - -var msg11894 = msg("9447", dup276); - -var msg11895 = msg("9448", dup276); - -var msg11896 = msg("9449", dup276); - -var msg11897 = msg("9450", dup276); - -var msg11898 = msg("9451", dup276); - -var msg11899 = msg("9452", dup276); - -var msg11900 = msg("9453", dup276); - -var msg11901 = 
msg("9454", dup276); - -var msg11902 = msg("9455", dup276); - -var msg11903 = msg("9456", dup276); - -var msg11904 = msg("9457", dup276); - -var msg11905 = msg("9458", dup276); - -var msg11906 = msg("9459", dup276); - -var msg11907 = msg("9460", dup276); - -var msg11908 = msg("9461", dup276); - -var msg11909 = msg("9462", dup276); - -var msg11910 = msg("9463", dup276); - -var msg11911 = msg("9464", dup276); - -var msg11912 = msg("9465", dup276); - -var msg11913 = msg("9466", dup276); - -var msg11914 = msg("9467", dup276); - -var msg11915 = msg("9468", dup276); - -var msg11916 = msg("9469", dup276); - -var msg11917 = msg("9470", dup276); - -var msg11918 = msg("9471", dup276); - -var msg11919 = msg("9472", dup276); - -var msg11920 = msg("9473", dup276); - -var msg11921 = msg("9474", dup276); - -var msg11922 = msg("9475", dup276); - -var msg11923 = msg("9476", dup276); - -var msg11924 = msg("9477", dup276); - -var msg11925 = msg("9478", dup276); - -var msg11926 = msg("9479", dup276); - -var msg11927 = msg("9480", dup276); - -var msg11928 = msg("9481", dup276); - -var msg11929 = msg("9482", dup276); - -var msg11930 = msg("9483", dup276); - -var msg11931 = msg("9484", dup276); - -var msg11932 = msg("9485", dup276); - -var msg11933 = msg("9486", dup276); - -var msg11934 = msg("9487", dup276); - -var msg11935 = msg("9488", dup276); - -var msg11936 = msg("9489", dup276); - -var msg11937 = msg("9490", dup276); - -var msg11938 = msg("9491", dup276); - -var msg11939 = msg("9492", dup276); - -var msg11940 = msg("9493", dup276); - -var msg11941 = msg("9494", dup276); - -var msg11942 = msg("9495", dup276); - -var msg11943 = msg("9496", dup276); - -var msg11944 = msg("9497", dup276); - -var msg11945 = msg("9498", dup276); - -var msg11946 = msg("9499", dup276); - -var msg11947 = msg("9500", dup276); - -var msg11948 = msg("9501", dup276); - -var msg11949 = msg("9502", dup276); - -var msg11950 = msg("9503", dup276); - -var msg11951 = msg("9504", dup276); - -var msg11952 = 
msg("9505", dup276); - -var msg11953 = msg("9506", dup276); - -var msg11954 = msg("9507", dup276); - -var msg11955 = msg("9508", dup276); - -var msg11956 = msg("9509", dup276); - -var msg11957 = msg("9510", dup276); - -var msg11958 = msg("9511", dup276); - -var msg11959 = msg("9512", dup276); - -var msg11960 = msg("9513", dup276); - -var msg11961 = msg("9514", dup276); - -var msg11962 = msg("9515", dup276); - -var msg11963 = msg("9516", dup276); - -var msg11964 = msg("9517", dup276); - -var msg11965 = msg("9518", dup276); - -var msg11966 = msg("9519", dup276); - -var msg11967 = msg("9520", dup276); - -var msg11968 = msg("9521", dup276); - -var msg11969 = msg("9522", dup276); - -var msg11970 = msg("9523", dup276); - -var msg11971 = msg("9524", dup276); - -var msg11972 = msg("9525", dup276); - -var msg11973 = msg("9526", dup276); - -var msg11974 = msg("9527", dup276); - -var msg11975 = msg("9528", dup276); - -var msg11976 = msg("9529", dup276); - -var msg11977 = msg("9530", dup276); - -var msg11978 = msg("9531", dup276); - -var msg11979 = msg("9532", dup276); - -var msg11980 = msg("9533", dup276); - -var msg11981 = msg("9534", dup276); - -var msg11982 = msg("9535", dup276); - -var msg11983 = msg("9536", dup276); - -var msg11984 = msg("9537", dup276); - -var msg11985 = msg("9538", dup276); - -var msg11986 = msg("9539", dup276); - -var msg11987 = msg("9540", dup276); - -var msg11988 = msg("9541", dup276); - -var msg11989 = msg("9542", dup276); - -var msg11990 = msg("9543", dup276); - -var msg11991 = msg("9544", dup276); - -var msg11992 = msg("9545", dup276); - -var msg11993 = msg("9546", dup276); - -var msg11994 = msg("9547", dup276); - -var msg11995 = msg("9548", dup276); - -var msg11996 = msg("9549", dup276); - -var msg11997 = msg("9550", dup276); - -var msg11998 = msg("9551", dup276); - -var msg11999 = msg("9552", dup276); - -var msg12000 = msg("9553", dup276); - -var msg12001 = msg("9554", dup276); - -var msg12002 = msg("9555", dup276); - -var msg12003 = 
msg("9556", dup276); - -var msg12004 = msg("9557", dup276); - -var msg12005 = msg("9558", dup276); - -var msg12006 = msg("9559", dup276); - -var msg12007 = msg("9560", dup276); - -var msg12008 = msg("9561", dup276); - -var msg12009 = msg("9562", dup276); - -var msg12010 = msg("9563", dup276); - -var msg12011 = msg("9564", dup276); - -var msg12012 = msg("9565", dup276); - -var msg12013 = msg("9566", dup276); - -var msg12014 = msg("9567", dup276); - -var msg12015 = msg("9568", dup276); - -var msg12016 = msg("9569", dup276); - -var msg12017 = msg("9570", dup276); - -var msg12018 = msg("9571", dup276); - -var msg12019 = msg("9572", dup276); - -var msg12020 = msg("9573", dup276); - -var msg12021 = msg("9574", dup276); - -var msg12022 = msg("9575", dup276); - -var msg12023 = msg("9576", dup276); - -var msg12024 = msg("9577", dup276); - -var msg12025 = msg("9578", dup276); - -var msg12026 = msg("9579", dup276); - -var msg12027 = msg("9580", dup276); - -var msg12028 = msg("9581", dup276); - -var msg12029 = msg("9582", dup276); - -var msg12030 = msg("9583", dup276); - -var msg12031 = msg("9584", dup276); - -var msg12032 = msg("9585", dup276); - -var msg12033 = msg("9586", dup276); - -var msg12034 = msg("9587", dup276); - -var msg12035 = msg("9588", dup276); - -var msg12036 = msg("9589", dup276); - -var msg12037 = msg("9590", dup276); - -var msg12038 = msg("9591", dup276); - -var msg12039 = msg("9592", dup276); - -var msg12040 = msg("9593", dup276); - -var msg12041 = msg("9594", dup276); - -var msg12042 = msg("9595", dup276); - -var msg12043 = msg("9596", dup276); - -var msg12044 = msg("9597", dup276); - -var msg12045 = msg("9598", dup276); - -var msg12046 = msg("9599", dup276); - -var msg12047 = msg("9600", dup276); - -var msg12048 = msg("9601", dup276); - -var msg12049 = msg("9602", dup276); - -var msg12050 = msg("9603", dup276); - -var msg12051 = msg("9604", dup276); - -var msg12052 = msg("9605", dup276); - -var msg12053 = msg("9606", dup276); - -var msg12054 = 
msg("9607", dup276); - -var msg12055 = msg("9608", dup276); - -var msg12056 = msg("9609", dup276); - -var msg12057 = msg("9610", dup276); - -var msg12058 = msg("9611", dup276); - -var msg12059 = msg("9612", dup276); - -var msg12060 = msg("9613", dup276); - -var msg12061 = msg("9614", dup276); - -var msg12062 = msg("9615", dup276); - -var msg12063 = msg("9616", dup276); - -var msg12064 = msg("9617", dup276); - -var msg12065 = msg("9618", dup276); - -var msg12066 = msg("9619", dup267); - -var msg12067 = msg("9620", dup267); - -var msg12068 = msg("9621", dup295); - -var msg12069 = msg("9622", dup198); - -var msg12070 = msg("9623", dup273); - -var msg12071 = msg("9624", dup273); - -var msg12072 = msg("9625", dup267); - -var msg12073 = msg("9626", dup265); - -var msg12074 = msg("9627", dup265); - -var msg12075 = msg("9628", dup265); - -var msg12076 = msg("9629", dup265); - -var msg12077 = msg("9630", dup265); - -var msg12078 = msg("9631", dup265); - -var msg12079 = msg("9632", dup222); - -var msg12080 = msg("9633", dup222); - -var msg12081 = msg("9634", dup222); - -var msg12082 = msg("9635", dup222); - -var msg12083 = msg("9636", dup222); - -var msg12084 = msg("9637", dup267); - -var msg12085 = msg("9638", dup274); - -var msg12086 = msg("9639", dup265); - -var msg12087 = msg("9640", dup265); - -var msg12088 = msg("9641", dup267); - -var msg12089 = msg("9642", dup267); - -var msg12090 = msg("9643", dup267); - -var msg12091 = msg("9644", dup303); - -var msg12092 = msg("9645", dup303); - -var msg12093 = msg("9646", dup303); - -var msg12094 = msg("9647", dup303); - -var msg12095 = msg("9648", dup303); - -var msg12096 = msg("9649", dup303); - -var msg12097 = msg("9650", dup303); - -var msg12098 = msg("9651", dup303); - -var msg12099 = msg("9652", dup303); - -var msg12100 = msg("9653", dup205); - -var msg12101 = msg("9654", dup205); - -var msg12102 = msg("9655", dup205); - -var msg12103 = msg("9656", dup205); - -var msg12104 = msg("9657", dup205); - -var msg12105 = 
msg("9658", dup205); - -var msg12106 = msg("9659", dup205); - -var msg12107 = msg("9660", dup205); - -var msg12108 = msg("9661", dup205); - -var msg12109 = msg("9662", dup205); - -var msg12110 = msg("9663", dup205); - -var msg12111 = msg("9664", dup205); - -var msg12112 = msg("9665", dup205); - -var msg12113 = msg("9666", dup205); - -var msg12114 = msg("9667", dup205); - -var msg12115 = msg("9668", dup265); - -var msg12116 = msg("9669", dup265); - -var msg12117 = msg("9670", dup265); - -var msg12118 = msg("9671", dup265); - -var msg12119 = msg("9672", dup265); - -var msg12120 = msg("9673", dup265); - -var msg12121 = msg("9674", dup276); - -var msg12122 = msg("9675", dup276); - -var msg12123 = msg("9676", dup276); - -var msg12124 = msg("9677", dup276); - -var msg12125 = msg("9678", dup276); - -var msg12126 = msg("9679", dup276); - -var msg12127 = msg("9680", dup276); - -var msg12128 = msg("9681", dup276); - -var msg12129 = msg("9682", dup276); - -var msg12130 = msg("9683", dup276); - -var msg12131 = msg("9684", dup276); - -var msg12132 = msg("9685", dup276); - -var msg12133 = msg("9686", dup276); - -var msg12134 = msg("9687", dup276); - -var msg12135 = msg("9688", dup276); - -var msg12136 = msg("9689", dup276); - -var msg12137 = msg("9690", dup276); - -var msg12138 = msg("9691", dup276); - -var msg12139 = msg("9692", dup276); - -var msg12140 = msg("9693", dup276); - -var msg12141 = msg("9694", dup276); - -var msg12142 = msg("9695", dup276); - -var msg12143 = msg("9696", dup276); - -var msg12144 = msg("9697", dup276); - -var msg12145 = msg("9698", dup276); - -var msg12146 = msg("9699", dup276); - -var msg12147 = msg("9700", dup276); - -var msg12148 = msg("9701", dup276); - -var msg12149 = msg("9702", dup276); - -var msg12150 = msg("9703", dup276); - -var msg12151 = msg("9704", dup276); - -var msg12152 = msg("9705", dup276); - -var msg12153 = msg("9706", dup276); - -var msg12154 = msg("9707", dup276); - -var msg12155 = msg("9708", dup276); - -var msg12156 = 
msg("9709", dup276); - -var msg12157 = msg("9710", dup276); - -var msg12158 = msg("9711", dup276); - -var msg12159 = msg("9712", dup276); - -var msg12160 = msg("9713", dup276); - -var msg12161 = msg("9714", dup276); - -var msg12162 = msg("9715", dup276); - -var msg12163 = msg("9716", dup276); - -var msg12164 = msg("9717", dup276); - -var msg12165 = msg("9718", dup276); - -var msg12166 = msg("9719", dup276); - -var msg12167 = msg("9720", dup276); - -var msg12168 = msg("9721", dup276); - -var msg12169 = msg("9722", dup276); - -var msg12170 = msg("9723", dup276); - -var msg12171 = msg("9724", dup276); - -var msg12172 = msg("9725", dup276); - -var msg12173 = msg("9726", dup276); - -var msg12174 = msg("9727", dup276); - -var msg12175 = msg("9728", dup276); - -var msg12176 = msg("9729", dup276); - -var msg12177 = msg("9730", dup276); - -var msg12178 = msg("9731", dup276); - -var msg12179 = msg("9732", dup276); - -var msg12180 = msg("9733", dup276); - -var msg12181 = msg("9734", dup276); - -var msg12182 = msg("9735", dup276); - -var msg12183 = msg("9736", dup276); - -var msg12184 = msg("9737", dup276); - -var msg12185 = msg("9738", dup276); - -var msg12186 = msg("9739", dup276); - -var msg12187 = msg("9740", dup276); - -var msg12188 = msg("9741", dup276); - -var msg12189 = msg("9742", dup276); - -var msg12190 = msg("9743", dup276); - -var msg12191 = msg("9744", dup276); - -var msg12192 = msg("9745", dup276); - -var msg12193 = msg("9746", dup276); - -var msg12194 = msg("9747", dup276); - -var msg12195 = msg("9748", dup276); - -var msg12196 = msg("9749", dup276); - -var msg12197 = msg("9750", dup276); - -var msg12198 = msg("9751", dup276); - -var msg12199 = msg("9752", dup276); - -var msg12200 = msg("9753", dup276); - -var msg12201 = msg("9754", dup276); - -var msg12202 = msg("9755", dup276); - -var msg12203 = msg("9756", dup276); - -var msg12204 = msg("9757", dup276); - -var msg12205 = msg("9758", dup276); - -var msg12206 = msg("9759", dup276); - -var msg12207 = 
msg("9760", dup276); - -var msg12208 = msg("9761", dup276); - -var msg12209 = msg("9762", dup276); - -var msg12210 = msg("9763", dup276); - -var msg12211 = msg("9764", dup276); - -var msg12212 = msg("9765", dup276); - -var msg12213 = msg("9766", dup276); - -var msg12214 = msg("9767", dup276); - -var msg12215 = msg("9768", dup201); - -var msg12216 = msg("9769", dup276); - -var msg12217 = msg("9770", dup201); - -var msg12218 = msg("9771", dup276); - -var msg12219 = msg("9772", dup276); - -var msg12220 = msg("9773", dup201); - -var msg12221 = msg("9774", dup201); - -var msg12222 = msg("9775", dup276); - -var msg12223 = msg("9776", dup276); - -var msg12224 = msg("9777", dup276); - -var msg12225 = msg("9778", dup276); - -var msg12226 = msg("9779", dup201); - -var msg12227 = msg("9780", dup276); - -var msg12228 = msg("9781", dup276); - -var msg12229 = msg("9782", dup276); - -var msg12230 = msg("9783", dup201); - -var msg12231 = msg("9784", dup276); - -var msg12232 = msg("9785", dup201); - -var msg12233 = msg("9786", dup276); - -var msg12234 = msg("9787", dup276); - -var msg12235 = msg("9788", dup201); - -var msg12236 = msg("9789", dup276); - -var msg12237 = msg("9790", dup196); - -var msg12238 = msg("9791", dup265); - -var msg12239 = msg("9792", dup222); - -var msg12240 = msg("9793", dup265); - -var msg12241 = msg("9794", dup265); - -var msg12242 = msg("9795", dup194); - -var msg12243 = msg("9796", dup194); - -var msg12244 = msg("9797", dup194); - -var msg12245 = msg("9798", dup194); - -var msg12246 = msg("9799", dup194); - -var msg12247 = msg("9800", dup194); - -var msg12248 = msg("9801", dup198); - -var msg12249 = msg("9802", dup276); - -var msg12250 = msg("9803", dup276); - -var msg12251 = msg("9804", dup276); - -var msg12252 = msg("9805", dup276); - -var msg12253 = msg("9806", dup276); - -var msg12254 = msg("9807", dup276); - -var msg12255 = msg("9808", dup276); - -var msg12256 = msg("9809", dup276); - -var msg12257 = msg("9810", dup276); - -var msg12258 = 
msg("9811", dup276); - -var msg12259 = msg("9812", dup265); - -var msg12260 = msg("9813", dup222); - -var msg12261 = msg("9814", dup265); - -var msg12262 = msg("9815", dup265); - -var msg12263 = msg("9816", dup265); - -var msg12264 = msg("9817", dup265); - -var msg12265 = msg("9818", dup265); - -var msg12266 = msg("9819", dup265); - -var msg12267 = msg("9820", dup265); - -var msg12268 = msg("9821", dup265); - -var msg12269 = msg("9822", dup265); - -var msg12270 = msg("9823", dup267); - -var msg12271 = msg("9824", dup265); - -var msg12272 = msg("9825", dup265); - -var msg12273 = msg("9826", dup265); - -var msg12274 = msg("9827", dup303); - -var msg12275 = msg("9828", dup303); - -var msg12276 = msg("9829", dup303); - -var msg12277 = msg("9830", dup303); - -var msg12278 = msg("9831", dup303); - -var msg12279 = msg("9832", dup205); - -var msg12280 = msg("9833", dup205); - -var msg12281 = msg("9834", dup205); - -var msg12282 = msg("9835", dup205); - -var msg12283 = msg("9836", dup205); - -var msg12284 = msg("9837", dup205); - -var msg12285 = msg("9838", dup205); - -var msg12286 = msg("9839", dup205); - -var msg12287 = msg("9840", dup265); - -var msg12288 = msg("9841", dup222); - -var msg12289 = msg("9842", dup265); - -var msg12290 = msg("9843", dup265); - -var msg12291 = msg("9844", dup265); - -var msg12292 = msg("9845", dup265); - -var msg12293 = msg("9846", dup265); - -var msg12294 = msg("9847", dup265); - -var msg12295 = msg("9848", dup267); - -var msg12296 = msg("9849", dup267); - -var msg12297 = msg("9850", dup276); - -var msg12298 = msg("9851", dup276); - -var msg12299 = msg("9852", dup276); - -var msg12300 = msg("9853", dup276); - -var msg12301 = msg("9854", dup276); - -var msg12302 = msg("9855", dup276); - -var msg12303 = msg("9856", dup276); - -var msg12304 = msg("9857", dup276); - -var msg12305 = msg("9858", dup276); - -var msg12306 = msg("9859", dup276); - -var msg12307 = msg("9860", dup276); - -var msg12308 = msg("9861", dup276); - -var msg12309 = 
msg("9862", dup276); - -var msg12310 = msg("9863", dup276); - -var msg12311 = msg("9864", dup276); - -var msg12312 = msg("9865", dup276); - -var msg12313 = msg("9866", dup276); - -var msg12314 = msg("9867", dup276); - -var msg12315 = msg("9868", dup276); - -var msg12316 = msg("9869", dup276); - -var msg12317 = msg("9870", dup276); - -var msg12318 = msg("9871", dup276); - -var msg12319 = msg("9872", dup276); - -var msg12320 = msg("9873", dup276); - -var msg12321 = msg("9874", dup276); - -var msg12322 = msg("9875", dup276); - -var msg12323 = msg("9876", dup276); - -var msg12324 = msg("9877", dup276); - -var msg12325 = msg("9878", dup276); - -var msg12326 = msg("9879", dup276); - -var msg12327 = msg("9880", dup276); - -var msg12328 = msg("9881", dup276); - -var msg12329 = msg("9882", dup276); - -var msg12330 = msg("9883", dup276); - -var msg12331 = msg("9884", dup276); - -var msg12332 = msg("9885", dup276); - -var msg12333 = msg("9886", dup276); - -var msg12334 = msg("9887", dup276); - -var msg12335 = msg("9888", dup276); - -var msg12336 = msg("9889", dup276); - -var msg12337 = msg("9890", dup276); - -var msg12338 = msg("9891", dup276); - -var msg12339 = msg("9892", dup276); - -var msg12340 = msg("9893", dup276); - -var msg12341 = msg("9894", dup276); - -var msg12342 = msg("9895", dup276); - -var msg12343 = msg("9896", dup276); - -var msg12344 = msg("9897", dup276); - -var msg12345 = msg("9898", dup276); - -var msg12346 = msg("9899", dup276); - -var msg12347 = msg("9900", dup276); - -var msg12348 = msg("9901", dup276); - -var msg12349 = msg("9902", dup276); - -var msg12350 = msg("9903", dup276); - -var msg12351 = msg("9904", dup276); - -var msg12352 = msg("9905", dup276); - -var msg12353 = msg("9906", dup276); - -var msg12354 = msg("9907", dup276); - -var msg12355 = msg("9908", dup276); - -var msg12356 = msg("9909", dup276); - -var msg12357 = msg("9910", dup276); - -var msg12358 = msg("9911", dup276); - -var msg12359 = msg("9912", dup276); - -var msg12360 = 
msg("9913", dup276); - -var msg12361 = msg("9914", dup276); - -var msg12362 = msg("9915", dup276); - -var msg12363 = msg("9916", dup276); - -var msg12364 = msg("9917", dup276); - -var msg12365 = msg("9918", dup276); - -var msg12366 = msg("9919", dup276); - -var msg12367 = msg("9920", dup276); - -var msg12368 = msg("9921", dup276); - -var msg12369 = msg("9922", dup276); - -var msg12370 = msg("9923", dup276); - -var msg12371 = msg("9924", dup276); - -var msg12372 = msg("9925", dup276); - -var msg12373 = msg("9926", dup276); - -var msg12374 = msg("9927", dup276); - -var msg12375 = msg("9928", dup276); - -var msg12376 = msg("9929", dup276); - -var msg12377 = msg("9930", dup276); - -var msg12378 = msg("9931", dup276); - -var msg12379 = msg("9932", dup276); - -var msg12380 = msg("9933", dup276); - -var msg12381 = msg("9934", dup276); - -var msg12382 = msg("9935", dup276); - -var msg12383 = msg("9936", dup276); - -var msg12384 = msg("9937", dup276); - -var msg12385 = msg("9938", dup276); - -var msg12386 = msg("9939", dup276); - -var msg12387 = msg("9940", dup276); - -var msg12388 = msg("9941", dup276); - -var msg12389 = msg("9942", dup276); - -var msg12390 = msg("9943", dup276); - -var msg12391 = msg("9944", dup276); - -var msg12392 = msg("9945", dup276); - -var msg12393 = msg("9946", dup276); - -var msg12394 = msg("9947", dup276); - -var msg12395 = msg("9948", dup276); - -var msg12396 = msg("9949", dup276); - -var msg12397 = msg("9950", dup276); - -var msg12398 = msg("9951", dup276); - -var msg12399 = msg("9952", dup276); - -var msg12400 = msg("9953", dup276); - -var msg12401 = msg("9954", dup276); - -var msg12402 = msg("9955", dup276); - -var msg12403 = msg("9956", dup276); - -var msg12404 = msg("9957", dup276); - -var msg12405 = msg("9958", dup276); - -var msg12406 = msg("9959", dup276); - -var msg12407 = msg("9960", dup276); - -var msg12408 = msg("9961", dup276); - -var msg12409 = msg("9962", dup276); - -var msg12410 = msg("9963", dup276); - -var msg12411 = 
msg("9964", dup276); - -var msg12412 = msg("9965", dup276); - -var msg12413 = msg("9966", dup276); - -var msg12414 = msg("9967", dup276); - -var msg12415 = msg("9968", dup276); - -var msg12416 = msg("9969", dup276); - -var msg12417 = msg("9970", dup276); - -var msg12418 = msg("9971", dup276); - -var msg12419 = msg("9972", dup276); - -var msg12420 = msg("9973", dup276); - -var msg12421 = msg("9974", dup276); - -var msg12422 = msg("9975", dup276); - -var msg12423 = msg("9976", dup276); - -var msg12424 = msg("9977", dup276); - -var msg12425 = msg("9978", dup276); - -var msg12426 = msg("9979", dup276); - -var msg12427 = msg("9980", dup276); - -var msg12428 = msg("9981", dup276); - -var msg12429 = msg("9982", dup276); - -var msg12430 = msg("9983", dup276); - -var msg12431 = msg("9984", dup276); - -var msg12432 = msg("9985", dup276); - -var msg12433 = msg("9986", dup276); - -var msg12434 = msg("9987", dup276); - -var msg12435 = msg("9988", dup276); - -var msg12436 = msg("9989", dup276); - -var msg12437 = msg("9990", dup276); - -var msg12438 = msg("9991", dup276); - -var msg12439 = msg("9992", dup276); - -var msg12440 = msg("9993", dup276); - -var msg12441 = msg("9994", dup276); - -var msg12442 = msg("9995", dup276); - -var msg12443 = msg("9996", dup276); - -var msg12444 = msg("9997", dup276); - -var msg12445 = msg("9998", dup276); - -var msg12446 = msg("9999", dup276); - -var msg12447 = msg("10000", dup276); - -var msg12448 = msg("10001", dup276); - -var msg12449 = msg("10002", dup276); - -var msg12450 = msg("10003", dup276); - -var msg12451 = msg("10004", dup276); - -var msg12452 = msg("10005", dup276); - -var msg12453 = msg("10006", dup276); - -var msg12454 = msg("10007", dup276); - -var msg12455 = msg("10008", dup276); - -var msg12456 = msg("10009", dup276); - -var msg12457 = msg("10010", dup222); - -var msg12458 = msg("10011", dup222); - -var msg12459 = msg("10012", dup222); - -var msg12460 = msg("10013", dup265); - -var msg12461 = msg("10014", dup265); - -var 
msg12462 = msg("10015", dup265); - -var msg12463 = msg("10016", dup265); - -var msg12464 = msg("10017", dup265); - -var msg12465 = msg("10018", dup276); - -var msg12466 = msg("10019", dup276); - -var msg12467 = msg("10020", dup276); - -var msg12468 = msg("10021", dup276); - -var msg12469 = msg("10022", dup276); - -var msg12470 = msg("10023", dup276); - -var msg12471 = msg("10024", dup276); - -var msg12472 = msg("10025", dup276); - -var msg12473 = msg("10026", dup276); - -var msg12474 = msg("10027", dup276); - -var msg12475 = msg("10028", dup276); - -var msg12476 = msg("10029", dup276); - -var msg12477 = msg("10030", dup276); - -var msg12478 = msg("10031", dup276); - -var msg12479 = msg("10032", dup276); - -var msg12480 = msg("10033", dup276); - -var msg12481 = msg("10034", dup276); - -var msg12482 = msg("10035", dup276); - -var msg12483 = msg("10036", dup276); - -var msg12484 = msg("10037", dup276); - -var msg12485 = msg("10038", dup276); - -var msg12486 = msg("10039", dup276); - -var msg12487 = msg("10040", dup276); - -var msg12488 = msg("10041", dup276); - -var msg12489 = msg("10042", dup276); - -var msg12490 = msg("10043", dup276); - -var msg12491 = msg("10044", dup276); - -var msg12492 = msg("10045", dup276); - -var msg12493 = msg("10046", dup276); - -var msg12494 = msg("10047", dup276); - -var msg12495 = msg("10048", dup276); - -var msg12496 = msg("10049", dup276); - -var msg12497 = msg("10050", dup276); - -var msg12498 = msg("10051", dup276); - -var msg12499 = msg("10052", dup276); - -var msg12500 = msg("10053", dup276); - -var msg12501 = msg("10054", dup276); - -var msg12502 = msg("10055", dup276); - -var msg12503 = msg("10056", dup276); - -var msg12504 = msg("10057", dup276); - -var msg12505 = msg("10058", dup276); - -var msg12506 = msg("10059", dup276); - -var msg12507 = msg("10060", dup276); - -var msg12508 = msg("10061", dup276); - -var msg12509 = msg("10062", dup267); - -var msg12510 = msg("10063", dup265); - -var msg12511 = msg("10064", dup222); - -var 
msg12512 = msg("10065", dup192); - -var msg12513 = msg("10066", dup192); - -var msg12514 = msg("10067", dup192); - -var msg12515 = msg("10068", dup192); - -var msg12516 = msg("10069", dup192); - -var msg12517 = msg("10070", dup192); - -var msg12518 = msg("10071", dup192); - -var msg12519 = msg("10072", dup192); - -var msg12520 = msg("10073", dup192); - -var msg12521 = msg("10074", dup192); - -var msg12522 = msg("10075", dup192); - -var msg12523 = msg("10076", dup192); - -var msg12524 = msg("10077", dup192); - -var msg12525 = msg("10078", dup250); - -var msg12526 = msg("10079", dup250); - -var msg12527 = msg("10080", dup250); - -var msg12528 = msg("10081", dup250); - -var msg12529 = msg("10082", dup250); - -var msg12530 = msg("10083", dup250); - -var msg12531 = msg("10084", dup265); - -var msg12532 = msg("10085", dup265); - -var msg12533 = msg("10086", dup265); - -var msg12534 = msg("10087", dup222); - -var msg12535 = msg("10088", dup303); - -var msg12536 = msg("10089", dup303); - -var msg12537 = msg("10090", dup303); - -var msg12538 = msg("10091", dup303); - -var msg12539 = msg("10092", dup303); - -var msg12540 = msg("10093", dup303); - -var msg12541 = msg("10094", dup303); - -var msg12542 = msg("10095", dup303); - -var msg12543 = msg("10096", dup303); - -var msg12544 = msg("10097", dup303); - -var msg12545 = msg("10098", dup303); - -var msg12546 = msg("10099", dup303); - -var msg12547 = msg("10100", dup303); - -var msg12548 = msg("10101", dup205); - -var msg12549 = msg("10102", dup205); - -var msg12550 = msg("10103", dup205); - -var msg12551 = msg("10104", dup205); - -var msg12552 = msg("10105", dup205); - -var msg12553 = msg("10106", dup205); - -var msg12554 = msg("10107", dup205); - -var msg12555 = msg("10108", dup205); - -var msg12556 = msg("10109", dup205); - -var msg12557 = msg("10110", dup205); - -var msg12558 = msg("10111", dup205); - -var msg12559 = msg("10112", dup205); - -var msg12560 = msg("10113", dup192); - -var msg12561 = msg("10114", dup192); - -var 
msg12562 = msg("10115", dup198); - -var msg12563 = msg("10116", dup265); - -var msg12564 = msg("10117", dup276); - -var msg12565 = msg("10118", dup276); - -var msg12566 = msg("10119", dup276); - -var msg12567 = msg("10120", dup276); - -var msg12568 = msg("10121", dup276); - -var msg12569 = msg("10122", dup276); - -var msg12570 = msg("10123", dup287); - -var msg12571 = msg("10124", dup285); - -var msg12572 = msg("10125", dup222); - -var msg12573 = msg("10126", dup265); - -var msg12574 = msg("10127", dup198); - -var msg12575 = msg("10128", dup265); - -var msg12576 = msg("10129", dup265); - -var msg12577 = msg("10130", dup196); - -var msg12578 = msg("10131", dup269); - -var msg12579 = msg("10132", dup198); - -var msg12580 = msg("10133", dup198); - -var msg12581 = msg("10134", dup222); - -var msg12582 = msg("10135", dup198); - -var msg12583 = msg("10136", dup285); - -var msg12584 = msg("10137", dup265); - -var msg12585 = msg("10138", dup265); - -var msg12586 = msg("10139", dup265); - -var msg12587 = msg("10140", dup265); - -var msg12588 = msg("10141", dup265); - -var msg12589 = msg("10142", dup265); - -var msg12590 = msg("10143", dup265); - -var msg12591 = msg("10144", dup265); - -var msg12592 = msg("10145", dup265); - -var msg12593 = msg("10146", dup265); - -var msg12594 = msg("10147", dup265); - -var msg12595 = msg("10148", dup265); - -var msg12596 = msg("10149", dup265); - -var msg12597 = msg("10150", dup265); - -var msg12598 = msg("10151", dup265); - -var msg12599 = msg("10152", dup265); - -var msg12600 = msg("10153", dup265); - -var msg12601 = msg("10154", dup265); - -var msg12602 = msg("10155", dup265); - -var msg12603 = msg("10156", dup265); - -var msg12604 = msg("10157", dup265); - -var msg12605 = msg("10158", dup276); - -var msg12606 = msg("10159", dup276); - -var msg12607 = msg("10160", dup276); - -var msg12608 = msg("10161", dup276); - -var msg12609 = msg("10162", dup265); - -var msg12610 = msg("10163", dup265); - -var msg12611 = msg("10164", dup303); - -var 
msg12612 = msg("10165", dup303); - -var msg12613 = msg("10166", dup303); - -var msg12614 = msg("10167", dup303); - -var msg12615 = msg("10168", dup205); - -var msg12616 = msg("10169", dup205); - -var msg12617 = msg("10170", dup265); - -var msg12618 = msg("10171", dup265); - -var msg12619 = msg("10172", dup267); - -var msg12620 = msg("10173", dup194); - -var msg12621 = msg("10174", dup194); - -var msg12622 = msg("10175", dup194); - -var msg12623 = msg("10176", dup224); - -var msg12624 = msg("10177", dup224); - -var msg12625 = msg("10178", dup224); - -var msg12626 = msg("10179", dup303); - -var msg12627 = msg("10180", dup303); - -var msg12628 = msg("10181", dup303); - -var msg12629 = msg("10182", dup303); - -var msg12630 = msg("10183", dup303); - -var msg12631 = msg("10184", dup205); - -var msg12632 = msg("10185", dup205); - -var msg12633 = msg("10186", dup250); - -var msg12634 = msg("10187", dup197); - -var msg12635 = msg("10188", dup222); - -var msg12636 = msg("10189", dup265); - -var msg12637 = msg("10190", dup265); - -var msg12638 = msg("10191", dup265); - -var msg12639 = msg("10192", dup265); - -var msg12640 = msg("10193", dup265); - -var msg12641 = msg("10194", dup265); - -var msg12642 = msg("10195", dup267); - -var msg12643 = msg("10196", dup205); - -var msg12644 = msg("10197", dup205); - -var msg12645 = msg("10198", dup276); - -var msg12646 = msg("10199", dup276); - -var msg12647 = msg("10200", dup276); - -var msg12648 = msg("10201", dup276); - -var msg12649 = msg("10202", dup194); - -var msg12650 = msg("10203", dup194); - -var msg12651 = msg("10204", dup194); - -var msg12652 = msg("10205", dup194); - -var msg12653 = msg("10206", dup194); - -var msg12654 = msg("10207", dup194); - -var msg12655 = msg("10208", dup276); - -var msg12656 = msg("10209", dup276); - -var msg12657 = msg("10210", dup276); - -var msg12658 = msg("10211", dup276); - -var msg12659 = msg("10212", dup276); - -var msg12660 = msg("10213", dup276); - -var msg12661 = msg("10214", dup265); - -var 
msg12662 = msg("10215", dup265); - -var msg12663 = msg("10216", dup265); - -var msg12664 = msg("10217", dup276); - -var msg12665 = msg("10218", dup276); - -var msg12666 = msg("10219", dup276); - -var msg12667 = msg("10220", dup276); - -var msg12668 = msg("10221", dup276); - -var msg12669 = msg("10222", dup276); - -var msg12670 = msg("10223", dup276); - -var msg12671 = msg("10224", dup276); - -var msg12672 = msg("10225", dup276); - -var msg12673 = msg("10226", dup276); - -var msg12674 = msg("10227", dup276); - -var msg12675 = msg("10228", dup276); - -var msg12676 = msg("10229", dup276); - -var msg12677 = msg("10230", dup276); - -var msg12678 = msg("10231", dup276); - -var msg12679 = msg("10232", dup276); - -var msg12680 = msg("10233", dup276); - -var msg12681 = msg("10234", dup276); - -var msg12682 = msg("10235", dup276); - -var msg12683 = msg("10236", dup276); - -var msg12684 = msg("10237", dup276); - -var msg12685 = msg("10238", dup276); - -var msg12686 = msg("10239", dup276); - -var msg12687 = msg("10240", dup276); - -var msg12688 = msg("10241", dup276); - -var msg12689 = msg("10242", dup276); - -var msg12690 = msg("10243", dup276); - -var msg12691 = msg("10244", dup276); - -var msg12692 = msg("10245", dup276); - -var msg12693 = msg("10246", dup276); - -var msg12694 = msg("10247", dup276); - -var msg12695 = msg("10248", dup276); - -var msg12696 = msg("10249", dup276); - -var msg12697 = msg("10250", dup276); - -var msg12698 = msg("10251", dup276); - -var msg12699 = msg("10252", dup276); - -var msg12700 = msg("10253", dup276); - -var msg12701 = msg("10254", dup276); - -var msg12702 = msg("10255", dup276); - -var msg12703 = msg("10256", dup276); - -var msg12704 = msg("10257", dup276); - -var msg12705 = msg("10258", dup276); - -var msg12706 = msg("10259", dup276); - -var msg12707 = msg("10260", dup276); - -var msg12708 = msg("10261", dup276); - -var msg12709 = msg("10262", dup276); - -var msg12710 = msg("10263", dup276); - -var msg12711 = msg("10264", dup276); - -var 
msg12712 = msg("10265", dup276); - -var msg12713 = msg("10266", dup276); - -var msg12714 = msg("10267", dup276); - -var msg12715 = msg("10268", dup276); - -var msg12716 = msg("10269", dup276); - -var msg12717 = msg("10270", dup276); - -var msg12718 = msg("10271", dup276); - -var msg12719 = msg("10272", dup276); - -var msg12720 = msg("10273", dup276); - -var msg12721 = msg("10274", dup276); - -var msg12722 = msg("10275", dup276); - -var msg12723 = msg("10276", dup276); - -var msg12724 = msg("10277", dup276); - -var msg12725 = msg("10278", dup276); - -var msg12726 = msg("10279", dup276); - -var msg12727 = msg("10280", dup276); - -var msg12728 = msg("10281", dup276); - -var msg12729 = msg("10282", dup276); - -var msg12730 = msg("10283", dup276); - -var msg12731 = msg("10284", dup276); - -var msg12732 = msg("10285", dup276); - -var msg12733 = msg("10286", dup276); - -var msg12734 = msg("10287", dup276); - -var msg12735 = msg("10288", dup276); - -var msg12736 = msg("10289", dup276); - -var msg12737 = msg("10290", dup276); - -var msg12738 = msg("10291", dup276); - -var msg12739 = msg("10292", dup276); - -var msg12740 = msg("10293", dup276); - -var msg12741 = msg("10294", dup276); - -var msg12742 = msg("10295", dup276); - -var msg12743 = msg("10296", dup276); - -var msg12744 = msg("10297", dup276); - -var msg12745 = msg("10298", dup276); - -var msg12746 = msg("10299", dup276); - -var msg12747 = msg("10300", dup276); - -var msg12748 = msg("10301", dup276); - -var msg12749 = msg("10302", dup276); - -var msg12750 = msg("10303", dup276); - -var msg12751 = msg("10304", dup276); - -var msg12752 = msg("10305", dup276); - -var msg12753 = msg("10306", dup276); - -var msg12754 = msg("10307", dup276); - -var msg12755 = msg("10308", dup276); - -var msg12756 = msg("10309", dup276); - -var msg12757 = msg("10310", dup276); - -var msg12758 = msg("10311", dup276); - -var msg12759 = msg("10312", dup276); - -var msg12760 = msg("10313", dup276); - -var msg12761 = msg("10314", dup276); - -var 
msg12762 = msg("10315", dup276); - -var msg12763 = msg("10316", dup276); - -var msg12764 = msg("10317", dup276); - -var msg12765 = msg("10318", dup276); - -var msg12766 = msg("10319", dup276); - -var msg12767 = msg("10320", dup276); - -var msg12768 = msg("10321", dup276); - -var msg12769 = msg("10322", dup276); - -var msg12770 = msg("10323", dup276); - -var msg12771 = msg("10324", dup276); - -var msg12772 = msg("10325", dup276); - -var msg12773 = msg("10326", dup276); - -var msg12774 = msg("10327", dup276); - -var msg12775 = msg("10328", dup276); - -var msg12776 = msg("10329", dup276); - -var msg12777 = msg("10330", dup276); - -var msg12778 = msg("10331", dup276); - -var msg12779 = msg("10332", dup276); - -var msg12780 = msg("10333", dup276); - -var msg12781 = msg("10334", dup276); - -var msg12782 = msg("10335", dup276); - -var msg12783 = msg("10336", dup276); - -var msg12784 = msg("10337", dup276); - -var msg12785 = msg("10338", dup276); - -var msg12786 = msg("10339", dup276); - -var msg12787 = msg("10340", dup276); - -var msg12788 = msg("10341", dup276); - -var msg12789 = msg("10342", dup276); - -var msg12790 = msg("10343", dup276); - -var msg12791 = msg("10344", dup276); - -var msg12792 = msg("10345", dup276); - -var msg12793 = msg("10346", dup276); - -var msg12794 = msg("10347", dup276); - -var msg12795 = msg("10348", dup276); - -var msg12796 = msg("10349", dup276); - -var msg12797 = msg("10350", dup276); - -var msg12798 = msg("10351", dup276); - -var msg12799 = msg("10352", dup276); - -var msg12800 = msg("10353", dup276); - -var msg12801 = msg("10354", dup276); - -var msg12802 = msg("10355", dup276); - -var msg12803 = msg("10356", dup276); - -var msg12804 = msg("10357", dup276); - -var msg12805 = msg("10358", dup276); - -var msg12806 = msg("10359", dup276); - -var msg12807 = msg("10360", dup276); - -var msg12808 = msg("10361", dup276); - -var msg12809 = msg("10362", dup276); - -var msg12810 = msg("10363", dup276); - -var msg12811 = msg("10364", dup276); - -var 
msg12812 = msg("10365", dup276); - -var msg12813 = msg("10366", dup276); - -var msg12814 = msg("10367", dup276); - -var msg12815 = msg("10368", dup276); - -var msg12816 = msg("10369", dup276); - -var msg12817 = msg("10370", dup276); - -var msg12818 = msg("10371", dup276); - -var msg12819 = msg("10372", dup276); - -var msg12820 = msg("10373", dup276); - -var msg12821 = msg("10374", dup276); - -var msg12822 = msg("10375", dup276); - -var msg12823 = msg("10376", dup276); - -var msg12824 = msg("10377", dup276); - -var msg12825 = msg("10378", dup276); - -var msg12826 = msg("10379", dup276); - -var msg12827 = msg("10380", dup276); - -var msg12828 = msg("10381", dup276); - -var msg12829 = msg("10382", dup276); - -var msg12830 = msg("10383", dup276); - -var msg12831 = msg("10384", dup276); - -var msg12832 = msg("10385", dup276); - -var msg12833 = msg("10386", dup276); - -var msg12834 = msg("10387", dup265); - -var msg12835 = msg("10388", dup265); - -var msg12836 = msg("10389", dup265); - -var msg12837 = msg("10390", dup265); - -var msg12838 = msg("10391", dup265); - -var msg12839 = msg("10392", dup265); - -var msg12840 = msg("10393", dup265); - -var msg12841 = msg("10394", dup265); - -var msg12842 = msg("10395", dup265); - -var msg12843 = msg("10396", dup265); - -var msg12844 = msg("10397", dup265); - -var msg12845 = msg("10398", dup265); - -var msg12846 = msg("10399", dup265); - -var msg12847 = msg("10400", dup265); - -var msg12848 = msg("10401", dup265); - -var msg12849 = msg("10402", dup192); - -var msg12850 = msg("10403", dup192); - -var msg12851 = msg("10404", dup265); - -var msg12852 = msg("10405", dup265); - -var msg12853 = msg("10406", dup265); - -var msg12854 = msg("10407", dup222); - -var msg12855 = msg("10408", dup287); - -var msg12856 = msg("10409", dup258); - -var msg12857 = msg("10410", dup287); - -var msg12858 = msg("10411", dup258); - -var msg12859 = msg("10412", dup265); - -var msg12860 = msg("10413", dup265); - -var msg12861 = msg("10414", dup265); - -var 
msg12862 = msg("10415", dup265); - -var msg12863 = msg("10416", dup265); - -var msg12864 = msg("10417", dup265); - -var msg12865 = msg("10418", dup196); - -var msg12866 = msg("10419", dup265); - -var msg12867 = msg("10420", dup265); - -var msg12868 = msg("10421", dup265); - -var msg12869 = msg("10422", dup265); - -var msg12870 = msg("10423", dup265); - -var msg12871 = msg("10424", dup265); - -var msg12872 = msg("10425", dup265); - -var msg12873 = msg("10426", dup265); - -var msg12874 = msg("10427", dup194); - -var msg12875 = msg("10428", dup194); - -var msg12876 = msg("10429", dup194); - -var msg12877 = msg("10430", dup194); - -var msg12878 = msg("10431", dup194); - -var msg12879 = msg("10432", dup194); - -var msg12880 = msg("10433", dup194); - -var msg12881 = msg("10434", dup194); - -var msg12882 = msg("10435", dup303); - -var msg12883 = msg("10436", dup303); - -var msg12884 = msg("10437", dup303); - -var msg12885 = msg("10438", dup303); - -var msg12886 = msg("10439", dup303); - -var msg12887 = msg("10440", dup303); - -var msg12888 = msg("10441", dup303); - -var msg12889 = msg("10442", dup192); - -var msg12890 = msg("10443", dup192); - -var msg12891 = msg("10444", dup192); - -var msg12892 = msg("10445", dup192); - -var msg12893 = msg("10446", dup192); - -var msg12894 = msg("10447", dup192); - -var msg12895 = msg("10448", dup192); - -var msg12896 = msg("10449", dup192); - -var msg12897 = msg("10450", dup192); - -var msg12898 = msg("10451", dup192); - -var msg12899 = msg("10452", dup192); - -var msg12900 = msg("10453", dup192); - -var msg12901 = msg("10454", dup192); - -var msg12902 = msg("10455", dup192); - -var msg12903 = msg("10456", dup192); - -var msg12904 = msg("10457", dup192); - -var msg12905 = msg("10458", dup192); - -var msg12906 = msg("10459", dup192); - -var msg12907 = msg("10460", dup192); - -var msg12908 = msg("10461", dup192); - -var msg12909 = msg("10462", dup192); - -var msg12910 = msg("10463", dup192); - -var msg12911 = msg("10464", dup285); - -var 
msg12912 = msg("10465", dup265); - -var msg12913 = msg("10466", dup265); - -var msg12914 = msg("10467", dup265); - -var msg12915 = msg("10468", dup265); - -var msg12916 = msg("10469", dup265); - -var msg12917 = msg("10470", dup265); - -var msg12918 = msg("10471", dup265); - -var msg12919 = msg("10472", dup265); - -var msg12920 = msg("10473", dup265); - -var msg12921 = msg("10474", dup265); - -var msg12922 = msg("10475", dup222); - -var msg12923 = msg("10476", dup265); - -var msg12924 = msg("10477", dup265); - -var msg12925 = msg("10478", dup265); - -var msg12926 = msg("10479", dup265); - -var msg12927 = msg("10480", dup222); - -var msg12928 = msg("10481", dup222); - -var msg12929 = msg("10482", dup287); - -var msg12930 = msg("10483", dup258); - -var msg12931 = msg("10484", dup287); - -var msg12932 = msg("10485", dup258); - -var msg12933 = msg("10486", dup276); - -var msg12934 = msg("10487", dup276); - -var msg12935 = msg("10488", dup276); - -var msg12936 = msg("10489", dup276); - -var msg12937 = msg("10490", dup276); - -var msg12938 = msg("10491", dup276); - -var msg12939 = msg("10492", dup276); - -var msg12940 = msg("10493", dup276); - -var msg12941 = msg("10494", dup276); - -var msg12942 = msg("10495", dup276); - -var msg12943 = msg("10496", dup276); - -var msg12944 = msg("10497", dup276); - -var msg12945 = msg("10498", dup276); - -var msg12946 = msg("10499", dup276); - -var msg12947 = msg("10500", dup276); - -var msg12948 = msg("10501", dup276); - -var msg12949 = msg("10502", dup276); - -var msg12950 = msg("10503", dup276); - -var msg12951 = msg("10504", dup196); - -var msg12952 = msg("10505", dup196); - -var msg12953 = msg("10506", dup196); - -var msg12954 = msg("10507", dup196); - -var msg12955 = msg("10508", dup196); - -var msg12956 = msg("10509", dup196); - -var msg12957 = msg("10510", dup196); - -var msg12958 = msg("10511", dup196); - -var msg12959 = msg("10512", dup196); - -var msg12960 = msg("10513", dup196); - -var msg12961 = msg("10514", dup276); - -var 
msg12962 = msg("10515", dup276); - -var msg12963 = msg("10516", dup276); - -var msg12964 = msg("10517", dup276); - -var msg12965 = msg("10518", dup276); - -var msg12966 = msg("10519", dup276); - -var msg12967 = msg("10520", dup276); - -var msg12968 = msg("10521", dup276); - -var msg12969 = msg("10522", dup276); - -var msg12970 = msg("10523", dup276); - -var msg12971 = msg("10524", dup276); - -var msg12972 = msg("10525", dup276); - -var msg12973 = msg("10526", dup276); - -var msg12974 = msg("10527", dup276); - -var msg12975 = msg("10528", dup276); - -var msg12976 = msg("10529", dup276); - -var msg12977 = msg("10530", dup276); - -var msg12978 = msg("10531", dup276); - -var msg12979 = msg("10532", dup276); - -var msg12980 = msg("10533", dup276); - -var msg12981 = msg("10534", dup276); - -var msg12982 = msg("10535", dup276); - -var msg12983 = msg("10536", dup276); - -var msg12984 = msg("10537", dup276); - -var msg12985 = msg("10538", dup276); - -var msg12986 = msg("10539", dup276); - -var msg12987 = msg("10540", dup276); - -var msg12988 = msg("10541", dup276); - -var msg12989 = msg("10542", dup276); - -var msg12990 = msg("10543", dup276); - -var msg12991 = msg("10544", dup276); - -var msg12992 = msg("10545", dup276); - -var msg12993 = msg("10546", dup276); - -var msg12994 = msg("10547", dup276); - -var msg12995 = msg("10548", dup276); - -var msg12996 = msg("10549", dup276); - -var msg12997 = msg("10550", dup276); - -var msg12998 = msg("10551", dup276); - -var msg12999 = msg("10552", dup276); - -var msg13000 = msg("10553", dup276); - -var msg13001 = msg("10554", dup276); - -var msg13002 = msg("10555", dup276); - -var msg13003 = msg("10556", dup276); - -var msg13004 = msg("10557", dup276); - -var msg13005 = msg("10558", dup276); - -var msg13006 = msg("10559", dup276); - -var msg13007 = msg("10560", dup276); - -var msg13008 = msg("10561", dup276); - -var msg13009 = msg("10562", dup276); - -var msg13010 = msg("10563", dup276); - -var msg13011 = msg("10564", dup276); - -var 
msg13012 = msg("10565", dup276); - -var msg13013 = msg("10566", dup276); - -var msg13014 = msg("10567", dup276); - -var msg13015 = msg("10568", dup276); - -var msg13016 = msg("10569", dup276); - -var msg13017 = msg("10570", dup276); - -var msg13018 = msg("10571", dup276); - -var msg13019 = msg("10572", dup276); - -var msg13020 = msg("10573", dup276); - -var msg13021 = msg("10574", dup276); - -var msg13022 = msg("10575", dup276); - -var msg13023 = msg("10576", dup276); - -var msg13024 = msg("10577", dup276); - -var msg13025 = msg("10578", dup276); - -var msg13026 = msg("10579", dup276); - -var msg13027 = msg("10580", dup276); - -var msg13028 = msg("10581", dup276); - -var msg13029 = msg("10582", dup276); - -var msg13030 = msg("10583", dup276); - -var msg13031 = msg("10584", dup276); - -var msg13032 = msg("10585", dup276); - -var msg13033 = msg("10586", dup276); - -var msg13034 = msg("10587", dup276); - -var msg13035 = msg("10588", dup276); - -var msg13036 = msg("10589", dup276); - -var msg13037 = msg("10590", dup276); - -var msg13038 = msg("10591", dup276); - -var msg13039 = msg("10592", dup276); - -var msg13040 = msg("10593", dup276); - -var msg13041 = msg("10594", dup276); - -var msg13042 = msg("10595", dup276); - -var msg13043 = msg("10596", dup276); - -var msg13044 = msg("10597", dup276); - -var msg13045 = msg("10598", dup276); - -var msg13046 = msg("10599", dup276); - -var msg13047 = msg("10600", dup276); - -var msg13048 = msg("10601", dup276); - -var msg13049 = msg("10602", dup276); - -var msg13050 = msg("10603", dup276); - -var msg13051 = msg("10604", dup276); - -var msg13052 = msg("10605", dup276); - -var msg13053 = msg("10606", dup276); - -var msg13054 = msg("10607", dup276); - -var msg13055 = msg("10608", dup276); - -var msg13056 = msg("10609", dup276); - -var msg13057 = msg("10610", dup276); - -var msg13058 = msg("10611", dup276); - -var msg13059 = msg("10612", dup276); - -var msg13060 = msg("10613", dup276); - -var msg13061 = msg("10614", dup276); - -var 
msg13062 = msg("10615", dup276); - -var msg13063 = msg("10616", dup276); - -var msg13064 = msg("10617", dup276); - -var msg13065 = msg("10618", dup276); - -var msg13066 = msg("10619", dup276); - -var msg13067 = msg("10620", dup276); - -var msg13068 = msg("10621", dup276); - -var msg13069 = msg("10622", dup276); - -var msg13070 = msg("10623", dup276); - -var msg13071 = msg("10624", dup276); - -var msg13072 = msg("10625", dup276); - -var msg13073 = msg("10626", dup276); - -var msg13074 = msg("10627", dup276); - -var msg13075 = msg("10628", dup276); - -var msg13076 = msg("10629", dup276); - -var msg13077 = msg("10630", dup276); - -var msg13078 = msg("10631", dup276); - -var msg13079 = msg("10632", dup276); - -var msg13080 = msg("10633", dup276); - -var msg13081 = msg("10634", dup276); - -var msg13082 = msg("10635", dup276); - -var msg13083 = msg("10636", dup276); - -var msg13084 = msg("10637", dup276); - -var msg13085 = msg("10638", dup276); - -var msg13086 = msg("10639", dup276); - -var msg13087 = msg("10640", dup276); - -var msg13088 = msg("10641", dup276); - -var msg13089 = msg("10642", dup276); - -var msg13090 = msg("10643", dup276); - -var msg13091 = msg("10644", dup276); - -var msg13092 = msg("10645", dup276); - -var msg13093 = msg("10646", dup276); - -var msg13094 = msg("10647", dup276); - -var msg13095 = msg("10648", dup276); - -var msg13096 = msg("10649", dup276); - -var msg13097 = msg("10650", dup276); - -var msg13098 = msg("10651", dup276); - -var msg13099 = msg("10652", dup276); - -var msg13100 = msg("10653", dup276); - -var msg13101 = msg("10654", dup276); - -var msg13102 = msg("10655", dup276); - -var msg13103 = msg("10656", dup276); - -var msg13104 = msg("10657", dup276); - -var msg13105 = msg("10658", dup276); - -var msg13106 = msg("10659", dup276); - -var msg13107 = msg("10660", dup276); - -var msg13108 = msg("10661", dup276); - -var msg13109 = msg("10662", dup276); - -var msg13110 = msg("10663", dup276); - -var msg13111 = msg("10664", dup276); - -var 
msg13112 = msg("10665", dup276); - -var msg13113 = msg("10666", dup276); - -var msg13114 = msg("10667", dup276); - -var msg13115 = msg("10668", dup276); - -var msg13116 = msg("10669", dup276); - -var msg13117 = msg("10670", dup201); - -var msg13118 = msg("10671", dup276); - -var msg13119 = msg("10672", dup276); - -var msg13120 = msg("10673", dup201); - -var msg13121 = msg("10674", dup276); - -var msg13122 = msg("10675", dup201); - -var msg13123 = msg("10676", dup201); - -var msg13124 = msg("10677", dup201); - -var msg13125 = msg("10678", dup276); - -var msg13126 = msg("10679", dup276); - -var msg13127 = msg("10680", dup201); - -var msg13128 = msg("10681", dup276); - -var msg13129 = msg("10682", dup276); - -var msg13130 = msg("10683", dup201); - -var msg13131 = msg("10684", dup201); - -var msg13132 = msg("10685", dup276); - -var msg13133 = msg("10686", dup276); - -var msg13134 = msg("10687", dup276); - -var msg13135 = msg("10688", dup276); - -var msg13136 = msg("10689", dup201); - -var msg13137 = msg("10690", dup276); - -var msg13138 = msg("10691", dup201); - -var msg13139 = msg("10692", dup276); - -var msg13140 = msg("10693", dup276); - -var msg13141 = msg("10694", dup201); - -var msg13142 = msg("10695", dup201); - -var msg13143 = msg("10696", dup276); - -var msg13144 = msg("10697", dup276); - -var msg13145 = msg("10698", dup276); - -var msg13146 = msg("10699", dup276); - -var msg13147 = msg("10700", dup276); - -var msg13148 = msg("10701", dup276); - -var msg13149 = msg("10702", dup276); - -var msg13150 = msg("10703", dup276); - -var msg13151 = msg("10704", dup276); - -var msg13152 = msg("10705", dup276); - -var msg13153 = msg("10706", dup276); - -var msg13154 = msg("10707", dup276); - -var msg13155 = msg("10708", dup276); - -var msg13156 = msg("10709", dup276); - -var msg13157 = msg("10710", dup276); - -var msg13158 = msg("10711", dup276); - -var msg13159 = msg("10712", dup276); - -var msg13160 = msg("10713", dup276); - -var msg13161 = msg("10714", dup276); - -var 
msg13162 = msg("10715", dup276); - -var msg13163 = msg("10716", dup276); - -var msg13164 = msg("10717", dup276); - -var msg13165 = msg("10718", dup276); - -var msg13166 = msg("10719", dup276); - -var msg13167 = msg("10720", dup276); - -var msg13168 = msg("10721", dup276); - -var msg13169 = msg("10722", dup276); - -var msg13170 = msg("10723", dup276); - -var msg13171 = msg("10724", dup276); - -var msg13172 = msg("10725", dup276); - -var msg13173 = msg("10726", dup276); - -var msg13174 = msg("10727", dup276); - -var msg13175 = msg("10728", dup276); - -var msg13176 = msg("10729", dup276); - -var msg13177 = msg("10730", dup276); - -var msg13178 = msg("10731", dup276); - -var msg13179 = msg("10732", dup276); - -var msg13180 = msg("10733", dup276); - -var msg13181 = msg("10734", dup276); - -var msg13182 = msg("10735", dup276); - -var msg13183 = msg("10736", dup276); - -var msg13184 = msg("10737", dup276); - -var msg13185 = msg("10738", dup276); - -var msg13186 = msg("10739", dup276); - -var msg13187 = msg("10740", dup276); - -var msg13188 = msg("10741", dup276); - -var msg13189 = msg("10742", dup276); - -var msg13190 = msg("10743", dup276); - -var msg13191 = msg("10744", dup276); - -var msg13192 = msg("10745", dup276); - -var msg13193 = msg("10746", dup276); - -var msg13194 = msg("10747", dup276); - -var msg13195 = msg("10748", dup276); - -var msg13196 = msg("10749", dup276); - -var msg13197 = msg("10750", dup276); - -var msg13198 = msg("10751", dup276); - -var msg13199 = msg("10752", dup276); - -var msg13200 = msg("10753", dup276); - -var msg13201 = msg("10754", dup276); - -var msg13202 = msg("10755", dup276); - -var msg13203 = msg("10756", dup276); - -var msg13204 = msg("10757", dup276); - -var msg13205 = msg("10758", dup276); - -var msg13206 = msg("10759", dup276); - -var msg13207 = msg("10760", dup276); - -var msg13208 = msg("10761", dup276); - -var msg13209 = msg("10762", dup276); - -var msg13210 = msg("10763", dup276); - -var msg13211 = msg("10764", dup276); - -var 
msg13212 = msg("10765", dup276); - -var msg13213 = msg("10766", dup276); - -var msg13214 = msg("10767", dup276); - -var msg13215 = msg("10768", dup276); - -var msg13216 = msg("10769", dup276); - -var msg13217 = msg("10770", dup276); - -var msg13218 = msg("10771", dup276); - -var msg13219 = msg("10772", dup276); - -var msg13220 = msg("10773", dup276); - -var msg13221 = msg("10774", dup276); - -var msg13222 = msg("10775", dup276); - -var msg13223 = msg("10776", dup276); - -var msg13224 = msg("10777", dup276); - -var msg13225 = msg("10778", dup276); - -var msg13226 = msg("10779", dup276); - -var msg13227 = msg("10780", dup276); - -var msg13228 = msg("10781", dup276); - -var msg13229 = msg("10782", dup276); - -var msg13230 = msg("10783", dup276); - -var msg13231 = msg("10784", dup276); - -var msg13232 = msg("10785", dup276); - -var msg13233 = msg("10786", dup276); - -var msg13234 = msg("10787", dup276); - -var msg13235 = msg("10788", dup276); - -var msg13236 = msg("10789", dup276); - -var msg13237 = msg("10790", dup276); - -var msg13238 = msg("10791", dup276); - -var msg13239 = msg("10792", dup276); - -var msg13240 = msg("10793", dup276); - -var msg13241 = msg("10794", dup276); - -var msg13242 = msg("10795", dup276); - -var msg13243 = msg("10796", dup276); - -var msg13244 = msg("10797", dup276); - -var msg13245 = msg("10798", dup276); - -var msg13246 = msg("10799", dup276); - -var msg13247 = msg("10800", dup276); - -var msg13248 = msg("10801", dup276); - -var msg13249 = msg("10802", dup276); - -var msg13250 = msg("10803", dup276); - -var msg13251 = msg("10804", dup276); - -var msg13252 = msg("10805", dup276); - -var msg13253 = msg("10806", dup276); - -var msg13254 = msg("10807", dup276); - -var msg13255 = msg("10808", dup276); - -var msg13256 = msg("10809", dup276); - -var msg13257 = msg("10810", dup276); - -var msg13258 = msg("10811", dup276); - -var msg13259 = msg("10812", dup276); - -var msg13260 = msg("10813", dup276); - -var msg13261 = msg("10814", dup276); - -var 
msg13262 = msg("10815", dup276); - -var msg13263 = msg("10816", dup276); - -var msg13264 = msg("10817", dup276); - -var msg13265 = msg("10818", dup276); - -var msg13266 = msg("10819", dup276); - -var msg13267 = msg("10820", dup276); - -var msg13268 = msg("10821", dup276); - -var msg13269 = msg("10822", dup276); - -var msg13270 = msg("10823", dup276); - -var msg13271 = msg("10824", dup276); - -var msg13272 = msg("10825", dup276); - -var msg13273 = msg("10826", dup276); - -var msg13274 = msg("10827", dup276); - -var msg13275 = msg("10828", dup276); - -var msg13276 = msg("10829", dup276); - -var msg13277 = msg("10830", dup276); - -var msg13278 = msg("10831", dup276); - -var msg13279 = msg("10832", dup276); - -var msg13280 = msg("10833", dup276); - -var msg13281 = msg("10834", dup276); - -var msg13282 = msg("10835", dup276); - -var msg13283 = msg("10836", dup276); - -var msg13284 = msg("10837", dup276); - -var msg13285 = msg("10838", dup276); - -var msg13286 = msg("10839", dup276); - -var msg13287 = msg("10840", dup276); - -var msg13288 = msg("10841", dup276); - -var msg13289 = msg("10842", dup276); - -var msg13290 = msg("10843", dup276); - -var msg13291 = msg("10844", dup276); - -var msg13292 = msg("10845", dup276); - -var msg13293 = msg("10846", dup276); - -var msg13294 = msg("10847", dup276); - -var msg13295 = msg("10848", dup276); - -var msg13296 = msg("10849", dup276); - -var msg13297 = msg("10850", dup276); - -var msg13298 = msg("10851", dup276); - -var msg13299 = msg("10852", dup276); - -var msg13300 = msg("10853", dup276); - -var msg13301 = msg("10854", dup276); - -var msg13302 = msg("10855", dup276); - -var msg13303 = msg("10856", dup276); - -var msg13304 = msg("10857", dup276); - -var msg13305 = msg("10858", dup276); - -var msg13306 = msg("10859", dup276); - -var msg13307 = msg("10860", dup276); - -var msg13308 = msg("10861", dup276); - -var msg13309 = msg("10862", dup276); - -var msg13310 = msg("10863", dup276); - -var msg13311 = msg("10864", dup276); - -var 
msg13312 = msg("10865", dup276); - -var msg13313 = msg("10866", dup276); - -var msg13314 = msg("10867", dup276); - -var msg13315 = msg("10868", dup276); - -var msg13316 = msg("10869", dup276); - -var msg13317 = msg("10870", dup276); - -var msg13318 = msg("10871", dup276); - -var msg13319 = msg("10872", dup276); - -var msg13320 = msg("10873", dup276); - -var msg13321 = msg("10874", dup276); - -var msg13322 = msg("10875", dup276); - -var msg13323 = msg("10876", dup276); - -var msg13324 = msg("10877", dup276); - -var msg13325 = msg("10878", dup276); - -var msg13326 = msg("10879", dup276); - -var msg13327 = msg("10880", dup276); - -var msg13328 = msg("10881", dup276); - -var msg13329 = msg("10882", dup276); - -var msg13330 = msg("10883", dup276); - -var msg13331 = msg("10884", dup276); - -var msg13332 = msg("10885", dup276); - -var msg13333 = msg("10886", dup276); - -var msg13334 = msg("10887", dup276); - -var msg13335 = msg("10888", dup276); - -var msg13336 = msg("10889", dup276); - -var msg13337 = msg("10890", dup276); - -var msg13338 = msg("10891", dup276); - -var msg13339 = msg("10892", dup276); - -var msg13340 = msg("10893", dup276); - -var msg13341 = msg("10894", dup276); - -var msg13342 = msg("10895", dup276); - -var msg13343 = msg("10896", dup276); - -var msg13344 = msg("10897", dup276); - -var msg13345 = msg("10898", dup276); - -var msg13346 = msg("10899", dup276); - -var msg13347 = msg("10900", dup276); - -var msg13348 = msg("10901", dup276); - -var msg13349 = msg("10902", dup276); - -var msg13350 = msg("10903", dup276); - -var msg13351 = msg("10904", dup276); - -var msg13352 = msg("10905", dup276); - -var msg13353 = msg("10906", dup276); - -var msg13354 = msg("10907", dup276); - -var msg13355 = msg("10908", dup276); - -var msg13356 = msg("10909", dup276); - -var msg13357 = msg("10910", dup276); - -var msg13358 = msg("10911", dup276); - -var msg13359 = msg("10912", dup276); - -var msg13360 = msg("10913", dup276); - -var msg13361 = msg("10914", dup276); - -var 
msg13362 = msg("10915", dup276); - -var msg13363 = msg("10916", dup276); - -var msg13364 = msg("10917", dup276); - -var msg13365 = msg("10918", dup276); - -var msg13366 = msg("10919", dup276); - -var msg13367 = msg("10920", dup276); - -var msg13368 = msg("10921", dup276); - -var msg13369 = msg("10922", dup276); - -var msg13370 = msg("10923", dup276); - -var msg13371 = msg("10924", dup276); - -var msg13372 = msg("10925", dup276); - -var msg13373 = msg("10926", dup276); - -var msg13374 = msg("10927", dup276); - -var msg13375 = msg("10928", dup276); - -var msg13376 = msg("10929", dup276); - -var msg13377 = msg("10930", dup276); - -var msg13378 = msg("10931", dup276); - -var msg13379 = msg("10932", dup276); - -var msg13380 = msg("10933", dup276); - -var msg13381 = msg("10934", dup276); - -var msg13382 = msg("10935", dup276); - -var msg13383 = msg("10936", dup276); - -var msg13384 = msg("10937", dup276); - -var msg13385 = msg("10938", dup276); - -var msg13386 = msg("10939", dup276); - -var msg13387 = msg("10940", dup276); - -var msg13388 = msg("10941", dup276); - -var msg13389 = msg("10942", dup276); - -var msg13390 = msg("10943", dup276); - -var msg13391 = msg("10944", dup276); - -var msg13392 = msg("10945", dup276); - -var msg13393 = msg("10946", dup276); - -var msg13394 = msg("10947", dup276); - -var msg13395 = msg("10948", dup276); - -var msg13396 = msg("10949", dup276); - -var msg13397 = msg("10950", dup276); - -var msg13398 = msg("10951", dup276); - -var msg13399 = msg("10952", dup276); - -var msg13400 = msg("10953", dup276); - -var msg13401 = msg("10954", dup201); - -var msg13402 = msg("10955", dup201); - -var msg13403 = msg("10956", dup201); - -var msg13404 = msg("10957", dup201); - -var msg13405 = msg("10958", dup276); - -var msg13406 = msg("10959", dup201); - -var msg13407 = msg("10960", dup276); - -var msg13408 = msg("10961", dup276); - -var msg13409 = msg("10962", dup276); - -var msg13410 = msg("10963", dup276); - -var msg13411 = msg("10964", dup201); - -var 
msg13412 = msg("10965", dup276); - -var msg13413 = msg("10966", dup201); - -var msg13414 = msg("10967", dup201); - -var msg13415 = msg("10968", dup276); - -var msg13416 = msg("10969", dup276); - -var msg13417 = msg("10970", dup201); - -var msg13418 = msg("10971", dup201); - -var msg13419 = msg("10972", dup201); - -var msg13420 = msg("10973", dup201); - -var msg13421 = msg("10974", dup276); - -var msg13422 = msg("10975", dup276); - -var msg13423 = msg("10976", dup276); - -var msg13424 = msg("10977", dup276); - -var msg13425 = msg("10978", dup265); - -var msg13426 = msg("10979", dup265); - -var msg13427 = msg("10980", dup265); - -var msg13428 = msg("10981", dup265); - -var msg13429 = msg("10982", dup265); - -var msg13430 = msg("10983", dup265); - -var msg13431 = msg("10984", dup265); - -var msg13432 = msg("10985", dup265); - -var msg13433 = msg("10986", dup265); - -var msg13434 = msg("10987", dup265); - -var msg13435 = msg("10988", dup265); - -var msg13436 = msg("10989", dup265); - -var msg13437 = msg("10990", dup265); - -var msg13438 = msg("10991", dup265); - -var msg13439 = msg("10992", dup265); - -var msg13440 = msg("10993", dup265); - -var msg13441 = msg("10994", dup265); - -var msg13442 = msg("10995", dup198); - -var msg13443 = msg("10996", dup265); - -var msg13444 = msg("10997", dup267); - -var msg13445 = msg("10998", dup197); - -var msg13446 = msg("10999", dup265); - -var msg13447 = msg("11000", dup222); - -var msg13448 = msg("11001", dup222); - -var msg13449 = msg("11002", dup222); - -var msg13450 = msg("11003", dup222); - -var msg13451 = msg("11004", dup197); - -var msg13452 = msg("11005", dup276); - -var msg13453 = msg("11006", dup276); - -var msg13454 = msg("11007", dup276); - -var msg13455 = msg("11008", dup276); - -var msg13456 = msg("11009", dup276); - -var msg13457 = msg("11010", dup276); - -var msg13458 = msg("11011", dup276); - -var msg13459 = msg("11012", dup276); - -var msg13460 = msg("11013", dup276); - -var msg13461 = msg("11014", dup276); - -var 
msg13462 = msg("11015", dup276); - -var msg13463 = msg("11016", dup276); - -var msg13464 = msg("11017", dup276); - -var msg13465 = msg("11018", dup276); - -var msg13466 = msg("11019", dup276); - -var msg13467 = msg("11020", dup276); - -var msg13468 = msg("11021", dup276); - -var msg13469 = msg("11022", dup276); - -var msg13470 = msg("11023", dup276); - -var msg13471 = msg("11024", dup276); - -var msg13472 = msg("11025", dup276); - -var msg13473 = msg("11026", dup276); - -var msg13474 = msg("11027", dup276); - -var msg13475 = msg("11028", dup276); - -var msg13476 = msg("11029", dup276); - -var msg13477 = msg("11030", dup276); - -var msg13478 = msg("11031", dup276); - -var msg13479 = msg("11032", dup276); - -var msg13480 = msg("11033", dup276); - -var msg13481 = msg("11034", dup276); - -var msg13482 = msg("11035", dup276); - -var msg13483 = msg("11036", dup276); - -var msg13484 = msg("11037", dup276); - -var msg13485 = msg("11038", dup276); - -var msg13486 = msg("11039", dup276); - -var msg13487 = msg("11040", dup276); - -var msg13488 = msg("11041", dup276); - -var msg13489 = msg("11042", dup276); - -var msg13490 = msg("11043", dup276); - -var msg13491 = msg("11044", dup276); - -var msg13492 = msg("11045", dup276); - -var msg13493 = msg("11046", dup276); - -var msg13494 = msg("11047", dup276); - -var msg13495 = msg("11048", dup276); - -var msg13496 = msg("11049", dup276); - -var msg13497 = msg("11050", dup276); - -var msg13498 = msg("11051", dup276); - -var msg13499 = msg("11052", dup276); - -var msg13500 = msg("11053", dup276); - -var msg13501 = msg("11054", dup276); - -var msg13502 = msg("11055", dup276); - -var msg13503 = msg("11056", dup276); - -var msg13504 = msg("11057", dup276); - -var msg13505 = msg("11058", dup276); - -var msg13506 = msg("11059", dup276); - -var msg13507 = msg("11060", dup276); - -var msg13508 = msg("11061", dup276); - -var msg13509 = msg("11062", dup276); - -var msg13510 = msg("11063", dup276); - -var msg13511 = msg("11064", dup276); - -var 
msg13512 = msg("11065", dup276); - -var msg13513 = msg("11066", dup276); - -var msg13514 = msg("11067", dup276); - -var msg13515 = msg("11068", dup276); - -var msg13516 = msg("11069", dup276); - -var msg13517 = msg("11070", dup276); - -var msg13518 = msg("11071", dup276); - -var msg13519 = msg("11072", dup276); - -var msg13520 = msg("11073", dup276); - -var msg13521 = msg("11074", dup276); - -var msg13522 = msg("11075", dup276); - -var msg13523 = msg("11076", dup276); - -var msg13524 = msg("11077", dup276); - -var msg13525 = msg("11078", dup276); - -var msg13526 = msg("11079", dup276); - -var msg13527 = msg("11080", dup276); - -var msg13528 = msg("11081", dup276); - -var msg13529 = msg("11082", dup276); - -var msg13530 = msg("11083", dup276); - -var msg13531 = msg("11084", dup276); - -var msg13532 = msg("11085", dup276); - -var msg13533 = msg("11086", dup276); - -var msg13534 = msg("11087", dup276); - -var msg13535 = msg("11088", dup276); - -var msg13536 = msg("11089", dup276); - -var msg13537 = msg("11090", dup276); - -var msg13538 = msg("11091", dup276); - -var msg13539 = msg("11092", dup276); - -var msg13540 = msg("11093", dup276); - -var msg13541 = msg("11094", dup276); - -var msg13542 = msg("11095", dup276); - -var msg13543 = msg("11096", dup276); - -var msg13544 = msg("11097", dup276); - -var msg13545 = msg("11098", dup276); - -var msg13546 = msg("11099", dup276); - -var msg13547 = msg("11100", dup276); - -var msg13548 = msg("11101", dup276); - -var msg13549 = msg("11102", dup276); - -var msg13550 = msg("11103", dup276); - -var msg13551 = msg("11104", dup276); - -var msg13552 = msg("11105", dup276); - -var msg13553 = msg("11106", dup276); - -var msg13554 = msg("11107", dup276); - -var msg13555 = msg("11108", dup276); - -var msg13556 = msg("11109", dup276); - -var msg13557 = msg("11110", dup276); - -var msg13558 = msg("11111", dup276); - -var msg13559 = msg("11112", dup276); - -var msg13560 = msg("11113", dup276); - -var msg13561 = msg("11114", dup276); - -var 
msg13562 = msg("11115", dup276); - -var msg13563 = msg("11116", dup276); - -var msg13564 = msg("11117", dup276); - -var msg13565 = msg("11118", dup276); - -var msg13566 = msg("11119", dup276); - -var msg13567 = msg("11120", dup276); - -var msg13568 = msg("11121", dup276); - -var msg13569 = msg("11122", dup276); - -var msg13570 = msg("11123", dup276); - -var msg13571 = msg("11124", dup276); - -var msg13572 = msg("11125", dup276); - -var msg13573 = msg("11126", dup276); - -var msg13574 = msg("11127", dup276); - -var msg13575 = msg("11128", dup276); - -var msg13576 = msg("11129", dup276); - -var msg13577 = msg("11130", dup276); - -var msg13578 = msg("11131", dup276); - -var msg13579 = msg("11132", dup276); - -var msg13580 = msg("11133", dup276); - -var msg13581 = msg("11134", dup276); - -var msg13582 = msg("11135", dup276); - -var msg13583 = msg("11136", dup276); - -var msg13584 = msg("11137", dup276); - -var msg13585 = msg("11138", dup276); - -var msg13586 = msg("11139", dup276); - -var msg13587 = msg("11140", dup276); - -var msg13588 = msg("11141", dup276); - -var msg13589 = msg("11142", dup276); - -var msg13590 = msg("11143", dup276); - -var msg13591 = msg("11144", dup276); - -var msg13592 = msg("11145", dup276); - -var msg13593 = msg("11146", dup276); - -var msg13594 = msg("11147", dup276); - -var msg13595 = msg("11148", dup276); - -var msg13596 = msg("11149", dup276); - -var msg13597 = msg("11150", dup276); - -var msg13598 = msg("11151", dup276); - -var msg13599 = msg("11152", dup276); - -var msg13600 = msg("11153", dup276); - -var msg13601 = msg("11154", dup276); - -var msg13602 = msg("11155", dup276); - -var msg13603 = msg("11156", dup276); - -var msg13604 = msg("11157", dup276); - -var msg13605 = msg("11158", dup276); - -var msg13606 = msg("11159", dup276); - -var msg13607 = msg("11160", dup276); - -var msg13608 = msg("11161", dup276); - -var msg13609 = msg("11162", dup276); - -var msg13610 = msg("11163", dup276); - -var msg13611 = msg("11164", dup276); - -var 
msg13612 = msg("11165", dup276); - -var msg13613 = msg("11166", dup276); - -var msg13614 = msg("11167", dup276); - -var msg13615 = msg("11168", dup276); - -var msg13616 = msg("11169", dup276); - -var msg13617 = msg("11170", dup276); - -var msg13618 = msg("11171", dup276); - -var msg13619 = msg("11172", dup276); - -var msg13620 = msg("11173", dup276); - -var msg13621 = msg("11174", dup276); - -var msg13622 = msg("11175", dup201); - -var msg13623 = msg("11176", dup265); - -var msg13624 = msg("11177", dup265); - -var msg13625 = msg("11178", dup265); - -var msg13626 = msg("11179", dup265); - -var msg13627 = msg("11180", dup196); - -var msg13628 = msg("11181", dup265); - -var msg13629 = msg("11182", dup265); - -var msg13630 = msg("11183", dup265); - -var msg13631 = msg("11184", dup265); - -var msg13632 = msg("11185", dup198); - -var msg13633 = msg("11186", dup198); - -var msg13634 = msg("11187", dup265); - -var msg13635 = msg("11188", dup265); - -var msg13636 = msg("11189", dup265); - -var msg13637 = msg("11190", dup265); - -var msg13638 = msg("11191", dup196); - -var msg13639 = msg("11192", dup196); - -var msg13640 = msg("11193", dup240); - -var msg13641 = msg("11194", dup240); - -var msg13642 = msg("11196", dup197); - -var msg13643 = msg("11197", dup265); - -var msg13644 = msg("11198", dup265); - -var msg13645 = msg("11199", dup265); - -var msg13646 = msg("11200", dup265); - -var msg13647 = msg("11201", dup265); - -var msg13648 = msg("11202", dup265); - -var msg13649 = msg("11203", dup196); - -var msg13650 = msg("11204", dup196); - -var msg13651 = msg("11205", dup196); - -var msg13652 = msg("11206", dup265); - -var msg13653 = msg("11207", dup265); - -var msg13654 = msg("11208", dup265); - -var msg13655 = msg("11209", dup265); - -var msg13656 = msg("11210", dup265); - -var msg13657 = msg("11211", dup265); - -var msg13658 = msg("11212", dup265); - -var msg13659 = msg("11213", dup265); - -var msg13660 = msg("11214", dup265); - -var msg13661 = msg("11215", dup265); - -var 
msg13662 = msg("11216", dup265); - -var msg13663 = msg("11217", dup265); - -var msg13664 = msg("11218", dup265); - -var msg13665 = msg("11219", dup265); - -var msg13666 = msg("11220", dup265); - -var msg13667 = msg("11221", dup265); - -var msg13668 = msg("11222", dup198); - -var msg13669 = msg("11223", dup269); - -var msg13670 = msg("11224", dup265); - -var msg13671 = msg("11225", dup265); - -var msg13672 = msg("11226", dup265); - -var msg13673 = msg("11227", dup265); - -var msg13674 = msg("11228", dup265); - -var msg13675 = msg("11229", dup265); - -var msg13676 = msg("11230", dup265); - -var msg13677 = msg("11231", dup265); - -var msg13678 = msg("11232", dup265); - -var msg13679 = msg("11233", dup265); - -var msg13680 = msg("11234", dup265); - -var msg13681 = msg("11235", dup265); - -var msg13682 = msg("11236", dup265); - -var msg13683 = msg("11237", dup265); - -var msg13684 = msg("11238", dup265); - -var msg13685 = msg("11239", dup265); - -var msg13686 = msg("11240", dup265); - -var msg13687 = msg("11241", dup265); - -var msg13688 = msg("11242", dup265); - -var msg13689 = msg("11243", dup265); - -var msg13690 = msg("11244", dup265); - -var msg13691 = msg("11245", dup265); - -var msg13692 = msg("11246", dup265); - -var msg13693 = msg("11247", dup265); - -var msg13694 = msg("11248", dup265); - -var msg13695 = msg("11249", dup265); - -var msg13696 = msg("11250", dup265); - -var msg13697 = msg("11251", dup265); - -var msg13698 = msg("11252", dup265); - -var msg13699 = msg("11253", dup265); - -var msg13700 = msg("11254", dup265); - -var msg13701 = msg("11255", dup265); - -var msg13702 = msg("11256", dup265); - -var msg13703 = msg("11257", dup267); - -var msg13704 = msg("11258", dup197); - -var msg13705 = msg("11259", dup265); - -var msg13706 = msg("11260", dup265); - -var msg13707 = msg("11261", dup265); - -var msg13708 = msg("11262", dup265); - -var msg13709 = msg("11263", dup198); - -var msg13710 = msg("11264", dup260); - -var msg13711 = msg("11265", dup222); - -var 
msg13712 = msg("11266", dup222); - -var msg13713 = msg("11267", dup267); - -var msg13714 = msg("11268", dup194); - -var msg13715 = msg("11269", dup194); - -var msg13716 = msg("11270", dup194); - -var msg13717 = msg("11271", dup194); - -var msg13718 = msg("11272", dup267); - -var msg13719 = msg("11273", dup198); - -var msg13720 = msg("11274", dup265); - -var msg13721 = msg("11275", dup265); - -var msg13722 = msg("11276", dup265); - -var msg13723 = msg("11277", dup265); - -var msg13724 = msg("11278", dup265); - -var msg13725 = msg("11279", dup265); - -var msg13726 = msg("11280", dup265); - -var msg13727 = msg("11281", dup265); - -var msg13728 = msg("11282", dup265); - -var msg13729 = msg("11283", dup265); - -var msg13730 = msg("11284", dup265); - -var msg13731 = msg("11285", dup265); - -var msg13732 = msg("11286", dup265); - -var msg13733 = msg("11287", dup265); - -var msg13734 = msg("11288", dup287); - -var msg13735 = msg("11289", dup198); - -var msg13736 = msg("11290", dup197); - -var msg13737 = msg("11291", dup265); - -var msg13738 = msg("11292", dup265); - -var msg13739 = msg("11293", dup265); - -var msg13740 = msg("11294", dup265); - -var msg13741 = msg("11295", dup265); - -var msg13742 = msg("11296", dup265); - -var msg13743 = msg("11297", dup265); - -var msg13744 = msg("11298", dup265); - -var msg13745 = msg("11299", dup265); - -var msg13746 = msg("11300", dup265); - -var msg13747 = msg("11301", dup265); - -var msg13748 = msg("11302", dup265); - -var msg13749 = msg("11303", dup265); - -var msg13750 = msg("11304", dup265); - -var msg13751 = msg("11305", dup303); - -var msg13752 = msg("11306", dup303); - -var msg13753 = msg("11307", dup303); - -var msg13754 = msg("11308", dup303); - -var msg13755 = msg("11309", dup303); - -var msg13756 = msg("11310", dup303); - -var msg13757 = msg("11311", dup303); - -var msg13758 = msg("11312", dup303); - -var msg13759 = msg("11313", dup303); - -var msg13760 = msg("11314", dup192); - -var msg13761 = msg("11315", dup192); - -var 
msg13762 = msg("11316", dup192); - -var msg13763 = msg("11317", dup192); - -var msg13764 = msg("11318", dup192); - -var msg13765 = msg("11319", dup192); - -var msg13766 = msg("11320", dup192); - -var msg13767 = msg("11321", dup192); - -var msg13768 = msg("11322", dup192); - -var msg13769 = msg("11323", dup192); - -var msg13770 = msg("11324", dup265); - -var msg13771 = msg("11325", dup265); - -var msg13772 = msg("11326", dup276); - -var msg13773 = msg("11327", dup276); - -var msg13774 = msg("11328", dup276); - -var msg13775 = msg("11329", dup276); - -var msg13776 = msg("11330", dup276); - -var msg13777 = msg("11331", dup276); - -var msg13778 = msg("11332", dup276); - -var msg13779 = msg("11333", dup276); - -var msg13780 = msg("11334", dup276); - -var msg13781 = msg("11335", dup276); - -var msg13782 = msg("11336", dup276); - -var msg13783 = msg("11337", dup276); - -var msg13784 = msg("11338", dup276); - -var msg13785 = msg("11339", dup276); - -var msg13786 = msg("11340", dup276); - -var msg13787 = msg("11341", dup276); - -var msg13788 = msg("11342", dup276); - -var msg13789 = msg("11343", dup276); - -var msg13790 = msg("11344", dup276); - -var msg13791 = msg("11345", dup276); - -var msg13792 = msg("11346", dup276); - -var msg13793 = msg("11347", dup276); - -var msg13794 = msg("11348", dup276); - -var msg13795 = msg("11349", dup276); - -var msg13796 = msg("11350", dup276); - -var msg13797 = msg("11351", dup276); - -var msg13798 = msg("11352", dup276); - -var msg13799 = msg("11353", dup276); - -var msg13800 = msg("11354", dup276); - -var msg13801 = msg("11355", dup276); - -var msg13802 = msg("11356", dup276); - -var msg13803 = msg("11357", dup276); - -var msg13804 = msg("11358", dup276); - -var msg13805 = msg("11359", dup276); - -var msg13806 = msg("11360", dup276); - -var msg13807 = msg("11361", dup276); - -var msg13808 = msg("11362", dup276); - -var msg13809 = msg("11363", dup276); - -var msg13810 = msg("11364", dup276); - -var msg13811 = msg("11365", dup276); - -var 
msg13812 = msg("11366", dup276); - -var msg13813 = msg("11367", dup276); - -var msg13814 = msg("11368", dup276); - -var msg13815 = msg("11369", dup276); - -var msg13816 = msg("11370", dup276); - -var msg13817 = msg("11371", dup276); - -var msg13818 = msg("11372", dup276); - -var msg13819 = msg("11373", dup276); - -var msg13820 = msg("11374", dup276); - -var msg13821 = msg("11375", dup276); - -var msg13822 = msg("11376", dup276); - -var msg13823 = msg("11377", dup276); - -var msg13824 = msg("11378", dup276); - -var msg13825 = msg("11379", dup276); - -var msg13826 = msg("11380", dup276); - -var msg13827 = msg("11381", dup276); - -var msg13828 = msg("11382", dup276); - -var msg13829 = msg("11383", dup276); - -var msg13830 = msg("11384", dup276); - -var msg13831 = msg("11385", dup276); - -var msg13832 = msg("11386", dup276); - -var msg13833 = msg("11387", dup276); - -var msg13834 = msg("11388", dup276); - -var msg13835 = msg("11389", dup276); - -var msg13836 = msg("11390", dup276); - -var msg13837 = msg("11391", dup276); - -var msg13838 = msg("11392", dup276); - -var msg13839 = msg("11393", dup276); - -var msg13840 = msg("11394", dup276); - -var msg13841 = msg("11395", dup276); - -var msg13842 = msg("11396", dup276); - -var msg13843 = msg("11397", dup276); - -var msg13844 = msg("11398", dup276); - -var msg13845 = msg("11399", dup276); - -var msg13846 = msg("11400", dup276); - -var msg13847 = msg("11401", dup276); - -var msg13848 = msg("11402", dup276); - -var msg13849 = msg("11403", dup276); - -var msg13850 = msg("11404", dup276); - -var msg13851 = msg("11405", dup276); - -var msg13852 = msg("11406", dup276); - -var msg13853 = msg("11407", dup276); - -var msg13854 = msg("11408", dup276); - -var msg13855 = msg("11409", dup276); - -var msg13856 = msg("11410", dup276); - -var msg13857 = msg("11411", dup276); - -var msg13858 = msg("11412", dup276); - -var msg13859 = msg("11413", dup276); - -var msg13860 = msg("11414", dup276); - -var msg13861 = msg("11415", dup276); - -var 
msg13862 = msg("11416", dup276); - -var msg13863 = msg("11417", dup276); - -var msg13864 = msg("11418", dup276); - -var msg13865 = msg("11419", dup276); - -var msg13866 = msg("11420", dup276); - -var msg13867 = msg("11421", dup276); - -var msg13868 = msg("11422", dup276); - -var msg13869 = msg("11423", dup276); - -var msg13870 = msg("11424", dup276); - -var msg13871 = msg("11425", dup276); - -var msg13872 = msg("11426", dup276); - -var msg13873 = msg("11427", dup276); - -var msg13874 = msg("11428", dup276); - -var msg13875 = msg("11429", dup276); - -var msg13876 = msg("11430", dup276); - -var msg13877 = msg("11431", dup276); - -var msg13878 = msg("11432", dup276); - -var msg13879 = msg("11433", dup276); - -var msg13880 = msg("11434", dup276); - -var msg13881 = msg("11435", dup276); - -var msg13882 = msg("11436", dup276); - -var msg13883 = msg("11437", dup276); - -var msg13884 = msg("11438", dup276); - -var msg13885 = msg("11439", dup276); - -var msg13886 = msg("11440", dup276); - -var msg13887 = msg("11441", dup276); - -var msg13888 = msg("11442", dup276); - -var msg13889 = msg("11443", dup276); - -var msg13890 = msg("11444", dup276); - -var msg13891 = msg("11445", dup276); - -var msg13892 = msg("11446", dup276); - -var msg13893 = msg("11447", dup276); - -var msg13894 = msg("11448", dup276); - -var msg13895 = msg("11449", dup276); - -var msg13896 = msg("11450", dup276); - -var msg13897 = msg("11451", dup276); - -var msg13898 = msg("11452", dup276); - -var msg13899 = msg("11453", dup276); - -var msg13900 = msg("11454", dup276); - -var msg13901 = msg("11455", dup276); - -var msg13902 = msg("11456", dup276); - -var msg13903 = msg("11457", dup276); - -var msg13904 = msg("11458", dup276); - -var msg13905 = msg("11459", dup276); - -var msg13906 = msg("11460", dup276); - -var msg13907 = msg("11461", dup276); - -var msg13908 = msg("11462", dup276); - -var msg13909 = msg("11463", dup276); - -var msg13910 = msg("11464", dup276); - -var msg13911 = msg("11465", dup276); - -var 
msg13912 = msg("11466", dup276); - -var msg13913 = msg("11467", dup276); - -var msg13914 = msg("11468", dup276); - -var msg13915 = msg("11469", dup276); - -var msg13916 = msg("11470", dup276); - -var msg13917 = msg("11471", dup276); - -var msg13918 = msg("11472", dup276); - -var msg13919 = msg("11473", dup276); - -var msg13920 = msg("11474", dup276); - -var msg13921 = msg("11475", dup276); - -var msg13922 = msg("11476", dup276); - -var msg13923 = msg("11477", dup276); - -var msg13924 = msg("11478", dup276); - -var msg13925 = msg("11479", dup276); - -var msg13926 = msg("11480", dup276); - -var msg13927 = msg("11481", dup276); - -var msg13928 = msg("11482", dup276); - -var msg13929 = msg("11483", dup276); - -var msg13930 = msg("11484", dup276); - -var msg13931 = msg("11485", dup276); - -var msg13932 = msg("11486", dup276); - -var msg13933 = msg("11487", dup276); - -var msg13934 = msg("11488", dup276); - -var msg13935 = msg("11489", dup276); - -var msg13936 = msg("11490", dup276); - -var msg13937 = msg("11491", dup276); - -var msg13938 = msg("11492", dup276); - -var msg13939 = msg("11493", dup276); - -var msg13940 = msg("11494", dup276); - -var msg13941 = msg("11495", dup276); - -var msg13942 = msg("11496", dup276); - -var msg13943 = msg("11497", dup276); - -var msg13944 = msg("11498", dup276); - -var msg13945 = msg("11499", dup276); - -var msg13946 = msg("11500", dup276); - -var msg13947 = msg("11501", dup276); - -var msg13948 = msg("11502", dup276); - -var msg13949 = msg("11503", dup276); - -var msg13950 = msg("11504", dup276); - -var msg13951 = msg("11505", dup276); - -var msg13952 = msg("11506", dup276); - -var msg13953 = msg("11507", dup276); - -var msg13954 = msg("11508", dup276); - -var msg13955 = msg("11509", dup276); - -var msg13956 = msg("11510", dup276); - -var msg13957 = msg("11511", dup276); - -var msg13958 = msg("11512", dup276); - -var msg13959 = msg("11513", dup276); - -var msg13960 = msg("11514", dup276); - -var msg13961 = msg("11515", dup276); - -var 
msg13962 = msg("11516", dup276); - -var msg13963 = msg("11517", dup276); - -var msg13964 = msg("11518", dup276); - -var msg13965 = msg("11519", dup276); - -var msg13966 = msg("11520", dup276); - -var msg13967 = msg("11521", dup276); - -var msg13968 = msg("11522", dup276); - -var msg13969 = msg("11523", dup276); - -var msg13970 = msg("11524", dup276); - -var msg13971 = msg("11525", dup276); - -var msg13972 = msg("11526", dup276); - -var msg13973 = msg("11527", dup276); - -var msg13974 = msg("11528", dup276); - -var msg13975 = msg("11529", dup276); - -var msg13976 = msg("11530", dup276); - -var msg13977 = msg("11531", dup276); - -var msg13978 = msg("11532", dup276); - -var msg13979 = msg("11533", dup276); - -var msg13980 = msg("11534", dup276); - -var msg13981 = msg("11535", dup276); - -var msg13982 = msg("11536", dup276); - -var msg13983 = msg("11537", dup276); - -var msg13984 = msg("11538", dup276); - -var msg13985 = msg("11539", dup276); - -var msg13986 = msg("11540", dup276); - -var msg13987 = msg("11541", dup276); - -var msg13988 = msg("11542", dup276); - -var msg13989 = msg("11543", dup276); - -var msg13990 = msg("11544", dup276); - -var msg13991 = msg("11545", dup276); - -var msg13992 = msg("11546", dup276); - -var msg13993 = msg("11547", dup276); - -var msg13994 = msg("11548", dup276); - -var msg13995 = msg("11549", dup276); - -var msg13996 = msg("11550", dup276); - -var msg13997 = msg("11551", dup276); - -var msg13998 = msg("11552", dup276); - -var msg13999 = msg("11553", dup276); - -var msg14000 = msg("11554", dup276); - -var msg14001 = msg("11555", dup276); - -var msg14002 = msg("11556", dup276); - -var msg14003 = msg("11557", dup276); - -var msg14004 = msg("11558", dup276); - -var msg14005 = msg("11559", dup276); - -var msg14006 = msg("11560", dup276); - -var msg14007 = msg("11561", dup276); - -var msg14008 = msg("11562", dup276); - -var msg14009 = msg("11563", dup276); - -var msg14010 = msg("11564", dup276); - -var msg14011 = msg("11565", dup276); - -var 
msg14012 = msg("11566", dup276); - -var msg14013 = msg("11567", dup276); - -var msg14014 = msg("11568", dup276); - -var msg14015 = msg("11569", dup276); - -var msg14016 = msg("11570", dup276); - -var msg14017 = msg("11571", dup276); - -var msg14018 = msg("11572", dup276); - -var msg14019 = msg("11573", dup276); - -var msg14020 = msg("11574", dup276); - -var msg14021 = msg("11575", dup276); - -var msg14022 = msg("11576", dup276); - -var msg14023 = msg("11577", dup276); - -var msg14024 = msg("11578", dup276); - -var msg14025 = msg("11579", dup276); - -var msg14026 = msg("11580", dup276); - -var msg14027 = msg("11581", dup276); - -var msg14028 = msg("11582", dup276); - -var msg14029 = msg("11583", dup276); - -var msg14030 = msg("11584", dup276); - -var msg14031 = msg("11585", dup276); - -var msg14032 = msg("11586", dup276); - -var msg14033 = msg("11587", dup276); - -var msg14034 = msg("11588", dup201); - -var msg14035 = msg("11589", dup201); - -var msg14036 = msg("11590", dup201); - -var msg14037 = msg("11591", dup276); - -var msg14038 = msg("11592", dup276); - -var msg14039 = msg("11593", dup276); - -var msg14040 = msg("11594", dup276); - -var msg14041 = msg("11595", dup201); - -var msg14042 = msg("11596", dup201); - -var msg14043 = msg("11597", dup276); - -var msg14044 = msg("11598", dup201); - -var msg14045 = msg("11599", dup276); - -var msg14046 = msg("11600", dup276); - -var msg14047 = msg("11601", dup201); - -var msg14048 = msg("11602", dup276); - -var msg14049 = msg("11603", dup276); - -var msg14050 = msg("11604", dup276); - -var msg14051 = msg("11605", dup201); - -var msg14052 = msg("11606", dup276); - -var msg14053 = msg("11607", dup276); - -var msg14054 = msg("11608", dup276); - -var msg14055 = msg("11609", dup201); - -var msg14056 = msg("11610", dup201); - -var msg14057 = msg("11611", dup276); - -var msg14058 = msg("11612", dup201); - -var msg14059 = msg("11613", dup201); - -var msg14060 = msg("11614", dup276); - -var msg14061 = msg("11615", dup276); - -var 
msg14062 = msg("11616", dup260); - -var msg14063 = msg("11617", dup197); - -var msg14064 = msg("11618", dup197); - -var msg14065 = msg("11619", dup260); - -var msg14066 = msg("11620", dup265); - -var msg14067 = msg("11621", dup265); - -var msg14068 = msg("11622", dup265); - -var msg14069 = msg("11623", dup265); - -var msg14070 = msg("11624", dup265); - -var msg14071 = msg("11625", dup265); - -var msg14072 = msg("11626", dup265); - -var msg14073 = msg("11627", dup265); - -var msg14074 = msg("11628", dup265); - -var msg14075 = msg("11629", dup265); - -var msg14076 = msg("11630", dup265); - -var msg14077 = msg("11631", dup265); - -var msg14078 = msg("11632", dup265); - -var msg14079 = msg("11633", dup265); - -var msg14080 = msg("11634", dup265); - -var msg14081 = msg("11635", dup265); - -var msg14082 = msg("11636", dup265); - -var msg14083 = msg("11637", dup265); - -var msg14084 = msg("11638", dup265); - -var msg14085 = msg("11639", dup265); - -var msg14086 = msg("11640", dup265); - -var msg14087 = msg("11641", dup265); - -var msg14088 = msg("11642", dup265); - -var msg14089 = msg("11643", dup265); - -var msg14090 = msg("11644", dup265); - -var msg14091 = msg("11645", dup265); - -var msg14092 = msg("11646", dup265); - -var msg14093 = msg("11647", dup265); - -var msg14094 = msg("11648", dup265); - -var msg14095 = msg("11649", dup265); - -var msg14096 = msg("11650", dup265); - -var msg14097 = msg("11651", dup265); - -var msg14098 = msg("11652", dup265); - -var msg14099 = msg("11653", dup265); - -var msg14100 = msg("11654", dup265); - -var msg14101 = msg("11655", dup265); - -var msg14102 = msg("11656", dup265); - -var msg14103 = msg("11657", dup265); - -var msg14104 = msg("11658", dup265); - -var msg14105 = msg("11659", dup265); - -var msg14106 = msg("11660", dup265); - -var msg14107 = msg("11661", dup265); - -var msg14108 = msg("11662", dup265); - -var msg14109 = msg("11663", dup265); - -var msg14110 = msg("11664", dup265); - -var msg14111 = msg("11665", dup265); - -var 
msg14112 = msg("11666", dup265); - -var msg14113 = msg("11667", dup265); - -var msg14114 = msg("11668", dup267); - -var msg14115 = msg("11669", dup222); - -var msg14116 = msg("11670", dup197); - -var msg14117 = msg("11671", dup265); - -var msg14118 = msg("11672", dup222); - -var msg14119 = msg("11673", dup265); - -var msg14120 = msg("11674", dup265); - -var msg14121 = msg("11675", dup265); - -var msg14122 = msg("11676", dup265); - -var msg14123 = msg("11677", dup265); - -var msg14124 = msg("11678", dup265); - -var msg14125 = msg("11679", dup267); - -var msg14126 = msg("11680", dup222); - -var msg14127 = msg("11681", dup196); - -var msg14128 = msg("11682", dup287); - -var msg14129 = msg("11683", dup260); - -var msg14130 = msg("11684", dup222); - -var msg14131 = msg("11685", dup240); - -var msg14132 = msg("11686", dup222); - -var msg14133 = msg("11687", dup196); - -var msg14134 = msg("11688", dup276); - -var msg14135 = msg("11689", dup276); - -var msg14136 = msg("11690", dup276); - -var msg14137 = msg("11691", dup276); - -var msg14138 = msg("11692", dup276); - -var msg14139 = msg("11693", dup276); - -var msg14140 = msg("11694", dup276); - -var msg14141 = msg("11695", dup276); - -var msg14142 = msg("11696", dup276); - -var msg14143 = msg("11697", dup276); - -var msg14144 = msg("11698", dup276); - -var msg14145 = msg("11699", dup276); - -var msg14146 = msg("11700", dup276); - -var msg14147 = msg("11701", dup276); - -var msg14148 = msg("11702", dup276); - -var msg14149 = msg("11703", dup276); - -var msg14150 = msg("11704", dup276); - -var msg14151 = msg("11705", dup276); - -var msg14152 = msg("11706", dup276); - -var msg14153 = msg("11707", dup276); - -var msg14154 = msg("11708", dup276); - -var msg14155 = msg("11709", dup276); - -var msg14156 = msg("11710", dup276); - -var msg14157 = msg("11711", dup276); - -var msg14158 = msg("11712", dup276); - -var msg14159 = msg("11713", dup276); - -var msg14160 = msg("11714", dup276); - -var msg14161 = msg("11715", dup276); - -var 
msg14162 = msg("11716", dup276); - -var msg14163 = msg("11717", dup276); - -var msg14164 = msg("11718", dup276); - -var msg14165 = msg("11719", dup276); - -var msg14166 = msg("11720", dup276); - -var msg14167 = msg("11721", dup276); - -var msg14168 = msg("11722", dup276); - -var msg14169 = msg("11723", dup276); - -var msg14170 = msg("11724", dup276); - -var msg14171 = msg("11725", dup276); - -var msg14172 = msg("11726", dup276); - -var msg14173 = msg("11727", dup276); - -var msg14174 = msg("11728", dup276); - -var msg14175 = msg("11729", dup276); - -var msg14176 = msg("11730", dup276); - -var msg14177 = msg("11731", dup276); - -var msg14178 = msg("11732", dup276); - -var msg14179 = msg("11733", dup276); - -var msg14180 = msg("11734", dup276); - -var msg14181 = msg("11735", dup276); - -var msg14182 = msg("11736", dup276); - -var msg14183 = msg("11737", dup276); - -var msg14184 = msg("11738", dup276); - -var msg14185 = msg("11739", dup276); - -var msg14186 = msg("11740", dup276); - -var msg14187 = msg("11741", dup276); - -var msg14188 = msg("11742", dup276); - -var msg14189 = msg("11743", dup276); - -var msg14190 = msg("11744", dup276); - -var msg14191 = msg("11745", dup276); - -var msg14192 = msg("11746", dup276); - -var msg14193 = msg("11747", dup276); - -var msg14194 = msg("11748", dup276); - -var msg14195 = msg("11749", dup276); - -var msg14196 = msg("11750", dup276); - -var msg14197 = msg("11751", dup276); - -var msg14198 = msg("11752", dup276); - -var msg14199 = msg("11753", dup276); - -var msg14200 = msg("11754", dup276); - -var msg14201 = msg("11755", dup276); - -var msg14202 = msg("11756", dup276); - -var msg14203 = msg("11757", dup276); - -var msg14204 = msg("11758", dup276); - -var msg14205 = msg("11759", dup276); - -var msg14206 = msg("11760", dup276); - -var msg14207 = msg("11761", dup276); - -var msg14208 = msg("11762", dup276); - -var msg14209 = msg("11763", dup276); - -var msg14210 = msg("11764", dup276); - -var msg14211 = msg("11765", dup276); - -var 
msg14212 = msg("11766", dup276); - -var msg14213 = msg("11767", dup276); - -var msg14214 = msg("11768", dup276); - -var msg14215 = msg("11769", dup276); - -var msg14216 = msg("11770", dup276); - -var msg14217 = msg("11771", dup276); - -var msg14218 = msg("11772", dup276); - -var msg14219 = msg("11773", dup276); - -var msg14220 = msg("11774", dup276); - -var msg14221 = msg("11775", dup276); - -var msg14222 = msg("11776", dup276); - -var msg14223 = msg("11777", dup276); - -var msg14224 = msg("11778", dup276); - -var msg14225 = msg("11779", dup276); - -var msg14226 = msg("11780", dup276); - -var msg14227 = msg("11781", dup276); - -var msg14228 = msg("11782", dup276); - -var msg14229 = msg("11783", dup276); - -var msg14230 = msg("11784", dup276); - -var msg14231 = msg("11785", dup276); - -var msg14232 = msg("11786", dup276); - -var msg14233 = msg("11787", dup276); - -var msg14234 = msg("11788", dup276); - -var msg14235 = msg("11789", dup276); - -var msg14236 = msg("11790", dup276); - -var msg14237 = msg("11791", dup276); - -var msg14238 = msg("11792", dup276); - -var msg14239 = msg("11793", dup276); - -var msg14240 = msg("11794", dup276); - -var msg14241 = msg("11795", dup276); - -var msg14242 = msg("11796", dup276); - -var msg14243 = msg("11797", dup276); - -var msg14244 = msg("11798", dup276); - -var msg14245 = msg("11799", dup276); - -var msg14246 = msg("11800", dup276); - -var msg14247 = msg("11801", dup276); - -var msg14248 = msg("11802", dup276); - -var msg14249 = msg("11803", dup276); - -var msg14250 = msg("11804", dup276); - -var msg14251 = msg("11805", dup276); - -var msg14252 = msg("11806", dup276); - -var msg14253 = msg("11807", dup276); - -var msg14254 = msg("11808", dup276); - -var msg14255 = msg("11809", dup276); - -var msg14256 = msg("11810", dup276); - -var msg14257 = msg("11811", dup276); - -var msg14258 = msg("11812", dup276); - -var msg14259 = msg("11813", dup276); - -var msg14260 = msg("11814", dup276); - -var msg14261 = msg("11815", dup276); - -var 
msg14262 = msg("11816", dup196); - -var msg14263 = msg("11817", dup265); - -var msg14264 = msg("11818", dup265); - -var msg14265 = msg("11819", dup265); - -var msg14266 = msg("11820", dup265); - -var msg14267 = msg("11821", dup265); - -var msg14268 = msg("11822", dup265); - -var msg14269 = msg("11823", dup265); - -var msg14270 = msg("11824", dup265); - -var msg14271 = msg("11825", dup265); - -var msg14272 = msg("11826", dup265); - -var msg14273 = msg("11827", dup265); - -var msg14274 = msg("11828", dup265); - -var msg14275 = msg("11829", dup265); - -var msg14276 = msg("11830", dup265); - -var msg14277 = msg("11831", dup265); - -var msg14278 = msg("11832", dup265); - -var msg14279 = msg("11833", dup265); - -var msg14280 = msg("11834", dup265); - -var msg14281 = msg("11835", dup196); - -var msg14282 = msg("11836", dup196); - -var msg14283 = msg("11837", dup250); - -var msg14284 = msg("11838", dup267); - -var msg14285 = msg("11839", dup265); - -var msg14286 = msg("11840", dup265); - -var msg14287 = msg("11841", dup265); - -var msg14288 = msg("11842", dup265); - -var msg14289 = msg("11843", dup276); - -var msg14290 = msg("11844", dup276); - -var msg14291 = msg("11845", dup276); - -var msg14292 = msg("11846", dup276); - -var msg14293 = msg("11847", dup276); - -var msg14294 = msg("11848", dup276); - -var msg14295 = msg("11849", dup276); - -var msg14296 = msg("11850", dup276); - -var msg14297 = msg("11851", dup276); - -var msg14298 = msg("11852", dup276); - -var msg14299 = msg("11853", dup276); - -var msg14300 = msg("11854", dup276); - -var msg14301 = msg("11855", dup276); - -var msg14302 = msg("11856", dup276); - -var msg14303 = msg("11857", dup276); - -var msg14304 = msg("11858", dup276); - -var msg14305 = msg("11859", dup276); - -var msg14306 = msg("11860", dup276); - -var msg14307 = msg("11861", dup276); - -var msg14308 = msg("11862", dup276); - -var msg14309 = msg("11863", dup276); - -var msg14310 = msg("11864", dup276); - -var msg14311 = msg("11865", dup276); - -var 
msg14312 = msg("11866", dup276); - -var msg14313 = msg("11867", dup276); - -var msg14314 = msg("11868", dup276); - -var msg14315 = msg("11869", dup276); - -var msg14316 = msg("11870", dup276); - -var msg14317 = msg("11871", dup276); - -var msg14318 = msg("11872", dup276); - -var msg14319 = msg("11873", dup276); - -var msg14320 = msg("11874", dup276); - -var msg14321 = msg("11875", dup276); - -var msg14322 = msg("11876", dup276); - -var msg14323 = msg("11877", dup276); - -var msg14324 = msg("11878", dup276); - -var msg14325 = msg("11879", dup276); - -var msg14326 = msg("11880", dup276); - -var msg14327 = msg("11881", dup276); - -var msg14328 = msg("11882", dup276); - -var msg14329 = msg("11883", dup276); - -var msg14330 = msg("11884", dup276); - -var msg14331 = msg("11885", dup276); - -var msg14332 = msg("11886", dup276); - -var msg14333 = msg("11887", dup276); - -var msg14334 = msg("11888", dup276); - -var msg14335 = msg("11889", dup276); - -var msg14336 = msg("11890", dup276); - -var msg14337 = msg("11891", dup276); - -var msg14338 = msg("11892", dup276); - -var msg14339 = msg("11893", dup276); - -var msg14340 = msg("11894", dup276); - -var msg14341 = msg("11895", dup276); - -var msg14342 = msg("11896", dup276); - -var msg14343 = msg("11897", dup276); - -var msg14344 = msg("11898", dup276); - -var msg14345 = msg("11899", dup276); - -var msg14346 = msg("11900", dup276); - -var msg14347 = msg("11901", dup276); - -var msg14348 = msg("11902", dup276); - -var msg14349 = msg("11903", dup276); - -var msg14350 = msg("11904", dup276); - -var msg14351 = msg("11905", dup276); - -var msg14352 = msg("11906", dup276); - -var msg14353 = msg("11907", dup276); - -var msg14354 = msg("11908", dup276); - -var msg14355 = msg("11909", dup276); - -var msg14356 = msg("11910", dup276); - -var msg14357 = msg("11911", dup276); - -var msg14358 = msg("11912", dup276); - -var msg14359 = msg("11913", dup276); - -var msg14360 = msg("11914", dup276); - -var msg14361 = msg("11915", dup276); - -var 
msg14362 = msg("11916", dup276); - -var msg14363 = msg("11917", dup276); - -var msg14364 = msg("11918", dup276); - -var msg14365 = msg("11919", dup276); - -var msg14366 = msg("11920", dup276); - -var msg14367 = msg("11921", dup276); - -var msg14368 = msg("11922", dup276); - -var msg14369 = msg("11923", dup276); - -var msg14370 = msg("11924", dup276); - -var msg14371 = msg("11925", dup276); - -var msg14372 = msg("11926", dup276); - -var msg14373 = msg("11927", dup276); - -var msg14374 = msg("11928", dup276); - -var msg14375 = msg("11929", dup276); - -var msg14376 = msg("11930", dup276); - -var msg14377 = msg("11931", dup276); - -var msg14378 = msg("11932", dup276); - -var msg14379 = msg("11933", dup276); - -var msg14380 = msg("11934", dup276); - -var msg14381 = msg("11935", dup276); - -var msg14382 = msg("11936", dup276); - -var msg14383 = msg("11937", dup276); - -var msg14384 = msg("11938", dup276); - -var msg14385 = msg("11939", dup265); - -var msg14386 = msg("11940", dup265); - -var msg14387 = msg("11941", dup265); - -var msg14388 = msg("11942", dup265); - -var msg14389 = msg("11943", dup265); - -var msg14390 = msg("11944", dup265); - -var msg14391 = msg("11945", dup276); - -var msg14392 = msg("11946", dup196); - -var msg14393 = msg("11947", dup196); - -var msg14394 = msg("11948", dup303); - -var msg14395 = msg("11949", dup192); - -var msg14396 = msg("11950", dup192); - -var msg14397 = msg("11951", dup192); - -var msg14398 = msg("11952", dup192); - -var msg14399 = msg("11953", dup192); - -var msg14400 = msg("11954", dup192); - -var msg14401 = msg("11955", dup276); - -var msg14402 = msg("11956", dup276); - -var msg14403 = msg("11957", dup276); - -var msg14404 = msg("11958", dup276); - -var msg14405 = msg("11959", dup276); - -var msg14406 = msg("11960", dup276); - -var msg14407 = msg("11961", dup276); - -var msg14408 = msg("11962", dup276); - -var msg14409 = msg("11963", dup276); - -var msg14410 = msg("11964", dup276); - -var msg14411 = msg("11965", dup265); - -var 
msg14412 = msg("11966", dup265); - -var msg14413 = msg("11967", dup265); - -var msg14414 = msg("11968", dup196); - -var msg14415 = msg("11969", dup273); - -var msg14416 = msg("11970", dup198); - -var msg14417 = msg("11971", dup201); - -var msg14418 = msg("11972", dup196); - -var msg14419 = msg("11973", dup201); - -var msg14420 = msg("11974", dup287); - -var msg14421 = msg("11975", dup196); - -var msg14422 = msg("11976", dup197); - -var msg14423 = msg("11977", dup197); - -var msg14424 = msg("11978", dup201); - -var msg14425 = msg("11979", dup196); - -var msg14426 = msg("11980", dup201); - -var msg14427 = msg("11981", dup201); - -var msg14428 = msg("11982", dup196); - -var msg14429 = msg("11983", dup196); - -var msg14430 = msg("11984", dup196); - -var msg14431 = msg("11985", dup201); - -var msg14432 = msg("11986", dup287); - -var msg14433 = msg("11987", dup287); - -var msg14434 = msg("11988", dup287); - -var msg14435 = msg("11989", dup287); - -var msg14436 = msg("11990", dup287); - -var msg14437 = msg("11991", dup287); - -var msg14438 = msg("11992", dup297); - -var msg14439 = msg("11993", dup287); - -var msg14440 = msg("11994", dup287); - -var msg14441 = msg("11995", dup297); - -var msg14442 = msg("11996", dup287); - -var msg14443 = msg("11997", dup287); - -var msg14444 = msg("11998", dup287); - -var msg14445 = msg("11999", dup287); - -var msg14446 = msg("12000", dup196); - -var msg14447 = msg("12001", dup201); - -var msg14448 = msg("12002", dup197); - -var msg14449 = msg("12003", dup197); - -var msg14450 = msg("12004", dup196); - -var msg14451 = msg("12005", dup196); - -var msg14452 = msg("12006", dup196); - -var msg14453 = msg("12007", dup273); - -var msg14454 = msg("12008", dup287); - -var msg14455 = msg("12009", dup197); - -var msg14456 = msg("12010", dup265); - -var msg14457 = msg("12011", dup265); - -var msg14458 = msg("12012", dup265); - -var msg14459 = msg("12013", dup265); - -var msg14460 = msg("12014", dup265); - -var msg14461 = msg("12015", dup265); - -var 
msg14462 = msg("12016", dup265); - -var msg14463 = msg("12017", dup265); - -var msg14464 = msg("12018", dup265); - -var msg14465 = msg("12019", dup265); - -var msg14466 = msg("12020", dup265); - -var msg14467 = msg("12021", dup265); - -var msg14468 = msg("12022", dup265); - -var msg14469 = msg("12023", dup265); - -var msg14470 = msg("12024", dup265); - -var msg14471 = msg("12025", dup265); - -var msg14472 = msg("12026", dup265); - -var msg14473 = msg("12027", dup260); - -var msg14474 = msg("12028", dup250); - -var msg14475 = msg("12029", dup265); - -var msg14476 = msg("12030", dup265); - -var msg14477 = msg("12031", dup197); - -var msg14478 = msg("12032", dup197); - -var msg14479 = msg("12033", dup197); - -var msg14480 = msg("12034", dup197); - -var msg14481 = msg("12035", dup197); - -var msg14482 = msg("12036", dup197); - -var msg14483 = msg("12037", dup197); - -var msg14484 = msg("12038", dup197); - -var msg14485 = msg("12039", dup197); - -var msg14486 = msg("12040", dup197); - -var msg14487 = msg("12041", dup197); - -var msg14488 = msg("12042", dup197); - -var msg14489 = msg("12043", dup198); - -var msg14490 = msg("12044", dup198); - -var msg14491 = msg("12045", dup198); - -var msg14492 = msg("12046", dup273); - -var msg14493 = msg("12047", dup303); - -var msg14494 = msg("12048", dup303); - -var msg14495 = msg("12049", dup303); - -var msg14496 = msg("12050", dup303); - -var msg14497 = msg("12051", dup192); - -var msg14498 = msg("12052", dup192); - -var msg14499 = msg("12053", dup192); - -var msg14500 = msg("12054", dup192); - -var msg14501 = msg("12055", dup192); - -var msg14502 = msg("12056", dup267); - -var msg14503 = msg("12057", dup265); - -var msg14504 = msg("12058", dup222); - -var msg14505 = msg("12059", dup240); - -var msg14506 = msg("12060", dup240); - -var msg14507 = msg("12061", dup287); - -var msg14508 = msg("12062", dup265); - -var msg14509 = msg("12063", dup265); - -var msg14510 = msg("12064", dup265); - -var msg14511 = msg("12065", dup196); - -var 
msg14512 = msg("12066", dup196); - -var msg14513 = msg("12067", dup196); - -var msg14514 = msg("12068", dup196); - -var msg14515 = msg("12069", dup196); - -var msg14516 = msg("12070", dup196); - -var msg14517 = msg("12072", dup287); - -var msg14518 = msg("12073", dup196); - -var msg14519 = msg("12074", dup196); - -var msg14520 = msg("12075", dup269); - -var msg14521 = msg("12076", dup198); - -var msg14522 = msg("12077", dup192); - -var msg14523 = msg("12078", dup197); - -var msg14524 = msg("12079", dup197); - -var msg14525 = msg("12080", dup196); - -var msg14526 = msg("12081", dup222); - -var msg14527 = msg("12082", dup198); - -var msg14528 = msg("12083", dup265); - -var msg14529 = msg("12084", dup265); - -var msg14530 = msg("12085", dup265); - -var msg14531 = msg("12086", dup265); - -var msg14532 = msg("12087", dup265); - -var msg14533 = msg("12088", dup265); - -var msg14534 = msg("12089", dup265); - -var msg14535 = msg("12090", dup265); - -var msg14536 = msg("12091", dup198); - -var msg14537 = msg("12092", dup198); - -var msg14538 = msg("12093", dup198); - -var msg14539 = msg("12094", dup198); - -var msg14540 = msg("12095", dup265); - -var msg14541 = msg("12096", dup265); - -var msg14542 = msg("12097", dup265); - -var msg14543 = msg("12098", dup265); - -var msg14544 = msg("12099", dup269); - -var msg14545 = msg("12100", dup276); - -var msg14546 = msg("12101", dup276); - -var msg14547 = msg("12102", dup276); - -var msg14548 = msg("12103", dup276); - -var msg14549 = msg("12104", dup276); - -var msg14550 = msg("12105", dup276); - -var msg14551 = msg("12106", dup276); - -var msg14552 = msg("12107", dup276); - -var msg14553 = msg("12108", dup276); - -var msg14554 = msg("12109", dup276); - -var msg14555 = msg("12110", dup276); - -var msg14556 = msg("12111", dup276); - -var msg14557 = msg("12112", dup194); - -var msg14558 = msg("12113", dup197); - -var msg14559 = msg("12114", dup201); - -var msg14560 = msg("12115", dup201); - -var msg14561 = msg("12116", dup265); - -var 
msg14562 = msg("12117", dup265); - -var msg14563 = msg("12118", dup265); - -var msg14564 = msg("12119", dup265); - -var msg14565 = msg("12120", dup303); - -var msg14566 = msg("12121", dup303); - -var msg14567 = msg("12122", dup303); - -var msg14568 = msg("12123", dup303); - -var msg14569 = msg("12124", dup303); - -var msg14570 = msg("12125", dup303); - -var msg14571 = msg("12126", dup303); - -var msg14572 = msg("12127", dup303); - -var msg14573 = msg("12128", dup303); - -var msg14574 = msg("12129", dup303); - -var msg14575 = msg("12130", dup303); - -var msg14576 = msg("12131", dup303); - -var msg14577 = msg("12132", dup303); - -var msg14578 = msg("12133", dup303); - -var msg14579 = msg("12134", dup303); - -var msg14580 = msg("12135", dup303); - -var msg14581 = msg("12136", dup303); - -var msg14582 = msg("12137", dup303); - -var msg14583 = msg("12138", dup303); - -var msg14584 = msg("12139", dup303); - -var msg14585 = msg("12140", dup303); - -var msg14586 = msg("12141", dup303); - -var msg14587 = msg("12142", dup192); - -var msg14588 = msg("12143", dup192); - -var msg14589 = msg("12144", dup192); - -var msg14590 = msg("12145", dup192); - -var msg14591 = msg("12146", dup192); - -var msg14592 = msg("12147", dup192); - -var msg14593 = msg("12148", dup192); - -var msg14594 = msg("12149", dup192); - -var msg14595 = msg("12150", dup192); - -var msg14596 = msg("12151", dup192); - -var msg14597 = msg("12152", dup192); - -var msg14598 = msg("12153", dup192); - -var msg14599 = msg("12154", dup192); - -var msg14600 = msg("12155", dup192); - -var msg14601 = msg("12156", dup192); - -var msg14602 = msg("12157", dup192); - -var msg14603 = msg("12158", dup192); - -var msg14604 = msg("12159", dup192); - -var msg14605 = msg("12160", dup192); - -var msg14606 = msg("12161", dup192); - -var msg14607 = msg("12162", dup192); - -var msg14608 = msg("12163", dup192); - -var msg14609 = msg("12164", dup192); - -var msg14610 = msg("12165", dup192); - -var msg14611 = msg("12166", dup192); - -var 
msg14612 = msg("12167", dup196); - -var msg14613 = msg("12168", dup265); - -var msg14614 = msg("12169", dup265); - -var msg14615 = msg("12170", dup287); - -var msg14616 = msg("12171", dup287); - -var msg14617 = msg("12172", dup196); - -var msg14618 = msg("12173", dup196); - -var msg14619 = msg("12174", dup196); - -var msg14620 = msg("12175", dup196); - -var msg14621 = msg("12176", dup196); - -var msg14622 = msg("12177", dup196); - -var msg14623 = msg("12178", dup196); - -var msg14624 = msg("12179", dup196); - -var msg14625 = msg("12180", dup196); - -var msg14626 = msg("12181", dup196); - -var msg14627 = msg("12182", dup196); - -var msg14628 = msg("12183", dup197); - -var msg14629 = msg("12184", dup269); - -var msg14630 = msg("12185", dup287); - -var msg14631 = msg("12186", dup258); - -var msg14632 = msg("12187", dup287); - -var msg14633 = msg("12188", dup253); - -var msg14634 = msg("12189", dup265); - -var msg14635 = msg("12190", dup265); - -var msg14636 = msg("12191", dup265); - -var msg14637 = msg("12192", dup265); - -var msg14638 = msg("12193", dup265); - -var msg14639 = msg("12194", dup265); - -var msg14640 = msg("12195", dup265); - -var msg14641 = msg("12196", dup265); - -var msg14642 = msg("12197", dup222); - -var msg14643 = msg("12198", dup242); - -var msg14644 = msg("12199", dup198); - -var msg14645 = msg("12200", dup265); - -var msg14646 = msg("12201", dup265); - -var msg14647 = msg("12202", dup222); - -var msg14648 = msg("12203", dup265); - -var msg14649 = msg("12204", dup265); - -var msg14650 = msg("12205", dup265); - -var msg14651 = msg("12206", dup265); - -var msg14652 = msg("12207", dup265); - -var msg14653 = msg("12208", dup265); - -var msg14654 = msg("12209", dup196); - -var msg14655 = msg("12210", dup287); - -var msg14656 = msg("12211", dup287); - -var msg14657 = msg("12212", dup201); - -var msg14658 = msg("12213", dup201); - -var msg14659 = msg("12214", dup201); - -var msg14660 = msg("12215", dup201); - -var msg14661 = msg("12216", dup222); - -var 
msg14662 = msg("12217", dup222); - -var msg14663 = msg("12218", dup222); - -var msg14664 = msg("12219", dup197); - -var msg14665 = msg("12220", dup196); - -var msg14666 = msg("12221", dup265); - -var msg14667 = msg("12222", dup196); - -var msg14668 = msg("12223", dup196); - -var msg14669 = msg("12224", dup303); - -var msg14670 = msg("12225", dup303); - -var msg14671 = msg("12226", dup303); - -var msg14672 = msg("12227", dup303); - -var msg14673 = msg("12228", dup303); - -var msg14674 = msg("12229", dup303); - -var msg14675 = msg("12230", dup303); - -var msg14676 = msg("12231", dup303); - -var msg14677 = msg("12232", dup303); - -var msg14678 = msg("12233", dup192); - -var msg14679 = msg("12234", dup192); - -var msg14680 = msg("12235", dup192); - -var msg14681 = msg("12236", dup192); - -var msg14682 = msg("12237", dup192); - -var msg14683 = msg("12238", dup192); - -var msg14684 = msg("12239", dup192); - -var msg14685 = msg("12240", dup192); - -var msg14686 = msg("12241", dup192); - -var msg14687 = msg("12242", dup192); - -var msg14688 = msg("12243", dup192); - -var msg14689 = msg("12244", dup192); - -var msg14690 = msg("12245", dup192); - -var msg14691 = msg("12246", dup265); - -var msg14692 = msg("12247", dup265); - -var msg14693 = msg("12248", dup265); - -var msg14694 = msg("12249", dup265); - -var msg14695 = msg("12250", dup265); - -var msg14696 = msg("12251", dup265); - -var msg14697 = msg("12252", dup265); - -var msg14698 = msg("12253", dup265); - -var msg14699 = msg("12254", dup196); - -var msg14700 = msg("12255", dup265); - -var msg14701 = msg("12256", dup196); - -var msg14702 = msg("12257", dup265); - -var msg14703 = msg("12258", dup265); - -var msg14704 = msg("12259", dup265); - -var msg14705 = msg("12260", dup265); - -var msg14706 = msg("12261", dup265); - -var msg14707 = msg("12262", dup265); - -var msg14708 = msg("12263", dup265); - -var msg14709 = msg("12264", dup265); - -var msg14710 = msg("12265", dup265); - -var msg14711 = msg("12266", dup265); - -var 
msg14712 = msg("12267", dup265); - -var msg14713 = msg("12268", dup265); - -var msg14714 = msg("12269", dup265); - -var msg14715 = msg("12270", dup265); - -var msg14716 = msg("12271", dup265); - -var msg14717 = msg("12272", dup265); - -var msg14718 = msg("12273", dup265); - -var msg14719 = msg("12274", dup265); - -var msg14720 = msg("12275", dup265); - -var msg14721 = msg("12276", dup265); - -var msg14722 = msg("12277", dup196); - -var msg14723 = msg("12278", dup196); - -var msg14724 = msg("12279", dup197); - -var msg14725 = msg("12280", dup196); - -var msg14726 = msg("12281", dup196); - -var msg14727 = msg("12282", dup196); - -var msg14728 = msg("12283", dup196); - -var msg14729 = msg("12284", dup267); - -var msg14730 = msg("12285", dup196); - -var msg14731 = msg("12286", dup267); - -var msg14732 = msg("12287", dup303); - -var msg14733 = msg("12288", dup303); - -var msg14734 = msg("12289", dup303); - -var msg14735 = msg("12290", dup303); - -var msg14736 = msg("12291", dup303); - -var msg14737 = msg("12292", dup303); - -var msg14738 = msg("12293", dup303); - -var msg14739 = msg("12294", dup303); - -var msg14740 = msg("12295", dup303); - -var msg14741 = msg("12296", dup303); - -var msg14742 = msg("12297", dup192); - -var msg14743 = msg("12298", dup192); - -var msg14744 = msg("12299", dup196); - -var msg14745 = msg("12300", dup196); - -var msg14746 = msg("12301", dup265); - -var msg14747 = msg("12302", dup265); - -var msg14748 = msg("12303", dup196); - -var msg14749 = msg("12304", dup196); - -var msg14750 = msg("12305", dup196); - -var msg14751 = msg("12306", dup196); - -var msg14752 = msg("12307", dup276); - -var msg14753 = msg("12308", dup276); - -var msg14754 = msg("12309", dup276); - -var msg14755 = msg("12310", dup276); - -var msg14756 = msg("12311", dup276); - -var msg14757 = msg("12312", dup276); - -var msg14758 = msg("12313", dup276); - -var msg14759 = msg("12314", dup276); - -var msg14760 = msg("12315", dup276); - -var msg14761 = msg("12316", dup276); - -var 
msg14762 = msg("12317", dup276); - -var msg14763 = msg("12318", dup276); - -var msg14764 = msg("12319", dup276); - -var msg14765 = msg("12320", dup276); - -var msg14766 = msg("12321", dup276); - -var msg14767 = msg("12322", dup276); - -var msg14768 = msg("12323", dup276); - -var msg14769 = msg("12324", dup276); - -var msg14770 = msg("12325", dup276); - -var msg14771 = msg("12326", dup276); - -var msg14772 = msg("12327", dup276); - -var msg14773 = msg("12328", dup276); - -var msg14774 = msg("12329", dup276); - -var msg14775 = msg("12330", dup276); - -var msg14776 = msg("12331", dup276); - -var msg14777 = msg("12332", dup276); - -var msg14778 = msg("12333", dup276); - -var msg14779 = msg("12334", dup276); - -var msg14780 = msg("12335", dup276); - -var msg14781 = msg("12336", dup276); - -var msg14782 = msg("12337", dup276); - -var msg14783 = msg("12338", dup276); - -var msg14784 = msg("12339", dup276); - -var msg14785 = msg("12340", dup276); - -var msg14786 = msg("12341", dup276); - -var msg14787 = msg("12342", dup276); - -var msg14788 = msg("12343", dup276); - -var msg14789 = msg("12344", dup276); - -var msg14790 = msg("12345", dup276); - -var msg14791 = msg("12346", dup276); - -var msg14792 = msg("12347", dup276); - -var msg14793 = msg("12348", dup276); - -var msg14794 = msg("12349", dup276); - -var msg14795 = msg("12350", dup276); - -var msg14796 = msg("12351", dup276); - -var msg14797 = msg("12352", dup276); - -var msg14798 = msg("12353", dup276); - -var msg14799 = msg("12354", dup276); - -var msg14800 = msg("12355", dup276); - -var msg14801 = msg("12356", dup276); - -var msg14802 = msg("12357", dup196); - -var msg14803 = msg("12358", dup197); - -var msg14804 = msg("12359", dup197); - -var msg14805 = msg("12360", dup267); - -var msg14806 = msg("12361", dup303); - -var msg14807 = msg("12362", dup197); - -var msg14808 = msg("12363", dup303); - -var msg14809 = msg("12364", dup303); - -var msg14810 = msg("12365", dup303); - -var msg14811 = msg("12366", dup303); - -var 
msg14812 = msg("12367", dup303); - -var msg14813 = msg("12368", dup303); - -var msg14814 = msg("12369", dup303); - -var msg14815 = msg("12370", dup303); - -var msg14816 = msg("12371", dup303); - -var msg14817 = msg("12372", dup303); - -var msg14818 = msg("12373", dup192); - -var msg14819 = msg("12374", dup192); - -var msg14820 = msg("12375", dup192); - -var msg14821 = msg("12376", dup192); - -var msg14822 = msg("12377", dup192); - -var msg14823 = msg("12378", dup192); - -var msg14824 = msg("12379", dup303); - -var msg14825 = msg("12380", dup265); - -var msg14826 = msg("12381", dup265); - -var msg14827 = msg("12382", dup265); - -var msg14828 = msg("12383", dup265); - -var msg14829 = msg("12384", dup265); - -var msg14830 = msg("12385", dup265); - -var msg14831 = msg("12386", dup265); - -var msg14832 = msg("12387", dup265); - -var msg14833 = msg("12388", dup265); - -var msg14834 = msg("12389", dup265); - -var msg14835 = msg("12390", dup196); - -var msg14836 = msg("12391", dup196); - -var msg14837 = msg("12392", dup196); - -var msg14838 = msg("12393", dup265); - -var msg14839 = msg("12394", dup265); - -var msg14840 = msg("12395", dup265); - -var msg14841 = msg("12396", dup265); - -var msg14842 = msg("12397", dup265); - -var msg14843 = msg("12398", dup265); - -var msg14844 = msg("12399", dup265); - -var msg14845 = msg("12400", dup265); - -var msg14846 = msg("12401", dup265); - -var msg14847 = msg("12402", dup265); - -var msg14848 = msg("12403", dup265); - -var msg14849 = msg("12404", dup265); - -var msg14850 = msg("12405", dup265); - -var msg14851 = msg("12406", dup265); - -var msg14852 = msg("12407", dup265); - -var msg14853 = msg("12408", dup265); - -var msg14854 = msg("12409", dup265); - -var msg14855 = msg("12410", dup265); - -var msg14856 = msg("12411", dup265); - -var msg14857 = msg("12412", dup265); - -var msg14858 = msg("12413", dup265); - -var msg14859 = msg("12414", dup265); - -var msg14860 = msg("12415", dup265); - -var msg14861 = msg("12416", dup265); - -var 
msg14862 = msg("12417", dup265); - -var msg14863 = msg("12418", dup265); - -var msg14864 = msg("12419", dup265); - -var msg14865 = msg("12420", dup265); - -var msg14866 = msg("12421", dup196); - -var msg14867 = msg("12422", dup196); - -var msg14868 = msg("12423", dup250); - -var msg14869 = msg("12424", dup222); - -var msg14870 = msg("12425", dup196); - -var msg14871 = msg("12426", dup196); - -var msg14872 = msg("12427", dup196); - -var msg14873 = msg("12428", dup265); - -var msg14874 = msg("12429", dup265); - -var msg14875 = msg("12430", dup265); - -var msg14876 = msg("12431", dup265); - -var msg14877 = msg("12432", dup265); - -var msg14878 = msg("12433", dup265); - -var msg14879 = msg("12434", dup265); - -var msg14880 = msg("12435", dup265); - -var msg14881 = msg("12436", dup196); - -var msg14882 = msg("12437", dup196); - -var msg14883 = msg("12438", dup265); - -var msg14884 = msg("12439", dup265); - -var msg14885 = msg("12440", dup265); - -var msg14886 = msg("12441", dup265); - -var msg14887 = msg("12442", dup265); - -var msg14888 = msg("12443", dup265); - -var msg14889 = msg("12444", dup240); - -var msg14890 = msg("12445", dup240); - -var msg14891 = msg("12446", dup240); - -var msg14892 = msg("12447", dup240); - -var msg14893 = msg("12448", dup265); - -var msg14894 = msg("12449", dup265); - -var msg14895 = msg("12450", dup265); - -var msg14896 = msg("12451", dup265); - -var msg14897 = msg("12452", dup265); - -var msg14898 = msg("12453", dup265); - -var msg14899 = msg("12454", dup196); - -var msg14900 = msg("12455", dup196); - -var msg14901 = msg("12456", dup196); - -var msg14902 = msg("12457", dup196); - -var msg14903 = msg("12458", dup287); - -var msg14904 = msg("12459", dup265); - -var msg14905 = msg("12460", dup265); - -var msg14906 = msg("12461", dup265); - -var msg14907 = msg("12462", dup265); - -var msg14908 = msg("12463", dup222); - -var msg14909 = msg("12464", dup222); - -var msg14910 = msg("12465", dup196); - -var msg14911 = msg("12466", dup265); - -var 
msg14912 = msg("12467", dup265); - -var msg14913 = msg("12468", dup265); - -var msg14914 = msg("12469", dup265); - -var msg14915 = msg("12470", dup265); - -var msg14916 = msg("12471", dup265); - -var msg14917 = msg("12472", dup265); - -var msg14918 = msg("12473", dup265); - -var msg14919 = msg("12474", dup265); - -var msg14920 = msg("12475", dup265); - -var msg14921 = msg("12476", dup265); - -var msg14922 = msg("12477", dup265); - -var msg14923 = msg("12478", dup265); - -var msg14924 = msg("12479", dup265); - -var msg14925 = msg("12480", dup303); - -var msg14926 = msg("12481", dup303); - -var msg14927 = msg("12482", dup303); - -var msg14928 = msg("12483", dup303); - -var msg14929 = msg("12484", dup303); - -var msg14930 = msg("12485", dup303); - -var msg14931 = msg("12486", dup303); - -var msg14932 = msg("12487", dup303); - -var msg14933 = msg("12488", dup303); - -var msg14934 = msg("12489", dup276); - -var msg14935 = msg("12490", dup276); - -var msg14936 = msg("12491", dup276); - -var msg14937 = msg("12492", dup276); - -var msg14938 = msg("12493", dup276); - -var msg14939 = msg("12494", dup276); - -var msg14940 = msg("12495", dup276); - -var msg14941 = msg("12496", dup276); - -var msg14942 = msg("12497", dup276); - -var msg14943 = msg("12498", dup276); - -var msg14944 = msg("12499", dup276); - -var msg14945 = msg("12500", dup276); - -var msg14946 = msg("12501", dup276); - -var msg14947 = msg("12502", dup276); - -var msg14948 = msg("12503", dup276); - -var msg14949 = msg("12504", dup276); - -var msg14950 = msg("12505", dup276); - -var msg14951 = msg("12506", dup276); - -var msg14952 = msg("12507", dup276); - -var msg14953 = msg("12508", dup276); - -var msg14954 = msg("12509", dup276); - -var msg14955 = msg("12510", dup276); - -var msg14956 = msg("12511", dup276); - -var msg14957 = msg("12512", dup276); - -var msg14958 = msg("12513", dup276); - -var msg14959 = msg("12514", dup276); - -var msg14960 = msg("12515", dup276); - -var msg14961 = msg("12516", dup276); - -var 
msg14962 = msg("12517", dup276); - -var msg14963 = msg("12518", dup276); - -var msg14964 = msg("12519", dup276); - -var msg14965 = msg("12520", dup276); - -var msg14966 = msg("12521", dup276); - -var msg14967 = msg("12522", dup276); - -var msg14968 = msg("12523", dup276); - -var msg14969 = msg("12524", dup276); - -var msg14970 = msg("12525", dup276); - -var msg14971 = msg("12526", dup276); - -var msg14972 = msg("12527", dup276); - -var msg14973 = msg("12528", dup276); - -var msg14974 = msg("12529", dup276); - -var msg14975 = msg("12530", dup276); - -var msg14976 = msg("12531", dup276); - -var msg14977 = msg("12532", dup276); - -var msg14978 = msg("12533", dup276); - -var msg14979 = msg("12534", dup276); - -var msg14980 = msg("12535", dup276); - -var msg14981 = msg("12536", dup276); - -var msg14982 = msg("12537", dup276); - -var msg14983 = msg("12538", dup276); - -var msg14984 = msg("12539", dup276); - -var msg14985 = msg("12540", dup276); - -var msg14986 = msg("12541", dup276); - -var msg14987 = msg("12542", dup276); - -var msg14988 = msg("12543", dup276); - -var msg14989 = msg("12544", dup276); - -var msg14990 = msg("12545", dup276); - -var msg14991 = msg("12546", dup276); - -var msg14992 = msg("12547", dup276); - -var msg14993 = msg("12548", dup276); - -var msg14994 = msg("12549", dup276); - -var msg14995 = msg("12550", dup276); - -var msg14996 = msg("12551", dup276); - -var msg14997 = msg("12552", dup276); - -var msg14998 = msg("12553", dup276); - -var msg14999 = msg("12554", dup276); - -var msg15000 = msg("12555", dup276); - -var msg15001 = msg("12556", dup276); - -var msg15002 = msg("12557", dup276); - -var msg15003 = msg("12558", dup276); - -var msg15004 = msg("12559", dup276); - -var msg15005 = msg("12560", dup276); - -var msg15006 = msg("12561", dup276); - -var msg15007 = msg("12562", dup276); - -var msg15008 = msg("12563", dup276); - -var msg15009 = msg("12564", dup276); - -var msg15010 = msg("12565", dup276); - -var msg15011 = msg("12566", dup276); - -var 
msg15012 = msg("12567", dup276); - -var msg15013 = msg("12568", dup276); - -var msg15014 = msg("12569", dup276); - -var msg15015 = msg("12570", dup276); - -var msg15016 = msg("12571", dup276); - -var msg15017 = msg("12572", dup276); - -var msg15018 = msg("12573", dup276); - -var msg15019 = msg("12574", dup276); - -var msg15020 = msg("12575", dup276); - -var msg15021 = msg("12576", dup276); - -var msg15022 = msg("12577", dup276); - -var msg15023 = msg("12578", dup276); - -var msg15024 = msg("12579", dup276); - -var msg15025 = msg("12580", dup276); - -var msg15026 = msg("12581", dup276); - -var msg15027 = msg("12582", dup276); - -var msg15028 = msg("12583", dup276); - -var msg15029 = msg("12584", dup276); - -var msg15030 = msg("12585", dup276); - -var msg15031 = msg("12586", dup276); - -var msg15032 = msg("12587", dup276); - -var msg15033 = msg("12588", dup276); - -var msg15034 = msg("12589", dup276); - -var msg15035 = msg("12590", dup276); - -var msg15036 = msg("12591", dup198); - -var msg15037 = msg("12592", dup201); - -var msg15038 = msg("12593", dup196); - -var msg15039 = msg("12594", dup198); - -var msg15040 = msg("12595", dup269); - -var msg15041 = msg("12596", dup222); - -var msg15042 = msg("12597", dup198); - -var msg15043 = msg("12598", dup265); - -var msg15044 = msg("12599", dup265); - -var msg15045 = msg("12600", dup265); - -var msg15046 = msg("12601", dup265); - -var msg15047 = msg("12602", dup265); - -var msg15048 = msg("12603", dup265); - -var msg15049 = msg("12604", dup265); - -var msg15050 = msg("12605", dup265); - -var msg15051 = msg("12606", dup265); - -var msg15052 = msg("12607", dup265); - -var msg15053 = msg("12608", dup258); - -var msg15054 = msg("12609", dup258); - -var msg15055 = msg("12610", dup302); - -var msg15056 = msg("12611", dup196); - -var msg15057 = msg("12612", dup265); - -var msg15058 = msg("12613", dup265); - -var msg15059 = msg("12614", dup265); - -var msg15060 = msg("12615", dup265); - -var msg15061 = msg("12616", dup265); - -var 
msg15062 = msg("12617", dup265); - -var msg15063 = msg("12618", dup267); - -var msg15064 = msg("12619", dup196); - -var msg15065 = msg("12620", dup303); - -var msg15066 = msg("12621", dup303); - -var msg15067 = msg("12622", dup303); - -var msg15068 = msg("12623", dup303); - -var msg15069 = msg("12624", dup303); - -var msg15070 = msg("12625", dup303); - -var msg15071 = msg("12626", dup258); - -var msg15072 = msg("12627", dup287); - -var msg15073 = msg("12628", dup258); - -var msg15074 = msg("12629", dup265); - -var msg15075 = msg("12630", dup196); - -var msg15076 = msg("12631", dup196); - -var msg15077 = msg("12632", dup196); - -var msg15078 = msg("12633", dup196); - -var msg15079 = msg("12634", dup196); - -var msg15080 = msg("12635", dup198); - -var msg15081 = msg("12636", dup222); - -var msg15082 = msg("12637", dup194); - -var msg15083 = msg("12638", dup194); - -var msg15084 = msg("12639", dup194); - -var msg15085 = msg("12640", dup194); - -var msg15086 = msg("12641", dup196); - -var msg15087 = msg("12642", dup198); - -var msg15088 = msg("12643", dup265); - -var msg15089 = msg("12644", dup265); - -var msg15090 = msg("12645", dup265); - -var msg15091 = msg("12646", dup265); - -var msg15092 = msg("12647", dup265); - -var msg15093 = msg("12648", dup265); - -var msg15094 = msg("12649", dup265); - -var msg15095 = msg("12650", dup265); - -var msg15096 = msg("12651", dup265); - -var msg15097 = msg("12652", dup303); - -var msg15098 = msg("12653", dup303); - -var msg15099 = msg("12654", dup303); - -var msg15100 = msg("12655", dup303); - -var msg15101 = msg("12656", dup303); - -var msg15102 = msg("12657", dup303); - -var msg15103 = msg("12658", dup303); - -var msg15104 = msg("12659", dup303); - -var msg15105 = msg("12660", dup303); - -var msg15106 = msg("12661", dup192); - -var msg15107 = msg("12663", dup265); - -var msg15108 = msg("12664", dup196); - -var msg15109 = msg("12665", dup222); - -var msg15110 = msg("12666", dup222); - -var msg15111 = msg("12667", dup269); - -var 
msg15112 = msg("12668", dup265); - -var msg15113 = msg("12669", dup265); - -var msg15114 = msg("12670", dup265); - -var msg15115 = msg("12671", dup265); - -var msg15116 = msg("12672", dup303); - -var msg15117 = msg("12673", dup303); - -var msg15118 = msg("12674", dup303); - -var msg15119 = msg("12675", dup192); - -var msg15120 = msg("12676", dup303); - -var msg15121 = msg("12677", dup303); - -var msg15122 = msg("12678", dup303); - -var msg15123 = msg("12679", dup303); - -var msg15124 = msg("12680", dup201); - -var msg15125 = msg("12681", dup197); - -var msg15126 = msg("12682", dup201); - -var msg15127 = msg("12683", dup201); - -var msg15128 = msg("12684", dup192); - -var msg15129 = msg("12685", dup197); - -var msg15130 = msg("12686", dup196); - -var msg15131 = msg("12687", dup267); - -var msg15132 = msg("12688", dup267); - -var msg15133 = msg("12689", dup265); - -var msg15134 = msg("12690", dup265); - -var msg15135 = msg("12691", dup196); - -var msg15136 = msg("12692", dup201); - -var msg15137 = msg("12693", dup303); - -var msg15138 = msg("12694", dup303); - -var msg15139 = msg("12695", dup303); - -var msg15140 = msg("12696", dup303); - -var msg15141 = msg("12697", dup303); - -var msg15142 = msg("12698", dup303); - -var msg15143 = msg("12699", dup192); - -var msg15144 = msg("12700", dup192); - -var msg15145 = msg("12701", dup192); - -var msg15146 = msg("12702", dup192); - -var msg15147 = msg("12703", dup265); - -var msg15148 = msg("12704", dup197); - -var msg15149 = msg("12705", dup197); - -var msg15150 = msg("12706", dup197); - -var msg15151 = msg("12707", dup267); - -var msg15152 = msg("12708", dup222); - -var msg15153 = msg("12709", dup196); - -var msg15154 = msg("12710", dup196); - -var msg15155 = msg("12711", dup265); - -var msg15156 = msg("12712", dup242); - -var msg15157 = msg("12713", dup222); - -var msg15158 = msg("12714", dup265); - -var msg15159 = msg("12715", dup265); - -var msg15160 = msg("12716", dup265); - -var msg15161 = msg("12717", dup265); - -var 
msg15162 = msg("12718", dup303); - -var msg15163 = msg("12719", dup303); - -var msg15164 = msg("12720", dup303); - -var msg15165 = msg("12721", dup303); - -var msg15166 = msg("12722", dup303); - -var msg15167 = msg("12723", dup303); - -var msg15168 = msg("12724", dup192); - -var msg15169 = msg("12725", dup192); - -var msg15170 = msg("12726", dup192); - -var msg15171 = msg("12727", dup192); - -var msg15172 = msg("12728", dup267); - -var msg15173 = msg("12729", dup265); - -var msg15174 = msg("12730", dup265); - -var msg15175 = msg("12731", dup265); - -var msg15176 = msg("12732", dup265); - -var msg15177 = msg("12733", dup265); - -var msg15178 = msg("12734", dup265); - -var msg15179 = msg("12735", dup265); - -var msg15180 = msg("12736", dup265); - -var msg15181 = msg("12737", dup265); - -var msg15182 = msg("12738", dup265); - -var msg15183 = msg("12739", dup265); - -var msg15184 = msg("12740", dup265); - -var msg15185 = msg("12741", dup201); - -var msg15186 = msg("12742", dup222); - -var msg15187 = msg("12743", dup201); - -var msg15188 = msg("12744", dup267); - -var msg15189 = msg("12745", dup267); - -var msg15190 = msg("12746", dup222); - -var msg15191 = msg("12747", dup194); - -var msg15192 = msg("12748", dup194); - -var msg15193 = msg("12749", dup194); - -var msg15194 = msg("12750", dup194); - -var msg15195 = msg("12751", dup265); - -var msg15196 = msg("12752", dup265); - -var msg15197 = msg("12753", dup265); - -var msg15198 = msg("12754", dup265); - -var msg15199 = msg("12755", dup265); - -var msg15200 = msg("12756", dup265); - -var msg15201 = msg("12757", dup267); - -var msg15202 = msg("12758", dup303); - -var msg15203 = msg("12759", dup303); - -var msg15204 = msg("12760", dup303); - -var msg15205 = msg("12761", dup303); - -var msg15206 = msg("12762", dup265); - -var msg15207 = msg("12763", dup265); - -var msg15208 = msg("12764", dup265); - -var msg15209 = msg("12765", dup265); - -var msg15210 = msg("12766", dup265); - -var msg15211 = msg("12767", dup265); - -var 
msg15212 = msg("12768", dup265); - -var msg15213 = msg("12769", dup265); - -var msg15214 = msg("12770", dup196); - -var msg15215 = msg("12771", dup196); - -var msg15216 = msg("12772", dup196); - -var msg15217 = msg("12773", dup196); - -var msg15218 = msg("12774", dup196); - -var msg15219 = msg("12775", dup196); - -var msg15220 = msg("12776", dup265); - -var msg15221 = msg("12777", dup265); - -var msg15222 = msg("12778", dup265); - -var msg15223 = msg("12779", dup265); - -var msg15224 = msg("12780", dup265); - -var msg15225 = msg("12781", dup265); - -var msg15226 = msg("12782", dup265); - -var msg15227 = msg("12783", dup265); - -var msg15228 = msg("12784", dup197); - -var msg15229 = msg("12785", dup197); - -var msg15230 = msg("12786", dup222); - -var msg15231 = msg("12787", dup222); - -var msg15232 = msg("12788", dup222); - -var msg15233 = msg("12789", dup303); - -var msg15234 = msg("12790", dup303); - -var msg15235 = msg("12791", dup303); - -var msg15236 = msg("12792", dup303); - -var msg15237 = msg("12793", dup303); - -var msg15238 = msg("12794", dup303); - -var msg15239 = msg("12795", dup303); - -var msg15240 = msg("12796", dup303); - -var msg15241 = msg("12797", dup303); - -var msg15242 = msg("12798", dup196); - -var msg15243 = msg("12799", dup196); - -var msg15244 = msg("12800", dup196); - -var msg15245 = msg("12801", dup196); - -var msg15246 = msg("12802", dup196); - -var msg15247 = msg("12803", dup265); - -var msg15248 = msg("12804", dup265); - -var msg15249 = msg("12805", dup265); - -var msg15250 = msg("12806", dup265); - -var msg15251 = msg("12807", dup250); - -var msg15252 = msg("12808", dup276); - -var msg15253 = msg("12809", dup276); - -var msg15254 = msg("12810", dup276); - -var msg15255 = msg("12811", dup276); - -var msg15256 = msg("12812", dup276); - -var msg15257 = msg("12813", dup276); - -var msg15258 = msg("12814", dup276); - -var msg15259 = msg("12815", dup276); - -var msg15260 = msg("12816", dup276); - -var msg15261 = msg("12817", dup276); - -var 
msg15262 = msg("12818", dup276); - -var msg15263 = msg("12819", dup276); - -var msg15264 = msg("12820", dup276); - -var msg15265 = msg("12821", dup276); - -var msg15266 = msg("12822", dup276); - -var msg15267 = msg("12823", dup276); - -var msg15268 = msg("12824", dup276); - -var msg15269 = msg("12825", dup276); - -var msg15270 = msg("12826", dup276); - -var msg15271 = msg("12827", dup276); - -var msg15272 = msg("12828", dup276); - -var msg15273 = msg("12829", dup276); - -var msg15274 = msg("12830", dup276); - -var msg15275 = msg("12831", dup276); - -var msg15276 = msg("12832", dup276); - -var msg15277 = msg("12833", dup276); - -var msg15278 = msg("12834", dup276); - -var msg15279 = msg("12835", dup276); - -var msg15280 = msg("12836", dup276); - -var msg15281 = msg("12837", dup276); - -var msg15282 = msg("12838", dup276); - -var msg15283 = msg("12839", dup276); - -var msg15284 = msg("12840", dup276); - -var msg15285 = msg("12841", dup276); - -var msg15286 = msg("12842", dup276); - -var msg15287 = msg("12843", dup276); - -var msg15288 = msg("12844", dup276); - -var msg15289 = msg("12845", dup276); - -var msg15290 = msg("12846", dup276); - -var msg15291 = msg("12847", dup276); - -var msg15292 = msg("12848", dup276); - -var msg15293 = msg("12849", dup276); - -var msg15294 = msg("12850", dup276); - -var msg15295 = msg("12851", dup276); - -var msg15296 = msg("12852", dup276); - -var msg15297 = msg("12853", dup276); - -var msg15298 = msg("12854", dup276); - -var msg15299 = msg("12855", dup276); - -var msg15300 = msg("12856", dup276); - -var msg15301 = msg("12857", dup276); - -var msg15302 = msg("12858", dup276); - -var msg15303 = msg("12859", dup276); - -var msg15304 = msg("12860", dup276); - -var msg15305 = msg("12861", dup276); - -var msg15306 = msg("12862", dup276); - -var msg15307 = msg("12863", dup276); - -var msg15308 = msg("12864", dup276); - -var msg15309 = msg("12865", dup276); - -var msg15310 = msg("12866", dup276); - -var msg15311 = msg("12867", dup276); - -var 
msg15312 = msg("12868", dup276); - -var msg15313 = msg("12869", dup276); - -var msg15314 = msg("12870", dup276); - -var msg15315 = msg("12871", dup276); - -var msg15316 = msg("12872", dup276); - -var msg15317 = msg("12873", dup276); - -var msg15318 = msg("12874", dup276); - -var msg15319 = msg("12875", dup276); - -var msg15320 = msg("12876", dup276); - -var msg15321 = msg("12877", dup276); - -var msg15322 = msg("12878", dup276); - -var msg15323 = msg("12879", dup276); - -var msg15324 = msg("12880", dup276); - -var msg15325 = msg("12881", dup276); - -var msg15326 = msg("12882", dup276); - -var msg15327 = msg("12883", dup276); - -var msg15328 = msg("12884", dup276); - -var msg15329 = msg("12885", dup276); - -var msg15330 = msg("12886", dup276); - -var msg15331 = msg("12887", dup276); - -var msg15332 = msg("12888", dup276); - -var msg15333 = msg("12889", dup276); - -var msg15334 = msg("12890", dup276); - -var msg15335 = msg("12891", dup276); - -var msg15336 = msg("12892", dup276); - -var msg15337 = msg("12893", dup276); - -var msg15338 = msg("12894", dup276); - -var msg15339 = msg("12895", dup276); - -var msg15340 = msg("12896", dup276); - -var msg15341 = msg("12897", dup276); - -var msg15342 = msg("12898", dup276); - -var msg15343 = msg("12899", dup276); - -var msg15344 = msg("12900", dup276); - -var msg15345 = msg("12901", dup276); - -var msg15346 = msg("12902", dup276); - -var msg15347 = msg("12903", dup276); - -var msg15348 = msg("12904", dup222); - -var msg15349 = msg("12905", dup222); - -var msg15350 = msg("12906", dup276); - -var msg15351 = msg("12907", dup276); - -var msg15352 = msg("12908", dup276); - -var msg15353 = msg("12909", dup276); - -var msg15354 = msg("12910", dup276); - -var msg15355 = msg("12911", dup276); - -var msg15356 = msg("12912", dup276); - -var msg15357 = msg("12913", dup276); - -var msg15358 = msg("12914", dup276); - -var msg15359 = msg("12915", dup276); - -var msg15360 = msg("12916", dup276); - -var msg15361 = msg("12917", dup276); - -var 
msg15362 = msg("12918", dup276); - -var msg15363 = msg("12919", dup276); - -var msg15364 = msg("12920", dup276); - -var msg15365 = msg("12921", dup276); - -var msg15366 = msg("12922", dup276); - -var msg15367 = msg("12923", dup276); - -var msg15368 = msg("12924", dup276); - -var msg15369 = msg("12925", dup276); - -var msg15370 = msg("12926", dup276); - -var msg15371 = msg("12927", dup276); - -var msg15372 = msg("12928", dup276); - -var msg15373 = msg("12929", dup276); - -var msg15374 = msg("12930", dup276); - -var msg15375 = msg("12931", dup276); - -var msg15376 = msg("12932", dup276); - -var msg15377 = msg("12933", dup276); - -var msg15378 = msg("12934", dup276); - -var msg15379 = msg("12935", dup276); - -var msg15380 = msg("12936", dup276); - -var msg15381 = msg("12937", dup276); - -var msg15382 = msg("12938", dup276); - -var msg15383 = msg("12939", dup276); - -var msg15384 = msg("12940", dup276); - -var msg15385 = msg("12941", dup276); - -var msg15386 = msg("12942", dup276); - -var msg15387 = msg("12943", dup276); - -var msg15388 = msg("12944", dup276); - -var msg15389 = msg("12945", dup276); - -var msg15390 = msg("12946", dup276); - -var msg15391 = msg("12947", dup276); - -var msg15392 = msg("12948", dup265); - -var msg15393 = msg("12949", dup265); - -var msg15394 = msg("12950", dup265); - -var msg15395 = msg("12951", dup265); - -var msg15396 = msg("12952", dup265); - -var msg15397 = msg("12953", dup265); - -var msg15398 = msg("12954", dup265); - -var msg15399 = msg("12955", dup265); - -var msg15400 = msg("12956", dup265); - -var msg15401 = msg("12957", dup265); - -var msg15402 = msg("12958", dup265); - -var msg15403 = msg("12959", dup265); - -var msg15404 = msg("12960", dup265); - -var msg15405 = msg("12961", dup265); - -var msg15406 = msg("12962", dup265); - -var msg15407 = msg("12963", dup265); - -var msg15408 = msg("12964", dup265); - -var msg15409 = msg("12965", dup265); - -var msg15410 = msg("12966", dup265); - -var msg15411 = msg("12967", dup265); - -var 
msg15412 = msg("12968", dup265); - -var msg15413 = msg("12969", dup265); - -var msg15414 = msg("12970", dup265); - -var msg15415 = msg("12971", dup222); - -var msg15416 = msg("12972", dup265); - -var msg15417 = msg("12973", dup276); - -var msg15418 = msg("12974", dup276); - -var msg15419 = msg("12975", dup276); - -var msg15420 = msg("12976", dup276); - -var msg15421 = msg("12977", dup276); - -var msg15422 = msg("12978", dup276); - -var msg15423 = msg("12979", dup276); - -var msg15424 = msg("12980", dup276); - -var msg15425 = msg("12981", dup276); - -var msg15426 = msg("12982", dup276); - -var msg15427 = msg("12983", dup222); - -var msg15428 = msg("12984", dup276); - -var msg15429 = msg("12985", dup276); - -var msg15430 = msg("12986", dup276); - -var msg15431 = msg("12987", dup276); - -var msg15432 = msg("12988", dup276); - -var msg15433 = msg("12989", dup276); - -var msg15434 = msg("12990", dup276); - -var msg15435 = msg("12991", dup276); - -var msg15436 = msg("12992", dup276); - -var msg15437 = msg("12993", dup276); - -var msg15438 = msg("12994", dup276); - -var msg15439 = msg("12995", dup276); - -var msg15440 = msg("12996", dup276); - -var msg15441 = msg("12997", dup276); - -var msg15442 = msg("12998", dup276); - -var msg15443 = msg("12999", dup276); - -var msg15444 = msg("13000", dup276); - -var msg15445 = msg("13001", dup276); - -var msg15446 = msg("13002", dup276); - -var msg15447 = msg("13003", dup276); - -var msg15448 = msg("13004", dup276); - -var msg15449 = msg("13005", dup276); - -var msg15450 = msg("13006", dup276); - -var msg15451 = msg("13007", dup276); - -var msg15452 = msg("13008", dup276); - -var msg15453 = msg("13009", dup276); - -var msg15454 = msg("13010", dup276); - -var msg15455 = msg("13011", dup276); - -var msg15456 = msg("13012", dup276); - -var msg15457 = msg("13013", dup276); - -var msg15458 = msg("13014", dup276); - -var msg15459 = msg("13015", dup276); - -var msg15460 = msg("13016", dup276); - -var msg15461 = msg("13017", dup276); - -var 
msg15462 = msg("13018", dup276); - -var msg15463 = msg("13019", dup276); - -var msg15464 = msg("13020", dup276); - -var msg15465 = msg("13021", dup276); - -var msg15466 = msg("13022", dup276); - -var msg15467 = msg("13023", dup276); - -var msg15468 = msg("13024", dup276); - -var msg15469 = msg("13025", dup276); - -var msg15470 = msg("13026", dup276); - -var msg15471 = msg("13027", dup276); - -var msg15472 = msg("13028", dup276); - -var msg15473 = msg("13029", dup276); - -var msg15474 = msg("13030", dup276); - -var msg15475 = msg("13031", dup276); - -var msg15476 = msg("13032", dup276); - -var msg15477 = msg("13033", dup276); - -var msg15478 = msg("13034", dup276); - -var msg15479 = msg("13035", dup276); - -var msg15480 = msg("13036", dup276); - -var msg15481 = msg("13037", dup276); - -var msg15482 = msg("13038", dup276); - -var msg15483 = msg("13039", dup276); - -var msg15484 = msg("13040", dup276); - -var msg15485 = msg("13041", dup276); - -var msg15486 = msg("13042", dup276); - -var msg15487 = msg("13043", dup276); - -var msg15488 = msg("13044", dup276); - -var msg15489 = msg("13045", dup276); - -var msg15490 = msg("13046", dup276); - -var msg15491 = msg("13047", dup276); - -var msg15492 = msg("13048", dup276); - -var msg15493 = msg("13049", dup276); - -var msg15494 = msg("13050", dup276); - -var msg15495 = msg("13051", dup276); - -var msg15496 = msg("13052", dup276); - -var msg15497 = msg("13053", dup276); - -var msg15498 = msg("13054", dup276); - -var msg15499 = msg("13055", dup276); - -var msg15500 = msg("13056", dup276); - -var msg15501 = msg("13057", dup276); - -var msg15502 = msg("13058", dup276); - -var msg15503 = msg("13059", dup276); - -var msg15504 = msg("13060", dup276); - -var msg15505 = msg("13061", dup276); - -var msg15506 = msg("13062", dup276); - -var msg15507 = msg("13063", dup276); - -var msg15508 = msg("13064", dup276); - -var msg15509 = msg("13065", dup276); - -var msg15510 = msg("13066", dup276); - -var msg15511 = msg("13067", dup276); - -var 
msg15512 = msg("13068", dup276); - -var msg15513 = msg("13069", dup276); - -var msg15514 = msg("13070", dup276); - -var msg15515 = msg("13071", dup276); - -var msg15516 = msg("13072", dup276); - -var msg15517 = msg("13073", dup276); - -var msg15518 = msg("13074", dup276); - -var msg15519 = msg("13075", dup276); - -var msg15520 = msg("13076", dup276); - -var msg15521 = msg("13077", dup276); - -var msg15522 = msg("13078", dup276); - -var msg15523 = msg("13079", dup276); - -var msg15524 = msg("13080", dup276); - -var msg15525 = msg("13081", dup276); - -var msg15526 = msg("13082", dup276); - -var msg15527 = msg("13083", dup276); - -var msg15528 = msg("13084", dup276); - -var msg15529 = msg("13085", dup276); - -var msg15530 = msg("13086", dup276); - -var msg15531 = msg("13087", dup276); - -var msg15532 = msg("13088", dup276); - -var msg15533 = msg("13089", dup276); - -var msg15534 = msg("13090", dup276); - -var msg15535 = msg("13091", dup276); - -var msg15536 = msg("13092", dup276); - -var msg15537 = msg("13093", dup276); - -var msg15538 = msg("13094", dup276); - -var msg15539 = msg("13095", dup276); - -var msg15540 = msg("13096", dup276); - -var msg15541 = msg("13097", dup276); - -var msg15542 = msg("13098", dup276); - -var msg15543 = msg("13099", dup276); - -var msg15544 = msg("13100", dup276); - -var msg15545 = msg("13101", dup276); - -var msg15546 = msg("13102", dup276); - -var msg15547 = msg("13103", dup276); - -var msg15548 = msg("13104", dup276); - -var msg15549 = msg("13105", dup276); - -var msg15550 = msg("13106", dup276); - -var msg15551 = msg("13107", dup276); - -var msg15552 = msg("13108", dup276); - -var msg15553 = msg("13109", dup276); - -var msg15554 = msg("13110", dup276); - -var msg15555 = msg("13111", dup276); - -var msg15556 = msg("13112", dup276); - -var msg15557 = msg("13113", dup276); - -var msg15558 = msg("13114", dup276); - -var msg15559 = msg("13115", dup276); - -var msg15560 = msg("13116", dup276); - -var msg15561 = msg("13117", dup276); - -var 
msg15562 = msg("13118", dup276); - -var msg15563 = msg("13119", dup276); - -var msg15564 = msg("13120", dup276); - -var msg15565 = msg("13121", dup276); - -var msg15566 = msg("13122", dup276); - -var msg15567 = msg("13123", dup276); - -var msg15568 = msg("13124", dup276); - -var msg15569 = msg("13125", dup276); - -var msg15570 = msg("13126", dup276); - -var msg15571 = msg("13127", dup276); - -var msg15572 = msg("13128", dup276); - -var msg15573 = msg("13129", dup276); - -var msg15574 = msg("13130", dup201); - -var msg15575 = msg("13131", dup276); - -var msg15576 = msg("13132", dup276); - -var msg15577 = msg("13133", dup276); - -var msg15578 = msg("13134", dup201); - -var msg15579 = msg("13135", dup276); - -var msg15580 = msg("13136", dup276); - -var msg15581 = msg("13137", dup276); - -var msg15582 = msg("13138", dup276); - -var msg15583 = msg("13139", dup201); - -var msg15584 = msg("13140", dup201); - -var msg15585 = msg("13141", dup276); - -var msg15586 = msg("13142", dup276); - -var msg15587 = msg("13143", dup201); - -var msg15588 = msg("13144", dup201); - -var msg15589 = msg("13145", dup201); - -var msg15590 = msg("13146", dup276); - -var msg15591 = msg("13147", dup201); - -var msg15592 = msg("13148", dup201); - -var msg15593 = msg("13149", dup276); - -var msg15594 = msg("13150", dup276); - -var msg15595 = msg("13151", dup276); - -var msg15596 = msg("13152", dup201); - -var msg15597 = msg("13153", dup276); - -var msg15598 = msg("13154", dup276); - -var msg15599 = msg("13155", dup201); - -var msg15600 = msg("13156", dup201); - -var msg15601 = msg("13157", dup276); - -var msg15602 = msg("13158", dup222); - -var msg15603 = msg("13159", dup222); - -var msg15604 = msg("13160", dup267); - -var msg15605 = msg("13161", dup222); - -var msg15606 = msg("13162", dup276); - -var msg15607 = msg("13163", dup276); - -var msg15608 = msg("13164", dup276); - -var msg15609 = msg("13165", dup276); - -var msg15610 = msg("13166", dup276); - -var msg15611 = msg("13167", dup276); - -var 
msg15612 = msg("13168", dup276); - -var msg15613 = msg("13169", dup276); - -var msg15614 = msg("13170", dup276); - -var msg15615 = msg("13171", dup276); - -var msg15616 = msg("13172", dup276); - -var msg15617 = msg("13173", dup276); - -var msg15618 = msg("13174", dup276); - -var msg15619 = msg("13175", dup276); - -var msg15620 = msg("13176", dup276); - -var msg15621 = msg("13177", dup276); - -var msg15622 = msg("13178", dup276); - -var msg15623 = msg("13179", dup276); - -var msg15624 = msg("13180", dup276); - -var msg15625 = msg("13181", dup276); - -var msg15626 = msg("13182", dup276); - -var msg15627 = msg("13183", dup276); - -var msg15628 = msg("13184", dup276); - -var msg15629 = msg("13185", dup276); - -var msg15630 = msg("13186", dup276); - -var msg15631 = msg("13187", dup276); - -var msg15632 = msg("13188", dup276); - -var msg15633 = msg("13189", dup276); - -var msg15634 = msg("13190", dup276); - -var msg15635 = msg("13191", dup276); - -var msg15636 = msg("13192", dup276); - -var msg15637 = msg("13193", dup276); - -var msg15638 = msg("13194", dup276); - -var msg15639 = msg("13195", dup276); - -var msg15640 = msg("13196", dup276); - -var msg15641 = msg("13197", dup276); - -var msg15642 = msg("13198", dup276); - -var msg15643 = msg("13199", dup276); - -var msg15644 = msg("13200", dup276); - -var msg15645 = msg("13201", dup276); - -var msg15646 = msg("13202", dup276); - -var msg15647 = msg("13203", dup276); - -var msg15648 = msg("13204", dup276); - -var msg15649 = msg("13205", dup276); - -var msg15650 = msg("13206", dup276); - -var msg15651 = msg("13207", dup276); - -var msg15652 = msg("13208", dup276); - -var msg15653 = msg("13209", dup276); - -var msg15654 = msg("13210", dup276); - -var msg15655 = msg("13211", dup276); - -var msg15656 = msg("13212", dup276); - -var msg15657 = msg("13213", dup276); - -var msg15658 = msg("13214", dup276); - -var msg15659 = msg("13215", dup276); - -var msg15660 = msg("13216", dup265); - -var msg15661 = msg("13217", dup265); - -var 
msg15662 = msg("13218", dup265); - -var msg15663 = msg("13219", dup265); - -var msg15664 = msg("13220", dup265); - -var msg15665 = msg("13221", dup222); - -var msg15666 = msg("13222", dup222); - -var msg15667 = msg("13223", dup269); - -var msg15668 = msg("13224", dup265); - -var msg15669 = msg("13225", dup265); - -var msg15670 = msg("13226", dup265); - -var msg15671 = msg("13227", dup265); - -var msg15672 = msg("13228", dup265); - -var msg15673 = msg("13229", dup265); - -var msg15674 = msg("13230", dup265); - -var msg15675 = msg("13231", dup265); - -var msg15676 = msg("13232", dup265); - -var msg15677 = msg("13233", dup265); - -var msg15678 = msg("13234", dup265); - -var msg15679 = msg("13235", dup265); - -var msg15680 = msg("13236", dup303); - -var msg15681 = msg("13237", dup303); - -var msg15682 = msg("13238", dup303); - -var msg15683 = msg("13239", dup303); - -var msg15684 = msg("13240", dup303); - -var msg15685 = msg("13241", dup303); - -var msg15686 = msg("13242", dup303); - -var msg15687 = msg("13243", dup303); - -var msg15688 = msg("13244", dup303); - -var msg15689 = msg("13245", dup192); - -var msg15690 = msg("13246", dup192); - -var msg15691 = msg("13247", dup192); - -var msg15692 = msg("13248", dup192); - -var msg15693 = msg("13249", dup196); - -var msg15694 = msg("13250", dup287); - -var msg15695 = msg("13251", dup258); - -var msg15696 = msg("13252", dup287); - -var msg15697 = msg("13253", dup258); - -var msg15698 = msg("13254", dup287); - -var msg15699 = msg("13255", dup258); - -var msg15700 = msg("13256", dup287); - -var msg15701 = msg("13257", dup258); - -var msg15702 = msg("13258", dup265); - -var msg15703 = msg("13259", dup265); - -var msg15704 = msg("13260", dup265); - -var msg15705 = msg("13261", dup265); - -var msg15706 = msg("13262", dup265); - -var msg15707 = msg("13263", dup265); - -var msg15708 = msg("13264", dup265); - -var msg15709 = msg("13265", dup265); - -var msg15710 = msg("13266", dup265); - -var msg15711 = msg("13267", dup265); - -var 
msg15712 = msg("13268", dup269); - -var msg15713 = msg("13269", dup196); - -var msg15714 = msg("13270", dup196); - -var msg15715 = msg("13271", dup196); - -var msg15716 = msg("13272", dup196); - -var msg15717 = msg("13273", dup265); - -var msg15718 = msg("13274", dup265); - -var msg15719 = msg("13275", dup265); - -var msg15720 = msg("13276", dup265); - -var msg15721 = msg("13277", dup303); - -var msg15722 = msg("13278", dup303); - -var msg15723 = msg("13279", dup303); - -var msg15724 = msg("13280", dup303); - -var msg15725 = msg("13281", dup303); - -var msg15726 = msg("13282", dup303); - -var msg15727 = msg("13283", dup303); - -var msg15728 = msg("13284", dup303); - -var msg15729 = msg("13285", dup303); - -var msg15730 = msg("13286", dup303); - -var msg15731 = msg("13287", dup201); - -var msg15732 = msg("13288", dup201); - -var msg15733 = msg("13289", dup265); - -var msg15734 = msg("13290", dup265); - -var msg15735 = msg("13291", dup222); - -var msg15736 = msg("13292", dup196); - -var msg15737 = msg("13293", dup267); - -var msg15738 = msg("13294", dup265); - -var msg15739 = msg("13295", dup265); - -var msg15740 = msg("13296", dup265); - -var msg15741 = msg("13297", dup265); - -var msg15742 = msg("13298", dup265); - -var msg15743 = msg("13299", dup265); - -var msg15744 = msg("13300", dup267); - -var msg15745 = msg("13301", dup267); - -var msg15746 = msg("13302", dup265); - -var msg15747 = msg("13303", dup265); - -var msg15748 = msg("13304", dup265); - -var msg15749 = msg("13305", dup265); - -var msg15750 = msg("13306", dup265); - -var msg15751 = msg("13307", dup198); - -var msg15752 = msg("13308", dup265); - -var msg15753 = msg("13309", dup198); - -var msg15754 = msg("13310", dup198); - -var msg15755 = msg("13311", dup198); - -var msg15756 = msg("13312", dup265); - -var msg15757 = msg("13313", dup265); - -var msg15758 = msg("13314", dup265); - -var msg15759 = msg("13315", dup265); - -var msg15760 = msg("13316", dup267); - -var msg15761 = msg("13317", dup267); - -var 
msg15762 = msg("13318", dup267); - -var msg15763 = msg("13319", dup267); - -var msg15764 = msg("13320", dup267); - -var msg15765 = msg("13321", dup265); - -var msg15766 = msg("13322", dup265); - -var msg15767 = msg("13323", dup265); - -var msg15768 = msg("13324", dup265); - -var msg15769 = msg("13325", dup265); - -var msg15770 = msg("13326", dup265); - -var msg15771 = msg("13327", dup265); - -var msg15772 = msg("13328", dup265); - -var msg15773 = msg("13329", dup265); - -var msg15774 = msg("13330", dup265); - -var msg15775 = msg("13331", dup265); - -var msg15776 = msg("13332", dup265); - -var msg15777 = msg("13333", dup265); - -var msg15778 = msg("13334", dup265); - -var msg15779 = msg("13335", dup265); - -var msg15780 = msg("13336", dup265); - -var msg15781 = msg("13337", dup194); - -var msg15782 = msg("13338", dup194); - -var msg15783 = msg("13339", dup303); - -var msg15784 = msg("13340", dup303); - -var msg15785 = msg("13341", dup303); - -var msg15786 = msg("13342", dup303); - -var msg15787 = msg("13343", dup303); - -var msg15788 = msg("13344", dup303); - -var msg15789 = msg("13345", dup303); - -var msg15790 = msg("13346", dup303); - -var msg15791 = msg("13347", dup303); - -var msg15792 = msg("13348", dup265); - -var msg15793 = msg("13349", dup265); - -var msg15794 = msg("13350", dup265); - -var msg15795 = msg("13351", dup265); - -var msg15796 = msg("13352", dup265); - -var msg15797 = msg("13353", dup265); - -var msg15798 = msg("13354", dup265); - -var msg15799 = msg("13355", dup265); - -var msg15800 = msg("13356", dup260); - -var msg15801 = msg("13357", dup236); - -var msg15802 = msg("13358", dup273); - -var msg15803 = msg("13359", dup236); - -var msg15804 = msg("13360", dup236); - -var msg15805 = msg("13361", dup222); - -var msg15806 = msg("13362", dup222); - -var msg15807 = msg("13363", dup222); - -var msg15808 = msg("13364", dup197); - -var msg15809 = msg("13365", dup222); - -var msg15810 = msg("13366", dup260); - -var msg15811 = msg("13367", dup276); - -var 
msg15812 = msg("13368", dup276); - -var msg15813 = msg("13369", dup276); - -var msg15814 = msg("13370", dup276); - -var msg15815 = msg("13371", dup276); - -var msg15816 = msg("13372", dup276); - -var msg15817 = msg("13373", dup276); - -var msg15818 = msg("13374", dup276); - -var msg15819 = msg("13375", dup276); - -var msg15820 = msg("13376", dup276); - -var msg15821 = msg("13377", dup276); - -var msg15822 = msg("13378", dup276); - -var msg15823 = msg("13379", dup276); - -var msg15824 = msg("13380", dup276); - -var msg15825 = msg("13381", dup276); - -var msg15826 = msg("13382", dup276); - -var msg15827 = msg("13383", dup276); - -var msg15828 = msg("13384", dup276); - -var msg15829 = msg("13385", dup276); - -var msg15830 = msg("13386", dup276); - -var msg15831 = msg("13387", dup276); - -var msg15832 = msg("13388", dup276); - -var msg15833 = msg("13389", dup276); - -var msg15834 = msg("13390", dup276); - -var msg15835 = msg("13391", dup276); - -var msg15836 = msg("13392", dup276); - -var msg15837 = msg("13393", dup276); - -var msg15838 = msg("13394", dup276); - -var msg15839 = msg("13395", dup276); - -var msg15840 = msg("13396", dup276); - -var msg15841 = msg("13397", dup276); - -var msg15842 = msg("13398", dup276); - -var msg15843 = msg("13399", dup276); - -var msg15844 = msg("13400", dup276); - -var msg15845 = msg("13401", dup276); - -var msg15846 = msg("13402", dup276); - -var msg15847 = msg("13403", dup276); - -var msg15848 = msg("13404", dup276); - -var msg15849 = msg("13405", dup276); - -var msg15850 = msg("13406", dup276); - -var msg15851 = msg("13407", dup276); - -var msg15852 = msg("13408", dup276); - -var msg15853 = msg("13409", dup276); - -var msg15854 = msg("13410", dup276); - -var msg15855 = msg("13411", dup276); - -var msg15856 = msg("13412", dup276); - -var msg15857 = msg("13413", dup276); - -var msg15858 = msg("13414", dup276); - -var msg15859 = msg("13415", dup197); - -var msg15860 = msg("13416", dup198); - -var msg15861 = msg("13417", dup222); - -var 
msg15862 = msg("13418", dup198); - -var msg15863 = msg("13419", dup265); - -var msg15864 = msg("13420", dup265); - -var msg15865 = msg("13421", dup265); - -var msg15866 = msg("13422", dup265); - -var msg15867 = msg("13423", dup265); - -var msg15868 = msg("13424", dup265); - -var msg15869 = msg("13425", dup198); - -var msg15870 = msg("13426", dup265); - -var msg15871 = msg("13427", dup265); - -var msg15872 = msg("13428", dup265); - -var msg15873 = msg("13429", dup265); - -var msg15874 = msg("13430", dup265); - -var msg15875 = msg("13431", dup265); - -var msg15876 = msg("13432", dup265); - -var msg15877 = msg("13433", dup265); - -var msg15878 = msg("13434", dup265); - -var msg15879 = msg("13435", dup265); - -var msg15880 = msg("13436", dup265); - -var msg15881 = msg("13437", dup265); - -var msg15882 = msg("13438", dup265); - -var msg15883 = msg("13439", dup265); - -var msg15884 = msg("13440", dup265); - -var msg15885 = msg("13441", dup265); - -var msg15886 = msg("13442", dup265); - -var msg15887 = msg("13443", dup265); - -var msg15888 = msg("13444", dup265); - -var msg15889 = msg("13445", dup265); - -var msg15890 = msg("13446", dup265); - -var msg15891 = msg("13447", dup265); - -var msg15892 = msg("13448", dup201); - -var msg15893 = msg("13449", dup201); - -var msg15894 = msg("13450", dup198); - -var msg15895 = msg("13451", dup265); - -var msg15896 = msg("13452", dup265); - -var msg15897 = msg("13453", dup265); - -var msg15898 = msg("13454", dup265); - -var msg15899 = msg("13455", dup265); - -var msg15900 = msg("13456", dup265); - -var msg15901 = msg("13457", dup265); - -var msg15902 = msg("13458", dup265); - -var msg15903 = msg("13459", dup265); - -var msg15904 = msg("13460", dup265); - -var msg15905 = msg("13465", dup265); - -var msg15906 = msg("13466", dup265); - -var msg15907 = msg("13467", dup265); - -var msg15908 = msg("13468", dup265); - -var msg15909 = msg("13469", dup265); - -var msg15910 = msg("13470", dup196); - -var msg15911 = msg("13471", dup196); - -var 
msg15912 = msg("13472", dup196); - -var msg15913 = msg("13473", dup196); - -var msg15914 = msg("13474", dup267); - -var msg15915 = msg("13475", dup198); - -var msg15916 = msg("13476", dup197); - -var msg15917 = msg("13477", dup196); - -var msg15918 = msg("13478", dup196); - -var msg15919 = msg("13479", dup303); - -var msg15920 = msg("13480", dup303); - -var msg15921 = msg("13481", dup303); - -var msg15922 = msg("13482", dup303); - -var msg15923 = msg("13483", dup303); - -var msg15924 = msg("13484", dup303); - -var msg15925 = msg("13485", dup303); - -var msg15926 = msg("13486", dup303); - -var msg15927 = msg("13487", dup303); - -var msg15928 = msg("13488", dup303); - -var msg15929 = msg("13489", dup303); - -var msg15930 = msg("13490", dup303); - -var msg15931 = msg("13491", dup303); - -var msg15932 = msg("13492", dup303); - -var msg15933 = msg("13493", dup303); - -var msg15934 = msg("13494", dup303); - -var msg15935 = msg("13495", dup303); - -var msg15936 = msg("13496", dup303); - -var msg15937 = msg("13497", dup303); - -var msg15938 = msg("13498", dup303); - -var msg15939 = msg("13499", dup303); - -var msg15940 = msg("13500", dup303); - -var msg15941 = msg("13501", dup303); - -var msg15942 = msg("13502", dup303); - -var msg15943 = msg("13503", dup303); - -var msg15944 = msg("13504", dup303); - -var msg15945 = msg("13505", dup303); - -var msg15946 = msg("13506", dup192); - -var msg15947 = msg("13507", dup192); - -var msg15948 = msg("13508", dup192); - -var msg15949 = msg("13509", dup192); - -var msg15950 = msg("13510", dup222); - -var msg15951 = msg("13511", dup196); - -var msg15952 = msg("13512", dup260); - -var msg15953 = msg("13513", dup260); - -var msg15954 = msg("13514", dup260); - -var msg15955 = msg("13515", dup196); - -var msg15956 = msg("13516", dup197); - -var msg15957 = msg("13517", dup196); - -var msg15958 = msg("13518", dup265); - -var msg15959 = msg("13519", dup222); - -var msg15960 = msg("13520", dup269); - -var msg15961 = msg("13521", dup269); - -var 
msg15962 = msg("13522", dup197); - -var msg15963 = msg("13523", dup265); - -var msg15964 = msg("13524", dup265); - -var msg15965 = msg("13525", dup265); - -var msg15966 = msg("13526", dup265); - -var msg15967 = msg("13527", dup265); - -var msg15968 = msg("13528", dup265); - -var msg15969 = msg("13529", dup265); - -var msg15970 = msg("13530", dup265); - -var msg15971 = msg("13531", dup265); - -var msg15972 = msg("13532", dup265); - -var msg15973 = msg("13533", dup265); - -var msg15974 = msg("13534", dup265); - -var msg15975 = msg("13535", dup265); - -var msg15976 = msg("13536", dup265); - -var msg15977 = msg("13537", dup265); - -var msg15978 = msg("13538", dup265); - -var msg15979 = msg("13539", dup267); - -var msg15980 = msg("13540", dup267); - -var msg15981 = msg("13541", dup267); - -var msg15982 = msg("13542", dup267); - -var msg15983 = msg("13543", dup265); - -var msg15984 = msg("13544", dup265); - -var msg15985 = msg("13545", dup265); - -var msg15986 = msg("13546", dup265); - -var msg15987 = msg("13547", dup265); - -var msg15988 = msg("13548", dup265); - -var msg15989 = msg("13549", dup265); - -var msg15990 = msg("13550", dup265); - -var msg15991 = msg("13551", dup260); - -var msg15992 = msg("13552", dup222); - -var msg15993 = msg("13553", dup197); - -var msg15994 = msg("13554", dup197); - -var msg15995 = msg("13555", dup197); - -var msg15996 = msg("13556", dup303); - -var msg15997 = msg("13557", dup303); - -var msg15998 = msg("13558", dup303); - -var msg15999 = msg("13559", dup303); - -var msg16000 = msg("13560", dup303); - -var msg16001 = msg("13561", dup303); - -var msg16002 = msg("13562", dup303); - -var msg16003 = msg("13563", dup303); - -var msg16004 = msg("13564", dup303); - -var msg16005 = msg("13565", dup303); - -var msg16006 = msg("13566", dup303); - -var msg16007 = msg("13567", dup303); - -var msg16008 = msg("13568", dup303); - -var msg16009 = msg("13569", dup269); - -var msg16010 = msg("13570", dup265); - -var msg16011 = msg("13571", dup265); - -var 
msg16012 = msg("13572", dup269); - -var msg16013 = msg("13573", dup265); - -var msg16014 = msg("13580", dup267); - -var msg16015 = msg("13581", dup267); - -var msg16016 = msg("13582", dup265); - -var msg16017 = msg("13583", dup266); - -var msg16018 = msg("13584", dup266); - -var msg16019 = msg("13585", dup217); - -var all47 = all_match({ - processors: [ - dup66, - dup178, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup62, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup76, - dup56, - ]), -}); - -var msg16020 = msg("13585:01", all47); - -var select2440 = linear_select([ - msg16019, - msg16020, -]); - -var msg16021 = msg("13586", dup196); - -var msg16022 = msg("13587", dup287); - -var msg16023 = msg("13588", dup287); - -var msg16024 = msg("13589", dup287); - -var msg16025 = msg("13590", dup287); - -var msg16026 = msg("13591", dup194); - -var msg16027 = msg("13592", dup269); - -var msg16028 = msg("13593", dup260); - -var msg16029 = msg("13593:01", dup261); - -var select2441 = linear_select([ - msg16028, - msg16029, -]); - -var msg16030 = msg("13594", dup198); - -var msg16031 = msg("13595", dup266); - -var msg16032 = msg("13596", dup266); - -var msg16033 = msg("13597", dup266); - -var msg16034 = msg("13598", dup266); - -var msg16035 = msg("13599", dup229); - -var msg16036 = msg("13600", dup229); - -var msg16037 = msg("13601", dup229); - -var msg16038 = msg("13602", dup229); - -var msg16039 = msg("13603", dup266); - -var msg16040 = msg("13604", dup266); - -var msg16041 = msg("13605", dup266); - -var msg16042 = msg("13606", dup266); - -var msg16043 = msg("13607", dup266); - -var msg16044 = msg("13608", dup266); - -var msg16045 = msg("13609", dup266); - -var msg16046 = msg("13610", dup266); - -var msg16047 = msg("13611", dup196); - -var msg16048 = msg("13612", dup285); - -var msg16049 = msg("13613", dup285); - -var msg16050 = msg("13614", dup222); - -var msg16051 = 
msg("13615", dup222); - -var msg16052 = msg("13616", dup197); - -var msg16053 = msg("13617", dup222); - -var msg16054 = msg("13618", dup222); - -var msg16055 = msg("13619", dup196); - -var msg16056 = msg("13620", dup222); - -var msg16057 = msg("13621", dup266); - -var msg16058 = msg("13622", dup266); - -var msg16059 = msg("13623", dup266); - -var msg16060 = msg("13624", dup266); - -var msg16061 = msg("13625", dup262); - -var msg16062 = msg("13626", dup265); - -var msg16063 = msg("13627", dup266); - -var msg16064 = msg("13628", dup265); - -var msg16065 = msg("13628:01", dup266); - -var select2442 = linear_select([ - msg16064, - msg16065, -]); - -var msg16066 = msg("13629", dup265); - -var msg16067 = msg("13630", dup265); - -var msg16068 = msg("13631", dup196); - -var msg16069 = msg("13632", dup266); - -var msg16070 = msg("13633", dup265); - -var msg16071 = msg("13634", dup265); - -var msg16072 = msg("13635", dup192); - -var msg16073 = msg("13636", dup192); - -var msg16074 = msg("13637", dup303); - -var msg16075 = msg("13638", dup303); - -var msg16076 = msg("13639", dup303); - -var msg16077 = msg("13640", dup303); - -var msg16078 = msg("13641", dup303); - -var msg16079 = msg("13642", dup303); - -var msg16080 = msg("13643", dup303); - -var msg16081 = msg("13644", dup303); - -var msg16082 = msg("13645", dup303); - -var msg16083 = msg("13646", dup303); - -var msg16084 = msg("13647", dup303); - -var msg16085 = msg("13648", dup303); - -var msg16086 = msg("13649", dup303); - -var msg16087 = msg("13650", dup303); - -var msg16088 = msg("13651", dup303); - -var msg16089 = msg("13652", dup303); - -var msg16090 = msg("13653", dup303); - -var msg16091 = msg("13654", dup192); - -var msg16092 = msg("13655", dup192); - -var msg16093 = msg("13656", dup267); - -var msg16094 = msg("13657", dup265); - -var msg16095 = msg("13658", dup265); - -var msg16096 = msg("13659", dup265); - -var msg16097 = msg("13660", dup265); - -var msg16098 = msg("13661", dup265); - -var msg16099 = 
msg("13662", dup265); - -var msg16100 = msg("13663", dup222); - -var msg16101 = msg("13664", dup196); - -var msg16102 = msg("13665", dup267); - -var msg16103 = msg("13666", dup267); - -var msg16104 = msg("13667", dup196); - -var msg16105 = msg("13668", dup265); - -var msg16106 = msg("13669", dup265); - -var msg16107 = msg("13670", dup265); - -var msg16108 = msg("13671", dup265); - -var msg16109 = msg("13672", dup265); - -var msg16110 = msg("13673", dup265); - -var msg16111 = msg("13674", dup265); - -var msg16112 = msg("13675", dup265); - -var msg16113 = msg("13676", dup267); - -var msg16114 = msg("13677", dup265); - -var msg16115 = msg("13678", dup196); - -var msg16116 = msg("13679", dup265); - -var msg16117 = msg("13680", dup265); - -var msg16118 = msg("13681", dup265); - -var msg16119 = msg("13682", dup265); - -var msg16120 = msg("13683", dup265); - -var msg16121 = msg("13684", dup265); - -var msg16122 = msg("13685", dup265); - -var msg16123 = msg("13686", dup265); - -var msg16124 = msg("13687", dup265); - -var msg16125 = msg("13688", dup265); - -var msg16126 = msg("13689", dup265); - -var msg16127 = msg("13690", dup265); - -var msg16128 = msg("13691", dup265); - -var msg16129 = msg("13692", dup265); - -var msg16130 = msg("13693", dup196); - -var msg16131 = msg("13694", dup196); - -var msg16132 = msg("13695", dup196); - -var msg16133 = msg("13696", dup196); - -var msg16134 = msg("13697", dup196); - -var msg16135 = msg("13698", dup196); - -var msg16136 = msg("13699", dup265); - -var msg16137 = msg("13700", dup265); - -var msg16138 = msg("13709", dup240); - -var msg16139 = msg("13710", dup240); - -var msg16140 = msg("13711", dup201); - -var msg16141 = msg("13712", dup260); - -var msg16142 = msg("13713", dup260); - -var msg16143 = msg("13714", dup201); - -var msg16144 = msg("13715", dup267); - -var msg16145 = msg("13716", dup287); - -var msg16146 = msg("13717", dup258); - -var msg16147 = msg("13718", dup222); - -var msg16148 = msg("13719", dup197); - -var msg16149 = 
msg("13720", dup265); - -var msg16150 = msg("13721", dup265); - -var msg16151 = msg("13722", dup265); - -var msg16152 = msg("13723", dup265); - -var msg16153 = msg("13724", dup265); - -var msg16154 = msg("13725", dup265); - -var msg16155 = msg("13726", dup265); - -var msg16156 = msg("13727", dup265); - -var msg16157 = msg("13728", dup265); - -var msg16158 = msg("13729", dup265); - -var msg16159 = msg("13730", dup265); - -var msg16160 = msg("13731", dup265); - -var msg16161 = msg("13732", dup265); - -var msg16162 = msg("13733", dup265); - -var msg16163 = msg("13734", dup265); - -var msg16164 = msg("13735", dup265); - -var msg16165 = msg("13736", dup265); - -var msg16166 = msg("13737", dup265); - -var msg16167 = msg("13738", dup265); - -var msg16168 = msg("13739", dup265); - -var msg16169 = msg("13740", dup265); - -var msg16170 = msg("13741", dup265); - -var msg16171 = msg("13742", dup265); - -var msg16172 = msg("13743", dup265); - -var msg16173 = msg("13744", dup265); - -var msg16174 = msg("13745", dup265); - -var msg16175 = msg("13746", dup265); - -var msg16176 = msg("13747", dup265); - -var msg16177 = msg("13748", dup265); - -var msg16178 = msg("13749", dup265); - -var msg16179 = msg("13750", dup265); - -var msg16180 = msg("13751", dup265); - -var msg16181 = msg("13752", dup265); - -var msg16182 = msg("13753", dup265); - -var msg16183 = msg("13754", dup265); - -var msg16184 = msg("13755", dup265); - -var msg16185 = msg("13756", dup265); - -var msg16186 = msg("13757", dup265); - -var msg16187 = msg("13758", dup265); - -var msg16188 = msg("13759", dup265); - -var msg16189 = msg("13760", dup265); - -var msg16190 = msg("13761", dup265); - -var msg16191 = msg("13762", dup303); - -var msg16192 = msg("13763", dup303); - -var msg16193 = msg("13764", dup303); - -var msg16194 = msg("13765", dup303); - -var msg16195 = msg("13766", dup303); - -var msg16196 = msg("13767", dup303); - -var msg16197 = msg("13768", dup303); - -var msg16198 = msg("13769", dup303); - -var msg16199 = 
msg("13770", dup303); - -var msg16200 = msg("13771", dup303); - -var msg16201 = msg("13772", dup303); - -var msg16202 = msg("13773", dup198); - -var msg16203 = msg("13774", dup192); - -var msg16204 = msg("13775", dup192); - -var msg16205 = msg("13776", dup303); - -var msg16206 = msg("13777", dup303); - -var msg16207 = msg("13778", dup303); - -var msg16208 = msg("13779", dup303); - -var msg16209 = msg("13780", dup303); - -var msg16210 = msg("13781", dup303); - -var msg16211 = msg("13782", dup303); - -var msg16212 = msg("13783", dup265); - -var msg16213 = msg("13784", dup265); - -var msg16214 = msg("13785", dup265); - -var msg16215 = msg("13786", dup265); - -var msg16216 = msg("13787", dup265); - -var msg16217 = msg("13788", dup265); - -var msg16218 = msg("13789", dup265); - -var msg16219 = msg("13790", dup267); - -var msg16220 = msg("13791", dup260); - -var msg16221 = msg("13797", dup196); - -var msg16222 = msg("13798", dup198); - -var msg16223 = msg("13799", dup267); - -var msg16224 = msg("13800", dup222); - -var msg16225 = msg("13801", dup196); - -var msg16226 = msg("13802", dup198); - -var msg16227 = msg("13803", dup267); - -var msg16228 = msg("13804", dup222); - -var msg16229 = msg("13805", dup287); - -var msg16230 = msg("13806", dup258); - -var msg16231 = msg("13807", dup267); - -var msg16232 = msg("13808", dup303); - -var msg16233 = msg("13809", dup303); - -var msg16234 = msg("13810", dup303); - -var msg16235 = msg("13811", dup303); - -var msg16236 = msg("13812", dup303); - -var msg16237 = msg("13813", dup303); - -var msg16238 = msg("13814", dup192); - -var msg16239 = msg("13815", dup192); - -var msg16240 = msg("13816", dup255); - -var msg16241 = msg("13817", dup255); - -var msg16242 = msg("13818", dup255); - -var msg16243 = msg("13819", dup267); - -var msg16244 = msg("13820", dup265); - -var msg16245 = msg("13821", dup265); - -var msg16246 = msg("13822", dup265); - -var msg16247 = msg("13823", dup267); - -var msg16248 = msg("13824", dup269); - -var msg16249 = 
msg("13825", dup198); - -var msg16250 = msg("13826", dup196); - -var msg16251 = msg("13827", dup198); - -var msg16252 = msg("13828", dup265); - -var msg16253 = msg("13829", dup265); - -var msg16254 = msg("13830", dup265); - -var msg16255 = msg("13831", dup265); - -var msg16256 = msg("13832", dup265); - -var msg16257 = msg("13833", dup265); - -var msg16258 = msg("13834", dup265); - -var msg16259 = msg("13835", dup198); - -var msg16260 = msg("13838", dup267); - -var msg16261 = msg("13839", dup196); - -var msg16262 = msg("13840", dup197); - -var msg16263 = msg("13841", dup197); - -var msg16264 = msg("13842", dup197); - -var msg16265 = msg("13843", dup197); - -var msg16266 = msg("13844", dup196); - -var msg16267 = msg("13845", dup196); - -var msg16268 = msg("13846", dup222); - -var msg16269 = msg("13847", dup303); - -var msg16270 = msg("13848", dup303); - -var msg16271 = msg("13849", dup303); - -var msg16272 = msg("13850", dup303); - -var msg16273 = msg("13851", dup303); - -var msg16274 = msg("13852", dup303); - -var msg16275 = msg("13853", dup303); - -var msg16276 = msg("13854", dup303); - -var msg16277 = msg("13855", dup303); - -var msg16278 = msg("13856", dup192); - -var msg16279 = msg("13857", dup265); - -var msg16280 = msg("13858", dup265); - -var msg16281 = msg("13859", dup265); - -var msg16282 = msg("13860", dup265); - -var msg16283 = msg("13861", dup196); - -var msg16284 = msg("13862", dup196); - -var msg16285 = msg("13863", dup301); - -var msg16286 = msg("13864", dup196); - -var msg16287 = msg("13865", dup267); - -var msg16288 = msg("13866", dup303); - -var msg16289 = msg("13867", dup303); - -var msg16290 = msg("13868", dup303); - -var msg16291 = msg("13869", dup303); - -var msg16292 = msg("13870", dup303); - -var msg16293 = msg("13871", dup303); - -var msg16294 = msg("13872", dup303); - -var msg16295 = msg("13873", dup303); - -var msg16296 = msg("13874", dup303); - -var msg16297 = msg("13875", dup303); - -var msg16298 = msg("13876", dup192); - -var msg16299 = 
msg("13877", dup192); - -var msg16300 = msg("13878", dup192); - -var msg16301 = msg("13879", dup269); - -var msg16302 = msg("13880", dup196); - -var msg16303 = msg("13881", dup196); - -var msg16304 = msg("13882", dup196); - -var msg16305 = msg("13883", dup265); - -var msg16306 = msg("13884", dup265); - -var msg16307 = msg("13885", dup265); - -var msg16308 = msg("13886", dup265); - -var msg16309 = msg("13887", dup196); - -var msg16310 = msg("13888", dup260); - -var msg16311 = msg("13889", dup260); - -var msg16312 = msg("13890", dup260); - -var msg16313 = msg("13891", dup240); - -var msg16314 = msg("13892", dup196); - -var msg16315 = msg("13893", dup265); - -var msg16316 = msg("13894", dup287); - -var msg16317 = msg("13895", dup201); - -var msg16318 = msg("13896", dup196); - -var msg16319 = msg("13897", dup222); - -var msg16320 = msg("13898", dup196); - -var msg16321 = msg("13899", dup196); - -var msg16322 = msg("13900", dup196); - -var msg16323 = msg("13901", dup276); - -var msg16324 = msg("13902", dup201); - -var msg16325 = msg("13903", dup265); - -var msg16326 = msg("13904", dup265); - -var msg16327 = msg("13905", dup265); - -var msg16328 = msg("13906", dup265); - -var msg16329 = msg("13907", dup265); - -var msg16330 = msg("13908", dup265); - -var msg16331 = msg("13909", dup265); - -var msg16332 = msg("13910", dup265); - -var msg16333 = msg("13911", dup265); - -var msg16334 = msg("13912", dup196); - -var msg16335 = msg("13913", dup265); - -var msg16336 = msg("13914", dup265); - -var msg16337 = msg("13915", dup265); - -var msg16338 = msg("13916", dup222); - -var msg16339 = msg("13917", dup267); - -var msg16340 = msg("13918", dup267); - -var msg16341 = msg("13919", dup267); - -var msg16342 = msg("13920", dup267); - -var msg16343 = msg("13921", dup196); - -var msg16344 = msg("13922", dup197); - -var msg16345 = msg("13923", dup198); - -var msg16346 = msg("13924", dup267); - -var msg16347 = msg("13925", dup222); - -var msg16348 = msg("13926", dup197); - -var msg16349 = 
msg("13927", dup295); - -var msg16350 = msg("13928", dup260); - -var msg16351 = msg("13929", dup260); - -var msg16352 = msg("13930", dup303); - -var msg16353 = msg("13931", dup303); - -var msg16354 = msg("13932", dup303); - -var msg16355 = msg("13933", dup303); - -var msg16356 = msg("13934", dup303); - -var msg16357 = msg("13935", dup303); - -var msg16358 = msg("13936", dup303); - -var msg16359 = msg("13937", dup303); - -var msg16360 = msg("13938", dup303); - -var msg16361 = msg("13939", dup303); - -var msg16362 = msg("13940", dup303); - -var msg16363 = msg("13941", dup192); - -var msg16364 = msg("13942", dup192); - -var msg16365 = msg("13943", dup303); - -var msg16366 = msg("13944", dup192); - -var msg16367 = msg("13945", dup192); - -var msg16368 = msg("13946", dup267); - -var msg16369 = msg("13947", dup267); - -var msg16370 = msg("13948", dup196); - -var msg16371 = msg("13949", dup196); - -var msg16372 = msg("13950", dup267); - -var msg16373 = msg("13951", dup267); - -var msg16374 = msg("13952", dup192); - -var msg16375 = msg("13953", dup192); - -var msg16376 = msg("13954", dup267); - -var msg16377 = msg("13958", dup267); - -var msg16378 = msg("13960", dup267); - -var msg16379 = msg("13961", dup267); - -var msg16380 = msg("13962", dup265); - -var msg16381 = msg("13963", dup267); - -var msg16382 = msg("13964", dup196); - -var msg16383 = msg("13965", dup265); - -var msg16384 = msg("13966", dup265); - -var msg16385 = msg("13967", dup265); - -var msg16386 = msg("13968", dup265); - -var msg16387 = msg("13969", dup267); - -var msg16388 = msg("13970", dup192); - -var msg16389 = msg("13971", dup267); - -var msg16390 = msg("13972", dup269); - -var msg16391 = msg("13973", dup267); - -var msg16392 = msg("13974", dup265); - -var msg16393 = msg("13975", dup265); - -var msg16394 = msg("13976", dup265); - -var msg16395 = msg("13977", dup265); - -var msg16396 = msg("13978", dup265); - -var msg16397 = msg("13979", dup265); - -var msg16398 = msg("13980", dup267); - -var msg16399 = 
msg("13981", dup269); - -var msg16400 = msg("13982", dup265); - -var msg16401 = msg("13983", dup196); - -var msg16402 = msg("13984", dup255); - -var msg16403 = msg("13985", dup255); - -var msg16404 = msg("13986", dup255); - -var msg16405 = msg("13987", dup260); - -var msg16406 = msg("13988", dup260); - -var msg16407 = msg("13989", dup260); - -var msg16408 = msg("13990", dup260); - -var msg16409 = msg("13991", dup240); - -var msg16410 = msg("13992", dup240); - -var msg16411 = msg("13993", dup240); - -var msg16412 = msg("13994", dup240); - -var msg16413 = msg("13995", dup240); - -var msg16414 = msg("13996", dup240); - -var msg16415 = msg("13997", dup240); - -var msg16416 = msg("13998", dup240); - -var msg16417 = msg("13999", dup260); - -var msg16418 = msg("14000", dup260); - -var msg16419 = msg("14001", dup260); - -var msg16420 = msg("14002", dup260); - -var msg16421 = msg("14003", dup260); - -var msg16422 = msg("14004", dup260); - -var msg16423 = msg("14005", dup260); - -var msg16424 = msg("14006", dup260); - -var msg16425 = msg("14007", dup260); - -var msg16426 = msg("14008", dup260); - -var msg16427 = msg("14013", dup265); - -var msg16428 = msg("14014", dup265); - -var msg16429 = msg("14015", dup265); - -var msg16430 = msg("14016", dup265); - -var msg16431 = msg("14017", dup196); - -var msg16432 = msg("14018", dup196); - -var msg16433 = msg("14019", dup267); - -var msg16434 = msg("14020", dup267); - -var msg16435 = msg("14021", dup265); - -var msg16436 = msg("14022", dup265); - -var msg16437 = msg("14023", dup265); - -var msg16438 = msg("14024", dup265); - -var msg16439 = msg("14025", dup265); - -var msg16440 = msg("14026", dup265); - -var msg16441 = msg("14027", dup265); - -var msg16442 = msg("14028", dup265); - -var msg16443 = msg("14029", dup265); - -var msg16444 = msg("14030", dup265); - -var msg16445 = msg("14031", dup265); - -var msg16446 = msg("14032", dup265); - -var msg16447 = msg("14033", dup265); - -var msg16448 = msg("14034", dup265); - -var msg16449 = 
msg("14035", dup265); - -var msg16450 = msg("14036", dup265); - -var msg16451 = msg("14037", dup201); - -var msg16452 = msg("14038", dup201); - -var msg16453 = msg("14039", dup222); - -var msg16454 = msg("14040", dup222); - -var msg16455 = msg("14041", dup222); - -var msg16456 = msg("14042", dup265); - -var msg16457 = msg("14043", dup265); - -var msg16458 = msg("14044", dup265); - -var msg16459 = msg("14045", dup265); - -var msg16460 = msg("14046", dup265); - -var msg16461 = msg("14047", dup265); - -var msg16462 = msg("14048", dup265); - -var msg16463 = msg("14049", dup265); - -var msg16464 = msg("14050", dup265); - -var msg16465 = msg("14051", dup265); - -var msg16466 = msg("14052", dup265); - -var msg16467 = msg("14053", dup265); - -var msg16468 = msg("14054", dup303); - -var msg16469 = msg("14055", dup303); - -var msg16470 = msg("14056", dup303); - -var msg16471 = msg("14057", dup303); - -var msg16472 = msg("14058", dup303); - -var msg16473 = msg("14059", dup303); - -var msg16474 = msg("14060", dup303); - -var msg16475 = msg("14061", dup303); - -var msg16476 = msg("14062", dup303); - -var msg16477 = msg("14063", dup303); - -var msg16478 = msg("14064", dup303); - -var msg16479 = msg("14065", dup303); - -var msg16480 = msg("14066", dup303); - -var msg16481 = msg("14067", dup303); - -var msg16482 = msg("14068", dup303); - -var msg16483 = msg("14069", dup303); - -var msg16484 = msg("14070", dup303); - -var msg16485 = msg("14071", dup303); - -var msg16486 = msg("14072", dup303); - -var msg16487 = msg("14073", dup303); - -var msg16488 = msg("14074", dup303); - -var msg16489 = msg("14075", dup303); - -var msg16490 = msg("14076", dup303); - -var msg16491 = msg("14077", dup303); - -var msg16492 = msg("14078", dup303); - -var msg16493 = msg("14079", dup303); - -var msg16494 = msg("14080", dup303); - -var msg16495 = msg("14081", dup192); - -var msg16496 = msg("14082", dup192); - -var msg16497 = msg("14083", dup192); - -var msg16498 = msg("14084", dup192); - -var msg16499 = 
msg("14085", dup192); - -var msg16500 = msg("14086", dup192); - -var msg16501 = msg("14087", dup192); - -var msg16502 = msg("14088", dup265); - -var msg16503 = msg("14089", dup265); - -var msg16504 = msg("14090", dup265); - -var msg16505 = msg("14091", dup265); - -var msg16506 = msg("14092", dup265); - -var msg16507 = msg("14093", dup265); - -var msg16508 = msg("14094", dup265); - -var msg16509 = msg("14095", dup265); - -var msg16510 = msg("14096", dup265); - -var msg16511 = msg("14097", dup265); - -var msg16512 = msg("14098", dup265); - -var msg16513 = msg("14099", dup265); - -var msg16514 = msg("14100", dup265); - -var msg16515 = msg("14101", dup265); - -var msg16516 = msg("14102", dup265); - -var msg16517 = msg("14103", dup265); - -var msg16518 = msg("14104", dup265); - -var msg16519 = msg("14105", dup265); - -var msg16520 = msg("14106", dup265); - -var msg16521 = msg("14107", dup265); - -var msg16522 = msg("14108", dup265); - -var msg16523 = msg("14109", dup265); - -var msg16524 = msg("14110", dup265); - -var msg16525 = msg("14111", dup265); - -var msg16526 = msg("14112", dup265); - -var msg16527 = msg("14113", dup265); - -var msg16528 = msg("14114", dup265); - -var msg16529 = msg("14115", dup265); - -var msg16530 = msg("14116", dup265); - -var msg16531 = msg("14117", dup265); - -var msg16532 = msg("14118", dup265); - -var msg16533 = msg("14119", dup265); - -var msg16534 = msg("14120", dup265); - -var msg16535 = msg("14121", dup265); - -var msg16536 = msg("14122", dup265); - -var msg16537 = msg("14123", dup265); - -var msg16538 = msg("14124", dup265); - -var msg16539 = msg("14125", dup265); - -var msg16540 = msg("14126", dup265); - -var msg16541 = msg("14127", dup265); - -var msg16542 = msg("14128", dup265); - -var msg16543 = msg("14129", dup265); - -var msg16544 = msg("14130", dup265); - -var msg16545 = msg("14131", dup265); - -var msg16546 = msg("14132", dup265); - -var msg16547 = msg("14133", dup265); - -var msg16548 = msg("14134", dup265); - -var msg16549 = 
msg("14135", dup265); - -var msg16550 = msg("14136", dup265); - -var msg16551 = msg("14137", dup265); - -var msg16552 = msg("14138", dup265); - -var msg16553 = msg("14139", dup265); - -var msg16554 = msg("14140", dup265); - -var msg16555 = msg("14141", dup265); - -var msg16556 = msg("14142", dup265); - -var msg16557 = msg("14143", dup265); - -var msg16558 = msg("14144", dup265); - -var msg16559 = msg("14145", dup265); - -var msg16560 = msg("14146", dup265); - -var msg16561 = msg("14147", dup265); - -var msg16562 = msg("14148", dup265); - -var msg16563 = msg("14149", dup265); - -var msg16564 = msg("14150", dup265); - -var msg16565 = msg("14151", dup265); - -var msg16566 = msg("14152", dup265); - -var msg16567 = msg("14153", dup265); - -var msg16568 = msg("14154", dup265); - -var msg16569 = msg("14155", dup265); - -var msg16570 = msg("14156", dup265); - -var msg16571 = msg("14157", dup265); - -var msg16572 = msg("14158", dup265); - -var msg16573 = msg("14159", dup265); - -var msg16574 = msg("14160", dup265); - -var msg16575 = msg("14161", dup265); - -var msg16576 = msg("14162", dup265); - -var msg16577 = msg("14163", dup265); - -var msg16578 = msg("14164", dup265); - -var msg16579 = msg("14165", dup265); - -var msg16580 = msg("14166", dup265); - -var msg16581 = msg("14167", dup265); - -var msg16582 = msg("14168", dup265); - -var msg16583 = msg("14169", dup265); - -var msg16584 = msg("14170", dup265); - -var msg16585 = msg("14171", dup265); - -var msg16586 = msg("14172", dup265); - -var msg16587 = msg("14173", dup265); - -var msg16588 = msg("14174", dup265); - -var msg16589 = msg("14175", dup265); - -var msg16590 = msg("14176", dup265); - -var msg16591 = msg("14177", dup265); - -var msg16592 = msg("14178", dup265); - -var msg16593 = msg("14179", dup265); - -var msg16594 = msg("14180", dup265); - -var msg16595 = msg("14181", dup265); - -var msg16596 = msg("14182", dup265); - -var msg16597 = msg("14183", dup265); - -var msg16598 = msg("14184", dup265); - -var msg16599 = 
msg("14185", dup265); - -var msg16600 = msg("14186", dup265); - -var msg16601 = msg("14187", dup265); - -var msg16602 = msg("14188", dup265); - -var msg16603 = msg("14189", dup265); - -var msg16604 = msg("14190", dup265); - -var msg16605 = msg("14191", dup265); - -var msg16606 = msg("14192", dup265); - -var msg16607 = msg("14193", dup265); - -var msg16608 = msg("14194", dup265); - -var msg16609 = msg("14195", dup265); - -var msg16610 = msg("14196", dup265); - -var msg16611 = msg("14197", dup265); - -var msg16612 = msg("14198", dup265); - -var msg16613 = msg("14199", dup265); - -var msg16614 = msg("14200", dup265); - -var msg16615 = msg("14201", dup265); - -var msg16616 = msg("14202", dup265); - -var msg16617 = msg("14203", dup265); - -var msg16618 = msg("14204", dup265); - -var msg16619 = msg("14205", dup265); - -var msg16620 = msg("14206", dup265); - -var msg16621 = msg("14207", dup265); - -var msg16622 = msg("14208", dup265); - -var msg16623 = msg("14209", dup265); - -var msg16624 = msg("14210", dup265); - -var msg16625 = msg("14211", dup265); - -var msg16626 = msg("14212", dup265); - -var msg16627 = msg("14213", dup265); - -var msg16628 = msg("14214", dup265); - -var msg16629 = msg("14215", dup265); - -var msg16630 = msg("14216", dup265); - -var msg16631 = msg("14217", dup265); - -var msg16632 = msg("14218", dup265); - -var msg16633 = msg("14219", dup265); - -var msg16634 = msg("14220", dup265); - -var msg16635 = msg("14221", dup265); - -var msg16636 = msg("14222", dup265); - -var msg16637 = msg("14223", dup265); - -var msg16638 = msg("14224", dup265); - -var msg16639 = msg("14225", dup265); - -var msg16640 = msg("14226", dup265); - -var msg16641 = msg("14227", dup265); - -var msg16642 = msg("14228", dup265); - -var msg16643 = msg("14229", dup265); - -var msg16644 = msg("14230", dup222); - -var msg16645 = msg("14231", dup265); - -var msg16646 = msg("14232", dup265); - -var msg16647 = msg("14233", dup265); - -var msg16648 = msg("14234", dup265); - -var msg16649 = 
msg("14235", dup265); - -var msg16650 = msg("14236", dup265); - -var msg16651 = msg("14237", dup265); - -var msg16652 = msg("14238", dup265); - -var msg16653 = msg("14239", dup265); - -var msg16654 = msg("14240", dup265); - -var msg16655 = msg("14241", dup265); - -var msg16656 = msg("14242", dup265); - -var msg16657 = msg("14243", dup265); - -var msg16658 = msg("14244", dup265); - -var msg16659 = msg("14245", dup265); - -var msg16660 = msg("14246", dup265); - -var msg16661 = msg("14247", dup265); - -var msg16662 = msg("14248", dup265); - -var msg16663 = msg("14249", dup265); - -var msg16664 = msg("14250", dup265); - -var msg16665 = msg("14251", dup222); - -var msg16666 = msg("14252", dup269); - -var msg16667 = msg("14253", dup269); - -var msg16668 = msg("14254", dup269); - -var msg16669 = msg("14255", dup265); - -var msg16670 = msg("14256", dup265); - -var msg16671 = msg("14257", dup265); - -var msg16672 = msg("14258", dup265); - -var msg16673 = msg("14259", dup267); - -var msg16674 = msg("14260", dup267); - -var msg16675 = msg("14261", dup267); - -var msg16676 = msg("14262", dup267); - -var msg16677 = msg("14263", dup222); - -var msg16678 = msg("14264", dup196); - -var msg16679 = msg("14265", dup305); - -var msg16680 = msg("14266", dup265); - -var msg16681 = msg("14267", dup265); - -var msg16682 = msg("14268", dup265); - -var msg16683 = msg("14269", dup265); - -var msg16684 = msg("14270", dup265); - -var msg16685 = msg("14271", dup265); - -var msg16686 = msg("14272", dup265); - -var msg16687 = msg("14273", dup265); - -var msg16688 = msg("14274", dup265); - -var msg16689 = msg("14275", dup265); - -var msg16690 = msg("14276", dup265); - -var msg16691 = msg("14277", dup265); - -var msg16692 = msg("14278", dup265); - -var msg16693 = msg("14279", dup265); - -var msg16694 = msg("14280", dup265); - -var msg16695 = msg("14281", dup265); - -var msg16696 = msg("14282", dup265); - -var msg16697 = msg("14283", dup265); - -var msg16698 = msg("14284", dup265); - -var msg16699 = 
msg("14285", dup265); - -var msg16700 = msg("14286", dup265); - -var msg16701 = msg("14287", dup265); - -var msg16702 = msg("14288", dup265); - -var msg16703 = msg("14289", dup265); - -var msg16704 = msg("14290", dup265); - -var msg16705 = msg("14291", dup265); - -var msg16706 = msg("14292", dup265); - -var msg16707 = msg("14293", dup265); - -var msg16708 = msg("14294", dup265); - -var msg16709 = msg("14295", dup265); - -var msg16710 = msg("14296", dup265); - -var msg16711 = msg("14297", dup265); - -var msg16712 = msg("14298", dup265); - -var msg16713 = msg("14299", dup265); - -var msg16714 = msg("14300", dup265); - -var msg16715 = msg("14301", dup265); - -var msg16716 = msg("14302", dup265); - -var msg16717 = msg("14303", dup265); - -var msg16718 = msg("14304", dup265); - -var msg16719 = msg("14305", dup265); - -var msg16720 = msg("14306", dup265); - -var msg16721 = msg("14307", dup265); - -var msg16722 = msg("14308", dup265); - -var msg16723 = msg("14309", dup265); - -var msg16724 = msg("14310", dup265); - -var msg16725 = msg("14311", dup265); - -var msg16726 = msg("14312", dup265); - -var msg16727 = msg("14313", dup265); - -var msg16728 = msg("14314", dup265); - -var msg16729 = msg("14315", dup265); - -var msg16730 = msg("14316", dup267); - -var msg16731 = msg("14317", dup267); - -var msg16732 = msg("14318", dup267); - -var msg16733 = msg("14319", dup267); - -var msg16734 = msg("14320", dup265); - -var msg16735 = msg("14321", dup265); - -var msg16736 = msg("14322", dup265); - -var msg16737 = msg("14323", dup265); - -var msg16738 = msg("14324", dup265); - -var msg16739 = msg("14325", dup265); - -var msg16740 = msg("14326", dup265); - -var msg16741 = msg("14327", dup265); - -var msg16742 = msg("14328", dup265); - -var msg16743 = msg("14329", dup265); - -var msg16744 = msg("14330", dup265); - -var msg16745 = msg("14331", dup265); - -var msg16746 = msg("14332", dup265); - -var msg16747 = msg("14333", dup265); - -var msg16748 = msg("14334", dup265); - -var msg16749 = 
msg("14335", dup265); - -var msg16750 = msg("14336", dup265); - -var msg16751 = msg("14337", dup265); - -var msg16752 = msg("14338", dup265); - -var msg16753 = msg("14339", dup265); - -var msg16754 = msg("14340", dup265); - -var msg16755 = msg("14341", dup265); - -var msg16756 = msg("14342", dup265); - -var msg16757 = msg("14343", dup265); - -var msg16758 = msg("14344", dup265); - -var msg16759 = msg("14345", dup265); - -var msg16760 = msg("14346", dup265); - -var msg16761 = msg("14347", dup265); - -var msg16762 = msg("14348", dup265); - -var msg16763 = msg("14349", dup265); - -var msg16764 = msg("14350", dup265); - -var msg16765 = msg("14351", dup265); - -var msg16766 = msg("14352", dup265); - -var msg16767 = msg("14353", dup265); - -var msg16768 = msg("14354", dup265); - -var msg16769 = msg("14355", dup265); - -var msg16770 = msg("14356", dup265); - -var msg16771 = msg("14357", dup265); - -var msg16772 = msg("14358", dup265); - -var msg16773 = msg("14359", dup265); - -var msg16774 = msg("14360", dup265); - -var msg16775 = msg("14361", dup265); - -var msg16776 = msg("14362", dup265); - -var msg16777 = msg("14363", dup265); - -var msg16778 = msg("14364", dup265); - -var msg16779 = msg("14365", dup265); - -var msg16780 = msg("14366", dup265); - -var msg16781 = msg("14367", dup265); - -var msg16782 = msg("14368", dup265); - -var msg16783 = msg("14369", dup265); - -var msg16784 = msg("14370", dup265); - -var msg16785 = msg("14371", dup265); - -var msg16786 = msg("14372", dup265); - -var msg16787 = msg("14373", dup265); - -var msg16788 = msg("14374", dup265); - -var msg16789 = msg("14375", dup265); - -var msg16790 = msg("14376", dup265); - -var msg16791 = msg("14377", dup265); - -var msg16792 = msg("14378", dup265); - -var msg16793 = msg("14379", dup265); - -var msg16794 = msg("14380", dup265); - -var msg16795 = msg("14381", dup265); - -var msg16796 = msg("14382", dup265); - -var msg16797 = msg("14383", dup265); - -var msg16798 = msg("14384", dup265); - -var msg16799 = 
msg("14385", dup265); - -var msg16800 = msg("14386", dup265); - -var msg16801 = msg("14387", dup265); - -var msg16802 = msg("14388", dup265); - -var msg16803 = msg("14389", dup265); - -var msg16804 = msg("14390", dup265); - -var msg16805 = msg("14391", dup265); - -var msg16806 = msg("14392", dup265); - -var msg16807 = msg("14393", dup265); - -var msg16808 = msg("14394", dup265); - -var msg16809 = msg("14395", dup265); - -var msg16810 = msg("14396", dup265); - -var msg16811 = msg("14397", dup265); - -var msg16812 = msg("14398", dup265); - -var msg16813 = msg("14399", dup265); - -var msg16814 = msg("14400", dup265); - -var msg16815 = msg("14401", dup265); - -var msg16816 = msg("14402", dup265); - -var msg16817 = msg("14403", dup265); - -var msg16818 = msg("14404", dup265); - -var msg16819 = msg("14405", dup265); - -var msg16820 = msg("14406", dup265); - -var msg16821 = msg("14407", dup265); - -var msg16822 = msg("14408", dup265); - -var msg16823 = msg("14409", dup265); - -var msg16824 = msg("14410", dup265); - -var msg16825 = msg("14411", dup265); - -var msg16826 = msg("14412", dup265); - -var msg16827 = msg("14413", dup265); - -var msg16828 = msg("14414", dup265); - -var msg16829 = msg("14415", dup265); - -var msg16830 = msg("14416", dup265); - -var msg16831 = msg("14417", dup265); - -var msg16832 = msg("14418", dup265); - -var msg16833 = msg("14419", dup265); - -var msg16834 = msg("14420", dup265); - -var msg16835 = msg("14421", dup265); - -var msg16836 = msg("14422", dup265); - -var msg16837 = msg("14423", dup265); - -var msg16838 = msg("14424", dup265); - -var msg16839 = msg("14425", dup265); - -var msg16840 = msg("14426", dup265); - -var msg16841 = msg("14427", dup265); - -var msg16842 = msg("14428", dup265); - -var msg16843 = msg("14429", dup265); - -var msg16844 = msg("14430", dup265); - -var msg16845 = msg("14431", dup265); - -var msg16846 = msg("14432", dup265); - -var msg16847 = msg("14433", dup265); - -var msg16848 = msg("14434", dup265); - -var msg16849 = 
msg("14435", dup265); - -var msg16850 = msg("14436", dup265); - -var msg16851 = msg("14437", dup265); - -var msg16852 = msg("14438", dup265); - -var msg16853 = msg("14439", dup265); - -var msg16854 = msg("14440", dup265); - -var msg16855 = msg("14441", dup265); - -var msg16856 = msg("14442", dup265); - -var msg16857 = msg("14443", dup265); - -var msg16858 = msg("14444", dup265); - -var msg16859 = msg("14445", dup265); - -var msg16860 = msg("14446", dup265); - -var msg16861 = msg("14447", dup265); - -var msg16862 = msg("14448", dup265); - -var msg16863 = msg("14449", dup265); - -var msg16864 = msg("14450", dup265); - -var msg16865 = msg("14451", dup265); - -var msg16866 = msg("14452", dup265); - -var msg16867 = msg("14453", dup265); - -var msg16868 = msg("14454", dup265); - -var msg16869 = msg("14455", dup265); - -var msg16870 = msg("14456", dup265); - -var msg16871 = msg("14457", dup265); - -var msg16872 = msg("14458", dup265); - -var msg16873 = msg("14459", dup265); - -var msg16874 = msg("14460", dup265); - -var msg16875 = msg("14461", dup265); - -var msg16876 = msg("14462", dup265); - -var msg16877 = msg("14463", dup265); - -var msg16878 = msg("14464", dup265); - -var msg16879 = msg("14465", dup265); - -var msg16880 = msg("14466", dup265); - -var msg16881 = msg("14467", dup265); - -var msg16882 = msg("14468", dup265); - -var msg16883 = msg("14469", dup265); - -var msg16884 = msg("14470", dup265); - -var msg16885 = msg("14471", dup265); - -var msg16886 = msg("14472", dup265); - -var msg16887 = msg("14473", dup265); - -var msg16888 = msg("14474", dup265); - -var msg16889 = msg("14475", dup265); - -var msg16890 = msg("14476", dup265); - -var msg16891 = msg("14477", dup265); - -var msg16892 = msg("14478", dup265); - -var msg16893 = msg("14479", dup265); - -var msg16894 = msg("14480", dup265); - -var msg16895 = msg("14481", dup265); - -var msg16896 = msg("14482", dup265); - -var msg16897 = msg("14483", dup265); - -var msg16898 = msg("14484", dup265); - -var msg16899 = 
msg("14485", dup265); - -var msg16900 = msg("14486", dup265); - -var msg16901 = msg("14487", dup265); - -var msg16902 = msg("14488", dup265); - -var msg16903 = msg("14489", dup265); - -var msg16904 = msg("14490", dup265); - -var msg16905 = msg("14491", dup265); - -var msg16906 = msg("14492", dup265); - -var msg16907 = msg("14493", dup265); - -var msg16908 = msg("14494", dup265); - -var msg16909 = msg("14495", dup265); - -var msg16910 = msg("14496", dup265); - -var msg16911 = msg("14497", dup265); - -var msg16912 = msg("14498", dup265); - -var msg16913 = msg("14499", dup265); - -var msg16914 = msg("14500", dup265); - -var msg16915 = msg("14501", dup265); - -var msg16916 = msg("14502", dup265); - -var msg16917 = msg("14503", dup265); - -var msg16918 = msg("14504", dup265); - -var msg16919 = msg("14505", dup265); - -var msg16920 = msg("14506", dup265); - -var msg16921 = msg("14507", dup265); - -var msg16922 = msg("14508", dup265); - -var msg16923 = msg("14509", dup265); - -var msg16924 = msg("14510", dup265); - -var msg16925 = msg("14511", dup265); - -var msg16926 = msg("14512", dup265); - -var msg16927 = msg("14513", dup265); - -var msg16928 = msg("14514", dup265); - -var msg16929 = msg("14515", dup265); - -var msg16930 = msg("14516", dup265); - -var msg16931 = msg("14517", dup265); - -var msg16932 = msg("14518", dup265); - -var msg16933 = msg("14519", dup265); - -var msg16934 = msg("14520", dup265); - -var msg16935 = msg("14521", dup265); - -var msg16936 = msg("14522", dup265); - -var msg16937 = msg("14523", dup265); - -var msg16938 = msg("14524", dup265); - -var msg16939 = msg("14525", dup265); - -var msg16940 = msg("14526", dup265); - -var msg16941 = msg("14527", dup265); - -var msg16942 = msg("14528", dup265); - -var msg16943 = msg("14529", dup265); - -var msg16944 = msg("14530", dup265); - -var msg16945 = msg("14531", dup265); - -var msg16946 = msg("14532", dup265); - -var msg16947 = msg("14533", dup265); - -var msg16948 = msg("14534", dup265); - -var msg16949 = 
msg("14535", dup265); - -var msg16950 = msg("14536", dup265); - -var msg16951 = msg("14537", dup265); - -var msg16952 = msg("14538", dup265); - -var msg16953 = msg("14539", dup265); - -var msg16954 = msg("14540", dup265); - -var msg16955 = msg("14541", dup265); - -var msg16956 = msg("14542", dup265); - -var msg16957 = msg("14543", dup265); - -var msg16958 = msg("14544", dup265); - -var msg16959 = msg("14545", dup265); - -var msg16960 = msg("14546", dup265); - -var msg16961 = msg("14547", dup265); - -var msg16962 = msg("14548", dup265); - -var msg16963 = msg("14549", dup265); - -var msg16964 = msg("14550", dup265); - -var msg16965 = msg("14551", dup265); - -var msg16966 = msg("14552", dup265); - -var msg16967 = msg("14553", dup265); - -var msg16968 = msg("14554", dup265); - -var msg16969 = msg("14555", dup265); - -var msg16970 = msg("14556", dup265); - -var msg16971 = msg("14557", dup265); - -var msg16972 = msg("14558", dup265); - -var msg16973 = msg("14559", dup265); - -var msg16974 = msg("14560", dup265); - -var msg16975 = msg("14561", dup265); - -var msg16976 = msg("14562", dup265); - -var msg16977 = msg("14563", dup265); - -var msg16978 = msg("14564", dup265); - -var msg16979 = msg("14565", dup265); - -var msg16980 = msg("14566", dup265); - -var msg16981 = msg("14567", dup265); - -var msg16982 = msg("14568", dup265); - -var msg16983 = msg("14569", dup265); - -var msg16984 = msg("14570", dup265); - -var msg16985 = msg("14571", dup265); - -var msg16986 = msg("14572", dup265); - -var msg16987 = msg("14573", dup265); - -var msg16988 = msg("14574", dup265); - -var msg16989 = msg("14575", dup265); - -var msg16990 = msg("14576", dup265); - -var msg16991 = msg("14577", dup265); - -var msg16992 = msg("14578", dup265); - -var msg16993 = msg("14579", dup265); - -var msg16994 = msg("14580", dup265); - -var msg16995 = msg("14581", dup265); - -var msg16996 = msg("14582", dup265); - -var msg16997 = msg("14583", dup265); - -var msg16998 = msg("14584", dup265); - -var msg16999 = 
msg("14585", dup265); - -var msg17000 = msg("14586", dup265); - -var msg17001 = msg("14587", dup265); - -var msg17002 = msg("14588", dup265); - -var msg17003 = msg("14589", dup265); - -var msg17004 = msg("14590", dup265); - -var msg17005 = msg("14591", dup265); - -var msg17006 = msg("14592", dup265); - -var msg17007 = msg("14593", dup265); - -var msg17008 = msg("14594", dup265); - -var msg17009 = msg("14595", dup265); - -var msg17010 = msg("14596", dup265); - -var msg17011 = msg("14597", dup265); - -var msg17012 = msg("14598", dup265); - -var msg17013 = msg("14599", dup265); - -var msg17014 = msg("14600", dup222); - -var msg17015 = msg("14601", dup222); - -var msg17016 = msg("14602", dup222); - -var msg17017 = msg("14603", dup265); - -var msg17018 = msg("14604", dup265); - -var msg17019 = msg("14605", dup265); - -var msg17020 = msg("14606", dup265); - -var msg17021 = msg("14607", dup222); - -var msg17022 = msg("14608", dup197); - -var msg17023 = msg("14609", dup197); - -var msg17024 = msg("14610", dup265); - -var msg17025 = msg("14611", dup265); - -var msg17026 = msg("14612", dup265); - -var msg17027 = msg("14613", dup265); - -var msg17028 = msg("14614", dup265); - -var msg17029 = msg("14615", dup196); - -var msg17030 = msg("14616", dup201); - -var msg17031 = msg("14617", dup201); - -var msg17032 = msg("14618", dup201); - -var msg17033 = msg("14619", dup201); - -var msg17034 = msg("14620", dup201); - -var msg17035 = msg("14621", dup201); - -var msg17036 = msg("14622", dup201); - -var msg17037 = msg("14623", dup201); - -var msg17038 = msg("14624", dup201); - -var msg17039 = msg("14625", dup201); - -var msg17040 = msg("14626", dup201); - -var msg17041 = msg("14627", dup201); - -var msg17042 = msg("14628", dup265); - -var msg17043 = msg("14629", dup265); - -var msg17044 = msg("14630", dup265); - -var msg17045 = msg("14631", dup265); - -var msg17046 = msg("14632", dup265); - -var msg17047 = msg("14633", dup265); - -var msg17048 = msg("14634", dup265); - -var msg17049 = 
msg("14635", dup265); - -var msg17050 = msg("14636", dup265); - -var msg17051 = msg("14637", dup265); - -var msg17052 = msg("14638", dup265); - -var msg17053 = msg("14639", dup265); - -var msg17054 = msg("14640", dup265); - -var msg17055 = msg("14641", dup267); - -var msg17056 = msg("14642", dup196); - -var msg17057 = msg("14643", dup267); - -var msg17058 = msg("14644", dup196); - -var msg17059 = msg("14645", dup267); - -var msg17060 = msg("14646", dup198); - -var msg17061 = msg("14647", dup276); - -var msg17062 = msg("14648", dup276); - -var msg17063 = msg("14649", dup276); - -var msg17064 = msg("14650", dup276); - -var msg17065 = msg("14651", dup276); - -var msg17066 = msg("14652", dup276); - -var msg17067 = msg("14653", dup276); - -var msg17068 = msg("14654", dup276); - -var msg17069 = msg("14655", dup265); - -var msg17070 = msg("14656", dup265); - -var msg17071 = msg("14657", dup265); - -var msg17072 = msg("14661", dup276); - -var msg17073 = msg("14662", dup306); - -var msg17074 = msg("14663", dup306); - -var msg17075 = msg("14664", dup306); - -var msg17076 = msg("14665", dup306); - -var msg17077 = msg("14666", dup306); - -var msg17078 = msg("14667", dup306); - -var msg17079 = msg("14668", dup306); - -var msg17080 = msg("14669", dup306); - -var msg17081 = msg("14670", dup306); - -var msg17082 = msg("14671", dup306); - -var msg17083 = msg("14672", dup306); - -var msg17084 = msg("14673", dup306); - -var msg17085 = msg("14674", dup306); - -var msg17086 = msg("14675", dup306); - -var msg17087 = msg("14676", dup306); - -var msg17088 = msg("14677", dup306); - -var msg17089 = msg("14678", dup306); - -var msg17090 = msg("14679", dup306); - -var msg17091 = msg("14680", dup306); - -var msg17092 = msg("14681", dup306); - -var msg17093 = msg("14682", dup306); - -var msg17094 = msg("14683", dup306); - -var msg17095 = msg("14684", dup306); - -var msg17096 = msg("14685", dup306); - -var msg17097 = msg("14686", dup306); - -var msg17098 = msg("14687", dup306); - -var msg17099 = 
msg("14688", dup306); - -var msg17100 = msg("14689", dup306); - -var msg17101 = msg("14690", dup306); - -var msg17102 = msg("14691", dup306); - -var msg17103 = msg("14692", dup306); - -var msg17104 = msg("14693", dup306); - -var msg17105 = msg("14694", dup306); - -var msg17106 = msg("14695", dup306); - -var msg17107 = msg("14696", dup306); - -var msg17108 = msg("14697", dup306); - -var msg17109 = msg("14698", dup306); - -var msg17110 = msg("14699", dup306); - -var msg17111 = msg("14700", dup306); - -var msg17112 = msg("14701", dup306); - -var msg17113 = msg("14702", dup306); - -var msg17114 = msg("14703", dup306); - -var msg17115 = msg("14704", dup306); - -var msg17116 = msg("14705", dup306); - -var msg17117 = msg("14706", dup306); - -var msg17118 = msg("14707", dup306); - -var msg17119 = msg("14708", dup306); - -var msg17120 = msg("14709", dup276); - -var msg17121 = msg("14710", dup276); - -var msg17122 = msg("14711", dup276); - -var msg17123 = msg("14712", dup276); - -var msg17124 = msg("14713", dup276); - -var msg17125 = msg("14714", dup276); - -var msg17126 = msg("14715", dup276); - -var msg17127 = msg("14716", dup276); - -var msg17128 = msg("14717", dup276); - -var msg17129 = msg("14718", dup276); - -var msg17130 = msg("14719", dup276); - -var msg17131 = msg("14720", dup276); - -var msg17132 = msg("14721", dup276); - -var msg17133 = msg("14722", dup276); - -var msg17134 = msg("14723", dup276); - -var msg17135 = msg("14724", dup276); - -var msg17136 = msg("14725", dup201); - -var msg17137 = msg("14726", dup201); - -var msg17138 = msg("14727", dup307); - -var msg17139 = msg("14728", dup307); - -var msg17140 = msg("14729", dup307); - -var msg17141 = msg("14730", dup307); - -var msg17142 = msg("14731", dup307); - -var msg17143 = msg("14732", dup307); - -var msg17144 = msg("14733", dup307); - -var msg17145 = msg("14734", dup307); - -var msg17146 = msg("14735", dup307); - -var msg17147 = msg("14736", dup307); - -var msg17148 = msg("14737", dup276); - -var msg17149 = 
msg("14738", dup308); - -var msg17150 = msg("14739", dup308); - -var msg17151 = msg("14740", dup308); - -var msg17152 = msg("14741", dup273); - -var msg17153 = msg("14742", dup198); - -var msg17154 = msg("14743", dup227); - -var msg17155 = msg("14744", dup265); - -var msg17156 = msg("14745", dup265); - -var msg17157 = msg("14746", dup265); - -var msg17158 = msg("14747", dup265); - -var msg17159 = msg("14748", dup265); - -var msg17160 = msg("14749", dup265); - -var msg17161 = msg("14750", dup265); - -var msg17162 = msg("14751", dup265); - -var msg17163 = msg("14752", dup265); - -var msg17164 = msg("14753", dup265); - -var msg17165 = msg("14754", dup265); - -var msg17166 = msg("14755", dup265); - -var msg17167 = msg("14756", dup240); - -var msg17168 = msg("14757", dup240); - -var msg17169 = msg("14758", dup240); - -var msg17170 = msg("14759", dup240); - -var msg17171 = msg("14760", dup265); - -var msg17172 = msg("14761", dup265); - -var msg17173 = msg("14762", dup265); - -var msg17174 = msg("14763", dup265); - -var msg17175 = msg("14764", dup265); - -var msg17176 = msg("14765", dup265); - -var msg17177 = msg("14766", dup265); - -var msg17178 = msg("14767", dup265); - -var msg17179 = msg("14768", dup285); - -var msg17180 = msg("14769", dup222); - -var msg17181 = msg("14770", dup287); - -var msg17182 = msg("14771", dup197); - -var msg17183 = msg("14772", dup198); - -var msg17184 = msg("14773", dup222); - -var msg17185 = msg("14774", dup196); - -var msg17186 = msg("14775", dup196); - -var msg17187 = msg("14776", dup201); - -var msg17188 = msg("14777", dup196); - -var msg17189 = msg("14778", dup265); - -var msg17190 = msg("14779", dup265); - -var msg17191 = msg("14780", dup265); - -var msg17192 = msg("14781", dup265); - -var msg17193 = msg("14782", dup201); - -var msg17194 = msg("14783", dup201); - -var msg17195 = msg("14784", dup309); - -var msg17196 = msg("14785", dup309); - -var msg17197 = msg("14786", dup309); - -var msg17198 = msg("14787", dup309); - -var msg17199 = 
msg("14788", dup309); - -var msg17200 = msg("14789", dup309); - -var msg17201 = msg("14790", dup309); - -var msg17202 = msg("14791", dup309); - -var msg17203 = msg("14792", dup309); - -var msg17204 = msg("14793", dup309); - -var msg17205 = msg("14794", dup309); - -var msg17206 = msg("14795", dup309); - -var msg17207 = msg("14796", dup309); - -var msg17208 = msg("14797", dup309); - -var msg17209 = msg("14798", dup309); - -var msg17210 = msg("14799", dup309); - -var msg17211 = msg("14800", dup309); - -var msg17212 = msg("14801", dup309); - -var msg17213 = msg("14802", dup309); - -var msg17214 = msg("14803", dup309); - -var msg17215 = msg("14804", dup309); - -var msg17216 = msg("14805", dup309); - -var msg17217 = msg("14806", dup309); - -var msg17218 = msg("14807", dup309); - -var msg17219 = msg("14808", dup309); - -var msg17220 = msg("14809", dup309); - -var msg17221 = msg("14810", dup309); - -var msg17222 = msg("14811", dup309); - -var msg17223 = msg("14812", dup309); - -var msg17224 = msg("14813", dup309); - -var msg17225 = msg("14814", dup309); - -var msg17226 = msg("14815", dup309); - -var msg17227 = msg("14816", dup309); - -var msg17228 = msg("14817", dup197); - -var msg17229 = msg("14818", dup309); - -var msg17230 = msg("14819", dup309); - -var msg17231 = msg("14820", dup309); - -var msg17232 = msg("14821", dup309); - -var msg17233 = msg("14822", dup309); - -var msg17234 = msg("14823", dup309); - -var msg17235 = msg("14824", dup309); - -var msg17236 = msg("14825", dup309); - -var msg17237 = msg("14826", dup309); - -var msg17238 = msg("14827", dup309); - -var msg17239 = msg("14828", dup309); - -var msg17240 = msg("14829", dup309); - -var msg17241 = msg("14830", dup309); - -var msg17242 = msg("14831", dup309); - -var msg17243 = msg("14832", dup309); - -var msg17244 = msg("14833", dup309); - -var msg17245 = msg("14834", dup309); - -var msg17246 = msg("14835", dup309); - -var msg17247 = msg("14836", dup309); - -var msg17248 = msg("14837", dup309); - -var msg17249 = 
msg("14838", dup309); - -var msg17250 = msg("14839", dup309); - -var msg17251 = msg("14840", dup309); - -var msg17252 = msg("14841", dup309); - -var msg17253 = msg("14842", dup309); - -var msg17254 = msg("14843", dup309); - -var msg17255 = msg("14844", dup309); - -var msg17256 = msg("14845", dup309); - -var msg17257 = msg("14846", dup309); - -var msg17258 = msg("14847", dup309); - -var msg17259 = msg("14848", dup309); - -var msg17260 = msg("14849", dup309); - -var msg17261 = msg("14850", dup309); - -var msg17262 = msg("14851", dup309); - -var msg17263 = msg("14852", dup309); - -var msg17264 = msg("14853", dup309); - -var msg17265 = msg("14854", dup309); - -var msg17266 = msg("14855", dup309); - -var msg17267 = msg("14856", dup309); - -var msg17268 = msg("14857", dup309); - -var msg17269 = msg("14858", dup309); - -var msg17270 = msg("14859", dup309); - -var msg17271 = msg("14860", dup309); - -var msg17272 = msg("14861", dup309); - -var msg17273 = msg("14862", dup309); - -var msg17274 = msg("14863", dup309); - -var msg17275 = msg("14864", dup309); - -var msg17276 = msg("14865", dup309); - -var msg17277 = msg("14866", dup309); - -var msg17278 = msg("14867", dup309); - -var msg17279 = msg("14868", dup309); - -var msg17280 = msg("14869", dup309); - -var msg17281 = msg("14870", dup309); - -var msg17282 = msg("14871", dup309); - -var msg17283 = msg("14896", dup276); - -var msg17284 = msg("14897", dup265); - -var msg17285 = msg("14898", dup265); - -var msg17286 = msg("14899", dup276); - -var msg17287 = msg("14900", dup276); - -var msg17288 = msg("14986", dup196); - -var msg17289 = msg("14987", dup276); - -var msg17290 = msg("14988", dup276); - -var msg17291 = msg("14989", dup267); - -var msg17292 = msg("14990", dup267); - -var msg17293 = msg("14991", dup260); - -var msg17294 = msg("14992", dup267); - -var msg17295 = msg("14993", dup265); - -var msg17296 = msg("14994", dup265); - -var msg17297 = msg("14995", dup265); - -var msg17298 = msg("14996", dup265); - -var msg17299 = 
msg("14997", dup265); - -var msg17300 = msg("14998", dup265); - -var msg17301 = msg("14999", dup265); - -var msg17302 = msg("15000", dup265); - -var msg17303 = msg("15001", dup265); - -var msg17304 = msg("15002", dup265); - -var msg17305 = msg("15003", dup265); - -var msg17306 = msg("15004", dup265); - -var msg17307 = msg("15005", dup265); - -var msg17308 = msg("15006", dup265); - -var msg17309 = msg("15007", dup265); - -var msg17310 = msg("15008", dup265); - -var msg17311 = msg("15009", dup276); - -var msg17312 = msg("15010", dup222); - -var msg17313 = msg("15011", dup265); - -var msg17314 = msg("15012", dup265); - -var msg17315 = msg("15013", dup265); - -var msg17316 = msg("15014", dup267); - -var msg17317 = msg("15015", dup201); - -var msg17318 = msg("15016", dup307); - -var msg17319 = msg("15017", dup307); - -var msg17320 = msg("15018", dup307); - -var msg17321 = msg("15019", dup307); - -var msg17322 = msg("15020", dup307); - -var msg17323 = msg("15021", dup309); - -var msg17324 = msg("15022", dup309); - -var msg17325 = msg("15023", dup309); - -var msg17326 = msg("15024", dup309); - -var msg17327 = msg("15025", dup309); - -var msg17328 = msg("15026", dup309); - -var msg17329 = msg("15027", dup309); - -var msg17330 = msg("15028", dup309); - -var msg17331 = msg("15029", dup309); - -var msg17332 = msg("15030", dup309); - -var msg17333 = msg("15031", dup309); - -var msg17334 = msg("15032", dup309); - -var msg17335 = msg("15033", dup309); - -var msg17336 = msg("15034", dup309); - -var msg17337 = msg("15035", dup309); - -var msg17338 = msg("15036", dup309); - -var msg17339 = msg("15037", dup309); - -var msg17340 = msg("15038", dup309); - -var msg17341 = msg("15039", dup309); - -var msg17342 = msg("15040", dup309); - -var msg17343 = msg("15041", dup309); - -var msg17344 = msg("15042", dup309); - -var msg17345 = msg("15043", dup309); - -var msg17346 = msg("15044", dup309); - -var msg17347 = msg("15045", dup309); - -var msg17348 = msg("15046", dup309); - -var msg17349 = 
msg("15047", dup309); - -var msg17350 = msg("15048", dup309); - -var msg17351 = msg("15049", dup309); - -var msg17352 = msg("15050", dup309); - -var msg17353 = msg("15051", dup309); - -var msg17354 = msg("15052", dup309); - -var msg17355 = msg("15053", dup309); - -var msg17356 = msg("15054", dup309); - -var msg17357 = msg("15055", dup309); - -var msg17358 = msg("15056", dup309); - -var msg17359 = msg("15057", dup309); - -var msg17360 = msg("15058", dup309); - -var msg17361 = msg("15059", dup309); - -var msg17362 = msg("15060", dup309); - -var msg17363 = msg("15061", dup309); - -var msg17364 = msg("15062", dup309); - -var msg17365 = msg("15063", dup309); - -var msg17366 = msg("15064", dup309); - -var msg17367 = msg("15065", dup309); - -var msg17368 = msg("15066", dup309); - -var msg17369 = msg("15067", dup309); - -var msg17370 = msg("15068", dup309); - -var msg17371 = msg("15069", dup265); - -var msg17372 = msg("15070", dup265); - -var msg17373 = msg("15071", dup196); - -var msg17374 = msg("15072", dup196); - -var msg17375 = msg("15073", dup196); - -var msg17376 = msg("15074", dup196); - -var msg17377 = msg("15075", dup196); - -var msg17378 = msg("15076", dup197); - -var msg17379 = msg("15077", dup197); - -var msg17380 = msg("15078", dup222); - -var msg17381 = msg("15079", dup265); - -var msg17382 = msg("15080", dup222); - -var msg17383 = msg("15081", dup267); - -var msg17384 = msg("15082", dup222); - -var msg17385 = msg("15083", dup196); - -var msg17386 = msg("15084", dup265); - -var msg17387 = msg("15085", dup265); - -var msg17388 = msg("15086", dup265); - -var msg17389 = msg("15087", dup265); - -var msg17390 = msg("15088", dup265); - -var msg17391 = msg("15089", dup265); - -var msg17392 = msg("15090", dup265); - -var msg17393 = msg("15091", dup265); - -var msg17394 = msg("15092", dup265); - -var msg17395 = msg("15093", dup265); - -var msg17396 = msg("15094", dup265); - -var msg17397 = msg("15095", dup265); - -var msg17398 = msg("15096", dup265); - -var msg17399 = 
msg("15097", dup265); - -var msg17400 = msg("15098", dup265); - -var msg17401 = msg("15099", dup265); - -var msg17402 = msg("15100", dup265); - -var msg17403 = msg("15101", dup265); - -var msg17404 = msg("15102", dup265); - -var msg17405 = msg("15103", dup265); - -var msg17406 = msg("15104", dup267); - -var msg17407 = msg("15105", dup267); - -var msg17408 = msg("15106", dup267); - -var msg17409 = msg("15107", dup267); - -var msg17410 = msg("15108", dup267); - -var msg17411 = msg("15109", dup265); - -var msg17412 = msg("15110", dup265); - -var msg17413 = msg("15111", dup265); - -var msg17414 = msg("15112", dup265); - -var msg17415 = msg("15113", dup265); - -var msg17416 = msg("15114", dup267); - -var msg17417 = msg("15115", dup267); - -var msg17418 = msg("15116", dup265); - -var msg17419 = msg("15117", dup269); - -var msg17420 = msg("15118", dup265); - -var msg17421 = msg("15119", dup265); - -var msg17422 = msg("15120", dup265); - -var msg17423 = msg("15121", dup265); - -var msg17424 = msg("15122", dup265); - -var msg17425 = msg("15123", dup265); - -var msg17426 = msg("15124", dup276); - -var msg17427 = msg("15125", dup267); - -var msg17428 = msg("15126", dup265); - -var msg17429 = msg("15127", dup276); - -var msg17430 = msg("15128", dup276); - -var msg17431 = msg("15129", dup276); - -var msg17432 = msg("15130", dup276); - -var msg17433 = msg("15131", dup276); - -var msg17434 = msg("15132", dup276); - -var msg17435 = msg("15133", dup276); - -var msg17436 = msg("15134", dup276); - -var msg17437 = msg("15135", dup276); - -var msg17438 = msg("15136", dup276); - -var msg17439 = msg("15137", dup276); - -var msg17440 = msg("15138", dup276); - -var msg17441 = msg("15139", dup276); - -var msg17442 = msg("15140", dup276); - -var msg17443 = msg("15141", dup276); - -var msg17444 = msg("15142", dup276); - -var msg17445 = msg("15143", dup240); - -var msg17446 = msg("15144", dup240); - -var msg17447 = msg("15145", dup222); - -var msg17448 = msg("15146", dup222); - -var msg17449 = 
msg("15147", dup222); - -var msg17450 = msg("15148", dup198); - -var msg17451 = msg("15149", dup198); - -var msg17452 = msg("15150", dup285); - -var msg17453 = msg("15151", dup285); - -var msg17454 = msg("15152", dup285); - -var msg17455 = msg("15153", dup285); - -var msg17456 = msg("15154", dup285); - -var msg17457 = msg("15155", dup285); - -var msg17458 = msg("15156", dup285); - -var msg17459 = msg("15157", dup265); - -var msg17460 = msg("15158", dup265); - -var msg17461 = msg("15159", dup265); - -var msg17462 = msg("15160", dup265); - -var msg17463 = msg("15161", dup265); - -var msg17464 = msg("15162", dup265); - -var msg17465 = msg("15163", dup222); - -var msg17466 = msg("15164", dup196); - -var msg17467 = msg("15165", dup192); - -var msg17468 = msg("15166", dup267); - -var msg17469 = msg("15167", dup196); - -var msg17470 = msg("15168", dup196); - -var msg17471 = msg("15169", dup196); - -var msg17472 = msg("15170", dup196); - -var msg17473 = msg("15171", dup265); - -var msg17474 = msg("15172", dup196); - -var msg17475 = msg("15173", dup265); - -var msg17476 = msg("15174", dup265); - -var msg17477 = msg("15175", dup265); - -var msg17478 = msg("15176", dup265); - -var msg17479 = msg("15177", dup265); - -var msg17480 = msg("15178", dup265); - -var msg17481 = msg("15179", dup265); - -var msg17482 = msg("15180", dup265); - -var msg17483 = msg("15181", dup265); - -var msg17484 = msg("15182", dup265); - -var msg17485 = msg("15183", dup265); - -var msg17486 = msg("15184", dup265); - -var msg17487 = msg("15185", dup196); - -var msg17488 = msg("15186", dup201); - -var msg17489 = msg("15187", dup201); - -var msg17490 = msg("15188", dup201); - -var msg17491 = msg("15189", dup201); - -var msg17492 = msg("15190", dup267); - -var msg17493 = msg("15191", dup197); - -var msg17494 = msg("15192", dup265); - -var msg17495 = msg("15193", dup265); - -var msg17496 = msg("15194", dup265); - -var msg17497 = msg("15195", dup265); - -var msg17498 = msg("15196", dup276); - -var msg17499 = 
msg("15197", dup276); - -var msg17500 = msg("15198", dup276); - -var msg17501 = msg("15199", dup276); - -var msg17502 = msg("15200", dup276); - -var msg17503 = msg("15201", dup276); - -var msg17504 = msg("15202", dup276); - -var msg17505 = msg("15203", dup276); - -var msg17506 = msg("15204", dup276); - -var msg17507 = msg("15205", dup276); - -var msg17508 = msg("15206", dup276); - -var msg17509 = msg("15207", dup276); - -var msg17510 = msg("15208", dup276); - -var msg17511 = msg("15209", dup276); - -var msg17512 = msg("15210", dup276); - -var msg17513 = msg("15211", dup276); - -var msg17514 = msg("15212", dup276); - -var msg17515 = msg("15213", dup276); - -var msg17516 = msg("15214", dup276); - -var msg17517 = msg("15215", dup276); - -var msg17518 = msg("15216", dup276); - -var msg17519 = msg("15217", dup276); - -var msg17520 = msg("15218", dup276); - -var msg17521 = msg("15219", dup276); - -var msg17522 = msg("15220", dup276); - -var msg17523 = msg("15221", dup276); - -var msg17524 = msg("15222", dup276); - -var msg17525 = msg("15223", dup276); - -var msg17526 = msg("15224", dup276); - -var msg17527 = msg("15225", dup276); - -var msg17528 = msg("15226", dup276); - -var msg17529 = msg("15227", dup276); - -var msg17530 = msg("15228", dup265); - -var msg17531 = msg("15229", dup265); - -var msg17532 = msg("15230", dup265); - -var msg17533 = msg("15231", dup265); - -var msg17534 = msg("15232", dup265); - -var msg17535 = msg("15233", dup265); - -var msg17536 = msg("15234", dup265); - -var msg17537 = msg("15235", dup265); - -var msg17538 = msg("15236", dup267); - -var msg17539 = msg("15237", dup265); - -var msg17540 = msg("15238", dup196); - -var msg17541 = msg("15239", dup265); - -var msg17542 = msg("15240", dup265); - -var msg17543 = msg("15241", dup222); - -var msg17544 = msg("15242", dup267); - -var msg17545 = msg("15243", dup265); - -var msg17546 = msg("15244", dup265); - -var msg17547 = msg("15245", dup265); - -var msg17548 = msg("15246", dup265); - -var msg17549 = 
msg("15247", dup265); - -var msg17550 = msg("15248", dup265); - -var msg17551 = msg("15249", dup265); - -var msg17552 = msg("15250", dup265); - -var msg17553 = msg("15251", dup265); - -var msg17554 = msg("15252", dup265); - -var msg17555 = msg("15253", dup265); - -var msg17556 = msg("15254", dup265); - -var msg17557 = msg("15255", dup222); - -var msg17558 = msg("15256", dup196); - -var msg17559 = msg("15257", dup196); - -var msg17560 = msg("15258", dup196); - -var msg17561 = msg("15259", dup198); - -var msg17562 = msg("15260", dup198); - -var msg17563 = msg("15261", dup196); - -var msg17564 = msg("15262", dup196); - -var msg17565 = msg("15263", dup198); - -var msg17566 = msg("15264", dup267); - -var msg17567 = msg("15265", dup265); - -var msg17568 = msg("15266", dup265); - -var msg17569 = msg("15267", dup265); - -var msg17570 = msg("15268", dup265); - -var msg17571 = msg("15269", dup265); - -var msg17572 = msg("15270", dup265); - -var msg17573 = msg("15271", dup265); - -var msg17574 = msg("15272", dup265); - -var msg17575 = msg("15273", dup265); - -var msg17576 = msg("15274", dup265); - -var msg17577 = msg("15275", dup265); - -var msg17578 = msg("15276", dup265); - -var msg17579 = msg("15277", dup265); - -var msg17580 = msg("15278", dup265); - -var msg17581 = msg("15279", dup265); - -var msg17582 = msg("15280", dup265); - -var msg17583 = msg("15281", dup265); - -var msg17584 = msg("15282", dup265); - -var msg17585 = msg("15283", dup265); - -var msg17586 = msg("15284", dup265); - -var msg17587 = msg("15285", dup265); - -var msg17588 = msg("15286", dup265); - -var msg17589 = msg("15287", dup265); - -var msg17590 = msg("15288", dup265); - -var msg17591 = msg("15289", dup265); - -var msg17592 = msg("15290", dup265); - -var msg17593 = msg("15291", dup265); - -var msg17594 = msg("15292", dup196); - -var msg17595 = msg("15293", dup196); - -var msg17596 = msg("15294", dup265); - -var msg17597 = msg("15295", dup192); - -var msg17598 = msg("15296", dup192); - -var msg17599 = 
msg("15297", dup192); - -var msg17600 = msg("15298", dup267); - -var msg17601 = msg("15299", dup265); - -var msg17602 = msg("15300", dup267); - -var msg17603 = msg("15301", dup250); - -var msg17604 = msg("15302", dup198); - -var msg17605 = msg("15303", dup269); - -var msg17606 = msg("15304", dup265); - -var msg17607 = msg("15305", dup265); - -var msg17608 = msg("15306", dup267); - -var msg17609 = msg("15307", dup265); - -var msg17610 = msg("15308", dup265); - -var msg17611 = msg("15309", dup265); - -var msg17612 = msg("15310", dup265); - -var msg17613 = msg("15311", dup265); - -var msg17614 = msg("15312", dup265); - -var msg17615 = msg("15313", dup265); - -var msg17616 = msg("15314", dup265); - -var msg17617 = msg("15315", dup265); - -var msg17618 = msg("15316", dup265); - -var msg17619 = msg("15317", dup265); - -var msg17620 = msg("15318", dup265); - -var msg17621 = msg("15319", dup276); - -var msg17622 = msg("15320", dup276); - -var msg17623 = msg("15321", dup276); - -var msg17624 = msg("15322", dup276); - -var msg17625 = msg("15323", dup276); - -var msg17626 = msg("15324", dup276); - -var msg17627 = msg("15325", dup276); - -var msg17628 = msg("15326", dup276); - -var msg17629 = msg("15327", dup218); - -var msg17630 = msg("15328", dup267); - -var msg17631 = msg("15329", dup250); - -var msg17632 = msg("15330", dup265); - -var msg17633 = msg("15331", dup265); - -var msg17634 = msg("15332", dup265); - -var msg17635 = msg("15333", dup265); - -var msg17636 = msg("15334", dup265); - -var msg17637 = msg("15335", dup265); - -var msg17638 = msg("15336", dup265); - -var msg17639 = msg("15337", dup265); - -var msg17640 = msg("15338", dup265); - -var msg17641 = msg("15339", dup265); - -var msg17642 = msg("15340", dup265); - -var msg17643 = msg("15341", dup265); - -var msg17644 = msg("15342", dup265); - -var msg17645 = msg("15343", dup265); - -var msg17646 = msg("15344", dup265); - -var msg17647 = msg("15345", dup265); - -var msg17648 = msg("15346", dup197); - -var msg17649 = 
msg("15347", dup197); - -var msg17650 = msg("15348", dup197); - -var msg17651 = msg("15349", dup197); - -var msg17652 = msg("15350", dup265); - -var msg17653 = msg("15351", dup265); - -var msg17654 = msg("15352", dup265); - -var msg17655 = msg("15353", dup265); - -var msg17656 = msg("15354", dup250); - -var msg17657 = msg("15355", dup267); - -var msg17658 = msg("15356", dup250); - -var msg17659 = msg("15357", dup267); - -var msg17660 = msg("15358", dup250); - -var msg17661 = msg("15359", dup250); - -var msg17662 = msg("15360", dup250); - -var msg17663 = msg("15361", dup196); - -var msg17664 = msg("15362", dup196); - -var msg17665 = msg("15363", dup265); - -var msg17666 = msg("15364", dup222); - -var msg17667 = msg("15365", dup265); - -var all48 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - setc("eventcategory","1001030300"), - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var msg17668 = msg("15366", all48); - -var msg17669 = msg("15367", dup201); - -var msg17670 = msg("15368", dup265); - -var msg17671 = msg("15369", dup265); - -var msg17672 = msg("15370", dup265); - -var msg17673 = msg("15371", dup265); - -var msg17674 = msg("15372", dup265); - -var msg17675 = msg("15373", dup265); - -var msg17676 = msg("15374", dup265); - -var msg17677 = msg("15375", dup265); - -var msg17678 = msg("15376", dup265); - -var msg17679 = msg("15377", dup265); - -var msg17680 = msg("15378", dup265); - -var msg17681 = msg("15379", dup265); - -var msg17682 = msg("15380", dup265); - -var msg17683 = msg("15381", dup265); - -var msg17684 = msg("15382", dup222); - -var msg17685 = msg("15383", dup196); - -var msg17686 = msg("15384", dup265); - -var msg17687 = msg("15385", dup265); - -var msg17688 = msg("15386", dup196); - -var msg17689 = msg("15387", dup276); - -var msg17690 = msg("15388", dup222); - -var msg17691 = msg("15389", dup196); - 
-var msg17692 = msg("15390", dup196); - -var msg17693 = msg("15391", dup196); - -var msg17694 = msg("15392", dup196); - -var msg17695 = msg("15393", dup196); - -var msg17696 = msg("15394", dup196); - -var msg17697 = msg("15395", dup196); - -var msg17698 = msg("15396", dup196); - -var msg17699 = msg("15397", dup196); - -var msg17700 = msg("15398", dup196); - -var msg17701 = msg("15399", dup196); - -var msg17702 = msg("15400", dup196); - -var msg17703 = msg("15401", dup196); - -var msg17704 = msg("15402", dup196); - -var msg17705 = msg("15403", dup196); - -var msg17706 = msg("15404", dup196); - -var msg17707 = msg("15405", dup196); - -var msg17708 = msg("15406", dup196); - -var msg17709 = msg("15407", dup196); - -var msg17710 = msg("15408", dup196); - -var msg17711 = msg("15409", dup196); - -var msg17712 = msg("15410", dup196); - -var msg17713 = msg("15411", dup196); - -var msg17714 = msg("15412", dup222); - -var msg17715 = msg("15413", dup222); - -var msg17716 = msg("15414", dup196); - -var msg17717 = msg("15415", dup196); - -var msg17718 = msg("15416", dup196); - -var msg17719 = msg("15417", dup196); - -var msg17720 = msg("15418", dup196); - -var msg17721 = msg("15420", dup196); - -var msg17722 = msg("15421", dup196); - -var msg17723 = msg("15422", dup222); - -var msg17724 = msg("15423", dup263); - -var msg17725 = msg("15424", dup260); - -var msg17726 = msg("15425", dup260); - -var msg17727 = msg("15426", dup265); - -var msg17728 = msg("15427", dup265); - -var msg17729 = msg("15428", dup265); - -var msg17730 = msg("15429", dup196); - -var msg17731 = msg("15430", dup267); - -var msg17732 = msg("15431", dup222); - -var msg17733 = msg("15432", dup269); - -var msg17734 = msg("15433", dup267); - -var msg17735 = msg("15434", dup267); - -var msg17736 = msg("15435", dup198); - -var msg17737 = msg("15436", dup196); - -var msg17738 = msg("15437", dup196); - -var msg17739 = msg("15438", dup196); - -var msg17740 = msg("15439", dup196); - -var msg17741 = msg("15440", dup196); - 
-var msg17742 = msg("15441", dup196); - -var msg17743 = msg("15442", dup198); - -var msg17744 = msg("15443", dup198); - -var msg17745 = msg("15444", dup265); - -var msg17746 = msg("15445", dup287); - -var msg17747 = msg("15446", dup267); - -var msg17748 = msg("15447", dup265); - -var msg17749 = msg("15448", dup276); - -var msg17750 = msg("15449", dup196); - -var msg17751 = msg("15450", dup196); - -var msg17752 = msg("15451", dup196); - -var msg17753 = msg("15452", dup196); - -var msg17754 = msg("15453", dup276); - -var msg17755 = msg("15454", dup267); - -var msg17756 = msg("15455", dup222); - -var msg17757 = msg("15456", dup265); - -var msg17758 = msg("15457", dup269); - -var msg17759 = msg("15458", dup196); - -var msg17760 = msg("15459", dup196); - -var msg17761 = msg("15460", dup196); - -var msg17762 = msg("15461", dup196); - -var msg17763 = msg("15462", dup265); - -var msg17764 = msg("15463", dup265); - -var msg17765 = msg("15464", dup265); - -var msg17766 = msg("15465", dup267); - -var msg17767 = msg("15466", dup222); - -var msg17768 = msg("15467", dup222); - -var msg17769 = msg("15468", dup265); - -var msg17770 = msg("15469", dup265); - -var msg17771 = msg("15470", dup269); - -var msg17772 = msg("15471", dup196); - -var msg17773 = msg("15472", dup267); - -var msg17774 = msg("15473", dup267); - -var msg17775 = msg("15474", dup198); - -var msg17776 = msg("15475", dup265); - -var msg17777 = msg("15476", dup263); - -var msg17778 = msg("15477", dup222); - -var msg17779 = msg("15478", dup196); - -var msg17780 = msg("15479", dup222); - -var msg17781 = msg("15480", dup265); - -var msg17782 = msg("15481", dup196); - -var msg17783 = msg("15482", dup273); - -var msg17784 = msg("15483", dup265); - -var msg17785 = msg("15484", dup197); - -var msg17786 = msg("15485", dup197); - -var msg17787 = msg("15486", dup192); - -var msg17788 = msg("15487", dup196); - -var msg17789 = msg("15488", dup196); - -var msg17790 = msg("15489", dup222); - -var msg17791 = msg("15490", dup269); - 
-var msg17792 = msg("15491", dup222); - -var msg17793 = msg("15492", dup196); - -var msg17794 = msg("15493", dup196); - -var msg17795 = msg("15494", dup250); - -var msg17796 = msg("15495", dup250); - -var msg17797 = msg("15496", dup250); - -var msg17798 = msg("15497", dup250); - -var msg17799 = msg("15498", dup267); - -var msg17800 = msg("15499", dup267); - -var msg17801 = msg("15500", dup196); - -var msg17802 = msg("15501", dup265); - -var msg17803 = msg("15502", dup265); - -var msg17804 = msg("15503", dup196); - -var msg17805 = msg("15504", dup196); - -var msg17806 = msg("15505", dup265); - -var msg17807 = msg("15506", dup267); - -var msg17808 = msg("15507", dup201); - -var msg17809 = msg("15508", dup201); - -var msg17810 = msg("15509", dup198); - -var msg17811 = msg("15510", dup194); - -var msg17812 = msg("15511", dup222); - -var msg17813 = msg("15512", dup276); - -var msg17814 = msg("15513", dup276); - -var msg17815 = msg("15514", dup201); - -var msg17816 = msg("15515", dup260); - -var msg17817 = msg("15516", dup265); - -var msg17818 = msg("15517", dup267); - -var msg17819 = msg("15518", dup265); - -var msg17820 = msg("15519", dup267); - -var msg17821 = msg("15520", dup267); - -var msg17822 = msg("15521", dup267); - -var msg17823 = msg("15522", dup198); - -var msg17824 = msg("15523", dup222); - -var msg17825 = msg("15524", dup196); - -var msg17826 = msg("15525", dup196); - -var msg17827 = msg("15526", dup222); - -var msg17828 = msg("15527", dup198); - -var msg17829 = msg("15528", dup276); - -var msg17830 = msg("15529", dup265); - -var msg17831 = msg("15530", dup310); - -var msg17832 = msg("15531", dup267); - -var msg17833 = msg("15532", dup310); - -var msg17834 = msg("15533", dup310); - -var msg17835 = msg("15534", dup267); - -var msg17836 = msg("15535", dup267); - -var msg17837 = msg("15536", dup267); - -var msg17838 = msg("15537", dup267); - -var msg17839 = msg("15538", dup265); - -var msg17840 = msg("15539", dup267); - -var msg17841 = msg("15540", dup265); - 
-var msg17842 = msg("15541", dup267); - -var msg17843 = msg("15542", dup267); - -var msg17844 = msg("15543", dup265); - -var msg17845 = msg("15544", dup265); - -var msg17846 = msg("15545", dup265); - -var msg17847 = msg("15546", dup265); - -var msg17848 = msg("15547", dup265); - -var msg17849 = msg("15548", dup265); - -var msg17850 = msg("15549", dup265); - -var msg17851 = msg("15550", dup265); - -var msg17852 = msg("15551", dup265); - -var msg17853 = msg("15552", dup265); - -var msg17854 = msg("15553", dup263); - -var msg17855 = msg("15554", dup196); - -var msg17856 = msg("15555", dup222); - -var msg17857 = msg("15556", dup269); - -var msg17858 = msg("15557", dup265); - -var msg17859 = msg("15558", dup265); - -var msg17860 = msg("15559", dup201); - -var msg17861 = msg("15560", dup196); - -var msg17862 = msg("15561", dup196); - -var msg17863 = msg("15562", dup265); - -var msg17864 = msg("15563", dup192); - -var msg17865 = msg("15564", dup192); - -var msg17866 = msg("15565", dup192); - -var msg17867 = msg("15566", dup303); - -var msg17868 = msg("15567", dup303); - -var msg17869 = msg("15568", dup196); - -var msg17870 = msg("15569", dup196); - -var msg17871 = msg("15570", dup196); - -var msg17872 = msg("15571", dup222); - -var msg17873 = msg("15572", dup198); - -var msg17874 = msg("15573", dup222); - -var msg17875 = msg("15574", dup222); - -var msg17876 = msg("15575", dup196); - -var msg17877 = msg("15576", dup196); - -var msg17878 = msg("15577", dup196); - -var msg17879 = msg("15578", dup198); - -var msg17880 = msg("15579", dup198); - -var msg17881 = msg("15580", dup196); - -var msg17882 = msg("15581", dup198); - -var msg17883 = msg("15582", dup265); - -var msg17884 = msg("15583", dup194); - -var msg17885 = msg("15584", dup260); - -var msg17886 = msg("15585", dup265); - -var msg17887 = msg("15586", dup265); - -var msg17888 = msg("15587", dup265); - -var msg17889 = msg("15588", dup265); - -var msg17890 = msg("15589", dup265); - -var msg17891 = msg("15590", dup265); - 
-var msg17892 = msg("15591", dup265); - -var msg17893 = msg("15592", dup265); - -var msg17894 = msg("15593", dup265); - -var msg17895 = msg("15594", dup265); - -var msg17896 = msg("15595", dup265); - -var msg17897 = msg("15596", dup265); - -var msg17898 = msg("15597", dup265); - -var msg17899 = msg("15598", dup265); - -var msg17900 = msg("15599", dup265); - -var msg17901 = msg("15600", dup265); - -var msg17902 = msg("15601", dup265); - -var msg17903 = msg("15602", dup265); - -var msg17904 = msg("15603", dup265); - -var msg17905 = msg("15604", dup265); - -var msg17906 = msg("15605", dup265); - -var msg17907 = msg("15606", dup265); - -var msg17908 = msg("15607", dup265); - -var msg17909 = msg("15608", dup265); - -var msg17910 = msg("15609", dup265); - -var msg17911 = msg("15610", dup265); - -var msg17912 = msg("15611", dup265); - -var msg17913 = msg("15612", dup265); - -var msg17914 = msg("15613", dup265); - -var msg17915 = msg("15614", dup265); - -var msg17916 = msg("15615", dup265); - -var msg17917 = msg("15616", dup265); - -var msg17918 = msg("15617", dup265); - -var msg17919 = msg("15618", dup265); - -var msg17920 = msg("15619", dup265); - -var msg17921 = msg("15620", dup265); - -var msg17922 = msg("15621", dup265); - -var msg17923 = msg("15622", dup265); - -var msg17924 = msg("15623", dup265); - -var msg17925 = msg("15624", dup265); - -var msg17926 = msg("15625", dup265); - -var msg17927 = msg("15626", dup265); - -var msg17928 = msg("15627", dup265); - -var msg17929 = msg("15628", dup265); - -var msg17930 = msg("15629", dup265); - -var msg17931 = msg("15630", dup265); - -var msg17932 = msg("15631", dup265); - -var msg17933 = msg("15632", dup265); - -var msg17934 = msg("15633", dup265); - -var msg17935 = msg("15634", dup265); - -var msg17936 = msg("15635", dup265); - -var msg17937 = msg("15636", dup265); - -var msg17938 = msg("15637", dup265); - -var msg17939 = msg("15638", dup265); - -var msg17940 = msg("15639", dup265); - -var msg17941 = msg("15640", dup265); - 
-var msg17942 = msg("15641", dup265); - -var msg17943 = msg("15642", dup265); - -var msg17944 = msg("15643", dup265); - -var msg17945 = msg("15644", dup265); - -var msg17946 = msg("15645", dup265); - -var msg17947 = msg("15646", dup265); - -var msg17948 = msg("15647", dup265); - -var msg17949 = msg("15648", dup265); - -var msg17950 = msg("15649", dup265); - -var msg17951 = msg("15650", dup265); - -var msg17952 = msg("15651", dup265); - -var msg17953 = msg("15652", dup265); - -var msg17954 = msg("15653", dup265); - -var msg17955 = msg("15654", dup265); - -var msg17956 = msg("15655", dup265); - -var msg17957 = msg("15656", dup265); - -var msg17958 = msg("15657", dup265); - -var msg17959 = msg("15658", dup265); - -var msg17960 = msg("15659", dup265); - -var msg17961 = msg("15660", dup265); - -var msg17962 = msg("15661", dup265); - -var msg17963 = msg("15662", dup265); - -var msg17964 = msg("15663", dup265); - -var msg17965 = msg("15664", dup265); - -var msg17966 = msg("15665", dup265); - -var msg17967 = msg("15666", dup265); - -var msg17968 = msg("15667", dup265); - -var msg17969 = msg("15668", dup265); - -var msg17970 = msg("15669", dup265); - -var msg17971 = msg("15670", dup265); - -var msg17972 = msg("15671", dup265); - -var msg17973 = msg("15672", dup265); - -var msg17974 = msg("15673", dup265); - -var msg17975 = msg("15674", dup265); - -var msg17976 = msg("15675", dup265); - -var msg17977 = msg("15676", dup265); - -var msg17978 = msg("15677", dup265); - -var msg17979 = msg("15678", dup196); - -var msg17980 = msg("15679", dup196); - -var msg17981 = msg("15680", dup196); - -var msg17982 = msg("15681", dup269); - -var msg17983 = msg("15682", dup265); - -var msg17984 = msg("15683", dup285); - -var msg17985 = msg("15684", dup196); - -var msg17986 = msg("15685", dup265); - -var msg17987 = msg("15686", dup265); - -var msg17988 = msg("15687", dup265); - -var msg17989 = msg("15688", dup265); - -var msg17990 = msg("15689", dup265); - -var msg17991 = msg("15690", dup265); - 
-var msg17992 = msg("15691", dup265); - -var msg17993 = msg("15692", dup265); - -var msg17994 = msg("15693", dup267); - -var msg17995 = msg("15694", dup267); - -var msg17996 = msg("15695", dup267); - -var msg17997 = msg("15696", dup287); - -var msg17998 = msg("15697", dup265); - -var msg17999 = msg("15698", dup265); - -var msg18000 = msg("15699", dup222); - -var msg18001 = msg("15700", dup222); - -var msg18002 = msg("15701", dup285); - -var msg18003 = msg("15702", dup201); - -var msg18004 = msg("15703", dup267); - -var msg18005 = msg("15704", dup267); - -var msg18006 = msg("15705", dup267); - -var msg18007 = msg("15706", dup267); - -var msg18008 = msg("15707", dup267); - -var msg18009 = msg("15708", dup222); - -var msg18010 = msg("15709", dup267); - -var msg18011 = msg("15710", dup276); - -var msg18012 = msg("15711", dup222); - -var msg18013 = msg("15712", dup196); - -var msg18014 = msg("15713", dup196); - -var msg18015 = msg("15714", dup196); - -var msg18016 = msg("15715", dup197); - -var msg18017 = msg("15716", dup196); - -var msg18018 = msg("15717", dup196); - -var msg18019 = msg("15718", dup196); - -var msg18020 = msg("15719", dup196); - -var msg18021 = msg("15720", dup196); - -var msg18022 = msg("15721", dup196); - -var msg18023 = msg("15722", dup201); - -var msg18024 = msg("15723", dup260); - -var msg18025 = msg("15724", dup260); - -var msg18026 = msg("15725", dup260); - -var msg18027 = msg("15726", dup222); - -var msg18028 = msg("15727", dup196); - -var msg18029 = msg("15728", dup287); - -var msg18030 = msg("15729", dup287); - -var msg18031 = msg("15730", dup192); - -var msg18032 = msg("15731", dup269); - -var msg18033 = msg("15732", dup196); - -var msg18034 = msg("15733", dup196); - -var msg18035 = msg("15734", dup198); - -var msg18036 = msg("15847", dup276); - -var msg18037 = msg("15848", dup196); - -var msg18038 = msg("15849", dup196); - -var msg18039 = msg("15850", dup196); - -var all49 = all_match({ - processors: [ - dup177, - dup116, - dup173, - 
dup174, - ], - on_success: processor_chain([ - dup64, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var msg18040 = msg("15851", all49); - -var msg18041 = msg("15852", dup265); - -var msg18042 = msg("15853", dup265); - -var msg18043 = msg("15854", dup265); - -var msg18044 = msg("15855", dup265); - -var msg18045 = msg("15856", dup265); - -var msg18046 = msg("15857", dup196); - -var msg18047 = msg("15858", dup265); - -var msg18048 = msg("15859", dup265); - -var msg18049 = msg("15860", dup276); - -var msg18050 = msg("15861", dup265); - -var msg18051 = msg("15862", dup265); - -var msg18052 = msg("15863", dup265); - -var msg18053 = msg("15864", dup265); - -var msg18054 = msg("15865", dup265); - -var msg18055 = msg("15866", dup267); - -var msg18056 = msg("15867", dup265); - -var msg18057 = msg("15868", dup197); - -var msg18058 = msg("15869", dup267); - -var msg18059 = msg("15870", dup265); - -var msg18060 = msg("15871", dup265); - -var msg18061 = msg("15872", dup265); - -var msg18062 = msg("15873", dup196); - -var msg18063 = msg("15874", dup260); - -var msg18064 = msg("15875", dup260); - -var msg18065 = msg("15876", dup260); - -var msg18066 = msg("15877", dup260); - -var msg18067 = msg("15878", dup265); - -var msg18068 = msg("15879", dup265); - -var msg18069 = msg("15880", dup196); - -var msg18070 = msg("15881", dup276); - -var msg18071 = msg("15882", dup196); - -var msg18072 = msg("15883", dup222); - -var msg18073 = msg("15884", dup222); - -var msg18074 = msg("15885", dup222); - -var msg18075 = msg("15886", dup222); - -var msg18076 = msg("15887", dup222); - -var msg18077 = msg("15888", dup222); - -var msg18078 = msg("15889", dup222); - -var msg18079 = msg("15890", dup222); - -var msg18080 = msg("15891", dup222); - -var msg18081 = msg("15892", dup222); - -var msg18082 = msg("15893", dup196); - -var msg18083 = msg("15894", dup196); - -var msg18084 = msg("15895", dup222); - -var 
msg18085 = msg("15896", dup198); - -var msg18086 = msg("15897", dup267); - -var msg18087 = msg("15898", dup265); - -var msg18088 = msg("15899", dup265); - -var msg18089 = msg("15900", dup265); - -var msg18090 = msg("15901", dup222); - -var msg18091 = msg("15902", dup196); - -var msg18092 = msg("15903", dup196); - -var msg18093 = msg("15904", dup265); - -var msg18094 = msg("15905", dup265); - -var msg18095 = msg("15906", dup222); - -var msg18096 = msg("15907", dup222); - -var msg18097 = msg("15908", dup194); - -var msg18098 = msg("15909", dup265); - -var msg18099 = msg("15910", dup196); - -var msg18100 = msg("15911", dup276); - -var msg18101 = msg("15912", dup196); - -var msg18102 = msg("15913", dup265); - -var msg18103 = msg("15914", dup265); - -var msg18104 = msg("15915", dup265); - -var msg18105 = msg("15916", dup265); - -var msg18106 = msg("15917", dup297); - -var msg18107 = msg("15918", dup265); - -var msg18108 = msg("15919", dup265); - -var msg18109 = msg("15920", dup265); - -var msg18110 = msg("15921", dup265); - -var msg18111 = msg("15922", dup265); - -var msg18112 = msg("15923", dup265); - -var msg18113 = msg("15924", dup265); - -var msg18114 = msg("15925", dup265); - -var msg18115 = msg("15926", dup265); - -var msg18116 = msg("15927", dup265); - -var msg18117 = msg("15928", dup265); - -var msg18118 = msg("15929", dup265); - -var msg18119 = msg("15930", dup198); - -var msg18120 = msg("15931", dup196); - -var msg18121 = msg("15932", dup198); - -var msg18122 = msg("15933", dup265); - -var msg18123 = msg("15934", dup196); - -var msg18124 = msg("15935", dup196); - -var msg18125 = msg("15936", dup196); - -var msg18126 = msg("15937", dup197); - -var msg18127 = msg("15938", dup192); - -var msg18128 = msg("15939", dup196); - -var msg18129 = msg("15940", dup201); - -var msg18130 = msg("15941", dup198); - -var msg18131 = msg("15942", dup201); - -var msg18132 = msg("15943", dup201); - -var msg18133 = msg("15944", dup198); - -var msg18134 = msg("15945", dup265); - -var 
msg18135 = msg("15946", dup267); - -var msg18136 = msg("15947", dup287); - -var msg18137 = msg("15948", dup222); - -var msg18138 = msg("15949", dup222); - -var msg18139 = msg("15950", dup222); - -var msg18140 = msg("15951", dup260); - -var msg18141 = msg("15952", dup269); - -var msg18142 = msg("15953", dup265); - -var msg18143 = msg("15954", dup198); - -var msg18144 = msg("15955", dup196); - -var msg18145 = msg("15956", dup265); - -var msg18146 = msg("15957", dup198); - -var msg18147 = msg("15958", dup267); - -var msg18148 = msg("15959", dup198); - -var msg18149 = msg("15960", dup198); - -var msg18150 = msg("15961", dup196); - -var msg18151 = msg("15962", dup222); - -var msg18152 = msg("15963", dup218); - -var msg18153 = msg("15964", dup196); - -var msg18154 = msg("15965", dup222); - -var msg18155 = msg("15966", dup194); - -var msg18156 = msg("15967", dup222); - -var msg18157 = msg("15968", dup201); - -var msg18158 = msg("15969", dup198); - -var msg18159 = msg("15970", dup222); - -var msg18160 = msg("15971", dup196); - -var msg18161 = msg("15972", dup196); - -var msg18162 = msg("15973", dup222); - -var msg18163 = msg("15974", dup197); - -var msg18164 = msg("15975", dup267); - -var msg18165 = msg("15976", dup267); - -var msg18166 = msg("15977", dup201); - -var msg18167 = msg("15978", dup267); - -var msg18168 = msg("15979", dup222); - -var msg18169 = msg("15980", dup265); - -var msg18170 = msg("15981", dup198); - -var msg18171 = msg("15982", dup198); - -var msg18172 = msg("15983", dup196); - -var msg18173 = msg("15984", dup198); - -var msg18174 = msg("15985", dup196); - -var msg18175 = msg("15986", dup222); - -var msg18176 = msg("15987", dup265); - -var msg18177 = msg("15988", dup196); - -var msg18178 = msg("15989", dup198); - -var msg18179 = msg("15990", dup265); - -var msg18180 = msg("15991", dup198); - -var msg18181 = msg("15992", dup194); - -var msg18182 = msg("15993", dup201); - -var msg18183 = msg("15994", dup198); - -var msg18184 = msg("15995", dup269); - -var 
msg18185 = msg("15996", dup222); - -var msg18186 = msg("15997", dup196); - -var msg18187 = msg("15998", dup196); - -var msg18188 = msg("15999", dup287); - -var msg18189 = msg("16000", dup265); - -var msg18190 = msg("16001", dup196); - -var msg18191 = msg("16002", dup267); - -var msg18192 = msg("16003", dup267); - -var msg18193 = msg("16004", dup267); - -var msg18194 = msg("16005", dup201); - -var msg18195 = msg("16006", dup196); - -var msg18196 = msg("16007", dup196); - -var all50 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup62, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var msg18197 = msg("16008", all50); - -var msg18198 = msg("16009", dup222); - -var msg18199 = msg("16010", dup287); - -var msg18200 = msg("16011", dup196); - -var msg18201 = msg("16012", dup265); - -var msg18202 = msg("16013", dup196); - -var msg18203 = msg("16014", dup198); - -var msg18204 = msg("16015", dup222); - -var msg18205 = msg("16016", dup222); - -var msg18206 = msg("16017", dup222); - -var msg18207 = msg("16018", dup197); - -var msg18208 = msg("16019", dup222); - -var msg18209 = msg("16020", dup240); - -var msg18210 = msg("16021", dup265); - -var msg18211 = msg("16022", dup196); - -var msg18212 = msg("16023", dup196); - -var msg18213 = msg("16024", dup201); - -var msg18214 = msg("16025", dup222); - -var msg18215 = msg("16026", dup265); - -var msg18216 = msg("16027", dup267); - -var msg18217 = msg("16028", dup196); - -var msg18218 = msg("16029", dup197); - -var msg18219 = msg("16030", dup197); - -var msg18220 = msg("16031", dup265); - -var msg18221 = msg("16032", dup265); - -var msg18222 = msg("16033", dup196); - -var msg18223 = msg("16034", dup222); - -var msg18224 = msg("16035", dup196); - -var msg18225 = msg("16036", dup196); - -var msg18226 = msg("16037", dup222); - -var msg18227 = msg("16038", dup201); - -var 
msg18228 = msg("16039", dup198); - -var msg18229 = msg("16040", dup196); - -var msg18230 = msg("16041", dup222); - -var msg18231 = msg("16042", dup287); - -var msg18232 = msg("16043", dup265); - -var msg18233 = msg("16044", dup267); - -var msg18234 = msg("16045", dup196); - -var msg18235 = msg("16046", dup196); - -var msg18236 = msg("16047", dup196); - -var msg18237 = msg("16048", dup265); - -var msg18238 = msg("16049", dup260); - -var msg18239 = msg("16050", dup265); - -var msg18240 = msg("16051", dup196); - -var msg18241 = msg("16052", dup198); - -var msg18242 = msg("16053", dup267); - -var msg18243 = msg("16054", dup197); - -var msg18244 = msg("16055", dup222); - -var msg18245 = msg("16056", dup285); - -var msg18246 = msg("16057", dup222); - -var msg18247 = msg("16058", dup222); - -var msg18248 = msg("16059", dup196); - -var msg18249 = msg("16060", dup196); - -var msg18250 = msg("16061", dup196); - -var msg18251 = msg("16062", dup222); - -var msg18252 = msg("16063", dup267); - -var msg18253 = msg("16064", dup196); - -var msg18254 = msg("16065", dup196); - -var msg18255 = msg("16066", dup198); - -var msg18256 = msg("16067", dup196); - -var msg18257 = msg("16068", dup196); - -var msg18258 = msg("16069", dup222); - -var msg18259 = msg("16070", dup222); - -var msg18260 = msg("16071", dup198); - -var msg18261 = msg("16072", dup222); - -var msg18262 = msg("16073", dup197); - -var msg18263 = msg("16074", dup196); - -var msg18264 = msg("16075", dup196); - -var msg18265 = msg("16076", dup201); - -var msg18266 = msg("16077", dup201); - -var msg18267 = msg("16078", dup196); - -var msg18268 = msg("16079", dup267); - -var msg18269 = msg("16080", dup196); - -var msg18270 = msg("16081", dup201); - -var msg18271 = msg("16082", dup252); - -var msg18272 = msg("16083", dup287); - -var msg18273 = msg("16084", dup258); - -var msg18274 = msg("16085", dup201); - -var msg18275 = msg("16086", dup252); - -var msg18276 = msg("16087", dup263); - -var msg18277 = msg("16089", dup222); - -var 
msg18278 = msg("16090", dup267); - -var msg18279 = msg("16091", dup198); - -var msg18280 = msg("16092", dup192); - -var msg18281 = msg("16093", dup192); - -var msg18282 = msg("16094", dup192); - -var msg18283 = msg("16095", dup192); - -var msg18284 = msg("16096", dup192); - -var msg18285 = msg("16097", dup192); - -var msg18286 = msg("16098", dup192); - -var msg18287 = msg("16099", dup192); - -var msg18288 = msg("16100", dup192); - -var msg18289 = msg("16101", dup192); - -var msg18290 = msg("16102", dup192); - -var msg18291 = msg("16103", dup192); - -var msg18292 = msg("16104", dup192); - -var msg18293 = msg("16105", dup192); - -var msg18294 = msg("16106", dup192); - -var msg18295 = msg("16107", dup192); - -var msg18296 = msg("16108", dup192); - -var msg18297 = msg("16109", dup192); - -var msg18298 = msg("16110", dup192); - -var msg18299 = msg("16111", dup192); - -var msg18300 = msg("16112", dup192); - -var msg18301 = msg("16113", dup192); - -var msg18302 = msg("16114", dup303); - -var msg18303 = msg("16115", dup303); - -var msg18304 = msg("16116", dup303); - -var msg18305 = msg("16117", dup303); - -var msg18306 = msg("16118", dup303); - -var msg18307 = msg("16119", dup303); - -var msg18308 = msg("16120", dup303); - -var msg18309 = msg("16121", dup303); - -var msg18310 = msg("16122", dup303); - -var msg18311 = msg("16123", dup303); - -var msg18312 = msg("16124", dup192); - -var msg18313 = msg("16125", dup303); - -var msg18314 = msg("16126", dup303); - -var msg18315 = msg("16127", dup303); - -var msg18316 = msg("16128", dup303); - -var msg18317 = msg("16129", dup303); - -var msg18318 = msg("16130", dup303); - -var msg18319 = msg("16131", dup192); - -var msg18320 = msg("16132", dup303); - -var msg18321 = msg("16133", dup303); - -var msg18322 = msg("16134", dup303); - -var msg18323 = msg("16135", dup303); - -var msg18324 = msg("16136", dup303); - -var msg18325 = msg("16137", dup303); - -var msg18326 = msg("16138", dup303); - -var msg18327 = msg("16139", dup192); - -var 
msg18328 = msg("16140", dup192); - -var msg18329 = msg("16141", dup192); - -var msg18330 = msg("16142", dup196); - -var msg18331 = msg("16143", dup196); - -var msg18332 = msg("16144", dup196); - -var msg18333 = msg("16145", dup222); - -var msg18334 = msg("16146", dup311); - -var msg18335 = msg("16147", dup198); - -var msg18336 = msg("16148", dup196); - -var msg18337 = msg("16149", dup196); - -var msg18338 = msg("16150", dup196); - -var msg18339 = msg("16151", dup265); - -var msg18340 = msg("16152", dup196); - -var msg18341 = msg("16153", dup196); - -var msg18342 = msg("16154", dup196); - -var msg18343 = msg("16155", dup196); - -var msg18344 = msg("16156", dup196); - -var msg18345 = msg("16157", dup196); - -var msg18346 = msg("16158", dup196); - -var msg18347 = msg("16159", dup240); - -var msg18348 = msg("16160", dup240); - -var msg18349 = msg("16161", dup240); - -var msg18350 = msg("16162", dup240); - -var msg18351 = msg("16163", dup240); - -var msg18352 = msg("16164", dup240); - -var msg18353 = msg("16165", dup240); - -var msg18354 = msg("16166", dup240); - -var msg18355 = msg("16167", dup240); - -var msg18356 = msg("16168", dup198); - -var msg18357 = msg("16169", dup265); - -var msg18358 = msg("16170", dup267); - -var msg18359 = msg("16171", dup267); - -var msg18360 = msg("16172", dup196); - -var msg18361 = msg("16173", dup196); - -var msg18362 = msg("16174", dup196); - -var msg18363 = msg("16175", dup198); - -var msg18364 = msg("16176", dup196); - -var msg18365 = msg("16177", dup196); - -var msg18366 = msg("16178", dup196); - -var msg18367 = msg("16179", dup287); - -var msg18368 = msg("16180", dup265); - -var msg18369 = msg("16181", dup267); - -var msg18370 = msg("16182", dup196); - -var msg18371 = msg("16183", dup196); - -var msg18372 = msg("16184", dup222); - -var msg18373 = msg("16185", dup196); - -var msg18374 = msg("16186", dup267); - -var msg18375 = msg("16187", dup269); - -var msg18376 = msg("16188", dup265); - -var msg18377 = msg("16189", dup260); - -var 
msg18378 = msg("16190", dup196); - -var msg18379 = msg("16191", dup285); - -var msg18380 = msg("16192", dup285); - -var msg18381 = msg("16193", dup222); - -var msg18382 = msg("16194", dup267); - -var msg18383 = msg("16195", dup267); - -var msg18384 = msg("16196", dup273); - -var msg18385 = msg("16197", dup198); - -var msg18386 = msg("16198", dup260); - -var msg18387 = msg("16199", dup198); - -var msg18388 = msg("16200", dup196); - -var msg18389 = msg("16201", dup201); - -var msg18390 = msg("16202", dup198); - -var msg18391 = msg("16203", dup198); - -var msg18392 = msg("16204", dup267); - -var msg18393 = msg("16205", dup265); - -var msg18394 = msg("16206", dup196); - -var msg18395 = msg("16207", dup267); - -var msg18396 = msg("16208", dup260); - -var msg18397 = msg("16209", dup198); - -var msg18398 = msg("16210", dup198); - -var msg18399 = msg("16211", dup198); - -var msg18400 = msg("16212", dup198); - -var msg18401 = msg("16213", dup267); - -var msg18402 = msg("16214", dup198); - -var msg18403 = msg("16215", dup287); - -var msg18404 = msg("16216", dup265); - -var msg18405 = msg("16217", dup197); - -var msg18406 = msg("16218", dup265); - -var msg18407 = msg("16219", dup196); - -var msg18408 = msg("16220", dup265); - -var msg18409 = msg("16221", dup198); - -var msg18410 = msg("16222", dup269); - -var msg18411 = msg("16223", dup265); - -var msg18412 = msg("16224", dup265); - -var msg18413 = msg("16225", dup196); - -var msg18414 = msg("16226", dup196); - -var msg18415 = msg("16227", dup265); - -var msg18416 = msg("16228", dup269); - -var msg18417 = msg("16229", dup265); - -var msg18418 = msg("16230", dup265); - -var msg18419 = msg("16231", dup267); - -var msg18420 = msg("16232", dup267); - -var msg18421 = msg("16233", dup267); - -var msg18422 = msg("16234", dup267); - -var msg18423 = msg("16235", dup196); - -var msg18424 = msg("16236", dup196); - -var msg18425 = msg("16237", dup198); - -var msg18426 = msg("16238", dup201); - -var msg18427 = msg("16239", dup201); - -var 
msg18428 = msg("16240", dup196); - -var msg18429 = msg("16241", dup267); - -var msg18430 = msg("16242", dup192); - -var msg18431 = msg("16243", dup192); - -var msg18432 = msg("16244", dup192); - -var msg18433 = msg("16245", dup192); - -var msg18434 = msg("16246", dup192); - -var msg18435 = msg("16247", dup192); - -var msg18436 = msg("16248", dup192); - -var msg18437 = msg("16249", dup192); - -var msg18438 = msg("16250", dup192); - -var msg18439 = msg("16251", dup192); - -var msg18440 = msg("16252", dup192); - -var msg18441 = msg("16253", dup192); - -var msg18442 = msg("16254", dup192); - -var msg18443 = msg("16255", dup192); - -var msg18444 = msg("16256", dup192); - -var msg18445 = msg("16257", dup192); - -var msg18446 = msg("16258", dup192); - -var msg18447 = msg("16259", dup192); - -var msg18448 = msg("16260", dup192); - -var msg18449 = msg("16261", dup192); - -var msg18450 = msg("16262", dup192); - -var msg18451 = msg("16263", dup192); - -var msg18452 = msg("16264", dup192); - -var msg18453 = msg("16265", dup192); - -var msg18454 = msg("16266", dup192); - -var msg18455 = msg("16267", dup192); - -var msg18456 = msg("16268", dup192); - -var msg18457 = msg("16269", dup192); - -var msg18458 = msg("16270", dup192); - -var msg18459 = msg("16271", dup192); - -var msg18460 = msg("16272", dup192); - -var msg18461 = msg("16273", dup192); - -var msg18462 = msg("16274", dup192); - -var msg18463 = msg("16275", dup192); - -var msg18464 = msg("16276", dup303); - -var msg18465 = msg("16277", dup303); - -var msg18466 = msg("16278", dup303); - -var msg18467 = msg("16279", dup192); - -var msg18468 = msg("16280", dup192); - -var msg18469 = msg("16281", dup196); - -var msg18470 = msg("16282", dup196); - -var msg18471 = msg("16283", dup267); - -var msg18472 = msg("16284", dup196); - -var msg18473 = msg("16285", dup222); - -var msg18474 = msg("16286", dup265); - -var msg18475 = msg("16287", dup198); - -var msg18476 = msg("16288", dup222); - -var msg18477 = msg("16289", dup192); - -var 
msg18478 = msg("16290", dup260); - -var msg18479 = msg("16291", dup267); - -var msg18480 = msg("16292", dup222); - -var msg18481 = msg("16293", dup265); - -var msg18482 = msg("16294", dup201); - -var msg18483 = msg("16295", dup194); - -var msg18484 = msg("16296", dup194); - -var msg18485 = msg("16297", dup196); - -var msg18486 = msg("16298", dup196); - -var msg18487 = msg("16299", dup196); - -var msg18488 = msg("16300", dup265); - -var msg18489 = msg("16301", dup265); - -var msg18490 = msg("16302", dup196); - -var msg18491 = msg("16303", dup196); - -var msg18492 = msg("16304", dup196); - -var msg18493 = msg("16305", dup265); - -var msg18494 = msg("16306", dup265); - -var msg18495 = msg("16307", dup265); - -var msg18496 = msg("16308", dup265); - -var msg18497 = msg("16309", dup222); - -var msg18498 = msg("16310", dup269); - -var msg18499 = msg("16311", dup269); - -var msg18500 = msg("16312", dup269); - -var msg18501 = msg("16313", dup196); - -var msg18502 = msg("16314", dup222); - -var msg18503 = msg("16315", dup265); - -var msg18504 = msg("16316", dup265); - -var msg18505 = msg("16317", dup196); - -var msg18506 = msg("16318", dup265); - -var msg18507 = msg("16319", dup265); - -var msg18508 = msg("16320", dup267); - -var msg18509 = msg("16321", dup265); - -var msg18510 = msg("16322", dup265); - -var msg18511 = msg("16323", dup196); - -var msg18512 = msg("16324", dup265); - -var msg18513 = msg("16325", dup196); - -var msg18514 = msg("16326", dup196); - -var msg18515 = msg("16327", dup201); - -var msg18516 = msg("16328", dup196); - -var msg18517 = msg("16329", dup285); - -var msg18518 = msg("16330", dup265); - -var msg18519 = msg("16331", dup267); - -var msg18520 = msg("16332", dup269); - -var msg18521 = msg("16333", dup265); - -var msg18522 = msg("16334", dup196); - -var msg18523 = msg("16335", dup197); - -var msg18524 = msg("16336", dup267); - -var msg18525 = msg("16337", dup196); - -var msg18526 = msg("16338", dup265); - -var msg18527 = msg("16339", dup265); - -var 
msg18528 = msg("16340", dup196); - -var msg18529 = msg("16341", dup198); - -var msg18530 = msg("16342", dup265); - -var msg18531 = msg("16343", dup196); - -var msg18532 = msg("16344", dup287); - -var msg18533 = msg("16345", dup267); - -var msg18534 = msg("16346", dup267); - -var msg18535 = msg("16347", dup196); - -var msg18536 = msg("16348", dup198); - -var msg18537 = msg("16349", dup198); - -var msg18538 = msg("16350", dup198); - -var msg18539 = msg("16351", dup201); - -var all51 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - setc("eventcategory","1001020302"), - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var msg18540 = msg("16352", all51); - -var msg18541 = msg("16353", dup265); - -var msg18542 = msg("16354", dup197); - -var msg18543 = msg("16355", dup267); - -var msg18544 = msg("16356", dup201); - -var msg18545 = msg("16357", dup201); - -var msg18546 = msg("16358", dup192); - -var msg18547 = msg("16359", dup267); - -var msg18548 = msg("16360", dup265); - -var msg18549 = msg("16361", dup267); - -var msg18550 = msg("16362", dup196); - -var msg18551 = msg("16363", dup227); - -var msg18552 = msg("16364", dup198); - -var msg18553 = msg("16365", dup192); - -var msg18554 = msg("16366", dup222); - -var msg18555 = msg("16367", dup265); - -var msg18556 = msg("16368", dup196); - -var msg18557 = msg("16369", dup196); - -var msg18558 = msg("16370", dup265); - -var msg18559 = msg("16371", dup265); - -var msg18560 = msg("16372", dup265); - -var msg18561 = msg("16373", dup267); - -var msg18562 = msg("16374", dup196); - -var msg18563 = msg("16375", dup222); - -var msg18564 = msg("16376", dup196); - -var msg18565 = msg("16377", dup196); - -var msg18566 = msg("16378", dup267); - -var msg18567 = msg("16379", dup265); - -var msg18568 = msg("16380", dup265); - -var msg18569 = msg("16381", dup246); - -var msg18570 = msg("16382", 
dup265); - -var msg18571 = msg("16383", dup196); - -var msg18572 = msg("16384", dup198); - -var msg18573 = msg("16385", dup260); - -var msg18574 = msg("16386", dup265); - -var msg18575 = msg("16387", dup265); - -var msg18576 = msg("16388", dup265); - -var msg18577 = msg("16389", dup265); - -var msg18578 = msg("16390", dup196); - -var msg18579 = msg("16391", dup192); - -var msg18580 = msg("16392", dup273); - -var msg18581 = msg("16393", dup197); - -var msg18582 = msg("16394", dup198); - -var msg18583 = msg("16395", dup276); - -var msg18584 = msg("16396", dup276); - -var msg18585 = msg("16397", dup246); - -var msg18586 = msg("16398", dup246); - -var msg18587 = msg("16399", dup246); - -var msg18588 = msg("16400", dup246); - -var msg18589 = msg("16401", dup246); - -var msg18590 = msg("16402", dup246); - -var msg18591 = msg("16403", dup246); - -var msg18592 = msg("16404", dup246); - -var msg18593 = msg("16405", dup201); - -var msg18594 = msg("16406", dup265); - -var msg18595 = msg("16407", dup265); - -var msg18596 = msg("16408", dup198); - -var msg18597 = msg("16409", dup267); - -var msg18598 = msg("16410", dup265); - -var msg18599 = msg("16411", dup267); - -var msg18600 = msg("16412", dup267); - -var msg18601 = msg("16413", dup267); - -var msg18602 = msg("16414", dup267); - -var msg18603 = msg("16415", dup265); - -var msg18604 = msg("16416", dup196); - -var msg18605 = msg("16417", dup276); - -var msg18606 = msg("16418", dup276); - -var msg18607 = msg("16419", dup265); - -var msg18608 = msg("16420", dup265); - -var msg18609 = msg("16421", dup196); - -var msg18610 = msg("16422", dup196); - -var msg18611 = msg("16423", dup267); - -var msg18612 = msg("16424", dup265); - -var msg18613 = msg("16425", dup267); - -var msg18614 = msg("16426", dup267); - -var msg18615 = msg("16427", dup267); - -var msg18616 = msg("16428", dup222); - -var msg18617 = msg("16429", dup267); - -var msg18618 = msg("16430", dup267); - -var msg18619 = msg("16431", dup260); - -var msg18620 = msg("16432", 
dup265); - -var msg18621 = msg("16433", dup198); - -var msg18622 = msg("16434", dup196); - -var msg18623 = msg("16435", dup196); - -var msg18624 = msg("16436", dup196); - -var msg18625 = msg("16437", dup222); - -var msg18626 = msg("16438", dup269); - -var msg18627 = msg("16439", dup196); - -var msg18628 = msg("16440", dup196); - -var msg18629 = msg("16441", dup196); - -var msg18630 = msg("16442", dup196); - -var msg18631 = msg("16443", dup196); - -var msg18632 = msg("16444", dup196); - -var msg18633 = msg("16445", dup198); - -var msg18634 = msg("16446", dup287); - -var msg18635 = msg("16447", dup258); - -var msg18636 = msg("16448", dup201); - -var msg18637 = msg("16449", dup252); - -var msg18638 = msg("16450", dup260); - -var msg18639 = msg("16451", dup198); - -var msg18640 = msg("16452", dup265); - -var msg18641 = msg("16453", dup198); - -var msg18642 = msg("16454", dup198); - -var msg18643 = msg("16455", dup303); - -var msg18644 = msg("16456", dup303); - -var msg18645 = msg("16457", dup192); - -var msg18646 = msg("16458", dup267); - -var msg18647 = msg("16459", dup192); - -var msg18648 = msg("16460", dup297); - -var msg18649 = msg("16461", dup196); - -var msg18650 = msg("16462", dup196); - -var msg18651 = msg("16463", dup196); - -var msg18652 = msg("16464", dup267); - -var msg18653 = msg("16465", dup267); - -var msg18654 = msg("16466", dup196); - -var msg18655 = msg("16467", dup196); - -var msg18656 = msg("16468", dup196); - -var msg18657 = msg("16469", dup305); - -var msg18658 = msg("16470", dup267); - -var msg18659 = msg("16471", dup267); - -var msg18660 = msg("16472", dup267); - -var msg18661 = msg("16473", dup265); - -var msg18662 = msg("16474", dup196); - -var msg18663 = msg("16475", dup196); - -var msg18664 = msg("16476", dup265); - -var msg18665 = msg("16477", dup265); - -var msg18666 = msg("16478", dup265); - -var msg18667 = msg("16479", dup196); - -var msg18668 = msg("16480", dup196); - -var msg18669 = msg("16481", dup267); - -var msg18670 = msg("16482", 
dup310); - -var msg18671 = msg("16483", dup238); - -var msg18672 = msg("16484", dup196); - -var msg18673 = msg("16485", dup196); - -var msg18674 = msg("16486", dup192); - -var msg18675 = msg("16487", dup192); - -var msg18676 = msg("16488", dup192); - -var msg18677 = msg("16489", dup303); - -var msg18678 = msg("16490", dup196); - -var msg18679 = msg("16492", dup196); - -var msg18680 = msg("16493", dup196); - -var msg18681 = msg("16494", dup196); - -var msg18682 = msg("16495", dup196); - -var msg18683 = msg("16496", dup196); - -var msg18684 = msg("16497", dup196); - -var msg18685 = msg("16498", dup196); - -var msg18686 = msg("16499", dup196); - -var msg18687 = msg("16500", dup196); - -var msg18688 = msg("16501", dup196); - -var msg18689 = msg("16502", dup196); - -var msg18690 = msg("16503", dup267); - -var msg18691 = msg("16504", dup267); - -var msg18692 = msg("16505", dup267); - -var msg18693 = msg("16506", dup267); - -var msg18694 = msg("16507", dup267); - -var msg18695 = msg("16508", dup267); - -var msg18696 = msg("16509", dup267); - -var msg18697 = msg("16510", dup197); - -var msg18698 = msg("16511", dup197); - -var msg18699 = msg("16512", dup267); - -var msg18700 = msg("16513", dup196); - -var msg18701 = msg("16514", dup196); - -var msg18702 = msg("16515", dup196); - -var msg18703 = msg("16516", dup196); - -var msg18704 = msg("16517", dup196); - -var msg18705 = msg("16518", dup196); - -var msg18706 = msg("16519", dup196); - -var msg18707 = msg("16520", dup196); - -var msg18708 = msg("16521", dup196); - -var msg18709 = msg("16522", dup196); - -var msg18710 = msg("16523", dup196); - -var msg18711 = msg("16524", dup196); - -var msg18712 = msg("16525", dup196); - -var msg18713 = msg("16526", dup196); - -var msg18714 = msg("16527", dup196); - -var msg18715 = msg("16528", dup196); - -var msg18716 = msg("16529", dup196); - -var msg18717 = msg("16530", dup265); - -var msg18718 = msg("16531", dup276); - -var msg18719 = msg("16532", dup276); - -var msg18720 = msg("16533", 
dup267); - -var msg18721 = msg("16534", dup250); - -var msg18722 = msg("16535", dup267); - -var msg18723 = msg("16536", dup267); - -var msg18724 = msg("16537", dup267); - -var msg18725 = msg("16538", dup196); - -var msg18726 = msg("16539", dup197); - -var msg18727 = msg("16540", dup276); - -var msg18728 = msg("16541", dup197); - -var msg18729 = msg("16542", dup197); - -var msg18730 = msg("16543", dup267); - -var msg18731 = msg("16544", dup311); - -var msg18732 = msg("16545", dup267); - -var msg18733 = msg("16546", dup197); - -var msg18734 = msg("16547", dup196); - -var msg18735 = msg("16548", dup196); - -var msg18736 = msg("16549", dup196); - -var msg18737 = msg("16550", dup196); - -var msg18738 = msg("16551", dup196); - -var msg18739 = msg("16552", dup196); - -var msg18740 = msg("16553", dup267); - -var msg18741 = msg("16554", dup196); - -var msg18742 = msg("16555", dup196); - -var msg18743 = msg("16556", dup196); - -var msg18744 = msg("16557", dup196); - -var msg18745 = msg("16558", dup196); - -var msg18746 = msg("16559", dup309); - -var msg18747 = msg("16560", dup265); - -var msg18748 = msg("16561", dup267); - -var msg18749 = msg("16562", dup267); - -var msg18750 = msg("16563", dup267); - -var msg18751 = msg("16564", dup267); - -var msg18752 = msg("16565", dup265); - -var msg18753 = msg("16566", dup265); - -var msg18754 = msg("16567", dup265); - -var msg18755 = msg("16568", dup265); - -var msg18756 = msg("16569", dup265); - -var msg18757 = msg("16570", dup265); - -var msg18758 = msg("16571", dup265); - -var msg18759 = msg("16572", dup265); - -var msg18760 = msg("16573", dup196); - -var msg18761 = msg("16574", dup196); - -var msg18762 = msg("16575", dup222); - -var msg18763 = msg("16576", dup222); - -var msg18764 = msg("16577", dup276); - -var msg18765 = msg("16578", dup222); - -var msg18766 = msg("16579", dup222); - -var msg18767 = msg("16580", dup202); - -var msg18768 = msg("16581", dup202); - -var msg18769 = msg("16582", dup267); - -var msg18770 = msg("16583", 
dup267); - -var msg18771 = msg("16584", dup267); - -var msg18772 = msg("16585", dup267); - -var msg18773 = msg("16586", dup267); - -var msg18774 = msg("16587", dup201); - -var msg18775 = msg("16588", dup196); - -var msg18776 = msg("16589", dup222); - -var msg18777 = msg("16590", dup196); - -var msg18778 = msg("16591", dup196); - -var msg18779 = msg("16592", dup196); - -var msg18780 = msg("16593", dup267); - -var msg18781 = msg("16594", dup298); - -var msg18782 = msg("16595", dup267); - -var msg18783 = msg("16596", dup267); - -var msg18784 = msg("16597", dup222); - -var msg18785 = msg("16598", dup197); - -var msg18786 = msg("16599", dup222); - -var msg18787 = msg("16600", dup192); - -var msg18788 = msg("16601", dup267); - -var msg18789 = msg("16602", dup196); - -var msg18790 = msg("16603", dup197); - -var msg18791 = msg("16604", dup267); - -var msg18792 = msg("16605", dup267); - -var msg18793 = msg("16606", dup222); - -var msg18794 = msg("16607", dup196); - -var msg18795 = msg("16608", dup197); - -var msg18796 = msg("16609", dup197); - -var msg18797 = msg("16610", dup222); - -var msg18798 = msg("16611", dup267); - -var msg18799 = msg("16612", dup267); - -var msg18800 = msg("16613", dup192); - -var msg18801 = msg("16614", dup192); - -var msg18802 = msg("16615", dup192); - -var msg18803 = msg("16616", dup192); - -var msg18804 = msg("16617", dup192); - -var msg18805 = msg("16618", dup192); - -var msg18806 = msg("16619", dup192); - -var msg18807 = msg("16620", dup192); - -var msg18808 = msg("16621", dup192); - -var msg18809 = msg("16622", dup192); - -var msg18810 = msg("16623", dup192); - -var msg18811 = msg("16624", dup192); - -var msg18812 = msg("16625", dup192); - -var msg18813 = msg("16626", dup192); - -var msg18814 = msg("16627", dup192); - -var msg18815 = msg("16628", dup192); - -var msg18816 = msg("16629", dup196); - -var msg18817 = msg("16630", dup196); - -var msg18818 = msg("16631", dup196); - -var msg18819 = msg("16632", dup196); - -var msg18820 = msg("16633", 
dup267); - -var msg18821 = msg("16634", dup267); - -var msg18822 = msg("16635", dup265); - -var msg18823 = msg("16636", dup196); - -var msg18824 = msg("16637", dup196); - -var msg18825 = msg("16638", dup267); - -var msg18826 = msg("16639", dup267); - -var msg18827 = msg("16640", dup267); - -var msg18828 = msg("16641", dup267); - -var msg18829 = msg("16642", dup196); - -var msg18830 = msg("16643", dup267); - -var msg18831 = msg("16644", dup196); - -var msg18832 = msg("16645", dup196); - -var msg18833 = msg("16646", dup222); - -var msg18834 = msg("16647", dup267); - -var msg18835 = msg("16648", dup196); - -var msg18836 = msg("16649", dup267); - -var msg18837 = msg("16650", dup267); - -var msg18838 = msg("16651", dup267); - -var msg18839 = msg("16652", dup267); - -var msg18840 = msg("16653", dup267); - -var msg18841 = msg("16654", dup267); - -var msg18842 = msg("16655", dup267); - -var msg18843 = msg("16656", dup267); - -var msg18844 = msg("16657", dup267); - -var msg18845 = msg("16658", dup267); - -var msg18846 = msg("16659", dup196); - -var msg18847 = msg("16660", dup198); - -var msg18848 = msg("16661", dup196); - -var msg18849 = msg("16662", dup267); - -var msg18850 = msg("16663", dup267); - -var msg18851 = msg("16664", dup196); - -var msg18852 = msg("16665", dup265); - -var msg18853 = msg("16666", dup196); - -var msg18854 = msg("16667", dup196); - -var msg18855 = msg("16668", dup202); - -var msg18856 = msg("16669", dup303); - -var msg18857 = msg("16670", dup303); - -var msg18858 = msg("16671", dup267); - -var msg18859 = msg("16672", dup197); - -var msg18860 = msg("16673", dup267); - -var msg18861 = msg("16674", dup267); - -var msg18862 = msg("16675", dup196); - -var msg18863 = msg("16676", dup196); - -var msg18864 = msg("16677", dup196); - -var msg18865 = msg("16678", dup265); - -var msg18866 = msg("16679", dup201); - -var msg18867 = msg("16680", dup196); - -var msg18868 = msg("16681", dup267); - -var msg18869 = msg("16682", dup265); - -var msg18870 = msg("16683", 
dup267); - -var msg18871 = msg("16684", dup198); - -var msg18872 = msg("16685", dup222); - -var msg18873 = msg("16686", dup267); - -var msg18874 = msg("16687", dup201); - -var msg18875 = msg("16688", dup196); - -var msg18876 = msg("16689", dup265); - -var msg18877 = msg("16690", dup196); - -var msg18878 = msg("16691", dup265); - -var msg18879 = msg("16692", dup197); - -var msg18880 = msg("16693", dup303); - -var msg18881 = msg("16694", dup198); - -var msg18882 = msg("16695", dup303); - -var msg18883 = msg("16696", dup197); - -var msg18884 = msg("16697", dup198); - -var msg18885 = msg("16698", dup198); - -var msg18886 = msg("16699", dup257); - -var msg18887 = msg("16700", dup257); - -var msg18888 = msg("16701", dup257); - -var msg18889 = msg("16702", dup257); - -var msg18890 = msg("16703", dup260); - -var msg18891 = msg("16704", dup197); - -var msg18892 = msg("16705", dup222); - -var msg18893 = msg("16706", dup201); - -var msg18894 = msg("16707", dup260); - -var msg18895 = msg("16708", dup260); - -var msg18896 = msg("16709", dup198); - -var msg18897 = msg("16710", dup287); - -var msg18898 = msg("16711", dup201); - -var msg18899 = msg("16712", dup267); - -var msg18900 = msg("16713", dup267); - -var msg18901 = msg("16714", dup222); - -var msg18902 = msg("16715", dup267); - -var msg18903 = msg("16716", dup197); - -var msg18904 = msg("16717", dup287); - -var msg18905 = msg("16718", dup196); - -var msg18906 = msg("16719", dup201); - -var msg18907 = msg("16720", dup197); - -var msg18908 = msg("16721", dup197); - -var msg18909 = msg("16722", dup260); - -var msg18910 = msg("16723", dup260); - -var msg18911 = msg("16724", dup222); - -var msg18912 = msg("16725", dup197); - -var msg18913 = msg("16726", dup197); - -var msg18914 = msg("16727", dup201); - -var msg18915 = msg("16728", dup276); - -var msg18916 = msg("16729", dup197); - -var msg18917 = msg("16730", dup197); - -var msg18918 = msg("16731", dup197); - -var msg18919 = msg("16732", dup201); - -var msg18920 = msg("16733", 
dup197); - -var msg18921 = msg("16734", dup197); - -var msg18922 = msg("16735", dup222); - -var msg18923 = msg("16736", dup201); - -var msg18924 = msg("16737", dup197); - -var msg18925 = msg("16738", dup197); - -var msg18926 = msg("16739", dup201); - -var msg18927 = msg("16740", dup267); - -var msg18928 = msg("16741", dup267); - -var msg18929 = msg("16742", dup265); - -var msg18930 = msg("16743", dup197); - -var msg18931 = msg("16744", dup199); - -var msg18932 = msg("16745", dup197); - -var msg18933 = msg("16746", dup265); - -var msg18934 = msg("16747", dup265); - -var msg18935 = msg("16748", dup265); - -var msg18936 = msg("16749", dup265); - -var msg18937 = msg("16750", dup197); - -var msg18938 = msg("16751", dup197); - -var msg18939 = msg("16752", dup197); - -var msg18940 = msg("16753", dup197); - -var msg18941 = msg("16754", dup276); - -var msg18942 = msg("16755", dup276); - -var msg18943 = msg("16756", dup276); - -var msg18944 = msg("16757", dup276); - -var msg18945 = msg("16758", dup276); - -var msg18946 = msg("16759", dup276); - -var msg18947 = msg("16760", dup276); - -var msg18948 = msg("16761", dup276); - -var msg18949 = msg("16762", dup197); - -var msg18950 = msg("16763", dup197); - -var msg18951 = msg("16764", dup197); - -var msg18952 = msg("16765", dup197); - -var msg18953 = msg("16766", dup197); - -var msg18954 = msg("16767", dup265); - -var msg18955 = msg("16768", dup265); - -var msg18956 = msg("16769", dup265); - -var msg18957 = msg("16770", dup265); - -var msg18958 = msg("16771", dup197); - -var msg18959 = msg("16772", dup265); - -var msg18960 = msg("16773", dup265); - -var msg18961 = msg("16774", dup265); - -var msg18962 = msg("16775", dup265); - -var msg18963 = msg("16776", dup201); - -var msg18964 = msg("16777", dup198); - -var msg18965 = msg("16778", dup198); - -var msg18966 = msg("16779", dup265); - -var msg18967 = msg("16780", dup265); - -var msg18968 = msg("16781", dup265); - -var msg18969 = msg("16782", dup265); - -var msg18970 = msg("16783", 
dup265); - -var msg18971 = msg("16784", dup265); - -var msg18972 = msg("16785", dup267); - -var msg18973 = msg("16786", dup197); - -var msg18974 = msg("16787", dup201); - -var msg18975 = msg("16788", dup267); - -var msg18976 = msg("16789", dup267); - -var msg18977 = msg("16790", dup267); - -var msg18978 = msg("16791", dup265); - -var msg18979 = msg("16792", dup265); - -var msg18980 = msg("16793", dup265); - -var msg18981 = msg("16794", dup265); - -var msg18982 = msg("16795", dup227); - -var msg18983 = msg("16796", dup255); - -var msg18984 = msg("16797", dup201); - -var msg18985 = msg("16798", dup197); - -var msg18986 = msg("16799", dup197); - -var msg18987 = msg("16800", dup197); - -var msg18988 = msg("16801", dup267); - -var msg18989 = msg("16802", dup265); - -var msg18990 = msg("16803", dup265); - -var msg18991 = msg("16804", dup192); - -var msg18992 = msg("16805", dup192); - -var msg18993 = msg("16806", dup227); - -var msg18994 = msg("16807", dup227); - -var msg18995 = msg("16808", dup192); - -var msg18996 = msg("16809", dup202); - -var msg18997 = msg("16810", dup202); - -var msg18998 = msg("16811", dup202); - -var msg18999 = msg("16812", dup202); - -var msg19000 = msg("16813", dup202); - -var msg19001 = msg("16814", dup202); - -var msg19002 = msg("16815", dup202); - -var msg19003 = msg("16816", dup202); - -var msg19004 = msg("16817", dup202); - -var msg19005 = msg("16818", dup202); - -var msg19006 = msg("16819", dup202); - -var msg19007 = msg("16820", dup202); - -var msg19008 = msg("16821", dup202); - -var msg19009 = msg("16822", dup202); - -var msg19010 = msg("16823", dup202); - -var msg19011 = msg("16824", dup202); - -var msg19012 = msg("16825", dup202); - -var msg19013 = msg("16826", dup202); - -var msg19014 = msg("16827", dup202); - -var msg19015 = msg("16828", dup202); - -var msg19016 = msg("16829", dup202); - -var msg19017 = msg("16830", dup202); - -var msg19018 = msg("16831", dup202); - -var msg19019 = msg("16832", dup202); - -var msg19020 = msg("16833", 
dup202); - -var msg19021 = msg("16834", dup263); - -var msg19022 = msg("16835", dup263); - -var msg19023 = msg("16836", dup263); - -var msg19024 = msg("16837", dup263); - -var msg19025 = msg("16838", dup263); - -var msg19026 = msg("16839", dup263); - -var msg19027 = msg("16840", dup263); - -var msg19028 = msg("16841", dup263); - -var msg19029 = msg("16842", dup263); - -var msg19030 = msg("16843", dup263); - -var msg19031 = msg("16844", dup263); - -var msg19032 = msg("16845", dup263); - -var msg19033 = msg("16846", dup263); - -var msg19034 = msg("16847", dup263); - -var msg19035 = msg("16848", dup263); - -var msg19036 = msg("16849", dup263); - -var msg19037 = msg("16850", dup263); - -var msg19038 = msg("16851", dup263); - -var msg19039 = msg("16852", dup263); - -var msg19040 = msg("16853", dup263); - -var msg19041 = msg("16854", dup263); - -var msg19042 = msg("16855", dup263); - -var msg19043 = msg("16856", dup263); - -var msg19044 = msg("16857", dup263); - -var msg19045 = msg("16858", dup263); - -var msg19046 = msg("16859", dup263); - -var msg19047 = msg("16860", dup263); - -var msg19048 = msg("16861", dup263); - -var msg19049 = msg("16862", dup263); - -var msg19050 = msg("16863", dup263); - -var msg19051 = msg("16864", dup263); - -var msg19052 = msg("16865", dup263); - -var msg19053 = msg("16866", dup263); - -var msg19054 = msg("16867", dup263); - -var msg19055 = msg("16868", dup263); - -var msg19056 = msg("16869", dup263); - -var msg19057 = msg("16870", dup263); - -var msg19058 = msg("16871", dup263); - -var msg19059 = msg("16872", dup263); - -var msg19060 = msg("16873", dup263); - -var msg19061 = msg("16874", dup263); - -var msg19062 = msg("16875", dup263); - -var msg19063 = msg("16876", dup263); - -var msg19064 = msg("16877", dup263); - -var msg19065 = msg("16878", dup263); - -var msg19066 = msg("16879", dup263); - -var msg19067 = msg("16880", dup263); - -var msg19068 = msg("16881", dup263); - -var msg19069 = msg("16882", dup263); - -var msg19070 = msg("16883", 
dup263); - -var msg19071 = msg("16884", dup263); - -var msg19072 = msg("16885", dup263); - -var msg19073 = msg("16886", dup263); - -var msg19074 = msg("16887", dup263); - -var msg19075 = msg("16888", dup263); - -var msg19076 = msg("16889", dup263); - -var msg19077 = msg("16890", dup263); - -var msg19078 = msg("16891", dup263); - -var msg19079 = msg("16892", dup263); - -var msg19080 = msg("16893", dup263); - -var msg19081 = msg("16894", dup263); - -var msg19082 = msg("16895", dup263); - -var msg19083 = msg("16896", dup263); - -var msg19084 = msg("16897", dup263); - -var msg19085 = msg("16898", dup263); - -var msg19086 = msg("16899", dup263); - -var msg19087 = msg("16900", dup263); - -var msg19088 = msg("16901", dup263); - -var msg19089 = msg("16902", dup263); - -var msg19090 = msg("16903", dup263); - -var msg19091 = msg("16904", dup263); - -var msg19092 = msg("16905", dup263); - -var msg19093 = msg("16906", dup263); - -var msg19094 = msg("16907", dup263); - -var msg19095 = msg("16908", dup263); - -var msg19096 = msg("16909", dup263); - -var msg19097 = msg("16910", dup263); - -var msg19098 = msg("16911", dup269); - -var msg19099 = msg("16912", dup269); - -var msg19100 = msg("16913", dup269); - -var msg19101 = msg("16914", dup269); - -var msg19102 = msg("16915", dup269); - -var msg19103 = msg("16916", dup269); - -var msg19104 = msg("16917", dup269); - -var msg19105 = msg("16918", dup269); - -var msg19106 = msg("16919", dup269); - -var msg19107 = msg("16920", dup269); - -var msg19108 = msg("16921", dup269); - -var msg19109 = msg("16922", dup269); - -var msg19110 = msg("16923", dup269); - -var msg19111 = msg("16924", dup269); - -var msg19112 = msg("16925", dup269); - -var msg19113 = msg("16926", dup255); - -var msg19114 = msg("16927", dup269); - -var msg19115 = msg("16928", dup269); - -var msg19116 = msg("16929", dup269); - -var msg19117 = msg("16930", dup269); - -var msg19118 = msg("16931", dup269); - -var msg19119 = msg("16932", dup269); - -var msg19120 = msg("16933", 
dup269); - -var msg19121 = msg("16934", dup312); - -var msg19122 = msg("16935", dup312); - -var msg19123 = msg("16936", dup312); - -var msg19124 = msg("16937", dup312); - -var msg19125 = msg("16938", dup312); - -var msg19126 = msg("16939", dup312); - -var msg19127 = msg("16940", dup312); - -var msg19128 = msg("16941", dup312); - -var msg19129 = msg("16942", dup312); - -var msg19130 = msg("16943", dup312); - -var msg19131 = msg("16944", dup312); - -var msg19132 = msg("16945", dup312); - -var msg19133 = msg("16946", dup312); - -var msg19134 = msg("16947", dup312); - -var msg19135 = msg("16948", dup312); - -var msg19136 = msg("16949", dup312); - -var msg19137 = msg("16950", dup312); - -var msg19138 = msg("16951", dup312); - -var msg19139 = msg("16952", dup312); - -var msg19140 = msg("16953", dup312); - -var msg19141 = msg("16954", dup312); - -var msg19142 = msg("16955", dup312); - -var msg19143 = msg("16956", dup312); - -var msg19144 = msg("16957", dup312); - -var msg19145 = msg("16958", dup312); - -var msg19146 = msg("16959", dup312); - -var msg19147 = msg("16960", dup312); - -var msg19148 = msg("16961", dup312); - -var msg19149 = msg("16962", dup312); - -var msg19150 = msg("16963", dup312); - -var msg19151 = msg("16964", dup312); - -var msg19152 = msg("16965", dup312); - -var msg19153 = msg("16966", dup312); - -var msg19154 = msg("16967", dup312); - -var msg19155 = msg("16968", dup312); - -var msg19156 = msg("16969", dup312); - -var msg19157 = msg("16970", dup312); - -var msg19158 = msg("16971", dup312); - -var msg19159 = msg("16972", dup312); - -var msg19160 = msg("16973", dup312); - -var msg19161 = msg("16974", dup312); - -var msg19162 = msg("16975", dup312); - -var msg19163 = msg("16976", dup312); - -var msg19164 = msg("16977", dup312); - -var msg19165 = msg("16978", dup312); - -var msg19166 = msg("16979", dup312); - -var msg19167 = msg("16980", dup312); - -var msg19168 = msg("16981", dup312); - -var msg19169 = msg("16982", dup312); - -var msg19170 = msg("16983", 
dup312); - -var msg19171 = msg("16984", dup312); - -var msg19172 = msg("16985", dup312); - -var msg19173 = msg("16986", dup312); - -var msg19174 = msg("16987", dup312); - -var msg19175 = msg("16988", dup312); - -var msg19176 = msg("16989", dup312); - -var msg19177 = msg("16990", dup312); - -var msg19178 = msg("16991", dup312); - -var msg19179 = msg("16992", dup312); - -var msg19180 = msg("16993", dup312); - -var msg19181 = msg("16994", dup312); - -var msg19182 = msg("16995", dup312); - -var msg19183 = msg("16996", dup312); - -var msg19184 = msg("16997", dup312); - -var msg19185 = msg("16998", dup312); - -var msg19186 = msg("16999", dup312); - -var msg19187 = msg("17000", dup312); - -var msg19188 = msg("17001", dup312); - -var msg19189 = msg("17002", dup312); - -var msg19190 = msg("17003", dup312); - -var msg19191 = msg("17004", dup312); - -var msg19192 = msg("17005", dup312); - -var msg19193 = msg("17006", dup312); - -var msg19194 = msg("17007", dup312); - -var msg19195 = msg("17008", dup312); - -var msg19196 = msg("17009", dup312); - -var msg19197 = msg("17010", dup312); - -var msg19198 = msg("17011", dup312); - -var msg19199 = msg("17012", dup312); - -var msg19200 = msg("17013", dup312); - -var msg19201 = msg("17014", dup312); - -var msg19202 = msg("17015", dup312); - -var msg19203 = msg("17016", dup312); - -var msg19204 = msg("17017", dup312); - -var msg19205 = msg("17018", dup312); - -var msg19206 = msg("17019", dup312); - -var msg19207 = msg("17020", dup312); - -var msg19208 = msg("17021", dup312); - -var msg19209 = msg("17022", dup312); - -var msg19210 = msg("17023", dup312); - -var msg19211 = msg("17024", dup312); - -var msg19212 = msg("17025", dup312); - -var msg19213 = msg("17026", dup312); - -var msg19214 = msg("17027", dup312); - -var msg19215 = msg("17028", dup312); - -var msg19216 = msg("17029", dup312); - -var msg19217 = msg("17030", dup312); - -var msg19218 = msg("17031", dup312); - -var msg19219 = msg("17032", dup312); - -var msg19220 = msg("17033", 
dup312); - -var msg19221 = msg("17034", dup267); - -var msg19222 = msg("17035", dup267); - -var msg19223 = msg("17036", dup267); - -var msg19224 = msg("17037", dup267); - -var msg19225 = msg("17038", dup267); - -var msg19226 = msg("17039", dup267); - -var msg19227 = msg("17041", dup265); - -var msg19228 = msg("17042", dup265); - -var msg19229 = msg("17043", dup202); - -var msg19230 = msg("17044", dup240); - -var msg19231 = msg("17045", dup197); - -var msg19232 = msg("17046", dup197); - -var msg19233 = msg("17047", dup255); - -var msg19234 = msg("17048", dup201); - -var msg19235 = msg("17049", dup265); - -var msg19236 = msg("17050", dup265); - -var msg19237 = msg("17051", dup265); - -var msg19238 = msg("17052", dup265); - -var msg19239 = msg("17053", dup265); - -var msg19240 = msg("17054", dup265); - -var msg19241 = msg("17055", dup198); - -var msg19242 = msg("17056", dup201); - -var msg19243 = msg("17057", dup267); - -var msg19244 = msg("17058", dup287); - -var msg19245 = msg("17059", dup227); - -var msg19246 = msg("17060", dup197); - -var msg19247 = msg("17061", dup265); - -var msg19248 = msg("17062", dup265); - -var msg19249 = msg("17063", dup265); - -var msg19250 = msg("17064", dup265); - -var msg19251 = msg("17065", dup265); - -var msg19252 = msg("17066", dup265); - -var msg19253 = msg("17067", dup265); - -var msg19254 = msg("17068", dup265); - -var msg19255 = msg("17069", dup265); - -var msg19256 = msg("17070", dup265); - -var msg19257 = msg("17071", dup265); - -var msg19258 = msg("17072", dup265); - -var msg19259 = msg("17073", dup265); - -var msg19260 = msg("17074", dup265); - -var msg19261 = msg("17075", dup265); - -var msg19262 = msg("17076", dup265); - -var msg19263 = msg("17077", dup197); - -var msg19264 = msg("17078", dup265); - -var msg19265 = msg("17079", dup265); - -var msg19266 = msg("17080", dup265); - -var msg19267 = msg("17081", dup265); - -var msg19268 = msg("17082", dup265); - -var msg19269 = msg("17083", dup265); - -var msg19270 = msg("17084", 
dup265); - -var msg19271 = msg("17085", dup265); - -var msg19272 = msg("17086", dup197); - -var msg19273 = msg("17087", dup265); - -var msg19274 = msg("17088", dup265); - -var msg19275 = msg("17089", dup265); - -var msg19276 = msg("17090", dup265); - -var msg19277 = msg("17091", dup197); - -var msg19278 = msg("17092", dup265); - -var msg19279 = msg("17093", dup265); - -var msg19280 = msg("17094", dup265); - -var msg19281 = msg("17095", dup265); - -var msg19282 = msg("17096", dup265); - -var msg19283 = msg("17097", dup265); - -var msg19284 = msg("17098", dup197); - -var msg19285 = msg("17099", dup250); - -var msg19286 = msg("17100", dup250); - -var msg19287 = msg("17101", dup250); - -var msg19288 = msg("17102", dup250); - -var msg19289 = msg("17103", dup265); - -var msg19290 = msg("17104", dup197); - -var msg19291 = msg("17105", dup197); - -var msg19292 = msg("17106", dup269); - -var msg19293 = msg("17107", dup197); - -var msg19294 = msg("17108", dup197); - -var msg19295 = msg("17109", dup267); - -var msg19296 = msg("17110", dup202); - -var msg19297 = msg("17111", dup197); - -var msg19298 = msg("17112", dup255); - -var msg19299 = msg("17113", dup202); - -var msg19300 = msg("17114", dup267); - -var msg19301 = msg("17115", dup265); - -var msg19302 = msg("17116", dup265); - -var msg19303 = msg("17117", dup267); - -var msg19304 = msg("17118", dup267); - -var msg19305 = msg("17119", dup197); - -var msg19306 = msg("17120", dup267); - -var msg19307 = msg("17121", dup267); - -var msg19308 = msg("17122", dup267); - -var msg19309 = msg("17123", dup267); - -var msg19310 = msg("17124", dup267); - -var msg19311 = msg("17125", dup197); - -var msg19312 = msg("17126", dup202); - -var msg19313 = msg("17127", dup276); - -var msg19314 = msg("17128", dup267); - -var msg19315 = msg("17129", dup267); - -var msg19316 = msg("17130", dup267); - -var msg19317 = msg("17131", dup267); - -var msg19318 = msg("17132", dup267); - -var msg19319 = msg("17133", dup265); - -var msg19320 = msg("17134", 
dup197); - -var msg19321 = msg("17135", dup197); - -var msg19322 = msg("17136", dup267); - -var msg19323 = msg("17137", dup265); - -var msg19324 = msg("17138", dup201); - -var msg19325 = msg("17139", dup267); - -var msg19326 = msg("17140", dup197); - -var msg19327 = msg("17141", dup267); - -var msg19328 = msg("17142", dup201); - -var msg19329 = msg("17143", dup197); - -var msg19330 = msg("17144", dup197); - -var msg19331 = msg("17145", dup197); - -var msg19332 = msg("17146", dup197); - -var msg19333 = msg("17147", dup197); - -var msg19334 = msg("17148", dup201); - -var msg19335 = msg("17149", dup201); - -var msg19336 = msg("17150", dup201); - -var msg19337 = msg("17151", dup198); - -var msg19338 = msg("17152", dup198); - -var msg19339 = msg("17153", dup267); - -var msg19340 = msg("17154", dup267); - -var msg19341 = msg("17155", dup201); - -var msg19342 = msg("17156", dup267); - -var msg19343 = msg("17157", dup265); - -var msg19344 = msg("17158", dup265); - -var msg19345 = msg("17159", dup265); - -var msg19346 = msg("17160", dup197); - -var msg19347 = msg("17161", dup265); - -var msg19348 = msg("17162", dup265); - -var msg19349 = msg("17163", dup265); - -var msg19350 = msg("17164", dup265); - -var msg19351 = msg("17165", dup265); - -var msg19352 = msg("17166", dup201); - -var msg19353 = msg("17167", dup265); - -var msg19354 = msg("17168", dup265); - -var msg19355 = msg("17169", dup265); - -var msg19356 = msg("17170", dup265); - -var msg19357 = msg("17171", dup265); - -var msg19358 = msg("17172", dup265); - -var msg19359 = msg("17173", dup265); - -var msg19360 = msg("17174", dup265); - -var msg19361 = msg("17175", dup265); - -var msg19362 = msg("17176", dup265); - -var msg19363 = msg("17177", dup265); - -var msg19364 = msg("17178", dup265); - -var msg19365 = msg("17179", dup267); - -var msg19366 = msg("17180", dup267); - -var msg19367 = msg("17181", dup267); - -var msg19368 = msg("17182", dup267); - -var msg19369 = msg("17183", dup267); - -var msg19370 = msg("17184", 
dup267); - -var msg19371 = msg("17185", dup267); - -var msg19372 = msg("17186", dup267); - -var msg19373 = msg("17187", dup267); - -var msg19374 = msg("17188", dup267); - -var msg19375 = msg("17189", dup267); - -var msg19376 = msg("17190", dup267); - -var msg19377 = msg("17191", dup267); - -var msg19378 = msg("17192", dup267); - -var msg19379 = msg("17193", dup267); - -var msg19380 = msg("17194", dup267); - -var msg19381 = msg("17195", dup311); - -var msg19382 = msg("17196", dup267); - -var msg19383 = msg("17197", dup267); - -var msg19384 = msg("17198", dup267); - -var msg19385 = msg("17199", dup197); - -var msg19386 = msg("17200", dup197); - -var msg19387 = msg("17201", dup197); - -var msg19388 = msg("17202", dup197); - -var msg19389 = msg("17203", dup197); - -var msg19390 = msg("17204", dup197); - -var msg19391 = msg("17205", dup201); - -var msg19392 = msg("17206", dup201); - -var msg19393 = msg("17207", dup267); - -var msg19394 = msg("17208", dup267); - -var msg19395 = msg("17209", dup197); - -var msg19396 = msg("17210", dup267); - -var msg19397 = msg("17211", dup267); - -var msg19398 = msg("17212", dup201); - -var msg19399 = msg("17213", dup265); - -var msg19400 = msg("17214", dup197); - -var msg19401 = msg("17215", dup197); - -var msg19402 = msg("17216", dup267); - -var msg19403 = msg("17217", dup267); - -var msg19404 = msg("17218", dup267); - -var msg19405 = msg("17219", dup197); - -var msg19406 = msg("17220", dup197); - -var msg19407 = msg("17221", dup197); - -var msg19408 = msg("17222", dup197); - -var msg19409 = msg("17223", dup267); - -var msg19410 = msg("17224", dup250); - -var msg19411 = msg("17225", dup202); - -var msg19412 = msg("17226", dup202); - -var msg19413 = msg("17227", dup267); - -var msg19414 = msg("17228", dup267); - -var msg19415 = msg("17229", dup202); - -var msg19416 = msg("17230", dup202); - -var msg19417 = msg("17231", dup202); - -var msg19418 = msg("17232", dup202); - -var msg19419 = msg("17233", dup267); - -var msg19420 = msg("17234", 
dup238); - -var msg19421 = msg("17235", dup238); - -var msg19422 = msg("17236", dup267); - -var msg19423 = msg("17237", dup202); - -var msg19424 = msg("17238", dup197); - -var msg19425 = msg("17239", dup197); - -var msg19426 = msg("17240", dup197); - -var msg19427 = msg("17241", dup265); - -var msg19428 = msg("17242", dup267); - -var msg19429 = msg("17243", dup267); - -var msg19430 = msg("17244", dup197); - -var msg19431 = msg("17245", dup267); - -var msg19432 = msg("17246", dup287); - -var msg19433 = msg("17247", dup287); - -var msg19434 = msg("17248", dup287); - -var msg19435 = msg("17249", dup197); - -var msg19436 = msg("17250", dup197); - -var msg19437 = msg("17251", dup267); - -var msg19438 = msg("17252", dup276); - -var msg19439 = msg("17253", dup306); - -var msg19440 = msg("17254", dup265); - -var msg19441 = msg("17255", dup197); - -var msg19442 = msg("17256", dup267); - -var msg19443 = msg("17257", dup267); - -var msg19444 = msg("17258", dup267); - -var msg19445 = msg("17259", dup265); - -var msg19446 = msg("17260", dup201); - -var msg19447 = msg("17261", dup267); - -var msg19448 = msg("17262", dup267); - -var msg19449 = msg("17263", dup267); - -var msg19450 = msg("17264", dup267); - -var msg19451 = msg("17265", dup265); - -var msg19452 = msg("17266", dup287); - -var msg19453 = msg("17267", dup287); - -var msg19454 = msg("17268", dup267); - -var msg19455 = msg("17269", dup197); - -var msg19456 = msg("17270", dup260); - -var msg19457 = msg("17271", dup201); - -var msg19458 = msg("17272", dup197); - -var msg19459 = msg("17273", dup197); - -var msg19460 = msg("17274", dup197); - -var msg19461 = msg("17275", dup287); - -var msg19462 = msg("17276", dup287); - -var msg19463 = msg("17277", dup265); - -var msg19464 = msg("17278", dup265); - -var msg19465 = msg("17279", dup265); - -var msg19466 = msg("17280", dup265); - -var msg19467 = msg("17281", dup197); - -var msg19468 = msg("17282", dup197); - -var msg19469 = msg("17283", dup197); - -var msg19470 = msg("17284", 
dup201); - -var msg19471 = msg("17285", dup267); - -var msg19472 = msg("17286", dup197); - -var msg19473 = msg("17287", dup267); - -var msg19474 = msg("17288", dup197); - -var msg19475 = msg("17289", dup201); - -var msg19476 = msg("17290", dup202); - -var msg19477 = msg("17291", dup202); - -var msg19478 = msg("17292", dup267); - -var msg19479 = msg("17293", dup197); - -var msg19480 = msg("17294", dup197); - -var msg19481 = msg("17295", dup197); - -var msg19482 = msg("17296", dup265); - -var msg19483 = msg("17297", dup197); - -var msg19484 = msg("17298", dup197); - -var msg19485 = msg("17299", dup198); - -var msg19486 = msg("17300", dup197); - -var msg19487 = msg("17301", dup267); - -var msg19488 = msg("17302", dup198); - -var msg19489 = msg("17303", dup267); - -var msg19490 = msg("17304", dup197); - -var msg19491 = msg("17305", dup197); - -var msg19492 = msg("17306", dup198); - -var msg19493 = msg("17307", dup260); - -var msg19494 = msg("17308", dup267); - -var msg19495 = msg("17309", dup197); - -var msg19496 = msg("17310", dup267); - -var msg19497 = msg("17311", dup269); - -var msg19498 = msg("17312", dup269); - -var msg19499 = msg("17313", dup202); - -var msg19500 = msg("17314", dup202); - -var msg19501 = msg("17315", dup197); - -var msg19502 = msg("17316", dup267); - -var msg19503 = msg("17317", dup198); - -var msg19504 = msg("17318", dup267); - -var msg19505 = msg("17319", dup267); - -var msg19506 = msg("17320", dup267); - -var msg19507 = msg("17321", dup201); - -var msg19508 = msg("17322", dup202); - -var msg19509 = msg("17323", dup202); - -var msg19510 = msg("17324", dup199); - -var msg19511 = msg("17325", dup202); - -var msg19512 = msg("17326", dup197); - -var msg19513 = msg("17327", dup202); - -var msg19514 = msg("17328", dup197); - -var msg19515 = msg("17329", dup227); - -var msg19516 = msg("17330", dup265); - -var msg19517 = msg("17331", dup197); - -var msg19518 = msg("17332", dup250); - -var msg19519 = msg("17333", dup197); - -var msg19520 = msg("17334", 
dup197); - -var msg19521 = msg("17335", dup199); - -var msg19522 = msg("17336", dup199); - -var msg19523 = msg("17337", dup202); - -var msg19524 = msg("17338", dup202); - -var msg19525 = msg("17339", dup202); - -var msg19526 = msg("17340", dup202); - -var msg19527 = msg("17341", dup199); - -var msg19528 = msg("17342", dup199); - -var msg19529 = msg("17343", dup199); - -var msg19530 = msg("17344", dup199); - -var msg19531 = msg("17345", dup199); - -var msg19532 = msg("17346", dup267); - -var msg19533 = msg("17347", dup197); - -var msg19534 = msg("17348", dup197); - -var msg19535 = msg("17349", dup197); - -var msg19536 = msg("17350", dup267); - -var msg19537 = msg("17351", dup197); - -var msg19538 = msg("17352", dup197); - -var msg19539 = msg("17353", dup267); - -var msg19540 = msg("17354", dup198); - -var msg19541 = msg("17355", dup267); - -var msg19542 = msg("17356", dup197); - -var msg19543 = msg("17357", dup197); - -var msg19544 = msg("17358", dup197); - -var msg19545 = msg("17359", dup265); - -var msg19546 = msg("17360", dup197); - -var msg19547 = msg("17361", dup198); - -var msg19548 = msg("17362", dup197); - -var msg19549 = msg("17363", dup267); - -var msg19550 = msg("17364", dup202); - -var msg19551 = msg("17365", dup197); - -var msg19552 = msg("17366", dup197); - -var msg19553 = msg("17367", dup227); - -var msg19554 = msg("17368", dup267); - -var msg19555 = msg("17369", dup197); - -var msg19556 = msg("17370", dup265); - -var msg19557 = msg("17371", dup265); - -var msg19558 = msg("17372", dup197); - -var msg19559 = msg("17373", dup197); - -var msg19560 = msg("17374", dup197); - -var msg19561 = msg("17375", dup197); - -var msg19562 = msg("17376", dup267); - -var msg19563 = msg("17377", dup267); - -var msg19564 = msg("17378", dup197); - -var msg19565 = msg("17379", dup197); - -var msg19566 = msg("17380", dup265); - -var msg19567 = msg("17381", dup197); - -var msg19568 = msg("17382", dup267); - -var msg19569 = msg("17383", dup267); - -var msg19570 = msg("17384", 
dup197); - -var msg19571 = msg("17385", dup197); - -var msg19572 = msg("17386", dup267); - -var msg19573 = msg("17387", dup265); - -var msg19574 = msg("17388", dup197); - -var msg19575 = msg("17389", dup267); - -var msg19576 = msg("17390", dup198); - -var msg19577 = msg("17391", dup265); - -var msg19578 = msg("17392", dup199); - -var msg19579 = msg("17393", dup199); - -var msg19580 = msg("17394", dup265); - -var msg19581 = msg("17395", dup197); - -var msg19582 = msg("17396", dup267); - -var msg19583 = msg("17397", dup197); - -var msg19584 = msg("17398", dup267); - -var msg19585 = msg("17399", dup267); - -var msg19586 = msg("17400", dup263); - -var msg19587 = msg("17401", dup267); - -var msg19588 = msg("17402", dup267); - -var msg19589 = msg("17403", dup197); - -var msg19590 = msg("17404", dup197); - -var msg19591 = msg("17405", dup197); - -var msg19592 = msg("17406", dup197); - -var msg19593 = msg("17407", dup265); - -var msg19594 = msg("17408", dup197); - -var msg19595 = msg("17409", dup267); - -var msg19596 = msg("17410", dup197); - -var msg19597 = msg("17411", dup267); - -var msg19598 = msg("17412", dup260); - -var msg19599 = msg("17413", dup197); - -var msg19600 = msg("17414", dup287); - -var msg19601 = msg("17415", dup287); - -var msg19602 = msg("17416", dup198); - -var msg19603 = msg("17417", dup198); - -var msg19604 = msg("17418", dup202); - -var msg19605 = msg("17419", dup240); - -var msg19606 = msg("17420", dup265); - -var msg19607 = msg("17421", dup201); - -var msg19608 = msg("17422", dup267); - -var msg19609 = msg("17423", dup197); - -var msg19610 = msg("17424", dup201); - -var msg19611 = msg("17425", dup197); - -var msg19612 = msg("17426", dup265); - -var msg19613 = msg("17427", dup202); - -var msg19614 = msg("17428", dup202); - -var msg19615 = msg("17429", dup265); - -var msg19616 = msg("17430", dup267); - -var msg19617 = msg("17431", dup267); - -var msg19618 = msg("17432", dup197); - -var msg19619 = msg("17433", dup267); - -var msg19620 = msg("17434", 
dup267); - -var msg19621 = msg("17435", dup255); - -var msg19622 = msg("17436", dup255); - -var msg19623 = msg("17437", dup255); - -var msg19624 = msg("17438", dup255); - -var msg19625 = msg("17439", dup267); - -var msg19626 = msg("17440", dup197); - -var msg19627 = msg("17441", dup265); - -var msg19628 = msg("17442", dup267); - -var msg19629 = msg("17443", dup197); - -var msg19630 = msg("17444", dup197); - -var msg19631 = msg("17445", dup267); - -var msg19632 = msg("17446", dup227); - -var msg19633 = msg("17447", dup202); - -var msg19634 = msg("17448", dup267); - -var msg19635 = msg("17449", dup260); - -var msg19636 = msg("17450", dup197); - -var msg19637 = msg("17451", dup265); - -var msg19638 = msg("17452", dup265); - -var msg19639 = msg("17453", dup265); - -var msg19640 = msg("17454", dup265); - -var msg19641 = msg("17455", dup265); - -var msg19642 = msg("17456", dup265); - -var msg19643 = msg("17457", dup267); - -var msg19644 = msg("17458", dup201); - -var msg19645 = msg("17459", dup201); - -var msg19646 = msg("17460", dup201); - -var msg19647 = msg("17461", dup201); - -var msg19648 = msg("17462", dup267); - -var msg19649 = msg("17463", dup269); - -var msg19650 = msg("17464", dup265); - -var msg19651 = msg("17465", dup265); - -var msg19652 = msg("17466", dup267); - -var msg19653 = msg("17467", dup267); - -var msg19654 = msg("17468", dup267); - -var msg19655 = msg("17469", dup197); - -var msg19656 = msg("17470", dup267); - -var msg19657 = msg("17471", dup201); - -var msg19658 = msg("17472", dup201); - -var msg19659 = msg("17473", dup267); - -var msg19660 = msg("17474", dup201); - -var msg19661 = msg("17475", dup201); - -var msg19662 = msg("17476", dup267); - -var msg19663 = msg("17477", dup201); - -var msg19664 = msg("17478", dup267); - -var msg19665 = msg("17479", dup267); - -var msg19666 = msg("17480", dup201); - -var msg19667 = msg("17481", dup197); - -var msg19668 = msg("17482", dup197); - -var msg19669 = msg("17483", dup198); - -var msg19670 = msg("17484", 
dup198); - -var msg19671 = msg("17485", dup313); - -var msg19672 = msg("17486", dup197); - -var msg19673 = msg("17487", dup265); - -var msg19674 = msg("17488", dup267); - -var msg19675 = msg("17489", dup197); - -var msg19676 = msg("17490", dup267); - -var msg19677 = msg("17491", dup267); - -var msg19678 = msg("17492", dup267); - -var msg19679 = msg("17493", dup197); - -var msg19680 = msg("17494", dup197); - -var msg19681 = msg("17495", dup267); - -var msg19682 = msg("17496", dup267); - -var msg19683 = msg("17497", dup267); - -var msg19684 = msg("17498", dup265); - -var msg19685 = msg("17499", dup265); - -var msg19686 = msg("17500", dup265); - -var msg19687 = msg("17501", dup265); - -var msg19688 = msg("17502", dup265); - -var msg19689 = msg("17503", dup202); - -var msg19690 = msg("17504", dup197); - -var msg19691 = msg("17505", dup267); - -var msg19692 = msg("17506", dup267); - -var msg19693 = msg("17507", dup267); - -var msg19694 = msg("17508", dup265); - -var msg19695 = msg("17509", dup265); - -var msg19696 = msg("17510", dup265); - -var msg19697 = msg("17511", dup267); - -var msg19698 = msg("17512", dup201); - -var msg19699 = msg("17513", dup201); - -var msg19700 = msg("17514", dup201); - -var msg19701 = msg("17515", dup201); - -var msg19702 = msg("17516", dup201); - -var msg19703 = msg("17517", dup267); - -var msg19704 = msg("17518", dup227); - -var msg19705 = msg("17519", dup197); - -var msg19706 = msg("17520", dup267); - -var msg19707 = msg("17521", dup227); - -var msg19708 = msg("17522", dup197); - -var msg19709 = msg("17523", dup197); - -var msg19710 = msg("17524", dup197); - -var msg19711 = msg("17525", dup202); - -var msg19712 = msg("17526", dup197); - -var msg19713 = msg("17527", dup197); - -var msg19714 = msg("17528", dup197); - -var msg19715 = msg("17529", dup267); - -var msg19716 = msg("17530", dup197); - -var msg19717 = msg("17531", dup197); - -var msg19718 = msg("17532", dup267); - -var msg19719 = msg("17533", dup265); - -var msg19720 = msg("17534", 
dup202); - -var msg19721 = msg("17535", dup201); - -var msg19722 = msg("17536", dup197); - -var msg19723 = msg("17537", dup267); - -var msg19724 = msg("17538", dup267); - -var msg19725 = msg("17539", dup267); - -var msg19726 = msg("17540", dup202); - -var msg19727 = msg("17541", dup197); - -var msg19728 = msg("17542", dup267); - -var msg19729 = msg("17543", dup267); - -var msg19730 = msg("17544", dup197); - -var msg19731 = msg("17545", dup197); - -var msg19732 = msg("17546", dup202); - -var msg19733 = msg("17547", dup202); - -var msg19734 = msg("17548", dup197); - -var msg19735 = msg("17549", dup267); - -var msg19736 = msg("17550", dup197); - -var msg19737 = msg("17551", dup267); - -var msg19738 = msg("17552", dup265); - -var msg19739 = msg("17553", dup197); - -var msg19740 = msg("17554", dup267); - -var msg19741 = msg("17555", dup267); - -var msg19742 = msg("17556", dup267); - -var msg19743 = msg("17557", dup197); - -var msg19744 = msg("17558", dup197); - -var msg19745 = msg("17559", dup197); - -var msg19746 = msg("17560", dup197); - -var msg19747 = msg("17561", dup197); - -var msg19748 = msg("17562", dup197); - -var msg19749 = msg("17563", dup197); - -var msg19750 = msg("17564", dup202); - -var msg19751 = msg("17565", dup267); - -var msg19752 = msg("17566", dup267); - -var msg19753 = msg("17567", dup309); - -var msg19754 = msg("17568", dup197); - -var msg19755 = msg("17569", dup201); - -var msg19756 = msg("17570", dup267); - -var msg19757 = msg("17571", dup269); - -var msg19758 = msg("17572", dup265); - -var msg19759 = msg("17573", dup197); - -var msg19760 = msg("17574", dup197); - -var msg19761 = msg("17575", dup265); - -var msg19762 = msg("17576", dup265); - -var msg19763 = msg("17577", dup202); - -var msg19764 = msg("17578", dup197); - -var msg19765 = msg("17579", dup267); - -var msg19766 = msg("17580", dup267); - -var msg19767 = msg("17581", dup267); - -var msg19768 = msg("17582", dup265); - -var msg19769 = msg("17583", dup265); - -var msg19770 = msg("17584", 
dup202); - -var msg19771 = msg("17585", dup267); - -var msg19772 = msg("17586", dup269); - -var msg19773 = msg("17587", dup267); - -var msg19774 = msg("17588", dup265); - -var msg19775 = msg("17589", dup265); - -var msg19776 = msg("17590", dup260); - -var msg19777 = msg("17591", dup267); - -var msg19778 = msg("17592", dup265); - -var msg19779 = msg("17593", dup265); - -var msg19780 = msg("17594", dup265); - -var msg19781 = msg("17595", dup265); - -var msg19782 = msg("17596", dup265); - -var msg19783 = msg("17597", dup265); - -var msg19784 = msg("17598", dup202); - -var msg19785 = msg("17599", dup198); - -var msg19786 = msg("17600", dup202); - -var msg19787 = msg("17601", dup267); - -var msg19788 = msg("17602", dup198); - -var msg19789 = msg("17603", dup267); - -var msg19790 = msg("17604", dup267); - -var msg19791 = msg("17605", dup197); - -var msg19792 = msg("17606", dup267); - -var msg19793 = msg("17607", dup309); - -var msg19794 = msg("17608", dup267); - -var msg19795 = msg("17609", dup197); - -var msg19796 = msg("17610", dup201); - -var msg19797 = msg("17611", dup201); - -var msg19798 = msg("17612", dup201); - -var msg19799 = msg("17613", dup267); - -var msg19800 = msg("17614", dup265); - -var msg19801 = msg("17616", dup265); - -var msg19802 = msg("17618", dup267); - -var msg19803 = msg("17619", dup267); - -var msg19804 = msg("17620", dup197); - -var msg19805 = msg("17621", dup197); - -var msg19806 = msg("17622", dup267); - -var msg19807 = msg("17623", dup197); - -var msg19808 = msg("17624", dup197); - -var msg19809 = msg("17625", dup198); - -var msg19810 = msg("17626", dup197); - -var msg19811 = msg("17628", dup267); - -var msg19812 = msg("17629", dup265); - -var msg19813 = msg("17630", dup267); - -var msg19814 = msg("17631", dup197); - -var msg19815 = msg("17632", dup309); - -var msg19816 = msg("17633", dup197); - -var msg19817 = msg("17634", dup201); - -var msg19818 = msg("17635", dup201); - -var msg19819 = msg("17636", dup201); - -var msg19820 = msg("17637", 
dup201); - -var msg19821 = msg("17638", dup199); - -var msg19822 = msg("17639", dup306); - -var msg19823 = msg("17640", dup201); - -var msg19824 = msg("17641", dup197); - -var msg19825 = msg("17642", dup267); - -var msg19826 = msg("17643", dup314); - -var msg19827 = msg("17644", dup267); - -var msg19828 = msg("17645", dup267); - -var msg19829 = msg("17646", dup267); - -var msg19830 = msg("17647", dup267); - -var msg19831 = msg("17648", dup265); - -var msg19832 = msg("17649", dup197); - -var msg19833 = msg("17650", dup197); - -var msg19834 = msg("17651", dup287); - -var msg19835 = msg("17652", dup265); - -var msg19836 = msg("17653", dup265); - -var msg19837 = msg("17654", dup267); - -var msg19838 = msg("17655", dup267); - -var msg19839 = msg("17656", dup197); - -var msg19840 = msg("17657", dup311); - -var msg19841 = msg("17658", dup267); - -var msg19842 = msg("17659", dup197); - -var msg19843 = msg("17660", dup267); - -var msg19844 = msg("17661", dup309); - -var msg19845 = msg("17662", dup267); - -var msg19846 = msg("17663", dup197); - -var msg19847 = msg("17664", dup267); - -var msg19848 = msg("17665", dup201); - -var msg19849 = msg("17666", dup197); - -var msg19850 = msg("17667", dup198); - -var msg19851 = msg("17668", dup202); - -var msg19852 = msg("17669", dup267); - -var msg19853 = msg("17670", dup265); - -var msg19854 = msg("17671", dup265); - -var msg19855 = msg("17672", dup265); - -var msg19856 = msg("17673", dup265); - -var msg19857 = msg("17674", dup265); - -var msg19858 = msg("17675", dup265); - -var msg19859 = msg("17676", dup265); - -var msg19860 = msg("17677", dup265); - -var msg19861 = msg("17678", dup197); - -var msg19862 = msg("17679", dup265); - -var msg19863 = msg("17680", dup198); - -var msg19864 = msg("17685", dup267); - -var msg19865 = msg("17686", dup267); - -var msg19866 = msg("17687", dup267); - -var msg19867 = msg("17688", dup267); - -var msg19868 = msg("17689", dup267); - -var msg19869 = msg("17690", dup267); - -var msg19870 = msg("17691", 
dup267); - -var msg19871 = msg("17692", dup267); - -var msg19872 = msg("17693", dup309); - -var msg19873 = msg("17694", dup309); - -var msg19874 = msg("17695", dup197); - -var msg19875 = msg("17696", dup267); - -var msg19876 = msg("17697", dup309); - -var msg19877 = msg("17698", dup197); - -var msg19878 = msg("17699", dup315); - -var msg19879 = msg("17700", dup197); - -var msg19880 = msg("17701", dup267); - -var msg19881 = msg("17702", dup255); - -var msg19882 = msg("17703", dup267); - -var msg19883 = msg("17704", dup197); - -var msg19884 = msg("17705", dup197); - -var msg19885 = msg("17706", dup267); - -var msg19886 = msg("17707", dup201); - -var msg19887 = msg("17708", dup197); - -var msg19888 = msg("17709", dup267); - -var msg19889 = msg("17710", dup197); - -var msg19890 = msg("17711", dup267); - -var msg19891 = msg("17712", dup267); - -var msg19892 = msg("17713", dup197); - -var msg19893 = msg("17714", dup255); - -var msg19894 = msg("17715", dup255); - -var msg19895 = msg("17716", dup197); - -var msg19896 = msg("17717", dup197); - -var msg19897 = msg("17718", dup267); - -var msg19898 = msg("17719", dup267); - -var msg19899 = msg("17720", dup197); - -var msg19900 = msg("17721", dup267); - -var msg19901 = msg("17722", dup197); - -var msg19902 = msg("17723", dup276); - -var msg19903 = msg("17724", dup269); - -var msg19904 = msg("17725", dup197); - -var msg19905 = msg("17726", dup267); - -var msg19906 = msg("17727", dup197); - -var msg19907 = msg("17728", dup197); - -var msg19908 = msg("17729", dup267); - -var msg19909 = msg("17730", dup267); - -var msg19910 = msg("17731", dup202); - -var msg19911 = msg("17732", dup265); - -var msg19912 = msg("17733", dup265); - -var msg19913 = msg("17734", dup265); - -var msg19914 = msg("17735", dup197); - -var msg19915 = msg("17736", dup197); - -var msg19916 = msg("17737", dup197); - -var msg19917 = msg("17738", dup267); - -var msg19918 = msg("17739", dup202); - -var msg19919 = msg("17740", dup197); - -var msg19920 = msg("17741", 
dup311); - -var msg19921 = msg("17742", dup267); - -var msg19922 = msg("17743", dup267); - -var msg19923 = msg("17745", dup276); - -var msg19924 = msg("17746", dup197); - -var msg19925 = msg("17747", dup197); - -var msg19926 = msg("17748", dup202); - -var msg19927 = msg("17749", dup255); - -var msg19928 = msg("17750", dup198); - -var msg19929 = msg("17751", dup265); - -var msg19930 = msg("17752", dup267); - -var msg19931 = msg("17753", dup267); - -var msg19932 = msg("17754", dup267); - -var msg19933 = msg("17755", dup267); - -var msg19934 = msg("17756", dup197); - -var msg19935 = msg("17757", dup197); - -var msg19936 = msg("17758", dup267); - -var msg19937 = msg("17759", dup267); - -var msg19938 = msg("17760", dup267); - -var msg19939 = msg("17762", dup267); - -var msg19940 = msg("17763", dup267); - -var msg19941 = msg("17764", dup267); - -var msg19942 = msg("17765", dup197); - -var msg19943 = msg("17766", dup267); - -var msg19944 = msg("17767", dup267); - -var msg19945 = msg("17768", dup267); - -var msg19946 = msg("17769", dup267); - -var msg19947 = msg("17770", dup265); - -var msg19948 = msg("17771", dup267); - -var msg19949 = msg("17772", dup265); - -var msg19950 = msg("17773", dup267); - -var msg19951 = msg("17774", dup267); - -var msg19952 = msg("17775", dup316); - -var msg19953 = msg("17776", dup197); - -var msg19954 = msg("17777", dup197); - -var msg19955 = msg("17778", dup201); - -var msg19956 = msg("17779", dup260); - -var msg19957 = msg("17780", dup197); - -var msg19958 = msg("17781", dup267); - -var msg19959 = msg("17782", dup202); - -var msg19960 = msg("17783", dup202); - -var msg19961 = msg("17784", dup202); - -var msg19962 = msg("17785", dup202); - -var msg19963 = msg("17786", dup202); - -var msg19964 = msg("17787", dup202); - -var msg19965 = msg("17788", dup202); - -var msg19966 = msg("17789", dup202); - -var msg19967 = msg("17790", dup202); - -var msg19968 = msg("17791", dup202); - -var msg19969 = msg("17792", dup202); - -var msg19970 = msg("17793", 
dup202); - -var msg19971 = msg("17794", dup202); - -var msg19972 = msg("17795", dup202); - -var msg19973 = msg("17796", dup202); - -var msg19974 = msg("17797", dup202); - -var msg19975 = msg("17798", dup202); - -var msg19976 = msg("17799", dup202); - -var msg19977 = msg("17800", dup202); - -var msg19978 = msg("17801", dup202); - -var msg19979 = msg("17802", dup202); - -var msg19980 = msg("17803", dup267); - -var msg19981 = msg("17804", dup267); - -var msg19982 = msg("17805", dup238); - -var msg19983 = msg("17806", dup267); - -var msg19984 = msg("17807", dup267); - -var msg19985 = msg("17808", dup267); - -var msg19986 = msg("17809", dup202); - -var msg19987 = msg("17810", dup263); - -var msg19988 = msg("17811", dup263); - -var msg19989 = msg("17812", dup269); - -var msg19990 = msg("17813", dup263); - -var msg19991 = msg("17814", dup263); - -var msg19992 = msg("17815", dup263); - -var msg19993 = msg("17816", dup263); - -var msg19994 = msg("17817", dup263); - -var msg19995 = msg("17818", dup263); - -var msg19996 = msg("17819", dup263); - -var msg19997 = msg("17820", dup263); - -var msg19998 = msg("17821", dup263); - -var msg19999 = msg("17822", dup263); - -var msg20000 = msg("17823", dup263); - -var msg20001 = msg("17824", dup263); - -var msg20002 = msg("17825", dup263); - -var msg20003 = msg("17826", dup263); - -var msg20004 = msg("17827", dup263); - -var msg20005 = msg("17828", dup263); - -var msg20006 = msg("17829", dup263); - -var msg20007 = msg("17830", dup263); - -var msg20008 = msg("17831", dup263); - -var msg20009 = msg("17832", dup263); - -var msg20010 = msg("17833", dup263); - -var msg20011 = msg("17834", dup263); - -var msg20012 = msg("17835", dup263); - -var msg20013 = msg("17836", dup263); - -var msg20014 = msg("17837", dup263); - -var msg20015 = msg("17838", dup263); - -var msg20016 = msg("17839", dup263); - -var msg20017 = msg("17840", dup263); - -var msg20018 = msg("17841", dup263); - -var msg20019 = msg("17842", dup263); - -var msg20020 = msg("17843", 
dup263); - -var msg20021 = msg("17844", dup263); - -var msg20022 = msg("17845", dup263); - -var msg20023 = msg("17846", dup263); - -var msg20024 = msg("17847", dup263); - -var msg20025 = msg("17848", dup263); - -var msg20026 = msg("17849", dup263); - -var msg20027 = msg("17850", dup263); - -var msg20028 = msg("17851", dup263); - -var msg20029 = msg("17852", dup263); - -var msg20030 = msg("17853", dup263); - -var msg20031 = msg("17854", dup263); - -var msg20032 = msg("17855", dup263); - -var msg20033 = msg("17856", dup263); - -var msg20034 = msg("17857", dup263); - -var msg20035 = msg("17858", dup263); - -var msg20036 = msg("17859", dup263); - -var msg20037 = msg("17860", dup263); - -var msg20038 = msg("17861", dup263); - -var msg20039 = msg("17862", dup263); - -var msg20040 = msg("17863", dup263); - -var msg20041 = msg("17864", dup263); - -var msg20042 = msg("17865", dup263); - -var msg20043 = msg("17866", dup263); - -var msg20044 = msg("17867", dup263); - -var msg20045 = msg("17868", dup263); - -var msg20046 = msg("17869", dup263); - -var msg20047 = msg("17870", dup263); - -var msg20048 = msg("17871", dup263); - -var msg20049 = msg("17872", dup263); - -var msg20050 = msg("17873", dup263); - -var msg20051 = msg("17874", dup263); - -var msg20052 = msg("17875", dup197); - -var msg20053 = msg("17876", dup263); - -var msg20054 = msg("17877", dup263); - -var msg20055 = msg("17878", dup263); - -var msg20056 = msg("17879", dup263); - -var msg20057 = msg("17880", dup263); - -var msg20058 = msg("17881", dup263); - -var msg20059 = msg("17882", dup263); - -var msg20060 = msg("17883", dup263); - -var msg20061 = msg("17884", dup263); - -var msg20062 = msg("17885", dup263); - -var msg20063 = msg("17886", dup263); - -var msg20064 = msg("17887", dup263); - -var msg20065 = msg("17888", dup263); - -var msg20066 = msg("17889", dup263); - -var msg20067 = msg("17890", dup263); - -var msg20068 = msg("17891", dup263); - -var msg20069 = msg("17892", dup263); - -var msg20070 = msg("17893", 
dup263); - -var msg20071 = msg("17894", dup263); - -var msg20072 = msg("17895", dup263); - -var msg20073 = msg("17896", dup263); - -var msg20074 = msg("17897", dup263); - -var msg20075 = msg("17898", dup269); - -var msg20076 = msg("17899", dup269); - -var msg20077 = msg("17900", dup269); - -var msg20078 = msg("17901", dup269); - -var msg20079 = msg("17902", dup269); - -var msg20080 = msg("17903", dup269); - -var msg20081 = msg("17904", dup269); - -var msg20082 = msg("17905", dup269); - -var msg20083 = msg("17906", dup269); - -var msg20084 = msg("17907", dup269); - -var msg20085 = msg("17908", dup269); - -var msg20086 = msg("17909", dup269); - -var msg20087 = msg("17910", dup269); - -var msg20088 = msg("17911", dup269); - -var msg20089 = msg("17912", dup269); - -var msg20090 = msg("17913", dup269); - -var msg20091 = msg("17914", dup269); - -var msg20092 = msg("17915", dup269); - -var msg20093 = msg("17916", dup269); - -var msg20094 = msg("17917", dup269); - -var msg20095 = msg("17918", dup312); - -var msg20096 = msg("17919", dup312); - -var msg20097 = msg("17920", dup312); - -var msg20098 = msg("17921", dup312); - -var msg20099 = msg("17922", dup312); - -var msg20100 = msg("17923", dup312); - -var msg20101 = msg("17924", dup312); - -var msg20102 = msg("17925", dup312); - -var msg20103 = msg("17926", dup312); - -var msg20104 = msg("17927", dup312); - -var msg20105 = msg("17928", dup312); - -var msg20106 = msg("17929", dup312); - -var msg20107 = msg("17930", dup312); - -var msg20108 = msg("17931", dup312); - -var msg20109 = msg("17932", dup312); - -var msg20110 = msg("17933", dup312); - -var msg20111 = msg("17934", dup312); - -var msg20112 = msg("17935", dup312); - -var msg20113 = msg("17936", dup312); - -var msg20114 = msg("17937", dup312); - -var msg20115 = msg("17938", dup312); - -var msg20116 = msg("17939", dup312); - -var msg20117 = msg("17940", dup312); - -var msg20118 = msg("17941", dup312); - -var msg20119 = msg("17942", dup312); - -var msg20120 = msg("17943", 
dup312); - -var msg20121 = msg("17944", dup312); - -var msg20122 = msg("17945", dup312); - -var msg20123 = msg("17946", dup312); - -var msg20124 = msg("17947", dup312); - -var msg20125 = msg("17948", dup312); - -var msg20126 = msg("17949", dup312); - -var msg20127 = msg("17950", dup312); - -var msg20128 = msg("17951", dup312); - -var msg20129 = msg("17952", dup312); - -var msg20130 = msg("17953", dup312); - -var msg20131 = msg("17954", dup312); - -var msg20132 = msg("17955", dup312); - -var msg20133 = msg("17956", dup312); - -var msg20134 = msg("17957", dup312); - -var msg20135 = msg("17958", dup312); - -var msg20136 = msg("17959", dup312); - -var msg20137 = msg("17960", dup312); - -var msg20138 = msg("17961", dup312); - -var msg20139 = msg("17962", dup312); - -var msg20140 = msg("17963", dup312); - -var msg20141 = msg("17964", dup312); - -var msg20142 = msg("17965", dup312); - -var msg20143 = msg("17966", dup312); - -var msg20144 = msg("17967", dup312); - -var msg20145 = msg("17968", dup312); - -var msg20146 = msg("17969", dup312); - -var msg20147 = msg("17970", dup312); - -var msg20148 = msg("17971", dup312); - -var msg20149 = msg("17972", dup312); - -var msg20150 = msg("17973", dup287); - -var msg20151 = msg("17974", dup312); - -var msg20152 = msg("17975", dup312); - -var msg20153 = msg("17976", dup312); - -var msg20154 = msg("17977", dup312); - -var msg20155 = msg("17978", dup312); - -var msg20156 = msg("17979", dup312); - -var msg20157 = msg("17980", dup312); - -var msg20158 = msg("17981", dup312); - -var msg20159 = msg("17982", dup312); - -var msg20160 = msg("17983", dup312); - -var msg20161 = msg("17984", dup312); - -var msg20162 = msg("17985", dup312); - -var msg20163 = msg("17986", dup312); - -var msg20164 = msg("17987", dup312); - -var msg20165 = msg("17988", dup312); - -var msg20166 = msg("17989", dup312); - -var msg20167 = msg("17990", dup312); - -var msg20168 = msg("17991", dup312); - -var msg20169 = msg("17992", dup312); - -var msg20170 = msg("17993", 
dup312); - -var msg20171 = msg("17994", dup312); - -var msg20172 = msg("17995", dup312); - -var msg20173 = msg("17996", dup312); - -var msg20174 = msg("17997", dup312); - -var msg20175 = msg("17998", dup312); - -var msg20176 = msg("17999", dup312); - -var msg20177 = msg("18000", dup312); - -var msg20178 = msg("18001", dup312); - -var msg20179 = msg("18002", dup312); - -var msg20180 = msg("18003", dup312); - -var msg20181 = msg("18004", dup287); - -var msg20182 = msg("18005", dup312); - -var msg20183 = msg("18006", dup312); - -var msg20184 = msg("18007", dup312); - -var msg20185 = msg("18008", dup312); - -var msg20186 = msg("18009", dup312); - -var msg20187 = msg("18010", dup312); - -var msg20188 = msg("18011", dup312); - -var msg20189 = msg("18012", dup312); - -var msg20190 = msg("18013", dup312); - -var msg20191 = msg("18014", dup312); - -var msg20192 = msg("18015", dup312); - -var msg20193 = msg("18016", dup312); - -var msg20194 = msg("18017", dup312); - -var msg20195 = msg("18018", dup312); - -var msg20196 = msg("18019", dup312); - -var msg20197 = msg("18020", dup312); - -var msg20198 = msg("18021", dup312); - -var msg20199 = msg("18022", dup312); - -var msg20200 = msg("18023", dup312); - -var msg20201 = msg("18024", dup312); - -var msg20202 = msg("18025", dup312); - -var msg20203 = msg("18026", dup312); - -var msg20204 = msg("18027", dup312); - -var msg20205 = msg("18028", dup312); - -var msg20206 = msg("18029", dup312); - -var msg20207 = msg("18030", dup312); - -var msg20208 = msg("18031", dup312); - -var msg20209 = msg("18032", dup312); - -var msg20210 = msg("18033", dup312); - -var msg20211 = msg("18034", dup312); - -var msg20212 = msg("18035", dup312); - -var msg20213 = msg("18036", dup312); - -var msg20214 = msg("18037", dup312); - -var msg20215 = msg("18038", dup312); - -var msg20216 = msg("18039", dup312); - -var msg20217 = msg("18040", dup312); - -var msg20218 = msg("18041", dup312); - -var msg20219 = msg("18042", dup312); - -var msg20220 = msg("18043", 
dup312); - -var msg20221 = msg("18044", dup312); - -var msg20222 = msg("18045", dup312); - -var msg20223 = msg("18046", dup312); - -var msg20224 = msg("18047", dup312); - -var msg20225 = msg("18048", dup312); - -var msg20226 = msg("18049", dup312); - -var msg20227 = msg("18050", dup312); - -var msg20228 = msg("18051", dup265); - -var msg20229 = msg("18052", dup265); - -var msg20230 = msg("18053", dup312); - -var msg20231 = msg("18054", dup312); - -var msg20232 = msg("18055", dup312); - -var msg20233 = msg("18056", dup312); - -var msg20234 = msg("18057", dup312); - -var msg20235 = msg("18058", dup312); - -var msg20236 = msg("18059", dup312); - -var msg20237 = msg("18060", dup312); - -var msg20238 = msg("18061", dup312); - -var msg20239 = msg("18062", dup267); - -var msg20240 = msg("18063", dup267); - -var msg20241 = msg("18064", dup267); - -var msg20242 = msg("18065", dup267); - -var msg20243 = msg("18066", dup267); - -var msg20244 = msg("18067", dup267); - -var msg20245 = msg("18068", dup267); - -var msg20246 = msg("18069", dup265); - -var msg20247 = msg("18070", dup276); - -var msg20248 = msg("18071", dup267); - -var msg20249 = msg("18072", dup265); - -var msg20250 = msg("18073", dup267); - -var msg20251 = msg("18074", dup265); - -var msg20252 = msg("18076", dup265); - -var msg20253 = msg("18077", dup197); - -var msg20254 = msg("18078", dup197); - -var msg20255 = msg("18079", dup263); - -var msg20256 = msg("18080", dup263); - -var msg20257 = msg("18081", dup263); - -var msg20258 = msg("18082", dup263); - -var msg20259 = msg("18083", dup263); - -var msg20260 = msg("18084", dup263); - -var msg20261 = msg("18085", dup263); - -var msg20262 = msg("18086", dup263); - -var msg20263 = msg("18087", dup263); - -var msg20264 = msg("18088", dup263); - -var msg20265 = msg("18089", dup263); - -var msg20266 = msg("18090", dup263); - -var msg20267 = msg("18091", dup263); - -var msg20268 = msg("18092", dup263); - -var msg20269 = msg("18093", dup263); - -var msg20270 = msg("18094", 
dup263); - -var msg20271 = msg("18095", dup263); - -var msg20272 = msg("18096", dup265); - -var msg20273 = msg("18097", dup265); - -var msg20274 = msg("18098", dup269); - -var msg20275 = msg("18099", dup269); - -var msg20276 = msg("18100", dup263); - -var msg20277 = msg("18101", dup267); - -var msg20278 = msg("18102", dup202); - -var msg20279 = msg("18103", dup263); - -var msg20280 = msg("18104", dup263); - -var msg20281 = msg("18105", dup263); - -var msg20282 = msg("18106", dup263); - -var msg20283 = msg("18107", dup263); - -var msg20284 = msg("18108", dup263); - -var msg20285 = msg("18109", dup263); - -var msg20286 = msg("18110", dup263); - -var msg20287 = msg("18111", dup263); - -var msg20288 = msg("18112", dup263); - -var msg20289 = msg("18113", dup263); - -var msg20290 = msg("18114", dup263); - -var msg20291 = msg("18115", dup263); - -var msg20292 = msg("18116", dup263); - -var msg20293 = msg("18117", dup263); - -var msg20294 = msg("18118", dup263); - -var msg20295 = msg("18119", dup263); - -var msg20296 = msg("18120", dup263); - -var msg20297 = msg("18121", dup263); - -var msg20298 = msg("18122", dup263); - -var msg20299 = msg("18123", dup263); - -var msg20300 = msg("18124", dup263); - -var msg20301 = msg("18125", dup263); - -var msg20302 = msg("18126", dup263); - -var msg20303 = msg("18127", dup263); - -var msg20304 = msg("18128", dup263); - -var msg20305 = msg("18129", dup263); - -var msg20306 = msg("18130", dup263); - -var msg20307 = msg("18131", dup263); - -var msg20308 = msg("18132", dup263); - -var msg20309 = msg("18133", dup263); - -var msg20310 = msg("18134", dup263); - -var msg20311 = msg("18135", dup263); - -var msg20312 = msg("18136", dup263); - -var msg20313 = msg("18137", dup263); - -var msg20314 = msg("18138", dup263); - -var msg20315 = msg("18139", dup263); - -var msg20316 = msg("18140", dup263); - -var msg20317 = msg("18141", dup263); - -var msg20318 = msg("18142", dup263); - -var msg20319 = msg("18143", dup263); - -var msg20320 = msg("18144", 
dup263); - -var msg20321 = msg("18145", dup263); - -var msg20322 = msg("18146", dup263); - -var msg20323 = msg("18147", dup263); - -var msg20324 = msg("18148", dup263); - -var msg20325 = msg("18149", dup263); - -var msg20326 = msg("18150", dup263); - -var msg20327 = msg("18151", dup263); - -var msg20328 = msg("18152", dup263); - -var msg20329 = msg("18153", dup263); - -var msg20330 = msg("18154", dup263); - -var msg20331 = msg("18155", dup263); - -var msg20332 = msg("18156", dup263); - -var msg20333 = msg("18157", dup263); - -var msg20334 = msg("18158", dup263); - -var msg20335 = msg("18159", dup263); - -var msg20336 = msg("18160", dup263); - -var msg20337 = msg("18161", dup263); - -var msg20338 = msg("18162", dup263); - -var msg20339 = msg("18163", dup263); - -var msg20340 = msg("18164", dup263); - -var msg20341 = msg("18165", dup263); - -var msg20342 = msg("18166", dup263); - -var msg20343 = msg("18167", dup265); - -var msg20344 = msg("18168", dup265); - -var msg20345 = msg("18169", dup265); - -var msg20346 = msg("18170", dup267); - -var msg20347 = msg("18171", dup201); - -var msg20348 = msg("18172", dup201); - -var msg20349 = msg("18173", dup201); - -var msg20350 = msg("18174", dup267); - -var msg20351 = msg("18175", dup267); - -var msg20352 = msg("18176", dup267); - -var msg20353 = msg("18177", dup267); - -var msg20354 = msg("18178", dup267); - -var msg20355 = msg("18179", dup194); - -var msg20356 = msg("18180", dup307); - -var msg20357 = msg("18181", dup227); - -var msg20358 = msg("18182", dup227); - -var msg20359 = msg("18183", dup263); - -var msg20360 = msg("18184", dup263); - -var msg20361 = msg("18185", dup263); - -var msg20362 = msg("18186", dup267); - -var msg20363 = msg("18187", dup267); - -var msg20364 = msg("18188", dup287); - -var msg20365 = msg("18189", dup255); - -var msg20366 = msg("18190", dup255); - -var msg20367 = msg("18191", dup255); - -var msg20368 = msg("18192", dup255); - -var msg20369 = msg("18193", dup269); - -var msg20370 = msg("18194", 
dup269); - -var msg20371 = msg("18195", dup198); - -var msg20372 = msg("18196", dup265); - -var msg20373 = msg("18197", dup267); - -var msg20374 = msg("18198", dup267); - -var msg20375 = msg("18199", dup267); - -var msg20376 = msg("18200", dup197); - -var msg20377 = msg("18201", dup267); - -var msg20378 = msg("18202", dup269); - -var msg20379 = msg("18203", dup269); - -var msg20380 = msg("18204", dup269); - -var msg20381 = msg("18205", dup269); - -var msg20382 = msg("18206", dup269); - -var msg20383 = msg("18207", dup269); - -var msg20384 = msg("18208", dup267); - -var msg20385 = msg("18209", dup276); - -var msg20386 = msg("18210", dup267); - -var msg20387 = msg("18211", dup306); - -var msg20388 = msg("18212", dup197); - -var msg20389 = msg("18213", dup267); - -var msg20390 = msg("18214", dup267); - -var msg20391 = msg("18215", dup255); - -var msg20392 = msg("18216", dup265); - -var msg20393 = msg("18217", dup267); - -var msg20394 = msg("18218", dup287); - -var msg20395 = msg("18219", dup267); - -var msg20396 = msg("18220", dup267); - -var msg20397 = msg("18221", dup267); - -var msg20398 = msg("18222", dup267); - -var msg20399 = msg("18223", dup267); - -var msg20400 = msg("18224", dup267); - -var msg20401 = msg("18225", dup276); - -var msg20402 = msg("18226", dup276); - -var msg20403 = msg("18227", dup276); - -var msg20404 = msg("18228", dup202); - -var msg20405 = msg("18229", dup197); - -var msg20406 = msg("18230", dup267); - -var msg20407 = msg("18231", dup265); - -var msg20408 = msg("18232", dup202); - -var msg20409 = msg("18233", dup267); - -var msg20410 = msg("18234", dup265); - -var msg20411 = msg("18235", dup267); - -var msg20412 = msg("18236", dup267); - -var msg20413 = msg("18237", dup267); - -var msg20414 = msg("18238", dup267); - -var msg20415 = msg("18239", dup269); - -var msg20416 = msg("18240", dup265); - -var msg20417 = msg("18241", dup265); - -var msg20418 = msg("18242", dup265); - -var msg20419 = msg("18243", dup227); - -var msg20420 = msg("18244", 
dup197); - -var msg20421 = msg("18245", dup197); - -var msg20422 = msg("18246", dup197); - -var msg20423 = msg("18247", dup269); - -var msg20424 = msg("18248", dup197); - -var msg20425 = msg("18249", dup201); - -var msg20426 = msg("18250", dup197); - -var msg20427 = msg("18251", dup263); - -var msg20428 = msg("18252", dup255); - -var msg20429 = msg("18253", dup263); - -var msg20430 = msg("18254", dup263); - -var msg20431 = msg("18255", dup263); - -var msg20432 = msg("18256", dup263); - -var msg20433 = msg("18257", dup263); - -var msg20434 = msg("18258", dup263); - -var msg20435 = msg("18259", dup263); - -var msg20436 = msg("18260", dup263); - -var msg20437 = msg("18261", dup267); - -var msg20438 = msg("18262", dup267); - -var msg20439 = msg("18263", dup287); - -var msg20440 = msg("18264", dup287); - -var msg20441 = msg("18265", dup265); - -var msg20442 = msg("18266", dup255); - -var msg20443 = msg("18267", dup255); - -var msg20444 = msg("18268", dup263); - -var msg20445 = msg("18269", dup263); - -var msg20446 = msg("18270", dup263); - -var msg20447 = msg("18271", dup263); - -var msg20448 = msg("18272", dup263); - -var msg20449 = msg("18273", dup265); - -var msg20450 = msg("18274", dup265); - -var msg20451 = msg("18275", dup265); - -var msg20452 = msg("18276", dup202); - -var msg20453 = msg("18277", dup267); - -var msg20454 = msg("18278", dup276); - -var msg20455 = msg("18279", dup192); - -var msg20456 = msg("18280", dup267); - -var msg20457 = msg("18281", dup192); - -var msg20458 = msg("18282", dup267); - -var msg20459 = msg("18283", dup197); - -var msg20460 = msg("18284", dup197); - -var msg20461 = msg("18285", dup197); - -var msg20462 = msg("18286", dup267); - -var msg20463 = msg("18287", dup197); - -var msg20464 = msg("18288", dup197); - -var msg20465 = msg("18289", dup197); - -var msg20466 = msg("18290", dup197); - -var msg20467 = msg("18291", dup197); - -var msg20468 = msg("18292", dup197); - -var msg20469 = msg("18293", dup199); - -var msg20470 = msg("18294", 
dup197); - -var msg20471 = msg("18295", dup197); - -var msg20472 = msg("18296", dup267); - -var msg20473 = msg("18297", dup197); - -var msg20474 = msg("18298", dup267); - -var msg20475 = msg("18299", dup265); - -var msg20476 = msg("18300", dup199); - -var msg20477 = msg("18301", dup267); - -var msg20478 = msg("18302", dup267); - -var msg20479 = msg("18303", dup201); - -var msg20480 = msg("18304", dup267); - -var msg20481 = msg("18305", dup267); - -var msg20482 = msg("18306", dup267); - -var msg20483 = msg("18307", dup267); - -var msg20484 = msg("18308", dup197); - -var msg20485 = msg("18309", dup197); - -var msg20486 = msg("18310", dup267); - -var msg20487 = msg("18311", dup265); - -var msg20488 = msg("18312", dup197); - -var msg20489 = msg("18313", dup267); - -var msg20490 = msg("18314", dup201); - -var msg20491 = msg("18315", dup201); - -var msg20492 = msg("18316", dup255); - -var msg20493 = msg("18317", dup201); - -var msg20494 = msg("18318", dup202); - -var msg20495 = msg("18319", dup201); - -var msg20496 = msg("18320", dup197); - -var msg20497 = msg("18321", dup265); - -var msg20498 = msg("18322", dup265); - -var msg20499 = msg("18323", dup265); - -var msg20500 = msg("18324", dup265); - -var msg20501 = msg("18325", dup265); - -var msg20502 = msg("18326", dup227); - -var msg20503 = msg("18327", dup197); - -var msg20504 = msg("18328", dup267); - -var msg20505 = msg("18329", dup265); - -var msg20506 = msg("18330", dup276); - -var msg20507 = msg("18331", dup197); - -var msg20508 = msg("18332", dup267); - -var msg20509 = msg("18333", dup267); - -var msg20510 = msg("18334", dup267); - -var msg20511 = msg("18335", dup265); - -var msg20512 = msg("18336", dup269); - -var msg20513 = msg("18337", dup269); - -var msg20514 = msg("18338", dup269); - -var msg20515 = msg("18339", dup269); - -var msg20516 = msg("18340", dup269); - -var msg20517 = msg("18341", dup269); - -var msg20518 = msg("18342", dup269); - -var msg20519 = msg("18343", dup269); - -var msg20520 = msg("18344", 
dup269); - -var msg20521 = msg("18345", dup269); - -var msg20522 = msg("18346", dup269); - -var msg20523 = msg("18347", dup269); - -var msg20524 = msg("18348", dup269); - -var msg20525 = msg("18349", dup269); - -var msg20526 = msg("18350", dup269); - -var msg20527 = msg("18351", dup269); - -var msg20528 = msg("18352", dup269); - -var msg20529 = msg("18353", dup269); - -var msg20530 = msg("18354", dup269); - -var msg20531 = msg("18355", dup269); - -var msg20532 = msg("18356", dup269); - -var msg20533 = msg("18357", dup269); - -var msg20534 = msg("18358", dup269); - -var msg20535 = msg("18359", dup269); - -var msg20536 = msg("18360", dup269); - -var msg20537 = msg("18361", dup269); - -var msg20538 = msg("18362", dup269); - -var msg20539 = msg("18363", dup269); - -var msg20540 = msg("18364", dup269); - -var msg20541 = msg("18365", dup269); - -var msg20542 = msg("18366", dup269); - -var msg20543 = msg("18367", dup269); - -var msg20544 = msg("18368", dup269); - -var msg20545 = msg("18369", dup269); - -var msg20546 = msg("18370", dup269); - -var msg20547 = msg("18371", dup269); - -var msg20548 = msg("18372", dup269); - -var msg20549 = msg("18373", dup269); - -var msg20550 = msg("18374", dup269); - -var msg20551 = msg("18375", dup269); - -var msg20552 = msg("18376", dup269); - -var msg20553 = msg("18377", dup269); - -var msg20554 = msg("18378", dup269); - -var msg20555 = msg("18379", dup269); - -var msg20556 = msg("18380", dup269); - -var msg20557 = msg("18381", dup269); - -var msg20558 = msg("18382", dup269); - -var msg20559 = msg("18383", dup269); - -var msg20560 = msg("18384", dup269); - -var msg20561 = msg("18385", dup269); - -var msg20562 = msg("18386", dup269); - -var msg20563 = msg("18387", dup269); - -var msg20564 = msg("18388", dup269); - -var msg20565 = msg("18389", dup269); - -var msg20566 = msg("18390", dup269); - -var msg20567 = msg("18391", dup269); - -var msg20568 = msg("18392", dup269); - -var msg20569 = msg("18393", dup269); - -var msg20570 = msg("18394", 
dup269); - -var msg20571 = msg("18395", dup269); - -var msg20572 = msg("18396", dup265); - -var msg20573 = msg("18397", dup267); - -var msg20574 = msg("18398", dup265); - -var msg20575 = msg("18399", dup267); - -var msg20576 = msg("18400", dup202); - -var msg20577 = msg("18401", dup201); - -var msg20578 = msg("18402", dup267); - -var msg20579 = msg("18403", dup197); - -var msg20580 = msg("18404", dup267); - -var msg20581 = msg("18405", dup197); - -var msg20582 = msg("18406", dup201); - -var msg20583 = msg("18407", dup287); - -var msg20584 = msg("18408", dup267); - -var msg20585 = msg("18409", dup267); - -var msg20586 = msg("18410", dup267); - -var msg20587 = msg("18411", dup202); - -var msg20588 = msg("18412", dup202); - -var msg20589 = msg("18413", dup267); - -var msg20590 = msg("18414", dup265); - -var msg20591 = msg("18415", dup202); - -var msg20592 = msg("18416", dup197); - -var msg20593 = msg("18417", dup197); - -var msg20594 = msg("18418", dup267); - -var msg20595 = msg("18419", dup267); - -var msg20596 = msg("18420", dup201); - -var msg20597 = msg("18421", dup267); - -var msg20598 = msg("18422", dup306); - -var msg20599 = msg("18423", dup306); - -var msg20600 = msg("18424", dup306); - -var msg20601 = msg("18425", dup306); - -var msg20602 = msg("18426", dup260); - -var msg20603 = msg("18427", dup311); - -var msg20604 = msg("18428", dup311); - -var msg20605 = msg("18429", dup311); - -var msg20606 = msg("18430", dup311); - -var msg20607 = msg("18431", dup260); - -var msg20608 = msg("18432", dup267); - -var msg20609 = msg("18433", dup276); - -var msg20610 = msg("18434", dup276); - -var msg20611 = msg("18435", dup276); - -var msg20612 = msg("18436", dup276); - -var msg20613 = msg("18437", dup276); - -var msg20614 = msg("18438", dup276); - -var msg20615 = msg("18439", dup267); - -var msg20616 = msg("18440", dup267); - -var msg20617 = msg("18441", dup267); - -var msg20618 = msg("18442", dup267); - -var msg20619 = msg("18443", dup267); - -var msg20620 = msg("18444", 
dup202); - -var msg20621 = msg("18445", dup267); - -var msg20622 = msg("18446", dup276); - -var msg20623 = msg("18447", dup267); - -var msg20624 = msg("18448", dup267); - -var msg20625 = msg("18449", dup267); - -var msg20626 = msg("18450", dup202); - -var msg20627 = msg("18451", dup197); - -var msg20628 = msg("18452", dup267); - -var msg20629 = msg("18453", dup267); - -var msg20630 = msg("18454", dup267); - -var msg20631 = msg("18455", dup202); - -var msg20632 = msg("18456", dup265); - -var msg20633 = msg("18457", dup197); - -var msg20634 = msg("18458", dup202); - -var msg20635 = msg("18459", dup202); - -var msg20636 = msg("18460", dup197); - -var msg20637 = msg("18461", dup197); - -var msg20638 = msg("18462", dup197); - -var msg20639 = msg("18463", dup267); - -var msg20640 = msg("18464", dup265); - -var msg20641 = msg("18465", dup267); - -var msg20642 = msg("18466", dup267); - -var msg20643 = msg("18467", dup267); - -var msg20644 = msg("18468", dup197); - -var msg20645 = msg("18469", dup255); - -var msg20646 = msg("18470", dup198); - -var msg20647 = msg("18471", dup198); - -var msg20648 = msg("18472", dup201); - -var msg20649 = msg("18473", dup232); - -var msg20650 = msg("18474", dup232); - -var msg20651 = msg("18475", dup197); - -var msg20652 = msg("18476", dup197); - -var msg20653 = msg("18477", dup197); - -var msg20654 = msg("18478", dup265); - -var msg20655 = msg("18479", dup265); - -var msg20656 = msg("18480", dup197); - -var msg20657 = msg("18481", dup197); - -var msg20658 = msg("18482", dup267); - -var msg20659 = msg("18483", dup197); - -var msg20660 = msg("18484", dup197); - -var msg20661 = msg("18485", dup267); - -var msg20662 = msg("18486", dup267); - -var msg20663 = msg("18487", dup197); - -var msg20664 = msg("18488", dup267); - -var msg20665 = msg("18489", dup276); - -var msg20666 = msg("18490", dup265); - -var msg20667 = msg("18491", dup265); - -var msg20668 = msg("18492", dup263); - -var msg20669 = msg("18493", dup265); - -var msg20670 = msg("18494", 
dup276); - -var msg20671 = msg("18495", dup267); - -var msg20672 = msg("18496", dup267); - -var msg20673 = msg("18497", dup276); - -var msg20674 = msg("18498", dup267); - -var msg20675 = msg("18499", dup267); - -var msg20676 = msg("18500", dup276); - -var msg20677 = msg("18501", dup263); - -var msg20678 = msg("18502", dup287); - -var msg20679 = msg("18503", dup267); - -var msg20680 = msg("18504", dup197); - -var msg20681 = msg("18505", dup197); - -var msg20682 = msg("18506", dup197); - -var msg20683 = msg("18507", dup197); - -var msg20684 = msg("18508", dup267); - -var msg20685 = msg("18509", dup267); - -var msg20686 = msg("18510", dup197); - -var msg20687 = msg("18511", dup198); - -var msg20688 = msg("18512", dup197); - -var msg20689 = msg("18513", dup260); - -var msg20690 = msg("18514", dup267); - -var msg20691 = msg("18515", dup267); - -var msg20692 = msg("18516", dup202); - -var msg20693 = msg("18517", dup197); - -var msg20694 = msg("18518", dup269); - -var msg20695 = msg("18519", dup269); - -var msg20696 = msg("18520", dup267); - -var msg20697 = msg("18521", dup269); - -var msg20698 = msg("18522", dup269); - -var msg20699 = msg("18523", dup267); - -var msg20700 = msg("18524", dup287); - -var msg20701 = msg("18525", dup197); - -var msg20702 = msg("18526", dup267); - -var msg20703 = msg("18527", dup267); - -var msg20704 = msg("18528", dup265); - -var msg20705 = msg("18529", dup311); - -var msg20706 = msg("18530", dup311); - -var msg20707 = msg("18531", dup201); - -var msg20708 = msg("18532", dup201); - -var msg20709 = msg("18533", dup198); - -var msg20710 = msg("18534", dup198); - -var msg20711 = msg("18535", dup201); - -var msg20712 = msg("18536", dup202); - -var msg20713 = msg("18537", dup197); - -var msg20714 = msg("18538", dup267); - -var msg20715 = msg("18539", dup267); - -var msg20716 = msg("18540", dup267); - -var msg20717 = msg("18541", dup202); - -var msg20718 = msg("18542", dup267); - -var msg20719 = msg("18543", dup202); - -var msg20720 = msg("18544", 
dup202); - -var msg20721 = msg("18545", dup202); - -var msg20722 = msg("18546", dup202); - -var msg20723 = msg("18547", dup202); - -var msg20724 = msg("18548", dup202); - -var msg20725 = msg("18549", dup202); - -var msg20726 = msg("18550", dup202); - -var msg20727 = msg("18551", dup250); - -var msg20728 = msg("18552", dup250); - -var msg20729 = msg("18553", dup250); - -var msg20730 = msg("18554", dup250); - -var msg20731 = msg("18555", dup267); - -var msg20732 = msg("18556", dup260); - -var msg20733 = msg("18557", dup255); - -var msg20734 = msg("18558", dup255); - -var msg20735 = msg("18559", dup267); - -var msg20736 = msg("18560", dup267); - -var msg20737 = msg("18561", dup197); - -var msg20738 = msg("18562", dup303); - -var msg20739 = msg("18563", dup192); - -var msg20740 = msg("18564", dup303); - -var msg20741 = msg("18565", dup265); - -var msg20742 = msg("18566", dup265); - -var msg20743 = msg("18567", dup265); - -var msg20744 = msg("18568", dup265); - -var msg20745 = msg("18569", dup265); - -var msg20746 = msg("18570", dup265); - -var msg20747 = msg("18571", dup265); - -var msg20748 = msg("18572", dup265); - -var msg20749 = msg("18573", dup265); - -var msg20750 = msg("18574", dup197); - -var msg20751 = msg("18575", dup227); - -var msg20752 = msg("18576", dup265); - -var msg20753 = msg("18577", dup192); - -var msg20754 = msg("18578", dup197); - -var msg20755 = msg("18579", dup197); - -var msg20756 = msg("18580", dup227); - -var msg20757 = msg("18581", dup265); - -var msg20758 = msg("18582", dup265); - -var msg20759 = msg("18583", dup197); - -var msg20760 = msg("18584", dup197); - -var msg20761 = msg("18585", dup267); - -var msg20762 = msg("18586", dup260); - -var msg20763 = msg("18587", dup197); - -var msg20764 = msg("18588", dup227); - -var msg20765 = msg("18589", dup267); - -var msg20766 = msg("18590", dup197); - -var msg20767 = msg("18591", dup197); - -var msg20768 = msg("18592", dup267); - -var msg20769 = msg("18593", dup265); - -var msg20770 = msg("18594", 
dup202); - -var msg20771 = msg("18595", dup202); - -var msg20772 = msg("18596", dup197); - -var msg20773 = msg("18597", dup197); - -var msg20774 = msg("18598", dup227); - -var msg20775 = msg("18599", dup197); - -var msg20776 = msg("18600", dup197); - -var msg20777 = msg("18601", dup202); - -var msg20778 = msg("18602", dup260); - -var msg20779 = msg("18603", dup197); - -var msg20780 = msg("18604", dup201); - -var msg20781 = msg("18605", dup197); - -var msg20782 = msg("18606", dup202); - -var msg20783 = msg("18607", dup202); - -var msg20784 = msg("18608", dup202); - -var msg20785 = msg("18609", dup202); - -var msg20786 = msg("18610", dup197); - -var msg20787 = msg("18611", dup309); - -var msg20788 = msg("18612", dup309); - -var msg20789 = msg("18613", dup309); - -var msg20790 = msg("18614", dup202); - -var msg20791 = msg("18615", dup197); - -var msg20792 = msg("18616", dup197); - -var msg20793 = msg("18617", dup202); - -var msg20794 = msg("18618", dup202); - -var msg20795 = msg("18619", dup267); - -var msg20796 = msg("18620", dup267); - -var msg20797 = msg("18621", dup267); - -var msg20798 = msg("18622", dup267); - -var msg20799 = msg("18623", dup267); - -var msg20800 = msg("18624", dup267); - -var msg20801 = msg("18625", dup276); - -var msg20802 = msg("18626", dup276); - -var msg20803 = msg("18627", dup276); - -var msg20804 = msg("18628", dup276); - -var msg20805 = msg("18629", dup276); - -var msg20806 = msg("18630", dup197); - -var msg20807 = msg("18631", dup197); - -var msg20808 = msg("18632", dup267); - -var msg20809 = msg("18633", dup267); - -var msg20810 = msg("18634", dup267); - -var msg20811 = msg("18635", dup202); - -var msg20812 = msg("18636", dup267); - -var msg20813 = msg("18637", dup267); - -var msg20814 = msg("18638", dup267); - -var msg20815 = msg("18639", dup267); - -var msg20816 = msg("18640", dup265); - -var msg20817 = msg("18641", dup267); - -var msg20818 = msg("18642", dup197); - -var msg20819 = msg("18643", dup197); - -var msg20820 = msg("18644", 
dup267); - -var msg20821 = msg("18645", dup267); - -var msg20822 = msg("18646", dup267); - -var msg20823 = msg("18647", dup311); - -var msg20824 = msg("18648", dup202); - -var msg20825 = msg("18649", dup197); - -var msg20826 = msg("18650", dup276); - -var msg20827 = msg("18651", dup197); - -var msg20828 = msg("18652", dup197); - -var msg20829 = msg("18653", dup314); - -var msg20830 = msg("18654", dup202); - -var msg20831 = msg("18655", dup267); - -var msg20832 = msg("18656", dup197); - -var msg20833 = msg("18657", dup267); - -var msg20834 = msg("18658", dup197); - -var msg20835 = msg("18659", dup197); - -var msg20836 = msg("18660", dup197); - -var msg20837 = msg("18661", dup267); - -var msg20838 = msg("18662", dup267); - -var msg20839 = msg("18663", dup267); - -var msg20840 = msg("18664", dup267); - -var msg20841 = msg("18665", dup267); - -var msg20842 = msg("18666", dup267); - -var msg20843 = msg("18667", dup267); - -var msg20844 = msg("18668", dup265); - -var msg20845 = msg("18669", dup265); - -var msg20846 = msg("18670", dup267); - -var msg20847 = msg("18671", dup267); - -var msg20848 = msg("18672", dup265); - -var msg20849 = msg("18673", dup267); - -var msg20850 = msg("18674", dup265); - -var msg20851 = msg("18675", dup265); - -var msg20852 = msg("18676", dup197); - -var msg20853 = msg("18677", dup309); - -var msg20854 = msg("18678", dup267); - -var msg20855 = msg("18679", dup267); - -var msg20856 = msg("18680", dup202); - -var msg20857 = msg("18681", dup202); - -var msg20858 = msg("18682", dup202); - -var msg20859 = msg("18683", dup202); - -var msg20860 = msg("18684", dup202); - -var msg20861 = msg("18685", dup202); - -var msg20862 = msg("18686", dup192); - -var msg20863 = msg("18687", dup192); - -var msg20864 = msg("18688", dup192); - -var msg20865 = msg("18689", dup192); - -var msg20866 = msg("18690", dup192); - -var msg20867 = msg("18691", dup202); - -var msg20868 = msg("18700", dup202); - -var msg20869 = msg("18701", dup250); - -var msg20870 = msg("18702", 
dup250); - -var msg20871 = msg("18703", dup250); - -var msg20872 = msg("18704", dup250); - -var msg20873 = msg("18705", dup250); - -var msg20874 = msg("18706", dup202); - -var msg20875 = msg("18707", dup303); - -var msg20876 = msg("18708", dup263); - -var msg20877 = msg("18709", dup192); - -var msg20878 = msg("18710", dup197); - -var msg20879 = msg("18711", dup303); - -var msg20880 = msg("18712", dup263); - -var msg20881 = msg("18713", dup198); - -var msg20882 = msg("18714", dup198); - -var msg20883 = msg("18715", dup303); - -var msg20884 = msg("18716", dup192); - -var msg20885 = msg("18717", dup192); - -var msg20886 = msg("18718", dup303); - -var msg20887 = msg("18719", dup192); - -var msg20888 = msg("18720", dup192); - -var msg20889 = msg("18721", dup197); - -var msg20890 = msg("18722", dup197); - -var msg20891 = msg("18723", dup303); - -var msg20892 = msg("18724", dup303); - -var msg20893 = msg("18725", dup197); - -var msg20894 = msg("18726", dup197); - -var msg20895 = msg("18727", dup197); - -var msg20896 = msg("18728", dup197); - -var msg20897 = msg("18729", dup197); - -var msg20898 = msg("18730", dup197); - -var msg20899 = msg("18731", dup197); - -var msg20900 = msg("18732", dup197); - -var msg20901 = msg("18733", dup197); - -var msg20902 = msg("18734", dup197); - -var msg20903 = msg("18735", dup197); - -var msg20904 = msg("18736", dup197); - -var msg20905 = msg("18737", dup197); - -var msg20906 = msg("18738", dup197); - -var msg20907 = msg("18739", dup238); - -var msg20908 = msg("18740", dup267); - -var msg20909 = msg("18741", dup265); - -var msg20910 = msg("18742", dup267); - -var msg20911 = msg("18743", dup267); - -var msg20912 = msg("18744", dup197); - -var msg20913 = msg("18745", dup197); - -var msg20914 = msg("18746", dup197); - -var msg20915 = msg("18747", dup197); - -var msg20916 = msg("18748", dup197); - -var msg20917 = msg("18749", dup197); - -var msg20918 = msg("18750", dup201); - -var msg20919 = msg("18751", dup197); - -var msg20920 = msg("18752", 
dup197); - -var msg20921 = msg("18753", dup267); - -var msg20922 = msg("18754", dup267); - -var msg20923 = msg("18755", dup267); - -var msg20924 = msg("18756", dup267); - -var msg20925 = msg("18757", dup267); - -var msg20926 = msg("18758", dup287); - -var msg20927 = msg("18759", dup197); - -var msg20928 = msg("18760", dup197); - -var msg20929 = msg("18761", dup265); - -var msg20930 = msg("18762", dup269); - -var msg20931 = msg("18763", dup197); - -var msg20932 = msg("18764", dup201); - -var msg20933 = msg("18765", dup250); - -var msg20934 = msg("18766", dup267); - -var msg20935 = msg("18767", dup201); - -var msg20936 = msg("18768", dup197); - -var msg20937 = msg("18769", dup197); - -var msg20938 = msg("18770", dup267); - -var msg20939 = msg("18771", dup267); - -var msg20940 = msg("18772", dup267); - -var msg20941 = msg("18773", dup269); - -var msg20942 = msg("18774", dup269); - -var msg20943 = msg("18775", dup269); - -var msg20944 = msg("18776", dup267); - -var msg20945 = msg("18777", dup198); - -var msg20946 = msg("18778", dup197); - -var msg20947 = msg("18779", dup197); - -var msg20948 = msg("18780", dup197); - -var msg20949 = msg("18781", dup197); - -var msg20950 = msg("18782", dup269); - -var msg20951 = msg("18783", dup197); - -var msg20952 = msg("18784", dup197); - -var msg20953 = msg("18785", dup197); - -var msg20954 = msg("18786", dup197); - -var msg20955 = msg("18787", dup197); - -var msg20956 = msg("18788", dup197); - -var msg20957 = msg("18789", dup197); - -var msg20958 = msg("18790", dup201); - -var msg20959 = msg("18791", dup197); - -var msg20960 = msg("18792", dup267); - -var msg20961 = msg("18793", dup267); - -var msg20962 = msg("18794", dup265); - -var msg20963 = msg("18795", dup267); - -var msg20964 = msg("18796", dup197); - -var msg20965 = msg("18797", dup267); - -var msg20966 = msg("18798", dup198); - -var msg20967 = msg("18799", dup198); - -var msg20968 = msg("18800", dup202); - -var msg20969 = msg("18801", dup267); - -var msg20970 = msg("18802", 
dup265); - -var msg20971 = msg("18803", dup197); - -var msg20972 = msg("18804", dup267); - -var msg20973 = msg("18805", dup267); - -var msg20974 = msg("18806", dup267); - -var msg20975 = msg("18807", dup198); - -var msg20976 = msg("18808", dup201); - -var msg20977 = msg("18809", dup197); - -var msg20978 = msg("18810", dup265); - -var msg20979 = msg("18811", dup250); - -var msg20980 = msg("18812", dup250); - -var msg20981 = msg("18813", dup250); - -var msg20982 = msg("18814", dup250); - -var msg20983 = msg("18815", dup250); - -var msg20984 = msg("18816", dup250); - -var msg20985 = msg("18817", dup250); - -var msg20986 = msg("18818", dup250); - -var msg20987 = msg("18819", dup250); - -var msg20988 = msg("18820", dup250); - -var msg20989 = msg("18821", dup250); - -var msg20990 = msg("18822", dup250); - -var msg20991 = msg("18823", dup250); - -var msg20992 = msg("18824", dup250); - -var msg20993 = msg("18825", dup250); - -var msg20994 = msg("18826", dup250); - -var msg20995 = msg("18827", dup250); - -var msg20996 = msg("18828", dup250); - -var msg20997 = msg("18829", dup250); - -var msg20998 = msg("18830", dup250); - -var msg20999 = msg("18831", dup250); - -var msg21000 = msg("18832", dup250); - -var msg21001 = msg("18833", dup250); - -var msg21002 = msg("18834", dup250); - -var msg21003 = msg("18835", dup250); - -var msg21004 = msg("18836", dup250); - -var msg21005 = msg("18837", dup250); - -var msg21006 = msg("18838", dup250); - -var msg21007 = msg("18839", dup250); - -var msg21008 = msg("18840", dup250); - -var msg21009 = msg("18841", dup250); - -var msg21010 = msg("18842", dup250); - -var msg21011 = msg("18843", dup250); - -var msg21012 = msg("18844", dup250); - -var msg21013 = msg("18845", dup250); - -var msg21014 = msg("18846", dup250); - -var msg21015 = msg("18847", dup250); - -var msg21016 = msg("18848", dup250); - -var msg21017 = msg("18849", dup250); - -var msg21018 = msg("18850", dup250); - -var msg21019 = msg("18851", dup250); - -var msg21020 = msg("18852", 
dup250); - -var msg21021 = msg("18853", dup250); - -var msg21022 = msg("18854", dup250); - -var msg21023 = msg("18855", dup250); - -var msg21024 = msg("18856", dup250); - -var msg21025 = msg("18857", dup250); - -var msg21026 = msg("18858", dup250); - -var msg21027 = msg("18859", dup250); - -var msg21028 = msg("18860", dup250); - -var msg21029 = msg("18861", dup250); - -var msg21030 = msg("18862", dup250); - -var msg21031 = msg("18863", dup250); - -var msg21032 = msg("18864", dup250); - -var msg21033 = msg("18865", dup250); - -var msg21034 = msg("18866", dup250); - -var msg21035 = msg("18867", dup250); - -var msg21036 = msg("18868", dup250); - -var msg21037 = msg("18869", dup250); - -var msg21038 = msg("18870", dup250); - -var msg21039 = msg("18871", dup250); - -var msg21040 = msg("18872", dup250); - -var msg21041 = msg("18873", dup250); - -var msg21042 = msg("18874", dup250); - -var msg21043 = msg("18875", dup250); - -var msg21044 = msg("18876", dup250); - -var msg21045 = msg("18877", dup250); - -var msg21046 = msg("18878", dup250); - -var msg21047 = msg("18879", dup250); - -var msg21048 = msg("18880", dup250); - -var msg21049 = msg("18881", dup250); - -var msg21050 = msg("18882", dup250); - -var msg21051 = msg("18883", dup250); - -var msg21052 = msg("18884", dup250); - -var msg21053 = msg("18885", dup250); - -var msg21054 = msg("18886", dup250); - -var msg21055 = msg("18887", dup250); - -var msg21056 = msg("18888", dup250); - -var msg21057 = msg("18889", dup250); - -var msg21058 = msg("18890", dup250); - -var msg21059 = msg("18891", dup250); - -var msg21060 = msg("18892", dup250); - -var msg21061 = msg("18893", dup250); - -var msg21062 = msg("18894", dup250); - -var msg21063 = msg("18895", dup250); - -var msg21064 = msg("18896", dup250); - -var msg21065 = msg("18897", dup250); - -var msg21066 = msg("18898", dup250); - -var msg21067 = msg("18899", dup250); - -var msg21068 = msg("18900", dup269); - -var msg21069 = msg("18901", dup267); - -var msg21070 = msg("18902", 
dup267); - -var msg21071 = msg("18903", dup267); - -var msg21072 = msg("18904", dup265); - -var msg21073 = msg("18905", dup197); - -var msg21074 = msg("18906", dup197); - -var msg21075 = msg("18907", dup197); - -var msg21076 = msg("18908", dup197); - -var msg21077 = msg("18909", dup197); - -var msg21078 = msg("18910", dup197); - -var msg21079 = msg("18911", dup197); - -var msg21080 = msg("18912", dup197); - -var msg21081 = msg("18913", dup197); - -var msg21082 = msg("18914", dup197); - -var msg21083 = msg("18915", dup197); - -var msg21084 = msg("18916", dup197); - -var msg21085 = msg("18917", dup197); - -var msg21086 = msg("18918", dup197); - -var msg21087 = msg("18919", dup197); - -var msg21088 = msg("18920", dup197); - -var msg21089 = msg("18921", dup197); - -var msg21090 = msg("18922", dup197); - -var msg21091 = msg("18923", dup197); - -var msg21092 = msg("18924", dup197); - -var msg21093 = msg("18925", dup197); - -var msg21094 = msg("18926", dup201); - -var msg21095 = msg("18927", dup265); - -var msg21096 = msg("18928", dup197); - -var msg21097 = msg("18929", dup199); - -var msg21098 = msg("18930", dup267); - -var msg21099 = msg("18931", dup267); - -var msg21100 = msg("18932", dup265); - -var msg21101 = msg("18933", dup274); - -var msg21102 = msg("18934", dup197); - -var msg21103 = msg("18935", dup198); - -var msg21104 = msg("18936", dup269); - -var msg21105 = msg("18937", dup269); - -var msg21106 = msg("18938", dup269); - -var msg21107 = msg("18939", dup202); - -var msg21108 = msg("18940", dup269); - -var msg21109 = msg("18941", dup202); - -var msg21110 = msg("18942", dup269); - -var msg21111 = msg("18943", dup269); - -var msg21112 = msg("18944", dup269); - -var msg21113 = msg("18945", dup263); - -var msg21114 = msg("18946", dup192); - -var msg21115 = msg("18947", dup192); - -var msg21116 = msg("18948", dup267); - -var msg21117 = msg("18949", dup267); - -var msg21118 = msg("18950", dup267); - -var msg21119 = msg("18951", dup267); - -var msg21120 = msg("18952", 
dup267); - -var msg21121 = msg("18953", dup267); - -var msg21122 = msg("18954", dup267); - -var msg21123 = msg("18955", dup201); - -var msg21124 = msg("18956", dup201); - -var msg21125 = msg("18957", dup267); - -var msg21126 = msg("18958", dup267); - -var msg21127 = msg("18959", dup267); - -var msg21128 = msg("18960", dup267); - -var msg21129 = msg("18961", dup265); - -var msg21130 = msg("18962", dup265); - -var msg21131 = msg("18963", dup201); - -var msg21132 = msg("18964", dup267); - -var msg21133 = msg("18965", dup201); - -var msg21134 = msg("18966", dup267); - -var msg21135 = msg("18967", dup287); - -var msg21136 = msg("18968", dup201); - -var msg21137 = msg("18969", dup201); - -var msg21138 = msg("18970", dup202); - -var msg21139 = msg("18971", dup202); - -var msg21140 = msg("18972", dup199); - -var msg21141 = msg("18973", dup267); - -var msg21142 = msg("18974", dup265); - -var msg21143 = msg("18975", dup265); - -var msg21144 = msg("18976", dup202); - -var msg21145 = msg("18977", dup192); - -var msg21146 = msg("18978", dup192); - -var msg21147 = msg("18979", dup238); - -var msg21148 = msg("18980", dup303); - -var msg21149 = msg("18981", dup303); - -var msg21150 = msg("18982", dup303); - -var msg21151 = msg("18983", dup267); - -var msg21152 = msg("18984", dup269); - -var msg21153 = msg("18985", dup265); - -var msg21154 = msg("18986", dup267); - -var msg21155 = msg("18987", dup267); - -var msg21156 = msg("18988", dup267); - -var msg21157 = msg("18989", dup267); - -var msg21158 = msg("18990", dup267); - -var msg21159 = msg("18991", dup267); - -var msg21160 = msg("18992", dup267); - -var msg21161 = msg("18993", dup267); - -var msg21162 = msg("18994", dup197); - -var msg21163 = msg("18995", dup202); - -var msg21164 = msg("18996", dup202); - -var msg21165 = msg("18997", dup198); - -var msg21166 = msg("18998", dup197); - -var msg21167 = msg("18999", dup197); - -var msg21168 = msg("19000", dup240); - -var msg21169 = msg("19001", dup240); - -var msg21170 = msg("19002", 
dup197); - -var msg21171 = msg("19003", dup202); - -var msg21172 = msg("19004", dup202); - -var msg21173 = msg("19005", dup267); - -var msg21174 = msg("19006", dup197); - -var msg21175 = msg("19007", dup197); - -var msg21176 = msg("19008", dup267); - -var msg21177 = msg("19009", dup267); - -var msg21178 = msg("19010", dup267); - -var msg21179 = msg("19011", dup197); - -var msg21180 = msg("19012", dup197); - -var msg21181 = msg("19013", dup295); - -var msg21182 = msg("19014", dup295); - -var msg21183 = msg("19015", dup312); - -var msg21184 = msg("19016", dup192); - -var msg21185 = msg("19017", dup192); - -var msg21186 = msg("19018", dup192); - -var msg21187 = msg("19019", dup192); - -var msg21188 = msg("19020", dup267); - -var msg21189 = msg("19021", dup192); - -var msg21190 = msg("19022", dup192); - -var msg21191 = msg("19023", dup192); - -var msg21192 = msg("19024", dup192); - -var msg21193 = msg("19025", dup192); - -var msg21194 = msg("19026", dup303); - -var msg21195 = msg("19027", dup202); - -var msg21196 = msg("19028", dup192); - -var msg21197 = msg("19029", dup192); - -var msg21198 = msg("19030", dup192); - -var msg21199 = msg("19031", dup202); - -var msg21200 = msg("19032", dup192); - -var msg21201 = msg("19033", dup192); - -var msg21202 = msg("19034", dup192); - -var msg21203 = msg("19035", dup192); - -var msg21204 = msg("19036", dup192); - -var msg21205 = msg("19037", dup192); - -var msg21206 = msg("19038", dup192); - -var msg21207 = msg("19039", dup192); - -var msg21208 = msg("19040", dup192); - -var msg21209 = msg("19041", dup192); - -var msg21210 = msg("19042", dup192); - -var msg21211 = msg("19043", dup303); - -var msg21212 = msg("19044", dup303); - -var msg21213 = msg("19045", dup192); - -var msg21214 = msg("19046", dup303); - -var msg21215 = msg("19047", dup303); - -var msg21216 = msg("19048", dup192); - -var msg21217 = msg("19049", dup192); - -var msg21218 = msg("19050", dup192); - -var msg21219 = msg("19051", dup192); - -var msg21220 = msg("19052", 
dup265); - -var msg21221 = msg("19053", dup238); - -var msg21222 = msg("19054", dup192); - -var msg21223 = msg("19055", dup192); - -var msg21224 = msg("19056", dup192); - -var msg21225 = msg("19057", dup192); - -var msg21226 = msg("19058", dup238); - -var msg21227 = msg("19059", dup303); - -var msg21228 = msg("19060", dup192); - -var msg21229 = msg("19061", dup263); - -var msg21230 = msg("19062", dup192); - -var msg21231 = msg("19063", dup197); - -var msg21232 = msg("19064", dup267); - -var msg21233 = msg("19065", dup202); - -var msg21234 = msg("19066", dup202); - -var msg21235 = msg("19067", dup202); - -var msg21236 = msg("19068", dup202); - -var msg21237 = msg("19069", dup202); - -var msg21238 = msg("19070", dup202); - -var msg21239 = msg("19071", dup267); - -var msg21240 = msg("19072", dup197); - -var msg21241 = msg("19073", dup198); - -var msg21242 = msg("19074", dup265); - -var msg21243 = msg("19075", dup202); - -var msg21244 = msg("19076", dup202); - -var msg21245 = msg("19077", dup202); - -var msg21246 = msg("19078", dup267); - -var msg21247 = msg("19079", dup267); - -var msg21248 = msg("19080", dup267); - -var msg21249 = msg("19081", dup267); - -var msg21250 = msg("19082", dup267); - -var msg21251 = msg("19083", dup267); - -var msg21252 = msg("19084", dup267); - -var msg21253 = msg("19085", dup265); - -var msg21254 = msg("19086", dup202); - -var msg21255 = msg("19087", dup197); - -var msg21256 = msg("19088", dup197); - -var msg21257 = msg("19089", dup197); - -var msg21258 = msg("19090", dup197); - -var msg21259 = msg("19091", dup202); - -var msg21260 = msg("19092", dup202); - -var msg21261 = msg("19093", dup240); - -var msg21262 = msg("19094", dup240); - -var msg21263 = msg("19095", dup267); - -var msg21264 = msg("19096", dup267); - -var msg21265 = msg("19097", dup267); - -var msg21266 = msg("19098", dup202); - -var msg21267 = msg("19099", dup267); - -var msg21268 = msg("19100", dup197); - -var msg21269 = msg("19101", dup198); - -var msg21270 = msg("19102", 
dup265); - -var msg21271 = msg("19103", dup265); - -var msg21272 = msg("19104", dup197); - -var msg21273 = msg("19105", dup197); - -var msg21274 = msg("19106", dup303); - -var msg21275 = msg("19107", dup267); - -var msg21276 = msg("19108", dup265); - -var msg21277 = msg("19109", dup265); - -var msg21278 = msg("19110", dup265); - -var msg21279 = msg("19111", dup198); - -var msg21280 = msg("19112", dup197); - -var msg21281 = msg("19113", dup197); - -var msg21282 = msg("19114", dup197); - -var msg21283 = msg("19115", dup197); - -var msg21284 = msg("19116", dup267); - -var msg21285 = msg("19117", dup197); - -var msg21286 = msg("19118", dup201); - -var msg21287 = msg("19119", dup267); - -var msg21288 = msg("19120", dup197); - -var msg21289 = msg("19121", dup197); - -var msg21290 = msg("19122", dup312); - -var msg21291 = msg("19123", dup202); - -var msg21292 = msg("19124", dup267); - -var msg21293 = msg("19125", dup197); - -var msg21294 = msg("19126", dup197); - -var msg21295 = msg("19127", dup197); - -var msg21296 = msg("19128", dup202); - -var msg21297 = msg("19129", dup202); - -var msg21298 = msg("19130", dup267); - -var msg21299 = msg("19131", dup197); - -var msg21300 = msg("19132", dup197); - -var msg21301 = msg("19133", dup202); - -var msg21302 = msg("19134", dup267); - -var msg21303 = msg("19135", dup192); - -var msg21304 = msg("19136", dup201); - -var msg21305 = msg("19137", dup197); - -var msg21306 = msg("19138", dup197); - -var msg21307 = msg("19139", dup197); - -var msg21308 = msg("19140", dup197); - -var msg21309 = msg("19141", dup267); - -var msg21310 = msg("19142", dup260); - -var msg21311 = msg("19143", dup267); - -var msg21312 = msg("19144", dup267); - -var msg21313 = msg("19145", dup267); - -var msg21314 = msg("19146", dup267); - -var msg21315 = msg("19147", dup267); - -var msg21316 = msg("19148", dup267); - -var msg21317 = msg("19149", dup267); - -var msg21318 = msg("19150", dup267); - -var msg21319 = msg("19151", dup265); - -var msg21320 = msg("19152", 
dup265); - -var msg21321 = msg("19153", dup267); - -var msg21322 = msg("19154", dup202); - -var msg21323 = msg("19155", dup197); - -var msg21324 = msg("19156", dup197); - -var msg21325 = msg("19157", dup265); - -var msg21326 = msg("19158", dup202); - -var msg21327 = msg("19159", dup198); - -var msg21328 = msg("19160", dup197); - -var msg21329 = msg("19161", dup197); - -var msg21330 = msg("19162", dup202); - -var msg21331 = msg("19163", dup202); - -var msg21332 = msg("19164", dup192); - -var msg21333 = msg("19165", dup269); - -var msg21334 = msg("19166", dup202); - -var msg21335 = msg("19167", dup197); - -var msg21336 = msg("19168", dup197); - -var msg21337 = msg("19169", dup267); - -var msg21338 = msg("19170", dup267); - -var msg21339 = msg("19171", dup267); - -var msg21340 = msg("19172", dup276); - -var msg21341 = msg("19173", dup255); - -var msg21342 = msg("19174", dup267); - -var msg21343 = msg("19175", dup269); - -var msg21344 = msg("19176", dup265); - -var msg21345 = msg("19177", dup265); - -var msg21346 = msg("19178", dup202); - -var msg21347 = msg("19179", dup202); - -var msg21348 = msg("19180", dup267); - -var msg21349 = msg("19181", dup267); - -var msg21350 = msg("19182", dup197); - -var msg21351 = msg("19183", dup197); - -var msg21352 = msg("19184", dup267); - -var msg21353 = msg("19185", dup267); - -var msg21354 = msg("19186", dup265); - -var msg21355 = msg("19187", dup267); - -var msg21356 = msg("19188", dup267); - -var msg21357 = msg("19189", dup197); - -var msg21358 = msg("19190", dup246); - -var msg21359 = msg("19191", dup276); - -var msg21360 = msg("19192", dup198); - -var msg21361 = msg("19193", dup265); - -var msg21362 = msg("19194", dup265); - -var msg21363 = msg("19195", dup202); - -var msg21364 = msg("19196", dup267); - -var msg21365 = msg("19197", dup265); - -var msg21366 = msg("19198", dup265); - -var msg21367 = msg("19199", dup276); - -var msg21368 = msg("19200", dup267); - -var msg21369 = msg("19201", dup260); - -var msg21370 = msg("19202", 
dup260); - -var msg21371 = msg("19203", dup267); - -var msg21372 = msg("19204", dup267); - -var msg21373 = msg("19205", dup198); - -var msg21374 = msg("19206", dup197); - -var msg21375 = msg("19207", dup197); - -var msg21376 = msg("19208", dup197); - -var msg21377 = msg("19209", dup197); - -var msg21378 = msg("19210", dup197); - -var msg21379 = msg("19211", dup202); - -var msg21380 = msg("19212", dup197); - -var msg21381 = msg("19213", dup197); - -var msg21382 = msg("19214", dup265); - -var msg21383 = msg("19215", dup202); - -var msg21384 = msg("19216", dup267); - -var msg21385 = msg("19217", dup267); - -var msg21386 = msg("19218", dup265); - -var msg21387 = msg("19219", dup267); - -var msg21388 = msg("19220", dup267); - -var msg21389 = msg("19221", dup197); - -var msg21390 = msg("19222", dup267); - -var msg21391 = msg("19223", dup267); - -var msg21392 = msg("19224", dup202); - -var msg21393 = msg("19225", dup267); - -var msg21394 = msg("19226", dup197); - -var msg21395 = msg("19227", dup197); - -var msg21396 = msg("19228", dup199); - -var msg21397 = msg("19229", dup267); - -var msg21398 = msg("19230", dup267); - -var msg21399 = msg("19231", dup267); - -var msg21400 = msg("19232", dup267); - -var msg21401 = msg("19233", dup265); - -var msg21402 = msg("19234", dup265); - -var msg21403 = msg("19235", dup267); - -var msg21404 = msg("19236", dup267); - -var msg21405 = msg("19237", dup267); - -var msg21406 = msg("19238", dup267); - -var msg21407 = msg("19239", dup265); - -var msg21408 = msg("19240", dup265); - -var msg21409 = msg("19241", dup202); - -var msg21410 = msg("19242", dup202); - -var msg21411 = msg("19243", dup267); - -var msg21412 = msg("19244", dup265); - -var msg21413 = msg("19245", dup265); - -var msg21414 = msg("19246", dup265); - -var msg21415 = msg("19247", dup267); - -var msg21416 = msg("19248", dup197); - -var msg21417 = msg("19249", dup267); - -var msg21418 = msg("19250", dup197); - -var msg21419 = msg("19251", dup267); - -var msg21420 = msg("19252", 
dup265); - -var msg21421 = msg("19253", dup265); - -var msg21422 = msg("19254", dup201); - -var msg21423 = msg("19255", dup201); - -var msg21424 = msg("19256", dup269); - -var msg21425 = msg("19257", dup267); - -var msg21426 = msg("19258", dup267); - -var msg21427 = msg("19259", dup267); - -var msg21428 = msg("19260", dup202); - -var msg21429 = msg("19261", dup267); - -var msg21430 = msg("19262", dup267); - -var msg21431 = msg("19263", dup267); - -var msg21432 = msg("19264", dup267); - -var msg21433 = msg("19265", dup267); - -var msg21434 = msg("19266", dup267); - -var msg21435 = msg("19267", dup199); - -var msg21436 = msg("19268", dup202); - -var msg21437 = msg("19269", dup250); - -var msg21438 = msg("19270", dup250); - -var msg21439 = msg("19271", dup250); - -var msg21440 = msg("19272", dup250); - -var msg21441 = msg("19273", dup250); - -var msg21442 = msg("19274", dup250); - -var msg21443 = msg("19275", dup298); - -var msg21444 = msg("19276", dup298); - -var msg21445 = msg("19277", dup298); - -var msg21446 = msg("19278", dup298); - -var msg21447 = msg("19279", dup298); - -var msg21448 = msg("19280", dup298); - -var msg21449 = msg("19281", dup199); - -var msg21450 = msg("19282", dup199); - -var msg21451 = msg("19283", dup199); - -var msg21452 = msg("19284", dup199); - -var msg21453 = msg("19285", dup199); - -var msg21454 = msg("19286", dup199); - -var msg21455 = msg("19287", dup199); - -var msg21456 = msg("19288", dup199); - -var msg21457 = msg("19289", dup265); - -var msg21458 = msg("19290", dup276); - -var msg21459 = msg("19291", dup276); - -var msg21460 = msg("19292", dup202); - -var msg21461 = msg("19293", dup267); - -var msg21462 = msg("19294", dup267); - -var msg21463 = msg("19295", dup267); - -var msg21464 = msg("19296", dup267); - -var msg21465 = msg("19297", dup201); - -var msg21466 = msg("19298", dup201); - -var msg21467 = msg("19299", dup267); - -var msg21468 = msg("19300", dup267); - -var msg21469 = msg("19301", dup287); - -var msg21470 = msg("19302", 
dup287); - -var msg21471 = msg("19303", dup267); - -var msg21472 = msg("19304", dup265); - -var msg21473 = msg("19305", dup265); - -var msg21474 = msg("19306", dup267); - -var msg21475 = msg("19307", dup265); - -var msg21476 = msg("19308", dup197); - -var msg21477 = msg("19309", dup303); - -var msg21478 = msg("19310", dup192); - -var msg21479 = msg("19311", dup303); - -var msg21480 = msg("19312", dup192); - -var msg21481 = msg("19313", dup198); - -var msg21482 = msg("19314", dup276); - -var msg21483 = msg("19315", dup267); - -var msg21484 = msg("19316", dup267); - -var msg21485 = msg("19317", dup197); - -var msg21486 = msg("19318", dup267); - -var msg21487 = msg("19319", dup267); - -var msg21488 = msg("19320", dup267); - -var msg21489 = msg("19321", dup197); - -var msg21490 = msg("19322", dup202); - -var msg21491 = msg("19323", dup201); - -var msg21492 = msg("19324", dup303); - -var msg21493 = msg("19325", dup303); - -var msg21494 = msg("19326", dup192); - -var msg21495 = msg("19327", dup192); - -var msg21496 = msg("19328", dup192); - -var msg21497 = msg("19329", dup192); - -var msg21498 = msg("19330", dup192); - -var msg21499 = msg("19331", dup192); - -var msg21500 = msg("19332", dup192); - -var msg21501 = msg("19333", dup197); - -var msg21502 = msg("19334", dup197); - -var msg21503 = msg("19335", dup297); - -var msg21504 = msg("19336", dup297); - -var msg21505 = msg("19337", dup202); - -var msg21506 = msg("19338", dup202); - -var msg21507 = msg("19339", dup192); - -var msg21508 = msg("19340", dup263); - -var msg21509 = msg("19341", dup238); - -var msg21510 = msg("19342", dup263); - -var msg21511 = msg("19343", dup263); - -var msg21512 = msg("19344", dup263); - -var msg21513 = msg("19345", dup192); - -var msg21514 = msg("19346", dup192); - -var msg21515 = msg("19347", dup192); - -var msg21516 = msg("19348", dup192); - -var msg21517 = msg("19349", dup192); - -var msg21518 = msg("19350", dup197); - -var msg21519 = msg("19351", dup192); - -var msg21520 = msg("19352", 
dup192); - -var msg21521 = msg("19353", dup192); - -var msg21522 = msg("19354", dup192); - -var msg21523 = msg("19355", dup192); - -var msg21524 = msg("19356", dup202); - -var msg21525 = msg("19357", dup238); - -var msg21526 = msg("19358", dup202); - -var msg21527 = msg("19359", dup192); - -var msg21528 = msg("19360", dup192); - -var msg21529 = msg("19361", dup192); - -var msg21530 = msg("19362", dup192); - -var msg21531 = msg("19363", dup192); - -var msg21532 = msg("19364", dup202); - -var msg21533 = msg("19365", dup202); - -var msg21534 = msg("19366", dup192); - -var msg21535 = msg("19367", dup238); - -var msg21536 = msg("19368", dup192); - -var msg21537 = msg("19369", dup192); - -var msg21538 = msg("19370", dup192); - -var msg21539 = msg("19371", dup192); - -var msg21540 = msg("19372", dup269); - -var msg21541 = msg("19373", dup201); - -var msg21542 = msg("19374", dup201); - -var msg21543 = msg("19375", dup287); - -var msg21544 = msg("19376", dup287); - -var msg21545 = msg("19377", dup202); - -var msg21546 = msg("19378", dup202); - -var msg21547 = msg("19379", dup201); - -var msg21548 = msg("19380", dup201); - -var msg21549 = msg("19381", dup287); - -var msg21550 = msg("19382", dup287); - -var msg21551 = msg("19383", dup287); - -var msg21552 = msg("19384", dup287); - -var msg21553 = msg("19385", dup201); - -var msg21554 = msg("19386", dup201); - -var msg21555 = msg("19387", dup287); - -var msg21556 = msg("19388", dup287); - -var msg21557 = msg("19389", dup197); - -var msg21558 = msg("19390", dup197); - -var msg21559 = msg("19391", dup303); - -var msg21560 = msg("19392", dup303); - -var msg21561 = msg("19393", dup303); - -var msg21562 = msg("19394", dup192); - -var msg21563 = msg("19395", dup192); - -var msg21564 = msg("19396", dup192); - -var msg21565 = msg("19397", dup192); - -var msg21566 = msg("19398", dup192); - -var msg21567 = msg("19399", dup238); - -var msg21568 = msg("19400", dup238); - -var msg21569 = msg("19401", dup238); - -var msg21570 = msg("19402", 
dup238); - -var msg21571 = msg("19403", dup267); - -var msg21572 = msg("19404", dup192); - -var msg21573 = msg("19405", dup267); - -var msg21574 = msg("19406", dup267); - -var msg21575 = msg("19407", dup267); - -var msg21576 = msg("19408", dup267); - -var msg21577 = msg("19409", dup202); - -var msg21578 = msg("19410", dup202); - -var msg21579 = msg("19411", dup269); - -var msg21580 = msg("19412", dup267); - -var msg21581 = msg("19413", dup197); - -var msg21582 = msg("19414", dup197); - -var msg21583 = msg("19415", dup227); - -var msg21584 = msg("19416", dup265); - -var msg21585 = msg("19417", dup265); - -var msg21586 = msg("19418", dup265); - -var msg21587 = msg("19419", dup265); - -var msg21588 = msg("19420", dup197); - -var msg21589 = msg("19421", dup197); - -var msg21590 = msg("19422", dup265); - -var msg21591 = msg("19423", dup265); - -var msg21592 = msg("19424", dup265); - -var msg21593 = msg("19425", dup265); - -var msg21594 = msg("19426", dup192); - -var msg21595 = msg("19427", dup192); - -var msg21596 = msg("19428", dup192); - -var msg21597 = msg("19429", dup198); - -var msg21598 = msg("19430", dup265); - -var msg21599 = msg("19431", dup197); - -var msg21600 = msg("19432", dup197); - -var msg21601 = msg("19433", dup192); - -var msg21602 = msg("19434", dup269); - -var msg21603 = msg("19435", dup192); - -var msg21604 = msg("19436", dup267); - -var msg21605 = msg("19437", dup260); - -var msg21606 = msg("19438", dup260); - -var msg21607 = msg("19439", dup260); - -var msg21608 = msg("19440", dup260); - -var msg21609 = msg("19441", dup199); - -var msg21610 = msg("19442", dup267); - -var msg21611 = msg("19443", dup267); - -var msg21612 = msg("19444", dup265); - -var msg21613 = msg("19445", dup265); - -var msg21614 = msg("19446", dup265); - -var msg21615 = msg("19447", dup265); - -var msg21616 = msg("19448", dup265); - -var msg21617 = msg("19449", dup265); - -var msg21618 = msg("19450", dup265); - -var msg21619 = msg("19451", dup199); - -var msg21620 = msg("19452", 
dup199); - -var msg21621 = msg("19453", dup192); - -var msg21622 = msg("19454", dup192); - -var msg21623 = msg("19455", dup238); - -var msg21624 = msg("19456", dup192); - -var msg21625 = msg("19457", dup192); - -var msg21626 = msg("19458", dup197); - -var msg21627 = msg("19459", dup197); - -var msg21628 = msg("19460", dup265); - -var msg21629 = msg("19461", dup265); - -var msg21630 = msg("19462", dup267); - -var msg21631 = msg("19463", dup265); - -var msg21632 = msg("19464", dup197); - -var msg21633 = msg("19465", dup276); - -var msg21634 = msg("19466", dup267); - -var msg21635 = msg("19467", dup202); - -var msg21636 = msg("19468", dup267); - -var msg21637 = msg("19469", dup202); - -var msg21638 = msg("19470", dup263); - -var msg21639 = msg("19471", dup317); - -var msg21640 = msg("19472", dup317); - -var msg21641 = msg("19473", dup317); - -var msg21642 = msg("19474", dup202); - -var msg21643 = msg("19475", dup202); - -var msg21644 = msg("19476", dup267); - -var msg21645 = msg("19477", dup192); - -var msg21646 = msg("19478", dup238); - -var msg21647 = msg("19479", dup238); - -var msg21648 = msg("19480", dup198); - -var msg21649 = msg("19481", dup238); - -var msg21650 = msg("19482", dup269); - -var msg21651 = msg("19483", dup192); - -var msg21652 = msg("19484", dup192); - -var msg21653 = msg("19485", dup303); - -var msg21654 = msg("19486", dup303); - -var msg21655 = msg("19487", dup192); - -var msg21656 = msg("19488", dup238); - -var msg21657 = msg("19489", dup192); - -var msg21658 = msg("19490", dup192); - -var msg21659 = msg("19491", dup192); - -var msg21660 = msg("19492", dup192); - -var msg21661 = msg("19493", dup269); - -var msg21662 = msg("19494", dup192); - -var msg21663 = msg("19495", dup238); - -var msg21664 = msg("19496", dup263); - -var msg21665 = msg("19497", dup263); - -var msg21666 = msg("19498", dup263); - -var msg21667 = msg("19499", dup263); - -var msg21668 = msg("19500", dup263); - -var msg21669 = msg("19501", dup263); - -var msg21670 = msg("19502", 
dup263); - -var msg21671 = msg("19503", dup263); - -var msg21672 = msg("19504", dup263); - -var msg21673 = msg("19505", dup263); - -var msg21674 = msg("19506", dup263); - -var msg21675 = msg("19507", dup263); - -var msg21676 = msg("19508", dup263); - -var msg21677 = msg("19509", dup263); - -var msg21678 = msg("19510", dup263); - -var msg21679 = msg("19511", dup263); - -var msg21680 = msg("19512", dup263); - -var msg21681 = msg("19513", dup263); - -var msg21682 = msg("19514", dup263); - -var msg21683 = msg("19515", dup263); - -var msg21684 = msg("19516", dup263); - -var msg21685 = msg("19517", dup263); - -var msg21686 = msg("19518", dup263); - -var msg21687 = msg("19519", dup263); - -var msg21688 = msg("19520", dup263); - -var msg21689 = msg("19521", dup263); - -var msg21690 = msg("19522", dup263); - -var msg21691 = msg("19523", dup263); - -var msg21692 = msg("19524", dup263); - -var msg21693 = msg("19525", dup263); - -var msg21694 = msg("19526", dup263); - -var msg21695 = msg("19527", dup263); - -var msg21696 = msg("19528", dup263); - -var msg21697 = msg("19529", dup263); - -var msg21698 = msg("19530", dup263); - -var msg21699 = msg("19531", dup263); - -var msg21700 = msg("19532", dup263); - -var msg21701 = msg("19533", dup263); - -var msg21702 = msg("19534", dup263); - -var msg21703 = msg("19535", dup263); - -var msg21704 = msg("19536", dup263); - -var msg21705 = msg("19537", dup263); - -var msg21706 = msg("19538", dup263); - -var msg21707 = msg("19539", dup263); - -var msg21708 = msg("19540", dup263); - -var msg21709 = msg("19541", dup263); - -var msg21710 = msg("19542", dup263); - -var msg21711 = msg("19543", dup263); - -var msg21712 = msg("19544", dup263); - -var msg21713 = msg("19545", dup263); - -var msg21714 = msg("19546", dup263); - -var msg21715 = msg("19547", dup263); - -var msg21716 = msg("19548", dup263); - -var msg21717 = msg("19549", dup263); - -var msg21718 = msg("19550", dup263); - -var msg21719 = msg("19551", dup202); - -var msg21720 = msg("19552", 
dup267); - -var msg21721 = msg("19553", dup267); - -var msg21722 = msg("19554", dup263); - -var msg21723 = msg("19555", dup192); - -var msg21724 = msg("19556", dup192); - -var msg21725 = msg("19557", dup192); - -var msg21726 = msg("19558", dup267); - -var msg21727 = msg("19559", dup192); - -var msg21728 = msg("19560", dup197); - -var msg21729 = msg("19561", dup265); - -var msg21730 = msg("19562", dup265); - -var msg21731 = msg("19563", dup265); - -var msg21732 = msg("19564", dup265); - -var msg21733 = msg("19565", dup265); - -var msg21734 = msg("19566", dup303); - -var msg21735 = msg("19567", dup303); - -var msg21736 = msg("19568", dup192); - -var msg21737 = msg("19569", dup192); - -var msg21738 = msg("19570", dup263); - -var msg21739 = msg("19571", dup263); - -var msg21740 = msg("19572", dup192); - -var msg21741 = msg("19573", dup290); - -var msg21742 = msg("19574", dup290); - -var msg21743 = msg("19575", dup290); - -var msg21744 = msg("19576", dup263); - -var msg21745 = msg("19577", dup205); - -var msg21746 = msg("19578", dup303); - -var msg21747 = msg("19579", dup192); - -var msg21748 = msg("19580", dup238); - -var msg21749 = msg("19581", dup192); - -var msg21750 = msg("19582", dup192); - -var msg21751 = msg("19583", dup192); - -var msg21752 = msg("19584", dup238); - -var msg21753 = msg("19585", dup238); - -var msg21754 = msg("19586", dup192); - -var msg21755 = msg("19587", dup192); - -var msg21756 = msg("19588", dup192); - -var msg21757 = msg("19589", dup269); - -var msg21758 = msg("19590", dup192); - -var msg21759 = msg("19591", dup192); - -var msg21760 = msg("19592", dup192); - -var msg21761 = msg("19593", dup238); - -var msg21762 = msg("19594", dup303); - -var msg21763 = msg("19595", dup269); - -var msg21764 = msg("19596", dup192); - -var msg21765 = msg("19597", dup192); - -var msg21766 = msg("19598", dup303); - -var msg21767 = msg("19599", dup260); - -var msg21768 = msg("19600", dup260); - -var msg21769 = msg("19601", dup276); - -var msg21770 = msg("19602", 
dup276); - -var msg21771 = msg("19603", dup267); - -var msg21772 = msg("19604", dup267); - -var msg21773 = msg("19605", dup267); - -var msg21774 = msg("19606", dup267); - -var msg21775 = msg("19607", dup267); - -var msg21776 = msg("19608", dup192); - -var msg21777 = msg("19609", dup267); - -var msg21778 = msg("19610", dup265); - -var msg21779 = msg("19611", dup269); - -var msg21780 = msg("19612", dup192); - -var msg21781 = msg("19613", dup192); - -var msg21782 = msg("19614", dup192); - -var msg21783 = msg("19615", dup192); - -var msg21784 = msg("19616", dup192); - -var msg21785 = msg("19617", dup276); - -var msg21786 = msg("19618", dup276); - -var msg21787 = msg("19619", dup267); - -var msg21788 = msg("19620", dup267); - -var msg21789 = msg("19621", dup197); - -var msg21790 = msg("19622", dup269); - -var msg21791 = msg("19623", dup269); - -var msg21792 = msg("19624", dup269); - -var msg21793 = msg("19625", dup269); - -var msg21794 = msg("19626", dup269); - -var msg21795 = msg("19627", dup269); - -var msg21796 = msg("19628", dup269); - -var msg21797 = msg("19629", dup269); - -var msg21798 = msg("19630", dup269); - -var msg21799 = msg("19631", dup269); - -var msg21800 = msg("19632", dup269); - -var msg21801 = msg("19633", dup269); - -var msg21802 = msg("19634", dup269); - -var msg21803 = msg("19635", dup269); - -var msg21804 = msg("19636", dup269); - -var msg21805 = msg("19637", dup269); - -var msg21806 = msg("19638", dup269); - -var msg21807 = msg("19639", dup263); - -var msg21808 = msg("19640", dup263); - -var msg21809 = msg("19641", dup263); - -var msg21810 = msg("19642", dup263); - -var msg21811 = msg("19643", dup263); - -var msg21812 = msg("19644", dup263); - -var msg21813 = msg("19645", dup201); - -var msg21814 = msg("19646", dup267); - -var msg21815 = msg("19647", dup267); - -var msg21816 = msg("19648", dup267); - -var msg21817 = msg("19649", dup197); - -var msg21818 = msg("19650", dup265); - -var msg21819 = msg("19651", dup265); - -var msg21820 = msg("19652", 
dup202); - -var msg21821 = msg("19653", dup267); - -var msg21822 = msg("19654", dup192); - -var msg21823 = msg("19655", dup192); - -var msg21824 = msg("19656", dup192); - -var msg21825 = msg("19657", dup202); - -var msg21826 = msg("19658", dup192); - -var msg21827 = msg("19659", dup192); - -var msg21828 = msg("19660", dup192); - -var msg21829 = msg("19661", dup267); - -var msg21830 = msg("19662", dup263); - -var msg21831 = msg("19663", dup263); - -var msg21832 = msg("19664", dup263); - -var msg21833 = msg("19665", dup201); - -var msg21834 = msg("19666", dup267); - -var msg21835 = msg("19667", dup267); - -var msg21836 = msg("19668", dup276); - -var msg21837 = msg("19669", dup248); - -var msg21838 = msg("19670", dup278); - -var msg21839 = msg("19671", dup267); - -var msg21840 = msg("19672", dup267); - -var msg21841 = msg("19673", dup276); - -var msg21842 = msg("19674", dup267); - -var msg21843 = msg("19675", dup267); - -var msg21844 = msg("19676", dup267); - -var msg21845 = msg("19677", dup267); - -var msg21846 = msg("19678", dup267); - -var msg21847 = msg("19679", dup267); - -var msg21848 = msg("19680", dup267); - -var msg21849 = msg("19681", dup265); - -var msg21850 = msg("19682", dup201); - -var msg21851 = msg("19683", dup201); - -var msg21852 = msg("19684", dup267); - -var msg21853 = msg("19685", dup197); - -var msg21854 = msg("19686", dup267); - -var msg21855 = msg("19687", dup265); - -var msg21856 = msg("19688", dup201); - -var msg21857 = msg("19689", dup287); - -var msg21858 = msg("19690", dup267); - -var msg21859 = msg("19691", dup201); - -var msg21860 = msg("19692", dup265); - -var msg21861 = msg("19693", dup197); - -var msg21862 = msg("19694", dup265); - -var msg21863 = msg("19695", dup192); - -var msg21864 = msg("19696", dup192); - -var msg21865 = msg("19697", dup192); - -var msg21866 = msg("19698", dup192); - -var msg21867 = msg("19699", dup192); - -var msg21868 = msg("19700", dup192); - -var msg21869 = msg("19701", dup192); - -var msg21870 = msg("19702", 
dup192); - -var msg21871 = msg("19703", dup238); - -var msg21872 = msg("19704", dup192); - -var msg21873 = msg("19705", dup192); - -var msg21874 = msg("19706", dup192); - -var msg21875 = msg("19707", dup197); - -var msg21876 = msg("19708", dup267); - -var msg21877 = msg("19709", dup198); - -var msg21878 = msg("19710", dup267); - -var msg21879 = msg("19711", dup192); - -var msg21880 = msg("19712", dup192); - -var msg21881 = msg("19713", dup197); - -var msg21882 = msg("19714", dup197); - -var msg21883 = msg("19715", dup192); - -var msg21884 = msg("19716", dup192); - -var msg21885 = msg("19717", dup263); - -var msg21886 = msg("19718", dup192); - -var msg21887 = msg("19719", dup238); - -var msg21888 = msg("19720", dup192); - -var msg21889 = msg("19721", dup192); - -var msg21890 = msg("19722", dup192); - -var msg21891 = msg("19723", dup202); - -var msg21892 = msg("19724", dup192); - -var msg21893 = msg("19725", dup202); - -var msg21894 = msg("19726", dup202); - -var msg21895 = msg("19727", dup192); - -var msg21896 = msg("19728", dup202); - -var msg21897 = msg("19729", dup202); - -var msg21898 = msg("19730", dup202); - -var msg21899 = msg("19731", dup202); - -var msg21900 = msg("19732", dup202); - -var msg21901 = msg("19733", dup192); - -var msg21902 = msg("19734", dup263); - -var msg21903 = msg("19735", dup202); - -var msg21904 = msg("19736", dup202); - -var msg21905 = msg("19737", dup202); - -var msg21906 = msg("19738", dup263); - -var msg21907 = msg("19739", dup192); - -var msg21908 = msg("19740", dup238); - -var msg21909 = msg("19741", dup303); - -var msg21910 = msg("19742", dup192); - -var msg21911 = msg("19743", dup192); - -var msg21912 = msg("19744", dup238); - -var msg21913 = msg("19745", dup192); - -var msg21914 = msg("19746", dup192); - -var msg21915 = msg("19747", dup192); - -var msg21916 = msg("19748", dup192); - -var msg21917 = msg("19749", dup192); - -var msg21918 = msg("19750", dup192); - -var msg21919 = msg("19751", dup238); - -var msg21920 = msg("19752", 
dup192); - -var msg21921 = msg("19753", dup192); - -var msg21922 = msg("19754", dup192); - -var msg21923 = msg("19755", dup192); - -var msg21924 = msg("19756", dup269); - -var msg21925 = msg("19757", dup192); - -var msg21926 = msg("19758", dup192); - -var msg21927 = msg("19759", dup192); - -var msg21928 = msg("19760", dup192); - -var msg21929 = msg("19761", dup227); - -var msg21930 = msg("19762", dup192); - -var msg21931 = msg("19763", dup192); - -var msg21932 = msg("19764", dup192); - -var msg21933 = msg("19765", dup192); - -var msg21934 = msg("19766", dup238); - -var msg21935 = msg("19767", dup192); - -var msg21936 = msg("19768", dup263); - -var msg21937 = msg("19769", dup198); - -var msg21938 = msg("19770", dup198); - -var msg21939 = msg("19771", dup198); - -var msg21940 = msg("19772", dup263); - -var msg21941 = msg("19773", dup263); - -var msg21942 = msg("19774", dup192); - -var msg21943 = msg("19775", dup303); - -var msg21944 = msg("19776", dup192); - -var msg21945 = msg("19777", dup263); - -var msg21946 = msg("19778", dup269); - -var msg21947 = msg("19779", dup260); - -var msg21948 = msg("19780", dup202); - -var msg21949 = msg("19781", dup192); - -var msg21950 = msg("19782", dup192); - -var msg21951 = msg("19783", dup192); - -var msg21952 = msg("19784", dup238); - -var msg21953 = msg("19785", dup192); - -var msg21954 = msg("19786", dup263); - -var msg21955 = msg("19787", dup267); - -var msg21956 = msg("19788", dup192); - -var msg21957 = msg("19789", dup238); - -var msg21958 = msg("19790", dup238); - -var msg21959 = msg("19791", dup192); - -var msg21960 = msg("19792", dup192); - -var msg21961 = msg("19793", dup192); - -var msg21962 = msg("19794", dup192); - -var msg21963 = msg("19795", dup263); - -var msg21964 = msg("19796", dup192); - -var msg21965 = msg("19797", dup192); - -var msg21966 = msg("19798", dup192); - -var msg21967 = msg("19799", dup192); - -var msg21968 = msg("19800", dup192); - -var msg21969 = msg("19801", dup192); - -var msg21970 = msg("19802", 
dup192); - -var msg21971 = msg("19803", dup192); - -var msg21972 = msg("19804", dup192); - -var msg21973 = msg("19805", dup192); - -var msg21974 = msg("19806", dup267); - -var msg21975 = msg("19807", dup267); - -var msg21976 = msg("19808", dup267); - -var msg21977 = msg("19809", dup267); - -var msg21978 = msg("19810", dup260); - -var msg21979 = msg("19811", dup202); - -var msg21980 = msg("19812", dup267); - -var msg21981 = msg("19813", dup197); - -var msg21982 = msg("19814", dup267); - -var msg21983 = msg("19815", dup267); - -var msg21984 = msg("19816", dup276); - -var msg21985 = msg("19817", dup201); - -var msg21986 = msg("19818", dup265); - -var msg21987 = msg("19819", dup192); - -var msg21988 = msg("19820", dup192); - -var msg21989 = msg("19821", dup238); - -var msg21990 = msg("19822", dup192); - -var msg21991 = msg("19823", dup303); - -var msg21992 = msg("19824", dup192); - -var msg21993 = msg("19825", dup198); - -var msg21994 = msg("19826", dup267); - -var msg21995 = msg("19827", dup303); - -var msg21996 = msg("19828", dup192); - -var msg21997 = msg("19829", dup192); - -var msg21998 = msg("19830", dup192); - -var msg21999 = msg("19831", dup192); - -var msg22000 = msg("19832", dup192); - -var msg22001 = msg("19833", dup192); - -var msg22002 = msg("19834", dup192); - -var msg22003 = msg("19835", dup303); - -var msg22004 = msg("19836", dup192); - -var msg22005 = msg("19837", dup303); - -var msg22006 = msg("19838", dup303); - -var msg22007 = msg("19839", dup263); - -var msg22008 = msg("19840", dup303); - -var msg22009 = msg("19841", dup303); - -var msg22010 = msg("19842", dup263); - -var msg22011 = msg("19843", dup263); - -var msg22012 = msg("19844", dup192); - -var msg22013 = msg("19845", dup192); - -var msg22014 = msg("19846", dup192); - -var msg22015 = msg("19847", dup192); - -var msg22016 = msg("19848", dup263); - -var msg22017 = msg("19849", dup263); - -var msg22018 = msg("19850", dup238); - -var msg22019 = msg("19851", dup238); - -var msg22020 = msg("19852", 
dup192); - -var msg22021 = msg("19853", dup303); - -var msg22022 = msg("19854", dup192); - -var msg22023 = msg("19855", dup192); - -var msg22024 = msg("19856", dup192); - -var msg22025 = msg("19857", dup192); - -var msg22026 = msg("19858", dup192); - -var msg22027 = msg("19859", dup303); - -var msg22028 = msg("19860", dup303); - -var msg22029 = msg("19861", dup192); - -var msg22030 = msg("19862", dup192); - -var msg22031 = msg("19863", dup265); - -var msg22032 = msg("19864", dup192); - -var msg22033 = msg("19865", dup192); - -var msg22034 = msg("19866", dup192); - -var msg22035 = msg("19867", dup287); - -var msg22036 = msg("19868", dup263); - -var msg22037 = msg("19869", dup198); - -var msg22038 = msg("19870", dup198); - -var msg22039 = msg("19871", dup197); - -var msg22040 = msg("19872", dup267); - -var msg22041 = msg("19873", dup267); - -var msg22042 = msg("19874", dup263); - -var msg22043 = msg("19875", dup263); - -var msg22044 = msg("19876", dup263); - -var msg22045 = msg("19877", dup263); - -var msg22046 = msg("19878", dup263); - -var msg22047 = msg("19879", dup263); - -var msg22048 = msg("19880", dup263); - -var msg22049 = msg("19881", dup263); - -var msg22050 = msg("19882", dup269); - -var msg22051 = msg("19883", dup197); - -var msg22052 = msg("19884", dup287); - -var msg22053 = msg("19885", dup197); - -var msg22054 = msg("19886", dup267); - -var msg22055 = msg("19887", dup287); - -var msg22056 = msg("19888", dup287); - -var msg22057 = msg("19889", dup202); - -var msg22058 = msg("19890", dup255); - -var msg22059 = msg("19891", dup197); - -var msg22060 = msg("19892", dup197); - -var msg22061 = msg("19893", dup197); - -var msg22062 = msg("19894", dup267); - -var msg22063 = msg("19895", dup205); - -var msg22064 = msg("19896", dup263); - -var msg22065 = msg("19897", dup263); - -var msg22066 = msg("19898", dup205); - -var msg22067 = msg("19899", dup303); - -var msg22068 = msg("19900", dup303); - -var msg22069 = msg("19901", dup303); - -var msg22070 = msg("19902", 
dup303); - -var msg22071 = msg("19903", dup303); - -var msg22072 = msg("19904", dup303); - -var msg22073 = msg("19905", dup205); - -var msg22074 = msg("19906", dup202); - -var msg22075 = msg("19907", dup202); - -var msg22076 = msg("19908", dup197); - -var msg22077 = msg("19909", dup202); - -var msg22078 = msg("19910", dup265); - -var msg22079 = msg("19911", dup197); - -var msg22080 = msg("19912", dup263); - -var msg22081 = msg("19914", dup263); - -var msg22082 = msg("19915", dup205); - -var msg22083 = msg("19916", dup192); - -var msg22084 = msg("19917", dup205); - -var msg22085 = msg("19918", dup238); - -var msg22086 = msg("19919", dup205); - -var msg22087 = msg("19920", dup205); - -var msg22088 = msg("19921", dup192); - -var msg22089 = msg("19922", dup205); - -var msg22090 = msg("19923", dup263); - -var msg22091 = msg("19924", dup192); - -var msg22092 = msg("19925", dup201); - -var msg22093 = msg("19926", dup197); - -var msg22094 = msg("19927", dup318); - -var msg22095 = msg("19928", dup318); - -var msg22096 = msg("19929", dup318); - -var msg22097 = msg("19930", dup318); - -var msg22098 = msg("19931", dup205); - -var msg22099 = msg("19932", dup265); - -var msg22100 = msg("19933", dup265); - -var msg22101 = msg("19934", dup269); - -var msg22102 = msg("19935", dup205); - -var msg22103 = msg("19936", dup205); - -var msg22104 = msg("19937", dup267); - -var msg22105 = msg("19938", dup197); - -var msg22106 = msg("19939", dup303); - -var msg22107 = msg("19940", dup205); - -var msg22108 = msg("19941", dup205); - -var msg22109 = msg("19942", dup205); - -var msg22110 = msg("19943", dup267); - -var msg22111 = msg("19944", dup205); - -var msg22112 = msg("19945", dup205); - -var msg22113 = msg("19946", dup205); - -var msg22114 = msg("19947", dup205); - -var msg22115 = msg("19948", dup205); - -var msg22116 = msg("19949", dup205); - -var msg22117 = msg("19950", dup192); - -var msg22118 = msg("19951", dup263); - -var msg22119 = msg("19952", dup192); - -var msg22120 = msg("19953", 
dup205); - -var msg22121 = msg("19954", dup192); - -var msg22122 = msg("19955", dup192); - -var msg22123 = msg("19956", dup197); - -var msg22124 = msg("19957", dup267); - -var msg22125 = msg("19958", dup205); - -var msg22126 = msg("19959", dup205); - -var msg22127 = msg("19960", dup205); - -var msg22128 = msg("19961", dup205); - -var msg22129 = msg("19962", dup290); - -var msg22130 = msg("19963", dup205); - -var msg22131 = msg("19964", dup318); - -var msg22132 = msg("19965", dup205); - -var msg22133 = msg("19966", dup263); - -var msg22134 = msg("19967", dup205); - -var msg22135 = msg("19968", dup205); - -var msg22136 = msg("19969", dup205); - -var msg22137 = msg("19970", dup205); - -var msg22138 = msg("19971", dup303); - -var msg22139 = msg("19972", dup197); - -var msg22140 = msg("19973", dup290); - -var msg22141 = msg("19974", dup205); - -var msg22142 = msg("19975", dup205); - -var msg22143 = msg("19976", dup238); - -var msg22144 = msg("19977", dup205); - -var msg22145 = msg("19978", dup290); - -var msg22146 = msg("19979", dup263); - -var msg22147 = msg("19980", dup263); - -var msg22148 = msg("19981", dup192); - -var msg22149 = msg("19982", dup205); - -var msg22150 = msg("19983", dup205); - -var msg22151 = msg("19984", dup263); - -var msg22152 = msg("19985", dup263); - -var msg22153 = msg("19986", dup263); - -var msg22154 = msg("19987", dup303); - -var msg22155 = msg("19988", dup205); - -var msg22156 = msg("19989", dup303); - -var msg22157 = msg("19990", dup303); - -var msg22158 = msg("19991", dup205); - -var msg22159 = msg("19992", dup205); - -var msg22160 = msg("19993", dup192); - -var msg22161 = msg("19994", dup263); - -var msg22162 = msg("19995", dup202); - -var msg22163 = msg("19996", dup238); - -var msg22164 = msg("19997", dup192); - -var msg22165 = msg("19998", dup192); - -var msg22166 = msg("19999", dup303); - -var msg22167 = msg("20000", dup202); - -var msg22168 = msg("20001", dup192); - -var msg22169 = msg("20002", dup192); - -var msg22170 = msg("20003", 
dup192); - -var msg22171 = msg("20004", dup192); - -var msg22172 = msg("20005", dup192); - -var msg22173 = msg("20006", dup238); - -var msg22174 = msg("20007", dup303); - -var msg22175 = msg("20008", dup202); - -var msg22176 = msg("20009", dup269); - -var msg22177 = msg("20010", dup287); - -var msg22178 = msg("20011", dup202); - -var msg22179 = msg("20012", dup269); - -var msg22180 = msg("20013", dup197); - -var msg22181 = msg("20014", dup192); - -var msg22182 = msg("20015", dup192); - -var msg22183 = msg("20016", dup192); - -var msg22184 = msg("20017", dup238); - -var msg22185 = msg("20018", dup238); - -var msg22186 = msg("20019", dup238); - -var msg22187 = msg("20020", dup263); - -var msg22188 = msg("20021", dup269); - -var msg22189 = msg("20022", dup238); - -var msg22190 = msg("20023", dup263); - -var msg22191 = msg("20024", dup192); - -var msg22192 = msg("20025", dup263); - -var msg22193 = msg("20026", dup192); - -var msg22194 = msg("20027", dup263); - -var msg22195 = msg("20028", dup263); - -var msg22196 = msg("20029", dup267); - -var msg22197 = msg("20030", dup202); - -var msg22198 = msg("20031", dup267); - -var msg22199 = msg("20032", dup265); - -var msg22200 = msg("20033", dup265); - -var msg22201 = msg("20034", dup201); - -var msg22202 = msg("20035", dup192); - -var msg22203 = msg("20036", dup192); - -var msg22204 = msg("20037", dup192); - -var msg22205 = msg("20038", dup192); - -var msg22206 = msg("20039", dup269); - -var msg22207 = msg("20040", dup192); - -var msg22208 = msg("20041", dup263); - -var msg22209 = msg("20042", dup192); - -var msg22210 = msg("20043", dup263); - -var msg22211 = msg("20044", dup265); - -var msg22212 = msg("20045", dup260); - -var msg22213 = msg("20046", dup260); - -var msg22214 = msg("20047", dup260); - -var msg22215 = msg("20048", dup267); - -var msg22216 = msg("20049", dup267); - -var msg22217 = msg("20050", dup267); - -var msg22218 = msg("20051", dup197); - -var msg22219 = msg("20052", dup197); - -var msg22220 = msg("20053", 
dup240); - -var msg22221 = msg("20054", dup198); - -var msg22222 = msg("20055", dup197); - -var msg22223 = msg("20056", dup265); - -var msg22224 = msg("20057", dup202); - -var msg22225 = msg("20058", dup267); - -var msg22226 = msg("20059", dup267); - -var msg22227 = msg("20060", dup197); - -var msg22228 = msg("20061", dup201); - -var msg22229 = msg("20062", dup267); - -var msg22230 = msg("20063", dup303); - -var msg22231 = msg("20064", dup263); - -var msg22232 = msg("20065", dup192); - -var msg22233 = msg("20066", dup192); - -var msg22234 = msg("20067", dup192); - -var msg22235 = msg("20068", dup269); - -var msg22236 = msg("20069", dup192); - -var msg22237 = msg("20070", dup265); - -var msg22238 = msg("20071", dup265); - -var msg22239 = msg("20072", dup265); - -var msg22240 = msg("20073", dup267); - -var msg22241 = msg("20074", dup192); - -var msg22242 = msg("20075", dup192); - -var msg22243 = msg("20076", dup192); - -var msg22244 = msg("20077", dup192); - -var msg22245 = msg("20078", dup192); - -var msg22246 = msg("20079", dup192); - -var msg22247 = msg("20080", dup192); - -var msg22248 = msg("20081", dup192); - -var msg22249 = msg("20082", dup192); - -var msg22250 = msg("20083", dup192); - -var msg22251 = msg("20084", dup197); - -var msg22252 = msg("20085", dup192); - -var msg22253 = msg("20086", dup192); - -var msg22254 = msg("20087", dup192); - -var msg22255 = msg("20088", dup192); - -var msg22256 = msg("20089", dup202); - -var msg22257 = msg("20090", dup202); - -var msg22258 = msg("20091", dup202); - -var msg22259 = msg("20092", dup202); - -var msg22260 = msg("20093", dup202); - -var msg22261 = msg("20094", dup202); - -var msg22262 = msg("20095", dup313); - -var msg22263 = msg("20096", dup192); - -var msg22264 = msg("20097", dup192); - -var msg22265 = msg("20098", dup192); - -var msg22266 = msg("20099", dup192); - -var msg22267 = msg("20100", dup263); - -var msg22268 = msg("20101", dup263); - -var msg22269 = msg("20102", dup263); - -var msg22270 = msg("20103", 
dup263); - -var msg22271 = msg("20104", dup269); - -var msg22272 = msg("20105", dup269); - -var msg22273 = msg("20106", dup269); - -var msg22274 = msg("20107", dup192); - -var msg22275 = msg("20108", dup192); - -var msg22276 = msg("20109", dup192); - -var msg22277 = msg("20110", dup267); - -var msg22278 = msg("20111", dup267); - -var msg22279 = msg("20112", dup267); - -var msg22280 = msg("20113", dup267); - -var msg22281 = msg("20114", dup201); - -var msg22282 = msg("20115", dup267); - -var msg22283 = msg("20116", dup201); - -var msg22284 = msg("20117", dup267); - -var msg22285 = msg("20118", dup276); - -var msg22286 = msg("20119", dup267); - -var msg22287 = msg("20120", dup267); - -var msg22288 = msg("20121", dup202); - -var msg22289 = msg("20122", dup202); - -var msg22290 = msg("20123", dup202); - -var msg22291 = msg("20124", dup202); - -var msg22292 = msg("20125", dup202); - -var msg22293 = msg("20126", dup202); - -var msg22294 = msg("20127", dup267); - -var msg22295 = msg("20128", dup202); - -var msg22296 = msg("20129", dup202); - -var msg22297 = msg("20130", dup267); - -var msg22298 = msg("20131", dup287); - -var msg22299 = msg("20132", dup198); - -var msg22300 = msg("20133", dup265); - -var msg22301 = msg("20134", dup197); - -var msg22302 = msg("20135", dup197); - -var msg22303 = msg("20136", dup202); - -var msg22304 = msg("20137", dup265); - -var msg22305 = msg("20138", dup287); - -var msg22306 = msg("20139", dup197); - -var msg22307 = msg("20140", dup197); - -var msg22308 = msg("20141", dup197); - -var msg22309 = msg("20142", dup267); - -var msg22310 = msg("20143", dup263); - -var msg22311 = msg("20144", dup267); - -var msg22312 = msg("20145", dup267); - -var msg22313 = msg("20146", dup202); - -var msg22314 = msg("20147", dup267); - -var msg22315 = msg("20148", dup267); - -var msg22316 = msg("20149", dup267); - -var msg22317 = msg("20150", dup267); - -var msg22318 = msg("20151", dup202); - -var msg22319 = msg("20152", dup267); - -var msg22320 = msg("20153", 
dup267); - -var msg22321 = msg("20154", dup267); - -var msg22322 = msg("20155", dup267); - -var msg22323 = msg("20156", dup267); - -var msg22324 = msg("20157", dup202); - -var msg22325 = msg("20158", dup265); - -var msg22326 = msg("20159", dup265); - -var msg22327 = msg("20160", dup265); - -var msg22328 = msg("20161", dup265); - -var msg22329 = msg("20162", dup265); - -var msg22330 = msg("20163", dup197); - -var msg22331 = msg("20164", dup197); - -var msg22332 = msg("20165", dup197); - -var msg22333 = msg("20166", dup197); - -var msg22334 = msg("20167", dup197); - -var msg22335 = msg("20168", dup267); - -var msg22336 = msg("20169", dup267); - -var msg22337 = msg("20170", dup267); - -var msg22338 = msg("20171", dup267); - -var msg22339 = msg("20172", dup202); - -var msg22340 = msg("20173", dup202); - -var msg22341 = msg("20174", dup202); - -var msg22342 = msg("20175", dup265); - -var msg22343 = msg("20176", dup197); - -var msg22344 = msg("20177", dup197); - -var msg22345 = msg("20178", dup198); - -var msg22346 = msg("20179", dup197); - -var msg22347 = msg("20180", dup197); - -var msg22348 = msg("20181", dup265); - -var msg22349 = msg("20182", dup265); - -var msg22350 = msg("20183", dup202); - -var msg22351 = msg("20184", dup199); - -var msg22352 = msg("20185", dup199); - -var msg22353 = msg("20186", dup199); - -var msg22354 = msg("20187", dup199); - -var msg22355 = msg("20188", dup199); - -var msg22356 = msg("20189", dup199); - -var msg22357 = msg("20190", dup199); - -var msg22358 = msg("20191", dup199); - -var msg22359 = msg("20192", dup199); - -var msg22360 = msg("20193", dup199); - -var msg22361 = msg("20194", dup199); - -var msg22362 = msg("20195", dup199); - -var msg22363 = msg("20196", dup199); - -var msg22364 = msg("20197", dup199); - -var msg22365 = msg("20198", dup199); - -var msg22366 = msg("20199", dup199); - -var msg22367 = msg("20200", dup199); - -var msg22368 = msg("20201", dup269); - -var msg22369 = msg("20202", dup202); - -var msg22370 = msg("20203", 
dup263); - -var msg22371 = msg("20204", dup192); - -var msg22372 = msg("20205", dup202); - -var msg22373 = msg("20206", dup202); - -var msg22374 = msg("20207", dup197); - -var msg22375 = msg("20208", dup197); - -var msg22376 = msg("20209", dup197); - -var msg22377 = msg("20210", dup197); - -var msg22378 = msg("20211", dup197); - -var msg22379 = msg("20212", dup202); - -var msg22380 = msg("20213", dup202); - -var msg22381 = msg("20214", dup267); - -var msg22382 = msg("20215", dup202); - -var msg22383 = msg("20216", dup198); - -var msg22384 = msg("20217", dup198); - -var msg22385 = msg("20218", dup198); - -var msg22386 = msg("20219", dup192); - -var msg22387 = msg("20220", dup263); - -var msg22388 = msg("20221", dup192); - -var msg22389 = msg("20222", dup192); - -var msg22390 = msg("20223", dup265); - -var msg22391 = msg("20224", dup197); - -var msg22392 = msg("20225", dup246); - -var msg22393 = msg("20226", dup197); - -var msg22394 = msg("20227", dup267); - -var msg22395 = msg("20228", dup202); - -var msg22396 = msg("20229", dup202); - -var msg22397 = msg("20230", dup269); - -var msg22398 = msg("20231", dup269); - -var msg22399 = msg("20232", dup192); - -var msg22400 = msg("20233", dup192); - -var msg22401 = msg("20234", dup192); - -var msg22402 = msg("20235", dup192); - -var msg22403 = msg("20236", dup197); - -var msg22404 = msg("20237", dup197); - -var msg22405 = msg("20238", dup267); - -var msg22406 = msg("20239", dup197); - -var msg22407 = msg("20240", dup197); - -var msg22408 = msg("20241", dup197); - -var msg22409 = msg("20242", dup197); - -var msg22410 = msg("20243", dup202); - -var msg22411 = msg("20244", dup202); - -var msg22412 = msg("20245", dup202); - -var msg22413 = msg("20246", dup267); - -var msg22414 = msg("20247", dup267); - -var msg22415 = msg("20248", dup255); - -var msg22416 = msg("20249", dup267); - -var msg22417 = msg("20250", dup197); - -var msg22418 = msg("20251", dup198); - -var msg22419 = msg("20252", dup202); - -var msg22420 = msg("20253", 
dup276); - -var msg22421 = msg("20254", dup267); - -var msg22422 = msg("20255", dup202); - -var msg22423 = msg("20256", dup267); - -var msg22424 = msg("20257", dup265); - -var msg22425 = msg("20258", dup201); - -var msg22426 = msg("20259", dup265); - -var msg22427 = msg("20260", dup265); - -var msg22428 = msg("20261", dup265); - -var msg22429 = msg("20262", dup265); - -var msg22430 = msg("20263", dup265); - -var msg22431 = msg("20264", dup267); - -var msg22432 = msg("20265", dup202); - -var msg22433 = msg("20266", dup267); - -var msg22434 = msg("20267", dup267); - -var msg22435 = msg("20268", dup269); - -var msg22436 = msg("20269", dup265); - -var msg22437 = msg("20270", dup267); - -var msg22438 = msg("20271", dup198); - -var msg22439 = msg("20272", dup197); - -var msg22440 = msg("20273", dup267); - -var msg22441 = msg("20274", dup255); - -var msg22442 = msg("20275", dup201); - -var msg22443 = msg("20276", dup202); - -var msg22444 = msg("20277", dup265); - -var msg22445 = msg("20278", dup265); - -var msg22446 = msg("20279", dup265); - -var msg22447 = msg("20280", dup202); - -var msg22448 = msg("20281", dup202); - -var msg22449 = msg("20282", dup265); - -var msg22450 = msg("20283", dup197); - -var msg22451 = msg("20284", dup197); - -var msg22452 = msg("20285", dup265); - -var msg22453 = msg("20286", dup265); - -var msg22454 = msg("20287", dup265); - -var msg22455 = msg("20288", dup197); - -var msg22456 = msg("20289", dup198); - -var msg22457 = msg("20290", dup198); - -var msg22458 = msg("20291", dup192); - -var msg22459 = msg("20292", dup192); - -var msg22460 = msg("20293", dup269); - -var msg22461 = msg("20294", dup267); - -var msg22462 = msg("20295", dup267); - -var msg22463 = msg("20296", dup202); - -var msg22464 = msg("20297", dup202); - -var msg22465 = msg("20298", dup287); - -var msg22466 = msg("20299", dup287); - -var msg22467 = msg("20300", dup201); - -var msg22468 = msg("20301", dup201); - -var msg22469 = msg("20302", dup202); - -var msg22470 = msg("20303", 
dup287); - -var msg22471 = msg("20304", dup287); - -var msg22472 = msg("20305", dup287); - -var msg22473 = msg("20306", dup287); - -var msg22474 = msg("20307", dup287); - -var msg22475 = msg("20308", dup287); - -var msg22476 = msg("20309", dup202); - -var msg22477 = msg("20310", dup202); - -var msg22478 = msg("20311", dup202); - -var msg22479 = msg("20312", dup287); - -var msg22480 = msg("20313", dup202); - -var msg22481 = msg("20314", dup287); - -var msg22482 = msg("20315", dup287); - -var msg22483 = msg("20316", dup202); - -var msg22484 = msg("20317", dup202); - -var msg22485 = msg("20318", dup287); - -var msg22486 = msg("20319", dup287); - -var msg22487 = msg("20320", dup201); - -var msg22488 = msg("20321", dup201); - -var msg22489 = msg("20322", dup287); - -var msg22490 = msg("20323", dup287); - -var msg22491 = msg("20324", dup287); - -var msg22492 = msg("20325", dup287); - -var msg22493 = msg("20326", dup287); - -var msg22494 = msg("20327", dup287); - -var msg22495 = msg("20328", dup202); - -var msg22496 = msg("20329", dup202); - -var msg22497 = msg("20330", dup202); - -var msg22498 = msg("20331", dup202); - -var msg22499 = msg("20332", dup202); - -var msg22500 = msg("20333", dup287); - -var msg22501 = msg("20334", dup201); - -var msg22502 = msg("20335", dup201); - -var msg22503 = msg("20336", dup287); - -var msg22504 = msg("20337", dup287); - -var msg22505 = msg("20338", dup287); - -var msg22506 = msg("20339", dup287); - -var msg22507 = msg("20340", dup287); - -var msg22508 = msg("20341", dup287); - -var msg22509 = msg("20342", dup202); - -var msg22510 = msg("20343", dup202); - -var msg22511 = msg("20344", dup202); - -var msg22512 = msg("20345", dup202); - -var msg22513 = msg("20346", dup202); - -var msg22514 = msg("20347", dup202); - -var msg22515 = msg("20348", dup201); - -var msg22516 = msg("20349", dup201); - -var msg22517 = msg("20350", dup287); - -var msg22518 = msg("20351", dup287); - -var msg22519 = msg("20352", dup201); - -var msg22520 = msg("20353", 
dup287); - -var msg22521 = msg("20354", dup287); - -var msg22522 = msg("20355", dup287); - -var msg22523 = msg("20356", dup201); - -var msg22524 = msg("20357", dup201); - -var msg22525 = msg("20358", dup287); - -var msg22526 = msg("20359", dup287); - -var msg22527 = msg("20360", dup202); - -var msg22528 = msg("20361", dup202); - -var msg22529 = msg("20362", dup202); - -var msg22530 = msg("20363", dup202); - -var msg22531 = msg("20364", dup287); - -var msg22532 = msg("20365", dup287); - -var msg22533 = msg("20366", dup201); - -var msg22534 = msg("20367", dup201); - -var msg22535 = msg("20368", dup287); - -var msg22536 = msg("20369", dup287); - -var msg22537 = msg("20370", dup287); - -var msg22538 = msg("20371", dup287); - -var msg22539 = msg("20372", dup287); - -var msg22540 = msg("20373", dup287); - -var msg22541 = msg("20374", dup202); - -var msg22542 = msg("20375", dup202); - -var msg22543 = msg("20376", dup287); - -var msg22544 = msg("20377", dup287); - -var msg22545 = msg("20378", dup287); - -var msg22546 = msg("20379", dup287); - -var msg22547 = msg("20380", dup287); - -var msg22548 = msg("20381", dup202); - -var msg22549 = msg("20382", dup202); - -var msg22550 = msg("20383", dup202); - -var msg22551 = msg("20384", dup202); - -var msg22552 = msg("20385", dup201); - -var msg22553 = msg("20386", dup202); - -var msg22554 = msg("20387", dup201); - -var msg22555 = msg("20388", dup201); - -var msg22556 = msg("20389", dup201); - -var msg22557 = msg("20390", dup202); - -var msg22558 = msg("20391", dup201); - -var msg22559 = msg("20392", dup201); - -var msg22560 = msg("20393", dup197); - -var msg22561 = msg("20394", dup197); - -var msg22562 = msg("20395", dup197); - -var msg22563 = msg("20396", dup197); - -var msg22564 = msg("20397", dup197); - -var msg22565 = msg("20398", dup197); - -var msg22566 = msg("20399", dup197); - -var msg22567 = msg("20400", dup197); - -var msg22568 = msg("20401", dup197); - -var msg22569 = msg("20402", dup197); - -var msg22570 = msg("20403", 
dup197); - -var msg22571 = msg("20404", dup202); - -var msg22572 = msg("20405", dup287); - -var msg22573 = msg("20406", dup202); - -var msg22574 = msg("20407", dup202); - -var msg22575 = msg("20408", dup202); - -var msg22576 = msg("20409", dup202); - -var msg22577 = msg("20410", dup273); - -var msg22578 = msg("20411", dup202); - -var msg22579 = msg("20412", dup202); - -var msg22580 = msg("20413", dup202); - -var msg22581 = msg("20414", dup287); - -var msg22582 = msg("20415", dup202); - -var msg22583 = msg("20416", dup202); - -var msg22584 = msg("20417", dup202); - -var msg22585 = msg("20418", dup202); - -var msg22586 = msg("20419", dup273); - -var msg22587 = msg("20420", dup202); - -var msg22588 = msg("20421", dup202); - -var msg22589 = msg("20422", dup287); - -var msg22590 = msg("20423", dup287); - -var msg22591 = msg("20424", dup287); - -var msg22592 = msg("20425", dup287); - -var msg22593 = msg("20426", dup201); - -var msg22594 = msg("20427", dup287); - -var msg22595 = msg("20428", dup192); - -var msg22596 = msg("20429", dup267); - -var msg22597 = msg("20430", dup265); - -var msg22598 = msg("20431", dup197); - -var msg22599 = msg("20432", dup192); - -var msg22600 = msg("20433", dup303); - -var msg22601 = msg("20434", dup263); - -var msg22602 = msg("20435", dup192); - -var msg22603 = msg("20436", dup198); - -var msg22604 = msg("20437", dup198); - -var msg22605 = msg("20438", dup198); - -var msg22606 = msg("20439", dup198); - -var msg22607 = msg("20440", dup197); - -var msg22608 = msg("20441", dup197); - -var msg22609 = msg("20442", dup197); - -var msg22610 = msg("20443", dup202); - -var msg22611 = msg("20444", dup197); - -var msg22612 = msg("20445", dup197); - -var msg22613 = msg("20446", dup197); - -var msg22614 = msg("20447", dup192); - -var msg22615 = msg("20448", dup192); - -var msg22616 = msg("20449", dup238); - -var msg22617 = msg("20450", dup202); - -var msg22618 = msg("20451", dup202); - -var msg22619 = msg("20452", dup287); - -var msg22620 = msg("20453", 
dup287); - -var msg22621 = msg("20454", dup287); - -var msg22622 = msg("20455", dup202); - -var msg22623 = msg("20456", dup202); - -var msg22624 = msg("20457", dup202); - -var msg22625 = msg("20458", dup287); - -var msg22626 = msg("20459", dup202); - -var msg22627 = msg("20460", dup202); - -var msg22628 = msg("20461", dup202); - -var msg22629 = msg("20462", dup202); - -var msg22630 = msg("20463", dup287); - -var msg22631 = msg("20464", dup287); - -var msg22632 = msg("20465", dup287); - -var msg22633 = msg("20466", dup287); - -var msg22634 = msg("20467", dup287); - -var msg22635 = msg("20468", dup287); - -var msg22636 = msg("20469", dup287); - -var msg22637 = msg("20470", dup202); - -var msg22638 = msg("20471", dup202); - -var msg22639 = msg("20472", dup202); - -var msg22640 = msg("20473", dup202); - -var msg22641 = msg("20474", dup202); - -var msg22642 = msg("20475", dup202); - -var msg22643 = msg("20476", dup202); - -var msg22644 = msg("20477", dup202); - -var msg22645 = msg("20478", dup202); - -var msg22646 = msg("20479", dup202); - -var msg22647 = msg("20480", dup202); - -var msg22648 = msg("20481", dup202); - -var msg22649 = msg("20482", dup202); - -var msg22650 = msg("20483", dup202); - -var msg22651 = msg("20484", dup202); - -var msg22652 = msg("20485", dup287); - -var msg22653 = msg("20486", dup202); - -var msg22654 = msg("20487", dup287); - -var msg22655 = msg("20488", dup202); - -var msg22656 = msg("20489", dup202); - -var msg22657 = msg("20490", dup202); - -var msg22658 = msg("20491", dup202); - -var msg22659 = msg("20492", dup202); - -var msg22660 = msg("20493", dup202); - -var msg22661 = msg("20494", dup202); - -var msg22662 = msg("20495", dup202); - -var msg22663 = msg("20496", dup202); - -var msg22664 = msg("20497", dup202); - -var msg22665 = msg("20498", dup202); - -var msg22666 = msg("20499", dup202); - -var msg22667 = msg("20500", dup202); - -var msg22668 = msg("20501", dup202); - -var msg22669 = msg("20502", dup202); - -var msg22670 = msg("20503", 
dup202); - -var msg22671 = msg("20504", dup202); - -var msg22672 = msg("20505", dup202); - -var msg22673 = msg("20506", dup202); - -var msg22674 = msg("20507", dup202); - -var msg22675 = msg("20508", dup202); - -var msg22676 = msg("20509", dup202); - -var msg22677 = msg("20510", dup202); - -var msg22678 = msg("20511", dup202); - -var msg22679 = msg("20512", dup202); - -var msg22680 = msg("20513", dup202); - -var msg22681 = msg("20514", dup202); - -var msg22682 = msg("20515", dup202); - -var msg22683 = msg("20516", dup202); - -var msg22684 = msg("20517", dup202); - -var msg22685 = msg("20518", dup202); - -var msg22686 = msg("20519", dup202); - -var msg22687 = msg("20520", dup202); - -var msg22688 = msg("20521", dup202); - -var msg22689 = msg("20522", dup202); - -var msg22690 = msg("20523", dup269); - -var msg22691 = msg("20524", dup269); - -var msg22692 = msg("20525", dup192); - -var msg22693 = msg("20526", dup263); - -var msg22694 = msg("20527", dup202); - -var msg22695 = msg("20528", dup265); - -var msg22696 = msg("20529", dup267); - -var msg22697 = msg("20530", dup265); - -var msg22698 = msg("20531", dup265); - -var msg22699 = msg("20532", dup197); - -var msg22700 = msg("20533", dup265); - -var msg22701 = msg("20534", dup201); - -var msg22702 = msg("20535", dup265); - -var msg22703 = msg("20536", dup265); - -var msg22704 = msg("20537", dup265); - -var msg22705 = msg("20538", dup265); - -var msg22706 = msg("20539", dup265); - -var msg22707 = msg("20540", dup202); - -var msg22708 = msg("20541", dup276); - -var msg22709 = msg("20542", dup267); - -var msg22710 = msg("20543", dup201); - -var msg22711 = msg("20544", dup202); - -var msg22712 = msg("20545", dup202); - -var msg22713 = msg("20546", dup197); - -var msg22714 = msg("20547", dup197); - -var msg22715 = msg("20548", dup319); - -var msg22716 = msg("20549", dup287); - -var msg22717 = msg("20550", dup201); - -var msg22718 = msg("20551", dup197); - -var msg22719 = msg("20552", dup197); - -var msg22720 = msg("20553", 
dup197); - -var msg22721 = msg("20554", dup267); - -var msg22722 = msg("20555", dup197); - -var msg22723 = msg("20556", dup202); - -var msg22724 = msg("20557", dup197); - -var msg22725 = msg("20558", dup269); - -var msg22726 = msg("20559", dup197); - -var msg22727 = msg("20560", dup201); - -var msg22728 = msg("20561", dup192); - -var msg22729 = msg("20562", dup192); - -var msg22730 = msg("20563", dup202); - -var msg22731 = msg("20564", dup202); - -var msg22732 = msg("20565", dup197); - -var msg22733 = msg("20566", dup197); - -var msg22734 = msg("20567", dup267); - -var msg22735 = msg("20568", dup201); - -var msg22736 = msg("20569", dup202); - -var msg22737 = msg("20570", dup202); - -var msg22738 = msg("20571", dup202); - -var msg22739 = msg("20572", dup197); - -var msg22740 = msg("20573", dup265); - -var msg22741 = msg("20574", dup265); - -var msg22742 = msg("20575", dup267); - -var msg22743 = msg("20576", dup197); - -var msg22744 = msg("20577", dup267); - -var msg22745 = msg("20578", dup197); - -var msg22746 = msg("20579", dup267); - -var msg22747 = msg("20580", dup265); - -var msg22748 = msg("20581", dup267); - -var msg22749 = msg("20582", dup267); - -var msg22750 = msg("20583", dup265); - -var msg22751 = msg("20584", dup265); - -var msg22752 = msg("20585", dup265); - -var msg22753 = msg("20586", dup265); - -var msg22754 = msg("20587", dup192); - -var msg22755 = msg("20588", dup202); - -var msg22756 = msg("20589", dup202); - -var msg22757 = msg("20590", dup267); - -var msg22758 = msg("20591", dup265); - -var msg22759 = msg("20592", dup265); - -var msg22760 = msg("20593", dup265); - -var msg22761 = msg("20594", dup197); - -var msg22762 = msg("20595", dup192); - -var msg22763 = msg("20596", dup267); - -var msg22764 = msg("20597", dup267); - -var msg22765 = msg("20598", dup267); - -var msg22766 = msg("20599", dup267); - -var msg22767 = msg("20600", dup202); - -var msg22768 = msg("20601", dup202); - -var msg22769 = msg("20602", dup202); - -var msg22770 = msg("20603", 
dup197); - -var msg22771 = msg("20604", dup192); - -var msg22772 = msg("20605", dup192); - -var msg22773 = msg("20606", dup192); - -var msg22774 = msg("20607", dup197); - -var msg22775 = msg("20608", dup197); - -var msg22776 = msg("20609", dup197); - -var msg22777 = msg("20610", dup267); - -var msg22778 = msg("20611", dup197); - -var msg22779 = msg("20612", dup198); - -var msg22780 = msg("20613", dup198); - -var msg22781 = msg("20614", dup267); - -var msg22782 = msg("20615", dup260); - -var msg22783 = msg("20616", dup197); - -var msg22784 = msg("20617", dup267); - -var msg22785 = msg("20618", dup267); - -var msg22786 = msg("20619", dup197); - -var msg22787 = msg("20620", dup197); - -var msg22788 = msg("20621", dup202); - -var msg22789 = msg("20622", dup201); - -var msg22790 = msg("20623", dup260); - -var msg22791 = msg("20624", dup260); - -var msg22792 = msg("20625", dup260); - -var msg22793 = msg("20626", dup192); - -var msg22794 = msg("20627", dup192); - -var msg22795 = msg("20628", dup260); - -var msg22796 = msg("20629", dup260); - -var msg22797 = msg("20630", dup202); - -var msg22798 = msg("20631", dup202); - -var msg22799 = msg("20632", dup202); - -var msg22800 = msg("20633", dup202); - -var msg22801 = msg("20634", dup198); - -var msg22802 = msg("20635", dup260); - -var msg22803 = msg("20636", dup267); - -var msg22804 = msg("20637", dup267); - -var msg22805 = msg("20638", dup267); - -var msg22806 = msg("20639", dup263); - -var msg22807 = msg("20640", dup260); - -var msg22808 = msg("20641", dup260); - -var msg22809 = msg("20642", dup260); - -var msg22810 = msg("20643", dup260); - -var msg22811 = msg("20644", dup260); - -var msg22812 = msg("20645", dup260); - -var msg22813 = msg("20646", dup260); - -var msg22814 = msg("20647", dup260); - -var msg22815 = msg("20648", dup260); - -var msg22816 = msg("20649", dup260); - -var msg22817 = msg("20650", dup202); - -var msg22818 = msg("20651", dup202); - -var msg22819 = msg("20652", dup202); - -var msg22820 = msg("20653", 
dup197); - -var msg22821 = msg("20654", dup202); - -var msg22822 = msg("20655", dup267); - -var msg22823 = msg("20656", dup202); - -var msg22824 = msg("20657", dup202); - -var msg22825 = msg("20658", dup202); - -var msg22826 = msg("20659", dup267); - -var msg22827 = msg("20660", dup201); - -var msg22828 = msg("20661", dup202); - -var msg22829 = msg("20662", dup197); - -var msg22830 = msg("20663", dup202); - -var msg22831 = msg("20664", dup265); - -var msg22832 = msg("20665", dup265); - -var msg22833 = msg("20666", dup197); - -var msg22834 = msg("20667", dup197); - -var msg22835 = msg("20668", dup269); - -var msg22836 = msg("20669", dup269); - -var msg22837 = msg("20670", dup197); - -var msg22838 = msg("20671", dup267); - -var msg22839 = msg("20672", dup202); - -var msg22840 = msg("20673", dup267); - -var msg22841 = msg("20674", dup267); - -var msg22842 = msg("20675", dup267); - -var msg22843 = msg("20676", dup192); - -var msg22844 = msg("20677", dup192); - -var msg22845 = msg("20678", dup192); - -var msg22846 = msg("20679", dup192); - -var msg22847 = msg("20680", dup202); - -var msg22848 = msg("20681", dup192); - -var msg22849 = msg("20682", dup192); - -var msg22850 = msg("20683", dup202); - -var msg22851 = msg("20684", dup202); - -var msg22852 = msg("20685", dup192); - -var msg22853 = msg("20686", dup192); - -var msg22854 = msg("20687", dup192); - -var msg22855 = msg("20688", dup192); - -var msg22856 = msg("20689", dup192); - -var msg22857 = msg("20690", dup198); - -var msg22858 = msg("20691", dup265); - -var msg22859 = msg("20692", dup265); - -var msg22860 = msg("20693", dup192); - -var msg22861 = msg("20694", dup192); - -var msg22862 = msg("20695", dup192); - -var msg22863 = msg("20696", dup192); - -var msg22864 = msg("20697", dup192); - -var msg22865 = msg("20698", dup199); - -var msg22866 = msg("20699", dup267); - -var msg22867 = msg("20700", dup276); - -var msg22868 = msg("20701", dup276); - -var msg22869 = msg("20702", dup267); - -var msg22870 = msg("20703", 
dup267); - -var msg22871 = msg("20704", dup267); - -var msg22872 = msg("20705", dup265); - -var msg22873 = msg("20706", dup265); - -var msg22874 = msg("20707", dup265); - -var msg22875 = msg("20708", dup265); - -var msg22876 = msg("20709", dup265); - -var msg22877 = msg("20710", dup265); - -var msg22878 = msg("20711", dup265); - -var msg22879 = msg("20712", dup265); - -var msg22880 = msg("20713", dup265); - -var msg22881 = msg("20714", dup265); - -var msg22882 = msg("20715", dup265); - -var msg22883 = msg("20716", dup265); - -var msg22884 = msg("20717", dup202); - -var msg22885 = msg("20718", dup267); - -var msg22886 = msg("20719", dup267); - -var msg22887 = msg("20720", dup267); - -var msg22888 = msg("20721", dup267); - -var msg22889 = msg("20722", dup201); - -var msg22890 = msg("20723", dup202); - -var msg22891 = msg("20724", dup202); - -var msg22892 = msg("20725", dup198); - -var msg22893 = msg("20726", dup197); - -var msg22894 = msg("20727", dup265); - -var msg22895 = msg("20728", dup202); - -var msg22896 = msg("20729", dup267); - -var msg22897 = msg("20730", dup202); - -var msg22898 = msg("20731", dup202); - -var msg22899 = msg("20732", dup202); - -var msg22900 = msg("20733", dup202); - -var msg22901 = msg("20734", dup197); - -var msg22902 = msg("20735", dup202); - -var msg22903 = msg("20736", dup265); - -var msg22904 = msg("20737", dup285); - -var msg22905 = msg("20738", dup197); - -var msg22906 = msg("20739", dup265); - -var msg22907 = msg("20740", dup197); - -var msg22908 = msg("20741", dup198); - -var msg22909 = msg("20742", dup201); - -var msg22910 = msg("20743", dup201); - -var msg22911 = msg("20744", dup267); - -var msg22912 = msg("20745", dup197); - -var msg22913 = msg("20746", dup197); - -var msg22914 = msg("20747", dup197); - -var msg22915 = msg("20748", dup267); - -var msg22916 = msg("20749", dup197); - -var msg22917 = msg("20750", dup202); - -var msg22918 = msg("20751", dup202); - -var msg22919 = msg("20752", dup303); - -var msg22920 = msg("20753", 
dup303); - -var msg22921 = msg("20754", dup202); - -var msg22922 = msg("20755", dup202); - -var msg22923 = msg("20756", dup202); - -var msg22924 = msg("20757", dup202); - -var msg22925 = msg("20758", dup287); - -var msg22926 = msg("20759", dup192); - -var msg22927 = msg("20760", dup269); - -var msg22928 = msg("20761", dup197); - -var msg22929 = msg("20762", dup202); - -var msg22930 = msg("20763", dup192); - -var msg22931 = msg("20764", dup197); - -var msg22932 = msg("20765", dup265); - -var msg22933 = msg("20766", dup267); - -var msg22934 = msg("20767", dup267); - -var msg22935 = msg("20768", dup267); - -var msg22936 = msg("20769", dup267); - -var msg22937 = msg("20770", dup267); - -var msg22938 = msg("20771", dup267); - -var msg22939 = msg("20772", dup267); - -var msg22940 = msg("20773", dup267); - -var msg22941 = msg("20774", dup267); - -var msg22942 = msg("20775", dup267); - -var msg22943 = msg("20776", dup267); - -var msg22944 = msg("20777", dup267); - -var msg22945 = msg("20778", dup287); - -var msg22946 = msg("20779", dup287); - -var msg22947 = msg("20780", dup287); - -var msg22948 = msg("20781", dup287); - -var msg22949 = msg("20782", dup287); - -var msg22950 = msg("20783", dup287); - -var msg22951 = msg("20784", dup287); - -var msg22952 = msg("20785", dup287); - -var msg22953 = msg("20786", dup267); - -var msg22954 = msg("20787", dup267); - -var msg22955 = msg("20788", dup267); - -var msg22956 = msg("20789", dup267); - -var msg22957 = msg("20790", dup267); - -var msg22958 = msg("20791", dup202); - -var msg22959 = msg("20792", dup202); - -var msg22960 = msg("20793", dup202); - -var msg22961 = msg("20794", dup202); - -var msg22962 = msg("20795", dup202); - -var msg22963 = msg("20796", dup202); - -var msg22964 = msg("20797", dup202); - -var msg22965 = msg("20798", dup202); - -var msg22966 = msg("20799", dup202); - -var msg22967 = msg("20800", dup202); - -var msg22968 = msg("20801", dup202); - -var msg22969 = msg("20802", dup267); - -var msg22970 = msg("20803", 
dup287); - -var msg22971 = msg("20804", dup267); - -var msg22972 = msg("20805", dup267); - -var msg22973 = msg("20806", dup267); - -var msg22974 = msg("20807", dup267); - -var msg22975 = msg("20808", dup267); - -var msg22976 = msg("20809", dup267); - -var msg22977 = msg("20810", dup267); - -var msg22978 = msg("20811", dup267); - -var msg22979 = msg("20812", dup197); - -var msg22980 = msg("20813", dup197); - -var msg22981 = msg("20814", dup201); - -var msg22982 = msg("20815", dup202); - -var msg22983 = msg("20816", dup202); - -var msg22984 = msg("20817", dup202); - -var msg22985 = msg("20818", dup202); - -var msg22986 = msg("20819", dup265); - -var msg22987 = msg("20820", dup267); - -var msg22988 = msg("20821", dup267); - -var msg22989 = msg("20822", dup267); - -var msg22990 = msg("20823", dup267); - -var msg22991 = msg("20824", dup267); - -var msg22992 = msg("20825", dup267); - -var msg22993 = msg("20826", dup201); - -var msg22994 = msg("20827", dup267); - -var msg22995 = msg("20828", dup265); - -var msg22996 = msg("20829", dup265); - -var msg22997 = msg("20830", dup192); - -var msg22998 = msg("20831", dup201); - -var msg22999 = msg("20832", dup260); - -var msg23000 = msg("20833", dup263); - -var msg23001 = msg("20834", dup267); - -var msg23002 = msg("20835", dup267); - -var msg23003 = msg("20836", dup202); - -var msg23004 = msg("20837", dup192); - -var msg23005 = msg("20838", dup192); - -var msg23006 = msg("20839", dup202); - -var msg23007 = msg("20840", dup202); - -var msg23008 = msg("20841", dup202); - -var msg23009 = msg("20842", dup197); - -var msg23010 = msg("20843", dup197); - -var msg23011 = msg("20844", dup202); - -var msg23012 = msg("20845", dup267); - -var msg23013 = msg("20846", dup197); - -var msg23014 = msg("20847", dup197); - -var msg23015 = msg("20848", dup202); - -var msg23016 = msg("20849", dup202); - -var msg23017 = msg("20850", dup202); - -var msg23018 = msg("20851", dup202); - -var msg23019 = msg("20852", dup287); - -var msg23020 = msg("20853", 
dup201); - -var msg23021 = msg("20854", dup202); - -var msg23022 = msg("20855", dup202); - -var msg23023 = msg("20856", dup202); - -var msg23024 = msg("20857", dup202); - -var msg23025 = msg("20858", dup197); - -var msg23026 = msg("20859", dup287); - -var msg23027 = msg("20860", dup202); - -var msg23028 = msg("20861", dup201); - -var msg23029 = msg("20862", dup265); - -var msg23030 = msg("20863", dup265); - -var msg23031 = msg("20864", dup265); - -var msg23032 = msg("20865", dup265); - -var msg23033 = msg("20866", dup265); - -var msg23034 = msg("20867", dup265); - -var msg23035 = msg("20868", dup265); - -var msg23036 = msg("20869", dup287); - -var msg23037 = msg("20870", dup201); - -var msg23038 = msg("20871", dup267); - -var msg23039 = msg("20872", dup267); - -var msg23040 = msg("20873", dup202); - -var msg23041 = msg("20874", dup267); - -var msg23042 = msg("20875", dup265); - -var msg23043 = msg("20876", dup267); - -var msg23044 = msg("20877", dup238); - -var msg23045 = msg("20878", dup276); - -var msg23046 = msg("20879", dup267); - -var msg23047 = msg("20880", dup267); - -var msg23048 = msg("20881", dup202); - -var msg23049 = msg("20882", dup202); - -var msg23050 = msg("20883", dup265); - -var msg23051 = msg("20884", dup267); - -var msg23052 = msg("20885", dup202); - -var msg23053 = msg("20886", dup202); - -var msg23054 = msg("20887", dup202); - -var msg23055 = msg("20888", dup202); - -var msg23056 = msg("20889", dup197); - -var msg23057 = msg("20890", dup202); - -var msg23058 = msg("20891", dup202); - -var msg23059 = msg("20892", dup238); - -var msg23060 = msg("20893", dup202); - -var msg23061 = msg("20894", dup202); - -var msg23062 = msg("20895", dup287); - -var msg23063 = msg("20896", dup287); - -var msg23064 = msg("20897", dup202); - -var msg23065 = msg("20898", dup202); - -var msg23066 = msg("20899", dup202); - -var msg23067 = msg("20900", dup197); - -var msg23068 = msg("20901", dup267); - -var msg23069 = msg("20902", dup197); - -var msg23070 = msg("20903", 
dup197); - -var msg23071 = msg("20904", dup197); - -var msg23072 = msg("20905", dup202); - -var msg23073 = msg("20906", dup202); - -var msg23074 = msg("20907", dup202); - -var msg23075 = msg("20908", dup202); - -var msg23076 = msg("20909", dup269); - -var msg23077 = msg("20910", dup269); - -var msg23078 = msg("20911", dup202); - -var msg23079 = msg("20912", dup202); - -var msg23080 = msg("20913", dup202); - -var msg23081 = msg("20914", dup202); - -var msg23082 = msg("20915", dup202); - -var msg23083 = msg("20916", dup202); - -var msg23084 = msg("20917", dup202); - -var msg23085 = msg("20918", dup202); - -var msg23086 = msg("20919", dup267); - -var msg23087 = msg("20920", dup267); - -var msg23088 = msg("20921", dup197); - -var msg23089 = msg("20922", dup197); - -var msg23090 = msg("20923", dup197); - -var msg23091 = msg("20924", dup202); - -var msg23092 = msg("20925", dup202); - -var msg23093 = msg("20926", dup202); - -var msg23094 = msg("20927", dup192); - -var msg23095 = msg("20928", dup202); - -var msg23096 = msg("20929", dup202); - -var msg23097 = msg("20930", dup202); - -var msg23098 = msg("20931", dup202); - -var msg23099 = msg("20932", dup202); - -var msg23100 = msg("20933", dup202); - -var msg23101 = msg("20934", dup202); - -var msg23102 = msg("20935", dup202); - -var msg23103 = msg("20936", dup202); - -var msg23104 = msg("20937", dup202); - -var msg23105 = msg("20938", dup202); - -var msg23106 = msg("20939", dup202); - -var msg23107 = msg("20940", dup202); - -var msg23108 = msg("20941", dup202); - -var msg23109 = msg("20942", dup202); - -var msg23110 = msg("20943", dup202); - -var msg23111 = msg("20944", dup202); - -var msg23112 = msg("20945", dup202); - -var msg23113 = msg("20946", dup202); - -var msg23114 = msg("20947", dup202); - -var msg23115 = msg("20948", dup202); - -var msg23116 = msg("20949", dup265); - -var msg23117 = msg("20950", dup202); - -var msg23118 = msg("20951", dup202); - -var msg23119 = msg("20952", dup202); - -var msg23120 = msg("20953", 
dup202); - -var msg23121 = msg("20954", dup202); - -var msg23122 = msg("20955", dup202); - -var msg23123 = msg("20956", dup202); - -var msg23124 = msg("20957", dup202); - -var msg23125 = msg("20958", dup202); - -var msg23126 = msg("20959", dup202); - -var msg23127 = msg("20960", dup202); - -var msg23128 = msg("20961", dup202); - -var msg23129 = msg("20962", dup202); - -var msg23130 = msg("20963", dup202); - -var msg23131 = msg("20964", dup202); - -var msg23132 = msg("20965", dup202); - -var msg23133 = msg("20966", dup202); - -var msg23134 = msg("20967", dup202); - -var msg23135 = msg("20968", dup202); - -var msg23136 = msg("20969", dup202); - -var msg23137 = msg("20970", dup202); - -var msg23138 = msg("20971", dup202); - -var msg23139 = msg("20972", dup202); - -var msg23140 = msg("20973", dup202); - -var msg23141 = msg("20974", dup202); - -var msg23142 = msg("20975", dup202); - -var msg23143 = msg("20976", dup202); - -var msg23144 = msg("20977", dup202); - -var msg23145 = msg("20978", dup202); - -var msg23146 = msg("20979", dup202); - -var msg23147 = msg("20980", dup202); - -var msg23148 = msg("20981", dup202); - -var msg23149 = msg("20982", dup202); - -var msg23150 = msg("20983", dup202); - -var msg23151 = msg("20984", dup202); - -var msg23152 = msg("20985", dup202); - -var msg23153 = msg("20986", dup202); - -var msg23154 = msg("20987", dup202); - -var msg23155 = msg("20988", dup267); - -var msg23156 = msg("20989", dup199); - -var msg23157 = msg("20990", dup199); - -var msg23158 = msg("20991", dup202); - -var msg23159 = msg("20992", dup202); - -var msg23160 = msg("20993", dup197); - -var msg23161 = msg("20994", dup197); - -var msg23162 = msg("20995", dup202); - -var msg23163 = msg("20996", dup202); - -var msg23164 = msg("20997", dup267); - -var msg23165 = msg("20998", dup267); - -var msg23166 = msg("20999", dup202); - -var msg23167 = msg("21000", dup202); - -var msg23168 = msg("21001", dup202); - -var msg23169 = msg("21002", dup202); - -var msg23170 = msg("21003", 
dup202); - -var msg23171 = msg("21004", dup202); - -var msg23172 = msg("21005", dup202); - -var msg23173 = msg("21006", dup202); - -var msg23174 = msg("21007", dup202); - -var msg23175 = msg("21008", dup202); - -var msg23176 = msg("21009", dup202); - -var msg23177 = msg("21010", dup202); - -var msg23178 = msg("21011", dup202); - -var msg23179 = msg("21012", dup202); - -var msg23180 = msg("21013", dup202); - -var msg23181 = msg("21014", dup202); - -var msg23182 = msg("21015", dup202); - -var msg23183 = msg("21016", dup202); - -var msg23184 = msg("21017", dup202); - -var msg23185 = msg("21018", dup202); - -var msg23186 = msg("21019", dup197); - -var msg23187 = msg("21020", dup197); - -var msg23188 = msg("21021", dup197); - -var msg23189 = msg("21022", dup265); - -var msg23190 = msg("21023", dup265); - -var msg23191 = msg("21024", dup265); - -var msg23192 = msg("21025", dup202); - -var msg23193 = msg("21026", dup265); - -var msg23194 = msg("21027", dup202); - -var msg23195 = msg("21028", dup192); - -var msg23196 = msg("21029", dup265); - -var msg23197 = msg("21030", dup265); - -var msg23198 = msg("21031", dup265); - -var msg23199 = msg("21032", dup265); - -var msg23200 = msg("21033", dup265); - -var msg23201 = msg("21034", dup265); - -var msg23202 = msg("21035", dup202); - -var msg23203 = msg("21036", dup202); - -var msg23204 = msg("21037", dup287); - -var msg23205 = msg("21038", dup287); - -var msg23206 = msg("21039", dup287); - -var msg23207 = msg("21040", dup287); - -var msg23208 = msg("21041", dup202); - -var msg23209 = msg("21042", dup202); - -var msg23210 = msg("21043", dup202); - -var msg23211 = msg("21044", dup202); - -var msg23212 = msg("21045", dup202); - -var msg23213 = msg("21046", dup269); - -var msg23214 = msg("21047", dup269); - -var msg23215 = msg("21048", dup263); - -var msg23216 = msg("21049", dup263); - -var msg23217 = msg("21050", dup197); - -var msg23218 = msg("21051", dup267); - -var msg23219 = msg("21052", dup202); - -var msg23220 = msg("21053", 
dup202); - -var msg23221 = msg("21054", dup202); - -var msg23222 = msg("21055", dup192); - -var msg23223 = msg("21056", dup202); - -var msg23224 = msg("21057", dup201); - -var msg23225 = msg("21058", dup202); - -var msg23226 = msg("21059", dup202); - -var msg23227 = msg("21060", dup267); - -var msg23228 = msg("21061", dup202); - -var msg23229 = msg("21062", dup202); - -var msg23230 = msg("21063", dup265); - -var msg23231 = msg("21064", dup265); - -var msg23232 = msg("21065", dup201); - -var msg23233 = msg("21066", dup201); - -var msg23234 = msg("21067", dup201); - -var msg23235 = msg("21068", dup267); - -var msg23236 = msg("21069", dup267); - -var msg23237 = msg("21070", dup267); - -var msg23238 = msg("21071", dup267); - -var msg23239 = msg("21072", dup267); - -var msg23240 = msg("21073", dup267); - -var msg23241 = msg("21074", dup267); - -var msg23242 = msg("21075", dup267); - -var msg23243 = msg("21076", dup265); - -var msg23244 = msg("21077", dup202); - -var msg23245 = msg("21078", dup267); - -var msg23246 = msg("21079", dup202); - -var msg23247 = msg("21080", dup267); - -var msg23248 = msg("21081", dup267); - -var msg23249 = msg("21082", dup202); - -var msg23250 = msg("21083", dup202); - -var msg23251 = msg("21084", dup260); - -var msg23252 = msg("21085", dup260); - -var msg23253 = msg("21086", dup267); - -var msg23254 = msg("21087", dup238); - -var msg23255 = msg("21088", dup267); - -var msg23256 = msg("21089", dup267); - -var msg23257 = msg("21090", dup267); - -var msg23258 = msg("21091", dup267); - -var msg23259 = msg("21092", dup267); - -var msg23260 = msg("21093", dup267); - -var msg23261 = msg("21094", dup265); - -var msg23262 = msg("21095", dup265); - -var msg23263 = msg("21096", dup267); - -var msg23264 = msg("21097", dup267); - -var msg23265 = msg("21098", dup267); - -var msg23266 = msg("21099", dup267); - -var msg23267 = msg("21100", dup197); - -var msg23268 = msg("21101", dup287); - -var msg23269 = msg("21102", dup287); - -var msg23270 = msg("21103", 
dup287); - -var msg23271 = msg("21104", dup198); - -var msg23272 = msg("21105", dup197); - -var msg23273 = msg("21106", dup202); - -var msg23274 = msg("21107", dup197); - -var msg23275 = msg("21108", dup267); - -var msg23276 = msg("21109", dup202); - -var msg23277 = msg("21110", dup202); - -var msg23278 = msg("21111", dup202); - -var msg23279 = msg("21112", dup267); - -var msg23280 = msg("21113", dup202); - -var msg23281 = msg("21114", dup202); - -var msg23282 = msg("21115", dup202); - -var msg23283 = msg("21116", dup267); - -var msg23284 = msg("21117", dup192); - -var msg23285 = msg("21118", dup192); - -var msg23286 = msg("21119", dup192); - -var msg23287 = msg("21120", dup192); - -var msg23288 = msg("21121", dup192); - -var msg23289 = msg("21122", dup202); - -var msg23290 = msg("21123", dup202); - -var msg23291 = msg("21124", dup202); - -var msg23292 = msg("21125", dup202); - -var msg23293 = msg("21126", dup202); - -var msg23294 = msg("21127", dup202); - -var msg23295 = msg("21128", dup202); - -var msg23296 = msg("21129", dup192); - -var msg23297 = msg("21130", dup192); - -var msg23298 = msg("21131", dup192); - -var msg23299 = msg("21132", dup192); - -var msg23300 = msg("21133", dup192); - -var msg23301 = msg("21134", dup192); - -var msg23302 = msg("21135", dup192); - -var msg23303 = msg("21136", dup192); - -var msg23304 = msg("21137", dup192); - -var msg23305 = msg("21138", dup192); - -var msg23306 = msg("21139", dup192); - -var msg23307 = msg("21140", dup192); - -var msg23308 = msg("21141", dup267); - -var msg23309 = msg("21142", dup202); - -var msg23310 = msg("21143", dup202); - -var msg23311 = msg("21144", dup202); - -var msg23312 = msg("21145", dup202); - -var msg23313 = msg("21146", dup197); - -var msg23314 = msg("21147", dup197); - -var msg23315 = msg("21148", dup197); - -var msg23316 = msg("21149", dup197); - -var msg23317 = msg("21150", dup198); - -var msg23318 = msg("21151", dup202); - -var msg23319 = msg("21152", dup202); - -var msg23320 = msg("21153", 
dup202); - -var msg23321 = msg("21154", dup197); - -var msg23322 = msg("21155", dup197); - -var msg23323 = msg("21156", dup267); - -var msg23324 = msg("21157", dup267); - -var msg23325 = msg("21158", dup267); - -var msg23326 = msg("21159", dup267); - -var msg23327 = msg("21160", dup197); - -var msg23328 = msg("21161", dup265); - -var msg23329 = msg("21162", dup197); - -var msg23330 = msg("21163", dup197); - -var msg23331 = msg("21164", dup201); - -var msg23332 = msg("21165", dup265); - -var msg23333 = msg("21166", dup267); - -var msg23334 = msg("21167", dup267); - -var msg23335 = msg("21168", dup197); - -var msg23336 = msg("21169", dup303); - -var msg23337 = msg("21170", dup267); - -var msg23338 = msg("21171", dup320); - -var msg23339 = msg("21172", dup320); - -var msg23340 = msg("21173", dup320); - -var msg23341 = msg("21174", dup202); - -var msg23342 = msg("21175", dup269); - -var msg23343 = msg("21176", dup303); - -var msg23344 = msg("21177", dup192); - -var msg23345 = msg("21178", dup192); - -var msg23346 = msg("21179", dup192); - -var msg23347 = msg("21180", dup238); - -var msg23348 = msg("21181", dup192); - -var msg23349 = msg("21182", dup192); - -var msg23350 = msg("21183", dup192); - -var msg23351 = msg("21184", dup303); - -var msg23352 = msg("21185", dup238); - -var msg23353 = msg("21186", dup267); - -var msg23354 = msg("21187", dup192); - -var msg23355 = msg("21188", dup269); - -var msg23356 = msg("21189", dup267); - -var msg23357 = msg("21190", dup287); - -var msg23358 = msg("21191", dup276); - -var msg23359 = msg("21192", dup192); - -var msg23360 = msg("21193", dup192); - -var msg23361 = msg("21194", dup192); - -var msg23362 = msg("21195", dup192); - -var msg23363 = msg("21196", dup192); - -var msg23364 = msg("21197", dup192); - -var msg23365 = msg("21198", dup192); - -var msg23366 = msg("21199", dup192); - -var msg23367 = msg("21200", dup192); - -var msg23368 = msg("21201", dup192); - -var msg23369 = msg("21202", dup192); - -var msg23370 = msg("21203", 
dup263); - -var msg23371 = msg("21204", dup263); - -var msg23372 = msg("21205", dup263); - -var msg23373 = msg("21206", dup269); - -var msg23374 = msg("21207", dup192); - -var msg23375 = msg("21208", dup192); - -var msg23376 = msg("21209", dup192); - -var msg23377 = msg("21210", dup192); - -var msg23378 = msg("21211", dup192); - -var msg23379 = msg("21212", dup192); - -var msg23380 = msg("21213", dup238); - -var msg23381 = msg("21214", dup265); - -var msg23382 = msg("21215", dup192); - -var msg23383 = msg("21216", dup192); - -var msg23384 = msg("21217", dup192); - -var msg23385 = msg("21218", dup192); - -var msg23386 = msg("21219", dup192); - -var msg23387 = msg("21220", dup192); - -var msg23388 = msg("21221", dup192); - -var msg23389 = msg("21222", dup202); - -var msg23390 = msg("21223", dup192); - -var msg23391 = msg("21224", dup192); - -var msg23392 = msg("21225", dup269); - -var msg23393 = msg("21226", dup202); - -var msg23394 = msg("21227", dup192); - -var msg23395 = msg("21228", dup202); - -var msg23396 = msg("21229", dup198); - -var msg23397 = msg("21230", dup192); - -var msg23398 = msg("21231", dup202); - -var msg23399 = msg("21232", dup202); - -var msg23400 = msg("21233", dup265); - -var msg23401 = msg("21234", dup309); - -var msg23402 = msg("21235", dup197); - -var msg23403 = msg("21236", dup197); - -var msg23404 = msg("21237", dup197); - -var msg23405 = msg("21238", dup197); - -var msg23406 = msg("21239", dup202); - -var msg23407 = msg("21240", dup192); - -var msg23408 = msg("21241", dup192); - -var msg23409 = msg("21242", dup192); - -var msg23410 = msg("21243", dup267); - -var msg23411 = msg("21244", dup267); - -var msg23412 = msg("21245", dup263); - -var msg23413 = msg("21246", dup269); - -var msg23414 = msg("21247", dup197); - -var msg23415 = msg("21248", dup197); - -var msg23416 = msg("21249", dup192); - -var msg23417 = msg("21250", dup192); - -var msg23418 = msg("21251", dup192); - -var msg23419 = msg("21252", dup192); - -var msg23420 = msg("21253", 
dup267); - -var msg23421 = msg("21254", dup265); - -var msg23422 = msg("21255", dup227); - -var msg23423 = msg("21256", dup227); - -var msg23424 = msg("21257", dup194); - -var msg23425 = msg("21258", dup199); - -var msg23426 = msg("21259", dup267); - -var msg23427 = msg("21260", dup198); - -var msg23428 = msg("21261", dup197); - -var msg23429 = msg("21262", dup255); - -var msg23430 = msg("21263", dup197); - -var msg23431 = msg("21264", dup202); - -var msg23432 = msg("21265", dup199); - -var msg23433 = msg("21266", dup269); - -var msg23434 = msg("21267", dup287); - -var msg23435 = msg("21268", dup267); - -var msg23436 = msg("21269", dup202); - -var msg23437 = msg("21270", dup201); - -var msg23438 = msg("21271", dup260); - -var msg23439 = msg("21272", dup267); - -var msg23440 = msg("21273", dup202); - -var msg23441 = msg("21274", dup202); - -var msg23442 = msg("21275", dup192); - -var msg23443 = msg("21276", dup192); - -var msg23444 = msg("21277", dup192); - -var msg23445 = msg("21278", dup269); - -var msg23446 = msg("21279", dup192); - -var msg23447 = msg("21280", dup192); - -var msg23448 = msg("21281", dup267); - -var msg23449 = msg("21282", dup202); - -var msg23450 = msg("21283", dup202); - -var msg23451 = msg("21284", dup202); - -var msg23452 = msg("21285", dup202); - -var msg23453 = msg("21286", dup202); - -var msg23454 = msg("21287", dup202); - -var msg23455 = msg("21288", dup202); - -var msg23456 = msg("21289", dup276); - -var msg23457 = msg("21290", dup267); - -var msg23458 = msg("21291", dup202); - -var msg23459 = msg("21292", dup267); - -var msg23460 = msg("21293", dup267); - -var msg23461 = msg("21294", dup192); - -var msg23462 = msg("21295", dup202); - -var msg23463 = msg("21296", dup202); - -var msg23464 = msg("21297", dup265); - -var msg23465 = msg("21298", dup265); - -var msg23466 = msg("21299", dup267); - -var msg23467 = msg("21300", dup265); - -var msg23468 = msg("21301", dup267); - -var msg23469 = msg("21302", dup267); - -var msg23470 = msg("21303", 
dup192); - -var msg23471 = msg("21304", dup192); - -var msg23472 = msg("21305", dup197); - -var msg23473 = msg("21306", dup202); - -var msg23474 = msg("21307", dup267); - -var msg23475 = msg("21308", dup267); - -var msg23476 = msg("21309", dup276); - -var msg23477 = msg("21310", dup267); - -var msg23478 = msg("21311", dup202); - -var msg23479 = msg("21312", dup202); - -var msg23480 = msg("21313", dup202); - -var msg23481 = msg("21314", dup265); - -var msg23482 = msg("21315", dup198); - -var msg23483 = msg("21316", dup267); - -var msg23484 = msg("21317", dup197); - -var msg23485 = msg("21318", dup202); - -var msg23486 = msg("21319", dup276); - -var msg23487 = msg("21320", dup276); - -var msg23488 = msg("21321", dup276); - -var msg23489 = msg("21322", dup267); - -var msg23490 = msg("21323", dup267); - -var msg23491 = msg("21324", dup267); - -var msg23492 = msg("21325", dup202); - -var msg23493 = msg("21326", dup267); - -var msg23494 = msg("21327", dup194); - -var msg23495 = msg("21328", dup201); - -var msg23496 = msg("21329", dup201); - -var msg23497 = msg("21330", dup201); - -var msg23498 = msg("21331", dup201); - -var msg23499 = msg("21332", dup202); - -var msg23500 = msg("21333", dup265); - -var msg23501 = msg("21334", dup265); - -var msg23502 = msg("21335", dup287); - -var msg23503 = msg("21336", dup202); - -var msg23504 = msg("21337", dup265); - -var msg23505 = msg("21338", dup202); - -var msg23506 = msg("21339", dup267); - -var msg23507 = msg("21340", dup267); - -var msg23508 = msg("21341", dup267); - -var msg23509 = msg("21342", dup267); - -var msg23510 = msg("21343", dup267); - -var msg23511 = msg("21344", dup267); - -var msg23512 = msg("21345", dup267); - -var msg23513 = msg("21346", dup267); - -var msg23514 = msg("21347", dup202); - -var msg23515 = msg("21348", dup202); - -var msg23516 = msg("21349", dup197); - -var msg23517 = msg("21350", dup197); - -var msg23518 = msg("21351", dup267); - -var msg23519 = msg("21352", dup267); - -var msg23520 = msg("21353", 
dup269); - -var msg23521 = msg("21354", dup313); - -var msg23522 = msg("21355", dup313); - -var msg23523 = msg("21356", dup265); - -var msg23524 = msg("21357", dup267); - -var msg23525 = msg("21358", dup201); - -var msg23526 = msg("21359", dup192); - -var msg23527 = msg("21360", dup192); - -var msg23528 = msg("21361", dup238); - -var msg23529 = msg("21362", dup192); - -var msg23530 = msg("21363", dup202); - -var msg23531 = msg("21364", dup192); - -var msg23532 = msg("21365", dup192); - -var msg23533 = msg("21366", dup192); - -var msg23534 = msg("21367", dup192); - -var msg23535 = msg("21368", dup202); - -var msg23536 = msg("21369", dup202); - -var msg23537 = msg("21370", dup197); - -var msg23538 = msg("21371", dup197); - -var msg23539 = msg("21372", dup263); - -var msg23540 = msg("21373", dup263); - -var msg23541 = msg("21374", dup192); - -var msg23542 = msg("21375", dup267); - -var msg23543 = msg("21376", dup192); - -var msg23544 = msg("21377", dup260); - -var msg23545 = msg("21378", dup201); - -var msg23546 = msg("21379", dup202); - -var msg23547 = msg("21380", dup202); - -var msg23548 = msg("21381", dup202); - -var msg23549 = msg("21382", dup202); - -var msg23550 = msg("21383", dup202); - -var msg23551 = msg("21384", dup202); - -var msg23552 = msg("21385", dup265); - -var msg23553 = msg("21386", dup202); - -var msg23554 = msg("21387", dup267); - -var msg23555 = msg("21388", dup265); - -var msg23556 = msg("21389", dup265); - -var msg23557 = msg("21390", dup202); - -var msg23558 = msg("21391", dup202); - -var msg23559 = msg("21392", dup267); - -var msg23560 = msg("21393", dup197); - -var msg23561 = msg("21394", dup267); - -var msg23562 = msg("21395", dup260); - -var msg23563 = msg("21396", dup260); - -var msg23564 = msg("21397", dup197); - -var msg23565 = msg("21398", dup202); - -var msg23566 = msg("21399", dup267); - -var msg23567 = msg("21400", dup192); - -var msg23568 = msg("21401", dup192); - -var msg23569 = msg("21402", dup192); - -var msg23570 = msg("21403", 
dup238); - -var msg23571 = msg("21404", dup238); - -var msg23572 = msg("21405", dup267); - -var msg23573 = msg("21406", dup265); - -var msg23574 = msg("21407", dup201); - -var msg23575 = msg("21408", dup265); - -var msg23576 = msg("21409", dup201); - -var msg23577 = msg("21410", dup202); - -var msg23578 = msg("21411", dup202); - -var msg23579 = msg("21412", dup202); - -var msg23580 = msg("21413", dup201); - -var msg23581 = msg("21414", dup267); - -var msg23582 = msg("21415", dup267); - -var msg23583 = msg("21416", dup192); - -var msg23584 = msg("21417", dup267); - -var msg23585 = msg("21418", dup192); - -var msg23586 = msg("21419", dup197); - -var msg23587 = msg("21420", dup197); - -var msg23588 = msg("21421", dup197); - -var msg23589 = msg("21422", dup267); - -var msg23590 = msg("21423", dup267); - -var msg23591 = msg("21424", dup192); - -var msg23592 = msg("21425", dup192); - -var msg23593 = msg("21426", dup192); - -var msg23594 = msg("21427", dup192); - -var msg23595 = msg("21428", dup192); - -var msg23596 = msg("21429", dup269); - -var msg23597 = msg("21430", dup192); - -var msg23598 = msg("21431", dup267); - -var msg23599 = msg("21432", dup202); - -var msg23600 = msg("21433", dup202); - -var msg23601 = msg("21434", dup192); - -var msg23602 = msg("21435", dup192); - -var msg23603 = msg("21436", dup192); - -var msg23604 = msg("21437", dup197); - -var msg23605 = msg("21438", dup267); - -var msg23606 = msg("21439", dup267); - -var msg23607 = msg("21440", dup192); - -var msg23608 = msg("21441", dup202); - -var msg23609 = msg("21442", dup269); - -var msg23610 = msg("21443", dup202); - -var msg23611 = msg("21444", dup202); - -var msg23612 = msg("21445", dup227); - -var msg23613 = msg("21446", dup202); - -var msg23614 = msg("21447", dup202); - -var msg23615 = msg("21448", dup192); - -var msg23616 = msg("21449", dup192); - -var msg23617 = msg("21450", dup192); - -var msg23618 = msg("21451", dup269); - -var msg23619 = msg("21452", dup192); - -var msg23620 = msg("21453", 
dup269); - -var msg23621 = msg("21454", dup192); - -var msg23622 = msg("21455", dup269); - -var msg23623 = msg("21456", dup202); - -var msg23624 = msg("21457", dup267); - -var msg23625 = msg("21458", dup267); - -var msg23626 = msg("21459", dup260); - -var msg23627 = msg("21460", dup202); - -var msg23628 = msg("21461", dup202); - -var msg23629 = msg("21462", dup202); - -var msg23630 = msg("21463", dup202); - -var msg23631 = msg("21464", dup202); - -var msg23632 = msg("21465", dup265); - -var msg23633 = msg("21466", dup202); - -var msg23634 = msg("21467", dup202); - -var msg23635 = msg("21468", dup192); - -var msg23636 = msg("21469", dup269); - -var msg23637 = msg("21470", dup192); - -var msg23638 = msg("21471", dup202); - -var msg23639 = msg("21472", dup192); - -var msg23640 = msg("21473", dup192); - -var msg23641 = msg("21474", dup192); - -var msg23642 = msg("21475", dup269); - -var msg23643 = msg("21476", dup269); - -var msg23644 = msg("21477", dup192); - -var msg23645 = msg("21478", dup202); - -var msg23646 = msg("21479", dup202); - -var msg23647 = msg("21480", dup202); - -var msg23648 = msg("21481", dup267); - -var msg23649 = msg("21482", dup199); - -var msg23650 = msg("21483", dup197); - -var msg23651 = msg("21484", dup201); - -var msg23652 = msg("21485", dup198); - -var msg23653 = msg("21486", dup192); - -var msg23654 = msg("21487", dup192); - -var msg23655 = msg("21488", dup269); - -var msg23656 = msg("21489", dup267); - -var msg23657 = msg("21490", dup202); - -var msg23658 = msg("21491", dup197); - -var msg23659 = msg("21492", dup202); - -var msg23660 = msg("21493", dup265); - -var msg23661 = msg("21494", dup192); - -var msg23662 = msg("21495", dup192); - -var msg23663 = msg("21496", dup192); - -var msg23664 = msg("21497", dup192); - -var msg23665 = msg("21498", dup202); - -var msg23666 = msg("21499", dup202); - -var msg23667 = msg("21500", dup202); - -var msg23668 = msg("21501", dup265); - -var msg23669 = msg("21502", dup192); - -var msg23670 = msg("21503", 
dup267); - -var msg23671 = msg("21504", dup267); - -var msg23672 = msg("21505", dup267); - -var msg23673 = msg("21506", dup267); - -var msg23674 = msg("21507", dup267); - -var msg23675 = msg("21508", dup267); - -var msg23676 = msg("21509", dup267); - -var msg23677 = msg("21510", dup267); - -var msg23678 = msg("21511", dup192); - -var msg23679 = msg("21512", dup192); - -var msg23680 = msg("21513", dup198); - -var msg23681 = msg("21514", dup192); - -var msg23682 = msg("21515", dup265); - -var msg23683 = msg("21516", dup265); - -var msg23684 = msg("21517", dup265); - -var msg23685 = msg("21518", dup192); - -var msg23686 = msg("21519", dup202); - -var msg23687 = msg("21520", dup192); - -var msg23688 = msg("21521", dup192); - -var msg23689 = msg("21522", dup267); - -var msg23690 = msg("21523", dup192); - -var msg23691 = msg("21524", dup267); - -var msg23692 = msg("21525", dup192); - -var msg23693 = msg("21526", dup269); - -var msg23694 = msg("21527", dup192); - -var msg23695 = msg("21528", dup192); - -var msg23696 = msg("21529", dup197); - -var msg23697 = msg("21530", dup287); - -var msg23698 = msg("21531", dup265); - -var msg23699 = msg("21532", dup265); - -var msg23700 = msg("21533", dup287); - -var msg23701 = msg("21534", dup201); - -var msg23702 = msg("21535", dup201); - -var msg23703 = msg("21536", dup265); - -var msg23704 = msg("21537", dup269); - -var msg23705 = msg("21538", dup202); - -var msg23706 = msg("21539", dup202); - -var msg23707 = msg("21540", dup192); - -var msg23708 = msg("21541", dup192); - -var msg23709 = msg("21542", dup192); - -var msg23710 = msg("21543", dup192); - -var msg23711 = msg("21544", dup313); - -var msg23712 = msg("21545", dup313); - -var all52 = all_match({ - processors: [ - dup66, - dup178, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup120, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var msg23713 = msg("21546", 
all52); - -var msg23714 = msg("21547", dup192); - -var msg23715 = msg("21548", dup202); - -var msg23716 = msg("21549", dup202); - -var msg23717 = msg("21550", dup192); - -var msg23718 = msg("21551", dup192); - -var msg23719 = msg("21552", dup192); - -var msg23720 = msg("21553", dup192); - -var msg23721 = msg("21554", dup192); - -var msg23722 = msg("21555", dup205); - -var msg23723 = msg("21556", dup202); - -var msg23724 = msg("21557", dup201); - -var msg23725 = msg("21558", dup265); - -var msg23726 = msg("21559", dup265); - -var msg23727 = msg("21560", dup265); - -var msg23728 = msg("21561", dup265); - -var msg23729 = msg("21562", dup192); - -var msg23730 = msg("21563", dup192); - -var msg23731 = msg("21564", dup192); - -var msg23732 = msg("21565", dup192); - -var msg23733 = msg("21566", dup276); - -var msg23734 = msg("21567", dup267); - -var msg23735 = msg("21568", dup198); - -var msg23736 = msg("21569", dup265); - -var msg23737 = msg("21570", dup197); - -var msg23738 = msg("21571", dup267); - -var msg23739 = msg("21572", dup267); - -var msg23740 = msg("21573", dup202); - -var msg23741 = msg("21574", dup202); - -var msg23742 = msg("21575", dup202); - -var msg23743 = msg("21576", dup202); - -var msg23744 = msg("21577", dup202); - -var msg23745 = msg("21578", dup202); - -var msg23746 = msg("21579", dup202); - -var msg23747 = msg("21580", dup202); - -var msg23748 = msg("21581", dup202); - -var msg23749 = msg("21582", dup202); - -var msg23750 = msg("21583", dup269); - -var msg23751 = msg("21584", dup202); - -var msg23752 = msg("21585", dup202); - -var msg23753 = msg("21586", dup202); - -var msg23754 = msg("21587", dup267); - -var msg23755 = msg("21588", dup263); - -var msg23756 = msg("21589", dup265); - -var msg23757 = msg("21590", dup265); - -var msg23758 = msg("21591", dup263); - -var msg23759 = msg("21592", dup267); - -var msg23760 = msg("21593", dup192); - -var msg23761 = msg("21594", dup267); - -var msg23762 = msg("21595", dup202); - -var msg23763 = msg("21596", 
dup202); - -var msg23764 = msg("21597", dup202); - -var msg23765 = msg("21598", dup202); - -var msg23766 = msg("21599", dup201); - -var msg23767 = msg("21600", dup201); - -var msg23768 = msg("21601", dup201); - -var msg23769 = msg("21602", dup201); - -var msg23770 = msg("21603", dup201); - -var msg23771 = msg("21604", dup201); - -var msg23772 = msg("21605", dup201); - -var msg23773 = msg("21606", dup201); - -var msg23774 = msg("21607", dup267); - -var msg23775 = msg("21608", dup198); - -var msg23776 = msg("21609", dup267); - -var msg23777 = msg("21610", dup192); - -var msg23778 = msg("21611", dup202); - -var msg23779 = msg("21612", dup202); - -var msg23780 = msg("21613", dup202); - -var msg23781 = msg("21614", dup202); - -var msg23782 = msg("21615", dup202); - -var msg23783 = msg("21616", dup202); - -var msg23784 = msg("21617", dup202); - -var msg23785 = msg("21618", dup202); - -var msg23786 = msg("21619", dup267); - -var msg23787 = msg("21620", dup202); - -var msg23788 = msg("21621", dup202); - -var msg23789 = msg("21622", dup192); - -var msg23790 = msg("21623", dup202); - -var msg23791 = msg("21624", dup202); - -var msg23792 = msg("21625", dup202); - -var msg23793 = msg("21626", dup202); - -var msg23794 = msg("21627", dup202); - -var msg23795 = msg("21628", dup202); - -var msg23796 = msg("21629", dup265); - -var msg23797 = msg("21630", dup265); - -var msg23798 = msg("21631", dup192); - -var msg23799 = msg("21632", dup192); - -var msg23800 = msg("21633", dup276); - -var msg23801 = msg("21634", dup267); - -var msg23802 = msg("21635", dup192); - -var msg23803 = msg("21636", dup263); - -var msg23804 = msg("21637", dup312); - -var msg23805 = msg("21638", dup192); - -var msg23806 = msg("21639", dup263); - -var msg23807 = msg("21640", dup267); - -var msg23808 = msg("21641", dup192); - -var msg23809 = msg("21642", dup269); - -var msg23810 = msg("21643", dup192); - -var msg23811 = msg("21644", dup263); - -var msg23812 = msg("21645", dup263); - -var msg23813 = msg("21646", 
dup202); - -var msg23814 = msg("21647", dup202); - -var msg23815 = msg("21648", dup202); - -var msg23816 = msg("21649", dup202); - -var msg23817 = msg("21650", dup202); - -var msg23818 = msg("21651", dup202); - -var msg23819 = msg("21652", dup202); - -var msg23820 = msg("21653", dup265); - -var msg23821 = msg("21654", dup202); - -var msg23822 = msg("21655", dup267); - -var msg23823 = msg("21656", dup267); - -var msg23824 = msg("21657", dup202); - -var msg23825 = msg("21658", dup202); - -var msg23826 = msg("21659", dup202); - -var msg23827 = msg("21660", dup202); - -var msg23828 = msg("21661", dup202); - -var msg23829 = msg("21662", dup248); - -var msg23830 = msg("21663", dup260); - -var msg23831 = msg("21664", dup202); - -var msg23832 = msg("21665", dup202); - -var msg23833 = msg("21666", dup202); - -var msg23834 = msg("21667", dup265); - -var msg23835 = msg("21668", dup267); - -var msg23836 = msg("21669", dup287); - -var msg23837 = msg("21670", dup267); - -var msg23838 = msg("21671", dup201); - -var msg23839 = msg("21672", dup201); - -var msg23840 = msg("21673", dup287); - -var msg23841 = msg("21674", dup197); - -var msg23842 = msg("21675", dup197); - -var msg23843 = msg("21676", dup197); - -var msg23844 = msg("21677", dup197); - -var msg23845 = msg("21678", dup267); - -var msg23846 = msg("21679", dup267); - -var msg23847 = msg("21680", dup267); - -var msg23848 = msg("21681", dup267); - -var msg23849 = msg("21682", dup267); - -var msg23850 = msg("21683", dup267); - -var msg23851 = msg("21684", dup267); - -var msg23852 = msg("21685", dup267); - -var msg23853 = msg("21686", dup267); - -var msg23854 = msg("21687", dup202); - -var msg23855 = msg("21688", dup202); - -var msg23856 = msg("21689", dup202); - -var msg23857 = msg("21690", dup202); - -var msg23858 = msg("21691", dup202); - -var msg23859 = msg("21692", dup202); - -var msg23860 = msg("21693", dup202); - -var msg23861 = msg("21694", dup202); - -var msg23862 = msg("21695", dup202); - -var msg23863 = msg("21696", 
dup202); - -var msg23864 = msg("21697", dup202); - -var msg23865 = msg("21698", dup202); - -var msg23866 = msg("21699", dup202); - -var msg23867 = msg("21700", dup202); - -var msg23868 = msg("21701", dup202); - -var msg23869 = msg("21702", dup202); - -var msg23870 = msg("21703", dup202); - -var msg23871 = msg("21704", dup202); - -var msg23872 = msg("21705", dup202); - -var msg23873 = msg("21706", dup202); - -var msg23874 = msg("21707", dup202); - -var msg23875 = msg("21708", dup202); - -var msg23876 = msg("21709", dup202); - -var msg23877 = msg("21710", dup202); - -var msg23878 = msg("21711", dup202); - -var msg23879 = msg("21712", dup202); - -var msg23880 = msg("21713", dup202); - -var msg23881 = msg("21714", dup202); - -var msg23882 = msg("21715", dup202); - -var msg23883 = msg("21716", dup202); - -var msg23884 = msg("21717", dup202); - -var msg23885 = msg("21718", dup202); - -var msg23886 = msg("21719", dup202); - -var msg23887 = msg("21720", dup202); - -var msg23888 = msg("21721", dup202); - -var msg23889 = msg("21722", dup202); - -var msg23890 = msg("21723", dup202); - -var msg23891 = msg("21724", dup202); - -var msg23892 = msg("21725", dup202); - -var msg23893 = msg("21726", dup202); - -var msg23894 = msg("21727", dup202); - -var msg23895 = msg("21728", dup202); - -var msg23896 = msg("21729", dup202); - -var msg23897 = msg("21730", dup202); - -var msg23898 = msg("21731", dup202); - -var msg23899 = msg("21732", dup202); - -var msg23900 = msg("21733", dup202); - -var msg23901 = msg("21734", dup202); - -var msg23902 = msg("21735", dup202); - -var msg23903 = msg("21736", dup202); - -var msg23904 = msg("21737", dup202); - -var msg23905 = msg("21738", dup202); - -var msg23906 = msg("21739", dup202); - -var msg23907 = msg("21740", dup202); - -var msg23908 = msg("21741", dup202); - -var msg23909 = msg("21742", dup202); - -var msg23910 = msg("21743", dup202); - -var msg23911 = msg("21744", dup202); - -var msg23912 = msg("21745", dup202); - -var msg23913 = msg("21746", 
dup202); - -var msg23914 = msg("21747", dup202); - -var msg23915 = msg("21748", dup202); - -var msg23916 = msg("21749", dup202); - -var msg23917 = msg("21750", dup202); - -var msg23918 = msg("21751", dup202); - -var msg23919 = msg("21752", dup197); - -var msg23920 = msg("21753", dup197); - -var msg23921 = msg("21754", dup265); - -var msg23922 = msg("21755", dup202); - -var msg23923 = msg("21756", dup202); - -var msg23924 = msg("21757", dup202); - -var msg23925 = msg("21758", dup202); - -var msg23926 = msg("21759", dup197); - -var msg23927 = msg("21760", dup202); - -var msg23928 = msg("21761", dup202); - -var msg23929 = msg("21762", dup197); - -var msg23930 = msg("21763", dup198); - -var msg23931 = msg("21764", dup197); - -var msg23932 = msg("21765", dup202); - -var msg23933 = msg("21766", dup267); - -var msg23934 = msg("21767", dup287); - -var msg23935 = msg("21768", dup287); - -var msg23936 = msg("21769", dup192); - -var msg23937 = msg("21770", dup197); - -var msg23938 = msg("21771", dup197); - -var msg23939 = msg("21772", dup197); - -var msg23940 = msg("21773", dup197); - -var msg23941 = msg("21774", dup197); - -var msg23942 = msg("21775", dup197); - -var msg23943 = msg("21776", dup198); - -var msg23944 = msg("21777", dup260); - -var msg23945 = msg("21778", dup260); - -var msg23946 = msg("21779", dup260); - -var msg23947 = msg("21780", dup260); - -var msg23948 = msg("21781", dup260); - -var msg23949 = msg("21782", dup267); - -var msg23950 = msg("21783", dup267); - -var msg23951 = msg("21784", dup267); - -var msg23952 = msg("21785", dup201); - -var msg23953 = msg("21786", dup201); - -var msg23954 = msg("21787", dup201); - -var msg23955 = msg("21788", dup260); - -var msg23956 = msg("21789", dup260); - -var msg23957 = msg("21790", dup269); - -var msg23958 = msg("21791", dup265); - -var msg23959 = msg("21792", dup202); - -var msg23960 = msg("21793", dup265); - -var msg23961 = msg("21794", dup197); - -var msg23962 = msg("21795", dup285); - -var msg23963 = msg("21796", 
dup265); - -var msg23964 = msg("21797", dup197); - -var msg23965 = msg("21798", dup197); - -var msg23966 = msg("21799", dup197); - -var msg23967 = msg("21800", dup197); - -var msg23968 = msg("21801", dup197); - -var msg23969 = msg("21802", dup202); - -var msg23970 = msg("21803", dup202); - -var msg23971 = msg("21804", dup202); - -var msg23972 = msg("21805", dup197); - -var msg23973 = msg("21806", dup276); - -var msg23974 = msg("21807", dup202); - -var msg23975 = msg("21808", dup202); - -var msg23976 = msg("21809", dup202); - -var msg23977 = msg("21810", dup202); - -var msg23978 = msg("21811", dup202); - -var msg23979 = msg("21812", dup202); - -var msg23980 = msg("21813", dup202); - -var msg23981 = msg("21814", dup202); - -var msg23982 = msg("21815", dup202); - -var msg23983 = msg("21816", dup202); - -var msg23984 = msg("21817", dup198); - -var msg23985 = msg("21818", dup265); - -var msg23986 = msg("21819", dup265); - -var msg23987 = msg("21820", dup265); - -var msg23988 = msg("21821", dup265); - -var msg23989 = msg("21822", dup265); - -var msg23990 = msg("21823", dup265); - -var msg23991 = msg("21824", dup265); - -var msg23992 = msg("21825", dup265); - -var msg23993 = msg("21826", dup265); - -var msg23994 = msg("21827", dup265); - -var msg23995 = msg("21828", dup265); - -var msg23996 = msg("21829", dup265); - -var msg23997 = msg("21830", dup265); - -var msg23998 = msg("21831", dup265); - -var msg23999 = msg("21832", dup265); - -var msg24000 = msg("21833", dup265); - -var msg24001 = msg("21834", dup265); - -var msg24002 = msg("21835", dup265); - -var msg24003 = msg("21836", dup265); - -var msg24004 = msg("21837", dup265); - -var msg24005 = msg("21838", dup265); - -var msg24006 = msg("21839", dup265); - -var msg24007 = msg("21840", dup265); - -var msg24008 = msg("21841", dup265); - -var msg24009 = msg("21842", dup265); - -var msg24010 = msg("21843", dup265); - -var msg24011 = msg("21844", dup265); - -var msg24012 = msg("21845", dup202); - -var msg24013 = msg("21846", 
dup202); - -var msg24014 = msg("21847", dup202); - -var msg24015 = msg("21848", dup202); - -var msg24016 = msg("21849", dup202); - -var msg24017 = msg("21850", dup202); - -var msg24018 = msg("21851", dup202); - -var msg24019 = msg("21852", dup192); - -var msg24020 = msg("21853", dup230); - -var msg24021 = msg("21854", dup202); - -var msg24022 = msg("21855", dup202); - -var msg24023 = msg("21856", dup287); - -var msg24024 = msg("21857", dup287); - -var msg24025 = msg("21858", dup267); - -var msg24026 = msg("21859", dup267); - -var msg24027 = msg("21860", dup267); - -var msg24028 = msg("21861", dup202); - -var msg24029 = msg("21862", dup202); - -var msg24030 = msg("21863", dup202); - -var msg24031 = msg("21864", dup202); - -var msg24032 = msg("21865", dup202); - -var msg24033 = msg("21866", dup202); - -var msg24034 = msg("21867", dup202); - -var msg24035 = msg("21868", dup202); - -var msg24036 = msg("21869", dup202); - -var msg24037 = msg("21870", dup202); - -var msg24038 = msg("21871", dup202); - -var msg24039 = msg("21872", dup202); - -var msg24040 = msg("21873", dup202); - -var msg24041 = msg("21874", dup267); - -var msg24042 = msg("21875", dup267); - -var msg24043 = msg("21876", dup267); - -var msg24044 = msg("21877", dup202); - -var msg24045 = msg("21878", dup197); - -var msg24046 = msg("21879", dup202); - -var msg24047 = msg("21880", dup202); - -var msg24048 = msg("21881", dup287); - -var msg24049 = msg("21882", dup265); - -var msg24050 = msg("21883", dup265); - -var msg24051 = msg("21884", dup202); - -var msg24052 = msg("21885", dup202); - -var msg24053 = msg("21886", dup202); - -var msg24054 = msg("21887", dup202); - -var msg24055 = msg("21888", dup202); - -var msg24056 = msg("21889", dup202); - -var msg24057 = msg("21890", dup202); - -var msg24058 = msg("21891", dup202); - -var msg24059 = msg("21892", dup202); - -var msg24060 = msg("21893", dup202); - -var msg24061 = msg("21894", dup202); - -var msg24062 = msg("21895", dup202); - -var msg24063 = msg("21896", 
dup197); - -var msg24064 = msg("21897", dup197); - -var msg24065 = msg("21898", dup197); - -var msg24066 = msg("21899", dup197); - -var msg24067 = msg("21900", dup197); - -var msg24068 = msg("21901", dup197); - -var msg24069 = msg("21902", dup197); - -var msg24070 = msg("21903", dup197); - -var msg24071 = msg("21904", dup197); - -var msg24072 = msg("21905", dup197); - -var msg24073 = msg("21906", dup197); - -var msg24074 = msg("21907", dup197); - -var msg24075 = msg("21908", dup267); - -var msg24076 = msg("21909", dup267); - -var msg24077 = msg("21910", dup263); - -var msg24078 = msg("21911", dup202); - -var msg24079 = msg("21912", dup202); - -var msg24080 = msg("21913", dup265); - -var msg24081 = msg("21914", dup197); - -var msg24082 = msg("21915", dup267); - -var msg24083 = msg("21916", dup267); - -var msg24084 = msg("21917", dup197); - -var msg24085 = msg("21918", dup197); - -var msg24086 = msg("21919", dup197); - -var msg24087 = msg("21920", dup197); - -var msg24088 = msg("21921", dup197); - -var msg24089 = msg("21922", dup197); - -var msg24090 = msg("21923", dup265); - -var msg24091 = msg("21924", dup263); - -var msg24092 = msg("21925", dup269); - -var msg24093 = msg("21926", dup265); - -var msg24094 = msg("21927", dup197); - -var msg24095 = msg("21928", dup197); - -var msg24096 = msg("21929", dup305); - -var msg24097 = msg("21930", dup305); - -var msg24098 = msg("21931", dup197); - -var msg24099 = msg("21932", dup197); - -var msg24100 = msg("21933", dup197); - -var msg24101 = msg("21934", dup303); - -var msg24102 = msg("21935", dup197); - -var msg24103 = msg("21937", dup197); - -var msg24104 = msg("21938", dup192); - -var msg24105 = msg("21939", dup202); - -var msg24106 = msg("21940", dup202); - -var msg24107 = msg("21941", dup202); - -var msg24108 = msg("21942", dup197); - -var msg24109 = msg("21943", dup197); - -var msg24110 = msg("21944", dup265); - -var msg24111 = msg("21945", dup192); - -var msg24112 = msg("21946", dup192); - -var msg24113 = msg("21947", 
dup192); - -var msg24114 = msg("21948", dup269); - -var msg24115 = msg("21949", dup201); - -var msg24116 = msg("21950", dup265); - -var msg24117 = msg("21951", dup265); - -var msg24118 = msg("21952", dup197); - -var msg24119 = msg("21953", dup287); - -var msg24120 = msg("21954", dup287); - -var msg24121 = msg("21955", dup202); - -var msg24122 = msg("21956", dup202); - -var msg24123 = msg("21957", dup202); - -var msg24124 = msg("21958", dup202); - -var msg24125 = msg("21959", dup202); - -var msg24126 = msg("21960", dup202); - -var msg24127 = msg("21961", dup287); - -var msg24128 = msg("21962", dup202); - -var msg24129 = msg("21963", dup202); - -var msg24130 = msg("21964", dup202); - -var msg24131 = msg("21965", dup269); - -var msg24132 = msg("21966", dup192); - -var msg24133 = msg("21967", dup287); - -var msg24134 = msg("21968", dup192); - -var msg24135 = msg("21969", dup192); - -var msg24136 = msg("21970", dup192); - -var msg24137 = msg("21971", dup192); - -var msg24138 = msg("21972", dup192); - -var msg24139 = msg("21973", dup192); - -var msg24140 = msg("21974", dup269); - -var msg24141 = msg("21975", dup269); - -var msg24142 = msg("21976", dup192); - -var msg24143 = msg("21977", dup192); - -var msg24144 = msg("21978", dup192); - -var msg24145 = msg("21979", dup192); - -var msg24146 = msg("21980", dup192); - -var msg24147 = msg("21981", dup192); - -var msg24148 = msg("21982", dup192); - -var msg24149 = msg("21983", dup192); - -var msg24150 = msg("21984", dup192); - -var msg24151 = msg("21985", dup197); - -var msg24152 = msg("21986", dup197); - -var msg24153 = msg("21987", dup197); - -var msg24154 = msg("21988", dup197); - -var msg24155 = msg("21989", dup197); - -var msg24156 = msg("21990", dup197); - -var msg24157 = msg("21991", dup267); - -var msg24158 = msg("21992", dup267); - -var msg24159 = msg("21993", dup267); - -var msg24160 = msg("21994", dup267); - -var msg24161 = msg("21995", dup202); - -var msg24162 = msg("21996", dup202); - -var msg24163 = msg("21997", 
dup192); - -var msg24164 = msg("21998", dup192); - -var msg24165 = msg("21999", dup202); - -var msg24166 = msg("22000", dup238); - -var msg24167 = msg("22001", dup238); - -var msg24168 = msg("22002", dup202); - -var msg24169 = msg("22003", dup265); - -var msg24170 = msg("22004", dup276); - -var msg24171 = msg("22005", dup276); - -var msg24172 = msg("22006", dup276); - -var msg24173 = msg("22007", dup276); - -var msg24174 = msg("22008", dup276); - -var msg24175 = msg("22009", dup276); - -var msg24176 = msg("22010", dup276); - -var msg24177 = msg("22011", dup276); - -var msg24178 = msg("22012", dup276); - -var msg24179 = msg("22013", dup202); - -var msg24180 = msg("22014", dup202); - -var msg24181 = msg("22015", dup202); - -var msg24182 = msg("22016", dup202); - -var msg24183 = msg("22017", dup202); - -var msg24184 = msg("22018", dup202); - -var msg24185 = msg("22019", dup202); - -var msg24186 = msg("22020", dup202); - -var msg24187 = msg("22021", dup202); - -var msg24188 = msg("22022", dup202); - -var msg24189 = msg("22023", dup202); - -var msg24190 = msg("22024", dup202); - -var msg24191 = msg("22025", dup202); - -var msg24192 = msg("22026", dup202); - -var msg24193 = msg("22027", dup202); - -var msg24194 = msg("22028", dup202); - -var msg24195 = msg("22029", dup197); - -var msg24196 = msg("22030", dup197); - -var msg24197 = msg("22031", dup197); - -var msg24198 = msg("22032", dup197); - -var msg24199 = msg("22033", dup263); - -var msg24200 = msg("22034", dup263); - -var msg24201 = msg("22035", dup197); - -var msg24202 = msg("22036", dup197); - -var msg24203 = msg("22037", dup197); - -var msg24204 = msg("22038", dup265); - -var msg24205 = msg("22039", dup202); - -var msg24206 = msg("22040", dup202); - -var msg24207 = msg("22041", dup202); - -var msg24208 = msg("22042", dup202); - -var msg24209 = msg("22043", dup202); - -var msg24210 = msg("22044", dup202); - -var msg24211 = msg("22045", dup202); - -var msg24212 = msg("22046", dup202); - -var msg24213 = msg("22047", 
dup192); - -var msg24214 = msg("22048", dup192); - -var msg24215 = msg("22049", dup265); - -var msg24216 = msg("22050", dup202); - -var msg24217 = msg("22051", dup263); - -var msg24218 = msg("22052", dup197); - -var msg24219 = msg("22053", dup192); - -var msg24220 = msg("22054", dup192); - -var msg24221 = msg("22055", dup202); - -var msg24222 = msg("22056", dup192); - -var msg24223 = msg("22057", dup192); - -var msg24224 = msg("22058", dup192); - -var msg24225 = msg("22059", dup192); - -var msg24226 = msg("22060", dup192); - -var msg24227 = msg("22061", dup269); - -var msg24228 = msg("22062", dup192); - -var msg24229 = msg("22063", dup302); - -var msg24230 = msg("22064", dup199); - -var msg24231 = msg("22065", dup192); - -var msg24232 = msg("22066", dup197); - -var msg24233 = msg("22067", dup202); - -var msg24234 = msg("22068", dup202); - -var msg24235 = msg("22069", dup202); - -var msg24236 = msg("22070", dup202); - -var msg24237 = msg("22071", dup314); - -var msg24238 = msg("22072", dup314); - -var msg24239 = msg("22073", dup314); - -var msg24240 = msg("22074", dup314); - -var msg24241 = msg("22075", dup197); - -var msg24242 = msg("22076", dup197); - -var msg24243 = msg("22077", dup197); - -var msg24244 = msg("22078", dup197); - -var msg24245 = msg("22079", dup267); - -var msg24246 = msg("22080", dup269); - -var msg24247 = msg("22081", dup197); - -var msg24248 = msg("22082", dup202); - -var msg24249 = msg("22083", dup202); - -var msg24250 = msg("22084", dup202); - -var msg24251 = msg("22085", dup197); - -var msg24252 = msg("22086", dup197); - -var msg24253 = msg("22087", dup197); - -var msg24254 = msg("22088", dup267); - -var msg24255 = msg("22089", dup265); - -var msg24256 = msg("22090", dup269); - -var msg24257 = msg("22091", dup197); - -var msg24258 = msg("22092", dup197); - -var msg24259 = msg("22093", dup197); - -var msg24260 = msg("22094", dup197); - -var msg24261 = msg("22095", dup192); - -var msg24262 = msg("22096", dup263); - -var msg24263 = msg("22097", 
dup199); - -var msg24264 = msg("22098", dup202); - -var msg24265 = msg("22099", dup192); - -var msg24266 = msg("22100", dup192); - -var msg24267 = msg("22101", dup197); - -var msg24268 = msg("22102", dup197); - -var msg24269 = msg("22103", dup192); - -var msg24270 = msg("22104", dup197); - -var msg24271 = msg("22105", dup197); - -var msg24272 = msg("22106", dup197); - -var msg24273 = msg("22107", dup197); - -var msg24274 = msg("22108", dup197); - -var msg24275 = msg("22109", dup197); - -var msg24276 = msg("22110", dup267); - -var msg24277 = msg("22111", dup267); - -var msg24278 = msg("22112", dup267); - -var msg24279 = msg("22113", dup267); - -var msg24280 = msg("22114", dup267); - -var msg24281 = msg("22115", dup267); - -var msg24282 = msg("22116", dup263); - -var msg24283 = msg("22117", dup263); - -var msg24284 = msg("22118", dup263); - -var msg24285 = msg("22119", dup263); - -var msg24286 = msg("22120", dup263); - -var msg24287 = msg("22121", dup263); - -var msg24288 = msg("22122", dup263); - -var msg24289 = msg("22123", dup263); - -var msg24290 = msg("22124", dup263); - -var msg24291 = msg("22125", dup263); - -var msg24292 = msg("22126", dup263); - -var msg24293 = msg("22127", dup263); - -var msg24294 = msg("22128", dup263); - -var msg24295 = msg("22129", dup263); - -var msg24296 = msg("22130", dup263); - -var msg24297 = msg("22131", dup263); - -var msg24298 = msg("22132", dup263); - -var msg24299 = msg("22133", dup263); - -var msg24300 = msg("22134", dup263); - -var msg24301 = msg("22135", dup263); - -var msg24302 = msg("22136", dup263); - -var msg24303 = msg("22137", dup263); - -var msg24304 = msg("22138", dup263); - -var msg24305 = msg("22139", dup263); - -var msg24306 = msg("22140", dup263); - -var msg24307 = msg("22141", dup263); - -var msg24308 = msg("22142", dup263); - -var msg24309 = msg("22143", dup263); - -var msg24310 = msg("22144", dup263); - -var msg24311 = msg("22145", dup263); - -var msg24312 = msg("22146", dup263); - -var msg24313 = msg("22147", 
dup263); - -var msg24314 = msg("22148", dup263); - -var msg24315 = msg("22149", dup263); - -var msg24316 = msg("22150", dup263); - -var msg24317 = msg("22151", dup263); - -var msg24318 = msg("22152", dup263); - -var msg24319 = msg("22153", dup263); - -var msg24320 = msg("22154", dup263); - -var msg24321 = msg("22155", dup263); - -var msg24322 = msg("22156", dup263); - -var msg24323 = msg("22157", dup263); - -var msg24324 = msg("22158", dup263); - -var msg24325 = msg("22159", dup263); - -var msg24326 = msg("22160", dup263); - -var msg24327 = msg("22161", dup263); - -var msg24328 = msg("22162", dup263); - -var msg24329 = msg("22163", dup263); - -var msg24330 = msg("22164", dup263); - -var msg24331 = msg("22165", dup263); - -var msg24332 = msg("22166", dup263); - -var msg24333 = msg("22167", dup263); - -var msg24334 = msg("22168", dup263); - -var msg24335 = msg("22169", dup263); - -var msg24336 = msg("22170", dup263); - -var msg24337 = msg("22171", dup263); - -var msg24338 = msg("22172", dup263); - -var msg24339 = msg("22173", dup263); - -var msg24340 = msg("22174", dup263); - -var msg24341 = msg("22175", dup263); - -var msg24342 = msg("22176", dup263); - -var msg24343 = msg("22177", dup263); - -var msg24344 = msg("22178", dup263); - -var msg24345 = msg("22179", dup263); - -var msg24346 = msg("22180", dup263); - -var msg24347 = msg("22181", dup263); - -var msg24348 = msg("22182", dup263); - -var msg24349 = msg("22183", dup263); - -var msg24350 = msg("22184", dup263); - -var msg24351 = msg("22185", dup263); - -var msg24352 = msg("22186", dup263); - -var msg24353 = msg("22187", dup263); - -var msg24354 = msg("22188", dup263); - -var msg24355 = msg("22189", dup263); - -var msg24356 = msg("22190", dup263); - -var msg24357 = msg("22191", dup263); - -var msg24358 = msg("22192", dup263); - -var msg24359 = msg("22193", dup263); - -var msg24360 = msg("22194", dup263); - -var msg24361 = msg("22195", dup263); - -var msg24362 = msg("22196", dup263); - -var msg24363 = msg("22197", 
dup263); - -var msg24364 = msg("22198", dup263); - -var msg24365 = msg("22199", dup263); - -var msg24366 = msg("22200", dup263); - -var msg24367 = msg("22201", dup263); - -var msg24368 = msg("22202", dup263); - -var msg24369 = msg("22203", dup263); - -var msg24370 = msg("22204", dup263); - -var msg24371 = msg("22205", dup263); - -var msg24372 = msg("22206", dup263); - -var msg24373 = msg("22207", dup263); - -var msg24374 = msg("22208", dup263); - -var msg24375 = msg("22209", dup263); - -var msg24376 = msg("22210", dup263); - -var msg24377 = msg("22211", dup263); - -var msg24378 = msg("22212", dup263); - -var msg24379 = msg("22213", dup263); - -var msg24380 = msg("22214", dup263); - -var msg24381 = msg("22215", dup263); - -var msg24382 = msg("22216", dup263); - -var msg24383 = msg("22217", dup263); - -var msg24384 = msg("22218", dup263); - -var msg24385 = msg("22219", dup263); - -var msg24386 = msg("22220", dup263); - -var msg24387 = msg("22221", dup263); - -var msg24388 = msg("22222", dup263); - -var msg24389 = msg("22223", dup263); - -var msg24390 = msg("22224", dup263); - -var msg24391 = msg("22225", dup263); - -var msg24392 = msg("22226", dup263); - -var msg24393 = msg("22227", dup263); - -var msg24394 = msg("22228", dup263); - -var msg24395 = msg("22229", dup263); - -var msg24396 = msg("22230", dup263); - -var msg24397 = msg("22231", dup263); - -var msg24398 = msg("22232", dup263); - -var msg24399 = msg("22233", dup263); - -var msg24400 = msg("22234", dup263); - -var msg24401 = msg("22235", dup263); - -var msg24402 = msg("22236", dup263); - -var msg24403 = msg("22237", dup263); - -var msg24404 = msg("22238", dup263); - -var msg24405 = msg("22239", dup263); - -var msg24406 = msg("22240", dup263); - -var msg24407 = msg("22241", dup263); - -var msg24408 = msg("22242", dup263); - -var msg24409 = msg("22243", dup263); - -var msg24410 = msg("22244", dup263); - -var msg24411 = msg("22245", dup263); - -var msg24412 = msg("22246", dup263); - -var msg24413 = msg("22247", 
dup269); - -var msg24414 = msg("22248", dup263); - -var msg24415 = msg("22249", dup263); - -var msg24416 = msg("22250", dup263); - -var msg24417 = msg("22251", dup263); - -var msg24418 = msg("22252", dup263); - -var msg24419 = msg("22253", dup263); - -var msg24420 = msg("22254", dup263); - -var msg24421 = msg("22255", dup263); - -var msg24422 = msg("22256", dup263); - -var msg24423 = msg("22257", dup263); - -var msg24424 = msg("22258", dup263); - -var msg24425 = msg("22259", dup263); - -var msg24426 = msg("22260", dup263); - -var msg24427 = msg("22261", dup263); - -var msg24428 = msg("22262", dup263); - -var msg24429 = msg("22263", dup263); - -var msg24430 = msg("22264", dup263); - -var msg24431 = msg("22265", dup263); - -var msg24432 = msg("22266", dup263); - -var msg24433 = msg("22267", dup263); - -var msg24434 = msg("22268", dup263); - -var msg24435 = msg("22269", dup263); - -var msg24436 = msg("22270", dup263); - -var msg24437 = msg("22271", dup263); - -var msg24438 = msg("22272", dup263); - -var msg24439 = msg("22273", dup263); - -var msg24440 = msg("22274", dup263); - -var msg24441 = msg("22275", dup263); - -var msg24442 = msg("22276", dup263); - -var msg24443 = msg("22277", dup263); - -var msg24444 = msg("22278", dup263); - -var msg24445 = msg("22279", dup263); - -var msg24446 = msg("22280", dup263); - -var msg24447 = msg("22281", dup263); - -var msg24448 = msg("22282", dup263); - -var msg24449 = msg("22283", dup263); - -var msg24450 = msg("22284", dup263); - -var msg24451 = msg("22285", dup263); - -var msg24452 = msg("22286", dup263); - -var msg24453 = msg("22287", dup263); - -var msg24454 = msg("22288", dup263); - -var msg24455 = msg("22289", dup263); - -var msg24456 = msg("22290", dup263); - -var msg24457 = msg("22291", dup263); - -var msg24458 = msg("22292", dup263); - -var msg24459 = msg("22293", dup263); - -var msg24460 = msg("22294", dup263); - -var msg24461 = msg("22295", dup263); - -var msg24462 = msg("22296", dup263); - -var msg24463 = msg("22297", 
dup263); - -var msg24464 = msg("22298", dup263); - -var msg24465 = msg("22299", dup263); - -var msg24466 = msg("22300", dup263); - -var msg24467 = msg("22301", dup263); - -var msg24468 = msg("22302", dup263); - -var msg24469 = msg("22303", dup263); - -var msg24470 = msg("22304", dup263); - -var msg24471 = msg("22305", dup263); - -var msg24472 = msg("22306", dup263); - -var msg24473 = msg("22307", dup263); - -var msg24474 = msg("22308", dup269); - -var msg24475 = msg("22309", dup263); - -var msg24476 = msg("22310", dup263); - -var msg24477 = msg("22311", dup263); - -var msg24478 = msg("22312", dup263); - -var msg24479 = msg("22313", dup263); - -var msg24480 = msg("22314", dup263); - -var msg24481 = msg("22315", dup263); - -var msg24482 = msg("22316", dup263); - -var msg24483 = msg("22317", dup263); - -var msg24484 = msg("22318", dup263); - -var msg24485 = msg("22319", dup263); - -var msg24486 = msg("22320", dup263); - -var msg24487 = msg("22321", dup263); - -var msg24488 = msg("22322", dup263); - -var msg24489 = msg("22323", dup263); - -var msg24490 = msg("22324", dup263); - -var msg24491 = msg("22325", dup263); - -var msg24492 = msg("22326", dup263); - -var msg24493 = msg("22327", dup263); - -var msg24494 = msg("22328", dup263); - -var msg24495 = msg("22329", dup263); - -var msg24496 = msg("22330", dup263); - -var msg24497 = msg("22331", dup263); - -var msg24498 = msg("22332", dup263); - -var msg24499 = msg("22333", dup263); - -var msg24500 = msg("22334", dup263); - -var msg24501 = msg("22335", dup263); - -var msg24502 = msg("22336", dup263); - -var msg24503 = msg("22337", dup263); - -var msg24504 = msg("22338", dup263); - -var msg24505 = msg("22339", dup227); - -var msg24506 = msg("22340", dup227); - -var msg24507 = msg("22341", dup263); - -var msg24508 = msg("22342", dup263); - -var msg24509 = msg("22343", dup263); - -var msg24510 = msg("22344", dup263); - -var msg24511 = msg("22345", dup263); - -var msg24512 = msg("22346", dup263); - -var msg24513 = msg("22347", 
dup263); - -var msg24514 = msg("22348", dup263); - -var msg24515 = msg("22349", dup263); - -var msg24516 = msg("22350", dup263); - -var msg24517 = msg("22351", dup263); - -var msg24518 = msg("22352", dup263); - -var msg24519 = msg("22353", dup263); - -var msg24520 = msg("22354", dup263); - -var msg24521 = msg("22355", dup263); - -var msg24522 = msg("22356", dup263); - -var msg24523 = msg("22357", dup263); - -var msg24524 = msg("22358", dup263); - -var msg24525 = msg("22359", dup263); - -var msg24526 = msg("22360", dup263); - -var msg24527 = msg("22361", dup263); - -var msg24528 = msg("22362", dup263); - -var msg24529 = msg("22363", dup263); - -var msg24530 = msg("22364", dup263); - -var msg24531 = msg("22365", dup263); - -var msg24532 = msg("22366", dup263); - -var msg24533 = msg("22367", dup263); - -var msg24534 = msg("22368", dup263); - -var msg24535 = msg("22369", dup263); - -var msg24536 = msg("22370", dup263); - -var msg24537 = msg("22371", dup263); - -var msg24538 = msg("22372", dup263); - -var msg24539 = msg("22373", dup263); - -var msg24540 = msg("22374", dup263); - -var msg24541 = msg("22375", dup263); - -var msg24542 = msg("22376", dup263); - -var msg24543 = msg("22377", dup263); - -var msg24544 = msg("22378", dup263); - -var msg24545 = msg("22379", dup263); - -var msg24546 = msg("22380", dup263); - -var msg24547 = msg("22381", dup263); - -var msg24548 = msg("22382", dup263); - -var msg24549 = msg("22383", dup263); - -var msg24550 = msg("22384", dup263); - -var msg24551 = msg("22385", dup263); - -var msg24552 = msg("22386", dup263); - -var msg24553 = msg("22387", dup263); - -var msg24554 = msg("22388", dup263); - -var msg24555 = msg("22389", dup263); - -var msg24556 = msg("22390", dup263); - -var msg24557 = msg("22391", dup263); - -var msg24558 = msg("22392", dup263); - -var msg24559 = msg("22393", dup263); - -var msg24560 = msg("22394", dup263); - -var msg24561 = msg("22395", dup263); - -var msg24562 = msg("22396", dup263); - -var msg24563 = msg("22397", 
dup263); - -var msg24564 = msg("22398", dup263); - -var msg24565 = msg("22399", dup263); - -var msg24566 = msg("22400", dup263); - -var msg24567 = msg("22401", dup263); - -var msg24568 = msg("22402", dup263); - -var msg24569 = msg("22403", dup263); - -var msg24570 = msg("22404", dup263); - -var msg24571 = msg("22405", dup263); - -var msg24572 = msg("22406", dup263); - -var msg24573 = msg("22407", dup227); - -var msg24574 = msg("22408", dup263); - -var msg24575 = msg("22409", dup263); - -var msg24576 = msg("22410", dup263); - -var msg24577 = msg("22411", dup263); - -var msg24578 = msg("22412", dup263); - -var msg24579 = msg("22413", dup263); - -var msg24580 = msg("22414", dup263); - -var msg24581 = msg("22415", dup263); - -var msg24582 = msg("22416", dup263); - -var msg24583 = msg("22417", dup263); - -var msg24584 = msg("22418", dup263); - -var msg24585 = msg("22419", dup263); - -var msg24586 = msg("22420", dup263); - -var msg24587 = msg("22421", dup263); - -var msg24588 = msg("22422", dup263); - -var msg24589 = msg("22423", dup263); - -var msg24590 = msg("22424", dup263); - -var msg24591 = msg("22425", dup263); - -var msg24592 = msg("22426", dup263); - -var msg24593 = msg("22427", dup263); - -var msg24594 = msg("22428", dup263); - -var msg24595 = msg("22429", dup263); - -var msg24596 = msg("22430", dup263); - -var msg24597 = msg("22431", dup263); - -var msg24598 = msg("22432", dup263); - -var msg24599 = msg("22433", dup263); - -var msg24600 = msg("22434", dup263); - -var msg24601 = msg("22435", dup263); - -var msg24602 = msg("22436", dup263); - -var msg24603 = msg("22437", dup263); - -var msg24604 = msg("22438", dup263); - -var msg24605 = msg("22439", dup263); - -var msg24606 = msg("22440", dup263); - -var msg24607 = msg("22441", dup263); - -var msg24608 = msg("22442", dup263); - -var msg24609 = msg("22443", dup263); - -var msg24610 = msg("22444", dup263); - -var msg24611 = msg("22445", dup263); - -var msg24612 = msg("22446", dup263); - -var msg24613 = msg("22447", 
dup263); - -var msg24614 = msg("22448", dup263); - -var msg24615 = msg("22449", dup263); - -var msg24616 = msg("22450", dup263); - -var msg24617 = msg("22451", dup263); - -var msg24618 = msg("22452", dup263); - -var msg24619 = msg("22453", dup263); - -var msg24620 = msg("22454", dup263); - -var msg24621 = msg("22455", dup263); - -var msg24622 = msg("22456", dup263); - -var msg24623 = msg("22457", dup263); - -var msg24624 = msg("22458", dup263); - -var msg24625 = msg("22459", dup263); - -var msg24626 = msg("22460", dup263); - -var msg24627 = msg("22461", dup263); - -var msg24628 = msg("22462", dup263); - -var msg24629 = msg("22463", dup263); - -var msg24630 = msg("22464", dup263); - -var msg24631 = msg("22465", dup263); - -var msg24632 = msg("22466", dup263); - -var msg24633 = msg("22467", dup263); - -var msg24634 = msg("22468", dup263); - -var msg24635 = msg("22469", dup263); - -var msg24636 = msg("22470", dup263); - -var msg24637 = msg("22471", dup263); - -var msg24638 = msg("22472", dup263); - -var msg24639 = msg("22473", dup263); - -var msg24640 = msg("22474", dup263); - -var msg24641 = msg("22475", dup263); - -var msg24642 = msg("22476", dup263); - -var msg24643 = msg("22477", dup263); - -var msg24644 = msg("22478", dup263); - -var msg24645 = msg("22479", dup263); - -var msg24646 = msg("22480", dup263); - -var msg24647 = msg("22481", dup263); - -var msg24648 = msg("22482", dup263); - -var msg24649 = msg("22483", dup263); - -var msg24650 = msg("22484", dup263); - -var msg24651 = msg("22485", dup263); - -var msg24652 = msg("22486", dup263); - -var msg24653 = msg("22487", dup263); - -var msg24654 = msg("22488", dup263); - -var msg24655 = msg("22489", dup263); - -var msg24656 = msg("22490", dup263); - -var msg24657 = msg("22491", dup263); - -var msg24658 = msg("22492", dup263); - -var msg24659 = msg("22493", dup263); - -var msg24660 = msg("22494", dup263); - -var msg24661 = msg("22495", dup263); - -var msg24662 = msg("22496", dup263); - -var msg24663 = msg("22497", 
dup263); - -var msg24664 = msg("22498", dup263); - -var msg24665 = msg("22499", dup263); - -var msg24666 = msg("22500", dup263); - -var msg24667 = msg("22501", dup263); - -var msg24668 = msg("22502", dup263); - -var msg24669 = msg("22503", dup263); - -var msg24670 = msg("22504", dup263); - -var msg24671 = msg("22505", dup263); - -var msg24672 = msg("22506", dup263); - -var msg24673 = msg("22507", dup263); - -var msg24674 = msg("22508", dup263); - -var msg24675 = msg("22509", dup263); - -var msg24676 = msg("22510", dup263); - -var msg24677 = msg("22511", dup263); - -var msg24678 = msg("22512", dup263); - -var msg24679 = msg("22513", dup263); - -var msg24680 = msg("22514", dup263); - -var msg24681 = msg("22515", dup263); - -var msg24682 = msg("22516", dup263); - -var msg24683 = msg("22517", dup263); - -var msg24684 = msg("22518", dup263); - -var msg24685 = msg("22519", dup263); - -var msg24686 = msg("22520", dup263); - -var msg24687 = msg("22521", dup263); - -var msg24688 = msg("22522", dup263); - -var msg24689 = msg("22523", dup263); - -var msg24690 = msg("22524", dup263); - -var msg24691 = msg("22525", dup263); - -var msg24692 = msg("22526", dup263); - -var msg24693 = msg("22527", dup263); - -var msg24694 = msg("22528", dup263); - -var msg24695 = msg("22529", dup263); - -var msg24696 = msg("22530", dup263); - -var msg24697 = msg("22531", dup263); - -var msg24698 = msg("22532", dup263); - -var msg24699 = msg("22533", dup263); - -var msg24700 = msg("22534", dup263); - -var msg24701 = msg("22535", dup263); - -var msg24702 = msg("22536", dup263); - -var msg24703 = msg("22537", dup263); - -var msg24704 = msg("22538", dup263); - -var msg24705 = msg("22539", dup263); - -var msg24706 = msg("22540", dup263); - -var msg24707 = msg("22541", dup263); - -var msg24708 = msg("22542", dup263); - -var msg24709 = msg("22543", dup263); - -var msg24710 = msg("22544", dup263); - -var msg24711 = msg("22545", dup263); - -var msg24712 = msg("22546", dup263); - -var msg24713 = msg("22547", 
dup263); - -var msg24714 = msg("22548", dup263); - -var msg24715 = msg("22549", dup263); - -var msg24716 = msg("22550", dup263); - -var msg24717 = msg("22551", dup263); - -var msg24718 = msg("22552", dup263); - -var msg24719 = msg("22553", dup263); - -var msg24720 = msg("22554", dup263); - -var msg24721 = msg("22555", dup263); - -var msg24722 = msg("22556", dup263); - -var msg24723 = msg("22557", dup263); - -var msg24724 = msg("22558", dup263); - -var msg24725 = msg("22559", dup263); - -var msg24726 = msg("22560", dup263); - -var msg24727 = msg("22561", dup263); - -var msg24728 = msg("22562", dup263); - -var msg24729 = msg("22563", dup263); - -var msg24730 = msg("22564", dup263); - -var msg24731 = msg("22565", dup263); - -var msg24732 = msg("22566", dup263); - -var msg24733 = msg("22567", dup263); - -var msg24734 = msg("22568", dup263); - -var msg24735 = msg("22569", dup263); - -var msg24736 = msg("22570", dup263); - -var msg24737 = msg("22571", dup263); - -var msg24738 = msg("22572", dup263); - -var msg24739 = msg("22573", dup263); - -var msg24740 = msg("22574", dup263); - -var msg24741 = msg("22575", dup263); - -var msg24742 = msg("22576", dup263); - -var msg24743 = msg("22577", dup263); - -var msg24744 = msg("22578", dup298); - -var msg24745 = msg("22579", dup298); - -var msg24746 = msg("22580", dup263); - -var msg24747 = msg("22581", dup263); - -var msg24748 = msg("22582", dup263); - -var msg24749 = msg("22583", dup263); - -var msg24750 = msg("22584", dup263); - -var msg24751 = msg("22585", dup263); - -var msg24752 = msg("22586", dup263); - -var msg24753 = msg("22587", dup263); - -var msg24754 = msg("22588", dup263); - -var msg24755 = msg("22589", dup263); - -var msg24756 = msg("22590", dup263); - -var msg24757 = msg("22591", dup263); - -var msg24758 = msg("22592", dup250); - -var msg24759 = msg("22593", dup263); - -var msg24760 = msg("22594", dup263); - -var msg24761 = msg("22595", dup263); - -var msg24762 = msg("22596", dup263); - -var msg24763 = msg("22597", 
dup263); - -var msg24764 = msg("22598", dup263); - -var msg24765 = msg("22599", dup263); - -var msg24766 = msg("22600", dup263); - -var msg24767 = msg("22601", dup263); - -var msg24768 = msg("22602", dup263); - -var msg24769 = msg("22603", dup263); - -var msg24770 = msg("22604", dup263); - -var msg24771 = msg("22605", dup263); - -var msg24772 = msg("22606", dup263); - -var msg24773 = msg("22607", dup263); - -var msg24774 = msg("22608", dup263); - -var msg24775 = msg("22609", dup263); - -var msg24776 = msg("22610", dup263); - -var msg24777 = msg("22611", dup263); - -var msg24778 = msg("22612", dup263); - -var msg24779 = msg("22613", dup263); - -var msg24780 = msg("22614", dup263); - -var msg24781 = msg("22615", dup263); - -var msg24782 = msg("22616", dup263); - -var msg24783 = msg("22617", dup263); - -var msg24784 = msg("22618", dup263); - -var msg24785 = msg("22619", dup263); - -var msg24786 = msg("22620", dup263); - -var msg24787 = msg("22621", dup263); - -var msg24788 = msg("22622", dup263); - -var msg24789 = msg("22623", dup263); - -var msg24790 = msg("22624", dup263); - -var msg24791 = msg("22625", dup263); - -var msg24792 = msg("22626", dup263); - -var msg24793 = msg("22627", dup263); - -var msg24794 = msg("22628", dup263); - -var msg24795 = msg("22629", dup263); - -var msg24796 = msg("22630", dup263); - -var msg24797 = msg("22631", dup263); - -var msg24798 = msg("22632", dup263); - -var msg24799 = msg("22633", dup263); - -var msg24800 = msg("22634", dup263); - -var msg24801 = msg("22635", dup263); - -var msg24802 = msg("22636", dup263); - -var msg24803 = msg("22637", dup263); - -var msg24804 = msg("22638", dup263); - -var msg24805 = msg("22639", dup263); - -var msg24806 = msg("22640", dup263); - -var msg24807 = msg("22641", dup263); - -var msg24808 = msg("22642", dup263); - -var msg24809 = msg("22643", dup263); - -var msg24810 = msg("22644", dup263); - -var msg24811 = msg("22645", dup263); - -var msg24812 = msg("22646", dup263); - -var msg24813 = msg("22647", 
dup263); - -var msg24814 = msg("22648", dup263); - -var msg24815 = msg("22649", dup263); - -var msg24816 = msg("22650", dup263); - -var msg24817 = msg("22651", dup263); - -var msg24818 = msg("22652", dup263); - -var msg24819 = msg("22653", dup263); - -var msg24820 = msg("22654", dup263); - -var msg24821 = msg("22655", dup263); - -var msg24822 = msg("22656", dup250); - -var msg24823 = msg("22657", dup250); - -var msg24824 = msg("22658", dup263); - -var msg24825 = msg("22659", dup263); - -var msg24826 = msg("22660", dup263); - -var msg24827 = msg("22661", dup263); - -var msg24828 = msg("22662", dup263); - -var msg24829 = msg("22663", dup263); - -var msg24830 = msg("22664", dup263); - -var msg24831 = msg("22665", dup263); - -var msg24832 = msg("22666", dup263); - -var msg24833 = msg("22667", dup263); - -var msg24834 = msg("22668", dup263); - -var msg24835 = msg("22669", dup263); - -var msg24836 = msg("22670", dup263); - -var msg24837 = msg("22671", dup263); - -var msg24838 = msg("22672", dup263); - -var msg24839 = msg("22673", dup263); - -var msg24840 = msg("22674", dup263); - -var msg24841 = msg("22675", dup263); - -var msg24842 = msg("22676", dup263); - -var msg24843 = msg("22677", dup263); - -var msg24844 = msg("22678", dup263); - -var msg24845 = msg("22679", dup263); - -var msg24846 = msg("22680", dup263); - -var msg24847 = msg("22681", dup263); - -var msg24848 = msg("22682", dup263); - -var msg24849 = msg("22683", dup263); - -var msg24850 = msg("22684", dup263); - -var msg24851 = msg("22685", dup263); - -var msg24852 = msg("22686", dup263); - -var msg24853 = msg("22687", dup263); - -var msg24854 = msg("22688", dup263); - -var msg24855 = msg("22689", dup263); - -var msg24856 = msg("22690", dup263); - -var msg24857 = msg("22691", dup263); - -var msg24858 = msg("22692", dup263); - -var msg24859 = msg("22693", dup263); - -var msg24860 = msg("22694", dup263); - -var msg24861 = msg("22695", dup263); - -var msg24862 = msg("22696", dup263); - -var msg24863 = msg("22697", 
dup263); - -var msg24864 = msg("22698", dup263); - -var msg24865 = msg("22699", dup263); - -var msg24866 = msg("22700", dup263); - -var msg24867 = msg("22701", dup263); - -var msg24868 = msg("22702", dup263); - -var msg24869 = msg("22703", dup263); - -var msg24870 = msg("22704", dup263); - -var msg24871 = msg("22705", dup263); - -var msg24872 = msg("22706", dup263); - -var msg24873 = msg("22707", dup263); - -var msg24874 = msg("22708", dup263); - -var msg24875 = msg("22709", dup263); - -var msg24876 = msg("22710", dup263); - -var msg24877 = msg("22711", dup263); - -var msg24878 = msg("22712", dup263); - -var msg24879 = msg("22713", dup263); - -var msg24880 = msg("22714", dup263); - -var msg24881 = msg("22715", dup263); - -var msg24882 = msg("22716", dup263); - -var msg24883 = msg("22717", dup263); - -var msg24884 = msg("22718", dup263); - -var msg24885 = msg("22719", dup263); - -var msg24886 = msg("22720", dup263); - -var msg24887 = msg("22721", dup263); - -var msg24888 = msg("22722", dup263); - -var msg24889 = msg("22723", dup263); - -var msg24890 = msg("22724", dup263); - -var msg24891 = msg("22725", dup263); - -var msg24892 = msg("22726", dup263); - -var msg24893 = msg("22727", dup263); - -var msg24894 = msg("22728", dup263); - -var msg24895 = msg("22729", dup263); - -var msg24896 = msg("22730", dup263); - -var msg24897 = msg("22731", dup263); - -var msg24898 = msg("22732", dup263); - -var msg24899 = msg("22733", dup263); - -var msg24900 = msg("22734", dup263); - -var msg24901 = msg("22735", dup263); - -var msg24902 = msg("22736", dup263); - -var msg24903 = msg("22737", dup263); - -var msg24904 = msg("22738", dup263); - -var msg24905 = msg("22739", dup263); - -var msg24906 = msg("22740", dup263); - -var msg24907 = msg("22741", dup263); - -var msg24908 = msg("22742", dup263); - -var msg24909 = msg("22743", dup263); - -var msg24910 = msg("22744", dup263); - -var msg24911 = msg("22745", dup263); - -var msg24912 = msg("22746", dup263); - -var msg24913 = msg("22747", 
dup263); - -var msg24914 = msg("22748", dup263); - -var msg24915 = msg("22749", dup263); - -var msg24916 = msg("22750", dup263); - -var msg24917 = msg("22751", dup263); - -var msg24918 = msg("22752", dup263); - -var msg24919 = msg("22753", dup263); - -var msg24920 = msg("22754", dup263); - -var msg24921 = msg("22755", dup263); - -var msg24922 = msg("22756", dup263); - -var msg24923 = msg("22757", dup263); - -var msg24924 = msg("22758", dup263); - -var msg24925 = msg("22759", dup263); - -var msg24926 = msg("22760", dup263); - -var msg24927 = msg("22761", dup263); - -var msg24928 = msg("22762", dup263); - -var msg24929 = msg("22763", dup263); - -var msg24930 = msg("22764", dup263); - -var msg24931 = msg("22765", dup263); - -var msg24932 = msg("22766", dup263); - -var msg24933 = msg("22767", dup263); - -var msg24934 = msg("22768", dup263); - -var msg24935 = msg("22769", dup263); - -var msg24936 = msg("22770", dup263); - -var msg24937 = msg("22771", dup263); - -var msg24938 = msg("22772", dup263); - -var msg24939 = msg("22773", dup263); - -var msg24940 = msg("22774", dup263); - -var msg24941 = msg("22775", dup263); - -var msg24942 = msg("22776", dup263); - -var msg24943 = msg("22777", dup263); - -var msg24944 = msg("22778", dup263); - -var msg24945 = msg("22779", dup263); - -var msg24946 = msg("22780", dup263); - -var msg24947 = msg("22781", dup263); - -var msg24948 = msg("22782", dup263); - -var msg24949 = msg("22783", dup263); - -var msg24950 = msg("22784", dup263); - -var msg24951 = msg("22785", dup263); - -var msg24952 = msg("22786", dup263); - -var msg24953 = msg("22787", dup263); - -var msg24954 = msg("22788", dup263); - -var msg24955 = msg("22789", dup263); - -var msg24956 = msg("22790", dup263); - -var msg24957 = msg("22791", dup263); - -var msg24958 = msg("22792", dup263); - -var msg24959 = msg("22793", dup263); - -var msg24960 = msg("22794", dup263); - -var msg24961 = msg("22795", dup263); - -var msg24962 = msg("22796", dup263); - -var msg24963 = msg("22797", 
dup263); - -var msg24964 = msg("22798", dup263); - -var msg24965 = msg("22799", dup263); - -var msg24966 = msg("22800", dup263); - -var msg24967 = msg("22801", dup263); - -var msg24968 = msg("22802", dup263); - -var msg24969 = msg("22803", dup263); - -var msg24970 = msg("22804", dup263); - -var msg24971 = msg("22805", dup263); - -var msg24972 = msg("22806", dup263); - -var msg24973 = msg("22807", dup263); - -var msg24974 = msg("22808", dup263); - -var msg24975 = msg("22809", dup263); - -var msg24976 = msg("22810", dup263); - -var msg24977 = msg("22811", dup263); - -var msg24978 = msg("22812", dup263); - -var msg24979 = msg("22813", dup263); - -var msg24980 = msg("22814", dup263); - -var msg24981 = msg("22815", dup263); - -var msg24982 = msg("22816", dup263); - -var msg24983 = msg("22817", dup263); - -var msg24984 = msg("22818", dup263); - -var msg24985 = msg("22819", dup263); - -var msg24986 = msg("22820", dup263); - -var msg24987 = msg("22821", dup263); - -var msg24988 = msg("22822", dup263); - -var msg24989 = msg("22823", dup263); - -var msg24990 = msg("22824", dup263); - -var msg24991 = msg("22825", dup263); - -var msg24992 = msg("22826", dup263); - -var msg24993 = msg("22827", dup263); - -var msg24994 = msg("22828", dup263); - -var msg24995 = msg("22829", dup263); - -var msg24996 = msg("22830", dup263); - -var msg24997 = msg("22831", dup263); - -var msg24998 = msg("22832", dup263); - -var msg24999 = msg("22833", dup263); - -var msg25000 = msg("22834", dup263); - -var msg25001 = msg("22835", dup263); - -var msg25002 = msg("22836", dup263); - -var msg25003 = msg("22837", dup263); - -var msg25004 = msg("22838", dup263); - -var msg25005 = msg("22839", dup263); - -var msg25006 = msg("22840", dup263); - -var msg25007 = msg("22841", dup263); - -var msg25008 = msg("22842", dup263); - -var msg25009 = msg("22843", dup263); - -var msg25010 = msg("22844", dup263); - -var msg25011 = msg("22845", dup263); - -var msg25012 = msg("22846", dup263); - -var msg25013 = msg("22847", 
dup263); - -var msg25014 = msg("22848", dup263); - -var msg25015 = msg("22849", dup263); - -var msg25016 = msg("22850", dup263); - -var msg25017 = msg("22851", dup263); - -var msg25018 = msg("22852", dup263); - -var msg25019 = msg("22853", dup263); - -var msg25020 = msg("22854", dup263); - -var msg25021 = msg("22855", dup263); - -var msg25022 = msg("22856", dup263); - -var msg25023 = msg("22857", dup263); - -var msg25024 = msg("22858", dup263); - -var msg25025 = msg("22859", dup263); - -var msg25026 = msg("22860", dup263); - -var msg25027 = msg("22861", dup263); - -var msg25028 = msg("22862", dup263); - -var msg25029 = msg("22863", dup263); - -var msg25030 = msg("22864", dup263); - -var msg25031 = msg("22865", dup263); - -var msg25032 = msg("22866", dup263); - -var msg25033 = msg("22867", dup263); - -var msg25034 = msg("22868", dup263); - -var msg25035 = msg("22869", dup263); - -var msg25036 = msg("22870", dup263); - -var msg25037 = msg("22871", dup263); - -var msg25038 = msg("22872", dup263); - -var msg25039 = msg("22873", dup263); - -var msg25040 = msg("22874", dup263); - -var msg25041 = msg("22875", dup250); - -var msg25042 = msg("22876", dup263); - -var msg25043 = msg("22877", dup263); - -var msg25044 = msg("22878", dup263); - -var msg25045 = msg("22879", dup263); - -var msg25046 = msg("22880", dup263); - -var msg25047 = msg("22881", dup263); - -var msg25048 = msg("22882", dup263); - -var msg25049 = msg("22883", dup263); - -var msg25050 = msg("22884", dup263); - -var msg25051 = msg("22885", dup263); - -var msg25052 = msg("22886", dup263); - -var msg25053 = msg("22887", dup263); - -var msg25054 = msg("22888", dup263); - -var msg25055 = msg("22889", dup263); - -var msg25056 = msg("22890", dup263); - -var msg25057 = msg("22891", dup263); - -var msg25058 = msg("22892", dup263); - -var msg25059 = msg("22893", dup263); - -var msg25060 = msg("22894", dup263); - -var msg25061 = msg("22895", dup263); - -var msg25062 = msg("22896", dup263); - -var msg25063 = msg("22897", 
dup263); - -var msg25064 = msg("22898", dup263); - -var msg25065 = msg("22899", dup263); - -var msg25066 = msg("22900", dup263); - -var msg25067 = msg("22901", dup263); - -var msg25068 = msg("22902", dup263); - -var msg25069 = msg("22903", dup263); - -var msg25070 = msg("22904", dup263); - -var msg25071 = msg("22905", dup263); - -var msg25072 = msg("22906", dup263); - -var msg25073 = msg("22907", dup263); - -var msg25074 = msg("22908", dup263); - -var msg25075 = msg("22909", dup263); - -var msg25076 = msg("22910", dup263); - -var msg25077 = msg("22911", dup263); - -var msg25078 = msg("22912", dup263); - -var msg25079 = msg("22913", dup263); - -var msg25080 = msg("22914", dup263); - -var msg25081 = msg("22915", dup202); - -var msg25082 = msg("22916", dup202); - -var msg25083 = msg("22917", dup192); - -var msg25084 = msg("22918", dup192); - -var msg25085 = msg("22919", dup192); - -var msg25086 = msg("22920", dup192); - -var msg25087 = msg("22921", dup192); - -var msg25088 = msg("22922", dup192); - -var msg25089 = msg("22923", dup192); - -var msg25090 = msg("22924", dup227); - -var msg25091 = msg("22925", dup192); - -var msg25092 = msg("22926", dup192); - -var msg25093 = msg("22927", dup192); - -var msg25094 = msg("22928", dup192); - -var msg25095 = msg("22929", dup192); - -var msg25096 = msg("22930", dup192); - -var msg25097 = msg("22931", dup192); - -var msg25098 = msg("22932", dup192); - -var msg25099 = msg("22933", dup192); - -var msg25100 = msg("22934", dup192); - -var msg25101 = msg("22935", dup192); - -var msg25102 = msg("22936", dup192); - -var msg25103 = msg("22937", dup192); - -var msg25104 = msg("22938", dup197); - -var msg25105 = msg("22939", dup269); - -var msg25106 = msg("22940", dup202); - -var msg25107 = msg("22941", dup269); - -var msg25108 = msg("22942", dup285); - -var msg25109 = msg("22943", dup202); - -var msg25110 = msg("22944", dup202); - -var msg25111 = msg("22945", dup202); - -var msg25112 = msg("22946", dup202); - -var msg25113 = msg("22947", 
dup197); - -var msg25114 = msg("22948", dup201); - -var msg25115 = msg("22949", dup202); - -var msg25116 = msg("22950", dup197); - -var msg25117 = msg("22951", dup197); - -var msg25118 = msg("22952", dup199); - -var msg25119 = msg("22953", dup198); - -var msg25120 = msg("22954", dup197); - -var msg25121 = msg("22955", dup202); - -var msg25122 = msg("22956", dup202); - -var msg25123 = msg("22957", dup263); - -var msg25124 = msg("22958", dup263); - -var msg25125 = msg("22959", dup263); - -var msg25126 = msg("22960", dup263); - -var msg25127 = msg("22961", dup202); - -var msg25128 = msg("22962", dup202); - -var msg25129 = msg("22963", dup202); - -var msg25130 = msg("22964", dup202); - -var msg25131 = msg("22965", dup202); - -var msg25132 = msg("22966", dup202); - -var msg25133 = msg("22967", dup202); - -var msg25134 = msg("22968", dup202); - -var msg25135 = msg("22969", dup202); - -var msg25136 = msg("22970", dup202); - -var msg25137 = msg("22971", dup202); - -var msg25138 = msg("22972", dup202); - -var msg25139 = msg("22973", dup202); - -var msg25140 = msg("22974", dup202); - -var msg25141 = msg("22975", dup202); - -var msg25142 = msg("22976", dup202); - -var msg25143 = msg("22977", dup202); - -var msg25144 = msg("22978", dup202); - -var msg25145 = msg("22979", dup202); - -var msg25146 = msg("22980", dup202); - -var msg25147 = msg("22981", dup202); - -var msg25148 = msg("22982", dup202); - -var msg25149 = msg("22983", dup202); - -var msg25150 = msg("22984", dup202); - -var msg25151 = msg("22985", dup202); - -var msg25152 = msg("22986", dup202); - -var msg25153 = msg("22987", dup202); - -var msg25154 = msg("22988", dup202); - -var msg25155 = msg("22989", dup202); - -var msg25156 = msg("22990", dup202); - -var msg25157 = msg("22991", dup202); - -var msg25158 = msg("22992", dup202); - -var msg25159 = msg("22993", dup202); - -var msg25160 = msg("22994", dup202); - -var msg25161 = msg("22995", dup202); - -var msg25162 = msg("22996", dup202); - -var msg25163 = msg("22997", 
dup202); - -var msg25164 = msg("22998", dup202); - -var msg25165 = msg("22999", dup202); - -var msg25166 = msg("23000", dup202); - -var msg25167 = msg("23001", dup202); - -var msg25168 = msg("23002", dup202); - -var msg25169 = msg("23003", dup202); - -var msg25170 = msg("23004", dup197); - -var msg25171 = msg("23005", dup197); - -var msg25172 = msg("23006", dup197); - -var msg25173 = msg("23007", dup197); - -var msg25174 = msg("23008", dup201); - -var msg25175 = msg("23009", dup197); - -var msg25176 = msg("23010", dup197); - -var msg25177 = msg("23011", dup202); - -var msg25178 = msg("23012", dup202); - -var msg25179 = msg("23013", dup202); - -var msg25180 = msg("23014", dup197); - -var msg25181 = msg("23015", dup265); - -var msg25182 = msg("23016", dup192); - -var msg25183 = msg("23017", dup202); - -var msg25184 = msg("23018", dup202); - -var msg25185 = msg("23019", dup269); - -var msg25186 = msg("23020", dup263); - -var msg25187 = msg("23021", dup263); - -var msg25188 = msg("23022", dup263); - -var msg25189 = msg("23023", dup263); - -var msg25190 = msg("23024", dup263); - -var msg25191 = msg("23025", dup263); - -var msg25192 = msg("23026", dup263); - -var msg25193 = msg("23027", dup263); - -var msg25194 = msg("23028", dup263); - -var msg25195 = msg("23029", dup263); - -var msg25196 = msg("23030", dup263); - -var msg25197 = msg("23031", dup263); - -var msg25198 = msg("23032", dup263); - -var msg25199 = msg("23033", dup263); - -var msg25200 = msg("23034", dup263); - -var msg25201 = msg("23035", dup263); - -var msg25202 = msg("23036", dup263); - -var msg25203 = msg("23037", dup263); - -var msg25204 = msg("23038", dup263); - -var msg25205 = msg("23039", dup287); - -var msg25206 = msg("23040", dup287); - -var msg25207 = msg("23041", dup202); - -var msg25208 = msg("23042", dup269); - -var msg25209 = msg("23043", dup269); - -var msg25210 = msg("23044", dup269); - -var msg25211 = msg("23045", dup269); - -var msg25212 = msg("23046", dup267); - -var msg25213 = msg("23047", 
dup267); - -var msg25214 = msg("23048", dup265); - -var msg25215 = msg("23049", dup265); - -var msg25216 = msg("23050", dup265); - -var msg25217 = msg("23051", dup202); - -var msg25218 = msg("23054", dup267); - -var msg25219 = msg("23055", dup227); - -var msg25220 = msg("23056", dup197); - -var msg25221 = msg("23057", dup263); - -var msg25222 = msg("23058", dup202); - -var msg25223 = msg("23059", dup197); - -var msg25224 = msg("23060", dup267); - -var msg25225 = msg("23061", dup263); - -var msg25226 = msg("23062", dup263); - -var msg25227 = msg("23063", dup263); - -var msg25228 = msg("23064", dup263); - -var msg25229 = msg("23065", dup263); - -var msg25230 = msg("23066", dup263); - -var msg25231 = msg("23067", dup263); - -var msg25232 = msg("23068", dup263); - -var msg25233 = msg("23069", dup263); - -var msg25234 = msg("23070", dup263); - -var msg25235 = msg("23071", dup263); - -var msg25236 = msg("23072", dup263); - -var msg25237 = msg("23073", dup263); - -var msg25238 = msg("23074", dup263); - -var msg25239 = msg("23075", dup263); - -var msg25240 = msg("23076", dup263); - -var msg25241 = msg("23077", dup263); - -var msg25242 = msg("23078", dup263); - -var msg25243 = msg("23079", dup263); - -var msg25244 = msg("23080", dup263); - -var msg25245 = msg("23081", dup263); - -var msg25246 = msg("23082", dup263); - -var msg25247 = msg("23083", dup263); - -var msg25248 = msg("23084", dup263); - -var msg25249 = msg("23085", dup202); - -var msg25250 = msg("23086", dup202); - -var msg25251 = msg("23087", dup202); - -var msg25252 = msg("23088", dup202); - -var msg25253 = msg("23089", dup202); - -var msg25254 = msg("23090", dup265); - -var msg25255 = msg("23091", dup197); - -var msg25256 = msg("23092", dup197); - -var msg25257 = msg("23093", dup197); - -var msg25258 = msg("23094", dup197); - -var msg25259 = msg("23095", dup197); - -var msg25260 = msg("23096", dup267); - -var msg25261 = msg("23097", dup198); - -var msg25262 = msg("23098", dup197); - -var msg25263 = msg("23099", 
dup198); - -var msg25264 = msg("23100", dup197); - -var msg25265 = msg("23101", dup197); - -var msg25266 = msg("23102", dup192); - -var msg25267 = msg("23103", dup192); - -var msg25268 = msg("23104", dup192); - -var msg25269 = msg("23105", dup197); - -var msg25270 = msg("23106", dup192); - -var msg25271 = msg("23107", dup265); - -var msg25272 = msg("23108", dup192); - -var msg25273 = msg("23109", dup192); - -var msg25274 = msg("23110", dup197); - -var msg25275 = msg("23111", dup304); - -var msg25276 = msg("23112", dup198); - -var msg25277 = msg("23113", dup269); - -var msg25278 = msg("23114", dup269); - -var msg25279 = msg("23115", dup240); - -var msg25280 = msg("23116", dup265); - -var msg25281 = msg("23117", dup265); - -var msg25282 = msg("23118", dup265); - -var msg25283 = msg("23119", dup202); - -var msg25284 = msg("23120", dup202); - -var msg25285 = msg("23121", dup265); - -var msg25286 = msg("23122", dup265); - -var msg25287 = msg("23123", dup265); - -var msg25288 = msg("23124", dup267); - -var msg25289 = msg("23125", dup267); - -var msg25290 = msg("23126", dup267); - -var msg25291 = msg("23127", dup267); - -var msg25292 = msg("23128", dup265); - -var msg25293 = msg("23129", dup202); - -var msg25294 = msg("23130", dup202); - -var msg25295 = msg("23131", dup202); - -var msg25296 = msg("23132", dup202); - -var msg25297 = msg("23133", dup197); - -var msg25298 = msg("23134", dup265); - -var msg25299 = msg("23135", dup267); - -var msg25300 = msg("23136", dup267); - -var msg25301 = msg("23137", dup267); - -var msg25302 = msg("23138", dup201); - -var msg25303 = msg("23139", dup201); - -var msg25304 = msg("23140", dup269); - -var msg25305 = msg("23141", dup267); - -var msg25306 = msg("23142", dup265); - -var msg25307 = msg("23143", dup265); - -var msg25308 = msg("23144", dup265); - -var msg25309 = msg("23145", dup265); - -var msg25310 = msg("23146", dup265); - -var msg25311 = msg("23147", dup267); - -var msg25312 = msg("23148", dup202); - -var msg25313 = msg("23149", 
dup267); - -var msg25314 = msg("23150", dup197); - -var msg25315 = msg("23151", dup197); - -var msg25316 = msg("23152", dup197); - -var msg25317 = msg("23153", dup197); - -var msg25318 = msg("23154", dup197); - -var msg25319 = msg("23155", dup197); - -var msg25320 = msg("23156", dup267); - -var msg25321 = msg("23157", dup267); - -var msg25322 = msg("23158", dup202); - -var msg25323 = msg("23159", dup202); - -var msg25324 = msg("23160", dup202); - -var msg25325 = msg("23161", dup202); - -var msg25326 = msg("23162", dup276); - -var msg25327 = msg("23163", dup276); - -var msg25328 = msg("23164", dup267); - -var msg25329 = msg("23165", dup267); - -var msg25330 = msg("23166", dup202); - -var msg25331 = msg("23167", dup202); - -var msg25332 = msg("23168", dup202); - -var msg25333 = msg("23169", dup202); - -var msg25334 = msg("23170", dup197); - -var msg25335 = msg("23171", dup202); - -var msg25336 = msg("23172", dup265); - -var msg25337 = msg("23173", dup192); - -var msg25338 = msg("23174", dup197); - -var msg25339 = msg("23175", dup197); - -var msg25340 = msg("23176", dup202); - -var msg25341 = msg("23177", dup267); - -var msg25342 = msg("23178", dup197); - -var msg25343 = msg("23179", dup269); - -var msg25344 = msg("23180", dup250); - -var msg25345 = msg("23181", dup202); - -var msg25346 = msg("23182", dup267); - -var msg25347 = msg("23183", dup202); - -var msg25348 = msg("23184", dup202); - -var msg25349 = msg("23185", dup202); - -var msg25350 = msg("23186", dup265); - -var msg25351 = msg("23187", dup202); - -var msg25352 = msg("23188", dup202); - -var msg25353 = msg("23189", dup202); - -var msg25354 = msg("23190", dup202); - -var msg25355 = msg("23191", dup202); - -var msg25356 = msg("23192", dup202); - -var msg25357 = msg("23193", dup202); - -var msg25358 = msg("23194", dup202); - -var msg25359 = msg("23195", dup202); - -var msg25360 = msg("23196", dup202); - -var msg25361 = msg("23197", dup202); - -var msg25362 = msg("23198", dup202); - -var msg25363 = msg("23199", 
dup202); - -var msg25364 = msg("23200", dup202); - -var msg25365 = msg("23201", dup202); - -var msg25366 = msg("23202", dup202); - -var msg25367 = msg("23203", dup202); - -var msg25368 = msg("23204", dup202); - -var msg25369 = msg("23205", dup202); - -var msg25370 = msg("23206", dup202); - -var msg25371 = msg("23207", dup202); - -var msg25372 = msg("23208", dup202); - -var msg25373 = msg("23209", dup267); - -var msg25374 = msg("23210", dup267); - -var msg25375 = msg("23211", dup197); - -var msg25376 = msg("23212", dup265); - -var msg25377 = msg("23213", dup260); - -var msg25378 = msg("23214", dup192); - -var msg25379 = msg("23215", dup192); - -var msg25380 = msg("23216", dup260); - -var msg25381 = msg("23217", dup199); - -var msg25382 = msg("23218", dup267); - -var msg25383 = msg("23219", dup267); - -var msg25384 = msg("23220", dup267); - -var msg25385 = msg("23221", dup202); - -var msg25386 = msg("23222", dup202); - -var msg25387 = msg("23223", dup202); - -var msg25388 = msg("23224", dup202); - -var msg25389 = msg("23225", dup202); - -var msg25390 = msg("23226", dup202); - -var msg25391 = msg("23227", dup197); - -var msg25392 = msg("23228", dup265); - -var msg25393 = msg("23229", dup265); - -var msg25394 = msg("23230", dup197); - -var msg25395 = msg("23231", dup197); - -var msg25396 = msg("23232", dup197); - -var msg25397 = msg("23233", dup197); - -var msg25398 = msg("23234", dup202); - -var msg25399 = msg("23235", dup202); - -var msg25400 = msg("23236", dup199); - -var msg25401 = msg("23237", dup276); - -var msg25402 = msg("23238", dup276); - -var msg25403 = msg("23239", dup267); - -var msg25404 = msg("23240", dup276); - -var msg25405 = msg("23241", dup260); - -var msg25406 = msg("23242", dup202); - -var msg25407 = msg("23243", dup201); - -var msg25408 = msg("23244", dup192); - -var msg25409 = msg("23245", dup192); - -var msg25410 = msg("23246", dup303); - -var msg25411 = msg("23247", dup303); - -var msg25412 = msg("23248", dup267); - -var msg25413 = msg("23249", 
dup267); - -var msg25414 = msg("23250", dup202); - -var msg25415 = msg("23251", dup192); - -var msg25416 = msg("23252", dup202); - -var msg25417 = msg("23253", dup265); - -var msg25418 = msg("23254", dup192); - -var msg25419 = msg("23255", dup192); - -var msg25420 = msg("23256", dup202); - -var msg25421 = msg("23257", dup192); - -var msg25422 = msg("23258", dup267); - -var msg25423 = msg("23259", dup267); - -var msg25424 = msg("23260", dup267); - -var msg25425 = msg("23261", dup202); - -var msg25426 = msg("23262", dup192); - -var msg25427 = msg("23263", dup267); - -var msg25428 = msg("23264", dup267); - -var msg25429 = msg("23265", dup267); - -var msg25430 = msg("23266", dup197); - -var msg25431 = msg("23267", dup197); - -var msg25432 = msg("23268", dup197); - -var msg25433 = msg("23269", dup197); - -var msg25434 = msg("23270", dup197); - -var msg25435 = msg("23271", dup197); - -var msg25436 = msg("23272", dup197); - -var msg25437 = msg("23273", dup267); - -var msg25438 = msg("23274", dup267); - -var msg25439 = msg("23275", dup267); - -var msg25440 = msg("23276", dup267); - -var msg25441 = msg("23277", dup267); - -var msg25442 = msg("23278", dup265); - -var msg25443 = msg("23279", dup267); - -var msg25444 = msg("23280", dup265); - -var msg25445 = msg("23281", dup265); - -var msg25446 = msg("23282", dup265); - -var msg25447 = msg("23283", dup265); - -var msg25448 = msg("23284", dup265); - -var msg25449 = msg("23285", dup265); - -var msg25450 = msg("23286", dup265); - -var msg25451 = msg("23287", dup265); - -var msg25452 = msg("23288", dup265); - -var msg25453 = msg("23289", dup265); - -var msg25454 = msg("23290", dup265); - -var msg25455 = msg("23291", dup265); - -var msg25456 = msg("23292", dup265); - -var msg25457 = msg("23293", dup265); - -var msg25458 = msg("23294", dup265); - -var msg25459 = msg("23295", dup265); - -var msg25460 = msg("23296", dup265); - -var msg25461 = msg("23297", dup265); - -var msg25462 = msg("23298", dup265); - -var msg25463 = msg("23299", 
dup265); - -var msg25464 = msg("23300", dup265); - -var msg25465 = msg("23301", dup265); - -var msg25466 = msg("23302", dup265); - -var msg25467 = msg("23303", dup265); - -var msg25468 = msg("23304", dup265); - -var msg25469 = msg("23305", dup197); - -var msg25470 = msg("23306", dup192); - -var msg25471 = msg("23307", dup192); - -var msg25472 = msg("23308", dup192); - -var msg25473 = msg("23309", dup267); - -var msg25474 = msg("23310", dup267); - -var msg25475 = msg("23311", dup267); - -var msg25476 = msg("23312", dup267); - -var msg25477 = msg("23313", dup267); - -var msg25478 = msg("23314", dup276); - -var msg25479 = msg("23315", dup276); - -var msg25480 = msg("23316", dup267); - -var msg25481 = msg("23317", dup192); - -var msg25482 = msg("23318", dup287); - -var msg25483 = msg("23319", dup202); - -var msg25484 = msg("23320", dup202); - -var msg25485 = msg("23321", dup202); - -var msg25486 = msg("23322", dup202); - -var msg25487 = msg("23323", dup287); - -var msg25488 = msg("23324", dup287); - -var msg25489 = msg("23325", dup287); - -var msg25490 = msg("23326", dup287); - -var msg25491 = msg("23327", dup287); - -var msg25492 = msg("23328", dup287); - -var msg25493 = msg("23329", dup287); - -var msg25494 = msg("23330", dup197); - -var msg25495 = msg("23331", dup192); - -var msg25496 = msg("23332", dup192); - -var msg25497 = msg("23333", dup192); - -var msg25498 = msg("23334", dup192); - -var msg25499 = msg("23335", dup192); - -var msg25500 = msg("23336", dup192); - -var msg25501 = msg("23337", dup192); - -var msg25502 = msg("23338", dup192); - -var msg25503 = msg("23339", dup192); - -var msg25504 = msg("23340", dup192); - -var msg25505 = msg("23341", dup192); - -var msg25506 = msg("23342", dup192); - -var msg25507 = msg("23343", dup192); - -var msg25508 = msg("23344", dup192); - -var msg25509 = msg("23345", dup192); - -var msg25510 = msg("23346", dup197); - -var msg25511 = msg("23347", dup202); - -var msg25512 = msg("23348", dup202); - -var msg25513 = msg("23349", 
dup202); - -var msg25514 = msg("23350", dup202); - -var msg25515 = msg("23351", dup287); - -var msg25516 = msg("23352", dup265); - -var msg25517 = msg("23353", dup265); - -var msg25518 = msg("23354", dup197); - -var msg25519 = msg("23355", dup197); - -var msg25520 = msg("23356", dup197); - -var msg25521 = msg("23357", dup287); - -var msg25522 = msg("23358", dup287); - -var msg25523 = msg("23359", dup287); - -var msg25524 = msg("23360", dup265); - -var msg25525 = msg("23361", dup265); - -var msg25526 = msg("23362", dup265); - -var msg25527 = msg("23363", dup197); - -var msg25528 = msg("23364", dup197); - -var msg25529 = msg("23365", dup197); - -var msg25530 = msg("23366", dup197); - -var msg25531 = msg("23367", dup197); - -var msg25532 = msg("23368", dup274); - -var msg25533 = msg("23369", dup263); - -var msg25534 = msg("23370", dup197); - -var msg25535 = msg("23371", dup197); - -var msg25536 = msg("23372", dup265); - -var msg25537 = msg("23373", dup265); - -var msg25538 = msg("23374", dup265); - -var msg25539 = msg("23375", dup265); - -var msg25540 = msg("23376", dup265); - -var msg25541 = msg("23377", dup269); - -var msg25542 = msg("23378", dup269); - -var msg25543 = msg("23379", dup192); - -var msg25544 = msg("23380", dup192); - -var msg25545 = msg("23381", dup192); - -var msg25546 = msg("23382", dup192); - -var msg25547 = msg("23383", dup192); - -var msg25548 = msg("23384", dup267); - -var msg25549 = msg("23385", dup267); - -var msg25550 = msg("23386", dup197); - -var msg25551 = msg("23387", dup192); - -var msg25552 = msg("23388", dup192); - -var msg25553 = msg("23389", dup192); - -var msg25554 = msg("23390", dup192); - -var msg25555 = msg("23391", dup192); - -var msg25556 = msg("23392", dup198); - -var msg25557 = msg("23393", dup202); - -var msg25558 = msg("23394", dup192); - -var msg25559 = msg("23395", dup265); - -var msg25560 = msg("23396", dup265); - -var msg25561 = msg("23397", dup197); - -var msg25562 = msg("23398", dup197); - -var msg25563 = msg("23399", 
dup192); - -var msg25564 = msg("23400", dup202); - -var msg25565 = msg("23401", dup265); - -var msg25566 = msg("23402", dup265); - -var msg25567 = msg("23403", dup265); - -var msg25568 = msg("23404", dup197); - -var msg25569 = msg("23405", dup260); - -var msg25570 = msg("23406", dup260); - -var msg25571 = msg("23407", dup267); - -var msg25572 = msg("23408", dup265); - -var msg25573 = msg("23409", dup267); - -var msg25574 = msg("23410", dup267); - -var msg25575 = msg("23411", dup267); - -var msg25576 = msg("23412", dup267); - -var msg25577 = msg("23413", dup267); - -var msg25578 = msg("23414", dup267); - -var msg25579 = msg("23415", dup267); - -var msg25580 = msg("23416", dup267); - -var msg25581 = msg("23417", dup267); - -var msg25582 = msg("23418", dup267); - -var msg25583 = msg("23419", dup267); - -var msg25584 = msg("23420", dup267); - -var msg25585 = msg("23421", dup267); - -var msg25586 = msg("23422", dup267); - -var msg25587 = msg("23423", dup267); - -var msg25588 = msg("23424", dup267); - -var msg25589 = msg("23425", dup267); - -var msg25590 = msg("23426", dup267); - -var msg25591 = msg("23427", dup267); - -var msg25592 = msg("23428", dup267); - -var msg25593 = msg("23429", dup267); - -var msg25594 = msg("23430", dup267); - -var msg25595 = msg("23431", dup267); - -var msg25596 = msg("23432", dup267); - -var msg25597 = msg("23433", dup267); - -var msg25598 = msg("23434", dup267); - -var msg25599 = msg("23435", dup202); - -var msg25600 = msg("23436", dup267); - -var msg25601 = msg("23437", dup267); - -var msg25602 = msg("23438", dup265); - -var msg25603 = msg("23439", dup265); - -var msg25604 = msg("23440", dup265); - -var msg25605 = msg("23441", dup265); - -var msg25606 = msg("23442", dup199); - -var msg25607 = msg("23443", dup199); - -var msg25608 = msg("23444", dup197); - -var msg25609 = msg("23445", dup267); - -var msg25610 = msg("23446", dup192); - -var msg25611 = msg("23447", dup192); - -var msg25612 = msg("23448", dup238); - -var msg25613 = msg("23449", 
dup192); - -var msg25614 = msg("23450", dup192); - -var msg25615 = msg("23451", dup287); - -var msg25616 = msg("23452", dup263); - -var msg25617 = msg("23453", dup263); - -var msg25618 = msg("23454", dup263); - -var msg25619 = msg("23455", dup263); - -var msg25620 = msg("23456", dup197); - -var msg25621 = msg("23457", dup197); - -var msg25622 = msg("23458", dup197); - -var msg25623 = msg("23459", dup197); - -var msg25624 = msg("23460", dup192); - -var msg25625 = msg("23461", dup197); - -var msg25626 = msg("23462", dup197); - -var msg25627 = msg("23463", dup197); - -var msg25628 = msg("23464", dup201); - -var msg25629 = msg("23465", dup197); - -var msg25630 = msg("23466", dup265); - -var msg25631 = msg("23467", dup202); - -var msg25632 = msg("23468", dup192); - -var msg25633 = msg("23469", dup192); - -var msg25634 = msg("23470", dup265); - -var msg25635 = msg("23471", dup265); - -var msg25636 = msg("23472", dup303); - -var msg25637 = msg("23473", dup202); - -var msg25638 = msg("23474", dup202); - -var msg25639 = msg("23475", dup202); - -var msg25640 = msg("23476", dup202); - -var msg25641 = msg("23477", dup202); - -var msg25642 = msg("23478", dup197); - -var msg25643 = msg("23479", dup197); - -var msg25644 = msg("23480", dup265); - -var msg25645 = msg("23481", dup202); - -var msg25646 = msg("23482", dup202); - -var msg25647 = msg("23483", dup192); - -var msg25648 = msg("23484", dup202); - -var msg25649 = msg("23485", dup265); - -var msg25650 = msg("23486", dup202); - -var msg25651 = msg("23487", dup202); - -var msg25652 = msg("23488", dup202); - -var msg25653 = msg("23489", dup197); - -var msg25654 = msg("23490", dup267); - -var msg25655 = msg("23491", dup192); - -var msg25656 = msg("23492", dup192); - -var msg25657 = msg("23493", dup192); - -var msg25658 = msg("23494", dup192); - -var msg25659 = msg("23495", dup192); - -var all53 = all_match({ - processors: [ - dup177, - dup116, - dup173, - dup174, - ], - on_success: processor_chain([ - dup71, - dup31, - dup45, - 
dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var msg25660 = msg("23496", all53); - -var msg25661 = msg("23497", dup202); - -var msg25662 = msg("23498", dup202); - -var msg25663 = msg("23499", dup197); - -var msg25664 = msg("23500", dup267); - -var msg25665 = msg("23501", dup201); - -var msg25666 = msg("23502", dup201); - -var msg25667 = msg("23503", dup201); - -var msg25668 = msg("23504", dup267); - -var msg25669 = msg("23505", dup267); - -var msg25670 = msg("23506", dup267); - -var msg25671 = msg("23507", dup197); - -var msg25672 = msg("23508", dup197); - -var msg25673 = msg("23509", dup267); - -var msg25674 = msg("23510", dup267); - -var msg25675 = msg("23511", dup267); - -var msg25676 = msg("23512", dup267); - -var msg25677 = msg("23513", dup267); - -var msg25678 = msg("23514", dup267); - -var msg25679 = msg("23515", dup267); - -var msg25680 = msg("23516", dup267); - -var msg25681 = msg("23517", dup197); - -var msg25682 = msg("23518", dup197); - -var msg25683 = msg("23519", dup269); - -var msg25684 = msg("23520", dup269); - -var msg25685 = msg("23521", dup269); - -var msg25686 = msg("23522", dup267); - -var msg25687 = msg("23523", dup267); - -var msg25688 = msg("23524", dup267); - -var msg25689 = msg("23525", dup197); - -var msg25690 = msg("23526", dup197); - -var msg25691 = msg("23527", dup197); - -var msg25692 = msg("23528", dup197); - -var msg25693 = msg("23529", dup197); - -var msg25694 = msg("23530", dup197); - -var msg25695 = msg("23531", dup197); - -var msg25696 = msg("23532", dup197); - -var msg25697 = msg("23533", dup197); - -var msg25698 = msg("23534", dup197); - -var msg25699 = msg("23535", dup197); - -var msg25700 = msg("23536", dup197); - -var msg25701 = msg("23537", dup197); - -var msg25702 = msg("23538", dup197); - -var msg25703 = msg("23539", dup197); - -var msg25704 = msg("23540", dup197); - -var msg25705 = msg("23541", dup197); - -var msg25706 = msg("23542", dup197); - 
-var msg25707 = msg("23543", dup197); - -var msg25708 = msg("23544", dup197); - -var msg25709 = msg("23545", dup197); - -var msg25710 = msg("23546", dup197); - -var msg25711 = msg("23547", dup197); - -var msg25712 = msg("23548", dup197); - -var msg25713 = msg("23549", dup197); - -var msg25714 = msg("23550", dup197); - -var msg25715 = msg("23551", dup197); - -var msg25716 = msg("23552", dup197); - -var msg25717 = msg("23553", dup197); - -var msg25718 = msg("23554", dup197); - -var msg25719 = msg("23555", dup197); - -var msg25720 = msg("23556", dup197); - -var msg25721 = msg("23557", dup197); - -var msg25722 = msg("23558", dup197); - -var msg25723 = msg("23559", dup197); - -var msg25724 = msg("23560", dup201); - -var msg25725 = msg("23561", dup202); - -var msg25726 = msg("23562", dup202); - -var msg25727 = msg("23563", dup202); - -var msg25728 = msg("23564", dup197); - -var msg25729 = msg("23565", dup197); - -var msg25730 = msg("23566", dup197); - -var msg25731 = msg("23567", dup267); - -var msg25732 = msg("23568", dup267); - -var msg25733 = msg("23569", dup267); - -var msg25734 = msg("23570", dup202); - -var msg25735 = msg("23571", dup202); - -var msg25736 = msg("23572", dup202); - -var msg25737 = msg("23573", dup297); - -var msg25738 = msg("23574", dup202); - -var msg25739 = msg("23575", dup202); - -var msg25740 = msg("23576", dup202); - -var msg25741 = msg("23577", dup197); - -var msg25742 = msg("23578", dup267); - -var msg25743 = msg("23579", dup267); - -var msg25744 = msg("23580", dup197); - -var msg25745 = msg("23581", dup197); - -var msg25746 = msg("23582", dup197); - -var msg25747 = msg("23583", dup197); - -var msg25748 = msg("23584", dup197); - -var msg25749 = msg("23585", dup201); - -var msg25750 = msg("23586", dup197); - -var msg25751 = msg("23587", dup197); - -var msg25752 = msg("23588", dup197); - -var msg25753 = msg("23589", dup197); - -var msg25754 = msg("23590", dup197); - -var msg25755 = msg("23591", dup267); - -var msg25756 = msg("23592", dup267); - 
-var msg25757 = msg("23593", dup192); - -var msg25758 = msg("23594", dup192); - -var msg25759 = msg("23595", dup192); - -var msg25760 = msg("23596", dup269); - -var msg25761 = msg("23597", dup192); - -var msg25762 = msg("23598", dup202); - -var msg25763 = msg("23599", dup202); - -var msg25764 = msg("23600", dup192); - -var msg25765 = msg("23601", dup194); - -var msg25766 = msg("23602", dup194); - -var msg25767 = msg("23603", dup194); - -var msg25768 = msg("23604", dup194); - -var msg25769 = msg("23605", dup202); - -var msg25770 = msg("23606", dup192); - -var msg25771 = msg("23607", dup192); - -var msg25772 = msg("23608", dup313); - -var msg25773 = msg("23609", dup265); - -var msg25774 = msg("23610", dup238); - -var msg25775 = msg("23611", dup202); - -var msg25776 = msg("23612", dup202); - -var msg25777 = msg("23613", dup265); - -var msg25778 = msg("23614", dup201); - -var msg25779 = msg("23615", dup303); - -var msg25780 = msg("23616", dup202); - -var msg25781 = msg("23617", dup287); - -var msg25782 = msg("23618", dup202); - -var msg25783 = msg("23619", dup202); - -var msg25784 = msg("23620", dup202); - -var msg25785 = msg("23621", dup202); - -var msg25786 = msg("23622", dup202); - -var msg25787 = msg("23623", dup267); - -var msg25788 = msg("23624", dup265); - -var msg25789 = msg("23625", dup265); - -var msg25790 = msg("23626", dup310); - -var msg25791 = msg("23627", dup269); - -var msg25792 = msg("23628", dup192); - -var msg25793 = msg("23629", dup263); - -var msg25794 = msg("23630", dup192); - -var msg25795 = msg("23631", dup267); - -var msg25796 = msg("23632", dup197); - -var msg25797 = msg("23633", dup287); - -var msg25798 = msg("23634", dup287); - -var msg25799 = msg("23635", dup192); - -var msg25800 = msg("23636", dup202); - -var msg25801 = msg("23637", dup202); - -var msg25802 = msg("23638", dup202); - -var msg25803 = msg("23639", dup202); - -var msg25804 = msg("23640", dup202); - -var msg25805 = msg("23641", dup287); - -var msg25806 = msg("23642", dup287); - 
-var msg25807 = msg("23643", dup287); - -var msg25808 = msg("23644", dup202); - -var msg25809 = msg("23645", dup202); - -var msg25810 = msg("23646", dup287); - -var msg25811 = msg("23647", dup202); - -var msg25812 = msg("23648", dup202); - -var msg25813 = msg("23649", dup202); - -var msg25814 = msg("23650", dup202); - -var msg25815 = msg("23651", dup287); - -var msg25816 = msg("23652", dup287); - -var msg25817 = msg("23653", dup287); - -var msg25818 = msg("23654", dup287); - -var msg25819 = msg("23655", dup287); - -var msg25820 = msg("23656", dup287); - -var msg25821 = msg("23657", dup287); - -var msg25822 = msg("23658", dup202); - -var msg25823 = msg("23659", dup202); - -var msg25824 = msg("23660", dup202); - -var msg25825 = msg("23661", dup202); - -var msg25826 = msg("23662", dup202); - -var msg25827 = msg("23663", dup202); - -var msg25828 = msg("23664", dup202); - -var msg25829 = msg("23665", dup202); - -var msg25830 = msg("23666", dup202); - -var msg25831 = msg("23667", dup202); - -var msg25832 = msg("23668", dup202); - -var msg25833 = msg("23669", dup287); - -var msg25834 = msg("23670", dup202); - -var msg25835 = msg("23671", dup287); - -var msg25836 = msg("23672", dup202); - -var msg25837 = msg("23673", dup202); - -var msg25838 = msg("23674", dup202); - -var msg25839 = msg("23675", dup202); - -var msg25840 = msg("23676", dup202); - -var msg25841 = msg("23677", dup202); - -var msg25842 = msg("23678", dup202); - -var msg25843 = msg("23679", dup202); - -var msg25844 = msg("23680", dup202); - -var msg25845 = msg("23681", dup202); - -var msg25846 = msg("23682", dup202); - -var msg25847 = msg("23683", dup202); - -var msg25848 = msg("23684", dup202); - -var msg25849 = msg("23685", dup202); - -var msg25850 = msg("23686", dup202); - -var msg25851 = msg("23687", dup202); - -var msg25852 = msg("23688", dup202); - -var msg25853 = msg("23689", dup202); - -var msg25854 = msg("23690", dup202); - -var msg25855 = msg("23691", dup202); - -var msg25856 = msg("23692", dup202); - 
-var msg25857 = msg("23693", dup202); - -var msg25858 = msg("23694", dup202); - -var msg25859 = msg("23695", dup202); - -var msg25860 = msg("23696", dup202); - -var msg25861 = msg("23697", dup202); - -var msg25862 = msg("23698", dup269); - -var msg25863 = msg("23699", dup202); - -var msg25864 = msg("23700", dup202); - -var msg25865 = msg("23701", dup202); - -var msg25866 = msg("23702", dup202); - -var msg25867 = msg("23703", dup269); - -var msg25868 = msg("23704", dup267); - -var msg25869 = msg("23705", dup267); - -var msg25870 = msg("23706", dup267); - -var msg25871 = msg("23707", dup202); - -var msg25872 = msg("23708", dup202); - -var msg25873 = msg("23709", dup202); - -var msg25874 = msg("23710", dup202); - -var msg25875 = msg("23711", dup202); - -var msg25876 = msg("23712", dup202); - -var msg25877 = msg("23713", dup202); - -var msg25878 = msg("23714", dup202); - -var msg25879 = msg("23715", dup202); - -var msg25880 = msg("23716", dup202); - -var msg25881 = msg("23717", dup202); - -var msg25882 = msg("23718", dup202); - -var msg25883 = msg("23719", dup267); - -var msg25884 = msg("23720", dup202); - -var msg25885 = msg("23721", dup202); - -var msg25886 = msg("23722", dup202); - -var msg25887 = msg("23723", dup202); - -var msg25888 = msg("23724", dup202); - -var msg25889 = msg("23725", dup267); - -var msg25890 = msg("23726", dup267); - -var msg25891 = msg("23727", dup202); - -var msg25892 = msg("23728", dup202); - -var msg25893 = msg("23729", dup202); - -var msg25894 = msg("23730", dup202); - -var msg25895 = msg("23731", dup202); - -var msg25896 = msg("23732", dup269); - -var msg25897 = msg("23733", dup202); - -var msg25898 = msg("23734", dup202); - -var msg25899 = msg("23735", dup202); - -var msg25900 = msg("23736", dup202); - -var msg25901 = msg("23737", dup202); - -var msg25902 = msg("23738", dup202); - -var msg25903 = msg("23739", dup202); - -var msg25904 = msg("23740", dup202); - -var msg25905 = msg("23741", dup202); - -var msg25906 = msg("23742", dup202); - 
-var msg25907 = msg("23743", dup202); - -var msg25908 = msg("23744", dup202); - -var msg25909 = msg("23745", dup202); - -var msg25910 = msg("23746", dup202); - -var msg25911 = msg("23747", dup202); - -var msg25912 = msg("23748", dup202); - -var msg25913 = msg("23749", dup202); - -var msg25914 = msg("23750", dup202); - -var msg25915 = msg("23751", dup202); - -var msg25916 = msg("23752", dup202); - -var msg25917 = msg("23753", dup202); - -var msg25918 = msg("23754", dup202); - -var msg25919 = msg("23755", dup202); - -var msg25920 = msg("23756", dup267); - -var msg25921 = msg("23757", dup202); - -var msg25922 = msg("23758", dup202); - -var msg25923 = msg("23759", dup202); - -var msg25924 = msg("23760", dup202); - -var msg25925 = msg("23761", dup202); - -var msg25926 = msg("23762", dup202); - -var msg25927 = msg("23763", dup202); - -var msg25928 = msg("23764", dup202); - -var msg25929 = msg("23765", dup202); - -var msg25930 = msg("23766", dup202); - -var msg25931 = msg("23767", dup202); - -var msg25932 = msg("23768", dup202); - -var msg25933 = msg("23769", dup202); - -var msg25934 = msg("23770", dup202); - -var msg25935 = msg("23771", dup202); - -var msg25936 = msg("23772", dup202); - -var msg25937 = msg("23773", dup202); - -var msg25938 = msg("23774", dup202); - -var msg25939 = msg("23775", dup202); - -var msg25940 = msg("23776", dup202); - -var msg25941 = msg("23777", dup202); - -var msg25942 = msg("23778", dup192); - -var msg25943 = msg("23779", dup265); - -var msg25944 = msg("23780", dup192); - -var msg25945 = msg("23781", dup202); - -var msg25946 = msg("23782", dup192); - -var msg25947 = msg("23783", dup199); - -var msg25948 = msg("23784", dup260); - -var msg25949 = msg("23785", dup202); - -var msg25950 = msg("23786", dup202); - -var msg25951 = msg("23787", dup192); - -var msg25952 = msg("23788", dup192); - -var msg25953 = msg("23789", dup267); - -var msg25954 = msg("23790", dup267); - -var msg25955 = msg("23791", dup265); - -var msg25956 = msg("23792", dup265); - 
-var msg25957 = msg("23793", dup250); - -var msg25958 = msg("23794", dup202); - -var msg25959 = msg("23795", dup263); - -var msg25960 = msg("23796", dup197); - -var msg25961 = msg("23797", dup202); - -var msg25962 = msg("23798", dup202); - -var msg25963 = msg("23799", dup263); - -var msg25964 = msg("23800", dup263); - -var msg25965 = msg("23801", dup263); - -var msg25966 = msg("23802", dup263); - -var msg25967 = msg("23803", dup263); - -var msg25968 = msg("23804", dup263); - -var msg25969 = msg("23805", dup267); - -var msg25970 = msg("23806", dup197); - -var msg25971 = msg("23807", dup202); - -var msg25972 = msg("23808", dup202); - -var msg25973 = msg("23809", dup202); - -var msg25974 = msg("23810", dup202); - -var msg25975 = msg("23811", dup202); - -var msg25976 = msg("23812", dup202); - -var msg25977 = msg("23813", dup202); - -var msg25978 = msg("23814", dup202); - -var msg25979 = msg("23815", dup202); - -var msg25980 = msg("23816", dup202); - -var msg25981 = msg("23817", dup202); - -var msg25982 = msg("23818", dup202); - -var msg25983 = msg("23819", dup202); - -var msg25984 = msg("23820", dup202); - -var msg25985 = msg("23821", dup202); - -var msg25986 = msg("23822", dup202); - -var msg25987 = msg("23823", dup202); - -var msg25988 = msg("23824", dup263); - -var msg25989 = msg("23825", dup202); - -var msg25990 = msg("23826", dup202); - -var msg25991 = msg("23827", dup265); - -var msg25992 = msg("23828", dup265); - -var msg25993 = msg("23829", dup202); - -var msg25994 = msg("23830", dup202); - -var msg25995 = msg("23831", dup265); - -var msg25996 = msg("23832", dup265); - -var msg25997 = msg("23833", dup202); - -var msg25998 = msg("23834", dup267); - -var msg25999 = msg("23835", dup267); - -var msg26000 = msg("23836", dup265); - -var msg26001 = msg("23837", dup276); - -var msg26002 = msg("23838", dup276); - -var msg26003 = msg("23839", dup197); - -var msg26004 = msg("23840", dup267); - -var msg26005 = msg("23841", dup267); - -var msg26006 = msg("23842", dup197); - 
-var msg26007 = msg("23843", dup197); - -var msg26008 = msg("23844", dup201); - -var msg26009 = msg("23845", dup201); - -var msg26010 = msg("23846", dup267); - -var msg26011 = msg("23847", dup276); - -var msg26012 = msg("23848", dup202); - -var msg26013 = msg("23849", dup202); - -var msg26014 = msg("23850", dup202); - -var msg26015 = msg("23851", dup269); - -var msg26016 = msg("23852", dup269); - -var msg26017 = msg("23853", dup267); - -var msg26018 = msg("23854", dup267); - -var msg26019 = msg("23855", dup267); - -var msg26020 = msg("23856", dup267); - -var msg26021 = msg("23857", dup250); - -var msg26022 = msg("23858", dup250); - -var msg26023 = msg("23859", dup250); - -var msg26024 = msg("23860", dup265); - -var msg26025 = msg("23861", dup265); - -var msg26026 = msg("23862", dup265); - -var msg26027 = msg("23863", dup303); - -var msg26028 = msg("23864", dup202); - -var msg26029 = msg("23865", dup202); - -var msg26030 = msg("23866", dup202); - -var msg26031 = msg("23867", dup202); - -var msg26032 = msg("23868", dup202); - -var msg26033 = msg("23869", dup202); - -var msg26034 = msg("23870", dup202); - -var msg26035 = msg("23871", dup202); - -var msg26036 = msg("23872", dup201); - -var msg26037 = msg("23873", dup201); - -var msg26038 = msg("23874", dup201); - -var msg26039 = msg("23875", dup201); - -var msg26040 = msg("23876", dup192); - -var msg26041 = msg("23877", dup192); - -var msg26042 = msg("23878", dup265); - -var msg26043 = msg("23879", dup197); - -var msg26044 = msg("23880", dup197); - -var msg26045 = msg("23881", dup202); - -var msg26046 = msg("23882", dup202); - -var msg26047 = msg("23883", dup202); - -var msg26048 = msg("23884", dup202); - -var msg26049 = msg("23885", dup202); - -var msg26050 = msg("23886", dup202); - -var msg26051 = msg("23887", dup202); - -var msg26052 = msg("23888", dup202); - -var msg26053 = msg("23889", dup202); - -var msg26054 = msg("23890", dup202); - -var msg26055 = msg("23891", dup202); - -var msg26056 = msg("23892", dup202); - 
-var msg26057 = msg("23893", dup192); - -var msg26058 = msg("23894", dup250); - -var msg26059 = msg("23895", dup265); - -var msg26060 = msg("23896", dup265); - -var msg26061 = msg("23897", dup287); - -var msg26062 = msg("23898", dup222); - -var msg26063 = msg("23899", dup201); - -var msg26064 = msg("23900", dup201); - -var msg26065 = msg("23901", dup201); - -var msg26066 = msg("23902", dup201); - -var msg26067 = msg("23903", dup269); - -var msg26068 = msg("23904", dup263); - -var msg26069 = msg("23905", dup267); - -var msg26070 = msg("23906", dup267); - -var msg26071 = msg("23907", dup267); - -var msg26072 = msg("23908", dup267); - -var msg26073 = msg("23909", dup267); - -var msg26074 = msg("23910", dup267); - -var msg26075 = msg("23911", dup267); - -var msg26076 = msg("23912", dup267); - -var msg26077 = msg("23913", dup267); - -var msg26078 = msg("23914", dup267); - -var msg26079 = msg("23915", dup267); - -var msg26080 = msg("23916", dup267); - -var msg26081 = msg("23917", dup267); - -var msg26082 = msg("23918", dup267); - -var msg26083 = msg("23919", dup267); - -var msg26084 = msg("23920", dup267); - -var msg26085 = msg("23921", dup267); - -var msg26086 = msg("23922", dup267); - -var msg26087 = msg("23923", dup267); - -var msg26088 = msg("23924", dup267); - -var msg26089 = msg("23925", dup267); - -var msg26090 = msg("23926", dup267); - -var msg26091 = msg("23927", dup267); - -var msg26092 = msg("23928", dup267); - -var msg26093 = msg("23929", dup267); - -var msg26094 = msg("23930", dup267); - -var msg26095 = msg("23931", dup267); - -var msg26096 = msg("23932", dup267); - -var msg26097 = msg("23933", dup267); - -var msg26098 = msg("23934", dup260); - -var msg26099 = msg("23935", dup192); - -var msg26100 = msg("23936", dup192); - -var msg26101 = msg("23937", dup265); - -var msg26102 = msg("23938", dup192); - -var msg26103 = msg("23939", dup317); - -var msg26104 = msg("23940", dup317); - -var msg26105 = msg("23941", dup192); - -var msg26106 = msg("23942", dup192); - 
-var msg26107 = msg("23943", dup197); - -var msg26108 = msg("23944", dup265); - -var msg26109 = msg("23945", dup192); - -var msg26110 = msg("23946", dup192); - -var msg26111 = msg("23947", dup260); - -var msg26112 = msg("23948", dup192); - -var msg26113 = msg("23949", dup192); - -var msg26114 = msg("23950", dup267); - -var msg26115 = msg("23951", dup267); - -var msg26116 = msg("23952", dup197); - -var msg26117 = msg("23953", dup192); - -var msg26118 = msg("23954", dup303); - -var msg26119 = msg("23955", dup202); - -var msg26120 = msg("23956", dup197); - -var msg26121 = msg("23957", dup197); - -var msg26122 = msg("23958", dup197); - -var msg26123 = msg("23959", dup197); - -var msg26124 = msg("23960", dup197); - -var msg26125 = msg("23961", dup197); - -var msg26126 = msg("23962", dup202); - -var msg26127 = msg("23963", dup192); - -var msg26128 = msg("23964", dup267); - -var msg26129 = msg("23965", dup267); - -var msg26130 = msg("23966", dup287); - -var msg26131 = msg("23967", dup267); - -var msg26132 = msg("23968", dup192); - -var msg26133 = msg("23969", dup303); - -var msg26134 = msg("23970", dup202); - -var msg26135 = msg("23971", dup192); - -var msg26136 = msg("23972", dup192); - -var msg26137 = msg("23973", dup192); - -var msg26138 = msg("23974", dup197); - -var msg26139 = msg("23975", dup197); - -var msg26140 = msg("23976", dup192); - -var msg26141 = msg("23977", dup192); - -var msg26142 = msg("23978", dup192); - -var msg26143 = msg("23979", dup197); - -var msg26144 = msg("23980", dup197); - -var msg26145 = msg("23981", dup197); - -var msg26146 = msg("23982", dup197); - -var msg26147 = msg("23983", dup197); - -var msg26148 = msg("23984", dup265); - -var msg26149 = msg("23985", dup197); - -var msg26150 = msg("23986", dup197); - -var msg26151 = msg("23987", dup192); - -var msg26152 = msg("23988", dup265); - -var msg26153 = msg("23989", dup197); - -var msg26154 = msg("23990", dup202); - -var msg26155 = msg("23991", dup202); - -var msg26156 = msg("23992", dup197); - 
-var msg26157 = msg("23993", dup197); - -var msg26158 = msg("23994", dup265); - -var msg26159 = msg("23995", dup265); - -var msg26160 = msg("23996", dup267); - -var msg26161 = msg("23997", dup267); - -var msg26162 = msg("23998", dup197); - -var msg26163 = msg("23999", dup267); - -var msg26164 = msg("24000", dup267); - -var msg26165 = msg("24001", dup267); - -var msg26166 = msg("24002", dup267); - -var msg26167 = msg("24003", dup267); - -var msg26168 = msg("24004", dup197); - -var msg26169 = msg("24005", dup197); - -var msg26170 = msg("24006", dup201); - -var msg26171 = msg("24007", dup197); - -var msg26172 = msg("24008", dup267); - -var msg26173 = msg("24009", dup263); - -var msg26174 = msg("24010", dup192); - -var msg26175 = msg("24011", dup192); - -var msg26176 = msg("24012", dup192); - -var msg26177 = msg("24013", dup192); - -var msg26178 = msg("24014", dup192); - -var msg26179 = msg("24015", dup192); - -var msg26180 = msg("24016", dup192); - -var msg26181 = msg("24017", dup269); - -var msg26182 = msg("24018", dup269); - -var msg26183 = msg("24019", dup269); - -var msg26184 = msg("24020", dup267); - -var msg26185 = msg("24021", dup267); - -var msg26186 = msg("24022", dup267); - -var msg26187 = msg("24023", dup267); - -var msg26188 = msg("24024", dup267); - -var msg26189 = msg("24025", dup267); - -var msg26190 = msg("24026", dup267); - -var msg26191 = msg("24027", dup267); - -var msg26192 = msg("24028", dup267); - -var msg26193 = msg("24029", dup197); - -var msg26194 = msg("24030", dup197); - -var msg26195 = msg("24031", dup263); - -var msg26196 = msg("24032", dup263); - -var msg26197 = msg("24033", dup263); - -var msg26198 = msg("24034", dup263); - -var msg26199 = msg("24035", dup202); - -var msg26200 = msg("24036", dup267); - -var msg26201 = msg("24037", dup267); - -var msg26202 = msg("24038", dup267); - -var msg26203 = msg("24039", dup265); - -var msg26204 = msg("24040", dup265); - -var msg26205 = msg("24041", dup265); - -var msg26206 = msg("24042", dup265); - 
-var msg26207 = msg("24043", dup265); - -var msg26208 = msg("24044", dup265); - -var msg26209 = msg("24045", dup202); - -var msg26210 = msg("24046", dup202); - -var msg26211 = msg("24047", dup202); - -var msg26212 = msg("24048", dup202); - -var msg26213 = msg("24049", dup202); - -var msg26214 = msg("24050", dup202); - -var msg26215 = msg("24051", dup267); - -var msg26216 = msg("24052", dup267); - -var msg26217 = msg("24053", dup202); - -var msg26218 = msg("24054", dup202); - -var msg26219 = msg("24055", dup267); - -var msg26220 = msg("24056", dup267); - -var msg26221 = msg("24057", dup267); - -var msg26222 = msg("24058", dup267); - -var msg26223 = msg("24059", dup197); - -var msg26224 = msg("24060", dup197); - -var msg26225 = msg("24061", dup197); - -var msg26226 = msg("24062", dup192); - -var msg26227 = msg("24063", dup267); - -var msg26228 = msg("24064", dup267); - -var msg26229 = msg("24065", dup267); - -var msg26230 = msg("24066", dup267); - -var msg26231 = msg("24067", dup269); - -var msg26232 = msg("24068", dup269); - -var msg26233 = msg("24069", dup269); - -var msg26234 = msg("24070", dup269); - -var msg26235 = msg("24071", dup287); - -var msg26236 = msg("24072", dup287); - -var msg26237 = msg("24073", dup287); - -var msg26238 = msg("24074", dup202); - -var msg26239 = msg("24075", dup202); - -var msg26240 = msg("24076", dup202); - -var msg26241 = msg("24077", dup263); - -var msg26242 = msg("24078", dup202); - -var msg26243 = msg("24079", dup202); - -var msg26244 = msg("24080", dup202); - -var msg26245 = msg("24081", dup202); - -var msg26246 = msg("24082", dup263); - -var msg26247 = msg("24083", dup201); - -var msg26248 = msg("24084", dup267); - -var msg26249 = msg("24085", dup267); - -var msg26250 = msg("24086", dup263); - -var msg26251 = msg("24087", dup287); - -var msg26252 = msg("24088", dup230); - -var msg26253 = msg("24089", dup265); - -var msg26254 = msg("24090", dup267); - -var msg26255 = msg("24091", dup199); - -var msg26256 = msg("24092", dup263); - 
-var msg26257 = msg("24093", dup265); - -var msg26258 = msg("24094", dup202); - -var msg26259 = msg("24095", dup202); - -var msg26260 = msg("24096", dup202); - -var msg26261 = msg("24097", dup202); - -var msg26262 = msg("24098", dup202); - -var msg26263 = msg("24099", dup263); - -var msg26264 = msg("24100", dup202); - -var msg26265 = msg("24101", dup202); - -var msg26266 = msg("24102", dup263); - -var msg26267 = msg("24103", dup265); - -var msg26268 = msg("24104", dup265); - -var msg26269 = msg("24105", dup265); - -var msg26270 = msg("24106", dup265); - -var msg26271 = msg("24107", dup265); - -var msg26272 = msg("24108", dup265); - -var msg26273 = msg("24109", dup265); - -var msg26274 = msg("24110", dup265); - -var msg26275 = msg("24111", dup269); - -var msg26276 = msg("24112", dup260); - -var msg26277 = msg("24113", dup265); - -var msg26278 = msg("24114", dup199); - -var msg26279 = msg("24115", dup263); - -var msg26280 = msg("24116", dup263); - -var msg26281 = msg("24117", dup263); - -var msg26282 = msg("24118", dup263); - -var msg26283 = msg("24119", dup263); - -var msg26284 = msg("24120", dup263); - -var msg26285 = msg("24121", dup263); - -var msg26286 = msg("24122", dup263); - -var msg26287 = msg("24123", dup263); - -var msg26288 = msg("24124", dup267); - -var msg26289 = msg("24125", dup267); - -var msg26290 = msg("24126", dup267); - -var msg26291 = msg("24127", dup192); - -var msg26292 = msg("24128", dup265); - -var msg26293 = msg("24129", dup197); - -var msg26294 = msg("24130", dup197); - -var msg26295 = msg("24131", dup267); - -var msg26296 = msg("24132", dup267); - -var msg26297 = msg("24133", dup267); - -var msg26298 = msg("24134", dup267); - -var msg26299 = msg("24135", dup267); - -var msg26300 = msg("24136", dup267); - -var msg26301 = msg("24137", dup267); - -var msg26302 = msg("24138", dup202); - -var msg26303 = msg("24139", dup202); - -var msg26304 = msg("24140", dup202); - -var msg26305 = msg("24141", dup202); - -var msg26306 = msg("24142", dup202); - 
-var msg26307 = msg("24143", dup263); - -var msg26308 = msg("24144", dup263); - -var msg26309 = msg("24145", dup263); - -var msg26310 = msg("24146", dup263); - -var msg26311 = msg("24147", dup201); - -var msg26312 = msg("24148", dup269); - -var msg26313 = msg("24149", dup269); - -var msg26314 = msg("24150", dup202); - -var msg26315 = msg("24151", dup202); - -var msg26316 = msg("24152", dup267); - -var msg26317 = msg("24153", dup267); - -var msg26318 = msg("24154", dup198); - -var msg26319 = msg("24155", dup198); - -var msg26320 = msg("24156", dup202); - -var msg26321 = msg("24157", dup202); - -var msg26322 = msg("24158", dup202); - -var msg26323 = msg("24159", dup197); - -var msg26324 = msg("24160", dup197); - -var msg26325 = msg("24161", dup197); - -var msg26326 = msg("24162", dup197); - -var msg26327 = msg("24163", dup197); - -var msg26328 = msg("24164", dup197); - -var msg26329 = msg("24165", dup197); - -var msg26330 = msg("24166", dup197); - -var msg26331 = msg("24167", dup202); - -var msg26332 = msg("24168", dup269); - -var msg26333 = msg("24169", dup263); - -var msg26334 = msg("24170", dup267); - -var msg26335 = msg("24171", dup267); - -var msg26336 = msg("24172", dup260); - -var msg26337 = msg("24173", dup263); - -var msg26338 = msg("24174", dup263); - -var msg26339 = msg("24175", dup263); - -var msg26340 = msg("24176", dup201); - -var msg26341 = msg("24177", dup201); - -var msg26342 = msg("24178", dup201); - -var msg26343 = msg("24179", dup201); - -var msg26344 = msg("24180", dup201); - -var msg26345 = msg("24181", dup201); - -var msg26346 = msg("24182", dup263); - -var msg26347 = msg("24183", dup263); - -var msg26348 = msg("24184", dup263); - -var msg26349 = msg("24185", dup263); - -var msg26350 = msg("24186", dup197); - -var msg26351 = msg("24187", dup197); - -var msg26352 = msg("24188", dup197); - -var msg26353 = msg("24189", dup197); - -var msg26354 = msg("24190", dup202); - -var msg26355 = msg("24191", dup263); - -var msg26356 = msg("24192", dup197); - 
-var msg26357 = msg("24193", dup197); - -var msg26358 = msg("24194", dup197); - -var msg26359 = msg("24195", dup197); - -var msg26360 = msg("24196", dup265); - -var msg26361 = msg("24197", dup265); - -var msg26362 = msg("24198", dup197); - -var msg26363 = msg("24199", dup267); - -var msg26364 = msg("24200", dup267); - -var msg26365 = msg("24201", dup267); - -var msg26366 = msg("24202", dup267); - -var msg26367 = msg("24203", dup267); - -var msg26368 = msg("24204", dup267); - -var msg26369 = msg("24205", dup267); - -var msg26370 = msg("24206", dup202); - -var msg26371 = msg("24207", dup197); - -var msg26372 = msg("24208", dup197); - -var msg26373 = msg("24209", dup197); - -var msg26374 = msg("24210", dup267); - -var msg26375 = msg("24211", dup263); - -var msg26376 = msg("24212", dup267); - -var msg26377 = msg("24213", dup202); - -var msg26378 = msg("24214", dup263); - -var msg26379 = msg("24215", dup263); - -var msg26380 = msg("24216", dup263); - -var msg26381 = msg("24217", dup263); - -var msg26382 = msg("24218", dup202); - -var msg26383 = msg("24219", dup202); - -var msg26384 = msg("24220", dup197); - -var msg26385 = msg("24221", dup267); - -var msg26386 = msg("24222", dup267); - -var msg26387 = msg("24223", dup267); - -var msg26388 = msg("24224", dup263); - -var msg26389 = msg("24225", dup269); - -var msg26390 = msg("24226", dup267); - -var msg26391 = msg("24227", dup267); - -var msg26392 = msg("24228", dup267); - -var msg26393 = msg("24229", dup201); - -var msg26394 = msg("24230", dup201); - -var msg26395 = msg("24231", dup267); - -var msg26396 = msg("24232", dup267); - -var msg26397 = msg("24233", dup267); - -var msg26398 = msg("24234", dup267); - -var msg26399 = msg("24235", dup263); - -var msg26400 = msg("24236", dup263); - -var msg26401 = msg("24237", dup197); - -var msg26402 = msg("24238", dup197); - -var msg26403 = msg("24239", dup197); - -var msg26404 = msg("24240", dup197); - -var msg26405 = msg("24241", dup197); - -var msg26406 = msg("24242", dup197); - 
-var msg26407 = msg("24243", dup269); - -var msg26408 = msg("24244", dup197); - -var msg26409 = msg("24245", dup197); - -var msg26410 = msg("24246", dup265); - -var msg26411 = msg("24247", dup265); - -var msg26412 = msg("24248", dup265); - -var msg26413 = msg("24249", dup265); - -var msg26414 = msg("24250", dup202); - -var msg26415 = msg("24251", dup263); - -var msg26416 = msg("24252", dup267); - -var msg26417 = msg("24253", dup202); - -var msg26418 = msg("24254", dup202); - -var msg26419 = msg("24255", dup263); - -var msg26420 = msg("24256", dup265); - -var msg26421 = msg("24257", dup263); - -var msg26422 = msg("24258", dup263); - -var msg26423 = msg("24259", dup263); - -var msg26424 = msg("24260", dup263); - -var msg26425 = msg("24261", dup263); - -var msg26426 = msg("24262", dup263); - -var msg26427 = msg("24263", dup269); - -var msg26428 = msg("24264", dup269); - -var msg26429 = msg("24265", dup269); - -var msg26430 = msg("24266", dup197); - -var msg26431 = msg("24267", dup197); - -var msg26432 = msg("24268", dup197); - -var msg26433 = msg("24269", dup197); - -var msg26434 = msg("24270", dup287); - -var msg26435 = msg("24271", dup263); - -var msg26436 = msg("24272", dup197); - -var msg26437 = msg("24273", dup197); - -var msg26438 = msg("24274", dup265); - -var msg26439 = msg("24275", dup265); - -var msg26440 = msg("24276", dup265); - -var msg26441 = msg("24277", dup267); - -var msg26442 = msg("24278", dup267); - -var msg26443 = msg("24279", dup267); - -var msg26444 = msg("24280", dup267); - -var msg26445 = msg("24281", dup265); - -var msg26446 = msg("24282", dup265); - -var msg26447 = msg("24283", dup267); - -var msg26448 = msg("24284", dup197); - -var msg26449 = msg("24285", dup263); - -var msg26450 = msg("24286", dup263); - -var msg26451 = msg("24287", dup263); - -var msg26452 = msg("24288", dup263); - -var msg26453 = msg("24289", dup267); - -var msg26454 = msg("24290", dup267); - -var msg26455 = msg("24291", dup265); - -var msg26456 = msg("24292", dup265); - 
-var msg26457 = msg("24293", dup255); - -var msg26458 = msg("24294", dup197); - -var all54 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup101, - dup31, - dup45, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var msg26459 = msg("24295", all54); - -var msg26460 = msg("24296", dup232); - -var msg26461 = msg("24297", dup232); - -var msg26462 = msg("24298", dup232); - -var msg26463 = msg("24299", dup232); - -var msg26464 = msg("24300", dup197); - -var msg26465 = msg("24301", dup232); - -var msg26466 = msg("24302", dup232); - -var msg26467 = msg("24303", dup232); - -var msg26468 = msg("24304", dup313); - -var msg26469 = msg("24305", dup232); - -var msg26470 = msg("24306", dup265); - -var msg26471 = msg("24307", dup263); - -var msg26472 = msg("24308", dup263); - -var msg26473 = msg("24309", dup263); - -var msg26474 = msg("24310", dup263); - -var msg26475 = msg("24311", dup263); - -var msg26476 = msg("24312", dup263); - -var msg26477 = msg("24313", dup265); - -var msg26478 = msg("24314", dup197); - -var msg26479 = msg("24315", dup197); - -var msg26480 = msg("24316", dup197); - -var msg26481 = msg("24317", dup197); - -var msg26482 = msg("24318", dup197); - -var msg26483 = msg("24319", dup197); - -var msg26484 = msg("24320", dup197); - -var msg26485 = msg("24321", dup197); - -var msg26486 = msg("24322", dup265); - -var msg26487 = msg("24323", dup265); - -var msg26488 = msg("24324", dup197); - -var msg26489 = msg("24325", dup197); - -var msg26490 = msg("24326", dup197); - -var msg26491 = msg("24327", dup197); - -var msg26492 = msg("24328", dup197); - -var msg26493 = msg("24329", dup197); - -var msg26494 = msg("24330", dup197); - -var msg26495 = msg("24331", dup197); - -var msg26496 = msg("24332", dup197); - -var msg26497 = msg("24333", dup197); - -var msg26498 = msg("24334", dup269); - -var msg26499 = 
msg("24335", dup197); - -var msg26500 = msg("24336", dup197); - -var msg26501 = msg("24337", dup198); - -var msg26502 = msg("24338", dup197); - -var msg26503 = msg("24339", dup255); - -var msg26504 = msg("24340", dup263); - -var msg26505 = msg("24341", dup263); - -var msg26506 = msg("24342", dup265); - -var msg26507 = msg("24343", dup265); - -var msg26508 = msg("24344", dup267); - -var msg26509 = msg("24345", dup263); - -var msg26510 = msg("24346", dup263); - -var msg26511 = msg("24347", dup263); - -var msg26512 = msg("24348", dup265); - -var msg26513 = msg("24349", dup263); - -var msg26514 = msg("24350", dup263); - -var msg26515 = msg("24351", dup197); - -var msg26516 = msg("24352", dup197); - -var msg26517 = msg("24353", dup197); - -var msg26518 = msg("24354", dup197); - -var msg26519 = msg("24355", dup267); - -var msg26520 = msg("24356", dup267); - -var msg26521 = msg("24357", dup197); - -var msg26522 = msg("24358", dup197); - -var msg26523 = msg("24359", dup276); - -var msg26524 = msg("24360", dup276); - -var msg26525 = msg("24361", dup263); - -var msg26526 = msg("24362", dup202); - -var msg26527 = msg("24363", dup202); - -var msg26528 = msg("24364", dup202); - -var msg26529 = msg("24365", dup202); - -var msg26530 = msg("24366", dup319); - -var msg26531 = msg("24367", dup319); - -var msg26532 = msg("24368", dup260); - -var msg26533 = msg("24369", dup260); - -var msg26534 = msg("24370", dup197); - -var msg26535 = msg("24371", dup197); - -var msg26536 = msg("24372", dup198); - -var msg26537 = msg("24373", dup263); - -var msg26538 = msg("24374", dup263); - -var msg26539 = msg("24375", dup263); - -var msg26540 = msg("24376", dup263); - -var msg26541 = msg("24377", dup263); - -var msg26542 = msg("24378", dup287); - -var msg26543 = msg("24379", dup197); - -var msg26544 = msg("24380", dup197); - -var msg26545 = msg("24381", dup263); - -var msg26546 = msg("24382", dup263); - -var msg26547 = msg("24383", dup263); - -var msg26548 = msg("24384", dup263); - -var msg26549 = 
msg("24385", dup263); - -var msg26550 = msg("24386", dup287); - -var msg26551 = msg("24387", dup287); - -var msg26552 = msg("24388", dup202); - -var msg26553 = msg("24389", dup202); - -var msg26554 = msg("24390", dup202); - -var msg26555 = msg("24391", dup202); - -var msg26556 = msg("24392", dup202); - -var msg26557 = msg("24393", dup267); - -var msg26558 = msg("24394", dup267); - -var msg26559 = msg("24395", dup197); - -var msg26560 = msg("24396", dup197); - -var msg26561 = msg("24397", dup202); - -var msg26562 = msg("24398", dup263); - -var msg26563 = msg("24399", dup263); - -var msg26564 = msg("24400", dup263); - -var msg26565 = msg("24401", dup197); - -var msg26566 = msg("24402", dup263); - -var msg26567 = msg("24403", dup263); - -var msg26568 = msg("24404", dup263); - -var msg26569 = msg("24405", dup263); - -var msg26570 = msg("24406", dup263); - -var msg26571 = msg("24407", dup263); - -var msg26572 = msg("24408", dup263); - -var msg26573 = msg("24409", dup263); - -var msg26574 = msg("24410", dup263); - -var msg26575 = msg("24411", dup263); - -var msg26576 = msg("24412", dup202); - -var msg26577 = msg("24413", dup202); - -var msg26578 = msg("24414", dup197); - -var msg26579 = msg("24415", dup197); - -var msg26580 = msg("24416", dup263); - -var msg26581 = msg("24417", dup263); - -var msg26582 = msg("24418", dup263); - -var msg26583 = msg("24419", dup263); - -var msg26584 = msg("24420", dup263); - -var msg26585 = msg("24421", dup260); - -var msg26586 = msg("24422", dup260); - -var msg26587 = msg("24423", dup240); - -var msg26588 = msg("24424", dup240); - -var msg26589 = msg("24425", dup199); - -var msg26590 = msg("24426", dup263); - -var msg26591 = msg("24427", dup263); - -var msg26592 = msg("24428", dup201); - -var msg26593 = msg("24429", dup201); - -var msg26594 = msg("24430", dup201); - -var msg26595 = msg("24431", dup201); - -var msg26596 = msg("24432", dup202); - -var msg26597 = msg("24433", dup202); - -var msg26598 = msg("24434", dup202); - -var msg26599 = 
msg("24435", dup265); - -var msg26600 = msg("24436", dup265); - -var msg26601 = msg("24437", dup263); - -var msg26602 = msg("24438", dup263); - -var msg26603 = msg("24439", dup269); - -var msg26604 = msg("24440", dup287); - -var msg26605 = msg("24441", dup269); - -var msg26606 = msg("24442", dup269); - -var msg26607 = msg("24443", dup263); - -var msg26608 = msg("24444", dup263); - -var msg26609 = msg("24445", dup263); - -var msg26610 = msg("24446", dup255); - -var msg26611 = msg("24447", dup202); - -var msg26612 = msg("24448", dup202); - -var msg26613 = msg("24449", dup267); - -var msg26614 = msg("24450", dup263); - -var msg26615 = msg("24451", dup263); - -var msg26616 = msg("24452", dup197); - -var msg26617 = msg("24453", dup202); - -var msg26618 = msg("24454", dup202); - -var msg26619 = msg("24455", dup202); - -var msg26620 = msg("24456", dup202); - -var msg26621 = msg("24457", dup202); - -var msg26622 = msg("24458", dup202); - -var msg26623 = msg("24459", dup202); - -var msg26624 = msg("24460", dup202); - -var msg26625 = msg("24461", dup202); - -var msg26626 = msg("24462", dup202); - -var msg26627 = msg("24463", dup202); - -var msg26628 = msg("24464", dup202); - -var msg26629 = msg("24465", dup202); - -var msg26630 = msg("24466", dup202); - -var msg26631 = msg("24467", dup202); - -var msg26632 = msg("24468", dup202); - -var msg26633 = msg("24469", dup202); - -var msg26634 = msg("24470", dup202); - -var msg26635 = msg("24471", dup202); - -var msg26636 = msg("24472", dup202); - -var msg26637 = msg("24473", dup202); - -var msg26638 = msg("24474", dup202); - -var msg26639 = msg("24475", dup267); - -var msg26640 = msg("24476", dup197); - -var msg26641 = msg("24477", dup197); - -var msg26642 = msg("24478", dup197); - -var msg26643 = msg("24479", dup197); - -var msg26644 = msg("24480", dup197); - -var msg26645 = msg("24481", dup197); - -var msg26646 = msg("24482", dup263); - -var msg26647 = msg("24483", dup202); - -var msg26648 = msg("24484", dup202); - -var msg26649 = 
msg("24485", dup197); - -var msg26650 = msg("24486", dup197); - -var msg26651 = msg("24487", dup197); - -var msg26652 = msg("24488", dup267); - -var msg26653 = msg("24489", dup267); - -var msg26654 = msg("24490", dup267); - -var msg26655 = msg("24491", dup321); - -var msg26656 = msg("24492", dup321); - -var msg26657 = msg("24493", dup321); - -var msg26658 = msg("24494", dup321); - -var msg26659 = msg("24495", dup321); - -var msg26660 = msg("24496", dup321); - -var msg26661 = msg("24497", dup321); - -var msg26662 = msg("24498", dup311); - -var msg26663 = msg("24499", dup311); - -var msg26664 = msg("24500", dup314); - -var msg26665 = msg("24501", dup311); - -var msg26666 = msg("24502", dup311); - -var msg26667 = msg("24503", dup308); - -var msg26668 = msg("24504", dup321); - -var msg26669 = msg("24505", dup321); - -var msg26670 = msg("24506", dup314); - -var msg26671 = msg("24507", dup309); - -var msg26672 = msg("24508", dup309); - -var msg26673 = msg("24509", dup314); - -var msg26674 = msg("24510", dup311); - -var msg26675 = msg("24511", dup311); - -var msg26676 = msg("24512", dup309); - -var msg26677 = msg("24513", dup309); - -var msg26678 = msg("24514", dup321); - -var msg26679 = msg("24515", dup321); - -var msg26680 = msg("24516", dup321); - -var msg26681 = msg("24517", dup322); - -var msg26682 = msg("24518", dup311); - -var msg26683 = msg("24519", dup311); - -var msg26684 = msg("24520", dup323); - -var msg26685 = msg("24521", dup314); - -var msg26686 = msg("24522", dup308); - -var msg26687 = msg("24523", dup321); - -var msg26688 = msg("24524", dup324); - -var msg26689 = msg("24525", dup311); - -var msg26690 = msg("24526", dup311); - -var msg26691 = msg("24527", dup311); - -var msg26692 = msg("24528", dup311); - -var msg26693 = msg("24529", dup321); - -var msg26694 = msg("24530", dup321); - -var msg26695 = msg("24531", dup321); - -var msg26696 = msg("24532", dup321); - -var msg26697 = msg("24533", dup321); - -var msg26698 = msg("24534", dup321); - -var msg26699 = 
msg("24535", dup309); - -var msg26700 = msg("24536", dup309); - -var msg26701 = msg("24537", dup309); - -var msg26702 = msg("24538", dup309); - -var msg26703 = msg("24539", dup321); - -var msg26704 = msg("24540", dup321); - -var msg26705 = msg("24541", dup321); - -var msg26706 = msg("24542", dup321); - -var msg26707 = msg("24543", dup311); - -var msg26708 = msg("24544", dup311); - -var msg26709 = msg("24545", dup321); - -var msg26710 = msg("24546", dup311); - -var msg26711 = msg("24547", dup311); - -var msg26712 = msg("24548", dup311); - -var msg26713 = msg("24549", dup309); - -var msg26714 = msg("24550", dup309); - -var msg26715 = msg("24551", dup309); - -var msg26716 = msg("24552", dup309); - -var msg26717 = msg("24553", dup309); - -var msg26718 = msg("24554", dup314); - -var msg26719 = msg("24555", dup314); - -var msg26720 = msg("24556", dup309); - -var msg26721 = msg("24557", dup309); - -var msg26722 = msg("24558", dup309); - -var msg26723 = msg("24559", dup314); - -var msg26724 = msg("24560", dup314); - -var msg26725 = msg("24561", dup311); - -var msg26726 = msg("24562", dup321); - -var msg26727 = msg("24563", dup321); - -var msg26728 = msg("24564", dup321); - -var msg26729 = msg("24565", dup321); - -var msg26730 = msg("24566", dup321); - -var msg26731 = msg("24567", dup321); - -var msg26732 = msg("24568", dup325); - -var msg26733 = msg("24569", dup321); - -var msg26734 = msg("24570", dup314); - -var msg26735 = msg("24571", dup314); - -var msg26736 = msg("24572", dup314); - -var msg26737 = msg("24573", dup314); - -var msg26738 = msg("24574", dup314); - -var msg26739 = msg("24575", dup325); - -var msg26740 = msg("24576", dup321); - -var msg26741 = msg("24577", dup325); - -var msg26742 = msg("24578", dup314); - -var msg26743 = msg("24579", dup314); - -var msg26744 = msg("24580", dup314); - -var msg26745 = msg("24581", dup314); - -var msg26746 = msg("24582", dup314); - -var msg26747 = msg("24583", dup314); - -var msg26748 = msg("24584", dup314); - -var msg26749 = 
msg("24585", dup314); - -var msg26750 = msg("24586", dup321); - -var msg26751 = msg("24587", dup309); - -var msg26752 = msg("24588", dup309); - -var msg26753 = msg("24589", dup311); - -var msg26754 = msg("24590", dup311); - -var msg26755 = msg("24591", dup311); - -var msg26756 = msg("24592", dup311); - -var msg26757 = msg("24593", dup311); - -var msg26758 = msg("24594", dup321); - -var msg26759 = msg("24595", dup311); - -var msg26760 = msg("24596", dup311); - -var msg26761 = msg("24597", dup311); - -var msg26762 = msg("24598", dup326); - -var msg26763 = msg("24599", dup314); - -var msg26764 = msg("24600", dup311); - -var msg26765 = msg("24601", dup311); - -var msg26766 = msg("24602", dup311); - -var msg26767 = msg("24603", dup311); - -var msg26768 = msg("24604", dup311); - -var msg26769 = msg("24605", dup311); - -var msg26770 = msg("24606", dup311); - -var msg26771 = msg("24607", dup311); - -var msg26772 = msg("24608", dup311); - -var msg26773 = msg("24609", dup311); - -var msg26774 = msg("24610", dup311); - -var msg26775 = msg("24611", dup311); - -var msg26776 = msg("24612", dup311); - -var msg26777 = msg("24613", dup311); - -var msg26778 = msg("24614", dup311); - -var msg26779 = msg("24615", dup311); - -var msg26780 = msg("24616", dup311); - -var msg26781 = msg("24617", dup311); - -var msg26782 = msg("24618", dup311); - -var msg26783 = msg("24619", dup311); - -var msg26784 = msg("24620", dup311); - -var msg26785 = msg("24621", dup311); - -var msg26786 = msg("24622", dup311); - -var msg26787 = msg("24623", dup325); - -var msg26788 = msg("24624", dup321); - -var msg26789 = msg("24625", dup309); - -var msg26790 = msg("24626", dup309); - -var msg26791 = msg("24627", dup324); - -var msg26792 = msg("24628", dup316); - -var msg26793 = msg("24629", dup322); - -var msg26794 = msg("24630", dup321); - -var msg26795 = msg("24631", dup325); - -var msg26796 = msg("24632", dup325); - -var msg26797 = msg("24633", dup325); - -var msg26798 = msg("24634", dup325); - -var msg26799 = 
msg("24635", dup321); - -var msg26800 = msg("24636", dup311); - -var msg26801 = msg("24637", dup311); - -var msg26802 = msg("24638", dup311); - -var msg26803 = msg("24639", dup308); - -var msg26804 = msg("24640", dup309); - -var msg26805 = msg("24641", dup309); - -var msg26806 = msg("24642", dup311); - -var msg26807 = msg("24643", dup314); - -var msg26808 = msg("24644", dup314); - -var msg26809 = msg("24645", dup314); - -var msg26810 = msg("24646", dup314); - -var msg26811 = msg("24647", dup309); - -var msg26812 = msg("24648", dup311); - -var msg26813 = msg("24649", dup309); - -var msg26814 = msg("24650", dup309); - -var msg26815 = msg("24651", dup323); - -var msg26816 = msg("24652", dup311); - -var msg26817 = msg("24653", dup325); - -var msg26818 = msg("24654", dup325); - -var msg26819 = msg("24655", dup311); - -var msg26820 = msg("24656", dup311); - -var msg26821 = msg("24657", dup309); - -var msg26822 = msg("24658", dup309); - -var msg26823 = msg("24659", dup309); - -var msg26824 = msg("24660", dup325); - -var msg26825 = msg("24661", dup325); - -var msg26826 = msg("24662", dup311); - -var msg26827 = msg("24663", dup311); - -var msg26828 = msg("24664", dup311); - -var msg26829 = msg("24665", dup311); - -var msg26830 = msg("24666", dup309); - -var msg26831 = msg("24667", dup311); - -var msg26832 = msg("24668", dup311); - -var msg26833 = msg("24669", dup311); - -var msg26834 = msg("24670", dup311); - -var msg26835 = msg("24671", dup311); - -var msg26836 = msg("24672", dup309); - -var msg26837 = msg("24673", dup309); - -var msg26838 = msg("24674", dup309); - -var msg26839 = msg("24675", dup307); - -var msg26840 = msg("24676", dup307); - -var msg26841 = msg("24677", dup324); - -var msg26842 = msg("24678", dup309); - -var msg26843 = msg("24679", dup309); - -var msg26844 = msg("24680", dup309); - -var msg26845 = msg("24681", dup309); - -var msg26846 = msg("24682", dup309); - -var msg26847 = msg("24683", dup309); - -var msg26848 = msg("24684", dup309); - -var msg26849 = 
msg("24685", dup309); - -var msg26850 = msg("24686", dup309); - -var msg26851 = msg("24687", dup311); - -var msg26852 = msg("24688", dup311); - -var msg26853 = msg("24689", dup314); - -var msg26854 = msg("24690", dup314); - -var msg26855 = msg("24691", dup314); - -var msg26856 = msg("24692", dup314); - -var msg26857 = msg("24693", dup309); - -var msg26858 = msg("24694", dup311); - -var msg26859 = msg("24695", dup311); - -var msg26860 = msg("24696", dup308); - -var msg26861 = msg("24697", dup324); - -var msg26862 = msg("24698", dup324); - -var msg26863 = msg("24699", dup307); - -var msg26864 = msg("24700", dup307); - -var msg26865 = msg("24701", dup309); - -var msg26866 = msg("24702", dup324); - -var msg26867 = msg("24703", dup324); - -var msg26868 = msg("24704", dup322); - -var msg26869 = msg("24705", dup322); - -var msg26870 = msg("24706", dup309); - -var msg26871 = msg("24707", dup309); - -var msg26872 = msg("24708", dup314); - -var msg26873 = msg("24709", dup314); - -var msg26874 = msg("24710", dup314); - -var msg26875 = msg("24711", dup309); - -var msg26876 = msg("24712", dup309); - -var msg26877 = msg("24713", dup309); - -var msg26878 = msg("24714", dup309); - -var msg26879 = msg("24715", dup309); - -var msg26880 = msg("24716", dup309); - -var msg26881 = msg("24717", dup309); - -var msg26882 = msg("24718", dup309); - -var msg26883 = msg("24719", dup314); - -var msg26884 = msg("24720", dup323); - -var msg26885 = msg("24721", dup314); - -var msg26886 = msg("24722", dup314); - -var msg26887 = msg("24723", dup314); - -var msg26888 = msg("24724", dup314); - -var msg26889 = msg("24725", dup314); - -var msg26890 = msg("24726", dup314); - -var msg26891 = msg("24727", dup311); - -var msg26892 = msg("24728", dup311); - -var msg26893 = msg("24729", dup311); - -var msg26894 = msg("24730", dup311); - -var msg26895 = msg("24731", dup311); - -var msg26896 = msg("24732", dup311); - -var msg26897 = msg("24733", dup311); - -var msg26898 = msg("24734", dup311); - -var msg26899 = 
msg("24735", dup311); - -var msg26900 = msg("24736", dup311); - -var msg26901 = msg("24737", dup311); - -var msg26902 = msg("24738", dup309); - -var msg26903 = msg("24739", dup307); - -var msg26904 = msg("24740", dup327); - -var msg26905 = msg("24741", dup307); - -var msg26906 = msg("24742", dup307); - -var msg26907 = msg("24743", dup307); - -var msg26908 = msg("24744", dup307); - -var msg26909 = msg("24745", dup307); - -var msg26910 = msg("24746", dup307); - -var msg26911 = msg("24747", dup307); - -var msg26912 = msg("24748", dup307); - -var msg26913 = msg("24749", dup307); - -var msg26914 = msg("24750", dup307); - -var msg26915 = msg("24751", dup307); - -var msg26916 = msg("24752", dup307); - -var msg26917 = msg("24753", dup307); - -var msg26918 = msg("24754", dup307); - -var msg26919 = msg("24755", dup307); - -var msg26920 = msg("24756", dup307); - -var msg26921 = msg("24757", dup307); - -var msg26922 = msg("24758", dup307); - -var msg26923 = msg("24759", dup307); - -var msg26924 = msg("24760", dup307); - -var msg26925 = msg("24761", dup324); - -var msg26926 = msg("24762", dup324); - -var msg26927 = msg("24763", dup309); - -var msg26928 = msg("24764", dup309); - -var msg26929 = msg("24765", dup309); - -var msg26930 = msg("24766", dup314); - -var msg26931 = msg("24767", dup314); - -var msg26932 = msg("24768", dup309); - -var msg26933 = msg("24769", dup311); - -var msg26934 = msg("24770", dup311); - -var msg26935 = msg("24771", dup309); - -var msg26936 = msg("24772", dup309); - -var msg26937 = msg("24773", dup309); - -var msg26938 = msg("24774", dup323); - -var msg26939 = msg("24775", dup323); - -var msg26940 = msg("24776", dup323); - -var msg26941 = msg("24777", dup323); - -var msg26942 = msg("24778", dup311); - -var msg26943 = msg("24779", dup311); - -var msg26944 = msg("24780", dup311); - -var msg26945 = msg("24781", dup311); - -var msg26946 = msg("24782", dup311); - -var msg26947 = msg("24783", dup311); - -var msg26948 = msg("24784", dup311); - -var msg26949 = 
msg("24785", dup311); - -var msg26950 = msg("24786", dup311); - -var msg26951 = msg("24787", dup311); - -var msg26952 = msg("24788", dup311); - -var msg26953 = msg("24789", dup311); - -var msg26954 = msg("24790", dup311); - -var msg26955 = msg("24791", dup311); - -var msg26956 = msg("24792", dup325); - -var msg26957 = msg("24793", dup311); - -var msg26958 = msg("24794", dup311); - -var msg26959 = msg("24795", dup311); - -var msg26960 = msg("24796", dup311); - -var msg26961 = msg("24797", dup311); - -var msg26962 = msg("24798", dup311); - -var msg26963 = msg("24799", dup311); - -var msg26964 = msg("24800", dup311); - -var msg26965 = msg("24801", dup322); - -var msg26966 = msg("24802", dup309); - -var msg26967 = msg("24803", dup314); - -var msg26968 = msg("24804", dup307); - -var msg26969 = msg("24805", dup310); - -var msg26970 = msg("24806", dup314); - -var msg26971 = msg("24807", dup314); - -var msg26972 = msg("24808", dup325); - -var msg26973 = msg("24809", dup325); - -var msg26974 = msg("24810", dup314); - -var msg26975 = msg("24811", dup314); - -var msg26976 = msg("24812", dup314); - -var msg26977 = msg("24813", dup314); - -var msg26978 = msg("24814", dup315); - -var msg26979 = msg("24815", dup309); - -var msg26980 = msg("24816", dup314); - -var msg26981 = msg("24817", dup314); - -var msg26982 = msg("24818", dup314); - -var msg26983 = msg("24819", dup314); - -var msg26984 = msg("24820", dup314); - -var msg26985 = msg("24821", dup314); - -var msg26986 = msg("24822", dup314); - -var msg26987 = msg("24823", dup309); - -var msg26988 = msg("24824", dup314); - -var msg26989 = msg("24825", dup314); - -var msg26990 = msg("24826", dup314); - -var msg26991 = msg("24827", dup309); - -var msg26992 = msg("24828", dup309); - -var msg26993 = msg("24829", dup309); - -var msg26994 = msg("24830", dup309); - -var msg26995 = msg("24831", dup309); - -var msg26996 = msg("24832", dup309); - -var msg26997 = msg("24833", dup309); - -var msg26998 = msg("24834", dup309); - -var msg26999 = 
msg("24835", dup309); - -var msg27000 = msg("24836", dup309); - -var msg27001 = msg("24837", dup311); - -var msg27002 = msg("24838", dup311); - -var msg27003 = msg("24839", dup311); - -var msg27004 = msg("24840", dup311); - -var msg27005 = msg("24841", dup311); - -var msg27006 = msg("24842", dup321); - -var msg27007 = msg("24843", dup321); - -var msg27008 = msg("24844", dup321); - -var msg27009 = msg("24845", dup321); - -var msg27010 = msg("24846", dup321); - -var msg27011 = msg("24847", dup321); - -var msg27012 = msg("24848", dup321); - -var msg27013 = msg("24849", dup321); - -var msg27014 = msg("24850", dup321); - -var msg27015 = msg("24851", dup321); - -var msg27016 = msg("24852", dup321); - -var msg27017 = msg("24853", dup321); - -var msg27018 = msg("24854", dup321); - -var msg27019 = msg("24855", dup321); - -var msg27020 = msg("24856", dup321); - -var msg27021 = msg("24857", dup321); - -var msg27022 = msg("24858", dup321); - -var msg27023 = msg("24859", dup321); - -var msg27024 = msg("24860", dup311); - -var msg27025 = msg("24861", dup311); - -var msg27026 = msg("24862", dup311); - -var msg27027 = msg("24863", dup311); - -var msg27028 = msg("24864", dup311); - -var msg27029 = msg("24865", dup311); - -var msg27030 = msg("24866", dup314); - -var msg27031 = msg("24867", dup314); - -var msg27032 = msg("24868", dup309); - -var msg27033 = msg("24869", dup311); - -var msg27034 = msg("24870", dup311); - -var msg27035 = msg("24871", dup311); - -var msg27036 = msg("24872", dup311); - -var msg27037 = msg("24873", dup321); - -var msg27038 = msg("24874", dup307); - -var msg27039 = msg("24875", dup307); - -var msg27040 = msg("24876", dup307); - -var msg27041 = msg("24877", dup307); - -var msg27042 = msg("24878", dup314); - -var msg27043 = msg("24879", dup314); - -var msg27044 = msg("24880", dup314); - -var msg27045 = msg("24881", dup314); - -var msg27046 = msg("24882", dup314); - -var msg27047 = msg("24883", dup311); - -var msg27048 = msg("24884", dup311); - -var msg27049 = 
msg("24885", dup321); - -var msg27050 = msg("24886", dup321); - -var msg27051 = msg("24887", dup321); - -var msg27052 = msg("24888", dup311); - -var msg27053 = msg("24889", dup309); - -var msg27054 = msg("24890", dup309); - -var msg27055 = msg("24891", dup309); - -var msg27056 = msg("24892", dup309); - -var msg27057 = msg("24893", dup309); - -var msg27058 = msg("24894", dup309); - -var msg27059 = msg("24895", dup323); - -var msg27060 = msg("24896", dup323); - -var msg27061 = msg("24897", dup322); - -var msg27062 = msg("24898", dup307); - -var msg27063 = msg("24899", dup311); - -var msg27064 = msg("24900", dup311); - -var msg27065 = msg("24901", dup314); - -var msg27066 = msg("24902", dup314); - -var msg27067 = msg("24903", dup314); - -var msg27068 = msg("24904", dup309); - -var msg27069 = msg("24905", dup309); - -var msg27070 = msg("24906", dup309); - -var msg27071 = msg("24907", dup316); - -var msg27072 = msg("24908", dup328); - -var msg27073 = msg("24909", dup328); - -var msg27074 = msg("24910", dup322); - -var msg27075 = msg("24911", dup309); - -var msg27076 = msg("24912", dup309); - -var msg27077 = msg("24913", dup309); - -var msg27078 = msg("24914", dup309); - -var msg27079 = msg("24915", dup309); - -var msg27080 = msg("24916", dup321); - -var msg27081 = msg("24917", dup321); - -var msg27082 = msg("24918", dup321); - -var msg27083 = msg("24955", dup309); - -var msg27084 = msg("24956", dup311); - -var msg27085 = msg("24957", dup314); - -var msg27086 = msg("24958", dup314); - -var msg27087 = msg("24959", dup314); - -var msg27088 = msg("24960", dup314); - -var msg27089 = msg("24961", dup314); - -var msg27090 = msg("24962", dup314); - -var msg27091 = msg("24963", dup314); - -var msg27092 = msg("24964", dup309); - -var msg27093 = msg("24965", dup309); - -var msg27094 = msg("24966", dup309); - -var msg27095 = msg("24967", dup309); - -var msg27096 = msg("24968", dup309); - -var msg27097 = msg("24969", dup309); - -var msg27098 = msg("24970", dup309); - -var msg27099 = 
msg("24971", dup311); - -var all55 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup95, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var msg27100 = msg("24972", all55); - -var msg27101 = msg("24973", dup309); - -var msg27102 = msg("24974", dup309); - -var msg27103 = msg("24975", dup309); - -var msg27104 = msg("24976", dup321); - -var msg27105 = msg("24977", dup311); - -var msg27106 = msg("24978", dup311); - -var msg27107 = msg("24979", dup311); - -var msg27108 = msg("24980", dup323); - -var msg27109 = msg("24981", dup323); - -var msg27110 = msg("24982", dup323); - -var msg27111 = msg("24983", dup323); - -var msg27112 = msg("24984", dup314); - -var msg27113 = msg("24985", dup309); - -var msg27114 = msg("24986", dup309); - -var msg27115 = msg("24987", dup323); - -var msg27116 = msg("24988", dup309); - -var msg27117 = msg("24989", dup314); - -var msg27118 = msg("24990", dup314); - -var msg27119 = msg("24991", dup309); - -var msg27120 = msg("24992", dup309); - -var msg27121 = msg("24993", dup311); - -var msg27122 = msg("24994", dup314); - -var msg27123 = msg("24995", dup309); - -var msg27124 = msg("24996", dup309); - -var msg27125 = msg("24997", dup309); - -var msg27126 = msg("24998", dup309); - -var msg27127 = msg("24999", dup309); - -var msg27128 = msg("25000", dup309); - -var msg27129 = msg("25001", dup321); - -var msg27130 = msg("25002", dup321); - -var msg27131 = msg("25003", dup309); - -var msg27132 = msg("25004", dup311); - -var msg27133 = msg("25005", dup311); - -var msg27134 = msg("25006", dup307); - -var msg27135 = msg("25007", dup321); - -var msg27136 = msg("25008", dup311); - -var msg27137 = msg("25009", dup325); - -var msg27138 = msg("25010", dup321); - -var msg27139 = msg("25011", dup321); - -var msg27140 = msg("25012", dup309); - -var msg27141 = msg("25013", dup309); - -var msg27142 = 
msg("25014", dup323); - -var msg27143 = msg("25015", dup321); - -var msg27144 = msg("25016", dup321); - -var msg27145 = msg("25017", dup311); - -var msg27146 = msg("25018", dup321); - -var msg27147 = msg("25019", dup316); - -var msg27148 = msg("25020", dup316); - -var msg27149 = msg("25021", dup321); - -var msg27150 = msg("25022", dup321); - -var msg27151 = msg("25023", dup321); - -var msg27152 = msg("25024", dup321); - -var msg27153 = msg("25025", dup321); - -var msg27154 = msg("25026", dup321); - -var msg27155 = msg("25027", dup321); - -var msg27156 = msg("25028", dup321); - -var msg27157 = msg("25029", dup321); - -var msg27158 = msg("25030", dup321); - -var msg27159 = msg("25031", dup321); - -var msg27160 = msg("25032", dup314); - -var msg27161 = msg("25033", dup314); - -var msg27162 = msg("25034", dup314); - -var msg27163 = msg("25035", dup314); - -var msg27164 = msg("25036", dup324); - -var msg27165 = msg("25037", dup311); - -var msg27166 = msg("25038", dup311); - -var msg27167 = msg("25039", dup311); - -var msg27168 = msg("25040", dup311); - -var msg27169 = msg("25041", dup311); - -var msg27170 = msg("25042", dup311); - -var msg27171 = msg("25043", dup311); - -var msg27172 = msg("25044", dup311); - -var msg27173 = msg("25045", dup311); - -var msg27174 = msg("25046", dup311); - -var msg27175 = msg("25047", dup311); - -var msg27176 = msg("25048", dup311); - -var msg27177 = msg("25049", dup321); - -var msg27178 = msg("25050", dup321); - -var msg27179 = msg("25051", dup311); - -var msg27180 = msg("25052", dup311); - -var msg27181 = msg("25053", dup311); - -var msg27182 = msg("25054", dup321); - -var msg27183 = msg("25055", dup311); - -var msg27184 = msg("25056", dup311); - -var msg27185 = msg("25057", dup314); - -var msg27186 = msg("25058", dup311); - -var msg27187 = msg("25059", dup309); - -var msg27188 = msg("25060", dup314); - -var msg27189 = msg("25061", dup314); - -var msg27190 = msg("25062", dup314); - -var msg27191 = msg("25063", dup309); - -var msg27192 = 
msg("25064", dup309); - -var msg27193 = msg("25065", dup309); - -var msg27194 = msg("25066", dup309); - -var msg27195 = msg("25067", dup321); - -var msg27196 = msg("25068", dup321); - -var msg27197 = msg("25069", dup321); - -var msg27198 = msg("25070", dup321); - -var msg27199 = msg("25071", dup321); - -var msg27200 = msg("25072", dup321); - -var msg27201 = msg("25073", dup321); - -var msg27202 = msg("25074", dup321); - -var msg27203 = msg("25075", dup321); - -var msg27204 = msg("25076", dup321); - -var msg27205 = msg("25077", dup321); - -var msg27206 = msg("25078", dup311); - -var msg27207 = msg("25079", dup311); - -var msg27208 = msg("25080", dup329); - -var msg27209 = msg("25081", dup329); - -var msg27210 = msg("25082", dup314); - -var msg27211 = msg("25083", dup314); - -var msg27212 = msg("25084", dup311); - -var msg27213 = msg("25085", dup311); - -var msg27214 = msg("25086", dup311); - -var msg27215 = msg("25087", dup311); - -var msg27216 = msg("25088", dup311); - -var msg27217 = msg("25089", dup311); - -var msg27218 = msg("25090", dup311); - -var msg27219 = msg("25091", dup311); - -var msg27220 = msg("25092", dup311); - -var msg27221 = msg("25093", dup311); - -var msg27222 = msg("25094", dup311); - -var msg27223 = msg("25095", dup311); - -var msg27224 = msg("25096", dup311); - -var msg27225 = msg("25097", dup311); - -var msg27226 = msg("25098", dup321); - -var msg27227 = msg("25099", dup321); - -var msg27228 = msg("25100", dup321); - -var msg27229 = msg("25101", dup309); - -var msg27230 = msg("25102", dup307); - -var msg27231 = msg("25103", dup311); - -var msg27232 = msg("25104", dup314); - -var msg27233 = msg("25105", dup314); - -var msg27234 = msg("25106", dup311); - -var msg27235 = msg("25107", dup321); - -var msg27236 = msg("25108", dup321); - -var msg27237 = msg("25109", dup321); - -var msg27238 = msg("25110", dup321); - -var msg27239 = msg("25111", dup309); - -var msg27240 = msg("25112", dup309); - -var msg27241 = msg("25113", dup309); - -var msg27242 = 
msg("25114", dup309); - -var msg27243 = msg("25115", dup309); - -var msg27244 = msg("25116", dup309); - -var msg27245 = msg("25117", dup309); - -var msg27246 = msg("25118", dup309); - -var msg27247 = msg("25119", dup325); - -var msg27248 = msg("25120", dup314); - -var msg27249 = msg("25121", dup311); - -var msg27250 = msg("25122", dup311); - -var msg27251 = msg("25123", dup311); - -var msg27252 = msg("25124", dup311); - -var msg27253 = msg("25125", dup325); - -var msg27254 = msg("25126", dup325); - -var msg27255 = msg("25127", dup325); - -var msg27256 = msg("25128", dup325); - -var msg27257 = msg("25129", dup325); - -var msg27258 = msg("25130", dup325); - -var msg27259 = msg("25131", dup325); - -var msg27260 = msg("25132", dup325); - -var msg27261 = msg("25133", dup325); - -var msg27262 = msg("25134", dup325); - -var msg27263 = msg("25135", dup311); - -var msg27264 = msg("25136", dup311); - -var msg27265 = msg("25137", dup311); - -var msg27266 = msg("25138", dup311); - -var msg27267 = msg("25139", dup311); - -var msg27268 = msg("25140", dup311); - -var msg27269 = msg("25141", dup321); - -var msg27270 = msg("25142", dup321); - -var msg27271 = msg("25143", dup321); - -var msg27272 = msg("25144", dup321); - -var msg27273 = msg("25145", dup321); - -var msg27274 = msg("25146", dup321); - -var msg27275 = msg("25147", dup321); - -var msg27276 = msg("25148", dup321); - -var msg27277 = msg("25149", dup321); - -var msg27278 = msg("25150", dup321); - -var msg27279 = msg("25151", dup321); - -var msg27280 = msg("25152", dup321); - -var msg27281 = msg("25153", dup321); - -var msg27282 = msg("25154", dup321); - -var msg27283 = msg("25155", dup321); - -var msg27284 = msg("25156", dup321); - -var msg27285 = msg("25157", dup321); - -var msg27286 = msg("25158", dup321); - -var msg27287 = msg("25159", dup321); - -var msg27288 = msg("25160", dup321); - -var msg27289 = msg("25161", dup321); - -var msg27290 = msg("25162", dup321); - -var msg27291 = msg("25163", dup321); - -var msg27292 = 
msg("25164", dup321); - -var msg27293 = msg("25165", dup321); - -var msg27294 = msg("25166", dup321); - -var msg27295 = msg("25167", dup321); - -var msg27296 = msg("25168", dup321); - -var msg27297 = msg("25169", dup321); - -var msg27298 = msg("25170", dup321); - -var msg27299 = msg("25171", dup321); - -var msg27300 = msg("25172", dup321); - -var msg27301 = msg("25173", dup321); - -var msg27302 = msg("25174", dup321); - -var msg27303 = msg("25175", dup321); - -var msg27304 = msg("25176", dup321); - -var msg27305 = msg("25177", dup321); - -var msg27306 = msg("25178", dup308); - -var msg27307 = msg("25179", dup321); - -var msg27308 = msg("25180", dup321); - -var msg27309 = msg("25181", dup321); - -var msg27310 = msg("25182", dup321); - -var msg27311 = msg("25183", dup321); - -var msg27312 = msg("25184", dup321); - -var msg27313 = msg("25185", dup321); - -var msg27314 = msg("25186", dup321); - -var msg27315 = msg("25187", dup321); - -var msg27316 = msg("25188", dup321); - -var msg27317 = msg("25189", dup321); - -var msg27318 = msg("25190", dup321); - -var msg27319 = msg("25191", dup321); - -var msg27320 = msg("25192", dup321); - -var msg27321 = msg("25193", dup321); - -var msg27322 = msg("25194", dup321); - -var msg27323 = msg("25195", dup321); - -var msg27324 = msg("25196", dup321); - -var msg27325 = msg("25197", dup321); - -var msg27326 = msg("25198", dup321); - -var msg27327 = msg("25199", dup321); - -var msg27328 = msg("25200", dup321); - -var msg27329 = msg("25201", dup321); - -var msg27330 = msg("25202", dup321); - -var msg27331 = msg("25203", dup321); - -var msg27332 = msg("25204", dup321); - -var msg27333 = msg("25205", dup321); - -var msg27334 = msg("25206", dup321); - -var msg27335 = msg("25207", dup321); - -var msg27336 = msg("25208", dup321); - -var msg27337 = msg("25209", dup321); - -var msg27338 = msg("25210", dup321); - -var msg27339 = msg("25211", dup321); - -var msg27340 = msg("25212", dup321); - -var msg27341 = msg("25213", dup321); - -var msg27342 = 
msg("25214", dup321); - -var msg27343 = msg("25215", dup321); - -var msg27344 = msg("25216", dup321); - -var msg27345 = msg("25217", dup321); - -var msg27346 = msg("25218", dup321); - -var msg27347 = msg("25219", dup321); - -var msg27348 = msg("25220", dup321); - -var msg27349 = msg("25221", dup321); - -var msg27350 = msg("25222", dup321); - -var msg27351 = msg("25223", dup321); - -var msg27352 = msg("25224", dup321); - -var msg27353 = msg("25225", dup325); - -var msg27354 = msg("25226", dup325); - -var msg27355 = msg("25227", dup314); - -var msg27356 = msg("25228", dup314); - -var msg27357 = msg("25229", dup321); - -var msg27358 = msg("25230", dup321); - -var msg27359 = msg("25231", dup321); - -var msg27360 = msg("25232", dup311); - -var msg27361 = msg("25233", dup311); - -var msg27362 = msg("25234", dup325); - -var msg27363 = msg("25235", dup325); - -var msg27364 = msg("25236", dup311); - -var msg27365 = msg("25237", dup321); - -var msg27366 = msg("25238", dup311); - -var msg27367 = msg("25239", dup321); - -var msg27368 = msg("25240", dup321); - -var msg27369 = msg("25241", dup321); - -var msg27370 = msg("25242", dup321); - -var msg27371 = msg("25243", dup325); - -var msg27372 = msg("25244", dup321); - -var msg27373 = msg("25245", dup325); - -var msg27374 = msg("25246", dup311); - -var msg27375 = msg("25247", dup309); - -var msg27376 = msg("25248", dup309); - -var msg27377 = msg("25249", dup321); - -var msg27378 = msg("25250", dup314); - -var msg27379 = msg("25251", dup314); - -var msg27380 = msg("25252", dup309); - -var msg27381 = msg("25253", dup309); - -var msg27382 = msg("25254", dup314); - -var msg27383 = msg("25255", dup311); - -var msg27384 = msg("25256", dup321); - -var msg27385 = msg("25257", dup321); - -var msg27386 = msg("25258", dup321); - -var msg27387 = msg("25259", dup321); - -var msg27388 = msg("25260", dup325); - -var msg27389 = msg("25261", dup325); - -var msg27390 = msg("25262", dup325); - -var msg27391 = msg("25263", dup314); - -var msg27392 = 
msg("25264", dup314); - -var msg27393 = msg("25265", dup314); - -var msg27394 = msg("25266", dup311); - -var msg27395 = msg("25267", dup311); - -var msg27396 = msg("25268", dup321); - -var msg27397 = msg("25269", dup321); - -var msg27398 = msg("25270", dup309); - -var msg27399 = msg("25271", dup321); - -var msg27400 = msg("25272", dup311); - -var msg27401 = msg("25273", dup311); - -var msg27402 = msg("25274", dup324); - -var msg27403 = msg("25275", dup311); - -var msg27404 = msg("25276", dup311); - -var msg27405 = msg("25277", dup321); - -var msg27406 = msg("25278", dup321); - -var msg27407 = msg("25279", dup321); - -var msg27408 = msg("25280", dup321); - -var msg27409 = msg("25281", dup321); - -var msg27410 = msg("25282", dup321); - -var msg27411 = msg("25283", dup321); - -var msg27412 = msg("25284", dup321); - -var msg27413 = msg("25285", dup322); - -var msg27414 = msg("25286", dup314); - -var msg27415 = msg("25287", dup311); - -var msg27416 = msg("25288", dup311); - -var msg27417 = msg("25289", dup323); - -var msg27418 = msg("25290", dup323); - -var msg27419 = msg("25291", dup323); - -var msg27420 = msg("25292", dup323); - -var msg27421 = msg("25293", dup307); - -var msg27422 = msg("25294", dup307); - -var msg27423 = msg("25295", dup307); - -var msg27424 = msg("25296", dup307); - -var msg27425 = msg("25297", dup311); - -var msg27426 = msg("25298", dup311); - -var msg27427 = msg("25299", dup314); - -var msg27428 = msg("25300", dup314); - -var msg27429 = msg("25301", dup311); - -var msg27430 = msg("25302", dup311); - -var msg27431 = msg("25303", dup311); - -var msg27432 = msg("25304", dup311); - -var msg27433 = msg("25305", dup314); - -var msg27434 = msg("25306", dup314); - -var msg27435 = msg("25307", dup314); - -var msg27436 = msg("25308", dup314); - -var msg27437 = msg("25309", dup309); - -var msg27438 = msg("25310", dup309); - -var msg27439 = msg("25311", dup309); - -var msg27440 = msg("25312", dup311); - -var msg27441 = msg("25313", dup311); - -var msg27442 = 
msg("25314", dup324); - -var msg27443 = msg("25315", dup314); - -var msg27444 = msg("25316", dup309); - -var msg27445 = msg("25317", dup314); - -var msg27446 = msg("25318", dup314); - -var msg27447 = msg("25319", dup314); - -var msg27448 = msg("25320", dup311); - -var msg27449 = msg("25321", dup309); - -var msg27450 = msg("25322", dup311); - -var msg27451 = msg("25323", dup311); - -var msg27452 = msg("25324", dup311); - -var msg27453 = msg("25325", dup311); - -var msg27454 = msg("25326", dup311); - -var msg27455 = msg("25327", dup311); - -var msg27456 = msg("25328", dup311); - -var msg27457 = msg("25329", dup311); - -var msg27458 = msg("25330", dup309); - -var msg27459 = msg("25331", dup309); - -var msg27460 = msg("25332", dup309); - -var msg27461 = msg("25333", dup309); - -var msg27462 = msg("25334", dup309); - -var msg27463 = msg("25335", dup309); - -var msg27464 = msg("25336", dup309); - -var msg27465 = msg("25337", dup309); - -var msg27466 = msg("25338", dup309); - -var msg27467 = msg("25339", dup309); - -var msg27468 = msg("25340", dup309); - -var msg27469 = msg("25341", dup311); - -var msg27470 = msg("25342", dup324); - -var msg27471 = msg("25343", dup311); - -var msg27472 = msg("25344", dup311); - -var msg27473 = msg("25345", dup311); - -var msg27474 = msg("25346", dup311); - -var msg27475 = msg("25347", dup311); - -var msg27476 = msg("25348", dup311); - -var msg27477 = msg("25349", dup311); - -var msg27478 = msg("25350", dup311); - -var msg27479 = msg("25351", dup311); - -var msg27480 = msg("25352", dup311); - -var msg27481 = msg("25353", dup309); - -var msg27482 = msg("25354", dup309); - -var msg27483 = msg("25355", dup307); - -var msg27484 = msg("25356", dup309); - -var msg27485 = msg("25357", dup311); - -var msg27486 = msg("25358", dup311); - -var msg27487 = msg("25359", dup311); - -var msg27488 = msg("25360", dup311); - -var msg27489 = msg("25361", dup311); - -var msg27490 = msg("25362", dup311); - -var msg27491 = msg("25363", dup311); - -var msg27492 = 
msg("25364", dup311); - -var msg27493 = msg("25365", dup311); - -var msg27494 = msg("25366", dup309); - -var msg27495 = msg("25367", dup309); - -var msg27496 = msg("25368", dup321); - -var msg27497 = msg("25369", dup307); - -var msg27498 = msg("25370", dup311); - -var msg27499 = msg("25371", dup321); - -var msg27500 = msg("25372", dup325); - -var msg27501 = msg("25373", dup314); - -var msg27502 = msg("25374", dup314); - -var msg27503 = msg("25375", dup314); - -var msg27504 = msg("25376", dup309); - -var msg27505 = msg("25377", dup309); - -var msg27506 = msg("25378", dup309); - -var msg27507 = msg("25379", dup309); - -var msg27508 = msg("25380", dup309); - -var msg27509 = msg("25381", dup311); - -var msg27510 = msg("25382", dup311); - -var msg27511 = msg("25383", dup311); - -var msg27512 = msg("25384", dup311); - -var msg27513 = msg("25385", dup311); - -var msg27514 = msg("25386", dup311); - -var msg27515 = msg("25387", dup311); - -var msg27516 = msg("25388", dup311); - -var msg27517 = msg("25389", dup311); - -var msg27518 = msg("25390", dup311); - -var msg27519 = msg("25391", dup311); - -var msg27520 = msg("25392", dup307); - -var msg27521 = msg("25393", dup309); - -var msg27522 = msg("25394", dup314); - -var msg27523 = msg("25395", dup314); - -var msg27524 = msg("25396", dup314); - -var msg27525 = msg("25397", dup314); - -var msg27526 = msg("25398", dup314); - -var msg27527 = msg("25399", dup314); - -var msg27528 = msg("25400", dup314); - -var msg27529 = msg("25401", dup321); - -var msg27530 = msg("25402", dup321); - -var msg27531 = msg("25403", dup321); - -var msg27532 = msg("25404", dup321); - -var msg27533 = msg("25405", dup321); - -var msg27534 = msg("25406", dup321); - -var msg27535 = msg("25407", dup321); - -var msg27536 = msg("25408", dup321); - -var msg27537 = msg("25409", dup321); - -var msg27538 = msg("25410", dup321); - -var msg27539 = msg("25411", dup321); - -var msg27540 = msg("25412", dup321); - -var msg27541 = msg("25413", dup321); - -var msg27542 = 
msg("25414", dup321); - -var msg27543 = msg("25415", dup321); - -var msg27544 = msg("25416", dup321); - -var msg27545 = msg("25417", dup321); - -var msg27546 = msg("25418", dup321); - -var msg27547 = msg("25419", dup321); - -var msg27548 = msg("25420", dup321); - -var msg27549 = msg("25421", dup321); - -var msg27550 = msg("25422", dup321); - -var msg27551 = msg("25423", dup321); - -var msg27552 = msg("25424", dup321); - -var msg27553 = msg("25425", dup321); - -var msg27554 = msg("25426", dup321); - -var msg27555 = msg("25427", dup321); - -var msg27556 = msg("25428", dup321); - -var msg27557 = msg("25429", dup321); - -var msg27558 = msg("25430", dup321); - -var msg27559 = msg("25431", dup321); - -var msg27560 = msg("25432", dup321); - -var msg27561 = msg("25433", dup321); - -var msg27562 = msg("25434", dup321); - -var msg27563 = msg("25435", dup321); - -var msg27564 = msg("25436", dup321); - -var msg27565 = msg("25437", dup321); - -var msg27566 = msg("25438", dup321); - -var msg27567 = msg("25439", dup321); - -var msg27568 = msg("25440", dup321); - -var msg27569 = msg("25441", dup321); - -var msg27570 = msg("25442", dup321); - -var msg27571 = msg("25443", dup321); - -var msg27572 = msg("25444", dup321); - -var msg27573 = msg("25445", dup321); - -var msg27574 = msg("25446", dup321); - -var msg27575 = msg("25447", dup321); - -var msg27576 = msg("25448", dup321); - -var msg27577 = msg("25449", dup323); - -var msg27578 = msg("25450", dup323); - -var msg27579 = msg("25451", dup314); - -var msg27580 = msg("25452", dup314); - -var msg27581 = msg("25453", dup314); - -var msg27582 = msg("25454", dup314); - -var msg27583 = msg("25455", dup314); - -var msg27584 = msg("25456", dup314); - -var msg27585 = msg("25457", dup314); - -var msg27586 = msg("25458", dup314); - -var msg27587 = msg("25459", dup309); - -var msg27588 = msg("25460", dup309); - -var msg27589 = msg("25461", dup309); - -var msg27590 = msg("25462", dup309); - -var msg27591 = msg("25463", dup309); - -var msg27592 = 
msg("25464", dup309); - -var msg27593 = msg("25465", dup321); - -var msg27594 = msg("25466", dup324); - -var msg27595 = msg("25467", dup324); - -var msg27596 = msg("25468", dup324); - -var msg27597 = msg("25469", dup324); - -var msg27598 = msg("25470", dup321); - -var msg27599 = msg("25471", dup321); - -var msg27600 = msg("25472", dup311); - -var msg27601 = msg("25473", dup311); - -var msg27602 = msg("25474", dup314); - -var msg27603 = msg("25475", dup323); - -var msg27604 = msg("25476", dup325); - -var msg27605 = msg("25477", dup321); - -var msg27606 = msg("25478", dup314); - -var msg27607 = msg("25479", dup314); - -var msg27608 = msg("25502", dup309); - -var msg27609 = msg("25503", dup321); - -var msg27610 = msg("25504", dup321); - -var msg27611 = msg("25505", dup311); - -var msg27612 = msg("25506", dup311); - -var msg27613 = msg("25507", dup311); - -var msg27614 = msg("25508", dup311); - -var msg27615 = msg("25509", dup311); - -var msg27616 = msg("25510", dup311); - -var msg27617 = msg("25511", dup321); - -var msg27618 = msg("25512", dup321); - -var msg27619 = msg("25513", dup311); - -var msg27620 = msg("25514", dup311); - -var msg27621 = msg("25515", dup311); - -var msg27622 = msg("25516", dup314); - -var msg27623 = msg("25517", dup314); - -var msg27624 = msg("25518", dup323); - -var msg27625 = msg("25519", dup323); - -var msg27626 = msg("25520", dup323); - -var msg27627 = msg("25521", dup314); - -var msg27628 = msg("25522", dup314); - -var msg27629 = msg("25523", dup314); - -var msg27630 = msg("25524", dup314); - -var msg27631 = msg("25525", dup314); - -var msg27632 = msg("25526", dup307); - -var msg27633 = msg("25527", dup309); - -var msg27634 = msg("25528", dup311); - -var msg27635 = msg("25529", dup321); - -var msg27636 = msg("25530", dup321); - -var msg27637 = msg("25531", dup321); - -var msg27638 = msg("25532", dup321); - -var msg27639 = msg("25533", dup325); - -var msg27640 = msg("25534", dup330); - -var msg27641 = msg("25535", dup311); - -var msg27642 = 
msg("25536", dup314); - -var msg27643 = msg("25537", dup314); - -var msg27644 = msg("25538", dup311); - -var msg27645 = msg("25539", dup311); - -var msg27646 = msg("25540", dup311); - -var msg27647 = msg("25541", dup321); - -var msg27648 = msg("25542", dup308); - -var msg27649 = msg("25543", dup321); - -var msg27650 = msg("25544", dup325); - -var msg27651 = msg("25545", dup321); - -var msg27652 = msg("25546", dup321); - -var msg27653 = msg("25547", dup321); - -var msg27654 = msg("25548", dup321); - -var msg27655 = msg("25549", dup309); - -var msg27656 = msg("25550", dup309); - -var msg27657 = msg("25551", dup321); - -var msg27658 = msg("25552", dup314); - -var msg27659 = msg("25553", dup321); - -var msg27660 = msg("25554", dup321); - -var msg27661 = msg("25555", dup321); - -var msg27662 = msg("25556", dup314); - -var msg27663 = msg("25557", dup316); - -var msg27664 = msg("25558", dup311); - -var msg27665 = msg("25559", dup311); - -var msg27666 = msg("25560", dup311); - -var msg27667 = msg("25561", dup311); - -var msg27668 = msg("25562", dup314); - -var msg27669 = msg("25563", dup309); - -var msg27670 = msg("25564", dup309); - -var msg27671 = msg("25565", dup314); - -var msg27672 = msg("25566", dup314); - -var msg27673 = msg("25567", dup311); - -var msg27674 = msg("25568", dup311); - -var msg27675 = msg("25569", dup311); - -var msg27676 = msg("25570", dup321); - -var msg27677 = msg("25571", dup321); - -var msg27678 = msg("25572", dup321); - -var msg27679 = msg("25573", dup311); - -var msg27680 = msg("25574", dup311); - -var msg27681 = msg("25575", dup311); - -var msg27682 = msg("25576", dup311); - -var msg27683 = msg("25577", dup321); - -var msg27684 = msg("25578", dup311); - -var msg27685 = msg("25579", dup311); - -var msg27686 = msg("25580", dup311); - -var msg27687 = msg("25581", dup316); - -var msg27688 = msg("25582", dup316); - -var msg27689 = msg("25583", dup316); - -var msg27690 = msg("25584", dup316); - -var msg27691 = msg("25585", dup316); - -var msg27692 = 
msg("25586", dup309); - -var msg27693 = msg("25587", dup309); - -var msg27694 = msg("25588", dup309); - -var msg27695 = msg("25589", dup309); - -var msg27696 = msg("25590", dup311); - -var msg27697 = msg("25591", dup311); - -var msg27698 = msg("25592", dup314); - -var msg27699 = msg("25593", dup311); - -var msg27700 = msg("25594", dup311); - -var msg27701 = msg("25595", dup311); - -var msg27702 = msg("25596", dup311); - -var msg27703 = msg("25597", dup311); - -var msg27704 = msg("25598", dup311); - -var msg27705 = msg("25599", dup321); - -var msg27706 = msg("25600", dup321); - -var msg27707 = msg("25601", dup309); - -var msg27708 = msg("25602", dup314); - -var msg27709 = msg("25603", dup311); - -var msg27710 = msg("25604", dup314); - -var msg27711 = msg("25605", dup314); - -var msg27712 = msg("25606", dup314); - -var msg27713 = msg("25607", dup309); - -var msg27714 = msg("25608", dup309); - -var msg27715 = msg("25609", dup321); - -var msg27716 = msg("25610", dup321); - -var msg27717 = msg("25611", dup311); - -var msg27718 = msg("25612", dup309); - -var msg27719 = msg("25613", dup314); - -var msg27720 = msg("25614", dup314); - -var msg27721 = msg("25615", dup314); - -var msg27722 = msg("25616", dup314); - -var msg27723 = msg("25617", dup309); - -var msg27724 = msg("25618", dup309); - -var msg27725 = msg("25619", dup309); - -var msg27726 = msg("25620", dup309); - -var msg27727 = msg("25621", dup314); - -var msg27728 = msg("25622", dup314); - -var msg27729 = msg("25623", dup321); - -var msg27730 = msg("25624", dup321); - -var msg27731 = msg("25625", dup321); - -var msg27732 = msg("25626", dup321); - -var msg27733 = msg("25627", dup321); - -var msg27734 = msg("25628", dup321); - -var msg27735 = msg("25630", dup309); - -var msg27736 = msg("25631", dup309); - -var msg27737 = msg("25632", dup321); - -var msg27738 = msg("25633", dup321); - -var msg27739 = msg("25634", dup316); - -var msg27740 = msg("25635", dup316); - -var msg27741 = msg("25636", dup316); - -var msg27742 = 
msg("25637", dup316); - -var msg27743 = msg("25638", dup316); - -var msg27744 = msg("25639", dup316); - -var msg27745 = msg("25640", dup316); - -var msg27746 = msg("25641", dup316); - -var msg27747 = msg("25642", dup316); - -var msg27748 = msg("25643", dup316); - -var msg27749 = msg("25644", dup309); - -var msg27750 = msg("25645", dup309); - -var msg27751 = msg("25646", dup309); - -var msg27752 = msg("25647", dup309); - -var msg27753 = msg("25648", dup309); - -var msg27754 = msg("25649", dup309); - -var msg27755 = msg("25650", dup309); - -var msg27756 = msg("25651", dup311); - -var msg27757 = msg("25652", dup321); - -var msg27758 = msg("25653", dup314); - -var msg27759 = msg("25654", dup309); - -var msg27760 = msg("25655", dup309); - -var msg27761 = msg("25656", dup309); - -var msg27762 = msg("25657", dup314); - -var msg27763 = msg("25658", dup314); - -var msg27764 = msg("25659", dup325); - -var msg27765 = msg("25660", dup321); - -var msg27766 = msg("25661", dup321); - -var msg27767 = msg("25662", dup321); - -var msg27768 = msg("25663", dup321); - -var msg27769 = msg("25664", dup309); - -var msg27770 = msg("25665", dup321); - -var msg27771 = msg("25666", dup321); - -var msg27772 = msg("25667", dup321); - -var msg27773 = msg("25668", dup321); - -var msg27774 = msg("25669", dup321); - -var msg27775 = msg("25670", dup321); - -var msg27776 = msg("25671", dup321); - -var msg27777 = msg("25672", dup321); - -var msg27778 = msg("25673", dup321); - -var msg27779 = msg("25674", dup321); - -var msg27780 = msg("25675", dup321); - -var msg27781 = msg("25676", dup311); - -var msg27782 = msg("25677", dup311); - -var msg27783 = msg("25678", dup311); - -var msg27784 = msg("25679", dup311); - -var msg27785 = msg("25680", dup314); - -var msg27786 = msg("25681", dup309); - -var msg27787 = msg("25682", dup314); - -var msg27788 = msg("25683", dup309); - -var msg27789 = msg("25684", dup321); - -var msg27790 = msg("25685", dup321); - -var msg27791 = msg("25686", dup321); - -var msg27792 = 
msg("25687", dup321); - -var msg27793 = msg("25688", dup321); - -var msg27794 = msg("25689", dup321); - -var msg27795 = msg("25690", dup321); - -var msg27796 = msg("25691", dup321); - -var msg27797 = msg("25692", dup321); - -var msg27798 = msg("25693", dup321); - -var msg27799 = msg("25694", dup321); - -var msg27800 = msg("25695", dup321); - -var msg27801 = msg("25696", dup321); - -var msg27802 = msg("25697", dup321); - -var msg27803 = msg("25698", dup321); - -var msg27804 = msg("25699", dup321); - -var msg27805 = msg("25700", dup321); - -var msg27806 = msg("25701", dup321); - -var msg27807 = msg("25702", dup321); - -var msg27808 = msg("25703", dup321); - -var msg27809 = msg("25704", dup321); - -var msg27810 = msg("25705", dup321); - -var msg27811 = msg("25706", dup321); - -var msg27812 = msg("25707", dup321); - -var msg27813 = msg("25708", dup321); - -var msg27814 = msg("25709", dup321); - -var msg27815 = msg("25710", dup321); - -var msg27816 = msg("25711", dup321); - -var msg27817 = msg("25712", dup321); - -var msg27818 = msg("25713", dup321); - -var msg27819 = msg("25714", dup321); - -var msg27820 = msg("25715", dup321); - -var msg27821 = msg("25716", dup321); - -var msg27822 = msg("25717", dup321); - -var msg27823 = msg("25718", dup321); - -var msg27824 = msg("25719", dup321); - -var msg27825 = msg("25720", dup321); - -var msg27826 = msg("25721", dup321); - -var msg27827 = msg("25722", dup321); - -var msg27828 = msg("25723", dup321); - -var msg27829 = msg("25724", dup321); - -var msg27830 = msg("25725", dup321); - -var msg27831 = msg("25726", dup321); - -var msg27832 = msg("25727", dup321); - -var msg27833 = msg("25728", dup321); - -var msg27834 = msg("25729", dup321); - -var msg27835 = msg("25730", dup321); - -var msg27836 = msg("25731", dup321); - -var msg27837 = msg("25732", dup321); - -var msg27838 = msg("25733", dup321); - -var msg27839 = msg("25734", dup321); - -var msg27840 = msg("25735", dup321); - -var msg27841 = msg("25736", dup321); - -var msg27842 = 
msg("25737", dup321); - -var msg27843 = msg("25738", dup321); - -var msg27844 = msg("25739", dup321); - -var msg27845 = msg("25740", dup321); - -var msg27846 = msg("25741", dup321); - -var msg27847 = msg("25742", dup321); - -var msg27848 = msg("25743", dup321); - -var msg27849 = msg("25744", dup321); - -var msg27850 = msg("25745", dup321); - -var msg27851 = msg("25746", dup321); - -var msg27852 = msg("25747", dup321); - -var msg27853 = msg("25748", dup321); - -var msg27854 = msg("25749", dup321); - -var msg27855 = msg("25750", dup321); - -var msg27856 = msg("25751", dup321); - -var msg27857 = msg("25752", dup321); - -var msg27858 = msg("25753", dup321); - -var msg27859 = msg("25754", dup321); - -var msg27860 = msg("25755", dup321); - -var msg27861 = msg("25756", dup321); - -var msg27862 = msg("25757", dup321); - -var msg27863 = msg("25758", dup321); - -var msg27864 = msg("25759", dup321); - -var msg27865 = msg("25760", dup321); - -var msg27866 = msg("25761", dup321); - -var msg27867 = msg("25762", dup321); - -var msg27868 = msg("25763", dup321); - -var msg27869 = msg("25764", dup321); - -var msg27870 = msg("25765", dup321); - -var msg27871 = msg("25766", dup321); - -var msg27872 = msg("25767", dup314); - -var msg27873 = msg("25768", dup309); - -var msg27874 = msg("25769", dup314); - -var msg27875 = msg("25770", dup311); - -var msg27876 = msg("25771", dup325); - -var msg27877 = msg("25772", dup325); - -var msg27878 = msg("25773", dup325); - -var msg27879 = msg("25774", dup323); - -var msg27880 = msg("25775", dup325); - -var msg27881 = msg("25776", dup311); - -var msg27882 = msg("25777", dup311); - -var msg27883 = msg("25778", dup325); - -var msg27884 = msg("25779", dup311); - -var msg27885 = msg("25780", dup309); - -var msg27886 = msg("25781", dup311); - -var msg27887 = msg("25782", dup311); - -var msg27888 = msg("25783", dup322); - -var msg27889 = msg("25784", dup325); - -var msg27890 = msg("25785", dup325); - -var msg27891 = msg("25786", dup311); - -var msg27892 = 
msg("25787", dup311); - -var msg27893 = msg("25788", dup325); - -var msg27894 = msg("25789", dup325); - -var msg27895 = msg("25790", dup325); - -var msg27896 = msg("25791", dup325); - -var msg27897 = msg("25792", dup325); - -var msg27898 = msg("25793", dup325); - -var msg27899 = msg("25794", dup325); - -var msg27900 = msg("25795", dup309); - -var msg27901 = msg("25796", dup309); - -var msg27902 = msg("25797", dup311); - -var msg27903 = msg("25798", dup307); - -var msg27904 = msg("25799", dup311); - -var msg27905 = msg("25800", dup307); - -var msg27906 = msg("25801", dup311); - -var msg27907 = msg("25802", dup311); - -var msg27908 = msg("25803", dup311); - -var msg27909 = msg("25804", dup311); - -var msg27910 = msg("25805", dup311); - -var msg27911 = msg("25806", dup311); - -var msg27912 = msg("25807", dup321); - -var msg27913 = msg("25808", dup311); - -var msg27914 = msg("25809", dup321); - -var msg27915 = msg("25810", dup311); - -var msg27916 = msg("25811", dup311); - -var msg27917 = msg("25812", dup311); - -var msg27918 = msg("25813", dup311); - -var msg27919 = msg("25814", dup314); - -var msg27920 = msg("25815", dup309); - -var msg27921 = msg("25816", dup309); - -var msg27922 = msg("25817", dup321); - -var msg27923 = msg("25818", dup325); - -var msg27924 = msg("25819", dup325); - -var msg27925 = msg("25820", dup311); - -var msg27926 = msg("25821", dup311); - -var msg27927 = msg("25822", dup311); - -var msg27928 = msg("25823", dup311); - -var msg27929 = msg("25824", dup311); - -var msg27930 = msg("25825", dup314); - -var msg27931 = msg("25826", dup314); - -var msg27932 = msg("25827", dup314); - -var msg27933 = msg("25828", dup314); - -var msg27934 = msg("25829", dup321); - -var msg27935 = msg("25830", dup325); - -var msg27936 = msg("25831", dup311); - -var msg27937 = msg("25832", dup311); - -var msg27938 = msg("25833", dup325); - -var msg27939 = msg("25834", dup311); - -var msg27940 = msg("25835", dup307); - -var msg27941 = msg("25836", dup325); - -var msg27942 = 
msg("25837", dup325); - -var msg27943 = msg("25838", dup325); - -var msg27944 = msg("25839", dup325); - -var msg27945 = msg("25840", dup325); - -var msg27946 = msg("25841", dup325); - -var msg27947 = msg("25842", dup325); - -var msg27948 = msg("25843", dup325); - -var msg27949 = msg("25844", dup325); - -var msg27950 = msg("25845", dup325); - -var msg27951 = msg("25846", dup325); - -var msg27952 = msg("25847", dup325); - -var msg27953 = msg("25848", dup325); - -var msg27954 = msg("25849", dup314); - -var msg27955 = msg("25850", dup314); - -var msg27956 = msg("25851", dup314); - -var msg27957 = msg("25852", dup314); - -var msg27958 = msg("25853", dup309); - -var msg27959 = msg("25854", dup321); - -var msg27960 = msg("25855", dup311); - -var msg27961 = msg("25856", dup309); - -var msg27962 = msg("25857", dup311); - -var msg27963 = msg("25858", dup311); - -var msg27964 = msg("25859", dup311); - -var msg27965 = msg("25860", dup311); - -var msg27966 = msg("25861", dup311); - -var msg27967 = msg("25862", dup311); - -var msg27968 = msg("25863", dup321); - -var msg27969 = msg("25864", dup321); - -var msg27970 = msg("25865", dup321); - -var msg27971 = msg("25866", dup321); - -var msg27972 = msg("25867", dup321); - -var msg27973 = msg("25868", dup321); - -var msg27974 = msg("25869", dup309); - -var msg27975 = msg("25870", dup309); - -var msg27976 = msg("25871", dup309); - -var msg27977 = msg("25872", dup309); - -var msg27978 = msg("25873", dup309); - -var msg27979 = msg("25874", dup309); - -var msg27980 = msg("25875", dup309); - -var msg27981 = msg("25876", dup309); - -var msg27982 = msg("25877", dup309); - -var msg27983 = msg("25878", dup309); - -var msg27984 = msg("25879", dup309); - -var msg27985 = msg("25880", dup309); - -var msg27986 = msg("25881", dup309); - -var msg27987 = msg("25882", dup309); - -var msg27988 = msg("25883", dup309); - -var msg27989 = msg("25884", dup309); - -var msg27990 = msg("25885", dup309); - -var msg27991 = msg("25886", dup309); - -var msg27992 = 
msg("25887", dup309); - -var msg27993 = msg("25888", dup309); - -var msg27994 = msg("25889", dup309); - -var msg27995 = msg("25890", dup309); - -var msg27996 = msg("25891", dup309); - -var msg27997 = msg("25892", dup309); - -var msg27998 = msg("25893", dup309); - -var msg27999 = msg("25894", dup309); - -var msg28000 = msg("25895", dup309); - -var msg28001 = msg("25896", dup309); - -var msg28002 = msg("25897", dup309); - -var msg28003 = msg("25898", dup309); - -var msg28004 = msg("25899", dup309); - -var msg28005 = msg("25900", dup309); - -var msg28006 = msg("25901", dup309); - -var msg28007 = msg("25902", dup309); - -var msg28008 = msg("25903", dup309); - -var msg28009 = msg("25904", dup309); - -var msg28010 = msg("25905", dup309); - -var msg28011 = msg("25906", dup309); - -var msg28012 = msg("25907", dup314); - -var msg28013 = msg("25908", dup309); - -var msg28014 = msg("25909", dup309); - -var msg28015 = msg("25910", dup309); - -var msg28016 = msg("25911", dup309); - -var msg28017 = msg("25912", dup309); - -var msg28018 = msg("25913", dup309); - -var msg28019 = msg("25914", dup309); - -var msg28020 = msg("25915", dup309); - -var msg28021 = msg("25916", dup309); - -var msg28022 = msg("25917", dup309); - -var msg28023 = msg("25918", dup309); - -var msg28024 = msg("25919", dup309); - -var msg28025 = msg("25920", dup309); - -var msg28026 = msg("25921", dup309); - -var msg28027 = msg("25922", dup309); - -var msg28028 = msg("25923", dup309); - -var msg28029 = msg("25924", dup309); - -var msg28030 = msg("25925", dup309); - -var msg28031 = msg("25926", dup309); - -var msg28032 = msg("25927", dup309); - -var msg28033 = msg("25928", dup314); - -var msg28034 = msg("25929", dup314); - -var msg28035 = msg("25930", dup314); - -var msg28036 = msg("25931", dup314); - -var msg28037 = msg("25932", dup314); - -var msg28038 = msg("25933", dup314); - -var msg28039 = msg("25934", dup314); - -var msg28040 = msg("25935", dup314); - -var msg28041 = msg("25936", dup314); - -var msg28042 = 
msg("25937", dup314); - -var msg28043 = msg("25938", dup314); - -var msg28044 = msg("25939", dup314); - -var msg28045 = msg("25940", dup314); - -var msg28046 = msg("25941", dup314); - -var msg28047 = msg("25942", dup314); - -var msg28048 = msg("25943", dup314); - -var msg28049 = msg("25944", dup314); - -var msg28050 = msg("25945", dup314); - -var msg28051 = msg("25946", dup321); - -var msg28052 = msg("25947", dup314); - -var msg28053 = msg("25948", dup311); - -var msg28054 = msg("25949", dup321); - -var msg28055 = msg("25950", dup311); - -var msg28056 = msg("25951", dup311); - -var msg28057 = msg("25952", dup311); - -var msg28058 = msg("25953", dup311); - -var msg28059 = msg("25954", dup311); - -var msg28060 = msg("25955", dup311); - -var msg28061 = msg("25956", dup311); - -var msg28062 = msg("25957", dup311); - -var msg28063 = msg("25958", dup311); - -var msg28064 = msg("25959", dup311); - -var msg28065 = msg("25960", dup311); - -var msg28066 = msg("25961", dup311); - -var msg28067 = msg("25962", dup311); - -var msg28068 = msg("25963", dup311); - -var msg28069 = msg("25964", dup311); - -var msg28070 = msg("25965", dup311); - -var msg28071 = msg("25966", dup311); - -var msg28072 = msg("25967", dup311); - -var msg28073 = msg("25968", dup311); - -var msg28074 = msg("25969", dup309); - -var msg28075 = msg("25970", dup314); - -var msg28076 = msg("25971", dup311); - -var msg28077 = msg("25972", dup311); - -var msg28078 = msg("25973", dup321); - -var msg28079 = msg("25974", dup321); - -var msg28080 = msg("25975", dup314); - -var msg28081 = msg("25976", dup314); - -var msg28082 = msg("25977", dup314); - -var msg28083 = msg("25978", dup321); - -var msg28084 = msg("25979", dup321); - -var msg28085 = msg("25980", dup325); - -var msg28086 = msg("25981", dup314); - -var msg28087 = msg("25982", dup311); - -var msg28088 = msg("25983", dup327); - -var msg28089 = msg("25984", dup311); - -var msg28090 = msg("25985", dup311); - -var msg28091 = msg("25986", dup311); - -var msg28092 = 
msg("25987", dup321); - -var msg28093 = msg("25988", dup311); - -var msg28094 = msg("25989", dup311); - -var msg28095 = msg("25990", dup321); - -var msg28096 = msg("25991", dup321); - -var msg28097 = msg("25992", dup321); - -var msg28098 = msg("25993", dup321); - -var msg28099 = msg("25994", dup321); - -var msg28100 = msg("25995", dup321); - -var msg28101 = msg("25996", dup321); - -var msg28102 = msg("25997", dup321); - -var msg28103 = msg("25998", dup321); - -var msg28104 = msg("25999", dup321); - -var msg28105 = msg("26000", dup307); - -var msg28106 = msg("26001", dup307); - -var msg28107 = msg("26002", dup307); - -var msg28108 = msg("26003", dup307); - -var msg28109 = msg("26004", dup307); - -var msg28110 = msg("26005", dup307); - -var msg28111 = msg("26006", dup307); - -var msg28112 = msg("26007", dup307); - -var msg28113 = msg("26008", dup316); - -var msg28114 = msg("26009", dup316); - -var msg28115 = msg("26010", dup321); - -var msg28116 = msg("26011", dup309); - -var msg28117 = msg("26012", dup311); - -var msg28118 = msg("26013", dup311); - -var msg28119 = msg("26014", dup311); - -var msg28120 = msg("26015", dup321); - -var msg28121 = msg("26016", dup321); - -var msg28122 = msg("26017", dup321); - -var msg28123 = msg("26018", dup321); - -var msg28124 = msg("26019", dup321); - -var msg28125 = msg("26020", dup311); - -var msg28126 = msg("26021", dup314); - -var msg28127 = msg("26022", dup314); - -var msg28128 = msg("26023", dup321); - -var msg28129 = msg("26024", dup321); - -var msg28130 = msg("26025", dup314); - -var msg28131 = msg("26026", dup321); - -var msg28132 = msg("26027", dup309); - -var msg28133 = msg("26028", dup311); - -var msg28134 = msg("26029", dup311); - -var msg28135 = msg("26030", dup325); - -var msg28136 = msg("26031", dup311); - -var msg28137 = msg("26032", dup311); - -var msg28138 = msg("26033", dup311); - -var msg28139 = msg("26034", dup311); - -var msg28140 = msg("26035", dup311); - -var msg28141 = msg("26036", dup311); - -var msg28142 = 
msg("26037", dup311); - -var msg28143 = msg("26038", dup311); - -var msg28144 = msg("26039", dup311); - -var msg28145 = msg("26040", dup311); - -var msg28146 = msg("26041", dup311); - -var msg28147 = msg("26042", dup311); - -var msg28148 = msg("26043", dup311); - -var msg28149 = msg("26044", dup311); - -var msg28150 = msg("26045", dup311); - -var msg28151 = msg("26046", dup311); - -var msg28152 = msg("26047", dup311); - -var msg28153 = msg("26048", dup311); - -var msg28154 = msg("26049", dup311); - -var msg28155 = msg("26050", dup311); - -var msg28156 = msg("26051", dup311); - -var msg28157 = msg("26052", dup311); - -var msg28158 = msg("26053", dup311); - -var msg28159 = msg("26054", dup311); - -var msg28160 = msg("26055", dup311); - -var msg28161 = msg("26056", dup311); - -var msg28162 = msg("26057", dup323); - -var msg28163 = msg("26058", dup323); - -var msg28164 = msg("26059", dup314); - -var msg28165 = msg("26060", dup314); - -var msg28166 = msg("26061", dup314); - -var msg28167 = msg("26062", dup314); - -var msg28168 = msg("26063", dup314); - -var msg28169 = msg("26064", dup314); - -var msg28170 = msg("26065", dup314); - -var msg28171 = msg("26066", dup311); - -var msg28172 = msg("26067", dup311); - -var msg28173 = msg("26068", dup311); - -var msg28174 = msg("26069", dup311); - -var msg28175 = msg("26070", dup311); - -var msg28176 = msg("26071", dup311); - -var msg28177 = msg("26072", dup321); - -var msg28178 = msg("26073", dup309); - -var msg28179 = msg("26074", dup309); - -var msg28180 = msg("26075", dup321); - -var msg28181 = msg("26076", dup323); - -var msg28182 = msg("26077", dup323); - -var msg28183 = msg("26078", dup314); - -var msg28184 = msg("26079", dup314); - -var msg28185 = msg("26080", dup309); - -var msg28186 = msg("26081", dup325); - -var msg28187 = msg("26082", dup309); - -var msg28188 = msg("26083", dup314); - -var msg28189 = msg("26084", dup314); - -var msg28190 = msg("26085", dup314); - -var msg28191 = msg("26086", dup321); - -var msg28192 = 
msg("26087", dup321); - -var msg28193 = msg("26088", dup321); - -var msg28194 = msg("26089", dup309); - -var msg28195 = msg("26090", dup311); - -var msg28196 = msg("26091", dup311); - -var msg28197 = msg("26092", dup311); - -var msg28198 = msg("26093", dup311); - -var msg28199 = msg("26094", dup311); - -var msg28200 = msg("26095", dup311); - -var msg28201 = msg("26096", dup311); - -var msg28202 = msg("26097", dup311); - -var msg28203 = msg("26098", dup311); - -var msg28204 = msg("26099", dup311); - -var msg28205 = msg("26100", dup311); - -var msg28206 = msg("26101", dup314); - -var msg28207 = msg("26102", dup321); - -var msg28208 = msg("26103", dup309); - -var msg28209 = msg("26104", dup321); - -var msg28210 = msg("26105", dup309); - -var msg28211 = msg("26106", dup321); - -var msg28212 = msg("26107", dup316); - -var msg28213 = msg("26108", dup316); - -var msg28214 = msg("26109", dup309); - -var msg28215 = msg("26110", dup311); - -var msg28216 = msg("26111", dup311); - -var msg28217 = msg("26112", dup311); - -var msg28218 = msg("26113", dup311); - -var msg28219 = msg("26114", dup321); - -var msg28220 = msg("26115", dup321); - -var msg28221 = msg("26116", dup321); - -var msg28222 = msg("26117", dup321); - -var msg28223 = msg("26118", dup321); - -var msg28224 = msg("26119", dup321); - -var msg28225 = msg("26120", dup321); - -var msg28226 = msg("26121", dup321); - -var msg28227 = msg("26122", dup309); - -var msg28228 = msg("26123", dup309); - -var msg28229 = msg("26124", dup311); - -var msg28230 = msg("26125", dup325); - -var msg28231 = msg("26126", dup325); - -var msg28232 = msg("26127", dup325); - -var msg28233 = msg("26128", dup325); - -var msg28234 = msg("26129", dup325); - -var msg28235 = msg("26130", dup325); - -var msg28236 = msg("26131", dup311); - -var msg28237 = msg("26132", dup325); - -var msg28238 = msg("26133", dup325); - -var msg28239 = msg("26134", dup311); - -var msg28240 = msg("26135", dup325); - -var msg28241 = msg("26136", dup325); - -var msg28242 = 
msg("26137", dup325); - -var msg28243 = msg("26138", dup325); - -var msg28244 = msg("26139", dup321); - -var msg28245 = msg("26140", dup321); - -var msg28246 = msg("26141", dup321); - -var msg28247 = msg("26142", dup321); - -var msg28248 = msg("26143", dup321); - -var msg28249 = msg("26144", dup321); - -var msg28250 = msg("26145", dup321); - -var msg28251 = msg("26146", dup321); - -var msg28252 = msg("26147", dup321); - -var msg28253 = msg("26148", dup321); - -var msg28254 = msg("26149", dup321); - -var msg28255 = msg("26150", dup321); - -var msg28256 = msg("26151", dup321); - -var msg28257 = msg("26152", dup321); - -var msg28258 = msg("26153", dup321); - -var msg28259 = msg("26154", dup321); - -var msg28260 = msg("26155", dup321); - -var msg28261 = msg("26156", dup321); - -var msg28262 = msg("26157", dup325); - -var msg28263 = msg("26158", dup325); - -var msg28264 = msg("26159", dup325); - -var msg28265 = msg("26160", dup325); - -var msg28266 = msg("26161", dup325); - -var msg28267 = msg("26162", dup325); - -var msg28268 = msg("26163", dup309); - -var msg28269 = msg("26164", dup309); - -var msg28270 = msg("26165", dup314); - -var msg28271 = msg("26166", dup314); - -var msg28272 = msg("26167", dup314); - -var msg28273 = msg("26168", dup325); - -var msg28274 = msg("26169", dup325); - -var msg28275 = msg("26170", dup309); - -var msg28276 = msg("26171", dup309); - -var msg28277 = msg("26172", dup309); - -var msg28278 = msg("26173", dup309); - -var msg28279 = msg("26174", dup309); - -var msg28280 = msg("26175", dup309); - -var msg28281 = msg("26176", dup309); - -var msg28282 = msg("26177", dup309); - -var msg28283 = msg("26178", dup321); - -var msg28284 = msg("26179", dup331); - -var msg28285 = msg("26180", dup309); - -var msg28286 = msg("26181", dup314); - -var msg28287 = msg("26182", dup314); - -var msg28288 = msg("26183", dup314); - -var msg28289 = msg("26184", dup314); - -var msg28290 = msg("26185", dup314); - -var msg28291 = msg("26186", dup314); - -var msg28292 = 
msg("26187", dup314); - -var msg28293 = msg("26188", dup309); - -var msg28294 = msg("26189", dup321); - -var msg28295 = msg("26190", dup321); - -var msg28296 = msg("26191", dup314); - -var msg28297 = msg("26192", dup321); - -var msg28298 = msg("26193", dup311); - -var msg28299 = msg("26194", dup311); - -var msg28300 = msg("26195", dup309); - -var msg28301 = msg("26196", dup309); - -var msg28302 = msg("26197", dup309); - -var msg28303 = msg("26198", dup309); - -var msg28304 = msg("26199", dup309); - -var msg28305 = msg("26200", dup309); - -var msg28306 = msg("26201", dup321); - -var msg28307 = msg("26202", dup321); - -var msg28308 = msg("26203", dup321); - -var msg28309 = msg("26204", dup321); - -var msg28310 = msg("26205", dup321); - -var msg28311 = msg("26206", dup314); - -var msg28312 = msg("26207", dup314); - -var msg28313 = msg("26208", dup314); - -var msg28314 = msg("26209", dup309); - -var msg28315 = msg("26210", dup309); - -var msg28316 = msg("26211", dup321); - -var msg28317 = msg("26212", dup321); - -var msg28318 = msg("26213", dup311); - -var msg28319 = msg("26214", dup311); - -var msg28320 = msg("26215", dup311); - -var msg28321 = msg("26216", dup325); - -var msg28322 = msg("26217", dup325); - -var msg28323 = msg("26218", dup325); - -var msg28324 = msg("26219", dup325); - -var msg28325 = msg("26220", dup325); - -var msg28326 = msg("26221", dup325); - -var msg28327 = msg("26222", dup325); - -var msg28328 = msg("26223", dup325); - -var msg28329 = msg("26224", dup325); - -var msg28330 = msg("26225", dup325); - -var msg28331 = msg("26226", dup311); - -var msg28332 = msg("26227", dup311); - -var msg28333 = msg("26228", dup311); - -var msg28334 = msg("26229", dup311); - -var msg28335 = msg("26230", dup307); - -var msg28336 = msg("26231", dup311); - -var msg28337 = msg("26232", dup311); - -var msg28338 = msg("26233", dup311); - -var msg28339 = msg("26234", dup311); - -var msg28340 = msg("26235", dup311); - -var msg28341 = msg("26236", dup311); - -var msg28342 = 
msg("26237", dup311); - -var msg28343 = msg("26238", dup321); - -var msg28344 = msg("26239", dup321); - -var msg28345 = msg("26240", dup321); - -var msg28346 = msg("26241", dup314); - -var msg28347 = msg("26242", dup309); - -var msg28348 = msg("26243", dup309); - -var msg28349 = msg("26244", dup321); - -var msg28350 = msg("26245", dup321); - -var msg28351 = msg("26246", dup321); - -var msg28352 = msg("26247", dup321); - -var msg28353 = msg("26248", dup325); - -var msg28354 = msg("26249", dup321); - -var msg28355 = msg("26250", dup311); - -var msg28356 = msg("26251", dup314); - -var msg28357 = msg("26252", dup311); - -var msg28358 = msg("26253", dup311); - -var msg28359 = msg("26254", dup311); - -var msg28360 = msg("26255", dup311); - -var msg28361 = msg("26256", dup311); - -var msg28362 = msg("26257", dup311); - -var msg28363 = msg("26258", dup314); - -var msg28364 = msg("26259", dup314); - -var msg28365 = msg("26260", dup321); - -var msg28366 = msg("26261", dup311); - -var msg28367 = msg("26262", dup316); - -var msg28368 = msg("26263", dup311); - -var msg28369 = msg("26264", dup321); - -var msg28370 = msg("26265", dup321); - -var msg28371 = msg("26266", dup321); - -var msg28372 = msg("26267", dup321); - -var msg28373 = msg("26268", dup321); - -var msg28374 = msg("26269", dup321); - -var msg28375 = msg("26270", dup321); - -var msg28376 = msg("26271", dup321); - -var msg28377 = msg("26272", dup321); - -var msg28378 = msg("26273", dup321); - -var msg28379 = msg("26274", dup311); - -var msg28380 = msg("26275", dup311); - -var msg28381 = msg("26276", dup311); - -var msg28382 = msg("26277", dup311); - -var msg28383 = msg("26278", dup332); - -var msg28384 = msg("26279", dup332); - -var msg28385 = msg("26280", dup309); - -var msg28386 = msg("26281", dup309); - -var msg28387 = msg("26282", dup309); - -var msg28388 = msg("26283", dup309); - -var msg28389 = msg("26284", dup321); - -var msg28390 = msg("26285", dup321); - -var msg28391 = msg("26286", dup329); - -var msg28392 = 
msg("26287", dup314); - -var msg28393 = msg("26288", dup321); - -var msg28394 = msg("26289", dup321); - -var msg28395 = msg("26290", dup321); - -var msg28396 = msg("26291", dup321); - -var msg28397 = msg("26292", dup314); - -var msg28398 = msg("26293", dup311); - -var msg28399 = msg("26294", dup314); - -var msg28400 = msg("26295", dup314); - -var msg28401 = msg("26296", dup311); - -var msg28402 = msg("26297", dup311); - -var msg28403 = msg("26298", dup307); - -var msg28404 = msg("26299", dup322); - -var msg28405 = msg("26300", dup322); - -var msg28406 = msg("26301", dup307); - -var msg28407 = msg("26302", dup322); - -var msg28408 = msg("26303", dup322); - -var msg28409 = msg("26304", dup322); - -var msg28410 = msg("26305", dup307); - -var msg28411 = msg("26306", dup322); - -var msg28412 = msg("26307", dup322); - -var msg28413 = msg("26308", dup322); - -var msg28414 = msg("26309", dup307); - -var msg28415 = msg("26310", dup322); - -var msg28416 = msg("26311", dup322); - -var msg28417 = msg("26312", dup322); - -var msg28418 = msg("26313", dup307); - -var msg28419 = msg("26314", dup311); - -var msg28420 = msg("26315", dup311); - -var msg28421 = msg("26316", dup311); - -var msg28422 = msg("26317", dup309); - -var msg28423 = msg("26318", dup309); - -var msg28424 = msg("26319", dup321); - -var msg28425 = msg("26320", dup316); - -var msg28426 = msg("26321", dup306); - -var msg28427 = msg("26322", dup306); - -var msg28428 = msg("26323", dup311); - -var msg28429 = msg("26324", dup324); - -var msg28430 = msg("26325", dup321); - -var msg28431 = msg("26326", dup321); - -var msg28432 = msg("26327", dup321); - -var msg28433 = msg("26328", dup321); - -var msg28434 = msg("26329", dup309); - -var msg28435 = msg("26330", dup309); - -var msg28436 = msg("26331", dup321); - -var msg28437 = msg("26332", dup321); - -var msg28438 = msg("26333", dup309); - -var msg28439 = msg("26334", dup309); - -var msg28440 = msg("26335", dup321); - -var msg28441 = msg("26336", dup309); - -var msg28442 = 
msg("26337", dup311); - -var msg28443 = msg("26338", dup311); - -var msg28444 = msg("26339", dup311); - -var msg28445 = msg("26340", dup309); - -var msg28446 = msg("26341", dup311); - -var msg28447 = msg("26342", dup311); - -var msg28448 = msg("26343", dup311); - -var msg28449 = msg("26344", dup311); - -var msg28450 = msg("26345", dup311); - -var msg28451 = msg("26346", dup311); - -var msg28452 = msg("26347", dup311); - -var msg28453 = msg("26348", dup311); - -var msg28454 = msg("26349", dup311); - -var msg28455 = msg("26350", dup311); - -var msg28456 = msg("26351", dup311); - -var msg28457 = msg("26352", dup311); - -var msg28458 = msg("26353", dup323); - -var msg28459 = msg("26354", dup311); - -var msg28460 = msg("26355", dup314); - -var msg28461 = msg("26356", dup314); - -var msg28462 = msg("26357", dup314); - -var msg28463 = msg("26358", dup314); - -var msg28464 = msg("26359", dup314); - -var msg28465 = msg("26360", dup314); - -var msg28466 = msg("26361", dup314); - -var msg28467 = msg("26362", dup314); - -var msg28468 = msg("26363", dup314); - -var msg28469 = msg("26364", dup314); - -var msg28470 = msg("26365", dup314); - -var msg28471 = msg("26366", dup311); - -var msg28472 = msg("26367", dup311); - -var msg28473 = msg("26368", dup311); - -var msg28474 = msg("26369", dup321); - -var msg28475 = msg("26370", dup321); - -var msg28476 = msg("26371", dup321); - -var msg28477 = msg("26372", dup324); - -var msg28478 = msg("26373", dup324); - -var msg28479 = msg("26374", dup324); - -var msg28480 = msg("26375", dup314); - -var msg28481 = msg("26376", dup314); - -var msg28482 = msg("26377", dup311); - -var msg28483 = msg("26378", dup314); - -var msg28484 = msg("26379", dup324); - -var msg28485 = msg("26380", dup323); - -var msg28486 = msg("26381", dup323); - -var msg28487 = msg("26382", dup323); - -var msg28488 = msg("26383", dup311); - -var msg28489 = msg("26384", dup311); - -var msg28490 = msg("26385", dup311); - -var msg28491 = msg("26386", dup330); - -var msg28492 = 
msg("26387", dup321); - -var msg28493 = msg("26388", dup321); - -var msg28494 = msg("26389", dup314); - -var msg28495 = msg("26390", dup314); - -var msg28496 = msg("26391", dup309); - -var msg28497 = msg("26392", dup314); - -var msg28498 = msg("26393", dup314); - -var msg28499 = msg("26394", dup309); - -var msg28500 = msg("26395", dup321); - -var msg28501 = msg("26396", dup321); - -var msg28502 = msg("26397", dup323); - -var msg28503 = msg("26398", dup321); - -var msg28504 = msg("26399", dup321); - -var msg28505 = msg("26400", dup321); - -var msg28506 = msg("26401", dup321); - -var msg28507 = msg("26402", dup321); - -var msg28508 = msg("26403", dup321); - -var msg28509 = msg("26404", dup321); - -var msg28510 = msg("26405", dup321); - -var msg28511 = msg("26406", dup321); - -var msg28512 = msg("26407", dup321); - -var msg28513 = msg("26408", dup321); - -var msg28514 = msg("26409", dup321); - -var msg28515 = msg("26410", dup323); - -var msg28516 = msg("26411", dup321); - -var msg28517 = msg("26412", dup311); - -var msg28518 = msg("26413", dup321); - -var msg28519 = msg("26414", dup311); - -var msg28520 = msg("26415", dup314); - -var msg28521 = msg("26416", dup314); - -var msg28522 = msg("26417", dup314); - -var msg28523 = msg("26418", dup307); - -var msg28524 = msg("26419", dup325); - -var msg28525 = msg("26420", dup325); - -var msg28526 = msg("26421", dup309); - -var msg28527 = msg("26422", dup314); - -var msg28528 = msg("26423", dup314); - -var msg28529 = msg("26424", dup314); - -var msg28530 = msg("26425", dup307); - -var msg28531 = msg("26426", dup307); - -var msg28532 = msg("26427", dup324); - -var msg28533 = msg("26428", dup321); - -var msg28534 = msg("26429", dup314); - -var msg28535 = msg("26430", dup314); - -var msg28536 = msg("26431", dup311); - -var msg28537 = msg("26432", dup309); - -var msg28538 = msg("26433", dup309); - -var msg28539 = msg("26434", dup311); - -var msg28540 = msg("26435", dup321); - -var msg28541 = msg("26436", dup314); - -var msg28542 = 
msg("26437", dup314); - -var msg28543 = msg("26438", dup314); - -var msg28544 = msg("26439", dup325); - -var msg28545 = msg("26440", dup323); - -var msg28546 = msg("26441", dup323); - -var msg28547 = msg("26442", dup321); - -var msg28548 = msg("26443", dup321); - -var msg28549 = msg("26444", dup321); - -var msg28550 = msg("26445", dup321); - -var msg28551 = msg("26446", dup321); - -var msg28552 = msg("26447", dup321); - -var msg28553 = msg("26448", dup321); - -var msg28554 = msg("26449", dup321); - -var msg28555 = msg("26450", dup321); - -var msg28556 = msg("26451", dup323); - -var msg28557 = msg("26452", dup321); - -var msg28558 = msg("26453", dup309); - -var msg28559 = msg("26454", dup309); - -var msg28560 = msg("26455", dup309); - -var msg28561 = msg("26456", dup314); - -var msg28562 = msg("26457", dup314); - -var msg28563 = msg("26458", dup314); - -var msg28564 = msg("26459", dup309); - -var msg28565 = msg("26460", dup309); - -var msg28566 = msg("26461", dup309); - -var msg28567 = msg("26462", dup309); - -var msg28568 = msg("26463", dup321); - -var msg28569 = msg("26464", dup321); - -var msg28570 = msg("26465", dup314); - -var msg28571 = msg("26466", dup314); - -var msg28572 = msg("26467", dup321); - -var msg28573 = msg("26468", dup311); - -var msg28574 = msg("26469", dup311); - -var msg28575 = msg("26470", dup310); - -var msg28576 = msg("26471", dup333); - -var msg28577 = msg("26472", dup311); - -var msg28578 = msg("26473", dup309); - -var msg28579 = msg("26474", dup309); - -var msg28580 = msg("26475", dup309); - -var msg28581 = msg("26476", dup309); - -var msg28582 = msg("26477", dup309); - -var msg28583 = msg("26478", dup309); - -var msg28584 = msg("26479", dup309); - -var msg28585 = msg("26480", dup321); - -var msg28586 = msg("26481", dup321); - -var msg28587 = msg("26482", dup321); - -var msg28588 = msg("26483", dup323); - -var msg28589 = msg("26484", dup311); - -var msg28590 = msg("26485", dup311); - -var msg28591 = msg("26486", dup311); - -var msg28592 = 
msg("26487", dup311); - -var msg28593 = msg("26488", dup314); - -var msg28594 = msg("26489", dup309); - -var msg28595 = msg("26490", dup309); - -var msg28596 = msg("26491", dup311); - -var msg28597 = msg("26492", dup314); - -var msg28598 = msg("26493", dup314); - -var msg28599 = msg("26494", dup314); - -var msg28600 = msg("26495", dup309); - -var msg28601 = msg("26496", dup309); - -var msg28602 = msg("26497", dup314); - -var msg28603 = msg("26498", dup314); - -var msg28604 = msg("26499", dup311); - -var msg28605 = msg("26500", dup311); - -var msg28606 = msg("26501", dup309); - -var msg28607 = msg("26502", dup309); - -var msg28608 = msg("26503", dup309); - -var msg28609 = msg("26504", dup309); - -var msg28610 = msg("26505", dup314); - -var msg28611 = msg("26506", dup311); - -var msg28612 = msg("26507", dup311); - -var msg28613 = msg("26508", dup307); - -var msg28614 = msg("26509", dup307); - -var msg28615 = msg("26510", dup311); - -var msg28616 = msg("26511", dup311); - -var msg28617 = msg("26512", dup311); - -var msg28618 = msg("26513", dup323); - -var msg28619 = msg("26514", dup314); - -var msg28620 = msg("26515", dup314); - -var msg28621 = msg("26516", dup314); - -var msg28622 = msg("26517", dup314); - -var msg28623 = msg("26518", dup314); - -var msg28624 = msg("26519", dup314); - -var msg28625 = msg("26520", dup311); - -var msg28626 = msg("26521", dup311); - -var msg28627 = msg("26522", dup325); - -var msg28628 = msg("26523", dup314); - -var msg28629 = msg("26524", dup314); - -var msg28630 = msg("26525", dup314); - -var msg28631 = msg("26526", dup311); - -var msg28632 = msg("26527", dup311); - -var msg28633 = msg("26528", dup200); - -var msg28634 = msg("26529", dup200); - -var msg28635 = msg("26530", dup200); - -var msg28636 = msg("26531", dup321); - -var msg28637 = msg("26532", dup321); - -var msg28638 = msg("26533", dup321); - -var msg28639 = msg("26534", dup311); - -var msg28640 = msg("26535", dup311); - -var msg28641 = msg("26536", dup311); - -var msg28642 = 
msg("26537", dup311); - -var msg28643 = msg("26538", dup311); - -var msg28644 = msg("26539", dup311); - -var msg28645 = msg("26540", dup311); - -var msg28646 = msg("26541", dup311); - -var msg28647 = msg("26542", dup325); - -var msg28648 = msg("26543", dup314); - -var msg28649 = msg("26544", dup314); - -var msg28650 = msg("26545", dup314); - -var msg28651 = msg("26546", dup314); - -var msg28652 = msg("26547", dup311); - -var msg28653 = msg("26548", dup309); - -var msg28654 = msg("26549", dup311); - -var msg28655 = msg("26550", dup311); - -var msg28656 = msg("26551", dup311); - -var msg28657 = msg("26552", dup311); - -var msg28658 = msg("26553", dup321); - -var msg28659 = msg("26554", dup321); - -var msg28660 = msg("26555", dup321); - -var msg28661 = msg("26556", dup321); - -var msg28662 = msg("26557", dup314); - -var msg28663 = msg("26558", dup325); - -var msg28664 = msg("26559", dup307); - -var msg28665 = msg("26560", dup321); - -var msg28666 = msg("26561", dup321); - -var msg28667 = msg("26562", dup311); - -var msg28668 = msg("26563", dup321); - -var msg28669 = msg("26564", dup307); - -var msg28670 = msg("26565", dup314); - -var msg28671 = msg("26566", dup314); - -var msg28672 = msg("26567", dup314); - -var msg28673 = msg("26568", dup314); - -var msg28674 = msg("26569", dup325); - -var msg28675 = msg("26570", dup325); - -var msg28676 = msg("26571", dup325); - -var msg28677 = msg("26572", dup325); - -var msg28678 = msg("26573", dup311); - -var msg28679 = msg("26574", dup311); - -var msg28680 = msg("26575", dup324); - -var msg28681 = msg("26576", dup311); - -var msg28682 = msg("26577", dup325); - -var msg28683 = msg("26578", dup321); - -var msg28684 = msg("26579", dup321); - -var msg28685 = msg("26580", dup321); - -var msg28686 = msg("26581", dup321); - -var msg28687 = msg("26582", dup321); - -var msg28688 = msg("26583", dup321); - -var msg28689 = msg("26584", dup325); - -var msg28690 = msg("26585", dup314); - -var msg28691 = msg("26586", dup316); - -var msg28692 = 
msg("26587", dup314); - -var msg28693 = msg("26588", dup314); - -var msg28694 = msg("26589", dup321); - -var msg28695 = msg("26590", dup311); - -var msg28696 = msg("26591", dup307); - -var msg28697 = msg("26592", dup314); - -var msg28698 = msg("26593", dup309); - -var msg28699 = msg("26594", dup307); - -var msg28700 = msg("26595", dup323); - -var msg28701 = msg("26596", dup323); - -var msg28702 = msg("26597", dup309); - -var msg28703 = msg("26598", dup323); - -var msg28704 = msg("26599", dup311); - -var msg28705 = msg("26600", dup311); - -var msg28706 = msg("26601", dup311); - -var msg28707 = msg("26602", dup309); - -var msg28708 = msg("26603", dup321); - -var msg28709 = msg("26604", dup321); - -var msg28710 = msg("26605", dup321); - -var msg28711 = msg("26606", dup321); - -var msg28712 = msg("26607", dup321); - -var msg28713 = msg("26608", dup321); - -var msg28714 = msg("26609", dup321); - -var msg28715 = msg("26610", dup321); - -var msg28716 = msg("26611", dup321); - -var msg28717 = msg("26612", dup321); - -var msg28718 = msg("26613", dup321); - -var msg28719 = msg("26614", dup321); - -var msg28720 = msg("26615", dup323); - -var msg28721 = msg("26616", dup323); - -var msg28722 = msg("26617", dup311); - -var msg28723 = msg("26618", dup311); - -var msg28724 = msg("26619", dup325); - -var msg28725 = msg("26620", dup325); - -var msg28726 = msg("26621", dup314); - -var msg28727 = msg("26622", dup314); - -var msg28728 = msg("26623", dup314); - -var msg28729 = msg("26624", dup323); - -var msg28730 = msg("26625", dup323); - -var msg28731 = msg("26626", dup309); - -var msg28732 = msg("26627", dup309); - -var msg28733 = msg("26628", dup309); - -var msg28734 = msg("26629", dup325); - -var msg28735 = msg("26630", dup325); - -var msg28736 = msg("26631", dup325); - -var msg28737 = msg("26632", dup324); - -var msg28738 = msg("26633", dup314); - -var msg28739 = msg("26634", dup311); - -var msg28740 = msg("26635", dup311); - -var msg28741 = msg("26636", dup325); - -var msg28742 = 
msg("26637", dup325); - -var msg28743 = msg("26638", dup311); - -var msg28744 = msg("26639", dup314); - -var msg28745 = msg("26640", dup314); - -var msg28746 = msg("26641", dup311); - -var msg28747 = msg("26642", dup311); - -var msg28748 = msg("26643", dup324); - -var msg28749 = msg("26644", dup314); - -var msg28750 = msg("26645", dup314); - -var msg28751 = msg("26646", dup314); - -var msg28752 = msg("26647", dup314); - -var msg28753 = msg("26648", dup311); - -var msg28754 = msg("26649", dup311); - -var msg28755 = msg("26650", dup323); - -var msg28756 = msg("26651", dup309); - -var msg28757 = msg("26652", dup309); - -var msg28758 = msg("26653", dup311); - -var msg28759 = msg("26654", dup321); - -var msg28760 = msg("26655", dup321); - -var msg28761 = msg("26656", dup321); - -var msg28762 = msg("26657", dup321); - -var msg28763 = msg("26658", dup314); - -var msg28764 = msg("26659", dup314); - -var msg28765 = msg("26660", dup311); - -var msg28766 = msg("26661", dup311); - -var msg28767 = msg("26662", dup311); - -var msg28768 = msg("26663", dup309); - -var msg28769 = msg("26664", dup314); - -var msg28770 = msg("26665", dup314); - -var msg28771 = msg("26666", dup325); - -var msg28772 = msg("26667", dup309); - -var msg28773 = msg("26668", dup325); - -var msg28774 = msg("26669", dup314); - -var msg28775 = msg("26670", dup321); - -var msg28776 = msg("26671", dup321); - -var msg28777 = msg("26672", dup309); - -var msg28778 = msg("26673", dup309); - -var msg28779 = msg("26674", dup309); - -var msg28780 = msg("26675", dup309); - -var msg28781 = msg("26676", dup309); - -var msg28782 = msg("26677", dup321); - -var msg28783 = msg("26678", dup321); - -var msg28784 = msg("26679", dup321); - -var msg28785 = msg("26680", dup321); - -var msg28786 = msg("26681", dup321); - -var msg28787 = msg("26682", dup314); - -var msg28788 = msg("26683", dup321); - -var msg28789 = msg("26684", dup321); - -var msg28790 = msg("26685", dup325); - -var msg28791 = msg("26686", dup325); - -var msg28792 = 
msg("26687", dup314); - -var msg28793 = msg("26688", dup314); - -var msg28794 = msg("26689", dup321); - -var msg28795 = msg("26690", dup321); - -var msg28796 = msg("26691", dup321); - -var msg28797 = msg("26692", dup321); - -var msg28798 = msg("26693", dup321); - -var msg28799 = msg("26694", dup311); - -var msg28800 = msg("26695", dup321); - -var msg28801 = msg("26696", dup321); - -var msg28802 = msg("26697", dup321); - -var msg28803 = msg("26698", dup311); - -var msg28804 = msg("26699", dup309); - -var msg28805 = msg("26700", dup309); - -var msg28806 = msg("26701", dup309); - -var msg28807 = msg("26702", dup325); - -var msg28808 = msg("26703", dup321); - -var msg28809 = msg("26704", dup314); - -var msg28810 = msg("26705", dup321); - -var msg28811 = msg("26706", dup309); - -var msg28812 = msg("26707", dup309); - -var msg28813 = msg("26708", dup309); - -var msg28814 = msg("26709", dup309); - -var msg28815 = msg("26710", dup309); - -var msg28816 = msg("26711", dup309); - -var msg28817 = msg("26712", dup321); - -var msg28818 = msg("26713", dup321); - -var msg28819 = msg("26714", dup321); - -var msg28820 = msg("26715", dup321); - -var msg28821 = msg("26716", dup311); - -var msg28822 = msg("26717", dup311); - -var msg28823 = msg("26718", dup321); - -var msg28824 = msg("26719", dup321); - -var msg28825 = msg("26720", dup321); - -var msg28826 = msg("26721", dup321); - -var msg28827 = msg("26722", dup321); - -var msg28828 = msg("26723", dup321); - -var msg28829 = msg("26724", dup309); - -var msg28830 = msg("26725", dup321); - -var msg28831 = msg("26726", dup321); - -var msg28832 = msg("26727", dup321); - -var msg28833 = msg("26728", dup321); - -var msg28834 = msg("26729", dup321); - -var msg28835 = msg("26730", dup321); - -var msg28836 = msg("26731", dup321); - -var msg28837 = msg("26732", dup321); - -var msg28838 = msg("26733", dup321); - -var msg28839 = msg("26734", dup321); - -var msg28840 = msg("26735", dup321); - -var msg28841 = msg("26736", dup334); - -var msg28842 = 
msg("26737", dup321); - -var msg28843 = msg("26738", dup321); - -var msg28844 = msg("26739", dup321); - -var msg28845 = msg("26740", dup321); - -var msg28846 = msg("26741", dup311); - -var msg28847 = msg("26742", dup321); - -var msg28848 = msg("26743", dup324); - -var msg28849 = msg("26744", dup321); - -var msg28850 = msg("26745", dup333); - -var msg28851 = msg("26746", dup321); - -var msg28852 = msg("26747", dup324); - -var msg28853 = msg("26748", dup321); - -var msg28854 = msg("26749", dup321); - -var msg28855 = msg("26750", dup321); - -var msg28856 = msg("26751", dup325); - -var msg28857 = msg("26752", dup310); - -var msg28858 = msg("26753", dup325); - -var msg28859 = msg("26754", dup325); - -var msg28860 = msg("26755", dup309); - -var msg28861 = msg("26756", dup321); - -var msg28862 = msg("26757", dup321); - -var msg28863 = msg("26758", dup321); - -var msg28864 = msg("26759", dup323); - -var msg28865 = msg("26760", dup321); - -var msg28866 = msg("26761", dup321); - -var msg28867 = msg("26762", dup321); - -var msg28868 = msg("26763", dup321); - -var msg28869 = msg("26764", dup314); - -var msg28870 = msg("26765", dup314); - -var msg28871 = msg("26766", dup314); - -var msg28872 = msg("26767", dup314); - -var msg28873 = msg("26768", dup321); - -var msg28874 = msg("26769", dup324); - -var msg28875 = msg("26770", dup321); - -var msg28876 = msg("26771", dup321); - -var msg28877 = msg("26772", dup311); - -var msg28878 = msg("26773", dup321); - -var msg28879 = msg("26774", dup321); - -var msg28880 = msg("26775", dup321); - -var msg28881 = msg("26776", dup321); - -var msg28882 = msg("26777", dup321); - -var msg28883 = msg("26778", dup321); - -var msg28884 = msg("26779", dup321); - -var msg28885 = msg("26780", dup310); - -var msg28886 = msg("26781", dup321); - -var msg28887 = msg("26782", dup321); - -var msg28888 = msg("26783", dup321); - -var msg28889 = msg("26784", dup321); - -var msg28890 = msg("26785", dup321); - -var msg28891 = msg("26786", dup316); - -var msg28892 = 
msg("26787", dup316); - -var msg28893 = msg("26788", dup316); - -var msg28894 = msg("26789", dup316); - -var msg28895 = msg("26790", dup316); - -var msg28896 = msg("26791", dup316); - -var msg28897 = msg("26792", dup321); - -var msg28898 = msg("26793", dup321); - -var msg28899 = msg("26794", dup314); - -var msg28900 = msg("26795", dup321); - -var msg28901 = msg("26796", dup321); - -var msg28902 = msg("26797", dup314); - -var msg28903 = msg("26798", dup314); - -var msg28904 = msg("26799", dup309); - -var msg28905 = msg("26800", dup309); - -var msg28906 = msg("26801", dup309); - -var msg28907 = msg("26802", dup335); - -var msg28908 = msg("26803", dup321); - -var msg28909 = msg("26804", dup311); - -var msg28910 = msg("26805", dup311); - -var msg28911 = msg("26806", dup311); - -var msg28912 = msg("26807", dup311); - -var msg28913 = msg("26808", dup311); - -var msg28914 = msg("26809", dup321); - -var msg28915 = msg("26810", dup321); - -var msg28916 = msg("26811", dup321); - -var msg28917 = msg("26812", dup321); - -var msg28918 = msg("26813", dup321); - -var msg28919 = msg("26814", dup311); - -var msg28920 = msg("26815", dup321); - -var msg28921 = msg("26816", dup321); - -var msg28922 = msg("26817", dup323); - -var msg28923 = msg("26818", dup321); - -var msg28924 = msg("26819", dup321); - -var msg28925 = msg("26820", dup321); - -var msg28926 = msg("26821", dup321); - -var msg28927 = msg("26822", dup321); - -var msg28928 = msg("26823", dup321); - -var msg28929 = msg("26824", dup311); - -var msg28930 = msg("26825", dup311); - -var msg28931 = msg("26826", dup321); - -var msg28932 = msg("26827", dup321); - -var msg28933 = msg("26828", dup321); - -var msg28934 = msg("26829", dup322); - -var msg28935 = msg("26830", dup309); - -var msg28936 = msg("26831", dup309); - -var msg28937 = msg("26832", dup309); - -var msg28938 = msg("26833", dup309); - -var msg28939 = msg("26834", dup311); - -var msg28940 = msg("26835", dup321); - -var msg28941 = msg("26836", dup321); - -var msg28942 = 
msg("26837", dup321); - -var msg28943 = msg("26838", dup311); - -var msg28944 = msg("26839", dup321); - -var msg28945 = msg("26840", dup321); - -var msg28946 = msg("26841", dup321); - -var msg28947 = msg("26842", dup321); - -var msg28948 = msg("26843", dup314); - -var msg28949 = msg("26844", dup311); - -var msg28950 = msg("26845", dup325); - -var msg28951 = msg("26846", dup325); - -var msg28952 = msg("26847", dup325); - -var msg28953 = msg("26848", dup325); - -var msg28954 = msg("26849", dup323); - -var msg28955 = msg("26850", dup314); - -var msg28956 = msg("26851", dup314); - -var msg28957 = msg("26852", dup311); - -var msg28958 = msg("26853", dup311); - -var msg28959 = msg("26854", dup309); - -var msg28960 = msg("26855", dup309); - -var msg28961 = msg("26856", dup309); - -var msg28962 = msg("26857", dup309); - -var msg28963 = msg("26858", dup309); - -var msg28964 = msg("26859", dup309); - -var msg28965 = msg("26860", dup309); - -var msg28966 = msg("26861", dup309); - -var msg28967 = msg("26862", dup309); - -var msg28968 = msg("26863", dup309); - -var msg28969 = msg("26864", dup309); - -var msg28970 = msg("26865", dup307); - -var msg28971 = msg("26866", dup309); - -var msg28972 = msg("26867", dup325); - -var msg28973 = msg("26868", dup325); - -var msg28974 = msg("26869", dup311); - -var msg28975 = msg("26870", dup311); - -var msg28976 = msg("26871", dup311); - -var msg28977 = msg("26872", dup311); - -var msg28978 = msg("26873", dup325); - -var msg28979 = msg("26874", dup325); - -var msg28980 = msg("26875", dup325); - -var msg28981 = msg("26876", dup325); - -var msg28982 = msg("26877", dup323); - -var msg28983 = msg("26878", dup325); - -var msg28984 = msg("26879", dup314); - -var msg28985 = msg("26880", dup321); - -var msg28986 = msg("26881", dup321); - -var msg28987 = msg("26882", dup325); - -var msg28988 = msg("26883", dup325); - -var msg28989 = msg("26884", dup325); - -var msg28990 = msg("26885", dup325); - -var msg28991 = msg("26886", dup325); - -var msg28992 = 
msg("26887", dup325); - -var msg28993 = msg("26888", dup311); - -var msg28994 = msg("26889", dup311); - -var msg28995 = msg("26890", dup325); - -var msg28996 = msg("26891", dup311); - -var msg28997 = msg("26892", dup311); - -var msg28998 = msg("26893", dup311); - -var msg28999 = msg("26894", dup311); - -var msg29000 = msg("26895", dup311); - -var msg29001 = msg("26896", dup311); - -var msg29002 = msg("26897", dup311); - -var msg29003 = msg("26898", dup322); - -var msg29004 = msg("26899", dup322); - -var msg29005 = msg("26900", dup322); - -var msg29006 = msg("26901", dup322); - -var msg29007 = msg("26902", dup314); - -var msg29008 = msg("26903", dup314); - -var msg29009 = msg("26904", dup314); - -var msg29010 = msg("26905", dup324); - -var msg29011 = msg("26906", dup311); - -var msg29012 = msg("26907", dup311); - -var msg29013 = msg("26908", dup311); - -var msg29014 = msg("26909", dup314); - -var msg29015 = msg("26910", dup321); - -var msg29016 = msg("26911", dup321); - -var msg29017 = msg("26912", dup321); - -var msg29018 = msg("26913", dup321); - -var msg29019 = msg("26914", dup321); - -var msg29020 = msg("26915", dup321); - -var msg29021 = msg("26916", dup321); - -var msg29022 = msg("26917", dup321); - -var msg29023 = msg("26918", dup321); - -var msg29024 = msg("26919", dup321); - -var msg29025 = msg("26920", dup321); - -var msg29026 = msg("26921", dup321); - -var msg29027 = msg("26922", dup311); - -var msg29028 = msg("26923", dup321); - -var msg29029 = msg("26924", dup321); - -var msg29030 = msg("26925", dup322); - -var msg29031 = msg("26926", dup323); - -var msg29032 = msg("26927", dup309); - -var msg29033 = msg("26928", dup309); - -var msg29034 = msg("26929", dup311); - -var msg29035 = msg("26930", dup321); - -var msg29036 = msg("26931", dup321); - -var msg29037 = msg("26932", dup321); - -var msg29038 = msg("26933", dup321); - -var msg29039 = msg("26934", dup321); - -var msg29040 = msg("26935", dup311); - -var msg29041 = msg("26936", dup311); - -var msg29042 = 
msg("26937", dup311); - -var msg29043 = msg("26938", dup314); - -var msg29044 = msg("26939", dup314); - -var msg29045 = msg("26940", dup323); - -var msg29046 = msg("26941", dup323); - -var msg29047 = msg("26942", dup323); - -var msg29048 = msg("26943", dup321); - -var msg29049 = msg("26944", dup321); - -var msg29050 = msg("26945", dup321); - -var msg29051 = msg("26946", dup321); - -var msg29052 = msg("26947", dup311); - -var msg29053 = msg("26948", dup311); - -var msg29054 = msg("26949", dup311); - -var msg29055 = msg("26950", dup311); - -var msg29056 = msg("26951", dup311); - -var msg29057 = msg("26952", dup321); - -var msg29058 = msg("26953", dup311); - -var msg29059 = msg("26954", dup321); - -var msg29060 = msg("26955", dup321); - -var msg29061 = msg("26956", dup311); - -var msg29062 = msg("26957", dup311); - -var msg29063 = msg("26958", dup311); - -var msg29064 = msg("26959", dup311); - -var msg29065 = msg("26960", dup311); - -var msg29066 = msg("26961", dup311); - -var msg29067 = msg("26962", dup311); - -var msg29068 = msg("26963", dup311); - -var msg29069 = msg("26964", dup311); - -var msg29070 = msg("26965", dup321); - -var msg29071 = msg("26966", dup321); - -var msg29072 = msg("26967", dup321); - -var msg29073 = msg("26968", dup321); - -var msg29074 = msg("26969", dup321); - -var msg29075 = msg("26970", dup321); - -var msg29076 = msg("26971", dup321); - -var msg29077 = msg("26972", dup307); - -var msg29078 = msg("26973", dup309); - -var msg29079 = msg("26974", dup314); - -var msg29080 = msg("26975", dup314); - -var msg29081 = msg("26976", dup309); - -var msg29082 = msg("26977", dup309); - -var msg29083 = msg("26978", dup309); - -var msg29084 = msg("26979", dup309); - -var msg29085 = msg("26980", dup315); - -var msg29086 = msg("26981", dup324); - -var msg29087 = msg("26982", dup311); - -var msg29088 = msg("26983", dup311); - -var msg29089 = msg("26984", dup321); - -var msg29090 = msg("26985", dup311); - -var msg29091 = msg("26986", dup321); - -var msg29092 = 
msg("26987", dup321); - -var msg29093 = msg("26988", dup325); - -var msg29094 = msg("26989", dup323); - -var msg29095 = msg("26990", dup311); - -var msg29096 = msg("26991", dup311); - -var msg29097 = msg("26992", dup311); - -var msg29098 = msg("26993", dup314); - -var msg29099 = msg("26994", dup314); - -var msg29100 = msg("26995", dup321); - -var msg29101 = msg("26996", dup321); - -var msg29102 = msg("26997", dup321); - -var msg29103 = msg("26998", dup321); - -var msg29104 = msg("26999", dup321); - -var msg29105 = msg("27000", dup321); - -var msg29106 = msg("27001", dup309); - -var msg29107 = msg("27002", dup321); - -var msg29108 = msg("27003", dup321); - -var msg29109 = msg("27004", dup311); - -var msg29110 = msg("27005", dup311); - -var msg29111 = msg("27006", dup309); - -var msg29112 = msg("27007", dup321); - -var msg29113 = msg("27008", dup321); - -var msg29114 = msg("27009", dup321); - -var msg29115 = msg("27010", dup321); - -var msg29116 = msg("27011", dup321); - -var msg29117 = msg("27012", dup321); - -var msg29118 = msg("27013", dup321); - -var msg29119 = msg("27014", dup323); - -var msg29120 = msg("27015", dup325); - -var msg29121 = msg("27016", dup314); - -var msg29122 = msg("27017", dup321); - -var msg29123 = msg("27018", dup314); - -var msg29124 = msg("27019", dup314); - -var msg29125 = msg("27020", dup314); - -var msg29126 = msg("27021", dup321); - -var msg29127 = msg("27022", dup321); - -var msg29128 = msg("27023", dup321); - -var msg29129 = msg("27024", dup321); - -var msg29130 = msg("27025", dup321); - -var msg29131 = msg("27026", dup311); - -var msg29132 = msg("27027", dup311); - -var msg29133 = msg("27028", dup314); - -var msg29134 = msg("27029", dup314); - -var msg29135 = msg("27030", dup314); - -var msg29136 = msg("27031", dup314); - -var msg29137 = msg("27032", dup314); - -var msg29138 = msg("27033", dup321); - -var msg29139 = msg("27034", dup321); - -var msg29140 = msg("27035", dup321); - -var msg29141 = msg("27036", dup314); - -var msg29142 = 
msg("27037", dup314); - -var msg29143 = msg("27038", dup314); - -var msg29144 = msg("27039", dup321); - -var msg29145 = msg("27040", dup311); - -var msg29146 = msg("27041", dup311); - -var msg29147 = msg("27042", dup311); - -var msg29148 = msg("27043", dup321); - -var msg29149 = msg("27044", dup325); - -var msg29150 = msg("27045", dup321); - -var msg29151 = msg("27046", dup327); - -var msg29152 = msg("27047", dup314); - -var msg29153 = msg("27048", dup323); - -var msg29154 = msg("27049", dup321); - -var msg29155 = msg("27050", dup321); - -var msg29156 = msg("27051", dup321); - -var msg29157 = msg("27052", dup321); - -var msg29158 = msg("27053", dup321); - -var msg29159 = msg("27054", dup321); - -var msg29160 = msg("27055", dup321); - -var msg29161 = msg("27056", dup321); - -var msg29162 = msg("27057", dup321); - -var msg29163 = msg("27058", dup321); - -var msg29164 = msg("27059", dup321); - -var msg29165 = msg("27060", dup321); - -var msg29166 = msg("27061", dup311); - -var msg29167 = msg("27062", dup311); - -var msg29168 = msg("27063", dup311); - -var msg29169 = msg("27064", dup314); - -var msg29170 = msg("27065", dup321); - -var msg29171 = msg("27066", dup321); - -var msg29172 = msg("27067", dup311); - -var msg29173 = msg("27068", dup311); - -var msg29174 = msg("27069", dup311); - -var msg29175 = msg("27070", dup311); - -var msg29176 = msg("27071", dup311); - -var msg29177 = msg("27072", dup311); - -var msg29178 = msg("27073", dup311); - -var msg29179 = msg("27074", dup311); - -var msg29180 = msg("27075", dup311); - -var msg29181 = msg("27076", dup314); - -var msg29182 = msg("27077", dup314); - -var msg29183 = msg("27078", dup311); - -var msg29184 = msg("27079", dup311); - -var msg29185 = msg("27080", dup311); - -var msg29186 = msg("27081", dup311); - -var msg29187 = msg("27082", dup311); - -var msg29188 = msg("27083", dup311); - -var msg29189 = msg("27084", dup311); - -var msg29190 = msg("27085", dup307); - -var msg29191 = msg("27086", dup311); - -var msg29192 = 
msg("27087", dup311); - -var msg29193 = msg("27088", dup311); - -var msg29194 = msg("27089", dup309); - -var msg29195 = msg("27090", dup309); - -var msg29196 = msg("27091", dup321); - -var msg29197 = msg("27092", dup311); - -var msg29198 = msg("27093", dup321); - -var msg29199 = msg("27094", dup200); - -var msg29200 = msg("27095", dup200); - -var msg29201 = msg("27096", dup311); - -var msg29202 = msg("27097", dup200); - -var msg29203 = msg("27098", dup200); - -var msg29204 = msg("27099", dup200); - -var msg29205 = msg("27100", dup311); - -var msg29206 = msg("27101", dup311); - -var msg29207 = msg("27102", dup309); - -var msg29208 = msg("27103", dup309); - -var msg29209 = msg("27104", dup316); - -var msg29210 = msg("27105", dup316); - -var msg29211 = msg("27106", dup311); - -var msg29212 = msg("27107", dup311); - -var msg29213 = msg("27108", dup307); - -var msg29214 = msg("27109", dup311); - -var msg29215 = msg("27110", dup311); - -var msg29216 = msg("27111", dup314); - -var msg29217 = msg("27112", dup314); - -var msg29218 = msg("27113", dup311); - -var msg29219 = msg("27114", dup321); - -var msg29220 = msg("27115", dup311); - -var msg29221 = msg("27116", dup314); - -var msg29222 = msg("27117", dup314); - -var msg29223 = msg("27118", dup314); - -var msg29224 = msg("27119", dup307); - -var msg29225 = msg("27120", dup321); - -var msg29226 = msg("27121", dup314); - -var msg29227 = msg("27122", dup309); - -var msg29228 = msg("27123", dup309); - -var msg29229 = msg("27124", dup309); - -var msg29230 = msg("27125", dup309); - -var msg29231 = msg("27126", dup325); - -var msg29232 = msg("27127", dup325); - -var msg29233 = msg("27128", dup325); - -var msg29234 = msg("27129", dup325); - -var msg29235 = msg("27130", dup325); - -var msg29236 = msg("27131", dup325); - -var msg29237 = msg("27132", dup325); - -var msg29238 = msg("27133", dup325); - -var msg29239 = msg("27134", dup325); - -var msg29240 = msg("27135", dup325); - -var msg29241 = msg("27136", dup311); - -var msg29242 = 
msg("27137", dup311); - -var msg29243 = msg("27138", dup311); - -var msg29244 = msg("27139", dup311); - -var msg29245 = msg("27140", dup311); - -var msg29246 = msg("27141", dup311); - -var msg29247 = msg("27142", dup311); - -var msg29248 = msg("27143", dup311); - -var msg29249 = msg("27144", dup311); - -var msg29250 = msg("27145", dup321); - -var msg29251 = msg("27146", dup321); - -var msg29252 = msg("27147", dup325); - -var msg29253 = msg("27148", dup325); - -var msg29254 = msg("27149", dup325); - -var msg29255 = msg("27150", dup325); - -var msg29256 = msg("27151", dup325); - -var msg29257 = msg("27152", dup325); - -var msg29258 = msg("27153", dup325); - -var msg29259 = msg("27154", dup325); - -var msg29260 = msg("27155", dup321); - -var msg29261 = msg("27156", dup309); - -var msg29262 = msg("27157", dup309); - -var msg29263 = msg("27158", dup321); - -var msg29264 = msg("27159", dup321); - -var msg29265 = msg("27160", dup321); - -var msg29266 = msg("27161", dup311); - -var msg29267 = msg("27162", dup311); - -var msg29268 = msg("27163", dup311); - -var msg29269 = msg("27164", dup311); - -var msg29270 = msg("27165", dup314); - -var msg29271 = msg("27166", dup309); - -var msg29272 = msg("27167", dup309); - -var msg29273 = msg("27168", dup309); - -var msg29274 = msg("27169", dup321); - -var msg29275 = msg("27170", dup309); - -var msg29276 = msg("27171", dup325); - -var msg29277 = msg("27172", dup325); - -var msg29278 = msg("27173", dup314); - -var msg29279 = msg("27174", dup314); - -var msg29280 = msg("27175", dup314); - -var msg29281 = msg("27176", dup314); - -var msg29282 = msg("27177", dup314); - -var msg29283 = msg("27178", dup321); - -var all56 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup111, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var msg29284 = msg("27179", all56); - -var msg29285 = 
msg("27180", dup321); - -var msg29286 = msg("27181", dup321); - -var msg29287 = msg("27182", dup325); - -var msg29288 = msg("27183", dup325); - -var msg29289 = msg("27184", dup325); - -var msg29290 = msg("27185", dup325); - -var msg29291 = msg("27186", dup325); - -var msg29292 = msg("27187", dup325); - -var msg29293 = msg("27188", dup314); - -var msg29294 = msg("27189", dup314); - -var msg29295 = msg("27190", dup314); - -var msg29296 = msg("27191", dup314); - -var msg29297 = msg("27192", dup314); - -var msg29298 = msg("27193", dup324); - -var msg29299 = msg("27194", dup324); - -var msg29300 = msg("27195", dup324); - -var msg29301 = msg("27196", dup314); - -var msg29302 = msg("27197", dup321); - -var msg29303 = msg("27198", dup321); - -var msg29304 = msg("27199", dup321); - -var msg29305 = msg("27200", dup321); - -var msg29306 = msg("27201", dup321); - -var msg29307 = msg("27202", dup310); - -var msg29308 = msg("27203", dup314); - -var msg29309 = msg("27204", dup321); - -var msg29310 = msg("27205", dup309); - -var msg29311 = msg("27206", dup314); - -var msg29312 = msg("27207", dup314); - -var msg29313 = msg("27208", dup309); - -var msg29314 = msg("27209", dup311); - -var msg29315 = msg("27210", dup323); - -var msg29316 = msg("27211", dup309); - -var msg29317 = msg("27212", dup309); - -var msg29318 = msg("27213", dup309); - -var msg29319 = msg("27214", dup309); - -var msg29320 = msg("27215", dup309); - -var msg29321 = msg("27216", dup309); - -var msg29322 = msg("27217", dup309); - -var msg29323 = msg("27218", dup314); - -var msg29324 = msg("27219", dup314); - -var msg29325 = msg("27220", dup311); - -var msg29326 = msg("27221", dup311); - -var msg29327 = msg("27222", dup311); - -var msg29328 = msg("27223", dup314); - -var msg29329 = msg("27224", dup314); - -var msg29330 = msg("27225", dup324); - -var msg29331 = msg("27226", dup314); - -var msg29332 = msg("27227", dup328); - -var msg29333 = msg("27228", dup321); - -var msg29334 = msg("27229", dup311); - -var msg29335 = 
msg("27230", dup314); - -var msg29336 = msg("27231", dup314); - -var msg29337 = msg("27232", dup309); - -var msg29338 = msg("27233", dup309); - -var msg29339 = msg("27234", dup324); - -var msg29340 = msg("27235", dup311); - -var msg29341 = msg("27236", dup309); - -var msg29342 = msg("27237", dup314); - -var msg29343 = msg("27238", dup314); - -var msg29344 = msg("27239", dup314); - -var msg29345 = msg("27240", dup323); - -var msg29346 = msg("27241", dup311); - -var msg29347 = msg("27242", dup311); - -var msg29348 = msg("27243", dup314); - -var msg29349 = msg("27244", dup314); - -var msg29350 = msg("27245", dup311); - -var msg29351 = msg("27246", dup321); - -var msg29352 = msg("27247", dup321); - -var msg29353 = msg("27248", dup321); - -var msg29354 = msg("27249", dup309); - -var msg29355 = msg("27250", dup309); - -var msg29356 = msg("27251", dup309); - -var msg29357 = msg("27252", dup321); - -var msg29358 = msg("27253", dup321); - -var msg29359 = msg("27254", dup321); - -var msg29360 = msg("27255", dup200); - -var msg29361 = msg("27256", dup321); - -var msg29362 = msg("27257", dup321); - -var msg29363 = msg("27258", dup314); - -var msg29364 = msg("27259", dup314); - -var msg29365 = msg("27260", dup321); - -var msg29366 = msg("27261", dup309); - -var msg29367 = msg("27262", dup309); - -var msg29368 = msg("27263", dup325); - -var msg29369 = msg("27264", dup309); - -var msg29370 = msg("27265", dup309); - -var msg29371 = msg("27266", dup309); - -var msg29372 = msg("27267", dup307); - -var msg29373 = msg("27268", dup307); - -var msg29374 = msg("27269", dup333); - -var msg29375 = msg("27270", dup333); - -var msg29376 = msg("27271", dup311); - -var msg29377 = msg("27272", dup314); - -var msg29378 = msg("27273", dup311); - -var msg29379 = msg("27274", dup311); - -var msg29380 = msg("27275", dup314); - -var msg29381 = msg("27276", dup314); - -var msg29382 = msg("27277", dup314); - -var msg29383 = msg("27278", dup309); - -var msg29384 = msg("27279", dup309); - -var msg29385 = 
msg("27280", dup309); - -var msg29386 = msg("27281", dup309); - -var msg29387 = msg("27282", dup314); - -var msg29388 = msg("27283", dup314); - -var msg29389 = msg("27284", dup314); - -var msg29390 = msg("27285", dup322); - -var msg29391 = msg("27286", dup322); - -var msg29392 = msg("27287", dup322); - -var msg29393 = msg("27288", dup322); - -var msg29394 = msg("27289", dup321); - -var msg29395 = msg("27290", dup321); - -var msg29396 = msg("27291", dup321); - -var msg29397 = msg("27292", dup321); - -var msg29398 = msg("27293", dup321); - -var msg29399 = msg("27294", dup321); - -var msg29400 = msg("27295", dup321); - -var msg29401 = msg("27296", dup321); - -var msg29402 = msg("27297", dup321); - -var msg29403 = msg("27298", dup321); - -var msg29404 = msg("27299", dup321); - -var msg29405 = msg("27300", dup321); - -var msg29406 = msg("27301", dup321); - -var msg29407 = msg("27302", dup321); - -var msg29408 = msg("27303", dup321); - -var msg29409 = msg("27304", dup321); - -var msg29410 = msg("27305", dup321); - -var msg29411 = msg("27306", dup321); - -var msg29412 = msg("27307", dup321); - -var msg29413 = msg("27308", dup321); - -var msg29414 = msg("27309", dup321); - -var msg29415 = msg("27310", dup321); - -var msg29416 = msg("27311", dup321); - -var msg29417 = msg("27312", dup321); - -var msg29418 = msg("27313", dup321); - -var msg29419 = msg("27314", dup321); - -var msg29420 = msg("27315", dup321); - -var msg29421 = msg("27316", dup321); - -var msg29422 = msg("27317", dup321); - -var msg29423 = msg("27318", dup321); - -var msg29424 = msg("27319", dup321); - -var msg29425 = msg("27320", dup321); - -var msg29426 = msg("27321", dup321); - -var msg29427 = msg("27322", dup321); - -var msg29428 = msg("27323", dup321); - -var msg29429 = msg("27324", dup321); - -var msg29430 = msg("27325", dup321); - -var msg29431 = msg("27326", dup321); - -var msg29432 = msg("27327", dup321); - -var msg29433 = msg("27328", dup321); - -var msg29434 = msg("27329", dup321); - -var msg29435 = 
msg("27330", dup321); - -var msg29436 = msg("27331", dup321); - -var msg29437 = msg("27332", dup321); - -var msg29438 = msg("27333", dup321); - -var msg29439 = msg("27334", dup321); - -var msg29440 = msg("27335", dup321); - -var msg29441 = msg("27336", dup321); - -var msg29442 = msg("27337", dup321); - -var msg29443 = msg("27338", dup321); - -var msg29444 = msg("27339", dup321); - -var msg29445 = msg("27340", dup321); - -var msg29446 = msg("27341", dup321); - -var msg29447 = msg("27342", dup321); - -var msg29448 = msg("27343", dup321); - -var msg29449 = msg("27344", dup321); - -var msg29450 = msg("27345", dup321); - -var msg29451 = msg("27346", dup321); - -var msg29452 = msg("27347", dup321); - -var msg29453 = msg("27348", dup321); - -var msg29454 = msg("27349", dup321); - -var msg29455 = msg("27350", dup321); - -var msg29456 = msg("27351", dup321); - -var msg29457 = msg("27352", dup321); - -var msg29458 = msg("27353", dup321); - -var msg29459 = msg("27354", dup321); - -var msg29460 = msg("27355", dup321); - -var msg29461 = msg("27356", dup321); - -var msg29462 = msg("27357", dup321); - -var msg29463 = msg("27358", dup321); - -var msg29464 = msg("27359", dup321); - -var msg29465 = msg("27360", dup321); - -var msg29466 = msg("27361", dup321); - -var msg29467 = msg("27362", dup321); - -var msg29468 = msg("27363", dup321); - -var msg29469 = msg("27364", dup321); - -var msg29470 = msg("27365", dup321); - -var msg29471 = msg("27366", dup321); - -var msg29472 = msg("27367", dup321); - -var msg29473 = msg("27368", dup321); - -var msg29474 = msg("27369", dup321); - -var msg29475 = msg("27370", dup321); - -var msg29476 = msg("27371", dup321); - -var msg29477 = msg("27372", dup321); - -var msg29478 = msg("27373", dup321); - -var msg29479 = msg("27374", dup321); - -var msg29480 = msg("27375", dup321); - -var msg29481 = msg("27376", dup321); - -var msg29482 = msg("27377", dup321); - -var msg29483 = msg("27378", dup321); - -var msg29484 = msg("27379", dup321); - -var msg29485 = 
msg("27380", dup321); - -var msg29486 = msg("27381", dup321); - -var msg29487 = msg("27382", dup321); - -var msg29488 = msg("27383", dup321); - -var msg29489 = msg("27384", dup321); - -var msg29490 = msg("27385", dup321); - -var msg29491 = msg("27386", dup321); - -var msg29492 = msg("27387", dup321); - -var msg29493 = msg("27388", dup321); - -var msg29494 = msg("27389", dup321); - -var msg29495 = msg("27390", dup321); - -var msg29496 = msg("27391", dup321); - -var msg29497 = msg("27392", dup321); - -var msg29498 = msg("27393", dup321); - -var msg29499 = msg("27394", dup321); - -var msg29500 = msg("27395", dup321); - -var msg29501 = msg("27396", dup321); - -var msg29502 = msg("27397", dup321); - -var msg29503 = msg("27398", dup321); - -var msg29504 = msg("27399", dup321); - -var msg29505 = msg("27400", dup321); - -var msg29506 = msg("27401", dup321); - -var msg29507 = msg("27402", dup321); - -var msg29508 = msg("27403", dup321); - -var msg29509 = msg("27404", dup321); - -var msg29510 = msg("27405", dup321); - -var msg29511 = msg("27406", dup321); - -var msg29512 = msg("27407", dup321); - -var msg29513 = msg("27408", dup321); - -var msg29514 = msg("27409", dup321); - -var msg29515 = msg("27410", dup321); - -var msg29516 = msg("27411", dup321); - -var msg29517 = msg("27412", dup321); - -var msg29518 = msg("27413", dup321); - -var msg29519 = msg("27414", dup321); - -var msg29520 = msg("27415", dup321); - -var msg29521 = msg("27416", dup321); - -var msg29522 = msg("27417", dup321); - -var msg29523 = msg("27418", dup321); - -var msg29524 = msg("27419", dup321); - -var msg29525 = msg("27420", dup321); - -var msg29526 = msg("27421", dup321); - -var msg29527 = msg("27422", dup321); - -var msg29528 = msg("27423", dup321); - -var msg29529 = msg("27424", dup321); - -var msg29530 = msg("27425", dup321); - -var msg29531 = msg("27426", dup321); - -var msg29532 = msg("27427", dup321); - -var msg29533 = msg("27428", dup321); - -var msg29534 = msg("27429", dup321); - -var msg29535 = 
msg("27430", dup321); - -var msg29536 = msg("27431", dup321); - -var msg29537 = msg("27432", dup321); - -var msg29538 = msg("27433", dup321); - -var msg29539 = msg("27434", dup321); - -var msg29540 = msg("27435", dup321); - -var msg29541 = msg("27436", dup321); - -var msg29542 = msg("27437", dup321); - -var msg29543 = msg("27438", dup321); - -var msg29544 = msg("27439", dup321); - -var msg29545 = msg("27440", dup321); - -var msg29546 = msg("27441", dup321); - -var msg29547 = msg("27442", dup321); - -var msg29548 = msg("27443", dup321); - -var msg29549 = msg("27444", dup321); - -var msg29550 = msg("27445", dup321); - -var msg29551 = msg("27446", dup321); - -var msg29552 = msg("27447", dup321); - -var msg29553 = msg("27448", dup321); - -var msg29554 = msg("27449", dup321); - -var msg29555 = msg("27450", dup321); - -var msg29556 = msg("27451", dup321); - -var msg29557 = msg("27452", dup321); - -var msg29558 = msg("27453", dup321); - -var msg29559 = msg("27454", dup321); - -var msg29560 = msg("27455", dup321); - -var msg29561 = msg("27456", dup321); - -var msg29562 = msg("27457", dup321); - -var msg29563 = msg("27458", dup321); - -var msg29564 = msg("27459", dup321); - -var msg29565 = msg("27460", dup321); - -var msg29566 = msg("27461", dup321); - -var msg29567 = msg("27462", dup321); - -var msg29568 = msg("27463", dup321); - -var msg29569 = msg("27464", dup321); - -var msg29570 = msg("27465", dup321); - -var msg29571 = msg("27466", dup321); - -var msg29572 = msg("27467", dup321); - -var msg29573 = msg("27468", dup321); - -var msg29574 = msg("27469", dup321); - -var msg29575 = msg("27470", dup321); - -var msg29576 = msg("27471", dup321); - -var msg29577 = msg("27472", dup321); - -var msg29578 = msg("27473", dup321); - -var msg29579 = msg("27474", dup321); - -var msg29580 = msg("27475", dup321); - -var msg29581 = msg("27476", dup321); - -var msg29582 = msg("27477", dup321); - -var msg29583 = msg("27478", dup321); - -var msg29584 = msg("27479", dup321); - -var msg29585 = 
msg("27480", dup321); - -var msg29586 = msg("27481", dup321); - -var msg29587 = msg("27482", dup321); - -var msg29588 = msg("27483", dup321); - -var msg29589 = msg("27484", dup321); - -var msg29590 = msg("27485", dup321); - -var msg29591 = msg("27486", dup321); - -var msg29592 = msg("27487", dup321); - -var msg29593 = msg("27488", dup321); - -var msg29594 = msg("27489", dup321); - -var msg29595 = msg("27490", dup321); - -var msg29596 = msg("27491", dup321); - -var msg29597 = msg("27492", dup321); - -var msg29598 = msg("27493", dup321); - -var msg29599 = msg("27494", dup321); - -var msg29600 = msg("27495", dup321); - -var msg29601 = msg("27496", dup321); - -var msg29602 = msg("27497", dup321); - -var msg29603 = msg("27498", dup321); - -var msg29604 = msg("27499", dup321); - -var msg29605 = msg("27500", dup321); - -var msg29606 = msg("27501", dup321); - -var msg29607 = msg("27502", dup321); - -var msg29608 = msg("27503", dup321); - -var msg29609 = msg("27504", dup321); - -var msg29610 = msg("27505", dup321); - -var msg29611 = msg("27506", dup321); - -var msg29612 = msg("27507", dup321); - -var msg29613 = msg("27508", dup321); - -var msg29614 = msg("27509", dup321); - -var msg29615 = msg("27510", dup321); - -var msg29616 = msg("27511", dup321); - -var msg29617 = msg("27512", dup321); - -var msg29618 = msg("27513", dup321); - -var msg29619 = msg("27514", dup321); - -var msg29620 = msg("27515", dup321); - -var msg29621 = msg("27516", dup321); - -var msg29622 = msg("27517", dup321); - -var msg29623 = msg("27518", dup321); - -var msg29624 = msg("27519", dup321); - -var msg29625 = msg("27520", dup321); - -var msg29626 = msg("27521", dup321); - -var msg29627 = msg("27522", dup321); - -var msg29628 = msg("27523", dup321); - -var msg29629 = msg("27524", dup321); - -var msg29630 = msg("27525", dup309); - -var msg29631 = msg("27526", dup309); - -var msg29632 = msg("27527", dup309); - -var msg29633 = msg("27528", dup309); - -var msg29634 = msg("27529", dup309); - -var msg29635 = 
msg("27530", dup309); - -var msg29636 = msg("27531", dup325); - -var msg29637 = msg("27532", dup311); - -var msg29638 = msg("27533", dup321); - -var msg29639 = msg("27534", dup321); - -var msg29640 = msg("27535", dup321); - -var msg29641 = msg("27536", dup323); - -var msg29642 = msg("27537", dup321); - -var msg29643 = msg("27538", dup321); - -var msg29644 = msg("27539", dup309); - -var msg29645 = msg("27540", dup329); - -var msg29646 = msg("27541", dup329); - -var msg29647 = msg("27542", dup314); - -var msg29648 = msg("27543", dup314); - -var msg29649 = msg("27544", dup321); - -var msg29650 = msg("27545", dup321); - -var msg29651 = msg("27546", dup321); - -var msg29652 = msg("27547", dup321); - -var msg29653 = msg("27548", dup321); - -var msg29654 = msg("27549", dup321); - -var msg29655 = msg("27550", dup311); - -var msg29656 = msg("27551", dup321); - -var msg29657 = msg("27552", dup311); - -var msg29658 = msg("27553", dup311); - -var msg29659 = msg("27554", dup311); - -var msg29660 = msg("27555", dup311); - -var msg29661 = msg("27556", dup311); - -var msg29662 = msg("27557", dup311); - -var msg29663 = msg("27558", dup321); - -var msg29664 = msg("27559", dup321); - -var msg29665 = msg("27560", dup321); - -var msg29666 = msg("27561", dup321); - -var msg29667 = msg("27562", dup321); - -var msg29668 = msg("27563", dup321); - -var msg29669 = msg("27564", dup333); - -var msg29670 = msg("27565", dup311); - -var msg29671 = msg("27566", dup321); - -var msg29672 = msg("27567", dup325); - -var msg29673 = msg("27568", dup311); - -var msg29674 = msg("27569", dup307); - -var msg29675 = msg("27570", dup314); - -var msg29676 = msg("27571", dup309); - -var msg29677 = msg("27572", dup311); - -var msg29678 = msg("27573", dup311); - -var msg29679 = msg("27574", dup311); - -var msg29680 = msg("27575", dup311); - -var msg29681 = msg("27576", dup309); - -var msg29682 = msg("27577", dup321); - -var msg29683 = msg("27578", dup200); - -var msg29684 = msg("27579", dup311); - -var msg29685 = 
msg("27580", dup307); - -var msg29686 = msg("27581", dup307); - -var msg29687 = msg("27582", dup307); - -var msg29688 = msg("27583", dup307); - -var msg29689 = msg("27584", dup307); - -var msg29690 = msg("27585", dup307); - -var msg29691 = msg("27586", dup307); - -var msg29692 = msg("27587", dup307); - -var msg29693 = msg("27588", dup307); - -var msg29694 = msg("27589", dup307); - -var msg29695 = msg("27590", dup307); - -var msg29696 = msg("27591", dup307); - -var msg29697 = msg("27592", dup311); - -var msg29698 = msg("27593", dup314); - -var msg29699 = msg("27594", dup321); - -var msg29700 = msg("27595", dup321); - -var msg29701 = msg("27596", dup321); - -var msg29702 = msg("27597", dup311); - -var msg29703 = msg("27598", dup316); - -var msg29704 = msg("27599", dup321); - -var msg29705 = msg("27600", dup321); - -var msg29706 = msg("27601", dup321); - -var msg29707 = msg("27602", dup311); - -var msg29708 = msg("27603", dup311); - -var msg29709 = msg("27604", dup326); - -var msg29710 = msg("27605", dup325); - -var msg29711 = msg("27606", dup325); - -var msg29712 = msg("27607", dup325); - -var msg29713 = msg("27608", dup309); - -var msg29714 = msg("27609", dup314); - -var msg29715 = msg("27610", dup334); - -var msg29716 = msg("27611", dup334); - -var msg29717 = msg("27612", dup325); - -var msg29718 = msg("27613", dup325); - -var msg29719 = msg("27614", dup325); - -var msg29720 = msg("27615", dup325); - -var msg29721 = msg("27616", dup325); - -var msg29722 = msg("27617", dup309); - -var msg29723 = msg("27618", dup309); - -var msg29724 = msg("27619", dup309); - -var msg29725 = msg("27620", dup325); - -var msg29726 = msg("27621", dup311); - -var msg29727 = msg("27622", dup311); - -var msg29728 = msg("27623", dup311); - -var msg29729 = msg("27624", dup334); - -var msg29730 = msg("27625", dup321); - -var msg29731 = msg("27626", dup333); - -var msg29732 = msg("27627", dup321); - -var msg29733 = msg("27628", dup321); - -var msg29734 = msg("27629", dup321); - -var msg29735 = 
msg("27630", dup321); - -var msg29736 = msg("27631", dup321); - -var msg29737 = msg("27632", dup321); - -var msg29738 = msg("27633", dup321); - -var msg29739 = msg("27634", dup309); - -var msg29740 = msg("27635", dup309); - -var msg29741 = msg("27636", dup321); - -var msg29742 = msg("27637", dup321); - -var msg29743 = msg("27638", dup314); - -var msg29744 = msg("27639", dup323); - -var msg29745 = msg("27640", dup321); - -var msg29746 = msg("27641", dup321); - -var msg29747 = msg("27642", dup321); - -var msg29748 = msg("27643", dup321); - -var msg29749 = msg("27644", dup321); - -var msg29750 = msg("27645", dup321); - -var msg29751 = msg("27646", dup309); - -var msg29752 = msg("27647", dup321); - -var msg29753 = msg("27648", dup321); - -var msg29754 = msg("27649", dup321); - -var msg29755 = msg("27650", dup321); - -var msg29756 = msg("27651", dup321); - -var msg29757 = msg("27652", dup321); - -var msg29758 = msg("27653", dup321); - -var msg29759 = msg("27654", dup321); - -var msg29760 = msg("27655", dup321); - -var msg29761 = msg("27656", dup311); - -var msg29762 = msg("27657", dup311); - -var msg29763 = msg("27658", dup311); - -var msg29764 = msg("27659", dup321); - -var msg29765 = msg("27660", dup321); - -var msg29766 = msg("27661", dup321); - -var msg29767 = msg("27662", dup321); - -var msg29768 = msg("27663", dup325); - -var msg29769 = msg("27664", dup321); - -var msg29770 = msg("27665", dup321); - -var msg29771 = msg("27666", dup324); - -var msg29772 = msg("27667", dup314); - -var msg29773 = msg("27668", dup314); - -var msg29774 = msg("27669", dup314); - -var msg29775 = msg("27670", dup321); - -var msg29776 = msg("27671", dup309); - -var msg29777 = msg("27672", dup311); - -var msg29778 = msg("27673", dup311); - -var msg29779 = msg("27674", dup311); - -var msg29780 = msg("27675", dup311); - -var msg29781 = msg("27676", dup311); - -var msg29782 = msg("27677", dup311); - -var msg29783 = msg("27678", dup321); - -var msg29784 = msg("27679", dup321); - -var msg29785 = 
msg("27680", dup321); - -var msg29786 = msg("27681", dup322); - -var msg29787 = msg("27682", dup322); - -var msg29788 = msg("27683", dup322); - -var msg29789 = msg("27684", dup322); - -var msg29790 = msg("27685", dup322); - -var msg29791 = msg("27686", dup322); - -var msg29792 = msg("27687", dup322); - -var msg29793 = msg("27688", dup314); - -var msg29794 = msg("27689", dup330); - -var msg29795 = msg("27690", dup330); - -var msg29796 = msg("27691", dup309); - -var msg29797 = msg("27692", dup309); - -var msg29798 = msg("27693", dup309); - -var msg29799 = msg("27694", dup309); - -var msg29800 = msg("27695", dup311); - -var msg29801 = msg("27696", dup311); - -var msg29802 = msg("27697", dup311); - -var msg29803 = msg("27698", dup333); - -var msg29804 = msg("27699", dup321); - -var msg29805 = msg("27700", dup327); - -var msg29806 = msg("27701", dup311); - -var msg29807 = msg("27702", dup311); - -var msg29808 = msg("27703", dup311); - -var msg29809 = msg("27704", dup311); - -var msg29810 = msg("27705", dup311); - -var msg29811 = msg("27706", dup311); - -var msg29812 = msg("27707", dup321); - -var msg29813 = msg("27708", dup321); - -var msg29814 = msg("27709", dup325); - -var msg29815 = msg("27710", dup325); - -var msg29816 = msg("27711", dup321); - -var msg29817 = msg("27712", dup311); - -var msg29818 = msg("27713", dup311); - -var msg29819 = msg("27714", dup311); - -var msg29820 = msg("27715", dup311); - -var msg29821 = msg("27716", dup311); - -var msg29822 = msg("27717", dup311); - -var msg29823 = msg("27718", dup309); - -var msg29824 = msg("27719", dup309); - -var msg29825 = msg("27720", dup321); - -var msg29826 = msg("27721", dup311); - -var msg29827 = msg("27722", dup311); - -var msg29828 = msg("27723", dup322); - -var msg29829 = msg("27724", dup322); - -var msg29830 = msg("27725", dup335); - -var msg29831 = msg("27726", dup324); - -var msg29832 = msg("27727", dup324); - -var msg29833 = msg("27728", dup324); - -var msg29834 = msg("27729", dup314); - -var msg29835 = 
msg("27730", dup314); - -var msg29836 = msg("27731", dup314); - -var msg29837 = msg("27732", dup314); - -var msg29838 = msg("27733", dup307); - -var msg29839 = msg("27734", dup307); - -var msg29840 = msg("27735", dup311); - -var msg29841 = msg("27736", dup311); - -var msg29842 = msg("27737", dup311); - -var msg29843 = msg("27738", dup307); - -var msg29844 = msg("27739", dup307); - -var msg29845 = msg("27740", dup307); - -var msg29846 = msg("27741", dup307); - -var msg29847 = msg("27742", dup309); - -var msg29848 = msg("27743", dup309); - -var msg29849 = msg("27744", dup309); - -var msg29850 = msg("27745", dup309); - -var msg29851 = msg("27746", dup321); - -var msg29852 = msg("27747", dup321); - -var msg29853 = msg("27748", dup322); - -var msg29854 = msg("27749", dup322); - -var msg29855 = msg("27750", dup309); - -var msg29856 = msg("27751", dup309); - -var msg29857 = msg("27752", dup322); - -var msg29858 = msg("27753", dup322); - -var msg29859 = msg("27754", dup309); - -var msg29860 = msg("27755", dup309); - -var msg29861 = msg("27756", dup311); - -var msg29862 = msg("27757", dup314); - -var msg29863 = msg("27758", dup314); - -var msg29864 = msg("27759", dup321); - -var msg29865 = msg("27760", dup314); - -var msg29866 = msg("27761", dup314); - -var msg29867 = msg("27762", dup314); - -var msg29868 = msg("27763", dup314); - -var msg29869 = msg("27764", dup309); - -var msg29870 = msg("27765", dup309); - -var msg29871 = msg("27766", dup314); - -var msg29872 = msg("27767", dup314); - -var msg29873 = msg("27768", dup314); - -var msg29874 = msg("27769", dup309); - -var msg29875 = msg("27770", dup309); - -var msg29876 = msg("27771", dup309); - -var msg29877 = msg("27772", dup309); - -var msg29878 = msg("27773", dup309); - -var msg29879 = msg("27774", dup321); - -var msg29880 = msg("27775", dup321); - -var msg29881 = msg("27776", dup307); - -var msg29882 = msg("27777", dup311); - -var msg29883 = msg("27778", dup307); - -var msg29884 = msg("27779", dup307); - -var msg29885 = 
msg("27780", dup307); - -var msg29886 = msg("27781", dup314); - -var msg29887 = msg("27782", dup314); - -var msg29888 = msg("27783", dup311); - -var msg29889 = msg("27784", dup311); - -var msg29890 = msg("27785", dup311); - -var msg29891 = msg("27786", dup309); - -var msg29892 = msg("27787", dup309); - -var msg29893 = msg("27788", dup314); - -var msg29894 = msg("27789", dup314); - -var msg29895 = msg("27790", dup314); - -var msg29896 = msg("27791", dup314); - -var msg29897 = msg("27792", dup314); - -var msg29898 = msg("27793", dup314); - -var msg29899 = msg("27794", dup314); - -var msg29900 = msg("27795", dup314); - -var msg29901 = msg("27796", dup322); - -var msg29902 = msg("27797", dup322); - -var msg29903 = msg("27798", dup314); - -var msg29904 = msg("27799", dup314); - -var msg29905 = msg("27800", dup314); - -var msg29906 = msg("27801", dup321); - -var msg29907 = msg("27802", dup321); - -var msg29908 = msg("27803", dup321); - -var msg29909 = msg("27804", dup321); - -var msg29910 = msg("27805", dup321); - -var msg29911 = msg("27806", dup321); - -var msg29912 = msg("27807", dup311); - -var msg29913 = msg("27808", dup311); - -var msg29914 = msg("27809", dup311); - -var msg29915 = msg("27810", dup311); - -var msg29916 = msg("27811", dup321); - -var msg29917 = msg("27812", dup321); - -var msg29918 = msg("27813", dup311); - -var msg29919 = msg("27814", dup311); - -var msg29920 = msg("27815", dup311); - -var msg29921 = msg("27816", dup307); - -var msg29922 = msg("27817", dup321); - -var msg29923 = msg("27818", dup324); - -var msg29924 = msg("27819", dup324); - -var msg29925 = msg("27820", dup309); - -var msg29926 = msg("27821", dup309); - -var msg29927 = msg("27822", dup311); - -var msg29928 = msg("27823", dup325); - -var msg29929 = msg("27824", dup309); - -var msg29930 = msg("27825", dup309); - -var msg29931 = msg("27826", dup311); - -var msg29932 = msg("27827", dup311); - -var msg29933 = msg("27828", dup311); - -var msg29934 = msg("27829", dup325); - -var msg29935 = 
msg("27830", dup325); - -var msg29936 = msg("27831", dup323); - -var msg29937 = msg("27832", dup323); - -var msg29938 = msg("27833", dup323); - -var msg29939 = msg("27834", dup323); - -var msg29940 = msg("27835", dup325); - -var msg29941 = msg("27836", dup325); - -var msg29942 = msg("27837", dup325); - -var msg29943 = msg("27838", dup325); - -var msg29944 = msg("27839", dup325); - -var msg29945 = msg("27840", dup325); - -var msg29946 = msg("27841", dup325); - -var msg29947 = msg("27842", dup325); - -var msg29948 = msg("27843", dup325); - -var msg29949 = msg("27844", dup325); - -var msg29950 = msg("27845", dup311); - -var msg29951 = msg("27846", dup311); - -var msg29952 = msg("27847", dup314); - -var msg29953 = msg("27848", dup314); - -var msg29954 = msg("27849", dup314); - -var msg29955 = msg("27850", dup309); - -var msg29956 = msg("27851", dup309); - -var msg29957 = msg("27852", dup309); - -var msg29958 = msg("27853", dup309); - -var msg29959 = msg("27854", dup309); - -var msg29960 = msg("27855", dup309); - -var msg29961 = msg("27856", dup309); - -var msg29962 = msg("27857", dup309); - -var msg29963 = msg("27858", dup309); - -var msg29964 = msg("27859", dup309); - -var msg29965 = msg("27860", dup324); - -var msg29966 = msg("27861", dup314); - -var msg29967 = msg("27862", dup323); - -var msg29968 = msg("27863", dup311); - -var msg29969 = msg("27864", dup321); - -var msg29970 = msg("27865", dup311); - -var msg29971 = msg("27866", dup311); - -var msg29972 = msg("27867", dup321); - -var msg29973 = msg("27868", dup325); - -var msg29974 = msg("27869", dup314); - -var msg29975 = msg("27870", dup314); - -var msg29976 = msg("27871", dup314); - -var msg29977 = msg("27872", dup314); - -var msg29978 = msg("27873", dup311); - -var msg29979 = msg("27874", dup311); - -var msg29980 = msg("27875", dup311); - -var msg29981 = msg("27876", dup311); - -var msg29982 = msg("27877", dup311); - -var msg29983 = msg("27878", dup311); - -var msg29984 = msg("27879", dup311); - -var msg29985 = 
msg("27880", dup311); - -var msg29986 = msg("27881", dup311); - -var msg29987 = msg("27882", dup311); - -var msg29988 = msg("27883", dup311); - -var msg29989 = msg("27884", dup311); - -var msg29990 = msg("27885", dup311); - -var msg29991 = msg("27886", dup311); - -var msg29992 = msg("27887", dup311); - -var msg29993 = msg("27888", dup311); - -var msg29994 = msg("27889", dup311); - -var msg29995 = msg("27890", dup311); - -var msg29996 = msg("27891", dup311); - -var msg29997 = msg("27892", dup311); - -var msg29998 = msg("27893", dup311); - -var msg29999 = msg("27894", dup307); - -var msg30000 = msg("27895", dup307); - -var msg30001 = msg("27896", dup307); - -var msg30002 = msg("27897", dup307); - -var msg30003 = msg("27898", dup307); - -var msg30004 = msg("27899", dup323); - -var msg30005 = msg("27900", dup323); - -var msg30006 = msg("27901", dup311); - -var msg30007 = msg("27902", dup323); - -var msg30008 = msg("27903", dup311); - -var msg30009 = msg("27904", dup323); - -var msg30010 = msg("27905", dup321); - -var msg30011 = msg("27906", dup311); - -var msg30012 = msg("27907", dup311); - -var msg30013 = msg("27908", dup325); - -var msg30014 = msg("27909", dup325); - -var msg30015 = msg("27910", dup321); - -var msg30016 = msg("27911", dup311); - -var msg30017 = msg("27912", dup311); - -var msg30018 = msg("27913", dup321); - -var msg30019 = msg("27914", dup321); - -var msg30020 = msg("27915", dup321); - -var msg30021 = msg("27916", dup321); - -var msg30022 = msg("27917", dup321); - -var msg30023 = msg("27918", dup321); - -var msg30024 = msg("27919", dup321); - -var msg30025 = msg("27920", dup311); - -var msg30026 = msg("27921", dup316); - -var msg30027 = msg("27922", dup314); - -var msg30028 = msg("27923", dup314); - -var msg30029 = msg("27924", dup314); - -var msg30030 = msg("27925", dup314); - -var msg30031 = msg("27926", dup314); - -var msg30032 = msg("27927", dup314); - -var msg30033 = msg("27928", dup314); - -var msg30034 = msg("27929", dup314); - -var msg30035 = 
msg("27930", dup329); - -var msg30036 = msg("27931", dup329); - -var msg30037 = msg("27932", dup329); - -var msg30038 = msg("27933", dup314); - -var msg30039 = msg("27934", dup314); - -var msg30040 = msg("27935", dup311); - -var msg30041 = msg("27936", dup311); - -var msg30042 = msg("27937", dup314); - -var msg30043 = msg("27938", dup329); - -var msg30044 = msg("27939", dup321); - -var msg30045 = msg("27940", dup324); - -var msg30046 = msg("27941", dup314); - -var msg30047 = msg("27942", dup311); - -var msg30048 = msg("27943", dup311); - -var msg30049 = msg("27944", dup311); - -var msg30050 = msg("27945", dup309); - -var msg30051 = msg("27946", dup321); - -var msg30052 = msg("27947", dup309); - -var msg30053 = msg("27948", dup309); - -var msg30054 = msg("27949", dup321); - -var msg30055 = msg("27950", dup321); - -var msg30056 = msg("27951", dup321); - -var msg30057 = msg("27952", dup321); - -var msg30058 = msg("27953", dup321); - -var msg30059 = msg("27954", dup321); - -var msg30060 = msg("27955", dup321); - -var msg30061 = msg("27956", dup321); - -var msg30062 = msg("27957", dup321); - -var msg30063 = msg("27958", dup321); - -var msg30064 = msg("27959", dup321); - -var msg30065 = msg("27960", dup321); - -var msg30066 = msg("27961", dup321); - -var msg30067 = msg("27962", dup321); - -var msg30068 = msg("27963", dup321); - -var msg30069 = msg("27964", dup321); - -var msg30070 = msg("27965", dup321); - -var msg30071 = msg("27966", dup321); - -var msg30072 = msg("27967", dup321); - -var msg30073 = msg("27968", dup321); - -var msg30074 = msg("27969", dup321); - -var msg30075 = msg("27970", dup321); - -var msg30076 = msg("27971", dup321); - -var msg30077 = msg("27972", dup321); - -var msg30078 = msg("27973", dup321); - -var msg30079 = msg("27974", dup321); - -var msg30080 = msg("27975", dup321); - -var msg30081 = msg("27976", dup321); - -var msg30082 = msg("27977", dup321); - -var msg30083 = msg("27978", dup321); - -var msg30084 = msg("27979", dup321); - -var msg30085 = 
msg("27980", dup325); - -var msg30086 = msg("27981", dup325); - -var msg30087 = msg("27982", dup311); - -var msg30088 = msg("27983", dup323); - -var msg30089 = msg("27984", dup329); - -var msg30090 = msg("27985", dup329); - -var msg30091 = msg("27986", dup329); - -var msg30092 = msg("27987", dup329); - -var msg30093 = msg("27988", dup329); - -var msg30094 = msg("27989", dup329); - -var msg30095 = msg("27990", dup329); - -var msg30096 = msg("27991", dup329); - -var msg30097 = msg("27992", dup329); - -var msg30098 = msg("27993", dup329); - -var msg30099 = msg("27994", dup329); - -var msg30100 = msg("27995", dup329); - -var msg30101 = msg("27996", dup329); - -var msg30102 = msg("27997", dup329); - -var msg30103 = msg("27998", dup329); - -var msg30104 = msg("27999", dup314); - -var msg30105 = msg("28000", dup311); - -var msg30106 = msg("28001", dup323); - -var msg30107 = msg("28002", dup336); - -var msg30108 = msg("28003", dup336); - -var msg30109 = msg("28004", dup321); - -var msg30110 = msg("28005", dup321); - -var msg30111 = msg("28006", dup321); - -var msg30112 = msg("28007", dup321); - -var msg30113 = msg("28008", dup321); - -var msg30114 = msg("28009", dup321); - -var msg30115 = msg("28010", dup321); - -var msg30116 = msg("28011", dup321); - -var msg30117 = msg("28012", dup321); - -var msg30118 = msg("28013", dup311); - -var msg30119 = msg("28014", dup311); - -var msg30120 = msg("28015", dup337); - -var msg30121 = msg("28016", dup311); - -var msg30122 = msg("28017", dup311); - -var msg30123 = msg("28018", dup311); - -var msg30124 = msg("28019", dup311); - -var msg30125 = msg("28020", dup311); - -var msg30126 = msg("28021", dup311); - -var msg30127 = msg("28022", dup311); - -var msg30128 = msg("28023", dup311); - -var msg30129 = msg("28024", dup307); - -var msg30130 = msg("28025", dup307); - -var msg30131 = msg("28026", dup311); - -var msg30132 = msg("28027", dup311); - -var msg30133 = msg("28028", dup311); - -var msg30134 = msg("28029", dup311); - -var msg30135 = 
msg("28030", dup311); - -var msg30136 = msg("28031", dup311); - -var msg30137 = msg("28032", dup311); - -var msg30138 = msg("28033", dup321); - -var msg30139 = msg("28034", dup321); - -var msg30140 = msg("28035", dup321); - -var msg30141 = msg("28036", dup321); - -var msg30142 = msg("28037", dup311); - -var msg30143 = msg("28038", dup311); - -var msg30144 = msg("28039", dup337); - -var msg30145 = msg("28040", dup321); - -var msg30146 = msg("28041", dup310); - -var msg30147 = msg("28042", dup321); - -var msg30148 = msg("28043", dup311); - -var msg30149 = msg("28044", dup321); - -var msg30150 = msg("28045", dup321); - -var msg30151 = msg("28046", dup314); - -var msg30152 = msg("28047", dup307); - -var msg30153 = msg("28048", dup311); - -var msg30154 = msg("28049", dup311); - -var msg30155 = msg("28050", dup311); - -var msg30156 = msg("28051", dup311); - -var msg30157 = msg("28052", dup311); - -var msg30158 = msg("28053", dup321); - -var msg30159 = msg("28054", dup307); - -var msg30160 = msg("28055", dup200); - -var msg30161 = msg("28056", dup200); - -var msg30162 = msg("28057", dup200); - -var msg30163 = msg("28058", dup321); - -var msg30164 = msg("28059", dup321); - -var msg30165 = msg("28060", dup321); - -var msg30166 = msg("28061", dup321); - -var msg30167 = msg("28062", dup321); - -var msg30168 = msg("28063", dup321); - -var msg30169 = msg("28064", dup321); - -var msg30170 = msg("28065", dup321); - -var msg30171 = msg("28066", dup321); - -var msg30172 = msg("28067", dup321); - -var msg30173 = msg("28068", dup314); - -var msg30174 = msg("28069", dup321); - -var msg30175 = msg("28070", dup321); - -var msg30176 = msg("28071", dup310); - -var msg30177 = msg("28072", dup321); - -var msg30178 = msg("28073", dup321); - -var msg30179 = msg("28074", dup321); - -var msg30180 = msg("28075", dup321); - -var msg30181 = msg("28076", dup314); - -var msg30182 = msg("28077", dup321); - -var msg30183 = msg("28078", dup321); - -var msg30184 = msg("28079", dup321); - -var msg30185 = 
msg("28080", dup321); - -var msg30186 = msg("28081", dup200); - -var msg30187 = msg("28082", dup200); - -var msg30188 = msg("28083", dup311); - -var msg30189 = msg("28084", dup321); - -var msg30190 = msg("28085", dup321); - -var msg30191 = msg("28086", dup200); - -var msg30192 = msg("28087", dup200); - -var msg30193 = msg("28088", dup309); - -var msg30194 = msg("28089", dup323); - -var msg30195 = msg("28090", dup323); - -var msg30196 = msg("28093", dup314); - -var msg30197 = msg("28094", dup321); - -var msg30198 = msg("28095", dup321); - -var msg30199 = msg("28096", dup321); - -var msg30200 = msg("28097", dup321); - -var msg30201 = msg("28098", dup322); - -var msg30202 = msg("28099", dup322); - -var msg30203 = msg("28100", dup322); - -var msg30204 = msg("28101", dup322); - -var msg30205 = msg("28102", dup322); - -var msg30206 = msg("28103", dup309); - -var msg30207 = msg("28104", dup321); - -var msg30208 = msg("28105", dup321); - -var msg30209 = msg("28106", dup321); - -var msg30210 = msg("28107", dup321); - -var msg30211 = msg("28108", dup311); - -var msg30212 = msg("28109", dup311); - -var msg30213 = msg("28110", dup311); - -var msg30214 = msg("28111", dup311); - -var msg30215 = msg("28112", dup325); - -var msg30216 = msg("28113", dup309); - -var msg30217 = msg("28114", dup321); - -var msg30218 = msg("28115", dup321); - -var msg30219 = msg("28116", dup321); - -var msg30220 = msg("28117", dup321); - -var msg30221 = msg("28118", dup321); - -var msg30222 = msg("28119", dup321); - -var msg30223 = msg("28120", dup321); - -var msg30224 = msg("28121", dup321); - -var msg30225 = msg("28122", dup321); - -var msg30226 = msg("28123", dup321); - -var msg30227 = msg("28124", dup309); - -var msg30228 = msg("28125", dup321); - -var msg30229 = msg("28126", dup314); - -var msg30230 = msg("28127", dup314); - -var msg30231 = msg("28128", dup309); - -var msg30232 = msg("28129", dup309); - -var msg30233 = msg("28130", dup309); - -var msg30234 = msg("28131", dup309); - -var msg30235 = 
msg("28132", dup309); - -var msg30236 = msg("28133", dup309); - -var msg30237 = msg("28134", dup321); - -var msg30238 = msg("28135", dup309); - -var msg30239 = msg("28136", dup309); - -var msg30240 = msg("28137", dup309); - -var msg30241 = msg("28138", dup337); - -var msg30242 = msg("28139", dup311); - -var msg30243 = msg("28140", dup321); - -var msg30244 = msg("28141", dup321); - -var msg30245 = msg("28142", dup321); - -var msg30246 = msg("28143", dup321); - -var msg30247 = msg("28144", dup321); - -var msg30248 = msg("28145", dup314); - -var msg30249 = msg("28146", dup321); - -var msg30250 = msg("28147", dup321); - -var msg30251 = msg("28148", dup321); - -var msg30252 = msg("28149", dup314); - -var msg30253 = msg("28150", dup314); - -var msg30254 = msg("28151", dup325); - -var msg30255 = msg("28152", dup321); - -var msg30256 = msg("28153", dup321); - -var msg30257 = msg("28154", dup321); - -var msg30258 = msg("28155", dup321); - -var msg30259 = msg("28156", dup321); - -var msg30260 = msg("28157", dup311); - -var msg30261 = msg("28158", dup325); - -var msg30262 = msg("28159", dup325); - -var msg30263 = msg("28160", dup325); - -var msg30264 = msg("28161", dup324); - -var msg30265 = msg("28162", dup324); - -var msg30266 = msg("28163", dup311); - -var msg30267 = msg("28164", dup321); - -var msg30268 = msg("28165", dup323); - -var msg30269 = msg("28166", dup321); - -var msg30270 = msg("28167", dup321); - -var msg30271 = msg("28168", dup321); - -var msg30272 = msg("28169", dup321); - -var msg30273 = msg("28170", dup321); - -var msg30274 = msg("28171", dup321); - -var msg30275 = msg("28172", dup321); - -var msg30276 = msg("28173", dup321); - -var msg30277 = msg("28174", dup321); - -var msg30278 = msg("28175", dup321); - -var msg30279 = msg("28176", dup321); - -var msg30280 = msg("28177", dup321); - -var msg30281 = msg("28178", dup321); - -var msg30282 = msg("28179", dup321); - -var msg30283 = msg("28180", dup321); - -var msg30284 = msg("28181", dup321); - -var msg30285 = 
msg("28182", dup321); - -var msg30286 = msg("28183", dup321); - -var msg30287 = msg("28184", dup321); - -var msg30288 = msg("28185", dup321); - -var msg30289 = msg("28186", dup321); - -var msg30290 = msg("28187", dup321); - -var msg30291 = msg("28188", dup321); - -var msg30292 = msg("28189", dup321); - -var msg30293 = msg("28190", dup311); - -var msg30294 = msg("28191", dup325); - -var msg30295 = msg("28192", dup321); - -var msg30296 = msg("28193", dup321); - -var msg30297 = msg("28194", dup311); - -var msg30298 = msg("28195", dup311); - -var msg30299 = msg("28196", dup311); - -var msg30300 = msg("28197", dup311); - -var msg30301 = msg("28198", dup311); - -var msg30302 = msg("28199", dup311); - -var msg30303 = msg("28200", dup311); - -var msg30304 = msg("28201", dup314); - -var msg30305 = msg("28202", dup324); - -var msg30306 = msg("28203", dup324); - -var msg30307 = msg("28204", dup311); - -var msg30308 = msg("28205", dup309); - -var msg30309 = msg("28206", dup309); - -var msg30310 = msg("28207", dup311); - -var msg30311 = msg("28208", dup311); - -var msg30312 = msg("28209", dup321); - -var msg30313 = msg("28210", dup321); - -var msg30314 = msg("28211", dup321); - -var msg30315 = msg("28212", dup321); - -var msg30316 = msg("28213", dup311); - -var msg30317 = msg("28214", dup311); - -var msg30318 = msg("28215", dup311); - -var msg30319 = msg("28216", dup333); - -var msg30320 = msg("28217", dup321); - -var msg30321 = msg("28218", dup321); - -var msg30322 = msg("28219", dup321); - -var msg30323 = msg("28220", dup321); - -var msg30324 = msg("28221", dup321); - -var msg30325 = msg("28222", dup321); - -var msg30326 = msg("28223", dup321); - -var msg30327 = msg("28224", dup321); - -var msg30328 = msg("28225", dup321); - -var msg30329 = msg("28226", dup321); - -var msg30330 = msg("28227", dup309); - -var msg30331 = msg("28228", dup309); - -var msg30332 = msg("28229", dup321); - -var msg30333 = msg("28230", dup321); - -var msg30334 = msg("28231", dup323); - -var msg30335 = 
msg("28232", dup323); - -var msg30336 = msg("28233", dup311); - -var msg30337 = msg("28234", dup321); - -var msg30338 = msg("28235", dup311); - -var msg30339 = msg("28236", dup311); - -var msg30340 = msg("28237", dup311); - -var msg30341 = msg("28238", dup307); - -var msg30342 = msg("28239", dup321); - -var msg30343 = msg("28240", dup200); - -var msg30344 = msg("28241", dup321); - -var msg30345 = msg("28242", dup321); - -var msg30346 = msg("28243", dup321); - -var msg30347 = msg("28244", dup321); - -var msg30348 = msg("28245", dup314); - -var msg30349 = msg("28246", dup314); - -var msg30350 = msg("28247", dup321); - -var msg30351 = msg("28248", dup321); - -var msg30352 = msg("28249", dup321); - -var msg30353 = msg("28250", dup321); - -var msg30354 = msg("28251", dup322); - -var msg30355 = msg("28252", dup309); - -var msg30356 = msg("28253", dup321); - -var msg30357 = msg("28254", dup321); - -var msg30358 = msg("28255", dup321); - -var msg30359 = msg("28256", dup309); - -var msg30360 = msg("28257", dup311); - -var msg30361 = msg("28258", dup311); - -var msg30362 = msg("28259", dup311); - -var msg30363 = msg("28260", dup311); - -var msg30364 = msg("28261", dup309); - -var msg30365 = msg("28262", dup309); - -var msg30366 = msg("28263", dup309); - -var msg30367 = msg("28264", dup311); - -var msg30368 = msg("28265", dup311); - -var msg30369 = msg("28266", dup309); - -var msg30370 = msg("28267", dup325); - -var msg30371 = msg("28268", dup325); - -var msg30372 = msg("28269", dup325); - -var msg30373 = msg("28270", dup325); - -var msg30374 = msg("28271", dup325); - -var msg30375 = msg("28272", dup325); - -var msg30376 = msg("28273", dup311); - -var msg30377 = msg("28274", dup311); - -var msg30378 = msg("28275", dup311); - -var msg30379 = msg("28276", dup311); - -var msg30380 = msg("28277", dup311); - -var msg30381 = msg("28278", dup322); - -var msg30382 = msg("28279", dup321); - -var msg30383 = msg("28280", dup321); - -var msg30384 = msg("28281", dup321); - -var msg30385 = 
msg("28282", dup321); - -var msg30386 = msg("28283", dup321); - -var msg30387 = msg("28284", dup311); - -var msg30388 = msg("28285", dup321); - -var msg30389 = msg("28286", dup309); - -var msg30390 = msg("28287", dup311); - -var msg30391 = msg("28288", dup311); - -var msg30392 = msg("28289", dup311); - -var msg30393 = msg("28290", dup311); - -var msg30394 = msg("28291", dup311); - -var msg30395 = msg("28292", dup334); - -var msg30396 = msg("28293", dup324); - -var msg30397 = msg("28294", dup324); - -var msg30398 = msg("28295", dup324); - -var msg30399 = msg("28296", dup324); - -var msg30400 = msg("28297", dup321); - -var msg30401 = msg("28298", dup311); - -var msg30402 = msg("28299", dup322); - -var msg30403 = msg("28300", dup321); - -var msg30404 = msg("28303", dup309); - -var msg30405 = msg("28304", dup311); - -var msg30406 = msg("28305", dup321); - -var msg30407 = msg("28306", dup325); - -var msg30408 = msg("28309", dup311); - -var msg30409 = msg("28315", dup309); - -var msg30410 = msg("28323", dup321); - -var msg30411 = msg("28325", dup321); - -var msg30412 = msg("28326", dup321); - -var msg30413 = msg("28327", dup321); - -var msg30414 = msg("28328", dup321); - -var msg30415 = msg("28329", dup321); - -var msg30416 = msg("28330", dup321); - -var msg30417 = msg("28331", dup309); - -var msg30418 = msg("28332", dup309); - -var msg30419 = msg("28333", dup309); - -var msg30420 = msg("28334", dup309); - -var msg30421 = msg("28335", dup309); - -var msg30422 = msg("28336", dup309); - -var msg30423 = msg("28337", dup309); - -var msg30424 = msg("28338", dup309); - -var msg30425 = msg("28339", dup309); - -var msg30426 = msg("28340", dup309); - -var msg30427 = msg("28341", dup309); - -var msg30428 = msg("28342", dup309); - -var msg30429 = msg("28343", dup309); - -var msg30430 = msg("28344", dup322); - -var msg30431 = msg("28345", dup311); - -var msg30432 = msg("28346", dup311); - -var msg30433 = msg("28347", dup321); - -var msg30434 = msg("28348", dup321); - -var msg30435 = 
msg("28349", dup314); - -var msg30436 = msg("28350", dup314); - -var msg30437 = msg("28351", dup314); - -var msg30438 = msg("28352", dup311); - -var msg30439 = msg("28353", dup311); - -var msg30440 = msg("28354", dup311); - -var msg30441 = msg("28355", dup311); - -var msg30442 = msg("28356", dup311); - -var msg30443 = msg("28357", dup311); - -var msg30444 = msg("28358", dup311); - -var msg30445 = msg("28359", dup311); - -var msg30446 = msg("28360", dup311); - -var msg30447 = msg("28361", dup311); - -var msg30448 = msg("28362", dup325); - -var msg30449 = msg("28363", dup325); - -var msg30450 = msg("28364", dup325); - -var msg30451 = msg("28365", dup321); - -var msg30452 = msg("28366", dup321); - -var msg30453 = msg("28367", dup314); - -var msg30454 = msg("28368", dup314); - -var msg30455 = msg("28369", dup314); - -var msg30456 = msg("28370", dup314); - -var msg30457 = msg("28371", dup321); - -var msg30458 = msg("28372", dup321); - -var msg30459 = msg("28373", dup321); - -var msg30460 = msg("28374", dup311); - -var msg30461 = msg("28375", dup311); - -var msg30462 = msg("28376", dup311); - -var msg30463 = msg("28377", dup311); - -var msg30464 = msg("28378", dup311); - -var msg30465 = msg("28379", dup311); - -var msg30466 = msg("28380", dup311); - -var msg30467 = msg("28381", dup321); - -var msg30468 = msg("28382", dup314); - -var msg30469 = msg("28383", dup314); - -var msg30470 = msg("28384", dup314); - -var msg30471 = msg("28385", dup311); - -var msg30472 = msg("28386", dup314); - -var msg30473 = msg("28387", dup314); - -var msg30474 = msg("28388", dup311); - -var msg30475 = msg("28389", dup311); - -var msg30476 = msg("28390", dup309); - -var msg30477 = msg("28391", dup309); - -var msg30478 = msg("28392", dup309); - -var msg30479 = msg("28393", dup311); - -var msg30480 = msg("28394", dup311); - -var msg30481 = msg("28395", dup311); - -var msg30482 = msg("28396", dup311); - -var msg30483 = msg("28397", dup311); - -var msg30484 = msg("28398", dup311); - -var msg30485 = 
msg("28399", dup321); - -var msg30486 = msg("28400", dup321); - -var msg30487 = msg("28401", dup200); - -var msg30488 = msg("28402", dup200); - -var msg30489 = msg("28403", dup200); - -var msg30490 = msg("28404", dup321); - -var msg30491 = msg("28405", dup321); - -var msg30492 = msg("28406", dup321); - -var msg30493 = msg("28407", dup314); - -var msg30494 = msg("28408", dup311); - -var msg30495 = msg("28409", dup311); - -var msg30496 = msg("28410", dup321); - -var msg30497 = msg("28411", dup321); - -var msg30498 = msg("28412", dup311); - -var msg30499 = msg("28413", dup311); - -var msg30500 = msg("28414", dup311); - -var msg30501 = msg("28415", dup321); - -var msg30502 = msg("28416", dup321); - -var msg30503 = msg("28417", dup321); - -var msg30504 = msg("28418", dup321); - -var msg30505 = msg("28419", dup321); - -var msg30506 = msg("28420", dup311); - -var msg30507 = msg("28421", dup311); - -var msg30508 = msg("28422", dup311); - -var msg30509 = msg("28423", dup307); - -var msg30510 = msg("28424", dup311); - -var msg30511 = msg("28425", dup314); - -var msg30512 = msg("28426", dup311); - -var msg30513 = msg("28427", dup311); - -var msg30514 = msg("28428", dup311); - -var msg30515 = msg("28429", dup311); - -var msg30516 = msg("28430", dup307); - -var msg30517 = msg("28431", dup307); - -var msg30518 = msg("28432", dup307); - -var msg30519 = msg("28433", dup307); - -var msg30520 = msg("28434", dup307); - -var msg30521 = msg("28435", dup314); - -var msg30522 = msg("28436", dup314); - -var msg30523 = msg("28437", dup314); - -var msg30524 = msg("28438", dup314); - -var msg30525 = msg("28439", dup321); - -var msg30526 = msg("28440", dup309); - -var msg30527 = msg("28441", dup309); - -var msg30528 = msg("28442", dup309); - -var msg30529 = msg("28443", dup309); - -var msg30530 = msg("28444", dup321); - -var msg30531 = msg("28445", dup321); - -var msg30532 = msg("28446", dup321); - -var msg30533 = msg("28447", dup311); - -var msg30534 = msg("28448", dup314); - -var msg30535 = 
msg("28449", dup311); - -var msg30536 = msg("28450", dup311); - -var msg30537 = msg("28451", dup311); - -var msg30538 = msg("28452", dup311); - -var msg30539 = msg("28453", dup311); - -var msg30540 = msg("28454", dup311); - -var msg30541 = msg("28455", dup311); - -var msg30542 = msg("28456", dup311); - -var msg30543 = msg("28457", dup311); - -var msg30544 = msg("28458", dup311); - -var msg30545 = msg("28459", dup311); - -var msg30546 = msg("28460", dup311); - -var msg30547 = msg("28461", dup309); - -var msg30548 = msg("28462", dup309); - -var msg30549 = msg("28463", dup309); - -var msg30550 = msg("28464", dup309); - -var msg30551 = msg("28465", dup309); - -var msg30552 = msg("28466", dup309); - -var msg30553 = msg("28467", dup309); - -var msg30554 = msg("28468", dup309); - -var msg30555 = msg("28469", dup309); - -var msg30556 = msg("28470", dup309); - -var msg30557 = msg("28471", dup309); - -var msg30558 = msg("28472", dup309); - -var msg30559 = msg("28473", dup309); - -var msg30560 = msg("28474", dup311); - -var msg30561 = msg("28475", dup311); - -var msg30562 = msg("28476", dup311); - -var msg30563 = msg("28477", dup311); - -var msg30564 = msg("28478", dup311); - -var msg30565 = msg("28479", dup321); - -var msg30566 = msg("28480", dup333); - -var msg30567 = msg("28481", dup321); - -var msg30568 = msg("28482", dup321); - -var msg30569 = msg("28483", dup321); - -var msg30570 = msg("28484", dup321); - -var msg30571 = msg("28485", dup321); - -var msg30572 = msg("28486", dup321); - -var msg30573 = msg("28487", dup311); - -var msg30574 = msg("28488", dup311); - -var msg30575 = msg("28489", dup325); - -var msg30576 = msg("28490", dup311); - -var msg30577 = msg("28491", dup325); - -var msg30578 = msg("28492", dup325); - -var msg30579 = msg("28493", dup321); - -var msg30580 = msg("28494", dup311); - -var msg30581 = msg("28495", dup311); - -var msg30582 = msg("28496", dup325); - -var msg30583 = msg("28497", dup314); - -var msg30584 = msg("28498", dup309); - -var msg30585 = 
msg("28499", dup309); - -var msg30586 = msg("28500", dup314); - -var msg30587 = msg("28501", dup314); - -var msg30588 = msg("28502", dup309); - -var msg30589 = msg("28503", dup309); - -var msg30590 = msg("28504", dup325); - -var msg30591 = msg("28505", dup314); - -var msg30592 = msg("28506", dup314); - -var msg30593 = msg("28507", dup314); - -var msg30594 = msg("28508", dup314); - -var msg30595 = msg("28509", dup309); - -var msg30596 = msg("28510", dup309); - -var msg30597 = msg("28511", dup309); - -var msg30598 = msg("28512", dup309); - -var msg30599 = msg("28513", dup309); - -var msg30600 = msg("28514", dup309); - -var msg30601 = msg("28515", dup309); - -var msg30602 = msg("28516", dup309); - -var msg30603 = msg("28517", dup309); - -var msg30604 = msg("28518", dup309); - -var msg30605 = msg("28519", dup309); - -var msg30606 = msg("28520", dup309); - -var msg30607 = msg("28521", dup309); - -var msg30608 = msg("28522", dup325); - -var msg30609 = msg("28523", dup325); - -var msg30610 = msg("28524", dup325); - -var msg30611 = msg("28525", dup309); - -var msg30612 = msg("28526", dup309); - -var msg30613 = msg("28527", dup321); - -var msg30614 = msg("28528", dup321); - -var msg30615 = msg("28529", dup321); - -var msg30616 = msg("28530", dup314); - -var msg30617 = msg("28531", dup321); - -var msg30618 = msg("28532", dup324); - -var msg30619 = msg("28533", dup321); - -var msg30620 = msg("28534", dup307); - -var msg30621 = msg("28535", dup307); - -var msg30622 = msg("28536", dup307); - -var msg30623 = msg("28537", dup307); - -var msg30624 = msg("28538", dup321); - -var msg30625 = msg("28539", dup321); - -var msg30626 = msg("28540", dup321); - -var msg30627 = msg("28541", dup321); - -var msg30628 = msg("28542", dup321); - -var msg30629 = msg("28543", dup321); - -var msg30630 = msg("28544", dup309); - -var msg30631 = msg("28545", dup309); - -var msg30632 = msg("28546", dup309); - -var msg30633 = msg("28547", dup321); - -var msg30634 = msg("28548", dup321); - -var msg30635 = 
msg("28549", dup309); - -var msg30636 = msg("28550", dup309); - -var msg30637 = msg("28551", dup333); - -var msg30638 = msg("28552", dup336); - -var msg30639 = msg("28553", dup321); - -var msg30640 = msg("28554", dup321); - -var msg30641 = msg("28555", dup328); - -var msg30642 = msg("28556", dup329); - -var msg30643 = msg("28557", dup329); - -var msg30644 = msg("28558", dup325); - -var msg30645 = msg("28559", dup321); - -var msg30646 = msg("28560", dup333); - -var msg30647 = msg("28561", dup321); - -var msg30648 = msg("28562", dup321); - -var msg30649 = msg("28563", dup321); - -var msg30650 = msg("28564", dup321); - -var msg30651 = msg("28565", dup321); - -var msg30652 = msg("28566", dup314); - -var msg30653 = msg("28567", dup314); - -var msg30654 = msg("28568", dup311); - -var msg30655 = msg("28569", dup311); - -var msg30656 = msg("28570", dup314); - -var msg30657 = msg("28571", dup314); - -var msg30658 = msg("28572", dup314); - -var msg30659 = msg("28573", dup314); - -var msg30660 = msg("28574", dup314); - -var msg30661 = msg("28575", dup311); - -var msg30662 = msg("28576", dup311); - -var msg30663 = msg("28577", dup314); - -var msg30664 = msg("28578", dup314); - -var msg30665 = msg("28579", dup323); - -var msg30666 = msg("28580", dup323); - -var msg30667 = msg("28581", dup323); - -var msg30668 = msg("28582", dup323); - -var msg30669 = msg("28583", dup323); - -var msg30670 = msg("28584", dup323); - -var msg30671 = msg("28585", dup309); - -var msg30672 = msg("28586", dup309); - -var msg30673 = msg("28587", dup314); - -var msg30674 = msg("28588", dup314); - -var msg30675 = msg("28589", dup311); - -var msg30676 = msg("28590", dup311); - -var msg30677 = msg("28591", dup311); - -var msg30678 = msg("28592", dup311); - -var msg30679 = msg("28593", dup307); - -var msg30680 = msg("28594", dup311); - -var msg30681 = msg("28595", dup311); - -var msg30682 = msg("28596", dup311); - -var msg30683 = msg("28597", dup314); - -var msg30684 = msg("28598", dup314); - -var msg30685 = 
msg("28599", dup321); - -var msg30686 = msg("28600", dup314); - -var msg30687 = msg("28601", dup314); - -var msg30688 = msg("28602", dup314); - -var msg30689 = msg("28603", dup314); - -var msg30690 = msg("28604", dup321); - -var msg30691 = msg("28605", dup321); - -var msg30692 = msg("28606", dup321); - -var msg30693 = msg("28607", dup321); - -var msg30694 = msg("28608", dup311); - -var msg30695 = msg("28609", dup311); - -var msg30696 = msg("28610", dup311); - -var msg30697 = msg("28611", dup311); - -var msg30698 = msg("28612", dup311); - -var msg30699 = msg("28613", dup311); - -var msg30700 = msg("28614", dup311); - -var msg30701 = msg("28615", dup311); - -var msg30702 = msg("28616", dup311); - -var msg30703 = msg("28617", dup324); - -var msg30704 = msg("28618", dup324); - -var msg30705 = msg("28619", dup311); - -var msg30706 = msg("28620", dup311); - -var msg30707 = msg("28621", dup309); - -var msg30708 = msg("28622", dup311); - -var msg30709 = msg("28623", dup309); - -var msg30710 = msg("28624", dup309); - -var msg30711 = msg("28625", dup309); - -var msg30712 = msg("28626", dup309); - -var msg30713 = msg("28627", dup311); - -var msg30714 = msg("28628", dup311); - -var msg30715 = msg("28629", dup323); - -var msg30716 = msg("28630", dup323); - -var msg30717 = msg("28631", dup309); - -var msg30718 = msg("28632", dup309); - -var msg30719 = msg("28633", dup311); - -var msg30720 = msg("28634", dup309); - -var msg30721 = msg("28635", dup309); - -var msg30722 = msg("28636", dup311); - -var msg30723 = msg("28637", dup311); - -var msg30724 = msg("28638", dup309); - -var msg30725 = msg("28639", dup309); - -var msg30726 = msg("28640", dup309); - -var msg30727 = msg("28641", dup309); - -var msg30728 = msg("28642", dup311); - -var msg30729 = msg("28643", dup311); - -var msg30730 = msg("28644", dup311); - -var msg30731 = msg("28645", dup311); - -var msg30732 = msg("28646", dup311); - -var msg30733 = msg("28647", dup311); - -var msg30734 = msg("28648", dup311); - -var msg30735 = 
msg("28649", dup311); - -var msg30736 = msg("28650", dup311); - -var msg30737 = msg("28651", dup311); - -var msg30738 = msg("28652", dup311); - -var msg30739 = msg("28653", dup311); - -var msg30740 = msg("28654", dup311); - -var msg30741 = msg("28655", dup311); - -var msg30742 = msg("28656", dup311); - -var msg30743 = msg("28657", dup311); - -var msg30744 = msg("28658", dup314); - -var msg30745 = msg("28659", dup311); - -var msg30746 = msg("28660", dup311); - -var msg30747 = msg("28661", dup311); - -var msg30748 = msg("28662", dup311); - -var msg30749 = msg("28663", dup311); - -var msg30750 = msg("28664", dup309); - -var msg30751 = msg("28665", dup309); - -var msg30752 = msg("28666", dup309); - -var msg30753 = msg("28667", dup311); - -var msg30754 = msg("28668", dup311); - -var msg30755 = msg("28669", dup311); - -var msg30756 = msg("28670", dup311); - -var msg30757 = msg("28671", dup311); - -var msg30758 = msg("28672", dup311); - -var msg30759 = msg("28673", dup311); - -var msg30760 = msg("28674", dup311); - -var msg30761 = msg("28675", dup311); - -var msg30762 = msg("28676", dup311); - -var msg30763 = msg("28677", dup311); - -var msg30764 = msg("28678", dup311); - -var msg30765 = msg("28679", dup311); - -var msg30766 = msg("28680", dup311); - -var msg30767 = msg("28681", dup311); - -var msg30768 = msg("28682", dup311); - -var msg30769 = msg("28683", dup311); - -var msg30770 = msg("28684", dup311); - -var msg30771 = msg("28685", dup311); - -var msg30772 = msg("28686", dup311); - -var msg30773 = msg("28687", dup307); - -var msg30774 = msg("28688", dup307); - -var msg30775 = msg("28689", dup307); - -var msg30776 = msg("28690", dup307); - -var msg30777 = msg("28691", dup311); - -var msg30778 = msg("28692", dup311); - -var msg30779 = msg("28693", dup311); - -var msg30780 = msg("28694", dup311); - -var msg30781 = msg("28695", dup323); - -var msg30782 = msg("28696", dup323); - -var msg30783 = msg("28697", dup323); - -var msg30784 = msg("28698", dup323); - -var msg30785 = 
msg("28699", dup311); - -var msg30786 = msg("28700", dup311); - -var msg30787 = msg("28701", dup311); - -var msg30788 = msg("28702", dup311); - -var msg30789 = msg("28703", dup311); - -var msg30790 = msg("28704", dup311); - -var msg30791 = msg("28705", dup311); - -var msg30792 = msg("28706", dup311); - -var msg30793 = msg("28707", dup311); - -var msg30794 = msg("28708", dup311); - -var msg30795 = msg("28709", dup311); - -var msg30796 = msg("28710", dup309); - -var msg30797 = msg("28711", dup309); - -var msg30798 = msg("28712", dup309); - -var msg30799 = msg("28713", dup309); - -var msg30800 = msg("28714", dup309); - -var msg30801 = msg("28715", dup309); - -var msg30802 = msg("28716", dup311); - -var msg30803 = msg("28717", dup311); - -var msg30804 = msg("28718", dup311); - -var msg30805 = msg("28719", dup311); - -var msg30806 = msg("28720", dup311); - -var msg30807 = msg("28721", dup311); - -var msg30808 = msg("28722", dup323); - -var msg30809 = msg("28723", dup323); - -var msg30810 = msg("28724", dup321); - -var msg30811 = msg("28725", dup309); - -var msg30812 = msg("28726", dup309); - -var msg30813 = msg("28727", dup309); - -var msg30814 = msg("28728", dup311); - -var msg30815 = msg("28729", dup311); - -var msg30816 = msg("28730", dup311); - -var msg30817 = msg("28731", dup311); - -var msg30818 = msg("28732", dup311); - -var msg30819 = msg("28733", dup311); - -var msg30820 = msg("28734", dup311); - -var msg30821 = msg("28735", dup311); - -var msg30822 = msg("28736", dup311); - -var msg30823 = msg("28737", dup311); - -var msg30824 = msg("28738", dup311); - -var msg30825 = msg("28739", dup311); - -var msg30826 = msg("28740", dup311); - -var msg30827 = msg("28741", dup311); - -var msg30828 = msg("28742", dup311); - -var msg30829 = msg("28743", dup311); - -var msg30830 = msg("28744", dup309); - -var msg30831 = msg("28745", dup309); - -var msg30832 = msg("28746", dup311); - -var msg30833 = msg("28747", dup311); - -var msg30834 = msg("28748", dup311); - -var msg30835 = 
msg("28749", dup314); - -var msg30836 = msg("28750", dup314); - -var msg30837 = msg("28751", dup314); - -var msg30838 = msg("28752", dup314); - -var msg30839 = msg("28753", dup314); - -var msg30840 = msg("28754", dup314); - -var msg30841 = msg("28755", dup314); - -var msg30842 = msg("28756", dup314); - -var msg30843 = msg("28757", dup314); - -var msg30844 = msg("28758", dup314); - -var msg30845 = msg("28759", dup314); - -var msg30846 = msg("28760", dup314); - -var msg30847 = msg("28761", dup314); - -var msg30848 = msg("28762", dup314); - -var msg30849 = msg("28763", dup314); - -var msg30850 = msg("28764", dup314); - -var msg30851 = msg("28765", dup314); - -var msg30852 = msg("28766", dup314); - -var msg30853 = msg("28767", dup314); - -var msg30854 = msg("28768", dup314); - -var msg30855 = msg("28769", dup314); - -var msg30856 = msg("28770", dup314); - -var msg30857 = msg("28771", dup314); - -var msg30858 = msg("28772", dup314); - -var msg30859 = msg("28773", dup314); - -var msg30860 = msg("28774", dup314); - -var msg30861 = msg("28775", dup314); - -var msg30862 = msg("28776", dup314); - -var msg30863 = msg("28777", dup314); - -var msg30864 = msg("28778", dup314); - -var msg30865 = msg("28779", dup314); - -var msg30866 = msg("28780", dup314); - -var msg30867 = msg("28781", dup314); - -var msg30868 = msg("28782", dup314); - -var msg30869 = msg("28783", dup314); - -var msg30870 = msg("28784", dup314); - -var msg30871 = msg("28785", dup314); - -var msg30872 = msg("28786", dup314); - -var msg30873 = msg("28787", dup314); - -var msg30874 = msg("28788", dup314); - -var msg30875 = msg("28789", dup314); - -var msg30876 = msg("28790", dup311); - -var msg30877 = msg("28791", dup314); - -var msg30878 = msg("28792", dup314); - -var msg30879 = msg("28793", dup314); - -var msg30880 = msg("28794", dup309); - -var msg30881 = msg("28795", dup311); - -var msg30882 = msg("28796", dup311); - -var msg30883 = msg("28797", dup307); - -var msg30884 = msg("28798", dup307); - -var msg30885 = 
msg("28799", dup321); - -var msg30886 = msg("28800", dup321); - -var msg30887 = msg("28801", dup321); - -var msg30888 = msg("28802", dup321); - -var msg30889 = msg("28803", dup321); - -var msg30890 = msg("28804", dup321); - -var msg30891 = msg("28805", dup321); - -var msg30892 = msg("28806", dup321); - -var msg30893 = msg("28807", dup321); - -var msg30894 = msg("28808", dup321); - -var msg30895 = msg("28809", dup321); - -var msg30896 = msg("28810", dup321); - -var msg30897 = msg("28811", dup311); - -var msg30898 = msg("28812", dup311); - -var msg30899 = msg("28813", dup321); - -var msg30900 = msg("28814", dup321); - -var msg30901 = msg("28815", dup321); - -var msg30902 = msg("28816", dup321); - -var msg30903 = msg("28817", dup321); - -var msg30904 = msg("28818", dup307); - -var msg30905 = msg("28819", dup307); - -var msg30906 = msg("28820", dup323); - -var msg30907 = msg("28821", dup314); - -var msg30908 = msg("28822", dup314); - -var msg30909 = msg("28823", dup314); - -var msg30910 = msg("28824", dup314); - -var msg30911 = msg("28825", dup314); - -var msg30912 = msg("28826", dup314); - -var msg30913 = msg("28827", dup314); - -var msg30914 = msg("28828", dup321); - -var msg30915 = msg("28829", dup321); - -var msg30916 = msg("28830", dup321); - -var msg30917 = msg("28831", dup311); - -var msg30918 = msg("28832", dup311); - -var msg30919 = msg("28833", dup307); - -var msg30920 = msg("28834", dup307); - -var msg30921 = msg("28835", dup307); - -var msg30922 = msg("28836", dup311); - -var msg30923 = msg("28837", dup311); - -var msg30924 = msg("28838", dup311); - -var msg30925 = msg("28839", dup307); - -var msg30926 = msg("28840", dup307); - -var msg30927 = msg("28841", dup307); - -var msg30928 = msg("28842", dup311); - -var msg30929 = msg("28843", dup323); - -var msg30930 = msg("28844", dup323); - -var msg30931 = msg("28845", dup323); - -var msg30932 = msg("28846", dup323); - -var msg30933 = msg("28847", dup323); - -var msg30934 = msg("28848", dup323); - -var msg30935 = 
msg("28849", dup308); - -var msg30936 = msg("28850", dup311); - -var msg30937 = msg("28851", dup311); - -var msg30938 = msg("28852", dup325); - -var msg30939 = msg("28853", dup323); - -var msg30940 = msg("28854", dup311); - -var msg30941 = msg("28855", dup311); - -var msg30942 = msg("28856", dup321); - -var msg30943 = msg("28857", dup321); - -var msg30944 = msg("28858", dup321); - -var msg30945 = msg("28859", dup325); - -var msg30946 = msg("28860", dup325); - -var msg30947 = msg("28861", dup321); - -var msg30948 = msg("28862", dup325); - -var msg30949 = msg("28863", dup325); - -var msg30950 = msg("28864", dup321); - -var msg30951 = msg("28865", dup325); - -var msg30952 = msg("28866", dup325); - -var msg30953 = msg("28867", dup314); - -var msg30954 = msg("28868", dup314); - -var msg30955 = msg("28869", dup314); - -var msg30956 = msg("28870", dup314); - -var msg30957 = msg("28871", dup314); - -var msg30958 = msg("28872", dup314); - -var msg30959 = msg("28873", dup325); - -var msg30960 = msg("28874", dup325); - -var msg30961 = msg("28875", dup325); - -var msg30962 = msg("28876", dup325); - -var msg30963 = msg("28877", dup325); - -var msg30964 = msg("28878", dup325); - -var msg30965 = msg("28879", dup321); - -var msg30966 = msg("28880", dup311); - -var msg30967 = msg("28881", dup325); - -var msg30968 = msg("28882", dup325); - -var msg30969 = msg("28883", dup321); - -var msg30970 = msg("28884", dup321); - -var msg30971 = msg("28885", dup321); - -var msg30972 = msg("28886", dup321); - -var msg30973 = msg("28887", dup311); - -var msg30974 = msg("28888", dup311); - -var msg30975 = msg("28889", dup311); - -var msg30976 = msg("28890", dup311); - -var msg30977 = msg("28891", dup321); - -var msg30978 = msg("28892", dup321); - -var msg30979 = msg("28893", dup314); - -var msg30980 = msg("28894", dup314); - -var msg30981 = msg("28895", dup314); - -var msg30982 = msg("28896", dup314); - -var msg30983 = msg("28897", dup314); - -var msg30984 = msg("28898", dup314); - -var msg30985 = 
msg("28899", dup314); - -var msg30986 = msg("28900", dup314); - -var msg30987 = msg("28901", dup314); - -var msg30988 = msg("28902", dup309); - -var msg30989 = msg("28903", dup309); - -var msg30990 = msg("28904", dup309); - -var msg30991 = msg("28905", dup309); - -var msg30992 = msg("28906", dup309); - -var msg30993 = msg("28907", dup309); - -var msg30994 = msg("28908", dup322); - -var msg30995 = msg("28909", dup314); - -var msg30996 = msg("28910", dup311); - -var msg30997 = msg("28911", dup311); - -var msg30998 = msg("28912", dup314); - -var msg30999 = msg("28913", dup321); - -var msg31000 = msg("28914", dup321); - -var msg31001 = msg("28915", dup309); - -var msg31002 = msg("28916", dup309); - -var msg31003 = msg("28917", dup314); - -var msg31004 = msg("28918", dup321); - -var msg31005 = msg("28919", dup321); - -var msg31006 = msg("28920", dup311); - -var msg31007 = msg("28921", dup311); - -var msg31008 = msg("28922", dup311); - -var msg31009 = msg("28923", dup311); - -var msg31010 = msg("28924", dup311); - -var msg31011 = msg("28925", dup311); - -var msg31012 = msg("28926", dup309); - -var msg31013 = msg("28927", dup309); - -var msg31014 = msg("28928", dup321); - -var msg31015 = msg("28929", dup321); - -var msg31016 = msg("28930", dup321); - -var msg31017 = msg("28931", dup325); - -var msg31018 = msg("28932", dup325); - -var msg31019 = msg("28933", dup321); - -var msg31020 = msg("28934", dup321); - -var msg31021 = msg("28935", dup321); - -var msg31022 = msg("28936", dup314); - -var msg31023 = msg("28937", dup311); - -var msg31024 = msg("28938", dup321); - -var msg31025 = msg("28939", dup321); - -var msg31026 = msg("28940", dup325); - -var msg31027 = msg("28941", dup311); - -var msg31028 = msg("28942", dup314); - -var msg31029 = msg("28943", dup314); - -var msg31030 = msg("28944", dup314); - -var msg31031 = msg("28945", dup314); - -var msg31032 = msg("28946", dup311); - -var msg31033 = msg("28947", dup321); - -var msg31034 = msg("28948", dup321); - -var msg31035 = 
msg("28949", dup321); - -var msg31036 = msg("28950", dup325); - -var msg31037 = msg("28951", dup325); - -var msg31038 = msg("28952", dup311); - -var msg31039 = msg("28953", dup311); - -var msg31040 = msg("28954", dup321); - -var msg31041 = msg("28955", dup310); - -var msg31042 = msg("28956", dup314); - -var msg31043 = msg("28957", dup314); - -var msg31044 = msg("28958", dup321); - -var msg31045 = msg("28959", dup321); - -var msg31046 = msg("28960", dup321); - -var msg31047 = msg("28961", dup309); - -var msg31048 = msg("28962", dup309); - -var msg31049 = msg("28963", dup311); - -var msg31050 = msg("28964", dup307); - -var msg31051 = msg("28965", dup307); - -var msg31052 = msg("28966", dup311); - -var msg31053 = msg("28967", dup311); - -var msg31054 = msg("28968", dup311); - -var msg31055 = msg("28969", dup311); - -var msg31056 = msg("28970", dup314); - -var msg31057 = msg("28971", dup314); - -var msg31058 = msg("28972", dup311); - -var msg31059 = msg("28973", dup311); - -var msg31060 = msg("28974", dup311); - -var msg31061 = msg("28975", dup311); - -var msg31062 = msg("28976", dup321); - -var msg31063 = msg("28977", dup321); - -var msg31064 = msg("28978", dup321); - -var msg31065 = msg("28979", dup321); - -var msg31066 = msg("28980", dup321); - -var msg31067 = msg("28981", dup321); - -var msg31068 = msg("28982", dup321); - -var msg31069 = msg("28983", dup311); - -var msg31070 = msg("28984", dup311); - -var msg31071 = msg("28985", dup311); - -var msg31072 = msg("28986", dup321); - -var msg31073 = msg("28987", dup321); - -var msg31074 = msg("28988", dup321); - -var msg31075 = msg("28989", dup321); - -var msg31076 = msg("28990", dup321); - -var msg31077 = msg("28991", dup333); - -var msg31078 = msg("28992", dup321); - -var msg31079 = msg("28993", dup323); - -var msg31080 = msg("28994", dup321); - -var msg31081 = msg("28995", dup321); - -var msg31082 = msg("28996", dup321); - -var msg31083 = msg("28997", dup325); - -var msg31084 = msg("28998", dup314); - -var msg31085 = 
msg("28999", dup314); - -var msg31086 = msg("29000", dup314); - -var msg31087 = msg("29001", dup311); - -var msg31088 = msg("29002", dup311); - -var msg31089 = msg("29003", dup311); - -var msg31090 = msg("29004", dup311); - -var msg31091 = msg("29005", dup309); - -var msg31092 = msg("29006", dup314); - -var msg31093 = msg("29007", dup314); - -var msg31094 = msg("29008", dup314); - -var msg31095 = msg("29009", dup309); - -var msg31096 = msg("29010", dup309); - -var msg31097 = msg("29011", dup321); - -var msg31098 = msg("29012", dup321); - -var msg31099 = msg("29013", dup321); - -var msg31100 = msg("29014", dup309); - -var msg31101 = msg("29015", dup321); - -var msg31102 = msg("29016", dup321); - -var msg31103 = msg("29017", dup314); - -var msg31104 = msg("29018", dup322); - -var msg31105 = msg("29019", dup314); - -var msg31106 = msg("29020", dup321); - -var msg31107 = msg("29021", dup321); - -var msg31108 = msg("29022", dup321); - -var msg31109 = msg("29023", dup311); - -var msg31110 = msg("29024", dup311); - -var msg31111 = msg("29025", dup311); - -var msg31112 = msg("29026", dup321); - -var msg31113 = msg("29027", dup311); - -var msg31114 = msg("29028", dup328); - -var msg31115 = msg("29029", dup328); - -var msg31116 = msg("29030", dup321); - -var msg31117 = msg("29031", dup321); - -var msg31118 = msg("29032", dup309); - -var msg31119 = msg("29033", dup309); - -var msg31120 = msg("29034", dup325); - -var msg31121 = msg("29035", dup325); - -var msg31122 = msg("29036", dup311); - -var msg31123 = msg("29037", dup325); - -var msg31124 = msg("29038", dup321); - -var msg31125 = msg("29039", dup321); - -var msg31126 = msg("29040", dup311); - -var msg31127 = msg("29041", dup314); - -var msg31128 = msg("29042", dup314); - -var msg31129 = msg("29043", dup321); - -var msg31130 = msg("29044", dup321); - -var msg31131 = msg("29045", dup321); - -var msg31132 = msg("29046", dup325); - -var msg31133 = msg("29047", dup311); - -var msg31134 = msg("29048", dup311); - -var msg31135 = 
msg("29049", dup311); - -var msg31136 = msg("29050", dup311); - -var msg31137 = msg("29051", dup311); - -var msg31138 = msg("29052", dup311); - -var msg31139 = msg("29053", dup311); - -var msg31140 = msg("29054", dup311); - -var msg31141 = msg("29055", dup321); - -var msg31142 = msg("29056", dup321); - -var msg31143 = msg("29057", dup321); - -var msg31144 = msg("29058", dup321); - -var msg31145 = msg("29059", dup314); - -var msg31146 = msg("29060", dup314); - -var msg31147 = msg("29061", dup311); - -var msg31148 = msg("29062", dup314); - -var msg31149 = msg("29063", dup314); - -var msg31150 = msg("29064", dup314); - -var msg31151 = msg("29065", dup314); - -var msg31152 = msg("29066", dup311); - -var msg31153 = msg("29067", dup321); - -var msg31154 = msg("29068", dup321); - -var msg31155 = msg("29069", dup321); - -var msg31156 = msg("29070", dup321); - -var msg31157 = msg("29071", dup321); - -var msg31158 = msg("29072", dup321); - -var msg31159 = msg("29073", dup321); - -var msg31160 = msg("29074", dup321); - -var msg31161 = msg("29075", dup321); - -var msg31162 = msg("29076", dup321); - -var msg31163 = msg("29077", dup321); - -var msg31164 = msg("29078", dup321); - -var msg31165 = msg("29079", dup321); - -var msg31166 = msg("29080", dup333); - -var msg31167 = msg("29081", dup321); - -var msg31168 = msg("29082", dup321); - -var msg31169 = msg("29083", dup321); - -var msg31170 = msg("29084", dup321); - -var msg31171 = msg("29085", dup321); - -var msg31172 = msg("29086", dup321); - -var msg31173 = msg("29087", dup321); - -var msg31174 = msg("29088", dup321); - -var msg31175 = msg("29089", dup321); - -var msg31176 = msg("29090", dup311); - -var msg31177 = msg("29091", dup321); - -var msg31178 = msg("29092", dup314); - -var msg31179 = msg("29093", dup321); - -var msg31180 = msg("29094", dup321); - -var msg31181 = msg("29095", dup333); - -var msg31182 = msg("29096", dup333); - -var msg31183 = msg("29097", dup314); - -var msg31184 = msg("29098", dup314); - -var msg31185 = 
msg("29099", dup314); - -var msg31186 = msg("29100", dup314); - -var msg31187 = msg("29101", dup314); - -var msg31188 = msg("29102", dup314); - -var msg31189 = msg("29103", dup321); - -var msg31190 = msg("29104", dup321); - -var msg31191 = msg("29105", dup314); - -var msg31192 = msg("29106", dup321); - -var msg31193 = msg("29107", dup321); - -var msg31194 = msg("29108", dup321); - -var msg31195 = msg("29109", dup321); - -var msg31196 = msg("29110", dup314); - -var msg31197 = msg("29111", dup321); - -var msg31198 = msg("29112", dup321); - -var msg31199 = msg("29113", dup321); - -var msg31200 = msg("29114", dup321); - -var msg31201 = msg("29115", dup321); - -var msg31202 = msg("29116", dup321); - -var msg31203 = msg("29117", dup321); - -var msg31204 = msg("29118", dup314); - -var msg31205 = msg("29119", dup321); - -var msg31206 = msg("29120", dup321); - -var msg31207 = msg("29121", dup321); - -var msg31208 = msg("29122", dup321); - -var msg31209 = msg("29123", dup321); - -var msg31210 = msg("29124", dup321); - -var msg31211 = msg("29125", dup321); - -var msg31212 = msg("29126", dup321); - -var msg31213 = msg("29127", dup321); - -var msg31214 = msg("29128", dup311); - -var msg31215 = msg("29129", dup311); - -var msg31216 = msg("29130", dup311); - -var msg31217 = msg("29131", dup311); - -var msg31218 = msg("29132", dup321); - -var msg31219 = msg("29133", dup321); - -var msg31220 = msg("29134", dup321); - -var msg31221 = msg("29135", dup324); - -var msg31222 = msg("29136", dup321); - -var msg31223 = msg("29137", dup321); - -var msg31224 = msg("29138", dup321); - -var msg31225 = msg("29139", dup325); - -var msg31226 = msg("29140", dup321); - -var msg31227 = msg("29141", dup314); - -var msg31228 = msg("29142", dup314); - -var msg31229 = msg("29143", dup325); - -var msg31230 = msg("29144", dup321); - -var msg31231 = msg("29145", dup321); - -var msg31232 = msg("29146", dup321); - -var msg31233 = msg("29147", dup321); - -var msg31234 = msg("29148", dup321); - -var msg31235 = 
msg("29149", dup321); - -var msg31236 = msg("29150", dup311); - -var msg31237 = msg("29151", dup321); - -var msg31238 = msg("29152", dup321); - -var msg31239 = msg("29153", dup321); - -var msg31240 = msg("29154", dup321); - -var msg31241 = msg("29155", dup321); - -var msg31242 = msg("29156", dup321); - -var msg31243 = msg("29157", dup311); - -var msg31244 = msg("29158", dup311); - -var msg31245 = msg("29159", dup311); - -var msg31246 = msg("29160", dup311); - -var msg31247 = msg("29161", dup321); - -var msg31248 = msg("29162", dup314); - -var msg31249 = msg("29163", dup311); - -var msg31250 = msg("29164", dup311); - -var msg31251 = msg("29165", dup311); - -var msg31252 = msg("29166", dup311); - -var msg31253 = msg("29167", dup311); - -var msg31254 = msg("29168", dup311); - -var msg31255 = msg("29169", dup311); - -var msg31256 = msg("29170", dup314); - -var msg31257 = msg("29171", dup321); - -var msg31258 = msg("29172", dup321); - -var msg31259 = msg("29173", dup321); - -var msg31260 = msg("29174", dup325); - -var msg31261 = msg("29175", dup321); - -var msg31262 = msg("29176", dup321); - -var msg31263 = msg("29177", dup321); - -var msg31264 = msg("29178", dup321); - -var msg31265 = msg("29179", dup321); - -var msg31266 = msg("29180", dup325); - -var msg31267 = msg("29181", dup321); - -var msg31268 = msg("29182", dup309); - -var msg31269 = msg("29183", dup309); - -var msg31270 = msg("29184", dup309); - -var msg31271 = msg("29185", dup309); - -var msg31272 = msg("29186", dup311); - -var msg31273 = msg("29187", dup311); - -var msg31274 = msg("29188", dup311); - -var msg31275 = msg("29189", dup311); - -var msg31276 = msg("29190", dup307); - -var msg31277 = msg("29191", dup311); - -var msg31278 = msg("29192", dup311); - -var msg31279 = msg("29193", dup311); - -var msg31280 = msg("29194", dup309); - -var msg31281 = msg("29195", dup309); - -var msg31282 = msg("29196", dup309); - -var msg31283 = msg("29197", dup309); - -var msg31284 = msg("29198", dup309); - -var msg31285 = 
msg("29199", dup309); - -var msg31286 = msg("29200", dup314); - -var msg31287 = msg("29201", dup309); - -var msg31288 = msg("29202", dup309); - -var msg31289 = msg("29203", dup314); - -var msg31290 = msg("29204", dup314); - -var msg31291 = msg("29205", dup314); - -var msg31292 = msg("29206", dup314); - -var msg31293 = msg("29207", dup309); - -var msg31294 = msg("29208", dup309); - -var msg31295 = msg("29209", dup309); - -var msg31296 = msg("29210", dup309); - -var msg31297 = msg("29211", dup309); - -var msg31298 = msg("29212", dup309); - -var msg31299 = msg("29213", dup314); - -var msg31300 = msg("29214", dup311); - -var msg31301 = msg("29215", dup309); - -var msg31302 = msg("29216", dup321); - -var msg31303 = msg("29217", dup321); - -var msg31304 = msg("29218", dup311); - -var msg31305 = msg("29219", dup311); - -var msg31306 = msg("29220", dup321); - -var msg31307 = msg("29221", dup325); - -var msg31308 = msg("29222", dup325); - -var msg31309 = msg("29223", dup325); - -var msg31310 = msg("29224", dup314); - -var msg31311 = msg("29225", dup314); - -var msg31312 = msg("29226", dup325); - -var msg31313 = msg("29227", dup325); - -var msg31314 = msg("29228", dup325); - -var msg31315 = msg("29229", dup325); - -var msg31316 = msg("29230", dup325); - -var msg31317 = msg("29231", dup325); - -var msg31318 = msg("29232", dup325); - -var msg31319 = msg("29233", dup325); - -var msg31320 = msg("29234", dup325); - -var msg31321 = msg("29235", dup325); - -var msg31322 = msg("29236", dup325); - -var msg31323 = msg("29237", dup325); - -var msg31324 = msg("29238", dup325); - -var msg31325 = msg("29239", dup325); - -var msg31326 = msg("29240", dup325); - -var msg31327 = msg("29241", dup325); - -var msg31328 = msg("29242", dup325); - -var msg31329 = msg("29243", dup325); - -var msg31330 = msg("29244", dup325); - -var msg31331 = msg("29245", dup325); - -var msg31332 = msg("29246", dup325); - -var msg31333 = msg("29247", dup325); - -var msg31334 = msg("29248", dup325); - -var msg31335 = 
msg("29249", dup325); - -var msg31336 = msg("29250", dup325); - -var msg31337 = msg("29251", dup325); - -var msg31338 = msg("29252", dup325); - -var msg31339 = msg("29253", dup325); - -var msg31340 = msg("29254", dup325); - -var msg31341 = msg("29255", dup325); - -var msg31342 = msg("29256", dup325); - -var msg31343 = msg("29257", dup325); - -var msg31344 = msg("29258", dup314); - -var msg31345 = msg("29259", dup321); - -var msg31346 = msg("29260", dup321); - -var msg31347 = msg("29261", dup321); - -var msg31348 = msg("29262", dup321); - -var msg31349 = msg("29263", dup321); - -var msg31350 = msg("29264", dup309); - -var msg31351 = msg("29265", dup311); - -var msg31352 = msg("29266", dup314); - -var msg31353 = msg("29267", dup311); - -var msg31354 = msg("29268", dup309); - -var msg31355 = msg("29269", dup309); - -var msg31356 = msg("29270", dup311); - -var msg31357 = msg("29271", dup311); - -var msg31358 = msg("29272", dup311); - -var msg31359 = msg("29273", dup311); - -var msg31360 = msg("29274", dup314); - -var msg31361 = msg("29275", dup314); - -var msg31362 = msg("29276", dup314); - -var msg31363 = msg("29277", dup309); - -var msg31364 = msg("29278", dup309); - -var msg31365 = msg("29279", dup309); - -var msg31366 = msg("29280", dup309); - -var msg31367 = msg("29281", dup311); - -var msg31368 = msg("29282", dup311); - -var msg31369 = msg("29283", dup311); - -var msg31370 = msg("29284", dup311); - -var msg31371 = msg("29285", dup311); - -var msg31372 = msg("29286", dup311); - -var msg31373 = msg("29287", dup311); - -var msg31374 = msg("29288", dup311); - -var msg31375 = msg("29289", dup321); - -var msg31376 = msg("29290", dup321); - -var msg31377 = msg("29291", dup321); - -var msg31378 = msg("29292", dup321); - -var msg31379 = msg("29293", dup321); - -var msg31380 = msg("29294", dup321); - -var msg31381 = msg("29295", dup321); - -var msg31382 = msg("29296", dup314); - -var msg31383 = msg("29297", dup314); - -var msg31384 = msg("29298", dup321); - -var msg31385 = 
msg("29299", dup321); - -var msg31386 = msg("29300", dup321); - -var msg31387 = msg("29301", dup321); - -var msg31388 = msg("29302", dup321); - -var msg31389 = msg("29303", dup321); - -var msg31390 = msg("29304", dup321); - -var msg31391 = msg("29305", dup321); - -var msg31392 = msg("29306", dup321); - -var msg31393 = msg("29307", dup321); - -var msg31394 = msg("29313", dup321); - -var msg31395 = msg("29314", dup336); - -var msg31396 = msg("29315", dup336); - -var msg31397 = msg("29316", dup336); - -var msg31398 = msg("29317", dup314); - -var msg31399 = msg("29318", dup314); - -var msg31400 = msg("29319", dup314); - -var msg31401 = msg("29320", dup314); - -var msg31402 = msg("29321", dup314); - -var msg31403 = msg("29322", dup314); - -var msg31404 = msg("29323", dup329); - -var msg31405 = msg("29324", dup321); - -var msg31406 = msg("29325", dup321); - -var msg31407 = msg("29326", dup309); - -var msg31408 = msg("29327", dup309); - -var msg31409 = msg("29328", dup309); - -var msg31410 = msg("29329", dup309); - -var msg31411 = msg("29330", dup321); - -var msg31412 = msg("29331", dup321); - -var msg31413 = msg("29332", dup321); - -var msg31414 = msg("29333", dup321); - -var msg31415 = msg("29334", dup321); - -var msg31416 = msg("29335", dup321); - -var msg31417 = msg("29336", dup321); - -var msg31418 = msg("29337", dup321); - -var msg31419 = msg("29338", dup321); - -var msg31420 = msg("29339", dup321); - -var msg31421 = msg("29340", dup321); - -var msg31422 = msg("29341", dup325); - -var msg31423 = msg("29342", dup321); - -var msg31424 = msg("29343", dup321); - -var msg31425 = msg("29344", dup321); - -var msg31426 = msg("29345", dup321); - -var msg31427 = msg("29346", dup311); - -var msg31428 = msg("29347", dup321); - -var msg31429 = msg("29348", dup321); - -var msg31430 = msg("29349", dup321); - -var msg31431 = msg("29350", dup321); - -var msg31432 = msg("29351", dup321); - -var msg31433 = msg("29352", dup321); - -var msg31434 = msg("29353", dup321); - -var msg31435 = 
msg("29354", dup336); - -var msg31436 = msg("29355", dup321); - -var msg31437 = msg("29356", dup321); - -var all57 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup123, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var msg31438 = msg("29357", all57); - -var msg31439 = msg("29358", dup325); - -var msg31440 = msg("29359", dup321); - -var msg31441 = msg("29360", dup311); - -var msg31442 = msg("29361", dup311); - -var msg31443 = msg("29362", dup324); - -var msg31444 = msg("29363", dup321); - -var msg31445 = msg("29364", dup321); - -var msg31446 = msg("29365", dup321); - -var msg31447 = msg("29366", dup321); - -var msg31448 = msg("29367", dup321); - -var msg31449 = msg("29368", dup321); - -var msg31450 = msg("29369", dup321); - -var msg31451 = msg("29370", dup321); - -var msg31452 = msg("29371", dup325); - -var msg31453 = msg("29372", dup321); - -var msg31454 = msg("29373", dup321); - -var msg31455 = msg("29374", dup324); - -var msg31456 = msg("29375", dup324); - -var msg31457 = msg("29376", dup321); - -var msg31458 = msg("29377", dup321); - -var msg31459 = msg("29378", dup321); - -var msg31460 = msg("29379", dup321); - -var msg31461 = msg("29380", dup321); - -var msg31462 = msg("29381", dup329); - -var msg31463 = msg("29382", dup329); - -var msg31464 = msg("29383", dup329); - -var msg31465 = msg("29384", dup314); - -var msg31466 = msg("29385", dup314); - -var msg31467 = msg("29386", dup314); - -var msg31468 = msg("29387", dup311); - -var msg31469 = msg("29388", dup321); - -var msg31470 = msg("29389", dup321); - -var msg31471 = msg("29390", dup314); - -var msg31472 = msg("29391", dup314); - -var msg31473 = msg("29392", dup314); - -var msg31474 = msg("29393", dup324); - -var msg31475 = msg("29394", dup309); - -var msg31476 = msg("29395", dup321); - -var msg31477 = msg("29396", dup311); - -var msg31478 = 
msg("29397", dup311); - -var msg31479 = msg("29398", dup311); - -var msg31480 = msg("29399", dup311); - -var msg31481 = msg("29400", dup314); - -var msg31482 = msg("29401", dup311); - -var msg31483 = msg("29402", dup311); - -var msg31484 = msg("29403", dup311); - -var msg31485 = msg("29404", dup309); - -var msg31486 = msg("29405", dup314); - -var msg31487 = msg("29406", dup314); - -var msg31488 = msg("29407", dup314); - -var msg31489 = msg("29408", dup321); - -var msg31490 = msg("29409", dup323); - -var msg31491 = msg("29410", dup323); - -var msg31492 = msg("29411", dup311); - -var msg31493 = msg("29412", dup311); - -var msg31494 = msg("29413", dup311); - -var msg31495 = msg("29414", dup311); - -var msg31496 = msg("29415", dup321); - -var msg31497 = msg("29416", dup321); - -var msg31498 = msg("29417", dup321); - -var msg31499 = msg("29418", dup314); - -var msg31500 = msg("29419", dup314); - -var msg31501 = msg("29420", dup333); - -var msg31502 = msg("29421", dup333); - -var msg31503 = msg("29422", dup321); - -var msg31504 = msg("29423", dup324); - -var msg31505 = msg("29424", dup321); - -var msg31506 = msg("29425", dup321); - -var msg31507 = msg("29426", dup321); - -var msg31508 = msg("29427", dup321); - -var msg31509 = msg("29428", dup321); - -var msg31510 = msg("29429", dup321); - -var msg31511 = msg("29430", dup321); - -var msg31512 = msg("29431", dup325); - -var msg31513 = msg("29432", dup321); - -var msg31514 = msg("29433", dup314); - -var msg31515 = msg("29434", dup309); - -var msg31516 = msg("29435", dup311); - -var msg31517 = msg("29436", dup311); - -var msg31518 = msg("29437", dup314); - -var msg31519 = msg("29438", dup314); - -var msg31520 = msg("29439", dup314); - -var msg31521 = msg("29440", dup321); - -var msg31522 = msg("29442", dup311); - -var msg31523 = msg("29443", dup311); - -var msg31524 = msg("29444", dup311); - -var msg31525 = msg("29445", dup311); - -var msg31526 = msg("29446", dup311); - -var msg31527 = msg("29447", dup307); - -var msg31528 = 
msg("29448", dup311); - -var msg31529 = msg("29449", dup311); - -var msg31530 = msg("29450", dup311); - -var msg31531 = msg("29451", dup311); - -var msg31532 = msg("29452", dup311); - -var msg31533 = msg("29453", dup311); - -var msg31534 = msg("29454", dup334); - -var msg31535 = msg("29455", dup334); - -var msg31536 = msg("29456", dup334); - -var msg31537 = msg("29457", dup334); - -var msg31538 = msg("29458", dup321); - -var msg31539 = msg("29459", dup321); - -var msg31540 = msg("29460", dup321); - -var msg31541 = msg("29461", dup321); - -var msg31542 = msg("29462", dup325); - -var msg31543 = msg("29463", dup321); - -var msg31544 = msg("29464", dup321); - -var msg31545 = msg("29465", dup309); - -var msg31546 = msg("29466", dup309); - -var msg31547 = msg("29467", dup309); - -var msg31548 = msg("29468", dup309); - -var msg31549 = msg("29469", dup321); - -var msg31550 = msg("29470", dup321); - -var msg31551 = msg("29471", dup321); - -var msg31552 = msg("29472", dup321); - -var msg31553 = msg("29473", dup321); - -var msg31554 = msg("29474", dup321); - -var msg31555 = msg("29475", dup321); - -var msg31556 = msg("29476", dup321); - -var msg31557 = msg("29477", dup321); - -var msg31558 = msg("29478", dup321); - -var msg31559 = msg("29479", dup321); - -var msg31560 = msg("29480", dup321); - -var msg31561 = msg("29481", dup321); - -var msg31562 = msg("29482", dup321); - -var msg31563 = msg("29483", dup321); - -var msg31564 = msg("29484", dup321); - -var msg31565 = msg("29485", dup314); - -var msg31566 = msg("29486", dup314); - -var msg31567 = msg("29487", dup314); - -var msg31568 = msg("29488", dup314); - -var msg31569 = msg("29489", dup321); - -var msg31570 = msg("29490", dup309); - -var msg31571 = msg("29491", dup309); - -var msg31572 = msg("29492", dup321); - -var msg31573 = msg("29493", dup321); - -var msg31574 = msg("29494", dup321); - -var msg31575 = msg("29495", dup321); - -var msg31576 = msg("29496", dup321); - -var msg31577 = msg("29497", dup321); - -var msg31578 = 
msg("29498", dup314); - -var msg31579 = msg("29499", dup314); - -var msg31580 = msg("29500", dup321); - -var msg31581 = msg("29501", dup311); - -var msg31582 = msg("29502", dup309); - -var msg31583 = msg("29503", dup314); - -var msg31584 = msg("29504", dup314); - -var msg31585 = msg("29505", dup311); - -var msg31586 = msg("29506", dup314); - -var msg31587 = msg("29507", dup314); - -var msg31588 = msg("29508", dup314); - -var msg31589 = msg("29509", dup323); - -var msg31590 = msg("29510", dup323); - -var msg31591 = msg("29511", dup309); - -var msg31592 = msg("29512", dup314); - -var msg31593 = msg("29513", dup309); - -var msg31594 = msg("29514", dup314); - -var msg31595 = msg("29515", dup309); - -var msg31596 = msg("29516", dup314); - -var msg31597 = msg("29517", dup314); - -var msg31598 = msg("29518", dup311); - -var msg31599 = msg("29519", dup314); - -var msg31600 = msg("29520", dup311); - -var msg31601 = msg("29521", dup311); - -var msg31602 = msg("29522", dup307); - -var msg31603 = msg("29523", dup309); - -var msg31604 = msg("29524", dup314); - -var msg31605 = msg("29525", dup314); - -var msg31606 = msg("29526", dup309); - -var msg31607 = msg("29527", dup309); - -var msg31608 = msg("29528", dup309); - -var msg31609 = msg("29529", dup309); - -var msg31610 = msg("29530", dup309); - -var msg31611 = msg("29531", dup309); - -var msg31612 = msg("29532", dup309); - -var msg31613 = msg("29533", dup314); - -var msg31614 = msg("29534", dup314); - -var msg31615 = msg("29535", dup307); - -var msg31616 = msg("29536", dup306); - -var msg31617 = msg("29537", dup314); - -var msg31618 = msg("29538", dup314); - -var msg31619 = msg("29539", dup309); - -var msg31620 = msg("29540", dup309); - -var msg31621 = msg("29541", dup309); - -var msg31622 = msg("29542", dup309); - -var msg31623 = msg("29543", dup309); - -var msg31624 = msg("29544", dup309); - -var msg31625 = msg("29545", dup309); - -var msg31626 = msg("29546", dup309); - -var msg31627 = msg("29547", dup311); - -var msg31628 = 
msg("29548", dup311); - -var msg31629 = msg("29549", dup316); - -var msg31630 = msg("29550", dup321); - -var msg31631 = msg("29551", dup311); - -var msg31632 = msg("29552", dup311); - -var msg31633 = msg("29553", dup311); - -var msg31634 = msg("29554", dup311); - -var msg31635 = msg("29555", dup321); - -var msg31636 = msg("29556", dup321); - -var msg31637 = msg("29557", dup321); - -var msg31638 = msg("29558", dup321); - -var msg31639 = msg("29559", dup321); - -var msg31640 = msg("29560", dup321); - -var msg31641 = msg("29561", dup321); - -var msg31642 = msg("29562", dup321); - -var msg31643 = msg("29563", dup321); - -var msg31644 = msg("29564", dup321); - -var msg31645 = msg("29565", dup321); - -var msg31646 = msg("29566", dup321); - -var msg31647 = msg("29567", dup321); - -var msg31648 = msg("29568", dup321); - -var msg31649 = msg("29569", dup321); - -var msg31650 = msg("29570", dup309); - -var msg31651 = msg("29571", dup309); - -var msg31652 = msg("29572", dup309); - -var msg31653 = msg("29573", dup309); - -var msg31654 = msg("29574", dup309); - -var msg31655 = msg("29575", dup309); - -var msg31656 = msg("29576", dup309); - -var msg31657 = msg("29577", dup309); - -var msg31658 = msg("29578", dup329); - -var msg31659 = msg("29579", dup311); - -var msg31660 = msg("29580", dup311); - -var msg31661 = msg("29581", dup308); - -var msg31662 = msg("29582", dup311); - -var msg31663 = msg("29583", dup314); - -var msg31664 = msg("29584", dup322); - -var msg31665 = msg("29585", dup309); - -var msg31666 = msg("29586", dup309); - -var msg31667 = msg("29587", dup309); - -var msg31668 = msg("29588", dup309); - -var msg31669 = msg("29589", dup309); - -var msg31670 = msg("29590", dup309); - -var msg31671 = msg("29591", dup309); - -var msg31672 = msg("29592", dup311); - -var msg31673 = msg("29593", dup323); - -var msg31674 = msg("29594", dup323); - -var msg31675 = msg("29595", dup323); - -var msg31676 = msg("29596", dup311); - -var msg31677 = msg("29597", dup311); - -var msg31678 = 
msg("29598", dup323); - -var msg31679 = msg("29599", dup323); - -var msg31680 = msg("29600", dup323); - -var msg31681 = msg("29601", dup323); - -var msg31682 = msg("29602", dup311); - -var msg31683 = msg("29603", dup311); - -var msg31684 = msg("29604", dup324); - -var msg31685 = msg("29605", dup309); - -var msg31686 = msg("29606", dup309); - -var msg31687 = msg("29607", dup307); - -var msg31688 = msg("29608", dup322); - -var msg31689 = msg("29609", dup322); - -var msg31690 = msg("29610", dup309); - -var msg31691 = msg("29611", dup309); - -var msg31692 = msg("29612", dup314); - -var msg31693 = msg("29613", dup314); - -var msg31694 = msg("29614", dup314); - -var msg31695 = msg("29615", dup321); - -var msg31696 = msg("29616", dup321); - -var msg31697 = msg("29617", dup314); - -var msg31698 = msg("29618", dup314); - -var msg31699 = msg("29619", dup314); - -var msg31700 = msg("29620", dup309); - -var msg31701 = msg("29621", dup307); - -var msg31702 = msg("29622", dup311); - -var msg31703 = msg("29623", dup311); - -var msg31704 = msg("29624", dup309); - -var msg31705 = msg("29625", dup309); - -var msg31706 = msg("29626", dup307); - -var msg31707 = msg("29627", dup307); - -var msg31708 = msg("29628", dup307); - -var msg31709 = msg("29629", dup307); - -var msg31710 = msg("29630", dup311); - -var msg31711 = msg("29631", dup314); - -var msg31712 = msg("29632", dup314); - -var msg31713 = msg("29633", dup314); - -var msg31714 = msg("29634", dup314); - -var msg31715 = msg("29635", dup321); - -var msg31716 = msg("29636", dup321); - -var msg31717 = msg("29637", dup321); - -var msg31718 = msg("29638", dup321); - -var msg31719 = msg("29639", dup311); - -var msg31720 = msg("29640", dup309); - -var msg31721 = msg("29641", dup309); - -var msg31722 = msg("29642", dup309); - -var msg31723 = msg("29643", dup309); - -var msg31724 = msg("29644", dup321); - -var msg31725 = msg("29645", dup325); - -var msg31726 = msg("29646", dup311); - -var msg31727 = msg("29647", dup311); - -var msg31728 = 
msg("29648", dup311); - -var msg31729 = msg("29649", dup314); - -var msg31730 = msg("29650", dup325); - -var msg31731 = msg("29651", dup325); - -var msg31732 = msg("29652", dup325); - -var msg31733 = msg("29653", dup321); - -var msg31734 = msg("29654", dup321); - -var msg31735 = msg("29655", dup325); - -var msg31736 = msg("29656", dup321); - -var msg31737 = msg("29657", dup321); - -var msg31738 = msg("29658", dup321); - -var msg31739 = msg("29659", dup321); - -var msg31740 = msg("29660", dup324); - -var msg31741 = msg("29661", dup324); - -var msg31742 = msg("29662", dup333); - -var msg31743 = msg("29663", dup321); - -var msg31744 = msg("29664", dup321); - -var msg31745 = msg("29665", dup321); - -var msg31746 = msg("29666", dup321); - -var msg31747 = msg("29667", dup325); - -var msg31748 = msg("29668", dup325); - -var msg31749 = msg("29669", dup311); - -var msg31750 = msg("29670", dup321); - -var msg31751 = msg("29671", dup325); - -var msg31752 = msg("29672", dup325); - -var msg31753 = msg("29673", dup325); - -var msg31754 = msg("29674", dup325); - -var msg31755 = msg("29675", dup325); - -var msg31756 = msg("29676", dup325); - -var msg31757 = msg("29677", dup325); - -var msg31758 = msg("29678", dup325); - -var msg31759 = msg("29679", dup325); - -var msg31760 = msg("29680", dup314); - -var msg31761 = msg("29681", dup314); - -var msg31762 = msg("29682", dup314); - -var msg31763 = msg("29683", dup314); - -var msg31764 = msg("29684", dup314); - -var msg31765 = msg("29685", dup314); - -var msg31766 = msg("29686", dup314); - -var msg31767 = msg("29687", dup314); - -var msg31768 = msg("29688", dup314); - -var msg31769 = msg("29689", dup314); - -var msg31770 = msg("29690", dup314); - -var msg31771 = msg("29691", dup314); - -var msg31772 = msg("29692", dup314); - -var msg31773 = msg("29693", dup314); - -var msg31774 = msg("29694", dup314); - -var msg31775 = msg("29695", dup314); - -var msg31776 = msg("29696", dup314); - -var msg31777 = msg("29697", dup314); - -var msg31778 = 
msg("29698", dup314); - -var msg31779 = msg("29699", dup314); - -var msg31780 = msg("29700", dup314); - -var msg31781 = msg("29701", dup314); - -var msg31782 = msg("29702", dup314); - -var msg31783 = msg("29703", dup314); - -var msg31784 = msg("29704", dup314); - -var msg31785 = msg("29705", dup314); - -var msg31786 = msg("29706", dup325); - -var msg31787 = msg("29707", dup325); - -var msg31788 = msg("29708", dup325); - -var msg31789 = msg("29709", dup311); - -var msg31790 = msg("29710", dup311); - -var msg31791 = msg("29711", dup325); - -var msg31792 = msg("29712", dup325); - -var msg31793 = msg("29713", dup311); - -var msg31794 = msg("29714", dup311); - -var msg31795 = msg("29715", dup324); - -var msg31796 = msg("29716", dup311); - -var msg31797 = msg("29717", dup325); - -var msg31798 = msg("29718", dup325); - -var msg31799 = msg("29719", dup325); - -var msg31800 = msg("29720", dup325); - -var msg31801 = msg("29721", dup325); - -var msg31802 = msg("29722", dup325); - -var msg31803 = msg("29723", dup309); - -var msg31804 = msg("29724", dup309); - -var msg31805 = msg("29725", dup309); - -var msg31806 = msg("29726", dup309); - -var msg31807 = msg("29727", dup325); - -var msg31808 = msg("29728", dup325); - -var msg31809 = msg("29729", dup325); - -var msg31810 = msg("29730", dup325); - -var msg31811 = msg("29731", dup325); - -var msg31812 = msg("29732", dup325); - -var msg31813 = msg("29733", dup311); - -var msg31814 = msg("29734", dup311); - -var msg31815 = msg("29735", dup325); - -var msg31816 = msg("29736", dup325); - -var msg31817 = msg("29737", dup325); - -var msg31818 = msg("29738", dup325); - -var msg31819 = msg("29739", dup321); - -var msg31820 = msg("29740", dup321); - -var msg31821 = msg("29741", dup311); - -var msg31822 = msg("29742", dup311); - -var msg31823 = msg("29743", dup325); - -var msg31824 = msg("29744", dup325); - -var msg31825 = msg("29745", dup314); - -var msg31826 = msg("29746", dup314); - -var msg31827 = msg("29747", dup314); - -var msg31828 = 
msg("29748", dup314); - -var msg31829 = msg("29749", dup314); - -var msg31830 = msg("29750", dup330); - -var msg31831 = msg("29751", dup330); - -var msg31832 = msg("29752", dup330); - -var msg31833 = msg("29753", dup311); - -var msg31834 = msg("29754", dup311); - -var msg31835 = msg("29755", dup311); - -var msg31836 = msg("29756", dup322); - -var msg31837 = msg("29757", dup311); - -var msg31838 = msg("29758", dup311); - -var msg31839 = msg("29759", dup324); - -var msg31840 = msg("29760", dup325); - -var msg31841 = msg("29761", dup321); - -var msg31842 = msg("29762", dup321); - -var msg31843 = msg("29763", dup321); - -var msg31844 = msg("29764", dup321); - -var msg31845 = msg("29765", dup321); - -var msg31846 = msg("29766", dup333); - -var msg31847 = msg("29767", dup321); - -var msg31848 = msg("29768", dup321); - -var msg31849 = msg("29769", dup321); - -var msg31850 = msg("29770", dup321); - -var msg31851 = msg("29771", dup321); - -var msg31852 = msg("29772", dup321); - -var msg31853 = msg("29773", dup321); - -var msg31854 = msg("29774", dup321); - -var msg31855 = msg("29775", dup321); - -var msg31856 = msg("29776", dup321); - -var msg31857 = msg("29777", dup321); - -var msg31858 = msg("29778", dup321); - -var msg31859 = msg("29779", dup321); - -var msg31860 = msg("29780", dup321); - -var msg31861 = msg("29781", dup333); - -var msg31862 = msg("29782", dup333); - -var msg31863 = msg("29783", dup321); - -var msg31864 = msg("29784", dup321); - -var msg31865 = msg("29785", dup321); - -var msg31866 = msg("29786", dup321); - -var msg31867 = msg("29787", dup321); - -var msg31868 = msg("29788", dup321); - -var msg31869 = msg("29789", dup321); - -var msg31870 = msg("29790", dup321); - -var msg31871 = msg("29791", dup321); - -var msg31872 = msg("29792", dup307); - -var msg31873 = msg("29793", dup307); - -var msg31874 = msg("29794", dup323); - -var msg31875 = msg("29795", dup323); - -var msg31876 = msg("29796", dup325); - -var msg31877 = msg("29797", dup325); - -var msg31878 = 
msg("29798", dup314); - -var msg31879 = msg("29799", dup314); - -var msg31880 = msg("29800", dup311); - -var msg31881 = msg("29801", dup311); - -var msg31882 = msg("29802", dup311); - -var msg31883 = msg("29803", dup311); - -var msg31884 = msg("29804", dup311); - -var msg31885 = msg("29805", dup311); - -var msg31886 = msg("29806", dup311); - -var msg31887 = msg("29807", dup314); - -var msg31888 = msg("29808", dup311); - -var msg31889 = msg("29809", dup314); - -var msg31890 = msg("29810", dup314); - -var msg31891 = msg("29811", dup314); - -var msg31892 = msg("29812", dup314); - -var msg31893 = msg("29813", dup314); - -var msg31894 = msg("29814", dup324); - -var msg31895 = msg("29815", dup316); - -var msg31896 = msg("29816", dup321); - -var msg31897 = msg("29817", dup321); - -var msg31898 = msg("29818", dup321); - -var msg31899 = msg("29819", dup325); - -var msg31900 = msg("29820", dup325); - -var msg31901 = msg("29821", dup325); - -var msg31902 = msg("29822", dup325); - -var msg31903 = msg("29823", dup311); - -var msg31904 = msg("29824", dup325); - -var msg31905 = msg("29825", dup321); - -var msg31906 = msg("29826", dup321); - -var msg31907 = msg("29827", dup321); - -var msg31908 = msg("29828", dup321); - -var msg31909 = msg("29829", dup311); - -var msg31910 = msg("29830", dup311); - -var msg31911 = msg("29831", dup311); - -var msg31912 = msg("29832", dup321); - -var msg31913 = msg("29833", dup321); - -var msg31914 = msg("29834", dup314); - -var msg31915 = msg("29835", dup323); - -var msg31916 = msg("29836", dup323); - -var msg31917 = msg("29837", dup321); - -var msg31918 = msg("29838", dup321); - -var msg31919 = msg("29839", dup321); - -var msg31920 = msg("29840", dup321); - -var msg31921 = msg("29841", dup321); - -var msg31922 = msg("29842", dup321); - -var msg31923 = msg("29843", dup321); - -var msg31924 = msg("29844", dup321); - -var msg31925 = msg("29845", dup321); - -var msg31926 = msg("29846", dup321); - -var msg31927 = msg("29847", dup321); - -var msg31928 = 
msg("29848", dup321); - -var msg31929 = msg("29849", dup321); - -var msg31930 = msg("29850", dup321); - -var msg31931 = msg("29851", dup321); - -var msg31932 = msg("29852", dup321); - -var msg31933 = msg("29853", dup321); - -var msg31934 = msg("29854", dup321); - -var msg31935 = msg("29855", dup321); - -var msg31936 = msg("29856", dup321); - -var msg31937 = msg("29857", dup321); - -var msg31938 = msg("29858", dup321); - -var msg31939 = msg("29859", dup314); - -var msg31940 = msg("29860", dup321); - -var msg31941 = msg("29861", dup321); - -var msg31942 = msg("29862", dup321); - -var msg31943 = msg("29863", dup321); - -var msg31944 = msg("29864", dup311); - -var msg31945 = msg("29865", dup321); - -var msg31946 = msg("29866", dup324); - -var msg31947 = msg("29867", dup321); - -var msg31948 = msg("29868", dup321); - -var msg31949 = msg("29869", dup311); - -var msg31950 = msg("29870", dup310); - -var msg31951 = msg("29871", dup311); - -var msg31952 = msg("29872", dup321); - -var msg31953 = msg("29873", dup321); - -var msg31954 = msg("29874", dup321); - -var msg31955 = msg("29875", dup321); - -var msg31956 = msg("29876", dup324); - -var msg31957 = msg("29877", dup324); - -var msg31958 = msg("29878", dup322); - -var msg31959 = msg("29879", dup322); - -var msg31960 = msg("29880", dup322); - -var msg31961 = msg("29881", dup322); - -var msg31962 = msg("29882", dup321); - -var msg31963 = msg("29883", dup321); - -var msg31964 = msg("29884", dup321); - -var msg31965 = msg("29885", dup321); - -var msg31966 = msg("29886", dup321); - -var msg31967 = msg("29887", dup325); - -var msg31968 = msg("29888", dup324); - -var msg31969 = msg("29889", dup324); - -var msg31970 = msg("29890", dup311); - -var msg31971 = msg("29891", dup321); - -var msg31972 = msg("29892", dup321); - -var msg31973 = msg("29893", dup321); - -var msg31974 = msg("29894", dup321); - -var msg31975 = msg("29895", dup321); - -var msg31976 = msg("29896", dup324); - -var msg31977 = msg("29897", dup325); - -var msg31978 = 
msg("29898", dup321); - -var msg31979 = msg("29899", dup321); - -var msg31980 = msg("29900", dup321); - -var msg31981 = msg("29901", dup321); - -var msg31982 = msg("29902", dup314); - -var msg31983 = msg("29903", dup314); - -var msg31984 = msg("29904", dup314); - -var msg31985 = msg("29905", dup314); - -var msg31986 = msg("29906", dup324); - -var msg31987 = msg("29907", dup324); - -var msg31988 = msg("29909", dup311); - -var msg31989 = msg("29910", dup321); - -var msg31990 = msg("29911", dup321); - -var msg31991 = msg("29912", dup321); - -var msg31992 = msg("29913", dup321); - -var msg31993 = msg("29914", dup321); - -var msg31994 = msg("29915", dup321); - -var msg31995 = msg("29916", dup321); - -var msg31996 = msg("29917", dup321); - -var msg31997 = msg("29918", dup321); - -var msg31998 = msg("29919", dup321); - -var msg31999 = msg("29920", dup321); - -var msg32000 = msg("29921", dup321); - -var msg32001 = msg("29922", dup321); - -var msg32002 = msg("29923", dup321); - -var msg32003 = msg("29924", dup321); - -var msg32004 = msg("29925", dup321); - -var msg32005 = msg("29926", dup309); - -var msg32006 = msg("29927", dup309); - -var msg32007 = msg("29928", dup314); - -var msg32008 = msg("29929", dup314); - -var msg32009 = msg("29930", dup314); - -var msg32010 = msg("29931", dup314); - -var msg32011 = msg("29932", dup325); - -var msg32012 = msg("29933", dup325); - -var msg32013 = msg("29934", dup309); - -var msg32014 = msg("29935", dup324); - -var msg32015 = msg("29936", dup311); - -var msg32016 = msg("29937", dup309); - -var msg32017 = msg("29938", dup309); - -var msg32018 = msg("29939", dup309); - -var msg32019 = msg("29940", dup309); - -var msg32020 = msg("29941", dup309); - -var msg32021 = msg("29942", dup309); - -var msg32022 = msg("29943", dup311); - -var msg32023 = msg("29944", dup307); - -var msg32024 = msg("29945", dup307); - -var msg32025 = msg("29946", dup309); - -var msg32026 = msg("29947", dup309); - -var msg32027 = msg("29948", dup309); - -var msg32028 = 
msg("29949", dup316); - -var msg32029 = msg("29950", dup324); - -var msg32030 = msg("29951", dup309); - -var msg32031 = msg("29952", dup309); - -var msg32032 = msg("29953", dup309); - -var msg32033 = msg("29954", dup309); - -var msg32034 = msg("29955", dup311); - -var msg32035 = msg("29956", dup311); - -var msg32036 = msg("29957", dup309); - -var msg32037 = msg("29958", dup309); - -var msg32038 = msg("29959", dup309); - -var msg32039 = msg("29960", dup324); - -var msg32040 = msg("29961", dup324); - -var msg32041 = msg("29962", dup324); - -var msg32042 = msg("29963", dup324); - -var msg32043 = msg("29964", dup314); - -var msg32044 = msg("29965", dup324); - -var msg32045 = msg("29966", dup309); - -var msg32046 = msg("29967", dup309); - -var msg32047 = msg("29968", dup309); - -var msg32048 = msg("29969", dup311); - -var msg32049 = msg("29970", dup311); - -var msg32050 = msg("29971", dup311); - -var msg32051 = msg("29972", dup311); - -var msg32052 = msg("29973", dup321); - -var msg32053 = msg("29974", dup321); - -var msg32054 = msg("29975", dup321); - -var msg32055 = msg("29976", dup321); - -var msg32056 = msg("29977", dup321); - -var msg32057 = msg("29978", dup321); - -var msg32058 = msg("29979", dup311); - -var msg32059 = msg("29980", dup321); - -var msg32060 = msg("29981", dup321); - -var msg32061 = msg("29982", dup321); - -var msg32062 = msg("29983", dup325); - -var msg32063 = msg("29984", dup325); - -var msg32064 = msg("29985", dup321); - -var msg32065 = msg("29986", dup321); - -var msg32066 = msg("29987", dup321); - -var msg32067 = msg("29988", dup325); - -var msg32068 = msg("29989", dup325); - -var msg32069 = msg("29990", dup321); - -var msg32070 = msg("29991", dup321); - -var msg32071 = msg("29992", dup309); - -var msg32072 = msg("29993", dup321); - -var msg32073 = msg("29994", dup321); - -var msg32074 = msg("29995", dup321); - -var msg32075 = msg("29996", dup321); - -var msg32076 = msg("29997", dup321); - -var msg32077 = msg("29998", dup321); - -var msg32078 = 
msg("29999", dup325); - -var msg32079 = msg("30000", dup311); - -var msg32080 = msg("30001", dup311); - -var msg32081 = msg("30002", dup311); - -var msg32082 = msg("30003", dup311); - -var msg32083 = msg("30004", dup311); - -var msg32084 = msg("30005", dup311); - -var msg32085 = msg("30006", dup311); - -var msg32086 = msg("30007", dup311); - -var msg32087 = msg("30008", dup311); - -var msg32088 = msg("30009", dup311); - -var msg32089 = msg("30010", dup314); - -var msg32090 = msg("30011", dup311); - -var msg32091 = msg("30012", dup314); - -var msg32092 = msg("30013", dup314); - -var msg32093 = msg("30014", dup314); - -var msg32094 = msg("30015", dup314); - -var msg32095 = msg("30016", dup314); - -var msg32096 = msg("30017", dup314); - -var msg32097 = msg("30018", dup314); - -var msg32098 = msg("30019", dup309); - -var msg32099 = msg("30020", dup309); - -var msg32100 = msg("30021", dup309); - -var msg32101 = msg("30022", dup309); - -var msg32102 = msg("30023", dup309); - -var msg32103 = msg("30024", dup309); - -var msg32104 = msg("30025", dup309); - -var msg32105 = msg("30026", dup309); - -var msg32106 = msg("30027", dup309); - -var msg32107 = msg("30028", dup309); - -var msg32108 = msg("30029", dup309); - -var msg32109 = msg("30030", dup309); - -var msg32110 = msg("30031", dup309); - -var msg32111 = msg("30032", dup309); - -var msg32112 = msg("30033", dup314); - -var msg32113 = msg("30034", dup321); - -var msg32114 = msg("30035", dup321); - -var msg32115 = msg("30036", dup321); - -var msg32116 = msg("30037", dup321); - -var msg32117 = msg("30038", dup314); - -var msg32118 = msg("30039", dup321); - -var msg32119 = msg("30040", dup322); - -var msg32120 = msg("30041", dup322); - -var msg32121 = msg("30042", dup316); - -var msg32122 = msg("30043", dup321); - -var msg32123 = msg("30044", dup321); - -var msg32124 = msg("30045", dup321); - -var msg32125 = msg("30046", dup321); - -var msg32126 = msg("30047", dup321); - -var msg32127 = msg("30048", dup309); - -var msg32128 = 
msg("30049", dup309); - -var msg32129 = msg("30050", dup314); - -var msg32130 = msg("30051", dup314); - -var msg32131 = msg("30052", dup309); - -var msg32132 = msg("30053", dup309); - -var msg32133 = msg("30054", dup333); - -var msg32134 = msg("30055", dup333); - -var msg32135 = msg("30056", dup321); - -var msg32136 = msg("30057", dup321); - -var msg32137 = msg("30058", dup333); - -var msg32138 = msg("30059", dup321); - -var msg32139 = msg("30060", dup321); - -var msg32140 = msg("30061", dup321); - -var msg32141 = msg("30062", dup321); - -var msg32142 = msg("30063", dup321); - -var msg32143 = msg("30064", dup321); - -var msg32144 = msg("30065", dup314); - -var msg32145 = msg("30066", dup325); - -var msg32146 = msg("30067", dup321); - -var msg32147 = msg("30068", dup321); - -var msg32148 = msg("30069", dup321); - -var msg32149 = msg("30070", dup321); - -var msg32150 = msg("30071", dup321); - -var msg32151 = msg("30072", dup321); - -var msg32152 = msg("30073", dup321); - -var msg32153 = msg("30074", dup321); - -var msg32154 = msg("30075", dup321); - -var msg32155 = msg("30076", dup321); - -var msg32156 = msg("30077", dup321); - -var msg32157 = msg("30078", dup321); - -var msg32158 = msg("30079", dup325); - -var msg32159 = msg("30080", dup325); - -var msg32160 = msg("30081", dup325); - -var msg32161 = msg("30082", dup325); - -var msg32162 = msg("30083", dup321); - -var msg32163 = msg("30084", dup321); - -var msg32164 = msg("30085", dup321); - -var msg32165 = msg("30086", dup321); - -var msg32166 = msg("30087", dup321); - -var msg32167 = msg("30088", dup321); - -var msg32168 = msg("30089", dup321); - -var msg32169 = msg("30090", dup321); - -var msg32170 = msg("30091", dup321); - -var msg32171 = msg("30092", dup314); - -var msg32172 = msg("30093", dup314); - -var msg32173 = msg("30094", dup309); - -var msg32174 = msg("30095", dup309); - -var msg32175 = msg("30096", dup309); - -var msg32176 = msg("30097", dup309); - -var msg32177 = msg("30098", dup333); - -var msg32178 = 
msg("30099", dup321); - -var msg32179 = msg("30100", dup333); - -var msg32180 = msg("30101", dup333); - -var msg32181 = msg("30102", dup325); - -var msg32182 = msg("30103", dup325); - -var msg32183 = msg("30104", dup325); - -var msg32184 = msg("30105", dup325); - -var msg32185 = msg("30106", dup325); - -var msg32186 = msg("30107", dup325); - -var msg32187 = msg("30108", dup325); - -var msg32188 = msg("30109", dup325); - -var msg32189 = msg("30110", dup325); - -var msg32190 = msg("30111", dup325); - -var msg32191 = msg("30112", dup325); - -var msg32192 = msg("30113", dup325); - -var msg32193 = msg("30114", dup309); - -var msg32194 = msg("30115", dup309); - -var msg32195 = msg("30116", dup325); - -var msg32196 = msg("30117", dup325); - -var msg32197 = msg("30118", dup325); - -var msg32198 = msg("30119", dup325); - -var msg32199 = msg("30120", dup325); - -var msg32200 = msg("30121", dup325); - -var msg32201 = msg("30122", dup311); - -var msg32202 = msg("30123", dup325); - -var msg32203 = msg("30124", dup325); - -var msg32204 = msg("30125", dup325); - -var msg32205 = msg("30126", dup325); - -var msg32206 = msg("30127", dup311); - -var msg32207 = msg("30128", dup311); - -var msg32208 = msg("30129", dup325); - -var msg32209 = msg("30130", dup325); - -var msg32210 = msg("30131", dup325); - -var msg32211 = msg("30132", dup325); - -var msg32212 = msg("30133", dup311); - -var msg32213 = msg("30134", dup311); - -var msg32214 = msg("30135", dup311); - -var msg32215 = msg("30136", dup311); - -var msg32216 = msg("30137", dup321); - -var msg32217 = msg("30138", dup321); - -var msg32218 = msg("30139", dup314); - -var msg32219 = msg("30140", dup325); - -var msg32220 = msg("30141", dup325); - -var msg32221 = msg("30142", dup325); - -var msg32222 = msg("30143", dup325); - -var msg32223 = msg("30144", dup309); - -var msg32224 = msg("30145", dup309); - -var msg32225 = msg("30146", dup314); - -var msg32226 = msg("30147", dup314); - -var msg32227 = msg("30148", dup314); - -var msg32228 = 
msg("30149", dup314); - -var msg32229 = msg("30150", dup311); - -var msg32230 = msg("30151", dup311); - -var msg32231 = msg("30152", dup311); - -var msg32232 = msg("30153", dup309); - -var msg32233 = msg("30154", dup309); - -var msg32234 = msg("30155", dup309); - -var msg32235 = msg("30156", dup309); - -var msg32236 = msg("30157", dup309); - -var msg32237 = msg("30158", dup309); - -var msg32238 = msg("30159", dup309); - -var msg32239 = msg("30160", dup309); - -var msg32240 = msg("30161", dup309); - -var msg32241 = msg("30162", dup309); - -var msg32242 = msg("30163", dup309); - -var msg32243 = msg("30164", dup309); - -var msg32244 = msg("30165", dup309); - -var msg32245 = msg("30166", dup309); - -var msg32246 = msg("30167", dup321); - -var msg32247 = msg("30168", dup321); - -var msg32248 = msg("30169", dup325); - -var msg32249 = msg("30170", dup321); - -var msg32250 = msg("30171", dup321); - -var msg32251 = msg("30172", dup321); - -var msg32252 = msg("30173", dup321); - -var msg32253 = msg("30174", dup321); - -var msg32254 = msg("30175", dup321); - -var msg32255 = msg("30176", dup321); - -var msg32256 = msg("30177", dup321); - -var msg32257 = msg("30178", dup321); - -var msg32258 = msg("30179", dup321); - -var msg32259 = msg("30180", dup321); - -var msg32260 = msg("30181", dup321); - -var msg32261 = msg("30182", dup321); - -var msg32262 = msg("30183", dup321); - -var msg32263 = msg("30184", dup321); - -var msg32264 = msg("30185", dup321); - -var msg32265 = msg("30186", dup321); - -var msg32266 = msg("30187", dup321); - -var msg32267 = msg("30188", dup321); - -var msg32268 = msg("30189", dup321); - -var msg32269 = msg("30190", dup321); - -var msg32270 = msg("30191", dup321); - -var msg32271 = msg("30192", dup321); - -var msg32272 = msg("30193", dup321); - -var msg32273 = msg("30194", dup311); - -var msg32274 = msg("30195", dup314); - -var msg32275 = msg("30196", dup321); - -var msg32276 = msg("30197", dup321); - -var msg32277 = msg("30198", dup321); - -var msg32278 = 
msg("30199", dup324); - -var msg32279 = msg("30200", dup324); - -var msg32280 = msg("30201", dup325); - -var msg32281 = msg("30202", dup309); - -var msg32282 = msg("30203", dup321); - -var msg32283 = msg("30204", dup321); - -var msg32284 = msg("30205", dup309); - -var msg32285 = msg("30206", dup309); - -var msg32286 = msg("30207", dup309); - -var msg32287 = msg("30208", dup321); - -var msg32288 = msg("30209", dup324); - -var msg32289 = msg("30210", dup325); - -var msg32290 = msg("30211", dup321); - -var msg32291 = msg("30212", dup309); - -var msg32292 = msg("30213", dup309); - -var msg32293 = msg("30214", dup321); - -var msg32294 = msg("30215", dup309); - -var msg32295 = msg("30216", dup321); - -var msg32296 = msg("30217", dup311); - -var msg32297 = msg("30218", dup311); - -var msg32298 = msg("30219", dup311); - -var msg32299 = msg("30220", dup311); - -var msg32300 = msg("30221", dup316); - -var msg32301 = msg("30222", dup316); - -var msg32302 = msg("30223", dup316); - -var msg32303 = msg("30224", dup316); - -var msg32304 = msg("30225", dup316); - -var msg32305 = msg("30226", dup316); - -var msg32306 = msg("30227", dup316); - -var msg32307 = msg("30228", dup316); - -var msg32308 = msg("30229", dup316); - -var msg32309 = msg("30230", dup311); - -var msg32310 = msg("30231", dup321); - -var msg32311 = msg("30232", dup311); - -var msg32312 = msg("30233", dup311); - -var msg32313 = msg("30234", dup321); - -var msg32314 = msg("30235", dup321); - -var msg32315 = msg("30236", dup311); - -var msg32316 = msg("30237", dup321); - -var msg32317 = msg("30238", dup321); - -var msg32318 = msg("30239", dup321); - -var msg32319 = msg("30240", dup324); - -var msg32320 = msg("30241", dup324); - -var msg32321 = msg("30242", dup309); - -var msg32322 = msg("30243", dup309); - -var msg32323 = msg("30244", dup338); - -var msg32324 = msg("30245", dup309); - -var msg32325 = msg("30246", dup309); - -var msg32326 = msg("30247", dup338); - -var msg32327 = msg("30248", dup338); - -var msg32328 = 
msg("30249", dup314); - -var msg32329 = msg("30250", dup325); - -var msg32330 = msg("30251", dup321); - -var msg32331 = msg("30252", dup314); - -var msg32332 = msg("30253", dup314); - -var msg32333 = msg("30254", dup314); - -var msg32334 = msg("30255", dup310); - -var msg32335 = msg("30256", dup310); - -var msg32336 = msg("30257", dup325); - -var msg32337 = msg("30258", dup321); - -var msg32338 = msg("30259", dup321); - -var msg32339 = msg("30260", dup321); - -var msg32340 = msg("30261", dup321); - -var msg32341 = msg("30262", dup321); - -var msg32342 = msg("30263", dup314); - -var msg32343 = msg("30264", dup314); - -var msg32344 = msg("30265", dup314); - -var msg32345 = msg("30266", dup314); - -var msg32346 = msg("30267", dup314); - -var msg32347 = msg("30268", dup314); - -var msg32348 = msg("30269", dup321); - -var msg32349 = msg("30270", dup321); - -var msg32350 = msg("30271", dup321); - -var msg32351 = msg("30272", dup321); - -var msg32352 = msg("30273", dup321); - -var msg32353 = msg("30274", dup311); - -var msg32354 = msg("30275", dup321); - -var msg32355 = msg("30276", dup321); - -var msg32356 = msg("30277", dup321); - -var msg32357 = msg("30278", dup321); - -var msg32358 = msg("30279", dup321); - -var msg32359 = msg("30280", dup311); - -var msg32360 = msg("30281", dup311); - -var msg32361 = msg("30282", dup323); - -var msg32362 = msg("30283", dup323); - -var msg32363 = msg("30284", dup321); - -var msg32364 = msg("30285", dup321); - -var msg32365 = msg("30286", dup321); - -var msg32366 = msg("30287", dup307); - -var msg32367 = msg("30288", dup321); - -var msg32368 = msg("30289", dup325); - -var msg32369 = msg("30290", dup325); - -var msg32370 = msg("30291", dup309); - -var msg32371 = msg("30292", dup309); - -var msg32372 = msg("30293", dup309); - -var msg32373 = msg("30294", dup322); - -var msg32374 = msg("30295", dup322); - -var msg32375 = msg("30296", dup322); - -var msg32376 = msg("30297", dup314); - -var msg32377 = msg("30298", dup321); - -var msg32378 = 
msg("30299", dup321); - -var msg32379 = msg("30300", dup321); - -var msg32380 = msg("30301", dup325); - -var msg32381 = msg("30302", dup321); - -var msg32382 = msg("30303", dup321); - -var msg32383 = msg("30304", dup321); - -var msg32384 = msg("30305", dup311); - -var msg32385 = msg("30306", dup311); - -var msg32386 = msg("30307", dup314); - -var msg32387 = msg("30308", dup325); - -var msg32388 = msg("30309", dup325); - -var msg32389 = msg("30310", dup321); - -var msg32390 = msg("30311", dup321); - -var msg32391 = msg("30312", dup311); - -var msg32392 = msg("30313", dup311); - -var msg32393 = msg("30314", dup325); - -var msg32394 = msg("30315", dup325); - -var msg32395 = msg("30316", dup311); - -var msg32396 = msg("30317", dup311); - -var msg32397 = msg("30318", dup311); - -var msg32398 = msg("30319", dup311); - -var msg32399 = msg("30320", dup321); - -var msg32400 = msg("30321", dup321); - -var msg32401 = msg("30322", dup321); - -var msg32402 = msg("30323", dup321); - -var msg32403 = msg("30324", dup311); - -var msg32404 = msg("30325", dup311); - -var msg32405 = msg("30326", dup324); - -var msg32406 = msg("30327", dup325); - -var msg32407 = msg("30328", dup325); - -var msg32408 = msg("30329", dup314); - -var msg32409 = msg("30330", dup314); - -var msg32410 = msg("30331", dup325); - -var msg32411 = msg("30332", dup321); - -var msg32412 = msg("30333", dup321); - -var msg32413 = msg("30334", dup321); - -var msg32414 = msg("30335", dup321); - -var msg32415 = msg("30336", dup321); - -var msg32416 = msg("30337", dup324); - -var msg32417 = msg("30338", dup309); - -var all58 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup96, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var msg32418 = msg("30339", all58); - -var msg32419 = msg("30340", dup324); - -var msg32420 = msg("30341", dup309); - -var msg32421 = 
msg("30342", dup310); - -var msg32422 = msg("30343", dup322); - -var msg32423 = msg("30344", dup325); - -var msg32424 = msg("30345", dup325); - -var msg32425 = msg("30347", dup309); - -var msg32426 = msg("30348", dup309); - -var msg32427 = msg("30349", dup309); - -var msg32428 = msg("30350", dup316); - -var msg32429 = msg("30351", dup316); - -var msg32430 = msg("30352", dup316); - -var msg32431 = msg("30353", dup316); - -var msg32432 = msg("30354", dup316); - -var msg32433 = msg("30355", dup316); - -var msg32434 = msg("30356", dup316); - -var msg32435 = msg("30357", dup316); - -var msg32436 = msg("30358", dup316); - -var msg32437 = msg("30359", dup316); - -var msg32438 = msg("30360", dup316); - -var msg32439 = msg("30361", dup316); - -var msg32440 = msg("30362", dup316); - -var msg32441 = msg("30363", dup316); - -var msg32442 = msg("30364", dup316); - -var msg32443 = msg("30365", dup316); - -var msg32444 = msg("30366", dup316); - -var msg32445 = msg("30367", dup316); - -var msg32446 = msg("30368", dup316); - -var msg32447 = msg("30369", dup316); - -var msg32448 = msg("30370", dup316); - -var msg32449 = msg("30371", dup316); - -var msg32450 = msg("30372", dup316); - -var msg32451 = msg("30373", dup316); - -var msg32452 = msg("30374", dup316); - -var msg32453 = msg("30375", dup316); - -var msg32454 = msg("30376", dup316); - -var msg32455 = msg("30377", dup316); - -var msg32456 = msg("30378", dup316); - -var msg32457 = msg("30379", dup316); - -var msg32458 = msg("30380", dup316); - -var msg32459 = msg("30381", dup316); - -var msg32460 = msg("30382", dup316); - -var msg32461 = msg("30383", dup316); - -var msg32462 = msg("30384", dup316); - -var msg32463 = msg("30385", dup316); - -var msg32464 = msg("30386", dup316); - -var msg32465 = msg("30387", dup316); - -var msg32466 = msg("30388", dup316); - -var msg32467 = msg("30389", dup316); - -var msg32468 = msg("30390", dup316); - -var msg32469 = msg("30391", dup316); - -var msg32470 = msg("30392", dup316); - -var msg32471 = 
msg("30393", dup316); - -var msg32472 = msg("30394", dup316); - -var msg32473 = msg("30395", dup316); - -var msg32474 = msg("30396", dup316); - -var msg32475 = msg("30397", dup316); - -var msg32476 = msg("30398", dup316); - -var msg32477 = msg("30399", dup316); - -var msg32478 = msg("30400", dup316); - -var msg32479 = msg("30401", dup316); - -var msg32480 = msg("30402", dup316); - -var msg32481 = msg("30403", dup316); - -var msg32482 = msg("30404", dup316); - -var msg32483 = msg("30405", dup316); - -var msg32484 = msg("30406", dup316); - -var msg32485 = msg("30407", dup316); - -var msg32486 = msg("30408", dup316); - -var msg32487 = msg("30409", dup316); - -var msg32488 = msg("30410", dup316); - -var msg32489 = msg("30411", dup316); - -var msg32490 = msg("30412", dup316); - -var msg32491 = msg("30413", dup316); - -var msg32492 = msg("30414", dup316); - -var msg32493 = msg("30415", dup316); - -var msg32494 = msg("30416", dup316); - -var msg32495 = msg("30417", dup316); - -var msg32496 = msg("30418", dup316); - -var msg32497 = msg("30419", dup316); - -var msg32498 = msg("30420", dup316); - -var msg32499 = msg("30421", dup316); - -var msg32500 = msg("30422", dup316); - -var msg32501 = msg("30423", dup316); - -var msg32502 = msg("30424", dup316); - -var msg32503 = msg("30425", dup316); - -var msg32504 = msg("30426", dup316); - -var msg32505 = msg("30427", dup316); - -var msg32506 = msg("30428", dup316); - -var msg32507 = msg("30429", dup316); - -var msg32508 = msg("30430", dup316); - -var msg32509 = msg("30431", dup316); - -var msg32510 = msg("30432", dup316); - -var msg32511 = msg("30433", dup316); - -var msg32512 = msg("30434", dup316); - -var msg32513 = msg("30435", dup316); - -var msg32514 = msg("30436", dup316); - -var msg32515 = msg("30437", dup316); - -var msg32516 = msg("30438", dup316); - -var msg32517 = msg("30439", dup316); - -var msg32518 = msg("30440", dup316); - -var msg32519 = msg("30441", dup316); - -var msg32520 = msg("30442", dup316); - -var msg32521 = 
msg("30443", dup316); - -var msg32522 = msg("30444", dup316); - -var msg32523 = msg("30445", dup316); - -var msg32524 = msg("30446", dup316); - -var msg32525 = msg("30447", dup316); - -var msg32526 = msg("30448", dup316); - -var msg32527 = msg("30449", dup316); - -var msg32528 = msg("30450", dup316); - -var msg32529 = msg("30451", dup316); - -var msg32530 = msg("30452", dup316); - -var msg32531 = msg("30453", dup316); - -var msg32532 = msg("30454", dup316); - -var msg32533 = msg("30455", dup316); - -var msg32534 = msg("30456", dup316); - -var msg32535 = msg("30457", dup316); - -var msg32536 = msg("30458", dup316); - -var msg32537 = msg("30459", dup316); - -var msg32538 = msg("30460", dup316); - -var msg32539 = msg("30461", dup316); - -var msg32540 = msg("30462", dup316); - -var msg32541 = msg("30463", dup316); - -var msg32542 = msg("30464", dup316); - -var msg32543 = msg("30465", dup316); - -var msg32544 = msg("30466", dup316); - -var msg32545 = msg("30467", dup316); - -var msg32546 = msg("30468", dup316); - -var msg32547 = msg("30469", dup316); - -var msg32548 = msg("30470", dup316); - -var msg32549 = msg("30471", dup316); - -var msg32550 = msg("30472", dup316); - -var msg32551 = msg("30473", dup316); - -var msg32552 = msg("30474", dup316); - -var msg32553 = msg("30475", dup316); - -var msg32554 = msg("30476", dup316); - -var msg32555 = msg("30477", dup316); - -var msg32556 = msg("30478", dup316); - -var msg32557 = msg("30479", dup316); - -var msg32558 = msg("30480", dup316); - -var msg32559 = msg("30481", dup321); - -var msg32560 = msg("30482", dup321); - -var msg32561 = msg("30483", dup321); - -var msg32562 = msg("30484", dup321); - -var msg32563 = msg("30485", dup314); - -var msg32564 = msg("30486", dup314); - -var msg32565 = msg("30487", dup309); - -var msg32566 = msg("30488", dup309); - -var msg32567 = msg("30489", dup309); - -var msg32568 = msg("30490", dup311); - -var msg32569 = msg("30491", dup311); - -var msg32570 = msg("30492", dup321); - -var msg32571 = 
msg("30493", dup321); - -var msg32572 = msg("30494", dup321); - -var msg32573 = msg("30495", dup321); - -var msg32574 = msg("30496", dup321); - -var msg32575 = msg("30497", dup325); - -var msg32576 = msg("30498", dup325); - -var msg32577 = msg("30499", dup311); - -var msg32578 = msg("30500", dup311); - -var msg32579 = msg("30501", dup325); - -var msg32580 = msg("30502", dup325); - -var msg32581 = msg("30503", dup325); - -var msg32582 = msg("30504", dup325); - -var msg32583 = msg("30505", dup325); - -var msg32584 = msg("30506", dup325); - -var msg32585 = msg("30507", dup309); - -var msg32586 = msg("30508", dup325); - -var msg32587 = msg("30509", dup325); - -var msg32588 = msg("30510", dup316); - -var msg32589 = msg("30511", dup316); - -var msg32590 = msg("30512", dup316); - -var msg32591 = msg("30513", dup316); - -var msg32592 = msg("30514", dup316); - -var msg32593 = msg("30515", dup316); - -var msg32594 = msg("30516", dup316); - -var msg32595 = msg("30517", dup316); - -var msg32596 = msg("30518", dup325); - -var msg32597 = msg("30519", dup321); - -var msg32598 = msg("30520", dup309); - -var msg32599 = msg("30521", dup309); - -var msg32600 = msg("30522", dup309); - -var msg32601 = msg("30523", dup309); - -var all59 = all_match({ - processors: [ - dup66, - dup179, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup63, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var msg32602 = msg("30524", all59); - -var msg32603 = msg("30525", dup309); - -var msg32604 = msg("30526", dup311); - -var msg32605 = msg("30527", dup311); - -var msg32606 = msg("30528", dup323); - -var msg32607 = msg("30529", dup323); - -var msg32608 = msg("30530", dup309); - -var msg32609 = msg("30531", dup309); - -var msg32610 = msg("30532", dup314); - -var msg32611 = msg("30533", dup309); - -var msg32612 = msg("30534", dup309); - -var msg32613 = msg("30535", dup314); - -var msg32614 = 
msg("30536", dup314); - -var msg32615 = msg("30537", dup314); - -var msg32616 = msg("30538", dup314); - -var msg32617 = msg("30539", dup314); - -var msg32618 = msg("30540", dup314); - -var msg32619 = msg("30541", dup321); - -var msg32620 = msg("30542", dup321); - -var msg32621 = msg("30543", dup321); - -var msg32622 = msg("30544", dup321); - -var msg32623 = msg("30545", dup321); - -var msg32624 = msg("30546", dup321); - -var msg32625 = msg("30547", dup321); - -var msg32626 = msg("30548", dup321); - -var msg32627 = msg("30549", dup311); - -var msg32628 = msg("30550", dup321); - -var msg32629 = msg("30551", dup325); - -var msg32630 = msg("30552", dup325); - -var msg32631 = msg("30553", dup314); - -var msg32632 = msg("30554", dup314); - -var msg32633 = msg("30555", dup314); - -var msg32634 = msg("30556", dup314); - -var msg32635 = msg("30562", dup309); - -var msg32636 = msg("30566", dup321); - -var msg32637 = msg("30570", dup321); - -var msg32638 = msg("30711", dup309); - -var msg32639 = msg("30712", dup309); - -var msg32640 = msg("30713", dup309); - -var msg32641 = msg("30714", dup309); - -var msg32642 = msg("30715", dup309); - -var msg32643 = msg("30716", dup309); - -var msg32644 = msg("30717", dup309); - -var msg32645 = msg("30718", dup309); - -var msg32646 = msg("30719", dup314); - -var msg32647 = msg("30720", dup314); - -var msg32648 = msg("30721", dup314); - -var msg32649 = msg("30722", dup314); - -var msg32650 = msg("30723", dup314); - -var msg32651 = msg("30724", dup314); - -var msg32652 = msg("30725", dup314); - -var msg32653 = msg("30726", dup314); - -var msg32654 = msg("30727", dup309); - -var msg32655 = msg("30728", dup309); - -var msg32656 = msg("30729", dup309); - -var msg32657 = msg("30730", dup309); - -var msg32658 = msg("30731", dup309); - -var msg32659 = msg("30732", dup309); - -var msg32660 = msg("30733", dup309); - -var msg32661 = msg("30734", dup309); - -var msg32662 = msg("30735", dup314); - -var msg32663 = msg("30736", dup314); - -var msg32664 = 
msg("30737", dup314); - -var msg32665 = msg("30738", dup314); - -var msg32666 = msg("30739", dup314); - -var msg32667 = msg("30740", dup314); - -var msg32668 = msg("30741", dup314); - -var msg32669 = msg("30742", dup314); - -var msg32670 = msg("30743", dup321); - -var msg32671 = msg("30744", dup321); - -var msg32672 = msg("30745", dup321); - -var msg32673 = msg("30746", dup321); - -var msg32674 = msg("30747", dup321); - -var msg32675 = msg("30748", dup321); - -var msg32676 = msg("30749", dup321); - -var msg32677 = msg("30750", dup321); - -var msg32678 = msg("30751", dup321); - -var msg32679 = msg("30752", dup321); - -var msg32680 = msg("30753", dup321); - -var msg32681 = msg("30754", dup311); - -var msg32682 = msg("30755", dup311); - -var msg32683 = msg("30756", dup314); - -var msg32684 = msg("30757", dup314); - -var msg32685 = msg("30758", dup314); - -var msg32686 = msg("30759", dup314); - -var msg32687 = msg("30760", dup314); - -var msg32688 = msg("30761", dup309); - -var msg32689 = msg("30762", dup309); - -var msg32690 = msg("30763", dup309); - -var msg32691 = msg("30764", dup309); - -var msg32692 = msg("30765", dup314); - -var msg32693 = msg("30766", dup311); - -var msg32694 = msg("30767", dup311); - -var msg32695 = msg("30768", dup311); - -var msg32696 = msg("30777", dup314); - -var msg32697 = msg("30778", dup314); - -var msg32698 = msg("30779", dup314); - -var msg32699 = msg("30780", dup314); - -var msg32700 = msg("30781", dup314); - -var msg32701 = msg("30782", dup314); - -var msg32702 = msg("30783", dup314); - -var msg32703 = msg("30784", dup314); - -var msg32704 = msg("30785", dup314); - -var msg32705 = msg("30786", dup314); - -var msg32706 = msg("30787", dup314); - -var msg32707 = msg("30788", dup314); - -var msg32708 = msg("30789", dup311); - -var msg32709 = msg("30790", dup314); - -var msg32710 = msg("30791", dup314); - -var msg32711 = msg("30792", dup314); - -var msg32712 = msg("30793", dup314); - -var msg32713 = msg("30794", dup325); - -var msg32714 = 
msg("30795", dup321); - -var msg32715 = msg("30796", dup321); - -var msg32716 = msg("30797", dup309); - -var msg32717 = msg("30798", dup309); - -var msg32718 = msg("30799", dup309); - -var msg32719 = msg("30800", dup309); - -var msg32720 = msg("30801", dup309); - -var msg32721 = msg("30802", dup309); - -var msg32722 = msg("30803", dup325); - -var msg32723 = msg("30804", dup321); - -var msg32724 = msg("30805", dup321); - -var msg32725 = msg("30806", dup321); - -var msg32726 = msg("30807", dup321); - -var msg32727 = msg("30808", dup321); - -var msg32728 = msg("30809", dup321); - -var msg32729 = msg("30810", dup321); - -var msg32730 = msg("30811", dup321); - -var msg32731 = msg("30812", dup321); - -var msg32732 = msg("30813", dup321); - -var msg32733 = msg("30814", dup321); - -var msg32734 = msg("30815", dup321); - -var msg32735 = msg("30816", dup314); - -var msg32736 = msg("30817", dup314); - -var msg32737 = msg("30818", dup314); - -var msg32738 = msg("30819", dup314); - -var msg32739 = msg("30820", dup314); - -var msg32740 = msg("30821", dup314); - -var msg32741 = msg("30822", dup314); - -var msg32742 = msg("30823", dup314); - -var msg32743 = msg("30824", dup321); - -var msg32744 = msg("30825", dup321); - -var msg32745 = msg("30826", dup321); - -var msg32746 = msg("30827", dup321); - -var msg32747 = msg("30828", dup321); - -var msg32748 = msg("30829", dup321); - -var msg32749 = msg("30830", dup321); - -var msg32750 = msg("30831", dup321); - -var msg32751 = msg("30832", dup321); - -var msg32752 = msg("30833", dup321); - -var msg32753 = msg("30834", dup321); - -var msg32754 = msg("30835", dup321); - -var msg32755 = msg("30836", dup321); - -var msg32756 = msg("30837", dup321); - -var msg32757 = msg("30838", dup321); - -var msg32758 = msg("30839", dup321); - -var msg32759 = msg("30840", dup321); - -var msg32760 = msg("30841", dup321); - -var msg32761 = msg("30842", dup321); - -var msg32762 = msg("30843", dup311); - -var msg32763 = msg("30844", dup311); - -var msg32764 = 
msg("30845", dup307); - -var msg32765 = msg("30846", dup307); - -var msg32766 = msg("30847", dup325); - -var msg32767 = msg("30848", dup325); - -var msg32768 = msg("30849", dup325); - -var msg32769 = msg("30850", dup325); - -var msg32770 = msg("30851", dup325); - -var msg32771 = msg("30852", dup311); - -var msg32772 = msg("30853", dup329); - -var msg32773 = msg("30854", dup329); - -var msg32774 = msg("30855", dup329); - -var msg32775 = msg("30856", dup329); - -var msg32776 = msg("30857", dup329); - -var msg32777 = msg("30858", dup329); - -var msg32778 = msg("30859", dup329); - -var msg32779 = msg("30860", dup329); - -var msg32780 = msg("30861", dup329); - -var msg32781 = msg("30862", dup329); - -var msg32782 = msg("30863", dup329); - -var msg32783 = msg("30864", dup329); - -var msg32784 = msg("30865", dup329); - -var msg32785 = msg("30866", dup329); - -var msg32786 = msg("30867", dup329); - -var msg32787 = msg("30868", dup329); - -var msg32788 = msg("30869", dup329); - -var msg32789 = msg("30870", dup329); - -var msg32790 = msg("30871", dup329); - -var msg32791 = msg("30872", dup329); - -var msg32792 = msg("30873", dup329); - -var msg32793 = msg("30874", dup329); - -var msg32794 = msg("30875", dup329); - -var msg32795 = msg("30876", dup309); - -var msg32796 = msg("30877", dup309); - -var msg32797 = msg("30878", dup311); - -var msg32798 = msg("30879", dup321); - -var msg32799 = msg("30880", dup200); - -var msg32800 = msg("30881", dup329); - -var msg32801 = msg("30882", dup321); - -var msg32802 = msg("30883", dup321); - -var msg32803 = msg("30884", dup324); - -var msg32804 = msg("30885", dup307); - -var msg32805 = msg("30886", dup307); - -var msg32806 = msg("30887", dup316); - -var msg32807 = msg("30888", dup316); - -var msg32808 = msg("30889", dup309); - -var msg32809 = msg("30890", dup309); - -var msg32810 = msg("30891", dup321); - -var msg32811 = msg("30892", dup325); - -var msg32812 = msg("30893", dup325); - -var msg32813 = msg("30894", dup325); - -var msg32814 = 
msg("30895", dup325); - -var msg32815 = msg("30896", dup321); - -var msg32816 = msg("30897", dup321); - -var msg32817 = msg("30898", dup314); - -var msg32818 = msg("30899", dup321); - -var msg32819 = msg("30900", dup321); - -var msg32820 = msg("30901", dup325); - -var msg32821 = msg("30902", dup311); - -var msg32822 = msg("30903", dup311); - -var msg32823 = msg("30904", dup311); - -var msg32824 = msg("30905", dup311); - -var msg32825 = msg("30906", dup311); - -var msg32826 = msg("30907", dup311); - -var msg32827 = msg("30908", dup311); - -var msg32828 = msg("30909", dup311); - -var msg32829 = msg("30910", dup314); - -var msg32830 = msg("30911", dup314); - -var msg32831 = msg("30912", dup311); - -var msg32832 = msg("30913", dup311); - -var msg32833 = msg("30914", dup321); - -var msg32834 = msg("30915", dup321); - -var msg32835 = msg("30916", dup333); - -var msg32836 = msg("30917", dup321); - -var msg32837 = msg("30918", dup325); - -var msg32838 = msg("30919", dup321); - -var msg32839 = msg("30920", dup307); - -var msg32840 = msg("30921", dup311); - -var msg32841 = msg("30922", dup311); - -var msg32842 = msg("30923", dup321); - -var msg32843 = msg("30924", dup321); - -var msg32844 = msg("30925", dup321); - -var msg32845 = msg("30926", dup321); - -var msg32846 = msg("30927", dup321); - -var msg32847 = msg("30928", dup314); - -var msg32848 = msg("30929", dup310); - -var msg32849 = msg("30930", dup321); - -var msg32850 = msg("30931", dup310); - -var msg32851 = msg("30932", dup311); - -var msg32852 = msg("30933", dup311); - -var msg32853 = msg("30934", dup311); - -var msg32854 = msg("30935", dup311); - -var msg32855 = msg("30936", dup311); - -var msg32856 = msg("30937", dup311); - -var msg32857 = msg("30938", dup321); - -var msg32858 = msg("30939", dup311); - -var msg32859 = msg("30940", dup311); - -var msg32860 = msg("30941", dup309); - -var msg32861 = msg("30942", dup311); - -var msg32862 = msg("30943", dup311); - -var msg32863 = msg("30944", dup314); - -var msg32864 = 
msg("30945", dup333); - -var msg32865 = msg("30946", dup321); - -var msg32866 = msg("30947", dup321); - -var msg32867 = msg("30948", dup321); - -var msg32868 = msg("30949", dup321); - -var msg32869 = msg("30950", dup311); - -var msg32870 = msg("30951", dup314); - -var msg32871 = msg("30952", dup321); - -var msg32872 = msg("30953", dup321); - -var msg32873 = msg("30954", dup321); - -var msg32874 = msg("30955", dup321); - -var msg32875 = msg("30956", dup311); - -var msg32876 = msg("30957", dup311); - -var msg32877 = msg("30958", dup311); - -var msg32878 = msg("30959", dup311); - -var msg32879 = msg("30960", dup311); - -var msg32880 = msg("30961", dup325); - -var msg32881 = msg("30962", dup325); - -var msg32882 = msg("30963", dup325); - -var msg32883 = msg("30964", dup325); - -var msg32884 = msg("30965", dup311); - -var msg32885 = msg("30966", dup311); - -var msg32886 = msg("30967", dup311); - -var msg32887 = msg("30968", dup311); - -var msg32888 = msg("30969", dup311); - -var msg32889 = msg("30970", dup311); - -var msg32890 = msg("30971", dup311); - -var msg32891 = msg("30972", dup311); - -var msg32892 = msg("30973", dup311); - -var msg32893 = msg("30974", dup307); - -var msg32894 = msg("30975", dup311); - -var msg32895 = msg("30976", dup311); - -var msg32896 = msg("30977", dup321); - -var msg32897 = msg("30978", dup321); - -var msg32898 = msg("30979", dup321); - -var msg32899 = msg("30980", dup321); - -var msg32900 = msg("30981", dup321); - -var msg32901 = msg("30982", dup321); - -var msg32902 = msg("30983", dup321); - -var msg32903 = msg("30984", dup321); - -var msg32904 = msg("30985", dup321); - -var msg32905 = msg("30986", dup321); - -var msg32906 = msg("30987", dup321); - -var msg32907 = msg("30988", dup321); - -var msg32908 = msg("30989", dup321); - -var msg32909 = msg("30990", dup311); - -var msg32910 = msg("30991", dup311); - -var msg32911 = msg("30992", dup314); - -var msg32912 = msg("30993", dup314); - -var msg32913 = msg("30994", dup314); - -var msg32914 = 
msg("30995", dup314); - -var msg32915 = msg("30996", dup314); - -var msg32916 = msg("30997", dup321); - -var msg32917 = msg("30998", dup321); - -var msg32918 = msg("30999", dup321); - -var msg32919 = msg("31000", dup321); - -var msg32920 = msg("31001", dup321); - -var msg32921 = msg("31002", dup321); - -var msg32922 = msg("31003", dup321); - -var msg32923 = msg("31004", dup321); - -var msg32924 = msg("31005", dup321); - -var msg32925 = msg("31006", dup321); - -var msg32926 = msg("31007", dup323); - -var msg32927 = msg("31008", dup309); - -var msg32928 = msg("31009", dup309); - -var msg32929 = msg("31010", dup321); - -var msg32930 = msg("31011", dup314); - -var msg32931 = msg("31012", dup314); - -var msg32932 = msg("31013", dup314); - -var msg32933 = msg("31014", dup321); - -var msg32934 = msg("31015", dup309); - -var msg32935 = msg("31016", dup309); - -var msg32936 = msg("31017", dup325); - -var msg32937 = msg("31018", dup325); - -var msg32938 = msg("31019", dup321); - -var msg32939 = msg("31020", dup321); - -var msg32940 = msg("31021", dup311); - -var msg32941 = msg("31022", dup311); - -var msg32942 = msg("31023", dup311); - -var msg32943 = msg("31024", dup311); - -var msg32944 = msg("31025", dup311); - -var msg32945 = msg("31026", dup311); - -var msg32946 = msg("31027", dup309); - -var msg32947 = msg("31028", dup309); - -var msg32948 = msg("31029", dup309); - -var msg32949 = msg("31030", dup309); - -var msg32950 = msg("31031", dup309); - -var msg32951 = msg("31032", dup309); - -var msg32952 = msg("31033", dup321); - -var msg32953 = msg("31034", dup321); - -var msg32954 = msg("31035", dup321); - -var msg32955 = msg("31036", dup321); - -var msg32956 = msg("31037", dup309); - -var msg32957 = msg("31038", dup309); - -var msg32958 = msg("31039", dup309); - -var msg32959 = msg("31040", dup309); - -var msg32960 = msg("31041", dup309); - -var msg32961 = msg("31042", dup321); - -var msg32962 = msg("31043", dup314); - -var msg32963 = msg("31044", dup314); - -var msg32964 = 
msg("31045", dup330); - -var msg32965 = msg("31046", dup311); - -var msg32966 = msg("31048", dup321); - -var msg32967 = msg("31049", dup321); - -var msg32968 = msg("31050", dup321); - -var msg32969 = msg("31051", dup321); - -var msg32970 = msg("31052", dup321); - -var msg32971 = msg("31053", dup321); - -var msg32972 = msg("31054", dup321); - -var msg32973 = msg("31055", dup321); - -var msg32974 = msg("31056", dup315); - -var msg32975 = msg("31057", dup315); - -var msg32976 = msg("31058", dup315); - -var msg32977 = msg("31059", dup315); - -var msg32978 = msg("31060", dup325); - -var msg32979 = msg("31061", dup325); - -var msg32980 = msg("31062", dup325); - -var msg32981 = msg("31063", dup333); - -var msg32982 = msg("31064", dup321); - -var msg32983 = msg("31065", dup321); - -var msg32984 = msg("31066", dup321); - -var msg32985 = msg("31067", dup322); - -var msg32986 = msg("31068", dup307); - -var msg32987 = msg("31069", dup307); - -var msg32988 = msg("31070", dup321); - -var msg32989 = msg("31071", dup335); - -var msg32990 = msg("31072", dup321); - -var msg32991 = msg("31073", dup321); - -var msg32992 = msg("31074", dup321); - -var msg32993 = msg("31075", dup325); - -var msg32994 = msg("31076", dup314); - -var msg32995 = msg("31077", dup321); - -var msg32996 = msg("31078", dup321); - -var msg32997 = msg("31079", dup321); - -var msg32998 = msg("31080", dup321); - -var msg32999 = msg("31081", dup321); - -var msg33000 = msg("31082", dup323); - -var msg33001 = msg("31083", dup321); - -var msg33002 = msg("31084", dup321); - -var msg33003 = msg("31085", dup314); - -var msg33004 = msg("31086", dup314); - -var msg33005 = msg("31087", dup311); - -var msg33006 = msg("31088", dup311); - -var msg33007 = msg("31089", dup321); - -var msg33008 = msg("31090", dup325); - -var msg33009 = msg("31091", dup321); - -var msg33010 = msg("31092", dup311); - -var msg33011 = msg("31093", dup311); - -var msg33012 = msg("31094", dup311); - -var msg33013 = msg("31095", dup315); - -var msg33014 = 
msg("31096", dup315); - -var msg33015 = msg("31097", dup315); - -var msg33016 = msg("31098", dup315); - -var msg33017 = msg("31099", dup315); - -var msg33018 = msg("31100", dup315); - -var msg33019 = msg("31101", dup314); - -var msg33020 = msg("31102", dup321); - -var msg33021 = msg("31103", dup309); - -var msg33022 = msg("31104", dup309); - -var msg33023 = msg("31105", dup309); - -var msg33024 = msg("31106", dup309); - -var msg33025 = msg("31107", dup321); - -var msg33026 = msg("31108", dup321); - -var msg33027 = msg("31109", dup321); - -var msg33028 = msg("31110", dup321); - -var msg33029 = msg("31111", dup321); - -var msg33030 = msg("31112", dup321); - -var msg33031 = msg("31113", dup321); - -var msg33032 = msg("31114", dup321); - -var msg33033 = msg("31115", dup321); - -var msg33034 = msg("31116", dup321); - -var msg33035 = msg("31117", dup321); - -var msg33036 = msg("31118", dup321); - -var msg33037 = msg("31119", dup321); - -var msg33038 = msg("31120", dup321); - -var msg33039 = msg("31121", dup321); - -var msg33040 = msg("31122", dup325); - -var msg33041 = msg("31123", dup321); - -var msg33042 = msg("31124", dup321); - -var msg33043 = msg("31125", dup309); - -var msg33044 = msg("31126", dup309); - -var msg33045 = msg("31127", dup309); - -var msg33046 = msg("31128", dup333); - -var msg33047 = msg("31129", dup311); - -var msg33048 = msg("31130", dup311); - -var msg33049 = msg("31131", dup321); - -var msg33050 = msg("31132", dup321); - -var msg33051 = msg("31133", dup321); - -var msg33052 = msg("31134", dup321); - -var msg33053 = msg("31135", dup321); - -var msg33054 = msg("31136", dup321); - -var msg33055 = msg("31137", dup321); - -var msg33056 = msg("31138", dup321); - -var msg33057 = msg("31139", dup321); - -var msg33058 = msg("31140", dup321); - -var msg33059 = msg("31141", dup321); - -var msg33060 = msg("31142", dup321); - -var msg33061 = msg("31143", dup314); - -var msg33062 = msg("31144", dup321); - -var msg33063 = msg("31145", dup321); - -var msg33064 = 
msg("31146", dup321); - -var msg33065 = msg("31167", dup321); - -var msg33066 = msg("31176", dup309); - -var msg33067 = msg("31177", dup309); - -var msg33068 = msg("31178", dup309); - -var msg33069 = msg("31179", dup309); - -var msg33070 = msg("31180", dup324); - -var msg33071 = msg("31181", dup324); - -var msg33072 = msg("31182", dup309); - -var msg33073 = msg("31183", dup321); - -var msg33074 = msg("31184", dup321); - -var msg33075 = msg("31185", dup321); - -var msg33076 = msg("31186", dup321); - -var msg33077 = msg("31187", dup321); - -var msg33078 = msg("31188", dup309); - -var msg33079 = msg("31189", dup309); - -var msg33080 = msg("31190", dup325); - -var msg33081 = msg("31191", dup325); - -var msg33082 = msg("31192", dup325); - -var msg33083 = msg("31193", dup325); - -var msg33084 = msg("31194", dup325); - -var msg33085 = msg("31195", dup314); - -var msg33086 = msg("31196", dup325); - -var msg33087 = msg("31197", dup325); - -var msg33088 = msg("31198", dup325); - -var msg33089 = msg("31199", dup325); - -var msg33090 = msg("31200", dup325); - -var msg33091 = msg("31201", dup325); - -var msg33092 = msg("31202", dup325); - -var msg33093 = msg("31203", dup325); - -var msg33094 = msg("31204", dup325); - -var msg33095 = msg("31205", dup325); - -var msg33096 = msg("31206", dup325); - -var msg33097 = msg("31207", dup325); - -var msg33098 = msg("31208", dup325); - -var msg33099 = msg("31209", dup325); - -var msg33100 = msg("31210", dup309); - -var msg33101 = msg("31211", dup309); - -var msg33102 = msg("31212", dup310); - -var msg33103 = msg("31213", dup310); - -var msg33104 = msg("31214", dup321); - -var msg33105 = msg("31215", dup325); - -var msg33106 = msg("31216", dup325); - -var msg33107 = msg("31217", dup314); - -var msg33108 = msg("31218", dup321); - -var msg33109 = msg("31219", dup325); - -var msg33110 = msg("31220", dup325); - -var msg33111 = msg("31221", dup321); - -var msg33112 = msg("31222", dup321); - -var msg33113 = msg("31223", dup321); - -var msg33114 = 
msg("31224", dup321); - -var msg33115 = msg("31225", dup325); - -var msg33116 = msg("31226", dup321); - -var msg33117 = msg("31227", dup321); - -var msg33118 = msg("31228", dup321); - -var msg33119 = msg("31229", dup311); - -var msg33120 = msg("31230", dup311); - -var msg33121 = msg("31231", dup311); - -var msg33122 = msg("31232", dup311); - -var msg33123 = msg("31233", dup321); - -var msg33124 = msg("31234", dup321); - -var msg33125 = msg("31235", dup321); - -var msg33126 = msg("31236", dup321); - -var msg33127 = msg("31237", dup311); - -var msg33128 = msg("31238", dup311); - -var msg33129 = msg("31239", dup321); - -var msg33130 = msg("31240", dup324); - -var msg33131 = msg("31241", dup324); - -var msg33132 = msg("31242", dup321); - -var msg33133 = msg("31243", dup321); - -var msg33134 = msg("31244", dup321); - -var msg33135 = msg("31245", dup311); - -var msg33136 = msg("31246", dup311); - -var msg33137 = msg("31247", dup321); - -var msg33138 = msg("31248", dup321); - -var msg33139 = msg("31249", dup321); - -var msg33140 = msg("31250", dup321); - -var msg33141 = msg("31251", dup321); - -var msg33142 = msg("31252", dup321); - -var msg33143 = msg("31253", dup321); - -var msg33144 = msg("31254", dup321); - -var msg33145 = msg("31255", dup321); - -var msg33146 = msg("31256", dup321); - -var msg33147 = msg("31257", dup321); - -var msg33148 = msg("31258", dup321); - -var msg33149 = msg("31259", dup314); - -var msg33150 = msg("31260", dup310); - -var msg33151 = msg("31261", dup321); - -var msg33152 = msg("31262", dup321); - -var msg33153 = msg("31263", dup321); - -var msg33154 = msg("31264", dup321); - -var msg33155 = msg("31265", dup321); - -var msg33156 = msg("31266", dup321); - -var msg33157 = msg("31267", dup321); - -var msg33158 = msg("31268", dup321); - -var msg33159 = msg("31269", dup321); - -var msg33160 = msg("31270", dup321); - -var msg33161 = msg("31271", dup321); - -var msg33162 = msg("31272", dup321); - -var msg33163 = msg("31273", dup321); - -var msg33164 = 
msg("31274", dup311); - -var msg33165 = msg("31275", dup311); - -var msg33166 = msg("31276", dup311); - -var msg33167 = msg("31277", dup311); - -var msg33168 = msg("31278", dup311); - -var msg33169 = msg("31279", dup311); - -var msg33170 = msg("31280", dup311); - -var msg33171 = msg("31281", dup314); - -var msg33172 = msg("31282", dup314); - -var msg33173 = msg("31283", dup325); - -var msg33174 = msg("31284", dup325); - -var msg33175 = msg("31285", dup325); - -var msg33176 = msg("31286", dup325); - -var msg33177 = msg("31287", dup321); - -var msg33178 = msg("31288", dup321); - -var msg33179 = msg("31289", dup314); - -var msg33180 = msg("31290", dup321); - -var msg33181 = msg("31291", dup311); - -var msg33182 = msg("31292", dup311); - -var msg33183 = msg("31293", dup321); - -var msg33184 = msg("31294", dup321); - -var msg33185 = msg("31295", dup321); - -var msg33186 = msg("31296", dup325); - -var msg33187 = msg("31297", dup324); - -var msg33188 = msg("31298", dup311); - -var msg33189 = msg("31299", dup321); - -var msg33190 = msg("31300", dup322); - -var msg33191 = msg("31301", dup311); - -var msg33192 = msg("31302", dup314); - -var msg33193 = msg("31303", dup321); - -var msg33194 = msg("31304", dup314); - -var msg33195 = msg("31305", dup314); - -var msg33196 = msg("31306", dup321); - -var msg33197 = msg("31307", dup321); - -var msg33198 = msg("31308", dup311); - -var msg33199 = msg("31309", dup311); - -var msg33200 = msg("31310", dup309); - -var msg33201 = msg("31311", dup309); - -var msg33202 = msg("31312", dup309); - -var msg33203 = msg("31313", dup321); - -var msg33204 = msg("31314", dup321); - -var msg33205 = msg("31315", dup321); - -var msg33206 = msg("31316", dup321); - -var msg33207 = msg("31317", dup321); - -var msg33208 = msg("31318", dup321); - -var msg33209 = msg("31319", dup321); - -var msg33210 = msg("31320", dup307); - -var msg33211 = msg("31321", dup307); - -var msg33212 = msg("31322", dup307); - -var msg33213 = msg("31323", dup311); - -var msg33214 = 
msg("31324", dup311); - -var msg33215 = msg("31325", dup311); - -var msg33216 = msg("31326", dup321); - -var msg33217 = msg("31327", dup321); - -var msg33218 = msg("31328", dup321); - -var msg33219 = msg("31329", dup321); - -var msg33220 = msg("31330", dup316); - -var msg33221 = msg("31331", dup311); - -var msg33222 = msg("31332", dup311); - -var msg33223 = msg("31333", dup314); - -var msg33224 = msg("31334", dup314); - -var msg33225 = msg("31335", dup314); - -var msg33226 = msg("31336", dup314); - -var msg33227 = msg("31337", dup311); - -var msg33228 = msg("31338", dup309); - -var msg33229 = msg("31339", dup314); - -var msg33230 = msg("31340", dup314); - -var msg33231 = msg("31341", dup314); - -var msg33232 = msg("31342", dup314); - -var msg33233 = msg("31343", dup321); - -var msg33234 = msg("31344", dup321); - -var msg33235 = msg("31345", dup321); - -var msg33236 = msg("31346", dup321); - -var msg33237 = msg("31347", dup311); - -var msg33238 = msg("31348", dup311); - -var msg33239 = msg("31349", dup311); - -var msg33240 = msg("31350", dup311); - -var msg33241 = msg("31351", dup311); - -var msg33242 = msg("31352", dup311); - -var msg33243 = msg("31353", dup311); - -var msg33244 = msg("31354", dup311); - -var msg33245 = msg("31355", dup321); - -var msg33246 = msg("31356", dup311); - -var msg33247 = msg("31357", dup321); - -var msg33248 = msg("31358", dup321); - -var msg33249 = msg("31359", dup321); - -var msg33250 = msg("31360", dup311); - -var msg33251 = msg("31361", dup309); - -var msg33252 = msg("31362", dup311); - -var msg33253 = msg("31363", dup314); - -var msg33254 = msg("31364", dup323); - -var msg33255 = msg("31365", dup311); - -var msg33256 = msg("31366", dup314); - -var msg33257 = msg("31367", dup314); - -var msg33258 = msg("31368", dup311); - -var msg33259 = msg("31369", dup311); - -var msg33260 = msg("31370", dup311); - -var msg33261 = msg("31371", dup311); - -var msg33262 = msg("31372", dup311); - -var msg33263 = msg("31373", dup309); - -var msg33264 = 
msg("31374", dup309); - -var msg33265 = msg("31375", dup309); - -var msg33266 = msg("31376", dup314); - -var msg33267 = msg("31377", dup314); - -var msg33268 = msg("31378", dup309); - -var msg33269 = msg("31379", dup309); - -var msg33270 = msg("31380", dup311); - -var msg33271 = msg("31381", dup311); - -var msg33272 = msg("31382", dup325); - -var msg33273 = msg("31383", dup325); - -var msg33274 = msg("31384", dup325); - -var msg33275 = msg("31385", dup325); - -var msg33276 = msg("31386", dup325); - -var msg33277 = msg("31387", dup325); - -var msg33278 = msg("31388", dup311); - -var msg33279 = msg("31389", dup311); - -var msg33280 = msg("31390", dup325); - -var msg33281 = msg("31391", dup325); - -var msg33282 = msg("31392", dup311); - -var msg33283 = msg("31393", dup311); - -var msg33284 = msg("31394", dup311); - -var msg33285 = msg("31395", dup311); - -var msg33286 = msg("31396", dup311); - -var msg33287 = msg("31397", dup311); - -var msg33288 = msg("31398", dup311); - -var msg33289 = msg("31399", dup314); - -var msg33290 = msg("31400", dup314); - -var msg33291 = msg("31401", dup314); - -var msg33292 = msg("31402", dup311); - -var msg33293 = msg("31403", dup325); - -var msg33294 = msg("31404", dup325); - -var all60 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup92, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var msg33295 = msg("31405", all60); - -var msg33296 = msg("31406", dup324); - -var msg33297 = msg("31407", dup314); - -var msg33298 = msg("31408", dup314); - -var msg33299 = msg("31409", dup314); - -var msg33300 = msg("31410", dup314); - -var msg33301 = msg("31411", dup311); - -var msg33302 = msg("31412", dup311); - -var msg33303 = msg("31413", dup311); - -var msg33304 = msg("31414", dup311); - -var msg33305 = msg("31415", dup311); - -var msg33306 = msg("31416", dup311); - -var msg33307 = 
msg("31417", dup325); - -var msg33308 = msg("31418", dup321); - -var msg33309 = msg("31419", dup311); - -var msg33310 = msg("31420", dup309); - -var msg33311 = msg("31421", dup309); - -var msg33312 = msg("31422", dup325); - -var msg33313 = msg("31423", dup321); - -var msg33314 = msg("31424", dup321); - -var msg33315 = msg("31425", dup314); - -var msg33316 = msg("31426", dup322); - -var msg33317 = msg("31427", dup311); - -var msg33318 = msg("31428", dup311); - -var msg33319 = msg("31429", dup311); - -var msg33320 = msg("31433", dup321); - -var msg33321 = msg("31434", dup309); - -var msg33322 = msg("31435", dup309); - -var msg33323 = msg("31436", dup309); - -var msg33324 = msg("31437", dup309); - -var msg33325 = msg("31438", dup311); - -var msg33326 = msg("31439", dup309); - -var msg33327 = msg("31440", dup309); - -var msg33328 = msg("31441", dup309); - -var msg33329 = msg("31442", dup321); - -var msg33330 = msg("31443", dup309); - -var msg33331 = msg("31444", dup321); - -var msg33332 = msg("31445", dup321); - -var msg33333 = msg("31446", dup321); - -var msg33334 = msg("31447", dup321); - -var msg33335 = msg("31448", dup321); - -var msg33336 = msg("31449", dup321); - -var msg33337 = msg("31450", dup321); - -var msg33338 = msg("31451", dup311); - -var msg33339 = msg("31452", dup321); - -var msg33340 = msg("31453", dup321); - -var msg33341 = msg("31454", dup321); - -var msg33342 = msg("31455", dup311); - -var msg33343 = msg("31456", dup321); - -var msg33344 = msg("31457", dup321); - -var msg33345 = msg("31458", dup321); - -var msg33346 = msg("31459", dup321); - -var msg33347 = msg("31460", dup309); - -var msg33348 = msg("31461", dup309); - -var msg33349 = msg("31462", dup309); - -var msg33350 = msg("31463", dup321); - -var msg33351 = msg("31464", dup321); - -var msg33352 = msg("31465", dup321); - -var msg33353 = msg("31466", dup321); - -var msg33354 = msg("31467", dup321); - -var msg33355 = msg("31468", dup321); - -var msg33356 = msg("31469", dup325); - -var msg33357 = 
msg("31470", dup325); - -var msg33358 = msg("31471", dup325); - -var msg33359 = msg("31472", dup321); - -var msg33360 = msg("31473", dup309); - -var msg33361 = msg("31474", dup309); - -var msg33362 = msg("31475", dup309); - -var msg33363 = msg("31476", dup309); - -var msg33364 = msg("31477", dup307); - -var msg33365 = msg("31478", dup307); - -var msg33366 = msg("31479", dup307); - -var msg33367 = msg("31480", dup307); - -var msg33368 = msg("31481", dup307); - -var msg33369 = msg("31482", dup307); - -var msg33370 = msg("31483", dup307); - -var msg33371 = msg("31484", dup307); - -var msg33372 = msg("31485", dup325); - -var msg33373 = msg("31486", dup325); - -var msg33374 = msg("31487", dup311); - -var msg33375 = msg("31488", dup311); - -var msg33376 = msg("31489", dup314); - -var msg33377 = msg("31490", dup314); - -var msg33378 = msg("31491", dup314); - -var msg33379 = msg("31492", dup314); - -var msg33380 = msg("31493", dup314); - -var msg33381 = msg("31494", dup314); - -var msg33382 = msg("31495", dup325); - -var msg33383 = msg("31496", dup325); - -var msg33384 = msg("31497", dup314); - -var msg33385 = msg("31498", dup314); - -var msg33386 = msg("31499", dup314); - -var msg33387 = msg("31500", dup314); - -var msg33388 = msg("31501", dup314); - -var msg33389 = msg("31502", dup314); - -var msg33390 = msg("31503", dup314); - -var msg33391 = msg("31504", dup311); - -var msg33392 = msg("31505", dup316); - -var msg33393 = msg("31506", dup316); - -var msg33394 = msg("31507", dup321); - -var msg33395 = msg("31508", dup321); - -var msg33396 = msg("31509", dup321); - -var msg33397 = msg("31510", dup321); - -var msg33398 = msg("31511", dup311); - -var msg33399 = msg("31512", dup311); - -var msg33400 = msg("31513", dup323); - -var msg33401 = msg("31514", dup321); - -var msg33402 = msg("31515", dup321); - -var msg33403 = msg("31516", dup321); - -var msg33404 = msg("31517", dup321); - -var msg33405 = msg("31518", dup321); - -var msg33406 = msg("31519", dup309); - -var msg33407 = 
msg("31520", dup309); - -var msg33408 = msg("31521", dup309); - -var msg33409 = msg("31522", dup309); - -var msg33410 = msg("31523", dup309); - -var msg33411 = msg("31524", dup309); - -var msg33412 = msg("31525", dup314); - -var msg33413 = msg("31526", dup314); - -var msg33414 = msg("31527", dup321); - -var msg33415 = msg("31528", dup321); - -var msg33416 = msg("31529", dup307); - -var msg33417 = msg("31530", dup321); - -var msg33418 = msg("31531", dup314); - -var msg33419 = msg("31532", dup314); - -var msg33420 = msg("31533", dup325); - -var msg33421 = msg("31534", dup309); - -var msg33422 = msg("31535", dup309); - -var msg33423 = msg("31536", dup309); - -var msg33424 = msg("31537", dup309); - -var msg33425 = msg("31538", dup314); - -var msg33426 = msg("31539", dup314); - -var msg33427 = msg("31540", dup309); - -var msg33428 = msg("31541", dup309); - -var msg33429 = msg("31542", dup307); - -var msg33430 = msg("31543", dup325); - -var msg33431 = msg("31544", dup321); - -var msg33432 = msg("31545", dup321); - -var msg33433 = msg("31546", dup307); - -var msg33434 = msg("31547", dup321); - -var msg33435 = msg("31548", dup321); - -var msg33436 = msg("31549", dup314); - -var msg33437 = msg("31550", dup314); - -var msg33438 = msg("31551", dup314); - -var msg33439 = msg("31552", dup314); - -var msg33440 = msg("31553", dup314); - -var msg33441 = msg("31554", dup314); - -var msg33442 = msg("31555", dup311); - -var msg33443 = msg("31556", dup310); - -var msg33444 = msg("31557", dup325); - -var msg33445 = msg("31558", dup321); - -var msg33446 = msg("31559", dup321); - -var msg33447 = msg("31560", dup314); - -var msg33448 = msg("31561", dup314); - -var msg33449 = msg("31562", dup309); - -var msg33450 = msg("31563", dup321); - -var msg33451 = msg("31564", dup333); - -var msg33452 = msg("31565", dup314); - -var msg33453 = msg("31566", dup314); - -var msg33454 = msg("31567", dup316); - -var msg33455 = msg("31568", dup314); - -var msg33456 = msg("31569", dup311); - -var msg33457 = 
msg("31570", dup322); - -var msg33458 = msg("31571", dup309); - -var msg33459 = msg("31572", dup309); - -var msg33460 = msg("31573", dup309); - -var msg33461 = msg("31574", dup309); - -var msg33462 = msg("31575", dup309); - -var msg33463 = msg("31576", dup309); - -var msg33464 = msg("31577", dup315); - -var msg33465 = msg("31578", dup315); - -var msg33466 = msg("31579", dup309); - -var msg33467 = msg("31580", dup311); - -var msg33468 = msg("31581", dup311); - -var msg33469 = msg("31582", dup311); - -var msg33470 = msg("31583", dup311); - -var msg33471 = msg("31584", dup323); - -var msg33472 = msg("31585", dup323); - -var msg33473 = msg("31586", dup321); - -var msg33474 = msg("31587", dup314); - -var msg33475 = msg("31588", dup307); - -var msg33476 = msg("31589", dup309); - -var msg33477 = msg("31590", dup309); - -var msg33478 = msg("31591", dup309); - -var msg33479 = msg("31592", dup309); - -var msg33480 = msg("31593", dup321); - -var msg33481 = msg("31594", dup314); - -var msg33482 = msg("31595", dup314); - -var msg33483 = msg("31596", dup314); - -var msg33484 = msg("31597", dup314); - -var msg33485 = msg("31598", dup314); - -var msg33486 = msg("31599", dup314); - -var all61 = all_match({ - processors: [ - dup66, - dup179, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup100, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var msg33487 = msg("31600", all61); - -var msg33488 = msg("31601", dup321); - -var msg33489 = msg("31602", dup321); - -var msg33490 = msg("31603", dup321); - -var msg33491 = msg("31604", dup321); - -var msg33492 = msg("31605", dup321); - -var msg33493 = msg("31606", dup321); - -var msg33494 = msg("31607", dup321); - -var msg33495 = msg("31608", dup311); - -var msg33496 = msg("31609", dup311); - -var msg33497 = msg("31610", dup311); - -var msg33498 = msg("31611", dup311); - -var msg33499 = msg("31612", dup324); - -var msg33500 = 
msg("31613", dup324); - -var msg33501 = msg("31614", dup314); - -var msg33502 = msg("31615", dup324); - -var msg33503 = msg("31616", dup324); - -var msg33504 = msg("31617", dup325); - -var msg33505 = msg("31618", dup325); - -var msg33506 = msg("31619", dup325); - -var msg33507 = msg("31620", dup325); - -var msg33508 = msg("31621", dup325); - -var msg33509 = msg("31622", dup325); - -var msg33510 = msg("31623", dup325); - -var msg33511 = msg("31624", dup325); - -var msg33512 = msg("31625", dup325); - -var msg33513 = msg("31626", dup325); - -var msg33514 = msg("31627", dup325); - -var msg33515 = msg("31628", dup325); - -var msg33516 = msg("31629", dup325); - -var msg33517 = msg("31630", dup325); - -var msg33518 = msg("31631", dup321); - -var msg33519 = msg("31632", dup321); - -var msg33520 = msg("31633", dup321); - -var msg33521 = msg("31634", dup309); - -var msg33522 = msg("31635", dup309); - -var msg33523 = msg("31636", dup322); - -var msg33524 = msg("31637", dup323); - -var msg33525 = msg("31638", dup314); - -var msg33526 = msg("31639", dup321); - -var msg33527 = msg("31640", dup321); - -var msg33528 = msg("31641", dup321); - -var msg33529 = msg("31642", dup321); - -var msg33530 = msg("31643", dup321); - -var msg33531 = msg("31644", dup321); - -var msg33532 = msg("31645", dup325); - -var msg33533 = msg("31646", dup325); - -var msg33534 = msg("31647", dup316); - -var msg33535 = msg("31648", dup316); - -var msg33536 = msg("31649", dup321); - -var msg33537 = msg("31650", dup311); - -var msg33538 = msg("31651", dup316); - -var msg33539 = msg("31652", dup316); - -var msg33540 = msg("31653", dup321); - -var msg33541 = msg("31654", dup321); - -var msg33542 = msg("31655", dup321); - -var msg33543 = msg("31656", dup321); - -var msg33544 = msg("31657", dup321); - -var msg33545 = msg("31658", dup321); - -var msg33546 = msg("31659", dup321); - -var msg33547 = msg("31660", dup321); - -var msg33548 = msg("31661", dup321); - -var msg33549 = msg("31662", dup321); - -var msg33550 = 
msg("31663", dup321); - -var msg33551 = msg("31664", dup328); - -var msg33552 = msg("31665", dup328); - -var msg33553 = msg("31666", dup328); - -var msg33554 = msg("31667", dup328); - -var msg33555 = msg("31668", dup311); - -var msg33556 = msg("31669", dup321); - -var msg33557 = msg("31670", dup309); - -var msg33558 = msg("31671", dup309); - -var msg33559 = msg("31672", dup324); - -var msg33560 = msg("31673", dup311); - -var msg33561 = msg("31674", dup311); - -var msg33562 = msg("31675", dup311); - -var msg33563 = msg("31676", dup311); - -var msg33564 = msg("31677", dup311); - -var msg33565 = msg("31678", dup314); - -var msg33566 = msg("31679", dup314); - -var msg33567 = msg("31680", dup321); - -var msg33568 = msg("31681", dup321); - -var msg33569 = msg("31682", dup321); - -var msg33570 = msg("31683", dup321); - -var msg33571 = msg("31684", dup314); - -var msg33572 = msg("31685", dup314); - -var msg33573 = msg("31686", dup309); - -var msg33574 = msg("31687", dup309); - -var msg33575 = msg("31688", dup325); - -var msg33576 = msg("31689", dup321); - -var msg33577 = msg("31690", dup333); - -var msg33578 = msg("31691", dup321); - -var msg33579 = msg("31692", dup311); - -var msg33580 = msg("31693", dup321); - -var msg33581 = msg("31694", dup311); - -var msg33582 = msg("31695", dup311); - -var msg33583 = msg("31696", dup314); - -var msg33584 = msg("31697", dup314); - -var msg33585 = msg("31698", dup314); - -var msg33586 = msg("31699", dup311); - -var msg33587 = msg("31700", dup311); - -var msg33588 = msg("31701", dup311); - -var msg33589 = msg("31702", dup314); - -var msg33590 = msg("31703", dup314); - -var msg33591 = msg("31704", dup311); - -var msg33592 = msg("31705", dup329); - -var msg33593 = msg("31706", dup321); - -var msg33594 = msg("31707", dup314); - -var msg33595 = msg("31708", dup314); - -var msg33596 = msg("31709", dup314); - -var msg33597 = msg("31710", dup321); - -var msg33598 = msg("31711", dup333); - -var msg33599 = msg("31712", dup321); - -var msg33600 = 
msg("31713", dup321); - -var msg33601 = msg("31714", dup321); - -var msg33602 = msg("31715", dup321); - -var msg33603 = msg("31716", dup321); - -var msg33604 = msg("31717", dup321); - -var msg33605 = msg("31718", dup321); - -var msg33606 = msg("31719", dup307); - -var msg33607 = msg("31720", dup321); - -var msg33608 = msg("31721", dup321); - -var msg33609 = msg("31722", dup321); - -var msg33610 = msg("31723", dup314); - -var msg33611 = msg("31724", dup314); - -var msg33612 = msg("31725", dup314); - -var msg33613 = msg("31726", dup314); - -var msg33614 = msg("31727", dup314); - -var msg33615 = msg("31728", dup322); - -var msg33616 = msg("31729", dup322); - -var msg33617 = msg("31730", dup322); - -var msg33618 = msg("31731", dup322); - -var msg33619 = msg("31732", dup314); - -var msg33620 = msg("31733", dup314); - -var msg33621 = msg("31734", dup311); - -var msg33622 = msg("31735", dup325); - -var msg33623 = msg("31736", dup325); - -var msg33624 = msg("31737", dup321); - -var msg33625 = msg("31738", dup329); - -var msg33626 = msg("31739", dup314); - -var msg33627 = msg("31740", dup314); - -var msg33628 = msg("31741", dup316); - -var msg33629 = msg("31742", dup333); - -var msg33630 = msg("31743", dup311); - -var msg33631 = msg("31744", dup321); - -var msg33632 = msg("31745", dup316); - -var msg33633 = msg("31746", dup321); - -var msg33634 = msg("31747", dup316); - -var msg33635 = msg("31748", dup321); - -var msg33636 = msg("31749", dup323); - -var msg33637 = msg("31750", dup323); - -var msg33638 = msg("31751", dup309); - -var msg33639 = msg("31752", dup309); - -var msg33640 = msg("31753", dup321); - -var msg33641 = msg("31754", dup321); - -var msg33642 = msg("31755", dup321); - -var msg33643 = msg("31756", dup314); - -var msg33644 = msg("31757", dup314); - -var msg33645 = msg("31758", dup314); - -var msg33646 = msg("31759", dup314); - -var msg33647 = msg("31760", dup325); - -var msg33648 = msg("31761", dup325); - -var msg33649 = msg("31762", dup325); - -var msg33650 = 
msg("31763", dup325); - -var msg33651 = msg("31764", dup324); - -var msg33652 = msg("31765", dup324); - -var msg33653 = msg("31766", dup314); - -var msg33654 = msg("31767", dup311); - -var msg33655 = msg("31768", dup321); - -var msg33656 = msg("31769", dup311); - -var msg33657 = msg("31770", dup311); - -var msg33658 = msg("31771", dup314); - -var msg33659 = msg("31772", dup321); - -var msg33660 = msg("31773", dup314); - -var msg33661 = msg("31774", dup314); - -var msg33662 = msg("31775", dup314); - -var msg33663 = msg("31776", dup314); - -var msg33664 = msg("31777", dup309); - -var msg33665 = msg("31778", dup309); - -var msg33666 = msg("31779", dup309); - -var msg33667 = msg("31780", dup309); - -var msg33668 = msg("31781", dup321); - -var msg33669 = msg("31782", dup325); - -var msg33670 = msg("31783", dup325); - -var msg33671 = msg("31784", dup325); - -var msg33672 = msg("31785", dup325); - -var msg33673 = msg("31786", dup325); - -var msg33674 = msg("31787", dup325); - -var msg33675 = msg("31788", dup325); - -var msg33676 = msg("31789", dup325); - -var msg33677 = msg("31790", dup325); - -var msg33678 = msg("31791", dup325); - -var msg33679 = msg("31792", dup325); - -var msg33680 = msg("31793", dup325); - -var msg33681 = msg("31794", dup325); - -var msg33682 = msg("31795", dup325); - -var msg33683 = msg("31796", dup325); - -var msg33684 = msg("31797", dup325); - -var msg33685 = msg("31798", dup314); - -var msg33686 = msg("31799", dup311); - -var msg33687 = msg("31800", dup311); - -var msg33688 = msg("31801", dup325); - -var msg33689 = msg("31802", dup325); - -var msg33690 = msg("31803", dup321); - -var msg33691 = msg("31804", dup321); - -var msg33692 = msg("31805", dup321); - -var msg33693 = msg("31806", dup321); - -var msg33694 = msg("31807", dup321); - -var msg33695 = msg("31808", dup323); - -var msg33696 = msg("31809", dup309); - -var msg33697 = msg("31810", dup309); - -var msg33698 = msg("31811", dup325); - -var msg33699 = msg("31812", dup325); - -var msg33700 = 
msg("31813", dup325); - -var msg33701 = msg("31814", dup321); - -var msg33702 = msg("31815", dup321); - -var msg33703 = msg("31816", dup321); - -var msg33704 = msg("31817", dup321); - -var msg33705 = msg("31818", dup314); - -var msg33706 = msg("31819", dup314); - -var msg33707 = msg("31820", dup321); - -var msg33708 = msg("31821", dup307); - -var msg33709 = msg("31822", dup307); - -var msg33710 = msg("31823", dup316); - -var msg33711 = msg("31824", dup321); - -var msg33712 = msg("31825", dup321); - -var msg33713 = msg("31826", dup310); - -var msg33714 = msg("31827", dup321); - -var msg33715 = msg("31828", dup321); - -var msg33716 = msg("31829", dup321); - -var msg33717 = msg("31830", dup333); - -var msg33718 = msg("31831", dup333); - -var msg33719 = msg("31832", dup321); - -var msg33720 = msg("31833", dup321); - -var msg33721 = msg("31834", dup321); - -var msg33722 = msg("31835", dup321); - -var msg33723 = msg("31836", dup321); - -var msg33724 = msg("31837", dup321); - -var msg33725 = msg("31838", dup314); - -var msg33726 = msg("31839", dup314); - -var msg33727 = msg("31840", dup314); - -var msg33728 = msg("31841", dup314); - -var msg33729 = msg("31842", dup314); - -var msg33730 = msg("31843", dup309); - -var msg33731 = msg("31844", dup309); - -var msg33732 = msg("31845", dup309); - -var msg33733 = msg("31846", dup332); - -var msg33734 = msg("31847", dup309); - -var msg33735 = msg("31848", dup309); - -var msg33736 = msg("31849", dup309); - -var msg33737 = msg("31850", dup309); - -var msg33738 = msg("31851", dup315); - -var msg33739 = msg("31852", dup315); - -var msg33740 = msg("31853", dup315); - -var msg33741 = msg("31854", dup315); - -var msg33742 = msg("31855", dup315); - -var msg33743 = msg("31856", dup315); - -var msg33744 = msg("31857", dup311); - -var msg33745 = msg("31858", dup311); - -var msg33746 = msg("31859", dup311); - -var msg33747 = msg("31860", dup311); - -var msg33748 = msg("31861", dup314); - -var msg33749 = msg("31862", dup314); - -var msg33750 = 
msg("31863", dup321); - -var msg33751 = msg("31864", dup321); - -var msg33752 = msg("31865", dup314); - -var msg33753 = msg("31866", dup314); - -var msg33754 = msg("31867", dup314); - -var msg33755 = msg("31868", dup314); - -var msg33756 = msg("31869", dup314); - -var msg33757 = msg("31870", dup314); - -var msg33758 = msg("31871", dup314); - -var msg33759 = msg("31872", dup321); - -var msg33760 = msg("31873", dup314); - -var msg33761 = msg("31874", dup314); - -var msg33762 = msg("31875", dup309); - -var msg33763 = msg("31876", dup309); - -var msg33764 = msg("31877", dup311); - -var msg33765 = msg("31878", dup311); - -var msg33766 = msg("31879", dup311); - -var msg33767 = msg("31880", dup311); - -var msg33768 = msg("31881", dup311); - -var msg33769 = msg("31882", dup311); - -var msg33770 = msg("31883", dup321); - -var msg33771 = msg("31884", dup321); - -var msg33772 = msg("31885", dup321); - -var msg33773 = msg("31886", dup311); - -var msg33774 = msg("31887", dup311); - -var msg33775 = msg("31888", dup311); - -var msg33776 = msg("31889", dup316); - -var msg33777 = msg("31890", dup316); - -var msg33778 = msg("31891", dup311); - -var msg33779 = msg("31892", dup311); - -var msg33780 = msg("31893", dup321); - -var msg33781 = msg("31894", dup321); - -var msg33782 = msg("31895", dup321); - -var msg33783 = msg("31896", dup321); - -var msg33784 = msg("31897", dup321); - -var msg33785 = msg("31898", dup311); - -var msg33786 = msg("31899", dup316); - -var msg33787 = msg("31900", dup316); - -var msg33788 = msg("31901", dup316); - -var msg33789 = msg("31902", dup307); - -var msg33790 = msg("31903", dup307); - -var msg33791 = msg("31904", dup321); - -var msg33792 = msg("31905", dup314); - -var msg33793 = msg("31906", dup314); - -var msg33794 = msg("31907", dup321); - -var msg33795 = msg("31908", dup321); - -var msg33796 = msg("31909", dup321); - -var msg33797 = msg("31910", dup321); - -var msg33798 = msg("31911", dup321); - -var msg33799 = msg("31912", dup311); - -var msg33800 = 
msg("31913", dup321); - -var msg33801 = msg("31914", dup311); - -var msg33802 = msg("31915", dup321); - -var msg33803 = msg("31916", dup321); - -var msg33804 = msg("31917", dup321); - -var msg33805 = msg("31918", dup321); - -var msg33806 = msg("31919", dup321); - -var msg33807 = msg("31920", dup321); - -var msg33808 = msg("31921", dup321); - -var msg33809 = msg("31922", dup321); - -var msg33810 = msg("31923", dup310); - -var msg33811 = msg("31924", dup321); - -var msg33812 = msg("31925", dup321); - -var msg33813 = msg("31926", dup309); - -var msg33814 = msg("31927", dup309); - -var msg33815 = msg("31928", dup321); - -var msg33816 = msg("31929", dup321); - -var msg33817 = msg("31930", dup321); - -var msg33818 = msg("31931", dup321); - -var msg33819 = msg("31932", dup321); - -var msg33820 = msg("31933", dup321); - -var msg33821 = msg("31934", dup321); - -var msg33822 = msg("31935", dup321); - -var msg33823 = msg("31936", dup321); - -var msg33824 = msg("31937", dup321); - -var msg33825 = msg("31938", dup321); - -var msg33826 = msg("31939", dup314); - -var msg33827 = msg("31940", dup314); - -var msg33828 = msg("31941", dup321); - -var msg33829 = msg("31942", dup314); - -var msg33830 = msg("31943", dup314); - -var msg33831 = msg("31944", dup321); - -var msg33832 = msg("31945", dup316); - -var msg33833 = msg("31946", dup311); - -var msg33834 = msg("31947", dup325); - -var msg33835 = msg("31948", dup325); - -var msg33836 = msg("31949", dup325); - -var msg33837 = msg("31950", dup321); - -var msg33838 = msg("31951", dup321); - -var msg33839 = msg("31952", dup321); - -var msg33840 = msg("31953", dup321); - -var msg33841 = msg("31954", dup321); - -var msg33842 = msg("31955", dup321); - -var msg33843 = msg("31956", dup316); - -var msg33844 = msg("31957", dup321); - -var msg33845 = msg("31958", dup321); - -var msg33846 = msg("31959", dup321); - -var msg33847 = msg("31960", dup325); - -var msg33848 = msg("31961", dup321); - -var msg33849 = msg("31962", dup321); - -var msg33850 = 
msg("31963", dup321); - -var msg33851 = msg("31964", dup321); - -var msg33852 = msg("31965", dup311); - -var msg33853 = msg("31966", dup311); - -var msg33854 = msg("31967", dup311); - -var msg33855 = msg("31968", dup311); - -var msg33856 = msg("31969", dup311); - -var msg33857 = msg("31970", dup311); - -var msg33858 = msg("31971", dup307); - -var msg33859 = msg("31972", dup311); - -var msg33860 = msg("31973", dup321); - -var msg33861 = msg("31974", dup321); - -var msg33862 = msg("31975", dup311); - -var msg33863 = msg("31976", dup311); - -var msg33864 = msg("31977", dup337); - -var msg33865 = msg("31978", dup337); - -var msg33866 = msg("31979", dup323); - -var msg33867 = msg("31980", dup324); - -var msg33868 = msg("31981", dup324); - -var msg33869 = msg("31982", dup329); - -var msg33870 = msg("31983", dup309); - -var msg33871 = msg("31984", dup324); - -var msg33872 = msg("31985", dup311); - -var msg33873 = msg("31986", dup309); - -var msg33874 = msg("31987", dup309); - -var msg33875 = msg("31988", dup311); - -var msg33876 = msg("31989", dup321); - -var msg33877 = msg("31990", dup325); - -var msg33878 = msg("31991", dup325); - -var msg33879 = msg("31992", dup200); - -var msg33880 = msg("31993", dup200); - -var msg33881 = msg("31994", dup200); - -var msg33882 = msg("31995", dup200); - -var msg33883 = msg("31996", dup200); - -var msg33884 = msg("31997", dup200); - -var msg33885 = msg("31998", dup200); - -var msg33886 = msg("31999", dup200); - -var msg33887 = msg("32000", dup200); - -var msg33888 = msg("32001", dup200); - -var msg33889 = msg("32002", dup321); - -var msg33890 = msg("32003", dup324); - -var msg33891 = msg("32004", dup324); - -var msg33892 = msg("32005", dup321); - -var msg33893 = msg("32006", dup321); - -var msg33894 = msg("32007", dup332); - -var msg33895 = msg("32008", dup311); - -var msg33896 = msg("32009", dup309); - -var msg33897 = msg("32010", dup309); - -var msg33898 = msg("32011", dup309); - -var msg33899 = msg("32012", dup323); - -var msg33900 = 
msg("32013", dup321); - -var msg33901 = msg("32014", dup311); - -var msg33902 = msg("32015", dup321); - -var msg33903 = msg("32016", dup321); - -var msg33904 = msg("32017", dup321); - -var msg33905 = msg("32018", dup321); - -var msg33906 = msg("32019", dup325); - -var msg33907 = msg("32020", dup321); - -var msg33908 = msg("32021", dup309); - -var msg33909 = msg("32022", dup309); - -var msg33910 = msg("32023", dup321); - -var msg33911 = msg("32024", dup314); - -var msg33912 = msg("32025", dup314); - -var msg33913 = msg("32026", dup314); - -var msg33914 = msg("32027", dup314); - -var msg33915 = msg("32028", dup321); - -var msg33916 = msg("32029", dup314); - -var msg33917 = msg("32030", dup325); - -var msg33918 = msg("32031", dup321); - -var msg33919 = msg("32032", dup321); - -var msg33920 = msg("32033", dup321); - -var msg33921 = msg("32034", dup321); - -var msg33922 = msg("32035", dup321); - -var msg33923 = msg("32036", dup321); - -var msg33924 = msg("32037", dup321); - -var msg33925 = msg("32038", dup311); - -var msg33926 = msg("32039", dup311); - -var msg33927 = msg("32040", dup321); - -var msg33928 = msg("32041", dup311); - -var msg33929 = msg("32042", dup311); - -var msg33930 = msg("32043", dup311); - -var msg33931 = msg("32044", dup314); - -var msg33932 = msg("32045", dup324); - -var msg33933 = msg("32046", dup324); - -var msg33934 = msg("32047", dup324); - -var msg33935 = msg("32048", dup321); - -var msg33936 = msg("32049", dup324); - -var msg33937 = msg("32050", dup321); - -var msg33938 = msg("32051", dup321); - -var msg33939 = msg("32052", dup314); - -var msg33940 = msg("32053", dup321); - -var msg33941 = msg("32054", dup321); - -var msg33942 = msg("32055", dup321); - -var msg33943 = msg("32056", dup314); - -var msg33944 = msg("32057", dup323); - -var msg33945 = msg("32058", dup321); - -var msg33946 = msg("32059", dup309); - -var msg33947 = msg("32060", dup325); - -var msg33948 = msg("32061", dup321); - -var msg33949 = msg("32062", dup309); - -var msg33950 = 
msg("32063", dup309); - -var msg33951 = msg("32064", dup309); - -var msg33952 = msg("32065", dup321); - -var msg33953 = msg("32066", dup321); - -var msg33954 = msg("32067", dup321); - -var msg33955 = msg("32068", dup314); - -var msg33956 = msg("32069", dup311); - -var msg33957 = msg("32070", dup321); - -var msg33958 = msg("32071", dup321); - -var msg33959 = msg("32072", dup321); - -var msg33960 = msg("32073", dup321); - -var msg33961 = msg("32074", dup321); - -var msg33962 = msg("32075", dup321); - -var msg33963 = msg("32076", dup314); - -var msg33964 = msg("32077", dup314); - -var msg33965 = msg("32078", dup321); - -var msg33966 = msg("32079", dup321); - -var msg33967 = msg("32080", dup321); - -var msg33968 = msg("32081", dup321); - -var msg33969 = msg("32082", dup309); - -var msg33970 = msg("32083", dup309); - -var msg33971 = msg("32084", dup309); - -var msg33972 = msg("32085", dup309); - -var msg33973 = msg("32086", dup321); - -var msg33974 = msg("32087", dup309); - -var msg33975 = msg("32088", dup309); - -var msg33976 = msg("32089", dup309); - -var msg33977 = msg("32090", dup321); - -var msg33978 = msg("32091", dup321); - -var msg33979 = msg("32092", dup325); - -var msg33980 = msg("32093", dup321); - -var msg33981 = msg("32094", dup309); - -var msg33982 = msg("32095", dup309); - -var msg33983 = msg("32096", dup321); - -var msg33984 = msg("32097", dup309); - -var msg33985 = msg("32098", dup309); - -var msg33986 = msg("32099", dup309); - -var msg33987 = msg("32100", dup309); - -var msg33988 = msg("32101", dup311); - -var msg33989 = msg("32102", dup311); - -var msg33990 = msg("32103", dup311); - -var msg33991 = msg("32104", dup311); - -var msg33992 = msg("32105", dup311); - -var msg33993 = msg("32106", dup316); - -var msg33994 = msg("32107", dup314); - -var msg33995 = msg("32108", dup314); - -var msg33996 = msg("32109", dup309); - -var msg33997 = msg("32110", dup324); - -var msg33998 = msg("32111", dup324); - -var msg33999 = msg("32112", dup324); - -var msg34000 = 
msg("32113", dup324); - -var msg34001 = msg("32114", dup308); - -var msg34002 = msg("32115", dup328); - -var msg34003 = msg("32116", dup328); - -var msg34004 = msg("32117", dup321); - -var msg34005 = msg("32118", dup321); - -var msg34006 = msg("32119", dup321); - -var msg34007 = msg("32120", dup321); - -var msg34008 = msg("32121", dup321); - -var msg34009 = msg("32122", dup309); - -var msg34010 = msg("32123", dup321); - -var msg34011 = msg("32124", dup200); - -var msg34012 = msg("32125", dup325); - -var msg34013 = msg("32126", dup321); - -var msg34014 = msg("32127", dup316); - -var msg34015 = msg("32128", dup316); - -var msg34016 = msg("32129", dup321); - -var msg34017 = msg("32130", dup321); - -var msg34018 = msg("32131", dup309); - -var msg34019 = msg("32132", dup309); - -var msg34020 = msg("32133", dup309); - -var msg34021 = msg("32134", dup314); - -var msg34022 = msg("32135", dup314); - -var msg34023 = msg("32136", dup307); - -var msg34024 = msg("32137", dup325); - -var msg34025 = msg("32138", dup325); - -var msg34026 = msg("32139", dup325); - -var msg34027 = msg("32140", dup325); - -var msg34028 = msg("32141", dup311); - -var msg34029 = msg("32142", dup311); - -var msg34030 = msg("32143", dup311); - -var msg34031 = msg("32144", dup311); - -var msg34032 = msg("32145", dup311); - -var msg34033 = msg("32146", dup311); - -var msg34034 = msg("32147", dup309); - -var msg34035 = msg("32148", dup309); - -var msg34036 = msg("32149", dup311); - -var msg34037 = msg("32150", dup311); - -var msg34038 = msg("32151", dup311); - -var msg34039 = msg("32152", dup311); - -var msg34040 = msg("32153", dup325); - -var msg34041 = msg("32154", dup325); - -var msg34042 = msg("32155", dup325); - -var msg34043 = msg("32156", dup325); - -var msg34044 = msg("32157", dup325); - -var msg34045 = msg("32158", dup325); - -var msg34046 = msg("32159", dup325); - -var msg34047 = msg("32160", dup325); - -var msg34048 = msg("32161", dup323); - -var msg34049 = msg("32162", dup323); - -var msg34050 = 
msg("32163", dup314); - -var msg34051 = msg("32164", dup314); - -var msg34052 = msg("32165", dup314); - -var msg34053 = msg("32166", dup311); - -var msg34054 = msg("32167", dup311); - -var msg34055 = msg("32168", dup325); - -var msg34056 = msg("32169", dup325); - -var msg34057 = msg("32170", dup309); - -var msg34058 = msg("32171", dup309); - -var msg34059 = msg("32172", dup321); - -var msg34060 = msg("32173", dup321); - -var msg34061 = msg("32174", dup321); - -var msg34062 = msg("32175", dup321); - -var msg34063 = msg("32176", dup321); - -var msg34064 = msg("32177", dup321); - -var msg34065 = msg("32178", dup321); - -var msg34066 = msg("32179", dup321); - -var msg34067 = msg("32180", dup321); - -var msg34068 = msg("32181", dup321); - -var msg34069 = msg("32182", dup311); - -var msg34070 = msg("32183", dup311); - -var msg34071 = msg("32184", dup311); - -var msg34072 = msg("32185", dup311); - -var msg34073 = msg("32186", dup314); - -var msg34074 = msg("32187", dup314); - -var msg34075 = msg("32188", dup321); - -var msg34076 = msg("32189", dup321); - -var msg34077 = msg("32190", dup311); - -var msg34078 = msg("32191", dup311); - -var msg34079 = msg("32192", dup321); - -var msg34080 = msg("32193", dup321); - -var msg34081 = msg("32194", dup321); - -var msg34082 = msg("32195", dup321); - -var msg34083 = msg("32196", dup321); - -var msg34084 = msg("32197", dup321); - -var msg34085 = msg("32198", dup321); - -var msg34086 = msg("32199", dup314); - -var msg34087 = msg("32200", dup321); - -var msg34088 = msg("32201", dup321); - -var msg34089 = msg("32202", dup321); - -var msg34090 = msg("32203", dup316); - -var msg34091 = msg("32204", dup314); - -var msg34092 = msg("32205", dup314); - -var msg34093 = msg("32206", dup309); - -var msg34094 = msg("32207", dup309); - -var msg34095 = msg("32208", dup309); - -var msg34096 = msg("32209", dup309); - -var msg34097 = msg("32210", dup309); - -var msg34098 = msg("32211", dup309); - -var msg34099 = msg("32212", dup309); - -var msg34100 = 
msg("32213", dup309); - -var msg34101 = msg("32214", dup309); - -var msg34102 = msg("32215", dup309); - -var msg34103 = msg("32216", dup309); - -var msg34104 = msg("32217", dup307); - -var msg34105 = msg("32218", dup307); - -var msg34106 = msg("32219", dup321); - -var msg34107 = msg("32220", dup321); - -var msg34108 = msg("32221", dup321); - -var msg34109 = msg("32222", dup321); - -var msg34110 = msg("32223", dup309); - -var msg34111 = msg("32224", dup309); - -var msg34112 = msg("32225", dup321); - -var msg34113 = msg("32226", dup309); - -var msg34114 = msg("32227", dup309); - -var msg34115 = msg("32228", dup309); - -var msg34116 = msg("32229", dup309); - -var msg34117 = msg("32230", dup311); - -var msg34118 = msg("32231", dup311); - -var msg34119 = msg("32232", dup311); - -var msg34120 = msg("32233", dup311); - -var msg34121 = msg("32234", dup311); - -var msg34122 = msg("32235", dup311); - -var msg34123 = msg("32236", dup311); - -var msg34124 = msg("32237", dup311); - -var msg34125 = msg("32238", dup311); - -var msg34126 = msg("32239", dup311); - -var msg34127 = msg("32240", dup314); - -var msg34128 = msg("32241", dup321); - -var msg34129 = msg("32242", dup321); - -var msg34130 = msg("32243", dup321); - -var msg34131 = msg("32244", dup323); - -var msg34132 = msg("32245", dup307); - -var msg34133 = msg("32246", dup307); - -var msg34134 = msg("32247", dup311); - -var msg34135 = msg("32248", dup321); - -var msg34136 = msg("32249", dup321); - -var msg34137 = msg("32250", dup321); - -var msg34138 = msg("32251", dup314); - -var msg34139 = msg("32252", dup314); - -var msg34140 = msg("32253", dup314); - -var msg34141 = msg("32254", dup314); - -var msg34142 = msg("32255", dup314); - -var msg34143 = msg("32256", dup314); - -var msg34144 = msg("32257", dup314); - -var msg34145 = msg("32258", dup314); - -var msg34146 = msg("32259", dup321); - -var msg34147 = msg("32260", dup321); - -var msg34148 = msg("32261", dup316); - -var msg34149 = msg("32262", dup325); - -var msg34150 = 
msg("32263", dup325); - -var msg34151 = msg("32264", dup314); - -var msg34152 = msg("32265", dup314); - -var msg34153 = msg("32266", dup325); - -var msg34154 = msg("32267", dup325); - -var msg34155 = msg("32268", dup316); - -var msg34156 = msg("32269", dup316); - -var msg34157 = msg("32270", dup321); - -var msg34158 = msg("32271", dup321); - -var msg34159 = msg("32272", dup321); - -var msg34160 = msg("32273", dup321); - -var msg34161 = msg("32274", dup314); - -var msg34162 = msg("32275", dup314); - -var msg34163 = msg("32276", dup311); - -var msg34164 = msg("32277", dup314); - -var msg34165 = msg("32278", dup321); - -var msg34166 = msg("32279", dup321); - -var msg34167 = msg("32280", dup321); - -var msg34168 = msg("32281", dup321); - -var msg34169 = msg("32282", dup321); - -var msg34170 = msg("32283", dup321); - -var msg34171 = msg("32284", dup321); - -var msg34172 = msg("32285", dup321); - -var msg34173 = msg("32286", dup321); - -var msg34174 = msg("32287", dup321); - -var msg34175 = msg("32288", dup321); - -var msg34176 = msg("32289", dup321); - -var msg34177 = msg("32290", dup321); - -var msg34178 = msg("32291", dup321); - -var msg34179 = msg("32292", dup321); - -var msg34180 = msg("32293", dup321); - -var msg34181 = msg("32294", dup325); - -var msg34182 = msg("32295", dup325); - -var msg34183 = msg("32296", dup325); - -var msg34184 = msg("32297", dup321); - -var msg34185 = msg("32298", dup321); - -var msg34186 = msg("32299", dup321); - -var msg34187 = msg("32300", dup321); - -var msg34188 = msg("32301", dup324); - -var msg34189 = msg("32302", dup324); - -var msg34190 = msg("32303", dup324); - -var msg34191 = msg("32304", dup324); - -var msg34192 = msg("32305", dup324); - -var msg34193 = msg("32306", dup324); - -var msg34194 = msg("32307", dup324); - -var msg34195 = msg("32308", dup324); - -var msg34196 = msg("32309", dup333); - -var msg34197 = msg("32310", dup321); - -var msg34198 = msg("32311", dup321); - -var msg34199 = msg("32312", dup321); - -var msg34200 = 
msg("32313", dup314); - -var msg34201 = msg("32314", dup314); - -var msg34202 = msg("32315", dup314); - -var msg34203 = msg("32316", dup314); - -var msg34204 = msg("32319", dup314); - -var msg34205 = msg("32320", dup314); - -var msg34206 = msg("32334", dup321); - -var msg34207 = msg("32335", dup311); - -var msg34208 = msg("32336", dup311); - -var msg34209 = msg("32337", dup311); - -var msg34210 = msg("32338", dup321); - -var msg34211 = msg("32342", dup316); - -var msg34212 = msg("32343", dup321); - -var msg34213 = msg("32344", dup321); - -var msg34214 = msg("32345", dup314); - -var msg34215 = msg("32346", dup314); - -var msg34216 = msg("32347", dup314); - -var msg34217 = msg("32348", dup314); - -var msg34218 = msg("32349", dup314); - -var msg34219 = msg("32350", dup323); - -var msg34220 = msg("32351", dup323); - -var msg34221 = msg("32352", dup316); - -var msg34222 = msg("32353", dup322); - -var msg34223 = msg("32354", dup321); - -var msg34224 = msg("32355", dup314); - -var msg34225 = msg("32356", dup308); - -var msg34226 = msg("32357", dup321); - -var msg34227 = msg("32358", dup311); - -var msg34228 = msg("32359", dup314); - -var msg34229 = msg("32360", dup314); - -var msg34230 = msg("32361", dup309); - -var msg34231 = msg("32362", dup325); - -var msg34232 = msg("32363", dup325); - -var msg34233 = msg("32364", dup311); - -var msg34234 = msg("32365", dup311); - -var msg34235 = msg("32366", dup311); - -var msg34236 = msg("32367", dup321); - -var msg34237 = msg("32368", dup321); - -var msg34238 = msg("32369", dup309); - -var msg34239 = msg("32370", dup309); - -var msg34240 = msg("32371", dup309); - -var msg34241 = msg("32372", dup321); - -var msg34242 = msg("32373", dup321); - -var msg34243 = msg("32374", dup321); - -var msg34244 = msg("32375", dup314); - -var msg34245 = msg("32376", dup309); - -var msg34246 = msg("32377", dup309); - -var msg34247 = msg("32378", dup314); - -var msg34248 = msg("32379", dup321); - -var msg34249 = msg("32380", dup314); - -var msg34250 = 
msg("32381", dup309); - -var msg34251 = msg("32382", dup309); - -var msg34252 = msg("32383", dup325); - -var msg34253 = msg("32384", dup325); - -var msg34254 = msg("32385", dup321); - -var msg34255 = msg("32386", dup311); - -var msg34256 = msg("32387", dup311); - -var msg34257 = msg("32388", dup311); - -var msg34258 = msg("32389", dup311); - -var msg34259 = msg("32390", dup311); - -var msg34260 = msg("32391", dup321); - -var msg34261 = msg("32392", dup321); - -var msg34262 = msg("32393", dup321); - -var msg34263 = msg("32394", dup321); - -var msg34264 = msg("32395", dup321); - -var msg34265 = msg("32396", dup321); - -var msg34266 = msg("32397", dup321); - -var msg34267 = msg("32398", dup314); - -var msg34268 = msg("32399", dup311); - -var msg34269 = msg("32400", dup321); - -var msg34270 = msg("32401", dup321); - -var msg34271 = msg("32402", dup325); - -var msg34272 = msg("32403", dup309); - -var msg34273 = msg("32404", dup314); - -var msg34274 = msg("32405", dup314); - -var msg34275 = msg("32406", dup314); - -var msg34276 = msg("32407", dup314); - -var msg34277 = msg("32408", dup314); - -var msg34278 = msg("32409", dup314); - -var msg34279 = msg("32410", dup314); - -var msg34280 = msg("32411", dup314); - -var msg34281 = msg("32412", dup314); - -var msg34282 = msg("32413", dup314); - -var msg34283 = msg("32414", dup309); - -var msg34284 = msg("32415", dup309); - -var msg34285 = msg("32416", dup309); - -var msg34286 = msg("32417", dup309); - -var msg34287 = msg("32418", dup309); - -var msg34288 = msg("32419", dup309); - -var msg34289 = msg("32420", dup309); - -var msg34290 = msg("32421", dup309); - -var msg34291 = msg("32422", dup309); - -var msg34292 = msg("32423", dup314); - -var msg34293 = msg("32424", dup311); - -var msg34294 = msg("32425", dup311); - -var msg34295 = msg("32426", dup325); - -var msg34296 = msg("32427", dup325); - -var msg34297 = msg("32428", dup309); - -var msg34298 = msg("32429", dup309); - -var msg34299 = msg("32430", dup311); - -var msg34300 = 
msg("32431", dup311); - -var msg34301 = msg("32432", dup309); - -var msg34302 = msg("32433", dup309); - -var msg34303 = msg("32434", dup309); - -var msg34304 = msg("32435", dup309); - -var msg34305 = msg("32436", dup325); - -var msg34306 = msg("32437", dup325); - -var msg34307 = msg("32438", dup325); - -var msg34308 = msg("32439", dup325); - -var msg34309 = msg("32440", dup325); - -var msg34310 = msg("32441", dup325); - -var msg34311 = msg("32442", dup325); - -var msg34312 = msg("32443", dup325); - -var msg34313 = msg("32444", dup314); - -var msg34314 = msg("32445", dup314); - -var msg34315 = msg("32446", dup321); - -var msg34316 = msg("32447", dup321); - -var msg34317 = msg("32448", dup321); - -var msg34318 = msg("32449", dup321); - -var msg34319 = msg("32450", dup321); - -var msg34320 = msg("32451", dup321); - -var msg34321 = msg("32452", dup321); - -var msg34322 = msg("32453", dup321); - -var msg34323 = msg("32454", dup321); - -var msg34324 = msg("32455", dup325); - -var msg34325 = msg("32456", dup321); - -var msg34326 = msg("32457", dup321); - -var msg34327 = msg("32458", dup323); - -var msg34328 = msg("32459", dup323); - -var msg34329 = msg("32460", dup311); - -var msg34330 = msg("32461", dup311); - -var msg34331 = msg("32462", dup307); - -var msg34332 = msg("32463", dup321); - -var msg34333 = msg("32464", dup321); - -var msg34334 = msg("32465", dup324); - -var msg34335 = msg("32466", dup324); - -var msg34336 = msg("32467", dup324); - -var msg34337 = msg("32468", dup324); - -var msg34338 = msg("32469", dup321); - -var msg34339 = msg("32470", dup309); - -var msg34340 = msg("32471", dup309); - -var msg34341 = msg("32472", dup309); - -var msg34342 = msg("32473", dup309); - -var msg34343 = msg("32474", dup311); - -var msg34344 = msg("32475", dup311); - -var msg34345 = msg("32476", dup309); - -var msg34346 = msg("32477", dup309); - -var msg34347 = msg("32478", dup325); - -var msg34348 = msg("32479", dup325); - -var msg34349 = msg("32480", dup314); - -var msg34350 = 
msg("32481", dup314); - -var msg34351 = msg("32482", dup325); - -var msg34352 = msg("32483", dup325); - -var msg34353 = msg("32484", dup325); - -var msg34354 = msg("32485", dup325); - -var msg34355 = msg("32486", dup321); - -var msg34356 = msg("32487", dup321); - -var msg34357 = msg("32488", dup325); - -var msg34358 = msg("32489", dup323); - -var msg34359 = msg("32490", dup323); - -var msg34360 = msg("32491", dup325); - -var msg34361 = msg("32492", dup325); - -var msg34362 = msg("32493", dup321); - -var msg34363 = msg("32494", dup321); - -var msg34364 = msg("32495", dup325); - -var msg34365 = msg("32496", dup325); - -var msg34366 = msg("32497", dup325); - -var msg34367 = msg("32498", dup325); - -var msg34368 = msg("32499", dup325); - -var msg34369 = msg("32500", dup325); - -var msg34370 = msg("32501", dup314); - -var msg34371 = msg("32502", dup314); - -var msg34372 = msg("32503", dup325); - -var msg34373 = msg("32504", dup321); - -var msg34374 = msg("32505", dup321); - -var msg34375 = msg("32506", dup321); - -var msg34376 = msg("32507", dup325); - -var msg34377 = msg("32508", dup309); - -var msg34378 = msg("32509", dup309); - -var msg34379 = msg("32510", dup321); - -var msg34380 = msg("32511", dup321); - -var msg34381 = msg("32512", dup321); - -var msg34382 = msg("32513", dup321); - -var msg34383 = msg("32514", dup309); - -var msg34384 = msg("32515", dup309); - -var msg34385 = msg("32516", dup309); - -var msg34386 = msg("32517", dup309); - -var msg34387 = msg("32518", dup311); - -var msg34388 = msg("32519", dup311); - -var msg34389 = msg("32520", dup314); - -var msg34390 = msg("32521", dup321); - -var msg34391 = msg("32522", dup321); - -var msg34392 = msg("32523", dup316); - -var msg34393 = msg("32524", dup316); - -var msg34394 = msg("32525", dup333); - -var msg34395 = msg("32526", dup314); - -var msg34396 = msg("32527", dup314); - -var msg34397 = msg("32528", dup314); - -var msg34398 = msg("32529", dup321); - -var msg34399 = msg("32530", dup309); - -var msg34400 = 
msg("32531", dup321); - -var msg34401 = msg("32532", dup311); - -var msg34402 = msg("32533", dup311); - -var msg34403 = msg("32534", dup324); - -var msg34404 = msg("32535", dup324); - -var msg34405 = msg("32536", dup324); - -var msg34406 = msg("32537", dup324); - -var msg34407 = msg("32538", dup324); - -var msg34408 = msg("32539", dup324); - -var msg34409 = msg("32540", dup324); - -var msg34410 = msg("32541", dup324); - -var msg34411 = msg("32542", dup324); - -var msg34412 = msg("32543", dup324); - -var msg34413 = msg("32544", dup324); - -var msg34414 = msg("32545", dup324); - -var msg34415 = msg("32546", dup307); - -var msg34416 = msg("32547", dup307); - -var msg34417 = msg("32548", dup321); - -var msg34418 = msg("32549", dup321); - -var msg34419 = msg("32550", dup321); - -var msg34420 = msg("32551", dup321); - -var msg34421 = msg("32552", dup324); - -var msg34422 = msg("32553", dup324); - -var msg34423 = msg("32554", dup311); - -var msg34424 = msg("32555", dup311); - -var msg34425 = msg("32556", dup321); - -var msg34426 = msg("32557", dup321); - -var msg34427 = msg("32558", dup311); - -var msg34428 = msg("32559", dup311); - -var msg34429 = msg("32560", dup311); - -var msg34430 = msg("32561", dup311); - -var msg34431 = msg("32562", dup309); - -var msg34432 = msg("32563", dup314); - -var msg34433 = msg("32564", dup309); - -var msg34434 = msg("32565", dup309); - -var msg34435 = msg("32566", dup314); - -var msg34436 = msg("32567", dup309); - -var msg34437 = msg("32568", dup309); - -var msg34438 = msg("32569", dup309); - -var msg34439 = msg("32570", dup309); - -var msg34440 = msg("32571", dup309); - -var msg34441 = msg("32572", dup309); - -var msg34442 = msg("32573", dup309); - -var msg34443 = msg("32574", dup309); - -var msg34444 = msg("32575", dup309); - -var msg34445 = msg("32576", dup309); - -var msg34446 = msg("32577", dup321); - -var msg34447 = msg("32578", dup321); - -var msg34448 = msg("32579", dup314); - -var msg34449 = msg("32580", dup314); - -var msg34450 = 
msg("32581", dup311); - -var msg34451 = msg("32582", dup311); - -var msg34452 = msg("32583", dup321); - -var msg34453 = msg("32584", dup321); - -var msg34454 = msg("32585", dup321); - -var msg34455 = msg("32586", dup321); - -var msg34456 = msg("32587", dup309); - -var msg34457 = msg("32588", dup309); - -var msg34458 = msg("32589", dup309); - -var msg34459 = msg("32590", dup314); - -var msg34460 = msg("32591", dup314); - -var msg34461 = msg("32592", dup314); - -var msg34462 = msg("32593", dup314); - -var msg34463 = msg("32594", dup314); - -var msg34464 = msg("32595", dup314); - -var msg34465 = msg("32596", dup314); - -var msg34466 = msg("32597", dup314); - -var msg34467 = msg("32598", dup323); - -var msg34468 = msg("32599", dup321); - -var msg34469 = msg("32600", dup323); - -var msg34470 = msg("32601", dup309); - -var msg34471 = msg("32602", dup314); - -var msg34472 = msg("32603", dup314); - -var msg34473 = msg("32604", dup321); - -var msg34474 = msg("32605", dup321); - -var msg34475 = msg("32606", dup321); - -var msg34476 = msg("32607", dup310); - -var msg34477 = msg("32608", dup310); - -var msg34478 = msg("32609", dup321); - -var msg34479 = msg("32610", dup321); - -var msg34480 = msg("32611", dup314); - -var msg34481 = msg("32612", dup321); - -var msg34482 = msg("32613", dup321); - -var msg34483 = msg("32614", dup321); - -var msg34484 = msg("32615", dup316); - -var msg34485 = msg("32616", dup314); - -var msg34486 = msg("32617", dup314); - -var msg34487 = msg("32618", dup314); - -var msg34488 = msg("32619", dup309); - -var msg34489 = msg("32620", dup309); - -var msg34490 = msg("32621", dup321); - -var msg34491 = msg("32622", dup321); - -var msg34492 = msg("32623", dup321); - -var msg34493 = msg("32624", dup321); - -var msg34494 = msg("32625", dup309); - -var msg34495 = msg("32626", dup314); - -var msg34496 = msg("32627", dup314); - -var msg34497 = msg("32628", dup309); - -var msg34498 = msg("32629", dup309); - -var msg34499 = msg("32630", dup309); - -var msg34500 = 
msg("32631", dup309); - -var msg34501 = msg("32632", dup314); - -var msg34502 = msg("32633", dup314); - -var msg34503 = msg("32634", dup314); - -var msg34504 = msg("32635", dup314); - -var msg34505 = msg("32636", dup311); - -var msg34506 = msg("32637", dup331); - -var msg34507 = msg("32638", dup311); - -var msg34508 = msg("32639", dup311); - -var msg34509 = msg("32640", dup311); - -var msg34510 = msg("32641", dup311); - -var msg34511 = msg("32642", dup314); - -var msg34512 = msg("32643", dup309); - -var msg34513 = msg("32644", dup309); - -var msg34514 = msg("32645", dup325); - -var msg34515 = msg("32646", dup321); - -var msg34516 = msg("32647", dup328); - -var msg34517 = msg("32648", dup328); - -var msg34518 = msg("32649", dup328); - -var msg34519 = msg("32650", dup328); - -var msg34520 = msg("32651", dup328); - -var msg34521 = msg("32652", dup321); - -var msg34522 = msg("32653", dup321); - -var msg34523 = msg("32654", dup321); - -var msg34524 = msg("32655", dup321); - -var msg34525 = msg("32656", dup321); - -var msg34526 = msg("32657", dup321); - -var msg34527 = msg("32658", dup321); - -var msg34528 = msg("32659", dup321); - -var msg34529 = msg("32660", dup321); - -var msg34530 = msg("32661", dup321); - -var msg34531 = msg("32662", dup321); - -var msg34532 = msg("32663", dup321); - -var msg34533 = msg("32664", dup321); - -var msg34534 = msg("32665", dup321); - -var msg34535 = msg("32666", dup321); - -var msg34536 = msg("32667", dup321); - -var msg34537 = msg("32668", dup314); - -var msg34538 = msg("32669", dup314); - -var msg34539 = msg("32670", dup321); - -var msg34540 = msg("32671", dup309); - -var msg34541 = msg("32672", dup333); - -var msg34542 = msg("32673", dup311); - -var msg34543 = msg("32674", dup321); - -var msg34544 = msg("32675", dup325); - -var msg34545 = msg("32676", dup321); - -var msg34546 = msg("32677", dup321); - -var msg34547 = msg("32678", dup321); - -var msg34548 = msg("32679", dup325); - -var msg34549 = msg("32680", dup325); - -var msg34550 = 
msg("32681", dup311); - -var msg34551 = msg("32682", dup311); - -var msg34552 = msg("32683", dup309); - -var msg34553 = msg("32684", dup309); - -var msg34554 = msg("32685", dup325); - -var msg34555 = msg("32686", dup325); - -var msg34556 = msg("32687", dup309); - -var msg34557 = msg("32688", dup309); - -var msg34558 = msg("32689", dup325); - -var msg34559 = msg("32690", dup325); - -var msg34560 = msg("32691", dup325); - -var msg34561 = msg("32692", dup325); - -var msg34562 = msg("32693", dup309); - -var msg34563 = msg("32694", dup309); - -var msg34564 = msg("32695", dup325); - -var msg34565 = msg("32696", dup325); - -var msg34566 = msg("32697", dup325); - -var msg34567 = msg("32698", dup325); - -var msg34568 = msg("32699", dup325); - -var msg34569 = msg("32700", dup325); - -var msg34570 = msg("32701", dup325); - -var msg34571 = msg("32702", dup325); - -var msg34572 = msg("32703", dup323); - -var msg34573 = msg("32704", dup323); - -var msg34574 = msg("32705", dup314); - -var msg34575 = msg("32706", dup321); - -var msg34576 = msg("32707", dup309); - -var msg34577 = msg("32708", dup309); - -var msg34578 = msg("32709", dup323); - -var msg34579 = msg("32710", dup325); - -var msg34580 = msg("32711", dup309); - -var msg34581 = msg("32712", dup309); - -var msg34582 = msg("32713", dup311); - -var msg34583 = msg("32714", dup311); - -var msg34584 = msg("32715", dup311); - -var msg34585 = msg("32716", dup311); - -var msg34586 = msg("32717", dup311); - -var msg34587 = msg("32718", dup309); - -var msg34588 = msg("32719", dup309); - -var msg34589 = msg("32720", dup325); - -var msg34590 = msg("32721", dup325); - -var msg34591 = msg("32722", dup325); - -var msg34592 = msg("32723", dup325); - -var msg34593 = msg("32724", dup325); - -var msg34594 = msg("32725", dup325); - -var msg34595 = msg("32726", dup321); - -var msg34596 = msg("32727", dup321); - -var msg34597 = msg("32728", dup321); - -var msg34598 = msg("32729", dup314); - -var msg34599 = msg("32730", dup311); - -var msg34600 = 
msg("32731", dup309); - -var msg34601 = msg("32732", dup309); - -var msg34602 = msg("32733", dup321); - -var msg34603 = msg("32734", dup321); - -var msg34604 = msg("32735", dup321); - -var msg34605 = msg("32736", dup321); - -var msg34606 = msg("32737", dup322); - -var msg34607 = msg("32738", dup307); - -var msg34608 = msg("32739", dup307); - -var msg34609 = msg("32740", dup314); - -var msg34610 = msg("32741", dup314); - -var msg34611 = msg("32742", dup311); - -var msg34612 = msg("32743", dup321); - -var msg34613 = msg("32744", dup314); - -var msg34614 = msg("32745", dup314); - -var msg34615 = msg("32746", dup314); - -var msg34616 = msg("32747", dup321); - -var msg34617 = msg("32748", dup309); - -var msg34618 = msg("32749", dup311); - -var msg34619 = msg("32750", dup311); - -var msg34620 = msg("32751", dup311); - -var msg34621 = msg("32752", dup311); - -var msg34622 = msg("32753", dup311); - -var msg34623 = msg("32754", dup328); - -var msg34624 = msg("32755", dup314); - -var msg34625 = msg("32756", dup314); - -var msg34626 = msg("32757", dup314); - -var msg34627 = msg("32758", dup314); - -var msg34628 = msg("32759", dup314); - -var msg34629 = msg("32760", dup314); - -var msg34630 = msg("32761", dup322); - -var msg34631 = msg("32762", dup325); - -var msg34632 = msg("32763", dup325); - -var msg34633 = msg("32764", dup323); - -var msg34634 = msg("32765", dup323); - -var msg34635 = msg("32766", dup323); - -var msg34636 = msg("32767", dup323); - -var msg34637 = msg("32768", dup322); - -var msg34638 = msg("32769", dup321); - -var msg34639 = msg("32770", dup321); - -var msg34640 = msg("32771", dup321); - -var msg34641 = msg("32772", dup321); - -var msg34642 = msg("32773", dup311); - -var msg34643 = msg("32774", dup200); - -var msg34644 = msg("32775", dup314); - -var msg34645 = msg("32776", dup321); - -var msg34646 = msg("32777", dup325); - -var msg34647 = msg("32778", dup325); - -var msg34648 = msg("32779", dup321); - -var msg34649 = msg("32780", dup321); - -var msg34650 = 
msg("32781", dup321); - -var msg34651 = msg("32782", dup309); - -var msg34652 = msg("32783", dup309); - -var msg34653 = msg("32784", dup309); - -var msg34654 = msg("32785", dup309); - -var msg34655 = msg("32786", dup311); - -var msg34656 = msg("32787", dup307); - -var msg34657 = msg("32788", dup307); - -var msg34658 = msg("32789", dup307); - -var msg34659 = msg("32790", dup307); - -var msg34660 = msg("32791", dup321); - -var msg34661 = msg("32792", dup321); - -var msg34662 = msg("32793", dup309); - -var msg34663 = msg("32794", dup309); - -var msg34664 = msg("32795", dup314); - -var msg34665 = msg("32796", dup314); - -var msg34666 = msg("32797", dup314); - -var msg34667 = msg("32798", dup314); - -var msg34668 = msg("32799", dup314); - -var msg34669 = msg("32800", dup314); - -var msg34670 = msg("32801", dup314); - -var msg34671 = msg("32802", dup314); - -var msg34672 = msg("32803", dup311); - -var msg34673 = msg("32804", dup311); - -var msg34674 = msg("32805", dup309); - -var msg34675 = msg("32806", dup309); - -var msg34676 = msg("32807", dup309); - -var msg34677 = msg("32808", dup309); - -var msg34678 = msg("32809", dup309); - -var msg34679 = msg("32810", dup309); - -var msg34680 = msg("32811", dup309); - -var msg34681 = msg("32812", dup309); - -var msg34682 = msg("32813", dup314); - -var msg34683 = msg("32814", dup314); - -var msg34684 = msg("32815", dup311); - -var msg34685 = msg("32816", dup311); - -var msg34686 = msg("32817", dup324); - -var msg34687 = msg("32818", dup324); - -var msg34688 = msg("32819", dup311); - -var msg34689 = msg("32820", dup311); - -var msg34690 = msg("32821", dup325); - -var msg34691 = msg("32822", dup325); - -var msg34692 = msg("32823", dup321); - -var msg34693 = msg("32824", dup321); - -var msg34694 = msg("32825", dup321); - -var msg34695 = msg("32826", dup321); - -var msg34696 = msg("32827", dup321); - -var msg34697 = msg("32828", dup309); - -var msg34698 = msg("32829", dup309); - -var msg34699 = msg("32830", dup309); - -var msg34700 = 
msg("32831", dup309); - -var msg34701 = msg("32832", dup309); - -var msg34702 = msg("32833", dup309); - -var msg34703 = msg("32834", dup309); - -var msg34704 = msg("32835", dup309); - -var msg34705 = msg("32836", dup309); - -var msg34706 = msg("32837", dup309); - -var msg34707 = msg("32838", dup314); - -var msg34708 = msg("32839", dup314); - -var msg34709 = msg("32840", dup314); - -var msg34710 = msg("32841", dup314); - -var msg34711 = msg("32842", dup314); - -var msg34712 = msg("32843", dup325); - -var msg34713 = msg("32844", dup311); - -var msg34714 = msg("32845", dup314); - -var msg34715 = msg("32846", dup314); - -var msg34716 = msg("32847", dup314); - -var msg34717 = msg("32848", dup314); - -var msg34718 = msg("32849", dup314); - -var msg34719 = msg("32850", dup314); - -var msg34720 = msg("32851", dup314); - -var msg34721 = msg("32852", dup321); - -var msg34722 = msg("32853", dup321); - -var msg34723 = msg("32854", dup321); - -var msg34724 = msg("32855", dup314); - -var msg34725 = msg("32856", dup314); - -var msg34726 = msg("32857", dup309); - -var msg34727 = msg("32858", dup309); - -var msg34728 = msg("32859", dup309); - -var msg34729 = msg("32860", dup309); - -var msg34730 = msg("32861", dup309); - -var msg34731 = msg("32862", dup309); - -var msg34732 = msg("32863", dup309); - -var msg34733 = msg("32864", dup306); - -var msg34734 = msg("32865", dup329); - -var msg34735 = msg("32866", dup314); - -var msg34736 = msg("32867", dup314); - -var msg34737 = msg("32868", dup314); - -var msg34738 = msg("32869", dup311); - -var msg34739 = msg("32870", dup311); - -var msg34740 = msg("32871", dup307); - -var msg34741 = msg("32872", dup309); - -var msg34742 = msg("32873", dup314); - -var msg34743 = msg("32874", dup314); - -var msg34744 = msg("32875", dup321); - -var msg34745 = msg("32876", dup311); - -var msg34746 = msg("32877", dup311); - -var msg34747 = msg("32878", dup311); - -var msg34748 = msg("32879", dup311); - -var msg34749 = msg("32880", dup311); - -var msg34750 = 
msg("32881", dup321); - -var msg34751 = msg("32882", dup321); - -var msg34752 = msg("32883", dup314); - -var msg34753 = msg("32884", dup314); - -var msg34754 = msg("32885", dup311); - -var msg34755 = msg("32886", dup311); - -var msg34756 = msg("32887", dup307); - -var msg34757 = msg("32888", dup321); - -var msg34758 = msg("32889", dup307); - -var msg34759 = msg("32890", dup309); - -var msg34760 = msg("32891", dup321); - -var msg34761 = msg("32892", dup321); - -var msg34762 = msg("32893", dup321); - -var msg34763 = msg("32894", dup314); - -var msg34764 = msg("32895", dup314); - -var msg34765 = msg("32896", dup314); - -var msg34766 = msg("32897", dup314); - -var msg34767 = msg("32898", dup309); - -var msg34768 = msg("32899", dup309); - -var msg34769 = msg("32900", dup314); - -var msg34770 = msg("32901", dup309); - -var msg34771 = msg("32902", dup309); - -var msg34772 = msg("32903", dup309); - -var msg34773 = msg("32904", dup309); - -var msg34774 = msg("32905", dup311); - -var msg34775 = msg("32906", dup311); - -var msg34776 = msg("32907", dup314); - -var msg34777 = msg("32908", dup321); - -var msg34778 = msg("32909", dup321); - -var msg34779 = msg("32910", dup321); - -var msg34780 = msg("32911", dup323); - -var msg34781 = msg("32912", dup323); - -var msg34782 = msg("32913", dup323); - -var msg34783 = msg("32914", dup323); - -var msg34784 = msg("32915", dup323); - -var msg34785 = msg("32916", dup323); - -var msg34786 = msg("32917", dup323); - -var msg34787 = msg("32918", dup323); - -var msg34788 = msg("32919", dup323); - -var msg34789 = msg("32920", dup323); - -var msg34790 = msg("32921", dup323); - -var msg34791 = msg("32922", dup323); - -var msg34792 = msg("32923", dup323); - -var msg34793 = msg("32924", dup323); - -var msg34794 = msg("32925", dup323); - -var msg34795 = msg("32926", dup323); - -var msg34796 = msg("32927", dup323); - -var msg34797 = msg("32928", dup323); - -var msg34798 = msg("32929", dup323); - -var msg34799 = msg("32930", dup323); - -var msg34800 = 
msg("32931", dup323); - -var msg34801 = msg("32932", dup323); - -var msg34802 = msg("32933", dup323); - -var msg34803 = msg("32934", dup323); - -var msg34804 = msg("32935", dup323); - -var msg34805 = msg("32936", dup323); - -var msg34806 = msg("32937", dup323); - -var msg34807 = msg("32938", dup323); - -var msg34808 = msg("32939", dup311); - -var msg34809 = msg("32940", dup309); - -var msg34810 = msg("32941", dup309); - -var msg34811 = msg("32942", dup309); - -var msg34812 = msg("32943", dup309); - -var msg34813 = msg("32944", dup325); - -var msg34814 = msg("32945", dup311); - -var msg34815 = msg("32946", dup311); - -var msg34816 = msg("32947", dup311); - -var msg34817 = msg("32948", dup311); - -var msg34818 = msg("32949", dup311); - -var msg34819 = msg("32950", dup321); - -var msg34820 = msg("32951", dup311); - -var msg34821 = msg("32952", dup314); - -var msg34822 = msg("32953", dup311); - -var msg34823 = msg("32954", dup311); - -var msg34824 = msg("32955", dup311); - -var msg34825 = msg("32956", dup321); - -var msg34826 = msg("32957", dup321); - -var msg34827 = msg("32958", dup321); - -var msg34828 = msg("32959", dup309); - -var msg34829 = msg("32960", dup309); - -var msg34830 = msg("32961", dup309); - -var msg34831 = msg("32962", dup314); - -var msg34832 = msg("32963", dup314); - -var msg34833 = msg("32964", dup314); - -var msg34834 = msg("32965", dup330); - -var msg34835 = msg("32966", dup330); - -var msg34836 = msg("32967", dup314); - -var msg34837 = msg("32968", dup323); - -var msg34838 = msg("32969", dup323); - -var msg34839 = msg("32970", dup323); - -var msg34840 = msg("32971", dup307); - -var msg34841 = msg("32972", dup321); - -var msg34842 = msg("32973", dup321); - -var msg34843 = msg("32974", dup314); - -var msg34844 = msg("32975", dup314); - -var msg34845 = msg("32976", dup321); - -var msg34846 = msg("32977", dup321); - -var msg34847 = msg("32978", dup325); - -var msg34848 = msg("32979", dup325); - -var msg34849 = msg("32980", dup325); - -var msg34850 = 
msg("32981", dup321); - -var msg34851 = msg("32982", dup321); - -var msg34852 = msg("32983", dup321); - -var msg34853 = msg("32984", dup321); - -var msg34854 = msg("32985", dup321); - -var msg34855 = msg("32986", dup321); - -var msg34856 = msg("32987", dup321); - -var msg34857 = msg("32988", dup321); - -var msg34858 = msg("32989", dup321); - -var msg34859 = msg("32990", dup321); - -var msg34860 = msg("32991", dup311); - -var msg34861 = msg("32992", dup311); - -var msg34862 = msg("32993", dup314); - -var msg34863 = msg("32994", dup314); - -var msg34864 = msg("32995", dup311); - -var msg34865 = msg("32996", dup309); - -var msg34866 = msg("32997", dup311); - -var msg34867 = msg("32998", dup311); - -var msg34868 = msg("32999", dup311); - -var msg34869 = msg("33000", dup311); - -var msg34870 = msg("33001", dup311); - -var msg34871 = msg("33002", dup311); - -var msg34872 = msg("33003", dup314); - -var msg34873 = msg("33004", dup314); - -var msg34874 = msg("33005", dup309); - -var msg34875 = msg("33006", dup309); - -var msg34876 = msg("33007", dup309); - -var msg34877 = msg("33008", dup309); - -var msg34878 = msg("33009", dup309); - -var msg34879 = msg("33010", dup309); - -var msg34880 = msg("33011", dup309); - -var msg34881 = msg("33012", dup309); - -var msg34882 = msg("33013", dup314); - -var msg34883 = msg("33014", dup314); - -var msg34884 = msg("33015", dup311); - -var msg34885 = msg("33016", dup309); - -var msg34886 = msg("33017", dup309); - -var msg34887 = msg("33018", dup309); - -var msg34888 = msg("33019", dup309); - -var msg34889 = msg("33020", dup309); - -var msg34890 = msg("33021", dup309); - -var msg34891 = msg("33022", dup309); - -var msg34892 = msg("33023", dup309); - -var msg34893 = msg("33024", dup311); - -var msg34894 = msg("33025", dup311); - -var msg34895 = msg("33026", dup314); - -var msg34896 = msg("33027", dup314); - -var msg34897 = msg("33028", dup314); - -var msg34898 = msg("33029", dup309); - -var msg34899 = msg("33030", dup309); - -var msg34900 = 
msg("33031", dup309); - -var msg34901 = msg("33032", dup309); - -var msg34902 = msg("33033", dup309); - -var msg34903 = msg("33034", dup309); - -var msg34904 = msg("33035", dup309); - -var msg34905 = msg("33036", dup309); - -var msg34906 = msg("33037", dup309); - -var msg34907 = msg("33038", dup309); - -var msg34908 = msg("33039", dup309); - -var msg34909 = msg("33040", dup309); - -var msg34910 = msg("33041", dup309); - -var msg34911 = msg("33042", dup309); - -var msg34912 = msg("33043", dup307); - -var msg34913 = msg("33044", dup314); - -var msg34914 = msg("33045", dup314); - -var msg34915 = msg("33046", dup314); - -var msg34916 = msg("33047", dup325); - -var msg34917 = msg("33048", dup314); - -var msg34918 = msg("33049", dup314); - -var msg34919 = msg("33050", dup309); - -var msg34920 = msg("33051", dup314); - -var msg34921 = msg("33052", dup314); - -var msg34922 = msg("33053", dup324); - -var msg34923 = msg("33054", dup321); - -var msg34924 = msg("33055", dup321); - -var msg34925 = msg("33056", dup321); - -var msg34926 = msg("33057", dup321); - -var msg34927 = msg("33058", dup321); - -var msg34928 = msg("33059", dup321); - -var msg34929 = msg("33060", dup321); - -var msg34930 = msg("33061", dup321); - -var msg34931 = msg("33062", dup333); - -var msg34932 = msg("33063", dup333); - -var msg34933 = msg("33064", dup321); - -var msg34934 = msg("33065", dup321); - -var msg34935 = msg("33066", dup321); - -var msg34936 = msg("33067", dup321); - -var msg34937 = msg("33068", dup321); - -var msg34938 = msg("33069", dup321); - -var msg34939 = msg("33070", dup333); - -var msg34940 = msg("33071", dup333); - -var msg34941 = msg("33072", dup333); - -var msg34942 = msg("33073", dup333); - -var msg34943 = msg("33074", dup323); - -var msg34944 = msg("33075", dup323); - -var msg34945 = msg("33076", dup323); - -var msg34946 = msg("33077", dup324); - -var msg34947 = msg("33078", dup324); - -var msg34948 = msg("33079", dup324); - -var msg34949 = msg("33080", dup324); - -var msg34950 = 
msg("33081", dup321); - -var msg34951 = msg("33082", dup321); - -var msg34952 = msg("33083", dup321); - -var msg34953 = msg("33084", dup321); - -var msg34954 = msg("33085", dup325); - -var msg34955 = msg("33086", dup325); - -var msg34956 = msg("33087", dup309); - -var msg34957 = msg("33088", dup311); - -var msg34958 = msg("33089", dup311); - -var msg34959 = msg("33090", dup311); - -var msg34960 = msg("33091", dup311); - -var msg34961 = msg("33092", dup311); - -var msg34962 = msg("33093", dup325); - -var msg34963 = msg("33094", dup325); - -var msg34964 = msg("33095", dup325); - -var msg34965 = msg("33096", dup325); - -var msg34966 = msg("33097", dup325); - -var msg34967 = msg("33098", dup325); - -var msg34968 = msg("33099", dup325); - -var msg34969 = msg("33100", dup314); - -var msg34970 = msg("33101", dup314); - -var msg34971 = msg("33102", dup314); - -var msg34972 = msg("33103", dup314); - -var msg34973 = msg("33104", dup323); - -var msg34974 = msg("33105", dup336); - -var msg34975 = msg("33106", dup336); - -var msg34976 = msg("33107", dup336); - -var msg34977 = msg("33108", dup336); - -var msg34978 = msg("33109", dup314); - -var msg34979 = msg("33110", dup314); - -var msg34980 = msg("33111", dup314); - -var msg34981 = msg("33112", dup314); - -var msg34982 = msg("33113", dup311); - -var msg34983 = msg("33114", dup311); - -var msg34984 = msg("33115", dup309); - -var msg34985 = msg("33116", dup309); - -var msg34986 = msg("33117", dup321); - -var msg34987 = msg("33118", dup321); - -var msg34988 = msg("33119", dup321); - -var msg34989 = msg("33120", dup321); - -var msg34990 = msg("33121", dup321); - -var msg34991 = msg("33122", dup321); - -var msg34992 = msg("33123", dup321); - -var msg34993 = msg("33124", dup321); - -var msg34994 = msg("33125", dup321); - -var msg34995 = msg("33126", dup321); - -var msg34996 = msg("33127", dup321); - -var msg34997 = msg("33128", dup321); - -var msg34998 = msg("33129", dup321); - -var msg34999 = msg("33130", dup321); - -var msg35000 = 
msg("33131", dup321); - -var msg35001 = msg("33132", dup321); - -var msg35002 = msg("33133", dup321); - -var msg35003 = msg("33134", dup321); - -var msg35004 = msg("33135", dup321); - -var msg35005 = msg("33136", dup321); - -var msg35006 = msg("33137", dup321); - -var msg35007 = msg("33138", dup321); - -var msg35008 = msg("33139", dup321); - -var msg35009 = msg("33140", dup321); - -var msg35010 = msg("33141", dup321); - -var msg35011 = msg("33142", dup321); - -var msg35012 = msg("33143", dup321); - -var msg35013 = msg("33144", dup321); - -var msg35014 = msg("33145", dup321); - -var msg35015 = msg("33146", dup321); - -var msg35016 = msg("33147", dup335); - -var msg35017 = msg("33148", dup335); - -var msg35018 = msg("33149", dup321); - -var msg35019 = msg("33150", dup321); - -var msg35020 = msg("33151", dup321); - -var msg35021 = msg("33152", dup321); - -var msg35022 = msg("33153", dup321); - -var msg35023 = msg("33154", dup321); - -var msg35024 = msg("33155", dup314); - -var msg35025 = msg("33156", dup314); - -var msg35026 = msg("33157", dup307); - -var msg35027 = msg("33158", dup307); - -var msg35028 = msg("33159", dup324); - -var msg35029 = msg("33160", dup324); - -var msg35030 = msg("33161", dup321); - -var msg35031 = msg("33162", dup325); - -var msg35032 = msg("33163", dup325); - -var msg35033 = msg("33164", dup309); - -var msg35034 = msg("33165", dup321); - -var msg35035 = msg("33166", dup311); - -var msg35036 = msg("33167", dup311); - -var msg35037 = msg("33168", dup311); - -var msg35038 = msg("33169", dup311); - -var msg35039 = msg("33170", dup333); - -var msg35040 = msg("33171", dup333); - -var msg35041 = msg("33172", dup333); - -var msg35042 = msg("33173", dup333); - -var msg35043 = msg("33174", dup333); - -var msg35044 = msg("33175", dup333); - -var msg35045 = msg("33176", dup311); - -var msg35046 = msg("33177", dup311); - -var msg35047 = msg("33178", dup309); - -var msg35048 = msg("33179", dup309); - -var msg35049 = msg("33180", dup309); - -var msg35050 = 
msg("33181", dup309); - -var msg35051 = msg("33182", dup311); - -var msg35052 = msg("33183", dup311); - -var msg35053 = msg("33184", dup311); - -var msg35054 = msg("33185", dup311); - -var msg35055 = msg("33186", dup311); - -var msg35056 = msg("33187", dup311); - -var msg35057 = msg("33188", dup321); - -var msg35058 = msg("33189", dup316); - -var msg35059 = msg("33190", dup316); - -var msg35060 = msg("33191", dup325); - -var msg35061 = msg("33192", dup325); - -var msg35062 = msg("33193", dup325); - -var msg35063 = msg("33194", dup325); - -var msg35064 = msg("33195", dup325); - -var msg35065 = msg("33196", dup325); - -var msg35066 = msg("33197", dup314); - -var msg35067 = msg("33198", dup309); - -var msg35068 = msg("33199", dup321); - -var msg35069 = msg("33200", dup321); - -var msg35070 = msg("33201", dup311); - -var msg35071 = msg("33202", dup311); - -var msg35072 = msg("33203", dup311); - -var msg35073 = msg("33204", dup311); - -var msg35074 = msg("33205", dup311); - -var msg35075 = msg("33206", dup311); - -var msg35076 = msg("33207", dup325); - -var msg35077 = msg("33208", dup321); - -var msg35078 = msg("33209", dup321); - -var msg35079 = msg("33210", dup321); - -var msg35080 = msg("33211", dup321); - -var msg35081 = msg("33212", dup333); - -var msg35082 = msg("33213", dup311); - -var msg35083 = msg("33214", dup311); - -var msg35084 = msg("33215", dup321); - -var msg35085 = msg("33216", dup321); - -var msg35086 = msg("33217", dup321); - -var msg35087 = msg("33218", dup321); - -var msg35088 = msg("33219", dup321); - -var msg35089 = msg("33220", dup321); - -var msg35090 = msg("33221", dup321); - -var msg35091 = msg("33222", dup321); - -var msg35092 = msg("33223", dup321); - -var msg35093 = msg("33224", dup200); - -var msg35094 = msg("33225", dup309); - -var msg35095 = msg("33226", dup309); - -var msg35096 = msg("33227", dup321); - -var msg35097 = msg("33228", dup321); - -var msg35098 = msg("33229", dup311); - -var msg35099 = msg("33230", dup325); - -var msg35100 = 
msg("33231", dup325); - -var msg35101 = msg("33232", dup325); - -var msg35102 = msg("33233", dup325); - -var msg35103 = msg("33234", dup325); - -var msg35104 = msg("33235", dup325); - -var msg35105 = msg("33236", dup325); - -var msg35106 = msg("33237", dup325); - -var msg35107 = msg("33238", dup325); - -var msg35108 = msg("33239", dup325); - -var msg35109 = msg("33240", dup325); - -var msg35110 = msg("33241", dup325); - -var msg35111 = msg("33242", dup325); - -var msg35112 = msg("33243", dup325); - -var msg35113 = msg("33244", dup325); - -var msg35114 = msg("33245", dup325); - -var msg35115 = msg("33246", dup325); - -var msg35116 = msg("33247", dup325); - -var msg35117 = msg("33248", dup325); - -var msg35118 = msg("33249", dup325); - -var msg35119 = msg("33250", dup325); - -var msg35120 = msg("33251", dup325); - -var msg35121 = msg("33252", dup325); - -var msg35122 = msg("33253", dup325); - -var msg35123 = msg("33254", dup325); - -var msg35124 = msg("33255", dup325); - -var msg35125 = msg("33256", dup325); - -var msg35126 = msg("33257", dup325); - -var msg35127 = msg("33258", dup325); - -var msg35128 = msg("33259", dup325); - -var msg35129 = msg("33260", dup325); - -var msg35130 = msg("33261", dup314); - -var msg35131 = msg("33262", dup314); - -var msg35132 = msg("33263", dup314); - -var msg35133 = msg("33264", dup314); - -var msg35134 = msg("33265", dup314); - -var msg35135 = msg("33266", dup314); - -var msg35136 = msg("33267", dup314); - -var msg35137 = msg("33268", dup314); - -var msg35138 = msg("33269", dup314); - -var msg35139 = msg("33270", dup314); - -var msg35140 = msg("33271", dup311); - -var msg35141 = msg("33272", dup311); - -var msg35142 = msg("33273", dup311); - -var msg35143 = msg("33274", dup311); - -var msg35144 = msg("33275", dup309); - -var msg35145 = msg("33276", dup316); - -var msg35146 = msg("33277", dup316); - -var msg35147 = msg("33278", dup316); - -var msg35148 = msg("33279", dup311); - -var msg35149 = msg("33280", dup321); - -var msg35150 = 
msg("33281", dup321); - -var msg35151 = msg("33282", dup321); - -var msg35152 = msg("33283", dup321); - -var msg35153 = msg("33284", dup321); - -var msg35154 = msg("33285", dup321); - -var msg35155 = msg("33286", dup311); - -var msg35156 = msg("33287", dup325); - -var msg35157 = msg("33288", dup325); - -var msg35158 = msg("33289", dup321); - -var msg35159 = msg("33290", dup314); - -var msg35160 = msg("33291", dup314); - -var msg35161 = msg("33292", dup311); - -var msg35162 = msg("33293", dup314); - -var msg35163 = msg("33294", dup314); - -var msg35164 = msg("33295", dup309); - -var msg35165 = msg("33296", dup309); - -var msg35166 = msg("33297", dup309); - -var msg35167 = msg("33298", dup309); - -var msg35168 = msg("33299", dup321); - -var msg35169 = msg("33300", dup324); - -var msg35170 = msg("33301", dup324); - -var msg35171 = msg("33302", dup324); - -var msg35172 = msg("33303", dup324); - -var msg35173 = msg("33304", dup321); - -var msg35174 = msg("33305", dup321); - -var msg35175 = msg("33306", dup321); - -var msg35176 = msg("33307", dup311); - -var msg35177 = msg("33308", dup311); - -var msg35178 = msg("33309", dup309); - -var msg35179 = msg("33310", dup309); - -var msg35180 = msg("33311", dup321); - -var msg35181 = msg("33312", dup311); - -var msg35182 = msg("33313", dup311); - -var msg35183 = msg("33314", dup325); - -var msg35184 = msg("33315", dup325); - -var msg35185 = msg("33316", dup325); - -var msg35186 = msg("33317", dup325); - -var msg35187 = msg("33318", dup325); - -var msg35188 = msg("33319", dup325); - -var msg35189 = msg("33320", dup325); - -var msg35190 = msg("33321", dup325); - -var msg35191 = msg("33322", dup325); - -var msg35192 = msg("33323", dup311); - -var msg35193 = msg("33324", dup325); - -var msg35194 = msg("33325", dup325); - -var msg35195 = msg("33326", dup321); - -var msg35196 = msg("33327", dup321); - -var msg35197 = msg("33328", dup321); - -var msg35198 = msg("33329", dup321); - -var msg35199 = msg("33330", dup321); - -var msg35200 = 
msg("33331", dup325); - -var msg35201 = msg("33332", dup325); - -var msg35202 = msg("33333", dup325); - -var msg35203 = msg("33334", dup325); - -var msg35204 = msg("33335", dup325); - -var msg35205 = msg("33336", dup325); - -var msg35206 = msg("33337", dup325); - -var msg35207 = msg("33338", dup325); - -var msg35208 = msg("33339", dup316); - -var msg35209 = msg("33340", dup325); - -var msg35210 = msg("33341", dup325); - -var msg35211 = msg("33342", dup321); - -var msg35212 = msg("33343", dup314); - -var msg35213 = msg("33344", dup314); - -var msg35214 = msg("33345", dup325); - -var msg35215 = msg("33346", dup325); - -var msg35216 = msg("33347", dup325); - -var msg35217 = msg("33348", dup325); - -var msg35218 = msg("33349", dup325); - -var msg35219 = msg("33350", dup309); - -var msg35220 = msg("33351", dup309); - -var msg35221 = msg("33352", dup311); - -var msg35222 = msg("33353", dup325); - -var msg35223 = msg("33354", dup325); - -var msg35224 = msg("33355", dup314); - -var msg35225 = msg("33356", dup325); - -var msg35226 = msg("33357", dup325); - -var msg35227 = msg("33358", dup325); - -var msg35228 = msg("33359", dup325); - -var msg35229 = msg("33360", dup325); - -var msg35230 = msg("33361", dup325); - -var msg35231 = msg("33362", dup309); - -var msg35232 = msg("33363", dup314); - -var msg35233 = msg("33364", dup314); - -var msg35234 = msg("33365", dup325); - -var msg35235 = msg("33366", dup325); - -var msg35236 = msg("33367", dup314); - -var msg35237 = msg("33368", dup314); - -var msg35238 = msg("33369", dup314); - -var msg35239 = msg("33370", dup314); - -var msg35240 = msg("33371", dup314); - -var msg35241 = msg("33372", dup314); - -var msg35242 = msg("33373", dup314); - -var msg35243 = msg("33374", dup314); - -var msg35244 = msg("33375", dup314); - -var msg35245 = msg("33376", dup314); - -var msg35246 = msg("33377", dup314); - -var msg35247 = msg("33378", dup314); - -var msg35248 = msg("33379", dup314); - -var msg35249 = msg("33380", dup314); - -var msg35250 = 
msg("33381", dup314); - -var msg35251 = msg("33382", dup314); - -var msg35252 = msg("33383", dup314); - -var msg35253 = msg("33384", dup314); - -var msg35254 = msg("33385", dup314); - -var msg35255 = msg("33386", dup314); - -var msg35256 = msg("33387", dup314); - -var msg35257 = msg("33388", dup314); - -var msg35258 = msg("33389", dup314); - -var msg35259 = msg("33390", dup314); - -var msg35260 = msg("33391", dup314); - -var msg35261 = msg("33392", dup314); - -var msg35262 = msg("33393", dup314); - -var msg35263 = msg("33394", dup314); - -var msg35264 = msg("33395", dup314); - -var msg35265 = msg("33396", dup314); - -var msg35266 = msg("33397", dup314); - -var msg35267 = msg("33398", dup314); - -var msg35268 = msg("33399", dup314); - -var msg35269 = msg("33400", dup314); - -var msg35270 = msg("33401", dup314); - -var msg35271 = msg("33402", dup314); - -var msg35272 = msg("33403", dup314); - -var msg35273 = msg("33404", dup314); - -var msg35274 = msg("33405", dup314); - -var msg35275 = msg("33406", dup314); - -var msg35276 = msg("33407", dup314); - -var msg35277 = msg("33408", dup314); - -var msg35278 = msg("33409", dup314); - -var msg35279 = msg("33410", dup314); - -var msg35280 = msg("33411", dup321); - -var msg35281 = msg("33412", dup311); - -var msg35282 = msg("33413", dup325); - -var msg35283 = msg("33414", dup325); - -var msg35284 = msg("33415", dup325); - -var msg35285 = msg("33416", dup325); - -var msg35286 = msg("33417", dup325); - -var msg35287 = msg("33418", dup325); - -var msg35288 = msg("33419", dup325); - -var msg35289 = msg("33420", dup325); - -var msg35290 = msg("33421", dup311); - -var msg35291 = msg("33422", dup311); - -var msg35292 = msg("33423", dup325); - -var msg35293 = msg("33424", dup325); - -var msg35294 = msg("33425", dup325); - -var msg35295 = msg("33426", dup325); - -var msg35296 = msg("33427", dup325); - -var msg35297 = msg("33428", dup325); - -var msg35298 = msg("33429", dup311); - -var msg35299 = msg("33430", dup314); - -var msg35300 = 
msg("33431", dup321); - -var msg35301 = msg("33432", dup321); - -var msg35302 = msg("33433", dup321); - -var msg35303 = msg("33434", dup321); - -var msg35304 = msg("33435", dup321); - -var msg35305 = msg("33436", dup309); - -var msg35306 = msg("33437", dup309); - -var msg35307 = msg("33438", dup321); - -var msg35308 = msg("33439", dup321); - -var msg35309 = msg("33440", dup311); - -var msg35310 = msg("33441", dup309); - -var msg35311 = msg("33442", dup309); - -var msg35312 = msg("33443", dup321); - -var msg35313 = msg("33444", dup321); - -var msg35314 = msg("33445", dup323); - -var msg35315 = msg("33446", dup316); - -var msg35316 = msg("33447", dup316); - -var msg35317 = msg("33448", dup316); - -var msg35318 = msg("33449", dup323); - -var msg35319 = msg("33450", dup321); - -var msg35320 = msg("33451", dup309); - -var msg35321 = msg("33452", dup314); - -var msg35322 = msg("33453", dup321); - -var msg35323 = msg("33454", dup309); - -var msg35324 = msg("33455", dup309); - -var msg35325 = msg("33456", dup321); - -var msg35326 = msg("33457", dup321); - -var msg35327 = msg("33458", dup311); - -var msg35328 = msg("33459", dup311); - -var msg35329 = msg("33460", dup311); - -var msg35330 = msg("33461", dup311); - -var msg35331 = msg("33462", dup311); - -var msg35332 = msg("33463", dup311); - -var msg35333 = msg("33464", dup321); - -var msg35334 = msg("33465", dup309); - -var msg35335 = msg("33466", dup309); - -var msg35336 = msg("33467", dup309); - -var msg35337 = msg("33468", dup309); - -var msg35338 = msg("33469", dup311); - -var msg35339 = msg("33470", dup311); - -var msg35340 = msg("33471", dup311); - -var msg35341 = msg("33472", dup311); - -var msg35342 = msg("33473", dup311); - -var msg35343 = msg("33474", dup311); - -var msg35344 = msg("33475", dup314); - -var msg35345 = msg("33476", dup314); - -var msg35346 = msg("33477", dup314); - -var msg35347 = msg("33478", dup314); - -var msg35348 = msg("33564", dup309); - -var msg35349 = msg("33565", dup311); - -var msg35350 = 
msg("33566", dup309); - -var msg35351 = msg("33567", dup309); - -var msg35352 = msg("33568", dup309); - -var msg35353 = msg("33569", dup311); - -var msg35354 = msg("33570", dup311); - -var msg35355 = msg("33571", dup311); - -var msg35356 = msg("33572", dup311); - -var msg35357 = msg("33573", dup323); - -var msg35358 = msg("33574", dup323); - -var msg35359 = msg("33575", dup311); - -var msg35360 = msg("33576", dup311); - -var msg35361 = msg("33577", dup311); - -var msg35362 = msg("33578", dup311); - -var msg35363 = msg("33579", dup314); - -var msg35364 = msg("33580", dup321); - -var msg35365 = msg("33581", dup314); - -var msg35366 = msg("33582", dup309); - -var msg35367 = msg("33583", dup324); - -var msg35368 = msg("33584", dup311); - -var msg35369 = msg("33585", dup311); - -var msg35370 = msg("33586", dup311); - -var msg35371 = msg("33587", dup309); - -var msg35372 = msg("33588", dup309); - -var msg35373 = msg("33589", dup309); - -var msg35374 = msg("33590", dup309); - -var msg35375 = msg("33591", dup309); - -var msg35376 = msg("33592", dup309); - -var msg35377 = msg("33593", dup309); - -var msg35378 = msg("33594", dup321); - -var msg35379 = msg("33595", dup309); - -var msg35380 = msg("33596", dup309); - -var msg35381 = msg("33597", dup314); - -var msg35382 = msg("33598", dup314); - -var msg35383 = msg("33599", dup314); - -var msg35384 = msg("33600", dup321); - -var msg35385 = msg("33601", dup311); - -var msg35386 = msg("33602", dup311); - -var msg35387 = msg("33603", dup311); - -var msg35388 = msg("33604", dup311); - -var msg35389 = msg("33605", dup325); - -var msg35390 = msg("33606", dup325); - -var msg35391 = msg("33607", dup314); - -var msg35392 = msg("33608", dup314); - -var msg35393 = msg("33609", dup310); - -var msg35394 = msg("33610", dup310); - -var msg35395 = msg("33611", dup310); - -var msg35396 = msg("33612", dup314); - -var msg35397 = msg("33613", dup314); - -var msg35398 = msg("33614", dup314); - -var msg35399 = msg("33615", dup311); - -var msg35400 = 
msg("33618", dup321); - -var msg35401 = msg("33619", dup321); - -var msg35402 = msg("33620", dup321); - -var msg35403 = msg("33621", dup321); - -var msg35404 = msg("33622", dup324); - -var msg35405 = msg("33623", dup324); - -var msg35406 = msg("33624", dup324); - -var msg35407 = msg("33625", dup324); - -var msg35408 = msg("33626", dup324); - -var msg35409 = msg("33627", dup324); - -var msg35410 = msg("33628", dup324); - -var msg35411 = msg("33629", dup324); - -var msg35412 = msg("33630", dup324); - -var msg35413 = msg("33631", dup324); - -var msg35414 = msg("33632", dup316); - -var msg35415 = msg("33633", dup325); - -var msg35416 = msg("33634", dup324); - -var msg35417 = msg("33635", dup324); - -var msg35418 = msg("33636", dup308); - -var msg35419 = msg("33637", dup322); - -var msg35420 = msg("33638", dup324); - -var msg35421 = msg("33639", dup324); - -var msg35422 = msg("33640", dup314); - -var msg35423 = msg("33641", dup314); - -var msg35424 = msg("33642", dup314); - -var msg35425 = msg("33643", dup309); - -var msg35426 = msg("33644", dup309); - -var msg35427 = msg("33645", dup321); - -var msg35428 = msg("33646", dup324); - -var msg35429 = msg("33647", dup324); - -var msg35430 = msg("33648", dup324); - -var msg35431 = msg("33649", dup325); - -var msg35432 = msg("33650", dup321); - -var msg35433 = msg("33651", dup322); - -var msg35434 = msg("33652", dup322); - -var msg35435 = msg("33653", dup322); - -var all62 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup122, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var msg35436 = msg("33654", all62); - -var msg35437 = msg("33655", dup310); - -var msg35438 = msg("33656", dup321); - -var msg35439 = msg("33657", dup307); - -var msg35440 = msg("33658", dup307); - -var msg35441 = msg("33659", dup307); - -var msg35442 = msg("33660", dup321); - -var msg35443 = 
msg("33661", dup314); - -var msg35444 = msg("33662", dup314); - -var msg35445 = msg("33663", dup311); - -var msg35446 = msg("33664", dup314); - -var msg35447 = msg("33665", dup316); - -var msg35448 = msg("33666", dup314); - -var msg35449 = msg("33667", dup314); - -var msg35450 = msg("33668", dup314); - -var msg35451 = msg("33669", dup311); - -var msg35452 = msg("33670", dup324); - -var msg35453 = msg("33671", dup324); - -var msg35454 = msg("33672", dup324); - -var msg35455 = msg("33673", dup321); - -var msg35456 = msg("33674", dup321); - -var msg35457 = msg("33675", dup321); - -var msg35458 = msg("33676", dup316); - -var msg35459 = msg("33677", dup321); - -var msg35460 = msg("33678", dup321); - -var msg35461 = msg("33679", dup324); - -var msg35462 = msg("33680", dup324); - -var msg35463 = msg("33681", dup321); - -var msg35464 = msg("33682", dup314); - -var msg35465 = msg("33683", dup314); - -var msg35466 = msg("33684", dup311); - -var msg35467 = msg("33685", dup311); - -var msg35468 = msg("33686", dup323); - -var msg35469 = msg("33687", dup323); - -var msg35470 = msg("33688", dup323); - -var msg35471 = msg("33689", dup323); - -var msg35472 = msg("33690", dup323); - -var msg35473 = msg("33691", dup323); - -var msg35474 = msg("33692", dup323); - -var msg35475 = msg("33693", dup323); - -var msg35476 = msg("33694", dup323); - -var msg35477 = msg("33695", dup323); - -var msg35478 = msg("33696", dup323); - -var msg35479 = msg("33697", dup323); - -var msg35480 = msg("33698", dup323); - -var msg35481 = msg("33699", dup323); - -var msg35482 = msg("33700", dup323); - -var msg35483 = msg("33701", dup323); - -var msg35484 = msg("33702", dup323); - -var msg35485 = msg("33703", dup323); - -var msg35486 = msg("33704", dup321); - -var msg35487 = msg("33705", dup309); - -var msg35488 = msg("33706", dup309); - -var msg35489 = msg("33707", dup325); - -var msg35490 = msg("33708", dup325); - -var msg35491 = msg("33709", dup323); - -var msg35492 = msg("33710", dup323); - -var msg35493 = 
msg("33711", dup314); - -var msg35494 = msg("33712", dup314); - -var msg35495 = msg("33713", dup309); - -var msg35496 = msg("33714", dup309); - -var msg35497 = msg("33715", dup309); - -var msg35498 = msg("33716", dup309); - -var msg35499 = msg("33717", dup314); - -var msg35500 = msg("33718", dup311); - -var msg35501 = msg("33719", dup311); - -var msg35502 = msg("33720", dup325); - -var msg35503 = msg("33721", dup325); - -var msg35504 = msg("33722", dup309); - -var msg35505 = msg("33723", dup309); - -var msg35506 = msg("33724", dup311); - -var msg35507 = msg("33725", dup311); - -var msg35508 = msg("33726", dup325); - -var msg35509 = msg("33727", dup325); - -var msg35510 = msg("33728", dup314); - -var msg35511 = msg("33729", dup314); - -var msg35512 = msg("33730", dup325); - -var msg35513 = msg("33731", dup325); - -var msg35514 = msg("33732", dup314); - -var msg35515 = msg("33733", dup314); - -var msg35516 = msg("33734", dup309); - -var msg35517 = msg("33735", dup309); - -var msg35518 = msg("33736", dup325); - -var msg35519 = msg("33737", dup325); - -var msg35520 = msg("33738", dup325); - -var msg35521 = msg("33739", dup325); - -var msg35522 = msg("33740", dup314); - -var msg35523 = msg("33741", dup325); - -var msg35524 = msg("33742", dup325); - -var msg35525 = msg("33743", dup309); - -var msg35526 = msg("33744", dup309); - -var msg35527 = msg("33745", dup321); - -var msg35528 = msg("33746", dup321); - -var msg35529 = msg("33747", dup321); - -var msg35530 = msg("33748", dup321); - -var msg35531 = msg("33749", dup321); - -var msg35532 = msg("33750", dup321); - -var msg35533 = msg("33751", dup321); - -var msg35534 = msg("33752", dup321); - -var msg35535 = msg("33753", dup321); - -var msg35536 = msg("33754", dup321); - -var msg35537 = msg("33755", dup321); - -var msg35538 = msg("33756", dup321); - -var msg35539 = msg("33757", dup321); - -var msg35540 = msg("33758", dup321); - -var msg35541 = msg("33759", dup321); - -var msg35542 = msg("33760", dup325); - -var msg35543 = 
msg("33761", dup325); - -var msg35544 = msg("33762", dup311); - -var msg35545 = msg("33763", dup325); - -var msg35546 = msg("33764", dup325); - -var msg35547 = msg("33765", dup323); - -var msg35548 = msg("33766", dup323); - -var msg35549 = msg("33767", dup314); - -var msg35550 = msg("33768", dup314); - -var msg35551 = msg("33769", dup314); - -var msg35552 = msg("33770", dup314); - -var msg35553 = msg("33771", dup314); - -var msg35554 = msg("33772", dup314); - -var msg35555 = msg("33773", dup314); - -var msg35556 = msg("33774", dup314); - -var msg35557 = msg("33775", dup325); - -var msg35558 = msg("33776", dup325); - -var msg35559 = msg("33777", dup323); - -var msg35560 = msg("33778", dup323); - -var msg35561 = msg("33779", dup323); - -var msg35562 = msg("33780", dup323); - -var msg35563 = msg("33781", dup323); - -var msg35564 = msg("33782", dup323); - -var msg35565 = msg("33783", dup323); - -var msg35566 = msg("33784", dup323); - -var msg35567 = msg("33785", dup323); - -var msg35568 = msg("33786", dup323); - -var msg35569 = msg("33787", dup323); - -var msg35570 = msg("33788", dup323); - -var msg35571 = msg("33789", dup323); - -var msg35572 = msg("33790", dup323); - -var msg35573 = msg("33791", dup323); - -var msg35574 = msg("33792", dup323); - -var msg35575 = msg("33793", dup323); - -var msg35576 = msg("33794", dup323); - -var msg35577 = msg("33795", dup323); - -var msg35578 = msg("33796", dup323); - -var msg35579 = msg("33797", dup323); - -var msg35580 = msg("33798", dup323); - -var msg35581 = msg("33799", dup323); - -var msg35582 = msg("33800", dup323); - -var msg35583 = msg("33801", dup323); - -var msg35584 = msg("33802", dup323); - -var msg35585 = msg("33803", dup323); - -var msg35586 = msg("33804", dup323); - -var msg35587 = msg("33805", dup323); - -var msg35588 = msg("33806", dup323); - -var msg35589 = msg("33807", dup316); - -var msg35590 = msg("33808", dup314); - -var msg35591 = msg("33809", dup314); - -var msg35592 = msg("33810", dup311); - -var msg35593 = 
msg("33811", dup314); - -var msg35594 = msg("33812", dup311); - -var msg35595 = msg("33813", dup310); - -var msg35596 = msg("33814", dup307); - -var msg35597 = msg("33815", dup321); - -var msg35598 = msg("33816", dup321); - -var msg35599 = msg("33817", dup310); - -var msg35600 = msg("33818", dup321); - -var msg35601 = msg("33819", dup321); - -var msg35602 = msg("33820", dup321); - -var msg35603 = msg("33821", dup321); - -var msg35604 = msg("33822", dup321); - -var msg35605 = msg("33823", dup321); - -var msg35606 = msg("33824", dup311); - -var msg35607 = msg("33825", dup314); - -var msg35608 = msg("33826", dup324); - -var msg35609 = msg("33827", dup311); - -var msg35610 = msg("33828", dup311); - -var msg35611 = msg("33829", dup311); - -var msg35612 = msg("33830", dup307); - -var msg35613 = msg("33831", dup325); - -var msg35614 = msg("33832", dup316); - -var msg35615 = msg("33833", dup321); - -var msg35616 = msg("33834", dup321); - -var msg35617 = msg("33835", dup321); - -var msg35618 = msg("33836", dup321); - -var msg35619 = msg("33837", dup321); - -var msg35620 = msg("33838", dup321); - -var msg35621 = msg("33839", dup321); - -var msg35622 = msg("33840", dup321); - -var msg35623 = msg("33841", dup321); - -var msg35624 = msg("33842", dup321); - -var msg35625 = msg("33843", dup321); - -var msg35626 = msg("33844", dup321); - -var msg35627 = msg("33845", dup321); - -var msg35628 = msg("33846", dup321); - -var msg35629 = msg("33847", dup321); - -var msg35630 = msg("33848", dup321); - -var msg35631 = msg("33849", dup321); - -var msg35632 = msg("33850", dup321); - -var msg35633 = msg("33851", dup321); - -var msg35634 = msg("33852", dup321); - -var msg35635 = msg("33853", dup307); - -var msg35636 = msg("33854", dup321); - -var msg35637 = msg("33855", dup325); - -var msg35638 = msg("33856", dup314); - -var msg35639 = msg("33857", dup321); - -var msg35640 = msg("33858", dup314); - -var msg35641 = msg("33859", dup321); - -var msg35642 = msg("33860", dup321); - -var msg35643 = 
msg("33861", dup321); - -var msg35644 = msg("33862", dup321); - -var msg35645 = msg("33863", dup321); - -var msg35646 = msg("33864", dup321); - -var msg35647 = msg("33865", dup321); - -var msg35648 = msg("33866", dup321); - -var msg35649 = msg("33867", dup321); - -var msg35650 = msg("33868", dup321); - -var msg35651 = msg("33869", dup323); - -var msg35652 = msg("33870", dup323); - -var msg35653 = msg("33871", dup332); - -var msg35654 = msg("33872", dup321); - -var msg35655 = msg("33873", dup321); - -var msg35656 = msg("33874", dup321); - -var msg35657 = msg("33875", dup314); - -var msg35658 = msg("33876", dup321); - -var msg35659 = msg("33877", dup321); - -var msg35660 = msg("33878", dup321); - -var msg35661 = msg("33879", dup321); - -var msg35662 = msg("33880", dup321); - -var msg35663 = msg("33881", dup321); - -var msg35664 = msg("33882", dup321); - -var msg35665 = msg("33883", dup321); - -var msg35666 = msg("33884", dup325); - -var msg35667 = msg("33885", dup321); - -var msg35668 = msg("33886", dup321); - -var msg35669 = msg("33887", dup316); - -var msg35670 = msg("33888", dup316); - -var msg35671 = msg("33889", dup316); - -var msg35672 = msg("33890", dup316); - -var msg35673 = msg("33891", dup321); - -var msg35674 = msg("33892", dup321); - -var msg35675 = msg("33893", dup321); - -var msg35676 = msg("33894", dup311); - -var msg35677 = msg("33895", dup311); - -var msg35678 = msg("33896", dup311); - -var msg35679 = msg("33897", dup307); - -var msg35680 = msg("33898", dup307); - -var msg35681 = msg("33899", dup311); - -var msg35682 = msg("33900", dup311); - -var msg35683 = msg("33901", dup311); - -var msg35684 = msg("33902", dup311); - -var msg35685 = msg("33903", dup307); - -var msg35686 = msg("33904", dup307); - -var msg35687 = msg("33905", dup311); - -var msg35688 = msg("33906", dup311); - -var msg35689 = msg("33907", dup325); - -var msg35690 = msg("33908", dup309); - -var msg35691 = msg("33909", dup309); - -var msg35692 = msg("33910", dup324); - -var msg35693 = 
msg("33911", dup324); - -var msg35694 = msg("33912", dup321); - -var msg35695 = msg("33913", dup321); - -var msg35696 = msg("33914", dup325); - -var msg35697 = msg("33915", dup314); - -var msg35698 = msg("33916", dup314); - -var msg35699 = msg("33917", dup314); - -var msg35700 = msg("33918", dup314); - -var msg35701 = msg("33919", dup314); - -var msg35702 = msg("33920", dup314); - -var msg35703 = msg("33921", dup314); - -var msg35704 = msg("33922", dup307); - -var msg35705 = msg("33923", dup309); - -var msg35706 = msg("33924", dup309); - -var msg35707 = msg("33925", dup309); - -var msg35708 = msg("33926", dup309); - -var msg35709 = msg("33927", dup334); - -var msg35710 = msg("33928", dup324); - -var msg35711 = msg("33929", dup324); - -var msg35712 = msg("33930", dup321); - -var msg35713 = msg("33931", dup321); - -var msg35714 = msg("33932", dup321); - -var msg35715 = msg("33933", dup321); - -var msg35716 = msg("33934", dup314); - -var msg35717 = msg("33935", dup314); - -var msg35718 = msg("33936", dup316); - -var msg35719 = msg("33937", dup316); - -var msg35720 = msg("33938", dup316); - -var msg35721 = msg("33939", dup311); - -var msg35722 = msg("33940", dup311); - -var msg35723 = msg("33941", dup311); - -var msg35724 = msg("33942", dup311); - -var msg35725 = msg("33943", dup311); - -var msg35726 = msg("33944", dup309); - -var msg35727 = msg("33945", dup309); - -var msg35728 = msg("33946", dup309); - -var msg35729 = msg("33947", dup309); - -var msg35730 = msg("33948", dup309); - -var msg35731 = msg("33949", dup309); - -var msg35732 = msg("33950", dup309); - -var msg35733 = msg("33951", dup309); - -var msg35734 = msg("33952", dup309); - -var msg35735 = msg("33953", dup309); - -var msg35736 = msg("33954", dup309); - -var msg35737 = msg("33955", dup309); - -var msg35738 = msg("33956", dup309); - -var msg35739 = msg("33957", dup309); - -var msg35740 = msg("33958", dup309); - -var msg35741 = msg("33959", dup309); - -var msg35742 = msg("33960", dup311); - -var msg35743 = 
msg("33961", dup311); - -var msg35744 = msg("33962", dup314); - -var msg35745 = msg("33963", dup314); - -var msg35746 = msg("33964", dup314); - -var msg35747 = msg("33965", dup321); - -var msg35748 = msg("33966", dup321); - -var msg35749 = msg("33967", dup311); - -var msg35750 = msg("33968", dup311); - -var msg35751 = msg("33969", dup311); - -var msg35752 = msg("33970", dup311); - -var msg35753 = msg("33971", dup314); - -var msg35754 = msg("33972", dup314); - -var msg35755 = msg("33973", dup314); - -var msg35756 = msg("33974", dup314); - -var msg35757 = msg("33975", dup314); - -var msg35758 = msg("33976", dup314); - -var msg35759 = msg("33977", dup314); - -var msg35760 = msg("33978", dup314); - -var msg35761 = msg("33979", dup309); - -var msg35762 = msg("33980", dup309); - -var msg35763 = msg("33981", dup311); - -var msg35764 = msg("33982", dup311); - -var msg35765 = msg("33983", dup311); - -var msg35766 = msg("33984", dup316); - -var msg35767 = msg("33985", dup321); - -var msg35768 = msg("33986", dup314); - -var msg35769 = msg("33987", dup311); - -var msg35770 = msg("33988", dup321); - -var msg35771 = msg("33989", dup321); - -var msg35772 = msg("33990", dup321); - -var msg35773 = msg("33991", dup321); - -var msg35774 = msg("33992", dup321); - -var msg35775 = msg("33993", dup321); - -var msg35776 = msg("33994", dup321); - -var msg35777 = msg("33995", dup321); - -var msg35778 = msg("33996", dup321); - -var msg35779 = msg("33997", dup321); - -var msg35780 = msg("33998", dup311); - -var msg35781 = msg("33999", dup311); - -var msg35782 = msg("34000", dup311); - -var msg35783 = msg("34001", dup321); - -var msg35784 = msg("34002", dup321); - -var msg35785 = msg("34003", dup321); - -var msg35786 = msg("34004", dup325); - -var msg35787 = msg("34005", dup325); - -var msg35788 = msg("34006", dup325); - -var msg35789 = msg("34007", dup325); - -var msg35790 = msg("34008", dup325); - -var msg35791 = msg("34009", dup325); - -var msg35792 = msg("34010", dup325); - -var msg35793 = 
msg("34011", dup325); - -var msg35794 = msg("34012", dup325); - -var msg35795 = msg("34013", dup321); - -var msg35796 = msg("34014", dup314); - -var msg35797 = msg("34015", dup314); - -var msg35798 = msg("34016", dup314); - -var msg35799 = msg("34017", dup314); - -var msg35800 = msg("34018", dup316); - -var msg35801 = msg("34019", dup316); - -var msg35802 = msg("34020", dup311); - -var msg35803 = msg("34021", dup311); - -var msg35804 = msg("34022", dup323); - -var msg35805 = msg("34023", dup323); - -var msg35806 = msg("34024", dup314); - -var msg35807 = msg("34025", dup321); - -var msg35808 = msg("34026", dup321); - -var msg35809 = msg("34027", dup309); - -var msg35810 = msg("34028", dup321); - -var msg35811 = msg("34029", dup321); - -var msg35812 = msg("34030", dup321); - -var msg35813 = msg("34031", dup321); - -var msg35814 = msg("34032", dup321); - -var msg35815 = msg("34033", dup321); - -var msg35816 = msg("34034", dup321); - -var msg35817 = msg("34035", dup321); - -var msg35818 = msg("34036", dup321); - -var msg35819 = msg("34037", dup321); - -var msg35820 = msg("34038", dup321); - -var msg35821 = msg("34039", dup321); - -var msg35822 = msg("34040", dup321); - -var msg35823 = msg("34041", dup321); - -var msg35824 = msg("34042", dup321); - -var msg35825 = msg("34043", dup321); - -var msg35826 = msg("34044", dup321); - -var msg35827 = msg("34045", dup321); - -var msg35828 = msg("34046", dup325); - -var msg35829 = msg("34047", dup321); - -var msg35830 = msg("34048", dup324); - -var msg35831 = msg("34049", dup321); - -var msg35832 = msg("34050", dup321); - -var msg35833 = msg("34051", dup324); - -var msg35834 = msg("34052", dup321); - -var msg35835 = msg("34053", dup314); - -var msg35836 = msg("34054", dup314); - -var msg35837 = msg("34055", dup314); - -var msg35838 = msg("34056", dup314); - -var msg35839 = msg("34057", dup309); - -var msg35840 = msg("34058", dup309); - -var msg35841 = msg("34059", dup325); - -var msg35842 = msg("34060", dup325); - -var msg35843 = 
msg("34061", dup309); - -var msg35844 = msg("34062", dup309); - -var msg35845 = msg("34063", dup309); - -var msg35846 = msg("34064", dup325); - -var msg35847 = msg("34065", dup325); - -var msg35848 = msg("34066", dup309); - -var msg35849 = msg("34067", dup309); - -var msg35850 = msg("34068", dup325); - -var msg35851 = msg("34069", dup325); - -var msg35852 = msg("34070", dup325); - -var msg35853 = msg("34071", dup325); - -var msg35854 = msg("34072", dup325); - -var msg35855 = msg("34073", dup325); - -var msg35856 = msg("34074", dup325); - -var msg35857 = msg("34075", dup325); - -var msg35858 = msg("34076", dup325); - -var msg35859 = msg("34077", dup325); - -var msg35860 = msg("34078", dup311); - -var msg35861 = msg("34079", dup311); - -var msg35862 = msg("34080", dup311); - -var msg35863 = msg("34081", dup311); - -var msg35864 = msg("34082", dup311); - -var msg35865 = msg("34083", dup311); - -var msg35866 = msg("34084", dup325); - -var msg35867 = msg("34085", dup325); - -var msg35868 = msg("34086", dup309); - -var msg35869 = msg("34087", dup309); - -var msg35870 = msg("34088", dup314); - -var msg35871 = msg("34089", dup325); - -var msg35872 = msg("34090", dup325); - -var msg35873 = msg("34091", dup311); - -var msg35874 = msg("34092", dup311); - -var msg35875 = msg("34093", dup309); - -var msg35876 = msg("34094", dup309); - -var msg35877 = msg("34095", dup314); - -var msg35878 = msg("34096", dup314); - -var msg35879 = msg("34097", dup311); - -var msg35880 = msg("34098", dup311); - -var msg35881 = msg("34099", dup314); - -var msg35882 = msg("34100", dup309); - -var msg35883 = msg("34101", dup309); - -var msg35884 = msg("34102", dup309); - -var msg35885 = msg("34103", dup309); - -var msg35886 = msg("34104", dup314); - -var msg35887 = msg("34105", dup314); - -var msg35888 = msg("34106", dup314); - -var msg35889 = msg("34107", dup321); - -var msg35890 = msg("34108", dup321); - -var msg35891 = msg("34109", dup307); - -var msg35892 = msg("34110", dup307); - -var msg35893 = 
msg("34111", dup321); - -var msg35894 = msg("34112", dup324); - -var msg35895 = msg("34113", dup321); - -var msg35896 = msg("34114", dup324); - -var msg35897 = msg("34115", dup321); - -var msg35898 = msg("34116", dup321); - -var msg35899 = msg("34117", dup321); - -var msg35900 = msg("34118", dup323); - -var msg35901 = msg("34119", dup321); - -var msg35902 = msg("34120", dup321); - -var msg35903 = msg("34121", dup321); - -var msg35904 = msg("34122", dup321); - -var msg35905 = msg("34123", dup314); - -var msg35906 = msg("34124", dup314); - -var msg35907 = msg("34125", dup321); - -var msg35908 = msg("34126", dup321); - -var msg35909 = msg("34127", dup321); - -var msg35910 = msg("34128", dup321); - -var msg35911 = msg("34129", dup321); - -var msg35912 = msg("34130", dup321); - -var msg35913 = msg("34131", dup309); - -var msg35914 = msg("34132", dup321); - -var msg35915 = msg("34133", dup309); - -var msg35916 = msg("34134", dup309); - -var msg35917 = msg("34135", dup314); - -var msg35918 = msg("34136", dup328); - -var msg35919 = msg("34137", dup321); - -var msg35920 = msg("34138", dup321); - -var msg35921 = msg("34139", dup314); - -var msg35922 = msg("34140", dup321); - -var msg35923 = msg("34141", dup309); - -var msg35924 = msg("34142", dup309); - -var msg35925 = msg("34143", dup321); - -var msg35926 = msg("34144", dup321); - -var msg35927 = msg("34145", dup321); - -var msg35928 = msg("34146", dup321); - -var msg35929 = msg("34147", dup314); - -var msg35930 = msg("34148", dup314); - -var msg35931 = msg("34149", dup314); - -var msg35932 = msg("34150", dup314); - -var msg35933 = msg("34151", dup314); - -var msg35934 = msg("34152", dup314); - -var msg35935 = msg("34153", dup314); - -var msg35936 = msg("34154", dup314); - -var msg35937 = msg("34155", dup321); - -var msg35938 = msg("34156", dup311); - -var msg35939 = msg("34157", dup311); - -var msg35940 = msg("34158", dup311); - -var msg35941 = msg("34159", dup311); - -var msg35942 = msg("34160", dup324); - -var msg35943 = 
msg("34161", dup321); - -var msg35944 = msg("34162", dup309); - -var msg35945 = msg("34163", dup309); - -var msg35946 = msg("34164", dup309); - -var msg35947 = msg("34165", dup309); - -var msg35948 = msg("34166", dup314); - -var msg35949 = msg("34167", dup314); - -var msg35950 = msg("34168", dup314); - -var msg35951 = msg("34169", dup314); - -var msg35952 = msg("34170", dup311); - -var msg35953 = msg("34171", dup311); - -var msg35954 = msg("34172", dup314); - -var msg35955 = msg("34173", dup314); - -var msg35956 = msg("34174", dup314); - -var msg35957 = msg("34175", dup314); - -var msg35958 = msg("34176", dup314); - -var msg35959 = msg("34177", dup314); - -var msg35960 = msg("34178", dup314); - -var msg35961 = msg("34179", dup314); - -var msg35962 = msg("34180", dup311); - -var msg35963 = msg("34181", dup321); - -var msg35964 = msg("34182", dup321); - -var msg35965 = msg("34183", dup321); - -var msg35966 = msg("34184", dup311); - -var msg35967 = msg("34185", dup311); - -var msg35968 = msg("34186", dup311); - -var msg35969 = msg("34187", dup311); - -var msg35970 = msg("34188", dup311); - -var msg35971 = msg("34189", dup311); - -var msg35972 = msg("34190", dup314); - -var msg35973 = msg("34191", dup314); - -var msg35974 = msg("34192", dup314); - -var msg35975 = msg("34193", dup314); - -var msg35976 = msg("34194", dup314); - -var msg35977 = msg("34195", dup325); - -var msg35978 = msg("34196", dup325); - -var msg35979 = msg("34197", dup325); - -var msg35980 = msg("34198", dup325); - -var msg35981 = msg("34199", dup325); - -var msg35982 = msg("34200", dup325); - -var msg35983 = msg("34201", dup325); - -var msg35984 = msg("34202", dup325); - -var msg35985 = msg("34203", dup325); - -var msg35986 = msg("34204", dup325); - -var msg35987 = msg("34205", dup325); - -var msg35988 = msg("34206", dup325); - -var msg35989 = msg("34207", dup325); - -var msg35990 = msg("34208", dup325); - -var msg35991 = msg("34209", dup325); - -var msg35992 = msg("34210", dup325); - -var msg35993 = 
msg("34211", dup325); - -var msg35994 = msg("34212", dup325); - -var msg35995 = msg("34213", dup324); - -var msg35996 = msg("34214", dup321); - -var msg35997 = msg("34215", dup311); - -var msg35998 = msg("34216", dup321); - -var msg35999 = msg("34217", dup321); - -var msg36000 = msg("34218", dup321); - -var msg36001 = msg("34219", dup321); - -var msg36002 = msg("34220", dup316); - -var msg36003 = msg("34221", dup316); - -var msg36004 = msg("34222", dup316); - -var msg36005 = msg("34223", dup321); - -var msg36006 = msg("34224", dup316); - -var msg36007 = msg("34225", dup333); - -var msg36008 = msg("34226", dup323); - -var msg36009 = msg("34227", dup323); - -var msg36010 = msg("34228", dup311); - -var msg36011 = msg("34229", dup311); - -var msg36012 = msg("34230", dup311); - -var msg36013 = msg("34231", dup311); - -var msg36014 = msg("34232", dup314); - -var msg36015 = msg("34233", dup314); - -var msg36016 = msg("34234", dup314); - -var msg36017 = msg("34235", dup314); - -var msg36018 = msg("34236", dup321); - -var msg36019 = msg("34237", dup321); - -var msg36020 = msg("34238", dup307); - -var msg36021 = msg("34239", dup307); - -var msg36022 = msg("34240", dup314); - -var msg36023 = msg("34241", dup314); - -var msg36024 = msg("34242", dup314); - -var msg36025 = msg("34243", dup314); - -var msg36026 = msg("34244", dup314); - -var msg36027 = msg("34245", dup314); - -var msg36028 = msg("34246", dup321); - -var msg36029 = msg("34247", dup314); - -var msg36030 = msg("34248", dup314); - -var msg36031 = msg("34249", dup314); - -var msg36032 = msg("34250", dup314); - -var msg36033 = msg("34251", dup324); - -var msg36034 = msg("34252", dup324); - -var msg36035 = msg("34253", dup324); - -var msg36036 = msg("34254", dup324); - -var msg36037 = msg("34255", dup314); - -var msg36038 = msg("34256", dup314); - -var msg36039 = msg("34257", dup314); - -var msg36040 = msg("34258", dup314); - -var msg36041 = msg("34259", dup314); - -var msg36042 = msg("34260", dup314); - -var msg36043 = 
msg("34261", dup324); - -var msg36044 = msg("34262", dup324); - -var msg36045 = msg("34263", dup324); - -var msg36046 = msg("34264", dup309); - -var msg36047 = msg("34265", dup309); - -var msg36048 = msg("34266", dup309); - -var msg36049 = msg("34267", dup309); - -var msg36050 = msg("34268", dup309); - -var msg36051 = msg("34269", dup309); - -var msg36052 = msg("34270", dup309); - -var msg36053 = msg("34271", dup309); - -var msg36054 = msg("34272", dup314); - -var msg36055 = msg("34273", dup314); - -var msg36056 = msg("34274", dup314); - -var msg36057 = msg("34275", dup314); - -var msg36058 = msg("34276", dup309); - -var msg36059 = msg("34277", dup309); - -var msg36060 = msg("34278", dup309); - -var msg36061 = msg("34279", dup309); - -var msg36062 = msg("34280", dup321); - -var msg36063 = msg("34281", dup321); - -var msg36064 = msg("34282", dup321); - -var msg36065 = msg("34283", dup321); - -var msg36066 = msg("34284", dup311); - -var msg36067 = msg("34285", dup311); - -var msg36068 = msg("34286", dup321); - -var msg36069 = msg("34287", dup314); - -var msg36070 = msg("34288", dup324); - -var msg36071 = msg("34289", dup321); - -var msg36072 = msg("34290", dup321); - -var msg36073 = msg("34291", dup325); - -var msg36074 = msg("34292", dup321); - -var msg36075 = msg("34293", dup309); - -var msg36076 = msg("34294", dup309); - -var msg36077 = msg("34295", dup322); - -var msg36078 = msg("34296", dup321); - -var msg36079 = msg("34297", dup321); - -var msg36080 = msg("34298", dup314); - -var msg36081 = msg("34299", dup325); - -var msg36082 = msg("34300", dup307); - -var msg36083 = msg("34301", dup314); - -var msg36084 = msg("34302", dup311); - -var msg36085 = msg("34303", dup311); - -var msg36086 = msg("34304", dup311); - -var msg36087 = msg("34305", dup311); - -var msg36088 = msg("34306", dup310); - -var msg36089 = msg("34307", dup321); - -var msg36090 = msg("34308", dup321); - -var msg36091 = msg("34309", dup321); - -var msg36092 = msg("34310", dup321); - -var msg36093 = 
msg("34311", dup321); - -var msg36094 = msg("34312", dup321); - -var msg36095 = msg("34313", dup321); - -var msg36096 = msg("34314", dup321); - -var msg36097 = msg("34315", dup321); - -var msg36098 = msg("34316", dup321); - -var msg36099 = msg("34317", dup321); - -var msg36100 = msg("34318", dup321); - -var msg36101 = msg("34319", dup321); - -var msg36102 = msg("34320", dup325); - -var msg36103 = msg("34321", dup325); - -var msg36104 = msg("34322", dup321); - -var msg36105 = msg("34323", dup321); - -var msg36106 = msg("34324", dup321); - -var msg36107 = msg("34325", dup321); - -var msg36108 = msg("34326", dup321); - -var msg36109 = msg("34327", dup321); - -var msg36110 = msg("34328", dup314); - -var msg36111 = msg("34329", dup321); - -var msg36112 = msg("34330", dup311); - -var msg36113 = msg("34331", dup311); - -var msg36114 = msg("34332", dup311); - -var msg36115 = msg("34333", dup311); - -var msg36116 = msg("34334", dup311); - -var msg36117 = msg("34335", dup311); - -var msg36118 = msg("34336", dup321); - -var msg36119 = msg("34337", dup321); - -var msg36120 = msg("34338", dup321); - -var msg36121 = msg("34339", dup321); - -var msg36122 = msg("34340", dup314); - -var msg36123 = msg("34341", dup314); - -var msg36124 = msg("34342", dup314); - -var msg36125 = msg("34343", dup309); - -var msg36126 = msg("34344", dup309); - -var msg36127 = msg("34345", dup314); - -var msg36128 = msg("34346", dup321); - -var msg36129 = msg("34347", dup321); - -var msg36130 = msg("34348", dup311); - -var msg36131 = msg("34349", dup309); - -var msg36132 = msg("34350", dup309); - -var msg36133 = msg("34351", dup309); - -var msg36134 = msg("34352", dup309); - -var msg36135 = msg("34353", dup309); - -var msg36136 = msg("34354", dup311); - -var msg36137 = msg("34355", dup311); - -var msg36138 = msg("34356", dup311); - -var msg36139 = msg("34357", dup311); - -var msg36140 = msg("34358", dup311); - -var msg36141 = msg("34359", dup314); - -var msg36142 = msg("34360", dup314); - -var msg36143 = 
msg("34361", dup314); - -var msg36144 = msg("34362", dup321); - -var msg36145 = msg("34363", dup322); - -var msg36146 = msg("34364", dup314); - -var msg36147 = msg("34365", dup311); - -var msg36148 = msg("34366", dup321); - -var msg36149 = msg("34367", dup321); - -var msg36150 = msg("34368", dup321); - -var msg36151 = msg("34369", dup316); - -var msg36152 = msg("34370", dup321); - -var msg36153 = msg("34371", dup311); - -var msg36154 = msg("34372", dup311); - -var msg36155 = msg("34373", dup307); - -var msg36156 = msg("34374", dup307); - -var msg36157 = msg("34375", dup307); - -var msg36158 = msg("34376", dup307); - -var msg36159 = msg("34377", dup314); - -var msg36160 = msg("34378", dup314); - -var msg36161 = msg("34379", dup325); - -var msg36162 = msg("34380", dup325); - -var msg36163 = msg("34381", dup325); - -var msg36164 = msg("34382", dup325); - -var msg36165 = msg("34383", dup311); - -var msg36166 = msg("34384", dup311); - -var msg36167 = msg("34385", dup311); - -var msg36168 = msg("34386", dup311); - -var msg36169 = msg("34387", dup314); - -var msg36170 = msg("34388", dup314); - -var msg36171 = msg("34389", dup314); - -var msg36172 = msg("34390", dup314); - -var msg36173 = msg("34391", dup325); - -var msg36174 = msg("34392", dup325); - -var msg36175 = msg("34393", dup323); - -var msg36176 = msg("34394", dup323); - -var msg36177 = msg("34395", dup314); - -var msg36178 = msg("34396", dup314); - -var msg36179 = msg("34397", dup314); - -var msg36180 = msg("34398", dup314); - -var msg36181 = msg("34399", dup311); - -var msg36182 = msg("34400", dup311); - -var msg36183 = msg("34401", dup311); - -var msg36184 = msg("34402", dup311); - -var msg36185 = msg("34403", dup314); - -var msg36186 = msg("34404", dup314); - -var msg36187 = msg("34405", dup325); - -var msg36188 = msg("34406", dup325); - -var msg36189 = msg("34407", dup325); - -var msg36190 = msg("34408", dup325); - -var msg36191 = msg("34409", dup325); - -var msg36192 = msg("34410", dup325); - -var msg36193 = 
msg("34411", dup325); - -var msg36194 = msg("34412", dup325); - -var msg36195 = msg("34413", dup314); - -var msg36196 = msg("34414", dup314); - -var msg36197 = msg("34415", dup325); - -var msg36198 = msg("34416", dup325); - -var msg36199 = msg("34417", dup325); - -var msg36200 = msg("34418", dup325); - -var msg36201 = msg("34419", dup325); - -var msg36202 = msg("34420", dup325); - -var msg36203 = msg("34421", dup325); - -var msg36204 = msg("34422", dup325); - -var msg36205 = msg("34423", dup325); - -var msg36206 = msg("34424", dup325); - -var msg36207 = msg("34425", dup325); - -var msg36208 = msg("34426", dup314); - -var msg36209 = msg("34427", dup314); - -var msg36210 = msg("34428", dup309); - -var msg36211 = msg("34429", dup309); - -var msg36212 = msg("34430", dup325); - -var msg36213 = msg("34431", dup325); - -var msg36214 = msg("34432", dup325); - -var msg36215 = msg("34433", dup325); - -var msg36216 = msg("34434", dup324); - -var msg36217 = msg("34435", dup324); - -var msg36218 = msg("34436", dup325); - -var msg36219 = msg("34437", dup325); - -var msg36220 = msg("34438", dup309); - -var msg36221 = msg("34439", dup309); - -var msg36222 = msg("34440", dup314); - -var msg36223 = msg("34441", dup314); - -var msg36224 = msg("34442", dup314); - -var msg36225 = msg("34443", dup314); - -var msg36226 = msg("34444", dup325); - -var msg36227 = msg("34445", dup325); - -var msg36228 = msg("34446", dup321); - -var msg36229 = msg("34447", dup333); - -var msg36230 = msg("34448", dup314); - -var msg36231 = msg("34449", dup314); - -var msg36232 = msg("34450", dup314); - -var msg36233 = msg("34451", dup314); - -var msg36234 = msg("34452", dup321); - -var msg36235 = msg("34453", dup321); - -var msg36236 = msg("34454", dup314); - -var msg36237 = msg("34455", dup314); - -var msg36238 = msg("34456", dup314); - -var msg36239 = msg("34457", dup314); - -var msg36240 = msg("34458", dup321); - -var msg36241 = msg("34459", dup321); - -var msg36242 = msg("34460", dup321); - -var msg36243 = 
msg("34461", dup321); - -var msg36244 = msg("34462", dup321); - -var msg36245 = msg("34463", dup314); - -var msg36246 = msg("34464", dup311); - -var msg36247 = msg("34465", dup325); - -var msg36248 = msg("34466", dup311); - -var msg36249 = msg("34467", dup311); - -var msg36250 = msg("34468", dup321); - -var msg36251 = msg("34469", dup321); - -var msg36252 = msg("34470", dup321); - -var msg36253 = msg("34471", dup314); - -var msg36254 = msg("34472", dup322); - -var msg36255 = msg("34473", dup314); - -var msg36256 = msg("34474", dup314); - -var all63 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup87, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var msg36257 = msg("34475", all63); - -var msg36258 = msg("34476", dup323); - -var msg36259 = msg("34477", dup314); - -var msg36260 = msg("34478", dup314); - -var msg36261 = msg("34479", dup311); - -var msg36262 = msg("34480", dup311); - -var msg36263 = msg("34481", dup309); - -var msg36264 = msg("34482", dup309); - -var msg36265 = msg("34483", dup309); - -var msg36266 = msg("34484", dup309); - -var msg36267 = msg("34485", dup309); - -var msg36268 = msg("34486", dup309); - -var msg36269 = msg("34487", dup309); - -var msg36270 = msg("34488", dup309); - -var msg36271 = msg("34489", dup321); - -var msg36272 = msg("34490", dup321); - -var msg36273 = msg("34491", dup321); - -var msg36274 = msg("34492", dup314); - -var msg36275 = msg("34493", dup314); - -var msg36276 = msg("34494", dup314); - -var msg36277 = msg("34495", dup314); - -var msg36278 = msg("34496", dup327); - -var msg36279 = msg("34497", dup327); - -var msg36280 = msg("34498", dup314); - -var msg36281 = msg("34499", dup314); - -var msg36282 = msg("34500", dup321); - -var msg36283 = msg("34501", dup321); - -var msg36284 = msg("34502", dup311); - -var msg36285 = msg("34503", dup311); - -var msg36286 = 
msg("34504", dup311); - -var msg36287 = msg("34505", dup311); - -var msg36288 = msg("34506", dup311); - -var msg36289 = msg("34507", dup311); - -var msg36290 = msg("34508", dup311); - -var msg36291 = msg("34509", dup311); - -var msg36292 = msg("34510", dup311); - -var msg36293 = msg("34511", dup311); - -var msg36294 = msg("34512", dup311); - -var msg36295 = msg("34513", dup311); - -var msg36296 = msg("34514", dup314); - -var msg36297 = msg("34515", dup314); - -var msg36298 = msg("34516", dup314); - -var msg36299 = msg("34517", dup314); - -var msg36300 = msg("34518", dup311); - -var msg36301 = msg("34519", dup311); - -var msg36302 = msg("34520", dup311); - -var msg36303 = msg("34521", dup311); - -var msg36304 = msg("34522", dup311); - -var msg36305 = msg("34523", dup311); - -var msg36306 = msg("34524", dup311); - -var msg36307 = msg("34525", dup311); - -var msg36308 = msg("34526", dup311); - -var msg36309 = msg("34527", dup311); - -var msg36310 = msg("34528", dup314); - -var msg36311 = msg("34529", dup314); - -var msg36312 = msg("34530", dup323); - -var msg36313 = msg("34531", dup323); - -var msg36314 = msg("34532", dup325); - -var msg36315 = msg("34533", dup325); - -var msg36316 = msg("34534", dup314); - -var msg36317 = msg("34535", dup314); - -var msg36318 = msg("34536", dup314); - -var msg36319 = msg("34537", dup314); - -var msg36320 = msg("34538", dup314); - -var msg36321 = msg("34539", dup314); - -var msg36322 = msg("34540", dup321); - -var msg36323 = msg("34541", dup321); - -var msg36324 = msg("34542", dup314); - -var msg36325 = msg("34543", dup314); - -var msg36326 = msg("34544", dup314); - -var msg36327 = msg("34545", dup314); - -var msg36328 = msg("34546", dup314); - -var msg36329 = msg("34547", dup314); - -var msg36330 = msg("34548", dup314); - -var msg36331 = msg("34549", dup314); - -var msg36332 = msg("34550", dup307); - -var msg36333 = msg("34551", dup307); - -var msg36334 = msg("34552", dup311); - -var msg36335 = msg("34553", dup309); - -var msg36336 = 
msg("34554", dup309); - -var msg36337 = msg("34555", dup309); - -var msg36338 = msg("34556", dup309); - -var msg36339 = msg("34557", dup307); - -var msg36340 = msg("34558", dup307); - -var msg36341 = msg("34559", dup314); - -var msg36342 = msg("34560", dup314); - -var msg36343 = msg("34561", dup311); - -var msg36344 = msg("34562", dup311); - -var msg36345 = msg("34563", dup311); - -var msg36346 = msg("34564", dup311); - -var msg36347 = msg("34565", dup311); - -var msg36348 = msg("34566", dup309); - -var msg36349 = msg("34567", dup321); - -var msg36350 = msg("34568", dup314); - -var msg36351 = msg("34569", dup314); - -var msg36352 = msg("34570", dup321); - -var msg36353 = msg("34571", dup321); - -var msg36354 = msg("34572", dup321); - -var msg36355 = msg("34573", dup314); - -var msg36356 = msg("34574", dup314); - -var msg36357 = msg("34575", dup314); - -var msg36358 = msg("34576", dup314); - -var msg36359 = msg("34577", dup314); - -var msg36360 = msg("34578", dup314); - -var msg36361 = msg("34579", dup314); - -var msg36362 = msg("34580", dup314); - -var msg36363 = msg("34581", dup321); - -var msg36364 = msg("34582", dup314); - -var msg36365 = msg("34583", dup314); - -var msg36366 = msg("34584", dup314); - -var msg36367 = msg("34585", dup314); - -var msg36368 = msg("34586", dup314); - -var msg36369 = msg("34587", dup314); - -var msg36370 = msg("34588", dup314); - -var msg36371 = msg("34589", dup314); - -var msg36372 = msg("34590", dup314); - -var msg36373 = msg("34591", dup314); - -var msg36374 = msg("34592", dup314); - -var msg36375 = msg("34593", dup314); - -var msg36376 = msg("34594", dup314); - -var msg36377 = msg("34595", dup314); - -var msg36378 = msg("34596", dup339); - -var msg36379 = msg("34597", dup339); - -var msg36380 = msg("34598", dup339); - -var msg36381 = msg("34599", dup339); - -var msg36382 = msg("34600", dup339); - -var msg36383 = msg("34601", dup339); - -var msg36384 = msg("34602", dup340); - -var msg36385 = msg("34603", dup341); - -var msg36386 = 
msg("34604", dup340); - -var msg36387 = msg("34605", dup340); - -var msg36388 = msg("34606", dup340); - -var msg36389 = msg("34607", dup342); - -var msg36390 = msg("34608", dup339); - -var msg36391 = msg("34609", dup339); - -var msg36392 = msg("34610", dup339); - -var msg36393 = msg("34611", dup339); - -var msg36394 = msg("34612", dup343); - -var msg36395 = msg("34613", dup343); - -var msg36396 = msg("34614", dup339); - -var msg36397 = msg("34615", dup344); - -var msg36398 = msg("34616", dup344); - -var msg36399 = msg("34617", dup344); - -var msg36400 = msg("34618", dup344); - -var msg36401 = msg("34619", dup340); - -var msg36402 = msg("34620", dup340); - -var msg36403 = msg("34621", dup340); - -var msg36404 = msg("34622", dup339); - -var msg36405 = msg("34623", dup341); - -var msg36406 = msg("34624", dup339); - -var msg36407 = msg("34625", dup343); - -var msg36408 = msg("34626", dup343); - -var msg36409 = msg("34627", dup343); - -var msg36410 = msg("34628", dup343); - -var msg36411 = msg("34629", dup340); - -var msg36412 = msg("34630", dup340); - -var msg36413 = msg("34631", dup340); - -var msg36414 = msg("34632", dup341); - -var msg36415 = msg("34633", dup340); - -var msg36416 = msg("34634", dup340); - -var msg36417 = msg("34635", dup340); - -var msg36418 = msg("34636", dup339); - -var msg36419 = msg("34637", dup339); - -var msg36420 = msg("34638", dup340); - -var msg36421 = msg("34639", dup340); - -var msg36422 = msg("34640", dup340); - -var msg36423 = msg("34641", dup345); - -var msg36424 = msg("34642", dup345); - -var msg36425 = msg("34643", dup340); - -var msg36426 = msg("34644", dup340); - -var msg36427 = msg("34645", dup341); - -var msg36428 = msg("34646", dup346); - -var msg36429 = msg("34647", dup346); - -var msg36430 = msg("34648", dup346); - -var msg36431 = msg("34649", dup345); - -var msg36432 = msg("34650", dup341); - -var msg36433 = msg("34651", dup341); - -var msg36434 = msg("34652", dup340); - -var msg36435 = msg("34653", dup340); - -var msg36436 = 
msg("34654", dup339); - -var msg36437 = msg("34655", dup339); - -var msg36438 = msg("34656", dup339); - -var msg36439 = msg("34657", dup339); - -var msg36440 = msg("34658", dup339); - -var msg36441 = msg("34659", dup339); - -var msg36442 = msg("34660", dup339); - -var msg36443 = msg("34661", dup339); - -var msg36444 = msg("34662", dup339); - -var msg36445 = msg("34663", dup339); - -var msg36446 = msg("34664", dup339); - -var msg36447 = msg("34665", dup339); - -var msg36448 = msg("34666", dup339); - -var msg36449 = msg("34667", dup339); - -var msg36450 = msg("34668", dup339); - -var msg36451 = msg("34669", dup339); - -var msg36452 = msg("34670", dup339); - -var msg36453 = msg("34671", dup339); - -var msg36454 = msg("34672", dup339); - -var msg36455 = msg("34673", dup339); - -var msg36456 = msg("34674", dup339); - -var msg36457 = msg("34675", dup339); - -var msg36458 = msg("34676", dup339); - -var msg36459 = msg("34677", dup339); - -var msg36460 = msg("34678", dup339); - -var msg36461 = msg("34679", dup339); - -var msg36462 = msg("34680", dup339); - -var msg36463 = msg("34681", dup339); - -var msg36464 = msg("34682", dup339); - -var msg36465 = msg("34683", dup339); - -var msg36466 = msg("34684", dup339); - -var msg36467 = msg("34685", dup339); - -var msg36468 = msg("34686", dup339); - -var msg36469 = msg("34687", dup339); - -var msg36470 = msg("34688", dup339); - -var msg36471 = msg("34689", dup339); - -var msg36472 = msg("34690", dup339); - -var msg36473 = msg("34691", dup339); - -var msg36474 = msg("34692", dup339); - -var msg36475 = msg("34693", dup339); - -var msg36476 = msg("34694", dup339); - -var msg36477 = msg("34695", dup339); - -var msg36478 = msg("34696", dup339); - -var msg36479 = msg("34697", dup339); - -var msg36480 = msg("34698", dup339); - -var msg36481 = msg("34699", dup339); - -var msg36482 = msg("34700", dup339); - -var msg36483 = msg("34701", dup339); - -var msg36484 = msg("34702", dup339); - -var msg36485 = msg("34703", dup339); - -var msg36486 = 
msg("34704", dup339); - -var msg36487 = msg("34705", dup339); - -var msg36488 = msg("34706", dup339); - -var msg36489 = msg("34707", dup339); - -var msg36490 = msg("34708", dup339); - -var msg36491 = msg("34709", dup345); - -var msg36492 = msg("34710", dup347); - -var msg36493 = msg("34711", dup339); - -var msg36494 = msg("34712", dup339); - -var msg36495 = msg("34713", dup339); - -var msg36496 = msg("34714", dup341); - -var msg36497 = msg("34715", dup341); - -var msg36498 = msg("34716", dup340); - -var msg36499 = msg("34717", dup340); - -var msg36500 = msg("34718", dup340); - -var msg36501 = msg("34719", dup347); - -var msg36502 = msg("34720", dup347); - -var msg36503 = msg("34721", dup342); - -var msg36504 = msg("34722", dup342); - -var msg36505 = msg("34723", dup342); - -var msg36506 = msg("34724", dup342); - -var msg36507 = msg("34725", dup342); - -var msg36508 = msg("34726", dup342); - -var msg36509 = msg("34727", dup342); - -var msg36510 = msg("34728", dup342); - -var msg36511 = msg("34729", dup347); - -var msg36512 = msg("34730", dup347); - -var msg36513 = msg("34731", dup341); - -var msg36514 = msg("34732", dup341); - -var msg36515 = msg("34733", dup342); - -var msg36516 = msg("34734", dup342); - -var msg36517 = msg("34735", dup342); - -var msg36518 = msg("34736", dup342); - -var msg36519 = msg("34737", dup341); - -var msg36520 = msg("34738", dup341); - -var msg36521 = msg("34739", dup341); - -var msg36522 = msg("34740", dup341); - -var msg36523 = msg("34741", dup340); - -var msg36524 = msg("34742", dup340); - -var msg36525 = msg("34743", dup341); - -var msg36526 = msg("34744", dup341); - -var msg36527 = msg("34745", dup342); - -var msg36528 = msg("34746", dup342); - -var msg36529 = msg("34747", dup342); - -var msg36530 = msg("34748", dup342); - -var msg36531 = msg("34749", dup342); - -var msg36532 = msg("34750", dup342); - -var msg36533 = msg("34751", dup342); - -var msg36534 = msg("34752", dup342); - -var msg36535 = msg("34753", dup342); - -var msg36536 = 
msg("34754", dup342); - -var msg36537 = msg("34755", dup347); - -var msg36538 = msg("34756", dup347); - -var msg36539 = msg("34757", dup347); - -var msg36540 = msg("34758", dup347); - -var msg36541 = msg("34759", dup342); - -var msg36542 = msg("34760", dup342); - -var msg36543 = msg("34761", dup343); - -var msg36544 = msg("34762", dup343); - -var msg36545 = msg("34763", dup341); - -var msg36546 = msg("34764", dup341); - -var msg36547 = msg("34765", dup342); - -var msg36548 = msg("34766", dup342); - -var msg36549 = msg("34767", dup342); - -var msg36550 = msg("34768", dup342); - -var msg36551 = msg("34769", dup347); - -var msg36552 = msg("34770", dup340); - -var msg36553 = msg("34771", dup340); - -var msg36554 = msg("34772", dup342); - -var msg36555 = msg("34773", dup342); - -var msg36556 = msg("34774", dup347); - -var msg36557 = msg("34775", dup347); - -var msg36558 = msg("34776", dup340); - -var msg36559 = msg("34777", dup340); - -var msg36560 = msg("34778", dup342); - -var msg36561 = msg("34779", dup342); - -var msg36562 = msg("34780", dup347); - -var msg36563 = msg("34781", dup347); - -var msg36564 = msg("34782", dup340); - -var msg36565 = msg("34783", dup340); - -var msg36566 = msg("34784", dup340); - -var msg36567 = msg("34785", dup340); - -var msg36568 = msg("34786", dup347); - -var msg36569 = msg("34787", dup347); - -var msg36570 = msg("34788", dup340); - -var msg36571 = msg("34789", dup340); - -var msg36572 = msg("34790", dup342); - -var msg36573 = msg("34791", dup342); - -var msg36574 = msg("34792", dup340); - -var msg36575 = msg("34793", dup340); - -var msg36576 = msg("34794", dup347); - -var msg36577 = msg("34795", dup347); - -var msg36578 = msg("34796", dup347); - -var msg36579 = msg("34797", dup347); - -var msg36580 = msg("34798", dup341); - -var msg36581 = msg("34799", dup348); - -var msg36582 = msg("34800", dup346); - -var msg36583 = msg("34801", dup346); - -var msg36584 = msg("34802", dup345); - -var msg36585 = msg("34803", dup340); - -var msg36586 = 
msg("34804", dup340); - -var msg36587 = msg("34805", dup340); - -var msg36588 = msg("34806", dup340); - -var msg36589 = msg("34807", dup347); - -var msg36590 = msg("34808", dup347); - -var msg36591 = msg("34809", dup347); - -var msg36592 = msg("34810", dup347); - -var msg36593 = msg("34811", dup340); - -var msg36594 = msg("34812", dup340); - -var msg36595 = msg("34813", dup340); - -var msg36596 = msg("34814", dup340); - -var msg36597 = msg("34815", dup340); - -var msg36598 = msg("34816", dup347); - -var msg36599 = msg("34817", dup347); - -var msg36600 = msg("34818", dup339); - -var msg36601 = msg("34819", dup340); - -var msg36602 = msg("34820", dup340); - -var msg36603 = msg("34821", dup340); - -var msg36604 = msg("34822", dup340); - -var msg36605 = msg("34823", dup340); - -var msg36606 = msg("34824", dup342); - -var msg36607 = msg("34825", dup342); - -var msg36608 = msg("34826", dup339); - -var msg36609 = msg("34827", dup339); - -var msg36610 = msg("34828", dup339); - -var msg36611 = msg("34829", dup339); - -var msg36612 = msg("34830", dup339); - -var msg36613 = msg("34831", dup339); - -var msg36614 = msg("34832", dup339); - -var msg36615 = msg("34833", dup339); - -var all64 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup180, - dup181, - ], - on_success: processor_chain([ - dup44, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var msg36616 = msg("34834", all64); - -var msg36617 = msg("34835", dup339); - -var msg36618 = msg("34836", dup347); - -var msg36619 = msg("34837", dup347); - -var msg36620 = msg("34838", dup347); - -var msg36621 = msg("34839", dup347); - -var msg36622 = msg("34840", dup347); - -var msg36623 = msg("34841", dup347); - -var msg36624 = msg("34842", dup347); - -var msg36625 = msg("34843", dup342); - -var msg36626 = msg("34844", dup339); - -var msg36627 = msg("34845", dup340); - -var msg36628 = msg("34846", dup340); - -var msg36629 = 
msg("34847", dup339); - -var msg36630 = msg("34848", dup341); - -var msg36631 = msg("34849", dup341); - -var msg36632 = msg("34850", dup341); - -var msg36633 = msg("34851", dup341); - -var msg36634 = msg("34852", dup339); - -var msg36635 = msg("34853", dup340); - -var msg36636 = msg("34854", dup340); - -var msg36637 = msg("34855", dup340); - -var msg36638 = msg("34856", dup340); - -var msg36639 = msg("34857", dup339); - -var msg36640 = msg("34858", dup340); - -var msg36641 = msg("34859", dup340); - -var msg36642 = msg("34860", dup340); - -var msg36643 = msg("34861", dup340); - -var msg36644 = msg("34862", dup339); - -var msg36645 = msg("34863", dup339); - -var msg36646 = msg("34864", dup340); - -var msg36647 = msg("34865", dup339); - -var msg36648 = msg("34866", dup339); - -var msg36649 = msg("34867", dup339); - -var msg36650 = msg("34868", dup339); - -var msg36651 = msg("34869", dup339); - -var msg36652 = msg("34870", dup339); - -var msg36653 = msg("34871", dup339); - -var msg36654 = msg("34872", dup339); - -var msg36655 = msg("34873", dup342); - -var msg36656 = msg("34874", dup342); - -var msg36657 = msg("34875", dup340); - -var msg36658 = msg("34876", dup339); - -var msg36659 = msg("34877", dup339); - -var msg36660 = msg("34878", dup342); - -var msg36661 = msg("34879", dup342); - -var msg36662 = msg("34880", dup342); - -var msg36663 = msg("34881", dup340); - -var msg36664 = msg("34882", dup340); - -var msg36665 = msg("34883", dup340); - -var msg36666 = msg("34884", dup343); - -var msg36667 = msg("34885", dup343); - -var msg36668 = msg("34886", dup339); - -var msg36669 = msg("34887", dup339); - -var msg36670 = msg("34888", dup339); - -var msg36671 = msg("34889", dup341); - -var msg36672 = msg("34890", dup347); - -var msg36673 = msg("34891", dup347); - -var msg36674 = msg("34892", dup347); - -var msg36675 = msg("34893", dup347); - -var msg36676 = msg("34894", dup347); - -var msg36677 = msg("34895", dup347); - -var msg36678 = msg("34896", dup347); - -var msg36679 = 
msg("34897", dup347); - -var msg36680 = msg("34898", dup347); - -var msg36681 = msg("34899", dup347); - -var msg36682 = msg("34900", dup347); - -var msg36683 = msg("34901", dup347); - -var msg36684 = msg("34902", dup344); - -var msg36685 = msg("34903", dup347); - -var msg36686 = msg("34904", dup347); - -var msg36687 = msg("34905", dup347); - -var msg36688 = msg("34906", dup347); - -var msg36689 = msg("34907", dup347); - -var msg36690 = msg("34908", dup347); - -var msg36691 = msg("34909", dup344); - -var msg36692 = msg("34910", dup344); - -var msg36693 = msg("34911", dup347); - -var msg36694 = msg("34912", dup347); - -var msg36695 = msg("34913", dup347); - -var msg36696 = msg("34914", dup347); - -var msg36697 = msg("34915", dup349); - -var msg36698 = msg("34916", dup349); - -var msg36699 = msg("34917", dup339); - -var msg36700 = msg("34918", dup340); - -var msg36701 = msg("34919", dup340); - -var msg36702 = msg("34920", dup340); - -var msg36703 = msg("34921", dup340); - -var msg36704 = msg("34922", dup340); - -var msg36705 = msg("34923", dup340); - -var msg36706 = msg("34924", dup341); - -var msg36707 = msg("34925", dup341); - -var msg36708 = msg("34926", dup339); - -var msg36709 = msg("34927", dup339); - -var msg36710 = msg("34928", dup339); - -var msg36711 = msg("34929", dup339); - -var msg36712 = msg("34930", dup339); - -var msg36713 = msg("34931", dup339); - -var msg36714 = msg("34932", dup339); - -var msg36715 = msg("34933", dup347); - -var msg36716 = msg("34934", dup339); - -var msg36717 = msg("34935", dup339); - -var msg36718 = msg("34936", dup339); - -var msg36719 = msg("34937", dup341); - -var msg36720 = msg("34938", dup341); - -var msg36721 = msg("34939", dup341); - -var msg36722 = msg("34940", dup341); - -var msg36723 = msg("34941", dup341); - -var msg36724 = msg("34942", dup341); - -var msg36725 = msg("34943", dup341); - -var msg36726 = msg("34944", dup340); - -var msg36727 = msg("34945", dup339); - -var msg36728 = msg("34946", dup340); - -var msg36729 = 
msg("34947", dup340); - -var msg36730 = msg("34948", dup347); - -var msg36731 = msg("34949", dup347); - -var msg36732 = msg("34950", dup339); - -var msg36733 = msg("34951", dup340); - -var msg36734 = msg("34952", dup345); - -var msg36735 = msg("34953", dup345); - -var msg36736 = msg("34954", dup345); - -var msg36737 = msg("34955", dup345); - -var msg36738 = msg("34956", dup345); - -var msg36739 = msg("34957", dup339); - -var msg36740 = msg("34958", dup339); - -var msg36741 = msg("34959", dup339); - -var msg36742 = msg("34960", dup340); - -var msg36743 = msg("34961", dup340); - -var msg36744 = msg("34962", dup340); - -var msg36745 = msg("34963", dup339); - -var msg36746 = msg("34964", dup339); - -var msg36747 = msg("34965", dup339); - -var msg36748 = msg("34966", dup339); - -var msg36749 = msg("34967", dup341); - -var msg36750 = msg("34968", dup340); - -var msg36751 = msg("34969", dup347); - -var msg36752 = msg("34970", dup347); - -var msg36753 = msg("34971", dup340); - -var msg36754 = msg("34972", dup340); - -var msg36755 = msg("34973", dup341); - -var msg36756 = msg("34974", dup341); - -var msg36757 = msg("34975", dup341); - -var msg36758 = msg("34976", dup340); - -var msg36759 = msg("34977", dup340); - -var msg36760 = msg("34978", dup340); - -var msg36761 = msg("34979", dup340); - -var msg36762 = msg("34980", dup340); - -var msg36763 = msg("34981", dup340); - -var msg36764 = msg("34982", dup339); - -var msg36765 = msg("34983", dup340); - -var msg36766 = msg("34984", dup341); - -var msg36767 = msg("34985", dup341); - -var msg36768 = msg("34986", dup341); - -var msg36769 = msg("34987", dup341); - -var msg36770 = msg("34988", dup341); - -var msg36771 = msg("34989", dup341); - -var msg36772 = msg("34990", dup347); - -var msg36773 = msg("34991", dup347); - -var msg36774 = msg("34992", dup347); - -var msg36775 = msg("34993", dup339); - -var msg36776 = msg("34994", dup339); - -var msg36777 = msg("34995", dup339); - -var msg36778 = msg("34996", dup339); - -var msg36779 = 
msg("34997", dup350); - -var msg36780 = msg("34998", dup339); - -var msg36781 = msg("34999", dup346); - -var msg36782 = msg("35000", dup346); - -var msg36783 = msg("35001", dup340); - -var msg36784 = msg("35002", dup340); - -var msg36785 = msg("35003", dup339); - -var msg36786 = msg("35004", dup339); - -var msg36787 = msg("35005", dup339); - -var msg36788 = msg("35006", dup347); - -var msg36789 = msg("35007", dup347); - -var msg36790 = msg("35008", dup347); - -var msg36791 = msg("35009", dup347); - -var msg36792 = msg("35010", dup347); - -var msg36793 = msg("35011", dup347); - -var msg36794 = msg("35012", dup342); - -var msg36795 = msg("35013", dup342); - -var msg36796 = msg("35014", dup346); - -var msg36797 = msg("35015", dup346); - -var msg36798 = msg("35016", dup346); - -var msg36799 = msg("35017", dup346); - -var msg36800 = msg("35018", dup341); - -var msg36801 = msg("35019", dup341); - -var msg36802 = msg("35020", dup341); - -var msg36803 = msg("35021", dup341); - -var msg36804 = msg("35022", dup340); - -var msg36805 = msg("35023", dup340); - -var msg36806 = msg("35024", dup348); - -var msg36807 = msg("35025", dup348); - -var msg36808 = msg("35026", dup348); - -var msg36809 = msg("35027", dup342); - -var msg36810 = msg("35028", dup339); - -var msg36811 = msg("35029", dup339); - -var msg36812 = msg("35030", dup339); - -var msg36813 = msg("35031", dup339); - -var msg36814 = msg("35032", dup340); - -var msg36815 = msg("35033", dup340); - -var msg36816 = msg("35034", dup339); - -var msg36817 = msg("35035", dup339); - -var msg36818 = msg("35036", dup339); - -var msg36819 = msg("35037", dup339); - -var msg36820 = msg("35038", dup340); - -var msg36821 = msg("35039", dup339); - -var msg36822 = msg("35040", dup347); - -var msg36823 = msg("35041", dup347); - -var msg36824 = msg("35042", dup340); - -var msg36825 = msg("35043", dup340); - -var msg36826 = msg("35044", dup347); - -var msg36827 = msg("35045", dup347); - -var msg36828 = msg("35046", dup339); - -var msg36829 = 
msg("35047", dup339); - -var msg36830 = msg("35048", dup340); - -var msg36831 = msg("35049", dup340); - -var msg36832 = msg("35050", dup339); - -var msg36833 = msg("35051", dup340); - -var msg36834 = msg("35052", dup340); - -var msg36835 = msg("35053", dup342); - -var msg36836 = msg("35062", dup339); - -var msg36837 = msg("35063", dup339); - -var msg36838 = msg("35064", dup339); - -var msg36839 = msg("35065", dup339); - -var msg36840 = msg("35066", dup339); - -var msg36841 = msg("35067", dup339); - -var msg36842 = msg("35068", dup339); - -var msg36843 = msg("35069", dup339); - -var msg36844 = msg("35070", dup340); - -var msg36845 = msg("35071", dup340); - -var msg36846 = msg("35072", dup340); - -var msg36847 = msg("35073", dup340); - -var msg36848 = msg("35074", dup340); - -var msg36849 = msg("35075", dup340); - -var msg36850 = msg("35076", dup339); - -var msg36851 = msg("35077", dup346); - -var msg36852 = msg("35078", dup346); - -var msg36853 = msg("35079", dup346); - -var msg36854 = msg("35080", dup339); - -var msg36855 = msg("35081", dup339); - -var msg36856 = msg("35082", dup339); - -var msg36857 = msg("35083", dup339); - -var msg36858 = msg("35084", dup347); - -var msg36859 = msg("35085", dup347); - -var msg36860 = msg("35086", dup347); - -var msg36861 = msg("35087", dup347); - -var msg36862 = msg("35088", dup347); - -var msg36863 = msg("35089", dup347); - -var msg36864 = msg("35090", dup341); - -var msg36865 = msg("35091", dup341); - -var msg36866 = msg("35092", dup341); - -var msg36867 = msg("35093", dup341); - -var msg36868 = msg("35094", dup343); - -var msg36869 = msg("35095", dup347); - -var msg36870 = msg("35096", dup347); - -var msg36871 = msg("35097", dup343); - -var msg36872 = msg("35098", dup343); - -var msg36873 = msg("35099", dup339); - -var msg36874 = msg("35100", dup339); - -var msg36875 = msg("35101", dup339); - -var msg36876 = msg("35102", dup339); - -var msg36877 = msg("35103", dup339); - -var msg36878 = msg("35104", dup339); - -var msg36879 = 
msg("35105", dup340); - -var msg36880 = msg("35106", dup340); - -var msg36881 = msg("35107", dup340); - -var msg36882 = msg("35108", dup340); - -var msg36883 = msg("35109", dup347); - -var msg36884 = msg("35110", dup347); - -var msg36885 = msg("35111", dup340); - -var msg36886 = msg("35112", dup343); - -var msg36887 = msg("35113", dup343); - -var msg36888 = msg("35114", dup347); - -var msg36889 = msg("35115", dup347); - -var msg36890 = msg("35116", dup342); - -var msg36891 = msg("35117", dup342); - -var msg36892 = msg("35118", dup340); - -var msg36893 = msg("35119", dup342); - -var msg36894 = msg("35120", dup342); - -var msg36895 = msg("35121", dup342); - -var msg36896 = msg("35122", dup342); - -var msg36897 = msg("35123", dup342); - -var msg36898 = msg("35124", dup342); - -var msg36899 = msg("35125", dup342); - -var msg36900 = msg("35126", dup342); - -var msg36901 = msg("35127", dup342); - -var msg36902 = msg("35128", dup342); - -var msg36903 = msg("35129", dup341); - -var msg36904 = msg("35130", dup341); - -var msg36905 = msg("35131", dup340); - -var msg36906 = msg("35132", dup340); - -var msg36907 = msg("35133", dup342); - -var msg36908 = msg("35134", dup342); - -var msg36909 = msg("35135", dup347); - -var msg36910 = msg("35136", dup347); - -var msg36911 = msg("35137", dup341); - -var msg36912 = msg("35138", dup341); - -var msg36913 = msg("35139", dup342); - -var msg36914 = msg("35140", dup342); - -var msg36915 = msg("35141", dup341); - -var msg36916 = msg("35142", dup341); - -var msg36917 = msg("35143", dup341); - -var msg36918 = msg("35144", dup341); - -var msg36919 = msg("35145", dup342); - -var msg36920 = msg("35146", dup342); - -var msg36921 = msg("35147", dup342); - -var msg36922 = msg("35148", dup342); - -var msg36923 = msg("35149", dup340); - -var msg36924 = msg("35150", dup340); - -var msg36925 = msg("35151", dup341); - -var msg36926 = msg("35152", dup342); - -var msg36927 = msg("35153", dup342); - -var msg36928 = msg("35154", dup342); - -var msg36929 = 
msg("35155", dup342); - -var msg36930 = msg("35156", dup342); - -var msg36931 = msg("35157", dup342); - -var msg36932 = msg("35158", dup342); - -var msg36933 = msg("35159", dup342); - -var msg36934 = msg("35160", dup341); - -var msg36935 = msg("35161", dup341); - -var msg36936 = msg("35162", dup341); - -var msg36937 = msg("35163", dup341); - -var msg36938 = msg("35164", dup342); - -var msg36939 = msg("35165", dup342); - -var msg36940 = msg("35166", dup341); - -var msg36941 = msg("35167", dup341); - -var msg36942 = msg("35168", dup341); - -var msg36943 = msg("35169", dup341); - -var msg36944 = msg("35170", dup342); - -var msg36945 = msg("35171", dup342); - -var msg36946 = msg("35172", dup342); - -var msg36947 = msg("35173", dup342); - -var msg36948 = msg("35174", dup351); - -var msg36949 = msg("35175", dup351); - -var msg36950 = msg("35176", dup341); - -var msg36951 = msg("35177", dup341); - -var msg36952 = msg("35178", dup342); - -var msg36953 = msg("35179", dup342); - -var msg36954 = msg("35180", dup340); - -var msg36955 = msg("35181", dup340); - -var msg36956 = msg("35182", dup342); - -var msg36957 = msg("35183", dup342); - -var msg36958 = msg("35184", dup342); - -var msg36959 = msg("35185", dup342); - -var msg36960 = msg("35186", dup342); - -var msg36961 = msg("35187", dup342); - -var msg36962 = msg("35188", dup342); - -var msg36963 = msg("35189", dup342); - -var msg36964 = msg("35190", dup341); - -var msg36965 = msg("35191", dup341); - -var msg36966 = msg("35192", dup342); - -var msg36967 = msg("35193", dup342); - -var msg36968 = msg("35194", dup342); - -var msg36969 = msg("35195", dup342); - -var msg36970 = msg("35196", dup342); - -var msg36971 = msg("35197", dup342); - -var msg36972 = msg("35198", dup346); - -var msg36973 = msg("35199", dup342); - -var msg36974 = msg("35200", dup342); - -var msg36975 = msg("35201", dup341); - -var msg36976 = msg("35202", dup341); - -var msg36977 = msg("35203", dup342); - -var msg36978 = msg("35204", dup342); - -var msg36979 = 
msg("35205", dup342); - -var msg36980 = msg("35206", dup342); - -var msg36981 = msg("35207", dup342); - -var msg36982 = msg("35208", dup342); - -var msg36983 = msg("35209", dup342); - -var msg36984 = msg("35210", dup342); - -var msg36985 = msg("35211", dup342); - -var msg36986 = msg("35212", dup342); - -var msg36987 = msg("35213", dup343); - -var msg36988 = msg("35214", dup343); - -var msg36989 = msg("35215", dup347); - -var msg36990 = msg("35216", dup347); - -var msg36991 = msg("35217", dup340); - -var msg36992 = msg("35218", dup340); - -var msg36993 = msg("35219", dup340); - -var msg36994 = msg("35220", dup340); - -var msg36995 = msg("35221", dup339); - -var msg36996 = msg("35222", dup342); - -var msg36997 = msg("35223", dup340); - -var msg36998 = msg("35224", dup340); - -var msg36999 = msg("35225", dup340); - -var msg37000 = msg("35226", dup340); - -var msg37001 = msg("35227", dup340); - -var msg37002 = msg("35228", dup340); - -var msg37003 = msg("35229", dup340); - -var msg37004 = msg("35230", dup340); - -var msg37005 = msg("35231", dup340); - -var msg37006 = msg("35232", dup340); - -var msg37007 = msg("35233", dup340); - -var msg37008 = msg("35234", dup340); - -var msg37009 = msg("35235", dup340); - -var msg37010 = msg("35236", dup340); - -var msg37011 = msg("35237", dup340); - -var msg37012 = msg("35238", dup340); - -var msg37013 = msg("35239", dup340); - -var msg37014 = msg("35240", dup340); - -var msg37015 = msg("35241", dup340); - -var msg37016 = msg("35242", dup340); - -var msg37017 = msg("35243", dup348); - -var msg37018 = msg("35244", dup348); - -var msg37019 = msg("35245", dup348); - -var msg37020 = msg("35246", dup348); - -var msg37021 = msg("35247", dup340); - -var msg37022 = msg("35248", dup340); - -var msg37023 = msg("35249", dup340); - -var msg37024 = msg("35250", dup340); - -var msg37025 = msg("35251", dup341); - -var msg37026 = msg("35252", dup341); - -var msg37027 = msg("35253", dup340); - -var msg37028 = msg("35254", dup339); - -var msg37029 = 
msg("35255", dup339); - -var msg37030 = msg("35256", dup347); - -var msg37031 = msg("35257", dup348); - -var msg37032 = msg("35258", dup348); - -var msg37033 = msg("35259", dup348); - -var msg37034 = msg("35260", dup348); - -var msg37035 = msg("35261", dup347); - -var msg37036 = msg("35262", dup347); - -var msg37037 = msg("35263", dup347); - -var msg37038 = msg("35264", dup347); - -var msg37039 = msg("35265", dup347); - -var msg37040 = msg("35266", dup347); - -var msg37041 = msg("35267", dup340); - -var msg37042 = msg("35268", dup340); - -var msg37043 = msg("35269", dup340); - -var msg37044 = msg("35270", dup340); - -var msg37045 = msg("35271", dup340); - -var msg37046 = msg("35272", dup340); - -var msg37047 = msg("35273", dup340); - -var msg37048 = msg("35274", dup340); - -var msg37049 = msg("35275", dup340); - -var msg37050 = msg("35276", dup340); - -var msg37051 = msg("35277", dup340); - -var msg37052 = msg("35278", dup340); - -var msg37053 = msg("35279", dup346); - -var msg37054 = msg("35280", dup346); - -var msg37055 = msg("35281", dup346); - -var msg37056 = msg("35282", dup340); - -var msg37057 = msg("35283", dup340); - -var msg37058 = msg("35284", dup340); - -var msg37059 = msg("35285", dup340); - -var msg37060 = msg("35286", dup340); - -var msg37061 = msg("35287", dup340); - -var msg37062 = msg("35288", dup340); - -var msg37063 = msg("35289", dup340); - -var msg37064 = msg("35290", dup340); - -var msg37065 = msg("35291", dup340); - -var msg37066 = msg("35292", dup340); - -var msg37067 = msg("35293", dup340); - -var msg37068 = msg("35294", dup340); - -var msg37069 = msg("35295", dup340); - -var msg37070 = msg("35296", dup340); - -var msg37071 = msg("35297", dup340); - -var msg37072 = msg("35298", dup340); - -var msg37073 = msg("35299", dup340); - -var msg37074 = msg("35300", dup339); - -var msg37075 = msg("35301", dup339); - -var msg37076 = msg("35302", dup340); - -var msg37077 = msg("35303", dup339); - -var msg37078 = msg("35304", dup341); - -var msg37079 = 
msg("35305", dup341); - -var msg37080 = msg("35306", dup339); - -var msg37081 = msg("35307", dup340); - -var msg37082 = msg("35308", dup341); - -var msg37083 = msg("35309", dup341); - -var msg37084 = msg("35310", dup348); - -var msg37085 = msg("35311", dup348); - -var msg37086 = msg("35312", dup339); - -var msg37087 = msg("35313", dup339); - -var msg37088 = msg("35314", dup350); - -var msg37089 = msg("35315", dup339); - -var msg37090 = msg("35316", dup342); - -var msg37091 = msg("35317", dup339); - -var msg37092 = msg("35318", dup339); - -var msg37093 = msg("35319", dup340); - -var msg37094 = msg("35320", dup340); - -var msg37095 = msg("35321", dup340); - -var msg37096 = msg("35322", dup340); - -var msg37097 = msg("35323", dup340); - -var msg37098 = msg("35324", dup340); - -var msg37099 = msg("35325", dup341); - -var msg37100 = msg("35326", dup341); - -var msg37101 = msg("35327", dup340); - -var msg37102 = msg("35328", dup340); - -var msg37103 = msg("35329", dup340); - -var msg37104 = msg("35330", dup340); - -var msg37105 = msg("35331", dup343); - -var msg37106 = msg("35332", dup343); - -var msg37107 = msg("35333", dup347); - -var msg37108 = msg("35334", dup347); - -var msg37109 = msg("35335", dup347); - -var msg37110 = msg("35336", dup352); - -var msg37111 = msg("35337", dup352); - -var msg37112 = msg("35338", dup352); - -var msg37113 = msg("35339", dup352); - -var msg37114 = msg("35340", dup352); - -var msg37115 = msg("35341", dup352); - -var msg37116 = msg("35342", dup352); - -var msg37117 = msg("35343", dup352); - -var msg37118 = msg("35344", dup339); - -var msg37119 = msg("35345", dup347); - -var msg37120 = msg("35346", dup347); - -var msg37121 = msg("35347", dup340); - -var msg37122 = msg("35348", dup339); - -var msg37123 = msg("35349", dup340); - -var msg37124 = msg("35350", dup340); - -var msg37125 = msg("35351", dup340); - -var msg37126 = msg("35352", dup340); - -var msg37127 = msg("35353", dup339); - -var msg37128 = msg("35354", dup346); - -var msg37129 = 
msg("35355", dup339); - -var msg37130 = msg("35356", dup344); - -var msg37131 = msg("35357", dup344); - -var msg37132 = msg("35358", dup340); - -var msg37133 = msg("35359", dup346); - -var msg37134 = msg("35360", dup341); - -var msg37135 = msg("35361", dup341); - -var msg37136 = msg("35362", dup341); - -var msg37137 = msg("35363", dup341); - -var msg37138 = msg("35364", dup340); - -var msg37139 = msg("35365", dup340); - -var msg37140 = msg("35366", dup340); - -var msg37141 = msg("35367", dup340); - -var msg37142 = msg("35368", dup339); - -var msg37143 = msg("35369", dup339); - -var msg37144 = msg("35370", dup339); - -var msg37145 = msg("35371", dup339); - -var msg37146 = msg("35372", dup348); - -var msg37147 = msg("35373", dup348); - -var msg37148 = msg("35374", dup348); - -var msg37149 = msg("35375", dup348); - -var msg37150 = msg("35376", dup340); - -var msg37151 = msg("35377", dup340); - -var msg37152 = msg("35378", dup340); - -var msg37153 = msg("35379", dup340); - -var msg37154 = msg("35380", dup343); - -var msg37155 = msg("35381", dup343); - -var msg37156 = msg("35382", dup343); - -var msg37157 = msg("35383", dup343); - -var msg37158 = msg("35384", dup339); - -var msg37159 = msg("35385", dup339); - -var msg37160 = msg("35386", dup339); - -var msg37161 = msg("35387", dup339); - -var msg37162 = msg("35388", dup339); - -var msg37163 = msg("35389", dup339); - -var msg37164 = msg("35390", dup339); - -var msg37165 = msg("35391", dup339); - -var msg37166 = msg("35392", dup339); - -var msg37167 = msg("35393", dup339); - -var msg37168 = msg("35394", dup339); - -var msg37169 = msg("35395", dup340); - -var msg37170 = msg("35396", dup340); - -var msg37171 = msg("35397", dup340); - -var msg37172 = msg("35398", dup340); - -var msg37173 = msg("35399", dup348); - -var msg37174 = msg("35400", dup339); - -var msg37175 = msg("35401", dup340); - -var msg37176 = msg("35402", dup340); - -var msg37177 = msg("35403", dup340); - -var msg37178 = msg("35404", dup340); - -var msg37179 = 
msg("35405", dup340); - -var msg37180 = msg("35406", dup341); - -var msg37181 = msg("35407", dup340); - -var msg37182 = msg("35408", dup340); - -var msg37183 = msg("35409", dup340); - -var msg37184 = msg("35410", dup340); - -var msg37185 = msg("35411", dup348); - -var msg37186 = msg("35412", dup348); - -var msg37187 = msg("35413", dup344); - -var msg37188 = msg("35414", dup344); - -var msg37189 = msg("35415", dup339); - -var msg37190 = msg("35416", dup339); - -var msg37191 = msg("35417", dup324); - -var msg37192 = msg("35418", dup324); - -var msg37193 = msg("35419", dup309); - -var msg37194 = msg("35420", dup309); - -var msg37195 = msg("35421", dup309); - -var msg37196 = msg("35422", dup309); - -var msg37197 = msg("35423", dup314); - -var msg37198 = msg("35424", dup324); - -var msg37199 = msg("35425", dup324); - -var msg37200 = msg("35426", dup321); - -var msg37201 = msg("35427", dup322); - -var msg37202 = msg("35428", dup322); - -var msg37203 = msg("35429", dup322); - -var msg37204 = msg("35430", dup314); - -var msg37205 = msg("35431", dup314); - -var msg37206 = msg("35432", dup314); - -var msg37207 = msg("35433", dup314); - -var msg37208 = msg("35434", dup309); - -var msg37209 = msg("35435", dup309); - -var msg37210 = msg("35436", dup321); - -var msg37211 = msg("35437", dup321); - -var msg37212 = msg("35438", dup307); - -var msg37213 = msg("35439", dup307); - -var msg37214 = msg("35440", dup309); - -var msg37215 = msg("35441", dup309); - -var msg37216 = msg("35442", dup309); - -var msg37217 = msg("35443", dup309); - -var msg37218 = msg("35444", dup314); - -var msg37219 = msg("35445", dup314); - -var msg37220 = msg("35446", dup314); - -var msg37221 = msg("35447", dup314); - -var msg37222 = msg("35448", dup321); - -var msg37223 = msg("35449", dup314); - -var msg37224 = msg("35450", dup314); - -var msg37225 = msg("35451", dup314); - -var msg37226 = msg("35452", dup314); - -var msg37227 = msg("35453", dup314); - -var msg37228 = msg("35454", dup314); - -var msg37229 = 
msg("35455", dup314); - -var msg37230 = msg("35456", dup314); - -var msg37231 = msg("35457", dup314); - -var msg37232 = msg("35458", dup314); - -var msg37233 = msg("35459", dup314); - -var msg37234 = msg("35460", dup311); - -var msg37235 = msg("35461", dup311); - -var msg37236 = msg("35462", dup321); - -var msg37237 = msg("35463", dup314); - -var msg37238 = msg("35464", dup314); - -var msg37239 = msg("35465", dup314); - -var msg37240 = msg("35466", dup314); - -var msg37241 = msg("35467", dup314); - -var msg37242 = msg("35468", dup314); - -var msg37243 = msg("35469", dup314); - -var msg37244 = msg("35470", dup321); - -var msg37245 = msg("35471", dup321); - -var msg37246 = msg("35472", dup321); - -var msg37247 = msg("35473", dup325); - -var msg37248 = msg("35474", dup325); - -var msg37249 = msg("35475", dup325); - -var msg37250 = msg("35476", dup325); - -var msg37251 = msg("35477", dup325); - -var msg37252 = msg("35478", dup325); - -var msg37253 = msg("35479", dup311); - -var msg37254 = msg("35480", dup311); - -var msg37255 = msg("35481", dup325); - -var msg37256 = msg("35482", dup325); - -var msg37257 = msg("35483", dup311); - -var msg37258 = msg("35484", dup311); - -var msg37259 = msg("35485", dup311); - -var msg37260 = msg("35486", dup311); - -var msg37261 = msg("35487", dup314); - -var msg37262 = msg("35488", dup314); - -var msg37263 = msg("35489", dup311); - -var msg37264 = msg("35490", dup311); - -var msg37265 = msg("35491", dup311); - -var msg37266 = msg("35492", dup311); - -var msg37267 = msg("35493", dup325); - -var msg37268 = msg("35494", dup325); - -var msg37269 = msg("35495", dup311); - -var msg37270 = msg("35496", dup311); - -var msg37271 = msg("35497", dup309); - -var msg37272 = msg("35498", dup309); - -var msg37273 = msg("35499", dup309); - -var msg37274 = msg("35500", dup309); - -var msg37275 = msg("35501", dup309); - -var msg37276 = msg("35502", dup309); - -var msg37277 = msg("35503", dup309); - -var msg37278 = msg("35504", dup309); - -var msg37279 = 
msg("35505", dup309); - -var msg37280 = msg("35506", dup309); - -var msg37281 = msg("35507", dup311); - -var msg37282 = msg("35508", dup311); - -var msg37283 = msg("35509", dup309); - -var msg37284 = msg("35510", dup309); - -var msg37285 = msg("35511", dup309); - -var msg37286 = msg("35512", dup309); - -var msg37287 = msg("35513", dup314); - -var msg37288 = msg("35514", dup314); - -var msg37289 = msg("35515", dup314); - -var msg37290 = msg("35516", dup314); - -var msg37291 = msg("35517", dup314); - -var msg37292 = msg("35518", dup314); - -var msg37293 = msg("35519", dup314); - -var msg37294 = msg("35520", dup314); - -var msg37295 = msg("35521", dup309); - -var msg37296 = msg("35522", dup309); - -var msg37297 = msg("35523", dup314); - -var msg37298 = msg("35524", dup314); - -var msg37299 = msg("35525", dup314); - -var msg37300 = msg("35526", dup314); - -var msg37301 = msg("35527", dup314); - -var msg37302 = msg("35528", dup314); - -var msg37303 = msg("35529", dup311); - -var msg37304 = msg("35530", dup311); - -var msg37305 = msg("35531", dup310); - -var msg37306 = msg("35532", dup310); - -var msg37307 = msg("35533", dup322); - -var msg37308 = msg("35534", dup322); - -var msg37309 = msg("35535", dup322); - -var msg37310 = msg("35536", dup311); - -var msg37311 = msg("35537", dup311); - -var msg37312 = msg("35538", dup314); - -var msg37313 = msg("35539", dup314); - -var msg37314 = msg("35540", dup322); - -var msg37315 = msg("35541", dup322); - -var msg37316 = msg("35542", dup311); - -var msg37317 = msg("35543", dup311); - -var msg37318 = msg("35544", dup311); - -var msg37319 = msg("35545", dup311); - -var msg37320 = msg("35546", dup311); - -var msg37321 = msg("35547", dup311); - -var msg37322 = msg("35548", dup311); - -var msg37323 = msg("35549", dup321); - -var msg37324 = msg("35550", dup311); - -var msg37325 = msg("35551", dup321); - -var msg37326 = msg("35552", dup311); - -var msg37327 = msg("35553", dup311); - -var msg37328 = msg("35554", dup311); - -var msg37329 = 
msg("35555", dup311); - -var msg37330 = msg("35556", dup314); - -var msg37331 = msg("35557", dup314); - -var msg37332 = msg("35558", dup314); - -var msg37333 = msg("35559", dup314); - -var msg37334 = msg("35560", dup314); - -var msg37335 = msg("35561", dup311); - -var msg37336 = msg("35562", dup311); - -var msg37337 = msg("35563", dup314); - -var msg37338 = msg("35564", dup314); - -var msg37339 = msg("35565", dup314); - -var msg37340 = msg("35566", dup314); - -var msg37341 = msg("35567", dup314); - -var msg37342 = msg("35568", dup314); - -var msg37343 = msg("35569", dup325); - -var msg37344 = msg("35570", dup321); - -var msg37345 = msg("35571", dup314); - -var msg37346 = msg("35572", dup314); - -var msg37347 = msg("35573", dup322); - -var msg37348 = msg("35574", dup314); - -var msg37349 = msg("35575", dup314); - -var msg37350 = msg("35576", dup314); - -var msg37351 = msg("35577", dup314); - -var msg37352 = msg("35578", dup309); - -var msg37353 = msg("35579", dup309); - -var msg37354 = msg("35580", dup309); - -var msg37355 = msg("35581", dup309); - -var msg37356 = msg("35582", dup311); - -var msg37357 = msg("35583", dup311); - -var msg37358 = msg("35584", dup314); - -var msg37359 = msg("35585", dup314); - -var msg37360 = msg("35586", dup314); - -var msg37361 = msg("35587", dup314); - -var msg37362 = msg("35588", dup314); - -var msg37363 = msg("35589", dup314); - -var msg37364 = msg("35590", dup314); - -var msg37365 = msg("35591", dup314); - -var msg37366 = msg("35592", dup309); - -var msg37367 = msg("35593", dup309); - -var msg37368 = msg("35594", dup309); - -var msg37369 = msg("35595", dup321); - -var msg37370 = msg("35596", dup321); - -var msg37371 = msg("35597", dup321); - -var msg37372 = msg("35598", dup314); - -var msg37373 = msg("35599", dup314); - -var msg37374 = msg("35600", dup314); - -var msg37375 = msg("35601", dup314); - -var msg37376 = msg("35602", dup314); - -var msg37377 = msg("35603", dup314); - -var msg37378 = msg("35604", dup314); - -var msg37379 = 
msg("35605", dup314); - -var msg37380 = msg("35606", dup314); - -var msg37381 = msg("35607", dup314); - -var msg37382 = msg("35608", dup314); - -var msg37383 = msg("35609", dup314); - -var msg37384 = msg("35610", dup314); - -var msg37385 = msg("35611", dup314); - -var msg37386 = msg("35612", dup314); - -var msg37387 = msg("35613", dup314); - -var msg37388 = msg("35614", dup311); - -var msg37389 = msg("35615", dup311); - -var msg37390 = msg("35616", dup311); - -var msg37391 = msg("35617", dup311); - -var msg37392 = msg("35618", dup323); - -var msg37393 = msg("35619", dup323); - -var msg37394 = msg("35620", dup323); - -var msg37395 = msg("35621", dup323); - -var msg37396 = msg("35622", dup323); - -var msg37397 = msg("35623", dup323); - -var msg37398 = msg("35628", dup309); - -var msg37399 = msg("35629", dup309); - -var msg37400 = msg("35630", dup324); - -var msg37401 = msg("35631", dup324); - -var msg37402 = msg("35632", dup314); - -var msg37403 = msg("35633", dup314); - -var msg37404 = msg("35634", dup314); - -var msg37405 = msg("35635", dup314); - -var msg37406 = msg("35636", dup309); - -var msg37407 = msg("35637", dup309); - -var msg37408 = msg("35638", dup314); - -var msg37409 = msg("35639", dup314); - -var msg37410 = msg("35640", dup314); - -var msg37411 = msg("35641", dup314); - -var msg37412 = msg("35642", dup314); - -var msg37413 = msg("35643", dup314); - -var msg37414 = msg("35644", dup314); - -var msg37415 = msg("35645", dup314); - -var msg37416 = msg("35646", dup314); - -var msg37417 = msg("35647", dup314); - -var msg37418 = msg("35648", dup314); - -var msg37419 = msg("35649", dup314); - -var msg37420 = msg("35650", dup314); - -var msg37421 = msg("35651", dup314); - -var msg37422 = msg("35652", dup314); - -var msg37423 = msg("35653", dup314); - -var msg37424 = msg("35654", dup314); - -var msg37425 = msg("35655", dup314); - -var msg37426 = msg("35656", dup314); - -var msg37427 = msg("35657", dup314); - -var msg37428 = msg("35658", dup314); - -var msg37429 = 
msg("35659", dup314); - -var msg37430 = msg("35660", dup314); - -var msg37431 = msg("35661", dup314); - -var msg37432 = msg("35662", dup314); - -var msg37433 = msg("35663", dup314); - -var msg37434 = msg("35664", dup314); - -var msg37435 = msg("35665", dup314); - -var msg37436 = msg("35666", dup311); - -var msg37437 = msg("35667", dup311); - -var msg37438 = msg("35668", dup311); - -var msg37439 = msg("35669", dup311); - -var msg37440 = msg("35670", dup314); - -var msg37441 = msg("35671", dup314); - -var msg37442 = msg("35672", dup314); - -var msg37443 = msg("35673", dup314); - -var msg37444 = msg("35674", dup314); - -var msg37445 = msg("35675", dup314); - -var msg37446 = msg("35676", dup314); - -var msg37447 = msg("35677", dup314); - -var msg37448 = msg("35678", dup314); - -var msg37449 = msg("35679", dup314); - -var msg37450 = msg("35680", dup314); - -var msg37451 = msg("35681", dup330); - -var msg37452 = msg("35682", dup314); - -var msg37453 = msg("35683", dup314); - -var msg37454 = msg("35684", dup314); - -var msg37455 = msg("35685", dup314); - -var msg37456 = msg("35686", dup314); - -var msg37457 = msg("35687", dup311); - -var msg37458 = msg("35691", dup314); - -var msg37459 = msg("35692", dup314); - -var msg37460 = msg("35693", dup314); - -var msg37461 = msg("35694", dup314); - -var msg37462 = msg("35695", dup314); - -var msg37463 = msg("35696", dup314); - -var msg37464 = msg("35697", dup314); - -var msg37465 = msg("35698", dup314); - -var msg37466 = msg("35699", dup314); - -var msg37467 = msg("35700", dup314); - -var msg37468 = msg("35701", dup322); - -var msg37469 = msg("35702", dup322); - -var msg37470 = msg("35703", dup322); - -var msg37471 = msg("35704", dup314); - -var msg37472 = msg("35705", dup314); - -var msg37473 = msg("35706", dup314); - -var msg37474 = msg("35707", dup314); - -var msg37475 = msg("35708", dup314); - -var msg37476 = msg("35709", dup314); - -var msg37477 = msg("35710", dup325); - -var msg37478 = msg("35719", dup311); - -var msg37479 = 
msg("35720", dup311); - -var msg37480 = msg("35723", dup311); - -var msg37481 = msg("35724", dup311); - -var msg37482 = msg("35731", dup311); - -var msg37483 = msg("35732", dup321); - -var msg37484 = msg("35733", dup321); - -var msg37485 = msg("35734", dup330); - -var msg37486 = msg("35735", dup314); - -var msg37487 = msg("35736", dup314); - -var msg37488 = msg("35737", dup307); - -var msg37489 = msg("35738", dup307); - -var msg37490 = msg("35739", dup307); - -var msg37491 = msg("35740", dup307); - -var msg37492 = msg("35741", dup314); - -var msg37493 = msg("35742", dup314); - -var msg37494 = msg("35743", dup314); - -var msg37495 = msg("35744", dup314); - -var msg37496 = msg("35745", dup311); - -var msg37497 = msg("35746", dup321); - -var msg37498 = msg("35747", dup325); - -var msg37499 = msg("35748", dup325); - -var msg37500 = msg("35749", dup321); - -var msg37501 = msg("35750", dup321); - -var msg37502 = msg("35751", dup309); - -var msg37503 = msg("35752", dup309); - -var msg37504 = msg("35753", dup314); - -var msg37505 = msg("35754", dup314); - -var msg37506 = msg("35755", dup314); - -var msg37507 = msg("35756", dup314); - -var msg37508 = msg("35757", dup314); - -var msg37509 = msg("35758", dup314); - -var msg37510 = msg("35759", dup314); - -var msg37511 = msg("35760", dup314); - -var msg37512 = msg("35761", dup314); - -var msg37513 = msg("35762", dup314); - -var msg37514 = msg("35763", dup324); - -var msg37515 = msg("35764", dup324); - -var msg37516 = msg("35765", dup324); - -var msg37517 = msg("35766", dup324); - -var msg37518 = msg("35767", dup314); - -var msg37519 = msg("35768", dup314); - -var msg37520 = msg("35769", dup321); - -var msg37521 = msg("35770", dup321); - -var msg37522 = msg("35771", dup325); - -var msg37523 = msg("35772", dup325); - -var msg37524 = msg("35779", dup314); - -var msg37525 = msg("35780", dup314); - -var msg37526 = msg("35781", dup314); - -var msg37527 = msg("35782", dup314); - -var msg37528 = msg("35783", dup321); - -var msg37529 = 
msg("35784", dup314); - -var msg37530 = msg("35785", dup314); - -var msg37531 = msg("35786", dup314); - -var msg37532 = msg("35787", dup314); - -var msg37533 = msg("35788", dup321); - -var msg37534 = msg("35789", dup321); - -var msg37535 = msg("35790", dup321); - -var msg37536 = msg("35791", dup321); - -var msg37537 = msg("35792", dup321); - -var msg37538 = msg("35793", dup321); - -var msg37539 = msg("35794", dup321); - -var msg37540 = msg("35795", dup314); - -var msg37541 = msg("35796", dup314); - -var msg37542 = msg("35797", dup314); - -var msg37543 = msg("35798", dup311); - -var msg37544 = msg("35799", dup311); - -var msg37545 = msg("35800", dup321); - -var msg37546 = msg("35801", dup321); - -var msg37547 = msg("35802", dup321); - -var msg37548 = msg("35803", dup321); - -var msg37549 = msg("35804", dup321); - -var msg37550 = msg("35805", dup311); - -var msg37551 = msg("35806", dup311); - -var msg37552 = msg("35807", dup314); - -var msg37553 = msg("35808", dup314); - -var msg37554 = msg("35809", dup323); - -var msg37555 = msg("35810", dup323); - -var msg37556 = msg("35811", dup323); - -var msg37557 = msg("35812", dup323); - -var msg37558 = msg("35813", dup314); - -var msg37559 = msg("35814", dup314); - -var msg37560 = msg("35815", dup314); - -var msg37561 = msg("35816", dup314); - -var msg37562 = msg("35817", dup314); - -var msg37563 = msg("35818", dup314); - -var msg37564 = msg("35819", dup322); - -var msg37565 = msg("35820", dup314); - -var msg37566 = msg("35821", dup314); - -var msg37567 = msg("35822", dup314); - -var msg37568 = msg("35823", dup314); - -var msg37569 = msg("35824", dup314); - -var msg37570 = msg("35825", dup314); - -var msg37571 = msg("35826", dup314); - -var msg37572 = msg("35827", dup314); - -var msg37573 = msg("35831", dup307); - -var msg37574 = msg("35836", dup325); - -var msg37575 = msg("35837", dup325); - -var msg37576 = msg("35838", dup321); - -var msg37577 = msg("35839", dup321); - -var msg37578 = msg("35840", dup321); - -var msg37579 = 
msg("35841", dup321); - -var msg37580 = msg("35842", dup321); - -var msg37581 = msg("35843", dup314); - -var msg37582 = msg("35844", dup314); - -var msg37583 = msg("35845", dup311); - -var msg37584 = msg("35846", dup311); - -var msg37585 = msg("35847", dup314); - -var msg37586 = msg("35848", dup309); - -var msg37587 = msg("35849", dup314); - -var msg37588 = msg("35850", dup314); - -var msg37589 = msg("35851", dup311); - -var msg37590 = msg("35852", dup314); - -var msg37591 = msg("35853", dup309); - -var msg37592 = msg("35854", dup309); - -var msg37593 = msg("35855", dup309); - -var msg37594 = msg("35856", dup309); - -var msg37595 = msg("35857", dup311); - -var msg37596 = msg("35858", dup311); - -var msg37597 = msg("35859", dup314); - -var msg37598 = msg("35860", dup314); - -var msg37599 = msg("35861", dup314); - -var msg37600 = msg("35862", dup314); - -var msg37601 = msg("35863", dup314); - -var msg37602 = msg("35864", dup314); - -var msg37603 = msg("35865", dup311); - -var msg37604 = msg("35866", dup311); - -var msg37605 = msg("35867", dup311); - -var msg37606 = msg("35868", dup325); - -var msg37607 = msg("35869", dup325); - -var msg37608 = msg("35870", dup325); - -var msg37609 = msg("35871", dup325); - -var msg37610 = msg("35872", dup314); - -var msg37611 = msg("35873", dup314); - -var msg37612 = msg("35874", dup314); - -var msg37613 = msg("35875", dup314); - -var msg37614 = msg("35876", dup311); - -var msg37615 = msg("35877", dup323); - -var msg37616 = msg("35878", dup323); - -var msg37617 = msg("35879", dup323); - -var msg37618 = msg("35880", dup323); - -var msg37619 = msg("35881", dup314); - -var msg37620 = msg("35882", dup314); - -var msg37621 = msg("35883", dup307); - -var msg37622 = msg("35884", dup314); - -var msg37623 = msg("35885", dup314); - -var msg37624 = msg("35886", dup314); - -var msg37625 = msg("35887", dup322); - -var msg37626 = msg("35888", dup314); - -var msg37627 = msg("35889", dup311); - -var msg37628 = msg("35890", dup322); - -var msg37629 = 
msg("35891", dup322); - -var msg37630 = msg("35892", dup314); - -var msg37631 = msg("35893", dup314); - -var msg37632 = msg("35894", dup316); - -var msg37633 = msg("35895", dup309); - -var msg37634 = msg("35896", dup309); - -var msg37635 = msg("35897", dup316); - -var msg37636 = msg("35898", dup309); - -var msg37637 = msg("35899", dup309); - -var msg37638 = msg("35900", dup309); - -var msg37639 = msg("35901", dup309); - -var msg37640 = msg("35902", dup316); - -var msg37641 = msg("35903", dup309); - -var msg37642 = msg("35904", dup309); - -var msg37643 = msg("35905", dup314); - -var msg37644 = msg("35906", dup309); - -var msg37645 = msg("35907", dup314); - -var msg37646 = msg("35908", dup309); - -var msg37647 = msg("35909", dup309); - -var msg37648 = msg("35910", dup314); - -var msg37649 = msg("35911", dup309); - -var msg37650 = msg("35912", dup309); - -var msg37651 = msg("35913", dup314); - -var msg37652 = msg("35914", dup314); - -var msg37653 = msg("35915", dup314); - -var msg37654 = msg("35916", dup314); - -var msg37655 = msg("35917", dup314); - -var msg37656 = msg("35918", dup309); - -var msg37657 = msg("35919", dup311); - -var msg37658 = msg("35920", dup314); - -var msg37659 = msg("35921", dup325); - -var msg37660 = msg("35922", dup309); - -var msg37661 = msg("35923", dup314); - -var msg37662 = msg("35924", dup311); - -var msg37663 = msg("35925", dup311); - -var msg37664 = msg("35926", dup330); - -var msg37665 = msg("35927", dup311); - -var msg37666 = msg("35928", dup311); - -var msg37667 = msg("35929", dup322); - -var msg37668 = msg("35930", dup322); - -var msg37669 = msg("35931", dup322); - -var msg37670 = msg("35932", dup322); - -var msg37671 = msg("35933", dup314); - -var msg37672 = msg("35934", dup314); - -var msg37673 = msg("35935", dup314); - -var msg37674 = msg("35936", dup314); - -var msg37675 = msg("35937", dup314); - -var msg37676 = msg("35938", dup314); - -var msg37677 = msg("35939", dup309); - -var msg37678 = msg("35940", dup309); - -var msg37679 = 
msg("35941", dup314); - -var msg37680 = msg("35942", dup324); - -var msg37681 = msg("35943", dup324); - -var msg37682 = msg("35944", dup309); - -var msg37683 = msg("35945", dup311); - -var msg37684 = msg("35946", dup311); - -var msg37685 = msg("35947", dup311); - -var msg37686 = msg("35948", dup311); - -var msg37687 = msg("35949", dup311); - -var msg37688 = msg("35950", dup311); - -var msg37689 = msg("35951", dup311); - -var msg37690 = msg("35952", dup311); - -var msg37691 = msg("35953", dup311); - -var msg37692 = msg("35954", dup311); - -var msg37693 = msg("35955", dup314); - -var msg37694 = msg("35956", dup314); - -var msg37695 = msg("35957", dup314); - -var msg37696 = msg("35958", dup314); - -var msg37697 = msg("35959", dup323); - -var msg37698 = msg("35960", dup323); - -var msg37699 = msg("35961", dup311); - -var msg37700 = msg("35962", dup311); - -var msg37701 = msg("35963", dup325); - -var msg37702 = msg("35964", dup325); - -var msg37703 = msg("35965", dup311); - -var msg37704 = msg("35966", dup311); - -var msg37705 = msg("35967", dup314); - -var msg37706 = msg("35968", dup314); - -var msg37707 = msg("35969", dup325); - -var msg37708 = msg("35970", dup325); - -var msg37709 = msg("35971", dup325); - -var msg37710 = msg("35972", dup325); - -var msg37711 = msg("35973", dup314); - -var msg37712 = msg("35974", dup314); - -var msg37713 = msg("35975", dup325); - -var msg37714 = msg("35976", dup325); - -var msg37715 = msg("35977", dup314); - -var msg37716 = msg("35978", dup314); - -var msg37717 = msg("35979", dup314); - -var msg37718 = msg("35980", dup314); - -var msg37719 = msg("35981", dup314); - -var msg37720 = msg("35982", dup311); - -var msg37721 = msg("35983", dup311); - -var msg37722 = msg("35984", dup324); - -var msg37723 = msg("35985", dup324); - -var msg37724 = msg("35986", dup314); - -var msg37725 = msg("35987", dup314); - -var msg37726 = msg("35988", dup309); - -var msg37727 = msg("35989", dup309); - -var msg37728 = msg("35990", dup311); - -var msg37729 = 
msg("35991", dup311); - -var msg37730 = msg("35992", dup325); - -var msg37731 = msg("35993", dup325); - -var msg37732 = msg("35994", dup314); - -var msg37733 = msg("35995", dup314); - -var msg37734 = msg("35996", dup309); - -var msg37735 = msg("35997", dup309); - -var msg37736 = msg("35998", dup311); - -var msg37737 = msg("35999", dup311); - -var msg37738 = msg("36000", dup309); - -var msg37739 = msg("36001", dup309); - -var msg37740 = msg("36002", dup309); - -var msg37741 = msg("36003", dup309); - -var msg37742 = msg("36004", dup325); - -var msg37743 = msg("36005", dup325); - -var msg37744 = msg("36006", dup325); - -var msg37745 = msg("36007", dup325); - -var msg37746 = msg("36008", dup325); - -var msg37747 = msg("36009", dup325); - -var msg37748 = msg("36010", dup314); - -var msg37749 = msg("36011", dup314); - -var msg37750 = msg("36012", dup314); - -var msg37751 = msg("36013", dup314); - -var msg37752 = msg("36014", dup309); - -var msg37753 = msg("36015", dup309); - -var msg37754 = msg("36016", dup314); - -var msg37755 = msg("36017", dup314); - -var msg37756 = msg("36018", dup325); - -var msg37757 = msg("36019", dup325); - -var msg37758 = msg("36020", dup325); - -var msg37759 = msg("36021", dup325); - -var msg37760 = msg("36022", dup314); - -var msg37761 = msg("36023", dup314); - -var msg37762 = msg("36024", dup314); - -var msg37763 = msg("36025", dup314); - -var msg37764 = msg("36026", dup309); - -var msg37765 = msg("36027", dup309); - -var msg37766 = msg("36028", dup314); - -var msg37767 = msg("36029", dup314); - -var msg37768 = msg("36030", dup316); - -var msg37769 = msg("36031", dup316); - -var msg37770 = msg("36032", dup316); - -var msg37771 = msg("36033", dup316); - -var msg37772 = msg("36034", dup314); - -var msg37773 = msg("36035", dup314); - -var msg37774 = msg("36036", dup314); - -var msg37775 = msg("36037", dup311); - -var msg37776 = msg("36038", dup311); - -var msg37777 = msg("36039", dup311); - -var msg37778 = msg("36040", dup311); - -var msg37779 = 
msg("36041", dup322); - -var msg37780 = msg("36042", dup322); - -var msg37781 = msg("36043", dup322); - -var msg37782 = msg("36044", dup321); - -var msg37783 = msg("36045", dup321); - -var msg37784 = msg("36046", dup321); - -var msg37785 = msg("36047", dup321); - -var msg37786 = msg("36048", dup321); - -var msg37787 = msg("36049", dup322); - -var msg37788 = msg("36050", dup322); - -var msg37789 = msg("36051", dup322); - -var msg37790 = msg("36052", dup314); - -var msg37791 = msg("36053", dup316); - -var msg37792 = msg("36054", dup321); - -var msg37793 = msg("36055", dup329); - -var msg37794 = msg("36056", dup329); - -var msg37795 = msg("36057", dup314); - -var msg37796 = msg("36058", dup314); - -var msg37797 = msg("36059", dup324); - -var msg37798 = msg("36060", dup321); - -var msg37799 = msg("36061", dup322); - -var msg37800 = msg("36062", dup314); - -var msg37801 = msg("36063", dup314); - -var msg37802 = msg("36064", dup321); - -var msg37803 = msg("36065", dup321); - -var msg37804 = msg("36066", dup321); - -var msg37805 = msg("36067", dup307); - -var msg37806 = msg("36068", dup309); - -var msg37807 = msg("36069", dup309); - -var msg37808 = msg("36070", dup314); - -var msg37809 = msg("36071", dup311); - -var msg37810 = msg("36072", dup324); - -var msg37811 = msg("36073", dup324); - -var msg37812 = msg("36074", dup324); - -var msg37813 = msg("36075", dup324); - -var msg37814 = msg("36076", dup324); - -var msg37815 = msg("36077", dup324); - -var msg37816 = msg("36078", dup324); - -var msg37817 = msg("36079", dup324); - -var msg37818 = msg("36080", dup324); - -var msg37819 = msg("36081", dup324); - -var msg37820 = msg("36082", dup324); - -var msg37821 = msg("36083", dup324); - -var msg37822 = msg("36084", dup324); - -var msg37823 = msg("36085", dup324); - -var msg37824 = msg("36086", dup324); - -var msg37825 = msg("36087", dup324); - -var msg37826 = msg("36088", dup324); - -var msg37827 = msg("36089", dup324); - -var msg37828 = msg("36090", dup324); - -var msg37829 = 
msg("36091", dup324); - -var msg37830 = msg("36092", dup324); - -var msg37831 = msg("36093", dup324); - -var msg37832 = msg("36094", dup324); - -var msg37833 = msg("36095", dup324); - -var msg37834 = msg("36096", dup324); - -var msg37835 = msg("36097", dup322); - -var msg37836 = msg("36098", dup322); - -var msg37837 = msg("36099", dup322); - -var msg37838 = msg("36100", dup314); - -var msg37839 = msg("36101", dup325); - -var msg37840 = msg("36102", dup325); - -var msg37841 = msg("36103", dup321); - -var msg37842 = msg("36104", dup314); - -var msg37843 = msg("36105", dup321); - -var msg37844 = msg("36106", dup321); - -var msg37845 = msg("36107", dup321); - -var msg37846 = msg("36108", dup321); - -var msg37847 = msg("36109", dup314); - -var msg37848 = msg("36110", dup314); - -var msg37849 = msg("36111", dup314); - -var msg37850 = msg("36112", dup314); - -var msg37851 = msg("36113", dup309); - -var msg37852 = msg("36114", dup309); - -var msg37853 = msg("36115", dup321); - -var msg37854 = msg("36116", dup314); - -var msg37855 = msg("36117", dup314); - -var msg37856 = msg("36118", dup314); - -var msg37857 = msg("36119", dup314); - -var msg37858 = msg("36120", dup309); - -var msg37859 = msg("36121", dup309); - -var msg37860 = msg("36122", dup309); - -var msg37861 = msg("36123", dup309); - -var msg37862 = msg("36124", dup314); - -var msg37863 = msg("36125", dup314); - -var msg37864 = msg("36126", dup314); - -var msg37865 = msg("36127", dup314); - -var msg37866 = msg("36128", dup314); - -var msg37867 = msg("36129", dup314); - -var msg37868 = msg("36130", dup329); - -var msg37869 = msg("36131", dup325); - -var msg37870 = msg("36132", dup321); - -var msg37871 = msg("36133", dup321); - -var msg37872 = msg("36134", dup321); - -var msg37873 = msg("36135", dup311); - -var msg37874 = msg("36136", dup311); - -var msg37875 = msg("36137", dup311); - -var msg37876 = msg("36138", dup311); - -var msg37877 = msg("36139", dup311); - -var msg37878 = msg("36140", dup311); - -var msg37879 = 
msg("36141", dup311); - -var msg37880 = msg("36142", dup311); - -var msg37881 = msg("36143", dup311); - -var msg37882 = msg("36144", dup311); - -var msg37883 = msg("36145", dup311); - -var msg37884 = msg("36146", dup311); - -var msg37885 = msg("36147", dup309); - -var msg37886 = msg("36148", dup309); - -var msg37887 = msg("36149", dup311); - -var msg37888 = msg("36150", dup311); - -var msg37889 = msg("36151", dup311); - -var msg37890 = msg("36152", dup311); - -var msg37891 = msg("36153", dup309); - -var msg37892 = msg("36154", dup314); - -var msg37893 = msg("36155", dup314); - -var msg37894 = msg("36156", dup314); - -var msg37895 = msg("36157", dup314); - -var msg37896 = msg("36158", dup311); - -var msg37897 = msg("36159", dup311); - -var msg37898 = msg("36160", dup309); - -var msg37899 = msg("36161", dup309); - -var msg37900 = msg("36162", dup309); - -var msg37901 = msg("36163", dup309); - -var msg37902 = msg("36164", dup309); - -var msg37903 = msg("36165", dup309); - -var msg37904 = msg("36166", dup309); - -var msg37905 = msg("36167", dup309); - -var msg37906 = msg("36168", dup309); - -var msg37907 = msg("36169", dup309); - -var msg37908 = msg("36170", dup309); - -var msg37909 = msg("36171", dup309); - -var msg37910 = msg("36172", dup309); - -var msg37911 = msg("36173", dup309); - -var msg37912 = msg("36174", dup309); - -var msg37913 = msg("36175", dup309); - -var msg37914 = msg("36176", dup309); - -var msg37915 = msg("36177", dup309); - -var msg37916 = msg("36178", dup316); - -var msg37917 = msg("36179", dup316); - -var msg37918 = msg("36180", dup316); - -var msg37919 = msg("36181", dup316); - -var msg37920 = msg("36182", dup311); - -var msg37921 = msg("36183", dup309); - -var msg37922 = msg("36184", dup311); - -var msg37923 = msg("36185", dup321); - -var msg37924 = msg("36186", dup321); - -var msg37925 = msg("36187", dup314); - -var msg37926 = msg("36188", dup314); - -var msg37927 = msg("36189", dup314); - -var msg37928 = msg("36190", dup314); - -var msg37929 = 
msg("36191", dup309); - -var msg37930 = msg("36192", dup309); - -var msg37931 = msg("36193", dup311); - -var msg37932 = msg("36194", dup309); - -var msg37933 = msg("36195", dup309); - -var msg37934 = msg("36196", dup309); - -var msg37935 = msg("36197", dup316); - -var msg37936 = msg("36198", dup321); - -var msg37937 = msg("36199", dup321); - -var msg37938 = msg("36200", dup321); - -var msg37939 = msg("36201", dup311); - -var msg37940 = msg("36202", dup321); - -var msg37941 = msg("36203", dup309); - -var msg37942 = msg("36204", dup309); - -var msg37943 = msg("36205", dup321); - -var msg37944 = msg("36206", dup321); - -var msg37945 = msg("36207", dup321); - -var msg37946 = msg("36208", dup314); - -var msg37947 = msg("36209", dup314); - -var msg37948 = msg("36224", dup323); - -var msg37949 = msg("36231", dup321); - -var msg37950 = msg("36232", dup321); - -var msg37951 = msg("36233", dup321); - -var msg37952 = msg("36234", dup321); - -var msg37953 = msg("36235", dup325); - -var msg37954 = msg("36236", dup325); - -var msg37955 = msg("36237", dup325); - -var msg37956 = msg("36238", dup325); - -var msg37957 = msg("36239", dup314); - -var msg37958 = msg("36240", dup314); - -var msg37959 = msg("36241", dup321); - -var msg37960 = msg("36242", dup314); - -var msg37961 = msg("36243", dup314); - -var msg37962 = msg("36244", dup309); - -var msg37963 = msg("36245", dup309); - -var msg37964 = msg("36246", dup323); - -var msg37965 = msg("36247", dup311); - -var msg37966 = msg("36248", dup311); - -var msg37967 = msg("36249", dup311); - -var msg37968 = msg("36250", dup309); - -var msg37969 = msg("36251", dup311); - -var msg37970 = msg("36252", dup324); - -var msg37971 = msg("36253", dup314); - -var msg37972 = msg("36254", dup311); - -var msg37973 = msg("36255", dup311); - -var msg37974 = msg("36256", dup314); - -var msg37975 = msg("36257", dup309); - -var msg37976 = msg("36258", dup309); - -var msg37977 = msg("36259", dup309); - -var msg37978 = msg("36260", dup309); - -var msg37979 = 
msg("36261", dup324); - -var msg37980 = msg("36262", dup324); - -var msg37981 = msg("36263", dup314); - -var msg37982 = msg("36264", dup314); - -var msg37983 = msg("36265", dup314); - -var msg37984 = msg("36266", dup314); - -var msg37985 = msg("36267", dup321); - -var msg37986 = msg("36268", dup321); - -var msg37987 = msg("36269", dup321); - -var msg37988 = msg("36270", dup316); - -var msg37989 = msg("36271", dup311); - -var msg37990 = msg("36272", dup314); - -var msg37991 = msg("36273", dup321); - -var msg37992 = msg("36274", dup321); - -var msg37993 = msg("36275", dup321); - -var msg37994 = msg("36276", dup321); - -var msg37995 = msg("36277", dup323); - -var msg37996 = msg("36278", dup323); - -var msg37997 = msg("36279", dup323); - -var msg37998 = msg("36280", dup323); - -var msg37999 = msg("36281", dup311); - -var msg38000 = msg("36282", dup314); - -var msg38001 = msg("36283", dup322); - -var msg38002 = msg("36284", dup322); - -var msg38003 = msg("36285", dup322); - -var msg38004 = msg("36286", dup311); - -var msg38005 = msg("36287", dup314); - -var msg38006 = msg("36288", dup314); - -var msg38007 = msg("36289", dup314); - -var msg38008 = msg("36290", dup314); - -var msg38009 = msg("36291", dup314); - -var msg38010 = msg("36292", dup314); - -var msg38011 = msg("36293", dup321); - -var msg38012 = msg("36294", dup321); - -var msg38013 = msg("36295", dup311); - -var msg38014 = msg("36296", dup311); - -var msg38015 = msg("36297", dup314); - -var msg38016 = msg("36298", dup314); - -var msg38017 = msg("36299", dup314); - -var msg38018 = msg("36300", dup314); - -var msg38019 = msg("36301", dup314); - -var msg38020 = msg("36302", dup314); - -var msg38021 = msg("36303", dup321); - -var msg38022 = msg("36304", dup321); - -var msg38023 = msg("36305", dup309); - -var msg38024 = msg("36306", dup309); - -var msg38025 = msg("36307", dup309); - -var msg38026 = msg("36308", dup309); - -var msg38027 = msg("36309", dup309); - -var msg38028 = msg("36310", dup309); - -var msg38029 = 
msg("36311", dup314); - -var msg38030 = msg("36312", dup314); - -var msg38031 = msg("36313", dup314); - -var msg38032 = msg("36314", dup314); - -var msg38033 = msg("36315", dup311); - -var msg38034 = msg("36316", dup314); - -var msg38035 = msg("36317", dup314); - -var msg38036 = msg("36318", dup314); - -var msg38037 = msg("36319", dup314); - -var msg38038 = msg("36320", dup314); - -var msg38039 = msg("36321", dup314); - -var msg38040 = msg("36322", dup314); - -var msg38041 = msg("36323", dup314); - -var msg38042 = msg("36324", dup314); - -var msg38043 = msg("36325", dup321); - -var msg38044 = msg("36326", dup321); - -var msg38045 = msg("36327", dup321); - -var msg38046 = msg("36328", dup321); - -var msg38047 = msg("36329", dup321); - -var msg38048 = msg("36330", dup314); - -var msg38049 = msg("36331", dup321); - -var msg38050 = msg("36332", dup311); - -var msg38051 = msg("36333", dup314); - -var msg38052 = msg("36334", dup314); - -var msg38053 = msg("36335", dup314); - -var msg38054 = msg("36336", dup314); - -var msg38055 = msg("36337", dup314); - -var msg38056 = msg("36338", dup310); - -var msg38057 = msg("36339", dup311); - -var msg38058 = msg("36340", dup311); - -var msg38059 = msg("36341", dup311); - -var msg38060 = msg("36342", dup311); - -var msg38061 = msg("36343", dup311); - -var msg38062 = msg("36344", dup311); - -var msg38063 = msg("36345", dup311); - -var msg38064 = msg("36346", dup311); - -var msg38065 = msg("36347", dup311); - -var msg38066 = msg("36348", dup311); - -var msg38067 = msg("36349", dup314); - -var msg38068 = msg("36350", dup314); - -var msg38069 = msg("36351", dup314); - -var msg38070 = msg("36352", dup314); - -var msg38071 = msg("36353", dup314); - -var msg38072 = msg("36354", dup314); - -var msg38073 = msg("36355", dup314); - -var msg38074 = msg("36356", dup314); - -var msg38075 = msg("36357", dup314); - -var msg38076 = msg("36358", dup314); - -var msg38077 = msg("36359", dup311); - -var msg38078 = msg("36360", dup311); - -var msg38079 = 
msg("36361", dup311); - -var msg38080 = msg("36362", dup311); - -var msg38081 = msg("36363", dup311); - -var msg38082 = msg("36364", dup311); - -var msg38083 = msg("36365", dup311); - -var msg38084 = msg("36366", dup311); - -var msg38085 = msg("36367", dup309); - -var msg38086 = msg("36368", dup309); - -var msg38087 = msg("36369", dup309); - -var msg38088 = msg("36370", dup309); - -var msg38089 = msg("36371", dup311); - -var msg38090 = msg("36372", dup311); - -var msg38091 = msg("36373", dup311); - -var msg38092 = msg("36374", dup311); - -var msg38093 = msg("36375", dup310); - -var msg38094 = msg("36376", dup309); - -var msg38095 = msg("36377", dup324); - -var msg38096 = msg("36378", dup324); - -var msg38097 = msg("36379", dup327); - -var msg38098 = msg("36380", dup314); - -var msg38099 = msg("36381", dup321); - -var msg38100 = msg("36382", dup321); - -var msg38101 = msg("36383", dup314); - -var msg38102 = msg("36384", dup314); - -var msg38103 = msg("36389", dup321); - -var msg38104 = msg("36390", dup321); - -var msg38105 = msg("36391", dup321); - -var msg38106 = msg("36392", dup321); - -var msg38107 = msg("36393", dup321); - -var msg38108 = msg("36394", dup321); - -var msg38109 = msg("36395", dup321); - -var msg38110 = msg("36396", dup321); - -var msg38111 = msg("36397", dup321); - -var msg38112 = msg("36398", dup311); - -var msg38113 = msg("36399", dup311); - -var msg38114 = msg("36400", dup311); - -var msg38115 = msg("36401", dup325); - -var msg38116 = msg("36402", dup325); - -var msg38117 = msg("36403", dup314); - -var msg38118 = msg("36404", dup314); - -var msg38119 = msg("36405", dup314); - -var msg38120 = msg("36406", dup314); - -var msg38121 = msg("36407", dup311); - -var msg38122 = msg("36408", dup311); - -var msg38123 = msg("36409", dup311); - -var msg38124 = msg("36410", dup311); - -var msg38125 = msg("36411", dup325); - -var msg38126 = msg("36412", dup325); - -var msg38127 = msg("36413", dup325); - -var msg38128 = msg("36414", dup325); - -var msg38129 = 
msg("36415", dup311); - -var msg38130 = msg("36416", dup311); - -var msg38131 = msg("36417", dup325); - -var msg38132 = msg("36418", dup325); - -var msg38133 = msg("36419", dup314); - -var msg38134 = msg("36420", dup314); - -var msg38135 = msg("36421", dup314); - -var msg38136 = msg("36422", dup314); - -var msg38137 = msg("36423", dup325); - -var msg38138 = msg("36424", dup325); - -var msg38139 = msg("36425", dup309); - -var msg38140 = msg("36426", dup309); - -var msg38141 = msg("36427", dup309); - -var msg38142 = msg("36428", dup309); - -var msg38143 = msg("36429", dup309); - -var msg38144 = msg("36430", dup309); - -var msg38145 = msg("36431", dup311); - -var msg38146 = msg("36432", dup311); - -var msg38147 = msg("36433", dup325); - -var msg38148 = msg("36434", dup325); - -var msg38149 = msg("36435", dup314); - -var msg38150 = msg("36436", dup325); - -var msg38151 = msg("36437", dup325); - -var msg38152 = msg("36438", dup325); - -var msg38153 = msg("36439", dup325); - -var msg38154 = msg("36440", dup325); - -var msg38155 = msg("36441", dup311); - -var msg38156 = msg("36442", dup311); - -var msg38157 = msg("36443", dup325); - -var msg38158 = msg("36444", dup325); - -var msg38159 = msg("36445", dup314); - -var msg38160 = msg("36446", dup314); - -var msg38161 = msg("36447", dup309); - -var msg38162 = msg("36448", dup309); - -var msg38163 = msg("36449", dup308); - -var msg38164 = msg("36450", dup325); - -var msg38165 = msg("36451", dup325); - -var msg38166 = msg("36452", dup311); - -var msg38167 = msg("36453", dup311); - -var msg38168 = msg("36454", dup311); - -var msg38169 = msg("36455", dup311); - -var msg38170 = msg("36456", dup309); - -var msg38171 = msg("36457", dup311); - -var msg38172 = msg("36458", dup323); - -var msg38173 = msg("36459", dup323); - -var msg38174 = msg("36460", dup321); - -var msg38175 = msg("36461", dup309); - -var msg38176 = msg("36462", dup309); - -var msg38177 = msg("36463", dup309); - -var msg38178 = msg("36464", dup321); - -var msg38179 = 
msg("36465", dup321); - -var msg38180 = msg("36466", dup321); - -var msg38181 = msg("36467", dup321); - -var msg38182 = msg("36468", dup321); - -var msg38183 = msg("36469", dup321); - -var msg38184 = msg("36470", dup321); - -var msg38185 = msg("36471", dup321); - -var msg38186 = msg("36472", dup314); - -var msg38187 = msg("36473", dup314); - -var msg38188 = msg("36474", dup314); - -var msg38189 = msg("36475", dup314); - -var msg38190 = msg("36476", dup314); - -var msg38191 = msg("36477", dup314); - -var msg38192 = msg("36478", dup314); - -var msg38193 = msg("36479", dup314); - -var msg38194 = msg("36480", dup314); - -var msg38195 = msg("36481", dup314); - -var msg38196 = msg("36482", dup314); - -var msg38197 = msg("36483", dup314); - -var msg38198 = msg("36484", dup314); - -var msg38199 = msg("36485", dup314); - -var msg38200 = msg("36486", dup314); - -var msg38201 = msg("36487", dup314); - -var msg38202 = msg("36488", dup314); - -var msg38203 = msg("36489", dup314); - -var msg38204 = msg("36490", dup314); - -var msg38205 = msg("36491", dup314); - -var msg38206 = msg("36492", dup311); - -var msg38207 = msg("36493", dup309); - -var msg38208 = msg("36494", dup323); - -var msg38209 = msg("36495", dup314); - -var msg38210 = msg("36496", dup314); - -var msg38211 = msg("36497", dup321); - -var msg38212 = msg("36498", dup309); - -var msg38213 = msg("36499", dup309); - -var msg38214 = msg("36500", dup309); - -var msg38215 = msg("36501", dup309); - -var msg38216 = msg("36502", dup314); - -var msg38217 = msg("36503", dup314); - -var msg38218 = msg("36504", dup314); - -var msg38219 = msg("36505", dup314); - -var msg38220 = msg("36506", dup321); - -var msg38221 = msg("36507", dup323); - -var msg38222 = msg("36508", dup323); - -var msg38223 = msg("36509", dup323); - -var msg38224 = msg("36510", dup323); - -var msg38225 = msg("36511", dup314); - -var msg38226 = msg("36512", dup314); - -var msg38227 = msg("36513", dup314); - -var msg38228 = msg("36514", dup314); - -var msg38229 = 
msg("36515", dup314); - -var msg38230 = msg("36516", dup314); - -var msg38231 = msg("36517", dup314); - -var msg38232 = msg("36518", dup321); - -var msg38233 = msg("36519", dup321); - -var msg38234 = msg("36520", dup321); - -var msg38235 = msg("36521", dup321); - -var msg38236 = msg("36522", dup321); - -var msg38237 = msg("36523", dup311); - -var msg38238 = msg("36524", dup309); - -var msg38239 = msg("36525", dup309); - -var msg38240 = msg("36526", dup321); - -var msg38241 = msg("36527", dup311); - -var msg38242 = msg("36528", dup311); - -var msg38243 = msg("36529", dup311); - -var msg38244 = msg("36530", dup311); - -var msg38245 = msg("36531", dup314); - -var msg38246 = msg("36532", dup311); - -var msg38247 = msg("36533", dup314); - -var msg38248 = msg("36534", dup314); - -var msg38249 = msg("36535", dup311); - -var msg38250 = msg("36536", dup309); - -var msg38251 = msg("36537", dup321); - -var msg38252 = msg("36538", dup321); - -var msg38253 = msg("36539", dup321); - -var msg38254 = msg("36540", dup321); - -var msg38255 = msg("36541", dup314); - -var msg38256 = msg("36542", dup309); - -var msg38257 = msg("36543", dup311); - -var msg38258 = msg("36544", dup323); - -var msg38259 = msg("36545", dup311); - -var msg38260 = msg("36546", dup311); - -var msg38261 = msg("36547", dup311); - -var msg38262 = msg("36548", dup311); - -var msg38263 = msg("36549", dup314); - -var msg38264 = msg("36550", dup314); - -var msg38265 = msg("36551", dup314); - -var msg38266 = msg("36552", dup314); - -var msg38267 = msg("36553", dup314); - -var msg38268 = msg("36554", dup314); - -var msg38269 = msg("36555", dup314); - -var msg38270 = msg("36556", dup314); - -var msg38271 = msg("36557", dup324); - -var msg38272 = msg("36558", dup324); - -var msg38273 = msg("36559", dup311); - -var msg38274 = msg("36560", dup311); - -var msg38275 = msg("36561", dup314); - -var msg38276 = msg("600009", dup196); - -var msg38277 = msg("600010", dup265); - -var msg38278 = msg("600015", dup265); - -var 
msg38279 = msg("6000022", dup353); - -var msg38280 = msg("600023", dup196); - -var msg38281 = msg("6000025", dup353); - -var msg38282 = msg("1000001", dup246); - -var msg38283 = msg("1000002", dup246); - -var msg38284 = msg("1000003", dup196); - -var all65 = all_match({ - processors: [ - dup57, - dup175, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup62, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - ]), -}); - -var msg38285 = msg("1000003:01", all65); - -var select2443 = linear_select([ - msg38284, - msg38285, -]); - -var msg38286 = msg("1000004", dup196); - -var msg38287 = msg("1000005", dup196); - -var msg38288 = msg("1000007", dup265); - -var msg38289 = msg("1000010", dup230); - -var msg38290 = msg("1000012", dup196); - -var msg38291 = msg("1000014", dup265); - -var msg38292 = msg("1000015", dup297); - -var msg38293 = msg("1000016", dup242); - -var msg38294 = msg("1000020", dup192); - -var msg38295 = msg("1000021", dup276); - -var msg38296 = msg("1000022", dup276); - -var msg38297 = msg("1000023", dup196); - -var msg38298 = msg("1000024", dup196); - -var msg38299 = msg("1000026", dup192); - -var msg38300 = msg("1000028", dup196); - -var msg38301 = msg("1000029", dup265); - -var msg38302 = msg("1000030", dup196); - -var msg38303 = msg("1000031", dup265); - -var msg38304 = msg("1000032", dup285); - -var msg38305 = msg("1000033", dup265); - -var msg38306 = msg("1000034", dup265); - -var msg38307 = msg("1000035", dup265); - -var msg38308 = msg("1000036", dup196); - -var msg38309 = msg("1000037", dup196); - -var msg38310 = msg("1000038", dup196); - -var msg38311 = msg("1000039", dup265); - -var msg38312 = msg("1000040", dup265); - -var msg38313 = msg("1000041", dup196); - -var msg38314 = msg("1000043", dup265); - -var msg38315 = msg("1000044", dup196); - -var msg38316 = msg("1000045", dup196); - -var msg38317 = msg("1000046", dup196); - -var msg38318 = msg("1000047", dup196); - -var msg38319 = msg("1000048", 
dup196); - -var msg38320 = msg("1000049", dup265); - -var msg38321 = msg("1000050", dup265); - -var msg38322 = msg("1000054", dup196); - -var msg38323 = msg("1000055", dup196); - -var msg38324 = msg("1000056", dup196); - -var msg38325 = msg("1000057", dup196); - -var msg38326 = msg("2000480", dup230); - -var msg38327 = msg("2000538", dup194); - -var msg38328 = msg("2000540", dup194); - -var msg38329 = msg("2000562", dup263); - -var msg38330 = msg("2000648", dup196); - -var msg38331 = msg("2000716", dup248); - -var msg38332 = msg("2000969", dup265); - -var msg38333 = msg("2000971", dup265); - -var msg38334 = msg("2000974", dup265); - -var msg38335 = msg("2000976", dup265); - -var msg38336 = msg("2000977", dup265); - -var msg38337 = msg("2000987", dup265); - -var msg38338 = msg("2000990", dup265); - -var msg38339 = msg("2000993", dup265); - -var msg38340 = msg("2000997", dup265); - -var msg38341 = msg("2001002", dup265); - -var msg38342 = msg("2001010", dup265); - -var msg38343 = msg("2001012", dup265); - -var msg38344 = msg("2001013", dup265); - -var msg38345 = msg("2001023", dup265); - -var msg38346 = msg("2001025", dup265); - -var msg38347 = msg("2001030", dup265); - -var msg38348 = msg("2001040", dup265); - -var msg38349 = msg("2001042", dup196); - -var msg38350 = msg("2001244", dup265); - -var msg38351 = msg("2001245", dup265); - -var msg38352 = msg("2001286", dup265); - -var msg38353 = msg("2001287", dup265); - -var msg38354 = msg("2001288", dup265); - -var msg38355 = msg("2001367", dup265); - -var msg38356 = msg("2001400", dup265); - -var msg38357 = msg("2001402", dup265); - -var msg38358 = msg("2001411", dup242); - -var msg38359 = msg("2001417", dup242); - -var msg38360 = msg("2001419", dup242); - -var msg38361 = msg("2001567", dup265); - -var msg38362 = msg("2001568", dup265); - -var msg38363 = msg("2001569", dup194); - -var msg38364 = msg("2001579", dup194); - -var msg38365 = msg("2001581", dup194); - -var msg38366 = msg("2001726", dup265); - -var msg38367 
= msg("2001801", dup267); - -var msg38368 = msg("2001852", dup265); - -var msg38369 = msg("2001893", dup242); - -var msg38370 = msg("2001904", dup194); - -var msg38371 = msg("2001945", dup265); - -var msg38372 = msg("2001970", dup297); - -var msg38373 = msg("2001972", dup194); - -var msg38374 = msg("2002032", dup192); - -var msg38375 = msg("2002134", dup265); - -var msg38376 = msg("2002170", dup196); - -var msg38377 = msg("2002176", dup265); - -var msg38378 = msg("2002190", dup265); - -var msg38379 = msg("2002196", dup196); - -var msg38380 = msg("2002200", dup265); - -var msg38381 = msg("2002205", dup303); - -var msg38382 = msg("2002910", dup194); - -var msg38383 = msg("2002911", dup194); - -var msg38384 = msg("2002992", dup194); - -var msg38385 = msg("2002993", dup194); - -var msg38386 = msg("2002994", dup194); - -var msg38387 = msg("2003157", dup192); - -var msg38388 = msg("2003183", dup192); - -var msg38389 = msg("2003380", dup192); - -var msg38390 = msg("2003642", dup192); - -var msg38391 = msg("2003870", dup194); - -var msg38392 = msg("2007142", dup192); - -var msg38393 = msg("2007585", dup192); - -var msg38394 = msg("2007588", dup192); - -var msg38395 = msg("2007594", dup192); - -var msg38396 = msg("2007688", dup192); - -var msg38397 = msg("2007702", dup192); - -var msg38398 = msg("2007724", dup192); - -var msg38399 = msg("2007920", dup192); - -var msg38400 = msg("2007962", dup192); - -var msg38401 = msg("2007963", dup265); - -var msg38402 = msg("2007964", dup192); - -var msg38403 = msg("2008010", dup192); - -var msg38404 = msg("2008056", dup192); - -var msg38405 = msg("2008059", dup192); - -var msg38406 = msg("2008082", dup192); - -var msg38407 = msg("2008109", dup192); - -var msg38408 = msg("2008124", dup192); - -var msg38409 = msg("2008143", dup192); - -var msg38410 = msg("2008182", dup192); - -var msg38411 = msg("2008194", dup192); - -var msg38412 = msg("2008335", dup192); - -var msg38413 = msg("2008373", dup196); - -var msg38414 = msg("2008384", dup192); 
- -var msg38415 = msg("2008386", dup192); - -var msg38416 = msg("2008420", dup192); - -var msg38417 = msg("2008475", dup196); - -var msg38418 = msg("2008480", dup192); - -var msg38419 = msg("2008505", dup196); - -var msg38420 = msg("2404003", dup196); - -var msg38421 = msg("2404011", dup196); - -var msg38422 = msg("2404013", dup196); - -var msg38423 = msg("2404015", dup196); - -var msg38424 = msg("2404016", dup196); - -var msg38425 = msg("3000005", dup194); - -var msg38426 = msg("3404269", dup194); - -var msg38427 = msg("3404272", dup194); - -var msg38428 = msg("8888888", dup314); - -var msg38429 = msg("8888889", dup314); - -var msg38430 = msg("100000121", dup265); - -var msg38431 = msg("100000122", dup267); - -var msg38432 = msg("100000137", dup287); - -var msg38433 = msg("100000138", dup265); - -var msg38434 = msg("100000160", dup197); - -var msg38435 = msg("100000161", dup287); - -var msg38436 = msg("100000185", dup265); - -var msg38437 = msg("100000211", dup265); - -var msg38438 = msg("100000213", dup265); - -var msg38439 = msg("100000219", dup250); - -var msg38440 = msg("100000241", dup196); - -var msg38441 = msg("100000262", dup196); - -var msg38442 = msg("100000266", dup196); - -var msg38443 = msg("100000272", dup196); - -var msg38444 = msg("100000273", dup196); - -var msg38445 = msg("100000274", dup194); - -var msg38446 = msg("100000275", dup194); - -var msg38447 = msg("100000277", dup196); - -var msg38448 = msg("100000278", dup196); - -var msg38449 = msg("100000550", dup265); - -var msg38450 = msg("100000687", dup198); - -var msg38451 = msg("100000689", dup250); - -var all66 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup127, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var msg38452 = msg("snort-sid-template", all66); - -var part13 = match("MESSAGE#38452:spp_portscan/0", "nwparser.payload", "PORTSCAN 
DETECTED from %{p0}"); - -var part14 = match("MESSAGE#38452:spp_portscan/1_0", "nwparser.p0", "%{saddr}:%{sport->} (%{location_src})(THRESHOLD %{p0}"); - -var part15 = match("MESSAGE#38452:spp_portscan/1_1", "nwparser.p0", "%{saddr}:%{sport}(THRESHOLD %{p0}"); - -var part16 = match("MESSAGE#38452:spp_portscan/1_2", "nwparser.p0", "%{saddr}(THRESHOLD %{p0}"); - -var select2444 = linear_select([ - part14, - part15, - part16, -]); - -var part17 = match("MESSAGE#38452:spp_portscan/2", "nwparser.p0", "%{dclass_counter1->} connections exceeded in %{duration->} seconds)"); - -var all67 = all_match({ - processors: [ - part13, - select2444, - part17, - ], - on_success: processor_chain([ - dup61, - dup31, - dup128, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - ]), -}); - -var msg38453 = msg("spp_portscan", all67); - -var part18 = match("MESSAGE#38453:spp_portscan:01", "nwparser.payload", "portscan status from %{saddr}: %{dclass_counter1->} connections across %{fld1->} hosts: %{fld2}, %{fld3}", processor_chain([ - dup61, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup128, -])); - -var msg38454 = msg("spp_portscan:01", part18); - -var part19 = match("MESSAGE#38454:spp_portscan:02", "nwparser.payload", "End of portscan from %{saddr}: TOTAL time(%{fld1}) hosts(%{fld2}) %{fld3->} %{fld4}", processor_chain([ - dup61, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, -])); - -var msg38455 = msg("spp_portscan:02", part19); - -var msg38456 = msg("spp_portscan:03", dup194); - -var select2445 = linear_select([ - msg38453, - msg38454, - msg38455, - msg38456, -]); - -var part20 = match("MESSAGE#38456:Portscan", "nwparser.payload", "Portscan detected from %{saddr->} Talker(%{fld1}) Scanner(%{fld2})", processor_chain([ - dup61, - dup31, - dup32, -])); - -var msg38457 = msg("Portscan", part20); - -var part21 = match("MESSAGE#38457:Hops_Change", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} 
%{event_time_string->} UTC -*> IP Address: %{saddr->} Hops: %{result}", processor_chain([ - dup127, - dup31, - dup32, - dup47, - dup129, -])); - -var msg38458 = msg("Hops_Change", part21); - -var msg38459 = msg("MAC_Information_Change", dup354); - -var msg38460 = msg("Additional_MAC_Detected_for", dup354); - -var part22 = match("MESSAGE#38460:NETBIOS_Name_Change", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} NETBIOS Name: %{result}", processor_chain([ - dup127, - dup31, - dup32, - dup47, - dup129, -])); - -var msg38461 = msg("NETBIOS_Name_Change", part22); - -var part23 = match("MESSAGE#38461:New_Host/1_0", "nwparser.p0", "MAC Address: %{smacaddr->} Host Type: %{p0}"); - -var part24 = match("MESSAGE#38461:New_Host/1_1", "nwparser.p0", "IP Address: %{saddr->} Host Type: %{p0}"); - -var select2446 = linear_select([ - part23, - part24, -]); - -var part25 = match_copy("MESSAGE#38461:New_Host/2", "nwparser.p0", "fld7"); - -var all68 = all_match({ - processors: [ - dup133, - select2446, - part25, - ], - on_success: processor_chain([ - dup127, - dup31, - dup32, - dup47, - dup129, - ]), -}); - -var msg38462 = msg("New_Host", all68); - -var part26 = match("MESSAGE#38462:New_Network_Protocol/1_0", "nwparser.p0", "MAC Address: %{smacaddr->} Network Protocol: %{p0}"); - -var part27 = match("MESSAGE#38462:New_Network_Protocol/1_1", "nwparser.p0", "IP Address: %{saddr->} Network Protocol: %{p0}"); - -var select2447 = linear_select([ - part26, - part27, -]); - -var all69 = all_match({ - processors: [ - dup133, - select2447, - dup134, - ], - on_success: processor_chain([ - dup135, - dup31, - dup32, - dup47, - dup129, - ]), -}); - -var msg38463 = msg("New_Network_Protocol", all69); - -var part28 = match("MESSAGE#38463:New_UDP_Service", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{protocol}", processor_chain([ - dup135, - 
dup31, - dup32, - dup47, - dup129, -])); - -var msg38464 = msg("New_UDP_Service", part28); - -var part29 = match("MESSAGE#38464:New_Transport_Protocol", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Transport Protocol: %{protocol}", processor_chain([ - dup135, - dup31, - dup32, - dup47, - dup129, -])); - -var msg38465 = msg("New_Transport_Protocol", part29); - -var msg38466 = msg("OS_Confidence_Update", dup183); - -var msg38467 = msg("OS_Information_Update", dup183); - -var msg38468 = msg("TCP_Service_Confidence_Update", dup184); - -var part30 = match("MESSAGE#38468:TCP_Service_Information_Update/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport->} Service: %{p0}"); - -var all70 = all_match({ - processors: [ - part30, - dup185, - ], - on_success: processor_chain([ - dup135, - dup31, - dup32, - dup47, - dup129, - ]), -}); - -var msg38469 = msg("TCP_Service_Information_Update", all70); - -var part31 = match("MESSAGE#38469:VLAN_Tag_Information_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> MAC Address: %{saddr->} VLAN ID: %{sport->} Type: %{protocol->} Priority: %{threat_val}", processor_chain([ - dup135, - dup31, - dup32, - dup47, - dup129, - dup45, -])); - -var msg38470 = msg("VLAN_Tag_Information_Update", part31); - -var part32 = match("MESSAGE#38470:New_OS/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} OS: %{p0}"); - -var part33 = match("MESSAGE#38470:New_OS/1_0", "nwparser.p0", "%{os->} Device Info: %{fld7}"); - -var part34 = match_copy("MESSAGE#38470:New_OS/1_1", "nwparser.p0", "os"); - -var select2448 = linear_select([ - part33, - part34, -]); - -var all71 = all_match({ - processors: [ - part32, - select2448, - ], - on_success: processor_chain([ - dup135, - dup31, - 
dup32, - dup47, - dup129, - ]), -}); - -var msg38471 = msg("New_OS", all71); - -var msg38472 = msg("New_Client_Application", dup186); - -var msg38473 = msg("Client_Application_Update", dup186); - -var msg38474 = msg("New_TCP_Service", dup187); - -var msg38475 = msg("TCP_Port_Closed", dup187); - -var msg38476 = msg("TCP_Port_Timeout", dup188); - -var part35 = match("MESSAGE#38476:Client_Application_Timeout", "nwparser.payload", "%{context->} From %{sensor->} at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} web browser %{application}", processor_chain([ - dup135, - dup31, - dup32, - dup47, - dup129, -])); - -var msg38477 = msg("Client_Application_Timeout", part35); - -var msg38478 = msg("Host_Timeout", dup188); - -var part36 = match("MESSAGE#38478:Identity_Timeout", "nwparser.payload", "%{context->} From %{sensor->} at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} OS%{os}", processor_chain([ - dup135, - dup31, - dup32, - dup47, - dup129, -])); - -var msg38479 = msg("Identity_Timeout", part36); - -var part37 = match("MESSAGE#38479:Identity_Timeout:01/0", "nwparser.payload", "%{context->} From %{sensor->} at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Serv%{p0}"); - -var part38 = match("MESSAGE#38479:Identity_Timeout:01/1_0", "nwparser.p0", "ice%{p0}"); - -var part39 = match("MESSAGE#38479:Identity_Timeout:01/1_1", "nwparser.p0", "er%{p0}"); - -var select2449 = linear_select([ - part38, - part39, -]); - -var part40 = match("MESSAGE#38479:Identity_Timeout:01/2", "nwparser.p0", "%{}port: %{sport}/%{protocol->} %{network_service}"); - -var all72 = all_match({ - processors: [ - part37, - select2449, - part40, - ], - on_success: processor_chain([ - dup135, - dup31, - dup32, - dup47, - dup129, - ]), -}); - -var msg38480 = msg("Identity_Timeout:01", all72); - -var select2450 = linear_select([ - msg38479, - msg38480, -]); - -var msg38481 = msg("UDP_Port_Timeout", dup188); - -var msg38482 = 
msg("UDP_Service_Confidence_Update", dup184); - -var part41 = match("MESSAGE#38482:UDP_Service_Information_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport->} Service: %{protocol->} Confidence: %{result->} Subtypes: %{fld1}", processor_chain([ - dup135, - dup31, - dup32, - dup47, - dup129, -])); - -var msg38483 = msg("UDP_Service_Information_Update", part41); - -var msg38484 = msg("UDP_Service_Information_Update:01", dup184); - -var select2451 = linear_select([ - msg38483, - msg38484, -]); - -var part42 = match("MESSAGE#38484:EmergingThreats/0", "nwparser.payload", "%{context->} [%{p0}"); - -var part43 = match("MESSAGE#38484:EmergingThreats/1_0", "nwparser.p0", "Impact: %{result}] From \"%{sensor}\" at %{fld6->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{p0}"); - -var part44 = match("MESSAGE#38484:EmergingThreats/1_1", "nwparser.p0", "Classification: %{sigtype}] [Priority: %{p0}"); - -var part45 = match("MESSAGE#38484:EmergingThreats/1_2", "nwparser.p0", "%{info}] [Priority: %{p0}"); - -var select2452 = linear_select([ - part43, - part44, - part45, -]); - -var part46 = match("MESSAGE#38484:EmergingThreats/2", "nwparser.p0", "%{threat_val->} ]%{p0}"); - -var all73 = all_match({ - processors: [ - part42, - select2452, - part46, - dup178, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup102, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - setf("sigid","hsigid"), - dup51, - dup76, - dup56, - ]), -}); - -var msg38485 = msg("EmergingThreats", all73); - -var part47 = match("MESSAGE#38485:S5", "nwparser.payload", "Pruned session from cache that was using %{bytes->} bytes (%{result}). 
%{saddr->} %{fld1->} --> %{daddr->} %{fld2->} (%{fld3}) : %{info}", processor_chain([ - dup127, - dup31, - dup32, -])); - -var msg38486 = msg("S5", part47); - -var part48 = match("MESSAGE#38486:S5:01", "nwparser.payload", "Session exceeded configured max bytes to queue %{fld4->} using %{bytes->} bytes (%{result}). %{saddr->} %{fld1->} --> %{daddr->} %{fld2->} (%{fld3}) : %{info}", processor_chain([ - dup127, - dup31, - dup32, -])); - -var msg38487 = msg("S5:01", part48); - -var select2453 = linear_select([ - msg38486, - msg38487, -]); - -var part49 = match("MESSAGE#38487:SystemSettings:01", "nwparser.payload", "Login, Login Success%{}", processor_chain([ - dup112, - dup31, - dup32, - dup137, - dup138, - dup139, - dup140, - dup141, - dup47, - dup142, - dup143, -])); - -var msg38488 = msg("SystemSettings:01", part49); - -var part50 = match("MESSAGE#38488:SystemSettings:02", "nwparser.payload", "Logout, Logout Success%{}", processor_chain([ - setc("eventcategory","1802000000"), - dup31, - dup32, - dup137, - dup144, - dup139, - dup140, - dup141, - dup47, - dup142, - dup143, -])); - -var msg38489 = msg("SystemSettings:02", part50); - -var part51 = match("MESSAGE#38489:SystemSettings:03", "nwparser.payload", "System > %{info}", processor_chain([ - dup127, - dup31, - dup32, - dup141, - dup47, - dup142, - dup143, - setc("category","System"), -])); - -var msg38490 = msg("SystemSettings:03", part51); - -var part52 = match("MESSAGE#38490:SystemSettings:04", "nwparser.payload", "Policies > %{info}", processor_chain([ - dup127, - dup31, - dup32, - dup141, - dup47, - dup142, - dup143, - setc("category","Policies"), -])); - -var msg38491 = msg("SystemSettings:04", part52); - -var part53 = match("MESSAGE#38491:SystemSettings:05", "nwparser.payload", "Object > %{info}", processor_chain([ - dup127, - dup31, - dup32, - dup141, - dup47, - dup142, - dup143, -])); - -var msg38492 = msg("SystemSettings:05", part53); - -var part54 = match("MESSAGE#38492:SystemSettings:06", 
"nwparser.payload", "Overview > %{info}", processor_chain([ - dup127, - dup31, - dup32, - dup141, - dup47, - dup142, - dup143, -])); - -var msg38493 = msg("SystemSettings:06", part54); - -var part55 = match("MESSAGE#38493:SystemSettings:07", "nwparser.payload", "Task Queue, %{info}", processor_chain([ - dup127, - dup31, - dup32, - dup141, - dup47, - dup142, - dup143, - setc("category","Task Queue"), -])); - -var msg38494 = msg("SystemSettings:07", part55); - -var part56 = match("MESSAGE#38494:SystemSettings:08", "nwparser.payload", "Intrusion Policy > %{info}", processor_chain([ - dup127, - dup31, - dup32, - dup141, - dup47, - dup142, - dup143, - setc("category","Intrusion Policy"), -])); - -var msg38495 = msg("SystemSettings:08", part56); - -var part57 = match("MESSAGE#38495:SystemSettings:09/0", "nwparser.payload", "Analysis \u0026 Reporting %{p0}"); - -var part58 = match("MESSAGE#38495:SystemSettings:09/1_1", "nwparser.p0", ",%{p0}"); - -var select2454 = linear_select([ - dup145, - part58, -]); - -var part59 = match("MESSAGE#38495:SystemSettings:09/2", "nwparser.p0", "%{} %{info}"); - -var all74 = all_match({ - processors: [ - part57, - select2454, - part59, - ], - on_success: processor_chain([ - dup127, - dup31, - dup32, - dup141, - dup47, - dup142, - dup143, - setc("category","Analysis \u0026 Reporting"), - ]), -}); - -var msg38496 = msg("SystemSettings:09", all74); - -var part60 = match("MESSAGE#38496:SystemSettings:10", "nwparser.payload", "Heartbeat, %{info}", processor_chain([ - dup127, - dup31, - dup32, - dup141, - dup47, - dup142, - dup143, - setc("category","Heartbeat"), -])); - -var msg38497 = msg("SystemSettings:10", part60); - -var part61 = match("MESSAGE#38497:SystemSettings:11", "nwparser.payload", "FailD, %{info}", processor_chain([ - dup127, - dup31, - dup32, - dup141, - dup47, - dup142, - dup143, -])); - -var msg38498 = msg("SystemSettings:11", part61); - -var part62 = match("MESSAGE#38498:SystemSettings:12", "nwparser.payload", "Health > 
%{info}", processor_chain([ - dup127, - dup31, - dup32, - dup141, - dup47, - dup142, - dup143, - setc("category","Health"), -])); - -var msg38499 = msg("SystemSettings:12", part62); - -var part63 = match("MESSAGE#38499:SystemSettings:13", "nwparser.payload", "Session Expiration, %{info}", processor_chain([ - dup127, - dup31, - dup32, - dup141, - dup47, - dup142, - dup143, - dup146, -])); - -var msg38500 = msg("SystemSettings:13", part63); - -var part64 = match("MESSAGE#38500:SystemSettings:14", "nwparser.payload", "Analysis %{info}", processor_chain([ - dup127, - dup31, - dup32, - dup141, - dup47, - dup142, - dup143, - dup146, -])); - -var msg38501 = msg("SystemSettings:14", part64); - -var part65 = match("MESSAGE#38501:SystemSettings:15", "nwparser.payload", "Devices %{info}", processor_chain([ - dup127, - dup31, - dup32, - dup141, - dup47, - dup142, - dup143, - dup146, -])); - -var msg38502 = msg("SystemSettings:15", part65); - -var part66 = match("MESSAGE#38502:SystemSettings:16", "nwparser.payload", "Intrusion Events,%{info}", processor_chain([ - dup127, - dup31, - dup32, - dup141, - dup47, - dup142, - dup143, - setc("category","Intrusion Events"), -])); - -var msg38503 = msg("SystemSettings:16", part66); - -var part67 = match("MESSAGE#38503:SystemSettings:17", "nwparser.payload", "Login, Login Failed%{}", processor_chain([ - dup91, - dup31, - dup137, - dup138, - dup139, - setc("ec_outcome","Failure"), - dup32, - dup141, - dup47, - dup142, - dup143, - setc("event_description","Login Failed"), -])); - -var msg38504 = msg("SystemSettings:17", part67); - -var part68 = match("MESSAGE#38504:SystemSettings:18", "nwparser.payload", "Command Line,%{info}", processor_chain([ - dup127, - dup31, - dup32, - dup141, - dup47, - dup142, - dup143, -])); - -var msg38505 = msg("SystemSettings:18", part68); - -var part69 = match("MESSAGE#38505:SystemSettings:19", "nwparser.payload", "Access Control Policy > %{info}", processor_chain([ - dup127, - dup31, - dup32, - dup141, - 
dup47, - dup142, - dup143, -])); - -var msg38506 = msg("SystemSettings:19", part69); - -var part70 = match_copy("MESSAGE#38506:SystemSettings:20", "nwparser.payload", "info", processor_chain([ - dup127, - dup31, - dup32, - dup141, - dup47, - dup142, - dup143, -])); - -var msg38507 = msg("SystemSettings:20", part70); - -var select2455 = linear_select([ - msg38488, - msg38489, - msg38490, - msg38491, - msg38492, - msg38493, - msg38494, - msg38495, - msg38496, - msg38497, - msg38498, - msg38499, - msg38500, - msg38501, - msg38502, - msg38503, - msg38504, - msg38505, - msg38506, - msg38507, -]); - -var msg38508 = msg("2100651", dup192); - -var msg38509 = msg("2101384", dup192); - -var msg38510 = msg("2101390", dup192); - -var msg38511 = msg("2101424", dup192); - -var msg38512 = msg("2101432", dup192); - -var msg38513 = msg("2101867", dup192); - -var msg38514 = msg("2101918", dup192); - -var part71 = match("MESSAGE#38514:Primary_Detection_Engine/2", "nwparser.p0", "%{url}, Interface Ingress: %{dinterface}, Interface Egress: %{sinterface}, Security Zone Ingress: %{dst_zone}, Security Zone Egress: %{src_zone}, Security Intelligence Matching IP: %{fld4}, Security Intelligence Category: %{fld5}, Client Version: %{version}, Number of File Events: %{dclass_counter1}, Number of IPS Events: %{dclass_counter2}, TCP Flags: %{fld6}, NetBIOS Domain: %{domain_id}, Initiator Packets: %{fld7}, Responder Packets: %{fld8}, Initiator Bytes: %{rbytes}, Responder Bytes: %{sbytes}, Context: %{context}, SSL Rule Name: %{fld9}, SSL Flow Status: %{fld10}, SSL Cipher Suite: %{fld11}, SSL Certificate: %{fld12}, SSL Subject CN: %{fld13}, SSL Subject Country: %{fld14}, SSL Subject OU: %{fld15}, SSL Subject Org: %{fld16}, SSL Issuer CN: %{fld17}, SSL Issuer Country: %{fld18}, SSL Issuer OU: %{fld19}, SSL Issuer Org: %{fld20}, SSL Valid Start Date: %{fld21}, SSL Valid End Date: %{fld22}, SSL Version: %{fld23}, SSL Server Certificate Status: %{fld24}, SSL Actual Action: %{fld25}, SSL Expected Action: 
%{fld26}, SSL Server Name: %{fld27}, SSL URL Category: %{fld28}, SSL Session ID: %{fld29}, SSL Ticket Id: %{fld30}, {%{protocol}} %{saddr->} -> %{daddr}, type:%{event_type}, code:%{event_description}"); - -var all75 = all_match({ - processors: [ - dup147, - dup189, - part71, - ], - on_success: processor_chain([ - dup150, - dup31, - dup32, - dup47, - dup151, - dup152, - ]), -}); - -var msg38515 = msg("Primary_Detection_Engine", all75); - -var part72 = match("MESSAGE#38515:Primary_Detection_Engine:01/2", "nwparser.p0", "%{url}, Interface Ingress: %{dinterface}, Interface Egress: %{sinterface}, Security Zone Ingress: %{dst_zone}, Security Zone Egress: %{src_zone}, Security Intelligence Matching IP: %{fld4}, Security Intelligence Category: %{fld5}, Client Version: %{version}, Number of File Events: %{dclass_counter1}, Number of IPS Events: %{dclass_counter2}, TCP Flags: %{fld6}, NetBIOS Domain: %{domain_id}, Initiator Packets: %{fld7}, Responder Packets: %{fld8}, Initiator Bytes: %{rbytes}, Responder Bytes: %{sbytes}, Context: %{context}, SSL Rule Name: %{fld9}, SSL Flow Status: %{fld10}, SSL Cipher Suite: %{fld11}, SSL Certificate: %{fld12}, SSL Subject CN: %{fld13}, SSL Subject Country: %{fld14}, SSL Subject OU: %{fld15}, SSL Subject Org: %{fld16}, SSL Issuer CN: %{fld17}, SSL Issuer Country: %{fld18}, SSL Issuer OU: %{fld19}, SSL Issuer Org: %{fld20}, SSL Valid Start Date: %{fld21}, SSL Valid End Date: %{fld22}, SSL Version: %{fld23}, SSL Server Certificate Status: %{fld24}, SSL Actual Action: %{fld25}, SSL Expected Action: %{fld26}, SSL Server Name: %{fld27}, SSL URL Category: %{fld28}, SSL Session ID: %{fld29}, SSL Ticket Id: %{fld30}, {%{protocol}} %{p0}"); - -var all76 = all_match({ - processors: [ - dup147, - dup189, - part72, - dup173, - dup174, - ], - on_success: processor_chain([ - dup150, - dup31, - dup32, - dup47, - dup151, - dup152, - ]), -}); - -var msg38516 = msg("Primary_Detection_Engine:01", all76); - -var part73 = 
match("MESSAGE#38516:Primary_Detection_Engine:02/2", "nwparser.p0", "%{url}, Interface Ingress: %{dinterface}, Interface Egress: %{sinterface}, Security Zone Ingress: %{dst_zone}, Security Zone Egress: %{src_zone}, Security Intelligence Matching IP: %{fld4}, Security Intelligence Category: %{fld5}, Client Version: %{version}, Number of File Events: %{dclass_counter1}, Number of IPS Events: %{dclass_counter2}, TCP Flags: %{fld6}, NetBIOS Domain: %{domain_id}, Initiator Packets: %{fld7}, Responder Packets: %{fld8}, Initiator Bytes: %{rbytes}, Responder Bytes: %{p0}"); - -var part74 = match("MESSAGE#38516:Primary_Detection_Engine:02/3_0", "nwparser.p0", "%{sbytes}, Context: %{context->} {%{p0}"); - -var part75 = match("MESSAGE#38516:Primary_Detection_Engine:02/3_1", "nwparser.p0", "%{sbytes->} {%{p0}"); - -var select2456 = linear_select([ - part74, - part75, -]); - -var all77 = all_match({ - processors: [ - dup147, - dup189, - part73, - select2456, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup150, - dup31, - dup32, - dup47, - dup151, - dup152, - ]), -}); - -var msg38517 = msg("Primary_Detection_Engine:02", all77); - -var part76 = match("MESSAGE#38517:Primary_Detection_Engine:03", "nwparser.payload", "\"%{context}\" [Classification:%{sigtype}] User:%{username}, Application:%{application}, Client:%{fld12}, App Protocol:%{fld14}, Interface Ingress:%{dinterface}, Interface Egress:%{sinterface}, Security Zone Ingress:%{dst_zone}, Security Zone Egress:%{src_zone}, Context:%{fld13}, SSL Flow Status:%{fld1}, SSL Actual Action:%{fld22}, SSL Certificate:%{fld3}, SSL Subject CN:%{fld4}, SSL Subject Country:%{fld5}, SSL Subject OU:%{fld6}, SSL Subject Org:%{fld7}, SSL Issuer CN:%{fld8}, SSL Issuer Country:%{fld9}, SSL Issuer OU:%{fld10}, SSL Issuer Org:%{fld11}, SSL Valid Start Date:%{fld12}, SSL Valid End Date:%{fld13}, [Priority:%{threat_val}] {%{protocol}}%{saddr}:%{sport}->%{daddr}:%{dport}", processor_chain([ - dup44, - dup31, - dup32, - dup48, - 
setf("sigid","id"), - setf("version","hfld3"), - dup45, -])); - -var msg38518 = msg("Primary_Detection_Engine:03", part76); - -var select2457 = linear_select([ - msg38515, - msg38516, - msg38517, - msg38518, -]); - -var part77 = match("MESSAGE#38518:Network_Based_Malware", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC > Sha256: %{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{saddr}>%{daddr}", processor_chain([ - dup100, - dup31, - dup129, - dup32, - dup47, -])); - -var msg38519 = msg("Network_Based_Malware", part77); - -var part78 = match("MESSAGE#38519:Network_Based_Malware:01/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -%{p0}"); - -var part79 = match("MESSAGE#38519:Network_Based_Malware:01/1_0", "nwparser.p0", "*>%{p0}"); - -var select2458 = linear_select([ - part79, - dup145, -]); - -var part80 = match("MESSAGE#38519:Network_Based_Malware:01/2", "nwparser.p0", "%{} %{space}Sha256: %{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{daddr}\u003c\u003c-%{saddr}"); - -var all78 = all_match({ - processors: [ - part78, - select2458, - part80, - ], - on_success: processor_chain([ - dup100, - dup31, - dup129, - dup32, - dup47, - ]), -}); - -var msg38520 = msg("Network_Based_Malware:01", all78); - -var part81 = match("MESSAGE#38520:Network_Based_Malware:02", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> Sha256: %{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{saddr}->%{daddr}", processor_chain([ - dup100, - dup31, - dup129, - dup32, - dup47, -])); - -var msg38521 = msg("Network_Based_Malware:02", part81); - -var select2459 = linear_select([ - msg38519, - msg38520, - msg38521, -]); - -var part82 = match("MESSAGE#38521:Network_Based_Retrospective/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at 
%{fld6->} %{event_time_string->} UTC %{p0}"); - -var part83 = match("MESSAGE#38521:Network_Based_Retrospective/2", "nwparser.p0", "Sha256: %{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{p0}"); - -var part84 = match("MESSAGE#38521:Network_Based_Retrospective/3_0", "nwparser.p0", "%{saddr}->%{p0}"); - -var part85 = match("MESSAGE#38521:Network_Based_Retrospective/3_1", "nwparser.p0", "%{saddr}>%{p0}"); - -var select2460 = linear_select([ - part84, - part85, -]); - -var all79 = all_match({ - processors: [ - part82, - dup190, - part83, - select2460, - dup43, - ], - on_success: processor_chain([ - dup100, - dup31, - dup129, - dup32, - dup47, - ]), -}); - -var msg38522 = msg("Network_Based_Retrospective", all79); - -var part86 = match("MESSAGE#38522:Network_Based_Retrospective:01/4", "nwparser.p0", "Sha256: %{checksum->} Disposition: %{disposition->} Threat name: %{p0}"); - -var part87 = match("MESSAGE#38522:Network_Based_Retrospective:01/5_0", "nwparser.p0", "%{threat_name->} IP Addresses: %{daddr}\u003c\u003c-%{saddr}"); - -var part88 = match_copy("MESSAGE#38522:Network_Based_Retrospective:01/5_1", "nwparser.p0", "threat_name"); - -var select2461 = linear_select([ - part87, - part88, -]); - -var all80 = all_match({ - processors: [ - dup57, - dup191, - dup157, - dup190, - part86, - select2461, - ], - on_success: processor_chain([ - dup100, - dup31, - dup129, - dup32, - dup47, - ]), -}); - -var msg38523 = msg("Network_Based_Retrospective:01", all80); - -var select2462 = linear_select([ - msg38522, - msg38523, -]); - -var part89 = match("MESSAGE#38523:MALWARE:02", "nwparser.payload", "%{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{daddr}\u003c\u003c-%{saddr}", processor_chain([ - dup100, - dup32, - dup47, - dup158, -])); - -var msg38524 = msg("MALWARE:02", part89); - -var part90 = match("MESSAGE#38524:MALWARE:01", "nwparser.payload", "%{checksum->} Disposition: %{disposition->} Threat 
name: %{threat_name->} IP Addresses: %{saddr}->%{daddr}", processor_chain([ - dup100, - dup32, - dup47, - dup158, -])); - -var msg38525 = msg("MALWARE:01", part90); - -var part91 = match_copy("MESSAGE#38537:MALWARE", "nwparser.payload", "threat_val", processor_chain([ - dup71, - dup31, - dup45, - dup32, -])); - -var msg38526 = msg("MALWARE", part91); - -var select2463 = linear_select([ - msg38524, - msg38525, - msg38526, -]); - -var all81 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup71, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var msg38527 = msg("Snort_AlertLog", all81); - -var part92 = match("MESSAGE#38526:New_TCP_Port/4", "nwparser.p0", "IP Address: %{saddr->} Port: %{p0}"); - -var part93 = match("MESSAGE#38526:New_TCP_Port/5_0", "nwparser.p0", "%{sport->} Service: %{protocol->} Confidence: %{result}"); - -var part94 = match_copy("MESSAGE#38526:New_TCP_Port/5_1", "nwparser.p0", "sport"); - -var select2464 = linear_select([ - part93, - part94, -]); - -var all82 = all_match({ - processors: [ - dup57, - dup191, - dup157, - dup190, - part92, - select2464, - ], - on_success: processor_chain([ - dup135, - dup31, - dup32, - dup47, - ]), -}); - -var msg38528 = msg("New_TCP_Port", all82); - -var part95 = match("MESSAGE#38527:New_UDP_Port/4", "nwparser.p0", "IP Address: %{saddr->} Port: %{sport}"); - -var all83 = all_match({ - processors: [ - dup57, - dup191, - dup157, - dup190, - part95, - ], - on_success: processor_chain([ - dup135, - dup31, - dup32, - dup47, - ]), -}); - -var msg38529 = msg("New_UDP_Port", all83); - -var msg38530 = msg("Client_Update", dup355); - -var msg38531 = msg("New_Client", dup355); - -var msg38532 = msg("UDP_Server_Information_Update", dup356); - -var msg38533 = msg("TCP_Server_Information_Update", dup356); - -var part96 = match("MESSAGE#38532:Client_Timeout/1_1", "nwparser.p0", "From 
%{sensor->} at %{p0}"); - -var select2465 = linear_select([ - dup155, - part96, - dup156, -]); - -var all84 = all_match({ - processors: [ - dup57, - select2465, - dup157, - dup190, - dup159, - ], - on_success: processor_chain([ - dup135, - dup31, - dup32, - dup47, - ]), -}); - -var msg38534 = msg("Client_Timeout", all84); - -var part97 = match("MESSAGE#38533:Host_IOC_Set/4", "nwparser.p0", "IP Address: %{saddr->} Category: %{category->} Event Type: %{event_type}"); - -var all85 = all_match({ - processors: [ - dup57, - dup191, - dup157, - dup190, - part97, - ], - on_success: processor_chain([ - dup135, - dup31, - dup32, - dup47, - ]), -}); - -var msg38535 = msg("Host_IOC_Set", all85); - -var part98 = match("MESSAGE#38534:Host_Type_Changed/4", "nwparser.p0", "IP Address: %{saddr->} Host Type: %{fld10}"); - -var all86 = all_match({ - processors: [ - dup57, - dup191, - dup157, - dup190, - part98, - ], - on_success: processor_chain([ - dup135, - dup31, - dup32, - dup47, - ]), -}); - -var msg38536 = msg("Host_Type_Changed", all86); - -var part99 = match("MESSAGE#38535:Login", "nwparser.payload", "Login Success%{}", processor_chain([ - dup112, - dup31, - dup32, - dup137, - dup138, - dup139, - dup140, - dup47, -])); - -var msg38537 = msg("Login", part99); - -var part100 = match("MESSAGE#38536:Logout", "nwparser.payload", "Logout Success%{}", processor_chain([ - setc("eventcategory","1401070000"), - dup31, - dup32, - dup137, - dup144, - dup139, - dup140, - dup47, -])); - -var msg38538 = msg("Logout", part100); - -var part101 = tagval("MESSAGE#38538:connection_events", "nwparser.payload", tvm, { - "ACPolicy": "fld44", - "AccessControlRuleAction": "action", - "AccessControlRuleName": "rulename", - "AccessControlRuleReason": "result", - "ApplicationProtocol": "protocol", - "Classification": "risk_info", - "Client": "application", - "ClientVersion": "version", - "ConnectType": "event_state", - "DE": "fld16", - "DNSQuery": "obj_name", - "DNSRecordType": "obj_type", - 
"DNSResponseType": "fld17", - "DNS_TTL": "fld7", - "DstIP": "daddr", - "DstPort": "dport", - "EgressInterface": "sinterface", - "EgressZone": "src_zone", - "FileCount": "dclass_counter1", - "GID": "fld28", - "HTTPReferer": "web_ref_host", - "HTTPResponse": "resultcode", - "ICMPCode": "resultcode", - "ICMPType": "event_type", - "IPReputationSICategory": "threat_name", - "IngressInterface": "dinterface", - "IngressZone": "dst_zone", - "InitiatorBytes": "sbytes", - "InitiatorPackets": "fld14", - "Message": "fld49", - "NAPPolicy": "policyname", - "OriginalClientIP": "fld1", - "Policy": "policyname", - "Prefilter Policy": "fld2", - "Priority": "threat_val", - "ReferencedHost": "fld3", - "ResponderBytes": "rbytes", - "ResponderPackets": "fld13", - "Revision": "fld46", - "SID": "sid", - "Sinkhole": "fld15", - "SrcIP": "saddr", - "SrcPort": "sport", - "TCPFlags": "fld12", - "URL": "url", - "URLCategory": "category", - "URLReputation": "reputation_num", - "User": "fld48", - "UserAgent": "user_agent", - "UserName": "username", - "WebApplication": "application", -}, processor_chain([ - dup150, - dup31, - dup32, - dup47, - setc("dclass_counter1_string","Number of Files"), - setf("protocol","hprotocol"), - lookup({ - dest: "nwparser.event_cat", - map: map_getEventLegacyCategory, - key: field("sid"), - }), - lookup({ - dest: "nwparser.event_cat_name", - map: map_getEventLegacyCategoryName, - key: field("event_cat"), - }), - call({ - dest: "nwparser.info", - fn: RMQ, - args: [ - field("fld49"), - ], - }), - dup45, - fqdn("fqdn","url"), - path("directory","url"), - page("filename_tmp","url"), - ext("web_extension_tmp","url"), - query("web_query","url"), - call({ - dest: "nwparser.filename", - fn: STRCAT, - args: [ - field("filename_tmp"), - field("web_extension_tmp"), - ], - }), -])); - -var msg38539 = msg("connection_events", part101); - -var part102 = match("MESSAGE#38539:FTD_events_01", "nwparser.payload", "SrcIP: %{daddr}, DstIP: %{saddr}, SrcPort: %{dport}, DstPort: %{sport}, 
Protocol: %{protocol}, FileDirection: Download, FileAction: %{action}, FileSHA256: %{checksum}, SHA_Disposition: %{disposition}, SperoDisposition: %{info}, ThreatName: %{threat_name}, ThreatScore: %{fld1}, FileName: %(unknown), FileType: %{filetype}, FileSize: %{filename_size}, ApplicationProtocol: %{protocol}, Client: %{application}, User: %{username}, FirstPacketSecond: %{fld21}, FilePolicy: %{policyname}, FileSandboxStatus: %{result}, URI: %{url}", processor_chain([ - dup150, - dup161, - dup162, - dup163, - dup32, - dup164, - setc("context","Download"), -])); - -var msg38540 = msg("FTD_events_01", part102); - -var part103 = match("MESSAGE#38540:FTD_events_02", "nwparser.payload", "SrcIP: %{saddr}, DstIP: %{daddr}, SrcPort: %{sport}, DstPort: %{dport}, Protocol: %{protocol}, FileDirection: Upload, FileAction: %{action}, FileSHA256: %{checksum}, SHA_Disposition: %{disposition}, SperoDisposition: %{info}, ThreatName: %{threat_name}, ThreatScore: %{fld1}, FileName: %(unknown), FileType: %{filetype}, FileSize: %{filename_size}, ApplicationProtocol: %{protocol}, Client: %{application}, User: %{username}, FirstPacketSecond: %{fld21}, FilePolicy: %{policyname}, FileSandboxStatus: %{result}, URI: %{url}", processor_chain([ - dup150, - dup161, - dup162, - dup163, - dup32, - dup164, - setc("context","Upload"), -])); - -var msg38541 = msg("FTD_events_02", part103); - -var part104 = match("MESSAGE#38541:FTD_events_03", "nwparser.payload", "User '%{username}' executed the '%{fld1}' command.", processor_chain([ - dup150, - dup162, - dup32, - dup164, -])); - -var msg38542 = msg("FTD_events_03", part104); - -var part105 = match("MESSAGE#38542:FTD_events_04", "nwparser.payload", "User '%{username}', running '%{application}' from IP%{hostip}, executed '%{fld1}'", processor_chain([ - dup150, - dup162, - dup32, - dup164, -])); - -var msg38543 = msg("FTD_events_04", part105); - -var part106 = match("MESSAGE#38543:FTD_events_05", "nwparser.payload", "%{dclass_counter1}in 
use,%{fld2}most used", processor_chain([ - dup150, - dup162, - dup32, - dup164, - setc("dclass_counter1_string","Number of Connections in use"), -])); - -var msg38544 = msg("FTD_events_05", part106); - -var part107 = match("MESSAGE#38544:FTD_events_06", "nwparser.payload", "Offloaded TCP Flow for connection%{connectionid}from%{dinterface}:%{daddr}/%{dport}(%{dtransaddr}/%{dtransport}) to%{sinterface}:%{saddr}/%{sport}(%{stransaddr}/%{stransport})", processor_chain([ - dup150, - dup162, - dup32, - dup164, - setc("event_description","Offloaded TCP Flow for connection"), -])); - -var msg38545 = msg("FTD_events_06", part107); - -var part108 = match("MESSAGE#38545:FTD_events_07", "nwparser.payload", "Failed to locate egress interface for %{protocol->} from %{sinterface}:%{saddr}/%{sport->} to %{daddr}/%{dport}", processor_chain([ - setc("eventcategory","1801010000"), - dup162, - dup32, - dup164, - setc("event_description","Failed to locate egress interface"), -])); - -var msg38546 = msg("FTD_events_07", part108); - -var part109 = match("MESSAGE#38546:FTD_events_08", "nwparser.payload", "TCP Flow is no longer offloaded for connection %{connectionid->} from %{dinterface}:%{daddr}/%{dport->} (%{dtransaddr}/%{dtransport}) to %{sinterface}:%{saddr}/%{sport->} (%{stransaddr}/%{stransport})", processor_chain([ - dup150, - dup162, - dup32, - dup164, - setc("event_description","TCP Flow is no longer offloaded for connection"), -])); - -var msg38547 = msg("FTD_events_08", part109); - -var part110 = match("MESSAGE#38547:FTD_events_09", "nwparser.payload", "CLOCK: System clock set, source: %{event_source}, IP: %{hostip}, before: %{change_old}, after: %{change_new}", processor_chain([ - dup150, - dup162, - dup32, - dup164, - setc("change_attribute","Time"), -])); - -var msg38548 = msg("FTD_events_09", part110); - -var part111 = tagval("MESSAGE#38548:FTD_events", "nwparser.payload", tvm, { - "ACPolicy": "fld44", - "AccessControlRuleAction": "action", - "AccessControlRuleName": 
"rulename", - "AccessControlRuleReason": "result", - "ApplicationProtocol": "protocol", - "Classification": "risk_info", - "Client": "application", - "ClientVersion": "version", - "ConnectType": "event_state", - "ConnectionDuration": "duration", - "DE": "fld16", - "DNSQuery": "obj_name", - "DNSRecordType": "obj_type", - "DNSResponseType": "fld17", - "DNS_TTL": "fld7", - "DstIP": "daddr", - "DstPort": "dport", - "EgressInterface": "sinterface", - "EgressZone": "src_zone", - "FileAction": "action", - "FileDirection": "context", - "FileName": "filename", - "FilePolicy": "policyname", - "FileSHA256": "checksum", - "FileSandboxStatus": "result", - "FileSize": "filename_size", - "FileType": "filetype", - "FirstPacketSecond": "starttime", - "GID": "fld28", - "HTTPReferer": "web_ref_host", - "HTTPResponse": "resultcode", - "ICMPCode": "resultcode", - "ICMPType": "event_type", - "IPReputationSICategory": "threat_name", - "IngressInterface": "dinterface", - "IngressZone": "dst_zone", - "InitiatorBytes": "sbytes", - "InitiatorPackets": "fld14", - "Message": "fld49", - "NAPPolicy": "policyname", - "OriginalClientIP": "fld1", - "Policy": "policyname", - "Prefilter Policy": "fld2", - "Priority": "threat_val", - "Protocol": "protocol", - "ReferencedHost": "fld3", - "ResponderBytes": "rbytes", - "ResponderPackets": "fld13", - "Revision": "fld46", - "SHA_Disposition": "disposition", - "SID": "sid", - "Sinkhole": "fld15", - "SperoDisposition": "info", - "SrcIP": "saddr", - "SrcPort": "sport", - "TCPFlags": "fld12", - "ThreatName": "threat_name", - "ThreatScore": "fld76", - "URI": "url", - "URL": "url", - "URLCategory": "category", - "URLReputation": "reputation_num", - "User": "username", - "UserAgent": "user_agent", - "UserName": "username", - "WebApplication": "application", -}, processor_chain([ - dup150, - dup161, - dup162, - dup32, - dup164, -])); - -var msg38549 = msg("FTD_events", part111); - -var select2466 = linear_select([ - msg38540, - msg38541, - msg38542, - msg38543, - 
msg38544, - msg38545, - msg38546, - msg38547, - msg38548, - msg38549, -]); - -var part112 = match("MESSAGE#38549:NGIPS_events_01/0", "nwparser.payload", "AccessControlRuleAction:%{action}, AccessControlRuleReason:%{result}, SrcIP:%{saddr}, DstIP:%{daddr}, SrcPort:%{sport}, DstPort:%{dport}, Protocol: %{protocol}, IngressInterface: %{dinterface}, IngressZone:%{dst_zone}, ACPolicy:%{fld44}, AccessControlRuleName:%{rulename}, Prefilter Policy:%{fld2}, User:%{fld48}, Client:%{application}, ApplicationProtocol:%{protocol}, InitiatorPackets:%{fld14}, ResponderPackets:%{fld13}, InitiatorBytes:%{sbytes}, ResponderBytes:%{rbytes}, NAPPolicy:%{policyname}, DNSQuery:%{hostname}, DNSRecordType: a host address,%{p0}"); - -var part113 = match("MESSAGE#38549:NGIPS_events_01/1_0", "nwparser.p0", " DNS_TTL: %{fld7},%{p0}"); - -var select2467 = linear_select([ - part113, - dup59, -]); - -var part114 = match("MESSAGE#38549:NGIPS_events_01/2", "nwparser.p0", "%{}DNSSICategory:%{category}"); - -var all87 = all_match({ - processors: [ - part112, - select2467, - part114, - ], - on_success: processor_chain([ - dup150, - dup161, - dup32, - dup164, - ]), -}); - -var msg38550 = msg("NGIPS_events_01", all87); - -var part115 = tagval("MESSAGE#38550:NGIPS_events", "nwparser.payload", tvm, { - "ACPolicy": "fld44", - "AccessControlRuleAction": "action", - "AccessControlRuleName": "rulename", - "AccessControlRuleReason": "result", - "ApplicationProtocol": "protocol", - "Classification": "risk_info", - "Client": "application", - "ClientVersion": "version", - "ConnectType": "event_state", - "ConnectionDuration": "duration", - "DE": "fld16", - "DNSQuery": "obj_name", - "DNSRecordType": "obj_type", - "DNSResponseType": "fld17", - "DNSSICategory": "category", - "DNS_TTL": "fld7", - "DstIP": "daddr", - "DstPort": "dport", - "EgressInterface": "sinterface", - "EgressZone": "src_zone", - "GID": "fld28", - "HTTPReferer": "web_ref_host", - "HTTPResponse": "resultcode", - "ICMPCode": "resultcode", - 
"ICMPType": "event_type", - "IPReputationSICategory": "threat_name", - "IPSCount": "dclass_counter1", - "IngressInterface": "dinterface", - "IngressZone": "dst_zone", - "InitiatorBytes": "sbytes", - "InitiatorPackets": "fld14", - "InlineResult": "action", - "Message": "event_description", - "NAPPolicy": "policyname", - "OriginalClientIP": "fld1", - "Policy": "policyname", - "Prefilter Policy": "fld2", - "Priority": "threat_val", - "Protocol": "protocol", - "ReferencedHost": "fld3", - "ResponderBytes": "rbytes", - "ResponderPackets": "fld13", - "Revision": "fld46", - "SID": "sid", - "Sinkhole": "fld15", - "SrcIP": "saddr", - "SrcPort": "sport", - "TCPFlags": "fld12", - "URL": "url", - "URLCategory": "category", - "URLReputation": "reputation_num", - "URLSICategory": "category", - "User": "fld48", - "UserAgent": "user_agent", - "UserName": "username", - "VLAN_ID": "vlan", - "WebApplication": "application", -}, processor_chain([ - dup150, - dup161, - dup32, - dup164, - setc("dclass_counter1_string"," The number of intrusion events"), - setf("hostname","obj_name"), -])); - -var msg38551 = msg("NGIPS_events", part115); - -var select2468 = linear_select([ - msg38550, - msg38551, -]); - -var chain1 = processor_chain([ - select5, - msgid_select({ - "0": select6, - "1": select7, - "10": msg34, - "1000": select900, - "10000": msg12447, - "1000001": msg38282, - "100000121": msg38430, - "100000122": msg38431, - "100000137": msg38432, - "100000138": msg38433, - "100000160": msg38434, - "100000161": msg38435, - "100000185": msg38436, - "1000002": msg38283, - "100000211": msg38437, - "100000213": msg38438, - "100000219": msg38439, - "100000241": msg38440, - "100000262": msg38441, - "100000266": msg38442, - "100000272": msg38443, - "100000273": msg38444, - "100000274": msg38445, - "100000275": msg38446, - "100000277": msg38447, - "100000278": msg38448, - "1000003": select2443, - "1000004": msg38286, - "1000005": msg38287, - "100000550": msg38449, - "100000687": msg38450, - 
"100000689": msg38451, - "1000007": msg38288, - "1000010": msg38289, - "1000012": msg38290, - "1000014": msg38291, - "1000015": msg38292, - "1000016": msg38293, - "1000020": msg38294, - "1000021": msg38295, - "1000022": msg38296, - "1000023": msg38297, - "1000024": msg38298, - "1000026": msg38299, - "1000028": msg38300, - "1000029": msg38301, - "1000030": msg38302, - "1000031": msg38303, - "1000032": msg38304, - "1000033": msg38305, - "1000034": msg38306, - "1000035": msg38307, - "1000036": msg38308, - "1000037": msg38309, - "1000038": msg38310, - "1000039": msg38311, - "1000040": msg38312, - "1000041": msg38313, - "1000043": msg38314, - "1000044": msg38315, - "1000045": msg38316, - "1000046": msg38317, - "1000047": msg38318, - "1000048": msg38319, - "1000049": msg38320, - "1000050": msg38321, - "1000054": msg38322, - "1000055": msg38323, - "1000056": msg38324, - "1000057": msg38325, - "10001": msg12448, - "10002": msg12449, - "10003": msg12450, - "10004": msg12451, - "10005": msg12452, - "10006": msg12453, - "10007": msg12454, - "10008": msg12455, - "10009": msg12456, - "1001": select901, - "10010": msg12457, - "10011": msg12458, - "10012": msg12459, - "10013": msg12460, - "10014": msg12461, - "10015": msg12462, - "10016": msg12463, - "10017": msg12464, - "10018": msg12465, - "10019": msg12466, - "1002": select902, - "10020": msg12467, - "10021": msg12468, - "10022": msg12469, - "10023": msg12470, - "10024": msg12471, - "10025": msg12472, - "10026": msg12473, - "10027": msg12474, - "10028": msg12475, - "10029": msg12476, - "1003": select903, - "10030": msg12477, - "10031": msg12478, - "10032": msg12479, - "10033": msg12480, - "10034": msg12481, - "10035": msg12482, - "10036": msg12483, - "10037": msg12484, - "10038": msg12485, - "10039": msg12486, - "1004": select904, - "10040": msg12487, - "10041": msg12488, - "10042": msg12489, - "10043": msg12490, - "10044": msg12491, - "10045": msg12492, - "10046": msg12493, - "10047": msg12494, - "10048": msg12495, - "10049": 
msg12496, - "1005": select905, - "10050": msg12497, - "10051": msg12498, - "10052": msg12499, - "10053": msg12500, - "10054": msg12501, - "10055": msg12502, - "10056": msg12503, - "10057": msg12504, - "10058": msg12505, - "10059": msg12506, - "10060": msg12507, - "10061": msg12508, - "10062": msg12509, - "10063": msg12510, - "10064": msg12511, - "10065": msg12512, - "10066": msg12513, - "10067": msg12514, - "10068": msg12515, - "10069": msg12516, - "1007": select906, - "10070": msg12517, - "10071": msg12518, - "10072": msg12519, - "10073": msg12520, - "10074": msg12521, - "10075": msg12522, - "10076": msg12523, - "10077": msg12524, - "10078": msg12525, - "10079": msg12526, - "1008": select907, - "10080": msg12527, - "10081": msg12528, - "10082": msg12529, - "10083": msg12530, - "10084": msg12531, - "10085": msg12532, - "10086": msg12533, - "10087": msg12534, - "10088": msg12535, - "10089": msg12536, - "1009": select908, - "10090": msg12537, - "10091": msg12538, - "10092": msg12539, - "10093": msg12540, - "10094": msg12541, - "10095": msg12542, - "10096": msg12543, - "10097": msg12544, - "10098": msg12545, - "10099": msg12546, - "1010": select909, - "10100": msg12547, - "10101": msg12548, - "10102": msg12549, - "10103": msg12550, - "10104": msg12551, - "10105": msg12552, - "10106": msg12553, - "10107": msg12554, - "10108": msg12555, - "10109": msg12556, - "1011": select910, - "10110": msg12557, - "10111": msg12558, - "10112": msg12559, - "10113": msg12560, - "10114": msg12561, - "10115": msg12562, - "10116": msg12563, - "10117": msg12564, - "10118": msg12565, - "10119": msg12566, - "1012": select911, - "10120": msg12567, - "10121": msg12568, - "10122": msg12569, - "10123": msg12570, - "10124": msg12571, - "10125": msg12572, - "10126": msg12573, - "10127": msg12574, - "10128": msg12575, - "10129": msg12576, - "1013": select912, - "10130": msg12577, - "10131": msg12578, - "10132": msg12579, - "10133": msg12580, - "10134": msg12581, - "10135": msg12582, - "10136": 
msg12583, - "10137": msg12584, - "10138": msg12585, - "10139": msg12586, - "1014": select913, - "10140": msg12587, - "10141": msg12588, - "10142": msg12589, - "10143": msg12590, - "10144": msg12591, - "10145": msg12592, - "10146": msg12593, - "10147": msg12594, - "10148": msg12595, - "10149": msg12596, - "1015": select914, - "10150": msg12597, - "10151": msg12598, - "10152": msg12599, - "10153": msg12600, - "10154": msg12601, - "10155": msg12602, - "10156": msg12603, - "10157": msg12604, - "10158": msg12605, - "10159": msg12606, - "1016": select915, - "10160": msg12607, - "10161": msg12608, - "10162": msg12609, - "10163": msg12610, - "10164": msg12611, - "10165": msg12612, - "10166": msg12613, - "10167": msg12614, - "10168": msg12615, - "10169": msg12616, - "1017": select916, - "10170": msg12617, - "10171": msg12618, - "10172": msg12619, - "10173": msg12620, - "10174": msg12621, - "10175": msg12622, - "10176": msg12623, - "10177": msg12624, - "10178": msg12625, - "10179": msg12626, - "1018": select917, - "10180": msg12627, - "10181": msg12628, - "10182": msg12629, - "10183": msg12630, - "10184": msg12631, - "10185": msg12632, - "10186": msg12633, - "10187": msg12634, - "10188": msg12635, - "10189": msg12636, - "1019": select918, - "10190": msg12637, - "10191": msg12638, - "10192": msg12639, - "10193": msg12640, - "10194": msg12641, - "10195": msg12642, - "10196": msg12643, - "10197": msg12644, - "10198": msg12645, - "10199": msg12646, - "1020": select919, - "10200": msg12647, - "10201": msg12648, - "10202": msg12649, - "10203": msg12650, - "10204": msg12651, - "10205": msg12652, - "10206": msg12653, - "10207": msg12654, - "10208": msg12655, - "10209": msg12656, - "1021": select920, - "10210": msg12657, - "10211": msg12658, - "10212": msg12659, - "10213": msg12660, - "10214": msg12661, - "10215": msg12662, - "10216": msg12663, - "10217": msg12664, - "10218": msg12665, - "10219": msg12666, - "1022": select921, - "10220": msg12667, - "10221": msg12668, - "10222": 
msg12669, - "10223": msg12670, - "10224": msg12671, - "10225": msg12672, - "10226": msg12673, - "10227": msg12674, - "10228": msg12675, - "10229": msg12676, - "1023": select922, - "10230": msg12677, - "10231": msg12678, - "10232": msg12679, - "10233": msg12680, - "10234": msg12681, - "10235": msg12682, - "10236": msg12683, - "10237": msg12684, - "10238": msg12685, - "10239": msg12686, - "1024": select923, - "10240": msg12687, - "10241": msg12688, - "10242": msg12689, - "10243": msg12690, - "10244": msg12691, - "10245": msg12692, - "10246": msg12693, - "10247": msg12694, - "10248": msg12695, - "10249": msg12696, - "1025": select924, - "10250": msg12697, - "10251": msg12698, - "10252": msg12699, - "10253": msg12700, - "10254": msg12701, - "10255": msg12702, - "10256": msg12703, - "10257": msg12704, - "10258": msg12705, - "10259": msg12706, - "1026": select925, - "10260": msg12707, - "10261": msg12708, - "10262": msg12709, - "10263": msg12710, - "10264": msg12711, - "10265": msg12712, - "10266": msg12713, - "10267": msg12714, - "10268": msg12715, - "10269": msg12716, - "1027": select926, - "10270": msg12717, - "10271": msg12718, - "10272": msg12719, - "10273": msg12720, - "10274": msg12721, - "10275": msg12722, - "10276": msg12723, - "10277": msg12724, - "10278": msg12725, - "10279": msg12726, - "1028": select927, - "10280": msg12727, - "10281": msg12728, - "10282": msg12729, - "10283": msg12730, - "10284": msg12731, - "10285": msg12732, - "10286": msg12733, - "10287": msg12734, - "10288": msg12735, - "10289": msg12736, - "1029": select928, - "10290": msg12737, - "10291": msg12738, - "10292": msg12739, - "10293": msg12740, - "10294": msg12741, - "10295": msg12742, - "10296": msg12743, - "10297": msg12744, - "10298": msg12745, - "10299": msg12746, - "103": select31, - "1030": select929, - "10300": msg12747, - "10301": msg12748, - "10302": msg12749, - "10303": msg12750, - "10304": msg12751, - "10305": msg12752, - "10306": msg12753, - "10307": msg12754, - "10308": 
msg12755, - "10309": msg12756, - "1031": select930, - "10310": msg12757, - "10311": msg12758, - "10312": msg12759, - "10313": msg12760, - "10314": msg12761, - "10315": msg12762, - "10316": msg12763, - "10317": msg12764, - "10318": msg12765, - "10319": msg12766, - "1032": select931, - "10320": msg12767, - "10321": msg12768, - "10322": msg12769, - "10323": msg12770, - "10324": msg12771, - "10325": msg12772, - "10326": msg12773, - "10327": msg12774, - "10328": msg12775, - "10329": msg12776, - "1033": select932, - "10330": msg12777, - "10331": msg12778, - "10332": msg12779, - "10333": msg12780, - "10334": msg12781, - "10335": msg12782, - "10336": msg12783, - "10337": msg12784, - "10338": msg12785, - "10339": msg12786, - "1034": select933, - "10340": msg12787, - "10341": msg12788, - "10342": msg12789, - "10343": msg12790, - "10344": msg12791, - "10345": msg12792, - "10346": msg12793, - "10347": msg12794, - "10348": msg12795, - "10349": msg12796, - "1035": select934, - "10350": msg12797, - "10351": msg12798, - "10352": msg12799, - "10353": msg12800, - "10354": msg12801, - "10355": msg12802, - "10356": msg12803, - "10357": msg12804, - "10358": msg12805, - "10359": msg12806, - "1036": select935, - "10360": msg12807, - "10361": msg12808, - "10362": msg12809, - "10363": msg12810, - "10364": msg12811, - "10365": msg12812, - "10366": msg12813, - "10367": msg12814, - "10368": msg12815, - "10369": msg12816, - "1037": select936, - "10370": msg12817, - "10371": msg12818, - "10372": msg12819, - "10373": msg12820, - "10374": msg12821, - "10375": msg12822, - "10376": msg12823, - "10377": msg12824, - "10378": msg12825, - "10379": msg12826, - "1038": select937, - "10380": msg12827, - "10381": msg12828, - "10382": msg12829, - "10383": msg12830, - "10384": msg12831, - "10385": msg12832, - "10386": msg12833, - "10387": msg12834, - "10388": msg12835, - "10389": msg12836, - "1039": select938, - "10390": msg12837, - "10391": msg12838, - "10392": msg12839, - "10393": msg12840, - "10394": 
msg12841, - "10395": msg12842, - "10396": msg12843, - "10397": msg12844, - "10398": msg12845, - "10399": msg12846, - "104": select32, - "1040": select939, - "10400": msg12847, - "10401": msg12848, - "10402": msg12849, - "10403": msg12850, - "10404": msg12851, - "10405": msg12852, - "10406": msg12853, - "10407": msg12854, - "10408": msg12855, - "10409": msg12856, - "1041": select940, - "10410": msg12857, - "10411": msg12858, - "10412": msg12859, - "10413": msg12860, - "10414": msg12861, - "10415": msg12862, - "10416": msg12863, - "10417": msg12864, - "10418": msg12865, - "10419": msg12866, - "1042": select941, - "10420": msg12867, - "10421": msg12868, - "10422": msg12869, - "10423": msg12870, - "10424": msg12871, - "10425": msg12872, - "10426": msg12873, - "10427": msg12874, - "10428": msg12875, - "10429": msg12876, - "1043": select942, - "10430": msg12877, - "10431": msg12878, - "10432": msg12879, - "10433": msg12880, - "10434": msg12881, - "10435": msg12882, - "10436": msg12883, - "10437": msg12884, - "10438": msg12885, - "10439": msg12886, - "1044": select943, - "10440": msg12887, - "10441": msg12888, - "10442": msg12889, - "10443": msg12890, - "10444": msg12891, - "10445": msg12892, - "10446": msg12893, - "10447": msg12894, - "10448": msg12895, - "10449": msg12896, - "1045": select944, - "10450": msg12897, - "10451": msg12898, - "10452": msg12899, - "10453": msg12900, - "10454": msg12901, - "10455": msg12902, - "10456": msg12903, - "10457": msg12904, - "10458": msg12905, - "10459": msg12906, - "1046": select945, - "10460": msg12907, - "10461": msg12908, - "10462": msg12909, - "10463": msg12910, - "10464": msg12911, - "10465": msg12912, - "10466": msg12913, - "10467": msg12914, - "10468": msg12915, - "10469": msg12916, - "1047": select946, - "10470": msg12917, - "10471": msg12918, - "10472": msg12919, - "10473": msg12920, - "10474": msg12921, - "10475": msg12922, - "10476": msg12923, - "10477": msg12924, - "10478": msg12925, - "10479": msg12926, - "1048": 
select947, - "10480": msg12927, - "10481": msg12928, - "10482": msg12929, - "10483": msg12930, - "10484": msg12931, - "10485": msg12932, - "10486": msg12933, - "10487": msg12934, - "10488": msg12935, - "10489": msg12936, - "1049": select948, - "10490": msg12937, - "10491": msg12938, - "10492": msg12939, - "10493": msg12940, - "10494": msg12941, - "10495": msg12942, - "10496": msg12943, - "10497": msg12944, - "10498": msg12945, - "10499": msg12946, - "105": select33, - "105-1": msg86, - "105-2": msg87, - "105-3": msg88, - "105-4": msg89, - "1050": select949, - "10500": msg12947, - "10501": msg12948, - "10502": msg12949, - "10503": msg12950, - "10504": msg12951, - "10505": msg12952, - "10506": msg12953, - "10507": msg12954, - "10508": msg12955, - "10509": msg12956, - "1051": select950, - "10510": msg12957, - "10511": msg12958, - "10512": msg12959, - "10513": msg12960, - "10514": msg12961, - "10515": msg12962, - "10516": msg12963, - "10517": msg12964, - "10518": msg12965, - "10519": msg12966, - "1052": select951, - "10520": msg12967, - "10521": msg12968, - "10522": msg12969, - "10523": msg12970, - "10524": msg12971, - "10525": msg12972, - "10526": msg12973, - "10527": msg12974, - "10528": msg12975, - "10529": msg12976, - "1053": select952, - "10530": msg12977, - "10531": msg12978, - "10532": msg12979, - "10533": msg12980, - "10534": msg12981, - "10535": msg12982, - "10536": msg12983, - "10537": msg12984, - "10538": msg12985, - "10539": msg12986, - "1054": select953, - "10540": msg12987, - "10541": msg12988, - "10542": msg12989, - "10543": msg12990, - "10544": msg12991, - "10545": msg12992, - "10546": msg12993, - "10547": msg12994, - "10548": msg12995, - "10549": msg12996, - "1055": select954, - "10550": msg12997, - "10551": msg12998, - "10552": msg12999, - "10553": msg13000, - "10554": msg13001, - "10555": msg13002, - "10556": msg13003, - "10557": msg13004, - "10558": msg13005, - "10559": msg13006, - "1056": select955, - "10560": msg13007, - "10561": msg13008, - 
"10562": msg13009, - "10563": msg13010, - "10564": msg13011, - "10565": msg13012, - "10566": msg13013, - "10567": msg13014, - "10568": msg13015, - "10569": msg13016, - "1057": select956, - "10570": msg13017, - "10571": msg13018, - "10572": msg13019, - "10573": msg13020, - "10574": msg13021, - "10575": msg13022, - "10576": msg13023, - "10577": msg13024, - "10578": msg13025, - "10579": msg13026, - "1058": select957, - "10580": msg13027, - "10581": msg13028, - "10582": msg13029, - "10583": msg13030, - "10584": msg13031, - "10585": msg13032, - "10586": msg13033, - "10587": msg13034, - "10588": msg13035, - "10589": msg13036, - "1059": select958, - "10590": msg13037, - "10591": msg13038, - "10592": msg13039, - "10593": msg13040, - "10594": msg13041, - "10595": msg13042, - "10596": msg13043, - "10597": msg13044, - "10598": msg13045, - "10599": msg13046, - "106": select34, - "106-1": msg92, - "106-2": msg93, - "106-3": msg94, - "106-4": msg95, - "1060": select959, - "10600": msg13047, - "10601": msg13048, - "10602": msg13049, - "10603": msg13050, - "10604": msg13051, - "10605": msg13052, - "10606": msg13053, - "10607": msg13054, - "10608": msg13055, - "10609": msg13056, - "1061": select960, - "10610": msg13057, - "10611": msg13058, - "10612": msg13059, - "10613": msg13060, - "10614": msg13061, - "10615": msg13062, - "10616": msg13063, - "10617": msg13064, - "10618": msg13065, - "10619": msg13066, - "1062": select961, - "10620": msg13067, - "10621": msg13068, - "10622": msg13069, - "10623": msg13070, - "10624": msg13071, - "10625": msg13072, - "10626": msg13073, - "10627": msg13074, - "10628": msg13075, - "10629": msg13076, - "1063": select962, - "10630": msg13077, - "10631": msg13078, - "10632": msg13079, - "10633": msg13080, - "10634": msg13081, - "10635": msg13082, - "10636": msg13083, - "10637": msg13084, - "10638": msg13085, - "10639": msg13086, - "1064": select963, - "10640": msg13087, - "10641": msg13088, - "10642": msg13089, - "10643": msg13090, - "10644": msg13091, 
- "10645": msg13092, - "10646": msg13093, - "10647": msg13094, - "10648": msg13095, - "10649": msg13096, - "1065": select964, - "10650": msg13097, - "10651": msg13098, - "10652": msg13099, - "10653": msg13100, - "10654": msg13101, - "10655": msg13102, - "10656": msg13103, - "10657": msg13104, - "10658": msg13105, - "10659": msg13106, - "1066": select965, - "10660": msg13107, - "10661": msg13108, - "10662": msg13109, - "10663": msg13110, - "10664": msg13111, - "10665": msg13112, - "10666": msg13113, - "10667": msg13114, - "10668": msg13115, - "10669": msg13116, - "1067": select966, - "10670": msg13117, - "10671": msg13118, - "10672": msg13119, - "10673": msg13120, - "10674": msg13121, - "10675": msg13122, - "10676": msg13123, - "10677": msg13124, - "10678": msg13125, - "10679": msg13126, - "1068": select967, - "10680": msg13127, - "10681": msg13128, - "10682": msg13129, - "10683": msg13130, - "10684": msg13131, - "10685": msg13132, - "10686": msg13133, - "10687": msg13134, - "10688": msg13135, - "10689": msg13136, - "1069": select968, - "10690": msg13137, - "10691": msg13138, - "10692": msg13139, - "10693": msg13140, - "10694": msg13141, - "10695": msg13142, - "10696": msg13143, - "10697": msg13144, - "10698": msg13145, - "10699": msg13146, - "107": select35, - "1070": select969, - "10700": msg13147, - "10701": msg13148, - "10702": msg13149, - "10703": msg13150, - "10704": msg13151, - "10705": msg13152, - "10706": msg13153, - "10707": msg13154, - "10708": msg13155, - "10709": msg13156, - "1071": select970, - "10710": msg13157, - "10711": msg13158, - "10712": msg13159, - "10713": msg13160, - "10714": msg13161, - "10715": msg13162, - "10716": msg13163, - "10717": msg13164, - "10718": msg13165, - "10719": msg13166, - "1072": select971, - "10720": msg13167, - "10721": msg13168, - "10722": msg13169, - "10723": msg13170, - "10724": msg13171, - "10725": msg13172, - "10726": msg13173, - "10727": msg13174, - "10728": msg13175, - "10729": msg13176, - "1073": select972, - 
"10730": msg13177, - "10731": msg13178, - "10732": msg13179, - "10733": msg13180, - "10734": msg13181, - "10735": msg13182, - "10736": msg13183, - "10737": msg13184, - "10738": msg13185, - "10739": msg13186, - "10740": msg13187, - "10741": msg13188, - "10742": msg13189, - "10743": msg13190, - "10744": msg13191, - "10745": msg13192, - "10746": msg13193, - "10747": msg13194, - "10748": msg13195, - "10749": msg13196, - "1075": select973, - "10750": msg13197, - "10751": msg13198, - "10752": msg13199, - "10753": msg13200, - "10754": msg13201, - "10755": msg13202, - "10756": msg13203, - "10757": msg13204, - "10758": msg13205, - "10759": msg13206, - "1076": select974, - "10760": msg13207, - "10761": msg13208, - "10762": msg13209, - "10763": msg13210, - "10764": msg13211, - "10765": msg13212, - "10766": msg13213, - "10767": msg13214, - "10768": msg13215, - "10769": msg13216, - "1077": select975, - "10770": msg13217, - "10771": msg13218, - "10772": msg13219, - "10773": msg13220, - "10774": msg13221, - "10775": msg13222, - "10776": msg13223, - "10777": msg13224, - "10778": msg13225, - "10779": msg13226, - "1078": select976, - "10780": msg13227, - "10781": msg13228, - "10782": msg13229, - "10783": msg13230, - "10784": msg13231, - "10785": msg13232, - "10786": msg13233, - "10787": msg13234, - "10788": msg13235, - "10789": msg13236, - "1079": select977, - "10790": msg13237, - "10791": msg13238, - "10792": msg13239, - "10793": msg13240, - "10794": msg13241, - "10795": msg13242, - "10796": msg13243, - "10797": msg13244, - "10798": msg13245, - "10799": msg13246, - "108": select36, - "1080": select978, - "10800": msg13247, - "10801": msg13248, - "10802": msg13249, - "10803": msg13250, - "10804": msg13251, - "10805": msg13252, - "10806": msg13253, - "10807": msg13254, - "10808": msg13255, - "10809": msg13256, - "1081": select979, - "10810": msg13257, - "10811": msg13258, - "10812": msg13259, - "10813": msg13260, - "10814": msg13261, - "10815": msg13262, - "10816": msg13263, - 
"10817": msg13264, - "10818": msg13265, - "10819": msg13266, - "1082": select980, - "10820": msg13267, - "10821": msg13268, - "10822": msg13269, - "10823": msg13270, - "10824": msg13271, - "10825": msg13272, - "10826": msg13273, - "10827": msg13274, - "10828": msg13275, - "10829": msg13276, - "1083": select981, - "10830": msg13277, - "10831": msg13278, - "10832": msg13279, - "10833": msg13280, - "10834": msg13281, - "10835": msg13282, - "10836": msg13283, - "10837": msg13284, - "10838": msg13285, - "10839": msg13286, - "1084": select982, - "10840": msg13287, - "10841": msg13288, - "10842": msg13289, - "10843": msg13290, - "10844": msg13291, - "10845": msg13292, - "10846": msg13293, - "10847": msg13294, - "10848": msg13295, - "10849": msg13296, - "1085": select983, - "10850": msg13297, - "10851": msg13298, - "10852": msg13299, - "10853": msg13300, - "10854": msg13301, - "10855": msg13302, - "10856": msg13303, - "10857": msg13304, - "10858": msg13305, - "10859": msg13306, - "1086": select984, - "10860": msg13307, - "10861": msg13308, - "10862": msg13309, - "10863": msg13310, - "10864": msg13311, - "10865": msg13312, - "10866": msg13313, - "10867": msg13314, - "10868": msg13315, - "10869": msg13316, - "1087": select985, - "10870": msg13317, - "10871": msg13318, - "10872": msg13319, - "10873": msg13320, - "10874": msg13321, - "10875": msg13322, - "10876": msg13323, - "10877": msg13324, - "10878": msg13325, - "10879": msg13326, - "1088": select986, - "10880": msg13327, - "10881": msg13328, - "10882": msg13329, - "10883": msg13330, - "10884": msg13331, - "10885": msg13332, - "10886": msg13333, - "10887": msg13334, - "10888": msg13335, - "10889": msg13336, - "1089": select987, - "10890": msg13337, - "10891": msg13338, - "10892": msg13339, - "10893": msg13340, - "10894": msg13341, - "10895": msg13342, - "10896": msg13343, - "10897": msg13344, - "10898": msg13345, - "10899": msg13346, - "109": select37, - "1090": select988, - "10900": msg13347, - "10901": msg13348, - 
"10902": msg13349, - "10903": msg13350, - "10904": msg13351, - "10905": msg13352, - "10906": msg13353, - "10907": msg13354, - "10908": msg13355, - "10909": msg13356, - "1091": select989, - "10910": msg13357, - "10911": msg13358, - "10912": msg13359, - "10913": msg13360, - "10914": msg13361, - "10915": msg13362, - "10916": msg13363, - "10917": msg13364, - "10918": msg13365, - "10919": msg13366, - "1092": select990, - "10920": msg13367, - "10921": msg13368, - "10922": msg13369, - "10923": msg13370, - "10924": msg13371, - "10925": msg13372, - "10926": msg13373, - "10927": msg13374, - "10928": msg13375, - "10929": msg13376, - "1093": select991, - "10930": msg13377, - "10931": msg13378, - "10932": msg13379, - "10933": msg13380, - "10934": msg13381, - "10935": msg13382, - "10936": msg13383, - "10937": msg13384, - "10938": msg13385, - "10939": msg13386, - "1094": select992, - "10940": msg13387, - "10941": msg13388, - "10942": msg13389, - "10943": msg13390, - "10944": msg13391, - "10945": msg13392, - "10946": msg13393, - "10947": msg13394, - "10948": msg13395, - "10949": msg13396, - "1095": select993, - "10950": msg13397, - "10951": msg13398, - "10952": msg13399, - "10953": msg13400, - "10954": msg13401, - "10955": msg13402, - "10956": msg13403, - "10957": msg13404, - "10958": msg13405, - "10959": msg13406, - "1096": select994, - "10960": msg13407, - "10961": msg13408, - "10962": msg13409, - "10963": msg13410, - "10964": msg13411, - "10965": msg13412, - "10966": msg13413, - "10967": msg13414, - "10968": msg13415, - "10969": msg13416, - "1097": select995, - "10970": msg13417, - "10971": msg13418, - "10972": msg13419, - "10973": msg13420, - "10974": msg13421, - "10975": msg13422, - "10976": msg13423, - "10977": msg13424, - "10978": msg13425, - "10979": msg13426, - "1098": select996, - "10980": msg13427, - "10981": msg13428, - "10982": msg13429, - "10983": msg13430, - "10984": msg13431, - "10985": msg13432, - "10986": msg13433, - "10987": msg13434, - "10988": msg13435, - 
"10989": msg13436, - "1099": select997, - "10990": msg13437, - "10991": msg13438, - "10992": msg13439, - "10993": msg13440, - "10994": msg13441, - "10995": msg13442, - "10996": msg13443, - "10997": msg13444, - "10998": msg13445, - "10999": msg13446, - "11": msg35, - "110": select38, - "110-1": msg105, - "110-2": msg106, - "110-3": msg107, - "110-4": msg108, - "1100": select998, - "11000": msg13447, - "11001": msg13448, - "11002": msg13449, - "11003": msg13450, - "11004": msg13451, - "11005": msg13452, - "11006": msg13453, - "11007": msg13454, - "11008": msg13455, - "11009": msg13456, - "1101": select999, - "11010": msg13457, - "11011": msg13458, - "11012": msg13459, - "11013": msg13460, - "11014": msg13461, - "11015": msg13462, - "11016": msg13463, - "11017": msg13464, - "11018": msg13465, - "11019": msg13466, - "1102": select1000, - "11020": msg13467, - "11021": msg13468, - "11022": msg13469, - "11023": msg13470, - "11024": msg13471, - "11025": msg13472, - "11026": msg13473, - "11027": msg13474, - "11028": msg13475, - "11029": msg13476, - "1103": select1001, - "11030": msg13477, - "11031": msg13478, - "11032": msg13479, - "11033": msg13480, - "11034": msg13481, - "11035": msg13482, - "11036": msg13483, - "11037": msg13484, - "11038": msg13485, - "11039": msg13486, - "1104": select1002, - "11040": msg13487, - "11041": msg13488, - "11042": msg13489, - "11043": msg13490, - "11044": msg13491, - "11045": msg13492, - "11046": msg13493, - "11047": msg13494, - "11048": msg13495, - "11049": msg13496, - "1105": select1003, - "11050": msg13497, - "11051": msg13498, - "11052": msg13499, - "11053": msg13500, - "11054": msg13501, - "11055": msg13502, - "11056": msg13503, - "11057": msg13504, - "11058": msg13505, - "11059": msg13506, - "1106": select1004, - "11060": msg13507, - "11061": msg13508, - "11062": msg13509, - "11063": msg13510, - "11064": msg13511, - "11065": msg13512, - "11066": msg13513, - "11067": msg13514, - "11068": msg13515, - "11069": msg13516, - "1107": 
select1005, - "11070": msg13517, - "11071": msg13518, - "11072": msg13519, - "11073": msg13520, - "11074": msg13521, - "11075": msg13522, - "11076": msg13523, - "11077": msg13524, - "11078": msg13525, - "11079": msg13526, - "1108": select1006, - "11080": msg13527, - "11081": msg13528, - "11082": msg13529, - "11083": msg13530, - "11084": msg13531, - "11085": msg13532, - "11086": msg13533, - "11087": msg13534, - "11088": msg13535, - "11089": msg13536, - "1109": select1007, - "11090": msg13537, - "11091": msg13538, - "11092": msg13539, - "11093": msg13540, - "11094": msg13541, - "11095": msg13542, - "11096": msg13543, - "11097": msg13544, - "11098": msg13545, - "11099": msg13546, - "111": select39, - "111-1": msg111, - "111-10": msg112, - "111-11": msg113, - "111-12": msg114, - "111-13": msg115, - "111-14": msg116, - "111-15": msg117, - "111-16": msg118, - "111-17": msg119, - "111-2": msg120, - "111-3": msg121, - "111-4": msg122, - "111-5": msg123, - "111-6": msg124, - "111-7": msg125, - "111-8": msg126, - "111-9": msg127, - "1110": select1008, - "11100": msg13547, - "11101": msg13548, - "11102": msg13549, - "11103": msg13550, - "11104": msg13551, - "11105": msg13552, - "11106": msg13553, - "11107": msg13554, - "11108": msg13555, - "11109": msg13556, - "1111": select1009, - "11110": msg13557, - "11111": msg13558, - "11112": msg13559, - "11113": msg13560, - "11114": msg13561, - "11115": msg13562, - "11116": msg13563, - "11117": msg13564, - "11118": msg13565, - "11119": msg13566, - "1112": select1010, - "11120": msg13567, - "11121": msg13568, - "11122": msg13569, - "11123": msg13570, - "11124": msg13571, - "11125": msg13572, - "11126": msg13573, - "11127": msg13574, - "11128": msg13575, - "11129": msg13576, - "1113": select1011, - "11130": msg13577, - "11131": msg13578, - "11132": msg13579, - "11133": msg13580, - "11134": msg13581, - "11135": msg13582, - "11136": msg13583, - "11137": msg13584, - "11138": msg13585, - "11139": msg13586, - "1114": select1012, - "11140": 
msg13587, - "11141": msg13588, - "11142": msg13589, - "11143": msg13590, - "11144": msg13591, - "11145": msg13592, - "11146": msg13593, - "11147": msg13594, - "11148": msg13595, - "11149": msg13596, - "1115": select1013, - "11150": msg13597, - "11151": msg13598, - "11152": msg13599, - "11153": msg13600, - "11154": msg13601, - "11155": msg13602, - "11156": msg13603, - "11157": msg13604, - "11158": msg13605, - "11159": msg13606, - "1116": select1014, - "11160": msg13607, - "11161": msg13608, - "11162": msg13609, - "11163": msg13610, - "11164": msg13611, - "11165": msg13612, - "11166": msg13613, - "11167": msg13614, - "11168": msg13615, - "11169": msg13616, - "1117": select1015, - "11170": msg13617, - "11171": msg13618, - "11172": msg13619, - "11173": msg13620, - "11174": msg13621, - "11175": msg13622, - "11176": msg13623, - "11177": msg13624, - "11178": msg13625, - "11179": msg13626, - "1118": select1016, - "11180": msg13627, - "11181": msg13628, - "11182": msg13629, - "11183": msg13630, - "11184": msg13631, - "11185": msg13632, - "11186": msg13633, - "11187": msg13634, - "11188": msg13635, - "11189": msg13636, - "1119": select1017, - "11190": msg13637, - "11191": msg13638, - "11192": msg13639, - "11193": msg13640, - "11194": msg13641, - "11196": msg13642, - "11197": msg13643, - "11198": msg13644, - "11199": msg13645, - "112": select40, - "112-1": msg130, - "112-2": msg131, - "112-3": msg132, - "112-4": msg133, - "1120": select1018, - "11200": msg13646, - "11201": msg13647, - "11202": msg13648, - "11203": msg13649, - "11204": msg13650, - "11205": msg13651, - "11206": msg13652, - "11207": msg13653, - "11208": msg13654, - "11209": msg13655, - "1121": select1019, - "11210": msg13656, - "11211": msg13657, - "11212": msg13658, - "11213": msg13659, - "11214": msg13660, - "11215": msg13661, - "11216": msg13662, - "11217": msg13663, - "11218": msg13664, - "11219": msg13665, - "1122": select1020, - "11220": msg13666, - "11221": msg13667, - "11222": msg13668, - "11223": 
msg13669, - "11224": msg13670, - "11225": msg13671, - "11226": msg13672, - "11227": msg13673, - "11228": msg13674, - "11229": msg13675, - "1123": select1021, - "11230": msg13676, - "11231": msg13677, - "11232": msg13678, - "11233": msg13679, - "11234": msg13680, - "11235": msg13681, - "11236": msg13682, - "11237": msg13683, - "11238": msg13684, - "11239": msg13685, - "1124": select1022, - "11240": msg13686, - "11241": msg13687, - "11242": msg13688, - "11243": msg13689, - "11244": msg13690, - "11245": msg13691, - "11246": msg13692, - "11247": msg13693, - "11248": msg13694, - "11249": msg13695, - "1125": select1023, - "11250": msg13696, - "11251": msg13697, - "11252": msg13698, - "11253": msg13699, - "11254": msg13700, - "11255": msg13701, - "11256": msg13702, - "11257": msg13703, - "11258": msg13704, - "11259": msg13705, - "1126": select1024, - "11260": msg13706, - "11261": msg13707, - "11262": msg13708, - "11263": msg13709, - "11264": msg13710, - "11265": msg13711, - "11266": msg13712, - "11267": msg13713, - "11268": msg13714, - "11269": msg13715, - "1127": select1025, - "11270": msg13716, - "11271": msg13717, - "11272": msg13718, - "11273": msg13719, - "11274": msg13720, - "11275": msg13721, - "11276": msg13722, - "11277": msg13723, - "11278": msg13724, - "11279": msg13725, - "1128": select1026, - "11280": msg13726, - "11281": msg13727, - "11282": msg13728, - "11283": msg13729, - "11284": msg13730, - "11285": msg13731, - "11286": msg13732, - "11287": msg13733, - "11288": msg13734, - "11289": msg13735, - "1129": select1027, - "11290": msg13736, - "11291": msg13737, - "11292": msg13738, - "11293": msg13739, - "11294": msg13740, - "11295": msg13741, - "11296": msg13742, - "11297": msg13743, - "11298": msg13744, - "11299": msg13745, - "113": select41, - "1130": select1028, - "11300": msg13746, - "11301": msg13747, - "11302": msg13748, - "11303": msg13749, - "11304": msg13750, - "11305": msg13751, - "11306": msg13752, - "11307": msg13753, - "11308": msg13754, - 
"11309": msg13755, - "1131": select1029, - "11310": msg13756, - "11311": msg13757, - "11312": msg13758, - "11313": msg13759, - "11314": msg13760, - "11315": msg13761, - "11316": msg13762, - "11317": msg13763, - "11318": msg13764, - "11319": msg13765, - "1132": select1030, - "11320": msg13766, - "11321": msg13767, - "11322": msg13768, - "11323": msg13769, - "11324": msg13770, - "11325": msg13771, - "11326": msg13772, - "11327": msg13773, - "11328": msg13774, - "11329": msg13775, - "1133": select1031, - "11330": msg13776, - "11331": msg13777, - "11332": msg13778, - "11333": msg13779, - "11334": msg13780, - "11335": msg13781, - "11336": msg13782, - "11337": msg13783, - "11338": msg13784, - "11339": msg13785, - "1134": select1032, - "11340": msg13786, - "11341": msg13787, - "11342": msg13788, - "11343": msg13789, - "11344": msg13790, - "11345": msg13791, - "11346": msg13792, - "11347": msg13793, - "11348": msg13794, - "11349": msg13795, - "11350": msg13796, - "11351": msg13797, - "11352": msg13798, - "11353": msg13799, - "11354": msg13800, - "11355": msg13801, - "11356": msg13802, - "11357": msg13803, - "11358": msg13804, - "11359": msg13805, - "1136": select1033, - "11360": msg13806, - "11361": msg13807, - "11362": msg13808, - "11363": msg13809, - "11364": msg13810, - "11365": msg13811, - "11366": msg13812, - "11367": msg13813, - "11368": msg13814, - "11369": msg13815, - "1137": select1034, - "11370": msg13816, - "11371": msg13817, - "11372": msg13818, - "11373": msg13819, - "11374": msg13820, - "11375": msg13821, - "11376": msg13822, - "11377": msg13823, - "11378": msg13824, - "11379": msg13825, - "1138": select1035, - "11380": msg13826, - "11381": msg13827, - "11382": msg13828, - "11383": msg13829, - "11384": msg13830, - "11385": msg13831, - "11386": msg13832, - "11387": msg13833, - "11388": msg13834, - "11389": msg13835, - "1139": select1036, - "11390": msg13836, - "11391": msg13837, - "11392": msg13838, - "11393": msg13839, - "11394": msg13840, - "11395": 
msg13841, - "11396": msg13842, - "11397": msg13843, - "11398": msg13844, - "11399": msg13845, - "114": select42, - "1140": select1037, - "11400": msg13846, - "11401": msg13847, - "11402": msg13848, - "11403": msg13849, - "11404": msg13850, - "11405": msg13851, - "11406": msg13852, - "11407": msg13853, - "11408": msg13854, - "11409": msg13855, - "1141": select1038, - "11410": msg13856, - "11411": msg13857, - "11412": msg13858, - "11413": msg13859, - "11414": msg13860, - "11415": msg13861, - "11416": msg13862, - "11417": msg13863, - "11418": msg13864, - "11419": msg13865, - "1142": select1039, - "11420": msg13866, - "11421": msg13867, - "11422": msg13868, - "11423": msg13869, - "11424": msg13870, - "11425": msg13871, - "11426": msg13872, - "11427": msg13873, - "11428": msg13874, - "11429": msg13875, - "1143": select1040, - "11430": msg13876, - "11431": msg13877, - "11432": msg13878, - "11433": msg13879, - "11434": msg13880, - "11435": msg13881, - "11436": msg13882, - "11437": msg13883, - "11438": msg13884, - "11439": msg13885, - "1144": select1041, - "11440": msg13886, - "11441": msg13887, - "11442": msg13888, - "11443": msg13889, - "11444": msg13890, - "11445": msg13891, - "11446": msg13892, - "11447": msg13893, - "11448": msg13894, - "11449": msg13895, - "1145": select1042, - "11450": msg13896, - "11451": msg13897, - "11452": msg13898, - "11453": msg13899, - "11454": msg13900, - "11455": msg13901, - "11456": msg13902, - "11457": msg13903, - "11458": msg13904, - "11459": msg13905, - "1146": select1043, - "11460": msg13906, - "11461": msg13907, - "11462": msg13908, - "11463": msg13909, - "11464": msg13910, - "11465": msg13911, - "11466": msg13912, - "11467": msg13913, - "11468": msg13914, - "11469": msg13915, - "1147": select1044, - "11470": msg13916, - "11471": msg13917, - "11472": msg13918, - "11473": msg13919, - "11474": msg13920, - "11475": msg13921, - "11476": msg13922, - "11477": msg13923, - "11478": msg13924, - "11479": msg13925, - "1148": select1045, - 
"11480": msg13926, - "11481": msg13927, - "11482": msg13928, - "11483": msg13929, - "11484": msg13930, - "11485": msg13931, - "11486": msg13932, - "11487": msg13933, - "11488": msg13934, - "11489": msg13935, - "1149": select1046, - "11490": msg13936, - "11491": msg13937, - "11492": msg13938, - "11493": msg13939, - "11494": msg13940, - "11495": msg13941, - "11496": msg13942, - "11497": msg13943, - "11498": msg13944, - "11499": msg13945, - "115": select43, - "115-1": msg140, - "115-2": msg141, - "115-3": msg142, - "115-4": msg143, - "115-5": msg144, - "1150": select1047, - "11500": msg13946, - "11501": msg13947, - "11502": msg13948, - "11503": msg13949, - "11504": msg13950, - "11505": msg13951, - "11506": msg13952, - "11507": msg13953, - "11508": msg13954, - "11509": msg13955, - "1151": select1048, - "11510": msg13956, - "11511": msg13957, - "11512": msg13958, - "11513": msg13959, - "11514": msg13960, - "11515": msg13961, - "11516": msg13962, - "11517": msg13963, - "11518": msg13964, - "11519": msg13965, - "1152": select1049, - "11520": msg13966, - "11521": msg13967, - "11522": msg13968, - "11523": msg13969, - "11524": msg13970, - "11525": msg13971, - "11526": msg13972, - "11527": msg13973, - "11528": msg13974, - "11529": msg13975, - "1153": select1050, - "11530": msg13976, - "11531": msg13977, - "11532": msg13978, - "11533": msg13979, - "11534": msg13980, - "11535": msg13981, - "11536": msg13982, - "11537": msg13983, - "11538": msg13984, - "11539": msg13985, - "1154": select1051, - "11540": msg13986, - "11541": msg13987, - "11542": msg13988, - "11543": msg13989, - "11544": msg13990, - "11545": msg13991, - "11546": msg13992, - "11547": msg13993, - "11548": msg13994, - "11549": msg13995, - "1155": select1052, - "11550": msg13996, - "11551": msg13997, - "11552": msg13998, - "11553": msg13999, - "11554": msg14000, - "11555": msg14001, - "11556": msg14002, - "11557": msg14003, - "11558": msg14004, - "11559": msg14005, - "1156": select1053, - "11560": msg14006, - "11561": 
msg14007, - "11562": msg14008, - "11563": msg14009, - "11564": msg14010, - "11565": msg14011, - "11566": msg14012, - "11567": msg14013, - "11568": msg14014, - "11569": msg14015, - "1157": select1054, - "11570": msg14016, - "11571": msg14017, - "11572": msg14018, - "11573": msg14019, - "11574": msg14020, - "11575": msg14021, - "11576": msg14022, - "11577": msg14023, - "11578": msg14024, - "11579": msg14025, - "1158": select1055, - "11580": msg14026, - "11581": msg14027, - "11582": msg14028, - "11583": msg14029, - "11584": msg14030, - "11585": msg14031, - "11586": msg14032, - "11587": msg14033, - "11588": msg14034, - "11589": msg14035, - "1159": select1056, - "11590": msg14036, - "11591": msg14037, - "11592": msg14038, - "11593": msg14039, - "11594": msg14040, - "11595": msg14041, - "11596": msg14042, - "11597": msg14043, - "11598": msg14044, - "11599": msg14045, - "116": select44, - "116-5": msg147, - "1160": select1057, - "11600": msg14046, - "11601": msg14047, - "11602": msg14048, - "11603": msg14049, - "11604": msg14050, - "11605": msg14051, - "11606": msg14052, - "11607": msg14053, - "11608": msg14054, - "11609": msg14055, - "1161": select1058, - "11610": msg14056, - "11611": msg14057, - "11612": msg14058, - "11613": msg14059, - "11614": msg14060, - "11615": msg14061, - "11616": msg14062, - "11617": msg14063, - "11618": msg14064, - "11619": msg14065, - "1162": select1059, - "11620": msg14066, - "11621": msg14067, - "11622": msg14068, - "11623": msg14069, - "11624": msg14070, - "11625": msg14071, - "11626": msg14072, - "11627": msg14073, - "11628": msg14074, - "11629": msg14075, - "1163": select1060, - "11630": msg14076, - "11631": msg14077, - "11632": msg14078, - "11633": msg14079, - "11634": msg14080, - "11635": msg14081, - "11636": msg14082, - "11637": msg14083, - "11638": msg14084, - "11639": msg14085, - "1164": select1061, - "11640": msg14086, - "11641": msg14087, - "11642": msg14088, - "11643": msg14089, - "11644": msg14090, - "11645": msg14091, - "11646": 
msg14092, - "11647": msg14093, - "11648": msg14094, - "11649": msg14095, - "1165": select1062, - "11650": msg14096, - "11651": msg14097, - "11652": msg14098, - "11653": msg14099, - "11654": msg14100, - "11655": msg14101, - "11656": msg14102, - "11657": msg14103, - "11658": msg14104, - "11659": msg14105, - "1166": select1063, - "11660": msg14106, - "11661": msg14107, - "11662": msg14108, - "11663": msg14109, - "11664": msg14110, - "11665": msg14111, - "11666": msg14112, - "11667": msg14113, - "11668": msg14114, - "11669": msg14115, - "1167": select1064, - "11670": msg14116, - "11671": msg14117, - "11672": msg14118, - "11673": msg14119, - "11674": msg14120, - "11675": msg14121, - "11676": msg14122, - "11677": msg14123, - "11678": msg14124, - "11679": msg14125, - "1168": select1065, - "11680": msg14126, - "11681": msg14127, - "11682": msg14128, - "11683": msg14129, - "11684": msg14130, - "11685": msg14131, - "11686": msg14132, - "11687": msg14133, - "11688": msg14134, - "11689": msg14135, - "11690": msg14136, - "11691": msg14137, - "11692": msg14138, - "11693": msg14139, - "11694": msg14140, - "11695": msg14141, - "11696": msg14142, - "11697": msg14143, - "11698": msg14144, - "11699": msg14145, - "117": select45, - "11700": msg14146, - "11701": msg14147, - "11702": msg14148, - "11703": msg14149, - "11704": msg14150, - "11705": msg14151, - "11706": msg14152, - "11707": msg14153, - "11708": msg14154, - "11709": msg14155, - "1171": select1066, - "11710": msg14156, - "11711": msg14157, - "11712": msg14158, - "11713": msg14159, - "11714": msg14160, - "11715": msg14161, - "11716": msg14162, - "11717": msg14163, - "11718": msg14164, - "11719": msg14165, - "1172": select1067, - "11720": msg14166, - "11721": msg14167, - "11722": msg14168, - "11723": msg14169, - "11724": msg14170, - "11725": msg14171, - "11726": msg14172, - "11727": msg14173, - "11728": msg14174, - "11729": msg14175, - "1173": select1068, - "11730": msg14176, - "11731": msg14177, - "11732": msg14178, - "11733": 
msg14179, - "11734": msg14180, - "11735": msg14181, - "11736": msg14182, - "11737": msg14183, - "11738": msg14184, - "11739": msg14185, - "1174": select1069, - "11740": msg14186, - "11741": msg14187, - "11742": msg14188, - "11743": msg14189, - "11744": msg14190, - "11745": msg14191, - "11746": msg14192, - "11747": msg14193, - "11748": msg14194, - "11749": msg14195, - "1175": select1070, - "11750": msg14196, - "11751": msg14197, - "11752": msg14198, - "11753": msg14199, - "11754": msg14200, - "11755": msg14201, - "11756": msg14202, - "11757": msg14203, - "11758": msg14204, - "11759": msg14205, - "1176": select1071, - "11760": msg14206, - "11761": msg14207, - "11762": msg14208, - "11763": msg14209, - "11764": msg14210, - "11765": msg14211, - "11766": msg14212, - "11767": msg14213, - "11768": msg14214, - "11769": msg14215, - "1177": select1072, - "11770": msg14216, - "11771": msg14217, - "11772": msg14218, - "11773": msg14219, - "11774": msg14220, - "11775": msg14221, - "11776": msg14222, - "11777": msg14223, - "11778": msg14224, - "11779": msg14225, - "1178": select1073, - "11780": msg14226, - "11781": msg14227, - "11782": msg14228, - "11783": msg14229, - "11784": msg14230, - "11785": msg14231, - "11786": msg14232, - "11787": msg14233, - "11788": msg14234, - "11789": msg14235, - "1179": select1074, - "11790": msg14236, - "11791": msg14237, - "11792": msg14238, - "11793": msg14239, - "11794": msg14240, - "11795": msg14241, - "11796": msg14242, - "11797": msg14243, - "11798": msg14244, - "11799": msg14245, - "118": select46, - "1180": select1075, - "11800": msg14246, - "11801": msg14247, - "11802": msg14248, - "11803": msg14249, - "11804": msg14250, - "11805": msg14251, - "11806": msg14252, - "11807": msg14253, - "11808": msg14254, - "11809": msg14255, - "1181": select1076, - "11810": msg14256, - "11811": msg14257, - "11812": msg14258, - "11813": msg14259, - "11814": msg14260, - "11815": msg14261, - "11816": msg14262, - "11817": msg14263, - "11818": msg14264, - 
"11819": msg14265, - "1182": select1077, - "11820": msg14266, - "11821": msg14267, - "11822": msg14268, - "11823": msg14269, - "11824": msg14270, - "11825": msg14271, - "11826": msg14272, - "11827": msg14273, - "11828": msg14274, - "11829": msg14275, - "1183": select1078, - "11830": msg14276, - "11831": msg14277, - "11832": msg14278, - "11833": msg14279, - "11834": msg14280, - "11835": msg14281, - "11836": msg14282, - "11837": msg14283, - "11838": msg14284, - "11839": msg14285, - "1184": select1079, - "11840": msg14286, - "11841": msg14287, - "11842": msg14288, - "11843": msg14289, - "11844": msg14290, - "11845": msg14291, - "11846": msg14292, - "11847": msg14293, - "11848": msg14294, - "11849": msg14295, - "1185": select1080, - "11850": msg14296, - "11851": msg14297, - "11852": msg14298, - "11853": msg14299, - "11854": msg14300, - "11855": msg14301, - "11856": msg14302, - "11857": msg14303, - "11858": msg14304, - "11859": msg14305, - "1186": select1081, - "11860": msg14306, - "11861": msg14307, - "11862": msg14308, - "11863": msg14309, - "11864": msg14310, - "11865": msg14311, - "11866": msg14312, - "11867": msg14313, - "11868": msg14314, - "11869": msg14315, - "1187": select1082, - "11870": msg14316, - "11871": msg14317, - "11872": msg14318, - "11873": msg14319, - "11874": msg14320, - "11875": msg14321, - "11876": msg14322, - "11877": msg14323, - "11878": msg14324, - "11879": msg14325, - "1188": select1083, - "11880": msg14326, - "11881": msg14327, - "11882": msg14328, - "11883": msg14329, - "11884": msg14330, - "11885": msg14331, - "11886": msg14332, - "11887": msg14333, - "11888": msg14334, - "11889": msg14335, - "1189": select1084, - "11890": msg14336, - "11891": msg14337, - "11892": msg14338, - "11893": msg14339, - "11894": msg14340, - "11895": msg14341, - "11896": msg14342, - "11897": msg14343, - "11898": msg14344, - "11899": msg14345, - "119": select47, - "119-1": msg154, - "119-10": msg155, - "119-11": msg156, - "119-12": msg157, - "119-13": msg158, - 
"119-14": msg159, - "119-15": msg160, - "119-16": msg161, - "119-17": msg162, - "119-18": msg163, - "119-2": msg164, - "119-3": msg165, - "119-4": msg166, - "119-5": msg167, - "119-6": msg168, - "119-7": msg169, - "119-8": msg170, - "119-9": msg171, - "1190": select1085, - "11900": msg14346, - "11901": msg14347, - "11902": msg14348, - "11903": msg14349, - "11904": msg14350, - "11905": msg14351, - "11906": msg14352, - "11907": msg14353, - "11908": msg14354, - "11909": msg14355, - "1191": select1086, - "11910": msg14356, - "11911": msg14357, - "11912": msg14358, - "11913": msg14359, - "11914": msg14360, - "11915": msg14361, - "11916": msg14362, - "11917": msg14363, - "11918": msg14364, - "11919": msg14365, - "1192": select1087, - "11920": msg14366, - "11921": msg14367, - "11922": msg14368, - "11923": msg14369, - "11924": msg14370, - "11925": msg14371, - "11926": msg14372, - "11927": msg14373, - "11928": msg14374, - "11929": msg14375, - "1193": select1088, - "11930": msg14376, - "11931": msg14377, - "11932": msg14378, - "11933": msg14379, - "11934": msg14380, - "11935": msg14381, - "11936": msg14382, - "11937": msg14383, - "11938": msg14384, - "11939": msg14385, - "1194": select1089, - "11940": msg14386, - "11941": msg14387, - "11942": msg14388, - "11943": msg14389, - "11944": msg14390, - "11945": msg14391, - "11946": msg14392, - "11947": msg14393, - "11948": msg14394, - "11949": msg14395, - "1195": select1090, - "11950": msg14396, - "11951": msg14397, - "11952": msg14398, - "11953": msg14399, - "11954": msg14400, - "11955": msg14401, - "11956": msg14402, - "11957": msg14403, - "11958": msg14404, - "11959": msg14405, - "1196": select1091, - "11960": msg14406, - "11961": msg14407, - "11962": msg14408, - "11963": msg14409, - "11964": msg14410, - "11965": msg14411, - "11966": msg14412, - "11967": msg14413, - "11968": msg14414, - "11969": msg14415, - "1197": select1092, - "11970": msg14416, - "11971": msg14417, - "11972": msg14418, - "11973": msg14419, - "11974": 
msg14420, - "11975": msg14421, - "11976": msg14422, - "11977": msg14423, - "11978": msg14424, - "11979": msg14425, - "1198": select1093, - "11980": msg14426, - "11981": msg14427, - "11982": msg14428, - "11983": msg14429, - "11984": msg14430, - "11985": msg14431, - "11986": msg14432, - "11987": msg14433, - "11988": msg14434, - "11989": msg14435, - "1199": select1094, - "11990": msg14436, - "11991": msg14437, - "11992": msg14438, - "11993": msg14439, - "11994": msg14440, - "11995": msg14441, - "11996": msg14442, - "11997": msg14443, - "11998": msg14444, - "11999": msg14445, - "12": select14, - "120": select48, - "120-1": msg174, - "1200": select1095, - "12000": msg14446, - "12001": msg14447, - "12002": msg14448, - "12003": msg14449, - "12004": msg14450, - "12005": msg14451, - "12006": msg14452, - "12007": msg14453, - "12008": msg14454, - "12009": msg14455, - "1201": select1096, - "12010": msg14456, - "12011": msg14457, - "12012": msg14458, - "12013": msg14459, - "12014": msg14460, - "12015": msg14461, - "12016": msg14462, - "12017": msg14463, - "12018": msg14464, - "12019": msg14465, - "1202": select1097, - "12020": msg14466, - "12021": msg14467, - "12022": msg14468, - "12023": msg14469, - "12024": msg14470, - "12025": msg14471, - "12026": msg14472, - "12027": msg14473, - "12028": msg14474, - "12029": msg14475, - "12030": msg14476, - "12031": msg14477, - "12032": msg14478, - "12033": msg14479, - "12034": msg14480, - "12035": msg14481, - "12036": msg14482, - "12037": msg14483, - "12038": msg14484, - "12039": msg14485, - "1204": select1098, - "12040": msg14486, - "12041": msg14487, - "12042": msg14488, - "12043": msg14489, - "12044": msg14490, - "12045": msg14491, - "12046": msg14492, - "12047": msg14493, - "12048": msg14494, - "12049": msg14495, - "1205": select1099, - "12050": msg14496, - "12051": msg14497, - "12052": msg14498, - "12053": msg14499, - "12054": msg14500, - "12055": msg14501, - "12056": msg14502, - "12057": msg14503, - "12058": msg14504, - "12059": 
msg14505, - "1206": select1100, - "12060": msg14506, - "12061": msg14507, - "12062": msg14508, - "12063": msg14509, - "12064": msg14510, - "12065": msg14511, - "12066": msg14512, - "12067": msg14513, - "12068": msg14514, - "12069": msg14515, - "1207": select1101, - "12070": msg14516, - "12072": msg14517, - "12073": msg14518, - "12074": msg14519, - "12075": msg14520, - "12076": msg14521, - "12077": msg14522, - "12078": msg14523, - "12079": msg14524, - "1208": select1102, - "12080": msg14525, - "12081": msg14526, - "12082": msg14527, - "12083": msg14528, - "12084": msg14529, - "12085": msg14530, - "12086": msg14531, - "12087": msg14532, - "12088": msg14533, - "12089": msg14534, - "1209": select1103, - "12090": msg14535, - "12091": msg14536, - "12092": msg14537, - "12093": msg14538, - "12094": msg14539, - "12095": msg14540, - "12096": msg14541, - "12097": msg14542, - "12098": msg14543, - "12099": msg14544, - "121": select49, - "121-1": msg177, - "121-2": msg178, - "121-3": msg179, - "121-4": msg180, - "12100": msg14545, - "12101": msg14546, - "12102": msg14547, - "12103": msg14548, - "12104": msg14549, - "12105": msg14550, - "12106": msg14551, - "12107": msg14552, - "12108": msg14553, - "12109": msg14554, - "1211": select1104, - "12110": msg14555, - "12111": msg14556, - "12112": msg14557, - "12113": msg14558, - "12114": msg14559, - "12115": msg14560, - "12116": msg14561, - "12117": msg14562, - "12118": msg14563, - "12119": msg14564, - "1212": select1105, - "12120": msg14565, - "12121": msg14566, - "12122": msg14567, - "12123": msg14568, - "12124": msg14569, - "12125": msg14570, - "12126": msg14571, - "12127": msg14572, - "12128": msg14573, - "12129": msg14574, - "1213": select1106, - "12130": msg14575, - "12131": msg14576, - "12132": msg14577, - "12133": msg14578, - "12134": msg14579, - "12135": msg14580, - "12136": msg14581, - "12137": msg14582, - "12138": msg14583, - "12139": msg14584, - "1214": select1107, - "12140": msg14585, - "12141": msg14586, - "12142": 
msg14587, - "12143": msg14588, - "12144": msg14589, - "12145": msg14590, - "12146": msg14591, - "12147": msg14592, - "12148": msg14593, - "12149": msg14594, - "1215": select1108, - "12150": msg14595, - "12151": msg14596, - "12152": msg14597, - "12153": msg14598, - "12154": msg14599, - "12155": msg14600, - "12156": msg14601, - "12157": msg14602, - "12158": msg14603, - "12159": msg14604, - "1216": select1109, - "12160": msg14605, - "12161": msg14606, - "12162": msg14607, - "12163": msg14608, - "12164": msg14609, - "12165": msg14610, - "12166": msg14611, - "12167": msg14612, - "12168": msg14613, - "12169": msg14614, - "1217": select1110, - "12170": msg14615, - "12171": msg14616, - "12172": msg14617, - "12173": msg14618, - "12174": msg14619, - "12175": msg14620, - "12176": msg14621, - "12177": msg14622, - "12178": msg14623, - "12179": msg14624, - "1218": select1111, - "12180": msg14625, - "12181": msg14626, - "12182": msg14627, - "12183": msg14628, - "12184": msg14629, - "12185": msg14630, - "12186": msg14631, - "12187": msg14632, - "12188": msg14633, - "12189": msg14634, - "1219": select1112, - "12190": msg14635, - "12191": msg14636, - "12192": msg14637, - "12193": msg14638, - "12194": msg14639, - "12195": msg14640, - "12196": msg14641, - "12197": msg14642, - "12198": msg14643, - "12199": msg14644, - "122": select50, - "122-1": msg183, - "122-10": msg184, - "122-11": msg185, - "122-12": msg186, - "122-13": msg187, - "122-14": msg188, - "122-15": msg189, - "122-16": msg190, - "122-17": msg191, - "122-18": msg192, - "122-19": msg193, - "122-2": msg194, - "122-20": msg195, - "122-21": msg196, - "122-22": msg197, - "122-23": msg198, - "122-24": msg199, - "122-25": msg200, - "122-26": msg201, - "122-27": msg202, - "122-3": msg203, - "122-4": msg204, - "122-5": msg205, - "122-6": msg206, - "122-7": msg207, - "122-8": msg208, - "122-9": msg209, - "1220": select1113, - "12200": msg14645, - "12201": msg14646, - "12202": msg14647, - "12203": msg14648, - "12204": msg14649, - 
"12205": msg14650, - "12206": msg14651, - "12207": msg14652, - "12208": msg14653, - "12209": msg14654, - "1221": select1114, - "12210": msg14655, - "12211": msg14656, - "12212": msg14657, - "12213": msg14658, - "12214": msg14659, - "12215": msg14660, - "12216": msg14661, - "12217": msg14662, - "12218": msg14663, - "12219": msg14664, - "1222": select1115, - "12220": msg14665, - "12221": msg14666, - "12222": msg14667, - "12223": msg14668, - "12224": msg14669, - "12225": msg14670, - "12226": msg14671, - "12227": msg14672, - "12228": msg14673, - "12229": msg14674, - "12230": msg14675, - "12231": msg14676, - "12232": msg14677, - "12233": msg14678, - "12234": msg14679, - "12235": msg14680, - "12236": msg14681, - "12237": msg14682, - "12238": msg14683, - "12239": msg14684, - "1224": select1116, - "12240": msg14685, - "12241": msg14686, - "12242": msg14687, - "12243": msg14688, - "12244": msg14689, - "12245": msg14690, - "12246": msg14691, - "12247": msg14692, - "12248": msg14693, - "12249": msg14694, - "1225": select1117, - "12250": msg14695, - "12251": msg14696, - "12252": msg14697, - "12253": msg14698, - "12254": msg14699, - "12255": msg14700, - "12256": msg14701, - "12257": msg14702, - "12258": msg14703, - "12259": msg14704, - "1226": select1118, - "12260": msg14705, - "12261": msg14706, - "12262": msg14707, - "12263": msg14708, - "12264": msg14709, - "12265": msg14710, - "12266": msg14711, - "12267": msg14712, - "12268": msg14713, - "12269": msg14714, - "1227": select1119, - "12270": msg14715, - "12271": msg14716, - "12272": msg14717, - "12273": msg14718, - "12274": msg14719, - "12275": msg14720, - "12276": msg14721, - "12277": msg14722, - "12278": msg14723, - "12279": msg14724, - "1228": select1120, - "12280": msg14725, - "12281": msg14726, - "12282": msg14727, - "12283": msg14728, - "12284": msg14729, - "12285": msg14730, - "12286": msg14731, - "12287": msg14732, - "12288": msg14733, - "12289": msg14734, - "1229": select1121, - "12290": msg14735, - "12291": 
msg14736, - "12292": msg14737, - "12293": msg14738, - "12294": msg14739, - "12295": msg14740, - "12296": msg14741, - "12297": msg14742, - "12298": msg14743, - "12299": msg14744, - "123-10": msg210, - "123-9": msg211, - "1230": select1122, - "12300": msg14745, - "12301": msg14746, - "12302": msg14747, - "12303": msg14748, - "12304": msg14749, - "12305": msg14750, - "12306": msg14751, - "12307": msg14752, - "12308": msg14753, - "12309": msg14754, - "1231": select1123, - "12310": msg14755, - "12311": msg14756, - "12312": msg14757, - "12313": msg14758, - "12314": msg14759, - "12315": msg14760, - "12316": msg14761, - "12317": msg14762, - "12318": msg14763, - "12319": msg14764, - "1232": select1124, - "12320": msg14765, - "12321": msg14766, - "12322": msg14767, - "12323": msg14768, - "12324": msg14769, - "12325": msg14770, - "12326": msg14771, - "12327": msg14772, - "12328": msg14773, - "12329": msg14774, - "1233": select1125, - "12330": msg14775, - "12331": msg14776, - "12332": msg14777, - "12333": msg14778, - "12334": msg14779, - "12335": msg14780, - "12336": msg14781, - "12337": msg14782, - "12338": msg14783, - "12339": msg14784, - "1234": select1126, - "12340": msg14785, - "12341": msg14786, - "12342": msg14787, - "12343": msg14788, - "12344": msg14789, - "12345": msg14790, - "12346": msg14791, - "12347": msg14792, - "12348": msg14793, - "12349": msg14794, - "1235": select1127, - "12350": msg14795, - "12351": msg14796, - "12352": msg14797, - "12353": msg14798, - "12354": msg14799, - "12355": msg14800, - "12356": msg14801, - "12357": msg14802, - "12358": msg14803, - "12359": msg14804, - "1236": select1128, - "12360": msg14805, - "12361": msg14806, - "12362": msg14807, - "12363": msg14808, - "12364": msg14809, - "12365": msg14810, - "12366": msg14811, - "12367": msg14812, - "12368": msg14813, - "12369": msg14814, - "1237": select1129, - "12370": msg14815, - "12371": msg14816, - "12372": msg14817, - "12373": msg14818, - "12374": msg14819, - "12375": msg14820, - "12376": 
msg14821, - "12377": msg14822, - "12378": msg14823, - "12379": msg14824, - "1238": select1130, - "12380": msg14825, - "12381": msg14826, - "12382": msg14827, - "12383": msg14828, - "12384": msg14829, - "12385": msg14830, - "12386": msg14831, - "12387": msg14832, - "12388": msg14833, - "12389": msg14834, - "1239": select1131, - "12390": msg14835, - "12391": msg14836, - "12392": msg14837, - "12393": msg14838, - "12394": msg14839, - "12395": msg14840, - "12396": msg14841, - "12397": msg14842, - "12398": msg14843, - "12399": msg14844, - "124": select51, - "124-1": msg214, - "1240": select1132, - "12400": msg14845, - "12401": msg14846, - "12402": msg14847, - "12403": msg14848, - "12404": msg14849, - "12405": msg14850, - "12406": msg14851, - "12407": msg14852, - "12408": msg14853, - "12409": msg14854, - "1241": select1133, - "12410": msg14855, - "12411": msg14856, - "12412": msg14857, - "12413": msg14858, - "12414": msg14859, - "12415": msg14860, - "12416": msg14861, - "12417": msg14862, - "12418": msg14863, - "12419": msg14864, - "1242": select1134, - "12420": msg14865, - "12421": msg14866, - "12422": msg14867, - "12423": msg14868, - "12424": msg14869, - "12425": msg14870, - "12426": msg14871, - "12427": msg14872, - "12428": msg14873, - "12429": msg14874, - "1243": select1135, - "12430": msg14875, - "12431": msg14876, - "12432": msg14877, - "12433": msg14878, - "12434": msg14879, - "12435": msg14880, - "12436": msg14881, - "12437": msg14882, - "12438": msg14883, - "12439": msg14884, - "1244": select1136, - "12440": msg14885, - "12441": msg14886, - "12442": msg14887, - "12443": msg14888, - "12444": msg14889, - "12445": msg14890, - "12446": msg14891, - "12447": msg14892, - "12448": msg14893, - "12449": msg14894, - "1245": select1137, - "12450": msg14895, - "12451": msg14896, - "12452": msg14897, - "12453": msg14898, - "12454": msg14899, - "12455": msg14900, - "12456": msg14901, - "12457": msg14902, - "12458": msg14903, - "12459": msg14904, - "1246": select1138, - "12460": 
msg14905, - "12461": msg14906, - "12462": msg14907, - "12463": msg14908, - "12464": msg14909, - "12465": msg14910, - "12466": msg14911, - "12467": msg14912, - "12468": msg14913, - "12469": msg14914, - "1247": select1139, - "12470": msg14915, - "12471": msg14916, - "12472": msg14917, - "12473": msg14918, - "12474": msg14919, - "12475": msg14920, - "12476": msg14921, - "12477": msg14922, - "12478": msg14923, - "12479": msg14924, - "1248": select1140, - "12480": msg14925, - "12481": msg14926, - "12482": msg14927, - "12483": msg14928, - "12484": msg14929, - "12485": msg14930, - "12486": msg14931, - "12487": msg14932, - "12488": msg14933, - "12489": msg14934, - "1249": select1141, - "12490": msg14935, - "12491": msg14936, - "12492": msg14937, - "12493": msg14938, - "12494": msg14939, - "12495": msg14940, - "12496": msg14941, - "12497": msg14942, - "12498": msg14943, - "12499": msg14944, - "125": select52, - "125-3": msg217, - "125-5": msg218, - "125-6": msg219, - "125-8": msg220, - "1250": select1142, - "12500": msg14945, - "12501": msg14946, - "12502": msg14947, - "12503": msg14948, - "12504": msg14949, - "12505": msg14950, - "12506": msg14951, - "12507": msg14952, - "12508": msg14953, - "12509": msg14954, - "1251": select1143, - "12510": msg14955, - "12511": msg14956, - "12512": msg14957, - "12513": msg14958, - "12514": msg14959, - "12515": msg14960, - "12516": msg14961, - "12517": msg14962, - "12518": msg14963, - "12519": msg14964, - "1252": select1144, - "12520": msg14965, - "12521": msg14966, - "12522": msg14967, - "12523": msg14968, - "12524": msg14969, - "12525": msg14970, - "12526": msg14971, - "12527": msg14972, - "12528": msg14973, - "12529": msg14974, - "1253": select1145, - "12530": msg14975, - "12531": msg14976, - "12532": msg14977, - "12533": msg14978, - "12534": msg14979, - "12535": msg14980, - "12536": msg14981, - "12537": msg14982, - "12538": msg14983, - "12539": msg14984, - "1254": select1146, - "12540": msg14985, - "12541": msg14986, - "12542": 
msg14987, - "12543": msg14988, - "12544": msg14989, - "12545": msg14990, - "12546": msg14991, - "12547": msg14992, - "12548": msg14993, - "12549": msg14994, - "1255": select1147, - "12550": msg14995, - "12551": msg14996, - "12552": msg14997, - "12553": msg14998, - "12554": msg14999, - "12555": msg15000, - "12556": msg15001, - "12557": msg15002, - "12558": msg15003, - "12559": msg15004, - "1256": select1148, - "12560": msg15005, - "12561": msg15006, - "12562": msg15007, - "12563": msg15008, - "12564": msg15009, - "12565": msg15010, - "12566": msg15011, - "12567": msg15012, - "12568": msg15013, - "12569": msg15014, - "1257": select1149, - "12570": msg15015, - "12571": msg15016, - "12572": msg15017, - "12573": msg15018, - "12574": msg15019, - "12575": msg15020, - "12576": msg15021, - "12577": msg15022, - "12578": msg15023, - "12579": msg15024, - "1258": select1150, - "12580": msg15025, - "12581": msg15026, - "12582": msg15027, - "12583": msg15028, - "12584": msg15029, - "12585": msg15030, - "12586": msg15031, - "12587": msg15032, - "12588": msg15033, - "12589": msg15034, - "1259": select1151, - "12590": msg15035, - "12591": msg15036, - "12592": msg15037, - "12593": msg15038, - "12594": msg15039, - "12595": msg15040, - "12596": msg15041, - "12597": msg15042, - "12598": msg15043, - "12599": msg15044, - "126": select53, - "126-1": msg223, - "1260": select1152, - "12600": msg15045, - "12601": msg15046, - "12602": msg15047, - "12603": msg15048, - "12604": msg15049, - "12605": msg15050, - "12606": msg15051, - "12607": msg15052, - "12608": msg15053, - "12609": msg15054, - "1261": select1153, - "12610": msg15055, - "12611": msg15056, - "12612": msg15057, - "12613": msg15058, - "12614": msg15059, - "12615": msg15060, - "12616": msg15061, - "12617": msg15062, - "12618": msg15063, - "12619": msg15064, - "1262": select1154, - "12620": msg15065, - "12621": msg15066, - "12622": msg15067, - "12623": msg15068, - "12624": msg15069, - "12625": msg15070, - "12626": msg15071, - "12627": 
msg15072, - "12628": msg15073, - "12629": msg15074, - "1263": select1155, - "12630": msg15075, - "12631": msg15076, - "12632": msg15077, - "12633": msg15078, - "12634": msg15079, - "12635": msg15080, - "12636": msg15081, - "12637": msg15082, - "12638": msg15083, - "12639": msg15084, - "1264": select1156, - "12640": msg15085, - "12641": msg15086, - "12642": msg15087, - "12643": msg15088, - "12644": msg15089, - "12645": msg15090, - "12646": msg15091, - "12647": msg15092, - "12648": msg15093, - "12649": msg15094, - "1265": select1157, - "12650": msg15095, - "12651": msg15096, - "12652": msg15097, - "12653": msg15098, - "12654": msg15099, - "12655": msg15100, - "12656": msg15101, - "12657": msg15102, - "12658": msg15103, - "12659": msg15104, - "1266": select1158, - "12660": msg15105, - "12661": msg15106, - "12663": msg15107, - "12664": msg15108, - "12665": msg15109, - "12666": msg15110, - "12667": msg15111, - "12668": msg15112, - "12669": msg15113, - "1267": select1159, - "12670": msg15114, - "12671": msg15115, - "12672": msg15116, - "12673": msg15117, - "12674": msg15118, - "12675": msg15119, - "12676": msg15120, - "12677": msg15121, - "12678": msg15122, - "12679": msg15123, - "1268": select1160, - "12680": msg15124, - "12681": msg15125, - "12682": msg15126, - "12683": msg15127, - "12684": msg15128, - "12685": msg15129, - "12686": msg15130, - "12687": msg15131, - "12688": msg15132, - "12689": msg15133, - "1269": select1161, - "12690": msg15134, - "12691": msg15135, - "12692": msg15136, - "12693": msg15137, - "12694": msg15138, - "12695": msg15139, - "12696": msg15140, - "12697": msg15141, - "12698": msg15142, - "12699": msg15143, - "127": select54, - "1270": select1162, - "12700": msg15144, - "12701": msg15145, - "12702": msg15146, - "12703": msg15147, - "12704": msg15148, - "12705": msg15149, - "12706": msg15150, - "12707": msg15151, - "12708": msg15152, - "12709": msg15153, - "1271": select1163, - "12710": msg15154, - "12711": msg15155, - "12712": msg15156, - 
"12713": msg15157, - "12714": msg15158, - "12715": msg15159, - "12716": msg15160, - "12717": msg15161, - "12718": msg15162, - "12719": msg15163, - "1272": select1164, - "12720": msg15164, - "12721": msg15165, - "12722": msg15166, - "12723": msg15167, - "12724": msg15168, - "12725": msg15169, - "12726": msg15170, - "12727": msg15171, - "12728": msg15172, - "12729": msg15173, - "1273": select1165, - "12730": msg15174, - "12731": msg15175, - "12732": msg15176, - "12733": msg15177, - "12734": msg15178, - "12735": msg15179, - "12736": msg15180, - "12737": msg15181, - "12738": msg15182, - "12739": msg15183, - "1274": select1166, - "12740": msg15184, - "12741": msg15185, - "12742": msg15186, - "12743": msg15187, - "12744": msg15188, - "12745": msg15189, - "12746": msg15190, - "12747": msg15191, - "12748": msg15192, - "12749": msg15193, - "1275": select1167, - "12750": msg15194, - "12751": msg15195, - "12752": msg15196, - "12753": msg15197, - "12754": msg15198, - "12755": msg15199, - "12756": msg15200, - "12757": msg15201, - "12758": msg15202, - "12759": msg15203, - "1276": select1168, - "12760": msg15204, - "12761": msg15205, - "12762": msg15206, - "12763": msg15207, - "12764": msg15208, - "12765": msg15209, - "12766": msg15210, - "12767": msg15211, - "12768": msg15212, - "12769": msg15213, - "1277": select1169, - "12770": msg15214, - "12771": msg15215, - "12772": msg15216, - "12773": msg15217, - "12774": msg15218, - "12775": msg15219, - "12776": msg15220, - "12777": msg15221, - "12778": msg15222, - "12779": msg15223, - "1278": select1170, - "12780": msg15224, - "12781": msg15225, - "12782": msg15226, - "12783": msg15227, - "12784": msg15228, - "12785": msg15229, - "12786": msg15230, - "12787": msg15231, - "12788": msg15232, - "12789": msg15233, - "1279": select1171, - "12790": msg15234, - "12791": msg15235, - "12792": msg15236, - "12793": msg15237, - "12794": msg15238, - "12795": msg15239, - "12796": msg15240, - "12797": msg15241, - "12798": msg15242, - "12799": 
msg15243, - "128": select55, - "1280": select1172, - "12800": msg15244, - "12801": msg15245, - "12802": msg15246, - "12803": msg15247, - "12804": msg15248, - "12805": msg15249, - "12806": msg15250, - "12807": msg15251, - "12808": msg15252, - "12809": msg15253, - "1281": select1173, - "12810": msg15254, - "12811": msg15255, - "12812": msg15256, - "12813": msg15257, - "12814": msg15258, - "12815": msg15259, - "12816": msg15260, - "12817": msg15261, - "12818": msg15262, - "12819": msg15263, - "1282": select1174, - "12820": msg15264, - "12821": msg15265, - "12822": msg15266, - "12823": msg15267, - "12824": msg15268, - "12825": msg15269, - "12826": msg15270, - "12827": msg15271, - "12828": msg15272, - "12829": msg15273, - "1283": select1175, - "12830": msg15274, - "12831": msg15275, - "12832": msg15276, - "12833": msg15277, - "12834": msg15278, - "12835": msg15279, - "12836": msg15280, - "12837": msg15281, - "12838": msg15282, - "12839": msg15283, - "1284": select1176, - "12840": msg15284, - "12841": msg15285, - "12842": msg15286, - "12843": msg15287, - "12844": msg15288, - "12845": msg15289, - "12846": msg15290, - "12847": msg15291, - "12848": msg15292, - "12849": msg15293, - "1285": select1177, - "12850": msg15294, - "12851": msg15295, - "12852": msg15296, - "12853": msg15297, - "12854": msg15298, - "12855": msg15299, - "12856": msg15300, - "12857": msg15301, - "12858": msg15302, - "12859": msg15303, - "1286": select1178, - "12860": msg15304, - "12861": msg15305, - "12862": msg15306, - "12863": msg15307, - "12864": msg15308, - "12865": msg15309, - "12866": msg15310, - "12867": msg15311, - "12868": msg15312, - "12869": msg15313, - "1287": select1179, - "12870": msg15314, - "12871": msg15315, - "12872": msg15316, - "12873": msg15317, - "12874": msg15318, - "12875": msg15319, - "12876": msg15320, - "12877": msg15321, - "12878": msg15322, - "12879": msg15323, - "1288": select1180, - "12880": msg15324, - "12881": msg15325, - "12882": msg15326, - "12883": msg15327, - 
"12884": msg15328, - "12885": msg15329, - "12886": msg15330, - "12887": msg15331, - "12888": msg15332, - "12889": msg15333, - "1289": select1181, - "12890": msg15334, - "12891": msg15335, - "12892": msg15336, - "12893": msg15337, - "12894": msg15338, - "12895": msg15339, - "12896": msg15340, - "12897": msg15341, - "12898": msg15342, - "12899": msg15343, - "129": select56, - "129-2": msg230, - "129-6": msg231, - "1290": select1182, - "12900": msg15344, - "12901": msg15345, - "12902": msg15346, - "12903": msg15347, - "12904": msg15348, - "12905": msg15349, - "12906": msg15350, - "12907": msg15351, - "12908": msg15352, - "12909": msg15353, - "1291": select1183, - "12910": msg15354, - "12911": msg15355, - "12912": msg15356, - "12913": msg15357, - "12914": msg15358, - "12915": msg15359, - "12916": msg15360, - "12917": msg15361, - "12918": msg15362, - "12919": msg15363, - "1292": select1184, - "12920": msg15364, - "12921": msg15365, - "12922": msg15366, - "12923": msg15367, - "12924": msg15368, - "12925": msg15369, - "12926": msg15370, - "12927": msg15371, - "12928": msg15372, - "12929": msg15373, - "1293": select1185, - "12930": msg15374, - "12931": msg15375, - "12932": msg15376, - "12933": msg15377, - "12934": msg15378, - "12935": msg15379, - "12936": msg15380, - "12937": msg15381, - "12938": msg15382, - "12939": msg15383, - "1294": select1186, - "12940": msg15384, - "12941": msg15385, - "12942": msg15386, - "12943": msg15387, - "12944": msg15388, - "12945": msg15389, - "12946": msg15390, - "12947": msg15391, - "12948": msg15392, - "12949": msg15393, - "1295": select1187, - "12950": msg15394, - "12951": msg15395, - "12952": msg15396, - "12953": msg15397, - "12954": msg15398, - "12955": msg15399, - "12956": msg15400, - "12957": msg15401, - "12958": msg15402, - "12959": msg15403, - "1296": select1188, - "12960": msg15404, - "12961": msg15405, - "12962": msg15406, - "12963": msg15407, - "12964": msg15408, - "12965": msg15409, - "12966": msg15410, - "12967": msg15411, - 
"12968": msg15412, - "12969": msg15413, - "1297": select1189, - "12970": msg15414, - "12971": msg15415, - "12972": msg15416, - "12973": msg15417, - "12974": msg15418, - "12975": msg15419, - "12976": msg15420, - "12977": msg15421, - "12978": msg15422, - "12979": msg15423, - "1298": select1190, - "12980": msg15424, - "12981": msg15425, - "12982": msg15426, - "12983": msg15427, - "12984": msg15428, - "12985": msg15429, - "12986": msg15430, - "12987": msg15431, - "12988": msg15432, - "12989": msg15433, - "1299": select1191, - "12990": msg15434, - "12991": msg15435, - "12992": msg15436, - "12993": msg15437, - "12994": msg15438, - "12995": msg15439, - "12996": msg15440, - "12997": msg15441, - "12998": msg15442, - "12999": msg15443, - "13": select15, - "130": select57, - "1300": select1192, - "13000": msg15444, - "13001": msg15445, - "13002": msg15446, - "13003": msg15447, - "13004": msg15448, - "13005": msg15449, - "13006": msg15450, - "13007": msg15451, - "13008": msg15452, - "13009": msg15453, - "1301": select1193, - "13010": msg15454, - "13011": msg15455, - "13012": msg15456, - "13013": msg15457, - "13014": msg15458, - "13015": msg15459, - "13016": msg15460, - "13017": msg15461, - "13018": msg15462, - "13019": msg15463, - "1302": select1194, - "13020": msg15464, - "13021": msg15465, - "13022": msg15466, - "13023": msg15467, - "13024": msg15468, - "13025": msg15469, - "13026": msg15470, - "13027": msg15471, - "13028": msg15472, - "13029": msg15473, - "1303": select1195, - "13030": msg15474, - "13031": msg15475, - "13032": msg15476, - "13033": msg15477, - "13034": msg15478, - "13035": msg15479, - "13036": msg15480, - "13037": msg15481, - "13038": msg15482, - "13039": msg15483, - "1304": select1196, - "13040": msg15484, - "13041": msg15485, - "13042": msg15486, - "13043": msg15487, - "13044": msg15488, - "13045": msg15489, - "13046": msg15490, - "13047": msg15491, - "13048": msg15492, - "13049": msg15493, - "1305": select1197, - "13050": msg15494, - "13051": msg15495, - 
"13052": msg15496, - "13053": msg15497, - "13054": msg15498, - "13055": msg15499, - "13056": msg15500, - "13057": msg15501, - "13058": msg15502, - "13059": msg15503, - "1306": select1198, - "13060": msg15504, - "13061": msg15505, - "13062": msg15506, - "13063": msg15507, - "13064": msg15508, - "13065": msg15509, - "13066": msg15510, - "13067": msg15511, - "13068": msg15512, - "13069": msg15513, - "1307": select1199, - "13070": msg15514, - "13071": msg15515, - "13072": msg15516, - "13073": msg15517, - "13074": msg15518, - "13075": msg15519, - "13076": msg15520, - "13077": msg15521, - "13078": msg15522, - "13079": msg15523, - "1308": select1200, - "13080": msg15524, - "13081": msg15525, - "13082": msg15526, - "13083": msg15527, - "13084": msg15528, - "13085": msg15529, - "13086": msg15530, - "13087": msg15531, - "13088": msg15532, - "13089": msg15533, - "1309": select1201, - "13090": msg15534, - "13091": msg15535, - "13092": msg15536, - "13093": msg15537, - "13094": msg15538, - "13095": msg15539, - "13096": msg15540, - "13097": msg15541, - "13098": msg15542, - "13099": msg15543, - "131": select58, - "131-3": msg236, - "1310": select1202, - "13100": msg15544, - "13101": msg15545, - "13102": msg15546, - "13103": msg15547, - "13104": msg15548, - "13105": msg15549, - "13106": msg15550, - "13107": msg15551, - "13108": msg15552, - "13109": msg15553, - "1311": select1203, - "13110": msg15554, - "13111": msg15555, - "13112": msg15556, - "13113": msg15557, - "13114": msg15558, - "13115": msg15559, - "13116": msg15560, - "13117": msg15561, - "13118": msg15562, - "13119": msg15563, - "1312": select1204, - "13120": msg15564, - "13121": msg15565, - "13122": msg15566, - "13123": msg15567, - "13124": msg15568, - "13125": msg15569, - "13126": msg15570, - "13127": msg15571, - "13128": msg15572, - "13129": msg15573, - "1313": select1205, - "13130": msg15574, - "13131": msg15575, - "13132": msg15576, - "13133": msg15577, - "13134": msg15578, - "13135": msg15579, - "13136": msg15580, - 
"13137": msg15581, - "13138": msg15582, - "13139": msg15583, - "1314": select1206, - "13140": msg15584, - "13141": msg15585, - "13142": msg15586, - "13143": msg15587, - "13144": msg15588, - "13145": msg15589, - "13146": msg15590, - "13147": msg15591, - "13148": msg15592, - "13149": msg15593, - "1315": select1207, - "13150": msg15594, - "13151": msg15595, - "13152": msg15596, - "13153": msg15597, - "13154": msg15598, - "13155": msg15599, - "13156": msg15600, - "13157": msg15601, - "13158": msg15602, - "13159": msg15603, - "1316": select1208, - "13160": msg15604, - "13161": msg15605, - "13162": msg15606, - "13163": msg15607, - "13164": msg15608, - "13165": msg15609, - "13166": msg15610, - "13167": msg15611, - "13168": msg15612, - "13169": msg15613, - "1317": select1209, - "13170": msg15614, - "13171": msg15615, - "13172": msg15616, - "13173": msg15617, - "13174": msg15618, - "13175": msg15619, - "13176": msg15620, - "13177": msg15621, - "13178": msg15622, - "13179": msg15623, - "1318": select1210, - "13180": msg15624, - "13181": msg15625, - "13182": msg15626, - "13183": msg15627, - "13184": msg15628, - "13185": msg15629, - "13186": msg15630, - "13187": msg15631, - "13188": msg15632, - "13189": msg15633, - "1319": select1211, - "13190": msg15634, - "13191": msg15635, - "13192": msg15636, - "13193": msg15637, - "13194": msg15638, - "13195": msg15639, - "13196": msg15640, - "13197": msg15641, - "13198": msg15642, - "13199": msg15643, - "132": select59, - "1320": select1212, - "13200": msg15644, - "13201": msg15645, - "13202": msg15646, - "13203": msg15647, - "13204": msg15648, - "13205": msg15649, - "13206": msg15650, - "13207": msg15651, - "13208": msg15652, - "13209": msg15653, - "1321": select1213, - "13210": msg15654, - "13211": msg15655, - "13212": msg15656, - "13213": msg15657, - "13214": msg15658, - "13215": msg15659, - "13216": msg15660, - "13217": msg15661, - "13218": msg15662, - "13219": msg15663, - "1322": select1214, - "13220": msg15664, - "13221": msg15665, 
- "13222": msg15666, - "13223": msg15667, - "13224": msg15668, - "13225": msg15669, - "13226": msg15670, - "13227": msg15671, - "13228": msg15672, - "13229": msg15673, - "1323": select1215, - "13230": msg15674, - "13231": msg15675, - "13232": msg15676, - "13233": msg15677, - "13234": msg15678, - "13235": msg15679, - "13236": msg15680, - "13237": msg15681, - "13238": msg15682, - "13239": msg15683, - "1324": select1216, - "13240": msg15684, - "13241": msg15685, - "13242": msg15686, - "13243": msg15687, - "13244": msg15688, - "13245": msg15689, - "13246": msg15690, - "13247": msg15691, - "13248": msg15692, - "13249": msg15693, - "1325": select1217, - "13250": msg15694, - "13251": msg15695, - "13252": msg15696, - "13253": msg15697, - "13254": msg15698, - "13255": msg15699, - "13256": msg15700, - "13257": msg15701, - "13258": msg15702, - "13259": msg15703, - "1326": select1218, - "13260": msg15704, - "13261": msg15705, - "13262": msg15706, - "13263": msg15707, - "13264": msg15708, - "13265": msg15709, - "13266": msg15710, - "13267": msg15711, - "13268": msg15712, - "13269": msg15713, - "1327": select1219, - "13270": msg15714, - "13271": msg15715, - "13272": msg15716, - "13273": msg15717, - "13274": msg15718, - "13275": msg15719, - "13276": msg15720, - "13277": msg15721, - "13278": msg15722, - "13279": msg15723, - "1328": select1220, - "13280": msg15724, - "13281": msg15725, - "13282": msg15726, - "13283": msg15727, - "13284": msg15728, - "13285": msg15729, - "13286": msg15730, - "13287": msg15731, - "13288": msg15732, - "13289": msg15733, - "1329": select1221, - "13290": msg15734, - "13291": msg15735, - "13292": msg15736, - "13293": msg15737, - "13294": msg15738, - "13295": msg15739, - "13296": msg15740, - "13297": msg15741, - "13298": msg15742, - "13299": msg15743, - "133": select60, - "1330": select1222, - "13300": msg15744, - "13301": msg15745, - "13302": msg15746, - "13303": msg15747, - "13304": msg15748, - "13305": msg15749, - "13306": msg15750, - "13307": 
msg15751, - "13308": msg15752, - "13309": msg15753, - "1331": select1223, - "13310": msg15754, - "13311": msg15755, - "13312": msg15756, - "13313": msg15757, - "13314": msg15758, - "13315": msg15759, - "13316": msg15760, - "13317": msg15761, - "13318": msg15762, - "13319": msg15763, - "1332": select1224, - "13320": msg15764, - "13321": msg15765, - "13322": msg15766, - "13323": msg15767, - "13324": msg15768, - "13325": msg15769, - "13326": msg15770, - "13327": msg15771, - "13328": msg15772, - "13329": msg15773, - "1333": select1225, - "13330": msg15774, - "13331": msg15775, - "13332": msg15776, - "13333": msg15777, - "13334": msg15778, - "13335": msg15779, - "13336": msg15780, - "13337": msg15781, - "13338": msg15782, - "13339": msg15783, - "1334": select1226, - "13340": msg15784, - "13341": msg15785, - "13342": msg15786, - "13343": msg15787, - "13344": msg15788, - "13345": msg15789, - "13346": msg15790, - "13347": msg15791, - "13348": msg15792, - "13349": msg15793, - "1335": select1227, - "13350": msg15794, - "13351": msg15795, - "13352": msg15796, - "13353": msg15797, - "13354": msg15798, - "13355": msg15799, - "13356": msg15800, - "13357": msg15801, - "13358": msg15802, - "13359": msg15803, - "1336": select1228, - "13360": msg15804, - "13361": msg15805, - "13362": msg15806, - "13363": msg15807, - "13364": msg15808, - "13365": msg15809, - "13366": msg15810, - "13367": msg15811, - "13368": msg15812, - "13369": msg15813, - "1337": select1229, - "13370": msg15814, - "13371": msg15815, - "13372": msg15816, - "13373": msg15817, - "13374": msg15818, - "13375": msg15819, - "13376": msg15820, - "13377": msg15821, - "13378": msg15822, - "13379": msg15823, - "1338": select1230, - "13380": msg15824, - "13381": msg15825, - "13382": msg15826, - "13383": msg15827, - "13384": msg15828, - "13385": msg15829, - "13386": msg15830, - "13387": msg15831, - "13388": msg15832, - "13389": msg15833, - "1339": select1231, - "13390": msg15834, - "13391": msg15835, - "13392": msg15836, - 
"13393": msg15837, - "13394": msg15838, - "13395": msg15839, - "13396": msg15840, - "13397": msg15841, - "13398": msg15842, - "13399": msg15843, - "134": select61, - "1340": select1232, - "13400": msg15844, - "13401": msg15845, - "13402": msg15846, - "13403": msg15847, - "13404": msg15848, - "13405": msg15849, - "13406": msg15850, - "13407": msg15851, - "13408": msg15852, - "13409": msg15853, - "1341": select1233, - "13410": msg15854, - "13411": msg15855, - "13412": msg15856, - "13413": msg15857, - "13414": msg15858, - "13415": msg15859, - "13416": msg15860, - "13417": msg15861, - "13418": msg15862, - "13419": msg15863, - "1342": select1234, - "13420": msg15864, - "13421": msg15865, - "13422": msg15866, - "13423": msg15867, - "13424": msg15868, - "13425": msg15869, - "13426": msg15870, - "13427": msg15871, - "13428": msg15872, - "13429": msg15873, - "1343": select1235, - "13430": msg15874, - "13431": msg15875, - "13432": msg15876, - "13433": msg15877, - "13434": msg15878, - "13435": msg15879, - "13436": msg15880, - "13437": msg15881, - "13438": msg15882, - "13439": msg15883, - "1344": select1236, - "13440": msg15884, - "13441": msg15885, - "13442": msg15886, - "13443": msg15887, - "13444": msg15888, - "13445": msg15889, - "13446": msg15890, - "13447": msg15891, - "13448": msg15892, - "13449": msg15893, - "1345": select1237, - "13450": msg15894, - "13451": msg15895, - "13452": msg15896, - "13453": msg15897, - "13454": msg15898, - "13455": msg15899, - "13456": msg15900, - "13457": msg15901, - "13458": msg15902, - "13459": msg15903, - "1346": select1238, - "13460": msg15904, - "13465": msg15905, - "13466": msg15906, - "13467": msg15907, - "13468": msg15908, - "13469": msg15909, - "1347": select1239, - "13470": msg15910, - "13471": msg15911, - "13472": msg15912, - "13473": msg15913, - "13474": msg15914, - "13475": msg15915, - "13476": msg15916, - "13477": msg15917, - "13478": msg15918, - "13479": msg15919, - "1348": select1240, - "13480": msg15920, - "13481": msg15921, 
- "13482": msg15922, - "13483": msg15923, - "13484": msg15924, - "13485": msg15925, - "13486": msg15926, - "13487": msg15927, - "13488": msg15928, - "13489": msg15929, - "1349": select1241, - "13490": msg15930, - "13491": msg15931, - "13492": msg15932, - "13493": msg15933, - "13494": msg15934, - "13495": msg15935, - "13496": msg15936, - "13497": msg15937, - "13498": msg15938, - "13499": msg15939, - "135": select62, - "1350": select1242, - "13500": msg15940, - "13501": msg15941, - "13502": msg15942, - "13503": msg15943, - "13504": msg15944, - "13505": msg15945, - "13506": msg15946, - "13507": msg15947, - "13508": msg15948, - "13509": msg15949, - "1351": select1243, - "13510": msg15950, - "13511": msg15951, - "13512": msg15952, - "13513": msg15953, - "13514": msg15954, - "13515": msg15955, - "13516": msg15956, - "13517": msg15957, - "13518": msg15958, - "13519": msg15959, - "1352": select1244, - "13520": msg15960, - "13521": msg15961, - "13522": msg15962, - "13523": msg15963, - "13524": msg15964, - "13525": msg15965, - "13526": msg15966, - "13527": msg15967, - "13528": msg15968, - "13529": msg15969, - "1353": select1245, - "13530": msg15970, - "13531": msg15971, - "13532": msg15972, - "13533": msg15973, - "13534": msg15974, - "13535": msg15975, - "13536": msg15976, - "13537": msg15977, - "13538": msg15978, - "13539": msg15979, - "1354": select1246, - "13540": msg15980, - "13541": msg15981, - "13542": msg15982, - "13543": msg15983, - "13544": msg15984, - "13545": msg15985, - "13546": msg15986, - "13547": msg15987, - "13548": msg15988, - "13549": msg15989, - "1355": select1247, - "13550": msg15990, - "13551": msg15991, - "13552": msg15992, - "13553": msg15993, - "13554": msg15994, - "13555": msg15995, - "13556": msg15996, - "13557": msg15997, - "13558": msg15998, - "13559": msg15999, - "1356": select1248, - "13560": msg16000, - "13561": msg16001, - "13562": msg16002, - "13563": msg16003, - "13564": msg16004, - "13565": msg16005, - "13566": msg16006, - "13567": 
msg16007, - "13568": msg16008, - "13569": msg16009, - "1357": select1249, - "13570": msg16010, - "13571": msg16011, - "13572": msg16012, - "13573": msg16013, - "1358": select1250, - "13580": msg16014, - "13581": msg16015, - "13582": msg16016, - "13583": msg16017, - "13584": msg16018, - "13585": select2440, - "13586": msg16021, - "13587": msg16022, - "13588": msg16023, - "13589": msg16024, - "1359": select1251, - "13590": msg16025, - "13591": msg16026, - "13592": msg16027, - "13593": select2441, - "13594": msg16030, - "13595": msg16031, - "13596": msg16032, - "13597": msg16033, - "13598": msg16034, - "13599": msg16035, - "136": select63, - "1360": select1252, - "13600": msg16036, - "13601": msg16037, - "13602": msg16038, - "13603": msg16039, - "13604": msg16040, - "13605": msg16041, - "13606": msg16042, - "13607": msg16043, - "13608": msg16044, - "13609": msg16045, - "1361": select1253, - "13610": msg16046, - "13611": msg16047, - "13612": msg16048, - "13613": msg16049, - "13614": msg16050, - "13615": msg16051, - "13616": msg16052, - "13617": msg16053, - "13618": msg16054, - "13619": msg16055, - "1362": select1254, - "13620": msg16056, - "13621": msg16057, - "13622": msg16058, - "13623": msg16059, - "13624": msg16060, - "13625": msg16061, - "13626": msg16062, - "13627": msg16063, - "13628": select2442, - "13629": msg16066, - "1363": select1255, - "13630": msg16067, - "13631": msg16068, - "13632": msg16069, - "13633": msg16070, - "13634": msg16071, - "13635": msg16072, - "13636": msg16073, - "13637": msg16074, - "13638": msg16075, - "13639": msg16076, - "1364": select1256, - "13640": msg16077, - "13641": msg16078, - "13642": msg16079, - "13643": msg16080, - "13644": msg16081, - "13645": msg16082, - "13646": msg16083, - "13647": msg16084, - "13648": msg16085, - "13649": msg16086, - "1365": select1257, - "13650": msg16087, - "13651": msg16088, - "13652": msg16089, - "13653": msg16090, - "13654": msg16091, - "13655": msg16092, - "13656": msg16093, - "13657": msg16094, - 
"13658": msg16095, - "13659": msg16096, - "1366": select1258, - "13660": msg16097, - "13661": msg16098, - "13662": msg16099, - "13663": msg16100, - "13664": msg16101, - "13665": msg16102, - "13666": msg16103, - "13667": msg16104, - "13668": msg16105, - "13669": msg16106, - "1367": select1259, - "13670": msg16107, - "13671": msg16108, - "13672": msg16109, - "13673": msg16110, - "13674": msg16111, - "13675": msg16112, - "13676": msg16113, - "13677": msg16114, - "13678": msg16115, - "13679": msg16116, - "1368": select1260, - "13680": msg16117, - "13681": msg16118, - "13682": msg16119, - "13683": msg16120, - "13684": msg16121, - "13685": msg16122, - "13686": msg16123, - "13687": msg16124, - "13688": msg16125, - "13689": msg16126, - "1369": select1261, - "13690": msg16127, - "13691": msg16128, - "13692": msg16129, - "13693": msg16130, - "13694": msg16131, - "13695": msg16132, - "13696": msg16133, - "13697": msg16134, - "13698": msg16135, - "13699": msg16136, - "137": select64, - "1370": select1262, - "13700": msg16137, - "13709": msg16138, - "1371": select1263, - "13710": msg16139, - "13711": msg16140, - "13712": msg16141, - "13713": msg16142, - "13714": msg16143, - "13715": msg16144, - "13716": msg16145, - "13717": msg16146, - "13718": msg16147, - "13719": msg16148, - "1372": select1264, - "13720": msg16149, - "13721": msg16150, - "13722": msg16151, - "13723": msg16152, - "13724": msg16153, - "13725": msg16154, - "13726": msg16155, - "13727": msg16156, - "13728": msg16157, - "13729": msg16158, - "1373": select1265, - "13730": msg16159, - "13731": msg16160, - "13732": msg16161, - "13733": msg16162, - "13734": msg16163, - "13735": msg16164, - "13736": msg16165, - "13737": msg16166, - "13738": msg16167, - "13739": msg16168, - "1374": select1266, - "13740": msg16169, - "13741": msg16170, - "13742": msg16171, - "13743": msg16172, - "13744": msg16173, - "13745": msg16174, - "13746": msg16175, - "13747": msg16176, - "13748": msg16177, - "13749": msg16178, - "1375": 
select1267, - "13750": msg16179, - "13751": msg16180, - "13752": msg16181, - "13753": msg16182, - "13754": msg16183, - "13755": msg16184, - "13756": msg16185, - "13757": msg16186, - "13758": msg16187, - "13759": msg16188, - "1376": select1268, - "13760": msg16189, - "13761": msg16190, - "13762": msg16191, - "13763": msg16192, - "13764": msg16193, - "13765": msg16194, - "13766": msg16195, - "13767": msg16196, - "13768": msg16197, - "13769": msg16198, - "1377": select1269, - "13770": msg16199, - "13771": msg16200, - "13772": msg16201, - "13773": msg16202, - "13774": msg16203, - "13775": msg16204, - "13776": msg16205, - "13777": msg16206, - "13778": msg16207, - "13779": msg16208, - "1378": select1270, - "13780": msg16209, - "13781": msg16210, - "13782": msg16211, - "13783": msg16212, - "13784": msg16213, - "13785": msg16214, - "13786": msg16215, - "13787": msg16216, - "13788": msg16217, - "13789": msg16218, - "1379": select1271, - "13790": msg16219, - "13791": msg16220, - "13797": msg16221, - "13798": msg16222, - "13799": msg16223, - "138": select65, - "1380": select1272, - "13800": msg16224, - "13801": msg16225, - "13802": msg16226, - "13803": msg16227, - "13804": msg16228, - "13805": msg16229, - "13806": msg16230, - "13807": msg16231, - "13808": msg16232, - "13809": msg16233, - "1381": select1273, - "13810": msg16234, - "13811": msg16235, - "13812": msg16236, - "13813": msg16237, - "13814": msg16238, - "13815": msg16239, - "13816": msg16240, - "13817": msg16241, - "13818": msg16242, - "13819": msg16243, - "1382": select1274, - "13820": msg16244, - "13821": msg16245, - "13822": msg16246, - "13823": msg16247, - "13824": msg16248, - "13825": msg16249, - "13826": msg16250, - "13827": msg16251, - "13828": msg16252, - "13829": msg16253, - "1383": select1275, - "13830": msg16254, - "13831": msg16255, - "13832": msg16256, - "13833": msg16257, - "13834": msg16258, - "13835": msg16259, - "13838": msg16260, - "13839": msg16261, - "1384": select1276, - "13840": msg16262, - 
"13841": msg16263, - "13842": msg16264, - "13843": msg16265, - "13844": msg16266, - "13845": msg16267, - "13846": msg16268, - "13847": msg16269, - "13848": msg16270, - "13849": msg16271, - "1385": select1277, - "13850": msg16272, - "13851": msg16273, - "13852": msg16274, - "13853": msg16275, - "13854": msg16276, - "13855": msg16277, - "13856": msg16278, - "13857": msg16279, - "13858": msg16280, - "13859": msg16281, - "1386": select1278, - "13860": msg16282, - "13861": msg16283, - "13862": msg16284, - "13863": msg16285, - "13864": msg16286, - "13865": msg16287, - "13866": msg16288, - "13867": msg16289, - "13868": msg16290, - "13869": msg16291, - "1387": select1279, - "13870": msg16292, - "13871": msg16293, - "13872": msg16294, - "13873": msg16295, - "13874": msg16296, - "13875": msg16297, - "13876": msg16298, - "13877": msg16299, - "13878": msg16300, - "13879": msg16301, - "1388": select1280, - "13880": msg16302, - "13881": msg16303, - "13882": msg16304, - "13883": msg16305, - "13884": msg16306, - "13885": msg16307, - "13886": msg16308, - "13887": msg16309, - "13888": msg16310, - "13889": msg16311, - "1389": select1281, - "13890": msg16312, - "13891": msg16313, - "13892": msg16314, - "13893": msg16315, - "13894": msg16316, - "13895": msg16317, - "13896": msg16318, - "13897": msg16319, - "13898": msg16320, - "13899": msg16321, - "1390": select1282, - "13900": msg16322, - "13901": msg16323, - "13902": msg16324, - "13903": msg16325, - "13904": msg16326, - "13905": msg16327, - "13906": msg16328, - "13907": msg16329, - "13908": msg16330, - "13909": msg16331, - "1391": select1283, - "13910": msg16332, - "13911": msg16333, - "13912": msg16334, - "13913": msg16335, - "13914": msg16336, - "13915": msg16337, - "13916": msg16338, - "13917": msg16339, - "13918": msg16340, - "13919": msg16341, - "1392": select1284, - "13920": msg16342, - "13921": msg16343, - "13922": msg16344, - "13923": msg16345, - "13924": msg16346, - "13925": msg16347, - "13926": msg16348, - "13927": 
msg16349, - "13928": msg16350, - "13929": msg16351, - "1393": select1285, - "13930": msg16352, - "13931": msg16353, - "13932": msg16354, - "13933": msg16355, - "13934": msg16356, - "13935": msg16357, - "13936": msg16358, - "13937": msg16359, - "13938": msg16360, - "13939": msg16361, - "1394": select1286, - "13940": msg16362, - "13941": msg16363, - "13942": msg16364, - "13943": msg16365, - "13944": msg16366, - "13945": msg16367, - "13946": msg16368, - "13947": msg16369, - "13948": msg16370, - "13949": msg16371, - "1395": select1287, - "13950": msg16372, - "13951": msg16373, - "13952": msg16374, - "13953": msg16375, - "13954": msg16376, - "13958": msg16377, - "1396": select1288, - "13960": msg16378, - "13961": msg16379, - "13962": msg16380, - "13963": msg16381, - "13964": msg16382, - "13965": msg16383, - "13966": msg16384, - "13967": msg16385, - "13968": msg16386, - "13969": msg16387, - "1397": select1289, - "13970": msg16388, - "13971": msg16389, - "13972": msg16390, - "13973": msg16391, - "13974": msg16392, - "13975": msg16393, - "13976": msg16394, - "13977": msg16395, - "13978": msg16396, - "13979": msg16397, - "1398": select1290, - "13980": msg16398, - "13981": msg16399, - "13982": msg16400, - "13983": msg16401, - "13984": msg16402, - "13985": msg16403, - "13986": msg16404, - "13987": msg16405, - "13988": msg16406, - "13989": msg16407, - "1399": select1291, - "13990": msg16408, - "13991": msg16409, - "13992": msg16410, - "13993": msg16411, - "13994": msg16412, - "13995": msg16413, - "13996": msg16414, - "13997": msg16415, - "13998": msg16416, - "13999": msg16417, - "14": msg40, - "140": select66, - "1400": select1292, - "14000": msg16418, - "14001": msg16419, - "14002": msg16420, - "14003": msg16421, - "14004": msg16422, - "14005": msg16423, - "14006": msg16424, - "14007": msg16425, - "14008": msg16426, - "1401": select1293, - "14013": msg16427, - "14014": msg16428, - "14015": msg16429, - "14016": msg16430, - "14017": msg16431, - "14018": msg16432, - "14019": 
msg16433, - "1402": select1294, - "14020": msg16434, - "14021": msg16435, - "14022": msg16436, - "14023": msg16437, - "14024": msg16438, - "14025": msg16439, - "14026": msg16440, - "14027": msg16441, - "14028": msg16442, - "14029": msg16443, - "1403": select1295, - "14030": msg16444, - "14031": msg16445, - "14032": msg16446, - "14033": msg16447, - "14034": msg16448, - "14035": msg16449, - "14036": msg16450, - "14037": msg16451, - "14038": msg16452, - "14039": msg16453, - "1404": select1296, - "14040": msg16454, - "14041": msg16455, - "14042": msg16456, - "14043": msg16457, - "14044": msg16458, - "14045": msg16459, - "14046": msg16460, - "14047": msg16461, - "14048": msg16462, - "14049": msg16463, - "1405": select1297, - "14050": msg16464, - "14051": msg16465, - "14052": msg16466, - "14053": msg16467, - "14054": msg16468, - "14055": msg16469, - "14056": msg16470, - "14057": msg16471, - "14058": msg16472, - "14059": msg16473, - "1406": select1298, - "14060": msg16474, - "14061": msg16475, - "14062": msg16476, - "14063": msg16477, - "14064": msg16478, - "14065": msg16479, - "14066": msg16480, - "14067": msg16481, - "14068": msg16482, - "14069": msg16483, - "1407": select1299, - "14070": msg16484, - "14071": msg16485, - "14072": msg16486, - "14073": msg16487, - "14074": msg16488, - "14075": msg16489, - "14076": msg16490, - "14077": msg16491, - "14078": msg16492, - "14079": msg16493, - "1408": select1300, - "14080": msg16494, - "14081": msg16495, - "14082": msg16496, - "14083": msg16497, - "14084": msg16498, - "14085": msg16499, - "14086": msg16500, - "14087": msg16501, - "14088": msg16502, - "14089": msg16503, - "1409": select1301, - "14090": msg16504, - "14091": msg16505, - "14092": msg16506, - "14093": msg16507, - "14094": msg16508, - "14095": msg16509, - "14096": msg16510, - "14097": msg16511, - "14098": msg16512, - "14099": msg16513, - "141": select67, - "1410": select1302, - "14100": msg16514, - "14101": msg16515, - "14102": msg16516, - "14103": msg16517, - 
"14104": msg16518, - "14105": msg16519, - "14106": msg16520, - "14107": msg16521, - "14108": msg16522, - "14109": msg16523, - "1411": select1303, - "14110": msg16524, - "14111": msg16525, - "14112": msg16526, - "14113": msg16527, - "14114": msg16528, - "14115": msg16529, - "14116": msg16530, - "14117": msg16531, - "14118": msg16532, - "14119": msg16533, - "1412": select1304, - "14120": msg16534, - "14121": msg16535, - "14122": msg16536, - "14123": msg16537, - "14124": msg16538, - "14125": msg16539, - "14126": msg16540, - "14127": msg16541, - "14128": msg16542, - "14129": msg16543, - "1413": select1305, - "14130": msg16544, - "14131": msg16545, - "14132": msg16546, - "14133": msg16547, - "14134": msg16548, - "14135": msg16549, - "14136": msg16550, - "14137": msg16551, - "14138": msg16552, - "14139": msg16553, - "1414": select1306, - "14140": msg16554, - "14141": msg16555, - "14142": msg16556, - "14143": msg16557, - "14144": msg16558, - "14145": msg16559, - "14146": msg16560, - "14147": msg16561, - "14148": msg16562, - "14149": msg16563, - "1415": select1307, - "14150": msg16564, - "14151": msg16565, - "14152": msg16566, - "14153": msg16567, - "14154": msg16568, - "14155": msg16569, - "14156": msg16570, - "14157": msg16571, - "14158": msg16572, - "14159": msg16573, - "1416": select1308, - "14160": msg16574, - "14161": msg16575, - "14162": msg16576, - "14163": msg16577, - "14164": msg16578, - "14165": msg16579, - "14166": msg16580, - "14167": msg16581, - "14168": msg16582, - "14169": msg16583, - "1417": select1309, - "14170": msg16584, - "14171": msg16585, - "14172": msg16586, - "14173": msg16587, - "14174": msg16588, - "14175": msg16589, - "14176": msg16590, - "14177": msg16591, - "14178": msg16592, - "14179": msg16593, - "1418": select1310, - "14180": msg16594, - "14181": msg16595, - "14182": msg16596, - "14183": msg16597, - "14184": msg16598, - "14185": msg16599, - "14186": msg16600, - "14187": msg16601, - "14188": msg16602, - "14189": msg16603, - "1419": 
select1311, - "14190": msg16604, - "14191": msg16605, - "14192": msg16606, - "14193": msg16607, - "14194": msg16608, - "14195": msg16609, - "14196": msg16610, - "14197": msg16611, - "14198": msg16612, - "14199": msg16613, - "142": select68, - "1420": select1312, - "14200": msg16614, - "14201": msg16615, - "14202": msg16616, - "14203": msg16617, - "14204": msg16618, - "14205": msg16619, - "14206": msg16620, - "14207": msg16621, - "14208": msg16622, - "14209": msg16623, - "1421": select1313, - "14210": msg16624, - "14211": msg16625, - "14212": msg16626, - "14213": msg16627, - "14214": msg16628, - "14215": msg16629, - "14216": msg16630, - "14217": msg16631, - "14218": msg16632, - "14219": msg16633, - "1422": select1314, - "14220": msg16634, - "14221": msg16635, - "14222": msg16636, - "14223": msg16637, - "14224": msg16638, - "14225": msg16639, - "14226": msg16640, - "14227": msg16641, - "14228": msg16642, - "14229": msg16643, - "1423": select1315, - "14230": msg16644, - "14231": msg16645, - "14232": msg16646, - "14233": msg16647, - "14234": msg16648, - "14235": msg16649, - "14236": msg16650, - "14237": msg16651, - "14238": msg16652, - "14239": msg16653, - "1424": select1316, - "14240": msg16654, - "14241": msg16655, - "14242": msg16656, - "14243": msg16657, - "14244": msg16658, - "14245": msg16659, - "14246": msg16660, - "14247": msg16661, - "14248": msg16662, - "14249": msg16663, - "1425": select1317, - "14250": msg16664, - "14251": msg16665, - "14252": msg16666, - "14253": msg16667, - "14254": msg16668, - "14255": msg16669, - "14256": msg16670, - "14257": msg16671, - "14258": msg16672, - "14259": msg16673, - "1426": select1318, - "14260": msg16674, - "14261": msg16675, - "14262": msg16676, - "14263": msg16677, - "14264": msg16678, - "14265": msg16679, - "14266": msg16680, - "14267": msg16681, - "14268": msg16682, - "14269": msg16683, - "1427": select1319, - "14270": msg16684, - "14271": msg16685, - "14272": msg16686, - "14273": msg16687, - "14274": msg16688, - 
"14275": msg16689, - "14276": msg16690, - "14277": msg16691, - "14278": msg16692, - "14279": msg16693, - "1428": select1320, - "14280": msg16694, - "14281": msg16695, - "14282": msg16696, - "14283": msg16697, - "14284": msg16698, - "14285": msg16699, - "14286": msg16700, - "14287": msg16701, - "14288": msg16702, - "14289": msg16703, - "1429": select1321, - "14290": msg16704, - "14291": msg16705, - "14292": msg16706, - "14293": msg16707, - "14294": msg16708, - "14295": msg16709, - "14296": msg16710, - "14297": msg16711, - "14298": msg16712, - "14299": msg16713, - "143": select69, - "1430": select1322, - "14300": msg16714, - "14301": msg16715, - "14302": msg16716, - "14303": msg16717, - "14304": msg16718, - "14305": msg16719, - "14306": msg16720, - "14307": msg16721, - "14308": msg16722, - "14309": msg16723, - "1431": select1323, - "14310": msg16724, - "14311": msg16725, - "14312": msg16726, - "14313": msg16727, - "14314": msg16728, - "14315": msg16729, - "14316": msg16730, - "14317": msg16731, - "14318": msg16732, - "14319": msg16733, - "1432": select1324, - "14320": msg16734, - "14321": msg16735, - "14322": msg16736, - "14323": msg16737, - "14324": msg16738, - "14325": msg16739, - "14326": msg16740, - "14327": msg16741, - "14328": msg16742, - "14329": msg16743, - "1433": select1325, - "14330": msg16744, - "14331": msg16745, - "14332": msg16746, - "14333": msg16747, - "14334": msg16748, - "14335": msg16749, - "14336": msg16750, - "14337": msg16751, - "14338": msg16752, - "14339": msg16753, - "1434": select1326, - "14340": msg16754, - "14341": msg16755, - "14342": msg16756, - "14343": msg16757, - "14344": msg16758, - "14345": msg16759, - "14346": msg16760, - "14347": msg16761, - "14348": msg16762, - "14349": msg16763, - "1435": select1327, - "14350": msg16764, - "14351": msg16765, - "14352": msg16766, - "14353": msg16767, - "14354": msg16768, - "14355": msg16769, - "14356": msg16770, - "14357": msg16771, - "14358": msg16772, - "14359": msg16773, - "1436": select1328, 
- "14360": msg16774, - "14361": msg16775, - "14362": msg16776, - "14363": msg16777, - "14364": msg16778, - "14365": msg16779, - "14366": msg16780, - "14367": msg16781, - "14368": msg16782, - "14369": msg16783, - "1437": select1329, - "14370": msg16784, - "14371": msg16785, - "14372": msg16786, - "14373": msg16787, - "14374": msg16788, - "14375": msg16789, - "14376": msg16790, - "14377": msg16791, - "14378": msg16792, - "14379": msg16793, - "1438": select1330, - "14380": msg16794, - "14381": msg16795, - "14382": msg16796, - "14383": msg16797, - "14384": msg16798, - "14385": msg16799, - "14386": msg16800, - "14387": msg16801, - "14388": msg16802, - "14389": msg16803, - "1439": select1331, - "14390": msg16804, - "14391": msg16805, - "14392": msg16806, - "14393": msg16807, - "14394": msg16808, - "14395": msg16809, - "14396": msg16810, - "14397": msg16811, - "14398": msg16812, - "14399": msg16813, - "144": select70, - "1440": select1332, - "14400": msg16814, - "14401": msg16815, - "14402": msg16816, - "14403": msg16817, - "14404": msg16818, - "14405": msg16819, - "14406": msg16820, - "14407": msg16821, - "14408": msg16822, - "14409": msg16823, - "1441": select1333, - "14410": msg16824, - "14411": msg16825, - "14412": msg16826, - "14413": msg16827, - "14414": msg16828, - "14415": msg16829, - "14416": msg16830, - "14417": msg16831, - "14418": msg16832, - "14419": msg16833, - "1442": select1334, - "14420": msg16834, - "14421": msg16835, - "14422": msg16836, - "14423": msg16837, - "14424": msg16838, - "14425": msg16839, - "14426": msg16840, - "14427": msg16841, - "14428": msg16842, - "14429": msg16843, - "1443": select1335, - "14430": msg16844, - "14431": msg16845, - "14432": msg16846, - "14433": msg16847, - "14434": msg16848, - "14435": msg16849, - "14436": msg16850, - "14437": msg16851, - "14438": msg16852, - "14439": msg16853, - "1444": select1336, - "14440": msg16854, - "14441": msg16855, - "14442": msg16856, - "14443": msg16857, - "14444": msg16858, - "14445": 
msg16859, - "14446": msg16860, - "14447": msg16861, - "14448": msg16862, - "14449": msg16863, - "1445": select1337, - "14450": msg16864, - "14451": msg16865, - "14452": msg16866, - "14453": msg16867, - "14454": msg16868, - "14455": msg16869, - "14456": msg16870, - "14457": msg16871, - "14458": msg16872, - "14459": msg16873, - "1446": select1338, - "14460": msg16874, - "14461": msg16875, - "14462": msg16876, - "14463": msg16877, - "14464": msg16878, - "14465": msg16879, - "14466": msg16880, - "14467": msg16881, - "14468": msg16882, - "14469": msg16883, - "1447": select1339, - "14470": msg16884, - "14471": msg16885, - "14472": msg16886, - "14473": msg16887, - "14474": msg16888, - "14475": msg16889, - "14476": msg16890, - "14477": msg16891, - "14478": msg16892, - "14479": msg16893, - "1448": select1340, - "14480": msg16894, - "14481": msg16895, - "14482": msg16896, - "14483": msg16897, - "14484": msg16898, - "14485": msg16899, - "14486": msg16900, - "14487": msg16901, - "14488": msg16902, - "14489": msg16903, - "1449": select1341, - "14490": msg16904, - "14491": msg16905, - "14492": msg16906, - "14493": msg16907, - "14494": msg16908, - "14495": msg16909, - "14496": msg16910, - "14497": msg16911, - "14498": msg16912, - "14499": msg16913, - "145": select71, - "1450": select1342, - "14500": msg16914, - "14501": msg16915, - "14502": msg16916, - "14503": msg16917, - "14504": msg16918, - "14505": msg16919, - "14506": msg16920, - "14507": msg16921, - "14508": msg16922, - "14509": msg16923, - "1451": select1343, - "14510": msg16924, - "14511": msg16925, - "14512": msg16926, - "14513": msg16927, - "14514": msg16928, - "14515": msg16929, - "14516": msg16930, - "14517": msg16931, - "14518": msg16932, - "14519": msg16933, - "1452": select1344, - "14520": msg16934, - "14521": msg16935, - "14522": msg16936, - "14523": msg16937, - "14524": msg16938, - "14525": msg16939, - "14526": msg16940, - "14527": msg16941, - "14528": msg16942, - "14529": msg16943, - "1453": select1345, - 
"14530": msg16944, - "14531": msg16945, - "14532": msg16946, - "14533": msg16947, - "14534": msg16948, - "14535": msg16949, - "14536": msg16950, - "14537": msg16951, - "14538": msg16952, - "14539": msg16953, - "1454": select1346, - "14540": msg16954, - "14541": msg16955, - "14542": msg16956, - "14543": msg16957, - "14544": msg16958, - "14545": msg16959, - "14546": msg16960, - "14547": msg16961, - "14548": msg16962, - "14549": msg16963, - "1455": select1347, - "14550": msg16964, - "14551": msg16965, - "14552": msg16966, - "14553": msg16967, - "14554": msg16968, - "14555": msg16969, - "14556": msg16970, - "14557": msg16971, - "14558": msg16972, - "14559": msg16973, - "1456": select1348, - "14560": msg16974, - "14561": msg16975, - "14562": msg16976, - "14563": msg16977, - "14564": msg16978, - "14565": msg16979, - "14566": msg16980, - "14567": msg16981, - "14568": msg16982, - "14569": msg16983, - "1457": select1349, - "14570": msg16984, - "14571": msg16985, - "14572": msg16986, - "14573": msg16987, - "14574": msg16988, - "14575": msg16989, - "14576": msg16990, - "14577": msg16991, - "14578": msg16992, - "14579": msg16993, - "1458": select1350, - "14580": msg16994, - "14581": msg16995, - "14582": msg16996, - "14583": msg16997, - "14584": msg16998, - "14585": msg16999, - "14586": msg17000, - "14587": msg17001, - "14588": msg17002, - "14589": msg17003, - "1459": select1351, - "14590": msg17004, - "14591": msg17005, - "14592": msg17006, - "14593": msg17007, - "14594": msg17008, - "14595": msg17009, - "14596": msg17010, - "14597": msg17011, - "14598": msg17012, - "14599": msg17013, - "146": select72, - "1460": select1352, - "14600": msg17014, - "14601": msg17015, - "14602": msg17016, - "14603": msg17017, - "14604": msg17018, - "14605": msg17019, - "14606": msg17020, - "14607": msg17021, - "14608": msg17022, - "14609": msg17023, - "1461": select1353, - "14610": msg17024, - "14611": msg17025, - "14612": msg17026, - "14613": msg17027, - "14614": msg17028, - "14615": msg17029, 
- "14616": msg17030, - "14617": msg17031, - "14618": msg17032, - "14619": msg17033, - "1462": select1354, - "14620": msg17034, - "14621": msg17035, - "14622": msg17036, - "14623": msg17037, - "14624": msg17038, - "14625": msg17039, - "14626": msg17040, - "14627": msg17041, - "14628": msg17042, - "14629": msg17043, - "1463": select1355, - "14630": msg17044, - "14631": msg17045, - "14632": msg17046, - "14633": msg17047, - "14634": msg17048, - "14635": msg17049, - "14636": msg17050, - "14637": msg17051, - "14638": msg17052, - "14639": msg17053, - "1464": select1356, - "14640": msg17054, - "14641": msg17055, - "14642": msg17056, - "14643": msg17057, - "14644": msg17058, - "14645": msg17059, - "14646": msg17060, - "14647": msg17061, - "14648": msg17062, - "14649": msg17063, - "1465": select1357, - "14650": msg17064, - "14651": msg17065, - "14652": msg17066, - "14653": msg17067, - "14654": msg17068, - "14655": msg17069, - "14656": msg17070, - "14657": msg17071, - "1466": select1358, - "14661": msg17072, - "14662": msg17073, - "14663": msg17074, - "14664": msg17075, - "14665": msg17076, - "14666": msg17077, - "14667": msg17078, - "14668": msg17079, - "14669": msg17080, - "1467": select1359, - "14670": msg17081, - "14671": msg17082, - "14672": msg17083, - "14673": msg17084, - "14674": msg17085, - "14675": msg17086, - "14676": msg17087, - "14677": msg17088, - "14678": msg17089, - "14679": msg17090, - "1468": select1360, - "14680": msg17091, - "14681": msg17092, - "14682": msg17093, - "14683": msg17094, - "14684": msg17095, - "14685": msg17096, - "14686": msg17097, - "14687": msg17098, - "14688": msg17099, - "14689": msg17100, - "1469": select1361, - "14690": msg17101, - "14691": msg17102, - "14692": msg17103, - "14693": msg17104, - "14694": msg17105, - "14695": msg17106, - "14696": msg17107, - "14697": msg17108, - "14698": msg17109, - "14699": msg17110, - "147": select73, - "1470": select1362, - "14700": msg17111, - "14701": msg17112, - "14702": msg17113, - "14703": 
msg17114, - "14704": msg17115, - "14705": msg17116, - "14706": msg17117, - "14707": msg17118, - "14708": msg17119, - "14709": msg17120, - "1471": select1363, - "14710": msg17121, - "14711": msg17122, - "14712": msg17123, - "14713": msg17124, - "14714": msg17125, - "14715": msg17126, - "14716": msg17127, - "14717": msg17128, - "14718": msg17129, - "14719": msg17130, - "1472": select1364, - "14720": msg17131, - "14721": msg17132, - "14722": msg17133, - "14723": msg17134, - "14724": msg17135, - "14725": msg17136, - "14726": msg17137, - "14727": msg17138, - "14728": msg17139, - "14729": msg17140, - "1473": select1365, - "14730": msg17141, - "14731": msg17142, - "14732": msg17143, - "14733": msg17144, - "14734": msg17145, - "14735": msg17146, - "14736": msg17147, - "14737": msg17148, - "14738": msg17149, - "14739": msg17150, - "1474": select1366, - "14740": msg17151, - "14741": msg17152, - "14742": msg17153, - "14743": msg17154, - "14744": msg17155, - "14745": msg17156, - "14746": msg17157, - "14747": msg17158, - "14748": msg17159, - "14749": msg17160, - "1475": select1367, - "14750": msg17161, - "14751": msg17162, - "14752": msg17163, - "14753": msg17164, - "14754": msg17165, - "14755": msg17166, - "14756": msg17167, - "14757": msg17168, - "14758": msg17169, - "14759": msg17170, - "1476": select1368, - "14760": msg17171, - "14761": msg17172, - "14762": msg17173, - "14763": msg17174, - "14764": msg17175, - "14765": msg17176, - "14766": msg17177, - "14767": msg17178, - "14768": msg17179, - "14769": msg17180, - "1477": select1369, - "14770": msg17181, - "14771": msg17182, - "14772": msg17183, - "14773": msg17184, - "14774": msg17185, - "14775": msg17186, - "14776": msg17187, - "14777": msg17188, - "14778": msg17189, - "14779": msg17190, - "1478": select1370, - "14780": msg17191, - "14781": msg17192, - "14782": msg17193, - "14783": msg17194, - "14784": msg17195, - "14785": msg17196, - "14786": msg17197, - "14787": msg17198, - "14788": msg17199, - "14789": msg17200, - 
"1479": select1371, - "14790": msg17201, - "14791": msg17202, - "14792": msg17203, - "14793": msg17204, - "14794": msg17205, - "14795": msg17206, - "14796": msg17207, - "14797": msg17208, - "14798": msg17209, - "14799": msg17210, - "148": select74, - "1480": select1372, - "14800": msg17211, - "14801": msg17212, - "14802": msg17213, - "14803": msg17214, - "14804": msg17215, - "14805": msg17216, - "14806": msg17217, - "14807": msg17218, - "14808": msg17219, - "14809": msg17220, - "1481": select1373, - "14810": msg17221, - "14811": msg17222, - "14812": msg17223, - "14813": msg17224, - "14814": msg17225, - "14815": msg17226, - "14816": msg17227, - "14817": msg17228, - "14818": msg17229, - "14819": msg17230, - "1482": select1374, - "14820": msg17231, - "14821": msg17232, - "14822": msg17233, - "14823": msg17234, - "14824": msg17235, - "14825": msg17236, - "14826": msg17237, - "14827": msg17238, - "14828": msg17239, - "14829": msg17240, - "1483": select1375, - "14830": msg17241, - "14831": msg17242, - "14832": msg17243, - "14833": msg17244, - "14834": msg17245, - "14835": msg17246, - "14836": msg17247, - "14837": msg17248, - "14838": msg17249, - "14839": msg17250, - "1484": select1376, - "14840": msg17251, - "14841": msg17252, - "14842": msg17253, - "14843": msg17254, - "14844": msg17255, - "14845": msg17256, - "14846": msg17257, - "14847": msg17258, - "14848": msg17259, - "14849": msg17260, - "1485": select1377, - "14850": msg17261, - "14851": msg17262, - "14852": msg17263, - "14853": msg17264, - "14854": msg17265, - "14855": msg17266, - "14856": msg17267, - "14857": msg17268, - "14858": msg17269, - "14859": msg17270, - "1486": select1378, - "14860": msg17271, - "14861": msg17272, - "14862": msg17273, - "14863": msg17274, - "14864": msg17275, - "14865": msg17276, - "14866": msg17277, - "14867": msg17278, - "14868": msg17279, - "14869": msg17280, - "1487": select1379, - "14870": msg17281, - "14871": msg17282, - "1488": select1380, - "1489": select1381, - "14896": 
msg17283, - "14897": msg17284, - "14898": msg17285, - "14899": msg17286, - "149": select75, - "1490": select1382, - "14900": msg17287, - "1491": select1383, - "1492": select1384, - "1493": select1385, - "1494": select1386, - "1495": select1387, - "1496": select1388, - "1497": select1389, - "1498": select1390, - "14986": msg17288, - "14987": msg17289, - "14988": msg17290, - "14989": msg17291, - "1499": select1391, - "14990": msg17292, - "14991": msg17293, - "14992": msg17294, - "14993": msg17295, - "14994": msg17296, - "14995": msg17297, - "14996": msg17298, - "14997": msg17299, - "14998": msg17300, - "14999": msg17301, - "15": select16, - "150": select76, - "1500": select1392, - "15000": msg17302, - "15001": msg17303, - "15002": msg17304, - "15003": msg17305, - "15004": msg17306, - "15005": msg17307, - "15006": msg17308, - "15007": msg17309, - "15008": msg17310, - "15009": msg17311, - "1501": select1393, - "15010": msg17312, - "15011": msg17313, - "15012": msg17314, - "15013": msg17315, - "15014": msg17316, - "15015": msg17317, - "15016": msg17318, - "15017": msg17319, - "15018": msg17320, - "15019": msg17321, - "1502": select1394, - "15020": msg17322, - "15021": msg17323, - "15022": msg17324, - "15023": msg17325, - "15024": msg17326, - "15025": msg17327, - "15026": msg17328, - "15027": msg17329, - "15028": msg17330, - "15029": msg17331, - "1503": select1395, - "15030": msg17332, - "15031": msg17333, - "15032": msg17334, - "15033": msg17335, - "15034": msg17336, - "15035": msg17337, - "15036": msg17338, - "15037": msg17339, - "15038": msg17340, - "15039": msg17341, - "1504": select1396, - "15040": msg17342, - "15041": msg17343, - "15042": msg17344, - "15043": msg17345, - "15044": msg17346, - "15045": msg17347, - "15046": msg17348, - "15047": msg17349, - "15048": msg17350, - "15049": msg17351, - "1505": select1397, - "15050": msg17352, - "15051": msg17353, - "15052": msg17354, - "15053": msg17355, - "15054": msg17356, - "15055": msg17357, - "15056": msg17358, - 
"15057": msg17359, - "15058": msg17360, - "15059": msg17361, - "1506": select1398, - "15060": msg17362, - "15061": msg17363, - "15062": msg17364, - "15063": msg17365, - "15064": msg17366, - "15065": msg17367, - "15066": msg17368, - "15067": msg17369, - "15068": msg17370, - "15069": msg17371, - "1507": select1399, - "15070": msg17372, - "15071": msg17373, - "15072": msg17374, - "15073": msg17375, - "15074": msg17376, - "15075": msg17377, - "15076": msg17378, - "15077": msg17379, - "15078": msg17380, - "15079": msg17381, - "1508": select1400, - "15080": msg17382, - "15081": msg17383, - "15082": msg17384, - "15083": msg17385, - "15084": msg17386, - "15085": msg17387, - "15086": msg17388, - "15087": msg17389, - "15088": msg17390, - "15089": msg17391, - "1509": select1401, - "15090": msg17392, - "15091": msg17393, - "15092": msg17394, - "15093": msg17395, - "15094": msg17396, - "15095": msg17397, - "15096": msg17398, - "15097": msg17399, - "15098": msg17400, - "15099": msg17401, - "151": select77, - "1510": select1402, - "15100": msg17402, - "15101": msg17403, - "15102": msg17404, - "15103": msg17405, - "15104": msg17406, - "15105": msg17407, - "15106": msg17408, - "15107": msg17409, - "15108": msg17410, - "15109": msg17411, - "1511": select1403, - "15110": msg17412, - "15111": msg17413, - "15112": msg17414, - "15113": msg17415, - "15114": msg17416, - "15115": msg17417, - "15116": msg17418, - "15117": msg17419, - "15118": msg17420, - "15119": msg17421, - "1512": select1404, - "15120": msg17422, - "15121": msg17423, - "15122": msg17424, - "15123": msg17425, - "15124": msg17426, - "15125": msg17427, - "15126": msg17428, - "15127": msg17429, - "15128": msg17430, - "15129": msg17431, - "1513": select1405, - "15130": msg17432, - "15131": msg17433, - "15132": msg17434, - "15133": msg17435, - "15134": msg17436, - "15135": msg17437, - "15136": msg17438, - "15137": msg17439, - "15138": msg17440, - "15139": msg17441, - "1514": select1406, - "15140": msg17442, - "15141": msg17443, 
- "15142": msg17444, - "15143": msg17445, - "15144": msg17446, - "15145": msg17447, - "15146": msg17448, - "15147": msg17449, - "15148": msg17450, - "15149": msg17451, - "1515": select1407, - "15150": msg17452, - "15151": msg17453, - "15152": msg17454, - "15153": msg17455, - "15154": msg17456, - "15155": msg17457, - "15156": msg17458, - "15157": msg17459, - "15158": msg17460, - "15159": msg17461, - "1516": select1408, - "15160": msg17462, - "15161": msg17463, - "15162": msg17464, - "15163": msg17465, - "15164": msg17466, - "15165": msg17467, - "15166": msg17468, - "15167": msg17469, - "15168": msg17470, - "15169": msg17471, - "1517": select1409, - "15170": msg17472, - "15171": msg17473, - "15172": msg17474, - "15173": msg17475, - "15174": msg17476, - "15175": msg17477, - "15176": msg17478, - "15177": msg17479, - "15178": msg17480, - "15179": msg17481, - "1518": select1410, - "15180": msg17482, - "15181": msg17483, - "15182": msg17484, - "15183": msg17485, - "15184": msg17486, - "15185": msg17487, - "15186": msg17488, - "15187": msg17489, - "15188": msg17490, - "15189": msg17491, - "1519": select1411, - "15190": msg17492, - "15191": msg17493, - "15192": msg17494, - "15193": msg17495, - "15194": msg17496, - "15195": msg17497, - "15196": msg17498, - "15197": msg17499, - "15198": msg17500, - "15199": msg17501, - "152": select78, - "1520": select1412, - "15200": msg17502, - "15201": msg17503, - "15202": msg17504, - "15203": msg17505, - "15204": msg17506, - "15205": msg17507, - "15206": msg17508, - "15207": msg17509, - "15208": msg17510, - "15209": msg17511, - "1521": select1413, - "15210": msg17512, - "15211": msg17513, - "15212": msg17514, - "15213": msg17515, - "15214": msg17516, - "15215": msg17517, - "15216": msg17518, - "15217": msg17519, - "15218": msg17520, - "15219": msg17521, - "1522": select1414, - "15220": msg17522, - "15221": msg17523, - "15222": msg17524, - "15223": msg17525, - "15224": msg17526, - "15225": msg17527, - "15226": msg17528, - "15227": 
msg17529, - "15228": msg17530, - "15229": msg17531, - "1523": select1415, - "15230": msg17532, - "15231": msg17533, - "15232": msg17534, - "15233": msg17535, - "15234": msg17536, - "15235": msg17537, - "15236": msg17538, - "15237": msg17539, - "15238": msg17540, - "15239": msg17541, - "1524": select1416, - "15240": msg17542, - "15241": msg17543, - "15242": msg17544, - "15243": msg17545, - "15244": msg17546, - "15245": msg17547, - "15246": msg17548, - "15247": msg17549, - "15248": msg17550, - "15249": msg17551, - "1525": select1417, - "15250": msg17552, - "15251": msg17553, - "15252": msg17554, - "15253": msg17555, - "15254": msg17556, - "15255": msg17557, - "15256": msg17558, - "15257": msg17559, - "15258": msg17560, - "15259": msg17561, - "1526": select1418, - "15260": msg17562, - "15261": msg17563, - "15262": msg17564, - "15263": msg17565, - "15264": msg17566, - "15265": msg17567, - "15266": msg17568, - "15267": msg17569, - "15268": msg17570, - "15269": msg17571, - "1527": select1419, - "15270": msg17572, - "15271": msg17573, - "15272": msg17574, - "15273": msg17575, - "15274": msg17576, - "15275": msg17577, - "15276": msg17578, - "15277": msg17579, - "15278": msg17580, - "15279": msg17581, - "1528": select1420, - "15280": msg17582, - "15281": msg17583, - "15282": msg17584, - "15283": msg17585, - "15284": msg17586, - "15285": msg17587, - "15286": msg17588, - "15287": msg17589, - "15288": msg17590, - "15289": msg17591, - "1529": select1421, - "15290": msg17592, - "15291": msg17593, - "15292": msg17594, - "15293": msg17595, - "15294": msg17596, - "15295": msg17597, - "15296": msg17598, - "15297": msg17599, - "15298": msg17600, - "15299": msg17601, - "153": select79, - "1530": select1422, - "15300": msg17602, - "15301": msg17603, - "15302": msg17604, - "15303": msg17605, - "15304": msg17606, - "15305": msg17607, - "15306": msg17608, - "15307": msg17609, - "15308": msg17610, - "15309": msg17611, - "1531": select1423, - "15310": msg17612, - "15311": msg17613, - 
"15312": msg17614, - "15313": msg17615, - "15314": msg17616, - "15315": msg17617, - "15316": msg17618, - "15317": msg17619, - "15318": msg17620, - "15319": msg17621, - "1532": select1424, - "15320": msg17622, - "15321": msg17623, - "15322": msg17624, - "15323": msg17625, - "15324": msg17626, - "15325": msg17627, - "15326": msg17628, - "15327": msg17629, - "15328": msg17630, - "15329": msg17631, - "1533": select1425, - "15330": msg17632, - "15331": msg17633, - "15332": msg17634, - "15333": msg17635, - "15334": msg17636, - "15335": msg17637, - "15336": msg17638, - "15337": msg17639, - "15338": msg17640, - "15339": msg17641, - "1534": select1426, - "15340": msg17642, - "15341": msg17643, - "15342": msg17644, - "15343": msg17645, - "15344": msg17646, - "15345": msg17647, - "15346": msg17648, - "15347": msg17649, - "15348": msg17650, - "15349": msg17651, - "1535": select1427, - "15350": msg17652, - "15351": msg17653, - "15352": msg17654, - "15353": msg17655, - "15354": msg17656, - "15355": msg17657, - "15356": msg17658, - "15357": msg17659, - "15358": msg17660, - "15359": msg17661, - "1536": select1428, - "15360": msg17662, - "15361": msg17663, - "15362": msg17664, - "15363": msg17665, - "15364": msg17666, - "15365": msg17667, - "15366": msg17668, - "15367": msg17669, - "15368": msg17670, - "15369": msg17671, - "1537": select1429, - "15370": msg17672, - "15371": msg17673, - "15372": msg17674, - "15373": msg17675, - "15374": msg17676, - "15375": msg17677, - "15376": msg17678, - "15377": msg17679, - "15378": msg17680, - "15379": msg17681, - "1538": select1430, - "15380": msg17682, - "15381": msg17683, - "15382": msg17684, - "15383": msg17685, - "15384": msg17686, - "15385": msg17687, - "15386": msg17688, - "15387": msg17689, - "15388": msg17690, - "15389": msg17691, - "1539": select1431, - "15390": msg17692, - "15391": msg17693, - "15392": msg17694, - "15393": msg17695, - "15394": msg17696, - "15395": msg17697, - "15396": msg17698, - "15397": msg17699, - "15398": 
msg17700, - "15399": msg17701, - "154": select80, - "1540": select1432, - "15400": msg17702, - "15401": msg17703, - "15402": msg17704, - "15403": msg17705, - "15404": msg17706, - "15405": msg17707, - "15406": msg17708, - "15407": msg17709, - "15408": msg17710, - "15409": msg17711, - "1541": select1433, - "15410": msg17712, - "15411": msg17713, - "15412": msg17714, - "15413": msg17715, - "15414": msg17716, - "15415": msg17717, - "15416": msg17718, - "15417": msg17719, - "15418": msg17720, - "1542": select1434, - "15420": msg17721, - "15421": msg17722, - "15422": msg17723, - "15423": msg17724, - "15424": msg17725, - "15425": msg17726, - "15426": msg17727, - "15427": msg17728, - "15428": msg17729, - "15429": msg17730, - "1543": select1435, - "15430": msg17731, - "15431": msg17732, - "15432": msg17733, - "15433": msg17734, - "15434": msg17735, - "15435": msg17736, - "15436": msg17737, - "15437": msg17738, - "15438": msg17739, - "15439": msg17740, - "1544": select1436, - "15440": msg17741, - "15441": msg17742, - "15442": msg17743, - "15443": msg17744, - "15444": msg17745, - "15445": msg17746, - "15446": msg17747, - "15447": msg17748, - "15448": msg17749, - "15449": msg17750, - "1545": select1437, - "15450": msg17751, - "15451": msg17752, - "15452": msg17753, - "15453": msg17754, - "15454": msg17755, - "15455": msg17756, - "15456": msg17757, - "15457": msg17758, - "15458": msg17759, - "15459": msg17760, - "1546": select1438, - "15460": msg17761, - "15461": msg17762, - "15462": msg17763, - "15463": msg17764, - "15464": msg17765, - "15465": msg17766, - "15466": msg17767, - "15467": msg17768, - "15468": msg17769, - "15469": msg17770, - "1547": select1439, - "15470": msg17771, - "15471": msg17772, - "15472": msg17773, - "15473": msg17774, - "15474": msg17775, - "15475": msg17776, - "15476": msg17777, - "15477": msg17778, - "15478": msg17779, - "15479": msg17780, - "1548": select1440, - "15480": msg17781, - "15481": msg17782, - "15482": msg17783, - "15483": msg17784, - 
"15484": msg17785, - "15485": msg17786, - "15486": msg17787, - "15487": msg17788, - "15488": msg17789, - "15489": msg17790, - "1549": select1441, - "15490": msg17791, - "15491": msg17792, - "15492": msg17793, - "15493": msg17794, - "15494": msg17795, - "15495": msg17796, - "15496": msg17797, - "15497": msg17798, - "15498": msg17799, - "15499": msg17800, - "155": select81, - "1550": select1442, - "15500": msg17801, - "15501": msg17802, - "15502": msg17803, - "15503": msg17804, - "15504": msg17805, - "15505": msg17806, - "15506": msg17807, - "15507": msg17808, - "15508": msg17809, - "15509": msg17810, - "1551": select1443, - "15510": msg17811, - "15511": msg17812, - "15512": msg17813, - "15513": msg17814, - "15514": msg17815, - "15515": msg17816, - "15516": msg17817, - "15517": msg17818, - "15518": msg17819, - "15519": msg17820, - "1552": select1444, - "15520": msg17821, - "15521": msg17822, - "15522": msg17823, - "15523": msg17824, - "15524": msg17825, - "15525": msg17826, - "15526": msg17827, - "15527": msg17828, - "15528": msg17829, - "15529": msg17830, - "1553": select1445, - "15530": msg17831, - "15531": msg17832, - "15532": msg17833, - "15533": msg17834, - "15534": msg17835, - "15535": msg17836, - "15536": msg17837, - "15537": msg17838, - "15538": msg17839, - "15539": msg17840, - "1554": select1446, - "15540": msg17841, - "15541": msg17842, - "15542": msg17843, - "15543": msg17844, - "15544": msg17845, - "15545": msg17846, - "15546": msg17847, - "15547": msg17848, - "15548": msg17849, - "15549": msg17850, - "1555": select1447, - "15550": msg17851, - "15551": msg17852, - "15552": msg17853, - "15553": msg17854, - "15554": msg17855, - "15555": msg17856, - "15556": msg17857, - "15557": msg17858, - "15558": msg17859, - "15559": msg17860, - "1556": select1448, - "15560": msg17861, - "15561": msg17862, - "15562": msg17863, - "15563": msg17864, - "15564": msg17865, - "15565": msg17866, - "15566": msg17867, - "15567": msg17868, - "15568": msg17869, - "15569": msg17870, 
- "1557": select1449, - "15570": msg17871, - "15571": msg17872, - "15572": msg17873, - "15573": msg17874, - "15574": msg17875, - "15575": msg17876, - "15576": msg17877, - "15577": msg17878, - "15578": msg17879, - "15579": msg17880, - "1558": select1450, - "15580": msg17881, - "15581": msg17882, - "15582": msg17883, - "15583": msg17884, - "15584": msg17885, - "15585": msg17886, - "15586": msg17887, - "15587": msg17888, - "15588": msg17889, - "15589": msg17890, - "1559": select1451, - "15590": msg17891, - "15591": msg17892, - "15592": msg17893, - "15593": msg17894, - "15594": msg17895, - "15595": msg17896, - "15596": msg17897, - "15597": msg17898, - "15598": msg17899, - "15599": msg17900, - "156": select82, - "1560": select1452, - "15600": msg17901, - "15601": msg17902, - "15602": msg17903, - "15603": msg17904, - "15604": msg17905, - "15605": msg17906, - "15606": msg17907, - "15607": msg17908, - "15608": msg17909, - "15609": msg17910, - "1561": select1453, - "15610": msg17911, - "15611": msg17912, - "15612": msg17913, - "15613": msg17914, - "15614": msg17915, - "15615": msg17916, - "15616": msg17917, - "15617": msg17918, - "15618": msg17919, - "15619": msg17920, - "1562": select1454, - "15620": msg17921, - "15621": msg17922, - "15622": msg17923, - "15623": msg17924, - "15624": msg17925, - "15625": msg17926, - "15626": msg17927, - "15627": msg17928, - "15628": msg17929, - "15629": msg17930, - "1563": select1455, - "15630": msg17931, - "15631": msg17932, - "15632": msg17933, - "15633": msg17934, - "15634": msg17935, - "15635": msg17936, - "15636": msg17937, - "15637": msg17938, - "15638": msg17939, - "15639": msg17940, - "1564": select1456, - "15640": msg17941, - "15641": msg17942, - "15642": msg17943, - "15643": msg17944, - "15644": msg17945, - "15645": msg17946, - "15646": msg17947, - "15647": msg17948, - "15648": msg17949, - "15649": msg17950, - "1565": select1457, - "15650": msg17951, - "15651": msg17952, - "15652": msg17953, - "15653": msg17954, - "15654": 
msg17955, - "15655": msg17956, - "15656": msg17957, - "15657": msg17958, - "15658": msg17959, - "15659": msg17960, - "1566": select1458, - "15660": msg17961, - "15661": msg17962, - "15662": msg17963, - "15663": msg17964, - "15664": msg17965, - "15665": msg17966, - "15666": msg17967, - "15667": msg17968, - "15668": msg17969, - "15669": msg17970, - "1567": select1459, - "15670": msg17971, - "15671": msg17972, - "15672": msg17973, - "15673": msg17974, - "15674": msg17975, - "15675": msg17976, - "15676": msg17977, - "15677": msg17978, - "15678": msg17979, - "15679": msg17980, - "1568": select1460, - "15680": msg17981, - "15681": msg17982, - "15682": msg17983, - "15683": msg17984, - "15684": msg17985, - "15685": msg17986, - "15686": msg17987, - "15687": msg17988, - "15688": msg17989, - "15689": msg17990, - "1569": select1461, - "15690": msg17991, - "15691": msg17992, - "15692": msg17993, - "15693": msg17994, - "15694": msg17995, - "15695": msg17996, - "15696": msg17997, - "15697": msg17998, - "15698": msg17999, - "15699": msg18000, - "157": select83, - "1570": select1462, - "15700": msg18001, - "15701": msg18002, - "15702": msg18003, - "15703": msg18004, - "15704": msg18005, - "15705": msg18006, - "15706": msg18007, - "15707": msg18008, - "15708": msg18009, - "15709": msg18010, - "1571": select1463, - "15710": msg18011, - "15711": msg18012, - "15712": msg18013, - "15713": msg18014, - "15714": msg18015, - "15715": msg18016, - "15716": msg18017, - "15717": msg18018, - "15718": msg18019, - "15719": msg18020, - "1572": select1464, - "15720": msg18021, - "15721": msg18022, - "15722": msg18023, - "15723": msg18024, - "15724": msg18025, - "15725": msg18026, - "15726": msg18027, - "15727": msg18028, - "15728": msg18029, - "15729": msg18030, - "1573": select1465, - "15730": msg18031, - "15731": msg18032, - "15732": msg18033, - "15733": msg18034, - "15734": msg18035, - "1574": select1466, - "1575": select1467, - "1576": select1468, - "1577": select1469, - "1578": select1470, - 
"1579": select1471, - "158": select84, - "1580": select1472, - "1581": select1473, - "1582": select1474, - "1583": select1475, - "1584": select1476, - "15847": msg18036, - "15848": msg18037, - "15849": msg18038, - "1585": select1477, - "15850": msg18039, - "15851": msg18040, - "15852": msg18041, - "15853": msg18042, - "15854": msg18043, - "15855": msg18044, - "15856": msg18045, - "15857": msg18046, - "15858": msg18047, - "15859": msg18048, - "1586": select1478, - "15860": msg18049, - "15861": msg18050, - "15862": msg18051, - "15863": msg18052, - "15864": msg18053, - "15865": msg18054, - "15866": msg18055, - "15867": msg18056, - "15868": msg18057, - "15869": msg18058, - "1587": select1479, - "15870": msg18059, - "15871": msg18060, - "15872": msg18061, - "15873": msg18062, - "15874": msg18063, - "15875": msg18064, - "15876": msg18065, - "15877": msg18066, - "15878": msg18067, - "15879": msg18068, - "1588": select1480, - "15880": msg18069, - "15881": msg18070, - "15882": msg18071, - "15883": msg18072, - "15884": msg18073, - "15885": msg18074, - "15886": msg18075, - "15887": msg18076, - "15888": msg18077, - "15889": msg18078, - "1589": select1481, - "15890": msg18079, - "15891": msg18080, - "15892": msg18081, - "15893": msg18082, - "15894": msg18083, - "15895": msg18084, - "15896": msg18085, - "15897": msg18086, - "15898": msg18087, - "15899": msg18088, - "159": select85, - "1590": select1482, - "15900": msg18089, - "15901": msg18090, - "15902": msg18091, - "15903": msg18092, - "15904": msg18093, - "15905": msg18094, - "15906": msg18095, - "15907": msg18096, - "15908": msg18097, - "15909": msg18098, - "1591": select1483, - "15910": msg18099, - "15911": msg18100, - "15912": msg18101, - "15913": msg18102, - "15914": msg18103, - "15915": msg18104, - "15916": msg18105, - "15917": msg18106, - "15918": msg18107, - "15919": msg18108, - "1592": select1484, - "15920": msg18109, - "15921": msg18110, - "15922": msg18111, - "15923": msg18112, - "15924": msg18113, - "15925": 
msg18114, - "15926": msg18115, - "15927": msg18116, - "15928": msg18117, - "15929": msg18118, - "1593": select1485, - "15930": msg18119, - "15931": msg18120, - "15932": msg18121, - "15933": msg18122, - "15934": msg18123, - "15935": msg18124, - "15936": msg18125, - "15937": msg18126, - "15938": msg18127, - "15939": msg18128, - "1594": select1486, - "15940": msg18129, - "15941": msg18130, - "15942": msg18131, - "15943": msg18132, - "15944": msg18133, - "15945": msg18134, - "15946": msg18135, - "15947": msg18136, - "15948": msg18137, - "15949": msg18138, - "1595": select1487, - "15950": msg18139, - "15951": msg18140, - "15952": msg18141, - "15953": msg18142, - "15954": msg18143, - "15955": msg18144, - "15956": msg18145, - "15957": msg18146, - "15958": msg18147, - "15959": msg18148, - "15960": msg18149, - "15961": msg18150, - "15962": msg18151, - "15963": msg18152, - "15964": msg18153, - "15965": msg18154, - "15966": msg18155, - "15967": msg18156, - "15968": msg18157, - "15969": msg18158, - "1597": select1488, - "15970": msg18159, - "15971": msg18160, - "15972": msg18161, - "15973": msg18162, - "15974": msg18163, - "15975": msg18164, - "15976": msg18165, - "15977": msg18166, - "15978": msg18167, - "15979": msg18168, - "1598": select1489, - "15980": msg18169, - "15981": msg18170, - "15982": msg18171, - "15983": msg18172, - "15984": msg18173, - "15985": msg18174, - "15986": msg18175, - "15987": msg18176, - "15988": msg18177, - "15989": msg18178, - "1599": select1490, - "15990": msg18179, - "15991": msg18180, - "15992": msg18181, - "15993": msg18182, - "15994": msg18183, - "15995": msg18184, - "15996": msg18185, - "15997": msg18186, - "15998": msg18187, - "15999": msg18188, - "16": select17, - "160": select86, - "1600": select1491, - "16000": msg18189, - "16001": msg18190, - "16002": msg18191, - "16003": msg18192, - "16004": msg18193, - "16005": msg18194, - "16006": msg18195, - "16007": msg18196, - "16008": msg18197, - "16009": msg18198, - "1601": select1492, - "16010": 
msg18199, - "16011": msg18200, - "16012": msg18201, - "16013": msg18202, - "16014": msg18203, - "16015": msg18204, - "16016": msg18205, - "16017": msg18206, - "16018": msg18207, - "16019": msg18208, - "1602": select1493, - "16020": msg18209, - "16021": msg18210, - "16022": msg18211, - "16023": msg18212, - "16024": msg18213, - "16025": msg18214, - "16026": msg18215, - "16027": msg18216, - "16028": msg18217, - "16029": msg18218, - "1603": select1494, - "16030": msg18219, - "16031": msg18220, - "16032": msg18221, - "16033": msg18222, - "16034": msg18223, - "16035": msg18224, - "16036": msg18225, - "16037": msg18226, - "16038": msg18227, - "16039": msg18228, - "1604": select1495, - "16040": msg18229, - "16041": msg18230, - "16042": msg18231, - "16043": msg18232, - "16044": msg18233, - "16045": msg18234, - "16046": msg18235, - "16047": msg18236, - "16048": msg18237, - "16049": msg18238, - "1605": select1496, - "16050": msg18239, - "16051": msg18240, - "16052": msg18241, - "16053": msg18242, - "16054": msg18243, - "16055": msg18244, - "16056": msg18245, - "16057": msg18246, - "16058": msg18247, - "16059": msg18248, - "1606": select1497, - "16060": msg18249, - "16061": msg18250, - "16062": msg18251, - "16063": msg18252, - "16064": msg18253, - "16065": msg18254, - "16066": msg18255, - "16067": msg18256, - "16068": msg18257, - "16069": msg18258, - "1607": select1498, - "16070": msg18259, - "16071": msg18260, - "16072": msg18261, - "16073": msg18262, - "16074": msg18263, - "16075": msg18264, - "16076": msg18265, - "16077": msg18266, - "16078": msg18267, - "16079": msg18268, - "1608": select1499, - "16080": msg18269, - "16081": msg18270, - "16082": msg18271, - "16083": msg18272, - "16084": msg18273, - "16085": msg18274, - "16086": msg18275, - "16087": msg18276, - "16089": msg18277, - "1609": select1500, - "16090": msg18278, - "16091": msg18279, - "16092": msg18280, - "16093": msg18281, - "16094": msg18282, - "16095": msg18283, - "16096": msg18284, - "16097": msg18285, - 
"16098": msg18286, - "16099": msg18287, - "161": select87, - "1610": select1501, - "16100": msg18288, - "16101": msg18289, - "16102": msg18290, - "16103": msg18291, - "16104": msg18292, - "16105": msg18293, - "16106": msg18294, - "16107": msg18295, - "16108": msg18296, - "16109": msg18297, - "1611": select1502, - "16110": msg18298, - "16111": msg18299, - "16112": msg18300, - "16113": msg18301, - "16114": msg18302, - "16115": msg18303, - "16116": msg18304, - "16117": msg18305, - "16118": msg18306, - "16119": msg18307, - "1612": select1503, - "16120": msg18308, - "16121": msg18309, - "16122": msg18310, - "16123": msg18311, - "16124": msg18312, - "16125": msg18313, - "16126": msg18314, - "16127": msg18315, - "16128": msg18316, - "16129": msg18317, - "1613": select1504, - "16130": msg18318, - "16131": msg18319, - "16132": msg18320, - "16133": msg18321, - "16134": msg18322, - "16135": msg18323, - "16136": msg18324, - "16137": msg18325, - "16138": msg18326, - "16139": msg18327, - "1614": select1505, - "16140": msg18328, - "16141": msg18329, - "16142": msg18330, - "16143": msg18331, - "16144": msg18332, - "16145": msg18333, - "16146": msg18334, - "16147": msg18335, - "16148": msg18336, - "16149": msg18337, - "1615": select1506, - "16150": msg18338, - "16151": msg18339, - "16152": msg18340, - "16153": msg18341, - "16154": msg18342, - "16155": msg18343, - "16156": msg18344, - "16157": msg18345, - "16158": msg18346, - "16159": msg18347, - "1616": select1507, - "16160": msg18348, - "16161": msg18349, - "16162": msg18350, - "16163": msg18351, - "16164": msg18352, - "16165": msg18353, - "16166": msg18354, - "16167": msg18355, - "16168": msg18356, - "16169": msg18357, - "1617": select1508, - "16170": msg18358, - "16171": msg18359, - "16172": msg18360, - "16173": msg18361, - "16174": msg18362, - "16175": msg18363, - "16176": msg18364, - "16177": msg18365, - "16178": msg18366, - "16179": msg18367, - "1618": select1509, - "16180": msg18368, - "16181": msg18369, - "16182": msg18370, 
- "16183": msg18371, - "16184": msg18372, - "16185": msg18373, - "16186": msg18374, - "16187": msg18375, - "16188": msg18376, - "16189": msg18377, - "1619": select1510, - "16190": msg18378, - "16191": msg18379, - "16192": msg18380, - "16193": msg18381, - "16194": msg18382, - "16195": msg18383, - "16196": msg18384, - "16197": msg18385, - "16198": msg18386, - "16199": msg18387, - "162": select88, - "1620": select1511, - "16200": msg18388, - "16201": msg18389, - "16202": msg18390, - "16203": msg18391, - "16204": msg18392, - "16205": msg18393, - "16206": msg18394, - "16207": msg18395, - "16208": msg18396, - "16209": msg18397, - "1621": select1512, - "16210": msg18398, - "16211": msg18399, - "16212": msg18400, - "16213": msg18401, - "16214": msg18402, - "16215": msg18403, - "16216": msg18404, - "16217": msg18405, - "16218": msg18406, - "16219": msg18407, - "1622": select1513, - "16220": msg18408, - "16221": msg18409, - "16222": msg18410, - "16223": msg18411, - "16224": msg18412, - "16225": msg18413, - "16226": msg18414, - "16227": msg18415, - "16228": msg18416, - "16229": msg18417, - "1623": select1514, - "16230": msg18418, - "16231": msg18419, - "16232": msg18420, - "16233": msg18421, - "16234": msg18422, - "16235": msg18423, - "16236": msg18424, - "16237": msg18425, - "16238": msg18426, - "16239": msg18427, - "1624": select1515, - "16240": msg18428, - "16241": msg18429, - "16242": msg18430, - "16243": msg18431, - "16244": msg18432, - "16245": msg18433, - "16246": msg18434, - "16247": msg18435, - "16248": msg18436, - "16249": msg18437, - "1625": select1516, - "16250": msg18438, - "16251": msg18439, - "16252": msg18440, - "16253": msg18441, - "16254": msg18442, - "16255": msg18443, - "16256": msg18444, - "16257": msg18445, - "16258": msg18446, - "16259": msg18447, - "1626": select1517, - "16260": msg18448, - "16261": msg18449, - "16262": msg18450, - "16263": msg18451, - "16264": msg18452, - "16265": msg18453, - "16266": msg18454, - "16267": msg18455, - "16268": 
msg18456, - "16269": msg18457, - "1627": select1518, - "16270": msg18458, - "16271": msg18459, - "16272": msg18460, - "16273": msg18461, - "16274": msg18462, - "16275": msg18463, - "16276": msg18464, - "16277": msg18465, - "16278": msg18466, - "16279": msg18467, - "1628": select1519, - "16280": msg18468, - "16281": msg18469, - "16282": msg18470, - "16283": msg18471, - "16284": msg18472, - "16285": msg18473, - "16286": msg18474, - "16287": msg18475, - "16288": msg18476, - "16289": msg18477, - "1629": select1520, - "16290": msg18478, - "16291": msg18479, - "16292": msg18480, - "16293": msg18481, - "16294": msg18482, - "16295": msg18483, - "16296": msg18484, - "16297": msg18485, - "16298": msg18486, - "16299": msg18487, - "163": select89, - "1630": select1521, - "16300": msg18488, - "16301": msg18489, - "16302": msg18490, - "16303": msg18491, - "16304": msg18492, - "16305": msg18493, - "16306": msg18494, - "16307": msg18495, - "16308": msg18496, - "16309": msg18497, - "1631": select1522, - "16310": msg18498, - "16311": msg18499, - "16312": msg18500, - "16313": msg18501, - "16314": msg18502, - "16315": msg18503, - "16316": msg18504, - "16317": msg18505, - "16318": msg18506, - "16319": msg18507, - "1632": select1523, - "16320": msg18508, - "16321": msg18509, - "16322": msg18510, - "16323": msg18511, - "16324": msg18512, - "16325": msg18513, - "16326": msg18514, - "16327": msg18515, - "16328": msg18516, - "16329": msg18517, - "1633": select1524, - "16330": msg18518, - "16331": msg18519, - "16332": msg18520, - "16333": msg18521, - "16334": msg18522, - "16335": msg18523, - "16336": msg18524, - "16337": msg18525, - "16338": msg18526, - "16339": msg18527, - "1634": select1525, - "16340": msg18528, - "16341": msg18529, - "16342": msg18530, - "16343": msg18531, - "16344": msg18532, - "16345": msg18533, - "16346": msg18534, - "16347": msg18535, - "16348": msg18536, - "16349": msg18537, - "1635": select1526, - "16350": msg18538, - "16351": msg18539, - "16352": msg18540, - 
"16353": msg18541, - "16354": msg18542, - "16355": msg18543, - "16356": msg18544, - "16357": msg18545, - "16358": msg18546, - "16359": msg18547, - "1636": select1527, - "16360": msg18548, - "16361": msg18549, - "16362": msg18550, - "16363": msg18551, - "16364": msg18552, - "16365": msg18553, - "16366": msg18554, - "16367": msg18555, - "16368": msg18556, - "16369": msg18557, - "1637": select1528, - "16370": msg18558, - "16371": msg18559, - "16372": msg18560, - "16373": msg18561, - "16374": msg18562, - "16375": msg18563, - "16376": msg18564, - "16377": msg18565, - "16378": msg18566, - "16379": msg18567, - "1638": select1529, - "16380": msg18568, - "16381": msg18569, - "16382": msg18570, - "16383": msg18571, - "16384": msg18572, - "16385": msg18573, - "16386": msg18574, - "16387": msg18575, - "16388": msg18576, - "16389": msg18577, - "1639": select1530, - "16390": msg18578, - "16391": msg18579, - "16392": msg18580, - "16393": msg18581, - "16394": msg18582, - "16395": msg18583, - "16396": msg18584, - "16397": msg18585, - "16398": msg18586, - "16399": msg18587, - "164": select90, - "1640": select1531, - "16400": msg18588, - "16401": msg18589, - "16402": msg18590, - "16403": msg18591, - "16404": msg18592, - "16405": msg18593, - "16406": msg18594, - "16407": msg18595, - "16408": msg18596, - "16409": msg18597, - "1641": select1532, - "16410": msg18598, - "16411": msg18599, - "16412": msg18600, - "16413": msg18601, - "16414": msg18602, - "16415": msg18603, - "16416": msg18604, - "16417": msg18605, - "16418": msg18606, - "16419": msg18607, - "1642": select1533, - "16420": msg18608, - "16421": msg18609, - "16422": msg18610, - "16423": msg18611, - "16424": msg18612, - "16425": msg18613, - "16426": msg18614, - "16427": msg18615, - "16428": msg18616, - "16429": msg18617, - "1643": select1534, - "16430": msg18618, - "16431": msg18619, - "16432": msg18620, - "16433": msg18621, - "16434": msg18622, - "16435": msg18623, - "16436": msg18624, - "16437": msg18625, - "16438": msg18626, 
- "16439": msg18627, - "1644": select1535, - "16440": msg18628, - "16441": msg18629, - "16442": msg18630, - "16443": msg18631, - "16444": msg18632, - "16445": msg18633, - "16446": msg18634, - "16447": msg18635, - "16448": msg18636, - "16449": msg18637, - "1645": select1536, - "16450": msg18638, - "16451": msg18639, - "16452": msg18640, - "16453": msg18641, - "16454": msg18642, - "16455": msg18643, - "16456": msg18644, - "16457": msg18645, - "16458": msg18646, - "16459": msg18647, - "1646": select1537, - "16460": msg18648, - "16461": msg18649, - "16462": msg18650, - "16463": msg18651, - "16464": msg18652, - "16465": msg18653, - "16466": msg18654, - "16467": msg18655, - "16468": msg18656, - "16469": msg18657, - "1647": select1538, - "16470": msg18658, - "16471": msg18659, - "16472": msg18660, - "16473": msg18661, - "16474": msg18662, - "16475": msg18663, - "16476": msg18664, - "16477": msg18665, - "16478": msg18666, - "16479": msg18667, - "1648": select1539, - "16480": msg18668, - "16481": msg18669, - "16482": msg18670, - "16483": msg18671, - "16484": msg18672, - "16485": msg18673, - "16486": msg18674, - "16487": msg18675, - "16488": msg18676, - "16489": msg18677, - "1649": select1540, - "16490": msg18678, - "16492": msg18679, - "16493": msg18680, - "16494": msg18681, - "16495": msg18682, - "16496": msg18683, - "16497": msg18684, - "16498": msg18685, - "16499": msg18686, - "165": select91, - "1650": select1541, - "16500": msg18687, - "16501": msg18688, - "16502": msg18689, - "16503": msg18690, - "16504": msg18691, - "16505": msg18692, - "16506": msg18693, - "16507": msg18694, - "16508": msg18695, - "16509": msg18696, - "1651": select1542, - "16510": msg18697, - "16511": msg18698, - "16512": msg18699, - "16513": msg18700, - "16514": msg18701, - "16515": msg18702, - "16516": msg18703, - "16517": msg18704, - "16518": msg18705, - "16519": msg18706, - "1652": select1543, - "16520": msg18707, - "16521": msg18708, - "16522": msg18709, - "16523": msg18710, - "16524": 
msg18711, - "16525": msg18712, - "16526": msg18713, - "16527": msg18714, - "16528": msg18715, - "16529": msg18716, - "1653": select1544, - "16530": msg18717, - "16531": msg18718, - "16532": msg18719, - "16533": msg18720, - "16534": msg18721, - "16535": msg18722, - "16536": msg18723, - "16537": msg18724, - "16538": msg18725, - "16539": msg18726, - "1654": select1545, - "16540": msg18727, - "16541": msg18728, - "16542": msg18729, - "16543": msg18730, - "16544": msg18731, - "16545": msg18732, - "16546": msg18733, - "16547": msg18734, - "16548": msg18735, - "16549": msg18736, - "1655": select1546, - "16550": msg18737, - "16551": msg18738, - "16552": msg18739, - "16553": msg18740, - "16554": msg18741, - "16555": msg18742, - "16556": msg18743, - "16557": msg18744, - "16558": msg18745, - "16559": msg18746, - "1656": select1547, - "16560": msg18747, - "16561": msg18748, - "16562": msg18749, - "16563": msg18750, - "16564": msg18751, - "16565": msg18752, - "16566": msg18753, - "16567": msg18754, - "16568": msg18755, - "16569": msg18756, - "1657": select1548, - "16570": msg18757, - "16571": msg18758, - "16572": msg18759, - "16573": msg18760, - "16574": msg18761, - "16575": msg18762, - "16576": msg18763, - "16577": msg18764, - "16578": msg18765, - "16579": msg18766, - "1658": select1549, - "16580": msg18767, - "16581": msg18768, - "16582": msg18769, - "16583": msg18770, - "16584": msg18771, - "16585": msg18772, - "16586": msg18773, - "16587": msg18774, - "16588": msg18775, - "16589": msg18776, - "1659": select1550, - "16590": msg18777, - "16591": msg18778, - "16592": msg18779, - "16593": msg18780, - "16594": msg18781, - "16595": msg18782, - "16596": msg18783, - "16597": msg18784, - "16598": msg18785, - "16599": msg18786, - "166": select92, - "1660": select1551, - "16600": msg18787, - "16601": msg18788, - "16602": msg18789, - "16603": msg18790, - "16604": msg18791, - "16605": msg18792, - "16606": msg18793, - "16607": msg18794, - "16608": msg18795, - "16609": msg18796, - "1661": 
select1552, - "16610": msg18797, - "16611": msg18798, - "16612": msg18799, - "16613": msg18800, - "16614": msg18801, - "16615": msg18802, - "16616": msg18803, - "16617": msg18804, - "16618": msg18805, - "16619": msg18806, - "1662": select1553, - "16620": msg18807, - "16621": msg18808, - "16622": msg18809, - "16623": msg18810, - "16624": msg18811, - "16625": msg18812, - "16626": msg18813, - "16627": msg18814, - "16628": msg18815, - "16629": msg18816, - "1663": select1554, - "16630": msg18817, - "16631": msg18818, - "16632": msg18819, - "16633": msg18820, - "16634": msg18821, - "16635": msg18822, - "16636": msg18823, - "16637": msg18824, - "16638": msg18825, - "16639": msg18826, - "1664": select1555, - "16640": msg18827, - "16641": msg18828, - "16642": msg18829, - "16643": msg18830, - "16644": msg18831, - "16645": msg18832, - "16646": msg18833, - "16647": msg18834, - "16648": msg18835, - "16649": msg18836, - "1665": select1556, - "16650": msg18837, - "16651": msg18838, - "16652": msg18839, - "16653": msg18840, - "16654": msg18841, - "16655": msg18842, - "16656": msg18843, - "16657": msg18844, - "16658": msg18845, - "16659": msg18846, - "1666": select1557, - "16660": msg18847, - "16661": msg18848, - "16662": msg18849, - "16663": msg18850, - "16664": msg18851, - "16665": msg18852, - "16666": msg18853, - "16667": msg18854, - "16668": msg18855, - "16669": msg18856, - "1667": select1558, - "16670": msg18857, - "16671": msg18858, - "16672": msg18859, - "16673": msg18860, - "16674": msg18861, - "16675": msg18862, - "16676": msg18863, - "16677": msg18864, - "16678": msg18865, - "16679": msg18866, - "1668": select1559, - "16680": msg18867, - "16681": msg18868, - "16682": msg18869, - "16683": msg18870, - "16684": msg18871, - "16685": msg18872, - "16686": msg18873, - "16687": msg18874, - "16688": msg18875, - "16689": msg18876, - "1669": select1560, - "16690": msg18877, - "16691": msg18878, - "16692": msg18879, - "16693": msg18880, - "16694": msg18881, - "16695": msg18882, - 
"16696": msg18883, - "16697": msg18884, - "16698": msg18885, - "16699": msg18886, - "167": select93, - "1670": select1561, - "16700": msg18887, - "16701": msg18888, - "16702": msg18889, - "16703": msg18890, - "16704": msg18891, - "16705": msg18892, - "16706": msg18893, - "16707": msg18894, - "16708": msg18895, - "16709": msg18896, - "1671": select1562, - "16710": msg18897, - "16711": msg18898, - "16712": msg18899, - "16713": msg18900, - "16714": msg18901, - "16715": msg18902, - "16716": msg18903, - "16717": msg18904, - "16718": msg18905, - "16719": msg18906, - "1672": select1563, - "16720": msg18907, - "16721": msg18908, - "16722": msg18909, - "16723": msg18910, - "16724": msg18911, - "16725": msg18912, - "16726": msg18913, - "16727": msg18914, - "16728": msg18915, - "16729": msg18916, - "1673": select1564, - "16730": msg18917, - "16731": msg18918, - "16732": msg18919, - "16733": msg18920, - "16734": msg18921, - "16735": msg18922, - "16736": msg18923, - "16737": msg18924, - "16738": msg18925, - "16739": msg18926, - "1674": select1565, - "16740": msg18927, - "16741": msg18928, - "16742": msg18929, - "16743": msg18930, - "16744": msg18931, - "16745": msg18932, - "16746": msg18933, - "16747": msg18934, - "16748": msg18935, - "16749": msg18936, - "1675": select1566, - "16750": msg18937, - "16751": msg18938, - "16752": msg18939, - "16753": msg18940, - "16754": msg18941, - "16755": msg18942, - "16756": msg18943, - "16757": msg18944, - "16758": msg18945, - "16759": msg18946, - "1676": select1567, - "16760": msg18947, - "16761": msg18948, - "16762": msg18949, - "16763": msg18950, - "16764": msg18951, - "16765": msg18952, - "16766": msg18953, - "16767": msg18954, - "16768": msg18955, - "16769": msg18956, - "1677": select1568, - "16770": msg18957, - "16771": msg18958, - "16772": msg18959, - "16773": msg18960, - "16774": msg18961, - "16775": msg18962, - "16776": msg18963, - "16777": msg18964, - "16778": msg18965, - "16779": msg18966, - "1678": select1569, - "16780": msg18967, 
- "16781": msg18968, - "16782": msg18969, - "16783": msg18970, - "16784": msg18971, - "16785": msg18972, - "16786": msg18973, - "16787": msg18974, - "16788": msg18975, - "16789": msg18976, - "1679": select1570, - "16790": msg18977, - "16791": msg18978, - "16792": msg18979, - "16793": msg18980, - "16794": msg18981, - "16795": msg18982, - "16796": msg18983, - "16797": msg18984, - "16798": msg18985, - "16799": msg18986, - "168": select94, - "1680": select1571, - "16800": msg18987, - "16801": msg18988, - "16802": msg18989, - "16803": msg18990, - "16804": msg18991, - "16805": msg18992, - "16806": msg18993, - "16807": msg18994, - "16808": msg18995, - "16809": msg18996, - "1681": select1572, - "16810": msg18997, - "16811": msg18998, - "16812": msg18999, - "16813": msg19000, - "16814": msg19001, - "16815": msg19002, - "16816": msg19003, - "16817": msg19004, - "16818": msg19005, - "16819": msg19006, - "1682": select1573, - "16820": msg19007, - "16821": msg19008, - "16822": msg19009, - "16823": msg19010, - "16824": msg19011, - "16825": msg19012, - "16826": msg19013, - "16827": msg19014, - "16828": msg19015, - "16829": msg19016, - "1683": select1574, - "16830": msg19017, - "16831": msg19018, - "16832": msg19019, - "16833": msg19020, - "16834": msg19021, - "16835": msg19022, - "16836": msg19023, - "16837": msg19024, - "16838": msg19025, - "16839": msg19026, - "1684": select1575, - "16840": msg19027, - "16841": msg19028, - "16842": msg19029, - "16843": msg19030, - "16844": msg19031, - "16845": msg19032, - "16846": msg19033, - "16847": msg19034, - "16848": msg19035, - "16849": msg19036, - "1685": select1576, - "16850": msg19037, - "16851": msg19038, - "16852": msg19039, - "16853": msg19040, - "16854": msg19041, - "16855": msg19042, - "16856": msg19043, - "16857": msg19044, - "16858": msg19045, - "16859": msg19046, - "1686": select1577, - "16860": msg19047, - "16861": msg19048, - "16862": msg19049, - "16863": msg19050, - "16864": msg19051, - "16865": msg19052, - "16866": 
msg19053, - "16867": msg19054, - "16868": msg19055, - "16869": msg19056, - "1687": select1578, - "16870": msg19057, - "16871": msg19058, - "16872": msg19059, - "16873": msg19060, - "16874": msg19061, - "16875": msg19062, - "16876": msg19063, - "16877": msg19064, - "16878": msg19065, - "16879": msg19066, - "1688": select1579, - "16880": msg19067, - "16881": msg19068, - "16882": msg19069, - "16883": msg19070, - "16884": msg19071, - "16885": msg19072, - "16886": msg19073, - "16887": msg19074, - "16888": msg19075, - "16889": msg19076, - "1689": select1580, - "16890": msg19077, - "16891": msg19078, - "16892": msg19079, - "16893": msg19080, - "16894": msg19081, - "16895": msg19082, - "16896": msg19083, - "16897": msg19084, - "16898": msg19085, - "16899": msg19086, - "169": select95, - "1690": select1581, - "16900": msg19087, - "16901": msg19088, - "16902": msg19089, - "16903": msg19090, - "16904": msg19091, - "16905": msg19092, - "16906": msg19093, - "16907": msg19094, - "16908": msg19095, - "16909": msg19096, - "1691": select1582, - "16910": msg19097, - "16911": msg19098, - "16912": msg19099, - "16913": msg19100, - "16914": msg19101, - "16915": msg19102, - "16916": msg19103, - "16917": msg19104, - "16918": msg19105, - "16919": msg19106, - "1692": select1583, - "16920": msg19107, - "16921": msg19108, - "16922": msg19109, - "16923": msg19110, - "16924": msg19111, - "16925": msg19112, - "16926": msg19113, - "16927": msg19114, - "16928": msg19115, - "16929": msg19116, - "1693": select1584, - "16930": msg19117, - "16931": msg19118, - "16932": msg19119, - "16933": msg19120, - "16934": msg19121, - "16935": msg19122, - "16936": msg19123, - "16937": msg19124, - "16938": msg19125, - "16939": msg19126, - "1694": select1585, - "16940": msg19127, - "16941": msg19128, - "16942": msg19129, - "16943": msg19130, - "16944": msg19131, - "16945": msg19132, - "16946": msg19133, - "16947": msg19134, - "16948": msg19135, - "16949": msg19136, - "1695": select1586, - "16950": msg19137, - 
"16951": msg19138, - "16952": msg19139, - "16953": msg19140, - "16954": msg19141, - "16955": msg19142, - "16956": msg19143, - "16957": msg19144, - "16958": msg19145, - "16959": msg19146, - "1696": select1587, - "16960": msg19147, - "16961": msg19148, - "16962": msg19149, - "16963": msg19150, - "16964": msg19151, - "16965": msg19152, - "16966": msg19153, - "16967": msg19154, - "16968": msg19155, - "16969": msg19156, - "1697": select1588, - "16970": msg19157, - "16971": msg19158, - "16972": msg19159, - "16973": msg19160, - "16974": msg19161, - "16975": msg19162, - "16976": msg19163, - "16977": msg19164, - "16978": msg19165, - "16979": msg19166, - "1698": select1589, - "16980": msg19167, - "16981": msg19168, - "16982": msg19169, - "16983": msg19170, - "16984": msg19171, - "16985": msg19172, - "16986": msg19173, - "16987": msg19174, - "16988": msg19175, - "16989": msg19176, - "1699": select1590, - "16990": msg19177, - "16991": msg19178, - "16992": msg19179, - "16993": msg19180, - "16994": msg19181, - "16995": msg19182, - "16996": msg19183, - "16997": msg19184, - "16998": msg19185, - "16999": msg19186, - "17": select18, - "170": select96, - "1700": select1591, - "17000": msg19187, - "17001": msg19188, - "17002": msg19189, - "17003": msg19190, - "17004": msg19191, - "17005": msg19192, - "17006": msg19193, - "17007": msg19194, - "17008": msg19195, - "17009": msg19196, - "1701": select1592, - "17010": msg19197, - "17011": msg19198, - "17012": msg19199, - "17013": msg19200, - "17014": msg19201, - "17015": msg19202, - "17016": msg19203, - "17017": msg19204, - "17018": msg19205, - "17019": msg19206, - "1702": select1593, - "17020": msg19207, - "17021": msg19208, - "17022": msg19209, - "17023": msg19210, - "17024": msg19211, - "17025": msg19212, - "17026": msg19213, - "17027": msg19214, - "17028": msg19215, - "17029": msg19216, - "1703": select1594, - "17030": msg19217, - "17031": msg19218, - "17032": msg19219, - "17033": msg19220, - "17034": msg19221, - "17035": msg19222, - 
"17036": msg19223, - "17037": msg19224, - "17038": msg19225, - "17039": msg19226, - "1704": select1595, - "17041": msg19227, - "17042": msg19228, - "17043": msg19229, - "17044": msg19230, - "17045": msg19231, - "17046": msg19232, - "17047": msg19233, - "17048": msg19234, - "17049": msg19235, - "1705": select1596, - "17050": msg19236, - "17051": msg19237, - "17052": msg19238, - "17053": msg19239, - "17054": msg19240, - "17055": msg19241, - "17056": msg19242, - "17057": msg19243, - "17058": msg19244, - "17059": msg19245, - "1706": select1597, - "17060": msg19246, - "17061": msg19247, - "17062": msg19248, - "17063": msg19249, - "17064": msg19250, - "17065": msg19251, - "17066": msg19252, - "17067": msg19253, - "17068": msg19254, - "17069": msg19255, - "1707": select1598, - "17070": msg19256, - "17071": msg19257, - "17072": msg19258, - "17073": msg19259, - "17074": msg19260, - "17075": msg19261, - "17076": msg19262, - "17077": msg19263, - "17078": msg19264, - "17079": msg19265, - "1708": select1599, - "17080": msg19266, - "17081": msg19267, - "17082": msg19268, - "17083": msg19269, - "17084": msg19270, - "17085": msg19271, - "17086": msg19272, - "17087": msg19273, - "17088": msg19274, - "17089": msg19275, - "1709": select1600, - "17090": msg19276, - "17091": msg19277, - "17092": msg19278, - "17093": msg19279, - "17094": msg19280, - "17095": msg19281, - "17096": msg19282, - "17097": msg19283, - "17098": msg19284, - "17099": msg19285, - "171": select97, - "1710": select1601, - "17100": msg19286, - "17101": msg19287, - "17102": msg19288, - "17103": msg19289, - "17104": msg19290, - "17105": msg19291, - "17106": msg19292, - "17107": msg19293, - "17108": msg19294, - "17109": msg19295, - "1711": select1602, - "17110": msg19296, - "17111": msg19297, - "17112": msg19298, - "17113": msg19299, - "17114": msg19300, - "17115": msg19301, - "17116": msg19302, - "17117": msg19303, - "17118": msg19304, - "17119": msg19305, - "1712": select1603, - "17120": msg19306, - "17121": msg19307, 
- "17122": msg19308, - "17123": msg19309, - "17124": msg19310, - "17125": msg19311, - "17126": msg19312, - "17127": msg19313, - "17128": msg19314, - "17129": msg19315, - "1713": select1604, - "17130": msg19316, - "17131": msg19317, - "17132": msg19318, - "17133": msg19319, - "17134": msg19320, - "17135": msg19321, - "17136": msg19322, - "17137": msg19323, - "17138": msg19324, - "17139": msg19325, - "1714": select1605, - "17140": msg19326, - "17141": msg19327, - "17142": msg19328, - "17143": msg19329, - "17144": msg19330, - "17145": msg19331, - "17146": msg19332, - "17147": msg19333, - "17148": msg19334, - "17149": msg19335, - "1715": select1606, - "17150": msg19336, - "17151": msg19337, - "17152": msg19338, - "17153": msg19339, - "17154": msg19340, - "17155": msg19341, - "17156": msg19342, - "17157": msg19343, - "17158": msg19344, - "17159": msg19345, - "1716": select1607, - "17160": msg19346, - "17161": msg19347, - "17162": msg19348, - "17163": msg19349, - "17164": msg19350, - "17165": msg19351, - "17166": msg19352, - "17167": msg19353, - "17168": msg19354, - "17169": msg19355, - "1717": select1608, - "17170": msg19356, - "17171": msg19357, - "17172": msg19358, - "17173": msg19359, - "17174": msg19360, - "17175": msg19361, - "17176": msg19362, - "17177": msg19363, - "17178": msg19364, - "17179": msg19365, - "1718": select1609, - "17180": msg19366, - "17181": msg19367, - "17182": msg19368, - "17183": msg19369, - "17184": msg19370, - "17185": msg19371, - "17186": msg19372, - "17187": msg19373, - "17188": msg19374, - "17189": msg19375, - "1719": select1610, - "17190": msg19376, - "17191": msg19377, - "17192": msg19378, - "17193": msg19379, - "17194": msg19380, - "17195": msg19381, - "17196": msg19382, - "17197": msg19383, - "17198": msg19384, - "17199": msg19385, - "172": select98, - "1720": select1611, - "17200": msg19386, - "17201": msg19387, - "17202": msg19388, - "17203": msg19389, - "17204": msg19390, - "17205": msg19391, - "17206": msg19392, - "17207": 
msg19393, - "17208": msg19394, - "17209": msg19395, - "1721": select1612, - "17210": msg19396, - "17211": msg19397, - "17212": msg19398, - "17213": msg19399, - "17214": msg19400, - "17215": msg19401, - "17216": msg19402, - "17217": msg19403, - "17218": msg19404, - "17219": msg19405, - "1722": select1613, - "17220": msg19406, - "17221": msg19407, - "17222": msg19408, - "17223": msg19409, - "17224": msg19410, - "17225": msg19411, - "17226": msg19412, - "17227": msg19413, - "17228": msg19414, - "17229": msg19415, - "1723": select1614, - "17230": msg19416, - "17231": msg19417, - "17232": msg19418, - "17233": msg19419, - "17234": msg19420, - "17235": msg19421, - "17236": msg19422, - "17237": msg19423, - "17238": msg19424, - "17239": msg19425, - "1724": select1615, - "17240": msg19426, - "17241": msg19427, - "17242": msg19428, - "17243": msg19429, - "17244": msg19430, - "17245": msg19431, - "17246": msg19432, - "17247": msg19433, - "17248": msg19434, - "17249": msg19435, - "1725": select1616, - "17250": msg19436, - "17251": msg19437, - "17252": msg19438, - "17253": msg19439, - "17254": msg19440, - "17255": msg19441, - "17256": msg19442, - "17257": msg19443, - "17258": msg19444, - "17259": msg19445, - "1726": select1617, - "17260": msg19446, - "17261": msg19447, - "17262": msg19448, - "17263": msg19449, - "17264": msg19450, - "17265": msg19451, - "17266": msg19452, - "17267": msg19453, - "17268": msg19454, - "17269": msg19455, - "1727": select1618, - "17270": msg19456, - "17271": msg19457, - "17272": msg19458, - "17273": msg19459, - "17274": msg19460, - "17275": msg19461, - "17276": msg19462, - "17277": msg19463, - "17278": msg19464, - "17279": msg19465, - "1728": select1619, - "17280": msg19466, - "17281": msg19467, - "17282": msg19468, - "17283": msg19469, - "17284": msg19470, - "17285": msg19471, - "17286": msg19472, - "17287": msg19473, - "17288": msg19474, - "17289": msg19475, - "1729": select1620, - "17290": msg19476, - "17291": msg19477, - "17292": msg19478, - 
"17293": msg19479, - "17294": msg19480, - "17295": msg19481, - "17296": msg19482, - "17297": msg19483, - "17298": msg19484, - "17299": msg19485, - "173": select99, - "1730": select1621, - "17300": msg19486, - "17301": msg19487, - "17302": msg19488, - "17303": msg19489, - "17304": msg19490, - "17305": msg19491, - "17306": msg19492, - "17307": msg19493, - "17308": msg19494, - "17309": msg19495, - "1731": select1622, - "17310": msg19496, - "17311": msg19497, - "17312": msg19498, - "17313": msg19499, - "17314": msg19500, - "17315": msg19501, - "17316": msg19502, - "17317": msg19503, - "17318": msg19504, - "17319": msg19505, - "1732": select1623, - "17320": msg19506, - "17321": msg19507, - "17322": msg19508, - "17323": msg19509, - "17324": msg19510, - "17325": msg19511, - "17326": msg19512, - "17327": msg19513, - "17328": msg19514, - "17329": msg19515, - "1733": select1624, - "17330": msg19516, - "17331": msg19517, - "17332": msg19518, - "17333": msg19519, - "17334": msg19520, - "17335": msg19521, - "17336": msg19522, - "17337": msg19523, - "17338": msg19524, - "17339": msg19525, - "1734": select1625, - "17340": msg19526, - "17341": msg19527, - "17342": msg19528, - "17343": msg19529, - "17344": msg19530, - "17345": msg19531, - "17346": msg19532, - "17347": msg19533, - "17348": msg19534, - "17349": msg19535, - "1735": select1626, - "17350": msg19536, - "17351": msg19537, - "17352": msg19538, - "17353": msg19539, - "17354": msg19540, - "17355": msg19541, - "17356": msg19542, - "17357": msg19543, - "17358": msg19544, - "17359": msg19545, - "1736": select1627, - "17360": msg19546, - "17361": msg19547, - "17362": msg19548, - "17363": msg19549, - "17364": msg19550, - "17365": msg19551, - "17366": msg19552, - "17367": msg19553, - "17368": msg19554, - "17369": msg19555, - "1737": select1628, - "17370": msg19556, - "17371": msg19557, - "17372": msg19558, - "17373": msg19559, - "17374": msg19560, - "17375": msg19561, - "17376": msg19562, - "17377": msg19563, - "17378": msg19564, 
- "17379": msg19565, - "1738": select1629, - "17380": msg19566, - "17381": msg19567, - "17382": msg19568, - "17383": msg19569, - "17384": msg19570, - "17385": msg19571, - "17386": msg19572, - "17387": msg19573, - "17388": msg19574, - "17389": msg19575, - "1739": select1630, - "17390": msg19576, - "17391": msg19577, - "17392": msg19578, - "17393": msg19579, - "17394": msg19580, - "17395": msg19581, - "17396": msg19582, - "17397": msg19583, - "17398": msg19584, - "17399": msg19585, - "174": select100, - "1740": select1631, - "17400": msg19586, - "17401": msg19587, - "17402": msg19588, - "17403": msg19589, - "17404": msg19590, - "17405": msg19591, - "17406": msg19592, - "17407": msg19593, - "17408": msg19594, - "17409": msg19595, - "1741": select1632, - "17410": msg19596, - "17411": msg19597, - "17412": msg19598, - "17413": msg19599, - "17414": msg19600, - "17415": msg19601, - "17416": msg19602, - "17417": msg19603, - "17418": msg19604, - "17419": msg19605, - "1742": select1633, - "17420": msg19606, - "17421": msg19607, - "17422": msg19608, - "17423": msg19609, - "17424": msg19610, - "17425": msg19611, - "17426": msg19612, - "17427": msg19613, - "17428": msg19614, - "17429": msg19615, - "1743": select1634, - "17430": msg19616, - "17431": msg19617, - "17432": msg19618, - "17433": msg19619, - "17434": msg19620, - "17435": msg19621, - "17436": msg19622, - "17437": msg19623, - "17438": msg19624, - "17439": msg19625, - "1744": select1635, - "17440": msg19626, - "17441": msg19627, - "17442": msg19628, - "17443": msg19629, - "17444": msg19630, - "17445": msg19631, - "17446": msg19632, - "17447": msg19633, - "17448": msg19634, - "17449": msg19635, - "1745": select1636, - "17450": msg19636, - "17451": msg19637, - "17452": msg19638, - "17453": msg19639, - "17454": msg19640, - "17455": msg19641, - "17456": msg19642, - "17457": msg19643, - "17458": msg19644, - "17459": msg19645, - "1746": select1637, - "17460": msg19646, - "17461": msg19647, - "17462": msg19648, - "17463": 
msg19649, - "17464": msg19650, - "17465": msg19651, - "17466": msg19652, - "17467": msg19653, - "17468": msg19654, - "17469": msg19655, - "1747": select1638, - "17470": msg19656, - "17471": msg19657, - "17472": msg19658, - "17473": msg19659, - "17474": msg19660, - "17475": msg19661, - "17476": msg19662, - "17477": msg19663, - "17478": msg19664, - "17479": msg19665, - "1748": select1639, - "17480": msg19666, - "17481": msg19667, - "17482": msg19668, - "17483": msg19669, - "17484": msg19670, - "17485": msg19671, - "17486": msg19672, - "17487": msg19673, - "17488": msg19674, - "17489": msg19675, - "1749": select1640, - "17490": msg19676, - "17491": msg19677, - "17492": msg19678, - "17493": msg19679, - "17494": msg19680, - "17495": msg19681, - "17496": msg19682, - "17497": msg19683, - "17498": msg19684, - "17499": msg19685, - "175": select101, - "1750": select1641, - "17500": msg19686, - "17501": msg19687, - "17502": msg19688, - "17503": msg19689, - "17504": msg19690, - "17505": msg19691, - "17506": msg19692, - "17507": msg19693, - "17508": msg19694, - "17509": msg19695, - "1751": select1642, - "17510": msg19696, - "17511": msg19697, - "17512": msg19698, - "17513": msg19699, - "17514": msg19700, - "17515": msg19701, - "17516": msg19702, - "17517": msg19703, - "17518": msg19704, - "17519": msg19705, - "1752": select1643, - "17520": msg19706, - "17521": msg19707, - "17522": msg19708, - "17523": msg19709, - "17524": msg19710, - "17525": msg19711, - "17526": msg19712, - "17527": msg19713, - "17528": msg19714, - "17529": msg19715, - "1753": select1644, - "17530": msg19716, - "17531": msg19717, - "17532": msg19718, - "17533": msg19719, - "17534": msg19720, - "17535": msg19721, - "17536": msg19722, - "17537": msg19723, - "17538": msg19724, - "17539": msg19725, - "1754": select1645, - "17540": msg19726, - "17541": msg19727, - "17542": msg19728, - "17543": msg19729, - "17544": msg19730, - "17545": msg19731, - "17546": msg19732, - "17547": msg19733, - "17548": msg19734, - 
"17549": msg19735, - "1755": select1646, - "17550": msg19736, - "17551": msg19737, - "17552": msg19738, - "17553": msg19739, - "17554": msg19740, - "17555": msg19741, - "17556": msg19742, - "17557": msg19743, - "17558": msg19744, - "17559": msg19745, - "1756": select1647, - "17560": msg19746, - "17561": msg19747, - "17562": msg19748, - "17563": msg19749, - "17564": msg19750, - "17565": msg19751, - "17566": msg19752, - "17567": msg19753, - "17568": msg19754, - "17569": msg19755, - "1757": select1648, - "17570": msg19756, - "17571": msg19757, - "17572": msg19758, - "17573": msg19759, - "17574": msg19760, - "17575": msg19761, - "17576": msg19762, - "17577": msg19763, - "17578": msg19764, - "17579": msg19765, - "1758": select1649, - "17580": msg19766, - "17581": msg19767, - "17582": msg19768, - "17583": msg19769, - "17584": msg19770, - "17585": msg19771, - "17586": msg19772, - "17587": msg19773, - "17588": msg19774, - "17589": msg19775, - "1759": select1650, - "17590": msg19776, - "17591": msg19777, - "17592": msg19778, - "17593": msg19779, - "17594": msg19780, - "17595": msg19781, - "17596": msg19782, - "17597": msg19783, - "17598": msg19784, - "17599": msg19785, - "176": select102, - "1760": select1651, - "17600": msg19786, - "17601": msg19787, - "17602": msg19788, - "17603": msg19789, - "17604": msg19790, - "17605": msg19791, - "17606": msg19792, - "17607": msg19793, - "17608": msg19794, - "17609": msg19795, - "1761": select1652, - "17610": msg19796, - "17611": msg19797, - "17612": msg19798, - "17613": msg19799, - "17614": msg19800, - "17616": msg19801, - "17618": msg19802, - "17619": msg19803, - "1762": select1653, - "17620": msg19804, - "17621": msg19805, - "17622": msg19806, - "17623": msg19807, - "17624": msg19808, - "17625": msg19809, - "17626": msg19810, - "17628": msg19811, - "17629": msg19812, - "1763": select1654, - "17630": msg19813, - "17631": msg19814, - "17632": msg19815, - "17633": msg19816, - "17634": msg19817, - "17635": msg19818, - "17636": 
msg19819, - "17637": msg19820, - "17638": msg19821, - "17639": msg19822, - "1764": select1655, - "17640": msg19823, - "17641": msg19824, - "17642": msg19825, - "17643": msg19826, - "17644": msg19827, - "17645": msg19828, - "17646": msg19829, - "17647": msg19830, - "17648": msg19831, - "17649": msg19832, - "1765": select1656, - "17650": msg19833, - "17651": msg19834, - "17652": msg19835, - "17653": msg19836, - "17654": msg19837, - "17655": msg19838, - "17656": msg19839, - "17657": msg19840, - "17658": msg19841, - "17659": msg19842, - "1766": select1657, - "17660": msg19843, - "17661": msg19844, - "17662": msg19845, - "17663": msg19846, - "17664": msg19847, - "17665": msg19848, - "17666": msg19849, - "17667": msg19850, - "17668": msg19851, - "17669": msg19852, - "1767": select1658, - "17670": msg19853, - "17671": msg19854, - "17672": msg19855, - "17673": msg19856, - "17674": msg19857, - "17675": msg19858, - "17676": msg19859, - "17677": msg19860, - "17678": msg19861, - "17679": msg19862, - "1768": select1659, - "17680": msg19863, - "17685": msg19864, - "17686": msg19865, - "17687": msg19866, - "17688": msg19867, - "17689": msg19868, - "1769": select1660, - "17690": msg19869, - "17691": msg19870, - "17692": msg19871, - "17693": msg19872, - "17694": msg19873, - "17695": msg19874, - "17696": msg19875, - "17697": msg19876, - "17698": msg19877, - "17699": msg19878, - "177": select103, - "1770": select1661, - "17700": msg19879, - "17701": msg19880, - "17702": msg19881, - "17703": msg19882, - "17704": msg19883, - "17705": msg19884, - "17706": msg19885, - "17707": msg19886, - "17708": msg19887, - "17709": msg19888, - "1771": select1662, - "17710": msg19889, - "17711": msg19890, - "17712": msg19891, - "17713": msg19892, - "17714": msg19893, - "17715": msg19894, - "17716": msg19895, - "17717": msg19896, - "17718": msg19897, - "17719": msg19898, - "1772": select1663, - "17720": msg19899, - "17721": msg19900, - "17722": msg19901, - "17723": msg19902, - "17724": msg19903, - 
"17725": msg19904, - "17726": msg19905, - "17727": msg19906, - "17728": msg19907, - "17729": msg19908, - "1773": select1664, - "17730": msg19909, - "17731": msg19910, - "17732": msg19911, - "17733": msg19912, - "17734": msg19913, - "17735": msg19914, - "17736": msg19915, - "17737": msg19916, - "17738": msg19917, - "17739": msg19918, - "1774": select1665, - "17740": msg19919, - "17741": msg19920, - "17742": msg19921, - "17743": msg19922, - "17745": msg19923, - "17746": msg19924, - "17747": msg19925, - "17748": msg19926, - "17749": msg19927, - "1775": select1666, - "17750": msg19928, - "17751": msg19929, - "17752": msg19930, - "17753": msg19931, - "17754": msg19932, - "17755": msg19933, - "17756": msg19934, - "17757": msg19935, - "17758": msg19936, - "17759": msg19937, - "1776": select1667, - "17760": msg19938, - "17762": msg19939, - "17763": msg19940, - "17764": msg19941, - "17765": msg19942, - "17766": msg19943, - "17767": msg19944, - "17768": msg19945, - "17769": msg19946, - "1777": select1668, - "17770": msg19947, - "17771": msg19948, - "17772": msg19949, - "17773": msg19950, - "17774": msg19951, - "17775": msg19952, - "17776": msg19953, - "17777": msg19954, - "17778": msg19955, - "17779": msg19956, - "1778": select1669, - "17780": msg19957, - "17781": msg19958, - "17782": msg19959, - "17783": msg19960, - "17784": msg19961, - "17785": msg19962, - "17786": msg19963, - "17787": msg19964, - "17788": msg19965, - "17789": msg19966, - "1779": select1670, - "17790": msg19967, - "17791": msg19968, - "17792": msg19969, - "17793": msg19970, - "17794": msg19971, - "17795": msg19972, - "17796": msg19973, - "17797": msg19974, - "17798": msg19975, - "17799": msg19976, - "1780": select1671, - "17800": msg19977, - "17801": msg19978, - "17802": msg19979, - "17803": msg19980, - "17804": msg19981, - "17805": msg19982, - "17806": msg19983, - "17807": msg19984, - "17808": msg19985, - "17809": msg19986, - "1781": select1672, - "17810": msg19987, - "17811": msg19988, - "17812": 
msg19989, - "17813": msg19990, - "17814": msg19991, - "17815": msg19992, - "17816": msg19993, - "17817": msg19994, - "17818": msg19995, - "17819": msg19996, - "1782": select1673, - "17820": msg19997, - "17821": msg19998, - "17822": msg19999, - "17823": msg20000, - "17824": msg20001, - "17825": msg20002, - "17826": msg20003, - "17827": msg20004, - "17828": msg20005, - "17829": msg20006, - "1783": select1674, - "17830": msg20007, - "17831": msg20008, - "17832": msg20009, - "17833": msg20010, - "17834": msg20011, - "17835": msg20012, - "17836": msg20013, - "17837": msg20014, - "17838": msg20015, - "17839": msg20016, - "1784": select1675, - "17840": msg20017, - "17841": msg20018, - "17842": msg20019, - "17843": msg20020, - "17844": msg20021, - "17845": msg20022, - "17846": msg20023, - "17847": msg20024, - "17848": msg20025, - "17849": msg20026, - "1785": select1676, - "17850": msg20027, - "17851": msg20028, - "17852": msg20029, - "17853": msg20030, - "17854": msg20031, - "17855": msg20032, - "17856": msg20033, - "17857": msg20034, - "17858": msg20035, - "17859": msg20036, - "1786": select1677, - "17860": msg20037, - "17861": msg20038, - "17862": msg20039, - "17863": msg20040, - "17864": msg20041, - "17865": msg20042, - "17866": msg20043, - "17867": msg20044, - "17868": msg20045, - "17869": msg20046, - "1787": select1678, - "17870": msg20047, - "17871": msg20048, - "17872": msg20049, - "17873": msg20050, - "17874": msg20051, - "17875": msg20052, - "17876": msg20053, - "17877": msg20054, - "17878": msg20055, - "17879": msg20056, - "1788": select1679, - "17880": msg20057, - "17881": msg20058, - "17882": msg20059, - "17883": msg20060, - "17884": msg20061, - "17885": msg20062, - "17886": msg20063, - "17887": msg20064, - "17888": msg20065, - "17889": msg20066, - "1789": select1680, - "17890": msg20067, - "17891": msg20068, - "17892": msg20069, - "17893": msg20070, - "17894": msg20071, - "17895": msg20072, - "17896": msg20073, - "17897": msg20074, - "17898": msg20075, - 
"17899": msg20076, - "179": select104, - "1790": select1681, - "17900": msg20077, - "17901": msg20078, - "17902": msg20079, - "17903": msg20080, - "17904": msg20081, - "17905": msg20082, - "17906": msg20083, - "17907": msg20084, - "17908": msg20085, - "17909": msg20086, - "1791": select1682, - "17910": msg20087, - "17911": msg20088, - "17912": msg20089, - "17913": msg20090, - "17914": msg20091, - "17915": msg20092, - "17916": msg20093, - "17917": msg20094, - "17918": msg20095, - "17919": msg20096, - "1792": select1683, - "17920": msg20097, - "17921": msg20098, - "17922": msg20099, - "17923": msg20100, - "17924": msg20101, - "17925": msg20102, - "17926": msg20103, - "17927": msg20104, - "17928": msg20105, - "17929": msg20106, - "1793": select1684, - "17930": msg20107, - "17931": msg20108, - "17932": msg20109, - "17933": msg20110, - "17934": msg20111, - "17935": msg20112, - "17936": msg20113, - "17937": msg20114, - "17938": msg20115, - "17939": msg20116, - "1794": select1685, - "17940": msg20117, - "17941": msg20118, - "17942": msg20119, - "17943": msg20120, - "17944": msg20121, - "17945": msg20122, - "17946": msg20123, - "17947": msg20124, - "17948": msg20125, - "17949": msg20126, - "1795": select1686, - "17950": msg20127, - "17951": msg20128, - "17952": msg20129, - "17953": msg20130, - "17954": msg20131, - "17955": msg20132, - "17956": msg20133, - "17957": msg20134, - "17958": msg20135, - "17959": msg20136, - "1796": select1687, - "17960": msg20137, - "17961": msg20138, - "17962": msg20139, - "17963": msg20140, - "17964": msg20141, - "17965": msg20142, - "17966": msg20143, - "17967": msg20144, - "17968": msg20145, - "17969": msg20146, - "1797": select1688, - "17970": msg20147, - "17971": msg20148, - "17972": msg20149, - "17973": msg20150, - "17974": msg20151, - "17975": msg20152, - "17976": msg20153, - "17977": msg20154, - "17978": msg20155, - "17979": msg20156, - "1798": select1689, - "17980": msg20157, - "17981": msg20158, - "17982": msg20159, - "17983": 
msg20160, - "17984": msg20161, - "17985": msg20162, - "17986": msg20163, - "17987": msg20164, - "17988": msg20165, - "17989": msg20166, - "1799": select1690, - "17990": msg20167, - "17991": msg20168, - "17992": msg20169, - "17993": msg20170, - "17994": msg20171, - "17995": msg20172, - "17996": msg20173, - "17997": msg20174, - "17998": msg20175, - "17999": msg20176, - "18": select19, - "180": select105, - "1800": select1691, - "18000": msg20177, - "18001": msg20178, - "18002": msg20179, - "18003": msg20180, - "18004": msg20181, - "18005": msg20182, - "18006": msg20183, - "18007": msg20184, - "18008": msg20185, - "18009": msg20186, - "1801": select1692, - "18010": msg20187, - "18011": msg20188, - "18012": msg20189, - "18013": msg20190, - "18014": msg20191, - "18015": msg20192, - "18016": msg20193, - "18017": msg20194, - "18018": msg20195, - "18019": msg20196, - "1802": select1693, - "18020": msg20197, - "18021": msg20198, - "18022": msg20199, - "18023": msg20200, - "18024": msg20201, - "18025": msg20202, - "18026": msg20203, - "18027": msg20204, - "18028": msg20205, - "18029": msg20206, - "1803": select1694, - "18030": msg20207, - "18031": msg20208, - "18032": msg20209, - "18033": msg20210, - "18034": msg20211, - "18035": msg20212, - "18036": msg20213, - "18037": msg20214, - "18038": msg20215, - "18039": msg20216, - "1804": select1695, - "18040": msg20217, - "18041": msg20218, - "18042": msg20219, - "18043": msg20220, - "18044": msg20221, - "18045": msg20222, - "18046": msg20223, - "18047": msg20224, - "18048": msg20225, - "18049": msg20226, - "1805": select1696, - "18050": msg20227, - "18051": msg20228, - "18052": msg20229, - "18053": msg20230, - "18054": msg20231, - "18055": msg20232, - "18056": msg20233, - "18057": msg20234, - "18058": msg20235, - "18059": msg20236, - "1806": select1697, - "18060": msg20237, - "18061": msg20238, - "18062": msg20239, - "18063": msg20240, - "18064": msg20241, - "18065": msg20242, - "18066": msg20243, - "18067": msg20244, - "18068": 
msg20245, - "18069": msg20246, - "1807": select1698, - "18070": msg20247, - "18071": msg20248, - "18072": msg20249, - "18073": msg20250, - "18074": msg20251, - "18076": msg20252, - "18077": msg20253, - "18078": msg20254, - "18079": msg20255, - "1808": select1699, - "18080": msg20256, - "18081": msg20257, - "18082": msg20258, - "18083": msg20259, - "18084": msg20260, - "18085": msg20261, - "18086": msg20262, - "18087": msg20263, - "18088": msg20264, - "18089": msg20265, - "1809": select1700, - "18090": msg20266, - "18091": msg20267, - "18092": msg20268, - "18093": msg20269, - "18094": msg20270, - "18095": msg20271, - "18096": msg20272, - "18097": msg20273, - "18098": msg20274, - "18099": msg20275, - "181": select106, - "1810": select1701, - "18100": msg20276, - "18101": msg20277, - "18102": msg20278, - "18103": msg20279, - "18104": msg20280, - "18105": msg20281, - "18106": msg20282, - "18107": msg20283, - "18108": msg20284, - "18109": msg20285, - "1811": select1702, - "18110": msg20286, - "18111": msg20287, - "18112": msg20288, - "18113": msg20289, - "18114": msg20290, - "18115": msg20291, - "18116": msg20292, - "18117": msg20293, - "18118": msg20294, - "18119": msg20295, - "1812": select1703, - "18120": msg20296, - "18121": msg20297, - "18122": msg20298, - "18123": msg20299, - "18124": msg20300, - "18125": msg20301, - "18126": msg20302, - "18127": msg20303, - "18128": msg20304, - "18129": msg20305, - "1813": select1704, - "18130": msg20306, - "18131": msg20307, - "18132": msg20308, - "18133": msg20309, - "18134": msg20310, - "18135": msg20311, - "18136": msg20312, - "18137": msg20313, - "18138": msg20314, - "18139": msg20315, - "1814": select1705, - "18140": msg20316, - "18141": msg20317, - "18142": msg20318, - "18143": msg20319, - "18144": msg20320, - "18145": msg20321, - "18146": msg20322, - "18147": msg20323, - "18148": msg20324, - "18149": msg20325, - "1815": select1706, - "18150": msg20326, - "18151": msg20327, - "18152": msg20328, - "18153": msg20329, - 
"18154": msg20330, - "18155": msg20331, - "18156": msg20332, - "18157": msg20333, - "18158": msg20334, - "18159": msg20335, - "1816": select1707, - "18160": msg20336, - "18161": msg20337, - "18162": msg20338, - "18163": msg20339, - "18164": msg20340, - "18165": msg20341, - "18166": msg20342, - "18167": msg20343, - "18168": msg20344, - "18169": msg20345, - "1817": select1708, - "18170": msg20346, - "18171": msg20347, - "18172": msg20348, - "18173": msg20349, - "18174": msg20350, - "18175": msg20351, - "18176": msg20352, - "18177": msg20353, - "18178": msg20354, - "18179": msg20355, - "1818": select1709, - "18180": msg20356, - "18181": msg20357, - "18182": msg20358, - "18183": msg20359, - "18184": msg20360, - "18185": msg20361, - "18186": msg20362, - "18187": msg20363, - "18188": msg20364, - "18189": msg20365, - "1819": select1710, - "18190": msg20366, - "18191": msg20367, - "18192": msg20368, - "18193": msg20369, - "18194": msg20370, - "18195": msg20371, - "18196": msg20372, - "18197": msg20373, - "18198": msg20374, - "18199": msg20375, - "182": select107, - "1820": select1711, - "18200": msg20376, - "18201": msg20377, - "18202": msg20378, - "18203": msg20379, - "18204": msg20380, - "18205": msg20381, - "18206": msg20382, - "18207": msg20383, - "18208": msg20384, - "18209": msg20385, - "1821": select1712, - "18210": msg20386, - "18211": msg20387, - "18212": msg20388, - "18213": msg20389, - "18214": msg20390, - "18215": msg20391, - "18216": msg20392, - "18217": msg20393, - "18218": msg20394, - "18219": msg20395, - "1822": select1713, - "18220": msg20396, - "18221": msg20397, - "18222": msg20398, - "18223": msg20399, - "18224": msg20400, - "18225": msg20401, - "18226": msg20402, - "18227": msg20403, - "18228": msg20404, - "18229": msg20405, - "1823": select1714, - "18230": msg20406, - "18231": msg20407, - "18232": msg20408, - "18233": msg20409, - "18234": msg20410, - "18235": msg20411, - "18236": msg20412, - "18237": msg20413, - "18238": msg20414, - "18239": msg20415, 
- "1824": select1715, - "18240": msg20416, - "18241": msg20417, - "18242": msg20418, - "18243": msg20419, - "18244": msg20420, - "18245": msg20421, - "18246": msg20422, - "18247": msg20423, - "18248": msg20424, - "18249": msg20425, - "1825": select1716, - "18250": msg20426, - "18251": msg20427, - "18252": msg20428, - "18253": msg20429, - "18254": msg20430, - "18255": msg20431, - "18256": msg20432, - "18257": msg20433, - "18258": msg20434, - "18259": msg20435, - "1826": select1717, - "18260": msg20436, - "18261": msg20437, - "18262": msg20438, - "18263": msg20439, - "18264": msg20440, - "18265": msg20441, - "18266": msg20442, - "18267": msg20443, - "18268": msg20444, - "18269": msg20445, - "1827": select1718, - "18270": msg20446, - "18271": msg20447, - "18272": msg20448, - "18273": msg20449, - "18274": msg20450, - "18275": msg20451, - "18276": msg20452, - "18277": msg20453, - "18278": msg20454, - "18279": msg20455, - "1828": select1719, - "18280": msg20456, - "18281": msg20457, - "18282": msg20458, - "18283": msg20459, - "18284": msg20460, - "18285": msg20461, - "18286": msg20462, - "18287": msg20463, - "18288": msg20464, - "18289": msg20465, - "1829": select1720, - "18290": msg20466, - "18291": msg20467, - "18292": msg20468, - "18293": msg20469, - "18294": msg20470, - "18295": msg20471, - "18296": msg20472, - "18297": msg20473, - "18298": msg20474, - "18299": msg20475, - "183": select108, - "1830": select1721, - "18300": msg20476, - "18301": msg20477, - "18302": msg20478, - "18303": msg20479, - "18304": msg20480, - "18305": msg20481, - "18306": msg20482, - "18307": msg20483, - "18308": msg20484, - "18309": msg20485, - "1831": select1722, - "18310": msg20486, - "18311": msg20487, - "18312": msg20488, - "18313": msg20489, - "18314": msg20490, - "18315": msg20491, - "18316": msg20492, - "18317": msg20493, - "18318": msg20494, - "18319": msg20495, - "1832": select1723, - "18320": msg20496, - "18321": msg20497, - "18322": msg20498, - "18323": msg20499, - "18324": 
msg20500, - "18325": msg20501, - "18326": msg20502, - "18327": msg20503, - "18328": msg20504, - "18329": msg20505, - "1833": select1724, - "18330": msg20506, - "18331": msg20507, - "18332": msg20508, - "18333": msg20509, - "18334": msg20510, - "18335": msg20511, - "18336": msg20512, - "18337": msg20513, - "18338": msg20514, - "18339": msg20515, - "1834": select1725, - "18340": msg20516, - "18341": msg20517, - "18342": msg20518, - "18343": msg20519, - "18344": msg20520, - "18345": msg20521, - "18346": msg20522, - "18347": msg20523, - "18348": msg20524, - "18349": msg20525, - "1835": select1726, - "18350": msg20526, - "18351": msg20527, - "18352": msg20528, - "18353": msg20529, - "18354": msg20530, - "18355": msg20531, - "18356": msg20532, - "18357": msg20533, - "18358": msg20534, - "18359": msg20535, - "1836": select1727, - "18360": msg20536, - "18361": msg20537, - "18362": msg20538, - "18363": msg20539, - "18364": msg20540, - "18365": msg20541, - "18366": msg20542, - "18367": msg20543, - "18368": msg20544, - "18369": msg20545, - "1837": select1728, - "18370": msg20546, - "18371": msg20547, - "18372": msg20548, - "18373": msg20549, - "18374": msg20550, - "18375": msg20551, - "18376": msg20552, - "18377": msg20553, - "18378": msg20554, - "18379": msg20555, - "1838": select1729, - "18380": msg20556, - "18381": msg20557, - "18382": msg20558, - "18383": msg20559, - "18384": msg20560, - "18385": msg20561, - "18386": msg20562, - "18387": msg20563, - "18388": msg20564, - "18389": msg20565, - "1839": select1730, - "18390": msg20566, - "18391": msg20567, - "18392": msg20568, - "18393": msg20569, - "18394": msg20570, - "18395": msg20571, - "18396": msg20572, - "18397": msg20573, - "18398": msg20574, - "18399": msg20575, - "184": select109, - "1840": select1731, - "18400": msg20576, - "18401": msg20577, - "18402": msg20578, - "18403": msg20579, - "18404": msg20580, - "18405": msg20581, - "18406": msg20582, - "18407": msg20583, - "18408": msg20584, - "18409": msg20585, - 
"1841": select1732, - "18410": msg20586, - "18411": msg20587, - "18412": msg20588, - "18413": msg20589, - "18414": msg20590, - "18415": msg20591, - "18416": msg20592, - "18417": msg20593, - "18418": msg20594, - "18419": msg20595, - "1842": select1733, - "18420": msg20596, - "18421": msg20597, - "18422": msg20598, - "18423": msg20599, - "18424": msg20600, - "18425": msg20601, - "18426": msg20602, - "18427": msg20603, - "18428": msg20604, - "18429": msg20605, - "1843": select1734, - "18430": msg20606, - "18431": msg20607, - "18432": msg20608, - "18433": msg20609, - "18434": msg20610, - "18435": msg20611, - "18436": msg20612, - "18437": msg20613, - "18438": msg20614, - "18439": msg20615, - "1844": select1735, - "18440": msg20616, - "18441": msg20617, - "18442": msg20618, - "18443": msg20619, - "18444": msg20620, - "18445": msg20621, - "18446": msg20622, - "18447": msg20623, - "18448": msg20624, - "18449": msg20625, - "1845": select1736, - "18450": msg20626, - "18451": msg20627, - "18452": msg20628, - "18453": msg20629, - "18454": msg20630, - "18455": msg20631, - "18456": msg20632, - "18457": msg20633, - "18458": msg20634, - "18459": msg20635, - "1846": select1737, - "18460": msg20636, - "18461": msg20637, - "18462": msg20638, - "18463": msg20639, - "18464": msg20640, - "18465": msg20641, - "18466": msg20642, - "18467": msg20643, - "18468": msg20644, - "18469": msg20645, - "1847": select1738, - "18470": msg20646, - "18471": msg20647, - "18472": msg20648, - "18473": msg20649, - "18474": msg20650, - "18475": msg20651, - "18476": msg20652, - "18477": msg20653, - "18478": msg20654, - "18479": msg20655, - "1848": select1739, - "18480": msg20656, - "18481": msg20657, - "18482": msg20658, - "18483": msg20659, - "18484": msg20660, - "18485": msg20661, - "18486": msg20662, - "18487": msg20663, - "18488": msg20664, - "18489": msg20665, - "1849": select1740, - "18490": msg20666, - "18491": msg20667, - "18492": msg20668, - "18493": msg20669, - "18494": msg20670, - "18495": 
msg20671, - "18496": msg20672, - "18497": msg20673, - "18498": msg20674, - "18499": msg20675, - "185": select110, - "1850": select1741, - "18500": msg20676, - "18501": msg20677, - "18502": msg20678, - "18503": msg20679, - "18504": msg20680, - "18505": msg20681, - "18506": msg20682, - "18507": msg20683, - "18508": msg20684, - "18509": msg20685, - "1851": select1742, - "18510": msg20686, - "18511": msg20687, - "18512": msg20688, - "18513": msg20689, - "18514": msg20690, - "18515": msg20691, - "18516": msg20692, - "18517": msg20693, - "18518": msg20694, - "18519": msg20695, - "1852": select1743, - "18520": msg20696, - "18521": msg20697, - "18522": msg20698, - "18523": msg20699, - "18524": msg20700, - "18525": msg20701, - "18526": msg20702, - "18527": msg20703, - "18528": msg20704, - "18529": msg20705, - "1853": select1744, - "18530": msg20706, - "18531": msg20707, - "18532": msg20708, - "18533": msg20709, - "18534": msg20710, - "18535": msg20711, - "18536": msg20712, - "18537": msg20713, - "18538": msg20714, - "18539": msg20715, - "1854": select1745, - "18540": msg20716, - "18541": msg20717, - "18542": msg20718, - "18543": msg20719, - "18544": msg20720, - "18545": msg20721, - "18546": msg20722, - "18547": msg20723, - "18548": msg20724, - "18549": msg20725, - "1855": select1746, - "18550": msg20726, - "18551": msg20727, - "18552": msg20728, - "18553": msg20729, - "18554": msg20730, - "18555": msg20731, - "18556": msg20732, - "18557": msg20733, - "18558": msg20734, - "18559": msg20735, - "1856": select1747, - "18560": msg20736, - "18561": msg20737, - "18562": msg20738, - "18563": msg20739, - "18564": msg20740, - "18565": msg20741, - "18566": msg20742, - "18567": msg20743, - "18568": msg20744, - "18569": msg20745, - "1857": select1748, - "18570": msg20746, - "18571": msg20747, - "18572": msg20748, - "18573": msg20749, - "18574": msg20750, - "18575": msg20751, - "18576": msg20752, - "18577": msg20753, - "18578": msg20754, - "18579": msg20755, - "1858": select1749, - 
"18580": msg20756, - "18581": msg20757, - "18582": msg20758, - "18583": msg20759, - "18584": msg20760, - "18585": msg20761, - "18586": msg20762, - "18587": msg20763, - "18588": msg20764, - "18589": msg20765, - "1859": select1750, - "18590": msg20766, - "18591": msg20767, - "18592": msg20768, - "18593": msg20769, - "18594": msg20770, - "18595": msg20771, - "18596": msg20772, - "18597": msg20773, - "18598": msg20774, - "18599": msg20775, - "186": select111, - "1860": select1751, - "18600": msg20776, - "18601": msg20777, - "18602": msg20778, - "18603": msg20779, - "18604": msg20780, - "18605": msg20781, - "18606": msg20782, - "18607": msg20783, - "18608": msg20784, - "18609": msg20785, - "1861": select1752, - "18610": msg20786, - "18611": msg20787, - "18612": msg20788, - "18613": msg20789, - "18614": msg20790, - "18615": msg20791, - "18616": msg20792, - "18617": msg20793, - "18618": msg20794, - "18619": msg20795, - "1862": select1753, - "18620": msg20796, - "18621": msg20797, - "18622": msg20798, - "18623": msg20799, - "18624": msg20800, - "18625": msg20801, - "18626": msg20802, - "18627": msg20803, - "18628": msg20804, - "18629": msg20805, - "1863": select1754, - "18630": msg20806, - "18631": msg20807, - "18632": msg20808, - "18633": msg20809, - "18634": msg20810, - "18635": msg20811, - "18636": msg20812, - "18637": msg20813, - "18638": msg20814, - "18639": msg20815, - "1864": select1755, - "18640": msg20816, - "18641": msg20817, - "18642": msg20818, - "18643": msg20819, - "18644": msg20820, - "18645": msg20821, - "18646": msg20822, - "18647": msg20823, - "18648": msg20824, - "18649": msg20825, - "1865": select1756, - "18650": msg20826, - "18651": msg20827, - "18652": msg20828, - "18653": msg20829, - "18654": msg20830, - "18655": msg20831, - "18656": msg20832, - "18657": msg20833, - "18658": msg20834, - "18659": msg20835, - "1866": select1757, - "18660": msg20836, - "18661": msg20837, - "18662": msg20838, - "18663": msg20839, - "18664": msg20840, - "18665": msg20841, 
- "18666": msg20842, - "18667": msg20843, - "18668": msg20844, - "18669": msg20845, - "1867": select1758, - "18670": msg20846, - "18671": msg20847, - "18672": msg20848, - "18673": msg20849, - "18674": msg20850, - "18675": msg20851, - "18676": msg20852, - "18677": msg20853, - "18678": msg20854, - "18679": msg20855, - "1868": msg3638, - "18680": msg20856, - "18681": msg20857, - "18682": msg20858, - "18683": msg20859, - "18684": msg20860, - "18685": msg20861, - "18686": msg20862, - "18687": msg20863, - "18688": msg20864, - "18689": msg20865, - "1869": msg3639, - "18690": msg20866, - "18691": msg20867, - "187": select112, - "1870": select1759, - "18700": msg20868, - "18701": msg20869, - "18702": msg20870, - "18703": msg20871, - "18704": msg20872, - "18705": msg20873, - "18706": msg20874, - "18707": msg20875, - "18708": msg20876, - "18709": msg20877, - "1871": select1760, - "18710": msg20878, - "18711": msg20879, - "18712": msg20880, - "18713": msg20881, - "18714": msg20882, - "18715": msg20883, - "18716": msg20884, - "18717": msg20885, - "18718": msg20886, - "18719": msg20887, - "1872": select1761, - "18720": msg20888, - "18721": msg20889, - "18722": msg20890, - "18723": msg20891, - "18724": msg20892, - "18725": msg20893, - "18726": msg20894, - "18727": msg20895, - "18728": msg20896, - "18729": msg20897, - "1873": select1762, - "18730": msg20898, - "18731": msg20899, - "18732": msg20900, - "18733": msg20901, - "18734": msg20902, - "18735": msg20903, - "18736": msg20904, - "18737": msg20905, - "18738": msg20906, - "18739": msg20907, - "1874": select1763, - "18740": msg20908, - "18741": msg20909, - "18742": msg20910, - "18743": msg20911, - "18744": msg20912, - "18745": msg20913, - "18746": msg20914, - "18747": msg20915, - "18748": msg20916, - "18749": msg20917, - "1875": select1764, - "18750": msg20918, - "18751": msg20919, - "18752": msg20920, - "18753": msg20921, - "18754": msg20922, - "18755": msg20923, - "18756": msg20924, - "18757": msg20925, - "18758": msg20926, - 
"18759": msg20927, - "1876": select1765, - "18760": msg20928, - "18761": msg20929, - "18762": msg20930, - "18763": msg20931, - "18764": msg20932, - "18765": msg20933, - "18766": msg20934, - "18767": msg20935, - "18768": msg20936, - "18769": msg20937, - "1877": select1766, - "18770": msg20938, - "18771": msg20939, - "18772": msg20940, - "18773": msg20941, - "18774": msg20942, - "18775": msg20943, - "18776": msg20944, - "18777": msg20945, - "18778": msg20946, - "18779": msg20947, - "1878": select1767, - "18780": msg20948, - "18781": msg20949, - "18782": msg20950, - "18783": msg20951, - "18784": msg20952, - "18785": msg20953, - "18786": msg20954, - "18787": msg20955, - "18788": msg20956, - "18789": msg20957, - "1879": select1768, - "18790": msg20958, - "18791": msg20959, - "18792": msg20960, - "18793": msg20961, - "18794": msg20962, - "18795": msg20963, - "18796": msg20964, - "18797": msg20965, - "18798": msg20966, - "18799": msg20967, - "188": select113, - "1880": select1769, - "18800": msg20968, - "18801": msg20969, - "18802": msg20970, - "18803": msg20971, - "18804": msg20972, - "18805": msg20973, - "18806": msg20974, - "18807": msg20975, - "18808": msg20976, - "18809": msg20977, - "1881": select1770, - "18810": msg20978, - "18811": msg20979, - "18812": msg20980, - "18813": msg20981, - "18814": msg20982, - "18815": msg20983, - "18816": msg20984, - "18817": msg20985, - "18818": msg20986, - "18819": msg20987, - "1882": select1771, - "18820": msg20988, - "18821": msg20989, - "18822": msg20990, - "18823": msg20991, - "18824": msg20992, - "18825": msg20993, - "18826": msg20994, - "18827": msg20995, - "18828": msg20996, - "18829": msg20997, - "1883": select1772, - "18830": msg20998, - "18831": msg20999, - "18832": msg21000, - "18833": msg21001, - "18834": msg21002, - "18835": msg21003, - "18836": msg21004, - "18837": msg21005, - "18838": msg21006, - "18839": msg21007, - "1884": select1773, - "18840": msg21008, - "18841": msg21009, - "18842": msg21010, - "18843": 
msg21011, - "18844": msg21012, - "18845": msg21013, - "18846": msg21014, - "18847": msg21015, - "18848": msg21016, - "18849": msg21017, - "1885": select1774, - "18850": msg21018, - "18851": msg21019, - "18852": msg21020, - "18853": msg21021, - "18854": msg21022, - "18855": msg21023, - "18856": msg21024, - "18857": msg21025, - "18858": msg21026, - "18859": msg21027, - "1886": select1775, - "18860": msg21028, - "18861": msg21029, - "18862": msg21030, - "18863": msg21031, - "18864": msg21032, - "18865": msg21033, - "18866": msg21034, - "18867": msg21035, - "18868": msg21036, - "18869": msg21037, - "1887": select1776, - "18870": msg21038, - "18871": msg21039, - "18872": msg21040, - "18873": msg21041, - "18874": msg21042, - "18875": msg21043, - "18876": msg21044, - "18877": msg21045, - "18878": msg21046, - "18879": msg21047, - "1888": select1777, - "18880": msg21048, - "18881": msg21049, - "18882": msg21050, - "18883": msg21051, - "18884": msg21052, - "18885": msg21053, - "18886": msg21054, - "18887": msg21055, - "18888": msg21056, - "18889": msg21057, - "1889": select1778, - "18890": msg21058, - "18891": msg21059, - "18892": msg21060, - "18893": msg21061, - "18894": msg21062, - "18895": msg21063, - "18896": msg21064, - "18897": msg21065, - "18898": msg21066, - "18899": msg21067, - "189": select114, - "1890": select1779, - "18900": msg21068, - "18901": msg21069, - "18902": msg21070, - "18903": msg21071, - "18904": msg21072, - "18905": msg21073, - "18906": msg21074, - "18907": msg21075, - "18908": msg21076, - "18909": msg21077, - "1891": select1780, - "18910": msg21078, - "18911": msg21079, - "18912": msg21080, - "18913": msg21081, - "18914": msg21082, - "18915": msg21083, - "18916": msg21084, - "18917": msg21085, - "18918": msg21086, - "18919": msg21087, - "1892": msg3684, - "18920": msg21088, - "18921": msg21089, - "18922": msg21090, - "18923": msg21091, - "18924": msg21092, - "18925": msg21093, - "18926": msg21094, - "18927": msg21095, - "18928": msg21096, - "18929": 
msg21097, - "1893": select1781, - "18930": msg21098, - "18931": msg21099, - "18932": msg21100, - "18933": msg21101, - "18934": msg21102, - "18935": msg21103, - "18936": msg21104, - "18937": msg21105, - "18938": msg21106, - "18939": msg21107, - "1894": select1782, - "18940": msg21108, - "18941": msg21109, - "18942": msg21110, - "18943": msg21111, - "18944": msg21112, - "18945": msg21113, - "18946": msg21114, - "18947": msg21115, - "18948": msg21116, - "18949": msg21117, - "1895": select1783, - "18950": msg21118, - "18951": msg21119, - "18952": msg21120, - "18953": msg21121, - "18954": msg21122, - "18955": msg21123, - "18956": msg21124, - "18957": msg21125, - "18958": msg21126, - "18959": msg21127, - "1896": select1784, - "18960": msg21128, - "18961": msg21129, - "18962": msg21130, - "18963": msg21131, - "18964": msg21132, - "18965": msg21133, - "18966": msg21134, - "18967": msg21135, - "18968": msg21136, - "18969": msg21137, - "1897": select1785, - "18970": msg21138, - "18971": msg21139, - "18972": msg21140, - "18973": msg21141, - "18974": msg21142, - "18975": msg21143, - "18976": msg21144, - "18977": msg21145, - "18978": msg21146, - "18979": msg21147, - "1898": select1786, - "18980": msg21148, - "18981": msg21149, - "18982": msg21150, - "18983": msg21151, - "18984": msg21152, - "18985": msg21153, - "18986": msg21154, - "18987": msg21155, - "18988": msg21156, - "18989": msg21157, - "1899": select1787, - "18990": msg21158, - "18991": msg21159, - "18992": msg21160, - "18993": msg21161, - "18994": msg21162, - "18995": msg21163, - "18996": msg21164, - "18997": msg21165, - "18998": msg21166, - "18999": msg21167, - "19": select20, - "190": select115, - "1900": select1788, - "19000": msg21168, - "19001": msg21169, - "19002": msg21170, - "19003": msg21171, - "19004": msg21172, - "19005": msg21173, - "19006": msg21174, - "19007": msg21175, - "19008": msg21176, - "19009": msg21177, - "1901": select1789, - "19010": msg21178, - "19011": msg21179, - "19012": msg21180, - "19013": 
msg21181, - "19014": msg21182, - "19015": msg21183, - "19016": msg21184, - "19017": msg21185, - "19018": msg21186, - "19019": msg21187, - "1902": select1790, - "19020": msg21188, - "19021": msg21189, - "19022": msg21190, - "19023": msg21191, - "19024": msg21192, - "19025": msg21193, - "19026": msg21194, - "19027": msg21195, - "19028": msg21196, - "19029": msg21197, - "1903": select1791, - "19030": msg21198, - "19031": msg21199, - "19032": msg21200, - "19033": msg21201, - "19034": msg21202, - "19035": msg21203, - "19036": msg21204, - "19037": msg21205, - "19038": msg21206, - "19039": msg21207, - "1904": select1792, - "19040": msg21208, - "19041": msg21209, - "19042": msg21210, - "19043": msg21211, - "19044": msg21212, - "19045": msg21213, - "19046": msg21214, - "19047": msg21215, - "19048": msg21216, - "19049": msg21217, - "1905": select1793, - "19050": msg21218, - "19051": msg21219, - "19052": msg21220, - "19053": msg21221, - "19054": msg21222, - "19055": msg21223, - "19056": msg21224, - "19057": msg21225, - "19058": msg21226, - "19059": msg21227, - "1906": select1794, - "19060": msg21228, - "19061": msg21229, - "19062": msg21230, - "19063": msg21231, - "19064": msg21232, - "19065": msg21233, - "19066": msg21234, - "19067": msg21235, - "19068": msg21236, - "19069": msg21237, - "1907": select1795, - "19070": msg21238, - "19071": msg21239, - "19072": msg21240, - "19073": msg21241, - "19074": msg21242, - "19075": msg21243, - "19076": msg21244, - "19077": msg21245, - "19078": msg21246, - "19079": msg21247, - "1908": select1796, - "19080": msg21248, - "19081": msg21249, - "19082": msg21250, - "19083": msg21251, - "19084": msg21252, - "19085": msg21253, - "19086": msg21254, - "19087": msg21255, - "19088": msg21256, - "19089": msg21257, - "1909": select1797, - "19090": msg21258, - "19091": msg21259, - "19092": msg21260, - "19093": msg21261, - "19094": msg21262, - "19095": msg21263, - "19096": msg21264, - "19097": msg21265, - "19098": msg21266, - "19099": msg21267, - 
"191": select116, - "1910": select1798, - "19100": msg21268, - "19101": msg21269, - "19102": msg21270, - "19103": msg21271, - "19104": msg21272, - "19105": msg21273, - "19106": msg21274, - "19107": msg21275, - "19108": msg21276, - "19109": msg21277, - "1911": select1799, - "19110": msg21278, - "19111": msg21279, - "19112": msg21280, - "19113": msg21281, - "19114": msg21282, - "19115": msg21283, - "19116": msg21284, - "19117": msg21285, - "19118": msg21286, - "19119": msg21287, - "1912": select1800, - "19120": msg21288, - "19121": msg21289, - "19122": msg21290, - "19123": msg21291, - "19124": msg21292, - "19125": msg21293, - "19126": msg21294, - "19127": msg21295, - "19128": msg21296, - "19129": msg21297, - "1913": select1801, - "19130": msg21298, - "19131": msg21299, - "19132": msg21300, - "19133": msg21301, - "19134": msg21302, - "19135": msg21303, - "19136": msg21304, - "19137": msg21305, - "19138": msg21306, - "19139": msg21307, - "1914": select1802, - "19140": msg21308, - "19141": msg21309, - "19142": msg21310, - "19143": msg21311, - "19144": msg21312, - "19145": msg21313, - "19146": msg21314, - "19147": msg21315, - "19148": msg21316, - "19149": msg21317, - "1915": select1803, - "19150": msg21318, - "19151": msg21319, - "19152": msg21320, - "19153": msg21321, - "19154": msg21322, - "19155": msg21323, - "19156": msg21324, - "19157": msg21325, - "19158": msg21326, - "19159": msg21327, - "1916": select1804, - "19160": msg21328, - "19161": msg21329, - "19162": msg21330, - "19163": msg21331, - "19164": msg21332, - "19165": msg21333, - "19166": msg21334, - "19167": msg21335, - "19168": msg21336, - "19169": msg21337, - "1917": select1805, - "19170": msg21338, - "19171": msg21339, - "19172": msg21340, - "19173": msg21341, - "19174": msg21342, - "19175": msg21343, - "19176": msg21344, - "19177": msg21345, - "19178": msg21346, - "19179": msg21347, - "1918": select1806, - "19180": msg21348, - "19181": msg21349, - "19182": msg21350, - "19183": msg21351, - "19184": 
msg21352, - "19185": msg21353, - "19186": msg21354, - "19187": msg21355, - "19188": msg21356, - "19189": msg21357, - "1919": select1807, - "19190": msg21358, - "19191": msg21359, - "19192": msg21360, - "19193": msg21361, - "19194": msg21362, - "19195": msg21363, - "19196": msg21364, - "19197": msg21365, - "19198": msg21366, - "19199": msg21367, - "192": select117, - "1920": select1808, - "19200": msg21368, - "19201": msg21369, - "19202": msg21370, - "19203": msg21371, - "19204": msg21372, - "19205": msg21373, - "19206": msg21374, - "19207": msg21375, - "19208": msg21376, - "19209": msg21377, - "1921": select1809, - "19210": msg21378, - "19211": msg21379, - "19212": msg21380, - "19213": msg21381, - "19214": msg21382, - "19215": msg21383, - "19216": msg21384, - "19217": msg21385, - "19218": msg21386, - "19219": msg21387, - "1922": select1810, - "19220": msg21388, - "19221": msg21389, - "19222": msg21390, - "19223": msg21391, - "19224": msg21392, - "19225": msg21393, - "19226": msg21394, - "19227": msg21395, - "19228": msg21396, - "19229": msg21397, - "1923": select1811, - "19230": msg21398, - "19231": msg21399, - "19232": msg21400, - "19233": msg21401, - "19234": msg21402, - "19235": msg21403, - "19236": msg21404, - "19237": msg21405, - "19238": msg21406, - "19239": msg21407, - "1924": select1812, - "19240": msg21408, - "19241": msg21409, - "19242": msg21410, - "19243": msg21411, - "19244": msg21412, - "19245": msg21413, - "19246": msg21414, - "19247": msg21415, - "19248": msg21416, - "19249": msg21417, - "1925": select1813, - "19250": msg21418, - "19251": msg21419, - "19252": msg21420, - "19253": msg21421, - "19254": msg21422, - "19255": msg21423, - "19256": msg21424, - "19257": msg21425, - "19258": msg21426, - "19259": msg21427, - "1926": select1814, - "19260": msg21428, - "19261": msg21429, - "19262": msg21430, - "19263": msg21431, - "19264": msg21432, - "19265": msg21433, - "19266": msg21434, - "19267": msg21435, - "19268": msg21436, - "19269": msg21437, - 
"1927": select1815, - "19270": msg21438, - "19271": msg21439, - "19272": msg21440, - "19273": msg21441, - "19274": msg21442, - "19275": msg21443, - "19276": msg21444, - "19277": msg21445, - "19278": msg21446, - "19279": msg21447, - "1928": select1816, - "19280": msg21448, - "19281": msg21449, - "19282": msg21450, - "19283": msg21451, - "19284": msg21452, - "19285": msg21453, - "19286": msg21454, - "19287": msg21455, - "19288": msg21456, - "19289": msg21457, - "1929": select1817, - "19290": msg21458, - "19291": msg21459, - "19292": msg21460, - "19293": msg21461, - "19294": msg21462, - "19295": msg21463, - "19296": msg21464, - "19297": msg21465, - "19298": msg21466, - "19299": msg21467, - "193": select118, - "1930": select1818, - "19300": msg21468, - "19301": msg21469, - "19302": msg21470, - "19303": msg21471, - "19304": msg21472, - "19305": msg21473, - "19306": msg21474, - "19307": msg21475, - "19308": msg21476, - "19309": msg21477, - "1931": select1819, - "19310": msg21478, - "19311": msg21479, - "19312": msg21480, - "19313": msg21481, - "19314": msg21482, - "19315": msg21483, - "19316": msg21484, - "19317": msg21485, - "19318": msg21486, - "19319": msg21487, - "1932": select1820, - "19320": msg21488, - "19321": msg21489, - "19322": msg21490, - "19323": msg21491, - "19324": msg21492, - "19325": msg21493, - "19326": msg21494, - "19327": msg21495, - "19328": msg21496, - "19329": msg21497, - "1933": select1821, - "19330": msg21498, - "19331": msg21499, - "19332": msg21500, - "19333": msg21501, - "19334": msg21502, - "19335": msg21503, - "19336": msg21504, - "19337": msg21505, - "19338": msg21506, - "19339": msg21507, - "1934": select1822, - "19340": msg21508, - "19341": msg21509, - "19342": msg21510, - "19343": msg21511, - "19344": msg21512, - "19345": msg21513, - "19346": msg21514, - "19347": msg21515, - "19348": msg21516, - "19349": msg21517, - "1935": select1823, - "19350": msg21518, - "19351": msg21519, - "19352": msg21520, - "19353": msg21521, - "19354": 
msg21522, - "19355": msg21523, - "19356": msg21524, - "19357": msg21525, - "19358": msg21526, - "19359": msg21527, - "1936": select1824, - "19360": msg21528, - "19361": msg21529, - "19362": msg21530, - "19363": msg21531, - "19364": msg21532, - "19365": msg21533, - "19366": msg21534, - "19367": msg21535, - "19368": msg21536, - "19369": msg21537, - "1937": select1825, - "19370": msg21538, - "19371": msg21539, - "19372": msg21540, - "19373": msg21541, - "19374": msg21542, - "19375": msg21543, - "19376": msg21544, - "19377": msg21545, - "19378": msg21546, - "19379": msg21547, - "1938": select1826, - "19380": msg21548, - "19381": msg21549, - "19382": msg21550, - "19383": msg21551, - "19384": msg21552, - "19385": msg21553, - "19386": msg21554, - "19387": msg21555, - "19388": msg21556, - "19389": msg21557, - "1939": select1827, - "19390": msg21558, - "19391": msg21559, - "19392": msg21560, - "19393": msg21561, - "19394": msg21562, - "19395": msg21563, - "19396": msg21564, - "19397": msg21565, - "19398": msg21566, - "19399": msg21567, - "194": select119, - "1940": select1828, - "19400": msg21568, - "19401": msg21569, - "19402": msg21570, - "19403": msg21571, - "19404": msg21572, - "19405": msg21573, - "19406": msg21574, - "19407": msg21575, - "19408": msg21576, - "19409": msg21577, - "1941": select1829, - "19410": msg21578, - "19411": msg21579, - "19412": msg21580, - "19413": msg21581, - "19414": msg21582, - "19415": msg21583, - "19416": msg21584, - "19417": msg21585, - "19418": msg21586, - "19419": msg21587, - "1942": select1830, - "19420": msg21588, - "19421": msg21589, - "19422": msg21590, - "19423": msg21591, - "19424": msg21592, - "19425": msg21593, - "19426": msg21594, - "19427": msg21595, - "19428": msg21596, - "19429": msg21597, - "1943": select1831, - "19430": msg21598, - "19431": msg21599, - "19432": msg21600, - "19433": msg21601, - "19434": msg21602, - "19435": msg21603, - "19436": msg21604, - "19437": msg21605, - "19438": msg21606, - "19439": msg21607, - 
"1944": select1832, - "19440": msg21608, - "19441": msg21609, - "19442": msg21610, - "19443": msg21611, - "19444": msg21612, - "19445": msg21613, - "19446": msg21614, - "19447": msg21615, - "19448": msg21616, - "19449": msg21617, - "1945": select1833, - "19450": msg21618, - "19451": msg21619, - "19452": msg21620, - "19453": msg21621, - "19454": msg21622, - "19455": msg21623, - "19456": msg21624, - "19457": msg21625, - "19458": msg21626, - "19459": msg21627, - "1946": select1834, - "19460": msg21628, - "19461": msg21629, - "19462": msg21630, - "19463": msg21631, - "19464": msg21632, - "19465": msg21633, - "19466": msg21634, - "19467": msg21635, - "19468": msg21636, - "19469": msg21637, - "1947": select1835, - "19470": msg21638, - "19471": msg21639, - "19472": msg21640, - "19473": msg21641, - "19474": msg21642, - "19475": msg21643, - "19476": msg21644, - "19477": msg21645, - "19478": msg21646, - "19479": msg21647, - "1948": select1836, - "19480": msg21648, - "19481": msg21649, - "19482": msg21650, - "19483": msg21651, - "19484": msg21652, - "19485": msg21653, - "19486": msg21654, - "19487": msg21655, - "19488": msg21656, - "19489": msg21657, - "1949": select1837, - "19490": msg21658, - "19491": msg21659, - "19492": msg21660, - "19493": msg21661, - "19494": msg21662, - "19495": msg21663, - "19496": msg21664, - "19497": msg21665, - "19498": msg21666, - "19499": msg21667, - "195": select120, - "1950": select1838, - "19500": msg21668, - "19501": msg21669, - "19502": msg21670, - "19503": msg21671, - "19504": msg21672, - "19505": msg21673, - "19506": msg21674, - "19507": msg21675, - "19508": msg21676, - "19509": msg21677, - "1951": select1839, - "19510": msg21678, - "19511": msg21679, - "19512": msg21680, - "19513": msg21681, - "19514": msg21682, - "19515": msg21683, - "19516": msg21684, - "19517": msg21685, - "19518": msg21686, - "19519": msg21687, - "1952": select1840, - "19520": msg21688, - "19521": msg21689, - "19522": msg21690, - "19523": msg21691, - "19524": 
msg21692, - "19525": msg21693, - "19526": msg21694, - "19527": msg21695, - "19528": msg21696, - "19529": msg21697, - "1953": select1841, - "19530": msg21698, - "19531": msg21699, - "19532": msg21700, - "19533": msg21701, - "19534": msg21702, - "19535": msg21703, - "19536": msg21704, - "19537": msg21705, - "19538": msg21706, - "19539": msg21707, - "1954": select1842, - "19540": msg21708, - "19541": msg21709, - "19542": msg21710, - "19543": msg21711, - "19544": msg21712, - "19545": msg21713, - "19546": msg21714, - "19547": msg21715, - "19548": msg21716, - "19549": msg21717, - "1955": select1843, - "19550": msg21718, - "19551": msg21719, - "19552": msg21720, - "19553": msg21721, - "19554": msg21722, - "19555": msg21723, - "19556": msg21724, - "19557": msg21725, - "19558": msg21726, - "19559": msg21727, - "1956": select1844, - "19560": msg21728, - "19561": msg21729, - "19562": msg21730, - "19563": msg21731, - "19564": msg21732, - "19565": msg21733, - "19566": msg21734, - "19567": msg21735, - "19568": msg21736, - "19569": msg21737, - "1957": select1845, - "19570": msg21738, - "19571": msg21739, - "19572": msg21740, - "19573": msg21741, - "19574": msg21742, - "19575": msg21743, - "19576": msg21744, - "19577": msg21745, - "19578": msg21746, - "19579": msg21747, - "1958": select1846, - "19580": msg21748, - "19581": msg21749, - "19582": msg21750, - "19583": msg21751, - "19584": msg21752, - "19585": msg21753, - "19586": msg21754, - "19587": msg21755, - "19588": msg21756, - "19589": msg21757, - "1959": select1847, - "19590": msg21758, - "19591": msg21759, - "19592": msg21760, - "19593": msg21761, - "19594": msg21762, - "19595": msg21763, - "19596": msg21764, - "19597": msg21765, - "19598": msg21766, - "19599": msg21767, - "196": select121, - "1960": select1848, - "19600": msg21768, - "19601": msg21769, - "19602": msg21770, - "19603": msg21771, - "19604": msg21772, - "19605": msg21773, - "19606": msg21774, - "19607": msg21775, - "19608": msg21776, - "19609": msg21777, - 
"1961": select1849, - "19610": msg21778, - "19611": msg21779, - "19612": msg21780, - "19613": msg21781, - "19614": msg21782, - "19615": msg21783, - "19616": msg21784, - "19617": msg21785, - "19618": msg21786, - "19619": msg21787, - "1962": select1850, - "19620": msg21788, - "19621": msg21789, - "19622": msg21790, - "19623": msg21791, - "19624": msg21792, - "19625": msg21793, - "19626": msg21794, - "19627": msg21795, - "19628": msg21796, - "19629": msg21797, - "1963": select1851, - "19630": msg21798, - "19631": msg21799, - "19632": msg21800, - "19633": msg21801, - "19634": msg21802, - "19635": msg21803, - "19636": msg21804, - "19637": msg21805, - "19638": msg21806, - "19639": msg21807, - "1964": select1852, - "19640": msg21808, - "19641": msg21809, - "19642": msg21810, - "19643": msg21811, - "19644": msg21812, - "19645": msg21813, - "19646": msg21814, - "19647": msg21815, - "19648": msg21816, - "19649": msg21817, - "1965": select1853, - "19650": msg21818, - "19651": msg21819, - "19652": msg21820, - "19653": msg21821, - "19654": msg21822, - "19655": msg21823, - "19656": msg21824, - "19657": msg21825, - "19658": msg21826, - "19659": msg21827, - "1966": select1854, - "19660": msg21828, - "19661": msg21829, - "19662": msg21830, - "19663": msg21831, - "19664": msg21832, - "19665": msg21833, - "19666": msg21834, - "19667": msg21835, - "19668": msg21836, - "19669": msg21837, - "1967": select1855, - "19670": msg21838, - "19671": msg21839, - "19672": msg21840, - "19673": msg21841, - "19674": msg21842, - "19675": msg21843, - "19676": msg21844, - "19677": msg21845, - "19678": msg21846, - "19679": msg21847, - "1968": select1856, - "19680": msg21848, - "19681": msg21849, - "19682": msg21850, - "19683": msg21851, - "19684": msg21852, - "19685": msg21853, - "19686": msg21854, - "19687": msg21855, - "19688": msg21856, - "19689": msg21857, - "1969": select1857, - "19690": msg21858, - "19691": msg21859, - "19692": msg21860, - "19693": msg21861, - "19694": msg21862, - "19695": 
msg21863, - "19696": msg21864, - "19697": msg21865, - "19698": msg21866, - "19699": msg21867, - "197": select122, - "1970": select1858, - "19700": msg21868, - "19701": msg21869, - "19702": msg21870, - "19703": msg21871, - "19704": msg21872, - "19705": msg21873, - "19706": msg21874, - "19707": msg21875, - "19708": msg21876, - "19709": msg21877, - "1971": select1859, - "19710": msg21878, - "19711": msg21879, - "19712": msg21880, - "19713": msg21881, - "19714": msg21882, - "19715": msg21883, - "19716": msg21884, - "19717": msg21885, - "19718": msg21886, - "19719": msg21887, - "1972": select1860, - "19720": msg21888, - "19721": msg21889, - "19722": msg21890, - "19723": msg21891, - "19724": msg21892, - "19725": msg21893, - "19726": msg21894, - "19727": msg21895, - "19728": msg21896, - "19729": msg21897, - "1973": select1861, - "19730": msg21898, - "19731": msg21899, - "19732": msg21900, - "19733": msg21901, - "19734": msg21902, - "19735": msg21903, - "19736": msg21904, - "19737": msg21905, - "19738": msg21906, - "19739": msg21907, - "1974": select1862, - "19740": msg21908, - "19741": msg21909, - "19742": msg21910, - "19743": msg21911, - "19744": msg21912, - "19745": msg21913, - "19746": msg21914, - "19747": msg21915, - "19748": msg21916, - "19749": msg21917, - "1975": select1863, - "19750": msg21918, - "19751": msg21919, - "19752": msg21920, - "19753": msg21921, - "19754": msg21922, - "19755": msg21923, - "19756": msg21924, - "19757": msg21925, - "19758": msg21926, - "19759": msg21927, - "1976": select1864, - "19760": msg21928, - "19761": msg21929, - "19762": msg21930, - "19763": msg21931, - "19764": msg21932, - "19765": msg21933, - "19766": msg21934, - "19767": msg21935, - "19768": msg21936, - "19769": msg21937, - "1977": select1865, - "19770": msg21938, - "19771": msg21939, - "19772": msg21940, - "19773": msg21941, - "19774": msg21942, - "19775": msg21943, - "19776": msg21944, - "19777": msg21945, - "19778": msg21946, - "19779": msg21947, - "1978": select1866, - 
"19780": msg21948, - "19781": msg21949, - "19782": msg21950, - "19783": msg21951, - "19784": msg21952, - "19785": msg21953, - "19786": msg21954, - "19787": msg21955, - "19788": msg21956, - "19789": msg21957, - "1979": select1867, - "19790": msg21958, - "19791": msg21959, - "19792": msg21960, - "19793": msg21961, - "19794": msg21962, - "19795": msg21963, - "19796": msg21964, - "19797": msg21965, - "19798": msg21966, - "19799": msg21967, - "198": select123, - "1980": select1868, - "19800": msg21968, - "19801": msg21969, - "19802": msg21970, - "19803": msg21971, - "19804": msg21972, - "19805": msg21973, - "19806": msg21974, - "19807": msg21975, - "19808": msg21976, - "19809": msg21977, - "1981": select1869, - "19810": msg21978, - "19811": msg21979, - "19812": msg21980, - "19813": msg21981, - "19814": msg21982, - "19815": msg21983, - "19816": msg21984, - "19817": msg21985, - "19818": msg21986, - "19819": msg21987, - "1982": select1870, - "19820": msg21988, - "19821": msg21989, - "19822": msg21990, - "19823": msg21991, - "19824": msg21992, - "19825": msg21993, - "19826": msg21994, - "19827": msg21995, - "19828": msg21996, - "19829": msg21997, - "1983": select1871, - "19830": msg21998, - "19831": msg21999, - "19832": msg22000, - "19833": msg22001, - "19834": msg22002, - "19835": msg22003, - "19836": msg22004, - "19837": msg22005, - "19838": msg22006, - "19839": msg22007, - "1984": select1872, - "19840": msg22008, - "19841": msg22009, - "19842": msg22010, - "19843": msg22011, - "19844": msg22012, - "19845": msg22013, - "19846": msg22014, - "19847": msg22015, - "19848": msg22016, - "19849": msg22017, - "1985": select1873, - "19850": msg22018, - "19851": msg22019, - "19852": msg22020, - "19853": msg22021, - "19854": msg22022, - "19855": msg22023, - "19856": msg22024, - "19857": msg22025, - "19858": msg22026, - "19859": msg22027, - "1986": select1874, - "19860": msg22028, - "19861": msg22029, - "19862": msg22030, - "19863": msg22031, - "19864": msg22032, - "19865": msg22033, 
- "19866": msg22034, - "19867": msg22035, - "19868": msg22036, - "19869": msg22037, - "1987": select1875, - "19870": msg22038, - "19871": msg22039, - "19872": msg22040, - "19873": msg22041, - "19874": msg22042, - "19875": msg22043, - "19876": msg22044, - "19877": msg22045, - "19878": msg22046, - "19879": msg22047, - "1988": select1876, - "19880": msg22048, - "19881": msg22049, - "19882": msg22050, - "19883": msg22051, - "19884": msg22052, - "19885": msg22053, - "19886": msg22054, - "19887": msg22055, - "19888": msg22056, - "19889": msg22057, - "1989": select1877, - "19890": msg22058, - "19891": msg22059, - "19892": msg22060, - "19893": msg22061, - "19894": msg22062, - "19895": msg22063, - "19896": msg22064, - "19897": msg22065, - "19898": msg22066, - "19899": msg22067, - "199": select124, - "1990": select1878, - "19900": msg22068, - "19901": msg22069, - "19902": msg22070, - "19903": msg22071, - "19904": msg22072, - "19905": msg22073, - "19906": msg22074, - "19907": msg22075, - "19908": msg22076, - "19909": msg22077, - "1991": select1879, - "19910": msg22078, - "19911": msg22079, - "19912": msg22080, - "19914": msg22081, - "19915": msg22082, - "19916": msg22083, - "19917": msg22084, - "19918": msg22085, - "19919": msg22086, - "1992": select1880, - "19920": msg22087, - "19921": msg22088, - "19922": msg22089, - "19923": msg22090, - "19924": msg22091, - "19925": msg22092, - "19926": msg22093, - "19927": msg22094, - "19928": msg22095, - "19929": msg22096, - "1993": select1881, - "19930": msg22097, - "19931": msg22098, - "19932": msg22099, - "19933": msg22100, - "19934": msg22101, - "19935": msg22102, - "19936": msg22103, - "19937": msg22104, - "19938": msg22105, - "19939": msg22106, - "1994": select1882, - "19940": msg22107, - "19941": msg22108, - "19942": msg22109, - "19943": msg22110, - "19944": msg22111, - "19945": msg22112, - "19946": msg22113, - "19947": msg22114, - "19948": msg22115, - "19949": msg22116, - "1995": select1883, - "19950": msg22117, - "19951": 
msg22118, - "19952": msg22119, - "19953": msg22120, - "19954": msg22121, - "19955": msg22122, - "19956": msg22123, - "19957": msg22124, - "19958": msg22125, - "19959": msg22126, - "1996": select1884, - "19960": msg22127, - "19961": msg22128, - "19962": msg22129, - "19963": msg22130, - "19964": msg22131, - "19965": msg22132, - "19966": msg22133, - "19967": msg22134, - "19968": msg22135, - "19969": msg22136, - "1997": select1885, - "19970": msg22137, - "19971": msg22138, - "19972": msg22139, - "19973": msg22140, - "19974": msg22141, - "19975": msg22142, - "19976": msg22143, - "19977": msg22144, - "19978": msg22145, - "19979": msg22146, - "1998": select1886, - "19980": msg22147, - "19981": msg22148, - "19982": msg22149, - "19983": msg22150, - "19984": msg22151, - "19985": msg22152, - "19986": msg22153, - "19987": msg22154, - "19988": msg22155, - "19989": msg22156, - "1999": select1887, - "19990": msg22157, - "19991": msg22158, - "19992": msg22159, - "19993": msg22160, - "19994": msg22161, - "19995": msg22162, - "19996": msg22163, - "19997": msg22164, - "19998": msg22165, - "19999": msg22166, - "2": select8, - "20": select21, - "200": select125, - "2000": select1888, - "20000": msg22167, - "20001": msg22168, - "20002": msg22169, - "20003": msg22170, - "20004": msg22171, - "2000480": msg38326, - "20005": msg22172, - "2000538": msg38327, - "2000540": msg38328, - "2000562": msg38329, - "20006": msg22173, - "2000648": msg38330, - "20007": msg22174, - "2000716": msg38331, - "20008": msg22175, - "20009": msg22176, - "2000969": msg38332, - "2000971": msg38333, - "2000974": msg38334, - "2000976": msg38335, - "2000977": msg38336, - "2000987": msg38337, - "2000990": msg38338, - "2000993": msg38339, - "2000997": msg38340, - "2001": select1889, - "20010": msg22177, - "2001002": msg38341, - "2001010": msg38342, - "2001012": msg38343, - "2001013": msg38344, - "2001023": msg38345, - "2001025": msg38346, - "2001030": msg38347, - "2001040": msg38348, - "2001042": msg38349, - "20011": 
msg22178, - "20012": msg22179, - "2001244": msg38350, - "2001245": msg38351, - "2001286": msg38352, - "2001287": msg38353, - "2001288": msg38354, - "20013": msg22180, - "2001367": msg38355, - "20014": msg22181, - "2001400": msg38356, - "2001402": msg38357, - "2001411": msg38358, - "2001417": msg38359, - "2001419": msg38360, - "20015": msg22182, - "2001567": msg38361, - "2001568": msg38362, - "2001569": msg38363, - "2001579": msg38364, - "2001581": msg38365, - "20016": msg22183, - "20017": msg22184, - "2001726": msg38366, - "20018": msg22185, - "2001801": msg38367, - "2001852": msg38368, - "2001893": msg38369, - "20019": msg22186, - "2001904": msg38370, - "2001945": msg38371, - "2001970": msg38372, - "2001972": msg38373, - "2002": select1890, - "20020": msg22187, - "2002032": msg38374, - "20021": msg22188, - "2002134": msg38375, - "2002170": msg38376, - "2002176": msg38377, - "2002190": msg38378, - "2002196": msg38379, - "20022": msg22189, - "2002200": msg38380, - "2002205": msg38381, - "20023": msg22190, - "20024": msg22191, - "20025": msg22192, - "20026": msg22193, - "20027": msg22194, - "20028": msg22195, - "20029": msg22196, - "2002910": msg38382, - "2002911": msg38383, - "2002992": msg38384, - "2002993": msg38385, - "2002994": msg38386, - "2003": select1891, - "20030": msg22197, - "20031": msg22198, - "2003157": msg38387, - "2003183": msg38388, - "20032": msg22199, - "20033": msg22200, - "2003380": msg38389, - "20034": msg22201, - "20035": msg22202, - "20036": msg22203, - "2003642": msg38390, - "20037": msg22204, - "20038": msg22205, - "2003870": msg38391, - "20039": msg22206, - "2004": select1892, - "20040": msg22207, - "20041": msg22208, - "20042": msg22209, - "20043": msg22210, - "20044": msg22211, - "20045": msg22212, - "20046": msg22213, - "20047": msg22214, - "20048": msg22215, - "20049": msg22216, - "2005": select1893, - "20050": msg22217, - "20051": msg22218, - "20052": msg22219, - "20053": msg22220, - "20054": msg22221, - "20055": msg22222, - "20056": 
msg22223, - "20057": msg22224, - "20058": msg22225, - "20059": msg22226, - "2006": select1894, - "20060": msg22227, - "20061": msg22228, - "20062": msg22229, - "20063": msg22230, - "20064": msg22231, - "20065": msg22232, - "20066": msg22233, - "20067": msg22234, - "20068": msg22235, - "20069": msg22236, - "2007": select1895, - "20070": msg22237, - "20071": msg22238, - "2007142": msg38392, - "20072": msg22239, - "20073": msg22240, - "20074": msg22241, - "20075": msg22242, - "2007585": msg38393, - "2007588": msg38394, - "2007594": msg38395, - "20076": msg22243, - "2007688": msg38396, - "20077": msg22244, - "2007702": msg38397, - "2007724": msg38398, - "20078": msg22245, - "20079": msg22246, - "2007920": msg38399, - "2007962": msg38400, - "2007963": msg38401, - "2007964": msg38402, - "2008": select1896, - "20080": msg22247, - "2008010": msg38403, - "2008056": msg38404, - "2008059": msg38405, - "2008082": msg38406, - "20081": msg22248, - "2008109": msg38407, - "2008124": msg38408, - "2008143": msg38409, - "2008182": msg38410, - "2008194": msg38411, - "20082": msg22249, - "20083": msg22250, - "2008335": msg38412, - "2008373": msg38413, - "2008384": msg38414, - "2008386": msg38415, - "20084": msg22251, - "2008420": msg38416, - "2008475": msg38417, - "2008480": msg38418, - "20085": msg22252, - "2008505": msg38419, - "20086": msg22253, - "20087": msg22254, - "20088": msg22255, - "20089": msg22256, - "2009": select1897, - "20090": msg22257, - "20091": msg22258, - "20092": msg22259, - "20093": msg22260, - "20094": msg22261, - "20095": msg22262, - "20096": msg22263, - "20097": msg22264, - "20098": msg22265, - "20099": msg22266, - "201": select126, - "2010": select1898, - "20100": msg22267, - "20101": msg22268, - "20102": msg22269, - "20103": msg22270, - "20104": msg22271, - "20105": msg22272, - "20106": msg22273, - "20107": msg22274, - "20108": msg22275, - "20109": msg22276, - "2011": select1899, - "20110": msg22277, - "20111": msg22278, - "20112": msg22279, - "20113": 
msg22280, - "20114": msg22281, - "20115": msg22282, - "20116": msg22283, - "20117": msg22284, - "20118": msg22285, - "20119": msg22286, - "2012": select1900, - "20120": msg22287, - "20121": msg22288, - "20122": msg22289, - "20123": msg22290, - "20124": msg22291, - "20125": msg22292, - "20126": msg22293, - "20127": msg22294, - "20128": msg22295, - "20129": msg22296, - "2013": select1901, - "20130": msg22297, - "20131": msg22298, - "20132": msg22299, - "20133": msg22300, - "20134": msg22301, - "20135": msg22302, - "20136": msg22303, - "20137": msg22304, - "20138": msg22305, - "20139": msg22306, - "2014": select1902, - "20140": msg22307, - "20141": msg22308, - "20142": msg22309, - "20143": msg22310, - "20144": msg22311, - "20145": msg22312, - "20146": msg22313, - "20147": msg22314, - "20148": msg22315, - "20149": msg22316, - "2015": select1903, - "20150": msg22317, - "20151": msg22318, - "20152": msg22319, - "20153": msg22320, - "20154": msg22321, - "20155": msg22322, - "20156": msg22323, - "20157": msg22324, - "20158": msg22325, - "20159": msg22326, - "2016": select1904, - "20160": msg22327, - "20161": msg22328, - "20162": msg22329, - "20163": msg22330, - "20164": msg22331, - "20165": msg22332, - "20166": msg22333, - "20167": msg22334, - "20168": msg22335, - "20169": msg22336, - "2017": select1905, - "20170": msg22337, - "20171": msg22338, - "20172": msg22339, - "20173": msg22340, - "20174": msg22341, - "20175": msg22342, - "20176": msg22343, - "20177": msg22344, - "20178": msg22345, - "20179": msg22346, - "2018": select1906, - "20180": msg22347, - "20181": msg22348, - "20182": msg22349, - "20183": msg22350, - "20184": msg22351, - "20185": msg22352, - "20186": msg22353, - "20187": msg22354, - "20188": msg22355, - "20189": msg22356, - "2019": select1907, - "20190": msg22357, - "20191": msg22358, - "20192": msg22359, - "20193": msg22360, - "20194": msg22361, - "20195": msg22362, - "20196": msg22363, - "20197": msg22364, - "20198": msg22365, - "20199": msg22366, - 
"202": select127, - "2020": select1908, - "20200": msg22367, - "20201": msg22368, - "20202": msg22369, - "20203": msg22370, - "20204": msg22371, - "20205": msg22372, - "20206": msg22373, - "20207": msg22374, - "20208": msg22375, - "20209": msg22376, - "2021": select1909, - "20210": msg22377, - "20211": msg22378, - "20212": msg22379, - "20213": msg22380, - "20214": msg22381, - "20215": msg22382, - "20216": msg22383, - "20217": msg22384, - "20218": msg22385, - "20219": msg22386, - "2022": select1910, - "20220": msg22387, - "20221": msg22388, - "20222": msg22389, - "20223": msg22390, - "20224": msg22391, - "20225": msg22392, - "20226": msg22393, - "20227": msg22394, - "20228": msg22395, - "20229": msg22396, - "2023": select1911, - "20230": msg22397, - "20231": msg22398, - "20232": msg22399, - "20233": msg22400, - "20234": msg22401, - "20235": msg22402, - "20236": msg22403, - "20237": msg22404, - "20238": msg22405, - "20239": msg22406, - "2024": select1912, - "20240": msg22407, - "20241": msg22408, - "20242": msg22409, - "20243": msg22410, - "20244": msg22411, - "20245": msg22412, - "20246": msg22413, - "20247": msg22414, - "20248": msg22415, - "20249": msg22416, - "2025": select1913, - "20250": msg22417, - "20251": msg22418, - "20252": msg22419, - "20253": msg22420, - "20254": msg22421, - "20255": msg22422, - "20256": msg22423, - "20257": msg22424, - "20258": msg22425, - "20259": msg22426, - "2026": select1914, - "20260": msg22427, - "20261": msg22428, - "20262": msg22429, - "20263": msg22430, - "20264": msg22431, - "20265": msg22432, - "20266": msg22433, - "20267": msg22434, - "20268": msg22435, - "20269": msg22436, - "2027": select1915, - "20270": msg22437, - "20271": msg22438, - "20272": msg22439, - "20273": msg22440, - "20274": msg22441, - "20275": msg22442, - "20276": msg22443, - "20277": msg22444, - "20278": msg22445, - "20279": msg22446, - "2028": select1916, - "20280": msg22447, - "20281": msg22448, - "20282": msg22449, - "20283": msg22450, - "20284": 
msg22451, - "20285": msg22452, - "20286": msg22453, - "20287": msg22454, - "20288": msg22455, - "20289": msg22456, - "2029": select1917, - "20290": msg22457, - "20291": msg22458, - "20292": msg22459, - "20293": msg22460, - "20294": msg22461, - "20295": msg22462, - "20296": msg22463, - "20297": msg22464, - "20298": msg22465, - "20299": msg22466, - "203": select128, - "2030": select1918, - "20300": msg22467, - "20301": msg22468, - "20302": msg22469, - "20303": msg22470, - "20304": msg22471, - "20305": msg22472, - "20306": msg22473, - "20307": msg22474, - "20308": msg22475, - "20309": msg22476, - "2031": select1919, - "20310": msg22477, - "20311": msg22478, - "20312": msg22479, - "20313": msg22480, - "20314": msg22481, - "20315": msg22482, - "20316": msg22483, - "20317": msg22484, - "20318": msg22485, - "20319": msg22486, - "2032": select1920, - "20320": msg22487, - "20321": msg22488, - "20322": msg22489, - "20323": msg22490, - "20324": msg22491, - "20325": msg22492, - "20326": msg22493, - "20327": msg22494, - "20328": msg22495, - "20329": msg22496, - "2033": select1921, - "20330": msg22497, - "20331": msg22498, - "20332": msg22499, - "20333": msg22500, - "20334": msg22501, - "20335": msg22502, - "20336": msg22503, - "20337": msg22504, - "20338": msg22505, - "20339": msg22506, - "2034": select1922, - "20340": msg22507, - "20341": msg22508, - "20342": msg22509, - "20343": msg22510, - "20344": msg22511, - "20345": msg22512, - "20346": msg22513, - "20347": msg22514, - "20348": msg22515, - "20349": msg22516, - "2035": select1923, - "20350": msg22517, - "20351": msg22518, - "20352": msg22519, - "20353": msg22520, - "20354": msg22521, - "20355": msg22522, - "20356": msg22523, - "20357": msg22524, - "20358": msg22525, - "20359": msg22526, - "2036": select1924, - "20360": msg22527, - "20361": msg22528, - "20362": msg22529, - "20363": msg22530, - "20364": msg22531, - "20365": msg22532, - "20366": msg22533, - "20367": msg22534, - "20368": msg22535, - "20369": msg22536, - 
"2037": select1925, - "20370": msg22537, - "20371": msg22538, - "20372": msg22539, - "20373": msg22540, - "20374": msg22541, - "20375": msg22542, - "20376": msg22543, - "20377": msg22544, - "20378": msg22545, - "20379": msg22546, - "2038": select1926, - "20380": msg22547, - "20381": msg22548, - "20382": msg22549, - "20383": msg22550, - "20384": msg22551, - "20385": msg22552, - "20386": msg22553, - "20387": msg22554, - "20388": msg22555, - "20389": msg22556, - "2039": select1927, - "20390": msg22557, - "20391": msg22558, - "20392": msg22559, - "20393": msg22560, - "20394": msg22561, - "20395": msg22562, - "20396": msg22563, - "20397": msg22564, - "20398": msg22565, - "20399": msg22566, - "204": select129, - "2040": select1928, - "20400": msg22567, - "20401": msg22568, - "20402": msg22569, - "20403": msg22570, - "20404": msg22571, - "20405": msg22572, - "20406": msg22573, - "20407": msg22574, - "20408": msg22575, - "20409": msg22576, - "2041": select1929, - "20410": msg22577, - "20411": msg22578, - "20412": msg22579, - "20413": msg22580, - "20414": msg22581, - "20415": msg22582, - "20416": msg22583, - "20417": msg22584, - "20418": msg22585, - "20419": msg22586, - "2042": select1930, - "20420": msg22587, - "20421": msg22588, - "20422": msg22589, - "20423": msg22590, - "20424": msg22591, - "20425": msg22592, - "20426": msg22593, - "20427": msg22594, - "20428": msg22595, - "20429": msg22596, - "2043": select1931, - "20430": msg22597, - "20431": msg22598, - "20432": msg22599, - "20433": msg22600, - "20434": msg22601, - "20435": msg22602, - "20436": msg22603, - "20437": msg22604, - "20438": msg22605, - "20439": msg22606, - "2044": select1932, - "20440": msg22607, - "20441": msg22608, - "20442": msg22609, - "20443": msg22610, - "20444": msg22611, - "20445": msg22612, - "20446": msg22613, - "20447": msg22614, - "20448": msg22615, - "20449": msg22616, - "2045": select1933, - "20450": msg22617, - "20451": msg22618, - "20452": msg22619, - "20453": msg22620, - "20454": 
msg22621, - "20455": msg22622, - "20456": msg22623, - "20457": msg22624, - "20458": msg22625, - "20459": msg22626, - "2046": select1934, - "20460": msg22627, - "20461": msg22628, - "20462": msg22629, - "20463": msg22630, - "20464": msg22631, - "20465": msg22632, - "20466": msg22633, - "20467": msg22634, - "20468": msg22635, - "20469": msg22636, - "2047": select1935, - "20470": msg22637, - "20471": msg22638, - "20472": msg22639, - "20473": msg22640, - "20474": msg22641, - "20475": msg22642, - "20476": msg22643, - "20477": msg22644, - "20478": msg22645, - "20479": msg22646, - "2048": select1936, - "20480": msg22647, - "20481": msg22648, - "20482": msg22649, - "20483": msg22650, - "20484": msg22651, - "20485": msg22652, - "20486": msg22653, - "20487": msg22654, - "20488": msg22655, - "20489": msg22656, - "2049": select1937, - "20490": msg22657, - "20491": msg22658, - "20492": msg22659, - "20493": msg22660, - "20494": msg22661, - "20495": msg22662, - "20496": msg22663, - "20497": msg22664, - "20498": msg22665, - "20499": msg22666, - "205": select130, - "2050": select1938, - "20500": msg22667, - "20501": msg22668, - "20502": msg22669, - "20503": msg22670, - "20504": msg22671, - "20505": msg22672, - "20506": msg22673, - "20507": msg22674, - "20508": msg22675, - "20509": msg22676, - "2051": select1939, - "20510": msg22677, - "20511": msg22678, - "20512": msg22679, - "20513": msg22680, - "20514": msg22681, - "20515": msg22682, - "20516": msg22683, - "20517": msg22684, - "20518": msg22685, - "20519": msg22686, - "2052": select1940, - "20520": msg22687, - "20521": msg22688, - "20522": msg22689, - "20523": msg22690, - "20524": msg22691, - "20525": msg22692, - "20526": msg22693, - "20527": msg22694, - "20528": msg22695, - "20529": msg22696, - "2053": select1941, - "20530": msg22697, - "20531": msg22698, - "20532": msg22699, - "20533": msg22700, - "20534": msg22701, - "20535": msg22702, - "20536": msg22703, - "20537": msg22704, - "20538": msg22705, - "20539": msg22706, - 
"2054": select1942, - "20540": msg22707, - "20541": msg22708, - "20542": msg22709, - "20543": msg22710, - "20544": msg22711, - "20545": msg22712, - "20546": msg22713, - "20547": msg22714, - "20548": msg22715, - "20549": msg22716, - "2055": select1943, - "20550": msg22717, - "20551": msg22718, - "20552": msg22719, - "20553": msg22720, - "20554": msg22721, - "20555": msg22722, - "20556": msg22723, - "20557": msg22724, - "20558": msg22725, - "20559": msg22726, - "2056": select1944, - "20560": msg22727, - "20561": msg22728, - "20562": msg22729, - "20563": msg22730, - "20564": msg22731, - "20565": msg22732, - "20566": msg22733, - "20567": msg22734, - "20568": msg22735, - "20569": msg22736, - "2057": select1945, - "20570": msg22737, - "20571": msg22738, - "20572": msg22739, - "20573": msg22740, - "20574": msg22741, - "20575": msg22742, - "20576": msg22743, - "20577": msg22744, - "20578": msg22745, - "20579": msg22746, - "2058": select1946, - "20580": msg22747, - "20581": msg22748, - "20582": msg22749, - "20583": msg22750, - "20584": msg22751, - "20585": msg22752, - "20586": msg22753, - "20587": msg22754, - "20588": msg22755, - "20589": msg22756, - "2059": select1947, - "20590": msg22757, - "20591": msg22758, - "20592": msg22759, - "20593": msg22760, - "20594": msg22761, - "20595": msg22762, - "20596": msg22763, - "20597": msg22764, - "20598": msg22765, - "20599": msg22766, - "206": select131, - "2060": select1948, - "20600": msg22767, - "20601": msg22768, - "20602": msg22769, - "20603": msg22770, - "20604": msg22771, - "20605": msg22772, - "20606": msg22773, - "20607": msg22774, - "20608": msg22775, - "20609": msg22776, - "2061": select1949, - "20610": msg22777, - "20611": msg22778, - "20612": msg22779, - "20613": msg22780, - "20614": msg22781, - "20615": msg22782, - "20616": msg22783, - "20617": msg22784, - "20618": msg22785, - "20619": msg22786, - "2062": select1950, - "20620": msg22787, - "20621": msg22788, - "20622": msg22789, - "20623": msg22790, - "20624": 
msg22791, - "20625": msg22792, - "20626": msg22793, - "20627": msg22794, - "20628": msg22795, - "20629": msg22796, - "2063": select1951, - "20630": msg22797, - "20631": msg22798, - "20632": msg22799, - "20633": msg22800, - "20634": msg22801, - "20635": msg22802, - "20636": msg22803, - "20637": msg22804, - "20638": msg22805, - "20639": msg22806, - "2064": select1952, - "20640": msg22807, - "20641": msg22808, - "20642": msg22809, - "20643": msg22810, - "20644": msg22811, - "20645": msg22812, - "20646": msg22813, - "20647": msg22814, - "20648": msg22815, - "20649": msg22816, - "2065": select1953, - "20650": msg22817, - "20651": msg22818, - "20652": msg22819, - "20653": msg22820, - "20654": msg22821, - "20655": msg22822, - "20656": msg22823, - "20657": msg22824, - "20658": msg22825, - "20659": msg22826, - "2066": select1954, - "20660": msg22827, - "20661": msg22828, - "20662": msg22829, - "20663": msg22830, - "20664": msg22831, - "20665": msg22832, - "20666": msg22833, - "20667": msg22834, - "20668": msg22835, - "20669": msg22836, - "2067": select1955, - "20670": msg22837, - "20671": msg22838, - "20672": msg22839, - "20673": msg22840, - "20674": msg22841, - "20675": msg22842, - "20676": msg22843, - "20677": msg22844, - "20678": msg22845, - "20679": msg22846, - "2068": select1956, - "20680": msg22847, - "20681": msg22848, - "20682": msg22849, - "20683": msg22850, - "20684": msg22851, - "20685": msg22852, - "20686": msg22853, - "20687": msg22854, - "20688": msg22855, - "20689": msg22856, - "2069": select1957, - "20690": msg22857, - "20691": msg22858, - "20692": msg22859, - "20693": msg22860, - "20694": msg22861, - "20695": msg22862, - "20696": msg22863, - "20697": msg22864, - "20698": msg22865, - "20699": msg22866, - "207": select132, - "2070": select1958, - "20700": msg22867, - "20701": msg22868, - "20702": msg22869, - "20703": msg22870, - "20704": msg22871, - "20705": msg22872, - "20706": msg22873, - "20707": msg22874, - "20708": msg22875, - "20709": msg22876, - 
"2071": select1959, - "20710": msg22877, - "20711": msg22878, - "20712": msg22879, - "20713": msg22880, - "20714": msg22881, - "20715": msg22882, - "20716": msg22883, - "20717": msg22884, - "20718": msg22885, - "20719": msg22886, - "2072": select1960, - "20720": msg22887, - "20721": msg22888, - "20722": msg22889, - "20723": msg22890, - "20724": msg22891, - "20725": msg22892, - "20726": msg22893, - "20727": msg22894, - "20728": msg22895, - "20729": msg22896, - "2073": select1961, - "20730": msg22897, - "20731": msg22898, - "20732": msg22899, - "20733": msg22900, - "20734": msg22901, - "20735": msg22902, - "20736": msg22903, - "20737": msg22904, - "20738": msg22905, - "20739": msg22906, - "2074": select1962, - "20740": msg22907, - "20741": msg22908, - "20742": msg22909, - "20743": msg22910, - "20744": msg22911, - "20745": msg22912, - "20746": msg22913, - "20747": msg22914, - "20748": msg22915, - "20749": msg22916, - "2075": select1963, - "20750": msg22917, - "20751": msg22918, - "20752": msg22919, - "20753": msg22920, - "20754": msg22921, - "20755": msg22922, - "20756": msg22923, - "20757": msg22924, - "20758": msg22925, - "20759": msg22926, - "2076": select1964, - "20760": msg22927, - "20761": msg22928, - "20762": msg22929, - "20763": msg22930, - "20764": msg22931, - "20765": msg22932, - "20766": msg22933, - "20767": msg22934, - "20768": msg22935, - "20769": msg22936, - "2077": select1965, - "20770": msg22937, - "20771": msg22938, - "20772": msg22939, - "20773": msg22940, - "20774": msg22941, - "20775": msg22942, - "20776": msg22943, - "20777": msg22944, - "20778": msg22945, - "20779": msg22946, - "2078": select1966, - "20780": msg22947, - "20781": msg22948, - "20782": msg22949, - "20783": msg22950, - "20784": msg22951, - "20785": msg22952, - "20786": msg22953, - "20787": msg22954, - "20788": msg22955, - "20789": msg22956, - "2079": select1967, - "20790": msg22957, - "20791": msg22958, - "20792": msg22959, - "20793": msg22960, - "20794": msg22961, - "20795": 
msg22962, - "20796": msg22963, - "20797": msg22964, - "20798": msg22965, - "20799": msg22966, - "208": select133, - "2080": select1968, - "20800": msg22967, - "20801": msg22968, - "20802": msg22969, - "20803": msg22970, - "20804": msg22971, - "20805": msg22972, - "20806": msg22973, - "20807": msg22974, - "20808": msg22975, - "20809": msg22976, - "2081": select1969, - "20810": msg22977, - "20811": msg22978, - "20812": msg22979, - "20813": msg22980, - "20814": msg22981, - "20815": msg22982, - "20816": msg22983, - "20817": msg22984, - "20818": msg22985, - "20819": msg22986, - "2082": select1970, - "20820": msg22987, - "20821": msg22988, - "20822": msg22989, - "20823": msg22990, - "20824": msg22991, - "20825": msg22992, - "20826": msg22993, - "20827": msg22994, - "20828": msg22995, - "20829": msg22996, - "2083": select1971, - "20830": msg22997, - "20831": msg22998, - "20832": msg22999, - "20833": msg23000, - "20834": msg23001, - "20835": msg23002, - "20836": msg23003, - "20837": msg23004, - "20838": msg23005, - "20839": msg23006, - "2084": select1972, - "20840": msg23007, - "20841": msg23008, - "20842": msg23009, - "20843": msg23010, - "20844": msg23011, - "20845": msg23012, - "20846": msg23013, - "20847": msg23014, - "20848": msg23015, - "20849": msg23016, - "2085": select1973, - "20850": msg23017, - "20851": msg23018, - "20852": msg23019, - "20853": msg23020, - "20854": msg23021, - "20855": msg23022, - "20856": msg23023, - "20857": msg23024, - "20858": msg23025, - "20859": msg23026, - "2086": select1974, - "20860": msg23027, - "20861": msg23028, - "20862": msg23029, - "20863": msg23030, - "20864": msg23031, - "20865": msg23032, - "20866": msg23033, - "20867": msg23034, - "20868": msg23035, - "20869": msg23036, - "2087": select1975, - "20870": msg23037, - "20871": msg23038, - "20872": msg23039, - "20873": msg23040, - "20874": msg23041, - "20875": msg23042, - "20876": msg23043, - "20877": msg23044, - "20878": msg23045, - "20879": msg23046, - "2088": select1976, - 
"20880": msg23047, - "20881": msg23048, - "20882": msg23049, - "20883": msg23050, - "20884": msg23051, - "20885": msg23052, - "20886": msg23053, - "20887": msg23054, - "20888": msg23055, - "20889": msg23056, - "2089": select1977, - "20890": msg23057, - "20891": msg23058, - "20892": msg23059, - "20893": msg23060, - "20894": msg23061, - "20895": msg23062, - "20896": msg23063, - "20897": msg23064, - "20898": msg23065, - "20899": msg23066, - "209": select134, - "2090": select1978, - "20900": msg23067, - "20901": msg23068, - "20902": msg23069, - "20903": msg23070, - "20904": msg23071, - "20905": msg23072, - "20906": msg23073, - "20907": msg23074, - "20908": msg23075, - "20909": msg23076, - "2091": select1979, - "20910": msg23077, - "20911": msg23078, - "20912": msg23079, - "20913": msg23080, - "20914": msg23081, - "20915": msg23082, - "20916": msg23083, - "20917": msg23084, - "20918": msg23085, - "20919": msg23086, - "2092": select1980, - "20920": msg23087, - "20921": msg23088, - "20922": msg23089, - "20923": msg23090, - "20924": msg23091, - "20925": msg23092, - "20926": msg23093, - "20927": msg23094, - "20928": msg23095, - "20929": msg23096, - "2093": select1981, - "20930": msg23097, - "20931": msg23098, - "20932": msg23099, - "20933": msg23100, - "20934": msg23101, - "20935": msg23102, - "20936": msg23103, - "20937": msg23104, - "20938": msg23105, - "20939": msg23106, - "2094": select1982, - "20940": msg23107, - "20941": msg23108, - "20942": msg23109, - "20943": msg23110, - "20944": msg23111, - "20945": msg23112, - "20946": msg23113, - "20947": msg23114, - "20948": msg23115, - "20949": msg23116, - "2095": select1983, - "20950": msg23117, - "20951": msg23118, - "20952": msg23119, - "20953": msg23120, - "20954": msg23121, - "20955": msg23122, - "20956": msg23123, - "20957": msg23124, - "20958": msg23125, - "20959": msg23126, - "2096": select1984, - "20960": msg23127, - "20961": msg23128, - "20962": msg23129, - "20963": msg23130, - "20964": msg23131, - "20965": msg23132, 
- "20966": msg23133, - "20967": msg23134, - "20968": msg23135, - "20969": msg23136, - "2097": select1985, - "20970": msg23137, - "20971": msg23138, - "20972": msg23139, - "20973": msg23140, - "20974": msg23141, - "20975": msg23142, - "20976": msg23143, - "20977": msg23144, - "20978": msg23145, - "20979": msg23146, - "2098": select1986, - "20980": msg23147, - "20981": msg23148, - "20982": msg23149, - "20983": msg23150, - "20984": msg23151, - "20985": msg23152, - "20986": msg23153, - "20987": msg23154, - "20988": msg23155, - "20989": msg23156, - "2099": select1987, - "20990": msg23157, - "20991": msg23158, - "20992": msg23159, - "20993": msg23160, - "20994": msg23161, - "20995": msg23162, - "20996": msg23163, - "20997": msg23164, - "20998": msg23165, - "20999": msg23166, - "21": select22, - "210": select135, - "2100": select1988, - "21000": msg23167, - "21001": msg23168, - "21002": msg23169, - "21003": msg23170, - "21004": msg23171, - "21005": msg23172, - "21006": msg23173, - "2100651": msg38508, - "21007": msg23174, - "21008": msg23175, - "21009": msg23176, - "2101": select1989, - "21010": msg23177, - "21011": msg23178, - "21012": msg23179, - "21013": msg23180, - "2101384": msg38509, - "2101390": msg38510, - "21014": msg23181, - "2101424": msg38511, - "2101432": msg38512, - "21015": msg23182, - "21016": msg23183, - "21017": msg23184, - "21018": msg23185, - "2101867": msg38513, - "21019": msg23186, - "2101918": msg38514, - "2102": select1990, - "21020": msg23187, - "21021": msg23188, - "21022": msg23189, - "21023": msg23190, - "21024": msg23191, - "21025": msg23192, - "21026": msg23193, - "21027": msg23194, - "21028": msg23195, - "21029": msg23196, - "2103": select1991, - "21030": msg23197, - "21031": msg23198, - "21032": msg23199, - "21033": msg23200, - "21034": msg23201, - "21035": msg23202, - "21036": msg23203, - "21037": msg23204, - "21038": msg23205, - "21039": msg23206, - "2104": select1992, - "21040": msg23207, - "21041": msg23208, - "21042": msg23209, - 
"21043": msg23210, - "21044": msg23211, - "21045": msg23212, - "21046": msg23213, - "21047": msg23214, - "21048": msg23215, - "21049": msg23216, - "2105": select1993, - "21050": msg23217, - "21051": msg23218, - "21052": msg23219, - "21053": msg23220, - "21054": msg23221, - "21055": msg23222, - "21056": msg23223, - "21057": msg23224, - "21058": msg23225, - "21059": msg23226, - "2106": select1994, - "21060": msg23227, - "21061": msg23228, - "21062": msg23229, - "21063": msg23230, - "21064": msg23231, - "21065": msg23232, - "21066": msg23233, - "21067": msg23234, - "21068": msg23235, - "21069": msg23236, - "2107": select1995, - "21070": msg23237, - "21071": msg23238, - "21072": msg23239, - "21073": msg23240, - "21074": msg23241, - "21075": msg23242, - "21076": msg23243, - "21077": msg23244, - "21078": msg23245, - "21079": msg23246, - "2108": select1996, - "21080": msg23247, - "21081": msg23248, - "21082": msg23249, - "21083": msg23250, - "21084": msg23251, - "21085": msg23252, - "21086": msg23253, - "21087": msg23254, - "21088": msg23255, - "21089": msg23256, - "2109": select1997, - "21090": msg23257, - "21091": msg23258, - "21092": msg23259, - "21093": msg23260, - "21094": msg23261, - "21095": msg23262, - "21096": msg23263, - "21097": msg23264, - "21098": msg23265, - "21099": msg23266, - "211": select136, - "2110": select1998, - "21100": msg23267, - "21101": msg23268, - "21102": msg23269, - "21103": msg23270, - "21104": msg23271, - "21105": msg23272, - "21106": msg23273, - "21107": msg23274, - "21108": msg23275, - "21109": msg23276, - "2111": select1999, - "21110": msg23277, - "21111": msg23278, - "21112": msg23279, - "21113": msg23280, - "21114": msg23281, - "21115": msg23282, - "21116": msg23283, - "21117": msg23284, - "21118": msg23285, - "21119": msg23286, - "2112": select2000, - "21120": msg23287, - "21121": msg23288, - "21122": msg23289, - "21123": msg23290, - "21124": msg23291, - "21125": msg23292, - "21126": msg23293, - "21127": msg23294, - "21128": msg23295, 
- "21129": msg23296, - "2113": select2001, - "21130": msg23297, - "21131": msg23298, - "21132": msg23299, - "21133": msg23300, - "21134": msg23301, - "21135": msg23302, - "21136": msg23303, - "21137": msg23304, - "21138": msg23305, - "21139": msg23306, - "2114": select2002, - "21140": msg23307, - "21141": msg23308, - "21142": msg23309, - "21143": msg23310, - "21144": msg23311, - "21145": msg23312, - "21146": msg23313, - "21147": msg23314, - "21148": msg23315, - "21149": msg23316, - "2115": select2003, - "21150": msg23317, - "21151": msg23318, - "21152": msg23319, - "21153": msg23320, - "21154": msg23321, - "21155": msg23322, - "21156": msg23323, - "21157": msg23324, - "21158": msg23325, - "21159": msg23326, - "2116": select2004, - "21160": msg23327, - "21161": msg23328, - "21162": msg23329, - "21163": msg23330, - "21164": msg23331, - "21165": msg23332, - "21166": msg23333, - "21167": msg23334, - "21168": msg23335, - "21169": msg23336, - "2117": select2005, - "21170": msg23337, - "21171": msg23338, - "21172": msg23339, - "21173": msg23340, - "21174": msg23341, - "21175": msg23342, - "21176": msg23343, - "21177": msg23344, - "21178": msg23345, - "21179": msg23346, - "2118": select2006, - "21180": msg23347, - "21181": msg23348, - "21182": msg23349, - "21183": msg23350, - "21184": msg23351, - "21185": msg23352, - "21186": msg23353, - "21187": msg23354, - "21188": msg23355, - "21189": msg23356, - "2119": select2007, - "21190": msg23357, - "21191": msg23358, - "21192": msg23359, - "21193": msg23360, - "21194": msg23361, - "21195": msg23362, - "21196": msg23363, - "21197": msg23364, - "21198": msg23365, - "21199": msg23366, - "212": select137, - "2120": select2008, - "21200": msg23367, - "21201": msg23368, - "21202": msg23369, - "21203": msg23370, - "21204": msg23371, - "21205": msg23372, - "21206": msg23373, - "21207": msg23374, - "21208": msg23375, - "21209": msg23376, - "2121": select2009, - "21210": msg23377, - "21211": msg23378, - "21212": msg23379, - "21213": 
msg23380, - "21214": msg23381, - "21215": msg23382, - "21216": msg23383, - "21217": msg23384, - "21218": msg23385, - "21219": msg23386, - "2122": select2010, - "21220": msg23387, - "21221": msg23388, - "21222": msg23389, - "21223": msg23390, - "21224": msg23391, - "21225": msg23392, - "21226": msg23393, - "21227": msg23394, - "21228": msg23395, - "21229": msg23396, - "2123": select2011, - "21230": msg23397, - "21231": msg23398, - "21232": msg23399, - "21233": msg23400, - "21234": msg23401, - "21235": msg23402, - "21236": msg23403, - "21237": msg23404, - "21238": msg23405, - "21239": msg23406, - "2124": select2012, - "21240": msg23407, - "21241": msg23408, - "21242": msg23409, - "21243": msg23410, - "21244": msg23411, - "21245": msg23412, - "21246": msg23413, - "21247": msg23414, - "21248": msg23415, - "21249": msg23416, - "2125": select2013, - "21250": msg23417, - "21251": msg23418, - "21252": msg23419, - "21253": msg23420, - "21254": msg23421, - "21255": msg23422, - "21256": msg23423, - "21257": msg23424, - "21258": msg23425, - "21259": msg23426, - "2126": select2014, - "21260": msg23427, - "21261": msg23428, - "21262": msg23429, - "21263": msg23430, - "21264": msg23431, - "21265": msg23432, - "21266": msg23433, - "21267": msg23434, - "21268": msg23435, - "21269": msg23436, - "2127": select2015, - "21270": msg23437, - "21271": msg23438, - "21272": msg23439, - "21273": msg23440, - "21274": msg23441, - "21275": msg23442, - "21276": msg23443, - "21277": msg23444, - "21278": msg23445, - "21279": msg23446, - "2128": select2016, - "21280": msg23447, - "21281": msg23448, - "21282": msg23449, - "21283": msg23450, - "21284": msg23451, - "21285": msg23452, - "21286": msg23453, - "21287": msg23454, - "21288": msg23455, - "21289": msg23456, - "2129": select2017, - "21290": msg23457, - "21291": msg23458, - "21292": msg23459, - "21293": msg23460, - "21294": msg23461, - "21295": msg23462, - "21296": msg23463, - "21297": msg23464, - "21298": msg23465, - "21299": msg23466, - 
"213": select138, - "2130": select2018, - "21300": msg23467, - "21301": msg23468, - "21302": msg23469, - "21303": msg23470, - "21304": msg23471, - "21305": msg23472, - "21306": msg23473, - "21307": msg23474, - "21308": msg23475, - "21309": msg23476, - "2131": select2019, - "21310": msg23477, - "21311": msg23478, - "21312": msg23479, - "21313": msg23480, - "21314": msg23481, - "21315": msg23482, - "21316": msg23483, - "21317": msg23484, - "21318": msg23485, - "21319": msg23486, - "2132": select2020, - "21320": msg23487, - "21321": msg23488, - "21322": msg23489, - "21323": msg23490, - "21324": msg23491, - "21325": msg23492, - "21326": msg23493, - "21327": msg23494, - "21328": msg23495, - "21329": msg23496, - "2133": select2021, - "21330": msg23497, - "21331": msg23498, - "21332": msg23499, - "21333": msg23500, - "21334": msg23501, - "21335": msg23502, - "21336": msg23503, - "21337": msg23504, - "21338": msg23505, - "21339": msg23506, - "2134": select2022, - "21340": msg23507, - "21341": msg23508, - "21342": msg23509, - "21343": msg23510, - "21344": msg23511, - "21345": msg23512, - "21346": msg23513, - "21347": msg23514, - "21348": msg23515, - "21349": msg23516, - "2135": select2023, - "21350": msg23517, - "21351": msg23518, - "21352": msg23519, - "21353": msg23520, - "21354": msg23521, - "21355": msg23522, - "21356": msg23523, - "21357": msg23524, - "21358": msg23525, - "21359": msg23526, - "2136": select2024, - "21360": msg23527, - "21361": msg23528, - "21362": msg23529, - "21363": msg23530, - "21364": msg23531, - "21365": msg23532, - "21366": msg23533, - "21367": msg23534, - "21368": msg23535, - "21369": msg23536, - "2137": select2025, - "21370": msg23537, - "21371": msg23538, - "21372": msg23539, - "21373": msg23540, - "21374": msg23541, - "21375": msg23542, - "21376": msg23543, - "21377": msg23544, - "21378": msg23545, - "21379": msg23546, - "2138": select2026, - "21380": msg23547, - "21381": msg23548, - "21382": msg23549, - "21383": msg23550, - "21384": 
msg23551, - "21385": msg23552, - "21386": msg23553, - "21387": msg23554, - "21388": msg23555, - "21389": msg23556, - "2139": select2027, - "21390": msg23557, - "21391": msg23558, - "21392": msg23559, - "21393": msg23560, - "21394": msg23561, - "21395": msg23562, - "21396": msg23563, - "21397": msg23564, - "21398": msg23565, - "21399": msg23566, - "214": select139, - "2140": select2028, - "21400": msg23567, - "21401": msg23568, - "21402": msg23569, - "21403": msg23570, - "21404": msg23571, - "21405": msg23572, - "21406": msg23573, - "21407": msg23574, - "21408": msg23575, - "21409": msg23576, - "2141": select2029, - "21410": msg23577, - "21411": msg23578, - "21412": msg23579, - "21413": msg23580, - "21414": msg23581, - "21415": msg23582, - "21416": msg23583, - "21417": msg23584, - "21418": msg23585, - "21419": msg23586, - "2142": select2030, - "21420": msg23587, - "21421": msg23588, - "21422": msg23589, - "21423": msg23590, - "21424": msg23591, - "21425": msg23592, - "21426": msg23593, - "21427": msg23594, - "21428": msg23595, - "21429": msg23596, - "2143": select2031, - "21430": msg23597, - "21431": msg23598, - "21432": msg23599, - "21433": msg23600, - "21434": msg23601, - "21435": msg23602, - "21436": msg23603, - "21437": msg23604, - "21438": msg23605, - "21439": msg23606, - "2144": select2032, - "21440": msg23607, - "21441": msg23608, - "21442": msg23609, - "21443": msg23610, - "21444": msg23611, - "21445": msg23612, - "21446": msg23613, - "21447": msg23614, - "21448": msg23615, - "21449": msg23616, - "2145": select2033, - "21450": msg23617, - "21451": msg23618, - "21452": msg23619, - "21453": msg23620, - "21454": msg23621, - "21455": msg23622, - "21456": msg23623, - "21457": msg23624, - "21458": msg23625, - "21459": msg23626, - "2146": select2034, - "21460": msg23627, - "21461": msg23628, - "21462": msg23629, - "21463": msg23630, - "21464": msg23631, - "21465": msg23632, - "21466": msg23633, - "21467": msg23634, - "21468": msg23635, - "21469": msg23636, - 
"2147": select2035, - "21470": msg23637, - "21471": msg23638, - "21472": msg23639, - "21473": msg23640, - "21474": msg23641, - "21475": msg23642, - "21476": msg23643, - "21477": msg23644, - "21478": msg23645, - "21479": msg23646, - "2148": select2036, - "21480": msg23647, - "21481": msg23648, - "21482": msg23649, - "21483": msg23650, - "21484": msg23651, - "21485": msg23652, - "21486": msg23653, - "21487": msg23654, - "21488": msg23655, - "21489": msg23656, - "2149": select2037, - "21490": msg23657, - "21491": msg23658, - "21492": msg23659, - "21493": msg23660, - "21494": msg23661, - "21495": msg23662, - "21496": msg23663, - "21497": msg23664, - "21498": msg23665, - "21499": msg23666, - "215": select140, - "2150": select2038, - "21500": msg23667, - "21501": msg23668, - "21502": msg23669, - "21503": msg23670, - "21504": msg23671, - "21505": msg23672, - "21506": msg23673, - "21507": msg23674, - "21508": msg23675, - "21509": msg23676, - "2151": select2039, - "21510": msg23677, - "21511": msg23678, - "21512": msg23679, - "21513": msg23680, - "21514": msg23681, - "21515": msg23682, - "21516": msg23683, - "21517": msg23684, - "21518": msg23685, - "21519": msg23686, - "2152": select2040, - "21520": msg23687, - "21521": msg23688, - "21522": msg23689, - "21523": msg23690, - "21524": msg23691, - "21525": msg23692, - "21526": msg23693, - "21527": msg23694, - "21528": msg23695, - "21529": msg23696, - "2153": select2041, - "21530": msg23697, - "21531": msg23698, - "21532": msg23699, - "21533": msg23700, - "21534": msg23701, - "21535": msg23702, - "21536": msg23703, - "21537": msg23704, - "21538": msg23705, - "21539": msg23706, - "2154": select2042, - "21540": msg23707, - "21541": msg23708, - "21542": msg23709, - "21543": msg23710, - "21544": msg23711, - "21545": msg23712, - "21546": msg23713, - "21547": msg23714, - "21548": msg23715, - "21549": msg23716, - "2155": select2043, - "21550": msg23717, - "21551": msg23718, - "21552": msg23719, - "21553": msg23720, - "21554": 
msg23721, - "21555": msg23722, - "21556": msg23723, - "21557": msg23724, - "21558": msg23725, - "21559": msg23726, - "2156": select2044, - "21560": msg23727, - "21561": msg23728, - "21562": msg23729, - "21563": msg23730, - "21564": msg23731, - "21565": msg23732, - "21566": msg23733, - "21567": msg23734, - "21568": msg23735, - "21569": msg23736, - "2157": select2045, - "21570": msg23737, - "21571": msg23738, - "21572": msg23739, - "21573": msg23740, - "21574": msg23741, - "21575": msg23742, - "21576": msg23743, - "21577": msg23744, - "21578": msg23745, - "21579": msg23746, - "2158": select2046, - "21580": msg23747, - "21581": msg23748, - "21582": msg23749, - "21583": msg23750, - "21584": msg23751, - "21585": msg23752, - "21586": msg23753, - "21587": msg23754, - "21588": msg23755, - "21589": msg23756, - "2159": select2047, - "21590": msg23757, - "21591": msg23758, - "21592": msg23759, - "21593": msg23760, - "21594": msg23761, - "21595": msg23762, - "21596": msg23763, - "21597": msg23764, - "21598": msg23765, - "21599": msg23766, - "216": select141, - "2160": select2048, - "21600": msg23767, - "21601": msg23768, - "21602": msg23769, - "21603": msg23770, - "21604": msg23771, - "21605": msg23772, - "21606": msg23773, - "21607": msg23774, - "21608": msg23775, - "21609": msg23776, - "2161": select2049, - "21610": msg23777, - "21611": msg23778, - "21612": msg23779, - "21613": msg23780, - "21614": msg23781, - "21615": msg23782, - "21616": msg23783, - "21617": msg23784, - "21618": msg23785, - "21619": msg23786, - "2162": select2050, - "21620": msg23787, - "21621": msg23788, - "21622": msg23789, - "21623": msg23790, - "21624": msg23791, - "21625": msg23792, - "21626": msg23793, - "21627": msg23794, - "21628": msg23795, - "21629": msg23796, - "2163": select2051, - "21630": msg23797, - "21631": msg23798, - "21632": msg23799, - "21633": msg23800, - "21634": msg23801, - "21635": msg23802, - "21636": msg23803, - "21637": msg23804, - "21638": msg23805, - "21639": msg23806, - 
"2164": select2052, - "21640": msg23807, - "21641": msg23808, - "21642": msg23809, - "21643": msg23810, - "21644": msg23811, - "21645": msg23812, - "21646": msg23813, - "21647": msg23814, - "21648": msg23815, - "21649": msg23816, - "2165": select2053, - "21650": msg23817, - "21651": msg23818, - "21652": msg23819, - "21653": msg23820, - "21654": msg23821, - "21655": msg23822, - "21656": msg23823, - "21657": msg23824, - "21658": msg23825, - "21659": msg23826, - "2166": select2054, - "21660": msg23827, - "21661": msg23828, - "21662": msg23829, - "21663": msg23830, - "21664": msg23831, - "21665": msg23832, - "21666": msg23833, - "21667": msg23834, - "21668": msg23835, - "21669": msg23836, - "2167": select2055, - "21670": msg23837, - "21671": msg23838, - "21672": msg23839, - "21673": msg23840, - "21674": msg23841, - "21675": msg23842, - "21676": msg23843, - "21677": msg23844, - "21678": msg23845, - "21679": msg23846, - "2168": select2056, - "21680": msg23847, - "21681": msg23848, - "21682": msg23849, - "21683": msg23850, - "21684": msg23851, - "21685": msg23852, - "21686": msg23853, - "21687": msg23854, - "21688": msg23855, - "21689": msg23856, - "2169": select2057, - "21690": msg23857, - "21691": msg23858, - "21692": msg23859, - "21693": msg23860, - "21694": msg23861, - "21695": msg23862, - "21696": msg23863, - "21697": msg23864, - "21698": msg23865, - "21699": msg23866, - "217": select142, - "2170": select2058, - "21700": msg23867, - "21701": msg23868, - "21702": msg23869, - "21703": msg23870, - "21704": msg23871, - "21705": msg23872, - "21706": msg23873, - "21707": msg23874, - "21708": msg23875, - "21709": msg23876, - "2171": select2059, - "21710": msg23877, - "21711": msg23878, - "21712": msg23879, - "21713": msg23880, - "21714": msg23881, - "21715": msg23882, - "21716": msg23883, - "21717": msg23884, - "21718": msg23885, - "21719": msg23886, - "2172": select2060, - "21720": msg23887, - "21721": msg23888, - "21722": msg23889, - "21723": msg23890, - "21724": 
msg23891, - "21725": msg23892, - "21726": msg23893, - "21727": msg23894, - "21728": msg23895, - "21729": msg23896, - "2173": select2061, - "21730": msg23897, - "21731": msg23898, - "21732": msg23899, - "21733": msg23900, - "21734": msg23901, - "21735": msg23902, - "21736": msg23903, - "21737": msg23904, - "21738": msg23905, - "21739": msg23906, - "2174": select2062, - "21740": msg23907, - "21741": msg23908, - "21742": msg23909, - "21743": msg23910, - "21744": msg23911, - "21745": msg23912, - "21746": msg23913, - "21747": msg23914, - "21748": msg23915, - "21749": msg23916, - "2175": select2063, - "21750": msg23917, - "21751": msg23918, - "21752": msg23919, - "21753": msg23920, - "21754": msg23921, - "21755": msg23922, - "21756": msg23923, - "21757": msg23924, - "21758": msg23925, - "21759": msg23926, - "2176": select2064, - "21760": msg23927, - "21761": msg23928, - "21762": msg23929, - "21763": msg23930, - "21764": msg23931, - "21765": msg23932, - "21766": msg23933, - "21767": msg23934, - "21768": msg23935, - "21769": msg23936, - "2177": select2065, - "21770": msg23937, - "21771": msg23938, - "21772": msg23939, - "21773": msg23940, - "21774": msg23941, - "21775": msg23942, - "21776": msg23943, - "21777": msg23944, - "21778": msg23945, - "21779": msg23946, - "2178": select2066, - "21780": msg23947, - "21781": msg23948, - "21782": msg23949, - "21783": msg23950, - "21784": msg23951, - "21785": msg23952, - "21786": msg23953, - "21787": msg23954, - "21788": msg23955, - "21789": msg23956, - "2179": select2067, - "21790": msg23957, - "21791": msg23958, - "21792": msg23959, - "21793": msg23960, - "21794": msg23961, - "21795": msg23962, - "21796": msg23963, - "21797": msg23964, - "21798": msg23965, - "21799": msg23966, - "218": select143, - "2180": select2068, - "21800": msg23967, - "21801": msg23968, - "21802": msg23969, - "21803": msg23970, - "21804": msg23971, - "21805": msg23972, - "21806": msg23973, - "21807": msg23974, - "21808": msg23975, - "21809": msg23976, - 
"2181": select2069, - "21810": msg23977, - "21811": msg23978, - "21812": msg23979, - "21813": msg23980, - "21814": msg23981, - "21815": msg23982, - "21816": msg23983, - "21817": msg23984, - "21818": msg23985, - "21819": msg23986, - "2182": select2070, - "21820": msg23987, - "21821": msg23988, - "21822": msg23989, - "21823": msg23990, - "21824": msg23991, - "21825": msg23992, - "21826": msg23993, - "21827": msg23994, - "21828": msg23995, - "21829": msg23996, - "2183": select2071, - "21830": msg23997, - "21831": msg23998, - "21832": msg23999, - "21833": msg24000, - "21834": msg24001, - "21835": msg24002, - "21836": msg24003, - "21837": msg24004, - "21838": msg24005, - "21839": msg24006, - "2184": select2072, - "21840": msg24007, - "21841": msg24008, - "21842": msg24009, - "21843": msg24010, - "21844": msg24011, - "21845": msg24012, - "21846": msg24013, - "21847": msg24014, - "21848": msg24015, - "21849": msg24016, - "2185": select2073, - "21850": msg24017, - "21851": msg24018, - "21852": msg24019, - "21853": msg24020, - "21854": msg24021, - "21855": msg24022, - "21856": msg24023, - "21857": msg24024, - "21858": msg24025, - "21859": msg24026, - "2186": select2074, - "21860": msg24027, - "21861": msg24028, - "21862": msg24029, - "21863": msg24030, - "21864": msg24031, - "21865": msg24032, - "21866": msg24033, - "21867": msg24034, - "21868": msg24035, - "21869": msg24036, - "2187": select2075, - "21870": msg24037, - "21871": msg24038, - "21872": msg24039, - "21873": msg24040, - "21874": msg24041, - "21875": msg24042, - "21876": msg24043, - "21877": msg24044, - "21878": msg24045, - "21879": msg24046, - "2188": select2076, - "21880": msg24047, - "21881": msg24048, - "21882": msg24049, - "21883": msg24050, - "21884": msg24051, - "21885": msg24052, - "21886": msg24053, - "21887": msg24054, - "21888": msg24055, - "21889": msg24056, - "2189": select2077, - "21890": msg24057, - "21891": msg24058, - "21892": msg24059, - "21893": msg24060, - "21894": msg24061, - "21895": 
msg24062, - "21896": msg24063, - "21897": msg24064, - "21898": msg24065, - "21899": msg24066, - "219": select144, - "2190": select2078, - "21900": msg24067, - "21901": msg24068, - "21902": msg24069, - "21903": msg24070, - "21904": msg24071, - "21905": msg24072, - "21906": msg24073, - "21907": msg24074, - "21908": msg24075, - "21909": msg24076, - "2191": select2079, - "21910": msg24077, - "21911": msg24078, - "21912": msg24079, - "21913": msg24080, - "21914": msg24081, - "21915": msg24082, - "21916": msg24083, - "21917": msg24084, - "21918": msg24085, - "21919": msg24086, - "2192": select2080, - "21920": msg24087, - "21921": msg24088, - "21922": msg24089, - "21923": msg24090, - "21924": msg24091, - "21925": msg24092, - "21926": msg24093, - "21927": msg24094, - "21928": msg24095, - "21929": msg24096, - "2193": select2081, - "21930": msg24097, - "21931": msg24098, - "21932": msg24099, - "21933": msg24100, - "21934": msg24101, - "21935": msg24102, - "21937": msg24103, - "21938": msg24104, - "21939": msg24105, - "2194": select2082, - "21940": msg24106, - "21941": msg24107, - "21942": msg24108, - "21943": msg24109, - "21944": msg24110, - "21945": msg24111, - "21946": msg24112, - "21947": msg24113, - "21948": msg24114, - "21949": msg24115, - "2195": select2083, - "21950": msg24116, - "21951": msg24117, - "21952": msg24118, - "21953": msg24119, - "21954": msg24120, - "21955": msg24121, - "21956": msg24122, - "21957": msg24123, - "21958": msg24124, - "21959": msg24125, - "2196": select2084, - "21960": msg24126, - "21961": msg24127, - "21962": msg24128, - "21963": msg24129, - "21964": msg24130, - "21965": msg24131, - "21966": msg24132, - "21967": msg24133, - "21968": msg24134, - "21969": msg24135, - "2197": select2085, - "21970": msg24136, - "21971": msg24137, - "21972": msg24138, - "21973": msg24139, - "21974": msg24140, - "21975": msg24141, - "21976": msg24142, - "21977": msg24143, - "21978": msg24144, - "21979": msg24145, - "2198": select2086, - "21980": msg24146, - 
"21981": msg24147, - "21982": msg24148, - "21983": msg24149, - "21984": msg24150, - "21985": msg24151, - "21986": msg24152, - "21987": msg24153, - "21988": msg24154, - "21989": msg24155, - "2199": select2087, - "21990": msg24156, - "21991": msg24157, - "21992": msg24158, - "21993": msg24159, - "21994": msg24160, - "21995": msg24161, - "21996": msg24162, - "21997": msg24163, - "21998": msg24164, - "21999": msg24165, - "220": select145, - "2200": select2088, - "22000": msg24166, - "22001": msg24167, - "22002": msg24168, - "22003": msg24169, - "22004": msg24170, - "22005": msg24171, - "22006": msg24172, - "22007": msg24173, - "22008": msg24174, - "22009": msg24175, - "2201": select2089, - "22010": msg24176, - "22011": msg24177, - "22012": msg24178, - "22013": msg24179, - "22014": msg24180, - "22015": msg24181, - "22016": msg24182, - "22017": msg24183, - "22018": msg24184, - "22019": msg24185, - "2202": select2090, - "22020": msg24186, - "22021": msg24187, - "22022": msg24188, - "22023": msg24189, - "22024": msg24190, - "22025": msg24191, - "22026": msg24192, - "22027": msg24193, - "22028": msg24194, - "22029": msg24195, - "2203": select2091, - "22030": msg24196, - "22031": msg24197, - "22032": msg24198, - "22033": msg24199, - "22034": msg24200, - "22035": msg24201, - "22036": msg24202, - "22037": msg24203, - "22038": msg24204, - "22039": msg24205, - "2204": select2092, - "22040": msg24206, - "22041": msg24207, - "22042": msg24208, - "22043": msg24209, - "22044": msg24210, - "22045": msg24211, - "22046": msg24212, - "22047": msg24213, - "22048": msg24214, - "22049": msg24215, - "2205": select2093, - "22050": msg24216, - "22051": msg24217, - "22052": msg24218, - "22053": msg24219, - "22054": msg24220, - "22055": msg24221, - "22056": msg24222, - "22057": msg24223, - "22058": msg24224, - "22059": msg24225, - "2206": select2094, - "22060": msg24226, - "22061": msg24227, - "22062": msg24228, - "22063": msg24229, - "22064": msg24230, - "22065": msg24231, - "22066": msg24232, 
- "22067": msg24233, - "22068": msg24234, - "22069": msg24235, - "2207": select2095, - "22070": msg24236, - "22071": msg24237, - "22072": msg24238, - "22073": msg24239, - "22074": msg24240, - "22075": msg24241, - "22076": msg24242, - "22077": msg24243, - "22078": msg24244, - "22079": msg24245, - "2208": select2096, - "22080": msg24246, - "22081": msg24247, - "22082": msg24248, - "22083": msg24249, - "22084": msg24250, - "22085": msg24251, - "22086": msg24252, - "22087": msg24253, - "22088": msg24254, - "22089": msg24255, - "2209": select2097, - "22090": msg24256, - "22091": msg24257, - "22092": msg24258, - "22093": msg24259, - "22094": msg24260, - "22095": msg24261, - "22096": msg24262, - "22097": msg24263, - "22098": msg24264, - "22099": msg24265, - "221": select146, - "2210": select2098, - "22100": msg24266, - "22101": msg24267, - "22102": msg24268, - "22103": msg24269, - "22104": msg24270, - "22105": msg24271, - "22106": msg24272, - "22107": msg24273, - "22108": msg24274, - "22109": msg24275, - "2211": select2099, - "22110": msg24276, - "22111": msg24277, - "22112": msg24278, - "22113": msg24279, - "22114": msg24280, - "22115": msg24281, - "22116": msg24282, - "22117": msg24283, - "22118": msg24284, - "22119": msg24285, - "2212": select2100, - "22120": msg24286, - "22121": msg24287, - "22122": msg24288, - "22123": msg24289, - "22124": msg24290, - "22125": msg24291, - "22126": msg24292, - "22127": msg24293, - "22128": msg24294, - "22129": msg24295, - "2213": select2101, - "22130": msg24296, - "22131": msg24297, - "22132": msg24298, - "22133": msg24299, - "22134": msg24300, - "22135": msg24301, - "22136": msg24302, - "22137": msg24303, - "22138": msg24304, - "22139": msg24305, - "2214": select2102, - "22140": msg24306, - "22141": msg24307, - "22142": msg24308, - "22143": msg24309, - "22144": msg24310, - "22145": msg24311, - "22146": msg24312, - "22147": msg24313, - "22148": msg24314, - "22149": msg24315, - "2215": select2103, - "22150": msg24316, - "22151": 
msg24317, - "22152": msg24318, - "22153": msg24319, - "22154": msg24320, - "22155": msg24321, - "22156": msg24322, - "22157": msg24323, - "22158": msg24324, - "22159": msg24325, - "2216": select2104, - "22160": msg24326, - "22161": msg24327, - "22162": msg24328, - "22163": msg24329, - "22164": msg24330, - "22165": msg24331, - "22166": msg24332, - "22167": msg24333, - "22168": msg24334, - "22169": msg24335, - "2217": select2105, - "22170": msg24336, - "22171": msg24337, - "22172": msg24338, - "22173": msg24339, - "22174": msg24340, - "22175": msg24341, - "22176": msg24342, - "22177": msg24343, - "22178": msg24344, - "22179": msg24345, - "2218": select2106, - "22180": msg24346, - "22181": msg24347, - "22182": msg24348, - "22183": msg24349, - "22184": msg24350, - "22185": msg24351, - "22186": msg24352, - "22187": msg24353, - "22188": msg24354, - "22189": msg24355, - "2219": select2107, - "22190": msg24356, - "22191": msg24357, - "22192": msg24358, - "22193": msg24359, - "22194": msg24360, - "22195": msg24361, - "22196": msg24362, - "22197": msg24363, - "22198": msg24364, - "22199": msg24365, - "222": select147, - "2220": select2108, - "22200": msg24366, - "22201": msg24367, - "22202": msg24368, - "22203": msg24369, - "22204": msg24370, - "22205": msg24371, - "22206": msg24372, - "22207": msg24373, - "22208": msg24374, - "22209": msg24375, - "2221": select2109, - "22210": msg24376, - "22211": msg24377, - "22212": msg24378, - "22213": msg24379, - "22214": msg24380, - "22215": msg24381, - "22216": msg24382, - "22217": msg24383, - "22218": msg24384, - "22219": msg24385, - "2222": select2110, - "22220": msg24386, - "22221": msg24387, - "22222": msg24388, - "22223": msg24389, - "22224": msg24390, - "22225": msg24391, - "22226": msg24392, - "22227": msg24393, - "22228": msg24394, - "22229": msg24395, - "2223": select2111, - "22230": msg24396, - "22231": msg24397, - "22232": msg24398, - "22233": msg24399, - "22234": msg24400, - "22235": msg24401, - "22236": msg24402, - 
"22237": msg24403, - "22238": msg24404, - "22239": msg24405, - "2224": select2112, - "22240": msg24406, - "22241": msg24407, - "22242": msg24408, - "22243": msg24409, - "22244": msg24410, - "22245": msg24411, - "22246": msg24412, - "22247": msg24413, - "22248": msg24414, - "22249": msg24415, - "2225": select2113, - "22250": msg24416, - "22251": msg24417, - "22252": msg24418, - "22253": msg24419, - "22254": msg24420, - "22255": msg24421, - "22256": msg24422, - "22257": msg24423, - "22258": msg24424, - "22259": msg24425, - "2226": select2114, - "22260": msg24426, - "22261": msg24427, - "22262": msg24428, - "22263": msg24429, - "22264": msg24430, - "22265": msg24431, - "22266": msg24432, - "22267": msg24433, - "22268": msg24434, - "22269": msg24435, - "2227": select2115, - "22270": msg24436, - "22271": msg24437, - "22272": msg24438, - "22273": msg24439, - "22274": msg24440, - "22275": msg24441, - "22276": msg24442, - "22277": msg24443, - "22278": msg24444, - "22279": msg24445, - "2228": select2116, - "22280": msg24446, - "22281": msg24447, - "22282": msg24448, - "22283": msg24449, - "22284": msg24450, - "22285": msg24451, - "22286": msg24452, - "22287": msg24453, - "22288": msg24454, - "22289": msg24455, - "2229": select2117, - "22290": msg24456, - "22291": msg24457, - "22292": msg24458, - "22293": msg24459, - "22294": msg24460, - "22295": msg24461, - "22296": msg24462, - "22297": msg24463, - "22298": msg24464, - "22299": msg24465, - "223": select148, - "2230": select2118, - "22300": msg24466, - "22301": msg24467, - "22302": msg24468, - "22303": msg24469, - "22304": msg24470, - "22305": msg24471, - "22306": msg24472, - "22307": msg24473, - "22308": msg24474, - "22309": msg24475, - "2231": select2119, - "22310": msg24476, - "22311": msg24477, - "22312": msg24478, - "22313": msg24479, - "22314": msg24480, - "22315": msg24481, - "22316": msg24482, - "22317": msg24483, - "22318": msg24484, - "22319": msg24485, - "2232": select2120, - "22320": msg24486, - "22321": 
msg24487, - "22322": msg24488, - "22323": msg24489, - "22324": msg24490, - "22325": msg24491, - "22326": msg24492, - "22327": msg24493, - "22328": msg24494, - "22329": msg24495, - "2233": select2121, - "22330": msg24496, - "22331": msg24497, - "22332": msg24498, - "22333": msg24499, - "22334": msg24500, - "22335": msg24501, - "22336": msg24502, - "22337": msg24503, - "22338": msg24504, - "22339": msg24505, - "2234": select2122, - "22340": msg24506, - "22341": msg24507, - "22342": msg24508, - "22343": msg24509, - "22344": msg24510, - "22345": msg24511, - "22346": msg24512, - "22347": msg24513, - "22348": msg24514, - "22349": msg24515, - "2235": select2123, - "22350": msg24516, - "22351": msg24517, - "22352": msg24518, - "22353": msg24519, - "22354": msg24520, - "22355": msg24521, - "22356": msg24522, - "22357": msg24523, - "22358": msg24524, - "22359": msg24525, - "2236": select2124, - "22360": msg24526, - "22361": msg24527, - "22362": msg24528, - "22363": msg24529, - "22364": msg24530, - "22365": msg24531, - "22366": msg24532, - "22367": msg24533, - "22368": msg24534, - "22369": msg24535, - "2237": select2125, - "22370": msg24536, - "22371": msg24537, - "22372": msg24538, - "22373": msg24539, - "22374": msg24540, - "22375": msg24541, - "22376": msg24542, - "22377": msg24543, - "22378": msg24544, - "22379": msg24545, - "2238": select2126, - "22380": msg24546, - "22381": msg24547, - "22382": msg24548, - "22383": msg24549, - "22384": msg24550, - "22385": msg24551, - "22386": msg24552, - "22387": msg24553, - "22388": msg24554, - "22389": msg24555, - "2239": select2127, - "22390": msg24556, - "22391": msg24557, - "22392": msg24558, - "22393": msg24559, - "22394": msg24560, - "22395": msg24561, - "22396": msg24562, - "22397": msg24563, - "22398": msg24564, - "22399": msg24565, - "224": select149, - "2240": select2128, - "22400": msg24566, - "22401": msg24567, - "22402": msg24568, - "22403": msg24569, - "22404": msg24570, - "22405": msg24571, - "22406": msg24572, - 
"22407": msg24573, - "22408": msg24574, - "22409": msg24575, - "2241": select2129, - "22410": msg24576, - "22411": msg24577, - "22412": msg24578, - "22413": msg24579, - "22414": msg24580, - "22415": msg24581, - "22416": msg24582, - "22417": msg24583, - "22418": msg24584, - "22419": msg24585, - "2242": select2130, - "22420": msg24586, - "22421": msg24587, - "22422": msg24588, - "22423": msg24589, - "22424": msg24590, - "22425": msg24591, - "22426": msg24592, - "22427": msg24593, - "22428": msg24594, - "22429": msg24595, - "2243": select2131, - "22430": msg24596, - "22431": msg24597, - "22432": msg24598, - "22433": msg24599, - "22434": msg24600, - "22435": msg24601, - "22436": msg24602, - "22437": msg24603, - "22438": msg24604, - "22439": msg24605, - "2244": select2132, - "22440": msg24606, - "22441": msg24607, - "22442": msg24608, - "22443": msg24609, - "22444": msg24610, - "22445": msg24611, - "22446": msg24612, - "22447": msg24613, - "22448": msg24614, - "22449": msg24615, - "2245": select2133, - "22450": msg24616, - "22451": msg24617, - "22452": msg24618, - "22453": msg24619, - "22454": msg24620, - "22455": msg24621, - "22456": msg24622, - "22457": msg24623, - "22458": msg24624, - "22459": msg24625, - "2246": select2134, - "22460": msg24626, - "22461": msg24627, - "22462": msg24628, - "22463": msg24629, - "22464": msg24630, - "22465": msg24631, - "22466": msg24632, - "22467": msg24633, - "22468": msg24634, - "22469": msg24635, - "2247": select2135, - "22470": msg24636, - "22471": msg24637, - "22472": msg24638, - "22473": msg24639, - "22474": msg24640, - "22475": msg24641, - "22476": msg24642, - "22477": msg24643, - "22478": msg24644, - "22479": msg24645, - "2248": select2136, - "22480": msg24646, - "22481": msg24647, - "22482": msg24648, - "22483": msg24649, - "22484": msg24650, - "22485": msg24651, - "22486": msg24652, - "22487": msg24653, - "22488": msg24654, - "22489": msg24655, - "2249": select2137, - "22490": msg24656, - "22491": msg24657, - "22492": 
msg24658, - "22493": msg24659, - "22494": msg24660, - "22495": msg24661, - "22496": msg24662, - "22497": msg24663, - "22498": msg24664, - "22499": msg24665, - "225": select150, - "2250": select2138, - "22500": msg24666, - "22501": msg24667, - "22502": msg24668, - "22503": msg24669, - "22504": msg24670, - "22505": msg24671, - "22506": msg24672, - "22507": msg24673, - "22508": msg24674, - "22509": msg24675, - "2251": select2139, - "22510": msg24676, - "22511": msg24677, - "22512": msg24678, - "22513": msg24679, - "22514": msg24680, - "22515": msg24681, - "22516": msg24682, - "22517": msg24683, - "22518": msg24684, - "22519": msg24685, - "2252": select2140, - "22520": msg24686, - "22521": msg24687, - "22522": msg24688, - "22523": msg24689, - "22524": msg24690, - "22525": msg24691, - "22526": msg24692, - "22527": msg24693, - "22528": msg24694, - "22529": msg24695, - "2253": select2141, - "22530": msg24696, - "22531": msg24697, - "22532": msg24698, - "22533": msg24699, - "22534": msg24700, - "22535": msg24701, - "22536": msg24702, - "22537": msg24703, - "22538": msg24704, - "22539": msg24705, - "2254": select2142, - "22540": msg24706, - "22541": msg24707, - "22542": msg24708, - "22543": msg24709, - "22544": msg24710, - "22545": msg24711, - "22546": msg24712, - "22547": msg24713, - "22548": msg24714, - "22549": msg24715, - "2255": select2143, - "22550": msg24716, - "22551": msg24717, - "22552": msg24718, - "22553": msg24719, - "22554": msg24720, - "22555": msg24721, - "22556": msg24722, - "22557": msg24723, - "22558": msg24724, - "22559": msg24725, - "2256": select2144, - "22560": msg24726, - "22561": msg24727, - "22562": msg24728, - "22563": msg24729, - "22564": msg24730, - "22565": msg24731, - "22566": msg24732, - "22567": msg24733, - "22568": msg24734, - "22569": msg24735, - "2257": select2145, - "22570": msg24736, - "22571": msg24737, - "22572": msg24738, - "22573": msg24739, - "22574": msg24740, - "22575": msg24741, - "22576": msg24742, - "22577": msg24743, - 
"22578": msg24744, - "22579": msg24745, - "2258": select2146, - "22580": msg24746, - "22581": msg24747, - "22582": msg24748, - "22583": msg24749, - "22584": msg24750, - "22585": msg24751, - "22586": msg24752, - "22587": msg24753, - "22588": msg24754, - "22589": msg24755, - "2259": select2147, - "22590": msg24756, - "22591": msg24757, - "22592": msg24758, - "22593": msg24759, - "22594": msg24760, - "22595": msg24761, - "22596": msg24762, - "22597": msg24763, - "22598": msg24764, - "22599": msg24765, - "226": select151, - "2260": select2148, - "22600": msg24766, - "22601": msg24767, - "22602": msg24768, - "22603": msg24769, - "22604": msg24770, - "22605": msg24771, - "22606": msg24772, - "22607": msg24773, - "22608": msg24774, - "22609": msg24775, - "2261": select2149, - "22610": msg24776, - "22611": msg24777, - "22612": msg24778, - "22613": msg24779, - "22614": msg24780, - "22615": msg24781, - "22616": msg24782, - "22617": msg24783, - "22618": msg24784, - "22619": msg24785, - "2262": select2150, - "22620": msg24786, - "22621": msg24787, - "22622": msg24788, - "22623": msg24789, - "22624": msg24790, - "22625": msg24791, - "22626": msg24792, - "22627": msg24793, - "22628": msg24794, - "22629": msg24795, - "2263": select2151, - "22630": msg24796, - "22631": msg24797, - "22632": msg24798, - "22633": msg24799, - "22634": msg24800, - "22635": msg24801, - "22636": msg24802, - "22637": msg24803, - "22638": msg24804, - "22639": msg24805, - "2264": select2152, - "22640": msg24806, - "22641": msg24807, - "22642": msg24808, - "22643": msg24809, - "22644": msg24810, - "22645": msg24811, - "22646": msg24812, - "22647": msg24813, - "22648": msg24814, - "22649": msg24815, - "2265": select2153, - "22650": msg24816, - "22651": msg24817, - "22652": msg24818, - "22653": msg24819, - "22654": msg24820, - "22655": msg24821, - "22656": msg24822, - "22657": msg24823, - "22658": msg24824, - "22659": msg24825, - "2266": select2154, - "22660": msg24826, - "22661": msg24827, - "22662": 
msg24828, - "22663": msg24829, - "22664": msg24830, - "22665": msg24831, - "22666": msg24832, - "22667": msg24833, - "22668": msg24834, - "22669": msg24835, - "2267": select2155, - "22670": msg24836, - "22671": msg24837, - "22672": msg24838, - "22673": msg24839, - "22674": msg24840, - "22675": msg24841, - "22676": msg24842, - "22677": msg24843, - "22678": msg24844, - "22679": msg24845, - "2268": select2156, - "22680": msg24846, - "22681": msg24847, - "22682": msg24848, - "22683": msg24849, - "22684": msg24850, - "22685": msg24851, - "22686": msg24852, - "22687": msg24853, - "22688": msg24854, - "22689": msg24855, - "2269": select2157, - "22690": msg24856, - "22691": msg24857, - "22692": msg24858, - "22693": msg24859, - "22694": msg24860, - "22695": msg24861, - "22696": msg24862, - "22697": msg24863, - "22698": msg24864, - "22699": msg24865, - "227": select152, - "2270": select2158, - "22700": msg24866, - "22701": msg24867, - "22702": msg24868, - "22703": msg24869, - "22704": msg24870, - "22705": msg24871, - "22706": msg24872, - "22707": msg24873, - "22708": msg24874, - "22709": msg24875, - "2271": select2159, - "22710": msg24876, - "22711": msg24877, - "22712": msg24878, - "22713": msg24879, - "22714": msg24880, - "22715": msg24881, - "22716": msg24882, - "22717": msg24883, - "22718": msg24884, - "22719": msg24885, - "2272": select2160, - "22720": msg24886, - "22721": msg24887, - "22722": msg24888, - "22723": msg24889, - "22724": msg24890, - "22725": msg24891, - "22726": msg24892, - "22727": msg24893, - "22728": msg24894, - "22729": msg24895, - "2273": select2161, - "22730": msg24896, - "22731": msg24897, - "22732": msg24898, - "22733": msg24899, - "22734": msg24900, - "22735": msg24901, - "22736": msg24902, - "22737": msg24903, - "22738": msg24904, - "22739": msg24905, - "2274": select2162, - "22740": msg24906, - "22741": msg24907, - "22742": msg24908, - "22743": msg24909, - "22744": msg24910, - "22745": msg24911, - "22746": msg24912, - "22747": msg24913, - 
"22748": msg24914, - "22749": msg24915, - "2275": select2163, - "22750": msg24916, - "22751": msg24917, - "22752": msg24918, - "22753": msg24919, - "22754": msg24920, - "22755": msg24921, - "22756": msg24922, - "22757": msg24923, - "22758": msg24924, - "22759": msg24925, - "2276": select2164, - "22760": msg24926, - "22761": msg24927, - "22762": msg24928, - "22763": msg24929, - "22764": msg24930, - "22765": msg24931, - "22766": msg24932, - "22767": msg24933, - "22768": msg24934, - "22769": msg24935, - "2277": select2165, - "22770": msg24936, - "22771": msg24937, - "22772": msg24938, - "22773": msg24939, - "22774": msg24940, - "22775": msg24941, - "22776": msg24942, - "22777": msg24943, - "22778": msg24944, - "22779": msg24945, - "2278": select2166, - "22780": msg24946, - "22781": msg24947, - "22782": msg24948, - "22783": msg24949, - "22784": msg24950, - "22785": msg24951, - "22786": msg24952, - "22787": msg24953, - "22788": msg24954, - "22789": msg24955, - "2279": select2167, - "22790": msg24956, - "22791": msg24957, - "22792": msg24958, - "22793": msg24959, - "22794": msg24960, - "22795": msg24961, - "22796": msg24962, - "22797": msg24963, - "22798": msg24964, - "22799": msg24965, - "228": select153, - "2280": select2168, - "22800": msg24966, - "22801": msg24967, - "22802": msg24968, - "22803": msg24969, - "22804": msg24970, - "22805": msg24971, - "22806": msg24972, - "22807": msg24973, - "22808": msg24974, - "22809": msg24975, - "2281": select2169, - "22810": msg24976, - "22811": msg24977, - "22812": msg24978, - "22813": msg24979, - "22814": msg24980, - "22815": msg24981, - "22816": msg24982, - "22817": msg24983, - "22818": msg24984, - "22819": msg24985, - "2282": select2170, - "22820": msg24986, - "22821": msg24987, - "22822": msg24988, - "22823": msg24989, - "22824": msg24990, - "22825": msg24991, - "22826": msg24992, - "22827": msg24993, - "22828": msg24994, - "22829": msg24995, - "2283": select2171, - "22830": msg24996, - "22831": msg24997, - "22832": 
msg24998, - "22833": msg24999, - "22834": msg25000, - "22835": msg25001, - "22836": msg25002, - "22837": msg25003, - "22838": msg25004, - "22839": msg25005, - "2284": select2172, - "22840": msg25006, - "22841": msg25007, - "22842": msg25008, - "22843": msg25009, - "22844": msg25010, - "22845": msg25011, - "22846": msg25012, - "22847": msg25013, - "22848": msg25014, - "22849": msg25015, - "2285": select2173, - "22850": msg25016, - "22851": msg25017, - "22852": msg25018, - "22853": msg25019, - "22854": msg25020, - "22855": msg25021, - "22856": msg25022, - "22857": msg25023, - "22858": msg25024, - "22859": msg25025, - "2286": select2174, - "22860": msg25026, - "22861": msg25027, - "22862": msg25028, - "22863": msg25029, - "22864": msg25030, - "22865": msg25031, - "22866": msg25032, - "22867": msg25033, - "22868": msg25034, - "22869": msg25035, - "2287": select2175, - "22870": msg25036, - "22871": msg25037, - "22872": msg25038, - "22873": msg25039, - "22874": msg25040, - "22875": msg25041, - "22876": msg25042, - "22877": msg25043, - "22878": msg25044, - "22879": msg25045, - "2288": select2176, - "22880": msg25046, - "22881": msg25047, - "22882": msg25048, - "22883": msg25049, - "22884": msg25050, - "22885": msg25051, - "22886": msg25052, - "22887": msg25053, - "22888": msg25054, - "22889": msg25055, - "2289": select2177, - "22890": msg25056, - "22891": msg25057, - "22892": msg25058, - "22893": msg25059, - "22894": msg25060, - "22895": msg25061, - "22896": msg25062, - "22897": msg25063, - "22898": msg25064, - "22899": msg25065, - "229": select154, - "2290": select2178, - "22900": msg25066, - "22901": msg25067, - "22902": msg25068, - "22903": msg25069, - "22904": msg25070, - "22905": msg25071, - "22906": msg25072, - "22907": msg25073, - "22908": msg25074, - "22909": msg25075, - "2291": select2179, - "22910": msg25076, - "22911": msg25077, - "22912": msg25078, - "22913": msg25079, - "22914": msg25080, - "22915": msg25081, - "22916": msg25082, - "22917": msg25083, - 
"22918": msg25084, - "22919": msg25085, - "2292": select2180, - "22920": msg25086, - "22921": msg25087, - "22922": msg25088, - "22923": msg25089, - "22924": msg25090, - "22925": msg25091, - "22926": msg25092, - "22927": msg25093, - "22928": msg25094, - "22929": msg25095, - "2293": select2181, - "22930": msg25096, - "22931": msg25097, - "22932": msg25098, - "22933": msg25099, - "22934": msg25100, - "22935": msg25101, - "22936": msg25102, - "22937": msg25103, - "22938": msg25104, - "22939": msg25105, - "2294": select2182, - "22940": msg25106, - "22941": msg25107, - "22942": msg25108, - "22943": msg25109, - "22944": msg25110, - "22945": msg25111, - "22946": msg25112, - "22947": msg25113, - "22948": msg25114, - "22949": msg25115, - "2295": select2183, - "22950": msg25116, - "22951": msg25117, - "22952": msg25118, - "22953": msg25119, - "22954": msg25120, - "22955": msg25121, - "22956": msg25122, - "22957": msg25123, - "22958": msg25124, - "22959": msg25125, - "2296": select2184, - "22960": msg25126, - "22961": msg25127, - "22962": msg25128, - "22963": msg25129, - "22964": msg25130, - "22965": msg25131, - "22966": msg25132, - "22967": msg25133, - "22968": msg25134, - "22969": msg25135, - "2297": select2185, - "22970": msg25136, - "22971": msg25137, - "22972": msg25138, - "22973": msg25139, - "22974": msg25140, - "22975": msg25141, - "22976": msg25142, - "22977": msg25143, - "22978": msg25144, - "22979": msg25145, - "2298": select2186, - "22980": msg25146, - "22981": msg25147, - "22982": msg25148, - "22983": msg25149, - "22984": msg25150, - "22985": msg25151, - "22986": msg25152, - "22987": msg25153, - "22988": msg25154, - "22989": msg25155, - "2299": select2187, - "22990": msg25156, - "22991": msg25157, - "22992": msg25158, - "22993": msg25159, - "22994": msg25160, - "22995": msg25161, - "22996": msg25162, - "22997": msg25163, - "22998": msg25164, - "22999": msg25165, - "23": select23, - "230": select155, - "2300": select2188, - "23000": msg25166, - "23001": msg25167, - 
"23002": msg25168, - "23003": msg25169, - "23004": msg25170, - "23005": msg25171, - "23006": msg25172, - "23007": msg25173, - "23008": msg25174, - "23009": msg25175, - "2301": select2189, - "23010": msg25176, - "23011": msg25177, - "23012": msg25178, - "23013": msg25179, - "23014": msg25180, - "23015": msg25181, - "23016": msg25182, - "23017": msg25183, - "23018": msg25184, - "23019": msg25185, - "2302": select2190, - "23020": msg25186, - "23021": msg25187, - "23022": msg25188, - "23023": msg25189, - "23024": msg25190, - "23025": msg25191, - "23026": msg25192, - "23027": msg25193, - "23028": msg25194, - "23029": msg25195, - "2303": select2191, - "23030": msg25196, - "23031": msg25197, - "23032": msg25198, - "23033": msg25199, - "23034": msg25200, - "23035": msg25201, - "23036": msg25202, - "23037": msg25203, - "23038": msg25204, - "23039": msg25205, - "2304": select2192, - "23040": msg25206, - "23041": msg25207, - "23042": msg25208, - "23043": msg25209, - "23044": msg25210, - "23045": msg25211, - "23046": msg25212, - "23047": msg25213, - "23048": msg25214, - "23049": msg25215, - "2305": select2193, - "23050": msg25216, - "23051": msg25217, - "23054": msg25218, - "23055": msg25219, - "23056": msg25220, - "23057": msg25221, - "23058": msg25222, - "23059": msg25223, - "2306": select2194, - "23060": msg25224, - "23061": msg25225, - "23062": msg25226, - "23063": msg25227, - "23064": msg25228, - "23065": msg25229, - "23066": msg25230, - "23067": msg25231, - "23068": msg25232, - "23069": msg25233, - "2307": select2195, - "23070": msg25234, - "23071": msg25235, - "23072": msg25236, - "23073": msg25237, - "23074": msg25238, - "23075": msg25239, - "23076": msg25240, - "23077": msg25241, - "23078": msg25242, - "23079": msg25243, - "2308": select2196, - "23080": msg25244, - "23081": msg25245, - "23082": msg25246, - "23083": msg25247, - "23084": msg25248, - "23085": msg25249, - "23086": msg25250, - "23087": msg25251, - "23088": msg25252, - "23089": msg25253, - "2309": 
select2197, - "23090": msg25254, - "23091": msg25255, - "23092": msg25256, - "23093": msg25257, - "23094": msg25258, - "23095": msg25259, - "23096": msg25260, - "23097": msg25261, - "23098": msg25262, - "23099": msg25263, - "231": select156, - "2310": select2198, - "23100": msg25264, - "23101": msg25265, - "23102": msg25266, - "23103": msg25267, - "23104": msg25268, - "23105": msg25269, - "23106": msg25270, - "23107": msg25271, - "23108": msg25272, - "23109": msg25273, - "2311": select2199, - "23110": msg25274, - "23111": msg25275, - "23112": msg25276, - "23113": msg25277, - "23114": msg25278, - "23115": msg25279, - "23116": msg25280, - "23117": msg25281, - "23118": msg25282, - "23119": msg25283, - "2312": select2200, - "23120": msg25284, - "23121": msg25285, - "23122": msg25286, - "23123": msg25287, - "23124": msg25288, - "23125": msg25289, - "23126": msg25290, - "23127": msg25291, - "23128": msg25292, - "23129": msg25293, - "2313": select2201, - "23130": msg25294, - "23131": msg25295, - "23132": msg25296, - "23133": msg25297, - "23134": msg25298, - "23135": msg25299, - "23136": msg25300, - "23137": msg25301, - "23138": msg25302, - "23139": msg25303, - "2314": select2202, - "23140": msg25304, - "23141": msg25305, - "23142": msg25306, - "23143": msg25307, - "23144": msg25308, - "23145": msg25309, - "23146": msg25310, - "23147": msg25311, - "23148": msg25312, - "23149": msg25313, - "2315": select2203, - "23150": msg25314, - "23151": msg25315, - "23152": msg25316, - "23153": msg25317, - "23154": msg25318, - "23155": msg25319, - "23156": msg25320, - "23157": msg25321, - "23158": msg25322, - "23159": msg25323, - "2316": select2204, - "23160": msg25324, - "23161": msg25325, - "23162": msg25326, - "23163": msg25327, - "23164": msg25328, - "23165": msg25329, - "23166": msg25330, - "23167": msg25331, - "23168": msg25332, - "23169": msg25333, - "2317": select2205, - "23170": msg25334, - "23171": msg25335, - "23172": msg25336, - "23173": msg25337, - "23174": msg25338, - 
"23175": msg25339, - "23176": msg25340, - "23177": msg25341, - "23178": msg25342, - "23179": msg25343, - "2318": select2206, - "23180": msg25344, - "23181": msg25345, - "23182": msg25346, - "23183": msg25347, - "23184": msg25348, - "23185": msg25349, - "23186": msg25350, - "23187": msg25351, - "23188": msg25352, - "23189": msg25353, - "2319": select2207, - "23190": msg25354, - "23191": msg25355, - "23192": msg25356, - "23193": msg25357, - "23194": msg25358, - "23195": msg25359, - "23196": msg25360, - "23197": msg25361, - "23198": msg25362, - "23199": msg25363, - "232": select157, - "2320": select2208, - "23200": msg25364, - "23201": msg25365, - "23202": msg25366, - "23203": msg25367, - "23204": msg25368, - "23205": msg25369, - "23206": msg25370, - "23207": msg25371, - "23208": msg25372, - "23209": msg25373, - "2321": select2209, - "23210": msg25374, - "23211": msg25375, - "23212": msg25376, - "23213": msg25377, - "23214": msg25378, - "23215": msg25379, - "23216": msg25380, - "23217": msg25381, - "23218": msg25382, - "23219": msg25383, - "2322": select2210, - "23220": msg25384, - "23221": msg25385, - "23222": msg25386, - "23223": msg25387, - "23224": msg25388, - "23225": msg25389, - "23226": msg25390, - "23227": msg25391, - "23228": msg25392, - "23229": msg25393, - "2323": select2211, - "23230": msg25394, - "23231": msg25395, - "23232": msg25396, - "23233": msg25397, - "23234": msg25398, - "23235": msg25399, - "23236": msg25400, - "23237": msg25401, - "23238": msg25402, - "23239": msg25403, - "2324": select2212, - "23240": msg25404, - "23241": msg25405, - "23242": msg25406, - "23243": msg25407, - "23244": msg25408, - "23245": msg25409, - "23246": msg25410, - "23247": msg25411, - "23248": msg25412, - "23249": msg25413, - "2325": select2213, - "23250": msg25414, - "23251": msg25415, - "23252": msg25416, - "23253": msg25417, - "23254": msg25418, - "23255": msg25419, - "23256": msg25420, - "23257": msg25421, - "23258": msg25422, - "23259": msg25423, - "2326": 
select2214, - "23260": msg25424, - "23261": msg25425, - "23262": msg25426, - "23263": msg25427, - "23264": msg25428, - "23265": msg25429, - "23266": msg25430, - "23267": msg25431, - "23268": msg25432, - "23269": msg25433, - "2327": select2215, - "23270": msg25434, - "23271": msg25435, - "23272": msg25436, - "23273": msg25437, - "23274": msg25438, - "23275": msg25439, - "23276": msg25440, - "23277": msg25441, - "23278": msg25442, - "23279": msg25443, - "2328": select2216, - "23280": msg25444, - "23281": msg25445, - "23282": msg25446, - "23283": msg25447, - "23284": msg25448, - "23285": msg25449, - "23286": msg25450, - "23287": msg25451, - "23288": msg25452, - "23289": msg25453, - "2329": select2217, - "23290": msg25454, - "23291": msg25455, - "23292": msg25456, - "23293": msg25457, - "23294": msg25458, - "23295": msg25459, - "23296": msg25460, - "23297": msg25461, - "23298": msg25462, - "23299": msg25463, - "233": select158, - "2330": select2218, - "23300": msg25464, - "23301": msg25465, - "23302": msg25466, - "23303": msg25467, - "23304": msg25468, - "23305": msg25469, - "23306": msg25470, - "23307": msg25471, - "23308": msg25472, - "23309": msg25473, - "2331": select2219, - "23310": msg25474, - "23311": msg25475, - "23312": msg25476, - "23313": msg25477, - "23314": msg25478, - "23315": msg25479, - "23316": msg25480, - "23317": msg25481, - "23318": msg25482, - "23319": msg25483, - "2332": select2220, - "23320": msg25484, - "23321": msg25485, - "23322": msg25486, - "23323": msg25487, - "23324": msg25488, - "23325": msg25489, - "23326": msg25490, - "23327": msg25491, - "23328": msg25492, - "23329": msg25493, - "2333": select2221, - "23330": msg25494, - "23331": msg25495, - "23332": msg25496, - "23333": msg25497, - "23334": msg25498, - "23335": msg25499, - "23336": msg25500, - "23337": msg25501, - "23338": msg25502, - "23339": msg25503, - "2334": select2222, - "23340": msg25504, - "23341": msg25505, - "23342": msg25506, - "23343": msg25507, - "23344": msg25508, - 
"23345": msg25509, - "23346": msg25510, - "23347": msg25511, - "23348": msg25512, - "23349": msg25513, - "2335": select2223, - "23350": msg25514, - "23351": msg25515, - "23352": msg25516, - "23353": msg25517, - "23354": msg25518, - "23355": msg25519, - "23356": msg25520, - "23357": msg25521, - "23358": msg25522, - "23359": msg25523, - "2336": select2224, - "23360": msg25524, - "23361": msg25525, - "23362": msg25526, - "23363": msg25527, - "23364": msg25528, - "23365": msg25529, - "23366": msg25530, - "23367": msg25531, - "23368": msg25532, - "23369": msg25533, - "2337": select2225, - "23370": msg25534, - "23371": msg25535, - "23372": msg25536, - "23373": msg25537, - "23374": msg25538, - "23375": msg25539, - "23376": msg25540, - "23377": msg25541, - "23378": msg25542, - "23379": msg25543, - "2338": select2226, - "23380": msg25544, - "23381": msg25545, - "23382": msg25546, - "23383": msg25547, - "23384": msg25548, - "23385": msg25549, - "23386": msg25550, - "23387": msg25551, - "23388": msg25552, - "23389": msg25553, - "2339": select2227, - "23390": msg25554, - "23391": msg25555, - "23392": msg25556, - "23393": msg25557, - "23394": msg25558, - "23395": msg25559, - "23396": msg25560, - "23397": msg25561, - "23398": msg25562, - "23399": msg25563, - "234": select159, - "2340": select2228, - "23400": msg25564, - "23401": msg25565, - "23402": msg25566, - "23403": msg25567, - "23404": msg25568, - "23405": msg25569, - "23406": msg25570, - "23407": msg25571, - "23408": msg25572, - "23409": msg25573, - "2341": select2229, - "23410": msg25574, - "23411": msg25575, - "23412": msg25576, - "23413": msg25577, - "23414": msg25578, - "23415": msg25579, - "23416": msg25580, - "23417": msg25581, - "23418": msg25582, - "23419": msg25583, - "2342": select2230, - "23420": msg25584, - "23421": msg25585, - "23422": msg25586, - "23423": msg25587, - "23424": msg25588, - "23425": msg25589, - "23426": msg25590, - "23427": msg25591, - "23428": msg25592, - "23429": msg25593, - "2343": 
select2231, - "23430": msg25594, - "23431": msg25595, - "23432": msg25596, - "23433": msg25597, - "23434": msg25598, - "23435": msg25599, - "23436": msg25600, - "23437": msg25601, - "23438": msg25602, - "23439": msg25603, - "2344": select2232, - "23440": msg25604, - "23441": msg25605, - "23442": msg25606, - "23443": msg25607, - "23444": msg25608, - "23445": msg25609, - "23446": msg25610, - "23447": msg25611, - "23448": msg25612, - "23449": msg25613, - "2345": select2233, - "23450": msg25614, - "23451": msg25615, - "23452": msg25616, - "23453": msg25617, - "23454": msg25618, - "23455": msg25619, - "23456": msg25620, - "23457": msg25621, - "23458": msg25622, - "23459": msg25623, - "2346": select2234, - "23460": msg25624, - "23461": msg25625, - "23462": msg25626, - "23463": msg25627, - "23464": msg25628, - "23465": msg25629, - "23466": msg25630, - "23467": msg25631, - "23468": msg25632, - "23469": msg25633, - "2347": select2235, - "23470": msg25634, - "23471": msg25635, - "23472": msg25636, - "23473": msg25637, - "23474": msg25638, - "23475": msg25639, - "23476": msg25640, - "23477": msg25641, - "23478": msg25642, - "23479": msg25643, - "2348": select2236, - "23480": msg25644, - "23481": msg25645, - "23482": msg25646, - "23483": msg25647, - "23484": msg25648, - "23485": msg25649, - "23486": msg25650, - "23487": msg25651, - "23488": msg25652, - "23489": msg25653, - "2349": select2237, - "23490": msg25654, - "23491": msg25655, - "23492": msg25656, - "23493": msg25657, - "23494": msg25658, - "23495": msg25659, - "23496": msg25660, - "23497": msg25661, - "23498": msg25662, - "23499": msg25663, - "235": select160, - "2350": select2238, - "23500": msg25664, - "23501": msg25665, - "23502": msg25666, - "23503": msg25667, - "23504": msg25668, - "23505": msg25669, - "23506": msg25670, - "23507": msg25671, - "23508": msg25672, - "23509": msg25673, - "2351": select2239, - "23510": msg25674, - "23511": msg25675, - "23512": msg25676, - "23513": msg25677, - "23514": msg25678, - 
"23515": msg25679, - "23516": msg25680, - "23517": msg25681, - "23518": msg25682, - "23519": msg25683, - "2352": select2240, - "23520": msg25684, - "23521": msg25685, - "23522": msg25686, - "23523": msg25687, - "23524": msg25688, - "23525": msg25689, - "23526": msg25690, - "23527": msg25691, - "23528": msg25692, - "23529": msg25693, - "2353": select2241, - "23530": msg25694, - "23531": msg25695, - "23532": msg25696, - "23533": msg25697, - "23534": msg25698, - "23535": msg25699, - "23536": msg25700, - "23537": msg25701, - "23538": msg25702, - "23539": msg25703, - "2354": select2242, - "23540": msg25704, - "23541": msg25705, - "23542": msg25706, - "23543": msg25707, - "23544": msg25708, - "23545": msg25709, - "23546": msg25710, - "23547": msg25711, - "23548": msg25712, - "23549": msg25713, - "2355": select2243, - "23550": msg25714, - "23551": msg25715, - "23552": msg25716, - "23553": msg25717, - "23554": msg25718, - "23555": msg25719, - "23556": msg25720, - "23557": msg25721, - "23558": msg25722, - "23559": msg25723, - "2356": select2244, - "23560": msg25724, - "23561": msg25725, - "23562": msg25726, - "23563": msg25727, - "23564": msg25728, - "23565": msg25729, - "23566": msg25730, - "23567": msg25731, - "23568": msg25732, - "23569": msg25733, - "2357": select2245, - "23570": msg25734, - "23571": msg25735, - "23572": msg25736, - "23573": msg25737, - "23574": msg25738, - "23575": msg25739, - "23576": msg25740, - "23577": msg25741, - "23578": msg25742, - "23579": msg25743, - "2358": select2246, - "23580": msg25744, - "23581": msg25745, - "23582": msg25746, - "23583": msg25747, - "23584": msg25748, - "23585": msg25749, - "23586": msg25750, - "23587": msg25751, - "23588": msg25752, - "23589": msg25753, - "2359": select2247, - "23590": msg25754, - "23591": msg25755, - "23592": msg25756, - "23593": msg25757, - "23594": msg25758, - "23595": msg25759, - "23596": msg25760, - "23597": msg25761, - "23598": msg25762, - "23599": msg25763, - "236": select161, - "2360": 
select2248, - "23600": msg25764, - "23601": msg25765, - "23602": msg25766, - "23603": msg25767, - "23604": msg25768, - "23605": msg25769, - "23606": msg25770, - "23607": msg25771, - "23608": msg25772, - "23609": msg25773, - "2361": select2249, - "23610": msg25774, - "23611": msg25775, - "23612": msg25776, - "23613": msg25777, - "23614": msg25778, - "23615": msg25779, - "23616": msg25780, - "23617": msg25781, - "23618": msg25782, - "23619": msg25783, - "2362": select2250, - "23620": msg25784, - "23621": msg25785, - "23622": msg25786, - "23623": msg25787, - "23624": msg25788, - "23625": msg25789, - "23626": msg25790, - "23627": msg25791, - "23628": msg25792, - "23629": msg25793, - "2363": select2251, - "23630": msg25794, - "23631": msg25795, - "23632": msg25796, - "23633": msg25797, - "23634": msg25798, - "23635": msg25799, - "23636": msg25800, - "23637": msg25801, - "23638": msg25802, - "23639": msg25803, - "2364": select2252, - "23640": msg25804, - "23641": msg25805, - "23642": msg25806, - "23643": msg25807, - "23644": msg25808, - "23645": msg25809, - "23646": msg25810, - "23647": msg25811, - "23648": msg25812, - "23649": msg25813, - "2365": select2253, - "23650": msg25814, - "23651": msg25815, - "23652": msg25816, - "23653": msg25817, - "23654": msg25818, - "23655": msg25819, - "23656": msg25820, - "23657": msg25821, - "23658": msg25822, - "23659": msg25823, - "2366": select2254, - "23660": msg25824, - "23661": msg25825, - "23662": msg25826, - "23663": msg25827, - "23664": msg25828, - "23665": msg25829, - "23666": msg25830, - "23667": msg25831, - "23668": msg25832, - "23669": msg25833, - "2367": select2255, - "23670": msg25834, - "23671": msg25835, - "23672": msg25836, - "23673": msg25837, - "23674": msg25838, - "23675": msg25839, - "23676": msg25840, - "23677": msg25841, - "23678": msg25842, - "23679": msg25843, - "2368": select2256, - "23680": msg25844, - "23681": msg25845, - "23682": msg25846, - "23683": msg25847, - "23684": msg25848, - "23685": msg25849, - 
"23686": msg25850, - "23687": msg25851, - "23688": msg25852, - "23689": msg25853, - "2369": select2257, - "23690": msg25854, - "23691": msg25855, - "23692": msg25856, - "23693": msg25857, - "23694": msg25858, - "23695": msg25859, - "23696": msg25860, - "23697": msg25861, - "23698": msg25862, - "23699": msg25863, - "237": select162, - "2370": select2258, - "23700": msg25864, - "23701": msg25865, - "23702": msg25866, - "23703": msg25867, - "23704": msg25868, - "23705": msg25869, - "23706": msg25870, - "23707": msg25871, - "23708": msg25872, - "23709": msg25873, - "2371": select2259, - "23710": msg25874, - "23711": msg25875, - "23712": msg25876, - "23713": msg25877, - "23714": msg25878, - "23715": msg25879, - "23716": msg25880, - "23717": msg25881, - "23718": msg25882, - "23719": msg25883, - "2372": select2260, - "23720": msg25884, - "23721": msg25885, - "23722": msg25886, - "23723": msg25887, - "23724": msg25888, - "23725": msg25889, - "23726": msg25890, - "23727": msg25891, - "23728": msg25892, - "23729": msg25893, - "2373": select2261, - "23730": msg25894, - "23731": msg25895, - "23732": msg25896, - "23733": msg25897, - "23734": msg25898, - "23735": msg25899, - "23736": msg25900, - "23737": msg25901, - "23738": msg25902, - "23739": msg25903, - "2374": select2262, - "23740": msg25904, - "23741": msg25905, - "23742": msg25906, - "23743": msg25907, - "23744": msg25908, - "23745": msg25909, - "23746": msg25910, - "23747": msg25911, - "23748": msg25912, - "23749": msg25913, - "2375": select2263, - "23750": msg25914, - "23751": msg25915, - "23752": msg25916, - "23753": msg25917, - "23754": msg25918, - "23755": msg25919, - "23756": msg25920, - "23757": msg25921, - "23758": msg25922, - "23759": msg25923, - "2376": select2264, - "23760": msg25924, - "23761": msg25925, - "23762": msg25926, - "23763": msg25927, - "23764": msg25928, - "23765": msg25929, - "23766": msg25930, - "23767": msg25931, - "23768": msg25932, - "23769": msg25933, - "2377": select2265, - "23770": 
msg25934, - "23771": msg25935, - "23772": msg25936, - "23773": msg25937, - "23774": msg25938, - "23775": msg25939, - "23776": msg25940, - "23777": msg25941, - "23778": msg25942, - "23779": msg25943, - "2378": select2266, - "23780": msg25944, - "23781": msg25945, - "23782": msg25946, - "23783": msg25947, - "23784": msg25948, - "23785": msg25949, - "23786": msg25950, - "23787": msg25951, - "23788": msg25952, - "23789": msg25953, - "2379": select2267, - "23790": msg25954, - "23791": msg25955, - "23792": msg25956, - "23793": msg25957, - "23794": msg25958, - "23795": msg25959, - "23796": msg25960, - "23797": msg25961, - "23798": msg25962, - "23799": msg25963, - "238": select163, - "2380": select2268, - "23800": msg25964, - "23801": msg25965, - "23802": msg25966, - "23803": msg25967, - "23804": msg25968, - "23805": msg25969, - "23806": msg25970, - "23807": msg25971, - "23808": msg25972, - "23809": msg25973, - "2381": select2269, - "23810": msg25974, - "23811": msg25975, - "23812": msg25976, - "23813": msg25977, - "23814": msg25978, - "23815": msg25979, - "23816": msg25980, - "23817": msg25981, - "23818": msg25982, - "23819": msg25983, - "2382": select2270, - "23820": msg25984, - "23821": msg25985, - "23822": msg25986, - "23823": msg25987, - "23824": msg25988, - "23825": msg25989, - "23826": msg25990, - "23827": msg25991, - "23828": msg25992, - "23829": msg25993, - "2383": select2271, - "23830": msg25994, - "23831": msg25995, - "23832": msg25996, - "23833": msg25997, - "23834": msg25998, - "23835": msg25999, - "23836": msg26000, - "23837": msg26001, - "23838": msg26002, - "23839": msg26003, - "2384": select2272, - "23840": msg26004, - "23841": msg26005, - "23842": msg26006, - "23843": msg26007, - "23844": msg26008, - "23845": msg26009, - "23846": msg26010, - "23847": msg26011, - "23848": msg26012, - "23849": msg26013, - "2385": select2273, - "23850": msg26014, - "23851": msg26015, - "23852": msg26016, - "23853": msg26017, - "23854": msg26018, - "23855": msg26019, - 
"23856": msg26020, - "23857": msg26021, - "23858": msg26022, - "23859": msg26023, - "2386": select2274, - "23860": msg26024, - "23861": msg26025, - "23862": msg26026, - "23863": msg26027, - "23864": msg26028, - "23865": msg26029, - "23866": msg26030, - "23867": msg26031, - "23868": msg26032, - "23869": msg26033, - "2387": select2275, - "23870": msg26034, - "23871": msg26035, - "23872": msg26036, - "23873": msg26037, - "23874": msg26038, - "23875": msg26039, - "23876": msg26040, - "23877": msg26041, - "23878": msg26042, - "23879": msg26043, - "2388": select2276, - "23880": msg26044, - "23881": msg26045, - "23882": msg26046, - "23883": msg26047, - "23884": msg26048, - "23885": msg26049, - "23886": msg26050, - "23887": msg26051, - "23888": msg26052, - "23889": msg26053, - "2389": select2277, - "23890": msg26054, - "23891": msg26055, - "23892": msg26056, - "23893": msg26057, - "23894": msg26058, - "23895": msg26059, - "23896": msg26060, - "23897": msg26061, - "23898": msg26062, - "23899": msg26063, - "239": select164, - "2390": select2278, - "23900": msg26064, - "23901": msg26065, - "23902": msg26066, - "23903": msg26067, - "23904": msg26068, - "23905": msg26069, - "23906": msg26070, - "23907": msg26071, - "23908": msg26072, - "23909": msg26073, - "2391": select2279, - "23910": msg26074, - "23911": msg26075, - "23912": msg26076, - "23913": msg26077, - "23914": msg26078, - "23915": msg26079, - "23916": msg26080, - "23917": msg26081, - "23918": msg26082, - "23919": msg26083, - "2392": select2280, - "23920": msg26084, - "23921": msg26085, - "23922": msg26086, - "23923": msg26087, - "23924": msg26088, - "23925": msg26089, - "23926": msg26090, - "23927": msg26091, - "23928": msg26092, - "23929": msg26093, - "2393": select2281, - "23930": msg26094, - "23931": msg26095, - "23932": msg26096, - "23933": msg26097, - "23934": msg26098, - "23935": msg26099, - "23936": msg26100, - "23937": msg26101, - "23938": msg26102, - "23939": msg26103, - "2394": select2282, - "23940": 
msg26104, - "23941": msg26105, - "23942": msg26106, - "23943": msg26107, - "23944": msg26108, - "23945": msg26109, - "23946": msg26110, - "23947": msg26111, - "23948": msg26112, - "23949": msg26113, - "2395": select2283, - "23950": msg26114, - "23951": msg26115, - "23952": msg26116, - "23953": msg26117, - "23954": msg26118, - "23955": msg26119, - "23956": msg26120, - "23957": msg26121, - "23958": msg26122, - "23959": msg26123, - "2396": select2284, - "23960": msg26124, - "23961": msg26125, - "23962": msg26126, - "23963": msg26127, - "23964": msg26128, - "23965": msg26129, - "23966": msg26130, - "23967": msg26131, - "23968": msg26132, - "23969": msg26133, - "2397": select2285, - "23970": msg26134, - "23971": msg26135, - "23972": msg26136, - "23973": msg26137, - "23974": msg26138, - "23975": msg26139, - "23976": msg26140, - "23977": msg26141, - "23978": msg26142, - "23979": msg26143, - "2398": select2286, - "23980": msg26144, - "23981": msg26145, - "23982": msg26146, - "23983": msg26147, - "23984": msg26148, - "23985": msg26149, - "23986": msg26150, - "23987": msg26151, - "23988": msg26152, - "23989": msg26153, - "2399": select2287, - "23990": msg26154, - "23991": msg26155, - "23992": msg26156, - "23993": msg26157, - "23994": msg26158, - "23995": msg26159, - "23996": msg26160, - "23997": msg26161, - "23998": msg26162, - "23999": msg26163, - "24": msg57, - "240": select165, - "2400": select2288, - "24000": msg26164, - "24001": msg26165, - "24002": msg26166, - "24003": msg26167, - "24004": msg26168, - "24005": msg26169, - "24006": msg26170, - "24007": msg26171, - "24008": msg26172, - "24009": msg26173, - "2401": select2289, - "24010": msg26174, - "24011": msg26175, - "24012": msg26176, - "24013": msg26177, - "24014": msg26178, - "24015": msg26179, - "24016": msg26180, - "24017": msg26181, - "24018": msg26182, - "24019": msg26183, - "2402": select2290, - "24020": msg26184, - "24021": msg26185, - "24022": msg26186, - "24023": msg26187, - "24024": msg26188, - "24025": 
msg26189, - "24026": msg26190, - "24027": msg26191, - "24028": msg26192, - "24029": msg26193, - "2403": select2291, - "24030": msg26194, - "24031": msg26195, - "24032": msg26196, - "24033": msg26197, - "24034": msg26198, - "24035": msg26199, - "24036": msg26200, - "24037": msg26201, - "24038": msg26202, - "24039": msg26203, - "2404": select2292, - "24040": msg26204, - "2404003": msg38420, - "2404011": msg38421, - "2404013": msg38422, - "2404015": msg38423, - "2404016": msg38424, - "24041": msg26205, - "24042": msg26206, - "24043": msg26207, - "24044": msg26208, - "24045": msg26209, - "24046": msg26210, - "24047": msg26211, - "24048": msg26212, - "24049": msg26213, - "2405": select2293, - "24050": msg26214, - "24051": msg26215, - "24052": msg26216, - "24053": msg26217, - "24054": msg26218, - "24055": msg26219, - "24056": msg26220, - "24057": msg26221, - "24058": msg26222, - "24059": msg26223, - "2406": select2294, - "24060": msg26224, - "24061": msg26225, - "24062": msg26226, - "24063": msg26227, - "24064": msg26228, - "24065": msg26229, - "24066": msg26230, - "24067": msg26231, - "24068": msg26232, - "24069": msg26233, - "2407": select2295, - "24070": msg26234, - "24071": msg26235, - "24072": msg26236, - "24073": msg26237, - "24074": msg26238, - "24075": msg26239, - "24076": msg26240, - "24077": msg26241, - "24078": msg26242, - "24079": msg26243, - "2408": select2296, - "24080": msg26244, - "24081": msg26245, - "24082": msg26246, - "24083": msg26247, - "24084": msg26248, - "24085": msg26249, - "24086": msg26250, - "24087": msg26251, - "24088": msg26252, - "24089": msg26253, - "2409": select2297, - "24090": msg26254, - "24091": msg26255, - "24092": msg26256, - "24093": msg26257, - "24094": msg26258, - "24095": msg26259, - "24096": msg26260, - "24097": msg26261, - "24098": msg26262, - "24099": msg26263, - "241": select166, - "2410": select2298, - "24100": msg26264, - "24101": msg26265, - "24102": msg26266, - "24103": msg26267, - "24104": msg26268, - "24105": 
msg26269, - "24106": msg26270, - "24107": msg26271, - "24108": msg26272, - "24109": msg26273, - "2411": select2299, - "24110": msg26274, - "24111": msg26275, - "24112": msg26276, - "24113": msg26277, - "24114": msg26278, - "24115": msg26279, - "24116": msg26280, - "24117": msg26281, - "24118": msg26282, - "24119": msg26283, - "2412": select2300, - "24120": msg26284, - "24121": msg26285, - "24122": msg26286, - "24123": msg26287, - "24124": msg26288, - "24125": msg26289, - "24126": msg26290, - "24127": msg26291, - "24128": msg26292, - "24129": msg26293, - "2413": select2301, - "24130": msg26294, - "24131": msg26295, - "24132": msg26296, - "24133": msg26297, - "24134": msg26298, - "24135": msg26299, - "24136": msg26300, - "24137": msg26301, - "24138": msg26302, - "24139": msg26303, - "2414": select2302, - "24140": msg26304, - "24141": msg26305, - "24142": msg26306, - "24143": msg26307, - "24144": msg26308, - "24145": msg26309, - "24146": msg26310, - "24147": msg26311, - "24148": msg26312, - "24149": msg26313, - "2415": select2303, - "24150": msg26314, - "24151": msg26315, - "24152": msg26316, - "24153": msg26317, - "24154": msg26318, - "24155": msg26319, - "24156": msg26320, - "24157": msg26321, - "24158": msg26322, - "24159": msg26323, - "2416": select2304, - "24160": msg26324, - "24161": msg26325, - "24162": msg26326, - "24163": msg26327, - "24164": msg26328, - "24165": msg26329, - "24166": msg26330, - "24167": msg26331, - "24168": msg26332, - "24169": msg26333, - "2417": select2305, - "24170": msg26334, - "24171": msg26335, - "24172": msg26336, - "24173": msg26337, - "24174": msg26338, - "24175": msg26339, - "24176": msg26340, - "24177": msg26341, - "24178": msg26342, - "24179": msg26343, - "2418": select2306, - "24180": msg26344, - "24181": msg26345, - "24182": msg26346, - "24183": msg26347, - "24184": msg26348, - "24185": msg26349, - "24186": msg26350, - "24187": msg26351, - "24188": msg26352, - "24189": msg26353, - "2419": select2307, - "24190": msg26354, - 
"24191": msg26355, - "24192": msg26356, - "24193": msg26357, - "24194": msg26358, - "24195": msg26359, - "24196": msg26360, - "24197": msg26361, - "24198": msg26362, - "24199": msg26363, - "2420": select2308, - "24200": msg26364, - "24201": msg26365, - "24202": msg26366, - "24203": msg26367, - "24204": msg26368, - "24205": msg26369, - "24206": msg26370, - "24207": msg26371, - "24208": msg26372, - "24209": msg26373, - "2421": select2309, - "24210": msg26374, - "24211": msg26375, - "24212": msg26376, - "24213": msg26377, - "24214": msg26378, - "24215": msg26379, - "24216": msg26380, - "24217": msg26381, - "24218": msg26382, - "24219": msg26383, - "2422": select2310, - "24220": msg26384, - "24221": msg26385, - "24222": msg26386, - "24223": msg26387, - "24224": msg26388, - "24225": msg26389, - "24226": msg26390, - "24227": msg26391, - "24228": msg26392, - "24229": msg26393, - "2423": select2311, - "24230": msg26394, - "24231": msg26395, - "24232": msg26396, - "24233": msg26397, - "24234": msg26398, - "24235": msg26399, - "24236": msg26400, - "24237": msg26401, - "24238": msg26402, - "24239": msg26403, - "2424": select2312, - "24240": msg26404, - "24241": msg26405, - "24242": msg26406, - "24243": msg26407, - "24244": msg26408, - "24245": msg26409, - "24246": msg26410, - "24247": msg26411, - "24248": msg26412, - "24249": msg26413, - "2425": select2313, - "24250": msg26414, - "24251": msg26415, - "24252": msg26416, - "24253": msg26417, - "24254": msg26418, - "24255": msg26419, - "24256": msg26420, - "24257": msg26421, - "24258": msg26422, - "24259": msg26423, - "2426": select2314, - "24260": msg26424, - "24261": msg26425, - "24262": msg26426, - "24263": msg26427, - "24264": msg26428, - "24265": msg26429, - "24266": msg26430, - "24267": msg26431, - "24268": msg26432, - "24269": msg26433, - "2427": select2315, - "24270": msg26434, - "24271": msg26435, - "24272": msg26436, - "24273": msg26437, - "24274": msg26438, - "24275": msg26439, - "24276": msg26440, - "24277": 
msg26441, - "24278": msg26442, - "24279": msg26443, - "2428": select2316, - "24280": msg26444, - "24281": msg26445, - "24282": msg26446, - "24283": msg26447, - "24284": msg26448, - "24285": msg26449, - "24286": msg26450, - "24287": msg26451, - "24288": msg26452, - "24289": msg26453, - "2429": select2317, - "24290": msg26454, - "24291": msg26455, - "24292": msg26456, - "24293": msg26457, - "24294": msg26458, - "24295": msg26459, - "24296": msg26460, - "24297": msg26461, - "24298": msg26462, - "24299": msg26463, - "243": select167, - "2430": select2318, - "24300": msg26464, - "24301": msg26465, - "24302": msg26466, - "24303": msg26467, - "24304": msg26468, - "24305": msg26469, - "24306": msg26470, - "24307": msg26471, - "24308": msg26472, - "24309": msg26473, - "2431": select2319, - "24310": msg26474, - "24311": msg26475, - "24312": msg26476, - "24313": msg26477, - "24314": msg26478, - "24315": msg26479, - "24316": msg26480, - "24317": msg26481, - "24318": msg26482, - "24319": msg26483, - "2432": select2320, - "24320": msg26484, - "24321": msg26485, - "24322": msg26486, - "24323": msg26487, - "24324": msg26488, - "24325": msg26489, - "24326": msg26490, - "24327": msg26491, - "24328": msg26492, - "24329": msg26493, - "2433": select2321, - "24330": msg26494, - "24331": msg26495, - "24332": msg26496, - "24333": msg26497, - "24334": msg26498, - "24335": msg26499, - "24336": msg26500, - "24337": msg26501, - "24338": msg26502, - "24339": msg26503, - "2434": select2322, - "24340": msg26504, - "24341": msg26505, - "24342": msg26506, - "24343": msg26507, - "24344": msg26508, - "24345": msg26509, - "24346": msg26510, - "24347": msg26511, - "24348": msg26512, - "24349": msg26513, - "2435": select2323, - "24350": msg26514, - "24351": msg26515, - "24352": msg26516, - "24353": msg26517, - "24354": msg26518, - "24355": msg26519, - "24356": msg26520, - "24357": msg26521, - "24358": msg26522, - "24359": msg26523, - "2436": select2324, - "24360": msg26524, - "24361": msg26525, - 
"24362": msg26526, - "24363": msg26527, - "24364": msg26528, - "24365": msg26529, - "24366": msg26530, - "24367": msg26531, - "24368": msg26532, - "24369": msg26533, - "2437": select2325, - "24370": msg26534, - "24371": msg26535, - "24372": msg26536, - "24373": msg26537, - "24374": msg26538, - "24375": msg26539, - "24376": msg26540, - "24377": msg26541, - "24378": msg26542, - "24379": msg26543, - "2438": select2326, - "24380": msg26544, - "24381": msg26545, - "24382": msg26546, - "24383": msg26547, - "24384": msg26548, - "24385": msg26549, - "24386": msg26550, - "24387": msg26551, - "24388": msg26552, - "24389": msg26553, - "2439": select2327, - "24390": msg26554, - "24391": msg26555, - "24392": msg26556, - "24393": msg26557, - "24394": msg26558, - "24395": msg26559, - "24396": msg26560, - "24397": msg26561, - "24398": msg26562, - "24399": msg26563, - "244": select168, - "2440": select2328, - "24400": msg26564, - "24401": msg26565, - "24402": msg26566, - "24403": msg26567, - "24404": msg26568, - "24405": msg26569, - "24406": msg26570, - "24407": msg26571, - "24408": msg26572, - "24409": msg26573, - "2441": select2329, - "24410": msg26574, - "24411": msg26575, - "24412": msg26576, - "24413": msg26577, - "24414": msg26578, - "24415": msg26579, - "24416": msg26580, - "24417": msg26581, - "24418": msg26582, - "24419": msg26583, - "2442": select2330, - "24420": msg26584, - "24421": msg26585, - "24422": msg26586, - "24423": msg26587, - "24424": msg26588, - "24425": msg26589, - "24426": msg26590, - "24427": msg26591, - "24428": msg26592, - "24429": msg26593, - "2443": select2331, - "24430": msg26594, - "24431": msg26595, - "24432": msg26596, - "24433": msg26597, - "24434": msg26598, - "24435": msg26599, - "24436": msg26600, - "24437": msg26601, - "24438": msg26602, - "24439": msg26603, - "2444": select2332, - "24440": msg26604, - "24441": msg26605, - "24442": msg26606, - "24443": msg26607, - "24444": msg26608, - "24445": msg26609, - "24446": msg26610, - "24447": msg26611, 
- "24448": msg26612, - "24449": msg26613, - "2445": select2333, - "24450": msg26614, - "24451": msg26615, - "24452": msg26616, - "24453": msg26617, - "24454": msg26618, - "24455": msg26619, - "24456": msg26620, - "24457": msg26621, - "24458": msg26622, - "24459": msg26623, - "2446": select2334, - "24460": msg26624, - "24461": msg26625, - "24462": msg26626, - "24463": msg26627, - "24464": msg26628, - "24465": msg26629, - "24466": msg26630, - "24467": msg26631, - "24468": msg26632, - "24469": msg26633, - "2447": select2335, - "24470": msg26634, - "24471": msg26635, - "24472": msg26636, - "24473": msg26637, - "24474": msg26638, - "24475": msg26639, - "24476": msg26640, - "24477": msg26641, - "24478": msg26642, - "24479": msg26643, - "2448": select2336, - "24480": msg26644, - "24481": msg26645, - "24482": msg26646, - "24483": msg26647, - "24484": msg26648, - "24485": msg26649, - "24486": msg26650, - "24487": msg26651, - "24488": msg26652, - "24489": msg26653, - "2449": select2337, - "24490": msg26654, - "24491": msg26655, - "24492": msg26656, - "24493": msg26657, - "24494": msg26658, - "24495": msg26659, - "24496": msg26660, - "24497": msg26661, - "24498": msg26662, - "24499": msg26663, - "245": select169, - "2450": select2338, - "24500": msg26664, - "24501": msg26665, - "24502": msg26666, - "24503": msg26667, - "24504": msg26668, - "24505": msg26669, - "24506": msg26670, - "24507": msg26671, - "24508": msg26672, - "24509": msg26673, - "2451": select2339, - "24510": msg26674, - "24511": msg26675, - "24512": msg26676, - "24513": msg26677, - "24514": msg26678, - "24515": msg26679, - "24516": msg26680, - "24517": msg26681, - "24518": msg26682, - "24519": msg26683, - "2452": select2340, - "24520": msg26684, - "24521": msg26685, - "24522": msg26686, - "24523": msg26687, - "24524": msg26688, - "24525": msg26689, - "24526": msg26690, - "24527": msg26691, - "24528": msg26692, - "24529": msg26693, - "2453": select2341, - "24530": msg26694, - "24531": msg26695, - "24532": 
msg26696, - "24533": msg26697, - "24534": msg26698, - "24535": msg26699, - "24536": msg26700, - "24537": msg26701, - "24538": msg26702, - "24539": msg26703, - "2454": select2342, - "24540": msg26704, - "24541": msg26705, - "24542": msg26706, - "24543": msg26707, - "24544": msg26708, - "24545": msg26709, - "24546": msg26710, - "24547": msg26711, - "24548": msg26712, - "24549": msg26713, - "2455": select2343, - "24550": msg26714, - "24551": msg26715, - "24552": msg26716, - "24553": msg26717, - "24554": msg26718, - "24555": msg26719, - "24556": msg26720, - "24557": msg26721, - "24558": msg26722, - "24559": msg26723, - "2456": select2344, - "24560": msg26724, - "24561": msg26725, - "24562": msg26726, - "24563": msg26727, - "24564": msg26728, - "24565": msg26729, - "24566": msg26730, - "24567": msg26731, - "24568": msg26732, - "24569": msg26733, - "2457": select2345, - "24570": msg26734, - "24571": msg26735, - "24572": msg26736, - "24573": msg26737, - "24574": msg26738, - "24575": msg26739, - "24576": msg26740, - "24577": msg26741, - "24578": msg26742, - "24579": msg26743, - "2458": select2346, - "24580": msg26744, - "24581": msg26745, - "24582": msg26746, - "24583": msg26747, - "24584": msg26748, - "24585": msg26749, - "24586": msg26750, - "24587": msg26751, - "24588": msg26752, - "24589": msg26753, - "2459": select2347, - "24590": msg26754, - "24591": msg26755, - "24592": msg26756, - "24593": msg26757, - "24594": msg26758, - "24595": msg26759, - "24596": msg26760, - "24597": msg26761, - "24598": msg26762, - "24599": msg26763, - "246": select170, - "2460": select2348, - "24600": msg26764, - "24601": msg26765, - "24602": msg26766, - "24603": msg26767, - "24604": msg26768, - "24605": msg26769, - "24606": msg26770, - "24607": msg26771, - "24608": msg26772, - "24609": msg26773, - "2461": select2349, - "24610": msg26774, - "24611": msg26775, - "24612": msg26776, - "24613": msg26777, - "24614": msg26778, - "24615": msg26779, - "24616": msg26780, - "24617": msg26781, - 
"24618": msg26782, - "24619": msg26783, - "2462": select2350, - "24620": msg26784, - "24621": msg26785, - "24622": msg26786, - "24623": msg26787, - "24624": msg26788, - "24625": msg26789, - "24626": msg26790, - "24627": msg26791, - "24628": msg26792, - "24629": msg26793, - "2463": select2351, - "24630": msg26794, - "24631": msg26795, - "24632": msg26796, - "24633": msg26797, - "24634": msg26798, - "24635": msg26799, - "24636": msg26800, - "24637": msg26801, - "24638": msg26802, - "24639": msg26803, - "2464": select2352, - "24640": msg26804, - "24641": msg26805, - "24642": msg26806, - "24643": msg26807, - "24644": msg26808, - "24645": msg26809, - "24646": msg26810, - "24647": msg26811, - "24648": msg26812, - "24649": msg26813, - "2465": select2353, - "24650": msg26814, - "24651": msg26815, - "24652": msg26816, - "24653": msg26817, - "24654": msg26818, - "24655": msg26819, - "24656": msg26820, - "24657": msg26821, - "24658": msg26822, - "24659": msg26823, - "2466": select2354, - "24660": msg26824, - "24661": msg26825, - "24662": msg26826, - "24663": msg26827, - "24664": msg26828, - "24665": msg26829, - "24666": msg26830, - "24667": msg26831, - "24668": msg26832, - "24669": msg26833, - "2467": select2355, - "24670": msg26834, - "24671": msg26835, - "24672": msg26836, - "24673": msg26837, - "24674": msg26838, - "24675": msg26839, - "24676": msg26840, - "24677": msg26841, - "24678": msg26842, - "24679": msg26843, - "2468": select2356, - "24680": msg26844, - "24681": msg26845, - "24682": msg26846, - "24683": msg26847, - "24684": msg26848, - "24685": msg26849, - "24686": msg26850, - "24687": msg26851, - "24688": msg26852, - "24689": msg26853, - "2469": select2357, - "24690": msg26854, - "24691": msg26855, - "24692": msg26856, - "24693": msg26857, - "24694": msg26858, - "24695": msg26859, - "24696": msg26860, - "24697": msg26861, - "24698": msg26862, - "24699": msg26863, - "247": select171, - "2470": select2358, - "24700": msg26864, - "24701": msg26865, - "24702": 
msg26866, - "24703": msg26867, - "24704": msg26868, - "24705": msg26869, - "24706": msg26870, - "24707": msg26871, - "24708": msg26872, - "24709": msg26873, - "2471": select2359, - "24710": msg26874, - "24711": msg26875, - "24712": msg26876, - "24713": msg26877, - "24714": msg26878, - "24715": msg26879, - "24716": msg26880, - "24717": msg26881, - "24718": msg26882, - "24719": msg26883, - "2472": select2360, - "24720": msg26884, - "24721": msg26885, - "24722": msg26886, - "24723": msg26887, - "24724": msg26888, - "24725": msg26889, - "24726": msg26890, - "24727": msg26891, - "24728": msg26892, - "24729": msg26893, - "2473": select2361, - "24730": msg26894, - "24731": msg26895, - "24732": msg26896, - "24733": msg26897, - "24734": msg26898, - "24735": msg26899, - "24736": msg26900, - "24737": msg26901, - "24738": msg26902, - "24739": msg26903, - "2474": select2362, - "24740": msg26904, - "24741": msg26905, - "24742": msg26906, - "24743": msg26907, - "24744": msg26908, - "24745": msg26909, - "24746": msg26910, - "24747": msg26911, - "24748": msg26912, - "24749": msg26913, - "2475": select2363, - "24750": msg26914, - "24751": msg26915, - "24752": msg26916, - "24753": msg26917, - "24754": msg26918, - "24755": msg26919, - "24756": msg26920, - "24757": msg26921, - "24758": msg26922, - "24759": msg26923, - "2476": select2364, - "24760": msg26924, - "24761": msg26925, - "24762": msg26926, - "24763": msg26927, - "24764": msg26928, - "24765": msg26929, - "24766": msg26930, - "24767": msg26931, - "24768": msg26932, - "24769": msg26933, - "2477": select2365, - "24770": msg26934, - "24771": msg26935, - "24772": msg26936, - "24773": msg26937, - "24774": msg26938, - "24775": msg26939, - "24776": msg26940, - "24777": msg26941, - "24778": msg26942, - "24779": msg26943, - "2478": select2366, - "24780": msg26944, - "24781": msg26945, - "24782": msg26946, - "24783": msg26947, - "24784": msg26948, - "24785": msg26949, - "24786": msg26950, - "24787": msg26951, - "24788": msg26952, - 
"24789": msg26953, - "2479": select2367, - "24790": msg26954, - "24791": msg26955, - "24792": msg26956, - "24793": msg26957, - "24794": msg26958, - "24795": msg26959, - "24796": msg26960, - "24797": msg26961, - "24798": msg26962, - "24799": msg26963, - "248": select172, - "2480": select2368, - "24800": msg26964, - "24801": msg26965, - "24802": msg26966, - "24803": msg26967, - "24804": msg26968, - "24805": msg26969, - "24806": msg26970, - "24807": msg26971, - "24808": msg26972, - "24809": msg26973, - "2481": select2369, - "24810": msg26974, - "24811": msg26975, - "24812": msg26976, - "24813": msg26977, - "24814": msg26978, - "24815": msg26979, - "24816": msg26980, - "24817": msg26981, - "24818": msg26982, - "24819": msg26983, - "2482": select2370, - "24820": msg26984, - "24821": msg26985, - "24822": msg26986, - "24823": msg26987, - "24824": msg26988, - "24825": msg26989, - "24826": msg26990, - "24827": msg26991, - "24828": msg26992, - "24829": msg26993, - "2483": select2371, - "24830": msg26994, - "24831": msg26995, - "24832": msg26996, - "24833": msg26997, - "24834": msg26998, - "24835": msg26999, - "24836": msg27000, - "24837": msg27001, - "24838": msg27002, - "24839": msg27003, - "2484": select2372, - "24840": msg27004, - "24841": msg27005, - "24842": msg27006, - "24843": msg27007, - "24844": msg27008, - "24845": msg27009, - "24846": msg27010, - "24847": msg27011, - "24848": msg27012, - "24849": msg27013, - "2485": select2373, - "24850": msg27014, - "24851": msg27015, - "24852": msg27016, - "24853": msg27017, - "24854": msg27018, - "24855": msg27019, - "24856": msg27020, - "24857": msg27021, - "24858": msg27022, - "24859": msg27023, - "2486": select2374, - "24860": msg27024, - "24861": msg27025, - "24862": msg27026, - "24863": msg27027, - "24864": msg27028, - "24865": msg27029, - "24866": msg27030, - "24867": msg27031, - "24868": msg27032, - "24869": msg27033, - "2487": select2375, - "24870": msg27034, - "24871": msg27035, - "24872": msg27036, - "24873": 
msg27037, - "24874": msg27038, - "24875": msg27039, - "24876": msg27040, - "24877": msg27041, - "24878": msg27042, - "24879": msg27043, - "2488": select2376, - "24880": msg27044, - "24881": msg27045, - "24882": msg27046, - "24883": msg27047, - "24884": msg27048, - "24885": msg27049, - "24886": msg27050, - "24887": msg27051, - "24888": msg27052, - "24889": msg27053, - "2489": select2377, - "24890": msg27054, - "24891": msg27055, - "24892": msg27056, - "24893": msg27057, - "24894": msg27058, - "24895": msg27059, - "24896": msg27060, - "24897": msg27061, - "24898": msg27062, - "24899": msg27063, - "249": select173, - "2490": select2378, - "24900": msg27064, - "24901": msg27065, - "24902": msg27066, - "24903": msg27067, - "24904": msg27068, - "24905": msg27069, - "24906": msg27070, - "24907": msg27071, - "24908": msg27072, - "24909": msg27073, - "2491": select2379, - "24910": msg27074, - "24911": msg27075, - "24912": msg27076, - "24913": msg27077, - "24914": msg27078, - "24915": msg27079, - "24916": msg27080, - "24917": msg27081, - "24918": msg27082, - "2492": select2380, - "2493": select2381, - "2494": select2382, - "2495": select2383, - "24955": msg27083, - "24956": msg27084, - "24957": msg27085, - "24958": msg27086, - "24959": msg27087, - "2496": select2384, - "24960": msg27088, - "24961": msg27089, - "24962": msg27090, - "24963": msg27091, - "24964": msg27092, - "24965": msg27093, - "24966": msg27094, - "24967": msg27095, - "24968": msg27096, - "24969": msg27097, - "2497": select2385, - "24970": msg27098, - "24971": msg27099, - "24972": msg27100, - "24973": msg27101, - "24974": msg27102, - "24975": msg27103, - "24976": msg27104, - "24977": msg27105, - "24978": msg27106, - "24979": msg27107, - "2498": select2386, - "24980": msg27108, - "24981": msg27109, - "24982": msg27110, - "24983": msg27111, - "24984": msg27112, - "24985": msg27113, - "24986": msg27114, - "24987": msg27115, - "24988": msg27116, - "24989": msg27117, - "2499": select2387, - "24990": msg27118, - 
"24991": msg27119, - "24992": msg27120, - "24993": msg27121, - "24994": msg27122, - "24995": msg27123, - "24996": msg27124, - "24997": msg27125, - "24998": msg27126, - "24999": msg27127, - "25": select24, - "250": select174, - "2500": select2388, - "25000": msg27128, - "25001": msg27129, - "25002": msg27130, - "25003": msg27131, - "25004": msg27132, - "25005": msg27133, - "25006": msg27134, - "25007": msg27135, - "25008": msg27136, - "25009": msg27137, - "2501": select2389, - "25010": msg27138, - "25011": msg27139, - "25012": msg27140, - "25013": msg27141, - "25014": msg27142, - "25015": msg27143, - "25016": msg27144, - "25017": msg27145, - "25018": msg27146, - "25019": msg27147, - "2502": select2390, - "25020": msg27148, - "25021": msg27149, - "25022": msg27150, - "25023": msg27151, - "25024": msg27152, - "25025": msg27153, - "25026": msg27154, - "25027": msg27155, - "25028": msg27156, - "25029": msg27157, - "2503": select2391, - "25030": msg27158, - "25031": msg27159, - "25032": msg27160, - "25033": msg27161, - "25034": msg27162, - "25035": msg27163, - "25036": msg27164, - "25037": msg27165, - "25038": msg27166, - "25039": msg27167, - "2504": select2392, - "25040": msg27168, - "25041": msg27169, - "25042": msg27170, - "25043": msg27171, - "25044": msg27172, - "25045": msg27173, - "25046": msg27174, - "25047": msg27175, - "25048": msg27176, - "25049": msg27177, - "2505": select2393, - "25050": msg27178, - "25051": msg27179, - "25052": msg27180, - "25053": msg27181, - "25054": msg27182, - "25055": msg27183, - "25056": msg27184, - "25057": msg27185, - "25058": msg27186, - "25059": msg27187, - "2506": select2394, - "25060": msg27188, - "25061": msg27189, - "25062": msg27190, - "25063": msg27191, - "25064": msg27192, - "25065": msg27193, - "25066": msg27194, - "25067": msg27195, - "25068": msg27196, - "25069": msg27197, - "2507": select2395, - "25070": msg27198, - "25071": msg27199, - "25072": msg27200, - "25073": msg27201, - "25074": msg27202, - "25075": msg27203, - 
"25076": msg27204, - "25077": msg27205, - "25078": msg27206, - "25079": msg27207, - "2508": select2396, - "25080": msg27208, - "25081": msg27209, - "25082": msg27210, - "25083": msg27211, - "25084": msg27212, - "25085": msg27213, - "25086": msg27214, - "25087": msg27215, - "25088": msg27216, - "25089": msg27217, - "2509": select2397, - "25090": msg27218, - "25091": msg27219, - "25092": msg27220, - "25093": msg27221, - "25094": msg27222, - "25095": msg27223, - "25096": msg27224, - "25097": msg27225, - "25098": msg27226, - "25099": msg27227, - "251": select175, - "2510": select2398, - "25100": msg27228, - "25101": msg27229, - "25102": msg27230, - "25103": msg27231, - "25104": msg27232, - "25105": msg27233, - "25106": msg27234, - "25107": msg27235, - "25108": msg27236, - "25109": msg27237, - "2511": select2399, - "25110": msg27238, - "25111": msg27239, - "25112": msg27240, - "25113": msg27241, - "25114": msg27242, - "25115": msg27243, - "25116": msg27244, - "25117": msg27245, - "25118": msg27246, - "25119": msg27247, - "2512": select2400, - "25120": msg27248, - "25121": msg27249, - "25122": msg27250, - "25123": msg27251, - "25124": msg27252, - "25125": msg27253, - "25126": msg27254, - "25127": msg27255, - "25128": msg27256, - "25129": msg27257, - "2513": select2401, - "25130": msg27258, - "25131": msg27259, - "25132": msg27260, - "25133": msg27261, - "25134": msg27262, - "25135": msg27263, - "25136": msg27264, - "25137": msg27265, - "25138": msg27266, - "25139": msg27267, - "2514": select2402, - "25140": msg27268, - "25141": msg27269, - "25142": msg27270, - "25143": msg27271, - "25144": msg27272, - "25145": msg27273, - "25146": msg27274, - "25147": msg27275, - "25148": msg27276, - "25149": msg27277, - "2515": select2403, - "25150": msg27278, - "25151": msg27279, - "25152": msg27280, - "25153": msg27281, - "25154": msg27282, - "25155": msg27283, - "25156": msg27284, - "25157": msg27285, - "25158": msg27286, - "25159": msg27287, - "2516": select2404, - "25160": 
msg27288, - "25161": msg27289, - "25162": msg27290, - "25163": msg27291, - "25164": msg27292, - "25165": msg27293, - "25166": msg27294, - "25167": msg27295, - "25168": msg27296, - "25169": msg27297, - "2517": select2405, - "25170": msg27298, - "25171": msg27299, - "25172": msg27300, - "25173": msg27301, - "25174": msg27302, - "25175": msg27303, - "25176": msg27304, - "25177": msg27305, - "25178": msg27306, - "25179": msg27307, - "2518": select2406, - "25180": msg27308, - "25181": msg27309, - "25182": msg27310, - "25183": msg27311, - "25184": msg27312, - "25185": msg27313, - "25186": msg27314, - "25187": msg27315, - "25188": msg27316, - "25189": msg27317, - "2519": select2407, - "25190": msg27318, - "25191": msg27319, - "25192": msg27320, - "25193": msg27321, - "25194": msg27322, - "25195": msg27323, - "25196": msg27324, - "25197": msg27325, - "25198": msg27326, - "25199": msg27327, - "252": select176, - "2520": select2408, - "25200": msg27328, - "25201": msg27329, - "25202": msg27330, - "25203": msg27331, - "25204": msg27332, - "25205": msg27333, - "25206": msg27334, - "25207": msg27335, - "25208": msg27336, - "25209": msg27337, - "2521": select2409, - "25210": msg27338, - "25211": msg27339, - "25212": msg27340, - "25213": msg27341, - "25214": msg27342, - "25215": msg27343, - "25216": msg27344, - "25217": msg27345, - "25218": msg27346, - "25219": msg27347, - "2522": select2410, - "25220": msg27348, - "25221": msg27349, - "25222": msg27350, - "25223": msg27351, - "25224": msg27352, - "25225": msg27353, - "25226": msg27354, - "25227": msg27355, - "25228": msg27356, - "25229": msg27357, - "2523": select2411, - "25230": msg27358, - "25231": msg27359, - "25232": msg27360, - "25233": msg27361, - "25234": msg27362, - "25235": msg27363, - "25236": msg27364, - "25237": msg27365, - "25238": msg27366, - "25239": msg27367, - "2524": select2412, - "25240": msg27368, - "25241": msg27369, - "25242": msg27370, - "25243": msg27371, - "25244": msg27372, - "25245": msg27373, - 
"25246": msg27374, - "25247": msg27375, - "25248": msg27376, - "25249": msg27377, - "2525": select2413, - "25250": msg27378, - "25251": msg27379, - "25252": msg27380, - "25253": msg27381, - "25254": msg27382, - "25255": msg27383, - "25256": msg27384, - "25257": msg27385, - "25258": msg27386, - "25259": msg27387, - "2526": select2414, - "25260": msg27388, - "25261": msg27389, - "25262": msg27390, - "25263": msg27391, - "25264": msg27392, - "25265": msg27393, - "25266": msg27394, - "25267": msg27395, - "25268": msg27396, - "25269": msg27397, - "2527": select2415, - "25270": msg27398, - "25271": msg27399, - "25272": msg27400, - "25273": msg27401, - "25274": msg27402, - "25275": msg27403, - "25276": msg27404, - "25277": msg27405, - "25278": msg27406, - "25279": msg27407, - "2528": select2416, - "25280": msg27408, - "25281": msg27409, - "25282": msg27410, - "25283": msg27411, - "25284": msg27412, - "25285": msg27413, - "25286": msg27414, - "25287": msg27415, - "25288": msg27416, - "25289": msg27417, - "2529": select2417, - "25290": msg27418, - "25291": msg27419, - "25292": msg27420, - "25293": msg27421, - "25294": msg27422, - "25295": msg27423, - "25296": msg27424, - "25297": msg27425, - "25298": msg27426, - "25299": msg27427, - "253": select177, - "2530": select2418, - "25300": msg27428, - "25301": msg27429, - "25302": msg27430, - "25303": msg27431, - "25304": msg27432, - "25305": msg27433, - "25306": msg27434, - "25307": msg27435, - "25308": msg27436, - "25309": msg27437, - "2531": select2419, - "25310": msg27438, - "25311": msg27439, - "25312": msg27440, - "25313": msg27441, - "25314": msg27442, - "25315": msg27443, - "25316": msg27444, - "25317": msg27445, - "25318": msg27446, - "25319": msg27447, - "2532": select2420, - "25320": msg27448, - "25321": msg27449, - "25322": msg27450, - "25323": msg27451, - "25324": msg27452, - "25325": msg27453, - "25326": msg27454, - "25327": msg27455, - "25328": msg27456, - "25329": msg27457, - "2533": select2421, - "25330": 
msg27458, - "25331": msg27459, - "25332": msg27460, - "25333": msg27461, - "25334": msg27462, - "25335": msg27463, - "25336": msg27464, - "25337": msg27465, - "25338": msg27466, - "25339": msg27467, - "2534": select2422, - "25340": msg27468, - "25341": msg27469, - "25342": msg27470, - "25343": msg27471, - "25344": msg27472, - "25345": msg27473, - "25346": msg27474, - "25347": msg27475, - "25348": msg27476, - "25349": msg27477, - "2535": select2423, - "25350": msg27478, - "25351": msg27479, - "25352": msg27480, - "25353": msg27481, - "25354": msg27482, - "25355": msg27483, - "25356": msg27484, - "25357": msg27485, - "25358": msg27486, - "25359": msg27487, - "2536": select2424, - "25360": msg27488, - "25361": msg27489, - "25362": msg27490, - "25363": msg27491, - "25364": msg27492, - "25365": msg27493, - "25366": msg27494, - "25367": msg27495, - "25368": msg27496, - "25369": msg27497, - "2537": select2425, - "25370": msg27498, - "25371": msg27499, - "25372": msg27500, - "25373": msg27501, - "25374": msg27502, - "25375": msg27503, - "25376": msg27504, - "25377": msg27505, - "25378": msg27506, - "25379": msg27507, - "2538": select2426, - "25380": msg27508, - "25381": msg27509, - "25382": msg27510, - "25383": msg27511, - "25384": msg27512, - "25385": msg27513, - "25386": msg27514, - "25387": msg27515, - "25388": msg27516, - "25389": msg27517, - "2539": select2427, - "25390": msg27518, - "25391": msg27519, - "25392": msg27520, - "25393": msg27521, - "25394": msg27522, - "25395": msg27523, - "25396": msg27524, - "25397": msg27525, - "25398": msg27526, - "25399": msg27527, - "254": select178, - "2540": select2428, - "25400": msg27528, - "25401": msg27529, - "25402": msg27530, - "25403": msg27531, - "25404": msg27532, - "25405": msg27533, - "25406": msg27534, - "25407": msg27535, - "25408": msg27536, - "25409": msg27537, - "2541": select2429, - "25410": msg27538, - "25411": msg27539, - "25412": msg27540, - "25413": msg27541, - "25414": msg27542, - "25415": msg27543, - 
"25416": msg27544, - "25417": msg27545, - "25418": msg27546, - "25419": msg27547, - "2542": select2430, - "25420": msg27548, - "25421": msg27549, - "25422": msg27550, - "25423": msg27551, - "25424": msg27552, - "25425": msg27553, - "25426": msg27554, - "25427": msg27555, - "25428": msg27556, - "25429": msg27557, - "2543": select2431, - "25430": msg27558, - "25431": msg27559, - "25432": msg27560, - "25433": msg27561, - "25434": msg27562, - "25435": msg27563, - "25436": msg27564, - "25437": msg27565, - "25438": msg27566, - "25439": msg27567, - "2544": select2432, - "25440": msg27568, - "25441": msg27569, - "25442": msg27570, - "25443": msg27571, - "25444": msg27572, - "25445": msg27573, - "25446": msg27574, - "25447": msg27575, - "25448": msg27576, - "25449": msg27577, - "2545": select2433, - "25450": msg27578, - "25451": msg27579, - "25452": msg27580, - "25453": msg27581, - "25454": msg27582, - "25455": msg27583, - "25456": msg27584, - "25457": msg27585, - "25458": msg27586, - "25459": msg27587, - "2546": select2434, - "25460": msg27588, - "25461": msg27589, - "25462": msg27590, - "25463": msg27591, - "25464": msg27592, - "25465": msg27593, - "25466": msg27594, - "25467": msg27595, - "25468": msg27596, - "25469": msg27597, - "2547": select2435, - "25470": msg27598, - "25471": msg27599, - "25472": msg27600, - "25473": msg27601, - "25474": msg27602, - "25475": msg27603, - "25476": msg27604, - "25477": msg27605, - "25478": msg27606, - "25479": msg27607, - "2548": select2436, - "2549": select2437, - "255": select179, - "2550": select2438, - "25502": msg27608, - "25503": msg27609, - "25504": msg27610, - "25505": msg27611, - "25506": msg27612, - "25507": msg27613, - "25508": msg27614, - "25509": msg27615, - "2551": msg5001, - "25510": msg27616, - "25511": msg27617, - "25512": msg27618, - "25513": msg27619, - "25514": msg27620, - "25515": msg27621, - "25516": msg27622, - "25517": msg27623, - "25518": msg27624, - "25519": msg27625, - "2552": msg5002, - "25520": msg27626, - 
"25521": msg27627, - "25522": msg27628, - "25523": msg27629, - "25524": msg27630, - "25525": msg27631, - "25526": msg27632, - "25527": msg27633, - "25528": msg27634, - "25529": msg27635, - "2553": msg5003, - "25530": msg27636, - "25531": msg27637, - "25532": msg27638, - "25533": msg27639, - "25534": msg27640, - "25535": msg27641, - "25536": msg27642, - "25537": msg27643, - "25538": msg27644, - "25539": msg27645, - "2554": msg5004, - "25540": msg27646, - "25541": msg27647, - "25542": msg27648, - "25543": msg27649, - "25544": msg27650, - "25545": msg27651, - "25546": msg27652, - "25547": msg27653, - "25548": msg27654, - "25549": msg27655, - "2555": msg5005, - "25550": msg27656, - "25551": msg27657, - "25552": msg27658, - "25553": msg27659, - "25554": msg27660, - "25555": msg27661, - "25556": msg27662, - "25557": msg27663, - "25558": msg27664, - "25559": msg27665, - "2556": msg5006, - "25560": msg27666, - "25561": msg27667, - "25562": msg27668, - "25563": msg27669, - "25564": msg27670, - "25565": msg27671, - "25566": msg27672, - "25567": msg27673, - "25568": msg27674, - "25569": msg27675, - "2557": msg5007, - "25570": msg27676, - "25571": msg27677, - "25572": msg27678, - "25573": msg27679, - "25574": msg27680, - "25575": msg27681, - "25576": msg27682, - "25577": msg27683, - "25578": msg27684, - "25579": msg27685, - "2558": msg5008, - "25580": msg27686, - "25581": msg27687, - "25582": msg27688, - "25583": msg27689, - "25584": msg27690, - "25585": msg27691, - "25586": msg27692, - "25587": msg27693, - "25588": msg27694, - "25589": msg27695, - "2559": msg5009, - "25590": msg27696, - "25591": msg27697, - "25592": msg27698, - "25593": msg27699, - "25594": msg27700, - "25595": msg27701, - "25596": msg27702, - "25597": msg27703, - "25598": msg27704, - "25599": msg27705, - "256": select180, - "2560": msg5010, - "25600": msg27706, - "25601": msg27707, - "25602": msg27708, - "25603": msg27709, - "25604": msg27710, - "25605": msg27711, - "25606": msg27712, - "25607": msg27713, - 
"25608": msg27714, - "25609": msg27715, - "2561": msg5011, - "25610": msg27716, - "25611": msg27717, - "25612": msg27718, - "25613": msg27719, - "25614": msg27720, - "25615": msg27721, - "25616": msg27722, - "25617": msg27723, - "25618": msg27724, - "25619": msg27725, - "2562": msg5012, - "25620": msg27726, - "25621": msg27727, - "25622": msg27728, - "25623": msg27729, - "25624": msg27730, - "25625": msg27731, - "25626": msg27732, - "25627": msg27733, - "25628": msg27734, - "2563": msg5013, - "25630": msg27735, - "25631": msg27736, - "25632": msg27737, - "25633": msg27738, - "25634": msg27739, - "25635": msg27740, - "25636": msg27741, - "25637": msg27742, - "25638": msg27743, - "25639": msg27744, - "2564": msg5014, - "25640": msg27745, - "25641": msg27746, - "25642": msg27747, - "25643": msg27748, - "25644": msg27749, - "25645": msg27750, - "25646": msg27751, - "25647": msg27752, - "25648": msg27753, - "25649": msg27754, - "2565": msg5015, - "25650": msg27755, - "25651": msg27756, - "25652": msg27757, - "25653": msg27758, - "25654": msg27759, - "25655": msg27760, - "25656": msg27761, - "25657": msg27762, - "25658": msg27763, - "25659": msg27764, - "2566": msg5016, - "25660": msg27765, - "25661": msg27766, - "25662": msg27767, - "25663": msg27768, - "25664": msg27769, - "25665": msg27770, - "25666": msg27771, - "25667": msg27772, - "25668": msg27773, - "25669": msg27774, - "2567": msg5017, - "25670": msg27775, - "25671": msg27776, - "25672": msg27777, - "25673": msg27778, - "25674": msg27779, - "25675": msg27780, - "25676": msg27781, - "25677": msg27782, - "25678": msg27783, - "25679": msg27784, - "2568": msg5018, - "25680": msg27785, - "25681": msg27786, - "25682": msg27787, - "25683": msg27788, - "25684": msg27789, - "25685": msg27790, - "25686": msg27791, - "25687": msg27792, - "25688": msg27793, - "25689": msg27794, - "2569": msg5019, - "25690": msg27795, - "25691": msg27796, - "25692": msg27797, - "25693": msg27798, - "25694": msg27799, - "25695": msg27800, - 
"25696": msg27801, - "25697": msg27802, - "25698": msg27803, - "25699": msg27804, - "257": select181, - "2570": msg5020, - "25700": msg27805, - "25701": msg27806, - "25702": msg27807, - "25703": msg27808, - "25704": msg27809, - "25705": msg27810, - "25706": msg27811, - "25707": msg27812, - "25708": msg27813, - "25709": msg27814, - "2571": msg5021, - "25710": msg27815, - "25711": msg27816, - "25712": msg27817, - "25713": msg27818, - "25714": msg27819, - "25715": msg27820, - "25716": msg27821, - "25717": msg27822, - "25718": msg27823, - "25719": msg27824, - "2572": msg5022, - "25720": msg27825, - "25721": msg27826, - "25722": msg27827, - "25723": msg27828, - "25724": msg27829, - "25725": msg27830, - "25726": msg27831, - "25727": msg27832, - "25728": msg27833, - "25729": msg27834, - "2573": msg5023, - "25730": msg27835, - "25731": msg27836, - "25732": msg27837, - "25733": msg27838, - "25734": msg27839, - "25735": msg27840, - "25736": msg27841, - "25737": msg27842, - "25738": msg27843, - "25739": msg27844, - "2574": msg5024, - "25740": msg27845, - "25741": msg27846, - "25742": msg27847, - "25743": msg27848, - "25744": msg27849, - "25745": msg27850, - "25746": msg27851, - "25747": msg27852, - "25748": msg27853, - "25749": msg27854, - "2575": msg5025, - "25750": msg27855, - "25751": msg27856, - "25752": msg27857, - "25753": msg27858, - "25754": msg27859, - "25755": msg27860, - "25756": msg27861, - "25757": msg27862, - "25758": msg27863, - "25759": msg27864, - "2576": msg5026, - "25760": msg27865, - "25761": msg27866, - "25762": msg27867, - "25763": msg27868, - "25764": msg27869, - "25765": msg27870, - "25766": msg27871, - "25767": msg27872, - "25768": msg27873, - "25769": msg27874, - "2577": msg5027, - "25770": msg27875, - "25771": msg27876, - "25772": msg27877, - "25773": msg27878, - "25774": msg27879, - "25775": msg27880, - "25776": msg27881, - "25777": msg27882, - "25778": msg27883, - "25779": msg27884, - "2578": msg5028, - "25780": msg27885, - "25781": msg27886, - 
"25782": msg27887, - "25783": msg27888, - "25784": msg27889, - "25785": msg27890, - "25786": msg27891, - "25787": msg27892, - "25788": msg27893, - "25789": msg27894, - "2579": msg5029, - "25790": msg27895, - "25791": msg27896, - "25792": msg27897, - "25793": msg27898, - "25794": msg27899, - "25795": msg27900, - "25796": msg27901, - "25797": msg27902, - "25798": msg27903, - "25799": msg27904, - "258": select182, - "2580": msg5030, - "25800": msg27905, - "25801": msg27906, - "25802": msg27907, - "25803": msg27908, - "25804": msg27909, - "25805": msg27910, - "25806": msg27911, - "25807": msg27912, - "25808": msg27913, - "25809": msg27914, - "2581": msg5031, - "25810": msg27915, - "25811": msg27916, - "25812": msg27917, - "25813": msg27918, - "25814": msg27919, - "25815": msg27920, - "25816": msg27921, - "25817": msg27922, - "25818": msg27923, - "25819": msg27924, - "2582": msg5032, - "25820": msg27925, - "25821": msg27926, - "25822": msg27927, - "25823": msg27928, - "25824": msg27929, - "25825": msg27930, - "25826": msg27931, - "25827": msg27932, - "25828": msg27933, - "25829": msg27934, - "2583": msg5033, - "25830": msg27935, - "25831": msg27936, - "25832": msg27937, - "25833": msg27938, - "25834": msg27939, - "25835": msg27940, - "25836": msg27941, - "25837": msg27942, - "25838": msg27943, - "25839": msg27944, - "2584": msg5034, - "25840": msg27945, - "25841": msg27946, - "25842": msg27947, - "25843": msg27948, - "25844": msg27949, - "25845": msg27950, - "25846": msg27951, - "25847": msg27952, - "25848": msg27953, - "25849": msg27954, - "2585": msg5035, - "25850": msg27955, - "25851": msg27956, - "25852": msg27957, - "25853": msg27958, - "25854": msg27959, - "25855": msg27960, - "25856": msg27961, - "25857": msg27962, - "25858": msg27963, - "25859": msg27964, - "2586": msg5036, - "25860": msg27965, - "25861": msg27966, - "25862": msg27967, - "25863": msg27968, - "25864": msg27969, - "25865": msg27970, - "25866": msg27971, - "25867": msg27972, - "25868": msg27973, - 
"25869": msg27974, - "2587": msg5037, - "25870": msg27975, - "25871": msg27976, - "25872": msg27977, - "25873": msg27978, - "25874": msg27979, - "25875": msg27980, - "25876": msg27981, - "25877": msg27982, - "25878": msg27983, - "25879": msg27984, - "2588": msg5038, - "25880": msg27985, - "25881": msg27986, - "25882": msg27987, - "25883": msg27988, - "25884": msg27989, - "25885": msg27990, - "25886": msg27991, - "25887": msg27992, - "25888": msg27993, - "25889": msg27994, - "2589": msg5039, - "25890": msg27995, - "25891": msg27996, - "25892": msg27997, - "25893": msg27998, - "25894": msg27999, - "25895": msg28000, - "25896": msg28001, - "25897": msg28002, - "25898": msg28003, - "25899": msg28004, - "259": select183, - "2590": select2439, - "25900": msg28005, - "25901": msg28006, - "25902": msg28007, - "25903": msg28008, - "25904": msg28009, - "25905": msg28010, - "25906": msg28011, - "25907": msg28012, - "25908": msg28013, - "25909": msg28014, - "2591": msg5042, - "25910": msg28015, - "25911": msg28016, - "25912": msg28017, - "25913": msg28018, - "25914": msg28019, - "25915": msg28020, - "25916": msg28021, - "25917": msg28022, - "25918": msg28023, - "25919": msg28024, - "2592": msg5043, - "25920": msg28025, - "25921": msg28026, - "25922": msg28027, - "25923": msg28028, - "25924": msg28029, - "25925": msg28030, - "25926": msg28031, - "25927": msg28032, - "25928": msg28033, - "25929": msg28034, - "2593": msg5044, - "25930": msg28035, - "25931": msg28036, - "25932": msg28037, - "25933": msg28038, - "25934": msg28039, - "25935": msg28040, - "25936": msg28041, - "25937": msg28042, - "25938": msg28043, - "25939": msg28044, - "2594": msg5045, - "25940": msg28045, - "25941": msg28046, - "25942": msg28047, - "25943": msg28048, - "25944": msg28049, - "25945": msg28050, - "25946": msg28051, - "25947": msg28052, - "25948": msg28053, - "25949": msg28054, - "2595": msg5046, - "25950": msg28055, - "25951": msg28056, - "25952": msg28057, - "25953": msg28058, - "25954": msg28059, - 
"25955": msg28060, - "25956": msg28061, - "25957": msg28062, - "25958": msg28063, - "25959": msg28064, - "2596": msg5047, - "25960": msg28065, - "25961": msg28066, - "25962": msg28067, - "25963": msg28068, - "25964": msg28069, - "25965": msg28070, - "25966": msg28071, - "25967": msg28072, - "25968": msg28073, - "25969": msg28074, - "2597": msg5048, - "25970": msg28075, - "25971": msg28076, - "25972": msg28077, - "25973": msg28078, - "25974": msg28079, - "25975": msg28080, - "25976": msg28081, - "25977": msg28082, - "25978": msg28083, - "25979": msg28084, - "2598": msg5049, - "25980": msg28085, - "25981": msg28086, - "25982": msg28087, - "25983": msg28088, - "25984": msg28089, - "25985": msg28090, - "25986": msg28091, - "25987": msg28092, - "25988": msg28093, - "25989": msg28094, - "2599": msg5050, - "25990": msg28095, - "25991": msg28096, - "25992": msg28097, - "25993": msg28098, - "25994": msg28099, - "25995": msg28100, - "25996": msg28101, - "25997": msg28102, - "25998": msg28103, - "25999": msg28104, - "26": msg60, - "260": select184, - "2600": msg5051, - "26000": msg28105, - "26001": msg28106, - "26002": msg28107, - "26003": msg28108, - "26004": msg28109, - "26005": msg28110, - "26006": msg28111, - "26007": msg28112, - "26008": msg28113, - "26009": msg28114, - "2601": msg5052, - "26010": msg28115, - "26011": msg28116, - "26012": msg28117, - "26013": msg28118, - "26014": msg28119, - "26015": msg28120, - "26016": msg28121, - "26017": msg28122, - "26018": msg28123, - "26019": msg28124, - "2602": msg5053, - "26020": msg28125, - "26021": msg28126, - "26022": msg28127, - "26023": msg28128, - "26024": msg28129, - "26025": msg28130, - "26026": msg28131, - "26027": msg28132, - "26028": msg28133, - "26029": msg28134, - "2603": msg5054, - "26030": msg28135, - "26031": msg28136, - "26032": msg28137, - "26033": msg28138, - "26034": msg28139, - "26035": msg28140, - "26036": msg28141, - "26037": msg28142, - "26038": msg28143, - "26039": msg28144, - "2604": msg5055, - "26040": 
msg28145, - "26041": msg28146, - "26042": msg28147, - "26043": msg28148, - "26044": msg28149, - "26045": msg28150, - "26046": msg28151, - "26047": msg28152, - "26048": msg28153, - "26049": msg28154, - "2605": msg5056, - "26050": msg28155, - "26051": msg28156, - "26052": msg28157, - "26053": msg28158, - "26054": msg28159, - "26055": msg28160, - "26056": msg28161, - "26057": msg28162, - "26058": msg28163, - "26059": msg28164, - "2606": msg5057, - "26060": msg28165, - "26061": msg28166, - "26062": msg28167, - "26063": msg28168, - "26064": msg28169, - "26065": msg28170, - "26066": msg28171, - "26067": msg28172, - "26068": msg28173, - "26069": msg28174, - "2607": msg5058, - "26070": msg28175, - "26071": msg28176, - "26072": msg28177, - "26073": msg28178, - "26074": msg28179, - "26075": msg28180, - "26076": msg28181, - "26077": msg28182, - "26078": msg28183, - "26079": msg28184, - "2608": msg5059, - "26080": msg28185, - "26081": msg28186, - "26082": msg28187, - "26083": msg28188, - "26084": msg28189, - "26085": msg28190, - "26086": msg28191, - "26087": msg28192, - "26088": msg28193, - "26089": msg28194, - "2609": msg5060, - "26090": msg28195, - "26091": msg28196, - "26092": msg28197, - "26093": msg28198, - "26094": msg28199, - "26095": msg28200, - "26096": msg28201, - "26097": msg28202, - "26098": msg28203, - "26099": msg28204, - "261": select185, - "2610": msg5061, - "26100": msg28205, - "26101": msg28206, - "26102": msg28207, - "26103": msg28208, - "26104": msg28209, - "26105": msg28210, - "26106": msg28211, - "26107": msg28212, - "26108": msg28213, - "26109": msg28214, - "2611": msg5062, - "26110": msg28215, - "26111": msg28216, - "26112": msg28217, - "26113": msg28218, - "26114": msg28219, - "26115": msg28220, - "26116": msg28221, - "26117": msg28222, - "26118": msg28223, - "26119": msg28224, - "2612": msg5063, - "26120": msg28225, - "26121": msg28226, - "26122": msg28227, - "26123": msg28228, - "26124": msg28229, - "26125": msg28230, - "26126": msg28231, - "26127": 
msg28232, - "26128": msg28233, - "26129": msg28234, - "2613": msg5064, - "26130": msg28235, - "26131": msg28236, - "26132": msg28237, - "26133": msg28238, - "26134": msg28239, - "26135": msg28240, - "26136": msg28241, - "26137": msg28242, - "26138": msg28243, - "26139": msg28244, - "2614": msg5065, - "26140": msg28245, - "26141": msg28246, - "26142": msg28247, - "26143": msg28248, - "26144": msg28249, - "26145": msg28250, - "26146": msg28251, - "26147": msg28252, - "26148": msg28253, - "26149": msg28254, - "2615": msg5066, - "26150": msg28255, - "26151": msg28256, - "26152": msg28257, - "26153": msg28258, - "26154": msg28259, - "26155": msg28260, - "26156": msg28261, - "26157": msg28262, - "26158": msg28263, - "26159": msg28264, - "2616": msg5067, - "26160": msg28265, - "26161": msg28266, - "26162": msg28267, - "26163": msg28268, - "26164": msg28269, - "26165": msg28270, - "26166": msg28271, - "26167": msg28272, - "26168": msg28273, - "26169": msg28274, - "2617": msg5068, - "26170": msg28275, - "26171": msg28276, - "26172": msg28277, - "26173": msg28278, - "26174": msg28279, - "26175": msg28280, - "26176": msg28281, - "26177": msg28282, - "26178": msg28283, - "26179": msg28284, - "2618": msg5069, - "26180": msg28285, - "26181": msg28286, - "26182": msg28287, - "26183": msg28288, - "26184": msg28289, - "26185": msg28290, - "26186": msg28291, - "26187": msg28292, - "26188": msg28293, - "26189": msg28294, - "2619": msg5070, - "26190": msg28295, - "26191": msg28296, - "26192": msg28297, - "26193": msg28298, - "26194": msg28299, - "26195": msg28300, - "26196": msg28301, - "26197": msg28302, - "26198": msg28303, - "26199": msg28304, - "262": select186, - "2620": msg5071, - "26200": msg28305, - "26201": msg28306, - "26202": msg28307, - "26203": msg28308, - "26204": msg28309, - "26205": msg28310, - "26206": msg28311, - "26207": msg28312, - "26208": msg28313, - "26209": msg28314, - "2621": msg5072, - "26210": msg28315, - "26211": msg28316, - "26212": msg28317, - "26213": 
msg28318, - "26214": msg28319, - "26215": msg28320, - "26216": msg28321, - "26217": msg28322, - "26218": msg28323, - "26219": msg28324, - "2622": msg5073, - "26220": msg28325, - "26221": msg28326, - "26222": msg28327, - "26223": msg28328, - "26224": msg28329, - "26225": msg28330, - "26226": msg28331, - "26227": msg28332, - "26228": msg28333, - "26229": msg28334, - "2623": msg5074, - "26230": msg28335, - "26231": msg28336, - "26232": msg28337, - "26233": msg28338, - "26234": msg28339, - "26235": msg28340, - "26236": msg28341, - "26237": msg28342, - "26238": msg28343, - "26239": msg28344, - "2624": msg5075, - "26240": msg28345, - "26241": msg28346, - "26242": msg28347, - "26243": msg28348, - "26244": msg28349, - "26245": msg28350, - "26246": msg28351, - "26247": msg28352, - "26248": msg28353, - "26249": msg28354, - "2625": msg5076, - "26250": msg28355, - "26251": msg28356, - "26252": msg28357, - "26253": msg28358, - "26254": msg28359, - "26255": msg28360, - "26256": msg28361, - "26257": msg28362, - "26258": msg28363, - "26259": msg28364, - "2626": msg5077, - "26260": msg28365, - "26261": msg28366, - "26262": msg28367, - "26263": msg28368, - "26264": msg28369, - "26265": msg28370, - "26266": msg28371, - "26267": msg28372, - "26268": msg28373, - "26269": msg28374, - "2627": msg5078, - "26270": msg28375, - "26271": msg28376, - "26272": msg28377, - "26273": msg28378, - "26274": msg28379, - "26275": msg28380, - "26276": msg28381, - "26277": msg28382, - "26278": msg28383, - "26279": msg28384, - "2628": msg5079, - "26280": msg28385, - "26281": msg28386, - "26282": msg28387, - "26283": msg28388, - "26284": msg28389, - "26285": msg28390, - "26286": msg28391, - "26287": msg28392, - "26288": msg28393, - "26289": msg28394, - "2629": msg5080, - "26290": msg28395, - "26291": msg28396, - "26292": msg28397, - "26293": msg28398, - "26294": msg28399, - "26295": msg28400, - "26296": msg28401, - "26297": msg28402, - "26298": msg28403, - "26299": msg28404, - "2630": msg5081, - "26300": 
msg28405, - "26301": msg28406, - "26302": msg28407, - "26303": msg28408, - "26304": msg28409, - "26305": msg28410, - "26306": msg28411, - "26307": msg28412, - "26308": msg28413, - "26309": msg28414, - "2631": msg5082, - "26310": msg28415, - "26311": msg28416, - "26312": msg28417, - "26313": msg28418, - "26314": msg28419, - "26315": msg28420, - "26316": msg28421, - "26317": msg28422, - "26318": msg28423, - "26319": msg28424, - "2632": msg5083, - "26320": msg28425, - "26321": msg28426, - "26322": msg28427, - "26323": msg28428, - "26324": msg28429, - "26325": msg28430, - "26326": msg28431, - "26327": msg28432, - "26328": msg28433, - "26329": msg28434, - "2633": msg5084, - "26330": msg28435, - "26331": msg28436, - "26332": msg28437, - "26333": msg28438, - "26334": msg28439, - "26335": msg28440, - "26336": msg28441, - "26337": msg28442, - "26338": msg28443, - "26339": msg28444, - "2634": msg5085, - "26340": msg28445, - "26341": msg28446, - "26342": msg28447, - "26343": msg28448, - "26344": msg28449, - "26345": msg28450, - "26346": msg28451, - "26347": msg28452, - "26348": msg28453, - "26349": msg28454, - "2635": msg5086, - "26350": msg28455, - "26351": msg28456, - "26352": msg28457, - "26353": msg28458, - "26354": msg28459, - "26355": msg28460, - "26356": msg28461, - "26357": msg28462, - "26358": msg28463, - "26359": msg28464, - "2636": msg5087, - "26360": msg28465, - "26361": msg28466, - "26362": msg28467, - "26363": msg28468, - "26364": msg28469, - "26365": msg28470, - "26366": msg28471, - "26367": msg28472, - "26368": msg28473, - "26369": msg28474, - "2637": msg5088, - "26370": msg28475, - "26371": msg28476, - "26372": msg28477, - "26373": msg28478, - "26374": msg28479, - "26375": msg28480, - "26376": msg28481, - "26377": msg28482, - "26378": msg28483, - "26379": msg28484, - "2638": msg5089, - "26380": msg28485, - "26381": msg28486, - "26382": msg28487, - "26383": msg28488, - "26384": msg28489, - "26385": msg28490, - "26386": msg28491, - "26387": msg28492, - "26388": 
msg28493, - "26389": msg28494, - "2639": msg5090, - "26390": msg28495, - "26391": msg28496, - "26392": msg28497, - "26393": msg28498, - "26394": msg28499, - "26395": msg28500, - "26396": msg28501, - "26397": msg28502, - "26398": msg28503, - "26399": msg28504, - "264": select187, - "2640": msg5091, - "26400": msg28505, - "26401": msg28506, - "26402": msg28507, - "26403": msg28508, - "26404": msg28509, - "26405": msg28510, - "26406": msg28511, - "26407": msg28512, - "26408": msg28513, - "26409": msg28514, - "2641": msg5092, - "26410": msg28515, - "26411": msg28516, - "26412": msg28517, - "26413": msg28518, - "26414": msg28519, - "26415": msg28520, - "26416": msg28521, - "26417": msg28522, - "26418": msg28523, - "26419": msg28524, - "2642": msg5093, - "26420": msg28525, - "26421": msg28526, - "26422": msg28527, - "26423": msg28528, - "26424": msg28529, - "26425": msg28530, - "26426": msg28531, - "26427": msg28532, - "26428": msg28533, - "26429": msg28534, - "2643": msg5094, - "26430": msg28535, - "26431": msg28536, - "26432": msg28537, - "26433": msg28538, - "26434": msg28539, - "26435": msg28540, - "26436": msg28541, - "26437": msg28542, - "26438": msg28543, - "26439": msg28544, - "2644": msg5095, - "26440": msg28545, - "26441": msg28546, - "26442": msg28547, - "26443": msg28548, - "26444": msg28549, - "26445": msg28550, - "26446": msg28551, - "26447": msg28552, - "26448": msg28553, - "26449": msg28554, - "2645": msg5096, - "26450": msg28555, - "26451": msg28556, - "26452": msg28557, - "26453": msg28558, - "26454": msg28559, - "26455": msg28560, - "26456": msg28561, - "26457": msg28562, - "26458": msg28563, - "26459": msg28564, - "2646": msg5097, - "26460": msg28565, - "26461": msg28566, - "26462": msg28567, - "26463": msg28568, - "26464": msg28569, - "26465": msg28570, - "26466": msg28571, - "26467": msg28572, - "26468": msg28573, - "26469": msg28574, - "2647": msg5098, - "26470": msg28575, - "26471": msg28576, - "26472": msg28577, - "26473": msg28578, - "26474": 
msg28579, - "26475": msg28580, - "26476": msg28581, - "26477": msg28582, - "26478": msg28583, - "26479": msg28584, - "2648": msg5099, - "26480": msg28585, - "26481": msg28586, - "26482": msg28587, - "26483": msg28588, - "26484": msg28589, - "26485": msg28590, - "26486": msg28591, - "26487": msg28592, - "26488": msg28593, - "26489": msg28594, - "2649": msg5100, - "26490": msg28595, - "26491": msg28596, - "26492": msg28597, - "26493": msg28598, - "26494": msg28599, - "26495": msg28600, - "26496": msg28601, - "26497": msg28602, - "26498": msg28603, - "26499": msg28604, - "265": select188, - "2650": msg5101, - "26500": msg28605, - "26501": msg28606, - "26502": msg28607, - "26503": msg28608, - "26504": msg28609, - "26505": msg28610, - "26506": msg28611, - "26507": msg28612, - "26508": msg28613, - "26509": msg28614, - "2651": msg5102, - "26510": msg28615, - "26511": msg28616, - "26512": msg28617, - "26513": msg28618, - "26514": msg28619, - "26515": msg28620, - "26516": msg28621, - "26517": msg28622, - "26518": msg28623, - "26519": msg28624, - "2652": msg5103, - "26520": msg28625, - "26521": msg28626, - "26522": msg28627, - "26523": msg28628, - "26524": msg28629, - "26525": msg28630, - "26526": msg28631, - "26527": msg28632, - "26528": msg28633, - "26529": msg28634, - "2653": msg5104, - "26530": msg28635, - "26531": msg28636, - "26532": msg28637, - "26533": msg28638, - "26534": msg28639, - "26535": msg28640, - "26536": msg28641, - "26537": msg28642, - "26538": msg28643, - "26539": msg28644, - "2654": msg5105, - "26540": msg28645, - "26541": msg28646, - "26542": msg28647, - "26543": msg28648, - "26544": msg28649, - "26545": msg28650, - "26546": msg28651, - "26547": msg28652, - "26548": msg28653, - "26549": msg28654, - "2655": msg5106, - "26550": msg28655, - "26551": msg28656, - "26552": msg28657, - "26553": msg28658, - "26554": msg28659, - "26555": msg28660, - "26556": msg28661, - "26557": msg28662, - "26558": msg28663, - "26559": msg28664, - "2656": msg5107, - "26560": 
msg28665, - "26561": msg28666, - "26562": msg28667, - "26563": msg28668, - "26564": msg28669, - "26565": msg28670, - "26566": msg28671, - "26567": msg28672, - "26568": msg28673, - "26569": msg28674, - "2657": msg5108, - "26570": msg28675, - "26571": msg28676, - "26572": msg28677, - "26573": msg28678, - "26574": msg28679, - "26575": msg28680, - "26576": msg28681, - "26577": msg28682, - "26578": msg28683, - "26579": msg28684, - "2658": msg5109, - "26580": msg28685, - "26581": msg28686, - "26582": msg28687, - "26583": msg28688, - "26584": msg28689, - "26585": msg28690, - "26586": msg28691, - "26587": msg28692, - "26588": msg28693, - "26589": msg28694, - "2659": msg5110, - "26590": msg28695, - "26591": msg28696, - "26592": msg28697, - "26593": msg28698, - "26594": msg28699, - "26595": msg28700, - "26596": msg28701, - "26597": msg28702, - "26598": msg28703, - "26599": msg28704, - "266": select189, - "2660": msg5111, - "26600": msg28705, - "26601": msg28706, - "26602": msg28707, - "26603": msg28708, - "26604": msg28709, - "26605": msg28710, - "26606": msg28711, - "26607": msg28712, - "26608": msg28713, - "26609": msg28714, - "2661": msg5112, - "26610": msg28715, - "26611": msg28716, - "26612": msg28717, - "26613": msg28718, - "26614": msg28719, - "26615": msg28720, - "26616": msg28721, - "26617": msg28722, - "26618": msg28723, - "26619": msg28724, - "2662": msg5113, - "26620": msg28725, - "26621": msg28726, - "26622": msg28727, - "26623": msg28728, - "26624": msg28729, - "26625": msg28730, - "26626": msg28731, - "26627": msg28732, - "26628": msg28733, - "26629": msg28734, - "2663": msg5114, - "26630": msg28735, - "26631": msg28736, - "26632": msg28737, - "26633": msg28738, - "26634": msg28739, - "26635": msg28740, - "26636": msg28741, - "26637": msg28742, - "26638": msg28743, - "26639": msg28744, - "2664": msg5115, - "26640": msg28745, - "26641": msg28746, - "26642": msg28747, - "26643": msg28748, - "26644": msg28749, - "26645": msg28750, - "26646": msg28751, - "26647": 
msg28752, - "26648": msg28753, - "26649": msg28754, - "2665": msg5116, - "26650": msg28755, - "26651": msg28756, - "26652": msg28757, - "26653": msg28758, - "26654": msg28759, - "26655": msg28760, - "26656": msg28761, - "26657": msg28762, - "26658": msg28763, - "26659": msg28764, - "2666": msg5117, - "26660": msg28765, - "26661": msg28766, - "26662": msg28767, - "26663": msg28768, - "26664": msg28769, - "26665": msg28770, - "26666": msg28771, - "26667": msg28772, - "26668": msg28773, - "26669": msg28774, - "2667": msg5118, - "26670": msg28775, - "26671": msg28776, - "26672": msg28777, - "26673": msg28778, - "26674": msg28779, - "26675": msg28780, - "26676": msg28781, - "26677": msg28782, - "26678": msg28783, - "26679": msg28784, - "2668": msg5119, - "26680": msg28785, - "26681": msg28786, - "26682": msg28787, - "26683": msg28788, - "26684": msg28789, - "26685": msg28790, - "26686": msg28791, - "26687": msg28792, - "26688": msg28793, - "26689": msg28794, - "2669": msg5120, - "26690": msg28795, - "26691": msg28796, - "26692": msg28797, - "26693": msg28798, - "26694": msg28799, - "26695": msg28800, - "26696": msg28801, - "26697": msg28802, - "26698": msg28803, - "26699": msg28804, - "267": select190, - "2670": msg5121, - "26700": msg28805, - "26701": msg28806, - "26702": msg28807, - "26703": msg28808, - "26704": msg28809, - "26705": msg28810, - "26706": msg28811, - "26707": msg28812, - "26708": msg28813, - "26709": msg28814, - "2671": msg5122, - "26710": msg28815, - "26711": msg28816, - "26712": msg28817, - "26713": msg28818, - "26714": msg28819, - "26715": msg28820, - "26716": msg28821, - "26717": msg28822, - "26718": msg28823, - "26719": msg28824, - "2672": msg5123, - "26720": msg28825, - "26721": msg28826, - "26722": msg28827, - "26723": msg28828, - "26724": msg28829, - "26725": msg28830, - "26726": msg28831, - "26727": msg28832, - "26728": msg28833, - "26729": msg28834, - "2673": msg5124, - "26730": msg28835, - "26731": msg28836, - "26732": msg28837, - "26733": 
msg28838, - "26734": msg28839, - "26735": msg28840, - "26736": msg28841, - "26737": msg28842, - "26738": msg28843, - "26739": msg28844, - "2674": msg5125, - "26740": msg28845, - "26741": msg28846, - "26742": msg28847, - "26743": msg28848, - "26744": msg28849, - "26745": msg28850, - "26746": msg28851, - "26747": msg28852, - "26748": msg28853, - "26749": msg28854, - "2675": msg5126, - "26750": msg28855, - "26751": msg28856, - "26752": msg28857, - "26753": msg28858, - "26754": msg28859, - "26755": msg28860, - "26756": msg28861, - "26757": msg28862, - "26758": msg28863, - "26759": msg28864, - "2676": msg5127, - "26760": msg28865, - "26761": msg28866, - "26762": msg28867, - "26763": msg28868, - "26764": msg28869, - "26765": msg28870, - "26766": msg28871, - "26767": msg28872, - "26768": msg28873, - "26769": msg28874, - "2677": msg5128, - "26770": msg28875, - "26771": msg28876, - "26772": msg28877, - "26773": msg28878, - "26774": msg28879, - "26775": msg28880, - "26776": msg28881, - "26777": msg28882, - "26778": msg28883, - "26779": msg28884, - "2678": msg5129, - "26780": msg28885, - "26781": msg28886, - "26782": msg28887, - "26783": msg28888, - "26784": msg28889, - "26785": msg28890, - "26786": msg28891, - "26787": msg28892, - "26788": msg28893, - "26789": msg28894, - "2679": msg5130, - "26790": msg28895, - "26791": msg28896, - "26792": msg28897, - "26793": msg28898, - "26794": msg28899, - "26795": msg28900, - "26796": msg28901, - "26797": msg28902, - "26798": msg28903, - "26799": msg28904, - "268": select191, - "2680": msg5131, - "26800": msg28905, - "26801": msg28906, - "26802": msg28907, - "26803": msg28908, - "26804": msg28909, - "26805": msg28910, - "26806": msg28911, - "26807": msg28912, - "26808": msg28913, - "26809": msg28914, - "2681": msg5132, - "26810": msg28915, - "26811": msg28916, - "26812": msg28917, - "26813": msg28918, - "26814": msg28919, - "26815": msg28920, - "26816": msg28921, - "26817": msg28922, - "26818": msg28923, - "26819": msg28924, - "2682": 
msg5133, - "26820": msg28925, - "26821": msg28926, - "26822": msg28927, - "26823": msg28928, - "26824": msg28929, - "26825": msg28930, - "26826": msg28931, - "26827": msg28932, - "26828": msg28933, - "26829": msg28934, - "2683": msg5134, - "26830": msg28935, - "26831": msg28936, - "26832": msg28937, - "26833": msg28938, - "26834": msg28939, - "26835": msg28940, - "26836": msg28941, - "26837": msg28942, - "26838": msg28943, - "26839": msg28944, - "2684": msg5135, - "26840": msg28945, - "26841": msg28946, - "26842": msg28947, - "26843": msg28948, - "26844": msg28949, - "26845": msg28950, - "26846": msg28951, - "26847": msg28952, - "26848": msg28953, - "26849": msg28954, - "2685": msg5136, - "26850": msg28955, - "26851": msg28956, - "26852": msg28957, - "26853": msg28958, - "26854": msg28959, - "26855": msg28960, - "26856": msg28961, - "26857": msg28962, - "26858": msg28963, - "26859": msg28964, - "2686": msg5137, - "26860": msg28965, - "26861": msg28966, - "26862": msg28967, - "26863": msg28968, - "26864": msg28969, - "26865": msg28970, - "26866": msg28971, - "26867": msg28972, - "26868": msg28973, - "26869": msg28974, - "2687": msg5138, - "26870": msg28975, - "26871": msg28976, - "26872": msg28977, - "26873": msg28978, - "26874": msg28979, - "26875": msg28980, - "26876": msg28981, - "26877": msg28982, - "26878": msg28983, - "26879": msg28984, - "2688": msg5139, - "26880": msg28985, - "26881": msg28986, - "26882": msg28987, - "26883": msg28988, - "26884": msg28989, - "26885": msg28990, - "26886": msg28991, - "26887": msg28992, - "26888": msg28993, - "26889": msg28994, - "2689": msg5140, - "26890": msg28995, - "26891": msg28996, - "26892": msg28997, - "26893": msg28998, - "26894": msg28999, - "26895": msg29000, - "26896": msg29001, - "26897": msg29002, - "26898": msg29003, - "26899": msg29004, - "269": select192, - "2690": msg5141, - "26900": msg29005, - "26901": msg29006, - "26902": msg29007, - "26903": msg29008, - "26904": msg29009, - "26905": msg29010, - "26906": 
msg29011, - "26907": msg29012, - "26908": msg29013, - "26909": msg29014, - "2691": msg5142, - "26910": msg29015, - "26911": msg29016, - "26912": msg29017, - "26913": msg29018, - "26914": msg29019, - "26915": msg29020, - "26916": msg29021, - "26917": msg29022, - "26918": msg29023, - "26919": msg29024, - "2692": msg5143, - "26920": msg29025, - "26921": msg29026, - "26922": msg29027, - "26923": msg29028, - "26924": msg29029, - "26925": msg29030, - "26926": msg29031, - "26927": msg29032, - "26928": msg29033, - "26929": msg29034, - "2693": msg5144, - "26930": msg29035, - "26931": msg29036, - "26932": msg29037, - "26933": msg29038, - "26934": msg29039, - "26935": msg29040, - "26936": msg29041, - "26937": msg29042, - "26938": msg29043, - "26939": msg29044, - "2694": msg5145, - "26940": msg29045, - "26941": msg29046, - "26942": msg29047, - "26943": msg29048, - "26944": msg29049, - "26945": msg29050, - "26946": msg29051, - "26947": msg29052, - "26948": msg29053, - "26949": msg29054, - "2695": msg5146, - "26950": msg29055, - "26951": msg29056, - "26952": msg29057, - "26953": msg29058, - "26954": msg29059, - "26955": msg29060, - "26956": msg29061, - "26957": msg29062, - "26958": msg29063, - "26959": msg29064, - "2696": msg5147, - "26960": msg29065, - "26961": msg29066, - "26962": msg29067, - "26963": msg29068, - "26964": msg29069, - "26965": msg29070, - "26966": msg29071, - "26967": msg29072, - "26968": msg29073, - "26969": msg29074, - "2697": msg5148, - "26970": msg29075, - "26971": msg29076, - "26972": msg29077, - "26973": msg29078, - "26974": msg29079, - "26975": msg29080, - "26976": msg29081, - "26977": msg29082, - "26978": msg29083, - "26979": msg29084, - "2698": msg5149, - "26980": msg29085, - "26981": msg29086, - "26982": msg29087, - "26983": msg29088, - "26984": msg29089, - "26985": msg29090, - "26986": msg29091, - "26987": msg29092, - "26988": msg29093, - "26989": msg29094, - "2699": msg5150, - "26990": msg29095, - "26991": msg29096, - "26992": msg29097, - "26993": 
msg29098, - "26994": msg29099, - "26995": msg29100, - "26996": msg29101, - "26997": msg29102, - "26998": msg29103, - "26999": msg29104, - "27": msg61, - "270": select193, - "2700": msg5151, - "27000": msg29105, - "27001": msg29106, - "27002": msg29107, - "27003": msg29108, - "27004": msg29109, - "27005": msg29110, - "27006": msg29111, - "27007": msg29112, - "27008": msg29113, - "27009": msg29114, - "2701": msg5152, - "27010": msg29115, - "27011": msg29116, - "27012": msg29117, - "27013": msg29118, - "27014": msg29119, - "27015": msg29120, - "27016": msg29121, - "27017": msg29122, - "27018": msg29123, - "27019": msg29124, - "2702": msg5153, - "27020": msg29125, - "27021": msg29126, - "27022": msg29127, - "27023": msg29128, - "27024": msg29129, - "27025": msg29130, - "27026": msg29131, - "27027": msg29132, - "27028": msg29133, - "27029": msg29134, - "2703": msg5154, - "27030": msg29135, - "27031": msg29136, - "27032": msg29137, - "27033": msg29138, - "27034": msg29139, - "27035": msg29140, - "27036": msg29141, - "27037": msg29142, - "27038": msg29143, - "27039": msg29144, - "2704": msg5155, - "27040": msg29145, - "27041": msg29146, - "27042": msg29147, - "27043": msg29148, - "27044": msg29149, - "27045": msg29150, - "27046": msg29151, - "27047": msg29152, - "27048": msg29153, - "27049": msg29154, - "2705": msg5156, - "27050": msg29155, - "27051": msg29156, - "27052": msg29157, - "27053": msg29158, - "27054": msg29159, - "27055": msg29160, - "27056": msg29161, - "27057": msg29162, - "27058": msg29163, - "27059": msg29164, - "2706": msg5157, - "27060": msg29165, - "27061": msg29166, - "27062": msg29167, - "27063": msg29168, - "27064": msg29169, - "27065": msg29170, - "27066": msg29171, - "27067": msg29172, - "27068": msg29173, - "27069": msg29174, - "2707": msg5158, - "27070": msg29175, - "27071": msg29176, - "27072": msg29177, - "27073": msg29178, - "27074": msg29179, - "27075": msg29180, - "27076": msg29181, - "27077": msg29182, - "27078": msg29183, - "27079": 
msg29184, - "2708": msg5159, - "27080": msg29185, - "27081": msg29186, - "27082": msg29187, - "27083": msg29188, - "27084": msg29189, - "27085": msg29190, - "27086": msg29191, - "27087": msg29192, - "27088": msg29193, - "27089": msg29194, - "2709": msg5160, - "27090": msg29195, - "27091": msg29196, - "27092": msg29197, - "27093": msg29198, - "27094": msg29199, - "27095": msg29200, - "27096": msg29201, - "27097": msg29202, - "27098": msg29203, - "27099": msg29204, - "271": select194, - "2710": msg5161, - "27100": msg29205, - "27101": msg29206, - "27102": msg29207, - "27103": msg29208, - "27104": msg29209, - "27105": msg29210, - "27106": msg29211, - "27107": msg29212, - "27108": msg29213, - "27109": msg29214, - "2711": msg5162, - "27110": msg29215, - "27111": msg29216, - "27112": msg29217, - "27113": msg29218, - "27114": msg29219, - "27115": msg29220, - "27116": msg29221, - "27117": msg29222, - "27118": msg29223, - "27119": msg29224, - "2712": msg5163, - "27120": msg29225, - "27121": msg29226, - "27122": msg29227, - "27123": msg29228, - "27124": msg29229, - "27125": msg29230, - "27126": msg29231, - "27127": msg29232, - "27128": msg29233, - "27129": msg29234, - "2713": msg5164, - "27130": msg29235, - "27131": msg29236, - "27132": msg29237, - "27133": msg29238, - "27134": msg29239, - "27135": msg29240, - "27136": msg29241, - "27137": msg29242, - "27138": msg29243, - "27139": msg29244, - "2714": msg5165, - "27140": msg29245, - "27141": msg29246, - "27142": msg29247, - "27143": msg29248, - "27144": msg29249, - "27145": msg29250, - "27146": msg29251, - "27147": msg29252, - "27148": msg29253, - "27149": msg29254, - "2715": msg5166, - "27150": msg29255, - "27151": msg29256, - "27152": msg29257, - "27153": msg29258, - "27154": msg29259, - "27155": msg29260, - "27156": msg29261, - "27157": msg29262, - "27158": msg29263, - "27159": msg29264, - "2716": msg5167, - "27160": msg29265, - "27161": msg29266, - "27162": msg29267, - "27163": msg29268, - "27164": msg29269, - "27165": 
msg29270, - "27166": msg29271, - "27167": msg29272, - "27168": msg29273, - "27169": msg29274, - "2717": msg5168, - "27170": msg29275, - "27171": msg29276, - "27172": msg29277, - "27173": msg29278, - "27174": msg29279, - "27175": msg29280, - "27176": msg29281, - "27177": msg29282, - "27178": msg29283, - "27179": msg29284, - "2718": msg5169, - "27180": msg29285, - "27181": msg29286, - "27182": msg29287, - "27183": msg29288, - "27184": msg29289, - "27185": msg29290, - "27186": msg29291, - "27187": msg29292, - "27188": msg29293, - "27189": msg29294, - "2719": msg5170, - "27190": msg29295, - "27191": msg29296, - "27192": msg29297, - "27193": msg29298, - "27194": msg29299, - "27195": msg29300, - "27196": msg29301, - "27197": msg29302, - "27198": msg29303, - "27199": msg29304, - "272": select195, - "2720": msg5171, - "27200": msg29305, - "27201": msg29306, - "27202": msg29307, - "27203": msg29308, - "27204": msg29309, - "27205": msg29310, - "27206": msg29311, - "27207": msg29312, - "27208": msg29313, - "27209": msg29314, - "2721": msg5172, - "27210": msg29315, - "27211": msg29316, - "27212": msg29317, - "27213": msg29318, - "27214": msg29319, - "27215": msg29320, - "27216": msg29321, - "27217": msg29322, - "27218": msg29323, - "27219": msg29324, - "2722": msg5173, - "27220": msg29325, - "27221": msg29326, - "27222": msg29327, - "27223": msg29328, - "27224": msg29329, - "27225": msg29330, - "27226": msg29331, - "27227": msg29332, - "27228": msg29333, - "27229": msg29334, - "2723": msg5174, - "27230": msg29335, - "27231": msg29336, - "27232": msg29337, - "27233": msg29338, - "27234": msg29339, - "27235": msg29340, - "27236": msg29341, - "27237": msg29342, - "27238": msg29343, - "27239": msg29344, - "2724": msg5175, - "27240": msg29345, - "27241": msg29346, - "27242": msg29347, - "27243": msg29348, - "27244": msg29349, - "27245": msg29350, - "27246": msg29351, - "27247": msg29352, - "27248": msg29353, - "27249": msg29354, - "2725": msg5176, - "27250": msg29355, - "27251": 
msg29356, - "27252": msg29357, - "27253": msg29358, - "27254": msg29359, - "27255": msg29360, - "27256": msg29361, - "27257": msg29362, - "27258": msg29363, - "27259": msg29364, - "2726": msg5177, - "27260": msg29365, - "27261": msg29366, - "27262": msg29367, - "27263": msg29368, - "27264": msg29369, - "27265": msg29370, - "27266": msg29371, - "27267": msg29372, - "27268": msg29373, - "27269": msg29374, - "2727": msg5178, - "27270": msg29375, - "27271": msg29376, - "27272": msg29377, - "27273": msg29378, - "27274": msg29379, - "27275": msg29380, - "27276": msg29381, - "27277": msg29382, - "27278": msg29383, - "27279": msg29384, - "2728": msg5179, - "27280": msg29385, - "27281": msg29386, - "27282": msg29387, - "27283": msg29388, - "27284": msg29389, - "27285": msg29390, - "27286": msg29391, - "27287": msg29392, - "27288": msg29393, - "27289": msg29394, - "2729": msg5180, - "27290": msg29395, - "27291": msg29396, - "27292": msg29397, - "27293": msg29398, - "27294": msg29399, - "27295": msg29400, - "27296": msg29401, - "27297": msg29402, - "27298": msg29403, - "27299": msg29404, - "273": select196, - "2730": msg5181, - "27300": msg29405, - "27301": msg29406, - "27302": msg29407, - "27303": msg29408, - "27304": msg29409, - "27305": msg29410, - "27306": msg29411, - "27307": msg29412, - "27308": msg29413, - "27309": msg29414, - "2731": msg5182, - "27310": msg29415, - "27311": msg29416, - "27312": msg29417, - "27313": msg29418, - "27314": msg29419, - "27315": msg29420, - "27316": msg29421, - "27317": msg29422, - "27318": msg29423, - "27319": msg29424, - "2732": msg5183, - "27320": msg29425, - "27321": msg29426, - "27322": msg29427, - "27323": msg29428, - "27324": msg29429, - "27325": msg29430, - "27326": msg29431, - "27327": msg29432, - "27328": msg29433, - "27329": msg29434, - "2733": msg5184, - "27330": msg29435, - "27331": msg29436, - "27332": msg29437, - "27333": msg29438, - "27334": msg29439, - "27335": msg29440, - "27336": msg29441, - "27337": msg29442, - "27338": 
msg29443, - "27339": msg29444, - "2734": msg5185, - "27340": msg29445, - "27341": msg29446, - "27342": msg29447, - "27343": msg29448, - "27344": msg29449, - "27345": msg29450, - "27346": msg29451, - "27347": msg29452, - "27348": msg29453, - "27349": msg29454, - "2735": msg5186, - "27350": msg29455, - "27351": msg29456, - "27352": msg29457, - "27353": msg29458, - "27354": msg29459, - "27355": msg29460, - "27356": msg29461, - "27357": msg29462, - "27358": msg29463, - "27359": msg29464, - "2736": msg5187, - "27360": msg29465, - "27361": msg29466, - "27362": msg29467, - "27363": msg29468, - "27364": msg29469, - "27365": msg29470, - "27366": msg29471, - "27367": msg29472, - "27368": msg29473, - "27369": msg29474, - "2737": msg5188, - "27370": msg29475, - "27371": msg29476, - "27372": msg29477, - "27373": msg29478, - "27374": msg29479, - "27375": msg29480, - "27376": msg29481, - "27377": msg29482, - "27378": msg29483, - "27379": msg29484, - "2738": msg5189, - "27380": msg29485, - "27381": msg29486, - "27382": msg29487, - "27383": msg29488, - "27384": msg29489, - "27385": msg29490, - "27386": msg29491, - "27387": msg29492, - "27388": msg29493, - "27389": msg29494, - "2739": msg5190, - "27390": msg29495, - "27391": msg29496, - "27392": msg29497, - "27393": msg29498, - "27394": msg29499, - "27395": msg29500, - "27396": msg29501, - "27397": msg29502, - "27398": msg29503, - "27399": msg29504, - "274": select197, - "2740": msg5191, - "27400": msg29505, - "27401": msg29506, - "27402": msg29507, - "27403": msg29508, - "27404": msg29509, - "27405": msg29510, - "27406": msg29511, - "27407": msg29512, - "27408": msg29513, - "27409": msg29514, - "2741": msg5192, - "27410": msg29515, - "27411": msg29516, - "27412": msg29517, - "27413": msg29518, - "27414": msg29519, - "27415": msg29520, - "27416": msg29521, - "27417": msg29522, - "27418": msg29523, - "27419": msg29524, - "2742": msg5193, - "27420": msg29525, - "27421": msg29526, - "27422": msg29527, - "27423": msg29528, - "27424": 
msg29529, - "27425": msg29530, - "27426": msg29531, - "27427": msg29532, - "27428": msg29533, - "27429": msg29534, - "2743": msg5194, - "27430": msg29535, - "27431": msg29536, - "27432": msg29537, - "27433": msg29538, - "27434": msg29539, - "27435": msg29540, - "27436": msg29541, - "27437": msg29542, - "27438": msg29543, - "27439": msg29544, - "2744": msg5195, - "27440": msg29545, - "27441": msg29546, - "27442": msg29547, - "27443": msg29548, - "27444": msg29549, - "27445": msg29550, - "27446": msg29551, - "27447": msg29552, - "27448": msg29553, - "27449": msg29554, - "2745": msg5196, - "27450": msg29555, - "27451": msg29556, - "27452": msg29557, - "27453": msg29558, - "27454": msg29559, - "27455": msg29560, - "27456": msg29561, - "27457": msg29562, - "27458": msg29563, - "27459": msg29564, - "2746": msg5197, - "27460": msg29565, - "27461": msg29566, - "27462": msg29567, - "27463": msg29568, - "27464": msg29569, - "27465": msg29570, - "27466": msg29571, - "27467": msg29572, - "27468": msg29573, - "27469": msg29574, - "2747": msg5198, - "27470": msg29575, - "27471": msg29576, - "27472": msg29577, - "27473": msg29578, - "27474": msg29579, - "27475": msg29580, - "27476": msg29581, - "27477": msg29582, - "27478": msg29583, - "27479": msg29584, - "2748": msg5199, - "27480": msg29585, - "27481": msg29586, - "27482": msg29587, - "27483": msg29588, - "27484": msg29589, - "27485": msg29590, - "27486": msg29591, - "27487": msg29592, - "27488": msg29593, - "27489": msg29594, - "2749": msg5200, - "27490": msg29595, - "27491": msg29596, - "27492": msg29597, - "27493": msg29598, - "27494": msg29599, - "27495": msg29600, - "27496": msg29601, - "27497": msg29602, - "27498": msg29603, - "27499": msg29604, - "275": select198, - "2750": msg5201, - "27500": msg29605, - "27501": msg29606, - "27502": msg29607, - "27503": msg29608, - "27504": msg29609, - "27505": msg29610, - "27506": msg29611, - "27507": msg29612, - "27508": msg29613, - "27509": msg29614, - "2751": msg5202, - "27510": 
msg29615, - "27511": msg29616, - "27512": msg29617, - "27513": msg29618, - "27514": msg29619, - "27515": msg29620, - "27516": msg29621, - "27517": msg29622, - "27518": msg29623, - "27519": msg29624, - "2752": msg5203, - "27520": msg29625, - "27521": msg29626, - "27522": msg29627, - "27523": msg29628, - "27524": msg29629, - "27525": msg29630, - "27526": msg29631, - "27527": msg29632, - "27528": msg29633, - "27529": msg29634, - "2753": msg5204, - "27530": msg29635, - "27531": msg29636, - "27532": msg29637, - "27533": msg29638, - "27534": msg29639, - "27535": msg29640, - "27536": msg29641, - "27537": msg29642, - "27538": msg29643, - "27539": msg29644, - "2754": msg5205, - "27540": msg29645, - "27541": msg29646, - "27542": msg29647, - "27543": msg29648, - "27544": msg29649, - "27545": msg29650, - "27546": msg29651, - "27547": msg29652, - "27548": msg29653, - "27549": msg29654, - "2755": msg5206, - "27550": msg29655, - "27551": msg29656, - "27552": msg29657, - "27553": msg29658, - "27554": msg29659, - "27555": msg29660, - "27556": msg29661, - "27557": msg29662, - "27558": msg29663, - "27559": msg29664, - "2756": msg5207, - "27560": msg29665, - "27561": msg29666, - "27562": msg29667, - "27563": msg29668, - "27564": msg29669, - "27565": msg29670, - "27566": msg29671, - "27567": msg29672, - "27568": msg29673, - "27569": msg29674, - "2757": msg5208, - "27570": msg29675, - "27571": msg29676, - "27572": msg29677, - "27573": msg29678, - "27574": msg29679, - "27575": msg29680, - "27576": msg29681, - "27577": msg29682, - "27578": msg29683, - "27579": msg29684, - "2758": msg5209, - "27580": msg29685, - "27581": msg29686, - "27582": msg29687, - "27583": msg29688, - "27584": msg29689, - "27585": msg29690, - "27586": msg29691, - "27587": msg29692, - "27588": msg29693, - "27589": msg29694, - "2759": msg5210, - "27590": msg29695, - "27591": msg29696, - "27592": msg29697, - "27593": msg29698, - "27594": msg29699, - "27595": msg29700, - "27596": msg29701, - "27597": msg29702, - "27598": 
msg29703, - "27599": msg29704, - "276": select199, - "2760": msg5211, - "27600": msg29705, - "27601": msg29706, - "27602": msg29707, - "27603": msg29708, - "27604": msg29709, - "27605": msg29710, - "27606": msg29711, - "27607": msg29712, - "27608": msg29713, - "27609": msg29714, - "2761": msg5212, - "27610": msg29715, - "27611": msg29716, - "27612": msg29717, - "27613": msg29718, - "27614": msg29719, - "27615": msg29720, - "27616": msg29721, - "27617": msg29722, - "27618": msg29723, - "27619": msg29724, - "2762": msg5213, - "27620": msg29725, - "27621": msg29726, - "27622": msg29727, - "27623": msg29728, - "27624": msg29729, - "27625": msg29730, - "27626": msg29731, - "27627": msg29732, - "27628": msg29733, - "27629": msg29734, - "2763": msg5214, - "27630": msg29735, - "27631": msg29736, - "27632": msg29737, - "27633": msg29738, - "27634": msg29739, - "27635": msg29740, - "27636": msg29741, - "27637": msg29742, - "27638": msg29743, - "27639": msg29744, - "2764": msg5215, - "27640": msg29745, - "27641": msg29746, - "27642": msg29747, - "27643": msg29748, - "27644": msg29749, - "27645": msg29750, - "27646": msg29751, - "27647": msg29752, - "27648": msg29753, - "27649": msg29754, - "2765": msg5216, - "27650": msg29755, - "27651": msg29756, - "27652": msg29757, - "27653": msg29758, - "27654": msg29759, - "27655": msg29760, - "27656": msg29761, - "27657": msg29762, - "27658": msg29763, - "27659": msg29764, - "2766": msg5217, - "27660": msg29765, - "27661": msg29766, - "27662": msg29767, - "27663": msg29768, - "27664": msg29769, - "27665": msg29770, - "27666": msg29771, - "27667": msg29772, - "27668": msg29773, - "27669": msg29774, - "2767": msg5218, - "27670": msg29775, - "27671": msg29776, - "27672": msg29777, - "27673": msg29778, - "27674": msg29779, - "27675": msg29780, - "27676": msg29781, - "27677": msg29782, - "27678": msg29783, - "27679": msg29784, - "2768": msg5219, - "27680": msg29785, - "27681": msg29786, - "27682": msg29787, - "27683": msg29788, - "27684": 
msg29789, - "27685": msg29790, - "27686": msg29791, - "27687": msg29792, - "27688": msg29793, - "27689": msg29794, - "2769": msg5220, - "27690": msg29795, - "27691": msg29796, - "27692": msg29797, - "27693": msg29798, - "27694": msg29799, - "27695": msg29800, - "27696": msg29801, - "27697": msg29802, - "27698": msg29803, - "27699": msg29804, - "277": select200, - "2770": msg5221, - "27700": msg29805, - "27701": msg29806, - "27702": msg29807, - "27703": msg29808, - "27704": msg29809, - "27705": msg29810, - "27706": msg29811, - "27707": msg29812, - "27708": msg29813, - "27709": msg29814, - "2771": msg5222, - "27710": msg29815, - "27711": msg29816, - "27712": msg29817, - "27713": msg29818, - "27714": msg29819, - "27715": msg29820, - "27716": msg29821, - "27717": msg29822, - "27718": msg29823, - "27719": msg29824, - "2772": msg5223, - "27720": msg29825, - "27721": msg29826, - "27722": msg29827, - "27723": msg29828, - "27724": msg29829, - "27725": msg29830, - "27726": msg29831, - "27727": msg29832, - "27728": msg29833, - "27729": msg29834, - "2773": msg5224, - "27730": msg29835, - "27731": msg29836, - "27732": msg29837, - "27733": msg29838, - "27734": msg29839, - "27735": msg29840, - "27736": msg29841, - "27737": msg29842, - "27738": msg29843, - "27739": msg29844, - "2774": msg5225, - "27740": msg29845, - "27741": msg29846, - "27742": msg29847, - "27743": msg29848, - "27744": msg29849, - "27745": msg29850, - "27746": msg29851, - "27747": msg29852, - "27748": msg29853, - "27749": msg29854, - "2775": msg5226, - "27750": msg29855, - "27751": msg29856, - "27752": msg29857, - "27753": msg29858, - "27754": msg29859, - "27755": msg29860, - "27756": msg29861, - "27757": msg29862, - "27758": msg29863, - "27759": msg29864, - "2776": msg5227, - "27760": msg29865, - "27761": msg29866, - "27762": msg29867, - "27763": msg29868, - "27764": msg29869, - "27765": msg29870, - "27766": msg29871, - "27767": msg29872, - "27768": msg29873, - "27769": msg29874, - "2777": msg5228, - "27770": 
msg29875, - "27771": msg29876, - "27772": msg29877, - "27773": msg29878, - "27774": msg29879, - "27775": msg29880, - "27776": msg29881, - "27777": msg29882, - "27778": msg29883, - "27779": msg29884, - "2778": msg5229, - "27780": msg29885, - "27781": msg29886, - "27782": msg29887, - "27783": msg29888, - "27784": msg29889, - "27785": msg29890, - "27786": msg29891, - "27787": msg29892, - "27788": msg29893, - "27789": msg29894, - "2779": msg5230, - "27790": msg29895, - "27791": msg29896, - "27792": msg29897, - "27793": msg29898, - "27794": msg29899, - "27795": msg29900, - "27796": msg29901, - "27797": msg29902, - "27798": msg29903, - "27799": msg29904, - "278": select201, - "2780": msg5231, - "27800": msg29905, - "27801": msg29906, - "27802": msg29907, - "27803": msg29908, - "27804": msg29909, - "27805": msg29910, - "27806": msg29911, - "27807": msg29912, - "27808": msg29913, - "27809": msg29914, - "2781": msg5232, - "27810": msg29915, - "27811": msg29916, - "27812": msg29917, - "27813": msg29918, - "27814": msg29919, - "27815": msg29920, - "27816": msg29921, - "27817": msg29922, - "27818": msg29923, - "27819": msg29924, - "2782": msg5233, - "27820": msg29925, - "27821": msg29926, - "27822": msg29927, - "27823": msg29928, - "27824": msg29929, - "27825": msg29930, - "27826": msg29931, - "27827": msg29932, - "27828": msg29933, - "27829": msg29934, - "2783": msg5234, - "27830": msg29935, - "27831": msg29936, - "27832": msg29937, - "27833": msg29938, - "27834": msg29939, - "27835": msg29940, - "27836": msg29941, - "27837": msg29942, - "27838": msg29943, - "27839": msg29944, - "2784": msg5235, - "27840": msg29945, - "27841": msg29946, - "27842": msg29947, - "27843": msg29948, - "27844": msg29949, - "27845": msg29950, - "27846": msg29951, - "27847": msg29952, - "27848": msg29953, - "27849": msg29954, - "2785": msg5236, - "27850": msg29955, - "27851": msg29956, - "27852": msg29957, - "27853": msg29958, - "27854": msg29959, - "27855": msg29960, - "27856": msg29961, - "27857": 
msg29962, - "27858": msg29963, - "27859": msg29964, - "2786": msg5237, - "27860": msg29965, - "27861": msg29966, - "27862": msg29967, - "27863": msg29968, - "27864": msg29969, - "27865": msg29970, - "27866": msg29971, - "27867": msg29972, - "27868": msg29973, - "27869": msg29974, - "2787": msg5238, - "27870": msg29975, - "27871": msg29976, - "27872": msg29977, - "27873": msg29978, - "27874": msg29979, - "27875": msg29980, - "27876": msg29981, - "27877": msg29982, - "27878": msg29983, - "27879": msg29984, - "2788": msg5239, - "27880": msg29985, - "27881": msg29986, - "27882": msg29987, - "27883": msg29988, - "27884": msg29989, - "27885": msg29990, - "27886": msg29991, - "27887": msg29992, - "27888": msg29993, - "27889": msg29994, - "2789": msg5240, - "27890": msg29995, - "27891": msg29996, - "27892": msg29997, - "27893": msg29998, - "27894": msg29999, - "27895": msg30000, - "27896": msg30001, - "27897": msg30002, - "27898": msg30003, - "27899": msg30004, - "279": select202, - "2790": msg5241, - "27900": msg30005, - "27901": msg30006, - "27902": msg30007, - "27903": msg30008, - "27904": msg30009, - "27905": msg30010, - "27906": msg30011, - "27907": msg30012, - "27908": msg30013, - "27909": msg30014, - "2791": msg5242, - "27910": msg30015, - "27911": msg30016, - "27912": msg30017, - "27913": msg30018, - "27914": msg30019, - "27915": msg30020, - "27916": msg30021, - "27917": msg30022, - "27918": msg30023, - "27919": msg30024, - "2792": msg5243, - "27920": msg30025, - "27921": msg30026, - "27922": msg30027, - "27923": msg30028, - "27924": msg30029, - "27925": msg30030, - "27926": msg30031, - "27927": msg30032, - "27928": msg30033, - "27929": msg30034, - "2793": msg5244, - "27930": msg30035, - "27931": msg30036, - "27932": msg30037, - "27933": msg30038, - "27934": msg30039, - "27935": msg30040, - "27936": msg30041, - "27937": msg30042, - "27938": msg30043, - "27939": msg30044, - "2794": msg5245, - "27940": msg30045, - "27941": msg30046, - "27942": msg30047, - "27943": 
msg30048, - "27944": msg30049, - "27945": msg30050, - "27946": msg30051, - "27947": msg30052, - "27948": msg30053, - "27949": msg30054, - "2795": msg5246, - "27950": msg30055, - "27951": msg30056, - "27952": msg30057, - "27953": msg30058, - "27954": msg30059, - "27955": msg30060, - "27956": msg30061, - "27957": msg30062, - "27958": msg30063, - "27959": msg30064, - "2796": msg5247, - "27960": msg30065, - "27961": msg30066, - "27962": msg30067, - "27963": msg30068, - "27964": msg30069, - "27965": msg30070, - "27966": msg30071, - "27967": msg30072, - "27968": msg30073, - "27969": msg30074, - "2797": msg5248, - "27970": msg30075, - "27971": msg30076, - "27972": msg30077, - "27973": msg30078, - "27974": msg30079, - "27975": msg30080, - "27976": msg30081, - "27977": msg30082, - "27978": msg30083, - "27979": msg30084, - "2798": msg5249, - "27980": msg30085, - "27981": msg30086, - "27982": msg30087, - "27983": msg30088, - "27984": msg30089, - "27985": msg30090, - "27986": msg30091, - "27987": msg30092, - "27988": msg30093, - "27989": msg30094, - "2799": msg5250, - "27990": msg30095, - "27991": msg30096, - "27992": msg30097, - "27993": msg30098, - "27994": msg30099, - "27995": msg30100, - "27996": msg30101, - "27997": msg30102, - "27998": msg30103, - "27999": msg30104, - "28": msg62, - "280": select203, - "2800": msg5251, - "28000": msg30105, - "28001": msg30106, - "28002": msg30107, - "28003": msg30108, - "28004": msg30109, - "28005": msg30110, - "28006": msg30111, - "28007": msg30112, - "28008": msg30113, - "28009": msg30114, - "2801": msg5252, - "28010": msg30115, - "28011": msg30116, - "28012": msg30117, - "28013": msg30118, - "28014": msg30119, - "28015": msg30120, - "28016": msg30121, - "28017": msg30122, - "28018": msg30123, - "28019": msg30124, - "2802": msg5253, - "28020": msg30125, - "28021": msg30126, - "28022": msg30127, - "28023": msg30128, - "28024": msg30129, - "28025": msg30130, - "28026": msg30131, - "28027": msg30132, - "28028": msg30133, - "28029": 
msg30134, - "2803": msg5254, - "28030": msg30135, - "28031": msg30136, - "28032": msg30137, - "28033": msg30138, - "28034": msg30139, - "28035": msg30140, - "28036": msg30141, - "28037": msg30142, - "28038": msg30143, - "28039": msg30144, - "2804": msg5255, - "28040": msg30145, - "28041": msg30146, - "28042": msg30147, - "28043": msg30148, - "28044": msg30149, - "28045": msg30150, - "28046": msg30151, - "28047": msg30152, - "28048": msg30153, - "28049": msg30154, - "2805": msg5256, - "28050": msg30155, - "28051": msg30156, - "28052": msg30157, - "28053": msg30158, - "28054": msg30159, - "28055": msg30160, - "28056": msg30161, - "28057": msg30162, - "28058": msg30163, - "28059": msg30164, - "2806": msg5257, - "28060": msg30165, - "28061": msg30166, - "28062": msg30167, - "28063": msg30168, - "28064": msg30169, - "28065": msg30170, - "28066": msg30171, - "28067": msg30172, - "28068": msg30173, - "28069": msg30174, - "2807": msg5258, - "28070": msg30175, - "28071": msg30176, - "28072": msg30177, - "28073": msg30178, - "28074": msg30179, - "28075": msg30180, - "28076": msg30181, - "28077": msg30182, - "28078": msg30183, - "28079": msg30184, - "2808": msg5259, - "28080": msg30185, - "28081": msg30186, - "28082": msg30187, - "28083": msg30188, - "28084": msg30189, - "28085": msg30190, - "28086": msg30191, - "28087": msg30192, - "28088": msg30193, - "28089": msg30194, - "2809": msg5260, - "28090": msg30195, - "28093": msg30196, - "28094": msg30197, - "28095": msg30198, - "28096": msg30199, - "28097": msg30200, - "28098": msg30201, - "28099": msg30202, - "281": select204, - "2810": msg5261, - "28100": msg30203, - "28101": msg30204, - "28102": msg30205, - "28103": msg30206, - "28104": msg30207, - "28105": msg30208, - "28106": msg30209, - "28107": msg30210, - "28108": msg30211, - "28109": msg30212, - "2811": msg5262, - "28110": msg30213, - "28111": msg30214, - "28112": msg30215, - "28113": msg30216, - "28114": msg30217, - "28115": msg30218, - "28116": msg30219, - "28117": 
msg30220, - "28118": msg30221, - "28119": msg30222, - "2812": msg5263, - "28120": msg30223, - "28121": msg30224, - "28122": msg30225, - "28123": msg30226, - "28124": msg30227, - "28125": msg30228, - "28126": msg30229, - "28127": msg30230, - "28128": msg30231, - "28129": msg30232, - "2813": msg5264, - "28130": msg30233, - "28131": msg30234, - "28132": msg30235, - "28133": msg30236, - "28134": msg30237, - "28135": msg30238, - "28136": msg30239, - "28137": msg30240, - "28138": msg30241, - "28139": msg30242, - "2814": msg5265, - "28140": msg30243, - "28141": msg30244, - "28142": msg30245, - "28143": msg30246, - "28144": msg30247, - "28145": msg30248, - "28146": msg30249, - "28147": msg30250, - "28148": msg30251, - "28149": msg30252, - "2815": msg5266, - "28150": msg30253, - "28151": msg30254, - "28152": msg30255, - "28153": msg30256, - "28154": msg30257, - "28155": msg30258, - "28156": msg30259, - "28157": msg30260, - "28158": msg30261, - "28159": msg30262, - "2816": msg5267, - "28160": msg30263, - "28161": msg30264, - "28162": msg30265, - "28163": msg30266, - "28164": msg30267, - "28165": msg30268, - "28166": msg30269, - "28167": msg30270, - "28168": msg30271, - "28169": msg30272, - "2817": msg5268, - "28170": msg30273, - "28171": msg30274, - "28172": msg30275, - "28173": msg30276, - "28174": msg30277, - "28175": msg30278, - "28176": msg30279, - "28177": msg30280, - "28178": msg30281, - "28179": msg30282, - "2818": msg5269, - "28180": msg30283, - "28181": msg30284, - "28182": msg30285, - "28183": msg30286, - "28184": msg30287, - "28185": msg30288, - "28186": msg30289, - "28187": msg30290, - "28188": msg30291, - "28189": msg30292, - "2819": msg5270, - "28190": msg30293, - "28191": msg30294, - "28192": msg30295, - "28193": msg30296, - "28194": msg30297, - "28195": msg30298, - "28196": msg30299, - "28197": msg30300, - "28198": msg30301, - "28199": msg30302, - "282": select205, - "2820": msg5271, - "28200": msg30303, - "28201": msg30304, - "28202": msg30305, - "28203": 
msg30306, - "28204": msg30307, - "28205": msg30308, - "28206": msg30309, - "28207": msg30310, - "28208": msg30311, - "28209": msg30312, - "2821": msg5272, - "28210": msg30313, - "28211": msg30314, - "28212": msg30315, - "28213": msg30316, - "28214": msg30317, - "28215": msg30318, - "28216": msg30319, - "28217": msg30320, - "28218": msg30321, - "28219": msg30322, - "2822": msg5273, - "28220": msg30323, - "28221": msg30324, - "28222": msg30325, - "28223": msg30326, - "28224": msg30327, - "28225": msg30328, - "28226": msg30329, - "28227": msg30330, - "28228": msg30331, - "28229": msg30332, - "2823": msg5274, - "28230": msg30333, - "28231": msg30334, - "28232": msg30335, - "28233": msg30336, - "28234": msg30337, - "28235": msg30338, - "28236": msg30339, - "28237": msg30340, - "28238": msg30341, - "28239": msg30342, - "2824": msg5275, - "28240": msg30343, - "28241": msg30344, - "28242": msg30345, - "28243": msg30346, - "28244": msg30347, - "28245": msg30348, - "28246": msg30349, - "28247": msg30350, - "28248": msg30351, - "28249": msg30352, - "2825": msg5276, - "28250": msg30353, - "28251": msg30354, - "28252": msg30355, - "28253": msg30356, - "28254": msg30357, - "28255": msg30358, - "28256": msg30359, - "28257": msg30360, - "28258": msg30361, - "28259": msg30362, - "2826": msg5277, - "28260": msg30363, - "28261": msg30364, - "28262": msg30365, - "28263": msg30366, - "28264": msg30367, - "28265": msg30368, - "28266": msg30369, - "28267": msg30370, - "28268": msg30371, - "28269": msg30372, - "2827": msg5278, - "28270": msg30373, - "28271": msg30374, - "28272": msg30375, - "28273": msg30376, - "28274": msg30377, - "28275": msg30378, - "28276": msg30379, - "28277": msg30380, - "28278": msg30381, - "28279": msg30382, - "2828": msg5279, - "28280": msg30383, - "28281": msg30384, - "28282": msg30385, - "28283": msg30386, - "28284": msg30387, - "28285": msg30388, - "28286": msg30389, - "28287": msg30390, - "28288": msg30391, - "28289": msg30392, - "2829": msg5280, - "28290": 
msg30393, - "28291": msg30394, - "28292": msg30395, - "28293": msg30396, - "28294": msg30397, - "28295": msg30398, - "28296": msg30399, - "28297": msg30400, - "28298": msg30401, - "28299": msg30402, - "283": select206, - "2830": msg5281, - "28300": msg30403, - "28303": msg30404, - "28304": msg30405, - "28305": msg30406, - "28306": msg30407, - "28309": msg30408, - "2831": msg5282, - "28315": msg30409, - "2832": msg5283, - "28323": msg30410, - "28325": msg30411, - "28326": msg30412, - "28327": msg30413, - "28328": msg30414, - "28329": msg30415, - "2833": msg5284, - "28330": msg30416, - "28331": msg30417, - "28332": msg30418, - "28333": msg30419, - "28334": msg30420, - "28335": msg30421, - "28336": msg30422, - "28337": msg30423, - "28338": msg30424, - "28339": msg30425, - "2834": msg5285, - "28340": msg30426, - "28341": msg30427, - "28342": msg30428, - "28343": msg30429, - "28344": msg30430, - "28345": msg30431, - "28346": msg30432, - "28347": msg30433, - "28348": msg30434, - "28349": msg30435, - "2835": msg5286, - "28350": msg30436, - "28351": msg30437, - "28352": msg30438, - "28353": msg30439, - "28354": msg30440, - "28355": msg30441, - "28356": msg30442, - "28357": msg30443, - "28358": msg30444, - "28359": msg30445, - "2836": msg5287, - "28360": msg30446, - "28361": msg30447, - "28362": msg30448, - "28363": msg30449, - "28364": msg30450, - "28365": msg30451, - "28366": msg30452, - "28367": msg30453, - "28368": msg30454, - "28369": msg30455, - "2837": msg5288, - "28370": msg30456, - "28371": msg30457, - "28372": msg30458, - "28373": msg30459, - "28374": msg30460, - "28375": msg30461, - "28376": msg30462, - "28377": msg30463, - "28378": msg30464, - "28379": msg30465, - "2838": msg5289, - "28380": msg30466, - "28381": msg30467, - "28382": msg30468, - "28383": msg30469, - "28384": msg30470, - "28385": msg30471, - "28386": msg30472, - "28387": msg30473, - "28388": msg30474, - "28389": msg30475, - "2839": msg5290, - "28390": msg30476, - "28391": msg30477, - "28392": 
msg30478, - "28393": msg30479, - "28394": msg30480, - "28395": msg30481, - "28396": msg30482, - "28397": msg30483, - "28398": msg30484, - "28399": msg30485, - "284": select207, - "2840": msg5291, - "28400": msg30486, - "28401": msg30487, - "28402": msg30488, - "28403": msg30489, - "28404": msg30490, - "28405": msg30491, - "28406": msg30492, - "28407": msg30493, - "28408": msg30494, - "28409": msg30495, - "2841": msg5292, - "28410": msg30496, - "28411": msg30497, - "28412": msg30498, - "28413": msg30499, - "28414": msg30500, - "28415": msg30501, - "28416": msg30502, - "28417": msg30503, - "28418": msg30504, - "28419": msg30505, - "2842": msg5293, - "28420": msg30506, - "28421": msg30507, - "28422": msg30508, - "28423": msg30509, - "28424": msg30510, - "28425": msg30511, - "28426": msg30512, - "28427": msg30513, - "28428": msg30514, - "28429": msg30515, - "2843": msg5294, - "28430": msg30516, - "28431": msg30517, - "28432": msg30518, - "28433": msg30519, - "28434": msg30520, - "28435": msg30521, - "28436": msg30522, - "28437": msg30523, - "28438": msg30524, - "28439": msg30525, - "2844": msg5295, - "28440": msg30526, - "28441": msg30527, - "28442": msg30528, - "28443": msg30529, - "28444": msg30530, - "28445": msg30531, - "28446": msg30532, - "28447": msg30533, - "28448": msg30534, - "28449": msg30535, - "2845": msg5296, - "28450": msg30536, - "28451": msg30537, - "28452": msg30538, - "28453": msg30539, - "28454": msg30540, - "28455": msg30541, - "28456": msg30542, - "28457": msg30543, - "28458": msg30544, - "28459": msg30545, - "2846": msg5297, - "28460": msg30546, - "28461": msg30547, - "28462": msg30548, - "28463": msg30549, - "28464": msg30550, - "28465": msg30551, - "28466": msg30552, - "28467": msg30553, - "28468": msg30554, - "28469": msg30555, - "2847": msg5298, - "28470": msg30556, - "28471": msg30557, - "28472": msg30558, - "28473": msg30559, - "28474": msg30560, - "28475": msg30561, - "28476": msg30562, - "28477": msg30563, - "28478": msg30564, - "28479": 
msg30565, - "2848": msg5299, - "28480": msg30566, - "28481": msg30567, - "28482": msg30568, - "28483": msg30569, - "28484": msg30570, - "28485": msg30571, - "28486": msg30572, - "28487": msg30573, - "28488": msg30574, - "28489": msg30575, - "2849": msg5300, - "28490": msg30576, - "28491": msg30577, - "28492": msg30578, - "28493": msg30579, - "28494": msg30580, - "28495": msg30581, - "28496": msg30582, - "28497": msg30583, - "28498": msg30584, - "28499": msg30585, - "285": select208, - "2850": msg5301, - "28500": msg30586, - "28501": msg30587, - "28502": msg30588, - "28503": msg30589, - "28504": msg30590, - "28505": msg30591, - "28506": msg30592, - "28507": msg30593, - "28508": msg30594, - "28509": msg30595, - "2851": msg5302, - "28510": msg30596, - "28511": msg30597, - "28512": msg30598, - "28513": msg30599, - "28514": msg30600, - "28515": msg30601, - "28516": msg30602, - "28517": msg30603, - "28518": msg30604, - "28519": msg30605, - "2852": msg5303, - "28520": msg30606, - "28521": msg30607, - "28522": msg30608, - "28523": msg30609, - "28524": msg30610, - "28525": msg30611, - "28526": msg30612, - "28527": msg30613, - "28528": msg30614, - "28529": msg30615, - "2853": msg5304, - "28530": msg30616, - "28531": msg30617, - "28532": msg30618, - "28533": msg30619, - "28534": msg30620, - "28535": msg30621, - "28536": msg30622, - "28537": msg30623, - "28538": msg30624, - "28539": msg30625, - "2854": msg5305, - "28540": msg30626, - "28541": msg30627, - "28542": msg30628, - "28543": msg30629, - "28544": msg30630, - "28545": msg30631, - "28546": msg30632, - "28547": msg30633, - "28548": msg30634, - "28549": msg30635, - "2855": msg5306, - "28550": msg30636, - "28551": msg30637, - "28552": msg30638, - "28553": msg30639, - "28554": msg30640, - "28555": msg30641, - "28556": msg30642, - "28557": msg30643, - "28558": msg30644, - "28559": msg30645, - "2856": msg5307, - "28560": msg30646, - "28561": msg30647, - "28562": msg30648, - "28563": msg30649, - "28564": msg30650, - "28565": 
msg30651, - "28566": msg30652, - "28567": msg30653, - "28568": msg30654, - "28569": msg30655, - "2857": msg5308, - "28570": msg30656, - "28571": msg30657, - "28572": msg30658, - "28573": msg30659, - "28574": msg30660, - "28575": msg30661, - "28576": msg30662, - "28577": msg30663, - "28578": msg30664, - "28579": msg30665, - "2858": msg5309, - "28580": msg30666, - "28581": msg30667, - "28582": msg30668, - "28583": msg30669, - "28584": msg30670, - "28585": msg30671, - "28586": msg30672, - "28587": msg30673, - "28588": msg30674, - "28589": msg30675, - "2859": msg5310, - "28590": msg30676, - "28591": msg30677, - "28592": msg30678, - "28593": msg30679, - "28594": msg30680, - "28595": msg30681, - "28596": msg30682, - "28597": msg30683, - "28598": msg30684, - "28599": msg30685, - "286": select209, - "2860": msg5311, - "28600": msg30686, - "28601": msg30687, - "28602": msg30688, - "28603": msg30689, - "28604": msg30690, - "28605": msg30691, - "28606": msg30692, - "28607": msg30693, - "28608": msg30694, - "28609": msg30695, - "2861": msg5312, - "28610": msg30696, - "28611": msg30697, - "28612": msg30698, - "28613": msg30699, - "28614": msg30700, - "28615": msg30701, - "28616": msg30702, - "28617": msg30703, - "28618": msg30704, - "28619": msg30705, - "2862": msg5313, - "28620": msg30706, - "28621": msg30707, - "28622": msg30708, - "28623": msg30709, - "28624": msg30710, - "28625": msg30711, - "28626": msg30712, - "28627": msg30713, - "28628": msg30714, - "28629": msg30715, - "2863": msg5314, - "28630": msg30716, - "28631": msg30717, - "28632": msg30718, - "28633": msg30719, - "28634": msg30720, - "28635": msg30721, - "28636": msg30722, - "28637": msg30723, - "28638": msg30724, - "28639": msg30725, - "2864": msg5315, - "28640": msg30726, - "28641": msg30727, - "28642": msg30728, - "28643": msg30729, - "28644": msg30730, - "28645": msg30731, - "28646": msg30732, - "28647": msg30733, - "28648": msg30734, - "28649": msg30735, - "2865": msg5316, - "28650": msg30736, - "28651": 
msg30737, - "28652": msg30738, - "28653": msg30739, - "28654": msg30740, - "28655": msg30741, - "28656": msg30742, - "28657": msg30743, - "28658": msg30744, - "28659": msg30745, - "2866": msg5317, - "28660": msg30746, - "28661": msg30747, - "28662": msg30748, - "28663": msg30749, - "28664": msg30750, - "28665": msg30751, - "28666": msg30752, - "28667": msg30753, - "28668": msg30754, - "28669": msg30755, - "2867": msg5318, - "28670": msg30756, - "28671": msg30757, - "28672": msg30758, - "28673": msg30759, - "28674": msg30760, - "28675": msg30761, - "28676": msg30762, - "28677": msg30763, - "28678": msg30764, - "28679": msg30765, - "2868": msg5319, - "28680": msg30766, - "28681": msg30767, - "28682": msg30768, - "28683": msg30769, - "28684": msg30770, - "28685": msg30771, - "28686": msg30772, - "28687": msg30773, - "28688": msg30774, - "28689": msg30775, - "2869": msg5320, - "28690": msg30776, - "28691": msg30777, - "28692": msg30778, - "28693": msg30779, - "28694": msg30780, - "28695": msg30781, - "28696": msg30782, - "28697": msg30783, - "28698": msg30784, - "28699": msg30785, - "287": select210, - "2870": msg5321, - "28700": msg30786, - "28701": msg30787, - "28702": msg30788, - "28703": msg30789, - "28704": msg30790, - "28705": msg30791, - "28706": msg30792, - "28707": msg30793, - "28708": msg30794, - "28709": msg30795, - "2871": msg5322, - "28710": msg30796, - "28711": msg30797, - "28712": msg30798, - "28713": msg30799, - "28714": msg30800, - "28715": msg30801, - "28716": msg30802, - "28717": msg30803, - "28718": msg30804, - "28719": msg30805, - "2872": msg5323, - "28720": msg30806, - "28721": msg30807, - "28722": msg30808, - "28723": msg30809, - "28724": msg30810, - "28725": msg30811, - "28726": msg30812, - "28727": msg30813, - "28728": msg30814, - "28729": msg30815, - "2873": msg5324, - "28730": msg30816, - "28731": msg30817, - "28732": msg30818, - "28733": msg30819, - "28734": msg30820, - "28735": msg30821, - "28736": msg30822, - "28737": msg30823, - "28738": 
msg30824, - "28739": msg30825, - "2874": msg5325, - "28740": msg30826, - "28741": msg30827, - "28742": msg30828, - "28743": msg30829, - "28744": msg30830, - "28745": msg30831, - "28746": msg30832, - "28747": msg30833, - "28748": msg30834, - "28749": msg30835, - "2875": msg5326, - "28750": msg30836, - "28751": msg30837, - "28752": msg30838, - "28753": msg30839, - "28754": msg30840, - "28755": msg30841, - "28756": msg30842, - "28757": msg30843, - "28758": msg30844, - "28759": msg30845, - "2876": msg5327, - "28760": msg30846, - "28761": msg30847, - "28762": msg30848, - "28763": msg30849, - "28764": msg30850, - "28765": msg30851, - "28766": msg30852, - "28767": msg30853, - "28768": msg30854, - "28769": msg30855, - "2877": msg5328, - "28770": msg30856, - "28771": msg30857, - "28772": msg30858, - "28773": msg30859, - "28774": msg30860, - "28775": msg30861, - "28776": msg30862, - "28777": msg30863, - "28778": msg30864, - "28779": msg30865, - "2878": msg5329, - "28780": msg30866, - "28781": msg30867, - "28782": msg30868, - "28783": msg30869, - "28784": msg30870, - "28785": msg30871, - "28786": msg30872, - "28787": msg30873, - "28788": msg30874, - "28789": msg30875, - "2879": msg5330, - "28790": msg30876, - "28791": msg30877, - "28792": msg30878, - "28793": msg30879, - "28794": msg30880, - "28795": msg30881, - "28796": msg30882, - "28797": msg30883, - "28798": msg30884, - "28799": msg30885, - "288": select211, - "2880": msg5331, - "28800": msg30886, - "28801": msg30887, - "28802": msg30888, - "28803": msg30889, - "28804": msg30890, - "28805": msg30891, - "28806": msg30892, - "28807": msg30893, - "28808": msg30894, - "28809": msg30895, - "2881": msg5332, - "28810": msg30896, - "28811": msg30897, - "28812": msg30898, - "28813": msg30899, - "28814": msg30900, - "28815": msg30901, - "28816": msg30902, - "28817": msg30903, - "28818": msg30904, - "28819": msg30905, - "2882": msg5333, - "28820": msg30906, - "28821": msg30907, - "28822": msg30908, - "28823": msg30909, - "28824": 
msg30910, - "28825": msg30911, - "28826": msg30912, - "28827": msg30913, - "28828": msg30914, - "28829": msg30915, - "2883": msg5334, - "28830": msg30916, - "28831": msg30917, - "28832": msg30918, - "28833": msg30919, - "28834": msg30920, - "28835": msg30921, - "28836": msg30922, - "28837": msg30923, - "28838": msg30924, - "28839": msg30925, - "2884": msg5335, - "28840": msg30926, - "28841": msg30927, - "28842": msg30928, - "28843": msg30929, - "28844": msg30930, - "28845": msg30931, - "28846": msg30932, - "28847": msg30933, - "28848": msg30934, - "28849": msg30935, - "2885": msg5336, - "28850": msg30936, - "28851": msg30937, - "28852": msg30938, - "28853": msg30939, - "28854": msg30940, - "28855": msg30941, - "28856": msg30942, - "28857": msg30943, - "28858": msg30944, - "28859": msg30945, - "2886": msg5337, - "28860": msg30946, - "28861": msg30947, - "28862": msg30948, - "28863": msg30949, - "28864": msg30950, - "28865": msg30951, - "28866": msg30952, - "28867": msg30953, - "28868": msg30954, - "28869": msg30955, - "2887": msg5338, - "28870": msg30956, - "28871": msg30957, - "28872": msg30958, - "28873": msg30959, - "28874": msg30960, - "28875": msg30961, - "28876": msg30962, - "28877": msg30963, - "28878": msg30964, - "28879": msg30965, - "2888": msg5339, - "28880": msg30966, - "28881": msg30967, - "28882": msg30968, - "28883": msg30969, - "28884": msg30970, - "28885": msg30971, - "28886": msg30972, - "28887": msg30973, - "28888": msg30974, - "28889": msg30975, - "2889": msg5340, - "28890": msg30976, - "28891": msg30977, - "28892": msg30978, - "28893": msg30979, - "28894": msg30980, - "28895": msg30981, - "28896": msg30982, - "28897": msg30983, - "28898": msg30984, - "28899": msg30985, - "289": select212, - "2890": msg5341, - "28900": msg30986, - "28901": msg30987, - "28902": msg30988, - "28903": msg30989, - "28904": msg30990, - "28905": msg30991, - "28906": msg30992, - "28907": msg30993, - "28908": msg30994, - "28909": msg30995, - "2891": msg5342, - "28910": 
msg30996, - "28911": msg30997, - "28912": msg30998, - "28913": msg30999, - "28914": msg31000, - "28915": msg31001, - "28916": msg31002, - "28917": msg31003, - "28918": msg31004, - "28919": msg31005, - "2892": msg5343, - "28920": msg31006, - "28921": msg31007, - "28922": msg31008, - "28923": msg31009, - "28924": msg31010, - "28925": msg31011, - "28926": msg31012, - "28927": msg31013, - "28928": msg31014, - "28929": msg31015, - "2893": msg5344, - "28930": msg31016, - "28931": msg31017, - "28932": msg31018, - "28933": msg31019, - "28934": msg31020, - "28935": msg31021, - "28936": msg31022, - "28937": msg31023, - "28938": msg31024, - "28939": msg31025, - "2894": msg5345, - "28940": msg31026, - "28941": msg31027, - "28942": msg31028, - "28943": msg31029, - "28944": msg31030, - "28945": msg31031, - "28946": msg31032, - "28947": msg31033, - "28948": msg31034, - "28949": msg31035, - "2895": msg5346, - "28950": msg31036, - "28951": msg31037, - "28952": msg31038, - "28953": msg31039, - "28954": msg31040, - "28955": msg31041, - "28956": msg31042, - "28957": msg31043, - "28958": msg31044, - "28959": msg31045, - "2896": msg5347, - "28960": msg31046, - "28961": msg31047, - "28962": msg31048, - "28963": msg31049, - "28964": msg31050, - "28965": msg31051, - "28966": msg31052, - "28967": msg31053, - "28968": msg31054, - "28969": msg31055, - "2897": msg5348, - "28970": msg31056, - "28971": msg31057, - "28972": msg31058, - "28973": msg31059, - "28974": msg31060, - "28975": msg31061, - "28976": msg31062, - "28977": msg31063, - "28978": msg31064, - "28979": msg31065, - "2898": msg5349, - "28980": msg31066, - "28981": msg31067, - "28982": msg31068, - "28983": msg31069, - "28984": msg31070, - "28985": msg31071, - "28986": msg31072, - "28987": msg31073, - "28988": msg31074, - "28989": msg31075, - "2899": msg5350, - "28990": msg31076, - "28991": msg31077, - "28992": msg31078, - "28993": msg31079, - "28994": msg31080, - "28995": msg31081, - "28996": msg31082, - "28997": msg31083, - "28998": 
msg31084, - "28999": msg31085, - "29": msg63, - "290": select213, - "2900": msg5351, - "29000": msg31086, - "29001": msg31087, - "29002": msg31088, - "29003": msg31089, - "29004": msg31090, - "29005": msg31091, - "29006": msg31092, - "29007": msg31093, - "29008": msg31094, - "29009": msg31095, - "2901": msg5352, - "29010": msg31096, - "29011": msg31097, - "29012": msg31098, - "29013": msg31099, - "29014": msg31100, - "29015": msg31101, - "29016": msg31102, - "29017": msg31103, - "29018": msg31104, - "29019": msg31105, - "2902": msg5353, - "29020": msg31106, - "29021": msg31107, - "29022": msg31108, - "29023": msg31109, - "29024": msg31110, - "29025": msg31111, - "29026": msg31112, - "29027": msg31113, - "29028": msg31114, - "29029": msg31115, - "2903": msg5354, - "29030": msg31116, - "29031": msg31117, - "29032": msg31118, - "29033": msg31119, - "29034": msg31120, - "29035": msg31121, - "29036": msg31122, - "29037": msg31123, - "29038": msg31124, - "29039": msg31125, - "2904": msg5355, - "29040": msg31126, - "29041": msg31127, - "29042": msg31128, - "29043": msg31129, - "29044": msg31130, - "29045": msg31131, - "29046": msg31132, - "29047": msg31133, - "29048": msg31134, - "29049": msg31135, - "2905": msg5356, - "29050": msg31136, - "29051": msg31137, - "29052": msg31138, - "29053": msg31139, - "29054": msg31140, - "29055": msg31141, - "29056": msg31142, - "29057": msg31143, - "29058": msg31144, - "29059": msg31145, - "2906": msg5357, - "29060": msg31146, - "29061": msg31147, - "29062": msg31148, - "29063": msg31149, - "29064": msg31150, - "29065": msg31151, - "29066": msg31152, - "29067": msg31153, - "29068": msg31154, - "29069": msg31155, - "2907": msg5358, - "29070": msg31156, - "29071": msg31157, - "29072": msg31158, - "29073": msg31159, - "29074": msg31160, - "29075": msg31161, - "29076": msg31162, - "29077": msg31163, - "29078": msg31164, - "29079": msg31165, - "2908": msg5359, - "29080": msg31166, - "29081": msg31167, - "29082": msg31168, - "29083": 
msg31169, - "29084": msg31170, - "29085": msg31171, - "29086": msg31172, - "29087": msg31173, - "29088": msg31174, - "29089": msg31175, - "2909": msg5360, - "29090": msg31176, - "29091": msg31177, - "29092": msg31178, - "29093": msg31179, - "29094": msg31180, - "29095": msg31181, - "29096": msg31182, - "29097": msg31183, - "29098": msg31184, - "29099": msg31185, - "291": select214, - "2910": msg5361, - "29100": msg31186, - "29101": msg31187, - "29102": msg31188, - "29103": msg31189, - "29104": msg31190, - "29105": msg31191, - "29106": msg31192, - "29107": msg31193, - "29108": msg31194, - "29109": msg31195, - "2911": msg5362, - "29110": msg31196, - "29111": msg31197, - "29112": msg31198, - "29113": msg31199, - "29114": msg31200, - "29115": msg31201, - "29116": msg31202, - "29117": msg31203, - "29118": msg31204, - "29119": msg31205, - "2912": msg5363, - "29120": msg31206, - "29121": msg31207, - "29122": msg31208, - "29123": msg31209, - "29124": msg31210, - "29125": msg31211, - "29126": msg31212, - "29127": msg31213, - "29128": msg31214, - "29129": msg31215, - "2913": msg5364, - "29130": msg31216, - "29131": msg31217, - "29132": msg31218, - "29133": msg31219, - "29134": msg31220, - "29135": msg31221, - "29136": msg31222, - "29137": msg31223, - "29138": msg31224, - "29139": msg31225, - "2914": msg5365, - "29140": msg31226, - "29141": msg31227, - "29142": msg31228, - "29143": msg31229, - "29144": msg31230, - "29145": msg31231, - "29146": msg31232, - "29147": msg31233, - "29148": msg31234, - "29149": msg31235, - "2915": msg5366, - "29150": msg31236, - "29151": msg31237, - "29152": msg31238, - "29153": msg31239, - "29154": msg31240, - "29155": msg31241, - "29156": msg31242, - "29157": msg31243, - "29158": msg31244, - "29159": msg31245, - "2916": msg5367, - "29160": msg31246, - "29161": msg31247, - "29162": msg31248, - "29163": msg31249, - "29164": msg31250, - "29165": msg31251, - "29166": msg31252, - "29167": msg31253, - "29168": msg31254, - "29169": msg31255, - "2917": 
msg5368, - "29170": msg31256, - "29171": msg31257, - "29172": msg31258, - "29173": msg31259, - "29174": msg31260, - "29175": msg31261, - "29176": msg31262, - "29177": msg31263, - "29178": msg31264, - "29179": msg31265, - "2918": msg5369, - "29180": msg31266, - "29181": msg31267, - "29182": msg31268, - "29183": msg31269, - "29184": msg31270, - "29185": msg31271, - "29186": msg31272, - "29187": msg31273, - "29188": msg31274, - "29189": msg31275, - "2919": msg5370, - "29190": msg31276, - "29191": msg31277, - "29192": msg31278, - "29193": msg31279, - "29194": msg31280, - "29195": msg31281, - "29196": msg31282, - "29197": msg31283, - "29198": msg31284, - "29199": msg31285, - "292": select215, - "29200": msg31286, - "29201": msg31287, - "29202": msg31288, - "29203": msg31289, - "29204": msg31290, - "29205": msg31291, - "29206": msg31292, - "29207": msg31293, - "29208": msg31294, - "29209": msg31295, - "2921": msg5371, - "29210": msg31296, - "29211": msg31297, - "29212": msg31298, - "29213": msg31299, - "29214": msg31300, - "29215": msg31301, - "29216": msg31302, - "29217": msg31303, - "29218": msg31304, - "29219": msg31305, - "2922": msg5372, - "29220": msg31306, - "29221": msg31307, - "29222": msg31308, - "29223": msg31309, - "29224": msg31310, - "29225": msg31311, - "29226": msg31312, - "29227": msg31313, - "29228": msg31314, - "29229": msg31315, - "2923": msg5373, - "29230": msg31316, - "29231": msg31317, - "29232": msg31318, - "29233": msg31319, - "29234": msg31320, - "29235": msg31321, - "29236": msg31322, - "29237": msg31323, - "29238": msg31324, - "29239": msg31325, - "2924": msg5374, - "29240": msg31326, - "29241": msg31327, - "29242": msg31328, - "29243": msg31329, - "29244": msg31330, - "29245": msg31331, - "29246": msg31332, - "29247": msg31333, - "29248": msg31334, - "29249": msg31335, - "2925": msg5375, - "29250": msg31336, - "29251": msg31337, - "29252": msg31338, - "29253": msg31339, - "29254": msg31340, - "29255": msg31341, - "29256": msg31342, - "29257": 
msg31343, - "29258": msg31344, - "29259": msg31345, - "2926": msg5376, - "29260": msg31346, - "29261": msg31347, - "29262": msg31348, - "29263": msg31349, - "29264": msg31350, - "29265": msg31351, - "29266": msg31352, - "29267": msg31353, - "29268": msg31354, - "29269": msg31355, - "2927": msg5377, - "29270": msg31356, - "29271": msg31357, - "29272": msg31358, - "29273": msg31359, - "29274": msg31360, - "29275": msg31361, - "29276": msg31362, - "29277": msg31363, - "29278": msg31364, - "29279": msg31365, - "2928": msg5378, - "29280": msg31366, - "29281": msg31367, - "29282": msg31368, - "29283": msg31369, - "29284": msg31370, - "29285": msg31371, - "29286": msg31372, - "29287": msg31373, - "29288": msg31374, - "29289": msg31375, - "2929": msg5379, - "29290": msg31376, - "29291": msg31377, - "29292": msg31378, - "29293": msg31379, - "29294": msg31380, - "29295": msg31381, - "29296": msg31382, - "29297": msg31383, - "29298": msg31384, - "29299": msg31385, - "293": select216, - "2930": msg5380, - "29300": msg31386, - "29301": msg31387, - "29302": msg31388, - "29303": msg31389, - "29304": msg31390, - "29305": msg31391, - "29306": msg31392, - "29307": msg31393, - "2931": msg5381, - "29313": msg31394, - "29314": msg31395, - "29315": msg31396, - "29316": msg31397, - "29317": msg31398, - "29318": msg31399, - "29319": msg31400, - "2932": msg5382, - "29320": msg31401, - "29321": msg31402, - "29322": msg31403, - "29323": msg31404, - "29324": msg31405, - "29325": msg31406, - "29326": msg31407, - "29327": msg31408, - "29328": msg31409, - "29329": msg31410, - "2933": msg5383, - "29330": msg31411, - "29331": msg31412, - "29332": msg31413, - "29333": msg31414, - "29334": msg31415, - "29335": msg31416, - "29336": msg31417, - "29337": msg31418, - "29338": msg31419, - "29339": msg31420, - "2934": msg5384, - "29340": msg31421, - "29341": msg31422, - "29342": msg31423, - "29343": msg31424, - "29344": msg31425, - "29345": msg31426, - "29346": msg31427, - "29347": msg31428, - "29348": 
msg31429, - "29349": msg31430, - "2935": msg5385, - "29350": msg31431, - "29351": msg31432, - "29352": msg31433, - "29353": msg31434, - "29354": msg31435, - "29355": msg31436, - "29356": msg31437, - "29357": msg31438, - "29358": msg31439, - "29359": msg31440, - "2936": msg5386, - "29360": msg31441, - "29361": msg31442, - "29362": msg31443, - "29363": msg31444, - "29364": msg31445, - "29365": msg31446, - "29366": msg31447, - "29367": msg31448, - "29368": msg31449, - "29369": msg31450, - "2937": msg5387, - "29370": msg31451, - "29371": msg31452, - "29372": msg31453, - "29373": msg31454, - "29374": msg31455, - "29375": msg31456, - "29376": msg31457, - "29377": msg31458, - "29378": msg31459, - "29379": msg31460, - "2938": msg5388, - "29380": msg31461, - "29381": msg31462, - "29382": msg31463, - "29383": msg31464, - "29384": msg31465, - "29385": msg31466, - "29386": msg31467, - "29387": msg31468, - "29388": msg31469, - "29389": msg31470, - "2939": msg5389, - "29390": msg31471, - "29391": msg31472, - "29392": msg31473, - "29393": msg31474, - "29394": msg31475, - "29395": msg31476, - "29396": msg31477, - "29397": msg31478, - "29398": msg31479, - "29399": msg31480, - "2940": msg5390, - "29400": msg31481, - "29401": msg31482, - "29402": msg31483, - "29403": msg31484, - "29404": msg31485, - "29405": msg31486, - "29406": msg31487, - "29407": msg31488, - "29408": msg31489, - "29409": msg31490, - "2941": msg5391, - "29410": msg31491, - "29411": msg31492, - "29412": msg31493, - "29413": msg31494, - "29414": msg31495, - "29415": msg31496, - "29416": msg31497, - "29417": msg31498, - "29418": msg31499, - "29419": msg31500, - "2942": msg5392, - "29420": msg31501, - "29421": msg31502, - "29422": msg31503, - "29423": msg31504, - "29424": msg31505, - "29425": msg31506, - "29426": msg31507, - "29427": msg31508, - "29428": msg31509, - "29429": msg31510, - "2943": msg5393, - "29430": msg31511, - "29431": msg31512, - "29432": msg31513, - "29433": msg31514, - "29434": msg31515, - "29435": 
msg31516, - "29436": msg31517, - "29437": msg31518, - "29438": msg31519, - "29439": msg31520, - "2944": msg5394, - "29440": msg31521, - "29442": msg31522, - "29443": msg31523, - "29444": msg31524, - "29445": msg31525, - "29446": msg31526, - "29447": msg31527, - "29448": msg31528, - "29449": msg31529, - "2945": msg5395, - "29450": msg31530, - "29451": msg31531, - "29452": msg31532, - "29453": msg31533, - "29454": msg31534, - "29455": msg31535, - "29456": msg31536, - "29457": msg31537, - "29458": msg31538, - "29459": msg31539, - "2946": msg5396, - "29460": msg31540, - "29461": msg31541, - "29462": msg31542, - "29463": msg31543, - "29464": msg31544, - "29465": msg31545, - "29466": msg31546, - "29467": msg31547, - "29468": msg31548, - "29469": msg31549, - "2947": msg5397, - "29470": msg31550, - "29471": msg31551, - "29472": msg31552, - "29473": msg31553, - "29474": msg31554, - "29475": msg31555, - "29476": msg31556, - "29477": msg31557, - "29478": msg31558, - "29479": msg31559, - "2948": msg5398, - "29480": msg31560, - "29481": msg31561, - "29482": msg31562, - "29483": msg31563, - "29484": msg31564, - "29485": msg31565, - "29486": msg31566, - "29487": msg31567, - "29488": msg31568, - "29489": msg31569, - "2949": msg5399, - "29490": msg31570, - "29491": msg31571, - "29492": msg31572, - "29493": msg31573, - "29494": msg31574, - "29495": msg31575, - "29496": msg31576, - "29497": msg31577, - "29498": msg31578, - "29499": msg31579, - "295": select217, - "2950": msg5400, - "29500": msg31580, - "29501": msg31581, - "29502": msg31582, - "29503": msg31583, - "29504": msg31584, - "29505": msg31585, - "29506": msg31586, - "29507": msg31587, - "29508": msg31588, - "29509": msg31589, - "2951": msg5401, - "29510": msg31590, - "29511": msg31591, - "29512": msg31592, - "29513": msg31593, - "29514": msg31594, - "29515": msg31595, - "29516": msg31596, - "29517": msg31597, - "29518": msg31598, - "29519": msg31599, - "2952": msg5402, - "29520": msg31600, - "29521": msg31601, - "29522": 
msg31602, - "29523": msg31603, - "29524": msg31604, - "29525": msg31605, - "29526": msg31606, - "29527": msg31607, - "29528": msg31608, - "29529": msg31609, - "2953": msg5403, - "29530": msg31610, - "29531": msg31611, - "29532": msg31612, - "29533": msg31613, - "29534": msg31614, - "29535": msg31615, - "29536": msg31616, - "29537": msg31617, - "29538": msg31618, - "29539": msg31619, - "2954": msg5404, - "29540": msg31620, - "29541": msg31621, - "29542": msg31622, - "29543": msg31623, - "29544": msg31624, - "29545": msg31625, - "29546": msg31626, - "29547": msg31627, - "29548": msg31628, - "29549": msg31629, - "2955": msg5405, - "29550": msg31630, - "29551": msg31631, - "29552": msg31632, - "29553": msg31633, - "29554": msg31634, - "29555": msg31635, - "29556": msg31636, - "29557": msg31637, - "29558": msg31638, - "29559": msg31639, - "2956": msg5406, - "29560": msg31640, - "29561": msg31641, - "29562": msg31642, - "29563": msg31643, - "29564": msg31644, - "29565": msg31645, - "29566": msg31646, - "29567": msg31647, - "29568": msg31648, - "29569": msg31649, - "2957": msg5407, - "29570": msg31650, - "29571": msg31651, - "29572": msg31652, - "29573": msg31653, - "29574": msg31654, - "29575": msg31655, - "29576": msg31656, - "29577": msg31657, - "29578": msg31658, - "29579": msg31659, - "2958": msg5408, - "29580": msg31660, - "29581": msg31661, - "29582": msg31662, - "29583": msg31663, - "29584": msg31664, - "29585": msg31665, - "29586": msg31666, - "29587": msg31667, - "29588": msg31668, - "29589": msg31669, - "2959": msg5409, - "29590": msg31670, - "29591": msg31671, - "29592": msg31672, - "29593": msg31673, - "29594": msg31674, - "29595": msg31675, - "29596": msg31676, - "29597": msg31677, - "29598": msg31678, - "29599": msg31679, - "296": select218, - "2960": msg5410, - "29600": msg31680, - "29601": msg31681, - "29602": msg31682, - "29603": msg31683, - "29604": msg31684, - "29605": msg31685, - "29606": msg31686, - "29607": msg31687, - "29608": msg31688, - "29609": 
msg31689, - "2961": msg5411, - "29610": msg31690, - "29611": msg31691, - "29612": msg31692, - "29613": msg31693, - "29614": msg31694, - "29615": msg31695, - "29616": msg31696, - "29617": msg31697, - "29618": msg31698, - "29619": msg31699, - "2962": msg5412, - "29620": msg31700, - "29621": msg31701, - "29622": msg31702, - "29623": msg31703, - "29624": msg31704, - "29625": msg31705, - "29626": msg31706, - "29627": msg31707, - "29628": msg31708, - "29629": msg31709, - "2963": msg5413, - "29630": msg31710, - "29631": msg31711, - "29632": msg31712, - "29633": msg31713, - "29634": msg31714, - "29635": msg31715, - "29636": msg31716, - "29637": msg31717, - "29638": msg31718, - "29639": msg31719, - "2964": msg5414, - "29640": msg31720, - "29641": msg31721, - "29642": msg31722, - "29643": msg31723, - "29644": msg31724, - "29645": msg31725, - "29646": msg31726, - "29647": msg31727, - "29648": msg31728, - "29649": msg31729, - "2965": msg5415, - "29650": msg31730, - "29651": msg31731, - "29652": msg31732, - "29653": msg31733, - "29654": msg31734, - "29655": msg31735, - "29656": msg31736, - "29657": msg31737, - "29658": msg31738, - "29659": msg31739, - "2966": msg5416, - "29660": msg31740, - "29661": msg31741, - "29662": msg31742, - "29663": msg31743, - "29664": msg31744, - "29665": msg31745, - "29666": msg31746, - "29667": msg31747, - "29668": msg31748, - "29669": msg31749, - "2967": msg5417, - "29670": msg31750, - "29671": msg31751, - "29672": msg31752, - "29673": msg31753, - "29674": msg31754, - "29675": msg31755, - "29676": msg31756, - "29677": msg31757, - "29678": msg31758, - "29679": msg31759, - "2968": msg5418, - "29680": msg31760, - "29681": msg31761, - "29682": msg31762, - "29683": msg31763, - "29684": msg31764, - "29685": msg31765, - "29686": msg31766, - "29687": msg31767, - "29688": msg31768, - "29689": msg31769, - "2969": msg5419, - "29690": msg31770, - "29691": msg31771, - "29692": msg31772, - "29693": msg31773, - "29694": msg31774, - "29695": msg31775, - "29696": 
msg31776, - "29697": msg31777, - "29698": msg31778, - "29699": msg31779, - "297": select219, - "2970": msg5420, - "29700": msg31780, - "29701": msg31781, - "29702": msg31782, - "29703": msg31783, - "29704": msg31784, - "29705": msg31785, - "29706": msg31786, - "29707": msg31787, - "29708": msg31788, - "29709": msg31789, - "2971": msg5421, - "29710": msg31790, - "29711": msg31791, - "29712": msg31792, - "29713": msg31793, - "29714": msg31794, - "29715": msg31795, - "29716": msg31796, - "29717": msg31797, - "29718": msg31798, - "29719": msg31799, - "2972": msg5422, - "29720": msg31800, - "29721": msg31801, - "29722": msg31802, - "29723": msg31803, - "29724": msg31804, - "29725": msg31805, - "29726": msg31806, - "29727": msg31807, - "29728": msg31808, - "29729": msg31809, - "2973": msg5423, - "29730": msg31810, - "29731": msg31811, - "29732": msg31812, - "29733": msg31813, - "29734": msg31814, - "29735": msg31815, - "29736": msg31816, - "29737": msg31817, - "29738": msg31818, - "29739": msg31819, - "2974": msg5424, - "29740": msg31820, - "29741": msg31821, - "29742": msg31822, - "29743": msg31823, - "29744": msg31824, - "29745": msg31825, - "29746": msg31826, - "29747": msg31827, - "29748": msg31828, - "29749": msg31829, - "2975": msg5425, - "29750": msg31830, - "29751": msg31831, - "29752": msg31832, - "29753": msg31833, - "29754": msg31834, - "29755": msg31835, - "29756": msg31836, - "29757": msg31837, - "29758": msg31838, - "29759": msg31839, - "2976": msg5426, - "29760": msg31840, - "29761": msg31841, - "29762": msg31842, - "29763": msg31843, - "29764": msg31844, - "29765": msg31845, - "29766": msg31846, - "29767": msg31847, - "29768": msg31848, - "29769": msg31849, - "2977": msg5427, - "29770": msg31850, - "29771": msg31851, - "29772": msg31852, - "29773": msg31853, - "29774": msg31854, - "29775": msg31855, - "29776": msg31856, - "29777": msg31857, - "29778": msg31858, - "29779": msg31859, - "2978": msg5428, - "29780": msg31860, - "29781": msg31861, - "29782": 
msg31862, - "29783": msg31863, - "29784": msg31864, - "29785": msg31865, - "29786": msg31866, - "29787": msg31867, - "29788": msg31868, - "29789": msg31869, - "2979": msg5429, - "29790": msg31870, - "29791": msg31871, - "29792": msg31872, - "29793": msg31873, - "29794": msg31874, - "29795": msg31875, - "29796": msg31876, - "29797": msg31877, - "29798": msg31878, - "29799": msg31879, - "298": select220, - "2980": msg5430, - "29800": msg31880, - "29801": msg31881, - "29802": msg31882, - "29803": msg31883, - "29804": msg31884, - "29805": msg31885, - "29806": msg31886, - "29807": msg31887, - "29808": msg31888, - "29809": msg31889, - "2981": msg5431, - "29810": msg31890, - "29811": msg31891, - "29812": msg31892, - "29813": msg31893, - "29814": msg31894, - "29815": msg31895, - "29816": msg31896, - "29817": msg31897, - "29818": msg31898, - "29819": msg31899, - "2982": msg5432, - "29820": msg31900, - "29821": msg31901, - "29822": msg31902, - "29823": msg31903, - "29824": msg31904, - "29825": msg31905, - "29826": msg31906, - "29827": msg31907, - "29828": msg31908, - "29829": msg31909, - "2983": msg5433, - "29830": msg31910, - "29831": msg31911, - "29832": msg31912, - "29833": msg31913, - "29834": msg31914, - "29835": msg31915, - "29836": msg31916, - "29837": msg31917, - "29838": msg31918, - "29839": msg31919, - "2984": msg5434, - "29840": msg31920, - "29841": msg31921, - "29842": msg31922, - "29843": msg31923, - "29844": msg31924, - "29845": msg31925, - "29846": msg31926, - "29847": msg31927, - "29848": msg31928, - "29849": msg31929, - "2985": msg5435, - "29850": msg31930, - "29851": msg31931, - "29852": msg31932, - "29853": msg31933, - "29854": msg31934, - "29855": msg31935, - "29856": msg31936, - "29857": msg31937, - "29858": msg31938, - "29859": msg31939, - "2986": msg5436, - "29860": msg31940, - "29861": msg31941, - "29862": msg31942, - "29863": msg31943, - "29864": msg31944, - "29865": msg31945, - "29866": msg31946, - "29867": msg31947, - "29868": msg31948, - "29869": 
msg31949, - "2987": msg5437, - "29870": msg31950, - "29871": msg31951, - "29872": msg31952, - "29873": msg31953, - "29874": msg31954, - "29875": msg31955, - "29876": msg31956, - "29877": msg31957, - "29878": msg31958, - "29879": msg31959, - "2988": msg5438, - "29880": msg31960, - "29881": msg31961, - "29882": msg31962, - "29883": msg31963, - "29884": msg31964, - "29885": msg31965, - "29886": msg31966, - "29887": msg31967, - "29888": msg31968, - "29889": msg31969, - "2989": msg5439, - "29890": msg31970, - "29891": msg31971, - "29892": msg31972, - "29893": msg31973, - "29894": msg31974, - "29895": msg31975, - "29896": msg31976, - "29897": msg31977, - "29898": msg31978, - "29899": msg31979, - "299": select221, - "2990": msg5440, - "29900": msg31980, - "29901": msg31981, - "29902": msg31982, - "29903": msg31983, - "29904": msg31984, - "29905": msg31985, - "29906": msg31986, - "29907": msg31987, - "29909": msg31988, - "2991": msg5441, - "29910": msg31989, - "29911": msg31990, - "29912": msg31991, - "29913": msg31992, - "29914": msg31993, - "29915": msg31994, - "29916": msg31995, - "29917": msg31996, - "29918": msg31997, - "29919": msg31998, - "2992": msg5442, - "29920": msg31999, - "29921": msg32000, - "29922": msg32001, - "29923": msg32002, - "29924": msg32003, - "29925": msg32004, - "29926": msg32005, - "29927": msg32006, - "29928": msg32007, - "29929": msg32008, - "2993": msg5443, - "29930": msg32009, - "29931": msg32010, - "29932": msg32011, - "29933": msg32012, - "29934": msg32013, - "29935": msg32014, - "29936": msg32015, - "29937": msg32016, - "29938": msg32017, - "29939": msg32018, - "2994": msg5444, - "29940": msg32019, - "29941": msg32020, - "29942": msg32021, - "29943": msg32022, - "29944": msg32023, - "29945": msg32024, - "29946": msg32025, - "29947": msg32026, - "29948": msg32027, - "29949": msg32028, - "2995": msg5445, - "29950": msg32029, - "29951": msg32030, - "29952": msg32031, - "29953": msg32032, - "29954": msg32033, - "29955": msg32034, - "29956": 
msg32035, - "29957": msg32036, - "29958": msg32037, - "29959": msg32038, - "2996": msg5446, - "29960": msg32039, - "29961": msg32040, - "29962": msg32041, - "29963": msg32042, - "29964": msg32043, - "29965": msg32044, - "29966": msg32045, - "29967": msg32046, - "29968": msg32047, - "29969": msg32048, - "2997": msg5447, - "29970": msg32049, - "29971": msg32050, - "29972": msg32051, - "29973": msg32052, - "29974": msg32053, - "29975": msg32054, - "29976": msg32055, - "29977": msg32056, - "29978": msg32057, - "29979": msg32058, - "2998": msg5448, - "29980": msg32059, - "29981": msg32060, - "29982": msg32061, - "29983": msg32062, - "29984": msg32063, - "29985": msg32064, - "29986": msg32065, - "29987": msg32066, - "29988": msg32067, - "29989": msg32068, - "2999": msg5449, - "29990": msg32069, - "29991": msg32070, - "29992": msg32071, - "29993": msg32072, - "29994": msg32073, - "29995": msg32074, - "29996": msg32075, - "29997": msg32076, - "29998": msg32077, - "29999": msg32078, - "3": select9, - "3-10126": msg23, - "3-10127": msg10, - "3-10161": msg11, - "3-10480": msg12, - "3-10481": msg13, - "3-11619": msg14, - "3-11672": msg15, - "3-12028": msg16, - "3-12636": msg17, - "3-12692": msg18, - "3-7019": msg19, - "3-7196": msg20, - "3-8092": msg21, - "3-8351": msg22, - "30": msg64, - "300": select222, - "3000": msg5450, - "30000": msg32079, - "3000005": msg38425, - "30001": msg32080, - "30002": msg32081, - "30003": msg32082, - "30004": msg32083, - "30005": msg32084, - "30006": msg32085, - "30007": msg32086, - "30008": msg32087, - "30009": msg32088, - "3001": msg5451, - "30010": msg32089, - "30011": msg32090, - "30012": msg32091, - "30013": msg32092, - "30014": msg32093, - "30015": msg32094, - "30016": msg32095, - "30017": msg32096, - "30018": msg32097, - "30019": msg32098, - "3002": msg5452, - "30020": msg32099, - "30021": msg32100, - "30022": msg32101, - "30023": msg32102, - "30024": msg32103, - "30025": msg32104, - "30026": msg32105, - "30027": msg32106, - "30028": 
msg32107, - "30029": msg32108, - "3003": msg5453, - "30030": msg32109, - "30031": msg32110, - "30032": msg32111, - "30033": msg32112, - "30034": msg32113, - "30035": msg32114, - "30036": msg32115, - "30037": msg32116, - "30038": msg32117, - "30039": msg32118, - "3004": msg5454, - "30040": msg32119, - "30041": msg32120, - "30042": msg32121, - "30043": msg32122, - "30044": msg32123, - "30045": msg32124, - "30046": msg32125, - "30047": msg32126, - "30048": msg32127, - "30049": msg32128, - "3005": msg5455, - "30050": msg32129, - "30051": msg32130, - "30052": msg32131, - "30053": msg32132, - "30054": msg32133, - "30055": msg32134, - "30056": msg32135, - "30057": msg32136, - "30058": msg32137, - "30059": msg32138, - "3006": msg5456, - "30060": msg32139, - "30061": msg32140, - "30062": msg32141, - "30063": msg32142, - "30064": msg32143, - "30065": msg32144, - "30066": msg32145, - "30067": msg32146, - "30068": msg32147, - "30069": msg32148, - "3007": msg5457, - "30070": msg32149, - "30071": msg32150, - "30072": msg32151, - "30073": msg32152, - "30074": msg32153, - "30075": msg32154, - "30076": msg32155, - "30077": msg32156, - "30078": msg32157, - "30079": msg32158, - "3008": msg5458, - "30080": msg32159, - "30081": msg32160, - "30082": msg32161, - "30083": msg32162, - "30084": msg32163, - "30085": msg32164, - "30086": msg32165, - "30087": msg32166, - "30088": msg32167, - "30089": msg32168, - "3009": msg5459, - "30090": msg32169, - "30091": msg32170, - "30092": msg32171, - "30093": msg32172, - "30094": msg32173, - "30095": msg32174, - "30096": msg32175, - "30097": msg32176, - "30098": msg32177, - "30099": msg32178, - "301": select223, - "3010": msg5460, - "30100": msg32179, - "30101": msg32180, - "30102": msg32181, - "30103": msg32182, - "30104": msg32183, - "30105": msg32184, - "30106": msg32185, - "30107": msg32186, - "30108": msg32187, - "30109": msg32188, - "3011": msg5461, - "30110": msg32189, - "30111": msg32190, - "30112": msg32191, - "30113": msg32192, - "30114": 
msg32193, - "30115": msg32194, - "30116": msg32195, - "30117": msg32196, - "30118": msg32197, - "30119": msg32198, - "3012": msg5462, - "30120": msg32199, - "30121": msg32200, - "30122": msg32201, - "30123": msg32202, - "30124": msg32203, - "30125": msg32204, - "30126": msg32205, - "30127": msg32206, - "30128": msg32207, - "30129": msg32208, - "3013": msg5463, - "30130": msg32209, - "30131": msg32210, - "30132": msg32211, - "30133": msg32212, - "30134": msg32213, - "30135": msg32214, - "30136": msg32215, - "30137": msg32216, - "30138": msg32217, - "30139": msg32218, - "3014": msg5464, - "30140": msg32219, - "30141": msg32220, - "30142": msg32221, - "30143": msg32222, - "30144": msg32223, - "30145": msg32224, - "30146": msg32225, - "30147": msg32226, - "30148": msg32227, - "30149": msg32228, - "3015": msg5465, - "30150": msg32229, - "30151": msg32230, - "30152": msg32231, - "30153": msg32232, - "30154": msg32233, - "30155": msg32234, - "30156": msg32235, - "30157": msg32236, - "30158": msg32237, - "30159": msg32238, - "3016": msg5466, - "30160": msg32239, - "30161": msg32240, - "30162": msg32241, - "30163": msg32242, - "30164": msg32243, - "30165": msg32244, - "30166": msg32245, - "30167": msg32246, - "30168": msg32247, - "30169": msg32248, - "3017": msg5467, - "30170": msg32249, - "30171": msg32250, - "30172": msg32251, - "30173": msg32252, - "30174": msg32253, - "30175": msg32254, - "30176": msg32255, - "30177": msg32256, - "30178": msg32257, - "30179": msg32258, - "3018": msg5468, - "30180": msg32259, - "30181": msg32260, - "30182": msg32261, - "30183": msg32262, - "30184": msg32263, - "30185": msg32264, - "30186": msg32265, - "30187": msg32266, - "30188": msg32267, - "30189": msg32268, - "3019": msg5469, - "30190": msg32269, - "30191": msg32270, - "30192": msg32271, - "30193": msg32272, - "30194": msg32273, - "30195": msg32274, - "30196": msg32275, - "30197": msg32276, - "30198": msg32277, - "30199": msg32278, - "302": select224, - "3020": msg5470, - "30200": 
msg32279, - "30201": msg32280, - "30202": msg32281, - "30203": msg32282, - "30204": msg32283, - "30205": msg32284, - "30206": msg32285, - "30207": msg32286, - "30208": msg32287, - "30209": msg32288, - "3021": msg5471, - "30210": msg32289, - "30211": msg32290, - "30212": msg32291, - "30213": msg32292, - "30214": msg32293, - "30215": msg32294, - "30216": msg32295, - "30217": msg32296, - "30218": msg32297, - "30219": msg32298, - "3022": msg5472, - "30220": msg32299, - "30221": msg32300, - "30222": msg32301, - "30223": msg32302, - "30224": msg32303, - "30225": msg32304, - "30226": msg32305, - "30227": msg32306, - "30228": msg32307, - "30229": msg32308, - "3023": msg5473, - "30230": msg32309, - "30231": msg32310, - "30232": msg32311, - "30233": msg32312, - "30234": msg32313, - "30235": msg32314, - "30236": msg32315, - "30237": msg32316, - "30238": msg32317, - "30239": msg32318, - "3024": msg5474, - "30240": msg32319, - "30241": msg32320, - "30242": msg32321, - "30243": msg32322, - "30244": msg32323, - "30245": msg32324, - "30246": msg32325, - "30247": msg32326, - "30248": msg32327, - "30249": msg32328, - "3025": msg5475, - "30250": msg32329, - "30251": msg32330, - "30252": msg32331, - "30253": msg32332, - "30254": msg32333, - "30255": msg32334, - "30256": msg32335, - "30257": msg32336, - "30258": msg32337, - "30259": msg32338, - "3026": msg5476, - "30260": msg32339, - "30261": msg32340, - "30262": msg32341, - "30263": msg32342, - "30264": msg32343, - "30265": msg32344, - "30266": msg32345, - "30267": msg32346, - "30268": msg32347, - "30269": msg32348, - "3027": msg5477, - "30270": msg32349, - "30271": msg32350, - "30272": msg32351, - "30273": msg32352, - "30274": msg32353, - "30275": msg32354, - "30276": msg32355, - "30277": msg32356, - "30278": msg32357, - "30279": msg32358, - "3028": msg5478, - "30280": msg32359, - "30281": msg32360, - "30282": msg32361, - "30283": msg32362, - "30284": msg32363, - "30285": msg32364, - "30286": msg32365, - "30287": msg32366, - "30288": 
msg32367, - "30289": msg32368, - "3029": msg5479, - "30290": msg32369, - "30291": msg32370, - "30292": msg32371, - "30293": msg32372, - "30294": msg32373, - "30295": msg32374, - "30296": msg32375, - "30297": msg32376, - "30298": msg32377, - "30299": msg32378, - "303": select225, - "3030": msg5480, - "30300": msg32379, - "30301": msg32380, - "30302": msg32381, - "30303": msg32382, - "30304": msg32383, - "30305": msg32384, - "30306": msg32385, - "30307": msg32386, - "30308": msg32387, - "30309": msg32388, - "3031": msg5481, - "30310": msg32389, - "30311": msg32390, - "30312": msg32391, - "30313": msg32392, - "30314": msg32393, - "30315": msg32394, - "30316": msg32395, - "30317": msg32396, - "30318": msg32397, - "30319": msg32398, - "3032": msg5482, - "30320": msg32399, - "30321": msg32400, - "30322": msg32401, - "30323": msg32402, - "30324": msg32403, - "30325": msg32404, - "30326": msg32405, - "30327": msg32406, - "30328": msg32407, - "30329": msg32408, - "3033": msg5483, - "30330": msg32409, - "30331": msg32410, - "30332": msg32411, - "30333": msg32412, - "30334": msg32413, - "30335": msg32414, - "30336": msg32415, - "30337": msg32416, - "30338": msg32417, - "30339": msg32418, - "3034": msg5484, - "30340": msg32419, - "30341": msg32420, - "30342": msg32421, - "30343": msg32422, - "30344": msg32423, - "30345": msg32424, - "30347": msg32425, - "30348": msg32426, - "30349": msg32427, - "3035": msg5485, - "30350": msg32428, - "30351": msg32429, - "30352": msg32430, - "30353": msg32431, - "30354": msg32432, - "30355": msg32433, - "30356": msg32434, - "30357": msg32435, - "30358": msg32436, - "30359": msg32437, - "3036": msg5486, - "30360": msg32438, - "30361": msg32439, - "30362": msg32440, - "30363": msg32441, - "30364": msg32442, - "30365": msg32443, - "30366": msg32444, - "30367": msg32445, - "30368": msg32446, - "30369": msg32447, - "3037": msg5487, - "30370": msg32448, - "30371": msg32449, - "30372": msg32450, - "30373": msg32451, - "30374": msg32452, - "30375": 
msg32453, - "30376": msg32454, - "30377": msg32455, - "30378": msg32456, - "30379": msg32457, - "3038": msg5488, - "30380": msg32458, - "30381": msg32459, - "30382": msg32460, - "30383": msg32461, - "30384": msg32462, - "30385": msg32463, - "30386": msg32464, - "30387": msg32465, - "30388": msg32466, - "30389": msg32467, - "3039": msg5489, - "30390": msg32468, - "30391": msg32469, - "30392": msg32470, - "30393": msg32471, - "30394": msg32472, - "30395": msg32473, - "30396": msg32474, - "30397": msg32475, - "30398": msg32476, - "30399": msg32477, - "304": select226, - "3040": msg5490, - "30400": msg32478, - "30401": msg32479, - "30402": msg32480, - "30403": msg32481, - "30404": msg32482, - "30405": msg32483, - "30406": msg32484, - "30407": msg32485, - "30408": msg32486, - "30409": msg32487, - "3041": msg5491, - "30410": msg32488, - "30411": msg32489, - "30412": msg32490, - "30413": msg32491, - "30414": msg32492, - "30415": msg32493, - "30416": msg32494, - "30417": msg32495, - "30418": msg32496, - "30419": msg32497, - "3042": msg5492, - "30420": msg32498, - "30421": msg32499, - "30422": msg32500, - "30423": msg32501, - "30424": msg32502, - "30425": msg32503, - "30426": msg32504, - "30427": msg32505, - "30428": msg32506, - "30429": msg32507, - "3043": msg5493, - "30430": msg32508, - "30431": msg32509, - "30432": msg32510, - "30433": msg32511, - "30434": msg32512, - "30435": msg32513, - "30436": msg32514, - "30437": msg32515, - "30438": msg32516, - "30439": msg32517, - "3044": msg5494, - "30440": msg32518, - "30441": msg32519, - "30442": msg32520, - "30443": msg32521, - "30444": msg32522, - "30445": msg32523, - "30446": msg32524, - "30447": msg32525, - "30448": msg32526, - "30449": msg32527, - "3045": msg5495, - "30450": msg32528, - "30451": msg32529, - "30452": msg32530, - "30453": msg32531, - "30454": msg32532, - "30455": msg32533, - "30456": msg32534, - "30457": msg32535, - "30458": msg32536, - "30459": msg32537, - "3046": msg5496, - "30460": msg32538, - "30461": 
msg32539, - "30462": msg32540, - "30463": msg32541, - "30464": msg32542, - "30465": msg32543, - "30466": msg32544, - "30467": msg32545, - "30468": msg32546, - "30469": msg32547, - "3047": msg5497, - "30470": msg32548, - "30471": msg32549, - "30472": msg32550, - "30473": msg32551, - "30474": msg32552, - "30475": msg32553, - "30476": msg32554, - "30477": msg32555, - "30478": msg32556, - "30479": msg32557, - "3048": msg5498, - "30480": msg32558, - "30481": msg32559, - "30482": msg32560, - "30483": msg32561, - "30484": msg32562, - "30485": msg32563, - "30486": msg32564, - "30487": msg32565, - "30488": msg32566, - "30489": msg32567, - "3049": msg5499, - "30490": msg32568, - "30491": msg32569, - "30492": msg32570, - "30493": msg32571, - "30494": msg32572, - "30495": msg32573, - "30496": msg32574, - "30497": msg32575, - "30498": msg32576, - "30499": msg32577, - "305": select227, - "3050": msg5500, - "30500": msg32578, - "30501": msg32579, - "30502": msg32580, - "30503": msg32581, - "30504": msg32582, - "30505": msg32583, - "30506": msg32584, - "30507": msg32585, - "30508": msg32586, - "30509": msg32587, - "3051": msg5501, - "30510": msg32588, - "30511": msg32589, - "30512": msg32590, - "30513": msg32591, - "30514": msg32592, - "30515": msg32593, - "30516": msg32594, - "30517": msg32595, - "30518": msg32596, - "30519": msg32597, - "3052": msg5502, - "30520": msg32598, - "30521": msg32599, - "30522": msg32600, - "30523": msg32601, - "30524": msg32602, - "30525": msg32603, - "30526": msg32604, - "30527": msg32605, - "30528": msg32606, - "30529": msg32607, - "3053": msg5503, - "30530": msg32608, - "30531": msg32609, - "30532": msg32610, - "30533": msg32611, - "30534": msg32612, - "30535": msg32613, - "30536": msg32614, - "30537": msg32615, - "30538": msg32616, - "30539": msg32617, - "3054": msg5504, - "30540": msg32618, - "30541": msg32619, - "30542": msg32620, - "30543": msg32621, - "30544": msg32622, - "30545": msg32623, - "30546": msg32624, - "30547": msg32625, - "30548": 
msg32626, - "30549": msg32627, - "3055": msg5505, - "30550": msg32628, - "30551": msg32629, - "30552": msg32630, - "30553": msg32631, - "30554": msg32632, - "30555": msg32633, - "30556": msg32634, - "3056": msg5506, - "30562": msg32635, - "30566": msg32636, - "3057": msg5507, - "30570": msg32637, - "3058": msg5508, - "3059": msg5509, - "306": select228, - "3060": msg5510, - "3061": msg5511, - "3062": msg5512, - "3063": msg5513, - "3064": msg5514, - "3065": msg5515, - "3066": msg5516, - "3067": msg5517, - "3068": msg5518, - "3069": msg5519, - "307": select229, - "3070": msg5520, - "3071": msg5521, - "30711": msg32638, - "30712": msg32639, - "30713": msg32640, - "30714": msg32641, - "30715": msg32642, - "30716": msg32643, - "30717": msg32644, - "30718": msg32645, - "30719": msg32646, - "3072": msg5522, - "30720": msg32647, - "30721": msg32648, - "30722": msg32649, - "30723": msg32650, - "30724": msg32651, - "30725": msg32652, - "30726": msg32653, - "30727": msg32654, - "30728": msg32655, - "30729": msg32656, - "3073": msg5523, - "30730": msg32657, - "30731": msg32658, - "30732": msg32659, - "30733": msg32660, - "30734": msg32661, - "30735": msg32662, - "30736": msg32663, - "30737": msg32664, - "30738": msg32665, - "30739": msg32666, - "3074": msg5524, - "30740": msg32667, - "30741": msg32668, - "30742": msg32669, - "30743": msg32670, - "30744": msg32671, - "30745": msg32672, - "30746": msg32673, - "30747": msg32674, - "30748": msg32675, - "30749": msg32676, - "3075": msg5525, - "30750": msg32677, - "30751": msg32678, - "30752": msg32679, - "30753": msg32680, - "30754": msg32681, - "30755": msg32682, - "30756": msg32683, - "30757": msg32684, - "30758": msg32685, - "30759": msg32686, - "3076": msg5526, - "30760": msg32687, - "30761": msg32688, - "30762": msg32689, - "30763": msg32690, - "30764": msg32691, - "30765": msg32692, - "30766": msg32693, - "30767": msg32694, - "30768": msg32695, - "3077": msg5527, - "30777": msg32696, - "30778": msg32697, - "30779": msg32698, 
- "3078": msg5528, - "30780": msg32699, - "30781": msg32700, - "30782": msg32701, - "30783": msg32702, - "30784": msg32703, - "30785": msg32704, - "30786": msg32705, - "30787": msg32706, - "30788": msg32707, - "30789": msg32708, - "3079": msg5529, - "30790": msg32709, - "30791": msg32710, - "30792": msg32711, - "30793": msg32712, - "30794": msg32713, - "30795": msg32714, - "30796": msg32715, - "30797": msg32716, - "30798": msg32717, - "30799": msg32718, - "308": select230, - "3080": msg5530, - "30800": msg32719, - "30801": msg32720, - "30802": msg32721, - "30803": msg32722, - "30804": msg32723, - "30805": msg32724, - "30806": msg32725, - "30807": msg32726, - "30808": msg32727, - "30809": msg32728, - "3081": msg5531, - "30810": msg32729, - "30811": msg32730, - "30812": msg32731, - "30813": msg32732, - "30814": msg32733, - "30815": msg32734, - "30816": msg32735, - "30817": msg32736, - "30818": msg32737, - "30819": msg32738, - "3082": msg5532, - "30820": msg32739, - "30821": msg32740, - "30822": msg32741, - "30823": msg32742, - "30824": msg32743, - "30825": msg32744, - "30826": msg32745, - "30827": msg32746, - "30828": msg32747, - "30829": msg32748, - "3083": msg5533, - "30830": msg32749, - "30831": msg32750, - "30832": msg32751, - "30833": msg32752, - "30834": msg32753, - "30835": msg32754, - "30836": msg32755, - "30837": msg32756, - "30838": msg32757, - "30839": msg32758, - "3084": msg5534, - "30840": msg32759, - "30841": msg32760, - "30842": msg32761, - "30843": msg32762, - "30844": msg32763, - "30845": msg32764, - "30846": msg32765, - "30847": msg32766, - "30848": msg32767, - "30849": msg32768, - "3085": msg5535, - "30850": msg32769, - "30851": msg32770, - "30852": msg32771, - "30853": msg32772, - "30854": msg32773, - "30855": msg32774, - "30856": msg32775, - "30857": msg32776, - "30858": msg32777, - "30859": msg32778, - "3086": msg5536, - "30860": msg32779, - "30861": msg32780, - "30862": msg32781, - "30863": msg32782, - "30864": msg32783, - "30865": msg32784, - 
"30866": msg32785, - "30867": msg32786, - "30868": msg32787, - "30869": msg32788, - "3087": msg5537, - "30870": msg32789, - "30871": msg32790, - "30872": msg32791, - "30873": msg32792, - "30874": msg32793, - "30875": msg32794, - "30876": msg32795, - "30877": msg32796, - "30878": msg32797, - "30879": msg32798, - "3088": msg5538, - "30880": msg32799, - "30881": msg32800, - "30882": msg32801, - "30883": msg32802, - "30884": msg32803, - "30885": msg32804, - "30886": msg32805, - "30887": msg32806, - "30888": msg32807, - "30889": msg32808, - "3089": msg5539, - "30890": msg32809, - "30891": msg32810, - "30892": msg32811, - "30893": msg32812, - "30894": msg32813, - "30895": msg32814, - "30896": msg32815, - "30897": msg32816, - "30898": msg32817, - "30899": msg32818, - "309": select231, - "3090": msg5540, - "30900": msg32819, - "30901": msg32820, - "30902": msg32821, - "30903": msg32822, - "30904": msg32823, - "30905": msg32824, - "30906": msg32825, - "30907": msg32826, - "30908": msg32827, - "30909": msg32828, - "3091": msg5541, - "30910": msg32829, - "30911": msg32830, - "30912": msg32831, - "30913": msg32832, - "30914": msg32833, - "30915": msg32834, - "30916": msg32835, - "30917": msg32836, - "30918": msg32837, - "30919": msg32838, - "3092": msg5542, - "30920": msg32839, - "30921": msg32840, - "30922": msg32841, - "30923": msg32842, - "30924": msg32843, - "30925": msg32844, - "30926": msg32845, - "30927": msg32846, - "30928": msg32847, - "30929": msg32848, - "3093": msg5543, - "30930": msg32849, - "30931": msg32850, - "30932": msg32851, - "30933": msg32852, - "30934": msg32853, - "30935": msg32854, - "30936": msg32855, - "30937": msg32856, - "30938": msg32857, - "30939": msg32858, - "3094": msg5544, - "30940": msg32859, - "30941": msg32860, - "30942": msg32861, - "30943": msg32862, - "30944": msg32863, - "30945": msg32864, - "30946": msg32865, - "30947": msg32866, - "30948": msg32867, - "30949": msg32868, - "3095": msg5545, - "30950": msg32869, - "30951": msg32870, - 
"30952": msg32871, - "30953": msg32872, - "30954": msg32873, - "30955": msg32874, - "30956": msg32875, - "30957": msg32876, - "30958": msg32877, - "30959": msg32878, - "3096": msg5546, - "30960": msg32879, - "30961": msg32880, - "30962": msg32881, - "30963": msg32882, - "30964": msg32883, - "30965": msg32884, - "30966": msg32885, - "30967": msg32886, - "30968": msg32887, - "30969": msg32888, - "3097": msg5547, - "30970": msg32889, - "30971": msg32890, - "30972": msg32891, - "30973": msg32892, - "30974": msg32893, - "30975": msg32894, - "30976": msg32895, - "30977": msg32896, - "30978": msg32897, - "30979": msg32898, - "3098": msg5548, - "30980": msg32899, - "30981": msg32900, - "30982": msg32901, - "30983": msg32902, - "30984": msg32903, - "30985": msg32904, - "30986": msg32905, - "30987": msg32906, - "30988": msg32907, - "30989": msg32908, - "3099": msg5549, - "30990": msg32909, - "30991": msg32910, - "30992": msg32911, - "30993": msg32912, - "30994": msg32913, - "30995": msg32914, - "30996": msg32915, - "30997": msg32916, - "30998": msg32917, - "30999": msg32918, - "310": select232, - "3100": msg5550, - "31000": msg32919, - "31001": msg32920, - "31002": msg32921, - "31003": msg32922, - "31004": msg32923, - "31005": msg32924, - "31006": msg32925, - "31007": msg32926, - "31008": msg32927, - "31009": msg32928, - "3101": msg5551, - "31010": msg32929, - "31011": msg32930, - "31012": msg32931, - "31013": msg32932, - "31014": msg32933, - "31015": msg32934, - "31016": msg32935, - "31017": msg32936, - "31018": msg32937, - "31019": msg32938, - "3102": msg5552, - "31020": msg32939, - "31021": msg32940, - "31022": msg32941, - "31023": msg32942, - "31024": msg32943, - "31025": msg32944, - "31026": msg32945, - "31027": msg32946, - "31028": msg32947, - "31029": msg32948, - "3103": msg5553, - "31030": msg32949, - "31031": msg32950, - "31032": msg32951, - "31033": msg32952, - "31034": msg32953, - "31035": msg32954, - "31036": msg32955, - "31037": msg32956, - "31038": msg32957, - 
"31039": msg32958, - "3104": msg5554, - "31040": msg32959, - "31041": msg32960, - "31042": msg32961, - "31043": msg32962, - "31044": msg32963, - "31045": msg32964, - "31046": msg32965, - "31048": msg32966, - "31049": msg32967, - "3105": msg5555, - "31050": msg32968, - "31051": msg32969, - "31052": msg32970, - "31053": msg32971, - "31054": msg32972, - "31055": msg32973, - "31056": msg32974, - "31057": msg32975, - "31058": msg32976, - "31059": msg32977, - "3106": msg5556, - "31060": msg32978, - "31061": msg32979, - "31062": msg32980, - "31063": msg32981, - "31064": msg32982, - "31065": msg32983, - "31066": msg32984, - "31067": msg32985, - "31068": msg32986, - "31069": msg32987, - "3107": msg5557, - "31070": msg32988, - "31071": msg32989, - "31072": msg32990, - "31073": msg32991, - "31074": msg32992, - "31075": msg32993, - "31076": msg32994, - "31077": msg32995, - "31078": msg32996, - "31079": msg32997, - "3108": msg5558, - "31080": msg32998, - "31081": msg32999, - "31082": msg33000, - "31083": msg33001, - "31084": msg33002, - "31085": msg33003, - "31086": msg33004, - "31087": msg33005, - "31088": msg33006, - "31089": msg33007, - "3109": msg5559, - "31090": msg33008, - "31091": msg33009, - "31092": msg33010, - "31093": msg33011, - "31094": msg33012, - "31095": msg33013, - "31096": msg33014, - "31097": msg33015, - "31098": msg33016, - "31099": msg33017, - "311": select233, - "3110": msg5560, - "31100": msg33018, - "31101": msg33019, - "31102": msg33020, - "31103": msg33021, - "31104": msg33022, - "31105": msg33023, - "31106": msg33024, - "31107": msg33025, - "31108": msg33026, - "31109": msg33027, - "3111": msg5561, - "31110": msg33028, - "31111": msg33029, - "31112": msg33030, - "31113": msg33031, - "31114": msg33032, - "31115": msg33033, - "31116": msg33034, - "31117": msg33035, - "31118": msg33036, - "31119": msg33037, - "3112": msg5562, - "31120": msg33038, - "31121": msg33039, - "31122": msg33040, - "31123": msg33041, - "31124": msg33042, - "31125": msg33043, - 
"31126": msg33044, - "31127": msg33045, - "31128": msg33046, - "31129": msg33047, - "3113": msg5563, - "31130": msg33048, - "31131": msg33049, - "31132": msg33050, - "31133": msg33051, - "31134": msg33052, - "31135": msg33053, - "31136": msg33054, - "31137": msg33055, - "31138": msg33056, - "31139": msg33057, - "3114": msg5564, - "31140": msg33058, - "31141": msg33059, - "31142": msg33060, - "31143": msg33061, - "31144": msg33062, - "31145": msg33063, - "31146": msg33064, - "3115": msg5565, - "3116": msg5566, - "31167": msg33065, - "3117": msg5567, - "31176": msg33066, - "31177": msg33067, - "31178": msg33068, - "31179": msg33069, - "3118": msg5568, - "31180": msg33070, - "31181": msg33071, - "31182": msg33072, - "31183": msg33073, - "31184": msg33074, - "31185": msg33075, - "31186": msg33076, - "31187": msg33077, - "31188": msg33078, - "31189": msg33079, - "3119": msg5569, - "31190": msg33080, - "31191": msg33081, - "31192": msg33082, - "31193": msg33083, - "31194": msg33084, - "31195": msg33085, - "31196": msg33086, - "31197": msg33087, - "31198": msg33088, - "31199": msg33089, - "312": select234, - "3120": msg5570, - "31200": msg33090, - "31201": msg33091, - "31202": msg33092, - "31203": msg33093, - "31204": msg33094, - "31205": msg33095, - "31206": msg33096, - "31207": msg33097, - "31208": msg33098, - "31209": msg33099, - "3121": msg5571, - "31210": msg33100, - "31211": msg33101, - "31212": msg33102, - "31213": msg33103, - "31214": msg33104, - "31215": msg33105, - "31216": msg33106, - "31217": msg33107, - "31218": msg33108, - "31219": msg33109, - "3122": msg5572, - "31220": msg33110, - "31221": msg33111, - "31222": msg33112, - "31223": msg33113, - "31224": msg33114, - "31225": msg33115, - "31226": msg33116, - "31227": msg33117, - "31228": msg33118, - "31229": msg33119, - "3123": msg5573, - "31230": msg33120, - "31231": msg33121, - "31232": msg33122, - "31233": msg33123, - "31234": msg33124, - "31235": msg33125, - "31236": msg33126, - "31237": msg33127, - 
"31238": msg33128, - "31239": msg33129, - "3124": msg5574, - "31240": msg33130, - "31241": msg33131, - "31242": msg33132, - "31243": msg33133, - "31244": msg33134, - "31245": msg33135, - "31246": msg33136, - "31247": msg33137, - "31248": msg33138, - "31249": msg33139, - "3125": msg5575, - "31250": msg33140, - "31251": msg33141, - "31252": msg33142, - "31253": msg33143, - "31254": msg33144, - "31255": msg33145, - "31256": msg33146, - "31257": msg33147, - "31258": msg33148, - "31259": msg33149, - "3126": msg5576, - "31260": msg33150, - "31261": msg33151, - "31262": msg33152, - "31263": msg33153, - "31264": msg33154, - "31265": msg33155, - "31266": msg33156, - "31267": msg33157, - "31268": msg33158, - "31269": msg33159, - "3127": msg5577, - "31270": msg33160, - "31271": msg33161, - "31272": msg33162, - "31273": msg33163, - "31274": msg33164, - "31275": msg33165, - "31276": msg33166, - "31277": msg33167, - "31278": msg33168, - "31279": msg33169, - "3128": msg5578, - "31280": msg33170, - "31281": msg33171, - "31282": msg33172, - "31283": msg33173, - "31284": msg33174, - "31285": msg33175, - "31286": msg33176, - "31287": msg33177, - "31288": msg33178, - "31289": msg33179, - "3129": msg5579, - "31290": msg33180, - "31291": msg33181, - "31292": msg33182, - "31293": msg33183, - "31294": msg33184, - "31295": msg33185, - "31296": msg33186, - "31297": msg33187, - "31298": msg33188, - "31299": msg33189, - "313": select235, - "3130": msg5580, - "31300": msg33190, - "31301": msg33191, - "31302": msg33192, - "31303": msg33193, - "31304": msg33194, - "31305": msg33195, - "31306": msg33196, - "31307": msg33197, - "31308": msg33198, - "31309": msg33199, - "3131": msg5581, - "31310": msg33200, - "31311": msg33201, - "31312": msg33202, - "31313": msg33203, - "31314": msg33204, - "31315": msg33205, - "31316": msg33206, - "31317": msg33207, - "31318": msg33208, - "31319": msg33209, - "3132": msg5582, - "31320": msg33210, - "31321": msg33211, - "31322": msg33212, - "31323": msg33213, - 
"31324": msg33214, - "31325": msg33215, - "31326": msg33216, - "31327": msg33217, - "31328": msg33218, - "31329": msg33219, - "3133": msg5583, - "31330": msg33220, - "31331": msg33221, - "31332": msg33222, - "31333": msg33223, - "31334": msg33224, - "31335": msg33225, - "31336": msg33226, - "31337": msg33227, - "31338": msg33228, - "31339": msg33229, - "3134": msg5584, - "31340": msg33230, - "31341": msg33231, - "31342": msg33232, - "31343": msg33233, - "31344": msg33234, - "31345": msg33235, - "31346": msg33236, - "31347": msg33237, - "31348": msg33238, - "31349": msg33239, - "3135": msg5585, - "31350": msg33240, - "31351": msg33241, - "31352": msg33242, - "31353": msg33243, - "31354": msg33244, - "31355": msg33245, - "31356": msg33246, - "31357": msg33247, - "31358": msg33248, - "31359": msg33249, - "3136": msg5586, - "31360": msg33250, - "31361": msg33251, - "31362": msg33252, - "31363": msg33253, - "31364": msg33254, - "31365": msg33255, - "31366": msg33256, - "31367": msg33257, - "31368": msg33258, - "31369": msg33259, - "3137": msg5587, - "31370": msg33260, - "31371": msg33261, - "31372": msg33262, - "31373": msg33263, - "31374": msg33264, - "31375": msg33265, - "31376": msg33266, - "31377": msg33267, - "31378": msg33268, - "31379": msg33269, - "3138": msg5588, - "31380": msg33270, - "31381": msg33271, - "31382": msg33272, - "31383": msg33273, - "31384": msg33274, - "31385": msg33275, - "31386": msg33276, - "31387": msg33277, - "31388": msg33278, - "31389": msg33279, - "3139": msg5589, - "31390": msg33280, - "31391": msg33281, - "31392": msg33282, - "31393": msg33283, - "31394": msg33284, - "31395": msg33285, - "31396": msg33286, - "31397": msg33287, - "31398": msg33288, - "31399": msg33289, - "314": select236, - "3140": msg5590, - "31400": msg33290, - "31401": msg33291, - "31402": msg33292, - "31403": msg33293, - "31404": msg33294, - "31405": msg33295, - "31406": msg33296, - "31407": msg33297, - "31408": msg33298, - "31409": msg33299, - "3141": msg5591, - 
"31410": msg33300, - "31411": msg33301, - "31412": msg33302, - "31413": msg33303, - "31414": msg33304, - "31415": msg33305, - "31416": msg33306, - "31417": msg33307, - "31418": msg33308, - "31419": msg33309, - "3142": msg5592, - "31420": msg33310, - "31421": msg33311, - "31422": msg33312, - "31423": msg33313, - "31424": msg33314, - "31425": msg33315, - "31426": msg33316, - "31427": msg33317, - "31428": msg33318, - "31429": msg33319, - "3143": msg5593, - "31433": msg33320, - "31434": msg33321, - "31435": msg33322, - "31436": msg33323, - "31437": msg33324, - "31438": msg33325, - "31439": msg33326, - "3144": msg5594, - "31440": msg33327, - "31441": msg33328, - "31442": msg33329, - "31443": msg33330, - "31444": msg33331, - "31445": msg33332, - "31446": msg33333, - "31447": msg33334, - "31448": msg33335, - "31449": msg33336, - "3145": msg5595, - "31450": msg33337, - "31451": msg33338, - "31452": msg33339, - "31453": msg33340, - "31454": msg33341, - "31455": msg33342, - "31456": msg33343, - "31457": msg33344, - "31458": msg33345, - "31459": msg33346, - "3146": msg5596, - "31460": msg33347, - "31461": msg33348, - "31462": msg33349, - "31463": msg33350, - "31464": msg33351, - "31465": msg33352, - "31466": msg33353, - "31467": msg33354, - "31468": msg33355, - "31469": msg33356, - "3147": msg5597, - "31470": msg33357, - "31471": msg33358, - "31472": msg33359, - "31473": msg33360, - "31474": msg33361, - "31475": msg33362, - "31476": msg33363, - "31477": msg33364, - "31478": msg33365, - "31479": msg33366, - "3148": msg5598, - "31480": msg33367, - "31481": msg33368, - "31482": msg33369, - "31483": msg33370, - "31484": msg33371, - "31485": msg33372, - "31486": msg33373, - "31487": msg33374, - "31488": msg33375, - "31489": msg33376, - "3149": msg5599, - "31490": msg33377, - "31491": msg33378, - "31492": msg33379, - "31493": msg33380, - "31494": msg33381, - "31495": msg33382, - "31496": msg33383, - "31497": msg33384, - "31498": msg33385, - "31499": msg33386, - "315": select237, - 
"3150": msg5600, - "31500": msg33387, - "31501": msg33388, - "31502": msg33389, - "31503": msg33390, - "31504": msg33391, - "31505": msg33392, - "31506": msg33393, - "31507": msg33394, - "31508": msg33395, - "31509": msg33396, - "3151": msg5601, - "31510": msg33397, - "31511": msg33398, - "31512": msg33399, - "31513": msg33400, - "31514": msg33401, - "31515": msg33402, - "31516": msg33403, - "31517": msg33404, - "31518": msg33405, - "31519": msg33406, - "3152": msg5602, - "31520": msg33407, - "31521": msg33408, - "31522": msg33409, - "31523": msg33410, - "31524": msg33411, - "31525": msg33412, - "31526": msg33413, - "31527": msg33414, - "31528": msg33415, - "31529": msg33416, - "3153": msg5603, - "31530": msg33417, - "31531": msg33418, - "31532": msg33419, - "31533": msg33420, - "31534": msg33421, - "31535": msg33422, - "31536": msg33423, - "31537": msg33424, - "31538": msg33425, - "31539": msg33426, - "3154": msg5604, - "31540": msg33427, - "31541": msg33428, - "31542": msg33429, - "31543": msg33430, - "31544": msg33431, - "31545": msg33432, - "31546": msg33433, - "31547": msg33434, - "31548": msg33435, - "31549": msg33436, - "3155": msg5605, - "31550": msg33437, - "31551": msg33438, - "31552": msg33439, - "31553": msg33440, - "31554": msg33441, - "31555": msg33442, - "31556": msg33443, - "31557": msg33444, - "31558": msg33445, - "31559": msg33446, - "3156": msg5606, - "31560": msg33447, - "31561": msg33448, - "31562": msg33449, - "31563": msg33450, - "31564": msg33451, - "31565": msg33452, - "31566": msg33453, - "31567": msg33454, - "31568": msg33455, - "31569": msg33456, - "3157": msg5607, - "31570": msg33457, - "31571": msg33458, - "31572": msg33459, - "31573": msg33460, - "31574": msg33461, - "31575": msg33462, - "31576": msg33463, - "31577": msg33464, - "31578": msg33465, - "31579": msg33466, - "3158": msg5608, - "31580": msg33467, - "31581": msg33468, - "31582": msg33469, - "31583": msg33470, - "31584": msg33471, - "31585": msg33472, - "31586": msg33473, - 
"31587": msg33474, - "31588": msg33475, - "31589": msg33476, - "3159": msg5609, - "31590": msg33477, - "31591": msg33478, - "31592": msg33479, - "31593": msg33480, - "31594": msg33481, - "31595": msg33482, - "31596": msg33483, - "31597": msg33484, - "31598": msg33485, - "31599": msg33486, - "316": select238, - "3160": msg5610, - "31600": msg33487, - "31601": msg33488, - "31602": msg33489, - "31603": msg33490, - "31604": msg33491, - "31605": msg33492, - "31606": msg33493, - "31607": msg33494, - "31608": msg33495, - "31609": msg33496, - "3161": msg5611, - "31610": msg33497, - "31611": msg33498, - "31612": msg33499, - "31613": msg33500, - "31614": msg33501, - "31615": msg33502, - "31616": msg33503, - "31617": msg33504, - "31618": msg33505, - "31619": msg33506, - "3162": msg5612, - "31620": msg33507, - "31621": msg33508, - "31622": msg33509, - "31623": msg33510, - "31624": msg33511, - "31625": msg33512, - "31626": msg33513, - "31627": msg33514, - "31628": msg33515, - "31629": msg33516, - "3163": msg5613, - "31630": msg33517, - "31631": msg33518, - "31632": msg33519, - "31633": msg33520, - "31634": msg33521, - "31635": msg33522, - "31636": msg33523, - "31637": msg33524, - "31638": msg33525, - "31639": msg33526, - "3164": msg5614, - "31640": msg33527, - "31641": msg33528, - "31642": msg33529, - "31643": msg33530, - "31644": msg33531, - "31645": msg33532, - "31646": msg33533, - "31647": msg33534, - "31648": msg33535, - "31649": msg33536, - "3165": msg5615, - "31650": msg33537, - "31651": msg33538, - "31652": msg33539, - "31653": msg33540, - "31654": msg33541, - "31655": msg33542, - "31656": msg33543, - "31657": msg33544, - "31658": msg33545, - "31659": msg33546, - "3166": msg5616, - "31660": msg33547, - "31661": msg33548, - "31662": msg33549, - "31663": msg33550, - "31664": msg33551, - "31665": msg33552, - "31666": msg33553, - "31667": msg33554, - "31668": msg33555, - "31669": msg33556, - "3167": msg5617, - "31670": msg33557, - "31671": msg33558, - "31672": msg33559, - 
"31673": msg33560, - "31674": msg33561, - "31675": msg33562, - "31676": msg33563, - "31677": msg33564, - "31678": msg33565, - "31679": msg33566, - "3168": msg5618, - "31680": msg33567, - "31681": msg33568, - "31682": msg33569, - "31683": msg33570, - "31684": msg33571, - "31685": msg33572, - "31686": msg33573, - "31687": msg33574, - "31688": msg33575, - "31689": msg33576, - "3169": msg5619, - "31690": msg33577, - "31691": msg33578, - "31692": msg33579, - "31693": msg33580, - "31694": msg33581, - "31695": msg33582, - "31696": msg33583, - "31697": msg33584, - "31698": msg33585, - "31699": msg33586, - "317": select239, - "3170": msg5620, - "31700": msg33587, - "31701": msg33588, - "31702": msg33589, - "31703": msg33590, - "31704": msg33591, - "31705": msg33592, - "31706": msg33593, - "31707": msg33594, - "31708": msg33595, - "31709": msg33596, - "3171": msg5621, - "31710": msg33597, - "31711": msg33598, - "31712": msg33599, - "31713": msg33600, - "31714": msg33601, - "31715": msg33602, - "31716": msg33603, - "31717": msg33604, - "31718": msg33605, - "31719": msg33606, - "3172": msg5622, - "31720": msg33607, - "31721": msg33608, - "31722": msg33609, - "31723": msg33610, - "31724": msg33611, - "31725": msg33612, - "31726": msg33613, - "31727": msg33614, - "31728": msg33615, - "31729": msg33616, - "3173": msg5623, - "31730": msg33617, - "31731": msg33618, - "31732": msg33619, - "31733": msg33620, - "31734": msg33621, - "31735": msg33622, - "31736": msg33623, - "31737": msg33624, - "31738": msg33625, - "31739": msg33626, - "3174": msg5624, - "31740": msg33627, - "31741": msg33628, - "31742": msg33629, - "31743": msg33630, - "31744": msg33631, - "31745": msg33632, - "31746": msg33633, - "31747": msg33634, - "31748": msg33635, - "31749": msg33636, - "3175": msg5625, - "31750": msg33637, - "31751": msg33638, - "31752": msg33639, - "31753": msg33640, - "31754": msg33641, - "31755": msg33642, - "31756": msg33643, - "31757": msg33644, - "31758": msg33645, - "31759": msg33646, - 
"3176": msg5626, - "31760": msg33647, - "31761": msg33648, - "31762": msg33649, - "31763": msg33650, - "31764": msg33651, - "31765": msg33652, - "31766": msg33653, - "31767": msg33654, - "31768": msg33655, - "31769": msg33656, - "3177": msg5627, - "31770": msg33657, - "31771": msg33658, - "31772": msg33659, - "31773": msg33660, - "31774": msg33661, - "31775": msg33662, - "31776": msg33663, - "31777": msg33664, - "31778": msg33665, - "31779": msg33666, - "3178": msg5628, - "31780": msg33667, - "31781": msg33668, - "31782": msg33669, - "31783": msg33670, - "31784": msg33671, - "31785": msg33672, - "31786": msg33673, - "31787": msg33674, - "31788": msg33675, - "31789": msg33676, - "3179": msg5629, - "31790": msg33677, - "31791": msg33678, - "31792": msg33679, - "31793": msg33680, - "31794": msg33681, - "31795": msg33682, - "31796": msg33683, - "31797": msg33684, - "31798": msg33685, - "31799": msg33686, - "318": select240, - "3180": msg5630, - "31800": msg33687, - "31801": msg33688, - "31802": msg33689, - "31803": msg33690, - "31804": msg33691, - "31805": msg33692, - "31806": msg33693, - "31807": msg33694, - "31808": msg33695, - "31809": msg33696, - "3181": msg5631, - "31810": msg33697, - "31811": msg33698, - "31812": msg33699, - "31813": msg33700, - "31814": msg33701, - "31815": msg33702, - "31816": msg33703, - "31817": msg33704, - "31818": msg33705, - "31819": msg33706, - "3182": msg5632, - "31820": msg33707, - "31821": msg33708, - "31822": msg33709, - "31823": msg33710, - "31824": msg33711, - "31825": msg33712, - "31826": msg33713, - "31827": msg33714, - "31828": msg33715, - "31829": msg33716, - "3183": msg5633, - "31830": msg33717, - "31831": msg33718, - "31832": msg33719, - "31833": msg33720, - "31834": msg33721, - "31835": msg33722, - "31836": msg33723, - "31837": msg33724, - "31838": msg33725, - "31839": msg33726, - "3184": msg5634, - "31840": msg33727, - "31841": msg33728, - "31842": msg33729, - "31843": msg33730, - "31844": msg33731, - "31845": msg33732, - 
"31846": msg33733, - "31847": msg33734, - "31848": msg33735, - "31849": msg33736, - "3185": msg5635, - "31850": msg33737, - "31851": msg33738, - "31852": msg33739, - "31853": msg33740, - "31854": msg33741, - "31855": msg33742, - "31856": msg33743, - "31857": msg33744, - "31858": msg33745, - "31859": msg33746, - "3186": msg5636, - "31860": msg33747, - "31861": msg33748, - "31862": msg33749, - "31863": msg33750, - "31864": msg33751, - "31865": msg33752, - "31866": msg33753, - "31867": msg33754, - "31868": msg33755, - "31869": msg33756, - "3187": msg5637, - "31870": msg33757, - "31871": msg33758, - "31872": msg33759, - "31873": msg33760, - "31874": msg33761, - "31875": msg33762, - "31876": msg33763, - "31877": msg33764, - "31878": msg33765, - "31879": msg33766, - "3188": msg5638, - "31880": msg33767, - "31881": msg33768, - "31882": msg33769, - "31883": msg33770, - "31884": msg33771, - "31885": msg33772, - "31886": msg33773, - "31887": msg33774, - "31888": msg33775, - "31889": msg33776, - "3189": msg5639, - "31890": msg33777, - "31891": msg33778, - "31892": msg33779, - "31893": msg33780, - "31894": msg33781, - "31895": msg33782, - "31896": msg33783, - "31897": msg33784, - "31898": msg33785, - "31899": msg33786, - "319": select241, - "3190": msg5640, - "31900": msg33787, - "31901": msg33788, - "31902": msg33789, - "31903": msg33790, - "31904": msg33791, - "31905": msg33792, - "31906": msg33793, - "31907": msg33794, - "31908": msg33795, - "31909": msg33796, - "3191": msg5641, - "31910": msg33797, - "31911": msg33798, - "31912": msg33799, - "31913": msg33800, - "31914": msg33801, - "31915": msg33802, - "31916": msg33803, - "31917": msg33804, - "31918": msg33805, - "31919": msg33806, - "3192": msg5642, - "31920": msg33807, - "31921": msg33808, - "31922": msg33809, - "31923": msg33810, - "31924": msg33811, - "31925": msg33812, - "31926": msg33813, - "31927": msg33814, - "31928": msg33815, - "31929": msg33816, - "3193": msg5643, - "31930": msg33817, - "31931": msg33818, - 
"31932": msg33819, - "31933": msg33820, - "31934": msg33821, - "31935": msg33822, - "31936": msg33823, - "31937": msg33824, - "31938": msg33825, - "31939": msg33826, - "3194": msg5644, - "31940": msg33827, - "31941": msg33828, - "31942": msg33829, - "31943": msg33830, - "31944": msg33831, - "31945": msg33832, - "31946": msg33833, - "31947": msg33834, - "31948": msg33835, - "31949": msg33836, - "3195": msg5645, - "31950": msg33837, - "31951": msg33838, - "31952": msg33839, - "31953": msg33840, - "31954": msg33841, - "31955": msg33842, - "31956": msg33843, - "31957": msg33844, - "31958": msg33845, - "31959": msg33846, - "3196": msg5646, - "31960": msg33847, - "31961": msg33848, - "31962": msg33849, - "31963": msg33850, - "31964": msg33851, - "31965": msg33852, - "31966": msg33853, - "31967": msg33854, - "31968": msg33855, - "31969": msg33856, - "3197": msg5647, - "31970": msg33857, - "31971": msg33858, - "31972": msg33859, - "31973": msg33860, - "31974": msg33861, - "31975": msg33862, - "31976": msg33863, - "31977": msg33864, - "31978": msg33865, - "31979": msg33866, - "3198": msg5648, - "31980": msg33867, - "31981": msg33868, - "31982": msg33869, - "31983": msg33870, - "31984": msg33871, - "31985": msg33872, - "31986": msg33873, - "31987": msg33874, - "31988": msg33875, - "31989": msg33876, - "3199": msg5649, - "31990": msg33877, - "31991": msg33878, - "31992": msg33879, - "31993": msg33880, - "31994": msg33881, - "31995": msg33882, - "31996": msg33883, - "31997": msg33884, - "31998": msg33885, - "31999": msg33886, - "320": select242, - "3200": msg5650, - "32000": msg33887, - "32001": msg33888, - "32002": msg33889, - "32003": msg33890, - "32004": msg33891, - "32005": msg33892, - "32006": msg33893, - "32007": msg33894, - "32008": msg33895, - "32009": msg33896, - "3201": msg5651, - "32010": msg33897, - "32011": msg33898, - "32012": msg33899, - "32013": msg33900, - "32014": msg33901, - "32015": msg33902, - "32016": msg33903, - "32017": msg33904, - "32018": msg33905, - 
"32019": msg33906, - "3202": msg5652, - "32020": msg33907, - "32021": msg33908, - "32022": msg33909, - "32023": msg33910, - "32024": msg33911, - "32025": msg33912, - "32026": msg33913, - "32027": msg33914, - "32028": msg33915, - "32029": msg33916, - "3203": msg5653, - "32030": msg33917, - "32031": msg33918, - "32032": msg33919, - "32033": msg33920, - "32034": msg33921, - "32035": msg33922, - "32036": msg33923, - "32037": msg33924, - "32038": msg33925, - "32039": msg33926, - "3204": msg5654, - "32040": msg33927, - "32041": msg33928, - "32042": msg33929, - "32043": msg33930, - "32044": msg33931, - "32045": msg33932, - "32046": msg33933, - "32047": msg33934, - "32048": msg33935, - "32049": msg33936, - "3205": msg5655, - "32050": msg33937, - "32051": msg33938, - "32052": msg33939, - "32053": msg33940, - "32054": msg33941, - "32055": msg33942, - "32056": msg33943, - "32057": msg33944, - "32058": msg33945, - "32059": msg33946, - "3206": msg5656, - "32060": msg33947, - "32061": msg33948, - "32062": msg33949, - "32063": msg33950, - "32064": msg33951, - "32065": msg33952, - "32066": msg33953, - "32067": msg33954, - "32068": msg33955, - "32069": msg33956, - "3207": msg5657, - "32070": msg33957, - "32071": msg33958, - "32072": msg33959, - "32073": msg33960, - "32074": msg33961, - "32075": msg33962, - "32076": msg33963, - "32077": msg33964, - "32078": msg33965, - "32079": msg33966, - "3208": msg5658, - "32080": msg33967, - "32081": msg33968, - "32082": msg33969, - "32083": msg33970, - "32084": msg33971, - "32085": msg33972, - "32086": msg33973, - "32087": msg33974, - "32088": msg33975, - "32089": msg33976, - "3209": msg5659, - "32090": msg33977, - "32091": msg33978, - "32092": msg33979, - "32093": msg33980, - "32094": msg33981, - "32095": msg33982, - "32096": msg33983, - "32097": msg33984, - "32098": msg33985, - "32099": msg33986, - "321": select243, - "3210": msg5660, - "32100": msg33987, - "32101": msg33988, - "32102": msg33989, - "32103": msg33990, - "32104": msg33991, - 
"32105": msg33992, - "32106": msg33993, - "32107": msg33994, - "32108": msg33995, - "32109": msg33996, - "3211": msg5661, - "32110": msg33997, - "32111": msg33998, - "32112": msg33999, - "32113": msg34000, - "32114": msg34001, - "32115": msg34002, - "32116": msg34003, - "32117": msg34004, - "32118": msg34005, - "32119": msg34006, - "3212": msg5662, - "32120": msg34007, - "32121": msg34008, - "32122": msg34009, - "32123": msg34010, - "32124": msg34011, - "32125": msg34012, - "32126": msg34013, - "32127": msg34014, - "32128": msg34015, - "32129": msg34016, - "3213": msg5663, - "32130": msg34017, - "32131": msg34018, - "32132": msg34019, - "32133": msg34020, - "32134": msg34021, - "32135": msg34022, - "32136": msg34023, - "32137": msg34024, - "32138": msg34025, - "32139": msg34026, - "3214": msg5664, - "32140": msg34027, - "32141": msg34028, - "32142": msg34029, - "32143": msg34030, - "32144": msg34031, - "32145": msg34032, - "32146": msg34033, - "32147": msg34034, - "32148": msg34035, - "32149": msg34036, - "3215": msg5665, - "32150": msg34037, - "32151": msg34038, - "32152": msg34039, - "32153": msg34040, - "32154": msg34041, - "32155": msg34042, - "32156": msg34043, - "32157": msg34044, - "32158": msg34045, - "32159": msg34046, - "3216": msg5666, - "32160": msg34047, - "32161": msg34048, - "32162": msg34049, - "32163": msg34050, - "32164": msg34051, - "32165": msg34052, - "32166": msg34053, - "32167": msg34054, - "32168": msg34055, - "32169": msg34056, - "3217": msg5667, - "32170": msg34057, - "32171": msg34058, - "32172": msg34059, - "32173": msg34060, - "32174": msg34061, - "32175": msg34062, - "32176": msg34063, - "32177": msg34064, - "32178": msg34065, - "32179": msg34066, - "3218": msg5668, - "32180": msg34067, - "32181": msg34068, - "32182": msg34069, - "32183": msg34070, - "32184": msg34071, - "32185": msg34072, - "32186": msg34073, - "32187": msg34074, - "32188": msg34075, - "32189": msg34076, - "3219": msg5669, - "32190": msg34077, - "32191": msg34078, - 
"32192": msg34079, - "32193": msg34080, - "32194": msg34081, - "32195": msg34082, - "32196": msg34083, - "32197": msg34084, - "32198": msg34085, - "32199": msg34086, - "322": select244, - "3220": msg5670, - "32200": msg34087, - "32201": msg34088, - "32202": msg34089, - "32203": msg34090, - "32204": msg34091, - "32205": msg34092, - "32206": msg34093, - "32207": msg34094, - "32208": msg34095, - "32209": msg34096, - "3221": msg5671, - "32210": msg34097, - "32211": msg34098, - "32212": msg34099, - "32213": msg34100, - "32214": msg34101, - "32215": msg34102, - "32216": msg34103, - "32217": msg34104, - "32218": msg34105, - "32219": msg34106, - "3222": msg5672, - "32220": msg34107, - "32221": msg34108, - "32222": msg34109, - "32223": msg34110, - "32224": msg34111, - "32225": msg34112, - "32226": msg34113, - "32227": msg34114, - "32228": msg34115, - "32229": msg34116, - "3223": msg5673, - "32230": msg34117, - "32231": msg34118, - "32232": msg34119, - "32233": msg34120, - "32234": msg34121, - "32235": msg34122, - "32236": msg34123, - "32237": msg34124, - "32238": msg34125, - "32239": msg34126, - "3224": msg5674, - "32240": msg34127, - "32241": msg34128, - "32242": msg34129, - "32243": msg34130, - "32244": msg34131, - "32245": msg34132, - "32246": msg34133, - "32247": msg34134, - "32248": msg34135, - "32249": msg34136, - "3225": msg5675, - "32250": msg34137, - "32251": msg34138, - "32252": msg34139, - "32253": msg34140, - "32254": msg34141, - "32255": msg34142, - "32256": msg34143, - "32257": msg34144, - "32258": msg34145, - "32259": msg34146, - "3226": msg5676, - "32260": msg34147, - "32261": msg34148, - "32262": msg34149, - "32263": msg34150, - "32264": msg34151, - "32265": msg34152, - "32266": msg34153, - "32267": msg34154, - "32268": msg34155, - "32269": msg34156, - "3227": msg5677, - "32270": msg34157, - "32271": msg34158, - "32272": msg34159, - "32273": msg34160, - "32274": msg34161, - "32275": msg34162, - "32276": msg34163, - "32277": msg34164, - "32278": msg34165, - 
"32279": msg34166, - "3228": msg5678, - "32280": msg34167, - "32281": msg34168, - "32282": msg34169, - "32283": msg34170, - "32284": msg34171, - "32285": msg34172, - "32286": msg34173, - "32287": msg34174, - "32288": msg34175, - "32289": msg34176, - "3229": msg5679, - "32290": msg34177, - "32291": msg34178, - "32292": msg34179, - "32293": msg34180, - "32294": msg34181, - "32295": msg34182, - "32296": msg34183, - "32297": msg34184, - "32298": msg34185, - "32299": msg34186, - "323": select245, - "3230": msg5680, - "32300": msg34187, - "32301": msg34188, - "32302": msg34189, - "32303": msg34190, - "32304": msg34191, - "32305": msg34192, - "32306": msg34193, - "32307": msg34194, - "32308": msg34195, - "32309": msg34196, - "3231": msg5681, - "32310": msg34197, - "32311": msg34198, - "32312": msg34199, - "32313": msg34200, - "32314": msg34201, - "32315": msg34202, - "32316": msg34203, - "32319": msg34204, - "3232": msg5682, - "32320": msg34205, - "3233": msg5683, - "32334": msg34206, - "32335": msg34207, - "32336": msg34208, - "32337": msg34209, - "32338": msg34210, - "3234": msg5684, - "32342": msg34211, - "32343": msg34212, - "32344": msg34213, - "32345": msg34214, - "32346": msg34215, - "32347": msg34216, - "32348": msg34217, - "32349": msg34218, - "3235": msg5685, - "32350": msg34219, - "32351": msg34220, - "32352": msg34221, - "32353": msg34222, - "32354": msg34223, - "32355": msg34224, - "32356": msg34225, - "32357": msg34226, - "32358": msg34227, - "32359": msg34228, - "3236": msg5686, - "32360": msg34229, - "32361": msg34230, - "32362": msg34231, - "32363": msg34232, - "32364": msg34233, - "32365": msg34234, - "32366": msg34235, - "32367": msg34236, - "32368": msg34237, - "32369": msg34238, - "3237": msg5687, - "32370": msg34239, - "32371": msg34240, - "32372": msg34241, - "32373": msg34242, - "32374": msg34243, - "32375": msg34244, - "32376": msg34245, - "32377": msg34246, - "32378": msg34247, - "32379": msg34248, - "3238": msg5688, - "32380": msg34249, - 
"32381": msg34250, - "32382": msg34251, - "32383": msg34252, - "32384": msg34253, - "32385": msg34254, - "32386": msg34255, - "32387": msg34256, - "32388": msg34257, - "32389": msg34258, - "3239": msg5689, - "32390": msg34259, - "32391": msg34260, - "32392": msg34261, - "32393": msg34262, - "32394": msg34263, - "32395": msg34264, - "32396": msg34265, - "32397": msg34266, - "32398": msg34267, - "32399": msg34268, - "324": select246, - "3240": msg5690, - "32400": msg34269, - "32401": msg34270, - "32402": msg34271, - "32403": msg34272, - "32404": msg34273, - "32405": msg34274, - "32406": msg34275, - "32407": msg34276, - "32408": msg34277, - "32409": msg34278, - "3241": msg5691, - "32410": msg34279, - "32411": msg34280, - "32412": msg34281, - "32413": msg34282, - "32414": msg34283, - "32415": msg34284, - "32416": msg34285, - "32417": msg34286, - "32418": msg34287, - "32419": msg34288, - "3242": msg5692, - "32420": msg34289, - "32421": msg34290, - "32422": msg34291, - "32423": msg34292, - "32424": msg34293, - "32425": msg34294, - "32426": msg34295, - "32427": msg34296, - "32428": msg34297, - "32429": msg34298, - "3243": msg5693, - "32430": msg34299, - "32431": msg34300, - "32432": msg34301, - "32433": msg34302, - "32434": msg34303, - "32435": msg34304, - "32436": msg34305, - "32437": msg34306, - "32438": msg34307, - "32439": msg34308, - "3244": msg5694, - "32440": msg34309, - "32441": msg34310, - "32442": msg34311, - "32443": msg34312, - "32444": msg34313, - "32445": msg34314, - "32446": msg34315, - "32447": msg34316, - "32448": msg34317, - "32449": msg34318, - "3245": msg5695, - "32450": msg34319, - "32451": msg34320, - "32452": msg34321, - "32453": msg34322, - "32454": msg34323, - "32455": msg34324, - "32456": msg34325, - "32457": msg34326, - "32458": msg34327, - "32459": msg34328, - "3246": msg5696, - "32460": msg34329, - "32461": msg34330, - "32462": msg34331, - "32463": msg34332, - "32464": msg34333, - "32465": msg34334, - "32466": msg34335, - "32467": msg34336, - 
"32468": msg34337, - "32469": msg34338, - "3247": msg5697, - "32470": msg34339, - "32471": msg34340, - "32472": msg34341, - "32473": msg34342, - "32474": msg34343, - "32475": msg34344, - "32476": msg34345, - "32477": msg34346, - "32478": msg34347, - "32479": msg34348, - "3248": msg5698, - "32480": msg34349, - "32481": msg34350, - "32482": msg34351, - "32483": msg34352, - "32484": msg34353, - "32485": msg34354, - "32486": msg34355, - "32487": msg34356, - "32488": msg34357, - "32489": msg34358, - "3249": msg5699, - "32490": msg34359, - "32491": msg34360, - "32492": msg34361, - "32493": msg34362, - "32494": msg34363, - "32495": msg34364, - "32496": msg34365, - "32497": msg34366, - "32498": msg34367, - "32499": msg34368, - "325": select247, - "3250": msg5700, - "32500": msg34369, - "32501": msg34370, - "32502": msg34371, - "32503": msg34372, - "32504": msg34373, - "32505": msg34374, - "32506": msg34375, - "32507": msg34376, - "32508": msg34377, - "32509": msg34378, - "3251": msg5701, - "32510": msg34379, - "32511": msg34380, - "32512": msg34381, - "32513": msg34382, - "32514": msg34383, - "32515": msg34384, - "32516": msg34385, - "32517": msg34386, - "32518": msg34387, - "32519": msg34388, - "3252": msg5702, - "32520": msg34389, - "32521": msg34390, - "32522": msg34391, - "32523": msg34392, - "32524": msg34393, - "32525": msg34394, - "32526": msg34395, - "32527": msg34396, - "32528": msg34397, - "32529": msg34398, - "3253": msg5703, - "32530": msg34399, - "32531": msg34400, - "32532": msg34401, - "32533": msg34402, - "32534": msg34403, - "32535": msg34404, - "32536": msg34405, - "32537": msg34406, - "32538": msg34407, - "32539": msg34408, - "3254": msg5704, - "32540": msg34409, - "32541": msg34410, - "32542": msg34411, - "32543": msg34412, - "32544": msg34413, - "32545": msg34414, - "32546": msg34415, - "32547": msg34416, - "32548": msg34417, - "32549": msg34418, - "3255": msg5705, - "32550": msg34419, - "32551": msg34420, - "32552": msg34421, - "32553": msg34422, - 
"32554": msg34423, - "32555": msg34424, - "32556": msg34425, - "32557": msg34426, - "32558": msg34427, - "32559": msg34428, - "3256": msg5706, - "32560": msg34429, - "32561": msg34430, - "32562": msg34431, - "32563": msg34432, - "32564": msg34433, - "32565": msg34434, - "32566": msg34435, - "32567": msg34436, - "32568": msg34437, - "32569": msg34438, - "3257": msg5707, - "32570": msg34439, - "32571": msg34440, - "32572": msg34441, - "32573": msg34442, - "32574": msg34443, - "32575": msg34444, - "32576": msg34445, - "32577": msg34446, - "32578": msg34447, - "32579": msg34448, - "3258": msg5708, - "32580": msg34449, - "32581": msg34450, - "32582": msg34451, - "32583": msg34452, - "32584": msg34453, - "32585": msg34454, - "32586": msg34455, - "32587": msg34456, - "32588": msg34457, - "32589": msg34458, - "3259": msg5709, - "32590": msg34459, - "32591": msg34460, - "32592": msg34461, - "32593": msg34462, - "32594": msg34463, - "32595": msg34464, - "32596": msg34465, - "32597": msg34466, - "32598": msg34467, - "32599": msg34468, - "326": select248, - "3260": msg5710, - "32600": msg34469, - "32601": msg34470, - "32602": msg34471, - "32603": msg34472, - "32604": msg34473, - "32605": msg34474, - "32606": msg34475, - "32607": msg34476, - "32608": msg34477, - "32609": msg34478, - "3261": msg5711, - "32610": msg34479, - "32611": msg34480, - "32612": msg34481, - "32613": msg34482, - "32614": msg34483, - "32615": msg34484, - "32616": msg34485, - "32617": msg34486, - "32618": msg34487, - "32619": msg34488, - "3262": msg5712, - "32620": msg34489, - "32621": msg34490, - "32622": msg34491, - "32623": msg34492, - "32624": msg34493, - "32625": msg34494, - "32626": msg34495, - "32627": msg34496, - "32628": msg34497, - "32629": msg34498, - "3263": msg5713, - "32630": msg34499, - "32631": msg34500, - "32632": msg34501, - "32633": msg34502, - "32634": msg34503, - "32635": msg34504, - "32636": msg34505, - "32637": msg34506, - "32638": msg34507, - "32639": msg34508, - "3264": msg5714, - 
"32640": msg34509, - "32641": msg34510, - "32642": msg34511, - "32643": msg34512, - "32644": msg34513, - "32645": msg34514, - "32646": msg34515, - "32647": msg34516, - "32648": msg34517, - "32649": msg34518, - "3265": msg5715, - "32650": msg34519, - "32651": msg34520, - "32652": msg34521, - "32653": msg34522, - "32654": msg34523, - "32655": msg34524, - "32656": msg34525, - "32657": msg34526, - "32658": msg34527, - "32659": msg34528, - "3266": msg5716, - "32660": msg34529, - "32661": msg34530, - "32662": msg34531, - "32663": msg34532, - "32664": msg34533, - "32665": msg34534, - "32666": msg34535, - "32667": msg34536, - "32668": msg34537, - "32669": msg34538, - "3267": msg5717, - "32670": msg34539, - "32671": msg34540, - "32672": msg34541, - "32673": msg34542, - "32674": msg34543, - "32675": msg34544, - "32676": msg34545, - "32677": msg34546, - "32678": msg34547, - "32679": msg34548, - "3268": msg5718, - "32680": msg34549, - "32681": msg34550, - "32682": msg34551, - "32683": msg34552, - "32684": msg34553, - "32685": msg34554, - "32686": msg34555, - "32687": msg34556, - "32688": msg34557, - "32689": msg34558, - "3269": msg5719, - "32690": msg34559, - "32691": msg34560, - "32692": msg34561, - "32693": msg34562, - "32694": msg34563, - "32695": msg34564, - "32696": msg34565, - "32697": msg34566, - "32698": msg34567, - "32699": msg34568, - "327": select249, - "3270": msg5720, - "32700": msg34569, - "32701": msg34570, - "32702": msg34571, - "32703": msg34572, - "32704": msg34573, - "32705": msg34574, - "32706": msg34575, - "32707": msg34576, - "32708": msg34577, - "32709": msg34578, - "3271": msg5721, - "32710": msg34579, - "32711": msg34580, - "32712": msg34581, - "32713": msg34582, - "32714": msg34583, - "32715": msg34584, - "32716": msg34585, - "32717": msg34586, - "32718": msg34587, - "32719": msg34588, - "3272": msg5722, - "32720": msg34589, - "32721": msg34590, - "32722": msg34591, - "32723": msg34592, - "32724": msg34593, - "32725": msg34594, - "32726": msg34595, - 
"32727": msg34596, - "32728": msg34597, - "32729": msg34598, - "3273": msg5723, - "32730": msg34599, - "32731": msg34600, - "32732": msg34601, - "32733": msg34602, - "32734": msg34603, - "32735": msg34604, - "32736": msg34605, - "32737": msg34606, - "32738": msg34607, - "32739": msg34608, - "3274": msg5724, - "32740": msg34609, - "32741": msg34610, - "32742": msg34611, - "32743": msg34612, - "32744": msg34613, - "32745": msg34614, - "32746": msg34615, - "32747": msg34616, - "32748": msg34617, - "32749": msg34618, - "3275": msg5725, - "32750": msg34619, - "32751": msg34620, - "32752": msg34621, - "32753": msg34622, - "32754": msg34623, - "32755": msg34624, - "32756": msg34625, - "32757": msg34626, - "32758": msg34627, - "32759": msg34628, - "3276": msg5726, - "32760": msg34629, - "32761": msg34630, - "32762": msg34631, - "32763": msg34632, - "32764": msg34633, - "32765": msg34634, - "32766": msg34635, - "32767": msg34636, - "32768": msg34637, - "32769": msg34638, - "3277": msg5727, - "32770": msg34639, - "32771": msg34640, - "32772": msg34641, - "32773": msg34642, - "32774": msg34643, - "32775": msg34644, - "32776": msg34645, - "32777": msg34646, - "32778": msg34647, - "32779": msg34648, - "3278": msg5728, - "32780": msg34649, - "32781": msg34650, - "32782": msg34651, - "32783": msg34652, - "32784": msg34653, - "32785": msg34654, - "32786": msg34655, - "32787": msg34656, - "32788": msg34657, - "32789": msg34658, - "3279": msg5729, - "32790": msg34659, - "32791": msg34660, - "32792": msg34661, - "32793": msg34662, - "32794": msg34663, - "32795": msg34664, - "32796": msg34665, - "32797": msg34666, - "32798": msg34667, - "32799": msg34668, - "328": select250, - "3280": msg5730, - "32800": msg34669, - "32801": msg34670, - "32802": msg34671, - "32803": msg34672, - "32804": msg34673, - "32805": msg34674, - "32806": msg34675, - "32807": msg34676, - "32808": msg34677, - "32809": msg34678, - "3281": msg5731, - "32810": msg34679, - "32811": msg34680, - "32812": msg34681, - 
"32813": msg34682, - "32814": msg34683, - "32815": msg34684, - "32816": msg34685, - "32817": msg34686, - "32818": msg34687, - "32819": msg34688, - "3282": msg5732, - "32820": msg34689, - "32821": msg34690, - "32822": msg34691, - "32823": msg34692, - "32824": msg34693, - "32825": msg34694, - "32826": msg34695, - "32827": msg34696, - "32828": msg34697, - "32829": msg34698, - "3283": msg5733, - "32830": msg34699, - "32831": msg34700, - "32832": msg34701, - "32833": msg34702, - "32834": msg34703, - "32835": msg34704, - "32836": msg34705, - "32837": msg34706, - "32838": msg34707, - "32839": msg34708, - "3284": msg5734, - "32840": msg34709, - "32841": msg34710, - "32842": msg34711, - "32843": msg34712, - "32844": msg34713, - "32845": msg34714, - "32846": msg34715, - "32847": msg34716, - "32848": msg34717, - "32849": msg34718, - "3285": msg5735, - "32850": msg34719, - "32851": msg34720, - "32852": msg34721, - "32853": msg34722, - "32854": msg34723, - "32855": msg34724, - "32856": msg34725, - "32857": msg34726, - "32858": msg34727, - "32859": msg34728, - "3286": msg5736, - "32860": msg34729, - "32861": msg34730, - "32862": msg34731, - "32863": msg34732, - "32864": msg34733, - "32865": msg34734, - "32866": msg34735, - "32867": msg34736, - "32868": msg34737, - "32869": msg34738, - "3287": msg5737, - "32870": msg34739, - "32871": msg34740, - "32872": msg34741, - "32873": msg34742, - "32874": msg34743, - "32875": msg34744, - "32876": msg34745, - "32877": msg34746, - "32878": msg34747, - "32879": msg34748, - "3288": msg5738, - "32880": msg34749, - "32881": msg34750, - "32882": msg34751, - "32883": msg34752, - "32884": msg34753, - "32885": msg34754, - "32886": msg34755, - "32887": msg34756, - "32888": msg34757, - "32889": msg34758, - "3289": msg5739, - "32890": msg34759, - "32891": msg34760, - "32892": msg34761, - "32893": msg34762, - "32894": msg34763, - "32895": msg34764, - "32896": msg34765, - "32897": msg34766, - "32898": msg34767, - "32899": msg34768, - "329": select251, - 
"3290": msg5740, - "32900": msg34769, - "32901": msg34770, - "32902": msg34771, - "32903": msg34772, - "32904": msg34773, - "32905": msg34774, - "32906": msg34775, - "32907": msg34776, - "32908": msg34777, - "32909": msg34778, - "3291": msg5741, - "32910": msg34779, - "32911": msg34780, - "32912": msg34781, - "32913": msg34782, - "32914": msg34783, - "32915": msg34784, - "32916": msg34785, - "32917": msg34786, - "32918": msg34787, - "32919": msg34788, - "3292": msg5742, - "32920": msg34789, - "32921": msg34790, - "32922": msg34791, - "32923": msg34792, - "32924": msg34793, - "32925": msg34794, - "32926": msg34795, - "32927": msg34796, - "32928": msg34797, - "32929": msg34798, - "3293": msg5743, - "32930": msg34799, - "32931": msg34800, - "32932": msg34801, - "32933": msg34802, - "32934": msg34803, - "32935": msg34804, - "32936": msg34805, - "32937": msg34806, - "32938": msg34807, - "32939": msg34808, - "3294": msg5744, - "32940": msg34809, - "32941": msg34810, - "32942": msg34811, - "32943": msg34812, - "32944": msg34813, - "32945": msg34814, - "32946": msg34815, - "32947": msg34816, - "32948": msg34817, - "32949": msg34818, - "3295": msg5745, - "32950": msg34819, - "32951": msg34820, - "32952": msg34821, - "32953": msg34822, - "32954": msg34823, - "32955": msg34824, - "32956": msg34825, - "32957": msg34826, - "32958": msg34827, - "32959": msg34828, - "3296": msg5746, - "32960": msg34829, - "32961": msg34830, - "32962": msg34831, - "32963": msg34832, - "32964": msg34833, - "32965": msg34834, - "32966": msg34835, - "32967": msg34836, - "32968": msg34837, - "32969": msg34838, - "3297": msg5747, - "32970": msg34839, - "32971": msg34840, - "32972": msg34841, - "32973": msg34842, - "32974": msg34843, - "32975": msg34844, - "32976": msg34845, - "32977": msg34846, - "32978": msg34847, - "32979": msg34848, - "3298": msg5748, - "32980": msg34849, - "32981": msg34850, - "32982": msg34851, - "32983": msg34852, - "32984": msg34853, - "32985": msg34854, - "32986": msg34855, - 
"32987": msg34856, - "32988": msg34857, - "32989": msg34858, - "3299": msg5749, - "32990": msg34859, - "32991": msg34860, - "32992": msg34861, - "32993": msg34862, - "32994": msg34863, - "32995": msg34864, - "32996": msg34865, - "32997": msg34866, - "32998": msg34867, - "32999": msg34868, - "330": select252, - "3300": msg5750, - "33000": msg34869, - "33001": msg34870, - "33002": msg34871, - "33003": msg34872, - "33004": msg34873, - "33005": msg34874, - "33006": msg34875, - "33007": msg34876, - "33008": msg34877, - "33009": msg34878, - "3301": msg5751, - "33010": msg34879, - "33011": msg34880, - "33012": msg34881, - "33013": msg34882, - "33014": msg34883, - "33015": msg34884, - "33016": msg34885, - "33017": msg34886, - "33018": msg34887, - "33019": msg34888, - "3302": msg5752, - "33020": msg34889, - "33021": msg34890, - "33022": msg34891, - "33023": msg34892, - "33024": msg34893, - "33025": msg34894, - "33026": msg34895, - "33027": msg34896, - "33028": msg34897, - "33029": msg34898, - "3303": msg5753, - "33030": msg34899, - "33031": msg34900, - "33032": msg34901, - "33033": msg34902, - "33034": msg34903, - "33035": msg34904, - "33036": msg34905, - "33037": msg34906, - "33038": msg34907, - "33039": msg34908, - "3304": msg5754, - "33040": msg34909, - "33041": msg34910, - "33042": msg34911, - "33043": msg34912, - "33044": msg34913, - "33045": msg34914, - "33046": msg34915, - "33047": msg34916, - "33048": msg34917, - "33049": msg34918, - "3305": msg5755, - "33050": msg34919, - "33051": msg34920, - "33052": msg34921, - "33053": msg34922, - "33054": msg34923, - "33055": msg34924, - "33056": msg34925, - "33057": msg34926, - "33058": msg34927, - "33059": msg34928, - "3306": msg5756, - "33060": msg34929, - "33061": msg34930, - "33062": msg34931, - "33063": msg34932, - "33064": msg34933, - "33065": msg34934, - "33066": msg34935, - "33067": msg34936, - "33068": msg34937, - "33069": msg34938, - "3307": msg5757, - "33070": msg34939, - "33071": msg34940, - "33072": msg34941, - 
"33073": msg34942, - "33074": msg34943, - "33075": msg34944, - "33076": msg34945, - "33077": msg34946, - "33078": msg34947, - "33079": msg34948, - "3308": msg5758, - "33080": msg34949, - "33081": msg34950, - "33082": msg34951, - "33083": msg34952, - "33084": msg34953, - "33085": msg34954, - "33086": msg34955, - "33087": msg34956, - "33088": msg34957, - "33089": msg34958, - "3309": msg5759, - "33090": msg34959, - "33091": msg34960, - "33092": msg34961, - "33093": msg34962, - "33094": msg34963, - "33095": msg34964, - "33096": msg34965, - "33097": msg34966, - "33098": msg34967, - "33099": msg34968, - "331": select253, - "3310": msg5760, - "33100": msg34969, - "33101": msg34970, - "33102": msg34971, - "33103": msg34972, - "33104": msg34973, - "33105": msg34974, - "33106": msg34975, - "33107": msg34976, - "33108": msg34977, - "33109": msg34978, - "3311": msg5761, - "33110": msg34979, - "33111": msg34980, - "33112": msg34981, - "33113": msg34982, - "33114": msg34983, - "33115": msg34984, - "33116": msg34985, - "33117": msg34986, - "33118": msg34987, - "33119": msg34988, - "3312": msg5762, - "33120": msg34989, - "33121": msg34990, - "33122": msg34991, - "33123": msg34992, - "33124": msg34993, - "33125": msg34994, - "33126": msg34995, - "33127": msg34996, - "33128": msg34997, - "33129": msg34998, - "3313": msg5763, - "33130": msg34999, - "33131": msg35000, - "33132": msg35001, - "33133": msg35002, - "33134": msg35003, - "33135": msg35004, - "33136": msg35005, - "33137": msg35006, - "33138": msg35007, - "33139": msg35008, - "3314": msg5764, - "33140": msg35009, - "33141": msg35010, - "33142": msg35011, - "33143": msg35012, - "33144": msg35013, - "33145": msg35014, - "33146": msg35015, - "33147": msg35016, - "33148": msg35017, - "33149": msg35018, - "3315": msg5765, - "33150": msg35019, - "33151": msg35020, - "33152": msg35021, - "33153": msg35022, - "33154": msg35023, - "33155": msg35024, - "33156": msg35025, - "33157": msg35026, - "33158": msg35027, - "33159": msg35028, - 
"3316": msg5766, - "33160": msg35029, - "33161": msg35030, - "33162": msg35031, - "33163": msg35032, - "33164": msg35033, - "33165": msg35034, - "33166": msg35035, - "33167": msg35036, - "33168": msg35037, - "33169": msg35038, - "3317": msg5767, - "33170": msg35039, - "33171": msg35040, - "33172": msg35041, - "33173": msg35042, - "33174": msg35043, - "33175": msg35044, - "33176": msg35045, - "33177": msg35046, - "33178": msg35047, - "33179": msg35048, - "3318": msg5768, - "33180": msg35049, - "33181": msg35050, - "33182": msg35051, - "33183": msg35052, - "33184": msg35053, - "33185": msg35054, - "33186": msg35055, - "33187": msg35056, - "33188": msg35057, - "33189": msg35058, - "3319": msg5769, - "33190": msg35059, - "33191": msg35060, - "33192": msg35061, - "33193": msg35062, - "33194": msg35063, - "33195": msg35064, - "33196": msg35065, - "33197": msg35066, - "33198": msg35067, - "33199": msg35068, - "332": select254, - "3320": msg5770, - "33200": msg35069, - "33201": msg35070, - "33202": msg35071, - "33203": msg35072, - "33204": msg35073, - "33205": msg35074, - "33206": msg35075, - "33207": msg35076, - "33208": msg35077, - "33209": msg35078, - "3321": msg5771, - "33210": msg35079, - "33211": msg35080, - "33212": msg35081, - "33213": msg35082, - "33214": msg35083, - "33215": msg35084, - "33216": msg35085, - "33217": msg35086, - "33218": msg35087, - "33219": msg35088, - "3322": msg5772, - "33220": msg35089, - "33221": msg35090, - "33222": msg35091, - "33223": msg35092, - "33224": msg35093, - "33225": msg35094, - "33226": msg35095, - "33227": msg35096, - "33228": msg35097, - "33229": msg35098, - "3323": msg5773, - "33230": msg35099, - "33231": msg35100, - "33232": msg35101, - "33233": msg35102, - "33234": msg35103, - "33235": msg35104, - "33236": msg35105, - "33237": msg35106, - "33238": msg35107, - "33239": msg35108, - "3324": msg5774, - "33240": msg35109, - "33241": msg35110, - "33242": msg35111, - "33243": msg35112, - "33244": msg35113, - "33245": msg35114, - 
"33246": msg35115, - "33247": msg35116, - "33248": msg35117, - "33249": msg35118, - "3325": msg5775, - "33250": msg35119, - "33251": msg35120, - "33252": msg35121, - "33253": msg35122, - "33254": msg35123, - "33255": msg35124, - "33256": msg35125, - "33257": msg35126, - "33258": msg35127, - "33259": msg35128, - "3326": msg5776, - "33260": msg35129, - "33261": msg35130, - "33262": msg35131, - "33263": msg35132, - "33264": msg35133, - "33265": msg35134, - "33266": msg35135, - "33267": msg35136, - "33268": msg35137, - "33269": msg35138, - "3327": msg5777, - "33270": msg35139, - "33271": msg35140, - "33272": msg35141, - "33273": msg35142, - "33274": msg35143, - "33275": msg35144, - "33276": msg35145, - "33277": msg35146, - "33278": msg35147, - "33279": msg35148, - "3328": msg5778, - "33280": msg35149, - "33281": msg35150, - "33282": msg35151, - "33283": msg35152, - "33284": msg35153, - "33285": msg35154, - "33286": msg35155, - "33287": msg35156, - "33288": msg35157, - "33289": msg35158, - "3329": msg5779, - "33290": msg35159, - "33291": msg35160, - "33292": msg35161, - "33293": msg35162, - "33294": msg35163, - "33295": msg35164, - "33296": msg35165, - "33297": msg35166, - "33298": msg35167, - "33299": msg35168, - "333": select255, - "3330": msg5780, - "33300": msg35169, - "33301": msg35170, - "33302": msg35171, - "33303": msg35172, - "33304": msg35173, - "33305": msg35174, - "33306": msg35175, - "33307": msg35176, - "33308": msg35177, - "33309": msg35178, - "3331": msg5781, - "33310": msg35179, - "33311": msg35180, - "33312": msg35181, - "33313": msg35182, - "33314": msg35183, - "33315": msg35184, - "33316": msg35185, - "33317": msg35186, - "33318": msg35187, - "33319": msg35188, - "3332": msg5782, - "33320": msg35189, - "33321": msg35190, - "33322": msg35191, - "33323": msg35192, - "33324": msg35193, - "33325": msg35194, - "33326": msg35195, - "33327": msg35196, - "33328": msg35197, - "33329": msg35198, - "3333": msg5783, - "33330": msg35199, - "33331": msg35200, - 
"33332": msg35201, - "33333": msg35202, - "33334": msg35203, - "33335": msg35204, - "33336": msg35205, - "33337": msg35206, - "33338": msg35207, - "33339": msg35208, - "3334": msg5784, - "33340": msg35209, - "33341": msg35210, - "33342": msg35211, - "33343": msg35212, - "33344": msg35213, - "33345": msg35214, - "33346": msg35215, - "33347": msg35216, - "33348": msg35217, - "33349": msg35218, - "3335": msg5785, - "33350": msg35219, - "33351": msg35220, - "33352": msg35221, - "33353": msg35222, - "33354": msg35223, - "33355": msg35224, - "33356": msg35225, - "33357": msg35226, - "33358": msg35227, - "33359": msg35228, - "3336": msg5786, - "33360": msg35229, - "33361": msg35230, - "33362": msg35231, - "33363": msg35232, - "33364": msg35233, - "33365": msg35234, - "33366": msg35235, - "33367": msg35236, - "33368": msg35237, - "33369": msg35238, - "3337": msg5787, - "33370": msg35239, - "33371": msg35240, - "33372": msg35241, - "33373": msg35242, - "33374": msg35243, - "33375": msg35244, - "33376": msg35245, - "33377": msg35246, - "33378": msg35247, - "33379": msg35248, - "3338": msg5788, - "33380": msg35249, - "33381": msg35250, - "33382": msg35251, - "33383": msg35252, - "33384": msg35253, - "33385": msg35254, - "33386": msg35255, - "33387": msg35256, - "33388": msg35257, - "33389": msg35258, - "3339": msg5789, - "33390": msg35259, - "33391": msg35260, - "33392": msg35261, - "33393": msg35262, - "33394": msg35263, - "33395": msg35264, - "33396": msg35265, - "33397": msg35266, - "33398": msg35267, - "33399": msg35268, - "334": select256, - "3340": msg5790, - "33400": msg35269, - "33401": msg35270, - "33402": msg35271, - "33403": msg35272, - "33404": msg35273, - "33405": msg35274, - "33406": msg35275, - "33407": msg35276, - "33408": msg35277, - "33409": msg35278, - "3341": msg5791, - "33410": msg35279, - "33411": msg35280, - "33412": msg35281, - "33413": msg35282, - "33414": msg35283, - "33415": msg35284, - "33416": msg35285, - "33417": msg35286, - "33418": msg35287, - 
"33419": msg35288, - "3342": msg5792, - "33420": msg35289, - "33421": msg35290, - "33422": msg35291, - "33423": msg35292, - "33424": msg35293, - "33425": msg35294, - "33426": msg35295, - "33427": msg35296, - "33428": msg35297, - "33429": msg35298, - "3343": msg5793, - "33430": msg35299, - "33431": msg35300, - "33432": msg35301, - "33433": msg35302, - "33434": msg35303, - "33435": msg35304, - "33436": msg35305, - "33437": msg35306, - "33438": msg35307, - "33439": msg35308, - "3344": msg5794, - "33440": msg35309, - "33441": msg35310, - "33442": msg35311, - "33443": msg35312, - "33444": msg35313, - "33445": msg35314, - "33446": msg35315, - "33447": msg35316, - "33448": msg35317, - "33449": msg35318, - "3345": msg5795, - "33450": msg35319, - "33451": msg35320, - "33452": msg35321, - "33453": msg35322, - "33454": msg35323, - "33455": msg35324, - "33456": msg35325, - "33457": msg35326, - "33458": msg35327, - "33459": msg35328, - "3346": msg5796, - "33460": msg35329, - "33461": msg35330, - "33462": msg35331, - "33463": msg35332, - "33464": msg35333, - "33465": msg35334, - "33466": msg35335, - "33467": msg35336, - "33468": msg35337, - "33469": msg35338, - "3347": msg5797, - "33470": msg35339, - "33471": msg35340, - "33472": msg35341, - "33473": msg35342, - "33474": msg35343, - "33475": msg35344, - "33476": msg35345, - "33477": msg35346, - "33478": msg35347, - "3348": msg5798, - "3349": msg5799, - "335": select257, - "3350": msg5800, - "3351": msg5801, - "3352": msg5802, - "3353": msg5803, - "3354": msg5804, - "3355": msg5805, - "3356": msg5806, - "33564": msg35348, - "33565": msg35349, - "33566": msg35350, - "33567": msg35351, - "33568": msg35352, - "33569": msg35353, - "3357": msg5807, - "33570": msg35354, - "33571": msg35355, - "33572": msg35356, - "33573": msg35357, - "33574": msg35358, - "33575": msg35359, - "33576": msg35360, - "33577": msg35361, - "33578": msg35362, - "33579": msg35363, - "3358": msg5808, - "33580": msg35364, - "33581": msg35365, - "33582": msg35366, 
- "33583": msg35367, - "33584": msg35368, - "33585": msg35369, - "33586": msg35370, - "33587": msg35371, - "33588": msg35372, - "33589": msg35373, - "3359": msg5809, - "33590": msg35374, - "33591": msg35375, - "33592": msg35376, - "33593": msg35377, - "33594": msg35378, - "33595": msg35379, - "33596": msg35380, - "33597": msg35381, - "33598": msg35382, - "33599": msg35383, - "336": select258, - "3360": msg5810, - "33600": msg35384, - "33601": msg35385, - "33602": msg35386, - "33603": msg35387, - "33604": msg35388, - "33605": msg35389, - "33606": msg35390, - "33607": msg35391, - "33608": msg35392, - "33609": msg35393, - "3361": msg5811, - "33610": msg35394, - "33611": msg35395, - "33612": msg35396, - "33613": msg35397, - "33614": msg35398, - "33615": msg35399, - "33618": msg35400, - "33619": msg35401, - "3362": msg5812, - "33620": msg35402, - "33621": msg35403, - "33622": msg35404, - "33623": msg35405, - "33624": msg35406, - "33625": msg35407, - "33626": msg35408, - "33627": msg35409, - "33628": msg35410, - "33629": msg35411, - "3363": msg5813, - "33630": msg35412, - "33631": msg35413, - "33632": msg35414, - "33633": msg35415, - "33634": msg35416, - "33635": msg35417, - "33636": msg35418, - "33637": msg35419, - "33638": msg35420, - "33639": msg35421, - "3364": msg5814, - "33640": msg35422, - "33641": msg35423, - "33642": msg35424, - "33643": msg35425, - "33644": msg35426, - "33645": msg35427, - "33646": msg35428, - "33647": msg35429, - "33648": msg35430, - "33649": msg35431, - "3365": msg5815, - "33650": msg35432, - "33651": msg35433, - "33652": msg35434, - "33653": msg35435, - "33654": msg35436, - "33655": msg35437, - "33656": msg35438, - "33657": msg35439, - "33658": msg35440, - "33659": msg35441, - "3366": msg5816, - "33660": msg35442, - "33661": msg35443, - "33662": msg35444, - "33663": msg35445, - "33664": msg35446, - "33665": msg35447, - "33666": msg35448, - "33667": msg35449, - "33668": msg35450, - "33669": msg35451, - "3367": msg5817, - "33670": msg35452, - 
"33671": msg35453, - "33672": msg35454, - "33673": msg35455, - "33674": msg35456, - "33675": msg35457, - "33676": msg35458, - "33677": msg35459, - "33678": msg35460, - "33679": msg35461, - "3368": msg5818, - "33680": msg35462, - "33681": msg35463, - "33682": msg35464, - "33683": msg35465, - "33684": msg35466, - "33685": msg35467, - "33686": msg35468, - "33687": msg35469, - "33688": msg35470, - "33689": msg35471, - "3369": msg5819, - "33690": msg35472, - "33691": msg35473, - "33692": msg35474, - "33693": msg35475, - "33694": msg35476, - "33695": msg35477, - "33696": msg35478, - "33697": msg35479, - "33698": msg35480, - "33699": msg35481, - "337": select259, - "3370": msg5820, - "33700": msg35482, - "33701": msg35483, - "33702": msg35484, - "33703": msg35485, - "33704": msg35486, - "33705": msg35487, - "33706": msg35488, - "33707": msg35489, - "33708": msg35490, - "33709": msg35491, - "3371": msg5821, - "33710": msg35492, - "33711": msg35493, - "33712": msg35494, - "33713": msg35495, - "33714": msg35496, - "33715": msg35497, - "33716": msg35498, - "33717": msg35499, - "33718": msg35500, - "33719": msg35501, - "3372": msg5822, - "33720": msg35502, - "33721": msg35503, - "33722": msg35504, - "33723": msg35505, - "33724": msg35506, - "33725": msg35507, - "33726": msg35508, - "33727": msg35509, - "33728": msg35510, - "33729": msg35511, - "3373": msg5823, - "33730": msg35512, - "33731": msg35513, - "33732": msg35514, - "33733": msg35515, - "33734": msg35516, - "33735": msg35517, - "33736": msg35518, - "33737": msg35519, - "33738": msg35520, - "33739": msg35521, - "3374": msg5824, - "33740": msg35522, - "33741": msg35523, - "33742": msg35524, - "33743": msg35525, - "33744": msg35526, - "33745": msg35527, - "33746": msg35528, - "33747": msg35529, - "33748": msg35530, - "33749": msg35531, - "3375": msg5825, - "33750": msg35532, - "33751": msg35533, - "33752": msg35534, - "33753": msg35535, - "33754": msg35536, - "33755": msg35537, - "33756": msg35538, - "33757": msg35539, - 
"33758": msg35540, - "33759": msg35541, - "3376": msg5826, - "33760": msg35542, - "33761": msg35543, - "33762": msg35544, - "33763": msg35545, - "33764": msg35546, - "33765": msg35547, - "33766": msg35548, - "33767": msg35549, - "33768": msg35550, - "33769": msg35551, - "3377": msg5827, - "33770": msg35552, - "33771": msg35553, - "33772": msg35554, - "33773": msg35555, - "33774": msg35556, - "33775": msg35557, - "33776": msg35558, - "33777": msg35559, - "33778": msg35560, - "33779": msg35561, - "3378": msg5828, - "33780": msg35562, - "33781": msg35563, - "33782": msg35564, - "33783": msg35565, - "33784": msg35566, - "33785": msg35567, - "33786": msg35568, - "33787": msg35569, - "33788": msg35570, - "33789": msg35571, - "3379": msg5829, - "33790": msg35572, - "33791": msg35573, - "33792": msg35574, - "33793": msg35575, - "33794": msg35576, - "33795": msg35577, - "33796": msg35578, - "33797": msg35579, - "33798": msg35580, - "33799": msg35581, - "338": select260, - "3380": msg5830, - "33800": msg35582, - "33801": msg35583, - "33802": msg35584, - "33803": msg35585, - "33804": msg35586, - "33805": msg35587, - "33806": msg35588, - "33807": msg35589, - "33808": msg35590, - "33809": msg35591, - "3381": msg5831, - "33810": msg35592, - "33811": msg35593, - "33812": msg35594, - "33813": msg35595, - "33814": msg35596, - "33815": msg35597, - "33816": msg35598, - "33817": msg35599, - "33818": msg35600, - "33819": msg35601, - "3382": msg5832, - "33820": msg35602, - "33821": msg35603, - "33822": msg35604, - "33823": msg35605, - "33824": msg35606, - "33825": msg35607, - "33826": msg35608, - "33827": msg35609, - "33828": msg35610, - "33829": msg35611, - "3383": msg5833, - "33830": msg35612, - "33831": msg35613, - "33832": msg35614, - "33833": msg35615, - "33834": msg35616, - "33835": msg35617, - "33836": msg35618, - "33837": msg35619, - "33838": msg35620, - "33839": msg35621, - "3384": msg5834, - "33840": msg35622, - "33841": msg35623, - "33842": msg35624, - "33843": msg35625, - 
"33844": msg35626, - "33845": msg35627, - "33846": msg35628, - "33847": msg35629, - "33848": msg35630, - "33849": msg35631, - "3385": msg5835, - "33850": msg35632, - "33851": msg35633, - "33852": msg35634, - "33853": msg35635, - "33854": msg35636, - "33855": msg35637, - "33856": msg35638, - "33857": msg35639, - "33858": msg35640, - "33859": msg35641, - "3386": msg5836, - "33860": msg35642, - "33861": msg35643, - "33862": msg35644, - "33863": msg35645, - "33864": msg35646, - "33865": msg35647, - "33866": msg35648, - "33867": msg35649, - "33868": msg35650, - "33869": msg35651, - "3387": msg5837, - "33870": msg35652, - "33871": msg35653, - "33872": msg35654, - "33873": msg35655, - "33874": msg35656, - "33875": msg35657, - "33876": msg35658, - "33877": msg35659, - "33878": msg35660, - "33879": msg35661, - "3388": msg5838, - "33880": msg35662, - "33881": msg35663, - "33882": msg35664, - "33883": msg35665, - "33884": msg35666, - "33885": msg35667, - "33886": msg35668, - "33887": msg35669, - "33888": msg35670, - "33889": msg35671, - "3389": msg5839, - "33890": msg35672, - "33891": msg35673, - "33892": msg35674, - "33893": msg35675, - "33894": msg35676, - "33895": msg35677, - "33896": msg35678, - "33897": msg35679, - "33898": msg35680, - "33899": msg35681, - "339": select261, - "3390": msg5840, - "33900": msg35682, - "33901": msg35683, - "33902": msg35684, - "33903": msg35685, - "33904": msg35686, - "33905": msg35687, - "33906": msg35688, - "33907": msg35689, - "33908": msg35690, - "33909": msg35691, - "3391": msg5841, - "33910": msg35692, - "33911": msg35693, - "33912": msg35694, - "33913": msg35695, - "33914": msg35696, - "33915": msg35697, - "33916": msg35698, - "33917": msg35699, - "33918": msg35700, - "33919": msg35701, - "3392": msg5842, - "33920": msg35702, - "33921": msg35703, - "33922": msg35704, - "33923": msg35705, - "33924": msg35706, - "33925": msg35707, - "33926": msg35708, - "33927": msg35709, - "33928": msg35710, - "33929": msg35711, - "3393": msg5843, - 
"33930": msg35712, - "33931": msg35713, - "33932": msg35714, - "33933": msg35715, - "33934": msg35716, - "33935": msg35717, - "33936": msg35718, - "33937": msg35719, - "33938": msg35720, - "33939": msg35721, - "3394": msg5844, - "33940": msg35722, - "33941": msg35723, - "33942": msg35724, - "33943": msg35725, - "33944": msg35726, - "33945": msg35727, - "33946": msg35728, - "33947": msg35729, - "33948": msg35730, - "33949": msg35731, - "3395": msg5845, - "33950": msg35732, - "33951": msg35733, - "33952": msg35734, - "33953": msg35735, - "33954": msg35736, - "33955": msg35737, - "33956": msg35738, - "33957": msg35739, - "33958": msg35740, - "33959": msg35741, - "3396": msg5846, - "33960": msg35742, - "33961": msg35743, - "33962": msg35744, - "33963": msg35745, - "33964": msg35746, - "33965": msg35747, - "33966": msg35748, - "33967": msg35749, - "33968": msg35750, - "33969": msg35751, - "3397": msg5847, - "33970": msg35752, - "33971": msg35753, - "33972": msg35754, - "33973": msg35755, - "33974": msg35756, - "33975": msg35757, - "33976": msg35758, - "33977": msg35759, - "33978": msg35760, - "33979": msg35761, - "3398": msg5848, - "33980": msg35762, - "33981": msg35763, - "33982": msg35764, - "33983": msg35765, - "33984": msg35766, - "33985": msg35767, - "33986": msg35768, - "33987": msg35769, - "33988": msg35770, - "33989": msg35771, - "3399": msg5849, - "33990": msg35772, - "33991": msg35773, - "33992": msg35774, - "33993": msg35775, - "33994": msg35776, - "33995": msg35777, - "33996": msg35778, - "33997": msg35779, - "33998": msg35780, - "33999": msg35781, - "34": msg65, - "340": select262, - "3400": msg5850, - "34000": msg35782, - "34001": msg35783, - "34002": msg35784, - "34003": msg35785, - "34004": msg35786, - "34005": msg35787, - "34006": msg35788, - "34007": msg35789, - "34008": msg35790, - "34009": msg35791, - "3401": msg5851, - "34010": msg35792, - "34011": msg35793, - "34012": msg35794, - "34013": msg35795, - "34014": msg35796, - "34015": msg35797, - 
"34016": msg35798, - "34017": msg35799, - "34018": msg35800, - "34019": msg35801, - "3402": msg5852, - "34020": msg35802, - "34021": msg35803, - "34022": msg35804, - "34023": msg35805, - "34024": msg35806, - "34025": msg35807, - "34026": msg35808, - "34027": msg35809, - "34028": msg35810, - "34029": msg35811, - "3403": msg5853, - "34030": msg35812, - "34031": msg35813, - "34032": msg35814, - "34033": msg35815, - "34034": msg35816, - "34035": msg35817, - "34036": msg35818, - "34037": msg35819, - "34038": msg35820, - "34039": msg35821, - "3404": msg5854, - "34040": msg35822, - "34041": msg35823, - "34042": msg35824, - "3404269": msg38426, - "3404272": msg38427, - "34043": msg35825, - "34044": msg35826, - "34045": msg35827, - "34046": msg35828, - "34047": msg35829, - "34048": msg35830, - "34049": msg35831, - "3405": msg5855, - "34050": msg35832, - "34051": msg35833, - "34052": msg35834, - "34053": msg35835, - "34054": msg35836, - "34055": msg35837, - "34056": msg35838, - "34057": msg35839, - "34058": msg35840, - "34059": msg35841, - "3406": msg5856, - "34060": msg35842, - "34061": msg35843, - "34062": msg35844, - "34063": msg35845, - "34064": msg35846, - "34065": msg35847, - "34066": msg35848, - "34067": msg35849, - "34068": msg35850, - "34069": msg35851, - "3407": msg5857, - "34070": msg35852, - "34071": msg35853, - "34072": msg35854, - "34073": msg35855, - "34074": msg35856, - "34075": msg35857, - "34076": msg35858, - "34077": msg35859, - "34078": msg35860, - "34079": msg35861, - "3408": msg5858, - "34080": msg35862, - "34081": msg35863, - "34082": msg35864, - "34083": msg35865, - "34084": msg35866, - "34085": msg35867, - "34086": msg35868, - "34087": msg35869, - "34088": msg35870, - "34089": msg35871, - "3409": msg5859, - "34090": msg35872, - "34091": msg35873, - "34092": msg35874, - "34093": msg35875, - "34094": msg35876, - "34095": msg35877, - "34096": msg35878, - "34097": msg35879, - "34098": msg35880, - "34099": msg35881, - "341": select263, - "3410": msg5860, 
- "34100": msg35882, - "34101": msg35883, - "34102": msg35884, - "34103": msg35885, - "34104": msg35886, - "34105": msg35887, - "34106": msg35888, - "34107": msg35889, - "34108": msg35890, - "34109": msg35891, - "3411": msg5861, - "34110": msg35892, - "34111": msg35893, - "34112": msg35894, - "34113": msg35895, - "34114": msg35896, - "34115": msg35897, - "34116": msg35898, - "34117": msg35899, - "34118": msg35900, - "34119": msg35901, - "3412": msg5862, - "34120": msg35902, - "34121": msg35903, - "34122": msg35904, - "34123": msg35905, - "34124": msg35906, - "34125": msg35907, - "34126": msg35908, - "34127": msg35909, - "34128": msg35910, - "34129": msg35911, - "3413": msg5863, - "34130": msg35912, - "34131": msg35913, - "34132": msg35914, - "34133": msg35915, - "34134": msg35916, - "34135": msg35917, - "34136": msg35918, - "34137": msg35919, - "34138": msg35920, - "34139": msg35921, - "3414": msg5864, - "34140": msg35922, - "34141": msg35923, - "34142": msg35924, - "34143": msg35925, - "34144": msg35926, - "34145": msg35927, - "34146": msg35928, - "34147": msg35929, - "34148": msg35930, - "34149": msg35931, - "3415": msg5865, - "34150": msg35932, - "34151": msg35933, - "34152": msg35934, - "34153": msg35935, - "34154": msg35936, - "34155": msg35937, - "34156": msg35938, - "34157": msg35939, - "34158": msg35940, - "34159": msg35941, - "3416": msg5866, - "34160": msg35942, - "34161": msg35943, - "34162": msg35944, - "34163": msg35945, - "34164": msg35946, - "34165": msg35947, - "34166": msg35948, - "34167": msg35949, - "34168": msg35950, - "34169": msg35951, - "3417": msg5867, - "34170": msg35952, - "34171": msg35953, - "34172": msg35954, - "34173": msg35955, - "34174": msg35956, - "34175": msg35957, - "34176": msg35958, - "34177": msg35959, - "34178": msg35960, - "34179": msg35961, - "3418": msg5868, - "34180": msg35962, - "34181": msg35963, - "34182": msg35964, - "34183": msg35965, - "34184": msg35966, - "34185": msg35967, - "34186": msg35968, - "34187": msg35969, 
- "34188": msg35970, - "34189": msg35971, - "3419": msg5869, - "34190": msg35972, - "34191": msg35973, - "34192": msg35974, - "34193": msg35975, - "34194": msg35976, - "34195": msg35977, - "34196": msg35978, - "34197": msg35979, - "34198": msg35980, - "34199": msg35981, - "342": select264, - "3420": msg5870, - "34200": msg35982, - "34201": msg35983, - "34202": msg35984, - "34203": msg35985, - "34204": msg35986, - "34205": msg35987, - "34206": msg35988, - "34207": msg35989, - "34208": msg35990, - "34209": msg35991, - "3421": msg5871, - "34210": msg35992, - "34211": msg35993, - "34212": msg35994, - "34213": msg35995, - "34214": msg35996, - "34215": msg35997, - "34216": msg35998, - "34217": msg35999, - "34218": msg36000, - "34219": msg36001, - "3422": msg5872, - "34220": msg36002, - "34221": msg36003, - "34222": msg36004, - "34223": msg36005, - "34224": msg36006, - "34225": msg36007, - "34226": msg36008, - "34227": msg36009, - "34228": msg36010, - "34229": msg36011, - "3423": msg5873, - "34230": msg36012, - "34231": msg36013, - "34232": msg36014, - "34233": msg36015, - "34234": msg36016, - "34235": msg36017, - "34236": msg36018, - "34237": msg36019, - "34238": msg36020, - "34239": msg36021, - "3424": msg5874, - "34240": msg36022, - "34241": msg36023, - "34242": msg36024, - "34243": msg36025, - "34244": msg36026, - "34245": msg36027, - "34246": msg36028, - "34247": msg36029, - "34248": msg36030, - "34249": msg36031, - "3425": msg5875, - "34250": msg36032, - "34251": msg36033, - "34252": msg36034, - "34253": msg36035, - "34254": msg36036, - "34255": msg36037, - "34256": msg36038, - "34257": msg36039, - "34258": msg36040, - "34259": msg36041, - "3426": msg5876, - "34260": msg36042, - "34261": msg36043, - "34262": msg36044, - "34263": msg36045, - "34264": msg36046, - "34265": msg36047, - "34266": msg36048, - "34267": msg36049, - "34268": msg36050, - "34269": msg36051, - "3427": msg5877, - "34270": msg36052, - "34271": msg36053, - "34272": msg36054, - "34273": msg36055, - 
"34274": msg36056, - "34275": msg36057, - "34276": msg36058, - "34277": msg36059, - "34278": msg36060, - "34279": msg36061, - "3428": msg5878, - "34280": msg36062, - "34281": msg36063, - "34282": msg36064, - "34283": msg36065, - "34284": msg36066, - "34285": msg36067, - "34286": msg36068, - "34287": msg36069, - "34288": msg36070, - "34289": msg36071, - "3429": msg5879, - "34290": msg36072, - "34291": msg36073, - "34292": msg36074, - "34293": msg36075, - "34294": msg36076, - "34295": msg36077, - "34296": msg36078, - "34297": msg36079, - "34298": msg36080, - "34299": msg36081, - "343": select265, - "3430": msg5880, - "34300": msg36082, - "34301": msg36083, - "34302": msg36084, - "34303": msg36085, - "34304": msg36086, - "34305": msg36087, - "34306": msg36088, - "34307": msg36089, - "34308": msg36090, - "34309": msg36091, - "3431": msg5881, - "34310": msg36092, - "34311": msg36093, - "34312": msg36094, - "34313": msg36095, - "34314": msg36096, - "34315": msg36097, - "34316": msg36098, - "34317": msg36099, - "34318": msg36100, - "34319": msg36101, - "3432": msg5882, - "34320": msg36102, - "34321": msg36103, - "34322": msg36104, - "34323": msg36105, - "34324": msg36106, - "34325": msg36107, - "34326": msg36108, - "34327": msg36109, - "34328": msg36110, - "34329": msg36111, - "3433": msg5883, - "34330": msg36112, - "34331": msg36113, - "34332": msg36114, - "34333": msg36115, - "34334": msg36116, - "34335": msg36117, - "34336": msg36118, - "34337": msg36119, - "34338": msg36120, - "34339": msg36121, - "3434": msg5884, - "34340": msg36122, - "34341": msg36123, - "34342": msg36124, - "34343": msg36125, - "34344": msg36126, - "34345": msg36127, - "34346": msg36128, - "34347": msg36129, - "34348": msg36130, - "34349": msg36131, - "3435": msg5885, - "34350": msg36132, - "34351": msg36133, - "34352": msg36134, - "34353": msg36135, - "34354": msg36136, - "34355": msg36137, - "34356": msg36138, - "34357": msg36139, - "34358": msg36140, - "34359": msg36141, - "3436": msg5886, - 
"34360": msg36142, - "34361": msg36143, - "34362": msg36144, - "34363": msg36145, - "34364": msg36146, - "34365": msg36147, - "34366": msg36148, - "34367": msg36149, - "34368": msg36150, - "34369": msg36151, - "3437": msg5887, - "34370": msg36152, - "34371": msg36153, - "34372": msg36154, - "34373": msg36155, - "34374": msg36156, - "34375": msg36157, - "34376": msg36158, - "34377": msg36159, - "34378": msg36160, - "34379": msg36161, - "3438": msg5888, - "34380": msg36162, - "34381": msg36163, - "34382": msg36164, - "34383": msg36165, - "34384": msg36166, - "34385": msg36167, - "34386": msg36168, - "34387": msg36169, - "34388": msg36170, - "34389": msg36171, - "3439": msg5889, - "34390": msg36172, - "34391": msg36173, - "34392": msg36174, - "34393": msg36175, - "34394": msg36176, - "34395": msg36177, - "34396": msg36178, - "34397": msg36179, - "34398": msg36180, - "34399": msg36181, - "344": select266, - "3440": msg5890, - "34400": msg36182, - "34401": msg36183, - "34402": msg36184, - "34403": msg36185, - "34404": msg36186, - "34405": msg36187, - "34406": msg36188, - "34407": msg36189, - "34408": msg36190, - "34409": msg36191, - "3441": msg5891, - "34410": msg36192, - "34411": msg36193, - "34412": msg36194, - "34413": msg36195, - "34414": msg36196, - "34415": msg36197, - "34416": msg36198, - "34417": msg36199, - "34418": msg36200, - "34419": msg36201, - "3442": msg5892, - "34420": msg36202, - "34421": msg36203, - "34422": msg36204, - "34423": msg36205, - "34424": msg36206, - "34425": msg36207, - "34426": msg36208, - "34427": msg36209, - "34428": msg36210, - "34429": msg36211, - "3443": msg5893, - "34430": msg36212, - "34431": msg36213, - "34432": msg36214, - "34433": msg36215, - "34434": msg36216, - "34435": msg36217, - "34436": msg36218, - "34437": msg36219, - "34438": msg36220, - "34439": msg36221, - "3444": msg5894, - "34440": msg36222, - "34441": msg36223, - "34442": msg36224, - "34443": msg36225, - "34444": msg36226, - "34445": msg36227, - "34446": msg36228, - 
"34447": msg36229, - "34448": msg36230, - "34449": msg36231, - "3445": msg5895, - "34450": msg36232, - "34451": msg36233, - "34452": msg36234, - "34453": msg36235, - "34454": msg36236, - "34455": msg36237, - "34456": msg36238, - "34457": msg36239, - "34458": msg36240, - "34459": msg36241, - "3446": msg5896, - "34460": msg36242, - "34461": msg36243, - "34462": msg36244, - "34463": msg36245, - "34464": msg36246, - "34465": msg36247, - "34466": msg36248, - "34467": msg36249, - "34468": msg36250, - "34469": msg36251, - "3447": msg5897, - "34470": msg36252, - "34471": msg36253, - "34472": msg36254, - "34473": msg36255, - "34474": msg36256, - "34475": msg36257, - "34476": msg36258, - "34477": msg36259, - "34478": msg36260, - "34479": msg36261, - "3448": msg5898, - "34480": msg36262, - "34481": msg36263, - "34482": msg36264, - "34483": msg36265, - "34484": msg36266, - "34485": msg36267, - "34486": msg36268, - "34487": msg36269, - "34488": msg36270, - "34489": msg36271, - "3449": msg5899, - "34490": msg36272, - "34491": msg36273, - "34492": msg36274, - "34493": msg36275, - "34494": msg36276, - "34495": msg36277, - "34496": msg36278, - "34497": msg36279, - "34498": msg36280, - "34499": msg36281, - "345": select267, - "3450": msg5900, - "34500": msg36282, - "34501": msg36283, - "34502": msg36284, - "34503": msg36285, - "34504": msg36286, - "34505": msg36287, - "34506": msg36288, - "34507": msg36289, - "34508": msg36290, - "34509": msg36291, - "3451": msg5901, - "34510": msg36292, - "34511": msg36293, - "34512": msg36294, - "34513": msg36295, - "34514": msg36296, - "34515": msg36297, - "34516": msg36298, - "34517": msg36299, - "34518": msg36300, - "34519": msg36301, - "3452": msg5902, - "34520": msg36302, - "34521": msg36303, - "34522": msg36304, - "34523": msg36305, - "34524": msg36306, - "34525": msg36307, - "34526": msg36308, - "34527": msg36309, - "34528": msg36310, - "34529": msg36311, - "3453": msg5903, - "34530": msg36312, - "34531": msg36313, - "34532": msg36314, - 
"34533": msg36315, - "34534": msg36316, - "34535": msg36317, - "34536": msg36318, - "34537": msg36319, - "34538": msg36320, - "34539": msg36321, - "3454": msg5904, - "34540": msg36322, - "34541": msg36323, - "34542": msg36324, - "34543": msg36325, - "34544": msg36326, - "34545": msg36327, - "34546": msg36328, - "34547": msg36329, - "34548": msg36330, - "34549": msg36331, - "3455": msg5905, - "34550": msg36332, - "34551": msg36333, - "34552": msg36334, - "34553": msg36335, - "34554": msg36336, - "34555": msg36337, - "34556": msg36338, - "34557": msg36339, - "34558": msg36340, - "34559": msg36341, - "3456": msg5906, - "34560": msg36342, - "34561": msg36343, - "34562": msg36344, - "34563": msg36345, - "34564": msg36346, - "34565": msg36347, - "34566": msg36348, - "34567": msg36349, - "34568": msg36350, - "34569": msg36351, - "3457": msg5907, - "34570": msg36352, - "34571": msg36353, - "34572": msg36354, - "34573": msg36355, - "34574": msg36356, - "34575": msg36357, - "34576": msg36358, - "34577": msg36359, - "34578": msg36360, - "34579": msg36361, - "3458": msg5908, - "34580": msg36362, - "34581": msg36363, - "34582": msg36364, - "34583": msg36365, - "34584": msg36366, - "34585": msg36367, - "34586": msg36368, - "34587": msg36369, - "34588": msg36370, - "34589": msg36371, - "3459": msg5909, - "34590": msg36372, - "34591": msg36373, - "34592": msg36374, - "34593": msg36375, - "34594": msg36376, - "34595": msg36377, - "34596": msg36378, - "34597": msg36379, - "34598": msg36380, - "34599": msg36381, - "346": select268, - "3460": msg5910, - "34600": msg36382, - "34601": msg36383, - "34602": msg36384, - "34603": msg36385, - "34604": msg36386, - "34605": msg36387, - "34606": msg36388, - "34607": msg36389, - "34608": msg36390, - "34609": msg36391, - "3461": msg5911, - "34610": msg36392, - "34611": msg36393, - "34612": msg36394, - "34613": msg36395, - "34614": msg36396, - "34615": msg36397, - "34616": msg36398, - "34617": msg36399, - "34618": msg36400, - "34619": msg36401, - 
"3462": msg5912, - "34620": msg36402, - "34621": msg36403, - "34622": msg36404, - "34623": msg36405, - "34624": msg36406, - "34625": msg36407, - "34626": msg36408, - "34627": msg36409, - "34628": msg36410, - "34629": msg36411, - "3463": msg5913, - "34630": msg36412, - "34631": msg36413, - "34632": msg36414, - "34633": msg36415, - "34634": msg36416, - "34635": msg36417, - "34636": msg36418, - "34637": msg36419, - "34638": msg36420, - "34639": msg36421, - "3464": msg5914, - "34640": msg36422, - "34641": msg36423, - "34642": msg36424, - "34643": msg36425, - "34644": msg36426, - "34645": msg36427, - "34646": msg36428, - "34647": msg36429, - "34648": msg36430, - "34649": msg36431, - "3465": msg5915, - "34650": msg36432, - "34651": msg36433, - "34652": msg36434, - "34653": msg36435, - "34654": msg36436, - "34655": msg36437, - "34656": msg36438, - "34657": msg36439, - "34658": msg36440, - "34659": msg36441, - "3466": msg5916, - "34660": msg36442, - "34661": msg36443, - "34662": msg36444, - "34663": msg36445, - "34664": msg36446, - "34665": msg36447, - "34666": msg36448, - "34667": msg36449, - "34668": msg36450, - "34669": msg36451, - "3467": msg5917, - "34670": msg36452, - "34671": msg36453, - "34672": msg36454, - "34673": msg36455, - "34674": msg36456, - "34675": msg36457, - "34676": msg36458, - "34677": msg36459, - "34678": msg36460, - "34679": msg36461, - "3468": msg5918, - "34680": msg36462, - "34681": msg36463, - "34682": msg36464, - "34683": msg36465, - "34684": msg36466, - "34685": msg36467, - "34686": msg36468, - "34687": msg36469, - "34688": msg36470, - "34689": msg36471, - "3469": msg5919, - "34690": msg36472, - "34691": msg36473, - "34692": msg36474, - "34693": msg36475, - "34694": msg36476, - "34695": msg36477, - "34696": msg36478, - "34697": msg36479, - "34698": msg36480, - "34699": msg36481, - "347": select269, - "3470": msg5920, - "34700": msg36482, - "34701": msg36483, - "34702": msg36484, - "34703": msg36485, - "34704": msg36486, - "34705": msg36487, - 
"34706": msg36488, - "34707": msg36489, - "34708": msg36490, - "34709": msg36491, - "3471": msg5921, - "34710": msg36492, - "34711": msg36493, - "34712": msg36494, - "34713": msg36495, - "34714": msg36496, - "34715": msg36497, - "34716": msg36498, - "34717": msg36499, - "34718": msg36500, - "34719": msg36501, - "3472": msg5922, - "34720": msg36502, - "34721": msg36503, - "34722": msg36504, - "34723": msg36505, - "34724": msg36506, - "34725": msg36507, - "34726": msg36508, - "34727": msg36509, - "34728": msg36510, - "34729": msg36511, - "3473": msg5923, - "34730": msg36512, - "34731": msg36513, - "34732": msg36514, - "34733": msg36515, - "34734": msg36516, - "34735": msg36517, - "34736": msg36518, - "34737": msg36519, - "34738": msg36520, - "34739": msg36521, - "3474": msg5924, - "34740": msg36522, - "34741": msg36523, - "34742": msg36524, - "34743": msg36525, - "34744": msg36526, - "34745": msg36527, - "34746": msg36528, - "34747": msg36529, - "34748": msg36530, - "34749": msg36531, - "3475": msg5925, - "34750": msg36532, - "34751": msg36533, - "34752": msg36534, - "34753": msg36535, - "34754": msg36536, - "34755": msg36537, - "34756": msg36538, - "34757": msg36539, - "34758": msg36540, - "34759": msg36541, - "3476": msg5926, - "34760": msg36542, - "34761": msg36543, - "34762": msg36544, - "34763": msg36545, - "34764": msg36546, - "34765": msg36547, - "34766": msg36548, - "34767": msg36549, - "34768": msg36550, - "34769": msg36551, - "3477": msg5927, - "34770": msg36552, - "34771": msg36553, - "34772": msg36554, - "34773": msg36555, - "34774": msg36556, - "34775": msg36557, - "34776": msg36558, - "34777": msg36559, - "34778": msg36560, - "34779": msg36561, - "3478": msg5928, - "34780": msg36562, - "34781": msg36563, - "34782": msg36564, - "34783": msg36565, - "34784": msg36566, - "34785": msg36567, - "34786": msg36568, - "34787": msg36569, - "34788": msg36570, - "34789": msg36571, - "3479": msg5929, - "34790": msg36572, - "34791": msg36573, - "34792": msg36574, - 
"34793": msg36575, - "34794": msg36576, - "34795": msg36577, - "34796": msg36578, - "34797": msg36579, - "34798": msg36580, - "34799": msg36581, - "348": select270, - "3480": msg5930, - "34800": msg36582, - "34801": msg36583, - "34802": msg36584, - "34803": msg36585, - "34804": msg36586, - "34805": msg36587, - "34806": msg36588, - "34807": msg36589, - "34808": msg36590, - "34809": msg36591, - "3481": msg5931, - "34810": msg36592, - "34811": msg36593, - "34812": msg36594, - "34813": msg36595, - "34814": msg36596, - "34815": msg36597, - "34816": msg36598, - "34817": msg36599, - "34818": msg36600, - "34819": msg36601, - "3482": msg5932, - "34820": msg36602, - "34821": msg36603, - "34822": msg36604, - "34823": msg36605, - "34824": msg36606, - "34825": msg36607, - "34826": msg36608, - "34827": msg36609, - "34828": msg36610, - "34829": msg36611, - "3483": msg5933, - "34830": msg36612, - "34831": msg36613, - "34832": msg36614, - "34833": msg36615, - "34834": msg36616, - "34835": msg36617, - "34836": msg36618, - "34837": msg36619, - "34838": msg36620, - "34839": msg36621, - "3484": msg5934, - "34840": msg36622, - "34841": msg36623, - "34842": msg36624, - "34843": msg36625, - "34844": msg36626, - "34845": msg36627, - "34846": msg36628, - "34847": msg36629, - "34848": msg36630, - "34849": msg36631, - "3485": msg5935, - "34850": msg36632, - "34851": msg36633, - "34852": msg36634, - "34853": msg36635, - "34854": msg36636, - "34855": msg36637, - "34856": msg36638, - "34857": msg36639, - "34858": msg36640, - "34859": msg36641, - "3486": msg5936, - "34860": msg36642, - "34861": msg36643, - "34862": msg36644, - "34863": msg36645, - "34864": msg36646, - "34865": msg36647, - "34866": msg36648, - "34867": msg36649, - "34868": msg36650, - "34869": msg36651, - "3487": msg5937, - "34870": msg36652, - "34871": msg36653, - "34872": msg36654, - "34873": msg36655, - "34874": msg36656, - "34875": msg36657, - "34876": msg36658, - "34877": msg36659, - "34878": msg36660, - "34879": msg36661, - 
"3488": msg5938, - "34880": msg36662, - "34881": msg36663, - "34882": msg36664, - "34883": msg36665, - "34884": msg36666, - "34885": msg36667, - "34886": msg36668, - "34887": msg36669, - "34888": msg36670, - "34889": msg36671, - "3489": msg5939, - "34890": msg36672, - "34891": msg36673, - "34892": msg36674, - "34893": msg36675, - "34894": msg36676, - "34895": msg36677, - "34896": msg36678, - "34897": msg36679, - "34898": msg36680, - "34899": msg36681, - "349": select271, - "3490": msg5940, - "34900": msg36682, - "34901": msg36683, - "34902": msg36684, - "34903": msg36685, - "34904": msg36686, - "34905": msg36687, - "34906": msg36688, - "34907": msg36689, - "34908": msg36690, - "34909": msg36691, - "3491": msg5941, - "34910": msg36692, - "34911": msg36693, - "34912": msg36694, - "34913": msg36695, - "34914": msg36696, - "34915": msg36697, - "34916": msg36698, - "34917": msg36699, - "34918": msg36700, - "34919": msg36701, - "3492": msg5942, - "34920": msg36702, - "34921": msg36703, - "34922": msg36704, - "34923": msg36705, - "34924": msg36706, - "34925": msg36707, - "34926": msg36708, - "34927": msg36709, - "34928": msg36710, - "34929": msg36711, - "3493": msg5943, - "34930": msg36712, - "34931": msg36713, - "34932": msg36714, - "34933": msg36715, - "34934": msg36716, - "34935": msg36717, - "34936": msg36718, - "34937": msg36719, - "34938": msg36720, - "34939": msg36721, - "3494": msg5944, - "34940": msg36722, - "34941": msg36723, - "34942": msg36724, - "34943": msg36725, - "34944": msg36726, - "34945": msg36727, - "34946": msg36728, - "34947": msg36729, - "34948": msg36730, - "34949": msg36731, - "3495": msg5945, - "34950": msg36732, - "34951": msg36733, - "34952": msg36734, - "34953": msg36735, - "34954": msg36736, - "34955": msg36737, - "34956": msg36738, - "34957": msg36739, - "34958": msg36740, - "34959": msg36741, - "3496": msg5946, - "34960": msg36742, - "34961": msg36743, - "34962": msg36744, - "34963": msg36745, - "34964": msg36746, - "34965": msg36747, - 
"34966": msg36748, - "34967": msg36749, - "34968": msg36750, - "34969": msg36751, - "3497": msg5947, - "34970": msg36752, - "34971": msg36753, - "34972": msg36754, - "34973": msg36755, - "34974": msg36756, - "34975": msg36757, - "34976": msg36758, - "34977": msg36759, - "34978": msg36760, - "34979": msg36761, - "3498": msg5948, - "34980": msg36762, - "34981": msg36763, - "34982": msg36764, - "34983": msg36765, - "34984": msg36766, - "34985": msg36767, - "34986": msg36768, - "34987": msg36769, - "34988": msg36770, - "34989": msg36771, - "3499": msg5949, - "34990": msg36772, - "34991": msg36773, - "34992": msg36774, - "34993": msg36775, - "34994": msg36776, - "34995": msg36777, - "34996": msg36778, - "34997": msg36779, - "34998": msg36780, - "34999": msg36781, - "350": select272, - "3500": msg5950, - "35000": msg36782, - "35001": msg36783, - "35002": msg36784, - "35003": msg36785, - "35004": msg36786, - "35005": msg36787, - "35006": msg36788, - "35007": msg36789, - "35008": msg36790, - "35009": msg36791, - "3501": msg5951, - "35010": msg36792, - "35011": msg36793, - "35012": msg36794, - "35013": msg36795, - "35014": msg36796, - "35015": msg36797, - "35016": msg36798, - "35017": msg36799, - "35018": msg36800, - "35019": msg36801, - "3502": msg5952, - "35020": msg36802, - "35021": msg36803, - "35022": msg36804, - "35023": msg36805, - "35024": msg36806, - "35025": msg36807, - "35026": msg36808, - "35027": msg36809, - "35028": msg36810, - "35029": msg36811, - "3503": msg5953, - "35030": msg36812, - "35031": msg36813, - "35032": msg36814, - "35033": msg36815, - "35034": msg36816, - "35035": msg36817, - "35036": msg36818, - "35037": msg36819, - "35038": msg36820, - "35039": msg36821, - "3504": msg5954, - "35040": msg36822, - "35041": msg36823, - "35042": msg36824, - "35043": msg36825, - "35044": msg36826, - "35045": msg36827, - "35046": msg36828, - "35047": msg36829, - "35048": msg36830, - "35049": msg36831, - "3505": msg5955, - "35050": msg36832, - "35051": msg36833, - 
"35052": msg36834, - "35053": msg36835, - "3506": msg5956, - "35062": msg36836, - "35063": msg36837, - "35064": msg36838, - "35065": msg36839, - "35066": msg36840, - "35067": msg36841, - "35068": msg36842, - "35069": msg36843, - "3507": msg5957, - "35070": msg36844, - "35071": msg36845, - "35072": msg36846, - "35073": msg36847, - "35074": msg36848, - "35075": msg36849, - "35076": msg36850, - "35077": msg36851, - "35078": msg36852, - "35079": msg36853, - "3508": msg5958, - "35080": msg36854, - "35081": msg36855, - "35082": msg36856, - "35083": msg36857, - "35084": msg36858, - "35085": msg36859, - "35086": msg36860, - "35087": msg36861, - "35088": msg36862, - "35089": msg36863, - "3509": msg5959, - "35090": msg36864, - "35091": msg36865, - "35092": msg36866, - "35093": msg36867, - "35094": msg36868, - "35095": msg36869, - "35096": msg36870, - "35097": msg36871, - "35098": msg36872, - "35099": msg36873, - "351": select273, - "3510": msg5960, - "35100": msg36874, - "35101": msg36875, - "35102": msg36876, - "35103": msg36877, - "35104": msg36878, - "35105": msg36879, - "35106": msg36880, - "35107": msg36881, - "35108": msg36882, - "35109": msg36883, - "3511": msg5961, - "35110": msg36884, - "35111": msg36885, - "35112": msg36886, - "35113": msg36887, - "35114": msg36888, - "35115": msg36889, - "35116": msg36890, - "35117": msg36891, - "35118": msg36892, - "35119": msg36893, - "3512": msg5962, - "35120": msg36894, - "35121": msg36895, - "35122": msg36896, - "35123": msg36897, - "35124": msg36898, - "35125": msg36899, - "35126": msg36900, - "35127": msg36901, - "35128": msg36902, - "35129": msg36903, - "3513": msg5963, - "35130": msg36904, - "35131": msg36905, - "35132": msg36906, - "35133": msg36907, - "35134": msg36908, - "35135": msg36909, - "35136": msg36910, - "35137": msg36911, - "35138": msg36912, - "35139": msg36913, - "3514": msg5964, - "35140": msg36914, - "35141": msg36915, - "35142": msg36916, - "35143": msg36917, - "35144": msg36918, - "35145": msg36919, - 
"35146": msg36920, - "35147": msg36921, - "35148": msg36922, - "35149": msg36923, - "3515": msg5965, - "35150": msg36924, - "35151": msg36925, - "35152": msg36926, - "35153": msg36927, - "35154": msg36928, - "35155": msg36929, - "35156": msg36930, - "35157": msg36931, - "35158": msg36932, - "35159": msg36933, - "3516": msg5966, - "35160": msg36934, - "35161": msg36935, - "35162": msg36936, - "35163": msg36937, - "35164": msg36938, - "35165": msg36939, - "35166": msg36940, - "35167": msg36941, - "35168": msg36942, - "35169": msg36943, - "3517": msg5967, - "35170": msg36944, - "35171": msg36945, - "35172": msg36946, - "35173": msg36947, - "35174": msg36948, - "35175": msg36949, - "35176": msg36950, - "35177": msg36951, - "35178": msg36952, - "35179": msg36953, - "3518": msg5968, - "35180": msg36954, - "35181": msg36955, - "35182": msg36956, - "35183": msg36957, - "35184": msg36958, - "35185": msg36959, - "35186": msg36960, - "35187": msg36961, - "35188": msg36962, - "35189": msg36963, - "3519": msg5969, - "35190": msg36964, - "35191": msg36965, - "35192": msg36966, - "35193": msg36967, - "35194": msg36968, - "35195": msg36969, - "35196": msg36970, - "35197": msg36971, - "35198": msg36972, - "35199": msg36973, - "352": select274, - "3520": msg5970, - "35200": msg36974, - "35201": msg36975, - "35202": msg36976, - "35203": msg36977, - "35204": msg36978, - "35205": msg36979, - "35206": msg36980, - "35207": msg36981, - "35208": msg36982, - "35209": msg36983, - "3521": msg5971, - "35210": msg36984, - "35211": msg36985, - "35212": msg36986, - "35213": msg36987, - "35214": msg36988, - "35215": msg36989, - "35216": msg36990, - "35217": msg36991, - "35218": msg36992, - "35219": msg36993, - "3522": msg5972, - "35220": msg36994, - "35221": msg36995, - "35222": msg36996, - "35223": msg36997, - "35224": msg36998, - "35225": msg36999, - "35226": msg37000, - "35227": msg37001, - "35228": msg37002, - "35229": msg37003, - "3523": msg5973, - "35230": msg37004, - "35231": msg37005, - 
"35232": msg37006, - "35233": msg37007, - "35234": msg37008, - "35235": msg37009, - "35236": msg37010, - "35237": msg37011, - "35238": msg37012, - "35239": msg37013, - "3524": msg5974, - "35240": msg37014, - "35241": msg37015, - "35242": msg37016, - "35243": msg37017, - "35244": msg37018, - "35245": msg37019, - "35246": msg37020, - "35247": msg37021, - "35248": msg37022, - "35249": msg37023, - "3525": msg5975, - "35250": msg37024, - "35251": msg37025, - "35252": msg37026, - "35253": msg37027, - "35254": msg37028, - "35255": msg37029, - "35256": msg37030, - "35257": msg37031, - "35258": msg37032, - "35259": msg37033, - "3526": msg5976, - "35260": msg37034, - "35261": msg37035, - "35262": msg37036, - "35263": msg37037, - "35264": msg37038, - "35265": msg37039, - "35266": msg37040, - "35267": msg37041, - "35268": msg37042, - "35269": msg37043, - "3527": msg5977, - "35270": msg37044, - "35271": msg37045, - "35272": msg37046, - "35273": msg37047, - "35274": msg37048, - "35275": msg37049, - "35276": msg37050, - "35277": msg37051, - "35278": msg37052, - "35279": msg37053, - "3528": msg5978, - "35280": msg37054, - "35281": msg37055, - "35282": msg37056, - "35283": msg37057, - "35284": msg37058, - "35285": msg37059, - "35286": msg37060, - "35287": msg37061, - "35288": msg37062, - "35289": msg37063, - "3529": msg5979, - "35290": msg37064, - "35291": msg37065, - "35292": msg37066, - "35293": msg37067, - "35294": msg37068, - "35295": msg37069, - "35296": msg37070, - "35297": msg37071, - "35298": msg37072, - "35299": msg37073, - "353": select275, - "3530": msg5980, - "35300": msg37074, - "35301": msg37075, - "35302": msg37076, - "35303": msg37077, - "35304": msg37078, - "35305": msg37079, - "35306": msg37080, - "35307": msg37081, - "35308": msg37082, - "35309": msg37083, - "3531": msg5981, - "35310": msg37084, - "35311": msg37085, - "35312": msg37086, - "35313": msg37087, - "35314": msg37088, - "35315": msg37089, - "35316": msg37090, - "35317": msg37091, - "35318": msg37092, - 
"35319": msg37093, - "3532": msg5982, - "35320": msg37094, - "35321": msg37095, - "35322": msg37096, - "35323": msg37097, - "35324": msg37098, - "35325": msg37099, - "35326": msg37100, - "35327": msg37101, - "35328": msg37102, - "35329": msg37103, - "3533": msg5983, - "35330": msg37104, - "35331": msg37105, - "35332": msg37106, - "35333": msg37107, - "35334": msg37108, - "35335": msg37109, - "35336": msg37110, - "35337": msg37111, - "35338": msg37112, - "35339": msg37113, - "3534": msg5984, - "35340": msg37114, - "35341": msg37115, - "35342": msg37116, - "35343": msg37117, - "35344": msg37118, - "35345": msg37119, - "35346": msg37120, - "35347": msg37121, - "35348": msg37122, - "35349": msg37123, - "3535": msg5985, - "35350": msg37124, - "35351": msg37125, - "35352": msg37126, - "35353": msg37127, - "35354": msg37128, - "35355": msg37129, - "35356": msg37130, - "35357": msg37131, - "35358": msg37132, - "35359": msg37133, - "3536": msg5986, - "35360": msg37134, - "35361": msg37135, - "35362": msg37136, - "35363": msg37137, - "35364": msg37138, - "35365": msg37139, - "35366": msg37140, - "35367": msg37141, - "35368": msg37142, - "35369": msg37143, - "3537": msg5987, - "35370": msg37144, - "35371": msg37145, - "35372": msg37146, - "35373": msg37147, - "35374": msg37148, - "35375": msg37149, - "35376": msg37150, - "35377": msg37151, - "35378": msg37152, - "35379": msg37153, - "3538": msg5988, - "35380": msg37154, - "35381": msg37155, - "35382": msg37156, - "35383": msg37157, - "35384": msg37158, - "35385": msg37159, - "35386": msg37160, - "35387": msg37161, - "35388": msg37162, - "35389": msg37163, - "3539": msg5989, - "35390": msg37164, - "35391": msg37165, - "35392": msg37166, - "35393": msg37167, - "35394": msg37168, - "35395": msg37169, - "35396": msg37170, - "35397": msg37171, - "35398": msg37172, - "35399": msg37173, - "354": select276, - "3540": msg5990, - "35400": msg37174, - "35401": msg37175, - "35402": msg37176, - "35403": msg37177, - "35404": msg37178, - 
"35405": msg37179, - "35406": msg37180, - "35407": msg37181, - "35408": msg37182, - "35409": msg37183, - "3541": msg5991, - "35410": msg37184, - "35411": msg37185, - "35412": msg37186, - "35413": msg37187, - "35414": msg37188, - "35415": msg37189, - "35416": msg37190, - "35417": msg37191, - "35418": msg37192, - "35419": msg37193, - "3542": msg5992, - "35420": msg37194, - "35421": msg37195, - "35422": msg37196, - "35423": msg37197, - "35424": msg37198, - "35425": msg37199, - "35426": msg37200, - "35427": msg37201, - "35428": msg37202, - "35429": msg37203, - "3543": msg5993, - "35430": msg37204, - "35431": msg37205, - "35432": msg37206, - "35433": msg37207, - "35434": msg37208, - "35435": msg37209, - "35436": msg37210, - "35437": msg37211, - "35438": msg37212, - "35439": msg37213, - "3544": msg5994, - "35440": msg37214, - "35441": msg37215, - "35442": msg37216, - "35443": msg37217, - "35444": msg37218, - "35445": msg37219, - "35446": msg37220, - "35447": msg37221, - "35448": msg37222, - "35449": msg37223, - "3545": msg5995, - "35450": msg37224, - "35451": msg37225, - "35452": msg37226, - "35453": msg37227, - "35454": msg37228, - "35455": msg37229, - "35456": msg37230, - "35457": msg37231, - "35458": msg37232, - "35459": msg37233, - "3546": msg5996, - "35460": msg37234, - "35461": msg37235, - "35462": msg37236, - "35463": msg37237, - "35464": msg37238, - "35465": msg37239, - "35466": msg37240, - "35467": msg37241, - "35468": msg37242, - "35469": msg37243, - "3547": msg5997, - "35470": msg37244, - "35471": msg37245, - "35472": msg37246, - "35473": msg37247, - "35474": msg37248, - "35475": msg37249, - "35476": msg37250, - "35477": msg37251, - "35478": msg37252, - "35479": msg37253, - "3548": msg5998, - "35480": msg37254, - "35481": msg37255, - "35482": msg37256, - "35483": msg37257, - "35484": msg37258, - "35485": msg37259, - "35486": msg37260, - "35487": msg37261, - "35488": msg37262, - "35489": msg37263, - "3549": msg5999, - "35490": msg37264, - "35491": msg37265, - 
"35492": msg37266, - "35493": msg37267, - "35494": msg37268, - "35495": msg37269, - "35496": msg37270, - "35497": msg37271, - "35498": msg37272, - "35499": msg37273, - "355": select277, - "3550": msg6000, - "35500": msg37274, - "35501": msg37275, - "35502": msg37276, - "35503": msg37277, - "35504": msg37278, - "35505": msg37279, - "35506": msg37280, - "35507": msg37281, - "35508": msg37282, - "35509": msg37283, - "3551": msg6001, - "35510": msg37284, - "35511": msg37285, - "35512": msg37286, - "35513": msg37287, - "35514": msg37288, - "35515": msg37289, - "35516": msg37290, - "35517": msg37291, - "35518": msg37292, - "35519": msg37293, - "3552": msg6002, - "35520": msg37294, - "35521": msg37295, - "35522": msg37296, - "35523": msg37297, - "35524": msg37298, - "35525": msg37299, - "35526": msg37300, - "35527": msg37301, - "35528": msg37302, - "35529": msg37303, - "3553": msg6003, - "35530": msg37304, - "35531": msg37305, - "35532": msg37306, - "35533": msg37307, - "35534": msg37308, - "35535": msg37309, - "35536": msg37310, - "35537": msg37311, - "35538": msg37312, - "35539": msg37313, - "3554": msg6004, - "35540": msg37314, - "35541": msg37315, - "35542": msg37316, - "35543": msg37317, - "35544": msg37318, - "35545": msg37319, - "35546": msg37320, - "35547": msg37321, - "35548": msg37322, - "35549": msg37323, - "3555": msg6005, - "35550": msg37324, - "35551": msg37325, - "35552": msg37326, - "35553": msg37327, - "35554": msg37328, - "35555": msg37329, - "35556": msg37330, - "35557": msg37331, - "35558": msg37332, - "35559": msg37333, - "3556": msg6006, - "35560": msg37334, - "35561": msg37335, - "35562": msg37336, - "35563": msg37337, - "35564": msg37338, - "35565": msg37339, - "35566": msg37340, - "35567": msg37341, - "35568": msg37342, - "35569": msg37343, - "3557": msg6007, - "35570": msg37344, - "35571": msg37345, - "35572": msg37346, - "35573": msg37347, - "35574": msg37348, - "35575": msg37349, - "35576": msg37350, - "35577": msg37351, - "35578": msg37352, - 
"35579": msg37353, - "3558": msg6008, - "35580": msg37354, - "35581": msg37355, - "35582": msg37356, - "35583": msg37357, - "35584": msg37358, - "35585": msg37359, - "35586": msg37360, - "35587": msg37361, - "35588": msg37362, - "35589": msg37363, - "3559": msg6009, - "35590": msg37364, - "35591": msg37365, - "35592": msg37366, - "35593": msg37367, - "35594": msg37368, - "35595": msg37369, - "35596": msg37370, - "35597": msg37371, - "35598": msg37372, - "35599": msg37373, - "356": select278, - "3560": msg6010, - "35600": msg37374, - "35601": msg37375, - "35602": msg37376, - "35603": msg37377, - "35604": msg37378, - "35605": msg37379, - "35606": msg37380, - "35607": msg37381, - "35608": msg37382, - "35609": msg37383, - "3561": msg6011, - "35610": msg37384, - "35611": msg37385, - "35612": msg37386, - "35613": msg37387, - "35614": msg37388, - "35615": msg37389, - "35616": msg37390, - "35617": msg37391, - "35618": msg37392, - "35619": msg37393, - "3562": msg6012, - "35620": msg37394, - "35621": msg37395, - "35622": msg37396, - "35623": msg37397, - "35628": msg37398, - "35629": msg37399, - "3563": msg6013, - "35630": msg37400, - "35631": msg37401, - "35632": msg37402, - "35633": msg37403, - "35634": msg37404, - "35635": msg37405, - "35636": msg37406, - "35637": msg37407, - "35638": msg37408, - "35639": msg37409, - "3564": msg6014, - "35640": msg37410, - "35641": msg37411, - "35642": msg37412, - "35643": msg37413, - "35644": msg37414, - "35645": msg37415, - "35646": msg37416, - "35647": msg37417, - "35648": msg37418, - "35649": msg37419, - "3565": msg6015, - "35650": msg37420, - "35651": msg37421, - "35652": msg37422, - "35653": msg37423, - "35654": msg37424, - "35655": msg37425, - "35656": msg37426, - "35657": msg37427, - "35658": msg37428, - "35659": msg37429, - "3566": msg6016, - "35660": msg37430, - "35661": msg37431, - "35662": msg37432, - "35663": msg37433, - "35664": msg37434, - "35665": msg37435, - "35666": msg37436, - "35667": msg37437, - "35668": msg37438, - 
"35669": msg37439, - "3567": msg6017, - "35670": msg37440, - "35671": msg37441, - "35672": msg37442, - "35673": msg37443, - "35674": msg37444, - "35675": msg37445, - "35676": msg37446, - "35677": msg37447, - "35678": msg37448, - "35679": msg37449, - "3568": msg6018, - "35680": msg37450, - "35681": msg37451, - "35682": msg37452, - "35683": msg37453, - "35684": msg37454, - "35685": msg37455, - "35686": msg37456, - "35687": msg37457, - "3569": msg6019, - "35691": msg37458, - "35692": msg37459, - "35693": msg37460, - "35694": msg37461, - "35695": msg37462, - "35696": msg37463, - "35697": msg37464, - "35698": msg37465, - "35699": msg37466, - "357": select279, - "3570": msg6020, - "35700": msg37467, - "35701": msg37468, - "35702": msg37469, - "35703": msg37470, - "35704": msg37471, - "35705": msg37472, - "35706": msg37473, - "35707": msg37474, - "35708": msg37475, - "35709": msg37476, - "3571": msg6021, - "35710": msg37477, - "35719": msg37478, - "3572": msg6022, - "35720": msg37479, - "35723": msg37480, - "35724": msg37481, - "3573": msg6023, - "35731": msg37482, - "35732": msg37483, - "35733": msg37484, - "35734": msg37485, - "35735": msg37486, - "35736": msg37487, - "35737": msg37488, - "35738": msg37489, - "35739": msg37490, - "3574": msg6024, - "35740": msg37491, - "35741": msg37492, - "35742": msg37493, - "35743": msg37494, - "35744": msg37495, - "35745": msg37496, - "35746": msg37497, - "35747": msg37498, - "35748": msg37499, - "35749": msg37500, - "3575": msg6025, - "35750": msg37501, - "35751": msg37502, - "35752": msg37503, - "35753": msg37504, - "35754": msg37505, - "35755": msg37506, - "35756": msg37507, - "35757": msg37508, - "35758": msg37509, - "35759": msg37510, - "3576": msg6026, - "35760": msg37511, - "35761": msg37512, - "35762": msg37513, - "35763": msg37514, - "35764": msg37515, - "35765": msg37516, - "35766": msg37517, - "35767": msg37518, - "35768": msg37519, - "35769": msg37520, - "3577": msg6027, - "35770": msg37521, - "35771": msg37522, - 
"35772": msg37523, - "35779": msg37524, - "3578": msg6028, - "35780": msg37525, - "35781": msg37526, - "35782": msg37527, - "35783": msg37528, - "35784": msg37529, - "35785": msg37530, - "35786": msg37531, - "35787": msg37532, - "35788": msg37533, - "35789": msg37534, - "3579": msg6029, - "35790": msg37535, - "35791": msg37536, - "35792": msg37537, - "35793": msg37538, - "35794": msg37539, - "35795": msg37540, - "35796": msg37541, - "35797": msg37542, - "35798": msg37543, - "35799": msg37544, - "358": select280, - "3580": msg6030, - "35800": msg37545, - "35801": msg37546, - "35802": msg37547, - "35803": msg37548, - "35804": msg37549, - "35805": msg37550, - "35806": msg37551, - "35807": msg37552, - "35808": msg37553, - "35809": msg37554, - "3581": msg6031, - "35810": msg37555, - "35811": msg37556, - "35812": msg37557, - "35813": msg37558, - "35814": msg37559, - "35815": msg37560, - "35816": msg37561, - "35817": msg37562, - "35818": msg37563, - "35819": msg37564, - "3582": msg6032, - "35820": msg37565, - "35821": msg37566, - "35822": msg37567, - "35823": msg37568, - "35824": msg37569, - "35825": msg37570, - "35826": msg37571, - "35827": msg37572, - "3583": msg6033, - "35831": msg37573, - "35836": msg37574, - "35837": msg37575, - "35838": msg37576, - "35839": msg37577, - "3584": msg6034, - "35840": msg37578, - "35841": msg37579, - "35842": msg37580, - "35843": msg37581, - "35844": msg37582, - "35845": msg37583, - "35846": msg37584, - "35847": msg37585, - "35848": msg37586, - "35849": msg37587, - "3585": msg6035, - "35850": msg37588, - "35851": msg37589, - "35852": msg37590, - "35853": msg37591, - "35854": msg37592, - "35855": msg37593, - "35856": msg37594, - "35857": msg37595, - "35858": msg37596, - "35859": msg37597, - "3586": msg6036, - "35860": msg37598, - "35861": msg37599, - "35862": msg37600, - "35863": msg37601, - "35864": msg37602, - "35865": msg37603, - "35866": msg37604, - "35867": msg37605, - "35868": msg37606, - "35869": msg37607, - "3587": msg6037, - 
"35870": msg37608, - "35871": msg37609, - "35872": msg37610, - "35873": msg37611, - "35874": msg37612, - "35875": msg37613, - "35876": msg37614, - "35877": msg37615, - "35878": msg37616, - "35879": msg37617, - "3588": msg6038, - "35880": msg37618, - "35881": msg37619, - "35882": msg37620, - "35883": msg37621, - "35884": msg37622, - "35885": msg37623, - "35886": msg37624, - "35887": msg37625, - "35888": msg37626, - "35889": msg37627, - "3589": msg6039, - "35890": msg37628, - "35891": msg37629, - "35892": msg37630, - "35893": msg37631, - "35894": msg37632, - "35895": msg37633, - "35896": msg37634, - "35897": msg37635, - "35898": msg37636, - "35899": msg37637, - "359": select281, - "3590": msg6040, - "35900": msg37638, - "35901": msg37639, - "35902": msg37640, - "35903": msg37641, - "35904": msg37642, - "35905": msg37643, - "35906": msg37644, - "35907": msg37645, - "35908": msg37646, - "35909": msg37647, - "3591": msg6041, - "35910": msg37648, - "35911": msg37649, - "35912": msg37650, - "35913": msg37651, - "35914": msg37652, - "35915": msg37653, - "35916": msg37654, - "35917": msg37655, - "35918": msg37656, - "35919": msg37657, - "3592": msg6042, - "35920": msg37658, - "35921": msg37659, - "35922": msg37660, - "35923": msg37661, - "35924": msg37662, - "35925": msg37663, - "35926": msg37664, - "35927": msg37665, - "35928": msg37666, - "35929": msg37667, - "3593": msg6043, - "35930": msg37668, - "35931": msg37669, - "35932": msg37670, - "35933": msg37671, - "35934": msg37672, - "35935": msg37673, - "35936": msg37674, - "35937": msg37675, - "35938": msg37676, - "35939": msg37677, - "3594": msg6044, - "35940": msg37678, - "35941": msg37679, - "35942": msg37680, - "35943": msg37681, - "35944": msg37682, - "35945": msg37683, - "35946": msg37684, - "35947": msg37685, - "35948": msg37686, - "35949": msg37687, - "3595": msg6045, - "35950": msg37688, - "35951": msg37689, - "35952": msg37690, - "35953": msg37691, - "35954": msg37692, - "35955": msg37693, - "35956": msg37694, - 
"35957": msg37695, - "35958": msg37696, - "35959": msg37697, - "3596": msg6046, - "35960": msg37698, - "35961": msg37699, - "35962": msg37700, - "35963": msg37701, - "35964": msg37702, - "35965": msg37703, - "35966": msg37704, - "35967": msg37705, - "35968": msg37706, - "35969": msg37707, - "3597": msg6047, - "35970": msg37708, - "35971": msg37709, - "35972": msg37710, - "35973": msg37711, - "35974": msg37712, - "35975": msg37713, - "35976": msg37714, - "35977": msg37715, - "35978": msg37716, - "35979": msg37717, - "3598": msg6048, - "35980": msg37718, - "35981": msg37719, - "35982": msg37720, - "35983": msg37721, - "35984": msg37722, - "35985": msg37723, - "35986": msg37724, - "35987": msg37725, - "35988": msg37726, - "35989": msg37727, - "3599": msg6049, - "35990": msg37728, - "35991": msg37729, - "35992": msg37730, - "35993": msg37731, - "35994": msg37732, - "35995": msg37733, - "35996": msg37734, - "35997": msg37735, - "35998": msg37736, - "35999": msg37737, - "360": select282, - "3600": msg6050, - "36000": msg37738, - "36001": msg37739, - "36002": msg37740, - "36003": msg37741, - "36004": msg37742, - "36005": msg37743, - "36006": msg37744, - "36007": msg37745, - "36008": msg37746, - "36009": msg37747, - "3601": msg6051, - "36010": msg37748, - "36011": msg37749, - "36012": msg37750, - "36013": msg37751, - "36014": msg37752, - "36015": msg37753, - "36016": msg37754, - "36017": msg37755, - "36018": msg37756, - "36019": msg37757, - "3602": msg6052, - "36020": msg37758, - "36021": msg37759, - "36022": msg37760, - "36023": msg37761, - "36024": msg37762, - "36025": msg37763, - "36026": msg37764, - "36027": msg37765, - "36028": msg37766, - "36029": msg37767, - "3603": msg6053, - "36030": msg37768, - "36031": msg37769, - "36032": msg37770, - "36033": msg37771, - "36034": msg37772, - "36035": msg37773, - "36036": msg37774, - "36037": msg37775, - "36038": msg37776, - "36039": msg37777, - "3604": msg6054, - "36040": msg37778, - "36041": msg37779, - "36042": msg37780, - 
"36043": msg37781, - "36044": msg37782, - "36045": msg37783, - "36046": msg37784, - "36047": msg37785, - "36048": msg37786, - "36049": msg37787, - "3605": msg6055, - "36050": msg37788, - "36051": msg37789, - "36052": msg37790, - "36053": msg37791, - "36054": msg37792, - "36055": msg37793, - "36056": msg37794, - "36057": msg37795, - "36058": msg37796, - "36059": msg37797, - "3606": msg6056, - "36060": msg37798, - "36061": msg37799, - "36062": msg37800, - "36063": msg37801, - "36064": msg37802, - "36065": msg37803, - "36066": msg37804, - "36067": msg37805, - "36068": msg37806, - "36069": msg37807, - "3607": msg6057, - "36070": msg37808, - "36071": msg37809, - "36072": msg37810, - "36073": msg37811, - "36074": msg37812, - "36075": msg37813, - "36076": msg37814, - "36077": msg37815, - "36078": msg37816, - "36079": msg37817, - "3608": msg6058, - "36080": msg37818, - "36081": msg37819, - "36082": msg37820, - "36083": msg37821, - "36084": msg37822, - "36085": msg37823, - "36086": msg37824, - "36087": msg37825, - "36088": msg37826, - "36089": msg37827, - "3609": msg6059, - "36090": msg37828, - "36091": msg37829, - "36092": msg37830, - "36093": msg37831, - "36094": msg37832, - "36095": msg37833, - "36096": msg37834, - "36097": msg37835, - "36098": msg37836, - "36099": msg37837, - "361": select283, - "3610": msg6060, - "36100": msg37838, - "36101": msg37839, - "36102": msg37840, - "36103": msg37841, - "36104": msg37842, - "36105": msg37843, - "36106": msg37844, - "36107": msg37845, - "36108": msg37846, - "36109": msg37847, - "3611": msg6061, - "36110": msg37848, - "36111": msg37849, - "36112": msg37850, - "36113": msg37851, - "36114": msg37852, - "36115": msg37853, - "36116": msg37854, - "36117": msg37855, - "36118": msg37856, - "36119": msg37857, - "3612": msg6062, - "36120": msg37858, - "36121": msg37859, - "36122": msg37860, - "36123": msg37861, - "36124": msg37862, - "36125": msg37863, - "36126": msg37864, - "36127": msg37865, - "36128": msg37866, - "36129": msg37867, - 
"3613": msg6063, - "36130": msg37868, - "36131": msg37869, - "36132": msg37870, - "36133": msg37871, - "36134": msg37872, - "36135": msg37873, - "36136": msg37874, - "36137": msg37875, - "36138": msg37876, - "36139": msg37877, - "3614": msg6064, - "36140": msg37878, - "36141": msg37879, - "36142": msg37880, - "36143": msg37881, - "36144": msg37882, - "36145": msg37883, - "36146": msg37884, - "36147": msg37885, - "36148": msg37886, - "36149": msg37887, - "3615": msg6065, - "36150": msg37888, - "36151": msg37889, - "36152": msg37890, - "36153": msg37891, - "36154": msg37892, - "36155": msg37893, - "36156": msg37894, - "36157": msg37895, - "36158": msg37896, - "36159": msg37897, - "3616": msg6066, - "36160": msg37898, - "36161": msg37899, - "36162": msg37900, - "36163": msg37901, - "36164": msg37902, - "36165": msg37903, - "36166": msg37904, - "36167": msg37905, - "36168": msg37906, - "36169": msg37907, - "3617": msg6067, - "36170": msg37908, - "36171": msg37909, - "36172": msg37910, - "36173": msg37911, - "36174": msg37912, - "36175": msg37913, - "36176": msg37914, - "36177": msg37915, - "36178": msg37916, - "36179": msg37917, - "3618": msg6068, - "36180": msg37918, - "36181": msg37919, - "36182": msg37920, - "36183": msg37921, - "36184": msg37922, - "36185": msg37923, - "36186": msg37924, - "36187": msg37925, - "36188": msg37926, - "36189": msg37927, - "3619": msg6069, - "36190": msg37928, - "36191": msg37929, - "36192": msg37930, - "36193": msg37931, - "36194": msg37932, - "36195": msg37933, - "36196": msg37934, - "36197": msg37935, - "36198": msg37936, - "36199": msg37937, - "362": select284, - "3620": msg6070, - "36200": msg37938, - "36201": msg37939, - "36202": msg37940, - "36203": msg37941, - "36204": msg37942, - "36205": msg37943, - "36206": msg37944, - "36207": msg37945, - "36208": msg37946, - "36209": msg37947, - "3621": msg6071, - "3622": msg6072, - "36224": msg37948, - "3623": msg6073, - "36231": msg37949, - "36232": msg37950, - "36233": msg37951, - 
"36234": msg37952, - "36235": msg37953, - "36236": msg37954, - "36237": msg37955, - "36238": msg37956, - "36239": msg37957, - "3624": msg6074, - "36240": msg37958, - "36241": msg37959, - "36242": msg37960, - "36243": msg37961, - "36244": msg37962, - "36245": msg37963, - "36246": msg37964, - "36247": msg37965, - "36248": msg37966, - "36249": msg37967, - "3625": msg6075, - "36250": msg37968, - "36251": msg37969, - "36252": msg37970, - "36253": msg37971, - "36254": msg37972, - "36255": msg37973, - "36256": msg37974, - "36257": msg37975, - "36258": msg37976, - "36259": msg37977, - "3626": msg6076, - "36260": msg37978, - "36261": msg37979, - "36262": msg37980, - "36263": msg37981, - "36264": msg37982, - "36265": msg37983, - "36266": msg37984, - "36267": msg37985, - "36268": msg37986, - "36269": msg37987, - "3627": msg6077, - "36270": msg37988, - "36271": msg37989, - "36272": msg37990, - "36273": msg37991, - "36274": msg37992, - "36275": msg37993, - "36276": msg37994, - "36277": msg37995, - "36278": msg37996, - "36279": msg37997, - "3628": msg6078, - "36280": msg37998, - "36281": msg37999, - "36282": msg38000, - "36283": msg38001, - "36284": msg38002, - "36285": msg38003, - "36286": msg38004, - "36287": msg38005, - "36288": msg38006, - "36289": msg38007, - "3629": msg6079, - "36290": msg38008, - "36291": msg38009, - "36292": msg38010, - "36293": msg38011, - "36294": msg38012, - "36295": msg38013, - "36296": msg38014, - "36297": msg38015, - "36298": msg38016, - "36299": msg38017, - "363": select285, - "3630": msg6080, - "36300": msg38018, - "36301": msg38019, - "36302": msg38020, - "36303": msg38021, - "36304": msg38022, - "36305": msg38023, - "36306": msg38024, - "36307": msg38025, - "36308": msg38026, - "36309": msg38027, - "3631": msg6081, - "36310": msg38028, - "36311": msg38029, - "36312": msg38030, - "36313": msg38031, - "36314": msg38032, - "36315": msg38033, - "36316": msg38034, - "36317": msg38035, - "36318": msg38036, - "36319": msg38037, - "3632": msg6082, - 
"36320": msg38038, - "36321": msg38039, - "36322": msg38040, - "36323": msg38041, - "36324": msg38042, - "36325": msg38043, - "36326": msg38044, - "36327": msg38045, - "36328": msg38046, - "36329": msg38047, - "3633": msg6083, - "36330": msg38048, - "36331": msg38049, - "36332": msg38050, - "36333": msg38051, - "36334": msg38052, - "36335": msg38053, - "36336": msg38054, - "36337": msg38055, - "36338": msg38056, - "36339": msg38057, - "3634": msg6084, - "36340": msg38058, - "36341": msg38059, - "36342": msg38060, - "36343": msg38061, - "36344": msg38062, - "36345": msg38063, - "36346": msg38064, - "36347": msg38065, - "36348": msg38066, - "36349": msg38067, - "3635": msg6085, - "36350": msg38068, - "36351": msg38069, - "36352": msg38070, - "36353": msg38071, - "36354": msg38072, - "36355": msg38073, - "36356": msg38074, - "36357": msg38075, - "36358": msg38076, - "36359": msg38077, - "3636": msg6086, - "36360": msg38078, - "36361": msg38079, - "36362": msg38080, - "36363": msg38081, - "36364": msg38082, - "36365": msg38083, - "36366": msg38084, - "36367": msg38085, - "36368": msg38086, - "36369": msg38087, - "3637": msg6087, - "36370": msg38088, - "36371": msg38089, - "36372": msg38090, - "36373": msg38091, - "36374": msg38092, - "36375": msg38093, - "36376": msg38094, - "36377": msg38095, - "36378": msg38096, - "36379": msg38097, - "3638": msg6088, - "36380": msg38098, - "36381": msg38099, - "36382": msg38100, - "36383": msg38101, - "36384": msg38102, - "36389": msg38103, - "3639": msg6089, - "36390": msg38104, - "36391": msg38105, - "36392": msg38106, - "36393": msg38107, - "36394": msg38108, - "36395": msg38109, - "36396": msg38110, - "36397": msg38111, - "36398": msg38112, - "36399": msg38113, - "364": select286, - "3640": msg6090, - "36400": msg38114, - "36401": msg38115, - "36402": msg38116, - "36403": msg38117, - "36404": msg38118, - "36405": msg38119, - "36406": msg38120, - "36407": msg38121, - "36408": msg38122, - "36409": msg38123, - "3641": msg6091, - 
"36410": msg38124, - "36411": msg38125, - "36412": msg38126, - "36413": msg38127, - "36414": msg38128, - "36415": msg38129, - "36416": msg38130, - "36417": msg38131, - "36418": msg38132, - "36419": msg38133, - "3642": msg6092, - "36420": msg38134, - "36421": msg38135, - "36422": msg38136, - "36423": msg38137, - "36424": msg38138, - "36425": msg38139, - "36426": msg38140, - "36427": msg38141, - "36428": msg38142, - "36429": msg38143, - "3643": msg6093, - "36430": msg38144, - "36431": msg38145, - "36432": msg38146, - "36433": msg38147, - "36434": msg38148, - "36435": msg38149, - "36436": msg38150, - "36437": msg38151, - "36438": msg38152, - "36439": msg38153, - "3644": msg6094, - "36440": msg38154, - "36441": msg38155, - "36442": msg38156, - "36443": msg38157, - "36444": msg38158, - "36445": msg38159, - "36446": msg38160, - "36447": msg38161, - "36448": msg38162, - "36449": msg38163, - "3645": msg6095, - "36450": msg38164, - "36451": msg38165, - "36452": msg38166, - "36453": msg38167, - "36454": msg38168, - "36455": msg38169, - "36456": msg38170, - "36457": msg38171, - "36458": msg38172, - "36459": msg38173, - "3646": msg6096, - "36460": msg38174, - "36461": msg38175, - "36462": msg38176, - "36463": msg38177, - "36464": msg38178, - "36465": msg38179, - "36466": msg38180, - "36467": msg38181, - "36468": msg38182, - "36469": msg38183, - "3647": msg6097, - "36470": msg38184, - "36471": msg38185, - "36472": msg38186, - "36473": msg38187, - "36474": msg38188, - "36475": msg38189, - "36476": msg38190, - "36477": msg38191, - "36478": msg38192, - "36479": msg38193, - "3648": msg6098, - "36480": msg38194, - "36481": msg38195, - "36482": msg38196, - "36483": msg38197, - "36484": msg38198, - "36485": msg38199, - "36486": msg38200, - "36487": msg38201, - "36488": msg38202, - "36489": msg38203, - "3649": msg6099, - "36490": msg38204, - "36491": msg38205, - "36492": msg38206, - "36493": msg38207, - "36494": msg38208, - "36495": msg38209, - "36496": msg38210, - "36497": msg38211, - 
"36498": msg38212, - "36499": msg38213, - "365": select287, - "3650": msg6100, - "36500": msg38214, - "36501": msg38215, - "36502": msg38216, - "36503": msg38217, - "36504": msg38218, - "36505": msg38219, - "36506": msg38220, - "36507": msg38221, - "36508": msg38222, - "36509": msg38223, - "3651": msg6101, - "36510": msg38224, - "36511": msg38225, - "36512": msg38226, - "36513": msg38227, - "36514": msg38228, - "36515": msg38229, - "36516": msg38230, - "36517": msg38231, - "36518": msg38232, - "36519": msg38233, - "3652": msg6102, - "36520": msg38234, - "36521": msg38235, - "36522": msg38236, - "36523": msg38237, - "36524": msg38238, - "36525": msg38239, - "36526": msg38240, - "36527": msg38241, - "36528": msg38242, - "36529": msg38243, - "3653": msg6103, - "36530": msg38244, - "36531": msg38245, - "36532": msg38246, - "36533": msg38247, - "36534": msg38248, - "36535": msg38249, - "36536": msg38250, - "36537": msg38251, - "36538": msg38252, - "36539": msg38253, - "3654": msg6104, - "36540": msg38254, - "36541": msg38255, - "36542": msg38256, - "36543": msg38257, - "36544": msg38258, - "36545": msg38259, - "36546": msg38260, - "36547": msg38261, - "36548": msg38262, - "36549": msg38263, - "3655": msg6105, - "36550": msg38264, - "36551": msg38265, - "36552": msg38266, - "36553": msg38267, - "36554": msg38268, - "36555": msg38269, - "36556": msg38270, - "36557": msg38271, - "36558": msg38272, - "36559": msg38273, - "3656": msg6106, - "36560": msg38274, - "36561": msg38275, - "3657": msg6107, - "3658": msg6108, - "3659": msg6109, - "366": select288, - "3660": msg6110, - "3661": msg6111, - "3662": msg6112, - "3663": msg6113, - "3664": msg6114, - "3665": msg6115, - "3666": msg6116, - "3667": msg6117, - "3668": msg6118, - "3669": msg6119, - "3670": msg6120, - "3671": msg6121, - "3672": msg6122, - "3673": msg6123, - "3674": msg6124, - "3675": msg6125, - "3676": msg6126, - "3677": msg6127, - "3678": msg6128, - "3679": msg6129, - "368": select289, - "3680": msg6130, - 
"3681": msg6131, - "3682": msg6132, - "3683": msg6133, - "3684": msg6134, - "3685": msg6135, - "3686": msg6136, - "3687": msg6137, - "3688": msg6138, - "3689": msg6139, - "369": select290, - "3690": msg6140, - "3691": msg6141, - "3692": msg6142, - "3693": msg6143, - "3694": msg6144, - "3695": msg6145, - "3696": msg6146, - "3697": msg6147, - "3698": msg6148, - "3699": msg6149, - "370": select291, - "3700": msg6150, - "3701": msg6151, - "3702": msg6152, - "3703": msg6153, - "3704": msg6154, - "3705": msg6155, - "3706": msg6156, - "3707": msg6157, - "3708": msg6158, - "3709": msg6159, - "371": select292, - "3710": msg6160, - "3711": msg6161, - "3712": msg6162, - "3713": msg6163, - "3714": msg6164, - "3715": msg6165, - "3716": msg6166, - "3717": msg6167, - "3718": msg6168, - "3719": msg6169, - "372": select293, - "3720": msg6170, - "3721": msg6171, - "3722": msg6172, - "3723": msg6173, - "3724": msg6174, - "3725": msg6175, - "3726": msg6176, - "3727": msg6177, - "3728": msg6178, - "3729": msg6179, - "373": select294, - "3730": msg6180, - "3731": msg6181, - "3732": msg6182, - "3733": msg6183, - "3734": msg6184, - "3735": msg6185, - "3736": msg6186, - "3737": msg6187, - "3738": msg6188, - "3739": msg6189, - "374": select295, - "3740": msg6190, - "3741": msg6191, - "3742": msg6192, - "3743": msg6193, - "3744": msg6194, - "3745": msg6195, - "3746": msg6196, - "3747": msg6197, - "3748": msg6198, - "3749": msg6199, - "375": select296, - "3750": msg6200, - "3751": msg6201, - "3752": msg6202, - "3753": msg6203, - "3754": msg6204, - "3755": msg6205, - "3756": msg6206, - "3757": msg6207, - "3758": msg6208, - "3759": msg6209, - "376": select297, - "3760": msg6210, - "3761": msg6211, - "3762": msg6212, - "3763": msg6213, - "3764": msg6214, - "3765": msg6215, - "3766": msg6216, - "3767": msg6217, - "3768": msg6218, - "3769": msg6219, - "377": select298, - "3770": msg6220, - "3771": msg6221, - "3772": msg6222, - "3773": msg6223, - "3774": msg6224, - "3775": msg6225, - "3776": 
msg6226, - "3777": msg6227, - "3778": msg6228, - "3779": msg6229, - "378": select299, - "3780": msg6230, - "3781": msg6231, - "3782": msg6232, - "3783": msg6233, - "3784": msg6234, - "3785": msg6235, - "3786": msg6236, - "3787": msg6237, - "3788": msg6238, - "3789": msg6239, - "379": select300, - "3790": msg6240, - "3791": msg6241, - "3792": msg6242, - "3793": msg6243, - "3794": msg6244, - "3795": msg6245, - "3796": msg6246, - "3797": msg6247, - "3798": msg6248, - "3799": msg6249, - "380": select301, - "3800": msg6250, - "3801": msg6251, - "3802": msg6252, - "3803": msg6253, - "3804": msg6254, - "3805": msg6255, - "3806": msg6256, - "3807": msg6257, - "3808": msg6258, - "3809": msg6259, - "381": select302, - "3810": msg6260, - "3811": msg6261, - "3812": msg6262, - "3813": msg6263, - "3814": msg6264, - "3815": msg6265, - "3816": msg6266, - "3817": msg6267, - "3818": msg6268, - "3819": msg6269, - "382": select303, - "3820": msg6270, - "3821": msg6271, - "3822": msg6272, - "3823": msg6273, - "3824": msg6274, - "3825": msg6275, - "3826": msg6276, - "3827": msg6277, - "3828": msg6278, - "3829": msg6279, - "3830": msg6280, - "3831": msg6281, - "3832": msg6282, - "3833": msg6283, - "3834": msg6284, - "3835": msg6285, - "3836": msg6286, - "3837": msg6287, - "3838": msg6288, - "3839": msg6289, - "384": select304, - "3840": msg6290, - "3841": msg6291, - "3842": msg6292, - "3843": msg6293, - "3844": msg6294, - "3845": msg6295, - "3846": msg6296, - "3847": msg6297, - "3848": msg6298, - "3849": msg6299, - "385": select305, - "3850": msg6300, - "3851": msg6301, - "3852": msg6302, - "3853": msg6303, - "3854": msg6304, - "3855": msg6305, - "3856": msg6306, - "3857": msg6307, - "3858": msg6308, - "3859": msg6309, - "386": select306, - "3860": msg6310, - "3861": msg6311, - "3862": msg6312, - "3863": msg6313, - "3864": msg6314, - "3865": msg6315, - "3866": msg6316, - "3867": msg6317, - "3868": msg6318, - "3869": msg6319, - "387": select307, - "3870": msg6320, - "3871": msg6321, - 
"3872": msg6322, - "3873": msg6323, - "3874": msg6324, - "3875": msg6325, - "3876": msg6326, - "3877": msg6327, - "3878": msg6328, - "3879": msg6329, - "388": select308, - "3880": msg6330, - "3881": msg6331, - "3882": msg6332, - "3883": msg6333, - "3884": msg6334, - "3885": msg6335, - "3886": msg6336, - "3887": msg6337, - "3888": msg6338, - "3889": msg6339, - "389": select309, - "3890": msg6340, - "3891": msg6341, - "3892": msg6342, - "3893": msg6343, - "3894": msg6344, - "3895": msg6345, - "3896": msg6346, - "3897": msg6347, - "3898": msg6348, - "3899": msg6349, - "390": select310, - "3900": msg6350, - "3901": msg6351, - "3902": msg6352, - "3903": msg6353, - "3904": msg6354, - "3905": msg6355, - "3906": msg6356, - "3907": msg6357, - "3908": msg6358, - "3909": msg6359, - "391": select311, - "3910": msg6360, - "3911": msg6361, - "3912": msg6362, - "3913": msg6363, - "3914": msg6364, - "3915": msg6365, - "3916": msg6366, - "3917": msg6367, - "3918": msg6368, - "3919": msg6369, - "392": select312, - "3920": msg6370, - "3921": msg6371, - "3922": msg6372, - "3923": msg6373, - "3924": msg6374, - "3925": msg6375, - "3926": msg6376, - "3927": msg6377, - "3928": msg6378, - "3929": msg6379, - "393": select313, - "3930": msg6380, - "3931": msg6381, - "3932": msg6382, - "3933": msg6383, - "3934": msg6384, - "3935": msg6385, - "3936": msg6386, - "3937": msg6387, - "3938": msg6388, - "3939": msg6389, - "394": select314, - "3940": msg6390, - "3941": msg6391, - "3942": msg6392, - "3943": msg6393, - "3944": msg6394, - "3945": msg6395, - "3946": msg6396, - "3947": msg6397, - "3948": msg6398, - "3949": msg6399, - "395": select315, - "3950": msg6400, - "3951": msg6401, - "3952": msg6402, - "3953": msg6403, - "3954": msg6404, - "3955": msg6405, - "3956": msg6406, - "3957": msg6407, - "3958": msg6408, - "3959": msg6409, - "396": select316, - "3960": msg6410, - "3961": msg6411, - "3962": msg6412, - "3963": msg6413, - "3964": msg6414, - "3965": msg6415, - "3966": msg6416, - "3967": 
msg6417, - "3968": msg6418, - "3969": msg6419, - "397": select317, - "3970": msg6420, - "3971": msg6421, - "3972": msg6422, - "3973": msg6423, - "3974": msg6424, - "3975": msg6425, - "3976": msg6426, - "3977": msg6427, - "3978": msg6428, - "3979": msg6429, - "398": select318, - "3980": msg6430, - "3981": msg6431, - "3982": msg6432, - "3983": msg6433, - "3984": msg6434, - "3985": msg6435, - "3986": msg6436, - "3987": msg6437, - "3988": msg6438, - "3989": msg6439, - "399": select319, - "3990": msg6440, - "3991": msg6441, - "3992": msg6442, - "3993": msg6443, - "3994": msg6444, - "3995": msg6445, - "3996": msg6446, - "3997": msg6447, - "3998": msg6448, - "3999": msg6449, - "4": select10, - "400": select320, - "4000": msg6450, - "4001": msg6451, - "4002": msg6452, - "4003": msg6453, - "4004": msg6454, - "4005": msg6455, - "4006": msg6456, - "4007": msg6457, - "4008": msg6458, - "4009": msg6459, - "401": select321, - "4010": msg6460, - "4011": msg6461, - "4012": msg6462, - "4013": msg6463, - "4014": msg6464, - "4015": msg6465, - "4016": msg6466, - "4017": msg6467, - "4018": msg6468, - "4019": msg6469, - "402": select322, - "4020": msg6470, - "4021": msg6471, - "4022": msg6472, - "4023": msg6473, - "4024": msg6474, - "4025": msg6475, - "4026": msg6476, - "4027": msg6477, - "4028": msg6478, - "4029": msg6479, - "403": select323, - "4030": msg6480, - "4031": msg6481, - "4032": msg6482, - "4033": msg6483, - "4034": msg6484, - "4035": msg6485, - "4036": msg6486, - "4037": msg6487, - "4038": msg6488, - "4039": msg6489, - "404": select324, - "4040": msg6490, - "4041": msg6491, - "4042": msg6492, - "4043": msg6493, - "4044": msg6494, - "4045": msg6495, - "4046": msg6496, - "4047": msg6497, - "4048": msg6498, - "4049": msg6499, - "405": select325, - "4050": msg6500, - "4051": msg6501, - "4052": msg6502, - "4053": msg6503, - "4054": msg6504, - "4055": msg6505, - "4056": msg6506, - "4057": msg6507, - "4058": msg6508, - "4059": msg6509, - "406": select326, - "4060": msg6510, - 
"4061": msg6511, - "4062": msg6512, - "4063": msg6513, - "4064": msg6514, - "4065": msg6515, - "4066": msg6516, - "4067": msg6517, - "4068": msg6518, - "4069": msg6519, - "407": select327, - "4070": msg6520, - "4071": msg6521, - "4072": msg6522, - "4073": msg6523, - "4074": msg6524, - "4075": msg6525, - "4076": msg6526, - "4077": msg6527, - "4078": msg6528, - "4079": msg6529, - "408": select328, - "4080": msg6530, - "4081": msg6531, - "4082": msg6532, - "4083": msg6533, - "4084": msg6534, - "4085": msg6535, - "4086": msg6536, - "4087": msg6537, - "4088": msg6538, - "4089": msg6539, - "409": select329, - "4090": msg6540, - "4091": msg6541, - "4092": msg6542, - "4093": msg6543, - "4094": msg6544, - "4095": msg6545, - "4096": msg6546, - "4097": msg6547, - "4098": msg6548, - "4099": msg6549, - "410": select330, - "4100": msg6550, - "4101": msg6551, - "4102": msg6552, - "4103": msg6553, - "4104": msg6554, - "4105": msg6555, - "4106": msg6556, - "4107": msg6557, - "4108": msg6558, - "4109": msg6559, - "411": select331, - "4110": msg6560, - "4111": msg6561, - "4112": msg6562, - "4113": msg6563, - "4114": msg6564, - "4115": msg6565, - "4116": msg6566, - "4117": msg6567, - "4118": msg6568, - "4119": msg6569, - "412": select332, - "4120": msg6570, - "4121": msg6571, - "4122": msg6572, - "4123": msg6573, - "4124": msg6574, - "4125": msg6575, - "4126": msg6576, - "4127": msg6577, - "4128": msg6578, - "4129": msg6579, - "413": select333, - "4130": msg6580, - "4131": msg6581, - "4132": msg6582, - "4133": msg6583, - "4134": msg6584, - "4135": msg6585, - "4136": msg6586, - "414": select334, - "4140": msg6587, - "4141": msg6588, - "4142": msg6589, - "4143": msg6590, - "4144": msg6591, - "4145": msg6592, - "4146": msg6593, - "4147": msg6594, - "4148": msg6595, - "4149": msg6596, - "415": select335, - "4150": msg6597, - "4151": msg6598, - "4152": msg6599, - "4153": msg6600, - "4154": msg6601, - "4155": msg6602, - "4156": msg6603, - "4157": msg6604, - "4158": msg6605, - "4159": 
msg6606, - "416": select336, - "4160": msg6607, - "4161": msg6608, - "4162": msg6609, - "4163": msg6610, - "4164": msg6611, - "4165": msg6612, - "4166": msg6613, - "4167": msg6614, - "4168": msg6615, - "4169": msg6616, - "417": select337, - "4170": msg6617, - "4171": msg6618, - "4172": msg6619, - "4173": msg6620, - "4174": msg6621, - "4175": msg6622, - "4176": msg6623, - "4177": msg6624, - "4178": msg6625, - "4179": msg6626, - "418": select338, - "4180": msg6627, - "4181": msg6628, - "4182": msg6629, - "4183": msg6630, - "4184": msg6631, - "4185": msg6632, - "4186": msg6633, - "4187": msg6634, - "4188": msg6635, - "4189": msg6636, - "419": select339, - "4190": msg6637, - "4191": msg6638, - "4192": msg6639, - "4193": msg6640, - "4194": msg6641, - "4195": msg6642, - "4196": msg6643, - "4197": msg6644, - "4198": msg6645, - "4199": msg6646, - "420": select340, - "4200": msg6647, - "4201": msg6648, - "4202": msg6649, - "4203": msg6650, - "4204": msg6651, - "4205": msg6652, - "4206": msg6653, - "4207": msg6654, - "4208": msg6655, - "4209": msg6656, - "421": select341, - "4210": msg6657, - "4211": msg6658, - "4212": msg6659, - "4213": msg6660, - "4214": msg6661, - "4215": msg6662, - "4216": msg6663, - "4217": msg6664, - "4218": msg6665, - "4219": msg6666, - "422": select342, - "4220": msg6667, - "4221": msg6668, - "4222": msg6669, - "4223": msg6670, - "4224": msg6671, - "4225": msg6672, - "4226": msg6673, - "4227": msg6674, - "4228": msg6675, - "4229": msg6676, - "423": select343, - "4230": msg6677, - "4231": msg6678, - "4232": msg6679, - "4233": msg6680, - "4234": msg6681, - "4235": msg6682, - "4236": msg6683, - "4237": msg6684, - "4238": msg6685, - "4239": msg6686, - "424": select344, - "4240": msg6687, - "4241": msg6688, - "4242": msg6689, - "4243": msg6690, - "4244": msg6691, - "4245": msg6692, - "4246": msg6693, - "4247": msg6694, - "4248": msg6695, - "4249": msg6696, - "425": select345, - "4250": msg6697, - "4251": msg6698, - "4252": msg6699, - "4253": msg6700, - 
"4254": msg6701, - "4255": msg6702, - "4256": msg6703, - "4257": msg6704, - "4258": msg6705, - "4259": msg6706, - "426": select346, - "4260": msg6707, - "4261": msg6708, - "4262": msg6709, - "4263": msg6710, - "4264": msg6711, - "4265": msg6712, - "4266": msg6713, - "4267": msg6714, - "4268": msg6715, - "4269": msg6716, - "427": select347, - "4270": msg6717, - "4271": msg6718, - "4272": msg6719, - "4273": msg6720, - "4274": msg6721, - "4275": msg6722, - "4276": msg6723, - "4277": msg6724, - "4278": msg6725, - "4279": msg6726, - "428": select348, - "4280": msg6727, - "4281": msg6728, - "4282": msg6729, - "4283": msg6730, - "4284": msg6731, - "4285": msg6732, - "4286": msg6733, - "4287": msg6734, - "4288": msg6735, - "4289": msg6736, - "429": select349, - "4290": msg6737, - "4291": msg6738, - "4292": msg6739, - "4293": msg6740, - "4294": msg6741, - "4295": msg6742, - "4296": msg6743, - "4297": msg6744, - "4298": msg6745, - "4299": msg6746, - "430": select350, - "4300": msg6747, - "4301": msg6748, - "4302": msg6749, - "4303": msg6750, - "4304": msg6751, - "4305": msg6752, - "4306": msg6753, - "4307": msg6754, - "4308": msg6755, - "4309": msg6756, - "431": select351, - "4310": msg6757, - "4311": msg6758, - "4312": msg6759, - "4313": msg6760, - "4314": msg6761, - "4315": msg6762, - "4316": msg6763, - "4317": msg6764, - "4318": msg6765, - "4319": msg6766, - "432": select352, - "4320": msg6767, - "4321": msg6768, - "4322": msg6769, - "4323": msg6770, - "4324": msg6771, - "4325": msg6772, - "4326": msg6773, - "4327": msg6774, - "4328": msg6775, - "4329": msg6776, - "433": select353, - "4330": msg6777, - "4331": msg6778, - "4332": msg6779, - "4333": msg6780, - "4334": msg6781, - "4335": msg6782, - "4336": msg6783, - "4337": msg6784, - "4338": msg6785, - "4339": msg6786, - "4340": msg6787, - "4341": msg6788, - "4342": msg6789, - "4343": msg6790, - "4344": msg6791, - "4345": msg6792, - "4346": msg6793, - "4347": msg6794, - "4348": msg6795, - "4349": msg6796, - "4350": 
msg6797, - "4351": msg6798, - "4352": msg6799, - "4353": msg6800, - "4354": msg6801, - "4355": msg6802, - "4356": msg6803, - "4357": msg6804, - "4358": msg6805, - "4359": msg6806, - "436": select354, - "4360": msg6807, - "4361": msg6808, - "4362": msg6809, - "4363": msg6810, - "4364": msg6811, - "4365": msg6812, - "4366": msg6813, - "4367": msg6814, - "4368": msg6815, - "4369": msg6816, - "437": select355, - "4370": msg6817, - "4371": msg6818, - "4372": msg6819, - "4373": msg6820, - "4374": msg6821, - "4375": msg6822, - "4376": msg6823, - "4377": msg6824, - "4378": msg6825, - "4379": msg6826, - "438": select356, - "4380": msg6827, - "4381": msg6828, - "4382": msg6829, - "4383": msg6830, - "4384": msg6831, - "4385": msg6832, - "4386": msg6833, - "4387": msg6834, - "4388": msg6835, - "4389": msg6836, - "439": select357, - "4390": msg6837, - "4391": msg6838, - "4392": msg6839, - "4393": msg6840, - "4394": msg6841, - "4395": msg6842, - "4396": msg6843, - "4397": msg6844, - "4398": msg6845, - "4399": msg6846, - "440": select358, - "4400": msg6847, - "4401": msg6848, - "4402": msg6849, - "4403": msg6850, - "4404": msg6851, - "4405": msg6852, - "4406": msg6853, - "4407": msg6854, - "4408": msg6855, - "4409": msg6856, - "441": select359, - "4410": msg6857, - "4411": msg6858, - "4412": msg6859, - "4413": msg6860, - "4414": msg6861, - "4415": msg6862, - "4416": msg6863, - "4417": msg6864, - "4418": msg6865, - "4419": msg6866, - "4420": msg6867, - "4421": msg6868, - "4422": msg6869, - "4423": msg6870, - "4424": msg6871, - "4425": msg6872, - "4426": msg6873, - "4427": msg6874, - "4428": msg6875, - "4429": msg6876, - "443": select360, - "4430": msg6877, - "4431": msg6878, - "4432": msg6879, - "4433": msg6880, - "4434": msg6881, - "4435": msg6882, - "4436": msg6883, - "4437": msg6884, - "4438": msg6885, - "4439": msg6886, - "4440": msg6887, - "4441": msg6888, - "4442": msg6889, - "4443": msg6890, - "4444": msg6891, - "4445": msg6892, - "4446": msg6893, - "4447": msg6894, - 
"4448": msg6895, - "4449": msg6896, - "445": select361, - "4450": msg6897, - "4451": msg6898, - "4452": msg6899, - "4453": msg6900, - "4454": msg6901, - "4455": msg6902, - "4456": msg6903, - "4457": msg6904, - "4458": msg6905, - "4459": msg6906, - "446": select362, - "4460": msg6907, - "4461": msg6908, - "4462": msg6909, - "4463": msg6910, - "4464": msg6911, - "4465": msg6912, - "4466": msg6913, - "4467": msg6914, - "4468": msg6915, - "4469": msg6916, - "4470": msg6917, - "4471": msg6918, - "4472": msg6919, - "4473": msg6920, - "4474": msg6921, - "4475": msg6922, - "4476": msg6923, - "4477": msg6924, - "4478": msg6925, - "4479": msg6926, - "448": select363, - "4480": msg6927, - "4481": msg6928, - "4482": msg6929, - "4483": msg6930, - "4484": msg6931, - "4485": msg6932, - "4486": msg6933, - "4487": msg6934, - "4488": msg6935, - "4489": msg6936, - "449": select364, - "4490": msg6937, - "4491": msg6938, - "4492": msg6939, - "4493": msg6940, - "4494": msg6941, - "4495": msg6942, - "4496": msg6943, - "4497": msg6944, - "4498": msg6945, - "4499": msg6946, - "45": msg66, - "450": select365, - "4500": msg6947, - "4501": msg6948, - "4502": msg6949, - "4503": msg6950, - "4504": msg6951, - "4505": msg6952, - "4506": msg6953, - "4507": msg6954, - "4508": msg6955, - "4509": msg6956, - "451": select366, - "4510": msg6957, - "4511": msg6958, - "4512": msg6959, - "4513": msg6960, - "4514": msg6961, - "4515": msg6962, - "4516": msg6963, - "4517": msg6964, - "4518": msg6965, - "4519": msg6966, - "452": select367, - "4520": msg6967, - "4521": msg6968, - "4522": msg6969, - "4523": msg6970, - "4524": msg6971, - "4525": msg6972, - "4526": msg6973, - "4527": msg6974, - "4528": msg6975, - "4529": msg6976, - "453": select368, - "4530": msg6977, - "4531": msg6978, - "4532": msg6979, - "4533": msg6980, - "4534": msg6981, - "4535": msg6982, - "4536": msg6983, - "4537": msg6984, - "4538": msg6985, - "4539": msg6986, - "454": select369, - "4540": msg6987, - "4541": msg6988, - "4542": msg6989, - 
"4543": msg6990, - "4544": msg6991, - "4545": msg6992, - "4546": msg6993, - "4547": msg6994, - "4548": msg6995, - "4549": msg6996, - "455": select370, - "4550": msg6997, - "4551": msg6998, - "4552": msg6999, - "4553": msg7000, - "4554": msg7001, - "4555": msg7002, - "4556": msg7003, - "4557": msg7004, - "4558": msg7005, - "4559": msg7006, - "456": select371, - "4560": msg7007, - "4561": msg7008, - "4562": msg7009, - "4563": msg7010, - "4564": msg7011, - "4565": msg7012, - "4566": msg7013, - "4567": msg7014, - "4568": msg7015, - "4569": msg7016, - "457": select372, - "4570": msg7017, - "4571": msg7018, - "4572": msg7019, - "4573": msg7020, - "4574": msg7021, - "4575": msg7022, - "4576": msg7023, - "4577": msg7024, - "4578": msg7025, - "4579": msg7026, - "458": select373, - "4580": msg7027, - "4581": msg7028, - "4582": msg7029, - "4583": msg7030, - "4584": msg7031, - "4585": msg7032, - "4586": msg7033, - "4587": msg7034, - "4588": msg7035, - "4589": msg7036, - "459": select374, - "4590": msg7037, - "4591": msg7038, - "4592": msg7039, - "4593": msg7040, - "4594": msg7041, - "4595": msg7042, - "4596": msg7043, - "4597": msg7044, - "4598": msg7045, - "4599": msg7046, - "46": select25, - "460": select375, - "4600": msg7047, - "4601": msg7048, - "4602": msg7049, - "4603": msg7050, - "4604": msg7051, - "4605": msg7052, - "4606": msg7053, - "4607": msg7054, - "4608": msg7055, - "4609": msg7056, - "461": select376, - "4610": msg7057, - "4611": msg7058, - "4612": msg7059, - "4613": msg7060, - "4614": msg7061, - "4615": msg7062, - "4616": msg7063, - "4617": msg7064, - "4618": msg7065, - "4619": msg7066, - "462": select377, - "4620": msg7067, - "4621": msg7068, - "4622": msg7069, - "4623": msg7070, - "4624": msg7071, - "4625": msg7072, - "4626": msg7073, - "4627": msg7074, - "4628": msg7075, - "4629": msg7076, - "463": select378, - "4630": msg7077, - "4631": msg7078, - "4632": msg7079, - "4633": msg7080, - "4634": msg7081, - "4635": msg7082, - "4636": msg7083, - "4637": 
msg7084, - "4638": msg7085, - "4639": msg7086, - "4640": msg7087, - "4641": msg7088, - "4642": msg7089, - "4643": msg7090, - "4644": msg7091, - "4645": msg7092, - "4646": msg7093, - "4647": msg7094, - "4648": msg7095, - "4649": msg7096, - "465": select379, - "4650": msg7097, - "4651": msg7098, - "4652": msg7099, - "4653": msg7100, - "4654": msg7101, - "4655": msg7102, - "4656": msg7103, - "4657": msg7104, - "4658": msg7105, - "4659": msg7106, - "466": select380, - "4660": msg7107, - "4661": msg7108, - "4662": msg7109, - "4663": msg7110, - "4664": msg7111, - "4665": msg7112, - "4666": msg7113, - "4667": msg7114, - "4668": msg7115, - "4669": msg7116, - "467": select381, - "4670": msg7117, - "4671": msg7118, - "4672": msg7119, - "4673": msg7120, - "4674": msg7121, - "4675": msg7122, - "4676": msg7123, - "4677": msg7124, - "4678": msg7125, - "4679": msg7126, - "4680": msg7127, - "4681": msg7128, - "4682": msg7129, - "4683": msg7130, - "4684": msg7131, - "4685": msg7132, - "4686": msg7133, - "4687": msg7134, - "4688": msg7135, - "4689": msg7136, - "469": select382, - "4690": msg7137, - "4691": msg7138, - "4692": msg7139, - "4693": msg7140, - "4694": msg7141, - "4695": msg7142, - "4696": msg7143, - "4697": msg7144, - "4698": msg7145, - "4699": msg7146, - "47": select26, - "4700": msg7147, - "4701": msg7148, - "4702": msg7149, - "4703": msg7150, - "4704": msg7151, - "4705": msg7152, - "4706": msg7153, - "4707": msg7154, - "4708": msg7155, - "4709": msg7156, - "471": select383, - "4710": msg7157, - "4711": msg7158, - "4712": msg7159, - "4713": msg7160, - "4714": msg7161, - "4715": msg7162, - "4716": msg7163, - "4717": msg7164, - "4718": msg7165, - "4719": msg7166, - "472": select384, - "4720": msg7167, - "4721": msg7168, - "4722": msg7169, - "4723": msg7170, - "4724": msg7171, - "4725": msg7172, - "4726": msg7173, - "4727": msg7174, - "4728": msg7175, - "4729": msg7176, - "473": select385, - "4730": msg7177, - "4731": msg7178, - "4732": msg7179, - "4733": msg7180, - 
"4734": msg7181, - "4735": msg7182, - "4736": msg7183, - "4737": msg7184, - "4738": msg7185, - "4739": msg7186, - "474": select386, - "4740": msg7187, - "4741": msg7188, - "4742": msg7189, - "4743": msg7190, - "4744": msg7191, - "4745": msg7192, - "4746": msg7193, - "4747": msg7194, - "4748": msg7195, - "4749": msg7196, - "475": select387, - "4750": msg7197, - "4751": msg7198, - "4752": msg7199, - "4753": msg7200, - "4754": msg7201, - "4755": msg7202, - "4756": msg7203, - "4757": msg7204, - "4758": msg7205, - "4759": msg7206, - "476": select388, - "4760": msg7207, - "4761": msg7208, - "4762": msg7209, - "4763": msg7210, - "4764": msg7211, - "4765": msg7212, - "4766": msg7213, - "4767": msg7214, - "4768": msg7215, - "4769": msg7216, - "477": select389, - "4770": msg7217, - "4771": msg7218, - "4772": msg7219, - "4773": msg7220, - "4774": msg7221, - "4775": msg7222, - "4776": msg7223, - "4777": msg7224, - "4778": msg7225, - "4779": msg7226, - "478": select390, - "4780": msg7227, - "4781": msg7228, - "4782": msg7229, - "4783": msg7230, - "4784": msg7231, - "4785": msg7232, - "4786": msg7233, - "4787": msg7234, - "4788": msg7235, - "4789": msg7236, - "4790": msg7237, - "4791": msg7238, - "4792": msg7239, - "4793": msg7240, - "4794": msg7241, - "4795": msg7242, - "4796": msg7243, - "4797": msg7244, - "4798": msg7245, - "4799": msg7246, - "480": select391, - "4800": msg7247, - "4801": msg7248, - "4802": msg7249, - "4803": msg7250, - "4804": msg7251, - "4805": msg7252, - "4806": msg7253, - "4807": msg7254, - "4808": msg7255, - "4809": msg7256, - "481": select392, - "4810": msg7257, - "4811": msg7258, - "4812": msg7259, - "4813": msg7260, - "4814": msg7261, - "4815": msg7262, - "4816": msg7263, - "4817": msg7264, - "4818": msg7265, - "4819": msg7266, - "482": select393, - "4820": msg7267, - "4821": msg7268, - "4822": msg7269, - "4823": msg7270, - "4824": msg7271, - "4825": msg7272, - "4826": msg7273, - "4827": msg7274, - "4828": msg7275, - "4829": msg7276, - "483": 
select394, - "4830": msg7277, - "4831": msg7278, - "4832": msg7279, - "4833": msg7280, - "4834": msg7281, - "4835": msg7282, - "4836": msg7283, - "4837": msg7284, - "4838": msg7285, - "4839": msg7286, - "484": select395, - "4840": msg7287, - "4841": msg7288, - "4842": msg7289, - "4843": msg7290, - "4844": msg7291, - "4845": msg7292, - "4846": msg7293, - "4847": msg7294, - "4848": msg7295, - "4849": msg7296, - "485": select396, - "4850": msg7297, - "4851": msg7298, - "4852": msg7299, - "4853": msg7300, - "4854": msg7301, - "4855": msg7302, - "4856": msg7303, - "4857": msg7304, - "4858": msg7305, - "4859": msg7306, - "486": select397, - "4860": msg7307, - "4861": msg7308, - "4862": msg7309, - "4863": msg7310, - "4864": msg7311, - "4865": msg7312, - "4866": msg7313, - "4867": msg7314, - "4868": msg7315, - "4869": msg7316, - "487": select398, - "4870": msg7317, - "4871": msg7318, - "4872": msg7319, - "4873": msg7320, - "4874": msg7321, - "4875": msg7322, - "4876": msg7323, - "4877": msg7324, - "4878": msg7325, - "4879": msg7326, - "488": select399, - "4880": msg7327, - "4881": msg7328, - "4882": msg7329, - "4883": msg7330, - "4884": msg7331, - "4885": msg7332, - "4886": msg7333, - "4887": msg7334, - "4888": msg7335, - "4889": msg7336, - "489": select400, - "4890": msg7337, - "4891": msg7338, - "4892": msg7339, - "4893": msg7340, - "4894": msg7341, - "4895": msg7342, - "4896": msg7343, - "4897": msg7344, - "4898": msg7345, - "4899": msg7346, - "490": select401, - "4900": msg7347, - "4901": msg7348, - "4902": msg7349, - "4903": msg7350, - "4904": msg7351, - "4905": msg7352, - "4906": msg7353, - "4907": msg7354, - "4908": msg7355, - "4909": msg7356, - "491": msg923, - "4910": msg7357, - "4911": msg7358, - "4912": msg7359, - "4913": msg7360, - "4914": msg7361, - "4915": msg7362, - "4916": msg7363, - "4917": msg7364, - "4918": msg7365, - "4919": msg7366, - "492": select402, - "4920": msg7367, - "4921": msg7368, - "4922": msg7369, - "4923": msg7370, - "4924": msg7371, - 
"4925": msg7372, - "4926": msg7373, - "4927": msg7374, - "4928": msg7375, - "4929": msg7376, - "493": select403, - "4930": msg7377, - "4931": msg7378, - "4932": msg7379, - "4933": msg7380, - "4934": msg7381, - "4935": msg7382, - "4936": msg7383, - "4937": msg7384, - "4938": msg7385, - "4939": msg7386, - "494": select404, - "4940": msg7387, - "4941": msg7388, - "4942": msg7389, - "4943": msg7390, - "4944": msg7391, - "4945": msg7392, - "4946": msg7393, - "4947": msg7394, - "4948": msg7395, - "4949": msg7396, - "495": select405, - "4950": msg7397, - "4951": msg7398, - "4952": msg7399, - "4953": msg7400, - "4954": msg7401, - "4955": msg7402, - "4956": msg7403, - "4957": msg7404, - "4958": msg7405, - "4959": msg7406, - "496": select406, - "4960": msg7407, - "4961": msg7408, - "4962": msg7409, - "4963": msg7410, - "4964": msg7411, - "4965": msg7412, - "4966": msg7413, - "4967": msg7414, - "4968": msg7415, - "4969": msg7416, - "497": select407, - "4970": msg7417, - "4971": msg7418, - "4972": msg7419, - "4973": msg7420, - "4974": msg7421, - "4975": msg7422, - "4976": msg7423, - "4977": msg7424, - "4978": msg7425, - "4979": msg7426, - "498": select408, - "4980": msg7427, - "4981": msg7428, - "4982": msg7429, - "4983": msg7430, - "4984": msg7431, - "4985": msg7432, - "4986": msg7433, - "4987": msg7434, - "4988": msg7435, - "4989": msg7436, - "499": select409, - "4990": msg7437, - "4991": msg7438, - "4992": msg7439, - "4993": msg7440, - "4994": msg7441, - "4995": msg7442, - "4996": msg7443, - "4997": msg7444, - "4998": msg7445, - "4999": msg7446, - "5": msg26, - "500": select410, - "5000": msg7447, - "5001": msg7448, - "5002": msg7449, - "5003": msg7450, - "5004": msg7451, - "5005": msg7452, - "5006": msg7453, - "5007": msg7454, - "5008": msg7455, - "5009": msg7456, - "501": select411, - "5010": msg7457, - "5011": msg7458, - "5012": msg7459, - "5013": msg7460, - "5014": msg7461, - "5015": msg7462, - "5016": msg7463, - "5017": msg7464, - "5018": msg7465, - "5019": msg7466, - 
"502": select412, - "5020": msg7467, - "5021": msg7468, - "5022": msg7469, - "5023": msg7470, - "5024": msg7471, - "5025": msg7472, - "5026": msg7473, - "5027": msg7474, - "5028": msg7475, - "5029": msg7476, - "503": select413, - "5030": msg7477, - "5031": msg7478, - "5032": msg7479, - "5033": msg7480, - "5034": msg7481, - "5035": msg7482, - "5036": msg7483, - "5037": msg7484, - "5038": msg7485, - "5039": msg7486, - "504": select414, - "5040": msg7487, - "5041": msg7488, - "5042": msg7489, - "5043": msg7490, - "5044": msg7491, - "5045": msg7492, - "5046": msg7493, - "5047": msg7494, - "5048": msg7495, - "5049": msg7496, - "505": select415, - "5050": msg7497, - "5051": msg7498, - "5052": msg7499, - "5053": msg7500, - "5054": msg7501, - "5055": msg7502, - "5056": msg7503, - "5057": msg7504, - "5058": msg7505, - "5059": msg7506, - "506": select416, - "5060": msg7507, - "5061": msg7508, - "5062": msg7509, - "5063": msg7510, - "5064": msg7511, - "5065": msg7512, - "5066": msg7513, - "5067": msg7514, - "5068": msg7515, - "5069": msg7516, - "507": select417, - "5070": msg7517, - "5071": msg7518, - "5072": msg7519, - "5073": msg7520, - "5074": msg7521, - "5075": msg7522, - "5076": msg7523, - "5077": msg7524, - "5078": msg7525, - "5079": msg7526, - "508": select418, - "5080": msg7527, - "5081": msg7528, - "5082": msg7529, - "5083": msg7530, - "5084": msg7531, - "5085": msg7532, - "5086": msg7533, - "5087": msg7534, - "5088": msg7535, - "5089": msg7536, - "509": select419, - "5090": msg7537, - "5091": msg7538, - "5092": msg7539, - "5093": msg7540, - "5094": msg7541, - "5095": msg7542, - "5096": msg7543, - "5097": msg7544, - "5098": msg7545, - "5099": msg7546, - "510": select420, - "5100": msg7547, - "5101": msg7548, - "5102": msg7549, - "5103": msg7550, - "5104": msg7551, - "5105": msg7552, - "5106": msg7553, - "5107": msg7554, - "5108": msg7555, - "5109": msg7556, - "511": select421, - "5110": msg7557, - "5111": msg7558, - "5112": msg7559, - "5113": msg7560, - "5114": 
msg7561, - "5115": msg7562, - "5116": msg7563, - "5117": msg7564, - "5118": msg7565, - "5119": msg7566, - "512": select422, - "5120": msg7567, - "5121": msg7568, - "5122": msg7569, - "5123": msg7570, - "5124": msg7571, - "5125": msg7572, - "5126": msg7573, - "5127": msg7574, - "5128": msg7575, - "5129": msg7576, - "513": select423, - "5130": msg7577, - "5131": msg7578, - "5132": msg7579, - "5133": msg7580, - "5134": msg7581, - "5135": msg7582, - "5136": msg7583, - "5137": msg7584, - "5138": msg7585, - "5139": msg7586, - "514": select424, - "5140": msg7587, - "5141": msg7588, - "5142": msg7589, - "5143": msg7590, - "5144": msg7591, - "5145": msg7592, - "5146": msg7593, - "5147": msg7594, - "5148": msg7595, - "5149": msg7596, - "5150": msg7597, - "5151": msg7598, - "5152": msg7599, - "5153": msg7600, - "5154": msg7601, - "5155": msg7602, - "5156": msg7603, - "5157": msg7604, - "5158": msg7605, - "5159": msg7606, - "516": select425, - "5160": msg7607, - "5161": msg7608, - "5162": msg7609, - "5163": msg7610, - "5164": msg7611, - "5165": msg7612, - "5166": msg7613, - "5167": msg7614, - "5168": msg7615, - "5169": msg7616, - "517": select426, - "5170": msg7617, - "5171": msg7618, - "5172": msg7619, - "5173": msg7620, - "5174": msg7621, - "5175": msg7622, - "5176": msg7623, - "5177": msg7624, - "5178": msg7625, - "5179": msg7626, - "518": select427, - "5180": msg7627, - "5181": msg7628, - "5182": msg7629, - "5183": msg7630, - "5184": msg7631, - "5185": msg7632, - "5186": msg7633, - "5187": msg7634, - "5188": msg7635, - "5189": msg7636, - "519": select428, - "5190": msg7637, - "5191": msg7638, - "5192": msg7639, - "5193": msg7640, - "5194": msg7641, - "5195": msg7642, - "5196": msg7643, - "5197": msg7644, - "5198": msg7645, - "5199": msg7646, - "520": select429, - "5200": msg7647, - "5201": msg7648, - "5202": msg7649, - "5203": msg7650, - "5204": msg7651, - "5205": msg7652, - "5206": msg7653, - "5207": msg7654, - "5208": msg7655, - "5209": msg7656, - "521": select430, - 
"5210": msg7657, - "5211": msg7658, - "5212": msg7659, - "5213": msg7660, - "5214": msg7661, - "5215": msg7662, - "5216": msg7663, - "5217": msg7664, - "5218": msg7665, - "5219": msg7666, - "522": select431, - "5220": msg7667, - "5221": msg7668, - "5222": msg7669, - "5223": msg7670, - "5224": msg7671, - "5225": msg7672, - "5226": msg7673, - "5227": msg7674, - "5228": msg7675, - "5229": msg7676, - "523": select432, - "5230": msg7677, - "5231": msg7678, - "5232": msg7679, - "5233": msg7680, - "5234": msg7681, - "5235": msg7682, - "5236": msg7683, - "5237": msg7684, - "5238": msg7685, - "5239": msg7686, - "524": select433, - "5240": msg7687, - "5241": msg7688, - "5242": msg7689, - "5243": msg7690, - "5244": msg7691, - "5245": msg7692, - "5246": msg7693, - "5247": msg7694, - "5248": msg7695, - "5249": msg7696, - "525": select434, - "5250": msg7697, - "5251": msg7698, - "5252": msg7699, - "5253": msg7700, - "5254": msg7701, - "5255": msg7702, - "5256": msg7703, - "5257": msg7704, - "5258": msg7705, - "5259": msg7706, - "526": select435, - "5260": msg7707, - "5261": msg7708, - "5262": msg7709, - "5263": msg7710, - "5264": msg7711, - "5265": msg7712, - "5266": msg7713, - "5267": msg7714, - "5268": msg7715, - "5269": msg7716, - "527": select436, - "5270": msg7717, - "5271": msg7718, - "5272": msg7719, - "5273": msg7720, - "5274": msg7721, - "5275": msg7722, - "5276": msg7723, - "5277": msg7724, - "5278": msg7725, - "5279": msg7726, - "528": select437, - "5280": msg7727, - "5281": msg7728, - "5282": msg7729, - "5283": msg7730, - "5284": msg7731, - "5285": msg7732, - "5286": msg7733, - "5287": msg7734, - "5288": msg7735, - "5289": msg7736, - "529": select438, - "5290": msg7737, - "5291": msg7738, - "5292": msg7739, - "5293": msg7740, - "5294": msg7741, - "5295": msg7742, - "5296": msg7743, - "5297": msg7744, - "5298": msg7745, - "5299": msg7746, - "530": select439, - "5300": msg7747, - "5301": msg7748, - "5302": msg7749, - "5303": msg7750, - "5304": msg7751, - "5305": 
msg7752, - "5306": msg7753, - "5307": msg7754, - "5308": msg7755, - "5309": msg7756, - "5310": msg7757, - "5311": msg7758, - "5312": msg7759, - "5313": msg7760, - "5314": msg7761, - "5315": msg7762, - "5316": msg7763, - "5317": msg7764, - "5318": msg7765, - "5319": msg7766, - "532": select440, - "5320": msg7767, - "5321": msg7768, - "5322": msg7769, - "5323": msg7770, - "5324": msg7771, - "5325": msg7772, - "5326": msg7773, - "5327": msg7774, - "5328": msg7775, - "5329": msg7776, - "533": select441, - "5330": msg7777, - "5331": msg7778, - "5332": msg7779, - "5333": msg7780, - "5334": msg7781, - "5335": msg7782, - "5336": msg7783, - "5337": msg7784, - "5338": msg7785, - "5339": msg7786, - "534": select442, - "5340": msg7787, - "5341": msg7788, - "5342": msg7789, - "5343": msg7790, - "5344": msg7791, - "5345": msg7792, - "5346": msg7793, - "5347": msg7794, - "5348": msg7795, - "5349": msg7796, - "535": select443, - "5350": msg7797, - "5351": msg7798, - "5352": msg7799, - "5353": msg7800, - "5354": msg7801, - "5355": msg7802, - "5356": msg7803, - "5357": msg7804, - "5358": msg7805, - "5359": msg7806, - "536": select444, - "5360": msg7807, - "5361": msg7808, - "5362": msg7809, - "5363": msg7810, - "5364": msg7811, - "5365": msg7812, - "5366": msg7813, - "5367": msg7814, - "5368": msg7815, - "5369": msg7816, - "537": select445, - "5370": msg7817, - "5371": msg7818, - "5372": msg7819, - "5373": msg7820, - "5374": msg7821, - "5375": msg7822, - "5376": msg7823, - "5377": msg7824, - "5378": msg7825, - "5379": msg7826, - "538": select446, - "5380": msg7827, - "5381": msg7828, - "5382": msg7829, - "5383": msg7830, - "5384": msg7831, - "5385": msg7832, - "5386": msg7833, - "5387": msg7834, - "5388": msg7835, - "5389": msg7836, - "539": select447, - "5390": msg7837, - "5391": msg7838, - "5392": msg7839, - "5393": msg7840, - "5394": msg7841, - "5395": msg7842, - "5396": msg7843, - "5397": msg7844, - "5398": msg7845, - "5399": msg7846, - "54": select27, - "540": select448, - 
"5400": msg7847, - "5401": msg7848, - "5402": msg7849, - "5403": msg7850, - "5404": msg7851, - "5405": msg7852, - "5406": msg7853, - "5407": msg7854, - "5408": msg7855, - "5409": msg7856, - "541": select449, - "5410": msg7857, - "5411": msg7858, - "5412": msg7859, - "5413": msg7860, - "5414": msg7861, - "5415": msg7862, - "5416": msg7863, - "5417": msg7864, - "5418": msg7865, - "5419": msg7866, - "542": select450, - "5420": msg7867, - "5421": msg7868, - "5422": msg7869, - "5423": msg7870, - "5424": msg7871, - "5425": msg7872, - "5426": msg7873, - "5427": msg7874, - "5428": msg7875, - "5429": msg7876, - "543": select451, - "5430": msg7877, - "5431": msg7878, - "5432": msg7879, - "5433": msg7880, - "5434": msg7881, - "5435": msg7882, - "5436": msg7883, - "5437": msg7884, - "5438": msg7885, - "5439": msg7886, - "544": select452, - "5440": msg7887, - "5441": msg7888, - "5442": msg7889, - "5443": msg7890, - "5444": msg7891, - "5445": msg7892, - "5446": msg7893, - "5447": msg7894, - "5448": msg7895, - "5449": msg7896, - "545": select453, - "5450": msg7897, - "5451": msg7898, - "5452": msg7899, - "5453": msg7900, - "5454": msg7901, - "5455": msg7902, - "5456": msg7903, - "5457": msg7904, - "5458": msg7905, - "5459": msg7906, - "546": select454, - "5460": msg7907, - "5461": msg7908, - "5462": msg7909, - "5463": msg7910, - "5464": msg7911, - "5465": msg7912, - "5466": msg7913, - "5467": msg7914, - "5468": msg7915, - "5469": msg7916, - "547": select455, - "5470": msg7917, - "5471": msg7918, - "5472": msg7919, - "5473": msg7920, - "5474": msg7921, - "5475": msg7922, - "5476": msg7923, - "5477": msg7924, - "5478": msg7925, - "5479": msg7926, - "548": select456, - "5480": msg7927, - "5481": msg7928, - "5482": msg7929, - "5483": msg7930, - "5484": msg7931, - "5485": msg7932, - "5486": msg7933, - "5487": msg7934, - "5488": msg7935, - "5489": msg7936, - "549": select457, - "5490": msg7937, - "5491": msg7938, - "5492": msg7939, - "5493": msg7940, - "5494": msg7941, - "5495": 
msg7942, - "5496": msg7943, - "5497": msg7944, - "5498": msg7945, - "5499": msg7946, - "55": select28, - "550": select458, - "5500": msg7947, - "5501": msg7948, - "5502": msg7949, - "5503": msg7950, - "5504": msg7951, - "5505": msg7952, - "5506": msg7953, - "5507": msg7954, - "5508": msg7955, - "5509": msg7956, - "551": select459, - "5510": msg7957, - "5511": msg7958, - "5512": msg7959, - "5513": msg7960, - "5514": msg7961, - "5515": msg7962, - "5516": msg7963, - "5517": msg7964, - "5518": msg7965, - "5519": msg7966, - "552": select460, - "5520": msg7967, - "5521": msg7968, - "5522": msg7969, - "5523": msg7970, - "5524": msg7971, - "5525": msg7972, - "5526": msg7973, - "5527": msg7974, - "5528": msg7975, - "5529": msg7976, - "553": select461, - "5530": msg7977, - "5531": msg7978, - "5532": msg7979, - "5533": msg7980, - "5534": msg7981, - "5535": msg7982, - "5536": msg7983, - "5537": msg7984, - "5538": msg7985, - "5539": msg7986, - "554": select462, - "5540": msg7987, - "5541": msg7988, - "5542": msg7989, - "5543": msg7990, - "5544": msg7991, - "5545": msg7992, - "5546": msg7993, - "5547": msg7994, - "5548": msg7995, - "5549": msg7996, - "555": select463, - "5550": msg7997, - "5551": msg7998, - "5552": msg7999, - "5553": msg8000, - "5554": msg8001, - "5555": msg8002, - "5556": msg8003, - "5557": msg8004, - "5558": msg8005, - "5559": msg8006, - "556": select464, - "5560": msg8007, - "5561": msg8008, - "5562": msg8009, - "5563": msg8010, - "5564": msg8011, - "5565": msg8012, - "5566": msg8013, - "5567": msg8014, - "5568": msg8015, - "5569": msg8016, - "557": select465, - "5570": msg8017, - "5571": msg8018, - "5572": msg8019, - "5573": msg8020, - "5574": msg8021, - "5575": msg8022, - "5576": msg8023, - "5577": msg8024, - "5578": msg8025, - "5579": msg8026, - "558": select466, - "5580": msg8027, - "5581": msg8028, - "5582": msg8029, - "5583": msg8030, - "5584": msg8031, - "5585": msg8032, - "5586": msg8033, - "5587": msg8034, - "5588": msg8035, - "5589": msg8036, - 
"559": select467, - "5590": msg8037, - "5591": msg8038, - "5592": msg8039, - "5593": msg8040, - "5594": msg8041, - "5595": msg8042, - "5596": msg8043, - "5597": msg8044, - "5598": msg8045, - "5599": msg8046, - "560": select468, - "5600": msg8047, - "5601": msg8048, - "5602": msg8049, - "5603": msg8050, - "5604": msg8051, - "5605": msg8052, - "5606": msg8053, - "5607": msg8054, - "5608": msg8055, - "5609": msg8056, - "561": select469, - "5610": msg8057, - "5611": msg8058, - "5612": msg8059, - "5613": msg8060, - "5614": msg8061, - "5615": msg8062, - "5616": msg8063, - "5617": msg8064, - "5618": msg8065, - "5619": msg8066, - "562": select470, - "5620": msg8067, - "5621": msg8068, - "5622": msg8069, - "5623": msg8070, - "5624": msg8071, - "5625": msg8072, - "5626": msg8073, - "5627": msg8074, - "5628": msg8075, - "5629": msg8076, - "563": select471, - "5630": msg8077, - "5631": msg8078, - "5632": msg8079, - "5633": msg8080, - "5634": msg8081, - "5635": msg8082, - "5636": msg8083, - "5637": msg8084, - "5638": msg8085, - "5639": msg8086, - "564": select472, - "5640": msg8087, - "5641": msg8088, - "5642": msg8089, - "5643": msg8090, - "5644": msg8091, - "5645": msg8092, - "5646": msg8093, - "5647": msg8094, - "5648": msg8095, - "5649": msg8096, - "565": select473, - "5650": msg8097, - "5651": msg8098, - "5652": msg8099, - "5653": msg8100, - "5654": msg8101, - "5655": msg8102, - "5656": msg8103, - "5657": msg8104, - "5658": msg8105, - "5659": msg8106, - "566": select474, - "5660": msg8107, - "5661": msg8108, - "5662": msg8109, - "5663": msg8110, - "5664": msg8111, - "5665": msg8112, - "5666": msg8113, - "5667": msg8114, - "5668": msg8115, - "5669": msg8116, - "567": select475, - "5670": msg8117, - "5671": msg8118, - "5672": msg8119, - "5673": msg8120, - "5674": msg8121, - "5675": msg8122, - "5676": msg8123, - "5677": msg8124, - "5678": msg8125, - "5679": msg8126, - "568": select476, - "5680": msg8127, - "5681": msg8128, - "5682": msg8129, - "5683": msg8130, - "5684": 
msg8131, - "5685": msg8132, - "5686": msg8133, - "5687": msg8134, - "5688": msg8135, - "5689": msg8136, - "569": select477, - "5690": msg8137, - "5691": msg8138, - "5692": msg8139, - "5693": msg8140, - "5694": msg8141, - "5695": msg8142, - "5696": msg8143, - "5697": msg8144, - "5698": msg8145, - "5699": msg8146, - "570": select478, - "5700": msg8147, - "5701": msg8148, - "5702": msg8149, - "5703": msg8150, - "5704": msg8151, - "5705": msg8152, - "5706": msg8153, - "5707": msg8154, - "5708": msg8155, - "5709": msg8156, - "571": select479, - "5710": msg8157, - "5711": msg8158, - "5712": msg8159, - "5713": msg8160, - "5714": msg8161, - "5715": msg8162, - "5716": msg8163, - "5717": msg8164, - "5718": msg8165, - "5719": msg8166, - "572": select480, - "5720": msg8167, - "5721": msg8168, - "5722": msg8169, - "5723": msg8170, - "5724": msg8171, - "5725": msg8172, - "5726": msg8173, - "5727": msg8174, - "5728": msg8175, - "5729": msg8176, - "573": select481, - "5730": msg8177, - "5731": msg8178, - "5732": msg8179, - "5733": msg8180, - "5734": msg8181, - "5735": msg8182, - "5736": msg8183, - "5737": msg8184, - "5738": msg8185, - "5739": msg8186, - "574": select482, - "5740": msg8187, - "5741": msg8188, - "5742": msg8189, - "5743": msg8190, - "5744": msg8191, - "5745": msg8192, - "5746": msg8193, - "5747": msg8194, - "5748": msg8195, - "5749": msg8196, - "575": select483, - "5750": msg8197, - "5751": msg8198, - "5752": msg8199, - "5753": msg8200, - "5754": msg8201, - "5755": msg8202, - "5756": msg8203, - "5757": msg8204, - "5758": msg8205, - "5759": msg8206, - "576": select484, - "5760": msg8207, - "5761": msg8208, - "5762": msg8209, - "5763": msg8210, - "5764": msg8211, - "5765": msg8212, - "5766": msg8213, - "5767": msg8214, - "5768": msg8215, - "5769": msg8216, - "577": select485, - "5770": msg8217, - "5771": msg8218, - "5772": msg8219, - "5773": msg8220, - "5774": msg8221, - "5775": msg8222, - "5776": msg8223, - "5777": msg8224, - "5778": msg8225, - "5779": msg8226, - 
"578": select486, - "5780": msg8227, - "5781": msg8228, - "5782": msg8229, - "5783": msg8230, - "5784": msg8231, - "5785": msg8232, - "5786": msg8233, - "5787": msg8234, - "5788": msg8235, - "5789": msg8236, - "579": select487, - "5790": msg8237, - "5791": msg8238, - "5792": msg8239, - "5793": msg8240, - "5794": msg8241, - "5795": msg8242, - "5796": msg8243, - "5797": msg8244, - "5798": msg8245, - "5799": msg8246, - "58": select29, - "580": select488, - "5800": msg8247, - "5801": msg8248, - "5802": msg8249, - "5803": msg8250, - "5804": msg8251, - "5805": msg8252, - "5806": msg8253, - "5807": msg8254, - "5808": msg8255, - "5809": msg8256, - "581": select489, - "5810": msg8257, - "5811": msg8258, - "5812": msg8259, - "5813": msg8260, - "5814": msg8261, - "5815": msg8262, - "5816": msg8263, - "5817": msg8264, - "5818": msg8265, - "5819": msg8266, - "582": select490, - "5820": msg8267, - "5821": msg8268, - "5822": msg8269, - "5823": msg8270, - "5824": msg8271, - "5825": msg8272, - "5826": msg8273, - "5827": msg8274, - "5828": msg8275, - "5829": msg8276, - "583": select491, - "5830": msg8277, - "5831": msg8278, - "5832": msg8279, - "5833": msg8280, - "5834": msg8281, - "5835": msg8282, - "5836": msg8283, - "5837": msg8284, - "5838": msg8285, - "5839": msg8286, - "584": select492, - "5840": msg8287, - "5841": msg8288, - "5842": msg8289, - "5843": msg8290, - "5844": msg8291, - "5845": msg8292, - "5846": msg8293, - "5847": msg8294, - "5848": msg8295, - "5849": msg8296, - "585": select493, - "5850": msg8297, - "5851": msg8298, - "5852": msg8299, - "5853": msg8300, - "5854": msg8301, - "5855": msg8302, - "5856": msg8303, - "5857": msg8304, - "5858": msg8305, - "5859": msg8306, - "586": select494, - "5860": msg8307, - "5861": msg8308, - "5862": msg8309, - "5863": msg8310, - "5864": msg8311, - "5865": msg8312, - "5866": msg8313, - "5867": msg8314, - "5868": msg8315, - "5869": msg8316, - "587": select495, - "5870": msg8317, - "5871": msg8318, - "5872": msg8319, - "5873": 
msg8320, - "5874": msg8321, - "5875": msg8322, - "5876": msg8323, - "5877": msg8324, - "5878": msg8325, - "5879": msg8326, - "588": select496, - "5880": msg8327, - "5881": msg8328, - "5882": msg8329, - "5883": msg8330, - "5884": msg8331, - "5885": msg8332, - "5886": msg8333, - "5887": msg8334, - "5888": msg8335, - "5889": msg8336, - "589": select497, - "5890": msg8337, - "5891": msg8338, - "5892": msg8339, - "5893": msg8340, - "5894": msg8341, - "5895": msg8342, - "5896": msg8343, - "5897": msg8344, - "5898": msg8345, - "5899": msg8346, - "590": select498, - "5900": msg8347, - "5901": msg8348, - "5902": msg8349, - "5903": msg8350, - "5904": msg8351, - "5905": msg8352, - "5906": msg8353, - "5907": msg8354, - "5908": msg8355, - "5909": msg8356, - "591": select499, - "5910": msg8357, - "5911": msg8358, - "5912": msg8359, - "5913": msg8360, - "5914": msg8361, - "5915": msg8362, - "5916": msg8363, - "5917": msg8364, - "5918": msg8365, - "5919": msg8366, - "592": select500, - "5920": msg8367, - "5921": msg8368, - "5922": msg8369, - "5923": msg8370, - "5924": msg8371, - "5925": msg8372, - "5926": msg8373, - "5927": msg8374, - "5928": msg8375, - "5929": msg8376, - "593": select501, - "5930": msg8377, - "5931": msg8378, - "5932": msg8379, - "5933": msg8380, - "5934": msg8381, - "5935": msg8382, - "5936": msg8383, - "5937": msg8384, - "5938": msg8385, - "5939": msg8386, - "594": select502, - "5940": msg8387, - "5941": msg8388, - "5942": msg8389, - "5943": msg8390, - "5944": msg8391, - "5945": msg8392, - "5946": msg8393, - "5947": msg8394, - "5948": msg8395, - "5949": msg8396, - "595": select503, - "5950": msg8397, - "5951": msg8398, - "5952": msg8399, - "5953": msg8400, - "5954": msg8401, - "5955": msg8402, - "5956": msg8403, - "5957": msg8404, - "5958": msg8405, - "5959": msg8406, - "596": select504, - "5960": msg8407, - "5961": msg8408, - "5962": msg8409, - "5963": msg8410, - "5964": msg8411, - "5965": msg8412, - "5966": msg8413, - "5967": msg8414, - "5968": msg8415, - 
"5969": msg8416, - "597": select505, - "5970": msg8417, - "5971": msg8418, - "5972": msg8419, - "5973": msg8420, - "5974": msg8421, - "5975": msg8422, - "5976": msg8423, - "5977": msg8424, - "5978": msg8425, - "5979": msg8426, - "598": select506, - "5980": msg8427, - "5981": msg8428, - "5982": msg8429, - "5983": msg8430, - "5984": msg8431, - "5985": msg8432, - "5986": msg8433, - "5987": msg8434, - "5988": msg8435, - "5989": msg8436, - "599": select507, - "5990": msg8437, - "5991": msg8438, - "5992": msg8439, - "5993": msg8440, - "5994": msg8441, - "5995": msg8442, - "5996": msg8443, - "5997": msg8444, - "5998": msg8445, - "5999": msg8446, - "6": select11, - "600": select508, - "6000": msg8447, - "6000022": msg38279, - "6000025": msg38281, - "600009": msg38276, - "600010": msg38277, - "600015": msg38278, - "600023": msg38280, - "6001": msg8448, - "6002": msg8449, - "6003": msg8450, - "6004": msg8451, - "6005": msg8452, - "6006": msg8453, - "6007": msg8454, - "6008": msg8455, - "6009": msg8456, - "601": select509, - "6010": msg8457, - "6011": msg8458, - "6012": msg8459, - "6013": msg8460, - "6014": msg8461, - "6015": msg8462, - "6016": msg8463, - "6017": msg8464, - "6018": msg8465, - "6019": msg8466, - "602": select510, - "6020": msg8467, - "6021": msg8468, - "6022": msg8469, - "6023": msg8470, - "6024": msg8471, - "6025": msg8472, - "6026": msg8473, - "6027": msg8474, - "6028": msg8475, - "6029": msg8476, - "603": select511, - "6030": msg8477, - "6031": msg8478, - "6032": msg8479, - "6033": msg8480, - "6034": msg8481, - "6035": msg8482, - "6036": msg8483, - "6037": msg8484, - "6038": msg8485, - "6039": msg8486, - "604": select512, - "6040": msg8487, - "6041": msg8488, - "6042": msg8489, - "6043": msg8490, - "6044": msg8491, - "6045": msg8492, - "6046": msg8493, - "6047": msg8494, - "6048": msg8495, - "6049": msg8496, - "605": select513, - "6050": msg8497, - "6051": msg8498, - "6052": msg8499, - "6053": msg8500, - "6054": msg8501, - "6055": msg8502, - "6056": 
msg8503, - "6057": msg8504, - "6058": msg8505, - "6059": msg8506, - "606": select514, - "6060": msg8507, - "6061": msg8508, - "6062": msg8509, - "6063": msg8510, - "6064": msg8511, - "6065": msg8512, - "6066": msg8513, - "6067": msg8514, - "6068": msg8515, - "6069": msg8516, - "607": select515, - "6070": msg8517, - "6071": msg8518, - "6072": msg8519, - "6073": msg8520, - "6074": msg8521, - "6075": msg8522, - "6076": msg8523, - "6077": msg8524, - "6078": msg8525, - "6079": msg8526, - "608": select516, - "6080": msg8527, - "6081": msg8528, - "6082": msg8529, - "6083": msg8530, - "6084": msg8531, - "6085": msg8532, - "6086": msg8533, - "6087": msg8534, - "6088": msg8535, - "6089": msg8536, - "609": select517, - "6090": msg8537, - "6091": msg8538, - "6092": msg8539, - "6093": msg8540, - "6094": msg8541, - "6095": msg8542, - "6096": msg8543, - "6097": msg8544, - "6098": msg8545, - "6099": msg8546, - "610": select518, - "6100": msg8547, - "6101": msg8548, - "6102": msg8549, - "6103": msg8550, - "6104": msg8551, - "6105": msg8552, - "6106": msg8553, - "6107": msg8554, - "6108": msg8555, - "6109": msg8556, - "611": select519, - "6110": msg8557, - "6111": msg8558, - "6112": msg8559, - "6113": msg8560, - "6114": msg8561, - "6115": msg8562, - "6116": msg8563, - "6117": msg8564, - "6118": msg8565, - "6119": msg8566, - "612": select520, - "6120": msg8567, - "6121": msg8568, - "6122": msg8569, - "6123": msg8570, - "6124": msg8571, - "6125": msg8572, - "6126": msg8573, - "6127": msg8574, - "6128": msg8575, - "6129": msg8576, - "613": select521, - "6130": msg8577, - "6131": msg8578, - "6132": msg8579, - "6133": msg8580, - "6134": msg8581, - "6135": msg8582, - "6136": msg8583, - "6137": msg8584, - "6138": msg8585, - "6139": msg8586, - "614": select522, - "6140": msg8587, - "6141": msg8588, - "6142": msg8589, - "6143": msg8590, - "6144": msg8591, - "6145": msg8592, - "6146": msg8593, - "6147": msg8594, - "6148": msg8595, - "6149": msg8596, - "615": select523, - "6150": msg8597, - 
"6151": msg8598, - "6152": msg8599, - "6153": msg8600, - "6154": msg8601, - "6155": msg8602, - "6156": msg8603, - "6157": msg8604, - "6158": msg8605, - "6159": msg8606, - "616": select524, - "6160": msg8607, - "6161": msg8608, - "6162": msg8609, - "6163": msg8610, - "6164": msg8611, - "6165": msg8612, - "6166": msg8613, - "6167": msg8614, - "6168": msg8615, - "6169": msg8616, - "617": select525, - "6170": msg8617, - "6171": msg8618, - "6172": msg8619, - "6173": msg8620, - "6174": msg8621, - "6175": msg8622, - "6176": msg8623, - "6177": msg8624, - "6178": msg8625, - "6179": msg8626, - "618": select526, - "6180": msg8627, - "6181": msg8628, - "6182": msg8629, - "6183": msg8630, - "6184": msg8631, - "6185": msg8632, - "6186": msg8633, - "6187": msg8634, - "6188": msg8635, - "6189": msg8636, - "619": select527, - "6190": msg8637, - "6191": msg8638, - "6192": msg8639, - "6193": msg8640, - "6194": msg8641, - "6195": msg8642, - "6196": msg8643, - "6197": msg8644, - "6198": msg8645, - "6199": msg8646, - "620": select528, - "6200": msg8647, - "6201": msg8648, - "6202": msg8649, - "6203": msg8650, - "6204": msg8651, - "6205": msg8652, - "6206": msg8653, - "6207": msg8654, - "6208": msg8655, - "6209": msg8656, - "621": select529, - "6210": msg8657, - "6211": msg8658, - "6212": msg8659, - "6213": msg8660, - "6214": msg8661, - "6215": msg8662, - "6216": msg8663, - "6217": msg8664, - "6218": msg8665, - "6219": msg8666, - "622": select530, - "6220": msg8667, - "6221": msg8668, - "6222": msg8669, - "6223": msg8670, - "6224": msg8671, - "6225": msg8672, - "6226": msg8673, - "6227": msg8674, - "6228": msg8675, - "6229": msg8676, - "623": select531, - "6230": msg8677, - "6231": msg8678, - "6232": msg8679, - "6233": msg8680, - "6234": msg8681, - "6235": msg8682, - "6236": msg8683, - "6237": msg8684, - "6238": msg8685, - "6239": msg8686, - "624": select532, - "6240": msg8687, - "6241": msg8688, - "6242": msg8689, - "6243": msg8690, - "6244": msg8691, - "6245": msg8692, - "6246": 
msg8693, - "6247": msg8694, - "6248": msg8695, - "6249": msg8696, - "625": select533, - "6250": msg8697, - "6251": msg8698, - "6252": msg8699, - "6253": msg8700, - "6254": msg8701, - "6255": msg8702, - "6256": msg8703, - "6257": msg8704, - "6258": msg8705, - "6259": msg8706, - "626": select534, - "6260": msg8707, - "6261": msg8708, - "6262": msg8709, - "6263": msg8710, - "6264": msg8711, - "6265": msg8712, - "6266": msg8713, - "6267": msg8714, - "6268": msg8715, - "6269": msg8716, - "627": select535, - "6270": msg8717, - "6271": msg8718, - "6272": msg8719, - "6273": msg8720, - "6274": msg8721, - "6275": msg8722, - "6276": msg8723, - "6277": msg8724, - "6278": msg8725, - "6279": msg8726, - "628": select536, - "6280": msg8727, - "6281": msg8728, - "6282": msg8729, - "6283": msg8730, - "6284": msg8731, - "6285": msg8732, - "6286": msg8733, - "6287": msg8734, - "6288": msg8735, - "6289": msg8736, - "629": select537, - "6290": msg8737, - "6291": msg8738, - "6292": msg8739, - "6293": msg8740, - "6294": msg8741, - "6295": msg8742, - "6296": msg8743, - "6297": msg8744, - "6298": msg8745, - "6299": msg8746, - "630": select538, - "6300": msg8747, - "6301": msg8748, - "6302": msg8749, - "6303": msg8750, - "6304": msg8751, - "6305": msg8752, - "6306": msg8753, - "6307": msg8754, - "6308": msg8755, - "6309": msg8756, - "631": select539, - "6310": msg8757, - "6311": msg8758, - "6312": msg8759, - "6313": msg8760, - "6314": msg8761, - "6315": msg8762, - "6316": msg8763, - "6317": msg8764, - "6318": msg8765, - "6319": msg8766, - "632": select540, - "6320": msg8767, - "6321": msg8768, - "6322": msg8769, - "6323": msg8770, - "6324": msg8771, - "6325": msg8772, - "6326": msg8773, - "6327": msg8774, - "6328": msg8775, - "6329": msg8776, - "6330": msg8777, - "6331": msg8778, - "6332": msg8779, - "6333": msg8780, - "6334": msg8781, - "6335": msg8782, - "6336": msg8783, - "6337": msg8784, - "6338": msg8785, - "6339": msg8786, - "634": select541, - "6340": msg8787, - "6341": msg8788, - 
"6342": msg8789, - "6343": msg8790, - "6344": msg8791, - "6345": msg8792, - "6346": msg8793, - "6347": msg8794, - "6348": msg8795, - "6349": msg8796, - "635": select542, - "6350": msg8797, - "6351": msg8798, - "6352": msg8799, - "6353": msg8800, - "6354": msg8801, - "6355": msg8802, - "6356": msg8803, - "6357": msg8804, - "6358": msg8805, - "6359": msg8806, - "636": select543, - "6360": msg8807, - "6361": msg8808, - "6362": msg8809, - "6363": msg8810, - "6364": msg8811, - "6365": msg8812, - "6366": msg8813, - "6367": msg8814, - "6368": msg8815, - "6369": msg8816, - "637": select544, - "6370": msg8817, - "6371": msg8818, - "6372": msg8819, - "6373": msg8820, - "6374": msg8821, - "6375": msg8822, - "6376": msg8823, - "6377": msg8824, - "6378": msg8825, - "6379": msg8826, - "638": select545, - "6380": msg8827, - "6381": msg8828, - "6382": msg8829, - "6383": msg8830, - "6384": msg8831, - "6385": msg8832, - "6386": msg8833, - "6387": msg8834, - "6388": msg8835, - "6389": msg8836, - "639": select546, - "6390": msg8837, - "6391": msg8838, - "6392": msg8839, - "6393": msg8840, - "6394": msg8841, - "6395": msg8842, - "6396": msg8843, - "6397": msg8844, - "6398": msg8845, - "6399": msg8846, - "640": select547, - "6400": msg8847, - "6401": msg8848, - "6402": msg8849, - "6403": msg8850, - "6404": msg8851, - "6405": msg8852, - "6406": msg8853, - "6407": msg8854, - "6408": msg8855, - "6409": msg8856, - "641": select548, - "6410": msg8857, - "6411": msg8858, - "6412": msg8859, - "6413": msg8860, - "6414": msg8861, - "6415": msg8862, - "6416": msg8863, - "6417": msg8864, - "6418": msg8865, - "6419": msg8866, - "642": select549, - "6420": msg8867, - "6421": msg8868, - "6422": msg8869, - "6423": msg8870, - "6424": msg8871, - "6425": msg8872, - "6426": msg8873, - "6427": msg8874, - "6428": msg8875, - "6429": msg8876, - "643": select550, - "6430": msg8877, - "6431": msg8878, - "6432": msg8879, - "6433": msg8880, - "6434": msg8881, - "6435": msg8882, - "6436": msg8883, - "6437": 
msg8884, - "6438": msg8885, - "6439": msg8886, - "644": select551, - "6440": msg8887, - "6441": msg8888, - "6442": msg8889, - "6443": msg8890, - "6444": msg8891, - "6445": msg8892, - "6446": msg8893, - "6447": msg8894, - "6448": msg8895, - "6449": msg8896, - "645": select552, - "6450": msg8897, - "6451": msg8898, - "6452": msg8899, - "6453": msg8900, - "6454": msg8901, - "6455": msg8902, - "6456": msg8903, - "6457": msg8904, - "6458": msg8905, - "6459": msg8906, - "646": select553, - "6460": msg8907, - "6461": msg8908, - "6462": msg8909, - "6463": msg8910, - "6464": msg8911, - "6465": msg8912, - "6466": msg8913, - "6467": msg8914, - "6468": msg8915, - "6469": msg8916, - "647": select554, - "6470": msg8917, - "6471": msg8918, - "6472": msg8919, - "6473": msg8920, - "6474": msg8921, - "6475": msg8922, - "6476": msg8923, - "6477": msg8924, - "6478": msg8925, - "6479": msg8926, - "648": select555, - "6480": msg8927, - "6481": msg8928, - "6482": msg8929, - "6483": msg8930, - "6484": msg8931, - "6485": msg8932, - "6486": msg8933, - "6487": msg8934, - "6488": msg8935, - "6489": msg8936, - "649": select556, - "6490": msg8937, - "6491": msg8938, - "6492": msg8939, - "6493": msg8940, - "6494": msg8941, - "6495": msg8942, - "6496": msg8943, - "6497": msg8944, - "6498": msg8945, - "6499": msg8946, - "650": select557, - "6500": msg8947, - "6501": msg8948, - "6502": msg8949, - "6503": msg8950, - "6504": msg8951, - "6505": msg8952, - "6506": msg8953, - "6507": msg8954, - "6508": msg8955, - "6509": msg8956, - "651": select558, - "6510": msg8957, - "6511": msg8958, - "6512": msg8959, - "6513": msg8960, - "6514": msg8961, - "6515": msg8962, - "6516": msg8963, - "6517": msg8964, - "6518": msg8965, - "6519": msg8966, - "652": select559, - "6520": msg8967, - "6521": msg8968, - "6522": msg8969, - "6523": msg8970, - "6524": msg8971, - "6525": msg8972, - "6526": msg8973, - "6527": msg8974, - "6528": msg8975, - "6529": msg8976, - "653": select560, - "6530": msg8977, - "6531": msg8978, - 
"6532": msg8979, - "6533": msg8980, - "6534": msg8981, - "6535": msg8982, - "6536": msg8983, - "6537": msg8984, - "6538": msg8985, - "6539": msg8986, - "654": select561, - "6540": msg8987, - "6541": msg8988, - "6542": msg8989, - "6543": msg8990, - "6544": msg8991, - "6545": msg8992, - "6546": msg8993, - "6547": msg8994, - "6548": msg8995, - "6549": msg8996, - "655": select562, - "6550": msg8997, - "6551": msg8998, - "6552": msg8999, - "6553": msg9000, - "6554": msg9001, - "6555": msg9002, - "6556": msg9003, - "6557": msg9004, - "6558": msg9005, - "6559": msg9006, - "656": select563, - "6560": msg9007, - "6561": msg9008, - "6562": msg9009, - "6563": msg9010, - "6564": msg9011, - "6565": msg9012, - "6566": msg9013, - "6567": msg9014, - "6568": msg9015, - "6569": msg9016, - "657": select564, - "6570": msg9017, - "6571": msg9018, - "6572": msg9019, - "6573": msg9020, - "6574": msg9021, - "6575": msg9022, - "6576": msg9023, - "6577": msg9024, - "6578": msg9025, - "6579": msg9026, - "658": select565, - "6580": msg9027, - "6581": msg9028, - "6582": msg9029, - "6583": msg9030, - "6584": msg9031, - "6585": msg9032, - "6586": msg9033, - "6587": msg9034, - "6588": msg9035, - "6589": msg9036, - "659": select566, - "6590": msg9037, - "6591": msg9038, - "6592": msg9039, - "6593": msg9040, - "6594": msg9041, - "6595": msg9042, - "6596": msg9043, - "6597": msg9044, - "6598": msg9045, - "6599": msg9046, - "660": select567, - "6600": msg9047, - "6601": msg9048, - "6602": msg9049, - "6603": msg9050, - "6604": msg9051, - "6605": msg9052, - "6606": msg9053, - "6607": msg9054, - "6608": msg9055, - "6609": msg9056, - "661": select568, - "6610": msg9057, - "6611": msg9058, - "6612": msg9059, - "6613": msg9060, - "6614": msg9061, - "6615": msg9062, - "6616": msg9063, - "6617": msg9064, - "6618": msg9065, - "6619": msg9066, - "662": select569, - "6620": msg9067, - "6621": msg9068, - "6622": msg9069, - "6623": msg9070, - "6624": msg9071, - "6625": msg9072, - "6626": msg9073, - "6627": 
msg9074, - "6628": msg9075, - "6629": msg9076, - "663": select570, - "6630": msg9077, - "6631": msg9078, - "6632": msg9079, - "6633": msg9080, - "6634": msg9081, - "6635": msg9082, - "6636": msg9083, - "6637": msg9084, - "6638": msg9085, - "6639": msg9086, - "664": select571, - "6640": msg9087, - "6641": msg9088, - "6642": msg9089, - "6643": msg9090, - "6644": msg9091, - "6645": msg9092, - "6646": msg9093, - "6647": msg9094, - "6648": msg9095, - "6649": msg9096, - "665": select572, - "6650": msg9097, - "6651": msg9098, - "6652": msg9099, - "6653": msg9100, - "6654": msg9101, - "6655": msg9102, - "6656": msg9103, - "6657": msg9104, - "6658": msg9105, - "6659": msg9106, - "666": select573, - "6660": msg9107, - "6661": msg9108, - "6662": msg9109, - "6663": msg9110, - "6664": msg9111, - "6665": msg9112, - "6666": msg9113, - "6667": msg9114, - "6668": msg9115, - "6669": msg9116, - "667": select574, - "6670": msg9117, - "6671": msg9118, - "6672": msg9119, - "6673": msg9120, - "6674": msg9121, - "6675": msg9122, - "6676": msg9123, - "6677": msg9124, - "6678": msg9125, - "6679": msg9126, - "668": select575, - "6680": msg9127, - "6681": msg9128, - "6682": msg9129, - "6683": msg9130, - "6684": msg9131, - "6685": msg9132, - "6686": msg9133, - "6687": msg9134, - "6688": msg9135, - "6689": msg9136, - "669": select576, - "6690": msg9137, - "6691": msg9138, - "6692": msg9139, - "6693": msg9140, - "6694": msg9141, - "6695": msg9142, - "6696": msg9143, - "6697": msg9144, - "6698": msg9145, - "6699": msg9146, - "670": select577, - "6700": msg9147, - "6701": msg9148, - "6702": msg9149, - "6703": msg9150, - "6704": msg9151, - "6705": msg9152, - "6706": msg9153, - "6707": msg9154, - "6708": msg9155, - "6709": msg9156, - "671": select578, - "6710": msg9157, - "6711": msg9158, - "6712": msg9159, - "6713": msg9160, - "6714": msg9161, - "6715": msg9162, - "6716": msg9163, - "6717": msg9164, - "6718": msg9165, - "6719": msg9166, - "672": select579, - "6720": msg9167, - "6721": msg9168, - 
"6722": msg9169, - "6723": msg9170, - "6724": msg9171, - "6725": msg9172, - "6726": msg9173, - "6727": msg9174, - "6728": msg9175, - "6729": msg9176, - "673": select580, - "6730": msg9177, - "6731": msg9178, - "6732": msg9179, - "6733": msg9180, - "6734": msg9181, - "6735": msg9182, - "6736": msg9183, - "6737": msg9184, - "6738": msg9185, - "6739": msg9186, - "674": select581, - "6740": msg9187, - "6741": msg9188, - "6742": msg9189, - "6743": msg9190, - "6744": msg9191, - "6745": msg9192, - "6746": msg9193, - "6747": msg9194, - "6748": msg9195, - "6749": msg9196, - "675": select582, - "6750": msg9197, - "6751": msg9198, - "6752": msg9199, - "6753": msg9200, - "6754": msg9201, - "6755": msg9202, - "6756": msg9203, - "6757": msg9204, - "6758": msg9205, - "6759": msg9206, - "676": select583, - "6760": msg9207, - "6761": msg9208, - "6762": msg9209, - "6763": msg9210, - "6764": msg9211, - "6765": msg9212, - "6766": msg9213, - "6767": msg9214, - "6768": msg9215, - "6769": msg9216, - "677": select584, - "6770": msg9217, - "6771": msg9218, - "6772": msg9219, - "6773": msg9220, - "6774": msg9221, - "6775": msg9222, - "6776": msg9223, - "6777": msg9224, - "6778": msg9225, - "6779": msg9226, - "678": select585, - "6780": msg9227, - "6781": msg9228, - "6782": msg9229, - "6783": msg9230, - "6784": msg9231, - "6785": msg9232, - "6786": msg9233, - "6787": msg9234, - "6788": msg9235, - "6789": msg9236, - "679": select586, - "6790": msg9237, - "6791": msg9238, - "6792": msg9239, - "6793": msg9240, - "6794": msg9241, - "6795": msg9242, - "6796": msg9243, - "6797": msg9244, - "6798": msg9245, - "6799": msg9246, - "680": select587, - "6800": msg9247, - "6801": msg9248, - "6802": msg9249, - "6803": msg9250, - "6804": msg9251, - "6805": msg9252, - "6806": msg9253, - "6807": msg9254, - "6808": msg9255, - "6809": msg9256, - "681": select588, - "6810": msg9257, - "6811": msg9258, - "6812": msg9259, - "6813": msg9260, - "6814": msg9261, - "6815": msg9262, - "6816": msg9263, - "6817": 
msg9264, - "6818": msg9265, - "6819": msg9266, - "682": select589, - "6820": msg9267, - "6821": msg9268, - "6822": msg9269, - "6823": msg9270, - "6824": msg9271, - "6825": msg9272, - "6826": msg9273, - "6827": msg9274, - "6828": msg9275, - "6829": msg9276, - "683": select590, - "6830": msg9277, - "6831": msg9278, - "6832": msg9279, - "6833": msg9280, - "6834": msg9281, - "6835": msg9282, - "6836": msg9283, - "6837": msg9284, - "6838": msg9285, - "6839": msg9286, - "684": select591, - "6840": msg9287, - "6841": msg9288, - "6842": msg9289, - "6843": msg9290, - "6844": msg9291, - "6845": msg9292, - "6846": msg9293, - "6847": msg9294, - "6848": msg9295, - "6849": msg9296, - "685": select592, - "6850": msg9297, - "6851": msg9298, - "6852": msg9299, - "6853": msg9300, - "6854": msg9301, - "6855": msg9302, - "6856": msg9303, - "6857": msg9304, - "6858": msg9305, - "6859": msg9306, - "686": select593, - "6860": msg9307, - "6861": msg9308, - "6862": msg9309, - "6863": msg9310, - "6864": msg9311, - "6865": msg9312, - "6866": msg9313, - "6867": msg9314, - "6868": msg9315, - "6869": msg9316, - "687": select594, - "6870": msg9317, - "6871": msg9318, - "6872": msg9319, - "6873": msg9320, - "6874": msg9321, - "6875": msg9322, - "6876": msg9323, - "6877": msg9324, - "6878": msg9325, - "6879": msg9326, - "688": select595, - "6880": msg9327, - "6881": msg9328, - "6882": msg9329, - "6883": msg9330, - "6884": msg9331, - "6885": msg9332, - "6886": msg9333, - "6887": msg9334, - "6888": msg9335, - "6889": msg9336, - "689": select596, - "6890": msg9337, - "6891": msg9338, - "6892": msg9339, - "6893": msg9340, - "6894": msg9341, - "6895": msg9342, - "6896": msg9343, - "6897": msg9344, - "6898": msg9345, - "6899": msg9346, - "690": select597, - "6900": msg9347, - "6901": msg9348, - "6902": msg9349, - "6903": msg9350, - "6904": msg9351, - "6905": msg9352, - "6906": msg9353, - "6907": msg9354, - "6908": msg9355, - "6909": msg9356, - "691": select598, - "6910": msg9357, - "6911": msg9358, - 
"6912": msg9359, - "6913": msg9360, - "6914": msg9361, - "6915": msg9362, - "6916": msg9363, - "6917": msg9364, - "6918": msg9365, - "6919": msg9366, - "692": select599, - "6920": msg9367, - "6921": msg9368, - "6922": msg9369, - "6923": msg9370, - "6924": msg9371, - "6925": msg9372, - "6926": msg9373, - "6927": msg9374, - "6928": msg9375, - "6929": msg9376, - "693": select600, - "6930": msg9377, - "6931": msg9378, - "6932": msg9379, - "6933": msg9380, - "6934": msg9381, - "6935": msg9382, - "6936": msg9383, - "6937": msg9384, - "6938": msg9385, - "6939": msg9386, - "694": select601, - "6940": msg9387, - "6941": msg9388, - "6942": msg9389, - "6943": msg9390, - "6944": msg9391, - "6945": msg9392, - "6946": msg9393, - "6947": msg9394, - "6948": msg9395, - "6949": msg9396, - "695": select602, - "6950": msg9397, - "6951": msg9398, - "6952": msg9399, - "6953": msg9400, - "6954": msg9401, - "6955": msg9402, - "6956": msg9403, - "6957": msg9404, - "6958": msg9405, - "6959": msg9406, - "696": select603, - "6960": msg9407, - "6961": msg9408, - "6962": msg9409, - "6963": msg9410, - "6964": msg9411, - "6965": msg9412, - "6966": msg9413, - "6967": msg9414, - "6968": msg9415, - "6969": msg9416, - "697": select604, - "6970": msg9417, - "6971": msg9418, - "6972": msg9419, - "6973": msg9420, - "6974": msg9421, - "6975": msg9422, - "6976": msg9423, - "6977": msg9424, - "6978": msg9425, - "6979": msg9426, - "698": select605, - "6980": msg9427, - "6981": msg9428, - "6982": msg9429, - "6983": msg9430, - "6984": msg9431, - "6985": msg9432, - "6986": msg9433, - "6987": msg9434, - "6988": msg9435, - "6989": msg9436, - "699": select606, - "6990": msg9437, - "6991": msg9438, - "6992": msg9439, - "6993": msg9440, - "6994": msg9441, - "6995": msg9442, - "6996": msg9443, - "6997": msg9444, - "6998": msg9445, - "6999": msg9446, - "7": select12, - "700": select607, - "7000": msg9447, - "7001": msg9448, - "7002": msg9449, - "7003": msg9450, - "7004": msg9451, - "7005": msg9452, - "7006": msg9453, 
- "7007": msg9454, - "7008": msg9455, - "7009": msg9456, - "701": select608, - "7010": msg9457, - "7011": msg9458, - "7012": msg9459, - "7013": msg9460, - "7014": msg9461, - "7015": msg9462, - "7016": msg9463, - "7017": msg9464, - "7018": msg9465, - "7019": msg9466, - "702": select609, - "7020": msg9467, - "7021": msg9468, - "7022": msg9469, - "7023": msg9470, - "7024": msg9471, - "7025": msg9472, - "7026": msg9473, - "7027": msg9474, - "7028": msg9475, - "7029": msg9476, - "703": select610, - "7030": msg9477, - "7031": msg9478, - "7032": msg9479, - "7033": msg9480, - "7034": msg9481, - "7035": msg9482, - "7036": msg9483, - "7037": msg9484, - "7038": msg9485, - "7039": msg9486, - "704": select611, - "7040": msg9487, - "7041": msg9488, - "7042": msg9489, - "7043": msg9490, - "7044": msg9491, - "7045": msg9492, - "7046": msg9493, - "7047": msg9494, - "7048": msg9495, - "7049": msg9496, - "705": select612, - "7050": msg9497, - "7051": msg9498, - "7052": msg9499, - "7053": msg9500, - "7054": msg9501, - "7055": msg9502, - "7056": msg9503, - "7057": msg9504, - "7058": msg9505, - "7059": msg9506, - "706": select613, - "7060": msg9507, - "7061": msg9508, - "7062": msg9509, - "7063": msg9510, - "7064": msg9511, - "7065": msg9512, - "7066": msg9513, - "7067": msg9514, - "7068": msg9515, - "7069": msg9516, - "707": select614, - "7070": msg9517, - "7071": msg9518, - "7072": msg9519, - "7073": msg9520, - "7074": msg9521, - "7075": msg9522, - "7076": msg9523, - "7077": msg9524, - "7078": msg9525, - "7079": msg9526, - "708": select615, - "7080": msg9527, - "7081": msg9528, - "7082": msg9529, - "7083": msg9530, - "7084": msg9531, - "7085": msg9532, - "7086": msg9533, - "7087": msg9534, - "7088": msg9535, - "7089": msg9536, - "709": select616, - "7090": msg9537, - "7091": msg9538, - "7092": msg9539, - "7093": msg9540, - "7094": msg9541, - "7095": msg9542, - "7096": msg9543, - "7097": msg9544, - "7098": msg9545, - "7099": msg9546, - "710": select617, - "7100": msg9547, - "7101": 
msg9548, - "7102": msg9549, - "7103": msg9550, - "7104": msg9551, - "7105": msg9552, - "7106": msg9553, - "7107": msg9554, - "7108": msg9555, - "7109": msg9556, - "711": select618, - "7110": msg9557, - "7111": msg9558, - "7112": msg9559, - "7113": msg9560, - "7114": msg9561, - "7115": msg9562, - "7116": msg9563, - "7117": msg9564, - "7118": msg9565, - "7119": msg9566, - "712": select619, - "7120": msg9567, - "7121": msg9568, - "7122": msg9569, - "7123": msg9570, - "7124": msg9571, - "7125": msg9572, - "7126": msg9573, - "7127": msg9574, - "7128": msg9575, - "7129": msg9576, - "713": select620, - "7130": msg9577, - "7131": msg9578, - "7132": msg9579, - "7133": msg9580, - "7134": msg9581, - "7135": msg9582, - "7136": msg9583, - "7137": msg9584, - "7138": msg9585, - "7139": msg9586, - "714": select621, - "7140": msg9587, - "7141": msg9588, - "7142": msg9589, - "7143": msg9590, - "7144": msg9591, - "7145": msg9592, - "7146": msg9593, - "7147": msg9594, - "7148": msg9595, - "7149": msg9596, - "715": select622, - "7150": msg9597, - "7151": msg9598, - "7152": msg9599, - "7153": msg9600, - "7154": msg9601, - "7155": msg9602, - "7156": msg9603, - "7157": msg9604, - "7158": msg9605, - "7159": msg9606, - "716": select623, - "7160": msg9607, - "7161": msg9608, - "7162": msg9609, - "7163": msg9610, - "7164": msg9611, - "7165": msg9612, - "7166": msg9613, - "7167": msg9614, - "7168": msg9615, - "7169": msg9616, - "717": select624, - "7170": msg9617, - "7171": msg9618, - "7172": msg9619, - "7173": msg9620, - "7174": msg9621, - "7175": msg9622, - "7176": msg9623, - "7177": msg9624, - "7178": msg9625, - "7179": msg9626, - "718": select625, - "7180": msg9627, - "7181": msg9628, - "7182": msg9629, - "7183": msg9630, - "7184": msg9631, - "7185": msg9632, - "7186": msg9633, - "7187": msg9634, - "7188": msg9635, - "7189": msg9636, - "719": select626, - "7190": msg9637, - "7191": msg9638, - "7192": msg9639, - "7193": msg9640, - "7194": msg9641, - "7195": msg9642, - "7196": msg9643, - 
"7197": msg9644, - "7198": msg9645, - "7199": msg9646, - "720": select627, - "7200": msg9647, - "7201": msg9648, - "7202": msg9649, - "7203": msg9650, - "7204": msg9651, - "7205": msg9652, - "7206": msg9653, - "7207": msg9654, - "7208": msg9655, - "7209": msg9656, - "721": select628, - "7210": msg9657, - "7211": msg9658, - "7212": msg9659, - "7213": msg9660, - "7214": msg9661, - "7215": msg9662, - "7216": msg9663, - "7217": msg9664, - "7218": msg9665, - "7219": msg9666, - "722": select629, - "7220": msg9667, - "7221": msg9668, - "7222": msg9669, - "7223": msg9670, - "7224": msg9671, - "7225": msg9672, - "7226": msg9673, - "7227": msg9674, - "7228": msg9675, - "7229": msg9676, - "723": select630, - "7230": msg9677, - "7231": msg9678, - "7232": msg9679, - "7233": msg9680, - "7234": msg9681, - "7235": msg9682, - "7236": msg9683, - "7237": msg9684, - "7238": msg9685, - "7239": msg9686, - "724": select631, - "7240": msg9687, - "7241": msg9688, - "7242": msg9689, - "7243": msg9690, - "7244": msg9691, - "7245": msg9692, - "7246": msg9693, - "7247": msg9694, - "7248": msg9695, - "7249": msg9696, - "725": select632, - "7250": msg9697, - "7251": msg9698, - "7252": msg9699, - "7253": msg9700, - "7254": msg9701, - "7255": msg9702, - "7256": msg9703, - "7257": msg9704, - "7258": msg9705, - "7259": msg9706, - "726": select633, - "7260": msg9707, - "7261": msg9708, - "7262": msg9709, - "7263": msg9710, - "7264": msg9711, - "7265": msg9712, - "7266": msg9713, - "7267": msg9714, - "7268": msg9715, - "7269": msg9716, - "727": select634, - "7270": msg9717, - "7271": msg9718, - "7272": msg9719, - "7273": msg9720, - "7274": msg9721, - "7275": msg9722, - "7276": msg9723, - "7277": msg9724, - "7278": msg9725, - "7279": msg9726, - "728": select635, - "7280": msg9727, - "7281": msg9728, - "7282": msg9729, - "7283": msg9730, - "7284": msg9731, - "7285": msg9732, - "7286": msg9733, - "7287": msg9734, - "7288": msg9735, - "7289": msg9736, - "729": select636, - "7290": msg9737, - "7291": 
msg9738, - "7292": msg9739, - "7293": msg9740, - "7294": msg9741, - "7295": msg9742, - "7296": msg9743, - "7297": msg9744, - "7298": msg9745, - "7299": msg9746, - "730": select637, - "7300": msg9747, - "7301": msg9748, - "7302": msg9749, - "7303": msg9750, - "7304": msg9751, - "7305": msg9752, - "7306": msg9753, - "7307": msg9754, - "7308": msg9755, - "7309": msg9756, - "731": select638, - "7310": msg9757, - "7311": msg9758, - "7312": msg9759, - "7313": msg9760, - "7314": msg9761, - "7315": msg9762, - "7316": msg9763, - "7317": msg9764, - "7318": msg9765, - "7319": msg9766, - "732": select639, - "7320": msg9767, - "7321": msg9768, - "7322": msg9769, - "7323": msg9770, - "7324": msg9771, - "7325": msg9772, - "7326": msg9773, - "7327": msg9774, - "7328": msg9775, - "7329": msg9776, - "733": select640, - "7330": msg9777, - "7331": msg9778, - "7332": msg9779, - "7333": msg9780, - "7334": msg9781, - "7335": msg9782, - "7336": msg9783, - "7337": msg9784, - "7338": msg9785, - "7339": msg9786, - "734": select641, - "7340": msg9787, - "7341": msg9788, - "7342": msg9789, - "7343": msg9790, - "7344": msg9791, - "7345": msg9792, - "7346": msg9793, - "7347": msg9794, - "7348": msg9795, - "7349": msg9796, - "735": select642, - "7350": msg9797, - "7351": msg9798, - "7352": msg9799, - "7353": msg9800, - "7354": msg9801, - "7355": msg9802, - "7356": msg9803, - "7357": msg9804, - "7358": msg9805, - "7359": msg9806, - "736": select643, - "7360": msg9807, - "7361": msg9808, - "7362": msg9809, - "7363": msg9810, - "7364": msg9811, - "7365": msg9812, - "7366": msg9813, - "7367": msg9814, - "7368": msg9815, - "7369": msg9816, - "737": select644, - "7370": msg9817, - "7371": msg9818, - "7372": msg9819, - "7373": msg9820, - "7374": msg9821, - "7375": msg9822, - "7376": msg9823, - "7377": msg9824, - "7378": msg9825, - "7379": msg9826, - "738": select645, - "7380": msg9827, - "7381": msg9828, - "7382": msg9829, - "7383": msg9830, - "7384": msg9831, - "7385": msg9832, - "7386": msg9833, - 
"7387": msg9834, - "7388": msg9835, - "7389": msg9836, - "739": select646, - "7390": msg9837, - "7391": msg9838, - "7392": msg9839, - "7393": msg9840, - "7394": msg9841, - "7395": msg9842, - "7396": msg9843, - "7397": msg9844, - "7398": msg9845, - "7399": msg9846, - "740": select647, - "7400": msg9847, - "7401": msg9848, - "7402": msg9849, - "7403": msg9850, - "7404": msg9851, - "7405": msg9852, - "7406": msg9853, - "7407": msg9854, - "7408": msg9855, - "7409": msg9856, - "741": select648, - "7410": msg9857, - "7411": msg9858, - "7412": msg9859, - "7413": msg9860, - "7414": msg9861, - "7415": msg9862, - "7416": msg9863, - "7417": msg9864, - "7418": msg9865, - "7419": msg9866, - "742": select649, - "7420": msg9867, - "7421": msg9868, - "7422": msg9869, - "7423": msg9870, - "7424": msg9871, - "7425": msg9872, - "7426": msg9873, - "7427": msg9874, - "7428": msg9875, - "7429": msg9876, - "743": select650, - "7430": msg9877, - "7431": msg9878, - "7432": msg9879, - "7433": msg9880, - "7434": msg9881, - "7435": msg9882, - "7436": msg9883, - "7437": msg9884, - "7438": msg9885, - "7439": msg9886, - "744": select651, - "7440": msg9887, - "7441": msg9888, - "7442": msg9889, - "7443": msg9890, - "7444": msg9891, - "7445": msg9892, - "7446": msg9893, - "7447": msg9894, - "7448": msg9895, - "7449": msg9896, - "745": select652, - "7450": msg9897, - "7451": msg9898, - "7452": msg9899, - "7453": msg9900, - "7454": msg9901, - "7455": msg9902, - "7456": msg9903, - "7457": msg9904, - "7458": msg9905, - "7459": msg9906, - "746": select653, - "7460": msg9907, - "7461": msg9908, - "7462": msg9909, - "7463": msg9910, - "7464": msg9911, - "7465": msg9912, - "7466": msg9913, - "7467": msg9914, - "7468": msg9915, - "7469": msg9916, - "747": select654, - "7470": msg9917, - "7471": msg9918, - "7472": msg9919, - "7473": msg9920, - "7474": msg9921, - "7475": msg9922, - "7476": msg9923, - "7477": msg9924, - "7478": msg9925, - "7479": msg9926, - "748": select655, - "7480": msg9927, - "7481": 
msg9928, - "7482": msg9929, - "7483": msg9930, - "7484": msg9931, - "7485": msg9932, - "7486": msg9933, - "7487": msg9934, - "7488": msg9935, - "7489": msg9936, - "749": select656, - "7490": msg9937, - "7491": msg9938, - "7492": msg9939, - "7493": msg9940, - "7494": msg9941, - "7495": msg9942, - "7496": msg9943, - "7497": msg9944, - "7498": msg9945, - "7499": msg9946, - "7500": msg9947, - "7501": msg9948, - "7502": msg9949, - "7503": msg9950, - "7504": msg9951, - "7505": msg9952, - "7506": msg9953, - "7507": msg9954, - "7508": msg9955, - "7509": msg9956, - "751": select657, - "7510": msg9957, - "7511": msg9958, - "7512": msg9959, - "7513": msg9960, - "7514": msg9961, - "7515": msg9962, - "7516": msg9963, - "7517": msg9964, - "7518": msg9965, - "7519": msg9966, - "752": select658, - "7520": msg9967, - "7521": msg9968, - "7522": msg9969, - "7523": msg9970, - "7524": msg9971, - "7525": msg9972, - "7526": msg9973, - "7527": msg9974, - "7528": msg9975, - "7529": msg9976, - "753": select659, - "7530": msg9977, - "7531": msg9978, - "7532": msg9979, - "7533": msg9980, - "7534": msg9981, - "7535": msg9982, - "7536": msg9983, - "7537": msg9984, - "7538": msg9985, - "7539": msg9986, - "754": select660, - "7540": msg9987, - "7541": msg9988, - "7542": msg9989, - "7543": msg9990, - "7544": msg9991, - "7545": msg9992, - "7546": msg9993, - "7547": msg9994, - "7548": msg9995, - "7549": msg9996, - "755": select661, - "7550": msg9997, - "7551": msg9998, - "7552": msg9999, - "7553": msg10000, - "7554": msg10001, - "7555": msg10002, - "7556": msg10003, - "7557": msg10004, - "7558": msg10005, - "7559": msg10006, - "756": select662, - "7560": msg10007, - "7561": msg10008, - "7562": msg10009, - "7563": msg10010, - "7564": msg10011, - "7565": msg10012, - "7566": msg10013, - "7567": msg10014, - "7568": msg10015, - "7569": msg10016, - "757": select663, - "7570": msg10017, - "7571": msg10018, - "7572": msg10019, - "7573": msg10020, - "7574": msg10021, - "7575": msg10022, - "7576": msg10023, - 
"7577": msg10024, - "7578": msg10025, - "7579": msg10026, - "758": select664, - "7580": msg10027, - "7581": msg10028, - "7582": msg10029, - "7583": msg10030, - "7584": msg10031, - "7585": msg10032, - "7586": msg10033, - "7587": msg10034, - "7588": msg10035, - "7589": msg10036, - "759": select665, - "7590": msg10037, - "7591": msg10038, - "7592": msg10039, - "7593": msg10040, - "7594": msg10041, - "7595": msg10042, - "7596": msg10043, - "7597": msg10044, - "7598": msg10045, - "7599": msg10046, - "760": select666, - "7600": msg10047, - "7601": msg10048, - "7602": msg10049, - "7603": msg10050, - "7604": msg10051, - "7605": msg10052, - "7606": msg10053, - "7607": msg10054, - "7608": msg10055, - "7609": msg10056, - "761": select667, - "7610": msg10057, - "7611": msg10058, - "7612": msg10059, - "7613": msg10060, - "7614": msg10061, - "7615": msg10062, - "7616": msg10063, - "7617": msg10064, - "7618": msg10065, - "7619": msg10066, - "762": select668, - "7620": msg10067, - "7621": msg10068, - "7622": msg10069, - "7623": msg10070, - "7624": msg10071, - "7625": msg10072, - "7626": msg10073, - "7627": msg10074, - "7628": msg10075, - "7629": msg10076, - "763": select669, - "7630": msg10077, - "7631": msg10078, - "7632": msg10079, - "7633": msg10080, - "7634": msg10081, - "7635": msg10082, - "7636": msg10083, - "7637": msg10084, - "7638": msg10085, - "7639": msg10086, - "764": select670, - "7640": msg10087, - "7641": msg10088, - "7642": msg10089, - "7643": msg10090, - "7644": msg10091, - "7645": msg10092, - "7646": msg10093, - "7647": msg10094, - "7648": msg10095, - "7649": msg10096, - "765": select671, - "7650": msg10097, - "7651": msg10098, - "7652": msg10099, - "7653": msg10100, - "7654": msg10101, - "7655": msg10102, - "7656": msg10103, - "7657": msg10104, - "7658": msg10105, - "7659": msg10106, - "766": select672, - "7660": msg10107, - "7661": msg10108, - "7662": msg10109, - "7663": msg10110, - "7664": msg10111, - "7665": msg10112, - "7666": msg10113, - "7667": msg10114, - 
"7668": msg10115, - "7669": msg10116, - "767": select673, - "7670": msg10117, - "7671": msg10118, - "7672": msg10119, - "7673": msg10120, - "7674": msg10121, - "7675": msg10122, - "7676": msg10123, - "7677": msg10124, - "7678": msg10125, - "7679": msg10126, - "768": select674, - "7680": msg10127, - "7681": msg10128, - "7682": msg10129, - "7683": msg10130, - "7684": msg10131, - "7685": msg10132, - "7686": msg10133, - "7687": msg10134, - "7688": msg10135, - "7689": msg10136, - "769": select675, - "7690": msg10137, - "7691": msg10138, - "7692": msg10139, - "7693": msg10140, - "7694": msg10141, - "7695": msg10142, - "7696": msg10143, - "7697": msg10144, - "7698": msg10145, - "7699": msg10146, - "770": select676, - "7700": msg10147, - "7701": msg10148, - "7702": msg10149, - "7703": msg10150, - "7704": msg10151, - "7705": msg10152, - "7706": msg10153, - "7707": msg10154, - "7708": msg10155, - "7709": msg10156, - "771": select677, - "7710": msg10157, - "7711": msg10158, - "7712": msg10159, - "7713": msg10160, - "7714": msg10161, - "7715": msg10162, - "7716": msg10163, - "7717": msg10164, - "7718": msg10165, - "7719": msg10166, - "772": select678, - "7720": msg10167, - "7721": msg10168, - "7722": msg10169, - "7723": msg10170, - "7724": msg10171, - "7725": msg10172, - "7726": msg10173, - "7727": msg10174, - "7728": msg10175, - "7729": msg10176, - "773": select679, - "7730": msg10177, - "7731": msg10178, - "7732": msg10179, - "7733": msg10180, - "7734": msg10181, - "7735": msg10182, - "7736": msg10183, - "7737": msg10184, - "7738": msg10185, - "7739": msg10186, - "774": select680, - "7740": msg10187, - "7741": msg10188, - "7742": msg10189, - "7743": msg10190, - "7744": msg10191, - "7745": msg10192, - "7746": msg10193, - "7747": msg10194, - "7748": msg10195, - "7749": msg10196, - "775": select681, - "7750": msg10197, - "7751": msg10198, - "7752": msg10199, - "7753": msg10200, - "7754": msg10201, - "7755": msg10202, - "7756": msg10203, - "7757": msg10204, - "7758": msg10205, - 
"7759": msg10206, - "776": select682, - "7760": msg10207, - "7761": msg10208, - "7762": msg10209, - "7763": msg10210, - "7764": msg10211, - "7765": msg10212, - "7766": msg10213, - "7767": msg10214, - "7768": msg10215, - "7769": msg10216, - "777": select683, - "7770": msg10217, - "7771": msg10218, - "7772": msg10219, - "7773": msg10220, - "7774": msg10221, - "7775": msg10222, - "7776": msg10223, - "7777": msg10224, - "7778": msg10225, - "7779": msg10226, - "778": select684, - "7780": msg10227, - "7781": msg10228, - "7782": msg10229, - "7783": msg10230, - "7784": msg10231, - "7785": msg10232, - "7786": msg10233, - "7787": msg10234, - "7788": msg10235, - "7789": msg10236, - "779": select685, - "7790": msg10237, - "7791": msg10238, - "7792": msg10239, - "7793": msg10240, - "7794": msg10241, - "7795": msg10242, - "7796": msg10243, - "7797": msg10244, - "7798": msg10245, - "7799": msg10246, - "780": select686, - "7800": msg10247, - "7801": msg10248, - "7802": msg10249, - "7803": msg10250, - "7804": msg10251, - "7805": msg10252, - "7806": msg10253, - "7807": msg10254, - "7808": msg10255, - "7809": msg10256, - "781": select687, - "7810": msg10257, - "7811": msg10258, - "7812": msg10259, - "7813": msg10260, - "7814": msg10261, - "7815": msg10262, - "7816": msg10263, - "7817": msg10264, - "7818": msg10265, - "7819": msg10266, - "782": select688, - "7820": msg10267, - "7821": msg10268, - "7822": msg10269, - "7823": msg10270, - "7824": msg10271, - "7825": msg10272, - "7826": msg10273, - "7827": msg10274, - "7828": msg10275, - "7829": msg10276, - "783": select689, - "7830": msg10277, - "7831": msg10278, - "7832": msg10279, - "7833": msg10280, - "7834": msg10281, - "7835": msg10282, - "7836": msg10283, - "7837": msg10284, - "7838": msg10285, - "7839": msg10286, - "784": select690, - "7840": msg10287, - "7841": msg10288, - "7842": msg10289, - "7843": msg10290, - "7844": msg10291, - "7845": msg10292, - "7846": msg10293, - "7847": msg10294, - "7848": msg10295, - "7849": msg10296, - 
"785": select691, - "7850": msg10297, - "7851": msg10298, - "7852": msg10299, - "7853": msg10300, - "7854": msg10301, - "7855": msg10302, - "7856": msg10303, - "7857": msg10304, - "7858": msg10305, - "7859": msg10306, - "786": select692, - "7860": msg10307, - "7861": msg10308, - "7862": msg10309, - "7863": msg10310, - "7864": msg10311, - "7865": msg10312, - "7866": msg10313, - "7867": msg10314, - "7868": msg10315, - "7869": msg10316, - "787": select693, - "7870": msg10317, - "7871": msg10318, - "7872": msg10319, - "7873": msg10320, - "7874": msg10321, - "7875": msg10322, - "7876": msg10323, - "7877": msg10324, - "7878": msg10325, - "7879": msg10326, - "788": select694, - "7880": msg10327, - "7881": msg10328, - "7882": msg10329, - "7883": msg10330, - "7884": msg10331, - "7885": msg10332, - "7886": msg10333, - "7887": msg10334, - "7888": msg10335, - "7889": msg10336, - "789": select695, - "7890": msg10337, - "7891": msg10338, - "7892": msg10339, - "7893": msg10340, - "7894": msg10341, - "7895": msg10342, - "7896": msg10343, - "7897": msg10344, - "7898": msg10345, - "7899": msg10346, - "790": select696, - "7900": msg10347, - "7901": msg10348, - "7902": msg10349, - "7903": msg10350, - "7904": msg10351, - "7905": msg10352, - "7906": msg10353, - "7907": msg10354, - "7908": msg10355, - "7909": msg10356, - "791": select697, - "7910": msg10357, - "7911": msg10358, - "7912": msg10359, - "7913": msg10360, - "7914": msg10361, - "7915": msg10362, - "7916": msg10363, - "7917": msg10364, - "7918": msg10365, - "7919": msg10366, - "792": select698, - "7920": msg10367, - "7921": msg10368, - "7922": msg10369, - "7923": msg10370, - "7924": msg10371, - "7925": msg10372, - "7926": msg10373, - "7927": msg10374, - "7928": msg10375, - "7929": msg10376, - "793": select699, - "7930": msg10377, - "7931": msg10378, - "7932": msg10379, - "7933": msg10380, - "7934": msg10381, - "7935": msg10382, - "7936": msg10383, - "7937": msg10384, - "7938": msg10385, - "7939": msg10386, - "794": select700, - 
"7940": msg10387, - "7941": msg10388, - "7942": msg10389, - "7943": msg10390, - "7944": msg10391, - "7945": msg10392, - "7946": msg10393, - "7947": msg10394, - "7948": msg10395, - "7949": msg10396, - "795": select701, - "7950": msg10397, - "7951": msg10398, - "7952": msg10399, - "7953": msg10400, - "7954": msg10401, - "7955": msg10402, - "7956": msg10403, - "7957": msg10404, - "7958": msg10405, - "7959": msg10406, - "796": select702, - "7960": msg10407, - "7961": msg10408, - "7962": msg10409, - "7963": msg10410, - "7964": msg10411, - "7965": msg10412, - "7966": msg10413, - "7967": msg10414, - "7968": msg10415, - "7969": msg10416, - "797": select703, - "7970": msg10417, - "7971": msg10418, - "7972": msg10419, - "7973": msg10420, - "7974": msg10421, - "7975": msg10422, - "7976": msg10423, - "7977": msg10424, - "7978": msg10425, - "7979": msg10426, - "798": select704, - "7980": msg10427, - "7981": msg10428, - "7982": msg10429, - "7983": msg10430, - "7984": msg10431, - "7985": msg10432, - "7986": msg10433, - "7987": msg10434, - "7988": msg10435, - "7989": msg10436, - "799": select705, - "7990": msg10437, - "7991": msg10438, - "7992": msg10439, - "7993": msg10440, - "7994": msg10441, - "7995": msg10442, - "7996": msg10443, - "7997": msg10444, - "7998": msg10445, - "7999": msg10446, - "8": select13, - "800": select706, - "8000": msg10447, - "8001": msg10448, - "8002": msg10449, - "8003": msg10450, - "8004": msg10451, - "8005": msg10452, - "8006": msg10453, - "8007": msg10454, - "8008": msg10455, - "8009": msg10456, - "801": select707, - "8010": msg10457, - "8011": msg10458, - "8012": msg10459, - "8013": msg10460, - "8014": msg10461, - "8015": msg10462, - "8016": msg10463, - "8017": msg10464, - "8018": msg10465, - "8019": msg10466, - "802": select708, - "8020": msg10467, - "8021": msg10468, - "8022": msg10469, - "8023": msg10470, - "8024": msg10471, - "8025": msg10472, - "8026": msg10473, - "8027": msg10474, - "8028": msg10475, - "8029": msg10476, - "803": select709, - 
"8030": msg10477, - "8031": msg10478, - "8032": msg10479, - "8033": msg10480, - "8034": msg10481, - "8035": msg10482, - "8036": msg10483, - "8037": msg10484, - "8038": msg10485, - "8039": msg10486, - "804": select710, - "8040": msg10487, - "8041": msg10488, - "8042": msg10489, - "8043": msg10490, - "8044": msg10491, - "8045": msg10492, - "8046": msg10493, - "8047": msg10494, - "8048": msg10495, - "8049": msg10496, - "805": select711, - "8050": msg10497, - "8051": msg10498, - "8052": msg10499, - "8053": msg10500, - "8054": msg10501, - "8055": msg10502, - "8056": msg10503, - "8057": msg10504, - "8058": msg10505, - "8059": msg10506, - "806": select712, - "8060": msg10507, - "8061": msg10508, - "8062": msg10509, - "8063": msg10510, - "8064": msg10511, - "8065": msg10512, - "8066": msg10513, - "8067": msg10514, - "8068": msg10515, - "8069": msg10516, - "807": select713, - "8070": msg10517, - "8071": msg10518, - "8072": msg10519, - "8073": msg10520, - "8074": msg10521, - "8075": msg10522, - "8076": msg10523, - "8077": msg10524, - "8078": msg10525, - "8079": msg10526, - "808": select714, - "8080": msg10527, - "8081": msg10528, - "8082": msg10529, - "8083": msg10530, - "8084": msg10531, - "8085": msg10532, - "8086": msg10533, - "8087": msg10534, - "8088": msg10535, - "8089": msg10536, - "809": select715, - "8090": msg10537, - "8091": msg10538, - "8092": msg10539, - "8093": msg10540, - "8094": msg10541, - "8095": msg10542, - "8096": msg10543, - "8097": msg10544, - "8098": msg10545, - "8099": msg10546, - "810": select716, - "8100": msg10547, - "8101": msg10548, - "8102": msg10549, - "8103": msg10550, - "8104": msg10551, - "8105": msg10552, - "8106": msg10553, - "8107": msg10554, - "8108": msg10555, - "8109": msg10556, - "811": select717, - "8110": msg10557, - "8111": msg10558, - "8112": msg10559, - "8113": msg10560, - "8114": msg10561, - "8115": msg10562, - "8116": msg10563, - "8117": msg10564, - "8118": msg10565, - "8119": msg10566, - "812": select718, - "8120": msg10567, - 
"8121": msg10568, - "8122": msg10569, - "8123": msg10570, - "8124": msg10571, - "8125": msg10572, - "8126": msg10573, - "8127": msg10574, - "8128": msg10575, - "8129": msg10576, - "813": select719, - "8130": msg10577, - "8131": msg10578, - "8132": msg10579, - "8133": msg10580, - "8134": msg10581, - "8135": msg10582, - "8136": msg10583, - "8137": msg10584, - "8138": msg10585, - "8139": msg10586, - "8140": msg10587, - "8141": msg10588, - "8142": msg10589, - "8143": msg10590, - "8144": msg10591, - "8145": msg10592, - "8146": msg10593, - "8147": msg10594, - "8148": msg10595, - "8149": msg10596, - "815": select720, - "8150": msg10597, - "8151": msg10598, - "8152": msg10599, - "8153": msg10600, - "8154": msg10601, - "8155": msg10602, - "8156": msg10603, - "8157": msg10604, - "8158": msg10605, - "8159": msg10606, - "8160": msg10607, - "8161": msg10608, - "8162": msg10609, - "8163": msg10610, - "8164": msg10611, - "8165": msg10612, - "8166": msg10613, - "8167": msg10614, - "8168": msg10615, - "8169": msg10616, - "817": select721, - "8170": msg10617, - "8171": msg10618, - "8172": msg10619, - "8173": msg10620, - "8174": msg10621, - "8175": msg10622, - "8176": msg10623, - "8177": msg10624, - "8178": msg10625, - "8179": msg10626, - "818": select722, - "8180": msg10627, - "8181": msg10628, - "8182": msg10629, - "8183": msg10630, - "8184": msg10631, - "8185": msg10632, - "8186": msg10633, - "8187": msg10634, - "8188": msg10635, - "8189": msg10636, - "819": select723, - "8190": msg10637, - "8191": msg10638, - "8192": msg10639, - "8193": msg10640, - "8194": msg10641, - "8195": msg10642, - "8196": msg10643, - "8197": msg10644, - "8198": msg10645, - "8199": msg10646, - "820": select724, - "8200": msg10647, - "8201": msg10648, - "8202": msg10649, - "8203": msg10650, - "8204": msg10651, - "8205": msg10652, - "8206": msg10653, - "8207": msg10654, - "8208": msg10655, - "8209": msg10656, - "821": select725, - "8210": msg10657, - "8211": msg10658, - "8212": msg10659, - "8213": msg10660, - 
"8214": msg10661, - "8215": msg10662, - "8216": msg10663, - "8217": msg10664, - "8218": msg10665, - "8219": msg10666, - "8220": msg10667, - "8221": msg10668, - "8222": msg10669, - "8223": msg10670, - "8224": msg10671, - "8225": msg10672, - "8226": msg10673, - "8227": msg10674, - "8228": msg10675, - "8229": msg10676, - "823": select726, - "8230": msg10677, - "8231": msg10678, - "8232": msg10679, - "8233": msg10680, - "8234": msg10681, - "8235": msg10682, - "8236": msg10683, - "8237": msg10684, - "8238": msg10685, - "8239": msg10686, - "824": select727, - "8240": msg10687, - "8241": msg10688, - "8242": msg10689, - "8243": msg10690, - "8244": msg10691, - "8245": msg10692, - "8246": msg10693, - "8247": msg10694, - "8248": msg10695, - "8249": msg10696, - "825": select728, - "8250": msg10697, - "8251": msg10698, - "8252": msg10699, - "8253": msg10700, - "8254": msg10701, - "8255": msg10702, - "8256": msg10703, - "8257": msg10704, - "8258": msg10705, - "8259": msg10706, - "826": select729, - "8260": msg10707, - "8261": msg10708, - "8262": msg10709, - "8263": msg10710, - "8264": msg10711, - "8265": msg10712, - "8266": msg10713, - "8267": msg10714, - "8268": msg10715, - "8269": msg10716, - "827": select730, - "8270": msg10717, - "8271": msg10718, - "8272": msg10719, - "8273": msg10720, - "8274": msg10721, - "8275": msg10722, - "8276": msg10723, - "8277": msg10724, - "8278": msg10725, - "8279": msg10726, - "828": select731, - "8280": msg10727, - "8281": msg10728, - "8282": msg10729, - "8283": msg10730, - "8284": msg10731, - "8285": msg10732, - "8286": msg10733, - "8287": msg10734, - "8288": msg10735, - "8289": msg10736, - "829": select732, - "8290": msg10737, - "8291": msg10738, - "8292": msg10739, - "8293": msg10740, - "8294": msg10741, - "8295": msg10742, - "8296": msg10743, - "8297": msg10744, - "8298": msg10745, - "8299": msg10746, - "830": select733, - "8300": msg10747, - "8301": msg10748, - "8302": msg10749, - "8303": msg10750, - "8304": msg10751, - "8305": msg10752, - 
"8306": msg10753, - "8307": msg10754, - "8308": msg10755, - "8309": msg10756, - "8310": msg10757, - "8311": msg10758, - "8312": msg10759, - "8313": msg10760, - "8314": msg10761, - "8315": msg10762, - "8316": msg10763, - "8317": msg10764, - "8318": msg10765, - "8319": msg10766, - "832": select734, - "8320": msg10767, - "8321": msg10768, - "8322": msg10769, - "8323": msg10770, - "8324": msg10771, - "8325": msg10772, - "8326": msg10773, - "8327": msg10774, - "8328": msg10775, - "8329": msg10776, - "833": select735, - "8330": msg10777, - "8331": msg10778, - "8332": msg10779, - "8333": msg10780, - "8334": msg10781, - "8335": msg10782, - "8336": msg10783, - "8337": msg10784, - "8338": msg10785, - "8339": msg10786, - "834": select736, - "8340": msg10787, - "8341": msg10788, - "8342": msg10789, - "8343": msg10790, - "8344": msg10791, - "8345": msg10792, - "8346": msg10793, - "8347": msg10794, - "8348": msg10795, - "8349": msg10796, - "835": select737, - "8350": msg10797, - "8351": msg10798, - "8352": msg10799, - "8353": msg10800, - "8354": msg10801, - "8355": msg10802, - "8356": msg10803, - "8357": msg10804, - "8358": msg10805, - "8359": msg10806, - "836": select738, - "8360": msg10807, - "8361": msg10808, - "8362": msg10809, - "8363": msg10810, - "8364": msg10811, - "8365": msg10812, - "8366": msg10813, - "8367": msg10814, - "8368": msg10815, - "8369": msg10816, - "837": select739, - "8370": msg10817, - "8371": msg10818, - "8372": msg10819, - "8373": msg10820, - "8374": msg10821, - "8375": msg10822, - "8376": msg10823, - "8377": msg10824, - "8378": msg10825, - "8379": msg10826, - "838": select740, - "8380": msg10827, - "8381": msg10828, - "8382": msg10829, - "8383": msg10830, - "8384": msg10831, - "8385": msg10832, - "8386": msg10833, - "8387": msg10834, - "8388": msg10835, - "8389": msg10836, - "839": select741, - "8390": msg10837, - "8391": msg10838, - "8392": msg10839, - "8393": msg10840, - "8394": msg10841, - "8395": msg10842, - "8396": msg10843, - "8397": msg10844, - 
"8398": msg10845, - "8399": msg10846, - "840": select742, - "8400": msg10847, - "8401": msg10848, - "8402": msg10849, - "8403": msg10850, - "8404": msg10851, - "8405": msg10852, - "8406": msg10853, - "8407": msg10854, - "8408": msg10855, - "8409": msg10856, - "841": select743, - "8410": msg10857, - "8411": msg10858, - "8412": msg10859, - "8413": msg10860, - "8414": msg10861, - "8415": msg10862, - "8416": msg10863, - "8417": msg10864, - "8418": msg10865, - "8419": msg10866, - "842": select744, - "8420": msg10867, - "8421": msg10868, - "8422": msg10869, - "8423": msg10870, - "8424": msg10871, - "8425": msg10872, - "8426": msg10873, - "8427": msg10874, - "8428": msg10875, - "8429": msg10876, - "843": select745, - "8430": msg10877, - "8431": msg10878, - "8432": msg10879, - "8433": msg10880, - "8434": msg10881, - "8435": msg10882, - "8436": msg10883, - "8437": msg10884, - "8438": msg10885, - "8439": msg10886, - "844": select746, - "8440": msg10887, - "8441": msg10888, - "8442": msg10889, - "8443": msg10890, - "8444": msg10891, - "8445": msg10892, - "8446": msg10893, - "8447": msg10894, - "8448": msg10895, - "8449": msg10896, - "845": select747, - "8450": msg10897, - "8451": msg10898, - "8452": msg10899, - "8453": msg10900, - "8454": msg10901, - "8455": msg10902, - "8456": msg10903, - "8457": msg10904, - "8458": msg10905, - "8459": msg10906, - "846": select748, - "8460": msg10907, - "8461": msg10908, - "8462": msg10909, - "8463": msg10910, - "8464": msg10911, - "8465": msg10912, - "8466": msg10913, - "8467": msg10914, - "8468": msg10915, - "8469": msg10916, - "847": select749, - "8470": msg10917, - "8471": msg10918, - "8472": msg10919, - "8473": msg10920, - "8474": msg10921, - "8475": msg10922, - "8476": msg10923, - "8477": msg10924, - "8478": msg10925, - "8479": msg10926, - "848": select750, - "8480": msg10927, - "8481": msg10928, - "8482": msg10929, - "8483": msg10930, - "8484": msg10931, - "8485": msg10932, - "8486": msg10933, - "8487": msg10934, - "8488": msg10935, - 
"8489": msg10936, - "849": select751, - "8490": msg10937, - "8491": msg10938, - "8492": msg10939, - "8493": msg10940, - "8494": msg10941, - "8495": msg10942, - "8496": msg10943, - "8497": msg10944, - "8498": msg10945, - "8499": msg10946, - "850": select752, - "8500": msg10947, - "8501": msg10948, - "8502": msg10949, - "8503": msg10950, - "8504": msg10951, - "8505": msg10952, - "8506": msg10953, - "8507": msg10954, - "8508": msg10955, - "8509": msg10956, - "851": select753, - "8510": msg10957, - "8511": msg10958, - "8512": msg10959, - "8513": msg10960, - "8514": msg10961, - "8515": msg10962, - "8516": msg10963, - "8517": msg10964, - "8518": msg10965, - "8519": msg10966, - "852": select754, - "8520": msg10967, - "8521": msg10968, - "8522": msg10969, - "8523": msg10970, - "8524": msg10971, - "8525": msg10972, - "8526": msg10973, - "8527": msg10974, - "8528": msg10975, - "8529": msg10976, - "853": select755, - "8530": msg10977, - "8531": msg10978, - "8532": msg10979, - "8533": msg10980, - "8534": msg10981, - "8535": msg10982, - "8536": msg10983, - "8537": msg10984, - "8538": msg10985, - "8539": msg10986, - "854": select756, - "8540": msg10987, - "8541": msg10988, - "8542": msg10989, - "8543": msg10990, - "8544": msg10991, - "8545": msg10992, - "8546": msg10993, - "8547": msg10994, - "8548": msg10995, - "8549": msg10996, - "855": select757, - "8550": msg10997, - "8551": msg10998, - "8552": msg10999, - "8553": msg11000, - "8554": msg11001, - "8555": msg11002, - "8556": msg11003, - "8557": msg11004, - "8558": msg11005, - "8559": msg11006, - "856": select758, - "8560": msg11007, - "8561": msg11008, - "8562": msg11009, - "8563": msg11010, - "8564": msg11011, - "8565": msg11012, - "8566": msg11013, - "8567": msg11014, - "8568": msg11015, - "8569": msg11016, - "857": select759, - "8570": msg11017, - "8571": msg11018, - "8572": msg11019, - "8573": msg11020, - "8574": msg11021, - "8575": msg11022, - "8576": msg11023, - "8577": msg11024, - "8578": msg11025, - "8579": msg11026, - 
"858": select760, - "8580": msg11027, - "8581": msg11028, - "8582": msg11029, - "8583": msg11030, - "8584": msg11031, - "8585": msg11032, - "8586": msg11033, - "8587": msg11034, - "8588": msg11035, - "8589": msg11036, - "859": select761, - "8590": msg11037, - "8591": msg11038, - "8592": msg11039, - "8593": msg11040, - "8594": msg11041, - "8595": msg11042, - "8596": msg11043, - "8597": msg11044, - "8598": msg11045, - "8599": msg11046, - "860": select762, - "8600": msg11047, - "8601": msg11048, - "8602": msg11049, - "8603": msg11050, - "8604": msg11051, - "8605": msg11052, - "8606": msg11053, - "8607": msg11054, - "8608": msg11055, - "8609": msg11056, - "861": select763, - "8610": msg11057, - "8611": msg11058, - "8612": msg11059, - "8613": msg11060, - "8614": msg11061, - "8615": msg11062, - "8616": msg11063, - "8617": msg11064, - "8618": msg11065, - "8619": msg11066, - "862": select764, - "8620": msg11067, - "8621": msg11068, - "8622": msg11069, - "8623": msg11070, - "8624": msg11071, - "8625": msg11072, - "8626": msg11073, - "8627": msg11074, - "8628": msg11075, - "8629": msg11076, - "863": select765, - "8630": msg11077, - "8631": msg11078, - "8632": msg11079, - "8633": msg11080, - "8634": msg11081, - "8635": msg11082, - "8636": msg11083, - "8637": msg11084, - "8638": msg11085, - "8639": msg11086, - "864": select766, - "8640": msg11087, - "8641": msg11088, - "8642": msg11089, - "8643": msg11090, - "8644": msg11091, - "8645": msg11092, - "8646": msg11093, - "8647": msg11094, - "8648": msg11095, - "8649": msg11096, - "865": select767, - "8650": msg11097, - "8651": msg11098, - "8652": msg11099, - "8653": msg11100, - "8654": msg11101, - "8655": msg11102, - "8656": msg11103, - "8657": msg11104, - "8658": msg11105, - "8659": msg11106, - "866": select768, - "8660": msg11107, - "8661": msg11108, - "8662": msg11109, - "8663": msg11110, - "8664": msg11111, - "8665": msg11112, - "8666": msg11113, - "8667": msg11114, - "8668": msg11115, - "8669": msg11116, - "867": select769, - 
"8670": msg11117, - "8671": msg11118, - "8672": msg11119, - "8673": msg11120, - "8674": msg11121, - "8675": msg11122, - "8676": msg11123, - "8677": msg11124, - "8678": msg11125, - "8679": msg11126, - "868": select770, - "8680": msg11127, - "8681": msg11128, - "8682": msg11129, - "8683": msg11130, - "8684": msg11131, - "8685": msg11132, - "8686": msg11133, - "8687": msg11134, - "8688": msg11135, - "8689": msg11136, - "869": select771, - "8690": msg11137, - "8691": msg11138, - "8692": msg11139, - "8693": msg11140, - "8694": msg11141, - "8695": msg11142, - "8696": msg11143, - "8697": msg11144, - "8698": msg11145, - "8699": msg11146, - "870": select772, - "8700": msg11147, - "8701": msg11148, - "8702": msg11149, - "8703": msg11150, - "8704": msg11151, - "8705": msg11152, - "8706": msg11153, - "8707": msg11154, - "8708": msg11155, - "8709": msg11156, - "871": select773, - "8710": msg11157, - "8711": msg11158, - "8712": msg11159, - "8713": msg11160, - "8714": msg11161, - "8715": msg11162, - "8716": msg11163, - "8717": msg11164, - "8718": msg11165, - "8719": msg11166, - "872": select774, - "8720": msg11167, - "8721": msg11168, - "8722": msg11169, - "8723": msg11170, - "8724": msg11171, - "8725": msg11172, - "8726": msg11173, - "8727": msg11174, - "8728": msg11175, - "8729": msg11176, - "873": select775, - "8730": msg11177, - "8731": msg11178, - "8732": msg11179, - "8733": msg11180, - "8734": msg11181, - "8735": msg11182, - "8736": msg11183, - "8737": msg11184, - "8738": msg11185, - "8739": msg11186, - "874": select776, - "8740": msg11187, - "8741": msg11188, - "8742": msg11189, - "8743": msg11190, - "8744": msg11191, - "8745": msg11192, - "8746": msg11193, - "8747": msg11194, - "8748": msg11195, - "8749": msg11196, - "875": select777, - "8750": msg11197, - "8751": msg11198, - "8752": msg11199, - "8753": msg11200, - "8754": msg11201, - "8755": msg11202, - "8756": msg11203, - "8757": msg11204, - "8758": msg11205, - "8759": msg11206, - "876": select778, - "8760": msg11207, - 
"8761": msg11208, - "8762": msg11209, - "8763": msg11210, - "8764": msg11211, - "8765": msg11212, - "8766": msg11213, - "8767": msg11214, - "8768": msg11215, - "8769": msg11216, - "877": select779, - "8770": msg11217, - "8771": msg11218, - "8772": msg11219, - "8773": msg11220, - "8774": msg11221, - "8775": msg11222, - "8776": msg11223, - "8777": msg11224, - "8778": msg11225, - "8779": msg11226, - "878": select780, - "8780": msg11227, - "8781": msg11228, - "8782": msg11229, - "8783": msg11230, - "8784": msg11231, - "8785": msg11232, - "8786": msg11233, - "8787": msg11234, - "8788": msg11235, - "8789": msg11236, - "879": select781, - "8790": msg11237, - "8791": msg11238, - "8792": msg11239, - "8793": msg11240, - "8794": msg11241, - "8795": msg11242, - "8796": msg11243, - "8797": msg11244, - "8798": msg11245, - "8799": msg11246, - "880": select782, - "8800": msg11247, - "8801": msg11248, - "8802": msg11249, - "8803": msg11250, - "8804": msg11251, - "8805": msg11252, - "8806": msg11253, - "8807": msg11254, - "8808": msg11255, - "8809": msg11256, - "881": select783, - "8810": msg11257, - "8811": msg11258, - "8812": msg11259, - "8813": msg11260, - "8814": msg11261, - "8815": msg11262, - "8816": msg11263, - "8817": msg11264, - "8818": msg11265, - "8819": msg11266, - "882": select784, - "8820": msg11267, - "8821": msg11268, - "8822": msg11269, - "8823": msg11270, - "8824": msg11271, - "8825": msg11272, - "8826": msg11273, - "8827": msg11274, - "8828": msg11275, - "8829": msg11276, - "883": select785, - "8830": msg11277, - "8831": msg11278, - "8832": msg11279, - "8833": msg11280, - "8834": msg11281, - "8835": msg11282, - "8836": msg11283, - "8837": msg11284, - "8838": msg11285, - "8839": msg11286, - "884": select786, - "8840": msg11287, - "8841": msg11288, - "8842": msg11289, - "8843": msg11290, - "8844": msg11291, - "8845": msg11292, - "8846": msg11293, - "8847": msg11294, - "8848": msg11295, - "8849": msg11296, - "885": select787, - "8850": msg11297, - "8851": msg11298, - 
"8852": msg11299, - "8853": msg11300, - "8854": msg11301, - "8855": msg11302, - "8856": msg11303, - "8857": msg11304, - "8858": msg11305, - "8859": msg11306, - "886": select788, - "8860": msg11307, - "8861": msg11308, - "8862": msg11309, - "8863": msg11310, - "8864": msg11311, - "8865": msg11312, - "8866": msg11313, - "8867": msg11314, - "8868": msg11315, - "8869": msg11316, - "887": select789, - "8870": msg11317, - "8871": msg11318, - "8872": msg11319, - "8873": msg11320, - "8874": msg11321, - "8875": msg11322, - "8876": msg11323, - "8877": msg11324, - "8878": msg11325, - "8879": msg11326, - "888": select790, - "8880": msg11327, - "8881": msg11328, - "8882": msg11329, - "8883": msg11330, - "8884": msg11331, - "8885": msg11332, - "8886": msg11333, - "8887": msg11334, - "8888": msg11335, - "8888888": msg38428, - "8888889": msg38429, - "8889": msg11336, - "889": select791, - "8890": msg11337, - "8891": msg11338, - "8892": msg11339, - "8893": msg11340, - "8894": msg11341, - "8895": msg11342, - "8896": msg11343, - "8897": msg11344, - "8898": msg11345, - "8899": msg11346, - "890": select792, - "8900": msg11347, - "8901": msg11348, - "8902": msg11349, - "8903": msg11350, - "8904": msg11351, - "8905": msg11352, - "8906": msg11353, - "8907": msg11354, - "8908": msg11355, - "8909": msg11356, - "891": select793, - "8910": msg11357, - "8911": msg11358, - "8912": msg11359, - "8913": msg11360, - "8914": msg11361, - "8915": msg11362, - "8916": msg11363, - "8917": msg11364, - "8918": msg11365, - "8919": msg11366, - "892": select794, - "8920": msg11367, - "8921": msg11368, - "8922": msg11369, - "8923": msg11370, - "8924": msg11371, - "8925": msg11372, - "8926": msg11373, - "8927": msg11374, - "8928": msg11375, - "8929": msg11376, - "893": select795, - "8930": msg11377, - "8931": msg11378, - "8932": msg11379, - "8933": msg11380, - "8934": msg11381, - "8935": msg11382, - "8936": msg11383, - "8937": msg11384, - "8938": msg11385, - "8939": msg11386, - "894": select796, - "8940": 
msg11387, - "8941": msg11388, - "8942": msg11389, - "8943": msg11390, - "8944": msg11391, - "8945": msg11392, - "8946": msg11393, - "8947": msg11394, - "8948": msg11395, - "8949": msg11396, - "895": select797, - "8950": msg11397, - "8951": msg11398, - "8952": msg11399, - "8953": msg11400, - "8954": msg11401, - "8955": msg11402, - "8956": msg11403, - "8957": msg11404, - "8958": msg11405, - "8959": msg11406, - "896": select798, - "8960": msg11407, - "8961": msg11408, - "8962": msg11409, - "8963": msg11410, - "8964": msg11411, - "8965": msg11412, - "8966": msg11413, - "8967": msg11414, - "8968": msg11415, - "8969": msg11416, - "897": select799, - "8970": msg11417, - "8971": msg11418, - "8972": msg11419, - "8973": msg11420, - "8974": msg11421, - "8975": msg11422, - "8976": msg11423, - "8977": msg11424, - "8978": msg11425, - "8979": msg11426, - "898": select800, - "8980": msg11427, - "8981": msg11428, - "8982": msg11429, - "8983": msg11430, - "8984": msg11431, - "8985": msg11432, - "8986": msg11433, - "8987": msg11434, - "8988": msg11435, - "8989": msg11436, - "899": select801, - "8990": msg11437, - "8991": msg11438, - "8992": msg11439, - "8993": msg11440, - "8994": msg11441, - "8995": msg11442, - "8996": msg11443, - "8997": msg11444, - "8998": msg11445, - "8999": msg11446, - "9": msg33, - "900": select802, - "9000": msg11447, - "9001": msg11448, - "9002": msg11449, - "9003": msg11450, - "9004": msg11451, - "9005": msg11452, - "9006": msg11453, - "9007": msg11454, - "9008": msg11455, - "9009": msg11456, - "901": select803, - "9010": msg11457, - "9011": msg11458, - "9012": msg11459, - "9013": msg11460, - "9014": msg11461, - "9015": msg11462, - "9016": msg11463, - "9017": msg11464, - "9018": msg11465, - "9019": msg11466, - "902": select804, - "9020": msg11467, - "9021": msg11468, - "9022": msg11469, - "9023": msg11470, - "9024": msg11471, - "9025": msg11472, - "9026": msg11473, - "9027": msg11474, - "9028": msg11475, - "9029": msg11476, - "903": select805, - "9030": 
msg11477, - "9031": msg11478, - "9032": msg11479, - "9033": msg11480, - "9034": msg11481, - "9035": msg11482, - "9036": msg11483, - "9037": msg11484, - "9038": msg11485, - "9039": msg11486, - "904": select806, - "9040": msg11487, - "9041": msg11488, - "9042": msg11489, - "9043": msg11490, - "9044": msg11491, - "9045": msg11492, - "9046": msg11493, - "9047": msg11494, - "9048": msg11495, - "9049": msg11496, - "905": select807, - "9050": msg11497, - "9051": msg11498, - "9052": msg11499, - "9053": msg11500, - "9054": msg11501, - "9055": msg11502, - "9056": msg11503, - "9057": msg11504, - "9058": msg11505, - "9059": msg11506, - "906": select808, - "9060": msg11507, - "9061": msg11508, - "9062": msg11509, - "9063": msg11510, - "9064": msg11511, - "9065": msg11512, - "9066": msg11513, - "9067": msg11514, - "9068": msg11515, - "9069": msg11516, - "907": select809, - "9070": msg11517, - "9071": msg11518, - "9072": msg11519, - "9073": msg11520, - "9074": msg11521, - "9075": msg11522, - "9076": msg11523, - "9077": msg11524, - "9078": msg11525, - "9079": msg11526, - "908": select810, - "9080": msg11527, - "9081": msg11528, - "9082": msg11529, - "9083": msg11530, - "9084": msg11531, - "9085": msg11532, - "9086": msg11533, - "9087": msg11534, - "9088": msg11535, - "9089": msg11536, - "909": select811, - "9090": msg11537, - "9091": msg11538, - "9092": msg11539, - "9093": msg11540, - "9094": msg11541, - "9095": msg11542, - "9096": msg11543, - "9097": msg11544, - "9098": msg11545, - "9099": msg11546, - "910": select812, - "9100": msg11547, - "9101": msg11548, - "9102": msg11549, - "9103": msg11550, - "9104": msg11551, - "9105": msg11552, - "9106": msg11553, - "9107": msg11554, - "9108": msg11555, - "9109": msg11556, - "911": select813, - "9110": msg11557, - "9111": msg11558, - "9112": msg11559, - "9113": msg11560, - "9114": msg11561, - "9115": msg11562, - "9116": msg11563, - "9117": msg11564, - "9118": msg11565, - "9119": msg11566, - "912": select814, - "9120": msg11567, - "9121": 
msg11568, - "9122": msg11569, - "9123": msg11570, - "9124": msg11571, - "9125": msg11572, - "9126": msg11573, - "9127": msg11574, - "9128": msg11575, - "9129": msg11576, - "913": select815, - "9130": msg11577, - "9131": msg11578, - "9132": msg11579, - "9133": msg11580, - "9134": msg11581, - "9135": msg11582, - "9136": msg11583, - "9137": msg11584, - "9138": msg11585, - "9139": msg11586, - "914": select816, - "9140": msg11587, - "9141": msg11588, - "9142": msg11589, - "9143": msg11590, - "9144": msg11591, - "9145": msg11592, - "9146": msg11593, - "9147": msg11594, - "9148": msg11595, - "9149": msg11596, - "915": select817, - "9150": msg11597, - "9151": msg11598, - "9152": msg11599, - "9153": msg11600, - "9154": msg11601, - "9155": msg11602, - "9156": msg11603, - "9157": msg11604, - "9158": msg11605, - "9159": msg11606, - "916": select818, - "9160": msg11607, - "9161": msg11608, - "9162": msg11609, - "9163": msg11610, - "9164": msg11611, - "9165": msg11612, - "9166": msg11613, - "9167": msg11614, - "9168": msg11615, - "9169": msg11616, - "917": select819, - "9170": msg11617, - "9171": msg11618, - "9172": msg11619, - "9173": msg11620, - "9174": msg11621, - "9175": msg11622, - "9176": msg11623, - "9177": msg11624, - "9178": msg11625, - "9179": msg11626, - "918": select820, - "9180": msg11627, - "9181": msg11628, - "9182": msg11629, - "9183": msg11630, - "9184": msg11631, - "9185": msg11632, - "9186": msg11633, - "9187": msg11634, - "9188": msg11635, - "9189": msg11636, - "919": select821, - "9190": msg11637, - "9191": msg11638, - "9192": msg11639, - "9193": msg11640, - "9194": msg11641, - "9195": msg11642, - "9196": msg11643, - "9197": msg11644, - "9198": msg11645, - "9199": msg11646, - "920": select822, - "9200": msg11647, - "9201": msg11648, - "9202": msg11649, - "9203": msg11650, - "9204": msg11651, - "9205": msg11652, - "9206": msg11653, - "9207": msg11654, - "9208": msg11655, - "9209": msg11656, - "921": select823, - "9210": msg11657, - "9211": msg11658, - "9212": 
msg11659, - "9213": msg11660, - "9214": msg11661, - "9215": msg11662, - "9216": msg11663, - "9217": msg11664, - "9218": msg11665, - "9219": msg11666, - "922": select824, - "9220": msg11667, - "9221": msg11668, - "9222": msg11669, - "9223": msg11670, - "9224": msg11671, - "9225": msg11672, - "9226": msg11673, - "9227": msg11674, - "9228": msg11675, - "9229": msg11676, - "923": select825, - "9230": msg11677, - "9231": msg11678, - "9232": msg11679, - "9233": msg11680, - "9234": msg11681, - "9235": msg11682, - "9236": msg11683, - "9237": msg11684, - "9238": msg11685, - "9239": msg11686, - "924": select826, - "9240": msg11687, - "9241": msg11688, - "9242": msg11689, - "9243": msg11690, - "9244": msg11691, - "9245": msg11692, - "9246": msg11693, - "9247": msg11694, - "9248": msg11695, - "9249": msg11696, - "925": select827, - "9250": msg11697, - "9251": msg11698, - "9252": msg11699, - "9253": msg11700, - "9254": msg11701, - "9255": msg11702, - "9256": msg11703, - "9257": msg11704, - "9258": msg11705, - "9259": msg11706, - "926": select828, - "9260": msg11707, - "9261": msg11708, - "9262": msg11709, - "9263": msg11710, - "9264": msg11711, - "9265": msg11712, - "9266": msg11713, - "9267": msg11714, - "9268": msg11715, - "9269": msg11716, - "927": select829, - "9270": msg11717, - "9271": msg11718, - "9272": msg11719, - "9273": msg11720, - "9274": msg11721, - "9275": msg11722, - "9276": msg11723, - "9277": msg11724, - "9278": msg11725, - "9279": msg11726, - "928": select830, - "9280": msg11727, - "9281": msg11728, - "9282": msg11729, - "9283": msg11730, - "9284": msg11731, - "9285": msg11732, - "9286": msg11733, - "9287": msg11734, - "9288": msg11735, - "9289": msg11736, - "929": select831, - "9290": msg11737, - "9291": msg11738, - "9292": msg11739, - "9293": msg11740, - "9294": msg11741, - "9295": msg11742, - "9296": msg11743, - "9297": msg11744, - "9298": msg11745, - "9299": msg11746, - "930": select832, - "9300": msg11747, - "9301": msg11748, - "9302": msg11749, - "9303": 
msg11750, - "9304": msg11751, - "9305": msg11752, - "9306": msg11753, - "9307": msg11754, - "9308": msg11755, - "9309": msg11756, - "931": select833, - "9310": msg11757, - "9311": msg11758, - "9312": msg11759, - "9313": msg11760, - "9314": msg11761, - "9315": msg11762, - "9316": msg11763, - "9317": msg11764, - "9318": msg11765, - "9319": msg11766, - "932": select834, - "9320": msg11767, - "9321": msg11768, - "9322": msg11769, - "9323": msg11770, - "9324": msg11771, - "9325": msg11772, - "9326": msg11773, - "9327": msg11774, - "9328": msg11775, - "9329": msg11776, - "933": select835, - "9330": msg11777, - "9331": msg11778, - "9332": msg11779, - "9333": msg11780, - "9334": msg11781, - "9335": msg11782, - "9336": msg11783, - "9337": msg11784, - "9338": msg11785, - "9339": msg11786, - "9340": msg11787, - "9341": msg11788, - "9342": msg11789, - "9343": msg11790, - "9344": msg11791, - "9345": msg11792, - "9346": msg11793, - "9347": msg11794, - "9348": msg11795, - "9349": msg11796, - "935": select836, - "9350": msg11797, - "9351": msg11798, - "9352": msg11799, - "9353": msg11800, - "9354": msg11801, - "9355": msg11802, - "9356": msg11803, - "9357": msg11804, - "9358": msg11805, - "9359": msg11806, - "936": select837, - "9360": msg11807, - "9361": msg11808, - "9362": msg11809, - "9363": msg11810, - "9364": msg11811, - "9365": msg11812, - "9366": msg11813, - "9367": msg11814, - "9368": msg11815, - "9369": msg11816, - "937": select838, - "9370": msg11817, - "9371": msg11818, - "9372": msg11819, - "9373": msg11820, - "9374": msg11821, - "9375": msg11822, - "9376": msg11823, - "9377": msg11824, - "9378": msg11825, - "9379": msg11826, - "9380": msg11827, - "9381": msg11828, - "9382": msg11829, - "9383": msg11830, - "9384": msg11831, - "9385": msg11832, - "9386": msg11833, - "9387": msg11834, - "9388": msg11835, - "9389": msg11836, - "939": select839, - "9390": msg11837, - "9391": msg11838, - "9392": msg11839, - "9393": msg11840, - "9394": msg11841, - "9395": msg11842, - "9396": 
msg11843, - "9397": msg11844, - "9398": msg11845, - "9399": msg11846, - "940": select840, - "9400": msg11847, - "9401": msg11848, - "9402": msg11849, - "9403": msg11850, - "9404": msg11851, - "9405": msg11852, - "9406": msg11853, - "9407": msg11854, - "9408": msg11855, - "9409": msg11856, - "941": select841, - "9410": msg11857, - "9411": msg11858, - "9412": msg11859, - "9413": msg11860, - "9414": msg11861, - "9415": msg11862, - "9416": msg11863, - "9417": msg11864, - "9418": msg11865, - "9419": msg11866, - "942": select842, - "9420": msg11867, - "9421": msg11868, - "9422": msg11869, - "9423": msg11870, - "9424": msg11871, - "9425": msg11872, - "9426": msg11873, - "9427": msg11874, - "9428": msg11875, - "9429": msg11876, - "943": select843, - "9430": msg11877, - "9431": msg11878, - "9432": msg11879, - "9433": msg11880, - "9434": msg11881, - "9435": msg11882, - "9436": msg11883, - "9437": msg11884, - "9438": msg11885, - "9439": msg11886, - "944": select844, - "9440": msg11887, - "9441": msg11888, - "9442": msg11889, - "9443": msg11890, - "9444": msg11891, - "9445": msg11892, - "9446": msg11893, - "9447": msg11894, - "9448": msg11895, - "9449": msg11896, - "945": select845, - "9450": msg11897, - "9451": msg11898, - "9452": msg11899, - "9453": msg11900, - "9454": msg11901, - "9455": msg11902, - "9456": msg11903, - "9457": msg11904, - "9458": msg11905, - "9459": msg11906, - "946": select846, - "9460": msg11907, - "9461": msg11908, - "9462": msg11909, - "9463": msg11910, - "9464": msg11911, - "9465": msg11912, - "9466": msg11913, - "9467": msg11914, - "9468": msg11915, - "9469": msg11916, - "947": select847, - "9470": msg11917, - "9471": msg11918, - "9472": msg11919, - "9473": msg11920, - "9474": msg11921, - "9475": msg11922, - "9476": msg11923, - "9477": msg11924, - "9478": msg11925, - "9479": msg11926, - "948": select848, - "9480": msg11927, - "9481": msg11928, - "9482": msg11929, - "9483": msg11930, - "9484": msg11931, - "9485": msg11932, - "9486": msg11933, - "9487": 
msg11934, - "9488": msg11935, - "9489": msg11936, - "949": select849, - "9490": msg11937, - "9491": msg11938, - "9492": msg11939, - "9493": msg11940, - "9494": msg11941, - "9495": msg11942, - "9496": msg11943, - "9497": msg11944, - "9498": msg11945, - "9499": msg11946, - "950": select850, - "9500": msg11947, - "9501": msg11948, - "9502": msg11949, - "9503": msg11950, - "9504": msg11951, - "9505": msg11952, - "9506": msg11953, - "9507": msg11954, - "9508": msg11955, - "9509": msg11956, - "951": select851, - "9510": msg11957, - "9511": msg11958, - "9512": msg11959, - "9513": msg11960, - "9514": msg11961, - "9515": msg11962, - "9516": msg11963, - "9517": msg11964, - "9518": msg11965, - "9519": msg11966, - "952": select852, - "9520": msg11967, - "9521": msg11968, - "9522": msg11969, - "9523": msg11970, - "9524": msg11971, - "9525": msg11972, - "9526": msg11973, - "9527": msg11974, - "9528": msg11975, - "9529": msg11976, - "953": select853, - "9530": msg11977, - "9531": msg11978, - "9532": msg11979, - "9533": msg11980, - "9534": msg11981, - "9535": msg11982, - "9536": msg11983, - "9537": msg11984, - "9538": msg11985, - "9539": msg11986, - "954": select854, - "9540": msg11987, - "9541": msg11988, - "9542": msg11989, - "9543": msg11990, - "9544": msg11991, - "9545": msg11992, - "9546": msg11993, - "9547": msg11994, - "9548": msg11995, - "9549": msg11996, - "955": select855, - "9550": msg11997, - "9551": msg11998, - "9552": msg11999, - "9553": msg12000, - "9554": msg12001, - "9555": msg12002, - "9556": msg12003, - "9557": msg12004, - "9558": msg12005, - "9559": msg12006, - "956": select856, - "9560": msg12007, - "9561": msg12008, - "9562": msg12009, - "9563": msg12010, - "9564": msg12011, - "9565": msg12012, - "9566": msg12013, - "9567": msg12014, - "9568": msg12015, - "9569": msg12016, - "957": select857, - "9570": msg12017, - "9571": msg12018, - "9572": msg12019, - "9573": msg12020, - "9574": msg12021, - "9575": msg12022, - "9576": msg12023, - "9577": msg12024, - "9578": 
msg12025, - "9579": msg12026, - "958": select858, - "9580": msg12027, - "9581": msg12028, - "9582": msg12029, - "9583": msg12030, - "9584": msg12031, - "9585": msg12032, - "9586": msg12033, - "9587": msg12034, - "9588": msg12035, - "9589": msg12036, - "959": select859, - "9590": msg12037, - "9591": msg12038, - "9592": msg12039, - "9593": msg12040, - "9594": msg12041, - "9595": msg12042, - "9596": msg12043, - "9597": msg12044, - "9598": msg12045, - "9599": msg12046, - "96": msg77, - "960": select860, - "9600": msg12047, - "9601": msg12048, - "9602": msg12049, - "9603": msg12050, - "9604": msg12051, - "9605": msg12052, - "9606": msg12053, - "9607": msg12054, - "9608": msg12055, - "9609": msg12056, - "961": select861, - "9610": msg12057, - "9611": msg12058, - "9612": msg12059, - "9613": msg12060, - "9614": msg12061, - "9615": msg12062, - "9616": msg12063, - "9617": msg12064, - "9618": msg12065, - "9619": msg12066, - "962": select862, - "9620": msg12067, - "9621": msg12068, - "9622": msg12069, - "9623": msg12070, - "9624": msg12071, - "9625": msg12072, - "9626": msg12073, - "9627": msg12074, - "9628": msg12075, - "9629": msg12076, - "963": select863, - "9630": msg12077, - "9631": msg12078, - "9632": msg12079, - "9633": msg12080, - "9634": msg12081, - "9635": msg12082, - "9636": msg12083, - "9637": msg12084, - "9638": msg12085, - "9639": msg12086, - "964": select864, - "9640": msg12087, - "9641": msg12088, - "9642": msg12089, - "9643": msg12090, - "9644": msg12091, - "9645": msg12092, - "9646": msg12093, - "9647": msg12094, - "9648": msg12095, - "9649": msg12096, - "965": select865, - "9650": msg12097, - "9651": msg12098, - "9652": msg12099, - "9653": msg12100, - "9654": msg12101, - "9655": msg12102, - "9656": msg12103, - "9657": msg12104, - "9658": msg12105, - "9659": msg12106, - "966": select866, - "9660": msg12107, - "9661": msg12108, - "9662": msg12109, - "9663": msg12110, - "9664": msg12111, - "9665": msg12112, - "9666": msg12113, - "9667": msg12114, - "9668": 
msg12115, - "9669": msg12116, - "967": select867, - "9670": msg12117, - "9671": msg12118, - "9672": msg12119, - "9673": msg12120, - "9674": msg12121, - "9675": msg12122, - "9676": msg12123, - "9677": msg12124, - "9678": msg12125, - "9679": msg12126, - "968": select868, - "9680": msg12127, - "9681": msg12128, - "9682": msg12129, - "9683": msg12130, - "9684": msg12131, - "9685": msg12132, - "9686": msg12133, - "9687": msg12134, - "9688": msg12135, - "9689": msg12136, - "969": select869, - "9690": msg12137, - "9691": msg12138, - "9692": msg12139, - "9693": msg12140, - "9694": msg12141, - "9695": msg12142, - "9696": msg12143, - "9697": msg12144, - "9698": msg12145, - "9699": msg12146, - "97": select30, - "970": select870, - "9700": msg12147, - "9701": msg12148, - "9702": msg12149, - "9703": msg12150, - "9704": msg12151, - "9705": msg12152, - "9706": msg12153, - "9707": msg12154, - "9708": msg12155, - "9709": msg12156, - "971": select871, - "9710": msg12157, - "9711": msg12158, - "9712": msg12159, - "9713": msg12160, - "9714": msg12161, - "9715": msg12162, - "9716": msg12163, - "9717": msg12164, - "9718": msg12165, - "9719": msg12166, - "972": select872, - "9720": msg12167, - "9721": msg12168, - "9722": msg12169, - "9723": msg12170, - "9724": msg12171, - "9725": msg12172, - "9726": msg12173, - "9727": msg12174, - "9728": msg12175, - "9729": msg12176, - "973": select873, - "9730": msg12177, - "9731": msg12178, - "9732": msg12179, - "9733": msg12180, - "9734": msg12181, - "9735": msg12182, - "9736": msg12183, - "9737": msg12184, - "9738": msg12185, - "9739": msg12186, - "974": select874, - "9740": msg12187, - "9741": msg12188, - "9742": msg12189, - "9743": msg12190, - "9744": msg12191, - "9745": msg12192, - "9746": msg12193, - "9747": msg12194, - "9748": msg12195, - "9749": msg12196, - "975": select875, - "9750": msg12197, - "9751": msg12198, - "9752": msg12199, - "9753": msg12200, - "9754": msg12201, - "9755": msg12202, - "9756": msg12203, - "9757": msg12204, - "9758": 
msg12205, - "9759": msg12206, - "976": select876, - "9760": msg12207, - "9761": msg12208, - "9762": msg12209, - "9763": msg12210, - "9764": msg12211, - "9765": msg12212, - "9766": msg12213, - "9767": msg12214, - "9768": msg12215, - "9769": msg12216, - "977": select877, - "9770": msg12217, - "9771": msg12218, - "9772": msg12219, - "9773": msg12220, - "9774": msg12221, - "9775": msg12222, - "9776": msg12223, - "9777": msg12224, - "9778": msg12225, - "9779": msg12226, - "978": select878, - "9780": msg12227, - "9781": msg12228, - "9782": msg12229, - "9783": msg12230, - "9784": msg12231, - "9785": msg12232, - "9786": msg12233, - "9787": msg12234, - "9788": msg12235, - "9789": msg12236, - "979": select879, - "9790": msg12237, - "9791": msg12238, - "9792": msg12239, - "9793": msg12240, - "9794": msg12241, - "9795": msg12242, - "9796": msg12243, - "9797": msg12244, - "9798": msg12245, - "9799": msg12246, - "980": select880, - "9800": msg12247, - "9801": msg12248, - "9802": msg12249, - "9803": msg12250, - "9804": msg12251, - "9805": msg12252, - "9806": msg12253, - "9807": msg12254, - "9808": msg12255, - "9809": msg12256, - "981": select881, - "9810": msg12257, - "9811": msg12258, - "9812": msg12259, - "9813": msg12260, - "9814": msg12261, - "9815": msg12262, - "9816": msg12263, - "9817": msg12264, - "9818": msg12265, - "9819": msg12266, - "982": select882, - "9820": msg12267, - "9821": msg12268, - "9822": msg12269, - "9823": msg12270, - "9824": msg12271, - "9825": msg12272, - "9826": msg12273, - "9827": msg12274, - "9828": msg12275, - "9829": msg12276, - "983": select883, - "9830": msg12277, - "9831": msg12278, - "9832": msg12279, - "9833": msg12280, - "9834": msg12281, - "9835": msg12282, - "9836": msg12283, - "9837": msg12284, - "9838": msg12285, - "9839": msg12286, - "984": select884, - "9840": msg12287, - "9841": msg12288, - "9842": msg12289, - "9843": msg12290, - "9844": msg12291, - "9845": msg12292, - "9846": msg12293, - "9847": msg12294, - "9848": msg12295, - "9849": 
msg12296, - "985": select885, - "9850": msg12297, - "9851": msg12298, - "9852": msg12299, - "9853": msg12300, - "9854": msg12301, - "9855": msg12302, - "9856": msg12303, - "9857": msg12304, - "9858": msg12305, - "9859": msg12306, - "986": select886, - "9860": msg12307, - "9861": msg12308, - "9862": msg12309, - "9863": msg12310, - "9864": msg12311, - "9865": msg12312, - "9866": msg12313, - "9867": msg12314, - "9868": msg12315, - "9869": msg12316, - "987": select887, - "9870": msg12317, - "9871": msg12318, - "9872": msg12319, - "9873": msg12320, - "9874": msg12321, - "9875": msg12322, - "9876": msg12323, - "9877": msg12324, - "9878": msg12325, - "9879": msg12326, - "988": select888, - "9880": msg12327, - "9881": msg12328, - "9882": msg12329, - "9883": msg12330, - "9884": msg12331, - "9885": msg12332, - "9886": msg12333, - "9887": msg12334, - "9888": msg12335, - "9889": msg12336, - "989": select889, - "9890": msg12337, - "9891": msg12338, - "9892": msg12339, - "9893": msg12340, - "9894": msg12341, - "9895": msg12342, - "9896": msg12343, - "9897": msg12344, - "9898": msg12345, - "9899": msg12346, - "990": select890, - "9900": msg12347, - "9901": msg12348, - "9902": msg12349, - "9903": msg12350, - "9904": msg12351, - "9905": msg12352, - "9906": msg12353, - "9907": msg12354, - "9908": msg12355, - "9909": msg12356, - "991": select891, - "9910": msg12357, - "9911": msg12358, - "9912": msg12359, - "9913": msg12360, - "9914": msg12361, - "9915": msg12362, - "9916": msg12363, - "9917": msg12364, - "9918": msg12365, - "9919": msg12366, - "992": select892, - "9920": msg12367, - "9921": msg12368, - "9922": msg12369, - "9923": msg12370, - "9924": msg12371, - "9925": msg12372, - "9926": msg12373, - "9927": msg12374, - "9928": msg12375, - "9929": msg12376, - "993": select893, - "9930": msg12377, - "9931": msg12378, - "9932": msg12379, - "9933": msg12380, - "9934": msg12381, - "9935": msg12382, - "9936": msg12383, - "9937": msg12384, - "9938": msg12385, - "9939": msg12386, - "994": 
select894, - "9940": msg12387, - "9941": msg12388, - "9942": msg12389, - "9943": msg12390, - "9944": msg12391, - "9945": msg12392, - "9946": msg12393, - "9947": msg12394, - "9948": msg12395, - "9949": msg12396, - "995": select895, - "9950": msg12397, - "9951": msg12398, - "9952": msg12399, - "9953": msg12400, - "9954": msg12401, - "9955": msg12402, - "9956": msg12403, - "9957": msg12404, - "9958": msg12405, - "9959": msg12406, - "996": select896, - "9960": msg12407, - "9961": msg12408, - "9962": msg12409, - "9963": msg12410, - "9964": msg12411, - "9965": msg12412, - "9966": msg12413, - "9967": msg12414, - "9968": msg12415, - "9969": msg12416, - "997": select897, - "9970": msg12417, - "9971": msg12418, - "9972": msg12419, - "9973": msg12420, - "9974": msg12421, - "9975": msg12422, - "9976": msg12423, - "9977": msg12424, - "9978": msg12425, - "9979": msg12426, - "998": select898, - "9980": msg12427, - "9981": msg12428, - "9982": msg12429, - "9983": msg12430, - "9984": msg12431, - "9985": msg12432, - "9986": msg12433, - "9987": msg12434, - "9988": msg12435, - "9989": msg12436, - "999": select899, - "9990": msg12437, - "9991": msg12438, - "9992": msg12439, - "9993": msg12440, - "9994": msg12441, - "9995": msg12442, - "9996": msg12443, - "9997": msg12444, - "9998": msg12445, - "9999": msg12446, - "Additional_MAC_Detected_for": msg38460, - "Client_Application_Timeout": msg38477, - "Client_Application_Update": msg38473, - "Client_Timeout": msg38534, - "Client_Update": msg38530, - "ET": msg38485, - "FTD_events": select2466, - "HMNOTIFY": msg1, - "Hops_Change": msg38458, - "Host_IOC_Set": msg38535, - "Host_Timeout": msg38478, - "Host_Type_Changed": msg38536, - "Identity_Timeout": select2450, - "Login": msg38537, - "Logout": msg38538, - "MAC_Information_Change": msg38459, - "MALWARE": select2463, - "NETBIOS_Name_Change": msg38461, - "NGIPS_events": select2468, - "Network_Based_Malware": select2459, - "Network_Based_Retrospective": select2462, - "New_Client": msg38531, - 
"New_Client_Application": msg38472, - "New_Host": msg38462, - "New_Network_Protocol": msg38463, - "New_OS": msg38471, - "New_TCP_Port": msg38528, - "New_TCP_Service": msg38474, - "New_Transport_Protocol": msg38465, - "New_UDP_Port": msg38529, - "New_UDP_Service": msg38464, - "OS_Confidence_Update": msg38466, - "OS_Information_Update": msg38467, - "Portscan": msg38457, - "Primary_Detection_Engine": select2457, - "S5": select2453, - "Snort_AlertLog": msg38527, - "SystemSettings": select2455, - "TCP_Port_Closed": msg38475, - "TCP_Port_Timeout": msg38476, - "TCP_Server_Information_Update": msg38533, - "TCP_Service_Confidence_Update": msg38468, - "TCP_Service_Information_Update": msg38469, - "UDP_Port_Timeout": msg38481, - "UDP_Server_Information_Update": msg38532, - "UDP_Service_Confidence_Update": msg38482, - "UDP_Service_Information_Update": select2451, - "VLAN_Tag_Information_Update": msg38470, - "connection_events": msg38539, - "snort-sid-template": msg38452, - "spp_portscan": select2445, - }), -]); - -var hdr35 = match("HEADER#2:00010/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); - -var part116 = match("HEADER#2:00010/1_0", "nwparser.p0", "\"%{hfld10}\" [Impact: %{p0}"); - -var part117 = match("HEADER#2:00010/1_1", "nwparser.p0", "%{hfld10->} [Impact: %{p0}"); - -var part118 = match("HEADER#3:00011/2", "nwparser.p0", "%{result}] From %{hfld11->} at %{fld9->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); - -var part119 = match("HEADER#4:00012/1_0", "nwparser.p0", "\"%{hfld10}\" [Classification: %{p0}"); - -var part120 = match("HEADER#4:00012/1_1", "nwparser.p0", "%{hfld10->} [Classification: %{p0}"); - -var part121 = match("HEADER#4:00012/2", "nwparser.p0", "%{sigtype}] [Priority: %{payload}"); - -var part122 = match("HEADER#5:00013/1_0", "nwparser.p0", "\"%{hfld10}\" [%{p0}"); - -var part123 = match("HEADER#5:00013/1_1", "nwparser.p0", "%{hfld10->} [%{p0}"); - 
-var part124 = match("HEADER#5:00013/2", "nwparser.p0", "%{info}] [Priority: %{payload}"); - -var hdr36 = match("HEADER#7:00020/0", "message", "%{month->} %{day->} %{time->} snort[%{hpid}]: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); - -var part125 = match("HEADER#7:00020/2", "nwparser.p0", "%{result}] From %{group_object}/%{hfld11->} at %{fld9->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); - -var hdr37 = match("HEADER#11:00030/0", "message", "%{month->} %{day->} %{time->} snort: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); - -var part126 = match("HEADER#26:0011/1_1", "nwparser.p0", "at%{p0}"); - -var part127 = match("HEADER#26:0011/2", "nwparser.p0", "%{} %{p0}"); - -var part128 = match("HEADER#41:0024/1_0", "nwparser.p0", "[%{hpid}]: [%{p0}"); - -var part129 = match("HEADER#41:0024/1_1", "nwparser.p0", ": [%{p0}"); - -var part130 = match("HEADER#41:0024/2", "nwparser.p0", "]%{hversion}:%{hfld2}:%{hevent_source->} %{payload}"); - -var hdr38 = match("HEADER#43:0023/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: [%{hevent_source}:%{hfld2}:%{hversion}] %{p0}"); - -var part131 = match("MESSAGE#1:0/0_0", "nwparser.payload", "%{threat_val->} ]:alert {%{p0}"); - -var part132 = match("MESSAGE#1:0/0_1", "nwparser.payload", "%{threat_val->} ]: %{fld1->} {%{p0}"); - -var part133 = match("MESSAGE#1:0/0_2", "nwparser.payload", "%{threat_val}]: {%{p0}"); - -var part134 = match("MESSAGE#1:0/0_3", "nwparser.payload", "%{threat_val->} ] {%{p0}"); - -var part135 = match("MESSAGE#1:0/1", "nwparser.p0", "%{protocol}} %{p0}"); - -var part136 = match("MESSAGE#1:0/2_0", "nwparser.p0", "%{saddr}:%{sport->} (%{location_src}) -> %{p0}"); - -var part137 = match("MESSAGE#1:0/2_1", "nwparser.p0", "%{saddr}:%{sport->} -> %{p0}"); - -var part138 = match("MESSAGE#1:0/2_2", "nwparser.p0", "%{saddr->} -> %{p0}"); - -var part139 = match("MESSAGE#1:0/3_0", "nwparser.p0", "%{daddr}:%{dport->} (%{location_dst})"); - -var part140 = 
match("MESSAGE#1:0/3_1", "nwparser.p0", "%{daddr}:%{dport}"); - -var part141 = match_copy("MESSAGE#1:0/3_2", "nwparser.p0", "daddr"); - -var part142 = match("MESSAGE#2:0:01/0", "nwparser.payload", "%{context->} %{p0}"); - -var part143 = match("MESSAGE#2:0:01/1_0", "nwparser.p0", "\u003c\u003c%{interface}> %{p0}"); - -var part144 = match_copy("MESSAGE#2:0:01/1_1", "nwparser.p0", "p0"); - -var part145 = match("MESSAGE#2:0:01/2", "nwparser.p0", "{%{protocol}} %{p0}"); - -var part146 = match("MESSAGE#33:10/0", "nwparser.payload", "%{threat_val->} ]%{p0}"); - -var part147 = match("MESSAGE#33:10/1_0", "nwparser.p0", " \u003c\u003c%{interface}> %{p0}"); - -var part148 = match("MESSAGE#33:10/1_1", "nwparser.p0", ": %{p0}"); - -var part149 = match("MESSAGE#33:10/1_2", "nwparser.p0", " %{p0}"); - -var part150 = match("MESSAGE#80:103:01/0", "nwparser.payload", "%{context->} \u003c\u003c%{interface}> %{protocol->} %{p0}"); - -var part151 = match("MESSAGE#5535:3086/0_0", "nwparser.payload", "%{threat_val->} ]:alert %{p0}"); - -var part152 = match("MESSAGE#5535:3086/0_1", "nwparser.payload", "%{threat_val}]: %{p0}"); - -var part153 = match("MESSAGE#5535:3086/0_2", "nwparser.payload", "%{threat_val->} ] %{p0}"); - -var part154 = match("MESSAGE#5535:3086/1", "nwparser.p0", "%{p0}"); - -var part155 = match("MESSAGE#30119:28015/1_1", "nwparser.p0", ":alert %{p0}"); - -var part156 = match("MESSAGE#36377:34596/3_1", "nwparser.p0", "%{saddr->} -> %{p0}"); - -var part157 = match("MESSAGE#36377:34596/4_1", "nwparser.p0", "%{daddr}"); - -var part158 = match("MESSAGE#38458:MAC_Information_Change/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} MAC: %{smacaddr->} TTL %{p0}"); - -var part159 = match("MESSAGE#38458:MAC_Information_Change/1_0", "nwparser.p0", "%{sinterface->} (%{protocol->} detected)"); - -var part160 = match_copy("MESSAGE#38458:MAC_Information_Change/1_1", "nwparser.p0", "sinterface"); - -var part161 = 
match("MESSAGE#38461:New_Host/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> %{p0}"); - -var part162 = match_copy("MESSAGE#38462:New_Network_Protocol/2", "nwparser.p0", "protocol"); - -var part163 = match("MESSAGE#38468:TCP_Service_Information_Update/1_0", "nwparser.p0", "%{protocol->} Confidence: %{result}"); - -var part164 = match("MESSAGE#38495:SystemSettings:09/1_0", "nwparser.p0", ">%{p0}"); - -var part165 = match("MESSAGE#38514:Primary_Detection_Engine/0", "nwparser.payload", "%{fld1}][%{policyname}] Connection Type: %{event_state}, User: %{username}, Client: %{application}, Application Protocol: %{protocol}, Web App: %{application}, Access Control Rule Name: %{rulename}, Access Control Rule Action: %{action}, Access Control Rule Reasons: %{result}, URL Category: %{category}, URL Reputation: %{p0}"); - -var part166 = match("MESSAGE#38514:Primary_Detection_Engine/1_0", "nwparser.p0", "Risk unknown, URL: %{p0}"); - -var part167 = match("MESSAGE#38514:Primary_Detection_Engine/1_1", "nwparser.p0", "%{reputation_num}, URL: %{p0}"); - -var part168 = match("MESSAGE#38521:Network_Based_Retrospective/1_0", "nwparser.p0", "-*> %{p0}"); - -var part169 = match("MESSAGE#38521:Network_Based_Retrospective/1_1", "nwparser.p0", "> %{p0}"); - -var part170 = match("MESSAGE#38522:Network_Based_Retrospective:01/1_0", "nwparser.p0", "From \"%{sensor}\" at %{p0}"); - -var part171 = match("MESSAGE#38522:Network_Based_Retrospective:01/1_1", "nwparser.p0", "at %{p0}"); - -var part172 = match("MESSAGE#38522:Network_Based_Retrospective:01/2", "nwparser.p0", "%{fld6->} %{event_time_string->} UTC %{p0}"); - -var part173 = match("MESSAGE#38528:Client_Update/4", "nwparser.p0", "IP Address: %{saddr->} %{network_service}"); - -var part174 = match("MESSAGE#38530:UDP_Server_Information_Update/4", "nwparser.p0", "IP Address: %{saddr->} Port: %{sport->} Service: %{p0}"); - -var select2469 = linear_select([ - dup3, - dup4, -]); - -var 
select2470 = linear_select([ - dup6, - dup7, -]); - -var select2471 = linear_select([ - dup9, - dup10, -]); - -var hdr39 = match("HEADER#26:0011/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} %{p0}", processor_chain([ - dup19, -])); - -var select2472 = linear_select([ - dup26, - dup27, -]); - -var select2473 = linear_select([ - dup33, - dup34, - dup35, - dup36, -]); - -var select2474 = linear_select([ - dup38, - dup39, - dup40, -]); - -var select2475 = linear_select([ - dup41, - dup42, - dup43, -]); - -var select2476 = linear_select([ - dup58, - dup59, -]); - -var select2477 = linear_select([ - dup67, - dup68, - dup69, -]); - -var select2478 = linear_select([ - dup113, - dup114, - dup115, -]); - -var select2479 = linear_select([ - dup68, - dup69, -]); - -var select2480 = linear_select([ - dup67, - dup124, - dup68, - dup69, -]); - -var select2481 = linear_select([ - dup39, - dup125, -]); - -var select2482 = linear_select([ - dup42, - dup126, -]); - -var select2483 = linear_select([ - dup131, - dup132, -]); - -var part175 = match("MESSAGE#38465:OS_Confidence_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} OS: %{version->} Confidence: %{result}", processor_chain([ - dup127, - dup31, - dup32, - dup47, - dup129, -])); - -var part176 = match("MESSAGE#38467:TCP_Service_Confidence_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport->} Service: %{protocol->} Confidence: %{result}", processor_chain([ - dup135, - dup31, - dup32, - dup47, - dup129, -])); - -var select2484 = linear_select([ - dup136, - dup134, -]); - -var part177 = match("MESSAGE#38471:New_Client_Application", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} %{product}", processor_chain([ - 
dup135, - dup31, - dup32, - dup47, - dup129, -])); - -var part178 = match("MESSAGE#38473:New_TCP_Service", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport}", processor_chain([ - dup135, - dup31, - dup32, - dup47, - dup129, -])); - -var part179 = match("MESSAGE#38475:TCP_Port_Timeout", "nwparser.payload", "%{context->} From %{sensor->} at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr}", processor_chain([ - dup135, - dup31, - dup32, - dup47, - dup129, -])); - -var select2485 = linear_select([ - dup148, - dup149, -]); - -var select2486 = linear_select([ - dup153, - dup154, -]); - -var select2487 = linear_select([ - dup155, - dup156, -]); - -var all88 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup44, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all89 = all_match({ - processors: [ - dup57, - dup175, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup44, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - ]), -}); - -var all90 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup61, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all91 = all_match({ - processors: [ - dup57, - dup175, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup61, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - ]), -}); - -var all92 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup62, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all93 = 
all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup63, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all94 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup64, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all95 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup65, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all96 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup44, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all97 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup70, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all98 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup71, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all99 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup44, - dup31, - dup45, - dup72, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all100 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup44, - 
dup31, - dup72, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all101 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup44, - dup31, - dup45, - dup77, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all102 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup44, - dup31, - dup77, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all103 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup62, - dup31, - dup45, - dup72, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all104 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup78, - dup31, - dup45, - dup72, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all105 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup79, - dup31, - dup45, - dup72, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all106 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup80, - dup31, - dup45, - dup72, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all107 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup81, - dup31, - dup45, - dup72, - dup73, - dup74, - 
dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all108 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup61, - dup31, - dup45, - dup72, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all109 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup82, - dup31, - dup45, - dup72, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all110 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup83, - dup31, - dup45, - dup72, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all111 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup85, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all112 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup85, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all113 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup62, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all114 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup86, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all115 = all_match({ - processors: [ - 
dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup86, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all116 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup64, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all117 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup63, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all118 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup80, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all119 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup80, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all120 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup87, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all121 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup88, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all122 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup88, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all123 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup83, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, 
- dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all124 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup83, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all125 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup61, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all126 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup89, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all127 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup89, - dup31, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all128 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup89, - dup31, - dup45, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all129 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup89, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all130 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup61, - dup31, - dup45, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all131 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup61, - dup31, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - 
dup76, - dup50, - dup51, - ]), -}); - -var all132 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup91, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all133 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup91, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all134 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup92, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all135 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup92, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all136 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup93, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all137 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup93, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all138 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup94, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all139 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup94, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all140 = all_match({ - processors: [ - dup172, - 
dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup62, - dup31, - dup45, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all141 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup62, - dup31, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all142 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup95, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all143 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup95, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all144 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup96, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all145 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup96, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all146 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup97, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all147 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup97, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all148 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - 
on_success: processor_chain([ - dup80, - dup31, - dup45, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all149 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup79, - dup31, - dup45, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all150 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup79, - dup31, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all151 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup78, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all152 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup78, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all153 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup98, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all154 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup78, - dup31, - dup45, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all155 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup78, - dup31, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - 
]), -}); - -var all156 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup99, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all157 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup99, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all158 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup44, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all159 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup100, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all160 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup100, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all161 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup81, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all162 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup81, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all163 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup101, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all164 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - 
on_success: processor_chain([ - dup101, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all165 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup102, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all166 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup102, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all167 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup103, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all168 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup103, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all169 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup90, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all170 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup104, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all171 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup104, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all172 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup105, - dup31, - dup45, - dup32, - 
dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all173 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup105, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all174 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup106, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all175 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup106, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all176 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup98, - dup31, - dup45, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all177 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup107, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all178 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup107, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all179 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup94, - dup31, - dup45, - dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all180 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup94, - dup31, - 
dup72, - dup84, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all181 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup108, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all182 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup108, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all183 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup79, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all184 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup79, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all185 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup70, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all186 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup92, - dup31, - dup45, - dup77, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all187 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup78, - dup31, - dup72, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all188 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup94, - dup31, - dup45, - dup72, - dup73, - dup74, - dup32, - dup46, - 
dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all189 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup80, - dup31, - dup45, - dup77, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all190 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup80, - dup31, - dup77, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all191 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup109, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all192 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup109, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all193 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup110, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all194 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup111, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all195 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup111, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all196 = all_match({ - processors: [ - dup75, - dup173, - dup174, - ], - on_success: processor_chain([ - dup110, - dup31, - dup32, - 
dup46, - dup47, - dup48, - dup49, - dup76, - dup50, - dup51, - ]), -}); - -var all197 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup112, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all198 = all_match({ - processors: [ - dup177, - dup116, - dup173, - dup174, - ], - on_success: processor_chain([ - dup81, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all199 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup117, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all200 = all_match({ - processors: [ - dup177, - dup116, - dup173, - dup174, - ], - on_success: processor_chain([ - dup101, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all201 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup118, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all202 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup105, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all203 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup70, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all204 = all_match({ - 
processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup78, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all205 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup63, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all206 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup81, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all207 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup101, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all208 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup119, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all209 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup120, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all210 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup71, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all211 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: 
processor_chain([ - dup94, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all212 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup65, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all213 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup121, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all214 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup100, - dup31, - dup45, - dup77, - dup73, - dup74, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all215 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup122, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all216 = all_match({ - processors: [ - dup172, - dup37, - dup173, - dup174, - ], - on_success: processor_chain([ - dup123, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all217 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup100, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all218 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup99, - dup31, - dup45, - dup32, - dup46, - dup47, - 
dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all219 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup79, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all220 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup64, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all221 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup102, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all222 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup119, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all223 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup121, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all224 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup93, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all225 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup120, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, 
- dup56, - ]), -}); - -var all226 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup108, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all227 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup104, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all228 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup90, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all229 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup83, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all230 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup89, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all231 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup97, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all232 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup61, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all233 = all_match({ - processors: [ - dup66, 
- dup179, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup101, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all234 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup118, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all235 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup180, - dup181, - ], - on_success: processor_chain([ - dup100, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all236 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup180, - dup181, - ], - on_success: processor_chain([ - dup71, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all237 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup180, - dup181, - ], - on_success: processor_chain([ - dup63, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all238 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup180, - dup181, - ], - on_success: processor_chain([ - dup102, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all239 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup180, - dup181, - ], - on_success: processor_chain([ - dup79, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all240 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup180, - dup181, - ], - on_success: 
processor_chain([ - dup70, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all241 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup180, - dup181, - ], - on_success: processor_chain([ - dup64, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all242 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup180, - dup181, - ], - on_success: processor_chain([ - dup99, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all243 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup180, - dup181, - ], - on_success: processor_chain([ - dup101, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all244 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup180, - dup181, - ], - on_success: processor_chain([ - dup65, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all245 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup180, - dup181, - ], - on_success: processor_chain([ - dup105, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all246 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup180, - dup181, - ], - on_success: processor_chain([ - dup81, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all247 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup180, - dup181, - ], - on_success: processor_chain([ - dup78, - dup31, - dup45, - dup32, - dup46, - dup47, 
- dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all248 = all_match({ - processors: [ - dup66, - dup176, - dup60, - dup180, - dup181, - ], - on_success: processor_chain([ - dup104, - dup31, - dup45, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - dup52, - dup53, - dup54, - dup55, - dup56, - ]), -}); - -var all249 = all_match({ - processors: [ - dup57, - dup175, - dup60, - dup173, - dup174, - ], - on_success: processor_chain([ - dup83, - dup31, - dup32, - dup46, - dup47, - dup48, - dup49, - dup50, - dup51, - ]), -}); - -var all250 = all_match({ - processors: [ - dup130, - dup182, - ], - on_success: processor_chain([ - dup127, - dup31, - dup32, - dup47, - dup129, - ]), -}); - -var all251 = all_match({ - processors: [ - dup57, - dup191, - dup157, - dup190, - dup159, - ], - on_success: processor_chain([ - dup135, - dup31, - dup32, - dup47, - ]), -}); - -var all252 = all_match({ - processors: [ - dup57, - dup191, - dup157, - dup190, - dup160, - dup185, - ], - on_success: processor_chain([ - dup135, - dup31, - dup32, - dup47, - ]), -}); diff --git a/x-pack/filebeat/module/snort/log/ingest/pipeline.yml b/x-pack/filebeat/module/snort/log/ingest/pipeline.yml deleted file mode 100644 index 262bbcff330..00000000000 --- a/x-pack/filebeat/module/snort/log/ingest/pipeline.yml +++ /dev/null 
@@ -1,64 +0,0 @@ ---- -description: Pipeline for Snort/Sourcefire - -processors: - # ECS event.ingested - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - # User agent - - user_agent: - field: user_agent.original - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.hosts - value: '{{host.name}}' - allow_duplicates: false - if: ctx.host?.name != null && ctx.host?.name != '' -on_failure: - - append: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/snort/log/manifest.yml b/x-pack/filebeat/module/snort/log/manifest.yml deleted file mode 100644 index ae467072b22..00000000000 --- a/x-pack/filebeat/module/snort/log/manifest.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -module_version: "1.0" - -var: - - name: paths - - name: tags - default: ["snort.log", "forwarded"] - - name: syslog_host - default: localhost - - name: syslog_port - default: 9548 - - name: input - default: udp - - name: community_id - default: true - - name: tz_offset - default: local - - name: rsa_fields - default: true - - name: keep_raw_fields - default: false - - name: debug - default: false - -ingest_pipeline: ingest/pipeline.yml -input: config/input.yml - -requires.processors: -- name: geoip - plugin: ingest-geoip -- name: user_agent - plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/snort/log/test/generated.log b/x-pack/filebeat/module/snort/log/test/generated.log deleted file mode 100644 index 8ecab402325..00000000000 --- a/x-pack/filebeat/module/snort/log/test/generated.log +++ /dev/null 
@@ -1,100 +0,0 @@ -Jan 29 2016 06:09:59 quid2184.invalid: %FTD-enim-dqu:CLOCK: System clock set, source: veri, IP: 10.202.72.124, before: inv, after: emo -2016-2-12T13:12:33Z inBCSedu5722.internal.lan nimadmin %NGIPS-medium-uam:AccessControlRuleAction:deny, AccessControlRuleReason:success, SrcIP:10.38.77.13, DstIP:10.212.11.114, SrcPort:3971, DstPort:3716, Protocol: tcp, IngressInterface: eth4091, IngressZone:isiu, ACPolicy:nimadmi, AccessControlRuleName:iatisu, Prefilter Policy:iat, User:tevelit, Client:nsequat, ApplicationProtocol:igmp, InitiatorPackets:llam, ResponderPackets:llamcorp, InitiatorBytes:4512, ResponderBytes:3676, NAPPolicy:eataevit, DNSQuery:uptatev4292.www.invalid, DNSRecordType: a host address, DNSSICategory:atat -Feb 26 20:15:08 tlabo6088.www.localdomain Lor: HMNOTIFY: itecto (Sensor erc): Severity:medium: failure -Mar 12 03:17:42 eporroqu4200.domain atquovo: HMNOTIFY: suntinc (Sensor xeac): Severity:medium: success -Mar 26 10:20:16 eirure: conseq557.mail.lan: aaliquaU@ntor, Analysis & Reporting > lpaqui -2016-4-9T17:22:51Z ationemu5040.www.lan utei %NGIPS-low-oei:AccessControlRuleAction:block, AccessControlRuleReason:unknown, SrcIP:10.182.199.231, DstIP:10.24.67.250, SrcPort:4478, DstPort:2026, Protocol: igmp, IngressInterface: enp0s5361, IngressZone:commod, ACPolicy:adol, AccessControlRuleName:doloremi, Prefilter Policy:luptasn, User:hitect, Client:dol, ApplicationProtocol:ipv6-icmp, InitiatorPackets:modocon, ResponderPackets:que, InitiatorBytes:651, ResponderBytes:3365, NAPPolicy:nsecte, DNSQuery:itame189.domain, DNSRecordType: a host address, DNSSICategory:exercit -Apr 24 00:25:25 uscipit: vitaedi1318.corp: temqu@edol, FailD, colab -May 8 07:27:59 nimid: itatione1916.www.host: oluptate@issus, Analysis & Reporting > osamn -May 22 14:30:33 its7829.localhost datatno: [siutali:5979:1.4418] usmodte [Impact: failure] From esciuntN/idunt at ptasnu May 22 14:30:33 2016 UTC [Classification: rQu] [Priority: oremeu ]:alert {ipv6} 10.110.31.190 -> 
10.157.18.252:5300 (eeufugia) -Jun 5 21:33:08 aec3673.internal.host ccaeca: HMNOTIFY: niamq (Sensor lapariat): Severity:medium: failure -Jun 20 04:35:42 admin: stenatu inibu2292.www.invalid: isetquas@ute, Login, Login Success -Jul 4 11:38:16 ori1241.www.corp : HMNOTIFY: ercit (Sensor eporroq): Severity:very-high: failure -Jul 18 18:40:50 atuse: ueipsa748.localdomain: aparia@tatnon, Heartbeat, leumiur -Aug 2 01:43:25 oluptat548.www5.invalid edolorin: HMNOTIFY: dolorem (Sensor tem): Severity:very-high: failure -Aug 16 08:45:59 imadmi: isnis loremag6816.www5.lan: inrepreh@quovo, System > urExcep -Aug 30 15:48:33 tionemu5269.internal.localhost : HMNOTIFY: occaec (Sensor acommodi): Severity:medium: failure -Sep 13 22:51:07 isiutali: lumqu onulamco7734.www.local: uptat@unt, Analysis & Reporting , tass -2016-9-28T05:53:42Z luptatem3834.lan edq %NGIPS-medium-tise:AccessControlRuleAction:block,AccessControlRuleName:tnul,AccessControlRuleReason:success,ApplicationProtocol:rdp,Client:ess,ConnectType:quiad,DE:ihilmole,DNSResponseType:saquaea,DstIP:10.80.151.37,DstPort:535,ICMPCode:modico,ICMPType:metco,InitiatorBytes:410,InitiatorPackets:porinc,NAPPolicy:riame,Policy:riat,ResponderBytes:181,ResponderPackets:rumSec,Sinkhole:orp,SrcIP:10.213.109.180,SrcPort:6536,TCPFlags:essequam,URLCategory:ueporro,URLReputation:84.488000,UserName:etcon,ClientVersion:1.4438,WebApplication:orum,OriginalClientIP: Bonoru,IngressInterface: lo5284,EgressInterface: enp0s73,IngressZone: emacc,EgressZone: emp,Prefilter Policy: lamcola,UserAgent: Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36,ReferencedHost: ipiscive,URL: https://www.example.org/etdolor/uat.gif?mmod=iti#nimadm,HTTPResponse: nculp,HTTPReferer: asp,IPReputationSICategory: eacom,DNS_TTL: mag,DNSRecordType: gelitse,DNSQuery: oremqu,GID: idex,SID: radip,Revision: upta,Message: tetura,Classification: rumet,User: uptasnul,Priority: antiumdo, ACPolicy: ecill, 
ConnectionDuration: 56.481000,Protocol: ipv6,VLAN_ID: 3302,IPSCount: 6436,InlineResult: allow, DNSSICategory: nostrud, URLSICategory: cteturad -Oct 12 2016 12:56:16 exercita2068.api.invalid %FTD-veleumi-nsequatu:CLOCK: System clock set, source: nula, IP: 10.169.84.140, before: santi, after: ritati -Oct 26 2016 19:58:50 orumS757.www5.corp: %FTD-eursint-orio:CLOCK: System clock set, source: gna, IP: 10.130.231.129, before: olu, after: iameaque -2016-11-10T03:01:24Z sedquian4212.www5.domain magnaa %NGIPS-medium-eca:AccessControlRuleAction:allow,AccessControlRuleName:tes,AccessControlRuleReason:unknown,ApplicationProtocol:rdp,Client:isi,ConnectType:iaecon,DE:aevitaed,DNSResponseType:byCic,DstIP:10.62.8.123,DstPort:5725,ICMPCode:siarc,ICMPType:fdeFin,InitiatorBytes:4053,InitiatorPackets:tobeata,NAPPolicy:nesciun,Policy:amcolab,ResponderBytes:4306,ResponderPackets:isnisiut,Sinkhole:atatnon,SrcIP:10.143.37.32,SrcPort:209,TCPFlags:uisnos,URLCategory:olores,URLReputation:174.651000,UserName:epo,ClientVersion:1.745,WebApplication:borisnis,OriginalClientIP: onorumet,IngressInterface: enp0s6017,EgressInterface: enp0s2440,IngressZone: ipsumq,EgressZone: evit,Prefilter Policy: tno,UserAgent: Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10,ReferencedHost: psumq,URL: https://internal.example.com/atu/teturad.htm?msequ=nvol#enimadmi,HTTPResponse: tateveli,HTTPReferer: osa,IPReputationSICategory: mini,DNS_TTL: rors,DNSRecordType: ssusci,DNSQuery: ames,GID: inimve,SID: uio,Revision: mexercit,Message: byC,Classification: uae,User: oremip,Priority: its, ACPolicy: uptasnul, ConnectionDuration: 115.011000,Protocol: rdp,VLAN_ID: 7541,IPSCount: 239,InlineResult: deny, DNSSICategory: nse, URLSICategory: miurere -Nov 24 10:03:59 ntor: oinBCSed3444.api.local: smodtem@roquisqu, Logout, Logout Success -Dec 8 17:06:33 apari5002.api.test orum: [nsequat:27813:1.6724] auto [Impact: failure] From sci 
at periam Dec 8 17:06:33 2016 UTC [Classification: fugiatnu] [Priority: dolor ]: {icmp} 10.182.213.195:7119 (tur) -> 10.9.200.197 -2016-12-23T00:09:07Z audant3412.www.local remeum %NGIPS-medium-animi:AccessControlRuleAction:allow, AccessControlRuleReason:failure, SrcIP:10.210.180.142, DstIP:10.111.33.70, SrcPort:3015, DstPort:3758, Protocol: ggp, IngressInterface: enp0s6049, IngressZone:amcolabo, ACPolicy:orsitvol, AccessControlRuleName:eriam, Prefilter Policy:anonn, User:utpers, Client:num, ApplicationProtocol:tcp, InitiatorPackets:iaturE, ResponderPackets:epor, InitiatorBytes:3465, ResponderBytes:3813, NAPPolicy:amnih, DNSQuery:tper4341.lan, DNSRecordType: a host address, DNSSICategory:nulamc -Jan 6 07:11:41 antiu3533.internal.domain iatquovo: HMNOTIFY: lapari (Sensor Mal): Severity:medium: success -Jan 20 14:14:16 cidu921.internal.lan quamq: Sha256:usan Disposition: Malware Threat name: tdolo IP Addresses: 10.222.183.123<<-10.165.33.19 -Feb 3 21:16:50 unturmag6190.api.lan remeum: [etur:16539:1.890] "Quisa" [Impact: unknown] From dolo at modoco Feb 3 21:16:50 2017 UTC [Classification: Finibus] [Priority: uisautei]: {rdp} 10.52.190.18:4411 -> 10.238.223.171 -Feb 18 04:19:24 conseq6079.www.corp tiu: [wri:26992:1.3902] asper [Impact: unknown] From orem/inibus at secte Feb 18 04:19:24 2017 UTC [Classification: ctobeat] [Priority: onsec ]: {udp} 10.68.233.163 -> 10.160.178.109:1934 -Mar 4 2017 11:21:59 tvol3402.www.local %FTD-ollita-qua:CLOCK: System clock set, source: ionula, IP: 10.162.109.83, before: nderi, after: tem -Mar 18 2017 18:24:33 xcep3783.internal.localhost %FTD-ercitati-atem:User 'serro' executed the 'lumquid' command. 
-Apr 2 01:27:07 ciatisun7378.www5.invalid didun: HMNOTIFY: riaturEx (Sensor nde): Severity:low: unknown -Apr 16 08:29:41 iqu4858.mail.invalid audant: [obeata:11634:1.6627] "minimve" [Impact: unknown] From "toditau/uiad" at nvolupta Apr 16 08:29:41 2017 UTC [Classification: exercit] [Priority: dexer ]:alert {igmp} 10.116.175.84 -> 10.213.100.153 -Apr 30 15:32:16 lumqui: ectet ionu3320.api.localhost: estq@quasiarc, Command Line,aliquaU -May 14 22:34:50 tvolu: imve ollitan5079.www.lan: deriti@edictasu, Health > eturadi -May 29 05:37:24 nihilmol1849.api.local eporroq: Protocol: tcp, AccessControlRuleAction:block,AccessControlRuleName:iatn,AccessControlRuleReason:unknown,ApplicationProtocol:igmp,Client:eli,ConnectType:rissusci,DE:ectetur,DNSResponseType:dictasun,DstIP:10.26.95.225,DstPort:4196,FileCount:3674,ICMPCode:oluptate,ICMPType:ntut,InitiatorBytes:5153,InitiatorPackets:scipit,NAPPolicy:litess,Policy:tore,ResponderBytes:5269,ResponderPackets:quunturm,Sinkhole:quovo,SrcIP:10.143.219.250,SrcPort:1444,TCPFlags:conse,URLCategory:aturve,URLReputation:8.942000,UserName:fdeFin,ClientVersion:1.2871,WebApplication:psu,OriginalClientIP: strud,IngressInterface: eth6386,EgressInterface: lo7421,IngressZone: ratv,EgressZone: veni,Prefilter Policy: metM,UserAgent: Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0],ReferencedHost: tate,URL: https://internal.example.com/uun/amrem.gif?umq=ita#ipsaquae,HTTPResponse: olu,HTTPReferer: exerci,IPReputationSICategory: isnostru,DNS_TTL: iad,DNSRecordType: ngelits,DNSQuery: volupt,GID: billoi,SID: 38352,Revision: utaliqui,Message: uov,Classification: pariat,User: icaboNe,Priority: boreetd, ACPolicy: uir -Jun 12 12:39:58 ipsu: [oremip] ota4562.local: epteurs@itse, Task Queue, rever -Jun 26 19:42:33 eiu: [maliquam] 
gnama5033.www5.home: ction@emveleum, Object > siuta -Jul 11 02:45:07 sum6106.www.home ulamc: HMNOTIFY: doe (Sensor eiusm): Severity:very-high: failure -Jul 25 09:47:41 ugiatn: squa2763.www.lan: trude@snulap, Task Queue, onsequat -2017-8-8T16:50:15Z aturvel1847.mail.localdomain sedquia %NGIPS-high-ostrudex:AccessControlRuleAction:cancel, AccessControlRuleReason:unknown, SrcIP:10.240.144.78, DstIP:10.251.159.118, SrcPort:2998, DstPort:2795, Protocol: ipv6, IngressInterface: lo6367, IngressZone:ptatems, ACPolicy:tenima, AccessControlRuleName:emagnam, Prefilter Policy:iaco, User:urQuisa, Client:ipi, ApplicationProtocol:ipv6-icmp, InitiatorPackets:amali, ResponderPackets:onula, InitiatorBytes:1580, ResponderBytes:4902, NAPPolicy:por, DNSQuery:stiae3403.internal.localhost, DNSRecordType: a host address, DNSSICategory:Ute -Aug 22 23:52:50 setq5996.corp : HMNOTIFY: odi (Sensor tper): Severity:medium: success -Sep 6 06:55:24 quiano3025.api.localhost oluptat: HMNOTIFY: sequatD (Sensor emap): Severity:very-high: unknown -Sep 20 13:57:58 qui7797.www.host : HMNOTIFY: umet (Sensor psaquaea): Severity:low: failure -2017-10-4T21:00:32Z Utenim3707.www5.host iamquisn %NGIPS-low-lor:AccessControlRuleAction:cancel, AccessControlRuleReason:success, SrcIP:10.140.209.249, DstIP:10.201.132.114, SrcPort:1801, DstPort:639, Protocol: ggp, IngressInterface: lo3580, IngressZone:eacommo, ACPolicy:litani, AccessControlRuleName:temse, Prefilter Policy:samvo, User:itsedd, Client:icta, ApplicationProtocol:igmp, InitiatorPackets:labori, ResponderPackets:ditau, InitiatorBytes:470, ResponderBytes:5413, NAPPolicy:olest, DNSQuery:urau1660.www.lan, DNSRecordType: a host address, DNSSICategory:Neq -Oct 19 04:03:07 Nequepor: [aUten] edutpers3482.www5.corp: mnisis@onsequa, Access Control Policy > sunt -Nov 2 11:05:41 nofde7732.internal.test emp: [emoeni:13228:1.2633] taliqui [Impact: failure] From labo at ssecill Nov 2 11:05:41 2017 UTC [Classification: umquam] [Priority: onev ]: atu {ipv6} 10.198.44.231 -> 
10.36.122.169:6751 (ariatu) -2017-11-16T18:08:15Z byCicero7475.www.localhost abillo %NGIPS-medium-eav:AccessControlRuleAction:block, AccessControlRuleReason:failure, SrcIP:10.77.86.215, DstIP:10.144.162.122, SrcPort:5913, DstPort:2080, Protocol: udp, IngressInterface: lo5079, IngressZone:sequine, ACPolicy:minimv, AccessControlRuleName:ffici, Prefilter Policy:rsintoc, User:boreetd, Client:rehende, ApplicationProtocol:icmp, InitiatorPackets:erspic, ResponderPackets:orincidi, InitiatorBytes:3273, ResponderBytes:6430, NAPPolicy:quipe, DNSQuery:evita850.localdomain, DNSRecordType: a host address, DNSSICategory:tiu -Dec 1 01:10:49 acons: [enbyCic] aturau3002.api.corp: sci@psamvolu, itsedqui -2017-12-15T08:13:24Z ntiumt238.internal.corp isc %NGIPS-high-odite:AccessControlRuleAction:cancel,AccessControlRuleName:ostr,AccessControlRuleReason:unknown,ApplicationProtocol:tcp,Client:itan,ConnectType:olorin,DE:oluptat,DNSResponseType:olors,DstIP:10.85.61.13,DstPort:6593,ICMPCode:quian,ICMPType:xerci,InitiatorBytes:5178,InitiatorPackets:upt,NAPPolicy:uovolu,Policy:itten,ResponderBytes:4805,ResponderPackets:abo,Sinkhole:orisnis,SrcIP:10.212.37.178,SrcPort:76,TCPFlags:aconseq,URLCategory:isnos,URLReputation:132.397000,UserName:lit,ClientVersion:1.4,WebApplication:odic,OriginalClientIP: ono,IngressInterface: eth1462,EgressInterface: enp0s3976,IngressZone: ine,EgressZone: hend,Prefilter Policy: rcit,UserAgent: Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30,ReferencedHost: nsecte,URL: https://api.example.org/tat/pitlabor.gif?rrorsi=loremqu#busBono,HTTPResponse: mnisiut,HTTPReferer: eabil,IPReputationSICategory: olu,DNS_TTL: uaUte,DNSRecordType: empor,DNSQuery: ate,GID: eca,SID: inre,Revision: aliqu,Message: orem,Classification: dquian,User: isaute,Priority: rumetMa, ACPolicy: utfugit, ConnectionDuration: 95.196000,Protocol: ggp,VLAN_ID: 5189,IPSCount: 1350,InlineResult: allow, DNSSICategory: ntocca, 
URLSICategory: emquelau -Dec 29 15:15:58 atu2951.test : HMNOTIFY: pitlab (Sensor riosamn): Severity:medium: success -Jan 12 22:18:32 mini: tutl uipe5295.api.localhost: mwrit@dminimve, Access Control Policy > madminim -2018-1-27T05:21:06Z tatiset5041.www5.local tevelit %NGIPS-low-Utenim:AccessControlRuleAction:deny,AccessControlRuleName:uisa,AccessControlRuleReason:unknown,ApplicationProtocol:ggp,Client:siutal,ConnectType:umetMalo,DE:onevolu,DNSResponseType:itautfug,DstIP:10.236.221.212,DstPort:5294,ICMPCode:nsequatD,ICMPType:amcorp,InitiatorBytes:1539,InitiatorPackets:idolor,NAPPolicy:umdo,Policy:sequatu,ResponderBytes:7142,ResponderPackets:ecillu,Sinkhole:ipsaqu,SrcIP:10.31.46.127,SrcPort:7526,TCPFlags:magn,URLCategory:amcola,URLReputation:173.477000,UserName:sno,ClientVersion:1.6406,WebApplication:ntiu,OriginalClientIP: tametco,IngressInterface: lo6910,EgressInterface: eth6946,IngressZone: non,EgressZone: pta,Prefilter Policy: asnul,UserAgent: Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91,ReferencedHost: todit,URL: https://www.example.com/fug/ulpaq.gif?piscivel=ueporr#udex,HTTPResponse: ipexeac,HTTPReferer: uin,IPReputationSICategory: isci,DNS_TTL: archi,DNSRecordType: rsitame,DNSQuery: qui,GID: umdolo,SID: tate,Revision: sintocca,Message: ugiat,Classification: asuntex,User: uovolup,Priority: expl, ACPolicy: animi, ConnectionDuration: 63.677000,Protocol: ipv6,VLAN_ID: 3389,IPSCount: 1457,InlineResult: cancel, DNSSICategory: taliqui, URLSICategory: doloremi -Feb 10 12:23:41 atevel: [oloremeu] esse2198.mail.example: uaturvel@quisqua, System > sedquian -Feb 24 2018 19:26:15 pitlab5165.localdomain %FTD-uptate-tevelite:CLOCK: System clock set, source: cto, IP: 10.17.172.91, before: agn, after: dip -Mar 11 02:28:49 acomm: [edquia] uinesci6041.api.local: pers@lpaquiof, Analysis isisten -Mar 25 09:31:24 uovol2459.www5.invalid volup: 
[nimi:5155:1.2115] lillum [Impact: success] From suntin at consequa Mar 25 09:31:24 2018 UTC [Classification: tionu] [Priority: umqua ]:alert {tcp} 10.28.105.106 -> 10.60.137.215:3266 (icons) -Apr 8 16:33:58 ptate7215.www5.home mquiado: HMNOTIFY: ssequa (Sensor nisist): Severity:low: failure -Apr 22 23:36:32 metc7395.lan ataevit: Protocol: rdp, AccessControlRuleAction:deny,AccessControlRuleName:toditaut,AccessControlRuleReason:success,ApplicationProtocol:ipv6-icmp,Client:didu,ConnectType:emporain,DE:ovo,DNSResponseType:aeabillo,DstIP:10.53.0.68,DstPort:7066,FileCount:4405,ICMPCode:rehen,ICMPType:sitasp,InitiatorBytes:933,InitiatorPackets:exeacom,NAPPolicy:teir,Policy:suntin,ResponderBytes:4053,ResponderPackets:upta,Sinkhole:iaeconse,SrcIP:10.235.102.51,SrcPort:1905,TCPFlags:uscip,URLCategory:ptasn,URLReputation:163.091000,UserName:san,ClientVersion:1.1124,WebApplication:amqui,OriginalClientIP: itatise,IngressInterface: lo6252,EgressInterface: enp0s6516,IngressZone: liqu,EgressZone: cons,Prefilter Policy: apar,UserAgent: Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36,ReferencedHost: umtota,URL: https://internal.example.com/xplic/isn.html?ame=tenat#etur,HTTPResponse: uisnost,HTTPReferer: snul,IPReputationSICategory: quasia,DNS_TTL: ihilmol,DNSRecordType: seosqui,DNSQuery: tiset,GID: ciade,SID: 31978,Revision: equ,Message: rror,Classification: Exce,User: uae,Priority: tut, ACPolicy: umdol -May 7 2018 06:39:06 Loremips5368.www5.corp: %FTD-ficiade-nemull:Offloaded TCP Flow for connectiontrumexfromenp0s484:10.49.190.163/4220(10.20.167.114/6975) tolo7626:10.166.40.137/5279(10.65.144.119/6233) -May 21 13:41:41 mexer1548.www5.example uidexea: Sha256:emu Disposition: Malware Threat name: asia IP Addresses: 10.162.128.87<<-10.104.78.147 -Jun 4 20:44:15 emulla6625.www5.corp oditaut: Sha256:oloremqu Disposition: Malware Threat name: untNeque IP Addresses: 10.82.180.46<<-10.237.43.87 -Jun 19 03:46:49 
magn3657.api.invalid tquiine: [ill:5315:1.4189] "mquisn" [Impact: success] From nby/uames at dolo Jun 19 03:46:49 2018 UTC [Classification: mnihil] [Priority: aturQui ]: umqua {icmp} 10.234.234.205:5714 (eos) -> 10.180.28.156:4665 (quovol) -Jul 3 10:49:23 nis3942.mail.example edutpe: HMNOTIFY: architec (Sensor incul): Severity:high: success -2018-7-17T17:51:58Z iscing6960.api.invalid emipsu %NGIPS-very-high-temUte:AccessControlRuleAction:block, AccessControlRuleReason:success, SrcIP:10.40.250.209, DstIP:10.166.10.187, SrcPort:3941, DstPort:793, Protocol: udp, IngressInterface: lo2032, IngressZone:nculpaq, ACPolicy:mides, AccessControlRuleName:iconseq, Prefilter Policy:nidolo, User:runtmoll, Client:tuserror, ApplicationProtocol:igmp, InitiatorPackets:adipis, ResponderPackets:tet, InitiatorBytes:1259, ResponderBytes:4280, NAPPolicy:inv, DNSQuery:upta788.invalid, DNSRecordType: a host address, DNS_TTL: olupta, DNSSICategory:raincidu -Aug 1 00:54:32 consequu3962.api.localdomain Maloru: Protocol: ggp, AccessControlRuleAction:cancel,AccessControlRuleName:equat,AccessControlRuleReason:unknown,ApplicationProtocol:rdp,Client:estlab,ConnectType:vol,DE:paqui,DNSResponseType:eiusmo,DstIP:10.33.37.252,DstPort:3192,FileCount:2960,ICMPCode:itseddoe,ICMPType:tnulapa,InitiatorBytes:6405,InitiatorPackets:ngelitse,NAPPolicy:Utenim,Policy:llitan,ResponderBytes:2517,ResponderPackets:urs,Sinkhole:uepor,SrcIP:10.52.109.149,SrcPort:1416,TCPFlags:piciati,URLCategory:mipsum,URLReputation:7.706000,UserName:ditaut,ClientVersion:1.91,WebApplication:niamquis,OriginalClientIP: lapariat,IngressInterface: lo5184,EgressInterface: lo62,IngressZone: mpo,EgressZone: deritinv,Prefilter Policy: ten,UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36,ReferencedHost: temporai,URL: https://example.com/emeumf/res.txt?ptasn=ima#emUte,HTTPResponse: atnonp,HTTPReferer: 
imaven,IPReputationSICategory: cia,DNS_TTL: doconseq,DNSRecordType: quia,DNSQuery: veleum,GID: emUten,SID: 31978,Revision: proiden,Message: cita,Classification: iac,User: ntincul,Priority: mnisiste, ACPolicy: uptas -Aug 15 07:57:06 ita7851.localhost dictas: Sha256:equaturv Disposition: Malware Threat name: rsi IP Addresses: 10.78.180.219<<-10.198.202.72 -Aug 29 14:59:40 laparia5374.api.domain norumet: [tconse:26152:1.2390] "tam" [Impact: success] From "inc/riaturEx" at eleumiur Aug 29 14:59:40 2018 UTC [Classification: eufugi] [Priority: ionu ] < {ggp} 10.147.155.100 -> 10.232.67.182:2086 (maccusan) -Sep 12 22:02:15 onse3711.api.domain aliquaUt: [boreet:9193:1.1034] vol [Impact: unknown] From "nof/boNe" at ovolu Sep 12 22:02:15 2018 UTC [Classification: cid] [Priority: periam ] {ggp} 10.4.147.70:3210 -> 10.95.152.78:1267 -Sep 27 05:04:49 elite: nde iac7016.api.lan: antiu@llumquid, FailD, paq -Oct 11 12:07:23 sit: tte4006.www5.test: lors@isautem, Intrusion Events,metco -2018-10-25T19:09:57Z equatD1241.www5.host rpo %NGIPS-low-econs:AccessControlRuleAction:cancel,AccessControlRuleName:bor,AccessControlRuleReason:success,ApplicationProtocol:udp,Client:ten,ConnectType:ssec,DE:snulapar,DNSResponseType:maccusan,DstIP:10.54.49.229,DstPort:1089,ICMPCode:iset,ICMPType:piciatis,InitiatorBytes:3781,InitiatorPackets:dolor,NAPPolicy:tur,Policy:sBo,ResponderBytes:1426,ResponderPackets:rehende,Sinkhole:iaeco,SrcIP:10.204.18.92,SrcPort:4216,TCPFlags:psamvolu,URLCategory:odte,URLReputation:12.264000,UserName:aparia,ClientVersion:1.2692,WebApplication:reetd,OriginalClientIP: nos,IngressInterface: enp0s6783,EgressInterface: enp0s2434,IngressZone: urveli,EgressZone: agnaa,Prefilter Policy: olu,UserAgent: Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36,ReferencedHost: atae,URL: https://www5.example.net/boNemo/duntutla.html?tmollit=ptat#nnumqu,HTTPResponse: billoi,HTTPReferer: ciatisu,IPReputationSICategory: 
evelites,DNS_TTL: vol,DNSRecordType: ommodi,DNSQuery: ritat,GID: dipi,SID: asnulapa,Revision: atev,Message: onsequa,Classification: seddoe,User: quisnost,Priority: tionu, ACPolicy: ciades, ConnectionDuration: 116.537000,Protocol: icmp,VLAN_ID: 764,IPSCount: 5618,InlineResult: accept, DNSSICategory: nvolupt, URLSICategory: stia -Nov 9 02:12:32 essequ121.localdomain uaturQui: Sha256:emi Disposition: Malware Threat name: mipsumq IP Addresses: 10.216.14.36<<-10.224.250.83 -Nov 23 09:15:06 borios1685.www.localhost umfu: [inesc:10329:1.6298] "olupt" [Impact: failure] From otamr/nonnu at riamea Nov 23 09:15:06 2018 UTC [Classification: taliquip] [Priority: upt ]:alert {ggp} 10.38.22.60:653 (ipi) -> 10.231.10.63 -2018-12-7T16:17:40Z odt2318.localdomain dut %NGIPS-high-remape:AccessControlRuleAction:cancel, AccessControlRuleReason:failure, SrcIP:10.46.57.181, DstIP:10.29.231.11, SrcPort:3760, DstPort:2231, Protocol: ggp, IngressInterface: eth1891, IngressZone:orsitam, ACPolicy:olupt, AccessControlRuleName:tlab, Prefilter Policy:str, User:sit, Client:atat, ApplicationProtocol:tcp, InitiatorPackets:isnos, ResponderPackets:emp, InitiatorBytes:42, ResponderBytes:560, NAPPolicy:sciveli, DNSQuery:Bonoru5658.mail.invalid, DNSRecordType: a host address, DNSSICategory:omm -Dec 21 23:20:14 dolores: oin ueipsa6797.mail.home: agnaal@itaut, Access Control Policy > Bonoru -Jan 5 06:22:49 ntinculp: uptatemU iono5161.www5.localhost: ita@olupt, System > orisnisi -Jan 19 13:25:23 untut3537.domain sit: Protocol: ggp, 
AccessControlRuleAction:cancel,AccessControlRuleName:uia,AccessControlRuleReason:unknown,ApplicationProtocol:ipv6-icmp,Client:nostrume,ConnectType:corpori,DE:unti,DNSResponseType:tena,DstIP:10.199.173.109,DstPort:1531,FileCount:4238,ICMPCode:rmagni,ICMPType:tiono,InitiatorBytes:7625,InitiatorPackets:imipsamv,NAPPolicy:eroin,Policy:xplicabo,ResponderBytes:4308,ResponderPackets:cidu,Sinkhole:tquo,SrcIP:10.20.64.209,SrcPort:5294,TCPFlags:mrem,URLCategory:maliquam,URLReputation:112.060000,UserName:eiusmo,ClientVersion:1.3720,WebApplication:its,OriginalClientIP: prehende,IngressInterface: eth685,EgressInterface: lo919,IngressZone: uiration,EgressZone: secte,Prefilter Policy: ulapari,UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36,ReferencedHost: vol,URL: https://api.example.com/non/quaturQu.gif?etura=taedi#edi,HTTPResponse: quiacon,HTTPReferer: udexerc,IPReputationSICategory: volu,DNS_TTL: tassit,DNSRecordType: metconse,DNSQuery: remeum,GID: equaturQ,SID: 38469,Revision: mollita,Message: eserun,Classification: sBono,User: icab,Priority: iquaUten, ACPolicy: oluptasn -2019-2-2T20:27:57Z atio5250.api.localhost idolo %NGIPS-low-ritat:AccessControlRuleAction:block, AccessControlRuleReason:success, SrcIP:10.107.144.80, DstIP:10.135.250.25, SrcPort:703, DstPort:1306, Protocol: icmp, IngressInterface: lo3342, IngressZone:emquiavo, ACPolicy:nsequ, AccessControlRuleName:Secti, Prefilter Policy:utlabore, User:suscipi, Client:tlabor, ApplicationProtocol:ggp, InitiatorPackets:dolore, ResponderPackets:xer, InitiatorBytes:4673, ResponderBytes:1881, NAPPolicy:msequine, DNSQuery:reetd7201.invalid, DNSRecordType: a host address, DNS_TTL: ugiatquo, DNSSICategory:ende -Feb 17 03:30:32 tnula4380.mail.test edolo: HMNOTIFY: olupta (Sensor volu): Severity:low: failure -Mar 3 10:33:06 ugiat: [quiin] apar2567.www.localhost: iscing@ser, Policies > nama -Mar 17 2019 17:35:40 onsecte5119.www.invalid 
%FTD-dolore-iineavol:Failed to locate egress interface for icmp from enp0s3923:10.198.207.31/579 to 10.5.88.183/7518 -Apr 1 00:38:14 uis: [oluptat] iutali3143.host: ect@fdeFi, Analysis & Reporting , eritat -Apr 15 07:40:49 prehende: [spern] orro7466.www5.lan: issu@accusant, rrorsitv -Apr 29 14:43:23 quii: [dantiu] epre7710.www.domain: aria@ugi, Heartbeat, econ -May 13 21:45:57 tio: [tlabori] nsequatu2799.www5.invalid: mape@aboree, Task Queue, eumiurer -2019-5-28T04:48:31Z scingel1634.api.home orsit %NGIPS-high-meaq:AccessControlRuleAction:block,AccessControlRuleName:uaUten,AccessControlRuleReason:failure,ApplicationProtocol:icmp,Client:aec,ConnectType:issus,DE:ica,DNSResponseType:scingeli,DstIP:10.10.40.136,DstPort:6091,ICMPCode:idu,ICMPType:neavolup,InitiatorBytes:694,InitiatorPackets:giatquov,NAPPolicy:ovolupta,Policy:oen,ResponderBytes:7141,ResponderPackets:mtot,Sinkhole:entorev,SrcIP:10.34.89.14,SrcPort:4988,TCPFlags:quisnost,URLCategory:chitecto,URLReputation:124.035000,UserName:quelauda,ClientVersion:1.992,WebApplication:mquia,OriginalClientIP: saquaeab,IngressInterface: lo2474,EgressInterface: eth6425,IngressZone: deFini,EgressZone: radip,Prefilter Policy: odiconse,UserAgent: Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36,ReferencedHost: untu,URL: https://mail.example.net/quunturm/upta.gif?exer=mvolup#litseddo,HTTPResponse: ccaeca,HTTPReferer: snostr,IPReputationSICategory: ratvol,DNS_TTL: olaboris,DNSRecordType: smodite,DNSQuery: eataevi,GID: conseq,SID: quo,Revision: texplica,Message: urQuis,Classification: umetMa,User: tisetqua,Priority: lore, ACPolicy: taedicta, ConnectionDuration: 141.678000,Protocol: udp,VLAN_ID: 2110,IPSCount: 7554,InlineResult: cancel, DNSSICategory: tmollita, URLSICategory: turQuis -2019-6-11T11:51:06Z inBCSe364.www.corp ntore 
%NGIPS-very-high-tsedquia:AccessControlRuleAction:deny,AccessControlRuleName:mea,AccessControlRuleReason:success,ApplicationProtocol:rdp,Client:illoinv,ConnectType:euf,DE:turveli,DNSResponseType:onofdeFi,DstIP:10.197.182.37,DstPort:4472,ICMPCode:quaUte,ICMPType:ercitati,InitiatorBytes:6085,InitiatorPackets:rehe,NAPPolicy:hilmole,Policy:etura,ResponderBytes:540,ResponderPackets:eumiure,Sinkhole:exe,SrcIP:10.182.121.165,SrcPort:4822,TCPFlags:tate,URLCategory:tev,URLReputation:46.627000,UserName:uira,ClientVersion:1.2734,WebApplication:ncididu,OriginalClientIP: numqu,IngressInterface: enp0s1059,EgressInterface: enp0s3789,IngressZone: uscipitl,EgressZone: utfugit,Prefilter Policy: utali,UserAgent: Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;],ReferencedHost: peria,URL: https://api.example.com/uscip/uptatem.txt?eetd=orin#remag,HTTPResponse: conse,HTTPReferer: ate,IPReputationSICategory: iamq,DNS_TTL: tationul,DNSRecordType: qui,DNSQuery: porissu,GID: one,SID: mqu,Revision: iofficia,Message: uisnostr,Classification: lit,User: stlabo,Priority: uaer, ACPolicy: ectob, ConnectionDuration: 159.885000,Protocol: rdp,VLAN_ID: 350,IPSCount: 7423,InlineResult: allow, DNSSICategory: orema, URLSICategory: enderit -2019-6-25T18:53:40Z uaeratv2083.internal.localhost essecil %NGIPS-medium-uptate:AccessControlRuleAction:allow, AccessControlRuleReason:unknown, SrcIP:10.154.87.98, DstIP:10.186.68.87, SrcPort:2632, DstPort:2129, Protocol: igmp, IngressInterface: eth2658, IngressZone:suscipi, ACPolicy:eirure, AccessControlRuleName:itsed, Prefilter Policy:fugiat, User:ore, Client:labo, ApplicationProtocol:ipv6-icmp, InitiatorPackets:nisi, ResponderPackets:pidatatn, InitiatorBytes:2005, ResponderBytes:4560, NAPPolicy:odico, DNSQuery:onofdeFi1149.www5.domain, DNSRecordType: a host address, DNSSICategory:ioffici -2019-7-10T01:56:14Z 
nvo2629.example onsequ %NGIPS-medium-itess:AccessControlRuleAction:allow, AccessControlRuleReason:unknown, SrcIP:10.35.59.140, DstIP:10.67.211.63, SrcPort:1832, DstPort:7478, Protocol: udp, IngressInterface: eth3613, IngressZone:temqu, ACPolicy:emse, AccessControlRuleName:dantiu, Prefilter Policy:oluptate, User:onnu, Client:Ciceroin, ApplicationProtocol:udp, InitiatorPackets:itempora, ResponderPackets:uovol, InitiatorBytes:4338, ResponderBytes:584, NAPPolicy:bore, DNSQuery:lumdol5252.internal.test, DNSRecordType: a host address, DNS_TTL: seosq, DNSSICategory:orain -Jul 24 08:58:48 quianonn2762.api.localhost : HMNOTIFY: eeufugia (Sensor mquis): Severity:very-high: unknown -Aug 7 16:01:23 ver: [quaturv] atn2219.api.invalid: radip@ipsum, Heartbeat, itesse -Aug 21 23:03:57 equu1159.internal.localhost psumdol: HMNOTIFY: atcup (Sensor urautodi): Severity:medium: failure -Sep 5 06:06:31 dexer: [tionofde] urQuisau2442.mail.invalid: uptate@itesse, Login, Login Success -Sep 19 13:09:05 cididu3187.home asperna: Sha256:llumdolo Disposition: Malware Threat name: sequines IP Addresses: 10.14.46.141->10.179.27.185 -Oct 3 20:11:40 lorem: aliqua4025.www.localdomain: deFinibu@pitlab, Logout, Logout Success -Oct 18 03:14:14 ntutlab: aecatcup citati1297.api.domain: emp@uptate, Policies > olupta -Nov 1 10:16:48 nreprehe2138.www5.domain : HMNOTIFY: eursi (Sensor aute): Severity:medium: success -Nov 15 17:19:22 pari: [ent] idolore6589.api.localdomain: ctobea@audanti, Logout, Logout Success -Nov 30 2019 00:21:57 erunt3957.internal.lan %FTD-aut-iono:TCP Flow is no longer offloaded for connection runtmo from lo2571:10.118.103.185/1333 (10.240.77.10/2226) to lo5895:10.125.130.61/6154 (10.32.195.34/135) -Dec 14 07:24:31 ntNe7144.api.lan oremips: Sha256:numqu Disposition: Malware Threat name: sed IP Addresses: 10.111.130.177<<-10.188.88.133 
diff --git a/x-pack/filebeat/module/snort/log/test/generated.log-expected.json b/x-pack/filebeat/module/snort/log/test/generated.log-expected.json deleted file mode 100644 index a30c9af806f..00000000000 --- a/x-pack/filebeat/module/snort/log/test/generated.log-expected.json +++ /dev/null 
@@ -1,3784 +0,0 @@ -[ - { - "event.code": "FTD_events", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Jan 29 2016 06:09:59 quid2184.invalid: %FTD-enim-dqu:CLOCK: System clock set, source: veri, IP: 10.202.72.124, before: inv, after: emo", - "fileset.name": "log", - "host.ip": "10.202.72.124", - "host.name": "quid2184.invalid", - "input.type": "log", - "log.offset": 0, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "quid2184.invalid", - "veri" - ], - "related.ip": [ - "10.202.72.124" - ], - "rsa.internal.messageid": "FTD_events", - "rsa.internal.msg_id": "dqu", - "rsa.misc.change_attrib": "Time", - "rsa.misc.change_new": "emo", - "rsa.misc.change_old": "inv", - "rsa.misc.event_source": "veri", - "rsa.network.alias_host": [ - "quid2184.invalid" - ], - "rsa.time.day": "29", - "rsa.time.month": "Jan", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "destination.bytes": 3676, - "destination.ip": "10.212.11.114", - "destination.port": 3716, - "event.action": "deny", - "event.code": "NGIPS_events", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "2016-2-12T13:12:33Z inBCSedu5722.internal.lan nimadmin %NGIPS-medium-uam:AccessControlRuleAction:deny, AccessControlRuleReason:success, SrcIP:10.38.77.13, DstIP:10.212.11.114, SrcPort:3971, DstPort:3716, Protocol: tcp, IngressInterface: eth4091, IngressZone:isiu, ACPolicy:nimadmi, AccessControlRuleName:iatisu, Prefilter Policy:iat, User:tevelit, Client:nsequat, ApplicationProtocol:igmp, InitiatorPackets:llam, ResponderPackets:llamcorp, InitiatorBytes:4512, ResponderBytes:3676, NAPPolicy:eataevit, DNSQuery:uptatev4292.www.invalid, DNSRecordType: a host address, DNSSICategory:atat", - "fileset.name": "log", - "host.name": "uptatev4292.www.invalid", - "input.type": "log", - "log.level": "medium", - "log.offset": 135, - "network.application": "nsequat", - "network.protocol": 
"igmp", - "observer.egress.interface.name": "eth4091", - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "uptatev4292.www.invalid" - ], - "related.ip": [ - "10.212.11.114", - "10.38.77.13" - ], - "rsa.internal.messageid": "NGIPS_events", - "rsa.internal.msg_id": "uam", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "atat", - "rsa.misc.policy_name": "eataevit", - "rsa.misc.result": "success", - "rsa.misc.rule_name": "iatisu", - "rsa.misc.severity": "medium", - "rsa.network.alias_host": [ - "uptatev4292.www.invalid" - ], - "rsa.network.dinterface": "eth4091", - "rsa.network.zone_dst": "isiu", - "rsa.time.day": "12", - "rule.name": "iatisu", - "service.type": "snort", - "source.bytes": 4512, - "source.ip": "10.38.77.13", - "source.port": 3971, - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.action": "itecto", - "event.code": "HMNOTIFY", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Feb 26 20:15:08 tlabo6088.www.localdomain Lor: HMNOTIFY: itecto (Sensor erc): Severity:medium: failure", - "fileset.name": "log", - "host.name": "tlabo6088.www.localdomain", - "input.type": "log", - "log.level": "medium", - "log.offset": 721, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "tlabo6088.www.localdomain" - ], - "rsa.internal.messageid": "HMNOTIFY", - "rsa.misc.event_type": "itecto", - "rsa.misc.result": "failure", - "rsa.misc.sensor": "erc", - "rsa.misc.severity": "medium", - "rsa.time.day": "26", - "rsa.time.month": "Feb", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.action": "suntinc", - "event.code": "HMNOTIFY", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Mar 12 03:17:42 eporroqu4200.domain atquovo: HMNOTIFY: suntinc (Sensor xeac): Severity:medium: success", - "fileset.name": "log", - "host.name": 
"eporroqu4200.domain", - "input.type": "log", - "log.level": "medium", - "log.offset": 824, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "eporroqu4200.domain" - ], - "rsa.internal.messageid": "HMNOTIFY", - "rsa.misc.event_type": "suntinc", - "rsa.misc.result": "success", - "rsa.misc.sensor": "xeac", - "rsa.misc.severity": "medium", - "rsa.time.day": "12", - "rsa.time.month": "Mar", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.code": "SystemSettings", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Mar 26 10:20:16 eirure: conseq557.mail.lan: aaliquaU@ntor, Analysis & Reporting > lpaqui", - "file.name": "eirure", - "fileset.name": "log", - "host.name": "conseq557.mail.lan", - "input.type": "log", - "log.offset": 927, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "conseq557.mail.lan" - ], - "related.user": [ - "aaliquaU" - ], - "rsa.db.index": "lpaqui", - "rsa.internal.messageid": "SystemSettings", - "rsa.misc.category": "Analysis & Reporting", - "rsa.network.alias_host": [ - "conseq557.mail.lan" - ], - "rsa.time.day": "26", - "rsa.time.month": "Mar", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ], - "user.name": "aaliquaU" - }, - { - "destination.bytes": 3365, - "destination.ip": "10.24.67.250", - "destination.port": 2026, - "event.action": "block", - "event.code": "NGIPS_events", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "2016-4-9T17:22:51Z ationemu5040.www.lan utei %NGIPS-low-oei:AccessControlRuleAction:block, AccessControlRuleReason:unknown, SrcIP:10.182.199.231, DstIP:10.24.67.250, SrcPort:4478, DstPort:2026, Protocol: igmp, IngressInterface: enp0s5361, IngressZone:commod, ACPolicy:adol, AccessControlRuleName:doloremi, Prefilter Policy:luptasn, User:hitect, Client:dol, ApplicationProtocol:ipv6-icmp, 
InitiatorPackets:modocon, ResponderPackets:que, InitiatorBytes:651, ResponderBytes:3365, NAPPolicy:nsecte, DNSQuery:itame189.domain, DNSRecordType: a host address, DNSSICategory:exercit", - "fileset.name": "log", - "host.name": "itame189.domain", - "input.type": "log", - "log.level": "low", - "log.offset": 1016, - "network.application": "dol", - "network.protocol": "ipv6-icmp", - "observer.egress.interface.name": "enp0s5361", - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "itame189.domain" - ], - "related.ip": [ - "10.182.199.231", - "10.24.67.250" - ], - "rsa.internal.messageid": "NGIPS_events", - "rsa.internal.msg_id": "oei", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "exercit", - "rsa.misc.policy_name": "nsecte", - "rsa.misc.result": "unknown", - "rsa.misc.rule_name": "doloremi", - "rsa.misc.severity": "low", - "rsa.network.alias_host": [ - "itame189.domain" - ], - "rsa.network.dinterface": "enp0s5361", - "rsa.network.zone_dst": "commod", - "rsa.time.day": "9", - "rule.name": "doloremi", - "service.type": "snort", - "source.bytes": 651, - "source.ip": "10.182.199.231", - "source.port": 4478, - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.code": "SystemSettings", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Apr 24 00:25:25 uscipit: vitaedi1318.corp: temqu@edol, FailD, colab", - "file.name": "uscipit", - "fileset.name": "log", - "host.name": "vitaedi1318.corp", - "input.type": "log", - "log.offset": 1590, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "vitaedi1318.corp" - ], - "related.user": [ - "temqu" - ], - "rsa.db.index": "colab", - "rsa.internal.messageid": "SystemSettings", - "rsa.network.alias_host": [ - "vitaedi1318.corp" - ], - "rsa.time.day": "24", - "rsa.time.month": "Apr", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ], - "user.name": 
"temqu" - }, - { - "event.code": "SystemSettings", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "May 8 07:27:59 nimid: itatione1916.www.host: oluptate@issus, Analysis & Reporting > osamn", - "file.name": "nimid", - "fileset.name": "log", - "host.name": "itatione1916.www.host", - "input.type": "log", - "log.offset": 1658, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "itatione1916.www.host" - ], - "related.user": [ - "oluptate" - ], - "rsa.db.index": "osamn", - "rsa.internal.messageid": "SystemSettings", - "rsa.misc.category": "Analysis & Reporting", - "rsa.network.alias_host": [ - "itatione1916.www.host" - ], - "rsa.time.day": "8", - "rsa.time.month": "May", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ], - "user.name": "oluptate" - }, - { - "destination.geo.country_name": "eeufugia", - "destination.ip": "10.157.18.252", - "destination.port": 5300, - "event.code": "5979", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "May 22 14:30:33 its7829.localhost datatno: [siutali:5979:1.4418] usmodte [Impact: failure] From esciuntN/idunt at ptasnu May 22 14:30:33 2016 UTC [Classification: rQu] [Priority: oremeu ]:alert {ipv6} 10.110.31.190 -> 10.157.18.252:5300 (eeufugia)", - "fileset.name": "log", - "host.name": "its7829.localhost", - "input.type": "log", - "log.level": "oremeu", - "log.offset": 1748, - "network.protocol": "ipv6", - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "observer.version": "1.4418", - "related.hosts": [ - "its7829.localhost" - ], - "related.ip": [ - "10.110.31.190", - "10.157.18.252" - ], - "rsa.crypto.sig_type": "rQu", - "rsa.internal.messageid": "5979", - "rsa.misc.context": "usmodte", - "rsa.misc.event_log": "datatno", - "rsa.misc.group_object": "esciuntN", - "rsa.misc.policy_name": "usmodte", - "rsa.misc.result": "failure", - "rsa.misc.sensor": "idunt", - 
"rsa.misc.severity": "oremeu", - "rsa.misc.sig_id": 5979, - "rsa.misc.version": "1.4418", - "rsa.network.alias_host": [ - "its7829.localhost" - ], - "rsa.threat.threat_desc": "oremeu", - "rsa.time.day": "22", - "rsa.time.event_time_str": "May 22 14:30:33 2016 UTC", - "rsa.time.month": "May", - "service.type": "snort", - "source.ip": "10.110.31.190", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.action": "niamq", - "event.code": "HMNOTIFY", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Jun 5 21:33:08 aec3673.internal.host ccaeca: HMNOTIFY: niamq (Sensor lapariat): Severity:medium: failure", - "fileset.name": "log", - "host.name": "aec3673.internal.host", - "input.type": "log", - "log.level": "medium", - "log.offset": 1996, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "aec3673.internal.host" - ], - "rsa.internal.messageid": "HMNOTIFY", - "rsa.misc.event_type": "niamq", - "rsa.misc.result": "failure", - "rsa.misc.sensor": "lapariat", - "rsa.misc.severity": "medium", - "rsa.time.day": "5", - "rsa.time.month": "Jun", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.code": "SystemSettings", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Jun 20 04:35:42 admin: stenatu inibu2292.www.invalid: isetquas@ute, Login, Login Success", - "event.outcome": "success", - "file.name": "admin", - "fileset.name": "log", - "host.name": "inibu2292.www.invalid", - "input.type": "log", - "log.offset": 2101, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "inibu2292.www.invalid" - ], - "related.user": [ - "isetquas" - ], - "rsa.internal.messageid": "SystemSettings", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - 
"rsa.network.alias_host": [ - "inibu2292.www.invalid" - ], - "rsa.time.day": "20", - "rsa.time.month": "Jun", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ], - "user.name": "isetquas" - }, - { - "event.action": "ercit", - "event.code": "HMNOTIFY", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Jul 4 11:38:16 ori1241.www.corp : HMNOTIFY: ercit (Sensor eporroq): Severity:very-high: failure", - "fileset.name": "log", - "host.name": "ori1241.www.corp", - "input.type": "log", - "log.level": "very-high", - "log.offset": 2190, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "ori1241.www.corp" - ], - "rsa.internal.messageid": "HMNOTIFY", - "rsa.misc.event_type": "ercit", - "rsa.misc.result": "failure", - "rsa.misc.sensor": "eporroq", - "rsa.misc.severity": "very-high", - "rsa.time.day": "4", - "rsa.time.month": "Jul", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.code": "SystemSettings", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Jul 18 18:40:50 atuse: ueipsa748.localdomain: aparia@tatnon, Heartbeat, leumiur", - "file.name": "atuse", - "fileset.name": "log", - "host.name": "ueipsa748.localdomain", - "input.type": "log", - "log.offset": 2286, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "ueipsa748.localdomain" - ], - "related.user": [ - "aparia" - ], - "rsa.db.index": "leumiur", - "rsa.internal.messageid": "SystemSettings", - "rsa.misc.category": "Heartbeat", - "rsa.network.alias_host": [ - "ueipsa748.localdomain" - ], - "rsa.time.day": "18", - "rsa.time.month": "Jul", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ], - "user.name": "aparia" - }, - { - "event.action": "dolorem", - "event.code": "HMNOTIFY", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Aug 2 
01:43:25 oluptat548.www5.invalid edolorin: HMNOTIFY: dolorem (Sensor tem): Severity:very-high: failure", - "fileset.name": "log", - "host.name": "oluptat548.www5.invalid", - "input.type": "log", - "log.level": "very-high", - "log.offset": 2366, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "oluptat548.www5.invalid" - ], - "rsa.internal.messageid": "HMNOTIFY", - "rsa.misc.event_type": "dolorem", - "rsa.misc.result": "failure", - "rsa.misc.sensor": "tem", - "rsa.misc.severity": "very-high", - "rsa.time.day": "2", - "rsa.time.month": "Aug", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.code": "SystemSettings", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Aug 16 08:45:59 imadmi: isnis loremag6816.www5.lan: inrepreh@quovo, System > urExcep", - "file.name": "imadmi", - "fileset.name": "log", - "host.name": "loremag6816.www5.lan", - "input.type": "log", - "log.offset": 2475, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "loremag6816.www5.lan" - ], - "related.user": [ - "inrepreh" - ], - "rsa.db.index": "urExcep", - "rsa.internal.messageid": "SystemSettings", - "rsa.misc.category": "System", - "rsa.network.alias_host": [ - "loremag6816.www5.lan" - ], - "rsa.time.day": "16", - "rsa.time.month": "Aug", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ], - "user.name": "inrepreh" - }, - { - "event.action": "occaec", - "event.code": "HMNOTIFY", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Aug 30 15:48:33 tionemu5269.internal.localhost : HMNOTIFY: occaec (Sensor acommodi): Severity:medium: failure", - "fileset.name": "log", - "host.name": "tionemu5269.internal.localhost", - "input.type": "log", - "log.level": "medium", - "log.offset": 2560, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", 
- "related.hosts": [ - "tionemu5269.internal.localhost" - ], - "rsa.internal.messageid": "HMNOTIFY", - "rsa.misc.event_type": "occaec", - "rsa.misc.result": "failure", - "rsa.misc.sensor": "acommodi", - "rsa.misc.severity": "medium", - "rsa.time.day": "30", - "rsa.time.month": "Aug", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.code": "SystemSettings", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Sep 13 22:51:07 isiutali: lumqu onulamco7734.www.local: uptat@unt, Analysis & Reporting , tass", - "file.name": "isiutali", - "fileset.name": "log", - "host.name": "onulamco7734.www.local", - "input.type": "log", - "log.offset": 2670, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "onulamco7734.www.local" - ], - "related.user": [ - "uptat" - ], - "rsa.db.index": "tass", - "rsa.internal.messageid": "SystemSettings", - "rsa.misc.category": "Analysis & Reporting", - "rsa.network.alias_host": [ - "onulamco7734.www.local" - ], - "rsa.time.day": "13", - "rsa.time.month": "Sep", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ], - "user.name": "uptat" - }, - { - "event.action": "block,AccessControlRuleName:tnul,AccessControlRuleReason:success,ApplicationProtocol:rdp,Client:ess,ConnectType:quiad,DE:ihilmole,DNSResponseType:saquaea,DstIP:10.80.151.37,DstPort:535,ICMPCode:modico,ICMPType:metco,InitiatorBytes:410,InitiatorPackets:porinc,NAPPolicy:riame,Policy:riat,ResponderBytes:181,ResponderPackets:rumSec,Sinkhole:orp,SrcIP:10.213.109.180,SrcPort:6536,TCPFlags:essequam,URLCategory:ueporro,URLReputation:84.488000,UserName:etcon,ClientVersion:1.4438,WebApplication:orum,OriginalClientIP: Bonoru,IngressInterface: lo5284,EgressInterface: enp0s73,IngressZone: emacc,EgressZone: emp,Prefilter Policy: lamcola,UserAgent: Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML", - "event.code": "NGIPS_events", - 
"event.dataset": "snort.log", - "event.module": "snort", - "event.original": "2016-9-28T05:53:42Z luptatem3834.lan edq %NGIPS-medium-tise:AccessControlRuleAction:block,AccessControlRuleName:tnul,AccessControlRuleReason:success,ApplicationProtocol:rdp,Client:ess,ConnectType:quiad,DE:ihilmole,DNSResponseType:saquaea,DstIP:10.80.151.37,DstPort:535,ICMPCode:modico,ICMPType:metco,InitiatorBytes:410,InitiatorPackets:porinc,NAPPolicy:riame,Policy:riat,ResponderBytes:181,ResponderPackets:rumSec,Sinkhole:orp,SrcIP:10.213.109.180,SrcPort:6536,TCPFlags:essequam,URLCategory:ueporro,URLReputation:84.488000,UserName:etcon,ClientVersion:1.4438,WebApplication:orum,OriginalClientIP: Bonoru,IngressInterface: lo5284,EgressInterface: enp0s73,IngressZone: emacc,EgressZone: emp,Prefilter Policy: lamcola,UserAgent: Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36,ReferencedHost: ipiscive,URL: https://www.example.org/etdolor/uat.gif?mmod=iti#nimadm,HTTPResponse: nculp,HTTPReferer: asp,IPReputationSICategory: eacom,DNS_TTL: mag,DNSRecordType: gelitse,DNSQuery: oremqu,GID: idex,SID: radip,Revision: upta,Message: tetura,Classification: rumet,User: uptasnul,Priority: antiumdo, ACPolicy: ecill, ConnectionDuration: 56.481000,Protocol: ipv6,VLAN_ID: 3302,IPSCount: 6436,InlineResult: allow, DNSSICategory: nostrud, URLSICategory: cteturad", - "fileset.name": "log", - "host.name": "luptatem3834.lan", - "input.type": "log", - "log.level": "medium", - "log.offset": 2765, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "luptatem3834.lan" - ], - "rsa.counters.dclass_c1_str": " The number of intrusion events", - "rsa.internal.messageid": "NGIPS_events", - "rsa.internal.msg_id": "tise", - "rsa.misc.action": [ - 
"block,AccessControlRuleName:tnul,AccessControlRuleReason:success,ApplicationProtocol:rdp,Client:ess,ConnectType:quiad,DE:ihilmole,DNSResponseType:saquaea,DstIP:10.80.151.37,DstPort:535,ICMPCode:modico,ICMPType:metco,InitiatorBytes:410,InitiatorPackets:porinc,NAPPolicy:riame,Policy:riat,ResponderBytes:181,ResponderPackets:rumSec,Sinkhole:orp,SrcIP:10.213.109.180,SrcPort:6536,TCPFlags:essequam,URLCategory:ueporro,URLReputation:84.488000,UserName:etcon,ClientVersion:1.4438,WebApplication:orum,OriginalClientIP: Bonoru,IngressInterface: lo5284,EgressInterface: enp0s73,IngressZone: emacc,EgressZone: emp,Prefilter Policy: lamcola,UserAgent: Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML" - ], - "rsa.misc.category": "cteturad", - "rsa.misc.severity": "medium", - "rsa.network.alias_host": [ - "luptatem3834.lan" - ], - "rsa.time.day": "28", - "rsa.time.duration_time": 56.481, - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.code": "FTD_events", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Oct 12 2016 12:56:16 exercita2068.api.invalid %FTD-veleumi-nsequatu:CLOCK: System clock set, source: nula, IP: 10.169.84.140, before: santi, after: ritati", - "fileset.name": "log", - "host.ip": "10.169.84.140", - "host.name": "exercita2068.api.invalid", - "input.type": "log", - "log.offset": 4085, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "exercita2068.api.invalid", - "nula" - ], - "related.ip": [ - "10.169.84.140" - ], - "rsa.internal.messageid": "FTD_events", - "rsa.internal.msg_id": "nsequatu", - "rsa.misc.change_attrib": "Time", - "rsa.misc.change_new": "ritati", - "rsa.misc.change_old": "santi", - "rsa.misc.event_source": "nula", - "rsa.network.alias_host": [ - "exercita2068.api.invalid" - ], - "rsa.time.day": "12", - "rsa.time.month": "Oct", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - 
"event.code": "FTD_events", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Oct 26 2016 19:58:50 orumS757.www5.corp: %FTD-eursint-orio:CLOCK: System clock set, source: gna, IP: 10.130.231.129, before: olu, after: iameaque", - "fileset.name": "log", - "host.ip": "10.130.231.129", - "host.name": "orumS757.www5.corp", - "input.type": "log", - "log.offset": 4240, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "gna", - "orumS757.www5.corp" - ], - "related.ip": [ - "10.130.231.129" - ], - "rsa.internal.messageid": "FTD_events", - "rsa.internal.msg_id": "orio", - "rsa.misc.change_attrib": "Time", - "rsa.misc.change_new": "iameaque", - "rsa.misc.change_old": "olu", - "rsa.misc.event_source": "gna", - "rsa.network.alias_host": [ - "orumS757.www5.corp" - ], - "rsa.time.day": "26", - "rsa.time.month": "Oct", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.action": "allow,AccessControlRuleName:tes,AccessControlRuleReason:unknown,ApplicationProtocol:rdp,Client:isi,ConnectType:iaecon,DE:aevitaed,DNSResponseType:byCic,DstIP:10.62.8.123,DstPort:5725,ICMPCode:siarc,ICMPType:fdeFin,InitiatorBytes:4053,InitiatorPackets:tobeata,NAPPolicy:nesciun,Policy:amcolab,ResponderBytes:4306,ResponderPackets:isnisiut,Sinkhole:atatnon,SrcIP:10.143.37.32,SrcPort:209,TCPFlags:uisnos,URLCategory:olores,URLReputation:174.651000,UserName:epo,ClientVersion:1.745,WebApplication:borisnis,OriginalClientIP: onorumet,IngressInterface: enp0s6017,EgressInterface: enp0s2440,IngressZone: ipsumq,EgressZone: evit,Prefilter Policy: tno,UserAgent: Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10,ReferencedHost: psumq,URL: https://internal.example.com/atu/teturad.htm?msequ=nvol#enimadmi,HTTPResponse: tateveli,HTTPReferer: osa,IPReputationSICategory: mini,DNS_TTL: rors,DNSRecordType: 
ssusci,DNSQuery: ames,GID: inimve,SID: uio,Revision: mexercit,Message: byC,Classification: uae,User: oremip,Priority: its", - "event.code": "NGIPS_events", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "2016-11-10T03:01:24Z sedquian4212.www5.domain magnaa %NGIPS-medium-eca:AccessControlRuleAction:allow,AccessControlRuleName:tes,AccessControlRuleReason:unknown,ApplicationProtocol:rdp,Client:isi,ConnectType:iaecon,DE:aevitaed,DNSResponseType:byCic,DstIP:10.62.8.123,DstPort:5725,ICMPCode:siarc,ICMPType:fdeFin,InitiatorBytes:4053,InitiatorPackets:tobeata,NAPPolicy:nesciun,Policy:amcolab,ResponderBytes:4306,ResponderPackets:isnisiut,Sinkhole:atatnon,SrcIP:10.143.37.32,SrcPort:209,TCPFlags:uisnos,URLCategory:olores,URLReputation:174.651000,UserName:epo,ClientVersion:1.745,WebApplication:borisnis,OriginalClientIP: onorumet,IngressInterface: enp0s6017,EgressInterface: enp0s2440,IngressZone: ipsumq,EgressZone: evit,Prefilter Policy: tno,UserAgent: Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10,ReferencedHost: psumq,URL: https://internal.example.com/atu/teturad.htm?msequ=nvol#enimadmi,HTTPResponse: tateveli,HTTPReferer: osa,IPReputationSICategory: mini,DNS_TTL: rors,DNSRecordType: ssusci,DNSQuery: ames,GID: inimve,SID: uio,Revision: mexercit,Message: byC,Classification: uae,User: oremip,Priority: its, ACPolicy: uptasnul, ConnectionDuration: 115.011000,Protocol: rdp,VLAN_ID: 7541,IPSCount: 239,InlineResult: deny, DNSSICategory: nse, URLSICategory: miurere", - "fileset.name": "log", - "host.name": "sedquian4212.www5.domain", - "input.type": "log", - "log.level": "medium", - "log.offset": 4386, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "sedquian4212.www5.domain" - ], - "rsa.counters.dclass_c1_str": " The number of intrusion events", - "rsa.internal.messageid": "NGIPS_events", - 
"rsa.internal.msg_id": "eca", - "rsa.misc.action": [ - "allow,AccessControlRuleName:tes,AccessControlRuleReason:unknown,ApplicationProtocol:rdp,Client:isi,ConnectType:iaecon,DE:aevitaed,DNSResponseType:byCic,DstIP:10.62.8.123,DstPort:5725,ICMPCode:siarc,ICMPType:fdeFin,InitiatorBytes:4053,InitiatorPackets:tobeata,NAPPolicy:nesciun,Policy:amcolab,ResponderBytes:4306,ResponderPackets:isnisiut,Sinkhole:atatnon,SrcIP:10.143.37.32,SrcPort:209,TCPFlags:uisnos,URLCategory:olores,URLReputation:174.651000,UserName:epo,ClientVersion:1.745,WebApplication:borisnis,OriginalClientIP: onorumet,IngressInterface: enp0s6017,EgressInterface: enp0s2440,IngressZone: ipsumq,EgressZone: evit,Prefilter Policy: tno,UserAgent: Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10,ReferencedHost: psumq,URL: https://internal.example.com/atu/teturad.htm?msequ=nvol#enimadmi,HTTPResponse: tateveli,HTTPReferer: osa,IPReputationSICategory: mini,DNS_TTL: rors,DNSRecordType: ssusci,DNSQuery: ames,GID: inimve,SID: uio,Revision: mexercit,Message: byC,Classification: uae,User: oremip,Priority: its" - ], - "rsa.misc.category": "miurere", - "rsa.misc.severity": "medium", - "rsa.network.alias_host": [ - "sedquian4212.www5.domain" - ], - "rsa.time.day": "10", - "rsa.time.duration_time": 115.011, - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.code": "SystemSettings", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Nov 24 10:03:59 ntor: oinBCSed3444.api.local: smodtem@roquisqu, Logout, Logout Success", - "event.outcome": "success", - "file.name": "ntor", - "fileset.name": "log", - "host.name": "oinBCSed3444.api.local", - "input.type": "log", - "log.offset": 5754, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "oinBCSed3444.api.local" - ], - "related.user": [ - "smodtem" - ], - 
"rsa.internal.messageid": "SystemSettings", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.network.alias_host": [ - "oinBCSed3444.api.local" - ], - "rsa.time.day": "24", - "rsa.time.month": "Nov", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ], - "user.name": "smodtem" - }, - { - "destination.ip": "10.9.200.197", - "event.code": "27813", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Dec 8 17:06:33 apari5002.api.test orum: [nsequat:27813:1.6724] auto [Impact: failure] From sci at periam Dec 8 17:06:33 2016 UTC [Classification: fugiatnu] [Priority: dolor ]: {icmp} 10.182.213.195:7119 (tur) -> 10.9.200.197", - "fileset.name": "log", - "host.name": "apari5002.api.test", - "input.type": "log", - "log.level": "dolor", - "log.offset": 5841, - "network.protocol": "icmp", - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "observer.version": "1.6724", - "related.hosts": [ - "apari5002.api.test" - ], - "related.ip": [ - "10.182.213.195", - "10.9.200.197" - ], - "rsa.crypto.sig_type": "fugiatnu", - "rsa.internal.messageid": "27813", - "rsa.misc.context": "auto", - "rsa.misc.event_log": "orum", - "rsa.misc.policy_name": "auto", - "rsa.misc.result": "failure", - "rsa.misc.sensor": "sci", - "rsa.misc.severity": "dolor", - "rsa.misc.sig_id": 27813, - "rsa.misc.version": "1.6724", - "rsa.network.alias_host": [ - "apari5002.api.test" - ], - "rsa.threat.threat_desc": "dolor", - "rsa.time.day": "8", - "rsa.time.event_time_str": "Dec 8 17:06:33 2016 UTC", - "rsa.time.month": "Dec", - "service.type": "snort", - "source.geo.country_name": "tur", - "source.ip": "10.182.213.195", - "source.port": 7119, - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "destination.bytes": 3813, - "destination.ip": "10.111.33.70", - "destination.port": 3758, - 
"event.action": "allow", - "event.code": "NGIPS_events", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "2016-12-23T00:09:07Z audant3412.www.local remeum %NGIPS-medium-animi:AccessControlRuleAction:allow, AccessControlRuleReason:failure, SrcIP:10.210.180.142, DstIP:10.111.33.70, SrcPort:3015, DstPort:3758, Protocol: ggp, IngressInterface: enp0s6049, IngressZone:amcolabo, ACPolicy:orsitvol, AccessControlRuleName:eriam, Prefilter Policy:anonn, User:utpers, Client:num, ApplicationProtocol:tcp, InitiatorPackets:iaturE, ResponderPackets:epor, InitiatorBytes:3465, ResponderBytes:3813, NAPPolicy:amnih, DNSQuery:tper4341.lan, DNSRecordType: a host address, DNSSICategory:nulamc", - "fileset.name": "log", - "host.name": "tper4341.lan", - "input.type": "log", - "log.level": "medium", - "log.offset": 6066, - "network.application": "num", - "network.protocol": "tcp", - "observer.egress.interface.name": "enp0s6049", - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "tper4341.lan" - ], - "related.ip": [ - "10.111.33.70", - "10.210.180.142" - ], - "rsa.internal.messageid": "NGIPS_events", - "rsa.internal.msg_id": "animi", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "nulamc", - "rsa.misc.policy_name": "amnih", - "rsa.misc.result": "failure", - "rsa.misc.rule_name": "eriam", - "rsa.misc.severity": "medium", - "rsa.network.alias_host": [ - "tper4341.lan" - ], - "rsa.network.dinterface": "enp0s6049", - "rsa.network.zone_dst": "amcolabo", - "rsa.time.day": "23", - "rule.name": "eriam", - "service.type": "snort", - "source.bytes": 3465, - "source.ip": "10.210.180.142", - "source.port": 3015, - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.action": "lapari", - "event.code": "HMNOTIFY", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Jan 6 07:11:41 antiu3533.internal.domain iatquovo: HMNOTIFY: lapari (Sensor Mal): Severity:medium: 
success", - "fileset.name": "log", - "host.name": "antiu3533.internal.domain", - "input.type": "log", - "log.level": "medium", - "log.offset": 6639, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "antiu3533.internal.domain" - ], - "rsa.internal.messageid": "HMNOTIFY", - "rsa.misc.event_type": "lapari", - "rsa.misc.result": "success", - "rsa.misc.sensor": "Mal", - "rsa.misc.severity": "medium", - "rsa.time.day": "6", - "rsa.time.month": "Jan", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "destination.ip": "10.222.183.123", - "event.code": "MALWARE", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Jan 20 14:14:16 cidu921.internal.lan quamq: Sha256:usan Disposition: Malware Threat name: tdolo IP Addresses: 10.222.183.123<<-10.165.33.19", - "fileset.name": "log", - "host.name": "cidu921.internal.lan", - "input.type": "log", - "log.offset": 6746, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "cidu921.internal.lan" - ], - "related.ip": [ - "10.165.33.19", - "10.222.183.123" - ], - "rsa.internal.messageid": "MALWARE", - "rsa.misc.checksum": "usan", - "rsa.misc.disposition": "Malware", - "rsa.network.alias_host": [ - "cidu921.internal.lan" - ], - "rsa.threat.threat_category": "tdolo", - "rsa.time.day": "20", - "rsa.time.month": "Jan", - "service.type": "snort", - "source.ip": "10.165.33.19", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "destination.ip": "10.238.223.171", - "event.code": "16539", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Feb 3 21:16:50 unturmag6190.api.lan remeum: [etur:16539:1.890] \"Quisa\" [Impact: unknown] From dolo at modoco Feb 3 21:16:50 2017 UTC [Classification: Finibus] [Priority: uisautei]: {rdp} 10.52.190.18:4411 -> 10.238.223.171", - "fileset.name": "log", - "host.name": "unturmag6190.api.lan", - 
"input.type": "log", - "log.level": "uisautei", - "log.offset": 6886, - "network.protocol": "rdp", - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "observer.version": "1.890", - "related.hosts": [ - "unturmag6190.api.lan" - ], - "related.ip": [ - "10.238.223.171", - "10.52.190.18" - ], - "rsa.crypto.sig_type": "Finibus", - "rsa.internal.messageid": "16539", - "rsa.misc.context": "Quisa", - "rsa.misc.event_log": "remeum", - "rsa.misc.policy_name": "Quisa", - "rsa.misc.result": "unknown", - "rsa.misc.sensor": "dolo", - "rsa.misc.severity": "uisautei", - "rsa.misc.sig_id": 16539, - "rsa.misc.version": "1.890", - "rsa.network.alias_host": [ - "unturmag6190.api.lan" - ], - "rsa.threat.threat_desc": "uisautei", - "rsa.time.day": "3", - "rsa.time.event_time_str": "Feb 3 21:16:50 2017 UTC", - "rsa.time.month": "Feb", - "service.type": "snort", - "source.ip": "10.52.190.18", - "source.port": 4411, - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "destination.ip": "10.160.178.109", - "destination.port": 1934, - "event.code": "26992", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Feb 18 04:19:24 conseq6079.www.corp tiu: [wri:26992:1.3902] asper [Impact: unknown] From orem/inibus at secte Feb 18 04:19:24 2017 UTC [Classification: ctobeat] [Priority: onsec ]: {udp} 10.68.233.163 -> 10.160.178.109:1934", - "fileset.name": "log", - "host.name": "conseq6079.www.corp", - "input.type": "log", - "log.level": "onsec", - "log.offset": 7109, - "network.protocol": "udp", - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "observer.version": "1.3902", - "related.hosts": [ - "conseq6079.www.corp" - ], - "related.ip": [ - "10.160.178.109", - "10.68.233.163" - ], - "rsa.crypto.sig_type": "ctobeat", - "rsa.internal.messageid": "26992", - "rsa.misc.context": "asper", - "rsa.misc.event_log": "tiu", - "rsa.misc.group_object": "orem", - "rsa.misc.policy_name": "asper", - 
"rsa.misc.result": "unknown", - "rsa.misc.sensor": "inibus", - "rsa.misc.severity": "onsec", - "rsa.misc.sig_id": 26992, - "rsa.misc.version": "1.3902", - "rsa.network.alias_host": [ - "conseq6079.www.corp" - ], - "rsa.threat.threat_desc": "onsec", - "rsa.time.day": "18", - "rsa.time.event_time_str": "Feb 18 04:19:24 2017 UTC", - "rsa.time.month": "Feb", - "service.type": "snort", - "source.ip": "10.68.233.163", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.code": "FTD_events", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Mar 4 2017 11:21:59 tvol3402.www.local %FTD-ollita-qua:CLOCK: System clock set, source: ionula, IP: 10.162.109.83, before: nderi, after: tem", - "fileset.name": "log", - "host.ip": "10.162.109.83", - "host.name": "tvol3402.www.local", - "input.type": "log", - "log.offset": 7333, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "ionula", - "tvol3402.www.local" - ], - "related.ip": [ - "10.162.109.83" - ], - "rsa.internal.messageid": "FTD_events", - "rsa.internal.msg_id": "qua", - "rsa.misc.change_attrib": "Time", - "rsa.misc.change_new": "tem", - "rsa.misc.change_old": "nderi", - "rsa.misc.event_source": "ionula", - "rsa.network.alias_host": [ - "tvol3402.www.local" - ], - "rsa.time.day": "4", - "rsa.time.month": "Mar", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.code": "FTD_events", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Mar 18 2017 18:24:33 xcep3783.internal.localhost %FTD-ercitati-atem:User 'serro' executed the 'lumquid' command.", - "fileset.name": "log", - "host.name": "xcep3783.internal.localhost", - "input.type": "log", - "log.offset": 7474, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "xcep3783.internal.localhost" - ], - "related.user": [ - "serro" - ], - "rsa.internal.messageid": 
"FTD_events", - "rsa.internal.msg_id": "atem", - "rsa.network.alias_host": [ - "xcep3783.internal.localhost" - ], - "rsa.time.day": "18", - "rsa.time.month": "Mar", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ], - "user.name": "serro" - }, - { - "event.action": "riaturEx", - "event.code": "HMNOTIFY", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Apr 2 01:27:07 ciatisun7378.www5.invalid didun: HMNOTIFY: riaturEx (Sensor nde): Severity:low: unknown", - "fileset.name": "log", - "host.name": "ciatisun7378.www5.invalid", - "input.type": "log", - "log.level": "low", - "log.offset": 7587, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "ciatisun7378.www5.invalid" - ], - "rsa.internal.messageid": "HMNOTIFY", - "rsa.misc.event_type": "riaturEx", - "rsa.misc.result": "unknown", - "rsa.misc.sensor": "nde", - "rsa.misc.severity": "low", - "rsa.time.day": "2", - "rsa.time.month": "Apr", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "destination.ip": "10.213.100.153", - "event.code": "11634", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Apr 16 08:29:41 iqu4858.mail.invalid audant: [obeata:11634:1.6627] \"minimve\" [Impact: unknown] From \"toditau/uiad\" at nvolupta Apr 16 08:29:41 2017 UTC [Classification: exercit] [Priority: dexer ]:alert {igmp} 10.116.175.84 -> 10.213.100.153", - "fileset.name": "log", - "host.name": "iqu4858.mail.invalid", - "input.type": "log", - "log.level": "dexer", - "log.offset": 7690, - "network.protocol": "igmp", - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "observer.version": "1.6627", - "related.hosts": [ - "iqu4858.mail.invalid" - ], - "related.ip": [ - "10.116.175.84", - "10.213.100.153" - ], - "rsa.crypto.sig_type": "exercit", - "rsa.internal.messageid": "11634", - "rsa.misc.context": "minimve", - 
"rsa.misc.event_log": "audant", - "rsa.misc.group_object": "toditau", - "rsa.misc.policy_name": "minimve", - "rsa.misc.result": "unknown", - "rsa.misc.sensor": "uiad", - "rsa.misc.severity": "dexer", - "rsa.misc.sig_id": 11634, - "rsa.misc.version": "1.6627", - "rsa.network.alias_host": [ - "iqu4858.mail.invalid" - ], - "rsa.threat.threat_desc": "dexer", - "rsa.time.day": "16", - "rsa.time.event_time_str": "Apr 16 08:29:41 2017 UTC", - "rsa.time.month": "Apr", - "service.type": "snort", - "source.ip": "10.116.175.84", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.code": "SystemSettings", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Apr 30 15:32:16 lumqui: ectet ionu3320.api.localhost: estq@quasiarc, Command Line,aliquaU", - "file.name": "lumqui", - "fileset.name": "log", - "host.name": "ionu3320.api.localhost", - "input.type": "log", - "log.offset": 7932, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "ionu3320.api.localhost" - ], - "related.user": [ - "estq" - ], - "rsa.db.index": "aliquaU", - "rsa.internal.messageid": "SystemSettings", - "rsa.network.alias_host": [ - "ionu3320.api.localhost" - ], - "rsa.time.day": "30", - "rsa.time.month": "Apr", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ], - "user.name": "estq" - }, - { - "event.code": "SystemSettings", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "May 14 22:34:50 tvolu: imve ollitan5079.www.lan: deriti@edictasu, Health > eturadi", - "file.name": "tvolu", - "fileset.name": "log", - "host.name": "ollitan5079.www.lan", - "input.type": "log", - "log.offset": 8022, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "ollitan5079.www.lan" - ], - "related.user": [ - "deriti" - ], - "rsa.db.index": "eturadi", - "rsa.internal.messageid": "SystemSettings", - "rsa.misc.category": "Health", - 
"rsa.network.alias_host": [ - "ollitan5079.www.lan" - ], - "rsa.time.day": "14", - "rsa.time.month": "May", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ], - "user.name": "deriti" - }, - { - "event.action": "block,AccessControlRuleName:iatn,AccessControlRuleReason:unknown,ApplicationProtocol:igmp,Client:eli,ConnectType:rissusci,DE:ectetur,DNSResponseType:dictasun,DstIP:10.26.95.225,DstPort:4196,FileCount:3674,ICMPCode:oluptate,ICMPType:ntut,InitiatorBytes:5153,InitiatorPackets:scipit,NAPPolicy:litess,Policy:tore,ResponderBytes:5269,ResponderPackets:quunturm,Sinkhole:quovo,SrcIP:10.143.219.250,SrcPort:1444,TCPFlags:conse,URLCategory:aturve,URLReputation:8.942000,UserName:fdeFin,ClientVersion:1.2871,WebApplication:psu,OriginalClientIP: strud,IngressInterface: eth6386,EgressInterface: lo7421,IngressZone: ratv,EgressZone: veni,Prefilter Policy: metM,UserAgent: Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML", - "event.code": "connection_events", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "May 29 05:37:24 nihilmol1849.api.local eporroq: Protocol: tcp, AccessControlRuleAction:block,AccessControlRuleName:iatn,AccessControlRuleReason:unknown,ApplicationProtocol:igmp,Client:eli,ConnectType:rissusci,DE:ectetur,DNSResponseType:dictasun,DstIP:10.26.95.225,DstPort:4196,FileCount:3674,ICMPCode:oluptate,ICMPType:ntut,InitiatorBytes:5153,InitiatorPackets:scipit,NAPPolicy:litess,Policy:tore,ResponderBytes:5269,ResponderPackets:quunturm,Sinkhole:quovo,SrcIP:10.143.219.250,SrcPort:1444,TCPFlags:conse,URLCategory:aturve,URLReputation:8.942000,UserName:fdeFin,ClientVersion:1.2871,WebApplication:psu,OriginalClientIP: strud,IngressInterface: eth6386,EgressInterface: lo7421,IngressZone: ratv,EgressZone: veni,Prefilter Policy: metM,UserAgent: Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed 
[FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0],ReferencedHost: tate,URL: https://internal.example.com/uun/amrem.gif?umq=ita#ipsaquae,HTTPResponse: olu,HTTPReferer: exerci,IPReputationSICategory: isnostru,DNS_TTL: iad,DNSRecordType: ngelits,DNSQuery: volupt,GID: billoi,SID: 38352,Revision: utaliqui,Message: uov,Classification: pariat,User: icaboNe,Priority: boreetd, ACPolicy: uir", - "fileset.name": "log", - "host.name": "nihilmol1849.api.local", - "input.type": "log", - "log.offset": 8105, - "network.protocol": "tcp", - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "nihilmol1849.api.local" - ], - "rsa.counters.dclass_c1_str": "Number of Files", - "rsa.internal.messageid": "connection_events", - "rsa.misc.action": [ - "block,AccessControlRuleName:iatn,AccessControlRuleReason:unknown,ApplicationProtocol:igmp,Client:eli,ConnectType:rissusci,DE:ectetur,DNSResponseType:dictasun,DstIP:10.26.95.225,DstPort:4196,FileCount:3674,ICMPCode:oluptate,ICMPType:ntut,InitiatorBytes:5153,InitiatorPackets:scipit,NAPPolicy:litess,Policy:tore,ResponderBytes:5269,ResponderPackets:quunturm,Sinkhole:quovo,SrcIP:10.143.219.250,SrcPort:1444,TCPFlags:conse,URLCategory:aturve,URLReputation:8.942000,UserName:fdeFin,ClientVersion:1.2871,WebApplication:psu,OriginalClientIP: strud,IngressInterface: eth6386,EgressInterface: lo7421,IngressZone: ratv,EgressZone: veni,Prefilter Policy: metM,UserAgent: Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML" - ], - "rsa.network.alias_host": [ - "nihilmol1849.api.local" - ], - "rsa.time.day": "29", - "rsa.time.month": "May", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.code": "SystemSettings", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Jun 12 12:39:58 ipsu: [oremip] ota4562.local: 
epteurs@itse, Task Queue, rever", - "file.name": "ipsu", - "fileset.name": "log", - "host.name": "ota4562.local", - "input.type": "log", - "log.offset": 9464, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "ota4562.local" - ], - "related.user": [ - "epteurs" - ], - "rsa.db.index": "rever", - "rsa.internal.messageid": "SystemSettings", - "rsa.misc.category": "Task Queue", - "rsa.network.alias_host": [ - "ota4562.local" - ], - "rsa.time.day": "12", - "rsa.time.month": "Jun", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ], - "user.name": "epteurs" - }, - { - "event.code": "SystemSettings", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Jun 26 19:42:33 eiu: [maliquam] gnama5033.www5.home: ction@emveleum, Object > siuta", - "file.name": "eiu", - "fileset.name": "log", - "host.name": "gnama5033.www5.home", - "input.type": "log", - "log.offset": 9542, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "gnama5033.www5.home" - ], - "related.user": [ - "ction" - ], - "rsa.db.index": "siuta", - "rsa.internal.messageid": "SystemSettings", - "rsa.network.alias_host": [ - "gnama5033.www5.home" - ], - "rsa.time.day": "26", - "rsa.time.month": "Jun", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ], - "user.name": "ction" - }, - { - "event.action": "doe", - "event.code": "HMNOTIFY", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Jul 11 02:45:07 sum6106.www.home ulamc: HMNOTIFY: doe (Sensor eiusm): Severity:very-high: failure", - "fileset.name": "log", - "host.name": "sum6106.www.home", - "input.type": "log", - "log.level": "very-high", - "log.offset": 9626, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "sum6106.www.home" - ], - "rsa.internal.messageid": "HMNOTIFY", - "rsa.misc.event_type": 
"doe", - "rsa.misc.result": "failure", - "rsa.misc.sensor": "eiusm", - "rsa.misc.severity": "very-high", - "rsa.time.day": "11", - "rsa.time.month": "Jul", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.code": "SystemSettings", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Jul 25 09:47:41 ugiatn: squa2763.www.lan: trude@snulap, Task Queue, onsequat", - "file.name": "ugiatn", - "fileset.name": "log", - "host.name": "squa2763.www.lan", - "input.type": "log", - "log.offset": 9724, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "squa2763.www.lan" - ], - "related.user": [ - "trude" - ], - "rsa.db.index": "onsequat", - "rsa.internal.messageid": "SystemSettings", - "rsa.misc.category": "Task Queue", - "rsa.network.alias_host": [ - "squa2763.www.lan" - ], - "rsa.time.day": "25", - "rsa.time.month": "Jul", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ], - "user.name": "trude" - }, - { - "destination.bytes": 4902, - "destination.ip": "10.251.159.118", - "destination.port": 2795, - "event.action": "cancel", - "event.code": "NGIPS_events", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "2017-8-8T16:50:15Z aturvel1847.mail.localdomain sedquia %NGIPS-high-ostrudex:AccessControlRuleAction:cancel, AccessControlRuleReason:unknown, SrcIP:10.240.144.78, DstIP:10.251.159.118, SrcPort:2998, DstPort:2795, Protocol: ipv6, IngressInterface: lo6367, IngressZone:ptatems, ACPolicy:tenima, AccessControlRuleName:emagnam, Prefilter Policy:iaco, User:urQuisa, Client:ipi, ApplicationProtocol:ipv6-icmp, InitiatorPackets:amali, ResponderPackets:onula, InitiatorBytes:1580, ResponderBytes:4902, NAPPolicy:por, DNSQuery:stiae3403.internal.localhost, DNSRecordType: a host address, DNSSICategory:Ute", - "fileset.name": "log", - "host.name": "stiae3403.internal.localhost", - "input.type": "log", - "log.level": 
"high", - "log.offset": 9801, - "network.application": "ipi", - "network.protocol": "ipv6-icmp", - "observer.egress.interface.name": "lo6367", - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "stiae3403.internal.localhost" - ], - "related.ip": [ - "10.240.144.78", - "10.251.159.118" - ], - "rsa.internal.messageid": "NGIPS_events", - "rsa.internal.msg_id": "ostrudex", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "Ute", - "rsa.misc.policy_name": "por", - "rsa.misc.result": "unknown", - "rsa.misc.rule_name": "emagnam", - "rsa.misc.severity": "high", - "rsa.network.alias_host": [ - "stiae3403.internal.localhost" - ], - "rsa.network.dinterface": "lo6367", - "rsa.network.zone_dst": "ptatems", - "rsa.time.day": "8", - "rule.name": "emagnam", - "service.type": "snort", - "source.bytes": 1580, - "source.ip": "10.240.144.78", - "source.port": 2998, - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.action": "odi", - "event.code": "HMNOTIFY", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Aug 22 23:52:50 setq5996.corp : HMNOTIFY: odi (Sensor tper): Severity:medium: success", - "fileset.name": "log", - "host.name": "setq5996.corp", - "input.type": "log", - "log.level": "medium", - "log.offset": 10398, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "setq5996.corp" - ], - "rsa.internal.messageid": "HMNOTIFY", - "rsa.misc.event_type": "odi", - "rsa.misc.result": "success", - "rsa.misc.sensor": "tper", - "rsa.misc.severity": "medium", - "rsa.time.day": "22", - "rsa.time.month": "Aug", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.action": "sequatD", - "event.code": "HMNOTIFY", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Sep 6 06:55:24 quiano3025.api.localhost oluptat: HMNOTIFY: sequatD (Sensor emap): Severity:very-high: 
unknown", - "fileset.name": "log", - "host.name": "quiano3025.api.localhost", - "input.type": "log", - "log.level": "very-high", - "log.offset": 10484, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "quiano3025.api.localhost" - ], - "rsa.internal.messageid": "HMNOTIFY", - "rsa.misc.event_type": "sequatD", - "rsa.misc.result": "unknown", - "rsa.misc.sensor": "emap", - "rsa.misc.severity": "very-high", - "rsa.time.day": "6", - "rsa.time.month": "Sep", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.action": "umet", - "event.code": "HMNOTIFY", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Sep 20 13:57:58 qui7797.www.host : HMNOTIFY: umet (Sensor psaquaea): Severity:low: failure", - "fileset.name": "log", - "host.name": "qui7797.www.host", - "input.type": "log", - "log.level": "low", - "log.offset": 10594, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "qui7797.www.host" - ], - "rsa.internal.messageid": "HMNOTIFY", - "rsa.misc.event_type": "umet", - "rsa.misc.result": "failure", - "rsa.misc.sensor": "psaquaea", - "rsa.misc.severity": "low", - "rsa.time.day": "20", - "rsa.time.month": "Sep", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "destination.bytes": 5413, - "destination.ip": "10.201.132.114", - "destination.port": 639, - "event.action": "cancel", - "event.code": "NGIPS_events", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "2017-10-4T21:00:32Z Utenim3707.www5.host iamquisn %NGIPS-low-lor:AccessControlRuleAction:cancel, AccessControlRuleReason:success, SrcIP:10.140.209.249, DstIP:10.201.132.114, SrcPort:1801, DstPort:639, Protocol: ggp, IngressInterface: lo3580, IngressZone:eacommo, ACPolicy:litani, AccessControlRuleName:temse, Prefilter Policy:samvo, User:itsedd, Client:icta, 
ApplicationProtocol:igmp, InitiatorPackets:labori, ResponderPackets:ditau, InitiatorBytes:470, ResponderBytes:5413, NAPPolicy:olest, DNSQuery:urau1660.www.lan, DNSRecordType: a host address, DNSSICategory:Neq", - "fileset.name": "log", - "host.name": "urau1660.www.lan", - "input.type": "log", - "log.level": "low", - "log.offset": 10685, - "network.application": "icta", - "network.protocol": "igmp", - "observer.egress.interface.name": "lo3580", - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "urau1660.www.lan" - ], - "related.ip": [ - "10.140.209.249", - "10.201.132.114" - ], - "rsa.internal.messageid": "NGIPS_events", - "rsa.internal.msg_id": "lor", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "Neq", - "rsa.misc.policy_name": "olest", - "rsa.misc.result": "success", - "rsa.misc.rule_name": "temse", - "rsa.misc.severity": "low", - "rsa.network.alias_host": [ - "urau1660.www.lan" - ], - "rsa.network.dinterface": "lo3580", - "rsa.network.zone_dst": "eacommo", - "rsa.time.day": "4", - "rule.name": "temse", - "service.type": "snort", - "source.bytes": 470, - "source.ip": "10.140.209.249", - "source.port": 1801, - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.code": "SystemSettings", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Oct 19 04:03:07 Nequepor: [aUten] edutpers3482.www5.corp: mnisis@onsequa, Access Control Policy > sunt", - "file.name": "Nequepor", - "fileset.name": "log", - "host.name": "edutpers3482.www5.corp", - "input.type": "log", - "log.offset": 11253, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "edutpers3482.www5.corp" - ], - "related.user": [ - "mnisis" - ], - "rsa.db.index": "sunt", - "rsa.internal.messageid": "SystemSettings", - "rsa.network.alias_host": [ - "edutpers3482.www5.corp" - ], - "rsa.time.day": "19", - "rsa.time.month": "Oct", - "service.type": "snort", 
- "tags": [ - "forwarded", - "snort.log" - ], - "user.name": "mnisis" - }, - { - "destination.geo.country_name": "ariatu", - "destination.ip": "10.36.122.169", - "destination.port": 6751, - "event.code": "13228", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Nov 2 11:05:41 nofde7732.internal.test emp: [emoeni:13228:1.2633] taliqui [Impact: failure] From labo at ssecill Nov 2 11:05:41 2017 UTC [Classification: umquam] [Priority: onev ]: atu {ipv6} 10.198.44.231 -> 10.36.122.169:6751 (ariatu)", - "fileset.name": "log", - "host.name": "nofde7732.internal.test", - "input.type": "log", - "log.level": "onev", - "log.offset": 11356, - "network.protocol": "ipv6", - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "observer.version": "1.2633", - "related.hosts": [ - "nofde7732.internal.test" - ], - "related.ip": [ - "10.198.44.231", - "10.36.122.169" - ], - "rsa.crypto.sig_type": "umquam", - "rsa.internal.messageid": "13228", - "rsa.misc.context": "taliqui", - "rsa.misc.event_log": "emp", - "rsa.misc.policy_name": "taliqui", - "rsa.misc.result": "failure", - "rsa.misc.sensor": "labo", - "rsa.misc.severity": "onev", - "rsa.misc.sig_id": 13228, - "rsa.misc.version": "1.2633", - "rsa.network.alias_host": [ - "nofde7732.internal.test" - ], - "rsa.threat.threat_desc": "onev", - "rsa.time.day": "2", - "rsa.time.event_time_str": "Nov 2 11:05:41 2017 UTC", - "rsa.time.month": "Nov", - "service.type": "snort", - "source.ip": "10.198.44.231", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "destination.bytes": 6430, - "destination.ip": "10.144.162.122", - "destination.port": 2080, - "event.action": "block", - "event.code": "NGIPS_events", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "2017-11-16T18:08:15Z byCicero7475.www.localhost abillo %NGIPS-medium-eav:AccessControlRuleAction:block, AccessControlRuleReason:failure, SrcIP:10.77.86.215, DstIP:10.144.162.122, SrcPort:5913, 
DstPort:2080, Protocol: udp, IngressInterface: lo5079, IngressZone:sequine, ACPolicy:minimv, AccessControlRuleName:ffici, Prefilter Policy:rsintoc, User:boreetd, Client:rehende, ApplicationProtocol:icmp, InitiatorPackets:erspic, ResponderPackets:orincidi, InitiatorBytes:3273, ResponderBytes:6430, NAPPolicy:quipe, DNSQuery:evita850.localdomain, DNSRecordType: a host address, DNSSICategory:tiu", - "fileset.name": "log", - "host.name": "evita850.localdomain", - "input.type": "log", - "log.level": "medium", - "log.offset": 11593, - "network.application": "rehende", - "network.protocol": "icmp", - "observer.egress.interface.name": "lo5079", - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "evita850.localdomain" - ], - "related.ip": [ - "10.144.162.122", - "10.77.86.215" - ], - "rsa.internal.messageid": "NGIPS_events", - "rsa.internal.msg_id": "eav", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "tiu", - "rsa.misc.policy_name": "quipe", - "rsa.misc.result": "failure", - "rsa.misc.rule_name": "ffici", - "rsa.misc.severity": "medium", - "rsa.network.alias_host": [ - "evita850.localdomain" - ], - "rsa.network.dinterface": "lo5079", - "rsa.network.zone_dst": "sequine", - "rsa.time.day": "16", - "rule.name": "ffici", - "service.type": "snort", - "source.bytes": 3273, - "source.ip": "10.77.86.215", - "source.port": 5913, - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.code": "SystemSettings", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Dec 1 01:10:49 acons: [enbyCic] aturau3002.api.corp: sci@psamvolu, itsedqui", - "file.name": "acons", - "fileset.name": "log", - "host.name": "aturau3002.api.corp", - "input.type": "log", - "log.offset": 12181, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "aturau3002.api.corp" - ], - "related.user": [ - "sci" - ], - "rsa.db.index": "itsedqui", - 
"rsa.internal.messageid": "SystemSettings", - "rsa.network.alias_host": [ - "aturau3002.api.corp" - ], - "rsa.time.day": "1", - "rsa.time.month": "Dec", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ], - "user.name": "sci" - }, - { - "event.action": "cancel,AccessControlRuleName:ostr,AccessControlRuleReason:unknown,ApplicationProtocol:tcp,Client:itan,ConnectType:olorin,DE:oluptat,DNSResponseType:olors,DstIP:10.85.61.13,DstPort:6593,ICMPCode:quian,ICMPType:xerci,InitiatorBytes:5178,InitiatorPackets:upt,NAPPolicy:uovolu,Policy:itten,ResponderBytes:4805,ResponderPackets:abo,Sinkhole:orisnis,SrcIP:10.212.37.178,SrcPort:76,TCPFlags:aconseq,URLCategory:isnos,URLReputation:132.397000,UserName:lit,ClientVersion:1.4,WebApplication:odic,OriginalClientIP: ono,IngressInterface: eth1462,EgressInterface: enp0s3976,IngressZone: ine,EgressZone: hend,Prefilter Policy: rcit,UserAgent: Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML", - "event.code": "NGIPS_events", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "2017-12-15T08:13:24Z ntiumt238.internal.corp isc %NGIPS-high-odite:AccessControlRuleAction:cancel,AccessControlRuleName:ostr,AccessControlRuleReason:unknown,ApplicationProtocol:tcp,Client:itan,ConnectType:olorin,DE:oluptat,DNSResponseType:olors,DstIP:10.85.61.13,DstPort:6593,ICMPCode:quian,ICMPType:xerci,InitiatorBytes:5178,InitiatorPackets:upt,NAPPolicy:uovolu,Policy:itten,ResponderBytes:4805,ResponderPackets:abo,Sinkhole:orisnis,SrcIP:10.212.37.178,SrcPort:76,TCPFlags:aconseq,URLCategory:isnos,URLReputation:132.397000,UserName:lit,ClientVersion:1.4,WebApplication:odic,OriginalClientIP: ono,IngressInterface: eth1462,EgressInterface: enp0s3976,IngressZone: ine,EgressZone: hend,Prefilter Policy: rcit,UserAgent: Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30,ReferencedHost: nsecte,URL: 
https://api.example.org/tat/pitlabor.gif?rrorsi=loremqu#busBono,HTTPResponse: mnisiut,HTTPReferer: eabil,IPReputationSICategory: olu,DNS_TTL: uaUte,DNSRecordType: empor,DNSQuery: ate,GID: eca,SID: inre,Revision: aliqu,Message: orem,Classification: dquian,User: isaute,Priority: rumetMa, ACPolicy: utfugit, ConnectionDuration: 95.196000,Protocol: ggp,VLAN_ID: 5189,IPSCount: 1350,InlineResult: allow, DNSSICategory: ntocca, URLSICategory: emquelau", - "fileset.name": "log", - "host.name": "ntiumt238.internal.corp", - "input.type": "log", - "log.level": "high", - "log.offset": 12257, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "ntiumt238.internal.corp" - ], - "rsa.counters.dclass_c1_str": " The number of intrusion events", - "rsa.internal.messageid": "NGIPS_events", - "rsa.internal.msg_id": "odite", - "rsa.misc.action": [ - "cancel,AccessControlRuleName:ostr,AccessControlRuleReason:unknown,ApplicationProtocol:tcp,Client:itan,ConnectType:olorin,DE:oluptat,DNSResponseType:olors,DstIP:10.85.61.13,DstPort:6593,ICMPCode:quian,ICMPType:xerci,InitiatorBytes:5178,InitiatorPackets:upt,NAPPolicy:uovolu,Policy:itten,ResponderBytes:4805,ResponderPackets:abo,Sinkhole:orisnis,SrcIP:10.212.37.178,SrcPort:76,TCPFlags:aconseq,URLCategory:isnos,URLReputation:132.397000,UserName:lit,ClientVersion:1.4,WebApplication:odic,OriginalClientIP: ono,IngressInterface: eth1462,EgressInterface: enp0s3976,IngressZone: ine,EgressZone: hend,Prefilter Policy: rcit,UserAgent: Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML" - ], - "rsa.misc.category": "emquelau", - "rsa.misc.severity": "high", - "rsa.network.alias_host": [ - "ntiumt238.internal.corp" - ], - "rsa.time.day": "15", - "rsa.time.duration_time": 95.196, - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.action": "pitlab", - "event.code": "HMNOTIFY", - "event.dataset": "snort.log", - "event.module": 
"snort", - "event.original": "Dec 29 15:15:58 atu2951.test : HMNOTIFY: pitlab (Sensor riosamn): Severity:medium: success", - "fileset.name": "log", - "host.name": "atu2951.test", - "input.type": "log", - "log.level": "medium", - "log.offset": 13585, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "atu2951.test" - ], - "rsa.internal.messageid": "HMNOTIFY", - "rsa.misc.event_type": "pitlab", - "rsa.misc.result": "success", - "rsa.misc.sensor": "riosamn", - "rsa.misc.severity": "medium", - "rsa.time.day": "29", - "rsa.time.month": "Dec", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.code": "SystemSettings", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Jan 12 22:18:32 mini: tutl uipe5295.api.localhost: mwrit@dminimve, Access Control Policy > madminim", - "file.name": "mini", - "fileset.name": "log", - "host.name": "uipe5295.api.localhost", - "input.type": "log", - "log.offset": 13676, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "uipe5295.api.localhost" - ], - "related.user": [ - "mwrit" - ], - "rsa.db.index": "madminim", - "rsa.internal.messageid": "SystemSettings", - "rsa.network.alias_host": [ - "uipe5295.api.localhost" - ], - "rsa.time.day": "12", - "rsa.time.month": "Jan", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ], - "user.name": "mwrit" - }, - { - "event.action": 
"deny,AccessControlRuleName:uisa,AccessControlRuleReason:unknown,ApplicationProtocol:ggp,Client:siutal,ConnectType:umetMalo,DE:onevolu,DNSResponseType:itautfug,DstIP:10.236.221.212,DstPort:5294,ICMPCode:nsequatD,ICMPType:amcorp,InitiatorBytes:1539,InitiatorPackets:idolor,NAPPolicy:umdo,Policy:sequatu,ResponderBytes:7142,ResponderPackets:ecillu,Sinkhole:ipsaqu,SrcIP:10.31.46.127,SrcPort:7526,TCPFlags:magn,URLCategory:amcola,URLReputation:173.477000,UserName:sno,ClientVersion:1.6406,WebApplication:ntiu,OriginalClientIP: tametco,IngressInterface: lo6910,EgressInterface: eth6946,IngressZone: non,EgressZone: pta,Prefilter Policy: asnul,UserAgent: Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML", - "event.code": "NGIPS_events", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "2018-1-27T05:21:06Z tatiset5041.www5.local tevelit %NGIPS-low-Utenim:AccessControlRuleAction:deny,AccessControlRuleName:uisa,AccessControlRuleReason:unknown,ApplicationProtocol:ggp,Client:siutal,ConnectType:umetMalo,DE:onevolu,DNSResponseType:itautfug,DstIP:10.236.221.212,DstPort:5294,ICMPCode:nsequatD,ICMPType:amcorp,InitiatorBytes:1539,InitiatorPackets:idolor,NAPPolicy:umdo,Policy:sequatu,ResponderBytes:7142,ResponderPackets:ecillu,Sinkhole:ipsaqu,SrcIP:10.31.46.127,SrcPort:7526,TCPFlags:magn,URLCategory:amcola,URLReputation:173.477000,UserName:sno,ClientVersion:1.6406,WebApplication:ntiu,OriginalClientIP: tametco,IngressInterface: lo6910,EgressInterface: eth6946,IngressZone: non,EgressZone: pta,Prefilter Policy: asnul,UserAgent: Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91,ReferencedHost: todit,URL: https://www.example.com/fug/ulpaq.gif?piscivel=ueporr#udex,HTTPResponse: ipexeac,HTTPReferer: uin,IPReputationSICategory: isci,DNS_TTL: archi,DNSRecordType: rsitame,DNSQuery: qui,GID: umdolo,SID: 
tate,Revision: sintocca,Message: ugiat,Classification: asuntex,User: uovolup,Priority: expl, ACPolicy: animi, ConnectionDuration: 63.677000,Protocol: ipv6,VLAN_ID: 3389,IPSCount: 1457,InlineResult: cancel, DNSSICategory: taliqui, URLSICategory: doloremi", - "fileset.name": "log", - "host.name": "tatiset5041.www5.local", - "input.type": "log", - "log.level": "low", - "log.offset": 13776, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "tatiset5041.www5.local" - ], - "rsa.counters.dclass_c1_str": " The number of intrusion events", - "rsa.internal.messageid": "NGIPS_events", - "rsa.internal.msg_id": "Utenim", - "rsa.misc.action": [ - "deny,AccessControlRuleName:uisa,AccessControlRuleReason:unknown,ApplicationProtocol:ggp,Client:siutal,ConnectType:umetMalo,DE:onevolu,DNSResponseType:itautfug,DstIP:10.236.221.212,DstPort:5294,ICMPCode:nsequatD,ICMPType:amcorp,InitiatorBytes:1539,InitiatorPackets:idolor,NAPPolicy:umdo,Policy:sequatu,ResponderBytes:7142,ResponderPackets:ecillu,Sinkhole:ipsaqu,SrcIP:10.31.46.127,SrcPort:7526,TCPFlags:magn,URLCategory:amcola,URLReputation:173.477000,UserName:sno,ClientVersion:1.6406,WebApplication:ntiu,OriginalClientIP: tametco,IngressInterface: lo6910,EgressInterface: eth6946,IngressZone: non,EgressZone: pta,Prefilter Policy: asnul,UserAgent: Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML" - ], - "rsa.misc.category": "doloremi", - "rsa.misc.severity": "low", - "rsa.network.alias_host": [ - "tatiset5041.www5.local" - ], - "rsa.time.day": "27", - "rsa.time.duration_time": 63.677, - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.code": "SystemSettings", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Feb 10 12:23:41 atevel: [oloremeu] esse2198.mail.example: uaturvel@quisqua, System > sedquian", - "file.name": "atevel", - "fileset.name": "log", - "host.name": 
"esse2198.mail.example", - "input.type": "log", - "log.offset": 15178, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "esse2198.mail.example" - ], - "related.user": [ - "uaturvel" - ], - "rsa.db.index": "sedquian", - "rsa.internal.messageid": "SystemSettings", - "rsa.misc.category": "System", - "rsa.network.alias_host": [ - "esse2198.mail.example" - ], - "rsa.time.day": "10", - "rsa.time.month": "Feb", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ], - "user.name": "uaturvel" - }, - { - "event.code": "FTD_events", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Feb 24 2018 19:26:15 pitlab5165.localdomain %FTD-uptate-tevelite:CLOCK: System clock set, source: cto, IP: 10.17.172.91, before: agn, after: dip", - "fileset.name": "log", - "host.ip": "10.17.172.91", - "host.name": "pitlab5165.localdomain", - "input.type": "log", - "log.offset": 15272, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "cto", - "pitlab5165.localdomain" - ], - "related.ip": [ - "10.17.172.91" - ], - "rsa.internal.messageid": "FTD_events", - "rsa.internal.msg_id": "tevelite", - "rsa.misc.change_attrib": "Time", - "rsa.misc.change_new": "dip", - "rsa.misc.change_old": "agn", - "rsa.misc.event_source": "cto", - "rsa.network.alias_host": [ - "pitlab5165.localdomain" - ], - "rsa.time.day": "24", - "rsa.time.month": "Feb", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.code": "SystemSettings", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Mar 11 02:28:49 acomm: [edquia] uinesci6041.api.local: pers@lpaquiof, Analysis isisten", - "file.name": "acomm", - "fileset.name": "log", - "host.name": "uinesci6041.api.local", - "input.type": "log", - "log.offset": 15417, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - 
"related.hosts": [ - "uinesci6041.api.local" - ], - "related.user": [ - "pers" - ], - "rsa.db.index": "isisten", - "rsa.internal.messageid": "SystemSettings", - "rsa.misc.category": "Session Expiration", - "rsa.network.alias_host": [ - "uinesci6041.api.local" - ], - "rsa.time.day": "11", - "rsa.time.month": "Mar", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ], - "user.name": "pers" - }, - { - "destination.geo.country_name": "icons", - "destination.ip": "10.60.137.215", - "destination.port": 3266, - "event.code": "5155", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Mar 25 09:31:24 uovol2459.www5.invalid volup: [nimi:5155:1.2115] lillum [Impact: success] From suntin at consequa Mar 25 09:31:24 2018 UTC [Classification: tionu] [Priority: umqua ]:alert {tcp} 10.28.105.106 -> 10.60.137.215:3266 (icons)", - "fileset.name": "log", - "host.name": "uovol2459.www5.invalid", - "input.type": "log", - "log.level": "umqua", - "log.offset": 15504, - "network.protocol": "tcp", - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "observer.version": "1.2115", - "related.hosts": [ - "uovol2459.www5.invalid" - ], - "related.ip": [ - "10.28.105.106", - "10.60.137.215" - ], - "rsa.crypto.sig_type": "tionu", - "rsa.internal.messageid": "5155", - "rsa.misc.context": "lillum", - "rsa.misc.event_log": "volup", - "rsa.misc.policy_name": "lillum", - "rsa.misc.result": "success", - "rsa.misc.sensor": "suntin", - "rsa.misc.severity": "umqua", - "rsa.misc.sig_id": 5155, - "rsa.misc.version": "1.2115", - "rsa.network.alias_host": [ - "uovol2459.www5.invalid" - ], - "rsa.threat.threat_desc": "umqua", - "rsa.time.day": "25", - "rsa.time.event_time_str": "Mar 25 09:31:24 2018 UTC", - "rsa.time.month": "Mar", - "service.type": "snort", - "source.ip": "10.28.105.106", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.action": "ssequa", - "event.code": "HMNOTIFY", - "event.dataset": "snort.log", 
- "event.module": "snort", - "event.original": "Apr 8 16:33:58 ptate7215.www5.home mquiado: HMNOTIFY: ssequa (Sensor nisist): Severity:low: failure", - "fileset.name": "log", - "host.name": "ptate7215.www5.home", - "input.type": "log", - "log.level": "low", - "log.offset": 15742, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "ptate7215.www5.home" - ], - "rsa.internal.messageid": "HMNOTIFY", - "rsa.misc.event_type": "ssequa", - "rsa.misc.result": "failure", - "rsa.misc.sensor": "nisist", - "rsa.misc.severity": "low", - "rsa.time.day": "8", - "rsa.time.month": "Apr", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.action": "deny,AccessControlRuleName:toditaut,AccessControlRuleReason:success,ApplicationProtocol:ipv6-icmp,Client:didu,ConnectType:emporain,DE:ovo,DNSResponseType:aeabillo,DstIP:10.53.0.68,DstPort:7066,FileCount:4405,ICMPCode:rehen,ICMPType:sitasp,InitiatorBytes:933,InitiatorPackets:exeacom,NAPPolicy:teir,Policy:suntin,ResponderBytes:4053,ResponderPackets:upta,Sinkhole:iaeconse,SrcIP:10.235.102.51,SrcPort:1905,TCPFlags:uscip,URLCategory:ptasn,URLReputation:163.091000,UserName:san,ClientVersion:1.1124,WebApplication:amqui,OriginalClientIP: itatise,IngressInterface: lo6252,EgressInterface: enp0s6516,IngressZone: liqu,EgressZone: cons,Prefilter Policy: apar,UserAgent: Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML", - "event.code": "connection_events", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Apr 22 23:36:32 metc7395.lan ataevit: Protocol: rdp, 
AccessControlRuleAction:deny,AccessControlRuleName:toditaut,AccessControlRuleReason:success,ApplicationProtocol:ipv6-icmp,Client:didu,ConnectType:emporain,DE:ovo,DNSResponseType:aeabillo,DstIP:10.53.0.68,DstPort:7066,FileCount:4405,ICMPCode:rehen,ICMPType:sitasp,InitiatorBytes:933,InitiatorPackets:exeacom,NAPPolicy:teir,Policy:suntin,ResponderBytes:4053,ResponderPackets:upta,Sinkhole:iaeconse,SrcIP:10.235.102.51,SrcPort:1905,TCPFlags:uscip,URLCategory:ptasn,URLReputation:163.091000,UserName:san,ClientVersion:1.1124,WebApplication:amqui,OriginalClientIP: itatise,IngressInterface: lo6252,EgressInterface: enp0s6516,IngressZone: liqu,EgressZone: cons,Prefilter Policy: apar,UserAgent: Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36,ReferencedHost: umtota,URL: https://internal.example.com/xplic/isn.html?ame=tenat#etur,HTTPResponse: uisnost,HTTPReferer: snul,IPReputationSICategory: quasia,DNS_TTL: ihilmol,DNSRecordType: seosqui,DNSQuery: tiset,GID: ciade,SID: 31978,Revision: equ,Message: rror,Classification: Exce,User: uae,Priority: tut, ACPolicy: umdol", - "fileset.name": "log", - "host.name": "metc7395.lan", - "input.type": "log", - "log.offset": 15842, - "network.protocol": "rdp", - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "metc7395.lan" - ], - "rsa.counters.dclass_c1_str": "Number of Files", - "rsa.internal.messageid": "connection_events", - "rsa.misc.action": [ - 
"deny,AccessControlRuleName:toditaut,AccessControlRuleReason:success,ApplicationProtocol:ipv6-icmp,Client:didu,ConnectType:emporain,DE:ovo,DNSResponseType:aeabillo,DstIP:10.53.0.68,DstPort:7066,FileCount:4405,ICMPCode:rehen,ICMPType:sitasp,InitiatorBytes:933,InitiatorPackets:exeacom,NAPPolicy:teir,Policy:suntin,ResponderBytes:4053,ResponderPackets:upta,Sinkhole:iaeconse,SrcIP:10.235.102.51,SrcPort:1905,TCPFlags:uscip,URLCategory:ptasn,URLReputation:163.091000,UserName:san,ClientVersion:1.1124,WebApplication:amqui,OriginalClientIP: itatise,IngressInterface: lo6252,EgressInterface: enp0s6516,IngressZone: liqu,EgressZone: cons,Prefilter Policy: apar,UserAgent: Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML" - ], - "rsa.network.alias_host": [ - "metc7395.lan" - ], - "rsa.time.day": "22", - "rsa.time.month": "Apr", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "destination.ip": "10.49.190.163", - "destination.nat.ip": "10.20.167.114", - "destination.nat.port": 6975, - "destination.port": 4220, - "event.code": "FTD_events", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "May 7 2018 06:39:06 Loremips5368.www5.corp: %FTD-ficiade-nemull:Offloaded TCP Flow for connectiontrumexfromenp0s484:10.49.190.163/4220(10.20.167.114/6975) tolo7626:10.166.40.137/5279(10.65.144.119/6233)", - "fileset.name": "log", - "host.name": "Loremips5368.www5.corp", - "input.type": "log", - "log.offset": 17035, - "observer.egress.interface.name": "enp0s484", - "observer.ingress.interface.name": "lo7626", - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "Loremips5368.www5.corp" - ], - "related.ip": [ - "10.166.40.137", - "10.20.167.114", - "10.49.190.163", - "10.65.144.119" - ], - "rsa.internal.event_desc": "Offloaded TCP Flow for connection", - "rsa.internal.messageid": "FTD_events", - "rsa.internal.msg_id": "nemull", - "rsa.misc.connection_id": 
"trumex", - "rsa.network.alias_host": [ - "Loremips5368.www5.corp" - ], - "rsa.network.dinterface": "enp0s484", - "rsa.network.sinterface": "lo7626", - "rsa.time.day": "7", - "rsa.time.month": "May", - "service.type": "snort", - "source.ip": "10.166.40.137", - "source.nat.ip": "10.65.144.119", - "source.nat.port": 6233, - "source.port": 5279, - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "destination.ip": "10.162.128.87", - "event.code": "MALWARE", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "May 21 13:41:41 mexer1548.www5.example uidexea: Sha256:emu Disposition: Malware Threat name: asia IP Addresses: 10.162.128.87<<-10.104.78.147", - "fileset.name": "log", - "host.name": "mexer1548.www5.example", - "input.type": "log", - "log.offset": 17238, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "mexer1548.www5.example" - ], - "related.ip": [ - "10.104.78.147", - "10.162.128.87" - ], - "rsa.internal.messageid": "MALWARE", - "rsa.misc.checksum": "emu", - "rsa.misc.disposition": "Malware", - "rsa.network.alias_host": [ - "mexer1548.www5.example" - ], - "rsa.threat.threat_category": "asia", - "rsa.time.day": "21", - "rsa.time.month": "May", - "service.type": "snort", - "source.ip": "10.104.78.147", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "destination.ip": "10.82.180.46", - "event.code": "MALWARE", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Jun 4 20:44:15 emulla6625.www5.corp oditaut: Sha256:oloremqu Disposition: Malware Threat name: untNeque IP Addresses: 10.82.180.46<<-10.237.43.87", - "fileset.name": "log", - "host.name": "emulla6625.www5.corp", - "input.type": "log", - "log.offset": 17380, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "emulla6625.www5.corp" - ], - "related.ip": [ - "10.237.43.87", - "10.82.180.46" - ], - "rsa.internal.messageid": 
"MALWARE", - "rsa.misc.checksum": "oloremqu", - "rsa.misc.disposition": "Malware", - "rsa.network.alias_host": [ - "emulla6625.www5.corp" - ], - "rsa.threat.threat_category": "untNeque", - "rsa.time.day": "4", - "rsa.time.month": "Jun", - "service.type": "snort", - "source.ip": "10.237.43.87", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "destination.geo.country_name": "quovol", - "destination.ip": "10.180.28.156", - "destination.port": 4665, - "event.code": "5315", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Jun 19 03:46:49 magn3657.api.invalid tquiine: [ill:5315:1.4189] \"mquisn\" [Impact: success] From nby/uames at dolo Jun 19 03:46:49 2018 UTC [Classification: mnihil] [Priority: aturQui ]: umqua {icmp} 10.234.234.205:5714 (eos) -> 10.180.28.156:4665 (quovol)", - "fileset.name": "log", - "host.name": "magn3657.api.invalid", - "input.type": "log", - "log.level": "aturQui", - "log.offset": 17526, - "network.protocol": "icmp", - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "observer.version": "1.4189", - "related.hosts": [ - "magn3657.api.invalid" - ], - "related.ip": [ - "10.180.28.156", - "10.234.234.205" - ], - "rsa.crypto.sig_type": "mnihil", - "rsa.internal.messageid": "5315", - "rsa.misc.context": "mquisn", - "rsa.misc.event_log": "tquiine", - "rsa.misc.group_object": "nby", - "rsa.misc.policy_name": "mquisn", - "rsa.misc.result": "success", - "rsa.misc.sensor": "uames", - "rsa.misc.severity": "aturQui", - "rsa.misc.sig_id": 5315, - "rsa.misc.version": "1.4189", - "rsa.network.alias_host": [ - "magn3657.api.invalid" - ], - "rsa.threat.threat_desc": "aturQui", - "rsa.time.day": "19", - "rsa.time.event_time_str": "Jun 19 03:46:49 2018 UTC", - "rsa.time.month": "Jun", - "service.type": "snort", - "source.geo.country_name": "eos", - "source.ip": "10.234.234.205", - "source.port": 5714, - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.action": "architec", - 
"event.code": "HMNOTIFY", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Jul 3 10:49:23 nis3942.mail.example edutpe: HMNOTIFY: architec (Sensor incul): Severity:high: success", - "fileset.name": "log", - "host.name": "nis3942.mail.example", - "input.type": "log", - "log.level": "high", - "log.offset": 17782, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "nis3942.mail.example" - ], - "rsa.internal.messageid": "HMNOTIFY", - "rsa.misc.event_type": "architec", - "rsa.misc.result": "success", - "rsa.misc.sensor": "incul", - "rsa.misc.severity": "high", - "rsa.time.day": "3", - "rsa.time.month": "Jul", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "destination.bytes": 4280, - "destination.ip": "10.166.10.187", - "destination.port": 793, - "event.action": "block", - "event.code": "NGIPS_events", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "2018-7-17T17:51:58Z iscing6960.api.invalid emipsu %NGIPS-very-high-temUte:AccessControlRuleAction:block, AccessControlRuleReason:success, SrcIP:10.40.250.209, DstIP:10.166.10.187, SrcPort:3941, DstPort:793, Protocol: udp, IngressInterface: lo2032, IngressZone:nculpaq, ACPolicy:mides, AccessControlRuleName:iconseq, Prefilter Policy:nidolo, User:runtmoll, Client:tuserror, ApplicationProtocol:igmp, InitiatorPackets:adipis, ResponderPackets:tet, InitiatorBytes:1259, ResponderBytes:4280, NAPPolicy:inv, DNSQuery:upta788.invalid, DNSRecordType: a host address, DNS_TTL: olupta, DNSSICategory:raincidu", - "fileset.name": "log", - "host.name": "upta788.invalid", - "input.type": "log", - "log.level": "very", - "log.offset": 17884, - "network.application": "tuserror", - "network.protocol": "igmp", - "observer.egress.interface.name": "lo2032", - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "upta788.invalid" - ], - 
"related.ip": [ - "10.166.10.187", - "10.40.250.209" - ], - "rsa.internal.messageid": "NGIPS_events", - "rsa.internal.msg_id": "high-temUte", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "raincidu", - "rsa.misc.policy_name": "inv", - "rsa.misc.result": "success", - "rsa.misc.rule_name": "iconseq", - "rsa.misc.severity": "very", - "rsa.network.alias_host": [ - "upta788.invalid" - ], - "rsa.network.dinterface": "lo2032", - "rsa.network.zone_dst": "nculpaq", - "rsa.time.day": "17", - "rule.name": "iconseq", - "service.type": "snort", - "source.bytes": 1259, - "source.ip": "10.40.250.209", - "source.port": 3941, - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.action": "cancel,AccessControlRuleName:equat,AccessControlRuleReason:unknown,ApplicationProtocol:rdp,Client:estlab,ConnectType:vol,DE:paqui,DNSResponseType:eiusmo,DstIP:10.33.37.252,DstPort:3192,FileCount:2960,ICMPCode:itseddoe,ICMPType:tnulapa,InitiatorBytes:6405,InitiatorPackets:ngelitse,NAPPolicy:Utenim,Policy:llitan,ResponderBytes:2517,ResponderPackets:urs,Sinkhole:uepor,SrcIP:10.52.109.149,SrcPort:1416,TCPFlags:piciati,URLCategory:mipsum,URLReputation:7.706000,UserName:ditaut,ClientVersion:1.91,WebApplication:niamquis,OriginalClientIP: lapariat,IngressInterface: lo5184,EgressInterface: lo62,IngressZone: mpo,EgressZone: deritinv,Prefilter Policy: ten,UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML", - "event.code": "connection_events", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Aug 1 00:54:32 consequu3962.api.localdomain Maloru: Protocol: ggp, 
AccessControlRuleAction:cancel,AccessControlRuleName:equat,AccessControlRuleReason:unknown,ApplicationProtocol:rdp,Client:estlab,ConnectType:vol,DE:paqui,DNSResponseType:eiusmo,DstIP:10.33.37.252,DstPort:3192,FileCount:2960,ICMPCode:itseddoe,ICMPType:tnulapa,InitiatorBytes:6405,InitiatorPackets:ngelitse,NAPPolicy:Utenim,Policy:llitan,ResponderBytes:2517,ResponderPackets:urs,Sinkhole:uepor,SrcIP:10.52.109.149,SrcPort:1416,TCPFlags:piciati,URLCategory:mipsum,URLReputation:7.706000,UserName:ditaut,ClientVersion:1.91,WebApplication:niamquis,OriginalClientIP: lapariat,IngressInterface: lo5184,EgressInterface: lo62,IngressZone: mpo,EgressZone: deritinv,Prefilter Policy: ten,UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36,ReferencedHost: temporai,URL: https://example.com/emeumf/res.txt?ptasn=ima#emUte,HTTPResponse: atnonp,HTTPReferer: imaven,IPReputationSICategory: cia,DNS_TTL: doconseq,DNSRecordType: quia,DNSQuery: veleum,GID: emUten,SID: 31978,Revision: proiden,Message: cita,Classification: iac,User: ntincul,Priority: mnisiste, ACPolicy: uptas", - "fileset.name": "log", - "host.name": "consequu3962.api.localdomain", - "input.type": "log", - "log.offset": 18484, - "network.protocol": "ggp", - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "consequu3962.api.localdomain" - ], - "rsa.counters.dclass_c1_str": "Number of Files", - "rsa.internal.messageid": "connection_events", - "rsa.misc.action": [ - 
"cancel,AccessControlRuleName:equat,AccessControlRuleReason:unknown,ApplicationProtocol:rdp,Client:estlab,ConnectType:vol,DE:paqui,DNSResponseType:eiusmo,DstIP:10.33.37.252,DstPort:3192,FileCount:2960,ICMPCode:itseddoe,ICMPType:tnulapa,InitiatorBytes:6405,InitiatorPackets:ngelitse,NAPPolicy:Utenim,Policy:llitan,ResponderBytes:2517,ResponderPackets:urs,Sinkhole:uepor,SrcIP:10.52.109.149,SrcPort:1416,TCPFlags:piciati,URLCategory:mipsum,URLReputation:7.706000,UserName:ditaut,ClientVersion:1.91,WebApplication:niamquis,OriginalClientIP: lapariat,IngressInterface: lo5184,EgressInterface: lo62,IngressZone: mpo,EgressZone: deritinv,Prefilter Policy: ten,UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML" - ], - "rsa.network.alias_host": [ - "consequu3962.api.localdomain" - ], - "rsa.time.day": "1", - "rsa.time.month": "Aug", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "destination.ip": "10.78.180.219", - "event.code": "MALWARE", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Aug 15 07:57:06 ita7851.localhost dictas: Sha256:equaturv Disposition: Malware Threat name: rsi IP Addresses: 10.78.180.219<<-10.198.202.72", - "fileset.name": "log", - "host.name": "ita7851.localhost", - "input.type": "log", - "log.offset": 19724, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "ita7851.localhost" - ], - "related.ip": [ - "10.198.202.72", - "10.78.180.219" - ], - "rsa.internal.messageid": "MALWARE", - "rsa.misc.checksum": "equaturv", - "rsa.misc.disposition": "Malware", - "rsa.network.alias_host": [ - "ita7851.localhost" - ], - "rsa.threat.threat_category": "rsi", - "rsa.time.day": "15", - "rsa.time.month": "Aug", - "service.type": "snort", - "source.ip": "10.198.202.72", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "destination.geo.country_name": "maccusan", - "destination.ip": "10.232.67.182", - 
"destination.port": 2086, - "event.code": "26152", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Aug 29 14:59:40 laparia5374.api.domain norumet: [tconse:26152:1.2390] \"tam\" [Impact: success] From \"inc/riaturEx\" at eleumiur Aug 29 14:59:40 2018 UTC [Classification: eufugi] [Priority: ionu ] < {ggp} 10.147.155.100 -> 10.232.67.182:2086 (maccusan)", - "fileset.name": "log", - "host.name": "laparia5374.api.domain", - "input.type": "log", - "log.level": "ionu", - "log.offset": 19864, - "network.interface.name": "enp0s2413", - "network.protocol": "ggp", - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "observer.version": "1.2390", - "related.hosts": [ - "laparia5374.api.domain" - ], - "related.ip": [ - "10.147.155.100", - "10.232.67.182" - ], - "rsa.crypto.sig_type": "eufugi", - "rsa.internal.messageid": "26152", - "rsa.misc.context": "tam", - "rsa.misc.event_log": "norumet", - "rsa.misc.group_object": "inc", - "rsa.misc.policy_name": "tam", - "rsa.misc.result": "success", - "rsa.misc.sensor": "riaturEx", - "rsa.misc.severity": "ionu", - "rsa.misc.sig_id": 26152, - "rsa.misc.version": "1.2390", - "rsa.network.alias_host": [ - "laparia5374.api.domain" - ], - "rsa.network.interface": "enp0s2413", - "rsa.threat.threat_desc": "ionu", - "rsa.time.day": "29", - "rsa.time.event_time_str": "Aug 29 14:59:40 2018 UTC", - "rsa.time.month": "Aug", - "service.type": "snort", - "source.ip": "10.147.155.100", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "destination.ip": "10.95.152.78", - "destination.port": 1267, - "event.code": "9193", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Sep 12 22:02:15 onse3711.api.domain aliquaUt: [boreet:9193:1.1034] vol [Impact: unknown] From \"nof/boNe\" at ovolu Sep 12 22:02:15 2018 UTC [Classification: cid] [Priority: periam ] {ggp} 10.4.147.70:3210 -> 10.95.152.78:1267", - "fileset.name": "log", - "host.name": 
"onse3711.api.domain", - "input.type": "log", - "log.level": "periam", - "log.offset": 20125, - "network.protocol": "ggp", - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "observer.version": "1.1034", - "related.hosts": [ - "onse3711.api.domain" - ], - "related.ip": [ - "10.4.147.70", - "10.95.152.78" - ], - "rsa.crypto.sig_type": "cid", - "rsa.internal.messageid": "9193", - "rsa.misc.context": "vol", - "rsa.misc.event_log": "aliquaUt", - "rsa.misc.group_object": "nof", - "rsa.misc.policy_name": "vol", - "rsa.misc.result": "unknown", - "rsa.misc.sensor": "boNe", - "rsa.misc.severity": "periam", - "rsa.misc.sig_id": 9193, - "rsa.misc.version": "1.1034", - "rsa.network.alias_host": [ - "onse3711.api.domain" - ], - "rsa.threat.threat_desc": "periam", - "rsa.time.day": "12", - "rsa.time.event_time_str": "Sep 12 22:02:15 2018 UTC", - "rsa.time.month": "Sep", - "service.type": "snort", - "source.ip": "10.4.147.70", - "source.port": 3210, - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.code": "SystemSettings", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Sep 27 05:04:49 elite: nde iac7016.api.lan: antiu@llumquid, FailD, paq", - "file.name": "elite", - "fileset.name": "log", - "host.name": "iac7016.api.lan", - "input.type": "log", - "log.offset": 20350, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "iac7016.api.lan" - ], - "related.user": [ - "antiu" - ], - "rsa.db.index": "paq", - "rsa.internal.messageid": "SystemSettings", - "rsa.network.alias_host": [ - "iac7016.api.lan" - ], - "rsa.time.day": "27", - "rsa.time.month": "Sep", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ], - "user.name": "antiu" - }, - { - "event.code": "SystemSettings", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Oct 11 12:07:23 sit: tte4006.www5.test: lors@isautem, Intrusion Events,metco", - 
"file.name": "sit", - "fileset.name": "log", - "host.name": "tte4006.www5.test", - "input.type": "log", - "log.offset": 20421, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "tte4006.www5.test" - ], - "related.user": [ - "lors" - ], - "rsa.db.index": "metco", - "rsa.internal.messageid": "SystemSettings", - "rsa.misc.category": "Intrusion Events", - "rsa.network.alias_host": [ - "tte4006.www5.test" - ], - "rsa.time.day": "11", - "rsa.time.month": "Oct", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ], - "user.name": "lors" - }, - { - "event.action": "cancel,AccessControlRuleName:bor,AccessControlRuleReason:success,ApplicationProtocol:udp,Client:ten,ConnectType:ssec,DE:snulapar,DNSResponseType:maccusan,DstIP:10.54.49.229,DstPort:1089,ICMPCode:iset,ICMPType:piciatis,InitiatorBytes:3781,InitiatorPackets:dolor,NAPPolicy:tur,Policy:sBo,ResponderBytes:1426,ResponderPackets:rehende,Sinkhole:iaeco,SrcIP:10.204.18.92,SrcPort:4216,TCPFlags:psamvolu,URLCategory:odte,URLReputation:12.264000,UserName:aparia,ClientVersion:1.2692,WebApplication:reetd,OriginalClientIP: nos,IngressInterface: enp0s6783,EgressInterface: enp0s2434,IngressZone: urveli,EgressZone: agnaa,Prefilter Policy: olu,UserAgent: Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML", - "event.code": "NGIPS_events", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "2018-10-25T19:09:57Z equatD1241.www5.host rpo 
%NGIPS-low-econs:AccessControlRuleAction:cancel,AccessControlRuleName:bor,AccessControlRuleReason:success,ApplicationProtocol:udp,Client:ten,ConnectType:ssec,DE:snulapar,DNSResponseType:maccusan,DstIP:10.54.49.229,DstPort:1089,ICMPCode:iset,ICMPType:piciatis,InitiatorBytes:3781,InitiatorPackets:dolor,NAPPolicy:tur,Policy:sBo,ResponderBytes:1426,ResponderPackets:rehende,Sinkhole:iaeco,SrcIP:10.204.18.92,SrcPort:4216,TCPFlags:psamvolu,URLCategory:odte,URLReputation:12.264000,UserName:aparia,ClientVersion:1.2692,WebApplication:reetd,OriginalClientIP: nos,IngressInterface: enp0s6783,EgressInterface: enp0s2434,IngressZone: urveli,EgressZone: agnaa,Prefilter Policy: olu,UserAgent: Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36,ReferencedHost: atae,URL: https://www5.example.net/boNemo/duntutla.html?tmollit=ptat#nnumqu,HTTPResponse: billoi,HTTPReferer: ciatisu,IPReputationSICategory: evelites,DNS_TTL: vol,DNSRecordType: ommodi,DNSQuery: ritat,GID: dipi,SID: asnulapa,Revision: atev,Message: onsequa,Classification: seddoe,User: quisnost,Priority: tionu, ACPolicy: ciades, ConnectionDuration: 116.537000,Protocol: icmp,VLAN_ID: 764,IPSCount: 5618,InlineResult: accept, DNSSICategory: nvolupt, URLSICategory: stia", - "fileset.name": "log", - "host.name": "equatD1241.www5.host", - "input.type": "log", - "log.level": "low", - "log.offset": 20498, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "equatD1241.www5.host" - ], - "rsa.counters.dclass_c1_str": " The number of intrusion events", - "rsa.internal.messageid": "NGIPS_events", - "rsa.internal.msg_id": "econs", - "rsa.misc.action": [ - 
"cancel,AccessControlRuleName:bor,AccessControlRuleReason:success,ApplicationProtocol:udp,Client:ten,ConnectType:ssec,DE:snulapar,DNSResponseType:maccusan,DstIP:10.54.49.229,DstPort:1089,ICMPCode:iset,ICMPType:piciatis,InitiatorBytes:3781,InitiatorPackets:dolor,NAPPolicy:tur,Policy:sBo,ResponderBytes:1426,ResponderPackets:rehende,Sinkhole:iaeco,SrcIP:10.204.18.92,SrcPort:4216,TCPFlags:psamvolu,URLCategory:odte,URLReputation:12.264000,UserName:aparia,ClientVersion:1.2692,WebApplication:reetd,OriginalClientIP: nos,IngressInterface: enp0s6783,EgressInterface: enp0s2434,IngressZone: urveli,EgressZone: agnaa,Prefilter Policy: olu,UserAgent: Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML" - ], - "rsa.misc.category": "stia", - "rsa.misc.severity": "low", - "rsa.network.alias_host": [ - "equatD1241.www5.host" - ], - "rsa.time.day": "25", - "rsa.time.duration_time": 116.537, - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "destination.ip": "10.216.14.36", - "event.code": "MALWARE", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Nov 9 02:12:32 essequ121.localdomain uaturQui: Sha256:emi Disposition: Malware Threat name: mipsumq IP Addresses: 10.216.14.36<<-10.224.250.83", - "fileset.name": "log", - "host.name": "essequ121.localdomain", - "input.type": "log", - "log.offset": 21841, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "essequ121.localdomain" - ], - "related.ip": [ - "10.216.14.36", - "10.224.250.83" - ], - "rsa.internal.messageid": "MALWARE", - "rsa.misc.checksum": "emi", - "rsa.misc.disposition": "Malware", - "rsa.network.alias_host": [ - "essequ121.localdomain" - ], - "rsa.threat.threat_category": "mipsumq", - "rsa.time.day": "9", - "rsa.time.month": "Nov", - "service.type": "snort", - "source.ip": "10.224.250.83", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "destination.ip": "10.231.10.63", - 
"event.code": "10329", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Nov 23 09:15:06 borios1685.www.localhost umfu: [inesc:10329:1.6298] \"olupt\" [Impact: failure] From otamr/nonnu at riamea Nov 23 09:15:06 2018 UTC [Classification: taliquip] [Priority: upt ]:alert {ggp} 10.38.22.60:653 (ipi) -> 10.231.10.63", - "fileset.name": "log", - "host.name": "borios1685.www.localhost", - "input.type": "log", - "log.level": "upt", - "log.offset": 21984, - "network.protocol": "ggp", - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "observer.version": "1.6298", - "related.hosts": [ - "borios1685.www.localhost" - ], - "related.ip": [ - "10.231.10.63", - "10.38.22.60" - ], - "rsa.crypto.sig_type": "taliquip", - "rsa.internal.messageid": "10329", - "rsa.misc.context": "olupt", - "rsa.misc.event_log": "umfu", - "rsa.misc.group_object": "otamr", - "rsa.misc.policy_name": "olupt", - "rsa.misc.result": "failure", - "rsa.misc.sensor": "nonnu", - "rsa.misc.severity": "upt", - "rsa.misc.sig_id": 10329, - "rsa.misc.version": "1.6298", - "rsa.network.alias_host": [ - "borios1685.www.localhost" - ], - "rsa.threat.threat_desc": "upt", - "rsa.time.day": "23", - "rsa.time.event_time_str": "Nov 23 09:15:06 2018 UTC", - "rsa.time.month": "Nov", - "service.type": "snort", - "source.geo.country_name": "ipi", - "source.ip": "10.38.22.60", - "source.port": 653, - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "destination.bytes": 560, - "destination.ip": "10.29.231.11", - "destination.port": 2231, - "event.action": "cancel", - "event.code": "NGIPS_events", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "2018-12-7T16:17:40Z odt2318.localdomain dut %NGIPS-high-remape:AccessControlRuleAction:cancel, AccessControlRuleReason:failure, SrcIP:10.46.57.181, DstIP:10.29.231.11, SrcPort:3760, DstPort:2231, Protocol: ggp, IngressInterface: eth1891, IngressZone:orsitam, ACPolicy:olupt, 
AccessControlRuleName:tlab, Prefilter Policy:str, User:sit, Client:atat, ApplicationProtocol:tcp, InitiatorPackets:isnos, ResponderPackets:emp, InitiatorBytes:42, ResponderBytes:560, NAPPolicy:sciveli, DNSQuery:Bonoru5658.mail.invalid, DNSRecordType: a host address, DNSSICategory:omm", - "fileset.name": "log", - "host.name": "Bonoru5658.mail.invalid", - "input.type": "log", - "log.level": "high", - "log.offset": 22224, - "network.application": "atat", - "network.protocol": "tcp", - "observer.egress.interface.name": "eth1891", - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "Bonoru5658.mail.invalid" - ], - "related.ip": [ - "10.29.231.11", - "10.46.57.181" - ], - "rsa.internal.messageid": "NGIPS_events", - "rsa.internal.msg_id": "remape", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "omm", - "rsa.misc.policy_name": "sciveli", - "rsa.misc.result": "failure", - "rsa.misc.rule_name": "tlab", - "rsa.misc.severity": "high", - "rsa.network.alias_host": [ - "Bonoru5658.mail.invalid" - ], - "rsa.network.dinterface": "eth1891", - "rsa.network.zone_dst": "orsitam", - "rsa.time.day": "7", - "rule.name": "tlab", - "service.type": "snort", - "source.bytes": 42, - "source.ip": "10.46.57.181", - "source.port": 3760, - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.code": "SystemSettings", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Dec 21 23:20:14 dolores: oin ueipsa6797.mail.home: agnaal@itaut, Access Control Policy > Bonoru", - "file.name": "dolores", - "fileset.name": "log", - "host.name": "ueipsa6797.mail.home", - "input.type": "log", - "log.offset": 22784, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "ueipsa6797.mail.home" - ], - "related.user": [ - "agnaal" - ], - "rsa.db.index": "Bonoru", - "rsa.internal.messageid": "SystemSettings", - "rsa.network.alias_host": [ - "ueipsa6797.mail.home" 
- ], - "rsa.time.day": "21", - "rsa.time.month": "Dec", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ], - "user.name": "agnaal" - }, - { - "event.code": "SystemSettings", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Jan 5 06:22:49 ntinculp: uptatemU iono5161.www5.localhost: ita@olupt, System > orisnisi", - "file.name": "ntinculp", - "fileset.name": "log", - "host.name": "iono5161.www5.localhost", - "input.type": "log", - "log.offset": 22880, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "iono5161.www5.localhost" - ], - "related.user": [ - "ita" - ], - "rsa.db.index": "orisnisi", - "rsa.internal.messageid": "SystemSettings", - "rsa.misc.category": "System", - "rsa.network.alias_host": [ - "iono5161.www5.localhost" - ], - "rsa.time.day": "5", - "rsa.time.month": "Jan", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ], - "user.name": "ita" - }, - { - "event.action": "cancel,AccessControlRuleName:uia,AccessControlRuleReason:unknown,ApplicationProtocol:ipv6-icmp,Client:nostrume,ConnectType:corpori,DE:unti,DNSResponseType:tena,DstIP:10.199.173.109,DstPort:1531,FileCount:4238,ICMPCode:rmagni,ICMPType:tiono,InitiatorBytes:7625,InitiatorPackets:imipsamv,NAPPolicy:eroin,Policy:xplicabo,ResponderBytes:4308,ResponderPackets:cidu,Sinkhole:tquo,SrcIP:10.20.64.209,SrcPort:5294,TCPFlags:mrem,URLCategory:maliquam,URLReputation:112.060000,UserName:eiusmo,ClientVersion:1.3720,WebApplication:its,OriginalClientIP: prehende,IngressInterface: eth685,EgressInterface: lo919,IngressZone: uiration,EgressZone: secte,Prefilter Policy: ulapari,UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML", - "event.code": "connection_events", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Jan 19 13:25:23 untut3537.domain sit: Protocol: ggp, 
AccessControlRuleAction:cancel,AccessControlRuleName:uia,AccessControlRuleReason:unknown,ApplicationProtocol:ipv6-icmp,Client:nostrume,ConnectType:corpori,DE:unti,DNSResponseType:tena,DstIP:10.199.173.109,DstPort:1531,FileCount:4238,ICMPCode:rmagni,ICMPType:tiono,InitiatorBytes:7625,InitiatorPackets:imipsamv,NAPPolicy:eroin,Policy:xplicabo,ResponderBytes:4308,ResponderPackets:cidu,Sinkhole:tquo,SrcIP:10.20.64.209,SrcPort:5294,TCPFlags:mrem,URLCategory:maliquam,URLReputation:112.060000,UserName:eiusmo,ClientVersion:1.3720,WebApplication:its,OriginalClientIP: prehende,IngressInterface: eth685,EgressInterface: lo919,IngressZone: uiration,EgressZone: secte,Prefilter Policy: ulapari,UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36,ReferencedHost: vol,URL: https://api.example.com/non/quaturQu.gif?etura=taedi#edi,HTTPResponse: quiacon,HTTPReferer: udexerc,IPReputationSICategory: volu,DNS_TTL: tassit,DNSRecordType: metconse,DNSQuery: remeum,GID: equaturQ,SID: 38469,Revision: mollita,Message: eserun,Classification: sBono,User: icab,Priority: iquaUten, ACPolicy: oluptasn", - "fileset.name": "log", - "host.name": "untut3537.domain", - "input.type": "log", - "log.offset": 22968, - "network.protocol": "ggp", - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "untut3537.domain" - ], - "rsa.counters.dclass_c1_str": "Number of Files", - "rsa.internal.messageid": "connection_events", - "rsa.misc.action": [ - 
"cancel,AccessControlRuleName:uia,AccessControlRuleReason:unknown,ApplicationProtocol:ipv6-icmp,Client:nostrume,ConnectType:corpori,DE:unti,DNSResponseType:tena,DstIP:10.199.173.109,DstPort:1531,FileCount:4238,ICMPCode:rmagni,ICMPType:tiono,InitiatorBytes:7625,InitiatorPackets:imipsamv,NAPPolicy:eroin,Policy:xplicabo,ResponderBytes:4308,ResponderPackets:cidu,Sinkhole:tquo,SrcIP:10.20.64.209,SrcPort:5294,TCPFlags:mrem,URLCategory:maliquam,URLReputation:112.060000,UserName:eiusmo,ClientVersion:1.3720,WebApplication:its,OriginalClientIP: prehende,IngressInterface: eth685,EgressInterface: lo919,IngressZone: uiration,EgressZone: secte,Prefilter Policy: ulapari,UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML" - ], - "rsa.network.alias_host": [ - "untut3537.domain" - ], - "rsa.time.day": "19", - "rsa.time.month": "Jan", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "destination.bytes": 1881, - "destination.ip": "10.135.250.25", - "destination.port": 1306, - "event.action": "block", - "event.code": "NGIPS_events", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "2019-2-2T20:27:57Z atio5250.api.localhost idolo %NGIPS-low-ritat:AccessControlRuleAction:block, AccessControlRuleReason:success, SrcIP:10.107.144.80, DstIP:10.135.250.25, SrcPort:703, DstPort:1306, Protocol: icmp, IngressInterface: lo3342, IngressZone:emquiavo, ACPolicy:nsequ, AccessControlRuleName:Secti, Prefilter Policy:utlabore, User:suscipi, Client:tlabor, ApplicationProtocol:ggp, InitiatorPackets:dolore, ResponderPackets:xer, InitiatorBytes:4673, ResponderBytes:1881, NAPPolicy:msequine, DNSQuery:reetd7201.invalid, DNSRecordType: a host address, DNS_TTL: ugiatquo, DNSSICategory:ende", - "fileset.name": "log", - "host.name": "reetd7201.invalid", - "input.type": "log", - "log.level": "low", - "log.offset": 24183, - "network.application": "tlabor", - "network.protocol": "ggp", - "observer.egress.interface.name": 
"lo3342", - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "reetd7201.invalid" - ], - "related.ip": [ - "10.107.144.80", - "10.135.250.25" - ], - "rsa.internal.messageid": "NGIPS_events", - "rsa.internal.msg_id": "ritat", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "ende", - "rsa.misc.policy_name": "msequine", - "rsa.misc.result": "success", - "rsa.misc.rule_name": "Secti", - "rsa.misc.severity": "low", - "rsa.network.alias_host": [ - "reetd7201.invalid" - ], - "rsa.network.dinterface": "lo3342", - "rsa.network.zone_dst": "emquiavo", - "rsa.time.day": "2", - "rule.name": "Secti", - "service.type": "snort", - "source.bytes": 4673, - "source.ip": "10.107.144.80", - "source.port": 703, - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.action": "olupta", - "event.code": "HMNOTIFY", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Feb 17 03:30:32 tnula4380.mail.test edolo: HMNOTIFY: olupta (Sensor volu): Severity:low: failure", - "fileset.name": "log", - "host.name": "tnula4380.mail.test", - "input.type": "log", - "log.level": "low", - "log.offset": 24777, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "tnula4380.mail.test" - ], - "rsa.internal.messageid": "HMNOTIFY", - "rsa.misc.event_type": "olupta", - "rsa.misc.result": "failure", - "rsa.misc.sensor": "volu", - "rsa.misc.severity": "low", - "rsa.time.day": "17", - "rsa.time.month": "Feb", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.code": "SystemSettings", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Mar 3 10:33:06 ugiat: [quiin] apar2567.www.localhost: iscing@ser, Policies > nama", - "file.name": "ugiat", - "fileset.name": "log", - "host.name": "apar2567.www.localhost", - "input.type": "log", - "log.offset": 24874, - "observer.product": "IDS", - 
"observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "apar2567.www.localhost" - ], - "related.user": [ - "iscing" - ], - "rsa.db.index": "nama", - "rsa.internal.messageid": "SystemSettings", - "rsa.misc.category": "Policies", - "rsa.network.alias_host": [ - "apar2567.www.localhost" - ], - "rsa.time.day": "3", - "rsa.time.month": "Mar", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ], - "user.name": "iscing" - }, - { - "destination.ip": "10.5.88.183", - "destination.port": 7518, - "event.code": "FTD_events", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Mar 17 2019 17:35:40 onsecte5119.www.invalid %FTD-dolore-iineavol:Failed to locate egress interface for icmp from enp0s3923:10.198.207.31/579 to 10.5.88.183/7518", - "fileset.name": "log", - "host.name": "onsecte5119.www.invalid", - "input.type": "log", - "log.offset": 24956, - "network.protocol": "icmp", - "observer.ingress.interface.name": "enp0s3923", - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "onsecte5119.www.invalid" - ], - "related.ip": [ - "10.198.207.31", - "10.5.88.183" - ], - "rsa.internal.event_desc": "Failed to locate egress interface", - "rsa.internal.messageid": "FTD_events", - "rsa.internal.msg_id": "iineavol", - "rsa.network.alias_host": [ - "onsecte5119.www.invalid" - ], - "rsa.network.sinterface": "enp0s3923", - "rsa.time.day": "17", - "rsa.time.month": "Mar", - "service.type": "snort", - "source.ip": "10.198.207.31", - "source.port": 579, - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.code": "SystemSettings", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Apr 1 00:38:14 uis: [oluptat] iutali3143.host: ect@fdeFi, Analysis & Reporting , eritat", - "file.name": "uis", - "fileset.name": "log", - "host.name": "iutali3143.host", - "input.type": "log", - "log.offset": 25118, - "observer.product": "IDS", - 
"observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "iutali3143.host" - ], - "related.user": [ - "ect" - ], - "rsa.db.index": "eritat", - "rsa.internal.messageid": "SystemSettings", - "rsa.misc.category": "Analysis & Reporting", - "rsa.network.alias_host": [ - "iutali3143.host" - ], - "rsa.time.day": "1", - "rsa.time.month": "Apr", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ], - "user.name": "ect" - }, - { - "event.code": "SystemSettings", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Apr 15 07:40:49 prehende: [spern] orro7466.www5.lan: issu@accusant, rrorsitv", - "file.name": "prehende", - "fileset.name": "log", - "host.name": "orro7466.www5.lan", - "input.type": "log", - "log.offset": 25206, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "orro7466.www5.lan" - ], - "related.user": [ - "issu" - ], - "rsa.db.index": "rrorsitv", - "rsa.internal.messageid": "SystemSettings", - "rsa.network.alias_host": [ - "orro7466.www5.lan" - ], - "rsa.time.day": "15", - "rsa.time.month": "Apr", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ], - "user.name": "issu" - }, - { - "event.code": "SystemSettings", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Apr 29 14:43:23 quii: [dantiu] epre7710.www.domain: aria@ugi, Heartbeat, econ", - "file.name": "quii", - "fileset.name": "log", - "host.name": "epre7710.www.domain", - "input.type": "log", - "log.offset": 25283, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "epre7710.www.domain" - ], - "related.user": [ - "aria" - ], - "rsa.db.index": "econ", - "rsa.internal.messageid": "SystemSettings", - "rsa.misc.category": "Heartbeat", - "rsa.network.alias_host": [ - "epre7710.www.domain" - ], - "rsa.time.day": "29", - "rsa.time.month": "Apr", - "service.type": "snort", - "tags": [ - 
"forwarded", - "snort.log" - ], - "user.name": "aria" - }, - { - "event.code": "SystemSettings", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "May 13 21:45:57 tio: [tlabori] nsequatu2799.www5.invalid: mape@aboree, Task Queue, eumiurer", - "file.name": "tio", - "fileset.name": "log", - "host.name": "nsequatu2799.www5.invalid", - "input.type": "log", - "log.offset": 25361, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "nsequatu2799.www5.invalid" - ], - "related.user": [ - "mape" - ], - "rsa.db.index": "eumiurer", - "rsa.internal.messageid": "SystemSettings", - "rsa.misc.category": "Task Queue", - "rsa.network.alias_host": [ - "nsequatu2799.www5.invalid" - ], - "rsa.time.day": "13", - "rsa.time.month": "May", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ], - "user.name": "mape" - }, - { - "event.action": "block,AccessControlRuleName:uaUten,AccessControlRuleReason:failure,ApplicationProtocol:icmp,Client:aec,ConnectType:issus,DE:ica,DNSResponseType:scingeli,DstIP:10.10.40.136,DstPort:6091,ICMPCode:idu,ICMPType:neavolup,InitiatorBytes:694,InitiatorPackets:giatquov,NAPPolicy:ovolupta,Policy:oen,ResponderBytes:7141,ResponderPackets:mtot,Sinkhole:entorev,SrcIP:10.34.89.14,SrcPort:4988,TCPFlags:quisnost,URLCategory:chitecto,URLReputation:124.035000,UserName:quelauda,ClientVersion:1.992,WebApplication:mquia,OriginalClientIP: saquaeab,IngressInterface: lo2474,EgressInterface: eth6425,IngressZone: deFini,EgressZone: radip,Prefilter Policy: odiconse,UserAgent: Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML", - "event.code": "NGIPS_events", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "2019-5-28T04:48:31Z scingel1634.api.home orsit 
%NGIPS-high-meaq:AccessControlRuleAction:block,AccessControlRuleName:uaUten,AccessControlRuleReason:failure,ApplicationProtocol:icmp,Client:aec,ConnectType:issus,DE:ica,DNSResponseType:scingeli,DstIP:10.10.40.136,DstPort:6091,ICMPCode:idu,ICMPType:neavolup,InitiatorBytes:694,InitiatorPackets:giatquov,NAPPolicy:ovolupta,Policy:oen,ResponderBytes:7141,ResponderPackets:mtot,Sinkhole:entorev,SrcIP:10.34.89.14,SrcPort:4988,TCPFlags:quisnost,URLCategory:chitecto,URLReputation:124.035000,UserName:quelauda,ClientVersion:1.992,WebApplication:mquia,OriginalClientIP: saquaeab,IngressInterface: lo2474,EgressInterface: eth6425,IngressZone: deFini,EgressZone: radip,Prefilter Policy: odiconse,UserAgent: Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36,ReferencedHost: untu,URL: https://mail.example.net/quunturm/upta.gif?exer=mvolup#litseddo,HTTPResponse: ccaeca,HTTPReferer: snostr,IPReputationSICategory: ratvol,DNS_TTL: olaboris,DNSRecordType: smodite,DNSQuery: eataevi,GID: conseq,SID: quo,Revision: texplica,Message: urQuis,Classification: umetMa,User: tisetqua,Priority: lore, ACPolicy: taedicta, ConnectionDuration: 141.678000,Protocol: udp,VLAN_ID: 2110,IPSCount: 7554,InlineResult: cancel, DNSSICategory: tmollita, URLSICategory: turQuis", - "fileset.name": "log", - "host.name": "scingel1634.api.home", - "input.type": "log", - "log.level": "high", - "log.offset": 25453, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "scingel1634.api.home" - ], - "rsa.counters.dclass_c1_str": " The number of intrusion events", - "rsa.internal.messageid": "NGIPS_events", - "rsa.internal.msg_id": "meaq", - "rsa.misc.action": [ - 
"block,AccessControlRuleName:uaUten,AccessControlRuleReason:failure,ApplicationProtocol:icmp,Client:aec,ConnectType:issus,DE:ica,DNSResponseType:scingeli,DstIP:10.10.40.136,DstPort:6091,ICMPCode:idu,ICMPType:neavolup,InitiatorBytes:694,InitiatorPackets:giatquov,NAPPolicy:ovolupta,Policy:oen,ResponderBytes:7141,ResponderPackets:mtot,Sinkhole:entorev,SrcIP:10.34.89.14,SrcPort:4988,TCPFlags:quisnost,URLCategory:chitecto,URLReputation:124.035000,UserName:quelauda,ClientVersion:1.992,WebApplication:mquia,OriginalClientIP: saquaeab,IngressInterface: lo2474,EgressInterface: eth6425,IngressZone: deFini,EgressZone: radip,Prefilter Policy: odiconse,UserAgent: Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML" - ], - "rsa.misc.category": "turQuis", - "rsa.misc.severity": "high", - "rsa.network.alias_host": [ - "scingel1634.api.home" - ], - "rsa.time.day": "28", - "rsa.time.duration_time": 141.678, - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.action": "deny,AccessControlRuleName:mea,AccessControlRuleReason:success,ApplicationProtocol:rdp,Client:illoinv,ConnectType:euf,DE:turveli,DNSResponseType:onofdeFi,DstIP:10.197.182.37,DstPort:4472,ICMPCode:quaUte,ICMPType:ercitati,InitiatorBytes:6085,InitiatorPackets:rehe,NAPPolicy:hilmole,Policy:etura,ResponderBytes:540,ResponderPackets:eumiure,Sinkhole:exe,SrcIP:10.182.121.165,SrcPort:4822,TCPFlags:tate,URLCategory:tev,URLReputation:46.627000,UserName:uira,ClientVersion:1.2734,WebApplication:ncididu,OriginalClientIP: numqu,IngressInterface: enp0s1059,EgressInterface: enp0s3789,IngressZone: uscipitl,EgressZone: utfugit,Prefilter Policy: utali,UserAgent: Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML", - "event.code": "NGIPS_events", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "2019-6-11T11:51:06Z inBCSe364.www.corp ntore 
%NGIPS-very-high-tsedquia:AccessControlRuleAction:deny,AccessControlRuleName:mea,AccessControlRuleReason:success,ApplicationProtocol:rdp,Client:illoinv,ConnectType:euf,DE:turveli,DNSResponseType:onofdeFi,DstIP:10.197.182.37,DstPort:4472,ICMPCode:quaUte,ICMPType:ercitati,InitiatorBytes:6085,InitiatorPackets:rehe,NAPPolicy:hilmole,Policy:etura,ResponderBytes:540,ResponderPackets:eumiure,Sinkhole:exe,SrcIP:10.182.121.165,SrcPort:4822,TCPFlags:tate,URLCategory:tev,URLReputation:46.627000,UserName:uira,ClientVersion:1.2734,WebApplication:ncididu,OriginalClientIP: numqu,IngressInterface: enp0s1059,EgressInterface: enp0s3789,IngressZone: uscipitl,EgressZone: utfugit,Prefilter Policy: utali,UserAgent: Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;],ReferencedHost: peria,URL: https://api.example.com/uscip/uptatem.txt?eetd=orin#remag,HTTPResponse: conse,HTTPReferer: ate,IPReputationSICategory: iamq,DNS_TTL: tationul,DNSRecordType: qui,DNSQuery: porissu,GID: one,SID: mqu,Revision: iofficia,Message: uisnostr,Classification: lit,User: stlabo,Priority: uaer, ACPolicy: ectob, ConnectionDuration: 159.885000,Protocol: rdp,VLAN_ID: 350,IPSCount: 7423,InlineResult: allow, DNSSICategory: orema, URLSICategory: enderit", - "fileset.name": "log", - "host.name": "inBCSe364.www.corp", - "input.type": "log", - "log.level": "very", - "log.offset": 26810, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "inBCSe364.www.corp" - ], - "rsa.counters.dclass_c1_str": " The number of intrusion events", - "rsa.internal.messageid": "NGIPS_events", - "rsa.internal.msg_id": "high-tsedquia", - "rsa.misc.action": [ - 
"deny,AccessControlRuleName:mea,AccessControlRuleReason:success,ApplicationProtocol:rdp,Client:illoinv,ConnectType:euf,DE:turveli,DNSResponseType:onofdeFi,DstIP:10.197.182.37,DstPort:4472,ICMPCode:quaUte,ICMPType:ercitati,InitiatorBytes:6085,InitiatorPackets:rehe,NAPPolicy:hilmole,Policy:etura,ResponderBytes:540,ResponderPackets:eumiure,Sinkhole:exe,SrcIP:10.182.121.165,SrcPort:4822,TCPFlags:tate,URLCategory:tev,URLReputation:46.627000,UserName:uira,ClientVersion:1.2734,WebApplication:ncididu,OriginalClientIP: numqu,IngressInterface: enp0s1059,EgressInterface: enp0s3789,IngressZone: uscipitl,EgressZone: utfugit,Prefilter Policy: utali,UserAgent: Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML" - ], - "rsa.misc.category": "enderit", - "rsa.misc.severity": "very", - "rsa.network.alias_host": [ - "inBCSe364.www.corp" - ], - "rsa.time.day": "11", - "rsa.time.duration_time": 159.885, - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "destination.bytes": 4560, - "destination.ip": "10.186.68.87", - "destination.port": 2129, - "event.action": "allow", - "event.code": "NGIPS_events", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "2019-6-25T18:53:40Z uaeratv2083.internal.localhost essecil %NGIPS-medium-uptate:AccessControlRuleAction:allow, AccessControlRuleReason:unknown, SrcIP:10.154.87.98, DstIP:10.186.68.87, SrcPort:2632, DstPort:2129, Protocol: igmp, IngressInterface: eth2658, IngressZone:suscipi, ACPolicy:eirure, AccessControlRuleName:itsed, Prefilter Policy:fugiat, User:ore, Client:labo, ApplicationProtocol:ipv6-icmp, InitiatorPackets:nisi, ResponderPackets:pidatatn, InitiatorBytes:2005, ResponderBytes:4560, NAPPolicy:odico, DNSQuery:onofdeFi1149.www5.domain, DNSRecordType: a host address, DNSSICategory:ioffici", - "fileset.name": "log", - "host.name": "onofdeFi1149.www5.domain", - "input.type": "log", - "log.level": "medium", - "log.offset": 28227, - 
"network.application": "labo", - "network.protocol": "ipv6-icmp", - "observer.egress.interface.name": "eth2658", - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "onofdeFi1149.www5.domain" - ], - "related.ip": [ - "10.154.87.98", - "10.186.68.87" - ], - "rsa.internal.messageid": "NGIPS_events", - "rsa.internal.msg_id": "uptate", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "ioffici", - "rsa.misc.policy_name": "odico", - "rsa.misc.result": "unknown", - "rsa.misc.rule_name": "itsed", - "rsa.misc.severity": "medium", - "rsa.network.alias_host": [ - "onofdeFi1149.www5.domain" - ], - "rsa.network.dinterface": "eth2658", - "rsa.network.zone_dst": "suscipi", - "rsa.time.day": "25", - "rule.name": "itsed", - "service.type": "snort", - "source.bytes": 2005, - "source.ip": "10.154.87.98", - "source.port": 2632, - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "destination.bytes": 584, - "destination.ip": "10.67.211.63", - "destination.port": 7478, - "event.action": "allow", - "event.code": "NGIPS_events", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "2019-7-10T01:56:14Z nvo2629.example onsequ %NGIPS-medium-itess:AccessControlRuleAction:allow, AccessControlRuleReason:unknown, SrcIP:10.35.59.140, DstIP:10.67.211.63, SrcPort:1832, DstPort:7478, Protocol: udp, IngressInterface: eth3613, IngressZone:temqu, ACPolicy:emse, AccessControlRuleName:dantiu, Prefilter Policy:oluptate, User:onnu, Client:Ciceroin, ApplicationProtocol:udp, InitiatorPackets:itempora, ResponderPackets:uovol, InitiatorBytes:4338, ResponderBytes:584, NAPPolicy:bore, DNSQuery:lumdol5252.internal.test, DNSRecordType: a host address, DNS_TTL: seosq, DNSSICategory:orain", - "fileset.name": "log", - "host.name": "lumdol5252.internal.test", - "input.type": "log", - "log.level": "medium", - "log.offset": 28825, - "network.application": "Ciceroin", - "network.protocol": "udp", - 
"observer.egress.interface.name": "eth3613", - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "lumdol5252.internal.test" - ], - "related.ip": [ - "10.35.59.140", - "10.67.211.63" - ], - "rsa.internal.messageid": "NGIPS_events", - "rsa.internal.msg_id": "itess", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "orain", - "rsa.misc.policy_name": "bore", - "rsa.misc.result": "unknown", - "rsa.misc.rule_name": "dantiu", - "rsa.misc.severity": "medium", - "rsa.network.alias_host": [ - "lumdol5252.internal.test" - ], - "rsa.network.dinterface": "eth3613", - "rsa.network.zone_dst": "temqu", - "rsa.time.day": "10", - "rule.name": "dantiu", - "service.type": "snort", - "source.bytes": 4338, - "source.ip": "10.35.59.140", - "source.port": 1832, - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.action": "eeufugia", - "event.code": "HMNOTIFY", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Jul 24 08:58:48 quianonn2762.api.localhost : HMNOTIFY: eeufugia (Sensor mquis): Severity:very-high: unknown", - "fileset.name": "log", - "host.name": "quianonn2762.api.localhost", - "input.type": "log", - "log.level": "very-high", - "log.offset": 29416, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "quianonn2762.api.localhost" - ], - "rsa.internal.messageid": "HMNOTIFY", - "rsa.misc.event_type": "eeufugia", - "rsa.misc.result": "unknown", - "rsa.misc.sensor": "mquis", - "rsa.misc.severity": "very-high", - "rsa.time.day": "24", - "rsa.time.month": "Jul", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.code": "SystemSettings", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Aug 7 16:01:23 ver: [quaturv] atn2219.api.invalid: radip@ipsum, Heartbeat, itesse", - "file.name": "ver", - "fileset.name": "log", - "host.name": "atn2219.api.invalid", - 
"input.type": "log", - "log.offset": 29524, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "atn2219.api.invalid" - ], - "related.user": [ - "radip" - ], - "rsa.db.index": "itesse", - "rsa.internal.messageid": "SystemSettings", - "rsa.misc.category": "Heartbeat", - "rsa.network.alias_host": [ - "atn2219.api.invalid" - ], - "rsa.time.day": "7", - "rsa.time.month": "Aug", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ], - "user.name": "radip" - }, - { - "event.action": "atcup", - "event.code": "HMNOTIFY", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Aug 21 23:03:57 equu1159.internal.localhost psumdol: HMNOTIFY: atcup (Sensor urautodi): Severity:medium: failure", - "fileset.name": "log", - "host.name": "equu1159.internal.localhost", - "input.type": "log", - "log.level": "medium", - "log.offset": 29606, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "equu1159.internal.localhost" - ], - "rsa.internal.messageid": "HMNOTIFY", - "rsa.misc.event_type": "atcup", - "rsa.misc.result": "failure", - "rsa.misc.sensor": "urautodi", - "rsa.misc.severity": "medium", - "rsa.time.day": "21", - "rsa.time.month": "Aug", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.code": "SystemSettings", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Sep 5 06:06:31 dexer: [tionofde] urQuisau2442.mail.invalid: uptate@itesse, Login, Login Success", - "event.outcome": "success", - "file.name": "dexer", - "fileset.name": "log", - "host.name": "urQuisau2442.mail.invalid", - "input.type": "log", - "log.offset": 29719, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "urQuisau2442.mail.invalid" - ], - "related.user": [ - "uptate" - ], - "rsa.internal.messageid": "SystemSettings", - 
"rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.network.alias_host": [ - "urQuisau2442.mail.invalid" - ], - "rsa.time.day": "5", - "rsa.time.month": "Sep", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ], - "user.name": "uptate" - }, - { - "destination.ip": "10.179.27.185", - "event.code": "MALWARE", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Sep 19 13:09:05 cididu3187.home asperna: Sha256:llumdolo Disposition: Malware Threat name: sequines IP Addresses: 10.14.46.141->10.179.27.185", - "fileset.name": "log", - "host.name": "cididu3187.home", - "input.type": "log", - "log.offset": 29815, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "cididu3187.home" - ], - "related.ip": [ - "10.14.46.141", - "10.179.27.185" - ], - "rsa.internal.messageid": "MALWARE", - "rsa.misc.checksum": "llumdolo", - "rsa.misc.disposition": "Malware", - "rsa.network.alias_host": [ - "cididu3187.home" - ], - "rsa.threat.threat_category": "sequines", - "rsa.time.day": "19", - "rsa.time.month": "Sep", - "service.type": "snort", - "source.ip": "10.14.46.141", - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "event.code": "SystemSettings", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Oct 3 20:11:40 lorem: aliqua4025.www.localdomain: deFinibu@pitlab, Logout, Logout Success", - "event.outcome": "success", - "file.name": "lorem", - "fileset.name": "log", - "host.name": "aliqua4025.www.localdomain", - "input.type": "log", - "log.offset": 29957, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "aliqua4025.www.localdomain" - ], - "related.user": [ - "deFinibu" - ], - "rsa.internal.messageid": "SystemSettings", - "rsa.investigations.ec_activity": 
"Logoff", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.network.alias_host": [ - "aliqua4025.www.localdomain" - ], - "rsa.time.day": "3", - "rsa.time.month": "Oct", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ], - "user.name": "deFinibu" - }, - { - "event.code": "SystemSettings", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Oct 18 03:14:14 ntutlab: aecatcup citati1297.api.domain: emp@uptate, Policies > olupta", - "file.name": "ntutlab", - "fileset.name": "log", - "host.name": "citati1297.api.domain", - "input.type": "log", - "log.offset": 30047, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "citati1297.api.domain" - ], - "related.user": [ - "emp" - ], - "rsa.db.index": "olupta", - "rsa.internal.messageid": "SystemSettings", - "rsa.misc.category": "Policies", - "rsa.network.alias_host": [ - "citati1297.api.domain" - ], - "rsa.time.day": "18", - "rsa.time.month": "Oct", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ], - "user.name": "emp" - }, - { - "event.action": "eursi", - "event.code": "HMNOTIFY", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Nov 1 10:16:48 nreprehe2138.www5.domain : HMNOTIFY: eursi (Sensor aute): Severity:medium: success", - "fileset.name": "log", - "host.name": "nreprehe2138.www5.domain", - "input.type": "log", - "log.level": "medium", - "log.offset": 30134, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "nreprehe2138.www5.domain" - ], - "rsa.internal.messageid": "HMNOTIFY", - "rsa.misc.event_type": "eursi", - "rsa.misc.result": "success", - "rsa.misc.sensor": "aute", - "rsa.misc.severity": "medium", - "rsa.time.day": "1", - "rsa.time.month": "Nov", - "service.type": "snort", - "tags": [ - "forwarded", - 
"snort.log" - ] - }, - { - "event.code": "SystemSettings", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Nov 15 17:19:22 pari: [ent] idolore6589.api.localdomain: ctobea@audanti, Logout, Logout Success", - "event.outcome": "success", - "file.name": "pari", - "fileset.name": "log", - "host.name": "idolore6589.api.localdomain", - "input.type": "log", - "log.offset": 30232, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "idolore6589.api.localdomain" - ], - "related.user": [ - "ctobea" - ], - "rsa.internal.messageid": "SystemSettings", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.network.alias_host": [ - "idolore6589.api.localdomain" - ], - "rsa.time.day": "15", - "rsa.time.month": "Nov", - "service.type": "snort", - "tags": [ - "forwarded", - "snort.log" - ], - "user.name": "ctobea" - }, - { - "destination.ip": "10.118.103.185", - "destination.nat.ip": "10.240.77.10", - "destination.nat.port": 2226, - "destination.port": 1333, - "event.code": "FTD_events", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Nov 30 2019 00:21:57 erunt3957.internal.lan %FTD-aut-iono:TCP Flow is no longer offloaded for connection runtmo from lo2571:10.118.103.185/1333 (10.240.77.10/2226) to lo5895:10.125.130.61/6154 (10.32.195.34/135)", - "fileset.name": "log", - "host.name": "erunt3957.internal.lan", - "input.type": "log", - "log.offset": 30328, - "observer.egress.interface.name": "lo2571", - "observer.ingress.interface.name": "lo5895", - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "erunt3957.internal.lan" - ], - "related.ip": [ - "10.118.103.185", - "10.125.130.61", - "10.240.77.10", - "10.32.195.34" - ], - "rsa.internal.event_desc": "TCP Flow is no longer 
offloaded for connection", - "rsa.internal.messageid": "FTD_events", - "rsa.internal.msg_id": "iono", - "rsa.misc.connection_id": "runtmo", - "rsa.network.alias_host": [ - "erunt3957.internal.lan" - ], - "rsa.network.dinterface": "lo2571", - "rsa.network.sinterface": "lo5895", - "rsa.time.day": "30", - "rsa.time.month": "Nov", - "service.type": "snort", - "source.ip": "10.125.130.61", - "source.nat.ip": "10.32.195.34", - "source.nat.port": 135, - "source.port": 6154, - "tags": [ - "forwarded", - "snort.log" - ] - }, - { - "destination.ip": "10.111.130.177", - "event.code": "MALWARE", - "event.dataset": "snort.log", - "event.module": "snort", - "event.original": "Dec 14 07:24:31 ntNe7144.api.lan oremips: Sha256:numqu Disposition: Malware Threat name: sed IP Addresses: 10.111.130.177<<-10.188.88.133", - "fileset.name": "log", - "host.name": "ntNe7144.api.lan", - "input.type": "log", - "log.offset": 30540, - "observer.product": "IDS", - "observer.type": "IDS", - "observer.vendor": "Snort", - "related.hosts": [ - "ntNe7144.api.lan" - ], - "related.ip": [ - "10.111.130.177", - "10.188.88.133" - ], - "rsa.internal.messageid": "MALWARE", - "rsa.misc.checksum": "numqu", - "rsa.misc.disposition": "Malware", - "rsa.network.alias_host": [ - "ntNe7144.api.lan" - ], - "rsa.threat.threat_category": "sed", - "rsa.time.day": "14", - "rsa.time.month": "Dec", - "service.type": "snort", - "source.ip": "10.188.88.133", - "tags": [ - "forwarded", - "snort.log" - ] - } -] \ No newline at end of file diff --git a/x-pack/filebeat/modules.d/snort.yml.disabled b/x-pack/filebeat/modules.d/snort.yml.disabled deleted file mode 100644 index d8befbb7d7c..00000000000 --- a/x-pack/filebeat/modules.d/snort.yml.disabled +++ /dev/null 
@@ -1,22 +0,0 @@
-# Module: snort
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/main/filebeat-module-snort.html
-
-- module: snort
- log:
- enabled: false
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9532
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
From b71e6ca300bb4c2ab49fc63c8581b00147d8b39c Mon Sep 17 00:00:00 2001
From: Panos Koutsovasilis Date: Thu, 15 Feb 2024 14:04:37 +0200 Subject: [PATCH 16/22] feat: remove deprecated sonicwall --- filebeat/docs/fields.asciidoc | 5435 ------------- filebeat/docs/modules_list.asciidoc | 2 - x-pack/filebeat/filebeat.reference.yml | 21 - x-pack/filebeat/include/list.go | 1 - x-pack/filebeat/module/sonicwall/README.md | 7 - .../module/sonicwall/_meta/config.yml | 19 - .../module/sonicwall/_meta/docs.asciidoc | 70 - .../module/sonicwall/_meta/fields.yml | 5 - x-pack/filebeat/module/sonicwall/fields.go | 23 - .../sonicwall/firewall/_meta/fields.yml | 2635 ------ .../sonicwall/firewall/config/input.yml | 87 - .../sonicwall/firewall/config/liblogparser.js | 2514 ------ .../sonicwall/firewall/config/pipeline.js | 7145 ----------------- .../sonicwall/firewall/ingest/pipeline.yml | 64 - .../module/sonicwall/firewall/manifest.yml | 31 - .../sonicwall/firewall/test/general.log | 21 - .../firewall/test/general.log-expected.json | 595 -- .../sonicwall/firewall/test/generated.log | 100 - .../firewall/test/generated.log-expected.json | 2712 ------- .../filebeat/modules.d/sonicwall.yml.disabled | 22 - 20 files changed, 21509 deletions(-) delete mode 100644 x-pack/filebeat/module/sonicwall/README.md delete mode 100644 x-pack/filebeat/module/sonicwall/_meta/config.yml delete mode 100644 x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc delete mode 100644 x-pack/filebeat/module/sonicwall/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/sonicwall/fields.go delete mode 100644 x-pack/filebeat/module/sonicwall/firewall/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/sonicwall/firewall/config/input.yml delete mode 100644 x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js delete mode 100644 x-pack/filebeat/module/sonicwall/firewall/config/pipeline.js delete mode 100644 x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml delete mode 100644 x-pack/filebeat/module/sonicwall/firewall/manifest.yml delete mode 100644 
x-pack/filebeat/module/sonicwall/firewall/test/general.log delete mode 100644 x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json delete mode 100644 x-pack/filebeat/module/sonicwall/firewall/test/generated.log delete mode 100644 x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json delete mode 100644 x-pack/filebeat/modules.d/sonicwall.yml.disabled diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index b8658a9d7a0..8bfac69ac84 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -74,7 +74,6 @@ grouped in the following categories: * <> * <> * <> -* <> * <> * <> * <> 
@@ -55649,5440 +55648,6 @@ type: keyword CWE vulnerability identifiers. -type: keyword - --- - -[[exported-fields-sonicwall]] -== Sonicwall-FW fields - -sonicwall fields. - - - -*`network.interface.name`*:: -+ --- -Name of the network interface where the traffic has been observed. - - -type: keyword - --- - - - -*`rsa.internal.msg`*:: -+ --- -This key is used to capture the raw message that comes into the Log Decoder - -type: keyword - --- - -*`rsa.internal.messageid`*:: -+ --- -type: keyword - --- - -*`rsa.internal.event_desc`*:: -+ --- -type: keyword - --- - -*`rsa.internal.message`*:: -+ --- -This key captures the contents of instant messages - -type: keyword - --- - -*`rsa.internal.time`*:: -+ --- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: date - --- - -*`rsa.internal.level`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.msg_id`*:: -+ --- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.msg_vid`*:: -+ --- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.data`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_server`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_val`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.internal.resource`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_id`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.statement`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.audit_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.entry`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.hcode`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.inode`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.resource_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.dead`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.feed_desc`*:: -+ --- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.feed_name`*:: -+ --- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.cid`*:: -+ --- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_class`*:: -+ --- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_group`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_host`*:: -+ --- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_ip`*:: -+ --- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_ipv6`*:: -+ --- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_type`*:: -+ --- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_type_id`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.did`*:: -+ --- -This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.entropy_req`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.entropy_res`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.event_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.feed_category`*:: -+ --- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.forward_ip`*:: -+ --- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: ip - --- - -*`rsa.internal.forward_ipv6`*:: -+ --- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.header_id`*:: -+ --- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_cid`*:: -+ --- -This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_ctime`*:: -+ --- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: date - --- - -*`rsa.internal.mcb_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcb_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcbc_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.mcbc_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.medium`*:: -+ --- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: long - --- - -*`rsa.internal.node_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.nwe_callback_id`*:: -+ --- -This key denotes that event is endpoint related - -type: keyword - --- - -*`rsa.internal.parse_error`*:: -+ --- -This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.payload_req`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.payload_res`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.process_vid_dst`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - -type: keyword - --- - -*`rsa.internal.process_vid_src`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - -type: keyword - --- - -*`rsa.internal.rid`*:: -+ --- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.session_split`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.site`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.size`*:: -+ --- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.sourcefile`*:: -+ --- -This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.ubc_req`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.ubc_res`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.word`*:: -+ --- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - -type: keyword - --- - - -*`rsa.time.event_time`*:: -+ --- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - -type: date - --- - -*`rsa.time.duration_time`*:: -+ --- -This key is used to capture the normalized duration/lifetime in seconds. 
- -type: double - --- - -*`rsa.time.event_time_str`*:: -+ --- -This key is used to capture the incomplete time mentioned in a session as a string - -type: keyword - --- - -*`rsa.time.starttime`*:: -+ --- -This key is used to capture the Start time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.month`*:: -+ --- -type: keyword - --- - -*`rsa.time.day`*:: -+ --- -type: keyword - --- - -*`rsa.time.endtime`*:: -+ --- -This key is used to capture the End time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.timezone`*:: -+ --- -This key is used to capture the timezone of the Event Time - -type: keyword - --- - -*`rsa.time.duration_str`*:: -+ --- -A text string version of the duration - -type: keyword - --- - -*`rsa.time.date`*:: -+ --- -type: keyword - --- - -*`rsa.time.year`*:: -+ --- -type: keyword - --- - -*`rsa.time.recorded_time`*:: -+ --- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date - --- - -*`rsa.time.datetime`*:: -+ --- -type: keyword - --- - -*`rsa.time.effective_time`*:: -+ --- -This key is the effective time referenced by an individual event in a Standard Timestamp format - -type: date - --- - -*`rsa.time.expire_time`*:: -+ --- -This key is the timestamp that explicitly refers to an expiration. - -type: date - --- - -*`rsa.time.process_time`*:: -+ --- -Deprecated, use duration.time - -type: keyword - --- - -*`rsa.time.hour`*:: -+ --- -type: keyword - --- - -*`rsa.time.min`*:: -+ --- -type: keyword - --- - -*`rsa.time.timestamp`*:: -+ --- -type: keyword - --- - -*`rsa.time.event_queue_time`*:: -+ --- -This key is the Time that the event was queued. 
- -type: date - --- - -*`rsa.time.p_time1`*:: -+ --- -type: keyword - --- - -*`rsa.time.tzone`*:: -+ --- -type: keyword - --- - -*`rsa.time.eventtime`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmtdate`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmttime`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_date`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_month`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time2`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_year`*:: -+ --- -type: keyword - --- - -*`rsa.time.expire_time_str`*:: -+ --- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. - -type: keyword - --- - -*`rsa.time.stamp`*:: -+ --- -Deprecated key defined only in table map. - -type: date - --- - - -*`rsa.misc.action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.result`*:: -+ --- -This key is used to capture the outcome/result string value of an action in a session. - -type: keyword - --- - -*`rsa.misc.severity`*:: -+ --- -This key is used to capture the severity given the session - -type: keyword - --- - -*`rsa.misc.event_type`*:: -+ --- -This key captures the event category type as specified by the event source. - -type: keyword - --- - -*`rsa.misc.reference_id`*:: -+ --- -This key is used to capture an event id from the session directly - -type: keyword - --- - -*`rsa.misc.version`*:: -+ --- -This key captures Version of the application or OS which is generating the event. - -type: keyword - --- - -*`rsa.misc.disposition`*:: -+ --- -This key captures the The end state of an action. 
- -type: keyword - --- - -*`rsa.misc.result_code`*:: -+ --- -This key is used to capture the outcome/result numeric value of an action in a session - -type: keyword - --- - -*`rsa.misc.category`*:: -+ --- -This key is used to capture the category of an event given by the vendor in the session - -type: keyword - --- - -*`rsa.misc.obj_name`*:: -+ --- -This is used to capture name of object - -type: keyword - --- - -*`rsa.misc.obj_type`*:: -+ --- -This is used to capture type of object - -type: keyword - --- - -*`rsa.misc.event_source`*:: -+ --- -This key captures Source of the event that’s not a hostname - -type: keyword - --- - -*`rsa.misc.log_session_id`*:: -+ --- -This key is used to capture a sessionid from the session directly - -type: keyword - --- - -*`rsa.misc.group`*:: -+ --- -This key captures the Group Name value - -type: keyword - --- - -*`rsa.misc.policy_name`*:: -+ --- -This key is used to capture the Policy Name only. - -type: keyword - --- - -*`rsa.misc.rule_name`*:: -+ --- -This key captures the Rule Name - -type: keyword - --- - -*`rsa.misc.context`*:: -+ --- -This key captures Information which adds additional context to the event. - -type: keyword - --- - -*`rsa.misc.change_new`*:: -+ --- -This key is used to capture the new values of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.space`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client`*:: -+ --- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- -type: keyword - --- - -*`rsa.misc.msgIdPart1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.change_old`*:: -+ --- -This key is used to capture the old value of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.operation_id`*:: -+ --- -An alert number or operation number. The values should be unique and non-repeating. - -type: keyword - --- - -*`rsa.misc.event_state`*:: -+ --- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - -type: keyword - --- - -*`rsa.misc.group_object`*:: -+ --- -This key captures a collection/grouping of entities. Specific usage - -type: keyword - --- - -*`rsa.misc.node`*:: -+ --- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - -type: keyword - --- - -*`rsa.misc.rule`*:: -+ --- -This key captures the Rule number - -type: keyword - --- - -*`rsa.misc.device_name`*:: -+ --- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - -type: keyword - --- - -*`rsa.misc.param`*:: -+ --- -This key is the parameters passed as part of a command or application, etc. - -type: keyword - --- - -*`rsa.misc.change_attrib`*:: -+ --- -This key is used to capture the name of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.event_computer`*:: -+ --- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- -type: keyword - --- - -*`rsa.misc.reference_id1`*:: -+ --- -This key is for Linked ID to be used as an addition to "reference.id" - -type: keyword - --- - -*`rsa.misc.event_log`*:: -+ --- -This key captures the Name of the event log - -type: keyword - --- - -*`rsa.misc.OS`*:: -+ --- -This key captures the Name of the Operating System - -type: keyword - --- - -*`rsa.misc.terminal`*:: -+ --- -This key captures the Terminal Names only - -type: keyword - --- - -*`rsa.misc.msgIdPart3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.filter`*:: -+ --- -This key captures Filter used to reduce result set - -type: keyword - --- - -*`rsa.misc.serial_number`*:: -+ --- -This key is the Serial number associated with a physical asset. - -type: keyword - --- - -*`rsa.misc.checksum`*:: -+ --- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - -type: keyword - --- - -*`rsa.misc.event_user`*:: -+ --- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - -type: keyword - --- - -*`rsa.misc.virusname`*:: -+ --- -This key captures the name of the virus - -type: keyword - --- - -*`rsa.misc.content_type`*:: -+ --- -This key is used to capture Content Type only. - -type: keyword - --- - -*`rsa.misc.group_id`*:: -+ --- -This key captures Group ID Number (related to the group name) - -type: keyword - --- - -*`rsa.misc.policy_id`*:: -+ --- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - -type: keyword - --- - -*`rsa.misc.vsys`*:: -+ --- -This key captures Virtual System Name - -type: keyword - --- - -*`rsa.misc.connection_id`*:: -+ --- -This key captures the Connection ID - -type: keyword - --- - -*`rsa.misc.reference_id2`*:: -+ --- -This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - -type: keyword - --- - -*`rsa.misc.sensor`*:: -+ --- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - -type: keyword - --- - -*`rsa.misc.sig_id`*:: -+ --- -This key captures IDS/IPS Int Signature ID - -type: long - --- - -*`rsa.misc.port_name`*:: -+ --- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - -type: keyword - --- - -*`rsa.misc.rule_group`*:: -+ --- -This key captures the Rule group name - -type: keyword - --- - -*`rsa.misc.risk_num`*:: -+ --- -This key captures a Numeric Risk value - -type: double - --- - -*`rsa.misc.trigger_val`*:: -+ --- -This key captures the Value of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.log_session_id1`*:: -+ --- -This key is used to capture a Linked (Related) Session ID from the session directly - -type: keyword - --- - -*`rsa.misc.comp_version`*:: -+ --- -This key captures the Version level of a sub-component of a product. - -type: keyword - --- - -*`rsa.misc.content_version`*:: -+ --- -This key captures Version level of a signature or database content. - -type: keyword - --- - -*`rsa.misc.hardware_id`*:: -+ --- -This key is used to capture unique identifier for a device or system (NOT a Mac address) - -type: keyword - --- - -*`rsa.misc.risk`*:: -+ --- -This key captures the non-numeric risk value - -type: keyword - --- - -*`rsa.misc.event_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.reason`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mail_id`*:: -+ --- -This key is used to capture the mailbox id/name - -type: keyword - --- - -*`rsa.misc.rule_uid`*:: -+ --- -This key is the Unique Identifier for a rule. 
- -type: keyword - --- - -*`rsa.misc.trigger_desc`*:: -+ --- -This key captures the Description of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.inout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.data_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.error`*:: -+ --- -This key captures All non successful Error codes or responses - -type: keyword - --- - -*`rsa.misc.index`*:: -+ --- -type: keyword - --- - -*`rsa.misc.listnum`*:: -+ --- -This key is used to capture listname or listnumber, primarily for collecting access-list - -type: keyword - --- - -*`rsa.misc.ntype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.observed_val`*:: -+ --- -This key captures the Value observed (from the perspective of the device generating the log). - -type: keyword - --- - -*`rsa.misc.policy_value`*:: -+ --- -This key captures the contents of the policy. This contains details about the policy - -type: keyword - --- - -*`rsa.misc.pool_name`*:: -+ --- -This key captures the name of a resource pool - -type: keyword - --- - -*`rsa.misc.rule_template`*:: -+ --- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - -type: keyword - --- - -*`rsa.misc.count`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigcat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comments`*:: -+ --- -Comment information provided in the log message - -type: keyword - --- - -*`rsa.misc.doc_number`*:: -+ --- -This key captures File Identification number - -type: long - --- - -*`rsa.misc.expected_val`*:: -+ --- -This key captures the Value expected (from the perspective of the device generating the log). 
- -type: keyword - --- - -*`rsa.misc.job_num`*:: -+ --- -This key captures the Job Number - -type: keyword - --- - -*`rsa.misc.spi_dst`*:: -+ --- -Destination SPI Index - -type: keyword - --- - -*`rsa.misc.spi_src`*:: -+ --- -Source SPI Index - -type: keyword - --- - -*`rsa.misc.code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.agent_id`*:: -+ --- -This key is used to capture agent id - -type: keyword - --- - -*`rsa.misc.message_body`*:: -+ --- -This key captures the The contents of the message body. - -type: keyword - --- - -*`rsa.misc.phone`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sig_id_str`*:: -+ --- -This key captures a string object of the sigid variable. - -type: keyword - --- - -*`rsa.misc.cmd`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu`*:: -+ --- -This key is the CPU time used in the execution of the event being recorded. - -type: long - --- - -*`rsa.misc.event_desc`*:: -+ --- -This key is used to capture a description of an event available directly or inferred - -type: keyword - --- - -*`rsa.misc.sig_id1`*:: -+ --- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - -type: long - --- - -*`rsa.misc.im_buddyid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_client`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.priority`*:: -+ --- -type: keyword - --- - -*`rsa.misc.context_subject`*:: -+ --- -This key is to be used in an audit context where the subject is the object being identified - -type: keyword - --- - -*`rsa.misc.context_target`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cve`*:: -+ --- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - -type: keyword - --- - -*`rsa.misc.fcatnum`*:: -+ --- -This key captures Filter Category Number. 
Legacy Usage - -type: keyword - --- - -*`rsa.misc.library`*:: -+ --- -This key is used to capture library information in mainframe devices - -type: keyword - --- - -*`rsa.misc.parent_node`*:: -+ --- -This key captures the Parent Node Name. Must be related to node variable. - -type: keyword - --- - -*`rsa.misc.risk_info`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.tcp_flags`*:: -+ --- -This key is captures the TCP flags set in any packet of session - -type: long - --- - -*`rsa.misc.tos`*:: -+ --- -This key describes the type of service - -type: long - --- - -*`rsa.misc.vm_target`*:: -+ --- -VMWare Target **VMWARE** only varaible. - -type: keyword - --- - -*`rsa.misc.workspace`*:: -+ --- -This key captures Workspace Description - -type: keyword - --- - -*`rsa.misc.command`*:: -+ --- -type: keyword - --- - -*`rsa.misc.event_category`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facilityname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.forensic_info`*:: -+ --- -type: keyword - --- - -*`rsa.misc.jobname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy_waiver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.second`*:: -+ --- -type: keyword - --- - -*`rsa.misc.space1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.subcategory`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alert_id`*:: -+ --- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.checksum_dst`*:: -+ --- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - -type: keyword - --- - -*`rsa.misc.checksum_src`*:: -+ --- -This key is used to capture the checksum or hash of the source entity such as a file or process. 
- -type: keyword - --- - -*`rsa.misc.fresult`*:: -+ --- -This key captures the Filter Result - -type: long - --- - -*`rsa.misc.payload_dst`*:: -+ --- -This key is used to capture destination payload - -type: keyword - --- - -*`rsa.misc.payload_src`*:: -+ --- -This key is used to capture source payload - -type: keyword - --- - -*`rsa.misc.pool_id`*:: -+ --- -This key captures the identifier (typically numeric field) of a resource pool - -type: keyword - --- - -*`rsa.misc.process_id_val`*:: -+ --- -This key is a failure key for Process ID when it is not an integer value - -type: keyword - --- - -*`rsa.misc.risk_num_comm`*:: -+ --- -This key captures Risk Number Community - -type: double - --- - -*`rsa.misc.risk_num_next`*:: -+ --- -This key captures Risk Number NextGen - -type: double - --- - -*`rsa.misc.risk_num_sand`*:: -+ --- -This key captures Risk Number SandBox - -type: double - --- - -*`rsa.misc.risk_num_static`*:: -+ --- -This key captures Risk Number Static - -type: double - --- - -*`rsa.misc.risk_suspicious`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.risk_warning`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.snmp_oid`*:: -+ --- -SNMP Object Identifier - -type: keyword - --- - -*`rsa.misc.sql`*:: -+ --- -This key captures the SQL query - -type: keyword - --- - -*`rsa.misc.vuln_ref`*:: -+ --- -This key captures the Vulnerability Reference details - -type: keyword - --- - -*`rsa.misc.acl_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_op`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_pos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_table`*:: -+ --- -type: keyword - --- - -*`rsa.misc.admin`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarm_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarmname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.app_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.audit`*:: 
-+ --- -type: keyword - --- - -*`rsa.misc.audit_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.auditdata`*:: -+ --- -type: keyword - --- - -*`rsa.misc.benchmark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.bypass`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache_hit`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cefversion`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_attr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_obj`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_path`*:: -+ --- -type: keyword - --- - -*`rsa.misc.changes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client_ip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.clustermembers`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_acttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_asn_src`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_bgpv4nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ctr_dst_code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_f_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampintv`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampmode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inacttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermbyts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermpckts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_invalid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ip_proto_ver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ipv4_ident`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_l_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_did`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_rid`*:: -+ --- -type: keyword - 
--- - -*`rsa.misc.cn_max_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_maxpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_min_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_minpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_10`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_5`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_6`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_7`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_8`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_9`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_byt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_pks`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_muligmptype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampalgo`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampint`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_seqctr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_spackets`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sysuptime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_template_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totbytsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totflowexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totpcktsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_unixnanosecs`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6flowlabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6optheaders`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.comp_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_rbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_sbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.criticality`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_agency_dst`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_analyzedby`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_other`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_primary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_secondary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bgpv6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bit9status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_context`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_control`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_datecret`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_dst_tld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_dst_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_src_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_event_uuid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_filetype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_desc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ip_next_hop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4dstpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4srcpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_lifetime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_log_medium`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_loginname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulescore`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulesign`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_opswatresult`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.cs_payload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrant`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrar`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_represult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_rpayload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sampler_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sourcemodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_streams`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_targetmodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_v6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_whois_server`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_yararesult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.description`*:: -+ --- -type: keyword - --- - -*`rsa.misc.devvendor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.distance`*:: -+ --- -type: keyword - --- - -*`rsa.misc.dstburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomaub`*:: -+ --- -type: keyword - --- - -*`rsa.misc.euid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facility`*:: -+ --- -type: keyword - --- - -*`rsa.misc.finterface`*:: -+ --- -type: keyword - --- - -*`rsa.misc.flags`*:: -+ --- -type: keyword - --- - -*`rsa.misc.gaddr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.id3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_buddyname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomtype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_members`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_username`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipscat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipspri`*:: -+ --- -type: keyword - --- - -*`rsa.misc.latitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.linenum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.list_name`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.load_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_floor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_mark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.longitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.lport`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mbug_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msg_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.netsessid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.nwwn`*:: -+ --- -type: keyword - --- - -*`rsa.misc.object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.operation`*:: -+ --- -type: keyword - --- - -*`rsa.misc.opkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.orig_from`*:: -+ --- -type: keyword - --- - -*`rsa.misc.owner_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_filter`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_group_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_result1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_chg`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_expire`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permgranted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permwanted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pgid`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.policyUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.prog_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.program`*:: -+ --- -type: keyword - --- - -*`rsa.misc.real_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_device`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_library`*:: -+ --- -type: keyword - --- - -*`rsa.misc.recordnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ruid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sdomain_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sec`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sensorname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.seqnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.session`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sessiontype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.spi`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcservice`*:: -+ --- -type: keyword - --- - -*`rsa.misc.state`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.svcno`*:: -+ --- -type: keyword - --- - -*`rsa.misc.system`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.threshold`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.udb_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.url_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.user_div`*:: -+ --- -type: keyword - --- - -*`rsa.misc.userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.username_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.utcstamp`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.v_instafname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.virt_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.vpnid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.autorun_type`*:: -+ --- -This is used to capture Auto Run type - -type: keyword - --- - -*`rsa.misc.cc_number`*:: -+ --- -Valid Credit Card Numbers only - -type: long - --- - -*`rsa.misc.content`*:: -+ --- -This key captures the content type from protocol headers - -type: keyword - --- - -*`rsa.misc.ein_number`*:: -+ --- -Employee Identification Numbers only - -type: long - --- - -*`rsa.misc.found`*:: -+ --- -This is used to capture the results of regex match - -type: keyword - --- - -*`rsa.misc.language`*:: -+ --- -This is used to capture list of languages the client support and what it prefers - -type: keyword - --- - -*`rsa.misc.lifetime`*:: -+ --- -This key is used to capture the session lifetime in seconds. - -type: long - --- - -*`rsa.misc.link`*:: -+ --- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.misc.match`*:: -+ --- -This key is for regex match name from search.ini - -type: keyword - --- - -*`rsa.misc.param_dst`*:: -+ --- -This key captures the command line/launch argument of the target process or file - -type: keyword - --- - -*`rsa.misc.param_src`*:: -+ --- -This key captures source parameter - -type: keyword - --- - -*`rsa.misc.search_text`*:: -+ --- -This key captures the Search Text used - -type: keyword - --- - -*`rsa.misc.sig_name`*:: -+ --- -This key is used to capture the Signature Name only. - -type: keyword - --- - -*`rsa.misc.snmp_value`*:: -+ --- -SNMP set request value - -type: keyword - --- - -*`rsa.misc.streams`*:: -+ --- -This key captures number of streams in session - -type: long - --- - - -*`rsa.db.index`*:: -+ --- -This key captures IndexID of the index. 
- -type: keyword - --- - -*`rsa.db.instance`*:: -+ --- -This key is used to capture the database server instance name - -type: keyword - --- - -*`rsa.db.database`*:: -+ --- -This key is used to capture the name of a database or an instance as seen in a session - -type: keyword - --- - -*`rsa.db.transact_id`*:: -+ --- -This key captures the SQL transantion ID of the current session - -type: keyword - --- - -*`rsa.db.permissions`*:: -+ --- -This key captures permission or privilege level assigned to a resource. - -type: keyword - --- - -*`rsa.db.table_name`*:: -+ --- -This key is used to capture the table name - -type: keyword - --- - -*`rsa.db.db_id`*:: -+ --- -This key is used to capture the unique identifier for a database - -type: keyword - --- - -*`rsa.db.db_pid`*:: -+ --- -This key captures the process id of a connection with database server - -type: long - --- - -*`rsa.db.lread`*:: -+ --- -This key is used for the number of logical reads - -type: long - --- - -*`rsa.db.lwrite`*:: -+ --- -This key is used for the number of logical writes - -type: long - --- - -*`rsa.db.pread`*:: -+ --- -This key is used for the number of physical writes - -type: long - --- - - -*`rsa.network.alias_host`*:: -+ --- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - -type: keyword - --- - -*`rsa.network.domain`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_dst`*:: -+ --- -This key should only be used when it’s a Destination Hostname - -type: keyword - --- - -*`rsa.network.network_service`*:: -+ --- -This is used to capture layer 7 protocols/service names - -type: keyword - --- - -*`rsa.network.interface`*:: -+ --- -This key should be used when the source or destination context of an interface is not clear - -type: keyword - --- - -*`rsa.network.network_port`*:: -+ --- -Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) - -type: long - --- - -*`rsa.network.eth_host`*:: -+ --- -Deprecated, use alias.mac - -type: keyword - --- - -*`rsa.network.sinterface`*:: -+ --- -This key should only be used when it’s a Source Interface - -type: keyword - --- - -*`rsa.network.dinterface`*:: -+ --- -This key should only be used when it’s a Destination Interface - -type: keyword - --- - -*`rsa.network.vlan`*:: -+ --- -This key should only be used to capture the ID of the Virtual LAN - -type: long - --- - -*`rsa.network.zone_src`*:: -+ --- -This key should only be used when it’s a Source Zone. - -type: keyword - --- - -*`rsa.network.zone`*:: -+ --- -This key should be used when the source or destination context of a Zone is not clear - -type: keyword - --- - -*`rsa.network.zone_dst`*:: -+ --- -This key should only be used when it’s a Destination Zone. - -type: keyword - --- - -*`rsa.network.gateway`*:: -+ --- -This key is used to capture the IP Address of the gateway - -type: keyword - --- - -*`rsa.network.icmp_type`*:: -+ --- -This key is used to capture the ICMP type only - -type: long - --- - -*`rsa.network.mask`*:: -+ --- -This key is used to capture the device network IPmask. 
- -type: keyword - --- - -*`rsa.network.icmp_code`*:: -+ --- -This key is used to capture the ICMP code only - -type: long - --- - -*`rsa.network.protocol_detail`*:: -+ --- -This key should be used to capture additional protocol information - -type: keyword - --- - -*`rsa.network.dmask`*:: -+ --- -This key is used for Destionation Device network mask - -type: keyword - --- - -*`rsa.network.port`*:: -+ --- -This key should only be used to capture a Network Port when the directionality is not clear - -type: long - --- - -*`rsa.network.smask`*:: -+ --- -This key is used for capturing source Network Mask - -type: keyword - --- - -*`rsa.network.netname`*:: -+ --- -This key is used to capture the network name associated with an IP range. This is configured by the end user. - -type: keyword - --- - -*`rsa.network.paddr`*:: -+ --- -Deprecated - -type: ip - --- - -*`rsa.network.faddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.lhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.origin`*:: -+ --- -type: keyword - --- - -*`rsa.network.remote_domain_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.addr`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_a_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_ptr_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.fhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.fport`*:: -+ --- -type: keyword - --- - -*`rsa.network.laddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.linterface`*:: -+ --- -type: keyword - --- - -*`rsa.network.phost`*:: -+ --- -type: keyword - --- - -*`rsa.network.ad_computer_dst`*:: -+ --- -Deprecated, use host.dst - -type: keyword - --- - -*`rsa.network.eth_type`*:: -+ --- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: long - --- - -*`rsa.network.ip_proto`*:: -+ --- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - -type: long - --- - -*`rsa.network.dns_cname_record`*:: -+ --- 
-type: keyword - --- - -*`rsa.network.dns_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_opcode`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_resp`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.domain1`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.packet_length`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_orig`*:: -+ --- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - -type: keyword - --- - -*`rsa.network.rpayload`*:: -+ --- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. - -type: keyword - --- - -*`rsa.network.vlan_name`*:: -+ --- -This key should only be used to capture the name of the Virtual LAN - -type: keyword - --- - - -*`rsa.investigations.ec_activity`*:: -+ --- -This key captures the particular event activity(Ex:Logoff) - -type: keyword - --- - -*`rsa.investigations.ec_theme`*:: -+ --- -This key captures the Theme of a particular Event(Ex:Authentication) - -type: keyword - --- - -*`rsa.investigations.ec_subject`*:: -+ --- -This key captures the Subject of a particular Event(Ex:User) - -type: keyword - --- - -*`rsa.investigations.ec_outcome`*:: -+ --- -This key captures the outcome of a particular Event(Ex:Success) - -type: keyword - --- - -*`rsa.investigations.event_cat`*:: -+ --- -This key captures the Event category number - -type: long - --- - -*`rsa.investigations.event_cat_name`*:: -+ --- -This key captures the event category name corresponding to the event cat code - -type: keyword - --- - -*`rsa.investigations.event_vcat`*:: -+ --- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - -type: keyword - --- - -*`rsa.investigations.analysis_file`*:: -+ --- -This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - -type: keyword - --- - -*`rsa.investigations.analysis_service`*:: -+ --- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - -type: keyword - --- - -*`rsa.investigations.analysis_session`*:: -+ --- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - -type: keyword - --- - -*`rsa.investigations.boc`*:: -+ --- -This is used to capture behaviour of compromise - -type: keyword - --- - -*`rsa.investigations.eoc`*:: -+ --- -This is used to capture Enablers of Compromise - -type: keyword - --- - -*`rsa.investigations.inv_category`*:: -+ --- -This used to capture investigation category - -type: keyword - --- - -*`rsa.investigations.inv_context`*:: -+ --- -This used to capture investigation context - -type: keyword - --- - -*`rsa.investigations.ioc`*:: -+ --- -This is key capture indicator of compromise - -type: keyword - --- - - -*`rsa.counters.dclass_c1`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c1.str only - -type: long - --- - -*`rsa.counters.dclass_c2`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c2.str only - -type: long - --- - -*`rsa.counters.event_counter`*:: -+ --- -This is used to capture the number of times an event repeated - -type: long - --- - -*`rsa.counters.dclass_r1`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r1.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c3.str only - -type: long - --- - -*`rsa.counters.dclass_c1_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c1 only - -type: keyword - --- - -*`rsa.counters.dclass_c2_str`*:: -+ --- -This is a generic counter string key that should be 
used with the label dclass.c2 only - -type: keyword - --- - -*`rsa.counters.dclass_r1_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r1 only - -type: keyword - --- - -*`rsa.counters.dclass_r2`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r2.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c3 only - -type: keyword - --- - -*`rsa.counters.dclass_r3`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r3.str only - -type: keyword - --- - -*`rsa.counters.dclass_r2_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r2 only - -type: keyword - --- - -*`rsa.counters.dclass_r3_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r3 only - -type: keyword - --- - - -*`rsa.identity.auth_method`*:: -+ --- -This key is used to capture authentication methods used only - -type: keyword - --- - -*`rsa.identity.user_role`*:: -+ --- -This key is used to capture the Role of a user only - -type: keyword - --- - -*`rsa.identity.dn`*:: -+ --- -X.500 (LDAP) Distinguished Name - -type: keyword - --- - -*`rsa.identity.logon_type`*:: -+ --- -This key is used to capture the type of logon method used. 
- -type: keyword - --- - -*`rsa.identity.profile`*:: -+ --- -This key is used to capture the user profile - -type: keyword - --- - -*`rsa.identity.accesses`*:: -+ --- -This key is used to capture actual privileges used in accessing an object - -type: keyword - --- - -*`rsa.identity.realm`*:: -+ --- -Radius realm or similar grouping of accounts - -type: keyword - --- - -*`rsa.identity.user_sid_dst`*:: -+ --- -This key captures Destination User Session ID - -type: keyword - --- - -*`rsa.identity.dn_src`*:: -+ --- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - -type: keyword - --- - -*`rsa.identity.org`*:: -+ --- -This key captures the User organization - -type: keyword - --- - -*`rsa.identity.dn_dst`*:: -+ --- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - -type: keyword - --- - -*`rsa.identity.firstname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.lastname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.user_dept`*:: -+ --- -User's Department Names only - -type: keyword - --- - -*`rsa.identity.user_sid_src`*:: -+ --- -This key captures Source User Session ID - -type: keyword - --- - -*`rsa.identity.federated_sp`*:: -+ --- -This key is the Federated Service Provider. This is the application requesting authentication. - -type: keyword - --- - -*`rsa.identity.federated_idp`*:: -+ --- -This key is the federated Identity Provider. This is the server providing the authentication. - -type: keyword - --- - -*`rsa.identity.logon_type_desc`*:: -+ --- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- -type: keyword - --- - -*`rsa.identity.middlename`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.password`*:: -+ --- -This key is for Passwords seen in any session, plain text or encrypted - -type: keyword - --- - -*`rsa.identity.host_role`*:: -+ --- -This key should only be used to capture the role of a Host Machine - -type: keyword - --- - -*`rsa.identity.ldap`*:: -+ --- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - -type: keyword - --- - -*`rsa.identity.ldap_query`*:: -+ --- -This key is the Search criteria from an LDAP search - -type: keyword - --- - -*`rsa.identity.ldap_response`*:: -+ --- -This key is to capture Results from an LDAP search - -type: keyword - --- - -*`rsa.identity.owner`*:: -+ --- -This is used to capture username the process or service is running as, the author of the task - -type: keyword - --- - -*`rsa.identity.service_account`*:: -+ --- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - -type: keyword - --- - - -*`rsa.email.email_dst`*:: -+ --- -This key is used to capture the Destination email address only, when the destination context is not clear use email - -type: keyword - --- - -*`rsa.email.email_src`*:: -+ --- -This key is used to capture the source email address only, when the source context is not clear use email - -type: keyword - --- - -*`rsa.email.subject`*:: -+ --- -This key is used to capture the subject string from an Email only. - -type: keyword - --- - -*`rsa.email.email`*:: -+ --- -This key is used to capture a generic email address where the source or destination context is not clear - -type: keyword - --- - -*`rsa.email.trans_from`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.email.trans_to`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - - -*`rsa.file.privilege`*:: -+ --- -Deprecated, use permissions - -type: keyword - --- - -*`rsa.file.attachment`*:: -+ --- -This key captures the attachment file name - -type: keyword - --- - -*`rsa.file.filesystem`*:: -+ --- -type: keyword - --- - -*`rsa.file.binary`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.file.filename_dst`*:: -+ --- -This is used to capture name of the file targeted by the action - -type: keyword - --- - -*`rsa.file.filename_src`*:: -+ --- -This is used to capture name of the parent filename, the file which performed the action - -type: keyword - --- - -*`rsa.file.filename_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.file.directory_dst`*:: -+ --- -This key is used to capture the directory of the target process or file - -type: keyword - --- - -*`rsa.file.directory_src`*:: -+ --- -This key is used to capture the directory of the source process or file - -type: keyword - --- - -*`rsa.file.file_entropy`*:: -+ --- -This is used to capture entropy vale of a file - -type: double - --- - -*`rsa.file.file_vendor`*:: -+ --- -This is used to capture Company name of file located in version_info - -type: keyword - --- - -*`rsa.file.task_name`*:: -+ --- -This is used to capture name of the task - -type: keyword - --- - - -*`rsa.web.fqdn`*:: -+ --- -Fully Qualified Domain Names - -type: keyword - --- - -*`rsa.web.web_cookie`*:: -+ --- -This key is used to capture the Web cookies specifically. - -type: keyword - --- - -*`rsa.web.alias_host`*:: -+ --- -type: keyword - --- - -*`rsa.web.reputation_num`*:: -+ --- -Reputation Number of an entity. 
Typically used for Web Domains - -type: double - --- - -*`rsa.web.web_ref_domain`*:: -+ --- -Web referer's domain - -type: keyword - --- - -*`rsa.web.web_ref_query`*:: -+ --- -This key captures Web referer's query portion of the URL - -type: keyword - --- - -*`rsa.web.remote_domain`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_ref_page`*:: -+ --- -This key captures Web referer's page information - -type: keyword - --- - -*`rsa.web.web_ref_root`*:: -+ --- -Web referer's root URL path - -type: keyword - --- - -*`rsa.web.cn_asn_dst`*:: -+ --- -type: keyword - --- - -*`rsa.web.cn_rpackets`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlpage`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlroot`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_url`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_user_agent`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_cookie`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_method`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_referer`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_extension_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_page`*:: -+ --- -type: keyword - --- - - -*`rsa.threat.threat_category`*:: -+ --- -This key captures Threat Name/Threat Category/Categorization of alert - -type: keyword - --- - -*`rsa.threat.threat_desc`*:: -+ --- -This key is used to capture the threat description from the session directly or inferred - -type: keyword - --- - -*`rsa.threat.alert`*:: -+ --- -This key is used to capture name of the alert - -type: keyword - --- - -*`rsa.threat.threat_source`*:: -+ --- -This key is used to capture source of the threat - -type: keyword - --- - - -*`rsa.crypto.crypto`*:: -+ --- -This key is used to capture the Encryption Type or Encryption Key only - -type: keyword - --- - -*`rsa.crypto.cipher_src`*:: -+ --- -This key is for Source (Client) Cipher - -type: keyword - --- - -*`rsa.crypto.cert_subject`*:: -+ --- -This key is used to capture the Certificate organization only - -type: keyword - --- 
- -*`rsa.crypto.peer`*:: -+ --- -This key is for Encryption peer's IP Address - -type: keyword - --- - -*`rsa.crypto.cipher_size_src`*:: -+ --- -This key captures Source (Client) Cipher Size - -type: long - --- - -*`rsa.crypto.ike`*:: -+ --- -IKE negotiation phase. - -type: keyword - --- - -*`rsa.crypto.scheme`*:: -+ --- -This key captures the Encryption scheme used - -type: keyword - --- - -*`rsa.crypto.peer_id`*:: -+ --- -This key is for Encryption peer’s identity - -type: keyword - --- - -*`rsa.crypto.sig_type`*:: -+ --- -This key captures the Signature Type - -type: keyword - --- - -*`rsa.crypto.cert_issuer`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.crypto.cert_error`*:: -+ --- -This key captures the Certificate Error String - -type: keyword - --- - -*`rsa.crypto.cipher_dst`*:: -+ --- -This key is for Destination (Server) Cipher - -type: keyword - --- - -*`rsa.crypto.cipher_size_dst`*:: -+ --- -This key captures Destination (Server) Cipher Size - -type: long - --- - -*`rsa.crypto.ssl_ver_src`*:: -+ --- -Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.d_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.s_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.ike_cookie1`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase One - -type: keyword - --- - -*`rsa.crypto.ike_cookie2`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase Two - -type: keyword - --- - -*`rsa.crypto.cert_checksum`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_cat`*:: -+ --- -This key is used for the hostname category value of a certificate - -type: keyword - --- - -*`rsa.crypto.cert_serial`*:: -+ --- -This key is used to capture the Certificate serial number only - -type: keyword - --- - -*`rsa.crypto.cert_status`*:: -+ --- -This key captures Certificate validation status - -type: keyword - --- - -*`rsa.crypto.ssl_ver_dst`*:: -+ --- 
-Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.cert_keysize`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_username`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_insact`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_valid`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_ca`*:: -+ --- -This key is used to capture the Certificate signing authority only - -type: keyword - --- - -*`rsa.crypto.cert_common`*:: -+ --- -This key is used to capture the Certificate common name only - -type: keyword - --- - - -*`rsa.wireless.wlan_ssid`*:: -+ --- -This key is used to capture the ssid of a Wireless Session - -type: keyword - --- - -*`rsa.wireless.access_point`*:: -+ --- -This key is used to capture the access point name. - -type: keyword - --- - -*`rsa.wireless.wlan_channel`*:: -+ --- -This is used to capture the channel names - -type: long - --- - -*`rsa.wireless.wlan_name`*:: -+ --- -This key captures either WLAN number/name - -type: keyword - --- - - -*`rsa.storage.disk_volume`*:: -+ --- -A unique name assigned to logical units (volumes) within a physical disk - -type: keyword - --- - -*`rsa.storage.lun`*:: -+ --- -Logical Unit Number.This key is a very useful concept in Storage. - -type: keyword - --- - -*`rsa.storage.pwwn`*:: -+ --- -This uniquely identifies a port on a HBA. - -type: keyword - --- - - -*`rsa.physical.org_dst`*:: -+ --- -This is used to capture the destination organization based on the GEOPIP Maxmind database. - -type: keyword - --- - -*`rsa.physical.org_src`*:: -+ --- -This is used to capture the source organization based on the GEOPIP Maxmind database. 
- -type: keyword - --- - - -*`rsa.healthcare.patient_fname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_id`*:: -+ --- -This key captures the unique ID for a patient - -type: keyword - --- - -*`rsa.healthcare.patient_lname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_mname`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - - -*`rsa.endpoint.host_state`*:: -+ --- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - -type: keyword - --- - -*`rsa.endpoint.registry_key`*:: -+ --- -This key captures the path to the registry key - -type: keyword - --- - -*`rsa.endpoint.registry_value`*:: -+ --- -This key captures values or decorators used within a registry entry - type: keyword -- diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index 8e7820f9da6..b1131b69b1d 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -50,7 +50,6 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> - * <> * <> * <> * <> @@ -114,7 +113,6 @@ include::modules/redis.asciidoc[] include::modules/salesforce.asciidoc[] include::modules/santa.asciidoc[] include::modules/snyk.asciidoc[] -include::modules/sonicwall.asciidoc[] include::modules/sophos.asciidoc[] include::modules/squid.asciidoc[] include::modules/suricata.asciidoc[] diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 419f9a1b183..a2c48dac171 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -1742,27 +1742,6 @@ filebeat.modules:
 #var.min_priority_score: 0
 #var.max_priority_score: 1000
-#----------------------------- Sonicwall-FW Module -----------------------------
-- module: sonicwall
- firewall:
- enabled: false
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9519
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
-
 #-------------------------------- Sophos Module --------------------------------
 - module: sophos
 xg:
diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go
index 04441d2a804..78d2b230d4d 100644
--- a/x-pack/filebeat/include/list.go
+++ b/x-pack/filebeat/include/list.go
@@ -45,7 +45,6 @@ import (
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/rabbitmq"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/salesforce"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/snyk"
- _ "github.com/elastic/beats/v7/x-pack/filebeat/module/sonicwall"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/sophos"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/squid"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/suricata"
diff --git a/x-pack/filebeat/module/sonicwall/README.md b/x-pack/filebeat/module/sonicwall/README.md
deleted file mode 100644
index 65bd2526ff1..00000000000
--- a/x-pack/filebeat/module/sonicwall/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-# sonicwall module
-
-This is a module for Sonicwall-FW logs.
-
-Autogenerated from RSA NetWitness log parser 2.0 XML sonicwall version 124
-at 2020-07-13 17:55:41.955704 +0000 UTC.
-
diff --git a/x-pack/filebeat/module/sonicwall/_meta/config.yml b/x-pack/filebeat/module/sonicwall/_meta/config.yml
deleted file mode 100644
index 92a71910286..00000000000
--- a/x-pack/filebeat/module/sonicwall/_meta/config.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-- module: sonicwall
- firewall:
- enabled: false
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9519
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc b/x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc
deleted file mode 100644
index adccfd17799..00000000000
--- a/x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc
+++ /dev/null
@@ -1,70 +0,0 @@
-[role="xpack"]
-
-:modulename: sonicwall_firewall
-:has-dashboards: false
-
-== Sonicwall module
-
-deprecated::[8.12.0,"This module is deprecated. Use the https://docs.elastic.co/integrations/sonicwall[SonicWall Firewall] Elastic integration instead."]
-
-experimental[]
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-This is a module for receiving Sonicwall-FW logs over Syslog or a file.
-
-include::../include/gs-link.asciidoc[]
-
-include::../include/configuring-intro.asciidoc[]
-
-:fileset_ex: firewall
-
-include::../include/config-option-intro.asciidoc[]
-
-[float]
-==== `firewall` fileset settings
-
-experimental[]
-
-NOTE: This was converted from RSA NetWitness log parser XML "sonicwall" device revision 124.
-
-*`var.input`*::
-
-The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
-
-*`var.syslog_host`*::
-
-The address to listen to UDP or TCP based syslog traffic.
-Defaults to `localhost`.
-Set to `0.0.0.0` to bind to all available interfaces.
-
-*`var.syslog_port`*::
-
-The port to listen for syslog traffic. Defaults to `9519`
-
-NOTE: Ports below 1024 require Filebeat to run as root.
-
-*`var.tz_offset`*::
-
-By default, datetimes in the logs will be interpreted as relative to
-the timezone configured in the host where {beatname_uc} is running. If ingesting
-logs from a host on a different timezone, use this field to set the timezone
-offset so that datetimes are correctly parsed. Valid values are in the form
-±HH:mm, for example, `-07:00` for `UTC-7`.
-
-*`var.rsa_fields`*::
-
-Flag to control the addition of non-ECS fields to the event. Defaults to true,
-which causes both ECS and custom fields under `rsa` to be added.
-
-*`var.keep_raw_fields`*::
-
-Flag to control the addition of the raw parser fields to the event. This fields
-will be found under `rsa.raw`. The default is false.
-
-:has-dashboards!:
-
-:fileset_ex!:
-
-:modulename!:
-
diff --git a/x-pack/filebeat/module/sonicwall/_meta/fields.yml b/x-pack/filebeat/module/sonicwall/_meta/fields.yml
deleted file mode 100644
index 13a72000b12..00000000000
--- a/x-pack/filebeat/module/sonicwall/_meta/fields.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-- key: sonicwall
- title: Sonicwall-FW
- description: >
- sonicwall fields.
- fields:
diff --git a/x-pack/filebeat/module/sonicwall/fields.go b/x-pack/filebeat/module/sonicwall/fields.go
deleted file mode 100644
index 8280b796d00..00000000000
--- a/x-pack/filebeat/module/sonicwall/fields.go
+++ /dev/null
@@ -1,23 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. - -package sonicwall - -import ( - "github.com/elastic/beats/v7/libbeat/asset" -) - -func init() { - if err := asset.SetFields("filebeat", "sonicwall", asset.ModuleFieldsPri, AssetSonicwall); err != nil { - panic(err) - } -} - -// AssetSonicwall returns asset data. -// This is the base64 encoded zlib format compressed contents of module/sonicwall. -func AssetSonicwall() string { - return "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" -}
diff --git a/x-pack/filebeat/module/sonicwall/firewall/_meta/fields.yml b/x-pack/filebeat/module/sonicwall/firewall/_meta/fields.yml
deleted file mode 100644
index 08a34153c4f..00000000000
--- a/x-pack/filebeat/module/sonicwall/firewall/_meta/fields.yml
+++ /dev/null
@@ -1,2635 +0,0 @@
-- name: network.interface.name
- overwrite: true
- type: keyword
- description: >
- Name of the network interface where the traffic has been observed.
-- name: rsa
- overwrite: true
- type: group
- fields:
- - name: internal
- overwrite: true
- type: group
- fields:
- - name: msg
- overwrite: true
- type: keyword
- description: This key is used to capture the raw message that comes into the
- Log Decoder
- - name: messageid
- overwrite: true
- type: keyword
- - name: event_desc
- overwrite: true
- type: keyword
- - name: message
- overwrite: true
- type: keyword
- description: This key captures the contents of instant messages
- - name: time
- overwrite: true
- type: date
- description: This is the time at which a session hits a NetWitness Decoder.
- This key should never be used to parse Meta data from a session (Logs/Packets)
- Directly, this is a Reserved key in NetWitness.
- - name: level
- overwrite: true
- type: long
- description: Deprecated key defined only in table map.
- - name: msg_id
- overwrite: true
- type: keyword
- description: This is the Message ID1 value that identifies the exact log parser
- definition which parses a particular log session. This key should never be
- used to parse Meta data from a session (Logs/Packets) Directly, this is a
- Reserved key in NetWitness
- - name: msg_vid
- overwrite: true
- type: keyword
- description: This is the Message ID2 value that identifies the exact log parser
- definition which parses a particular log session. This key should never be
- used to parse Meta data from a session (Logs/Packets) Directly, this is a
- Reserved key in NetWitness
- - name: data
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_server
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_val
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: resource
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_id
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: statement
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: audit_class
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: entry
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: hcode
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: inode
- overwrite: true
- type: long
- description: Deprecated key defined only in table map.
- - name: resource_class
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: dead
- overwrite: true
- type: long
- description: Deprecated key defined only in table map.
- - name: feed_desc
- overwrite: true
- type: keyword
- description: This is used to capture the description of the feed. This key should
- never be used to parse Meta data from a session (Logs/Packets) Directly, this
- is a Reserved key in NetWitness
- - name: feed_name
- overwrite: true
- type: keyword
- description: This is used to capture the name of the feed. This key should never
- be used to parse Meta data from a session (Logs/Packets) Directly, this is
- a Reserved key in NetWitness
- - name: cid
- overwrite: true
- type: keyword
- description: This is the unique identifier used to identify a NetWitness Concentrator.
- This key should never be used to parse Meta data from a session (Logs/Packets)
- Directly, this is a Reserved key in NetWitness
- - name: device_class
- overwrite: true
- type: keyword
- description: This is the Classification of the Log Event Source under a predefined
- fixed set of Event Source Classifications. This key should never be used to
- parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
- key in NetWitness
- - name: device_group
- overwrite: true
- type: keyword
- description: This key should never be used to parse Meta data from a session
- (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: device_host
- overwrite: true
- type: keyword
- description: This is the Hostname of the log Event Source sending the logs to
- NetWitness. This key should never be used to parse Meta data from a session
- (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: device_ip
- overwrite: true
- type: ip
- description: This is the IPv4 address of the Log Event Source sending the logs
- to NetWitness. This key should never be used to parse Meta data from a session
- (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: device_ipv6
- overwrite: true
- type: ip
- description: This is the IPv6 address of the Log Event Source sending the logs
- to NetWitness. This key should never be used to parse Meta data from a session
- (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: device_type
- overwrite: true
- type: keyword
- description: This is the name of the log parser which parsed a given session.
- This key should never be used to parse Meta data from a session (Logs/Packets)
- Directly, this is a Reserved key in NetWitness
- - name: device_type_id
- overwrite: true
- type: long
- description: Deprecated key defined only in table map.
- - name: did
- overwrite: true
- type: keyword
- description: This is the unique identifier used to identify a NetWitness Decoder.
- This key should never be used to parse Meta data from a session (Logs/Packets)
- Directly, this is a Reserved key in NetWitness
- - name: entropy_req
- overwrite: true
- type: long
- description: This key is only used by the Entropy Parser, the Meta Type can
- be either UInt16 or Float32 based on the configuration
- - name: entropy_res
- overwrite: true
- type: long
- description: This key is only used by the Entropy Parser, the Meta Type can
- be either UInt16 or Float32 based on the configuration
- - name: event_name
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: feed_category
- overwrite: true
- type: keyword
- description: This is used to capture the category of the feed. This key should
- never be used to parse Meta data from a session (Logs/Packets) Directly, this
- is a Reserved key in NetWitness
- - name: forward_ip
- overwrite: true
- type: ip
- description: This key should be used to capture the IPV4 address of a relay
- system which forwarded the events from the original system to NetWitness.
- - name: forward_ipv6
- overwrite: true
- type: ip
- description: This key is used to capture the IPV6 address of a relay system
- which forwarded the events from the original system to NetWitness. This key
- should never be used to parse Meta data from a session (Logs/Packets) Directly,
- this is a Reserved key in NetWitness
- - name: header_id
- overwrite: true
- type: keyword
- description: This is the Header ID value that identifies the exact log parser
- header definition that parses a particular log session. This key should never
- be used to parse Meta data from a session (Logs/Packets) Directly, this is
- a Reserved key in NetWitness
- - name: lc_cid
- overwrite: true
- type: keyword
- description: This is a unique Identifier of a Log Collector. This key should
- never be used to parse Meta data from a session (Logs/Packets) Directly, this
- is a Reserved key in NetWitness
- - name: lc_ctime
- overwrite: true
- type: date
- description: This is the time at which a log is collected in a NetWitness Log
- Collector. This key should never be used to parse Meta data from a session
- (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: mcb_req
- overwrite: true
- type: long
- description: This key is only used by the Entropy Parser, the most common byte
- request is simply which byte for each side (0 thru 255) was seen the most
- - name: mcb_res
- overwrite: true
- type: long
- description: This key is only used by the Entropy Parser, the most common byte
- response is simply which byte for each side (0 thru 255) was seen the most
- - name: mcbc_req
- overwrite: true
- type: long
- description: This key is only used by the Entropy Parser, the most common byte
- count is the number of times the most common byte (above) was seen in the
- session streams
- - name: mcbc_res
- overwrite: true
- type: long
- description: This key is only used by the Entropy Parser, the most common byte
- count is the number of times the most common byte (above) was seen in the
- session streams
- - name: medium
- overwrite: true
- type: long
- description: "This key is used to identify if it\u2019s a log/packet session\
- \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
- \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
- \ 32 = log, 33 = correlation session, < 32 is packet session"
- - name: node_name
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: nwe_callback_id
- overwrite: true
- type: keyword
- description: This key denotes that event is endpoint related
- - name: parse_error
- overwrite: true
- type: keyword
- description: This is a special key that stores any Meta key validation error
- found while parsing a log session. This key should never be used to parse
- Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
- NetWitness
- - name: payload_req
- overwrite: true
- type: long
- description: This key is only used by the Entropy Parser, the payload size metrics
- are the payload sizes of each session side at the time of parsing. However,
- in order to keep
- - name: payload_res
- overwrite: true
- type: long
- description: This key is only used by the Entropy Parser, the payload size metrics
- are the payload sizes of each session side at the time of parsing. However,
- in order to keep
- - name: process_vid_dst
- overwrite: true
- type: keyword
- description: Endpoint generates and uses a unique virtual ID to identify any
- similar group of process. This ID represents the target process.
- - name: process_vid_src
- overwrite: true
- type: keyword
- description: Endpoint generates and uses a unique virtual ID to identify any
- similar group of process. This ID represents the source process.
- - name: rid
- overwrite: true
- type: long
- description: This is a special ID of the Remote Session created by NetWitness
- Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
- Directly, this is a Reserved key in NetWitness
- - name: session_split
- overwrite: true
- type: keyword
- description: This key should never be used to parse Meta data from a session
- (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: site
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: size
- overwrite: true
- type: long
- description: This is the size of the session as seen by the NetWitness Decoder.
- This key should never be used to parse Meta data from a session (Logs/Packets)
- Directly, this is a Reserved key in NetWitness
- - name: sourcefile
- overwrite: true
- type: keyword
- description: This is the name of the log file or PCAPs that can be imported
- into NetWitness. This key should never be used to parse Meta data from a session
- (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: ubc_req
- overwrite: true
- type: long
- description: This key is only used by the Entropy Parser, Unique byte count
- is the number of unique bytes seen in each stream. 256 would mean all byte
- values of 0 thru 255 were seen at least once
- - name: ubc_res
- overwrite: true
- type: long
- description: This key is only used by the Entropy Parser, Unique byte count
- is the number of unique bytes seen in each stream. 256 would mean all byte
- values of 0 thru 255 were seen at least once
- - name: word
- overwrite: true
- type: keyword
- description: This is used by the Word Parsing technology to capture the first
- 5 character of every word in an unparsed log
- - name: time
- overwrite: true
- type: group
- fields:
- - name: event_time
- overwrite: true
- type: date
- description: This key is used to capture the time mentioned in a raw session
- that represents the actual time an event occured in a standard normalized
- form
- - name: duration_time
- overwrite: true
- type: double
- description: This key is used to capture the normalized duration/lifetime in
- seconds.
- - name: event_time_str
- overwrite: true
- type: keyword
- description: This key is used to capture the incomplete time mentioned in a
- session as a string
- - name: starttime
- overwrite: true
- type: date
- description: This key is used to capture the Start time mentioned in a session
- in a standard form
- - name: month
- overwrite: true
- type: keyword
- - name: day
- overwrite: true
- type: keyword
- - name: endtime
- overwrite: true
- type: date
- description: This key is used to capture the End time mentioned in a session
- in a standard form
- - name: timezone
- overwrite: true
- type: keyword
- description: This key is used to capture the timezone of the Event Time
- - name: duration_str
- overwrite: true
- type: keyword
- description: A text string version of the duration
- - name: date
- overwrite: true
- type: keyword
- - name: year
- overwrite: true
- type: keyword
- - name: recorded_time
- overwrite: true
- type: date
- description: The event time as recorded by the system the event is collected
- from. The usage scenario is a multi-tier application where the management
- layer of the system records it's own timestamp at the time of collection from
- its child nodes. Must be in timestamp format.
- - name: datetime
- overwrite: true
- type: keyword
- - name: effective_time
- overwrite: true
- type: date
- description: This key is the effective time referenced by an individual event
- in a Standard Timestamp format
- - name: expire_time
- overwrite: true
- type: date
- description: This key is the timestamp that explicitly refers to an expiration.
- - name: process_time
- overwrite: true
- type: keyword
- description: Deprecated, use duration.time
- - name: hour
- overwrite: true
- type: keyword
- - name: min
- overwrite: true
- type: keyword
- - name: timestamp
- overwrite: true
- type: keyword
- - name: event_queue_time
- overwrite: true
- type: date
- description: This key is the Time that the event was queued.
- - name: p_time1
- overwrite: true
- type: keyword
- - name: tzone
- overwrite: true
- type: keyword
- - name: eventtime
- overwrite: true
- type: keyword
- - name: gmtdate
- overwrite: true
- type: keyword
- - name: gmttime
- overwrite: true
- type: keyword
- - name: p_date
- overwrite: true
- type: keyword
- - name: p_month
- overwrite: true
- type: keyword
- - name: p_time
- overwrite: true
- type: keyword
- - name: p_time2
- overwrite: true
- type: keyword
- - name: p_year
- overwrite: true
- type: keyword
- - name: expire_time_str
- overwrite: true
- type: keyword
- description: This key is used to capture incomplete timestamp that explicitly
- refers to an expiration.
- - name: stamp
- overwrite: true
- type: date
- description: Deprecated key defined only in table map.
- - name: misc
- overwrite: true
- type: group
- fields:
- - name: action
- overwrite: true
- type: keyword
- - name: result
- overwrite: true
- type: keyword
- description: This key is used to capture the outcome/result string value of
- an action in a session.
- - name: severity
- overwrite: true
- type: keyword
- description: This key is used to capture the severity given the session
- - name: event_type
- overwrite: true
- type: keyword
- description: This key captures the event category type as specified by the event
- source.
- - name: reference_id
- overwrite: true
- type: keyword
- description: This key is used to capture an event id from the session directly
- - name: version
- overwrite: true
- type: keyword
- description: This key captures Version of the application or OS which is generating
- the event.
- - name: disposition
- overwrite: true
- type: keyword
- description: This key captures the The end state of an action.
- - name: result_code
- overwrite: true
- type: keyword
- description: This key is used to capture the outcome/result numeric value of
- an action in a session
- - name: category
- overwrite: true
- type: keyword
- description: This key is used to capture the category of an event given by the
- vendor in the session
- - name: obj_name
- overwrite: true
- type: keyword
- description: This is used to capture name of object
- - name: obj_type
- overwrite: true
- type: keyword
- description: This is used to capture type of object
- - name: event_source
- overwrite: true
- type: keyword
- description: "This key captures Source of the event that\u2019s not a hostname"
- - name: log_session_id
- overwrite: true
- type: keyword
- description: This key is used to capture a sessionid from the session directly
- - name: group
- overwrite: true
- type: keyword
- description: This key captures the Group Name value
- - name: policy_name
- overwrite: true
- type: keyword
- description: This key is used to capture the Policy Name only.
- - name: rule_name
- overwrite: true
- type: keyword
- description: This key captures the Rule Name
- - name: context
- overwrite: true
- type: keyword
- description: This key captures Information which adds additional context to
- the event.
- - name: change_new
- overwrite: true
- type: keyword
- description: "This key is used to capture the new values of the attribute that\u2019\
- s changing in a session"
- - name: space
- overwrite: true
- type: keyword
- - name: client
- overwrite: true
- type: keyword
- description: This key is used to capture only the name of the client application
- requesting resources of the server. See the user.agent meta key for capture
- of the specific user agent identifier or browser identification string.
- - name: msgIdPart1
- overwrite: true
- type: keyword
- - name: msgIdPart2
- overwrite: true
- type: keyword
- - name: change_old
- overwrite: true
- type: keyword
- description: "This key is used to capture the old value of the attribute that\u2019\
- s changing in a session"
- - name: operation_id
- overwrite: true
- type: keyword
- description: An alert number or operation number. The values should be unique
- and non-repeating.
- - name: event_state
- overwrite: true
- type: keyword
- description: This key captures the current state of the object/item referenced
- within the event. Describing an on-going event.
- - name: group_object
- overwrite: true
- type: keyword
- description: This key captures a collection/grouping of entities. Specific usage
- - name: node
- overwrite: true
- type: keyword
- description: Common use case is the node name within a cluster. The cluster
- name is reflected by the host name.
- - name: rule
- overwrite: true
- type: keyword
- description: This key captures the Rule number
- - name: device_name
- overwrite: true
- type: keyword
- description: 'This is used to capture name of the Device associated with the
- node Like: a physical disk, printer, etc'
- - name: param
- overwrite: true
- type: keyword
- description: This key is the parameters passed as part of a command or application,
- etc.
- - name: change_attrib
- overwrite: true
- type: keyword
- description: "This key is used to capture the name of the attribute that\u2019\
- s changing in a session"
- - name: event_computer
- overwrite: true
- type: keyword
- description: This key is a windows only concept, where this key is used to capture
- fully qualified domain name in a windows log.
- - name: reference_id1
- overwrite: true
- type: keyword
- description: This key is for Linked ID to be used as an addition to "reference.id"
- - name: event_log
- overwrite: true
- type: keyword
- description: This key captures the Name of the event log
- - name: OS
- overwrite: true
- type: keyword
- description: This key captures the Name of the Operating System
- - name: terminal
- overwrite: true
- type: keyword
- description: This key captures the Terminal Names only
- - name: msgIdPart3
- overwrite: true
- type: keyword
- - name: filter
- overwrite: true
- type: keyword
- description: This key captures Filter used to reduce result set
- - name: serial_number
- overwrite: true
- type: keyword
- description: This key is the Serial number associated with a physical asset.
- - name: checksum
- overwrite: true
- type: keyword
- description: This key is used to capture the checksum or hash of the entity
- such as a file or process. Checksum should be used over checksum.src or checksum.dst
- when it is unclear whether the entity is a source or target of an action.
- - name: event_user
- overwrite: true
- type: keyword
- description: This key is a windows only concept, where this key is used to capture
- combination of domain name and username in a windows log.
- - name: virusname
- overwrite: true
- type: keyword
- description: This key captures the name of the virus
- - name: content_type
- overwrite: true
- type: keyword
- description: This key is used to capture Content Type only.
- - name: group_id
- overwrite: true
- type: keyword
- description: This key captures Group ID Number (related to the group name)
- - name: policy_id
- overwrite: true
- type: keyword
- description: This key is used to capture the Policy ID only, this should be
- a numeric value, use policy.name otherwise
- - name: vsys
- overwrite: true
- type: keyword
- description: This key captures Virtual System Name
- - name: connection_id
- overwrite: true
- type: keyword
- description: This key captures the Connection ID
- - name: reference_id2
- overwrite: true
- type: keyword
- description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
- or "reference.id1" value but should not be used unless the other two variables
- are in play.
- - name: sensor
- overwrite: true
- type: keyword
- description: This key captures Name of the sensor. Typically used in IDS/IPS
- based devices
- - name: sig_id
- overwrite: true
- type: long
- description: This key captures IDS/IPS Int Signature ID
- - name: port_name
- overwrite: true
- type: keyword
- description: 'This key is used for Physical or logical port connection but does
- NOT include a network port. (Example: Printer port name).'
- - name: rule_group
- overwrite: true
- type: keyword
- description: This key captures the Rule group name
- - name: risk_num
- overwrite: true
- type: double
- description: This key captures a Numeric Risk value
- - name: trigger_val
- overwrite: true
- type: keyword
- description: This key captures the Value of the trigger or threshold condition.
- - name: log_session_id1
- overwrite: true
- type: keyword
- description: This key is used to capture a Linked (Related) Session ID from
- the session directly
- - name: comp_version
- overwrite: true
- type: keyword
- description: This key captures the Version level of a sub-component of a product.
- - name: content_version
- overwrite: true
- type: keyword
- description: This key captures Version level of a signature or database content.
- - name: hardware_id
- overwrite: true
- type: keyword
- description: This key is used to capture unique identifier for a device or system
- (NOT a Mac address)
- - name: risk
- overwrite: true
- type: keyword
- description: This key captures the non-numeric risk value
- - name: event_id
- overwrite: true
- type: keyword
- - name: reason
- overwrite: true
- type: keyword
- - name: status
- overwrite: true
- type: keyword
- - name: mail_id
- overwrite: true
- type: keyword
- description: This key is used to capture the mailbox id/name
- - name: rule_uid
- overwrite: true
- type: keyword
- description: This key is the Unique Identifier for a rule.
- - name: trigger_desc
- overwrite: true
- type: keyword
- description: This key captures the Description of the trigger or threshold condition.
- - name: inout
- overwrite: true
- type: keyword
- - name: p_msgid
- overwrite: true
- type: keyword
- - name: data_type
- overwrite: true
- type: keyword
- - name: msgIdPart4
- overwrite: true
- type: keyword
- - name: error
- overwrite: true
- type: keyword
- description: This key captures All non successful Error codes or responses
- - name: index
- overwrite: true
- type: keyword
- - name: listnum
- overwrite: true
- type: keyword
- description: This key is used to capture listname or listnumber, primarily for
- collecting access-list
- - name: ntype
- overwrite: true
- type: keyword
- - name: observed_val
- overwrite: true
- type: keyword
- description: This key captures the Value observed (from the perspective of the
- device generating the log).
- - name: policy_value
- overwrite: true
- type: keyword
- description: This key captures the contents of the policy. This contains details
- about the policy
- - name: pool_name
- overwrite: true
- type: keyword
- description: This key captures the name of a resource pool
- - name: rule_template
- overwrite: true
- type: keyword
- description: A default set of parameters which are overlayed onto a rule (or
- rulename) which efffectively constitutes a template
- - name: count
- overwrite: true
- type: keyword
- - name: number
- overwrite: true
- type: keyword
- - name: sigcat
- overwrite: true
- type: keyword
- - name: type
- overwrite: true
- type: keyword
- - name: comments
- overwrite: true
- type: keyword
- description: Comment information provided in the log message
- - name: doc_number
- overwrite: true
- type: long
- description: This key captures File Identification number
- - name: expected_val
- overwrite: true
- type: keyword
- description: This key captures the Value expected (from the perspective of the
- device generating the log).
- - name: job_num
- overwrite: true
- type: keyword
- description: This key captures the Job Number
- - name: spi_dst
- overwrite: true
- type: keyword
- description: Destination SPI Index
- - name: spi_src
- overwrite: true
- type: keyword
- description: Source SPI Index
- - name: code
- overwrite: true
- type: keyword
- - name: agent_id
- overwrite: true
- type: keyword
- description: This key is used to capture agent id
- - name: message_body
- overwrite: true
- type: keyword
- description: This key captures the The contents of the message body.
- - name: phone
- overwrite: true
- type: keyword
- - name: sig_id_str
- overwrite: true
- type: keyword
- description: This key captures a string object of the sigid variable.
- - name: cmd
- overwrite: true
- type: keyword
- - name: misc
- overwrite: true
- type: keyword
- - name: name
- overwrite: true
- type: keyword
- - name: cpu
- overwrite: true
- type: long
- description: This key is the CPU time used in the execution of the event being
- recorded.
- - name: event_desc - overwrite: true - type: keyword - description: This key is used to capture a description of an event available - directly or inferred - - name: sig_id1 - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID. This must be linked - to the sig.id - - name: im_buddyid - overwrite: true - type: keyword - - name: im_client - overwrite: true - type: keyword - - name: im_userid - overwrite: true - type: keyword - - name: pid - overwrite: true - type: keyword - - name: priority - overwrite: true - type: keyword - - name: context_subject - overwrite: true - type: keyword - description: This key is to be used in an audit context where the subject is - the object being identified - - name: context_target - overwrite: true - type: keyword - - name: cve - overwrite: true - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - - an identifier for known information security vulnerabilities. - - name: fcatnum - overwrite: true - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - overwrite: true - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - overwrite: true - type: keyword - description: This key captures the Parent Node Name. Must be related to node - variable. - - name: risk_info - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - overwrite: true - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - overwrite: true - type: long - description: This key describes the type of service - - name: vm_target - overwrite: true - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace
- overwrite: true
- type: keyword
- description: This key captures Workspace Description
- - name: command
- overwrite: true
- type: keyword
- - name: event_category
- overwrite: true
- type: keyword
- - name: facilityname
- overwrite: true
- type: keyword
- - name: forensic_info
- overwrite: true
- type: keyword
- - name: jobname
- overwrite: true
- type: keyword
- - name: mode
- overwrite: true
- type: keyword
- - name: policy
- overwrite: true
- type: keyword
- - name: policy_waiver
- overwrite: true
- type: keyword
- - name: second
- overwrite: true
- type: keyword
- - name: space1
- overwrite: true
- type: keyword
- - name: subcategory
- overwrite: true
- type: keyword
- - name: tbdstr2
- overwrite: true
- type: keyword
- - name: alert_id
- overwrite: true
- type: keyword
- description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- - name: checksum_dst
- overwrite: true
- type: keyword
- description: This key is used to capture the checksum or hash of the the target
- entity such as a process or file.
- - name: checksum_src
- overwrite: true
- type: keyword
- description: This key is used to capture the checksum or hash of the source
- entity such as a file or process.
- - name: fresult
- overwrite: true
- type: long
- description: This key captures the Filter Result
- - name: payload_dst
- overwrite: true
- type: keyword
- description: This key is used to capture destination payload
- - name: payload_src
- overwrite: true
- type: keyword
- description: This key is used to capture source payload
- - name: pool_id
- overwrite: true
- type: keyword
- description: This key captures the identifier (typically numeric field) of a
- resource pool
- - name: process_id_val
- overwrite: true
- type: keyword
- description: This key is a failure key for Process ID when it is not an integer
- value
- - name: risk_num_comm
- overwrite: true
- type: double
- description: This key captures Risk Number Community
- - name: risk_num_next
- overwrite: true
- type: double
- description: This key captures Risk Number NextGen
- - name: risk_num_sand
- overwrite: true
- type: double
- description: This key captures Risk Number SandBox
- - name: risk_num_static
- overwrite: true
- type: double
- description: This key captures Risk Number Static
- - name: risk_suspicious
- overwrite: true
- type: keyword
- description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- - name: risk_warning
- overwrite: true
- type: keyword
- description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- - name: snmp_oid
- overwrite: true
- type: keyword
- description: SNMP Object Identifier
- - name: sql
- overwrite: true
- type: keyword
- description: This key captures the SQL query
- - name: vuln_ref
- overwrite: true
- type: keyword
- description: This key captures the Vulnerability Reference details
- - name: acl_id
- overwrite: true
- type: keyword
- - name: acl_op
- overwrite: true
- type: keyword
- - name: acl_pos
- overwrite: true
- type: keyword
- - name: acl_table
- overwrite: true
- type: keyword
- - name: admin
- overwrite: true
- type: keyword
- - name: alarm_id
- overwrite: true
- type: keyword
- - name: alarmname
- overwrite: true
- type: keyword
- - name: app_id
- overwrite: true
- type: keyword
- - name: audit
- overwrite: true
- type: keyword
- - name: audit_object
- overwrite: true
- type: keyword
- - name: auditdata
- overwrite: true
- type: keyword
- - name: benchmark
- overwrite: true
- type: keyword
- - name: bypass
- overwrite: true
- type: keyword
- - name: cache
- overwrite: true
- type: keyword
- - name: cache_hit
- overwrite: true
- type: keyword
- - name: cefversion
- overwrite: true
- type: keyword
- - name: cfg_attr
- overwrite: true
- type: keyword
- - name: cfg_obj
- overwrite: true
- type: keyword
- - name: cfg_path
- overwrite: true
- type: keyword
- - name: changes
- overwrite: true
- type: keyword
- - name: client_ip
- overwrite: true
- type: keyword
- - name: clustermembers
- overwrite: true
- type: keyword
- - name: cn_acttimeout
- overwrite: true
- type: keyword
- - name: cn_asn_src
- overwrite: true
- type: keyword
- - name: cn_bgpv4nxthop
- overwrite: true
- type: keyword
- - name: cn_ctr_dst_code
- overwrite: true
- type: keyword
- - name: cn_dst_tos
- overwrite: true
- type: keyword
- - name: cn_dst_vlan
- overwrite: true
- type: keyword
- - name: cn_engine_id
- overwrite: true
- type: keyword
- - name: cn_engine_type
- overwrite: true
- type: keyword
- - name: cn_f_switch
- overwrite: true
- type: keyword
- - name: cn_flowsampid
- overwrite: true
- type: keyword
- - name: cn_flowsampintv
- overwrite: true
- type: keyword
- - name: cn_flowsampmode
- overwrite: true
- type: keyword
- - name: cn_inacttimeout
- overwrite: true
- type: keyword
- - name: cn_inpermbyts
- overwrite: true
- type: keyword
- - name: cn_inpermpckts
- overwrite: true
- type: keyword
- - name: cn_invalid
- overwrite: true
- type: keyword
- - name: cn_ip_proto_ver
- overwrite: true
- type: keyword
- - name: cn_ipv4_ident
- overwrite: true
- type: keyword
- - name: cn_l_switch
- overwrite: true
- type: keyword
- - name: cn_log_did
- overwrite: true
- type: keyword
- - name: cn_log_rid
- overwrite: true
- type: keyword
- - name: cn_max_ttl
- overwrite: true
- type: keyword
- - name: cn_maxpcktlen
- overwrite: true
- type: keyword
- - name: cn_min_ttl
- overwrite: true
- type: keyword
- - name: cn_minpcktlen
- overwrite: true
- type: keyword
- - name: cn_mpls_lbl_1
- overwrite: true
- type: keyword
- - name: cn_mpls_lbl_10
- overwrite: true
- type: keyword
- - name: cn_mpls_lbl_2
- overwrite: true
- type: keyword
- - name: cn_mpls_lbl_3
- overwrite: true
- type: keyword
- - name: cn_mpls_lbl_4
- overwrite: true
- type: keyword
- - name: cn_mpls_lbl_5
- overwrite: true
- type: keyword
- - name: cn_mpls_lbl_6
- overwrite: true
- type: keyword
- - name: cn_mpls_lbl_7
- overwrite: true
- type: keyword
- - name: cn_mpls_lbl_8
- overwrite: true
- type: keyword
- - name: cn_mpls_lbl_9
- overwrite: true
- type: keyword
- - name: cn_mplstoplabel
- overwrite: true
- type: keyword
- - name: cn_mplstoplabip
- overwrite: true
- type: keyword
- - name: cn_mul_dst_byt
- overwrite: true
- type: keyword
- - name: cn_mul_dst_pks
- overwrite: true
- type: keyword
- - name: cn_muligmptype
- overwrite: true
- type: keyword
- - name: cn_sampalgo
- overwrite: true
- type: keyword
- - name: cn_sampint
- overwrite: true
- type: keyword
- - name: cn_seqctr
- overwrite: true
- type: keyword
- - name: cn_spackets
- overwrite: true
- type: keyword
- - name: cn_src_tos
- overwrite: true
- type: keyword
- - name: cn_src_vlan
- overwrite: true
- type: keyword
- - name: cn_sysuptime
- overwrite: true
- type: keyword
- - name: cn_template_id
- overwrite: true
- type: keyword
- - name: cn_totbytsexp
- overwrite: true
- type: keyword
- - name: cn_totflowexp
- overwrite: true
- type: keyword
- - name: cn_totpcktsexp
- overwrite: true
- type: keyword
- - name: cn_unixnanosecs
- overwrite: true
- type: keyword
- - name: cn_v6flowlabel
- overwrite: true
- type: keyword
- - name: cn_v6optheaders
- overwrite: true
- type: keyword
- - name: comp_class
- overwrite: true
- type: 
keyword - - name: comp_name - overwrite: true - type: keyword - - name: comp_rbytes - overwrite: true - type: keyword - - name: comp_sbytes - overwrite: true - type: keyword - - name: cpu_data - overwrite: true - type: keyword - - name: criticality - overwrite: true - type: keyword - - name: cs_agency_dst - overwrite: true - type: keyword - - name: cs_analyzedby - overwrite: true - type: keyword - - name: cs_av_other - overwrite: true - type: keyword - - name: cs_av_primary - overwrite: true - type: keyword - - name: cs_av_secondary - overwrite: true - type: keyword - - name: cs_bgpv6nxthop - overwrite: true - type: keyword - - name: cs_bit9status - overwrite: true - type: keyword - - name: cs_context - overwrite: true - type: keyword - - name: cs_control - overwrite: true - type: keyword - - name: cs_data - overwrite: true - type: keyword - - name: cs_datecret - overwrite: true - type: keyword - - name: cs_dst_tld - overwrite: true - type: keyword - - name: cs_eth_dst_ven - overwrite: true - type: keyword - - name: cs_eth_src_ven - overwrite: true - type: keyword - - name: cs_event_uuid - overwrite: true - type: keyword - - name: cs_filetype - overwrite: true - type: keyword - - name: cs_fld - overwrite: true - type: keyword - - name: cs_if_desc - overwrite: true - type: keyword - - name: cs_if_name - overwrite: true - type: keyword - - name: cs_ip_next_hop - overwrite: true - type: keyword - - name: cs_ipv4dstpre - overwrite: true - type: keyword - - name: cs_ipv4srcpre - overwrite: true - type: keyword - - name: cs_lifetime - overwrite: true - type: keyword - - name: cs_log_medium - overwrite: true - type: keyword - - name: cs_loginname - overwrite: true - type: keyword - - name: cs_modulescore - overwrite: true - type: keyword - - name: cs_modulesign - overwrite: true - type: keyword - - name: cs_opswatresult - overwrite: true - type: keyword - - name: cs_payload - overwrite: true - type: keyword - - name: cs_registrant - overwrite: true - type: keyword - - 
name: cs_registrar - overwrite: true - type: keyword - - name: cs_represult - overwrite: true - type: keyword - - name: cs_rpayload - overwrite: true - type: keyword - - name: cs_sampler_name - overwrite: true - type: keyword - - name: cs_sourcemodule - overwrite: true - type: keyword - - name: cs_streams - overwrite: true - type: keyword - - name: cs_targetmodule - overwrite: true - type: keyword - - name: cs_v6nxthop - overwrite: true - type: keyword - - name: cs_whois_server - overwrite: true - type: keyword - - name: cs_yararesult - overwrite: true - type: keyword - - name: description - overwrite: true - type: keyword - - name: devvendor - overwrite: true - type: keyword - - name: distance - overwrite: true - type: keyword - - name: dstburb - overwrite: true - type: keyword - - name: edomain - overwrite: true - type: keyword - - name: edomaub - overwrite: true - type: keyword - - name: euid - overwrite: true - type: keyword - - name: facility - overwrite: true - type: keyword - - name: finterface - overwrite: true - type: keyword - - name: flags - overwrite: true - type: keyword - - name: gaddr - overwrite: true - type: keyword - - name: id3 - overwrite: true - type: keyword - - name: im_buddyname - overwrite: true - type: keyword - - name: im_croomid - overwrite: true - type: keyword - - name: im_croomtype - overwrite: true - type: keyword - - name: im_members - overwrite: true - type: keyword - - name: im_username - overwrite: true - type: keyword - - name: ipkt - overwrite: true - type: keyword - - name: ipscat - overwrite: true - type: keyword - - name: ipspri - overwrite: true - type: keyword - - name: latitude - overwrite: true - type: keyword - - name: linenum - overwrite: true - type: keyword - - name: list_name - overwrite: true - type: keyword - - name: load_data - overwrite: true - type: keyword - - name: location_floor - overwrite: true - type: keyword - - name: location_mark - overwrite: true - type: keyword - - name: log_id - overwrite: true - 
type: keyword - - name: log_type - overwrite: true - type: keyword - - name: logid - overwrite: true - type: keyword - - name: logip - overwrite: true - type: keyword - - name: logname - overwrite: true - type: keyword - - name: longitude - overwrite: true - type: keyword - - name: lport - overwrite: true - type: keyword - - name: mbug_data - overwrite: true - type: keyword - - name: misc_name - overwrite: true - type: keyword - - name: msg_type - overwrite: true - type: keyword - - name: msgid - overwrite: true - type: keyword - - name: netsessid - overwrite: true - type: keyword - - name: num - overwrite: true - type: keyword - - name: number1 - overwrite: true - type: keyword - - name: number2 - overwrite: true - type: keyword - - name: nwwn - overwrite: true - type: keyword - - name: object - overwrite: true - type: keyword - - name: operation - overwrite: true - type: keyword - - name: opkt - overwrite: true - type: keyword - - name: orig_from - overwrite: true - type: keyword - - name: owner_id - overwrite: true - type: keyword - - name: p_action - overwrite: true - type: keyword - - name: p_filter - overwrite: true - type: keyword - - name: p_group_object - overwrite: true - type: keyword - - name: p_id - overwrite: true - type: keyword - - name: p_msgid1 - overwrite: true - type: keyword - - name: p_msgid2 - overwrite: true - type: keyword - - name: p_result1 - overwrite: true - type: keyword - - name: password_chg - overwrite: true - type: keyword - - name: password_expire - overwrite: true - type: keyword - - name: permgranted - overwrite: true - type: keyword - - name: permwanted - overwrite: true - type: keyword - - name: pgid - overwrite: true - type: keyword - - name: policyUUID - overwrite: true - type: keyword - - name: prog_asp_num - overwrite: true - type: keyword - - name: program - overwrite: true - type: keyword - - name: real_data - overwrite: true - type: keyword - - name: rec_asp_device - overwrite: true - type: keyword - - name: rec_asp_num 
- overwrite: true - type: keyword - - name: rec_library - overwrite: true - type: keyword - - name: recordnum - overwrite: true - type: keyword - - name: ruid - overwrite: true - type: keyword - - name: sburb - overwrite: true - type: keyword - - name: sdomain_fld - overwrite: true - type: keyword - - name: sec - overwrite: true - type: keyword - - name: sensorname - overwrite: true - type: keyword - - name: seqnum - overwrite: true - type: keyword - - name: session - overwrite: true - type: keyword - - name: sessiontype - overwrite: true - type: keyword - - name: sigUUID - overwrite: true - type: keyword - - name: spi - overwrite: true - type: keyword - - name: srcburb - overwrite: true - type: keyword - - name: srcdom - overwrite: true - type: keyword - - name: srcservice - overwrite: true - type: keyword - - name: state - overwrite: true - type: keyword - - name: status1 - overwrite: true - type: keyword - - name: svcno - overwrite: true - type: keyword - - name: system - overwrite: true - type: keyword - - name: tbdstr1 - overwrite: true - type: keyword - - name: tgtdom - overwrite: true - type: keyword - - name: tgtdomain - overwrite: true - type: keyword - - name: threshold - overwrite: true - type: keyword - - name: type1 - overwrite: true - type: keyword - - name: udb_class - overwrite: true - type: keyword - - name: url_fld - overwrite: true - type: keyword - - name: user_div - overwrite: true - type: keyword - - name: userid - overwrite: true - type: keyword - - name: username_fld - overwrite: true - type: keyword - - name: utcstamp - overwrite: true - type: keyword - - name: v_instafname - overwrite: true - type: keyword - - name: virt_data - overwrite: true - type: keyword - - name: vpnid - overwrite: true - type: keyword - - name: autorun_type - overwrite: true - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - overwrite: true - type: long - description: Valid Credit Card Numbers only - - name: content - 
overwrite: true - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - overwrite: true - type: long - description: Employee Identification Numbers only - - name: found - overwrite: true - type: keyword - description: This is used to capture the results of regex match - - name: language - overwrite: true - type: keyword - description: This is used to capture list of languages the client support and - what it prefers - - name: lifetime - overwrite: true - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - overwrite: true - type: keyword - description: This key is used to link the sessions together. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: match - overwrite: true - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - overwrite: true - type: keyword - description: This key captures the command line/launch argument of the target - process or file - - name: param_src - overwrite: true - type: keyword - description: This key captures source parameter - - name: search_text - overwrite: true - type: keyword - description: This key captures the Search Text used - - name: sig_name - overwrite: true - type: keyword - description: This key is used to capture the Signature Name only. - - name: snmp_value - overwrite: true - type: keyword - description: SNMP set request value - - name: streams - overwrite: true - type: long - description: This key captures number of streams in session - - name: db - overwrite: true - type: group - fields: - - name: index - overwrite: true - type: keyword - description: This key captures IndexID of the index. 
- - name: instance - overwrite: true - type: keyword - description: This key is used to capture the database server instance name - - name: database - overwrite: true - type: keyword - description: This key is used to capture the name of a database or an instance - as seen in a session - - name: transact_id - overwrite: true - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - overwrite: true - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - overwrite: true - type: keyword - description: This key is used to capture the table name - - name: db_id - overwrite: true - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - overwrite: true - type: long - description: This key captures the process id of a connection with database - server - - name: lread - overwrite: true - type: long - description: This key is used for the number of logical reads - - name: lwrite - overwrite: true - type: long - description: This key is used for the number of logical writes - - name: pread - overwrite: true - type: long - description: This key is used for the number of physical writes - - name: network - overwrite: true - type: group - fields: - - name: alias_host - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a hostname is not clear.Also it captures the Device Hostname. Any Hostname - that isnt ad.computer. 
- - name: domain - overwrite: true - type: keyword - - name: host_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Hostname" - - name: network_service - overwrite: true - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of an interface is not clear - - name: network_port - overwrite: true - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently - used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - overwrite: true - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Interface" - - name: dinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Interface" - - name: vlan - overwrite: true - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Zone." - - name: zone - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a Zone is not clear - - name: zone_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Zone." - - name: gateway - overwrite: true - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - overwrite: true - type: long - description: This key is used to capture the ICMP type only - - name: mask - overwrite: true - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - overwrite: true - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - overwrite: true - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - overwrite: true - type: keyword - description: This key is used for Destionation Device network mask - - name: port - overwrite: true - type: long - description: This key should only be used to capture a Network Port when the - directionality is not clear - - name: smask - overwrite: true - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - overwrite: true - type: keyword - description: This key is used to capture the network name associated with an - IP range. This is configured by the end user. - - name: paddr - overwrite: true - type: ip - description: Deprecated - - name: faddr - overwrite: true - type: keyword - - name: lhost - overwrite: true - type: keyword - - name: origin - overwrite: true - type: keyword - - name: remote_domain_id - overwrite: true - type: keyword - - name: addr - overwrite: true - type: keyword - - name: dns_a_record - overwrite: true - type: keyword - - name: dns_ptr_record - overwrite: true - type: keyword - - name: fhost - overwrite: true - type: keyword - - name: fport - overwrite: true - type: keyword - - name: laddr - overwrite: true - type: keyword - - name: linterface - overwrite: true - type: keyword - - name: phost - overwrite: true - type: keyword - - name: ad_computer_dst - overwrite: true - type: keyword - description: Deprecated, use host.dst - - name: eth_type - overwrite: true - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols - Only - - name: ip_proto - overwrite: true - type: long - description: This key should be used to capture the Protocol number, all the - protocol nubers are converted into string in UI - - name: dns_cname_record - overwrite: true - 
type: keyword - - name: dns_id - overwrite: true - type: keyword - - name: dns_opcode - overwrite: true - type: keyword - - name: dns_resp - overwrite: true - type: keyword - - name: dns_type - overwrite: true - type: keyword - - name: domain1 - overwrite: true - type: keyword - - name: host_type - overwrite: true - type: keyword - - name: packet_length - overwrite: true - type: keyword - - name: host_orig - overwrite: true - type: keyword - description: This is used to capture the original hostname in case of a Forwarding - Agent or a Proxy in between. - - name: rpayload - overwrite: true - type: keyword - description: This key is used to capture the total number of payload bytes seen - in the retransmitted packets. - - name: vlan_name - overwrite: true - type: keyword - description: This key should only be used to capture the name of the Virtual - LAN - - name: investigations - overwrite: true - type: group - fields: - - name: ec_activity - overwrite: true - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - overwrite: true - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - overwrite: true - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - overwrite: true - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - overwrite: true - type: long - description: This key captures the Event category number - - name: event_cat_name - overwrite: true - type: keyword - description: This key captures the event category name corresponding to the - event cat code - - name: event_vcat - overwrite: true - type: keyword - description: This is a vendor supplied category. This should be used in situations - where the vendor has adopted their own event_category taxonomy. 
- - name: analysis_file - overwrite: true - type: keyword - description: This is used to capture all indicators used in a File Analysis. - This key should be used to capture an analysis of a file - - name: analysis_service - overwrite: true - type: keyword - description: This is used to capture all indicators used in a Service Analysis. - This key should be used to capture an analysis of a service - - name: analysis_session - overwrite: true - type: keyword - description: This is used to capture all indicators used for a Session Analysis. - This key should be used to capture an analysis of a session - - name: boc - overwrite: true - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - overwrite: true - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - overwrite: true - type: keyword - description: This used to capture investigation category - - name: inv_context - overwrite: true - type: keyword - description: This used to capture investigation context - - name: ioc - overwrite: true - type: keyword - description: This is key capture indicator of compromise - - name: counters - overwrite: true - type: group - fields: - - name: dclass_c1 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c1.str only - - name: dclass_c2 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c2.str only - - name: event_counter - overwrite: true - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r1.str only - - name: dclass_c3 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c3.str only - - name: dclass_c1_str - 
overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c1 only - - name: dclass_c2_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c2 only - - name: dclass_r1_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r1 only - - name: dclass_r2 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r2.str only - - name: dclass_c3_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c3 only - - name: dclass_r3 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r3.str only - - name: dclass_r2_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r2 only - - name: dclass_r3_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r3 only - - name: identity - overwrite: true - type: group - fields: - - name: auth_method - overwrite: true - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - overwrite: true - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - overwrite: true - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - overwrite: true - type: keyword - description: This key is used to capture the type of logon method used. 
- - name: profile - overwrite: true - type: keyword - description: This key is used to capture the user profile - - name: accesses - overwrite: true - type: keyword - description: This key is used to capture actual privileges used in accessing - an object - - name: realm - overwrite: true - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - overwrite: true - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that - indicates a Source dn - - name: org - overwrite: true - type: keyword - description: This key captures the User organization - - name: dn_dst - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that - indicates a Destination dn - - name: firstname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: lastname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: user_dept - overwrite: true - type: keyword - description: User's Department Names only - - name: user_sid_src - overwrite: true - type: keyword - description: This key captures Source User Session ID - - name: federated_sp - overwrite: true - type: keyword - description: This key is the Federated Service Provider. This is the application - requesting authentication. - - name: federated_idp - overwrite: true - type: keyword - description: This key is the federated Identity Provider. This is the server - providing the authentication. - - name: logon_type_desc - overwrite: true - type: keyword - description: This key is used to capture the textual description of an integer - logon type as stored in the meta key 'logon.type'. 
- - name: middlename - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: password - overwrite: true - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - overwrite: true - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - overwrite: true - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ - t have a clear query or response context" - - name: ldap_query - overwrite: true - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - overwrite: true - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - overwrite: true - type: keyword - description: This is used to capture username the process or service is running - as, the author of the task - - name: service_account - overwrite: true - type: keyword - description: This key is a windows specific key, used for capturing name of - the account a service (referenced in the event) is running under. Legacy Usage - - name: email - overwrite: true - type: group - fields: - - name: email_dst - overwrite: true - type: keyword - description: This key is used to capture the Destination email address only, - when the destination context is not clear use email - - name: email_src - overwrite: true - type: keyword - description: This key is used to capture the source email address only, when - the source context is not clear use email - - name: subject - overwrite: true - type: keyword - description: This key is used to capture the subject string from an Email only. 
- - name: email - overwrite: true - type: keyword - description: This key is used to capture a generic email address where the source - or destination context is not clear - - name: trans_from - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: file - overwrite: true - type: group - fields: - - name: privilege - overwrite: true - type: keyword - description: Deprecated, use permissions - - name: attachment - overwrite: true - type: keyword - description: This key captures the attachment file name - - name: filesystem - overwrite: true - type: keyword - - name: binary - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: filename_dst - overwrite: true - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - overwrite: true - type: keyword - description: This is used to capture name of the parent filename, the file which - performed the action - - name: filename_tmp - overwrite: true - type: keyword - - name: directory_dst - overwrite: true - type: keyword - description: This key is used to capture the directory of the target process - or file - - name: directory_src - overwrite: true - type: keyword - description: This key is used to capture the directory of the source process - or file - - name: file_entropy - overwrite: true - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - overwrite: true - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - overwrite: true - type: keyword - description: This is used to capture name of the task - - name: web - overwrite: true - type: group - fields: - - name: fqdn - overwrite: true - type: keyword - description: Fully Qualified Domain Names - - 
name: web_cookie - overwrite: true - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - overwrite: true - type: keyword - - name: reputation_num - overwrite: true - type: double - description: Reputation Number of an entity. Typically used for Web Domains - - name: web_ref_domain - overwrite: true - type: keyword - description: Web referer's domain - - name: web_ref_query - overwrite: true - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - overwrite: true - type: keyword - - name: web_ref_page - overwrite: true - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - overwrite: true - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - overwrite: true - type: keyword - - name: cn_rpackets - overwrite: true - type: keyword - - name: urlpage - overwrite: true - type: keyword - - name: urlroot - overwrite: true - type: keyword - - name: p_url - overwrite: true - type: keyword - - name: p_user_agent - overwrite: true - type: keyword - - name: p_web_cookie - overwrite: true - type: keyword - - name: p_web_method - overwrite: true - type: keyword - - name: p_web_referer - overwrite: true - type: keyword - - name: web_extension_tmp - overwrite: true - type: keyword - - name: web_page - overwrite: true - type: keyword - - name: threat - overwrite: true - type: group - fields: - - name: threat_category - overwrite: true - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of - alert - - name: threat_desc - overwrite: true - type: keyword - description: This key is used to capture the threat description from the session - directly or inferred - - name: alert - overwrite: true - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - overwrite: true - type: keyword - description: This key is used to 
capture source of the threat - - name: crypto - overwrite: true - type: group - fields: - - name: crypto - overwrite: true - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key - only - - name: cipher_src - overwrite: true - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - overwrite: true - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - overwrite: true - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - overwrite: true - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - overwrite: true - type: keyword - description: IKE negotiation phase. - - name: scheme - overwrite: true - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - overwrite: true - type: keyword - description: "This key is for Encryption peer\u2019s identity" - - name: sig_type - overwrite: true - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - overwrite: true - type: keyword - - name: cert_host_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: cert_error - overwrite: true - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - overwrite: true - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - overwrite: true - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - overwrite: true - type: keyword - description: Deprecated, use version - - name: d_certauth - overwrite: true - type: keyword - - name: s_certauth - overwrite: true - type: keyword - - name: ike_cookie1 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - - name: ike_cookie2 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - - name: cert_checksum - overwrite: true - type: keyword - - name: cert_host_cat - overwrite: true - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - overwrite: true - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - overwrite: true - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - overwrite: true - type: keyword - description: Deprecated, use version - - name: cert_keysize - overwrite: true - type: keyword - - name: cert_username - overwrite: true - type: keyword - - name: https_insact - overwrite: true - type: keyword - - name: https_valid - overwrite: true - type: keyword - - name: cert_ca - overwrite: true - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - overwrite: true - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - overwrite: true - type: group - fields: - - name: wlan_ssid - overwrite: true - type: keyword - description: This key is 
used to capture the ssid of a Wireless Session - - name: access_point - overwrite: true - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - overwrite: true - type: long - description: This is used to capture the channel names - - name: wlan_name - overwrite: true - type: keyword - description: This key captures either WLAN number/name - - name: storage - overwrite: true - type: group - fields: - - name: disk_volume - overwrite: true - type: keyword - description: A unique name assigned to logical units (volumes) within a physical - disk - - name: lun - overwrite: true - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - overwrite: true - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - overwrite: true - type: group - fields: - - name: org_dst - overwrite: true - type: keyword - description: This is used to capture the destination organization based on the - GEOPIP Maxmind database. - - name: org_src - overwrite: true - type: keyword - description: This is used to capture the source organization based on the GEOPIP - Maxmind database. 
- - name: healthcare - overwrite: true - type: group - fields: - - name: patient_fname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_id - overwrite: true - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_mname - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: endpoint - overwrite: true - type: group - fields: - - name: host_state - overwrite: true - type: keyword - description: This key is used to capture the current state of the machine, such - as blacklisted, infected, firewall - disabled and so on - - name: registry_key - overwrite: true - type: keyword - description: This key captures the path to the registry key - - name: registry_value - overwrite: true - type: keyword - description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/sonicwall/firewall/config/input.yml b/x-pack/filebeat/module/sonicwall/firewall/config/input.yml deleted file mode 100644 index a90a84dc451..00000000000 --- a/x-pack/filebeat/module/sonicwall/firewall/config/input.yml +++ /dev/null 
@@ -1,87 +0,0 @@ -{{ if eq .input "file" }} - -type: log -paths: - {{ range $i, $path := .paths }} -- {{$path}} - {{ end }} -exclude_files: [".gz$"] - -{{ else }} - -type: {{.input}} -host: "{{.syslog_host}}:{{.syslog_port}}" - -{{ end }} - -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} - -fields_under_root: true -fields: - observer: - vendor: "Sonicwall" - product: "Firewalls" - type: "Firewall" - -processors: -- script: - lang: javascript - params: - ecs: true - rsa: {{.rsa_fields}} - tz_offset: {{.tz_offset}} - keep_raw: {{.keep_raw_fields}} - debug: {{.debug}} - files: - - ${path.home}/module/sonicwall/firewall/config/liblogparser.js - - ${path.home}/module/sonicwall/firewall/config/pipeline.js -{{ if .community_id }} -- community_id: ~ -{{ end }} -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - 
ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_fields: - target: '' - fields: - ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js b/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js deleted file mode 100644 index b35eaa3ddce..00000000000 --- a/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js +++ /dev/null 
@@ -1,2514 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -/* jshint -W014,-W016,-W097,-W116 */ - -var processor = require("processor"); -var console = require("console"); - -var FLAG_FIELD = "log.flags"; -var FIELDS_OBJECT = "nwparser"; -var FIELDS_PREFIX = FIELDS_OBJECT + "."; - -var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true -}; - -var saved_flags = null; -var debug; -var map_ecs; -var map_rsa; -var keep_raw; -var device; -var tz_offset; -var strip_priority; - -// Register params from configuration. -function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); -} - -function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } -} - -function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); -} - -function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); -} - -function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; -} - -function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; -} - -function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; -} - -var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); -})(); - -function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; -} - -function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } -} - -function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; -} - -function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; -} - -function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; -} - -function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; -} - -var start; - -function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); -} - -function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); -} - -function constant(value) { - return function (evt) { - return value; - }; -} - -function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; -} - -function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; -} - -// TODO: Implement -function DIRCHK(args) { - unimplemented("DIRCHK"); -} - -function strictToInt(str) { - return str * 1; -} - -function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - var result; - switch 
(args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; -} - -var quoteChars = "\"'`"; -function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; -} - -function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; -} - -function nop(evt) { -} - -function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); -} - -function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); -} - -function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; -} - -function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); -} - -function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; -} - -function setc(dst, value) { - return function (evt) { - evt.Put(FIELDS_PREFIX + dst, value); - }; 
-} - -function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; -} - -function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; -} - -function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; -} - -function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; -} - -// Make two-digit dates 00-69 interpreted as 2000-2069 -// and dates 70-99 translated to 1970-1999. -var twoDigitYearEpoch = 70; -var twoDigitYearCentury = 2000; - -// This is to accept dates up to 2 days in the future, only used when -// no year is specified in a date. 2 days should be enough to account for -// time differences between systems and different tz offsets. -var maxFutureDelta = 2*24*60*60*1000; - -// DateContainer stores date fields and then converts those fields into -// a Date. Necessary because building a Date using its set() methods gives -// different results depending on the order of components. -function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; -} - -DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } -} - -function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; -} - -function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; -} - -function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; -} - -var uA = 60 * 60 * 24; -var uD = 60 * 60 * 24; -var uF = 60 * 60; -var uG = 60 * 60 * 24 * 30; -var uH = 60 * 60; -var uI = 60 * 60; -var uJ = 60 * 60 * 24; -var uM = 60 * 60 * 24 * 30; -var uN = 60 * 60; -var uO = 1; -var uS = 1; -var uT = 60; -var uU = 60; -var uc = dc; - -function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; -} - -function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 5], - "dec": [11, 4], 
-}; - -// var dC = undefined; -var dR = dateMonthName(true); -var dB = dateMonthName(false); -var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); -var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); -var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); -var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); -var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); -var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 -var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); -var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); -var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); -var dP = parseAMPM; // AM|PM -var dQ = parseAMPM; // A.M.|P.M -var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); -var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); -var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); -var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); -var dZ = parseHMS; -var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - -// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. -// Only works if this modifier appears after the hour has been read from logs -// which is always the case in the 300 devices. 
-function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; -} - -function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); -} - -function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; -} - -function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; -} - -function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; -} - -function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; -} - -function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; -} - -// Short month name (Jan..Dec). -function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; -} - -function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; -} - -// The following regular expression for parsing URLs from: -// https://github.com/wizard04wsu/URI_Parsing -// -// The MIT License (MIT) -// -// Copyright (c) 2014 Andrew Harrison -// -// Permission is hereby granted, free of charge, to any person obtaining a copy of -// this software and associated documentation files (the "Software"), to deal in -// the Software without restriction, including without limitation the rights to -// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -// the Software, and to permit persons to whom the Software is furnished to do so, -// subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
-var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - -var uriScheme = 1; -var uriDomain = 5; -var uriPort = 6; -var uriPath = 7; -var uriPathAlt = 9; -var uriQuery = 11; - -function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); -} - -function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; -} - -function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; -} - -var extFromPage = /\.[^.]+$/; -function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } -} - -function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); -} - -function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); -} - -var pageFromPathRegExp = /\/([^\/]+)$/; -var pageName = 1; - -function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; -} - -function page(dst, src) { - return url_wrapper(dst, src, extract_page); -} - -function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; -} - -function path(dst, src) { - return url_wrapper(dst, src, extract_path); -} - -// Map common schemes to their default port. -// port has to be a string (will be converted at a later stage). 
-var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", -}; - -function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } -} - -function port(dst, src) { - return url_wrapper(dst, src, extract_port); -} - -function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; -} - -function query(dst, src) { - return url_wrapper(dst, src, extract_query); -} - -function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } -} - -function root(dst, src) { - return url_wrapper(dst, src, extract_root); -} - -function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } -} - -var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, -}; - -var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, 
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, -}; - -function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } -} - -// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. -var maxSafeInt = Math.pow(2, 53) - 1; -var minSafeInt = -maxSafeInt; - -function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; -} - -function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); -} - -var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; -var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - -function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; -} - -function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; -} - -function to_double(value) { - return parseFloat(value); -} - -function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; -} - -function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; -} - -function fld_set(dst, value) { - dst[this.field] = { v: value }; -} - -function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } -} - -function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } -} - -var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true -}; - -function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } -} - -function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } -} - -function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); -} - -var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, -]; - -function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - tzOffset = 
evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} n=%{fld2->} src=%{p0}"); - -var dup8 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); - -var dup9 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); - -var dup10 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}"); - -var dup11 = date_time({ - dest: "event_time", - args: ["hdate","htime"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], - ], -}); - -var dup12 = setc("eventcategory","1502010000"); - -var dup13 = setc("eventcategory","1502020000"); - -var dup14 = setc("eventcategory","1002010000"); - -var dup15 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); - -var dup16 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); - -var dup17 = match("MESSAGE#28:23:01/2", "nwparser.p0", "%{p0}"); - -var dup18 = setf("hostip","hhostip"); - -var dup19 = setf("id","hid"); - -var dup20 = setf("serial_number","hserial_number"); - -var dup21 = setf("category","hcategory"); - -var dup22 = setf("severity","hseverity"); - -var dup23 = setc("eventcategory","1805010000"); - -var dup24 = call({ - dest: "nwparser.msg", - fn: RMQ, - args: [ - field("msg"), - ], -}); - -var dup25 = setc("eventcategory","1302000000"); - -var dup26 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); - -var dup27 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); - -var dup28 = match("MESSAGE#38:29:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); - -var dup29 = match("MESSAGE#38:29:01/2_1", "nwparser.p0", "%{daddr->} "); - -var dup30 = setc("eventcategory","1401050100"); - -var dup31 = setc("eventcategory","1401030000"); - -var dup32 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); - -var dup33 = 
setc("eventcategory","1301020000"); - -var dup34 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); - -var dup35 = match("MESSAGE#52:35:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}"); - -var dup36 = match_copy("MESSAGE#52:35:01/2_1", "nwparser.p0", "daddr"); - -var dup37 = match("MESSAGE#54:36:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{p0}"); - -var dup38 = match("MESSAGE#54:36:01/1_1", "nwparser.p0", "n=%{p0}"); - -var dup39 = match("MESSAGE#54:36:01/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); - -var dup40 = match("MESSAGE#54:36:01/3_1", "nwparser.p0", "%{saddr->} %{p0}"); - -var dup41 = match("MESSAGE#54:36:01/4", "nwparser.p0", "dst= %{p0}"); - -var dup42 = match("MESSAGE#54:36:01/7_1", "nwparser.p0", "rule=%{rule}"); - -var dup43 = match("MESSAGE#54:36:01/7_2", "nwparser.p0", "proto=%{protocol}"); - -var dup44 = date_time({ - dest: "event_time", - args: ["date","time"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], - ], -}); - -var dup45 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); - -var dup46 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); - -var dup47 = match_copy("MESSAGE#55:36:02/6", "nwparser.p0", "info"); - -var dup48 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} proto= %{p0}"); - -var dup49 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{dinterface->} proto= %{p0}"); - -var dup50 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{protocol->} npcs=%{info}"); - -var dup51 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); - -var dup52 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} type= %{p0}"); - -var dup53 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{dinterface->} type= %{p0}"); - -var dup54 = match("MESSAGE#64:38:03/0", "nwparser.payload", 
"msg=\"%{event_description}\"%{p0}"); - -var dup55 = match("MESSAGE#64:38:03/1_0", "nwparser.p0", " app=%{fld2->} appName=\"%{application}\"%{p0}"); - -var dup56 = match_copy("MESSAGE#64:38:03/1_1", "nwparser.p0", "p0"); - -var dup57 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); - -var dup58 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); - -var dup59 = setc("ec_subject","NetworkComm"); - -var dup60 = setc("ec_activity","Deny"); - -var dup61 = setc("ec_theme","Communication"); - -var dup62 = setf("msg","$MSG"); - -var dup63 = setc("action","dropped"); - -var dup64 = setc("eventcategory","1608010000"); - -var dup65 = setc("eventcategory","1302010000"); - -var dup66 = setc("eventcategory","1301000000"); - -var dup67 = setc("eventcategory","1001000000"); - -var dup68 = setc("eventcategory","1003030000"); - -var dup69 = setc("eventcategory","1003050000"); - -var dup70 = setc("eventcategory","1103000000"); - -var dup71 = setc("eventcategory","1603110000"); - -var dup72 = setc("eventcategory","1605020000"); - -var dup73 = match("MESSAGE#126:89:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); - -var dup74 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); - -var dup75 = match("MESSAGE#135:97:01/6_0", "nwparser.p0", "result=%{result->} dstname=%{p0}"); - -var dup76 = match("MESSAGE#135:97:01/6_1", "nwparser.p0", "dstname=%{p0}"); - -var dup77 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); - -var dup78 = setc("eventcategory","1801000000"); - -var dup79 = match("MESSAGE#141:97:07/1_1", "nwparser.p0", "%{dinterface->} srcMac=%{p0}"); - -var dup80 = match("MESSAGE#147:98:01/6_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); - -var dup81 = match("MESSAGE#147:98:01/7_4", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes}"); - -var dup82 = match("MESSAGE#148:98:06/0", "nwparser.payload", 
"msg=\"%{event_description}\" %{p0}"); - -var dup83 = match("MESSAGE#148:98:06/5_0", "nwparser.p0", "%{sinterface}:%{shost->} dst= %{p0}"); - -var dup84 = match("MESSAGE#148:98:06/5_1", "nwparser.p0", "%{sinterface->} dst= %{p0}"); - -var dup85 = match("MESSAGE#148:98:06/7_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); - -var dup86 = match("MESSAGE#148:98:06/9_3", "nwparser.p0", "sent=%{sbytes}"); - -var dup87 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); - -var dup88 = setf("id","hfld1"); - -var dup89 = setc("eventcategory","1001020309"); - -var dup90 = setc("eventcategory","1303000000"); - -var dup91 = setc("eventcategory","1801010100"); - -var dup92 = setc("eventcategory","1604010000"); - -var dup93 = setc("eventcategory","1002020000"); - -var dup94 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} npcs= %{p0}"); - -var dup95 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{dinterface->} npcs= %{p0}"); - -var dup96 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{info}"); - -var dup97 = setc("eventcategory","1001010000"); - -var dup98 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} note= %{p0}"); - -var dup99 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{dinterface->} note= %{p0}"); - -var dup100 = match("MESSAGE#256:180:01/4", "nwparser.p0", "\"%{fld3}\" npcs=%{info}"); - -var dup101 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); - -var dup102 = match("MESSAGE#260:194/1_1", "nwparser.p0", "rcvd=%{rbytes}"); - -var dup103 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); - -var dup104 = match("MESSAGE#262:196/1_1", "nwparser.p0", "rcvd=%{rbytes->} cmd=%{p0}"); - -var dup105 = match_copy("MESSAGE#262:196/2", "nwparser.p0", "method"); - -var dup106 = 
setc("eventcategory","1401060000"); - -var dup107 = setc("eventcategory","1804000000"); - -var dup108 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); - -var dup109 = setc("eventcategory","1401070000"); - -var dup110 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); - -var dup111 = setc("eventcategory","1801030000"); - -var dup112 = setc("eventcategory","1402020300"); - -var dup113 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); - -var dup114 = match("MESSAGE#302:401/1_0", "nwparser.p0", "dstname=%{name}"); - -var dup115 = match_copy("MESSAGE#302:401/1_1", "nwparser.p0", "space"); - -var dup116 = setc("eventcategory","1402000000"); - -var dup117 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); - -var dup118 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); - -var dup119 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); - -var dup120 = setc("eventcategory","1803020000"); - -var dup121 = match("MESSAGE#318:522:01/4", "nwparser.p0", "proto=%{protocol->} npcs=%{info}"); - -var dup122 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); - -var dup123 = match_copy("MESSAGE#330:537:01/5_1", "nwparser.p0", "rbytes"); - -var dup124 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"n=%{p0}"); - -var dup125 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", " app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); - -var dup126 = match("MESSAGE#332:537:08/1_2", "nwparser.p0", " app=%{fld51}n=%{p0}"); - -var dup127 = match("MESSAGE#332:537:08/2_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); - -var dup128 = match("MESSAGE#332:537:08/2_1", "nwparser.p0", "%{fld1}src=%{p0}"); - -var dup129 = match("MESSAGE#332:537:08/6_0", 
"nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}"); - -var dup130 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}"); - -var dup131 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7}"); - -var dup132 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7}"); - -var dup133 = match_copy("MESSAGE#332:537:08/7_4", "nwparser.p0", "fld3"); - -var dup134 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); - -var dup135 = match("MESSAGE#336:537:04/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); - -var dup136 = match("MESSAGE#336:537:04/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); - -var dup137 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); - -var dup138 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "usr=\"%{username}\" %{p0}"); - -var dup139 = match("MESSAGE#338:537:10/2", "nwparser.p0", "src=%{p0}"); - -var dup140 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); - -var dup141 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); - -var dup142 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info}"); - -var dup143 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12}"); - -var dup144 = setc("event_description","Connection Closed"); - -var dup145 = setc("eventcategory","1801020000"); - -var dup146 = setc("ec_activity","Permit"); - -var dup147 = setc("action","allowed"); - -var dup148 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}"); - -var dup149 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); - -var dup150 = match("MESSAGE#361:606/1_0", 
"nwparser.p0", "%{dport}:%{dinterface->} srcMac=%{p0}"); - -var dup151 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{dport->} srcMac=%{p0}"); - -var dup152 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); - -var dup153 = match("MESSAGE#362:608/4", "nwparser.p0", "%{daddr}:%{p0}"); - -var dup154 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}"); - -var dup155 = match_copy("MESSAGE#362:608/5_2", "nwparser.p0", "dport"); - -var dup156 = setc("eventcategory","1001030500"); - -var dup157 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); - -var dup158 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{p0}"); - -var dup159 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); - -var dup160 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); - -var dup161 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); - -var dup162 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); - -var dup163 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); - -var dup164 = match_copy("MESSAGE#366:712:02/5", "nwparser.p0", "fld51"); - -var dup165 = setc("eventcategory","1801010000"); - -var dup166 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{p0}"); - -var dup167 = match("MESSAGE#391:908/1_1", "nwparser.p0", "%{sinterface->} dst=%{p0}"); - -var dup168 = match("MESSAGE#391:908/2", "nwparser.p0", "%{} %{daddr}:%{p0}"); - -var dup169 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); - -var dup170 = setc("eventcategory","1003010000"); - -var dup171 = setc("eventcategory","1609000000"); - -var dup172 = 
setc("eventcategory","1204000000"); - -var dup173 = setc("eventcategory","1602000000"); - -var dup174 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); - -var dup175 = setc("eventcategory","1803000000"); - -var dup176 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); - -var dup177 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{dport}:%{dinterface->} note=%{p0}"); - -var dup178 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{dport->} note=%{p0}"); - -var dup179 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); - -var dup180 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); - -var dup181 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); - -var dup182 = linear_select([ - dup8, - dup9, -]); - -var dup183 = linear_select([ - dup15, - dup16, -]); - -var dup184 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ - dup1, - dup24, -])); - -var dup185 = linear_select([ - dup26, - dup27, -]); - -var dup186 = linear_select([ - dup28, - dup29, -]); - -var dup187 = linear_select([ - dup35, - dup36, -]); - -var dup188 = linear_select([ - dup37, - dup38, -]); - -var dup189 = linear_select([ - dup39, - dup40, -]); - -var dup190 = linear_select([ - dup26, - dup46, -]); - -var dup191 = linear_select([ - dup48, - dup49, -]); - -var dup192 = linear_select([ - dup52, - dup53, -]); - -var dup193 = linear_select([ - dup55, - dup56, -]); - -var dup194 = linear_select([ - dup57, - dup58, -]); - -var dup195 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ - dup70, -])); - -var dup196 = 
match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ - dup5, -])); - -var dup197 = linear_select([ - dup75, - dup76, -]); - -var dup198 = linear_select([ - dup83, - dup84, -]); - -var dup199 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ - dup1, -])); - -var dup200 = linear_select([ - dup94, - dup95, -]); - -var dup201 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ - dup5, -])); - -var dup202 = linear_select([ - dup98, - dup99, -]); - -var dup203 = linear_select([ - dup86, - dup102, -]); - -var dup204 = linear_select([ - dup103, - dup104, -]); - -var dup205 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup93, -])); - -var dup206 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup93, -])); - -var dup207 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup1, -])); - -var dup208 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ - dup1, -])); - -var dup209 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ - dup1, - dup24, -])); - -var dup210 = linear_select([ - dup114, - dup115, -]); - -var dup211 = linear_select([ - dup117, - dup118, -]); - -var dup212 = linear_select([ - dup43, - dup42, -]); - -var 
dup213 = linear_select([ - dup8, - dup27, -]); - -var dup214 = linear_select([ - dup8, - dup26, - dup46, -]); - -var dup215 = linear_select([ - dup80, - dup15, - dup16, -]); - -var dup216 = linear_select([ - dup124, - dup125, - dup126, - dup38, -]); - -var dup217 = linear_select([ - dup127, - dup128, -]); - -var dup218 = linear_select([ - dup129, - dup130, -]); - -var dup219 = linear_select([ - dup135, - dup136, - dup137, -]); - -var dup220 = linear_select([ - dup138, - dup56, -]); - -var dup221 = linear_select([ - dup140, - dup141, -]); - -var dup222 = linear_select([ - dup142, - dup143, -]); - -var dup223 = linear_select([ - dup150, - dup151, -]); - -var dup224 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup156, -])); - -var dup225 = linear_select([ - dup158, - dup38, -]); - -var dup226 = linear_select([ - dup160, - dup161, -]); - -var dup227 = linear_select([ - dup162, - dup163, -]); - -var dup228 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ - dup5, -])); - -var dup229 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ - dup5, -])); - -var dup230 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ - dup5, - dup24, -])); - -var dup231 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ - dup1, - dup24, -])); - -var dup232 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ - dup1, - dup24, -])); - -var dup233 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} 
fw_action=\"%{action}\"", processor_chain([ - dup171, - dup44, -])); - -var dup234 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ - dup1, -])); - -var dup235 = linear_select([ - dup177, - dup178, -]); - -var dup236 = linear_select([ - dup180, - dup181, -]); - -var dup237 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup1, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, -])); - -var dup238 = all_match({ - processors: [ - dup32, - dup185, - dup186, - ], - on_success: processor_chain([ - dup31, - ]), -}); - -var dup239 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup91, - ]), -}); - -var dup240 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup67, - ]), -}); - -var dup241 = all_match({ - processors: [ - dup101, - dup203, - ], - on_success: processor_chain([ - dup67, - ]), -}); - -var dup242 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup106, - ]), -}); - -var dup243 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup31, - ]), -}); - -var dup244 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup30, - ]), -}); - -var dup245 = all_match({ - processors: [ - dup108, - dup185, - dup187, - ], - on_success: processor_chain([ - dup109, - ]), -}); - -var dup246 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - dup112, - ]), -}); - -var dup247 = all_match({ - processors: [ - dup113, - dup210, - ], - on_success: processor_chain([ - dup93, - ]), -}); - -var dup248 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - dup116, - ]), -}); - -var dup249 = all_match({ - 
processors: [ - dup51, - dup189, - dup41, - dup187, - ], - on_success: processor_chain([ - dup5, - ]), -}); - -var dup250 = all_match({ - processors: [ - dup73, - dup185, - dup183, - dup43, - ], - on_success: processor_chain([ - dup1, - ]), -}); - -var dup251 = all_match({ - processors: [ - dup157, - dup225, - dup159, - dup226, - dup227, - dup164, - ], - on_success: processor_chain([ - dup156, - dup59, - dup60, - dup61, - dup62, - dup44, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), -}); - -var dup252 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup202, - dup100, - ], - on_success: processor_chain([ - dup1, - ]), -}); - -var dup253 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup1, - ]), -}); - -var hdr1 = match("HEADER#0:0001", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ - setc("header_id","0001"), -])); - -var hdr2 = match("HEADER#1:0002", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} %{messageid}= %{p0}", processor_chain([ - setc("header_id","0002"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant("= "), - field("p0"), - ], - }), -])); - -var hdr3 = match("HEADER#2:0003", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{hdate->} %{htime}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ - setc("header_id","0003"), -])); - -var hdr4 = match("HEADER#3:0004", "message", "%{hfld20->} id=%{hfld1->} sn=%{hserial_number->} time=\"%{hdate->} %{htime}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ - setc("header_id","0004"), -])); - -var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, -]); - -var part1 = 
match("MESSAGE#0:4", "nwparser.payload", "SonicWALL activated%{}", processor_chain([ - dup1, -])); - -var msg1 = msg("4", part1); - -var part2 = match("MESSAGE#1:5", "nwparser.payload", "Log Cleared%{}", processor_chain([ - dup1, -])); - -var msg2 = msg("5", part2); - -var part3 = match("MESSAGE#2:5:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ - dup1, -])); - -var msg3 = msg("5:01", part3); - -var select2 = linear_select([ - msg2, - msg3, -]); - -var part4 = match("MESSAGE#3:6", "nwparser.payload", "Log successfully sent via email%{}", processor_chain([ - dup1, -])); - -var msg4 = msg("6", part4); - -var part5 = match("MESSAGE#4:6:01", "nwparser.payload", "msg=\"Log successfully sent via email\" n=%{fld1}", processor_chain([ - dup1, -])); - -var msg5 = msg("6:01", part5); - -var select3 = linear_select([ - msg4, - msg5, -]); - -var part6 = match("MESSAGE#5:7", "nwparser.payload", "Log full; deactivating SonicWALL%{}", processor_chain([ - dup2, -])); - -var msg6 = msg("7", part6); - -var part7 = match("MESSAGE#6:8", "nwparser.payload", "New Filter list loaded%{}", processor_chain([ - dup3, -])); - -var msg7 = msg("8", part7); - -var part8 = match("MESSAGE#7:9", "nwparser.payload", "No new Filter list available%{}", processor_chain([ - dup4, -])); - -var msg8 = msg("9", part8); - -var part9 = match("MESSAGE#8:10", "nwparser.payload", "Problem loading the Filter list; check Filter settings%{}", processor_chain([ - dup4, -])); - -var msg9 = msg("10", part9); - -var part10 = match("MESSAGE#9:11", "nwparser.payload", "Problem loading the Filter list; check your DNS server%{}", processor_chain([ - dup4, -])); - -var msg10 = msg("11", part10); - -var part11 = match("MESSAGE#10:12", "nwparser.payload", "Problem sending log email; check log settings%{}", processor_chain([ - dup5, -])); - -var msg11 = msg("12", part11); - -var part12 = match("MESSAGE#11:12:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ - dup5, -])); - -var 
msg12 = msg("12:01", part12); - -var select4 = linear_select([ - msg11, - msg12, -]); - -var part13 = match("MESSAGE#12:13", "nwparser.payload", "Restarting SonicWALL; dumping log to email%{}", processor_chain([ - dup1, -])); - -var msg13 = msg("13", part13); - -var part14 = match("MESSAGE#13:14/0_0", "nwparser.payload", "msg=\"Web site access denied\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstname=%{dhost->} arg=%{fld2->} code=%{icmpcode}"); - -var part15 = match("MESSAGE#13:14/0_1", "nwparser.payload", "Web site blocked%{}"); - -var select5 = linear_select([ - part14, - part15, -]); - -var all1 = all_match({ - processors: [ - select5, - ], - on_success: processor_chain([ - dup6, - setc("action","Web site access denied"), - ]), -}); - -var msg14 = msg("14", all1); - -var part16 = match("MESSAGE#14:14:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} code= %{p0}"); - -var part17 = match("MESSAGE#14:14:01/3_1", "nwparser.p0", "%{dinterface->} code= %{p0}"); - -var select6 = linear_select([ - part16, - part17, -]); - -var part18 = match("MESSAGE#14:14:01/4", "nwparser.p0", "%{fld3->} Category=%{fld4->} npcs=%{info}"); - -var all2 = all_match({ - processors: [ - dup7, - dup182, - dup10, - select6, - part18, - ], - on_success: processor_chain([ - dup6, - ]), -}); - -var msg15 = msg("14:01", all2); - -var part19 = match("MESSAGE#15:14:02", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup6, - dup11, -])); - -var msg16 = msg("14:02", part19); - -var part20 = match("MESSAGE#16:14:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" 
src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup6, - dup11, -])); - -var msg17 = msg("14:03", part20); - -var part21 = match("MESSAGE#17:14:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup6, - dup11, -])); - -var msg18 = msg("14:04", part21); - -var part22 = match("MESSAGE#18:14:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr}dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup6, - dup11, -])); - -var msg19 = msg("14:05", part22); - -var select7 = linear_select([ - msg14, - msg15, - msg16, - msg17, - msg18, - msg19, -]); - -var part23 = match("MESSAGE#19:15", "nwparser.payload", "Newsgroup blocked%{}", processor_chain([ - dup12, -])); - -var msg20 = msg("15", part23); - -var part24 = match("MESSAGE#20:16", "nwparser.payload", "Web site accessed%{}", processor_chain([ - dup13, -])); - -var msg21 = msg("16", part24); - -var part25 = match("MESSAGE#21:17", "nwparser.payload", "Newsgroup accessed%{}", processor_chain([ - dup13, -])); - -var msg22 = msg("17", part25); - -var part26 = match("MESSAGE#22:18", "nwparser.payload", "ActiveX blocked%{}", processor_chain([ - dup12, -])); - -var msg23 = msg("18", part26); - -var part27 = 
match("MESSAGE#23:19", "nwparser.payload", "Java blocked%{}", processor_chain([ - dup12, -])); - -var msg24 = msg("19", part27); - -var part28 = match("MESSAGE#24:20", "nwparser.payload", "ActiveX or Java archive blocked%{}", processor_chain([ - dup12, -])); - -var msg25 = msg("20", part28); - -var part29 = match("MESSAGE#25:21", "nwparser.payload", "Cookie removed%{}", processor_chain([ - dup1, -])); - -var msg26 = msg("21", part29); - -var part30 = match("MESSAGE#26:22", "nwparser.payload", "Ping of death blocked%{}", processor_chain([ - dup14, -])); - -var msg27 = msg("22", part30); - -var part31 = match("MESSAGE#27:23", "nwparser.payload", "IP spoof detected%{}", processor_chain([ - dup14, -])); - -var msg28 = msg("23", part31); - -var part32 = match("MESSAGE#28:23:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); - -var part33 = match("MESSAGE#28:23:01/3_0", "nwparser.p0", "- MAC address: %{p0}"); - -var part34 = match("MESSAGE#28:23:01/3_1", "nwparser.p0", "mac= %{p0}"); - -var select8 = linear_select([ - part33, - part34, -]); - -var part35 = match("MESSAGE#28:23:01/4", "nwparser.p0", "%{smacaddr}"); - -var all3 = all_match({ - processors: [ - part32, - dup183, - dup17, - select8, - part35, - ], - on_success: processor_chain([ - dup14, - ]), -}); - -var msg29 = msg("23:01", all3); - -var part36 = match("MESSAGE#29:23:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} - MAC address: %{smacaddr}", processor_chain([ - dup14, -])); - -var msg30 = msg("23:02", part36); - -var part37 = match("MESSAGE#30:23:03/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}"); - -var part38 = match("MESSAGE#30:23:03/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} srcMac= %{p0}"); - -var part39 = match("MESSAGE#30:23:03/1_1", "nwparser.p0", "%{dinterface->} srcMac= %{p0}"); - -var select9 = linear_select([ - 
part38, - part39, -]); - -var part40 = match("MESSAGE#30:23:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}"); - -var all4 = all_match({ - processors: [ - part37, - select9, - part40, - ], - on_success: processor_chain([ - dup14, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), -}); - -var msg31 = msg("23:03", all4); - -var select10 = linear_select([ - msg28, - msg29, - msg30, - msg31, -]); - -var part41 = match("MESSAGE#31:24", "nwparser.payload", "Illegal LAN address in use%{}", processor_chain([ - dup23, -])); - -var msg32 = msg("24", part41); - -var msg33 = msg("24:01", dup184); - -var select11 = linear_select([ - msg32, - msg33, -]); - -var part42 = match("MESSAGE#32:25", "nwparser.payload", "Possible SYN flood attack%{}", processor_chain([ - dup14, -])); - -var msg34 = msg("25", part42); - -var part43 = match("MESSAGE#33:26", "nwparser.payload", "Probable SYN flood attack%{}", processor_chain([ - dup14, -])); - -var msg35 = msg("26", part43); - -var part44 = match("MESSAGE#34:27", "nwparser.payload", "Land Attack Dropped%{}", processor_chain([ - dup14, -])); - -var msg36 = msg("27", part44); - -var part45 = match("MESSAGE#35:28", "nwparser.payload", "Fragmented Packet Dropped%{}", processor_chain([ - dup14, -])); - -var msg37 = msg("28", part45); - -var part46 = match("MESSAGE#36:28:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ - dup14, -])); - -var msg38 = msg("28:01", part46); - -var select12 = linear_select([ - msg37, - msg38, -]); - -var part47 = match("MESSAGE#37:29", "nwparser.payload", "Successful administrator login%{}", processor_chain([ - dup25, -])); - -var msg39 = msg("29", part47); - -var part48 = match("MESSAGE#38:29:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} usr=%{username->} src=%{p0}"); - -var all5 = all_match({ - processors: [ - part48, - dup185, - dup186, - ], - 
on_success: processor_chain([ - dup30, - ]), -}); - -var msg40 = msg("29:01", all5); - -var select13 = linear_select([ - msg39, - msg40, -]); - -var part49 = match("MESSAGE#39:30", "nwparser.payload", "Administrator login failed - incorrect password%{}", processor_chain([ - dup31, -])); - -var msg41 = msg("30", part49); - -var msg42 = msg("30:01", dup238); - -var select14 = linear_select([ - msg41, - msg42, -]); - -var part50 = match("MESSAGE#41:31", "nwparser.payload", "Successful user login%{}", processor_chain([ - dup25, -])); - -var msg43 = msg("31", part50); - -var all6 = all_match({ - processors: [ - dup32, - dup185, - dup186, - ], - on_success: processor_chain([ - dup25, - ]), -}); - -var msg44 = msg("31:01", all6); - -var part51 = match("MESSAGE#43:31:02", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup25, - dup11, -])); - -var msg45 = msg("31:02", part51); - -var part52 = match("MESSAGE#44:31:03", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration}n=%{fld1}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup25, - dup11, -])); - -var msg46 = msg("31:03", part52); - -var part53 = match("MESSAGE#45:31:04", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup25, - dup11, -])); - -var msg47 = msg("31:04", part53); - -var select15 = linear_select([ - msg43, - msg44, - msg45, - msg46, - msg47, -]); - -var part54 = match("MESSAGE#46:32", "nwparser.payload", "User login failed - incorrect password%{}", 
processor_chain([ - dup31, -])); - -var msg48 = msg("32", part54); - -var msg49 = msg("32:01", dup238); - -var select16 = linear_select([ - msg48, - msg49, -]); - -var part55 = match("MESSAGE#48:33", "nwparser.payload", "Unknown user attempted to log in%{}", processor_chain([ - dup33, -])); - -var msg50 = msg("33", part55); - -var all7 = all_match({ - processors: [ - dup34, - dup185, - dup186, - ], - on_success: processor_chain([ - dup31, - ]), -}); - -var msg51 = msg("33:01", all7); - -var select17 = linear_select([ - msg50, - msg51, -]); - -var part56 = match("MESSAGE#50:34", "nwparser.payload", "Login screen timed out%{}", processor_chain([ - dup5, -])); - -var msg52 = msg("34", part56); - -var part57 = match("MESSAGE#51:35", "nwparser.payload", "Attempted administrator login from WAN%{}", processor_chain([ - setc("eventcategory","1401040000"), -])); - -var msg53 = msg("35", part57); - -var all8 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - setc("eventcategory","1401050200"), - ]), -}); - -var msg54 = msg("35:01", all8); - -var select18 = linear_select([ - msg53, - msg54, -]); - -var part58 = match("MESSAGE#53:36", "nwparser.payload", "TCP connection dropped%{}", processor_chain([ - dup5, -])); - -var msg55 = msg("36", part58); - -var part59 = match("MESSAGE#54:36:01/0", "nwparser.payload", "msg=\"%{msg}\" %{p0}"); - -var part60 = match("MESSAGE#54:36:01/2", "nwparser.p0", "%{fld1->} src= %{p0}"); - -var part61 = match("MESSAGE#54:36:01/7_0", "nwparser.p0", "srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); - -var select19 = linear_select([ - part61, - dup42, - dup43, -]); - -var all9 = all_match({ - processors: [ - part59, - dup188, - part60, - dup189, - dup41, - dup183, - dup17, - select19, - ], - on_success: processor_chain([ - dup5, - dup44, - ]), -}); - -var msg56 = msg("36:01", all9); - -var part62 = match("MESSAGE#55:36:02/5_0", "nwparser.p0", "rule=%{rule->} 
npcs=%{p0}"); - -var part63 = match("MESSAGE#55:36:02/5_1", "nwparser.p0", "proto=%{protocol->} npcs=%{p0}"); - -var select20 = linear_select([ - part62, - part63, -]); - -var all10 = all_match({ - processors: [ - dup45, - dup190, - dup17, - dup183, - dup17, - select20, - dup47, - ], - on_success: processor_chain([ - dup5, - ]), -}); - -var msg57 = msg("36:02", all10); - -var select21 = linear_select([ - msg55, - msg56, - msg57, -]); - -var part64 = match("MESSAGE#56:37", "nwparser.payload", "UDP packet dropped%{}", processor_chain([ - dup5, -])); - -var msg58 = msg("37", part64); - -var part65 = match("MESSAGE#57:37:01/0", "nwparser.payload", "msg=\"UDP packet dropped\" %{p0}"); - -var part66 = match("MESSAGE#57:37:01/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); - -var part67 = match("MESSAGE#57:37:01/3_0", "nwparser.p0", "%{dport}proto=%{protocol->} fw_action=\"%{fld3}\""); - -var part68 = match("MESSAGE#57:37:01/3_1", "nwparser.p0", "%{dport}rule=%{rule}"); - -var select22 = linear_select([ - part67, - part68, -]); - -var all11 = all_match({ - processors: [ - part65, - dup188, - part66, - select22, - ], - on_success: processor_chain([ - dup5, - dup44, - ]), -}); - -var msg59 = msg("37:01", all11); - -var part69 = match("MESSAGE#58:37:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} rule=%{rule}", processor_chain([ - dup5, -])); - -var msg60 = msg("37:02", part69); - -var all12 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup191, - dup50, - ], - on_success: processor_chain([ - dup5, - ]), -}); - -var msg61 = msg("37:03", all12); - -var part70 = match("MESSAGE#60:37:04", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ - dup5, - dup11, -])); - -var msg62 = 
msg("37:04", part70); - -var select23 = linear_select([ - msg58, - msg59, - msg60, - msg61, - msg62, -]); - -var part71 = match("MESSAGE#61:38", "nwparser.payload", "ICMP packet dropped%{}", processor_chain([ - dup5, -])); - -var msg63 = msg("38", part71); - -var part72 = match("MESSAGE#62:38:01/5_0", "nwparser.p0", "type=%{type->} code=%{code}"); - -var select24 = linear_select([ - part72, - dup42, -]); - -var all13 = all_match({ - processors: [ - dup51, - dup189, - dup41, - dup183, - dup17, - select24, - ], - on_success: processor_chain([ - dup5, - ]), -}); - -var msg64 = msg("38:01", all13); - -var part73 = match("MESSAGE#63:38:02/4", "nwparser.p0", "%{fld3->} icmpCode=%{fld4->} npcs=%{info}"); - -var all14 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup192, - part73, - ], - on_success: processor_chain([ - dup5, - ]), -}); - -var msg65 = msg("38:02", all14); - -var part74 = match("MESSAGE#64:38:03/2", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); - -var part75 = match("MESSAGE#64:38:03/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\""); - -var all15 = all_match({ - processors: [ - dup54, - dup193, - part74, - dup194, - part75, - ], - on_success: processor_chain([ - dup5, - dup11, - dup19, - dup20, - dup21, - dup22, - ]), -}); - -var msg66 = msg("38:03", all15); - -var select25 = linear_select([ - msg63, - msg64, - msg65, - msg66, -]); - -var part76 = match("MESSAGE#65:39", "nwparser.payload", "PPTP packet dropped%{}", processor_chain([ - dup5, -])); - -var msg67 = msg("39", part76); - -var part77 = match("MESSAGE#66:40", "nwparser.payload", "IPSec packet dropped%{}", processor_chain([ - dup5, -])); - -var msg68 = msg("40", part77); - -var part78 = match("MESSAGE#67:41:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} 
dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=\"IP Protocol: %{dclass_counter1}\"", processor_chain([ - dup5, - dup59, - dup60, - dup61, - dup62, - dup11, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, -])); - -var msg69 = msg("41:01", part78); - -var part79 = match("MESSAGE#68:41:02", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport}:%{sinterface->} dst=%{dtransaddr}:%{dtransport}::%{dinterface}", processor_chain([ - dup5, -])); - -var msg70 = msg("41:02", part79); - -var part80 = match("MESSAGE#69:41:03", "nwparser.payload", "Unknown protocol dropped%{}", processor_chain([ - dup5, -])); - -var msg71 = msg("41:03", part80); - -var select26 = linear_select([ - msg69, - msg70, - msg71, -]); - -var part81 = match("MESSAGE#70:42", "nwparser.payload", "IPSec packet dropped; waiting for pending IPSec connection%{}", processor_chain([ - dup5, -])); - -var msg72 = msg("42", part81); - -var part82 = match("MESSAGE#71:43", "nwparser.payload", "IPSec connection interrupt%{}", processor_chain([ - dup5, -])); - -var msg73 = msg("43", part82); - -var part83 = match("MESSAGE#72:44", "nwparser.payload", "NAT could not remap incoming packet%{}", processor_chain([ - dup5, -])); - -var msg74 = msg("44", part83); - -var part84 = match("MESSAGE#73:45", "nwparser.payload", "ARP timeout%{}", processor_chain([ - dup5, -])); - -var msg75 = msg("45", part84); - -var part85 = match("MESSAGE#74:45:01", "nwparser.payload", "msg=\"ARP timeout\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup5, -])); - -var msg76 = msg("45:01", part85); - -var part86 = match("MESSAGE#75:45:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} npcs=%{info}", processor_chain([ - dup5, -])); - -var msg77 = msg("45:02", part86); - -var select27 = linear_select([ - msg75, - msg76, - msg77, -]); - -var part87 = match("MESSAGE#76:46:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} 
src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ - dup5, - dup59, - dup60, - dup61, - dup62, - dup11, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, -])); - -var msg78 = msg("46:01", part87); - -var part88 = match("MESSAGE#77:46:02", "nwparser.payload", "msg=\"Broadcast packet dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ - dup5, -])); - -var msg79 = msg("46:02", part88); - -var part89 = match("MESSAGE#78:46", "nwparser.payload", "Broadcast packet dropped%{}", processor_chain([ - dup5, -])); - -var msg80 = msg("46", part89); - -var part90 = match("MESSAGE#79:46:03/0", "nwparser.payload", "msg=\"Broadcast packet dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); - -var all16 = all_match({ - processors: [ - part90, - dup182, - dup10, - dup191, - dup50, - ], - on_success: processor_chain([ - dup5, - ]), -}); - -var msg81 = msg("46:03", all16); - -var select28 = linear_select([ - msg78, - msg79, - msg80, - msg81, -]); - -var part91 = match("MESSAGE#80:47", "nwparser.payload", "No ICMP redirect sent%{}", processor_chain([ - dup5, -])); - -var msg82 = msg("47", part91); - -var part92 = match("MESSAGE#81:48", "nwparser.payload", "Out-of-order command packet dropped%{}", processor_chain([ - dup5, -])); - -var msg83 = msg("48", part92); - -var part93 = match("MESSAGE#82:49", "nwparser.payload", "Failure to add data channel%{}", processor_chain([ - dup5, -])); - -var msg84 = msg("49", part93); - -var part94 = match("MESSAGE#83:50", "nwparser.payload", "RealAudio decode failure%{}", processor_chain([ - dup5, -])); - -var msg85 = msg("50", part94); - -var part95 = match("MESSAGE#84:51", "nwparser.payload", "Duplicate packet dropped%{}", processor_chain([ - dup5, -])); - -var msg86 = msg("51", part95); - -var part96 = match("MESSAGE#85:52", "nwparser.payload", "No HOST tag found in HTTP 
request%{}", processor_chain([ - dup5, -])); - -var msg87 = msg("52", part96); - -var part97 = match("MESSAGE#86:53", "nwparser.payload", "The cache is full; too many open connections; some will be dropped%{}", processor_chain([ - dup2, -])); - -var msg88 = msg("53", part97); - -var part98 = match("MESSAGE#87:58", "nwparser.payload", "License exceeded: Connection dropped because too many IP addresses are in use on your LAN%{}", processor_chain([ - dup64, -])); - -var msg89 = msg("58", part98); - -var part99 = match("MESSAGE#88:60", "nwparser.payload", "Access to Proxy Server Blocked%{}", processor_chain([ - dup12, -])); - -var msg90 = msg("60", part99); - -var part100 = match("MESSAGE#89:61", "nwparser.payload", "Diagnostic Code E%{}", processor_chain([ - dup1, -])); - -var msg91 = msg("61", part100); - -var part101 = match("MESSAGE#90:62", "nwparser.payload", "Dynamic IPSec client connected%{}", processor_chain([ - dup65, -])); - -var msg92 = msg("62", part101); - -var part102 = match("MESSAGE#91:63", "nwparser.payload", "IPSec packet too big%{}", processor_chain([ - dup66, -])); - -var msg93 = msg("63", part102); - -var part103 = match("MESSAGE#92:63:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup66, -])); - -var msg94 = msg("63:01", part103); - -var select29 = linear_select([ - msg93, - msg94, -]); - -var part104 = match("MESSAGE#93:64", "nwparser.payload", "Diagnostic Code D%{}", processor_chain([ - dup1, -])); - -var msg95 = msg("64", part104); - -var part105 = match("MESSAGE#94:65", "nwparser.payload", "Illegal IPSec SPI%{}", processor_chain([ - dup66, -])); - -var msg96 = msg("65", part105); - -var part106 = match("MESSAGE#95:66", "nwparser.payload", "Unknown IPSec SPI%{}", processor_chain([ - dup66, -])); - -var msg97 = msg("66", part106); - -var part107 = match("MESSAGE#96:67", "nwparser.payload", "IPSec Authentication Failed%{}", processor_chain([ - dup66, -])); - -var msg98 = msg("67", part107); 
- -var all17 = all_match({ - processors: [ - dup32, - dup185, - dup186, - ], - on_success: processor_chain([ - dup66, - ]), -}); - -var msg99 = msg("67:01", all17); - -var select30 = linear_select([ - msg98, - msg99, -]); - -var part108 = match("MESSAGE#98:68", "nwparser.payload", "IPSec Decryption Failed%{}", processor_chain([ - dup66, -])); - -var msg100 = msg("68", part108); - -var part109 = match("MESSAGE#99:69", "nwparser.payload", "Incompatible IPSec Security Association%{}", processor_chain([ - dup66, -])); - -var msg101 = msg("69", part109); - -var part110 = match("MESSAGE#100:70", "nwparser.payload", "IPSec packet from illegal host%{}", processor_chain([ - dup66, -])); - -var msg102 = msg("70", part110); - -var part111 = match("MESSAGE#101:70:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst%{p0}"); - -var part112 = match("MESSAGE#101:70:01/1_0", "nwparser.p0", "=%{daddr}"); - -var part113 = match("MESSAGE#101:70:01/1_1", "nwparser.p0", "name=%{name}"); - -var select31 = linear_select([ - part112, - part113, -]); - -var all18 = all_match({ - processors: [ - part111, - select31, - ], - on_success: processor_chain([ - dup66, - ]), -}); - -var msg103 = msg("70:01", all18); - -var select32 = linear_select([ - msg102, - msg103, -]); - -var part114 = match("MESSAGE#102:72", "nwparser.payload", "NetBus Attack Dropped%{}", processor_chain([ - dup67, -])); - -var msg104 = msg("72", part114); - -var part115 = match("MESSAGE#103:72:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ - dup67, -])); - -var msg105 = msg("72:01", part115); - -var select33 = linear_select([ - msg104, - msg105, -]); - -var part116 = match("MESSAGE#104:73", "nwparser.payload", "Back Orifice Attack Dropped%{}", processor_chain([ - dup68, -])); - -var msg106 = msg("73", part116); - -var part117 = match("MESSAGE#105:74", "nwparser.payload", "Net Spy Attack Dropped%{}", 
processor_chain([ - dup69, -])); - -var msg107 = msg("74", part117); - -var part118 = match("MESSAGE#106:75", "nwparser.payload", "Sub Seven Attack Dropped%{}", processor_chain([ - dup68, -])); - -var msg108 = msg("75", part118); - -var part119 = match("MESSAGE#107:76", "nwparser.payload", "Ripper Attack Dropped%{}", processor_chain([ - dup67, -])); - -var msg109 = msg("76", part119); - -var part120 = match("MESSAGE#108:77", "nwparser.payload", "Striker Attack Dropped%{}", processor_chain([ - dup67, -])); - -var msg110 = msg("77", part120); - -var part121 = match("MESSAGE#109:78", "nwparser.payload", "Senna Spy Attack Dropped%{}", processor_chain([ - dup69, -])); - -var msg111 = msg("78", part121); - -var part122 = match("MESSAGE#110:79", "nwparser.payload", "Priority Attack Dropped%{}", processor_chain([ - dup67, -])); - -var msg112 = msg("79", part122); - -var part123 = match("MESSAGE#111:80", "nwparser.payload", "Ini Killer Attack Dropped%{}", processor_chain([ - dup67, -])); - -var msg113 = msg("80", part123); - -var part124 = match("MESSAGE#112:81", "nwparser.payload", "Smurf Amplification Attack Dropped%{}", processor_chain([ - dup14, -])); - -var msg114 = msg("81", part124); - -var part125 = match("MESSAGE#113:82", "nwparser.payload", "Possible Port Scan%{}", processor_chain([ - dup70, -])); - -var msg115 = msg("82", part125); - -var part126 = match("MESSAGE#114:82:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{info}\"", processor_chain([ - dup70, -])); - -var msg116 = msg("82:02", part126); - -var part127 = match("MESSAGE#115:82:03", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ - dup70, -])); - -var msg117 = msg("82:03", part127); - -var msg118 = msg("82:01", dup195); - -var select34 = linear_select([ - msg115, - msg116, - 
msg117, - msg118, -]); - -var part128 = match("MESSAGE#117:83", "nwparser.payload", "Probable Port Scan%{}", processor_chain([ - dup70, -])); - -var msg119 = msg("83", part128); - -var msg120 = msg("83:01", dup196); - -var part129 = match("MESSAGE#119:83:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ - dup5, -])); - -var msg121 = msg("83:02", part129); - -var select35 = linear_select([ - msg119, - msg120, - msg121, -]); - -var part130 = match("MESSAGE#120:84/0_0", "nwparser.payload", "msg=\"Failed to resolve name\" n=%{fld1->} dstname=%{dhost}"); - -var part131 = match("MESSAGE#120:84/0_1", "nwparser.payload", "Failed to resolve name%{}"); - -var select36 = linear_select([ - part130, - part131, -]); - -var all19 = all_match({ - processors: [ - select36, - ], - on_success: processor_chain([ - dup71, - setc("action","Failed to resolve name"), - ]), -}); - -var msg122 = msg("84", all19); - -var part132 = match("MESSAGE#121:87", "nwparser.payload", "IKE Responder: Accepting IPSec proposal%{}", processor_chain([ - dup72, -])); - -var msg123 = msg("87", part132); - -var part133 = match("MESSAGE#122:87:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup72, -])); - -var msg124 = msg("87:01", part133); - -var select37 = linear_select([ - msg123, - msg124, -]); - -var part134 = match("MESSAGE#123:88", "nwparser.payload", "IKE Responder: IPSec proposal not acceptable%{}", processor_chain([ - dup66, -])); - -var msg125 = msg("88", part134); - -var part135 = match("MESSAGE#124:88:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup66, -])); - -var msg126 = msg("88:01", part135); - -var select38 = linear_select([ - msg125, - msg126, -]); - -var part136 = match("MESSAGE#125:89", "nwparser.payload", "IKE negotiation complete. 
Adding IPSec SA%{}", processor_chain([ - dup72, -])); - -var msg127 = msg("89", part136); - -var part137 = match("MESSAGE#126:89:01/1_0", "nwparser.p0", "%{saddr}:::%{sinterface->} dst=%{daddr}:::%{dinterface}"); - -var part138 = match("MESSAGE#126:89:01/1_1", "nwparser.p0", "%{saddr->} dst=%{daddr->} dstname=%{name}"); - -var select39 = linear_select([ - part137, - part138, -]); - -var all20 = all_match({ - processors: [ - dup73, - select39, - ], - on_success: processor_chain([ - dup72, - ]), -}); - -var msg128 = msg("89:01", all20); - -var select40 = linear_select([ - msg127, - msg128, -]); - -var part139 = match("MESSAGE#127:90", "nwparser.payload", "Starting IKE negotiation%{}", processor_chain([ - dup72, -])); - -var msg129 = msg("90", part139); - -var part140 = match("MESSAGE#128:91", "nwparser.payload", "Deleting IPSec SA for destination%{}", processor_chain([ - dup72, -])); - -var msg130 = msg("91", part140); - -var part141 = match("MESSAGE#129:92", "nwparser.payload", "Deleting IPSec SA%{}", processor_chain([ - dup72, -])); - -var msg131 = msg("92", part141); - -var part142 = match("MESSAGE#130:93", "nwparser.payload", "Diagnostic Code A%{}", processor_chain([ - dup1, -])); - -var msg132 = msg("93", part142); - -var part143 = match("MESSAGE#131:94", "nwparser.payload", "Diagnostic Code B%{}", processor_chain([ - dup1, -])); - -var msg133 = msg("94", part143); - -var part144 = match("MESSAGE#132:95", "nwparser.payload", "Diagnostic Code C%{}", processor_chain([ - dup1, -])); - -var msg134 = msg("95", part144); - -var part145 = match("MESSAGE#133:96", "nwparser.payload", "Status%{}", processor_chain([ - dup1, -])); - -var msg135 = msg("96", part145); - -var part146 = match("MESSAGE#134:97", "nwparser.payload", "Web site hit%{}", processor_chain([ - dup1, -])); - -var msg136 = msg("97", part146); - -var part147 = match("MESSAGE#135:97:01/4", "nwparser.p0", "proto=%{protocol->} op=%{fld->} %{p0}"); - -var part148 = match("MESSAGE#135:97:01/5_0", "nwparser.p0", 
"rcvd=%{rbytes->} %{p0}"); - -var part149 = match("MESSAGE#135:97:01/5_1", "nwparser.p0", "sent=%{sbytes->} %{p0}"); - -var select41 = linear_select([ - part148, - part149, -]); - -var part150 = match_copy("MESSAGE#135:97:01/7", "nwparser.p0", "name"); - -var all21 = all_match({ - processors: [ - dup74, - dup189, - dup41, - dup183, - part147, - select41, - dup197, - part150, - ], - on_success: processor_chain([ - dup1, - ]), -}); - -var msg137 = msg("97:01", all21); - -var part151 = match("MESSAGE#136:97:02/4", "nwparser.p0", "proto=%{protocol->} op=%{fld->} result=%{result}"); - -var all22 = all_match({ - processors: [ - dup74, - dup189, - dup41, - dup183, - part151, - ], - on_success: processor_chain([ - dup1, - ]), -}); - -var msg138 = msg("97:02", all22); - -var part152 = match("MESSAGE#137:97:03/4", "nwparser.p0", "proto=%{protocol->} op=%{fld3->} sent=%{sbytes->} rcvd=%{rbytes->} %{p0}"); - -var part153 = match("MESSAGE#137:97:03/6", "nwparser.p0", "%{} %{name}arg=%{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); - -var all23 = all_match({ - processors: [ - dup77, - dup189, - dup41, - dup183, - part152, - dup197, - part153, - ], - on_success: processor_chain([ - dup1, - ]), -}); - -var msg139 = msg("97:03", all23); - -var part154 = match("MESSAGE#138:97:04/4", "nwparser.p0", "proto=%{protocol->} op=%{fld3->} %{p0}"); - -var part155 = match("MESSAGE#138:97:04/6", "nwparser.p0", "%{}arg= %{name}%{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); - -var all24 = all_match({ - processors: [ - dup77, - dup189, - dup41, - dup183, - part154, - dup197, - part155, - ], - on_success: processor_chain([ - dup1, - ]), -}); - -var msg140 = msg("97:04", all24); - -var part156 = match("MESSAGE#139:97:05/4", "nwparser.p0", "proto=%{protocol->} op=%{fld2->} dstname=%{name->} arg=%{fld3->} code=%{fld4->} Category=%{category}"); - -var all25 = all_match({ - processors: [ - dup74, - dup189, - dup41, - dup183, - part156, - ], - on_success: 
processor_chain([ - dup1, - ]), -}); - -var msg141 = msg("97:05", all25); - -var part157 = match("MESSAGE#140:97:06/0", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{p0}"); - -var part158 = match("MESSAGE#140:97:06/1_0", "nwparser.p0", "%{sinterface}:%{shost}dst=%{p0}"); - -var part159 = match("MESSAGE#140:97:06/1_1", "nwparser.p0", "%{sinterface}dst=%{p0}"); - -var select42 = linear_select([ - part158, - part159, -]); - -var part160 = match("MESSAGE#140:97:06/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); - -var all26 = all_match({ - processors: [ - part157, - select42, - part160, - ], - on_success: processor_chain([ - dup78, - dup11, - ]), -}); - -var msg142 = msg("97:06", all26); - -var part161 = match("MESSAGE#141:97:07/0", "nwparser.payload", "app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{p0}"); - -var part162 = match("MESSAGE#141:97:07/1_0", "nwparser.p0", "%{dinterface}:%{fld3->} srcMac=%{p0}"); - -var select43 = linear_select([ - part162, - dup79, -]); - -var part163 = match("MESSAGE#141:97:07/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); - -var all27 = all_match({ - processors: [ - part161, - select43, - part163, - ], - on_success: processor_chain([ - dup78, - dup11, - ]), -}); - -var msg143 = msg("97:07", all27); - -var part164 = match("MESSAGE#142:97:08", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" 
src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup78, - dup11, -])); - -var msg144 = msg("97:08", part164); - -var part165 = match("MESSAGE#143:97:09", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup78, - dup11, -])); - -var msg145 = msg("97:09", part165); - -var part166 = match("MESSAGE#144:97:10", "nwparser.payload", "app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup78, - dup11, -])); - -var msg146 = msg("97:10", part166); - -var select44 = linear_select([ - msg136, - msg137, - msg138, - msg139, - msg140, - msg141, - msg142, - msg143, - msg144, - msg145, - msg146, -]); - -var part167 = match("MESSAGE#145:98/2", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{p0}"); - -var part168 = match("MESSAGE#145:98/3_0", "nwparser.p0", "%{dinterface} %{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); - -var part169 = match("MESSAGE#145:98/3_1", "nwparser.p0", "%{dinterface} %{protocol->} sent=%{sbytes}"); - -var part170 = match("MESSAGE#145:98/3_2", "nwparser.p0", "%{dinterface} %{protocol}"); - -var select45 = linear_select([ - part168, - part169, - part170, -]); - -var all28 = all_match({ - processors: [ - dup54, - dup193, - 
part167, - select45, - ], - on_success: processor_chain([ - dup78, - dup59, - setc("ec_activity","Stop"), - dup61, - dup62, - dup11, - setc("action","Opened"), - dup18, - dup19, - dup20, - dup21, - dup22, - ]), -}); - -var msg147 = msg("98", all28); - -var part171 = match("MESSAGE#146:98:07", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{protocol}/%{fld4->} sent=%{sbytes->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup1, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, -])); - -var msg148 = msg("98:07", part171); - -var part172 = match("MESSAGE#147:98:01/0", "nwparser.payload", "msg=\"%{msg}\"%{p0}"); - -var part173 = match("MESSAGE#147:98:01/1_0", "nwparser.p0", " app=%{fld2->} sess=\"%{fld3}\"%{p0}"); - -var select46 = linear_select([ - part173, - dup56, -]); - -var part174 = match("MESSAGE#147:98:01/2", "nwparser.p0", "%{}n=%{p0}"); - -var part175 = match("MESSAGE#147:98:01/3_0", "nwparser.p0", "%{fld1->} usr=%{username->} src=%{p0}"); - -var part176 = match("MESSAGE#147:98:01/3_1", "nwparser.p0", "%{fld1->} src=%{p0}"); - -var select47 = linear_select([ - part175, - part176, -]); - -var part177 = match("MESSAGE#147:98:01/4_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); - -var part178 = match("MESSAGE#147:98:01/4_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); - -var part179 = match("MESSAGE#147:98:01/4_2", "nwparser.p0", "%{saddr}dst=%{p0}"); - -var select48 = linear_select([ - part177, - part178, - part179, -]); - -var part180 = match("MESSAGE#147:98:01/5", "nwparser.p0", "%{} %{p0}"); - -var part181 = match("MESSAGE#147:98:01/6_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); - -var part182 = match("MESSAGE#147:98:01/6_2", "nwparser.p0", "%{daddr->} %{p0}"); - -var select49 = linear_select([ - dup80, - part181, - part182, -]); - -var part183 = 
match("MESSAGE#147:98:01/7_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); - -var part184 = match("MESSAGE#147:98:01/7_1", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes}"); - -var part185 = match("MESSAGE#147:98:01/7_2", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); - -var part186 = match("MESSAGE#147:98:01/7_3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); - -var select50 = linear_select([ - part183, - part184, - part185, - part186, - dup81, - dup43, -]); - -var all29 = all_match({ - processors: [ - part172, - select46, - part174, - select47, - select48, - part180, - select49, - select50, - ], - on_success: processor_chain([ - dup1, - ]), -}); - -var msg149 = msg("98:01", all29); - -var part187 = match("MESSAGE#148:98:06/1_0", "nwparser.p0", "app=%{fld2->} appName=\"%{application}\" n=%{p0}"); - -var part188 = match("MESSAGE#148:98:06/1_1", "nwparser.p0", "app=%{fld2->} n=%{p0}"); - -var part189 = match("MESSAGE#148:98:06/1_2", "nwparser.p0", "sess=%{fld2->} n=%{p0}"); - -var select51 = linear_select([ - part187, - part188, - part189, -]); - -var part190 = match("MESSAGE#148:98:06/2", "nwparser.p0", "%{fld1->} %{p0}"); - -var part191 = match("MESSAGE#148:98:06/3_0", "nwparser.p0", "usr=%{username->} %{p0}"); - -var select52 = linear_select([ - part191, - dup56, -]); - -var part192 = match("MESSAGE#148:98:06/4", "nwparser.p0", "src= %{saddr}:%{sport}:%{p0}"); - -var part193 = match("MESSAGE#148:98:06/7_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{dmacaddr->} proto=%{p0}"); - -var part194 = match("MESSAGE#148:98:06/7_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{p0}"); - -var part195 = match("MESSAGE#148:98:06/7_3", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); - -var select53 = linear_select([ - part193, - part194, 
- dup85, - part195, -]); - -var part196 = match("MESSAGE#148:98:06/8", "nwparser.p0", "%{protocol->} %{p0}"); - -var part197 = match("MESSAGE#148:98:06/9_0", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); - -var part198 = match("MESSAGE#148:98:06/9_1", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=%{action}"); - -var part199 = match("MESSAGE#148:98:06/9_2", "nwparser.p0", "sent=%{sbytes->} fw_action=\"%{action}\""); - -var part200 = match("MESSAGE#148:98:06/9_4", "nwparser.p0", "fw_action=\"%{action}\""); - -var select54 = linear_select([ - part197, - part198, - part199, - dup86, - part200, -]); - -var all30 = all_match({ - processors: [ - dup82, - select51, - part190, - select52, - part192, - dup198, - dup17, - select53, - part196, - select54, - ], - on_success: processor_chain([ - dup78, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), -}); - -var msg150 = msg("98:06", all30); - -var part201 = match("MESSAGE#149:98:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=%{username->} src=%{p0}"); - -var all31 = all_match({ - processors: [ - part201, - dup185, - dup183, - dup43, - ], - on_success: processor_chain([ - dup1, - ]), -}); - -var msg151 = msg("98:02", all31); - -var part202 = match("MESSAGE#150:98:03/0_0", "nwparser.payload", "Connection%{}"); - -var part203 = match("MESSAGE#150:98:03/0_1", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}"); - -var select55 = linear_select([ - part202, - part203, -]); - -var all32 = all_match({ - processors: [ - select55, - ], - on_success: processor_chain([ - dup1, - dup44, - ]), -}); - -var msg152 = msg("98:03", all32); - -var part204 = match("MESSAGE#151:98:04/3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} vpnpolicy=\"%{policyname}\" npcs=%{info}"); - -var all33 = all_match({ - processors: [ - dup7, - dup185, - dup183, - part204, - ], - on_success: processor_chain([ - dup1, - ]), 
-}); - -var msg153 = msg("98:04", all33); - -var part205 = match("MESSAGE#152:98:05/3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} npcs=%{info}"); - -var all34 = all_match({ - processors: [ - dup7, - dup185, - dup183, - part205, - ], - on_success: processor_chain([ - dup1, - ]), -}); - -var msg154 = msg("98:05", all34); - -var select56 = linear_select([ - msg147, - msg148, - msg149, - msg150, - msg151, - msg152, - msg153, - msg154, -]); - -var part206 = match("MESSAGE#153:986", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup31, - dup11, -])); - -var msg155 = msg("986", part206); - -var part207 = match("MESSAGE#154:427/3", "nwparser.p0", "note=\"%{event_description}\""); - -var all35 = all_match({ - processors: [ - dup73, - dup185, - dup183, - part207, - ], - on_success: processor_chain([ - dup1, - ]), -}); - -var msg156 = msg("427", all35); - -var part208 = match("MESSAGE#155:428/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); - -var all36 = all_match({ - processors: [ - dup87, - dup194, - part208, - ], - on_success: processor_chain([ - dup23, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), -}); - -var msg157 = msg("428", all36); - -var part209 = match("MESSAGE#156:99", "nwparser.payload", "Retransmitting DHCP DISCOVER.%{}", processor_chain([ - dup72, -])); - -var msg158 = msg("99", part209); - -var part210 = match("MESSAGE#157:100", "nwparser.payload", "Retransmitting DHCP REQUEST (Requesting).%{}", processor_chain([ - dup72, -])); - -var msg159 = msg("100", part210); - -var part211 = match("MESSAGE#158:101", "nwparser.payload", "Retransmitting DHCP REQUEST (Renewing).%{}", processor_chain([ - dup72, -])); - -var msg160 = msg("101", part211); - -var part212 = 
match("MESSAGE#159:102", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebinding).%{}", processor_chain([ - dup72, -])); - -var msg161 = msg("102", part212); - -var part213 = match("MESSAGE#160:103", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebooting).%{}", processor_chain([ - dup72, -])); - -var msg162 = msg("103", part213); - -var part214 = match("MESSAGE#161:104", "nwparser.payload", "Retransmitting DHCP REQUEST (Verifying).%{}", processor_chain([ - dup72, -])); - -var msg163 = msg("104", part214); - -var part215 = match("MESSAGE#162:105", "nwparser.payload", "Sending DHCP DISCOVER.%{}", processor_chain([ - dup72, -])); - -var msg164 = msg("105", part215); - -var part216 = match("MESSAGE#163:106", "nwparser.payload", "DHCP Server not available. Did not get any DHCP OFFER.%{}", processor_chain([ - dup71, -])); - -var msg165 = msg("106", part216); - -var part217 = match("MESSAGE#164:107", "nwparser.payload", "Got DHCP OFFER. Selecting.%{}", processor_chain([ - dup72, -])); - -var msg166 = msg("107", part217); - -var part218 = match("MESSAGE#165:108", "nwparser.payload", "Sending DHCP REQUEST.%{}", processor_chain([ - dup72, -])); - -var msg167 = msg("108", part218); - -var part219 = match("MESSAGE#166:109", "nwparser.payload", "DHCP Client did not get DHCP ACK.%{}", processor_chain([ - dup71, -])); - -var msg168 = msg("109", part219); - -var part220 = match("MESSAGE#167:110", "nwparser.payload", "DHCP Client got NACK.%{}", processor_chain([ - dup72, -])); - -var msg169 = msg("110", part220); - -var msg170 = msg("111:01", dup199); - -var part221 = match("MESSAGE#169:111", "nwparser.payload", "DHCP Client got ACK from server.%{}", processor_chain([ - dup72, -])); - -var msg171 = msg("111", part221); - -var select57 = linear_select([ - msg170, - msg171, -]); - -var part222 = match("MESSAGE#170:112", "nwparser.payload", "DHCP Client is declining address offered by the server.%{}", processor_chain([ - dup72, -])); - -var msg172 = msg("112", part222); - 
-var part223 = match("MESSAGE#171:113", "nwparser.payload", "DHCP Client sending REQUEST and going to REBIND state.%{}", processor_chain([ - dup72, -])); - -var msg173 = msg("113", part223); - -var part224 = match("MESSAGE#172:114", "nwparser.payload", "DHCP Client sending REQUEST and going to RENEW state.%{}", processor_chain([ - dup72, -])); - -var msg174 = msg("114", part224); - -var msg175 = msg("115:01", dup199); - -var part225 = match("MESSAGE#174:115", "nwparser.payload", "Sending DHCP REQUEST (Renewing).%{}", processor_chain([ - dup72, -])); - -var msg176 = msg("115", part225); - -var select58 = linear_select([ - msg175, - msg176, -]); - -var part226 = match("MESSAGE#175:116", "nwparser.payload", "Sending DHCP REQUEST (Rebinding).%{}", processor_chain([ - dup72, -])); - -var msg177 = msg("116", part226); - -var part227 = match("MESSAGE#176:117", "nwparser.payload", "Sending DHCP REQUEST (Rebooting).%{}", processor_chain([ - dup72, -])); - -var msg178 = msg("117", part227); - -var part228 = match("MESSAGE#177:118", "nwparser.payload", "Sending DHCP REQUEST (Verifying).%{}", processor_chain([ - dup72, -])); - -var msg179 = msg("118", part228); - -var part229 = match("MESSAGE#178:119", "nwparser.payload", "DHCP Client failed to verify and lease has expired. Go to INIT state.%{}", processor_chain([ - dup71, -])); - -var msg180 = msg("119", part229); - -var part230 = match("MESSAGE#179:120", "nwparser.payload", "DHCP Client failed to verify and lease is still valid. 
Go to BOUND state.%{}", processor_chain([ - dup71, -])); - -var msg181 = msg("120", part230); - -var part231 = match("MESSAGE#180:121", "nwparser.payload", "DHCP Client got a new IP address lease.%{}", processor_chain([ - dup72, -])); - -var msg182 = msg("121", part231); - -var part232 = match("MESSAGE#181:122", "nwparser.payload", "Access attempt from host without Anti-Virus agent installed%{}", processor_chain([ - dup71, -])); - -var msg183 = msg("122", part232); - -var part233 = match("MESSAGE#182:123", "nwparser.payload", "Anti-Virus agent out-of-date on host%{}", processor_chain([ - dup71, -])); - -var msg184 = msg("123", part233); - -var part234 = match("MESSAGE#183:124", "nwparser.payload", "Received AV Alert: %s%{}", processor_chain([ - dup72, -])); - -var msg185 = msg("124", part234); - -var part235 = match("MESSAGE#184:125", "nwparser.payload", "Unused AV log entry.%{}", processor_chain([ - dup72, -])); - -var msg186 = msg("125", part235); - -var part236 = match("MESSAGE#185:1254", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ - dup89, - dup11, -])); - -var msg187 = msg("1254", part236); - -var part237 = match("MESSAGE#186:1256", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ - dup78, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, -])); - -var msg188 = msg("1256", part237); - -var part238 = match("MESSAGE#187:1257", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} 
src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup89, - dup11, -])); - -var msg189 = msg("1257", part238); - -var part239 = match("MESSAGE#188:126", "nwparser.payload", "Starting PPPoE discovery%{}", processor_chain([ - dup72, -])); - -var msg190 = msg("126", part239); - -var part240 = match("MESSAGE#189:127", "nwparser.payload", "PPPoE LCP Link Up%{}", processor_chain([ - dup72, -])); - -var msg191 = msg("127", part240); - -var part241 = match("MESSAGE#190:128", "nwparser.payload", "PPPoE LCP Link Down%{}", processor_chain([ - dup5, -])); - -var msg192 = msg("128", part241); - -var part242 = match("MESSAGE#191:129", "nwparser.payload", "PPPoE terminated%{}", processor_chain([ - dup5, -])); - -var msg193 = msg("129", part242); - -var part243 = match("MESSAGE#192:130", "nwparser.payload", "PPPoE Network Connected%{}", processor_chain([ - dup1, -])); - -var msg194 = msg("130", part243); - -var part244 = match("MESSAGE#193:131", "nwparser.payload", "PPPoE Network Disconnected%{}", processor_chain([ - dup1, -])); - -var msg195 = msg("131", part244); - -var part245 = match("MESSAGE#194:132", "nwparser.payload", "PPPoE discovery process complete%{}", processor_chain([ - dup1, -])); - -var msg196 = msg("132", part245); - -var part246 = match("MESSAGE#195:133", "nwparser.payload", "PPPoE starting CHAP Authentication%{}", processor_chain([ - dup1, -])); - -var msg197 = msg("133", part246); - -var part247 = match("MESSAGE#196:134", "nwparser.payload", "PPPoE starting PAP Authentication%{}", processor_chain([ - dup1, -])); - -var msg198 = msg("134", part247); - -var part248 = match("MESSAGE#197:135", "nwparser.payload", "PPPoE CHAP Authentication Failed%{}", processor_chain([ - dup90, -])); - -var msg199 = msg("135", part248); - -var part249 = 
match("MESSAGE#198:136", "nwparser.payload", "PPPoE PAP Authentication Failed%{}", processor_chain([ - dup90, -])); - -var msg200 = msg("136", part249); - -var part250 = match("MESSAGE#199:137", "nwparser.payload", "Wan IP Changed%{}", processor_chain([ - dup3, -])); - -var msg201 = msg("137", part250); - -var part251 = match("MESSAGE#200:138", "nwparser.payload", "XAUTH Succeeded%{}", processor_chain([ - dup3, -])); - -var msg202 = msg("138", part251); - -var part252 = match("MESSAGE#201:139", "nwparser.payload", "XAUTH Failed%{}", processor_chain([ - dup5, -])); - -var msg203 = msg("139", part252); - -var all37 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - setc("eventcategory","1801020100"), - ]), -}); - -var msg204 = msg("139:01", all37); - -var select59 = linear_select([ - msg203, - msg204, -]); - -var msg205 = msg("140", dup239); - -var msg206 = msg("141", dup239); - -var part253 = match("MESSAGE#205:142", "nwparser.payload", "Primary firewall has transitioned to Active%{}", processor_chain([ - dup1, -])); - -var msg207 = msg("142", part253); - -var part254 = match("MESSAGE#206:143", "nwparser.payload", "Backup firewall has transitioned to Active%{}", processor_chain([ - dup1, -])); - -var msg208 = msg("143", part254); - -var part255 = match("MESSAGE#207:1431", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=::%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ - dup78, - dup11, -])); - -var msg209 = msg("1431", part255); - -var part256 = match("MESSAGE#208:144", "nwparser.payload", "Primary firewall has transitioned to Idle%{}", processor_chain([ - dup1, -])); - -var msg210 = msg("144", part256); - -var part257 = match("MESSAGE#209:145", "nwparser.payload", "Backup firewall has transitioned to Idle%{}", processor_chain([ - dup1, -])); - -var msg211 = 
msg("145", part257); - -var part258 = match("MESSAGE#210:146", "nwparser.payload", "Primary missed heartbeats from Active Backup: Primary going Active%{}", processor_chain([ - dup92, -])); - -var msg212 = msg("146", part258); - -var part259 = match("MESSAGE#211:147", "nwparser.payload", "Backup missed heartbeats from Active Primary: Backup going Active%{}", processor_chain([ - dup92, -])); - -var msg213 = msg("147", part259); - -var part260 = match("MESSAGE#212:148", "nwparser.payload", "Primary received error signal from Active Backup: Primary going Active%{}", processor_chain([ - dup1, -])); - -var msg214 = msg("148", part260); - -var part261 = match("MESSAGE#213:1480", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - setc("eventcategory","1204010000"), - dup11, -])); - -var msg215 = msg("1480", part261); - -var part262 = match("MESSAGE#214:149", "nwparser.payload", "Backup received error signal from Active Primary: Backup going Active%{}", processor_chain([ - dup1, -])); - -var msg216 = msg("149", part262); - -var part263 = match("MESSAGE#215:150", "nwparser.payload", "Backup firewall being preempted by Primary%{}", processor_chain([ - dup1, -])); - -var msg217 = msg("150", part263); - -var part264 = match("MESSAGE#216:151", "nwparser.payload", "Primary firewall preempting Backup%{}", processor_chain([ - dup1, -])); - -var msg218 = msg("151", part264); - -var part265 = match("MESSAGE#217:152", "nwparser.payload", "Active Backup detects Active Primary: Backup rebooting%{}", processor_chain([ - dup1, -])); - -var msg219 = msg("152", part265); - -var part266 = match("MESSAGE#218:153", "nwparser.payload", "Imported HA hardware ID did not match this firewall%{}", processor_chain([ - setc("eventcategory","1603010000"), -])); - -var msg220 = msg("153", part266); - -var part267 = match("MESSAGE#219:154", "nwparser.payload", "Received AV Alert: Your SonicWALL Network Anti-Virus subscription has expired. 
%s%{}", processor_chain([ - dup64, -])); - -var msg221 = msg("154", part267); - -var part268 = match("MESSAGE#220:155", "nwparser.payload", "Primary received heartbeat from wrong source%{}", processor_chain([ - dup92, -])); - -var msg222 = msg("155", part268); - -var part269 = match("MESSAGE#221:156", "nwparser.payload", "Backup received heartbeat from wrong source%{}", processor_chain([ - dup92, -])); - -var msg223 = msg("156", part269); - -var part270 = match("MESSAGE#222:157:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ - dup1, -])); - -var msg224 = msg("157:01", part270); - -var part271 = match("MESSAGE#223:157", "nwparser.payload", "HA packet processing error%{}", processor_chain([ - dup5, -])); - -var msg225 = msg("157", part271); - -var select60 = linear_select([ - msg224, - msg225, -]); - -var part272 = match("MESSAGE#224:158", "nwparser.payload", "Heartbeat received from incompatible source%{}", processor_chain([ - dup92, -])); - -var msg226 = msg("158", part272); - -var part273 = match("MESSAGE#225:159", "nwparser.payload", "Diagnostic Code F%{}", processor_chain([ - dup5, -])); - -var msg227 = msg("159", part273); - -var part274 = match("MESSAGE#226:160", "nwparser.payload", "Forbidden E-mail attachment altered%{}", processor_chain([ - setc("eventcategory","1203000000"), -])); - -var msg228 = msg("160", part274); - -var part275 = match("MESSAGE#227:161", "nwparser.payload", "PPPoE PAP Authentication success.%{}", processor_chain([ - dup65, -])); - -var msg229 = msg("161", part275); - -var part276 = match("MESSAGE#228:162", "nwparser.payload", "PPPoE PAP Authentication Failed. 
Please verify PPPoE username and password%{}", processor_chain([ - dup33, -])); - -var msg230 = msg("162", part276); - -var part277 = match("MESSAGE#229:163", "nwparser.payload", "Disconnecting PPPoE due to traffic timeout%{}", processor_chain([ - dup5, -])); - -var msg231 = msg("163", part277); - -var part278 = match("MESSAGE#230:164", "nwparser.payload", "No response from ISP Disconnecting PPPoE.%{}", processor_chain([ - dup5, -])); - -var msg232 = msg("164", part278); - -var part279 = match("MESSAGE#231:165", "nwparser.payload", "Backup going Active in preempt mode after reboot%{}", processor_chain([ - dup1, -])); - -var msg233 = msg("165", part279); - -var part280 = match("MESSAGE#232:166", "nwparser.payload", "Denied TCP connection from LAN%{}", processor_chain([ - dup12, -])); - -var msg234 = msg("166", part280); - -var part281 = match("MESSAGE#233:167", "nwparser.payload", "Denied UDP packet from LAN%{}", processor_chain([ - dup12, -])); - -var msg235 = msg("167", part281); - -var part282 = match("MESSAGE#234:168", "nwparser.payload", "Denied ICMP packet from LAN%{}", processor_chain([ - dup12, -])); - -var msg236 = msg("168", part282); - -var part283 = match("MESSAGE#235:169", "nwparser.payload", "Firewall access from LAN%{}", processor_chain([ - dup1, -])); - -var msg237 = msg("169", part283); - -var part284 = match("MESSAGE#236:170", "nwparser.payload", "Received a path MTU icmp message from router/gateway%{}", processor_chain([ - dup1, -])); - -var msg238 = msg("170", part284); - -var part285 = match("MESSAGE#237:171", "nwparser.payload", "Probable TCP FIN scan%{}", processor_chain([ - dup70, -])); - -var msg239 = msg("171", part285); - -var part286 = match("MESSAGE#238:171:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup93, -])); - -var msg240 = msg("171:01", part286); - -var part287 = match("MESSAGE#239:171:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} 
dst=%{daddr}:%{dport}", processor_chain([ - dup93, -])); - -var msg241 = msg("171:02", part287); - -var part288 = match("MESSAGE#240:171:03/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld1}\" sess=%{fld2->} n=%{fld3->} src=%{p0}"); - -var all38 = all_match({ - processors: [ - part288, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup93, - ]), -}); - -var msg242 = msg("171:03", all38); - -var select61 = linear_select([ - msg239, - msg240, - msg241, - msg242, -]); - -var part289 = match("MESSAGE#241:172", "nwparser.payload", "Probable TCP XMAS scan%{}", processor_chain([ - dup70, -])); - -var msg243 = msg("172", part289); - -var part290 = match("MESSAGE#242:172:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ - dup70, -])); - -var msg244 = msg("172:01", part290); - -var select62 = linear_select([ - msg243, - msg244, -]); - -var part291 = match("MESSAGE#243:173", "nwparser.payload", "Probable TCP NULL scan%{}", processor_chain([ - dup70, -])); - -var msg245 = msg("173", part291); - -var part292 = match("MESSAGE#244:174", "nwparser.payload", "IPSEC Replay Detected%{}", processor_chain([ - dup67, -])); - -var msg246 = msg("174", part292); - -var all39 = all_match({ - processors: [ - dup73, - dup185, - dup183, - dup43, - ], - on_success: processor_chain([ - dup67, - ]), -}); - -var msg247 = msg("174:01", all39); - -var all40 = all_match({ - processors: [ - dup51, - dup189, - dup41, - dup187, - ], - on_success: processor_chain([ - dup12, - ]), -}); - -var msg248 = msg("174:02", all40); - -var all41 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup191, - dup50, - ], - on_success: processor_chain([ - dup12, - ]), -}); - -var msg249 = msg("174:03", all41); - -var select63 = linear_select([ - msg246, - msg247, - msg248, - msg249, -]); - -var part293 = match("MESSAGE#248:175", "nwparser.payload", "TCP FIN packet dropped%{}", processor_chain([ - dup67, -])); - -var msg250 = msg("175", part293); - -var 
part294 = match("MESSAGE#249:175:01", "nwparser.payload", "msg=\"ICMP packet from LAN dropped\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} type=%{type}", processor_chain([ - dup67, -])); - -var msg251 = msg("175:01", part294); - -var part295 = match("MESSAGE#250:175:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} type=%{type->} icmpCode=%{fld3->} npcs=%{info}", processor_chain([ - dup67, -])); - -var msg252 = msg("175:02", part295); - -var select64 = linear_select([ - msg250, - msg251, - msg252, -]); - -var part296 = match("MESSAGE#251:176", "nwparser.payload", "Fraudulent Microsoft Certificate Blocked%{}", processor_chain([ - dup93, -])); - -var msg253 = msg("176", part296); - -var msg254 = msg("177", dup196); - -var msg255 = msg("178", dup201); - -var msg256 = msg("179", dup196); - -var all42 = all_match({ - processors: [ - dup34, - dup185, - dup187, - ], - on_success: processor_chain([ - dup97, - ]), -}); - -var msg257 = msg("180", all42); - -var all43 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup202, - dup100, - ], - on_success: processor_chain([ - dup97, - ]), -}); - -var msg258 = msg("180:01", all43); - -var select65 = linear_select([ - msg257, - msg258, -]); - -var msg259 = msg("181", dup195); - -var all44 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup70, - ]), -}); - -var msg260 = msg("181:01", all44); - -var select66 = linear_select([ - msg259, - msg260, -]); - -var msg261 = msg("193", dup240); - -var msg262 = msg("194", dup241); - -var msg263 = msg("195", dup241); - -var part297 = match("MESSAGE#262:196/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{fld2->} dst=%{daddr}:%{fld3->} sport=%{sport->} dport=%{dport->} %{p0}"); - -var all45 = all_match({ - processors: [ - part297, - dup204, - dup105, - ], - on_success: processor_chain([ - dup1, - ]), -}); - -var msg264 = msg("196", all45); - -var all46 = 
all_match({ - processors: [ - dup101, - dup204, - dup105, - ], - on_success: processor_chain([ - dup1, - ]), -}); - -var msg265 = msg("196:01", all46); - -var select67 = linear_select([ - msg264, - msg265, -]); - -var msg266 = msg("199", dup242); - -var msg267 = msg("200", dup243); - -var part298 = match("MESSAGE#266:235:02", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ - dup30, -])); - -var msg268 = msg("235:02", part298); - -var part299 = match("MESSAGE#267:235/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{p0}"); - -var all47 = all_match({ - processors: [ - part299, - dup185, - dup187, - ], - on_success: processor_chain([ - dup30, - ]), -}); - -var msg269 = msg("235", all47); - -var msg270 = msg("235:01", dup244); - -var select68 = linear_select([ - msg268, - msg269, - msg270, -]); - -var msg271 = msg("236", dup244); - -var msg272 = msg("237", dup242); - -var msg273 = msg("238", dup242); - -var part300 = match("MESSAGE#272:239", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ - dup107, -])); - -var msg274 = msg("239", part300); - -var part301 = match("MESSAGE#273:240", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ - dup107, -])); - -var msg275 = msg("240", part301); - -var part302 = match("MESSAGE#274:241", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ - dup78, -])); - -var msg276 = msg("241", part302); - -var part303 = match("MESSAGE#275:241:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup78, -])); - -var msg277 = msg("241:01", part303); - -var select69 = linear_select([ - msg276, - msg277, -]); - -var part304 = 
match("MESSAGE#276:242/1_0", "nwparser.p0", "%{saddr}:%{sport}:: %{p0}"); - -var part305 = match("MESSAGE#276:242/1_1", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); - -var select70 = linear_select([ - part304, - part305, - dup40, -]); - -var part306 = match("MESSAGE#276:242/3_0", "nwparser.p0", "%{daddr}:%{dport}::"); - -var part307 = match("MESSAGE#276:242/3_1", "nwparser.p0", "%{daddr}:%{dport}"); - -var select71 = linear_select([ - part306, - part307, - dup36, -]); - -var all48 = all_match({ - processors: [ - dup51, - select70, - dup41, - select71, - ], - on_success: processor_chain([ - dup78, - ]), -}); - -var msg278 = msg("242", all48); - -var msg279 = msg("252", dup205); - -var msg280 = msg("255", dup205); - -var msg281 = msg("257", dup205); - -var msg282 = msg("261:01", dup245); - -var msg283 = msg("261", dup205); - -var select72 = linear_select([ - msg282, - msg283, -]); - -var msg284 = msg("262", dup245); - -var all49 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - dup111, - ]), -}); - -var msg285 = msg("273", all49); - -var msg286 = msg("328", dup246); - -var msg287 = msg("329", dup243); - -var msg288 = msg("346", dup205); - -var msg289 = msg("350", dup205); - -var msg290 = msg("351", dup205); - -var msg291 = msg("352", dup205); - -var msg292 = msg("353:01", dup201); - -var part308 = match("MESSAGE#291:353", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost->} lifeSeconds=%{misc}\"", processor_chain([ - dup5, -])); - -var msg293 = msg("353", part308); - -var select73 = linear_select([ - msg292, - msg293, -]); - -var part309 = match("MESSAGE#292:354", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=\"%{shost->} lifeSeconds=%{misc}\"", processor_chain([ - dup1, -])); - -var msg294 = msg("354", part309); - -var msg295 = msg("355", dup206); - -var msg296 = msg("355:01", dup205); 
- -var select74 = linear_select([ - msg295, - msg296, -]); - -var msg297 = msg("356", dup207); - -var part310 = match("MESSAGE#296:357", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} dstname=%{name}", processor_chain([ - dup93, -])); - -var msg298 = msg("357", part310); - -var part311 = match("MESSAGE#297:357:01", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup93, -])); - -var msg299 = msg("357:01", part311); - -var select75 = linear_select([ - msg298, - msg299, -]); - -var msg300 = msg("358", dup208); - -var part312 = match("MESSAGE#299:371", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost}", processor_chain([ - setc("eventcategory","1503000000"), -])); - -var msg301 = msg("371", part312); - -var msg302 = msg("371:01", dup209); - -var select76 = linear_select([ - msg301, - msg302, -]); - -var msg303 = msg("372", dup205); - -var msg304 = msg("373", dup207); - -var msg305 = msg("401", dup247); - -var msg306 = msg("402", dup247); - -var msg307 = msg("406", dup208); - -var part313 = match("MESSAGE#305:413", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ - dup1, -])); - -var msg308 = msg("413", part313); - -var msg309 = msg("414", dup205); - -var msg310 = msg("438", dup248); - -var msg311 = msg("439", dup248); - -var all50 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - setc("eventcategory","1501020000"), - ]), -}); - -var msg312 = msg("440", all50); - -var all51 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - setc("eventcategory","1502050000"), - ]), -}); - -var msg313 = msg("441", all51); - -var part314 = match("MESSAGE#311:441:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ - 
setc("eventcategory","1001020000"), -])); - -var msg314 = msg("441:01", part314); - -var select77 = linear_select([ - msg313, - msg314, -]); - -var all52 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - setc("eventcategory","1501030000"), - ]), -}); - -var msg315 = msg("442", all52); - -var part315 = match("MESSAGE#313:446/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{p0}"); - -var part316 = match("MESSAGE#313:446/1_0", "nwparser.p0", "%{fld1->} appName=\"%{application}\" n=%{p0}"); - -var part317 = match("MESSAGE#313:446/1_1", "nwparser.p0", "%{fld1->} n=%{p0}"); - -var select78 = linear_select([ - part316, - part317, -]); - -var part318 = match("MESSAGE#313:446/2", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); - -var all53 = all_match({ - processors: [ - part315, - select78, - part318, - dup211, - dup119, - ], - on_success: processor_chain([ - dup67, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), -}); - -var msg316 = msg("446", all53); - -var part319 = match("MESSAGE#314:477", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"MAC=%{smacaddr->} HostName:%{hostname}\"", processor_chain([ - dup120, - dup59, - dup60, - dup61, - dup62, - dup11, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, -])); - -var msg317 = msg("477", part319); - -var all54 = all_match({ - processors: [ - dup73, - dup185, - dup187, - ], - on_success: processor_chain([ - dup30, - ]), -}); - -var msg318 = msg("509", all54); - -var all55 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - dup109, - ]), -}); - -var msg319 = msg("520", all55); - -var msg320 = msg("522", dup249); - -var part320 = match("MESSAGE#318:522:01/0", 
"nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} srcV6=%{saddr_v6->} src= %{p0}"); - -var part321 = match("MESSAGE#318:522:01/2", "nwparser.p0", "dstV6=%{daddr_v6->} dst= %{p0}"); - -var all56 = all_match({ - processors: [ - part320, - dup189, - part321, - dup183, - dup121, - ], - on_success: processor_chain([ - dup5, - ]), -}); - -var msg321 = msg("522:01", all56); - -var part322 = match("MESSAGE#319:522:02/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{shost->} dst= %{p0}"); - -var select79 = linear_select([ - part322, - dup46, -]); - -var all57 = all_match({ - processors: [ - dup45, - select79, - dup17, - dup183, - dup121, - ], - on_success: processor_chain([ - dup5, - ]), -}); - -var msg322 = msg("522:02", all57); - -var select80 = linear_select([ - msg320, - msg321, - msg322, -]); - -var msg323 = msg("523", dup249); - -var all58 = all_match({ - processors: [ - dup73, - dup185, - dup183, - dup17, - dup212, - ], - on_success: processor_chain([ - dup1, - ]), -}); - -var msg324 = msg("524", all58); - -var part323 = match("MESSAGE#322:524:01/4_0", "nwparser.p0", "proto=%{protocol->} npcs= %{p0}"); - -var part324 = match("MESSAGE#322:524:01/4_1", "nwparser.p0", "rule=%{rule->} npcs= %{p0}"); - -var select81 = linear_select([ - part323, - part324, -]); - -var all59 = all_match({ - processors: [ - dup7, - dup185, - dup183, - dup17, - select81, - dup47, - ], - on_success: processor_chain([ - dup1, - ]), -}); - -var msg325 = msg("524:01", all59); - -var part325 = match("MESSAGE#323:524:02/0", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}rule=\"%{rule}\"%{p0}"); - -var part326 = match("MESSAGE#323:524:02/1_0", "nwparser.p0", " note=\"%{rulename}\"%{p0}"); - -var select82 = linear_select([ - part326, - dup56, -]); - -var part327 = match("MESSAGE#323:524:02/2", "nwparser.p0", 
"%{}fw_action=\"%{action}\""); - -var all60 = all_match({ - processors: [ - part325, - select82, - part327, - ], - on_success: processor_chain([ - dup6, - dup11, - ]), -}); - -var msg326 = msg("524:02", all60); - -var select83 = linear_select([ - msg324, - msg325, - msg326, -]); - -var msg327 = msg("526", dup250); - -var part328 = match("MESSAGE#325:526:01/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{fld20->} dst= %{p0}"); - -var select84 = linear_select([ - dup26, - part328, - dup46, -]); - -var part329 = match("MESSAGE#325:526:01/3_1", "nwparser.p0", "%{daddr}"); - -var select85 = linear_select([ - dup35, - part329, -]); - -var all61 = all_match({ - processors: [ - dup73, - select84, - dup17, - select85, - ], - on_success: processor_chain([ - dup1, - ]), -}); - -var msg328 = msg("526:01", all61); - -var all62 = all_match({ - processors: [ - dup7, - dup213, - dup183, - dup121, - ], - on_success: processor_chain([ - dup1, - ]), -}); - -var msg329 = msg("526:02", all62); - -var part330 = match("MESSAGE#327:526:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup1, - dup11, -])); - -var msg330 = msg("526:03", part330); - -var part331 = match("MESSAGE#328:526:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup1, - dup11, -])); - -var msg331 = msg("526:04", part331); - -var part332 = match("MESSAGE#329:526:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" 
fw_action=\"%{action}\"", processor_chain([ - dup1, - dup11, -])); - -var msg332 = msg("526:05", part332); - -var select86 = linear_select([ - msg327, - msg328, - msg329, - msg330, - msg331, - msg332, -]); - -var part333 = match("MESSAGE#330:537:01/4", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} rcvd=%{p0}"); - -var part334 = match("MESSAGE#330:537:01/5_0", "nwparser.p0", "%{rbytes->} vpnpolicy=%{fld3}"); - -var select87 = linear_select([ - part334, - dup123, -]); - -var all63 = all_match({ - processors: [ - dup122, - dup214, - dup17, - dup215, - part333, - select87, - ], - on_success: processor_chain([ - dup111, - ]), -}); - -var msg333 = msg("537:01", all63); - -var all64 = all_match({ - processors: [ - dup122, - dup214, - dup17, - dup215, - dup81, - ], - on_success: processor_chain([ - dup111, - ]), -}); - -var msg334 = msg("537:02", all64); - -var part335 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); - -var part336 = match("MESSAGE#332:537:08/3_1", "nwparser.p0", "%{saddr->} %{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); - -var part337 = match("MESSAGE#332:537:08/3_2", "nwparser.p0", "%{saddr->} %{daddr}srcMac=%{p0}"); - -var select88 = linear_select([ - part335, - part336, - part337, -]); - -var part338 = match("MESSAGE#332:537:08/4", "nwparser.p0", "%{} %{smacaddr->} %{p0}"); - -var part339 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); - -var part340 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", "proto=%{protocol->} sent=%{p0}"); - -var select89 = linear_select([ - part339, - part340, -]); - -var part341 = match("MESSAGE#332:537:08/7_0", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} fw_action=\"%{action}\""); - -var part342 = match("MESSAGE#332:537:08/7_2", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} fw_action=\"%{action}\""); - -var select90 = linear_select([ - part341, - dup131, - part342, - dup132, - 
dup133, -]); - -var all65 = all_match({ - processors: [ - dup54, - dup216, - dup217, - select88, - part338, - select89, - dup218, - select90, - ], - on_success: processor_chain([ - dup111, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), -}); - -var msg335 = msg("537:08", all65); - -var select91 = linear_select([ - dup125, - dup124, - dup126, - dup38, -]); - -var part343 = match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); - -var part344 = match("MESSAGE#333:537:09/3_1", "nwparser.p0", "%{saddr->} %{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); - -var part345 = match("MESSAGE#333:537:09/3_2", "nwparser.p0", "%{saddr->} %{daddr}dstMac=%{p0}"); - -var select92 = linear_select([ - part343, - part344, - part345, -]); - -var part346 = match("MESSAGE#333:537:09/4", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{p0}"); - -var part347 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", "%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); - -var select93 = linear_select([ - part347, - dup131, - dup132, - dup133, -]); - -var all66 = all_match({ - processors: [ - dup54, - select91, - dup217, - select92, - part346, - dup218, - select93, - ], - on_success: processor_chain([ - dup111, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), -}); - -var msg336 = msg("537:09", all66); - -var part348 = match("MESSAGE#334:537:07/3_0", "nwparser.p0", "%{saddr} %{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); - -var part349 = match("MESSAGE#334:537:07/3_1", "nwparser.p0", "%{saddr} %{fld3->} rpkt=%{fld6->} cdur=%{fld7}"); - -var part350 = match("MESSAGE#334:537:07/3_2", "nwparser.p0", "%{saddr} %{fld3->} cdur=%{fld7}"); - -var part351 = match("MESSAGE#334:537:07/3_3", "nwparser.p0", "%{saddr} %{fld3->} fw_action=\"%{action}\""); - -var part352 = match("MESSAGE#334:537:07/3_4", "nwparser.p0", "%{saddr} %{fld3}"); - -var select94 = linear_select([ - part348, - part349, - part350, - part351, - 
part352, -]); - -var all67 = all_match({ - processors: [ - dup54, - dup216, - dup217, - select94, - ], - on_success: processor_chain([ - dup111, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), -}); - -var msg337 = msg("537:07", all67); - -var part353 = match("MESSAGE#335:537/0", "nwparser.payload", "msg=\"%{action}\"%{p0}"); - -var part354 = match("MESSAGE#335:537/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"%{p0}"); - -var select95 = linear_select([ - part354, - dup56, -]); - -var part355 = match("MESSAGE#335:537/2", "nwparser.p0", "%{}n=%{fld1->} src= %{p0}"); - -var part356 = match("MESSAGE#335:537/3_0", "nwparser.p0", "%{saddr}%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); - -var part357 = match("MESSAGE#335:537/3_1", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}: proto=%{p0}"); - -var part358 = match("MESSAGE#335:537/3_2", "nwparser.p0", "%{saddr}%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); - -var part359 = match("MESSAGE#335:537/3_3", "nwparser.p0", "%{saddr}%{daddr->} proto=%{p0}"); - -var select96 = linear_select([ - part356, - part357, - part358, - part359, -]); - -var part360 = match("MESSAGE#335:537/4", "nwparser.p0", "%{protocol->} sent=%{p0}"); - -var part361 = match("MESSAGE#335:537/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} fw_action=\"%{fld6}\""); - -var part362 = match("MESSAGE#335:537/5_1", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} fw_action=\"%{fld5}\""); - -var part363 = match("MESSAGE#335:537/5_2", "nwparser.p0", "%{sbytes->} spkt=%{fld3}fw_action=\"%{fld4}\""); - -var part364 = match("MESSAGE#335:537/5_3", "nwparser.p0", "%{sbytes}rcvd=%{rbytes}"); - -var part365 = match_copy("MESSAGE#335:537/5_4", "nwparser.p0", "sbytes"); - -var select97 = linear_select([ - part361, - part362, - part363, - part364, - part365, -]); - -var all68 = all_match({ - processors: [ - part353, - select95, - part355, - select96, 
- part360, - select97, - ], - on_success: processor_chain([ - dup111, - ]), -}); - -var msg338 = msg("537", all68); - -var part366 = match("MESSAGE#336:537:04/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} npcs=%{info}"); - -var all69 = all_match({ - processors: [ - dup134, - dup190, - dup17, - dup219, - part366, - ], - on_success: processor_chain([ - dup111, - ]), -}); - -var msg339 = msg("537:04", all69); - -var part367 = match("MESSAGE#337:537:05/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} spkt=%{fld3->} cdur=%{fld4->} %{p0}"); - -var part368 = match("MESSAGE#337:537:05/5_0", "nwparser.p0", "appcat=%{fld5->} appid=%{fld6->} npcs= %{p0}"); - -var part369 = match("MESSAGE#337:537:05/5_1", "nwparser.p0", "npcs= %{p0}"); - -var select98 = linear_select([ - part368, - part369, -]); - -var all70 = all_match({ - processors: [ - dup134, - dup190, - dup17, - dup219, - part367, - select98, - dup96, - ], - on_success: processor_chain([ - dup111, - ]), -}); - -var msg340 = msg("537:05", all70); - -var part370 = match("MESSAGE#338:537:10/0", "nwparser.payload", "msg=\"%{event_description}\" sess=%{fld1->} n=%{fld2->} %{p0}"); - -var part371 = match("MESSAGE#338:537:10/4_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); - -var part372 = match("MESSAGE#338:537:10/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); - -var part373 = match("MESSAGE#338:537:10/4_2", "nwparser.p0", "%{daddr->} dstMac=%{p0}"); - -var select99 = linear_select([ - part371, - part372, - part373, -]); - -var part374 = match("MESSAGE#338:537:10/5", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); - -var all71 = all_match({ - processors: [ - part370, - dup220, - dup139, - dup221, - select99, - part374, - dup222, - ], - on_success: processor_chain([ - dup111, - dup11, - dup18, - dup19, - dup20, - dup21, - 
dup22, - ]), -}); - -var msg341 = msg("537:10", all71); - -var part375 = match("MESSAGE#339:537:03/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} %{p0}"); - -var part376 = match("MESSAGE#339:537:03/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); - -var part377 = match("MESSAGE#339:537:03/4_2", "nwparser.p0", "%{daddr->} proto=%{p0}"); - -var select100 = linear_select([ - dup85, - part376, - part377, -]); - -var part378 = match("MESSAGE#339:537:03/5", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); - -var all72 = all_match({ - processors: [ - part375, - dup220, - dup139, - dup221, - select100, - part378, - dup222, - ], - on_success: processor_chain([ - dup111, - ]), -}); - -var msg342 = msg("537:03", all72); - -var part379 = match("MESSAGE#340:537:06/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} spkt=%{fld3->} npcs=%{info}"); - -var all73 = all_match({ - processors: [ - dup134, - dup190, - dup17, - dup219, - part379, - ], - on_success: processor_chain([ - dup111, - ]), -}); - -var msg343 = msg("537:06", all73); - -var part380 = match("MESSAGE#341:537:11", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}spkt=%{fld3}rpkt=%{fld4}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup111, - dup62, - dup11, - dup144, -])); - -var msg344 = msg("537:11", part380); - -var part381 = match("MESSAGE#342:537:12", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} rule=\"%{rule}\" 
fw_action=\"%{action}\"", processor_chain([ - dup111, - dup62, - dup11, - dup144, -])); - -var msg345 = msg("537:12", part381); - -var select101 = linear_select([ - msg333, - msg334, - msg335, - msg336, - msg337, - msg338, - msg339, - msg340, - msg341, - msg342, - msg343, - msg344, - msg345, -]); - -var msg346 = msg("538", dup240); - -var msg347 = msg("549", dup243); - -var msg348 = msg("557", dup243); - -var all74 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - setc("eventcategory","1402020200"), - ]), -}); - -var msg349 = msg("558", all74); - -var msg350 = msg("561", dup246); - -var msg351 = msg("562", dup246); - -var msg352 = msg("563", dup246); - -var all75 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - setc("eventcategory","1402020400"), - ]), -}); - -var msg353 = msg("583", all75); - -var part382 = match("MESSAGE#351:597:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ - dup145, - dup59, - dup146, - dup61, - dup62, - dup11, - dup147, - dup18, - dup19, - dup20, - dup21, - dup22, -])); - -var msg354 = msg("597:01", part382); - -var part383 = match("MESSAGE#352:597:02", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ - dup1, -])); - -var msg355 = msg("597:02", part383); - -var part384 = match("MESSAGE#353:597:03/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src= %{saddr}:%{sport}:%{p0}"); - -var part385 = match("MESSAGE#353:597:03/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}"); - -var all76 = all_match({ - processors: [ - part384, - dup198, - part385, - dup200, - dup96, - ], - on_success: processor_chain([ - dup1, - ]), -}); - -var msg356 = 
msg("597:03", all76); - -var select102 = linear_select([ - msg354, - msg355, - msg356, -]); - -var part386 = match("MESSAGE#354:598", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{type->} code=%{code}", processor_chain([ - dup1, -])); - -var msg357 = msg("598", part386); - -var part387 = match("MESSAGE#355:598:01/2", "nwparser.p0", "%{type->} npcs=%{info}"); - -var all77 = all_match({ - processors: [ - dup148, - dup192, - part387, - ], - on_success: processor_chain([ - dup1, - ]), -}); - -var msg358 = msg("598:01", all77); - -var all78 = all_match({ - processors: [ - dup148, - dup200, - dup96, - ], - on_success: processor_chain([ - dup1, - ]), -}); - -var msg359 = msg("598:02", all78); - -var select103 = linear_select([ - msg357, - msg358, - msg359, -]); - -var part388 = match("MESSAGE#357:602:01", "nwparser.payload", "msg=\"%{event_description}allowed\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ - dup145, - dup59, - dup146, - dup61, - dup62, - dup11, - dup147, - dup18, - dup19, - dup20, - dup21, - dup22, -])); - -var msg360 = msg("602:01", part388); - -var msg361 = msg("602:02", dup250); - -var all79 = all_match({ - processors: [ - dup7, - dup185, - dup183, - dup43, - ], - on_success: processor_chain([ - dup1, - ]), -}); - -var msg362 = msg("602:03", all79); - -var select104 = linear_select([ - msg360, - msg361, - msg362, -]); - -var msg363 = msg("605", dup208); - -var all80 = all_match({ - processors: [ - dup149, - dup223, - dup152, - dup211, - dup119, - ], - on_success: processor_chain([ - dup93, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), -}); - -var msg364 = msg("606", all80); - -var part389 = match("MESSAGE#362:608/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} ipscat=%{ipscat->} ipspri=%{p0}"); - -var part390 = match("MESSAGE#362:608/1_0", 
"nwparser.p0", "%{fld66->} pktdatId=%{fld11->} n=%{p0}"); - -var part391 = match("MESSAGE#362:608/1_1", "nwparser.p0", "%{ipspri->} n=%{p0}"); - -var select105 = linear_select([ - part390, - part391, -]); - -var part392 = match("MESSAGE#362:608/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{p0}"); - -var part393 = match("MESSAGE#362:608/3_0", "nwparser.p0", "%{sport}:%{sinterface->} dst=%{p0}"); - -var part394 = match("MESSAGE#362:608/3_1", "nwparser.p0", "%{sport->} dst=%{p0}"); - -var select106 = linear_select([ - part393, - part394, -]); - -var part395 = match("MESSAGE#362:608/5_0", "nwparser.p0", "%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{fld2}\""); - -var select107 = linear_select([ - part395, - dup154, - dup155, -]); - -var all81 = all_match({ - processors: [ - part389, - select105, - part392, - select106, - dup153, - select107, - ], - on_success: processor_chain([ - dup1, - dup44, - ]), -}); - -var msg365 = msg("608", all81); - -var msg366 = msg("616", dup206); - -var msg367 = msg("658", dup201); - -var msg368 = msg("710", dup224); - -var msg369 = msg("712:02", dup251); - -var msg370 = msg("712", dup224); - -var all82 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup202, - dup100, - ], - on_success: processor_chain([ - dup156, - ]), -}); - -var msg371 = msg("712:01", all82); - -var select108 = linear_select([ - msg369, - msg370, - msg371, -]); - -var part396 = match("MESSAGE#369:713:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=%{info}", processor_chain([ - dup5, - dup59, - dup60, - dup61, - dup62, - dup11, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, -])); - -var msg372 = msg("713:01", part396); - -var msg373 = msg("713:04", dup251); - -var msg374 = msg("713:02", dup224); - -var part397 = match("MESSAGE#372:713:03", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} 
src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{action}\" npcs=%{info}", processor_chain([ - dup5, - dup59, - dup60, - dup61, - dup62, - dup11, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, -])); - -var msg375 = msg("713:03", part397); - -var select109 = linear_select([ - msg372, - msg373, - msg374, - msg375, -]); - -var part398 = match("MESSAGE#373:760", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=%{info}", processor_chain([ - dup120, - dup59, - dup60, - dup61, - dup62, - dup11, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, -])); - -var msg376 = msg("760", part398); - -var part399 = match("MESSAGE#374:760:01/0", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); - -var part400 = match("MESSAGE#374:760:01/4", "nwparser.p0", "%{action->} npcs=%{info}"); - -var all83 = all_match({ - processors: [ - part399, - dup182, - dup10, - dup202, - part400, - ], - on_success: processor_chain([ - dup120, - dup59, - dup60, - dup61, - dup62, - dup11, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), -}); - -var msg377 = msg("760:01", all83); - -var select110 = linear_select([ - msg376, - msg377, -]); - -var msg378 = msg("766", dup228); - -var msg379 = msg("860", dup228); - -var msg380 = msg("860:01", dup229); - -var select111 = linear_select([ - msg379, - msg380, -]); - -var part401 = match("MESSAGE#378:866/0", "nwparser.payload", "msg=\"%{msg}\" n=%{p0}"); - -var part402 = match("MESSAGE#378:866/1_0", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); - -var part403 = match_copy("MESSAGE#378:866/1_1", "nwparser.p0", "ntype"); - -var select112 = linear_select([ - part402, - part403, -]); - -var all84 = all_match({ - processors: 
[ - part401, - select112, - ], - on_success: processor_chain([ - dup5, - dup44, - ]), -}); - -var msg381 = msg("866", all84); - -var msg382 = msg("866:01", dup229); - -var select113 = linear_select([ - msg381, - msg382, -]); - -var msg383 = msg("867", dup228); - -var msg384 = msg("867:01", dup229); - -var select114 = linear_select([ - msg383, - msg384, -]); - -var part404 = match("MESSAGE#382:882", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ - dup1, -])); - -var msg385 = msg("882", part404); - -var part405 = match("MESSAGE#383:882:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} npcs=%{info}", processor_chain([ - dup1, -])); - -var msg386 = msg("882:01", part405); - -var select115 = linear_select([ - msg385, - msg386, -]); - -var part406 = match("MESSAGE#384:888", "nwparser.payload", "msg=\"%{reason};%{action}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ - dup165, -])); - -var msg387 = msg("888", part406); - -var part407 = match("MESSAGE#385:888:01", "nwparser.payload", "msg=\"%{reason};%{action}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=%{fld3->} npcs=%{info}", processor_chain([ - dup165, -])); - -var msg388 = msg("888:01", part407); - -var select116 = linear_select([ - msg387, - msg388, -]); - -var all85 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup165, - ]), -}); - -var msg389 = msg("892", all85); - -var msg390 = msg("904", dup228); - -var msg391 = msg("905", dup228); - -var msg392 = msg("906", dup228); - -var msg393 = msg("907", dup228); - -var part408 = match("MESSAGE#391:908/1_0", "nwparser.p0", 
"%{sinterface}:%{shost->} dst=%{p0}"); - -var select117 = linear_select([ - part408, - dup167, -]); - -var all86 = all_match({ - processors: [ - dup166, - select117, - dup168, - dup223, - dup169, - dup211, - dup119, - ], - on_success: processor_chain([ - dup78, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), -}); - -var msg394 = msg("908", all86); - -var msg395 = msg("909", dup228); - -var msg396 = msg("914", dup230); - -var part409 = match("MESSAGE#394:931", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ - dup72, -])); - -var msg397 = msg("931", part409); - -var msg398 = msg("657", dup230); - -var all87 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup5, - ]), -}); - -var msg399 = msg("657:01", all87); - -var select118 = linear_select([ - msg398, - msg399, -]); - -var msg400 = msg("403", dup209); - -var msg401 = msg("534", dup184); - -var msg402 = msg("994", dup231); - -var part410 = match("MESSAGE#400:243", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} proto=%{protocol}", processor_chain([ - dup1, - dup24, -])); - -var msg403 = msg("243", part410); - -var msg404 = msg("995", dup184); - -var part411 = match("MESSAGE#402:997", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{fld3->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld4->} note=\"%{info}\"", processor_chain([ - dup1, - dup59, - dup61, - dup62, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, -])); - -var msg405 = msg("997", part411); - -var msg406 = msg("998", dup231); - -var part412 = match("MESSAGE#405:998:01", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} 
dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup111, - dup11, -])); - -var msg407 = msg("998:01", part412); - -var select119 = linear_select([ - msg406, - msg407, -]); - -var msg408 = msg("1110", dup232); - -var msg409 = msg("565", dup232); - -var part413 = match("MESSAGE#408:404", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} note=\"%{event_description}\"", processor_chain([ - dup1, - dup62, -])); - -var msg410 = msg("404", part413); - -var part414 = match("MESSAGE#409:267:01/1_0", "nwparser.p0", "%{daddr}:%{dport->} srcMac=%{p0}"); - -var select120 = linear_select([ - part414, - dup58, -]); - -var part415 = match("MESSAGE#409:267:01/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{fld3}\" fw_action=\"%{action}\""); - -var all88 = all_match({ - processors: [ - dup87, - select120, - part415, - ], - on_success: processor_chain([ - dup111, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), -}); - -var msg411 = msg("267:01", all88); - -var part416 = match("MESSAGE#410:267", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}", processor_chain([ - dup1, - dup62, -])); - -var msg412 = msg("267", part416); - -var select121 = linear_select([ - msg411, - msg412, -]); - -var part417 = match("MESSAGE#411:263", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} proto=%{protocol}", processor_chain([ - dup1, - dup24, -])); - -var msg413 = msg("263", part417); - -var part418 = match("MESSAGE#412:264", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ - dup109, - dup11, -])); - -var msg414 = msg("264", part418); - -var msg415 = msg("412", dup209); - 
-var part419 = match("MESSAGE#415:793", "nwparser.payload", "msg=\"%{msg}\" af_polid=%{fld1->} af_policy=\"%{fld2}\" af_type=\"%{fld3}\" af_service=\"%{fld4}\" af_action=\"%{fld5}\" n=%{fld6->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ - dup1, - dup24, -])); - -var msg416 = msg("793", part419); - -var part420 = match("MESSAGE#416:805", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} if=%{fld2->} ucastRx=%{fld3->} bcastRx=%{fld4->} bytesRx=%{rbytes->} ucastTx=%{fld5->} bcastTx=%{fld6->} bytesTx=%{sbytes}", processor_chain([ - dup1, - dup24, -])); - -var msg417 = msg("805", part420); - -var part421 = match("MESSAGE#417:809", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ - dup170, - dup11, -])); - -var msg418 = msg("809", part421); - -var part422 = match("MESSAGE#418:809:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ - dup170, - dup11, -])); - -var msg419 = msg("809:01", part422); - -var select122 = linear_select([ - msg418, - msg419, -]); - -var msg420 = msg("935", dup230); - -var msg421 = msg("614", dup233); - -var part423 = match("MESSAGE#421:748/0", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); - -var all89 = all_match({ - processors: [ - part423, - dup211, - dup119, - ], - on_success: processor_chain([ - dup66, - dup44, - ]), -}); - -var msg422 = msg("748", all89); - -var part424 = match("MESSAGE#422:794/0", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} spycat=%{fld1->} spypri=%{fld2->} pktdatId=%{fld3->} n=%{fld4->} 
src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); - -var part425 = match("MESSAGE#422:794/1_0", "nwparser.p0", "%{protocol}/%{fld5->} fw_action=\"%{p0}"); - -var select123 = linear_select([ - part425, - dup118, -]); - -var all90 = all_match({ - processors: [ - part424, - select123, - dup119, - ], - on_success: processor_chain([ - dup171, - dup44, - ]), -}); - -var msg423 = msg("794", all90); - -var msg424 = msg("1086", dup233); - -var part426 = match("MESSAGE#424:1430", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ - dup171, - dup44, -])); - -var msg425 = msg("1430", part426); - -var msg426 = msg("1149", dup233); - -var msg427 = msg("1159", dup233); - -var part427 = match("MESSAGE#427:1195", "nwparser.payload", "n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup171, - dup44, -])); - -var msg428 = msg("1195", part427); - -var part428 = match("MESSAGE#428:1195:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}", processor_chain([ - dup171, - dup44, -])); - -var msg429 = msg("1195:01", part428); - -var select124 = linear_select([ - msg428, - msg429, -]); - -var part429 = match("MESSAGE#429:1226", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup5, - dup44, -])); - -var msg430 = msg("1226", part429); - -var part430 = match("MESSAGE#430:1222", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} note=\"%{fld3}\" fw_action=\"%{action}\"", processor_chain([ - dup5, - dup44, -])); - -var msg431 = msg("1222", part430); - -var part431 = match("MESSAGE#431:1154", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} 
src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ - dup1, - dup24, -])); - -var msg432 = msg("1154", part431); - -var part432 = match("MESSAGE#432:1154:01/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{p0}"); - -var all91 = all_match({ - processors: [ - part432, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup1, - dup24, - ]), -}); - -var msg433 = msg("1154:01", all91); - -var part433 = match("MESSAGE#433:1154:02", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid%{fld2->} catid=%{fld3->} sess=\"%{fld4}\" n=%{fld5->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup172, - dup11, -])); - -var msg434 = msg("1154:02", part433); - -var part434 = match("MESSAGE#434:1154:03/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid=%{fld2->} catid=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{p0}"); - -var part435 = match("MESSAGE#434:1154:03/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} srcMac=%{p0}"); - -var select125 = linear_select([ - part435, - dup79, -]); - -var part436 = match("MESSAGE#434:1154:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\""); - -var all92 = all_match({ - processors: [ - part434, - select125, - part436, - ], - on_success: processor_chain([ - dup172, - dup11, - ]), -}); - -var msg435 = msg("1154:03", all92); - -var select126 = linear_select([ - msg432, - msg433, - msg434, - msg435, -]); - -var part437 = match("MESSAGE#435:msg", "nwparser.payload", "msg=\"%{msg}\" src=%{stransaddr->} dst=%{dtransaddr->} %{result}", processor_chain([ - dup173, -])); - -var 
msg436 = msg("msg", part437); - -var part438 = match("MESSAGE#436:src", "nwparser.payload", "src=%{stransaddr->} dst=%{dtransaddr->} %{msg}", processor_chain([ - dup173, -])); - -var msg437 = msg("src", part438); - -var all93 = all_match({ - processors: [ - dup7, - dup185, - dup183, - dup17, - dup212, - ], - on_success: processor_chain([ - dup1, - ]), -}); - -var msg438 = msg("1235", all93); - -var part439 = match("MESSAGE#438:1197/4", "nwparser.p0", "\"%{fld3->} Protocol:%{protocol}\" npcs=%{info}"); - -var all94 = all_match({ - processors: [ - dup7, - dup185, - dup10, - dup202, - part439, - ], - on_success: processor_chain([ - dup1, - ]), -}); - -var msg439 = msg("1197", all94); - -var part440 = match("MESSAGE#439:1199/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3->} sess=%{fld1->} n=%{fld2->} src=%{p0}"); - -var all95 = all_match({ - processors: [ - part440, - dup185, - dup174, - ], - on_success: processor_chain([ - dup1, - ]), -}); - -var msg440 = msg("1199", all95); - -var part441 = match("MESSAGE#440:1199:01", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup175, - dup11, -])); - -var msg441 = msg("1199:01", part441); - -var part442 = match("MESSAGE#441:1199:02", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup175, - dup11, -])); - -var msg442 = msg("1199:02", part442); - -var select127 = linear_select([ - msg440, - msg441, - msg442, -]); - -var part443 = match("MESSAGE#442:1155/0", "nwparser.payload", "msg=\"%{msg}\" 
sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} catid=%{fld3->} sess=%{fld4->} n=%{fld5->} src=%{p0}"); - -var all96 = all_match({ - processors: [ - part443, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup1, - ]), -}); - -var msg443 = msg("1155", all96); - -var part444 = match("MESSAGE#443:1155:01", "nwparser.payload", "msg=\"%{action}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ - dup111, -])); - -var msg444 = msg("1155:01", part444); - -var select128 = linear_select([ - msg443, - msg444, -]); - -var all97 = all_match({ - processors: [ - dup176, - dup213, - dup174, - ], - on_success: processor_chain([ - dup1, - ]), -}); - -var msg445 = msg("1198", all97); - -var all98 = all_match({ - processors: [ - dup7, - dup185, - dup174, - ], - on_success: processor_chain([ - dup1, - ]), -}); - -var msg446 = msg("714", all98); - -var msg447 = msg("709", dup252); - -var msg448 = msg("1005", dup252); - -var msg449 = msg("1003", dup252); - -var msg450 = msg("1007", dup253); - -var part445 = match("MESSAGE#450:1008", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}::%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup109, - dup11, -])); - -var msg451 = msg("1008", part445); - -var msg452 = msg("708", dup253); - -var all99 = all_match({ - processors: [ - dup176, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup1, - ]), -}); - -var msg453 = msg("1201", all99); - -var msg454 = msg("1201:01", dup253); - -var select129 = linear_select([ - msg453, - msg454, -]); - -var msg455 = msg("654", dup234); - -var msg456 = msg("670", dup234); - -var msg457 = msg("884", dup253); - -var part446 = match("MESSAGE#457:1153", "nwparser.payload", "msg=\"%{msg}\" 
sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} rcvd=%{rbytes->} note=\"%{info}\"", processor_chain([ - dup1, -])); - -var msg458 = msg("1153", part446); - -var part447 = match("MESSAGE#458:1153:01/1_0", "nwparser.p0", " app=%{fld1->} sess=%{fld2->} n=%{p0}"); - -var part448 = match("MESSAGE#458:1153:01/1_1", "nwparser.p0", " sess=%{fld2->} n=%{p0}"); - -var part449 = match("MESSAGE#458:1153:01/1_2", "nwparser.p0", " n=%{p0}"); - -var select130 = linear_select([ - part447, - part448, - part449, -]); - -var part450 = match("MESSAGE#458:1153:01/2", "nwparser.p0", "%{fld3->} usr=\"%{username}\" src=%{p0}"); - -var part451 = match("MESSAGE#458:1153:01/3_0", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); - -var select131 = linear_select([ - part451, - dup26, -]); - -var part452 = match("MESSAGE#458:1153:01/4_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac= %{p0}"); - -var part453 = match("MESSAGE#458:1153:01/4_1", "nwparser.p0", "%{daddr}:%{dport}srcMac= %{p0}"); - -var part454 = match("MESSAGE#458:1153:01/4_2", "nwparser.p0", "%{daddr}srcMac= %{p0}"); - -var select132 = linear_select([ - part452, - part453, - part454, -]); - -var part455 = match("MESSAGE#458:1153:01/5", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} %{p0}"); - -var part456 = match("MESSAGE#458:1153:01/6_0", "nwparser.p0", "sent=%{sbytes}rcvd=%{p0}"); - -var part457 = match("MESSAGE#458:1153:01/6_1", "nwparser.p0", "type=%{fld4->} icmpCode=%{fld5->} rcvd=%{p0}"); - -var part458 = match("MESSAGE#458:1153:01/6_2", "nwparser.p0", "rcvd=%{p0}"); - -var select133 = linear_select([ - part456, - part457, - part458, -]); - -var all100 = all_match({ - processors: [ - dup54, - select130, - part450, - select131, - select132, - part455, - select133, - dup123, - ], - on_success: processor_chain([ - dup1, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), 
-}); - -var msg459 = msg("1153:01", all100); - -var part459 = match("MESSAGE#459:1153:02/1_0", "nwparser.p0", "app=%{fld1->} n=%{fld2->} src=%{p0}"); - -var part460 = match("MESSAGE#459:1153:02/1_1", "nwparser.p0", "n=%{fld2->} src=%{p0}"); - -var select134 = linear_select([ - part459, - part460, -]); - -var part461 = match("MESSAGE#459:1153:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes}"); - -var all101 = all_match({ - processors: [ - dup82, - select134, - part461, - ], - on_success: processor_chain([ - dup1, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), -}); - -var msg460 = msg("1153:02", all101); - -var select135 = linear_select([ - msg458, - msg459, - msg460, -]); - -var part462 = match("MESSAGE#460:1107", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1}", processor_chain([ - dup1, -])); - -var msg461 = msg("1107", part462); - -var part463 = match("MESSAGE#461:1220/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{p0}"); - -var part464 = match("MESSAGE#461:1220/1_0", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); - -var part465 = match("MESSAGE#461:1220/1_1", "nwparser.p0", "%{fld2}src=%{saddr}:%{sport->} dst= %{p0}"); - -var select136 = linear_select([ - part464, - part465, -]); - -var all102 = all_match({ - processors: [ - part463, - select136, - dup153, - dup235, - dup179, - ], - on_success: processor_chain([ - dup165, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), -}); - -var msg462 = msg("1220", all102); - -var all103 = all_match({ - processors: [ - dup149, - dup235, - dup179, - ], - on_success: processor_chain([ - dup165, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), -}); - -var msg463 = msg("1230", all103); - -var part466 = match("MESSAGE#463:1231", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1->} 
note=\"%{info}\"", processor_chain([ - dup1, -])); - -var msg464 = msg("1231", part466); - -var part467 = match("MESSAGE#464:1233", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ - dup175, - dup11, -])); - -var msg465 = msg("1233", part467); - -var part468 = match("MESSAGE#465:1079/0", "nwparser.payload", "msg=\"User%{username}log%{p0}"); - -var part469 = match("MESSAGE#465:1079/1_0", "nwparser.p0", "in%{p0}"); - -var part470 = match("MESSAGE#465:1079/1_1", "nwparser.p0", "out%{p0}"); - -var select137 = linear_select([ - part469, - part470, -]); - -var part471 = match("MESSAGE#465:1079/2", "nwparser.p0", "\"%{p0}"); - -var part472 = match("MESSAGE#465:1079/3_0", "nwparser.p0", "dur=%{duration->} %{space}n=%{p0}"); - -var part473 = match("MESSAGE#465:1079/3_1", "nwparser.p0", "sess=\"%{fld2}\" n=%{p0}"); - -var select138 = linear_select([ - part472, - part473, - dup38, -]); - -var part474 = match_copy("MESSAGE#465:1079/4", "nwparser.p0", "fld1"); - -var all104 = all_match({ - processors: [ - part468, - select137, - part471, - select138, - part474, - ], - on_success: processor_chain([ - dup1, - ]), -}); - -var msg466 = msg("1079", all104); - -var part475 = match("MESSAGE#466:1079:01", "nwparser.payload", "msg=\"Client%{username}is assigned IP:%{hostip}\" %{space->} n=%{fld1}", processor_chain([ - dup1, -])); - -var msg467 = msg("1079:01", part475); - -var part476 = match("MESSAGE#467:1079:02", "nwparser.payload", "msg=\"destination for %{daddr->} is not allowed by access control\" n=%{fld2}", processor_chain([ - dup1, - dup11, - setc("event_description","destination is not allowed by access control"), - dup18, - dup19, - dup20, - dup21, - dup22, -])); - -var msg468 = msg("1079:02", part476); - -var part477 = match("MESSAGE#468:1079:03", "nwparser.payload", 
"msg=\"SSLVPN Client %{username->} matched device profile Default Device Profile for Windows\" n=%{fld2}", processor_chain([ - dup1, - dup11, - setc("event_description","SSLVPN Client matched device profile Default Device Profile for Windows"), - dup18, - dup19, - dup20, - dup21, - dup22, -])); - -var msg469 = msg("1079:03", part477); - -var select139 = linear_select([ - msg466, - msg467, - msg468, - msg469, -]); - -var part478 = match("MESSAGE#469:1080/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=\"%{username}\" src= %{p0}"); - -var part479 = match("MESSAGE#469:1080/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); - -var select140 = linear_select([ - dup8, - part479, -]); - -var part480 = match("MESSAGE#469:1080/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); - -var select141 = linear_select([ - dup135, - part480, -]); - -var part481 = match_copy("MESSAGE#469:1080/3", "nwparser.p0", "protocol"); - -var all105 = all_match({ - processors: [ - part478, - select140, - select141, - part481, - ], - on_success: processor_chain([ - dup1, - ]), -}); - -var msg470 = msg("1080", all105); - -var part482 = match("MESSAGE#470:580", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ - dup5, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, -])); - -var msg471 = msg("580", part482); - -var part483 = match("MESSAGE#471:1369/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{p0}"); - -var all106 = all_match({ - processors: [ - part483, - dup236, - dup119, - ], - on_success: processor_chain([ - dup78, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), -}); - -var 
msg472 = msg("1369", all106); - -var all107 = all_match({ - processors: [ - dup149, - dup223, - dup152, - dup236, - dup119, - ], - on_success: processor_chain([ - dup78, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), -}); - -var msg473 = msg("1370", all107); - -var all108 = all_match({ - processors: [ - dup149, - dup223, - dup169, - dup211, - dup119, - ], - on_success: processor_chain([ - dup78, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), -}); - -var msg474 = msg("1371", all108); - -var part484 = match("MESSAGE#474:1387/1_1", "nwparser.p0", " dst=%{p0}"); - -var select142 = linear_select([ - dup167, - part484, -]); - -var all109 = all_match({ - processors: [ - dup166, - select142, - dup168, - dup223, - dup169, - dup211, - dup119, - ], - on_success: processor_chain([ - dup165, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), -}); - -var msg475 = msg("1387", all109); - -var part485 = match("MESSAGE#475:1391/0", "nwparser.payload", "pktdatId=%{fld1}pktdatNum=\"%{fld2}\" pktdatEnc=\"%{fld3}\" n=%{fld4}src=%{saddr}:%{p0}"); - -var part486 = match("MESSAGE#475:1391/1_0", "nwparser.p0", "%{sport}:%{sinterface}dst=%{p0}"); - -var part487 = match("MESSAGE#475:1391/1_1", "nwparser.p0", "%{sport}dst=%{p0}"); - -var select143 = linear_select([ - part486, - part487, -]); - -var part488 = match("MESSAGE#475:1391/3_0", "nwparser.p0", "%{dport}:%{dinterface}:%{dhost}"); - -var select144 = linear_select([ - part488, - dup154, - dup155, -]); - -var all110 = all_match({ - processors: [ - part485, - select143, - dup153, - select144, - ], - on_success: processor_chain([ - dup1, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), -}); - -var msg476 = msg("1391", all110); - -var part489 = match("MESSAGE#476:1253", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1}appName=\"%{application}\" 
n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\"", processor_chain([ - dup5, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, -])); - -var msg477 = msg("1253", part489); - -var part490 = match("MESSAGE#477:1009", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ - dup5, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, -])); - -var msg478 = msg("1009", part490); - -var part491 = match("MESSAGE#478:910/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2}appName=\"%{application}\" n=%{fld3}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{p0}"); - -var part492 = match("MESSAGE#478:910/1_0", "nwparser.p0", "%{dinterface}:%{dhost}srcMac=%{p0}"); - -var part493 = match("MESSAGE#478:910/1_1", "nwparser.p0", "%{dinterface}srcMac=%{p0}"); - -var select145 = linear_select([ - part492, - part493, -]); - -var part494 = match("MESSAGE#478:910/2", "nwparser.p0", "%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\""); - -var all111 = all_match({ - processors: [ - part491, - select145, - part494, - ], - on_success: processor_chain([ - dup5, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), -}); - -var msg479 = msg("910", all111); - -var part495 = match("MESSAGE#479:m:01", "nwparser.payload", "m=%{id1}msg=\"%{event_description}\" n=%{fld2}if=%{interface}ucastRx=%{fld3}bcastRx=%{fld4}bytesRx=%{rbytes}ucastTx=%{fld5}bcastTx=%{fld6}bytesTx=%{sbytes}", processor_chain([ - dup1, - dup62, - dup18, - dup88, - dup20, - dup22, - dup44, -])); - -var msg480 = msg("m:01", part495); - -var part496 = match("MESSAGE#480:1011", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ - dup1, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, -])); - -var msg481 = 
msg("1011", part496); - -var part497 = match("MESSAGE#481:609", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} ipscat=\"%{fld3}\" ipspri=%{fld4->} pktdatId=%{fld5->} n=%{fld6->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ - dup172, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, -])); - -var msg482 = msg("609", part497); - -var msg483 = msg("796", dup237); - -var part498 = match("MESSAGE#483:880", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ - dup78, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, -])); - -var msg484 = msg("880", part498); - -var part499 = match("MESSAGE#484:1309", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup165, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, -])); - -var msg485 = msg("1309", part499); - -var msg486 = msg("1310", dup237); - -var part500 = match("MESSAGE#486:1232/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{p0}"); - -var part501 = match("MESSAGE#486:1232/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} note=\"%{p0}"); - -var part502 = match("MESSAGE#486:1232/1_1", "nwparser.p0", "%{dinterface->} note=\"%{p0}"); - -var select146 = linear_select([ - part501, - part502, -]); - -var part503 = match("MESSAGE#486:1232/2", "nwparser.p0", "%{info}\" fw_action=\"%{action}\""); - -var all112 = all_match({ - processors: [ - part500, - select146, - part503, - ], - on_success: processor_chain([ - dup1, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), -}); - -var msg487 = msg("1232", all112); - -var part504 = match("MESSAGE#487:1447/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} appName=\"%{application}\" n=%{fld2->} 
srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); - -var all113 = all_match({ - processors: [ - part504, - dup211, - dup119, - ], - on_success: processor_chain([ - dup165, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), -}); - -var msg488 = msg("1447", all113); - -var chain1 = processor_chain([ - select1, - msgid_select({ - "10": msg9, - "100": msg159, - "1003": msg449, - "1005": msg448, - "1007": msg450, - "1008": msg451, - "1009": msg478, - "101": msg160, - "1011": msg481, - "102": msg161, - "103": msg162, - "104": msg163, - "105": msg164, - "106": msg165, - "107": msg166, - "1079": select139, - "108": msg167, - "1080": msg470, - "1086": msg424, - "109": msg168, - "11": msg10, - "110": msg169, - "1107": msg461, - "111": select57, - "1110": msg408, - "112": msg172, - "113": msg173, - "114": msg174, - "1149": msg426, - "115": select58, - "1153": select135, - "1154": select126, - "1155": select128, - "1159": msg427, - "116": msg177, - "117": msg178, - "118": msg179, - "119": msg180, - "1195": select124, - "1197": msg439, - "1198": msg445, - "1199": select127, - "12": select4, - "120": msg181, - "1201": select129, - "121": msg182, - "122": msg183, - "1220": msg462, - "1222": msg431, - "1226": msg430, - "123": msg184, - "1230": msg463, - "1231": msg464, - "1232": msg487, - "1233": msg465, - "1235": msg438, - "124": msg185, - "125": msg186, - "1253": msg477, - "1254": msg187, - "1256": msg188, - "1257": msg189, - "126": msg190, - "127": msg191, - "128": msg192, - "129": msg193, - "13": msg13, - "130": msg194, - "1309": msg485, - "131": msg195, - "1310": msg486, - "132": msg196, - "133": msg197, - "134": msg198, - "135": msg199, - "136": msg200, - "1369": msg472, - "137": msg201, - "1370": msg473, - "1371": msg474, - "138": msg202, - "1387": msg475, - "139": select59, - "1391": msg476, - "14": select7, - "140": msg205, - "141": 
msg206, - "142": msg207, - "143": msg208, - "1430": msg425, - "1431": msg209, - "144": msg210, - "1447": msg488, - "145": msg211, - "146": msg212, - "147": msg213, - "148": msg214, - "1480": msg215, - "149": msg216, - "15": msg20, - "150": msg217, - "151": msg218, - "152": msg219, - "153": msg220, - "154": msg221, - "155": msg222, - "156": msg223, - "157": select60, - "158": msg226, - "159": msg227, - "16": msg21, - "160": msg228, - "161": msg229, - "162": msg230, - "163": msg231, - "164": msg232, - "165": msg233, - "166": msg234, - "167": msg235, - "168": msg236, - "169": msg237, - "17": msg22, - "170": msg238, - "171": select61, - "172": select62, - "173": msg245, - "174": select63, - "175": select64, - "176": msg253, - "177": msg254, - "178": msg255, - "179": msg256, - "18": msg23, - "180": select65, - "181": select66, - "19": msg24, - "193": msg261, - "194": msg262, - "195": msg263, - "196": select67, - "199": msg266, - "20": msg25, - "200": msg267, - "21": msg26, - "22": msg27, - "23": select10, - "235": select68, - "236": msg271, - "237": msg272, - "238": msg273, - "239": msg274, - "24": select11, - "240": msg275, - "241": select69, - "242": msg278, - "243": msg403, - "25": msg34, - "252": msg279, - "255": msg280, - "257": msg281, - "26": msg35, - "261": select72, - "262": msg284, - "263": msg413, - "264": msg414, - "267": select121, - "27": msg36, - "273": msg285, - "28": select12, - "29": select13, - "30": select14, - "31": select15, - "32": select16, - "328": msg286, - "329": msg287, - "33": select17, - "34": msg52, - "346": msg288, - "35": select18, - "350": msg289, - "351": msg290, - "352": msg291, - "353": select73, - "354": msg294, - "355": select74, - "356": msg297, - "357": select75, - "358": msg300, - "36": select21, - "37": select23, - "371": select76, - "372": msg303, - "373": msg304, - "38": select25, - "39": msg67, - "4": msg1, - "40": msg68, - "401": msg305, - "402": msg306, - "403": msg400, - "404": msg410, - "406": msg307, - "41": select26, - 
"412": msg415, - "413": msg308, - "414": msg309, - "42": msg72, - "427": msg156, - "428": msg157, - "43": msg73, - "438": msg310, - "439": msg311, - "44": msg74, - "440": msg312, - "441": select77, - "442": msg315, - "446": msg316, - "45": select27, - "46": select28, - "47": msg82, - "477": msg317, - "48": msg83, - "49": msg84, - "5": select2, - "50": msg85, - "509": msg318, - "51": msg86, - "52": msg87, - "520": msg319, - "522": select80, - "523": msg323, - "524": select83, - "526": select86, - "53": msg88, - "534": msg401, - "537": select101, - "538": msg346, - "549": msg347, - "557": msg348, - "558": msg349, - "561": msg350, - "562": msg351, - "563": msg352, - "565": msg409, - "58": msg89, - "580": msg471, - "583": msg353, - "597": select102, - "598": select103, - "6": select3, - "60": msg90, - "602": select104, - "605": msg363, - "606": msg364, - "608": msg365, - "609": msg482, - "61": msg91, - "614": msg421, - "616": msg366, - "62": msg92, - "63": select29, - "64": msg95, - "65": msg96, - "654": msg455, - "657": select118, - "658": msg367, - "66": msg97, - "67": select30, - "670": msg456, - "68": msg100, - "69": msg101, - "7": msg6, - "70": select32, - "708": msg452, - "709": msg447, - "710": msg368, - "712": select108, - "713": select109, - "714": msg446, - "72": select33, - "73": msg106, - "74": msg107, - "748": msg422, - "75": msg108, - "76": msg109, - "760": select110, - "766": msg378, - "77": msg110, - "78": msg111, - "79": msg112, - "793": msg416, - "794": msg423, - "796": msg483, - "8": msg7, - "80": msg113, - "805": msg417, - "809": select122, - "81": msg114, - "82": select34, - "83": select35, - "84": msg122, - "860": select111, - "866": select113, - "867": select114, - "87": select37, - "88": select38, - "880": msg484, - "882": select115, - "884": msg457, - "888": select116, - "89": select40, - "892": msg389, - "9": msg8, - "90": msg129, - "904": msg390, - "905": msg391, - "906": msg392, - "907": msg393, - "908": msg394, - "909": msg395, - "91": 
msg130, - "910": msg479, - "914": msg396, - "92": msg131, - "93": msg132, - "931": msg397, - "935": msg420, - "94": msg133, - "95": msg134, - "96": msg135, - "97": select44, - "98": select56, - "986": msg155, - "99": msg158, - "994": msg402, - "995": msg404, - "997": msg405, - "998": select119, - "m": msg480, - "msg": msg436, - "src": msg437, - }), -]); - -var part505 = match("MESSAGE#14:14:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); - -var part506 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); - -var part507 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); - -var part508 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}"); - -var part509 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); - -var part510 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); - -var part511 = match("MESSAGE#28:23:01/2", "nwparser.p0", "%{p0}"); - -var part512 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); - -var part513 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); - -var part514 = match("MESSAGE#38:29:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); - -var part515 = match("MESSAGE#38:29:01/2_1", "nwparser.p0", "%{daddr->} "); - -var part516 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); - -var part517 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); - -var part518 = match("MESSAGE#52:35:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}"); - -var part519 = match_copy("MESSAGE#52:35:01/2_1", "nwparser.p0", "daddr"); - -var part520 = match("MESSAGE#54:36:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{p0}"); - -var part521 = match("MESSAGE#54:36:01/1_1", 
"nwparser.p0", "n=%{p0}"); - -var part522 = match("MESSAGE#54:36:01/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); - -var part523 = match("MESSAGE#54:36:01/3_1", "nwparser.p0", "%{saddr->} %{p0}"); - -var part524 = match("MESSAGE#54:36:01/4", "nwparser.p0", "dst= %{p0}"); - -var part525 = match("MESSAGE#54:36:01/7_1", "nwparser.p0", "rule=%{rule}"); - -var part526 = match("MESSAGE#54:36:01/7_2", "nwparser.p0", "proto=%{protocol}"); - -var part527 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); - -var part528 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); - -var part529 = match_copy("MESSAGE#55:36:02/6", "nwparser.p0", "info"); - -var part530 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} proto= %{p0}"); - -var part531 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{dinterface->} proto= %{p0}"); - -var part532 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{protocol->} npcs=%{info}"); - -var part533 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); - -var part534 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} type= %{p0}"); - -var part535 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{dinterface->} type= %{p0}"); - -var part536 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{event_description}\"%{p0}"); - -var part537 = match("MESSAGE#64:38:03/1_0", "nwparser.p0", " app=%{fld2->} appName=\"%{application}\"%{p0}"); - -var part538 = match_copy("MESSAGE#64:38:03/1_1", "nwparser.p0", "p0"); - -var part539 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); - -var part540 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); - -var part541 = match("MESSAGE#126:89:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); - -var part542 = match("MESSAGE#135:97:01/0", "nwparser.payload", 
"n=%{fld1->} src= %{p0}"); - -var part543 = match("MESSAGE#135:97:01/6_0", "nwparser.p0", "result=%{result->} dstname=%{p0}"); - -var part544 = match("MESSAGE#135:97:01/6_1", "nwparser.p0", "dstname=%{p0}"); - -var part545 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); - -var part546 = match("MESSAGE#141:97:07/1_1", "nwparser.p0", "%{dinterface->} srcMac=%{p0}"); - -var part547 = match("MESSAGE#147:98:01/6_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); - -var part548 = match("MESSAGE#147:98:01/7_4", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes}"); - -var part549 = match("MESSAGE#148:98:06/0", "nwparser.payload", "msg=\"%{event_description}\" %{p0}"); - -var part550 = match("MESSAGE#148:98:06/5_0", "nwparser.p0", "%{sinterface}:%{shost->} dst= %{p0}"); - -var part551 = match("MESSAGE#148:98:06/5_1", "nwparser.p0", "%{sinterface->} dst= %{p0}"); - -var part552 = match("MESSAGE#148:98:06/7_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); - -var part553 = match("MESSAGE#148:98:06/9_3", "nwparser.p0", "sent=%{sbytes}"); - -var part554 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); - -var part555 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} npcs= %{p0}"); - -var part556 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{dinterface->} npcs= %{p0}"); - -var part557 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{info}"); - -var part558 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} note= %{p0}"); - -var part559 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{dinterface->} note= %{p0}"); - -var part560 = match("MESSAGE#256:180:01/4", "nwparser.p0", "\"%{fld3}\" npcs=%{info}"); - -var part561 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} 
dport=%{dport->} %{p0}"); - -var part562 = match("MESSAGE#260:194/1_1", "nwparser.p0", "rcvd=%{rbytes}"); - -var part563 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); - -var part564 = match("MESSAGE#262:196/1_1", "nwparser.p0", "rcvd=%{rbytes->} cmd=%{p0}"); - -var part565 = match_copy("MESSAGE#262:196/2", "nwparser.p0", "method"); - -var part566 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); - -var part567 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); - -var part568 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); - -var part569 = match("MESSAGE#302:401/1_0", "nwparser.p0", "dstname=%{name}"); - -var part570 = match_copy("MESSAGE#302:401/1_1", "nwparser.p0", "space"); - -var part571 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); - -var part572 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); - -var part573 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); - -var part574 = match("MESSAGE#318:522:01/4", "nwparser.p0", "proto=%{protocol->} npcs=%{info}"); - -var part575 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); - -var part576 = match_copy("MESSAGE#330:537:01/5_1", "nwparser.p0", "rbytes"); - -var part577 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"n=%{p0}"); - -var part578 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", " app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); - -var part579 = match("MESSAGE#332:537:08/1_2", "nwparser.p0", " app=%{fld51}n=%{p0}"); - -var part580 = match("MESSAGE#332:537:08/2_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); - -var part581 = match("MESSAGE#332:537:08/2_1", "nwparser.p0", "%{fld1}src=%{p0}"); - -var part582 = 
match("MESSAGE#332:537:08/6_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}"); - -var part583 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}"); - -var part584 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7}"); - -var part585 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7}"); - -var part586 = match_copy("MESSAGE#332:537:08/7_4", "nwparser.p0", "fld3"); - -var part587 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); - -var part588 = match("MESSAGE#336:537:04/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); - -var part589 = match("MESSAGE#336:537:04/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); - -var part590 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); - -var part591 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "usr=\"%{username}\" %{p0}"); - -var part592 = match("MESSAGE#338:537:10/2", "nwparser.p0", "src=%{p0}"); - -var part593 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); - -var part594 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); - -var part595 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info}"); - -var part596 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12}"); - -var part597 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}"); - -var part598 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); - -var part599 = match("MESSAGE#361:606/1_0", "nwparser.p0", "%{dport}:%{dinterface->} srcMac=%{p0}"); - -var part600 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{dport->} srcMac=%{p0}"); - -var part601 
= match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); - -var part602 = match("MESSAGE#362:608/4", "nwparser.p0", "%{daddr}:%{p0}"); - -var part603 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}"); - -var part604 = match_copy("MESSAGE#362:608/5_2", "nwparser.p0", "dport"); - -var part605 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); - -var part606 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{p0}"); - -var part607 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); - -var part608 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); - -var part609 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); - -var part610 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); - -var part611 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); - -var part612 = match_copy("MESSAGE#366:712:02/5", "nwparser.p0", "fld51"); - -var part613 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{p0}"); - -var part614 = match("MESSAGE#391:908/1_1", "nwparser.p0", "%{sinterface->} dst=%{p0}"); - -var part615 = match("MESSAGE#391:908/2", "nwparser.p0", "%{} %{daddr}:%{p0}"); - -var part616 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); - -var part617 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); - -var part618 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); - -var part619 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{dport}:%{dinterface->} note=%{p0}"); - -var part620 = 
match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{dport->} note=%{p0}"); - -var part621 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); - -var part622 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); - -var part623 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); - -var select147 = linear_select([ - dup8, - dup9, -]); - -var select148 = linear_select([ - dup15, - dup16, -]); - -var part624 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ - dup1, - dup24, -])); - -var select149 = linear_select([ - dup26, - dup27, -]); - -var select150 = linear_select([ - dup28, - dup29, -]); - -var select151 = linear_select([ - dup35, - dup36, -]); - -var select152 = linear_select([ - dup37, - dup38, -]); - -var select153 = linear_select([ - dup39, - dup40, -]); - -var select154 = linear_select([ - dup26, - dup46, -]); - -var select155 = linear_select([ - dup48, - dup49, -]); - -var select156 = linear_select([ - dup52, - dup53, -]); - -var select157 = linear_select([ - dup55, - dup56, -]); - -var select158 = linear_select([ - dup57, - dup58, -]); - -var part625 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ - dup70, -])); - -var part626 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ - dup5, -])); - -var select159 = linear_select([ - dup75, - dup76, -]); - -var select160 = linear_select([ - dup83, - dup84, -]); - -var part627 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", 
processor_chain([ - dup1, -])); - -var select161 = linear_select([ - dup94, - dup95, -]); - -var part628 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ - dup5, -])); - -var select162 = linear_select([ - dup98, - dup99, -]); - -var select163 = linear_select([ - dup86, - dup102, -]); - -var select164 = linear_select([ - dup103, - dup104, -]); - -var part629 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup93, -])); - -var part630 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup93, -])); - -var part631 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup1, -])); - -var part632 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ - dup1, -])); - -var part633 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ - dup1, - dup24, -])); - -var select165 = linear_select([ - dup114, - dup115, -]); - -var select166 = linear_select([ - dup117, - dup118, -]); - -var select167 = linear_select([ - dup43, - dup42, -]); - -var select168 = linear_select([ - dup8, - dup27, -]); - -var select169 = linear_select([ - dup8, - dup26, - dup46, -]); - -var select170 = linear_select([ - dup80, - dup15, - dup16, -]); - -var select171 = linear_select([ - dup124, - dup125, - dup126, - dup38, -]); - -var select172 = linear_select([ - dup127, - dup128, -]); - -var select173 = linear_select([ - dup129, - dup130, -]); - -var select174 = linear_select([ - dup135, - dup136, - 
dup137, -]); - -var select175 = linear_select([ - dup138, - dup56, -]); - -var select176 = linear_select([ - dup140, - dup141, -]); - -var select177 = linear_select([ - dup142, - dup143, -]); - -var select178 = linear_select([ - dup150, - dup151, -]); - -var part634 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup156, -])); - -var select179 = linear_select([ - dup158, - dup38, -]); - -var select180 = linear_select([ - dup160, - dup161, -]); - -var select181 = linear_select([ - dup162, - dup163, -]); - -var part635 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ - dup5, -])); - -var part636 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ - dup5, -])); - -var part637 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ - dup5, - dup24, -])); - -var part638 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ - dup1, - dup24, -])); - -var part639 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ - dup1, - dup24, -])); - -var part640 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup171, - dup44, -])); - -var part641 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ - dup1, -])); - -var select182 = linear_select([ - dup177, - dup178, -]); - -var select183 = linear_select([ - dup180, - dup181, -]); - -var part642 = match("MESSAGE#482:796", "nwparser.payload", 
"msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup1, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, -])); - -var all114 = all_match({ - processors: [ - dup32, - dup185, - dup186, - ], - on_success: processor_chain([ - dup31, - ]), -}); - -var all115 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup91, - ]), -}); - -var all116 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup67, - ]), -}); - -var all117 = all_match({ - processors: [ - dup101, - dup203, - ], - on_success: processor_chain([ - dup67, - ]), -}); - -var all118 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup106, - ]), -}); - -var all119 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup31, - ]), -}); - -var all120 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup30, - ]), -}); - -var all121 = all_match({ - processors: [ - dup108, - dup185, - dup187, - ], - on_success: processor_chain([ - dup109, - ]), -}); - -var all122 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - dup112, - ]), -}); - -var all123 = all_match({ - processors: [ - dup113, - dup210, - ], - on_success: processor_chain([ - dup93, - ]), -}); - -var all124 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - dup116, - ]), -}); - -var all125 = all_match({ - processors: [ - dup51, - dup189, - dup41, - dup187, - ], - on_success: processor_chain([ - dup5, - ]), -}); - -var all126 = all_match({ - processors: [ - dup73, - dup185, - dup183, - dup43, - ], - on_success: processor_chain([ - dup1, - ]), -}); - -var all127 = all_match({ - processors: [ - dup157, - dup225, - dup159, - dup226, - dup227, - dup164, - ], - on_success: processor_chain([ 
- dup156, - dup59, - dup60, - dup61, - dup62, - dup44, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), -}); - -var all128 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup202, - dup100, - ], - on_success: processor_chain([ - dup1, - ]), -}); - -var all129 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup1, - ]), -}); diff --git a/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml deleted file mode 100644 index 0d5140dee4c..00000000000 --- a/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml +++ /dev/null 
@@ -1,64 +0,0 @@ ---- -description: Pipeline for Sonicwall-FW - -processors: - # ECS event.ingested - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - # User agent - - user_agent: - field: user_agent.original - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.hosts - value: '{{host.name}}' - allow_duplicates: false - if: ctx.host?.name != null && ctx.host?.name != '' -on_failure: - - append: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/sonicwall/firewall/manifest.yml b/x-pack/filebeat/module/sonicwall/firewall/manifest.yml deleted file mode 100644 index f9949f03fd5..00000000000 --- a/x-pack/filebeat/module/sonicwall/firewall/manifest.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -module_version: "1.0" - -var: - - name: paths - - name: tags - default: ["sonicwall.firewall", "forwarded"] - - name: syslog_host - default: localhost - - name: syslog_port - default: 9536 - - name: input - default: udp - - name: community_id - default: true - - name: tz_offset - default: local - - name: rsa_fields - default: true - - name: keep_raw_fields - default: false - - name: debug - default: false - -ingest_pipeline: ingest/pipeline.yml -input: config/input.yml - -requires.processors: -- name: geoip - plugin: ingest-geoip -- name: user_agent - plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/general.log b/x-pack/filebeat/module/sonicwall/firewall/test/general.log deleted file mode 100644 index bebffc65961..00000000000 --- a/x-pack/filebeat/module/sonicwall/firewall/test/general.log +++ /dev/null 
@@ -1,21 +0,0 @@
-Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:06" fw=89.160.20.156 pri=6 c=262144 m=98 msg="Connection Opened" n=23419 src=2.2.2.2:36701:WAN dst=89.160.20.156:50000:WAN proto=tcp/50000
-Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=89.160.20.156 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" n=7 src=2.2.2.2:36701:WAN dst=89.160.20.156:50000:WAN
-Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=89.160.20.156 pri=6 c=262144 m=98 msg="Connection Opened" n=23420 src=2.2.2.2:36702:WAN dst=89.160.20.156:50000:WAN proto=tcp/50000
-Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=89.160.20.156 pri=6 c=1024 m=537 msg="Connection Closed" n=567996 src=192.168.4.10:27577:WAN dst=192.168.5.10:53:LAN proto=tcp/dns sent=257 rcvd=242
-Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:08" fw=89.160.20.156 pri=6 c=1024 m=537 msg="Connection Closed" n=567997 src=192.168.5.56:4277:LAN dst=192.168.1.100:1026:WAN proto=tcp/1026 sent=3590 rcvd=13042 vpnpolicy="name"
-Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=89.160.20.156 pri=6 c=1024 m=537 msg="Connection Closed" n=567999 src=192.168.5.56:4280:LAN dst=192.168.2.81:41850:WAN proto=tcp/41850 sent=386026 rcvd=454118 vpnpolicy="name"
-Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=89.160.20.156 pri=6 c=1024 m=537 msg="Connection Closed" n=567999 src=89.160.20.156:500:WAN dst=2.2.2.2:500:WAN proto=udp/500 sent=344 rcvd=152
-Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=89.160.20.156 pri=6 c=262144 m=98 msg="Connection Opened" n=23421 src=2.2.2.2:36703:WAN dst=89.160.20.156:50000:WAN proto=tcp/50000
-Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=89.160.20.156 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" n=8 src=2.2.2.2:36703:WAN dst=89.160.20.156:50000:WAN
-Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:11" fw=89.160.20.156 pri=6 c=262144 m=98 msg="Connection Opened" n=23422 src=2.2.2.2:36704:WAN dst=89.160.20.156:50000:WAN proto=tcp/50000
-Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:14" fw=89.160.20.156 pri=5 c=256 m=38 msg="ICMP packet dropped" n=22070 src=219.89.19.223:1026:WAN dst=89.160.20.156:6822:WAN type=3 code=3
-Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:14" fw=89.160.20.156 pri=6 c=1024 m=537 msg="Connection Closed" n=568000 src=219.89.19.223:1026:WAN dst=89.160.20.156:0:WAN proto=udp/0
-Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=89.160.20.156 pri=6 c=16 m=346 msg="IKE Initiator: Start Quick Mode (Phase 2)." n=171872 src=2.2.2.2:500 dst=89.160.20.156:500
-Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=89.160.20.156 pri=6 c=262144 m=98 msg="Connection Opened" n=23423 src=89.160.20.156:500:WAN dst=2.2.2.2:500:WAN proto=udp/500
-Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=89.160.20.156 pri=4 c=16 m=483 msg="Received notify: INVALID_ID_INFO" n=171625 src=2.2.2.2:500 dst=89.160.20.156:500
-Jan 3 13:45:45 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=89.160.20.156 pri=6 c=262144 m=98 msg="Connection Opened" n=23424 src=192.168.115.10:11549:WAN dst=192.168.5.10:53:LAN proto=tcp/dns
-Jan 3 13:45:46 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:17" fw=89.160.20.156 pri=6 c=262144 m=98 msg="Connection Opened" n=23425 src=192.168.5.64:3182:LAN dst=192.168.1.100:445:WAN proto=tcp/445
-Jan 3 13:45:47 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:18" fw=89.160.20.156 pri=6 c=1024 m=537 msg="Connection Closed" n=568001 src=2.2.2.2:36699:WAN dst=89.160.20.156:50000:WAN proto=tcp/50000 sent=1557 rcvd=957
-Jan 3 13:45:49 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:20" fw=89.160.20.156 pri=6 c=1024 m=537 msg="Connection Closed" n=568002 src=192.168.5.10:3417:LAN dst=192.168.1.100:53:WAN proto=udp/dns sent=401 rcvd=254 vpnpolicy="name"
-Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:20" fw=89.160.20.156 pri=6 c=262144 m=98 msg="Connection Opened" n=23426 src=192.168.125.75:524:WAN dst=192.168.5.10:3582:LAN proto=udp/3582
-Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:21" fw=89.160.20.156 pri=6 c=262144 m=98 msg="Connection Opened" n=23427 src=192.168.6.10:28503:WAN dst=192.168.5.10:53:LAN proto=tcp/dns
diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json
deleted file mode 100644
index 7ea2067409d..00000000000
--- a/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json
+++ /dev/null
@@ -1,595 +0,0 @@ -[ - { - "@timestamp": "2007-01-03T16:48:06.000Z", - "event.code": "98", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:06\" fw=89.160.20.156 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23419 src=2.2.2.2:36701:WAN dst=89.160.20.156:50000:WAN proto=tcp/50000", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 0, - "observer.ingress.interface.name": "WAN dst=89.160.20.156:50000:WAN proto=tcp/50000", - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "2.2.2.2" - ], - "rsa.internal.event_desc": "Connection Opened", - "rsa.internal.messageid": "98", - "rsa.internal.msg": "Connection Opened", - "rsa.network.sinterface": "WAN dst=89.160.20.156:50000:WAN proto=tcp/50000", - "rsa.time.event_time": "2007-01-03T16:48:06.000Z", - "service.type": "sonicwall", - "source.ip": "2.2.2.2", - "source.port": 36701, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2007-01-03T16:48:07.000Z", - "event.action": "Administrator login denied due to bad credentials", - "event.code": "30", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=89.160.20.156 pri=1 c=32 m=30 msg=\"Administrator login denied due to bad credentials\" n=7 src=2.2.2.2:36701:WAN dst=89.160.20.156:50000:WAN", - "fileset.name": "firewall", - "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 215, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "30", - "rsa.misc.action": [ - "Administrator login denied due to bad credentials" - ], - "rsa.time.event_time": "2007-01-03T16:48:07.000Z", - "service.type": "sonicwall", - "tags": [ - 
"forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2007-01-03T16:48:07.000Z", - "event.code": "98", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=89.160.20.156 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23420 src=2.2.2.2:36702:WAN dst=89.160.20.156:50000:WAN proto=tcp/50000", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 438, - "observer.ingress.interface.name": "WAN dst=89.160.20.156:50000:WAN proto=tcp/50000", - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "2.2.2.2" - ], - "rsa.internal.event_desc": "Connection Opened", - "rsa.internal.messageid": "98", - "rsa.internal.msg": "Connection Opened", - "rsa.network.sinterface": "WAN dst=89.160.20.156:50000:WAN proto=tcp/50000", - "rsa.time.event_time": "2007-01-03T16:48:07.000Z", - "service.type": "sonicwall", - "source.ip": "2.2.2.2", - "source.port": 36702, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2007-01-03T16:48:07.000Z", - "event.action": "Connection Closed", - "event.code": "537", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=89.160.20.156 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567996 src=192.168.4.10:27577:WAN dst=192.168.5.10:53:LAN proto=tcp/dns sent=257 rcvd=242", - "fileset.name": "firewall", - "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 653, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.event_desc": "Connection Closed", - "rsa.internal.messageid": "537", - "rsa.misc.action": [ - "Connection Closed" - ], - "rsa.time.event_time": "2007-01-03T16:48:07.000Z", - "service.type": 
"sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2007-01-03T16:48:08.000Z", - "event.action": "Connection Closed", - "event.code": "537", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:08\" fw=89.160.20.156 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567997 src=192.168.5.56:4277:LAN dst=192.168.1.100:1026:WAN proto=tcp/1026 sent=3590 rcvd=13042 vpnpolicy=\"name\"", - "fileset.name": "firewall", - "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 885, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.event_desc": "Connection Closed", - "rsa.internal.messageid": "537", - "rsa.misc.action": [ - "Connection Closed" - ], - "rsa.time.event_time": "2007-01-03T16:48:08.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2007-01-03T16:48:10.000Z", - "event.action": "Connection Closed", - "event.code": "537", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=89.160.20.156 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567999 src=192.168.5.56:4280:LAN dst=192.168.2.81:41850:WAN proto=tcp/41850 sent=386026 rcvd=454118 vpnpolicy=\"name\"", - "fileset.name": "firewall", - "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 1140, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.event_desc": "Connection Closed", - "rsa.internal.messageid": "537", - "rsa.misc.action": [ - "Connection Closed" - ], - "rsa.time.event_time": "2007-01-03T16:48:10.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - 
] - }, - { - "@timestamp": "2007-01-03T16:48:10.000Z", - "event.action": "Connection Closed", - "event.code": "537", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=89.160.20.156 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567999 src=89.160.20.156:500:WAN dst=2.2.2.2:500:WAN proto=udp/500 sent=344 rcvd=152", - "fileset.name": "firewall", - "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 1399, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.event_desc": "Connection Closed", - "rsa.internal.messageid": "537", - "rsa.misc.action": [ - "Connection Closed" - ], - "rsa.time.event_time": "2007-01-03T16:48:10.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2007-01-03T16:48:10.000Z", - "event.code": "98", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=89.160.20.156 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23421 src=2.2.2.2:36703:WAN dst=89.160.20.156:50000:WAN proto=tcp/50000", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 1626, - "observer.ingress.interface.name": "WAN dst=89.160.20.156:50000:WAN proto=tcp/50000", - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "2.2.2.2" - ], - "rsa.internal.event_desc": "Connection Opened", - "rsa.internal.messageid": "98", - "rsa.internal.msg": "Connection Opened", - "rsa.network.sinterface": "WAN dst=89.160.20.156:50000:WAN proto=tcp/50000", - "rsa.time.event_time": "2007-01-03T16:48:10.000Z", - "service.type": "sonicwall", - "source.ip": "2.2.2.2", - "source.port": 36703, - "tags": [ - "forwarded", - 
"sonicwall.firewall" - ] - }, - { - "@timestamp": "2007-01-03T16:48:10.000Z", - "event.action": "Administrator login denied due to bad credentials", - "event.code": "30", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=89.160.20.156 pri=1 c=32 m=30 msg=\"Administrator login denied due to bad credentials\" n=8 src=2.2.2.2:36703:WAN dst=89.160.20.156:50000:WAN", - "fileset.name": "firewall", - "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 1841, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "30", - "rsa.misc.action": [ - "Administrator login denied due to bad credentials" - ], - "rsa.time.event_time": "2007-01-03T16:48:10.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2007-01-03T16:48:11.000Z", - "event.code": "98", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:11\" fw=89.160.20.156 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23422 src=2.2.2.2:36704:WAN dst=89.160.20.156:50000:WAN proto=tcp/50000", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 2064, - "observer.ingress.interface.name": "WAN dst=89.160.20.156:50000:WAN proto=tcp/50000", - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "2.2.2.2" - ], - "rsa.internal.event_desc": "Connection Opened", - "rsa.internal.messageid": "98", - "rsa.internal.msg": "Connection Opened", - "rsa.network.sinterface": "WAN dst=89.160.20.156:50000:WAN proto=tcp/50000", - "rsa.time.event_time": "2007-01-03T16:48:11.000Z", - "service.type": "sonicwall", - "source.ip": "2.2.2.2", - "source.port": 36704, - 
"tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2007-01-03T16:48:14.000Z", - "event.code": "38", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:14\" fw=89.160.20.156 pri=5 c=256 m=38 msg=\"ICMP packet dropped\" n=22070 src=219.89.19.223:1026:WAN dst=89.160.20.156:6822:WAN type=3 code=3", - "fileset.name": "firewall", - "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 2279, - "observer.ingress.interface.name": "WAN", - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "219.89.19.223" - ], - "rsa.internal.event_desc": "ICMP packet dropped", - "rsa.internal.messageid": "38", - "rsa.network.sinterface": "WAN", - "rsa.time.event_time": "2007-01-03T16:48:14.000Z", - "service.type": "sonicwall", - "source.ip": "219.89.19.223", - "source.port": 1026, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2007-01-03T16:48:14.000Z", - "event.action": "Connection Closed", - "event.code": "537", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:14\" fw=89.160.20.156 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=568000 src=219.89.19.223:1026:WAN dst=89.160.20.156:0:WAN proto=udp/0", - "fileset.name": "firewall", - "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 2496, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.event_desc": "Connection Closed", - "rsa.internal.messageid": "537", - "rsa.misc.action": [ - "Connection Closed" - ], - "rsa.time.event_time": "2007-01-03T16:48:14.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - 
"@timestamp": "2007-01-03T16:48:15.000Z", - "event.code": "346", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=89.160.20.156 pri=6 c=16 m=346 msg=\"IKE Initiator: Start Quick Mode (Phase 2).\" n=171872 src=2.2.2.2:500 dst=89.160.20.156:500", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 2708, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "346", - "rsa.internal.msg": "IKE Initiator: Start Quick Mode (Phase 2).", - "rsa.time.event_time": "2007-01-03T16:48:15.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2007-01-03T16:48:15.000Z", - "event.code": "98", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=89.160.20.156 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23423 src=89.160.20.156:500:WAN dst=2.2.2.2:500:WAN proto=udp/500", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 2918, - "observer.ingress.interface.name": "WAN dst=2.2.2.2:500:WAN proto=udp/500", - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "89.160.20.156" - ], - "rsa.internal.event_desc": "Connection Opened", - "rsa.internal.messageid": "98", - "rsa.internal.msg": "Connection Opened", - "rsa.network.sinterface": "WAN dst=2.2.2.2:500:WAN proto=udp/500", - "rsa.time.event_time": "2007-01-03T16:48:15.000Z", - "service.type": "sonicwall", - "source.as.number": 29518, - "source.as.organization.name": "Bredband2 AB", - "source.geo.city_name": "Link\u00f6ping", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "SE", - "source.geo.country_name": "Sweden", - 
"source.geo.location.lat": 58.4167, - "source.geo.location.lon": 15.6167, - "source.geo.region_iso_code": "SE-E", - "source.geo.region_name": "\u00d6sterg\u00f6tland County", - "source.ip": "89.160.20.156", - "source.port": 500, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2007-01-03T16:48:15.000Z", - "event.code": "483", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=89.160.20.156 pri=4 c=16 m=483 msg=\"Received notify: INVALID_ID_INFO\" n=171625 src=2.2.2.2:500 dst=89.160.20.156:500", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 3127, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "483", - "rsa.time.event_time": "2007-01-03T16:48:15.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2007-01-03T16:48:15.000Z", - "event.code": "98", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "Jan 3 13:45:45 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=89.160.20.156 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23424 src=192.168.115.10:11549:WAN dst=192.168.5.10:53:LAN proto=tcp/dns", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 3327, - "observer.ingress.interface.name": "WAN dst=192.168.5.10:53:LAN proto=tcp/dns", - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "192.168.115.10" - ], - "rsa.internal.event_desc": "Connection Opened", - "rsa.internal.messageid": "98", - "rsa.internal.msg": "Connection Opened", - "rsa.network.sinterface": "WAN dst=192.168.5.10:53:LAN proto=tcp/dns", - "rsa.time.event_time": "2007-01-03T16:48:15.000Z", - "service.type": "sonicwall", - "source.ip": 
"192.168.115.10", - "source.port": 11549, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2007-01-03T16:48:17.000Z", - "event.code": "98", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "Jan 3 13:45:46 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:17\" fw=89.160.20.156 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23425 src=192.168.5.64:3182:LAN dst=192.168.1.100:445:WAN proto=tcp/445", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 3543, - "observer.ingress.interface.name": "LAN dst=192.168.1.100:445:WAN proto=tcp/445", - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "192.168.5.64" - ], - "rsa.internal.event_desc": "Connection Opened", - "rsa.internal.messageid": "98", - "rsa.internal.msg": "Connection Opened", - "rsa.network.sinterface": "LAN dst=192.168.1.100:445:WAN proto=tcp/445", - "rsa.time.event_time": "2007-01-03T16:48:17.000Z", - "service.type": "sonicwall", - "source.ip": "192.168.5.64", - "source.port": 3182, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2007-01-03T16:48:18.000Z", - "event.action": "Connection Closed", - "event.code": "537", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "Jan 3 13:45:47 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:18\" fw=89.160.20.156 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=568001 src=2.2.2.2:36699:WAN dst=89.160.20.156:50000:WAN proto=tcp/50000 sent=1557 rcvd=957", - "fileset.name": "firewall", - "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 3758, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.event_desc": "Connection Closed", - "rsa.internal.messageid": "537", - "rsa.misc.action": [ - "Connection Closed" - ], - 
"rsa.time.event_time": "2007-01-03T16:48:18.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2007-01-03T16:48:20.000Z", - "event.action": "Connection Closed", - "event.code": "537", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "Jan 3 13:45:49 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:20\" fw=89.160.20.156 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=568002 src=192.168.5.10:3417:LAN dst=192.168.1.100:53:WAN proto=udp/dns sent=401 rcvd=254 vpnpolicy=\"name\"", - "fileset.name": "firewall", - "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 3992, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.event_desc": "Connection Closed", - "rsa.internal.messageid": "537", - "rsa.misc.action": [ - "Connection Closed" - ], - "rsa.time.event_time": "2007-01-03T16:48:20.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2007-01-03T16:48:20.000Z", - "event.code": "98", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:20\" fw=89.160.20.156 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23426 src=192.168.125.75:524:WAN dst=192.168.5.10:3582:LAN proto=udp/3582", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 4241, - "observer.ingress.interface.name": "WAN dst=192.168.5.10:3582:LAN proto=udp/3582", - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "192.168.125.75" - ], - "rsa.internal.event_desc": "Connection Opened", - "rsa.internal.messageid": "98", - "rsa.internal.msg": "Connection Opened", - "rsa.network.sinterface": "WAN dst=192.168.5.10:3582:LAN proto=udp/3582", - 
"rsa.time.event_time": "2007-01-03T16:48:20.000Z", - "service.type": "sonicwall", - "source.ip": "192.168.125.75", - "source.port": 524, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2007-01-03T16:48:21.000Z", - "event.code": "98", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:21\" fw=89.160.20.156 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23427 src=192.168.6.10:28503:WAN dst=192.168.5.10:53:LAN proto=tcp/dns", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 4458, - "observer.ingress.interface.name": "WAN dst=192.168.5.10:53:LAN proto=tcp/dns", - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "192.168.6.10" - ], - "rsa.internal.event_desc": "Connection Opened", - "rsa.internal.messageid": "98", - "rsa.internal.msg": "Connection Opened", - "rsa.network.sinterface": "WAN dst=192.168.5.10:53:LAN proto=tcp/dns", - "rsa.time.event_time": "2007-01-03T16:48:21.000Z", - "service.type": "sonicwall", - "source.ip": "192.168.6.10", - "source.port": 28503, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log deleted file mode 100644 index 303aa073e77..00000000000 --- a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log +++ /dev/null 
@@ -1,100 +0,0 @@ -id=nnumqua sn=eacommod time="2016/01/29 06:09:59" fw=10.208.232.8 pri=very-high c=tur m=1197 msg="itv" sess=odoco n=ria src=10.20.234.169:1001:eth5722 dst= 10.208.15.216:4257:lo6125 note= "ntsunti Protocol:udp" npcs=ciade -idi id=pexe sn=nes time="2016/02/12 13:12:33" fw=10.254.41.82 pri=low c=Ute m=914 msg="lupt" n=dolore src=10.92.136.230:6437:eth7178:nostrud4819.mail.test dst=10.49.111.67:884:eth3598:oreetdol1714.internal.corp -id=umexe sn=estlabo time="2016/02/26 20:15:08" fw=10.186.114.123 pri=high c=olupt m=16 Web site accessed -id=alo sn=eosquir time="2016-3-12 3:17:42" fw=10.149.203.46 pri=medium c=mwritten m=1369 msg="ctetur" n=uidolorsrc=10.150.156.22:6378:eth6183dst=10.227.15.1:410:eth1977srcMac=01:00:5e:84:66:6cdstMac=01:00:5e:f7:a9:ffproto=rdp/ommfw_action="allow" -emape id=aer sn=lupt time="2016/03/26 10:20:16" fw=10.26.46.95 pri=medium c=temvel m=127 PPPoE LCP Link Up -id=consec sn=taliquip time="2016/04/09 17:22:51" fw=10.134.172.34 pri=high c=snos m=170 Received a path MTU icmp message from router/gateway -id=tconsec sn=nsequat time="2016/04/24 00:25:25" fw=10.137.246.137 pri=medium c=oluptas m=372 msg="llu" n=uptassi src=10.95.245.65 dst=10.13.70.213 -llamcorp id=ari sn=eataevit time="2016/05/08 07:27:59" fw=10.50.112.141 pri=very-high c=dmi m=176 Fraudulent Microsoft Certificate Blocked -mquisnos id=loremagn sn=iciade time="2016/05/22 14:30:33" fw=10.137.104.79 pri=medium c=mUt m=50 RealAudio decode failure -id=aali sn=ametcons time="2016/06/05 21:33:08" fw=10.244.98.230 pri=low c=iinea m=87 IKE Responder: Accepting IPSec proposal -emip id=tvol sn=moll time="2016/06/20 04:35:42" fw=10.228.149.225 pri=high c=deomni m=139 msg="accept" n=onse src=10.136.153.149:3788:enp0s2489 dst= 10.16.52.205 -orsitame id=quiratio sn=ite time="2016/07/04 11:38:16" fw=10.72.98.186 pri=very-high c=ercit m=15 Newsgroup blocked -id=usan sn=aper time="2016/07/18 18:40:50" fw=10.183.16.166 pri=low c=ender m=70 IPSec packet from illegal host -id=atquovo 
sn=iumto time="2016/08/02 01:43:25" fw=10.117.18.47 pri=low c=essecill m=129 PPPoE terminated -id=undeo sn=loremip time="2016-8-16 8:45:59" fw=10.134.0.141 pri=very-high c=uis m=1149 msg="idolore" n=onse fw_action="cancel" -id=rveli sn=rsint time="2016/08/30 15:48:33" fw=10.172.146.234 pri=very-high c=Nemoeni m=81 Smurf Amplification Attack Dropped -id=qua sn=luptatev time="2016/09/13 22:51:07" fw=10.123.104.59 pri=low c=elaudant m=1110 msg="tinvol" n=lores -id=tatiset sn=eprehen time="2016/09/28 05:53:42" fw=10.117.146.33 pri=high c=entsu m=10 Problem loading the Filter list; check Filter settings -id=aliq sn=rsitam time="2016/10/12 12:56:16" fw=10.79.33.129 pri=high c=umdolo m=353 msg="onproide" n=Nemoen src=10.241.178.107 dst=10.30.196.102 dstname=fugi4637.www.lan lifeSeconds=imadmini" -id=itecto sn=erc time="2016/10/26 19:58:50" fw=10.69.57.206 pri=high c=nsec m=68 IPSec Decryption Failed -id=tat sn=tion time="2016/11/10 03:01:24" fw=10.53.150.119 pri=medium c=uasia m=24 msg="emp" n=aperia src=10.157.161.103:383 dst=10.78.151.178:3088 note="taut" -id=tati sn=utaliqu time="2016/11/24 10:03:59" fw=10.53.187.44 pri=high c=iadese m=242 msg="imidest" n=emagnama src= 10.153.136.222 dst= 10.206.136.206:4108 -id=nidolo sn=tatn time="2016/12/08 17:06:33" fw=10.18.109.121 pri=very-high c=dolo m=87 msg="Loremip" n=idolor src=10.204.11.20 dst=10.239.201.234 -id=quip sn=mporain time="2016-12-23 12:09:07" fw=10.34.161.166 pri=very-high c=sequi m=428 msg="rehend" n=tio src=10.245.200.97:3768:eth4059 dst=10.219.116.137:3452:enp0s3611 srcMac= 01:00:5e:1a:ec:91 dstMac=01:00:5e:e1:73:47 proto=icmp fw_action="accept" -id=idex sn=xerci time="2017/01/06 07:11:41" fw=10.84.206.79 pri=high c=uipe m=401 msg="inesci" n=serror src=10.118.80.140 dst=10.252.122.195 dstname=eFinib -id=ari sn=exercit time="2017/01/20 14:14:16" fw=10.220.244.59 pri=high c=oluptate m=143 Backup firewall has transitioned to Active -id=serunt sn=aquaeabi time="2017/02/03 21:16:50" fw=10.171.157.74 pri=high 
c=emoe m=104 Retransmitting DHCP REQUEST (Verifying). -id=veniamq sn=one time="2017/02/18 04:19:24" fw=10.4.26.208 pri=very-high c=reseos m=156 Backup received heartbeat from wrong source -id=tin sn=tenima time="2017/03/04 11:21:59" fw=10.241.177.156 pri=medium c=proide m=132 PPPoE discovery process complete -id=tmollita sn=fde time="2017-3-18 6:24:33" fw=10.149.89.126 pri=high c=abo m=794 msg="veniamqu" sid=nse spycat=non spypri=paquioff pktdatId=mquisnos n=maven src=10.86.101.235:3266:lo6501 dst=10.30.153.159:6843:enp0s6487 proto=icmp/eporr fw_action="cancel" -id=aturQui sn=utlabor time="2017/04/02 01:27:07" fw=10.38.249.71 pri=low c=mfugiat m=133 PPPoE starting CHAP Authentication -id=tvolu sn=ecte time="2017/04/16 08:29:41" fw=10.130.14.60 pri=low c=iciadese m=9 No new Filter list available -olupta id=litse sn=icabo time="2017/04/30 15:32:16" fw=10.89.208.95 pri=low c=llumdolo m=255 msg="nre" n=ercitat src=10.237.163.139 dst=10.162.172.28 -ionevo id=ugiatnu sn=ciati time="2017/05/14 22:34:50" fw=10.184.122.157 pri=medium c=scivelit m=31 msg="allow" n=ehen src=10.191.23.41:1493:eth4488 dst= 10.250.47.252 -id=pta sn=tetu time="2017/05/29 05:37:24" fw=10.101.57.134 pri=low c=Nequepo m=12 Problem sending log email; check log settings -ntocc id=uteirure sn=nevo time="2017/06/12 12:39:58" fw=10.226.23.214 pri=very-high c=adip m=994 msg="tium" n=nnum usr=tenbyCi src=10.16.72.220:1842 dst=10.111.187.12:3577 note="quinesc" -id=tur sn=roi time="2017/06/26 19:42:33" fw=10.106.31.86 pri=low c=sno m=7 Log full; deactivating SonicWALL -ntocca id=ostru sn=ntoccae time="2017/07/11 02:45:07" fw=10.35.99.92 pri=medium c=iatisu m=866 msg="sec" sess=cons n=sBon -id=ten sn=vita time="2017/07/25 09:47:41" fw=10.35.5.16 pri=high c=emaccusa m=538 msg="accept" n=qui src=10.143.76.137:1414:lo3470 dst= 10.131.61.13 -id=evolu sn=ersp time="2017/08/08 16:50:15" fw=10.64.221.30 pri=medium c=inven m=793 msg="osquira" af_polid=tes af_policy="mquame" af_type="nihilmol" af_service="xercita" 
af_action="trud" n=eriti src=10.99.0.226:2984:eth1766:sequatu341.mail.invalid dst=10.77.129.130:6604:enp0s4138:Nemoenim2039.api.localhost -id=nbyCic sn=utlabor time="2017/08/22 23:52:50" fw=10.27.251.77 pri=medium c=ine m=905 msg="lup" n=tatemUt -id=quovol sn=nve time="2017/09/06 06:55:24" fw=10.104.201.10 pri=very-high c=ccaecat m=94 Diagnostic Code B -tau id=exercita sn=ris time="2017/09/20 13:57:58" fw=10.84.25.23 pri=high c=boree m=565 msg="intoc" n=ncidi -irat id=onev sn=aturauto time="2017/10/04 21:00:32" fw=10.218.243.47 pri=very-high c=oremi m=37 UDP packet dropped -id=temUt sn=olor time="2017/10/19 04:03:07" fw=10.19.10.148 pri=low c=niamqui m=4 SonicWALL activated -id=ess sn=ipisci time="2017/11/02 11:05:41" fw=10.113.95.59 pri=very-high c=reprehen m=156 Backup received heartbeat from wrong source -luptate id=persp sn=entsunt time="2017/11/16 18:08:15" fw=10.206.107.211 pri=low c=fugi m=140 msg="accept" n=inci src=10.230.173.4:2631:enp0s5632 dst= 10.192.27.157 -id=cusant sn=atemq time="2017/12/01 01:10:49" fw=10.136.31.188 pri=high c=borios m=118 Sending DHCP REQUEST (Verifying). 
-id=ercita sn=ciadeser time="2017/12/15 08:13:24" fw=10.175.236.135 pri=medium c=isnisi m=18 ActiveX blocked -id=isiuta sn=orsitam time="2017/12/29 15:15:58" fw=10.159.119.34 pri=high c=psaquaea m=195 msg="taevita" n=ameiusm src=10.227.15.253 dst=10.190.175.158 sport=271 dport=7005 rcvd=6587 -id=nre sn=veli time="2018/01/12 22:18:32" fw=10.62.147.186 pri=low c=elitse m=22 Ping of death blocked -id=quasia sn=adi time="2018/01/27 05:21:06" fw=10.9.12.248 pri=medium c=mac m=616 msg="block" n=aveni src=10.29.155.171:1871 dst=10.15.97.155:5935 -id=llamco sn=nea time="2018/02/10 12:23:41" fw=10.123.143.188 pri=medium c=orsit m=9 No new Filter list available -id=ise sn=itau time="2018/02/24 19:26:15" fw=10.44.22.97 pri=very-high c=lorsita m=907 msg="dolore" n=uptate -id=odi sn=ptass time="2018/03/11 02:28:49" fw=10.39.10.155 pri=low c=tametcon m=157 HA packet processing error -id=aco sn=tio time="2018/03/25 09:31:24" fw=10.112.38.219 pri=high c=dantium m=261 msg="lor" n=velillu usr=cteturad src= 10.18.204.87 dst= 10.25.32.107 -id=utodita sn=aec time="2018-4-8 4:33:58" fw=10.21.89.175 pri=medium c=diconse m=428 msg="elitse" n=reseo src=10.71.238.250:41:lo3856 dst=10.246.0.167:2189:eth2632 srcMac= 01:00:5e:7c:42:0b dstMac=01:00:5e:2c:22:06 proto=icmp fw_action="block" -id=ritin sn=temporin time="2018-4-22 11:36:32" fw=10.122.76.148 pri=high c=tdol m=794 msg="upt" sid=mex spycat=tatem spypri=untutlab pktdatId=amcor n=ica src=10.13.66.97:2000:enp0s5411 dst=10.176.209.227:6362:eth7037 proto=ipv6/siu fw_action="allow" -id=quaea sn=ametcons time="2018/05/07 06:39:06" fw=10.74.46.22 pri=very-high c=tetur m=7 Log full; deactivating SonicWALL -id=ariatur sn=rer time="2018/05/21 13:41:41" fw=10.210.243.175 pri=low c=atisetqu m=240 msg="issuscip" n=uisa src=10.240.49.224 dst=10.77.174.205 -id=luptatem sn=uaeratv time="2018/06/04 20:44:15" fw=10.240.190.136 pri=medium c=atcupid m=255 msg="quamnih" n=dminima src=10.44.150.31 dst=10.187.210.173 -id=ntutlabo sn=iusmodte time="2018-6-19 
3:46:49" fw=10.108.84.24 pri=low c=iosamnis m=606 msg="volupt" n=rem src=10.113.100.237:3887:eth163 dst=10.251.248.228:6909 srcMac= 01:00:5e:8b:c1:b4 dstMac=01:00:5e:c3:ed:55proto=udp fw_action="deny" -id=emvele sn=isnost time="2018/07/03 10:49:23" fw=10.71.112.159 pri=medium c=emqu m=28 Fragmented Packet Dropped -sit id=rumSect sn=ita time="2018/07/17 17:51:58" fw=10.139.65.241 pri=low c=teni m=61 Diagnostic Code E -oremag id=illu sn=ruredo time="2018/08/01 00:54:32" fw=10.72.196.74 pri=very-high c=ptassita m=906 msg="its" n=lore -sBono id=loremqu sn=tetur time="2018/08/15 07:57:06" fw=10.213.94.135 pri=very-high c=urmagn m=237 msg="block" n=uptat src=10.105.46.101:3346:enp0s382 dst= 10.50.44.5:7668:lo1441 -id=ddoeius sn=ugiatn time="2018/08/29 14:59:40" fw=10.50.102.128 pri=high c=abore m=328 msg="squ" n=uiadol src=10.60.142.127:1081:eth6291 dst= 10.52.248.251:5776:lo2241 -id=onu sn=liquaUte time="2018/09/12 22:02:15" fw=10.137.202.243 pri=high c=tempor m=134 PPPoE starting PAP Authentication -id=mveniamq sn=taedict time="2018-9-27 5:04:49" fw=10.206.69.135 pri=high c=aturve m=880 msg="utfug" n=aturQu note="aaliq" fw_action="allow" -id=uiinea sn=mnisiut time="2018/10/11 12:07:23" fw=10.208.228.129 pri=low c=olup m=441 msg="labor" n=dol src= 10.240.54.28 dst= 10.115.38.80 -id=mve sn=uia time="2018/10/25 19:09:57" fw=10.92.237.93 pri=high c=nsequunt m=163 Disconnecting PPPoE due to traffic timeout -id=doei sn=cipitl time="2018/11/09 02:12:32" fw=10.53.127.17 pri=very-high c=strumex m=252 msg="eprehend" n=asnu src=10.102.166.19 dst=10.104.49.142 -id=repreh sn=plic time="2018/11/23 09:15:06" fw=10.17.87.79 pri=high c=saq m=199 msg="block" n=ritqu src=10.203.77.154:3916:lo4991 dst= 10.120.25.169:1965:lo4527 -ipsa id=asuntexp sn=adminim time="2018/12/07 16:17:40" fw=10.115.115.26 pri=high c=modoc m=88 IKE Responder: IPSec proposal not acceptable -id=iumt sn=tsed time="2018/12/21 23:20:14" fw=10.249.120.78 pri=medium c=atuse m=34 Login screen timed out -id=loremag 
sn=tcu time="2019/01/05 06:22:49" fw=10.84.251.253 pri=high c=erspi m=195 msg="rorsit" n=tionemu src=10.77.95.12 dst=10.137.217.159 sport=2310 dport=563 rcvd=1629 -elillum id=upt sn=rnat time="2019/01/19 13:25:23" fw=10.1.96.93 pri=high c=edolo m=48 Out-of-order command packet dropped -doeiu id=deF sn=itempo time="2019/02/02 20:27:57" fw=10.200.237.196 pri=medium c=ecillum m=995 msg="isci" n=dolor src=10.165.48.224:5386 dst=10.191.242.168:5251 note="equep" -BCS id=qui sn=ugiatquo time="2019/02/17 03:30:32" fw=10.204.133.116 pri=medium c=autemv m=909 msg="emq" n=plicaboN -id=vol sn=admi time="2019/03/03 10:33:06" fw=10.77.229.168 pri=high c=aquiof m=178 msg="ende" n=abor src=10.185.37.32:708 dst=10.116.173.79:7693 -id=olorem sn=gitse time="2019/03/17 17:35:40" fw=10.245.127.213 pri=very-high c=billoinv m=995 msg="sci" n=col src=10.219.42.212:5708 dst=10.57.85.98:3286 note="mquisno" -id=nisiu sn=imad time="2019/04/01 00:38:14" fw=10.30.101.79 pri=high c=tenimad m=97 n=sitametc src= 10.152.35.175:2737:enp0s3423 dst= 10.88.244.209:6953:enp0s2460 proto=ipv6-icmp op=caecat sent=5835 dstname=tquidol -undeom id=emullamc sn=tec time="2019/04/15 07:40:49" fw=10.29.118.7 pri=medium c=mveleum m=537 msg="accept" f=exercita n=sBonorum src= 10.132.171.15 dst= 10.107.216.138:3147:lo5057:ugitsedq5067.internal.test proto=rdp sent=5943 rcvd=1635 -id=gna sn=isiutali time="2019/04/29 14:43:23" fw=10.156.152.182 pri=very-high c=ons m=137 Wan IP Changed -id=uaturve sn=amquisno time="2019/05/13 21:45:57" fw=10.123.74.66 pri=very-high c=mquiad m=351 msg="CSe" n=lors src=10.135.70.159 dst=10.195.223.82 -id=atu sn=iusm time="2019/05/28 04:48:31" fw=10.20.81.176 pri=low c=stquido m=261 msg="rsitvolu" n=mnisi usr=usmo src=10.22.244.71:1865:eth3249 dst= 10.142.120.198 -id=oin sn=itseddoe time="2019/06/11 11:51:06" fw=10.141.143.56 pri=low c=erc m=125 Unused AV log entry. -id=giatquov sn=olu time="2019/06/25 18:53:40" fw=10.137.103.62 pri=medium c=serror m=105 Sending DHCP DISCOVER. 
-emagn id=emulla sn=mips time="2019/07/10 01:56:14" fw=10.201.146.83 pri=very-high c=atnula m=34 Login screen timed out -id=itametc sn=ori time="2019/07/24 08:58:48" fw=10.202.74.93 pri=low c=ido m=144 Primary firewall has transitioned to Idle -id=doconse sn=etdol time="2019/08/07 16:01:23" fw=10.156.88.51 pri=high c=tura m=658 msg="osquirat" n=equat src=10.56.10.84:5366 dst=10.12.54.142:6543 -id=min sn=oluptat time="2019/08/21 23:03:57" fw=10.162.129.196 pri=medium c=snisi m=195 msg="magnaal" n=uscip src=10.222.169.140 dst=10.117.63.181 sport=5299 dport=6863 rcvd=7416 -id=eacommo sn=ueip time="2019/09/05 06:06:31" fw=10.243.252.157 pri=low c=minim m=867 msg="scipi" sess=tur n=acon -usm id=labori sn=porai time="2019/09/19 13:09:05" fw=10.73.176.98 pri=high c=ostr m=60 Access to Proxy Server Blocked -id=lup sn=upta time="2019-10-3 8:11:40" fw=10.247.88.138 pri=very-high c=orissu m=794 msg="fic" sid=sBon spycat=usmod spypri=umdol pktdatId=rumexerc n=isiutali src=10.57.255.4:239:lo1325 dst=10.200.122.184:1176:eth5397 proto=rdp/amvo fw_action="allow" -id=mmod sn=iti time="2019/10/18 03:14:14" fw=10.55.81.14 pri=medium c=asp m=19 Java blocked -id=mag sn=gelitse time="2019/11/01 10:16:48" fw=10.195.58.44 pri=high c=radip m=413 msg="upta" n=tetura src=10.206.229.61:3467 dst=10.129.101.147:3606 -id=nostrud sn=cteturad time="2019/11/15 17:19:22" fw=10.150.163.151 pri=high c=veniam m=159 Diagnostic Code F -id=imavenia sn=expli time="2019/11/30 00:21:57" fw=10.144.57.239 pri=medium c=rur m=520 msg="itse" n=ilm src=10.167.9.200:4003:lo5561 dst= 10.119.4.120:3822:enp0s234 -oluptate id=lit sn=santi time="2019/12/14 07:24:31" fw=10.211.112.194 pri=low c=uis m=1079 msg="Clientamcis assigned IP:10.221.220.148" n=apar diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json deleted file mode 100644 index ae681e881ef..00000000000 
--- a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json +++ /dev/null 
@@ -1,2712 +0,0 @@ -[ - { - "@timestamp": "2016-01-29T08:09:59.000Z", - "destination.ip": "10.208.15.216", - "destination.port": 4257, - "event.code": "1197", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=nnumqua sn=eacommod time=\"2016/01/29 06:09:59\" fw=10.208.232.8 pri=very-high c=tur m=1197 msg=\"itv\" sess=odoco n=ria src=10.20.234.169:1001:eth5722 dst= 10.208.15.216:4257:lo6125 note= \"ntsunti Protocol:udp\" npcs=ciade", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 0, - "network.protocol": "udp", - "observer.egress.interface.name": "lo6125", - "observer.ingress.interface.name": "eth5722", - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.20.234.169", - "10.208.15.216" - ], - "rsa.db.index": "ciade", - "rsa.internal.messageid": "1197", - "rsa.internal.msg": "itv", - "rsa.network.dinterface": "lo6125", - "rsa.network.sinterface": "eth5722", - "rsa.time.date": "2016/01/29", - "rsa.time.event_time": "2016-01-29T08:09:59.000Z", - "service.type": "sonicwall", - "source.ip": "10.20.234.169", - "source.port": 1001, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2016-02-12T15:12:33.000Z", - "destination.nat.ip": "10.49.111.67", - "destination.nat.port": 884, - "event.code": "914", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "idi id=pexe sn=nes time=\"2016/02/12 13:12:33\" fw=10.254.41.82 pri=low c=Ute m=914 msg=\"lupt\" n=dolore src=10.92.136.230:6437:eth7178:nostrud4819.mail.test dst=10.49.111.67:884:eth3598:oreetdol1714.internal.corp", - "fileset.name": "firewall", - "host.hostname": "oreetdol1714.internal.corp", - "host.name": "nostrud4819.mail.test", - "input.type": "log", - "log.offset": 222, - "observer.egress.interface.name": "eth3598", - "observer.ingress.interface.name": "eth7178", - "observer.product": "Firewalls", - 
"observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.hosts": [ - "nostrud4819.mail.test", - "oreetdol1714.internal.corp" - ], - "related.ip": [ - "10.49.111.67", - "10.92.136.230" - ], - "rsa.internal.messageid": "914", - "rsa.internal.msg": "lupt", - "rsa.network.dinterface": "eth3598", - "rsa.network.sinterface": "eth7178", - "rsa.time.event_time": "2016-02-12T15:12:33.000Z", - "service.type": "sonicwall", - "source.address": "oreetdol1714.internal.corp", - "source.nat.ip": "10.92.136.230", - "source.nat.port": 6437, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2016-02-26T22:15:08.000Z", - "event.code": "16", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=umexe sn=estlabo time=\"2016/02/26 20:15:08\" fw=10.186.114.123 pri=high c=olupt m=16 Web site accessed", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 433, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "16", - "rsa.time.date": "2016/02/26", - "rsa.time.event_time": "2016-02-26T22:15:08.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2016-03-12T05:17:42.000Z", - "destination.ip": "10.227.15.1", - "destination.mac": "01:00:5e:f7:a9:ff", - "destination.port": 410, - "event.action": "allow", - "event.code": "alo", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=alo sn=eosquir time=\"2016-3-12 3:17:42\" fw=10.149.203.46 pri=medium c=mwritten m=1369 msg=\"ctetur\" n=uidolorsrc=10.150.156.22:6378:eth6183dst=10.227.15.1:410:eth1977srcMac=01:00:5e:84:66:6cdstMac=01:00:5e:f7:a9:ffproto=rdp/ommfw_action=\"allow\"", - "fileset.name": "firewall", - "host.ip": "10.149.203.46", - "input.type": "log", - "log.level": "medium", - "log.offset": 538, - "network.protocol": "rdp", - 
"observer.egress.interface.name": "eth1977", - "observer.ingress.interface.name": "eth6183", - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.149.203.46", - "10.150.156.22", - "10.227.15.1" - ], - "rsa.internal.event_desc": "ctetur", - "rsa.internal.messageid": "1369", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "mwritten", - "rsa.misc.reference_id": "alo", - "rsa.misc.serial_number": "eosquir", - "rsa.misc.severity": "medium", - "rsa.network.dinterface": "eth1977", - "rsa.network.sinterface": "eth6183", - "rsa.time.date": "2016-3-12", - "rsa.time.event_time": "2016-03-12T05:17:42.000Z", - "service.type": "sonicwall", - "source.ip": "10.150.156.22", - "source.mac": "01:00:5e:84:66:6c", - "source.port": 6378, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2016-03-26T12:20:16.000Z", - "event.code": "127", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "emape id=aer sn=lupt time=\"2016/03/26 10:20:16\" fw=10.26.46.95 pri=medium c=temvel m=127 PPPoE LCP Link Up", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 785, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "127", - "rsa.time.event_time": "2016-03-26T12:20:16.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2016-04-09T19:22:51.000Z", - "event.code": "170", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=consec sn=taliquip time=\"2016/04/09 17:22:51\" fw=10.134.172.34 pri=high c=snos m=170 Received a path MTU icmp message from router/gateway", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 892, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - 
"rsa.internal.messageid": "170", - "rsa.time.date": "2016/04/09", - "rsa.time.event_time": "2016-04-09T19:22:51.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2016-04-24T02:25:25.000Z", - "destination.ip": "10.13.70.213", - "event.code": "372", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=tconsec sn=nsequat time=\"2016/04/24 00:25:25\" fw=10.137.246.137 pri=medium c=oluptas m=372 msg=\"llu\" n=uptassi src=10.95.245.65 dst=10.13.70.213", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 1033, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.13.70.213", - "10.95.245.65" - ], - "rsa.internal.messageid": "372", - "rsa.internal.msg": "llu", - "rsa.time.date": "2016/04/24", - "rsa.time.event_time": "2016-04-24T02:25:25.000Z", - "service.type": "sonicwall", - "source.ip": "10.95.245.65", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2016-05-08T09:27:59.000Z", - "event.code": "176", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "llamcorp id=ari sn=eataevit time=\"2016/05/08 07:27:59\" fw=10.50.112.141 pri=very-high c=dmi m=176 Fraudulent Microsoft Certificate Blocked", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 1181, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "176", - "rsa.time.event_time": "2016-05-08T09:27:59.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2016-05-22T16:30:33.000Z", - "event.code": "50", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "mquisnos id=loremagn sn=iciade time=\"2016/05/22 14:30:33\" fw=10.137.104.79 pri=medium c=mUt m=50 RealAudio 
decode failure", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 1320, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "50", - "rsa.time.event_time": "2016-05-22T16:30:33.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2016-06-05T23:33:08.000Z", - "event.code": "87", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=aali sn=ametcons time=\"2016/06/05 21:33:08\" fw=10.244.98.230 pri=low c=iinea m=87 IKE Responder: Accepting IPSec proposal", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 1442, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "87", - "rsa.time.date": "2016/06/05", - "rsa.time.event_time": "2016-06-05T23:33:08.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2016-06-20T06:35:42.000Z", - "destination.ip": "10.16.52.205", - "event.action": "accept", - "event.code": "139", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "emip id=tvol sn=moll time=\"2016/06/20 04:35:42\" fw=10.228.149.225 pri=high c=deomni m=139 msg=\"accept\" n=onse src=10.136.153.149:3788:enp0s2489 dst= 10.16.52.205", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 1567, - "observer.ingress.interface.name": "enp0s2489", - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.136.153.149", - "10.16.52.205" - ], - "rsa.internal.messageid": "139", - "rsa.misc.action": [ - "accept" - ], - "rsa.network.sinterface": "enp0s2489", - "rsa.time.event_time": "2016-06-20T06:35:42.000Z", - "service.type": "sonicwall", - "source.ip": "10.136.153.149", - "source.port": 3788, - "tags": [ - 
"forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2016-07-04T13:38:16.000Z", - "event.code": "15", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "orsitame id=quiratio sn=ite time=\"2016/07/04 11:38:16\" fw=10.72.98.186 pri=very-high c=ercit m=15 Newsgroup blocked", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 1729, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "15", - "rsa.time.event_time": "2016-07-04T13:38:16.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2016-07-18T20:40:50.000Z", - "event.code": "70", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=usan sn=aper time=\"2016/07/18 18:40:50\" fw=10.183.16.166 pri=low c=ender m=70 IPSec packet from illegal host", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 1845, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "70", - "rsa.time.date": "2016/07/18", - "rsa.time.event_time": "2016-07-18T20:40:50.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2016-08-02T03:43:25.000Z", - "event.code": "129", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=atquovo sn=iumto time=\"2016/08/02 01:43:25\" fw=10.117.18.47 pri=low c=essecill m=129 PPPoE terminated", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 1957, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "129", - "rsa.time.date": "2016/08/02", - "rsa.time.event_time": "2016-08-02T03:43:25.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - 
}, - { - "@timestamp": "2016-08-16T10:45:59.000Z", - "event.action": "cancel", - "event.code": "1149", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=undeo sn=loremip time=\"2016-8-16 8:45:59\" fw=10.134.0.141 pri=very-high c=uis m=1149 msg=\"idolore\" n=onse fw_action=\"cancel\"", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 2062, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.event_desc": "idolore", - "rsa.internal.messageid": "1149", - "rsa.misc.action": [ - "cancel" - ], - "rsa.time.date": "2016-8-16", - "rsa.time.event_time": "2016-08-16T10:45:59.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2016-08-30T17:48:33.000Z", - "event.code": "81", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=rveli sn=rsint time=\"2016/08/30 15:48:33\" fw=10.172.146.234 pri=very-high c=Nemoeni m=81 Smurf Amplification Attack Dropped", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 2190, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "81", - "rsa.time.date": "2016/08/30", - "rsa.time.event_time": "2016-08-30T17:48:33.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2016-09-14T00:51:07.000Z", - "event.code": "1110", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=qua sn=luptatev time=\"2016/09/13 22:51:07\" fw=10.123.104.59 pri=low c=elaudant m=1110 msg=\"tinvol\" n=lores", - "fileset.name": "firewall", - "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 2317, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - 
"rsa.internal.messageid": "1110", - "rsa.time.date": "2016/09/13", - "rsa.time.event_time": "2016-09-14T00:51:07.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2016-09-28T07:53:42.000Z", - "event.code": "10", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=tatiset sn=eprehen time=\"2016/09/28 05:53:42\" fw=10.117.146.33 pri=high c=entsu m=10 Problem loading the Filter list; check Filter settings", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 2427, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "10", - "rsa.time.date": "2016/09/28", - "rsa.time.event_time": "2016-09-28T07:53:42.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2016-10-12T14:56:16.000Z", - "destination.nat.ip": "10.30.196.102", - "event.code": "353", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=aliq sn=rsitam time=\"2016/10/12 12:56:16\" fw=10.79.33.129 pri=high c=umdolo m=353 msg=\"onproide\" n=Nemoen src=10.241.178.107 dst=10.30.196.102 dstname=fugi4637.www.lan lifeSeconds=imadmini\"", - "fileset.name": "firewall", - "host.hostname": "fugi4637.www.lan", - "input.type": "log", - "log.offset": 2570, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.hosts": [ - "fugi4637.www.lan" - ], - "related.ip": [ - "10.241.178.107", - "10.30.196.102" - ], - "rsa.internal.messageid": "353", - "rsa.internal.msg": "onproide", - "rsa.misc.misc": "imadmini", - "rsa.misc.ntype": "Nemoen", - "rsa.time.date": "2016/10/12", - "rsa.time.event_time": "2016-10-12T14:56:16.000Z", - "service.type": "sonicwall", - "source.address": "fugi4637.www.lan", - "source.nat.ip": "10.241.178.107", - "tags": [ - "forwarded", - 
"sonicwall.firewall" - ] - }, - { - "@timestamp": "2016-10-26T21:58:50.000Z", - "event.code": "68", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=itecto sn=erc time=\"2016/10/26 19:58:50\" fw=10.69.57.206 pri=high c=nsec m=68 IPSec Decryption Failed", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 2763, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "68", - "rsa.time.date": "2016/10/26", - "rsa.time.event_time": "2016-10-26T21:58:50.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2016-11-10T05:01:24.000Z", - "destination.nat.ip": "10.78.151.178", - "destination.nat.port": 3088, - "event.code": "24", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=tat sn=tion time=\"2016/11/10 03:01:24\" fw=10.53.150.119 pri=medium c=uasia m=24 msg=\"emp\" n=aperia src=10.157.161.103:383 dst=10.78.151.178:3088 note=\"taut\"", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 2868, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.157.161.103", - "10.78.151.178" - ], - "rsa.internal.event_desc": "taut", - "rsa.internal.messageid": "24", - "rsa.internal.msg": "emp", - "rsa.time.date": "2016/11/10", - "rsa.time.event_time": "2016-11-10T05:01:24.000Z", - "service.type": "sonicwall", - "source.nat.ip": "10.157.161.103", - "source.nat.port": 383, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2016-11-24T12:03:59.000Z", - "destination.ip": "10.206.136.206", - "destination.port": 4108, - "event.code": "242", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=tati sn=utaliqu time=\"2016/11/24 10:03:59\" fw=10.53.187.44 pri=high c=iadese m=242 msg=\"imidest\" 
n=emagnama src= 10.153.136.222 dst= 10.206.136.206:4108", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 3028, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.153.136.222", - "10.206.136.206" - ], - "rsa.internal.messageid": "242", - "rsa.internal.msg": "imidest", - "rsa.time.date": "2016/11/24", - "rsa.time.event_time": "2016-11-24T12:03:59.000Z", - "service.type": "sonicwall", - "source.ip": "10.153.136.222", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2016-12-08T19:06:33.000Z", - "destination.ip": "10.239.201.234", - "event.code": "87", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=nidolo sn=tatn time=\"2016/12/08 17:06:33\" fw=10.18.109.121 pri=very-high c=dolo m=87 msg=\"Loremip\" n=idolor src=10.204.11.20 dst=10.239.201.234", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 3184, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.204.11.20", - "10.239.201.234" - ], - "rsa.internal.messageid": "87", - "rsa.internal.msg": "Loremip", - "rsa.time.date": "2016/12/08", - "rsa.time.event_time": "2016-12-08T19:06:33.000Z", - "service.type": "sonicwall", - "source.ip": "10.204.11.20", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2016-12-23T14:09:07.000Z", - "destination.ip": "10.219.116.137", - "destination.mac": "01:00:5e:e1:73:47", - "destination.port": 3452, - "event.action": "accept", - "event.code": "quip", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=quip sn=mporain time=\"2016-12-23 12:09:07\" fw=10.34.161.166 pri=very-high c=sequi m=428 msg=\"rehend\" n=tio src=10.245.200.97:3768:eth4059 dst=10.219.116.137:3452:enp0s3611 srcMac= 01:00:5e:1a:ec:91 dstMac=01:00:5e:e1:73:47 proto=icmp fw_action=\"accept\"", 
- "fileset.name": "firewall", - "host.ip": "10.34.161.166", - "input.type": "log", - "log.level": "very-high", - "log.offset": 3331, - "network.protocol": "icmp", - "observer.egress.interface.name": "enp0s3611", - "observer.ingress.interface.name": "eth4059", - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.219.116.137", - "10.245.200.97", - "10.34.161.166" - ], - "rsa.internal.event_desc": "rehend", - "rsa.internal.messageid": "428", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "sequi", - "rsa.misc.reference_id": "quip", - "rsa.misc.serial_number": "mporain", - "rsa.misc.severity": "very-high", - "rsa.network.dinterface": "enp0s3611", - "rsa.network.sinterface": "eth4059", - "rsa.time.date": "2016-12-23", - "rsa.time.event_time": "2016-12-23T14:09:07.000Z", - "service.type": "sonicwall", - "source.ip": "10.245.200.97", - "source.mac": "01:00:5e:1a:ec:91", - "source.port": 3768, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2017-01-06T09:11:41.000Z", - "destination.ip": "10.252.122.195", - "event.code": "401", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=idex sn=xerci time=\"2017/01/06 07:11:41\" fw=10.84.206.79 pri=high c=uipe m=401 msg=\"inesci\" n=serror src=10.118.80.140 dst=10.252.122.195 dstname=eFinib", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 3587, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.118.80.140", - "10.252.122.195" - ], - "rsa.internal.messageid": "401", - "rsa.internal.msg": "inesci", - "rsa.misc.name": "eFinib", - "rsa.time.date": "2017/01/06", - "rsa.time.event_time": "2017-01-06T09:11:41.000Z", - "service.type": "sonicwall", - "source.ip": "10.118.80.140", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2017-01-20T16:14:16.000Z", - 
"event.code": "143", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=ari sn=exercit time=\"2017/01/20 14:14:16\" fw=10.220.244.59 pri=high c=oluptate m=143 Backup firewall has transitioned to Active", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 3743, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "143", - "rsa.time.date": "2017/01/20", - "rsa.time.event_time": "2017-01-20T16:14:16.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2017-02-03T23:16:50.000Z", - "event.code": "104", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=serunt sn=aquaeabi time=\"2017/02/03 21:16:50\" fw=10.171.157.74 pri=high c=emoe m=104 Retransmitting DHCP REQUEST (Verifying).", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 3874, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "104", - "rsa.time.date": "2017/02/03", - "rsa.time.event_time": "2017-02-03T23:16:50.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2017-02-18T06:19:24.000Z", - "event.code": "156", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=veniamq sn=one time=\"2017/02/18 04:19:24\" fw=10.4.26.208 pri=very-high c=reseos m=156 Backup received heartbeat from wrong source", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 4003, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "156", - "rsa.time.date": "2017/02/18", - "rsa.time.event_time": "2017-02-18T06:19:24.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] 
- }, - { - "@timestamp": "2017-03-04T13:21:59.000Z", - "event.code": "132", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=tin sn=tenima time=\"2017/03/04 11:21:59\" fw=10.241.177.156 pri=medium c=proide m=132 PPPoE discovery process complete", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 4136, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "132", - "rsa.time.date": "2017/03/04", - "rsa.time.event_time": "2017-03-04T13:21:59.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2017-03-18T08:24:33.000Z", - "destination.ip": "10.30.153.159", - "destination.port": 6843, - "event.action": "cancel", - "event.code": "794", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=tmollita sn=fde time=\"2017-3-18 6:24:33\" fw=10.149.89.126 pri=high c=abo m=794 msg=\"veniamqu\" sid=nse spycat=non spypri=paquioff pktdatId=mquisnos n=maven src=10.86.101.235:3266:lo6501 dst=10.30.153.159:6843:enp0s6487 proto=icmp/eporr fw_action=\"cancel\"", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 4257, - "network.protocol": "icmp", - "observer.egress.interface.name": "enp0s6487", - "observer.ingress.interface.name": "lo6501", - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.30.153.159", - "10.86.101.235" - ], - "rsa.identity.user_sid_dst": "nse", - "rsa.internal.event_desc": "veniamqu", - "rsa.internal.messageid": "794", - "rsa.misc.action": [ - "cancel" - ], - "rsa.network.dinterface": "enp0s6487", - "rsa.network.sinterface": "lo6501", - "rsa.time.date": "2017-3-18", - "rsa.time.event_time": "2017-03-18T08:24:33.000Z", - "service.type": "sonicwall", - "source.ip": "10.86.101.235", - "source.port": 3266, - "tags": [ - "forwarded", - 
"sonicwall.firewall" - ] - }, - { - "@timestamp": "2017-04-02T03:27:07.000Z", - "event.code": "133", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=aturQui sn=utlabor time=\"2017/04/02 01:27:07\" fw=10.38.249.71 pri=low c=mfugiat m=133 PPPoE starting CHAP Authentication", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 4514, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "133", - "rsa.time.date": "2017/04/02", - "rsa.time.event_time": "2017-04-02T03:27:07.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2017-04-16T10:29:41.000Z", - "event.code": "9", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=tvolu sn=ecte time=\"2017/04/16 08:29:41\" fw=10.130.14.60 pri=low c=iciadese m=9 No new Filter list available", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 4638, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "9", - "rsa.time.date": "2017/04/16", - "rsa.time.event_time": "2017-04-16T10:29:41.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2017-04-30T17:32:16.000Z", - "destination.ip": "10.162.172.28", - "event.code": "255", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "olupta id=litse sn=icabo time=\"2017/04/30 15:32:16\" fw=10.89.208.95 pri=low c=llumdolo m=255 msg=\"nre\" n=ercitat src=10.237.163.139 dst=10.162.172.28", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 4750, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.162.172.28", - "10.237.163.139" - ], - "rsa.internal.messageid": "255", - 
"rsa.internal.msg": "nre", - "rsa.time.event_time": "2017-04-30T17:32:16.000Z", - "service.type": "sonicwall", - "source.ip": "10.237.163.139", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2017-05-15T00:34:50.000Z", - "event.action": "allow", - "event.code": "31", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "ionevo id=ugiatnu sn=ciati time=\"2017/05/14 22:34:50\" fw=10.184.122.157 pri=medium c=scivelit m=31 msg=\"allow\" n=ehen src=10.191.23.41:1493:eth4488 dst= 10.250.47.252 ", - "fileset.name": "firewall", - "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 4900, - "observer.ingress.interface.name": "eth4488", - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.191.23.41" - ], - "rsa.internal.messageid": "31", - "rsa.misc.action": [ - "allow" - ], - "rsa.network.sinterface": "eth4488", - "rsa.time.event_time": "2017-05-15T00:34:50.000Z", - "service.type": "sonicwall", - "source.ip": "10.191.23.41", - "source.port": 1493, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2017-05-29T07:37:24.000Z", - "event.code": "12", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=pta sn=tetu time=\"2017/05/29 05:37:24\" fw=10.101.57.134 pri=low c=Nequepo m=12 Problem sending log email; check log settings", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 5068, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "12", - "rsa.time.date": "2017/05/29", - "rsa.time.event_time": "2017-05-29T07:37:24.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2017-06-12T14:39:58.000Z", - "destination.nat.ip": "10.111.187.12", - "destination.nat.port": 3577, - 
"event.code": "994", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "ntocc id=uteirure sn=nevo time=\"2017/06/12 12:39:58\" fw=10.226.23.214 pri=very-high c=adip m=994 msg=\"tium\" n=nnum usr=tenbyCi src=10.16.72.220:1842 dst=10.111.187.12:3577 note=\"quinesc\"", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 5196, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.111.187.12", - "10.16.72.220" - ], - "related.user": [ - "tenbyCi" - ], - "rsa.internal.event_desc": "quinesc", - "rsa.internal.messageid": "994", - "rsa.internal.msg": "tium", - "rsa.time.event_time": "2017-06-12T14:39:58.000Z", - "service.type": "sonicwall", - "source.nat.ip": "10.16.72.220", - "source.nat.port": 1842, - "tags": [ - "forwarded", - "sonicwall.firewall" - ], - "user.name": "tenbyCi" - }, - { - "@timestamp": "2017-06-26T21:42:33.000Z", - "event.code": "7", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=tur sn=roi time=\"2017/06/26 19:42:33\" fw=10.106.31.86 pri=low c=sno m=7 Log full; deactivating SonicWALL", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 5383, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "7", - "rsa.time.date": "2017/06/26", - "rsa.time.event_time": "2017-06-26T21:42:33.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2017-07-11T04:45:07.000Z", - "event.code": "866", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "ntocca id=ostru sn=ntoccae time=\"2017/07/11 02:45:07\" fw=10.35.99.92 pri=medium c=iatisu m=866 msg=\"sec\" sess=cons n=sBon", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 5491, - "observer.product": "Firewalls", - "observer.type": 
"Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "866", - "rsa.internal.msg": "sec", - "rsa.misc.ntype": "sBon", - "rsa.time.event_time": "2017-07-11T04:45:07.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2017-07-25T11:47:41.000Z", - "destination.ip": "10.131.61.13", - "event.action": "accept", - "event.code": "538", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=ten sn=vita time=\"2017/07/25 09:47:41\" fw=10.35.5.16 pri=high c=emaccusa m=538 msg=\"accept\" n=qui src=10.143.76.137:1414:lo3470 dst= 10.131.61.13", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 5613, - "observer.ingress.interface.name": "lo3470", - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.131.61.13", - "10.143.76.137" - ], - "rsa.internal.messageid": "538", - "rsa.misc.action": [ - "accept" - ], - "rsa.network.sinterface": "lo3470", - "rsa.time.date": "2017/07/25", - "rsa.time.event_time": "2017-07-25T11:47:41.000Z", - "service.type": "sonicwall", - "source.ip": "10.143.76.137", - "source.port": 1414, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2017-08-08T18:50:15.000Z", - "destination.address": "Nemoenim2039.api.localhost", - "destination.nat.ip": "10.77.129.130", - "destination.nat.port": 6604, - "event.code": "793", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=evolu sn=ersp time=\"2017/08/08 16:50:15\" fw=10.64.221.30 pri=medium c=inven m=793 msg=\"osquira\" af_polid=tes af_policy=\"mquame\" af_type=\"nihilmol\" af_service=\"xercita\" af_action=\"trud\" n=eriti src=10.99.0.226:2984:eth1766:sequatu341.mail.invalid dst=10.77.129.130:6604:enp0s4138:Nemoenim2039.api.localhost", - "fileset.name": "firewall", - "host.hostname": "sequatu341.mail.invalid", - "input.type": 
"log", - "log.offset": 5762, - "observer.egress.interface.name": "enp0s4138", - "observer.ingress.interface.name": "eth1766", - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.hosts": [ - "Nemoenim2039.api.localhost", - "sequatu341.mail.invalid" - ], - "related.ip": [ - "10.77.129.130", - "10.99.0.226" - ], - "rsa.internal.messageid": "793", - "rsa.internal.msg": "osquira", - "rsa.network.dinterface": "enp0s4138", - "rsa.network.host_dst": "Nemoenim2039.api.localhost", - "rsa.network.sinterface": "eth1766", - "rsa.time.date": "2017/08/08", - "rsa.time.event_time": "2017-08-08T18:50:15.000Z", - "service.type": "sonicwall", - "source.address": "sequatu341.mail.invalid", - "source.nat.ip": "10.99.0.226", - "source.nat.port": 2984, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2017-08-23T01:52:50.000Z", - "event.code": "905", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=nbyCic sn=utlabor time=\"2017/08/22 23:52:50\" fw=10.27.251.77 pri=medium c=ine m=905 msg=\"lup\" n=tatemUt", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 6071, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "905", - "rsa.internal.msg": "lup", - "rsa.misc.ntype": "tatemUt", - "rsa.time.date": "2017/08/22", - "rsa.time.event_time": "2017-08-23T01:52:50.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2017-09-06T08:55:24.000Z", - "event.code": "94", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=quovol sn=nve time=\"2017/09/06 06:55:24\" fw=10.104.201.10 pri=very-high c=ccaecat m=94 Diagnostic Code B", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 6178, - "observer.product": "Firewalls", - "observer.type": "Firewall", - 
"observer.vendor": "Sonicwall", - "rsa.internal.messageid": "94", - "rsa.time.date": "2017/09/06", - "rsa.time.event_time": "2017-09-06T08:55:24.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2017-09-20T15:57:58.000Z", - "event.code": "565", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "tau id=exercita sn=ris time=\"2017/09/20 13:57:58\" fw=10.84.25.23 pri=high c=boree m=565 msg=\"intoc\" n=ncidi", - "fileset.name": "firewall", - "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 6286, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "565", - "rsa.time.event_time": "2017-09-20T15:57:58.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2017-10-04T23:00:32.000Z", - "event.code": "37", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "irat id=onev sn=aturauto time=\"2017/10/04 21:00:32\" fw=10.218.243.47 pri=very-high c=oremi m=37 UDP packet dropped", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 6394, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "37", - "rsa.time.event_time": "2017-10-04T23:00:32.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2017-10-19T06:03:07.000Z", - "event.code": "4", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=temUt sn=olor time=\"2017/10/19 04:03:07\" fw=10.19.10.148 pri=low c=niamqui m=4 SonicWALL activated", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 6509, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - 
"rsa.internal.messageid": "4", - "rsa.time.date": "2017/10/19", - "rsa.time.event_time": "2017-10-19T06:03:07.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2017-11-02T13:05:41.000Z", - "event.code": "156", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=ess sn=ipisci time=\"2017/11/02 11:05:41\" fw=10.113.95.59 pri=very-high c=reprehen m=156 Backup received heartbeat from wrong source", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 6611, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "156", - "rsa.time.date": "2017/11/02", - "rsa.time.event_time": "2017-11-02T13:05:41.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2017-11-16T20:08:15.000Z", - "destination.ip": "10.192.27.157", - "event.action": "accept", - "event.code": "140", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "luptate id=persp sn=entsunt time=\"2017/11/16 18:08:15\" fw=10.206.107.211 pri=low c=fugi m=140 msg=\"accept\" n=inci src=10.230.173.4:2631:enp0s5632 dst= 10.192.27.157", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 6746, - "observer.ingress.interface.name": "enp0s5632", - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.192.27.157", - "10.230.173.4" - ], - "rsa.internal.messageid": "140", - "rsa.misc.action": [ - "accept" - ], - "rsa.network.sinterface": "enp0s5632", - "rsa.time.event_time": "2017-11-16T20:08:15.000Z", - "service.type": "sonicwall", - "source.ip": "10.230.173.4", - "source.port": 2631, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2017-12-01T03:10:49.000Z", - "event.code": "118", - "event.dataset": 
"sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=cusant sn=atemq time=\"2017/12/01 01:10:49\" fw=10.136.31.188 pri=high c=borios m=118 Sending DHCP REQUEST (Verifying).", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 6911, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "118", - "rsa.time.date": "2017/12/01", - "rsa.time.event_time": "2017-12-01T03:10:49.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2017-12-15T10:13:24.000Z", - "event.code": "18", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=ercita sn=ciadeser time=\"2017/12/15 08:13:24\" fw=10.175.236.135 pri=medium c=isnisi m=18 ActiveX blocked", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 7032, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "18", - "rsa.time.date": "2017/12/15", - "rsa.time.event_time": "2017-12-15T10:13:24.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2017-12-29T17:15:58.000Z", - "destination.bytes": 6587, - "destination.ip": "10.190.175.158", - "destination.port": 7005, - "event.code": "195", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=isiuta sn=orsitam time=\"2017/12/29 15:15:58\" fw=10.159.119.34 pri=high c=psaquaea m=195 msg=\"taevita\" n=ameiusm src=10.227.15.253 dst=10.190.175.158 sport=271 dport=7005 rcvd=6587", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 7140, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.190.175.158", - "10.227.15.253" - ], - "rsa.internal.messageid": "195", - "rsa.internal.msg": "taevita", - 
"rsa.time.date": "2017/12/29", - "rsa.time.event_time": "2017-12-29T17:15:58.000Z", - "service.type": "sonicwall", - "source.ip": "10.227.15.253", - "source.port": 271, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2018-01-13T00:18:32.000Z", - "event.code": "22", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=nre sn=veli time=\"2018/01/12 22:18:32\" fw=10.62.147.186 pri=low c=elitse m=22 Ping of death blocked", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 7323, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "22", - "rsa.time.date": "2018/01/12", - "rsa.time.event_time": "2018-01-13T00:18:32.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2018-01-27T07:21:06.000Z", - "destination.ip": "10.15.97.155", - "destination.port": 5935, - "event.action": "block", - "event.code": "616", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=quasia sn=adi time=\"2018/01/27 05:21:06\" fw=10.9.12.248 pri=medium c=mac m=616 msg=\"block\" n=aveni src=10.29.155.171:1871 dst=10.15.97.155:5935", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 7426, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.15.97.155", - "10.29.155.171" - ], - "rsa.internal.messageid": "616", - "rsa.misc.action": [ - "block" - ], - "rsa.time.date": "2018/01/27", - "rsa.time.event_time": "2018-01-27T07:21:06.000Z", - "service.type": "sonicwall", - "source.ip": "10.29.155.171", - "source.port": 1871, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2018-02-10T14:23:41.000Z", - "event.code": "9", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": 
"id=llamco sn=nea time=\"2018/02/10 12:23:41\" fw=10.123.143.188 pri=medium c=orsit m=9 No new Filter list available", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 7573, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "9", - "rsa.time.date": "2018/02/10", - "rsa.time.event_time": "2018-02-10T14:23:41.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2018-02-24T21:26:15.000Z", - "event.code": "907", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=ise sn=itau time=\"2018/02/24 19:26:15\" fw=10.44.22.97 pri=very-high c=lorsita m=907 msg=\"dolore\" n=uptate", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 7687, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "907", - "rsa.internal.msg": "dolore", - "rsa.misc.ntype": "uptate", - "rsa.time.date": "2018/02/24", - "rsa.time.event_time": "2018-02-24T21:26:15.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2018-03-11T04:28:49.000Z", - "event.code": "157", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=odi sn=ptass time=\"2018/03/11 02:28:49\" fw=10.39.10.155 pri=low c=tametcon m=157 HA packet processing error", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 7796, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "157", - "rsa.time.date": "2018/03/11", - "rsa.time.event_time": "2018-03-11T04:28:49.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2018-03-25T11:31:24.000Z", - "destination.ip": "10.25.32.107", - "event.code": 
"261", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=aco sn=tio time=\"2018/03/25 09:31:24\" fw=10.112.38.219 pri=high c=dantium m=261 msg=\"lor\" n=velillu usr=cteturad src= 10.18.204.87 dst= 10.25.32.107", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 7907, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.18.204.87", - "10.25.32.107" - ], - "related.user": [ - "cteturad" - ], - "rsa.internal.messageid": "261", - "rsa.internal.msg": "lor", - "rsa.time.date": "2018/03/25", - "rsa.time.event_time": "2018-03-25T11:31:24.000Z", - "service.type": "sonicwall", - "source.ip": "10.18.204.87", - "tags": [ - "forwarded", - "sonicwall.firewall" - ], - "user.name": "cteturad" - }, - { - "@timestamp": "2018-04-08T06:33:58.000Z", - "destination.ip": "10.246.0.167", - "destination.mac": "01:00:5e:2c:22:06", - "destination.port": 2189, - "event.action": "block", - "event.code": "utodita", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=utodita sn=aec time=\"2018-4-8 4:33:58\" fw=10.21.89.175 pri=medium c=diconse m=428 msg=\"elitse\" n=reseo src=10.71.238.250:41:lo3856 dst=10.246.0.167:2189:eth2632 srcMac= 01:00:5e:7c:42:0b dstMac=01:00:5e:2c:22:06 proto=icmp fw_action=\"block\"", - "fileset.name": "firewall", - "host.ip": "10.21.89.175", - "input.type": "log", - "log.level": "medium", - "log.offset": 8059, - "network.protocol": "icmp", - "observer.egress.interface.name": "eth2632", - "observer.ingress.interface.name": "lo3856", - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.21.89.175", - "10.246.0.167", - "10.71.238.250" - ], - "rsa.internal.event_desc": "elitse", - "rsa.internal.messageid": "428", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "diconse", - "rsa.misc.reference_id": "utodita", - 
"rsa.misc.serial_number": "aec", - "rsa.misc.severity": "medium", - "rsa.network.dinterface": "eth2632", - "rsa.network.sinterface": "lo3856", - "rsa.time.date": "2018-4-8", - "rsa.time.event_time": "2018-04-08T06:33:58.000Z", - "service.type": "sonicwall", - "source.ip": "10.71.238.250", - "source.mac": "01:00:5e:7c:42:0b", - "source.port": 41, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2018-04-22T13:36:32.000Z", - "destination.ip": "10.176.209.227", - "destination.port": 6362, - "event.action": "allow", - "event.code": "794", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=ritin sn=temporin time=\"2018-4-22 11:36:32\" fw=10.122.76.148 pri=high c=tdol m=794 msg=\"upt\" sid=mex spycat=tatem spypri=untutlab pktdatId=amcor n=ica src=10.13.66.97:2000:enp0s5411 dst=10.176.209.227:6362:eth7037 proto=ipv6/siu fw_action=\"allow\"", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 8303, - "network.protocol": "ipv6", - "observer.egress.interface.name": "eth7037", - "observer.ingress.interface.name": "enp0s5411", - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.13.66.97", - "10.176.209.227" - ], - "rsa.identity.user_sid_dst": "mex", - "rsa.internal.event_desc": "upt", - "rsa.internal.messageid": "794", - "rsa.misc.action": [ - "allow" - ], - "rsa.network.dinterface": "eth7037", - "rsa.network.sinterface": "enp0s5411", - "rsa.time.date": "2018-4-22", - "rsa.time.event_time": "2018-04-22T13:36:32.000Z", - "service.type": "sonicwall", - "source.ip": "10.13.66.97", - "source.port": 2000, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2018-05-07T08:39:06.000Z", - "event.code": "7", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=quaea sn=ametcons time=\"2018/05/07 06:39:06\" fw=10.74.46.22 pri=very-high c=tetur m=7 Log 
full; deactivating SonicWALL", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 8553, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "7", - "rsa.time.date": "2018/05/07", - "rsa.time.event_time": "2018-05-07T08:39:06.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2018-05-21T15:41:41.000Z", - "destination.nat.ip": "10.77.174.205", - "event.code": "240", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=ariatur sn=rer time=\"2018/05/21 13:41:41\" fw=10.210.243.175 pri=low c=atisetqu m=240 msg=\"issuscip\" n=uisa src=10.240.49.224 dst=10.77.174.205", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 8675, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.240.49.224", - "10.77.174.205" - ], - "rsa.internal.messageid": "240", - "rsa.internal.msg": "issuscip", - "rsa.misc.ntype": "uisa", - "rsa.time.date": "2018/05/21", - "rsa.time.event_time": "2018-05-21T15:41:41.000Z", - "service.type": "sonicwall", - "source.nat.ip": "10.240.49.224", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2018-06-04T22:44:15.000Z", - "destination.ip": "10.187.210.173", - "event.code": "255", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=luptatem sn=uaeratv time=\"2018/06/04 20:44:15\" fw=10.240.190.136 pri=medium c=atcupid m=255 msg=\"quamnih\" n=dminima src=10.44.150.31 dst=10.187.210.173", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 8821, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.187.210.173", - "10.44.150.31" - ], - "rsa.internal.messageid": "255", - "rsa.internal.msg": "quamnih", - 
"rsa.time.date": "2018/06/04", - "rsa.time.event_time": "2018-06-04T22:44:15.000Z", - "service.type": "sonicwall", - "source.ip": "10.44.150.31", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2018-06-19T05:46:49.000Z", - "destination.ip": "10.251.248.228", - "destination.mac": "01:00:5e:c3:ed:55", - "destination.port": 6909, - "event.action": "deny", - "event.code": "ntutlabo", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=ntutlabo sn=iusmodte time=\"2018-6-19 3:46:49\" fw=10.108.84.24 pri=low c=iosamnis m=606 msg=\"volupt\" n=rem src=10.113.100.237:3887:eth163 dst=10.251.248.228:6909 srcMac= 01:00:5e:8b:c1:b4 dstMac=01:00:5e:c3:ed:55proto=udp fw_action=\"deny\"", - "fileset.name": "firewall", - "host.ip": "10.108.84.24", - "input.type": "log", - "log.level": "low", - "log.offset": 8976, - "network.protocol": "udp", - "observer.ingress.interface.name": "eth163", - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.108.84.24", - "10.113.100.237", - "10.251.248.228" - ], - "rsa.internal.event_desc": "volupt", - "rsa.internal.messageid": "606", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "iosamnis", - "rsa.misc.reference_id": "ntutlabo", - "rsa.misc.serial_number": "iusmodte", - "rsa.misc.severity": "low", - "rsa.network.sinterface": "eth163", - "rsa.time.date": "2018-6-19", - "rsa.time.event_time": "2018-06-19T05:46:49.000Z", - "service.type": "sonicwall", - "source.ip": "10.113.100.237", - "source.mac": "01:00:5e:8b:c1:b4", - "source.port": 3887, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2018-07-03T12:49:23.000Z", - "event.code": "28", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=emvele sn=isnost time=\"2018/07/03 10:49:23\" fw=10.71.112.159 pri=medium c=emqu m=28 Fragmented Packet Dropped", - "fileset.name": 
"firewall", - "input.type": "log", - "log.offset": 9217, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "28", - "rsa.time.date": "2018/07/03", - "rsa.time.event_time": "2018-07-03T12:49:23.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2018-07-17T19:51:58.000Z", - "event.code": "61", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "sit id=rumSect sn=ita time=\"2018/07/17 17:51:58\" fw=10.139.65.241 pri=low c=teni m=61 Diagnostic Code E", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 9330, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "61", - "rsa.time.event_time": "2018-07-17T19:51:58.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2018-08-01T02:54:32.000Z", - "event.code": "906", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "oremag id=illu sn=ruredo time=\"2018/08/01 00:54:32\" fw=10.72.196.74 pri=very-high c=ptassita m=906 msg=\"its\" n=lore", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 9434, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "906", - "rsa.internal.msg": "its", - "rsa.misc.ntype": "lore", - "rsa.time.event_time": "2018-08-01T02:54:32.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2018-08-15T09:57:06.000Z", - "destination.ip": "10.50.44.5", - "destination.port": 7668, - "event.action": "block", - "event.code": "237", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "sBono id=loremqu sn=tetur time=\"2018/08/15 07:57:06\" 
fw=10.213.94.135 pri=very-high c=urmagn m=237 msg=\"block\" n=uptat src=10.105.46.101:3346:enp0s382 dst= 10.50.44.5:7668:lo1441", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 9550, - "observer.egress.interface.name": "lo1441", - "observer.ingress.interface.name": "enp0s382", - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.105.46.101", - "10.50.44.5" - ], - "rsa.internal.messageid": "237", - "rsa.misc.action": [ - "block" - ], - "rsa.network.dinterface": "lo1441", - "rsa.network.sinterface": "enp0s382", - "rsa.time.event_time": "2018-08-15T09:57:06.000Z", - "service.type": "sonicwall", - "source.ip": "10.105.46.101", - "source.port": 3346, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2018-08-29T16:59:40.000Z", - "destination.ip": "10.52.248.251", - "destination.port": 5776, - "event.code": "328", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=ddoeius sn=ugiatn time=\"2018/08/29 14:59:40\" fw=10.50.102.128 pri=high c=abore m=328 msg=\"squ\" n=uiadol src=10.60.142.127:1081:eth6291 dst= 10.52.248.251:5776:lo2241", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 9729, - "observer.egress.interface.name": "lo2241", - "observer.ingress.interface.name": "eth6291", - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.52.248.251", - "10.60.142.127" - ], - "rsa.internal.messageid": "328", - "rsa.internal.msg": "squ", - "rsa.network.dinterface": "lo2241", - "rsa.network.sinterface": "eth6291", - "rsa.time.date": "2018/08/29", - "rsa.time.event_time": "2018-08-29T16:59:40.000Z", - "service.type": "sonicwall", - "source.ip": "10.60.142.127", - "source.port": 1081, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2018-09-13T00:02:15.000Z", - "event.code": "134", - 
"event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=onu sn=liquaUte time=\"2018/09/12 22:02:15\" fw=10.137.202.243 pri=high c=tempor m=134 PPPoE starting PAP Authentication", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 9898, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "134", - "rsa.time.date": "2018/09/12", - "rsa.time.event_time": "2018-09-13T00:02:15.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2018-09-27T07:04:49.000Z", - "event.action": "allow", - "event.code": "mveniamq", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=mveniamq sn=taedict time=\"2018-9-27 5:04:49\" fw=10.206.69.135 pri=high c=aturve m=880 msg=\"utfug\" n=aturQu note=\"aaliq\" fw_action=\"allow\"", - "fileset.name": "firewall", - "host.ip": "10.206.69.135", - "input.type": "log", - "log.level": "high", - "log.offset": 10020, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.206.69.135" - ], - "rsa.db.index": "aaliq", - "rsa.internal.event_desc": "utfug", - "rsa.internal.messageid": "880", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "aturve", - "rsa.misc.reference_id": "mveniamq", - "rsa.misc.serial_number": "taedict", - "rsa.misc.severity": "high", - "rsa.time.date": "2018-9-27", - "rsa.time.event_time": "2018-09-27T07:04:49.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2018-10-11T14:07:23.000Z", - "destination.ip": "10.115.38.80", - "event.code": "441", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=uiinea sn=mnisiut time=\"2018/10/11 12:07:23\" fw=10.208.228.129 pri=low c=olup m=441 msg=\"labor\" n=dol src= 
10.240.54.28 dst= 10.115.38.80", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 10161, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.115.38.80", - "10.240.54.28" - ], - "rsa.internal.messageid": "441", - "rsa.internal.msg": "labor", - "rsa.time.date": "2018/10/11", - "rsa.time.event_time": "2018-10-11T14:07:23.000Z", - "service.type": "sonicwall", - "source.ip": "10.240.54.28", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2018-10-25T21:09:57.000Z", - "event.code": "163", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=mve sn=uia time=\"2018/10/25 19:09:57\" fw=10.92.237.93 pri=high c=nsequunt m=163 Disconnecting PPPoE due to traffic timeout", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 10302, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "163", - "rsa.time.date": "2018/10/25", - "rsa.time.event_time": "2018-10-25T21:09:57.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2018-11-09T04:12:32.000Z", - "destination.ip": "10.104.49.142", - "event.code": "252", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=doei sn=cipitl time=\"2018/11/09 02:12:32\" fw=10.53.127.17 pri=very-high c=strumex m=252 msg=\"eprehend\" n=asnu src=10.102.166.19 dst=10.104.49.142", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 10428, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.102.166.19", - "10.104.49.142" - ], - "rsa.internal.messageid": "252", - "rsa.internal.msg": "eprehend", - "rsa.time.date": "2018/11/09", - "rsa.time.event_time": "2018-11-09T04:12:32.000Z", - "service.type": "sonicwall", 
- "source.ip": "10.102.166.19", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2018-11-23T11:15:06.000Z", - "destination.ip": "10.120.25.169", - "destination.port": 1965, - "event.action": "block", - "event.code": "199", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=repreh sn=plic time=\"2018/11/23 09:15:06\" fw=10.17.87.79 pri=high c=saq m=199 msg=\"block\" n=ritqu src=10.203.77.154:3916:lo4991 dst= 10.120.25.169:1965:lo4527", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 10577, - "observer.egress.interface.name": "lo4527", - "observer.ingress.interface.name": "lo4991", - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.120.25.169", - "10.203.77.154" - ], - "rsa.internal.messageid": "199", - "rsa.misc.action": [ - "block" - ], - "rsa.network.dinterface": "lo4527", - "rsa.network.sinterface": "lo4991", - "rsa.time.date": "2018/11/23", - "rsa.time.event_time": "2018-11-23T11:15:06.000Z", - "service.type": "sonicwall", - "source.ip": "10.203.77.154", - "source.port": 3916, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2018-12-07T18:17:40.000Z", - "event.code": "88", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "ipsa id=asuntexp sn=adminim time=\"2018/12/07 16:17:40\" fw=10.115.115.26 pri=high c=modoc m=88 IKE Responder: IPSec proposal not acceptable", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 10739, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "88", - "rsa.time.event_time": "2018-12-07T18:17:40.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2018-12-22T01:20:14.000Z", - "event.code": "34", - "event.dataset": "sonicwall.firewall", - 
"event.module": "sonicwall", - "event.original": "id=iumt sn=tsed time=\"2018/12/21 23:20:14\" fw=10.249.120.78 pri=medium c=atuse m=34 Login screen timed out", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 10878, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "34", - "rsa.time.date": "2018/12/21", - "rsa.time.event_time": "2018-12-22T01:20:14.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2019-01-05T08:22:49.000Z", - "destination.bytes": 1629, - "destination.ip": "10.137.217.159", - "destination.port": 563, - "event.code": "195", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=loremag sn=tcu time=\"2019/01/05 06:22:49\" fw=10.84.251.253 pri=high c=erspi m=195 msg=\"rorsit\" n=tionemu src=10.77.95.12 dst=10.137.217.159 sport=2310 dport=563 rcvd=1629", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 10985, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.137.217.159", - "10.77.95.12" - ], - "rsa.internal.messageid": "195", - "rsa.internal.msg": "rorsit", - "rsa.time.date": "2019/01/05", - "rsa.time.event_time": "2019-01-05T08:22:49.000Z", - "service.type": "sonicwall", - "source.ip": "10.77.95.12", - "source.port": 2310, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2019-01-19T15:25:23.000Z", - "event.code": "48", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "elillum id=upt sn=rnat time=\"2019/01/19 13:25:23\" fw=10.1.96.93 pri=high c=edolo m=48 Out-of-order command packet dropped", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 11159, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - 
"rsa.internal.messageid": "48", - "rsa.time.event_time": "2019-01-19T15:25:23.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2019-02-02T22:27:57.000Z", - "destination.nat.ip": "10.191.242.168", - "destination.nat.port": 5251, - "event.code": "995", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "doeiu id=deF sn=itempo time=\"2019/02/02 20:27:57\" fw=10.200.237.196 pri=medium c=ecillum m=995 msg=\"isci\" n=dolor src=10.165.48.224:5386 dst=10.191.242.168:5251 note=\"equep\"", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 11281, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.165.48.224", - "10.191.242.168" - ], - "rsa.internal.event_desc": "equep", - "rsa.internal.messageid": "995", - "rsa.internal.msg": "isci", - "rsa.time.event_time": "2019-02-02T22:27:57.000Z", - "service.type": "sonicwall", - "source.nat.ip": "10.165.48.224", - "source.nat.port": 5386, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2019-02-17T05:30:32.000Z", - "event.code": "909", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "BCS id=qui sn=ugiatquo time=\"2019/02/17 03:30:32\" fw=10.204.133.116 pri=medium c=autemv m=909 msg=\"emq\" n=plicaboN", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 11455, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "909", - "rsa.internal.msg": "emq", - "rsa.misc.ntype": "plicaboN", - "rsa.time.event_time": "2019-02-17T05:30:32.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2019-03-03T12:33:06.000Z", - "destination.nat.ip": "10.116.173.79", - "destination.nat.port": 7693, - "event.code": "178", - 
"event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=vol sn=admi time=\"2019/03/03 10:33:06\" fw=10.77.229.168 pri=high c=aquiof m=178 msg=\"ende\" n=abor src=10.185.37.32:708 dst=10.116.173.79:7693", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 11570, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.116.173.79", - "10.185.37.32" - ], - "rsa.internal.messageid": "178", - "rsa.internal.msg": "ende", - "rsa.misc.ntype": "abor", - "rsa.time.date": "2019/03/03", - "rsa.time.event_time": "2019-03-03T12:33:06.000Z", - "service.type": "sonicwall", - "source.nat.ip": "10.185.37.32", - "source.nat.port": 708, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2019-03-17T19:35:40.000Z", - "destination.nat.ip": "10.57.85.98", - "destination.nat.port": 3286, - "event.code": "995", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=olorem sn=gitse time=\"2019/03/17 17:35:40\" fw=10.245.127.213 pri=very-high c=billoinv m=995 msg=\"sci\" n=col src=10.219.42.212:5708 dst=10.57.85.98:3286 note=\"mquisno\"", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 11715, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.219.42.212", - "10.57.85.98" - ], - "rsa.internal.event_desc": "mquisno", - "rsa.internal.messageid": "995", - "rsa.internal.msg": "sci", - "rsa.time.date": "2019/03/17", - "rsa.time.event_time": "2019-03-17T19:35:40.000Z", - "service.type": "sonicwall", - "source.nat.ip": "10.219.42.212", - "source.nat.port": 5708, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2019-04-01T02:38:14.000Z", - "destination.ip": "10.88.244.209", - "destination.port": 6953, - "event.code": "97", - "event.dataset": "sonicwall.firewall", - "event.module": 
"sonicwall", - "event.original": "id=nisiu sn=imad time=\"2019/04/01 00:38:14\" fw=10.30.101.79 pri=high c=tenimad m=97 n=sitametc src= 10.152.35.175:2737:enp0s3423 dst= 10.88.244.209:6953:enp0s2460 proto=ipv6-icmp op=caecat sent=5835 dstname=tquidol", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 11885, - "network.protocol": "ipv6-icmp", - "observer.egress.interface.name": "enp0s2460", - "observer.ingress.interface.name": "enp0s3423", - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.152.35.175", - "10.88.244.209" - ], - "rsa.internal.messageid": "97", - "rsa.misc.name": "tquidol", - "rsa.network.dinterface": "enp0s2460", - "rsa.network.sinterface": "enp0s3423", - "rsa.time.date": "2019/04/01", - "rsa.time.event_time": "2019-04-01T02:38:14.000Z", - "service.type": "sonicwall", - "source.bytes": 5835, - "source.ip": "10.152.35.175", - "source.port": 2737, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2019-04-15T09:40:49.000Z", - "destination.address": "ugitsedq5067.internal.test", - "destination.bytes": 1635, - "destination.ip": "10.107.216.138", - "destination.port": 3147, - "event.action": "accept", - "event.code": "537", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "undeom id=emullamc sn=tec time=\"2019/04/15 07:40:49\" fw=10.29.118.7 pri=medium c=mveleum m=537 msg=\"accept\" f=exercita n=sBonorum src= 10.132.171.15 dst= 10.107.216.138:3147:lo5057:ugitsedq5067.internal.test proto=rdp sent=5943 rcvd=1635", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 12100, - "network.protocol": "rdp", - "observer.egress.interface.name": "lo5057", - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.hosts": [ - "ugitsedq5067.internal.test" - ], - "related.ip": [ - "10.107.216.138", - "10.132.171.15" - ], - 
"rsa.internal.messageid": "537", - "rsa.misc.action": [ - "accept" - ], - "rsa.network.dinterface": "lo5057", - "rsa.network.host_dst": "ugitsedq5067.internal.test", - "rsa.time.event_time": "2019-04-15T09:40:49.000Z", - "service.type": "sonicwall", - "source.bytes": 5943, - "source.ip": "10.132.171.15", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2019-04-29T16:43:23.000Z", - "event.code": "137", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=gna sn=isiutali time=\"2019/04/29 14:43:23\" fw=10.156.152.182 pri=very-high c=ons m=137 Wan IP Changed", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 12338, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "137", - "rsa.time.date": "2019/04/29", - "rsa.time.event_time": "2019-04-29T16:43:23.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2019-05-13T23:45:57.000Z", - "destination.ip": "10.195.223.82", - "event.code": "351", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=uaturve sn=amquisno time=\"2019/05/13 21:45:57\" fw=10.123.74.66 pri=very-high c=mquiad m=351 msg=\"CSe\" n=lors src=10.135.70.159 dst=10.195.223.82", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 12443, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.135.70.159", - "10.195.223.82" - ], - "rsa.internal.messageid": "351", - "rsa.internal.msg": "CSe", - "rsa.time.date": "2019/05/13", - "rsa.time.event_time": "2019-05-13T23:45:57.000Z", - "service.type": "sonicwall", - "source.ip": "10.135.70.159", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2019-05-28T06:48:31.000Z", - "destination.ip": "10.142.120.198", - "event.code": "261", - 
"event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=atu sn=iusm time=\"2019/05/28 04:48:31\" fw=10.20.81.176 pri=low c=stquido m=261 msg=\"rsitvolu\" n=mnisi usr=usmo src=10.22.244.71:1865:eth3249 dst= 10.142.120.198", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 12591, - "observer.ingress.interface.name": "eth3249", - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.142.120.198", - "10.22.244.71" - ], - "related.user": [ - "usmo" - ], - "rsa.internal.messageid": "261", - "rsa.internal.msg": "rsitvolu", - "rsa.network.sinterface": "eth3249", - "rsa.time.date": "2019/05/28", - "rsa.time.event_time": "2019-05-28T06:48:31.000Z", - "service.type": "sonicwall", - "source.ip": "10.22.244.71", - "source.port": 1865, - "tags": [ - "forwarded", - "sonicwall.firewall" - ], - "user.name": "usmo" - }, - { - "@timestamp": "2019-06-11T13:51:06.000Z", - "event.code": "125", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=oin sn=itseddoe time=\"2019/06/11 11:51:06\" fw=10.141.143.56 pri=low c=erc m=125 Unused AV log entry.", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 12755, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "125", - "rsa.time.date": "2019/06/11", - "rsa.time.event_time": "2019-06-11T13:51:06.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2019-06-25T20:53:40.000Z", - "event.code": "105", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=giatquov sn=olu time=\"2019/06/25 18:53:40\" fw=10.137.103.62 pri=medium c=serror m=105 Sending DHCP DISCOVER.", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 12859, - "observer.product": "Firewalls", - 
"observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "105", - "rsa.time.date": "2019/06/25", - "rsa.time.event_time": "2019-06-25T20:53:40.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2019-07-10T03:56:14.000Z", - "event.code": "34", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "emagn id=emulla sn=mips time=\"2019/07/10 01:56:14\" fw=10.201.146.83 pri=very-high c=atnula m=34 Login screen timed out", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 12971, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "34", - "rsa.time.event_time": "2019-07-10T03:56:14.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2019-07-24T10:58:48.000Z", - "event.code": "144", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=itametc sn=ori time=\"2019/07/24 08:58:48\" fw=10.202.74.93 pri=low c=ido m=144 Primary firewall has transitioned to Idle", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 13090, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "144", - "rsa.time.date": "2019/07/24", - "rsa.time.event_time": "2019-07-24T10:58:48.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2019-08-07T18:01:23.000Z", - "destination.nat.ip": "10.12.54.142", - "destination.nat.port": 6543, - "event.code": "658", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=doconse sn=etdol time=\"2019/08/07 16:01:23\" fw=10.156.88.51 pri=high c=tura m=658 msg=\"osquirat\" n=equat src=10.56.10.84:5366 dst=10.12.54.142:6543", - 
"fileset.name": "firewall", - "input.type": "log", - "log.offset": 13213, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.12.54.142", - "10.56.10.84" - ], - "rsa.internal.messageid": "658", - "rsa.internal.msg": "osquirat", - "rsa.misc.ntype": "equat", - "rsa.time.date": "2019/08/07", - "rsa.time.event_time": "2019-08-07T18:01:23.000Z", - "service.type": "sonicwall", - "source.nat.ip": "10.56.10.84", - "source.nat.port": 5366, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2019-08-22T01:03:57.000Z", - "destination.bytes": 7416, - "destination.ip": "10.117.63.181", - "destination.port": 6863, - "event.code": "195", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=min sn=oluptat time=\"2019/08/21 23:03:57\" fw=10.162.129.196 pri=medium c=snisi m=195 msg=\"magnaal\" n=uscip src=10.222.169.140 dst=10.117.63.181 sport=5299 dport=6863 rcvd=7416", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 13364, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.117.63.181", - "10.222.169.140" - ], - "rsa.internal.messageid": "195", - "rsa.internal.msg": "magnaal", - "rsa.time.date": "2019/08/21", - "rsa.time.event_time": "2019-08-22T01:03:57.000Z", - "service.type": "sonicwall", - "source.ip": "10.222.169.140", - "source.port": 5299, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2019-09-05T08:06:31.000Z", - "event.code": "867", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=eacommo sn=ueip time=\"2019/09/05 06:06:31\" fw=10.243.252.157 pri=low c=minim m=867 msg=\"scipi\" sess=tur n=acon", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 13543, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": 
"Sonicwall", - "rsa.internal.messageid": "867", - "rsa.internal.msg": "scipi", - "rsa.misc.ntype": "acon", - "rsa.time.date": "2019/09/05", - "rsa.time.event_time": "2019-09-05T08:06:31.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2019-09-19T15:09:05.000Z", - "event.code": "60", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "usm id=labori sn=porai time=\"2019/09/19 13:09:05\" fw=10.73.176.98 pri=high c=ostr m=60 Access to Proxy Server Blocked", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 13657, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "60", - "rsa.time.event_time": "2019-09-19T15:09:05.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2019-10-03T10:11:40.000Z", - "destination.ip": "10.200.122.184", - "destination.port": 1176, - "event.action": "allow", - "event.code": "794", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=lup sn=upta time=\"2019-10-3 8:11:40\" fw=10.247.88.138 pri=very-high c=orissu m=794 msg=\"fic\" sid=sBon spycat=usmod spypri=umdol pktdatId=rumexerc n=isiutali src=10.57.255.4:239:lo1325 dst=10.200.122.184:1176:eth5397 proto=rdp/amvo fw_action=\"allow\"", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 13775, - "network.protocol": "rdp", - "observer.egress.interface.name": "eth5397", - "observer.ingress.interface.name": "lo1325", - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.200.122.184", - "10.57.255.4" - ], - "rsa.identity.user_sid_dst": "sBon", - "rsa.internal.event_desc": "fic", - "rsa.internal.messageid": "794", - "rsa.misc.action": [ - "allow" - ], - "rsa.network.dinterface": "eth5397", - 
"rsa.network.sinterface": "lo1325", - "rsa.time.date": "2019-10-3", - "rsa.time.event_time": "2019-10-03T10:11:40.000Z", - "service.type": "sonicwall", - "source.ip": "10.57.255.4", - "source.port": 239, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2019-10-18T05:14:14.000Z", - "event.code": "19", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=mmod sn=iti time=\"2019/10/18 03:14:14\" fw=10.55.81.14 pri=medium c=asp m=19 Java blocked", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 14027, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "19", - "rsa.time.date": "2019/10/18", - "rsa.time.event_time": "2019-10-18T05:14:14.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2019-11-01T12:16:48.000Z", - "destination.nat.ip": "10.129.101.147", - "destination.nat.port": 3606, - "event.code": "413", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=mag sn=gelitse time=\"2019/11/01 10:16:48\" fw=10.195.58.44 pri=high c=radip m=413 msg=\"upta\" n=tetura src=10.206.229.61:3467 dst=10.129.101.147:3606", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 14119, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.129.101.147", - "10.206.229.61" - ], - "rsa.internal.messageid": "413", - "rsa.internal.msg": "upta", - "rsa.time.date": "2019/11/01", - "rsa.time.event_time": "2019-11-01T12:16:48.000Z", - "service.type": "sonicwall", - "source.nat.ip": "10.206.229.61", - "source.nat.port": 3467, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2019-11-15T19:19:22.000Z", - "event.code": "159", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - 
"event.original": "id=nostrud sn=cteturad time=\"2019/11/15 17:19:22\" fw=10.150.163.151 pri=high c=veniam m=159 Diagnostic Code F", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 14270, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "159", - "rsa.time.date": "2019/11/15", - "rsa.time.event_time": "2019-11-15T19:19:22.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2019-11-30T02:21:57.000Z", - "destination.ip": "10.119.4.120", - "destination.port": 3822, - "event.code": "520", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=imavenia sn=expli time=\"2019/11/30 00:21:57\" fw=10.144.57.239 pri=medium c=rur m=520 msg=\"itse\" n=ilm src=10.167.9.200:4003:lo5561 dst= 10.119.4.120:3822:enp0s234", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 14380, - "observer.egress.interface.name": "enp0s234", - "observer.ingress.interface.name": "lo5561", - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "related.ip": [ - "10.119.4.120", - "10.167.9.200" - ], - "rsa.internal.messageid": "520", - "rsa.internal.msg": "itse", - "rsa.network.dinterface": "enp0s234", - "rsa.network.sinterface": "lo5561", - "rsa.time.date": "2019/11/30", - "rsa.time.event_time": "2019-11-30T02:21:57.000Z", - "service.type": "sonicwall", - "source.ip": "10.167.9.200", - "source.port": 4003, - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - }, - { - "@timestamp": "2019-12-14T09:24:31.000Z", - "event.code": "1079", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "oluptate id=lit sn=santi time=\"2019/12/14 07:24:31\" fw=10.211.112.194 pri=low c=uis m=1079 msg=\"Clientamcis assigned IP:10.221.220.148\" n=apar", - "fileset.name": "firewall", - "input.type": "log", - 
"log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 14546, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "1079", - "rsa.time.event_time": "2019-12-14T09:24:31.000Z", - "service.type": "sonicwall", - "tags": [ - "forwarded", - "sonicwall.firewall" - ] - } -] \ No newline at end of file diff --git a/x-pack/filebeat/modules.d/sonicwall.yml.disabled b/x-pack/filebeat/modules.d/sonicwall.yml.disabled deleted file mode 100644 index cf0706bdd81..00000000000 --- a/x-pack/filebeat/modules.d/sonicwall.yml.disabled +++ /dev/null @@ -1,22 +0,0 @@ -# Module: sonicwall -# Docs: https://www.elastic.co/guide/en/beats/filebeat/main/filebeat-module-sonicwall.html - -- module: sonicwall - firewall: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9519 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local From b67c599ac95ad51b7ec5e6f83ba2f321cee2fa14 Mon Sep 17 00:00:00 2001 
From: Panos Koutsovasilis Date: Thu, 15 Feb 2024 14:05:13 +0200 Subject: [PATCH 17/22] feat: remove deprecated squid --- filebeat/docs/fields.asciidoc | 5435 ------------ filebeat/docs/modules_list.asciidoc | 2 - x-pack/filebeat/filebeat.reference.yml | 21 - x-pack/filebeat/include/list.go | 1 - x-pack/filebeat/module/squid/README.md | 7 - x-pack/filebeat/module/squid/_meta/config.yml | 19 - .../filebeat/module/squid/_meta/docs.asciidoc | 70 - x-pack/filebeat/module/squid/_meta/fields.yml | 5 - x-pack/filebeat/module/squid/fields.go | 23 - .../module/squid/log/_meta/fields.yml | 2635 ------ .../module/squid/log/config/input.yml | 87 - .../module/squid/log/config/liblogparser.js | 2514 ------ .../module/squid/log/config/pipeline.js | 463 -- .../module/squid/log/ingest/pipeline.yml | 92 - x-pack/filebeat/module/squid/log/manifest.yml | 31 - .../module/squid/log/test/access1.log | 100 - .../squid/log/test/access1.log-expected.json | 6062 -------------- .../module/squid/log/test/generated.log | 100 - .../log/test/generated.log-expected.json | 7403 ----------------- x-pack/filebeat/modules.d/squid.yml.disabled | 22 - 20 files changed, 25092 deletions(-) delete mode 100644 x-pack/filebeat/module/squid/README.md delete mode 100644 x-pack/filebeat/module/squid/_meta/config.yml delete mode 100644 x-pack/filebeat/module/squid/_meta/docs.asciidoc delete mode 100644 x-pack/filebeat/module/squid/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/squid/fields.go delete mode 100644 x-pack/filebeat/module/squid/log/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/squid/log/config/input.yml delete mode 100644 x-pack/filebeat/module/squid/log/config/liblogparser.js delete mode 100644 x-pack/filebeat/module/squid/log/config/pipeline.js delete mode 100644 x-pack/filebeat/module/squid/log/ingest/pipeline.yml delete mode 100644 x-pack/filebeat/module/squid/log/manifest.yml delete mode 100644 x-pack/filebeat/module/squid/log/test/access1.log delete mode 100644 
x-pack/filebeat/module/squid/log/test/access1.log-expected.json delete mode 100644 x-pack/filebeat/module/squid/log/test/generated.log delete mode 100644 x-pack/filebeat/module/squid/log/test/generated.log-expected.json delete mode 100644 x-pack/filebeat/modules.d/squid.yml.disabled diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 8bfac69ac84..9204ac32ee2 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -75,7 +75,6 @@ grouped in the following categories: * <> * <> * <> -* <> * <> * <> * <> 
@@ -57711,5440 +57710,6 @@ type: keyword related XSS caught by the WAF -type: keyword - --- - -[[exported-fields-squid]] -== Squid fields - -squid fields. - - - -*`network.interface.name`*:: -+ --- -Name of the network interface where the traffic has been observed. - - -type: keyword - --- - - - -*`rsa.internal.msg`*:: -+ --- -This key is used to capture the raw message that comes into the Log Decoder - -type: keyword - --- - -*`rsa.internal.messageid`*:: -+ --- -type: keyword - --- - -*`rsa.internal.event_desc`*:: -+ --- -type: keyword - --- - -*`rsa.internal.message`*:: -+ --- -This key captures the contents of instant messages - -type: keyword - --- - -*`rsa.internal.time`*:: -+ --- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: date - --- - -*`rsa.internal.level`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.msg_id`*:: -+ --- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.msg_vid`*:: -+ --- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.data`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_server`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_val`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.internal.resource`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_id`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.statement`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.audit_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.entry`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.hcode`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.inode`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.resource_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.dead`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.feed_desc`*:: -+ --- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.feed_name`*:: -+ --- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.cid`*:: -+ --- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_class`*:: -+ --- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_group`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_host`*:: -+ --- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_ip`*:: -+ --- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_ipv6`*:: -+ --- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_type`*:: -+ --- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_type_id`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.did`*:: -+ --- -This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.entropy_req`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.entropy_res`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.event_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.feed_category`*:: -+ --- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.forward_ip`*:: -+ --- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: ip - --- - -*`rsa.internal.forward_ipv6`*:: -+ --- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.header_id`*:: -+ --- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_cid`*:: -+ --- -This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_ctime`*:: -+ --- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: date - --- - -*`rsa.internal.mcb_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcb_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcbc_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.mcbc_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.medium`*:: -+ --- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: long - --- - -*`rsa.internal.node_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.nwe_callback_id`*:: -+ --- -This key denotes that event is endpoint related - -type: keyword - --- - -*`rsa.internal.parse_error`*:: -+ --- -This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.payload_req`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.payload_res`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.process_vid_dst`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - -type: keyword - --- - -*`rsa.internal.process_vid_src`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - -type: keyword - --- - -*`rsa.internal.rid`*:: -+ --- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.session_split`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.site`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.size`*:: -+ --- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.sourcefile`*:: -+ --- -This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.ubc_req`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.ubc_res`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.word`*:: -+ --- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - -type: keyword - --- - - -*`rsa.time.event_time`*:: -+ --- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - -type: date - --- - -*`rsa.time.duration_time`*:: -+ --- -This key is used to capture the normalized duration/lifetime in seconds. 
- -type: double - --- - -*`rsa.time.event_time_str`*:: -+ --- -This key is used to capture the incomplete time mentioned in a session as a string - -type: keyword - --- - -*`rsa.time.starttime`*:: -+ --- -This key is used to capture the Start time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.month`*:: -+ --- -type: keyword - --- - -*`rsa.time.day`*:: -+ --- -type: keyword - --- - -*`rsa.time.endtime`*:: -+ --- -This key is used to capture the End time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.timezone`*:: -+ --- -This key is used to capture the timezone of the Event Time - -type: keyword - --- - -*`rsa.time.duration_str`*:: -+ --- -A text string version of the duration - -type: keyword - --- - -*`rsa.time.date`*:: -+ --- -type: keyword - --- - -*`rsa.time.year`*:: -+ --- -type: keyword - --- - -*`rsa.time.recorded_time`*:: -+ --- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date - --- - -*`rsa.time.datetime`*:: -+ --- -type: keyword - --- - -*`rsa.time.effective_time`*:: -+ --- -This key is the effective time referenced by an individual event in a Standard Timestamp format - -type: date - --- - -*`rsa.time.expire_time`*:: -+ --- -This key is the timestamp that explicitly refers to an expiration. - -type: date - --- - -*`rsa.time.process_time`*:: -+ --- -Deprecated, use duration.time - -type: keyword - --- - -*`rsa.time.hour`*:: -+ --- -type: keyword - --- - -*`rsa.time.min`*:: -+ --- -type: keyword - --- - -*`rsa.time.timestamp`*:: -+ --- -type: keyword - --- - -*`rsa.time.event_queue_time`*:: -+ --- -This key is the Time that the event was queued. 
- -type: date - --- - -*`rsa.time.p_time1`*:: -+ --- -type: keyword - --- - -*`rsa.time.tzone`*:: -+ --- -type: keyword - --- - -*`rsa.time.eventtime`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmtdate`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmttime`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_date`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_month`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time2`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_year`*:: -+ --- -type: keyword - --- - -*`rsa.time.expire_time_str`*:: -+ --- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. - -type: keyword - --- - -*`rsa.time.stamp`*:: -+ --- -Deprecated key defined only in table map. - -type: date - --- - - -*`rsa.misc.action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.result`*:: -+ --- -This key is used to capture the outcome/result string value of an action in a session. - -type: keyword - --- - -*`rsa.misc.severity`*:: -+ --- -This key is used to capture the severity given the session - -type: keyword - --- - -*`rsa.misc.event_type`*:: -+ --- -This key captures the event category type as specified by the event source. - -type: keyword - --- - -*`rsa.misc.reference_id`*:: -+ --- -This key is used to capture an event id from the session directly - -type: keyword - --- - -*`rsa.misc.version`*:: -+ --- -This key captures Version of the application or OS which is generating the event. - -type: keyword - --- - -*`rsa.misc.disposition`*:: -+ --- -This key captures the The end state of an action. 
- -type: keyword - --- - -*`rsa.misc.result_code`*:: -+ --- -This key is used to capture the outcome/result numeric value of an action in a session - -type: keyword - --- - -*`rsa.misc.category`*:: -+ --- -This key is used to capture the category of an event given by the vendor in the session - -type: keyword - --- - -*`rsa.misc.obj_name`*:: -+ --- -This is used to capture name of object - -type: keyword - --- - -*`rsa.misc.obj_type`*:: -+ --- -This is used to capture type of object - -type: keyword - --- - -*`rsa.misc.event_source`*:: -+ --- -This key captures Source of the event that’s not a hostname - -type: keyword - --- - -*`rsa.misc.log_session_id`*:: -+ --- -This key is used to capture a sessionid from the session directly - -type: keyword - --- - -*`rsa.misc.group`*:: -+ --- -This key captures the Group Name value - -type: keyword - --- - -*`rsa.misc.policy_name`*:: -+ --- -This key is used to capture the Policy Name only. - -type: keyword - --- - -*`rsa.misc.rule_name`*:: -+ --- -This key captures the Rule Name - -type: keyword - --- - -*`rsa.misc.context`*:: -+ --- -This key captures Information which adds additional context to the event. - -type: keyword - --- - -*`rsa.misc.change_new`*:: -+ --- -This key is used to capture the new values of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.space`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client`*:: -+ --- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- -type: keyword - --- - -*`rsa.misc.msgIdPart1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.change_old`*:: -+ --- -This key is used to capture the old value of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.operation_id`*:: -+ --- -An alert number or operation number. The values should be unique and non-repeating. - -type: keyword - --- - -*`rsa.misc.event_state`*:: -+ --- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - -type: keyword - --- - -*`rsa.misc.group_object`*:: -+ --- -This key captures a collection/grouping of entities. Specific usage - -type: keyword - --- - -*`rsa.misc.node`*:: -+ --- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - -type: keyword - --- - -*`rsa.misc.rule`*:: -+ --- -This key captures the Rule number - -type: keyword - --- - -*`rsa.misc.device_name`*:: -+ --- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - -type: keyword - --- - -*`rsa.misc.param`*:: -+ --- -This key is the parameters passed as part of a command or application, etc. - -type: keyword - --- - -*`rsa.misc.change_attrib`*:: -+ --- -This key is used to capture the name of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.event_computer`*:: -+ --- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- -type: keyword - --- - -*`rsa.misc.reference_id1`*:: -+ --- -This key is for Linked ID to be used as an addition to "reference.id" - -type: keyword - --- - -*`rsa.misc.event_log`*:: -+ --- -This key captures the Name of the event log - -type: keyword - --- - -*`rsa.misc.OS`*:: -+ --- -This key captures the Name of the Operating System - -type: keyword - --- - -*`rsa.misc.terminal`*:: -+ --- -This key captures the Terminal Names only - -type: keyword - --- - -*`rsa.misc.msgIdPart3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.filter`*:: -+ --- -This key captures Filter used to reduce result set - -type: keyword - --- - -*`rsa.misc.serial_number`*:: -+ --- -This key is the Serial number associated with a physical asset. - -type: keyword - --- - -*`rsa.misc.checksum`*:: -+ --- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - -type: keyword - --- - -*`rsa.misc.event_user`*:: -+ --- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - -type: keyword - --- - -*`rsa.misc.virusname`*:: -+ --- -This key captures the name of the virus - -type: keyword - --- - -*`rsa.misc.content_type`*:: -+ --- -This key is used to capture Content Type only. - -type: keyword - --- - -*`rsa.misc.group_id`*:: -+ --- -This key captures Group ID Number (related to the group name) - -type: keyword - --- - -*`rsa.misc.policy_id`*:: -+ --- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - -type: keyword - --- - -*`rsa.misc.vsys`*:: -+ --- -This key captures Virtual System Name - -type: keyword - --- - -*`rsa.misc.connection_id`*:: -+ --- -This key captures the Connection ID - -type: keyword - --- - -*`rsa.misc.reference_id2`*:: -+ --- -This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - -type: keyword - --- - -*`rsa.misc.sensor`*:: -+ --- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - -type: keyword - --- - -*`rsa.misc.sig_id`*:: -+ --- -This key captures IDS/IPS Int Signature ID - -type: long - --- - -*`rsa.misc.port_name`*:: -+ --- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - -type: keyword - --- - -*`rsa.misc.rule_group`*:: -+ --- -This key captures the Rule group name - -type: keyword - --- - -*`rsa.misc.risk_num`*:: -+ --- -This key captures a Numeric Risk value - -type: double - --- - -*`rsa.misc.trigger_val`*:: -+ --- -This key captures the Value of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.log_session_id1`*:: -+ --- -This key is used to capture a Linked (Related) Session ID from the session directly - -type: keyword - --- - -*`rsa.misc.comp_version`*:: -+ --- -This key captures the Version level of a sub-component of a product. - -type: keyword - --- - -*`rsa.misc.content_version`*:: -+ --- -This key captures Version level of a signature or database content. - -type: keyword - --- - -*`rsa.misc.hardware_id`*:: -+ --- -This key is used to capture unique identifier for a device or system (NOT a Mac address) - -type: keyword - --- - -*`rsa.misc.risk`*:: -+ --- -This key captures the non-numeric risk value - -type: keyword - --- - -*`rsa.misc.event_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.reason`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mail_id`*:: -+ --- -This key is used to capture the mailbox id/name - -type: keyword - --- - -*`rsa.misc.rule_uid`*:: -+ --- -This key is the Unique Identifier for a rule. 
- -type: keyword - --- - -*`rsa.misc.trigger_desc`*:: -+ --- -This key captures the Description of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.inout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.data_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.error`*:: -+ --- -This key captures All non successful Error codes or responses - -type: keyword - --- - -*`rsa.misc.index`*:: -+ --- -type: keyword - --- - -*`rsa.misc.listnum`*:: -+ --- -This key is used to capture listname or listnumber, primarily for collecting access-list - -type: keyword - --- - -*`rsa.misc.ntype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.observed_val`*:: -+ --- -This key captures the Value observed (from the perspective of the device generating the log). - -type: keyword - --- - -*`rsa.misc.policy_value`*:: -+ --- -This key captures the contents of the policy. This contains details about the policy - -type: keyword - --- - -*`rsa.misc.pool_name`*:: -+ --- -This key captures the name of a resource pool - -type: keyword - --- - -*`rsa.misc.rule_template`*:: -+ --- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - -type: keyword - --- - -*`rsa.misc.count`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigcat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comments`*:: -+ --- -Comment information provided in the log message - -type: keyword - --- - -*`rsa.misc.doc_number`*:: -+ --- -This key captures File Identification number - -type: long - --- - -*`rsa.misc.expected_val`*:: -+ --- -This key captures the Value expected (from the perspective of the device generating the log). 
- -type: keyword - --- - -*`rsa.misc.job_num`*:: -+ --- -This key captures the Job Number - -type: keyword - --- - -*`rsa.misc.spi_dst`*:: -+ --- -Destination SPI Index - -type: keyword - --- - -*`rsa.misc.spi_src`*:: -+ --- -Source SPI Index - -type: keyword - --- - -*`rsa.misc.code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.agent_id`*:: -+ --- -This key is used to capture agent id - -type: keyword - --- - -*`rsa.misc.message_body`*:: -+ --- -This key captures the The contents of the message body. - -type: keyword - --- - -*`rsa.misc.phone`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sig_id_str`*:: -+ --- -This key captures a string object of the sigid variable. - -type: keyword - --- - -*`rsa.misc.cmd`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu`*:: -+ --- -This key is the CPU time used in the execution of the event being recorded. - -type: long - --- - -*`rsa.misc.event_desc`*:: -+ --- -This key is used to capture a description of an event available directly or inferred - -type: keyword - --- - -*`rsa.misc.sig_id1`*:: -+ --- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - -type: long - --- - -*`rsa.misc.im_buddyid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_client`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.priority`*:: -+ --- -type: keyword - --- - -*`rsa.misc.context_subject`*:: -+ --- -This key is to be used in an audit context where the subject is the object being identified - -type: keyword - --- - -*`rsa.misc.context_target`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cve`*:: -+ --- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - -type: keyword - --- - -*`rsa.misc.fcatnum`*:: -+ --- -This key captures Filter Category Number. 
Legacy Usage - -type: keyword - --- - -*`rsa.misc.library`*:: -+ --- -This key is used to capture library information in mainframe devices - -type: keyword - --- - -*`rsa.misc.parent_node`*:: -+ --- -This key captures the Parent Node Name. Must be related to node variable. - -type: keyword - --- - -*`rsa.misc.risk_info`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.tcp_flags`*:: -+ --- -This key is captures the TCP flags set in any packet of session - -type: long - --- - -*`rsa.misc.tos`*:: -+ --- -This key describes the type of service - -type: long - --- - -*`rsa.misc.vm_target`*:: -+ --- -VMWare Target **VMWARE** only varaible. - -type: keyword - --- - -*`rsa.misc.workspace`*:: -+ --- -This key captures Workspace Description - -type: keyword - --- - -*`rsa.misc.command`*:: -+ --- -type: keyword - --- - -*`rsa.misc.event_category`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facilityname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.forensic_info`*:: -+ --- -type: keyword - --- - -*`rsa.misc.jobname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy_waiver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.second`*:: -+ --- -type: keyword - --- - -*`rsa.misc.space1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.subcategory`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alert_id`*:: -+ --- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.checksum_dst`*:: -+ --- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - -type: keyword - --- - -*`rsa.misc.checksum_src`*:: -+ --- -This key is used to capture the checksum or hash of the source entity such as a file or process. 
- -type: keyword - --- - -*`rsa.misc.fresult`*:: -+ --- -This key captures the Filter Result - -type: long - --- - -*`rsa.misc.payload_dst`*:: -+ --- -This key is used to capture destination payload - -type: keyword - --- - -*`rsa.misc.payload_src`*:: -+ --- -This key is used to capture source payload - -type: keyword - --- - -*`rsa.misc.pool_id`*:: -+ --- -This key captures the identifier (typically numeric field) of a resource pool - -type: keyword - --- - -*`rsa.misc.process_id_val`*:: -+ --- -This key is a failure key for Process ID when it is not an integer value - -type: keyword - --- - -*`rsa.misc.risk_num_comm`*:: -+ --- -This key captures Risk Number Community - -type: double - --- - -*`rsa.misc.risk_num_next`*:: -+ --- -This key captures Risk Number NextGen - -type: double - --- - -*`rsa.misc.risk_num_sand`*:: -+ --- -This key captures Risk Number SandBox - -type: double - --- - -*`rsa.misc.risk_num_static`*:: -+ --- -This key captures Risk Number Static - -type: double - --- - -*`rsa.misc.risk_suspicious`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.risk_warning`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.snmp_oid`*:: -+ --- -SNMP Object Identifier - -type: keyword - --- - -*`rsa.misc.sql`*:: -+ --- -This key captures the SQL query - -type: keyword - --- - -*`rsa.misc.vuln_ref`*:: -+ --- -This key captures the Vulnerability Reference details - -type: keyword - --- - -*`rsa.misc.acl_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_op`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_pos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_table`*:: -+ --- -type: keyword - --- - -*`rsa.misc.admin`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarm_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarmname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.app_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.audit`*:: 
-+ --- -type: keyword - --- - -*`rsa.misc.audit_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.auditdata`*:: -+ --- -type: keyword - --- - -*`rsa.misc.benchmark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.bypass`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache_hit`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cefversion`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_attr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_obj`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_path`*:: -+ --- -type: keyword - --- - -*`rsa.misc.changes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client_ip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.clustermembers`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_acttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_asn_src`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_bgpv4nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ctr_dst_code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_f_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampintv`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampmode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inacttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermbyts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermpckts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_invalid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ip_proto_ver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ipv4_ident`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_l_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_did`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_rid`*:: -+ --- -type: keyword - 
--- - -*`rsa.misc.cn_max_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_maxpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_min_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_minpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_10`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_5`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_6`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_7`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_8`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_9`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_byt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_pks`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_muligmptype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampalgo`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampint`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_seqctr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_spackets`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sysuptime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_template_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totbytsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totflowexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totpcktsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_unixnanosecs`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6flowlabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6optheaders`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.comp_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_rbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_sbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.criticality`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_agency_dst`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_analyzedby`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_other`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_primary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_secondary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bgpv6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bit9status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_context`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_control`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_datecret`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_dst_tld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_dst_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_src_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_event_uuid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_filetype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_desc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ip_next_hop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4dstpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4srcpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_lifetime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_log_medium`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_loginname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulescore`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulesign`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_opswatresult`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.cs_payload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrant`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrar`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_represult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_rpayload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sampler_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sourcemodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_streams`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_targetmodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_v6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_whois_server`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_yararesult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.description`*:: -+ --- -type: keyword - --- - -*`rsa.misc.devvendor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.distance`*:: -+ --- -type: keyword - --- - -*`rsa.misc.dstburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomaub`*:: -+ --- -type: keyword - --- - -*`rsa.misc.euid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facility`*:: -+ --- -type: keyword - --- - -*`rsa.misc.finterface`*:: -+ --- -type: keyword - --- - -*`rsa.misc.flags`*:: -+ --- -type: keyword - --- - -*`rsa.misc.gaddr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.id3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_buddyname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomtype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_members`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_username`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipscat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipspri`*:: -+ --- -type: keyword - --- - -*`rsa.misc.latitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.linenum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.list_name`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.load_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_floor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_mark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.longitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.lport`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mbug_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msg_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.netsessid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.nwwn`*:: -+ --- -type: keyword - --- - -*`rsa.misc.object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.operation`*:: -+ --- -type: keyword - --- - -*`rsa.misc.opkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.orig_from`*:: -+ --- -type: keyword - --- - -*`rsa.misc.owner_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_filter`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_group_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_result1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_chg`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_expire`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permgranted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permwanted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pgid`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.policyUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.prog_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.program`*:: -+ --- -type: keyword - --- - -*`rsa.misc.real_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_device`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_library`*:: -+ --- -type: keyword - --- - -*`rsa.misc.recordnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ruid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sdomain_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sec`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sensorname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.seqnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.session`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sessiontype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.spi`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcservice`*:: -+ --- -type: keyword - --- - -*`rsa.misc.state`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.svcno`*:: -+ --- -type: keyword - --- - -*`rsa.misc.system`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.threshold`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.udb_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.url_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.user_div`*:: -+ --- -type: keyword - --- - -*`rsa.misc.userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.username_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.utcstamp`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.v_instafname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.virt_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.vpnid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.autorun_type`*:: -+ --- -This is used to capture Auto Run type - -type: keyword - --- - -*`rsa.misc.cc_number`*:: -+ --- -Valid Credit Card Numbers only - -type: long - --- - -*`rsa.misc.content`*:: -+ --- -This key captures the content type from protocol headers - -type: keyword - --- - -*`rsa.misc.ein_number`*:: -+ --- -Employee Identification Numbers only - -type: long - --- - -*`rsa.misc.found`*:: -+ --- -This is used to capture the results of regex match - -type: keyword - --- - -*`rsa.misc.language`*:: -+ --- -This is used to capture list of languages the client support and what it prefers - -type: keyword - --- - -*`rsa.misc.lifetime`*:: -+ --- -This key is used to capture the session lifetime in seconds. - -type: long - --- - -*`rsa.misc.link`*:: -+ --- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.misc.match`*:: -+ --- -This key is for regex match name from search.ini - -type: keyword - --- - -*`rsa.misc.param_dst`*:: -+ --- -This key captures the command line/launch argument of the target process or file - -type: keyword - --- - -*`rsa.misc.param_src`*:: -+ --- -This key captures source parameter - -type: keyword - --- - -*`rsa.misc.search_text`*:: -+ --- -This key captures the Search Text used - -type: keyword - --- - -*`rsa.misc.sig_name`*:: -+ --- -This key is used to capture the Signature Name only. - -type: keyword - --- - -*`rsa.misc.snmp_value`*:: -+ --- -SNMP set request value - -type: keyword - --- - -*`rsa.misc.streams`*:: -+ --- -This key captures number of streams in session - -type: long - --- - - -*`rsa.db.index`*:: -+ --- -This key captures IndexID of the index. 
- -type: keyword - --- - -*`rsa.db.instance`*:: -+ --- -This key is used to capture the database server instance name - -type: keyword - --- - -*`rsa.db.database`*:: -+ --- -This key is used to capture the name of a database or an instance as seen in a session - -type: keyword - --- - -*`rsa.db.transact_id`*:: -+ --- -This key captures the SQL transantion ID of the current session - -type: keyword - --- - -*`rsa.db.permissions`*:: -+ --- -This key captures permission or privilege level assigned to a resource. - -type: keyword - --- - -*`rsa.db.table_name`*:: -+ --- -This key is used to capture the table name - -type: keyword - --- - -*`rsa.db.db_id`*:: -+ --- -This key is used to capture the unique identifier for a database - -type: keyword - --- - -*`rsa.db.db_pid`*:: -+ --- -This key captures the process id of a connection with database server - -type: long - --- - -*`rsa.db.lread`*:: -+ --- -This key is used for the number of logical reads - -type: long - --- - -*`rsa.db.lwrite`*:: -+ --- -This key is used for the number of logical writes - -type: long - --- - -*`rsa.db.pread`*:: -+ --- -This key is used for the number of physical writes - -type: long - --- - - -*`rsa.network.alias_host`*:: -+ --- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - -type: keyword - --- - -*`rsa.network.domain`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_dst`*:: -+ --- -This key should only be used when it’s a Destination Hostname - -type: keyword - --- - -*`rsa.network.network_service`*:: -+ --- -This is used to capture layer 7 protocols/service names - -type: keyword - --- - -*`rsa.network.interface`*:: -+ --- -This key should be used when the source or destination context of an interface is not clear - -type: keyword - --- - -*`rsa.network.network_port`*:: -+ --- -Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) - -type: long - --- - -*`rsa.network.eth_host`*:: -+ --- -Deprecated, use alias.mac - -type: keyword - --- - -*`rsa.network.sinterface`*:: -+ --- -This key should only be used when it’s a Source Interface - -type: keyword - --- - -*`rsa.network.dinterface`*:: -+ --- -This key should only be used when it’s a Destination Interface - -type: keyword - --- - -*`rsa.network.vlan`*:: -+ --- -This key should only be used to capture the ID of the Virtual LAN - -type: long - --- - -*`rsa.network.zone_src`*:: -+ --- -This key should only be used when it’s a Source Zone. - -type: keyword - --- - -*`rsa.network.zone`*:: -+ --- -This key should be used when the source or destination context of a Zone is not clear - -type: keyword - --- - -*`rsa.network.zone_dst`*:: -+ --- -This key should only be used when it’s a Destination Zone. - -type: keyword - --- - -*`rsa.network.gateway`*:: -+ --- -This key is used to capture the IP Address of the gateway - -type: keyword - --- - -*`rsa.network.icmp_type`*:: -+ --- -This key is used to capture the ICMP type only - -type: long - --- - -*`rsa.network.mask`*:: -+ --- -This key is used to capture the device network IPmask. 
- -type: keyword - --- - -*`rsa.network.icmp_code`*:: -+ --- -This key is used to capture the ICMP code only - -type: long - --- - -*`rsa.network.protocol_detail`*:: -+ --- -This key should be used to capture additional protocol information - -type: keyword - --- - -*`rsa.network.dmask`*:: -+ --- -This key is used for Destionation Device network mask - -type: keyword - --- - -*`rsa.network.port`*:: -+ --- -This key should only be used to capture a Network Port when the directionality is not clear - -type: long - --- - -*`rsa.network.smask`*:: -+ --- -This key is used for capturing source Network Mask - -type: keyword - --- - -*`rsa.network.netname`*:: -+ --- -This key is used to capture the network name associated with an IP range. This is configured by the end user. - -type: keyword - --- - -*`rsa.network.paddr`*:: -+ --- -Deprecated - -type: ip - --- - -*`rsa.network.faddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.lhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.origin`*:: -+ --- -type: keyword - --- - -*`rsa.network.remote_domain_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.addr`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_a_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_ptr_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.fhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.fport`*:: -+ --- -type: keyword - --- - -*`rsa.network.laddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.linterface`*:: -+ --- -type: keyword - --- - -*`rsa.network.phost`*:: -+ --- -type: keyword - --- - -*`rsa.network.ad_computer_dst`*:: -+ --- -Deprecated, use host.dst - -type: keyword - --- - -*`rsa.network.eth_type`*:: -+ --- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: long - --- - -*`rsa.network.ip_proto`*:: -+ --- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - -type: long - --- - -*`rsa.network.dns_cname_record`*:: -+ --- 
-type: keyword - --- - -*`rsa.network.dns_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_opcode`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_resp`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.domain1`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.packet_length`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_orig`*:: -+ --- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - -type: keyword - --- - -*`rsa.network.rpayload`*:: -+ --- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. - -type: keyword - --- - -*`rsa.network.vlan_name`*:: -+ --- -This key should only be used to capture the name of the Virtual LAN - -type: keyword - --- - - -*`rsa.investigations.ec_activity`*:: -+ --- -This key captures the particular event activity(Ex:Logoff) - -type: keyword - --- - -*`rsa.investigations.ec_theme`*:: -+ --- -This key captures the Theme of a particular Event(Ex:Authentication) - -type: keyword - --- - -*`rsa.investigations.ec_subject`*:: -+ --- -This key captures the Subject of a particular Event(Ex:User) - -type: keyword - --- - -*`rsa.investigations.ec_outcome`*:: -+ --- -This key captures the outcome of a particular Event(Ex:Success) - -type: keyword - --- - -*`rsa.investigations.event_cat`*:: -+ --- -This key captures the Event category number - -type: long - --- - -*`rsa.investigations.event_cat_name`*:: -+ --- -This key captures the event category name corresponding to the event cat code - -type: keyword - --- - -*`rsa.investigations.event_vcat`*:: -+ --- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - -type: keyword - --- - -*`rsa.investigations.analysis_file`*:: -+ --- -This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - -type: keyword - --- - -*`rsa.investigations.analysis_service`*:: -+ --- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - -type: keyword - --- - -*`rsa.investigations.analysis_session`*:: -+ --- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - -type: keyword - --- - -*`rsa.investigations.boc`*:: -+ --- -This is used to capture behaviour of compromise - -type: keyword - --- - -*`rsa.investigations.eoc`*:: -+ --- -This is used to capture Enablers of Compromise - -type: keyword - --- - -*`rsa.investigations.inv_category`*:: -+ --- -This used to capture investigation category - -type: keyword - --- - -*`rsa.investigations.inv_context`*:: -+ --- -This used to capture investigation context - -type: keyword - --- - -*`rsa.investigations.ioc`*:: -+ --- -This is key capture indicator of compromise - -type: keyword - --- - - -*`rsa.counters.dclass_c1`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c1.str only - -type: long - --- - -*`rsa.counters.dclass_c2`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c2.str only - -type: long - --- - -*`rsa.counters.event_counter`*:: -+ --- -This is used to capture the number of times an event repeated - -type: long - --- - -*`rsa.counters.dclass_r1`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r1.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c3.str only - -type: long - --- - -*`rsa.counters.dclass_c1_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c1 only - -type: keyword - --- - -*`rsa.counters.dclass_c2_str`*:: -+ --- -This is a generic counter string key that should be 
used with the label dclass.c2 only - -type: keyword - --- - -*`rsa.counters.dclass_r1_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r1 only - -type: keyword - --- - -*`rsa.counters.dclass_r2`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r2.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c3 only - -type: keyword - --- - -*`rsa.counters.dclass_r3`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r3.str only - -type: keyword - --- - -*`rsa.counters.dclass_r2_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r2 only - -type: keyword - --- - -*`rsa.counters.dclass_r3_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r3 only - -type: keyword - --- - - -*`rsa.identity.auth_method`*:: -+ --- -This key is used to capture authentication methods used only - -type: keyword - --- - -*`rsa.identity.user_role`*:: -+ --- -This key is used to capture the Role of a user only - -type: keyword - --- - -*`rsa.identity.dn`*:: -+ --- -X.500 (LDAP) Distinguished Name - -type: keyword - --- - -*`rsa.identity.logon_type`*:: -+ --- -This key is used to capture the type of logon method used. 
- -type: keyword - --- - -*`rsa.identity.profile`*:: -+ --- -This key is used to capture the user profile - -type: keyword - --- - -*`rsa.identity.accesses`*:: -+ --- -This key is used to capture actual privileges used in accessing an object - -type: keyword - --- - -*`rsa.identity.realm`*:: -+ --- -Radius realm or similar grouping of accounts - -type: keyword - --- - -*`rsa.identity.user_sid_dst`*:: -+ --- -This key captures Destination User Session ID - -type: keyword - --- - -*`rsa.identity.dn_src`*:: -+ --- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - -type: keyword - --- - -*`rsa.identity.org`*:: -+ --- -This key captures the User organization - -type: keyword - --- - -*`rsa.identity.dn_dst`*:: -+ --- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - -type: keyword - --- - -*`rsa.identity.firstname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.lastname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.user_dept`*:: -+ --- -User's Department Names only - -type: keyword - --- - -*`rsa.identity.user_sid_src`*:: -+ --- -This key captures Source User Session ID - -type: keyword - --- - -*`rsa.identity.federated_sp`*:: -+ --- -This key is the Federated Service Provider. This is the application requesting authentication. - -type: keyword - --- - -*`rsa.identity.federated_idp`*:: -+ --- -This key is the federated Identity Provider. This is the server providing the authentication. - -type: keyword - --- - -*`rsa.identity.logon_type_desc`*:: -+ --- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- -type: keyword - --- - -*`rsa.identity.middlename`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.password`*:: -+ --- -This key is for Passwords seen in any session, plain text or encrypted - -type: keyword - --- - -*`rsa.identity.host_role`*:: -+ --- -This key should only be used to capture the role of a Host Machine - -type: keyword - --- - -*`rsa.identity.ldap`*:: -+ --- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - -type: keyword - --- - -*`rsa.identity.ldap_query`*:: -+ --- -This key is the Search criteria from an LDAP search - -type: keyword - --- - -*`rsa.identity.ldap_response`*:: -+ --- -This key is to capture Results from an LDAP search - -type: keyword - --- - -*`rsa.identity.owner`*:: -+ --- -This is used to capture username the process or service is running as, the author of the task - -type: keyword - --- - -*`rsa.identity.service_account`*:: -+ --- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - -type: keyword - --- - - -*`rsa.email.email_dst`*:: -+ --- -This key is used to capture the Destination email address only, when the destination context is not clear use email - -type: keyword - --- - -*`rsa.email.email_src`*:: -+ --- -This key is used to capture the source email address only, when the source context is not clear use email - -type: keyword - --- - -*`rsa.email.subject`*:: -+ --- -This key is used to capture the subject string from an Email only. - -type: keyword - --- - -*`rsa.email.email`*:: -+ --- -This key is used to capture a generic email address where the source or destination context is not clear - -type: keyword - --- - -*`rsa.email.trans_from`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.email.trans_to`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - - -*`rsa.file.privilege`*:: -+ --- -Deprecated, use permissions - -type: keyword - --- - -*`rsa.file.attachment`*:: -+ --- -This key captures the attachment file name - -type: keyword - --- - -*`rsa.file.filesystem`*:: -+ --- -type: keyword - --- - -*`rsa.file.binary`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.file.filename_dst`*:: -+ --- -This is used to capture name of the file targeted by the action - -type: keyword - --- - -*`rsa.file.filename_src`*:: -+ --- -This is used to capture name of the parent filename, the file which performed the action - -type: keyword - --- - -*`rsa.file.filename_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.file.directory_dst`*:: -+ --- -This key is used to capture the directory of the target process or file - -type: keyword - --- - -*`rsa.file.directory_src`*:: -+ --- -This key is used to capture the directory of the source process or file - -type: keyword - --- - -*`rsa.file.file_entropy`*:: -+ --- -This is used to capture entropy vale of a file - -type: double - --- - -*`rsa.file.file_vendor`*:: -+ --- -This is used to capture Company name of file located in version_info - -type: keyword - --- - -*`rsa.file.task_name`*:: -+ --- -This is used to capture name of the task - -type: keyword - --- - - -*`rsa.web.fqdn`*:: -+ --- -Fully Qualified Domain Names - -type: keyword - --- - -*`rsa.web.web_cookie`*:: -+ --- -This key is used to capture the Web cookies specifically. - -type: keyword - --- - -*`rsa.web.alias_host`*:: -+ --- -type: keyword - --- - -*`rsa.web.reputation_num`*:: -+ --- -Reputation Number of an entity. 
Typically used for Web Domains - -type: double - --- - -*`rsa.web.web_ref_domain`*:: -+ --- -Web referer's domain - -type: keyword - --- - -*`rsa.web.web_ref_query`*:: -+ --- -This key captures Web referer's query portion of the URL - -type: keyword - --- - -*`rsa.web.remote_domain`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_ref_page`*:: -+ --- -This key captures Web referer's page information - -type: keyword - --- - -*`rsa.web.web_ref_root`*:: -+ --- -Web referer's root URL path - -type: keyword - --- - -*`rsa.web.cn_asn_dst`*:: -+ --- -type: keyword - --- - -*`rsa.web.cn_rpackets`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlpage`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlroot`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_url`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_user_agent`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_cookie`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_method`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_referer`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_extension_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_page`*:: -+ --- -type: keyword - --- - - -*`rsa.threat.threat_category`*:: -+ --- -This key captures Threat Name/Threat Category/Categorization of alert - -type: keyword - --- - -*`rsa.threat.threat_desc`*:: -+ --- -This key is used to capture the threat description from the session directly or inferred - -type: keyword - --- - -*`rsa.threat.alert`*:: -+ --- -This key is used to capture name of the alert - -type: keyword - --- - -*`rsa.threat.threat_source`*:: -+ --- -This key is used to capture source of the threat - -type: keyword - --- - - -*`rsa.crypto.crypto`*:: -+ --- -This key is used to capture the Encryption Type or Encryption Key only - -type: keyword - --- - -*`rsa.crypto.cipher_src`*:: -+ --- -This key is for Source (Client) Cipher - -type: keyword - --- - -*`rsa.crypto.cert_subject`*:: -+ --- -This key is used to capture the Certificate organization only - -type: keyword - --- 
- -*`rsa.crypto.peer`*:: -+ --- -This key is for Encryption peer's IP Address - -type: keyword - --- - -*`rsa.crypto.cipher_size_src`*:: -+ --- -This key captures Source (Client) Cipher Size - -type: long - --- - -*`rsa.crypto.ike`*:: -+ --- -IKE negotiation phase. - -type: keyword - --- - -*`rsa.crypto.scheme`*:: -+ --- -This key captures the Encryption scheme used - -type: keyword - --- - -*`rsa.crypto.peer_id`*:: -+ --- -This key is for Encryption peer’s identity - -type: keyword - --- - -*`rsa.crypto.sig_type`*:: -+ --- -This key captures the Signature Type - -type: keyword - --- - -*`rsa.crypto.cert_issuer`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.crypto.cert_error`*:: -+ --- -This key captures the Certificate Error String - -type: keyword - --- - -*`rsa.crypto.cipher_dst`*:: -+ --- -This key is for Destination (Server) Cipher - -type: keyword - --- - -*`rsa.crypto.cipher_size_dst`*:: -+ --- -This key captures Destination (Server) Cipher Size - -type: long - --- - -*`rsa.crypto.ssl_ver_src`*:: -+ --- -Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.d_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.s_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.ike_cookie1`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase One - -type: keyword - --- - -*`rsa.crypto.ike_cookie2`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase Two - -type: keyword - --- - -*`rsa.crypto.cert_checksum`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_cat`*:: -+ --- -This key is used for the hostname category value of a certificate - -type: keyword - --- - -*`rsa.crypto.cert_serial`*:: -+ --- -This key is used to capture the Certificate serial number only - -type: keyword - --- - -*`rsa.crypto.cert_status`*:: -+ --- -This key captures Certificate validation status - -type: keyword - --- - -*`rsa.crypto.ssl_ver_dst`*:: -+ --- 
-Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.cert_keysize`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_username`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_insact`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_valid`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_ca`*:: -+ --- -This key is used to capture the Certificate signing authority only - -type: keyword - --- - -*`rsa.crypto.cert_common`*:: -+ --- -This key is used to capture the Certificate common name only - -type: keyword - --- - - -*`rsa.wireless.wlan_ssid`*:: -+ --- -This key is used to capture the ssid of a Wireless Session - -type: keyword - --- - -*`rsa.wireless.access_point`*:: -+ --- -This key is used to capture the access point name. - -type: keyword - --- - -*`rsa.wireless.wlan_channel`*:: -+ --- -This is used to capture the channel names - -type: long - --- - -*`rsa.wireless.wlan_name`*:: -+ --- -This key captures either WLAN number/name - -type: keyword - --- - - -*`rsa.storage.disk_volume`*:: -+ --- -A unique name assigned to logical units (volumes) within a physical disk - -type: keyword - --- - -*`rsa.storage.lun`*:: -+ --- -Logical Unit Number.This key is a very useful concept in Storage. - -type: keyword - --- - -*`rsa.storage.pwwn`*:: -+ --- -This uniquely identifies a port on a HBA. - -type: keyword - --- - - -*`rsa.physical.org_dst`*:: -+ --- -This is used to capture the destination organization based on the GEOPIP Maxmind database. - -type: keyword - --- - -*`rsa.physical.org_src`*:: -+ --- -This is used to capture the source organization based on the GEOPIP Maxmind database. 
- -type: keyword - --- - - -*`rsa.healthcare.patient_fname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_id`*:: -+ --- -This key captures the unique ID for a patient - -type: keyword - --- - -*`rsa.healthcare.patient_lname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_mname`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - - -*`rsa.endpoint.host_state`*:: -+ --- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - -type: keyword - --- - -*`rsa.endpoint.registry_key`*:: -+ --- -This key captures the path to the registry key - -type: keyword - --- - -*`rsa.endpoint.registry_value`*:: -+ --- -This key captures values or decorators used within a registry entry - type: keyword -- diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index b1131b69b1d..ae2fd0a1d75 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -51,7 +51,6 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> - * <> * <> * <> * <> @@ -114,7 +113,6 @@ include::modules/salesforce.asciidoc[] include::modules/santa.asciidoc[] include::modules/snyk.asciidoc[] include::modules/sophos.asciidoc[] -include::modules/squid.asciidoc[] include::modules/suricata.asciidoc[] include::modules/system.asciidoc[] include::modules/threatintel.asciidoc[] diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index a2c48dac171..f5fcf159e94 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -1768,27 +1768,6 @@ filebeat.modules:
 # hostname: "b.host.local"
-#-------------------------------- Squid Module --------------------------------
-- module: squid
- log:
- enabled: false
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9520
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
-
 #------------------------------- Suricata Module -------------------------------
 - module: suricata
 # All logs
diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go
index 78d2b230d4d..712ffeb52bf 100644
--- a/x-pack/filebeat/include/list.go
+++ b/x-pack/filebeat/include/list.go
@@ -46,7 +46,6 @@ import (
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/salesforce"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/snyk"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/sophos"
- _ "github.com/elastic/beats/v7/x-pack/filebeat/module/squid"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/suricata"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/threatintel"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/tomcat"
diff --git a/x-pack/filebeat/module/squid/README.md b/x-pack/filebeat/module/squid/README.md
deleted file mode 100644
index 6956555b2dd..00000000000
--- a/x-pack/filebeat/module/squid/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-# squid module
-
-This is a module for Squid logs.
-
-Autogenerated from RSA NetWitness log parser 2.0 XML squid version 112
-at 2020-07-13 17:55:42.446629 +0000 UTC.
-
diff --git a/x-pack/filebeat/module/squid/_meta/config.yml b/x-pack/filebeat/module/squid/_meta/config.yml
deleted file mode 100644
index ad0f3f2053c..00000000000
--- a/x-pack/filebeat/module/squid/_meta/config.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-- module: squid
- log:
- enabled: false
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9520
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/x-pack/filebeat/module/squid/_meta/docs.asciidoc b/x-pack/filebeat/module/squid/_meta/docs.asciidoc
deleted file mode 100644
index 25a8e1edc1e..00000000000
--- a/x-pack/filebeat/module/squid/_meta/docs.asciidoc
+++ /dev/null
@@ -1,70 +0,0 @@
-[role="xpack"]
-
-:modulename: squid
-:has-dashboards: false
-
-== Squid module
-
-deprecated::[8.12.0,"This module is deprecated. See <> for migration options."]
-
-experimental[]
-
-include::{libbeat-dir}/shared/integration-link.asciidoc[]
-
-This is a module for receiving Squid logs over Syslog or a file.
-
-include::../include/gs-link.asciidoc[]
-
-include::../include/configuring-intro.asciidoc[]
-
-:fileset_ex: log
-
-include::../include/config-option-intro.asciidoc[]
-
-[float]
-==== `log` fileset settings
-
-experimental[]
-
-NOTE: This was converted from RSA NetWitness log parser XML "squid" device revision 112.
-
-*`var.input`*::
-
-The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`.
-
-*`var.syslog_host`*::
-
-The address to listen to UDP or TCP based syslog traffic.
-Defaults to `localhost`.
-Set to `0.0.0.0` to bind to all available interfaces.
-
-*`var.syslog_port`*::
-
-The port to listen for syslog traffic. Defaults to `9520`
-
-NOTE: Ports below 1024 require Filebeat to run as root.
-
-*`var.tz_offset`*::
-
-By default, datetimes in the logs will be interpreted as relative to
-the timezone configured in the host where {beatname_uc} is running. If ingesting
-logs from a host on a different timezone, use this field to set the timezone
-offset so that datetimes are correctly parsed. Valid values are in the form
-±HH:mm, for example, `-07:00` for `UTC-7`.
-
-*`var.rsa_fields`*::
-
-Flag to control the addition of non-ECS fields to the event. Defaults to true,
-which causes both ECS and custom fields under `rsa` to be added.
-
-*`var.keep_raw_fields`*::
-
-Flag to control the addition of the raw parser fields to the event. This fields
-will be found under `rsa.raw`. The default is false.
-
-:has-dashboards!:
-
-:fileset_ex!:
-
-:modulename!:
-
diff --git a/x-pack/filebeat/module/squid/_meta/fields.yml b/x-pack/filebeat/module/squid/_meta/fields.yml
deleted file mode 100644
index 6268a29d8d9..00000000000
--- a/x-pack/filebeat/module/squid/_meta/fields.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-- key: squid
- title: Squid
- description: >
- squid fields.
- fields:
diff --git a/x-pack/filebeat/module/squid/fields.go b/x-pack/filebeat/module/squid/fields.go
deleted file mode 100644
index 35197a8d3e4..00000000000
--- a/x-pack/filebeat/module/squid/fields.go
+++ /dev/null
@@ -1,23 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. - -package squid - -import ( - "github.com/elastic/beats/v7/libbeat/asset" -) - -func init() { - if err := asset.SetFields("filebeat", "squid", asset.ModuleFieldsPri, AssetSquid); err != nil { - panic(err) - } -} - -// AssetSquid returns asset data. -// This is the base64 encoded zlib format compressed contents of module/squid. -func AssetSquid() string { - return "eJzsfe9zGzey4Pf9K3D5cLZTDp04id+tb9+78pOUjW5tR8+ynVdXWzUFYpokIgwwBjCkmL/+Cg3McMjBUBIFUPK72w9bsUg2Go1Go3/3d+QK1q+J+dLw8i+EWG4FvCaX4Z8lGKZ5bbmSr8m//YUQ4r9JZhxEaSZ/IeG/XuNn7n/fEUkreE0k2JXSVxMuLegZZTBxf+++Rohagl5pbuE1sbrpf2LXNbx2eK2ULnt/j2DT/u89rYCoGbELaFcm3cpktQAN+JnVdDbjjCyoIVMASdTUgF5CORlsQBt6B2znWjV176+7ZNnARbQkFVv4j4MfWyC2xGaRysy3/r5/hXGSD8j+ccGN+x7hhjQGSmIVYbS2TSCwpitSgTF07v5NLWGqAuM2rdznO6AJeavm5BSYKkHHN+Jh8V2kDt1OCxeWIG3htpYYcEA4M/UDyQ3SnClpQVrjLgCXxlJpWzRMFEfLq0MQLKnd/WCIHfc4uSUItWS14GxBKDFgDFeSLLg1hJL3YH/nVoIx7elPBqzRbdYsVCNKImEJmkyh47uaagPkHVjqUKNkplXVW+rpWzU3Ly4ouwJrng3An3INzIr1c2ID3pR8AC8NPIfLHpqTKCEFLEEcQEmh5O793KLkKdQaGLUBkxJmXEJJlBSIlqVTAaSidRyrysyLZBdmzxm/C/f8/PQHsqSiCTeelyAtn/HAnXBNmSVCzf156cFB4O64Ax+4Bb/njqOm2nLWCKrx9+FgJ6OcMQB9EKfEOGMAeZxTRo9kedwzefn/z2T/mbhV8xzI/a6vmv5R4EZ2j+XRYLekhwi97KhpMKrRLNPbe3+y5br/98PMWGqhAmkfI3K0KbktmKA7d/iRoAfS6vVjRGzhdKrHiBiXhyGWV2NqJcfj5bQS6CHSIy/ZZgBlShtqRK+J2Zm9L7Z2v8NmoIcMlIT7WRE7esgA+g1WxDgVd5wjR6Ki7LlNouTz5BpsMxH5SISCdyYfO4Za3Uj+pYGNGq27/Yc/rbeN2hMlmXscqFWP3bIdETdLnlcc9ql74pbhM85o/z6/VXNytgRpySUKZ9LIErQzQTQEQTXY+oxfQ0kMWAdk68fba5hxg6U9hAHsexss3SEMQN/pUIaewPT+pcMYc7CvO9DkbjRYKJNJX+3z5a/K2L6IFLscaUCWXM7bD02MbXo+pK+HvvwQBhv8aJSw5xfLnwgtS+1k5dh13yXuYPdWfa3EXb7KTd5X/++S11Erv2zYlQvekdb3lpWEkjlfguycZF+vIuBIdJj/Iq8FUj5G5e/riGiMOjRUvS40fMlw1v3
gIR4w7nu6Riqf+aXJBV6k58GbbSn5uK6BMDqUIFMgwO0CNPl0Lu0Pr4jS5BehqP3xJZlSg1zUBshmfN5oVP1u2Pch6u5XvG8Mg+YzPhP4F9yv5yqXm22fddyu/NU7GJReUV1mU+p6Eq237T4lzy8+b+l7lGgQdPdICTFrY6EKj2hA20FbgOdU44nn/q00n3NJRfubbW3lBjrk0r/2JEacX3x+FSFBQH9AifuToMNoSOUUr8+GUYeK46GvzwJoCfoosetfcSlyfnqfKKnHtx8sRTCHxUoftZNNsCK7n422itb5RtHCi+JMlxMlBDCr9NcogB31HiDnxvEcN4R50kHpMN1SVN+qXbWF7CH0I7T4KjZ9LKpqpQwmu1VKkul6cGiEaPjSgLEOoOFVLdbhnNyXnaAnQNmCGF4Cefo9sQvdkJc///yMrKghBkB2q+yhxKNQXm9BCVMraSAfKdhXwxVMNdJ2PoWmmnqh566yiUIgT+lULaFHDC6jmZWteDNWA61G7w/7atjmgUkFJW929bQUhPompjl2jgU+I9z+s3n5/Q9/NV6kv6hRgLZI/3Owm386e/AtXYMmL8mZZLQ2jfCRFWdS3kmux6DfM/gRya2MrfLjS/KvbrvPyY8/kn8lTGmnL+MuwqLPyX8X9n+6L3JDtonyTfQIpSrh0dq6cgUFo0JMKbvKqwF75KSyeG2o9XaFIyLIslZcWjRNLMQTnJE5CtBaZcpP2+iDpgbGqUCMEVNjlXaatVx7rcN9sKSCl54xYkgRMlONLN0LIwCR53IelKMbkxe3b8QAcopYYLgOe8JGI6ewFoqWj+WdC+gQw/8EUoHVnEWsjmAK97+MtrB/7lsh7J59ajcarZq1xzYhv6qVO5qhzcklUdoZY1aRK4D6BqI9ihfvKyGaVgyMKZa8LMpcUdezVvLMQYKmFi956SjYswuXXNuGCme0b/neZcTFwSvuzG6MlSMx/C7CVT8/JdpJa4MOFSQa1XOw3ddupITRmZKeHpwSPhNuPyV0llDQUPCfn7a+1w9QKQvkMvA704AP7XQ9Jijd/9pAzFcQeAkrFaYWPGdmw6M25w0fqP2PQjdzMjcjv+Otc29A4PWW61qrJTwh/zUijF68zLh4gBi9W9UZRxcnby6C7suodOThVa30rsZL8In86tIgmsfh/vjknyo0xNF0j7lSt035ZvOTjcHu9Ry0zCfk5c+vyArpXgGVhAoR9xWgUx/VpI3/iKxAgwdLLRFAjSVK7pSLbBPxwdXEr5uIkbuaI2wbaPe70iUSDrOagC2kEmq+3g3EzbgeaLGE/EzYgmrKrCeiu9RrxB+d5pI0MuT0iC2f+WhFbeqCbh+ozxlE2BO7RIuickqmkm0YQdPVqExDybqjVlKGGquPUcjgc1CMNbqFaCyVJdUlkUpXVPA/Y/m9SldR+pQhy+FgEqlmOniS7kSkDdYdMi8EnwHuOGLgG2BKliMK9ua4C2Nz+ln2bIhLpqpagI0ywKgTlaICbzXfEYO9ejNtH4iRL93aUXYeY+Vtzhxlv0pJu0h0TJv61FQ5L5ssp/KBCH8myxxkdyD/VDJ3t4U9YtGt3qqYPr324y6FByIq241+Qyxc23D5yBK06ZVTlPvywCLne19mWwNNtc1NmR5TuoQy3zsYkmzCM2W6FVsdo8206b7Yj68PXyutqglCbbAo3zCQVHPl1fqqEZZ/ZzloQutatNUvm2Y1FZV0HivNJURgeKe1Fz1SHldDuH1iiFpJHxmztKp3PYMBY7eaQ3F4+6whbMGddaNKMBPyrjEWzaQ+UHcrqR3Jy6UWDjykvQJsNnN4L+EYmhAecrugp52GGWiQzDMEdap1yZe8dJoN8kNckF22guzjDvHim7yuuT7aDjfn6WNB144TuRVrv1njhJ7T1xxSyKD7faMJD33UhfPcSeNOnk0GS3bpZKpJLYGqgSJ3X4gd/VNfFdQgvzTQHI2VHHd7LtrIxxU1BJEoR/gGkfshNVETKgV
bBM0g0+aVzfD6zqscuNZFBlTrIof2XKcURdtAXyaHmkFX6r0iD2NC7piP0Tdm8Fze6c05VGzeJNcOCRZsHoidbgipHUGUDZT4FIq1aUTusNOIFaUay1QFLzwOnfGCWdlqNuAQKgMJtgzIEQaBJWhuc5aO7NlYu3ooAuxFdva5fPIWLw56B/pXuqt0cdAw7lQD4zO+MXzi2q0P5oz1VAm6cv5spsgBdC5GXm4KJloXVRmCLFG8g9l8rEP4vG2l9y1BpclvlyE1lps2IWDXr4brtyc0ViVpamV4QsFxK95Cc1qWvsMUpvK3d3e0C08jbJGvddEdRZFsKtCc3VUWRfd2hCq2PRvrV7J1N8OLJX+/B1tbgiyVDgmze3empn88QPeaNrSrpn8Ai9vRDrH8teADcjsJuh8xL+lz9qr7ZnghQ9V/EDPBy7WgXW6xVJZQsggdL+IJtELNizZR5UGEesuIdxbqx+iZsiX7/o7pVtiWGsVHXPFXgrN17tuzRy5cIAKhe7YU6xG53IicedNxAn5oBCBicXGqpIXr3Bprh9C59P66TT9UWpbG/R8+qlS0CMUawNzwOLMFlXMoJKxyy4KxwCWseqF+VEKs1XzaWOhJiGGOvvGoO229//zFRYepaTJh11FO8GxtK/cRDQ3B3fwij0xff4sYt1gB5gjWNhw0m5wvvQQ9IZfgD6UxoCd0DtjKO2S6z5RucRjAbsF4vZ3h74n/fa9vhdJkqtXKfdb+Neia3uwa7Sd9Xl5QbVO76TrAqT0q4U6pQXXose6UEmWnNua6UqqGEFDM9Ra/kYQK0LbLLtKbRcPffHgriI9eEwBMQooozCWRSn6noQa0ZPZlP6DZcMwnhzVauwvT2St4kqjHveA+wtaGfwY7W3G7CMqyl/XkFBecYrWJJEp+N1fuv/e8BKikFBHFMeO+aS8Y+AIRcEiqGXHSwXIwE3K5kSm7gw36lVV5MD7x5XyNcUaMLxn1yTZlEL+B8JQw0RjbMmT4x+CY8CfcuJMMNdHBv+EUX/x0XAU6uvbjb1jcovdtmfIpZU9uMrwclqeIBaHGKMbRX+pOI2pP4oG95VfwmlBSL9aGMypIyc3Vc1JrnInynIBlT+KKMtX0kNrLOz70vs5G0wosaENqarCLl8FGDr4XAVNV5aSY2graD0trwLK96p5/Dx5K4+udYYaHyYtvpqq6Gd7BDMdGyYrLUq1CPi1TkkFtn3eZFKPEGGxz1gixJl8aKrzzs1QV5TJIDdlbSKiRp6vv9UylLu3ZulMJ33J5BWWoBWoT0alB71QwUNwn33SoTXi57+DEoCtEVlHXH93k3RK7CLTo/Xb5UHj9VgfPK7kctuvpgs6gK7472Cm3izWsidh6/t+vaf+YWNOecZH/jndb/gVX666xhrJhQNrIEcTdbQY0p6KIvKbZHpFLXLJVm3ffx94D6F6YUb8AsCtzUMuBFB7jsLp76BbULLob6tTCSJVhwxY+87etsenKDE9aSDstwtxGumUmRjP3q+7fw0pT4uS5JBxz7hrJBFDt/oSN8DaohQLC4O3UbWHnzdEHL/yaYZ+nR/1iMVVNuez6ZvcfrFA2qu/wei25bsyxPX19bQQRGPf4HSdAGrkSJ35135Nx3FPqLbjsrvGOfN7LfH5K3ntJ8zQ0biB+2l4o+nW4PYvr1d4B/RC+/J77+fwUSRpK3joxMfQebEfkfBqg38LEM5GTBStu4kbq0qxz9rLfjuqGAm2vLuz1Y0tvfB+RaxzpT7qFyfnpjZpsKv/cDZqsQ+ylLDca7YSc+PrM0O9U+A/2a7OIoN7+xg/fBHfctLFd5aay3WPUSAHGU0b5B2WlyJJqTqdiUAXomzJwSWpBRwSBAWmy9kfZOtC+qupXnjhJ5TSMtr6Qu3O+fHF+satDk9Ay1nsUxuqyDxwoeOtayE2kxSNJzqUll3wuKQqLERatlc7ZvPbJQH45Jr1odTeFXR3xPx0ivbuMXFaqCOO8/+0j4ZKJpgQ
nzsKkWvfzCXl6dk2rWsBrcuEdIh4sSu9J3C+CkbmjxzbRObV5WuKYcXPlVO4D8LpDKV7Pjfk+PA0fuLnaE3K1ms/noPONsIuT7HM/FhBwQO10ocEslCgd93hbfWTS6Fbo/QiehWHsPUjlpx+8jvGsa8ZxfhovI7l1dJ6pqi6OnHeFpxJyr3CMq/fvmWb6nUNHSaxPneG4GVU2bMxKC2rpA2WN9THvpKXS2HnAyfUWv5EpcVSXK6ofJkNv2FXfSVcaHiK3iZHWyE+dEKXkHWVtP+W4cutE0FHtGCW/axVUvV8KeVsz+VBrDdQkzw02ltomleLc+aMoFw9mdrjFp+qa8PLF+PvlXtbmGBg6jD4NGh/7u+CwiF/d9h3LPH1vwOSnw7l7hzxnXKomVYyzV0di5snvlJOkKZ0OA4/sT4kB5+7MuMUSb4Rwco+YhjEwZtYIcubWJ0yVYBxLtM1+45YFlyVcJyaA4MYepnneU7bgwmiK6RaJKWiMb1ZUc4EZPBEPno+/yzmhSMTv3G+jO5MZ+FBNfXOhB9KIw+rkaZfPWYM2dSi69RJmQLKgImwS4tsOT89Gigy9m2v4HudOKPHKV5fkFXxV/tvuQ8qlISVYykXEyTBVje39bmRrShw9N7P12NIujw3xGH9ILVS1yJbN84aUMKMhBBQ6X7Yx/JCt6bTiJWhB11jIZVV4XMnTyI10H6DVHX4Ns7YK3PvqjeW2wcaMJLqxjW0wbNh03+uaNIrV8+8wmhrTDLKKqapy9ykPG5146IT3kn1rrZa89P6ztotcBWY0EapU7PBA4929Zb9wsdEaWT8vL64aXNeY9PQwsr5dPa+s/0NND/Q7Hby9/62mIQATv101z9c49xQTiv3JX16ck/OBQtVHI1vX2lBdsh+DhIVdXTXsPKkhfRd/WMitjiv3XkQUU1XmrvgaVNztKh0BF+JwGVGPFum7JfiQwREqz3su4FA67BNou3gIn/OyC+WMOPGq1FbjoAw8wcufTsnr9l03OZ+pdrr3xSffPacNRGGyxjWwpu9F8KlfU4iVt7ZdmPYlbhzBERL1ipfbDpGuupIuKRd0GMggnSucYH3lDLQembTg79Ahvv50cbdgrFShAZQPwA62FNINDJ9PRiQir4ppU5br5P4ZXhVJ64B6cBsDhzU63+ulSg9Rc5Wwy8FOiV1hmmMUJHDTz171PVdpU3LbVdZt+qIFjGKD7TYVG16UbMIL+zfps8RSU3B5NKv85PMZeRpqJT43wunKUy6wgAPzwM6ua2XcN5+R74aOBrkbhbmSaiW3DCEDrMFmFstt6COTNhk9ggtuNy30pK1yfx9Kk97CnLI1+TRqrgk+1fQhivLDwlsk5pJUlMuZphXsTceoqcapvfn7JGwplxe4LHmvSp8cvWkL2Ms6iyBFbtC+MFXAESKXhbTdN+49rMivjURT8p0qQZCnXC4n3z4nXLHnZOr+D9z/UUnF2nAz+TYeX7SsLmaCDibnp9ahtjX8kwuCi6KvC+Xkuh1+pWZ7GzVYlRVT/9dpwLNtg2BAO0aOIrSs0srdHcw+v/udaiAffQLwt99+fvf7mw9n337rc26XVFM+ypMrpa9SlizfeMF+bxfsR9hGnWBUplYiQs1O2i4l3XNAmXsu1hlMmJnSIA1nKQVIz5WUAeMqvRckEh9IBbRYUT4cTnxv7wD2Pk8N1F2f1CXqpplmuhR2WhqrU1e+Y712NodY/y1N9o62NR/5nKSHFrtsBoMNVJpQbLKpewn1Lg7EjI86mtqtZnPEHrrVaDeiyDZ3y3viQvngfoJ3d1w45IP+/2G46kZl9pP/HoTFyp6PPiCyF8kHYY42jrsPP6WOkLS1dbI9u/Sp7TLa2yw77JP5DN1uA869OTLdtqzmx4iHYdHXjHLhaN02c7kIMuP8tF/bhp24nDloYR5pYTCeVdjmXBdORTxgP4ckXmO6dag+OlFV1chdT9QAO3lY46b7Yvceru3fIa5Td7iZwzTr++J
2SWX57yoeNdvgZqnlh0iGe2M3XHgLOdOYmjOukmWJHsuCR+xXVMth0OGxo25kVRcqlzC+fP/ugvzm/aibpNQ4Il+Omkpw+R9vyZcG9Ejv1kbIQsNup868yQ09h+iafGiLzqJpXZ2WzhI+pH2gKvUYAQe0PshxdBNUGwmO3RtumX5AAxVUVxlOy4HN4F6gdcIC5A5oUyabSrsFM223qy3QJbW7WuF94U5BskVFdaqykg7uuqaD8cX3jj5RNkinSgKzWCTnBQaztAVUHeDZHFstZQCrpn9kgFrT5JMwfMep5OyFQfeCp35wQue2CpzqmRxpWVCGg1HSl5842EYmNN57gKfzevmTvLaL5O87kwWzuihN0r7rPegO8mGRp1sAXgqaXGLIAuScy4RFkUPQOXKjZTErzIpbllx+yGIm1MrQKn3uSh+2tMt80DNEXZgsuMwpTrisQVfTdbKE9wHsml3lAb6kIgev8LqotbKqSB+SQujLnwr0OKaHLbLdTaHmRZmD2A5w+vw3JouKXhfWpnIbbAN2HC0gw6NQcZkJaS7zIV0LU4ipKFKHRbdgf58RePLO4D3YqXsh9mGnrurtw/45I+xXGWH/S0bY/yMj7L/mgW1VLegUcoiUDnp680wWVSNQ+Z6uM7yTLfD6KoNeUjWCz6s6j/bttEwq5qmTkAJknkMpMfCFpfeNyML4hMQMJ2g0y2NNOsB5rEmzNk2dYRYpk11ZdRZT1SrrTA+4ziBCrLLOMMsFG82aLMAbya8llcoAy8CEy1eOKpkeheUrVdsF0DKDW01VdcFEBh+2A5whSIJw9XRt07tFHWSTBXLdFBliGkxzyxkVGQqITEHnINk6YdZVH7akYv0nlNMceC8LbAOaBbJvB5MHa59YmwX6dF4vX+XxQZtiyu1fszQaY6ZIOytuB7BWyUW1yXLNESownb7KzXgff7JZWz3AYBfez5/eOeKBo9qXBbjvJp+ug1wP9owLyGHDmGKW4xD5LGVx9jbgHLqBKXiNSYpFFlHH6+VPpbH1oJl/IthGsyywBZ9BDjPGoKO5gpInKxjdhs1lHi6pVNkIMEzloHYAzucZZJOqzYrapDP/e9BjGeRJAGuYc2M1Te8J2cDOoPFpqHORWmejtcFO5DqTfPWZ+Z7FM0C3GmiVQZH0pUC50M6nXK8WipvCT5hND31NNc3C4OVIIWwKyEs/3z41XG4slcnnHJfGThudalhgCxX8rKAcUJvkuKbXo9ua5NRgcXLDLP2w60M7DeyDOadlmfoO8DJ1WLVtHZThLeJVwbRSVZauRA5wBjONV0We5MjQ8SgHmeur5O2ZapO+ZSmvTa15YqCCWm6b5NlngktI12JnA9UknajTwcXi2/RuLaF819NiJlTy57wDniHl39m8yaWOA5pB4jgbOgOqyXMThJpnYV05z3KBa6VTC7Bq2sxzXLOKG5ZDLFQmC8PmmAMhwWJzpeRwk8tw3wA6dcafh5o6HU+uVqktkCwVZcoPgE5uiar0mpHSfF5E5nHdG+5Kgk7/ZtWFH8qbHGzSydQbsH7EaxYmy1C4GWbipBYGAWxqaVAX3pGUHF1qjPuwYItUdf4D0HBd8+SBgBp0NddU2kHP3RSQV1kAp396fSeyT592poAmAKzVvKCmTjgwoA9a09RQNVCRQ7/TwJAOvutoJuDpiewgp23h2oOsdJkB4/SOTJPBN2y8bzhDPoCB1IkAfuBxBuPEwJf0DBBr0JoMagZTyvB5BsFr6tReNqNZjnugWZlckTaaxbriJgBs043Y6sNsTPKumksmUxdKRKfF3heob9KZevt2btOzlQeaPqLXzfRMDXddJ+/W2pTTLHnojRYZ3sLGgC5KnrrqPcvYijYylIMMlhlLq9Te4GXBpbF0lkEzWHJtc6jhy1pmaN1klW5kSjdrrC1apKPom8Yq8qGRZLB0lz2ScVjeZyp4SU40lNySE6rL0M3QYPv3ODp+clZGKo1NCEUwOESfYH8DpgSJlep
0+RBc5qPcWVULtYbBYMEb6TdTTbKm3rfkMUdD7zPCeWca5nBNKrrbaGETi5XzZncYSHYkBTc4nKFdPRw9NlAipqlrpS0ZNh4lZLWglnBLag2zMVa4R1ruXYZQxAgfrI4OBcJl6Ow+0hdacJl7In8PVbdaH09DrJqDXYCebL5vFqoZvGiESFiC7sYRWUVqqg2Qd2ApTgT3d5V2JHj6Vs3Niwtf9vqMnIYRX8+JXUSmFGEz4A8QRh8j2pK8B/s7txJM/JyHTJ2FeDMc2d3dIlzcb9YA1Wwx4ZJH8cOZu0for70jPnEWBiZDvBC0kTjrd97gHNe2iXu8gftOv/Y9e8rfjrvbU9eEO8wvHjH23UEUCWuabtd5FZclH+Ha4q0YcxccYxr1iEDaDK57jxOqpRiZeIndczOOA8f+uQYs0fClAWP3NO0+PFv57r3yvcqAY3n8ql5i73qkurzTbXfKPpw8Rhgb2/o7dmg3r6M7Tzn7/+b5hm6x89NWKODacd5AqyFdEu8dWdg9LlNqgPh07Q4bMrhV3SmFXzwMvrIbBd9hrrRvXx8lIyHUEAOA487o/nlVmkpD2RHG+w46TPulJaq9G6ZhjcYJaPuQrkFX3Ksbx0J6s6QfzMGXXMAciIAlCEKN4XPpD24zrz/O+tiS+QHlN66/h9OnDzLp2WHWSP6lgd0xiTR++Xr4HtYx8bApKK1Gw0t/IZmSEjC3gqy4XYwJCkIilSGdxq7hoPKiO5sWjpwoT7onSqg5Z1QQh8GI6YNYPCx2uNTImMaHo129WJs4er10tpXayWpN/cBTwakpFiq7TeCNuM5cw1kqm6FGTir2R/DE+wEQf2kctvimhUEsTADVkzfCKGeIb923UwyWk1/DLybkjVx3/xpAt2jLG2kJLSdMVXVjQcfFcBY3vttYPvPsm92zwBmLWwfC7T+bl9//8Fdn+572jqOl2DdRtAOfFmkjZrd13NA1aPIvnU/OvAhoIHLxW5+6/ic/z8sNzltcv/c8Dkxevkm2PdkdmOLWmZD3v308c3sHDd55gv7SkhumoaaSrZ1WGdQzsZsLQpBCz8nHd6/JubQ/vnxOzt+fnv3na/LpXNpXP5Gnq8WaSOB2AZqwhTJhVJrSGpjFb/3w6n/9t2dPohQBu8go43bpgTJ1UtH4OB6TmfvueM0vPS+et0jFr3j5uJDuy6YbMD+wYdytH/gYvjuK6cY6+cy1baggb9+8jyL7p5KQz5d1GGf8HyVhEqetQ/erEaG4kZuFJx7BY3yD95zDnFpY0QcYkY7cfUHelKVGP63n8hg63dPLqvrQOOd9YyHnJ+8u/Ks0Gh6rqDli9GPLqeQ11fB2k/MLh8qI98vR8MBJEElo6NYep2GriRV+utZxBUQPXVqW3H2Zik3AtjfLP/7OHZEBnEmIF1yFG366zQIDVDa51ln0uts+aZS8DxheKG07kTwQuiUG2PAAuF3fLHnNkWnv98PlvH1M2m29GyO8hJjdeCwvbsAOLV9qjGLcqZzebzTQcYiTy5rKOUw604kpOePzRkNJpmuECbLErKG4nKkPbD0wKBod0Zaji84y9DsQCXX/fglXcgeAhkpZKEJmd/o8o/SkLaUpaOFT8TOArq3OA3yWgSVmGaqFRY7rkKv/SZ2BqLQsWk9cPrV814J3+5jsrtZ3JjyABntmF6AlWPJxXcNz8ql9xt6iA+xHctE6wAYvwW9jmlo7qucIysSIadwiHfzizwkVIqpM1JsvYoIb1ZiYtwTt3kAurSLG4mPOJfl0PipQGCbIZpNXyUW2A6rqDGPfHGANJnVGrwObocTFv4ipU9HR354BWz9aoRAg58knRSLOTvnIqIWOaKBe5aGiF4CRhGE6wYxQ8ovSK6rL4ZxuQt7MMdlLE+pu/DXm0k3BrgBkXPVM3DXxrjFuZanoh+o8MgRbxmNmxGCHXIY8V0xLqLh1YimM2IhvcSmoPEYc/xYOyjZBpOeiHGxw22W5iaQsnQU7RwN2++V
JHakEhl0Ilun6wd0uYk+15awRVBPsF01aJJ6eXb9+q+ZqNotPfwdW2AVkP94tZD+6Bf1t7OF95vB26L5p7AKkDcnio2ibJmXnhNsl9Pglx1H/ZECPIqway9RxKR2WHEf4smEMjBnBGTuPH9Yc7bDEE8SLOBV3rvSaRAoTBrgdQzht4Qg7ODqphAE+Uyvp3hUnt2LKYfdDMlCUtne1TNePbuTdpMR3LcWaAcGh7PYT/DA7+jCXxHDbROQnweICCCI6QF1QQ2ipave62AVwTdRKbo7ME87SayVVNZJXizM5DPct6o+rRDjlnsvSyR+lTUcASn7hAsibgNhkQIbbOHtltzF/J0cTxrv9P0i6wigJLkPWQloqxPYYIUTKevd7EMLn612Geo3UlBhPCJ2qnNUDkc1PYUGXXDWoXTJV1VpVfCRDEY6N3JmkU4FFZDNysh83Lped2MmI5C6GW1oniSKwhWHS4TIHIBhZv8Mv9+n2XtnNfRtlu02ZZSPtbjlbao2+xDLwgh1i1t9KC8L3eA4SNGftlpAgmOi3m1rA7QKf2thsNxKQnbAfJsbq8eBnu6dD2m492J5e7t9TUC/8Whn3FTVNOyPc8gqMk+te29NQw2gQKZxCsqYQNx4ENh685zHoW7LWIb27H4y1frzdnn4oTLIhp7feWnAY37TDwd5wxxuBcAth8PXu7uWNu9NHPTt/0ZLsTd98csl6qR5HgNwgxzsB8vWy4483H1mq0QbHObLbyUd9VAmS8o7dQn4clR1T7m3AjJ1SjyVoO37q5JU7jV0UFdiFeoAoCd3yJBOPRvja6IFjLyWtsnqd9kR1PigR/LUOkT18mckT8p+Tn7//njx9e/rm4hk55cZyOW+4WUCJpfBRXISaq+x9gfZFwjBbdubxCMeMXxzJGNMqs1dxX/2nO9UYBt2NQY98sqHPd7kuDNP+u7rfnuMPcYrFTKmMtUnfZIpRkao73c5GPtCSN8avQJQmhldcUO3FkxOb7g4xfNfj5VV4zw0vj9lppJ8p/8kxQutF3OmLubnk+eos3sh9dx3DGqHSsOf/DU4i/GTAC8FxA72yjDLuylQ6Z2LAIGSDpFZ6TiX/c09WtczHCrcl9gGU7vPUCLlnXEdrSTN1/fnFLYevhW/x5XsXbWU1/wpU2AWjGkitoVQVlzRacNcTTxfUcpDW3JgeL+gxd/uWPuhmfetHqDMxrrs6T5zgqqm22Axps9X9YvWIzY6CsLmNRJ1BCZpaKItkSWV7+MMJn1/aFbvg2YVWS152zcPC92hdi6CpDhgjNP9xz9q2ThtXcDab5OWRdtktGXr92fXINqPDQzFzcsl99Hyxq7iPtIDrlM6UQ8HvqnnCNepMvR/1KqHnkY16HRU1VmqIsUp7ie+gVWAprvYEvzVx33oS333Fy1LA8aTcO1zvtnIucrw9uXeQnGvHYxxnuxdhtV6HIbluo7PPSS2oOzL3PitNQDK9rse8/JgKeQR78hYZdLqzLX9VxpJ3lC24HDHpSppJcnyzS+tPEjP9aw1OfDj9yDc5MxPytqQ1+Yz/8PpRqaSvO/3n8PEkC7oEpzkJoJp8aUCvCfYgNLWSBlqNKl6c6vZb4G+OIy9DDzzmIGvedoGUfvu+L984nu2WjoDqhoE+hOaot8UUpzzldZjt8njbWnqriZGzDcPDyw3RjZRRO9Y8714eH3n2baRGauwCxCJYmPkPgpIVl6VaGWJqYHzGmfvkeaxOMOTJDi+I257Hd5NzQ55iR1iQbPMMYejyWY9apJH4jr+FOWVr8slsN77tIrDVbiFt8uxat8IRDPaR175vaiEqWKuGTOZexAHFuz4Aker/rUpTLOcZkm972/kV6rHuvF69juwYdxhltPCbAzZ7nLzesa2GDN/gem9l3RlufbwL6HA3x3HYdQGD7bPZJGT6YxicULwhxc3Fz1g2kHIk4GiFG265hBmXwVePwgm7+lW0Hmk6iNgdVCiWCbeNA2ZH/UstGDufbe6
9h15KI70pOx+2tZQtqiO3wN+sigQnA+uofxxZhrxMuUw3QSzp3XBbxqLCvI9nREj1y3bwWHwb7U15f2Rq5wDrvG/fDVjXVLc85f78fLOV1YIPWqkTdzucLeuT32+1PZt8Zolva6H0Ot+B/83UVP7bjR1jWkS2u6i36nnsaXJk+dsLhH7D3h5MJRrsqu23vn9Xo1xQgLRa1YeIjlI104Fz4VY8HtZ01jbcUI6AOPrqjuPewxNV1VSuu/uI1w7H6Xt7ZQnaPUMFlzMVVwqoucpdI3SD/NixIlvMVpC3K/rsS64cgV8aIdbkPxoq+IxDSU6x7tk7B6OorGBaMKWu+AMF3X+HKfHrb+xnKsa0+eTdZjfh8LqxqHIfOML05rv+oVsiTNkJ7mjvk5+Qj+vab33jOXDE8Sc4fngaZkXSZrI7aDscvCNCPzGxtrW7yBzDVdcpl9vYec9irXTr7ccQ84e3I0fe65WTmJ1aWtR55xDtIYVb+UbPfYumViqTJrKNlFvHnQepqY27JpksqEkZ7e8B1qGcPjHkRouEx9yDmvBUOmO0aHQqb0gPpgFd0Hk6m3IDOvnztA06afrjNujA9RkEC1xbkKhapTdOHPxk3NwpegsNO6kyqTUqv8Qxagm3ZO5HXBbVqxfhv08CCi/Cf4S8ppjbnwrQ8ey8sJ0HjJ77zfSD5+hx7Y1aG2ynDAPRnEnF5Qy0Hom7Dvd9lH31Ff8bSR91zx4BybYv8ax3DJErhWFtlfVKRZY4Gvud+bi9Y7uPmEGs+3/6BwwTtMYHfvJ6Afo4/gins4eMp6cnOPrxGTnB9eOogbZHapYyQucT0GH4J2xlYe5pzgtZQ8c9QvYO3C36xPQ6Re89af7noV7Ju7dGiZ82ueR/xr01/CqTTDn/xxmRMFeW+wOsF9SMTIAy7NhthXpH6RcfHy7ojjrbBKhBgssOj7WN09v6m3hCiuHzY1RUbPc36qYefhwdtOykCTemSa50ImRMlsrnrbtfDAUxBK2z+kAHh9KXnmducXKJwel90ukoGRJdZ/AQRX56iamd+x+jnvQ8DMm7S889OI6LUGNEscz5ou+GVIMjO4pMWTjWo03yNo0mF2B+BcGiztTc4JvNuJL+g4Sy9SdiMF6nNDm/fPOPdxfkwr1T5Dc5Mn1lg22mSupDsP24UnFsUQyxBbArc5AT+XZCOG8PstjQua5fZ9ciDNNAwwjCjRTco+WC5oOmkA+g5Ho8uq4go0YD4mypbY424bOP5ZIKXnpGjCCxKwiP1tV6nyBEil3B2uyK7USc3yaQJoa9sLY2BccZtFlA41HmIAijj+A28blsK1+U5nZ9w41iqqqy9om7Jd4ej+AQipfgr7gGsWtppnaxrASVhTEPNfDWrexl+O9ht22NVhRbX2pc1IofI606hrDHgCAGiFTcGkCysgWVctA4I3e7qbAqIjISsz1S2+buYQkzD39/++Z9ePde7CzfPShW6V3ff/KebdxcFUslmlwEeNPOcZZhzk03Gbsd59tIbg156pEwz7BbBxb2thN1d8ATRDq6G9FkkmZvA66fJLchXWCyXXSwBI2ZArNGEKYkg9o6Q/nSn+FIe4XVKqf09YR3Bns7QtshWittiXL0/fXf38RScKNkT813Ss+Pn2C5W2Cw5WKdUt/sJNoo5u9nv12cX5B39LrisuzGeseP1e3t6GmYW0MUR7YVtjHY3b5tdepTvGQxeXq2r3IsZscr2HzoIvx2y9nVji1nWZDK56ehS2/AYi+G4niH8sC9AtodV//l64a7whxZDjXJ1Lcb/SXOhH6g7MYwrhqt+C6oW/ni3ufENJEUdWrI34zVSs7/bSoouxLcWCj/9iL87Xn3KZczYPGPZlzDioqoIkOnovcbQmVJjCIjbKlhzo3Va2fZH1NY1NQuQrP+Dgeyi8MASXRKHQtNXwjt67WY0r0u5J0+2WEO0ur1X/5vAAAA//9IzKOm" -} 
diff --git a/x-pack/filebeat/module/squid/log/_meta/fields.yml b/x-pack/filebeat/module/squid/log/_meta/fields.yml
deleted file mode 100644
index 08a34153c4f..00000000000
--- a/x-pack/filebeat/module/squid/log/_meta/fields.yml
+++ /dev/null
@@ -1,2635 +0,0 @@ -- name: network.interface.name - overwrite: true - type: keyword - description: > - Name of the network interface where the traffic has been observed. -- name: rsa - overwrite: true - type: group - fields: - - name: internal - overwrite: true - type: group - fields: - - name: msg - overwrite: true - type: keyword - description: This key is used to capture the raw message that comes into the - Log Decoder - - name: messageid - overwrite: true - type: keyword - - name: event_desc - overwrite: true - type: keyword - - name: message - overwrite: true - type: keyword - description: This key captures the contents of instant messages - - name: time - overwrite: true - type: date - description: This is the time at which a session hits a NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness. - - name: level - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: msg_id - overwrite: true - type: keyword - description: This is the Message ID1 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: msg_vid - overwrite: true - type: keyword - description: This is the Message ID2 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: data - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: resource - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: statement - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: entry - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: inode - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: resource_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: dead - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - overwrite: true - type: keyword - description: This is used to capture the description of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: feed_name - overwrite: true - type: keyword - description: This is used to capture the name of the feed. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: cid - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_class - overwrite: true - type: keyword - description: This is the Classification of the Log Event Source under a predefined - fixed set of Event Source Classifications. 
This key should never be used to - parse Meta data from a session (Logs/Packets) Directly, this is a Reserved - key in NetWitness - - name: device_group - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - overwrite: true - type: keyword - description: This is the Hostname of the log Event Source sending the logs to - NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - overwrite: true - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - overwrite: true - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - overwrite: true - type: keyword - description: This is the name of the log parser which parsed a given session. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_type_id - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: did - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. 
- This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: entropy_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: entropy_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: event_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - overwrite: true - type: keyword - description: This is used to capture the category of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: forward_ip - overwrite: true - type: ip - description: This key should be used to capture the IPV4 address of a relay - system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - overwrite: true - type: ip - description: This key is used to capture the IPV6 address of a relay system - which forwarded the events from the original system to NetWitness. This key - should never be used to parse Meta data from a session (Logs/Packets) Directly, - this is a Reserved key in NetWitness - - name: header_id - overwrite: true - type: keyword - description: This is the Header ID value that identifies the exact log parser - header definition that parses a particular log session. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: lc_cid - overwrite: true - type: keyword - description: This is a unique Identifier of a Log Collector. 
This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: lc_ctime - overwrite: true - type: date - description: This is the time at which a log is collected in a NetWitness Log - Collector. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: mcbc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: medium - overwrite: true - type: long - description: "This key is used to identify if it\u2019s a log/packet session\ - \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ - \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ - \ 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: nwe_callback_id - overwrite: true - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - overwrite: true - type: keyword - description: This is a special key that stores any Meta key validation error - found while parsing a log session. This key should never be used to parse - Meta data from a session (Logs/Packets) Directly, this is a Reserved key in - NetWitness - - name: payload_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: payload_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: process_vid_dst - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the target process. - - name: process_vid_src - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the source process. - - name: rid - overwrite: true - type: long - description: This is a special ID of the Remote Session created by NetWitness - Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: session_split - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: size - overwrite: true - type: long - description: This is the size of the session as seen by the NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: sourcefile - overwrite: true - type: keyword - description: This is the name of the log file or PCAPs that can be imported - into NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: ubc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: word - overwrite: true - type: keyword - description: This is used by the Word Parsing technology to capture the first - 5 character of every word in an unparsed log - - name: time - overwrite: true - type: group - fields: - - name: event_time - overwrite: true - type: date - description: This key is used to capture the time mentioned in a raw session - that represents the actual time an event occured in a standard normalized - form - - name: duration_time - overwrite: true - type: double - description: This key is used to capture the normalized duration/lifetime in - seconds. 
- - name: event_time_str - overwrite: true - type: keyword - description: This key is used to capture the incomplete time mentioned in a - session as a string - - name: starttime - overwrite: true - type: date - description: This key is used to capture the Start time mentioned in a session - in a standard form - - name: month - overwrite: true - type: keyword - - name: day - overwrite: true - type: keyword - - name: endtime - overwrite: true - type: date - description: This key is used to capture the End time mentioned in a session - in a standard form - - name: timezone - overwrite: true - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - overwrite: true - type: keyword - description: A text string version of the duration - - name: date - overwrite: true - type: keyword - - name: year - overwrite: true - type: keyword - - name: recorded_time - overwrite: true - type: date - description: The event time as recorded by the system the event is collected - from. The usage scenario is a multi-tier application where the management - layer of the system records it's own timestamp at the time of collection from - its child nodes. Must be in timestamp format. - - name: datetime - overwrite: true - type: keyword - - name: effective_time - overwrite: true - type: date - description: This key is the effective time referenced by an individual event - in a Standard Timestamp format - - name: expire_time - overwrite: true - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - overwrite: true - type: keyword - description: Deprecated, use duration.time - - name: hour - overwrite: true - type: keyword - - name: min - overwrite: true - type: keyword - - name: timestamp - overwrite: true - type: keyword - - name: event_queue_time - overwrite: true - type: date - description: This key is the Time that the event was queued. 
- - name: p_time1 - overwrite: true - type: keyword - - name: tzone - overwrite: true - type: keyword - - name: eventtime - overwrite: true - type: keyword - - name: gmtdate - overwrite: true - type: keyword - - name: gmttime - overwrite: true - type: keyword - - name: p_date - overwrite: true - type: keyword - - name: p_month - overwrite: true - type: keyword - - name: p_time - overwrite: true - type: keyword - - name: p_time2 - overwrite: true - type: keyword - - name: p_year - overwrite: true - type: keyword - - name: expire_time_str - overwrite: true - type: keyword - description: This key is used to capture incomplete timestamp that explicitly - refers to an expiration. - - name: stamp - overwrite: true - type: date - description: Deprecated key defined only in table map. - - name: misc - overwrite: true - type: group - fields: - - name: action - overwrite: true - type: keyword - - name: result - overwrite: true - type: keyword - description: This key is used to capture the outcome/result string value of - an action in a session. - - name: severity - overwrite: true - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - overwrite: true - type: keyword - description: This key captures the event category type as specified by the event - source. - - name: reference_id - overwrite: true - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - overwrite: true - type: keyword - description: This key captures Version of the application or OS which is generating - the event. - - name: disposition - overwrite: true - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - overwrite: true - type: keyword - description: This key is used to capture the outcome/result numeric value of - an action in a session - - name: category - overwrite: true - type: keyword - description: This key is used to capture the category of an event given by the - vendor in the session - - name: obj_name - overwrite: true - type: keyword - description: This is used to capture name of object - - name: obj_type - overwrite: true - type: keyword - description: This is used to capture type of object - - name: event_source - overwrite: true - type: keyword - description: "This key captures Source of the event that\u2019s not a hostname" - - name: log_session_id - overwrite: true - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - overwrite: true - type: keyword - description: This key captures the Group Name value - - name: policy_name - overwrite: true - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - overwrite: true - type: keyword - description: This key captures the Rule Name - - name: context - overwrite: true - type: keyword - description: This key captures Information which adds additional context to - the event. - - name: change_new - overwrite: true - type: keyword - description: "This key is used to capture the new values of the attribute that\u2019\ - s changing in a session" - - name: space - overwrite: true - type: keyword - - name: client - overwrite: true - type: keyword - description: This key is used to capture only the name of the client application - requesting resources of the server. See the user.agent meta key for capture - of the specific user agent identifier or browser identification string. 
- - name: msgIdPart1 - overwrite: true - type: keyword - - name: msgIdPart2 - overwrite: true - type: keyword - - name: change_old - overwrite: true - type: keyword - description: "This key is used to capture the old value of the attribute that\u2019\ - s changing in a session" - - name: operation_id - overwrite: true - type: keyword - description: An alert number or operation number. The values should be unique - and non-repeating. - - name: event_state - overwrite: true - type: keyword - description: This key captures the current state of the object/item referenced - within the event. Describing an on-going event. - - name: group_object - overwrite: true - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - overwrite: true - type: keyword - description: Common use case is the node name within a cluster. The cluster - name is reflected by the host name. - - name: rule - overwrite: true - type: keyword - description: This key captures the Rule number - - name: device_name - overwrite: true - type: keyword - description: 'This is used to capture name of the Device associated with the - node Like: a physical disk, printer, etc' - - name: param - overwrite: true - type: keyword - description: This key is the parameters passed as part of a command or application, - etc. - - name: change_attrib - overwrite: true - type: keyword - description: "This key is used to capture the name of the attribute that\u2019\ - s changing in a session" - - name: event_computer - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - fully qualified domain name in a windows log. 
- - name: reference_id1 - overwrite: true - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - overwrite: true - type: keyword - description: This key captures the Name of the event log - - name: OS - overwrite: true - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - overwrite: true - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - overwrite: true - type: keyword - - name: filter - overwrite: true - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - overwrite: true - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the entity - such as a file or process. Checksum should be used over checksum.src or checksum.dst - when it is unclear whether the entity is a source or target of an action. - - name: event_user - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - combination of domain name and username in a windows log. - - name: virusname - overwrite: true - type: keyword - description: This key captures the name of the virus - - name: content_type - overwrite: true - type: keyword - description: This key is used to capture Content Type only. 
- - name: group_id - overwrite: true - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - overwrite: true - type: keyword - description: This key is used to capture the Policy ID only, this should be - a numeric value, use policy.name otherwise - - name: vsys - overwrite: true - type: keyword - description: This key captures Virtual System Name - - name: connection_id - overwrite: true - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - overwrite: true - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" - or "reference.id1" value but should not be used unless the other two variables - are in play. - - name: sensor - overwrite: true - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS - based devices - - name: sig_id - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - overwrite: true - type: keyword - description: 'This key is used for Physical or logical port connection but does - NOT include a network port. (Example: Printer port name).' - - name: rule_group - overwrite: true - type: keyword - description: This key captures the Rule group name - - name: risk_num - overwrite: true - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - overwrite: true - type: keyword - description: This key captures the Value of the trigger or threshold condition. - - name: log_session_id1 - overwrite: true - type: keyword - description: This key is used to capture a Linked (Related) Session ID from - the session directly - - name: comp_version - overwrite: true - type: keyword - description: This key captures the Version level of a sub-component of a product. 
- - name: content_version - overwrite: true - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - overwrite: true - type: keyword - description: This key is used to capture unique identifier for a device or system - (NOT a Mac address) - - name: risk - overwrite: true - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - overwrite: true - type: keyword - - name: reason - overwrite: true - type: keyword - - name: status - overwrite: true - type: keyword - - name: mail_id - overwrite: true - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - overwrite: true - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - overwrite: true - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - overwrite: true - type: keyword - - name: p_msgid - overwrite: true - type: keyword - - name: data_type - overwrite: true - type: keyword - - name: msgIdPart4 - overwrite: true - type: keyword - - name: error - overwrite: true - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - overwrite: true - type: keyword - - name: listnum - overwrite: true - type: keyword - description: This key is used to capture listname or listnumber, primarily for - collecting access-list - - name: ntype - overwrite: true - type: keyword - - name: observed_val - overwrite: true - type: keyword - description: This key captures the Value observed (from the perspective of the - device generating the log). - - name: policy_value - overwrite: true - type: keyword - description: This key captures the contents of the policy. 
This contains details - about the policy - - name: pool_name - overwrite: true - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - overwrite: true - type: keyword - description: A default set of parameters which are overlayed onto a rule (or - rulename) which efffectively constitutes a template - - name: count - overwrite: true - type: keyword - - name: number - overwrite: true - type: keyword - - name: sigcat - overwrite: true - type: keyword - - name: type - overwrite: true - type: keyword - - name: comments - overwrite: true - type: keyword - description: Comment information provided in the log message - - name: doc_number - overwrite: true - type: long - description: This key captures File Identification number - - name: expected_val - overwrite: true - type: keyword - description: This key captures the Value expected (from the perspective of the - device generating the log). - - name: job_num - overwrite: true - type: keyword - description: This key captures the Job Number - - name: spi_dst - overwrite: true - type: keyword - description: Destination SPI Index - - name: spi_src - overwrite: true - type: keyword - description: Source SPI Index - - name: code - overwrite: true - type: keyword - - name: agent_id - overwrite: true - type: keyword - description: This key is used to capture agent id - - name: message_body - overwrite: true - type: keyword - description: This key captures the The contents of the message body. - - name: phone - overwrite: true - type: keyword - - name: sig_id_str - overwrite: true - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - overwrite: true - type: keyword - - name: misc - overwrite: true - type: keyword - - name: name - overwrite: true - type: keyword - - name: cpu - overwrite: true - type: long - description: This key is the CPU time used in the execution of the event being - recorded. 
- - name: event_desc - overwrite: true - type: keyword - description: This key is used to capture a description of an event available - directly or inferred - - name: sig_id1 - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID. This must be linked - to the sig.id - - name: im_buddyid - overwrite: true - type: keyword - - name: im_client - overwrite: true - type: keyword - - name: im_userid - overwrite: true - type: keyword - - name: pid - overwrite: true - type: keyword - - name: priority - overwrite: true - type: keyword - - name: context_subject - overwrite: true - type: keyword - description: This key is to be used in an audit context where the subject is - the object being identified - - name: context_target - overwrite: true - type: keyword - - name: cve - overwrite: true - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - - an identifier for known information security vulnerabilities. - - name: fcatnum - overwrite: true - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - overwrite: true - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - overwrite: true - type: keyword - description: This key captures the Parent Node Name. Must be related to node - variable. - - name: risk_info - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - overwrite: true - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - overwrite: true - type: long - description: This key describes the type of service - - name: vm_target - overwrite: true - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - overwrite: true - type: keyword - description: This key captures Workspace Description - - name: command - overwrite: true - type: keyword - - name: event_category - overwrite: true - type: keyword - - name: facilityname - overwrite: true - type: keyword - - name: forensic_info - overwrite: true - type: keyword - - name: jobname - overwrite: true - type: keyword - - name: mode - overwrite: true - type: keyword - - name: policy - overwrite: true - type: keyword - - name: policy_waiver - overwrite: true - type: keyword - - name: second - overwrite: true - type: keyword - - name: space1 - overwrite: true - type: keyword - - name: subcategory - overwrite: true - type: keyword - - name: tbdstr2 - overwrite: true - type: keyword - - name: alert_id - overwrite: true - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the the target - entity such as a process or file. - - name: checksum_src - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the source - entity such as a file or process. 
- - name: fresult - overwrite: true - type: long - description: This key captures the Filter Result - - name: payload_dst - overwrite: true - type: keyword - description: This key is used to capture destination payload - - name: payload_src - overwrite: true - type: keyword - description: This key is used to capture source payload - - name: pool_id - overwrite: true - type: keyword - description: This key captures the identifier (typically numeric field) of a - resource pool - - name: process_id_val - overwrite: true - type: keyword - description: This key is a failure key for Process ID when it is not an integer - value - - name: risk_num_comm - overwrite: true - type: double - description: This key captures Risk Number Community - - name: risk_num_next - overwrite: true - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - overwrite: true - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - overwrite: true - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - overwrite: true - type: keyword - description: SNMP Object Identifier - - name: sql - overwrite: true - type: keyword - description: This key captures the SQL query - - name: vuln_ref - overwrite: true - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - overwrite: true - type: keyword - - name: acl_op - overwrite: true - type: keyword - - name: acl_pos - overwrite: true - type: keyword - - name: acl_table - overwrite: true - type: keyword - - name: admin - overwrite: true - type: keyword - - name: alarm_id - overwrite: true - type: keyword - - name: alarmname - 
overwrite: true - type: keyword - - name: app_id - overwrite: true - type: keyword - - name: audit - overwrite: true - type: keyword - - name: audit_object - overwrite: true - type: keyword - - name: auditdata - overwrite: true - type: keyword - - name: benchmark - overwrite: true - type: keyword - - name: bypass - overwrite: true - type: keyword - - name: cache - overwrite: true - type: keyword - - name: cache_hit - overwrite: true - type: keyword - - name: cefversion - overwrite: true - type: keyword - - name: cfg_attr - overwrite: true - type: keyword - - name: cfg_obj - overwrite: true - type: keyword - - name: cfg_path - overwrite: true - type: keyword - - name: changes - overwrite: true - type: keyword - - name: client_ip - overwrite: true - type: keyword - - name: clustermembers - overwrite: true - type: keyword - - name: cn_acttimeout - overwrite: true - type: keyword - - name: cn_asn_src - overwrite: true - type: keyword - - name: cn_bgpv4nxthop - overwrite: true - type: keyword - - name: cn_ctr_dst_code - overwrite: true - type: keyword - - name: cn_dst_tos - overwrite: true - type: keyword - - name: cn_dst_vlan - overwrite: true - type: keyword - - name: cn_engine_id - overwrite: true - type: keyword - - name: cn_engine_type - overwrite: true - type: keyword - - name: cn_f_switch - overwrite: true - type: keyword - - name: cn_flowsampid - overwrite: true - type: keyword - - name: cn_flowsampintv - overwrite: true - type: keyword - - name: cn_flowsampmode - overwrite: true - type: keyword - - name: cn_inacttimeout - overwrite: true - type: keyword - - name: cn_inpermbyts - overwrite: true - type: keyword - - name: cn_inpermpckts - overwrite: true - type: keyword - - name: cn_invalid - overwrite: true - type: keyword - - name: cn_ip_proto_ver - overwrite: true - type: keyword - - name: cn_ipv4_ident - overwrite: true - type: keyword - - name: cn_l_switch - overwrite: true - type: keyword - - name: cn_log_did - overwrite: true - type: keyword - - name: 
cn_log_rid - overwrite: true - type: keyword - - name: cn_max_ttl - overwrite: true - type: keyword - - name: cn_maxpcktlen - overwrite: true - type: keyword - - name: cn_min_ttl - overwrite: true - type: keyword - - name: cn_minpcktlen - overwrite: true - type: keyword - - name: cn_mpls_lbl_1 - overwrite: true - type: keyword - - name: cn_mpls_lbl_10 - overwrite: true - type: keyword - - name: cn_mpls_lbl_2 - overwrite: true - type: keyword - - name: cn_mpls_lbl_3 - overwrite: true - type: keyword - - name: cn_mpls_lbl_4 - overwrite: true - type: keyword - - name: cn_mpls_lbl_5 - overwrite: true - type: keyword - - name: cn_mpls_lbl_6 - overwrite: true - type: keyword - - name: cn_mpls_lbl_7 - overwrite: true - type: keyword - - name: cn_mpls_lbl_8 - overwrite: true - type: keyword - - name: cn_mpls_lbl_9 - overwrite: true - type: keyword - - name: cn_mplstoplabel - overwrite: true - type: keyword - - name: cn_mplstoplabip - overwrite: true - type: keyword - - name: cn_mul_dst_byt - overwrite: true - type: keyword - - name: cn_mul_dst_pks - overwrite: true - type: keyword - - name: cn_muligmptype - overwrite: true - type: keyword - - name: cn_sampalgo - overwrite: true - type: keyword - - name: cn_sampint - overwrite: true - type: keyword - - name: cn_seqctr - overwrite: true - type: keyword - - name: cn_spackets - overwrite: true - type: keyword - - name: cn_src_tos - overwrite: true - type: keyword - - name: cn_src_vlan - overwrite: true - type: keyword - - name: cn_sysuptime - overwrite: true - type: keyword - - name: cn_template_id - overwrite: true - type: keyword - - name: cn_totbytsexp - overwrite: true - type: keyword - - name: cn_totflowexp - overwrite: true - type: keyword - - name: cn_totpcktsexp - overwrite: true - type: keyword - - name: cn_unixnanosecs - overwrite: true - type: keyword - - name: cn_v6flowlabel - overwrite: true - type: keyword - - name: cn_v6optheaders - overwrite: true - type: keyword - - name: comp_class - overwrite: true - type: 
keyword - - name: comp_name - overwrite: true - type: keyword - - name: comp_rbytes - overwrite: true - type: keyword - - name: comp_sbytes - overwrite: true - type: keyword - - name: cpu_data - overwrite: true - type: keyword - - name: criticality - overwrite: true - type: keyword - - name: cs_agency_dst - overwrite: true - type: keyword - - name: cs_analyzedby - overwrite: true - type: keyword - - name: cs_av_other - overwrite: true - type: keyword - - name: cs_av_primary - overwrite: true - type: keyword - - name: cs_av_secondary - overwrite: true - type: keyword - - name: cs_bgpv6nxthop - overwrite: true - type: keyword - - name: cs_bit9status - overwrite: true - type: keyword - - name: cs_context - overwrite: true - type: keyword - - name: cs_control - overwrite: true - type: keyword - - name: cs_data - overwrite: true - type: keyword - - name: cs_datecret - overwrite: true - type: keyword - - name: cs_dst_tld - overwrite: true - type: keyword - - name: cs_eth_dst_ven - overwrite: true - type: keyword - - name: cs_eth_src_ven - overwrite: true - type: keyword - - name: cs_event_uuid - overwrite: true - type: keyword - - name: cs_filetype - overwrite: true - type: keyword - - name: cs_fld - overwrite: true - type: keyword - - name: cs_if_desc - overwrite: true - type: keyword - - name: cs_if_name - overwrite: true - type: keyword - - name: cs_ip_next_hop - overwrite: true - type: keyword - - name: cs_ipv4dstpre - overwrite: true - type: keyword - - name: cs_ipv4srcpre - overwrite: true - type: keyword - - name: cs_lifetime - overwrite: true - type: keyword - - name: cs_log_medium - overwrite: true - type: keyword - - name: cs_loginname - overwrite: true - type: keyword - - name: cs_modulescore - overwrite: true - type: keyword - - name: cs_modulesign - overwrite: true - type: keyword - - name: cs_opswatresult - overwrite: true - type: keyword - - name: cs_payload - overwrite: true - type: keyword - - name: cs_registrant - overwrite: true - type: keyword - - 
name: cs_registrar - overwrite: true - type: keyword - - name: cs_represult - overwrite: true - type: keyword - - name: cs_rpayload - overwrite: true - type: keyword - - name: cs_sampler_name - overwrite: true - type: keyword - - name: cs_sourcemodule - overwrite: true - type: keyword - - name: cs_streams - overwrite: true - type: keyword - - name: cs_targetmodule - overwrite: true - type: keyword - - name: cs_v6nxthop - overwrite: true - type: keyword - - name: cs_whois_server - overwrite: true - type: keyword - - name: cs_yararesult - overwrite: true - type: keyword - - name: description - overwrite: true - type: keyword - - name: devvendor - overwrite: true - type: keyword - - name: distance - overwrite: true - type: keyword - - name: dstburb - overwrite: true - type: keyword - - name: edomain - overwrite: true - type: keyword - - name: edomaub - overwrite: true - type: keyword - - name: euid - overwrite: true - type: keyword - - name: facility - overwrite: true - type: keyword - - name: finterface - overwrite: true - type: keyword - - name: flags - overwrite: true - type: keyword - - name: gaddr - overwrite: true - type: keyword - - name: id3 - overwrite: true - type: keyword - - name: im_buddyname - overwrite: true - type: keyword - - name: im_croomid - overwrite: true - type: keyword - - name: im_croomtype - overwrite: true - type: keyword - - name: im_members - overwrite: true - type: keyword - - name: im_username - overwrite: true - type: keyword - - name: ipkt - overwrite: true - type: keyword - - name: ipscat - overwrite: true - type: keyword - - name: ipspri - overwrite: true - type: keyword - - name: latitude - overwrite: true - type: keyword - - name: linenum - overwrite: true - type: keyword - - name: list_name - overwrite: true - type: keyword - - name: load_data - overwrite: true - type: keyword - - name: location_floor - overwrite: true - type: keyword - - name: location_mark - overwrite: true - type: keyword - - name: log_id - overwrite: true - 
type: keyword - - name: log_type - overwrite: true - type: keyword - - name: logid - overwrite: true - type: keyword - - name: logip - overwrite: true - type: keyword - - name: logname - overwrite: true - type: keyword - - name: longitude - overwrite: true - type: keyword - - name: lport - overwrite: true - type: keyword - - name: mbug_data - overwrite: true - type: keyword - - name: misc_name - overwrite: true - type: keyword - - name: msg_type - overwrite: true - type: keyword - - name: msgid - overwrite: true - type: keyword - - name: netsessid - overwrite: true - type: keyword - - name: num - overwrite: true - type: keyword - - name: number1 - overwrite: true - type: keyword - - name: number2 - overwrite: true - type: keyword - - name: nwwn - overwrite: true - type: keyword - - name: object - overwrite: true - type: keyword - - name: operation - overwrite: true - type: keyword - - name: opkt - overwrite: true - type: keyword - - name: orig_from - overwrite: true - type: keyword - - name: owner_id - overwrite: true - type: keyword - - name: p_action - overwrite: true - type: keyword - - name: p_filter - overwrite: true - type: keyword - - name: p_group_object - overwrite: true - type: keyword - - name: p_id - overwrite: true - type: keyword - - name: p_msgid1 - overwrite: true - type: keyword - - name: p_msgid2 - overwrite: true - type: keyword - - name: p_result1 - overwrite: true - type: keyword - - name: password_chg - overwrite: true - type: keyword - - name: password_expire - overwrite: true - type: keyword - - name: permgranted - overwrite: true - type: keyword - - name: permwanted - overwrite: true - type: keyword - - name: pgid - overwrite: true - type: keyword - - name: policyUUID - overwrite: true - type: keyword - - name: prog_asp_num - overwrite: true - type: keyword - - name: program - overwrite: true - type: keyword - - name: real_data - overwrite: true - type: keyword - - name: rec_asp_device - overwrite: true - type: keyword - - name: rec_asp_num 
- overwrite: true - type: keyword - - name: rec_library - overwrite: true - type: keyword - - name: recordnum - overwrite: true - type: keyword - - name: ruid - overwrite: true - type: keyword - - name: sburb - overwrite: true - type: keyword - - name: sdomain_fld - overwrite: true - type: keyword - - name: sec - overwrite: true - type: keyword - - name: sensorname - overwrite: true - type: keyword - - name: seqnum - overwrite: true - type: keyword - - name: session - overwrite: true - type: keyword - - name: sessiontype - overwrite: true - type: keyword - - name: sigUUID - overwrite: true - type: keyword - - name: spi - overwrite: true - type: keyword - - name: srcburb - overwrite: true - type: keyword - - name: srcdom - overwrite: true - type: keyword - - name: srcservice - overwrite: true - type: keyword - - name: state - overwrite: true - type: keyword - - name: status1 - overwrite: true - type: keyword - - name: svcno - overwrite: true - type: keyword - - name: system - overwrite: true - type: keyword - - name: tbdstr1 - overwrite: true - type: keyword - - name: tgtdom - overwrite: true - type: keyword - - name: tgtdomain - overwrite: true - type: keyword - - name: threshold - overwrite: true - type: keyword - - name: type1 - overwrite: true - type: keyword - - name: udb_class - overwrite: true - type: keyword - - name: url_fld - overwrite: true - type: keyword - - name: user_div - overwrite: true - type: keyword - - name: userid - overwrite: true - type: keyword - - name: username_fld - overwrite: true - type: keyword - - name: utcstamp - overwrite: true - type: keyword - - name: v_instafname - overwrite: true - type: keyword - - name: virt_data - overwrite: true - type: keyword - - name: vpnid - overwrite: true - type: keyword - - name: autorun_type - overwrite: true - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - overwrite: true - type: long - description: Valid Credit Card Numbers only - - name: content - 
overwrite: true - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - overwrite: true - type: long - description: Employee Identification Numbers only - - name: found - overwrite: true - type: keyword - description: This is used to capture the results of regex match - - name: language - overwrite: true - type: keyword - description: This is used to capture list of languages the client support and - what it prefers - - name: lifetime - overwrite: true - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - overwrite: true - type: keyword - description: This key is used to link the sessions together. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: match - overwrite: true - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - overwrite: true - type: keyword - description: This key captures the command line/launch argument of the target - process or file - - name: param_src - overwrite: true - type: keyword - description: This key captures source parameter - - name: search_text - overwrite: true - type: keyword - description: This key captures the Search Text used - - name: sig_name - overwrite: true - type: keyword - description: This key is used to capture the Signature Name only. - - name: snmp_value - overwrite: true - type: keyword - description: SNMP set request value - - name: streams - overwrite: true - type: long - description: This key captures number of streams in session - - name: db - overwrite: true - type: group - fields: - - name: index - overwrite: true - type: keyword - description: This key captures IndexID of the index. 
- - name: instance - overwrite: true - type: keyword - description: This key is used to capture the database server instance name - - name: database - overwrite: true - type: keyword - description: This key is used to capture the name of a database or an instance - as seen in a session - - name: transact_id - overwrite: true - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - overwrite: true - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - overwrite: true - type: keyword - description: This key is used to capture the table name - - name: db_id - overwrite: true - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - overwrite: true - type: long - description: This key captures the process id of a connection with database - server - - name: lread - overwrite: true - type: long - description: This key is used for the number of logical reads - - name: lwrite - overwrite: true - type: long - description: This key is used for the number of logical writes - - name: pread - overwrite: true - type: long - description: This key is used for the number of physical writes - - name: network - overwrite: true - type: group - fields: - - name: alias_host - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a hostname is not clear.Also it captures the Device Hostname. Any Hostname - that isnt ad.computer. 
- - name: domain - overwrite: true - type: keyword - - name: host_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Hostname" - - name: network_service - overwrite: true - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of an interface is not clear - - name: network_port - overwrite: true - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently - used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - overwrite: true - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Interface" - - name: dinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Interface" - - name: vlan - overwrite: true - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Zone." - - name: zone - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a Zone is not clear - - name: zone_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Zone." - - name: gateway - overwrite: true - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - overwrite: true - type: long - description: This key is used to capture the ICMP type only - - name: mask - overwrite: true - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - overwrite: true - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - overwrite: true - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - overwrite: true - type: keyword - description: This key is used for Destionation Device network mask - - name: port - overwrite: true - type: long - description: This key should only be used to capture a Network Port when the - directionality is not clear - - name: smask - overwrite: true - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - overwrite: true - type: keyword - description: This key is used to capture the network name associated with an - IP range. This is configured by the end user. - - name: paddr - overwrite: true - type: ip - description: Deprecated - - name: faddr - overwrite: true - type: keyword - - name: lhost - overwrite: true - type: keyword - - name: origin - overwrite: true - type: keyword - - name: remote_domain_id - overwrite: true - type: keyword - - name: addr - overwrite: true - type: keyword - - name: dns_a_record - overwrite: true - type: keyword - - name: dns_ptr_record - overwrite: true - type: keyword - - name: fhost - overwrite: true - type: keyword - - name: fport - overwrite: true - type: keyword - - name: laddr - overwrite: true - type: keyword - - name: linterface - overwrite: true - type: keyword - - name: phost - overwrite: true - type: keyword - - name: ad_computer_dst - overwrite: true - type: keyword - description: Deprecated, use host.dst - - name: eth_type - overwrite: true - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols - Only - - name: ip_proto - overwrite: true - type: long - description: This key should be used to capture the Protocol number, all the - protocol nubers are converted into string in UI - - name: dns_cname_record - overwrite: true - 
type: keyword - - name: dns_id - overwrite: true - type: keyword - - name: dns_opcode - overwrite: true - type: keyword - - name: dns_resp - overwrite: true - type: keyword - - name: dns_type - overwrite: true - type: keyword - - name: domain1 - overwrite: true - type: keyword - - name: host_type - overwrite: true - type: keyword - - name: packet_length - overwrite: true - type: keyword - - name: host_orig - overwrite: true - type: keyword - description: This is used to capture the original hostname in case of a Forwarding - Agent or a Proxy in between. - - name: rpayload - overwrite: true - type: keyword - description: This key is used to capture the total number of payload bytes seen - in the retransmitted packets. - - name: vlan_name - overwrite: true - type: keyword - description: This key should only be used to capture the name of the Virtual - LAN - - name: investigations - overwrite: true - type: group - fields: - - name: ec_activity - overwrite: true - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - overwrite: true - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - overwrite: true - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - overwrite: true - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - overwrite: true - type: long - description: This key captures the Event category number - - name: event_cat_name - overwrite: true - type: keyword - description: This key captures the event category name corresponding to the - event cat code - - name: event_vcat - overwrite: true - type: keyword - description: This is a vendor supplied category. This should be used in situations - where the vendor has adopted their own event_category taxonomy. 
- - name: analysis_file - overwrite: true - type: keyword - description: This is used to capture all indicators used in a File Analysis. - This key should be used to capture an analysis of a file - - name: analysis_service - overwrite: true - type: keyword - description: This is used to capture all indicators used in a Service Analysis. - This key should be used to capture an analysis of a service - - name: analysis_session - overwrite: true - type: keyword - description: This is used to capture all indicators used for a Session Analysis. - This key should be used to capture an analysis of a session - - name: boc - overwrite: true - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - overwrite: true - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - overwrite: true - type: keyword - description: This used to capture investigation category - - name: inv_context - overwrite: true - type: keyword - description: This used to capture investigation context - - name: ioc - overwrite: true - type: keyword - description: This is key capture indicator of compromise - - name: counters - overwrite: true - type: group - fields: - - name: dclass_c1 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c1.str only - - name: dclass_c2 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c2.str only - - name: event_counter - overwrite: true - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r1.str only - - name: dclass_c3 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c3.str only - - name: dclass_c1_str - 
overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c1 only - - name: dclass_c2_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c2 only - - name: dclass_r1_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r1 only - - name: dclass_r2 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r2.str only - - name: dclass_c3_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c3 only - - name: dclass_r3 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r3.str only - - name: dclass_r2_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r2 only - - name: dclass_r3_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r3 only - - name: identity - overwrite: true - type: group - fields: - - name: auth_method - overwrite: true - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - overwrite: true - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - overwrite: true - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - overwrite: true - type: keyword - description: This key is used to capture the type of logon method used. 
- - name: profile - overwrite: true - type: keyword - description: This key is used to capture the user profile - - name: accesses - overwrite: true - type: keyword - description: This key is used to capture actual privileges used in accessing - an object - - name: realm - overwrite: true - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - overwrite: true - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that - indicates a Source dn - - name: org - overwrite: true - type: keyword - description: This key captures the User organization - - name: dn_dst - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that - indicates a Destination dn - - name: firstname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: lastname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: user_dept - overwrite: true - type: keyword - description: User's Department Names only - - name: user_sid_src - overwrite: true - type: keyword - description: This key captures Source User Session ID - - name: federated_sp - overwrite: true - type: keyword - description: This key is the Federated Service Provider. This is the application - requesting authentication. - - name: federated_idp - overwrite: true - type: keyword - description: This key is the federated Identity Provider. This is the server - providing the authentication. - - name: logon_type_desc - overwrite: true - type: keyword - description: This key is used to capture the textual description of an integer - logon type as stored in the meta key 'logon.type'. 
- - name: middlename - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: password - overwrite: true - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - overwrite: true - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - overwrite: true - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ - t have a clear query or response context" - - name: ldap_query - overwrite: true - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - overwrite: true - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - overwrite: true - type: keyword - description: This is used to capture username the process or service is running - as, the author of the task - - name: service_account - overwrite: true - type: keyword - description: This key is a windows specific key, used for capturing name of - the account a service (referenced in the event) is running under. Legacy Usage - - name: email - overwrite: true - type: group - fields: - - name: email_dst - overwrite: true - type: keyword - description: This key is used to capture the Destination email address only, - when the destination context is not clear use email - - name: email_src - overwrite: true - type: keyword - description: This key is used to capture the source email address only, when - the source context is not clear use email - - name: subject - overwrite: true - type: keyword - description: This key is used to capture the subject string from an Email only. 
- - name: email - overwrite: true - type: keyword - description: This key is used to capture a generic email address where the source - or destination context is not clear - - name: trans_from - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: file - overwrite: true - type: group - fields: - - name: privilege - overwrite: true - type: keyword - description: Deprecated, use permissions - - name: attachment - overwrite: true - type: keyword - description: This key captures the attachment file name - - name: filesystem - overwrite: true - type: keyword - - name: binary - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: filename_dst - overwrite: true - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - overwrite: true - type: keyword - description: This is used to capture name of the parent filename, the file which - performed the action - - name: filename_tmp - overwrite: true - type: keyword - - name: directory_dst - overwrite: true - type: keyword - description: This key is used to capture the directory of the target process - or file - - name: directory_src - overwrite: true - type: keyword - description: This key is used to capture the directory of the source process - or file - - name: file_entropy - overwrite: true - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - overwrite: true - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - overwrite: true - type: keyword - description: This is used to capture name of the task - - name: web - overwrite: true - type: group - fields: - - name: fqdn - overwrite: true - type: keyword - description: Fully Qualified Domain Names - - 
name: web_cookie - overwrite: true - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - overwrite: true - type: keyword - - name: reputation_num - overwrite: true - type: double - description: Reputation Number of an entity. Typically used for Web Domains - - name: web_ref_domain - overwrite: true - type: keyword - description: Web referer's domain - - name: web_ref_query - overwrite: true - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - overwrite: true - type: keyword - - name: web_ref_page - overwrite: true - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - overwrite: true - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - overwrite: true - type: keyword - - name: cn_rpackets - overwrite: true - type: keyword - - name: urlpage - overwrite: true - type: keyword - - name: urlroot - overwrite: true - type: keyword - - name: p_url - overwrite: true - type: keyword - - name: p_user_agent - overwrite: true - type: keyword - - name: p_web_cookie - overwrite: true - type: keyword - - name: p_web_method - overwrite: true - type: keyword - - name: p_web_referer - overwrite: true - type: keyword - - name: web_extension_tmp - overwrite: true - type: keyword - - name: web_page - overwrite: true - type: keyword - - name: threat - overwrite: true - type: group - fields: - - name: threat_category - overwrite: true - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of - alert - - name: threat_desc - overwrite: true - type: keyword - description: This key is used to capture the threat description from the session - directly or inferred - - name: alert - overwrite: true - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - overwrite: true - type: keyword - description: This key is used to 
capture source of the threat - - name: crypto - overwrite: true - type: group - fields: - - name: crypto - overwrite: true - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key - only - - name: cipher_src - overwrite: true - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - overwrite: true - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - overwrite: true - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - overwrite: true - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - overwrite: true - type: keyword - description: IKE negotiation phase. - - name: scheme - overwrite: true - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - overwrite: true - type: keyword - description: "This key is for Encryption peer\u2019s identity" - - name: sig_type - overwrite: true - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - overwrite: true - type: keyword - - name: cert_host_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: cert_error - overwrite: true - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - overwrite: true - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - overwrite: true - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - overwrite: true - type: keyword - description: Deprecated, use version - - name: d_certauth - overwrite: true - type: keyword - - name: s_certauth - overwrite: true - type: keyword - - name: ike_cookie1 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - - name: ike_cookie2 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - - name: cert_checksum - overwrite: true - type: keyword - - name: cert_host_cat - overwrite: true - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - overwrite: true - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - overwrite: true - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - overwrite: true - type: keyword - description: Deprecated, use version - - name: cert_keysize - overwrite: true - type: keyword - - name: cert_username - overwrite: true - type: keyword - - name: https_insact - overwrite: true - type: keyword - - name: https_valid - overwrite: true - type: keyword - - name: cert_ca - overwrite: true - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - overwrite: true - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - overwrite: true - type: group - fields: - - name: wlan_ssid - overwrite: true - type: keyword - description: This key is 
used to capture the ssid of a Wireless Session - - name: access_point - overwrite: true - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - overwrite: true - type: long - description: This is used to capture the channel names - - name: wlan_name - overwrite: true - type: keyword - description: This key captures either WLAN number/name - - name: storage - overwrite: true - type: group - fields: - - name: disk_volume - overwrite: true - type: keyword - description: A unique name assigned to logical units (volumes) within a physical - disk - - name: lun - overwrite: true - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - overwrite: true - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - overwrite: true - type: group - fields: - - name: org_dst - overwrite: true - type: keyword - description: This is used to capture the destination organization based on the - GEOPIP Maxmind database. - - name: org_src - overwrite: true - type: keyword - description: This is used to capture the source organization based on the GEOPIP - Maxmind database. 
- - name: healthcare - overwrite: true - type: group - fields: - - name: patient_fname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_id - overwrite: true - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_mname - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: endpoint - overwrite: true - type: group - fields: - - name: host_state - overwrite: true - type: keyword - description: This key is used to capture the current state of the machine, such - as blacklisted, infected, firewall - disabled and so on - - name: registry_key - overwrite: true - type: keyword - description: This key captures the path to the registry key - - name: registry_value - overwrite: true - type: keyword - description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/squid/log/config/input.yml b/x-pack/filebeat/module/squid/log/config/input.yml deleted file mode 100644 index fadcc7a49b8..00000000000 --- a/x-pack/filebeat/module/squid/log/config/input.yml +++ /dev/null 
@@ -1,87 +0,0 @@ -{{ if eq .input "file" }} - -type: log -paths: - {{ range $i, $path := .paths }} -- {{$path}} - {{ end }} -exclude_files: [".gz$"] - -{{ else }} - -type: {{.input}} -host: "{{.syslog_host}}:{{.syslog_port}}" - -{{ end }} - -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} - -fields_under_root: true -fields: - observer: - vendor: "Squid" - product: "Proxy" - type: "Proxies" - -processors: -- script: - lang: javascript - params: - ecs: true - rsa: {{.rsa_fields}} - tz_offset: {{.tz_offset}} - keep_raw: {{.keep_raw_fields}} - debug: {{.debug}} - files: - - ${path.home}/module/squid/log/config/liblogparser.js - - ${path.home}/module/squid/log/config/pipeline.js -{{ if .community_id }} -- community_id: ~ -{{ end }} -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: 
url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_fields: - target: '' - fields: - ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/squid/log/config/liblogparser.js b/x-pack/filebeat/module/squid/log/config/liblogparser.js deleted file mode 100644 index b35eaa3ddce..00000000000 --- a/x-pack/filebeat/module/squid/log/config/liblogparser.js +++ /dev/null 
@@ -1,2514 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -/* jshint -W014,-W016,-W097,-W116 */ - -var processor = require("processor"); -var console = require("console"); - -var FLAG_FIELD = "log.flags"; -var FIELDS_OBJECT = "nwparser"; -var FIELDS_PREFIX = FIELDS_OBJECT + "."; - -var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true -}; - -var saved_flags = null; -var debug; -var map_ecs; -var map_rsa; -var keep_raw; -var device; -var tz_offset; -var strip_priority; - -// Register params from configuration. -function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); -} - -function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } -} - -function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); -} - -function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); -} - -function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; -} - -function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; -} - -function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; -} - -var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); -})(); - -function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; -} - -function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } -} - -function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; -} - -function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; -} - -function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; -} - -function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; -} - -var start; - -function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); -} - -function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); -} - -function constant(value) { - return function (evt) { - return value; - }; -} - -function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; -} - -function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; -} - -// TODO: Implement -function DIRCHK(args) { - unimplemented("DIRCHK"); -} - -function strictToInt(str) { - return str * 1; -} - -function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - var result; - switch 
(args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; -} - -var quoteChars = "\"'`"; -function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; -} - -function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; -} - -function nop(evt) { -} - -function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); -} - -function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); -} - -function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; -} - -function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); -} - -function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; -} - -function setc(dst, value) { - return function (evt) { - evt.Put(FIELDS_PREFIX + dst, value); - }; 
-} - -function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; -} - -function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; -} - -function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; -} - -function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; -} - -// Make two-digit dates 00-69 interpreted as 2000-2069 -// and dates 70-99 translated to 1970-1999. -var twoDigitYearEpoch = 70; -var twoDigitYearCentury = 2000; - -// This is to accept dates up to 2 days in the future, only used when -// no year is specified in a date. 2 days should be enough to account for -// time differences between systems and different tz offsets. -var maxFutureDelta = 2*24*60*60*1000; - -// DateContainer stores date fields and then converts those fields into -// a Date. Necessary because building a Date using its set() methods gives -// different results depending on the order of components. -function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; -} - -DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } -} - -function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; -} - -function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; -} - -function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; -} - -var uA = 60 * 60 * 24; -var uD = 60 * 60 * 24; -var uF = 60 * 60; -var uG = 60 * 60 * 24 * 30; -var uH = 60 * 60; -var uI = 60 * 60; -var uJ = 60 * 60 * 24; -var uM = 60 * 60 * 24 * 30; -var uN = 60 * 60; -var uO = 1; -var uS = 1; -var uT = 60; -var uU = 60; -var uc = dc; - -function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; -} - -function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 5], - "dec": [11, 4], 
-}; - -// var dC = undefined; -var dR = dateMonthName(true); -var dB = dateMonthName(false); -var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); -var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); -var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); -var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); -var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); -var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 -var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); -var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); -var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); -var dP = parseAMPM; // AM|PM -var dQ = parseAMPM; // A.M.|P.M -var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); -var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); -var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); -var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); -var dZ = parseHMS; -var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - -// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. -// Only works if this modifier appears after the hour has been read from logs -// which is always the case in the 300 devices. 
-function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; -} - -function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); -} - -function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; -} - -function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; -} - -function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; -} - -function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; -} - -function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; -} - -// Short month name (Jan..Dec). -function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; -} - -function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; -} - -// The following regular expression for parsing URLs from: -// https://github.com/wizard04wsu/URI_Parsing -// -// The MIT License (MIT) -// -// Copyright (c) 2014 Andrew Harrison -// -// Permission is hereby granted, free of charge, to any person obtaining a copy of -// this software and associated documentation files (the "Software"), to deal in -// the Software without restriction, including without limitation the rights to -// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -// the Software, and to permit persons to whom the Software is furnished to do so, -// subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
-var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - -var uriScheme = 1; -var uriDomain = 5; -var uriPort = 6; -var uriPath = 7; -var uriPathAlt = 9; -var uriQuery = 11; - -function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); -} - -function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; -} - -function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; -} - -var extFromPage = /\.[^.]+$/; -function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } -} - -function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); -} - -function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); -} - -var pageFromPathRegExp = /\/([^\/]+)$/; -var pageName = 1; - -function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; -} - -function page(dst, src) { - return url_wrapper(dst, src, extract_page); -} - -function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; -} - -function path(dst, src) { - return url_wrapper(dst, src, extract_path); -} - -// Map common schemes to their default port. -// port has to be a string (will be converted at a later stage). 
-var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", -}; - -function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } -} - -function port(dst, src) { - return url_wrapper(dst, src, extract_port); -} - -function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; -} - -function query(dst, src) { - return url_wrapper(dst, src, extract_query); -} - -function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } -} - -function root(dst, src) { - return url_wrapper(dst, src, extract_root); -} - -function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0;
- var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$');
- return function(evt) {
- var msg = evt.Get(src);
- if (msg === undefined) {
- console.warn("tagval: input field is missing");
- return fail(evt);
- }
- var pairs = msg.split(cfg.pair_separator);
- var i;
- var success = false;
- var prev = "";
- for (i=0; i 0 &&
- value.length >= cfg.open_quote.length + cfg.close_quote.length &&
- value.substr(0, cfg.open_quote.length) === cfg.open_quote &&
- value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) {
- value = value.substr(cfg.open_quote.length, value.length - quotes_len);
- }
- evt.Put(FIELDS_PREFIX + field, value);
- success = true;
- }
- if (!success) {
- return fail(evt);
- }
- if (on_success != null) {
- on_success(evt);
- }
- }
-}
-
-var ecs_mappings = {
- "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
- "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
- "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
- "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
- "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
- "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
- "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
- "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
- "application": {to:[{field: "network.application", setter: fld_set}]},
- "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
- "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
- "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
- "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
- "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
- "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
- "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
- "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
- "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
- "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
- "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
- "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
- "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
- "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
- "direction": {to:[{field: "network.direction", setter: fld_set}]},
- "directory": {to:[{field: "file.directory", setter: fld_set}]},
- "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
- "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
- "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
- "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
- "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
- "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
- "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
- "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
- "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
- "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
- "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
- "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
- "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
- "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
- "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
- "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
- "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
- "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
- "filepath": {to:[{field: "file.path", setter: fld_set}]},
- "filetype": {to:[{field: "file.type", setter: fld_set}]},
- "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
- "group": {to:[{field: "group.name", setter: fld_set}]},
- "groupid": {to:[{field: "group.id", setter: fld_set}]},
- "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
- "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
- "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
- "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
- "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
- "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
- "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
- "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
- "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
- "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
- "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
- "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
- "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
- "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
- "method": {to:[{field: "http.request.method", setter: fld_set}]},
- "msg": {to:[{field: "message", setter: fld_set}]},
- "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
- "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
- "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
- "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
- "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
- "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
- "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
- "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
- "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
- "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
- "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
- "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
- "product": {to:[{field: "observer.product", setter: fld_set}]},
- "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
- "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
- "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
- "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
- "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
- "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
- "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
- "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
- "severity": {to:[{field: "log.level", setter: fld_set}]},
- "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
- "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
- "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
- "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
- "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
- "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
- "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
- "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
- "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
- "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
- "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
- "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
- "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
-};
-
-var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
- "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
- "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
- "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
- "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
- "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
- "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
- "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
- "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
- "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
- "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
- "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
- "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
- "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
- "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
- "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
- "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
- "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
- "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
- "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
- "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
- "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
- "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
- "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
- "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
- "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
- "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
- "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
- "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
- "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
- "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
- "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
- "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
- "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
- "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
- "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
- "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
- "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
- "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
- "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
- "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
- "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
- "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
- "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
- "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
- "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
- "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
- "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
- "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
- "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
- "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
- "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
- "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
- "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
- "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
- "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
- "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
- "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
- "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
- "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
- "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
- "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
- "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
- "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
- "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
- "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
- "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
- "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
- "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
- "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
- "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
- "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
- "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
- "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
- "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
- "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
- "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
- "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
- "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
- "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
- "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
- "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
- "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
- "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
- "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
- "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
- "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
- "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
- "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
- "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
- "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
- "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
- "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
- "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
- "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
- "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
- "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
- "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
- "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
- "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
- "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
- "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
- "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
- "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
- "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
- "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
- "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
- "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
- "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
- "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
- "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
- "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
- "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
- "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
- "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
- "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
- "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
- "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
- "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
- "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
- "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
- "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
- "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
- "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
- "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
- "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
- "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
- "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
- "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
- "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
- "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
- "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
- "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
- "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
- "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
- "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
- "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
- "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
- "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
- "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
- "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
- "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
- "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
- "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
- "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
- "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
- "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
- "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
- "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
- "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
- "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
- "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
- "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
- "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
- "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
- "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
- "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
- "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
- "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
- "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
- "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
- "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
- "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
- "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
- "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
- "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
- "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
- "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
- "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
- "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
- "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
- "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
- "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
- "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
- "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
- "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
- "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
- "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
- "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
- "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
- "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
- "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
- "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
- "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
- "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
- "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
- "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
- "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
- "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
- "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
- "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
- "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
- "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
- "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
- "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
- "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
- "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
- "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
- "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
- "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
- "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
- "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
- "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
- "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
- "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
- "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
- "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
- "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
- "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
- "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
- "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
- "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
- "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
- "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
- "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
- "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
- "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
- "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
- "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
- "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
- "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
- "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
- "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
- "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
- "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
- "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
- "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
- "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
- "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
- "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
- "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
- "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
- "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
- "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
- "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
- "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
- "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
- "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
- "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
- "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
- "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
- "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
- "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
- "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
- "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
- "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
- "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
- "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
- "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
- "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
- "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
- "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
- "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
- "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
- "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
- "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
- "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
- "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
- "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
- "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
- "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
- "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
- "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
- "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
- "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
- "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
- "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
- "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
- "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
- "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
- "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
- "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
- "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
- "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
- "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
- "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
- "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
- "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
- "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
- "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
- "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
- "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
- "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
- "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
- "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
- "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
- "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
- "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
- "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
- "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
- "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
- "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
- "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
- "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
- "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
- "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
- "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
- "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
- "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
- "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
- "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
- "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
- "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
- "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
- "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
- "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
- "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
- "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, -}; - -function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } -} - -// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. -var maxSafeInt = Math.pow(2, 53) - 1; -var minSafeInt = -maxSafeInt; - -function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; -} - -function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); -} - -var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; -var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - -function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; -} - -function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; -} - -function to_double(value) { - return parseFloat(value); -} - -function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; -} - -function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; -} - -function fld_set(dst, value) { - dst[this.field] = { v: value }; -} - -function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } -} - -function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } -} - -var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true -}; - -function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } -} - -function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } -} - -function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); -} - -var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, -]; - -function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - tzOffset = 
evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, -])); - -var dup16 = match("MESSAGE#19:GET:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup13, - dup8, - dup9, - dup10, - dup14, - dup12, -])); - -var dup17 = match("MESSAGE#2:POST", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, -])); - -var dup18 = match("MESSAGE#21:POST:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ - dup1, - dup2, - dup4, - dup13, - dup8, - dup9, - dup10, - dup14, - dup12, -])); - -var dup19 = match("MESSAGE#3:PUT", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ - dup1, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, -])); - -var dup20 = match("MESSAGE#22:PUT:01", "nwparser.payload", 
"%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ - dup1, - dup13, - dup8, - dup9, - dup10, - dup14, - dup12, -])); - -var hdr1 = match("HEADER#0:0001", "message", "%{hsaddr->} %{hsport->} [%{fld20->} %{fld21}] \"%{messageid->} %{p0}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hsaddr"), - constant(" "), - field("hsport"), - constant(" ["), - field("fld20"), - constant(" "), - field("fld21"), - constant("] \""), - field("messageid"), - constant(" "), - field("p0"), - ], - }), -])); - -var hdr2 = match("HEADER#1:0002", "message", "%{hevent_time_string->} %{hduration->} %{hsaddr->} %{haction}/%{hresultcode->} %{hsbytes->} %{messageid->} %{p0}", processor_chain([ - setc("header_id","0002"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hevent_time_string"), - constant(" "), - field("hduration"), - constant(" "), - field("hsaddr"), - constant(" "), - field("haction"), - constant("/"), - field("hresultcode"), - constant(" "), - field("hsbytes"), - constant(" "), - field("messageid"), - constant(" "), - field("p0"), - ], - }), -])); - -var select1 = linear_select([ - hdr1, - hdr2, -]); - -var msg1 = msg("GET", dup15); - -var part1 = match("MESSAGE#18:GET:02", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{resultcode->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action->} %{daddr->} %{content_type->} %{duration}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, -])); - -var msg2 = msg("GET:02", part1); - -var msg3 = msg("GET:01", dup16); - -var select2 = linear_select([ - msg1, - msg2, - msg3, -]); - -var msg4 = msg("HEAD", dup15); - -var msg5 = msg("HEAD:01", dup16); - -var select3 = 
linear_select([ - msg4, - msg5, -]); - -var msg6 = msg("POST", dup17); - -var msg7 = msg("POST:01", dup18); - -var select4 = linear_select([ - msg6, - msg7, -]); - -var msg8 = msg("PUT", dup19); - -var msg9 = msg("PUT:01", dup20); - -var select5 = linear_select([ - msg8, - msg9, -]); - -var msg10 = msg("DELETE", dup19); - -var msg11 = msg("DELETE:01", dup20); - -var select6 = linear_select([ - msg10, - msg11, -]); - -var msg12 = msg("TRACE", dup19); - -var msg13 = msg("TRACE:01", dup20); - -var select7 = linear_select([ - msg12, - msg13, -]); - -var msg14 = msg("OPTIONS", dup19); - -var msg15 = msg("OPTIONS:01", dup20); - -var select8 = linear_select([ - msg14, - msg15, -]); - -var msg16 = msg("CONNECT", dup17); - -var msg17 = msg("CONNECT:01", dup18); - -var select9 = linear_select([ - msg16, - msg17, -]); - -var msg18 = msg("ICP_QUERY", dup19); - -var msg19 = msg("ICP_QUERY:01", dup20); - -var select10 = linear_select([ - msg18, - msg19, -]); - -var msg20 = msg("PURGE", dup19); - -var msg21 = msg("PURGE:01", dup20); - -var select11 = linear_select([ - msg20, - msg21, -]); - -var msg22 = msg("PROPFIND", dup19); - -var msg23 = msg("PROPFIND:01", dup20); - -var select12 = linear_select([ - msg22, - msg23, -]); - -var msg24 = msg("PROPATCH", dup19); - -var msg25 = msg("PROPATCH:01", dup20); - -var select13 = linear_select([ - msg24, - msg25, -]); - -var msg26 = msg("MKOL", dup19); - -var msg27 = msg("MKOL:01", dup20); - -var select14 = linear_select([ - msg26, - msg27, -]); - -var msg28 = msg("COPY", dup19); - -var msg29 = msg("COPY:01", dup20); - -var select15 = linear_select([ - msg28, - msg29, -]); - -var msg30 = msg("MOVE", dup19); - -var msg31 = msg("MOVE:01", dup20); - -var select16 = linear_select([ - msg30, - msg31, -]); - -var msg32 = msg("LOCK", dup19); - -var msg33 = msg("LOCK:01", dup20); - -var select17 = linear_select([ - msg32, - msg33, -]); - -var msg34 = msg("UNLOCK", dup19); - -var msg35 = msg("UNLOCK:01", dup20); - -var select18 = linear_select([ - 
msg34, - msg35, -]); - -var msg36 = msg("NONE", dup19); - -var msg37 = msg("NONE:01", dup20); - -var select19 = linear_select([ - msg36, - msg37, -]); - -var chain1 = processor_chain([ - select1, - msgid_select({ - "CONNECT": select9, - "COPY": select15, - "DELETE": select6, - "GET": select2, - "HEAD": select3, - "ICP_QUERY": select10, - "LOCK": select17, - "MKOL": select14, - "MOVE": select16, - "NONE": select19, - "OPTIONS": select8, - "POST": select4, - "PROPATCH": select13, - "PROPFIND": select12, - "PURGE": select11, - "PUT": select5, - "TRACE": select7, - "UNLOCK": select18, - }), -]); - -var part2 = match("MESSAGE#0:GET", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, -])); - -var part3 = match("MESSAGE#19:GET:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup13, - dup8, - dup9, - dup10, - dup14, - dup12, -])); - -var part4 = match("MESSAGE#2:POST", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, -])); - -var part5 = match("MESSAGE#21:POST:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} 
%{content_type}", processor_chain([ - dup1, - dup2, - dup4, - dup13, - dup8, - dup9, - dup10, - dup14, - dup12, -])); - -var part6 = match("MESSAGE#3:PUT", "nwparser.payload", "%{saddr->} %{sport->} [%{fld20->} %{fld21}] \"%{web_method->} %{url->} %{network_service}\" %{daddr->} %{fld1->} %{username->} \"%{webpage}\" %{resultcode->} %{content_type->} %{sbytes->} \"%{web_referer}\" \"%{user_agent}\" %{action}", processor_chain([ - dup1, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, -])); - -var part7 = match("MESSAGE#22:PUT:01", "nwparser.payload", "%{event_time_string}.%{fld20->} %{duration->} %{saddr->} %{action}/%{resultcode->} %{sbytes->} %{web_method->} %{url->} %{username->} %{h_code}/%{daddr->} %{content_type}", processor_chain([ - dup1, - dup13, - dup8, - dup9, - dup10, - dup14, - dup12, -])); diff --git a/x-pack/filebeat/module/squid/log/ingest/pipeline.yml b/x-pack/filebeat/module/squid/log/ingest/pipeline.yml deleted file mode 100644 index f9f6ddaa027..00000000000 --- a/x-pack/filebeat/module/squid/log/ingest/pipeline.yml +++ /dev/null 
@@ -1,92 +0,0 @@ ---- -description: Pipeline for Squid - -processors: - # ECS event.ingested - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - # User agent - - user_agent: - field: user_agent.original - ignore_missing: true - # URL - - uri_parts: - field: url.original - target_field: _temp_.url - ignore_failure: true - if: ctx?.url?.original != null - - script: - lang: painless - description: Updates the URL ECS fields from the results of the URI parts processor to not overwrite the RSA mappings - if: ctx?._temp_?.url != null - source: | - for (entry in ctx._temp_.url.entrySet()) { - if (entry != null && entry.getValue() != null) { - if(ctx.url[entry.getKey()] == null) { - ctx.url[entry.getKey()] = entry.getValue(); - } else if (!ctx.url[entry.getKey()].contains(entry.getValue())) { - ctx.url[entry.getKey()] = [ctx.url[entry.getKey()]]; - ctx.url[entry.getKey()].add(entry.getValue()); - } - } - } - - remove: - field: _temp_ - ignore_missing: true - - remove: - field: url.scheme - ignore_missing: true - if: ctx?.url?.scheme == ctx?.url?.domain - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name 
- target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.hosts - value: '{{host.name}}' - allow_duplicates: false - if: ctx.host?.name != null && ctx.host?.name != '' -on_failure: - - append: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/squid/log/manifest.yml b/x-pack/filebeat/module/squid/log/manifest.yml deleted file mode 100644 index 6e909b014f5..00000000000 --- a/x-pack/filebeat/module/squid/log/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -module_version: "1.0" - -var: - - name: paths - - name: tags - default: ["squid.log", "forwarded"] - - name: syslog_host - default: localhost - - name: syslog_port - default: 9537 - - name: input - default: udp - - name: community_id - default: true - - name: tz_offset - default: local - - name: rsa_fields - default: true - - name: keep_raw_fields - default: false - - name: debug - default: false - -ingest_pipeline: ingest/pipeline.yml -input: config/input.yml - -requires.processors: -- name: geoip - plugin: ingest-geoip -- name: user_agent - plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/squid/log/test/access1.log b/x-pack/filebeat/module/squid/log/test/access1.log deleted file mode 100644 index cb21bd0fc0b..00000000000 --- a/x-pack/filebeat/module/squid/log/test/access1.log +++ /dev/null 
@@ -1,100 +0,0 @@ -1157689312.049 5006 10.105.21.199 TCP_MISS/200 19763 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 - -1157689320.327 2864 10.105.21.199 TCP_MISS/200 10182 GET http://www.goonernews.com/ badeyek DIRECT/207.58.145.61 text/html -1157689320.343 1357 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/styles.css badeyek DIRECT/207.58.145.61 - -1157689321.315 1 10.105.21.199 TCP_HIT/200 1464 GET http://www.goonernews.com/styles.css badeyek NONE/- text/css -1157689322.780 1464 10.105.21.199 TCP_HIT/200 5626 GET http://www.google-analytics.com/urchin.js badeyek NONE/- text/javascript -1157689323.718 3856 10.105.21.199 TCP_MISS/200 30169 GET http://www.goonernews.com/ badeyek DIRECT/207.58.145.61 text/html -1157689324.156 1372 10.105.21.199 TCP_MISS/200 399 GET http://www.google-analytics.com/__utm.gif? badeyek DIRECT/66.102.9.147 image/gif -1157689324.266 1457 10.105.21.199 TCP_REFRESH_HIT/304 215 GET http://www.goonernews.com/graphics/newslogo.gif badeyek DIRECT/207.58.145.61 - -1157689324.281 1465 10.105.21.199 TCP_REFRESH_HIT/304 215 GET http://www.goonernews.com/shop/arsenal_shop_ad.jpg badeyek DIRECT/207.58.145.61 - -1157689325.734 1452 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/flags/FUS.gif badeyek DIRECT/207.58.145.61 - -1157689325.736 2 10.105.21.199 TCP_HIT/200 1353 GET http://www.goonernews.com/flags/FGB.gif badeyek NONE/- image/gif -1157689325.953 2603 10.105.21.199 TCP_MISS/200 1013 GET http://as.casalemedia.com/s? badeyek DIRECT/209.85.16.38 text/html -1157689326.703 4459 10.105.21.199 TCP_MISS/200 1845 CONNECT us.bc.yahoo.com:443 badeyek DIRECT/68.142.213.132 - -1157689327.312 1356 10.105.21.199 TCP_MISS/302 729 GET http://impgb.tradedoubler.com/imp/img/16349696/992098 badeyek DIRECT/217.212.240.172 text/html -1157689327.751 3484 10.105.21.199 TCP_MISS/200 1577 GET http://4.adbrite.com/mb/text_group.php? 
badeyek DIRECT/206.169.136.22 text/html -1157689327.803 9 10.105.21.199 TCP_HIT/200 1353 GET http://www.goonernews.com/flags/FFR.gif badeyek NONE/- image/gif -1157689329.234 1431 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/flags/FAU.gif badeyek DIRECT/207.58.145.61 - -1157689329.280 1414 10.105.21.199 TCP_REFRESH_HIT/304 213 GET http://www.goonernews.com/graphics/spacer.gif badeyek DIRECT/207.58.145.61 - -1157689330.920 1686 10.105.21.199 TCP_MISS/200 1784 GET http://4.adbrite.com/mb/text_group.php? badeyek DIRECT/64.127.126.178 text/html -1157689331.313 3997 10.105.21.199 TCP_MISS/302 851 GET http://ff.connextra.com/Ladbrokes/selector/image? badeyek DIRECT/213.160.98.161 - -1157689335.275 3962 10.105.21.199 TCP_MISS/200 30904 GET http://dd.connextra.com/servlet/controller? badeyek DIRECT/213.160.98.160 image/gif -1157689337.481 4 10.105.47.218 TCP_DENIED/407 1661 GET http://hi5.com/ - NONE/- text/html -1157689342.757 3657 10.105.21.199 TCP_MISS/200 12569 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 - -1157689343.106 1 10.105.33.214 TCP_DENIED/407 1752 GET http://update.messenger.yahoo.com/msgrcli7.html - NONE/- text/html -1157689343.782 1371 10.105.33.214 TCP_MISS/200 484 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain -1157689344.736 4969 10.105.47.218 TCP_MISS/200 29359 GET http://hi5.com/ nazsoau DIRECT/204.13.51.238 text/html -1157689344.798 1631 10.105.47.218 TCP_MISS/200 5930 GET http://hi5.com/friend/styles/homepage.css nazsoau DIRECT/204.13.51.238 text/css -1157689345.641 1810 10.105.33.214 TCP_MISS/200 1645 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain -1157689346.267 880 10.105.37.58 TCP_DENIED/407 1812 GET http://rms.adobe.com/read/0600/win_/ENU/read0600win_ENUadbe0000.xml - NONE/- text/html -1157689347.190 10 10.105.47.218 TCP_IMS_HIT/304 217 GET http://images.hi5.com/styles/style.css nazsoau NONE/- text/css -1157689347.307 116 
10.105.47.218 TCP_IMS_HIT/304 217 GET http://images.hi5.com/friend/styles/buttons_en_us.css nazsoau NONE/- text/css -1157689347.751 6160 10.105.47.218 TCP_MISS/200 27799 GET http://hi5.com/ nazsoau DIRECT/204.13.51.238 text/html -1157689349.064 1758 10.105.47.218 TCP_MISS/200 4470 GET http://hi5.com/friend/styles/headernav.css nazsoau DIRECT/204.13.51.238 text/css -1157689350.829 1393 10.105.33.214 TCP_MISS/200 382 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain -1157689353.439 3667 10.105.33.214 TCP_MISS/200 24095 GET http://insider.msg.yahoo.com/? adeolaegbedokun DIRECT/68.142.194.14 text/html -1157689353.939 4899 10.105.33.214 TCP_MISS/200 22964 GET http://radio.launch.yahoo.com/radio/play/playmessenger.asp adeolaegbedokun DIRECT/68.142.219.132 text/html -1157689354.877 1349 10.105.33.214 TCP_MISS/200 646 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain -1157689355.517 1578 10.105.33.214 TCP_MISS/200 699 GET http://address.yahoo.com/yab/us? adeolaegbedokun DIRECT/209.191.93.51 text/xml -1157689356.907 6741 10.105.21.199 TCP_MISS/302 734 GET http://fxfeeds.mozilla.org/rss20.xml badeyek DIRECT/63.245.209.21 text/html -1157689357.267 6424 10.105.33.214 TCP_MISS/200 31400 GET http://insider.msg.yahoo.com/ycontent/? adeolaegbedokun DIRECT/68.142.231.252 text/xml -1157689357.720 2831 10.105.33.214 TCP_MISS/200 21152 GET http://insider.msg.yahoo.com/ycontent/? 
adeolaegbedokun DIRECT/68.142.194.14 text/xml -1157689358.173 1 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html -1157689358.174 0 10.105.37.17 TCP_DENIED/407 1767 POST http://us.mcafee.com/apps/agent/submgr/appinstru.asp - NONE/- text/html -1157689358.174 0 10.105.37.17 TCP_DENIED/407 1761 POST http://us.mcafee.com/apps/agent/submgr/appsync.asp - NONE/- text/html -1157689358.226 0 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html -1157689358.486 711 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations.gif adeolaegbedokun DIRECT/68.142.219.132 - -1157689358.683 0 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html -1157689359.199 713 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations_over.gif adeolaegbedokun DIRECT/68.142.219.132 - -1157689359.269 1982 10.105.33.214 TCP_MISS/200 362 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain -1157689359.924 725 10.105.33.214 TCP_REFRESH_HIT/304 511 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_left.gif adeolaegbedokun DIRECT/68.142.219.132 - -1157689360.611 687 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/launchcast_radio.gif adeolaegbedokun DIRECT/68.142.219.132 - -1157689360.980 1 10.105.47.191 TCP_DENIED/407 1767 POST http://us.mcafee.com/apps/agent/submgr/appinstru.asp - NONE/- text/html -1157689361.188 1 10.105.47.191 TCP_DENIED/407 1761 POST http://us.mcafee.com/apps/agent/submgr/appsync.asp - NONE/- text/html -1157689361.393 783 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_right.gif adeolaegbedokun DIRECT/68.142.219.132 - -1157689361.564 2242 10.105.33.214 TCP_REFRESH_HIT/304 512 GET 
http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_center.gif adeolaegbedokun DIRECT/68.142.219.132 - -1157689362.220 827 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_off.gif adeolaegbedokun DIRECT/68.142.219.132 - -1157689362.315 751 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif adeolaegbedokun DIRECT/68.142.219.132 - -1157689362.318 3 10.105.33.214 TCP_IMS_HIT/304 218 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_off_state_station.gif adeolaegbedokun NONE/- image/gif -1157689362.332 13 10.105.33.214 TCP_IMS_HIT/304 218 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_fill.gif adeolaegbedokun NONE/- image/gif -1157689362.341 8 10.105.33.214 TCP_HIT/200 2263 GET http://us.i1.yimg.com/us.yimg.com/i/us/toolbar50x50.gif adeolaegbedokun NONE/- image/gif -1157689363.423 6517 10.105.21.199 TCP_REFRESH_MISS/200 17396 GET http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml badeyek DIRECT/212.58.226.33 application/xml -1157689364.361 2140 10.105.33.214 TCP_MISS/200 407 GET http://insider.msg.yahoo.com/ycontent/beacon.php adeolaegbedokun DIRECT/68.142.231.252 image/gif -1157689364.402 7 10.105.33.214 TCP_IMS_HIT/304 219 GET http://us.ent1.yimg.com/images.launch.yahoo.com/000/032/457/32457654.jpg adeolaegbedokun NONE/- image/jpeg -1157689364.411 8 10.105.33.214 TCP_HIT/200 10593 GET http://us.news1.yimg.com/us.yimg.com/p/ap/20060906/thumb.71d29ded334347c48ac88433d033c9a9.pakistan_bin_laden_nyol440.jpg adeolaegbedokun NONE/- image/jpeg -1157689365.312 2420 10.105.33.214 TCP_MISS/302 1270 POST http://radio.launch.yahoo.com/radio/play/authplay.asp adeolaegbedokun DIRECT/68.142.219.132 text/html -1157689366.377 1966 10.105.33.214 TCP_MISS/200 10519 GET 
http://us.news1.yimg.com/us.yimg.com/p/ap/20060908/thumb.443f57762d7349669f609fbf0c97a5f1.academy_awards_host_cacp101.jpg adeolaegbedokun DIRECT/213.160.98.159 image/jpeg -1157689368.080 1703 10.105.33.214 TCP_MISS/200 515 GET http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp? adeolaegbedokun DIRECT/68.142.219.132 text/xml -1157689368.370 3057 10.105.33.214 TCP_MISS/200 14411 GET http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp? adeolaegbedokun DIRECT/68.142.219.132 text/xml -1157689368.889 808 10.105.33.214 TCP_MISS/200 1627 GET http://radio.launch.yahoo.com/radio/play/authplay.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html -1157689369.097 1226 10.105.37.65 TCP_DENIED/407 1728 GET http://natrocket.kmip.net:5288/iesocks? - NONE/- text/html -1157689369.702 0 10.105.37.65 TCP_DENIED/407 1725 GET http://natrocket.kmip.net:5288/return? - NONE/- text/html -1157689370.125 1202 10.105.33.214 TCP_MISS/200 13124 GET http://us.news1.yimg.com/us.yimg.com/p/ap/20060907/thumb.1caf18e56db54eafb16da58356eb3382.amazon_com_online_video_watw101.jpg adeolaegbedokun DIRECT/213.160.98.159 image/jpeg -1157689370.862 736 10.105.33.214 TCP_MISS/302 912 GET http://radio.launch.yahoo.com/radio/clientdata/515/starter.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html -1157689371.690 828 10.105.33.214 TCP_MISS/200 1450 GET http://radio.launch.yahoo.com/radio/player/default.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html -1157689371.987 3617 10.105.33.214 TCP_MISS/200 30432 GET http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_messenger/081106_lrec_msgr_interophitchhiker.swf? adeolaegbedokun DIRECT/213.160.98.152 application/x-shockwave-flash -1157689373.315 1626 10.105.33.214 TCP_MISS/200 14643 GET http://radio.launch.yahoo.com/radio/player/stickwall.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html -1157689374.065 2078 10.105.33.214 TCP_MISS/200 425 GET http://us.bc.yahoo.com/b? 
adeolaegbedokun DIRECT/68.142.213.132 image/gif -1157689376.221 2130 10.105.33.214 TCP_MISS/200 407 GET http://insider.msg.yahoo.com/ycontent/beacon.php;_ylc=X1MDNTcwMzAyODMEX3IDMgRldnQDdDAEaW50bAN1cwR2ZXIDNywwLDIsMTIw? adeolaegbedokun DIRECT/68.142.194.14 image/gif -1157689377.171 3412 10.105.33.214 TCP_MISS/200 1476 CONNECT pclick.internal.yahoo.com:443 adeolaegbedokun DIRECT/216.109.124.55 - -1157689377.191 11 10.105.33.214 TCP_IMS_HIT/304 233 GET http://a1568.g.akamai.net/7/1568/1600/20051025184124/radio.launch.yahoo.com/radioapi/includes/js/compVersionedJS/rapiBridge_1_4.js adeolaegbedokun NONE/- application/x-javascript -1157689377.424 1159 10.105.33.214 TCP_MISS/304 236 GET http://a1568.g.akamai.net/7/1568/1600/20040405222754/radio.launch.yahoo.com/radio/clientdata/515/other.css adeolaegbedokun DIRECT/213.160.98.159 text/css -1157689378.221 797 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_left.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif -1157689378.473 3288 10.105.21.199 TCP_MISS/200 2681 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 - -1157689378.909 1405 10.105.33.214 TCP_MISS/304 136 GET http://a1568.g.akamai.net/7/1568/1600/20050829181418/radio.launch.yahoo.com/radio/common_radio/resources/images/noaccess_msgr_uk.gif adeolaegbedokun DIRECT/213.160.98.167 - -1157689378.924 702 10.105.33.214 TCP_MISS/304 237 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_right.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif -1157689378.929 4 10.105.33.214 TCP_IMS_HIT/304 218 GET http://a1568.g.akamai.net/7/1568/1600/20040405222807/radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif adeolaegbedokun NONE/- image/gif -1157689379.472 563 10.105.33.214 TCP_MISS/304 238 GET 
http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_off.gif adeolaegbedokun DIRECT/213.160.98.167 image/gif -1157689379.488 560 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222756/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_center.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif -1157689380.159 685 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_fill.gif adeolaegbedokun DIRECT/213.160.98.167 image/gif -1157689381.267 1 10.105.37.180 TCP_DENIED/407 1728 GET http://www.google.com/supported_domains - NONE/- text/html -1157689381.659 0 10.105.47.191 TCP_DENIED/407 1782 GET http://us.mcafee.com/apps/agent/en-us/agent5/chknews.asp? - NONE/- text/html -1157689381.660 2171 10.105.33.214 TCP_MISS/200 449 GET http://launch.adserver.yahoo.com/l? adeolaegbedokun DIRECT/216.109.125.112 image/gif -1157689382.173 3700 10.105.21.199 TCP_MISS/200 11746 GET http://uk.f250.mail.yahoo.com/dc/launch? 
badeyek DIRECT/217.12.10.96 text/html -1157689382.622 1 10.105.37.180 TCP_DENIED/407 1670 CONNECT login.live.com:443 - NONE/- text/html -1157689384.316 2828 10.105.21.199 TCP_SWAPFAIL_MISS/200 633 GET http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/77cf3e56414f974dfd8616f56f0f632c_1.js badeyek DIRECT/213.160.98.169 application/x-javascript -1157689385.714 1397 10.105.21.199 TCP_HIT/200 1742 GET http://us.js1.yimg.com/us.yimg.com/lib/hdr/ygma5.css badeyek NONE/- text/css -1157689387.690 1977 10.105.21.199 TCP_MISS/200 14561 GET http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/f7fc76100697c9c2d25dd0ec35e563b0_1.js badeyek DIRECT/213.160.98.169 application/x-javascript -1157689387.771 80 10.105.21.199 TCP_HIT/200 68733 GET http://us.js1.yimg.com/us.yimg.com/lib/pim/r/medici/13_15/mail/ac.js badeyek NONE/- application/x-javascript -1157689387.830 1 10.105.21.199 TCP_HIT/200 898 GET http://us.js2.yimg.com/us.js.yimg.com/lib/common/utils/2/yahoo_2.0.0-b4.js badeyek NONE/- application/x-javascript -1157689387.832 60 10.105.21.199 TCP_HIT/200 26803 GET http://us.i1.yimg.com/us.yimg.com/i/us/pim/dclient/d/img/liam_ball_1.gif badeyek NONE/- image/gif diff --git a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json deleted file mode 100644 index f993048245a..00000000000 --- a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json +++ /dev/null 
@@ -1,6062 +0,0 @@ -[ - { - "@timestamp": "2006-09-08T04:21:52.000Z", - "destination.ip": "209.73.177.115", - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689312.049 5006 10.105.21.199 TCP_MISS/200 19763 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 0, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "login.yahoo.com" - ], - "related.ip": [ - "10.105.21.199", - "209.73.177.115" - ], - "related.user": [ - "badeyek" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "login.yahoo.com", - "rsa.time.duration_time": 5006, - "rsa.time.event_time": "2006-09-08T04:21:52.000Z", - "rsa.time.event_time_str": "1157689312", - "rsa.web.alias_host": "login.yahoo.com", - "server.domain": "login.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "login", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 19763, - "source.ip": "10.105.21.199", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "login.yahoo.com", - "url.original": "login.yahoo.com:443", - "url.registered_domain": "yahoo.com", - "url.subdomain": "login", - "url.top_level_domain": "com", - "user.name": "badeyek" - }, - { - "@timestamp": "2006-09-08T04:22:00.000Z", - "destination.ip": "207.58.145.61", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689320.327 2864 10.105.21.199 TCP_MISS/200 10182 GET http://www.goonernews.com/ badeyek DIRECT/207.58.145.61 text/html", - 
"fileset.name": "log", - "input.type": "log", - "log.offset": 115, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "www.goonernews.com" - ], - "related.ip": [ - "10.105.21.199", - "207.58.145.61" - ], - "related.user": [ - "badeyek" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.goonernews.com", - "rsa.time.duration_time": 2864, - "rsa.time.event_time": "2006-09-08T04:22:00.000Z", - "rsa.time.event_time_str": "1157689320", - "rsa.web.alias_host": "www.goonernews.com", - "server.domain": "www.goonernews.com", - "server.registered_domain": "goonernews.com", - "server.subdomain": "www", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 10182, - "source.ip": "10.105.21.199", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www.goonernews.com", - "url.original": "http://www.goonernews.com/", - "url.path": "/", - "url.registered_domain": "goonernews.com", - "url.scheme": "http", - "url.subdomain": "www", - "url.top_level_domain": "com", - "user.name": "badeyek" - }, - { - "@timestamp": "2006-09-08T04:22:00.000Z", - "destination.ip": "207.58.145.61", - "event.action": "TCP_REFRESH_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689320.343 1357 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/styles.css badeyek DIRECT/207.58.145.61 -", - "file.name": "styles.css", - "fileset.name": "log", - "input.type": "log", - "log.offset": 240, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "www.goonernews.com" - ], - 
"related.ip": [ - "10.105.21.199", - "207.58.145.61" - ], - "related.user": [ - "badeyek" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "304", - "rsa.network.domain": "www.goonernews.com", - "rsa.time.duration_time": 1357, - "rsa.time.event_time": "2006-09-08T04:22:00.000Z", - "rsa.time.event_time_str": "1157689320", - "rsa.web.alias_host": "www.goonernews.com", - "server.domain": "www.goonernews.com", - "server.registered_domain": "goonernews.com", - "server.subdomain": "www", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 214, - "source.ip": "10.105.21.199", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www.goonernews.com", - "url.extension": "css", - "url.original": "http://www.goonernews.com/styles.css", - "url.path": "/styles.css", - "url.registered_domain": "goonernews.com", - "url.scheme": "http", - "url.subdomain": "www", - "url.top_level_domain": "com", - "user.name": "badeyek" - }, - { - "@timestamp": "2006-09-08T04:22:01.000Z", - "event.action": "TCP_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689321.315 1 10.105.21.199 TCP_HIT/200 1464 GET http://www.goonernews.com/styles.css badeyek NONE/- text/css", - "file.name": "styles.css", - "fileset.name": "log", - "input.type": "log", - "log.offset": 372, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "www.goonernews.com" - ], - "related.ip": [ - "10.105.21.199" - ], - "related.user": [ - "badeyek" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": 
"NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_HIT" - ], - "rsa.misc.content_type": "text/css", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.goonernews.com", - "rsa.time.duration_time": 1, - "rsa.time.event_time": "2006-09-08T04:22:01.000Z", - "rsa.time.event_time_str": "1157689321", - "rsa.web.alias_host": "www.goonernews.com", - "server.domain": "www.goonernews.com", - "server.registered_domain": "goonernews.com", - "server.subdomain": "www", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 1464, - "source.ip": "10.105.21.199", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www.goonernews.com", - "url.extension": "css", - "url.original": "http://www.goonernews.com/styles.css", - "url.path": "/styles.css", - "url.registered_domain": "goonernews.com", - "url.scheme": "http", - "url.subdomain": "www", - "url.top_level_domain": "com", - "user.name": "badeyek" - }, - { - "@timestamp": "2006-09-08T04:22:02.000Z", - "event.action": "TCP_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689322.780 1464 10.105.21.199 TCP_HIT/200 5626 GET http://www.google-analytics.com/urchin.js badeyek NONE/- text/javascript", - "file.name": "urchin.js", - "fileset.name": "log", - "input.type": "log", - "log.offset": 490, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "www.google-analytics.com" - ], - "related.ip": [ - "10.105.21.199" - ], - "related.user": [ - "badeyek" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_HIT" - ], - "rsa.misc.content_type": "text/javascript", - "rsa.misc.result_code": "200", - "rsa.network.domain": 
"www.google-analytics.com", - "rsa.time.duration_time": 1464, - "rsa.time.event_time": "2006-09-08T04:22:02.000Z", - "rsa.time.event_time_str": "1157689322", - "rsa.web.alias_host": "www.google-analytics.com", - "server.domain": "www.google-analytics.com", - "server.registered_domain": "google-analytics.com", - "server.subdomain": "www", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 5626, - "source.ip": "10.105.21.199", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www.google-analytics.com", - "url.extension": "js", - "url.original": "http://www.google-analytics.com/urchin.js", - "url.path": "/urchin.js", - "url.registered_domain": "google-analytics.com", - "url.scheme": "http", - "url.subdomain": "www", - "url.top_level_domain": "com", - "user.name": "badeyek" - }, - { - "@timestamp": "2006-09-08T04:22:03.000Z", - "destination.ip": "207.58.145.61", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689323.718 3856 10.105.21.199 TCP_MISS/200 30169 GET http://www.goonernews.com/ badeyek DIRECT/207.58.145.61 text/html", - "fileset.name": "log", - "input.type": "log", - "log.offset": 620, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "www.goonernews.com" - ], - "related.ip": [ - "10.105.21.199", - "207.58.145.61" - ], - "related.user": [ - "badeyek" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.goonernews.com", - "rsa.time.duration_time": 3856, - "rsa.time.event_time": "2006-09-08T04:22:03.000Z", - "rsa.time.event_time_str": "1157689323", - 
"rsa.web.alias_host": "www.goonernews.com", - "server.domain": "www.goonernews.com", - "server.registered_domain": "goonernews.com", - "server.subdomain": "www", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 30169, - "source.ip": "10.105.21.199", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www.goonernews.com", - "url.original": "http://www.goonernews.com/", - "url.path": "/", - "url.registered_domain": "goonernews.com", - "url.scheme": "http", - "url.subdomain": "www", - "url.top_level_domain": "com", - "user.name": "badeyek" - }, - { - "@timestamp": "2006-09-08T04:22:04.000Z", - "destination.ip": "66.102.9.147", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689324.156 1372 10.105.21.199 TCP_MISS/200 399 GET http://www.google-analytics.com/__utm.gif? badeyek DIRECT/66.102.9.147 image/gif", - "file.name": "__utm.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 745, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "www.google-analytics.com" - ], - "related.ip": [ - "10.105.21.199", - "66.102.9.147" - ], - "related.user": [ - "badeyek" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.google-analytics.com", - "rsa.time.duration_time": 1372, - "rsa.time.event_time": "2006-09-08T04:22:04.000Z", - "rsa.time.event_time_str": "1157689324", - "rsa.web.alias_host": "www.google-analytics.com", - "server.domain": "www.google-analytics.com", - "server.registered_domain": "google-analytics.com", - "server.subdomain": "www", - 
"server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 399, - "source.ip": "10.105.21.199", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www.google-analytics.com", - "url.extension": "gif", - "url.original": "http://www.google-analytics.com/__utm.gif?", - "url.path": "/__utm.gif", - "url.query": "", - "url.registered_domain": "google-analytics.com", - "url.scheme": "http", - "url.subdomain": "www", - "url.top_level_domain": "com", - "user.name": "badeyek" - }, - { - "@timestamp": "2006-09-08T04:22:04.000Z", - "destination.ip": "207.58.145.61", - "event.action": "TCP_REFRESH_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689324.266 1457 10.105.21.199 TCP_REFRESH_HIT/304 215 GET http://www.goonernews.com/graphics/newslogo.gif badeyek DIRECT/207.58.145.61 -", - "file.name": "newslogo.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 883, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "www.goonernews.com" - ], - "related.ip": [ - "10.105.21.199", - "207.58.145.61" - ], - "related.user": [ - "badeyek" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "304", - "rsa.network.domain": "www.goonernews.com", - "rsa.time.duration_time": 1457, - "rsa.time.event_time": "2006-09-08T04:22:04.000Z", - "rsa.time.event_time_str": "1157689324", - "rsa.web.alias_host": "www.goonernews.com", - "server.domain": "www.goonernews.com", - "server.registered_domain": "goonernews.com", - "server.subdomain": "www", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 215, - "source.ip": "10.105.21.199", - 
"tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www.goonernews.com", - "url.extension": "gif", - "url.original": "http://www.goonernews.com/graphics/newslogo.gif", - "url.path": "/graphics/newslogo.gif", - "url.registered_domain": "goonernews.com", - "url.scheme": "http", - "url.subdomain": "www", - "url.top_level_domain": "com", - "user.name": "badeyek" - }, - { - "@timestamp": "2006-09-08T04:22:04.000Z", - "destination.ip": "207.58.145.61", - "event.action": "TCP_REFRESH_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689324.281 1465 10.105.21.199 TCP_REFRESH_HIT/304 215 GET http://www.goonernews.com/shop/arsenal_shop_ad.jpg badeyek DIRECT/207.58.145.61 -", - "file.name": "arsenal_shop_ad.jpg", - "fileset.name": "log", - "input.type": "log", - "log.offset": 1026, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "www.goonernews.com" - ], - "related.ip": [ - "10.105.21.199", - "207.58.145.61" - ], - "related.user": [ - "badeyek" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "304", - "rsa.network.domain": "www.goonernews.com", - "rsa.time.duration_time": 1465, - "rsa.time.event_time": "2006-09-08T04:22:04.000Z", - "rsa.time.event_time_str": "1157689324", - "rsa.web.alias_host": "www.goonernews.com", - "server.domain": "www.goonernews.com", - "server.registered_domain": "goonernews.com", - "server.subdomain": "www", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 215, - "source.ip": "10.105.21.199", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www.goonernews.com", - "url.extension": "jpg", - 
"url.original": "http://www.goonernews.com/shop/arsenal_shop_ad.jpg", - "url.path": "/shop/arsenal_shop_ad.jpg", - "url.registered_domain": "goonernews.com", - "url.scheme": "http", - "url.subdomain": "www", - "url.top_level_domain": "com", - "user.name": "badeyek" - }, - { - "@timestamp": "2006-09-08T04:22:05.000Z", - "destination.ip": "207.58.145.61", - "event.action": "TCP_REFRESH_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689325.734 1452 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/flags/FUS.gif badeyek DIRECT/207.58.145.61 -", - "file.name": "FUS.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 1172, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "www.goonernews.com" - ], - "related.ip": [ - "10.105.21.199", - "207.58.145.61" - ], - "related.user": [ - "badeyek" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "304", - "rsa.network.domain": "www.goonernews.com", - "rsa.time.duration_time": 1452, - "rsa.time.event_time": "2006-09-08T04:22:05.000Z", - "rsa.time.event_time_str": "1157689325", - "rsa.web.alias_host": "www.goonernews.com", - "server.domain": "www.goonernews.com", - "server.registered_domain": "goonernews.com", - "server.subdomain": "www", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 214, - "source.ip": "10.105.21.199", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www.goonernews.com", - "url.extension": "gif", - "url.original": "http://www.goonernews.com/flags/FUS.gif", - "url.path": "/flags/FUS.gif", - "url.registered_domain": "goonernews.com", - 
"url.scheme": "http", - "url.subdomain": "www", - "url.top_level_domain": "com", - "user.name": "badeyek" - }, - { - "@timestamp": "2006-09-08T04:22:05.000Z", - "event.action": "TCP_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689325.736 2 10.105.21.199 TCP_HIT/200 1353 GET http://www.goonernews.com/flags/FGB.gif badeyek NONE/- image/gif", - "file.name": "FGB.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 1307, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "www.goonernews.com" - ], - "related.ip": [ - "10.105.21.199" - ], - "related.user": [ - "badeyek" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_HIT" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.goonernews.com", - "rsa.time.duration_time": 2, - "rsa.time.event_time": "2006-09-08T04:22:05.000Z", - "rsa.time.event_time_str": "1157689325", - "rsa.web.alias_host": "www.goonernews.com", - "server.domain": "www.goonernews.com", - "server.registered_domain": "goonernews.com", - "server.subdomain": "www", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 1353, - "source.ip": "10.105.21.199", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www.goonernews.com", - "url.extension": "gif", - "url.original": "http://www.goonernews.com/flags/FGB.gif", - "url.path": "/flags/FGB.gif", - "url.registered_domain": "goonernews.com", - "url.scheme": "http", - "url.subdomain": "www", - "url.top_level_domain": "com", - "user.name": "badeyek" - }, - { - "@timestamp": "2006-09-08T04:22:05.000Z", - "destination.ip": "209.85.16.38", - "event.action": "TCP_MISS", - "event.code": 
"GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689325.953 2603 10.105.21.199 TCP_MISS/200 1013 GET http://as.casalemedia.com/s? badeyek DIRECT/209.85.16.38 text/html", - "file.name": "s", - "fileset.name": "log", - "input.type": "log", - "log.offset": 1429, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "as.casalemedia.com" - ], - "related.ip": [ - "10.105.21.199", - "209.85.16.38" - ], - "related.user": [ - "badeyek" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "200", - "rsa.network.domain": "as.casalemedia.com", - "rsa.time.duration_time": 2603, - "rsa.time.event_time": "2006-09-08T04:22:05.000Z", - "rsa.time.event_time_str": "1157689325", - "rsa.web.alias_host": "as.casalemedia.com", - "server.domain": "as.casalemedia.com", - "server.registered_domain": "casalemedia.com", - "server.subdomain": "as", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 1013, - "source.ip": "10.105.21.199", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "as.casalemedia.com", - "url.original": "http://as.casalemedia.com/s?", - "url.path": "/s", - "url.query": "", - "url.registered_domain": "casalemedia.com", - "url.scheme": "http", - "url.subdomain": "as", - "url.top_level_domain": "com", - "user.name": "badeyek" - }, - { - "@timestamp": "2006-09-08T04:22:06.000Z", - "destination.ip": "68.142.213.132", - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689326.703 4459 10.105.21.199 TCP_MISS/200 1845 CONNECT us.bc.yahoo.com:443 badeyek DIRECT/68.142.213.132 -", - 
"fileset.name": "log", - "input.type": "log", - "log.offset": 1554, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "us.bc.yahoo.com" - ], - "related.ip": [ - "10.105.21.199", - "68.142.213.132" - ], - "related.user": [ - "badeyek" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "us.bc.yahoo.com", - "rsa.time.duration_time": 4459, - "rsa.time.event_time": "2006-09-08T04:22:06.000Z", - "rsa.time.event_time_str": "1157689326", - "rsa.web.alias_host": "us.bc.yahoo.com", - "server.domain": "us.bc.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "us.bc", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 1845, - "source.ip": "10.105.21.199", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "us.bc.yahoo.com", - "url.original": "us.bc.yahoo.com:443", - "url.registered_domain": "yahoo.com", - "url.subdomain": "us.bc", - "url.top_level_domain": "com", - "user.name": "badeyek" - }, - { - "@timestamp": "2006-09-08T04:22:07.000Z", - "destination.ip": "217.212.240.172", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689327.312 1356 10.105.21.199 TCP_MISS/302 729 GET http://impgb.tradedoubler.com/imp/img/16349696/992098 badeyek DIRECT/217.212.240.172 text/html", - "file.name": "992098", - "fileset.name": "log", - "input.type": "log", - "log.offset": 1668, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "impgb.tradedoubler.com" - ], - "related.ip": [ - "10.105.21.199", - "217.212.240.172" - ], - "related.user": [ - "badeyek" - ], - 
"rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "302", - "rsa.network.domain": "impgb.tradedoubler.com", - "rsa.time.duration_time": 1356, - "rsa.time.event_time": "2006-09-08T04:22:07.000Z", - "rsa.time.event_time_str": "1157689327", - "rsa.web.alias_host": "impgb.tradedoubler.com", - "server.domain": "impgb.tradedoubler.com", - "server.registered_domain": "tradedoubler.com", - "server.subdomain": "impgb", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 729, - "source.ip": "10.105.21.199", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "impgb.tradedoubler.com", - "url.original": "http://impgb.tradedoubler.com/imp/img/16349696/992098", - "url.path": "/imp/img/16349696/992098", - "url.registered_domain": "tradedoubler.com", - "url.scheme": "http", - "url.subdomain": "impgb", - "url.top_level_domain": "com", - "user.name": "badeyek" - }, - { - "@timestamp": "2006-09-08T04:22:07.000Z", - "destination.ip": "206.169.136.22", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689327.751 3484 10.105.21.199 TCP_MISS/200 1577 GET http://4.adbrite.com/mb/text_group.php? 
badeyek DIRECT/206.169.136.22 text/html", - "file.name": "text_group.php", - "fileset.name": "log", - "input.type": "log", - "log.offset": 1820, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "4.adbrite.com" - ], - "related.ip": [ - "10.105.21.199", - "206.169.136.22" - ], - "related.user": [ - "badeyek" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "200", - "rsa.network.domain": "4.adbrite.com", - "rsa.time.duration_time": 3484, - "rsa.time.event_time": "2006-09-08T04:22:07.000Z", - "rsa.time.event_time_str": "1157689327", - "rsa.web.alias_host": "4.adbrite.com", - "server.domain": "4.adbrite.com", - "server.registered_domain": "adbrite.com", - "server.subdomain": "4", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 1577, - "source.ip": "10.105.21.199", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "4.adbrite.com", - "url.extension": "php", - "url.original": "http://4.adbrite.com/mb/text_group.php?", - "url.path": "/mb/text_group.php", - "url.query": "", - "url.registered_domain": "adbrite.com", - "url.scheme": "http", - "url.subdomain": "4", - "url.top_level_domain": "com", - "user.name": "badeyek" - }, - { - "@timestamp": "2006-09-08T04:22:07.000Z", - "event.action": "TCP_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689327.803 9 10.105.21.199 TCP_HIT/200 1353 GET http://www.goonernews.com/flags/FFR.gif badeyek NONE/- image/gif", - "file.name": "FFR.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 1958, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": 
"Squid", - "related.hosts": [ - "www.goonernews.com" - ], - "related.ip": [ - "10.105.21.199" - ], - "related.user": [ - "badeyek" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_HIT" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "www.goonernews.com", - "rsa.time.duration_time": 9, - "rsa.time.event_time": "2006-09-08T04:22:07.000Z", - "rsa.time.event_time_str": "1157689327", - "rsa.web.alias_host": "www.goonernews.com", - "server.domain": "www.goonernews.com", - "server.registered_domain": "goonernews.com", - "server.subdomain": "www", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 1353, - "source.ip": "10.105.21.199", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www.goonernews.com", - "url.extension": "gif", - "url.original": "http://www.goonernews.com/flags/FFR.gif", - "url.path": "/flags/FFR.gif", - "url.registered_domain": "goonernews.com", - "url.scheme": "http", - "url.subdomain": "www", - "url.top_level_domain": "com", - "user.name": "badeyek" - }, - { - "@timestamp": "2006-09-08T04:22:09.000Z", - "destination.ip": "207.58.145.61", - "event.action": "TCP_REFRESH_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689329.234 1431 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/flags/FAU.gif badeyek DIRECT/207.58.145.61 -", - "file.name": "FAU.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 2080, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "www.goonernews.com" - ], - "related.ip": [ - "10.105.21.199", - "207.58.145.61" - ], - "related.user": [ - "badeyek" - ], - "rsa.internal.hcode": 
"DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "304", - "rsa.network.domain": "www.goonernews.com", - "rsa.time.duration_time": 1431, - "rsa.time.event_time": "2006-09-08T04:22:09.000Z", - "rsa.time.event_time_str": "1157689329", - "rsa.web.alias_host": "www.goonernews.com", - "server.domain": "www.goonernews.com", - "server.registered_domain": "goonernews.com", - "server.subdomain": "www", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 214, - "source.ip": "10.105.21.199", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www.goonernews.com", - "url.extension": "gif", - "url.original": "http://www.goonernews.com/flags/FAU.gif", - "url.path": "/flags/FAU.gif", - "url.registered_domain": "goonernews.com", - "url.scheme": "http", - "url.subdomain": "www", - "url.top_level_domain": "com", - "user.name": "badeyek" - }, - { - "@timestamp": "2006-09-08T04:22:09.000Z", - "destination.ip": "207.58.145.61", - "event.action": "TCP_REFRESH_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689329.280 1414 10.105.21.199 TCP_REFRESH_HIT/304 213 GET http://www.goonernews.com/graphics/spacer.gif badeyek DIRECT/207.58.145.61 -", - "file.name": "spacer.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 2215, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "www.goonernews.com" - ], - "related.ip": [ - "10.105.21.199", - "207.58.145.61" - ], - "related.user": [ - "badeyek" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - 
"rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "304", - "rsa.network.domain": "www.goonernews.com", - "rsa.time.duration_time": 1414, - "rsa.time.event_time": "2006-09-08T04:22:09.000Z", - "rsa.time.event_time_str": "1157689329", - "rsa.web.alias_host": "www.goonernews.com", - "server.domain": "www.goonernews.com", - "server.registered_domain": "goonernews.com", - "server.subdomain": "www", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 213, - "source.ip": "10.105.21.199", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www.goonernews.com", - "url.extension": "gif", - "url.original": "http://www.goonernews.com/graphics/spacer.gif", - "url.path": "/graphics/spacer.gif", - "url.registered_domain": "goonernews.com", - "url.scheme": "http", - "url.subdomain": "www", - "url.top_level_domain": "com", - "user.name": "badeyek" - }, - { - "@timestamp": "2006-09-08T04:22:10.000Z", - "destination.ip": "64.127.126.178", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689330.920 1686 10.105.21.199 TCP_MISS/200 1784 GET http://4.adbrite.com/mb/text_group.php? 
badeyek DIRECT/64.127.126.178 text/html", - "file.name": "text_group.php", - "fileset.name": "log", - "input.type": "log", - "log.offset": 2356, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "4.adbrite.com" - ], - "related.ip": [ - "10.105.21.199", - "64.127.126.178" - ], - "related.user": [ - "badeyek" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "200", - "rsa.network.domain": "4.adbrite.com", - "rsa.time.duration_time": 1686, - "rsa.time.event_time": "2006-09-08T04:22:10.000Z", - "rsa.time.event_time_str": "1157689330", - "rsa.web.alias_host": "4.adbrite.com", - "server.domain": "4.adbrite.com", - "server.registered_domain": "adbrite.com", - "server.subdomain": "4", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 1784, - "source.ip": "10.105.21.199", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "4.adbrite.com", - "url.extension": "php", - "url.original": "http://4.adbrite.com/mb/text_group.php?", - "url.path": "/mb/text_group.php", - "url.query": "", - "url.registered_domain": "adbrite.com", - "url.scheme": "http", - "url.subdomain": "4", - "url.top_level_domain": "com", - "user.name": "badeyek" - }, - { - "@timestamp": "2006-09-08T04:22:11.000Z", - "destination.ip": "213.160.98.161", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689331.313 3997 10.105.21.199 TCP_MISS/302 851 GET http://ff.connextra.com/Ladbrokes/selector/image? 
badeyek DIRECT/213.160.98.161 -", - "file.name": "image", - "fileset.name": "log", - "input.type": "log", - "log.offset": 2494, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "ff.connextra.com" - ], - "related.ip": [ - "10.105.21.199", - "213.160.98.161" - ], - "related.user": [ - "badeyek" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "302", - "rsa.network.domain": "ff.connextra.com", - "rsa.time.duration_time": 3997, - "rsa.time.event_time": "2006-09-08T04:22:11.000Z", - "rsa.time.event_time_str": "1157689331", - "rsa.web.alias_host": "ff.connextra.com", - "server.domain": "ff.connextra.com", - "server.registered_domain": "connextra.com", - "server.subdomain": "ff", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 851, - "source.ip": "10.105.21.199", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "ff.connextra.com", - "url.original": "http://ff.connextra.com/Ladbrokes/selector/image?", - "url.path": "/Ladbrokes/selector/image", - "url.query": "", - "url.registered_domain": "connextra.com", - "url.scheme": "http", - "url.subdomain": "ff", - "url.top_level_domain": "com", - "user.name": "badeyek" - }, - { - "@timestamp": "2006-09-08T04:22:15.000Z", - "destination.ip": "213.160.98.160", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689335.275 3962 10.105.21.199 TCP_MISS/200 30904 GET http://dd.connextra.com/servlet/controller? 
badeyek DIRECT/213.160.98.160 image/gif", - "file.name": "controller", - "fileset.name": "log", - "input.type": "log", - "log.offset": 2633, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "dd.connextra.com" - ], - "related.ip": [ - "10.105.21.199", - "213.160.98.160" - ], - "related.user": [ - "badeyek" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "dd.connextra.com", - "rsa.time.duration_time": 3962, - "rsa.time.event_time": "2006-09-08T04:22:15.000Z", - "rsa.time.event_time_str": "1157689335", - "rsa.web.alias_host": "dd.connextra.com", - "server.domain": "dd.connextra.com", - "server.registered_domain": "connextra.com", - "server.subdomain": "dd", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 30904, - "source.ip": "10.105.21.199", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "dd.connextra.com", - "url.original": "http://dd.connextra.com/servlet/controller?", - "url.path": "/servlet/controller", - "url.query": "", - "url.registered_domain": "connextra.com", - "url.scheme": "http", - "url.subdomain": "dd", - "url.top_level_domain": "com", - "user.name": "badeyek" - }, - { - "@timestamp": "2006-09-08T04:22:17.000Z", - "event.action": "TCP_DENIED", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689337.481 4 10.105.47.218 TCP_DENIED/407 1661 GET http://hi5.com/ - NONE/- text/html", - "fileset.name": "log", - "input.type": "log", - "log.offset": 2776, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "hi5.com" - ], - 
"related.ip": [ - "10.105.47.218" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_DENIED" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "407", - "rsa.network.domain": "hi5.com", - "rsa.time.duration_time": 4, - "rsa.time.event_time": "2006-09-08T04:22:17.000Z", - "rsa.time.event_time_str": "1157689337", - "rsa.web.alias_host": "hi5.com", - "server.domain": "hi5.com", - "server.registered_domain": "hi5.com", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 1661, - "source.ip": "10.105.47.218", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "hi5.com", - "url.original": "http://hi5.com/", - "url.path": "/", - "url.registered_domain": "hi5.com", - "url.scheme": "http", - "url.top_level_domain": "com", - "user.name": "-" - }, - { - "@timestamp": "2006-09-08T04:22:22.000Z", - "destination.ip": "209.73.177.115", - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689342.757 3657 10.105.21.199 TCP_MISS/200 12569 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 2871, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "login.yahoo.com" - ], - "related.ip": [ - "10.105.21.199", - "209.73.177.115" - ], - "related.user": [ - "badeyek" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": 
"login.yahoo.com", - "rsa.time.duration_time": 3657, - "rsa.time.event_time": "2006-09-08T04:22:22.000Z", - "rsa.time.event_time_str": "1157689342", - "rsa.web.alias_host": "login.yahoo.com", - "server.domain": "login.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "login", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 12569, - "source.ip": "10.105.21.199", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "login.yahoo.com", - "url.original": "login.yahoo.com:443", - "url.registered_domain": "yahoo.com", - "url.subdomain": "login", - "url.top_level_domain": "com", - "user.name": "badeyek" - }, - { - "@timestamp": "2006-09-08T04:22:23.000Z", - "event.action": "TCP_DENIED", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689343.106 1 10.105.33.214 TCP_DENIED/407 1752 GET http://update.messenger.yahoo.com/msgrcli7.html - NONE/- text/html", - "file.name": "msgrcli7.html", - "fileset.name": "log", - "input.type": "log", - "log.offset": 2986, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "update.messenger.yahoo.com" - ], - "related.ip": [ - "10.105.33.214" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_DENIED" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "407", - "rsa.network.domain": "update.messenger.yahoo.com", - "rsa.time.duration_time": 1, - "rsa.time.event_time": "2006-09-08T04:22:23.000Z", - "rsa.time.event_time_str": "1157689343", - "rsa.web.alias_host": "update.messenger.yahoo.com", - "server.domain": "update.messenger.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": 
"update.messenger", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 1752, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "update.messenger.yahoo.com", - "url.extension": "html", - "url.original": "http://update.messenger.yahoo.com/msgrcli7.html", - "url.path": "/msgrcli7.html", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "update.messenger", - "url.top_level_domain": "com", - "user.name": "-" - }, - { - "@timestamp": "2006-09-08T04:22:23.000Z", - "destination.ip": "216.155.194.239", - "event.action": "TCP_MISS", - "event.code": "POST", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689343.782 1371 10.105.33.214 TCP_MISS/200 484 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", - "fileset.name": "log", - "input.type": "log", - "log.offset": 3113, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "shttp.msg.yahoo.com" - ], - "related.ip": [ - "10.105.33.214", - "216.155.194.239" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "POST", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "POST", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/plain", - "rsa.misc.result_code": "200", - "rsa.network.domain": "shttp.msg.yahoo.com", - "rsa.time.duration_time": 1371, - "rsa.time.event_time": "2006-09-08T04:22:23.000Z", - "rsa.time.event_time_str": "1157689343", - "rsa.web.alias_host": "shttp.msg.yahoo.com", - "server.domain": "shttp.msg.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "shttp.msg", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 484, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - 
"url.domain": "shttp.msg.yahoo.com", - "url.original": "http://shttp.msg.yahoo.com/notify/", - "url.path": "/notify/", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "shttp.msg", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:24.000Z", - "destination.ip": "204.13.51.238", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689344.736 4969 10.105.47.218 TCP_MISS/200 29359 GET http://hi5.com/ nazsoau DIRECT/204.13.51.238 text/html", - "fileset.name": "log", - "input.type": "log", - "log.offset": 3256, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "hi5.com" - ], - "related.ip": [ - "10.105.47.218", - "204.13.51.238" - ], - "related.user": [ - "nazsoau" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "200", - "rsa.network.domain": "hi5.com", - "rsa.time.duration_time": 4969, - "rsa.time.event_time": "2006-09-08T04:22:24.000Z", - "rsa.time.event_time_str": "1157689344", - "rsa.web.alias_host": "hi5.com", - "server.domain": "hi5.com", - "server.registered_domain": "hi5.com", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 29359, - "source.ip": "10.105.47.218", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "hi5.com", - "url.original": "http://hi5.com/", - "url.path": "/", - "url.registered_domain": "hi5.com", - "url.scheme": "http", - "url.top_level_domain": "com", - "user.name": "nazsoau" - }, - { - "@timestamp": "2006-09-08T04:22:24.000Z", - "destination.ip": "204.13.51.238", - "event.action": 
"TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689344.798 1631 10.105.47.218 TCP_MISS/200 5930 GET http://hi5.com/friend/styles/homepage.css nazsoau DIRECT/204.13.51.238 text/css", - "file.name": "homepage.css", - "fileset.name": "log", - "input.type": "log", - "log.offset": 3370, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "hi5.com" - ], - "related.ip": [ - "10.105.47.218", - "204.13.51.238" - ], - "related.user": [ - "nazsoau" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/css", - "rsa.misc.result_code": "200", - "rsa.network.domain": "hi5.com", - "rsa.time.duration_time": 1631, - "rsa.time.event_time": "2006-09-08T04:22:24.000Z", - "rsa.time.event_time_str": "1157689344", - "rsa.web.alias_host": "hi5.com", - "server.domain": "hi5.com", - "server.registered_domain": "hi5.com", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 5930, - "source.ip": "10.105.47.218", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "hi5.com", - "url.extension": "css", - "url.original": "http://hi5.com/friend/styles/homepage.css", - "url.path": "/friend/styles/homepage.css", - "url.registered_domain": "hi5.com", - "url.scheme": "http", - "url.top_level_domain": "com", - "user.name": "nazsoau" - }, - { - "@timestamp": "2006-09-08T04:22:25.000Z", - "destination.ip": "216.155.194.239", - "event.action": "TCP_MISS", - "event.code": "POST", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689345.641 1810 10.105.33.214 TCP_MISS/200 1645 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", - 
"fileset.name": "log", - "input.type": "log", - "log.offset": 3508, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "shttp.msg.yahoo.com" - ], - "related.ip": [ - "10.105.33.214", - "216.155.194.239" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "POST", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "POST", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/plain", - "rsa.misc.result_code": "200", - "rsa.network.domain": "shttp.msg.yahoo.com", - "rsa.time.duration_time": 1810, - "rsa.time.event_time": "2006-09-08T04:22:25.000Z", - "rsa.time.event_time_str": "1157689345", - "rsa.web.alias_host": "shttp.msg.yahoo.com", - "server.domain": "shttp.msg.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "shttp.msg", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 1645, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "shttp.msg.yahoo.com", - "url.original": "http://shttp.msg.yahoo.com/notify/", - "url.path": "/notify/", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "shttp.msg", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:26.000Z", - "event.action": "TCP_DENIED", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689346.267 880 10.105.37.58 TCP_DENIED/407 1812 GET http://rms.adobe.com/read/0600/win_/ENU/read0600win_ENUadbe0000.xml - NONE/- text/html", - "file.name": "read0600win_ENUadbe0000.xml", - "fileset.name": "log", - "input.type": "log", - "log.offset": 3652, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "rms.adobe.com" - ], - "related.ip": [ - 
"10.105.37.58" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_DENIED" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "407", - "rsa.network.domain": "rms.adobe.com", - "rsa.time.duration_time": 880, - "rsa.time.event_time": "2006-09-08T04:22:26.000Z", - "rsa.time.event_time_str": "1157689346", - "rsa.web.alias_host": "rms.adobe.com", - "server.domain": "rms.adobe.com", - "server.registered_domain": "adobe.com", - "server.subdomain": "rms", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 1812, - "source.ip": "10.105.37.58", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "rms.adobe.com", - "url.extension": "xml", - "url.original": "http://rms.adobe.com/read/0600/win_/ENU/read0600win_ENUadbe0000.xml", - "url.path": "/read/0600/win_/ENU/read0600win_ENUadbe0000.xml", - "url.registered_domain": "adobe.com", - "url.scheme": "http", - "url.subdomain": "rms", - "url.top_level_domain": "com", - "user.name": "-" - }, - { - "@timestamp": "2006-09-08T04:22:27.000Z", - "event.action": "TCP_IMS_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689347.190 10 10.105.47.218 TCP_IMS_HIT/304 217 GET http://images.hi5.com/styles/style.css nazsoau NONE/- text/css", - "file.name": "style.css", - "fileset.name": "log", - "input.type": "log", - "log.offset": 3798, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "images.hi5.com" - ], - "related.ip": [ - "10.105.47.218" - ], - "related.user": [ - "nazsoau" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": 
"NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" - ], - "rsa.misc.content_type": "text/css", - "rsa.misc.result_code": "304", - "rsa.network.domain": "images.hi5.com", - "rsa.time.duration_time": 10, - "rsa.time.event_time": "2006-09-08T04:22:27.000Z", - "rsa.time.event_time_str": "1157689347", - "rsa.web.alias_host": "images.hi5.com", - "server.domain": "images.hi5.com", - "server.registered_domain": "hi5.com", - "server.subdomain": "images", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 217, - "source.ip": "10.105.47.218", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "images.hi5.com", - "url.extension": "css", - "url.original": "http://images.hi5.com/styles/style.css", - "url.path": "/styles/style.css", - "url.registered_domain": "hi5.com", - "url.scheme": "http", - "url.subdomain": "images", - "url.top_level_domain": "com", - "user.name": "nazsoau" - }, - { - "@timestamp": "2006-09-08T04:22:27.000Z", - "event.action": "TCP_IMS_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689347.307 116 10.105.47.218 TCP_IMS_HIT/304 217 GET http://images.hi5.com/friend/styles/buttons_en_us.css nazsoau NONE/- text/css", - "file.name": "buttons_en_us.css", - "fileset.name": "log", - "input.type": "log", - "log.offset": 3921, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "images.hi5.com" - ], - "related.ip": [ - "10.105.47.218" - ], - "related.user": [ - "nazsoau" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" - ], - "rsa.misc.content_type": "text/css", - "rsa.misc.result_code": "304", - "rsa.network.domain": "images.hi5.com", - 
"rsa.time.duration_time": 116, - "rsa.time.event_time": "2006-09-08T04:22:27.000Z", - "rsa.time.event_time_str": "1157689347", - "rsa.web.alias_host": "images.hi5.com", - "server.domain": "images.hi5.com", - "server.registered_domain": "hi5.com", - "server.subdomain": "images", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 217, - "source.ip": "10.105.47.218", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "images.hi5.com", - "url.extension": "css", - "url.original": "http://images.hi5.com/friend/styles/buttons_en_us.css", - "url.path": "/friend/styles/buttons_en_us.css", - "url.registered_domain": "hi5.com", - "url.scheme": "http", - "url.subdomain": "images", - "url.top_level_domain": "com", - "user.name": "nazsoau" - }, - { - "@timestamp": "2006-09-08T04:22:27.000Z", - "destination.ip": "204.13.51.238", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689347.751 6160 10.105.47.218 TCP_MISS/200 27799 GET http://hi5.com/ nazsoau DIRECT/204.13.51.238 text/html", - "fileset.name": "log", - "input.type": "log", - "log.offset": 4059, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "hi5.com" - ], - "related.ip": [ - "10.105.47.218", - "204.13.51.238" - ], - "related.user": [ - "nazsoau" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "200", - "rsa.network.domain": "hi5.com", - "rsa.time.duration_time": 6160, - "rsa.time.event_time": "2006-09-08T04:22:27.000Z", - "rsa.time.event_time_str": "1157689347", - "rsa.web.alias_host": "hi5.com", - "server.domain": "hi5.com", - "server.registered_domain": 
"hi5.com", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 27799, - "source.ip": "10.105.47.218", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "hi5.com", - "url.original": "http://hi5.com/", - "url.path": "/", - "url.registered_domain": "hi5.com", - "url.scheme": "http", - "url.top_level_domain": "com", - "user.name": "nazsoau" - }, - { - "@timestamp": "2006-09-08T04:22:29.000Z", - "destination.ip": "204.13.51.238", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689349.064 1758 10.105.47.218 TCP_MISS/200 4470 GET http://hi5.com/friend/styles/headernav.css nazsoau DIRECT/204.13.51.238 text/css", - "file.name": "headernav.css", - "fileset.name": "log", - "input.type": "log", - "log.offset": 4173, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "hi5.com" - ], - "related.ip": [ - "10.105.47.218", - "204.13.51.238" - ], - "related.user": [ - "nazsoau" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/css", - "rsa.misc.result_code": "200", - "rsa.network.domain": "hi5.com", - "rsa.time.duration_time": 1758, - "rsa.time.event_time": "2006-09-08T04:22:29.000Z", - "rsa.time.event_time_str": "1157689349", - "rsa.web.alias_host": "hi5.com", - "server.domain": "hi5.com", - "server.registered_domain": "hi5.com", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 4470, - "source.ip": "10.105.47.218", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "hi5.com", - "url.extension": "css", - "url.original": "http://hi5.com/friend/styles/headernav.css", - "url.path": "/friend/styles/headernav.css", - 
"url.registered_domain": "hi5.com", - "url.scheme": "http", - "url.top_level_domain": "com", - "user.name": "nazsoau" - }, - { - "@timestamp": "2006-09-08T04:22:30.000Z", - "destination.ip": "216.155.194.239", - "event.action": "TCP_MISS", - "event.code": "POST", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689350.829 1393 10.105.33.214 TCP_MISS/200 382 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", - "fileset.name": "log", - "input.type": "log", - "log.offset": 4312, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "shttp.msg.yahoo.com" - ], - "related.ip": [ - "10.105.33.214", - "216.155.194.239" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "POST", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "POST", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/plain", - "rsa.misc.result_code": "200", - "rsa.network.domain": "shttp.msg.yahoo.com", - "rsa.time.duration_time": 1393, - "rsa.time.event_time": "2006-09-08T04:22:30.000Z", - "rsa.time.event_time_str": "1157689350", - "rsa.web.alias_host": "shttp.msg.yahoo.com", - "server.domain": "shttp.msg.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "shttp.msg", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 382, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "shttp.msg.yahoo.com", - "url.original": "http://shttp.msg.yahoo.com/notify/", - "url.path": "/notify/", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "shttp.msg", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:33.000Z", - "destination.ip": "68.142.194.14", - "event.action": 
"TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689353.439 3667 10.105.33.214 TCP_MISS/200 24095 GET http://insider.msg.yahoo.com/? adeolaegbedokun DIRECT/68.142.194.14 text/html", - "fileset.name": "log", - "input.type": "log", - "log.offset": 4455, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "insider.msg.yahoo.com" - ], - "related.ip": [ - "10.105.33.214", - "68.142.194.14" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "200", - "rsa.network.domain": "insider.msg.yahoo.com", - "rsa.time.duration_time": 3667, - "rsa.time.event_time": "2006-09-08T04:22:33.000Z", - "rsa.time.event_time_str": "1157689353", - "rsa.web.alias_host": "insider.msg.yahoo.com", - "server.domain": "insider.msg.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "insider.msg", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 24095, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "insider.msg.yahoo.com", - "url.original": "http://insider.msg.yahoo.com/?", - "url.path": "/", - "url.query": "", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "insider.msg", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:33.000Z", - "destination.ip": "68.142.219.132", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689353.939 4899 10.105.33.214 TCP_MISS/200 22964 GET 
http://radio.launch.yahoo.com/radio/play/playmessenger.asp adeolaegbedokun DIRECT/68.142.219.132 text/html", - "file.name": "playmessenger.asp", - "fileset.name": "log", - "input.type": "log", - "log.offset": 4592, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "radio.launch.yahoo.com" - ], - "related.ip": [ - "10.105.33.214", - "68.142.219.132" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "200", - "rsa.network.domain": "radio.launch.yahoo.com", - "rsa.time.duration_time": 4899, - "rsa.time.event_time": "2006-09-08T04:22:33.000Z", - "rsa.time.event_time_str": "1157689353", - "rsa.web.alias_host": "radio.launch.yahoo.com", - "server.domain": "radio.launch.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "radio.launch", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 22964, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "radio.launch.yahoo.com", - "url.extension": "asp", - "url.original": "http://radio.launch.yahoo.com/radio/play/playmessenger.asp", - "url.path": "/radio/play/playmessenger.asp", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "radio.launch", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:34.000Z", - "destination.ip": "216.155.194.239", - "event.action": "TCP_MISS", - "event.code": "POST", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689354.877 1349 10.105.33.214 TCP_MISS/200 646 POST http://shttp.msg.yahoo.com/notify/ 
adeolaegbedokun DIRECT/216.155.194.239 text/plain", - "fileset.name": "log", - "input.type": "log", - "log.offset": 4758, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "shttp.msg.yahoo.com" - ], - "related.ip": [ - "10.105.33.214", - "216.155.194.239" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "POST", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "POST", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/plain", - "rsa.misc.result_code": "200", - "rsa.network.domain": "shttp.msg.yahoo.com", - "rsa.time.duration_time": 1349, - "rsa.time.event_time": "2006-09-08T04:22:34.000Z", - "rsa.time.event_time_str": "1157689354", - "rsa.web.alias_host": "shttp.msg.yahoo.com", - "server.domain": "shttp.msg.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "shttp.msg", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 646, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "shttp.msg.yahoo.com", - "url.original": "http://shttp.msg.yahoo.com/notify/", - "url.path": "/notify/", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "shttp.msg", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:35.000Z", - "destination.ip": "209.191.93.51", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689355.517 1578 10.105.33.214 TCP_MISS/200 699 GET http://address.yahoo.com/yab/us? 
adeolaegbedokun DIRECT/209.191.93.51 text/xml", - "file.name": "us", - "fileset.name": "log", - "input.type": "log", - "log.offset": 4901, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "address.yahoo.com" - ], - "related.ip": [ - "10.105.33.214", - "209.191.93.51" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/xml", - "rsa.misc.result_code": "200", - "rsa.network.domain": "address.yahoo.com", - "rsa.time.duration_time": 1578, - "rsa.time.event_time": "2006-09-08T04:22:35.000Z", - "rsa.time.event_time_str": "1157689355", - "rsa.web.alias_host": "address.yahoo.com", - "server.domain": "address.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "address", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 699, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "address.yahoo.com", - "url.original": "http://address.yahoo.com/yab/us?", - "url.path": "/yab/us", - "url.query": "", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "address", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:36.000Z", - "destination.ip": "63.245.209.21", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689356.907 6741 10.105.21.199 TCP_MISS/302 734 GET http://fxfeeds.mozilla.org/rss20.xml badeyek DIRECT/63.245.209.21 text/html", - "file.name": "rss20.xml", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5037, - "observer.product": "Proxy", - 
"observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "fxfeeds.mozilla.org" - ], - "related.ip": [ - "10.105.21.199", - "63.245.209.21" - ], - "related.user": [ - "badeyek" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "302", - "rsa.network.domain": "fxfeeds.mozilla.org", - "rsa.time.duration_time": 6741, - "rsa.time.event_time": "2006-09-08T04:22:36.000Z", - "rsa.time.event_time_str": "1157689356", - "rsa.web.alias_host": "fxfeeds.mozilla.org", - "server.domain": "fxfeeds.mozilla.org", - "server.registered_domain": "mozilla.org", - "server.subdomain": "fxfeeds", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 734, - "source.ip": "10.105.21.199", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "fxfeeds.mozilla.org", - "url.extension": "xml", - "url.original": "http://fxfeeds.mozilla.org/rss20.xml", - "url.path": "/rss20.xml", - "url.registered_domain": "mozilla.org", - "url.scheme": "http", - "url.subdomain": "fxfeeds", - "url.top_level_domain": "org", - "user.name": "badeyek" - }, - { - "@timestamp": "2006-09-08T04:22:37.000Z", - "destination.ip": "68.142.231.252", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689357.267 6424 10.105.33.214 TCP_MISS/200 31400 GET http://insider.msg.yahoo.com/ycontent/? 
adeolaegbedokun DIRECT/68.142.231.252 text/xml", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5170, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "insider.msg.yahoo.com" - ], - "related.ip": [ - "10.105.33.214", - "68.142.231.252" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/xml", - "rsa.misc.result_code": "200", - "rsa.network.domain": "insider.msg.yahoo.com", - "rsa.time.duration_time": 6424, - "rsa.time.event_time": "2006-09-08T04:22:37.000Z", - "rsa.time.event_time_str": "1157689357", - "rsa.web.alias_host": "insider.msg.yahoo.com", - "server.domain": "insider.msg.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "insider.msg", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 31400, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "insider.msg.yahoo.com", - "url.original": "http://insider.msg.yahoo.com/ycontent/?", - "url.path": "/ycontent/", - "url.query": "", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "insider.msg", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:37.000Z", - "destination.ip": "68.142.194.14", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689357.720 2831 10.105.33.214 TCP_MISS/200 21152 GET http://insider.msg.yahoo.com/ycontent/? 
adeolaegbedokun DIRECT/68.142.194.14 text/xml", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5316, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "insider.msg.yahoo.com" - ], - "related.ip": [ - "10.105.33.214", - "68.142.194.14" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/xml", - "rsa.misc.result_code": "200", - "rsa.network.domain": "insider.msg.yahoo.com", - "rsa.time.duration_time": 2831, - "rsa.time.event_time": "2006-09-08T04:22:37.000Z", - "rsa.time.event_time_str": "1157689357", - "rsa.web.alias_host": "insider.msg.yahoo.com", - "server.domain": "insider.msg.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "insider.msg", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 21152, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "insider.msg.yahoo.com", - "url.original": "http://insider.msg.yahoo.com/ycontent/?", - "url.path": "/ycontent/", - "url.query": "", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "insider.msg", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:38.000Z", - "event.action": "TCP_DENIED", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689358.173 1 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5461, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - 
"us.mcafee.com" - ], - "related.ip": [ - "10.105.37.17" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_DENIED" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "407", - "rsa.network.domain": "us.mcafee.com", - "rsa.time.duration_time": 1, - "rsa.time.event_time": "2006-09-08T04:22:38.000Z", - "rsa.time.event_time_str": "1157689358", - "rsa.web.alias_host": "us.mcafee.com", - "server.domain": "us.mcafee.com", - "server.registered_domain": "mcafee.com", - "server.subdomain": "us", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 1667, - "source.ip": "10.105.37.17", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "us.mcafee.com", - "url.original": "us.mcafee.com:443", - "url.registered_domain": "mcafee.com", - "url.subdomain": "us", - "url.top_level_domain": "com", - "user.name": "-" - }, - { - "@timestamp": "2006-09-08T04:22:38.000Z", - "event.action": "TCP_DENIED", - "event.code": "POST", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689358.174 0 10.105.37.17 TCP_DENIED/407 1767 POST http://us.mcafee.com/apps/agent/submgr/appinstru.asp - NONE/- text/html", - "file.name": "appinstru.asp", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5561, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "us.mcafee.com" - ], - "related.ip": [ - "10.105.37.17" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "POST", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "POST", - "TCP_DENIED" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "407", - "rsa.network.domain": 
"us.mcafee.com", - "rsa.time.duration_time": 0, - "rsa.time.event_time": "2006-09-08T04:22:38.000Z", - "rsa.time.event_time_str": "1157689358", - "rsa.web.alias_host": "us.mcafee.com", - "server.domain": "us.mcafee.com", - "server.registered_domain": "mcafee.com", - "server.subdomain": "us", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 1767, - "source.ip": "10.105.37.17", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "us.mcafee.com", - "url.extension": "asp", - "url.original": "http://us.mcafee.com/apps/agent/submgr/appinstru.asp", - "url.path": "/apps/agent/submgr/appinstru.asp", - "url.registered_domain": "mcafee.com", - "url.scheme": "http", - "url.subdomain": "us", - "url.top_level_domain": "com", - "user.name": "-" - }, - { - "@timestamp": "2006-09-08T04:22:38.000Z", - "event.action": "TCP_DENIED", - "event.code": "POST", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689358.174 0 10.105.37.17 TCP_DENIED/407 1761 POST http://us.mcafee.com/apps/agent/submgr/appsync.asp - NONE/- text/html", - "file.name": "appsync.asp", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5693, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "us.mcafee.com" - ], - "related.ip": [ - "10.105.37.17" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "POST", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "POST", - "TCP_DENIED" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "407", - "rsa.network.domain": "us.mcafee.com", - "rsa.time.duration_time": 0, - "rsa.time.event_time": "2006-09-08T04:22:38.000Z", - "rsa.time.event_time_str": "1157689358", - "rsa.web.alias_host": "us.mcafee.com", - "server.domain": "us.mcafee.com", - "server.registered_domain": "mcafee.com", - "server.subdomain": 
"us", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 1761, - "source.ip": "10.105.37.17", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "us.mcafee.com", - "url.extension": "asp", - "url.original": "http://us.mcafee.com/apps/agent/submgr/appsync.asp", - "url.path": "/apps/agent/submgr/appsync.asp", - "url.registered_domain": "mcafee.com", - "url.scheme": "http", - "url.subdomain": "us", - "url.top_level_domain": "com", - "user.name": "-" - }, - { - "@timestamp": "2006-09-08T04:22:38.000Z", - "event.action": "TCP_DENIED", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689358.226 0 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5823, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "us.mcafee.com" - ], - "related.ip": [ - "10.105.37.17" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_DENIED" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "407", - "rsa.network.domain": "us.mcafee.com", - "rsa.time.duration_time": 0, - "rsa.time.event_time": "2006-09-08T04:22:38.000Z", - "rsa.time.event_time_str": "1157689358", - "rsa.web.alias_host": "us.mcafee.com", - "server.domain": "us.mcafee.com", - "server.registered_domain": "mcafee.com", - "server.subdomain": "us", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 1667, - "source.ip": "10.105.37.17", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "us.mcafee.com", - "url.original": "us.mcafee.com:443", - "url.registered_domain": "mcafee.com", - "url.subdomain": "us", - "url.top_level_domain": "com", - 
"user.name": "-" - }, - { - "@timestamp": "2006-09-08T04:22:38.000Z", - "destination.ip": "68.142.219.132", - "event.action": "TCP_REFRESH_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689358.486 711 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations.gif adeolaegbedokun DIRECT/68.142.219.132 -", - "file.name": "btn_stations.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 5923, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "radio.launch.yahoo.com" - ], - "related.ip": [ - "10.105.33.214", - "68.142.219.132" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "304", - "rsa.network.domain": "radio.launch.yahoo.com", - "rsa.time.duration_time": 711, - "rsa.time.event_time": "2006-09-08T04:22:38.000Z", - "rsa.time.event_time_str": "1157689358", - "rsa.web.alias_host": "radio.launch.yahoo.com", - "server.domain": "radio.launch.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "radio.launch", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 512, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "radio.launch.yahoo.com", - "url.extension": "gif", - "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations.gif", - "url.path": "/radio/clientdata/538/images/btn_stations.gif", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "radio.launch", - "url.top_level_domain": "com", - 
"user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:38.000Z", - "event.action": "TCP_DENIED", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689358.683 0 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html", - "fileset.name": "log", - "input.type": "log", - "log.offset": 6102, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "us.mcafee.com" - ], - "related.ip": [ - "10.105.37.17" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_DENIED" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "407", - "rsa.network.domain": "us.mcafee.com", - "rsa.time.duration_time": 0, - "rsa.time.event_time": "2006-09-08T04:22:38.000Z", - "rsa.time.event_time_str": "1157689358", - "rsa.web.alias_host": "us.mcafee.com", - "server.domain": "us.mcafee.com", - "server.registered_domain": "mcafee.com", - "server.subdomain": "us", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 1667, - "source.ip": "10.105.37.17", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "us.mcafee.com", - "url.original": "us.mcafee.com:443", - "url.registered_domain": "mcafee.com", - "url.subdomain": "us", - "url.top_level_domain": "com", - "user.name": "-" - }, - { - "@timestamp": "2006-09-08T04:22:39.000Z", - "destination.ip": "68.142.219.132", - "event.action": "TCP_REFRESH_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689359.199 713 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations_over.gif adeolaegbedokun DIRECT/68.142.219.132 -", - "file.name": 
"btn_stations_over.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 6202, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "radio.launch.yahoo.com" - ], - "related.ip": [ - "10.105.33.214", - "68.142.219.132" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "304", - "rsa.network.domain": "radio.launch.yahoo.com", - "rsa.time.duration_time": 713, - "rsa.time.event_time": "2006-09-08T04:22:39.000Z", - "rsa.time.event_time_str": "1157689359", - "rsa.web.alias_host": "radio.launch.yahoo.com", - "server.domain": "radio.launch.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "radio.launch", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 512, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "radio.launch.yahoo.com", - "url.extension": "gif", - "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations_over.gif", - "url.path": "/radio/clientdata/538/images/btn_stations_over.gif", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "radio.launch", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:39.000Z", - "destination.ip": "216.155.194.239", - "event.action": "TCP_MISS", - "event.code": "POST", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689359.269 1982 10.105.33.214 TCP_MISS/200 362 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", - "fileset.name": "log", - 
"input.type": "log", - "log.offset": 6386, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "shttp.msg.yahoo.com" - ], - "related.ip": [ - "10.105.33.214", - "216.155.194.239" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "POST", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "POST", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/plain", - "rsa.misc.result_code": "200", - "rsa.network.domain": "shttp.msg.yahoo.com", - "rsa.time.duration_time": 1982, - "rsa.time.event_time": "2006-09-08T04:22:39.000Z", - "rsa.time.event_time_str": "1157689359", - "rsa.web.alias_host": "shttp.msg.yahoo.com", - "server.domain": "shttp.msg.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "shttp.msg", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 362, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "shttp.msg.yahoo.com", - "url.original": "http://shttp.msg.yahoo.com/notify/", - "url.path": "/notify/", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "shttp.msg", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:39.000Z", - "destination.ip": "68.142.219.132", - "event.action": "TCP_REFRESH_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689359.924 725 10.105.33.214 TCP_REFRESH_HIT/304 511 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_left.gif adeolaegbedokun DIRECT/68.142.219.132 -", - "file.name": "bg_left.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 6529, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - 
"radio.launch.yahoo.com" - ], - "related.ip": [ - "10.105.33.214", - "68.142.219.132" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "304", - "rsa.network.domain": "radio.launch.yahoo.com", - "rsa.time.duration_time": 725, - "rsa.time.event_time": "2006-09-08T04:22:39.000Z", - "rsa.time.event_time_str": "1157689359", - "rsa.web.alias_host": "radio.launch.yahoo.com", - "server.domain": "radio.launch.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "radio.launch", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 511, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "radio.launch.yahoo.com", - "url.extension": "gif", - "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_left.gif", - "url.path": "/radio/clientdata/538/skins/1/images/bg_left.gif", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "radio.launch", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:40.000Z", - "destination.ip": "68.142.219.132", - "event.action": "TCP_REFRESH_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689360.611 687 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/launchcast_radio.gif adeolaegbedokun DIRECT/68.142.219.132 -", - "file.name": "launchcast_radio.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 6711, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - 
"related.hosts": [ - "radio.launch.yahoo.com" - ], - "related.ip": [ - "10.105.33.214", - "68.142.219.132" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "304", - "rsa.network.domain": "radio.launch.yahoo.com", - "rsa.time.duration_time": 687, - "rsa.time.event_time": "2006-09-08T04:22:40.000Z", - "rsa.time.event_time_str": "1157689360", - "rsa.web.alias_host": "radio.launch.yahoo.com", - "server.domain": "radio.launch.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "radio.launch", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 512, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "radio.launch.yahoo.com", - "url.extension": "gif", - "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/images/launchcast_radio.gif", - "url.path": "/radio/clientdata/538/images/launchcast_radio.gif", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "radio.launch", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:40.000Z", - "event.action": "TCP_DENIED", - "event.code": "POST", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689360.980 1 10.105.47.191 TCP_DENIED/407 1767 POST http://us.mcafee.com/apps/agent/submgr/appinstru.asp - NONE/- text/html", - "file.name": "appinstru.asp", - "fileset.name": "log", - "input.type": "log", - "log.offset": 6894, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "us.mcafee.com" - ], - "related.ip": [ - "10.105.47.191" - 
], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "POST", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "POST", - "TCP_DENIED" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "407", - "rsa.network.domain": "us.mcafee.com", - "rsa.time.duration_time": 1, - "rsa.time.event_time": "2006-09-08T04:22:40.000Z", - "rsa.time.event_time_str": "1157689360", - "rsa.web.alias_host": "us.mcafee.com", - "server.domain": "us.mcafee.com", - "server.registered_domain": "mcafee.com", - "server.subdomain": "us", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 1767, - "source.ip": "10.105.47.191", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "us.mcafee.com", - "url.extension": "asp", - "url.original": "http://us.mcafee.com/apps/agent/submgr/appinstru.asp", - "url.path": "/apps/agent/submgr/appinstru.asp", - "url.registered_domain": "mcafee.com", - "url.scheme": "http", - "url.subdomain": "us", - "url.top_level_domain": "com", - "user.name": "-" - }, - { - "@timestamp": "2006-09-08T04:22:41.000Z", - "event.action": "TCP_DENIED", - "event.code": "POST", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689361.188 1 10.105.47.191 TCP_DENIED/407 1761 POST http://us.mcafee.com/apps/agent/submgr/appsync.asp - NONE/- text/html", - "file.name": "appsync.asp", - "fileset.name": "log", - "input.type": "log", - "log.offset": 7027, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "us.mcafee.com" - ], - "related.ip": [ - "10.105.47.191" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "POST", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "POST", - "TCP_DENIED" - ], - "rsa.misc.content_type": "text/html", 
- "rsa.misc.result_code": "407", - "rsa.network.domain": "us.mcafee.com", - "rsa.time.duration_time": 1, - "rsa.time.event_time": "2006-09-08T04:22:41.000Z", - "rsa.time.event_time_str": "1157689361", - "rsa.web.alias_host": "us.mcafee.com", - "server.domain": "us.mcafee.com", - "server.registered_domain": "mcafee.com", - "server.subdomain": "us", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 1761, - "source.ip": "10.105.47.191", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "us.mcafee.com", - "url.extension": "asp", - "url.original": "http://us.mcafee.com/apps/agent/submgr/appsync.asp", - "url.path": "/apps/agent/submgr/appsync.asp", - "url.registered_domain": "mcafee.com", - "url.scheme": "http", - "url.subdomain": "us", - "url.top_level_domain": "com", - "user.name": "-" - }, - { - "@timestamp": "2006-09-08T04:22:41.000Z", - "destination.ip": "68.142.219.132", - "event.action": "TCP_REFRESH_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689361.393 783 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_right.gif adeolaegbedokun DIRECT/68.142.219.132 -", - "file.name": "bg_right.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 7158, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "radio.launch.yahoo.com" - ], - "related.ip": [ - "10.105.33.214", - "68.142.219.132" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "304", - "rsa.network.domain": "radio.launch.yahoo.com", - 
"rsa.time.duration_time": 783, - "rsa.time.event_time": "2006-09-08T04:22:41.000Z", - "rsa.time.event_time_str": "1157689361", - "rsa.web.alias_host": "radio.launch.yahoo.com", - "server.domain": "radio.launch.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "radio.launch", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 512, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "radio.launch.yahoo.com", - "url.extension": "gif", - "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_right.gif", - "url.path": "/radio/clientdata/538/skins/1/images/bg_right.gif", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "radio.launch", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:41.000Z", - "destination.ip": "68.142.219.132", - "event.action": "TCP_REFRESH_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689361.564 2242 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_center.gif adeolaegbedokun DIRECT/68.142.219.132 -", - "file.name": "bg_center.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 7341, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "radio.launch.yahoo.com" - ], - "related.ip": [ - "10.105.33.214", - "68.142.219.132" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "304", - "rsa.network.domain": 
"radio.launch.yahoo.com", - "rsa.time.duration_time": 2242, - "rsa.time.event_time": "2006-09-08T04:22:41.000Z", - "rsa.time.event_time_str": "1157689361", - "rsa.web.alias_host": "radio.launch.yahoo.com", - "server.domain": "radio.launch.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "radio.launch", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 512, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "radio.launch.yahoo.com", - "url.extension": "gif", - "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_center.gif", - "url.path": "/radio/clientdata/538/skins/1/images/bg_center.gif", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "radio.launch", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:42.000Z", - "destination.ip": "68.142.219.132", - "event.action": "TCP_REFRESH_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689362.220 827 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_off.gif adeolaegbedokun DIRECT/68.142.219.132 -", - "file.name": "bg_controls_off.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 7525, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "radio.launch.yahoo.com" - ], - "related.ip": [ - "10.105.33.214", - "68.142.219.132" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": 
"304", - "rsa.network.domain": "radio.launch.yahoo.com", - "rsa.time.duration_time": 827, - "rsa.time.event_time": "2006-09-08T04:22:42.000Z", - "rsa.time.event_time_str": "1157689362", - "rsa.web.alias_host": "radio.launch.yahoo.com", - "server.domain": "radio.launch.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "radio.launch", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 512, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "radio.launch.yahoo.com", - "url.extension": "gif", - "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_off.gif", - "url.path": "/radio/clientdata/538/skins/1/images/bg_controls_off.gif", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "radio.launch", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:42.000Z", - "destination.ip": "68.142.219.132", - "event.action": "TCP_REFRESH_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689362.315 751 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif adeolaegbedokun DIRECT/68.142.219.132 -", - "file.name": "t.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 7715, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "radio.launch.yahoo.com" - ], - "related.ip": [ - "10.105.33.214", - "68.142.219.132" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" - ], - "rsa.misc.content_type": "-", - 
"rsa.misc.result_code": "304", - "rsa.network.domain": "radio.launch.yahoo.com", - "rsa.time.duration_time": 751, - "rsa.time.event_time": "2006-09-08T04:22:42.000Z", - "rsa.time.event_time_str": "1157689362", - "rsa.web.alias_host": "radio.launch.yahoo.com", - "server.domain": "radio.launch.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "radio.launch", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 512, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "radio.launch.yahoo.com", - "url.extension": "gif", - "url.original": "http://radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif", - "url.path": "/radio/common_radio/resources/images/t.gif", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "radio.launch", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:42.000Z", - "event.action": "TCP_IMS_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689362.318 3 10.105.33.214 TCP_IMS_HIT/304 218 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_off_state_station.gif adeolaegbedokun NONE/- image/gif", - "file.name": "btn_off_state_station.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 7891, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "radio.launch.yahoo.com" - ], - "related.ip": [ - "10.105.33.214" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "304", - "rsa.network.domain": 
"radio.launch.yahoo.com", - "rsa.time.duration_time": 3, - "rsa.time.event_time": "2006-09-08T04:22:42.000Z", - "rsa.time.event_time_str": "1157689362", - "rsa.web.alias_host": "radio.launch.yahoo.com", - "server.domain": "radio.launch.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "radio.launch", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 218, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "radio.launch.yahoo.com", - "url.extension": "gif", - "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_off_state_station.gif", - "url.path": "/radio/clientdata/538/images/btn_off_state_station.gif", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "radio.launch", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:42.000Z", - "event.action": "TCP_IMS_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689362.332 13 10.105.33.214 TCP_IMS_HIT/304 218 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_fill.gif adeolaegbedokun NONE/- image/gif", - "file.name": "bg_controls_fill.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 8068, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "radio.launch.yahoo.com" - ], - "related.ip": [ - "10.105.33.214" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "304", - "rsa.network.domain": "radio.launch.yahoo.com", - 
"rsa.time.duration_time": 13, - "rsa.time.event_time": "2006-09-08T04:22:42.000Z", - "rsa.time.event_time_str": "1157689362", - "rsa.web.alias_host": "radio.launch.yahoo.com", - "server.domain": "radio.launch.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "radio.launch", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 218, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "radio.launch.yahoo.com", - "url.extension": "gif", - "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_fill.gif", - "url.path": "/radio/clientdata/538/skins/1/images/bg_controls_fill.gif", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "radio.launch", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:42.000Z", - "event.action": "TCP_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689362.341 8 10.105.33.214 TCP_HIT/200 2263 GET http://us.i1.yimg.com/us.yimg.com/i/us/toolbar50x50.gif adeolaegbedokun NONE/- image/gif", - "file.name": "toolbar50x50.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 8248, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "us.i1.yimg.com" - ], - "related.ip": [ - "10.105.33.214" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_HIT" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "us.i1.yimg.com", - "rsa.time.duration_time": 8, - "rsa.time.event_time": "2006-09-08T04:22:42.000Z", - 
"rsa.time.event_time_str": "1157689362", - "rsa.web.alias_host": "us.i1.yimg.com", - "server.domain": "us.i1.yimg.com", - "server.registered_domain": "yimg.com", - "server.subdomain": "us.i1", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 2263, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "us.i1.yimg.com", - "url.extension": "gif", - "url.original": "http://us.i1.yimg.com/us.yimg.com/i/us/toolbar50x50.gif", - "url.path": "/us.yimg.com/i/us/toolbar50x50.gif", - "url.registered_domain": "yimg.com", - "url.scheme": "http", - "url.subdomain": "us.i1", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:43.000Z", - "destination.ip": "212.58.226.33", - "event.action": "TCP_REFRESH_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689363.423 6517 10.105.21.199 TCP_REFRESH_MISS/200 17396 GET http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml badeyek DIRECT/212.58.226.33 application/xml", - "file.name": "rss.xml", - "fileset.name": "log", - "input.type": "log", - "log.offset": 8394, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "newsrss.bbc.co.uk" - ], - "related.ip": [ - "10.105.21.199", - "212.58.226.33" - ], - "related.user": [ - "badeyek" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_REFRESH_MISS" - ], - "rsa.misc.content_type": "application/xml", - "rsa.misc.result_code": "200", - "rsa.network.domain": "newsrss.bbc.co.uk", - "rsa.time.duration_time": 6517, - "rsa.time.event_time": "2006-09-08T04:22:43.000Z", - "rsa.time.event_time_str": "1157689363", - "rsa.web.alias_host": 
"newsrss.bbc.co.uk", - "server.domain": "newsrss.bbc.co.uk", - "server.registered_domain": "bbc.co.uk", - "server.subdomain": "newsrss", - "server.top_level_domain": "co.uk", - "service.type": "squid", - "source.bytes": 17396, - "source.ip": "10.105.21.199", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "newsrss.bbc.co.uk", - "url.extension": "xml", - "url.original": "http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml", - "url.path": "/rss/newsonline_world_edition/front_page/rss.xml", - "url.registered_domain": "bbc.co.uk", - "url.scheme": "http", - "url.subdomain": "newsrss", - "url.top_level_domain": "co.uk", - "user.name": "badeyek" - }, - { - "@timestamp": "2006-09-08T04:22:44.000Z", - "destination.ip": "68.142.231.252", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689364.361 2140 10.105.33.214 TCP_MISS/200 407 GET http://insider.msg.yahoo.com/ycontent/beacon.php adeolaegbedokun DIRECT/68.142.231.252 image/gif", - "file.name": "beacon.php", - "fileset.name": "log", - "input.type": "log", - "log.offset": 8579, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "insider.msg.yahoo.com" - ], - "related.ip": [ - "10.105.33.214", - "68.142.231.252" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "insider.msg.yahoo.com", - "rsa.time.duration_time": 2140, - "rsa.time.event_time": "2006-09-08T04:22:44.000Z", - "rsa.time.event_time_str": "1157689364", - "rsa.web.alias_host": "insider.msg.yahoo.com", - "server.domain": 
"insider.msg.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "insider.msg", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 407, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "insider.msg.yahoo.com", - "url.extension": "php", - "url.original": "http://insider.msg.yahoo.com/ycontent/beacon.php", - "url.path": "/ycontent/beacon.php", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "insider.msg", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:44.000Z", - "event.action": "TCP_IMS_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689364.402 7 10.105.33.214 TCP_IMS_HIT/304 219 GET http://us.ent1.yimg.com/images.launch.yahoo.com/000/032/457/32457654.jpg adeolaegbedokun NONE/- image/jpeg", - "file.name": "32457654.jpg", - "fileset.name": "log", - "input.type": "log", - "log.offset": 8733, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "us.ent1.yimg.com" - ], - "related.ip": [ - "10.105.33.214" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" - ], - "rsa.misc.content_type": "image/jpeg", - "rsa.misc.result_code": "304", - "rsa.network.domain": "us.ent1.yimg.com", - "rsa.time.duration_time": 7, - "rsa.time.event_time": "2006-09-08T04:22:44.000Z", - "rsa.time.event_time_str": "1157689364", - "rsa.web.alias_host": "us.ent1.yimg.com", - "server.domain": "us.ent1.yimg.com", - "server.registered_domain": "yimg.com", - "server.subdomain": "us.ent1", - "server.top_level_domain": "com", - "service.type": 
"squid", - "source.bytes": 219, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "us.ent1.yimg.com", - "url.extension": "jpg", - "url.original": "http://us.ent1.yimg.com/images.launch.yahoo.com/000/032/457/32457654.jpg", - "url.path": "/images.launch.yahoo.com/000/032/457/32457654.jpg", - "url.registered_domain": "yimg.com", - "url.scheme": "http", - "url.subdomain": "us.ent1", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:44.000Z", - "event.action": "TCP_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689364.411 8 10.105.33.214 TCP_HIT/200 10593 GET http://us.news1.yimg.com/us.yimg.com/p/ap/20060906/thumb.71d29ded334347c48ac88433d033c9a9.pakistan_bin_laden_nyol440.jpg adeolaegbedokun NONE/- image/jpeg", - "file.name": "thumb.71d29ded334347c48ac88433d033c9a9.pakistan_bin_laden_nyol440.jpg", - "fileset.name": "log", - "input.type": "log", - "log.offset": 8900, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "us.news1.yimg.com" - ], - "related.ip": [ - "10.105.33.214" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_HIT" - ], - "rsa.misc.content_type": "image/jpeg", - "rsa.misc.result_code": "200", - "rsa.network.domain": "us.news1.yimg.com", - "rsa.time.duration_time": 8, - "rsa.time.event_time": "2006-09-08T04:22:44.000Z", - "rsa.time.event_time_str": "1157689364", - "rsa.web.alias_host": "us.news1.yimg.com", - "server.domain": "us.news1.yimg.com", - "server.registered_domain": "yimg.com", - "server.subdomain": "us.news1", - "server.top_level_domain": "com", - "service.type": "squid", - 
"source.bytes": 10593, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "us.news1.yimg.com", - "url.extension": "jpg", - "url.original": "http://us.news1.yimg.com/us.yimg.com/p/ap/20060906/thumb.71d29ded334347c48ac88433d033c9a9.pakistan_bin_laden_nyol440.jpg", - "url.path": "/us.yimg.com/p/ap/20060906/thumb.71d29ded334347c48ac88433d033c9a9.pakistan_bin_laden_nyol440.jpg", - "url.registered_domain": "yimg.com", - "url.scheme": "http", - "url.subdomain": "us.news1", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:45.000Z", - "destination.ip": "68.142.219.132", - "event.action": "TCP_MISS", - "event.code": "POST", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689365.312 2420 10.105.33.214 TCP_MISS/302 1270 POST http://radio.launch.yahoo.com/radio/play/authplay.asp adeolaegbedokun DIRECT/68.142.219.132 text/html", - "file.name": "authplay.asp", - "fileset.name": "log", - "input.type": "log", - "log.offset": 9113, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "radio.launch.yahoo.com" - ], - "related.ip": [ - "10.105.33.214", - "68.142.219.132" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "POST", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "POST", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "302", - "rsa.network.domain": "radio.launch.yahoo.com", - "rsa.time.duration_time": 2420, - "rsa.time.event_time": "2006-09-08T04:22:45.000Z", - "rsa.time.event_time_str": "1157689365", - "rsa.web.alias_host": "radio.launch.yahoo.com", - "server.domain": "radio.launch.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "radio.launch", - "server.top_level_domain": "com", - 
"service.type": "squid", - "source.bytes": 1270, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "radio.launch.yahoo.com", - "url.extension": "asp", - "url.original": "http://radio.launch.yahoo.com/radio/play/authplay.asp", - "url.path": "/radio/play/authplay.asp", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "radio.launch", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:46.000Z", - "destination.ip": "213.160.98.159", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689366.377 1966 10.105.33.214 TCP_MISS/200 10519 GET http://us.news1.yimg.com/us.yimg.com/p/ap/20060908/thumb.443f57762d7349669f609fbf0c97a5f1.academy_awards_host_cacp101.jpg adeolaegbedokun DIRECT/213.160.98.159 image/jpeg", - "file.name": "thumb.443f57762d7349669f609fbf0c97a5f1.academy_awards_host_cacp101.jpg", - "fileset.name": "log", - "input.type": "log", - "log.offset": 9274, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "us.news1.yimg.com" - ], - "related.ip": [ - "10.105.33.214", - "213.160.98.159" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/jpeg", - "rsa.misc.result_code": "200", - "rsa.network.domain": "us.news1.yimg.com", - "rsa.time.duration_time": 1966, - "rsa.time.event_time": "2006-09-08T04:22:46.000Z", - "rsa.time.event_time_str": "1157689366", - "rsa.web.alias_host": "us.news1.yimg.com", - "server.domain": "us.news1.yimg.com", - "server.registered_domain": "yimg.com", - "server.subdomain": 
"us.news1", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 10519, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "us.news1.yimg.com", - "url.extension": "jpg", - "url.original": "http://us.news1.yimg.com/us.yimg.com/p/ap/20060908/thumb.443f57762d7349669f609fbf0c97a5f1.academy_awards_host_cacp101.jpg", - "url.path": "/us.yimg.com/p/ap/20060908/thumb.443f57762d7349669f609fbf0c97a5f1.academy_awards_host_cacp101.jpg", - "url.registered_domain": "yimg.com", - "url.scheme": "http", - "url.subdomain": "us.news1", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:48.000Z", - "destination.ip": "68.142.219.132", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689368.080 1703 10.105.33.214 TCP_MISS/200 515 GET http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp? 
adeolaegbedokun DIRECT/68.142.219.132 text/xml", - "file.name": "initstationfeed.asp", - "fileset.name": "log", - "input.type": "log", - "log.offset": 9504, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "radio.music.yahoo.com" - ], - "related.ip": [ - "10.105.33.214", - "68.142.219.132" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/xml", - "rsa.misc.result_code": "200", - "rsa.network.domain": "radio.music.yahoo.com", - "rsa.time.duration_time": 1703, - "rsa.time.event_time": "2006-09-08T04:22:48.000Z", - "rsa.time.event_time_str": "1157689368", - "rsa.web.alias_host": "radio.music.yahoo.com", - "server.domain": "radio.music.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "radio.music", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 515, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "radio.music.yahoo.com", - "url.extension": "asp", - "url.original": "http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp?", - "url.path": "/radio/player/ymsgr/initstationfeed.asp", - "url.query": "", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "radio.music", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:48.000Z", - "destination.ip": "68.142.219.132", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689368.370 3057 10.105.33.214 TCP_MISS/200 14411 GET http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp? 
adeolaegbedokun DIRECT/68.142.219.132 text/xml", - "file.name": "initstationfeed.asp", - "fileset.name": "log", - "input.type": "log", - "log.offset": 9677, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "radio.music.yahoo.com" - ], - "related.ip": [ - "10.105.33.214", - "68.142.219.132" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/xml", - "rsa.misc.result_code": "200", - "rsa.network.domain": "radio.music.yahoo.com", - "rsa.time.duration_time": 3057, - "rsa.time.event_time": "2006-09-08T04:22:48.000Z", - "rsa.time.event_time_str": "1157689368", - "rsa.web.alias_host": "radio.music.yahoo.com", - "server.domain": "radio.music.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "radio.music", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 14411, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "radio.music.yahoo.com", - "url.extension": "asp", - "url.original": "http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp?", - "url.path": "/radio/player/ymsgr/initstationfeed.asp", - "url.query": "", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "radio.music", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:48.000Z", - "destination.ip": "68.142.219.132", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689368.889 808 10.105.33.214 TCP_MISS/200 1627 GET http://radio.launch.yahoo.com/radio/play/authplay.asp? 
adeolaegbedokun DIRECT/68.142.219.132 text/html", - "file.name": "authplay.asp", - "fileset.name": "log", - "input.type": "log", - "log.offset": 9852, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "radio.launch.yahoo.com" - ], - "related.ip": [ - "10.105.33.214", - "68.142.219.132" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "200", - "rsa.network.domain": "radio.launch.yahoo.com", - "rsa.time.duration_time": 808, - "rsa.time.event_time": "2006-09-08T04:22:48.000Z", - "rsa.time.event_time_str": "1157689368", - "rsa.web.alias_host": "radio.launch.yahoo.com", - "server.domain": "radio.launch.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "radio.launch", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 1627, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "radio.launch.yahoo.com", - "url.extension": "asp", - "url.original": "http://radio.launch.yahoo.com/radio/play/authplay.asp?", - "url.path": "/radio/play/authplay.asp", - "url.query": "", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "radio.launch", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:49.000Z", - "event.action": "TCP_DENIED", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689369.097 1226 10.105.37.65 TCP_DENIED/407 1728 GET http://natrocket.kmip.net:5288/iesocks? 
- NONE/- text/html", - "file.name": "iesocks", - "fileset.name": "log", - "input.type": "log", - "log.offset": 10013, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "natrocket.kmip.net" - ], - "related.ip": [ - "10.105.37.65" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_DENIED" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "407", - "rsa.network.domain": "natrocket.kmip.net", - "rsa.time.duration_time": 1226, - "rsa.time.event_time": "2006-09-08T04:22:49.000Z", - "rsa.time.event_time_str": "1157689369", - "rsa.web.alias_host": "natrocket.kmip.net", - "server.domain": "natrocket.kmip.net", - "server.registered_domain": "kmip.net", - "server.subdomain": "natrocket", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 1728, - "source.ip": "10.105.37.65", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "natrocket.kmip.net", - "url.original": "http://natrocket.kmip.net:5288/iesocks?", - "url.path": "/iesocks", - "url.port": 5288, - "url.query": "", - "url.registered_domain": "kmip.net", - "url.scheme": "http", - "url.subdomain": "natrocket", - "url.top_level_domain": "net", - "user.name": "-" - }, - { - "@timestamp": "2006-09-08T04:22:49.000Z", - "event.action": "TCP_DENIED", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689369.702 0 10.105.37.65 TCP_DENIED/407 1725 GET http://natrocket.kmip.net:5288/return? 
- NONE/- text/html", - "file.name": "return", - "fileset.name": "log", - "input.type": "log", - "log.offset": 10131, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "natrocket.kmip.net" - ], - "related.ip": [ - "10.105.37.65" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_DENIED" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "407", - "rsa.network.domain": "natrocket.kmip.net", - "rsa.time.duration_time": 0, - "rsa.time.event_time": "2006-09-08T04:22:49.000Z", - "rsa.time.event_time_str": "1157689369", - "rsa.web.alias_host": "natrocket.kmip.net", - "server.domain": "natrocket.kmip.net", - "server.registered_domain": "kmip.net", - "server.subdomain": "natrocket", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 1725, - "source.ip": "10.105.37.65", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "natrocket.kmip.net", - "url.original": "http://natrocket.kmip.net:5288/return?", - "url.path": "/return", - "url.port": 5288, - "url.query": "", - "url.registered_domain": "kmip.net", - "url.scheme": "http", - "url.subdomain": "natrocket", - "url.top_level_domain": "net", - "user.name": "-" - }, - { - "@timestamp": "2006-09-08T04:22:50.000Z", - "destination.ip": "213.160.98.159", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689370.125 1202 10.105.33.214 TCP_MISS/200 13124 GET http://us.news1.yimg.com/us.yimg.com/p/ap/20060907/thumb.1caf18e56db54eafb16da58356eb3382.amazon_com_online_video_watw101.jpg adeolaegbedokun DIRECT/213.160.98.159 image/jpeg", - "file.name": 
"thumb.1caf18e56db54eafb16da58356eb3382.amazon_com_online_video_watw101.jpg", - "fileset.name": "log", - "input.type": "log", - "log.offset": 10248, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "us.news1.yimg.com" - ], - "related.ip": [ - "10.105.33.214", - "213.160.98.159" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/jpeg", - "rsa.misc.result_code": "200", - "rsa.network.domain": "us.news1.yimg.com", - "rsa.time.duration_time": 1202, - "rsa.time.event_time": "2006-09-08T04:22:50.000Z", - "rsa.time.event_time_str": "1157689370", - "rsa.web.alias_host": "us.news1.yimg.com", - "server.domain": "us.news1.yimg.com", - "server.registered_domain": "yimg.com", - "server.subdomain": "us.news1", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 13124, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "us.news1.yimg.com", - "url.extension": "jpg", - "url.original": "http://us.news1.yimg.com/us.yimg.com/p/ap/20060907/thumb.1caf18e56db54eafb16da58356eb3382.amazon_com_online_video_watw101.jpg", - "url.path": "/us.yimg.com/p/ap/20060907/thumb.1caf18e56db54eafb16da58356eb3382.amazon_com_online_video_watw101.jpg", - "url.registered_domain": "yimg.com", - "url.scheme": "http", - "url.subdomain": "us.news1", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:50.000Z", - "destination.ip": "68.142.219.132", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689370.862 736 10.105.33.214 TCP_MISS/302 912 GET 
http://radio.launch.yahoo.com/radio/clientdata/515/starter.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html", - "file.name": "starter.asp", - "fileset.name": "log", - "input.type": "log", - "log.offset": 10482, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "radio.launch.yahoo.com" - ], - "related.ip": [ - "10.105.33.214", - "68.142.219.132" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "302", - "rsa.network.domain": "radio.launch.yahoo.com", - "rsa.time.duration_time": 736, - "rsa.time.event_time": "2006-09-08T04:22:50.000Z", - "rsa.time.event_time_str": "1157689370", - "rsa.web.alias_host": "radio.launch.yahoo.com", - "server.domain": "radio.launch.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "radio.launch", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 912, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "radio.launch.yahoo.com", - "url.extension": "asp", - "url.original": "http://radio.launch.yahoo.com/radio/clientdata/515/starter.asp?", - "url.path": "/radio/clientdata/515/starter.asp", - "url.query": "", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "radio.launch", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:51.000Z", - "destination.ip": "68.142.219.132", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689371.690 828 10.105.33.214 TCP_MISS/200 1450 GET 
http://radio.launch.yahoo.com/radio/player/default.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html", - "file.name": "default.asp", - "fileset.name": "log", - "input.type": "log", - "log.offset": 10651, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "radio.launch.yahoo.com" - ], - "related.ip": [ - "10.105.33.214", - "68.142.219.132" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "200", - "rsa.network.domain": "radio.launch.yahoo.com", - "rsa.time.duration_time": 828, - "rsa.time.event_time": "2006-09-08T04:22:51.000Z", - "rsa.time.event_time_str": "1157689371", - "rsa.web.alias_host": "radio.launch.yahoo.com", - "server.domain": "radio.launch.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "radio.launch", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 1450, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "radio.launch.yahoo.com", - "url.extension": "asp", - "url.original": "http://radio.launch.yahoo.com/radio/player/default.asp?", - "url.path": "/radio/player/default.asp", - "url.query": "", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "radio.launch", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:51.000Z", - "destination.ip": "213.160.98.152", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689371.987 3617 10.105.33.214 TCP_MISS/200 30432 GET 
http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_messenger/081106_lrec_msgr_interophitchhiker.swf? adeolaegbedokun DIRECT/213.160.98.152 application/x-shockwave-flash", - "file.name": "081106_lrec_msgr_interophitchhiker.swf", - "fileset.name": "log", - "input.type": "log", - "log.offset": 10813, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "us.a2.yimg.com" - ], - "related.ip": [ - "10.105.33.214", - "213.160.98.152" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "application/x-shockwave-flash", - "rsa.misc.result_code": "200", - "rsa.network.domain": "us.a2.yimg.com", - "rsa.time.duration_time": 3617, - "rsa.time.event_time": "2006-09-08T04:22:51.000Z", - "rsa.time.event_time_str": "1157689371", - "rsa.web.alias_host": "us.a2.yimg.com", - "server.domain": "us.a2.yimg.com", - "server.registered_domain": "yimg.com", - "server.subdomain": "us.a2", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 30432, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "us.a2.yimg.com", - "url.extension": "swf", - "url.original": "http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_messenger/081106_lrec_msgr_interophitchhiker.swf?", - "url.path": "/us.yimg.com/a/ya/yahoo_messenger/081106_lrec_msgr_interophitchhiker.swf", - "url.query": "", - "url.registered_domain": "yimg.com", - "url.scheme": "http", - "url.subdomain": "us.a2", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:53.000Z", - "destination.ip": "68.142.219.132", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - 
"event.module": "squid", - "event.original": "1157689373.315 1626 10.105.33.214 TCP_MISS/200 14643 GET http://radio.launch.yahoo.com/radio/player/stickwall.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html", - "file.name": "stickwall.asp", - "fileset.name": "log", - "input.type": "log", - "log.offset": 11035, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "radio.launch.yahoo.com" - ], - "related.ip": [ - "10.105.33.214", - "68.142.219.132" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "200", - "rsa.network.domain": "radio.launch.yahoo.com", - "rsa.time.duration_time": 1626, - "rsa.time.event_time": "2006-09-08T04:22:53.000Z", - "rsa.time.event_time_str": "1157689373", - "rsa.web.alias_host": "radio.launch.yahoo.com", - "server.domain": "radio.launch.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "radio.launch", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 14643, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "radio.launch.yahoo.com", - "url.extension": "asp", - "url.original": "http://radio.launch.yahoo.com/radio/player/stickwall.asp?", - "url.path": "/radio/player/stickwall.asp", - "url.query": "", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "radio.launch", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:54.000Z", - "destination.ip": "68.142.213.132", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - 
"event.original": "1157689374.065 2078 10.105.33.214 TCP_MISS/200 425 GET http://us.bc.yahoo.com/b? adeolaegbedokun DIRECT/68.142.213.132 image/gif", - "file.name": "b", - "fileset.name": "log", - "input.type": "log", - "log.offset": 11200, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "us.bc.yahoo.com" - ], - "related.ip": [ - "10.105.33.214", - "68.142.213.132" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "us.bc.yahoo.com", - "rsa.time.duration_time": 2078, - "rsa.time.event_time": "2006-09-08T04:22:54.000Z", - "rsa.time.event_time_str": "1157689374", - "rsa.web.alias_host": "us.bc.yahoo.com", - "server.domain": "us.bc.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "us.bc", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 425, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "us.bc.yahoo.com", - "url.original": "http://us.bc.yahoo.com/b?", - "url.path": "/b", - "url.query": "", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "us.bc", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:56.000Z", - "destination.ip": "68.142.194.14", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689376.221 2130 10.105.33.214 TCP_MISS/200 407 GET http://insider.msg.yahoo.com/ycontent/beacon.php;_ylc=X1MDNTcwMzAyODMEX3IDMgRldnQDdDAEaW50bAN1cwR2ZXIDNywwLDIsMTIw? 
adeolaegbedokun DIRECT/68.142.194.14 image/gif", - "file.name": "beacon.php;_ylc=X1MDNTcwMzAyODMEX3IDMgRldnQDdDAEaW50bAN1cwR2ZXIDNywwLDIsMTIw", - "fileset.name": "log", - "input.type": "log", - "log.offset": 11331, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "insider.msg.yahoo.com" - ], - "related.ip": [ - "10.105.33.214", - "68.142.194.14" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "insider.msg.yahoo.com", - "rsa.time.duration_time": 2130, - "rsa.time.event_time": "2006-09-08T04:22:56.000Z", - "rsa.time.event_time_str": "1157689376", - "rsa.web.alias_host": "insider.msg.yahoo.com", - "server.domain": "insider.msg.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "insider.msg", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 407, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "insider.msg.yahoo.com", - "url.extension": "php;_ylc=X1MDNTcwMzAyODMEX3IDMgRldnQDdDAEaW50bAN1cwR2ZXIDNywwLDIsMTIw", - "url.original": "http://insider.msg.yahoo.com/ycontent/beacon.php;_ylc=X1MDNTcwMzAyODMEX3IDMgRldnQDdDAEaW50bAN1cwR2ZXIDNywwLDIsMTIw?", - "url.path": "/ycontent/beacon.php;_ylc=X1MDNTcwMzAyODMEX3IDMgRldnQDdDAEaW50bAN1cwR2ZXIDNywwLDIsMTIw", - "url.query": "", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "insider.msg", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:57.000Z", - "destination.ip": "216.109.124.55", - "event.action": "TCP_MISS", - 
"event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689377.171 3412 10.105.33.214 TCP_MISS/200 1476 CONNECT pclick.internal.yahoo.com:443 adeolaegbedokun DIRECT/216.109.124.55 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 11551, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "pclick.internal.yahoo.com" - ], - "related.ip": [ - "10.105.33.214", - "216.109.124.55" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "pclick.internal.yahoo.com", - "rsa.time.duration_time": 3412, - "rsa.time.event_time": "2006-09-08T04:22:57.000Z", - "rsa.time.event_time_str": "1157689377", - "rsa.web.alias_host": "pclick.internal.yahoo.com", - "server.domain": "pclick.internal.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "pclick.internal", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 1476, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "pclick.internal.yahoo.com", - "url.original": "pclick.internal.yahoo.com:443", - "url.registered_domain": "yahoo.com", - "url.subdomain": "pclick.internal", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:57.000Z", - "event.action": "TCP_IMS_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689377.191 11 10.105.33.214 TCP_IMS_HIT/304 233 GET http://a1568.g.akamai.net/7/1568/1600/20051025184124/radio.launch.yahoo.com/radioapi/includes/js/compVersionedJS/rapiBridge_1_4.js 
adeolaegbedokun NONE/- application/x-javascript", - "file.name": "rapiBridge_1_4.js", - "fileset.name": "log", - "input.type": "log", - "log.offset": 11683, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "a1568.g.akamai.net" - ], - "related.ip": [ - "10.105.33.214" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" - ], - "rsa.misc.content_type": "application/x-javascript", - "rsa.misc.result_code": "304", - "rsa.network.domain": "a1568.g.akamai.net", - "rsa.time.duration_time": 11, - "rsa.time.event_time": "2006-09-08T04:22:57.000Z", - "rsa.time.event_time_str": "1157689377", - "rsa.web.alias_host": "a1568.g.akamai.net", - "server.domain": "a1568.g.akamai.net", - "server.registered_domain": "g.akamai.net", - "server.subdomain": "a1568", - "server.top_level_domain": "akamai.net", - "service.type": "squid", - "source.bytes": 233, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "a1568.g.akamai.net", - "url.extension": "js", - "url.original": "http://a1568.g.akamai.net/7/1568/1600/20051025184124/radio.launch.yahoo.com/radioapi/includes/js/compVersionedJS/rapiBridge_1_4.js", - "url.path": "/7/1568/1600/20051025184124/radio.launch.yahoo.com/radioapi/includes/js/compVersionedJS/rapiBridge_1_4.js", - "url.registered_domain": "g.akamai.net", - "url.scheme": "http", - "url.subdomain": "a1568", - "url.top_level_domain": "akamai.net", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:57.000Z", - "destination.ip": "213.160.98.159", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689377.424 1159 
10.105.33.214 TCP_MISS/304 236 GET http://a1568.g.akamai.net/7/1568/1600/20040405222754/radio.launch.yahoo.com/radio/clientdata/515/other.css adeolaegbedokun DIRECT/213.160.98.159 text/css", - "file.name": "other.css", - "fileset.name": "log", - "input.type": "log", - "log.offset": 11922, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "a1568.g.akamai.net" - ], - "related.ip": [ - "10.105.33.214", - "213.160.98.159" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/css", - "rsa.misc.result_code": "304", - "rsa.network.domain": "a1568.g.akamai.net", - "rsa.time.duration_time": 1159, - "rsa.time.event_time": "2006-09-08T04:22:57.000Z", - "rsa.time.event_time_str": "1157689377", - "rsa.web.alias_host": "a1568.g.akamai.net", - "server.domain": "a1568.g.akamai.net", - "server.registered_domain": "g.akamai.net", - "server.subdomain": "a1568", - "server.top_level_domain": "akamai.net", - "service.type": "squid", - "source.bytes": 236, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "a1568.g.akamai.net", - "url.extension": "css", - "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222754/radio.launch.yahoo.com/radio/clientdata/515/other.css", - "url.path": "/7/1568/1600/20040405222754/radio.launch.yahoo.com/radio/clientdata/515/other.css", - "url.registered_domain": "g.akamai.net", - "url.scheme": "http", - "url.subdomain": "a1568", - "url.top_level_domain": "akamai.net", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:58.000Z", - "destination.ip": "213.160.98.159", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": 
"squid.log", - "event.module": "squid", - "event.original": "1157689378.221 797 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_left.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif", - "file.name": "bg_left.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 12133, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "a1568.g.akamai.net" - ], - "related.ip": [ - "10.105.33.214", - "213.160.98.159" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "304", - "rsa.network.domain": "a1568.g.akamai.net", - "rsa.time.duration_time": 797, - "rsa.time.event_time": "2006-09-08T04:22:58.000Z", - "rsa.time.event_time_str": "1157689378", - "rsa.web.alias_host": "a1568.g.akamai.net", - "server.domain": "a1568.g.akamai.net", - "server.registered_domain": "g.akamai.net", - "server.subdomain": "a1568", - "server.top_level_domain": "akamai.net", - "service.type": "squid", - "source.bytes": 238, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "a1568.g.akamai.net", - "url.extension": "gif", - "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_left.gif", - "url.path": "/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_left.gif", - "url.registered_domain": "g.akamai.net", - "url.scheme": "http", - "url.subdomain": "a1568", - "url.top_level_domain": "akamai.net", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": 
"2006-09-08T04:22:58.000Z", - "destination.ip": "209.73.177.115", - "event.action": "TCP_MISS", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689378.473 3288 10.105.21.199 TCP_MISS/200 2681 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 -", - "fileset.name": "log", - "input.type": "log", - "log.offset": 12362, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "login.yahoo.com" - ], - "related.ip": [ - "10.105.21.199", - "209.73.177.115" - ], - "related.user": [ - "badeyek" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "200", - "rsa.network.domain": "login.yahoo.com", - "rsa.time.duration_time": 3288, - "rsa.time.event_time": "2006-09-08T04:22:58.000Z", - "rsa.time.event_time_str": "1157689378", - "rsa.web.alias_host": "login.yahoo.com", - "server.domain": "login.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "login", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 2681, - "source.ip": "10.105.21.199", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "login.yahoo.com", - "url.original": "login.yahoo.com:443", - "url.registered_domain": "yahoo.com", - "url.subdomain": "login", - "url.top_level_domain": "com", - "user.name": "badeyek" - }, - { - "@timestamp": "2006-09-08T04:22:58.000Z", - "destination.ip": "213.160.98.167", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689378.909 1405 10.105.33.214 TCP_MISS/304 136 GET 
http://a1568.g.akamai.net/7/1568/1600/20050829181418/radio.launch.yahoo.com/radio/common_radio/resources/images/noaccess_msgr_uk.gif adeolaegbedokun DIRECT/213.160.98.167 -", - "file.name": "noaccess_msgr_uk.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 12476, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "a1568.g.akamai.net" - ], - "related.ip": [ - "10.105.33.214", - "213.160.98.167" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "-", - "rsa.misc.result_code": "304", - "rsa.network.domain": "a1568.g.akamai.net", - "rsa.time.duration_time": 1405, - "rsa.time.event_time": "2006-09-08T04:22:58.000Z", - "rsa.time.event_time_str": "1157689378", - "rsa.web.alias_host": "a1568.g.akamai.net", - "server.domain": "a1568.g.akamai.net", - "server.registered_domain": "g.akamai.net", - "server.subdomain": "a1568", - "server.top_level_domain": "akamai.net", - "service.type": "squid", - "source.bytes": 136, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "a1568.g.akamai.net", - "url.extension": "gif", - "url.original": "http://a1568.g.akamai.net/7/1568/1600/20050829181418/radio.launch.yahoo.com/radio/common_radio/resources/images/noaccess_msgr_uk.gif", - "url.path": "/7/1568/1600/20050829181418/radio.launch.yahoo.com/radio/common_radio/resources/images/noaccess_msgr_uk.gif", - "url.registered_domain": "g.akamai.net", - "url.scheme": "http", - "url.subdomain": "a1568", - "url.top_level_domain": "akamai.net", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:58.000Z", - "destination.ip": "213.160.98.159", - "event.action": "TCP_MISS", - 
"event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689378.924 702 10.105.33.214 TCP_MISS/304 237 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_right.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif", - "file.name": "bg_right.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 12706, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "a1568.g.akamai.net" - ], - "related.ip": [ - "10.105.33.214", - "213.160.98.159" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "304", - "rsa.network.domain": "a1568.g.akamai.net", - "rsa.time.duration_time": 702, - "rsa.time.event_time": "2006-09-08T04:22:58.000Z", - "rsa.time.event_time_str": "1157689378", - "rsa.web.alias_host": "a1568.g.akamai.net", - "server.domain": "a1568.g.akamai.net", - "server.registered_domain": "g.akamai.net", - "server.subdomain": "a1568", - "server.top_level_domain": "akamai.net", - "service.type": "squid", - "source.bytes": 237, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "a1568.g.akamai.net", - "url.extension": "gif", - "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_right.gif", - "url.path": "/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_right.gif", - "url.registered_domain": "g.akamai.net", - "url.scheme": "http", - "url.subdomain": "a1568", - "url.top_level_domain": "akamai.net", - "user.name": 
"adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:58.000Z", - "event.action": "TCP_IMS_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689378.929 4 10.105.33.214 TCP_IMS_HIT/304 218 GET http://a1568.g.akamai.net/7/1568/1600/20040405222807/radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif adeolaegbedokun NONE/- image/gif", - "file.name": "t.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 12936, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "a1568.g.akamai.net" - ], - "related.ip": [ - "10.105.33.214" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "304", - "rsa.network.domain": "a1568.g.akamai.net", - "rsa.time.duration_time": 4, - "rsa.time.event_time": "2006-09-08T04:22:58.000Z", - "rsa.time.event_time_str": "1157689378", - "rsa.web.alias_host": "a1568.g.akamai.net", - "server.domain": "a1568.g.akamai.net", - "server.registered_domain": "g.akamai.net", - "server.subdomain": "a1568", - "server.top_level_domain": "akamai.net", - "service.type": "squid", - "source.bytes": 218, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "a1568.g.akamai.net", - "url.extension": "gif", - "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222807/radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif", - "url.path": "/7/1568/1600/20040405222807/radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif", - "url.registered_domain": "g.akamai.net", - "url.scheme": "http", - "url.subdomain": "a1568", - 
"url.top_level_domain": "akamai.net", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:59.000Z", - "destination.ip": "213.160.98.167", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689379.472 563 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_off.gif adeolaegbedokun DIRECT/213.160.98.167 image/gif", - "file.name": "bg_controls_off.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 13147, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "a1568.g.akamai.net" - ], - "related.ip": [ - "10.105.33.214", - "213.160.98.167" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "304", - "rsa.network.domain": "a1568.g.akamai.net", - "rsa.time.duration_time": 563, - "rsa.time.event_time": "2006-09-08T04:22:59.000Z", - "rsa.time.event_time_str": "1157689379", - "rsa.web.alias_host": "a1568.g.akamai.net", - "server.domain": "a1568.g.akamai.net", - "server.registered_domain": "g.akamai.net", - "server.subdomain": "a1568", - "server.top_level_domain": "akamai.net", - "service.type": "squid", - "source.bytes": 238, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "a1568.g.akamai.net", - "url.extension": "gif", - "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_off.gif", - "url.path": 
"/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_off.gif", - "url.registered_domain": "g.akamai.net", - "url.scheme": "http", - "url.subdomain": "a1568", - "url.top_level_domain": "akamai.net", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:22:59.000Z", - "destination.ip": "213.160.98.159", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689379.488 560 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222756/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_center.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif", - "file.name": "bg_center.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 13384, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "a1568.g.akamai.net" - ], - "related.ip": [ - "10.105.33.214", - "213.160.98.159" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "304", - "rsa.network.domain": "a1568.g.akamai.net", - "rsa.time.duration_time": 560, - "rsa.time.event_time": "2006-09-08T04:22:59.000Z", - "rsa.time.event_time_str": "1157689379", - "rsa.web.alias_host": "a1568.g.akamai.net", - "server.domain": "a1568.g.akamai.net", - "server.registered_domain": "g.akamai.net", - "server.subdomain": "a1568", - "server.top_level_domain": "akamai.net", - "service.type": "squid", - "source.bytes": 238, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "a1568.g.akamai.net", - "url.extension": "gif", - 
"url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222756/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_center.gif", - "url.path": "/7/1568/1600/20040405222756/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_center.gif", - "url.registered_domain": "g.akamai.net", - "url.scheme": "http", - "url.subdomain": "a1568", - "url.top_level_domain": "akamai.net", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:23:00.000Z", - "destination.ip": "213.160.98.167", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689380.159 685 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_fill.gif adeolaegbedokun DIRECT/213.160.98.167 image/gif", - "file.name": "bg_controls_fill.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 13615, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "a1568.g.akamai.net" - ], - "related.ip": [ - "10.105.33.214", - "213.160.98.167" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "304", - "rsa.network.domain": "a1568.g.akamai.net", - "rsa.time.duration_time": 685, - "rsa.time.event_time": "2006-09-08T04:23:00.000Z", - "rsa.time.event_time_str": "1157689380", - "rsa.web.alias_host": "a1568.g.akamai.net", - "server.domain": "a1568.g.akamai.net", - "server.registered_domain": "g.akamai.net", - "server.subdomain": "a1568", - "server.top_level_domain": "akamai.net", - "service.type": "squid", - 
"source.bytes": 238, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "a1568.g.akamai.net", - "url.extension": "gif", - "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_fill.gif", - "url.path": "/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_fill.gif", - "url.registered_domain": "g.akamai.net", - "url.scheme": "http", - "url.subdomain": "a1568", - "url.top_level_domain": "akamai.net", - "user.name": "adeolaegbedokun" - }, - { - "@timestamp": "2006-09-08T04:23:01.000Z", - "event.action": "TCP_DENIED", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689381.267 1 10.105.37.180 TCP_DENIED/407 1728 GET http://www.google.com/supported_domains - NONE/- text/html", - "file.name": "supported_domains", - "fileset.name": "log", - "input.type": "log", - "log.offset": 13853, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "www.google.com" - ], - "related.ip": [ - "10.105.37.180" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_DENIED" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "407", - "rsa.network.domain": "www.google.com", - "rsa.time.duration_time": 1, - "rsa.time.event_time": "2006-09-08T04:23:01.000Z", - "rsa.time.event_time_str": "1157689381", - "rsa.web.alias_host": "www.google.com", - "server.domain": "www.google.com", - "server.registered_domain": "google.com", - "server.subdomain": "www", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 1728, - "source.ip": "10.105.37.180", - 
"tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www.google.com", - "url.original": "http://www.google.com/supported_domains", - "url.path": "/supported_domains", - "url.registered_domain": "google.com", - "url.scheme": "http", - "url.subdomain": "www", - "url.top_level_domain": "com", - "user.name": "-" - }, - { - "@timestamp": "2006-09-08T04:23:01.000Z", - "event.action": "TCP_DENIED", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689381.659 0 10.105.47.191 TCP_DENIED/407 1782 GET http://us.mcafee.com/apps/agent/en-us/agent5/chknews.asp? - NONE/- text/html", - "file.name": "chknews.asp", - "fileset.name": "log", - "input.type": "log", - "log.offset": 13972, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "us.mcafee.com" - ], - "related.ip": [ - "10.105.47.191" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_DENIED" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "407", - "rsa.network.domain": "us.mcafee.com", - "rsa.time.duration_time": 0, - "rsa.time.event_time": "2006-09-08T04:23:01.000Z", - "rsa.time.event_time_str": "1157689381", - "rsa.web.alias_host": "us.mcafee.com", - "server.domain": "us.mcafee.com", - "server.registered_domain": "mcafee.com", - "server.subdomain": "us", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 1782, - "source.ip": "10.105.47.191", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "us.mcafee.com", - "url.extension": "asp", - "url.original": "http://us.mcafee.com/apps/agent/en-us/agent5/chknews.asp?", - "url.path": "/apps/agent/en-us/agent5/chknews.asp", - "url.query": "", - "url.registered_domain": 
"mcafee.com", - "url.scheme": "http", - "url.subdomain": "us", - "url.top_level_domain": "com", - "user.name": "-" - }, - { - "@timestamp": "2006-09-08T04:23:01.000Z", - "destination.ip": "216.109.125.112", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689381.660 2171 10.105.33.214 TCP_MISS/200 449 GET http://launch.adserver.yahoo.com/l? adeolaegbedokun DIRECT/216.109.125.112 image/gif", - "file.name": "l", - "fileset.name": "log", - "input.type": "log", - "log.offset": 14109, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "launch.adserver.yahoo.com" - ], - "related.ip": [ - "10.105.33.214", - "216.109.125.112" - ], - "related.user": [ - "adeolaegbedokun" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "launch.adserver.yahoo.com", - "rsa.time.duration_time": 2171, - "rsa.time.event_time": "2006-09-08T04:23:01.000Z", - "rsa.time.event_time_str": "1157689381", - "rsa.web.alias_host": "launch.adserver.yahoo.com", - "server.domain": "launch.adserver.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "launch.adserver", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 449, - "source.ip": "10.105.33.214", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "launch.adserver.yahoo.com", - "url.original": "http://launch.adserver.yahoo.com/l?", - "url.path": "/l", - "url.query": "", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "launch.adserver", - "url.top_level_domain": "com", - "user.name": "adeolaegbedokun" - 
}, - { - "@timestamp": "2006-09-08T04:23:02.000Z", - "destination.ip": "217.12.10.96", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689382.173 3700 10.105.21.199 TCP_MISS/200 11746 GET http://uk.f250.mail.yahoo.com/dc/launch? badeyek DIRECT/217.12.10.96 text/html", - "file.name": "launch", - "fileset.name": "log", - "input.type": "log", - "log.offset": 14251, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "uk.f250.mail.yahoo.com" - ], - "related.ip": [ - "10.105.21.199", - "217.12.10.96" - ], - "related.user": [ - "badeyek" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "200", - "rsa.network.domain": "uk.f250.mail.yahoo.com", - "rsa.time.duration_time": 3700, - "rsa.time.event_time": "2006-09-08T04:23:02.000Z", - "rsa.time.event_time_str": "1157689382", - "rsa.web.alias_host": "uk.f250.mail.yahoo.com", - "server.domain": "uk.f250.mail.yahoo.com", - "server.registered_domain": "yahoo.com", - "server.subdomain": "uk.f250.mail", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 11746, - "source.ip": "10.105.21.199", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "uk.f250.mail.yahoo.com", - "url.original": "http://uk.f250.mail.yahoo.com/dc/launch?", - "url.path": "/dc/launch", - "url.query": "", - "url.registered_domain": "yahoo.com", - "url.scheme": "http", - "url.subdomain": "uk.f250.mail", - "url.top_level_domain": "com", - "user.name": "badeyek" - }, - { - "@timestamp": "2006-09-08T04:23:02.000Z", - "event.action": "TCP_DENIED", - "event.code": "CONNECT", - "event.dataset": "squid.log", - 
"event.module": "squid", - "event.original": "1157689382.622 1 10.105.37.180 TCP_DENIED/407 1670 CONNECT login.live.com:443 - NONE/- text/html", - "fileset.name": "log", - "input.type": "log", - "log.offset": 14389, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "login.live.com" - ], - "related.ip": [ - "10.105.37.180" - ], - "related.user": [ - "-" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "TCP_DENIED" - ], - "rsa.misc.content_type": "text/html", - "rsa.misc.result_code": "407", - "rsa.network.domain": "login.live.com", - "rsa.time.duration_time": 1, - "rsa.time.event_time": "2006-09-08T04:23:02.000Z", - "rsa.time.event_time_str": "1157689382", - "rsa.web.alias_host": "login.live.com", - "server.domain": "login.live.com", - "server.registered_domain": "live.com", - "server.subdomain": "login", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 1670, - "source.ip": "10.105.37.180", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "login.live.com", - "url.original": "login.live.com:443", - "url.registered_domain": "live.com", - "url.subdomain": "login", - "url.top_level_domain": "com", - "user.name": "-" - }, - { - "@timestamp": "2006-09-08T04:23:04.000Z", - "destination.ip": "213.160.98.169", - "event.action": "TCP_SWAPFAIL_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689384.316 2828 10.105.21.199 TCP_SWAPFAIL_MISS/200 633 GET http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/77cf3e56414f974dfd8616f56f0f632c_1.js badeyek DIRECT/213.160.98.169 application/x-javascript", - "file.name": "77cf3e56414f974dfd8616f56f0f632c_1.js", - "fileset.name": "log", - "input.type": "log", - "log.offset": 14491, - "observer.product": 
"Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "us.js2.yimg.com" - ], - "related.ip": [ - "10.105.21.199", - "213.160.98.169" - ], - "related.user": [ - "badeyek" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_SWAPFAIL_MISS" - ], - "rsa.misc.content_type": "application/x-javascript", - "rsa.misc.result_code": "200", - "rsa.network.domain": "us.js2.yimg.com", - "rsa.time.duration_time": 2828, - "rsa.time.event_time": "2006-09-08T04:23:04.000Z", - "rsa.time.event_time_str": "1157689384", - "rsa.web.alias_host": "us.js2.yimg.com", - "server.domain": "us.js2.yimg.com", - "server.registered_domain": "yimg.com", - "server.subdomain": "us.js2", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 633, - "source.ip": "10.105.21.199", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "us.js2.yimg.com", - "url.extension": "js", - "url.original": "http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/77cf3e56414f974dfd8616f56f0f632c_1.js", - "url.path": "/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/77cf3e56414f974dfd8616f56f0f632c_1.js", - "url.registered_domain": "yimg.com", - "url.scheme": "http", - "url.subdomain": "us.js2", - "url.top_level_domain": "com", - "user.name": "badeyek" - }, - { - "@timestamp": "2006-09-08T04:23:05.000Z", - "event.action": "TCP_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689385.714 1397 10.105.21.199 TCP_HIT/200 1742 GET http://us.js1.yimg.com/us.yimg.com/lib/hdr/ygma5.css badeyek NONE/- text/css", - "file.name": "ygma5.css", - "fileset.name": "log", - "input.type": "log", - "log.offset": 14714, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - 
"related.hosts": [ - "us.js1.yimg.com" - ], - "related.ip": [ - "10.105.21.199" - ], - "related.user": [ - "badeyek" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_HIT" - ], - "rsa.misc.content_type": "text/css", - "rsa.misc.result_code": "200", - "rsa.network.domain": "us.js1.yimg.com", - "rsa.time.duration_time": 1397, - "rsa.time.event_time": "2006-09-08T04:23:05.000Z", - "rsa.time.event_time_str": "1157689385", - "rsa.web.alias_host": "us.js1.yimg.com", - "server.domain": "us.js1.yimg.com", - "server.registered_domain": "yimg.com", - "server.subdomain": "us.js1", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 1742, - "source.ip": "10.105.21.199", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "us.js1.yimg.com", - "url.extension": "css", - "url.original": "http://us.js1.yimg.com/us.yimg.com/lib/hdr/ygma5.css", - "url.path": "/us.yimg.com/lib/hdr/ygma5.css", - "url.registered_domain": "yimg.com", - "url.scheme": "http", - "url.subdomain": "us.js1", - "url.top_level_domain": "com", - "user.name": "badeyek" - }, - { - "@timestamp": "2006-09-08T04:23:07.000Z", - "destination.ip": "213.160.98.169", - "event.action": "TCP_MISS", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689387.690 1977 10.105.21.199 TCP_MISS/200 14561 GET http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/f7fc76100697c9c2d25dd0ec35e563b0_1.js badeyek DIRECT/213.160.98.169 application/x-javascript", - "file.name": "f7fc76100697c9c2d25dd0ec35e563b0_1.js", - "fileset.name": "log", - "input.type": "log", - "log.offset": 14848, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "us.js2.yimg.com" - ], - "related.ip": [ - 
"10.105.21.199", - "213.160.98.169" - ], - "related.user": [ - "badeyek" - ], - "rsa.internal.hcode": "DIRECT", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_MISS" - ], - "rsa.misc.content_type": "application/x-javascript", - "rsa.misc.result_code": "200", - "rsa.network.domain": "us.js2.yimg.com", - "rsa.time.duration_time": 1977, - "rsa.time.event_time": "2006-09-08T04:23:07.000Z", - "rsa.time.event_time_str": "1157689387", - "rsa.web.alias_host": "us.js2.yimg.com", - "server.domain": "us.js2.yimg.com", - "server.registered_domain": "yimg.com", - "server.subdomain": "us.js2", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 14561, - "source.ip": "10.105.21.199", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "us.js2.yimg.com", - "url.extension": "js", - "url.original": "http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/f7fc76100697c9c2d25dd0ec35e563b0_1.js", - "url.path": "/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/f7fc76100697c9c2d25dd0ec35e563b0_1.js", - "url.registered_domain": "yimg.com", - "url.scheme": "http", - "url.subdomain": "us.js2", - "url.top_level_domain": "com", - "user.name": "badeyek" - }, - { - "@timestamp": "2006-09-08T04:23:07.000Z", - "event.action": "TCP_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689387.771 80 10.105.21.199 TCP_HIT/200 68733 GET http://us.js1.yimg.com/us.yimg.com/lib/pim/r/medici/13_15/mail/ac.js badeyek NONE/- application/x-javascript", - "file.name": "ac.js", - "fileset.name": "log", - "input.type": "log", - "log.offset": 15064, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "us.js1.yimg.com" - ], - "related.ip": [ - "10.105.21.199" - ], - "related.user": [ - 
"badeyek" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_HIT" - ], - "rsa.misc.content_type": "application/x-javascript", - "rsa.misc.result_code": "200", - "rsa.network.domain": "us.js1.yimg.com", - "rsa.time.duration_time": 80, - "rsa.time.event_time": "2006-09-08T04:23:07.000Z", - "rsa.time.event_time_str": "1157689387", - "rsa.web.alias_host": "us.js1.yimg.com", - "server.domain": "us.js1.yimg.com", - "server.registered_domain": "yimg.com", - "server.subdomain": "us.js1", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 68733, - "source.ip": "10.105.21.199", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "us.js1.yimg.com", - "url.extension": "js", - "url.original": "http://us.js1.yimg.com/us.yimg.com/lib/pim/r/medici/13_15/mail/ac.js", - "url.path": "/us.yimg.com/lib/pim/r/medici/13_15/mail/ac.js", - "url.registered_domain": "yimg.com", - "url.scheme": "http", - "url.subdomain": "us.js1", - "url.top_level_domain": "com", - "user.name": "badeyek" - }, - { - "@timestamp": "2006-09-08T04:23:07.000Z", - "event.action": "TCP_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689387.830 1 10.105.21.199 TCP_HIT/200 898 GET http://us.js2.yimg.com/us.js.yimg.com/lib/common/utils/2/yahoo_2.0.0-b4.js badeyek NONE/- application/x-javascript", - "file.name": "yahoo_2.0.0-b4.js", - "fileset.name": "log", - "input.type": "log", - "log.offset": 15231, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "us.js2.yimg.com" - ], - "related.ip": [ - "10.105.21.199" - ], - "related.user": [ - "badeyek" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": 
"Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "TCP_HIT" - ], - "rsa.misc.content_type": "application/x-javascript", - "rsa.misc.result_code": "200", - "rsa.network.domain": "us.js2.yimg.com", - "rsa.time.duration_time": 1, - "rsa.time.event_time": "2006-09-08T04:23:07.000Z", - "rsa.time.event_time_str": "1157689387", - "rsa.web.alias_host": "us.js2.yimg.com", - "server.domain": "us.js2.yimg.com", - "server.registered_domain": "yimg.com", - "server.subdomain": "us.js2", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 898, - "source.ip": "10.105.21.199", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "us.js2.yimg.com", - "url.extension": "js", - "url.original": "http://us.js2.yimg.com/us.js.yimg.com/lib/common/utils/2/yahoo_2.0.0-b4.js", - "url.path": "/us.js.yimg.com/lib/common/utils/2/yahoo_2.0.0-b4.js", - "url.registered_domain": "yimg.com", - "url.scheme": "http", - "url.subdomain": "us.js2", - "url.top_level_domain": "com", - "user.name": "badeyek" - }, - { - "@timestamp": "2006-09-08T04:23:07.000Z", - "event.action": "TCP_HIT", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "1157689387.832 60 10.105.21.199 TCP_HIT/200 26803 GET http://us.i1.yimg.com/us.yimg.com/i/us/pim/dclient/d/img/liam_ball_1.gif badeyek NONE/- image/gif", - "file.name": "liam_ball_1.gif", - "fileset.name": "log", - "input.type": "log", - "log.offset": 15402, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "us.i1.yimg.com" - ], - "related.ip": [ - "10.105.21.199" - ], - "related.user": [ - "badeyek" - ], - "rsa.internal.hcode": "NONE", - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - 
"TCP_HIT" - ], - "rsa.misc.content_type": "image/gif", - "rsa.misc.result_code": "200", - "rsa.network.domain": "us.i1.yimg.com", - "rsa.time.duration_time": 60, - "rsa.time.event_time": "2006-09-08T04:23:07.000Z", - "rsa.time.event_time_str": "1157689387", - "rsa.web.alias_host": "us.i1.yimg.com", - "server.domain": "us.i1.yimg.com", - "server.registered_domain": "yimg.com", - "server.subdomain": "us.i1", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 26803, - "source.ip": "10.105.21.199", - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "us.i1.yimg.com", - "url.extension": "gif", - "url.original": "http://us.i1.yimg.com/us.yimg.com/i/us/pim/dclient/d/img/liam_ball_1.gif", - "url.path": "/us.yimg.com/i/us/pim/dclient/d/img/liam_ball_1.gif", - "url.registered_domain": "yimg.com", - "url.scheme": "http", - "url.subdomain": "us.i1", - "url.top_level_domain": "com", - "user.name": "badeyek" - } -] diff --git a/x-pack/filebeat/module/squid/log/test/generated.log b/x-pack/filebeat/module/squid/log/test/generated.log deleted file mode 100644 index 14078eea632..00000000000 --- a/x-pack/filebeat/module/squid/log/test/generated.log +++ /dev/null 
@@ -1,100 +0,0 @@ -10.251.224.219 7337 [29/Jan/2016:6:09:59 nto] "PROPFIND https://example.org/exercita/der.htm?odoco=ria#min ite" 10.234.224.44 etdo tation "quasiarc" liqua ciade 5699 "https://example.net/umq/ntium.gif?nes=eab#aliqu" "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]" deny -10.102.123.34 7178 [12/Feb/2016:1:12:33 nostrud] "PURGE https://www.example.org/enderitq/sperna.txt?billoi=oreetdol#nidolor tatemU" 10.70.36.222 estlabo doeiu "nia" olupt volup 208 "https://example.com/eosquir/orsi.txt?itessequ=vol#luptat" "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10" deny -10.15.135.248 7269 [26/Feb/2016:8:15:08 mquia] "OPTIONS https://internal.example.com/aqu/utper.jpg?eFinib=omm#iin proident" 10.142.172.64 lupt tia "oloremqu" temvel iatu 5493 "https://example.net/dolo/meumfug.gif?roinBCS=ufugiatn#tionulam" "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36" accept -10.44.134.153 5162 [12/Mar/2016:3:17:42 nci] "GET https://api.example.org/ceroinBC/ratvolup.gif?iatu=ionofde#con uia" quiavo 1156 "https://mail.example.com/consec/taliquip.html?radip=tNequ#gelit" "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61" allow 10.81.122.126 taev 160.145000 -10.160.95.56 1980 [26/Mar/2016:10:20:16 aqui] "PUT https://api.example.org/isetq/estqui.gif?magn=equuntu#eos enimad" 10.171.175.51 boreet onev "tenima" laboreet aquaeabi 5738 "https://api.example.net/veleumi/tia.gif?ude=maveniam#uian" "Mozilla/5.0 (Linux; 
Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" cancel -10.175.107.139 4243 [09/Apr/2016:5:22:51 antium] "HEAD https://www.example.org/inesci/rsitvolu.txt?pori=occ#ect reetdolo" 10.12.195.60 uiano mrema "autfu" natura aboris 2946 "https://api.example.com/ssitaspe/gitsedqu.jpg?iutal=dexe#urerep" "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91" accept -10.198.136.50 6875 [24/Apr/2016:12:25:25 llam] "DELETE https://www5.example.com/ari/eataevit.txt?iam=mqua#atat quunt" 10.207.249.121 iciade tsed "orai" mUt usmodte 1296 "https://www.example.org/ametcons/porainc.jpg?temsequ=emquiavo#nonnu" "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30" allow -10.34.9.93 124 [08/May/2016:7:27:59 onse] "PROPFIND https://example.org/tatno/imav.htm?ofdeF=tion#orsitame quiratio" 10.116.120.216 qua umdo "sed" apariat mol 1510 "https://internal.example.net/turveli/toccae.htm?erc=taliqu#temUten" "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36" accept -10.90.131.186 6343 [22/May/2016:2:30:33 nimadmin] "HEAD https://example.org/uaera/sitas.txt?aedic=atquovo#iumto aboreetd" 10.30.216.41 enim saute "vel" quu undeo 5794 "https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq" "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91" accept -10.8.88.110 7618 [05/Jun/2016:9:33:08 ionul] "CONNECT https://mail.example.org/edquiano/loru.htm?end=enia#nsequu cup" 10.203.172.203 idestla Nemoeni "uradi" aborumSe luptat 6884 "https://www5.example.org/strude/ctetura.htm?ittenbyC=aperi#lor" "Mozilla/5.0 (Linux; Android 9; 
POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" accept -10.71.34.9 267 [20/Jun/2016:4:35:42 dolore] "UNLOCK https://www.example.org/iqui/etc.txt?tatiset=eprehen#xercitat lpa" 10.158.185.163 rudexerc aliq "rsitam" quam adm 987 "https://www.example.org/ritatis/oloremi.txt?icab=mwr#fugi" "Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g" allow -10.210.74.24 6423 [04/Jul/2016:11:38:16 untut] "OPTIONS https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu stiae" 10.201.76.240 amqu uines "nsec" onse emips 2655 "https://example.net/tion/eataev.htm?uiineavo=tisetq#irati" "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" accept -10.114.138.121 1939 [18/Jul/2016:6:40:50 tati] "COPY https://api.example.org/oriosamn/deFinibu.gif?iciatisu=rehender#eporroqu uat" 10.206.136.206 suntinc xeac "nidolo" tatn eli 6462 "https://www.example.net/pida/nse.html?emeumfu=CSed#lupt" "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" deny -10.200.199.166 3727 [02/Aug/2016:1:43:25 amvolup] "COPY https://mail.example.org/rehend/tio.html?numqu=qui#civeli lum" 10.134.161.118 tat ipitla "quae" maccusa uptat 3458 "https://www.example.com/xerci/aqu.htm?olorema=iades#siarchi" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36" block -10.122.46.71 2807 [16/Aug/2016:8:45:59 ihilm] "NONE https://www.example.org/eav/ionevo.txt?siar=orev#iamquis quirat" 10.76.3.41 isc aturve "emulla" mpori aaliquaU 2989 "https://www5.example.com/ern/psaquae.html?nsectet=utla#utei" "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" allow -10.164.250.63 2530 [30/Aug/2016:3:48:33 eritqu] "PROPFIND https://internal.example.net/wri/bor.jpg?hitect=dol#leumiu namali" 10.249.213.83 nsecte itame "eumfug" lit asun 1250 "https://api.example.com/oluptate/onseq.html?labore=texp#tMalor" "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30" accept -10.61.242.75 2591 [13/Sep/2016:10:51:07 dantiumt] "HEAD https://api.example.net/equat/doloreme.htm?ione=ihilmole#eriamea amre" 10.236.248.65 pisciv iquidex "radipisc" tmo fficiade 3280 "https://www5.example.net/uioffi/oru.jpg?one=etMalor#ipi" "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" cancel -10.13.59.31 5685 [28/Sep/2016:5:53:42 sperna] "PUT https://www5.example.com/estia/tper.gif?volupt=osqui#xerc iutali" 10.214.7.83 liquide etdol "uela" boN eprehend 2462 "https://internal.example.net/lamcolab/ati.jpg?gel=lorsitam#mpo" "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" block -10.89.201.140 2447 [12/Oct/2016:12:56:16 uamei] "GET https://internal.example.net/sin/rvel.htm?nimid=itatione#isnis uptasn" 10.49.92.179 osamn isnisiu "bore" tsu tcons 3128 "https://api.example.org/lorinre/olorsita.gif?idata=rumwritt#magnid" "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36" accept -10.235.7.92 5787 [26/Oct/2016:7:58:50 nsecte] "PURGE https://api.example.org/abo/veniamqu.gif?aliquide=ofde#equat derit" 10.90.86.89 piscin lapar "laboree" tfu udan 5516 "https://mail.example.net/xeacomm/mveleu.htm?utlabor=rau#idex" "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/77.0.3865.92 Mobile Safari/537.36" deny -10.14.211.43 4762 [10/Nov/2016:3:01:24 eiu] "PROPFIND https://api.example.org/autfu/gnaaliq.jpg?olupta=litse#icabo itatio" 10.14.48.16 sintoc volupt "siste" uiinea Utenima 1612 "https://www5.example.net/ptatem/Nequepor.html?ugiatnu=ciati#nto" "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30" cancel -10.47.25.230 5491 [24/Nov/2016:10:03:59 ese] "CONNECT https://internal.example.net/ptatemq/luptatev.html?Nequepo=ipsumd#ntocc uteirure" 10.93.123.174 evelit reetdolo "smo" etcons iusmodi 1563 "https://example.com/uiac/epte.gif?itam=aper#santiumd" "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10" block -10.7.46.36 837 [08/Dec/2016:5:06:33 nonn] "MKOL https://www5.example.net/quiavol/rrorsi.gif?iatisu=sec#cons sBon" 10.233.48.103 leumiur tlab "aperiame" isc ullamcor 584 "https://www5.example.com/tateve/itinvol.txt?tenatus=cipitlab#ipsumd" "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30" cancel -10.93.220.10 2805 [23/Dec/2016:12:09:07 com] "PROPATCH https://api.example.net/orain/tiumt.jpg?litessec=itas#edquia sequatu" 10.27.58.92 amvo qui "tasn" Nemoenim squirati 63 "https://mail.example.com/nbyCic/utlabor.html?iciade=ntiumt#iquipe" "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36" accept -10.213.144.249 4427 [06/Jan/2017:7:11:41 taedicta] "PURGE https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut uamni" 10.135.217.12 metMalo ntexplic "archite" loreme untu 5676 "https://example.net/con/nisist.gif?ium=esciuntN#idunt" "Mozilla/5.0 (Linux; Android 9; G8142) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" block -10.13.226.57 3275 [20/Jan/2017:2:14:16 runtm] "PURGE https://mail.example.net/velitse/oditem.html?torever=oremi#mestq temUt" 10.233.239.112 npr mquelau "iadolor" amcol adeser 3780 "https://internal.example.com/tqu/reprehen.gif?quam=quid#fugiat" "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36" cancel -10.161.203.252 301 [03/Feb/2017:9:16:50 emquia] "CONNECT https://internal.example.org/isnisi/ritatise.gif?tamet=quatur#uisa eFi" 10.21.169.127 rpori ice "oles" edic seq 2835 "https://example.com/tatn/dolorsit.jpg?billo=labo#oNemoeni" "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" accept -10.17.215.111 148 [18/Feb/2017:4:19:24 ratv] "LOCK https://www.example.net/ianon/tsed.htm?ameiusm=proide#ano piscinge" 10.69.139.26 ditemp edqui "nre" veli volupta 7124 "https://api.example.com/ersp/enderi.jpg?adi=umwrit#uptate" "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30" block -10.10.213.83 7206 [04/Mar/2017:11:21:59 nisi] "COPY https://www5.example.org/ncididun/umSe.jpg?ise=itau#apariat vitaedi" 10.104.80.189 dolore onsecte "nBCSedut" ugiat onulam 1542 "https://mail.example.org/oditautf/quatu.jpg?lumdolor=nonp#labo" "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" accept -10.125.131.91 3480 [18/Mar/2017:6:24:33 urv] "UNLOCK https://example.org/uatur/adminimv.gif?exeacom=roidents#tem dol" 10.116.230.217 mvele isis "uasiar" utlab emUteni 7122 "https://api.example.org/lor/velillu.html?dolorem=tvolu#nreprehe" "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16" block -10.26.96.202 2751 [02/Apr/2017:1:27:07 
rautodi] "ICP_QUERY https://api.example.com/ven/rQu.html?doloreme=dun#reprehe tincu" 10.119.90.128 lor oraincid "intocc" amcorp ntsunt 4826 "https://mail.example.com/olo/psumqu.txt?fdeF=iquidexe#diconse" "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91" cancel -10.0.98.205 126 [16/Apr/2017:8:29:41 edquiac] "HEAD https://api.example.net/eseru/quamest.html?qua=rsita#ate ipsamvo" 10.76.110.144 tdol upt "mex" tatem untutlab 3386 "https://mail.example.com/plicab/oremq.html?uisaute=imide#poriss" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36" deny -10.224.11.165 1646 [30/Apr/2017:3:32:16 nof] "MOVE https://internal.example.org/mvolu/conse.txt?aincidu=nimadmin#isiu licabo" 10.135.46.242 lupta xeaco "nvolupt" oremi elites 1940 "https://www.example.org/boNemoe/onsequ.html?amvolupt=onevolu#mnis" "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36" deny -10.27.44.4 4686 [14/May/2017:10:34:50 sequatD] "TRACE https://internal.example.org/isciv/rroqu.html?uisa=tametco#ilmol eri" 10.154.53.249 tae autodit "elit" cidunt plica 7398 "https://internal.example.org/emqu/nderi.html?accusant=onse#admin" "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10" accept -10.93.39.140 4275 [29/May/2017:5:37:24 ute] "COPY https://www5.example.net/uaeratv/isa.txt?periam=dqu#pid rExc" 10.150.245.88 orisn reetd "prehen" ntutlabo iusmodte 1738 "https://example.org/isc/Nequepor.txt?rem=idid#tesse" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 
Yowser/2.5 Safari/537.36" cancel -10.61.92.2 6595 [12/Jun/2017:12:39:58 maliquam] "UNLOCK https://www5.example.com/orroq/vitaedic.txt?orisni=ons#remagn ecillu" 10.73.207.70 llamco atu "untincul" ssecil commodi 3023 "https://mail.example.net/tate/onevo.htm?emvele=isnost#olorem" "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30" block -10.84.32.178 5271 [26/Jun/2017:7:42:33 aliq] "GET https://example.net/mven/olorsit.gif?oremag=illu#ruredo mac" temUt 2741 "https://internal.example.com/uamnihi/risnis.html?scingeli=isn#sBono" "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36" allow 10.50.124.116 numquam 104.719000 -10.173.222.131 918 [11/Jul/2017:2:45:07 ori] "TRACE https://www5.example.net/rum/eataevi.html?ulla=iqu#oin hil" 10.211.234.224 uiadol Duisa "lupta" aUt boNem 5564 "https://api.example.org/maveni/onevo.htm?liquaUte=alorum#obeataev" "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" accept -10.11.83.126 6581 [25/Jul/2017:9:47:41 naaliq] "PROPFIND https://mail.example.net/osquir/mod.txt?fugitse=imad#tinvolup tsed" 10.0.157.225 itam atu "lloin" remipsum tempor 1282 "https://www5.example.net/incidid/rure.htm?edquian=loremeu#aturve" "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" deny -10.228.77.21 6889 [08/Aug/2017:4:50:15 lamc] "PUT https://api.example.com/asper/umq.txt?itasper=uae#mve uia" 10.92.237.93 mad onse "redol" gnaa mod 5107 "https://www5.example.com/toditaut/voluptat.htm?strumex=eprehend#asnu" "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30" cancel -10.102.215.23 
3665 [22/Aug/2017:11:52:50 esseq] "POST https://www5.example.net/quatD/isqua.jpg?oloreseo=iruredol#veniamqu licaboN" 10.20.28.92 econs ntexpl "dunt" litsedq nderiti 409 "https://api.example.com/Cic/olorema.txt?iscive=quasiar#aeab" "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16" allow -10.45.28.159 5627 [06/Sep/2017:6:55:24 ree] "NONE https://api.example.net/ation/luptas.html?iatqu=lorsi#repreh plic" 10.17.87.79 tetur tionula "ritqu" ecatcupi uamei 4595 "https://www5.example.com/onse/olorem.gif?duntutla=ntium#iration" "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" block -10.177.238.45 5137 [20/Sep/2017:1:57:58 ssusci] "DELETE https://internal.example.com/mpo/unte.jpg?ueipsa=scipitl#eumi quasiarc" 10.189.94.51 tetura rsp "oluptat" metco acom 5704 "https://api.example.com/tem/exeacomm.txt?taliqui=mides#ciun" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36" allow -10.46.77.76 5169 [04/Oct/2017:9:00:32 anim] "GET https://www.example.org/uov/quaeab.jpg?moles=dipiscin#olup aco" 10.101.85.169 natu liquid "enim" Finibus radi 5697 "https://example.com/taed/umdolo.html?rroqu=dquiaco#nibus" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36" accept -10.24.54.129 77 [19/Oct/2017:4:03:07 eprehend] "HEAD https://example.net/edolo/ugiatquo.jpg?eosquira=pta#snos orsi" 10.231.7.209 lorsita eavol "osamnis" temaccu scipitl 1247 "https://www5.example.org/caboNem/urExcept.txt?litesseq=atcupida#tessequa" "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36" block -10.121.163.5 7803 [02/Nov/2017:11:05:41 redol] "CONNECT https://api.example.org/isci/dolor.htm?orinrep=quiavol#nrepreh 
ratv" 10.77.129.175 tali BCS "qui" ugiatquo incidid 2617 "https://www.example.com/sBonor/fugits.jpg?amc=vol#admi" "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" allow -10.51.236.148 329 [16/Nov/2017:6:08:15 adol] "PROPFIND https://mail.example.com/roide/tem.gif?rerepre=nculpaq#culpaqui tvolup" 10.116.146.114 col obea "emp" agnaaliq est 1444 "https://www.example.com/inculp/onofd.gif?umdolors=dolori#asperna" "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91" deny -10.244.108.135 6997 [01/Dec/2017:1:10:49 ume] "NONE https://internal.example.net/rautod/olest.jpg?lapar=ritati#edquia itesse" 10.217.222.99 ame amvolu "mip" tion tobeatae 2512 "https://api.example.com/iqua/luptat.txt?oremqu=uradi#velitsed" "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90" block -10.4.69.152 3833 [15/Dec/2017:8:13:24 scivel] "PUT https://api.example.org/iusmodt/enim.txt?aquio=ersp#iame orroquis" 10.150.198.112 ntmoll mexer "estla" uipexe abor 1370 "https://www.example.net/remips/illoi.jpg?abori=uisnostr#reetdol" "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10" block -10.45.114.111 357 [29/Dec/2017:3:15:58 olup] "POST https://example.org/abillo/undeom.html?oraincid=quaer#eetdo tlab" 10.45.54.107 seddoeiu nse "aali" edictasu mdolors 7490 "https://www5.example.org/atis/atDuis.txt?nisiut=rumwri#velill" "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]" accept 
-10.49.242.174 4078 [12/Jan/2018:10:18:32 tat] "TRACE https://mail.example.net/uam/orumSec.jpg?isnisiu=suntincu#sse venia" 10.205.28.24 oeni untutlab "tvolup" consecte pteurs 742 "https://www5.example.net/ons/tiaecon.html?unt=tass#tiumdol" "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90" allow -10.17.202.219 487 [27/Jan/2018:5:21:06 iame] "HEAD https://www5.example.org/umiurer/rere.txt?mnisi=usmo#iamea imaveni" 10.183.223.149 cor odoco "oin" itseddoe elites 6366 "https://mail.example.com/eursinto/litesse.html?licaboNe=tautfug#giatquov" "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" deny -10.81.140.173 7623 [10/Feb/2018:12:23:41 itae] "MOVE https://internal.example.net/atnula/ditautf.jpg?iquidex=olup#remipsu tan" 10.88.172.222 doconse etdol "dolorsi" nturmag tura 6695 "https://internal.example.org/totam/ntoccae.htm?idunt=atqu#naturau" "mobmail android 2.1.3.3150" cancel -10.162.129.196 4247 [24/Feb/2018:7:26:15 snisi] "OPTIONS https://api.example.net/uscip/umS.txt?quiacons=uisa#xeacommo Cicero" 10.247.53.179 issu identsu "piscivel" hend eacommo 6835 "https://example.com/osquira/umd.gif?scipi=tur#acon" "mobmail android 2.1.3.3150" accept -10.110.86.230 536 [11/Mar/2018:2:28:49 eFini] "UNLOCK https://mail.example.com/mrema/ullamc.txt?eufug=roquisq#temporai uido" 10.172.148.223 snulap enimadm "stenatu" upta atc 3066 "https://www5.example.net/asnulap/ipi.htm?orissu=fic#sBon" "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80" accept -10.93.159.170 3481 [25/Mar/2018:9:31:24 emullam] "GET https://www5.example.com/isau/itinvol.txt?saquaea=ons#orsitam modico" 10.232.19.43 porinc riame "riat" sseq eriam 729 
"https://internal.example.net/imve/essequam.gif?urQuis=etcon#onsequu" "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36" deny -10.207.97.192 973 [08/Apr/2018:4:33:58 emp] "ICP_QUERY https://api.example.net/veli/venia.htm?etdolor=uat#onemulla riaturEx" 10.55.55.72 nculp asp "eacom" mag gelitse 2007 "https://example.net/lab/llumq.htm?tetura=rumet#uptasnul" "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" cancel -10.41.156.88 203 [22/Apr/2018:11:36:32 oco] "MOVE https://internal.example.net/ainci/osqu.jpg?sus=imavenia#expli ugiat" 10.89.73.240 orem ntorever "pisciv" fugiatqu seos 5561 "https://www5.example.net/elillum/veleumi.gif?tvol=oluptate#lit" "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61" deny -10.54.44.231 5292 [07/May/2018:6:39:06 aco] "CONNECT https://www.example.org/runtm/eturadip.htm?psumd=oloree#seos rios" 10.101.183.86 mvenia mcorpo "ntexpl" abor oreverit 6451 "https://internal.example.net/tat/eufugia.htm?tau=fficia#est" "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" allow -10.181.177.74 3378 [21/May/2018:1:41:41 itsedd] "LOCK https://internal.example.org/liquipex/uisnos.html?ventor=lupt#umwri odoc" 10.130.150.189 oreeu nvo "iamqui" tassita colabori 1223 "https://www.example.net/lpa/isn.htm?iat=ffic#siuta" "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" accept -10.76.220.3 2492 [04/Jun/2018:8:44:15 serrorsi] "GET https://api.example.org/mquisnos/lore.txt?siar=isn#veniamq lup" 10.83.130.95 ipitlabo userror "eacommo" nderi liqua 7030 
"https://api.example.net/henderit/remq.jpg?voluptas=velill#rspic" "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36" deny -10.219.245.58 7073 [19/Jun/2018:3:46:49 snisiut] "COPY https://www.example.com/quas/occaeca.htm?ender=dico#uptatem upt" 10.166.160.217 olor radip "rchitect" Dui iameaqu 2429 "https://api.example.com/asnulap/yCiceroi.jpg?ender=inc#tect" "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16" deny -10.121.121.153 723 [03/Jul/2018:10:49:23 smoditem] "UNLOCK https://www5.example.org/uidolo/umdolore.jpg?oquisq=abori#sit catcu" 10.183.243.246 amni tatio "amquisno" modoc magnam 3267 "https://example.com/idatat/onev.html?lesti=oreseo#reprehen" "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91" cancel -10.54.5.47 1585 [17/Jul/2018:5:51:58 mmodi] "OPTIONS https://internal.example.net/eniamqu/inimav.htm?imadm=uta#tisu remagnam" 10.202.224.209 iusmodit aturv "ectetura" obeataev umf 3141 "https://www.example.com/quaeabil/emip.htm?urExc=tDuis#iqu" "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36" cancel -10.72.99.69 3172 [01/Aug/2018:12:54:32 oremeumf] "PROPFIND https://mail.example.net/sintocca/mipsumqu.htm?tnulapar=ico#giatquo lors" 10.170.234.233 accus uatu "mquis" lab uido 2046 "https://mail.example.com/tena/aal.jpg?CSedu=mcol#lup" "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" allow -10.245.240.47 4017 [15/Aug/2018:7:57:06 itaedict] "DELETE https://api.example.org/rep/remap.html?siarc=fdeFin#eleumi edic" 10.142.130.227 olabori odic "iuta" liquaUte scivelit 7795 
"https://internal.example.net/scipit/lloinve.htm?evolup=rvelil#isiutali" "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91" allow -10.62.188.193 4104 [29/Aug/2018:2:59:40 atu] "DELETE https://api.example.net/eturad/tDuis.htm?enimadmi=tateveli#osa mini" 10.61.110.7 oremque quaU "ufugi" cin tmo 508 "https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex" "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" deny -10.172.139.78 6533 [12/Sep/2018:10:02:15 lamco] "COPY https://www.example.net/hender/ptatemU.htm?mquisnos=tnulapa#madmi tlabore" 10.68.198.188 doeiu onsectet "dentsunt" inea animid 2119 "https://mail.example.net/onnumqua/quioff.html?upt=atatnonp#nvol" "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61" block -10.172.47.7 2805 [27/Sep/2018:5:04:49 midest] "CONNECT https://www.example.org/iduntutl/rsitam.htm?ntor=oinBCSed#oid rchit" 10.169.63.169 ariat midestl "quatu" avolu teturad 3465 "https://api.example.net/iquaUten/prehende.gif?rpo=velites#nonpro" "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16" block -10.32.98.109 5012 [11/Oct/2018:12:07:23 dexercit] "PURGE https://example.org/itessequ/porissu.html?uip=ectobea#dat aUtenima" 10.62.10.137 eeufugi deomnisi "olupta" oll laboree 3880 "https://api.example.org/cupidata/stiaecon.htm?rsint=itl#ttenb" "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" cancel -10.176.62.146 5945 [25/Oct/2018:7:09:57 lors] "COPY https://api.example.net/enimad/tis.txt?mipsumq=ident#nimide quelaud" 10.255.40.12 rro oeiusmo "nimv" emeu tatemac 5192 
"https://www5.example.com/teursint/etMa.gif?lamcolab=ceroinB#umqui" "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90" deny -10.194.198.46 3387 [09/Nov/2018:2:12:32 cta] "GET https://api.example.org/taspe/yCiceroi.htm?cti=ommodoc#nse mveniam" tuser 2694 "https://internal.example.com/tlaboru/aeabillo.txt?equuntu=quamni#turveli" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]" deny 10.88.98.31 rured 105.243000 -10.5.49.20 7503 [23/Nov/2018:9:15:06 macc] "OPTIONS https://example.com/beat/rro.jpg?uisau=qua#iarchite emsequi" 10.1.27.133 edqu tationu "gnaaliq" olore ntutlab 6881 "https://www5.example.com/gnama/esciun.html?ratvo=ntutl#volupt" "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30" block -10.11.73.145 6972 [07/Dec/2018:4:17:40 uisautem] "POST https://www5.example.org/loremq/turmagni.txt?emUtenim=ende#dexea aco" 10.70.244.155 olorsi caboNemo "uptas" temaccus ons 2160 "https://internal.example.com/ctetur/mvolupta.html?oreeu=mea#ssec" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]" accept -10.204.214.98 985 [21/Dec/2018:11:20:14 equ] "PURGE https://www5.example.net/deomnisi/ddoe.txt?oremi=ectobeat#ecte abo" 10.121.80.158 boriosa cillumdo "ditau" moenimip uames 7663 "https://internal.example.com/lor/oreeu.html?eturadip=nost#atus" "Mozilla/5.0 (Linux; Android 
7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" accept -10.74.115.33 4006 [05/Jan/2019:6:22:49 nsequat] "PURGE https://api.example.net/tiset/sci.jpg?rauto=doloreeu#lors eumfu" 10.139.151.19 eumf roquisq "uasi" maveniam uis 5533 "https://www.example.com/imi/animi.htm?ama=tatnonp#ntiumt" "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10" block -10.191.220.1 6454 [19/Jan/2019:1:25:23 ctetura] "DELETE https://api.example.net/tDuisau/aturve.htm?tper=pisciv#tconsect pariat" 10.242.48.203 ctobeat isi "idexeac" ntu tdolo 3872 "https://mail.example.com/olupt/ola.jpg?etquasia=qua#adm" "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36" deny -10.109.88.27 5568 [02/Feb/2019:8:27:57 cidu] "PROPATCH https://internal.example.com/oluptate/todi.jpg?tdolo=ident#scip eacommod" 10.254.10.98 adipisc aparia "maliq" ccusant epteurs 6661 "https://www5.example.org/oditau/onsec.gif?temqui=lup#aeca" "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36" accept -10.5.148.114 4749 [17/Feb/2019:3:30:32 ntin] "LOCK https://mail.example.com/radipis/lore.html?civeli=eufugia#utlabore tamr" 10.175.138.42 olore onemul "trudexe" remeum etur 890 "https://mail.example.org/quiav/ctionofd.gif?Finibus=uisautei#nevolu" "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" deny -10.0.0.240 1795 [03/Mar/2019:10:33:06 psa] "PROPFIND https://internal.example.org/olupta/tio.jpg?idestl=litani#emp arch" 10.18.199.203 ugits ittenb "tobeatae" ntut llum 366 "https://example.com/equat/estiaec.htm?mquido=ende#ntmollit" "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like 
Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" allow -10.1.220.47 6685 [17/Mar/2019:5:35:40 mipsamv] "NONE https://www5.example.com/sequines/cto.gif?temaccu=uamqua#Neq runt" 10.73.80.251 pteurs ercitati "atem" serro lumquid 5939 "https://www5.example.org/imaveni/equ.htm?ssequamn=ave#taliqui" "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]" allow -10.153.109.61 7499 [01/Apr/2019:12:38:14 numq] "PURGE https://www.example.net/periam/ain.gif?iquipex=mqu#onorume abill" 10.22.34.206 mini mve "tionev" uasiarch velites 1745 "https://api.example.org/equa/edquiaco.gif?olorsit=naaliq#plica" "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91" block -10.62.168.226 5334 [15/Apr/2019:7:40:49 bori] "CONNECT https://www.example.net/ecatc/quovolu.jpg?dexe=nemul#Duis lupt" 10.199.103.185 uipe ipsa "con" eirured sequamn 5243 "https://mail.example.com/ciatisun/duntutl.htm?didun=riaturEx#nde" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]" allow -10.97.33.56 3541 [29/Apr/2019:2:43:23 rad] "COPY https://example.com/tqui/ssequ.gif?emse=emqui#cipitla tlab" 10.128.84.27 nula ptate "volupta" umfu utla 2478 "https://www5.example.com/dolo/velites.gif?equa=apari#tsunt" "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36" block -10.49.169.175 2103 [13/May/2019:9:45:57 sistena] "HEAD https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost sequines" 10.115.154.104 illum ore "spici" Sedut tatis 7767 
"https://www5.example.com/sequines/minimve.gif?toditau=uiad#nvolupta" "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36" allow -10.213.100.153 2571 [28/May/2019:4:48:31 iatquo] "PROPFIND https://www.example.org/oinvento/ali.htm?utaliqui=isciv#osqu ptatemse" 10.33.112.100 catcup enimad "magnaali" velillum ionev 1594 "https://internal.example.com/ameaq/Quis.html?lestiae=iav#umiure" "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30" block -10.216.143.226 2632 [11/Jun/2019:11:51:06 deomn] "CONNECT https://api.example.net/quido/llo.htm?tpersp=assi#rch psa" 10.25.53.93 tvolup oremeu "lab" lla urau 6127 "https://example.net/equamni/atcupi.htm?onemull=mdo#labore" "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30" cancel -10.139.195.188 893 [25/Jun/2019:6:53:40 aliquaU] "HEAD https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti edictasu" 10.246.115.57 edquiano mSecti "henderi" taevitae tevel 5926 "https://example.com/ita/iquipexe.jpg?quamqua=quuntur#nihi" "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" allow -10.60.56.205 4345 [10/Jul/2019:1:56:14 writtenb] "NONE https://www5.example.com/ugitsed/dminimve.htm?onse=uiac#tquii tesse" 10.82.148.126 inBCSedu ita "ade" nihilmol nder 2214 "https://api.example.net/uunturm/iatn.gif?tseddo=diduntut#rroq" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]" block -10.245.251.98 261 [24/Jul/2019:8:58:48 mremaper] "DELETE 
https://api.example.com/ntium/ide.htm?tamrema=isautem#usan gnamali" 10.6.11.124 edqui tvolu "psu" strud onsequ 5930 "https://www5.example.net/iumto/sequatu.jpg?runtm=mdoloree#que" "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36" accept -10.99.55.115 1537 [07/Aug/2019:4:01:23 exerci] "CONNECT https://www5.example.org/iad/ngelits.jpg?mporin=orissusc#utaliqui uov" 10.145.25.55 litsed lumd "tiaec" lorem iamquisn 2079 "https://mail.example.org/aper/entor.txt?lumdol=edutper#utemve" "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" block -10.187.86.64 3325 [21/Aug/2019:11:03:57 atatn] "TRACE https://mail.example.com/iatnulap/roi.htm?uine=loreeu#eprehe ddoeiusm" 10.6.88.105 uptatemU rem "onorumet" iscivel rinci 249 "https://internal.example.com/eriti/uptateve.htm?rema=mcol#tion" "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36" allow -10.252.146.132 503 [05/Sep/2019:6:06:31 tat] "CONNECT https://mail.example.org/turv/use.jpg?mtot=macc#illoin eursi" 10.163.9.35 uatDu umq "ipsu" oremip ota 4562 "https://example.com/epteurs/itse.jpg?modi=cip#tla" "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36" accept -10.249.101.177 4465 [19/Sep/2019:1:09:05 quam] "DELETE https://mail.example.com/umdol/rerepr.txt?emipsumq=orinr#ineavol umdo" 10.235.160.245 squamest upta "umquiad" porinc uameiu 4857 "https://api.example.org/mipsa/uas.gif?reeufu=umexe#xce" "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36" deny -10.140.170.171 773 [03/Oct/2019:8:11:40 deom] "TRACE 
https://internal.example.com/rautod/onorumet.htm?mvo=agnidol#nevolup erspici" 10.73.218.58 quidol tinv "Utenima" nse umq 1831 "https://mail.example.org/meaquei/snisiu.htm?atev=vento#litsed" "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" block -10.248.156.138 2125 [18/Oct/2019:3:14:14 smodit] "OPTIONS https://example.net/dun/xce.jpg?nsequat=mvol#asiar eiu" 10.67.148.40 tcons squamest "ction" emveleum siuta 2155 "https://example.com/epteur/onproi.txt?imveniam=sunte#exerc" "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16" deny -10.83.154.75 4260 [01/Nov/2019:10:16:48 explicab] "UNLOCK https://api.example.com/teiru/mquamei.jpg?pta=uradi#sequu orumetMa" 10.37.33.179 taed eatae "siutali" oloremq sum 6106 "https://www.example.org/ulamc/doe.txt?remquela=toreve#squirat" "Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30" accept -10.14.29.202 7842 [15/Nov/2019:5:19:22 modoco] "MKOL https://www5.example.net/dtempor/rroquisq.gif?liquid=uidex#umdolo nimv" 10.84.107.38 tutla usmod "ine" qui itse 2097 "https://www5.example.org/tasn/exeaco.html?metc=aincidu#reprehe" "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10" deny -10.221.86.133 6682 [30/Nov/2019:12:21:57 edi] "POST https://api.example.com/ore/adeser.htm?pre=aute#rchite rcit" 10.204.223.184 oinve ptasnul "utaliqui" mcorpor rerepr 6861 "https://example.com/tuserror/agnama.jpg?deritq=boreetdo#teni" "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]" deny -10.195.4.70 3844 
[14/Dec/2019:7:24:31 mfugiat] "PUT https://api.example.com/liqu/dolor.htm?ess=umdo#aer quela" 10.229.39.190 Nequepo edictas "emac" rmagnido exeaco 2574 "https://api.example.org/loremi/nven.htm?usan=ugiatn#squa" "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91" deny
diff --git a/x-pack/filebeat/module/squid/log/test/generated.log-expected.json b/x-pack/filebeat/module/squid/log/test/generated.log-expected.json
deleted file mode 100644
index df54bd891fd..00000000000
--- a/x-pack/filebeat/module/squid/log/test/generated.log-expected.json
+++ /dev/null
@@ -1,7403 +0,0 @@ -[ - { - "@timestamp": "2016-01-29T08:09:59.000Z", - "destination.ip": "10.234.224.44", - "event.action": "deny", - "event.code": "PROPFIND", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.251.224.219 7337 [29/Jan/2016:6:09:59 nto] \"PROPFIND https://example.org/exercita/der.htm?odoco=ria#min ite\" 10.234.224.44 etdo tation \"quasiarc\" liqua ciade 5699 \"https://example.net/umq/ntium.gif?nes=eab#aliqu\" \"Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]\" deny", - "file.name": "quasiarc", - "fileset.name": "log", - "http.request.referrer": "https://example.net/umq/ntium.gif?nes=eab#aliqu", - "input.type": "log", - "log.offset": 0, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "example.net", - "example.org" - ], - "related.ip": [ - "10.234.224.44", - "10.251.224.219" - ], - "related.user": [ - "tation" - ], - "rsa.internal.messageid": "PROPFIND", - "rsa.misc.action": [ - "PROPFIND", - "deny" - ], - "rsa.misc.content_type": "ciade", - "rsa.misc.result_code": "liqua", - "rsa.network.domain": "example.org", - "rsa.network.network_service": "ite", - "rsa.time.event_time": "2016-01-29T08:09:59.000Z", - "rsa.web.alias_host": "example.org", - "rsa.web.web_ref_domain": "example.net", - "rsa.web.web_ref_query": "nes=eab", - "server.domain": "example.org", - "server.registered_domain": "example.org", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 5699, - "source.ip": "10.251.224.219", - "source.port": 7337, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "example.org", - "url.extension": "htm", - "url.fragment": "min", - "url.original": "https://example.org/exercita/der.htm?odoco=ria#min", - "url.path": [ - "/exercita/der.htm", - "https://example.net" - ], 
- "url.query": "odoco=ria", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.top_level_domain": "org", - "user.name": "tation", - "user_agent.device.name": "Samsung SM-A715F", - "user_agent.name": "Facebook", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "266.0.0" - }, - { - "@timestamp": "2016-02-12T03:12:33.000Z", - "destination.ip": "10.70.36.222", - "event.action": "deny", - "event.code": "PURGE", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.102.123.34 7178 [12/Feb/2016:1:12:33 nostrud] \"PURGE https://www.example.org/enderitq/sperna.txt?billoi=oreetdol#nidolor tatemU\" 10.70.36.222 estlabo doeiu \"nia\" olupt volup 208 \"https://example.com/eosquir/orsi.txt?itessequ=vol#luptat\" \"Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10\" deny", - "file.name": "nia", - "fileset.name": "log", - "http.request.referrer": "https://example.com/eosquir/orsi.txt?itessequ=vol#luptat", - "input.type": "log", - "log.offset": 426, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "example.com", - "www.example.org" - ], - "related.ip": [ - "10.102.123.34", - "10.70.36.222" - ], - "related.user": [ - "doeiu" - ], - "rsa.internal.messageid": "PURGE", - "rsa.misc.action": [ - "PURGE", - "deny" - ], - "rsa.misc.content_type": "volup", - "rsa.misc.result_code": "olupt", - "rsa.network.domain": "www.example.org", - "rsa.network.network_service": "tatemU", - "rsa.time.event_time": 
"2016-02-12T03:12:33.000Z", - "rsa.web.alias_host": "www.example.org", - "rsa.web.web_ref_domain": "example.com", - "rsa.web.web_ref_query": "itessequ=vol", - "server.domain": "www.example.org", - "server.registered_domain": "example.org", - "server.subdomain": "www", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 208, - "source.ip": "10.102.123.34", - "source.port": 7178, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www.example.org", - "url.extension": "txt", - "url.fragment": "nidolor", - "url.original": "https://www.example.org/enderitq/sperna.txt?billoi=oreetdol#nidolor", - "url.path": [ - "/enderitq/sperna.txt", - "https://example.com" - ], - "url.query": "billoi=oreetdol", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.subdomain": "www", - "url.top_level_domain": "org", - "user.name": "doeiu", - "user_agent.device.name": "Samsung SM-A305FN", - "user_agent.name": "YandexSearch", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "8.10" - }, - { - "@timestamp": "2016-02-26T10:15:08.000Z", - "destination.ip": "10.142.172.64", - "event.action": "accept", - "event.code": "OPTIONS", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.15.135.248 7269 [26/Feb/2016:8:15:08 mquia] \"OPTIONS https://internal.example.com/aqu/utper.jpg?eFinib=omm#iin proident\" 10.142.172.64 lupt tia \"oloremqu\" temvel iatu 5493 \"https://example.net/dolo/meumfug.gif?roinBCS=ufugiatn#tionulam\" \"Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36\" 
accept", - "file.name": "oloremqu", - "fileset.name": "log", - "http.request.referrer": "https://example.net/dolo/meumfug.gif?roinBCS=ufugiatn#tionulam", - "input.type": "log", - "log.offset": 877, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "example.net", - "internal.example.com" - ], - "related.ip": [ - "10.142.172.64", - "10.15.135.248" - ], - "related.user": [ - "tia" - ], - "rsa.internal.messageid": "OPTIONS", - "rsa.misc.action": [ - "OPTIONS", - "accept" - ], - "rsa.misc.content_type": "iatu", - "rsa.misc.result_code": "temvel", - "rsa.network.domain": "internal.example.com", - "rsa.network.network_service": "proident", - "rsa.time.event_time": "2016-02-26T10:15:08.000Z", - "rsa.web.alias_host": "internal.example.com", - "rsa.web.web_ref_domain": "example.net", - "rsa.web.web_ref_query": "roinBCS=ufugiatn", - "server.domain": "internal.example.com", - "server.registered_domain": "example.com", - "server.subdomain": "internal", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 5493, - "source.ip": "10.15.135.248", - "source.port": 7269, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "internal.example.com", - "url.extension": "jpg", - "url.fragment": "iin", - "url.original": "https://internal.example.com/aqu/utper.jpg?eFinib=omm#iin", - "url.path": [ - "/aqu/utper.jpg", - "https://example.net" - ], - "url.query": "eFinib=omm", - "url.registered_domain": "example.com", - "url.scheme": "https", - "url.subdomain": "internal", - "url.top_level_domain": "com", - "user.name": "tia", - "user_agent.device.name": "Samsung SM-A260G", - "user_agent.name": "Chrome Mobile WebView", - "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", - "user_agent.os.full": "Android 8.1.0", - "user_agent.os.name": "Android", - 
"user_agent.os.version": "8.1.0", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2016-03-12T05:17:42.000Z", - "destination.ip": "10.81.122.126", - "event.action": "allow", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.44.134.153 5162 [12/Mar/2016:3:17:42 nci] \"GET https://api.example.org/ceroinBC/ratvolup.gif?iatu=ionofde#con uia\" quiavo 1156 \"https://mail.example.com/consec/taliquip.html?radip=tNequ#gelit\" \"Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61\" allow 10.81.122.126 taev 160.145000", - "fileset.name": "log", - "http.request.referrer": "https://mail.example.com/consec/taliquip.html?radip=tNequ#gelit", - "input.type": "log", - "log.offset": 1300, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.org", - "mail.example.com" - ], - "related.ip": [ - "10.44.134.153", - "10.81.122.126" - ], - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "allow" - ], - "rsa.misc.content_type": "taev", - "rsa.misc.result_code": "quiavo", - "rsa.network.domain": "api.example.org", - "rsa.network.network_service": "uia", - "rsa.time.duration_time": 160.145, - "rsa.time.event_time": "2016-03-12T05:17:42.000Z", - "rsa.web.alias_host": "api.example.org", - "rsa.web.web_ref_domain": "mail.example.com", - "rsa.web.web_ref_query": "radip=tNequ", - "server.domain": "api.example.org", - "server.registered_domain": "example.org", - "server.subdomain": "api", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 1156, - "source.ip": "10.44.134.153", - "source.port": 5162, - "tags": [ - "forwarded", - "squid.log" - ], 
- "url.domain": "api.example.org", - "url.extension": "gif", - "url.fragment": "con", - "url.original": "https://api.example.org/ceroinBC/ratvolup.gif?iatu=ionofde#con", - "url.path": [ - "/ceroinBC/ratvolup.gif", - "https://mail.example.com" - ], - "url.query": "iatu=ionofde", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.subdomain": "api", - "url.top_level_domain": "org", - "user_agent.device.name": "5024D_RU", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "77.0.3865.92" - }, - { - "@timestamp": "2016-03-26T12:20:16.000Z", - "destination.ip": "10.171.175.51", - "event.action": "cancel", - "event.code": "PUT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.160.95.56 1980 [26/Mar/2016:10:20:16 aqui] \"PUT https://api.example.org/isetq/estqui.gif?magn=equuntu#eos enimad\" 10.171.175.51 boreet onev \"tenima\" laboreet aquaeabi 5738 \"https://api.example.net/veleumi/tia.gif?ude=maveniam#uian\" \"Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" cancel", - "file.name": "tenima", - "fileset.name": "log", - "http.request.referrer": "https://api.example.net/veleumi/tia.gif?ude=maveniam#uian", - "input.type": "log", - "log.offset": 1719, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.net", - "api.example.org" - ], - "related.ip": [ - "10.160.95.56", - "10.171.175.51" - ], - "related.user": [ - "onev" - ], - "rsa.internal.messageid": "PUT", - "rsa.misc.action": [ - "PUT", - "cancel" - ], - "rsa.misc.content_type": "aquaeabi", - 
"rsa.misc.result_code": "laboreet", - "rsa.network.domain": "api.example.org", - "rsa.network.network_service": "enimad", - "rsa.time.event_time": "2016-03-26T12:20:16.000Z", - "rsa.web.alias_host": "api.example.org", - "rsa.web.web_ref_domain": "api.example.net", - "rsa.web.web_ref_query": "ude=maveniam", - "server.domain": "api.example.org", - "server.registered_domain": "example.org", - "server.subdomain": "api", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 5738, - "source.ip": "10.160.95.56", - "source.port": 1980, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "api.example.org", - "url.extension": "gif", - "url.fragment": "eos", - "url.original": "https://api.example.org/isetq/estqui.gif?magn=equuntu#eos", - "url.path": [ - "/isetq/estqui.gif", - "https://api.example.net" - ], - "url.query": "magn=equuntu", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.subdomain": "api", - "url.top_level_domain": "org", - "user.name": "onev", - "user_agent.device.name": "POCOPHONE F1", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2016-04-09T07:22:51.000Z", - "destination.ip": "10.12.195.60", - "event.action": "accept", - "event.code": "HEAD", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.175.107.139 4243 [09/Apr/2016:5:22:51 antium] \"HEAD https://www.example.org/inesci/rsitvolu.txt?pori=occ#ect reetdolo\" 10.12.195.60 uiano mrema \"autfu\" natura aboris 2946 \"https://api.example.com/ssitaspe/gitsedqu.jpg?iutal=dexe#urerep\" \"Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91\" accept", - "file.name": "autfu", - "fileset.name": "log", - "http.request.referrer": "https://api.example.com/ssitaspe/gitsedqu.jpg?iutal=dexe#urerep", - "input.type": "log", - "log.offset": 2088, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.com", - "www.example.org" - ], - "related.ip": [ - "10.12.195.60", - "10.175.107.139" - ], - "related.user": [ - "mrema" - ], - "rsa.internal.messageid": "HEAD", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "HEAD", - "accept" - ], - "rsa.misc.content_type": "aboris", - "rsa.misc.result_code": "natura", - "rsa.network.domain": "www.example.org", - "rsa.network.network_service": "reetdolo", - "rsa.time.event_time": "2016-04-09T07:22:51.000Z", - "rsa.web.alias_host": "www.example.org", - "rsa.web.web_ref_domain": "api.example.com", - "rsa.web.web_ref_query": "iutal=dexe", - "server.domain": "www.example.org", - "server.registered_domain": "example.org", - "server.subdomain": "www", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 2946, - "source.ip": "10.175.107.139", - "source.port": 4243, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www.example.org", - "url.extension": "txt", - "url.fragment": "ect", - "url.original": "https://www.example.org/inesci/rsitvolu.txt?pori=occ#ect", - "url.path": [ - "/inesci/rsitvolu.txt", - "https://api.example.com" - ], - "url.query": "pori=occ", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.subdomain": "www", - "url.top_level_domain": "org", - "user.name": "mrema", - "user_agent.device.name": "ZTE Blade V1000RU", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU 
Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2016-04-24T14:25:25.000Z", - "destination.ip": "10.207.249.121", - "event.action": "allow", - "event.code": "DELETE", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.198.136.50 6875 [24/Apr/2016:12:25:25 llam] \"DELETE https://www5.example.com/ari/eataevit.txt?iam=mqua#atat quunt\" 10.207.249.121 iciade tsed \"orai\" mUt usmodte 1296 \"https://www.example.org/ametcons/porainc.jpg?temsequ=emquiavo#nonnu\" \"Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30\" allow", - "file.name": "orai", - "fileset.name": "log", - "http.request.referrer": "https://www.example.org/ametcons/porainc.jpg?temsequ=emquiavo#nonnu", - "input.type": "log", - "log.offset": 2532, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "www.example.org", - "www5.example.com" - ], - "related.ip": [ - "10.198.136.50", - "10.207.249.121" - ], - "related.user": [ - "tsed" - ], - "rsa.internal.messageid": "DELETE", - "rsa.misc.action": [ - "DELETE", - "allow" - ], - "rsa.misc.content_type": "usmodte", - "rsa.misc.result_code": "mUt", - "rsa.network.domain": "www5.example.com", - "rsa.network.network_service": "quunt", - "rsa.time.event_time": "2016-04-24T14:25:25.000Z", - "rsa.web.alias_host": "www5.example.com", - "rsa.web.web_ref_domain": "www.example.org", - "rsa.web.web_ref_query": "temsequ=emquiavo", - "server.domain": "www5.example.com", - "server.registered_domain": "example.com", - "server.subdomain": "www5", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 1296, - 
"source.ip": "10.198.136.50", - "source.port": 6875, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www5.example.com", - "url.extension": "txt", - "url.fragment": "atat", - "url.original": "https://www5.example.com/ari/eataevit.txt?iam=mqua#atat", - "url.path": [ - "/ari/eataevit.txt", - "https://www.example.org" - ], - "url.query": "iam=mqua", - "url.registered_domain": "example.com", - "url.scheme": "https", - "url.subdomain": "www5", - "url.top_level_domain": "com", - "user.name": "tsed", - "user_agent.device.name": "Samsung GT-P3100 ", - "user_agent.name": "Android", - "user_agent.original": "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30", - "user_agent.os.full": "Android 4.0.3", - "user_agent.os.name": "Android", - "user_agent.os.version": "4.0.3", - "user_agent.version": "4.0.3" - }, - { - "@timestamp": "2016-05-08T09:27:59.000Z", - "destination.ip": "10.116.120.216", - "event.action": "accept", - "event.code": "PROPFIND", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.34.9.93 124 [08/May/2016:7:27:59 onse] \"PROPFIND https://example.org/tatno/imav.htm?ofdeF=tion#orsitame quiratio\" 10.116.120.216 qua umdo \"sed\" apariat mol 1510 \"https://internal.example.net/turveli/toccae.htm?erc=taliqu#temUten\" \"Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36\" accept", - "file.name": "sed", - "fileset.name": "log", - "http.request.referrer": "https://internal.example.net/turveli/toccae.htm?erc=taliqu#temUten", - "input.type": "log", - "log.offset": 2912, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "example.org", - "internal.example.net" - ], - "related.ip": [ - "10.116.120.216", - "10.34.9.93" - ], - "related.user": [ - "umdo" - ], - "rsa.internal.messageid": "PROPFIND", - "rsa.misc.action": [ - 
"PROPFIND", - "accept" - ], - "rsa.misc.content_type": "mol", - "rsa.misc.result_code": "apariat", - "rsa.network.domain": "example.org", - "rsa.network.network_service": "quiratio", - "rsa.time.event_time": "2016-05-08T09:27:59.000Z", - "rsa.web.alias_host": "example.org", - "rsa.web.web_ref_domain": "internal.example.net", - "rsa.web.web_ref_query": "erc=taliqu", - "server.domain": "example.org", - "server.registered_domain": "example.org", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 1510, - "source.ip": "10.34.9.93", - "source.port": 124, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "example.org", - "url.extension": "htm", - "url.fragment": "orsitame", - "url.original": "https://example.org/tatno/imav.htm?ofdeF=tion#orsitame", - "url.path": [ - "/tatno/imav.htm", - "https://internal.example.net" - ], - "url.query": "ofdeF=tion", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.top_level_domain": "org", - "user.name": "umdo", - "user_agent.device.name": "Notepad_K10", - "user_agent.name": "Chrome", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2016-05-22T04:30:33.000Z", - "destination.ip": "10.30.216.41", - "event.action": "accept", - "event.code": "HEAD", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.90.131.186 6343 [22/May/2016:2:30:33 nimadmin] \"HEAD https://example.org/uaera/sitas.txt?aedic=atquovo#iumto aboreetd\" 10.30.216.41 enim saute \"vel\" quu undeo 5794 \"https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq\" \"Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 
YaApp_Android/10.91 YaSearchBrowser/10.91\" accept", - "file.name": "vel", - "fileset.name": "log", - "http.request.referrer": "https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq", - "input.type": "log", - "log.offset": 3271, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "example.org", - "mail.example.net" - ], - "related.ip": [ - "10.30.216.41", - "10.90.131.186" - ], - "related.user": [ - "saute" - ], - "rsa.internal.messageid": "HEAD", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "HEAD", - "accept" - ], - "rsa.misc.content_type": "undeo", - "rsa.misc.result_code": "quu", - "rsa.network.domain": "example.org", - "rsa.network.network_service": "aboreetd", - "rsa.time.event_time": "2016-05-22T04:30:33.000Z", - "rsa.web.alias_host": "example.org", - "rsa.web.web_ref_domain": "mail.example.net", - "rsa.web.web_ref_query": "idolore=onse", - "server.domain": "example.org", - "server.registered_domain": "example.org", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 5794, - "source.ip": "10.90.131.186", - "source.port": 6343, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "example.org", - "url.extension": "txt", - "url.fragment": "iumto", - "url.original": "https://example.org/uaera/sitas.txt?aedic=atquovo#iumto", - "url.path": [ - "/uaera/sitas.txt", - "https://mail.example.net" - ], - "url.query": "aedic=atquovo", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.top_level_domain": "org", - "user.name": "saute", - "user_agent.device.name": "STK-L21", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", - 
"user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2016-06-05T11:33:08.000Z", - "destination.ip": "10.203.172.203", - "event.action": "accept", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.8.88.110 7618 [05/Jun/2016:9:33:08 ionul] \"CONNECT https://mail.example.org/edquiano/loru.htm?end=enia#nsequu cup\" 10.203.172.203 idestla Nemoeni \"uradi\" aborumSe luptat 6884 \"https://www5.example.org/strude/ctetura.htm?ittenbyC=aperi#lor\" \"Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" accept", - "file.name": "uradi", - "fileset.name": "log", - "http.request.referrer": "https://www5.example.org/strude/ctetura.htm?ittenbyC=aperi#lor", - "input.type": "log", - "log.offset": 3691, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "mail.example.org", - "www5.example.org" - ], - "related.ip": [ - "10.203.172.203", - "10.8.88.110" - ], - "related.user": [ - "Nemoeni" - ], - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "accept" - ], - "rsa.misc.content_type": "luptat", - "rsa.misc.result_code": "aborumSe", - "rsa.network.domain": "mail.example.org", - "rsa.network.network_service": "cup", - "rsa.time.event_time": "2016-06-05T11:33:08.000Z", - "rsa.web.alias_host": "mail.example.org", - "rsa.web.web_ref_domain": "www5.example.org", - "rsa.web.web_ref_query": "ittenbyC=aperi", - "server.domain": "mail.example.org", - "server.registered_domain": "example.org", - "server.subdomain": "mail", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 6884, - "source.ip": "10.8.88.110", - "source.port": 7618, - "tags": [ - 
"forwarded", - "squid.log" - ], - "url.domain": "mail.example.org", - "url.extension": "htm", - "url.fragment": "nsequu", - "url.original": "https://mail.example.org/edquiano/loru.htm?end=enia#nsequu", - "url.path": [ - "/edquiano/loru.htm", - "https://www5.example.org" - ], - "url.query": "end=enia", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.subdomain": "mail", - "url.top_level_domain": "org", - "user.name": "Nemoeni", - "user_agent.device.name": "POCOPHONE F1", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2016-06-20T06:35:42.000Z", - "destination.ip": "10.158.185.163", - "event.action": "allow", - "event.code": "UNLOCK", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.71.34.9 267 [20/Jun/2016:4:35:42 dolore] \"UNLOCK https://www.example.org/iqui/etc.txt?tatiset=eprehen#xercitat lpa\" 10.158.185.163 rudexerc aliq \"rsitam\" quam adm 987 \"https://www.example.org/ritatis/oloremi.txt?icab=mwr#fugi\" \"Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g\" allow", - "file.name": "rsitam", - "fileset.name": "log", - "http.request.referrer": "https://www.example.org/ritatis/oloremi.txt?icab=mwr#fugi", - "input.type": "log", - "log.offset": 4068, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "www.example.org" - ], - "related.ip": [ - "10.158.185.163", - "10.71.34.9" - ], - "related.user": [ - "aliq" - ], - "rsa.internal.messageid": "UNLOCK", - "rsa.misc.action": [ - "UNLOCK", - "allow" - ], - 
"rsa.misc.content_type": "adm", - "rsa.misc.result_code": "quam", - "rsa.network.domain": "www.example.org", - "rsa.network.network_service": "lpa", - "rsa.time.event_time": "2016-06-20T06:35:42.000Z", - "rsa.web.alias_host": "www.example.org", - "rsa.web.web_ref_domain": "www.example.org", - "rsa.web.web_ref_query": "icab=mwr", - "server.domain": "www.example.org", - "server.registered_domain": "example.org", - "server.subdomain": "www", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 987, - "source.ip": "10.71.34.9", - "source.port": 267, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www.example.org", - "url.extension": "txt", - "url.fragment": "xercitat", - "url.original": "https://www.example.org/iqui/etc.txt?tatiset=eprehen#xercitat", - "url.path": [ - "/iqui/etc.txt", - "https://www.example.org" - ], - "url.query": "tatiset=eprehen", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.subdomain": "www", - "url.top_level_domain": "org", - "user.name": "aliq", - "user_agent.device.name": "XiaoMi Redmi 4X", - "user_agent.name": "MiuiBrowser", - "user_agent.original": "Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g", - "user_agent.os.full": "Android 7.1.2", - "user_agent.os.name": "Android", - "user_agent.os.version": "7.1.2", - "user_agent.version": "12.2.3" - }, - { - "@timestamp": "2016-07-04T13:38:16.000Z", - "destination.ip": "10.201.76.240", - "event.action": "accept", - "event.code": "OPTIONS", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.210.74.24 6423 [04/Jul/2016:11:38:16 untut] \"OPTIONS https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu stiae\" 10.201.76.240 amqu uines \"nsec\" onse emips 2655 \"https://example.net/tion/eataev.htm?uiineavo=tisetq#irati\" \"Mozilla/5.0 (compatible; 
Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10\" accept", - "file.name": "nsec", - "fileset.name": "log", - "http.request.referrer": "https://example.net/tion/eataev.htm?uiineavo=tisetq#irati", - "input.type": "log", - "log.offset": 4495, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "example.net", - "internal.example.net" - ], - "related.ip": [ - "10.201.76.240", - "10.210.74.24" - ], - "related.user": [ - "uines" - ], - "rsa.internal.messageid": "OPTIONS", - "rsa.misc.action": [ - "OPTIONS", - "accept" - ], - "rsa.misc.content_type": "emips", - "rsa.misc.result_code": "onse", - "rsa.network.domain": "internal.example.net", - "rsa.network.network_service": "stiae", - "rsa.time.event_time": "2016-07-04T13:38:16.000Z", - "rsa.web.alias_host": "internal.example.net", - "rsa.web.web_ref_domain": "example.net", - "rsa.web.web_ref_query": "uiineavo=tisetq", - "server.domain": "internal.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "internal", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 2655, - "source.ip": "10.210.74.24", - "source.port": 6423, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "internal.example.net", - "url.extension": "txt", - "url.fragment": "ugiatnu", - "url.original": "https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu", - "url.path": [ - "/ommod/sequatur.txt", - "https://example.net" - ], - "url.query": "tlabo=suntexp", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "internal", - "url.top_level_domain": "net", - "user.name": "uines", - "user_agent.device.name": "Spider", - "user_agent.name": "Other", - "user_agent.original": "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) 
yahoo.adquality.lwd.desktop/1591143192-10" - }, - { - "@timestamp": "2016-07-18T08:40:50.000Z", - "destination.ip": "10.206.136.206", - "event.action": "deny", - "event.code": "COPY", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.114.138.121 1939 [18/Jul/2016:6:40:50 tati] \"COPY https://api.example.org/oriosamn/deFinibu.gif?iciatisu=rehender#eporroqu uat\" 10.206.136.206 suntinc xeac \"nidolo\" tatn eli 6462 \"https://www.example.net/pida/nse.html?emeumfu=CSed#lupt\" \"Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" deny", - "file.name": "nidolo", - "fileset.name": "log", - "http.request.referrer": "https://www.example.net/pida/nse.html?emeumfu=CSed#lupt", - "input.type": "log", - "log.offset": 4894, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.org", - "www.example.net" - ], - "related.ip": [ - "10.114.138.121", - "10.206.136.206" - ], - "related.user": [ - "xeac" - ], - "rsa.internal.messageid": "COPY", - "rsa.misc.action": [ - "COPY", - "deny" - ], - "rsa.misc.content_type": "eli", - "rsa.misc.result_code": "tatn", - "rsa.network.domain": "api.example.org", - "rsa.network.network_service": "uat", - "rsa.time.event_time": "2016-07-18T08:40:50.000Z", - "rsa.web.alias_host": "api.example.org", - "rsa.web.web_ref_domain": "www.example.net", - "rsa.web.web_ref_query": "emeumfu=CSed", - "server.domain": "api.example.org", - "server.registered_domain": "example.org", - "server.subdomain": "api", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 6462, - "source.ip": "10.114.138.121", - "source.port": 1939, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "api.example.org", - "url.extension": "gif", - "url.fragment": "eporroqu", - "url.original": "https://api.example.org/oriosamn/deFinibu.gif?iciatisu=rehender#eporroqu", - "url.path": [ 
- "/oriosamn/deFinibu.gif", - "https://www.example.net" - ], - "url.query": "iciatisu=rehender", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.subdomain": "api", - "url.top_level_domain": "org", - "user.name": "xeac", - "user_agent.device.name": "VS996", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 8.0.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "8.0.0", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2016-08-02T03:43:25.000Z", - "destination.ip": "10.134.161.118", - "event.action": "block", - "event.code": "COPY", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.200.199.166 3727 [02/Aug/2016:1:43:25 amvolup] \"COPY https://mail.example.org/rehend/tio.html?numqu=qui#civeli lum\" 10.134.161.118 tat ipitla \"quae\" maccusa uptat 3458 \"https://www.example.com/xerci/aqu.htm?olorema=iades#siarchi\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36\" block", - "file.name": "quae", - "fileset.name": "log", - "http.request.referrer": "https://www.example.com/xerci/aqu.htm?olorema=iades#siarchi", - "input.type": "log", - "log.offset": 5263, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "mail.example.org", - "www.example.com" - ], - "related.ip": [ - "10.134.161.118", - "10.200.199.166" - ], - "related.user": [ - "ipitla" - ], - "rsa.internal.messageid": "COPY", - "rsa.misc.action": [ - "COPY", - "block" - ], - "rsa.misc.content_type": "uptat", - "rsa.misc.result_code": "maccusa", - "rsa.network.domain": "mail.example.org", - "rsa.network.network_service": "lum", - "rsa.time.event_time": "2016-08-02T03:43:25.000Z", - 
"rsa.web.alias_host": "mail.example.org", - "rsa.web.web_ref_domain": "www.example.com", - "rsa.web.web_ref_query": "olorema=iades", - "server.domain": "mail.example.org", - "server.registered_domain": "example.org", - "server.subdomain": "mail", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 3458, - "source.ip": "10.200.199.166", - "source.port": 3727, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "mail.example.org", - "url.extension": "html", - "url.fragment": "civeli", - "url.original": "https://mail.example.org/rehend/tio.html?numqu=qui#civeli", - "url.path": [ - "/rehend/tio.html", - "https://www.example.com" - ], - "url.query": "numqu=qui", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.subdomain": "mail", - "url.top_level_domain": "org", - "user.name": "ipitla", - "user_agent.device.name": "Mac", - "user_agent.name": "Yandex Browser", - "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", - "user_agent.os.full": "Mac OS X 10.15.6", - "user_agent.os.name": "Mac OS X", - "user_agent.os.version": "10.15.6", - "user_agent.version": "20.3.0" - }, - { - "@timestamp": "2016-08-16T10:45:59.000Z", - "destination.ip": "10.76.3.41", - "event.action": "allow", - "event.code": "NONE", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.122.46.71 2807 [16/Aug/2016:8:45:59 ihilm] \"NONE https://www.example.org/eav/ionevo.txt?siar=orev#iamquis quirat\" 10.76.3.41 isc aturve \"emulla\" mpori aaliquaU 2989 \"https://www5.example.com/ern/psaquae.html?nsectet=utla#utei\" \"Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" allow", - "file.name": "emulla", - "fileset.name": "log", - "http.request.referrer": "https://www5.example.com/ern/psaquae.html?nsectet=utla#utei", - 
"input.type": "log", - "log.offset": 5659, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "www.example.org", - "www5.example.com" - ], - "related.ip": [ - "10.122.46.71", - "10.76.3.41" - ], - "related.user": [ - "aturve" - ], - "rsa.internal.messageid": "NONE", - "rsa.misc.action": [ - "NONE", - "allow" - ], - "rsa.misc.content_type": "aaliquaU", - "rsa.misc.result_code": "mpori", - "rsa.network.domain": "www.example.org", - "rsa.network.network_service": "quirat", - "rsa.time.event_time": "2016-08-16T10:45:59.000Z", - "rsa.web.alias_host": "www.example.org", - "rsa.web.web_ref_domain": "www5.example.com", - "rsa.web.web_ref_query": "nsectet=utla", - "server.domain": "www.example.org", - "server.registered_domain": "example.org", - "server.subdomain": "www", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 2989, - "source.ip": "10.122.46.71", - "source.port": 2807, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www.example.org", - "url.extension": "txt", - "url.fragment": "iamquis", - "url.original": "https://www.example.org/eav/ionevo.txt?siar=orev#iamquis", - "url.path": [ - "/eav/ionevo.txt", - "https://www5.example.com" - ], - "url.query": "siar=orev", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.subdomain": "www", - "url.top_level_domain": "org", - "user.name": "aturve", - "user_agent.device.name": "VS996", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 8.0.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "8.0.0", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2016-08-30T05:48:33.000Z", - "destination.ip": "10.249.213.83", - "event.action": "accept", - "event.code": "PROPFIND", - "event.dataset": "squid.log", - 
"event.module": "squid", - "event.original": "10.164.250.63 2530 [30/Aug/2016:3:48:33 eritqu] \"PROPFIND https://internal.example.net/wri/bor.jpg?hitect=dol#leumiu namali\" 10.249.213.83 nsecte itame \"eumfug\" lit asun 1250 \"https://api.example.com/oluptate/onseq.html?labore=texp#tMalor\" \"Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30\" accept", - "file.name": "eumfug", - "fileset.name": "log", - "http.request.referrer": "https://api.example.com/oluptate/onseq.html?labore=texp#tMalor", - "input.type": "log", - "log.offset": 6019, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.com", - "internal.example.net" - ], - "related.ip": [ - "10.164.250.63", - "10.249.213.83" - ], - "related.user": [ - "itame" - ], - "rsa.internal.messageid": "PROPFIND", - "rsa.misc.action": [ - "PROPFIND", - "accept" - ], - "rsa.misc.content_type": "asun", - "rsa.misc.result_code": "lit", - "rsa.network.domain": "internal.example.net", - "rsa.network.network_service": "namali", - "rsa.time.event_time": "2016-08-30T05:48:33.000Z", - "rsa.web.alias_host": "internal.example.net", - "rsa.web.web_ref_domain": "api.example.com", - "rsa.web.web_ref_query": "labore=texp", - "server.domain": "internal.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "internal", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 1250, - "source.ip": "10.164.250.63", - "source.port": 2530, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "internal.example.net", - "url.extension": "jpg", - "url.fragment": "leumiu", - "url.original": "https://internal.example.net/wri/bor.jpg?hitect=dol#leumiu", - "url.path": [ - "/wri/bor.jpg", - "https://api.example.com" - ], - "url.query": "hitect=dol", - "url.registered_domain": 
"example.net", - "url.scheme": "https", - "url.subdomain": "internal", - "url.top_level_domain": "net", - "user.name": "itame", - "user_agent.device.name": "Lenovo A2016a40 ", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "48.0.2564.106" - }, - { - "@timestamp": "2016-09-13T12:51:07.000Z", - "destination.ip": "10.236.248.65", - "event.action": "cancel", - "event.code": "HEAD", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.61.242.75 2591 [13/Sep/2016:10:51:07 dantiumt] \"HEAD https://api.example.net/equat/doloreme.htm?ione=ihilmole#eriamea amre\" 10.236.248.65 pisciv iquidex \"radipisc\" tmo fficiade 3280 \"https://www5.example.net/uioffi/oru.jpg?one=etMalor#ipi\" \"Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" cancel", - "file.name": "radipisc", - "fileset.name": "log", - "http.request.referrer": "https://www5.example.net/uioffi/oru.jpg?one=etMalor#ipi", - "input.type": "log", - "log.offset": 6454, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.net", - "www5.example.net" - ], - "related.ip": [ - "10.236.248.65", - "10.61.242.75" - ], - "related.user": [ - "iquidex" - ], - "rsa.internal.messageid": "HEAD", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "HEAD", - "cancel" - ], - "rsa.misc.content_type": "fficiade", - "rsa.misc.result_code": "tmo", - "rsa.network.domain": "api.example.net", - "rsa.network.network_service": "amre", - 
"rsa.time.event_time": "2016-09-13T12:51:07.000Z", - "rsa.web.alias_host": "api.example.net", - "rsa.web.web_ref_domain": "www5.example.net", - "rsa.web.web_ref_query": "one=etMalor", - "server.domain": "api.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "api", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 3280, - "source.ip": "10.61.242.75", - "source.port": 2591, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "api.example.net", - "url.extension": "htm", - "url.fragment": "eriamea", - "url.original": "https://api.example.net/equat/doloreme.htm?ione=ihilmole#eriamea", - "url.path": [ - "/equat/doloreme.htm", - "https://www5.example.net" - ], - "url.query": "ione=ihilmole", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "api", - "url.top_level_domain": "net", - "user.name": "iquidex", - "user_agent.device.name": "G8142", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2016-09-28T07:53:42.000Z", - "destination.ip": "10.214.7.83", - "event.action": "block", - "event.code": "PUT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.13.59.31 5685 [28/Sep/2016:5:53:42 sperna] \"PUT https://www5.example.com/estia/tper.gif?volupt=osqui#xerc iutali\" 10.214.7.83 liquide etdol \"uela\" boN eprehend 2462 \"https://internal.example.net/lamcolab/ati.jpg?gel=lorsitam#mpo\" \"Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" block", - "file.name": "uela", - "fileset.name": "log", - "http.request.referrer": 
"https://internal.example.net/lamcolab/ati.jpg?gel=lorsitam#mpo", - "input.type": "log", - "log.offset": 6824, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "internal.example.net", - "www5.example.com" - ], - "related.ip": [ - "10.13.59.31", - "10.214.7.83" - ], - "related.user": [ - "etdol" - ], - "rsa.internal.messageid": "PUT", - "rsa.misc.action": [ - "PUT", - "block" - ], - "rsa.misc.content_type": "eprehend", - "rsa.misc.result_code": "boN", - "rsa.network.domain": "www5.example.com", - "rsa.network.network_service": "iutali", - "rsa.time.event_time": "2016-09-28T07:53:42.000Z", - "rsa.web.alias_host": "www5.example.com", - "rsa.web.web_ref_domain": "internal.example.net", - "rsa.web.web_ref_query": "gel=lorsitam", - "server.domain": "www5.example.com", - "server.registered_domain": "example.com", - "server.subdomain": "www5", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 2462, - "source.ip": "10.13.59.31", - "source.port": 5685, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www5.example.com", - "url.extension": "gif", - "url.fragment": "xerc", - "url.original": "https://www5.example.com/estia/tper.gif?volupt=osqui#xerc", - "url.path": [ - "/estia/tper.gif", - "https://internal.example.net" - ], - "url.query": "volupt=osqui", - "url.registered_domain": "example.com", - "url.scheme": "https", - "url.subdomain": "www5", - "url.top_level_domain": "com", - "user.name": "etdol", - "user_agent.device.name": "LG-$2", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2016-10-12T14:56:16.000Z", - "destination.ip": "10.49.92.179", - "event.action": 
"accept", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.89.201.140 2447 [12/Oct/2016:12:56:16 uamei] \"GET https://internal.example.net/sin/rvel.htm?nimid=itatione#isnis uptasn\" 10.49.92.179 osamn isnisiu \"bore\" tsu tcons 3128 \"https://api.example.org/lorinre/olorsita.gif?idata=rumwritt#magnid\" \"Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36\" accept", - "file.name": "bore", - "fileset.name": "log", - "http.request.referrer": "https://api.example.org/lorinre/olorsita.gif?idata=rumwritt#magnid", - "input.type": "log", - "log.offset": 7186, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.org", - "internal.example.net" - ], - "related.ip": [ - "10.49.92.179", - "10.89.201.140" - ], - "related.user": [ - "isnisiu" - ], - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "accept" - ], - "rsa.misc.content_type": "tcons", - "rsa.misc.result_code": "tsu", - "rsa.network.domain": "internal.example.net", - "rsa.network.network_service": "uptasn", - "rsa.time.event_time": "2016-10-12T14:56:16.000Z", - "rsa.web.alias_host": "internal.example.net", - "rsa.web.web_ref_domain": "api.example.org", - "rsa.web.web_ref_query": "idata=rumwritt", - "server.domain": "internal.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "internal", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 3128, - "source.ip": "10.89.201.140", - "source.port": 2447, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "internal.example.net", - "url.extension": "htm", - "url.fragment": "isnis", - "url.original": 
"https://internal.example.net/sin/rvel.htm?nimid=itatione#isnis", - "url.path": [ - "/sin/rvel.htm", - "https://api.example.org" - ], - "url.query": "nimid=itatione", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "internal", - "url.top_level_domain": "net", - "user.name": "isnisiu", - "user_agent.device.name": "Samsung SM-A260G", - "user_agent.name": "Chrome Mobile WebView", - "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", - "user_agent.os.full": "Android 8.1.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "8.1.0", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2016-10-26T09:58:50.000Z", - "destination.ip": "10.90.86.89", - "event.action": "deny", - "event.code": "PURGE", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.235.7.92 5787 [26/Oct/2016:7:58:50 nsecte] \"PURGE https://api.example.org/abo/veniamqu.gif?aliquide=ofde#equat derit\" 10.90.86.89 piscin lapar \"laboree\" tfu udan 5516 \"https://mail.example.net/xeacomm/mveleu.htm?utlabor=rau#idex\" \"Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36\" deny", - "file.name": "laboree", - "fileset.name": "log", - "http.request.referrer": "https://mail.example.net/xeacomm/mveleu.htm?utlabor=rau#idex", - "input.type": "log", - "log.offset": 7611, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.org", - "mail.example.net" - ], - "related.ip": [ - "10.235.7.92", - "10.90.86.89" - ], - "related.user": [ - "lapar" - ], - "rsa.internal.messageid": "PURGE", - "rsa.misc.action": [ - "PURGE", - "deny" - ], - "rsa.misc.content_type": "udan", - "rsa.misc.result_code": "tfu", - "rsa.network.domain": 
"api.example.org", - "rsa.network.network_service": "derit", - "rsa.time.event_time": "2016-10-26T09:58:50.000Z", - "rsa.web.alias_host": "api.example.org", - "rsa.web.web_ref_domain": "mail.example.net", - "rsa.web.web_ref_query": "utlabor=rau", - "server.domain": "api.example.org", - "server.registered_domain": "example.org", - "server.subdomain": "api", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 5516, - "source.ip": "10.235.7.92", - "source.port": 5787, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "api.example.org", - "url.extension": "gif", - "url.fragment": "equat", - "url.original": "https://api.example.org/abo/veniamqu.gif?aliquide=ofde#equat", - "url.path": [ - "/abo/veniamqu.gif", - "https://mail.example.net" - ], - "url.query": "aliquide=ofde", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.subdomain": "api", - "url.top_level_domain": "org", - "user.name": "lapar", - "user_agent.device.name": "QMobile X700 PRO II", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "77.0.3865.92" - }, - { - "@timestamp": "2016-11-10T05:01:24.000Z", - "destination.ip": "10.14.48.16", - "event.action": "cancel", - "event.code": "PROPFIND", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.14.211.43 4762 [10/Nov/2016:3:01:24 eiu] \"PROPFIND https://api.example.org/autfu/gnaaliq.jpg?olupta=litse#icabo itatio\" 10.14.48.16 sintoc volupt \"siste\" uiinea Utenima 1612 \"https://www5.example.net/ptatem/Nequepor.html?ugiatnu=ciati#nto\" \"Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30\" cancel", - 
"file.name": "siste", - "fileset.name": "log", - "http.request.referrer": "https://www5.example.net/ptatem/Nequepor.html?ugiatnu=ciati#nto", - "input.type": "log", - "log.offset": 7985, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.org", - "www5.example.net" - ], - "related.ip": [ - "10.14.211.43", - "10.14.48.16" - ], - "related.user": [ - "volupt" - ], - "rsa.internal.messageid": "PROPFIND", - "rsa.misc.action": [ - "PROPFIND", - "cancel" - ], - "rsa.misc.content_type": "Utenima", - "rsa.misc.result_code": "uiinea", - "rsa.network.domain": "api.example.org", - "rsa.network.network_service": "itatio", - "rsa.time.event_time": "2016-11-10T05:01:24.000Z", - "rsa.web.alias_host": "api.example.org", - "rsa.web.web_ref_domain": "www5.example.net", - "rsa.web.web_ref_query": "ugiatnu=ciati", - "server.domain": "api.example.org", - "server.registered_domain": "example.org", - "server.subdomain": "api", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 1612, - "source.ip": "10.14.211.43", - "source.port": 4762, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "api.example.org", - "url.extension": "jpg", - "url.fragment": "icabo", - "url.original": "https://api.example.org/autfu/gnaaliq.jpg?olupta=litse#icabo", - "url.path": [ - "/autfu/gnaaliq.jpg", - "https://www5.example.net" - ], - "url.query": "olupta=litse", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.subdomain": "api", - "url.top_level_domain": "org", - "user.name": "volupt", - "user_agent.device.name": "Samsung GT-P3100 ", - "user_agent.name": "Android", - "user_agent.original": "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30", - "user_agent.os.full": "Android 4.0.3", - "user_agent.os.name": "Android", - "user_agent.os.version": "4.0.3", - "user_agent.version": "4.0.3" - }, - { 
- "@timestamp": "2016-11-24T12:03:59.000Z", - "destination.ip": "10.93.123.174", - "event.action": "block", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.47.25.230 5491 [24/Nov/2016:10:03:59 ese] \"CONNECT https://internal.example.net/ptatemq/luptatev.html?Nequepo=ipsumd#ntocc uteirure\" 10.93.123.174 evelit reetdolo \"smo\" etcons iusmodi 1563 \"https://example.com/uiac/epte.gif?itam=aper#santiumd\" \"Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10\" block", - "file.name": "smo", - "fileset.name": "log", - "http.request.referrer": "https://example.com/uiac/epte.gif?itam=aper#santiumd", - "input.type": "log", - "log.offset": 8370, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "example.com", - "internal.example.net" - ], - "related.ip": [ - "10.47.25.230", - "10.93.123.174" - ], - "related.user": [ - "reetdolo" - ], - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "block" - ], - "rsa.misc.content_type": "iusmodi", - "rsa.misc.result_code": "etcons", - "rsa.network.domain": "internal.example.net", - "rsa.network.network_service": "uteirure", - "rsa.time.event_time": "2016-11-24T12:03:59.000Z", - "rsa.web.alias_host": "internal.example.net", - "rsa.web.web_ref_domain": "example.com", - "rsa.web.web_ref_query": "itam=aper", - "server.domain": "internal.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "internal", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 1563, - "source.ip": "10.47.25.230", - "source.port": 5491, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "internal.example.net", - 
"url.extension": "html", - "url.fragment": "ntocc", - "url.original": "https://internal.example.net/ptatemq/luptatev.html?Nequepo=ipsumd#ntocc", - "url.path": [ - "/ptatemq/luptatev.html", - "https://example.com" - ], - "url.query": "Nequepo=ipsumd", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "internal", - "url.top_level_domain": "net", - "user.name": "reetdolo", - "user_agent.device.name": "Samsung SM-A305FN", - "user_agent.name": "YandexSearch", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "8.10" - }, - { - "@timestamp": "2016-12-08T07:06:33.000Z", - "destination.ip": "10.233.48.103", - "event.action": "cancel", - "event.code": "MKOL", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.7.46.36 837 [08/Dec/2016:5:06:33 nonn] \"MKOL https://www5.example.net/quiavol/rrorsi.gif?iatisu=sec#cons sBon\" 10.233.48.103 leumiur tlab \"aperiame\" isc ullamcor 584 \"https://www5.example.com/tateve/itinvol.txt?tenatus=cipitlab#ipsumd\" \"Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30\" cancel", - "file.name": "aperiame", - "fileset.name": "log", - "http.request.referrer": "https://www5.example.com/tateve/itinvol.txt?tenatus=cipitlab#ipsumd", - "input.type": "log", - "log.offset": 8829, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "www5.example.com", - "www5.example.net" - ], - "related.ip": [ - "10.233.48.103", - "10.7.46.36" - ], - "related.user": [ - "tlab" - ], - "rsa.internal.messageid": "MKOL", - "rsa.misc.action": [ - "MKOL", - 
"cancel" - ], - "rsa.misc.content_type": "ullamcor", - "rsa.misc.result_code": "isc", - "rsa.network.domain": "www5.example.net", - "rsa.network.network_service": "sBon", - "rsa.time.event_time": "2016-12-08T07:06:33.000Z", - "rsa.web.alias_host": "www5.example.net", - "rsa.web.web_ref_domain": "www5.example.com", - "rsa.web.web_ref_query": "tenatus=cipitlab", - "server.domain": "www5.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "www5", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 584, - "source.ip": "10.7.46.36", - "source.port": 837, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www5.example.net", - "url.extension": "gif", - "url.fragment": "cons", - "url.original": "https://www5.example.net/quiavol/rrorsi.gif?iatisu=sec#cons", - "url.path": [ - "/quiavol/rrorsi.gif", - "https://www5.example.com" - ], - "url.query": "iatisu=sec", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "www5", - "url.top_level_domain": "net", - "user.name": "tlab", - "user_agent.device.name": "Samsung GT-P3100 ", - "user_agent.name": "Android", - "user_agent.original": "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30", - "user_agent.os.full": "Android 4.0.3", - "user_agent.os.name": "Android", - "user_agent.os.version": "4.0.3", - "user_agent.version": "4.0.3" - }, - { - "@timestamp": "2016-12-23T14:09:07.000Z", - "destination.ip": "10.27.58.92", - "event.action": "accept", - "event.code": "PROPATCH", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.93.220.10 2805 [23/Dec/2016:12:09:07 com] \"PROPATCH https://api.example.net/orain/tiumt.jpg?litessec=itas#edquia sequatu\" 10.27.58.92 amvo qui \"tasn\" Nemoenim squirati 63 \"https://mail.example.com/nbyCic/utlabor.html?iciade=ntiumt#iquipe\" \"Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; 
rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36\" accept", - "file.name": "tasn", - "fileset.name": "log", - "http.request.referrer": "https://mail.example.com/nbyCic/utlabor.html?iciade=ntiumt#iquipe", - "input.type": "log", - "log.offset": 9210, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.net", - "mail.example.com" - ], - "related.ip": [ - "10.27.58.92", - "10.93.220.10" - ], - "related.user": [ - "qui" - ], - "rsa.internal.messageid": "PROPATCH", - "rsa.misc.action": [ - "PROPATCH", - "accept" - ], - "rsa.misc.content_type": "squirati", - "rsa.misc.result_code": "Nemoenim", - "rsa.network.domain": "api.example.net", - "rsa.network.network_service": "sequatu", - "rsa.time.event_time": "2016-12-23T14:09:07.000Z", - "rsa.web.alias_host": "api.example.net", - "rsa.web.web_ref_domain": "mail.example.com", - "rsa.web.web_ref_query": "iciade=ntiumt", - "server.domain": "api.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "api", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 63, - "source.ip": "10.93.220.10", - "source.port": 2805, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "api.example.net", - "url.extension": "jpg", - "url.fragment": "edquia", - "url.original": "https://api.example.net/orain/tiumt.jpg?litessec=itas#edquia", - "url.path": [ - "/orain/tiumt.jpg", - "https://mail.example.com" - ], - "url.query": "litessec=itas", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "api", - "url.top_level_domain": "net", - "user.name": "qui", - "user_agent.device.name": "Samsung SM-A260G", - "user_agent.name": "Chrome Mobile WebView", - "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) 
Chrome/81.0.4044.138 Mobile Safari/537.36", - "user_agent.os.full": "Android 8.1.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "8.1.0", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2017-01-06T09:11:41.000Z", - "destination.ip": "10.135.217.12", - "event.action": "block", - "event.code": "PURGE", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.213.144.249 4427 [06/Jan/2017:7:11:41 taedicta] \"PURGE https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut uamni\" 10.135.217.12 metMalo ntexplic \"archite\" loreme untu 5676 \"https://example.net/con/nisist.gif?ium=esciuntN#idunt\" \"Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" block", - "file.name": "archite", - "fileset.name": "log", - "http.request.referrer": "https://example.net/con/nisist.gif?ium=esciuntN#idunt", - "input.type": "log", - "log.offset": 9635, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "example.net", - "www.example.net" - ], - "related.ip": [ - "10.135.217.12", - "10.213.144.249" - ], - "related.user": [ - "ntexplic" - ], - "rsa.internal.messageid": "PURGE", - "rsa.misc.action": [ - "PURGE", - "block" - ], - "rsa.misc.content_type": "untu", - "rsa.misc.result_code": "loreme", - "rsa.network.domain": "www.example.net", - "rsa.network.network_service": "uamni", - "rsa.time.event_time": "2017-01-06T09:11:41.000Z", - "rsa.web.alias_host": "www.example.net", - "rsa.web.web_ref_domain": "example.net", - "rsa.web.web_ref_query": "ium=esciuntN", - "server.domain": "www.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "www", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 5676, - "source.ip": "10.213.144.249", - "source.port": 4427, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www.example.net", - 
"url.extension": "txt", - "url.fragment": "untut", - "url.original": "https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut", - "url.path": [ - "/str/idolore.txt", - "https://example.net" - ], - "url.query": "eetdolo=cteturad", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "www", - "url.top_level_domain": "net", - "user.name": "ntexplic", - "user_agent.device.name": "G8142", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2017-01-20T04:14:16.000Z", - "destination.ip": "10.233.239.112", - "event.action": "cancel", - "event.code": "PURGE", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.13.226.57 3275 [20/Jan/2017:2:14:16 runtm] \"PURGE https://mail.example.net/velitse/oditem.html?torever=oremi#mestq temUt\" 10.233.239.112 npr mquelau \"iadolor\" amcol adeser 3780 \"https://internal.example.com/tqu/reprehen.gif?quam=quid#fugiat\" \"Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36\" cancel", - "file.name": "iadolor", - "fileset.name": "log", - "http.request.referrer": "https://internal.example.com/tqu/reprehen.gif?quam=quid#fugiat", - "input.type": "log", - "log.offset": 10003, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "internal.example.com", - "mail.example.net" - ], - "related.ip": [ - "10.13.226.57", - "10.233.239.112" - ], - "related.user": [ - "mquelau" - ], - "rsa.internal.messageid": "PURGE", - "rsa.misc.action": [ - "PURGE", - "cancel" - ], - "rsa.misc.content_type": "adeser", - "rsa.misc.result_code": "amcol", - "rsa.network.domain": 
"mail.example.net", - "rsa.network.network_service": "temUt", - "rsa.time.event_time": "2017-01-20T04:14:16.000Z", - "rsa.web.alias_host": "mail.example.net", - "rsa.web.web_ref_domain": "internal.example.com", - "rsa.web.web_ref_query": "quam=quid", - "server.domain": "mail.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "mail", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 3780, - "source.ip": "10.13.226.57", - "source.port": 3275, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "mail.example.net", - "url.extension": "html", - "url.fragment": "mestq", - "url.original": "https://mail.example.net/velitse/oditem.html?torever=oremi#mestq", - "url.path": [ - "/velitse/oditem.html", - "https://internal.example.com" - ], - "url.query": "torever=oremi", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "mail", - "url.top_level_domain": "net", - "user.name": "mquelau", - "user_agent.device.name": "Notepad_K10", - "user_agent.name": "Chrome", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2017-02-03T11:16:50.000Z", - "destination.ip": "10.21.169.127", - "event.action": "accept", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.161.203.252 301 [03/Feb/2017:9:16:50 emquia] \"CONNECT https://internal.example.org/isnisi/ritatise.gif?tamet=quatur#uisa eFi\" 10.21.169.127 rpori ice \"oles\" edic seq 2835 \"https://example.com/tatn/dolorsit.jpg?billo=labo#oNemoeni\" \"Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" accept", - "file.name": "oles", - "fileset.name": "log", 
- "http.request.referrer": "https://example.com/tatn/dolorsit.jpg?billo=labo#oNemoeni", - "input.type": "log", - "log.offset": 10374, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "example.com", - "internal.example.org" - ], - "related.ip": [ - "10.161.203.252", - "10.21.169.127" - ], - "related.user": [ - "ice" - ], - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "accept" - ], - "rsa.misc.content_type": "seq", - "rsa.misc.result_code": "edic", - "rsa.network.domain": "internal.example.org", - "rsa.network.network_service": "eFi", - "rsa.time.event_time": "2017-02-03T11:16:50.000Z", - "rsa.web.alias_host": "internal.example.org", - "rsa.web.web_ref_domain": "example.com", - "rsa.web.web_ref_query": "billo=labo", - "server.domain": "internal.example.org", - "server.registered_domain": "example.org", - "server.subdomain": "internal", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 2835, - "source.ip": "10.161.203.252", - "source.port": 301, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "internal.example.org", - "url.extension": "gif", - "url.fragment": "uisa", - "url.original": "https://internal.example.org/isnisi/ritatise.gif?tamet=quatur#uisa", - "url.path": [ - "/isnisi/ritatise.gif", - "https://example.com" - ], - "url.query": "tamet=quatur", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.subdomain": "internal", - "url.top_level_domain": "org", - "user.name": "ice", - "user_agent.device.name": "G8142", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - 
"user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2017-02-18T06:19:24.000Z", - "destination.ip": "10.69.139.26", - "event.action": "block", - "event.code": "LOCK", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.17.215.111 148 [18/Feb/2017:4:19:24 ratv] \"LOCK https://www.example.net/ianon/tsed.htm?ameiusm=proide#ano piscinge\" 10.69.139.26 ditemp edqui \"nre\" veli volupta 7124 \"https://api.example.com/ersp/enderi.jpg?adi=umwrit#uptate\" \"Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30\" block", - "file.name": "nre", - "fileset.name": "log", - "http.request.referrer": "https://api.example.com/ersp/enderi.jpg?adi=umwrit#uptate", - "input.type": "log", - "log.offset": 10735, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.com", - "www.example.net" - ], - "related.ip": [ - "10.17.215.111", - "10.69.139.26" - ], - "related.user": [ - "edqui" - ], - "rsa.internal.messageid": "LOCK", - "rsa.misc.action": [ - "LOCK", - "block" - ], - "rsa.misc.content_type": "volupta", - "rsa.misc.result_code": "veli", - "rsa.network.domain": "www.example.net", - "rsa.network.network_service": "piscinge", - "rsa.time.event_time": "2017-02-18T06:19:24.000Z", - "rsa.web.alias_host": "www.example.net", - "rsa.web.web_ref_domain": "api.example.com", - "rsa.web.web_ref_query": "adi=umwrit", - "server.domain": "www.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "www", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 7124, - "source.ip": "10.17.215.111", - "source.port": 148, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www.example.net", - "url.extension": "htm", - "url.fragment": "ano", - "url.original": 
"https://www.example.net/ianon/tsed.htm?ameiusm=proide#ano", - "url.path": [ - "/ianon/tsed.htm", - "https://api.example.com" - ], - "url.query": "ameiusm=proide", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "www", - "url.top_level_domain": "net", - "user.name": "edqui", - "user_agent.device.name": "Lenovo A2016a40 ", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "48.0.2564.106" - }, - { - "@timestamp": "2017-03-04T13:21:59.000Z", - "destination.ip": "10.104.80.189", - "event.action": "accept", - "event.code": "COPY", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.10.213.83 7206 [04/Mar/2017:11:21:59 nisi] \"COPY https://www5.example.org/ncididun/umSe.jpg?ise=itau#apariat vitaedi\" 10.104.80.189 dolore onsecte \"nBCSedut\" ugiat onulam 1542 \"https://mail.example.org/oditautf/quatu.jpg?lumdolor=nonp#labo\" \"Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" accept", - "file.name": "nBCSedut", - "fileset.name": "log", - "http.request.referrer": "https://mail.example.org/oditautf/quatu.jpg?lumdolor=nonp#labo", - "input.type": "log", - "log.offset": 11158, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "mail.example.org", - "www5.example.org" - ], - "related.ip": [ - "10.10.213.83", - "10.104.80.189" - ], - "related.user": [ - "onsecte" - ], - "rsa.internal.messageid": "COPY", - "rsa.misc.action": [ - "COPY", - "accept" - ], - "rsa.misc.content_type": "onulam", - "rsa.misc.result_code": "ugiat", - "rsa.network.domain": 
"www5.example.org", - "rsa.network.network_service": "vitaedi", - "rsa.time.event_time": "2017-03-04T13:21:59.000Z", - "rsa.web.alias_host": "www5.example.org", - "rsa.web.web_ref_domain": "mail.example.org", - "rsa.web.web_ref_query": "lumdolor=nonp", - "server.domain": "www5.example.org", - "server.registered_domain": "example.org", - "server.subdomain": "www5", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 1542, - "source.ip": "10.10.213.83", - "source.port": 7206, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www5.example.org", - "url.extension": "jpg", - "url.fragment": "apariat", - "url.original": "https://www5.example.org/ncididun/umSe.jpg?ise=itau#apariat", - "url.path": [ - "/ncididun/umSe.jpg", - "https://mail.example.org" - ], - "url.query": "ise=itau", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.subdomain": "www5", - "url.top_level_domain": "org", - "user.name": "onsecte", - "user_agent.device.name": "G8142", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2017-03-18T08:24:33.000Z", - "destination.ip": "10.116.230.217", - "event.action": "block", - "event.code": "UNLOCK", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.125.131.91 3480 [18/Mar/2017:6:24:33 urv] \"UNLOCK https://example.org/uatur/adminimv.gif?exeacom=roidents#tem dol\" 10.116.230.217 mvele isis \"uasiar\" utlab emUteni 7122 \"https://api.example.org/lor/velillu.html?dolorem=tvolu#nreprehe\" \"Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16\" block", - "file.name": "uasiar", - "fileset.name": "log", - "http.request.referrer": 
"https://api.example.org/lor/velillu.html?dolorem=tvolu#nreprehe", - "input.type": "log", - "log.offset": 11529, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.org", - "example.org" - ], - "related.ip": [ - "10.116.230.217", - "10.125.131.91" - ], - "related.user": [ - "isis" - ], - "rsa.internal.messageid": "UNLOCK", - "rsa.misc.action": [ - "UNLOCK", - "block" - ], - "rsa.misc.content_type": "emUteni", - "rsa.misc.result_code": "utlab", - "rsa.network.domain": "example.org", - "rsa.network.network_service": "dol", - "rsa.time.event_time": "2017-03-18T08:24:33.000Z", - "rsa.web.alias_host": "example.org", - "rsa.web.web_ref_domain": "api.example.org", - "rsa.web.web_ref_query": "dolorem=tvolu", - "server.domain": "example.org", - "server.registered_domain": "example.org", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 7122, - "source.ip": "10.125.131.91", - "source.port": 3480, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "example.org", - "url.extension": "gif", - "url.fragment": "tem", - "url.original": "https://example.org/uatur/adminimv.gif?exeacom=roidents#tem", - "url.path": [ - "/uatur/adminimv.gif", - "https://api.example.org" - ], - "url.query": "exeacom=roidents", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.top_level_domain": "org", - "user.name": "isis", - "user_agent.device.name": "Generic Smartphone", - "user_agent.name": "Opera Mini", - "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", - "user_agent.os.name": "Symbian OS", - "user_agent.version": "7.1.32444" - }, - { - "@timestamp": "2017-04-02T03:27:07.000Z", - "destination.ip": "10.119.90.128", - "event.action": "cancel", - "event.code": "ICP_QUERY", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.26.96.202 2751 [02/Apr/2017:1:27:07 rautodi] 
\"ICP_QUERY https://api.example.com/ven/rQu.html?doloreme=dun#reprehe tincu\" 10.119.90.128 lor oraincid \"intocc\" amcorp ntsunt 4826 \"https://mail.example.com/olo/psumqu.txt?fdeF=iquidexe#diconse\" \"Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91\" cancel", - "file.name": "intocc", - "fileset.name": "log", - "http.request.referrer": "https://mail.example.com/olo/psumqu.txt?fdeF=iquidexe#diconse", - "input.type": "log", - "log.offset": 11865, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.com", - "mail.example.com" - ], - "related.ip": [ - "10.119.90.128", - "10.26.96.202" - ], - "related.user": [ - "oraincid" - ], - "rsa.internal.messageid": "ICP_QUERY", - "rsa.misc.action": [ - "ICP_QUERY", - "cancel" - ], - "rsa.misc.content_type": "ntsunt", - "rsa.misc.result_code": "amcorp", - "rsa.network.domain": "api.example.com", - "rsa.network.network_service": "tincu", - "rsa.time.event_time": "2017-04-02T03:27:07.000Z", - "rsa.web.alias_host": "api.example.com", - "rsa.web.web_ref_domain": "mail.example.com", - "rsa.web.web_ref_query": "fdeF=iquidexe", - "server.domain": "api.example.com", - "server.registered_domain": "example.com", - "server.subdomain": "api", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 4826, - "source.ip": "10.26.96.202", - "source.port": 2751, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "api.example.com", - "url.extension": "html", - "url.fragment": "reprehe", - "url.original": "https://api.example.com/ven/rQu.html?doloreme=dun#reprehe", - "url.path": [ - "/ven/rQu.html", - "https://mail.example.com" - ], - "url.query": "doloreme=dun", - "url.registered_domain": "example.com", - "url.scheme": "https", - "url.subdomain": "api", - "url.top_level_domain": "com", - "user.name": 
"oraincid", - "user_agent.device.name": "STK-L21", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2017-04-16T10:29:41.000Z", - "destination.ip": "10.76.110.144", - "event.action": "deny", - "event.code": "HEAD", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.0.98.205 126 [16/Apr/2017:8:29:41 edquiac] \"HEAD https://api.example.net/eseru/quamest.html?qua=rsita#ate ipsamvo\" 10.76.110.144 tdol upt \"mex\" tatem untutlab 3386 \"https://mail.example.com/plicab/oremq.html?uisaute=imide#poriss\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36\" deny", - "file.name": "mex", - "fileset.name": "log", - "http.request.referrer": "https://mail.example.com/plicab/oremq.html?uisaute=imide#poriss", - "input.type": "log", - "log.offset": 12300, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.net", - "mail.example.com" - ], - "related.ip": [ - "10.0.98.205", - "10.76.110.144" - ], - "related.user": [ - "upt" - ], - "rsa.internal.messageid": "HEAD", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "HEAD", - "deny" - ], - "rsa.misc.content_type": "untutlab", - "rsa.misc.result_code": "tatem", - "rsa.network.domain": "api.example.net", - "rsa.network.network_service": "ipsamvo", - "rsa.time.event_time": "2017-04-16T10:29:41.000Z", - "rsa.web.alias_host": "api.example.net", - 
"rsa.web.web_ref_domain": "mail.example.com", - "rsa.web.web_ref_query": "uisaute=imide", - "server.domain": "api.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "api", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 3386, - "source.ip": "10.0.98.205", - "source.port": 126, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "api.example.net", - "url.extension": "html", - "url.fragment": "ate", - "url.original": "https://api.example.net/eseru/quamest.html?qua=rsita#ate", - "url.path": [ - "/eseru/quamest.html", - "https://mail.example.com" - ], - "url.query": "qua=rsita", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "api", - "url.top_level_domain": "net", - "user.name": "upt", - "user_agent.device.name": "Mac", - "user_agent.name": "Yandex Browser", - "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", - "user_agent.os.full": "Mac OS X 10.15.6", - "user_agent.os.name": "Mac OS X", - "user_agent.os.version": "10.15.6", - "user_agent.version": "20.3.0" - }, - { - "@timestamp": "2017-04-30T05:32:16.000Z", - "destination.ip": "10.135.46.242", - "event.action": "deny", - "event.code": "MOVE", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.224.11.165 1646 [30/Apr/2017:3:32:16 nof] \"MOVE https://internal.example.org/mvolu/conse.txt?aincidu=nimadmin#isiu licabo\" 10.135.46.242 lupta xeaco \"nvolupt\" oremi elites 1940 \"https://www.example.org/boNemoe/onsequ.html?amvolupt=onevolu#mnis\" \"Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36\" deny", - "file.name": "nvolupt", - "fileset.name": "log", - "http.request.referrer": "https://www.example.org/boNemoe/onsequ.html?amvolupt=onevolu#mnis", - "input.type": "log", 
- "log.offset": 12695, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "internal.example.org", - "www.example.org" - ], - "related.ip": [ - "10.135.46.242", - "10.224.11.165" - ], - "related.user": [ - "xeaco" - ], - "rsa.internal.messageid": "MOVE", - "rsa.misc.action": [ - "MOVE", - "deny" - ], - "rsa.misc.content_type": "elites", - "rsa.misc.result_code": "oremi", - "rsa.network.domain": "internal.example.org", - "rsa.network.network_service": "licabo", - "rsa.time.event_time": "2017-04-30T05:32:16.000Z", - "rsa.web.alias_host": "internal.example.org", - "rsa.web.web_ref_domain": "www.example.org", - "rsa.web.web_ref_query": "amvolupt=onevolu", - "server.domain": "internal.example.org", - "server.registered_domain": "example.org", - "server.subdomain": "internal", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 1940, - "source.ip": "10.224.11.165", - "source.port": 1646, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "internal.example.org", - "url.extension": "txt", - "url.fragment": "isiu", - "url.original": "https://internal.example.org/mvolu/conse.txt?aincidu=nimadmin#isiu", - "url.path": [ - "/mvolu/conse.txt", - "https://www.example.org" - ], - "url.query": "aincidu=nimadmin", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.subdomain": "internal", - "url.top_level_domain": "org", - "user.name": "xeaco", - "user_agent.device.name": "QMobile X700 PRO II", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "77.0.3865.92" - }, - { - "@timestamp": "2017-05-14T12:34:50.000Z", - "destination.ip": "10.154.53.249", - "event.action": "accept", - 
"event.code": "TRACE", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.27.44.4 4686 [14/May/2017:10:34:50 sequatD] \"TRACE https://internal.example.org/isciv/rroqu.html?uisa=tametco#ilmol eri\" 10.154.53.249 tae autodit \"elit\" cidunt plica 7398 \"https://internal.example.org/emqu/nderi.html?accusant=onse#admin\" \"Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10\" accept", - "file.name": "elit", - "fileset.name": "log", - "http.request.referrer": "https://internal.example.org/emqu/nderi.html?accusant=onse#admin", - "input.type": "log", - "log.offset": 13084, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "internal.example.org" - ], - "related.ip": [ - "10.154.53.249", - "10.27.44.4" - ], - "related.user": [ - "autodit" - ], - "rsa.internal.messageid": "TRACE", - "rsa.misc.action": [ - "TRACE", - "accept" - ], - "rsa.misc.content_type": "plica", - "rsa.misc.result_code": "cidunt", - "rsa.network.domain": "internal.example.org", - "rsa.network.network_service": "eri", - "rsa.time.event_time": "2017-05-14T12:34:50.000Z", - "rsa.web.alias_host": "internal.example.org", - "rsa.web.web_ref_domain": "internal.example.org", - "rsa.web.web_ref_query": "accusant=onse", - "server.domain": "internal.example.org", - "server.registered_domain": "example.org", - "server.subdomain": "internal", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 7398, - "source.ip": "10.27.44.4", - "source.port": 4686, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "internal.example.org", - "url.extension": "html", - "url.fragment": "ilmol", - "url.original": "https://internal.example.org/isciv/rroqu.html?uisa=tametco#ilmol", - "url.path": [ - "/isciv/rroqu.html", - "https://internal.example.org" - 
], - "url.query": "uisa=tametco", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.subdomain": "internal", - "url.top_level_domain": "org", - "user.name": "autodit", - "user_agent.device.name": "Samsung SM-A305FN", - "user_agent.name": "YandexSearch", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "8.10" - }, - { - "@timestamp": "2017-05-29T07:37:24.000Z", - "destination.ip": "10.150.245.88", - "event.action": "cancel", - "event.code": "COPY", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.93.39.140 4275 [29/May/2017:5:37:24 ute] \"COPY https://www5.example.net/uaeratv/isa.txt?periam=dqu#pid rExc\" 10.150.245.88 orisn reetd \"prehen\" ntutlabo iusmodte 1738 \"https://example.org/isc/Nequepor.txt?rem=idid#tesse\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36\" cancel", - "file.name": "prehen", - "fileset.name": "log", - "http.request.referrer": "https://example.org/isc/Nequepor.txt?rem=idid#tesse", - "input.type": "log", - "log.offset": 13539, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "example.org", - "www5.example.net" - ], - "related.ip": [ - "10.150.245.88", - "10.93.39.140" - ], - "related.user": [ - "reetd" - ], - "rsa.internal.messageid": "COPY", - "rsa.misc.action": [ - "COPY", - "cancel" - ], - "rsa.misc.content_type": "iusmodte", - "rsa.misc.result_code": "ntutlabo", - "rsa.network.domain": "www5.example.net", - "rsa.network.network_service": "rExc", - "rsa.time.event_time": "2017-05-29T07:37:24.000Z", - 
"rsa.web.alias_host": "www5.example.net", - "rsa.web.web_ref_domain": "example.org", - "rsa.web.web_ref_query": "rem=idid", - "server.domain": "www5.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "www5", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 1738, - "source.ip": "10.93.39.140", - "source.port": 4275, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www5.example.net", - "url.extension": "txt", - "url.fragment": "pid", - "url.original": "https://www5.example.net/uaeratv/isa.txt?periam=dqu#pid", - "url.path": [ - "/uaeratv/isa.txt", - "https://example.org" - ], - "url.query": "periam=dqu", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "www5", - "url.top_level_domain": "net", - "user.name": "reetd", - "user_agent.device.name": "Mac", - "user_agent.name": "Yandex Browser", - "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", - "user_agent.os.full": "Mac OS X 10.15.6", - "user_agent.os.name": "Mac OS X", - "user_agent.os.version": "10.15.6", - "user_agent.version": "20.3.0" - }, - { - "@timestamp": "2017-06-12T14:39:58.000Z", - "destination.ip": "10.73.207.70", - "event.action": "block", - "event.code": "UNLOCK", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.61.92.2 6595 [12/Jun/2017:12:39:58 maliquam] \"UNLOCK https://www5.example.com/orroq/vitaedic.txt?orisni=ons#remagn ecillu\" 10.73.207.70 llamco atu \"untincul\" ssecil commodi 3023 \"https://mail.example.net/tate/onevo.htm?emvele=isnost#olorem\" \"Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30\" block", - "file.name": "untincul", - "fileset.name": "log", - "http.request.referrer": 
"https://mail.example.net/tate/onevo.htm?emvele=isnost#olorem", - "input.type": "log", - "log.offset": 13927, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "mail.example.net", - "www5.example.com" - ], - "related.ip": [ - "10.61.92.2", - "10.73.207.70" - ], - "related.user": [ - "atu" - ], - "rsa.internal.messageid": "UNLOCK", - "rsa.misc.action": [ - "UNLOCK", - "block" - ], - "rsa.misc.content_type": "commodi", - "rsa.misc.result_code": "ssecil", - "rsa.network.domain": "www5.example.com", - "rsa.network.network_service": "ecillu", - "rsa.time.event_time": "2017-06-12T14:39:58.000Z", - "rsa.web.alias_host": "www5.example.com", - "rsa.web.web_ref_domain": "mail.example.net", - "rsa.web.web_ref_query": "emvele=isnost", - "server.domain": "www5.example.com", - "server.registered_domain": "example.com", - "server.subdomain": "www5", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 3023, - "source.ip": "10.61.92.2", - "source.port": 6595, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www5.example.com", - "url.extension": "txt", - "url.fragment": "remagn", - "url.original": "https://www5.example.com/orroq/vitaedic.txt?orisni=ons#remagn", - "url.path": [ - "/orroq/vitaedic.txt", - "https://mail.example.net" - ], - "url.query": "orisni=ons", - "url.registered_domain": "example.com", - "url.scheme": "https", - "url.subdomain": "www5", - "url.top_level_domain": "com", - "user.name": "atu", - "user_agent.device.name": "Lenovo A2016a40 ", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "48.0.2564.106" - }, - { - "@timestamp": 
"2017-06-26T09:42:33.000Z", - "destination.ip": "10.50.124.116", - "event.action": "allow", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.84.32.178 5271 [26/Jun/2017:7:42:33 aliq] \"GET https://example.net/mven/olorsit.gif?oremag=illu#ruredo mac\" temUt 2741 \"https://internal.example.com/uamnihi/risnis.html?scingeli=isn#sBono\" \"Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36\" allow 10.50.124.116 numquam 104.719000", - "fileset.name": "log", - "http.request.referrer": "https://internal.example.com/uamnihi/risnis.html?scingeli=isn#sBono", - "input.type": "log", - "log.offset": 14365, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "example.net", - "internal.example.com" - ], - "related.ip": [ - "10.50.124.116", - "10.84.32.178" - ], - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "allow" - ], - "rsa.misc.content_type": "numquam", - "rsa.misc.result_code": "temUt", - "rsa.network.domain": "example.net", - "rsa.network.network_service": "mac", - "rsa.time.duration_time": 104.719, - "rsa.time.event_time": "2017-06-26T09:42:33.000Z", - "rsa.web.alias_host": "example.net", - "rsa.web.web_ref_domain": "internal.example.com", - "rsa.web.web_ref_query": "scingeli=isn", - "server.domain": "example.net", - "server.registered_domain": "example.net", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 2741, - "source.ip": "10.84.32.178", - "source.port": 5271, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "example.net", - "url.extension": "gif", - "url.fragment": "ruredo", - "url.original": 
"https://example.net/mven/olorsit.gif?oremag=illu#ruredo", - "url.path": [ - "/mven/olorsit.gif", - "https://internal.example.com" - ], - "url.query": "oremag=illu", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.top_level_domain": "net", - "user_agent.device.name": "Samsung SM-A260G", - "user_agent.name": "Chrome Mobile WebView", - "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", - "user_agent.os.full": "Android 8.1.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "8.1.0", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2017-07-11T04:45:07.000Z", - "destination.ip": "10.211.234.224", - "event.action": "accept", - "event.code": "TRACE", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.173.222.131 918 [11/Jul/2017:2:45:07 ori] \"TRACE https://www5.example.net/rum/eataevi.html?ulla=iqu#oin hil\" 10.211.234.224 uiadol Duisa \"lupta\" aUt boNem 5564 \"https://api.example.org/maveni/onevo.htm?liquaUte=alorum#obeataev\" \"Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" accept", - "file.name": "lupta", - "fileset.name": "log", - "http.request.referrer": "https://api.example.org/maveni/onevo.htm?liquaUte=alorum#obeataev", - "input.type": "log", - "log.offset": 14772, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.org", - "www5.example.net" - ], - "related.ip": [ - "10.173.222.131", - "10.211.234.224" - ], - "related.user": [ - "Duisa" - ], - "rsa.internal.messageid": "TRACE", - "rsa.misc.action": [ - "TRACE", - "accept" - ], - "rsa.misc.content_type": "boNem", - "rsa.misc.result_code": "aUt", - "rsa.network.domain": "www5.example.net", - "rsa.network.network_service": "hil", - 
"rsa.time.event_time": "2017-07-11T04:45:07.000Z", - "rsa.web.alias_host": "www5.example.net", - "rsa.web.web_ref_domain": "api.example.org", - "rsa.web.web_ref_query": "liquaUte=alorum", - "server.domain": "www5.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "www5", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 5564, - "source.ip": "10.173.222.131", - "source.port": 918, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www5.example.net", - "url.extension": "html", - "url.fragment": "oin", - "url.original": "https://www5.example.net/rum/eataevi.html?ulla=iqu#oin", - "url.path": [ - "/rum/eataevi.html", - "https://api.example.org" - ], - "url.query": "ulla=iqu", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "www5", - "url.top_level_domain": "net", - "user.name": "Duisa", - "user_agent.device.name": "G8142", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2017-07-25T11:47:41.000Z", - "destination.ip": "10.0.157.225", - "event.action": "deny", - "event.code": "PROPFIND", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.11.83.126 6581 [25/Jul/2017:9:47:41 naaliq] \"PROPFIND https://mail.example.net/osquir/mod.txt?fugitse=imad#tinvolup tsed\" 10.0.157.225 itam atu \"lloin\" remipsum tempor 1282 \"https://www5.example.net/incidid/rure.htm?edquian=loremeu#aturve\" \"Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" deny", - "file.name": "lloin", - "fileset.name": "log", - "http.request.referrer": 
"https://www5.example.net/incidid/rure.htm?edquian=loremeu#aturve", - "input.type": "log", - "log.offset": 15130, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "mail.example.net", - "www5.example.net" - ], - "related.ip": [ - "10.0.157.225", - "10.11.83.126" - ], - "related.user": [ - "atu" - ], - "rsa.internal.messageid": "PROPFIND", - "rsa.misc.action": [ - "PROPFIND", - "deny" - ], - "rsa.misc.content_type": "tempor", - "rsa.misc.result_code": "remipsum", - "rsa.network.domain": "mail.example.net", - "rsa.network.network_service": "tsed", - "rsa.time.event_time": "2017-07-25T11:47:41.000Z", - "rsa.web.alias_host": "mail.example.net", - "rsa.web.web_ref_domain": "www5.example.net", - "rsa.web.web_ref_query": "edquian=loremeu", - "server.domain": "mail.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "mail", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 1282, - "source.ip": "10.11.83.126", - "source.port": 6581, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "mail.example.net", - "url.extension": "txt", - "url.fragment": "tinvolup", - "url.original": "https://mail.example.net/osquir/mod.txt?fugitse=imad#tinvolup", - "url.path": [ - "/osquir/mod.txt", - "https://www5.example.net" - ], - "url.query": "fugitse=imad", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "mail", - "url.top_level_domain": "net", - "user.name": "atu", - "user_agent.device.name": "POCOPHONE F1", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2017-08-08T06:50:15.000Z", - "destination.ip": 
"10.92.237.93", - "event.action": "cancel", - "event.code": "PUT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.228.77.21 6889 [08/Aug/2017:4:50:15 lamc] \"PUT https://api.example.com/asper/umq.txt?itasper=uae#mve uia\" 10.92.237.93 mad onse \"redol\" gnaa mod 5107 \"https://www5.example.com/toditaut/voluptat.htm?strumex=eprehend#asnu\" \"Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30\" cancel", - "file.name": "redol", - "fileset.name": "log", - "http.request.referrer": "https://www5.example.com/toditaut/voluptat.htm?strumex=eprehend#asnu", - "input.type": "log", - "log.offset": 15505, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.com", - "www5.example.com" - ], - "related.ip": [ - "10.228.77.21", - "10.92.237.93" - ], - "related.user": [ - "onse" - ], - "rsa.internal.messageid": "PUT", - "rsa.misc.action": [ - "PUT", - "cancel" - ], - "rsa.misc.content_type": "mod", - "rsa.misc.result_code": "gnaa", - "rsa.network.domain": "api.example.com", - "rsa.network.network_service": "uia", - "rsa.time.event_time": "2017-08-08T06:50:15.000Z", - "rsa.web.alias_host": "api.example.com", - "rsa.web.web_ref_domain": "www5.example.com", - "rsa.web.web_ref_query": "strumex=eprehend", - "server.domain": "api.example.com", - "server.registered_domain": "example.com", - "server.subdomain": "api", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 5107, - "source.ip": "10.228.77.21", - "source.port": 6889, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "api.example.com", - "url.extension": "txt", - "url.fragment": "mve", - "url.original": "https://api.example.com/asper/umq.txt?itasper=uae#mve", - "url.path": [ - "/asper/umq.txt", - "https://www5.example.com" - ], - "url.query": "itasper=uae", - "url.registered_domain": "example.com", - 
"url.scheme": "https", - "url.subdomain": "api", - "url.top_level_domain": "com", - "user.name": "onse", - "user_agent.device.name": "Samsung GT-P3100 ", - "user_agent.name": "Android", - "user_agent.original": "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30", - "user_agent.os.full": "Android 4.0.3", - "user_agent.os.name": "Android", - "user_agent.os.version": "4.0.3", - "user_agent.version": "4.0.3" - }, - { - "@timestamp": "2017-08-22T13:52:50.000Z", - "destination.ip": "10.20.28.92", - "event.action": "allow", - "event.code": "POST", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.102.215.23 3665 [22/Aug/2017:11:52:50 esseq] \"POST https://www5.example.net/quatD/isqua.jpg?oloreseo=iruredol#veniamqu licaboN\" 10.20.28.92 econs ntexpl \"dunt\" litsedq nderiti 409 \"https://api.example.com/Cic/olorema.txt?iscive=quasiar#aeab\" \"Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16\" allow", - "file.name": "dunt", - "fileset.name": "log", - "http.request.referrer": "https://api.example.com/Cic/olorema.txt?iscive=quasiar#aeab", - "input.type": "log", - "log.offset": 15871, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.com", - "www5.example.net" - ], - "related.ip": [ - "10.102.215.23", - "10.20.28.92" - ], - "related.user": [ - "ntexpl" - ], - "rsa.internal.messageid": "POST", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "POST", - "allow" - ], - "rsa.misc.content_type": "nderiti", - "rsa.misc.result_code": "litsedq", - "rsa.network.domain": "www5.example.net", - "rsa.network.network_service": "licaboN", - "rsa.time.event_time": "2017-08-22T13:52:50.000Z", - "rsa.web.alias_host": "www5.example.net", - "rsa.web.web_ref_domain": "api.example.com", - 
"rsa.web.web_ref_query": "iscive=quasiar", - "server.domain": "www5.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "www5", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 409, - "source.ip": "10.102.215.23", - "source.port": 3665, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www5.example.net", - "url.extension": "jpg", - "url.fragment": "veniamqu", - "url.original": "https://www5.example.net/quatD/isqua.jpg?oloreseo=iruredol#veniamqu", - "url.path": [ - "/quatD/isqua.jpg", - "https://api.example.com" - ], - "url.query": "oloreseo=iruredol", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "www5", - "url.top_level_domain": "net", - "user.name": "ntexpl", - "user_agent.device.name": "Generic Smartphone", - "user_agent.name": "Opera Mini", - "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", - "user_agent.os.name": "Symbian OS", - "user_agent.version": "7.1.32444" - }, - { - "@timestamp": "2017-09-06T08:55:24.000Z", - "destination.ip": "10.17.87.79", - "event.action": "block", - "event.code": "NONE", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.45.28.159 5627 [06/Sep/2017:6:55:24 ree] \"NONE https://api.example.net/ation/luptas.html?iatqu=lorsi#repreh plic\" 10.17.87.79 tetur tionula \"ritqu\" ecatcupi uamei 4595 \"https://www5.example.com/onse/olorem.gif?duntutla=ntium#iration\" \"Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" block", - "file.name": "ritqu", - "fileset.name": "log", - "http.request.referrer": "https://www5.example.com/onse/olorem.gif?duntutla=ntium#iration", - "input.type": "log", - "log.offset": 16214, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.net", - 
"www5.example.com" - ], - "related.ip": [ - "10.17.87.79", - "10.45.28.159" - ], - "related.user": [ - "tionula" - ], - "rsa.internal.messageid": "NONE", - "rsa.misc.action": [ - "NONE", - "block" - ], - "rsa.misc.content_type": "uamei", - "rsa.misc.result_code": "ecatcupi", - "rsa.network.domain": "api.example.net", - "rsa.network.network_service": "plic", - "rsa.time.event_time": "2017-09-06T08:55:24.000Z", - "rsa.web.alias_host": "api.example.net", - "rsa.web.web_ref_domain": "www5.example.com", - "rsa.web.web_ref_query": "duntutla=ntium", - "server.domain": "api.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "api", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 4595, - "source.ip": "10.45.28.159", - "source.port": 5627, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "api.example.net", - "url.extension": "html", - "url.fragment": "repreh", - "url.original": "https://api.example.net/ation/luptas.html?iatqu=lorsi#repreh", - "url.path": [ - "/ation/luptas.html", - "https://www5.example.com" - ], - "url.query": "iatqu=lorsi", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "api", - "url.top_level_domain": "net", - "user.name": "tionula", - "user_agent.device.name": "Samsung SM-S337TL", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 7.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "7.0", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2017-09-20T03:57:58.000Z", - "destination.ip": "10.189.94.51", - "event.action": "allow", - "event.code": "DELETE", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.177.238.45 5137 [20/Sep/2017:1:57:58 ssusci] \"DELETE 
https://internal.example.com/mpo/unte.jpg?ueipsa=scipitl#eumi quasiarc\" 10.189.94.51 tetura rsp \"oluptat\" metco acom 5704 \"https://api.example.com/tem/exeacomm.txt?taliqui=mides#ciun\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36\" allow", - "file.name": "oluptat", - "fileset.name": "log", - "http.request.referrer": "https://api.example.com/tem/exeacomm.txt?taliqui=mides#ciun", - "input.type": "log", - "log.offset": 16583, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.com", - "internal.example.com" - ], - "related.ip": [ - "10.177.238.45", - "10.189.94.51" - ], - "related.user": [ - "rsp" - ], - "rsa.internal.messageid": "DELETE", - "rsa.misc.action": [ - "DELETE", - "allow" - ], - "rsa.misc.content_type": "acom", - "rsa.misc.result_code": "metco", - "rsa.network.domain": "internal.example.com", - "rsa.network.network_service": "quasiarc", - "rsa.time.event_time": "2017-09-20T03:57:58.000Z", - "rsa.web.alias_host": "internal.example.com", - "rsa.web.web_ref_domain": "api.example.com", - "rsa.web.web_ref_query": "taliqui=mides", - "server.domain": "internal.example.com", - "server.registered_domain": "example.com", - "server.subdomain": "internal", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 5704, - "source.ip": "10.177.238.45", - "source.port": 5137, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "internal.example.com", - "url.extension": "jpg", - "url.fragment": "eumi", - "url.original": "https://internal.example.com/mpo/unte.jpg?ueipsa=scipitl#eumi", - "url.path": [ - "/mpo/unte.jpg", - "https://api.example.com" - ], - "url.query": "ueipsa=scipitl", - "url.registered_domain": "example.com", - "url.scheme": "https", - "url.subdomain": "internal", - "url.top_level_domain": "com", - "user.name": "rsp", - 
"user_agent.device.name": "Mac", - "user_agent.name": "Yandex Browser", - "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", - "user_agent.os.full": "Mac OS X 10.15.6", - "user_agent.os.name": "Mac OS X", - "user_agent.os.version": "10.15.6", - "user_agent.version": "20.3.0" - }, - { - "@timestamp": "2017-10-04T11:00:32.000Z", - "destination.ip": "10.101.85.169", - "event.action": "accept", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.46.77.76 5169 [04/Oct/2017:9:00:32 anim] \"GET https://www.example.org/uov/quaeab.jpg?moles=dipiscin#olup aco\" 10.101.85.169 natu liquid \"enim\" Finibus radi 5697 \"https://example.com/taed/umdolo.html?rroqu=dquiaco#nibus\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36\" accept", - "file.name": "enim", - "fileset.name": "log", - "http.request.referrer": "https://example.com/taed/umdolo.html?rroqu=dquiaco#nibus", - "input.type": "log", - "log.offset": 16986, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "example.com", - "www.example.org" - ], - "related.ip": [ - "10.101.85.169", - "10.46.77.76" - ], - "related.user": [ - "liquid" - ], - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "accept" - ], - "rsa.misc.content_type": "radi", - "rsa.misc.result_code": "Finibus", - "rsa.network.domain": "www.example.org", - "rsa.network.network_service": "aco", - "rsa.time.event_time": "2017-10-04T11:00:32.000Z", - "rsa.web.alias_host": "www.example.org", - "rsa.web.web_ref_domain": "example.com", - "rsa.web.web_ref_query": 
"rroqu=dquiaco", - "server.domain": "www.example.org", - "server.registered_domain": "example.org", - "server.subdomain": "www", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 5697, - "source.ip": "10.46.77.76", - "source.port": 5169, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www.example.org", - "url.extension": "jpg", - "url.fragment": "olup", - "url.original": "https://www.example.org/uov/quaeab.jpg?moles=dipiscin#olup", - "url.path": [ - "/uov/quaeab.jpg", - "https://example.com" - ], - "url.query": "moles=dipiscin", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.subdomain": "www", - "url.top_level_domain": "org", - "user.name": "liquid", - "user_agent.device.name": "Mac", - "user_agent.name": "Yandex Browser", - "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", - "user_agent.os.full": "Mac OS X 10.15.6", - "user_agent.os.name": "Mac OS X", - "user_agent.os.version": "10.15.6", - "user_agent.version": "20.3.0" - }, - { - "@timestamp": "2017-10-19T06:03:07.000Z", - "destination.ip": "10.231.7.209", - "event.action": "block", - "event.code": "HEAD", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.24.54.129 77 [19/Oct/2017:4:03:07 eprehend] \"HEAD https://example.net/edolo/ugiatquo.jpg?eosquira=pta#snos orsi\" 10.231.7.209 lorsita eavol \"osamnis\" temaccu scipitl 1247 \"https://www5.example.org/caboNem/urExcept.txt?litesseq=atcupida#tessequa\" \"Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36\" block", - "file.name": "osamnis", - "fileset.name": "log", - "http.request.referrer": "https://www5.example.org/caboNem/urExcept.txt?litesseq=atcupida#tessequa", - "input.type": "log", - "log.offset": 17373, - "observer.product": "Proxy", - 
"observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "example.net", - "www5.example.org" - ], - "related.ip": [ - "10.231.7.209", - "10.24.54.129" - ], - "related.user": [ - "eavol" - ], - "rsa.internal.messageid": "HEAD", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "HEAD", - "block" - ], - "rsa.misc.content_type": "scipitl", - "rsa.misc.result_code": "temaccu", - "rsa.network.domain": "example.net", - "rsa.network.network_service": "orsi", - "rsa.time.event_time": "2017-10-19T06:03:07.000Z", - "rsa.web.alias_host": "example.net", - "rsa.web.web_ref_domain": "www5.example.org", - "rsa.web.web_ref_query": "litesseq=atcupida", - "server.domain": "example.net", - "server.registered_domain": "example.net", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 1247, - "source.ip": "10.24.54.129", - "source.port": 77, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "example.net", - "url.extension": "jpg", - "url.fragment": "snos", - "url.original": "https://example.net/edolo/ugiatquo.jpg?eosquira=pta#snos", - "url.path": [ - "/edolo/ugiatquo.jpg", - "https://www5.example.org" - ], - "url.query": "eosquira=pta", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.top_level_domain": "net", - "user.name": "eavol", - "user_agent.device.name": "Asus X01BDA", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "80.0.3987.162" - }, - { - "@timestamp": "2017-11-02T13:05:41.000Z", - "destination.ip": "10.77.129.175", - "event.action": "allow", - "event.code": "CONNECT", - "event.dataset": "squid.log", - 
"event.module": "squid", - "event.original": "10.121.163.5 7803 [02/Nov/2017:11:05:41 redol] \"CONNECT https://api.example.org/isci/dolor.htm?orinrep=quiavol#nrepreh ratv\" 10.77.129.175 tali BCS \"qui\" ugiatquo incidid 2617 \"https://www.example.com/sBonor/fugits.jpg?amc=vol#admi\" \"Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" allow", - "file.name": "qui", - "fileset.name": "log", - "http.request.referrer": "https://www.example.com/sBonor/fugits.jpg?amc=vol#admi", - "input.type": "log", - "log.offset": 17756, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.org", - "www.example.com" - ], - "related.ip": [ - "10.121.163.5", - "10.77.129.175" - ], - "related.user": [ - "BCS" - ], - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "allow" - ], - "rsa.misc.content_type": "incidid", - "rsa.misc.result_code": "ugiatquo", - "rsa.network.domain": "api.example.org", - "rsa.network.network_service": "ratv", - "rsa.time.event_time": "2017-11-02T13:05:41.000Z", - "rsa.web.alias_host": "api.example.org", - "rsa.web.web_ref_domain": "www.example.com", - "rsa.web.web_ref_query": "amc=vol", - "server.domain": "api.example.org", - "server.registered_domain": "example.org", - "server.subdomain": "api", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 2617, - "source.ip": "10.121.163.5", - "source.port": 7803, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "api.example.org", - "url.extension": "htm", - "url.fragment": "nrepreh", - "url.original": "https://api.example.org/isci/dolor.htm?orinrep=quiavol#nrepreh", - "url.path": [ - "/isci/dolor.htm", - "https://www.example.com" - ], - "url.query": "orinrep=quiavol", - "url.registered_domain": "example.org", - 
"url.scheme": "https", - "url.subdomain": "api", - "url.top_level_domain": "org", - "user.name": "BCS", - "user_agent.device.name": "LG-$2", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2017-11-16T08:08:15.000Z", - "destination.ip": "10.116.146.114", - "event.action": "deny", - "event.code": "PROPFIND", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.51.236.148 329 [16/Nov/2017:6:08:15 adol] \"PROPFIND https://mail.example.com/roide/tem.gif?rerepre=nculpaq#culpaqui tvolup\" 10.116.146.114 col obea \"emp\" agnaaliq est 1444 \"https://www.example.com/inculp/onofd.gif?umdolors=dolori#asperna\" \"Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91\" deny", - "file.name": "emp", - "fileset.name": "log", - "http.request.referrer": "https://www.example.com/inculp/onofd.gif?umdolors=dolori#asperna", - "input.type": "log", - "log.offset": 18118, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "mail.example.com", - "www.example.com" - ], - "related.ip": [ - "10.116.146.114", - "10.51.236.148" - ], - "related.user": [ - "obea" - ], - "rsa.internal.messageid": "PROPFIND", - "rsa.misc.action": [ - "PROPFIND", - "deny" - ], - "rsa.misc.content_type": "est", - "rsa.misc.result_code": "agnaaliq", - "rsa.network.domain": "mail.example.com", - "rsa.network.network_service": "tvolup", - "rsa.time.event_time": "2017-11-16T08:08:15.000Z", - "rsa.web.alias_host": "mail.example.com", - "rsa.web.web_ref_domain": "www.example.com", - 
"rsa.web.web_ref_query": "umdolors=dolori", - "server.domain": "mail.example.com", - "server.registered_domain": "example.com", - "server.subdomain": "mail", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 1444, - "source.ip": "10.51.236.148", - "source.port": 329, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "mail.example.com", - "url.extension": "gif", - "url.fragment": "culpaqui", - "url.original": "https://mail.example.com/roide/tem.gif?rerepre=nculpaq#culpaqui", - "url.path": [ - "/roide/tem.gif", - "https://www.example.com" - ], - "url.query": "rerepre=nculpaq", - "url.registered_domain": "example.com", - "url.scheme": "https", - "url.subdomain": "mail", - "url.top_level_domain": "com", - "user.name": "obea", - "user_agent.device.name": "STK-L21", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2017-12-01T03:10:49.000Z", - "destination.ip": "10.217.222.99", - "event.action": "block", - "event.code": "NONE", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.244.108.135 6997 [01/Dec/2017:1:10:49 ume] \"NONE https://internal.example.net/rautod/olest.jpg?lapar=ritati#edquia itesse\" 10.217.222.99 ame amvolu \"mip\" tion tobeatae 2512 \"https://api.example.com/iqua/luptat.txt?oremqu=uradi#velitsed\" \"Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90\" block", - "file.name": "mip", - "fileset.name": "log", - "http.request.referrer": "https://api.example.com/iqua/luptat.txt?oremqu=uradi#velitsed", 
- "input.type": "log", - "log.offset": 18550, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.com", - "internal.example.net" - ], - "related.ip": [ - "10.217.222.99", - "10.244.108.135" - ], - "related.user": [ - "amvolu" - ], - "rsa.internal.messageid": "NONE", - "rsa.misc.action": [ - "NONE", - "block" - ], - "rsa.misc.content_type": "tobeatae", - "rsa.misc.result_code": "tion", - "rsa.network.domain": "internal.example.net", - "rsa.network.network_service": "itesse", - "rsa.time.event_time": "2017-12-01T03:10:49.000Z", - "rsa.web.alias_host": "internal.example.net", - "rsa.web.web_ref_domain": "api.example.com", - "rsa.web.web_ref_query": "oremqu=uradi", - "server.domain": "internal.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "internal", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 2512, - "source.ip": "10.244.108.135", - "source.port": 6997, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "internal.example.net", - "url.extension": "jpg", - "url.fragment": "edquia", - "url.original": "https://internal.example.net/rautod/olest.jpg?lapar=ritati#edquia", - "url.path": [ - "/rautod/olest.jpg", - "https://api.example.com" - ], - "url.query": "lapar=ritati", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "internal", - "url.top_level_domain": "net", - "user.name": "amvolu", - "user_agent.device.name": "U20", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "44.0.2403.147" - }, - { - "@timestamp": "2017-12-15T10:13:24.000Z", - "destination.ip": 
"10.150.198.112", - "event.action": "block", - "event.code": "PUT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.4.69.152 3833 [15/Dec/2017:8:13:24 scivel] \"PUT https://api.example.org/iusmodt/enim.txt?aquio=ersp#iame orroquis\" 10.150.198.112 ntmoll mexer \"estla\" uipexe abor 1370 \"https://www.example.net/remips/illoi.jpg?abori=uisnostr#reetdol\" \"Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10\" block", - "file.name": "estla", - "fileset.name": "log", - "http.request.referrer": "https://www.example.net/remips/illoi.jpg?abori=uisnostr#reetdol", - "input.type": "log", - "log.offset": 18972, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.org", - "www.example.net" - ], - "related.ip": [ - "10.150.198.112", - "10.4.69.152" - ], - "related.user": [ - "mexer" - ], - "rsa.internal.messageid": "PUT", - "rsa.misc.action": [ - "PUT", - "block" - ], - "rsa.misc.content_type": "abor", - "rsa.misc.result_code": "uipexe", - "rsa.network.domain": "api.example.org", - "rsa.network.network_service": "orroquis", - "rsa.time.event_time": "2017-12-15T10:13:24.000Z", - "rsa.web.alias_host": "api.example.org", - "rsa.web.web_ref_domain": "www.example.net", - "rsa.web.web_ref_query": "abori=uisnostr", - "server.domain": "api.example.org", - "server.registered_domain": "example.org", - "server.subdomain": "api", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 1370, - "source.ip": "10.4.69.152", - "source.port": 3833, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "api.example.org", - "url.extension": "txt", - "url.fragment": "iame", - "url.original": "https://api.example.org/iusmodt/enim.txt?aquio=ersp#iame", - "url.path": [ - "/iusmodt/enim.txt", - 
"https://www.example.net" - ], - "url.query": "aquio=ersp", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.subdomain": "api", - "url.top_level_domain": "org", - "user.name": "mexer", - "user_agent.device.name": "Samsung SM-A305FN", - "user_agent.name": "YandexSearch", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "8.10" - }, - { - "@timestamp": "2017-12-29T05:15:58.000Z", - "destination.ip": "10.45.54.107", - "event.action": "accept", - "event.code": "POST", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.45.114.111 357 [29/Dec/2017:3:15:58 olup] \"POST https://example.org/abillo/undeom.html?oraincid=quaer#eetdo tlab\" 10.45.54.107 seddoeiu nse \"aali\" edictasu mdolors 7490 \"https://www5.example.org/atis/atDuis.txt?nisiut=rumwri#velill\" \"Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]\" accept", - "file.name": "aali", - "fileset.name": "log", - "http.request.referrer": "https://www5.example.org/atis/atDuis.txt?nisiut=rumwri#velill", - "input.type": "log", - "log.offset": 19421, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "example.org", - "www5.example.org" - ], - "related.ip": [ - "10.45.114.111", - "10.45.54.107" - ], - "related.user": [ - "nse" - ], - "rsa.internal.messageid": "POST", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "POST", - "accept" - ], - "rsa.misc.content_type": "mdolors", - 
"rsa.misc.result_code": "edictasu", - "rsa.network.domain": "example.org", - "rsa.network.network_service": "tlab", - "rsa.time.event_time": "2017-12-29T05:15:58.000Z", - "rsa.web.alias_host": "example.org", - "rsa.web.web_ref_domain": "www5.example.org", - "rsa.web.web_ref_query": "nisiut=rumwri", - "server.domain": "example.org", - "server.registered_domain": "example.org", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 7490, - "source.ip": "10.45.114.111", - "source.port": 357, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "example.org", - "url.extension": "html", - "url.fragment": "eetdo", - "url.original": "https://example.org/abillo/undeom.html?oraincid=quaer#eetdo", - "url.path": [ - "/abillo/undeom.html", - "https://www5.example.org" - ], - "url.query": "oraincid=quaer", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.top_level_domain": "org", - "user.name": "nse", - "user_agent.device.name": "Samsung SM-A715F", - "user_agent.name": "Facebook", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "266.0.0" - }, - { - "@timestamp": "2018-01-12T12:18:32.000Z", - "destination.ip": "10.205.28.24", - "event.action": "allow", - "event.code": "TRACE", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.49.242.174 4078 [12/Jan/2018:10:18:32 tat] \"TRACE https://mail.example.net/uam/orumSec.jpg?isnisiu=suntincu#sse venia\" 10.205.28.24 oeni untutlab \"tvolup\" consecte pteurs 742 \"https://www5.example.net/ons/tiaecon.html?unt=tass#tiumdol\" \"Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile 
Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90\" allow", - "file.name": "tvolup", - "fileset.name": "log", - "http.request.referrer": "https://www5.example.net/ons/tiaecon.html?unt=tass#tiumdol", - "input.type": "log", - "log.offset": 19869, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "mail.example.net", - "www5.example.net" - ], - "related.ip": [ - "10.205.28.24", - "10.49.242.174" - ], - "related.user": [ - "untutlab" - ], - "rsa.internal.messageid": "TRACE", - "rsa.misc.action": [ - "TRACE", - "allow" - ], - "rsa.misc.content_type": "pteurs", - "rsa.misc.result_code": "consecte", - "rsa.network.domain": "mail.example.net", - "rsa.network.network_service": "venia", - "rsa.time.event_time": "2018-01-12T12:18:32.000Z", - "rsa.web.alias_host": "mail.example.net", - "rsa.web.web_ref_domain": "www5.example.net", - "rsa.web.web_ref_query": "unt=tass", - "server.domain": "mail.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "mail", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 742, - "source.ip": "10.49.242.174", - "source.port": 4078, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "mail.example.net", - "url.extension": "jpg", - "url.fragment": "sse", - "url.original": "https://mail.example.net/uam/orumSec.jpg?isnisiu=suntincu#sse", - "url.path": [ - "/uam/orumSec.jpg", - "https://www5.example.net" - ], - "url.query": "isnisiu=suntincu", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "mail", - "url.top_level_domain": "net", - "user.name": "untutlab", - "user_agent.device.name": "U20", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90", - "user_agent.os.full": "Android 6.0", - 
"user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "44.0.2403.147" - }, - { - "@timestamp": "2018-01-27T07:21:06.000Z", - "destination.ip": "10.183.223.149", - "event.action": "deny", - "event.code": "HEAD", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.17.202.219 487 [27/Jan/2018:5:21:06 iame] \"HEAD https://www5.example.org/umiurer/rere.txt?mnisi=usmo#iamea imaveni\" 10.183.223.149 cor odoco \"oin\" itseddoe elites 6366 \"https://mail.example.com/eursinto/litesse.html?licaboNe=tautfug#giatquov\" \"Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10\" deny", - "file.name": "oin", - "fileset.name": "log", - "http.request.referrer": "https://mail.example.com/eursinto/litesse.html?licaboNe=tautfug#giatquov", - "input.type": "log", - "log.offset": 20290, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "mail.example.com", - "www5.example.org" - ], - "related.ip": [ - "10.17.202.219", - "10.183.223.149" - ], - "related.user": [ - "odoco" - ], - "rsa.internal.messageid": "HEAD", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "HEAD", - "deny" - ], - "rsa.misc.content_type": "elites", - "rsa.misc.result_code": "itseddoe", - "rsa.network.domain": "www5.example.org", - "rsa.network.network_service": "imaveni", - "rsa.time.event_time": "2018-01-27T07:21:06.000Z", - "rsa.web.alias_host": "www5.example.org", - "rsa.web.web_ref_domain": "mail.example.com", - "rsa.web.web_ref_query": "licaboNe=tautfug", - "server.domain": "www5.example.org", - "server.registered_domain": "example.org", - "server.subdomain": "www5", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 6366, - "source.ip": "10.17.202.219", 
- "source.port": 487, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www5.example.org", - "url.extension": "txt", - "url.fragment": "iamea", - "url.original": "https://www5.example.org/umiurer/rere.txt?mnisi=usmo#iamea", - "url.path": [ - "/umiurer/rere.txt", - "https://mail.example.com" - ], - "url.query": "mnisi=usmo", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.subdomain": "www5", - "url.top_level_domain": "org", - "user.name": "odoco", - "user_agent.device.name": "Spider", - "user_agent.name": "Other", - "user_agent.original": "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" - }, - { - "@timestamp": "2018-02-10T14:23:41.000Z", - "destination.ip": "10.88.172.222", - "event.action": "cancel", - "event.code": "MOVE", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.81.140.173 7623 [10/Feb/2018:12:23:41 itae] \"MOVE https://internal.example.net/atnula/ditautf.jpg?iquidex=olup#remipsu tan\" 10.88.172.222 doconse etdol \"dolorsi\" nturmag tura 6695 \"https://internal.example.org/totam/ntoccae.htm?idunt=atqu#naturau\" \"mobmail android 2.1.3.3150\" cancel", - "file.name": "dolorsi", - "fileset.name": "log", - "http.request.referrer": "https://internal.example.org/totam/ntoccae.htm?idunt=atqu#naturau", - "input.type": "log", - "log.offset": 20692, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "internal.example.net", - "internal.example.org" - ], - "related.ip": [ - "10.81.140.173", - "10.88.172.222" - ], - "related.user": [ - "etdol" - ], - "rsa.internal.messageid": "MOVE", - "rsa.misc.action": [ - "MOVE", - "cancel" - ], - "rsa.misc.content_type": "tura", - "rsa.misc.result_code": "nturmag", - "rsa.network.domain": "internal.example.net", - "rsa.network.network_service": "tan", - "rsa.time.event_time": 
"2018-02-10T14:23:41.000Z", - "rsa.web.alias_host": "internal.example.net", - "rsa.web.web_ref_domain": "internal.example.org", - "rsa.web.web_ref_query": "idunt=atqu", - "server.domain": "internal.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "internal", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 6695, - "source.ip": "10.81.140.173", - "source.port": 7623, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "internal.example.net", - "url.extension": "jpg", - "url.fragment": "remipsu", - "url.original": "https://internal.example.net/atnula/ditautf.jpg?iquidex=olup#remipsu", - "url.path": [ - "/atnula/ditautf.jpg", - "https://internal.example.org" - ], - "url.query": "iquidex=olup", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "internal", - "url.top_level_domain": "net", - "user.name": "etdol", - "user_agent.device.name": "Other", - "user_agent.name": "Other", - "user_agent.original": "mobmail android 2.1.3.3150" - }, - { - "@timestamp": "2018-02-24T09:26:15.000Z", - "destination.ip": "10.247.53.179", - "event.action": "accept", - "event.code": "OPTIONS", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.162.129.196 4247 [24/Feb/2018:7:26:15 snisi] \"OPTIONS https://api.example.net/uscip/umS.txt?quiacons=uisa#xeacommo Cicero\" 10.247.53.179 issu identsu \"piscivel\" hend eacommo 6835 \"https://example.com/osquira/umd.gif?scipi=tur#acon\" \"mobmail android 2.1.3.3150\" accept", - "file.name": "piscivel", - "fileset.name": "log", - "http.request.referrer": "https://example.com/osquira/umd.gif?scipi=tur#acon", - "input.type": "log", - "log.offset": 20979, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.net", - "example.com" - ], - "related.ip": [ - "10.162.129.196", - "10.247.53.179" - ], - "related.user": [ - "identsu" - ], - 
"rsa.internal.messageid": "OPTIONS", - "rsa.misc.action": [ - "OPTIONS", - "accept" - ], - "rsa.misc.content_type": "eacommo", - "rsa.misc.result_code": "hend", - "rsa.network.domain": "api.example.net", - "rsa.network.network_service": "Cicero", - "rsa.time.event_time": "2018-02-24T09:26:15.000Z", - "rsa.web.alias_host": "api.example.net", - "rsa.web.web_ref_domain": "example.com", - "rsa.web.web_ref_query": "scipi=tur", - "server.domain": "api.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "api", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 6835, - "source.ip": "10.162.129.196", - "source.port": 4247, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "api.example.net", - "url.extension": "txt", - "url.fragment": "xeacommo", - "url.original": "https://api.example.net/uscip/umS.txt?quiacons=uisa#xeacommo", - "url.path": [ - "/uscip/umS.txt", - "https://example.com" - ], - "url.query": "quiacons=uisa", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "api", - "url.top_level_domain": "net", - "user.name": "identsu", - "user_agent.device.name": "Other", - "user_agent.name": "Other", - "user_agent.original": "mobmail android 2.1.3.3150" - }, - { - "@timestamp": "2018-03-11T04:28:49.000Z", - "destination.ip": "10.172.148.223", - "event.action": "accept", - "event.code": "UNLOCK", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.110.86.230 536 [11/Mar/2018:2:28:49 eFini] \"UNLOCK https://mail.example.com/mrema/ullamc.txt?eufug=roquisq#temporai uido\" 10.172.148.223 snulap enimadm \"stenatu\" upta atc 3066 \"https://www5.example.net/asnulap/ipi.htm?orissu=fic#sBon\" \"Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80\" accept", - "file.name": "stenatu", - "fileset.name": "log", - 
"http.request.referrer": "https://www5.example.net/asnulap/ipi.htm?orissu=fic#sBon", - "input.type": "log", - "log.offset": 21250, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "mail.example.com", - "www5.example.net" - ], - "related.ip": [ - "10.110.86.230", - "10.172.148.223" - ], - "related.user": [ - "enimadm" - ], - "rsa.internal.messageid": "UNLOCK", - "rsa.misc.action": [ - "UNLOCK", - "accept" - ], - "rsa.misc.content_type": "atc", - "rsa.misc.result_code": "upta", - "rsa.network.domain": "mail.example.com", - "rsa.network.network_service": "uido", - "rsa.time.event_time": "2018-03-11T04:28:49.000Z", - "rsa.web.alias_host": "mail.example.com", - "rsa.web.web_ref_domain": "www5.example.net", - "rsa.web.web_ref_query": "orissu=fic", - "server.domain": "mail.example.com", - "server.registered_domain": "example.com", - "server.subdomain": "mail", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 3066, - "source.ip": "10.110.86.230", - "source.port": 536, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "mail.example.com", - "url.extension": "txt", - "url.fragment": "temporai", - "url.original": "https://mail.example.com/mrema/ullamc.txt?eufug=roquisq#temporai", - "url.path": [ - "/mrema/ullamc.txt", - "https://www5.example.net" - ], - "url.query": "eufug=roquisq", - "url.registered_domain": "example.com", - "url.scheme": "https", - "url.subdomain": "mail", - "url.top_level_domain": "com", - "user.name": "enimadm", - "user_agent.device.name": "Android", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80", - "user_agent.os.full": "Android 5.1.1", - "user_agent.os.name": "Android", - "user_agent.os.version": "5.1.1", - "user_agent.version": "81.0.4044.138" - }, - { - 
"@timestamp": "2018-03-25T11:31:24.000Z", - "destination.ip": "10.232.19.43", - "event.action": "deny", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.93.159.170 3481 [25/Mar/2018:9:31:24 emullam] \"GET https://www5.example.com/isau/itinvol.txt?saquaea=ons#orsitam modico\" 10.232.19.43 porinc riame \"riat\" sseq eriam 729 \"https://internal.example.net/imve/essequam.gif?urQuis=etcon#onsequu\" \"Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36\" deny", - "file.name": "riat", - "fileset.name": "log", - "http.request.referrer": "https://internal.example.net/imve/essequam.gif?urQuis=etcon#onsequu", - "input.type": "log", - "log.offset": 21675, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "internal.example.net", - "www5.example.com" - ], - "related.ip": [ - "10.232.19.43", - "10.93.159.170" - ], - "related.user": [ - "riame" - ], - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "deny" - ], - "rsa.misc.content_type": "eriam", - "rsa.misc.result_code": "sseq", - "rsa.network.domain": "www5.example.com", - "rsa.network.network_service": "modico", - "rsa.time.event_time": "2018-03-25T11:31:24.000Z", - "rsa.web.alias_host": "www5.example.com", - "rsa.web.web_ref_domain": "internal.example.net", - "rsa.web.web_ref_query": "urQuis=etcon", - "server.domain": "www5.example.com", - "server.registered_domain": "example.com", - "server.subdomain": "www5", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 729, - "source.ip": "10.93.159.170", - "source.port": 3481, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www5.example.com", - "url.extension": "txt", - "url.fragment": 
"orsitam", - "url.original": "https://www5.example.com/isau/itinvol.txt?saquaea=ons#orsitam", - "url.path": [ - "/isau/itinvol.txt", - "https://internal.example.net" - ], - "url.query": "saquaea=ons", - "url.registered_domain": "example.com", - "url.scheme": "https", - "url.subdomain": "www5", - "url.top_level_domain": "com", - "user.name": "riame", - "user_agent.device.name": "QMobile X700 PRO II", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "77.0.3865.92" - }, - { - "@timestamp": "2018-04-08T06:33:58.000Z", - "destination.ip": "10.55.55.72", - "event.action": "cancel", - "event.code": "ICP_QUERY", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.207.97.192 973 [08/Apr/2018:4:33:58 emp] \"ICP_QUERY https://api.example.net/veli/venia.htm?etdolor=uat#onemulla riaturEx\" 10.55.55.72 nculp asp \"eacom\" mag gelitse 2007 \"https://example.net/lab/llumq.htm?tetura=rumet#uptasnul\" \"Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" cancel", - "file.name": "eacom", - "fileset.name": "log", - "http.request.referrer": "https://example.net/lab/llumq.htm?tetura=rumet#uptasnul", - "input.type": "log", - "log.offset": 22058, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.net", - "example.net" - ], - "related.ip": [ - "10.207.97.192", - "10.55.55.72" - ], - "related.user": [ - "asp" - ], - "rsa.internal.messageid": "ICP_QUERY", - "rsa.misc.action": [ - "ICP_QUERY", - "cancel" - ], - "rsa.misc.content_type": "gelitse", - "rsa.misc.result_code": "mag", - "rsa.network.domain": "api.example.net", - 
"rsa.network.network_service": "riaturEx", - "rsa.time.event_time": "2018-04-08T06:33:58.000Z", - "rsa.web.alias_host": "api.example.net", - "rsa.web.web_ref_domain": "example.net", - "rsa.web.web_ref_query": "tetura=rumet", - "server.domain": "api.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "api", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 2007, - "source.ip": "10.207.97.192", - "source.port": 973, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "api.example.net", - "url.extension": "htm", - "url.fragment": "onemulla", - "url.original": "https://api.example.net/veli/venia.htm?etdolor=uat#onemulla", - "url.path": [ - "/veli/venia.htm", - "https://example.net" - ], - "url.query": "etdolor=uat", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "api", - "url.top_level_domain": "net", - "user.name": "asp", - "user_agent.device.name": "Samsung SM-S337TL", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 7.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "7.0", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2018-04-22T13:36:32.000Z", - "destination.ip": "10.89.73.240", - "event.action": "deny", - "event.code": "MOVE", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.41.156.88 203 [22/Apr/2018:11:36:32 oco] \"MOVE https://internal.example.net/ainci/osqu.jpg?sus=imavenia#expli ugiat\" 10.89.73.240 orem ntorever \"pisciv\" fugiatqu seos 5561 \"https://www5.example.net/elillum/veleumi.gif?tvol=oluptate#lit\" \"Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61\" deny", - 
"file.name": "pisciv", - "fileset.name": "log", - "http.request.referrer": "https://www5.example.net/elillum/veleumi.gif?tvol=oluptate#lit", - "input.type": "log", - "log.offset": 22421, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "internal.example.net", - "www5.example.net" - ], - "related.ip": [ - "10.41.156.88", - "10.89.73.240" - ], - "related.user": [ - "ntorever" - ], - "rsa.internal.messageid": "MOVE", - "rsa.misc.action": [ - "MOVE", - "deny" - ], - "rsa.misc.content_type": "seos", - "rsa.misc.result_code": "fugiatqu", - "rsa.network.domain": "internal.example.net", - "rsa.network.network_service": "ugiat", - "rsa.time.event_time": "2018-04-22T13:36:32.000Z", - "rsa.web.alias_host": "internal.example.net", - "rsa.web.web_ref_domain": "www5.example.net", - "rsa.web.web_ref_query": "tvol=oluptate", - "server.domain": "internal.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "internal", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 5561, - "source.ip": "10.41.156.88", - "source.port": 203, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "internal.example.net", - "url.extension": "jpg", - "url.fragment": "expli", - "url.original": "https://internal.example.net/ainci/osqu.jpg?sus=imavenia#expli", - "url.path": [ - "/ainci/osqu.jpg", - "https://www5.example.net" - ], - "url.query": "sus=imavenia", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "internal", - "url.top_level_domain": "net", - "user.name": "ntorever", - "user_agent.device.name": "5024D_RU", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - 
"user_agent.os.version": "9", - "user_agent.version": "77.0.3865.92" - }, - { - "@timestamp": "2018-05-07T08:39:06.000Z", - "destination.ip": "10.101.183.86", - "event.action": "allow", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.54.44.231 5292 [07/May/2018:6:39:06 aco] \"CONNECT https://www.example.org/runtm/eturadip.htm?psumd=oloree#seos rios\" 10.101.183.86 mvenia mcorpo \"ntexpl\" abor oreverit 6451 \"https://internal.example.net/tat/eufugia.htm?tau=fficia#est\" \"Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10\" allow", - "file.name": "ntexpl", - "fileset.name": "log", - "http.request.referrer": "https://internal.example.net/tat/eufugia.htm?tau=fficia#est", - "input.type": "log", - "log.offset": 22853, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "internal.example.net", - "www.example.org" - ], - "related.ip": [ - "10.101.183.86", - "10.54.44.231" - ], - "related.user": [ - "mcorpo" - ], - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "allow" - ], - "rsa.misc.content_type": "oreverit", - "rsa.misc.result_code": "abor", - "rsa.network.domain": "www.example.org", - "rsa.network.network_service": "rios", - "rsa.time.event_time": "2018-05-07T08:39:06.000Z", - "rsa.web.alias_host": "www.example.org", - "rsa.web.web_ref_domain": "internal.example.net", - "rsa.web.web_ref_query": "tau=fficia", - "server.domain": "www.example.org", - "server.registered_domain": "example.org", - "server.subdomain": "www", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 6451, - "source.ip": "10.54.44.231", - "source.port": 5292, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": 
"www.example.org", - "url.extension": "htm", - "url.fragment": "seos", - "url.original": "https://www.example.org/runtm/eturadip.htm?psumd=oloree#seos", - "url.path": [ - "/runtm/eturadip.htm", - "https://internal.example.net" - ], - "url.query": "psumd=oloree", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.subdomain": "www", - "url.top_level_domain": "org", - "user.name": "mcorpo", - "user_agent.device.name": "Spider", - "user_agent.name": "Other", - "user_agent.original": "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" - }, - { - "@timestamp": "2018-05-21T03:41:41.000Z", - "destination.ip": "10.130.150.189", - "event.action": "accept", - "event.code": "LOCK", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.181.177.74 3378 [21/May/2018:1:41:41 itsedd] \"LOCK https://internal.example.org/liquipex/uisnos.html?ventor=lupt#umwri odoc\" 10.130.150.189 oreeu nvo \"iamqui\" tassita colabori 1223 \"https://www.example.net/lpa/isn.htm?iat=ffic#siuta\" \"Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" accept", - "file.name": "iamqui", - "fileset.name": "log", - "http.request.referrer": "https://www.example.net/lpa/isn.htm?iat=ffic#siuta", - "input.type": "log", - "log.offset": 23248, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "internal.example.org", - "www.example.net" - ], - "related.ip": [ - "10.130.150.189", - "10.181.177.74" - ], - "related.user": [ - "nvo" - ], - "rsa.internal.messageid": "LOCK", - "rsa.misc.action": [ - "LOCK", - "accept" - ], - "rsa.misc.content_type": "colabori", - "rsa.misc.result_code": "tassita", - "rsa.network.domain": "internal.example.org", - "rsa.network.network_service": "odoc", - "rsa.time.event_time": "2018-05-21T03:41:41.000Z", - 
"rsa.web.alias_host": "internal.example.org", - "rsa.web.web_ref_domain": "www.example.net", - "rsa.web.web_ref_query": "iat=ffic", - "server.domain": "internal.example.org", - "server.registered_domain": "example.org", - "server.subdomain": "internal", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 1223, - "source.ip": "10.181.177.74", - "source.port": 3378, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "internal.example.org", - "url.extension": "html", - "url.fragment": "umwri", - "url.original": "https://internal.example.org/liquipex/uisnos.html?ventor=lupt#umwri", - "url.path": [ - "/liquipex/uisnos.html", - "https://www.example.net" - ], - "url.query": "ventor=lupt", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.subdomain": "internal", - "url.top_level_domain": "org", - "user.name": "nvo", - "user_agent.device.name": "U307AS", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2018-06-04T10:44:15.000Z", - "destination.ip": "10.83.130.95", - "event.action": "deny", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.76.220.3 2492 [04/Jun/2018:8:44:15 serrorsi] \"GET https://api.example.org/mquisnos/lore.txt?siar=isn#veniamq lup\" 10.83.130.95 ipitlabo userror \"eacommo\" nderi liqua 7030 \"https://api.example.net/henderit/remq.jpg?voluptas=velill#rspic\" \"Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36\" deny", - "file.name": "eacommo", - "fileset.name": "log", - "http.request.referrer": 
"https://api.example.net/henderit/remq.jpg?voluptas=velill#rspic", - "input.type": "log", - "log.offset": 23613, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.net", - "api.example.org" - ], - "related.ip": [ - "10.76.220.3", - "10.83.130.95" - ], - "related.user": [ - "userror" - ], - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "deny" - ], - "rsa.misc.content_type": "liqua", - "rsa.misc.result_code": "nderi", - "rsa.network.domain": "api.example.org", - "rsa.network.network_service": "lup", - "rsa.time.event_time": "2018-06-04T10:44:15.000Z", - "rsa.web.alias_host": "api.example.org", - "rsa.web.web_ref_domain": "api.example.net", - "rsa.web.web_ref_query": "voluptas=velill", - "server.domain": "api.example.org", - "server.registered_domain": "example.org", - "server.subdomain": "api", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 7030, - "source.ip": "10.76.220.3", - "source.port": 2492, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "api.example.org", - "url.extension": "txt", - "url.fragment": "veniamq", - "url.original": "https://api.example.org/mquisnos/lore.txt?siar=isn#veniamq", - "url.path": [ - "/mquisnos/lore.txt", - "https://api.example.net" - ], - "url.query": "siar=isn", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.subdomain": "api", - "url.top_level_domain": "org", - "user.name": "userror", - "user_agent.device.name": "Micromax P410i", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", - "user_agent.os.full": "Android 4.1.2", - "user_agent.os.name": "Android", - 
"user_agent.os.version": "4.1.2", - "user_agent.version": "63.0.3239.111" - }, - { - "@timestamp": "2018-06-19T05:46:49.000Z", - "destination.ip": "10.166.160.217", - "event.action": "deny", - "event.code": "COPY", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.219.245.58 7073 [19/Jun/2018:3:46:49 snisiut] \"COPY https://www.example.com/quas/occaeca.htm?ender=dico#uptatem upt\" 10.166.160.217 olor radip \"rchitect\" Dui iameaqu 2429 \"https://api.example.com/asnulap/yCiceroi.jpg?ender=inc#tect\" \"Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16\" deny", - "file.name": "rchitect", - "fileset.name": "log", - "http.request.referrer": "https://api.example.com/asnulap/yCiceroi.jpg?ender=inc#tect", - "input.type": "log", - "log.offset": 24005, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.com", - "www.example.com" - ], - "related.ip": [ - "10.166.160.217", - "10.219.245.58" - ], - "related.user": [ - "radip" - ], - "rsa.internal.messageid": "COPY", - "rsa.misc.action": [ - "COPY", - "deny" - ], - "rsa.misc.content_type": "iameaqu", - "rsa.misc.result_code": "Dui", - "rsa.network.domain": "www.example.com", - "rsa.network.network_service": "upt", - "rsa.time.event_time": "2018-06-19T05:46:49.000Z", - "rsa.web.alias_host": "www.example.com", - "rsa.web.web_ref_domain": "api.example.com", - "rsa.web.web_ref_query": "ender=inc", - "server.domain": "www.example.com", - "server.registered_domain": "example.com", - "server.subdomain": "www", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 2429, - "source.ip": "10.219.245.58", - "source.port": 7073, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www.example.com", - "url.extension": "htm", - "url.fragment": "uptatem", - "url.original": "https://www.example.com/quas/occaeca.htm?ender=dico#uptatem", - "url.path": [ - 
"/quas/occaeca.htm", - "https://api.example.com" - ], - "url.query": "ender=dico", - "url.registered_domain": "example.com", - "url.scheme": "https", - "url.subdomain": "www", - "url.top_level_domain": "com", - "user.name": "radip", - "user_agent.device.name": "Generic Smartphone", - "user_agent.name": "Opera Mini", - "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", - "user_agent.os.name": "Symbian OS", - "user_agent.version": "7.1.32444" - }, - { - "@timestamp": "2018-07-03T12:49:23.000Z", - "destination.ip": "10.183.243.246", - "event.action": "cancel", - "event.code": "UNLOCK", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.121.121.153 723 [03/Jul/2018:10:49:23 smoditem] \"UNLOCK https://www5.example.org/uidolo/umdolore.jpg?oquisq=abori#sit catcu\" 10.183.243.246 amni tatio \"amquisno\" modoc magnam 3267 \"https://example.com/idatat/onev.html?lesti=oreseo#reprehen\" \"Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91\" cancel", - "file.name": "amquisno", - "fileset.name": "log", - "http.request.referrer": "https://example.com/idatat/onev.html?lesti=oreseo#reprehen", - "input.type": "log", - "log.offset": 24338, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "example.com", - "www5.example.org" - ], - "related.ip": [ - "10.121.121.153", - "10.183.243.246" - ], - "related.user": [ - "tatio" - ], - "rsa.internal.messageid": "UNLOCK", - "rsa.misc.action": [ - "UNLOCK", - "cancel" - ], - "rsa.misc.content_type": "magnam", - "rsa.misc.result_code": "modoc", - "rsa.network.domain": "www5.example.org", - "rsa.network.network_service": "catcu", - "rsa.time.event_time": "2018-07-03T12:49:23.000Z", - "rsa.web.alias_host": "www5.example.org", - "rsa.web.web_ref_domain": 
"example.com", - "rsa.web.web_ref_query": "lesti=oreseo", - "server.domain": "www5.example.org", - "server.registered_domain": "example.org", - "server.subdomain": "www5", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 3267, - "source.ip": "10.121.121.153", - "source.port": 723, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www5.example.org", - "url.extension": "jpg", - "url.fragment": "sit", - "url.original": "https://www5.example.org/uidolo/umdolore.jpg?oquisq=abori#sit", - "url.path": [ - "/uidolo/umdolore.jpg", - "https://example.com" - ], - "url.query": "oquisq=abori", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.subdomain": "www5", - "url.top_level_domain": "org", - "user.name": "tatio", - "user_agent.device.name": "STK-L21", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2018-07-17T07:51:58.000Z", - "destination.ip": "10.202.224.209", - "event.action": "cancel", - "event.code": "OPTIONS", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.54.5.47 1585 [17/Jul/2018:5:51:58 mmodi] \"OPTIONS https://internal.example.net/eniamqu/inimav.htm?imadm=uta#tisu remagnam\" 10.202.224.209 iusmodit aturv \"ectetura\" obeataev umf 3141 \"https://www.example.com/quaeabil/emip.htm?urExc=tDuis#iqu\" \"Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36\" cancel", - "file.name": "ectetura", - "fileset.name": "log", - "http.request.referrer": "https://www.example.com/quaeabil/emip.htm?urExc=tDuis#iqu", - 
"input.type": "log", - "log.offset": 24774, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "internal.example.net", - "www.example.com" - ], - "related.ip": [ - "10.202.224.209", - "10.54.5.47" - ], - "related.user": [ - "aturv" - ], - "rsa.internal.messageid": "OPTIONS", - "rsa.misc.action": [ - "OPTIONS", - "cancel" - ], - "rsa.misc.content_type": "umf", - "rsa.misc.result_code": "obeataev", - "rsa.network.domain": "internal.example.net", - "rsa.network.network_service": "remagnam", - "rsa.time.event_time": "2018-07-17T07:51:58.000Z", - "rsa.web.alias_host": "internal.example.net", - "rsa.web.web_ref_domain": "www.example.com", - "rsa.web.web_ref_query": "urExc=tDuis", - "server.domain": "internal.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "internal", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 3141, - "source.ip": "10.54.5.47", - "source.port": 1585, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "internal.example.net", - "url.extension": "htm", - "url.fragment": "tisu", - "url.original": "https://internal.example.net/eniamqu/inimav.htm?imadm=uta#tisu", - "url.path": [ - "/eniamqu/inimav.htm", - "https://www.example.com" - ], - "url.query": "imadm=uta", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "internal", - "url.top_level_domain": "net", - "user.name": "aturv", - "user_agent.device.name": "Micromax P410i", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", - "user_agent.os.full": "Android 4.1.2", - "user_agent.os.name": "Android", - "user_agent.os.version": "4.1.2", - "user_agent.version": "63.0.3239.111" - }, - { - "@timestamp": "2018-08-01T14:54:32.000Z", - "destination.ip": "10.170.234.233", - 
"event.action": "allow", - "event.code": "PROPFIND", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.72.99.69 3172 [01/Aug/2018:12:54:32 oremeumf] \"PROPFIND https://mail.example.net/sintocca/mipsumqu.htm?tnulapar=ico#giatquo lors\" 10.170.234.233 accus uatu \"mquis\" lab uido 2046 \"https://mail.example.com/tena/aal.jpg?CSedu=mcol#lup\" \"Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" allow", - "file.name": "mquis", - "fileset.name": "log", - "http.request.referrer": "https://mail.example.com/tena/aal.jpg?CSedu=mcol#lup", - "input.type": "log", - "log.offset": 25173, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "mail.example.com", - "mail.example.net" - ], - "related.ip": [ - "10.170.234.233", - "10.72.99.69" - ], - "related.user": [ - "uatu" - ], - "rsa.internal.messageid": "PROPFIND", - "rsa.misc.action": [ - "PROPFIND", - "allow" - ], - "rsa.misc.content_type": "uido", - "rsa.misc.result_code": "lab", - "rsa.network.domain": "mail.example.net", - "rsa.network.network_service": "lors", - "rsa.time.event_time": "2018-08-01T14:54:32.000Z", - "rsa.web.alias_host": "mail.example.net", - "rsa.web.web_ref_domain": "mail.example.com", - "rsa.web.web_ref_query": "CSedu=mcol", - "server.domain": "mail.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "mail", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 2046, - "source.ip": "10.72.99.69", - "source.port": 3172, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "mail.example.net", - "url.extension": "htm", - "url.fragment": "giatquo", - "url.original": "https://mail.example.net/sintocca/mipsumqu.htm?tnulapar=ico#giatquo", - "url.path": [ - "/sintocca/mipsumqu.htm", - "https://mail.example.com" - ], - "url.query": "tnulapar=ico", - "url.registered_domain": 
"example.net", - "url.scheme": "https", - "url.subdomain": "mail", - "url.top_level_domain": "net", - "user.name": "uatu", - "user_agent.device.name": "POCOPHONE F1", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2018-08-15T09:57:06.000Z", - "destination.ip": "10.142.130.227", - "event.action": "allow", - "event.code": "DELETE", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.245.240.47 4017 [15/Aug/2018:7:57:06 itaedict] \"DELETE https://api.example.org/rep/remap.html?siarc=fdeFin#eleumi edic\" 10.142.130.227 olabori odic \"iuta\" liquaUte scivelit 7795 \"https://internal.example.net/scipit/lloinve.htm?evolup=rvelil#isiutali\" \"Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91\" allow", - "file.name": "iuta", - "fileset.name": "log", - "http.request.referrer": "https://internal.example.net/scipit/lloinve.htm?evolup=rvelil#isiutali", - "input.type": "log", - "log.offset": 25542, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.org", - "internal.example.net" - ], - "related.ip": [ - "10.142.130.227", - "10.245.240.47" - ], - "related.user": [ - "odic" - ], - "rsa.internal.messageid": "DELETE", - "rsa.misc.action": [ - "DELETE", - "allow" - ], - "rsa.misc.content_type": "scivelit", - "rsa.misc.result_code": "liquaUte", - "rsa.network.domain": "api.example.org", - "rsa.network.network_service": "edic", - "rsa.time.event_time": "2018-08-15T09:57:06.000Z", - "rsa.web.alias_host": "api.example.org", - 
"rsa.web.web_ref_domain": "internal.example.net", - "rsa.web.web_ref_query": "evolup=rvelil", - "server.domain": "api.example.org", - "server.registered_domain": "example.org", - "server.subdomain": "api", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 7795, - "source.ip": "10.245.240.47", - "source.port": 4017, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "api.example.org", - "url.extension": "html", - "url.fragment": "eleumi", - "url.original": "https://api.example.org/rep/remap.html?siarc=fdeFin#eleumi", - "url.path": [ - "/rep/remap.html", - "https://internal.example.net" - ], - "url.query": "siarc=fdeFin", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.subdomain": "api", - "url.top_level_domain": "org", - "user.name": "odic", - "user_agent.device.name": "ZTE Blade V1000RU", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2018-08-29T04:59:40.000Z", - "destination.ip": "10.61.110.7", - "event.action": "deny", - "event.code": "DELETE", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.62.188.193 4104 [29/Aug/2018:2:59:40 atu] \"DELETE https://api.example.net/eturad/tDuis.htm?enimadmi=tateveli#osa mini\" 10.61.110.7 oremque quaU \"ufugi\" cin tmo 508 \"https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex\" \"Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10\" deny", - "file.name": "ufugi", - "fileset.name": "log", - "http.request.referrer": 
"https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex", - "input.type": "log", - "log.offset": 25999, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.net", - "example.com" - ], - "related.ip": [ - "10.61.110.7", - "10.62.188.193" - ], - "related.user": [ - "quaU" - ], - "rsa.internal.messageid": "DELETE", - "rsa.misc.action": [ - "DELETE", - "deny" - ], - "rsa.misc.content_type": "tmo", - "rsa.misc.result_code": "cin", - "rsa.network.domain": "api.example.net", - "rsa.network.network_service": "mini", - "rsa.time.event_time": "2018-08-29T04:59:40.000Z", - "rsa.web.alias_host": "api.example.net", - "rsa.web.web_ref_domain": "example.com", - "rsa.web.web_ref_query": "iavol=natuserr", - "server.domain": "api.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "api", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 508, - "source.ip": "10.62.188.193", - "source.port": 4104, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "api.example.net", - "url.extension": "htm", - "url.fragment": "osa", - "url.original": "https://api.example.net/eturad/tDuis.htm?enimadmi=tateveli#osa", - "url.path": [ - "/eturad/tDuis.htm", - "https://example.com" - ], - "url.query": "enimadmi=tateveli", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "api", - "url.top_level_domain": "net", - "user.name": "quaU", - "user_agent.device.name": "Spider", - "user_agent.name": "Other", - "user_agent.original": "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" - }, - { - "@timestamp": "2018-09-12T12:02:15.000Z", - "destination.ip": "10.68.198.188", - "event.action": "block", - "event.code": "COPY", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.172.139.78 6533 
[12/Sep/2018:10:02:15 lamco] \"COPY https://www.example.net/hender/ptatemU.htm?mquisnos=tnulapa#madmi tlabore\" 10.68.198.188 doeiu onsectet \"dentsunt\" inea animid 2119 \"https://mail.example.net/onnumqua/quioff.html?upt=atatnonp#nvol\" \"Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61\" block", - "file.name": "dentsunt", - "fileset.name": "log", - "http.request.referrer": "https://mail.example.net/onnumqua/quioff.html?upt=atatnonp#nvol", - "input.type": "log", - "log.offset": 26383, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "mail.example.net", - "www.example.net" - ], - "related.ip": [ - "10.172.139.78", - "10.68.198.188" - ], - "related.user": [ - "onsectet" - ], - "rsa.internal.messageid": "COPY", - "rsa.misc.action": [ - "COPY", - "block" - ], - "rsa.misc.content_type": "animid", - "rsa.misc.result_code": "inea", - "rsa.network.domain": "www.example.net", - "rsa.network.network_service": "tlabore", - "rsa.time.event_time": "2018-09-12T12:02:15.000Z", - "rsa.web.alias_host": "www.example.net", - "rsa.web.web_ref_domain": "mail.example.net", - "rsa.web.web_ref_query": "upt=atatnonp", - "server.domain": "www.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "www", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 2119, - "source.ip": "10.172.139.78", - "source.port": 6533, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www.example.net", - "url.extension": "htm", - "url.fragment": "madmi", - "url.original": "https://www.example.net/hender/ptatemU.htm?mquisnos=tnulapa#madmi", - "url.path": [ - "/hender/ptatemU.htm", - "https://mail.example.net" - ], - "url.query": "mquisnos=tnulapa", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "www", - 
"url.top_level_domain": "net", - "user.name": "onsectet", - "user_agent.device.name": "5024D_RU", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "77.0.3865.92" - }, - { - "@timestamp": "2018-09-27T07:04:49.000Z", - "destination.ip": "10.169.63.169", - "event.action": "block", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.172.47.7 2805 [27/Sep/2018:5:04:49 midest] \"CONNECT https://www.example.org/iduntutl/rsitam.htm?ntor=oinBCSed#oid rchit\" 10.169.63.169 ariat midestl \"quatu\" avolu teturad 3465 \"https://api.example.net/iquaUten/prehende.gif?rpo=velites#nonpro\" \"Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16\" block", - "file.name": "quatu", - "fileset.name": "log", - "http.request.referrer": "https://api.example.net/iquaUten/prehende.gif?rpo=velites#nonpro", - "input.type": "log", - "log.offset": 26828, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.net", - "www.example.org" - ], - "related.ip": [ - "10.169.63.169", - "10.172.47.7" - ], - "related.user": [ - "midestl" - ], - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "block" - ], - "rsa.misc.content_type": "teturad", - "rsa.misc.result_code": "avolu", - "rsa.network.domain": "www.example.org", - "rsa.network.network_service": "rchit", - "rsa.time.event_time": "2018-09-27T07:04:49.000Z", - "rsa.web.alias_host": "www.example.org", - "rsa.web.web_ref_domain": "api.example.net", - 
"rsa.web.web_ref_query": "rpo=velites", - "server.domain": "www.example.org", - "server.registered_domain": "example.org", - "server.subdomain": "www", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 3465, - "source.ip": "10.172.47.7", - "source.port": 2805, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www.example.org", - "url.extension": "htm", - "url.fragment": "oid", - "url.original": "https://www.example.org/iduntutl/rsitam.htm?ntor=oinBCSed#oid", - "url.path": [ - "/iduntutl/rsitam.htm", - "https://api.example.net" - ], - "url.query": "ntor=oinBCSed", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.subdomain": "www", - "url.top_level_domain": "org", - "user.name": "midestl", - "user_agent.device.name": "Generic Smartphone", - "user_agent.name": "Opera Mini", - "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", - "user_agent.os.name": "Symbian OS", - "user_agent.version": "7.1.32444" - }, - { - "@timestamp": "2018-10-11T14:07:23.000Z", - "destination.ip": "10.62.10.137", - "event.action": "cancel", - "event.code": "PURGE", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.32.98.109 5012 [11/Oct/2018:12:07:23 dexercit] \"PURGE https://example.org/itessequ/porissu.html?uip=ectobea#dat aUtenima\" 10.62.10.137 eeufugi deomnisi \"olupta\" oll laboree 3880 \"https://api.example.org/cupidata/stiaecon.htm?rsint=itl#ttenb\" \"Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" cancel", - "file.name": "olupta", - "fileset.name": "log", - "http.request.referrer": "https://api.example.org/cupidata/stiaecon.htm?rsint=itl#ttenb", - "input.type": "log", - "log.offset": 27172, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.org", - "example.org" - ], - 
"related.ip": [ - "10.32.98.109", - "10.62.10.137" - ], - "related.user": [ - "deomnisi" - ], - "rsa.internal.messageid": "PURGE", - "rsa.misc.action": [ - "PURGE", - "cancel" - ], - "rsa.misc.content_type": "laboree", - "rsa.misc.result_code": "oll", - "rsa.network.domain": "example.org", - "rsa.network.network_service": "aUtenima", - "rsa.time.event_time": "2018-10-11T14:07:23.000Z", - "rsa.web.alias_host": "example.org", - "rsa.web.web_ref_domain": "api.example.org", - "rsa.web.web_ref_query": "rsint=itl", - "server.domain": "example.org", - "server.registered_domain": "example.org", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 3880, - "source.ip": "10.32.98.109", - "source.port": 5012, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "example.org", - "url.extension": "html", - "url.fragment": "dat", - "url.original": "https://example.org/itessequ/porissu.html?uip=ectobea#dat", - "url.path": [ - "/itessequ/porissu.html", - "https://api.example.org" - ], - "url.query": "uip=ectobea", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.top_level_domain": "org", - "user.name": "deomnisi", - "user_agent.device.name": "LG-$2", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2018-10-25T09:09:57.000Z", - "destination.ip": "10.255.40.12", - "event.action": "deny", - "event.code": "COPY", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.176.62.146 5945 [25/Oct/2018:7:09:57 lors] \"COPY https://api.example.net/enimad/tis.txt?mipsumq=ident#nimide quelaud\" 10.255.40.12 rro oeiusmo \"nimv\" emeu tatemac 5192 
\"https://www5.example.com/teursint/etMa.gif?lamcolab=ceroinB#umqui\" \"Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90\" deny", - "file.name": "nimv", - "fileset.name": "log", - "http.request.referrer": "https://www5.example.com/teursint/etMa.gif?lamcolab=ceroinB#umqui", - "input.type": "log", - "log.offset": 27547, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.net", - "www5.example.com" - ], - "related.ip": [ - "10.176.62.146", - "10.255.40.12" - ], - "related.user": [ - "oeiusmo" - ], - "rsa.internal.messageid": "COPY", - "rsa.misc.action": [ - "COPY", - "deny" - ], - "rsa.misc.content_type": "tatemac", - "rsa.misc.result_code": "emeu", - "rsa.network.domain": "api.example.net", - "rsa.network.network_service": "quelaud", - "rsa.time.event_time": "2018-10-25T09:09:57.000Z", - "rsa.web.alias_host": "api.example.net", - "rsa.web.web_ref_domain": "www5.example.com", - "rsa.web.web_ref_query": "lamcolab=ceroinB", - "server.domain": "api.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "api", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 5192, - "source.ip": "10.176.62.146", - "source.port": 5945, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "api.example.net", - "url.extension": "txt", - "url.fragment": "nimide", - "url.original": "https://api.example.net/enimad/tis.txt?mipsumq=ident#nimide", - "url.path": [ - "/enimad/tis.txt", - "https://www5.example.com" - ], - "url.query": "mipsumq=ident", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "api", - "url.top_level_domain": "net", - "user.name": "oeiusmo", - "user_agent.device.name": "U20", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; U20 
Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "44.0.2403.147" - }, - { - "@timestamp": "2018-11-09T04:12:32.000Z", - "destination.ip": "10.88.98.31", - "event.action": "deny", - "event.code": "GET", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.194.198.46 3387 [09/Nov/2018:2:12:32 cta] \"GET https://api.example.org/taspe/yCiceroi.htm?cti=ommodoc#nse mveniam\" tuser 2694 \"https://internal.example.com/tlaboru/aeabillo.txt?equuntu=quamni#turveli\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]\" deny 10.88.98.31 rured 105.243000", - "fileset.name": "log", - "http.request.referrer": "https://internal.example.com/tlaboru/aeabillo.txt?equuntu=quamni#turveli", - "input.type": "log", - "log.offset": 27967, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.org", - "internal.example.com" - ], - "related.ip": [ - "10.194.198.46", - "10.88.98.31" - ], - "rsa.internal.messageid": "GET", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "GET", - "deny" - ], - "rsa.misc.content_type": "rured", - "rsa.misc.result_code": "tuser", - "rsa.network.domain": "api.example.org", - "rsa.network.network_service": "mveniam", - "rsa.time.duration_time": 105.243, - "rsa.time.event_time": "2018-11-09T04:12:32.000Z", - "rsa.web.alias_host": "api.example.org", - "rsa.web.web_ref_domain": "internal.example.com", - 
"rsa.web.web_ref_query": "equuntu=quamni", - "server.domain": "api.example.org", - "server.registered_domain": "example.org", - "server.subdomain": "api", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 2694, - "source.ip": "10.194.198.46", - "source.port": 3387, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "api.example.org", - "url.extension": "htm", - "url.fragment": "nse", - "url.original": "https://api.example.org/taspe/yCiceroi.htm?cti=ommodoc#nse", - "url.path": [ - "/taspe/yCiceroi.htm", - "https://internal.example.com" - ], - "url.query": "cti=ommodoc", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.subdomain": "api", - "url.top_level_domain": "org", - "user_agent.device.name": "iPhone", - "user_agent.name": "Facebook", - "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", - "user_agent.os.full": "iOS 13.4.1", - "user_agent.os.name": "iOS", - "user_agent.os.version": "13.4.1", - "user_agent.version": "266.0.0" - }, - { - "@timestamp": "2018-11-23T11:15:06.000Z", - "destination.ip": "10.1.27.133", - "event.action": "block", - "event.code": "OPTIONS", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.5.49.20 7503 [23/Nov/2018:9:15:06 macc] \"OPTIONS https://example.com/beat/rro.jpg?uisau=qua#iarchite emsequi\" 10.1.27.133 edqu tationu \"gnaaliq\" olore ntutlab 6881 \"https://www5.example.com/gnama/esciun.html?ratvo=ntutl#volupt\" \"Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30\" block", - "file.name": "gnaaliq", - "fileset.name": "log", - "http.request.referrer": 
"https://www5.example.com/gnama/esciun.html?ratvo=ntutl#volupt", - "input.type": "log", - "log.offset": 28483, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "example.com", - "www5.example.com" - ], - "related.ip": [ - "10.1.27.133", - "10.5.49.20" - ], - "related.user": [ - "tationu" - ], - "rsa.internal.messageid": "OPTIONS", - "rsa.misc.action": [ - "OPTIONS", - "block" - ], - "rsa.misc.content_type": "ntutlab", - "rsa.misc.result_code": "olore", - "rsa.network.domain": "example.com", - "rsa.network.network_service": "emsequi", - "rsa.time.event_time": "2018-11-23T11:15:06.000Z", - "rsa.web.alias_host": "example.com", - "rsa.web.web_ref_domain": "www5.example.com", - "rsa.web.web_ref_query": "ratvo=ntutl", - "server.domain": "example.com", - "server.registered_domain": "example.com", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 6881, - "source.ip": "10.5.49.20", - "source.port": 7503, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "example.com", - "url.extension": "jpg", - "url.fragment": "iarchite", - "url.original": "https://example.com/beat/rro.jpg?uisau=qua#iarchite", - "url.path": [ - "/beat/rro.jpg", - "https://www5.example.com" - ], - "url.query": "uisau=qua", - "url.registered_domain": "example.com", - "url.scheme": "https", - "url.top_level_domain": "com", - "user.name": "tationu", - "user_agent.device.name": "Lenovo A2016a40 ", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "48.0.2564.106" - }, - { - "@timestamp": "2018-12-07T06:17:40.000Z", - "destination.ip": "10.70.244.155", - "event.action": "accept", 
- "event.code": "POST", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.11.73.145 6972 [07/Dec/2018:4:17:40 uisautem] \"POST https://www5.example.org/loremq/turmagni.txt?emUtenim=ende#dexea aco\" 10.70.244.155 olorsi caboNemo \"uptas\" temaccus ons 2160 \"https://internal.example.com/ctetur/mvolupta.html?oreeu=mea#ssec\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]\" accept", - "file.name": "uptas", - "fileset.name": "log", - "http.request.referrer": "https://internal.example.com/ctetur/mvolupta.html?oreeu=mea#ssec", - "input.type": "log", - "log.offset": 28908, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "internal.example.com", - "www5.example.org" - ], - "related.ip": [ - "10.11.73.145", - "10.70.244.155" - ], - "related.user": [ - "caboNemo" - ], - "rsa.internal.messageid": "POST", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "POST", - "accept" - ], - "rsa.misc.content_type": "ons", - "rsa.misc.result_code": "temaccus", - "rsa.network.domain": "www5.example.org", - "rsa.network.network_service": "aco", - "rsa.time.event_time": "2018-12-07T06:17:40.000Z", - "rsa.web.alias_host": "www5.example.org", - "rsa.web.web_ref_domain": "internal.example.com", - "rsa.web.web_ref_query": "oreeu=mea", - "server.domain": "www5.example.org", - "server.registered_domain": "example.org", - "server.subdomain": "www5", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 2160, - "source.ip": "10.11.73.145", - "source.port": 6972, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www5.example.org", - "url.extension": "txt", - "url.fragment": 
"dexea", - "url.original": "https://www5.example.org/loremq/turmagni.txt?emUtenim=ende#dexea", - "url.path": [ - "/loremq/turmagni.txt", - "https://internal.example.com" - ], - "url.query": "emUtenim=ende", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.subdomain": "www5", - "url.top_level_domain": "org", - "user.name": "caboNemo", - "user_agent.device.name": "iPhone", - "user_agent.name": "Facebook", - "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", - "user_agent.os.full": "iOS 13.4.1", - "user_agent.os.name": "iOS", - "user_agent.os.version": "13.4.1", - "user_agent.version": "266.0.0" - }, - { - "@timestamp": "2018-12-21T13:20:14.000Z", - "destination.ip": "10.121.80.158", - "event.action": "accept", - "event.code": "PURGE", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.204.214.98 985 [21/Dec/2018:11:20:14 equ] \"PURGE https://www5.example.net/deomnisi/ddoe.txt?oremi=ectobeat#ecte abo\" 10.121.80.158 boriosa cillumdo \"ditau\" moenimip uames 7663 \"https://internal.example.com/lor/oreeu.html?eturadip=nost#atus\" \"Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" accept", - "file.name": "ditau", - "fileset.name": "log", - "http.request.referrer": "https://internal.example.com/lor/oreeu.html?eturadip=nost#atus", - "input.type": "log", - "log.offset": 29441, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "internal.example.com", - "www5.example.net" - ], - "related.ip": [ - "10.121.80.158", - "10.204.214.98" - ], - "related.user": [ - "cillumdo" - ], - "rsa.internal.messageid": "PURGE", - "rsa.misc.action": [ - 
"PURGE", - "accept" - ], - "rsa.misc.content_type": "uames", - "rsa.misc.result_code": "moenimip", - "rsa.network.domain": "www5.example.net", - "rsa.network.network_service": "abo", - "rsa.time.event_time": "2018-12-21T13:20:14.000Z", - "rsa.web.alias_host": "www5.example.net", - "rsa.web.web_ref_domain": "internal.example.com", - "rsa.web.web_ref_query": "eturadip=nost", - "server.domain": "www5.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "www5", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 7663, - "source.ip": "10.204.214.98", - "source.port": 985, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www5.example.net", - "url.extension": "txt", - "url.fragment": "ecte", - "url.original": "https://www5.example.net/deomnisi/ddoe.txt?oremi=ectobeat#ecte", - "url.path": [ - "/deomnisi/ddoe.txt", - "https://internal.example.com" - ], - "url.query": "oremi=ectobeat", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "www5", - "url.top_level_domain": "net", - "user.name": "cillumdo", - "user_agent.device.name": "Samsung SM-S337TL", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 7.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "7.0", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2019-01-05T08:22:49.000Z", - "destination.ip": "10.139.151.19", - "event.action": "block", - "event.code": "PURGE", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.74.115.33 4006 [05/Jan/2019:6:22:49 nsequat] \"PURGE https://api.example.net/tiset/sci.jpg?rauto=doloreeu#lors eumfu\" 10.139.151.19 eumf roquisq \"uasi\" maveniam uis 5533 \"https://www.example.com/imi/animi.htm?ama=tatnonp#ntiumt\" \"Mozilla/5.0 (Linux; Android 10; 
SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10\" block", - "file.name": "uasi", - "fileset.name": "log", - "http.request.referrer": "https://www.example.com/imi/animi.htm?ama=tatnonp#ntiumt", - "input.type": "log", - "log.offset": 29818, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.net", - "www.example.com" - ], - "related.ip": [ - "10.139.151.19", - "10.74.115.33" - ], - "related.user": [ - "roquisq" - ], - "rsa.internal.messageid": "PURGE", - "rsa.misc.action": [ - "PURGE", - "block" - ], - "rsa.misc.content_type": "uis", - "rsa.misc.result_code": "maveniam", - "rsa.network.domain": "api.example.net", - "rsa.network.network_service": "eumfu", - "rsa.time.event_time": "2019-01-05T08:22:49.000Z", - "rsa.web.alias_host": "api.example.net", - "rsa.web.web_ref_domain": "www.example.com", - "rsa.web.web_ref_query": "ama=tatnonp", - "server.domain": "api.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "api", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 5533, - "source.ip": "10.74.115.33", - "source.port": 4006, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "api.example.net", - "url.extension": "jpg", - "url.fragment": "lors", - "url.original": "https://api.example.net/tiset/sci.jpg?rauto=doloreeu#lors", - "url.path": [ - "/tiset/sci.jpg", - "https://www.example.com" - ], - "url.query": "rauto=doloreeu", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "api", - "url.top_level_domain": "net", - "user.name": "roquisq", - "user_agent.device.name": "Samsung SM-A305FN", - "user_agent.name": "YandexSearch", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 
Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "8.10" - }, - { - "@timestamp": "2019-01-19T03:25:23.000Z", - "destination.ip": "10.242.48.203", - "event.action": "deny", - "event.code": "DELETE", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.191.220.1 6454 [19/Jan/2019:1:25:23 ctetura] \"DELETE https://api.example.net/tDuisau/aturve.htm?tper=pisciv#tconsect pariat\" 10.242.48.203 ctobeat isi \"idexeac\" ntu tdolo 3872 \"https://mail.example.com/olupt/ola.jpg?etquasia=qua#adm\" \"Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36\" deny", - "file.name": "idexeac", - "fileset.name": "log", - "http.request.referrer": "https://mail.example.com/olupt/ola.jpg?etquasia=qua#adm", - "input.type": "log", - "log.offset": 30261, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.net", - "mail.example.com" - ], - "related.ip": [ - "10.191.220.1", - "10.242.48.203" - ], - "related.user": [ - "isi" - ], - "rsa.internal.messageid": "DELETE", - "rsa.misc.action": [ - "DELETE", - "deny" - ], - "rsa.misc.content_type": "tdolo", - "rsa.misc.result_code": "ntu", - "rsa.network.domain": "api.example.net", - "rsa.network.network_service": "pariat", - "rsa.time.event_time": "2019-01-19T03:25:23.000Z", - "rsa.web.alias_host": "api.example.net", - "rsa.web.web_ref_domain": "mail.example.com", - "rsa.web.web_ref_query": "etquasia=qua", - "server.domain": "api.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "api", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 3872, - "source.ip": "10.191.220.1", - "source.port": 6454, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": 
"api.example.net", - "url.extension": "htm", - "url.fragment": "tconsect", - "url.original": "https://api.example.net/tDuisau/aturve.htm?tper=pisciv#tconsect", - "url.path": [ - "/tDuisau/aturve.htm", - "https://mail.example.com" - ], - "url.query": "tper=pisciv", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "api", - "url.top_level_domain": "net", - "user.name": "isi", - "user_agent.device.name": "Notepad_K10", - "user_agent.name": "Chrome", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2019-02-02T10:27:57.000Z", - "destination.ip": "10.254.10.98", - "event.action": "accept", - "event.code": "PROPATCH", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.109.88.27 5568 [02/Feb/2019:8:27:57 cidu] \"PROPATCH https://internal.example.com/oluptate/todi.jpg?tdolo=ident#scip eacommod\" 10.254.10.98 adipisc aparia \"maliq\" ccusant epteurs 6661 \"https://www5.example.org/oditau/onsec.gif?temqui=lup#aeca\" \"Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36\" accept", - "file.name": "maliq", - "fileset.name": "log", - "http.request.referrer": "https://www5.example.org/oditau/onsec.gif?temqui=lup#aeca", - "input.type": "log", - "log.offset": 30622, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "internal.example.com", - "www5.example.org" - ], - "related.ip": [ - "10.109.88.27", - "10.254.10.98" - ], - "related.user": [ - "aparia" - ], - "rsa.internal.messageid": "PROPATCH", - "rsa.misc.action": [ - "PROPATCH", - "accept" - ], - "rsa.misc.content_type": "epteurs", - 
"rsa.misc.result_code": "ccusant", - "rsa.network.domain": "internal.example.com", - "rsa.network.network_service": "eacommod", - "rsa.time.event_time": "2019-02-02T10:27:57.000Z", - "rsa.web.alias_host": "internal.example.com", - "rsa.web.web_ref_domain": "www5.example.org", - "rsa.web.web_ref_query": "temqui=lup", - "server.domain": "internal.example.com", - "server.registered_domain": "example.com", - "server.subdomain": "internal", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 6661, - "source.ip": "10.109.88.27", - "source.port": 5568, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "internal.example.com", - "url.extension": "jpg", - "url.fragment": "scip", - "url.original": "https://internal.example.com/oluptate/todi.jpg?tdolo=ident#scip", - "url.path": [ - "/oluptate/todi.jpg", - "https://www5.example.org" - ], - "url.query": "tdolo=ident", - "url.registered_domain": "example.com", - "url.scheme": "https", - "url.subdomain": "internal", - "url.top_level_domain": "com", - "user.name": "aparia", - "user_agent.device.name": "Pixel 3", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "66.0.3359.158" - }, - { - "@timestamp": "2019-02-17T05:30:32.000Z", - "destination.ip": "10.175.138.42", - "event.action": "deny", - "event.code": "LOCK", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.5.148.114 4749 [17/Feb/2019:3:30:32 ntin] \"LOCK https://mail.example.com/radipis/lore.html?civeli=eufugia#utlabore tamr\" 10.175.138.42 olore onemul \"trudexe\" remeum etur 890 \"https://mail.example.org/quiav/ctionofd.gif?Finibus=uisautei#nevolu\" \"Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" deny", - "file.name": "trudexe", - "fileset.name": "log", - "http.request.referrer": "https://mail.example.org/quiav/ctionofd.gif?Finibus=uisautei#nevolu", - "input.type": "log", - "log.offset": 31020, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "mail.example.com", - "mail.example.org" - ], - "related.ip": [ - "10.175.138.42", - "10.5.148.114" - ], - "related.user": [ - "onemul" - ], - "rsa.internal.messageid": "LOCK", - "rsa.misc.action": [ - "LOCK", - "deny" - ], - "rsa.misc.content_type": "etur", - "rsa.misc.result_code": "remeum", - "rsa.network.domain": "mail.example.com", - "rsa.network.network_service": "tamr", - "rsa.time.event_time": "2019-02-17T05:30:32.000Z", - "rsa.web.alias_host": "mail.example.com", - "rsa.web.web_ref_domain": "mail.example.org", - "rsa.web.web_ref_query": "Finibus=uisautei", - "server.domain": "mail.example.com", - "server.registered_domain": "example.com", - "server.subdomain": "mail", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 890, - "source.ip": "10.5.148.114", - "source.port": 4749, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "mail.example.com", - "url.extension": "html", - "url.fragment": "utlabore", - "url.original": "https://mail.example.com/radipis/lore.html?civeli=eufugia#utlabore", - "url.path": [ - "/radipis/lore.html", - "https://mail.example.org" - ], - "url.query": "civeli=eufugia", - "url.registered_domain": "example.com", - "url.scheme": "https", - "url.subdomain": "mail", - "url.top_level_domain": "com", - "user.name": "onemul", - "user_agent.device.name": "ZTE BLADE V7", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": 
"Android", - "user_agent.os.version": "6.0", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2019-03-03T12:33:06.000Z", - "destination.ip": "10.18.199.203", - "event.action": "allow", - "event.code": "PROPFIND", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.0.0.240 1795 [03/Mar/2019:10:33:06 psa] \"PROPFIND https://internal.example.org/olupta/tio.jpg?idestl=litani#emp arch\" 10.18.199.203 ugits ittenb \"tobeatae\" ntut llum 366 \"https://example.com/equat/estiaec.htm?mquido=ende#ntmollit\" \"Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" allow", - "file.name": "tobeatae", - "fileset.name": "log", - "http.request.referrer": "https://example.com/equat/estiaec.htm?mquido=ende#ntmollit", - "input.type": "log", - "log.offset": 31401, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "example.com", - "internal.example.org" - ], - "related.ip": [ - "10.0.0.240", - "10.18.199.203" - ], - "related.user": [ - "ittenb" - ], - "rsa.internal.messageid": "PROPFIND", - "rsa.misc.action": [ - "PROPFIND", - "allow" - ], - "rsa.misc.content_type": "llum", - "rsa.misc.result_code": "ntut", - "rsa.network.domain": "internal.example.org", - "rsa.network.network_service": "arch", - "rsa.time.event_time": "2019-03-03T12:33:06.000Z", - "rsa.web.alias_host": "internal.example.org", - "rsa.web.web_ref_domain": "example.com", - "rsa.web.web_ref_query": "mquido=ende", - "server.domain": "internal.example.org", - "server.registered_domain": "example.org", - "server.subdomain": "internal", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 366, - "source.ip": "10.0.0.240", - "source.port": 1795, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "internal.example.org", - "url.extension": "jpg", - "url.fragment": "emp", - "url.original": 
"https://internal.example.org/olupta/tio.jpg?idestl=litani#emp", - "url.path": [ - "/olupta/tio.jpg", - "https://example.com" - ], - "url.query": "idestl=litani", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.subdomain": "internal", - "url.top_level_domain": "org", - "user.name": "ittenb", - "user_agent.device.name": "U307AS", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2019-03-17T07:35:40.000Z", - "destination.ip": "10.73.80.251", - "event.action": "allow", - "event.code": "NONE", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.1.220.47 6685 [17/Mar/2019:5:35:40 mipsamv] \"NONE https://www5.example.com/sequines/cto.gif?temaccu=uamqua#Neq runt\" 10.73.80.251 pteurs ercitati \"atem\" serro lumquid 5939 \"https://www5.example.org/imaveni/equ.htm?ssequamn=ave#taliqui\" \"Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]\" allow", - "file.name": "atem", - "fileset.name": "log", - "http.request.referrer": "https://www5.example.org/imaveni/equ.htm?ssequamn=ave#taliqui", - "input.type": "log", - "log.offset": 31762, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "www5.example.com", - "www5.example.org" - ], - "related.ip": [ - "10.1.220.47", - "10.73.80.251" - ], - "related.user": [ - "ercitati" - ], - "rsa.internal.messageid": "NONE", - "rsa.misc.action": [ - "NONE", - "allow" - ], - "rsa.misc.content_type": "lumquid", - "rsa.misc.result_code": "serro", - "rsa.network.domain": 
"www5.example.com", - "rsa.network.network_service": "runt", - "rsa.time.event_time": "2019-03-17T07:35:40.000Z", - "rsa.web.alias_host": "www5.example.com", - "rsa.web.web_ref_domain": "www5.example.org", - "rsa.web.web_ref_query": "ssequamn=ave", - "server.domain": "www5.example.com", - "server.registered_domain": "example.com", - "server.subdomain": "www5", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 5939, - "source.ip": "10.1.220.47", - "source.port": 6685, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www5.example.com", - "url.extension": "gif", - "url.fragment": "Neq", - "url.original": "https://www5.example.com/sequines/cto.gif?temaccu=uamqua#Neq", - "url.path": [ - "/sequines/cto.gif", - "https://www5.example.org" - ], - "url.query": "temaccu=uamqua", - "url.registered_domain": "example.com", - "url.scheme": "https", - "url.subdomain": "www5", - "url.top_level_domain": "com", - "user.name": "ercitati", - "user_agent.device.name": "Samsung SM-A715F", - "user_agent.name": "Facebook", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "266.0.0" - }, - { - "@timestamp": "2019-04-01T14:38:14.000Z", - "destination.ip": "10.22.34.206", - "event.action": "block", - "event.code": "PURGE", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.153.109.61 7499 [01/Apr/2019:12:38:14 numq] \"PURGE https://www.example.net/periam/ain.gif?iquipex=mqu#onorume abill\" 10.22.34.206 mini mve \"tionev\" uasiarch velites 1745 \"https://api.example.org/equa/edquiaco.gif?olorsit=naaliq#plica\" \"Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91\" block", - "file.name": "tionev", - "fileset.name": "log", - "http.request.referrer": "https://api.example.org/equa/edquiaco.gif?olorsit=naaliq#plica", - "input.type": "log", - "log.offset": 32212, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.org", - "www.example.net" - ], - "related.ip": [ - "10.153.109.61", - "10.22.34.206" - ], - "related.user": [ - "mve" - ], - "rsa.internal.messageid": "PURGE", - "rsa.misc.action": [ - "PURGE", - "block" - ], - "rsa.misc.content_type": "velites", - "rsa.misc.result_code": "uasiarch", - "rsa.network.domain": "www.example.net", - "rsa.network.network_service": "abill", - "rsa.time.event_time": "2019-04-01T14:38:14.000Z", - "rsa.web.alias_host": "www.example.net", - "rsa.web.web_ref_domain": "api.example.org", - "rsa.web.web_ref_query": "olorsit=naaliq", - "server.domain": "www.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "www", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 1745, - "source.ip": "10.153.109.61", - "source.port": 7499, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www.example.net", - "url.extension": "gif", - "url.fragment": "onorume", - "url.original": "https://www.example.net/periam/ain.gif?iquipex=mqu#onorume", - "url.path": [ - "/periam/ain.gif", - "https://api.example.org" - ], - "url.query": "iquipex=mqu", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "www", - "url.top_level_domain": "net", - "user.name": "mve", - "user_agent.device.name": "STK-L21", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", - "user_agent.os.full": 
"Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2019-04-15T09:40:49.000Z", - "destination.ip": "10.199.103.185", - "event.action": "allow", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.62.168.226 5334 [15/Apr/2019:7:40:49 bori] \"CONNECT https://www.example.net/ecatc/quovolu.jpg?dexe=nemul#Duis lupt\" 10.199.103.185 uipe ipsa \"con\" eirured sequamn 5243 \"https://mail.example.com/ciatisun/duntutl.htm?didun=riaturEx#nde\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]\" allow", - "file.name": "con", - "fileset.name": "log", - "http.request.referrer": "https://mail.example.com/ciatisun/duntutl.htm?didun=riaturEx#nde", - "input.type": "log", - "log.offset": 32641, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "mail.example.com", - "www.example.net" - ], - "related.ip": [ - "10.199.103.185", - "10.62.168.226" - ], - "related.user": [ - "ipsa" - ], - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "allow" - ], - "rsa.misc.content_type": "sequamn", - "rsa.misc.result_code": "eirured", - "rsa.network.domain": "www.example.net", - "rsa.network.network_service": "lupt", - "rsa.time.event_time": "2019-04-15T09:40:49.000Z", - "rsa.web.alias_host": "www.example.net", - "rsa.web.web_ref_domain": "mail.example.com", - "rsa.web.web_ref_query": "didun=riaturEx", - "server.domain": "www.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "www", - "server.top_level_domain": "net", - 
"service.type": "squid", - "source.bytes": 5243, - "source.ip": "10.62.168.226", - "source.port": 5334, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www.example.net", - "url.extension": "jpg", - "url.fragment": "Duis", - "url.original": "https://www.example.net/ecatc/quovolu.jpg?dexe=nemul#Duis", - "url.path": [ - "/ecatc/quovolu.jpg", - "https://mail.example.com" - ], - "url.query": "dexe=nemul", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "www", - "url.top_level_domain": "net", - "user.name": "ipsa", - "user_agent.device.name": "iPhone", - "user_agent.name": "Facebook", - "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", - "user_agent.os.full": "iOS 13.4.1", - "user_agent.os.name": "iOS", - "user_agent.os.version": "13.4.1", - "user_agent.version": "266.0.0" - }, - { - "@timestamp": "2019-04-29T04:43:23.000Z", - "destination.ip": "10.128.84.27", - "event.action": "block", - "event.code": "COPY", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.97.33.56 3541 [29/Apr/2019:2:43:23 rad] \"COPY https://example.com/tqui/ssequ.gif?emse=emqui#cipitla tlab\" 10.128.84.27 nula ptate \"volupta\" umfu utla 2478 \"https://www5.example.com/dolo/velites.gif?equa=apari#tsunt\" \"Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36\" block", - "file.name": "volupta", - "fileset.name": "log", - "http.request.referrer": "https://www5.example.com/dolo/velites.gif?equa=apari#tsunt", - "input.type": "log", - "log.offset": 33163, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "example.com", - 
"www5.example.com" - ], - "related.ip": [ - "10.128.84.27", - "10.97.33.56" - ], - "related.user": [ - "ptate" - ], - "rsa.internal.messageid": "COPY", - "rsa.misc.action": [ - "COPY", - "block" - ], - "rsa.misc.content_type": "utla", - "rsa.misc.result_code": "umfu", - "rsa.network.domain": "example.com", - "rsa.network.network_service": "tlab", - "rsa.time.event_time": "2019-04-29T04:43:23.000Z", - "rsa.web.alias_host": "example.com", - "rsa.web.web_ref_domain": "www5.example.com", - "rsa.web.web_ref_query": "equa=apari", - "server.domain": "example.com", - "server.registered_domain": "example.com", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 2478, - "source.ip": "10.97.33.56", - "source.port": 3541, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "example.com", - "url.extension": "gif", - "url.fragment": "cipitla", - "url.original": "https://example.com/tqui/ssequ.gif?emse=emqui#cipitla", - "url.path": [ - "/tqui/ssequ.gif", - "https://www5.example.com" - ], - "url.query": "emse=emqui", - "url.registered_domain": "example.com", - "url.scheme": "https", - "url.top_level_domain": "com", - "user.name": "ptate", - "user_agent.device.name": "Asus X01BDA", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "80.0.3987.162" - }, - { - "@timestamp": "2019-05-13T11:45:57.000Z", - "destination.ip": "10.115.154.104", - "event.action": "allow", - "event.code": "HEAD", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.49.169.175 2103 [13/May/2019:9:45:57 sistena] \"HEAD https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost sequines\" 10.115.154.104 illum ore \"spici\" Sedut tatis 7767 
\"https://www5.example.com/sequines/minimve.gif?toditau=uiad#nvolupta\" \"Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36\" allow", - "file.name": "spici", - "fileset.name": "log", - "http.request.referrer": "https://www5.example.com/sequines/minimve.gif?toditau=uiad#nvolupta", - "input.type": "log", - "log.offset": 33516, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "example.com", - "www5.example.com" - ], - "related.ip": [ - "10.115.154.104", - "10.49.169.175" - ], - "related.user": [ - "ore" - ], - "rsa.internal.messageid": "HEAD", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "HEAD", - "allow" - ], - "rsa.misc.content_type": "tatis", - "rsa.misc.result_code": "Sedut", - "rsa.network.domain": "example.com", - "rsa.network.network_service": "sequines", - "rsa.time.event_time": "2019-05-13T11:45:57.000Z", - "rsa.web.alias_host": "example.com", - "rsa.web.web_ref_domain": "www5.example.com", - "rsa.web.web_ref_query": "toditau=uiad", - "server.domain": "example.com", - "server.registered_domain": "example.com", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 7767, - "source.ip": "10.49.169.175", - "source.port": 2103, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "example.com", - "url.extension": "jpg", - "url.fragment": "quisnost", - "url.original": "https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost", - "url.path": [ - "/caboN/imipsam.jpg", - "https://www5.example.com" - ], - "url.query": "catcupid=ritquiin", - "url.registered_domain": "example.com", - "url.scheme": "https", - "url.top_level_domain": "com", - "user.name": "ore", - "user_agent.device.name": "Samsung SM-A260G", - "user_agent.name": 
"Chrome Mobile WebView", - "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", - "user_agent.os.full": "Android 8.1.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "8.1.0", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2019-05-28T06:48:31.000Z", - "destination.ip": "10.33.112.100", - "event.action": "block", - "event.code": "PROPFIND", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.213.100.153 2571 [28/May/2019:4:48:31 iatquo] \"PROPFIND https://www.example.org/oinvento/ali.htm?utaliqui=isciv#osqu ptatemse\" 10.33.112.100 catcup enimad \"magnaali\" velillum ionev 1594 \"https://internal.example.com/ameaq/Quis.html?lestiae=iav#umiure\" \"Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30\" block", - "file.name": "magnaali", - "fileset.name": "log", - "http.request.referrer": "https://internal.example.com/ameaq/Quis.html?lestiae=iav#umiure", - "input.type": "log", - "log.offset": 33948, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "internal.example.com", - "www.example.org" - ], - "related.ip": [ - "10.213.100.153", - "10.33.112.100" - ], - "related.user": [ - "enimad" - ], - "rsa.internal.messageid": "PROPFIND", - "rsa.misc.action": [ - "PROPFIND", - "block" - ], - "rsa.misc.content_type": "ionev", - "rsa.misc.result_code": "velillum", - "rsa.network.domain": "www.example.org", - "rsa.network.network_service": "ptatemse", - "rsa.time.event_time": "2019-05-28T06:48:31.000Z", - "rsa.web.alias_host": "www.example.org", - "rsa.web.web_ref_domain": "internal.example.com", - "rsa.web.web_ref_query": "lestiae=iav", - "server.domain": "www.example.org", - "server.registered_domain": "example.org", - 
"server.subdomain": "www", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 1594, - "source.ip": "10.213.100.153", - "source.port": 2571, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www.example.org", - "url.extension": "htm", - "url.fragment": "osqu", - "url.original": "https://www.example.org/oinvento/ali.htm?utaliqui=isciv#osqu", - "url.path": [ - "/oinvento/ali.htm", - "https://internal.example.com" - ], - "url.query": "utaliqui=isciv", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.subdomain": "www", - "url.top_level_domain": "org", - "user.name": "enimad", - "user_agent.device.name": "Samsung GT-P3100 ", - "user_agent.name": "Android", - "user_agent.original": "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30", - "user_agent.os.full": "Android 4.0.3", - "user_agent.os.name": "Android", - "user_agent.os.version": "4.0.3", - "user_agent.version": "4.0.3" - }, - { - "@timestamp": "2019-06-11T13:51:06.000Z", - "destination.ip": "10.25.53.93", - "event.action": "cancel", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.216.143.226 2632 [11/Jun/2019:11:51:06 deomn] \"CONNECT https://api.example.net/quido/llo.htm?tpersp=assi#rch psa\" 10.25.53.93 tvolup oremeu \"lab\" lla urau 6127 \"https://example.net/equamni/atcupi.htm?onemull=mdo#labore\" \"Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30\" cancel", - "file.name": "lab", - "fileset.name": "log", - "http.request.referrer": "https://example.net/equamni/atcupi.htm?onemull=mdo#labore", - "input.type": "log", - "log.offset": 34344, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.net", - "example.net" - ], - "related.ip": [ - 
"10.216.143.226", - "10.25.53.93" - ], - "related.user": [ - "oremeu" - ], - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "cancel" - ], - "rsa.misc.content_type": "urau", - "rsa.misc.result_code": "lla", - "rsa.network.domain": "api.example.net", - "rsa.network.network_service": "psa", - "rsa.time.event_time": "2019-06-11T13:51:06.000Z", - "rsa.web.alias_host": "api.example.net", - "rsa.web.web_ref_domain": "example.net", - "rsa.web.web_ref_query": "onemull=mdo", - "server.domain": "api.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "api", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 6127, - "source.ip": "10.216.143.226", - "source.port": 2632, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "api.example.net", - "url.extension": "htm", - "url.fragment": "rch", - "url.original": "https://api.example.net/quido/llo.htm?tpersp=assi#rch", - "url.path": [ - "/quido/llo.htm", - "https://example.net" - ], - "url.query": "tpersp=assi", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "api", - "url.top_level_domain": "net", - "user.name": "oremeu", - "user_agent.device.name": "Samsung GT-P3100 ", - "user_agent.name": "Android", - "user_agent.original": "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30", - "user_agent.os.full": "Android 4.0.3", - "user_agent.os.name": "Android", - "user_agent.os.version": "4.0.3", - "user_agent.version": "4.0.3" - }, - { - "@timestamp": "2019-06-25T08:53:40.000Z", - "destination.ip": "10.246.115.57", - "event.action": "allow", - "event.code": "HEAD", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.139.195.188 893 [25/Jun/2019:6:53:40 aliquaU] \"HEAD 
https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti edictasu\" 10.246.115.57 edquiano mSecti \"henderi\" taevitae tevel 5926 \"https://example.com/ita/iquipexe.jpg?quamqua=quuntur#nihi\" \"Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" allow", - "file.name": "henderi", - "fileset.name": "log", - "http.request.referrer": "https://example.com/ita/iquipexe.jpg?quamqua=quuntur#nihi", - "input.type": "log", - "log.offset": 34709, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "example.com", - "www.example.net" - ], - "related.ip": [ - "10.139.195.188", - "10.246.115.57" - ], - "related.user": [ - "mSecti" - ], - "rsa.internal.messageid": "HEAD", - "rsa.investigations.ec_activity": "Request", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "HEAD", - "allow" - ], - "rsa.misc.content_type": "tevel", - "rsa.misc.result_code": "taevitae", - "rsa.network.domain": "www.example.net", - "rsa.network.network_service": "edictasu", - "rsa.time.event_time": "2019-06-25T08:53:40.000Z", - "rsa.web.alias_host": "www.example.net", - "rsa.web.web_ref_domain": "example.com", - "rsa.web.web_ref_query": "quamqua=quuntur", - "server.domain": "www.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "www", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 5926, - "source.ip": "10.139.195.188", - "source.port": 893, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www.example.net", - "url.extension": "txt", - "url.fragment": "deriti", - "url.original": "https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti", - "url.path": [ - "/tvolu/imve.txt", - "https://example.com" - ], - "url.query": "gnaaliq=quam", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "www", - 
"url.top_level_domain": "net", - "user.name": "mSecti", - "user_agent.device.name": "G8142", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2019-07-10T03:56:14.000Z", - "destination.ip": "10.82.148.126", - "event.action": "block", - "event.code": "NONE", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.60.56.205 4345 [10/Jul/2019:1:56:14 writtenb] \"NONE https://www5.example.com/ugitsed/dminimve.htm?onse=uiac#tquii tesse\" 10.82.148.126 inBCSedu ita \"ade\" nihilmol nder 2214 \"https://api.example.net/uunturm/iatn.gif?tseddo=diduntut#rroq\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]\" block", - "file.name": "ade", - "fileset.name": "log", - "http.request.referrer": "https://api.example.net/uunturm/iatn.gif?tseddo=diduntut#rroq", - "input.type": "log", - "log.offset": 35079, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.net", - "www5.example.com" - ], - "related.ip": [ - "10.60.56.205", - "10.82.148.126" - ], - "related.user": [ - "ita" - ], - "rsa.internal.messageid": "NONE", - "rsa.misc.action": [ - "NONE", - "block" - ], - "rsa.misc.content_type": "nder", - "rsa.misc.result_code": "nihilmol", - "rsa.network.domain": "www5.example.com", - "rsa.network.network_service": "tesse", - "rsa.time.event_time": "2019-07-10T03:56:14.000Z", - "rsa.web.alias_host": "www5.example.com", - "rsa.web.web_ref_domain": "api.example.net", - 
"rsa.web.web_ref_query": "tseddo=diduntut", - "server.domain": "www5.example.com", - "server.registered_domain": "example.com", - "server.subdomain": "www5", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 2214, - "source.ip": "10.60.56.205", - "source.port": 4345, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www5.example.com", - "url.extension": "htm", - "url.fragment": "tquii", - "url.original": "https://www5.example.com/ugitsed/dminimve.htm?onse=uiac#tquii", - "url.path": [ - "/ugitsed/dminimve.htm", - "https://api.example.net" - ], - "url.query": "onse=uiac", - "url.registered_domain": "example.com", - "url.scheme": "https", - "url.subdomain": "www5", - "url.top_level_domain": "com", - "user.name": "ita", - "user_agent.device.name": "iPhone", - "user_agent.name": "Facebook", - "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", - "user_agent.os.full": "iOS 13.4.1", - "user_agent.os.name": "iOS", - "user_agent.os.version": "13.4.1", - "user_agent.version": "266.0.0" - }, - { - "@timestamp": "2019-07-24T10:58:48.000Z", - "destination.ip": "10.6.11.124", - "event.action": "accept", - "event.code": "DELETE", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.245.251.98 261 [24/Jul/2019:8:58:48 mremaper] \"DELETE https://api.example.com/ntium/ide.htm?tamrema=isautem#usan gnamali\" 10.6.11.124 edqui tvolu \"psu\" strud onsequ 5930 \"https://www5.example.net/iumto/sequatu.jpg?runtm=mdoloree#que\" \"Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36\" accept", - "file.name": "psu", - "fileset.name": "log", - "http.request.referrer": 
"https://www5.example.net/iumto/sequatu.jpg?runtm=mdoloree#que", - "input.type": "log", - "log.offset": 35603, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.com", - "www5.example.net" - ], - "related.ip": [ - "10.245.251.98", - "10.6.11.124" - ], - "related.user": [ - "tvolu" - ], - "rsa.internal.messageid": "DELETE", - "rsa.misc.action": [ - "DELETE", - "accept" - ], - "rsa.misc.content_type": "onsequ", - "rsa.misc.result_code": "strud", - "rsa.network.domain": "api.example.com", - "rsa.network.network_service": "gnamali", - "rsa.time.event_time": "2019-07-24T10:58:48.000Z", - "rsa.web.alias_host": "api.example.com", - "rsa.web.web_ref_domain": "www5.example.net", - "rsa.web.web_ref_query": "runtm=mdoloree", - "server.domain": "api.example.com", - "server.registered_domain": "example.com", - "server.subdomain": "api", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 5930, - "source.ip": "10.245.251.98", - "source.port": 261, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "api.example.com", - "url.extension": "htm", - "url.fragment": "usan", - "url.original": "https://api.example.com/ntium/ide.htm?tamrema=isautem#usan", - "url.path": [ - "/ntium/ide.htm", - "https://www5.example.net" - ], - "url.query": "tamrema=isautem", - "url.registered_domain": "example.com", - "url.scheme": "https", - "url.subdomain": "api", - "url.top_level_domain": "com", - "user.name": "tvolu", - "user_agent.device.name": "QMobile X700 PRO II", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "77.0.3865.92" - }, - { - "@timestamp": "2019-08-07T06:01:23.000Z", - "destination.ip": 
"10.145.25.55", - "event.action": "block", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.99.55.115 1537 [07/Aug/2019:4:01:23 exerci] \"CONNECT https://www5.example.org/iad/ngelits.jpg?mporin=orissusc#utaliqui uov\" 10.145.25.55 litsed lumd \"tiaec\" lorem iamquisn 2079 \"https://mail.example.org/aper/entor.txt?lumdol=edutper#utemve\" \"Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" block", - "file.name": "tiaec", - "fileset.name": "log", - "http.request.referrer": "https://mail.example.org/aper/entor.txt?lumdol=edutper#utemve", - "input.type": "log", - "log.offset": 35983, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "mail.example.org", - "www5.example.org" - ], - "related.ip": [ - "10.145.25.55", - "10.99.55.115" - ], - "related.user": [ - "lumd" - ], - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "block" - ], - "rsa.misc.content_type": "iamquisn", - "rsa.misc.result_code": "lorem", - "rsa.network.domain": "www5.example.org", - "rsa.network.network_service": "uov", - "rsa.time.event_time": "2019-08-07T06:01:23.000Z", - "rsa.web.alias_host": "www5.example.org", - "rsa.web.web_ref_domain": "mail.example.org", - "rsa.web.web_ref_query": "lumdol=edutper", - "server.domain": "www5.example.org", - "server.registered_domain": "example.org", - "server.subdomain": "www5", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 2079, - "source.ip": "10.99.55.115", - "source.port": 1537, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www5.example.org", - "url.extension": "jpg", - "url.fragment": "utaliqui", - "url.original": "https://www5.example.org/iad/ngelits.jpg?mporin=orissusc#utaliqui", - "url.path": 
[ - "/iad/ngelits.jpg", - "https://mail.example.org" - ], - "url.query": "mporin=orissusc", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.subdomain": "www5", - "url.top_level_domain": "org", - "user.name": "lumd", - "user_agent.device.name": "ZTE BLADE V7", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2019-08-21T13:03:57.000Z", - "destination.ip": "10.6.88.105", - "event.action": "allow", - "event.code": "TRACE", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.187.86.64 3325 [21/Aug/2019:11:03:57 atatn] \"TRACE https://mail.example.com/iatnulap/roi.htm?uine=loreeu#eprehe ddoeiusm\" 10.6.88.105 uptatemU rem \"onorumet\" iscivel rinci 249 \"https://internal.example.com/eriti/uptateve.htm?rema=mcol#tion\" \"Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36\" allow", - "file.name": "onorumet", - "fileset.name": "log", - "http.request.referrer": "https://internal.example.com/eriti/uptateve.htm?rema=mcol#tion", - "input.type": "log", - "log.offset": 36362, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "internal.example.com", - "mail.example.com" - ], - "related.ip": [ - "10.187.86.64", - "10.6.88.105" - ], - "related.user": [ - "rem" - ], - "rsa.internal.messageid": "TRACE", - "rsa.misc.action": [ - "TRACE", - "allow" - ], - "rsa.misc.content_type": "rinci", - "rsa.misc.result_code": "iscivel", - "rsa.network.domain": "mail.example.com", - "rsa.network.network_service": "ddoeiusm", - "rsa.time.event_time": "2019-08-21T13:03:57.000Z", - "rsa.web.alias_host": 
"mail.example.com", - "rsa.web.web_ref_domain": "internal.example.com", - "rsa.web.web_ref_query": "rema=mcol", - "server.domain": "mail.example.com", - "server.registered_domain": "example.com", - "server.subdomain": "mail", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 249, - "source.ip": "10.187.86.64", - "source.port": 3325, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "mail.example.com", - "url.extension": "htm", - "url.fragment": "eprehe", - "url.original": "https://mail.example.com/iatnulap/roi.htm?uine=loreeu#eprehe", - "url.path": [ - "/iatnulap/roi.htm", - "https://internal.example.com" - ], - "url.query": "uine=loreeu", - "url.registered_domain": "example.com", - "url.scheme": "https", - "url.subdomain": "mail", - "url.top_level_domain": "com", - "user.name": "rem", - "user_agent.device.name": "Notepad_K10", - "user_agent.name": "Chrome", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2019-09-05T08:06:31.000Z", - "destination.ip": "10.163.9.35", - "event.action": "accept", - "event.code": "CONNECT", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.252.146.132 503 [05/Sep/2019:6:06:31 tat] \"CONNECT https://mail.example.org/turv/use.jpg?mtot=macc#illoin eursi\" 10.163.9.35 uatDu umq \"ipsu\" oremip ota 4562 \"https://example.com/epteurs/itse.jpg?modi=cip#tla\" \"Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36\" accept", - "file.name": "ipsu", - "fileset.name": "log", - "http.request.referrer": "https://example.com/epteurs/itse.jpg?modi=cip#tla", - "input.type": "log", - "log.offset": 
36731, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "example.com", - "mail.example.org" - ], - "related.ip": [ - "10.163.9.35", - "10.252.146.132" - ], - "related.user": [ - "umq" - ], - "rsa.internal.messageid": "CONNECT", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "CONNECT", - "accept" - ], - "rsa.misc.content_type": "ota", - "rsa.misc.result_code": "oremip", - "rsa.network.domain": "mail.example.org", - "rsa.network.network_service": "eursi", - "rsa.time.event_time": "2019-09-05T08:06:31.000Z", - "rsa.web.alias_host": "mail.example.org", - "rsa.web.web_ref_domain": "example.com", - "rsa.web.web_ref_query": "modi=cip", - "server.domain": "mail.example.org", - "server.registered_domain": "example.org", - "server.subdomain": "mail", - "server.top_level_domain": "org", - "service.type": "squid", - "source.bytes": 4562, - "source.ip": "10.252.146.132", - "source.port": 503, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "mail.example.org", - "url.extension": "jpg", - "url.fragment": "illoin", - "url.original": "https://mail.example.org/turv/use.jpg?mtot=macc#illoin", - "url.path": [ - "/turv/use.jpg", - "https://example.com" - ], - "url.query": "mtot=macc", - "url.registered_domain": "example.org", - "url.scheme": "https", - "url.subdomain": "mail", - "url.top_level_domain": "org", - "user.name": "umq", - "user_agent.device.name": "Samsung SM-A260G", - "user_agent.name": "Chrome Mobile WebView", - "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", - "user_agent.os.full": "Android 8.1.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "8.1.0", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2019-09-19T03:09:05.000Z", - "destination.ip": 
"10.235.160.245", - "event.action": "deny", - "event.code": "DELETE", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.249.101.177 4465 [19/Sep/2019:1:09:05 quam] \"DELETE https://mail.example.com/umdol/rerepr.txt?emipsumq=orinr#ineavol umdo\" 10.235.160.245 squamest upta \"umquiad\" porinc uameiu 4857 \"https://api.example.org/mipsa/uas.gif?reeufu=umexe#xce\" \"Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36\" deny", - "file.name": "umquiad", - "fileset.name": "log", - "http.request.referrer": "https://api.example.org/mipsa/uas.gif?reeufu=umexe#xce", - "input.type": "log", - "log.offset": 37127, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.org", - "mail.example.com" - ], - "related.ip": [ - "10.235.160.245", - "10.249.101.177" - ], - "related.user": [ - "upta" - ], - "rsa.internal.messageid": "DELETE", - "rsa.misc.action": [ - "DELETE", - "deny" - ], - "rsa.misc.content_type": "uameiu", - "rsa.misc.result_code": "porinc", - "rsa.network.domain": "mail.example.com", - "rsa.network.network_service": "umdo", - "rsa.time.event_time": "2019-09-19T03:09:05.000Z", - "rsa.web.alias_host": "mail.example.com", - "rsa.web.web_ref_domain": "api.example.org", - "rsa.web.web_ref_query": "reeufu=umexe", - "server.domain": "mail.example.com", - "server.registered_domain": "example.com", - "server.subdomain": "mail", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 4857, - "source.ip": "10.249.101.177", - "source.port": 4465, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "mail.example.com", - "url.extension": "txt", - "url.fragment": "ineavol", - "url.original": "https://mail.example.com/umdol/rerepr.txt?emipsumq=orinr#ineavol", - "url.path": [ - "/umdol/rerepr.txt", - "https://api.example.org" - 
], - "url.query": "emipsumq=orinr", - "url.registered_domain": "example.com", - "url.scheme": "https", - "url.subdomain": "mail", - "url.top_level_domain": "com", - "user.name": "upta", - "user_agent.device.name": "Samsung SM-A260G", - "user_agent.name": "Chrome Mobile WebView", - "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", - "user_agent.os.full": "Android 8.1.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "8.1.0", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2019-10-03T10:11:40.000Z", - "destination.ip": "10.73.218.58", - "event.action": "block", - "event.code": "TRACE", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.140.170.171 773 [03/Oct/2019:8:11:40 deom] \"TRACE https://internal.example.com/rautod/onorumet.htm?mvo=agnidol#nevolup erspici\" 10.73.218.58 quidol tinv \"Utenima\" nse umq 1831 \"https://mail.example.org/meaquei/snisiu.htm?atev=vento#litsed\" \"Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" block", - "file.name": "Utenima", - "fileset.name": "log", - "http.request.referrer": "https://mail.example.org/meaquei/snisiu.htm?atev=vento#litsed", - "input.type": "log", - "log.offset": 37549, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "internal.example.com", - "mail.example.org" - ], - "related.ip": [ - "10.140.170.171", - "10.73.218.58" - ], - "related.user": [ - "tinv" - ], - "rsa.internal.messageid": "TRACE", - "rsa.misc.action": [ - "TRACE", - "block" - ], - "rsa.misc.content_type": "umq", - "rsa.misc.result_code": "nse", - "rsa.network.domain": "internal.example.com", - "rsa.network.network_service": "erspici", - "rsa.time.event_time": "2019-10-03T10:11:40.000Z", - 
"rsa.web.alias_host": "internal.example.com", - "rsa.web.web_ref_domain": "mail.example.org", - "rsa.web.web_ref_query": "atev=vento", - "server.domain": "internal.example.com", - "server.registered_domain": "example.com", - "server.subdomain": "internal", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 1831, - "source.ip": "10.140.170.171", - "source.port": 773, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "internal.example.com", - "url.extension": "htm", - "url.fragment": "nevolup", - "url.original": "https://internal.example.com/rautod/onorumet.htm?mvo=agnidol#nevolup", - "url.path": [ - "/rautod/onorumet.htm", - "https://mail.example.org" - ], - "url.query": "mvo=agnidol", - "url.registered_domain": "example.com", - "url.scheme": "https", - "url.subdomain": "internal", - "url.top_level_domain": "com", - "user.name": "tinv", - "user_agent.device.name": "U307AS", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2019-10-18T05:14:14.000Z", - "destination.ip": "10.67.148.40", - "event.action": "deny", - "event.code": "OPTIONS", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.248.156.138 2125 [18/Oct/2019:3:14:14 smodit] \"OPTIONS https://example.net/dun/xce.jpg?nsequat=mvol#asiar eiu\" 10.67.148.40 tcons squamest \"ction\" emveleum siuta 2155 \"https://example.com/epteur/onproi.txt?imveniam=sunte#exerc\" \"Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16\" deny", - "file.name": "ction", - "fileset.name": "log", - "http.request.referrer": "https://example.com/epteur/onproi.txt?imveniam=sunte#exerc", - "input.type": "log", - "log.offset": 37919, 
- "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "example.com", - "example.net" - ], - "related.ip": [ - "10.248.156.138", - "10.67.148.40" - ], - "related.user": [ - "squamest" - ], - "rsa.internal.messageid": "OPTIONS", - "rsa.misc.action": [ - "OPTIONS", - "deny" - ], - "rsa.misc.content_type": "siuta", - "rsa.misc.result_code": "emveleum", - "rsa.network.domain": "example.net", - "rsa.network.network_service": "eiu", - "rsa.time.event_time": "2019-10-18T05:14:14.000Z", - "rsa.web.alias_host": "example.net", - "rsa.web.web_ref_domain": "example.com", - "rsa.web.web_ref_query": "imveniam=sunte", - "server.domain": "example.net", - "server.registered_domain": "example.net", - "server.top_level_domain": "net", - "service.type": "squid", - "source.bytes": 2155, - "source.ip": "10.248.156.138", - "source.port": 2125, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "example.net", - "url.extension": "jpg", - "url.fragment": "asiar", - "url.original": "https://example.net/dun/xce.jpg?nsequat=mvol#asiar", - "url.path": [ - "/dun/xce.jpg", - "https://example.com" - ], - "url.query": "nsequat=mvol", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.top_level_domain": "net", - "user.name": "squamest", - "user_agent.device.name": "Generic Smartphone", - "user_agent.name": "Opera Mini", - "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", - "user_agent.os.name": "Symbian OS", - "user_agent.version": "7.1.32444" - }, - { - "@timestamp": "2019-11-01T12:16:48.000Z", - "destination.ip": "10.37.33.179", - "event.action": "accept", - "event.code": "UNLOCK", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.83.154.75 4260 [01/Nov/2019:10:16:48 explicab] \"UNLOCK https://api.example.com/teiru/mquamei.jpg?pta=uradi#sequu orumetMa\" 10.37.33.179 taed eatae \"siutali\" oloremq sum 6106 
\"https://www.example.org/ulamc/doe.txt?remquela=toreve#squirat\" \"Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30\" accept", - "file.name": "siutali", - "fileset.name": "log", - "http.request.referrer": "https://www.example.org/ulamc/doe.txt?remquela=toreve#squirat", - "input.type": "log", - "log.offset": 38247, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.com", - "www.example.org" - ], - "related.ip": [ - "10.37.33.179", - "10.83.154.75" - ], - "related.user": [ - "eatae" - ], - "rsa.internal.messageid": "UNLOCK", - "rsa.misc.action": [ - "UNLOCK", - "accept" - ], - "rsa.misc.content_type": "sum", - "rsa.misc.result_code": "oloremq", - "rsa.network.domain": "api.example.com", - "rsa.network.network_service": "orumetMa", - "rsa.time.event_time": "2019-11-01T12:16:48.000Z", - "rsa.web.alias_host": "api.example.com", - "rsa.web.web_ref_domain": "www.example.org", - "rsa.web.web_ref_query": "remquela=toreve", - "server.domain": "api.example.com", - "server.registered_domain": "example.com", - "server.subdomain": "api", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 6106, - "source.ip": "10.83.154.75", - "source.port": 4260, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "api.example.com", - "url.extension": "jpg", - "url.fragment": "sequu", - "url.original": "https://api.example.com/teiru/mquamei.jpg?pta=uradi#sequu", - "url.path": [ - "/teiru/mquamei.jpg", - "https://www.example.org" - ], - "url.query": "pta=uradi", - "url.registered_domain": "example.com", - "url.scheme": "https", - "url.subdomain": "api", - "url.top_level_domain": "com", - "user.name": "eatae", - "user_agent.device.name": "Meizu M6", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 
Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", - "user_agent.os.full": "Android 7.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "7.0", - "user_agent.version": "77.0.3865.120" - }, - { - "@timestamp": "2019-11-15T07:19:22.000Z", - "destination.ip": "10.84.107.38", - "event.action": "deny", - "event.code": "MKOL", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.14.29.202 7842 [15/Nov/2019:5:19:22 modoco] \"MKOL https://www5.example.net/dtempor/rroquisq.gif?liquid=uidex#umdolo nimv\" 10.84.107.38 tutla usmod \"ine\" qui itse 2097 \"https://www5.example.org/tasn/exeaco.html?metc=aincidu#reprehe\" \"Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10\" deny", - "file.name": "ine", - "fileset.name": "log", - "http.request.referrer": "https://www5.example.org/tasn/exeaco.html?metc=aincidu#reprehe", - "input.type": "log", - "log.offset": 38676, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "www5.example.net", - "www5.example.org" - ], - "related.ip": [ - "10.14.29.202", - "10.84.107.38" - ], - "related.user": [ - "usmod" - ], - "rsa.internal.messageid": "MKOL", - "rsa.misc.action": [ - "MKOL", - "deny" - ], - "rsa.misc.content_type": "itse", - "rsa.misc.result_code": "qui", - "rsa.network.domain": "www5.example.net", - "rsa.network.network_service": "nimv", - "rsa.time.event_time": "2019-11-15T07:19:22.000Z", - "rsa.web.alias_host": "www5.example.net", - "rsa.web.web_ref_domain": "www5.example.org", - "rsa.web.web_ref_query": "metc=aincidu", - "server.domain": "www5.example.net", - "server.registered_domain": "example.net", - "server.subdomain": "www5", - "server.top_level_domain": "net", - "service.type": 
"squid", - "source.bytes": 2097, - "source.ip": "10.14.29.202", - "source.port": 7842, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "www5.example.net", - "url.extension": "gif", - "url.fragment": "umdolo", - "url.original": "https://www5.example.net/dtempor/rroquisq.gif?liquid=uidex#umdolo", - "url.path": [ - "/dtempor/rroquisq.gif", - "https://www5.example.org" - ], - "url.query": "liquid=uidex", - "url.registered_domain": "example.net", - "url.scheme": "https", - "url.subdomain": "www5", - "url.top_level_domain": "net", - "user.name": "usmod", - "user_agent.device.name": "Samsung SM-A305FN", - "user_agent.name": "YandexSearch", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "8.10" - }, - { - "@timestamp": "2019-11-30T14:21:57.000Z", - "destination.ip": "10.204.223.184", - "event.action": "deny", - "event.code": "POST", - "event.dataset": "squid.log", - "event.module": "squid", - "event.original": "10.221.86.133 6682 [30/Nov/2019:12:21:57 edi] \"POST https://api.example.com/ore/adeser.htm?pre=aute#rchite rcit\" 10.204.223.184 oinve ptasnul \"utaliqui\" mcorpor rerepr 6861 \"https://example.com/tuserror/agnama.jpg?deritq=boreetdo#teni\" \"Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]\" deny", - "file.name": "utaliqui", - "fileset.name": "log", - "http.request.referrer": "https://example.com/tuserror/agnama.jpg?deritq=boreetdo#teni", - "input.type": "log", - "log.offset": 39122, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": 
[ - "api.example.com", - "example.com" - ], - "related.ip": [ - "10.204.223.184", - "10.221.86.133" - ], - "related.user": [ - "ptasnul" - ], - "rsa.internal.messageid": "POST", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "ALM", - "rsa.misc.action": [ - "POST", - "deny" - ], - "rsa.misc.content_type": "rerepr", - "rsa.misc.result_code": "mcorpor", - "rsa.network.domain": "api.example.com", - "rsa.network.network_service": "rcit", - "rsa.time.event_time": "2019-11-30T14:21:57.000Z", - "rsa.web.alias_host": "api.example.com", - "rsa.web.web_ref_domain": "example.com", - "rsa.web.web_ref_query": "deritq=boreetdo", - "server.domain": "api.example.com", - "server.registered_domain": "example.com", - "server.subdomain": "api", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 6861, - "source.ip": "10.221.86.133", - "source.port": 6682, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "api.example.com", - "url.extension": "htm", - "url.fragment": "rchite", - "url.original": "https://api.example.com/ore/adeser.htm?pre=aute#rchite", - "url.path": [ - "/ore/adeser.htm", - "https://example.com" - ], - "url.query": "pre=aute", - "url.registered_domain": "example.com", - "url.scheme": "https", - "url.subdomain": "api", - "url.top_level_domain": "com", - "user.name": "ptasnul", - "user_agent.device.name": "Samsung SM-A715F", - "user_agent.name": "Facebook", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "266.0.0" - }, - { - "@timestamp": "2019-12-14T09:24:31.000Z", - "destination.ip": "10.229.39.190", - "event.action": "deny", - "event.code": "PUT", - "event.dataset": "squid.log", - 
"event.module": "squid", - "event.original": "10.195.4.70 3844 [14/Dec/2019:7:24:31 mfugiat] \"PUT https://api.example.com/liqu/dolor.htm?ess=umdo#aer quela\" 10.229.39.190 Nequepo edictas \"emac\" rmagnido exeaco 2574 \"https://api.example.org/loremi/nven.htm?usan=ugiatn#squa\" \"Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91\" deny", - "file.name": "emac", - "fileset.name": "log", - "http.request.referrer": "https://api.example.org/loremi/nven.htm?usan=ugiatn#squa", - "input.type": "log", - "log.offset": 39568, - "observer.product": "Proxy", - "observer.type": "Proxies", - "observer.vendor": "Squid", - "related.hosts": [ - "api.example.com", - "api.example.org" - ], - "related.ip": [ - "10.195.4.70", - "10.229.39.190" - ], - "related.user": [ - "edictas" - ], - "rsa.internal.messageid": "PUT", - "rsa.misc.action": [ - "PUT", - "deny" - ], - "rsa.misc.content_type": "exeaco", - "rsa.misc.result_code": "rmagnido", - "rsa.network.domain": "api.example.com", - "rsa.network.network_service": "quela", - "rsa.time.event_time": "2019-12-14T09:24:31.000Z", - "rsa.web.alias_host": "api.example.com", - "rsa.web.web_ref_domain": "api.example.org", - "rsa.web.web_ref_query": "usan=ugiatn", - "server.domain": "api.example.com", - "server.registered_domain": "example.com", - "server.subdomain": "api", - "server.top_level_domain": "com", - "service.type": "squid", - "source.bytes": 2574, - "source.ip": "10.195.4.70", - "source.port": 3844, - "tags": [ - "forwarded", - "squid.log" - ], - "url.domain": "api.example.com", - "url.extension": "htm", - "url.fragment": "aer", - "url.original": "https://api.example.com/liqu/dolor.htm?ess=umdo#aer", - "url.path": [ - "/liqu/dolor.htm", - "https://api.example.org" - ], - "url.query": "ess=umdo", - "url.registered_domain": "example.com", - "url.scheme": "https", - "url.subdomain": "api", - 
"url.top_level_domain": "com", - "user.name": "edictas", - "user_agent.device.name": "STK-L21", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "83.0.4103.83" - } -] \ No newline at end of file diff --git a/x-pack/filebeat/modules.d/squid.yml.disabled b/x-pack/filebeat/modules.d/squid.yml.disabled deleted file mode 100644 index bc34fdcb5a6..00000000000 --- a/x-pack/filebeat/modules.d/squid.yml.disabled +++ /dev/null @@ -1,22 +0,0 @@ -# Module: squid -# Docs: https://www.elastic.co/guide/en/beats/filebeat/main/filebeat-module-squid.html - -- module: squid - log: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9520 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local From b9d079cb24c9d998e1db429d59648479a86b8acf Mon Sep 17 00:00:00 2001 
From: Panos Koutsovasilis Date: Thu, 15 Feb 2024 14:05:57 +0200 Subject: [PATCH 18/22] feat: remove deprecated tomcat --- filebeat/docs/fields.asciidoc | 5435 --------------- filebeat/docs/modules_list.asciidoc | 2 - x-pack/filebeat/filebeat.reference.yml | 22 - x-pack/filebeat/include/list.go | 1 - x-pack/filebeat/module/tomcat/README.md | 7 - .../filebeat/module/tomcat/_meta/config.yml | 20 - .../module/tomcat/_meta/docs.asciidoc | 74 - .../filebeat/module/tomcat/_meta/fields.yml | 5 - x-pack/filebeat/module/tomcat/fields.go | 23 - .../module/tomcat/log/_meta/fields.yml | 2635 ------- .../module/tomcat/log/config/input.yml | 87 - .../module/tomcat/log/config/liblogparser.js | 2514 ------- .../module/tomcat/log/config/pipeline.js | 173 - .../module/tomcat/log/ingest/pipeline.yml | 64 - .../filebeat/module/tomcat/log/manifest.yml | 31 - .../module/tomcat/log/test/generated.log | 100 - .../log/test/generated.log-expected.json | 6144 ----------------- x-pack/filebeat/modules.d/tomcat.yml.disabled | 23 - 18 files changed, 17360 deletions(-) delete mode 100644 x-pack/filebeat/module/tomcat/README.md delete mode 100644 x-pack/filebeat/module/tomcat/_meta/config.yml delete mode 100644 x-pack/filebeat/module/tomcat/_meta/docs.asciidoc delete mode 100644 x-pack/filebeat/module/tomcat/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/tomcat/fields.go delete mode 100644 x-pack/filebeat/module/tomcat/log/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/tomcat/log/config/input.yml delete mode 100644 x-pack/filebeat/module/tomcat/log/config/liblogparser.js delete mode 100644 x-pack/filebeat/module/tomcat/log/config/pipeline.js delete mode 100644 x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml delete mode 100644 x-pack/filebeat/module/tomcat/log/manifest.yml delete mode 100644 x-pack/filebeat/module/tomcat/log/test/generated.log delete mode 100644 x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json delete mode 100644 
x-pack/filebeat/modules.d/tomcat.yml.disabled diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 9204ac32ee2..499b6b7eb5d 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -78,7 +78,6 @@ grouped in the following categories: * <> * <> * <> -* <> * <> * <> * <> 
@@ -60939,5440 +60938,6 @@ type: flattened -- -[[exported-fields-tomcat]] -== Apache Tomcat fields - -tomcat fields. - - - -*`network.interface.name`*:: -+ --- -Name of the network interface where the traffic has been observed. - - -type: keyword - --- - - - -*`rsa.internal.msg`*:: -+ --- -This key is used to capture the raw message that comes into the Log Decoder - -type: keyword - --- - -*`rsa.internal.messageid`*:: -+ --- -type: keyword - --- - -*`rsa.internal.event_desc`*:: -+ --- -type: keyword - --- - -*`rsa.internal.message`*:: -+ --- -This key captures the contents of instant messages - -type: keyword - --- - -*`rsa.internal.time`*:: -+ --- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: date - --- - -*`rsa.internal.level`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.msg_id`*:: -+ --- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.msg_vid`*:: -+ --- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.data`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_server`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_val`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.resource`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.internal.obj_id`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.statement`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.audit_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.entry`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.hcode`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.inode`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.resource_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.dead`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.feed_desc`*:: -+ --- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.feed_name`*:: -+ --- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.cid`*:: -+ --- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_class`*:: -+ --- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_group`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_host`*:: -+ --- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_ip`*:: -+ --- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_ipv6`*:: -+ --- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_type`*:: -+ --- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_type_id`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.did`*:: -+ --- -This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.entropy_req`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.entropy_res`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.event_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.feed_category`*:: -+ --- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.forward_ip`*:: -+ --- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: ip - --- - -*`rsa.internal.forward_ipv6`*:: -+ --- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.header_id`*:: -+ --- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_cid`*:: -+ --- -This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_ctime`*:: -+ --- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: date - --- - -*`rsa.internal.mcb_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcb_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcbc_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.mcbc_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.medium`*:: -+ --- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: long - --- - -*`rsa.internal.node_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.nwe_callback_id`*:: -+ --- -This key denotes that event is endpoint related - -type: keyword - --- - -*`rsa.internal.parse_error`*:: -+ --- -This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.payload_req`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.payload_res`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.process_vid_dst`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - -type: keyword - --- - -*`rsa.internal.process_vid_src`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - -type: keyword - --- - -*`rsa.internal.rid`*:: -+ --- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.session_split`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.site`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.size`*:: -+ --- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.sourcefile`*:: -+ --- -This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.ubc_req`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.ubc_res`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.word`*:: -+ --- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - -type: keyword - --- - - -*`rsa.time.event_time`*:: -+ --- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - -type: date - --- - -*`rsa.time.duration_time`*:: -+ --- -This key is used to capture the normalized duration/lifetime in seconds. 
- -type: double - --- - -*`rsa.time.event_time_str`*:: -+ --- -This key is used to capture the incomplete time mentioned in a session as a string - -type: keyword - --- - -*`rsa.time.starttime`*:: -+ --- -This key is used to capture the Start time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.month`*:: -+ --- -type: keyword - --- - -*`rsa.time.day`*:: -+ --- -type: keyword - --- - -*`rsa.time.endtime`*:: -+ --- -This key is used to capture the End time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.timezone`*:: -+ --- -This key is used to capture the timezone of the Event Time - -type: keyword - --- - -*`rsa.time.duration_str`*:: -+ --- -A text string version of the duration - -type: keyword - --- - -*`rsa.time.date`*:: -+ --- -type: keyword - --- - -*`rsa.time.year`*:: -+ --- -type: keyword - --- - -*`rsa.time.recorded_time`*:: -+ --- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date - --- - -*`rsa.time.datetime`*:: -+ --- -type: keyword - --- - -*`rsa.time.effective_time`*:: -+ --- -This key is the effective time referenced by an individual event in a Standard Timestamp format - -type: date - --- - -*`rsa.time.expire_time`*:: -+ --- -This key is the timestamp that explicitly refers to an expiration. - -type: date - --- - -*`rsa.time.process_time`*:: -+ --- -Deprecated, use duration.time - -type: keyword - --- - -*`rsa.time.hour`*:: -+ --- -type: keyword - --- - -*`rsa.time.min`*:: -+ --- -type: keyword - --- - -*`rsa.time.timestamp`*:: -+ --- -type: keyword - --- - -*`rsa.time.event_queue_time`*:: -+ --- -This key is the Time that the event was queued. 
- -type: date - --- - -*`rsa.time.p_time1`*:: -+ --- -type: keyword - --- - -*`rsa.time.tzone`*:: -+ --- -type: keyword - --- - -*`rsa.time.eventtime`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmtdate`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmttime`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_date`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_month`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time2`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_year`*:: -+ --- -type: keyword - --- - -*`rsa.time.expire_time_str`*:: -+ --- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. - -type: keyword - --- - -*`rsa.time.stamp`*:: -+ --- -Deprecated key defined only in table map. - -type: date - --- - - -*`rsa.misc.action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.result`*:: -+ --- -This key is used to capture the outcome/result string value of an action in a session. - -type: keyword - --- - -*`rsa.misc.severity`*:: -+ --- -This key is used to capture the severity given the session - -type: keyword - --- - -*`rsa.misc.event_type`*:: -+ --- -This key captures the event category type as specified by the event source. - -type: keyword - --- - -*`rsa.misc.reference_id`*:: -+ --- -This key is used to capture an event id from the session directly - -type: keyword - --- - -*`rsa.misc.version`*:: -+ --- -This key captures Version of the application or OS which is generating the event. - -type: keyword - --- - -*`rsa.misc.disposition`*:: -+ --- -This key captures the The end state of an action. 
- -type: keyword - --- - -*`rsa.misc.result_code`*:: -+ --- -This key is used to capture the outcome/result numeric value of an action in a session - -type: keyword - --- - -*`rsa.misc.category`*:: -+ --- -This key is used to capture the category of an event given by the vendor in the session - -type: keyword - --- - -*`rsa.misc.obj_name`*:: -+ --- -This is used to capture name of object - -type: keyword - --- - -*`rsa.misc.obj_type`*:: -+ --- -This is used to capture type of object - -type: keyword - --- - -*`rsa.misc.event_source`*:: -+ --- -This key captures Source of the event that’s not a hostname - -type: keyword - --- - -*`rsa.misc.log_session_id`*:: -+ --- -This key is used to capture a sessionid from the session directly - -type: keyword - --- - -*`rsa.misc.group`*:: -+ --- -This key captures the Group Name value - -type: keyword - --- - -*`rsa.misc.policy_name`*:: -+ --- -This key is used to capture the Policy Name only. - -type: keyword - --- - -*`rsa.misc.rule_name`*:: -+ --- -This key captures the Rule Name - -type: keyword - --- - -*`rsa.misc.context`*:: -+ --- -This key captures Information which adds additional context to the event. - -type: keyword - --- - -*`rsa.misc.change_new`*:: -+ --- -This key is used to capture the new values of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.space`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client`*:: -+ --- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- -type: keyword - --- - -*`rsa.misc.msgIdPart1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.change_old`*:: -+ --- -This key is used to capture the old value of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.operation_id`*:: -+ --- -An alert number or operation number. The values should be unique and non-repeating. - -type: keyword - --- - -*`rsa.misc.event_state`*:: -+ --- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - -type: keyword - --- - -*`rsa.misc.group_object`*:: -+ --- -This key captures a collection/grouping of entities. Specific usage - -type: keyword - --- - -*`rsa.misc.node`*:: -+ --- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - -type: keyword - --- - -*`rsa.misc.rule`*:: -+ --- -This key captures the Rule number - -type: keyword - --- - -*`rsa.misc.device_name`*:: -+ --- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - -type: keyword - --- - -*`rsa.misc.param`*:: -+ --- -This key is the parameters passed as part of a command or application, etc. - -type: keyword - --- - -*`rsa.misc.change_attrib`*:: -+ --- -This key is used to capture the name of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.event_computer`*:: -+ --- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- -type: keyword - --- - -*`rsa.misc.reference_id1`*:: -+ --- -This key is for Linked ID to be used as an addition to "reference.id" - -type: keyword - --- - -*`rsa.misc.event_log`*:: -+ --- -This key captures the Name of the event log - -type: keyword - --- - -*`rsa.misc.OS`*:: -+ --- -This key captures the Name of the Operating System - -type: keyword - --- - -*`rsa.misc.terminal`*:: -+ --- -This key captures the Terminal Names only - -type: keyword - --- - -*`rsa.misc.msgIdPart3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.filter`*:: -+ --- -This key captures Filter used to reduce result set - -type: keyword - --- - -*`rsa.misc.serial_number`*:: -+ --- -This key is the Serial number associated with a physical asset. - -type: keyword - --- - -*`rsa.misc.checksum`*:: -+ --- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - -type: keyword - --- - -*`rsa.misc.event_user`*:: -+ --- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - -type: keyword - --- - -*`rsa.misc.virusname`*:: -+ --- -This key captures the name of the virus - -type: keyword - --- - -*`rsa.misc.content_type`*:: -+ --- -This key is used to capture Content Type only. - -type: keyword - --- - -*`rsa.misc.group_id`*:: -+ --- -This key captures Group ID Number (related to the group name) - -type: keyword - --- - -*`rsa.misc.policy_id`*:: -+ --- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - -type: keyword - --- - -*`rsa.misc.vsys`*:: -+ --- -This key captures Virtual System Name - -type: keyword - --- - -*`rsa.misc.connection_id`*:: -+ --- -This key captures the Connection ID - -type: keyword - --- - -*`rsa.misc.reference_id2`*:: -+ --- -This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - -type: keyword - --- - -*`rsa.misc.sensor`*:: -+ --- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - -type: keyword - --- - -*`rsa.misc.sig_id`*:: -+ --- -This key captures IDS/IPS Int Signature ID - -type: long - --- - -*`rsa.misc.port_name`*:: -+ --- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - -type: keyword - --- - -*`rsa.misc.rule_group`*:: -+ --- -This key captures the Rule group name - -type: keyword - --- - -*`rsa.misc.risk_num`*:: -+ --- -This key captures a Numeric Risk value - -type: double - --- - -*`rsa.misc.trigger_val`*:: -+ --- -This key captures the Value of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.log_session_id1`*:: -+ --- -This key is used to capture a Linked (Related) Session ID from the session directly - -type: keyword - --- - -*`rsa.misc.comp_version`*:: -+ --- -This key captures the Version level of a sub-component of a product. - -type: keyword - --- - -*`rsa.misc.content_version`*:: -+ --- -This key captures Version level of a signature or database content. - -type: keyword - --- - -*`rsa.misc.hardware_id`*:: -+ --- -This key is used to capture unique identifier for a device or system (NOT a Mac address) - -type: keyword - --- - -*`rsa.misc.risk`*:: -+ --- -This key captures the non-numeric risk value - -type: keyword - --- - -*`rsa.misc.event_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.reason`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mail_id`*:: -+ --- -This key is used to capture the mailbox id/name - -type: keyword - --- - -*`rsa.misc.rule_uid`*:: -+ --- -This key is the Unique Identifier for a rule. 
- -type: keyword - --- - -*`rsa.misc.trigger_desc`*:: -+ --- -This key captures the Description of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.inout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.data_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.error`*:: -+ --- -This key captures All non successful Error codes or responses - -type: keyword - --- - -*`rsa.misc.index`*:: -+ --- -type: keyword - --- - -*`rsa.misc.listnum`*:: -+ --- -This key is used to capture listname or listnumber, primarily for collecting access-list - -type: keyword - --- - -*`rsa.misc.ntype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.observed_val`*:: -+ --- -This key captures the Value observed (from the perspective of the device generating the log). - -type: keyword - --- - -*`rsa.misc.policy_value`*:: -+ --- -This key captures the contents of the policy. This contains details about the policy - -type: keyword - --- - -*`rsa.misc.pool_name`*:: -+ --- -This key captures the name of a resource pool - -type: keyword - --- - -*`rsa.misc.rule_template`*:: -+ --- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - -type: keyword - --- - -*`rsa.misc.count`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigcat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comments`*:: -+ --- -Comment information provided in the log message - -type: keyword - --- - -*`rsa.misc.doc_number`*:: -+ --- -This key captures File Identification number - -type: long - --- - -*`rsa.misc.expected_val`*:: -+ --- -This key captures the Value expected (from the perspective of the device generating the log). 
- -type: keyword - --- - -*`rsa.misc.job_num`*:: -+ --- -This key captures the Job Number - -type: keyword - --- - -*`rsa.misc.spi_dst`*:: -+ --- -Destination SPI Index - -type: keyword - --- - -*`rsa.misc.spi_src`*:: -+ --- -Source SPI Index - -type: keyword - --- - -*`rsa.misc.code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.agent_id`*:: -+ --- -This key is used to capture agent id - -type: keyword - --- - -*`rsa.misc.message_body`*:: -+ --- -This key captures the The contents of the message body. - -type: keyword - --- - -*`rsa.misc.phone`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sig_id_str`*:: -+ --- -This key captures a string object of the sigid variable. - -type: keyword - --- - -*`rsa.misc.cmd`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu`*:: -+ --- -This key is the CPU time used in the execution of the event being recorded. - -type: long - --- - -*`rsa.misc.event_desc`*:: -+ --- -This key is used to capture a description of an event available directly or inferred - -type: keyword - --- - -*`rsa.misc.sig_id1`*:: -+ --- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - -type: long - --- - -*`rsa.misc.im_buddyid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_client`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.priority`*:: -+ --- -type: keyword - --- - -*`rsa.misc.context_subject`*:: -+ --- -This key is to be used in an audit context where the subject is the object being identified - -type: keyword - --- - -*`rsa.misc.context_target`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cve`*:: -+ --- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - -type: keyword - --- - -*`rsa.misc.fcatnum`*:: -+ --- -This key captures Filter Category Number. 
Legacy Usage - -type: keyword - --- - -*`rsa.misc.library`*:: -+ --- -This key is used to capture library information in mainframe devices - -type: keyword - --- - -*`rsa.misc.parent_node`*:: -+ --- -This key captures the Parent Node Name. Must be related to node variable. - -type: keyword - --- - -*`rsa.misc.risk_info`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.tcp_flags`*:: -+ --- -This key is captures the TCP flags set in any packet of session - -type: long - --- - -*`rsa.misc.tos`*:: -+ --- -This key describes the type of service - -type: long - --- - -*`rsa.misc.vm_target`*:: -+ --- -VMWare Target **VMWARE** only varaible. - -type: keyword - --- - -*`rsa.misc.workspace`*:: -+ --- -This key captures Workspace Description - -type: keyword - --- - -*`rsa.misc.command`*:: -+ --- -type: keyword - --- - -*`rsa.misc.event_category`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facilityname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.forensic_info`*:: -+ --- -type: keyword - --- - -*`rsa.misc.jobname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy_waiver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.second`*:: -+ --- -type: keyword - --- - -*`rsa.misc.space1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.subcategory`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alert_id`*:: -+ --- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.checksum_dst`*:: -+ --- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - -type: keyword - --- - -*`rsa.misc.checksum_src`*:: -+ --- -This key is used to capture the checksum or hash of the source entity such as a file or process. 
- -type: keyword - --- - -*`rsa.misc.fresult`*:: -+ --- -This key captures the Filter Result - -type: long - --- - -*`rsa.misc.payload_dst`*:: -+ --- -This key is used to capture destination payload - -type: keyword - --- - -*`rsa.misc.payload_src`*:: -+ --- -This key is used to capture source payload - -type: keyword - --- - -*`rsa.misc.pool_id`*:: -+ --- -This key captures the identifier (typically numeric field) of a resource pool - -type: keyword - --- - -*`rsa.misc.process_id_val`*:: -+ --- -This key is a failure key for Process ID when it is not an integer value - -type: keyword - --- - -*`rsa.misc.risk_num_comm`*:: -+ --- -This key captures Risk Number Community - -type: double - --- - -*`rsa.misc.risk_num_next`*:: -+ --- -This key captures Risk Number NextGen - -type: double - --- - -*`rsa.misc.risk_num_sand`*:: -+ --- -This key captures Risk Number SandBox - -type: double - --- - -*`rsa.misc.risk_num_static`*:: -+ --- -This key captures Risk Number Static - -type: double - --- - -*`rsa.misc.risk_suspicious`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.risk_warning`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.snmp_oid`*:: -+ --- -SNMP Object Identifier - -type: keyword - --- - -*`rsa.misc.sql`*:: -+ --- -This key captures the SQL query - -type: keyword - --- - -*`rsa.misc.vuln_ref`*:: -+ --- -This key captures the Vulnerability Reference details - -type: keyword - --- - -*`rsa.misc.acl_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_op`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_pos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_table`*:: -+ --- -type: keyword - --- - -*`rsa.misc.admin`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarm_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarmname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.app_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.audit`*:: 
-+ --- -type: keyword - --- - -*`rsa.misc.audit_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.auditdata`*:: -+ --- -type: keyword - --- - -*`rsa.misc.benchmark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.bypass`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache_hit`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cefversion`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_attr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_obj`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_path`*:: -+ --- -type: keyword - --- - -*`rsa.misc.changes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client_ip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.clustermembers`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_acttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_asn_src`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_bgpv4nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ctr_dst_code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_f_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampintv`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampmode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inacttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermbyts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermpckts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_invalid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ip_proto_ver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ipv4_ident`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_l_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_did`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_rid`*:: -+ --- -type: keyword - 
--- - -*`rsa.misc.cn_max_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_maxpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_min_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_minpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_10`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_5`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_6`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_7`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_8`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_9`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_byt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_pks`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_muligmptype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampalgo`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampint`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_seqctr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_spackets`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sysuptime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_template_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totbytsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totflowexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totpcktsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_unixnanosecs`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6flowlabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6optheaders`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.comp_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_rbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_sbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.criticality`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_agency_dst`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_analyzedby`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_other`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_primary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_secondary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bgpv6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bit9status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_context`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_control`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_datecret`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_dst_tld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_dst_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_src_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_event_uuid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_filetype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_desc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ip_next_hop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4dstpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4srcpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_lifetime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_log_medium`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_loginname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulescore`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulesign`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_opswatresult`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.cs_payload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrant`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrar`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_represult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_rpayload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sampler_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sourcemodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_streams`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_targetmodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_v6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_whois_server`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_yararesult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.description`*:: -+ --- -type: keyword - --- - -*`rsa.misc.devvendor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.distance`*:: -+ --- -type: keyword - --- - -*`rsa.misc.dstburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomaub`*:: -+ --- -type: keyword - --- - -*`rsa.misc.euid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facility`*:: -+ --- -type: keyword - --- - -*`rsa.misc.finterface`*:: -+ --- -type: keyword - --- - -*`rsa.misc.flags`*:: -+ --- -type: keyword - --- - -*`rsa.misc.gaddr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.id3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_buddyname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomtype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_members`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_username`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipscat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipspri`*:: -+ --- -type: keyword - --- - -*`rsa.misc.latitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.linenum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.list_name`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.load_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_floor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_mark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.longitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.lport`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mbug_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msg_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.netsessid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.nwwn`*:: -+ --- -type: keyword - --- - -*`rsa.misc.object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.operation`*:: -+ --- -type: keyword - --- - -*`rsa.misc.opkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.orig_from`*:: -+ --- -type: keyword - --- - -*`rsa.misc.owner_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_filter`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_group_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_result1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_chg`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_expire`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permgranted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permwanted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pgid`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.policyUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.prog_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.program`*:: -+ --- -type: keyword - --- - -*`rsa.misc.real_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_device`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_library`*:: -+ --- -type: keyword - --- - -*`rsa.misc.recordnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ruid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sdomain_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sec`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sensorname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.seqnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.session`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sessiontype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.spi`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcservice`*:: -+ --- -type: keyword - --- - -*`rsa.misc.state`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.svcno`*:: -+ --- -type: keyword - --- - -*`rsa.misc.system`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.threshold`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.udb_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.url_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.user_div`*:: -+ --- -type: keyword - --- - -*`rsa.misc.userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.username_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.utcstamp`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.v_instafname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.virt_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.vpnid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.autorun_type`*:: -+ --- -This is used to capture Auto Run type - -type: keyword - --- - -*`rsa.misc.cc_number`*:: -+ --- -Valid Credit Card Numbers only - -type: long - --- - -*`rsa.misc.content`*:: -+ --- -This key captures the content type from protocol headers - -type: keyword - --- - -*`rsa.misc.ein_number`*:: -+ --- -Employee Identification Numbers only - -type: long - --- - -*`rsa.misc.found`*:: -+ --- -This is used to capture the results of regex match - -type: keyword - --- - -*`rsa.misc.language`*:: -+ --- -This is used to capture list of languages the client support and what it prefers - -type: keyword - --- - -*`rsa.misc.lifetime`*:: -+ --- -This key is used to capture the session lifetime in seconds. - -type: long - --- - -*`rsa.misc.link`*:: -+ --- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.misc.match`*:: -+ --- -This key is for regex match name from search.ini - -type: keyword - --- - -*`rsa.misc.param_dst`*:: -+ --- -This key captures the command line/launch argument of the target process or file - -type: keyword - --- - -*`rsa.misc.param_src`*:: -+ --- -This key captures source parameter - -type: keyword - --- - -*`rsa.misc.search_text`*:: -+ --- -This key captures the Search Text used - -type: keyword - --- - -*`rsa.misc.sig_name`*:: -+ --- -This key is used to capture the Signature Name only. - -type: keyword - --- - -*`rsa.misc.snmp_value`*:: -+ --- -SNMP set request value - -type: keyword - --- - -*`rsa.misc.streams`*:: -+ --- -This key captures number of streams in session - -type: long - --- - - -*`rsa.db.index`*:: -+ --- -This key captures IndexID of the index. 
- -type: keyword - --- - -*`rsa.db.instance`*:: -+ --- -This key is used to capture the database server instance name - -type: keyword - --- - -*`rsa.db.database`*:: -+ --- -This key is used to capture the name of a database or an instance as seen in a session - -type: keyword - --- - -*`rsa.db.transact_id`*:: -+ --- -This key captures the SQL transantion ID of the current session - -type: keyword - --- - -*`rsa.db.permissions`*:: -+ --- -This key captures permission or privilege level assigned to a resource. - -type: keyword - --- - -*`rsa.db.table_name`*:: -+ --- -This key is used to capture the table name - -type: keyword - --- - -*`rsa.db.db_id`*:: -+ --- -This key is used to capture the unique identifier for a database - -type: keyword - --- - -*`rsa.db.db_pid`*:: -+ --- -This key captures the process id of a connection with database server - -type: long - --- - -*`rsa.db.lread`*:: -+ --- -This key is used for the number of logical reads - -type: long - --- - -*`rsa.db.lwrite`*:: -+ --- -This key is used for the number of logical writes - -type: long - --- - -*`rsa.db.pread`*:: -+ --- -This key is used for the number of physical writes - -type: long - --- - - -*`rsa.network.alias_host`*:: -+ --- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - -type: keyword - --- - -*`rsa.network.domain`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_dst`*:: -+ --- -This key should only be used when it’s a Destination Hostname - -type: keyword - --- - -*`rsa.network.network_service`*:: -+ --- -This is used to capture layer 7 protocols/service names - -type: keyword - --- - -*`rsa.network.interface`*:: -+ --- -This key should be used when the source or destination context of an interface is not clear - -type: keyword - --- - -*`rsa.network.network_port`*:: -+ --- -Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) - -type: long - --- - -*`rsa.network.eth_host`*:: -+ --- -Deprecated, use alias.mac - -type: keyword - --- - -*`rsa.network.sinterface`*:: -+ --- -This key should only be used when it’s a Source Interface - -type: keyword - --- - -*`rsa.network.dinterface`*:: -+ --- -This key should only be used when it’s a Destination Interface - -type: keyword - --- - -*`rsa.network.vlan`*:: -+ --- -This key should only be used to capture the ID of the Virtual LAN - -type: long - --- - -*`rsa.network.zone_src`*:: -+ --- -This key should only be used when it’s a Source Zone. - -type: keyword - --- - -*`rsa.network.zone`*:: -+ --- -This key should be used when the source or destination context of a Zone is not clear - -type: keyword - --- - -*`rsa.network.zone_dst`*:: -+ --- -This key should only be used when it’s a Destination Zone. - -type: keyword - --- - -*`rsa.network.gateway`*:: -+ --- -This key is used to capture the IP Address of the gateway - -type: keyword - --- - -*`rsa.network.icmp_type`*:: -+ --- -This key is used to capture the ICMP type only - -type: long - --- - -*`rsa.network.mask`*:: -+ --- -This key is used to capture the device network IPmask. 
- -type: keyword - --- - -*`rsa.network.icmp_code`*:: -+ --- -This key is used to capture the ICMP code only - -type: long - --- - -*`rsa.network.protocol_detail`*:: -+ --- -This key should be used to capture additional protocol information - -type: keyword - --- - -*`rsa.network.dmask`*:: -+ --- -This key is used for Destionation Device network mask - -type: keyword - --- - -*`rsa.network.port`*:: -+ --- -This key should only be used to capture a Network Port when the directionality is not clear - -type: long - --- - -*`rsa.network.smask`*:: -+ --- -This key is used for capturing source Network Mask - -type: keyword - --- - -*`rsa.network.netname`*:: -+ --- -This key is used to capture the network name associated with an IP range. This is configured by the end user. - -type: keyword - --- - -*`rsa.network.paddr`*:: -+ --- -Deprecated - -type: ip - --- - -*`rsa.network.faddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.lhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.origin`*:: -+ --- -type: keyword - --- - -*`rsa.network.remote_domain_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.addr`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_a_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_ptr_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.fhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.fport`*:: -+ --- -type: keyword - --- - -*`rsa.network.laddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.linterface`*:: -+ --- -type: keyword - --- - -*`rsa.network.phost`*:: -+ --- -type: keyword - --- - -*`rsa.network.ad_computer_dst`*:: -+ --- -Deprecated, use host.dst - -type: keyword - --- - -*`rsa.network.eth_type`*:: -+ --- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: long - --- - -*`rsa.network.ip_proto`*:: -+ --- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - -type: long - --- - -*`rsa.network.dns_cname_record`*:: -+ --- 
-type: keyword - --- - -*`rsa.network.dns_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_opcode`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_resp`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.domain1`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.packet_length`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_orig`*:: -+ --- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - -type: keyword - --- - -*`rsa.network.rpayload`*:: -+ --- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. - -type: keyword - --- - -*`rsa.network.vlan_name`*:: -+ --- -This key should only be used to capture the name of the Virtual LAN - -type: keyword - --- - - -*`rsa.investigations.ec_activity`*:: -+ --- -This key captures the particular event activity(Ex:Logoff) - -type: keyword - --- - -*`rsa.investigations.ec_theme`*:: -+ --- -This key captures the Theme of a particular Event(Ex:Authentication) - -type: keyword - --- - -*`rsa.investigations.ec_subject`*:: -+ --- -This key captures the Subject of a particular Event(Ex:User) - -type: keyword - --- - -*`rsa.investigations.ec_outcome`*:: -+ --- -This key captures the outcome of a particular Event(Ex:Success) - -type: keyword - --- - -*`rsa.investigations.event_cat`*:: -+ --- -This key captures the Event category number - -type: long - --- - -*`rsa.investigations.event_cat_name`*:: -+ --- -This key captures the event category name corresponding to the event cat code - -type: keyword - --- - -*`rsa.investigations.event_vcat`*:: -+ --- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - -type: keyword - --- - -*`rsa.investigations.analysis_file`*:: -+ --- -This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - -type: keyword - --- - -*`rsa.investigations.analysis_service`*:: -+ --- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - -type: keyword - --- - -*`rsa.investigations.analysis_session`*:: -+ --- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - -type: keyword - --- - -*`rsa.investigations.boc`*:: -+ --- -This is used to capture behaviour of compromise - -type: keyword - --- - -*`rsa.investigations.eoc`*:: -+ --- -This is used to capture Enablers of Compromise - -type: keyword - --- - -*`rsa.investigations.inv_category`*:: -+ --- -This used to capture investigation category - -type: keyword - --- - -*`rsa.investigations.inv_context`*:: -+ --- -This used to capture investigation context - -type: keyword - --- - -*`rsa.investigations.ioc`*:: -+ --- -This is key capture indicator of compromise - -type: keyword - --- - - -*`rsa.counters.dclass_c1`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c1.str only - -type: long - --- - -*`rsa.counters.dclass_c2`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c2.str only - -type: long - --- - -*`rsa.counters.event_counter`*:: -+ --- -This is used to capture the number of times an event repeated - -type: long - --- - -*`rsa.counters.dclass_r1`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r1.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c3.str only - -type: long - --- - -*`rsa.counters.dclass_c1_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c1 only - -type: keyword - --- - -*`rsa.counters.dclass_c2_str`*:: -+ --- -This is a generic counter string key that should be 
used with the label dclass.c2 only - -type: keyword - --- - -*`rsa.counters.dclass_r1_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r1 only - -type: keyword - --- - -*`rsa.counters.dclass_r2`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r2.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c3 only - -type: keyword - --- - -*`rsa.counters.dclass_r3`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r3.str only - -type: keyword - --- - -*`rsa.counters.dclass_r2_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r2 only - -type: keyword - --- - -*`rsa.counters.dclass_r3_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r3 only - -type: keyword - --- - - -*`rsa.identity.auth_method`*:: -+ --- -This key is used to capture authentication methods used only - -type: keyword - --- - -*`rsa.identity.user_role`*:: -+ --- -This key is used to capture the Role of a user only - -type: keyword - --- - -*`rsa.identity.dn`*:: -+ --- -X.500 (LDAP) Distinguished Name - -type: keyword - --- - -*`rsa.identity.logon_type`*:: -+ --- -This key is used to capture the type of logon method used. 
- -type: keyword - --- - -*`rsa.identity.profile`*:: -+ --- -This key is used to capture the user profile - -type: keyword - --- - -*`rsa.identity.accesses`*:: -+ --- -This key is used to capture actual privileges used in accessing an object - -type: keyword - --- - -*`rsa.identity.realm`*:: -+ --- -Radius realm or similar grouping of accounts - -type: keyword - --- - -*`rsa.identity.user_sid_dst`*:: -+ --- -This key captures Destination User Session ID - -type: keyword - --- - -*`rsa.identity.dn_src`*:: -+ --- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - -type: keyword - --- - -*`rsa.identity.org`*:: -+ --- -This key captures the User organization - -type: keyword - --- - -*`rsa.identity.dn_dst`*:: -+ --- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - -type: keyword - --- - -*`rsa.identity.firstname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.lastname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.user_dept`*:: -+ --- -User's Department Names only - -type: keyword - --- - -*`rsa.identity.user_sid_src`*:: -+ --- -This key captures Source User Session ID - -type: keyword - --- - -*`rsa.identity.federated_sp`*:: -+ --- -This key is the Federated Service Provider. This is the application requesting authentication. - -type: keyword - --- - -*`rsa.identity.federated_idp`*:: -+ --- -This key is the federated Identity Provider. This is the server providing the authentication. - -type: keyword - --- - -*`rsa.identity.logon_type_desc`*:: -+ --- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- -type: keyword - --- - -*`rsa.identity.middlename`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.password`*:: -+ --- -This key is for Passwords seen in any session, plain text or encrypted - -type: keyword - --- - -*`rsa.identity.host_role`*:: -+ --- -This key should only be used to capture the role of a Host Machine - -type: keyword - --- - -*`rsa.identity.ldap`*:: -+ --- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - -type: keyword - --- - -*`rsa.identity.ldap_query`*:: -+ --- -This key is the Search criteria from an LDAP search - -type: keyword - --- - -*`rsa.identity.ldap_response`*:: -+ --- -This key is to capture Results from an LDAP search - -type: keyword - --- - -*`rsa.identity.owner`*:: -+ --- -This is used to capture username the process or service is running as, the author of the task - -type: keyword - --- - -*`rsa.identity.service_account`*:: -+ --- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - -type: keyword - --- - - -*`rsa.email.email_dst`*:: -+ --- -This key is used to capture the Destination email address only, when the destination context is not clear use email - -type: keyword - --- - -*`rsa.email.email_src`*:: -+ --- -This key is used to capture the source email address only, when the source context is not clear use email - -type: keyword - --- - -*`rsa.email.subject`*:: -+ --- -This key is used to capture the subject string from an Email only. - -type: keyword - --- - -*`rsa.email.email`*:: -+ --- -This key is used to capture a generic email address where the source or destination context is not clear - -type: keyword - --- - -*`rsa.email.trans_from`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.email.trans_to`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - - -*`rsa.file.privilege`*:: -+ --- -Deprecated, use permissions - -type: keyword - --- - -*`rsa.file.attachment`*:: -+ --- -This key captures the attachment file name - -type: keyword - --- - -*`rsa.file.filesystem`*:: -+ --- -type: keyword - --- - -*`rsa.file.binary`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.file.filename_dst`*:: -+ --- -This is used to capture name of the file targeted by the action - -type: keyword - --- - -*`rsa.file.filename_src`*:: -+ --- -This is used to capture name of the parent filename, the file which performed the action - -type: keyword - --- - -*`rsa.file.filename_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.file.directory_dst`*:: -+ --- -This key is used to capture the directory of the target process or file - -type: keyword - --- - -*`rsa.file.directory_src`*:: -+ --- -This key is used to capture the directory of the source process or file - -type: keyword - --- - -*`rsa.file.file_entropy`*:: -+ --- -This is used to capture entropy vale of a file - -type: double - --- - -*`rsa.file.file_vendor`*:: -+ --- -This is used to capture Company name of file located in version_info - -type: keyword - --- - -*`rsa.file.task_name`*:: -+ --- -This is used to capture name of the task - -type: keyword - --- - - -*`rsa.web.fqdn`*:: -+ --- -Fully Qualified Domain Names - -type: keyword - --- - -*`rsa.web.web_cookie`*:: -+ --- -This key is used to capture the Web cookies specifically. - -type: keyword - --- - -*`rsa.web.alias_host`*:: -+ --- -type: keyword - --- - -*`rsa.web.reputation_num`*:: -+ --- -Reputation Number of an entity. 
Typically used for Web Domains - -type: double - --- - -*`rsa.web.web_ref_domain`*:: -+ --- -Web referer's domain - -type: keyword - --- - -*`rsa.web.web_ref_query`*:: -+ --- -This key captures Web referer's query portion of the URL - -type: keyword - --- - -*`rsa.web.remote_domain`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_ref_page`*:: -+ --- -This key captures Web referer's page information - -type: keyword - --- - -*`rsa.web.web_ref_root`*:: -+ --- -Web referer's root URL path - -type: keyword - --- - -*`rsa.web.cn_asn_dst`*:: -+ --- -type: keyword - --- - -*`rsa.web.cn_rpackets`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlpage`*:: -+ --- -type: keyword - --- - -*`rsa.web.urlroot`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_url`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_user_agent`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_cookie`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_method`*:: -+ --- -type: keyword - --- - -*`rsa.web.p_web_referer`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_extension_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.web.web_page`*:: -+ --- -type: keyword - --- - - -*`rsa.threat.threat_category`*:: -+ --- -This key captures Threat Name/Threat Category/Categorization of alert - -type: keyword - --- - -*`rsa.threat.threat_desc`*:: -+ --- -This key is used to capture the threat description from the session directly or inferred - -type: keyword - --- - -*`rsa.threat.alert`*:: -+ --- -This key is used to capture name of the alert - -type: keyword - --- - -*`rsa.threat.threat_source`*:: -+ --- -This key is used to capture source of the threat - -type: keyword - --- - - -*`rsa.crypto.crypto`*:: -+ --- -This key is used to capture the Encryption Type or Encryption Key only - -type: keyword - --- - -*`rsa.crypto.cipher_src`*:: -+ --- -This key is for Source (Client) Cipher - -type: keyword - --- - -*`rsa.crypto.cert_subject`*:: -+ --- -This key is used to capture the Certificate organization only - -type: keyword - --- 
- -*`rsa.crypto.peer`*:: -+ --- -This key is for Encryption peer's IP Address - -type: keyword - --- - -*`rsa.crypto.cipher_size_src`*:: -+ --- -This key captures Source (Client) Cipher Size - -type: long - --- - -*`rsa.crypto.ike`*:: -+ --- -IKE negotiation phase. - -type: keyword - --- - -*`rsa.crypto.scheme`*:: -+ --- -This key captures the Encryption scheme used - -type: keyword - --- - -*`rsa.crypto.peer_id`*:: -+ --- -This key is for Encryption peer’s identity - -type: keyword - --- - -*`rsa.crypto.sig_type`*:: -+ --- -This key captures the Signature Type - -type: keyword - --- - -*`rsa.crypto.cert_issuer`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.crypto.cert_error`*:: -+ --- -This key captures the Certificate Error String - -type: keyword - --- - -*`rsa.crypto.cipher_dst`*:: -+ --- -This key is for Destination (Server) Cipher - -type: keyword - --- - -*`rsa.crypto.cipher_size_dst`*:: -+ --- -This key captures Destination (Server) Cipher Size - -type: long - --- - -*`rsa.crypto.ssl_ver_src`*:: -+ --- -Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.d_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.s_certauth`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.ike_cookie1`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase One - -type: keyword - --- - -*`rsa.crypto.ike_cookie2`*:: -+ --- -ID of the negotiation — sent for ISAKMP Phase Two - -type: keyword - --- - -*`rsa.crypto.cert_checksum`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_host_cat`*:: -+ --- -This key is used for the hostname category value of a certificate - -type: keyword - --- - -*`rsa.crypto.cert_serial`*:: -+ --- -This key is used to capture the Certificate serial number only - -type: keyword - --- - -*`rsa.crypto.cert_status`*:: -+ --- -This key captures Certificate validation status - -type: keyword - --- - -*`rsa.crypto.ssl_ver_dst`*:: -+ --- 
-Deprecated, use version - -type: keyword - --- - -*`rsa.crypto.cert_keysize`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_username`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_insact`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.https_valid`*:: -+ --- -type: keyword - --- - -*`rsa.crypto.cert_ca`*:: -+ --- -This key is used to capture the Certificate signing authority only - -type: keyword - --- - -*`rsa.crypto.cert_common`*:: -+ --- -This key is used to capture the Certificate common name only - -type: keyword - --- - - -*`rsa.wireless.wlan_ssid`*:: -+ --- -This key is used to capture the ssid of a Wireless Session - -type: keyword - --- - -*`rsa.wireless.access_point`*:: -+ --- -This key is used to capture the access point name. - -type: keyword - --- - -*`rsa.wireless.wlan_channel`*:: -+ --- -This is used to capture the channel names - -type: long - --- - -*`rsa.wireless.wlan_name`*:: -+ --- -This key captures either WLAN number/name - -type: keyword - --- - - -*`rsa.storage.disk_volume`*:: -+ --- -A unique name assigned to logical units (volumes) within a physical disk - -type: keyword - --- - -*`rsa.storage.lun`*:: -+ --- -Logical Unit Number.This key is a very useful concept in Storage. - -type: keyword - --- - -*`rsa.storage.pwwn`*:: -+ --- -This uniquely identifies a port on a HBA. - -type: keyword - --- - - -*`rsa.physical.org_dst`*:: -+ --- -This is used to capture the destination organization based on the GEOPIP Maxmind database. - -type: keyword - --- - -*`rsa.physical.org_src`*:: -+ --- -This is used to capture the source organization based on the GEOPIP Maxmind database. 
- -type: keyword - --- - - -*`rsa.healthcare.patient_fname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_id`*:: -+ --- -This key captures the unique ID for a patient - -type: keyword - --- - -*`rsa.healthcare.patient_lname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_mname`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - - -*`rsa.endpoint.host_state`*:: -+ --- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - -type: keyword - --- - -*`rsa.endpoint.registry_key`*:: -+ --- -This key captures the path to the registry key - -type: keyword - --- - -*`rsa.endpoint.registry_value`*:: -+ --- -This key captures values or decorators used within a registry entry - -type: keyword - --- - [[exported-fields-traefik]] == Traefik fields diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index ae2fd0a1d75..191c149f448 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -54,7 +54,6 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> - * <> * <> * <> * <> @@ -116,7 +115,6 @@ include::modules/sophos.asciidoc[] include::modules/suricata.asciidoc[] include::modules/system.asciidoc[] include::modules/threatintel.asciidoc[] -include::modules/tomcat.asciidoc[] include::modules/traefik.asciidoc[] include::modules/zeek.asciidoc[] include::modules/zookeeper.asciidoc[] diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index f5fcf159e94..4c7c7cecf82 100644 --- a/x-pack/filebeat/filebeat.reference.yml 
+++ b/x-pack/filebeat/filebeat.reference.yml @@ -1950,28 +1950,6 @@ filebeat.modules: # Customize the HTTP timeout configured for the API requests #var.http_client_timeout: 30s -#---------------------------- Apache Tomcat Module ---------------------------- -- module: tomcat - log: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9501 - - # Set paths for the log files when file input is used. - # var.paths: - # - /var/log/tomcat/*.log - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - #------------------------------- Traefik Module ------------------------------- #- module: traefik # Access logs diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index 712ffeb52bf..9765c5d8f76 100644 --- a/x-pack/filebeat/include/list.go +++ b/x-pack/filebeat/include/list.go @@ -48,7 +48,6 @@ import ( _ "github.com/elastic/beats/v7/x-pack/filebeat/module/sophos" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/suricata" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/threatintel" - _ "github.com/elastic/beats/v7/x-pack/filebeat/module/tomcat" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/zeek" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/zookeeper" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/zoom" diff --git a/x-pack/filebeat/module/tomcat/README.md b/x-pack/filebeat/module/tomcat/README.md deleted file mode 100644 index 3a24ecf13e5..00000000000 --- a/x-pack/filebeat/module/tomcat/README.md +++ /dev/null @@ -1,7 +0,0 @@ -# tomcat module - -This is a module for Apache Tomcat logs. - -Autogenerated from RSA NetWitness log parser 2.0 XML apachetomcat version 105 -at 2020-07-13 17:55:32.188756 +0000 UTC. - 
diff --git a/x-pack/filebeat/module/tomcat/_meta/config.yml b/x-pack/filebeat/module/tomcat/_meta/config.yml deleted file mode 100644 index e04b9201704..00000000000 --- a/x-pack/filebeat/module/tomcat/_meta/config.yml +++ /dev/null @@ -1,20 +0,0 @@ -- module: tomcat - log: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9501 - - # Set paths for the log files when file input is used. - # var.paths: - # - /var/log/tomcat/*.log - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local diff --git a/x-pack/filebeat/module/tomcat/_meta/docs.asciidoc b/x-pack/filebeat/module/tomcat/_meta/docs.asciidoc deleted file mode 100644 index cb7339f3388..00000000000 --- a/x-pack/filebeat/module/tomcat/_meta/docs.asciidoc +++ /dev/null 
@@ -1,74 +0,0 @@ -[role="xpack"] - -:modulename: tomcat -:has-dashboards: false - -== Tomcat module - -deprecated::[8.12.0,"This module is deprecated. Use the https://docs.elastic.co/integrations/apache_tomcat[Apache Tomcat] Elastic integration instead."] - -experimental[] - -include::{libbeat-dir}/shared/integration-link.asciidoc[] - -This is a module for receiving Apache Tomcat access logs over Syslog or a file. - -include::../include/gs-link.asciidoc[] - -include::../include/configuring-intro.asciidoc[] - -:fileset_ex: log - -include::../include/config-option-intro.asciidoc[] - -[float] -==== `log` fileset settings - -experimental[] - -NOTE: This was converted from RSA NetWitness log parser XML "apachetomcat" device revision 105. - -*`var.input`*:: - -The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. - -*`var.paths`*:: - -The paths from which files are read. Needs to be a list. Only works when `var.input` is set to `file`. - -*`var.syslog_host`*:: - -The address to listen to UDP or TCP based syslog traffic. -Defaults to `localhost`. -Set to `0.0.0.0` to bind to all available interfaces. - -*`var.syslog_port`*:: - -The port to listen for syslog traffic. Defaults to `9501` - -NOTE: Ports below 1024 require Filebeat to run as root. - -*`var.tz_offset`*:: - -By default, datetimes in the logs will be interpreted as relative to -the timezone configured in the host where {beatname_uc} is running. If ingesting -logs from a host on a different timezone, use this field to set the timezone -offset so that datetimes are correctly parsed. Valid values are in the form -±HH:mm, for example, `-07:00` for `UTC-7`. - -*`var.rsa_fields`*:: - -Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be added. - -*`var.keep_raw_fields`*:: - -Flag to control the addition of the raw parser fields to the event. This fields -will be found under `rsa.raw`. 
The default is false. - -:has-dashboards!: - -:fileset_ex!: - -:modulename!: - diff --git a/x-pack/filebeat/module/tomcat/_meta/fields.yml b/x-pack/filebeat/module/tomcat/_meta/fields.yml deleted file mode 100644 index 4c67d0156af..00000000000 --- a/x-pack/filebeat/module/tomcat/_meta/fields.yml +++ /dev/null @@ -1,5 +0,0 @@ -- key: tomcat - title: Apache Tomcat - description: > - tomcat fields. - fields: diff --git a/x-pack/filebeat/module/tomcat/fields.go b/x-pack/filebeat/module/tomcat/fields.go deleted file mode 100644 index 5015b32c217..00000000000 --- a/x-pack/filebeat/module/tomcat/fields.go +++ /dev/null @@ -1,23 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. - -package tomcat - -import ( - "github.com/elastic/beats/v7/libbeat/asset" -) - -func init() { - if err := asset.SetFields("filebeat", "tomcat", asset.ModuleFieldsPri, AssetTomcat); err != nil { - panic(err) - } -} - -// AssetTomcat returns asset data. -// This is the base64 encoded zlib format compressed contents of module/tomcat. -func AssetTomcat() string { - return "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" -} diff --git a/x-pack/filebeat/module/tomcat/log/_meta/fields.yml b/x-pack/filebeat/module/tomcat/log/_meta/fields.yml deleted file mode 100644 index 08a34153c4f..00000000000 --- a/x-pack/filebeat/module/tomcat/log/_meta/fields.yml +++ /dev/null 
@@ -1,2635 +0,0 @@ -- name: network.interface.name - overwrite: true - type: keyword - description: > - Name of the network interface where the traffic has been observed. -- name: rsa - overwrite: true - type: group - fields: - - name: internal - overwrite: true - type: group - fields: - - name: msg - overwrite: true - type: keyword - description: This key is used to capture the raw message that comes into the - Log Decoder - - name: messageid - overwrite: true - type: keyword - - name: event_desc - overwrite: true - type: keyword - - name: message - overwrite: true - type: keyword - description: This key captures the contents of instant messages - - name: time - overwrite: true - type: date - description: This is the time at which a session hits a NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness. - - name: level - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: msg_id - overwrite: true - type: keyword - description: This is the Message ID1 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: msg_vid - overwrite: true - type: keyword - description: This is the Message ID2 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: data - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: resource - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: statement - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: entry - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: inode - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: resource_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: dead - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - overwrite: true - type: keyword - description: This is used to capture the description of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: feed_name - overwrite: true - type: keyword - description: This is used to capture the name of the feed. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: cid - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_class - overwrite: true - type: keyword - description: This is the Classification of the Log Event Source under a predefined - fixed set of Event Source Classifications. 
This key should never be used to - parse Meta data from a session (Logs/Packets) Directly, this is a Reserved - key in NetWitness - - name: device_group - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - overwrite: true - type: keyword - description: This is the Hostname of the log Event Source sending the logs to - NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - overwrite: true - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - overwrite: true - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - overwrite: true - type: keyword - description: This is the name of the log parser which parsed a given session. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_type_id - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: did - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. 
- This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: entropy_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: entropy_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: event_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - overwrite: true - type: keyword - description: This is used to capture the category of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: forward_ip - overwrite: true - type: ip - description: This key should be used to capture the IPV4 address of a relay - system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - overwrite: true - type: ip - description: This key is used to capture the IPV6 address of a relay system - which forwarded the events from the original system to NetWitness. This key - should never be used to parse Meta data from a session (Logs/Packets) Directly, - this is a Reserved key in NetWitness - - name: header_id - overwrite: true - type: keyword - description: This is the Header ID value that identifies the exact log parser - header definition that parses a particular log session. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: lc_cid - overwrite: true - type: keyword - description: This is a unique Identifier of a Log Collector. 
This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: lc_ctime - overwrite: true - type: date - description: This is the time at which a log is collected in a NetWitness Log - Collector. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: mcbc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: medium - overwrite: true - type: long - description: "This key is used to identify if it\u2019s a log/packet session\ - \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ - \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ - \ 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: nwe_callback_id - overwrite: true - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - overwrite: true - type: keyword - description: This is a special key that stores any Meta key validation error - found while parsing a log session. This key should never be used to parse - Meta data from a session (Logs/Packets) Directly, this is a Reserved key in - NetWitness - - name: payload_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: payload_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: process_vid_dst - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the target process. - - name: process_vid_src - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the source process. - - name: rid - overwrite: true - type: long - description: This is a special ID of the Remote Session created by NetWitness - Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: session_split - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: size - overwrite: true - type: long - description: This is the size of the session as seen by the NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: sourcefile - overwrite: true - type: keyword - description: This is the name of the log file or PCAPs that can be imported - into NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: ubc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: word - overwrite: true - type: keyword - description: This is used by the Word Parsing technology to capture the first - 5 character of every word in an unparsed log - - name: time - overwrite: true - type: group - fields: - - name: event_time - overwrite: true - type: date - description: This key is used to capture the time mentioned in a raw session - that represents the actual time an event occured in a standard normalized - form - - name: duration_time - overwrite: true - type: double - description: This key is used to capture the normalized duration/lifetime in - seconds. 
- - name: event_time_str - overwrite: true - type: keyword - description: This key is used to capture the incomplete time mentioned in a - session as a string - - name: starttime - overwrite: true - type: date - description: This key is used to capture the Start time mentioned in a session - in a standard form - - name: month - overwrite: true - type: keyword - - name: day - overwrite: true - type: keyword - - name: endtime - overwrite: true - type: date - description: This key is used to capture the End time mentioned in a session - in a standard form - - name: timezone - overwrite: true - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - overwrite: true - type: keyword - description: A text string version of the duration - - name: date - overwrite: true - type: keyword - - name: year - overwrite: true - type: keyword - - name: recorded_time - overwrite: true - type: date - description: The event time as recorded by the system the event is collected - from. The usage scenario is a multi-tier application where the management - layer of the system records it's own timestamp at the time of collection from - its child nodes. Must be in timestamp format. - - name: datetime - overwrite: true - type: keyword - - name: effective_time - overwrite: true - type: date - description: This key is the effective time referenced by an individual event - in a Standard Timestamp format - - name: expire_time - overwrite: true - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - overwrite: true - type: keyword - description: Deprecated, use duration.time - - name: hour - overwrite: true - type: keyword - - name: min - overwrite: true - type: keyword - - name: timestamp - overwrite: true - type: keyword - - name: event_queue_time - overwrite: true - type: date - description: This key is the Time that the event was queued. 
- - name: p_time1 - overwrite: true - type: keyword - - name: tzone - overwrite: true - type: keyword - - name: eventtime - overwrite: true - type: keyword - - name: gmtdate - overwrite: true - type: keyword - - name: gmttime - overwrite: true - type: keyword - - name: p_date - overwrite: true - type: keyword - - name: p_month - overwrite: true - type: keyword - - name: p_time - overwrite: true - type: keyword - - name: p_time2 - overwrite: true - type: keyword - - name: p_year - overwrite: true - type: keyword - - name: expire_time_str - overwrite: true - type: keyword - description: This key is used to capture incomplete timestamp that explicitly - refers to an expiration. - - name: stamp - overwrite: true - type: date - description: Deprecated key defined only in table map. - - name: misc - overwrite: true - type: group - fields: - - name: action - overwrite: true - type: keyword - - name: result - overwrite: true - type: keyword - description: This key is used to capture the outcome/result string value of - an action in a session. - - name: severity - overwrite: true - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - overwrite: true - type: keyword - description: This key captures the event category type as specified by the event - source. - - name: reference_id - overwrite: true - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - overwrite: true - type: keyword - description: This key captures Version of the application or OS which is generating - the event. - - name: disposition - overwrite: true - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - overwrite: true - type: keyword - description: This key is used to capture the outcome/result numeric value of - an action in a session - - name: category - overwrite: true - type: keyword - description: This key is used to capture the category of an event given by the - vendor in the session - - name: obj_name - overwrite: true - type: keyword - description: This is used to capture name of object - - name: obj_type - overwrite: true - type: keyword - description: This is used to capture type of object - - name: event_source - overwrite: true - type: keyword - description: "This key captures Source of the event that\u2019s not a hostname" - - name: log_session_id - overwrite: true - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - overwrite: true - type: keyword - description: This key captures the Group Name value - - name: policy_name - overwrite: true - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - overwrite: true - type: keyword - description: This key captures the Rule Name - - name: context - overwrite: true - type: keyword - description: This key captures Information which adds additional context to - the event. - - name: change_new - overwrite: true - type: keyword - description: "This key is used to capture the new values of the attribute that\u2019\ - s changing in a session" - - name: space - overwrite: true - type: keyword - - name: client - overwrite: true - type: keyword - description: This key is used to capture only the name of the client application - requesting resources of the server. See the user.agent meta key for capture - of the specific user agent identifier or browser identification string. 
- - name: msgIdPart1 - overwrite: true - type: keyword - - name: msgIdPart2 - overwrite: true - type: keyword - - name: change_old - overwrite: true - type: keyword - description: "This key is used to capture the old value of the attribute that\u2019\ - s changing in a session" - - name: operation_id - overwrite: true - type: keyword - description: An alert number or operation number. The values should be unique - and non-repeating. - - name: event_state - overwrite: true - type: keyword - description: This key captures the current state of the object/item referenced - within the event. Describing an on-going event. - - name: group_object - overwrite: true - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - overwrite: true - type: keyword - description: Common use case is the node name within a cluster. The cluster - name is reflected by the host name. - - name: rule - overwrite: true - type: keyword - description: This key captures the Rule number - - name: device_name - overwrite: true - type: keyword - description: 'This is used to capture name of the Device associated with the - node Like: a physical disk, printer, etc' - - name: param - overwrite: true - type: keyword - description: This key is the parameters passed as part of a command or application, - etc. - - name: change_attrib - overwrite: true - type: keyword - description: "This key is used to capture the name of the attribute that\u2019\ - s changing in a session" - - name: event_computer - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - fully qualified domain name in a windows log. 
- - name: reference_id1 - overwrite: true - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - overwrite: true - type: keyword - description: This key captures the Name of the event log - - name: OS - overwrite: true - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - overwrite: true - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - overwrite: true - type: keyword - - name: filter - overwrite: true - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - overwrite: true - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the entity - such as a file or process. Checksum should be used over checksum.src or checksum.dst - when it is unclear whether the entity is a source or target of an action. - - name: event_user - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - combination of domain name and username in a windows log. - - name: virusname - overwrite: true - type: keyword - description: This key captures the name of the virus - - name: content_type - overwrite: true - type: keyword - description: This key is used to capture Content Type only. 
- - name: group_id - overwrite: true - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - overwrite: true - type: keyword - description: This key is used to capture the Policy ID only, this should be - a numeric value, use policy.name otherwise - - name: vsys - overwrite: true - type: keyword - description: This key captures Virtual System Name - - name: connection_id - overwrite: true - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - overwrite: true - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" - or "reference.id1" value but should not be used unless the other two variables - are in play. - - name: sensor - overwrite: true - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS - based devices - - name: sig_id - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - overwrite: true - type: keyword - description: 'This key is used for Physical or logical port connection but does - NOT include a network port. (Example: Printer port name).' - - name: rule_group - overwrite: true - type: keyword - description: This key captures the Rule group name - - name: risk_num - overwrite: true - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - overwrite: true - type: keyword - description: This key captures the Value of the trigger or threshold condition. - - name: log_session_id1 - overwrite: true - type: keyword - description: This key is used to capture a Linked (Related) Session ID from - the session directly - - name: comp_version - overwrite: true - type: keyword - description: This key captures the Version level of a sub-component of a product. 
- - name: content_version - overwrite: true - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - overwrite: true - type: keyword - description: This key is used to capture unique identifier for a device or system - (NOT a Mac address) - - name: risk - overwrite: true - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - overwrite: true - type: keyword - - name: reason - overwrite: true - type: keyword - - name: status - overwrite: true - type: keyword - - name: mail_id - overwrite: true - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - overwrite: true - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - overwrite: true - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - overwrite: true - type: keyword - - name: p_msgid - overwrite: true - type: keyword - - name: data_type - overwrite: true - type: keyword - - name: msgIdPart4 - overwrite: true - type: keyword - - name: error - overwrite: true - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - overwrite: true - type: keyword - - name: listnum - overwrite: true - type: keyword - description: This key is used to capture listname or listnumber, primarily for - collecting access-list - - name: ntype - overwrite: true - type: keyword - - name: observed_val - overwrite: true - type: keyword - description: This key captures the Value observed (from the perspective of the - device generating the log). - - name: policy_value - overwrite: true - type: keyword - description: This key captures the contents of the policy. 
This contains details - about the policy - - name: pool_name - overwrite: true - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - overwrite: true - type: keyword - description: A default set of parameters which are overlayed onto a rule (or - rulename) which efffectively constitutes a template - - name: count - overwrite: true - type: keyword - - name: number - overwrite: true - type: keyword - - name: sigcat - overwrite: true - type: keyword - - name: type - overwrite: true - type: keyword - - name: comments - overwrite: true - type: keyword - description: Comment information provided in the log message - - name: doc_number - overwrite: true - type: long - description: This key captures File Identification number - - name: expected_val - overwrite: true - type: keyword - description: This key captures the Value expected (from the perspective of the - device generating the log). - - name: job_num - overwrite: true - type: keyword - description: This key captures the Job Number - - name: spi_dst - overwrite: true - type: keyword - description: Destination SPI Index - - name: spi_src - overwrite: true - type: keyword - description: Source SPI Index - - name: code - overwrite: true - type: keyword - - name: agent_id - overwrite: true - type: keyword - description: This key is used to capture agent id - - name: message_body - overwrite: true - type: keyword - description: This key captures the The contents of the message body. - - name: phone - overwrite: true - type: keyword - - name: sig_id_str - overwrite: true - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - overwrite: true - type: keyword - - name: misc - overwrite: true - type: keyword - - name: name - overwrite: true - type: keyword - - name: cpu - overwrite: true - type: long - description: This key is the CPU time used in the execution of the event being - recorded. 
- - name: event_desc - overwrite: true - type: keyword - description: This key is used to capture a description of an event available - directly or inferred - - name: sig_id1 - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID. This must be linked - to the sig.id - - name: im_buddyid - overwrite: true - type: keyword - - name: im_client - overwrite: true - type: keyword - - name: im_userid - overwrite: true - type: keyword - - name: pid - overwrite: true - type: keyword - - name: priority - overwrite: true - type: keyword - - name: context_subject - overwrite: true - type: keyword - description: This key is to be used in an audit context where the subject is - the object being identified - - name: context_target - overwrite: true - type: keyword - - name: cve - overwrite: true - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - - an identifier for known information security vulnerabilities. - - name: fcatnum - overwrite: true - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - overwrite: true - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - overwrite: true - type: keyword - description: This key captures the Parent Node Name. Must be related to node - variable. - - name: risk_info - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - overwrite: true - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - overwrite: true - type: long - description: This key describes the type of service - - name: vm_target - overwrite: true - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - overwrite: true - type: keyword - description: This key captures Workspace Description - - name: command - overwrite: true - type: keyword - - name: event_category - overwrite: true - type: keyword - - name: facilityname - overwrite: true - type: keyword - - name: forensic_info - overwrite: true - type: keyword - - name: jobname - overwrite: true - type: keyword - - name: mode - overwrite: true - type: keyword - - name: policy - overwrite: true - type: keyword - - name: policy_waiver - overwrite: true - type: keyword - - name: second - overwrite: true - type: keyword - - name: space1 - overwrite: true - type: keyword - - name: subcategory - overwrite: true - type: keyword - - name: tbdstr2 - overwrite: true - type: keyword - - name: alert_id - overwrite: true - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the the target - entity such as a process or file. - - name: checksum_src - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the source - entity such as a file or process. 
- - name: fresult - overwrite: true - type: long - description: This key captures the Filter Result - - name: payload_dst - overwrite: true - type: keyword - description: This key is used to capture destination payload - - name: payload_src - overwrite: true - type: keyword - description: This key is used to capture source payload - - name: pool_id - overwrite: true - type: keyword - description: This key captures the identifier (typically numeric field) of a - resource pool - - name: process_id_val - overwrite: true - type: keyword - description: This key is a failure key for Process ID when it is not an integer - value - - name: risk_num_comm - overwrite: true - type: double - description: This key captures Risk Number Community - - name: risk_num_next - overwrite: true - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - overwrite: true - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - overwrite: true - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - overwrite: true - type: keyword - description: SNMP Object Identifier - - name: sql - overwrite: true - type: keyword - description: This key captures the SQL query - - name: vuln_ref - overwrite: true - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - overwrite: true - type: keyword - - name: acl_op - overwrite: true - type: keyword - - name: acl_pos - overwrite: true - type: keyword - - name: acl_table - overwrite: true - type: keyword - - name: admin - overwrite: true - type: keyword - - name: alarm_id - overwrite: true - type: keyword - - name: alarmname - 
overwrite: true - type: keyword - - name: app_id - overwrite: true - type: keyword - - name: audit - overwrite: true - type: keyword - - name: audit_object - overwrite: true - type: keyword - - name: auditdata - overwrite: true - type: keyword - - name: benchmark - overwrite: true - type: keyword - - name: bypass - overwrite: true - type: keyword - - name: cache - overwrite: true - type: keyword - - name: cache_hit - overwrite: true - type: keyword - - name: cefversion - overwrite: true - type: keyword - - name: cfg_attr - overwrite: true - type: keyword - - name: cfg_obj - overwrite: true - type: keyword - - name: cfg_path - overwrite: true - type: keyword - - name: changes - overwrite: true - type: keyword - - name: client_ip - overwrite: true - type: keyword - - name: clustermembers - overwrite: true - type: keyword - - name: cn_acttimeout - overwrite: true - type: keyword - - name: cn_asn_src - overwrite: true - type: keyword - - name: cn_bgpv4nxthop - overwrite: true - type: keyword - - name: cn_ctr_dst_code - overwrite: true - type: keyword - - name: cn_dst_tos - overwrite: true - type: keyword - - name: cn_dst_vlan - overwrite: true - type: keyword - - name: cn_engine_id - overwrite: true - type: keyword - - name: cn_engine_type - overwrite: true - type: keyword - - name: cn_f_switch - overwrite: true - type: keyword - - name: cn_flowsampid - overwrite: true - type: keyword - - name: cn_flowsampintv - overwrite: true - type: keyword - - name: cn_flowsampmode - overwrite: true - type: keyword - - name: cn_inacttimeout - overwrite: true - type: keyword - - name: cn_inpermbyts - overwrite: true - type: keyword - - name: cn_inpermpckts - overwrite: true - type: keyword - - name: cn_invalid - overwrite: true - type: keyword - - name: cn_ip_proto_ver - overwrite: true - type: keyword - - name: cn_ipv4_ident - overwrite: true - type: keyword - - name: cn_l_switch - overwrite: true - type: keyword - - name: cn_log_did - overwrite: true - type: keyword - - name: 
cn_log_rid - overwrite: true - type: keyword - - name: cn_max_ttl - overwrite: true - type: keyword - - name: cn_maxpcktlen - overwrite: true - type: keyword - - name: cn_min_ttl - overwrite: true - type: keyword - - name: cn_minpcktlen - overwrite: true - type: keyword - - name: cn_mpls_lbl_1 - overwrite: true - type: keyword - - name: cn_mpls_lbl_10 - overwrite: true - type: keyword - - name: cn_mpls_lbl_2 - overwrite: true - type: keyword - - name: cn_mpls_lbl_3 - overwrite: true - type: keyword - - name: cn_mpls_lbl_4 - overwrite: true - type: keyword - - name: cn_mpls_lbl_5 - overwrite: true - type: keyword - - name: cn_mpls_lbl_6 - overwrite: true - type: keyword - - name: cn_mpls_lbl_7 - overwrite: true - type: keyword - - name: cn_mpls_lbl_8 - overwrite: true - type: keyword - - name: cn_mpls_lbl_9 - overwrite: true - type: keyword - - name: cn_mplstoplabel - overwrite: true - type: keyword - - name: cn_mplstoplabip - overwrite: true - type: keyword - - name: cn_mul_dst_byt - overwrite: true - type: keyword - - name: cn_mul_dst_pks - overwrite: true - type: keyword - - name: cn_muligmptype - overwrite: true - type: keyword - - name: cn_sampalgo - overwrite: true - type: keyword - - name: cn_sampint - overwrite: true - type: keyword - - name: cn_seqctr - overwrite: true - type: keyword - - name: cn_spackets - overwrite: true - type: keyword - - name: cn_src_tos - overwrite: true - type: keyword - - name: cn_src_vlan - overwrite: true - type: keyword - - name: cn_sysuptime - overwrite: true - type: keyword - - name: cn_template_id - overwrite: true - type: keyword - - name: cn_totbytsexp - overwrite: true - type: keyword - - name: cn_totflowexp - overwrite: true - type: keyword - - name: cn_totpcktsexp - overwrite: true - type: keyword - - name: cn_unixnanosecs - overwrite: true - type: keyword - - name: cn_v6flowlabel - overwrite: true - type: keyword - - name: cn_v6optheaders - overwrite: true - type: keyword - - name: comp_class - overwrite: true - type: 
keyword - - name: comp_name - overwrite: true - type: keyword - - name: comp_rbytes - overwrite: true - type: keyword - - name: comp_sbytes - overwrite: true - type: keyword - - name: cpu_data - overwrite: true - type: keyword - - name: criticality - overwrite: true - type: keyword - - name: cs_agency_dst - overwrite: true - type: keyword - - name: cs_analyzedby - overwrite: true - type: keyword - - name: cs_av_other - overwrite: true - type: keyword - - name: cs_av_primary - overwrite: true - type: keyword - - name: cs_av_secondary - overwrite: true - type: keyword - - name: cs_bgpv6nxthop - overwrite: true - type: keyword - - name: cs_bit9status - overwrite: true - type: keyword - - name: cs_context - overwrite: true - type: keyword - - name: cs_control - overwrite: true - type: keyword - - name: cs_data - overwrite: true - type: keyword - - name: cs_datecret - overwrite: true - type: keyword - - name: cs_dst_tld - overwrite: true - type: keyword - - name: cs_eth_dst_ven - overwrite: true - type: keyword - - name: cs_eth_src_ven - overwrite: true - type: keyword - - name: cs_event_uuid - overwrite: true - type: keyword - - name: cs_filetype - overwrite: true - type: keyword - - name: cs_fld - overwrite: true - type: keyword - - name: cs_if_desc - overwrite: true - type: keyword - - name: cs_if_name - overwrite: true - type: keyword - - name: cs_ip_next_hop - overwrite: true - type: keyword - - name: cs_ipv4dstpre - overwrite: true - type: keyword - - name: cs_ipv4srcpre - overwrite: true - type: keyword - - name: cs_lifetime - overwrite: true - type: keyword - - name: cs_log_medium - overwrite: true - type: keyword - - name: cs_loginname - overwrite: true - type: keyword - - name: cs_modulescore - overwrite: true - type: keyword - - name: cs_modulesign - overwrite: true - type: keyword - - name: cs_opswatresult - overwrite: true - type: keyword - - name: cs_payload - overwrite: true - type: keyword - - name: cs_registrant - overwrite: true - type: keyword - - 
name: cs_registrar - overwrite: true - type: keyword - - name: cs_represult - overwrite: true - type: keyword - - name: cs_rpayload - overwrite: true - type: keyword - - name: cs_sampler_name - overwrite: true - type: keyword - - name: cs_sourcemodule - overwrite: true - type: keyword - - name: cs_streams - overwrite: true - type: keyword - - name: cs_targetmodule - overwrite: true - type: keyword - - name: cs_v6nxthop - overwrite: true - type: keyword - - name: cs_whois_server - overwrite: true - type: keyword - - name: cs_yararesult - overwrite: true - type: keyword - - name: description - overwrite: true - type: keyword - - name: devvendor - overwrite: true - type: keyword - - name: distance - overwrite: true - type: keyword - - name: dstburb - overwrite: true - type: keyword - - name: edomain - overwrite: true - type: keyword - - name: edomaub - overwrite: true - type: keyword - - name: euid - overwrite: true - type: keyword - - name: facility - overwrite: true - type: keyword - - name: finterface - overwrite: true - type: keyword - - name: flags - overwrite: true - type: keyword - - name: gaddr - overwrite: true - type: keyword - - name: id3 - overwrite: true - type: keyword - - name: im_buddyname - overwrite: true - type: keyword - - name: im_croomid - overwrite: true - type: keyword - - name: im_croomtype - overwrite: true - type: keyword - - name: im_members - overwrite: true - type: keyword - - name: im_username - overwrite: true - type: keyword - - name: ipkt - overwrite: true - type: keyword - - name: ipscat - overwrite: true - type: keyword - - name: ipspri - overwrite: true - type: keyword - - name: latitude - overwrite: true - type: keyword - - name: linenum - overwrite: true - type: keyword - - name: list_name - overwrite: true - type: keyword - - name: load_data - overwrite: true - type: keyword - - name: location_floor - overwrite: true - type: keyword - - name: location_mark - overwrite: true - type: keyword - - name: log_id - overwrite: true - 
type: keyword - - name: log_type - overwrite: true - type: keyword - - name: logid - overwrite: true - type: keyword - - name: logip - overwrite: true - type: keyword - - name: logname - overwrite: true - type: keyword - - name: longitude - overwrite: true - type: keyword - - name: lport - overwrite: true - type: keyword - - name: mbug_data - overwrite: true - type: keyword - - name: misc_name - overwrite: true - type: keyword - - name: msg_type - overwrite: true - type: keyword - - name: msgid - overwrite: true - type: keyword - - name: netsessid - overwrite: true - type: keyword - - name: num - overwrite: true - type: keyword - - name: number1 - overwrite: true - type: keyword - - name: number2 - overwrite: true - type: keyword - - name: nwwn - overwrite: true - type: keyword - - name: object - overwrite: true - type: keyword - - name: operation - overwrite: true - type: keyword - - name: opkt - overwrite: true - type: keyword - - name: orig_from - overwrite: true - type: keyword - - name: owner_id - overwrite: true - type: keyword - - name: p_action - overwrite: true - type: keyword - - name: p_filter - overwrite: true - type: keyword - - name: p_group_object - overwrite: true - type: keyword - - name: p_id - overwrite: true - type: keyword - - name: p_msgid1 - overwrite: true - type: keyword - - name: p_msgid2 - overwrite: true - type: keyword - - name: p_result1 - overwrite: true - type: keyword - - name: password_chg - overwrite: true - type: keyword - - name: password_expire - overwrite: true - type: keyword - - name: permgranted - overwrite: true - type: keyword - - name: permwanted - overwrite: true - type: keyword - - name: pgid - overwrite: true - type: keyword - - name: policyUUID - overwrite: true - type: keyword - - name: prog_asp_num - overwrite: true - type: keyword - - name: program - overwrite: true - type: keyword - - name: real_data - overwrite: true - type: keyword - - name: rec_asp_device - overwrite: true - type: keyword - - name: rec_asp_num 
- overwrite: true - type: keyword - - name: rec_library - overwrite: true - type: keyword - - name: recordnum - overwrite: true - type: keyword - - name: ruid - overwrite: true - type: keyword - - name: sburb - overwrite: true - type: keyword - - name: sdomain_fld - overwrite: true - type: keyword - - name: sec - overwrite: true - type: keyword - - name: sensorname - overwrite: true - type: keyword - - name: seqnum - overwrite: true - type: keyword - - name: session - overwrite: true - type: keyword - - name: sessiontype - overwrite: true - type: keyword - - name: sigUUID - overwrite: true - type: keyword - - name: spi - overwrite: true - type: keyword - - name: srcburb - overwrite: true - type: keyword - - name: srcdom - overwrite: true - type: keyword - - name: srcservice - overwrite: true - type: keyword - - name: state - overwrite: true - type: keyword - - name: status1 - overwrite: true - type: keyword - - name: svcno - overwrite: true - type: keyword - - name: system - overwrite: true - type: keyword - - name: tbdstr1 - overwrite: true - type: keyword - - name: tgtdom - overwrite: true - type: keyword - - name: tgtdomain - overwrite: true - type: keyword - - name: threshold - overwrite: true - type: keyword - - name: type1 - overwrite: true - type: keyword - - name: udb_class - overwrite: true - type: keyword - - name: url_fld - overwrite: true - type: keyword - - name: user_div - overwrite: true - type: keyword - - name: userid - overwrite: true - type: keyword - - name: username_fld - overwrite: true - type: keyword - - name: utcstamp - overwrite: true - type: keyword - - name: v_instafname - overwrite: true - type: keyword - - name: virt_data - overwrite: true - type: keyword - - name: vpnid - overwrite: true - type: keyword - - name: autorun_type - overwrite: true - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - overwrite: true - type: long - description: Valid Credit Card Numbers only - - name: content - 
overwrite: true - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - overwrite: true - type: long - description: Employee Identification Numbers only - - name: found - overwrite: true - type: keyword - description: This is used to capture the results of regex match - - name: language - overwrite: true - type: keyword - description: This is used to capture list of languages the client support and - what it prefers - - name: lifetime - overwrite: true - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - overwrite: true - type: keyword - description: This key is used to link the sessions together. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: match - overwrite: true - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - overwrite: true - type: keyword - description: This key captures the command line/launch argument of the target - process or file - - name: param_src - overwrite: true - type: keyword - description: This key captures source parameter - - name: search_text - overwrite: true - type: keyword - description: This key captures the Search Text used - - name: sig_name - overwrite: true - type: keyword - description: This key is used to capture the Signature Name only. - - name: snmp_value - overwrite: true - type: keyword - description: SNMP set request value - - name: streams - overwrite: true - type: long - description: This key captures number of streams in session - - name: db - overwrite: true - type: group - fields: - - name: index - overwrite: true - type: keyword - description: This key captures IndexID of the index. 
- - name: instance - overwrite: true - type: keyword - description: This key is used to capture the database server instance name - - name: database - overwrite: true - type: keyword - description: This key is used to capture the name of a database or an instance - as seen in a session - - name: transact_id - overwrite: true - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - overwrite: true - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - overwrite: true - type: keyword - description: This key is used to capture the table name - - name: db_id - overwrite: true - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - overwrite: true - type: long - description: This key captures the process id of a connection with database - server - - name: lread - overwrite: true - type: long - description: This key is used for the number of logical reads - - name: lwrite - overwrite: true - type: long - description: This key is used for the number of logical writes - - name: pread - overwrite: true - type: long - description: This key is used for the number of physical writes - - name: network - overwrite: true - type: group - fields: - - name: alias_host - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a hostname is not clear.Also it captures the Device Hostname. Any Hostname - that isnt ad.computer. 
- - name: domain - overwrite: true - type: keyword - - name: host_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Hostname" - - name: network_service - overwrite: true - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of an interface is not clear - - name: network_port - overwrite: true - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently - used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - overwrite: true - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Interface" - - name: dinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Interface" - - name: vlan - overwrite: true - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Zone." - - name: zone - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a Zone is not clear - - name: zone_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Zone." - - name: gateway - overwrite: true - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - overwrite: true - type: long - description: This key is used to capture the ICMP type only - - name: mask - overwrite: true - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - overwrite: true - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - overwrite: true - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - overwrite: true - type: keyword - description: This key is used for Destionation Device network mask - - name: port - overwrite: true - type: long - description: This key should only be used to capture a Network Port when the - directionality is not clear - - name: smask - overwrite: true - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - overwrite: true - type: keyword - description: This key is used to capture the network name associated with an - IP range. This is configured by the end user. - - name: paddr - overwrite: true - type: ip - description: Deprecated - - name: faddr - overwrite: true - type: keyword - - name: lhost - overwrite: true - type: keyword - - name: origin - overwrite: true - type: keyword - - name: remote_domain_id - overwrite: true - type: keyword - - name: addr - overwrite: true - type: keyword - - name: dns_a_record - overwrite: true - type: keyword - - name: dns_ptr_record - overwrite: true - type: keyword - - name: fhost - overwrite: true - type: keyword - - name: fport - overwrite: true - type: keyword - - name: laddr - overwrite: true - type: keyword - - name: linterface - overwrite: true - type: keyword - - name: phost - overwrite: true - type: keyword - - name: ad_computer_dst - overwrite: true - type: keyword - description: Deprecated, use host.dst - - name: eth_type - overwrite: true - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols - Only - - name: ip_proto - overwrite: true - type: long - description: This key should be used to capture the Protocol number, all the - protocol nubers are converted into string in UI - - name: dns_cname_record - overwrite: true - 
type: keyword - - name: dns_id - overwrite: true - type: keyword - - name: dns_opcode - overwrite: true - type: keyword - - name: dns_resp - overwrite: true - type: keyword - - name: dns_type - overwrite: true - type: keyword - - name: domain1 - overwrite: true - type: keyword - - name: host_type - overwrite: true - type: keyword - - name: packet_length - overwrite: true - type: keyword - - name: host_orig - overwrite: true - type: keyword - description: This is used to capture the original hostname in case of a Forwarding - Agent or a Proxy in between. - - name: rpayload - overwrite: true - type: keyword - description: This key is used to capture the total number of payload bytes seen - in the retransmitted packets. - - name: vlan_name - overwrite: true - type: keyword - description: This key should only be used to capture the name of the Virtual - LAN - - name: investigations - overwrite: true - type: group - fields: - - name: ec_activity - overwrite: true - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - overwrite: true - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - overwrite: true - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - overwrite: true - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - overwrite: true - type: long - description: This key captures the Event category number - - name: event_cat_name - overwrite: true - type: keyword - description: This key captures the event category name corresponding to the - event cat code - - name: event_vcat - overwrite: true - type: keyword - description: This is a vendor supplied category. This should be used in situations - where the vendor has adopted their own event_category taxonomy. 
- - name: analysis_file - overwrite: true - type: keyword - description: This is used to capture all indicators used in a File Analysis. - This key should be used to capture an analysis of a file - - name: analysis_service - overwrite: true - type: keyword - description: This is used to capture all indicators used in a Service Analysis. - This key should be used to capture an analysis of a service - - name: analysis_session - overwrite: true - type: keyword - description: This is used to capture all indicators used for a Session Analysis. - This key should be used to capture an analysis of a session - - name: boc - overwrite: true - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - overwrite: true - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - overwrite: true - type: keyword - description: This used to capture investigation category - - name: inv_context - overwrite: true - type: keyword - description: This used to capture investigation context - - name: ioc - overwrite: true - type: keyword - description: This is key capture indicator of compromise - - name: counters - overwrite: true - type: group - fields: - - name: dclass_c1 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c1.str only - - name: dclass_c2 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c2.str only - - name: event_counter - overwrite: true - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r1.str only - - name: dclass_c3 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c3.str only - - name: dclass_c1_str - 
overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c1 only - - name: dclass_c2_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c2 only - - name: dclass_r1_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r1 only - - name: dclass_r2 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r2.str only - - name: dclass_c3_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c3 only - - name: dclass_r3 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r3.str only - - name: dclass_r2_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r2 only - - name: dclass_r3_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r3 only - - name: identity - overwrite: true - type: group - fields: - - name: auth_method - overwrite: true - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - overwrite: true - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - overwrite: true - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - overwrite: true - type: keyword - description: This key is used to capture the type of logon method used. 
- - name: profile - overwrite: true - type: keyword - description: This key is used to capture the user profile - - name: accesses - overwrite: true - type: keyword - description: This key is used to capture actual privileges used in accessing - an object - - name: realm - overwrite: true - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - overwrite: true - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that - indicates a Source dn - - name: org - overwrite: true - type: keyword - description: This key captures the User organization - - name: dn_dst - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that - indicates a Destination dn - - name: firstname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: lastname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: user_dept - overwrite: true - type: keyword - description: User's Department Names only - - name: user_sid_src - overwrite: true - type: keyword - description: This key captures Source User Session ID - - name: federated_sp - overwrite: true - type: keyword - description: This key is the Federated Service Provider. This is the application - requesting authentication. - - name: federated_idp - overwrite: true - type: keyword - description: This key is the federated Identity Provider. This is the server - providing the authentication. - - name: logon_type_desc - overwrite: true - type: keyword - description: This key is used to capture the textual description of an integer - logon type as stored in the meta key 'logon.type'. 
- - name: middlename - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: password - overwrite: true - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - overwrite: true - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - overwrite: true - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ - t have a clear query or response context" - - name: ldap_query - overwrite: true - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - overwrite: true - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - overwrite: true - type: keyword - description: This is used to capture username the process or service is running - as, the author of the task - - name: service_account - overwrite: true - type: keyword - description: This key is a windows specific key, used for capturing name of - the account a service (referenced in the event) is running under. Legacy Usage - - name: email - overwrite: true - type: group - fields: - - name: email_dst - overwrite: true - type: keyword - description: This key is used to capture the Destination email address only, - when the destination context is not clear use email - - name: email_src - overwrite: true - type: keyword - description: This key is used to capture the source email address only, when - the source context is not clear use email - - name: subject - overwrite: true - type: keyword - description: This key is used to capture the subject string from an Email only. 
- - name: email - overwrite: true - type: keyword - description: This key is used to capture a generic email address where the source - or destination context is not clear - - name: trans_from - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: file - overwrite: true - type: group - fields: - - name: privilege - overwrite: true - type: keyword - description: Deprecated, use permissions - - name: attachment - overwrite: true - type: keyword - description: This key captures the attachment file name - - name: filesystem - overwrite: true - type: keyword - - name: binary - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: filename_dst - overwrite: true - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - overwrite: true - type: keyword - description: This is used to capture name of the parent filename, the file which - performed the action - - name: filename_tmp - overwrite: true - type: keyword - - name: directory_dst - overwrite: true - type: keyword - description: This key is used to capture the directory of the target process - or file - - name: directory_src - overwrite: true - type: keyword - description: This key is used to capture the directory of the source process - or file - - name: file_entropy - overwrite: true - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - overwrite: true - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - overwrite: true - type: keyword - description: This is used to capture name of the task - - name: web - overwrite: true - type: group - fields: - - name: fqdn - overwrite: true - type: keyword - description: Fully Qualified Domain Names - - 
name: web_cookie - overwrite: true - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - overwrite: true - type: keyword - - name: reputation_num - overwrite: true - type: double - description: Reputation Number of an entity. Typically used for Web Domains - - name: web_ref_domain - overwrite: true - type: keyword - description: Web referer's domain - - name: web_ref_query - overwrite: true - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - overwrite: true - type: keyword - - name: web_ref_page - overwrite: true - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - overwrite: true - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - overwrite: true - type: keyword - - name: cn_rpackets - overwrite: true - type: keyword - - name: urlpage - overwrite: true - type: keyword - - name: urlroot - overwrite: true - type: keyword - - name: p_url - overwrite: true - type: keyword - - name: p_user_agent - overwrite: true - type: keyword - - name: p_web_cookie - overwrite: true - type: keyword - - name: p_web_method - overwrite: true - type: keyword - - name: p_web_referer - overwrite: true - type: keyword - - name: web_extension_tmp - overwrite: true - type: keyword - - name: web_page - overwrite: true - type: keyword - - name: threat - overwrite: true - type: group - fields: - - name: threat_category - overwrite: true - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of - alert - - name: threat_desc - overwrite: true - type: keyword - description: This key is used to capture the threat description from the session - directly or inferred - - name: alert - overwrite: true - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - overwrite: true - type: keyword - description: This key is used to 
capture source of the threat - - name: crypto - overwrite: true - type: group - fields: - - name: crypto - overwrite: true - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key - only - - name: cipher_src - overwrite: true - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - overwrite: true - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - overwrite: true - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - overwrite: true - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - overwrite: true - type: keyword - description: IKE negotiation phase. - - name: scheme - overwrite: true - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - overwrite: true - type: keyword - description: "This key is for Encryption peer\u2019s identity" - - name: sig_type - overwrite: true - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - overwrite: true - type: keyword - - name: cert_host_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: cert_error - overwrite: true - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - overwrite: true - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - overwrite: true - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - overwrite: true - type: keyword - description: Deprecated, use version - - name: d_certauth - overwrite: true - type: keyword - - name: s_certauth - overwrite: true - type: keyword - - name: ike_cookie1 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - - name: ike_cookie2 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - - name: cert_checksum - overwrite: true - type: keyword - - name: cert_host_cat - overwrite: true - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - overwrite: true - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - overwrite: true - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - overwrite: true - type: keyword - description: Deprecated, use version - - name: cert_keysize - overwrite: true - type: keyword - - name: cert_username - overwrite: true - type: keyword - - name: https_insact - overwrite: true - type: keyword - - name: https_valid - overwrite: true - type: keyword - - name: cert_ca - overwrite: true - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - overwrite: true - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - overwrite: true - type: group - fields: - - name: wlan_ssid - overwrite: true - type: keyword - description: This key is 
used to capture the ssid of a Wireless Session - - name: access_point - overwrite: true - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - overwrite: true - type: long - description: This is used to capture the channel names - - name: wlan_name - overwrite: true - type: keyword - description: This key captures either WLAN number/name - - name: storage - overwrite: true - type: group - fields: - - name: disk_volume - overwrite: true - type: keyword - description: A unique name assigned to logical units (volumes) within a physical - disk - - name: lun - overwrite: true - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - overwrite: true - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - overwrite: true - type: group - fields: - - name: org_dst - overwrite: true - type: keyword - description: This is used to capture the destination organization based on the - GEOPIP Maxmind database. - - name: org_src - overwrite: true - type: keyword - description: This is used to capture the source organization based on the GEOPIP - Maxmind database. 
- - name: healthcare - overwrite: true - type: group - fields: - - name: patient_fname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_id - overwrite: true - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_mname - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: endpoint - overwrite: true - type: group - fields: - - name: host_state - overwrite: true - type: keyword - description: This key is used to capture the current state of the machine, such - as blacklisted, infected, firewall - disabled and so on - - name: registry_key - overwrite: true - type: keyword - description: This key captures the path to the registry key - - name: registry_value - overwrite: true - type: keyword - description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/tomcat/log/config/input.yml b/x-pack/filebeat/module/tomcat/log/config/input.yml deleted file mode 100644 index 10a6921f961..00000000000 --- a/x-pack/filebeat/module/tomcat/log/config/input.yml +++ /dev/null 
@@ -1,87 +0,0 @@
-{{ if eq .input "file" }}
-
-type: log
-paths:
- {{ range $i, $path := .paths }}
-- {{$path}}
- {{ end }}
-exclude_files: [".gz$"]
-
-{{ else }}
-
-type: {{.input}}
-host: "{{.syslog_host}}:{{.syslog_port}}"
-
-{{ end }}
-
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
-
-fields_under_root: true
-fields:
- observer:
- vendor: "Apache"
- product: "TomCat"
- type: "Web"
-
-processors:
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{.rsa_fields}}
- tz_offset: {{.tz_offset}}
- keep_raw: {{.keep_raw_fields}}
- debug: {{.debug}}
- files:
- - ${path.home}/module/tomcat/log/config/liblogparser.js
- - ${path.home}/module/tomcat/log/config/pipeline.js
-{{ if .community_id }}
-- community_id: ~
-{{ end }}
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: dns.question.name
- target_field: dns.question.registered_domain
- target_subdomain_field: dns.question.subdomain
- target_etld_field: dns.question.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: client.domain
- target_field: client.registered_domain
- target_subdomain_field: client.subdomain
- target_etld_field: client.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: server.domain
- target_field: server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/tomcat/log/config/liblogparser.js b/x-pack/filebeat/module/tomcat/log/config/liblogparser.js
deleted file mode 100644
index b35eaa3ddce..00000000000
--- a/x-pack/filebeat/module/tomcat/log/config/liblogparser.js
+++ /dev/null
@@ -1,2514 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -/* jshint -W014,-W016,-W097,-W116 */ - -var processor = require("processor"); -var console = require("console"); - -var FLAG_FIELD = "log.flags"; -var FIELDS_OBJECT = "nwparser"; -var FIELDS_PREFIX = FIELDS_OBJECT + "."; - -var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true -}; - -var saved_flags = null; -var debug; -var map_ecs; -var map_rsa; -var keep_raw; -var device; -var tz_offset; -var strip_priority; - -// Register params from configuration. -function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); -} - -function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } -} - -function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); -} - -function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); -} - -function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; -} - -function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; -} - -function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; -} - -var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); -})(); - -function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; -} - -function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } -} - -function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; -} - -function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; -} - -function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; -} - -function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; -} - -var start; - -function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); -} - -function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); -} - -function constant(value) { - return function (evt) { - return value; - }; -} - -function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; -} - -function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; -} - -// TODO: Implement -function DIRCHK(args) { - unimplemented("DIRCHK"); -} - -function strictToInt(str) { - return str * 1; -} - -function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - var result; - switch 
(args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; -} - -var quoteChars = "\"'`"; -function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; -} - -function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; -} - -function nop(evt) { -} - -function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); -} - -function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); -} - -function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; -} - -function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); -} - -function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; -} - -function setc(dst, value) { - return function (evt) { - evt.Put(FIELDS_PREFIX + dst, value); - }; 
-} - -function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; -} - -function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; -} - -function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; -} - -function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; -} - -// Make two-digit dates 00-69 interpreted as 2000-2069 -// and dates 70-99 translated to 1970-1999. -var twoDigitYearEpoch = 70; -var twoDigitYearCentury = 2000; - -// This is to accept dates up to 2 days in the future, only used when -// no year is specified in a date. 2 days should be enough to account for -// time differences between systems and different tz offsets. -var maxFutureDelta = 2*24*60*60*1000; - -// DateContainer stores date fields and then converts those fields into -// a Date. Necessary because building a Date using its set() methods gives -// different results depending on the order of components. -function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; -} - -DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } -} - -function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; -} - -function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; -} - -function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; -} - -var uA = 60 * 60 * 24; -var uD = 60 * 60 * 24; -var uF = 60 * 60; -var uG = 60 * 60 * 24 * 30; -var uH = 60 * 60; -var uI = 60 * 60; -var uJ = 60 * 60 * 24; -var uM = 60 * 60 * 24 * 30; -var uN = 60 * 60; -var uO = 1; -var uS = 1; -var uT = 60; -var uU = 60; -var uc = dc; - -function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; -} - -function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 5], - "dec": [11, 4], 
-}; - -// var dC = undefined; -var dR = dateMonthName(true); -var dB = dateMonthName(false); -var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); -var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); -var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); -var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); -var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); -var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 -var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); -var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); -var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); -var dP = parseAMPM; // AM|PM -var dQ = parseAMPM; // A.M.|P.M -var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); -var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); -var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); -var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); -var dZ = parseHMS; -var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - -// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. -// Only works if this modifier appears after the hour has been read from logs -// which is always the case in the 300 devices. 
-function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; -} - -function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); -} - -function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; -} - -function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; -} - -function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; -} - -function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; -} - -function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; -} - -// Short month name (Jan..Dec). -function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; -} - -function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; -} - -// The following regular expression for parsing URLs from: -// https://github.com/wizard04wsu/URI_Parsing -// -// The MIT License (MIT) -// -// Copyright (c) 2014 Andrew Harrison -// -// Permission is hereby granted, free of charge, to any person obtaining a copy of -// this software and associated documentation files (the "Software"), to deal in -// the Software without restriction, including without limitation the rights to -// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -// the Software, and to permit persons to whom the Software is furnished to do so, -// subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
-var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - -var uriScheme = 1; -var uriDomain = 5; -var uriPort = 6; -var uriPath = 7; -var uriPathAlt = 9; -var uriQuery = 11; - -function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); -} - -function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; -} - -function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; -} - -var extFromPage = /\.[^.]+$/; -function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } -} - -function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); -} - -function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); -} - -var pageFromPathRegExp = /\/([^\/]+)$/; -var pageName = 1; - -function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; -} - -function page(dst, src) { - return url_wrapper(dst, src, extract_page); -} - -function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; -} - -function path(dst, src) { - return url_wrapper(dst, src, extract_path); -} - -// Map common schemes to their default port. -// port has to be a string (will be converted at a later stage). 
-var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", -}; - -function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } -} - -function port(dst, src) { - return url_wrapper(dst, src, extract_port); -} - -function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; -} - -function query(dst, src) { - return url_wrapper(dst, src, extract_query); -} - -function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } -} - -function root(dst, src) { - return url_wrapper(dst, src, extract_root); -} - -function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } -} - -var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
- "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
- "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
- "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
- "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
- "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
- "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
- "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
- "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
- "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
- "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
- "direction": {to:[{field: "network.direction", setter: fld_set}]},
- "directory": {to:[{field: "file.directory", setter: fld_set}]},
- "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
- "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
- "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
- "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
- "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
- "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
- "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
- "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
- "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
- "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
- "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
- "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
- "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
- "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
- "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
- "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
- "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
- "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
- "filepath": {to:[{field: "file.path", setter: fld_set}]},
- "filetype": {to:[{field: "file.type", setter: fld_set}]},
- "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
- "group": {to:[{field: "group.name", setter: fld_set}]},
- "groupid": {to:[{field: "group.id", setter: fld_set}]},
- "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
- "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
- "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
- "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
- "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
- "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
- "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
- "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
- "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
- "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
- "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
- "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
- "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
- "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
- "method": {to:[{field: "http.request.method", setter: fld_set}]},
- "msg": {to:[{field: "message", setter: fld_set}]},
- "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
- "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
- "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
- "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
- "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
- "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
- "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
- "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
- "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
- "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
- "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
- "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
- "product": {to:[{field: "observer.product", setter: fld_set}]},
- "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
- "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
- "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
- "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
- "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
- "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
- "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
- "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
- "severity": {to:[{field: "log.level", setter: fld_set}]},
- "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
- "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
- "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
- "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
- "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
- "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
- "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
- "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
- "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
- "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
- "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
- "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
- "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
-};
-
-var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
- "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
- "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
- "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
- "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
- "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
- "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
- "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
- "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
- "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
- "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
- "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
- "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
- "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
- "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
- "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
- "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
- "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
- "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
- "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
- "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
- "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
- "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
- "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
- "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
- "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
- "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
- "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
- "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
- "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
- "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
- "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
- "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
- "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
- "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
- "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
- "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
- "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
- "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
- "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
- "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
- "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
- "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
- "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
- "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
- "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
- "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
- "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
- "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
- "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
- "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
- "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
- "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
- "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
- "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
- "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
- "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
- "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
- "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
- "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
- "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
- "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
- "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
- "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
- "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
- "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
- "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
- "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
- "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
- "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
- "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
- "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
- "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
- "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
- "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
- "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
- "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
- "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
- "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
- "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
- "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
- "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
- "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
- "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
- "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
- "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
- "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
- "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
- "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
- "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
- "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
- "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
- "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
- "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
- "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
- "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
- "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
- "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
- "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
- "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
- "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
- "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
- "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
- "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
- "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
- "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
- "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
- "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
- "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
- "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
- "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
- "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
- "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
- "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
- "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
- "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
- "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
- "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
- "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
- "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
- "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
- "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
- "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
- "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
- "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
- "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
- "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
- "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
- "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
- "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
- "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
- "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
- "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
- "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
- "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
- "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
- "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
- "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
- "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
- "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
- "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
- "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
- "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
- "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
- "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
- "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
- "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
- "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
- "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
- "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
- "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
- "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
- "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
- "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
- "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
- "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
- "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
- "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
- "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
- "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
- "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
- "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
- "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
- "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
- "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
- "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
- "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
- "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
- "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
- "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
- "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
- "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
- "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
- "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
- "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
- "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
- "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
- "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
- "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
- "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
- "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
- "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
- "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
- "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, -}; - -function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } -} - -// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. -var maxSafeInt = Math.pow(2, 53) - 1; -var minSafeInt = -maxSafeInt; - -function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; -} - -function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); -} - -var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; -var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - -function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; -} - -function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; -} - -function to_double(value) { - return parseFloat(value); -} - -function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; -} - -function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; -} - -function fld_set(dst, value) { - dst[this.field] = { v: value }; -} - -function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } -} - -function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } -} - -var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true -}; - -function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } -} - -function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } -} - -function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); -} - -var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, -]; - -function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - tzOffset = 
evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{timezone}]||%{web_method}||%{web_host}||%{webpage}||%{web_query}||%{network_service}||%{resultcode}||%{sbytes}||%{web_referer}||%{user_agent}||%{web_cookie}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup6, -])); - -var hdr1 = match("HEADER#0:0001", "message", "%APACHETOMCAT-%{level}-%{messageid}: %{payload}", processor_chain([ - setc("header_id","0001"), -])); - -var hdr2 = match("HEADER#1:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hostname->} %APACHETOMCAT- %{messageid}: %{payload}", processor_chain([ - setc("header_id","0002"), -])); - -var select1 = linear_select([ - hdr1, - hdr2, -]); - -var msg1 = msg("ABCD", dup7); - -var msg2 = msg("BADMETHOD", dup7); - -var msg3 = msg("BADMTHD", dup7); - -var msg4 = msg("BDMTHD", dup7); - -var msg5 = msg("INDEX", dup7); - -var msg6 = msg("CFYZ", dup7); - -var msg7 = msg("CONNECT", dup7); - -var msg8 = msg("DELETE", dup7); - -var msg9 = msg("DETECT_METHOD_TYPE", dup7); - -var msg10 = msg("FGET", dup7); - -var msg11 = msg("GET", dup7); - -var msg12 = msg("get", dup7); - -var msg13 = msg("HEAD", dup7); - -var msg14 = msg("id", dup7); - -var msg15 = msg("LOCK", dup7); - -var msg16 = msg("MKCOL", dup7); - -var msg17 = msg("NCIRCLE", dup7); - -var msg18 = msg("OPTIONS", dup7); - -var msg19 = msg("POST", dup7); - -var msg20 = msg("PRONECT", dup7); - -var msg21 = msg("PROPFIND", dup7); - -var msg22 = msg("PUT", dup7); - -var msg23 = msg("QUALYS", dup7); - -var msg24 = msg("SEARCH", dup7); - -var msg25 = msg("TRACK", dup7); - -var msg26 = msg("TRACE", dup7); - -var msg27 = msg("uGET", dup7); - -var msg28 = msg("null", dup7); - -var msg29 = msg("rndmmtd", dup7); - -var msg30 = msg("RNDMMTD", dup7); - -var msg31 = msg("asdf", dup7); - -var msg32 = msg("DEBUG", dup7); - -var msg33 = msg("COOK", dup7); - -var msg34 = msg("nGET", dup7); - -var chain1 = processor_chain([ - select1, - msgid_select({ - "ABCD": 
msg1, - "BADMETHOD": msg2, - "BADMTHD": msg3, - "BDMTHD": msg4, - "CFYZ": msg6, - "CONNECT": msg7, - "COOK": msg33, - "DEBUG": msg32, - "DELETE": msg8, - "DETECT_METHOD_TYPE": msg9, - "FGET": msg10, - "GET": msg11, - "HEAD": msg13, - "INDEX": msg5, - "LOCK": msg15, - "MKCOL": msg16, - "NCIRCLE": msg17, - "OPTIONS": msg18, - "POST": msg19, - "PRONECT": msg20, - "PROPFIND": msg21, - "PUT": msg22, - "QUALYS": msg23, - "RNDMMTD": msg30, - "SEARCH": msg24, - "TRACE": msg26, - "TRACK": msg25, - "asdf": msg31, - "get": msg12, - "id": msg14, - "nGET": msg34, - "null": msg28, - "rndmmtd": msg29, - "uGET": msg27, - }), -]); - -var part1 = match("MESSAGE#0:ABCD", "nwparser.payload", "%{saddr}||%{fld5}||%{username}||[%{fld7->} %{timezone}]||%{web_method}||%{web_host}||%{webpage}||%{web_query}||%{network_service}||%{resultcode}||%{sbytes}||%{web_referer}||%{user_agent}||%{web_cookie}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup6, -])); diff --git a/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml b/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml deleted file mode 100644 index ca97aa661d1..00000000000 --- a/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml +++ /dev/null 
@@ -1,64 +0,0 @@
----
-description: Pipeline for Apache Tomcat
-
-processors:
- # ECS event.ingested
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
- # User agent
- - user_agent:
- field: user_agent.original
- ignore_missing: true
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
-
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - append:
- field: related.hosts
- value: '{{host.name}}'
- allow_duplicates: false
- if: ctx.host?.name != null && ctx.host?.name != ''
-on_failure:
- - append:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/tomcat/log/manifest.yml b/x-pack/filebeat/module/tomcat/log/manifest.yml
deleted file mode 100644
index 5df417cde24..00000000000
--- a/x-pack/filebeat/module/tomcat/log/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-module_version: "1.0"
-
-var:
- - name: paths
- - name: tags
- default: ["tomcat.log", "forwarded"]
- - name: syslog_host
- default: localhost
- - name: syslog_port
- default: 9523
- - name: input
- default: udp
- - name: community_id
- default: true
- - name: tz_offset
- default: local
- - name: rsa_fields
- default: true
- - name: keep_raw_fields
- default: false
- - name: debug
- default: false
-
-ingest_pipeline: ingest/pipeline.yml
-input: config/input.yml
-
-requires.processors:
-- name: geoip
- plugin: ingest-geoip
-- name: user_agent
- plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/tomcat/log/test/generated.log b/x-pack/filebeat/module/tomcat/log/test/generated.log
deleted file mode 100644
index 6d52ed9cd2e..00000000000
--- a/x-pack/filebeat/module/tomcat/log/test/generated.log
+++ /dev/null
@@ -1,100 +0,0 @@ -%APACHETOMCAT-1516-asdf: 10.251.224.219||eacommod||rci||[29/Jan/2016:6:09:59 OMST]||exercita||https://example.com/illumqui/ventore.html?min=ite#utl||vol||amremap||oremi||ntsunti||5293||https://mail.example.net/turadipi/aeca.htm?ntium=psaq#cer||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||aliqu -%APACHETOMCAT-259-CFYZ: 10.196.153.12||sequa||abo||[12/Feb/2016:1:12:33 PST]||umqui||https://www5.example.net/mdolo/mqui.htm?sumdo=litesse#orev||pisciv||uii||umexe||estlabo||5222||https://mail.example.com/uat/eporr.jpg?byCicer=luptat#agn||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||nulapari -February 26 20:15:08 ctetur5806.api.home %APACHETOMCAT- COOK: 10.156.194.38||gnaali||enatus||[26/Feb/2016:8:15:08 PT]||incid||https://internal.example.com/tetur/idolor.html?ntex=eius#luptat||emape||aer||lupt||tia||7019||https://www.example.com/quis/orisn.txt?anti=ofdeF#metcons||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||nul -%APACHETOMCAT-1060-INDEX: 10.196.118.192||tinculp||tur||[12/Mar/2016:3:17:42 CT]||equat||https://www5.example.org/nci/ofdeFin.gif?amco=exe#iatu||ionofde||con||uia||quiavo||1156||https://mail.example.com/consec/taliquip.html?radip=tNequ#gelit||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||tconsec -%APACHETOMCAT-4141-BADMTHD: 10.246.209.145||oluptas||llu||[26/Mar/2016:10:20:16 GMT+02:00]||ommod||https://internal.example.com/aqui/radipis.jpg?llumd=enatuse#magn||equuntu||eos||enimad||rmagni||1998||https://internal.example.net/onev/tenima.jpg?seq=olorema#ccaecat||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 
Mobile Safari/537.36||fug -%APACHETOMCAT-2964-BADMETHOD: 10.114.191.225||uian||tempo||[09/Apr/2016:5:22:51 PST]||exercit||https://internal.example.com/omnis/antium.txt?lupta=iusmodt#doloreeu||pori||occ||ect||reetdolo||2770||https://www5.example.org/uiano/mrema.htm?anim=autfugi#inBCSedu||Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36||tanimi -April 24 00:25:25 erep2696.www.home %APACHETOMCAT- INDEX: 10.38.77.13||aquaeab||liqu||[24/Apr/2016:12:25:25 PT]||ehend||https://www5.example.net/uidolore/niamqu.gif?iat=tevelit#nsequat||loremagn||ipis||gelits||tatevel||3856||https://api.example.com/uovol/dmi.txt?quunt=ptat#ore||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||tsed -May 8 07:27:59 mUt2398.invalid %APACHETOMCAT- DEBUG: 10.11.201.109||boree||ugits||[08/May/2016:7:27:59 CEST]||iinea||https://www.example.org/idexea/riat.txt?tvol=moll#tatione||inB||deomni||tquovol||ntsuntin||3341||https://mail.example.org/imav/ididu.htm?tion=orsitame#quiratio||Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||iam -%APACHETOMCAT-3097-BADMTHD: 10.182.166.181||apariat||mol||[22/May/2016:2:30:33 CT]||olupta||https://api.example.org/toccae/tatno.gif?taliqu=temUten#ccusan||iqu||ollit||usan||aper||5529||https://example.org/uaera/sitas.txt?aedic=atquovo#iumto||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||mquaera -%APACHETOMCAT-6283-null: 10.185.126.247||vel||quu||[05/Jun/2016:9:33:08 OMST]||avol||https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq||metcon||smo||litessec||emporinc||5075||https://internal.example.com/atcu/oremagna.jpg?remipsum=liq#ist||Opera/9.80 (Series 
60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||caecatc -June 20 04:35:42 siuta2896.www.localhost %APACHETOMCAT- SEARCH: 10.72.114.23||enia||nsequu||[20/Jun/2016:4:35:42 PST]||rsint||https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf||antiumto||strude||ctetura||usmod||1640||https://mail.example.net/lor/fugit.jpg?rsitamet=lupt#xea||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||orain -July 4 11:38:16 oin6316.www5.host %APACHETOMCAT- TRACE: 10.129.241.147||lores||lapariat||[04/Jul/2016:11:38:16 PST]||etc||https://example.net/nimadmin/ditautfu.html?lpa=entsu#dun||onproide||luptat||itaut||imaven||152||https://internal.example.net/onproide/Nemoen.gif?pitla=ccu#urE||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||inculpaq -July 18 18:40:50 tionemu7691.www.local %APACHETOMCAT- BDMTHD: 10.185.101.76||errorsi||des||[18/Jul/2016:6:40:50 GMT+02:00]||stl||https://www5.example.com/ono/stru.jpg?emaperi=tame#tinvol||tectobe||colabor||iusmodt||etdolo||3768||https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu||Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80||itecto -%APACHETOMCAT-3217-GET: 10.57.170.140||nsec||onse||[02/Aug/2016:1:43:25 OMST]||inibusBo||https://example.net/tion/eataev.htm?uiineavo=tisetq#irati||ici||giatquov||eritquii||dexeac||3088||https://www.example.org/oreseos/uames.txt?msequi=isnostru#iquaUten||Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36||iadese -%APACHETOMCAT-1109-PUT: 10.33.153.47||hil||atquovo||[16/Aug/2016:8:45:59 
GMT+02:00]||iineavo||https://internal.example.com/isno/taliq.htm?nnu=dolo#Loremip||idolor||emeumfu||CSed||lupt||6136||https://internal.example.net/quip/mporain.txt?uatD=iunt#temveleu||Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||tio -August 30 15:48:33 conse2991.internal.lan %APACHETOMCAT- FGET: 10.116.104.101||gnam||tat||[30/Aug/2016:3:48:33 CET]||lumqui||https://internal.example.net/mdolore/rQuisau.gif?iavolu=den#tutla||olorema||iades||siarchi||datatn||5076||https://internal.example.net/mipsumd/eFinib.jpg?remi=saute#ercit||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||remagn -%APACHETOMCAT-3361-null: 10.202.194.67||samvolu||ittenbyC||[13/Sep/2016:10:51:07 ET]||eirure||https://internal.example.com/oidentsu/atiset.jpg?ntor=lpaqui#sitame||iadese||nsectet||utla||utei||2716||https://example.com/tlabori/oin.jpg?quisnos=ite#ationul||Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||eritqu -September 28 05:53:42 wri2784.api.domain %APACHETOMCAT- PUT: 10.153.111.103||itquiin||modocon||[28/Sep/2016:5:53:42 PST]||taevit||https://www5.example.com/etconse/tincu.txt?lit=asun#estia||eaq||occae||ctetura||labore||4621||https://www.example.com/adeseru/emoe.html?atur=itanimi#itame||Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30||rehender -%APACHETOMCAT-1637-DETECT_METHOD_TYPE: 10.52.186.29||equat||doloreme||[12/Oct/2016:12:56:16 GMT+02:00]||ione||https://www5.example.org/eriamea/amre.htm?magni=pisciv#iquidex||radipisc||tmo||fficiade||uscipit||4168||https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos||Mozilla/5.0 (Linux; Android 8.0.0; 
VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mcolab -October 26 19:58:50 oquisqu2937.mail.domain %APACHETOMCAT- BDMTHD: 10.209.182.237||tper||olor||[26/Oct/2016:7:58:50 GMT-07:00]||osqui||https://www.example.org/iutali/fdeFi.jpg?liquide=etdol#uela||boN||eprehend||aevit||aboN||3423||https://example.net/tlabo/uames.gif?mpo=offi#giatnu||Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]||lor -November 10 03:01:24 dolore1287.internal.lan %APACHETOMCAT- CFYZ: 10.63.194.87||quisno||sin||[10/Nov/2016:3:01:24 CT]||aliquam||https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn||isnisiu||bore||tsu||tcons||3128||https://api.example.org/lorinre/olorsita.gif?idata=rumwritt#magnid||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||dol -%APACHETOMCAT-4307-TRACE: 10.62.191.18||tevelite||orporiss||[24/Nov/2016:10:03:59 OMST]||tlabo||https://www.example.org/emvel/tmollita.htm?numqua=veni#eveli||eroi||dtemp||aliquide||ofde||4940||https://www5.example.org/maven/hende.jpg?labor=didunt#uptatema||Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||udan -%APACHETOMCAT-6040-CFYZ: 10.238.164.29||aturQui||utlabor||[08/Dec/2016:5:06:33 ET]||temvel||https://example.net/nisi/dant.txt?ecte=tinvolu#iurer||iciadese||quidolor||tessec||olupta||2660||https://example.org/idolor/uisau.jpg?llumdolo=nre#ercitat||Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 
YaSearchBrowser/10.30||uiinea -%APACHETOMCAT-1612-SEARCH: 10.155.230.17||eni||ionevo||[23/Dec/2016:12:09:07 CT]||Ute||https://internal.example.com/sintocc/tlabor.txt?tDuisaut=oinBC#quameius||ipsumdol||tet||etdo||urerepr||4674||https://example.com/tetu/stru.htm?tlabore=Exc#pora||Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||uteirure -January 6 07:11:41 ide2767.www5.local %APACHETOMCAT- RNDMMTD: 10.102.229.102||nnum||tenbyCi||[06/Jan/2017:7:11:41 PST]||tco||https://example.net/officiad/itam.html?madmi=tur#roi||niamqui||orem||sno||atno||5263||https://mail.example.net/ntocca/ostru.txt?quiavol=rrorsi#temquiav||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||sec -January 20 14:14:16 sBon1759.invalid %APACHETOMCAT- HEAD: 10.194.14.7||ten||vita||[20/Jan/2017:2:14:16 OMST]||ullamcor||https://mail.example.org/tor/qui.txt?eavolup=fugiatn#docon||etconsec||ios||evolu||ersp||3536||https://www5.example.org/sauteiru/mod.gif?tes=mquame#nihilmol||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||orain -%APACHETOMCAT-6113-get: 10.99.0.226||madmi||uidol||[03/Feb/2017:9:16:50 ET]||quameius||https://api.example.net/roid/inibusB.jpg?Nemoenim=squirati#Sedutp||utp||ema||rsitv||iciade||5649||https://example.com/lup/tatemUt.html?upida=tvolupt#eufugi||Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36||uredol -%APACHETOMCAT-6945-DETECT_METHOD_TYPE: 10.107.174.213||tenimad||minimav||[18/Feb/2017:4:19:24 OMST]||taedicta||https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut||uamni||ctet||ati||uine||2438||https://api.example.org/loreme/untu.htm?ven=con#nisist||Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36||ium -March 4 11:21:59 idunt4707.host %APACHETOMCAT- ABCD: 10.84.25.23||laudant||isnost||[04/Mar/2017:11:21:59 CET]||rQuisau||https://mail.example.org/iscinge/ofdeFini.jpg?molli=velitse#oditem||gitsedqu||borios||rsitvolu||quam||5315||https://www.example.org/ineavo/pexe.htm?iadolor=amcol#adeser||Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||gitsed -%APACHETOMCAT-4367-uGET: 10.193.143.108||idolo||luptate||[18/Mar/2017:6:24:33 PT]||atisun||https://www.example.org/epre/tobeata.html?quia=iduntu#idestlab||rnatur||ofdeFin||essequam||acommo||3105||https://api.example.com/cusant/atemq.gif?itecto=reetdol#totamre||Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||ercita -April 2 01:27:07 emquia1497.www5.lan %APACHETOMCAT- INDEX: 10.190.51.22||uamei||siut||[02/Apr/2017:1:27:07 CT]||uisa||https://example.com/mexe/its.htm?ice=oles#edic||seq||tutlab||sau||atevelit||2450||https://example.org/aperia/ccaeca.gif?ttenby=boris#stenatu||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||orumSe -April 16 08:29:41 riat3854.www5.home %APACHETOMCAT- BADMETHOD: 10.194.90.130||siut||tconsect||[16/Apr/2017:8:29:41 PT]||piscinge||https://www.example.com/velitess/naali.htm?nre=veli#volupta||rnatu||elitse||ima||quasia||2382||https://www5.example.com/quamqua/eacommod.html?iumdol=tpersp#stla||mobmail android 2.1.3.3150||sequamni -%APACHETOMCAT-6198-BDMTHD: 10.10.213.83||nea||psum||[30/Apr/2017:3:32:16 
OMST]||ncididun||https://www.example.org/xeacomm/cinge.txt?apariat=vitaedi#lorsita||dolore||uptate||quidexea||ect||23||https://internal.example.com/ate/odoconse.jpg?quatu=veli#tenim||Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]||labo -May 14 22:34:50 aboreetd5461.host %APACHETOMCAT- uGET: 10.52.125.9||hit||urv||[14/May/2017:10:34:50 ET]||nimid||https://api.example.org/texpli/exeacom.jpg?rita=esseci#tametcon||liqua||mvele||isis||uasiar||2552||https://mail.example.net/loremqu/dantium.htm?teirured=onemulla#dolorem||Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]||rauto -%APACHETOMCAT-5770-RNDMMTD: 10.19.17.202||nby||mve||[29/May/2017:5:37:24 PT]||isau||https://api.example.net/ibusBon/ven.gif?nsequat=doloreme#dun||reprehe||tincu||suntin||itse||814||https://www5.example.org/intocc/amcorp.html?ssecillu=liqua#olo||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||aec -June 12 12:39:58 iquidexe304.mail.test %APACHETOMCAT- RNDMMTD: 10.195.64.5||oreetd||uat||[12/Jun/2017:12:39:58 PT]||moenimi||https://mail.example.org/oconsequ/edquiac.gif?preh=ercit#etMal||qua||rsita||ate||ipsamvo||344||https://api.example.com/tdol/upt.htm?asper=idunt#luptat||Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||ica -June 26 19:42:33 remips4828.www5.host %APACHETOMCAT- POST: 10.209.77.194||tvolup||itesseq||[26/Jun/2017:7:42:33 
OMST]||snost||https://internal.example.com/llamc/nte.htm?utali=porinc#tetur||xce||dat||aincidu||nimadmin||4843||https://mail.example.com/eumfugi/etdolor.htm?dic=cola#amcor||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||elites -%APACHETOMCAT-1952-MKCOL: 10.168.6.90||rem||amvolupt||[11/Jul/2017:2:45:07 GMT+02:00]||atisund||https://example.net/ites/isetq.gif?nisiut=tur#avolupt||ariatur||rer||iconseq||porincid||6941||https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt||Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80||tae -%APACHETOMCAT-7717-rndmmtd: 10.89.137.238||plica||ore||[25/Jul/2017:9:47:41 OMST]||emqu||https://mail.example.com/acommod/itsedd.html?admin=stenatu#inibu||est||uptatemU||leumiu||tla||4765||https://api.example.org/isa/niamqui.jpg?dqu=pid#rExc||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||erun -%APACHETOMCAT-4574-OPTIONS: 10.246.61.213||ntutlabo||iusmodte||[08/Aug/2017:4:50:15 CT]||loi||https://example.org/Nequepor/eirure.htm?idid=tesse#sequat||giatquov||tconsec||miurerep||toccaec||7645||https://www5.example.net/psaqua/ullamcor.txt?qui=cupi#tame||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||orroq -August 22 23:52:50 orin5238.host %APACHETOMCAT- MKCOL: 10.117.44.138||orem||rcit||[22/Aug/2017:11:52:50 PST]||enderit||https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo||oluptas||emvele||isnost||olorem||2760||https://www5.example.net/quunt/acommod.jpg?sit=rumSect#ita||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||aliq 
-%APACHETOMCAT-4801-PRONECT: 10.69.30.196||tore||elits||[06/Sep/2017:6:55:24 OMST]||ruredo||https://example.net/temUt/ptassita.gif?uamnihi=risnis#uov||itlab||urmag||omm||equ||4808||https://www.example.net/siuta/urmagn.html?uptat=idex#ptateve||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||nimveni -%APACHETOMCAT-7668-BADMTHD: 10.135.91.88||ercit||eporroq||[20/Sep/2017:1:57:58 CT]||ugiatn||https://api.example.com/dictasun/abore.txt?modocon=ipsu#ntNeq||tate||urExce||asi||ectiono||2241||https://example.org/onu/liquaUte.txt?velillu=ria#atDu||Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||emq -October 4 21:00:32 agnaaliq1829.mail.test %APACHETOMCAT- ABCD: 10.81.45.174||tin||fugitse||[04/Oct/2017:9:00:32 CEST]||liquide||https://example.net/Sedutpe/prehen.html?rcit=aecatcup#olabor||estl||erun||iruredol||incidid||7699||https://api.example.org/edquian/loremeu.gif?volupta=dmi#untexpl||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mipsamvo -%APACHETOMCAT-3517-rndmmtd: 10.87.179.233||mnisiut||avolu||[19/Oct/2017:4:03:07 PST]||eum||https://www.example.org/umetMal/asper.htm?metcons=itasper#uae||mve||uia||iciad||lorem||6137||https://www.example.org/redol/gnaa.htm?aliquamq=dtempori#toditaut||Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||dexerc -%APACHETOMCAT-2669-COOK: 10.198.57.130||hitec||henderit||[02/Nov/2017:11:05:41 OMST]||perspici||https://api.example.net/mquisn/queips.gif?emUte=molestia#quir||eavolup||emip||ver||erc||294||https://example.com/iuntNequ/esseq.txt?remq=veniamq#occ||Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90||emo -%APACHETOMCAT-494-GET: 
10.218.0.197||dolor||econs||[16/Nov/2017:6:08:15 ET]||eritin||https://www.example.net/yCic/nder.jpg?itanim=nesciun#saqu||iscive||quasiar||aeab||teur||609||https://www.example.org/mol/tur.jpg?usmodi=ree#saquaea||Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||eetd -December 1 01:10:49 iatqu7310.api.home %APACHETOMCAT- get: 10.123.199.198||irured||illumqui||[01/Dec/2017:1:10:49 PST]||tionula||https://mail.example.com/ecatcupi/uamei.html?nreprehe=onse#olorem||turvel||eratv||ipsa||asuntexp||1390||https://example.com/oremquel/lmole.jpg?boNem=iumt#tsed||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||mpo -December 15 08:13:24 uamnihil6127.api.domain %APACHETOMCAT- POST: 10.29.119.245||tatnon||leumiur||[15/Dec/2017:8:13:24 ET]||ore||https://internal.example.net/ection/roquisqu.html?ceroinB=nim#utaliqu||rsi||taliqui||mides||ciun||39||https://example.org/iatqu/inBCSedu.gif?urExcep=ema#suntex||Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36||anim -December 29 15:15:58 uov1629.internal.invalid %APACHETOMCAT- DETECT_METHOD_TYPE: 10.130.175.17||quide||quaU||[29/Dec/2017:3:15:58 PT]||inimav||https://mail.example.net/iutali/itat.txt?Finibus=radi#xeacom||des||atnulapa||billo||rroqu||2170||https://www.example.org/taedi/tquido.html?etconsec=elillum#upt||Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||onsectet -%APACHETOMCAT-5752-PROPFIND: 10.166.90.130||mdolore||eosquira||[12/Jan/2018:10:18:32 CET]||lloinven||https://mail.example.net/lmolesti/apariatu.htm?moe=msequ#uat||lupta||npr||etconsec||caboNem||1043||https://internal.example.org/litesseq/atcupida.html?tob=dolores#equamnih||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) 
AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||deF -January 27 05:21:06 orumw5960.www5.home %APACHETOMCAT- GET: 10.248.111.207||dolor||tiumto||[27/Jan/2018:5:21:06 GMT-07:00]||quiavol||https://api.example.org/ratv/alorum.jpg?tali=BCS#qui||ugiatquo||incidid||quin||autemv||6174||https://internal.example.org/mipsumqu/tatio.jpg?admi=onnu#olorema||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||atatnon -%APACHETOMCAT-2940-asdf: 10.185.37.32||ame||tesseq||[10/Feb/2018:12:23:41 GMT+02:00]||tem||https://internal.example.net/gitse/ugitse.jpg?tvolup=tdolore#ventore||red||sinto||tatev||luptas||3286||https://api.example.net/aev/inrepr.gif?iadese=nisiu#imad||Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||ptatem -%APACHETOMCAT-4927-SEARCH: 10.5.194.202||onproide||ntmo||[24/Feb/2018:7:26:15 CET]||riosa||https://example.org/pisc/urEx.html?rautod=olest#eataev||atcupi||atem||qui||otamr||7278||https://internal.example.com/meaque/uid.htm?tion=tobeatae#maccusa||Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||iqua -March 11 02:28:49 deriti6952.mail.domain %APACHETOMCAT- PRONECT: 10.183.34.1||boree||isn||[11/Mar/2018:2:28:49 CEST]||der||https://www5.example.com/aconse/prehe.gif?diduntu=eiusmod#itation||veleum||piciatis||nes||lmolesti||1559||https://www.example.org/emaperia/Section.txt?iame=orroquis#aquio||Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30||ntmoll -%APACHETOMCAT-4472-CFYZ: 10.101.163.40||abor||nBCSe||[25/Mar/2018:9:31:24 
CEST]||remips||https://mail.example.net/reetdolo/rationev.html?reetdol=uelauda#ema||odi||ptatems||runtmo||ore||3512||https://internal.example.com/undeom/emullamc.jpg?quaer=eetdo#tlab||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||liq -April 8 16:33:58 nse3421.mail.localhost %APACHETOMCAT- uGET: 10.216.188.152||oremi||ugitsedq||[08/Apr/2018:4:33:58 ET]||atDuis||https://www5.example.com/mUteni/quira.htm?ore=tation#loinve||tatevel||iumdolo||untu||ict||2699||https://internal.example.com/riosamni/icta.gif?umetMa=imadmin#iqui||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||Nequepo -%APACHETOMCAT-1033-nGET: 10.94.140.77||veniam||isnisiu||[22/Apr/2018:11:36:32 OMST]||dol||https://www5.example.org/setquas/minim.gif?tutlabor=reseosq#gna||isiutali||lumqu||onulamco||ons||5050||https://mail.example.net/unt/tass.html?tla=mquiad#CSe||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||psa -%APACHETOMCAT-4133-PUT: 10.223.205.204||lor||ccaec||[07/May/2018:6:39:06 PST]||ommo||https://www.example.com/laudanti/umiurer.txt?rsitvolu=mnisi#usmo||iamea||imaveni||uiacon||iam||7526||https://mail.example.org/oin/itseddoe.html?citati=uamei#eursinto||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||tutla -May 21 13:41:41 tautfug689.localdomain %APACHETOMCAT- PUT: 10.85.137.156||atiset||serror||[21/May/2018:1:41:41 CEST]||isiut||https://mail.example.org/ici/nisiuta.jpg?itae=dtempo#atnula||ditautf||itametc||ori||uamqu||2804||https://example.com/quiac/sunt.gif?etdol=dolorsi#nturmag||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||Except 
-June 4 20:44:15 totam6886.api.localhost %APACHETOMCAT- QUALYS: 10.12.54.142||trudex||liquam||[04/Jun/2018:8:44:15 PST]||lor||https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS||iciadese||riatur||oeni||dol||3000||https://www5.example.net/teturadi/ditau.gif?piscivel=hend#eacommo||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||aer -%APACHETOMCAT-3864-RNDMMTD: 10.158.6.52||dolorem||sed||[19/Jun/2018:3:46:49 OMST]||Nemoenim||https://example.net/labori/porai.gif?utali=sed#xeac||umdolors||lumdo||acom||eFini||4262||https://internal.example.org/uovol/prehend.html?eque=eufug#est||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||ntincul -July 3 10:49:23 tquo854.api.domain %APACHETOMCAT- MKCOL: 10.195.160.182||ine||urerepre||[03/Jul/2018:10:49:23 CT]||itessequ||https://www5.example.org/orissu/fic.gif?ese=mmodoco#amni||atnul||umfugi||stquidol||Nemoenim||1325||https://example.com/tasnul/tuserr.jpg?amvo=tnul#expl||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||isau -%APACHETOMCAT-6084-CONNECT: 10.20.68.117||rQuisaut||quas||[17/Jul/2018:5:51:58 ET]||metco||https://mail.example.com/iuntNeq/eddoei.jpg?sseq=eriam#pernat||udan||archi||iutaliq||urQuis||1742||https://example.net/orum/Bonoru.txt?agnamal=quei#quio||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||lamcola -August 1 00:54:32 venia6656.api.domain %APACHETOMCAT- CONNECT: 10.94.136.235||mmod||iti||[01/Aug/2018:12:54:32 PST]||amqu||https://www5.example.com/tanimid/onpr.gif?gelitse=oremqu#idex||radip||upta||tetura||rumet||6923||https://www5.example.org/lestia/nde.jpg?pisci=sunt#texplica||Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 
Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||ore -August 15 07:57:06 veniam1216.www5.invalid %APACHETOMCAT- NCIRCLE: 10.152.11.26||expli||ugiat||[15/Aug/2018:7:57:06 GMT+02:00]||oinBCSed||https://www.example.net/ntorever/pisciv.gif?eritq=rehen#ipsamvol||elillum||veleumi||nsequatu||nula||2783||https://example.com/santi/ritati.gif?turadip=dip#idolo||Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10||aco -August 29 14:59:40 runtm5729.invalid %APACHETOMCAT- PRONECT: 10.82.118.95||bore||ptate||[29/Aug/2018:2:59:40 GMT+02:00]||labo||https://www5.example.com/quu/xeac.htm?abor=oreverit#scip||Finibus||Utenimad||olupta||tau||5211||https://www5.example.com/itametco/vel.htm?rere=pta#nonn||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||met -%APACHETOMCAT-4322-id: 10.187.152.213||conse||ventor||[12/Sep/2018:10:02:15 CEST]||mag||https://www.example.net/mini/Loremip.html?tur=atnonpr#ita||amquaer||aqui||enby||lpa||3948||https://www5.example.net/iat/ffic.htm?cte=aparia#CSe||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||ugitsedq -September 27 05:04:49 pta6012.www.local %APACHETOMCAT- uGET: 10.98.71.45||destla||fugitse||[27/Sep/2018:5:04:49 GMT+02:00]||eirur||https://www.example.net/duntutla/lamco.txt?isci=Dui#reetdo||ever||civelits||eos||ipitlabo||5440||https://internal.example.net/nonn/hite.htm?ariatur=labo#sautei||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||unt -%APACHETOMCAT-5971-uGET: 10.86.123.33||ugia||meum||[11/Oct/2018:12:07:23 
OMST]||doei||https://www5.example.net/tev/nre.html?occaeca=eturadip#ent||rumSecti||Utenima||olore||orumS||757||https://www5.example.org/eursint/orio.txt?iameaqu=aaliquaU#olu||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||yCiceroi -%APACHETOMCAT-2852-FGET: 10.6.112.183||deom||oluptat||[25/Oct/2018:7:09:57 GMT-07:00]||eni||https://www5.example.net/uamnih/nseq.txt?uidolo=umdolore#dmi||tam||oremip||eufugi||dunt||6169||https://api.example.net/uidexeac/sequa.html?modoc=magnam#uinesc||Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||idatat -November 9 02:12:32 orsi2109.internal.home %APACHETOMCAT- LOCK: 10.227.156.143||sis||idolo||[09/Nov/2018:2:12:32 CEST]||tsedquia||https://example.net/umdolor/isiu.html?mmodi=snostr#eniamqu||inimav||tatevel||midestl||nci||6587||https://www5.example.org/nvolupt/meiusm.htm?aturv=ectetura#obeataev||Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10||seq -November 23 09:15:06 quaeabil2539.www5.lan %APACHETOMCAT- get: 10.124.129.248||iamqui||quide||[23/Nov/2018:9:15:06 CT]||cididun||https://example.org/ibusBo/untincu.jpg?lesti=sintocca#mipsumqu||eprehen||hilmole||sequ||sectetu||7182||https://example.net/dolor/lorumwri.htm?mquis=lab#uido||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mwrit -December 7 16:17:40 aal1598.mail.host %APACHETOMCAT- CONNECT: 10.173.125.112||quiavolu||upta||[07/Dec/2018:4:17:40 OMST]||umtota||https://www5.example.org/magnaa/sumquiad.gif?oluptate=Duisa#consequa||eaqueip||itaedict||olorema||rep||3380||https://www5.example.net/siarc/fdeFin.jpg?tobeata=nesciun#amcolab||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||isnisiut -%APACHETOMCAT-5227-GET: 10.37.156.140||uisnos||olores||[21/Dec/2018:11:20:14 PST]||epo||https://www.example.org/evolup/rvelil.gif?eavolup=ipsumq#evit||tno||iss||taspe||lum||5911||https://api.example.net/eturad/tDuis.htm?enimadmi=tateveli#osa||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||idolorem -%APACHETOMCAT-5776-PRONECT: 10.121.225.135||ufugi||cin||[05/Jan/2019:6:22:49 ET]||byC||https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex||nse||miurere||evit||uatu||2448||https://www5.example.org/uamestqu/mpor.jpg?hender=ptatemU#seq||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||tnulapa -%APACHETOMCAT-7708-DEBUG: 10.123.68.56||expl||olore||[19/Jan/2019:1:25:23 CEST]||dentsunt||https://www.example.org/animid/upta.jpg?onnumqua=quioff#iuntN||ipis||itautfu||nesci||tam||1206||https://mail.example.net/tetura/eeufug.txt?modt=iduntutl#rsitam||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||ntor -February 2 20:27:57 oid218.api.invalid %APACHETOMCAT- RNDMMTD: 10.63.56.164||iquid||evo||[02/Feb/2019:8:27:57 GMT-07:00]||avolu||https://api.example.net/itesse/expl.html?prehende=lup#tpers||orsitv||temseq||uisaute||uun||4638||https://mail.example.net/nemulla/asp.html?ncul=taliq#tautfugi||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||umd -February 17 03:30:32 sectetur2674.www5.test %APACHETOMCAT- HEAD: 10.62.10.137||eeufugi||deomnisi||[17/Feb/2019:3:30:32 ET]||issus||https://example.net/deritinv/evelite.html?iav=odico#rsint||itl||ttenb||olor||quiav||6648||https://example.com/eumfu/lors.gif?upidata=ici#usant||Mozilla/5.0 (Linux; Android 10; SM-A305FN 
Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10||con -March 3 10:33:06 sequatD4487.internal.localhost %APACHETOMCAT- INDEX: 10.89.154.115||oeiusmo||nimv||[03/Mar/2019:10:33:06 GMT+02:00]||tconse||https://example.org/tseddoei/teursint.htm?remagnaa=lamcolab#ceroinB||umqui||citation||temsequi||mquia||1119||https://api.example.net/iveli/conseq.htm?ercitat=taspe#yCiceroi||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||cti -%APACHETOMCAT-4758-TRACE: 10.122.252.130||tuser||mmo||[17/Mar/2019:5:35:40 PST]||tlaboru||https://www5.example.com/ciad/ugiatqu.gif?turveli=isciv#natus||boreet||luptasnu||ento||snostr||3904||https://api.example.org/xerc/Nequep.htm?ria=beat#rro||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||uisau -%APACHETOMCAT-2573-id: 10.195.152.53||ueporroq||ute||[01/Apr/2019:12:38:14 GMT-07:00]||tationu||https://api.example.com/olore/ntutlab.htm?ameaquei=gnama#esciun||tesse||olupta||isno||oluptas||5560||https://www.example.net/rinrepr/dutp.jpg?modo=uiavo#uisaut||mobmail android 2.1.3.3150||paq -April 15 07:40:49 nul5107.www5.domain %APACHETOMCAT- ABCD: 10.9.255.204||illoin||emUtenim||[15/Apr/2019:7:40:49 CT]||uid||https://mail.example.com/rvelil/adese.htm?incidi=aedictas#rumetMa||mexerci||urEx||ditaut||ctetur||3089||https://mail.example.com/oreeu/mea.jpg?tis=oluptat#emi||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||iaeconse -April 29 14:43:23 nimadmin5630.localdomain %APACHETOMCAT- RNDMMTD: 10.214.235.133||equ||nulapari||[29/Apr/2019:2:43:23 
GMT-07:00]||tsunt||https://www.example.org/oremi/ectobeat.gif?oreeu=uasiarch#Malor||boriosa||cillumdo||ditau||moenimip||5930||https://internal.example.net/oreetd/lor.txt?etc=eturadip#nost||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||evel -May 13 21:45:57 sequuntu3563.internal.test %APACHETOMCAT- TRACE: 10.5.134.204||apari||iarchit||[13/May/2019:9:45:57 PT]||orum||https://api.example.com/orsitam/tiset.jpg?ati=rauto#doloreeu||lors||eumfu||docons||tur||3197||https://api.example.org/uasi/maveniam.html?rspicia=pitl#imi||Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80||taevit -%APACHETOMCAT-6820-SEARCH: 10.144.111.42||sumquia||vento||[28/May/2019:4:48:31 CEST]||asnu||https://example.org/rep/mveni.txt?utpers=num#ctetura||quaerat||tDuisau||aturve||ptateve||7615||https://internal.example.com/tconsect/pariat.gif?etcon=ctobeat#isi||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||lorumw -%APACHETOMCAT-3071-FGET: 10.122.0.80||olupt||ola||[11/Jun/2019:11:51:06 CT]||etquasia||https://example.net/adm/snostr.jpg?tec=itaspe#con||illumdo||antium||remaper||eseosq||2945||https://www.example.com/uae/ata.htm?snulap=cidu#hilmol||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||quamq -June 25 18:53:40 tdolo2150.www.example %APACHETOMCAT- ABCD: 10.165.33.19||uamqu||iusmodi||[25/Jun/2019:6:53:40 ET]||aparia||https://mail.example.com/ccusant/epteurs.htm?oidentsu=oditau#onsec||dit||namaliqu||yCic||tetura||1569||https://www.example.net/ttenb/eirure.txt?rem=exer#eeufug||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||lapari -July 10 01:56:14 cinge6032.api.local %APACHETOMCAT- BADMTHD: 10.87.92.17||utlabore||tamr||[10/Jul/2019:1:56:14 CT]||iutaliq||https://mail.example.org/onemul/trudexe.txt?ura=oreeufug#Quisa||quiav||ctionofd||elit||sam||6211||https://internal.example.org/unt/isni.htm?ecillum=olor#amei||Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||quid -%APACHETOMCAT-7615-BADMETHOD: 10.51.52.203||wri||itame||[24/Jul/2019:8:58:48 ET]||dictasun||https://example.com/lorese/olupta.jpg?onsec=idestl#litani||emp||arch||non||mollit||5823||https://internal.example.org/tobeatae/ntut.gif?exe=naa#equat||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mqu -August 7 16:01:23 ende6053.local %APACHETOMCAT- rndmmtd: 10.0.211.86||rsp||imipsa||[07/Aug/2019:4:01:23 CEST]||int||https://internal.example.net/llitani/uscipit.html?etcons=etco#iuntN||utfugi||ursintoc||tio||mmodicon||6776||https://internal.example.net/tvol/lup.gif?ollita=qua#ionula||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||cusa -%APACHETOMCAT-264-OPTIONS: 10.106.34.244||eumiu||nim||[21/Aug/2019:11:03:57 PST]||rehen||https://mail.example.net/ptat/mipsu.htm?eturadip=amquaera#rsitamet||leumiur||ssequamn||ave||taliqui||3714||https://example.net/undeomn/ape.jpg?amco=ons#onsecte||Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||atquo -%APACHETOMCAT-2943-nGET: 10.191.210.188||inculpa||ruredol||[05/Sep/2019:6:06:31 OMST]||ipit||https://www.example.org/quae/periam.html?emoenimi=iquipex#mqu||onorume||abill||ametcon||ofdeFini||7052||https://example.net/tionev/uasiarch.html?qui=ehender#equa||Mozilla/5.0 (Linux; Android 4.1.2; 
Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||nimides -%APACHETOMCAT-6165-BDMTHD: 10.2.38.49||asiarc||lor||[19/Sep/2019:1:09:05 GMT+02:00]||snula||https://www.example.com/bori/dipi.gif?utf=dolor#dexe||nemul||Duis||lupt||quatur||5775||https://www.example.org/ipsa/con.gif?uianonnu=tatiset#quira||mobmail android 2.1.3.3150||aea -October 3 20:11:40 didun1193.example %APACHETOMCAT- id: 10.66.92.90||orumwri||atisu||[03/Oct/2019:8:11:40 PST]||tse||https://example.com/iat/tqui.gif?utaliqui=emse#emqui||cipitla||tlab||vel||ionevo||4580||https://mail.example.com/volupta/umfu.gif?tisetq=tDuisaut#dolo||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||samvol -October 18 03:14:14 apari2660.www5.lan %APACHETOMCAT- BADMTHD: 10.97.108.108||fficiad||teirured||[18/Oct/2019:3:14:14 PST]||sistena||https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost||sequines||olor||sequa||lorum||7649||https://mail.example.com/Sedut/tatis.gif?reeufugi=sequines#minimve||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||toditau -November 1 10:16:48 nvolupta238.www.host %APACHETOMCAT- COOK: 10.147.147.248||onpr||uira||[01/Nov/2019:10:16:48 CET]||ptatev||https://api.example.net/uiaco/aliqu.txt?udexerci=uae#imveni||econ||aborio||rve||catcup||177||https://www5.example.org/busBon/norumetM.jpg?vitaedi=rna#cons||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||lupta -November 15 17:19:22 icer123.mail.example %APACHETOMCAT- NCIRCLE: 10.152.190.61||imvenia||culp||[15/Nov/2019:5:19:22 
GMT-07:00]||nesciu||https://www.example.org/roinBCSe/eetdolor.html?tla=iaconseq#sed||sedd||atione||tvolup||oremeu||6708||https://api.example.com/dan/pta.html?oNem=itaedict#eroi||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||uptateve -November 30 00:21:57 lumqui6488.api.example %APACHETOMCAT- DETECT_METHOD_TYPE: 10.129.232.105||des||deFini||[30/Nov/2019:12:21:57 GMT-07:00]||aliquaU||https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti||edictasu||eturadi||umS||noru||5321||https://api.example.org/taevitae/tevel.htm?vol=ita#iquipexe||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||quamqua -%APACHETOMCAT-5473-TRACE: 10.12.173.112||Excepteu||mco||[14/Dec/2019:7:24:31 PT]||undeom||https://internal.example.org/teturadi/radipi.gif?upidatat=mod#niamqui||litsedd||nidol||inBC||hite||423||https://api.example.net/dminimve/remips.txt?uiac=tquii#tesse||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||emeumfu
diff --git a/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json b/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json
deleted file mode 100644
index 4e5d8079691..00000000000
--- a/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json
+++ /dev/null
@@ -1,6144 +0,0 @@ -[ - { - "@timestamp": "2016-01-29T08:09:59.000Z", - "event.code": "asdf", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-1516-asdf: 10.251.224.219||eacommod||rci||[29/Jan/2016:6:09:59 OMST]||exercita||https://example.com/illumqui/ventore.html?min=ite#utl||vol||amremap||oremi||ntsunti||5293||https://mail.example.net/turadipi/aeca.htm?ntium=psaq#cer||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||aliqu", - "event.timezone": "OMST", - "file.name": "vol", - "fileset.name": "log", - "http.request.referrer": "https://mail.example.net/turadipi/aeca.htm?ntium=psaq#cer", - "input.type": "log", - "log.offset": 0, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "example.com", - "https://example.com/illumqui/ventore.html?min=ite#utl", - "mail.example.net" - ], - "related.ip": [ - "10.251.224.219" - ], - "related.user": [ - "rci" - ], - "rsa.internal.level": 1516, - "rsa.internal.messageid": "asdf", - "rsa.misc.action": [ - "exercita" - ], - "rsa.misc.result_code": "ntsunti", - "rsa.network.network_service": "oremi", - "rsa.time.event_time": "2016-01-29T08:09:59.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.alias_host": "https://example.com/illumqui/ventore.html?min=ite#utl", - "rsa.web.fqdn": "https://example.com/illumqui/ventore.html?min=ite#utl", - "rsa.web.web_cookie": "aliqu", - "rsa.web.web_ref_domain": "mail.example.net", - "service.type": "tomcat", - "source.bytes": 5293, - "source.ip": "10.251.224.219", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "example.com", - "url.query": "amremap", - "url.registered_domain": "example.com", - "url.top_level_domain": "com", - "user.name": "rci", - "user_agent.device.name": "G8142", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2016-02-12T03:12:33.000Z", - "event.code": "CFYZ", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-259-CFYZ: 10.196.153.12||sequa||abo||[12/Feb/2016:1:12:33 PST]||umqui||https://www5.example.net/mdolo/mqui.htm?sumdo=litesse#orev||pisciv||uii||umexe||estlabo||5222||https://mail.example.com/uat/eporr.jpg?byCicer=luptat#agn||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||nulapari", - "event.timezone": "PST", - "file.name": "pisciv", - "fileset.name": "log", - "http.request.referrer": "https://mail.example.com/uat/eporr.jpg?byCicer=luptat#agn", - "input.type": "log", - "log.offset": 369, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://www5.example.net/mdolo/mqui.htm?sumdo=litesse#orev", - "mail.example.com", - "www5.example.net" - ], - "related.ip": [ - "10.196.153.12" - ], - "related.user": [ - "abo" - ], - "rsa.internal.level": 259, - "rsa.internal.messageid": "CFYZ", - "rsa.misc.action": [ - "umqui" - ], - "rsa.misc.result_code": "estlabo", - "rsa.network.network_service": "umexe", - "rsa.time.event_time": "2016-02-12T03:12:33.000Z", - "rsa.time.timezone": "PST", - "rsa.web.alias_host": "https://www5.example.net/mdolo/mqui.htm?sumdo=litesse#orev", - "rsa.web.fqdn": "https://www5.example.net/mdolo/mqui.htm?sumdo=litesse#orev", - "rsa.web.web_cookie": "nulapari", - "rsa.web.web_ref_domain": "mail.example.com", - "service.type": "tomcat", - "source.bytes": 5222, - "source.ip": "10.196.153.12", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www5.example.net", - "url.query": "uii", - "url.registered_domain": "example.net", - "url.subdomain": "www5", - 
"url.top_level_domain": "net", - "user.name": "abo", - "user_agent.device.name": "Generic Smartphone", - "user_agent.name": "Opera Mini", - "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", - "user_agent.os.name": "Symbian OS", - "user_agent.version": "7.1.32444" - }, - { - "@timestamp": "2016-02-26T10:15:08.000Z", - "event.code": "COOK", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "February 26 20:15:08 ctetur5806.api.home %APACHETOMCAT- COOK: 10.156.194.38||gnaali||enatus||[26/Feb/2016:8:15:08 PT]||incid||https://internal.example.com/tetur/idolor.html?ntex=eius#luptat||emape||aer||lupt||tia||7019||https://www.example.com/quis/orisn.txt?anti=ofdeF#metcons||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||nul", - "event.timezone": "PT", - "file.name": "emape", - "fileset.name": "log", - "host.name": "ctetur5806.api.home", - "http.request.referrer": "https://www.example.com/quis/orisn.txt?anti=ofdeF#metcons", - "input.type": "log", - "log.offset": 708, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "ctetur5806.api.home", - "https://internal.example.com/tetur/idolor.html?ntex=eius#luptat", - "internal.example.com", - "www.example.com" - ], - "related.ip": [ - "10.156.194.38" - ], - "related.user": [ - "enatus" - ], - "rsa.internal.messageid": "COOK", - "rsa.misc.action": [ - "incid" - ], - "rsa.misc.result_code": "tia", - "rsa.network.alias_host": [ - "ctetur5806.api.home" - ], - "rsa.network.network_service": "lupt", - "rsa.time.event_time": "2016-02-26T10:15:08.000Z", - "rsa.time.timezone": "PT", - "rsa.web.alias_host": "https://internal.example.com/tetur/idolor.html?ntex=eius#luptat", - "rsa.web.fqdn": "https://internal.example.com/tetur/idolor.html?ntex=eius#luptat", - 
"rsa.web.web_cookie": "nul", - "rsa.web.web_ref_domain": "www.example.com", - "service.type": "tomcat", - "source.bytes": 7019, - "source.ip": "10.156.194.38", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "internal.example.com", - "url.query": "aer", - "url.registered_domain": "example.com", - "url.subdomain": "internal", - "url.top_level_domain": "com", - "user.name": "enatus", - "user_agent.device.name": "Samsung SM-A260G", - "user_agent.name": "Chrome Mobile WebView", - "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", - "user_agent.os.full": "Android 8.1.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "8.1.0", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2016-03-12T05:17:42.000Z", - "event.code": "INDEX", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-1060-INDEX: 10.196.118.192||tinculp||tur||[12/Mar/2016:3:17:42 CT]||equat||https://www5.example.org/nci/ofdeFin.gif?amco=exe#iatu||ionofde||con||uia||quiavo||1156||https://mail.example.com/consec/taliquip.html?radip=tNequ#gelit||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||tconsec", - "event.timezone": "CT", - "file.name": "ionofde", - "fileset.name": "log", - "http.request.referrer": "https://mail.example.com/consec/taliquip.html?radip=tNequ#gelit", - "input.type": "log", - "log.offset": 1166, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://www5.example.org/nci/ofdeFin.gif?amco=exe#iatu", - "mail.example.com", - "www5.example.org" - ], - "related.ip": [ - "10.196.118.192" - ], - "related.user": [ - "tur" - ], - "rsa.internal.level": 1060, - 
"rsa.internal.messageid": "INDEX", - "rsa.misc.action": [ - "equat" - ], - "rsa.misc.result_code": "quiavo", - "rsa.network.network_service": "uia", - "rsa.time.event_time": "2016-03-12T05:17:42.000Z", - "rsa.time.timezone": "CT", - "rsa.web.alias_host": "https://www5.example.org/nci/ofdeFin.gif?amco=exe#iatu", - "rsa.web.fqdn": "https://www5.example.org/nci/ofdeFin.gif?amco=exe#iatu", - "rsa.web.web_cookie": "tconsec", - "rsa.web.web_ref_domain": "mail.example.com", - "service.type": "tomcat", - "source.bytes": 1156, - "source.ip": "10.196.118.192", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www5.example.org", - "url.query": "con", - "url.registered_domain": "example.org", - "url.subdomain": "www5", - "url.top_level_domain": "org", - "user.name": "tur", - "user_agent.device.name": "5024D_RU", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "77.0.3865.92" - }, - { - "@timestamp": "2016-03-26T12:20:16.000Z", - "event.code": "BADMTHD", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-4141-BADMTHD: 10.246.209.145||oluptas||llu||[26/Mar/2016:10:20:16 GMT+02:00]||ommod||https://internal.example.com/aqui/radipis.jpg?llumd=enatuse#magn||equuntu||eos||enimad||rmagni||1998||https://internal.example.net/onev/tenima.jpg?seq=olorema#ccaecat||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||fug", - "event.timezone": "GMT+02:00", - "file.name": "equuntu", - "fileset.name": "log", - "http.request.referrer": "https://internal.example.net/onev/tenima.jpg?seq=olorema#ccaecat", - "input.type": "log", - "log.offset": 
1603, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://internal.example.com/aqui/radipis.jpg?llumd=enatuse#magn", - "internal.example.com", - "internal.example.net" - ], - "related.ip": [ - "10.246.209.145" - ], - "related.user": [ - "llu" - ], - "rsa.internal.level": 4141, - "rsa.internal.messageid": "BADMTHD", - "rsa.misc.action": [ - "ommod" - ], - "rsa.misc.result_code": "rmagni", - "rsa.network.network_service": "enimad", - "rsa.time.event_time": "2016-03-26T12:20:16.000Z", - "rsa.time.timezone": "GMT+02:00", - "rsa.web.alias_host": "https://internal.example.com/aqui/radipis.jpg?llumd=enatuse#magn", - "rsa.web.fqdn": "https://internal.example.com/aqui/radipis.jpg?llumd=enatuse#magn", - "rsa.web.web_cookie": "fug", - "rsa.web.web_ref_domain": "internal.example.net", - "service.type": "tomcat", - "source.bytes": 1998, - "source.ip": "10.246.209.145", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "internal.example.com", - "url.query": "eos", - "url.registered_domain": "example.com", - "url.subdomain": "internal", - "url.top_level_domain": "com", - "user.name": "llu", - "user_agent.device.name": "VS996", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 8.0.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "8.0.0", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2016-04-09T07:22:51.000Z", - "event.code": "BADMETHOD", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-2964-BADMETHOD: 10.114.191.225||uian||tempo||[09/Apr/2016:5:22:51 PST]||exercit||https://internal.example.com/omnis/antium.txt?lupta=iusmodt#doloreeu||pori||occ||ect||reetdolo||2770||https://www5.example.org/uiano/mrema.htm?anim=autfugi#inBCSedu||Mozilla/5.0 (Linux; 
Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36||tanimi", - "event.timezone": "PST", - "file.name": "pori", - "fileset.name": "log", - "http.request.referrer": "https://www5.example.org/uiano/mrema.htm?anim=autfugi#inBCSedu", - "input.type": "log", - "log.offset": 1997, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://internal.example.com/omnis/antium.txt?lupta=iusmodt#doloreeu", - "internal.example.com", - "www5.example.org" - ], - "related.ip": [ - "10.114.191.225" - ], - "related.user": [ - "tempo" - ], - "rsa.internal.level": 2964, - "rsa.internal.messageid": "BADMETHOD", - "rsa.misc.action": [ - "exercit" - ], - "rsa.misc.result_code": "reetdolo", - "rsa.network.network_service": "ect", - "rsa.time.event_time": "2016-04-09T07:22:51.000Z", - "rsa.time.timezone": "PST", - "rsa.web.alias_host": "https://internal.example.com/omnis/antium.txt?lupta=iusmodt#doloreeu", - "rsa.web.fqdn": "https://internal.example.com/omnis/antium.txt?lupta=iusmodt#doloreeu", - "rsa.web.web_cookie": "tanimi", - "rsa.web.web_ref_domain": "www5.example.org", - "service.type": "tomcat", - "source.bytes": 2770, - "source.ip": "10.114.191.225", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "internal.example.com", - "url.query": "occ", - "url.registered_domain": "example.com", - "url.subdomain": "internal", - "url.top_level_domain": "com", - "user.name": "tempo", - "user_agent.device.name": "QMobile X700 PRO II", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "77.0.3865.92" - }, - { - "@timestamp": "2016-04-24T14:25:25.000Z", - "event.code": "INDEX", - 
"event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "April 24 00:25:25 erep2696.www.home %APACHETOMCAT- INDEX: 10.38.77.13||aquaeab||liqu||[24/Apr/2016:12:25:25 PT]||ehend||https://www5.example.net/uidolore/niamqu.gif?iat=tevelit#nsequat||loremagn||ipis||gelits||tatevel||3856||https://api.example.com/uovol/dmi.txt?quunt=ptat#ore||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||tsed", - "event.timezone": "PT", - "file.name": "loremagn", - "fileset.name": "log", - "host.name": "erep2696.www.home", - "http.request.referrer": "https://api.example.com/uovol/dmi.txt?quunt=ptat#ore", - "input.type": "log", - "log.offset": 2400, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "api.example.com", - "erep2696.www.home", - "https://www5.example.net/uidolore/niamqu.gif?iat=tevelit#nsequat", - "www5.example.net" - ], - "related.ip": [ - "10.38.77.13" - ], - "related.user": [ - "liqu" - ], - "rsa.internal.messageid": "INDEX", - "rsa.misc.action": [ - "ehend" - ], - "rsa.misc.result_code": "tatevel", - "rsa.network.alias_host": [ - "erep2696.www.home" - ], - "rsa.network.network_service": "gelits", - "rsa.time.event_time": "2016-04-24T14:25:25.000Z", - "rsa.time.timezone": "PT", - "rsa.web.alias_host": "https://www5.example.net/uidolore/niamqu.gif?iat=tevelit#nsequat", - "rsa.web.fqdn": "https://www5.example.net/uidolore/niamqu.gif?iat=tevelit#nsequat", - "rsa.web.web_cookie": "tsed", - "rsa.web.web_ref_domain": "api.example.com", - "service.type": "tomcat", - "source.bytes": 3856, - "source.ip": "10.38.77.13", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www5.example.net", - "url.query": "ipis", - "url.registered_domain": "example.net", - "url.subdomain": "www5", - "url.top_level_domain": "net", - "user.name": "liqu", - "user_agent.device.name": "Micromax P410i", - 
"user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", - "user_agent.os.full": "Android 4.1.2", - "user_agent.os.name": "Android", - "user_agent.os.version": "4.1.2", - "user_agent.version": "63.0.3239.111" - }, - { - "@timestamp": "2016-05-08T09:27:59.000Z", - "event.code": "DEBUG", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "May 8 07:27:59 mUt2398.invalid %APACHETOMCAT- DEBUG: 10.11.201.109||boree||ugits||[08/May/2016:7:27:59 CEST]||iinea||https://www.example.org/idexea/riat.txt?tvol=moll#tatione||inB||deomni||tquovol||ntsuntin||3341||https://mail.example.org/imav/ididu.htm?tion=orsitame#quiratio||Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||iam", - "event.timezone": "CEST", - "file.name": "inB", - "fileset.name": "log", - "host.name": "mUt2398.invalid", - "http.request.referrer": "https://mail.example.org/imav/ididu.htm?tion=orsitame#quiratio", - "input.type": "log", - "log.offset": 2830, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://www.example.org/idexea/riat.txt?tvol=moll#tatione", - "mUt2398.invalid", - "mail.example.org", - "www.example.org" - ], - "related.ip": [ - "10.11.201.109" - ], - "related.user": [ - "ugits" - ], - "rsa.internal.messageid": "DEBUG", - "rsa.misc.action": [ - "iinea" - ], - "rsa.misc.result_code": "ntsuntin", - "rsa.network.alias_host": [ - "mUt2398.invalid" - ], - "rsa.network.network_service": "tquovol", - "rsa.time.event_time": "2016-05-08T09:27:59.000Z", - "rsa.time.timezone": "CEST", - "rsa.web.alias_host": "https://www.example.org/idexea/riat.txt?tvol=moll#tatione", - "rsa.web.fqdn": 
"https://www.example.org/idexea/riat.txt?tvol=moll#tatione", - "rsa.web.web_cookie": "iam", - "rsa.web.web_ref_domain": "mail.example.org", - "service.type": "tomcat", - "source.bytes": 3341, - "source.ip": "10.11.201.109", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www.example.org", - "url.query": "deomni", - "url.registered_domain": "example.org", - "url.subdomain": "www", - "url.top_level_domain": "org", - "user.name": "ugits", - "user_agent.device.name": "Lenovo A2016a40 ", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "48.0.2564.106" - }, - { - "@timestamp": "2016-05-22T04:30:33.000Z", - "event.code": "BADMTHD", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-3097-BADMTHD: 10.182.166.181||apariat||mol||[22/May/2016:2:30:33 CT]||olupta||https://api.example.org/toccae/tatno.gif?taliqu=temUten#ccusan||iqu||ollit||usan||aper||5529||https://example.org/uaera/sitas.txt?aedic=atquovo#iumto||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||mquaera", - "event.timezone": "CT", - "file.name": "iqu", - "fileset.name": "log", - "http.request.referrer": "https://example.org/uaera/sitas.txt?aedic=atquovo#iumto", - "input.type": "log", - "log.offset": 3299, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "api.example.org", - "example.org", - "https://api.example.org/toccae/tatno.gif?taliqu=temUten#ccusan" - ], - "related.ip": [ - "10.182.166.181" - ], - "related.user": [ - "mol" - ], - "rsa.internal.level": 3097, - 
"rsa.internal.messageid": "BADMTHD", - "rsa.misc.action": [ - "olupta" - ], - "rsa.misc.result_code": "aper", - "rsa.network.network_service": "usan", - "rsa.time.event_time": "2016-05-22T04:30:33.000Z", - "rsa.time.timezone": "CT", - "rsa.web.alias_host": "https://api.example.org/toccae/tatno.gif?taliqu=temUten#ccusan", - "rsa.web.fqdn": "https://api.example.org/toccae/tatno.gif?taliqu=temUten#ccusan", - "rsa.web.web_cookie": "mquaera", - "rsa.web.web_ref_domain": "example.org", - "service.type": "tomcat", - "source.bytes": 5529, - "source.ip": "10.182.166.181", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "api.example.org", - "url.query": "ollit", - "url.registered_domain": "example.org", - "url.subdomain": "api", - "url.top_level_domain": "org", - "user.name": "mol", - "user_agent.device.name": "Micromax P410i", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", - "user_agent.os.full": "Android 4.1.2", - "user_agent.os.name": "Android", - "user_agent.os.version": "4.1.2", - "user_agent.version": "63.0.3239.111" - }, - { - "@timestamp": "2016-06-05T11:33:08.000Z", - "event.code": "null", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-6283-null: 10.185.126.247||vel||quu||[05/Jun/2016:9:33:08 OMST]||avol||https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq||metcon||smo||litessec||emporinc||5075||https://internal.example.com/atcu/oremagna.jpg?remipsum=liq#ist||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||caecatc", - "event.timezone": "OMST", - "file.name": "metcon", - "fileset.name": "log", - "http.request.referrer": "https://internal.example.com/atcu/oremagna.jpg?remipsum=liq#ist", - "input.type": "log", - "log.offset": 3696, - "observer.product": "TomCat", - "observer.type": "Web", - 
"observer.vendor": "Apache", - "related.hosts": [ - "https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq", - "internal.example.com", - "mail.example.net" - ], - "related.ip": [ - "10.185.126.247" - ], - "related.user": [ - "quu" - ], - "rsa.internal.level": 6283, - "rsa.internal.messageid": "null", - "rsa.misc.action": [ - "avol" - ], - "rsa.misc.result_code": "emporinc", - "rsa.network.network_service": "litessec", - "rsa.time.event_time": "2016-06-05T11:33:08.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.alias_host": "https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq", - "rsa.web.fqdn": "https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq", - "rsa.web.web_cookie": "caecatc", - "rsa.web.web_ref_domain": "internal.example.com", - "service.type": "tomcat", - "source.bytes": 5075, - "source.ip": "10.185.126.247", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "mail.example.net", - "url.query": "smo", - "url.registered_domain": "example.net", - "url.subdomain": "mail", - "url.top_level_domain": "net", - "user.name": "quu", - "user_agent.device.name": "Generic Smartphone", - "user_agent.name": "Opera Mini", - "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", - "user_agent.os.name": "Symbian OS", - "user_agent.version": "7.1.32444" - }, - { - "@timestamp": "2016-06-20T06:35:42.000Z", - "event.code": "SEARCH", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "June 20 04:35:42 siuta2896.www.localhost %APACHETOMCAT- SEARCH: 10.72.114.23||enia||nsequu||[20/Jun/2016:4:35:42 PST]||rsint||https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf||antiumto||strude||ctetura||usmod||1640||https://mail.example.net/lor/fugit.jpg?rsitamet=lupt#xea||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||orain", - "event.timezone": "PST", - "file.name": "antiumto", - 
"fileset.name": "log", - "host.name": "siuta2896.www.localhost", - "http.request.referrer": "https://mail.example.net/lor/fugit.jpg?rsitamet=lupt#xea", - "input.type": "log", - "log.offset": 4044, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "example.com", - "https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf", - "mail.example.net", - "siuta2896.www.localhost" - ], - "related.ip": [ - "10.72.114.23" - ], - "related.user": [ - "nsequu" - ], - "rsa.internal.messageid": "SEARCH", - "rsa.misc.action": [ - "rsint" - ], - "rsa.misc.result_code": "usmod", - "rsa.network.alias_host": [ - "siuta2896.www.localhost" - ], - "rsa.network.network_service": "ctetura", - "rsa.time.event_time": "2016-06-20T06:35:42.000Z", - "rsa.time.timezone": "PST", - "rsa.web.alias_host": "https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf", - "rsa.web.fqdn": "https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf", - "rsa.web.web_cookie": "orain", - "rsa.web.web_ref_domain": "mail.example.net", - "service.type": "tomcat", - "source.bytes": 1640, - "source.ip": "10.72.114.23", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "example.com", - "url.query": "strude", - "url.registered_domain": "example.com", - "url.top_level_domain": "com", - "user.name": "nsequu", - "user_agent.device.name": "ZTE BLADE V7", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2016-07-04T13:38:16.000Z", - "event.code": "TRACE", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "July 4 11:38:16 oin6316.www5.host %APACHETOMCAT- TRACE: 
10.129.241.147||lores||lapariat||[04/Jul/2016:11:38:16 PST]||etc||https://example.net/nimadmin/ditautfu.html?lpa=entsu#dun||onproide||luptat||itaut||imaven||152||https://internal.example.net/onproide/Nemoen.gif?pitla=ccu#urE||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||inculpaq", - "event.timezone": "PST", - "file.name": "onproide", - "fileset.name": "log", - "host.name": "oin6316.www5.host", - "http.request.referrer": "https://internal.example.net/onproide/Nemoen.gif?pitla=ccu#urE", - "input.type": "log", - "log.offset": 4460, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "example.net", - "https://example.net/nimadmin/ditautfu.html?lpa=entsu#dun", - "internal.example.net", - "oin6316.www5.host" - ], - "related.ip": [ - "10.129.241.147" - ], - "related.user": [ - "lapariat" - ], - "rsa.internal.messageid": "TRACE", - "rsa.misc.action": [ - "etc" - ], - "rsa.misc.result_code": "imaven", - "rsa.network.alias_host": [ - "oin6316.www5.host" - ], - "rsa.network.network_service": "itaut", - "rsa.time.event_time": "2016-07-04T13:38:16.000Z", - "rsa.time.timezone": "PST", - "rsa.web.alias_host": "https://example.net/nimadmin/ditautfu.html?lpa=entsu#dun", - "rsa.web.fqdn": "https://example.net/nimadmin/ditautfu.html?lpa=entsu#dun", - "rsa.web.web_cookie": "inculpaq", - "rsa.web.web_ref_domain": "internal.example.net", - "service.type": "tomcat", - "source.bytes": 152, - "source.ip": "10.129.241.147", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "example.net", - "url.query": "luptat", - "url.registered_domain": "example.net", - "url.top_level_domain": "net", - "user.name": "lapariat", - "user_agent.device.name": "Asus X01BDA", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile 
Safari/537.36", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "80.0.3987.162" - }, - { - "@timestamp": "2016-07-18T08:40:50.000Z", - "event.code": "BDMTHD", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "July 18 18:40:50 tionemu7691.www.local %APACHETOMCAT- BDMTHD: 10.185.101.76||errorsi||des||[18/Jul/2016:6:40:50 GMT+02:00]||stl||https://www5.example.com/ono/stru.jpg?emaperi=tame#tinvol||tectobe||colabor||iusmodt||etdolo||3768||https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu||Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80||itecto", - "event.timezone": "GMT+02:00", - "file.name": "tectobe", - "fileset.name": "log", - "host.name": "tionemu7691.www.local", - "http.request.referrer": "https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu", - "input.type": "log", - "log.offset": 4878, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://www5.example.com/ono/stru.jpg?emaperi=tame#tinvol", - "internal.example.net", - "tionemu7691.www.local", - "www5.example.com" - ], - "related.ip": [ - "10.185.101.76" - ], - "related.user": [ - "des" - ], - "rsa.internal.messageid": "BDMTHD", - "rsa.misc.action": [ - "stl" - ], - "rsa.misc.result_code": "etdolo", - "rsa.network.alias_host": [ - "tionemu7691.www.local" - ], - "rsa.network.network_service": "iusmodt", - "rsa.time.event_time": "2016-07-18T08:40:50.000Z", - "rsa.time.timezone": "GMT+02:00", - "rsa.web.alias_host": "https://www5.example.com/ono/stru.jpg?emaperi=tame#tinvol", - "rsa.web.fqdn": "https://www5.example.com/ono/stru.jpg?emaperi=tame#tinvol", - "rsa.web.web_cookie": "itecto", - "rsa.web.web_ref_domain": "internal.example.net", - "service.type": "tomcat", - 
"source.bytes": 3768, - "source.ip": "10.185.101.76", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www5.example.com", - "url.query": "colabor", - "url.registered_domain": "example.com", - "url.subdomain": "www5", - "url.top_level_domain": "com", - "user.name": "des", - "user_agent.device.name": "Android", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80", - "user_agent.os.full": "Android 5.1.1", - "user_agent.os.name": "Android", - "user_agent.os.version": "5.1.1", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2016-08-02T03:43:25.000Z", - "event.code": "GET", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-3217-GET: 10.57.170.140||nsec||onse||[02/Aug/2016:1:43:25 OMST]||inibusBo||https://example.net/tion/eataev.htm?uiineavo=tisetq#irati||ici||giatquov||eritquii||dexeac||3088||https://www.example.org/oreseos/uames.txt?msequi=isnostru#iquaUten||Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36||iadese", - "event.timezone": "OMST", - "file.name": "ici", - "fileset.name": "log", - "http.request.referrer": "https://www.example.org/oreseos/uames.txt?msequi=isnostru#iquaUten", - "input.type": "log", - "log.offset": 5364, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "example.net", - "https://example.net/tion/eataev.htm?uiineavo=tisetq#irati", - "www.example.org" - ], - "related.ip": [ - "10.57.170.140" - ], - "related.user": [ - "onse" - ], - "rsa.internal.level": 3217, - "rsa.internal.messageid": "GET", - "rsa.misc.action": [ - "inibusBo" - ], - "rsa.misc.result_code": "dexeac", - "rsa.network.network_service": "eritquii", - "rsa.time.event_time": 
"2016-08-02T03:43:25.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.alias_host": "https://example.net/tion/eataev.htm?uiineavo=tisetq#irati", - "rsa.web.fqdn": "https://example.net/tion/eataev.htm?uiineavo=tisetq#irati", - "rsa.web.web_cookie": "iadese", - "rsa.web.web_ref_domain": "www.example.org", - "service.type": "tomcat", - "source.bytes": 3088, - "source.ip": "10.57.170.140", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "example.net", - "url.query": "giatquov", - "url.registered_domain": "example.net", - "url.top_level_domain": "net", - "user.name": "onse", - "user_agent.device.name": "QMobile X700 PRO II", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "77.0.3865.92" - }, - { - "@timestamp": "2016-08-16T10:45:59.000Z", - "event.code": "PUT", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-1109-PUT: 10.33.153.47||hil||atquovo||[16/Aug/2016:8:45:59 GMT+02:00]||iineavo||https://internal.example.com/isno/taliq.htm?nnu=dolo#Loremip||idolor||emeumfu||CSed||lupt||6136||https://internal.example.net/quip/mporain.txt?uatD=iunt#temveleu||Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||tio", - "event.timezone": "GMT+02:00", - "file.name": "idolor", - "fileset.name": "log", - "http.request.referrer": "https://internal.example.net/quip/mporain.txt?uatD=iunt#temveleu", - "input.type": "log", - "log.offset": 5761, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://internal.example.com/isno/taliq.htm?nnu=dolo#Loremip", - 
"internal.example.com", - "internal.example.net" - ], - "related.ip": [ - "10.33.153.47" - ], - "related.user": [ - "atquovo" - ], - "rsa.internal.level": 1109, - "rsa.internal.messageid": "PUT", - "rsa.misc.action": [ - "iineavo" - ], - "rsa.misc.result_code": "lupt", - "rsa.network.network_service": "CSed", - "rsa.time.event_time": "2016-08-16T10:45:59.000Z", - "rsa.time.timezone": "GMT+02:00", - "rsa.web.alias_host": "https://internal.example.com/isno/taliq.htm?nnu=dolo#Loremip", - "rsa.web.fqdn": "https://internal.example.com/isno/taliq.htm?nnu=dolo#Loremip", - "rsa.web.web_cookie": "tio", - "rsa.web.web_ref_domain": "internal.example.net", - "service.type": "tomcat", - "source.bytes": 6136, - "source.ip": "10.33.153.47", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "internal.example.com", - "url.query": "emeumfu", - "url.registered_domain": "example.com", - "url.subdomain": "internal", - "url.top_level_domain": "com", - "user.name": "atquovo", - "user_agent.device.name": "STK-L21", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2016-08-30T05:48:33.000Z", - "event.code": "FGET", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "August 30 15:48:33 conse2991.internal.lan %APACHETOMCAT- FGET: 10.116.104.101||gnam||tat||[30/Aug/2016:3:48:33 CET]||lumqui||https://internal.example.net/mdolore/rQuisau.gif?iavolu=den#tutla||olorema||iades||siarchi||datatn||5076||https://internal.example.net/mipsumd/eFinib.jpg?remi=saute#ercit||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||remagn", - 
"event.timezone": "CET", - "file.name": "olorema", - "fileset.name": "log", - "host.name": "conse2991.internal.lan", - "http.request.referrer": "https://internal.example.net/mipsumd/eFinib.jpg?remi=saute#ercit", - "input.type": "log", - "log.offset": 6206, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "conse2991.internal.lan", - "https://internal.example.net/mdolore/rQuisau.gif?iavolu=den#tutla", - "internal.example.net" - ], - "related.ip": [ - "10.116.104.101" - ], - "related.user": [ - "tat" - ], - "rsa.internal.messageid": "FGET", - "rsa.misc.action": [ - "lumqui" - ], - "rsa.misc.result_code": "datatn", - "rsa.network.alias_host": [ - "conse2991.internal.lan" - ], - "rsa.network.network_service": "siarchi", - "rsa.time.event_time": "2016-08-30T05:48:33.000Z", - "rsa.time.timezone": "CET", - "rsa.web.alias_host": "https://internal.example.net/mdolore/rQuisau.gif?iavolu=den#tutla", - "rsa.web.fqdn": "https://internal.example.net/mdolore/rQuisau.gif?iavolu=den#tutla", - "rsa.web.web_cookie": "remagn", - "rsa.web.web_ref_domain": "internal.example.net", - "service.type": "tomcat", - "source.bytes": 5076, - "source.ip": "10.116.104.101", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "internal.example.net", - "url.query": "iades", - "url.registered_domain": "example.net", - "url.subdomain": "internal", - "url.top_level_domain": "net", - "user.name": "tat", - "user_agent.device.name": "Notepad_K10", - "user_agent.name": "Chrome", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2016-09-13T12:51:07.000Z", - "event.code": "null", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": 
"%APACHETOMCAT-3361-null: 10.202.194.67||samvolu||ittenbyC||[13/Sep/2016:10:51:07 ET]||eirure||https://internal.example.com/oidentsu/atiset.jpg?ntor=lpaqui#sitame||iadese||nsectet||utla||utei||2716||https://example.com/tlabori/oin.jpg?quisnos=ite#ationul||Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||eritqu", - "event.timezone": "ET", - "file.name": "iadese", - "fileset.name": "log", - "http.request.referrer": "https://example.com/tlabori/oin.jpg?quisnos=ite#ationul", - "input.type": "log", - "log.offset": 6628, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "example.com", - "https://internal.example.com/oidentsu/atiset.jpg?ntor=lpaqui#sitame", - "internal.example.com" - ], - "related.ip": [ - "10.202.194.67" - ], - "related.user": [ - "ittenbyC" - ], - "rsa.internal.level": 3361, - "rsa.internal.messageid": "null", - "rsa.misc.action": [ - "eirure" - ], - "rsa.misc.result_code": "utei", - "rsa.network.network_service": "utla", - "rsa.time.event_time": "2016-09-13T12:51:07.000Z", - "rsa.time.timezone": "ET", - "rsa.web.alias_host": "https://internal.example.com/oidentsu/atiset.jpg?ntor=lpaqui#sitame", - "rsa.web.fqdn": "https://internal.example.com/oidentsu/atiset.jpg?ntor=lpaqui#sitame", - "rsa.web.web_cookie": "eritqu", - "rsa.web.web_ref_domain": "example.com", - "service.type": "tomcat", - "source.bytes": 2716, - "source.ip": "10.202.194.67", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "internal.example.com", - "url.query": "nsectet", - "url.registered_domain": "example.com", - "url.subdomain": "internal", - "url.top_level_domain": "com", - "user.name": "ittenbyC", - "user_agent.device.name": "ZTE Blade V1000RU", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU 
Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2016-09-28T07:53:42.000Z", - "event.code": "PUT", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "September 28 05:53:42 wri2784.api.domain %APACHETOMCAT- PUT: 10.153.111.103||itquiin||modocon||[28/Sep/2016:5:53:42 PST]||taevit||https://www5.example.com/etconse/tincu.txt?lit=asun#estia||eaq||occae||ctetura||labore||4621||https://www.example.com/adeseru/emoe.html?atur=itanimi#itame||Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30||rehender", - "event.timezone": "PST", - "file.name": "eaq", - "fileset.name": "log", - "host.name": "wri2784.api.domain", - "http.request.referrer": "https://www.example.com/adeseru/emoe.html?atur=itanimi#itame", - "input.type": "log", - "log.offset": 7086, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://www5.example.com/etconse/tincu.txt?lit=asun#estia", - "wri2784.api.domain", - "www.example.com", - "www5.example.com" - ], - "related.ip": [ - "10.153.111.103" - ], - "related.user": [ - "modocon" - ], - "rsa.internal.messageid": "PUT", - "rsa.misc.action": [ - "taevit" - ], - "rsa.misc.result_code": "labore", - "rsa.network.alias_host": [ - "wri2784.api.domain" - ], - "rsa.network.network_service": "ctetura", - "rsa.time.event_time": "2016-09-28T07:53:42.000Z", - "rsa.time.timezone": "PST", - "rsa.web.alias_host": "https://www5.example.com/etconse/tincu.txt?lit=asun#estia", - "rsa.web.fqdn": "https://www5.example.com/etconse/tincu.txt?lit=asun#estia", - "rsa.web.web_cookie": "rehender", - "rsa.web.web_ref_domain": "www.example.com", - 
"service.type": "tomcat", - "source.bytes": 4621, - "source.ip": "10.153.111.103", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www5.example.com", - "url.query": "occae", - "url.registered_domain": "example.com", - "url.subdomain": "www5", - "url.top_level_domain": "com", - "user.name": "modocon", - "user_agent.device.name": "Samsung GT-P3100 ", - "user_agent.name": "Android", - "user_agent.original": "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30", - "user_agent.os.full": "Android 4.0.3", - "user_agent.os.name": "Android", - "user_agent.os.version": "4.0.3", - "user_agent.version": "4.0.3" - }, - { - "@timestamp": "2016-10-12T14:56:16.000Z", - "event.code": "DETECT_METHOD_TYPE", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-1637-DETECT_METHOD_TYPE: 10.52.186.29||equat||doloreme||[12/Oct/2016:12:56:16 GMT+02:00]||ione||https://www5.example.org/eriamea/amre.htm?magni=pisciv#iquidex||radipisc||tmo||fficiade||uscipit||4168||https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mcolab", - "event.timezone": "GMT+02:00", - "file.name": "radipisc", - "fileset.name": "log", - "http.request.referrer": "https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos", - "input.type": "log", - "log.offset": 7515, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://www5.example.org/eriamea/amre.htm?magni=pisciv#iquidex", - "internal.example.net", - "www5.example.org" - ], - "related.ip": [ - "10.52.186.29" - ], - "related.user": [ - "doloreme" - ], - "rsa.internal.level": 1637, - "rsa.internal.messageid": "DETECT_METHOD_TYPE", - "rsa.misc.action": [ - "ione" - ], - "rsa.misc.result_code": "uscipit", - 
"rsa.network.network_service": "fficiade", - "rsa.time.event_time": "2016-10-12T14:56:16.000Z", - "rsa.time.timezone": "GMT+02:00", - "rsa.web.alias_host": "https://www5.example.org/eriamea/amre.htm?magni=pisciv#iquidex", - "rsa.web.fqdn": "https://www5.example.org/eriamea/amre.htm?magni=pisciv#iquidex", - "rsa.web.web_cookie": "mcolab", - "rsa.web.web_ref_domain": "internal.example.net", - "service.type": "tomcat", - "source.bytes": 4168, - "source.ip": "10.52.186.29", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www5.example.org", - "url.query": "tmo", - "url.registered_domain": "example.org", - "url.subdomain": "www5", - "url.top_level_domain": "org", - "user.name": "doloreme", - "user_agent.device.name": "VS996", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 8.0.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "8.0.0", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2016-10-26T09:58:50.000Z", - "event.code": "BDMTHD", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "October 26 19:58:50 oquisqu2937.mail.domain %APACHETOMCAT- BDMTHD: 10.209.182.237||tper||olor||[26/Oct/2016:7:58:50 GMT-07:00]||osqui||https://www.example.org/iutali/fdeFi.jpg?liquide=etdol#uela||boN||eprehend||aevit||aboN||3423||https://example.net/tlabo/uames.gif?mpo=offi#giatnu||Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]||lor", - "event.timezone": "GMT-07:00", - "file.name": "boN", - "fileset.name": "log", - "host.name": "oquisqu2937.mail.domain", - "http.request.referrer": 
"https://example.net/tlabo/uames.gif?mpo=offi#giatnu", - "input.type": "log", - "log.offset": 7922, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "example.net", - "https://www.example.org/iutali/fdeFi.jpg?liquide=etdol#uela", - "oquisqu2937.mail.domain", - "www.example.org" - ], - "related.ip": [ - "10.209.182.237" - ], - "related.user": [ - "olor" - ], - "rsa.internal.messageid": "BDMTHD", - "rsa.misc.action": [ - "osqui" - ], - "rsa.misc.result_code": "aboN", - "rsa.network.alias_host": [ - "oquisqu2937.mail.domain" - ], - "rsa.network.network_service": "aevit", - "rsa.time.event_time": "2016-10-26T09:58:50.000Z", - "rsa.time.timezone": "GMT-07:00", - "rsa.web.alias_host": "https://www.example.org/iutali/fdeFi.jpg?liquide=etdol#uela", - "rsa.web.fqdn": "https://www.example.org/iutali/fdeFi.jpg?liquide=etdol#uela", - "rsa.web.web_cookie": "lor", - "rsa.web.web_ref_domain": "example.net", - "service.type": "tomcat", - "source.bytes": 3423, - "source.ip": "10.209.182.237", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www.example.org", - "url.query": "eprehend", - "url.registered_domain": "example.org", - "url.subdomain": "www", - "url.top_level_domain": "org", - "user.name": "olor", - "user_agent.device.name": "iPhone", - "user_agent.name": "Facebook", - "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", - "user_agent.os.full": "iOS 13.4.1", - "user_agent.os.name": "iOS", - "user_agent.os.version": "13.4.1", - "user_agent.version": "266.0.0" - }, - { - "@timestamp": "2016-11-10T05:01:24.000Z", - "event.code": "CFYZ", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "November 10 03:01:24 
dolore1287.internal.lan %APACHETOMCAT- CFYZ: 10.63.194.87||quisno||sin||[10/Nov/2016:3:01:24 CT]||aliquam||https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn||isnisiu||bore||tsu||tcons||3128||https://api.example.org/lorinre/olorsita.gif?idata=rumwritt#magnid||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||dol", - "event.timezone": "CT", - "file.name": "isnisiu", - "fileset.name": "log", - "host.name": "dolore1287.internal.lan", - "http.request.referrer": "https://api.example.org/lorinre/olorsita.gif?idata=rumwritt#magnid", - "input.type": "log", - "log.offset": 8486, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "api.example.org", - "dolore1287.internal.lan", - "https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn", - "mail.example.net" - ], - "related.ip": [ - "10.63.194.87" - ], - "related.user": [ - "sin" - ], - "rsa.internal.messageid": "CFYZ", - "rsa.misc.action": [ - "aliquam" - ], - "rsa.misc.result_code": "tcons", - "rsa.network.alias_host": [ - "dolore1287.internal.lan" - ], - "rsa.network.network_service": "tsu", - "rsa.time.event_time": "2016-11-10T05:01:24.000Z", - "rsa.time.timezone": "CT", - "rsa.web.alias_host": "https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn", - "rsa.web.fqdn": "https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn", - "rsa.web.web_cookie": "dol", - "rsa.web.web_ref_domain": "api.example.org", - "service.type": "tomcat", - "source.bytes": 3128, - "source.ip": "10.63.194.87", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "mail.example.net", - "url.query": "bore", - "url.registered_domain": "example.net", - "url.subdomain": "mail", - "url.top_level_domain": "net", - "user.name": "sin", - "user_agent.device.name": "Samsung SM-A260G", - "user_agent.name": "Chrome Mobile 
WebView", - "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", - "user_agent.os.full": "Android 8.1.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "8.1.0", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2016-11-24T12:03:59.000Z", - "event.code": "TRACE", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-4307-TRACE: 10.62.191.18||tevelite||orporiss||[24/Nov/2016:10:03:59 OMST]||tlabo||https://www.example.org/emvel/tmollita.htm?numqua=veni#eveli||eroi||dtemp||aliquide||ofde||4940||https://www5.example.org/maven/hende.jpg?labor=didunt#uptatema||Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||udan", - "event.timezone": "OMST", - "file.name": "eroi", - "fileset.name": "log", - "http.request.referrer": "https://www5.example.org/maven/hende.jpg?labor=didunt#uptatema", - "input.type": "log", - "log.offset": 8961, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://www.example.org/emvel/tmollita.htm?numqua=veni#eveli", - "www.example.org", - "www5.example.org" - ], - "related.ip": [ - "10.62.191.18" - ], - "related.user": [ - "orporiss" - ], - "rsa.internal.level": 4307, - "rsa.internal.messageid": "TRACE", - "rsa.misc.action": [ - "tlabo" - ], - "rsa.misc.result_code": "ofde", - "rsa.network.network_service": "aliquide", - "rsa.time.event_time": "2016-11-24T12:03:59.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.alias_host": "https://www.example.org/emvel/tmollita.htm?numqua=veni#eveli", - "rsa.web.fqdn": "https://www.example.org/emvel/tmollita.htm?numqua=veni#eveli", - "rsa.web.web_cookie": "udan", - "rsa.web.web_ref_domain": 
"www5.example.org", - "service.type": "tomcat", - "source.bytes": 4940, - "source.ip": "10.62.191.18", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www.example.org", - "url.query": "dtemp", - "url.registered_domain": "example.org", - "url.subdomain": "www", - "url.top_level_domain": "org", - "user.name": "orporiss", - "user_agent.device.name": "STK-L21", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2016-12-08T07:06:33.000Z", - "event.code": "CFYZ", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-6040-CFYZ: 10.238.164.29||aturQui||utlabor||[08/Dec/2016:5:06:33 ET]||temvel||https://example.net/nisi/dant.txt?ecte=tinvolu#iurer||iciadese||quidolor||tessec||olupta||2660||https://example.org/idolor/uisau.jpg?llumdolo=nre#ercitat||Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||uiinea", - "event.timezone": "ET", - "file.name": "iciadese", - "fileset.name": "log", - "http.request.referrer": "https://example.org/idolor/uisau.jpg?llumdolo=nre#ercitat", - "input.type": "log", - "log.offset": 9407, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "example.net", - "example.org", - "https://example.net/nisi/dant.txt?ecte=tinvolu#iurer" - ], - "related.ip": [ - "10.238.164.29" - ], - "related.user": [ - "utlabor" - ], - "rsa.internal.level": 6040, - "rsa.internal.messageid": "CFYZ", - "rsa.misc.action": [ - "temvel" - ], - "rsa.misc.result_code": 
"olupta", - "rsa.network.network_service": "tessec", - "rsa.time.event_time": "2016-12-08T07:06:33.000Z", - "rsa.time.timezone": "ET", - "rsa.web.alias_host": "https://example.net/nisi/dant.txt?ecte=tinvolu#iurer", - "rsa.web.fqdn": "https://example.net/nisi/dant.txt?ecte=tinvolu#iurer", - "rsa.web.web_cookie": "uiinea", - "rsa.web.web_ref_domain": "example.org", - "service.type": "tomcat", - "source.bytes": 2660, - "source.ip": "10.238.164.29", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "example.net", - "url.query": "quidolor", - "url.registered_domain": "example.net", - "url.top_level_domain": "net", - "user.name": "utlabor", - "user_agent.device.name": "Meizu M6", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", - "user_agent.os.full": "Android 7.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "7.0", - "user_agent.version": "77.0.3865.120" - }, - { - "@timestamp": "2016-12-23T14:09:07.000Z", - "event.code": "SEARCH", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-1612-SEARCH: 10.155.230.17||eni||ionevo||[23/Dec/2016:12:09:07 CT]||Ute||https://internal.example.com/sintocc/tlabor.txt?tDuisaut=oinBC#quameius||ipsumdol||tet||etdo||urerepr||4674||https://example.com/tetu/stru.htm?tlabore=Exc#pora||Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||uteirure", - "event.timezone": "CT", - "file.name": "ipsumdol", - "fileset.name": "log", - "http.request.referrer": "https://example.com/tetu/stru.htm?tlabore=Exc#pora", - "input.type": "log", - "log.offset": 9841, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "example.com", - 
"https://internal.example.com/sintocc/tlabor.txt?tDuisaut=oinBC#quameius", - "internal.example.com" - ], - "related.ip": [ - "10.155.230.17" - ], - "related.user": [ - "ionevo" - ], - "rsa.internal.level": 1612, - "rsa.internal.messageid": "SEARCH", - "rsa.misc.action": [ - "Ute" - ], - "rsa.misc.result_code": "urerepr", - "rsa.network.network_service": "etdo", - "rsa.time.event_time": "2016-12-23T14:09:07.000Z", - "rsa.time.timezone": "CT", - "rsa.web.alias_host": "https://internal.example.com/sintocc/tlabor.txt?tDuisaut=oinBC#quameius", - "rsa.web.fqdn": "https://internal.example.com/sintocc/tlabor.txt?tDuisaut=oinBC#quameius", - "rsa.web.web_cookie": "uteirure", - "rsa.web.web_ref_domain": "example.com", - "service.type": "tomcat", - "source.bytes": 4674, - "source.ip": "10.155.230.17", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "internal.example.com", - "url.query": "tet", - "url.registered_domain": "example.com", - "url.subdomain": "internal", - "url.top_level_domain": "com", - "user.name": "ionevo", - "user_agent.device.name": "POCOPHONE F1", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2017-01-06T09:11:41.000Z", - "event.code": "RNDMMTD", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "January 6 07:11:41 ide2767.www5.local %APACHETOMCAT- RNDMMTD: 10.102.229.102||nnum||tenbyCi||[06/Jan/2017:7:11:41 PST]||tco||https://example.net/officiad/itam.html?madmi=tur#roi||niamqui||orem||sno||atno||5263||https://mail.example.net/ntocca/ostru.txt?quiavol=rrorsi#temquiav||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||sec", - 
"event.timezone": "PST", - "file.name": "niamqui", - "fileset.name": "log", - "host.name": "ide2767.www5.local", - "http.request.referrer": "https://mail.example.net/ntocca/ostru.txt?quiavol=rrorsi#temquiav", - "input.type": "log", - "log.offset": 10224, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "example.net", - "https://example.net/officiad/itam.html?madmi=tur#roi", - "ide2767.www5.local", - "mail.example.net" - ], - "related.ip": [ - "10.102.229.102" - ], - "related.user": [ - "tenbyCi" - ], - "rsa.internal.messageid": "RNDMMTD", - "rsa.misc.action": [ - "tco" - ], - "rsa.misc.result_code": "atno", - "rsa.network.alias_host": [ - "ide2767.www5.local" - ], - "rsa.network.network_service": "sno", - "rsa.time.event_time": "2017-01-06T09:11:41.000Z", - "rsa.time.timezone": "PST", - "rsa.web.alias_host": "https://example.net/officiad/itam.html?madmi=tur#roi", - "rsa.web.fqdn": "https://example.net/officiad/itam.html?madmi=tur#roi", - "rsa.web.web_cookie": "sec", - "rsa.web.web_ref_domain": "mail.example.net", - "service.type": "tomcat", - "source.bytes": 5263, - "source.ip": "10.102.229.102", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "example.net", - "url.query": "orem", - "url.registered_domain": "example.net", - "url.top_level_domain": "net", - "user.name": "tenbyCi", - "user_agent.device.name": "G8142", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2017-01-20T04:14:16.000Z", - "event.code": "HEAD", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "January 20 14:14:16 sBon1759.invalid %APACHETOMCAT- HEAD: 
10.194.14.7||ten||vita||[20/Jan/2017:2:14:16 OMST]||ullamcor||https://mail.example.org/tor/qui.txt?eavolup=fugiatn#docon||etconsec||ios||evolu||ersp||3536||https://www5.example.org/sauteiru/mod.gif?tes=mquame#nihilmol||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||orain", - "event.timezone": "OMST", - "file.name": "etconsec", - "fileset.name": "log", - "host.name": "sBon1759.invalid", - "http.request.referrer": "https://www5.example.org/sauteiru/mod.gif?tes=mquame#nihilmol", - "input.type": "log", - "log.offset": 10625, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://mail.example.org/tor/qui.txt?eavolup=fugiatn#docon", - "mail.example.org", - "sBon1759.invalid", - "www5.example.org" - ], - "related.ip": [ - "10.194.14.7" - ], - "related.user": [ - "vita" - ], - "rsa.internal.messageid": "HEAD", - "rsa.misc.action": [ - "ullamcor" - ], - "rsa.misc.result_code": "ersp", - "rsa.network.alias_host": [ - "sBon1759.invalid" - ], - "rsa.network.network_service": "evolu", - "rsa.time.event_time": "2017-01-20T04:14:16.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.alias_host": "https://mail.example.org/tor/qui.txt?eavolup=fugiatn#docon", - "rsa.web.fqdn": "https://mail.example.org/tor/qui.txt?eavolup=fugiatn#docon", - "rsa.web.web_cookie": "orain", - "rsa.web.web_ref_domain": "www5.example.org", - "service.type": "tomcat", - "source.bytes": 3536, - "source.ip": "10.194.14.7", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "mail.example.org", - "url.query": "ios", - "url.registered_domain": "example.org", - "url.subdomain": "mail", - "url.top_level_domain": "org", - "user.name": "vita", - "user_agent.device.name": "Samsung SM-A260G", - "user_agent.name": "Chrome Mobile WebView", - "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; 
rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", - "user_agent.os.full": "Android 8.1.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "8.1.0", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2017-02-03T11:16:50.000Z", - "event.code": "get", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-6113-get: 10.99.0.226||madmi||uidol||[03/Feb/2017:9:16:50 ET]||quameius||https://api.example.net/roid/inibusB.jpg?Nemoenim=squirati#Sedutp||utp||ema||rsitv||iciade||5649||https://example.com/lup/tatemUt.html?upida=tvolupt#eufugi||Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36||uredol", - "event.timezone": "ET", - "file.name": "utp", - "fileset.name": "log", - "http.request.referrer": "https://example.com/lup/tatemUt.html?upida=tvolupt#eufugi", - "input.type": "log", - "log.offset": 11083, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "api.example.net", - "example.com", - "https://api.example.net/roid/inibusB.jpg?Nemoenim=squirati#Sedutp" - ], - "related.ip": [ - "10.99.0.226" - ], - "related.user": [ - "uidol" - ], - "rsa.internal.level": 6113, - "rsa.internal.messageid": "get", - "rsa.misc.action": [ - "quameius" - ], - "rsa.misc.result_code": "iciade", - "rsa.network.network_service": "rsitv", - "rsa.time.event_time": "2017-02-03T11:16:50.000Z", - "rsa.time.timezone": "ET", - "rsa.web.alias_host": "https://api.example.net/roid/inibusB.jpg?Nemoenim=squirati#Sedutp", - "rsa.web.fqdn": "https://api.example.net/roid/inibusB.jpg?Nemoenim=squirati#Sedutp", - "rsa.web.web_cookie": "uredol", - "rsa.web.web_ref_domain": "example.com", - "service.type": "tomcat", - "source.bytes": 5649, - "source.ip": "10.99.0.226", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": 
"api.example.net", - "url.query": "ema", - "url.registered_domain": "example.net", - "url.subdomain": "api", - "url.top_level_domain": "net", - "user.name": "uidol", - "user_agent.device.name": "Pixel 3", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "66.0.3359.158" - }, - { - "@timestamp": "2017-02-18T06:19:24.000Z", - "event.code": "DETECT_METHOD_TYPE", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-6945-DETECT_METHOD_TYPE: 10.107.174.213||tenimad||minimav||[18/Feb/2017:4:19:24 OMST]||taedicta||https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut||uamni||ctet||ati||uine||2438||https://api.example.org/loreme/untu.htm?ven=con#nisist||Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36||ium", - "event.timezone": "OMST", - "file.name": "uamni", - "fileset.name": "log", - "http.request.referrer": "https://api.example.org/loreme/untu.htm?ven=con#nisist", - "input.type": "log", - "log.offset": 11478, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "api.example.org", - "https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut", - "www.example.net" - ], - "related.ip": [ - "10.107.174.213" - ], - "related.user": [ - "minimav" - ], - "rsa.internal.level": 6945, - "rsa.internal.messageid": "DETECT_METHOD_TYPE", - "rsa.misc.action": [ - "taedicta" - ], - "rsa.misc.result_code": "uine", - "rsa.network.network_service": "ati", - "rsa.time.event_time": "2017-02-18T06:19:24.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.alias_host": 
"https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut", - "rsa.web.fqdn": "https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut", - "rsa.web.web_cookie": "ium", - "rsa.web.web_ref_domain": "api.example.org", - "service.type": "tomcat", - "source.bytes": 2438, - "source.ip": "10.107.174.213", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www.example.net", - "url.query": "ctet", - "url.registered_domain": "example.net", - "url.subdomain": "www", - "url.top_level_domain": "net", - "user.name": "minimav", - "user_agent.device.name": "QMobile X700 PRO II", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "77.0.3865.92" - }, - { - "@timestamp": "2017-03-04T13:21:59.000Z", - "event.code": "ABCD", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "March 4 11:21:59 idunt4707.host %APACHETOMCAT- ABCD: 10.84.25.23||laudant||isnost||[04/Mar/2017:11:21:59 CET]||rQuisau||https://mail.example.org/iscinge/ofdeFini.jpg?molli=velitse#oditem||gitsedqu||borios||rsitvolu||quam||5315||https://www.example.org/ineavo/pexe.htm?iadolor=amcol#adeser||Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||gitsed", - "event.timezone": "CET", - "file.name": "gitsedqu", - "fileset.name": "log", - "host.name": "idunt4707.host", - "http.request.referrer": "https://www.example.org/ineavo/pexe.htm?iadolor=amcol#adeser", - "input.type": "log", - "log.offset": 11878, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - 
"https://mail.example.org/iscinge/ofdeFini.jpg?molli=velitse#oditem", - "idunt4707.host", - "mail.example.org", - "www.example.org" - ], - "related.ip": [ - "10.84.25.23" - ], - "related.user": [ - "isnost" - ], - "rsa.internal.messageid": "ABCD", - "rsa.misc.action": [ - "rQuisau" - ], - "rsa.misc.result_code": "quam", - "rsa.network.alias_host": [ - "idunt4707.host" - ], - "rsa.network.network_service": "rsitvolu", - "rsa.time.event_time": "2017-03-04T13:21:59.000Z", - "rsa.time.timezone": "CET", - "rsa.web.alias_host": "https://mail.example.org/iscinge/ofdeFini.jpg?molli=velitse#oditem", - "rsa.web.fqdn": "https://mail.example.org/iscinge/ofdeFini.jpg?molli=velitse#oditem", - "rsa.web.web_cookie": "gitsed", - "rsa.web.web_ref_domain": "www.example.org", - "service.type": "tomcat", - "source.bytes": 5315, - "source.ip": "10.84.25.23", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "mail.example.org", - "url.query": "borios", - "url.registered_domain": "example.org", - "url.subdomain": "mail", - "url.top_level_domain": "org", - "user.name": "isnost", - "user_agent.device.name": "Lenovo A2016a40 ", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "48.0.2564.106" - }, - { - "@timestamp": "2017-03-18T08:24:33.000Z", - "event.code": "uGET", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-4367-uGET: 10.193.143.108||idolo||luptate||[18/Mar/2017:6:24:33 PT]||atisun||https://www.example.org/epre/tobeata.html?quia=iduntu#idestlab||rnatur||ofdeFin||essequam||acommo||3105||https://api.example.com/cusant/atemq.gif?itecto=reetdol#totamre||Mozilla/5.0 (Linux; Android 9; ZTE Blade 
V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||ercita", - "event.timezone": "PT", - "file.name": "rnatur", - "fileset.name": "log", - "http.request.referrer": "https://api.example.com/cusant/atemq.gif?itecto=reetdol#totamre", - "input.type": "log", - "log.offset": 12362, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "api.example.com", - "https://www.example.org/epre/tobeata.html?quia=iduntu#idestlab", - "www.example.org" - ], - "related.ip": [ - "10.193.143.108" - ], - "related.user": [ - "luptate" - ], - "rsa.internal.level": 4367, - "rsa.internal.messageid": "uGET", - "rsa.misc.action": [ - "atisun" - ], - "rsa.misc.result_code": "acommo", - "rsa.network.network_service": "essequam", - "rsa.time.event_time": "2017-03-18T08:24:33.000Z", - "rsa.time.timezone": "PT", - "rsa.web.alias_host": "https://www.example.org/epre/tobeata.html?quia=iduntu#idestlab", - "rsa.web.fqdn": "https://www.example.org/epre/tobeata.html?quia=iduntu#idestlab", - "rsa.web.web_cookie": "ercita", - "rsa.web.web_ref_domain": "api.example.com", - "service.type": "tomcat", - "source.bytes": 3105, - "source.ip": "10.193.143.108", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www.example.org", - "url.query": "ofdeFin", - "url.registered_domain": "example.org", - "url.subdomain": "www", - "url.top_level_domain": "org", - "user.name": "luptate", - "user_agent.device.name": "ZTE Blade V1000RU", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "81.0.4044.138" - }, - { - 
"@timestamp": "2017-04-02T03:27:07.000Z", - "event.code": "INDEX", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "April 2 01:27:07 emquia1497.www5.lan %APACHETOMCAT- INDEX: 10.190.51.22||uamei||siut||[02/Apr/2017:1:27:07 CT]||uisa||https://example.com/mexe/its.htm?ice=oles#edic||seq||tutlab||sau||atevelit||2450||https://example.org/aperia/ccaeca.gif?ttenby=boris#stenatu||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||orumSe", - "event.timezone": "CT", - "file.name": "seq", - "fileset.name": "log", - "host.name": "emquia1497.www5.lan", - "http.request.referrer": "https://example.org/aperia/ccaeca.gif?ttenby=boris#stenatu", - "input.type": "log", - "log.offset": 12826, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "emquia1497.www5.lan", - "example.com", - "example.org", - "https://example.com/mexe/its.htm?ice=oles#edic" - ], - "related.ip": [ - "10.190.51.22" - ], - "related.user": [ - "siut" - ], - "rsa.internal.messageid": "INDEX", - "rsa.misc.action": [ - "uisa" - ], - "rsa.misc.result_code": "atevelit", - "rsa.network.alias_host": [ - "emquia1497.www5.lan" - ], - "rsa.network.network_service": "sau", - "rsa.time.event_time": "2017-04-02T03:27:07.000Z", - "rsa.time.timezone": "CT", - "rsa.web.alias_host": "https://example.com/mexe/its.htm?ice=oles#edic", - "rsa.web.fqdn": "https://example.com/mexe/its.htm?ice=oles#edic", - "rsa.web.web_cookie": "orumSe", - "rsa.web.web_ref_domain": "example.org", - "service.type": "tomcat", - "source.bytes": 2450, - "source.ip": "10.190.51.22", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "example.com", - "url.query": "tutlab", - "url.registered_domain": "example.com", - "url.top_level_domain": "com", - "user.name": "siut", - "user_agent.device.name": "Notepad_K10", - "user_agent.name": "Chrome", - "user_agent.original": "Mozilla/5.0 (Linux; 
Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2017-04-16T10:29:41.000Z", - "event.code": "BADMETHOD", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "April 16 08:29:41 riat3854.www5.home %APACHETOMCAT- BADMETHOD: 10.194.90.130||siut||tconsect||[16/Apr/2017:8:29:41 PT]||piscinge||https://www.example.com/velitess/naali.htm?nre=veli#volupta||rnatu||elitse||ima||quasia||2382||https://www5.example.com/quamqua/eacommod.html?iumdol=tpersp#stla||mobmail android 2.1.3.3150||sequamni", - "event.timezone": "PT", - "file.name": "rnatu", - "fileset.name": "log", - "host.name": "riat3854.www5.home", - "http.request.referrer": "https://www5.example.com/quamqua/eacommod.html?iumdol=tpersp#stla", - "input.type": "log", - "log.offset": 13211, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://www.example.com/velitess/naali.htm?nre=veli#volupta", - "riat3854.www5.home", - "www.example.com", - "www5.example.com" - ], - "related.ip": [ - "10.194.90.130" - ], - "related.user": [ - "tconsect" - ], - "rsa.internal.messageid": "BADMETHOD", - "rsa.misc.action": [ - "piscinge" - ], - "rsa.misc.result_code": "quasia", - "rsa.network.alias_host": [ - "riat3854.www5.home" - ], - "rsa.network.network_service": "ima", - "rsa.time.event_time": "2017-04-16T10:29:41.000Z", - "rsa.time.timezone": "PT", - "rsa.web.alias_host": "https://www.example.com/velitess/naali.htm?nre=veli#volupta", - "rsa.web.fqdn": "https://www.example.com/velitess/naali.htm?nre=veli#volupta", - "rsa.web.web_cookie": "sequamni", - "rsa.web.web_ref_domain": "www5.example.com", - "service.type": "tomcat", - "source.bytes": 2382, - "source.ip": "10.194.90.130", - "tags": [ - "forwarded", - "tomcat.log" - ], - 
"url.domain": "www.example.com", - "url.query": "elitse", - "url.registered_domain": "example.com", - "url.subdomain": "www", - "url.top_level_domain": "com", - "user.name": "tconsect", - "user_agent.device.name": "Other", - "user_agent.name": "Other", - "user_agent.original": "mobmail android 2.1.3.3150" - }, - { - "@timestamp": "2017-04-30T05:32:16.000Z", - "event.code": "BDMTHD", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-6198-BDMTHD: 10.10.213.83||nea||psum||[30/Apr/2017:3:32:16 OMST]||ncididun||https://www.example.org/xeacomm/cinge.txt?apariat=vitaedi#lorsita||dolore||uptate||quidexea||ect||23||https://internal.example.com/ate/odoconse.jpg?quatu=veli#tenim||Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]||labo", - "event.timezone": "OMST", - "file.name": "dolore", - "fileset.name": "log", - "http.request.referrer": "https://internal.example.com/ate/odoconse.jpg?quatu=veli#tenim", - "input.type": "log", - "log.offset": 13540, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://www.example.org/xeacomm/cinge.txt?apariat=vitaedi#lorsita", - "internal.example.com", - "www.example.org" - ], - "related.ip": [ - "10.10.213.83" - ], - "related.user": [ - "psum" - ], - "rsa.internal.level": 6198, - "rsa.internal.messageid": "BDMTHD", - "rsa.misc.action": [ - "ncididun" - ], - "rsa.misc.result_code": "ect", - "rsa.network.network_service": "quidexea", - "rsa.time.event_time": "2017-04-30T05:32:16.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.alias_host": "https://www.example.org/xeacomm/cinge.txt?apariat=vitaedi#lorsita", - "rsa.web.fqdn": "https://www.example.org/xeacomm/cinge.txt?apariat=vitaedi#lorsita", - 
"rsa.web.web_cookie": "labo", - "rsa.web.web_ref_domain": "internal.example.com", - "service.type": "tomcat", - "source.bytes": 23, - "source.ip": "10.10.213.83", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www.example.org", - "url.query": "uptate", - "url.registered_domain": "example.org", - "url.subdomain": "www", - "url.top_level_domain": "org", - "user.name": "psum", - "user_agent.device.name": "iPhone", - "user_agent.name": "Facebook", - "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", - "user_agent.os.full": "iOS 13.4.1", - "user_agent.os.name": "iOS", - "user_agent.os.version": "13.4.1", - "user_agent.version": "266.0.0" - }, - { - "@timestamp": "2017-05-14T12:34:50.000Z", - "event.code": "uGET", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "May 14 22:34:50 aboreetd5461.host %APACHETOMCAT- uGET: 10.52.125.9||hit||urv||[14/May/2017:10:34:50 ET]||nimid||https://api.example.org/texpli/exeacom.jpg?rita=esseci#tametcon||liqua||mvele||isis||uasiar||2552||https://mail.example.net/loremqu/dantium.htm?teirured=onemulla#dolorem||Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]||rauto", - "event.timezone": "ET", - "file.name": "liqua", - "fileset.name": "log", - "host.name": "aboreetd5461.host", - "http.request.referrer": "https://mail.example.net/loremqu/dantium.htm?teirured=onemulla#dolorem", - "input.type": "log", - "log.offset": 14078, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - 
"related.hosts": [ - "aboreetd5461.host", - "api.example.org", - "https://api.example.org/texpli/exeacom.jpg?rita=esseci#tametcon", - "mail.example.net" - ], - "related.ip": [ - "10.52.125.9" - ], - "related.user": [ - "urv" - ], - "rsa.internal.messageid": "uGET", - "rsa.misc.action": [ - "nimid" - ], - "rsa.misc.result_code": "uasiar", - "rsa.network.alias_host": [ - "aboreetd5461.host" - ], - "rsa.network.network_service": "isis", - "rsa.time.event_time": "2017-05-14T12:34:50.000Z", - "rsa.time.timezone": "ET", - "rsa.web.alias_host": "https://api.example.org/texpli/exeacom.jpg?rita=esseci#tametcon", - "rsa.web.fqdn": "https://api.example.org/texpli/exeacom.jpg?rita=esseci#tametcon", - "rsa.web.web_cookie": "rauto", - "rsa.web.web_ref_domain": "mail.example.net", - "service.type": "tomcat", - "source.bytes": 2552, - "source.ip": "10.52.125.9", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "api.example.org", - "url.query": "mvele", - "url.registered_domain": "example.org", - "url.subdomain": "api", - "url.top_level_domain": "org", - "user.name": "urv", - "user_agent.device.name": "iPhone", - "user_agent.name": "Facebook", - "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", - "user_agent.os.full": "iOS 13.4.1", - "user_agent.os.name": "iOS", - "user_agent.os.version": "13.4.1", - "user_agent.version": "266.0.0" - }, - { - "@timestamp": "2017-05-29T07:37:24.000Z", - "event.code": "RNDMMTD", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-5770-RNDMMTD: 10.19.17.202||nby||mve||[29/May/2017:5:37:24 
PT]||isau||https://api.example.net/ibusBon/ven.gif?nsequat=doloreme#dun||reprehe||tincu||suntin||itse||814||https://www5.example.org/intocc/amcorp.html?ssecillu=liqua#olo||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||aec", - "event.timezone": "PT", - "file.name": "reprehe", - "fileset.name": "log", - "http.request.referrer": "https://www5.example.org/intocc/amcorp.html?ssecillu=liqua#olo", - "input.type": "log", - "log.offset": 14644, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "api.example.net", - "https://api.example.net/ibusBon/ven.gif?nsequat=doloreme#dun", - "www5.example.org" - ], - "related.ip": [ - "10.19.17.202" - ], - "related.user": [ - "mve" - ], - "rsa.internal.level": 5770, - "rsa.internal.messageid": "RNDMMTD", - "rsa.misc.action": [ - "isau" - ], - "rsa.misc.result_code": "itse", - "rsa.network.network_service": "suntin", - "rsa.time.event_time": "2017-05-29T07:37:24.000Z", - "rsa.time.timezone": "PT", - "rsa.web.alias_host": "https://api.example.net/ibusBon/ven.gif?nsequat=doloreme#dun", - "rsa.web.fqdn": "https://api.example.net/ibusBon/ven.gif?nsequat=doloreme#dun", - "rsa.web.web_cookie": "aec", - "rsa.web.web_ref_domain": "www5.example.org", - "service.type": "tomcat", - "source.bytes": 814, - "source.ip": "10.19.17.202", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "api.example.net", - "url.query": "tincu", - "url.registered_domain": "example.net", - "url.subdomain": "api", - "url.top_level_domain": "net", - "user.name": "mve", - "user_agent.device.name": "G8142", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - 
}, - { - "@timestamp": "2017-06-12T14:39:58.000Z", - "event.code": "RNDMMTD", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "June 12 12:39:58 iquidexe304.mail.test %APACHETOMCAT- RNDMMTD: 10.195.64.5||oreetd||uat||[12/Jun/2017:12:39:58 PT]||moenimi||https://mail.example.org/oconsequ/edquiac.gif?preh=ercit#etMal||qua||rsita||ate||ipsamvo||344||https://api.example.com/tdol/upt.htm?asper=idunt#luptat||Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||ica", - "event.timezone": "PT", - "file.name": "qua", - "fileset.name": "log", - "host.name": "iquidexe304.mail.test", - "http.request.referrer": "https://api.example.com/tdol/upt.htm?asper=idunt#luptat", - "input.type": "log", - "log.offset": 15012, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "api.example.com", - "https://mail.example.org/oconsequ/edquiac.gif?preh=ercit#etMal", - "iquidexe304.mail.test", - "mail.example.org" - ], - "related.ip": [ - "10.195.64.5" - ], - "related.user": [ - "uat" - ], - "rsa.internal.messageid": "RNDMMTD", - "rsa.misc.action": [ - "moenimi" - ], - "rsa.misc.result_code": "ipsamvo", - "rsa.network.alias_host": [ - "iquidexe304.mail.test" - ], - "rsa.network.network_service": "ate", - "rsa.time.event_time": "2017-06-12T14:39:58.000Z", - "rsa.time.timezone": "PT", - "rsa.web.alias_host": "https://mail.example.org/oconsequ/edquiac.gif?preh=ercit#etMal", - "rsa.web.fqdn": "https://mail.example.org/oconsequ/edquiac.gif?preh=ercit#etMal", - "rsa.web.web_cookie": "ica", - "rsa.web.web_ref_domain": "api.example.com", - "service.type": "tomcat", - "source.bytes": 344, - "source.ip": "10.195.64.5", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "mail.example.org", - "url.query": "rsita", - "url.registered_domain": "example.org", - "url.subdomain": "mail", - "url.top_level_domain": "org", - "user.name": 
"uat", - "user_agent.device.name": "POCOPHONE F1", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2017-06-26T09:42:33.000Z", - "event.code": "POST", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "June 26 19:42:33 remips4828.www5.host %APACHETOMCAT- POST: 10.209.77.194||tvolup||itesseq||[26/Jun/2017:7:42:33 OMST]||snost||https://internal.example.com/llamc/nte.htm?utali=porinc#tetur||xce||dat||aincidu||nimadmin||4843||https://mail.example.com/eumfugi/etdolor.htm?dic=cola#amcor||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||elites", - "event.timezone": "OMST", - "file.name": "xce", - "fileset.name": "log", - "host.name": "remips4828.www5.host", - "http.request.referrer": "https://mail.example.com/eumfugi/etdolor.htm?dic=cola#amcor", - "input.type": "log", - "log.offset": 15419, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://internal.example.com/llamc/nte.htm?utali=porinc#tetur", - "internal.example.com", - "mail.example.com", - "remips4828.www5.host" - ], - "related.ip": [ - "10.209.77.194" - ], - "related.user": [ - "itesseq" - ], - "rsa.internal.messageid": "POST", - "rsa.misc.action": [ - "snost" - ], - "rsa.misc.result_code": "nimadmin", - "rsa.network.alias_host": [ - "remips4828.www5.host" - ], - "rsa.network.network_service": "aincidu", - "rsa.time.event_time": "2017-06-26T09:42:33.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.alias_host": "https://internal.example.com/llamc/nte.htm?utali=porinc#tetur", - "rsa.web.fqdn": 
"https://internal.example.com/llamc/nte.htm?utali=porinc#tetur", - "rsa.web.web_cookie": "elites", - "rsa.web.web_ref_domain": "mail.example.com", - "service.type": "tomcat", - "source.bytes": 4843, - "source.ip": "10.209.77.194", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "internal.example.com", - "url.query": "dat", - "url.registered_domain": "example.com", - "url.subdomain": "internal", - "url.top_level_domain": "com", - "user.name": "itesseq", - "user_agent.device.name": "Asus X01BDA", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "80.0.3987.162" - }, - { - "@timestamp": "2017-07-11T04:45:07.000Z", - "event.code": "MKCOL", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-1952-MKCOL: 10.168.6.90||rem||amvolupt||[11/Jul/2017:2:45:07 GMT+02:00]||atisund||https://example.net/ites/isetq.gif?nisiut=tur#avolupt||ariatur||rer||iconseq||porincid||6941||https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt||Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80||tae", - "event.timezone": "GMT+02:00", - "file.name": "ariatur", - "fileset.name": "log", - "http.request.referrer": "https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt", - "input.type": "log", - "log.offset": 15838, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "example.net", - "https://example.net/ites/isetq.gif?nisiut=tur#avolupt", - "mail.example.org" - ], - "related.ip": [ - "10.168.6.90" - ], - "related.user": [ - "amvolupt" - ], - "rsa.internal.level": 1952, - 
"rsa.internal.messageid": "MKCOL", - "rsa.misc.action": [ - "atisund" - ], - "rsa.misc.result_code": "porincid", - "rsa.network.network_service": "iconseq", - "rsa.time.event_time": "2017-07-11T04:45:07.000Z", - "rsa.time.timezone": "GMT+02:00", - "rsa.web.alias_host": "https://example.net/ites/isetq.gif?nisiut=tur#avolupt", - "rsa.web.fqdn": "https://example.net/ites/isetq.gif?nisiut=tur#avolupt", - "rsa.web.web_cookie": "tae", - "rsa.web.web_ref_domain": "mail.example.org", - "service.type": "tomcat", - "source.bytes": 6941, - "source.ip": "10.168.6.90", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "example.net", - "url.query": "rer", - "url.registered_domain": "example.net", - "url.top_level_domain": "net", - "user.name": "amvolupt", - "user_agent.device.name": "Android", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80", - "user_agent.os.full": "Android 5.1.1", - "user_agent.os.name": "Android", - "user_agent.os.version": "5.1.1", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2017-07-25T11:47:41.000Z", - "event.code": "rndmmtd", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-7717-rndmmtd: 10.89.137.238||plica||ore||[25/Jul/2017:9:47:41 OMST]||emqu||https://mail.example.com/acommod/itsedd.html?admin=stenatu#inibu||est||uptatemU||leumiu||tla||4765||https://api.example.org/isa/niamqui.jpg?dqu=pid#rExc||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||erun", - "event.timezone": "OMST", - "file.name": "est", - "fileset.name": "log", - "http.request.referrer": "https://api.example.org/isa/niamqui.jpg?dqu=pid#rExc", - "input.type": "log", - "log.offset": 
16270, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "api.example.org", - "https://mail.example.com/acommod/itsedd.html?admin=stenatu#inibu", - "mail.example.com" - ], - "related.ip": [ - "10.89.137.238" - ], - "related.user": [ - "ore" - ], - "rsa.internal.level": 7717, - "rsa.internal.messageid": "rndmmtd", - "rsa.misc.action": [ - "emqu" - ], - "rsa.misc.result_code": "tla", - "rsa.network.network_service": "leumiu", - "rsa.time.event_time": "2017-07-25T11:47:41.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.alias_host": "https://mail.example.com/acommod/itsedd.html?admin=stenatu#inibu", - "rsa.web.fqdn": "https://mail.example.com/acommod/itsedd.html?admin=stenatu#inibu", - "rsa.web.web_cookie": "erun", - "rsa.web.web_ref_domain": "api.example.org", - "service.type": "tomcat", - "source.bytes": 4765, - "source.ip": "10.89.137.238", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "mail.example.com", - "url.query": "uptatemU", - "url.registered_domain": "example.com", - "url.subdomain": "mail", - "url.top_level_domain": "com", - "user.name": "ore", - "user_agent.device.name": "5024D_RU", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "77.0.3865.92" - }, - { - "@timestamp": "2017-08-08T06:50:15.000Z", - "event.code": "OPTIONS", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-4574-OPTIONS: 10.246.61.213||ntutlabo||iusmodte||[08/Aug/2017:4:50:15 
CT]||loi||https://example.org/Nequepor/eirure.htm?idid=tesse#sequat||giatquov||tconsec||miurerep||toccaec||7645||https://www5.example.net/psaqua/ullamcor.txt?qui=cupi#tame||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||orroq", - "event.timezone": "CT", - "file.name": "giatquov", - "fileset.name": "log", - "http.request.referrer": "https://www5.example.net/psaqua/ullamcor.txt?qui=cupi#tame", - "input.type": "log", - "log.offset": 16704, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "example.org", - "https://example.org/Nequepor/eirure.htm?idid=tesse#sequat", - "www5.example.net" - ], - "related.ip": [ - "10.246.61.213" - ], - "related.user": [ - "iusmodte" - ], - "rsa.internal.level": 4574, - "rsa.internal.messageid": "OPTIONS", - "rsa.misc.action": [ - "loi" - ], - "rsa.misc.result_code": "toccaec", - "rsa.network.network_service": "miurerep", - "rsa.time.event_time": "2017-08-08T06:50:15.000Z", - "rsa.time.timezone": "CT", - "rsa.web.alias_host": "https://example.org/Nequepor/eirure.htm?idid=tesse#sequat", - "rsa.web.fqdn": "https://example.org/Nequepor/eirure.htm?idid=tesse#sequat", - "rsa.web.web_cookie": "orroq", - "rsa.web.web_ref_domain": "www5.example.net", - "service.type": "tomcat", - "source.bytes": 7645, - "source.ip": "10.246.61.213", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "example.org", - "url.query": "tconsec", - "url.registered_domain": "example.org", - "url.top_level_domain": "org", - "user.name": "iusmodte", - "user_agent.device.name": "Asus X01BDA", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": 
"80.0.3987.162" - }, - { - "@timestamp": "2017-08-22T13:52:50.000Z", - "event.code": "MKCOL", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "August 22 23:52:50 orin5238.host %APACHETOMCAT- MKCOL: 10.117.44.138||orem||rcit||[22/Aug/2017:11:52:50 PST]||enderit||https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo||oluptas||emvele||isnost||olorem||2760||https://www5.example.net/quunt/acommod.jpg?sit=rumSect#ita||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||aliq", - "event.timezone": "PST", - "file.name": "oluptas", - "fileset.name": "log", - "host.name": "orin5238.host", - "http.request.referrer": "https://www5.example.net/quunt/acommod.jpg?sit=rumSect#ita", - "input.type": "log", - "log.offset": 17094, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo", - "orin5238.host", - "www.example.org", - "www5.example.net" - ], - "related.ip": [ - "10.117.44.138" - ], - "related.user": [ - "rcit" - ], - "rsa.internal.messageid": "MKCOL", - "rsa.misc.action": [ - "enderit" - ], - "rsa.misc.result_code": "olorem", - "rsa.network.alias_host": [ - "orin5238.host" - ], - "rsa.network.network_service": "isnost", - "rsa.time.event_time": "2017-08-22T13:52:50.000Z", - "rsa.time.timezone": "PST", - "rsa.web.alias_host": "https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo", - "rsa.web.fqdn": "https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo", - "rsa.web.web_cookie": "aliq", - "rsa.web.web_ref_domain": "www5.example.net", - "service.type": "tomcat", - "source.bytes": 2760, - "source.ip": "10.117.44.138", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www.example.org", - "url.query": "emvele", - "url.registered_domain": "example.org", - "url.subdomain": "www", - 
"url.top_level_domain": "org", - "user.name": "rcit", - "user_agent.device.name": "Asus X01BDA", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "80.0.3987.162" - }, - { - "@timestamp": "2017-09-06T08:55:24.000Z", - "event.code": "PRONECT", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-4801-PRONECT: 10.69.30.196||tore||elits||[06/Sep/2017:6:55:24 OMST]||ruredo||https://example.net/temUt/ptassita.gif?uamnihi=risnis#uov||itlab||urmag||omm||equ||4808||https://www.example.net/siuta/urmagn.html?uptat=idex#ptateve||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||nimveni", - "event.timezone": "OMST", - "file.name": "itlab", - "fileset.name": "log", - "http.request.referrer": "https://www.example.net/siuta/urmagn.html?uptat=idex#ptateve", - "input.type": "log", - "log.offset": 17515, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "example.net", - "https://example.net/temUt/ptassita.gif?uamnihi=risnis#uov", - "www.example.net" - ], - "related.ip": [ - "10.69.30.196" - ], - "related.user": [ - "elits" - ], - "rsa.internal.level": 4801, - "rsa.internal.messageid": "PRONECT", - "rsa.misc.action": [ - "ruredo" - ], - "rsa.misc.result_code": "equ", - "rsa.network.network_service": "omm", - "rsa.time.event_time": "2017-09-06T08:55:24.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.alias_host": "https://example.net/temUt/ptassita.gif?uamnihi=risnis#uov", - "rsa.web.fqdn": "https://example.net/temUt/ptassita.gif?uamnihi=risnis#uov", - "rsa.web.web_cookie": "nimveni", - "rsa.web.web_ref_domain": "www.example.net", - "service.type": "tomcat", - 
"source.bytes": 4808, - "source.ip": "10.69.30.196", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "example.net", - "url.query": "urmag", - "url.registered_domain": "example.net", - "url.top_level_domain": "net", - "user.name": "elits", - "user_agent.device.name": "Generic Smartphone", - "user_agent.name": "Opera Mini", - "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", - "user_agent.os.name": "Symbian OS", - "user_agent.version": "7.1.32444" - }, - { - "@timestamp": "2017-09-20T03:57:58.000Z", - "event.code": "BADMTHD", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-7668-BADMTHD: 10.135.91.88||ercit||eporroq||[20/Sep/2017:1:57:58 CT]||ugiatn||https://api.example.com/dictasun/abore.txt?modocon=ipsu#ntNeq||tate||urExce||asi||ectiono||2241||https://example.org/onu/liquaUte.txt?velillu=ria#atDu||Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||emq", - "event.timezone": "CT", - "file.name": "tate", - "fileset.name": "log", - "http.request.referrer": "https://example.org/onu/liquaUte.txt?velillu=ria#atDu", - "input.type": "log", - "log.offset": 17856, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "api.example.com", - "example.org", - "https://api.example.com/dictasun/abore.txt?modocon=ipsu#ntNeq" - ], - "related.ip": [ - "10.135.91.88" - ], - "related.user": [ - "eporroq" - ], - "rsa.internal.level": 7668, - "rsa.internal.messageid": "BADMTHD", - "rsa.misc.action": [ - "ugiatn" - ], - "rsa.misc.result_code": "ectiono", - "rsa.network.network_service": "asi", - "rsa.time.event_time": "2017-09-20T03:57:58.000Z", - "rsa.time.timezone": "CT", - "rsa.web.alias_host": "https://api.example.com/dictasun/abore.txt?modocon=ipsu#ntNeq", - "rsa.web.fqdn": 
"https://api.example.com/dictasun/abore.txt?modocon=ipsu#ntNeq", - "rsa.web.web_cookie": "emq", - "rsa.web.web_ref_domain": "example.org", - "service.type": "tomcat", - "source.bytes": 2241, - "source.ip": "10.135.91.88", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "api.example.com", - "url.query": "urExce", - "url.registered_domain": "example.com", - "url.subdomain": "api", - "url.top_level_domain": "com", - "user.name": "eporroq", - "user_agent.device.name": "U307AS", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2017-10-04T11:00:32.000Z", - "event.code": "ABCD", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "October 4 21:00:32 agnaaliq1829.mail.test %APACHETOMCAT- ABCD: 10.81.45.174||tin||fugitse||[04/Oct/2017:9:00:32 CEST]||liquide||https://example.net/Sedutpe/prehen.html?rcit=aecatcup#olabor||estl||erun||iruredol||incidid||7699||https://api.example.org/edquian/loremeu.gif?volupta=dmi#untexpl||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mipsamvo", - "event.timezone": "CEST", - "file.name": "estl", - "fileset.name": "log", - "host.name": "agnaaliq1829.mail.test", - "http.request.referrer": "https://api.example.org/edquian/loremeu.gif?volupta=dmi#untexpl", - "input.type": "log", - "log.offset": 18224, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "agnaaliq1829.mail.test", - "api.example.org", - "example.net", - "https://example.net/Sedutpe/prehen.html?rcit=aecatcup#olabor" - ], - "related.ip": [ - "10.81.45.174" - ], - "related.user": [ - "fugitse" - ], - 
"rsa.internal.messageid": "ABCD", - "rsa.misc.action": [ - "liquide" - ], - "rsa.misc.result_code": "incidid", - "rsa.network.alias_host": [ - "agnaaliq1829.mail.test" - ], - "rsa.network.network_service": "iruredol", - "rsa.time.event_time": "2017-10-04T11:00:32.000Z", - "rsa.time.timezone": "CEST", - "rsa.web.alias_host": "https://example.net/Sedutpe/prehen.html?rcit=aecatcup#olabor", - "rsa.web.fqdn": "https://example.net/Sedutpe/prehen.html?rcit=aecatcup#olabor", - "rsa.web.web_cookie": "mipsamvo", - "rsa.web.web_ref_domain": "api.example.org", - "service.type": "tomcat", - "source.bytes": 7699, - "source.ip": "10.81.45.174", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "example.net", - "url.query": "erun", - "url.registered_domain": "example.net", - "url.top_level_domain": "net", - "user.name": "fugitse", - "user_agent.device.name": "G8142", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2017-10-19T06:03:07.000Z", - "event.code": "rndmmtd", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-3517-rndmmtd: 10.87.179.233||mnisiut||avolu||[19/Oct/2017:4:03:07 PST]||eum||https://www.example.org/umetMal/asper.htm?metcons=itasper#uae||mve||uia||iciad||lorem||6137||https://www.example.org/redol/gnaa.htm?aliquamq=dtempori#toditaut||Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||dexerc", - "event.timezone": "PST", - "file.name": "mve", - "fileset.name": "log", - "http.request.referrer": "https://www.example.org/redol/gnaa.htm?aliquamq=dtempori#toditaut", - "input.type": "log", - "log.offset": 18644, - "observer.product": "TomCat", 
- "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://www.example.org/umetMal/asper.htm?metcons=itasper#uae", - "www.example.org" - ], - "related.ip": [ - "10.87.179.233" - ], - "related.user": [ - "avolu" - ], - "rsa.internal.level": 3517, - "rsa.internal.messageid": "rndmmtd", - "rsa.misc.action": [ - "eum" - ], - "rsa.misc.result_code": "lorem", - "rsa.network.network_service": "iciad", - "rsa.time.event_time": "2017-10-19T06:03:07.000Z", - "rsa.time.timezone": "PST", - "rsa.web.alias_host": "https://www.example.org/umetMal/asper.htm?metcons=itasper#uae", - "rsa.web.fqdn": "https://www.example.org/umetMal/asper.htm?metcons=itasper#uae", - "rsa.web.web_cookie": "dexerc", - "rsa.web.web_ref_domain": "www.example.org", - "service.type": "tomcat", - "source.bytes": 6137, - "source.ip": "10.87.179.233", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www.example.org", - "url.query": "uia", - "url.registered_domain": "example.org", - "url.subdomain": "www", - "url.top_level_domain": "org", - "user.name": "avolu", - "user_agent.device.name": "Samsung SM-S337TL", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 7.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "7.0", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2017-11-02T13:05:41.000Z", - "event.code": "COOK", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-2669-COOK: 10.198.57.130||hitec||henderit||[02/Nov/2017:11:05:41 OMST]||perspici||https://api.example.net/mquisn/queips.gif?emUte=molestia#quir||eavolup||emip||ver||erc||294||https://example.com/iuntNequ/esseq.txt?remq=veniamq#occ||Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 
YaApp_Android/10.90 YaSearchBrowser/10.90||emo", - "event.timezone": "OMST", - "file.name": "eavolup", - "fileset.name": "log", - "http.request.referrer": "https://example.com/iuntNequ/esseq.txt?remq=veniamq#occ", - "input.type": "log", - "log.offset": 19027, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "api.example.net", - "example.com", - "https://api.example.net/mquisn/queips.gif?emUte=molestia#quir" - ], - "related.ip": [ - "10.198.57.130" - ], - "related.user": [ - "henderit" - ], - "rsa.internal.level": 2669, - "rsa.internal.messageid": "COOK", - "rsa.misc.action": [ - "perspici" - ], - "rsa.misc.result_code": "erc", - "rsa.network.network_service": "ver", - "rsa.time.event_time": "2017-11-02T13:05:41.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.alias_host": "https://api.example.net/mquisn/queips.gif?emUte=molestia#quir", - "rsa.web.fqdn": "https://api.example.net/mquisn/queips.gif?emUte=molestia#quir", - "rsa.web.web_cookie": "emo", - "rsa.web.web_ref_domain": "example.com", - "service.type": "tomcat", - "source.bytes": 294, - "source.ip": "10.198.57.130", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "api.example.net", - "url.query": "emip", - "url.registered_domain": "example.net", - "url.subdomain": "api", - "url.top_level_domain": "net", - "user.name": "henderit", - "user_agent.device.name": "U20", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "44.0.2403.147" - }, - { - "@timestamp": "2017-11-16T08:08:15.000Z", - "event.code": "GET", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-494-GET: 
10.218.0.197||dolor||econs||[16/Nov/2017:6:08:15 ET]||eritin||https://www.example.net/yCic/nder.jpg?itanim=nesciun#saqu||iscive||quasiar||aeab||teur||609||https://www.example.org/mol/tur.jpg?usmodi=ree#saquaea||Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||eetd", - "event.timezone": "ET", - "file.name": "iscive", - "fileset.name": "log", - "http.request.referrer": "https://www.example.org/mol/tur.jpg?usmodi=ree#saquaea", - "input.type": "log", - "log.offset": 19452, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://www.example.net/yCic/nder.jpg?itanim=nesciun#saqu", - "www.example.net", - "www.example.org" - ], - "related.ip": [ - "10.218.0.197" - ], - "related.user": [ - "econs" - ], - "rsa.internal.level": 494, - "rsa.internal.messageid": "GET", - "rsa.misc.action": [ - "eritin" - ], - "rsa.misc.result_code": "teur", - "rsa.network.network_service": "aeab", - "rsa.time.event_time": "2017-11-16T08:08:15.000Z", - "rsa.time.timezone": "ET", - "rsa.web.alias_host": "https://www.example.net/yCic/nder.jpg?itanim=nesciun#saqu", - "rsa.web.fqdn": "https://www.example.net/yCic/nder.jpg?itanim=nesciun#saqu", - "rsa.web.web_cookie": "eetd", - "rsa.web.web_ref_domain": "www.example.org", - "service.type": "tomcat", - "source.bytes": 609, - "source.ip": "10.218.0.197", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www.example.net", - "url.query": "quasiar", - "url.registered_domain": "example.net", - "url.subdomain": "www", - "url.top_level_domain": "net", - "user.name": "econs", - "user_agent.device.name": "POCOPHONE F1", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": 
"9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2017-12-01T03:10:49.000Z", - "event.code": "get", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "December 1 01:10:49 iatqu7310.api.home %APACHETOMCAT- get: 10.123.199.198||irured||illumqui||[01/Dec/2017:1:10:49 PST]||tionula||https://mail.example.com/ecatcupi/uamei.html?nreprehe=onse#olorem||turvel||eratv||ipsa||asuntexp||1390||https://example.com/oremquel/lmole.jpg?boNem=iumt#tsed||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||mpo", - "event.timezone": "PST", - "file.name": "turvel", - "fileset.name": "log", - "host.name": "iatqu7310.api.home", - "http.request.referrer": "https://example.com/oremquel/lmole.jpg?boNem=iumt#tsed", - "input.type": "log", - "log.offset": 19817, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "example.com", - "https://mail.example.com/ecatcupi/uamei.html?nreprehe=onse#olorem", - "iatqu7310.api.home", - "mail.example.com" - ], - "related.ip": [ - "10.123.199.198" - ], - "related.user": [ - "illumqui" - ], - "rsa.internal.messageid": "get", - "rsa.misc.action": [ - "tionula" - ], - "rsa.misc.result_code": "asuntexp", - "rsa.network.alias_host": [ - "iatqu7310.api.home" - ], - "rsa.network.network_service": "ipsa", - "rsa.time.event_time": "2017-12-01T03:10:49.000Z", - "rsa.time.timezone": "PST", - "rsa.web.alias_host": "https://mail.example.com/ecatcupi/uamei.html?nreprehe=onse#olorem", - "rsa.web.fqdn": "https://mail.example.com/ecatcupi/uamei.html?nreprehe=onse#olorem", - "rsa.web.web_cookie": "mpo", - "rsa.web.web_ref_domain": "example.com", - "service.type": "tomcat", - "source.bytes": 1390, - "source.ip": "10.123.199.198", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "mail.example.com", - "url.query": "eratv", - "url.registered_domain": "example.com", - "url.subdomain": 
"mail", - "url.top_level_domain": "com", - "user.name": "illumqui", - "user_agent.device.name": "Asus X01BDA", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "80.0.3987.162" - }, - { - "@timestamp": "2017-12-15T10:13:24.000Z", - "event.code": "POST", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "December 15 08:13:24 uamnihil6127.api.domain %APACHETOMCAT- POST: 10.29.119.245||tatnon||leumiur||[15/Dec/2017:8:13:24 ET]||ore||https://internal.example.net/ection/roquisqu.html?ceroinB=nim#utaliqu||rsi||taliqui||mides||ciun||39||https://example.org/iatqu/inBCSedu.gif?urExcep=ema#suntex||Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36||anim", - "event.timezone": "ET", - "file.name": "rsi", - "fileset.name": "log", - "host.name": "uamnihil6127.api.domain", - "http.request.referrer": "https://example.org/iatqu/inBCSedu.gif?urExcep=ema#suntex", - "input.type": "log", - "log.offset": 20237, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "example.org", - "https://internal.example.net/ection/roquisqu.html?ceroinB=nim#utaliqu", - "internal.example.net", - "uamnihil6127.api.domain" - ], - "related.ip": [ - "10.29.119.245" - ], - "related.user": [ - "leumiur" - ], - "rsa.internal.messageid": "POST", - "rsa.misc.action": [ - "ore" - ], - "rsa.misc.result_code": "ciun", - "rsa.network.alias_host": [ - "uamnihil6127.api.domain" - ], - "rsa.network.network_service": "mides", - "rsa.time.event_time": "2017-12-15T10:13:24.000Z", - "rsa.time.timezone": "ET", - "rsa.web.alias_host": 
"https://internal.example.net/ection/roquisqu.html?ceroinB=nim#utaliqu", - "rsa.web.fqdn": "https://internal.example.net/ection/roquisqu.html?ceroinB=nim#utaliqu", - "rsa.web.web_cookie": "anim", - "rsa.web.web_ref_domain": "example.org", - "service.type": "tomcat", - "source.bytes": 39, - "source.ip": "10.29.119.245", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "internal.example.net", - "url.query": "taliqui", - "url.registered_domain": "example.net", - "url.subdomain": "internal", - "url.top_level_domain": "net", - "user.name": "leumiur", - "user_agent.device.name": "Mac", - "user_agent.name": "Yandex Browser", - "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", - "user_agent.os.full": "Mac OS X 10.15.6", - "user_agent.os.name": "Mac OS X", - "user_agent.os.version": "10.15.6", - "user_agent.version": "20.3.0" - }, - { - "@timestamp": "2017-12-29T05:15:58.000Z", - "event.code": "DETECT_METHOD_TYPE", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "December 29 15:15:58 uov1629.internal.invalid %APACHETOMCAT- DETECT_METHOD_TYPE: 10.130.175.17||quide||quaU||[29/Dec/2017:3:15:58 PT]||inimav||https://mail.example.net/iutali/itat.txt?Finibus=radi#xeacom||des||atnulapa||billo||rroqu||2170||https://www.example.org/taedi/tquido.html?etconsec=elillum#upt||Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||onsectet", - "event.timezone": "PT", - "file.name": "des", - "fileset.name": "log", - "host.name": "uov1629.internal.invalid", - "http.request.referrer": "https://www.example.org/taedi/tquido.html?etconsec=elillum#upt", - "input.type": "log", - "log.offset": 20688, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - 
"https://mail.example.net/iutali/itat.txt?Finibus=radi#xeacom", - "mail.example.net", - "uov1629.internal.invalid", - "www.example.org" - ], - "related.ip": [ - "10.130.175.17" - ], - "related.user": [ - "quaU" - ], - "rsa.internal.messageid": "DETECT_METHOD_TYPE", - "rsa.misc.action": [ - "inimav" - ], - "rsa.misc.result_code": "rroqu", - "rsa.network.alias_host": [ - "uov1629.internal.invalid" - ], - "rsa.network.network_service": "billo", - "rsa.time.event_time": "2017-12-29T05:15:58.000Z", - "rsa.time.timezone": "PT", - "rsa.web.alias_host": "https://mail.example.net/iutali/itat.txt?Finibus=radi#xeacom", - "rsa.web.fqdn": "https://mail.example.net/iutali/itat.txt?Finibus=radi#xeacom", - "rsa.web.web_cookie": "onsectet", - "rsa.web.web_ref_domain": "www.example.org", - "service.type": "tomcat", - "source.bytes": 2170, - "source.ip": "10.130.175.17", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "mail.example.net", - "url.query": "atnulapa", - "url.registered_domain": "example.net", - "url.subdomain": "mail", - "url.top_level_domain": "net", - "user.name": "quaU", - "user_agent.device.name": "U307AS", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2018-01-12T12:18:32.000Z", - "event.code": "PROPFIND", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-5752-PROPFIND: 10.166.90.130||mdolore||eosquira||[12/Jan/2018:10:18:32 CET]||lloinven||https://mail.example.net/lmolesti/apariatu.htm?moe=msequ#uat||lupta||npr||etconsec||caboNem||1043||https://internal.example.org/litesseq/atcupida.html?tob=dolores#equamnih||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like 
Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||deF", - "event.timezone": "CET", - "file.name": "lupta", - "fileset.name": "log", - "http.request.referrer": "https://internal.example.org/litesseq/atcupida.html?tob=dolores#equamnih", - "input.type": "log", - "log.offset": 21121, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://mail.example.net/lmolesti/apariatu.htm?moe=msequ#uat", - "internal.example.org", - "mail.example.net" - ], - "related.ip": [ - "10.166.90.130" - ], - "related.user": [ - "eosquira" - ], - "rsa.internal.level": 5752, - "rsa.internal.messageid": "PROPFIND", - "rsa.misc.action": [ - "lloinven" - ], - "rsa.misc.result_code": "caboNem", - "rsa.network.network_service": "etconsec", - "rsa.time.event_time": "2018-01-12T12:18:32.000Z", - "rsa.time.timezone": "CET", - "rsa.web.alias_host": "https://mail.example.net/lmolesti/apariatu.htm?moe=msequ#uat", - "rsa.web.fqdn": "https://mail.example.net/lmolesti/apariatu.htm?moe=msequ#uat", - "rsa.web.web_cookie": "deF", - "rsa.web.web_ref_domain": "internal.example.org", - "service.type": "tomcat", - "source.bytes": 1043, - "source.ip": "10.166.90.130", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "mail.example.net", - "url.query": "npr", - "url.registered_domain": "example.net", - "url.subdomain": "mail", - "url.top_level_domain": "net", - "user.name": "eosquira", - "user_agent.device.name": "Samsung SM-A260G", - "user_agent.name": "Chrome Mobile WebView", - "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", - "user_agent.os.full": "Android 8.1.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "8.1.0", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2018-01-27T07:21:06.000Z", - "event.code": "GET", - 
"event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "January 27 05:21:06 orumw5960.www5.home %APACHETOMCAT- GET: 10.248.111.207||dolor||tiumto||[27/Jan/2018:5:21:06 GMT-07:00]||quiavol||https://api.example.org/ratv/alorum.jpg?tali=BCS#qui||ugiatquo||incidid||quin||autemv||6174||https://internal.example.org/mipsumqu/tatio.jpg?admi=onnu#olorema||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||atatnon", - "event.timezone": "GMT-07:00", - "file.name": "ugiatquo", - "fileset.name": "log", - "host.name": "orumw5960.www5.home", - "http.request.referrer": "https://internal.example.org/mipsumqu/tatio.jpg?admi=onnu#olorema", - "input.type": "log", - "log.offset": 21574, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "api.example.org", - "https://api.example.org/ratv/alorum.jpg?tali=BCS#qui", - "internal.example.org", - "orumw5960.www5.home" - ], - "related.ip": [ - "10.248.111.207" - ], - "related.user": [ - "tiumto" - ], - "rsa.internal.messageid": "GET", - "rsa.misc.action": [ - "quiavol" - ], - "rsa.misc.result_code": "autemv", - "rsa.network.alias_host": [ - "orumw5960.www5.home" - ], - "rsa.network.network_service": "quin", - "rsa.time.event_time": "2018-01-27T07:21:06.000Z", - "rsa.time.timezone": "GMT-07:00", - "rsa.web.alias_host": "https://api.example.org/ratv/alorum.jpg?tali=BCS#qui", - "rsa.web.fqdn": "https://api.example.org/ratv/alorum.jpg?tali=BCS#qui", - "rsa.web.web_cookie": "atatnon", - "rsa.web.web_ref_domain": "internal.example.org", - "service.type": "tomcat", - "source.bytes": 6174, - "source.ip": "10.248.111.207", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "api.example.org", - "url.query": "incidid", - "url.registered_domain": "example.org", - "url.subdomain": "api", - "url.top_level_domain": "org", - "user.name": "tiumto", - "user_agent.device.name": "G8142", - 
"user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2018-02-10T14:23:41.000Z", - "event.code": "asdf", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-2940-asdf: 10.185.37.32||ame||tesseq||[10/Feb/2018:12:23:41 GMT+02:00]||tem||https://internal.example.net/gitse/ugitse.jpg?tvolup=tdolore#ventore||red||sinto||tatev||luptas||3286||https://api.example.net/aev/inrepr.gif?iadese=nisiu#imad||Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||ptatem", - "event.timezone": "GMT+02:00", - "file.name": "red", - "fileset.name": "log", - "http.request.referrer": "https://api.example.net/aev/inrepr.gif?iadese=nisiu#imad", - "input.type": "log", - "log.offset": 21994, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "api.example.net", - "https://internal.example.net/gitse/ugitse.jpg?tvolup=tdolore#ventore", - "internal.example.net" - ], - "related.ip": [ - "10.185.37.32" - ], - "related.user": [ - "tesseq" - ], - "rsa.internal.level": 2940, - "rsa.internal.messageid": "asdf", - "rsa.misc.action": [ - "tem" - ], - "rsa.misc.result_code": "luptas", - "rsa.network.network_service": "tatev", - "rsa.time.event_time": "2018-02-10T14:23:41.000Z", - "rsa.time.timezone": "GMT+02:00", - "rsa.web.alias_host": "https://internal.example.net/gitse/ugitse.jpg?tvolup=tdolore#ventore", - "rsa.web.fqdn": "https://internal.example.net/gitse/ugitse.jpg?tvolup=tdolore#ventore", - "rsa.web.web_cookie": "ptatem", - "rsa.web.web_ref_domain": 
"api.example.net", - "service.type": "tomcat", - "source.bytes": 3286, - "source.ip": "10.185.37.32", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "internal.example.net", - "url.query": "sinto", - "url.registered_domain": "example.net", - "url.subdomain": "internal", - "url.top_level_domain": "net", - "user.name": "tesseq", - "user_agent.device.name": "ZTE Blade V1000RU", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2018-02-24T09:26:15.000Z", - "event.code": "SEARCH", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-4927-SEARCH: 10.5.194.202||onproide||ntmo||[24/Feb/2018:7:26:15 CET]||riosa||https://example.org/pisc/urEx.html?rautod=olest#eataev||atcupi||atem||qui||otamr||7278||https://internal.example.com/meaque/uid.htm?tion=tobeatae#maccusa||Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||iqua", - "event.timezone": "CET", - "file.name": "atcupi", - "fileset.name": "log", - "http.request.referrer": "https://internal.example.com/meaque/uid.htm?tion=tobeatae#maccusa", - "input.type": "log", - "log.offset": 22449, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "example.org", - "https://example.org/pisc/urEx.html?rautod=olest#eataev", - "internal.example.com" - ], - "related.ip": [ - "10.5.194.202" - ], - "related.user": [ - "ntmo" - ], - "rsa.internal.level": 4927, - "rsa.internal.messageid": "SEARCH", - "rsa.misc.action": [ - "riosa" - ], - "rsa.misc.result_code": "otamr", - 
"rsa.network.network_service": "qui", - "rsa.time.event_time": "2018-02-24T09:26:15.000Z", - "rsa.time.timezone": "CET", - "rsa.web.alias_host": "https://example.org/pisc/urEx.html?rautod=olest#eataev", - "rsa.web.fqdn": "https://example.org/pisc/urEx.html?rautod=olest#eataev", - "rsa.web.web_cookie": "iqua", - "rsa.web.web_ref_domain": "internal.example.com", - "service.type": "tomcat", - "source.bytes": 7278, - "source.ip": "10.5.194.202", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "example.org", - "url.query": "atem", - "url.registered_domain": "example.org", - "url.top_level_domain": "org", - "user.name": "ntmo", - "user_agent.device.name": "LM-V350", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2018-03-11T04:28:49.000Z", - "event.code": "PRONECT", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "March 11 02:28:49 deriti6952.mail.domain %APACHETOMCAT- PRONECT: 10.183.34.1||boree||isn||[11/Mar/2018:2:28:49 CEST]||der||https://www5.example.com/aconse/prehe.gif?diduntu=eiusmod#itation||veleum||piciatis||nes||lmolesti||1559||https://www.example.org/emaperia/Section.txt?iame=orroquis#aquio||Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30||ntmoll", - "event.timezone": "CEST", - "file.name": "veleum", - "fileset.name": "log", - "host.name": "deriti6952.mail.domain", - "http.request.referrer": "https://www.example.org/emaperia/Section.txt?iame=orroquis#aquio", - "input.type": "log", - "log.offset": 22822, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - 
"deriti6952.mail.domain", - "https://www5.example.com/aconse/prehe.gif?diduntu=eiusmod#itation", - "www.example.org", - "www5.example.com" - ], - "related.ip": [ - "10.183.34.1" - ], - "related.user": [ - "isn" - ], - "rsa.internal.messageid": "PRONECT", - "rsa.misc.action": [ - "der" - ], - "rsa.misc.result_code": "lmolesti", - "rsa.network.alias_host": [ - "deriti6952.mail.domain" - ], - "rsa.network.network_service": "nes", - "rsa.time.event_time": "2018-03-11T04:28:49.000Z", - "rsa.time.timezone": "CEST", - "rsa.web.alias_host": "https://www5.example.com/aconse/prehe.gif?diduntu=eiusmod#itation", - "rsa.web.fqdn": "https://www5.example.com/aconse/prehe.gif?diduntu=eiusmod#itation", - "rsa.web.web_cookie": "ntmoll", - "rsa.web.web_ref_domain": "www.example.org", - "service.type": "tomcat", - "source.bytes": 1559, - "source.ip": "10.183.34.1", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www5.example.com", - "url.query": "piciatis", - "url.registered_domain": "example.com", - "url.subdomain": "www5", - "url.top_level_domain": "com", - "user.name": "isn", - "user_agent.device.name": "Samsung GT-P3100 ", - "user_agent.name": "Android", - "user_agent.original": "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30", - "user_agent.os.full": "Android 4.0.3", - "user_agent.os.name": "Android", - "user_agent.os.version": "4.0.3", - "user_agent.version": "4.0.3" - }, - { - "@timestamp": "2018-03-25T11:31:24.000Z", - "event.code": "CFYZ", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-4472-CFYZ: 10.101.163.40||abor||nBCSe||[25/Mar/2018:9:31:24 CEST]||remips||https://mail.example.net/reetdolo/rationev.html?reetdol=uelauda#ema||odi||ptatems||runtmo||ore||3512||https://internal.example.com/undeom/emullamc.jpg?quaer=eetdo#tlab||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/63.0.3239.111 Mobile Safari/537.36||liq", - "event.timezone": "CEST", - "file.name": "odi", - "fileset.name": "log", - "http.request.referrer": "https://internal.example.com/undeom/emullamc.jpg?quaer=eetdo#tlab", - "input.type": "log", - "log.offset": 23258, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://mail.example.net/reetdolo/rationev.html?reetdol=uelauda#ema", - "internal.example.com", - "mail.example.net" - ], - "related.ip": [ - "10.101.163.40" - ], - "related.user": [ - "nBCSe" - ], - "rsa.internal.level": 4472, - "rsa.internal.messageid": "CFYZ", - "rsa.misc.action": [ - "remips" - ], - "rsa.misc.result_code": "ore", - "rsa.network.network_service": "runtmo", - "rsa.time.event_time": "2018-03-25T11:31:24.000Z", - "rsa.time.timezone": "CEST", - "rsa.web.alias_host": "https://mail.example.net/reetdolo/rationev.html?reetdol=uelauda#ema", - "rsa.web.fqdn": "https://mail.example.net/reetdolo/rationev.html?reetdol=uelauda#ema", - "rsa.web.web_cookie": "liq", - "rsa.web.web_ref_domain": "internal.example.com", - "service.type": "tomcat", - "source.bytes": 3512, - "source.ip": "10.101.163.40", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "mail.example.net", - "url.query": "ptatems", - "url.registered_domain": "example.net", - "url.subdomain": "mail", - "url.top_level_domain": "net", - "user.name": "nBCSe", - "user_agent.device.name": "Micromax P410i", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", - "user_agent.os.full": "Android 4.1.2", - "user_agent.os.name": "Android", - "user_agent.os.version": "4.1.2", - "user_agent.version": "63.0.3239.111" - }, - { - "@timestamp": "2018-04-08T06:33:58.000Z", - "event.code": "uGET", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": 
"April 8 16:33:58 nse3421.mail.localhost %APACHETOMCAT- uGET: 10.216.188.152||oremi||ugitsedq||[08/Apr/2018:4:33:58 ET]||atDuis||https://www5.example.com/mUteni/quira.htm?ore=tation#loinve||tatevel||iumdolo||untu||ict||2699||https://internal.example.com/riosamni/icta.gif?umetMa=imadmin#iqui||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||Nequepo", - "event.timezone": "ET", - "file.name": "tatevel", - "fileset.name": "log", - "host.name": "nse3421.mail.localhost", - "http.request.referrer": "https://internal.example.com/riosamni/icta.gif?umetMa=imadmin#iqui", - "input.type": "log", - "log.offset": 23666, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://www5.example.com/mUteni/quira.htm?ore=tation#loinve", - "internal.example.com", - "nse3421.mail.localhost", - "www5.example.com" - ], - "related.ip": [ - "10.216.188.152" - ], - "related.user": [ - "ugitsedq" - ], - "rsa.internal.messageid": "uGET", - "rsa.misc.action": [ - "atDuis" - ], - "rsa.misc.result_code": "ict", - "rsa.network.alias_host": [ - "nse3421.mail.localhost" - ], - "rsa.network.network_service": "untu", - "rsa.time.event_time": "2018-04-08T06:33:58.000Z", - "rsa.time.timezone": "ET", - "rsa.web.alias_host": "https://www5.example.com/mUteni/quira.htm?ore=tation#loinve", - "rsa.web.fqdn": "https://www5.example.com/mUteni/quira.htm?ore=tation#loinve", - "rsa.web.web_cookie": "Nequepo", - "rsa.web.web_ref_domain": "internal.example.com", - "service.type": "tomcat", - "source.bytes": 2699, - "source.ip": "10.216.188.152", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www5.example.com", - "url.query": "iumdolo", - "url.registered_domain": "example.com", - "url.subdomain": "www5", - "url.top_level_domain": "com", - "user.name": "ugitsedq", - "user_agent.device.name": "Samsung SM-A260G", - 
"user_agent.name": "Chrome Mobile WebView", - "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", - "user_agent.os.full": "Android 8.1.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "8.1.0", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2018-04-22T13:36:32.000Z", - "event.code": "nGET", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-1033-nGET: 10.94.140.77||veniam||isnisiu||[22/Apr/2018:11:36:32 OMST]||dol||https://www5.example.org/setquas/minim.gif?tutlabor=reseosq#gna||isiutali||lumqu||onulamco||ons||5050||https://mail.example.net/unt/tass.html?tla=mquiad#CSe||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||psa", - "event.timezone": "OMST", - "file.name": "isiutali", - "fileset.name": "log", - "http.request.referrer": "https://mail.example.net/unt/tass.html?tla=mquiad#CSe", - "input.type": "log", - "log.offset": 24141, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://www5.example.org/setquas/minim.gif?tutlabor=reseosq#gna", - "mail.example.net", - "www5.example.org" - ], - "related.ip": [ - "10.94.140.77" - ], - "related.user": [ - "isnisiu" - ], - "rsa.internal.level": 1033, - "rsa.internal.messageid": "nGET", - "rsa.misc.action": [ - "dol" - ], - "rsa.misc.result_code": "ons", - "rsa.network.network_service": "onulamco", - "rsa.time.event_time": "2018-04-22T13:36:32.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.alias_host": "https://www5.example.org/setquas/minim.gif?tutlabor=reseosq#gna", - "rsa.web.fqdn": "https://www5.example.org/setquas/minim.gif?tutlabor=reseosq#gna", - "rsa.web.web_cookie": "psa", - "rsa.web.web_ref_domain": "mail.example.net", - "service.type": "tomcat", - "source.bytes": 5050, - 
"source.ip": "10.94.140.77", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www5.example.org", - "url.query": "lumqu", - "url.registered_domain": "example.org", - "url.subdomain": "www5", - "url.top_level_domain": "org", - "user.name": "isnisiu", - "user_agent.device.name": "Generic Smartphone", - "user_agent.name": "Opera Mini", - "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", - "user_agent.os.name": "Symbian OS", - "user_agent.version": "7.1.32444" - }, - { - "@timestamp": "2018-05-07T08:39:06.000Z", - "event.code": "PUT", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-4133-PUT: 10.223.205.204||lor||ccaec||[07/May/2018:6:39:06 PST]||ommo||https://www.example.com/laudanti/umiurer.txt?rsitvolu=mnisi#usmo||iamea||imaveni||uiacon||iam||7526||https://mail.example.org/oin/itseddoe.html?citati=uamei#eursinto||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||tutla", - "event.timezone": "PST", - "file.name": "iamea", - "fileset.name": "log", - "http.request.referrer": "https://mail.example.org/oin/itseddoe.html?citati=uamei#eursinto", - "input.type": "log", - "log.offset": 24484, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://www.example.com/laudanti/umiurer.txt?rsitvolu=mnisi#usmo", - "mail.example.org", - "www.example.com" - ], - "related.ip": [ - "10.223.205.204" - ], - "related.user": [ - "ccaec" - ], - "rsa.internal.level": 4133, - "rsa.internal.messageid": "PUT", - "rsa.misc.action": [ - "ommo" - ], - "rsa.misc.result_code": "iam", - "rsa.network.network_service": "uiacon", - "rsa.time.event_time": "2018-05-07T08:39:06.000Z", - "rsa.time.timezone": "PST", - "rsa.web.alias_host": 
"https://www.example.com/laudanti/umiurer.txt?rsitvolu=mnisi#usmo", - "rsa.web.fqdn": "https://www.example.com/laudanti/umiurer.txt?rsitvolu=mnisi#usmo", - "rsa.web.web_cookie": "tutla", - "rsa.web.web_ref_domain": "mail.example.org", - "service.type": "tomcat", - "source.bytes": 7526, - "source.ip": "10.223.205.204", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www.example.com", - "url.query": "imaveni", - "url.registered_domain": "example.com", - "url.subdomain": "www", - "url.top_level_domain": "com", - "user.name": "ccaec", - "user_agent.device.name": "Samsung SM-A260G", - "user_agent.name": "Chrome Mobile WebView", - "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", - "user_agent.os.full": "Android 8.1.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "8.1.0", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2018-05-21T03:41:41.000Z", - "event.code": "PUT", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "May 21 13:41:41 tautfug689.localdomain %APACHETOMCAT- PUT: 10.85.137.156||atiset||serror||[21/May/2018:1:41:41 CEST]||isiut||https://mail.example.org/ici/nisiuta.jpg?itae=dtempo#atnula||ditautf||itametc||ori||uamqu||2804||https://example.com/quiac/sunt.gif?etdol=dolorsi#nturmag||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||Except", - "event.timezone": "CEST", - "file.name": "ditautf", - "fileset.name": "log", - "host.name": "tautfug689.localdomain", - "http.request.referrer": "https://example.com/quiac/sunt.gif?etdol=dolorsi#nturmag", - "input.type": "log", - "log.offset": 24917, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "example.com", - 
"https://mail.example.org/ici/nisiuta.jpg?itae=dtempo#atnula", - "mail.example.org", - "tautfug689.localdomain" - ], - "related.ip": [ - "10.85.137.156" - ], - "related.user": [ - "serror" - ], - "rsa.internal.messageid": "PUT", - "rsa.misc.action": [ - "isiut" - ], - "rsa.misc.result_code": "uamqu", - "rsa.network.alias_host": [ - "tautfug689.localdomain" - ], - "rsa.network.network_service": "ori", - "rsa.time.event_time": "2018-05-21T03:41:41.000Z", - "rsa.time.timezone": "CEST", - "rsa.web.alias_host": "https://mail.example.org/ici/nisiuta.jpg?itae=dtempo#atnula", - "rsa.web.fqdn": "https://mail.example.org/ici/nisiuta.jpg?itae=dtempo#atnula", - "rsa.web.web_cookie": "Except", - "rsa.web.web_ref_domain": "example.com", - "service.type": "tomcat", - "source.bytes": 2804, - "source.ip": "10.85.137.156", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "mail.example.org", - "url.query": "itametc", - "url.registered_domain": "example.org", - "url.subdomain": "mail", - "url.top_level_domain": "org", - "user.name": "serror", - "user_agent.device.name": "LG-$2", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2018-06-04T10:44:15.000Z", - "event.code": "QUALYS", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "June 4 20:44:15 totam6886.api.localhost %APACHETOMCAT- QUALYS: 10.12.54.142||trudex||liquam||[04/Jun/2018:8:44:15 PST]||lor||https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS||iciadese||riatur||oeni||dol||3000||https://www5.example.net/teturadi/ditau.gif?piscivel=hend#eacommo||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile 
Safari/537.36||aer", - "event.timezone": "PST", - "file.name": "iciadese", - "fileset.name": "log", - "host.name": "totam6886.api.localhost", - "http.request.referrer": "https://www5.example.net/teturadi/ditau.gif?piscivel=hend#eacommo", - "input.type": "log", - "log.offset": 25326, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS", - "mail.example.com", - "totam6886.api.localhost", - "www5.example.net" - ], - "related.ip": [ - "10.12.54.142" - ], - "related.user": [ - "liquam" - ], - "rsa.internal.messageid": "QUALYS", - "rsa.misc.action": [ - "lor" - ], - "rsa.misc.result_code": "dol", - "rsa.network.alias_host": [ - "totam6886.api.localhost" - ], - "rsa.network.network_service": "oeni", - "rsa.time.event_time": "2018-06-04T10:44:15.000Z", - "rsa.time.timezone": "PST", - "rsa.web.alias_host": "https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS", - "rsa.web.fqdn": "https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS", - "rsa.web.web_cookie": "aer", - "rsa.web.web_ref_domain": "www5.example.net", - "service.type": "tomcat", - "source.bytes": 3000, - "source.ip": "10.12.54.142", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "mail.example.com", - "url.query": "riatur", - "url.registered_domain": "example.com", - "url.subdomain": "mail", - "url.top_level_domain": "com", - "user.name": "liquam", - "user_agent.device.name": "LG-$2", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2018-06-19T05:46:49.000Z", - "event.code": "RNDMMTD", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - 
"event.original": "%APACHETOMCAT-3864-RNDMMTD: 10.158.6.52||dolorem||sed||[19/Jun/2018:3:46:49 OMST]||Nemoenim||https://example.net/labori/porai.gif?utali=sed#xeac||umdolors||lumdo||acom||eFini||4262||https://internal.example.org/uovol/prehend.html?eque=eufug#est||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||ntincul", - "event.timezone": "OMST", - "file.name": "umdolors", - "fileset.name": "log", - "http.request.referrer": "https://internal.example.org/uovol/prehend.html?eque=eufug#est", - "input.type": "log", - "log.offset": 25746, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "example.net", - "https://example.net/labori/porai.gif?utali=sed#xeac", - "internal.example.org" - ], - "related.ip": [ - "10.158.6.52" - ], - "related.user": [ - "sed" - ], - "rsa.internal.level": 3864, - "rsa.internal.messageid": "RNDMMTD", - "rsa.misc.action": [ - "Nemoenim" - ], - "rsa.misc.result_code": "eFini", - "rsa.network.network_service": "acom", - "rsa.time.event_time": "2018-06-19T05:46:49.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.alias_host": "https://example.net/labori/porai.gif?utali=sed#xeac", - "rsa.web.fqdn": "https://example.net/labori/porai.gif?utali=sed#xeac", - "rsa.web.web_cookie": "ntincul", - "rsa.web.web_ref_domain": "internal.example.org", - "service.type": "tomcat", - "source.bytes": 4262, - "source.ip": "10.158.6.52", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "example.net", - "url.query": "lumdo", - "url.registered_domain": "example.net", - "url.top_level_domain": "net", - "user.name": "sed", - "user_agent.device.name": "XiaoMi Redmi 4X", - "user_agent.name": "MiuiBrowser", - "user_agent.original": "Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 
Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g", - "user_agent.os.full": "Android 7.1.2", - "user_agent.os.name": "Android", - "user_agent.os.version": "7.1.2", - "user_agent.version": "12.2.3" - }, - { - "@timestamp": "2018-07-03T12:49:23.000Z", - "event.code": "MKCOL", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "July 3 10:49:23 tquo854.api.domain %APACHETOMCAT- MKCOL: 10.195.160.182||ine||urerepre||[03/Jul/2018:10:49:23 CT]||itessequ||https://www5.example.org/orissu/fic.gif?ese=mmodoco#amni||atnul||umfugi||stquidol||Nemoenim||1325||https://example.com/tasnul/tuserr.jpg?amvo=tnul#expl||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||isau", - "event.timezone": "CT", - "file.name": "atnul", - "fileset.name": "log", - "host.name": "tquo854.api.domain", - "http.request.referrer": "https://example.com/tasnul/tuserr.jpg?amvo=tnul#expl", - "input.type": "log", - "log.offset": 26190, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "example.com", - "https://www5.example.org/orissu/fic.gif?ese=mmodoco#amni", - "tquo854.api.domain", - "www5.example.org" - ], - "related.ip": [ - "10.195.160.182" - ], - "related.user": [ - "urerepre" - ], - "rsa.internal.messageid": "MKCOL", - "rsa.misc.action": [ - "itessequ" - ], - "rsa.misc.result_code": "Nemoenim", - "rsa.network.alias_host": [ - "tquo854.api.domain" - ], - "rsa.network.network_service": "stquidol", - "rsa.time.event_time": "2018-07-03T12:49:23.000Z", - "rsa.time.timezone": "CT", - "rsa.web.alias_host": "https://www5.example.org/orissu/fic.gif?ese=mmodoco#amni", - "rsa.web.fqdn": "https://www5.example.org/orissu/fic.gif?ese=mmodoco#amni", - "rsa.web.web_cookie": "isau", - "rsa.web.web_ref_domain": "example.com", - "service.type": "tomcat", - "source.bytes": 1325, - "source.ip": "10.195.160.182", - "tags": [ - "forwarded", 
- "tomcat.log" - ], - "url.domain": "www5.example.org", - "url.query": "umfugi", - "url.registered_domain": "example.org", - "url.subdomain": "www5", - "url.top_level_domain": "org", - "user.name": "urerepre", - "user_agent.device.name": "ZTE BLADE V7", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2018-07-17T07:51:58.000Z", - "event.code": "CONNECT", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-6084-CONNECT: 10.20.68.117||rQuisaut||quas||[17/Jul/2018:5:51:58 ET]||metco||https://mail.example.com/iuntNeq/eddoei.jpg?sseq=eriam#pernat||udan||archi||iutaliq||urQuis||1742||https://example.net/orum/Bonoru.txt?agnamal=quei#quio||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||lamcola", - "event.timezone": "ET", - "file.name": "udan", - "fileset.name": "log", - "http.request.referrer": "https://example.net/orum/Bonoru.txt?agnamal=quei#quio", - "input.type": "log", - "log.offset": 26601, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "example.net", - "https://mail.example.com/iuntNeq/eddoei.jpg?sseq=eriam#pernat", - "mail.example.com" - ], - "related.ip": [ - "10.20.68.117" - ], - "related.user": [ - "quas" - ], - "rsa.internal.level": 6084, - "rsa.internal.messageid": "CONNECT", - "rsa.misc.action": [ - "metco" - ], - "rsa.misc.result_code": "urQuis", - "rsa.network.network_service": "iutaliq", - "rsa.time.event_time": "2018-07-17T07:51:58.000Z", - "rsa.time.timezone": "ET", - "rsa.web.alias_host": "https://mail.example.com/iuntNeq/eddoei.jpg?sseq=eriam#pernat", - 
"rsa.web.fqdn": "https://mail.example.com/iuntNeq/eddoei.jpg?sseq=eriam#pernat", - "rsa.web.web_cookie": "lamcola", - "rsa.web.web_ref_domain": "example.net", - "service.type": "tomcat", - "source.bytes": 1742, - "source.ip": "10.20.68.117", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "mail.example.com", - "url.query": "archi", - "url.registered_domain": "example.com", - "url.subdomain": "mail", - "url.top_level_domain": "com", - "user.name": "quas", - "user_agent.device.name": "ZTE BLADE V7", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2018-08-01T14:54:32.000Z", - "event.code": "CONNECT", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "August 1 00:54:32 venia6656.api.domain %APACHETOMCAT- CONNECT: 10.94.136.235||mmod||iti||[01/Aug/2018:12:54:32 PST]||amqu||https://www5.example.com/tanimid/onpr.gif?gelitse=oremqu#idex||radip||upta||tetura||rumet||6923||https://www5.example.org/lestia/nde.jpg?pisci=sunt#texplica||Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||ore", - "event.timezone": "PST", - "file.name": "radip", - "fileset.name": "log", - "host.name": "venia6656.api.domain", - "http.request.referrer": "https://www5.example.org/lestia/nde.jpg?pisci=sunt#texplica", - "input.type": "log", - "log.offset": 26982, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://www5.example.com/tanimid/onpr.gif?gelitse=oremqu#idex", - "venia6656.api.domain", - "www5.example.com", - "www5.example.org" - ], - 
"related.ip": [ - "10.94.136.235" - ], - "related.user": [ - "iti" - ], - "rsa.internal.messageid": "CONNECT", - "rsa.misc.action": [ - "amqu" - ], - "rsa.misc.result_code": "rumet", - "rsa.network.alias_host": [ - "venia6656.api.domain" - ], - "rsa.network.network_service": "tetura", - "rsa.time.event_time": "2018-08-01T14:54:32.000Z", - "rsa.time.timezone": "PST", - "rsa.web.alias_host": "https://www5.example.com/tanimid/onpr.gif?gelitse=oremqu#idex", - "rsa.web.fqdn": "https://www5.example.com/tanimid/onpr.gif?gelitse=oremqu#idex", - "rsa.web.web_cookie": "ore", - "rsa.web.web_ref_domain": "www5.example.org", - "service.type": "tomcat", - "source.bytes": 6923, - "source.ip": "10.94.136.235", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www5.example.com", - "url.query": "upta", - "url.registered_domain": "example.com", - "url.subdomain": "www5", - "url.top_level_domain": "com", - "user.name": "iti", - "user_agent.device.name": "Lenovo A2016a40 ", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "48.0.2564.106" - }, - { - "@timestamp": "2018-08-15T09:57:06.000Z", - "event.code": "NCIRCLE", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "August 15 07:57:06 veniam1216.www5.invalid %APACHETOMCAT- NCIRCLE: 10.152.11.26||expli||ugiat||[15/Aug/2018:7:57:06 GMT+02:00]||oinBCSed||https://www.example.net/ntorever/pisciv.gif?eritq=rehen#ipsamvol||elillum||veleumi||nsequatu||nula||2783||https://example.com/santi/ritati.gif?turadip=dip#idolo||Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10||aco", 
- "event.timezone": "GMT+02:00", - "file.name": "elillum", - "fileset.name": "log", - "host.name": "veniam1216.www5.invalid", - "http.request.referrer": "https://example.com/santi/ritati.gif?turadip=dip#idolo", - "input.type": "log", - "log.offset": 27454, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "example.com", - "https://www.example.net/ntorever/pisciv.gif?eritq=rehen#ipsamvol", - "veniam1216.www5.invalid", - "www.example.net" - ], - "related.ip": [ - "10.152.11.26" - ], - "related.user": [ - "ugiat" - ], - "rsa.internal.messageid": "NCIRCLE", - "rsa.misc.action": [ - "oinBCSed" - ], - "rsa.misc.result_code": "nula", - "rsa.network.alias_host": [ - "veniam1216.www5.invalid" - ], - "rsa.network.network_service": "nsequatu", - "rsa.time.event_time": "2018-08-15T09:57:06.000Z", - "rsa.time.timezone": "GMT+02:00", - "rsa.web.alias_host": "https://www.example.net/ntorever/pisciv.gif?eritq=rehen#ipsamvol", - "rsa.web.fqdn": "https://www.example.net/ntorever/pisciv.gif?eritq=rehen#ipsamvol", - "rsa.web.web_cookie": "aco", - "rsa.web.web_ref_domain": "example.com", - "service.type": "tomcat", - "source.bytes": 2783, - "source.ip": "10.152.11.26", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www.example.net", - "url.query": "veleumi", - "url.registered_domain": "example.net", - "url.subdomain": "www", - "url.top_level_domain": "net", - "user.name": "ugiat", - "user_agent.device.name": "Spider", - "user_agent.name": "Other", - "user_agent.original": "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" - }, - { - "@timestamp": "2018-08-29T04:59:40.000Z", - "event.code": "PRONECT", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "August 29 14:59:40 runtm5729.invalid %APACHETOMCAT- PRONECT: 10.82.118.95||bore||ptate||[29/Aug/2018:2:59:40 
GMT+02:00]||labo||https://www5.example.com/quu/xeac.htm?abor=oreverit#scip||Finibus||Utenimad||olupta||tau||5211||https://www5.example.com/itametco/vel.htm?rere=pta#nonn||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||met", - "event.timezone": "GMT+02:00", - "file.name": "Finibus", - "fileset.name": "log", - "host.name": "runtm5729.invalid", - "http.request.referrer": "https://www5.example.com/itametco/vel.htm?rere=pta#nonn", - "input.type": "log", - "log.offset": 27908, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://www5.example.com/quu/xeac.htm?abor=oreverit#scip", - "runtm5729.invalid", - "www5.example.com" - ], - "related.ip": [ - "10.82.118.95" - ], - "related.user": [ - "ptate" - ], - "rsa.internal.messageid": "PRONECT", - "rsa.misc.action": [ - "labo" - ], - "rsa.misc.result_code": "tau", - "rsa.network.alias_host": [ - "runtm5729.invalid" - ], - "rsa.network.network_service": "olupta", - "rsa.time.event_time": "2018-08-29T04:59:40.000Z", - "rsa.time.timezone": "GMT+02:00", - "rsa.web.alias_host": "https://www5.example.com/quu/xeac.htm?abor=oreverit#scip", - "rsa.web.fqdn": "https://www5.example.com/quu/xeac.htm?abor=oreverit#scip", - "rsa.web.web_cookie": "met", - "rsa.web.web_ref_domain": "www5.example.com", - "service.type": "tomcat", - "source.bytes": 5211, - "source.ip": "10.82.118.95", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www5.example.com", - "url.query": "Utenimad", - "url.registered_domain": "example.com", - "url.subdomain": "www5", - "url.top_level_domain": "com", - "user.name": "ptate", - "user_agent.device.name": "5024D_RU", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 
Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "77.0.3865.92" - }, - { - "@timestamp": "2018-09-12T12:02:15.000Z", - "event.code": "id", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-4322-id: 10.187.152.213||conse||ventor||[12/Sep/2018:10:02:15 CEST]||mag||https://www.example.net/mini/Loremip.html?tur=atnonpr#ita||amquaer||aqui||enby||lpa||3948||https://www5.example.net/iat/ffic.htm?cte=aparia#CSe||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||ugitsedq", - "event.timezone": "CEST", - "file.name": "amquaer", - "fileset.name": "log", - "http.request.referrer": "https://www5.example.net/iat/ffic.htm?cte=aparia#CSe", - "input.type": "log", - "log.offset": 28378, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://www.example.net/mini/Loremip.html?tur=atnonpr#ita", - "www.example.net", - "www5.example.net" - ], - "related.ip": [ - "10.187.152.213" - ], - "related.user": [ - "ventor" - ], - "rsa.internal.level": 4322, - "rsa.internal.messageid": "id", - "rsa.misc.action": [ - "mag" - ], - "rsa.misc.result_code": "lpa", - "rsa.network.network_service": "enby", - "rsa.time.event_time": "2018-09-12T12:02:15.000Z", - "rsa.time.timezone": "CEST", - "rsa.web.alias_host": "https://www.example.net/mini/Loremip.html?tur=atnonpr#ita", - "rsa.web.fqdn": "https://www.example.net/mini/Loremip.html?tur=atnonpr#ita", - "rsa.web.web_cookie": "ugitsedq", - "rsa.web.web_ref_domain": "www5.example.net", - "service.type": "tomcat", - "source.bytes": 3948, - "source.ip": "10.187.152.213", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www.example.net", - "url.query": "aqui", - "url.registered_domain": "example.net", - "url.subdomain": "www", - 
"url.top_level_domain": "net", - "user.name": "ventor", - "user_agent.device.name": "Notepad_K10", - "user_agent.name": "Chrome", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2018-09-27T07:04:49.000Z", - "event.code": "uGET", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "September 27 05:04:49 pta6012.www.local %APACHETOMCAT- uGET: 10.98.71.45||destla||fugitse||[27/Sep/2018:5:04:49 GMT+02:00]||eirur||https://www.example.net/duntutla/lamco.txt?isci=Dui#reetdo||ever||civelits||eos||ipitlabo||5440||https://internal.example.net/nonn/hite.htm?ariatur=labo#sautei||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||unt", - "event.timezone": "GMT+02:00", - "file.name": "ever", - "fileset.name": "log", - "host.name": "pta6012.www.local", - "http.request.referrer": "https://internal.example.net/nonn/hite.htm?ariatur=labo#sautei", - "input.type": "log", - "log.offset": 28738, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://www.example.net/duntutla/lamco.txt?isci=Dui#reetdo", - "internal.example.net", - "pta6012.www.local", - "www.example.net" - ], - "related.ip": [ - "10.98.71.45" - ], - "related.user": [ - "fugitse" - ], - "rsa.internal.messageid": "uGET", - "rsa.misc.action": [ - "eirur" - ], - "rsa.misc.result_code": "ipitlabo", - "rsa.network.alias_host": [ - "pta6012.www.local" - ], - "rsa.network.network_service": "eos", - "rsa.time.event_time": "2018-09-27T07:04:49.000Z", - "rsa.time.timezone": "GMT+02:00", - "rsa.web.alias_host": "https://www.example.net/duntutla/lamco.txt?isci=Dui#reetdo", - 
"rsa.web.fqdn": "https://www.example.net/duntutla/lamco.txt?isci=Dui#reetdo", - "rsa.web.web_cookie": "unt", - "rsa.web.web_ref_domain": "internal.example.net", - "service.type": "tomcat", - "source.bytes": 5440, - "source.ip": "10.98.71.45", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www.example.net", - "url.query": "civelits", - "url.registered_domain": "example.net", - "url.subdomain": "www", - "url.top_level_domain": "net", - "user.name": "fugitse", - "user_agent.device.name": "Micromax P410i", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", - "user_agent.os.full": "Android 4.1.2", - "user_agent.os.name": "Android", - "user_agent.os.version": "4.1.2", - "user_agent.version": "63.0.3239.111" - }, - { - "@timestamp": "2018-10-11T14:07:23.000Z", - "event.code": "uGET", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-5971-uGET: 10.86.123.33||ugia||meum||[11/Oct/2018:12:07:23 OMST]||doei||https://www5.example.net/tev/nre.html?occaeca=eturadip#ent||rumSecti||Utenima||olore||orumS||757||https://www5.example.org/eursint/orio.txt?iameaqu=aaliquaU#olu||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||yCiceroi", - "event.timezone": "OMST", - "file.name": "rumSecti", - "fileset.name": "log", - "http.request.referrer": "https://www5.example.org/eursint/orio.txt?iameaqu=aaliquaU#olu", - "input.type": "log", - "log.offset": 29180, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://www5.example.net/tev/nre.html?occaeca=eturadip#ent", - "www5.example.net", - "www5.example.org" - ], - "related.ip": [ - "10.86.123.33" - ], - "related.user": [ - 
"meum" - ], - "rsa.internal.level": 5971, - "rsa.internal.messageid": "uGET", - "rsa.misc.action": [ - "doei" - ], - "rsa.misc.result_code": "orumS", - "rsa.network.network_service": "olore", - "rsa.time.event_time": "2018-10-11T14:07:23.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.alias_host": "https://www5.example.net/tev/nre.html?occaeca=eturadip#ent", - "rsa.web.fqdn": "https://www5.example.net/tev/nre.html?occaeca=eturadip#ent", - "rsa.web.web_cookie": "yCiceroi", - "rsa.web.web_ref_domain": "www5.example.org", - "service.type": "tomcat", - "source.bytes": 757, - "source.ip": "10.86.123.33", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www5.example.net", - "url.query": "Utenima", - "url.registered_domain": "example.net", - "url.subdomain": "www5", - "url.top_level_domain": "net", - "user.name": "meum", - "user_agent.device.name": "XiaoMi Redmi 4X", - "user_agent.name": "MiuiBrowser", - "user_agent.original": "Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g", - "user_agent.os.full": "Android 7.1.2", - "user_agent.os.name": "Android", - "user_agent.os.version": "7.1.2", - "user_agent.version": "12.2.3" - }, - { - "@timestamp": "2018-10-25T09:09:57.000Z", - "event.code": "FGET", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-2852-FGET: 10.6.112.183||deom||oluptat||[25/Oct/2018:7:09:57 GMT-07:00]||eni||https://www5.example.net/uamnih/nseq.txt?uidolo=umdolore#dmi||tam||oremip||eufugi||dunt||6169||https://api.example.net/uidexeac/sequa.html?modoc=magnam#uinesc||Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||idatat", - "event.timezone": "GMT-07:00", - "file.name": "tam", - "fileset.name": "log", - "http.request.referrer": 
"https://api.example.net/uidexeac/sequa.html?modoc=magnam#uinesc", - "input.type": "log", - "log.offset": 29627, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "api.example.net", - "https://www5.example.net/uamnih/nseq.txt?uidolo=umdolore#dmi", - "www5.example.net" - ], - "related.ip": [ - "10.6.112.183" - ], - "related.user": [ - "oluptat" - ], - "rsa.internal.level": 2852, - "rsa.internal.messageid": "FGET", - "rsa.misc.action": [ - "eni" - ], - "rsa.misc.result_code": "dunt", - "rsa.network.network_service": "eufugi", - "rsa.time.event_time": "2018-10-25T09:09:57.000Z", - "rsa.time.timezone": "GMT-07:00", - "rsa.web.alias_host": "https://www5.example.net/uamnih/nseq.txt?uidolo=umdolore#dmi", - "rsa.web.fqdn": "https://www5.example.net/uamnih/nseq.txt?uidolo=umdolore#dmi", - "rsa.web.web_cookie": "idatat", - "rsa.web.web_ref_domain": "api.example.net", - "service.type": "tomcat", - "source.bytes": 6169, - "source.ip": "10.6.112.183", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www5.example.net", - "url.query": "oremip", - "url.registered_domain": "example.net", - "url.subdomain": "www5", - "url.top_level_domain": "net", - "user.name": "oluptat", - "user_agent.device.name": "LM-V350", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2018-11-09T04:12:32.000Z", - "event.code": "LOCK", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "November 9 02:12:32 orsi2109.internal.home %APACHETOMCAT- LOCK: 10.227.156.143||sis||idolo||[09/Nov/2018:2:12:32 
CEST]||tsedquia||https://example.net/umdolor/isiu.html?mmodi=snostr#eniamqu||inimav||tatevel||midestl||nci||6587||https://www5.example.org/nvolupt/meiusm.htm?aturv=ectetura#obeataev||Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10||seq", - "event.timezone": "CEST", - "file.name": "inimav", - "fileset.name": "log", - "host.name": "orsi2109.internal.home", - "http.request.referrer": "https://www5.example.org/nvolupt/meiusm.htm?aturv=ectetura#obeataev", - "input.type": "log", - "log.offset": 30008, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "example.net", - "https://example.net/umdolor/isiu.html?mmodi=snostr#eniamqu", - "orsi2109.internal.home", - "www5.example.org" - ], - "related.ip": [ - "10.227.156.143" - ], - "related.user": [ - "idolo" - ], - "rsa.internal.messageid": "LOCK", - "rsa.misc.action": [ - "tsedquia" - ], - "rsa.misc.result_code": "nci", - "rsa.network.alias_host": [ - "orsi2109.internal.home" - ], - "rsa.network.network_service": "midestl", - "rsa.time.event_time": "2018-11-09T04:12:32.000Z", - "rsa.time.timezone": "CEST", - "rsa.web.alias_host": "https://example.net/umdolor/isiu.html?mmodi=snostr#eniamqu", - "rsa.web.fqdn": "https://example.net/umdolor/isiu.html?mmodi=snostr#eniamqu", - "rsa.web.web_cookie": "seq", - "rsa.web.web_ref_domain": "www5.example.org", - "service.type": "tomcat", - "source.bytes": 6587, - "source.ip": "10.227.156.143", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "example.net", - "url.query": "tatevel", - "url.registered_domain": "example.net", - "url.top_level_domain": "net", - "user.name": "idolo", - "user_agent.device.name": "Spider", - "user_agent.name": "Other", - "user_agent.original": "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) 
yahoo.adquality.lwd.desktop/1591143192-10" - }, - { - "@timestamp": "2018-11-23T11:15:06.000Z", - "event.code": "get", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "November 23 09:15:06 quaeabil2539.www5.lan %APACHETOMCAT- get: 10.124.129.248||iamqui||quide||[23/Nov/2018:9:15:06 CT]||cididun||https://example.org/ibusBo/untincu.jpg?lesti=sintocca#mipsumqu||eprehen||hilmole||sequ||sectetu||7182||https://example.net/dolor/lorumwri.htm?mquis=lab#uido||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mwrit", - "event.timezone": "CT", - "file.name": "eprehen", - "fileset.name": "log", - "host.name": "quaeabil2539.www5.lan", - "http.request.referrer": "https://example.net/dolor/lorumwri.htm?mquis=lab#uido", - "input.type": "log", - "log.offset": 30458, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "example.net", - "example.org", - "https://example.org/ibusBo/untincu.jpg?lesti=sintocca#mipsumqu", - "quaeabil2539.www5.lan" - ], - "related.ip": [ - "10.124.129.248" - ], - "related.user": [ - "quide" - ], - "rsa.internal.messageid": "get", - "rsa.misc.action": [ - "cididun" - ], - "rsa.misc.result_code": "sectetu", - "rsa.network.alias_host": [ - "quaeabil2539.www5.lan" - ], - "rsa.network.network_service": "sequ", - "rsa.time.event_time": "2018-11-23T11:15:06.000Z", - "rsa.time.timezone": "CT", - "rsa.web.alias_host": "https://example.org/ibusBo/untincu.jpg?lesti=sintocca#mipsumqu", - "rsa.web.fqdn": "https://example.org/ibusBo/untincu.jpg?lesti=sintocca#mipsumqu", - "rsa.web.web_cookie": "mwrit", - "rsa.web.web_ref_domain": "example.net", - "service.type": "tomcat", - "source.bytes": 7182, - "source.ip": "10.124.129.248", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "example.org", - "url.query": "hilmole", - "url.registered_domain": "example.org", - "url.top_level_domain": 
"org", - "user.name": "quide", - "user_agent.device.name": "ZTE BLADE V7", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2018-12-07T06:17:40.000Z", - "event.code": "CONNECT", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "December 7 16:17:40 aal1598.mail.host %APACHETOMCAT- CONNECT: 10.173.125.112||quiavolu||upta||[07/Dec/2018:4:17:40 OMST]||umtota||https://www5.example.org/magnaa/sumquiad.gif?oluptate=Duisa#consequa||eaqueip||itaedict||olorema||rep||3380||https://www5.example.net/siarc/fdeFin.jpg?tobeata=nesciun#amcolab||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||isnisiut", - "event.timezone": "OMST", - "file.name": "eaqueip", - "fileset.name": "log", - "host.name": "aal1598.mail.host", - "http.request.referrer": "https://www5.example.net/siarc/fdeFin.jpg?tobeata=nesciun#amcolab", - "input.type": "log", - "log.offset": 30879, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "aal1598.mail.host", - "https://www5.example.org/magnaa/sumquiad.gif?oluptate=Duisa#consequa", - "www5.example.net", - "www5.example.org" - ], - "related.ip": [ - "10.173.125.112" - ], - "related.user": [ - "upta" - ], - "rsa.internal.messageid": "CONNECT", - "rsa.misc.action": [ - "umtota" - ], - "rsa.misc.result_code": "rep", - "rsa.network.alias_host": [ - "aal1598.mail.host" - ], - "rsa.network.network_service": "olorema", - "rsa.time.event_time": "2018-12-07T06:17:40.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.alias_host": "https://www5.example.org/magnaa/sumquiad.gif?oluptate=Duisa#consequa", - 
"rsa.web.fqdn": "https://www5.example.org/magnaa/sumquiad.gif?oluptate=Duisa#consequa", - "rsa.web.web_cookie": "isnisiut", - "rsa.web.web_ref_domain": "www5.example.net", - "service.type": "tomcat", - "source.bytes": 3380, - "source.ip": "10.173.125.112", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www5.example.org", - "url.query": "itaedict", - "url.registered_domain": "example.org", - "url.subdomain": "www5", - "url.top_level_domain": "org", - "user.name": "upta", - "user_agent.device.name": "VS996", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 8.0.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "8.0.0", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2018-12-21T13:20:14.000Z", - "event.code": "GET", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-5227-GET: 10.37.156.140||uisnos||olores||[21/Dec/2018:11:20:14 PST]||epo||https://www.example.org/evolup/rvelil.gif?eavolup=ipsumq#evit||tno||iss||taspe||lum||5911||https://api.example.net/eturad/tDuis.htm?enimadmi=tateveli#osa||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||idolorem", - "event.timezone": "PST", - "file.name": "tno", - "fileset.name": "log", - "http.request.referrer": "https://api.example.net/eturad/tDuis.htm?enimadmi=tateveli#osa", - "input.type": "log", - "log.offset": 31317, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "api.example.net", - "https://www.example.org/evolup/rvelil.gif?eavolup=ipsumq#evit", - "www.example.org" - ], - "related.ip": [ - "10.37.156.140" - ], - "related.user": [ - "olores" - ], - "rsa.internal.level": 5227, - "rsa.internal.messageid": "GET", - "rsa.misc.action": [ - "epo" - ], - 
"rsa.misc.result_code": "lum", - "rsa.network.network_service": "taspe", - "rsa.time.event_time": "2018-12-21T13:20:14.000Z", - "rsa.time.timezone": "PST", - "rsa.web.alias_host": "https://www.example.org/evolup/rvelil.gif?eavolup=ipsumq#evit", - "rsa.web.fqdn": "https://www.example.org/evolup/rvelil.gif?eavolup=ipsumq#evit", - "rsa.web.web_cookie": "idolorem", - "rsa.web.web_ref_domain": "api.example.net", - "service.type": "tomcat", - "source.bytes": 5911, - "source.ip": "10.37.156.140", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www.example.org", - "url.query": "iss", - "url.registered_domain": "example.org", - "url.subdomain": "www", - "url.top_level_domain": "org", - "user.name": "olores", - "user_agent.device.name": "Generic Smartphone", - "user_agent.name": "Opera Mini", - "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", - "user_agent.os.name": "Symbian OS", - "user_agent.version": "7.1.32444" - }, - { - "@timestamp": "2019-01-05T08:22:49.000Z", - "event.code": "PRONECT", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-5776-PRONECT: 10.121.225.135||ufugi||cin||[05/Jan/2019:6:22:49 ET]||byC||https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex||nse||miurere||evit||uatu||2448||https://www5.example.org/uamestqu/mpor.jpg?hender=ptatemU#seq||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||tnulapa", - "event.timezone": "ET", - "file.name": "nse", - "fileset.name": "log", - "http.request.referrer": "https://www5.example.org/uamestqu/mpor.jpg?hender=ptatemU#seq", - "input.type": "log", - "log.offset": 31660, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "example.com", - 
"https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex", - "www5.example.org" - ], - "related.ip": [ - "10.121.225.135" - ], - "related.user": [ - "cin" - ], - "rsa.internal.level": 5776, - "rsa.internal.messageid": "PRONECT", - "rsa.misc.action": [ - "byC" - ], - "rsa.misc.result_code": "uatu", - "rsa.network.network_service": "evit", - "rsa.time.event_time": "2019-01-05T08:22:49.000Z", - "rsa.time.timezone": "ET", - "rsa.web.alias_host": "https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex", - "rsa.web.fqdn": "https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex", - "rsa.web.web_cookie": "tnulapa", - "rsa.web.web_ref_domain": "www5.example.org", - "service.type": "tomcat", - "source.bytes": 2448, - "source.ip": "10.121.225.135", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "example.com", - "url.query": "miurere", - "url.registered_domain": "example.com", - "url.top_level_domain": "com", - "user.name": "cin", - "user_agent.device.name": "5024D_RU", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "77.0.3865.92" - }, - { - "@timestamp": "2019-01-19T03:25:23.000Z", - "event.code": "DEBUG", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-7708-DEBUG: 10.123.68.56||expl||olore||[19/Jan/2019:1:25:23 CEST]||dentsunt||https://www.example.org/animid/upta.jpg?onnumqua=quioff#iuntN||ipis||itautfu||nesci||tam||1206||https://mail.example.net/tetura/eeufug.txt?modt=iduntutl#rsitam||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||ntor", - "event.timezone": "CEST", - "file.name": "ipis", - 
"fileset.name": "log", - "http.request.referrer": "https://mail.example.net/tetura/eeufug.txt?modt=iduntutl#rsitam", - "input.type": "log", - "log.offset": 32096, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://www.example.org/animid/upta.jpg?onnumqua=quioff#iuntN", - "mail.example.net", - "www.example.org" - ], - "related.ip": [ - "10.123.68.56" - ], - "related.user": [ - "olore" - ], - "rsa.internal.level": 7708, - "rsa.internal.messageid": "DEBUG", - "rsa.misc.action": [ - "dentsunt" - ], - "rsa.misc.result_code": "tam", - "rsa.network.network_service": "nesci", - "rsa.time.event_time": "2019-01-19T03:25:23.000Z", - "rsa.time.timezone": "CEST", - "rsa.web.alias_host": "https://www.example.org/animid/upta.jpg?onnumqua=quioff#iuntN", - "rsa.web.fqdn": "https://www.example.org/animid/upta.jpg?onnumqua=quioff#iuntN", - "rsa.web.web_cookie": "ntor", - "rsa.web.web_ref_domain": "mail.example.net", - "service.type": "tomcat", - "source.bytes": 1206, - "source.ip": "10.123.68.56", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www.example.org", - "url.query": "itautfu", - "url.registered_domain": "example.org", - "url.subdomain": "www", - "url.top_level_domain": "org", - "user.name": "olore", - "user_agent.device.name": "Asus X01BDA", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "80.0.3987.162" - }, - { - "@timestamp": "2019-02-02T10:27:57.000Z", - "event.code": "RNDMMTD", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "February 2 20:27:57 oid218.api.invalid %APACHETOMCAT- RNDMMTD: 10.63.56.164||iquid||evo||[02/Feb/2019:8:27:57 
GMT-07:00]||avolu||https://api.example.net/itesse/expl.html?prehende=lup#tpers||orsitv||temseq||uisaute||uun||4638||https://mail.example.net/nemulla/asp.html?ncul=taliq#tautfugi||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||umd", - "event.timezone": "GMT-07:00", - "file.name": "orsitv", - "fileset.name": "log", - "host.name": "oid218.api.invalid", - "http.request.referrer": "https://mail.example.net/nemulla/asp.html?ncul=taliq#tautfugi", - "input.type": "log", - "log.offset": 32480, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "api.example.net", - "https://api.example.net/itesse/expl.html?prehende=lup#tpers", - "mail.example.net", - "oid218.api.invalid" - ], - "related.ip": [ - "10.63.56.164" - ], - "related.user": [ - "evo" - ], - "rsa.internal.messageid": "RNDMMTD", - "rsa.misc.action": [ - "avolu" - ], - "rsa.misc.result_code": "uun", - "rsa.network.alias_host": [ - "oid218.api.invalid" - ], - "rsa.network.network_service": "uisaute", - "rsa.time.event_time": "2019-02-02T10:27:57.000Z", - "rsa.time.timezone": "GMT-07:00", - "rsa.web.alias_host": "https://api.example.net/itesse/expl.html?prehende=lup#tpers", - "rsa.web.fqdn": "https://api.example.net/itesse/expl.html?prehende=lup#tpers", - "rsa.web.web_cookie": "umd", - "rsa.web.web_ref_domain": "mail.example.net", - "service.type": "tomcat", - "source.bytes": 4638, - "source.ip": "10.63.56.164", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "api.example.net", - "url.query": "temseq", - "url.registered_domain": "example.net", - "url.subdomain": "api", - "url.top_level_domain": "net", - "user.name": "evo", - "user_agent.device.name": "Micromax P410i", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/63.0.3239.111 Mobile Safari/537.36", - "user_agent.os.full": "Android 4.1.2", - "user_agent.os.name": "Android", - "user_agent.os.version": "4.1.2", - "user_agent.version": "63.0.3239.111" - }, - { - "@timestamp": "2019-02-17T05:30:32.000Z", - "event.code": "HEAD", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "February 17 03:30:32 sectetur2674.www5.test %APACHETOMCAT- HEAD: 10.62.10.137||eeufugi||deomnisi||[17/Feb/2019:3:30:32 ET]||issus||https://example.net/deritinv/evelite.html?iav=odico#rsint||itl||ttenb||olor||quiav||6648||https://example.com/eumfu/lors.gif?upidata=ici#usant||Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10||con", - "event.timezone": "ET", - "file.name": "itl", - "fileset.name": "log", - "host.name": "sectetur2674.www5.test", - "http.request.referrer": "https://example.com/eumfu/lors.gif?upidata=ici#usant", - "input.type": "log", - "log.offset": 32919, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "example.com", - "example.net", - "https://example.net/deritinv/evelite.html?iav=odico#rsint", - "sectetur2674.www5.test" - ], - "related.ip": [ - "10.62.10.137" - ], - "related.user": [ - "deomnisi" - ], - "rsa.internal.messageid": "HEAD", - "rsa.misc.action": [ - "issus" - ], - "rsa.misc.result_code": "quiav", - "rsa.network.alias_host": [ - "sectetur2674.www5.test" - ], - "rsa.network.network_service": "olor", - "rsa.time.event_time": "2019-02-17T05:30:32.000Z", - "rsa.time.timezone": "ET", - "rsa.web.alias_host": "https://example.net/deritinv/evelite.html?iav=odico#rsint", - "rsa.web.fqdn": "https://example.net/deritinv/evelite.html?iav=odico#rsint", - "rsa.web.web_cookie": "con", - "rsa.web.web_ref_domain": "example.com", - "service.type": "tomcat", - "source.bytes": 6648, - "source.ip": 
"10.62.10.137", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "example.net", - "url.query": "ttenb", - "url.registered_domain": "example.net", - "url.top_level_domain": "net", - "user.name": "deomnisi", - "user_agent.device.name": "Samsung SM-A305FN", - "user_agent.name": "YandexSearch", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "8.10" - }, - { - "@timestamp": "2019-03-03T12:33:06.000Z", - "event.code": "INDEX", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "March 3 10:33:06 sequatD4487.internal.localhost %APACHETOMCAT- INDEX: 10.89.154.115||oeiusmo||nimv||[03/Mar/2019:10:33:06 GMT+02:00]||tconse||https://example.org/tseddoei/teursint.htm?remagnaa=lamcolab#ceroinB||umqui||citation||temsequi||mquia||1119||https://api.example.net/iveli/conseq.htm?ercitat=taspe#yCiceroi||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||cti", - "event.timezone": "GMT+02:00", - "file.name": "umqui", - "fileset.name": "log", - "host.name": "sequatD4487.internal.localhost", - "http.request.referrer": "https://api.example.net/iveli/conseq.htm?ercitat=taspe#yCiceroi", - "input.type": "log", - "log.offset": 33403, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "api.example.net", - "example.org", - "https://example.org/tseddoei/teursint.htm?remagnaa=lamcolab#ceroinB", - "sequatD4487.internal.localhost" - ], - "related.ip": [ - "10.89.154.115" - ], - "related.user": [ - "nimv" - ], - "rsa.internal.messageid": "INDEX", - "rsa.misc.action": [ - "tconse" - ], - "rsa.misc.result_code": "mquia", - 
"rsa.network.alias_host": [ - "sequatD4487.internal.localhost" - ], - "rsa.network.network_service": "temsequi", - "rsa.time.event_time": "2019-03-03T12:33:06.000Z", - "rsa.time.timezone": "GMT+02:00", - "rsa.web.alias_host": "https://example.org/tseddoei/teursint.htm?remagnaa=lamcolab#ceroinB", - "rsa.web.fqdn": "https://example.org/tseddoei/teursint.htm?remagnaa=lamcolab#ceroinB", - "rsa.web.web_cookie": "cti", - "rsa.web.web_ref_domain": "api.example.net", - "service.type": "tomcat", - "source.bytes": 1119, - "source.ip": "10.89.154.115", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "example.org", - "url.query": "citation", - "url.registered_domain": "example.org", - "url.top_level_domain": "org", - "user.name": "nimv", - "user_agent.device.name": "VS996", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 8.0.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "8.0.0", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2019-03-17T07:35:40.000Z", - "event.code": "TRACE", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-4758-TRACE: 10.122.252.130||tuser||mmo||[17/Mar/2019:5:35:40 PST]||tlaboru||https://www5.example.com/ciad/ugiatqu.gif?turveli=isciv#natus||boreet||luptasnu||ento||snostr||3904||https://api.example.org/xerc/Nequep.htm?ria=beat#rro||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||uisau", - "event.timezone": "PST", - "file.name": "boreet", - "fileset.name": "log", - "http.request.referrer": "https://api.example.org/xerc/Nequep.htm?ria=beat#rro", - "input.type": "log", - "log.offset": 33846, - "observer.product": "TomCat", - "observer.type": "Web", - 
"observer.vendor": "Apache", - "related.hosts": [ - "api.example.org", - "https://www5.example.com/ciad/ugiatqu.gif?turveli=isciv#natus", - "www5.example.com" - ], - "related.ip": [ - "10.122.252.130" - ], - "related.user": [ - "mmo" - ], - "rsa.internal.level": 4758, - "rsa.internal.messageid": "TRACE", - "rsa.misc.action": [ - "tlaboru" - ], - "rsa.misc.result_code": "snostr", - "rsa.network.network_service": "ento", - "rsa.time.event_time": "2019-03-17T07:35:40.000Z", - "rsa.time.timezone": "PST", - "rsa.web.alias_host": "https://www5.example.com/ciad/ugiatqu.gif?turveli=isciv#natus", - "rsa.web.fqdn": "https://www5.example.com/ciad/ugiatqu.gif?turveli=isciv#natus", - "rsa.web.web_cookie": "uisau", - "rsa.web.web_ref_domain": "api.example.org", - "service.type": "tomcat", - "source.bytes": 3904, - "source.ip": "10.122.252.130", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www5.example.com", - "url.query": "luptasnu", - "url.registered_domain": "example.com", - "url.subdomain": "www5", - "url.top_level_domain": "com", - "user.name": "mmo", - "user_agent.device.name": "5024D_RU", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "77.0.3865.92" - }, - { - "@timestamp": "2019-04-01T14:38:14.000Z", - "event.code": "id", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-2573-id: 10.195.152.53||ueporroq||ute||[01/Apr/2019:12:38:14 GMT-07:00]||tationu||https://api.example.com/olore/ntutlab.htm?ameaquei=gnama#esciun||tesse||olupta||isno||oluptas||5560||https://www.example.net/rinrepr/dutp.jpg?modo=uiavo#uisaut||mobmail android 2.1.3.3150||paq", - "event.timezone": "GMT-07:00", - 
"file.name": "tesse", - "fileset.name": "log", - "http.request.referrer": "https://www.example.net/rinrepr/dutp.jpg?modo=uiavo#uisaut", - "input.type": "log", - "log.offset": 34283, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "api.example.com", - "https://api.example.com/olore/ntutlab.htm?ameaquei=gnama#esciun", - "www.example.net" - ], - "related.ip": [ - "10.195.152.53" - ], - "related.user": [ - "ute" - ], - "rsa.internal.level": 2573, - "rsa.internal.messageid": "id", - "rsa.misc.action": [ - "tationu" - ], - "rsa.misc.result_code": "oluptas", - "rsa.network.network_service": "isno", - "rsa.time.event_time": "2019-04-01T14:38:14.000Z", - "rsa.time.timezone": "GMT-07:00", - "rsa.web.alias_host": "https://api.example.com/olore/ntutlab.htm?ameaquei=gnama#esciun", - "rsa.web.fqdn": "https://api.example.com/olore/ntutlab.htm?ameaquei=gnama#esciun", - "rsa.web.web_cookie": "paq", - "rsa.web.web_ref_domain": "www.example.net", - "service.type": "tomcat", - "source.bytes": 5560, - "source.ip": "10.195.152.53", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "api.example.com", - "url.query": "olupta", - "url.registered_domain": "example.com", - "url.subdomain": "api", - "url.top_level_domain": "com", - "user.name": "ute", - "user_agent.device.name": "Other", - "user_agent.name": "Other", - "user_agent.original": "mobmail android 2.1.3.3150" - }, - { - "@timestamp": "2019-04-15T09:40:49.000Z", - "event.code": "ABCD", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "April 15 07:40:49 nul5107.www5.domain %APACHETOMCAT- ABCD: 10.9.255.204||illoin||emUtenim||[15/Apr/2019:7:40:49 CT]||uid||https://mail.example.com/rvelil/adese.htm?incidi=aedictas#rumetMa||mexerci||urEx||ditaut||ctetur||3089||https://mail.example.com/oreeu/mea.jpg?tis=oluptat#emi||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/63.0.3239.111 Mobile Safari/537.36||iaeconse", - "event.timezone": "CT", - "file.name": "mexerci", - "fileset.name": "log", - "host.name": "nul5107.www5.domain", - "http.request.referrer": "https://mail.example.com/oreeu/mea.jpg?tis=oluptat#emi", - "input.type": "log", - "log.offset": 34572, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://mail.example.com/rvelil/adese.htm?incidi=aedictas#rumetMa", - "mail.example.com", - "nul5107.www5.domain" - ], - "related.ip": [ - "10.9.255.204" - ], - "related.user": [ - "emUtenim" - ], - "rsa.internal.messageid": "ABCD", - "rsa.misc.action": [ - "uid" - ], - "rsa.misc.result_code": "ctetur", - "rsa.network.alias_host": [ - "nul5107.www5.domain" - ], - "rsa.network.network_service": "ditaut", - "rsa.time.event_time": "2019-04-15T09:40:49.000Z", - "rsa.time.timezone": "CT", - "rsa.web.alias_host": "https://mail.example.com/rvelil/adese.htm?incidi=aedictas#rumetMa", - "rsa.web.fqdn": "https://mail.example.com/rvelil/adese.htm?incidi=aedictas#rumetMa", - "rsa.web.web_cookie": "iaeconse", - "rsa.web.web_ref_domain": "mail.example.com", - "service.type": "tomcat", - "source.bytes": 3089, - "source.ip": "10.9.255.204", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "mail.example.com", - "url.query": "urEx", - "url.registered_domain": "example.com", - "url.subdomain": "mail", - "url.top_level_domain": "com", - "user.name": "emUtenim", - "user_agent.device.name": "Micromax P410i", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", - "user_agent.os.full": "Android 4.1.2", - "user_agent.os.name": "Android", - "user_agent.os.version": "4.1.2", - "user_agent.version": "63.0.3239.111" - }, - { - "@timestamp": "2019-04-29T04:43:23.000Z", - "event.code": "RNDMMTD", - "event.dataset": 
"tomcat.log", - "event.module": "tomcat", - "event.original": "April 29 14:43:23 nimadmin5630.localdomain %APACHETOMCAT- RNDMMTD: 10.214.235.133||equ||nulapari||[29/Apr/2019:2:43:23 GMT-07:00]||tsunt||https://www.example.org/oremi/ectobeat.gif?oreeu=uasiarch#Malor||boriosa||cillumdo||ditau||moenimip||5930||https://internal.example.net/oreetd/lor.txt?etc=eturadip#nost||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||evel", - "event.timezone": "GMT-07:00", - "file.name": "boriosa", - "fileset.name": "log", - "host.name": "nimadmin5630.localdomain", - "http.request.referrer": "https://internal.example.net/oreetd/lor.txt?etc=eturadip#nost", - "input.type": "log", - "log.offset": 35009, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://www.example.org/oremi/ectobeat.gif?oreeu=uasiarch#Malor", - "internal.example.net", - "nimadmin5630.localdomain", - "www.example.org" - ], - "related.ip": [ - "10.214.235.133" - ], - "related.user": [ - "nulapari" - ], - "rsa.internal.messageid": "RNDMMTD", - "rsa.misc.action": [ - "tsunt" - ], - "rsa.misc.result_code": "moenimip", - "rsa.network.alias_host": [ - "nimadmin5630.localdomain" - ], - "rsa.network.network_service": "ditau", - "rsa.time.event_time": "2019-04-29T04:43:23.000Z", - "rsa.time.timezone": "GMT-07:00", - "rsa.web.alias_host": "https://www.example.org/oremi/ectobeat.gif?oreeu=uasiarch#Malor", - "rsa.web.fqdn": "https://www.example.org/oremi/ectobeat.gif?oreeu=uasiarch#Malor", - "rsa.web.web_cookie": "evel", - "rsa.web.web_ref_domain": "internal.example.net", - "service.type": "tomcat", - "source.bytes": 5930, - "source.ip": "10.214.235.133", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www.example.org", - "url.query": "cillumdo", - "url.registered_domain": "example.org", - "url.subdomain": "www", - "url.top_level_domain": "org", - "user.name": "nulapari", - 
"user_agent.device.name": "LG-$2", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2019-05-13T11:45:57.000Z", - "event.code": "TRACE", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "May 13 21:45:57 sequuntu3563.internal.test %APACHETOMCAT- TRACE: 10.5.134.204||apari||iarchit||[13/May/2019:9:45:57 PT]||orum||https://api.example.com/orsitam/tiset.jpg?ati=rauto#doloreeu||lors||eumfu||docons||tur||3197||https://api.example.org/uasi/maveniam.html?rspicia=pitl#imi||Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80||taevit", - "event.timezone": "PT", - "file.name": "lors", - "fileset.name": "log", - "host.name": "sequuntu3563.internal.test", - "http.request.referrer": "https://api.example.org/uasi/maveniam.html?rspicia=pitl#imi", - "input.type": "log", - "log.offset": 35444, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "api.example.com", - "api.example.org", - "https://api.example.com/orsitam/tiset.jpg?ati=rauto#doloreeu", - "sequuntu3563.internal.test" - ], - "related.ip": [ - "10.5.134.204" - ], - "related.user": [ - "iarchit" - ], - "rsa.internal.messageid": "TRACE", - "rsa.misc.action": [ - "orum" - ], - "rsa.misc.result_code": "tur", - "rsa.network.alias_host": [ - "sequuntu3563.internal.test" - ], - "rsa.network.network_service": "docons", - "rsa.time.event_time": "2019-05-13T11:45:57.000Z", - "rsa.time.timezone": "PT", - "rsa.web.alias_host": "https://api.example.com/orsitam/tiset.jpg?ati=rauto#doloreeu", - "rsa.web.fqdn": 
"https://api.example.com/orsitam/tiset.jpg?ati=rauto#doloreeu", - "rsa.web.web_cookie": "taevit", - "rsa.web.web_ref_domain": "api.example.org", - "service.type": "tomcat", - "source.bytes": 3197, - "source.ip": "10.5.134.204", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "api.example.com", - "url.query": "eumfu", - "url.registered_domain": "example.com", - "url.subdomain": "api", - "url.top_level_domain": "com", - "user.name": "iarchit", - "user_agent.device.name": "Android", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80", - "user_agent.os.full": "Android 5.1.1", - "user_agent.os.name": "Android", - "user_agent.os.version": "5.1.1", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2019-05-28T06:48:31.000Z", - "event.code": "SEARCH", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-6820-SEARCH: 10.144.111.42||sumquia||vento||[28/May/2019:4:48:31 CEST]||asnu||https://example.org/rep/mveni.txt?utpers=num#ctetura||quaerat||tDuisau||aturve||ptateve||7615||https://internal.example.com/tconsect/pariat.gif?etcon=ctobeat#isi||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||lorumw", - "event.timezone": "CEST", - "file.name": "quaerat", - "fileset.name": "log", - "http.request.referrer": "https://internal.example.com/tconsect/pariat.gif?etcon=ctobeat#isi", - "input.type": "log", - "log.offset": 35912, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "example.org", - "https://example.org/rep/mveni.txt?utpers=num#ctetura", - "internal.example.com" - ], - "related.ip": [ - "10.144.111.42" - ], - "related.user": [ - 
"vento" - ], - "rsa.internal.level": 6820, - "rsa.internal.messageid": "SEARCH", - "rsa.misc.action": [ - "asnu" - ], - "rsa.misc.result_code": "ptateve", - "rsa.network.network_service": "aturve", - "rsa.time.event_time": "2019-05-28T06:48:31.000Z", - "rsa.time.timezone": "CEST", - "rsa.web.alias_host": "https://example.org/rep/mveni.txt?utpers=num#ctetura", - "rsa.web.fqdn": "https://example.org/rep/mveni.txt?utpers=num#ctetura", - "rsa.web.web_cookie": "lorumw", - "rsa.web.web_ref_domain": "internal.example.com", - "service.type": "tomcat", - "source.bytes": 7615, - "source.ip": "10.144.111.42", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "example.org", - "url.query": "tDuisau", - "url.registered_domain": "example.org", - "url.top_level_domain": "org", - "user.name": "vento", - "user_agent.device.name": "Samsung SM-A260G", - "user_agent.name": "Chrome Mobile WebView", - "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", - "user_agent.os.full": "Android 8.1.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "8.1.0", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2019-06-11T13:51:06.000Z", - "event.code": "FGET", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-3071-FGET: 10.122.0.80||olupt||ola||[11/Jun/2019:11:51:06 CT]||etquasia||https://example.net/adm/snostr.jpg?tec=itaspe#con||illumdo||antium||remaper||eseosq||2945||https://www.example.com/uae/ata.htm?snulap=cidu#hilmol||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||quamq", - "event.timezone": "CT", - "file.name": "illumdo", - "fileset.name": "log", - "http.request.referrer": 
"https://www.example.com/uae/ata.htm?snulap=cidu#hilmol", - "input.type": "log", - "log.offset": 36349, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "example.net", - "https://example.net/adm/snostr.jpg?tec=itaspe#con", - "www.example.com" - ], - "related.ip": [ - "10.122.0.80" - ], - "related.user": [ - "ola" - ], - "rsa.internal.level": 3071, - "rsa.internal.messageid": "FGET", - "rsa.misc.action": [ - "etquasia" - ], - "rsa.misc.result_code": "eseosq", - "rsa.network.network_service": "remaper", - "rsa.time.event_time": "2019-06-11T13:51:06.000Z", - "rsa.time.timezone": "CT", - "rsa.web.alias_host": "https://example.net/adm/snostr.jpg?tec=itaspe#con", - "rsa.web.fqdn": "https://example.net/adm/snostr.jpg?tec=itaspe#con", - "rsa.web.web_cookie": "quamq", - "rsa.web.web_ref_domain": "www.example.com", - "service.type": "tomcat", - "source.bytes": 2945, - "source.ip": "10.122.0.80", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "example.net", - "url.query": "antium", - "url.registered_domain": "example.net", - "url.top_level_domain": "net", - "user.name": "ola", - "user_agent.device.name": "XiaoMi Redmi 4X", - "user_agent.name": "MiuiBrowser", - "user_agent.original": "Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g", - "user_agent.os.full": "Android 7.1.2", - "user_agent.os.name": "Android", - "user_agent.os.version": "7.1.2", - "user_agent.version": "12.2.3" - }, - { - "@timestamp": "2019-06-25T08:53:40.000Z", - "event.code": "ABCD", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "June 25 18:53:40 tdolo2150.www.example %APACHETOMCAT- ABCD: 10.165.33.19||uamqu||iusmodi||[25/Jun/2019:6:53:40 
ET]||aparia||https://mail.example.com/ccusant/epteurs.htm?oidentsu=oditau#onsec||dit||namaliqu||yCic||tetura||1569||https://www.example.net/ttenb/eirure.txt?rem=exer#eeufug||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||lapari", - "event.timezone": "ET", - "file.name": "dit", - "fileset.name": "log", - "host.name": "tdolo2150.www.example", - "http.request.referrer": "https://www.example.net/ttenb/eirure.txt?rem=exer#eeufug", - "input.type": "log", - "log.offset": 36779, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://mail.example.com/ccusant/epteurs.htm?oidentsu=oditau#onsec", - "mail.example.com", - "tdolo2150.www.example", - "www.example.net" - ], - "related.ip": [ - "10.165.33.19" - ], - "related.user": [ - "iusmodi" - ], - "rsa.internal.messageid": "ABCD", - "rsa.misc.action": [ - "aparia" - ], - "rsa.misc.result_code": "tetura", - "rsa.network.alias_host": [ - "tdolo2150.www.example" - ], - "rsa.network.network_service": "yCic", - "rsa.time.event_time": "2019-06-25T08:53:40.000Z", - "rsa.time.timezone": "ET", - "rsa.web.alias_host": "https://mail.example.com/ccusant/epteurs.htm?oidentsu=oditau#onsec", - "rsa.web.fqdn": "https://mail.example.com/ccusant/epteurs.htm?oidentsu=oditau#onsec", - "rsa.web.web_cookie": "lapari", - "rsa.web.web_ref_domain": "www.example.net", - "service.type": "tomcat", - "source.bytes": 1569, - "source.ip": "10.165.33.19", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "mail.example.com", - "url.query": "namaliqu", - "url.registered_domain": "example.com", - "url.subdomain": "mail", - "url.top_level_domain": "com", - "user.name": "iusmodi", - "user_agent.device.name": "LG-$2", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - 
"user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2019-07-10T03:56:14.000Z", - "event.code": "BADMTHD", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "July 10 01:56:14 cinge6032.api.local %APACHETOMCAT- BADMTHD: 10.87.92.17||utlabore||tamr||[10/Jul/2019:1:56:14 CT]||iutaliq||https://mail.example.org/onemul/trudexe.txt?ura=oreeufug#Quisa||quiav||ctionofd||elit||sam||6211||https://internal.example.org/unt/isni.htm?ecillum=olor#amei||Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||quid", - "event.timezone": "CT", - "file.name": "quiav", - "fileset.name": "log", - "host.name": "cinge6032.api.local", - "http.request.referrer": "https://internal.example.org/unt/isni.htm?ecillum=olor#amei", - "input.type": "log", - "log.offset": 37193, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "cinge6032.api.local", - "https://mail.example.org/onemul/trudexe.txt?ura=oreeufug#Quisa", - "internal.example.org", - "mail.example.org" - ], - "related.ip": [ - "10.87.92.17" - ], - "related.user": [ - "tamr" - ], - "rsa.internal.messageid": "BADMTHD", - "rsa.misc.action": [ - "iutaliq" - ], - "rsa.misc.result_code": "sam", - "rsa.network.alias_host": [ - "cinge6032.api.local" - ], - "rsa.network.network_service": "elit", - "rsa.time.event_time": "2019-07-10T03:56:14.000Z", - "rsa.time.timezone": "CT", - "rsa.web.alias_host": "https://mail.example.org/onemul/trudexe.txt?ura=oreeufug#Quisa", - "rsa.web.fqdn": "https://mail.example.org/onemul/trudexe.txt?ura=oreeufug#Quisa", - "rsa.web.web_cookie": "quid", - "rsa.web.web_ref_domain": "internal.example.org", - "service.type": "tomcat", - "source.bytes": 6211, - "source.ip": "10.87.92.17", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": 
"mail.example.org", - "url.query": "ctionofd", - "url.registered_domain": "example.org", - "url.subdomain": "mail", - "url.top_level_domain": "org", - "user.name": "tamr", - "user_agent.device.name": "Samsung SM-S337TL", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 7.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "7.0", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2019-07-24T10:58:48.000Z", - "event.code": "BADMETHOD", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-7615-BADMETHOD: 10.51.52.203||wri||itame||[24/Jul/2019:8:58:48 ET]||dictasun||https://example.com/lorese/olupta.jpg?onsec=idestl#litani||emp||arch||non||mollit||5823||https://internal.example.org/tobeatae/ntut.gif?exe=naa#equat||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mqu", - "event.timezone": "ET", - "file.name": "emp", - "fileset.name": "log", - "http.request.referrer": "https://internal.example.org/tobeatae/ntut.gif?exe=naa#equat", - "input.type": "log", - "log.offset": 37607, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "example.com", - "https://example.com/lorese/olupta.jpg?onsec=idestl#litani", - "internal.example.org" - ], - "related.ip": [ - "10.51.52.203" - ], - "related.user": [ - "itame" - ], - "rsa.internal.level": 7615, - "rsa.internal.messageid": "BADMETHOD", - "rsa.misc.action": [ - "dictasun" - ], - "rsa.misc.result_code": "mollit", - "rsa.network.network_service": "non", - "rsa.time.event_time": "2019-07-24T10:58:48.000Z", - "rsa.time.timezone": "ET", - "rsa.web.alias_host": "https://example.com/lorese/olupta.jpg?onsec=idestl#litani", - "rsa.web.fqdn": 
"https://example.com/lorese/olupta.jpg?onsec=idestl#litani", - "rsa.web.web_cookie": "mqu", - "rsa.web.web_ref_domain": "internal.example.org", - "service.type": "tomcat", - "source.bytes": 5823, - "source.ip": "10.51.52.203", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "example.com", - "url.query": "arch", - "url.registered_domain": "example.com", - "url.top_level_domain": "com", - "user.name": "itame", - "user_agent.device.name": "VS996", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 8.0.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "8.0.0", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2019-08-07T06:01:23.000Z", - "event.code": "rndmmtd", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "August 7 16:01:23 ende6053.local %APACHETOMCAT- rndmmtd: 10.0.211.86||rsp||imipsa||[07/Aug/2019:4:01:23 CEST]||int||https://internal.example.net/llitani/uscipit.html?etcons=etco#iuntN||utfugi||ursintoc||tio||mmodicon||6776||https://internal.example.net/tvol/lup.gif?ollita=qua#ionula||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||cusa", - "event.timezone": "CEST", - "file.name": "utfugi", - "fileset.name": "log", - "host.name": "ende6053.local", - "http.request.referrer": "https://internal.example.net/tvol/lup.gif?ollita=qua#ionula", - "input.type": "log", - "log.offset": 37977, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "ende6053.local", - "https://internal.example.net/llitani/uscipit.html?etcons=etco#iuntN", - "internal.example.net" - ], - "related.ip": [ - "10.0.211.86" - ], - "related.user": [ - "imipsa" - ], - 
"rsa.internal.messageid": "rndmmtd", - "rsa.misc.action": [ - "int" - ], - "rsa.misc.result_code": "mmodicon", - "rsa.network.alias_host": [ - "ende6053.local" - ], - "rsa.network.network_service": "tio", - "rsa.time.event_time": "2019-08-07T06:01:23.000Z", - "rsa.time.timezone": "CEST", - "rsa.web.alias_host": "https://internal.example.net/llitani/uscipit.html?etcons=etco#iuntN", - "rsa.web.fqdn": "https://internal.example.net/llitani/uscipit.html?etcons=etco#iuntN", - "rsa.web.web_cookie": "cusa", - "rsa.web.web_ref_domain": "internal.example.net", - "service.type": "tomcat", - "source.bytes": 6776, - "source.ip": "10.0.211.86", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "internal.example.net", - "url.query": "ursintoc", - "url.registered_domain": "example.net", - "url.subdomain": "internal", - "url.top_level_domain": "net", - "user.name": "imipsa", - "user_agent.device.name": "Samsung SM-A260G", - "user_agent.name": "Chrome Mobile WebView", - "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", - "user_agent.os.full": "Android 8.1.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "8.1.0", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2019-08-21T13:03:57.000Z", - "event.code": "OPTIONS", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-264-OPTIONS: 10.106.34.244||eumiu||nim||[21/Aug/2019:11:03:57 PST]||rehen||https://mail.example.net/ptat/mipsu.htm?eturadip=amquaera#rsitamet||leumiur||ssequamn||ave||taliqui||3714||https://example.net/undeomn/ape.jpg?amco=ons#onsecte||Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||atquo", - "event.timezone": "PST", - "file.name": "leumiur", - "fileset.name": "log", - "http.request.referrer": 
"https://example.net/undeomn/ape.jpg?amco=ons#onsecte", - "input.type": "log", - "log.offset": 38442, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "example.net", - "https://mail.example.net/ptat/mipsu.htm?eturadip=amquaera#rsitamet", - "mail.example.net" - ], - "related.ip": [ - "10.106.34.244" - ], - "related.user": [ - "nim" - ], - "rsa.internal.level": 264, - "rsa.internal.messageid": "OPTIONS", - "rsa.misc.action": [ - "rehen" - ], - "rsa.misc.result_code": "taliqui", - "rsa.network.network_service": "ave", - "rsa.time.event_time": "2019-08-21T13:03:57.000Z", - "rsa.time.timezone": "PST", - "rsa.web.alias_host": "https://mail.example.net/ptat/mipsu.htm?eturadip=amquaera#rsitamet", - "rsa.web.fqdn": "https://mail.example.net/ptat/mipsu.htm?eturadip=amquaera#rsitamet", - "rsa.web.web_cookie": "atquo", - "rsa.web.web_ref_domain": "example.net", - "service.type": "tomcat", - "source.bytes": 3714, - "source.ip": "10.106.34.244", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "mail.example.net", - "url.query": "ssequamn", - "url.registered_domain": "example.net", - "url.subdomain": "mail", - "url.top_level_domain": "net", - "user.name": "nim", - "user_agent.device.name": "Samsung SM-S337TL", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 7.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "7.0", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2019-09-05T08:06:31.000Z", - "event.code": "nGET", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-2943-nGET: 10.191.210.188||inculpa||ruredol||[05/Sep/2019:6:06:31 
OMST]||ipit||https://www.example.org/quae/periam.html?emoenimi=iquipex#mqu||onorume||abill||ametcon||ofdeFini||7052||https://example.net/tionev/uasiarch.html?qui=ehender#equa||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||nimides", - "event.timezone": "OMST", - "file.name": "onorume", - "fileset.name": "log", - "http.request.referrer": "https://example.net/tionev/uasiarch.html?qui=ehender#equa", - "input.type": "log", - "log.offset": 38823, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "example.net", - "https://www.example.org/quae/periam.html?emoenimi=iquipex#mqu", - "www.example.org" - ], - "related.ip": [ - "10.191.210.188" - ], - "related.user": [ - "ruredol" - ], - "rsa.internal.level": 2943, - "rsa.internal.messageid": "nGET", - "rsa.misc.action": [ - "ipit" - ], - "rsa.misc.result_code": "ofdeFini", - "rsa.network.network_service": "ametcon", - "rsa.time.event_time": "2019-09-05T08:06:31.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.alias_host": "https://www.example.org/quae/periam.html?emoenimi=iquipex#mqu", - "rsa.web.fqdn": "https://www.example.org/quae/periam.html?emoenimi=iquipex#mqu", - "rsa.web.web_cookie": "nimides", - "rsa.web.web_ref_domain": "example.net", - "service.type": "tomcat", - "source.bytes": 7052, - "source.ip": "10.191.210.188", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www.example.org", - "url.query": "abill", - "url.registered_domain": "example.org", - "url.subdomain": "www", - "url.top_level_domain": "org", - "user.name": "ruredol", - "user_agent.device.name": "Micromax P410i", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", - "user_agent.os.full": "Android 4.1.2", - 
"user_agent.os.name": "Android", - "user_agent.os.version": "4.1.2", - "user_agent.version": "63.0.3239.111" - }, - { - "@timestamp": "2019-09-19T03:09:05.000Z", - "event.code": "BDMTHD", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-6165-BDMTHD: 10.2.38.49||asiarc||lor||[19/Sep/2019:1:09:05 GMT+02:00]||snula||https://www.example.com/bori/dipi.gif?utf=dolor#dexe||nemul||Duis||lupt||quatur||5775||https://www.example.org/ipsa/con.gif?uianonnu=tatiset#quira||mobmail android 2.1.3.3150||aea", - "event.timezone": "GMT+02:00", - "file.name": "nemul", - "fileset.name": "log", - "http.request.referrer": "https://www.example.org/ipsa/con.gif?uianonnu=tatiset#quira", - "input.type": "log", - "log.offset": 39233, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "https://www.example.com/bori/dipi.gif?utf=dolor#dexe", - "www.example.com", - "www.example.org" - ], - "related.ip": [ - "10.2.38.49" - ], - "related.user": [ - "lor" - ], - "rsa.internal.level": 6165, - "rsa.internal.messageid": "BDMTHD", - "rsa.misc.action": [ - "snula" - ], - "rsa.misc.result_code": "quatur", - "rsa.network.network_service": "lupt", - "rsa.time.event_time": "2019-09-19T03:09:05.000Z", - "rsa.time.timezone": "GMT+02:00", - "rsa.web.alias_host": "https://www.example.com/bori/dipi.gif?utf=dolor#dexe", - "rsa.web.fqdn": "https://www.example.com/bori/dipi.gif?utf=dolor#dexe", - "rsa.web.web_cookie": "aea", - "rsa.web.web_ref_domain": "www.example.org", - "service.type": "tomcat", - "source.bytes": 5775, - "source.ip": "10.2.38.49", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www.example.com", - "url.query": "Duis", - "url.registered_domain": "example.com", - "url.subdomain": "www", - "url.top_level_domain": "com", - "user.name": "lor", - "user_agent.device.name": "Other", - "user_agent.name": "Other", - "user_agent.original": "mobmail android 2.1.3.3150" - }, - { - 
"@timestamp": "2019-10-03T10:11:40.000Z", - "event.code": "id", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "October 3 20:11:40 didun1193.example %APACHETOMCAT- id: 10.66.92.90||orumwri||atisu||[03/Oct/2019:8:11:40 PST]||tse||https://example.com/iat/tqui.gif?utaliqui=emse#emqui||cipitla||tlab||vel||ionevo||4580||https://mail.example.com/volupta/umfu.gif?tisetq=tDuisaut#dolo||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||samvol", - "event.timezone": "PST", - "file.name": "cipitla", - "fileset.name": "log", - "host.name": "didun1193.example", - "http.request.referrer": "https://mail.example.com/volupta/umfu.gif?tisetq=tDuisaut#dolo", - "input.type": "log", - "log.offset": 39505, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "didun1193.example", - "example.com", - "https://example.com/iat/tqui.gif?utaliqui=emse#emqui", - "mail.example.com" - ], - "related.ip": [ - "10.66.92.90" - ], - "related.user": [ - "atisu" - ], - "rsa.internal.messageid": "id", - "rsa.misc.action": [ - "tse" - ], - "rsa.misc.result_code": "ionevo", - "rsa.network.alias_host": [ - "didun1193.example" - ], - "rsa.network.network_service": "vel", - "rsa.time.event_time": "2019-10-03T10:11:40.000Z", - "rsa.time.timezone": "PST", - "rsa.web.alias_host": "https://example.com/iat/tqui.gif?utaliqui=emse#emqui", - "rsa.web.fqdn": "https://example.com/iat/tqui.gif?utaliqui=emse#emqui", - "rsa.web.web_cookie": "samvol", - "rsa.web.web_ref_domain": "mail.example.com", - "service.type": "tomcat", - "source.bytes": 4580, - "source.ip": "10.66.92.90", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "example.com", - "url.query": "tlab", - "url.registered_domain": "example.com", - "url.top_level_domain": "com", - "user.name": "atisu", - "user_agent.device.name": 
"Samsung SM-A260G", - "user_agent.name": "Chrome Mobile WebView", - "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", - "user_agent.os.full": "Android 8.1.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "8.1.0", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2019-10-18T05:14:14.000Z", - "event.code": "BADMTHD", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "October 18 03:14:14 apari2660.www5.lan %APACHETOMCAT- BADMTHD: 10.97.108.108||fficiad||teirured||[18/Oct/2019:3:14:14 PST]||sistena||https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost||sequines||olor||sequa||lorum||7649||https://mail.example.com/Sedut/tatis.gif?reeufugi=sequines#minimve||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||toditau", - "event.timezone": "PST", - "file.name": "sequines", - "fileset.name": "log", - "host.name": "apari2660.www5.lan", - "http.request.referrer": "https://mail.example.com/Sedut/tatis.gif?reeufugi=sequines#minimve", - "input.type": "log", - "log.offset": 39956, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "apari2660.www5.lan", - "example.com", - "https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost", - "mail.example.com" - ], - "related.ip": [ - "10.97.108.108" - ], - "related.user": [ - "teirured" - ], - "rsa.internal.messageid": "BADMTHD", - "rsa.misc.action": [ - "sistena" - ], - "rsa.misc.result_code": "lorum", - "rsa.network.alias_host": [ - "apari2660.www5.lan" - ], - "rsa.network.network_service": "sequa", - "rsa.time.event_time": "2019-10-18T05:14:14.000Z", - "rsa.time.timezone": "PST", - "rsa.web.alias_host": 
"https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost", - "rsa.web.fqdn": "https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost", - "rsa.web.web_cookie": "toditau", - "rsa.web.web_ref_domain": "mail.example.com", - "service.type": "tomcat", - "source.bytes": 7649, - "source.ip": "10.97.108.108", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "example.com", - "url.query": "olor", - "url.registered_domain": "example.com", - "url.top_level_domain": "com", - "user.name": "teirured", - "user_agent.device.name": "XiaoMi Redmi 4X", - "user_agent.name": "MiuiBrowser", - "user_agent.original": "Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g", - "user_agent.os.full": "Android 7.1.2", - "user_agent.os.name": "Android", - "user_agent.os.version": "7.1.2", - "user_agent.version": "12.2.3" - }, - { - "@timestamp": "2019-11-01T12:16:48.000Z", - "event.code": "COOK", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "November 1 10:16:48 nvolupta238.www.host %APACHETOMCAT- COOK: 10.147.147.248||onpr||uira||[01/Nov/2019:10:16:48 CET]||ptatev||https://api.example.net/uiaco/aliqu.txt?udexerci=uae#imveni||econ||aborio||rve||catcup||177||https://www5.example.org/busBon/norumetM.jpg?vitaedi=rna#cons||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||lupta", - "event.timezone": "CET", - "file.name": "econ", - "fileset.name": "log", - "host.name": "nvolupta238.www.host", - "http.request.referrer": "https://www5.example.org/busBon/norumetM.jpg?vitaedi=rna#cons", - "input.type": "log", - "log.offset": 40457, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "api.example.net", - "https://api.example.net/uiaco/aliqu.txt?udexerci=uae#imveni", - 
"nvolupta238.www.host", - "www5.example.org" - ], - "related.ip": [ - "10.147.147.248" - ], - "related.user": [ - "uira" - ], - "rsa.internal.messageid": "COOK", - "rsa.misc.action": [ - "ptatev" - ], - "rsa.misc.result_code": "catcup", - "rsa.network.alias_host": [ - "nvolupta238.www.host" - ], - "rsa.network.network_service": "rve", - "rsa.time.event_time": "2019-11-01T12:16:48.000Z", - "rsa.time.timezone": "CET", - "rsa.web.alias_host": "https://api.example.net/uiaco/aliqu.txt?udexerci=uae#imveni", - "rsa.web.fqdn": "https://api.example.net/uiaco/aliqu.txt?udexerci=uae#imveni", - "rsa.web.web_cookie": "lupta", - "rsa.web.web_ref_domain": "www5.example.org", - "service.type": "tomcat", - "source.bytes": 177, - "source.ip": "10.147.147.248", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "api.example.net", - "url.query": "aborio", - "url.registered_domain": "example.net", - "url.subdomain": "api", - "url.top_level_domain": "net", - "user.name": "uira", - "user_agent.device.name": "Notepad_K10", - "user_agent.name": "Chrome", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2019-11-15T07:19:22.000Z", - "event.code": "NCIRCLE", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "November 15 17:19:22 icer123.mail.example %APACHETOMCAT- NCIRCLE: 10.152.190.61||imvenia||culp||[15/Nov/2019:5:19:22 GMT-07:00]||nesciu||https://www.example.org/roinBCSe/eetdolor.html?tla=iaconseq#sed||sedd||atione||tvolup||oremeu||6708||https://api.example.com/dan/pta.html?oNem=itaedict#eroi||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||uptateve", - "event.timezone": "GMT-07:00", - "file.name": "sedd", - 
"fileset.name": "log", - "host.name": "icer123.mail.example", - "http.request.referrer": "https://api.example.com/dan/pta.html?oNem=itaedict#eroi", - "input.type": "log", - "log.offset": 40863, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "api.example.com", - "https://www.example.org/roinBCSe/eetdolor.html?tla=iaconseq#sed", - "icer123.mail.example", - "www.example.org" - ], - "related.ip": [ - "10.152.190.61" - ], - "related.user": [ - "culp" - ], - "rsa.internal.messageid": "NCIRCLE", - "rsa.misc.action": [ - "nesciu" - ], - "rsa.misc.result_code": "oremeu", - "rsa.network.alias_host": [ - "icer123.mail.example" - ], - "rsa.network.network_service": "tvolup", - "rsa.time.event_time": "2019-11-15T07:19:22.000Z", - "rsa.time.timezone": "GMT-07:00", - "rsa.web.alias_host": "https://www.example.org/roinBCSe/eetdolor.html?tla=iaconseq#sed", - "rsa.web.fqdn": "https://www.example.org/roinBCSe/eetdolor.html?tla=iaconseq#sed", - "rsa.web.web_cookie": "uptateve", - "rsa.web.web_ref_domain": "api.example.com", - "service.type": "tomcat", - "source.bytes": 6708, - "source.ip": "10.152.190.61", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www.example.org", - "url.query": "atione", - "url.registered_domain": "example.org", - "url.subdomain": "www", - "url.top_level_domain": "org", - "user.name": "culp", - "user_agent.device.name": "VS996", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 8.0.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "8.0.0", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2019-11-30T14:21:57.000Z", - "event.code": "DETECT_METHOD_TYPE", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "November 30 00:21:57 lumqui6488.api.example 
%APACHETOMCAT- DETECT_METHOD_TYPE: 10.129.232.105||des||deFini||[30/Nov/2019:12:21:57 GMT-07:00]||aliquaU||https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti||edictasu||eturadi||umS||noru||5321||https://api.example.org/taevitae/tevel.htm?vol=ita#iquipexe||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||quamqua", - "event.timezone": "GMT-07:00", - "file.name": "edictasu", - "fileset.name": "log", - "host.name": "lumqui6488.api.example", - "http.request.referrer": "https://api.example.org/taevitae/tevel.htm?vol=ita#iquipexe", - "input.type": "log", - "log.offset": 41290, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "api.example.org", - "https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti", - "lumqui6488.api.example", - "www.example.net" - ], - "related.ip": [ - "10.129.232.105" - ], - "related.user": [ - "deFini" - ], - "rsa.internal.messageid": "DETECT_METHOD_TYPE", - "rsa.misc.action": [ - "aliquaU" - ], - "rsa.misc.result_code": "noru", - "rsa.network.alias_host": [ - "lumqui6488.api.example" - ], - "rsa.network.network_service": "umS", - "rsa.time.event_time": "2019-11-30T14:21:57.000Z", - "rsa.time.timezone": "GMT-07:00", - "rsa.web.alias_host": "https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti", - "rsa.web.fqdn": "https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti", - "rsa.web.web_cookie": "quamqua", - "rsa.web.web_ref_domain": "api.example.org", - "service.type": "tomcat", - "source.bytes": 5321, - "source.ip": "10.129.232.105", - "tags": [ - "forwarded", - "tomcat.log" - ], - "url.domain": "www.example.net", - "url.query": "eturadi", - "url.registered_domain": "example.net", - "url.subdomain": "www", - "url.top_level_domain": "net", - "user.name": "deFini", - "user_agent.device.name": "Samsung SM-A260G", - "user_agent.name": "Chrome 
Mobile WebView", - "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", - "user_agent.os.full": "Android 8.1.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "8.1.0", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2019-12-14T09:24:31.000Z", - "event.code": "TRACE", - "event.dataset": "tomcat.log", - "event.module": "tomcat", - "event.original": "%APACHETOMCAT-5473-TRACE: 10.12.173.112||Excepteu||mco||[14/Dec/2019:7:24:31 PT]||undeom||https://internal.example.org/teturadi/radipi.gif?upidatat=mod#niamqui||litsedd||nidol||inBC||hite||423||https://api.example.net/dminimve/remips.txt?uiac=tquii#tesse||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||emeumfu", - "event.timezone": "PT", - "file.name": "litsedd", - "fileset.name": "log", - "http.request.referrer": "https://api.example.net/dminimve/remips.txt?uiac=tquii#tesse", - "input.type": "log", - "log.offset": 41781, - "observer.product": "TomCat", - "observer.type": "Web", - "observer.vendor": "Apache", - "related.hosts": [ - "api.example.net", - "https://internal.example.org/teturadi/radipi.gif?upidatat=mod#niamqui", - "internal.example.org" - ], - "related.ip": [ - "10.12.173.112" - ], - "related.user": [ - "mco" - ], - "rsa.internal.level": 5473, - "rsa.internal.messageid": "TRACE", - "rsa.misc.action": [ - "undeom" - ], - "rsa.misc.result_code": "hite", - "rsa.network.network_service": "inBC", - "rsa.time.event_time": "2019-12-14T09:24:31.000Z", - "rsa.time.timezone": "PT", - "rsa.web.alias_host": "https://internal.example.org/teturadi/radipi.gif?upidatat=mod#niamqui", - "rsa.web.fqdn": "https://internal.example.org/teturadi/radipi.gif?upidatat=mod#niamqui", - "rsa.web.web_cookie": "emeumfu", - 
"rsa.web.web_ref_domain": "api.example.net",
- "service.type": "tomcat",
- "source.bytes": 423,
- "source.ip": "10.12.173.112",
- "tags": [
- "forwarded",
- "tomcat.log"
- ],
- "url.domain": "internal.example.org",
- "url.query": "nidol",
- "url.registered_domain": "example.org",
- "url.subdomain": "internal",
- "url.top_level_domain": "org",
- "user.name": "mco",
- "user_agent.device.name": "5024D_RU",
- "user_agent.name": "Chrome Mobile",
- "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61",
- "user_agent.os.full": "Android 9",
- "user_agent.os.name": "Android",
- "user_agent.os.version": "9",
- "user_agent.version": "77.0.3865.92"
- }
-]
\ No newline at end of file
diff --git a/x-pack/filebeat/modules.d/tomcat.yml.disabled b/x-pack/filebeat/modules.d/tomcat.yml.disabled
deleted file mode 100644
index 1fda24706e3..00000000000
--- a/x-pack/filebeat/modules.d/tomcat.yml.disabled
+++ /dev/null
@@ -1,23 +0,0 @@
-# Module: tomcat
-# Docs: https://www.elastic.co/guide/en/beats/filebeat/main/filebeat-module-tomcat.html
-
-- module: tomcat
- log:
- enabled: false
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9501
-
- # Set paths for the log files when file input is used.
- # var.paths:
- # - /var/log/tomcat/*.log
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
From a3707205b9ce40be280e6f9e74647962128f1fdc Mon Sep 17 00:00:00 2001 
From: Panos Koutsovasilis Date: Thu, 15 Feb 2024 14:06:39 +0200 Subject: [PATCH 19/22] feat: remove deprecated zscaler --- filebeat/docs/fields.asciidoc | 5435 ------------ filebeat/docs/modules_list.asciidoc | 2 - x-pack/filebeat/filebeat.reference.yml | 21 - x-pack/filebeat/include/list.go | 1 - x-pack/filebeat/module/zscaler/README.md | 7 - .../filebeat/module/zscaler/_meta/config.yml | 19 - .../module/zscaler/_meta/docs.asciidoc | 76 - .../filebeat/module/zscaler/_meta/fields.yml | 5 - x-pack/filebeat/module/zscaler/fields.go | 23 - .../module/zscaler/zia/_meta/fields.yml | 2635 ------ .../module/zscaler/zia/config/input.yml | 87 - .../module/zscaler/zia/config/liblogparser.js | 2514 ------ .../module/zscaler/zia/config/pipeline.js | 61 - .../module/zscaler/zia/ingest/pipeline.yml | 88 - .../filebeat/module/zscaler/zia/manifest.yml | 31 - .../module/zscaler/zia/test/generated.log | 100 - .../zia/test/generated.log-expected.json | 7776 ----------------- .../filebeat/module/zscaler/zia/test/test.log | 1 - .../zscaler/zia/test/test.log-expected.json | 60 - .../filebeat/modules.d/zscaler.yml.disabled | 22 - 20 files changed, 18964 deletions(-) delete mode 100644 x-pack/filebeat/module/zscaler/README.md delete mode 100644 x-pack/filebeat/module/zscaler/_meta/config.yml delete mode 100644 x-pack/filebeat/module/zscaler/_meta/docs.asciidoc delete mode 100644 x-pack/filebeat/module/zscaler/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/zscaler/fields.go delete mode 100644 x-pack/filebeat/module/zscaler/zia/_meta/fields.yml delete mode 100644 x-pack/filebeat/module/zscaler/zia/config/input.yml delete mode 100644 x-pack/filebeat/module/zscaler/zia/config/liblogparser.js delete mode 100644 x-pack/filebeat/module/zscaler/zia/config/pipeline.js delete mode 100644 x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml delete mode 100644 x-pack/filebeat/module/zscaler/zia/manifest.yml delete mode 100644 x-pack/filebeat/module/zscaler/zia/test/generated.log delete 
mode 100644 x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json delete mode 100644 x-pack/filebeat/module/zscaler/zia/test/test.log delete mode 100644 x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json delete mode 100644 x-pack/filebeat/modules.d/zscaler.yml.disabled diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 499b6b7eb5d..4f669cddbc8 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -83,7 +83,6 @@ grouped in the following categories: * <> * <> * <> -* <> -- [[exported-fields-activemq]] 
@@ -68546,5438 +68545,4 @@ type: flattened -- -[[exported-fields-zscaler]] -== Zscaler NSS fields - -zscaler fields. - - - -*`network.interface.name`*:: -+ --- -Name of the network interface where the traffic has been observed. - - -type: keyword - --- - - - -*`rsa.internal.msg`*:: -+ --- -This key is used to capture the raw message that comes into the Log Decoder - -type: keyword - --- - -*`rsa.internal.messageid`*:: -+ --- -type: keyword - --- - -*`rsa.internal.event_desc`*:: -+ --- -type: keyword - --- - -*`rsa.internal.message`*:: -+ --- -This key captures the contents of instant messages - -type: keyword - --- - -*`rsa.internal.time`*:: -+ --- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: date - --- - -*`rsa.internal.level`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.msg_id`*:: -+ --- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.msg_vid`*:: -+ --- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.data`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_server`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.obj_val`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.resource`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.internal.obj_id`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.statement`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.audit_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.entry`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.hcode`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.inode`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.resource_class`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.dead`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.feed_desc`*:: -+ --- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.feed_name`*:: -+ --- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.cid`*:: -+ --- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_class`*:: -+ --- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_group`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_host`*:: -+ --- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_ip`*:: -+ --- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_ipv6`*:: -+ --- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.device_type`*:: -+ --- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.device_type_id`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.did`*:: -+ --- -This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.entropy_req`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.entropy_res`*:: -+ --- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long - --- - -*`rsa.internal.event_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.feed_category`*:: -+ --- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.forward_ip`*:: -+ --- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: ip - --- - -*`rsa.internal.forward_ipv6`*:: -+ --- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip - --- - -*`rsa.internal.header_id`*:: -+ --- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_cid`*:: -+ --- -This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.lc_ctime`*:: -+ --- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: date - --- - -*`rsa.internal.mcb_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcb_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - -type: long - --- - -*`rsa.internal.mcbc_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.mcbc_res`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long - --- - -*`rsa.internal.medium`*:: -+ --- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: long - --- - -*`rsa.internal.node_name`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.nwe_callback_id`*:: -+ --- -This key denotes that event is endpoint related - -type: keyword - --- - -*`rsa.internal.parse_error`*:: -+ --- -This is a special key that stores any Meta key validation error found while parsing a log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.payload_req`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.payload_res`*:: -+ --- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long - --- - -*`rsa.internal.process_vid_dst`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - -type: keyword - --- - -*`rsa.internal.process_vid_src`*:: -+ --- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - -type: keyword - --- - -*`rsa.internal.rid`*:: -+ --- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.session_split`*:: -+ --- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.site`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.internal.size`*:: -+ --- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.sourcefile`*:: -+ --- -This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.ubc_req`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.ubc_res`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long - --- - -*`rsa.internal.word`*:: -+ --- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - -type: keyword - --- - - -*`rsa.time.event_time`*:: -+ --- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - -type: date - --- - -*`rsa.time.duration_time`*:: -+ --- -This key is used to capture the normalized duration/lifetime in seconds. 
- -type: double - --- - -*`rsa.time.event_time_str`*:: -+ --- -This key is used to capture the incomplete time mentioned in a session as a string - -type: keyword - --- - -*`rsa.time.starttime`*:: -+ --- -This key is used to capture the Start time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.month`*:: -+ --- -type: keyword - --- - -*`rsa.time.day`*:: -+ --- -type: keyword - --- - -*`rsa.time.endtime`*:: -+ --- -This key is used to capture the End time mentioned in a session in a standard form - -type: date - --- - -*`rsa.time.timezone`*:: -+ --- -This key is used to capture the timezone of the Event Time - -type: keyword - --- - -*`rsa.time.duration_str`*:: -+ --- -A text string version of the duration - -type: keyword - --- - -*`rsa.time.date`*:: -+ --- -type: keyword - --- - -*`rsa.time.year`*:: -+ --- -type: keyword - --- - -*`rsa.time.recorded_time`*:: -+ --- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date - --- - -*`rsa.time.datetime`*:: -+ --- -type: keyword - --- - -*`rsa.time.effective_time`*:: -+ --- -This key is the effective time referenced by an individual event in a Standard Timestamp format - -type: date - --- - -*`rsa.time.expire_time`*:: -+ --- -This key is the timestamp that explicitly refers to an expiration. - -type: date - --- - -*`rsa.time.process_time`*:: -+ --- -Deprecated, use duration.time - -type: keyword - --- - -*`rsa.time.hour`*:: -+ --- -type: keyword - --- - -*`rsa.time.min`*:: -+ --- -type: keyword - --- - -*`rsa.time.timestamp`*:: -+ --- -type: keyword - --- - -*`rsa.time.event_queue_time`*:: -+ --- -This key is the Time that the event was queued. 
- -type: date - --- - -*`rsa.time.p_time1`*:: -+ --- -type: keyword - --- - -*`rsa.time.tzone`*:: -+ --- -type: keyword - --- - -*`rsa.time.eventtime`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmtdate`*:: -+ --- -type: keyword - --- - -*`rsa.time.gmttime`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_date`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_month`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_time2`*:: -+ --- -type: keyword - --- - -*`rsa.time.p_year`*:: -+ --- -type: keyword - --- - -*`rsa.time.expire_time_str`*:: -+ --- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. - -type: keyword - --- - -*`rsa.time.stamp`*:: -+ --- -Deprecated key defined only in table map. - -type: date - --- - - -*`rsa.misc.action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.result`*:: -+ --- -This key is used to capture the outcome/result string value of an action in a session. - -type: keyword - --- - -*`rsa.misc.severity`*:: -+ --- -This key is used to capture the severity given the session - -type: keyword - --- - -*`rsa.misc.event_type`*:: -+ --- -This key captures the event category type as specified by the event source. - -type: keyword - --- - -*`rsa.misc.reference_id`*:: -+ --- -This key is used to capture an event id from the session directly - -type: keyword - --- - -*`rsa.misc.version`*:: -+ --- -This key captures Version of the application or OS which is generating the event. - -type: keyword - --- - -*`rsa.misc.disposition`*:: -+ --- -This key captures the The end state of an action. 
- -type: keyword - --- - -*`rsa.misc.result_code`*:: -+ --- -This key is used to capture the outcome/result numeric value of an action in a session - -type: keyword - --- - -*`rsa.misc.category`*:: -+ --- -This key is used to capture the category of an event given by the vendor in the session - -type: keyword - --- - -*`rsa.misc.obj_name`*:: -+ --- -This is used to capture name of object - -type: keyword - --- - -*`rsa.misc.obj_type`*:: -+ --- -This is used to capture type of object - -type: keyword - --- - -*`rsa.misc.event_source`*:: -+ --- -This key captures Source of the event that’s not a hostname - -type: keyword - --- - -*`rsa.misc.log_session_id`*:: -+ --- -This key is used to capture a sessionid from the session directly - -type: keyword - --- - -*`rsa.misc.group`*:: -+ --- -This key captures the Group Name value - -type: keyword - --- - -*`rsa.misc.policy_name`*:: -+ --- -This key is used to capture the Policy Name only. - -type: keyword - --- - -*`rsa.misc.rule_name`*:: -+ --- -This key captures the Rule Name - -type: keyword - --- - -*`rsa.misc.context`*:: -+ --- -This key captures Information which adds additional context to the event. - -type: keyword - --- - -*`rsa.misc.change_new`*:: -+ --- -This key is used to capture the new values of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.space`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client`*:: -+ --- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- -type: keyword - --- - -*`rsa.misc.msgIdPart1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.change_old`*:: -+ --- -This key is used to capture the old value of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.operation_id`*:: -+ --- -An alert number or operation number. The values should be unique and non-repeating. - -type: keyword - --- - -*`rsa.misc.event_state`*:: -+ --- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - -type: keyword - --- - -*`rsa.misc.group_object`*:: -+ --- -This key captures a collection/grouping of entities. Specific usage - -type: keyword - --- - -*`rsa.misc.node`*:: -+ --- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - -type: keyword - --- - -*`rsa.misc.rule`*:: -+ --- -This key captures the Rule number - -type: keyword - --- - -*`rsa.misc.device_name`*:: -+ --- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - -type: keyword - --- - -*`rsa.misc.param`*:: -+ --- -This key is the parameters passed as part of a command or application, etc. - -type: keyword - --- - -*`rsa.misc.change_attrib`*:: -+ --- -This key is used to capture the name of the attribute that’s changing in a session - -type: keyword - --- - -*`rsa.misc.event_computer`*:: -+ --- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
- -type: keyword - --- - -*`rsa.misc.reference_id1`*:: -+ --- -This key is for Linked ID to be used as an addition to "reference.id" - -type: keyword - --- - -*`rsa.misc.event_log`*:: -+ --- -This key captures the Name of the event log - -type: keyword - --- - -*`rsa.misc.OS`*:: -+ --- -This key captures the Name of the Operating System - -type: keyword - --- - -*`rsa.misc.terminal`*:: -+ --- -This key captures the Terminal Names only - -type: keyword - --- - -*`rsa.misc.msgIdPart3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.filter`*:: -+ --- -This key captures Filter used to reduce result set - -type: keyword - --- - -*`rsa.misc.serial_number`*:: -+ --- -This key is the Serial number associated with a physical asset. - -type: keyword - --- - -*`rsa.misc.checksum`*:: -+ --- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - -type: keyword - --- - -*`rsa.misc.event_user`*:: -+ --- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - -type: keyword - --- - -*`rsa.misc.virusname`*:: -+ --- -This key captures the name of the virus - -type: keyword - --- - -*`rsa.misc.content_type`*:: -+ --- -This key is used to capture Content Type only. - -type: keyword - --- - -*`rsa.misc.group_id`*:: -+ --- -This key captures Group ID Number (related to the group name) - -type: keyword - --- - -*`rsa.misc.policy_id`*:: -+ --- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - -type: keyword - --- - -*`rsa.misc.vsys`*:: -+ --- -This key captures Virtual System Name - -type: keyword - --- - -*`rsa.misc.connection_id`*:: -+ --- -This key captures the Connection ID - -type: keyword - --- - -*`rsa.misc.reference_id2`*:: -+ --- -This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - -type: keyword - --- - -*`rsa.misc.sensor`*:: -+ --- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - -type: keyword - --- - -*`rsa.misc.sig_id`*:: -+ --- -This key captures IDS/IPS Int Signature ID - -type: long - --- - -*`rsa.misc.port_name`*:: -+ --- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - -type: keyword - --- - -*`rsa.misc.rule_group`*:: -+ --- -This key captures the Rule group name - -type: keyword - --- - -*`rsa.misc.risk_num`*:: -+ --- -This key captures a Numeric Risk value - -type: double - --- - -*`rsa.misc.trigger_val`*:: -+ --- -This key captures the Value of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.log_session_id1`*:: -+ --- -This key is used to capture a Linked (Related) Session ID from the session directly - -type: keyword - --- - -*`rsa.misc.comp_version`*:: -+ --- -This key captures the Version level of a sub-component of a product. - -type: keyword - --- - -*`rsa.misc.content_version`*:: -+ --- -This key captures Version level of a signature or database content. - -type: keyword - --- - -*`rsa.misc.hardware_id`*:: -+ --- -This key is used to capture unique identifier for a device or system (NOT a Mac address) - -type: keyword - --- - -*`rsa.misc.risk`*:: -+ --- -This key captures the non-numeric risk value - -type: keyword - --- - -*`rsa.misc.event_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.reason`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mail_id`*:: -+ --- -This key is used to capture the mailbox id/name - -type: keyword - --- - -*`rsa.misc.rule_uid`*:: -+ --- -This key is the Unique Identifier for a rule. 
- -type: keyword - --- - -*`rsa.misc.trigger_desc`*:: -+ --- -This key captures the Description of the trigger or threshold condition. - -type: keyword - --- - -*`rsa.misc.inout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.data_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgIdPart4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.error`*:: -+ --- -This key captures All non successful Error codes or responses - -type: keyword - --- - -*`rsa.misc.index`*:: -+ --- -type: keyword - --- - -*`rsa.misc.listnum`*:: -+ --- -This key is used to capture listname or listnumber, primarily for collecting access-list - -type: keyword - --- - -*`rsa.misc.ntype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.observed_val`*:: -+ --- -This key captures the Value observed (from the perspective of the device generating the log). - -type: keyword - --- - -*`rsa.misc.policy_value`*:: -+ --- -This key captures the contents of the policy. This contains details about the policy - -type: keyword - --- - -*`rsa.misc.pool_name`*:: -+ --- -This key captures the name of a resource pool - -type: keyword - --- - -*`rsa.misc.rule_template`*:: -+ --- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - -type: keyword - --- - -*`rsa.misc.count`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigcat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comments`*:: -+ --- -Comment information provided in the log message - -type: keyword - --- - -*`rsa.misc.doc_number`*:: -+ --- -This key captures File Identification number - -type: long - --- - -*`rsa.misc.expected_val`*:: -+ --- -This key captures the Value expected (from the perspective of the device generating the log). 
- -type: keyword - --- - -*`rsa.misc.job_num`*:: -+ --- -This key captures the Job Number - -type: keyword - --- - -*`rsa.misc.spi_dst`*:: -+ --- -Destination SPI Index - -type: keyword - --- - -*`rsa.misc.spi_src`*:: -+ --- -Source SPI Index - -type: keyword - --- - -*`rsa.misc.code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.agent_id`*:: -+ --- -This key is used to capture agent id - -type: keyword - --- - -*`rsa.misc.message_body`*:: -+ --- -This key captures the The contents of the message body. - -type: keyword - --- - -*`rsa.misc.phone`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sig_id_str`*:: -+ --- -This key captures a string object of the sigid variable. - -type: keyword - --- - -*`rsa.misc.cmd`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu`*:: -+ --- -This key is the CPU time used in the execution of the event being recorded. - -type: long - --- - -*`rsa.misc.event_desc`*:: -+ --- -This key is used to capture a description of an event available directly or inferred - -type: keyword - --- - -*`rsa.misc.sig_id1`*:: -+ --- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - -type: long - --- - -*`rsa.misc.im_buddyid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_client`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.priority`*:: -+ --- -type: keyword - --- - -*`rsa.misc.context_subject`*:: -+ --- -This key is to be used in an audit context where the subject is the object being identified - -type: keyword - --- - -*`rsa.misc.context_target`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cve`*:: -+ --- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - -type: keyword - --- - -*`rsa.misc.fcatnum`*:: -+ --- -This key captures Filter Category Number. 
Legacy Usage - -type: keyword - --- - -*`rsa.misc.library`*:: -+ --- -This key is used to capture library information in mainframe devices - -type: keyword - --- - -*`rsa.misc.parent_node`*:: -+ --- -This key captures the Parent Node Name. Must be related to node variable. - -type: keyword - --- - -*`rsa.misc.risk_info`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.tcp_flags`*:: -+ --- -This key is captures the TCP flags set in any packet of session - -type: long - --- - -*`rsa.misc.tos`*:: -+ --- -This key describes the type of service - -type: long - --- - -*`rsa.misc.vm_target`*:: -+ --- -VMWare Target **VMWARE** only varaible. - -type: keyword - --- - -*`rsa.misc.workspace`*:: -+ --- -This key captures Workspace Description - -type: keyword - --- - -*`rsa.misc.command`*:: -+ --- -type: keyword - --- - -*`rsa.misc.event_category`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facilityname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.forensic_info`*:: -+ --- -type: keyword - --- - -*`rsa.misc.jobname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy`*:: -+ --- -type: keyword - --- - -*`rsa.misc.policy_waiver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.second`*:: -+ --- -type: keyword - --- - -*`rsa.misc.space1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.subcategory`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alert_id`*:: -+ --- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.checksum_dst`*:: -+ --- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - -type: keyword - --- - -*`rsa.misc.checksum_src`*:: -+ --- -This key is used to capture the checksum or hash of the source entity such as a file or process. 
- -type: keyword - --- - -*`rsa.misc.fresult`*:: -+ --- -This key captures the Filter Result - -type: long - --- - -*`rsa.misc.payload_dst`*:: -+ --- -This key is used to capture destination payload - -type: keyword - --- - -*`rsa.misc.payload_src`*:: -+ --- -This key is used to capture source payload - -type: keyword - --- - -*`rsa.misc.pool_id`*:: -+ --- -This key captures the identifier (typically numeric field) of a resource pool - -type: keyword - --- - -*`rsa.misc.process_id_val`*:: -+ --- -This key is a failure key for Process ID when it is not an integer value - -type: keyword - --- - -*`rsa.misc.risk_num_comm`*:: -+ --- -This key captures Risk Number Community - -type: double - --- - -*`rsa.misc.risk_num_next`*:: -+ --- -This key captures Risk Number NextGen - -type: double - --- - -*`rsa.misc.risk_num_sand`*:: -+ --- -This key captures Risk Number SandBox - -type: double - --- - -*`rsa.misc.risk_num_static`*:: -+ --- -This key captures Risk Number Static - -type: double - --- - -*`rsa.misc.risk_suspicious`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.risk_warning`*:: -+ --- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - -type: keyword - --- - -*`rsa.misc.snmp_oid`*:: -+ --- -SNMP Object Identifier - -type: keyword - --- - -*`rsa.misc.sql`*:: -+ --- -This key captures the SQL query - -type: keyword - --- - -*`rsa.misc.vuln_ref`*:: -+ --- -This key captures the Vulnerability Reference details - -type: keyword - --- - -*`rsa.misc.acl_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_op`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_pos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.acl_table`*:: -+ --- -type: keyword - --- - -*`rsa.misc.admin`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarm_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.alarmname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.app_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.audit`*:: 
-+ --- -type: keyword - --- - -*`rsa.misc.audit_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.auditdata`*:: -+ --- -type: keyword - --- - -*`rsa.misc.benchmark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.bypass`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cache_hit`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cefversion`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_attr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_obj`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cfg_path`*:: -+ --- -type: keyword - --- - -*`rsa.misc.changes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.client_ip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.clustermembers`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_acttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_asn_src`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_bgpv4nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ctr_dst_code`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_dst_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_engine_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_f_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampintv`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_flowsampmode`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inacttimeout`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermbyts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_inpermpckts`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_invalid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ip_proto_ver`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_ipv4_ident`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_l_switch`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_did`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_log_rid`*:: -+ --- -type: keyword - 
--- - -*`rsa.misc.cn_max_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_maxpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_min_ttl`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_minpcktlen`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_10`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_4`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_5`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_6`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_7`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_8`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mpls_lbl_9`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mplstoplabip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_byt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_mul_dst_pks`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_muligmptype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampalgo`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sampint`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_seqctr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_spackets`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_tos`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_src_vlan`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_sysuptime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_template_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totbytsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totflowexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_totpcktsexp`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_unixnanosecs`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6flowlabel`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cn_v6optheaders`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.comp_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_rbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.comp_sbytes`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cpu_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.criticality`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_agency_dst`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_analyzedby`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_other`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_primary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_av_secondary`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bgpv6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_bit9status`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_context`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_control`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_datecret`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_dst_tld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_dst_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_eth_src_ven`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_event_uuid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_filetype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_desc`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_if_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ip_next_hop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4dstpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_ipv4srcpre`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_lifetime`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_log_medium`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_loginname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulescore`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_modulesign`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_opswatresult`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.cs_payload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrant`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_registrar`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_represult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_rpayload`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sampler_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_sourcemodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_streams`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_targetmodule`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_v6nxthop`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_whois_server`*:: -+ --- -type: keyword - --- - -*`rsa.misc.cs_yararesult`*:: -+ --- -type: keyword - --- - -*`rsa.misc.description`*:: -+ --- -type: keyword - --- - -*`rsa.misc.devvendor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.distance`*:: -+ --- -type: keyword - --- - -*`rsa.misc.dstburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.edomaub`*:: -+ --- -type: keyword - --- - -*`rsa.misc.euid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.facility`*:: -+ --- -type: keyword - --- - -*`rsa.misc.finterface`*:: -+ --- -type: keyword - --- - -*`rsa.misc.flags`*:: -+ --- -type: keyword - --- - -*`rsa.misc.gaddr`*:: -+ --- -type: keyword - --- - -*`rsa.misc.id3`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_buddyname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_croomtype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_members`*:: -+ --- -type: keyword - --- - -*`rsa.misc.im_username`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipscat`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ipspri`*:: -+ --- -type: keyword - --- - -*`rsa.misc.latitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.linenum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.list_name`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.load_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_floor`*:: -+ --- -type: keyword - --- - -*`rsa.misc.location_mark`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.log_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logip`*:: -+ --- -type: keyword - --- - -*`rsa.misc.logname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.longitude`*:: -+ --- -type: keyword - --- - -*`rsa.misc.lport`*:: -+ --- -type: keyword - --- - -*`rsa.misc.mbug_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.misc_name`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msg_type`*:: -+ --- -type: keyword - --- - -*`rsa.misc.msgid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.netsessid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.number2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.nwwn`*:: -+ --- -type: keyword - --- - -*`rsa.misc.object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.operation`*:: -+ --- -type: keyword - --- - -*`rsa.misc.opkt`*:: -+ --- -type: keyword - --- - -*`rsa.misc.orig_from`*:: -+ --- -type: keyword - --- - -*`rsa.misc.owner_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_action`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_filter`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_group_object`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_id`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_msgid2`*:: -+ --- -type: keyword - --- - -*`rsa.misc.p_result1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_chg`*:: -+ --- -type: keyword - --- - -*`rsa.misc.password_expire`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permgranted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.permwanted`*:: -+ --- -type: keyword - --- - -*`rsa.misc.pgid`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.policyUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.prog_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.program`*:: -+ --- -type: keyword - --- - -*`rsa.misc.real_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_device`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_asp_num`*:: -+ --- -type: keyword - --- - -*`rsa.misc.rec_library`*:: -+ --- -type: keyword - --- - -*`rsa.misc.recordnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.ruid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sdomain_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sec`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sensorname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.seqnum`*:: -+ --- -type: keyword - --- - -*`rsa.misc.session`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sessiontype`*:: -+ --- -type: keyword - --- - -*`rsa.misc.sigUUID`*:: -+ --- -type: keyword - --- - -*`rsa.misc.spi`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcburb`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.srcservice`*:: -+ --- -type: keyword - --- - -*`rsa.misc.state`*:: -+ --- -type: keyword - --- - -*`rsa.misc.status1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.svcno`*:: -+ --- -type: keyword - --- - -*`rsa.misc.system`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tbdstr1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdom`*:: -+ --- -type: keyword - --- - -*`rsa.misc.tgtdomain`*:: -+ --- -type: keyword - --- - -*`rsa.misc.threshold`*:: -+ --- -type: keyword - --- - -*`rsa.misc.type1`*:: -+ --- -type: keyword - --- - -*`rsa.misc.udb_class`*:: -+ --- -type: keyword - --- - -*`rsa.misc.url_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.user_div`*:: -+ --- -type: keyword - --- - -*`rsa.misc.userid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.username_fld`*:: -+ --- -type: keyword - --- - -*`rsa.misc.utcstamp`*:: -+ --- -type: keyword - --- - 
-*`rsa.misc.v_instafname`*:: -+ --- -type: keyword - --- - -*`rsa.misc.virt_data`*:: -+ --- -type: keyword - --- - -*`rsa.misc.vpnid`*:: -+ --- -type: keyword - --- - -*`rsa.misc.autorun_type`*:: -+ --- -This is used to capture Auto Run type - -type: keyword - --- - -*`rsa.misc.cc_number`*:: -+ --- -Valid Credit Card Numbers only - -type: long - --- - -*`rsa.misc.content`*:: -+ --- -This key captures the content type from protocol headers - -type: keyword - --- - -*`rsa.misc.ein_number`*:: -+ --- -Employee Identification Numbers only - -type: long - --- - -*`rsa.misc.found`*:: -+ --- -This is used to capture the results of regex match - -type: keyword - --- - -*`rsa.misc.language`*:: -+ --- -This is used to capture list of languages the client support and what it prefers - -type: keyword - --- - -*`rsa.misc.lifetime`*:: -+ --- -This key is used to capture the session lifetime in seconds. - -type: long - --- - -*`rsa.misc.link`*:: -+ --- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.misc.match`*:: -+ --- -This key is for regex match name from search.ini - -type: keyword - --- - -*`rsa.misc.param_dst`*:: -+ --- -This key captures the command line/launch argument of the target process or file - -type: keyword - --- - -*`rsa.misc.param_src`*:: -+ --- -This key captures source parameter - -type: keyword - --- - -*`rsa.misc.search_text`*:: -+ --- -This key captures the Search Text used - -type: keyword - --- - -*`rsa.misc.sig_name`*:: -+ --- -This key is used to capture the Signature Name only. - -type: keyword - --- - -*`rsa.misc.snmp_value`*:: -+ --- -SNMP set request value - -type: keyword - --- - -*`rsa.misc.streams`*:: -+ --- -This key captures number of streams in session - -type: long - --- - - -*`rsa.db.index`*:: -+ --- -This key captures IndexID of the index. 
- -type: keyword - --- - -*`rsa.db.instance`*:: -+ --- -This key is used to capture the database server instance name - -type: keyword - --- - -*`rsa.db.database`*:: -+ --- -This key is used to capture the name of a database or an instance as seen in a session - -type: keyword - --- - -*`rsa.db.transact_id`*:: -+ --- -This key captures the SQL transantion ID of the current session - -type: keyword - --- - -*`rsa.db.permissions`*:: -+ --- -This key captures permission or privilege level assigned to a resource. - -type: keyword - --- - -*`rsa.db.table_name`*:: -+ --- -This key is used to capture the table name - -type: keyword - --- - -*`rsa.db.db_id`*:: -+ --- -This key is used to capture the unique identifier for a database - -type: keyword - --- - -*`rsa.db.db_pid`*:: -+ --- -This key captures the process id of a connection with database server - -type: long - --- - -*`rsa.db.lread`*:: -+ --- -This key is used for the number of logical reads - -type: long - --- - -*`rsa.db.lwrite`*:: -+ --- -This key is used for the number of logical writes - -type: long - --- - -*`rsa.db.pread`*:: -+ --- -This key is used for the number of physical writes - -type: long - --- - - -*`rsa.network.alias_host`*:: -+ --- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - -type: keyword - --- - -*`rsa.network.domain`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_dst`*:: -+ --- -This key should only be used when it’s a Destination Hostname - -type: keyword - --- - -*`rsa.network.network_service`*:: -+ --- -This is used to capture layer 7 protocols/service names - -type: keyword - --- - -*`rsa.network.interface`*:: -+ --- -This key should be used when the source or destination context of an interface is not clear - -type: keyword - --- - -*`rsa.network.network_port`*:: -+ --- -Deprecated, use port. 
NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) - -type: long - --- - -*`rsa.network.eth_host`*:: -+ --- -Deprecated, use alias.mac - -type: keyword - --- - -*`rsa.network.sinterface`*:: -+ --- -This key should only be used when it’s a Source Interface - -type: keyword - --- - -*`rsa.network.dinterface`*:: -+ --- -This key should only be used when it’s a Destination Interface - -type: keyword - --- - -*`rsa.network.vlan`*:: -+ --- -This key should only be used to capture the ID of the Virtual LAN - -type: long - --- - -*`rsa.network.zone_src`*:: -+ --- -This key should only be used when it’s a Source Zone. - -type: keyword - --- - -*`rsa.network.zone`*:: -+ --- -This key should be used when the source or destination context of a Zone is not clear - -type: keyword - --- - -*`rsa.network.zone_dst`*:: -+ --- -This key should only be used when it’s a Destination Zone. - -type: keyword - --- - -*`rsa.network.gateway`*:: -+ --- -This key is used to capture the IP Address of the gateway - -type: keyword - --- - -*`rsa.network.icmp_type`*:: -+ --- -This key is used to capture the ICMP type only - -type: long - --- - -*`rsa.network.mask`*:: -+ --- -This key is used to capture the device network IPmask. 
- -type: keyword - --- - -*`rsa.network.icmp_code`*:: -+ --- -This key is used to capture the ICMP code only - -type: long - --- - -*`rsa.network.protocol_detail`*:: -+ --- -This key should be used to capture additional protocol information - -type: keyword - --- - -*`rsa.network.dmask`*:: -+ --- -This key is used for Destionation Device network mask - -type: keyword - --- - -*`rsa.network.port`*:: -+ --- -This key should only be used to capture a Network Port when the directionality is not clear - -type: long - --- - -*`rsa.network.smask`*:: -+ --- -This key is used for capturing source Network Mask - -type: keyword - --- - -*`rsa.network.netname`*:: -+ --- -This key is used to capture the network name associated with an IP range. This is configured by the end user. - -type: keyword - --- - -*`rsa.network.paddr`*:: -+ --- -Deprecated - -type: ip - --- - -*`rsa.network.faddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.lhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.origin`*:: -+ --- -type: keyword - --- - -*`rsa.network.remote_domain_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.addr`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_a_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_ptr_record`*:: -+ --- -type: keyword - --- - -*`rsa.network.fhost`*:: -+ --- -type: keyword - --- - -*`rsa.network.fport`*:: -+ --- -type: keyword - --- - -*`rsa.network.laddr`*:: -+ --- -type: keyword - --- - -*`rsa.network.linterface`*:: -+ --- -type: keyword - --- - -*`rsa.network.phost`*:: -+ --- -type: keyword - --- - -*`rsa.network.ad_computer_dst`*:: -+ --- -Deprecated, use host.dst - -type: keyword - --- - -*`rsa.network.eth_type`*:: -+ --- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: long - --- - -*`rsa.network.ip_proto`*:: -+ --- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - -type: long - --- - -*`rsa.network.dns_cname_record`*:: -+ --- 
-type: keyword - --- - -*`rsa.network.dns_id`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_opcode`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_resp`*:: -+ --- -type: keyword - --- - -*`rsa.network.dns_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.domain1`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_type`*:: -+ --- -type: keyword - --- - -*`rsa.network.packet_length`*:: -+ --- -type: keyword - --- - -*`rsa.network.host_orig`*:: -+ --- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - -type: keyword - --- - -*`rsa.network.rpayload`*:: -+ --- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. - -type: keyword - --- - -*`rsa.network.vlan_name`*:: -+ --- -This key should only be used to capture the name of the Virtual LAN - -type: keyword - --- - - -*`rsa.investigations.ec_activity`*:: -+ --- -This key captures the particular event activity(Ex:Logoff) - -type: keyword - --- - -*`rsa.investigations.ec_theme`*:: -+ --- -This key captures the Theme of a particular Event(Ex:Authentication) - -type: keyword - --- - -*`rsa.investigations.ec_subject`*:: -+ --- -This key captures the Subject of a particular Event(Ex:User) - -type: keyword - --- - -*`rsa.investigations.ec_outcome`*:: -+ --- -This key captures the outcome of a particular Event(Ex:Success) - -type: keyword - --- - -*`rsa.investigations.event_cat`*:: -+ --- -This key captures the Event category number - -type: long - --- - -*`rsa.investigations.event_cat_name`*:: -+ --- -This key captures the event category name corresponding to the event cat code - -type: keyword - --- - -*`rsa.investigations.event_vcat`*:: -+ --- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - -type: keyword - --- - -*`rsa.investigations.analysis_file`*:: -+ --- -This is used to capture all indicators used in a File Analysis. 
This key should be used to capture an analysis of a file - -type: keyword - --- - -*`rsa.investigations.analysis_service`*:: -+ --- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - -type: keyword - --- - -*`rsa.investigations.analysis_session`*:: -+ --- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - -type: keyword - --- - -*`rsa.investigations.boc`*:: -+ --- -This is used to capture behaviour of compromise - -type: keyword - --- - -*`rsa.investigations.eoc`*:: -+ --- -This is used to capture Enablers of Compromise - -type: keyword - --- - -*`rsa.investigations.inv_category`*:: -+ --- -This used to capture investigation category - -type: keyword - --- - -*`rsa.investigations.inv_context`*:: -+ --- -This used to capture investigation context - -type: keyword - --- - -*`rsa.investigations.ioc`*:: -+ --- -This is key capture indicator of compromise - -type: keyword - --- - - -*`rsa.counters.dclass_c1`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c1.str only - -type: long - --- - -*`rsa.counters.dclass_c2`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c2.str only - -type: long - --- - -*`rsa.counters.event_counter`*:: -+ --- -This is used to capture the number of times an event repeated - -type: long - --- - -*`rsa.counters.dclass_r1`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r1.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c3.str only - -type: long - --- - -*`rsa.counters.dclass_c1_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c1 only - -type: keyword - --- - -*`rsa.counters.dclass_c2_str`*:: -+ --- -This is a generic counter string key that should be 
used with the label dclass.c2 only - -type: keyword - --- - -*`rsa.counters.dclass_r1_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r1 only - -type: keyword - --- - -*`rsa.counters.dclass_r2`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r2.str only - -type: keyword - --- - -*`rsa.counters.dclass_c3_str`*:: -+ --- -This is a generic counter string key that should be used with the label dclass.c3 only - -type: keyword - --- - -*`rsa.counters.dclass_r3`*:: -+ --- -This is a generic ratio key that should be used with the label dclass.r3.str only - -type: keyword - --- - -*`rsa.counters.dclass_r2_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r2 only - -type: keyword - --- - -*`rsa.counters.dclass_r3_str`*:: -+ --- -This is a generic ratio string key that should be used with the label dclass.r3 only - -type: keyword - --- - - -*`rsa.identity.auth_method`*:: -+ --- -This key is used to capture authentication methods used only - -type: keyword - --- - -*`rsa.identity.user_role`*:: -+ --- -This key is used to capture the Role of a user only - -type: keyword - --- - -*`rsa.identity.dn`*:: -+ --- -X.500 (LDAP) Distinguished Name - -type: keyword - --- - -*`rsa.identity.logon_type`*:: -+ --- -This key is used to capture the type of logon method used. 
- -type: keyword - --- - -*`rsa.identity.profile`*:: -+ --- -This key is used to capture the user profile - -type: keyword - --- - -*`rsa.identity.accesses`*:: -+ --- -This key is used to capture actual privileges used in accessing an object - -type: keyword - --- - -*`rsa.identity.realm`*:: -+ --- -Radius realm or similar grouping of accounts - -type: keyword - --- - -*`rsa.identity.user_sid_dst`*:: -+ --- -This key captures Destination User Session ID - -type: keyword - --- - -*`rsa.identity.dn_src`*:: -+ --- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - -type: keyword - --- - -*`rsa.identity.org`*:: -+ --- -This key captures the User organization - -type: keyword - --- - -*`rsa.identity.dn_dst`*:: -+ --- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - -type: keyword - --- - -*`rsa.identity.firstname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.lastname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.user_dept`*:: -+ --- -User's Department Names only - -type: keyword - --- - -*`rsa.identity.user_sid_src`*:: -+ --- -This key captures Source User Session ID - -type: keyword - --- - -*`rsa.identity.federated_sp`*:: -+ --- -This key is the Federated Service Provider. This is the application requesting authentication. - -type: keyword - --- - -*`rsa.identity.federated_idp`*:: -+ --- -This key is the federated Identity Provider. This is the server providing the authentication. - -type: keyword - --- - -*`rsa.identity.logon_type_desc`*:: -+ --- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
- -type: keyword - --- - -*`rsa.identity.middlename`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.identity.password`*:: -+ --- -This key is for Passwords seen in any session, plain text or encrypted - -type: keyword - --- - -*`rsa.identity.host_role`*:: -+ --- -This key should only be used to capture the role of a Host Machine - -type: keyword - --- - -*`rsa.identity.ldap`*:: -+ --- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - -type: keyword - --- - -*`rsa.identity.ldap_query`*:: -+ --- -This key is the Search criteria from an LDAP search - -type: keyword - --- - -*`rsa.identity.ldap_response`*:: -+ --- -This key is to capture Results from an LDAP search - -type: keyword - --- - -*`rsa.identity.owner`*:: -+ --- -This is used to capture username the process or service is running as, the author of the task - -type: keyword - --- - -*`rsa.identity.service_account`*:: -+ --- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - -type: keyword - --- - - -*`rsa.email.email_dst`*:: -+ --- -This key is used to capture the Destination email address only, when the destination context is not clear use email - -type: keyword - --- - -*`rsa.email.email_src`*:: -+ --- -This key is used to capture the source email address only, when the source context is not clear use email - -type: keyword - --- - -*`rsa.email.subject`*:: -+ --- -This key is used to capture the subject string from an Email only. - -type: keyword - --- - -*`rsa.email.email`*:: -+ --- -This key is used to capture a generic email address where the source or destination context is not clear - -type: keyword - --- - -*`rsa.email.trans_from`*:: -+ --- -Deprecated key defined only in table map. 
- -type: keyword - --- - -*`rsa.email.trans_to`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - - -*`rsa.file.privilege`*:: -+ --- -Deprecated, use permissions - -type: keyword - --- - -*`rsa.file.attachment`*:: -+ --- -This key captures the attachment file name - -type: keyword - --- - -*`rsa.file.filesystem`*:: -+ --- -type: keyword - --- - -*`rsa.file.binary`*:: -+ --- -Deprecated key defined only in table map. - -type: keyword - --- - -*`rsa.file.filename_dst`*:: -+ --- -This is used to capture name of the file targeted by the action - -type: keyword - --- - -*`rsa.file.filename_src`*:: -+ --- -This is used to capture name of the parent filename, the file which performed the action - -type: keyword - --- - -*`rsa.file.filename_tmp`*:: -+ --- -type: keyword - --- - -*`rsa.file.directory_dst`*:: -+ --- -This key is used to capture the directory of the target process or file - -type: keyword - --- - -*`rsa.file.directory_src`*:: -+ --- -This key is used to capture the directory of the source process or file - -type: keyword - --- - -*`rsa.file.file_entropy`*:: -+ --- -This is used to capture entropy vale of a file - -type: double - --- - -*`rsa.file.file_vendor`*:: -+ --- -This is used to capture Company name of file located in version_info - -type: keyword - --- - -*`rsa.file.task_name`*:: -+ --- -This is used to capture name of the task - -type: keyword - --- - - -*`rsa.web.fqdn`*:: -+ --- -Fully Qualified Domain Names - -type: keyword - --- - -*`rsa.web.web_cookie`*:: -+ --- -This key is used to capture the Web cookies specifically. - -type: keyword - --- - -*`rsa.web.alias_host`*:: -+ --- -type: keyword - --- - -*`rsa.web.reputation_num`*:: -+ --- -Reputation Number of an entity. 
Typically used for Web Domains
-
-type: double
-
---
-
-*`rsa.web.web_ref_domain`*::
-+
---
-Web referer's domain
-
-type: keyword
-
---
-
-*`rsa.web.web_ref_query`*::
-+
---
-This key captures Web referer's query portion of the URL
-
-type: keyword
-
---
-
-*`rsa.web.remote_domain`*::
-+
---
-type: keyword
-
---
-
-*`rsa.web.web_ref_page`*::
-+
---
-This key captures Web referer's page information
-
-type: keyword
-
---
-
-*`rsa.web.web_ref_root`*::
-+
---
-Web referer's root URL path
-
-type: keyword
-
---
-
-*`rsa.web.cn_asn_dst`*::
-+
---
-type: keyword
-
---
-
-*`rsa.web.cn_rpackets`*::
-+
---
-type: keyword
-
---
-
-*`rsa.web.urlpage`*::
-+
---
-type: keyword
-
---
-
-*`rsa.web.urlroot`*::
-+
---
-type: keyword
-
---
-
-*`rsa.web.p_url`*::
-+
---
-type: keyword
-
---
-
-*`rsa.web.p_user_agent`*::
-+
---
-type: keyword
-
---
-
-*`rsa.web.p_web_cookie`*::
-+
---
-type: keyword
-
---
-
-*`rsa.web.p_web_method`*::
-+
---
-type: keyword
-
---
-
-*`rsa.web.p_web_referer`*::
-+
---
-type: keyword
-
---
-
-*`rsa.web.web_extension_tmp`*::
-+
---
-type: keyword
-
---
-
-*`rsa.web.web_page`*::
-+
---
-type: keyword
-
---
-
-
-*`rsa.threat.threat_category`*::
-+
---
-This key captures Threat Name/Threat Category/Categorization of alert
-
-type: keyword
-
---
-
-*`rsa.threat.threat_desc`*::
-+
---
-This key is used to capture the threat description from the session directly or inferred
-
-type: keyword
-
---
-
-*`rsa.threat.alert`*::
-+
---
-This key is used to capture name of the alert
-
-type: keyword
-
---
-
-*`rsa.threat.threat_source`*::
-+
---
-This key is used to capture source of the threat
-
-type: keyword
-
---
-
-
-*`rsa.crypto.crypto`*::
-+
---
-This key is used to capture the Encryption Type or Encryption Key only
-
-type: keyword
-
---
-
-*`rsa.crypto.cipher_src`*::
-+
---
-This key is for Source (Client) Cipher
-
-type: keyword
-
---
-
-*`rsa.crypto.cert_subject`*::
-+
---
-This key is used to capture the Certificate organization only
-
-type: keyword
-
---
-
-*`rsa.crypto.peer`*::
-+
---
-This key is for Encryption peer's IP Address
-
-type: keyword
-
---
-
-*`rsa.crypto.cipher_size_src`*::
-+
---
-This key captures Source (Client) Cipher Size
-
-type: long
-
---
-
-*`rsa.crypto.ike`*::
-+
---
-IKE negotiation phase.
-
-type: keyword
-
---
-
-*`rsa.crypto.scheme`*::
-+
---
-This key captures the Encryption scheme used
-
-type: keyword
-
---
-
-*`rsa.crypto.peer_id`*::
-+
---
-This key is for Encryption peer’s identity
-
-type: keyword
-
---
-
-*`rsa.crypto.sig_type`*::
-+
---
-This key captures the Signature Type
-
-type: keyword
-
---
-
-*`rsa.crypto.cert_issuer`*::
-+
---
-type: keyword
-
---
-
-*`rsa.crypto.cert_host_name`*::
-+
---
-Deprecated key defined only in table map.
-
-type: keyword
-
---
-
-*`rsa.crypto.cert_error`*::
-+
---
-This key captures the Certificate Error String
-
-type: keyword
-
---
-
-*`rsa.crypto.cipher_dst`*::
-+
---
-This key is for Destination (Server) Cipher
-
-type: keyword
-
---
-
-*`rsa.crypto.cipher_size_dst`*::
-+
---
-This key captures Destination (Server) Cipher Size
-
-type: long
-
---
-
-*`rsa.crypto.ssl_ver_src`*::
-+
---
-Deprecated, use version
-
-type: keyword
-
---
-
-*`rsa.crypto.d_certauth`*::
-+
---
-type: keyword
-
---
-
-*`rsa.crypto.s_certauth`*::
-+
---
-type: keyword
-
---
-
-*`rsa.crypto.ike_cookie1`*::
-+
---
-ID of the negotiation — sent for ISAKMP Phase One
-
-type: keyword
-
---
-
-*`rsa.crypto.ike_cookie2`*::
-+
---
-ID of the negotiation — sent for ISAKMP Phase Two
-
-type: keyword
-
---
-
-*`rsa.crypto.cert_checksum`*::
-+
---
-type: keyword
-
---
-
-*`rsa.crypto.cert_host_cat`*::
-+
---
-This key is used for the hostname category value of a certificate
-
-type: keyword
-
---
-
-*`rsa.crypto.cert_serial`*::
-+
---
-This key is used to capture the Certificate serial number only
-
-type: keyword
-
---
-
-*`rsa.crypto.cert_status`*::
-+
---
-This key captures Certificate validation status
-
-type: keyword
-
---
-
-*`rsa.crypto.ssl_ver_dst`*::
-+
---
-Deprecated, use version
-
-type: keyword
-
---
-
-*`rsa.crypto.cert_keysize`*::
-+
---
-type: keyword
-
---
-
-*`rsa.crypto.cert_username`*::
-+
---
-type: keyword
-
---
-
-*`rsa.crypto.https_insact`*::
-+
---
-type: keyword
-
---
-
-*`rsa.crypto.https_valid`*::
-+
---
-type: keyword
-
---
-
-*`rsa.crypto.cert_ca`*::
-+
---
-This key is used to capture the Certificate signing authority only
-
-type: keyword
-
---
-
-*`rsa.crypto.cert_common`*::
-+
---
-This key is used to capture the Certificate common name only
-
-type: keyword
-
---
-
-
-*`rsa.wireless.wlan_ssid`*::
-+
---
-This key is used to capture the ssid of a Wireless Session
-
-type: keyword
-
---
-
-*`rsa.wireless.access_point`*::
-+
---
-This key is used to capture the access point name.
-
-type: keyword
-
---
-
-*`rsa.wireless.wlan_channel`*::
-+
---
-This is used to capture the channel names
-
-type: long
-
---
-
-*`rsa.wireless.wlan_name`*::
-+
---
-This key captures either WLAN number/name
-
-type: keyword
-
---
-
-
-*`rsa.storage.disk_volume`*::
-+
---
-A unique name assigned to logical units (volumes) within a physical disk
-
-type: keyword
-
---
-
-*`rsa.storage.lun`*::
-+
---
-Logical Unit Number.This key is a very useful concept in Storage.
-
-type: keyword
-
---
-
-*`rsa.storage.pwwn`*::
-+
---
-This uniquely identifies a port on a HBA.
-
-type: keyword
-
---
-
-
-*`rsa.physical.org_dst`*::
-+
---
-This is used to capture the destination organization based on the GEOPIP Maxmind database.
-
-type: keyword
-
---
-
-*`rsa.physical.org_src`*::
-+
---
-This is used to capture the source organization based on the GEOPIP Maxmind database. 
- -type: keyword - --- - - -*`rsa.healthcare.patient_fname`*:: -+ --- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_id`*:: -+ --- -This key captures the unique ID for a patient - -type: keyword - --- - -*`rsa.healthcare.patient_lname`*:: -+ --- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - -*`rsa.healthcare.patient_mname`*:: -+ --- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword - --- - - -*`rsa.endpoint.host_state`*:: -+ --- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - -type: keyword - --- - -*`rsa.endpoint.registry_key`*:: -+ --- -This key captures the path to the registry key - -type: keyword - --- - -*`rsa.endpoint.registry_value`*:: -+ --- -This key captures values or decorators used within a registry entry - -type: keyword - --- - :edit_url!: \ No newline at end of file diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index 191c149f448..68f0476e11e 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -58,7 +58,6 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> - * <> -- @@ -119,4 +118,3 @@ include::modules/traefik.asciidoc[] include::modules/zeek.asciidoc[] include::modules/zookeeper.asciidoc[] include::modules/zoom.asciidoc[] -include::modules/zscaler.asciidoc[] diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 4c7c7cecf82..e5f74a67e59 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -2093,27 +2093,6 @@ filebeat.modules: # The secret token value provided by Zoom for CRC validation #crc.secret: ZOOMSECRETTOKEN -#----------------------------- Zscaler NSS Module ----------------------------- -- module: zscaler - zia: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9521 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - #=========================== Filebeat inputs ============================= diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index 9765c5d8f76..a9966a42e97 100644 --- a/x-pack/filebeat/include/list.go +++ b/x-pack/filebeat/include/list.go @@ -51,7 +51,6 @@ import ( _ "github.com/elastic/beats/v7/x-pack/filebeat/module/zeek" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/zookeeper" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/zoom" - _ "github.com/elastic/beats/v7/x-pack/filebeat/module/zscaler" _ "github.com/elastic/beats/v7/x-pack/filebeat/processors/add_nomad_metadata" _ "github.com/elastic/beats/v7/x-pack/filebeat/processors/aws_vpcflow" _ "github.com/elastic/beats/v7/x-pack/filebeat/processors/decode_cef" diff --git a/x-pack/filebeat/module/zscaler/README.md b/x-pack/filebeat/module/zscaler/README.md deleted file mode 100644 index 0cd50920c35..00000000000 --- a/x-pack/filebeat/module/zscaler/README.md +++ /dev/null @@ -1,7 +0,0 @@ -# zscaler module - -This is a module for Zscaler NSS logs. - -Autogenerated from RSA NetWitness log parser 2.0 XML zscalernss version 108 -at 2020-07-13 17:55:42.808847 +0000 UTC. - 
diff --git a/x-pack/filebeat/module/zscaler/_meta/config.yml b/x-pack/filebeat/module/zscaler/_meta/config.yml deleted file mode 100644 index d7c47dc6e70..00000000000 --- a/x-pack/filebeat/module/zscaler/_meta/config.yml +++ /dev/null @@ -1,19 +0,0 @@ -- module: zscaler - zia: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9521 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local diff --git a/x-pack/filebeat/module/zscaler/_meta/docs.asciidoc b/x-pack/filebeat/module/zscaler/_meta/docs.asciidoc deleted file mode 100644 index 8a1b07a1372..00000000000 --- a/x-pack/filebeat/module/zscaler/_meta/docs.asciidoc +++ /dev/null 
@@ -1,76 +0,0 @@ -[role="xpack"] - -:modulename: zscaler -:has-dashboards: false - -== Zscaler module - -deprecated::[8.12.0,"This module is deprecated. Use the https://docs.elastic.co/integrations/zscaler_zia[Zscaler Internet Access] Elastic integration instead."] - -experimental[] - -//temporarily override modulename to create working link -:modulename: zscaler_zia - -include::{libbeat-dir}/shared/integration-link.asciidoc[] - -//reset modulename -:modulename: zscaler - -This is a module for receiving Zscaler NSS logs over Syslog or a file. - -include::../include/gs-link.asciidoc[] - -include::../include/configuring-intro.asciidoc[] - -:fileset_ex: zia - -include::../include/config-option-intro.asciidoc[] - -[float] -==== `zia` fileset settings - -experimental[] - -NOTE: This was converted from RSA NetWitness log parser XML "zscalernss" device revision 108. - -*`var.input`*:: - -The input from which messages are read. One of `file`, `tcp` or `udp`. Defaults to `udp`. - -*`var.syslog_host`*:: - -The address to listen to UDP or TCP based syslog traffic. -Defaults to `localhost`. -Set to `0.0.0.0` to bind to all available interfaces. - -*`var.syslog_port`*:: - -The port to listen for syslog traffic. Defaults to `9521` - -NOTE: Ports below 1024 require Filebeat to run as root. - -*`var.tz_offset`*:: - -By default, datetimes in the logs will be interpreted as relative to -the timezone configured in the host where {beatname_uc} is running. If ingesting -logs from a host on a different timezone, use this field to set the timezone -offset so that datetimes are correctly parsed. Valid values are in the form -±HH:mm, for example, `-07:00` for `UTC-7`. - -*`var.rsa_fields`*:: - -Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be added. - -*`var.keep_raw_fields`*:: - -Flag to control the addition of the raw parser fields to the event. This fields -will be found under `rsa.raw`. 
The default is false. - -:has-dashboards!: - -:fileset_ex!: - -:modulename!: - diff --git a/x-pack/filebeat/module/zscaler/_meta/fields.yml b/x-pack/filebeat/module/zscaler/_meta/fields.yml deleted file mode 100644 index d8e04d3db90..00000000000 --- a/x-pack/filebeat/module/zscaler/_meta/fields.yml +++ /dev/null @@ -1,5 +0,0 @@ -- key: zscaler - title: Zscaler NSS - description: > - zscaler fields. - fields: diff --git a/x-pack/filebeat/module/zscaler/fields.go b/x-pack/filebeat/module/zscaler/fields.go deleted file mode 100644 index e5a42369cc3..00000000000 --- a/x-pack/filebeat/module/zscaler/fields.go +++ /dev/null @@ -1,23 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. - -package zscaler - -import ( - "github.com/elastic/beats/v7/libbeat/asset" -) - -func init() { - if err := asset.SetFields("filebeat", "zscaler", asset.ModuleFieldsPri, AssetZscaler); err != nil { - panic(err) - } -} - -// AssetZscaler returns asset data. -// This is the base64 encoded zlib format compressed contents of module/zscaler. -func AssetZscaler() string { - return "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" -} diff --git a/x-pack/filebeat/module/zscaler/zia/_meta/fields.yml b/x-pack/filebeat/module/zscaler/zia/_meta/fields.yml deleted file mode 100644 index 08a34153c4f..00000000000 --- a/x-pack/filebeat/module/zscaler/zia/_meta/fields.yml +++ /dev/null 
@@ -1,2635 +0,0 @@ -- name: network.interface.name - overwrite: true - type: keyword - description: > - Name of the network interface where the traffic has been observed. -- name: rsa - overwrite: true - type: group - fields: - - name: internal - overwrite: true - type: group - fields: - - name: msg - overwrite: true - type: keyword - description: This key is used to capture the raw message that comes into the - Log Decoder - - name: messageid - overwrite: true - type: keyword - - name: event_desc - overwrite: true - type: keyword - - name: message - overwrite: true - type: keyword - description: This key captures the contents of instant messages - - name: time - overwrite: true - type: date - description: This is the time at which a session hits a NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness. - - name: level - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: msg_id - overwrite: true - type: keyword - description: This is the Message ID1 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: msg_vid - overwrite: true - type: keyword - description: This is the Message ID2 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: data - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: resource - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: statement - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: entry - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: inode - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: resource_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: dead - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - overwrite: true - type: keyword - description: This is used to capture the description of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: feed_name - overwrite: true - type: keyword - description: This is used to capture the name of the feed. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: cid - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_class - overwrite: true - type: keyword - description: This is the Classification of the Log Event Source under a predefined - fixed set of Event Source Classifications. 
This key should never be used to - parse Meta data from a session (Logs/Packets) Directly, this is a Reserved - key in NetWitness - - name: device_group - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - overwrite: true - type: keyword - description: This is the Hostname of the log Event Source sending the logs to - NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - overwrite: true - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - overwrite: true - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - overwrite: true - type: keyword - description: This is the name of the log parser which parsed a given session. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_type_id - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: did - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. 
- This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: entropy_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: entropy_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: event_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - overwrite: true - type: keyword - description: This is used to capture the category of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: forward_ip - overwrite: true - type: ip - description: This key should be used to capture the IPV4 address of a relay - system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - overwrite: true - type: ip - description: This key is used to capture the IPV6 address of a relay system - which forwarded the events from the original system to NetWitness. This key - should never be used to parse Meta data from a session (Logs/Packets) Directly, - this is a Reserved key in NetWitness - - name: header_id - overwrite: true - type: keyword - description: This is the Header ID value that identifies the exact log parser - header definition that parses a particular log session. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: lc_cid - overwrite: true - type: keyword - description: This is a unique Identifier of a Log Collector. 
This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: lc_ctime - overwrite: true - type: date - description: This is the time at which a log is collected in a NetWitness Log - Collector. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: mcbc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: medium - overwrite: true - type: long - description: "This key is used to identify if it\u2019s a log/packet session\ - \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ - \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ - \ 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: nwe_callback_id - overwrite: true - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - overwrite: true - type: keyword - description: This is a special key that stores any Meta key validation error - found while parsing a log session. This key should never be used to parse - Meta data from a session (Logs/Packets) Directly, this is a Reserved key in - NetWitness - - name: payload_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: payload_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: process_vid_dst - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the target process. - - name: process_vid_src - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the source process. - - name: rid - overwrite: true - type: long - description: This is a special ID of the Remote Session created by NetWitness - Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: session_split - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: size - overwrite: true - type: long - description: This is the size of the session as seen by the NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: sourcefile - overwrite: true - type: keyword - description: This is the name of the log file or PCAPs that can be imported - into NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: ubc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: word - overwrite: true - type: keyword - description: This is used by the Word Parsing technology to capture the first - 5 character of every word in an unparsed log - - name: time - overwrite: true - type: group - fields: - - name: event_time - overwrite: true - type: date - description: This key is used to capture the time mentioned in a raw session - that represents the actual time an event occured in a standard normalized - form - - name: duration_time - overwrite: true - type: double - description: This key is used to capture the normalized duration/lifetime in - seconds. 
- - name: event_time_str - overwrite: true - type: keyword - description: This key is used to capture the incomplete time mentioned in a - session as a string - - name: starttime - overwrite: true - type: date - description: This key is used to capture the Start time mentioned in a session - in a standard form - - name: month - overwrite: true - type: keyword - - name: day - overwrite: true - type: keyword - - name: endtime - overwrite: true - type: date - description: This key is used to capture the End time mentioned in a session - in a standard form - - name: timezone - overwrite: true - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - overwrite: true - type: keyword - description: A text string version of the duration - - name: date - overwrite: true - type: keyword - - name: year - overwrite: true - type: keyword - - name: recorded_time - overwrite: true - type: date - description: The event time as recorded by the system the event is collected - from. The usage scenario is a multi-tier application where the management - layer of the system records it's own timestamp at the time of collection from - its child nodes. Must be in timestamp format. - - name: datetime - overwrite: true - type: keyword - - name: effective_time - overwrite: true - type: date - description: This key is the effective time referenced by an individual event - in a Standard Timestamp format - - name: expire_time - overwrite: true - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - overwrite: true - type: keyword - description: Deprecated, use duration.time - - name: hour - overwrite: true - type: keyword - - name: min - overwrite: true - type: keyword - - name: timestamp - overwrite: true - type: keyword - - name: event_queue_time - overwrite: true - type: date - description: This key is the Time that the event was queued. 
- - name: p_time1 - overwrite: true - type: keyword - - name: tzone - overwrite: true - type: keyword - - name: eventtime - overwrite: true - type: keyword - - name: gmtdate - overwrite: true - type: keyword - - name: gmttime - overwrite: true - type: keyword - - name: p_date - overwrite: true - type: keyword - - name: p_month - overwrite: true - type: keyword - - name: p_time - overwrite: true - type: keyword - - name: p_time2 - overwrite: true - type: keyword - - name: p_year - overwrite: true - type: keyword - - name: expire_time_str - overwrite: true - type: keyword - description: This key is used to capture incomplete timestamp that explicitly - refers to an expiration. - - name: stamp - overwrite: true - type: date - description: Deprecated key defined only in table map. - - name: misc - overwrite: true - type: group - fields: - - name: action - overwrite: true - type: keyword - - name: result - overwrite: true - type: keyword - description: This key is used to capture the outcome/result string value of - an action in a session. - - name: severity - overwrite: true - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - overwrite: true - type: keyword - description: This key captures the event category type as specified by the event - source. - - name: reference_id - overwrite: true - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - overwrite: true - type: keyword - description: This key captures Version of the application or OS which is generating - the event. - - name: disposition - overwrite: true - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - overwrite: true - type: keyword - description: This key is used to capture the outcome/result numeric value of - an action in a session - - name: category - overwrite: true - type: keyword - description: This key is used to capture the category of an event given by the - vendor in the session - - name: obj_name - overwrite: true - type: keyword - description: This is used to capture name of object - - name: obj_type - overwrite: true - type: keyword - description: This is used to capture type of object - - name: event_source - overwrite: true - type: keyword - description: "This key captures Source of the event that\u2019s not a hostname" - - name: log_session_id - overwrite: true - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - overwrite: true - type: keyword - description: This key captures the Group Name value - - name: policy_name - overwrite: true - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - overwrite: true - type: keyword - description: This key captures the Rule Name - - name: context - overwrite: true - type: keyword - description: This key captures Information which adds additional context to - the event. - - name: change_new - overwrite: true - type: keyword - description: "This key is used to capture the new values of the attribute that\u2019\ - s changing in a session" - - name: space - overwrite: true - type: keyword - - name: client - overwrite: true - type: keyword - description: This key is used to capture only the name of the client application - requesting resources of the server. See the user.agent meta key for capture - of the specific user agent identifier or browser identification string. 
- - name: msgIdPart1 - overwrite: true - type: keyword - - name: msgIdPart2 - overwrite: true - type: keyword - - name: change_old - overwrite: true - type: keyword - description: "This key is used to capture the old value of the attribute that\u2019\ - s changing in a session" - - name: operation_id - overwrite: true - type: keyword - description: An alert number or operation number. The values should be unique - and non-repeating. - - name: event_state - overwrite: true - type: keyword - description: This key captures the current state of the object/item referenced - within the event. Describing an on-going event. - - name: group_object - overwrite: true - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - overwrite: true - type: keyword - description: Common use case is the node name within a cluster. The cluster - name is reflected by the host name. - - name: rule - overwrite: true - type: keyword - description: This key captures the Rule number - - name: device_name - overwrite: true - type: keyword - description: 'This is used to capture name of the Device associated with the - node Like: a physical disk, printer, etc' - - name: param - overwrite: true - type: keyword - description: This key is the parameters passed as part of a command or application, - etc. - - name: change_attrib - overwrite: true - type: keyword - description: "This key is used to capture the name of the attribute that\u2019\ - s changing in a session" - - name: event_computer - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - fully qualified domain name in a windows log. 
- - name: reference_id1 - overwrite: true - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - overwrite: true - type: keyword - description: This key captures the Name of the event log - - name: OS - overwrite: true - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - overwrite: true - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - overwrite: true - type: keyword - - name: filter - overwrite: true - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - overwrite: true - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the entity - such as a file or process. Checksum should be used over checksum.src or checksum.dst - when it is unclear whether the entity is a source or target of an action. - - name: event_user - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - combination of domain name and username in a windows log. - - name: virusname - overwrite: true - type: keyword - description: This key captures the name of the virus - - name: content_type - overwrite: true - type: keyword - description: This key is used to capture Content Type only. 
- - name: group_id - overwrite: true - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - overwrite: true - type: keyword - description: This key is used to capture the Policy ID only, this should be - a numeric value, use policy.name otherwise - - name: vsys - overwrite: true - type: keyword - description: This key captures Virtual System Name - - name: connection_id - overwrite: true - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - overwrite: true - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" - or "reference.id1" value but should not be used unless the other two variables - are in play. - - name: sensor - overwrite: true - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS - based devices - - name: sig_id - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - overwrite: true - type: keyword - description: 'This key is used for Physical or logical port connection but does - NOT include a network port. (Example: Printer port name).' - - name: rule_group - overwrite: true - type: keyword - description: This key captures the Rule group name - - name: risk_num - overwrite: true - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - overwrite: true - type: keyword - description: This key captures the Value of the trigger or threshold condition. - - name: log_session_id1 - overwrite: true - type: keyword - description: This key is used to capture a Linked (Related) Session ID from - the session directly - - name: comp_version - overwrite: true - type: keyword - description: This key captures the Version level of a sub-component of a product. 
- - name: content_version - overwrite: true - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - overwrite: true - type: keyword - description: This key is used to capture unique identifier for a device or system - (NOT a Mac address) - - name: risk - overwrite: true - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - overwrite: true - type: keyword - - name: reason - overwrite: true - type: keyword - - name: status - overwrite: true - type: keyword - - name: mail_id - overwrite: true - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - overwrite: true - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - overwrite: true - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - overwrite: true - type: keyword - - name: p_msgid - overwrite: true - type: keyword - - name: data_type - overwrite: true - type: keyword - - name: msgIdPart4 - overwrite: true - type: keyword - - name: error - overwrite: true - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - overwrite: true - type: keyword - - name: listnum - overwrite: true - type: keyword - description: This key is used to capture listname or listnumber, primarily for - collecting access-list - - name: ntype - overwrite: true - type: keyword - - name: observed_val - overwrite: true - type: keyword - description: This key captures the Value observed (from the perspective of the - device generating the log). - - name: policy_value - overwrite: true - type: keyword - description: This key captures the contents of the policy. 
This contains details - about the policy - - name: pool_name - overwrite: true - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - overwrite: true - type: keyword - description: A default set of parameters which are overlayed onto a rule (or - rulename) which efffectively constitutes a template - - name: count - overwrite: true - type: keyword - - name: number - overwrite: true - type: keyword - - name: sigcat - overwrite: true - type: keyword - - name: type - overwrite: true - type: keyword - - name: comments - overwrite: true - type: keyword - description: Comment information provided in the log message - - name: doc_number - overwrite: true - type: long - description: This key captures File Identification number - - name: expected_val - overwrite: true - type: keyword - description: This key captures the Value expected (from the perspective of the - device generating the log). - - name: job_num - overwrite: true - type: keyword - description: This key captures the Job Number - - name: spi_dst - overwrite: true - type: keyword - description: Destination SPI Index - - name: spi_src - overwrite: true - type: keyword - description: Source SPI Index - - name: code - overwrite: true - type: keyword - - name: agent_id - overwrite: true - type: keyword - description: This key is used to capture agent id - - name: message_body - overwrite: true - type: keyword - description: This key captures the The contents of the message body. - - name: phone - overwrite: true - type: keyword - - name: sig_id_str - overwrite: true - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - overwrite: true - type: keyword - - name: misc - overwrite: true - type: keyword - - name: name - overwrite: true - type: keyword - - name: cpu - overwrite: true - type: long - description: This key is the CPU time used in the execution of the event being - recorded. 
- - name: event_desc - overwrite: true - type: keyword - description: This key is used to capture a description of an event available - directly or inferred - - name: sig_id1 - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID. This must be linked - to the sig.id - - name: im_buddyid - overwrite: true - type: keyword - - name: im_client - overwrite: true - type: keyword - - name: im_userid - overwrite: true - type: keyword - - name: pid - overwrite: true - type: keyword - - name: priority - overwrite: true - type: keyword - - name: context_subject - overwrite: true - type: keyword - description: This key is to be used in an audit context where the subject is - the object being identified - - name: context_target - overwrite: true - type: keyword - - name: cve - overwrite: true - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - - an identifier for known information security vulnerabilities. - - name: fcatnum - overwrite: true - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - overwrite: true - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - overwrite: true - type: keyword - description: This key captures the Parent Node Name. Must be related to node - variable. - - name: risk_info - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - overwrite: true - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - overwrite: true - type: long - description: This key describes the type of service - - name: vm_target - overwrite: true - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - overwrite: true - type: keyword - description: This key captures Workspace Description - - name: command - overwrite: true - type: keyword - - name: event_category - overwrite: true - type: keyword - - name: facilityname - overwrite: true - type: keyword - - name: forensic_info - overwrite: true - type: keyword - - name: jobname - overwrite: true - type: keyword - - name: mode - overwrite: true - type: keyword - - name: policy - overwrite: true - type: keyword - - name: policy_waiver - overwrite: true - type: keyword - - name: second - overwrite: true - type: keyword - - name: space1 - overwrite: true - type: keyword - - name: subcategory - overwrite: true - type: keyword - - name: tbdstr2 - overwrite: true - type: keyword - - name: alert_id - overwrite: true - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the the target - entity such as a process or file. - - name: checksum_src - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the source - entity such as a file or process. 
- - name: fresult - overwrite: true - type: long - description: This key captures the Filter Result - - name: payload_dst - overwrite: true - type: keyword - description: This key is used to capture destination payload - - name: payload_src - overwrite: true - type: keyword - description: This key is used to capture source payload - - name: pool_id - overwrite: true - type: keyword - description: This key captures the identifier (typically numeric field) of a - resource pool - - name: process_id_val - overwrite: true - type: keyword - description: This key is a failure key for Process ID when it is not an integer - value - - name: risk_num_comm - overwrite: true - type: double - description: This key captures Risk Number Community - - name: risk_num_next - overwrite: true - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - overwrite: true - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - overwrite: true - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - overwrite: true - type: keyword - description: SNMP Object Identifier - - name: sql - overwrite: true - type: keyword - description: This key captures the SQL query - - name: vuln_ref - overwrite: true - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - overwrite: true - type: keyword - - name: acl_op - overwrite: true - type: keyword - - name: acl_pos - overwrite: true - type: keyword - - name: acl_table - overwrite: true - type: keyword - - name: admin - overwrite: true - type: keyword - - name: alarm_id - overwrite: true - type: keyword - - name: alarmname - 
overwrite: true - type: keyword - - name: app_id - overwrite: true - type: keyword - - name: audit - overwrite: true - type: keyword - - name: audit_object - overwrite: true - type: keyword - - name: auditdata - overwrite: true - type: keyword - - name: benchmark - overwrite: true - type: keyword - - name: bypass - overwrite: true - type: keyword - - name: cache - overwrite: true - type: keyword - - name: cache_hit - overwrite: true - type: keyword - - name: cefversion - overwrite: true - type: keyword - - name: cfg_attr - overwrite: true - type: keyword - - name: cfg_obj - overwrite: true - type: keyword - - name: cfg_path - overwrite: true - type: keyword - - name: changes - overwrite: true - type: keyword - - name: client_ip - overwrite: true - type: keyword - - name: clustermembers - overwrite: true - type: keyword - - name: cn_acttimeout - overwrite: true - type: keyword - - name: cn_asn_src - overwrite: true - type: keyword - - name: cn_bgpv4nxthop - overwrite: true - type: keyword - - name: cn_ctr_dst_code - overwrite: true - type: keyword - - name: cn_dst_tos - overwrite: true - type: keyword - - name: cn_dst_vlan - overwrite: true - type: keyword - - name: cn_engine_id - overwrite: true - type: keyword - - name: cn_engine_type - overwrite: true - type: keyword - - name: cn_f_switch - overwrite: true - type: keyword - - name: cn_flowsampid - overwrite: true - type: keyword - - name: cn_flowsampintv - overwrite: true - type: keyword - - name: cn_flowsampmode - overwrite: true - type: keyword - - name: cn_inacttimeout - overwrite: true - type: keyword - - name: cn_inpermbyts - overwrite: true - type: keyword - - name: cn_inpermpckts - overwrite: true - type: keyword - - name: cn_invalid - overwrite: true - type: keyword - - name: cn_ip_proto_ver - overwrite: true - type: keyword - - name: cn_ipv4_ident - overwrite: true - type: keyword - - name: cn_l_switch - overwrite: true - type: keyword - - name: cn_log_did - overwrite: true - type: keyword - - name: 
cn_log_rid - overwrite: true - type: keyword - - name: cn_max_ttl - overwrite: true - type: keyword - - name: cn_maxpcktlen - overwrite: true - type: keyword - - name: cn_min_ttl - overwrite: true - type: keyword - - name: cn_minpcktlen - overwrite: true - type: keyword - - name: cn_mpls_lbl_1 - overwrite: true - type: keyword - - name: cn_mpls_lbl_10 - overwrite: true - type: keyword - - name: cn_mpls_lbl_2 - overwrite: true - type: keyword - - name: cn_mpls_lbl_3 - overwrite: true - type: keyword - - name: cn_mpls_lbl_4 - overwrite: true - type: keyword - - name: cn_mpls_lbl_5 - overwrite: true - type: keyword - - name: cn_mpls_lbl_6 - overwrite: true - type: keyword - - name: cn_mpls_lbl_7 - overwrite: true - type: keyword - - name: cn_mpls_lbl_8 - overwrite: true - type: keyword - - name: cn_mpls_lbl_9 - overwrite: true - type: keyword - - name: cn_mplstoplabel - overwrite: true - type: keyword - - name: cn_mplstoplabip - overwrite: true - type: keyword - - name: cn_mul_dst_byt - overwrite: true - type: keyword - - name: cn_mul_dst_pks - overwrite: true - type: keyword - - name: cn_muligmptype - overwrite: true - type: keyword - - name: cn_sampalgo - overwrite: true - type: keyword - - name: cn_sampint - overwrite: true - type: keyword - - name: cn_seqctr - overwrite: true - type: keyword - - name: cn_spackets - overwrite: true - type: keyword - - name: cn_src_tos - overwrite: true - type: keyword - - name: cn_src_vlan - overwrite: true - type: keyword - - name: cn_sysuptime - overwrite: true - type: keyword - - name: cn_template_id - overwrite: true - type: keyword - - name: cn_totbytsexp - overwrite: true - type: keyword - - name: cn_totflowexp - overwrite: true - type: keyword - - name: cn_totpcktsexp - overwrite: true - type: keyword - - name: cn_unixnanosecs - overwrite: true - type: keyword - - name: cn_v6flowlabel - overwrite: true - type: keyword - - name: cn_v6optheaders - overwrite: true - type: keyword - - name: comp_class - overwrite: true - type: 
keyword - - name: comp_name - overwrite: true - type: keyword - - name: comp_rbytes - overwrite: true - type: keyword - - name: comp_sbytes - overwrite: true - type: keyword - - name: cpu_data - overwrite: true - type: keyword - - name: criticality - overwrite: true - type: keyword - - name: cs_agency_dst - overwrite: true - type: keyword - - name: cs_analyzedby - overwrite: true - type: keyword - - name: cs_av_other - overwrite: true - type: keyword - - name: cs_av_primary - overwrite: true - type: keyword - - name: cs_av_secondary - overwrite: true - type: keyword - - name: cs_bgpv6nxthop - overwrite: true - type: keyword - - name: cs_bit9status - overwrite: true - type: keyword - - name: cs_context - overwrite: true - type: keyword - - name: cs_control - overwrite: true - type: keyword - - name: cs_data - overwrite: true - type: keyword - - name: cs_datecret - overwrite: true - type: keyword - - name: cs_dst_tld - overwrite: true - type: keyword - - name: cs_eth_dst_ven - overwrite: true - type: keyword - - name: cs_eth_src_ven - overwrite: true - type: keyword - - name: cs_event_uuid - overwrite: true - type: keyword - - name: cs_filetype - overwrite: true - type: keyword - - name: cs_fld - overwrite: true - type: keyword - - name: cs_if_desc - overwrite: true - type: keyword - - name: cs_if_name - overwrite: true - type: keyword - - name: cs_ip_next_hop - overwrite: true - type: keyword - - name: cs_ipv4dstpre - overwrite: true - type: keyword - - name: cs_ipv4srcpre - overwrite: true - type: keyword - - name: cs_lifetime - overwrite: true - type: keyword - - name: cs_log_medium - overwrite: true - type: keyword - - name: cs_loginname - overwrite: true - type: keyword - - name: cs_modulescore - overwrite: true - type: keyword - - name: cs_modulesign - overwrite: true - type: keyword - - name: cs_opswatresult - overwrite: true - type: keyword - - name: cs_payload - overwrite: true - type: keyword - - name: cs_registrant - overwrite: true - type: keyword - - 
name: cs_registrar - overwrite: true - type: keyword - - name: cs_represult - overwrite: true - type: keyword - - name: cs_rpayload - overwrite: true - type: keyword - - name: cs_sampler_name - overwrite: true - type: keyword - - name: cs_sourcemodule - overwrite: true - type: keyword - - name: cs_streams - overwrite: true - type: keyword - - name: cs_targetmodule - overwrite: true - type: keyword - - name: cs_v6nxthop - overwrite: true - type: keyword - - name: cs_whois_server - overwrite: true - type: keyword - - name: cs_yararesult - overwrite: true - type: keyword - - name: description - overwrite: true - type: keyword - - name: devvendor - overwrite: true - type: keyword - - name: distance - overwrite: true - type: keyword - - name: dstburb - overwrite: true - type: keyword - - name: edomain - overwrite: true - type: keyword - - name: edomaub - overwrite: true - type: keyword - - name: euid - overwrite: true - type: keyword - - name: facility - overwrite: true - type: keyword - - name: finterface - overwrite: true - type: keyword - - name: flags - overwrite: true - type: keyword - - name: gaddr - overwrite: true - type: keyword - - name: id3 - overwrite: true - type: keyword - - name: im_buddyname - overwrite: true - type: keyword - - name: im_croomid - overwrite: true - type: keyword - - name: im_croomtype - overwrite: true - type: keyword - - name: im_members - overwrite: true - type: keyword - - name: im_username - overwrite: true - type: keyword - - name: ipkt - overwrite: true - type: keyword - - name: ipscat - overwrite: true - type: keyword - - name: ipspri - overwrite: true - type: keyword - - name: latitude - overwrite: true - type: keyword - - name: linenum - overwrite: true - type: keyword - - name: list_name - overwrite: true - type: keyword - - name: load_data - overwrite: true - type: keyword - - name: location_floor - overwrite: true - type: keyword - - name: location_mark - overwrite: true - type: keyword - - name: log_id - overwrite: true - 
type: keyword - - name: log_type - overwrite: true - type: keyword - - name: logid - overwrite: true - type: keyword - - name: logip - overwrite: true - type: keyword - - name: logname - overwrite: true - type: keyword - - name: longitude - overwrite: true - type: keyword - - name: lport - overwrite: true - type: keyword - - name: mbug_data - overwrite: true - type: keyword - - name: misc_name - overwrite: true - type: keyword - - name: msg_type - overwrite: true - type: keyword - - name: msgid - overwrite: true - type: keyword - - name: netsessid - overwrite: true - type: keyword - - name: num - overwrite: true - type: keyword - - name: number1 - overwrite: true - type: keyword - - name: number2 - overwrite: true - type: keyword - - name: nwwn - overwrite: true - type: keyword - - name: object - overwrite: true - type: keyword - - name: operation - overwrite: true - type: keyword - - name: opkt - overwrite: true - type: keyword - - name: orig_from - overwrite: true - type: keyword - - name: owner_id - overwrite: true - type: keyword - - name: p_action - overwrite: true - type: keyword - - name: p_filter - overwrite: true - type: keyword - - name: p_group_object - overwrite: true - type: keyword - - name: p_id - overwrite: true - type: keyword - - name: p_msgid1 - overwrite: true - type: keyword - - name: p_msgid2 - overwrite: true - type: keyword - - name: p_result1 - overwrite: true - type: keyword - - name: password_chg - overwrite: true - type: keyword - - name: password_expire - overwrite: true - type: keyword - - name: permgranted - overwrite: true - type: keyword - - name: permwanted - overwrite: true - type: keyword - - name: pgid - overwrite: true - type: keyword - - name: policyUUID - overwrite: true - type: keyword - - name: prog_asp_num - overwrite: true - type: keyword - - name: program - overwrite: true - type: keyword - - name: real_data - overwrite: true - type: keyword - - name: rec_asp_device - overwrite: true - type: keyword - - name: rec_asp_num 
- overwrite: true - type: keyword - - name: rec_library - overwrite: true - type: keyword - - name: recordnum - overwrite: true - type: keyword - - name: ruid - overwrite: true - type: keyword - - name: sburb - overwrite: true - type: keyword - - name: sdomain_fld - overwrite: true - type: keyword - - name: sec - overwrite: true - type: keyword - - name: sensorname - overwrite: true - type: keyword - - name: seqnum - overwrite: true - type: keyword - - name: session - overwrite: true - type: keyword - - name: sessiontype - overwrite: true - type: keyword - - name: sigUUID - overwrite: true - type: keyword - - name: spi - overwrite: true - type: keyword - - name: srcburb - overwrite: true - type: keyword - - name: srcdom - overwrite: true - type: keyword - - name: srcservice - overwrite: true - type: keyword - - name: state - overwrite: true - type: keyword - - name: status1 - overwrite: true - type: keyword - - name: svcno - overwrite: true - type: keyword - - name: system - overwrite: true - type: keyword - - name: tbdstr1 - overwrite: true - type: keyword - - name: tgtdom - overwrite: true - type: keyword - - name: tgtdomain - overwrite: true - type: keyword - - name: threshold - overwrite: true - type: keyword - - name: type1 - overwrite: true - type: keyword - - name: udb_class - overwrite: true - type: keyword - - name: url_fld - overwrite: true - type: keyword - - name: user_div - overwrite: true - type: keyword - - name: userid - overwrite: true - type: keyword - - name: username_fld - overwrite: true - type: keyword - - name: utcstamp - overwrite: true - type: keyword - - name: v_instafname - overwrite: true - type: keyword - - name: virt_data - overwrite: true - type: keyword - - name: vpnid - overwrite: true - type: keyword - - name: autorun_type - overwrite: true - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - overwrite: true - type: long - description: Valid Credit Card Numbers only - - name: content - 
overwrite: true - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - overwrite: true - type: long - description: Employee Identification Numbers only - - name: found - overwrite: true - type: keyword - description: This is used to capture the results of regex match - - name: language - overwrite: true - type: keyword - description: This is used to capture list of languages the client support and - what it prefers - - name: lifetime - overwrite: true - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - overwrite: true - type: keyword - description: This key is used to link the sessions together. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: match - overwrite: true - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - overwrite: true - type: keyword - description: This key captures the command line/launch argument of the target - process or file - - name: param_src - overwrite: true - type: keyword - description: This key captures source parameter - - name: search_text - overwrite: true - type: keyword - description: This key captures the Search Text used - - name: sig_name - overwrite: true - type: keyword - description: This key is used to capture the Signature Name only. - - name: snmp_value - overwrite: true - type: keyword - description: SNMP set request value - - name: streams - overwrite: true - type: long - description: This key captures number of streams in session - - name: db - overwrite: true - type: group - fields: - - name: index - overwrite: true - type: keyword - description: This key captures IndexID of the index. 
- - name: instance - overwrite: true - type: keyword - description: This key is used to capture the database server instance name - - name: database - overwrite: true - type: keyword - description: This key is used to capture the name of a database or an instance - as seen in a session - - name: transact_id - overwrite: true - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - overwrite: true - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - overwrite: true - type: keyword - description: This key is used to capture the table name - - name: db_id - overwrite: true - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - overwrite: true - type: long - description: This key captures the process id of a connection with database - server - - name: lread - overwrite: true - type: long - description: This key is used for the number of logical reads - - name: lwrite - overwrite: true - type: long - description: This key is used for the number of logical writes - - name: pread - overwrite: true - type: long - description: This key is used for the number of physical writes - - name: network - overwrite: true - type: group - fields: - - name: alias_host - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a hostname is not clear.Also it captures the Device Hostname. Any Hostname - that isnt ad.computer. 
- - name: domain - overwrite: true - type: keyword - - name: host_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Hostname" - - name: network_service - overwrite: true - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of an interface is not clear - - name: network_port - overwrite: true - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently - used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - overwrite: true - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Interface" - - name: dinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Interface" - - name: vlan - overwrite: true - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Zone." - - name: zone - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a Zone is not clear - - name: zone_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Zone." - - name: gateway - overwrite: true - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - overwrite: true - type: long - description: This key is used to capture the ICMP type only - - name: mask - overwrite: true - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - overwrite: true - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - overwrite: true - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - overwrite: true - type: keyword - description: This key is used for Destionation Device network mask - - name: port - overwrite: true - type: long - description: This key should only be used to capture a Network Port when the - directionality is not clear - - name: smask - overwrite: true - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - overwrite: true - type: keyword - description: This key is used to capture the network name associated with an - IP range. This is configured by the end user. - - name: paddr - overwrite: true - type: ip - description: Deprecated - - name: faddr - overwrite: true - type: keyword - - name: lhost - overwrite: true - type: keyword - - name: origin - overwrite: true - type: keyword - - name: remote_domain_id - overwrite: true - type: keyword - - name: addr - overwrite: true - type: keyword - - name: dns_a_record - overwrite: true - type: keyword - - name: dns_ptr_record - overwrite: true - type: keyword - - name: fhost - overwrite: true - type: keyword - - name: fport - overwrite: true - type: keyword - - name: laddr - overwrite: true - type: keyword - - name: linterface - overwrite: true - type: keyword - - name: phost - overwrite: true - type: keyword - - name: ad_computer_dst - overwrite: true - type: keyword - description: Deprecated, use host.dst - - name: eth_type - overwrite: true - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols - Only - - name: ip_proto - overwrite: true - type: long - description: This key should be used to capture the Protocol number, all the - protocol nubers are converted into string in UI - - name: dns_cname_record - overwrite: true - 
type: keyword - - name: dns_id - overwrite: true - type: keyword - - name: dns_opcode - overwrite: true - type: keyword - - name: dns_resp - overwrite: true - type: keyword - - name: dns_type - overwrite: true - type: keyword - - name: domain1 - overwrite: true - type: keyword - - name: host_type - overwrite: true - type: keyword - - name: packet_length - overwrite: true - type: keyword - - name: host_orig - overwrite: true - type: keyword - description: This is used to capture the original hostname in case of a Forwarding - Agent or a Proxy in between. - - name: rpayload - overwrite: true - type: keyword - description: This key is used to capture the total number of payload bytes seen - in the retransmitted packets. - - name: vlan_name - overwrite: true - type: keyword - description: This key should only be used to capture the name of the Virtual - LAN - - name: investigations - overwrite: true - type: group - fields: - - name: ec_activity - overwrite: true - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - overwrite: true - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - overwrite: true - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - overwrite: true - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - overwrite: true - type: long - description: This key captures the Event category number - - name: event_cat_name - overwrite: true - type: keyword - description: This key captures the event category name corresponding to the - event cat code - - name: event_vcat - overwrite: true - type: keyword - description: This is a vendor supplied category. This should be used in situations - where the vendor has adopted their own event_category taxonomy. 
- - name: analysis_file - overwrite: true - type: keyword - description: This is used to capture all indicators used in a File Analysis. - This key should be used to capture an analysis of a file - - name: analysis_service - overwrite: true - type: keyword - description: This is used to capture all indicators used in a Service Analysis. - This key should be used to capture an analysis of a service - - name: analysis_session - overwrite: true - type: keyword - description: This is used to capture all indicators used for a Session Analysis. - This key should be used to capture an analysis of a session - - name: boc - overwrite: true - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - overwrite: true - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - overwrite: true - type: keyword - description: This used to capture investigation category - - name: inv_context - overwrite: true - type: keyword - description: This used to capture investigation context - - name: ioc - overwrite: true - type: keyword - description: This is key capture indicator of compromise - - name: counters - overwrite: true - type: group - fields: - - name: dclass_c1 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c1.str only - - name: dclass_c2 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c2.str only - - name: event_counter - overwrite: true - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r1.str only - - name: dclass_c3 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c3.str only - - name: dclass_c1_str - 
overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c1 only - - name: dclass_c2_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c2 only - - name: dclass_r1_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r1 only - - name: dclass_r2 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r2.str only - - name: dclass_c3_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c3 only - - name: dclass_r3 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r3.str only - - name: dclass_r2_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r2 only - - name: dclass_r3_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r3 only - - name: identity - overwrite: true - type: group - fields: - - name: auth_method - overwrite: true - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - overwrite: true - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - overwrite: true - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - overwrite: true - type: keyword - description: This key is used to capture the type of logon method used. 
- - name: profile - overwrite: true - type: keyword - description: This key is used to capture the user profile - - name: accesses - overwrite: true - type: keyword - description: This key is used to capture actual privileges used in accessing - an object - - name: realm - overwrite: true - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - overwrite: true - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that - indicates a Source dn - - name: org - overwrite: true - type: keyword - description: This key captures the User organization - - name: dn_dst - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that - indicates a Destination dn - - name: firstname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: lastname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: user_dept - overwrite: true - type: keyword - description: User's Department Names only - - name: user_sid_src - overwrite: true - type: keyword - description: This key captures Source User Session ID - - name: federated_sp - overwrite: true - type: keyword - description: This key is the Federated Service Provider. This is the application - requesting authentication. - - name: federated_idp - overwrite: true - type: keyword - description: This key is the federated Identity Provider. This is the server - providing the authentication. - - name: logon_type_desc - overwrite: true - type: keyword - description: This key is used to capture the textual description of an integer - logon type as stored in the meta key 'logon.type'. 
- - name: middlename - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: password - overwrite: true - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - overwrite: true - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - overwrite: true - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ - t have a clear query or response context" - - name: ldap_query - overwrite: true - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - overwrite: true - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - overwrite: true - type: keyword - description: This is used to capture username the process or service is running - as, the author of the task - - name: service_account - overwrite: true - type: keyword - description: This key is a windows specific key, used for capturing name of - the account a service (referenced in the event) is running under. Legacy Usage - - name: email - overwrite: true - type: group - fields: - - name: email_dst - overwrite: true - type: keyword - description: This key is used to capture the Destination email address only, - when the destination context is not clear use email - - name: email_src - overwrite: true - type: keyword - description: This key is used to capture the source email address only, when - the source context is not clear use email - - name: subject - overwrite: true - type: keyword - description: This key is used to capture the subject string from an Email only. 
- - name: email - overwrite: true - type: keyword - description: This key is used to capture a generic email address where the source - or destination context is not clear - - name: trans_from - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: file - overwrite: true - type: group - fields: - - name: privilege - overwrite: true - type: keyword - description: Deprecated, use permissions - - name: attachment - overwrite: true - type: keyword - description: This key captures the attachment file name - - name: filesystem - overwrite: true - type: keyword - - name: binary - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: filename_dst - overwrite: true - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - overwrite: true - type: keyword - description: This is used to capture name of the parent filename, the file which - performed the action - - name: filename_tmp - overwrite: true - type: keyword - - name: directory_dst - overwrite: true - type: keyword - description: This key is used to capture the directory of the target process - or file - - name: directory_src - overwrite: true - type: keyword - description: This key is used to capture the directory of the source process - or file - - name: file_entropy - overwrite: true - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - overwrite: true - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - overwrite: true - type: keyword - description: This is used to capture name of the task - - name: web - overwrite: true - type: group - fields: - - name: fqdn - overwrite: true - type: keyword - description: Fully Qualified Domain Names - - 
name: web_cookie - overwrite: true - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - overwrite: true - type: keyword - - name: reputation_num - overwrite: true - type: double - description: Reputation Number of an entity. Typically used for Web Domains - - name: web_ref_domain - overwrite: true - type: keyword - description: Web referer's domain - - name: web_ref_query - overwrite: true - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - overwrite: true - type: keyword - - name: web_ref_page - overwrite: true - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - overwrite: true - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - overwrite: true - type: keyword - - name: cn_rpackets - overwrite: true - type: keyword - - name: urlpage - overwrite: true - type: keyword - - name: urlroot - overwrite: true - type: keyword - - name: p_url - overwrite: true - type: keyword - - name: p_user_agent - overwrite: true - type: keyword - - name: p_web_cookie - overwrite: true - type: keyword - - name: p_web_method - overwrite: true - type: keyword - - name: p_web_referer - overwrite: true - type: keyword - - name: web_extension_tmp - overwrite: true - type: keyword - - name: web_page - overwrite: true - type: keyword - - name: threat - overwrite: true - type: group - fields: - - name: threat_category - overwrite: true - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of - alert - - name: threat_desc - overwrite: true - type: keyword - description: This key is used to capture the threat description from the session - directly or inferred - - name: alert - overwrite: true - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - overwrite: true - type: keyword - description: This key is used to 
capture source of the threat - - name: crypto - overwrite: true - type: group - fields: - - name: crypto - overwrite: true - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key - only - - name: cipher_src - overwrite: true - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - overwrite: true - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - overwrite: true - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - overwrite: true - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - overwrite: true - type: keyword - description: IKE negotiation phase. - - name: scheme - overwrite: true - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - overwrite: true - type: keyword - description: "This key is for Encryption peer\u2019s identity" - - name: sig_type - overwrite: true - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - overwrite: true - type: keyword - - name: cert_host_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: cert_error - overwrite: true - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - overwrite: true - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - overwrite: true - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - overwrite: true - type: keyword - description: Deprecated, use version - - name: d_certauth - overwrite: true - type: keyword - - name: s_certauth - overwrite: true - type: keyword - - name: ike_cookie1 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - - name: ike_cookie2 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - - name: cert_checksum - overwrite: true - type: keyword - - name: cert_host_cat - overwrite: true - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - overwrite: true - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - overwrite: true - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - overwrite: true - type: keyword - description: Deprecated, use version - - name: cert_keysize - overwrite: true - type: keyword - - name: cert_username - overwrite: true - type: keyword - - name: https_insact - overwrite: true - type: keyword - - name: https_valid - overwrite: true - type: keyword - - name: cert_ca - overwrite: true - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - overwrite: true - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - overwrite: true - type: group - fields: - - name: wlan_ssid - overwrite: true - type: keyword - description: This key is 
used to capture the ssid of a Wireless Session - - name: access_point - overwrite: true - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - overwrite: true - type: long - description: This is used to capture the channel names - - name: wlan_name - overwrite: true - type: keyword - description: This key captures either WLAN number/name - - name: storage - overwrite: true - type: group - fields: - - name: disk_volume - overwrite: true - type: keyword - description: A unique name assigned to logical units (volumes) within a physical - disk - - name: lun - overwrite: true - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - overwrite: true - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - overwrite: true - type: group - fields: - - name: org_dst - overwrite: true - type: keyword - description: This is used to capture the destination organization based on the - GEOPIP Maxmind database. - - name: org_src - overwrite: true - type: keyword - description: This is used to capture the source organization based on the GEOPIP - Maxmind database. 
- - name: healthcare - overwrite: true - type: group - fields: - - name: patient_fname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_id - overwrite: true - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_mname - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: endpoint - overwrite: true - type: group - fields: - - name: host_state - overwrite: true - type: keyword - description: This key is used to capture the current state of the machine, such - as blacklisted, infected, firewall - disabled and so on - - name: registry_key - overwrite: true - type: keyword - description: This key captures the path to the registry key - - name: registry_value - overwrite: true - type: keyword - description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/zscaler/zia/config/input.yml b/x-pack/filebeat/module/zscaler/zia/config/input.yml
deleted file mode 100644
index 36e7fd2e2f9..00000000000
--- a/x-pack/filebeat/module/zscaler/zia/config/input.yml
+++ /dev/null
@@ -1,87 +0,0 @@
-{{ if eq .input "file" }}
-
-type: log
-paths:
- {{ range $i, $path := .paths }}
-- {{$path}}
- {{ end }}
-exclude_files: [".gz$"]
-
-{{ else }}
-
-type: {{.input}}
-host: "{{.syslog_host}}:{{.syslog_port}}"
-
-{{ end }}
-
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
-
-fields_under_root: true
-fields:
- observer:
- vendor: "Zscaler"
- product: "Internet"
- type: "Configuration"
-
-processors:
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{.rsa_fields}}
- tz_offset: {{.tz_offset}}
- keep_raw: {{.keep_raw_fields}}
- debug: {{.debug}}
- files:
- - ${path.home}/module/zscaler/zia/config/liblogparser.js
- - ${path.home}/module/zscaler/zia/config/pipeline.js
-{{ if .community_id }}
-- community_id: ~
-{{ end }}
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: dns.question.name
- target_field: dns.question.registered_domain
- target_subdomain_field: dns.question.subdomain
- target_etld_field: dns.question.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: client.domain
- target_field: client.registered_domain
- target_subdomain_field: client.subdomain
- target_etld_field: client.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: server.domain
- target_field: server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_fields:
- target: ''
- fields:
- ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zscaler/zia/config/liblogparser.js b/x-pack/filebeat/module/zscaler/zia/config/liblogparser.js
deleted file mode 100644
index b35eaa3ddce..00000000000
--- a/x-pack/filebeat/module/zscaler/zia/config/liblogparser.js
+++ /dev/null
@@ -1,2514 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -/* jshint -W014,-W016,-W097,-W116 */ - -var processor = require("processor"); -var console = require("console"); - -var FLAG_FIELD = "log.flags"; -var FIELDS_OBJECT = "nwparser"; -var FIELDS_PREFIX = FIELDS_OBJECT + "."; - -var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true -}; - -var saved_flags = null; -var debug; -var map_ecs; -var map_rsa; -var keep_raw; -var device; -var tz_offset; -var strip_priority; - -// Register params from configuration. -function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); -} - -function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } -} - -function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); -} - -function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); -} - -function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; -} - -function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; -} - -function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; -} - -var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); -})(); - -function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; -} - -function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } -} - -function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; -} - -function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; -} - -function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; -} - -function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; -} - -var start; - -function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); -} - -function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); -} - -function constant(value) { - return function (evt) { - return value; - }; -} - -function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; -} - -function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; -} - -// TODO: Implement -function DIRCHK(args) { - unimplemented("DIRCHK"); -} - -function strictToInt(str) { - return str * 1; -} - -function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - var result; - switch 
(args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; -} - -var quoteChars = "\"'`"; -function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; -} - -function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; -} - -function nop(evt) { -} - -function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); -} - -function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); -} - -function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; -} - -function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); -} - -function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; -} - -function setc(dst, value) { - return function (evt) { - evt.Put(FIELDS_PREFIX + dst, value); - }; 
-}
-
-function set_field(opts) {
- return function (evt) {
- var val = opts.value(evt);
- if (val != null) evt.Put(opts.dest, val);
- };
-}
-
-function dump(label) {
- return function (evt) {
- console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t"));
- };
-}
-
-function date_time_join_args(evt, arglist) {
- var str = "";
- for (var i = 0; i < arglist.length; i++) {
- var fname = FIELDS_PREFIX + arglist[i];
- var val = evt.Get(fname);
- if (val != null) {
- if (str !== "") str += " ";
- str += val;
- } else {
- if (debug) console.warn("in date_time: input arg " + fname + " is not set");
- }
- }
- return str;
-}
-
-function to2Digit(num) {
- return num? (num < 10? "0" + num : num) : "00";
-}
-
-// Make two-digit dates 00-69 interpreted as 2000-2069
-// and dates 70-99 translated to 1970-1999.
-var twoDigitYearEpoch = 70;
-var twoDigitYearCentury = 2000;
-
-// This is to accept dates up to 2 days in the future, only used when
-// no year is specified in a date. 2 days should be enough to account for
-// time differences between systems and different tz offsets.
-var maxFutureDelta = 2*24*60*60*1000;
-
-// DateContainer stores date fields and then converts those fields into
-// a Date. Necessary because building a Date using its set() methods gives
-// different results depending on the order of components.
-function DateContainer(tzOffset) {
- this.offset = tzOffset === undefined? "Z" : tzOffset;
-}
-
-DateContainer.prototype = {
- setYear: function(v) {this.year = v;},
- setMonth: function(v) {this.month = v;},
- setDay: function(v) {this.day = v;},
- setHours: function(v) {this.hours = v;},
- setMinutes: function(v) {this.minutes = v;},
- setSeconds: function(v) {this.seconds = v;},
-
- setUNIX: function(v) {this.unix = v;},
-
- set2DigitYear: function(v) {
- this.year = v < twoDigitYearEpoch?
twoDigitYearCentury + v : twoDigitYearCentury + v - 100;
- },
-
- toDate: function() {
- if (this.unix !== undefined) {
- return new Date(this.unix * 1000);
- }
- if (this.day === undefined || this.month === undefined) {
- // Can't make a date from this.
- return undefined;
- }
- if (this.year === undefined) {
- // A date without a year. Set current year, or previous year
- // if date would be in the future.
- var now = new Date();
- this.year = now.getFullYear();
- var date = this.toDate();
- if (date.getTime() - now.getTime() > maxFutureDelta) {
- date.setFullYear(now.getFullYear() - 1);
- }
- return date;
- }
- var MM = to2Digit(this.month);
- var DD = to2Digit(this.day);
- var hh = to2Digit(this.hours);
- var mm = to2Digit(this.minutes);
- var ss = to2Digit(this.seconds);
- return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset);
- }
-}
-
-function date_time_try_pattern(fmt, str, tzOffset) {
- var date = new DateContainer(tzOffset);
- var pos = date_time_try_pattern_at_pos(fmt, str, 0, date);
- return pos !== undefined?
date.toDate() : undefined; -} - -function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; -} - -function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; -} - -var uA = 60 * 60 * 24; -var uD = 60 * 60 * 24; -var uF = 60 * 60; -var uG = 60 * 60 * 24 * 30; -var uH = 60 * 60; -var uI = 60 * 60; -var uJ = 60 * 60 * 24; -var uM = 60 * 60 * 24 * 30; -var uN = 60 * 60; -var uO = 1; -var uS = 1; -var uT = 60; -var uU = 60; -var uc = dc; - -function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; -} - -function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 5], - "dec": [11, 4], 
-};
-
-// var dC = undefined;
-var dR = dateMonthName(true);
-var dB = dateMonthName(false);
-var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
-var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
-var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
-var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
-var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
-var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
-var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
-var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
-var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
-var dP = parseAMPM; // AM|PM
-var dQ = parseAMPM; // A.M.|P.M
-var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
-var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
-var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
-var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
-var dZ = parseHMS;
-var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
-
-// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
-// Only works if this modifier appears after the hour has been read from logs
-// which is always the case in the 300 devices.
-function parseAMPM(str, pos, date) {
- var n = str.length;
- var start = skipws(str, pos);
- if (start + 2 > n) return;
- var head = str.substr(start, 2).toUpperCase();
- var isPM = false;
- var skip = false;
- switch (head) {
- case "A.":
- skip = true;
- /* falls through */
- case "AM":
- break;
- case "P.":
- skip = true;
- /* falls through */
- case "PM":
- isPM = true;
- break;
- default:
- if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
- return;
- }
- pos = start + 2;
- if (skip) {
- if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
- if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
- return;
- }
- pos += 2;
- }
- var hh = date.hours;
- if (isPM) {
- // Accept existing hour in 24h format.
- if (hh < 12) hh += 12;
- } else {
- if (hh === 12) hh = 0;
- }
- date.setHours(hh);
- return pos;
-}
-
-function parseHMS(str, pos, date) {
- return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
-}
-
-function skipws(str, pos) {
- for ( var n = str.length;
- pos < n && str.charAt(pos) === " ";
- pos++)
- ;
- return pos;
-}
-
-function skipdigits(str, pos) {
- var c;
- for (var n = str.length;
- pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
- pos++)
- ;
- return pos;
-}
-
-function dSkip(str, pos, date) {
- var chr;
- for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
- return pos < str.length?
pos : undefined;
-}
-
-function dateVariableWidthNumber(fmtChar, min, max, setter) {
- return function (str, pos, date) {
- var start = skipws(str, pos);
- pos = skipdigits(str, start);
- var s = str.substr(start, pos - start);
- var value = parseInt(s, 10);
- if (value >= min && value <= max) {
- setter.call(date, value);
- return pos;
- }
- return;
- };
-}
-
-function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
- return function (str, pos, date) {
- pos = skipws(str, pos);
- var n = str.length;
- if (pos + width > n) return;
- var s = str.substr(pos, width);
- var value = parseInt(s, 10);
- if (value >= min && value <= max) {
- setter.call(date, value);
- return pos + width;
- }
- return;
- };
-}
-
-// Short month name (Jan..Dec).
-function dateMonthName(long) {
- return function (str, pos, date) {
- pos = skipws(str, pos);
- var n = str.length;
- if (pos + 3 > n) return;
- var mon = str.substr(pos, 3);
- var idx = shortMonths[mon];
- if (idx === undefined) {
- idx = shortMonths[mon.toLowerCase()];
- }
- if (idx === undefined) {
- //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
- return;
- }
- date.setMonth(idx[0]+1);
- return pos + 3 + (long ?
idx[1] : 0);
- };
-}
-
-function url_wrapper(dst, src, fn) {
- return function(evt) {
- var value = evt.Get(FIELDS_PREFIX + src), result;
- if (value != null && (result = fn(value))!== undefined) {
- evt.Put(FIELDS_PREFIX + dst, result);
- } else {
- console.debug(fn.name + " failed for '" + value + "'");
- }
- };
-}
-
-// The following regular expression for parsing URLs from:
-// https://github.com/wizard04wsu/URI_Parsing
-//
-// The MIT License (MIT)
-//
-// Copyright (c) 2014 Andrew Harrison
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy of
-// this software and associated documentation files (the "Software"), to deal in
-// the Software without restriction, including without limitation the rights to
-// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-// the Software, and to permit persons to whom the Software is furnished to do so,
-// subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in all
-// copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
-
-var uriScheme = 1;
-var uriDomain = 5;
-var uriPort = 6;
-var uriPath = 7;
-var uriPathAlt = 9;
-var uriQuery = 11;
-
-function domain(dst, src) {
- return url_wrapper(dst, src, extract_domain);
-}
-
-function split_url(value) {
- var m = value.match(uriRegExp);
- if (m && m[uriDomain]) return m;
- // Support input in the form "www.example.net/path", but not "/path".
- m = ("null://" + value).match(uriRegExp);
- if (m) return m;
-}
-
-function extract_domain(value) {
- var m = split_url(value);
- if (m && m[uriDomain]) return m[uriDomain];
-}
-
-var extFromPage = /\.[^.]+$/;
-function extract_ext(value) {
- var page = extract_page(value);
- if (page) {
- var m = page.match(extFromPage);
- if (m) return m[0];
- }
-}
-
-function ext(dst, src) {
- return url_wrapper(dst, src, extract_ext);
-}
-
-function fqdn(dst, src) {
- // TODO: fqdn and domain(eTLD+1) are currently the same.
- return domain(dst, src);
-}
-
-var pageFromPathRegExp = /\/([^\/]+)$/;
-var pageName = 1;
-
-function extract_page(value) {
- value = extract_path(value);
- if (!value) return undefined;
- var m = value.match(pageFromPathRegExp);
- if (m) return m[pageName];
-}
-
-function page(dst, src) {
- return url_wrapper(dst, src, extract_page);
-}
-
-function extract_path(value) {
- var m = split_url(value);
- return m? m[uriPath] || m[uriPathAlt] : undefined;
-}
-
-function path(dst, src) {
- return url_wrapper(dst, src, extract_path);
-}
-
-// Map common schemes to their default port.
-// port has to be a string (will be converted at a later stage).
-var schemePort = {
- "ftp": "21",
- "ssh": "22",
- "http": "80",
- "https": "443",
-};
-
-function extract_port(value) {
- var m = split_url(value);
- if (!m) return undefined;
- if (m[uriPort]) return m[uriPort];
- if (m[uriScheme]) {
- return schemePort[m[uriScheme]];
- }
-}
-
-function port(dst, src) {
- return url_wrapper(dst, src, extract_port);
-}
-
-function extract_query(value) {
- var m = split_url(value);
- if (m && m[uriQuery]) return m[uriQuery];
-}
-
-function query(dst, src) {
- return url_wrapper(dst, src, extract_query);
-}
-
-function extract_root(value) {
- var m = split_url(value);
- if (m && m[uriDomain] && m[uriDomain]) {
- var scheme = m[uriScheme] && m[uriScheme] !== "null"?
- m[uriScheme] + "://" : "";
- var port = m[uriPort]? ":" + m[uriPort] : "";
- return scheme + m[uriDomain] + port;
- }
-}
-
-function root(dst, src) {
- return url_wrapper(dst, src, extract_root);
-}
-
-function tagval(id, src, cfg, keys, on_success) {
- var fail = function(evt) {
- evt.Put(FLAG_FIELD, "tagval_parsing_error");
- }
- if (cfg.kv_separator.length !== 1) {
- throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)");
- }
- var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0?
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } -} - -var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, -}; - -var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, 
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, -}; - -function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } -} - -// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. -var maxSafeInt = Math.pow(2, 53) - 1; -var minSafeInt = -maxSafeInt; - -function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; -} - -function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); -} - -var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; -var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - -function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; -} - -function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; -} - -function to_double(value) { - return parseFloat(value); -} - -function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; -} - -function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; -} - -function fld_set(dst, value) { - dst[this.field] = { v: value }; -} - -function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } -} - -function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } -} - -var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true -}; - -function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } -} - -function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } -} - -function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); -} - -var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, -]; - -function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - tzOffset = 
evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} ZSCALERNSS: time=%{hfld2->} %{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hyear}^^timezone=%{timezone}^^%{payload}", processor_chain([ - setc("header_id","0001"), - setc("messageid","ZSCALERNSS_1"), -])); - -var select1 = linear_select([ - hdr1, -]); - -var part1 = match("MESSAGE#0:ZSCALERNSS_1", "nwparser.payload", "action=%{action}^^reason=%{result}^^hostname=%{hostname}^^protocol=%{protocol}^^serverip=%{daddr}^^url=%{url}^^urlcategory=%{filter}^^urlclass=%{info}^^dlpdictionaries=%{fld3}^^dlpengine=%{fld4}^^filetype=%{filetype}^^threatcategory=%{category}^^threatclass=%{vendor_event_cat}^^pagerisk=%{fld8}^^threatname=%{threat_name}^^clientpublicIP=%{fld9}^^ClientIP=%{saddr}^^location=%{fld11}^^refererURL=%{web_referer}^^useragent=%{user_agent}^^department=%{user_dept}^^user=%{username}^^event_id=%{id}^^clienttranstime=%{fld17}^^requestmethod=%{web_method}^^requestsize=%{sbytes}^^requestversion=%{fld20}^^status=%{resultcode}^^responsesize=%{rbytes}^^responseversion=%{fld23}^^transactionsize=%{bytes}", processor_chain([ - setc("eventcategory","1605000000"), - setf("fqdn","hostname"), - setf("msg","$MSG"), - date_time({ - dest: "event_time", - args: ["hmonth","hday","hyear","hhour","hmin","hsec"], - fmts: [ - [dB,dF,dW,dN,dU,dO], - ], - }), - lookup({ - dest: "nwparser.ec_activity", - map: map_getEventCategoryActivity, - key: field("action"), - }), - setc("ec_theme","Communication"), - setc("ec_subject","User"), -])); - -var msg1 = msg("ZSCALERNSS_1", part1); - -var chain1 = processor_chain([ - select1, - msgid_select({ - "ZSCALERNSS_1": msg1, - }), -]); diff --git a/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml b/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml deleted file mode 100644 index abf179e94b3..00000000000 --- a/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml +++ /dev/null 
@@ -1,88 +0,0 @@ ---- -description: Pipeline for Zscaler NSS - -processors: - # ECS event.ingested - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - # User agent - - user_agent: - field: user_agent.original - ignore_missing: - # URL - - uri_parts: - field: url.original - target_field: _temp_.url - ignore_failure: true - if: ctx?.url?.original != null - - script: - lang: painless - description: Updates the URL ECS fields from the results of the URI parts processor to not overwrite the RSA mappings - if: ctx?._temp_?.url != null - source: | - for (entry in ctx._temp_.url.entrySet()) { - if (entry != null && entry.getValue() != null) { - if(ctx.url[entry.getKey()] == null) { - ctx.url[entry.getKey()] = entry.getValue(); - } else if (!ctx.url[entry.getKey()].contains(entry.getValue())) { - ctx.url[entry.getKey()] = [ctx.url[entry.getKey()]]; - ctx.url[entry.getKey()].add(entry.getValue()); - } - } - } - - remove: - field: _temp_ - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: 
related.hosts - value: '{{host.name}}' - allow_duplicates: false - if: ctx.host?.name != null && ctx.host?.name != '' -on_failure: - - append: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/zscaler/zia/manifest.yml b/x-pack/filebeat/module/zscaler/zia/manifest.yml deleted file mode 100644 index b7d00ea2957..00000000000 --- a/x-pack/filebeat/module/zscaler/zia/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -module_version: "1.0" - -var: - - name: paths - - name: tags - default: ["zscaler.zia", "forwarded"] - - name: syslog_host - default: localhost - - name: syslog_port - default: 9538 - - name: input - default: udp - - name: community_id - default: true - - name: tz_offset - default: local - - name: rsa_fields - default: true - - name: keep_raw_fields - default: false - - name: debug - default: false - -ingest_pipeline: ingest/pipeline.yml -input: config/input.yml - -requires.processors: -- name: geoip - plugin: ingest-geoip -- name: user_agent - plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/zscaler/zia/test/generated.log b/x-pack/filebeat/module/zscaler/zia/test/generated.log deleted file mode 100644 index 328281d72ba..00000000000 --- a/x-pack/filebeat/module/zscaler/zia/test/generated.log +++ /dev/null 
@@ -1,100 +0,0 @@ -iusm ZSCALERNSS: time=modtempo Jan 29 6:09:59 2016^^timezone=GMT+02:00^^action=Blocked^^reason=failure^^hostname=rci737.www5.example^^protocol=tcp^^serverip=10.206.191.17^^url=https://api.example.com/ivelitse/ritin.htm?utl=vol#amremap^^urlcategory=oremi^^urlclass=ntsunti^^dlpdictionaries=nseq^^dlpengine=itinvol^^filetype=psa^^threatcategory=umq^^threatclass=ntium^^pagerisk=psaq^^threatname=cer^^clientpublicIP=reveri^^ClientIP=10.176.10.114^^location=lupt^^refererURL=https://internal.example.org/sequa/abo.gif?umqui=reeufugi#mdolo^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=sperna^^user=sumdo^^event_id=litesse^^clienttranstime=orev^^requestmethod=pisciv^^requestsize=1884^^requestversion=deF^^status=sist^^responsesize=1803^^responseversion=doeiu^^transactionsize=3942 -olupt ZSCALERNSS: time=volup Feb 12 1:12:33 2016^^timezone=CT^^action=Allowed^^reason=failure^^hostname=eosquir5191.www.example^^protocol=rdp^^serverip=10.173.22.152^^url=https://internal.example.net/isiutal/moenimi.jpg?gnaali=enatus#mquia^^urlcategory=ameaqu^^urlclass=aqu^^dlpdictionaries=utper^^dlpengine=squame^^filetype=ntex^^threatcategory=eius^^threatclass=luptat^^pagerisk=emape^^threatname=aer^^clientpublicIP=lupt^^ClientIP=10.26.46.95^^location=uame^^refererURL=https://www.example.net/orisn/cca.htm?ofdeF=metcons#roinBCS^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=com^^user=eataevi^^event_id=byC^^clienttranstime=tinculp^^requestmethod=tur^^requestsize=2977^^requestversion=equat^^status=atemsequ^^responsesize=2004^^responseversion=minim^^transactionsize=7868 -amco ZSCALERNSS: time=exe Feb 26 8:15:08 
2016^^timezone=CT^^action=Blocked^^reason=success^^hostname=orsitame3262.domain^^protocol=igmp^^serverip=10.204.86.149^^url=https://example.com/taspe/mvolu.gif?atcup=snos#iquaUte^^urlcategory=tconsec^^urlclass=nsequat^^dlpdictionaries=taev^^dlpengine=roidents^^filetype=oluptas^^threatcategory=llu^^threatclass=uptassi^^pagerisk=tamremap^^threatname=tur^^clientpublicIP=aperi^^ClientIP=10.254.146.57^^location=estqui^^refererURL=https://www5.example.net/emaper/ssitasp.html?enimad=rmagni#sit^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=onev^^user=tenima^^event_id=laboreet^^clienttranstime=aquaeabi^^requestmethod=giatq^^requestsize=2935^^requestversion=veleumi^^status=tia^^responsesize=1837^^responseversion=ude^^transactionsize=6905 -uian ZSCALERNSS: time=tempo Mar 12 3:17:42 2016^^timezone=PST^^action=Allowed^^reason=failure^^hostname=tempor4496.www.localdomain^^protocol=ipv6^^serverip=10.103.246.190^^url=https://api.example.org/doloreeu/pori.jpg?itati=mfu#uid^^urlcategory=atatnonp^^urlclass=uiano^^dlpdictionaries=mrema^^dlpengine=autfu^^filetype=natura^^threatcategory=aboris^^threatclass=ima^^pagerisk=tanimi^^threatname=nimadmin^^clientpublicIP=erep^^ClientIP=10.252.125.53^^location=ugiatqu^^refererURL=https://internal.example.net/Utenimad/nibusBon.html?emq=isiu#nimadmi^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ari^^user=equun^^event_id=suntinc^^clienttranstime=elits^^requestmethod=llam^^requestsize=3077^^requestversion=gelits^^status=tatevel^^responsesize=3856^^responseversion=uptatev^^transactionsize=4292 -dmi ZSCALERNSS: time=olab Mar 26 10:20:16 
2016^^timezone=GMT-07:00^^action=Blocked^^reason=unknown^^hostname=ore2933.www.test^^protocol=ipv6-icmp^^serverip=10.61.78.108^^url=https://api.example.com/ele/tenbyCic.gif?porainc=amquisno#iinea^^urlcategory=ipit^^urlclass=idexea^^dlpdictionaries=riat^^dlpengine=luptatem^^filetype=umdolor^^threatcategory=osquir^^threatclass=inim^^pagerisk=ema^^threatname=roinBCSe^^clientpublicIP=onse^^ClientIP=10.136.153.149^^location=animi^^refererURL=https://www5.example.org/ofdeF/tion.htm?emqu=lit#iam^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ciati^^user=ercit^^event_id=umdolore^^clienttranstime=eniam^^requestmethod=reetdolo^^requestsize=2451^^requestversion=onse^^status=rumet^^responsesize=5772^^responseversion=tatno^^transactionsize=6787 -llam ZSCALERNSS: time=aspern Apr 9 5:22:51 2016^^timezone=GMT-07:00^^action=Allowed^^reason=success^^hostname=ollit4105.mail.localdomain^^protocol=ipv6-icmp^^serverip=10.183.16.166^^url=https://mail.example.org/sitas/ehenderi.jpg?atquovo=iumto#aboreetd^^urlcategory=sun^^urlclass=essecill^^dlpdictionaries=Duisau^^dlpengine=psum^^filetype=eriame^^threatcategory=lorema^^threatclass=avol^^pagerisk=labor^^threatname=atuse^^clientpublicIP=ddoeiu^^ClientIP=10.66.250.92^^location=onse^^refererURL=https://example.com/metcon/smo.jpg?upta=omn#ipsumq^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=ons^^user=tessec^^event_id=remipsum^^clienttranstime=liq^^requestmethod=ist^^requestsize=571^^requestversion=caecatc^^status=onsequat^^responsesize=2984^^responseversion=edquiano^^transactionsize=6061 -ema ZSCALERNSS: time=par Apr 24 12:25:25 
2016^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=cup1793.local^^protocol=ipv6^^serverip=10.243.224.205^^url=https://mail.example.net/aborumSe/luptat.txt?antiumto=strude#ctetura^^urlcategory=usmod^^urlclass=edqui^^dlpdictionaries=mquidol^^dlpengine=ita^^filetype=ipi^^threatcategory=rsitamet^^threatclass=lupt^^pagerisk=xea^^threatname=qua^^clientpublicIP=luptatev^^ClientIP=10.123.104.59^^location=uisquam^^refererURL=https://api.example.com/loremq/lores.txt?iqui=etc#etM^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=eprehen^^user=xercitat^^event_id=lpa^^clienttranstime=entsu^^requestmethod=dun^^requestsize=941^^requestversion=aliq^^status=rsitam^^responsesize=2053^^responseversion=imaven^^transactionsize=152 -tema ZSCALERNSS: time=ritatis May 8 7:27:59 2016^^timezone=GMT+02:00^^action=Blocked^^reason=unknown^^hostname=icab4668.local^^protocol=udp^^serverip=10.119.185.63^^url=https://www5.example.net/ntutla/equa.jpg?civeli=errorsi#des^^urlcategory=rehe^^urlclass=ume^^dlpdictionaries=incidi^^dlpengine=picia^^filetype=mUtenima^^threatcategory=emaperi^^threatclass=tame^^pagerisk=tinvol^^threatname=tectobe^^clientpublicIP=colabor^^ClientIP=10.74.17.5^^location=untut^^refererURL=https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu^^useragent=Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80^^department=itecto^^user=erc^^event_id=amqu^^clienttranstime=uines^^requestmethod=nsec^^requestsize=6907^^requestversion=estqu^^status=inibusBo^^responsesize=6888^^responseversion=ostrume^^transactionsize=6051 -upt ZSCALERNSS: time=uiineavo May 22 2:30:33 
2016^^timezone=CET^^action=Allowed^^reason=unknown^^hostname=aperia4409.www5.invalid^^protocol=rdp^^serverip=10.78.151.178^^url=https://api.example.net/atvol/umiur.txt?tati=utaliqu#oriosamn^^urlcategory=deFinibu^^urlclass=iadese^^dlpdictionaries=imidest^^dlpengine=emagnama^^filetype=eprehend^^threatcategory=hil^^threatclass=atquovo^^pagerisk=suntinc^^threatname=xeac^^clientpublicIP=nidolo^^ClientIP=10.25.192.202^^location=intoccae^^refererURL=https://www.example.net/pida/nse.html?emeumfu=CSed#lupt^^useragent=Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ecillu^^user=quip^^event_id=mporain^^clienttranstime=icons^^requestmethod=amvolup^^requestsize=7700^^requestversion=temveleu^^status=colabo^^responsesize=6354^^responseversion=orinrepr^^transactionsize=6578 -rumetM ZSCALERNSS: time=equi Jun 5 9:33:08 2016^^timezone=GMT+02:00^^action=Allowed^^reason=success^^hostname=sitvolup368.internal.host^^protocol=igmp^^serverip=10.71.170.37^^url=https://mail.example.net/equep/iavolu.gif?aqu=rpo#uipe^^urlcategory=inesci^^urlclass=serror^^dlpdictionaries=aliqu^^dlpengine=olupta^^filetype=mipsumd^^threatcategory=eFinib^^threatclass=ihilm^^pagerisk=atDu^^threatname=eav^^clientpublicIP=ionevo^^ClientIP=10.135.225.244^^location=orev^^refererURL=https://api.example.net/quirat/llu.jpg?isc=aturve#emulla^^useragent=Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=atiset^^user=atu^^event_id=umexerci^^clienttranstime=ern^^requestmethod=psaquae^^requestsize=7355^^requestversion=nsectet^^status=utla^^responsesize=5269^^responseversion=sci^^transactionsize=2526 -tlabori ZSCALERNSS: time=oin Jun 20 4:35:42 
2016^^timezone=ET^^action=Allowed^^reason=success^^hostname=ite2026.www.invalid^^protocol=udp^^serverip=10.223.247.86^^url=https://example.org/bor/occa.htm?dol=leumiu#namali^^urlcategory=taevit^^urlclass=rinrepre^^dlpdictionaries=etconse^^dlpengine=tincu^^filetype=ari^^threatcategory=exercit^^threatclass=sci^^pagerisk=quamnih^^threatname=oluptate^^clientpublicIP=onseq^^ClientIP=10.19.145.131^^location=texp^^refererURL=https://internal.example.net/acc/amc.txt?amest=corp#modtemp^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=oluptas^^user=tNequepo^^event_id=lup^^clienttranstime=nula^^requestmethod=emseq^^requestsize=821^^requestversion=ento^^status=pic^^responsesize=752^^responseversion=eriamea^^transactionsize=7741 -rsita ZSCALERNSS: time=niamqui Jul 4 11:38:16 2016^^timezone=GMT-07:00^^action=Allowed^^reason=failure^^hostname=radipisc7020.home^^protocol=ipv6^^serverip=10.2.53.125^^url=https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos^^urlcategory=pariatu^^urlclass=tin^^dlpdictionaries=tenima^^dlpengine=tsedqu^^filetype=agnid^^threatcategory=proide^^threatclass=dolorem^^pagerisk=tlab^^threatname=volupt^^clientpublicIP=osqui^^ClientIP=10.181.80.139^^location=hitecto^^refererURL=https://www.example.net/liquide/etdol.jpg?uun=sequine#ectio^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36^^department=aboN^^user=ihilmo^^event_id=radi^^clienttranstime=gel^^requestmethod=lorsitam^^requestsize=6408^^requestversion=veniam^^status=ris^^responsesize=3314^^responseversion=ulapa^^transactionsize=7298 -quioffi ZSCALERNSS: time=uptate Jul 18 6:40:50 
2016^^timezone=ET^^action=Allowed^^reason=unknown^^hostname=uamei2493.www.test^^protocol=tcp^^serverip=10.31.240.6^^url=https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn^^urlcategory=isnisiu^^urlclass=bore^^dlpdictionaries=tsu^^dlpengine=tcons^^filetype=sciun^^threatcategory=sBono^^threatclass=catc^^pagerisk=nsect^^threatname=idata^^clientpublicIP=rumwritt^^ClientIP=10.167.98.76^^location=dol^^refererURL=https://api.example.org/citation/tisetq.html?Utenimad=orpor#tlabo^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=gnido^^user=ratvolu^^event_id=olup^^clienttranstime=numqua^^requestmethod=veni^^requestsize=3140^^requestversion=abo^^status=veniamqu^^responsesize=2742^^responseversion=aliquide^^transactionsize=3073 -equat ZSCALERNSS: time=derit Aug 2 1:43:25 2016^^timezone=PT^^action=Allowed^^reason=success^^hostname=piscin6866.internal.host^^protocol=udp^^serverip=10.0.55.9^^url=https://www.example.org/eporr/xeacomm.html?aturQui=utlabor#rau^^urlcategory=idex^^urlclass=mfugiat^^dlpdictionaries=nisiuta^^dlpengine=tvolu^^filetype=ecte^^threatcategory=tinvolu^^threatclass=iurer^^pagerisk=iciadese^^threatname=quidolor^^clientpublicIP=tessec^^ClientIP=10.135.160.125^^location=mve^^refererURL=https://internal.example.com/uisau/eleum.htm?nre=ercitat#inim^^useragent=Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36^^department=Utenima^^user=volupta^^event_id=rcitati^^clienttranstime=eni^^requestmethod=ionevo^^requestsize=3616^^requestversion=Ute^^status=sperna^^responsesize=5368^^responseversion=mnisi^^transactionsize=509 -tDuisaut ZSCALERNSS: time=oinBC Aug 16 8:45:59 
2016^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=spi3544.www.host^^protocol=ggp^^serverip=10.63.250.128^^url=https://internal.example.net/ptatemq/luptatev.html?Nequepo=ipsumd#ntocc^^urlcategory=uteirure^^urlclass=nevo^^dlpdictionaries=ide^^dlpengine=aali^^filetype=adip^^threatcategory=tium^^threatclass=nnum^^pagerisk=tenbyCi^^threatname=ate^^clientpublicIP=uiac^^ClientIP=10.111.187.12^^location=itam^^refererURL=https://www.example.org/santiumd/turadip.gif?niamqui=orem#sno^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=tev^^user=saute^^event_id=ntocca^^clienttranstime=ostru^^requestmethod=ntoccae^^requestsize=1705^^requestversion=rrorsi^^status=temquiav^^responsesize=6027^^responseversion=sec^^transactionsize=1927 -sBon ZSCALERNSS: time=orro Aug 30 3:48:33 2016^^timezone=PST^^action=Allowed^^reason=unknown^^hostname=tlab5981.www.host^^protocol=igmp^^serverip=10.5.126.127^^url=https://www5.example.com/tateve/itinvol.txt?tenatus=cipitlab#ipsumd^^urlcategory=antiu^^urlclass=uirati^^dlpdictionaries=oin^^dlpengine=exe^^filetype=imadmini^^threatcategory=sauteiru^^threatclass=mod^^pagerisk=hilm^^threatname=ataevi^^clientpublicIP=com^^ClientIP=10.252.124.150^^location=trud^^refererURL=https://mail.example.org/litessec/itas.htm?uidol=mporin#mwrit^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=roid^^user=inibusB^^event_id=eprehen^^clienttranstime=entor^^requestmethod=xeacomm^^requestsize=1940^^requestversion=utp^^status=ema^^responsesize=1394^^responseversion=itessequ^^transactionsize=7688 -ine ZSCALERNSS: time=lup Sep 13 10:51:07 
2016^^timezone=CT^^action=Blocked^^reason=success^^hostname=upida508.example^^protocol=tcp^^serverip=10.201.171.120^^url=https://api.example.net/tquiin/tse.jpg?ovol=ptasn#taedicta^^urlcategory=itam^^urlclass=str^^dlpdictionaries=idolore^^dlpengine=pid^^filetype=illoin^^threatcategory=tanimid^^threatclass=umdo^^pagerisk=natuse^^threatname=gnamal^^clientpublicIP=metMalo^^ClientIP=10.91.126.231^^location=reprehen^^refererURL=https://example.net/psumquia/ven.html?siutali=amnih#ium^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=tau^^user=exercita^^event_id=ris^^clienttranstime=eumiu^^requestmethod=orumSe^^requestsize=728^^requestversion=isnost^^status=queips^^responsesize=248^^responseversion=itess^^transactionsize=52 -ofdeFini ZSCALERNSS: time=irat Sep 28 5:53:42 2016^^timezone=GMT+02:00^^action=Allowed^^reason=unknown^^hostname=oditem5255.api.localdomain^^protocol=tcp^^serverip=10.135.82.97^^url=https://mail.example.org/olor/ineavo.gif?mquelau=iadolor#amcol^^urlcategory=adeser^^urlclass=oin^^dlpdictionaries=mvenia^^dlpengine=madminim^^filetype=fugitsed^^threatcategory=quam^^threatclass=quid^^pagerisk=fugiat^^threatname=atisun^^clientpublicIP=esci^^ClientIP=10.107.251.87^^location=fugi^^refererURL=https://www.example.net/iduntu/idestlab.htm?avol=icero#xer^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=nturma^^user=str^^event_id=iat^^clienttranstime=etur^^requestmethod=itecto^^requestsize=1300^^requestversion=borios^^status=tut^^responsesize=2703^^responseversion=umqu^^transactionsize=301 -adipisc ZSCALERNSS: time=uscipitl Oct 12 12:56:16 
2016^^timezone=PST^^action=Blocked^^reason=unknown^^hostname=uamei2389.internal.example^^protocol=ipv6-icmp^^serverip=10.31.198.58^^url=https://www.example.com/its/ender.gif?oles=edic#seq^^urlcategory=tutlab^^urlclass=sau^^dlpdictionaries=atevelit^^dlpengine=meius^^filetype=billo^^threatcategory=labo^^threatclass=oNemoeni^^pagerisk=ttenby^^threatname=boris^^clientpublicIP=stenatu^^ClientIP=10.215.205.216^^location=ratv^^refererURL=https://www.example.net/ianon/tsed.htm?ameiusm=proide#ano^^useragent=Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=boreetdo^^user=aturve^^event_id=ditemp^^clienttranstime=edqui^^requestmethod=nre^^requestsize=7231^^requestversion=sit^^status=olab^^responsesize=100^^responseversion=elitse^^transactionsize=6672 -quasia ZSCALERNSS: time=adi Oct 26 7:58:50 2016^^timezone=PST^^action=Allowed^^reason=failure^^hostname=eacommod1930.internal.lan^^protocol=igmp^^serverip=10.29.155.171^^url=https://www5.example.org/oeni/tdol.gif?llamco=nea#psum^^urlcategory=tasnulap^^urlclass=orsit^^dlpdictionaries=asiar^^dlpengine=ise^^filetype=itau^^threatcategory=apariat^^threatclass=vitaedi^^pagerisk=lorsita^^threatname=dolore^^clientpublicIP=uptate^^ClientIP=10.229.83.165^^location=ugiat^^refererURL=https://internal.example.com/ate/odoconse.jpg?quatu=veli#tenim^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=labo^^user=ulapar^^event_id=aboreetd^^clienttranstime=hilm^^requestmethod=llitanim^^requestsize=5047^^requestversion=pitl^^status=por^^responsesize=7205^^responseversion=ama^^transactionsize=332 -adminimv ZSCALERNSS: time=odi Nov 10 3:01:24 
2016^^timezone=GMT-07:00^^action=Blocked^^reason=success^^hostname=tem6984.www5.domain^^protocol=ipv6^^serverip=10.129.192.145^^url=https://www.example.com/uasiar/utlab.htm?loremqu=dantium#lor^^urlcategory=velillu^^urlclass=cteturad^^dlpdictionaries=bor^^dlpengine=rauto^^filetype=ationev^^threatcategory=umdolor^^threatclass=uaUten^^pagerisk=nby^^threatname=mve^^clientpublicIP=osqui^^ClientIP=10.161.148.64^^location=ibusBon^^refererURL=https://example.com/rQu/mco.jpg?dun=reprehe#tincu^^useragent=Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36^^department=dex^^user=lor^^event_id=oraincid^^clienttranstime=intocc^^requestmethod=amcorp^^requestsize=1275^^requestversion=ssecillu^^status=liqua^^responsesize=6498^^responseversion=utodita^^transactionsize=4014 -fdeF ZSCALERNSS: time=iquidexe Nov 24 10:03:59 2016^^timezone=CEST^^action=Allowed^^reason=failure^^hostname=lapariat7287.internal.host^^protocol=ggp^^serverip=10.7.200.140^^url=https://api.example.org/icabo/gna.html?urerepr=eseru#quamest^^urlcategory=mac^^urlclass=qui^^dlpdictionaries=ritin^^dlpengine=temporin^^filetype=equatur^^threatcategory=adeseru^^threatclass=tdol^^pagerisk=upt^^threatname=mex^^clientpublicIP=tatem^^ClientIP=10.203.65.161^^location=eveli^^refererURL=https://internal.example.com/oremq/dicta.htm?imide=poriss#tvolup^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=siu^^user=snost^^event_id=tpersp^^clienttranstime=llamc^^requestmethod=nte^^requestsize=3571^^requestversion=utali^^status=porinc^^responsesize=6392^^responseversion=mvolu^^transactionsize=1664 -ipi ZSCALERNSS: time=imveniam Dec 8 5:06:33 
2016^^timezone=GMT-07:00^^action=Blocked^^reason=unknown^^hostname=licabo1493.api.corp^^protocol=icmp^^serverip=10.86.22.67^^url=https://api.example.org/oremi/elites.html?iosa=boNemoe#onsequ^^urlcategory=equinesc^^urlclass=cab^^dlpdictionaries=atisund^^dlpengine=xea^^filetype=ites^^threatcategory=isetq^^threatclass=iutali^^pagerisk=velite^^threatname=teturad^^clientpublicIP=perspici^^ClientIP=10.218.98.29^^location=iconseq^^refererURL=https://www5.example.org/atisetqu/issuscip.jpg?dipisci=spernatu#admi^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=quunt^^user=olori^^event_id=mquae^^clienttranstime=eriti^^requestmethod=atcupi^^requestsize=2332^^requestversion=plica^^status=ore^^responsesize=7595^^responseversion=emqu^^transactionsize=2846 -acommod ZSCALERNSS: time=itsedd Dec 23 12:09:07 2016^^timezone=CT^^action=Allowed^^reason=success^^hostname=stenatu4844.www.invalid^^protocol=rdp^^serverip=10.39.31.115^^url=https://example.com/luptatem/uaeratv.gif?dat=periam#dqu^^urlcategory=pid^^urlclass=rExc^^dlpdictionaries=iusmo^^dlpengine=tame^^filetype=naaliq^^threatcategory=nte^^threatclass=ulpa^^pagerisk=sitam^^threatname=rad^^clientpublicIP=loi^^ClientIP=10.24.111.229^^location=volupt^^refererURL=https://example.net/idid/tesse.txt?boru=ptateve#enderi^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36^^department=toccaec^^user=fugi^^event_id=labo^^clienttranstime=nostrud^^requestmethod=gnaal^^requestsize=7224^^requestversion=proident^^status=maliquam^^responsesize=2147^^responseversion=atione^^transactionsize=5702 -ritati ZSCALERNSS: time=orisni Jan 6 7:11:41 
2017^^timezone=PST^^action=Blocked^^reason=failure^^hostname=sitam5077.internal.host^^protocol=igmp^^serverip=10.179.210.218^^url=https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo^^urlcategory=oluptas^^urlclass=emvele^^dlpdictionaries=isnost^^dlpengine=olorem^^filetype=ido^^threatcategory=emqu^^threatclass=riss^^pagerisk=iquamqua^^threatname=sit^^clientpublicIP=rumSect^^ClientIP=10.32.39.220^^location=aliq^^refererURL=https://example.net/mven/olorsit.gif?oremag=illu#ruredo^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]^^department=tatevel^^user=boreetdo^^event_id=undeom^^clienttranstime=uamnihi^^requestmethod=risnis^^requestsize=1140^^requestversion=scingeli^^status=isn^^responsesize=4814^^responseversion=omm^^transactionsize=696 -quunt ZSCALERNSS: time=numquam Jan 20 2:14:16 2017^^timezone=CT^^action=Blocked^^reason=failure^^hostname=dquia107.www.test^^protocol=ipv6^^serverip=10.128.173.19^^url=https://api.example.com/ori/tconsect.html?ercit=eporroq#ulla^^urlcategory=iqu^^urlclass=oin^^dlpdictionaries=hil^^dlpengine=cingel^^filetype=modocon^^threatcategory=ipsu^^threatclass=ntNeq^^pagerisk=tate^^threatname=urExce^^clientpublicIP=asi^^ClientIP=10.88.172.34^^location=atv^^refererURL=https://example.org/liquaUte/alorum.txt?ria=atDu#nsec^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=maperi^^user=agnaaliq^^event_id=tlaboree^^clienttranstime=norumet^^requestmethod=dtempo^^requestsize=7680^^requestversion=col^^status=mve^^responsesize=3916^^responseversion=tinvolup^^transactionsize=2365 -inv ZSCALERNSS: time=rroq Feb 3 9:16:50 
2017^^timezone=CT^^action=Allowed^^reason=unknown^^hostname=lloin4019.www.localhost^^protocol=igmp^^serverip=10.130.241.232^^url=https://api.example.org/rure/asiarchi.txt?loremeu=aturve#utfug^^urlcategory=aturQu^^urlclass=aaliq^^dlpdictionaries=mipsamvo^^dlpengine=eiusmod^^filetype=emoe^^threatcategory=uiinea^^threatclass=mnisiut^^pagerisk=avolu^^threatname=Except^^clientpublicIP=olup^^ClientIP=10.238.224.49^^location=asper^^refererURL=https://example.net/naal/equun.gif?mve=uia#iciad^^useragent=Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=mad^^user=onse^^event_id=redol^^clienttranstime=gnaa^^requestmethod=mod^^requestsize=5107^^requestversion=dtempori^^status=toditaut^^responsesize=7889^^responseversion=dexerc^^transactionsize=2302 -eprehend ZSCALERNSS: time=asnu Feb 18 4:19:24 2017^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=tamet6317.www.host^^protocol=igmp^^serverip=10.115.53.31^^url=https://example.com/emUte/molestia.htm?orroqu=elitsed#labore^^urlcategory=uela^^urlclass=ntexplic^^dlpdictionaries=uto^^dlpengine=iuntNequ^^filetype=esseq^^threatcategory=aincidun^^threatclass=quatD^^pagerisk=isqua^^threatname=uta^^clientpublicIP=emo^^ClientIP=10.2.67.127^^location=licaboN^^refererURL=https://mail.example.org/cupi/strude.htm?dunt=litsedq#nderiti^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=mdolore^^user=Cic^^event_id=olorema^^clienttranstime=mollita^^requestmethod=tatem^^requestsize=6156^^requestversion=aeab^^status=teur^^responsesize=609^^responseversion=inBC^^transactionsize=2622 -tur ZSCALERNSS: time=ictas Mar 4 11:21:59 
2017^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=saquaea6344.www.invalid^^protocol=igmp^^serverip=10.204.214.251^^url=https://mail.example.net/repreh/plic.jpg?utlabo=tetur#tionula^^urlcategory=ritqu^^urlclass=ecatcupi^^dlpdictionaries=uamei^^dlpengine=undeomni^^filetype=tas^^threatcategory=autfugi^^threatclass=tasun^^pagerisk=duntutla^^threatname=ntium^^clientpublicIP=iration^^ClientIP=10.101.38.213^^location=orisni^^refererURL=https://example.org/modoc/boNem.gif?ssusci=animid#mpo^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=atuse^^user=ueipsa^^event_id=scipitl^^clienttranstime=eumi^^requestmethod=quasiarc^^requestsize=3487^^requestversion=leumiur^^status=tetura^^responsesize=5328^^responseversion=offici^^transactionsize=501 -roquisqu ZSCALERNSS: time=edolorin Mar 18 6:24:33 2017^^timezone=GMT+02:00^^action=Allowed^^reason=failure^^hostname=utaliqu4248.www.localhost^^protocol=igmp^^serverip=10.18.226.72^^url=https://api.example.com/tcu/iatqu.jpg?quovo=urExcep#ema^^urlcategory=suntex^^urlclass=iacons^^dlpdictionaries=occaec^^dlpengine=acommodi^^filetype=essecill^^threatcategory=billoi^^threatclass=moles^^pagerisk=dipiscin^^threatname=olup^^clientpublicIP=aco^^ClientIP=10.101.85.169^^location=natu^^refererURL=https://internal.example.net/enim/Finibus.htm?mporainc=xea#taed^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=billo^^user=rroqu^^event_id=dquiaco^^clienttranstime=nibus^^requestmethod=vitaed^^requestsize=2352^^requestversion=ptasnula^^status=oru^^responsesize=2118^^responseversion=upt^^transactionsize=7879 -eprehend ZSCALERNSS: time=rem Apr 2 1:27:07 
2017^^timezone=GMT-07:00^^action=Allowed^^reason=unknown^^hostname=mdolore473.internal.test^^protocol=igmp^^serverip=10.87.100.240^^url=https://www5.example.com/apariatu/lorsita.gif?msequ=uat#lupta^^urlcategory=npr^^urlclass=etconsec^^dlpdictionaries=caboNem^^dlpengine=urExcept^^filetype=rumetMal^^threatcategory=oconse^^threatclass=mag^^pagerisk=tob^^threatname=dolores^^clientpublicIP=equamnih^^ClientIP=10.242.182.193^^location=itempo^^refererURL=https://mail.example.com/redol/ecillum.html?radipis=ctetu#orinrep^^useragent=Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=nder^^user=stenatus^^event_id=equep^^clienttranstime=ever^^requestmethod=tali^^requestsize=2124^^requestversion=erspi^^status=iqu^^responsesize=7509^^responseversion=incidid^^transactionsize=2617 -autemv ZSCALERNSS: time=emq Apr 16 8:29:41 2017^^timezone=GMT-07:00^^action=Blocked^^reason=failure^^hostname=tatio6513.www.invalid^^protocol=rdp^^serverip=10.229.242.223^^url=https://internal.example.net/ende/abor.jpg?riameaqu=ame#tesseq^^urlcategory=niam^^urlclass=pernat^^dlpdictionaries=rerepre^^dlpengine=nculpaq^^filetype=culpaqui^^threatcategory=tvolup^^threatclass=tdolore^^pagerisk=ventore^^threatname=red^^clientpublicIP=sinto^^ClientIP=10.80.57.247^^location=est^^refererURL=https://api.example.net/aev/inrepr.gif?iadese=nisiu#imad^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=ptatem^^user=itasp^^event_id=dexe^^clienttranstime=tat^^requestmethod=onproide^^requestsize=2737^^requestversion=cillumd^^status=riosa^^responsesize=204^^responseversion=aspernat^^transactionsize=2460 -caecat ZSCALERNSS: time=rautod Apr 30 3:32:16 
2017^^timezone=PT^^action=Allowed^^reason=failure^^hostname=lapar1599.www.lan^^protocol=ipv6^^serverip=10.193.66.155^^url=https://example.com/ame/amvolu.txt?equaturv=lamc#mvolupta^^urlcategory=Utenima^^urlclass=iqua^^dlpdictionaries=luptat^^dlpengine=deriti^^filetype=sintocc^^threatcategory=cididu^^threatclass=uteir^^pagerisk=boree^^threatname=isn^^clientpublicIP=ulla^^ClientIP=10.106.77.138^^location=aconse^^refererURL=https://mail.example.net/tnonproi/squira.html?itation=veleum#piciatis^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=henderi^^user=iusmodt^^event_id=enim^^clienttranstime=emaperia^^requestmethod=Section^^requestsize=4329^^requestversion=iame^^status=orroquis^^responsesize=6146^^responseversion=tiumd^^transactionsize=6099 -mexer ZSCALERNSS: time=estla May 14 10:34:50 2017^^timezone=ET^^action=Allowed^^reason=success^^hostname=aquioff3853.www.localdomain^^protocol=udp^^serverip=10.236.230.136^^url=https://mail.example.org/uisnostr/reetdol.txt?ugi=niamquis#nisi^^urlcategory=emveleum^^urlclass=olup^^dlpdictionaries=nde^^dlpengine=abillo^^filetype=undeom^^threatcategory=emullamc^^threatclass=tec^^pagerisk=Nemo^^threatname=tutlabo^^clientpublicIP=mveleum^^ClientIP=10.54.159.1^^location=sBonorum^^refererURL=https://mail.example.net/quira/tassita.gif?oremi=ugitsedq#turmag^^useragent=Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=asnulapa^^user=mUteni^^event_id=quira^^clienttranstime=rror^^requestmethod=tatema^^requestsize=2446^^requestversion=loinve^^status=tatevel^^responsesize=3862^^responseversion=equu^^transactionsize=5373 -atae ZSCALERNSS: time=tetura May 29 5:37:24 
2017^^timezone=OMST^^action=Allowed^^reason=success^^hostname=ura675.mail.localdomain^^protocol=ggp^^serverip=10.49.242.174^^url=https://api.example.com/radipis/cive.gif?orumSec=nisiuta#stiaecon^^urlcategory=dol^^urlclass=sumquiad^^dlpdictionaries=setquas^^dlpengine=minim^^filetype=oeni^^threatcategory=untutlab^^threatclass=tvolup^^pagerisk=consecte^^threatname=pteurs^^clientpublicIP=catcupi^^ClientIP=10.131.246.134^^location=tiaecon^^refererURL=https://api.example.com/amquisno/uido.gif?queporro=uid#snostrum^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=aconsequ^^user=umdolo^^event_id=rroqui^^clienttranstime=ursin^^requestmethod=utemvel^^requestsize=5325^^requestversion=atu^^status=iusm^^responsesize=4968^^responseversion=laudanti^^transactionsize=16 -rere ZSCALERNSS: time=cta Jun 12 12:39:58 2017^^timezone=CT^^action=Blocked^^reason=unknown^^hostname=iamea478.www5.host^^protocol=ipv6-icmp^^serverip=10.142.120.198^^url=https://mail.example.org/oin/itseddoe.html?citati=uamei#eursinto^^urlcategory=litesse^^urlclass=fugiatn^^dlpdictionaries=uaeabi^^dlpengine=aaliq^^filetype=nat^^threatcategory=uovolupt^^threatclass=ende^^pagerisk=orumSe^^threatname=dolor^^clientpublicIP=isiut^^ClientIP=10.166.10.42^^location=emulla^^refererURL=https://www.example.com/itae/dtempo.html?etMaloru=lmo#iquidex^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=uamqu^^user=olori^^event_id=ido^^clienttranstime=mcorpor^^requestmethod=doconse^^requestsize=2522^^requestversion=emUte^^status=iusmodi^^responsesize=1046^^responseversion=tura^^transactionsize=6695 -equat ZSCALERNSS: time=aliquid Jun 26 7:42:33 
2017^^timezone=GMT+02:00^^action=Allowed^^reason=unknown^^hostname=eaque6543.api.domain^^protocol=udp^^serverip=10.138.188.201^^url=https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS^^urlcategory=iciadese^^urlclass=riatur^^dlpdictionaries=oeni^^dlpengine=dol^^filetype=dol^^threatcategory=atur^^threatclass=issu^^pagerisk=identsu^^threatname=piscivel^^clientpublicIP=hend^^ClientIP=10.128.184.241^^location=aer^^refererURL=https://api.example.net/umd/sciveli.htm?tur=acon#Nemoenim^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=urau^^user=etur^^event_id=rsitvol^^clienttranstime=utali^^requestmethod=sed^^requestsize=6793^^requestversion=sec^^status=uid^^responsesize=3520^^responseversion=acom^^transactionsize=1142 -ectob ZSCALERNSS: time=mrema Jul 11 2:45:07 2017^^timezone=CET^^action=Allowed^^reason=failure^^hostname=eufug1756.mail.corp^^protocol=ggp^^serverip=10.53.101.131^^url=https://example.net/snulap/enimadm.html?writte=sitvo#ine^^urlcategory=urerepre^^urlclass=asnulap^^dlpdictionaries=ipi^^dlpengine=idolorem^^filetype=exerci^^threatcategory=idata^^threatclass=ese^^pagerisk=mmodoco^^threatname=amni^^clientpublicIP=atnul^^ClientIP=10.213.57.165^^location=illumq^^refererURL=https://www5.example.org/ite/tasnul.txt?evitae=amvo#tnul^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ectetura^^user=isau^^event_id=itinvol^^clienttranstime=ten^^requestmethod=litanim^^requestsize=2135^^requestversion=orsitam^^status=modico^^responsesize=2990^^responseversion=itatio^^transactionsize=6735 -riame ZSCALERNSS: time=riat Jul 25 9:47:41 
2017^^timezone=GMT+02:00^^action=Blocked^^reason=unknown^^hostname=orp5697.www.invalid^^protocol=ggp^^serverip=10.243.6.41^^url=https://internal.example.org/etcon/onsequu.gif?Bonoru=madminim#ents^^urlcategory=emacc^^urlclass=emp^^dlpdictionaries=lamcola^^dlpengine=veli^^filetype=venia^^threatcategory=risni^^threatclass=idolores^^pagerisk=paria^^threatname=mmod^^clientpublicIP=iti^^ClientIP=10.55.81.14^^location=lorsitam^^refererURL=https://api.example.org/onpr/litseddo.gif?oremqu=idex#radip^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=tenim^^user=eiusmo^^event_id=ainc^^clienttranstime=miurerep^^requestmethod=lestia^^requestsize=3606^^requestversion=iduntu^^status=pisci^^responsesize=3601^^responseversion=nostrud^^transactionsize=203 -ore ZSCALERNSS: time=esse Aug 8 4:50:15 2017^^timezone=PST^^action=Blocked^^reason=success^^hostname=pariatur7238.www5.invalid^^protocol=tcp^^serverip=10.33.144.10^^url=https://www.example.org/rur/itse.gif?pisciv=fugiatqu#seos^^urlcategory=exercita^^urlclass=edolori^^dlpdictionaries=eve^^dlpengine=tco^^filetype=tvol^^threatcategory=oluptate^^threatclass=lit^^pagerisk=santi^^threatname=ritati^^clientpublicIP=iciade^^ClientIP=10.202.224.79^^location=idolo^^refererURL=https://example.com/ptassita/caecatcu.txt?eturadip=olorsi#itseddo^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=seos^^user=rios^^event_id=labo^^clienttranstime=lpaquiof^^requestmethod=quu^^requestsize=2203^^requestversion=ntexpl^^status=abor^^responsesize=4241^^responseversion=enbyCi^^transactionsize=3813 -tat ZSCALERNSS: time=eufugia Aug 22 11:52:50 
2017^^timezone=GMT-07:00^^action=Allowed^^reason=failure^^hostname=fficia2304.www5.home^^protocol=icmp^^serverip=10.158.18.51^^url=https://mail.example.com/qui/equeporr.jpg?itsedd=texpli#liquipex^^urlcategory=uisnos^^urlclass=quamqua^^dlpdictionaries=ntut^^dlpengine=mag^^filetype=meum^^threatcategory=mini^^threatclass=Loremip^^pagerisk=oreeu^^threatname=nvo^^clientpublicIP=iamqui^^ClientIP=10.20.124.138^^location=aqui^^refererURL=https://www.example.net/lpa/isn.htm?iat=ffic#siuta^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=aparia^^user=CSe^^event_id=exerci^^clienttranstime=inesciu^^requestmethod=quid^^requestsize=5452^^requestversion=emu^^status=orem^^responsesize=6317^^responseversion=ate^^transactionsize=4386 -tqu ZSCALERNSS: time=eirur Sep 6 6:55:24 2017^^timezone=CT^^action=Allowed^^reason=unknown^^hostname=mquisnos7453.home^^protocol=igmp^^serverip=10.134.128.27^^url=https://api.example.net/lup/iumtotam.html?ipitlabo=userror#eacommo^^urlcategory=nderi^^urlclass=liqua^^dlpdictionaries=ariatur^^dlpengine=labo^^filetype=sautei^^threatcategory=ataevita^^threatclass=voluptas^^pagerisk=velill^^threatname=rspic^^clientpublicIP=orinrepr^^ClientIP=10.118.177.136^^location=borumSec^^refererURL=https://www5.example.org/snisiut/siar.txt?inB=orp#ender^^useragent=Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=rumSecti^^user=Utenima^^event_id=olore^^clienttranstime=orumS^^requestmethod=olor^^requestsize=6908^^requestversion=eursint^^status=orio^^responsesize=1044^^responseversion=iameaqu^^transactionsize=2429 -olu ZSCALERNSS: time=iameaque Sep 20 1:57:58 
2017^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=aquio748.www.localhost^^protocol=igmp^^serverip=10.68.8.143^^url=https://example.org/onproide/uamnih.htm?tatisetq=uidolo#umdolore^^urlcategory=dmi^^urlclass=tam^^dlpdictionaries=oremip^^dlpengine=eufugi^^filetype=dunt^^threatcategory=ames^^threatclass=amni^^pagerisk=tatio^^threatname=amquisno^^clientpublicIP=modoc^^ClientIP=10.125.120.97^^location=uid^^refererURL=https://internal.example.com/onev/orsi.txt?oreseo=reprehen#itamet^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=idolo^^user=reet^^event_id=lorem^^clienttranstime=texplic^^requestmethod=edutp^^requestsize=911^^requestversion=assi^^status=eserun^^responsesize=3034^^responseversion=eniamqu^^transactionsize=1185 -tatevel ZSCALERNSS: time=midestl Oct 4 9:00:32 2017^^timezone=PST^^action=Blocked^^reason=unknown^^hostname=remagnam796.mail.corp^^protocol=rdp^^serverip=10.143.0.78^^url=https://www5.example.org/obeataev/umf.htm?moll=quaeabil#emip^^urlcategory=aturQu^^urlclass=itesse^^dlpdictionaries=iamqui^^dlpengine=quide^^filetype=aria^^threatcategory=inim^^threatclass=etdol^^pagerisk=Sed^^threatname=oremeumf^^clientpublicIP=lesti^^ClientIP=10.137.164.122^^location=enima^^refererURL=https://www5.example.net/ico/giatquo.htm?evi=tionula#accus^^useragent=Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=amnihil^^user=orissus^^event_id=atems^^clienttranstime=nimaveni^^requestmethod=mwrit^^requestsize=2923^^requestversion=itse^^status=officiad^^responsesize=4982^^responseversion=nimadmin^^transactionsize=5577 -quiavolu ZSCALERNSS: time=upta Oct 19 4:03:07 
2017^^timezone=OMST^^action=Blocked^^reason=failure^^hostname=etdolore4227.internal.corp^^protocol=icmp^^serverip=10.30.87.51^^url=https://mail.example.org/consequa/eaqueip.gif?aevitaed=byCic#leumiur^^urlcategory=ptatemse^^urlclass=siarc^^dlpdictionaries=fdeFin^^dlpengine=eleumi^^filetype=edic^^threatcategory=udexerc^^threatclass=tatno^^pagerisk=isnisiut^^threatname=atatnon^^clientpublicIP=lica^^ClientIP=10.156.177.53^^location=Nequ^^refererURL=https://www.example.com/epo/rsit.txt?onorumet=ptatema#eavolup^^useragent=Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36^^department=rmagnido^^user=psaquaea^^event_id=rchit^^clienttranstime=psumq^^requestmethod=ptatev^^requestsize=6552^^requestversion=xerc^^status=ctetura^^responsesize=7556^^responseversion=tDuis^^transactionsize=3281 -tat ZSCALERNSS: time=equ Nov 2 11:05:41 2017^^timezone=GMT+02:00^^action=Blocked^^reason=unknown^^hostname=rors1935.api.domain^^protocol=udp^^serverip=10.83.138.34^^url=https://example.org/tmo/onofdeF.txt?oremip=its#uptasnul^^urlcategory=aliqui^^urlclass=datatnon^^dlpdictionaries=aedict^^dlpengine=niamqui^^filetype=usmodite^^threatcategory=tlabo^^threatclass=tatemse^^pagerisk=ntoccaec^^threatname=uamestqu^^clientpublicIP=mpor^^ClientIP=10.111.249.184^^location=ptatemU^^refererURL=https://example.org/rumSe/tatnonp.jpg?tlabore=idunt#expl^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=onsectet^^user=dentsunt^^event_id=inea^^clienttranstime=animid^^requestmethod=upta^^requestsize=313^^requestversion=onnumqua^^status=quioff^^responsesize=470^^responseversion=upt^^transactionsize=6017 -nvol ZSCALERNSS: time=dtemp Nov 16 6:08:15 
2017^^timezone=PT^^action=Allowed^^reason=unknown^^hostname=idexeac1655.internal.test^^protocol=ipv6^^serverip=10.141.195.13^^url=https://mail.example.com/orsitvol/ntor.htm?itqu=minimav#smodtem^^urlcategory=roquisqu^^urlclass=ariat^^dlpdictionaries=midestl^^dlpengine=quatu^^filetype=avolu^^threatcategory=teturad^^threatclass=itesse^^pagerisk=expl^^threatname=essecill^^clientpublicIP=totamre^^ClientIP=10.180.150.47^^location=orsitv^^refererURL=https://internal.example.net/uisaute/uun.jpg?olupt=nemulla#asp^^useragent=Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90^^department=ncul^^user=taliq^^event_id=tautfugi^^clienttranstime=fdeFinib^^requestmethod=uip^^requestsize=3940^^requestversion=sectetur^^status=edquian^^responsesize=7810^^responseversion=turQuis^^transactionsize=4046 -uames ZSCALERNSS: time=tconsec Dec 1 1:10:49 2017^^timezone=GMT-07:00^^action=Allowed^^reason=failure^^hostname=laboree3880.api.invalid^^protocol=rdp^^serverip=10.166.195.20^^url=https://internal.example.org/rumexe/xerci.gif?olor=quiav#gna^^urlcategory=Nem^^urlclass=tdolorem^^dlpdictionaries=eacomm^^dlpengine=upidata^^filetype=ici^^threatcategory=usant^^threatclass=mipsumq^^pagerisk=ident^^threatname=nimide^^clientpublicIP=quelaud^^ClientIP=10.255.40.12^^location=rro^^refererURL=https://api.example.com/nimv/emeu.htm?rem=tseddoei#teursint^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=remagnaa^^user=lamcolab^^event_id=ceroinB^^clienttranstime=umqui^^requestmethod=citation^^requestsize=7073^^requestversion=mcorpori^^status=orisn^^responsesize=2266^^responseversion=etMalor^^transactionsize=7800 -cta ZSCALERNSS: time=ercitat Dec 15 8:13:24 
2017^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=tecto708.www5.example^^protocol=rdp^^serverip=10.22.122.43^^url=https://example.org/tvolu/dutper.html?nbyCicer=scipit#equuntu^^urlcategory=quamni^^urlclass=turveli^^dlpdictionaries=isciv^^dlpengine=natus^^filetype=boreet^^threatcategory=luptasnu^^threatclass=ento^^pagerisk=snostr^^threatname=udexerc^^clientpublicIP=ovolupta^^ClientIP=10.100.143.226^^location=ametcon^^refererURL=https://internal.example.net/ecillu/quovol.html?ctasu=irat#sitame^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36^^department=ueporroq^^user=ute^^event_id=mexer^^clienttranstime=iam^^requestmethod=Bonoru^^requestsize=1396^^requestversion=ntutlab^^status=rumSecti^^responsesize=5091^^responseversion=gnama^^transactionsize=7815 -tesse ZSCALERNSS: time=olupta Dec 29 3:15:58 2017^^timezone=GMT+02:00^^action=Blocked^^reason=success^^hostname=ine3181.www.invalid^^protocol=ipv6-icmp^^serverip=10.119.53.68^^url=https://www.example.com/uiavo/uisaut.htm?paq=uianon#nul^^urlcategory=onse^^urlclass=sitam^^dlpdictionaries=inibusBo^^dlpengine=illoin^^filetype=emUtenim^^threatcategory=ende^^threatclass=dexea^^pagerisk=aco^^threatname=sse^^clientpublicIP=ihilm^^ClientIP=10.121.9.5^^location=uptas^^refererURL=https://www5.example.net/ons/unt.txt?ctetur=mvolupta#squame^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=mea^^user=ssec^^event_id=illum^^clienttranstime=eprehe^^requestmethod=tinvolup^^requestsize=497^^requestversion=tvol^^status=ptat^^responsesize=7456^^responseversion=tdolo^^transactionsize=1882 -eleumi ZSCALERNSS: time=equ Jan 12 10:18:32 
2018^^timezone=GMT-07:00^^action=Blocked^^reason=unknown^^hostname=tsunt3403.www5.test^^protocol=udp^^serverip=10.237.0.173^^url=https://mail.example.com/uasiarch/Malor.jpg?iinea=snos#upt^^urlcategory=oremipsu^^urlclass=tMalor^^dlpdictionaries=oreetd^^dlpengine=lor^^filetype=oreeu^^threatcategory=taspe^^threatclass=eritqui^^pagerisk=atquovol^^threatname=evel^^clientpublicIP=edol^^ClientIP=10.31.153.177^^location=maccus^^refererURL=https://www.example.com/totamrem/aliqu.htm?sBonorum=moenimi#lor^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=tiset^^user=sci^^event_id=periam^^clienttranstime=fugiatnu^^requestmethod=dolor^^requestsize=4350^^requestversion=eumfu^^status=docons^^responsesize=1428^^responseversion=eumf^^transactionsize=6826 -uasi ZSCALERNSS: time=maveniam Jan 27 5:21:06 2018^^timezone=PST^^action=Allowed^^reason=success^^hostname=pitl6126.www.localdomain^^protocol=ipv6-icmp^^serverip=10.243.182.229^^url=https://api.example.org/ntiumt/sumquia.jpg?lam=asnu#com^^urlcategory=rep^^urlclass=mveni^^dlpdictionaries=aquae^^dlpengine=olo^^filetype=edolori^^threatcategory=iaturE^^threatclass=epor^^pagerisk=umexer^^threatname=amnih^^clientpublicIP=tper^^ClientIP=10.229.102.140^^location=nulamc^^refererURL=https://www.example.org/etcon/ctobeat.txt?eddoei=lorumw#eca^^useragent=mobmail android 2.1.3.3150^^department=nimve^^user=duntut^^event_id=emporin^^clienttranstime=oreseosq^^requestmethod=etquasia^^requestsize=1800^^requestversion=tium^^status=nimip^^responsesize=7612^^responseversion=squamest^^transactionsize=3914 -pteu ZSCALERNSS: time=uatD Feb 10 12:23:41 
2018^^timezone=CEST^^action=Blocked^^reason=unknown^^hostname=remaper3297.internal.test^^protocol=ipv6-icmp^^serverip=10.39.46.155^^url=https://example.com/itsedqu/paq.jpg?hilmol=oluptate#todi^^urlcategory=emvel^^urlclass=pta^^dlpdictionaries=dolo^^dlpengine=itaedi^^filetype=hend^^threatcategory=remagna^^threatclass=adipisc^^pagerisk=aparia^^threatname=maliq^^clientpublicIP=ccusant^^ClientIP=10.120.138.109^^location=oidentsu^^refererURL=https://internal.example.org/onsec/dit.gif?lup=aeca#isau^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=sciveli^^user=picia^^event_id=BCSe^^clienttranstime=rem^^requestmethod=exer^^requestsize=447^^requestversion=remips^^status=lapari^^responsesize=5763^^responseversion=radipis^^transactionsize=3991 -luptate ZSCALERNSS: time=eritqu Feb 24 7:26:15 2018^^timezone=ET^^action=Blocked^^reason=failure^^hostname=tamr1693.api.home^^protocol=ipv6^^serverip=10.53.191.49^^url=https://api.example.org/remeum/etur.html?Quisa=quiav#ctionofd^^urlcategory=elit^^urlclass=sam^^dlpdictionaries=tMal^^dlpengine=porin^^filetype=metMal^^threatcategory=ciati^^threatclass=ecillum^^pagerisk=olor^^threatname=amei^^clientpublicIP=doconseq^^ClientIP=10.133.102.57^^location=CSed^^refererURL=https://example.net/wri/itame.html?dictasun=psa#lorese^^useragent=Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36^^department=ctobeat^^user=onsec^^event_id=idestl^^clienttranstime=litani^^requestmethod=emp^^requestsize=6397^^requestversion=onoru^^status=data^^responsesize=6740^^responseversion=eosqui^^transactionsize=5993 -uam ZSCALERNSS: time=quis Mar 11 2:28:49 
2018^^timezone=PST^^action=Allowed^^reason=failure^^hostname=cia5990.api.localdomain^^protocol=icmp^^serverip=10.91.2.225^^url=https://internal.example.org/ree/itten.gif?rsp=imipsa#nostrum^^urlcategory=autodita^^urlclass=ntut^^dlpdictionaries=temveleu^^dlpengine=itametco^^filetype=etcons^^threatcategory=etco^^threatclass=iuntN^^pagerisk=utfugi^^threatname=ursintoc^^clientpublicIP=tio^^ClientIP=10.89.41.97^^location=trudex^^refererURL=https://www.example.net/lup/mipsamv.htm?qua=ionula#pexeaco^^useragent=Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36^^department=nderi^^user=tem^^event_id=tcu^^clienttranstime=eumiu^^requestmethod=nim^^requestsize=141^^requestversion=rehen^^status=uaeab^^responsesize=5521^^responseversion=serro^^transactionsize=1078 -eturadip ZSCALERNSS: time=amquaera Mar 25 9:31:24 2018^^timezone=PT^^action=Allowed^^reason=success^^hostname=riatu2467.lan^^protocol=tcp^^serverip=10.221.20.165^^url=https://www.example.net/ritquiin/reseo.jpg?ari=umtot#onemulla^^urlcategory=atquo^^urlclass=borio^^dlpdictionaries=equatD^^dlpengine=uidol^^filetype=inculpa^^threatcategory=ruredol^^threatclass=iadeseru^^pagerisk=loremagn^^threatname=acons^^clientpublicIP=nimadmi^^ClientIP=10.7.18.226^^location=umiurer^^refererURL=https://internal.example.com/oluptass/uidol.txt?ametcon=ofdeFini#tasnu^^useragent=Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=tionev^^user=uasiarch^^event_id=velites^^clienttranstime=uredolor^^requestmethod=epreh^^requestsize=5810^^requestversion=edquiaco^^status=sequatD^^responsesize=4211^^responseversion=naaliq^^transactionsize=4508 -asiarc ZSCALERNSS: time=lor Apr 8 4:33:58 
2018^^timezone=GMT+02:00^^action=Allowed^^reason=unknown^^hostname=pici1525.www5.corp^^protocol=ipv6^^serverip=10.178.148.188^^url=https://mail.example.com/dexe/nemul.jpg?yCicero=inimave#eavolupt^^urlcategory=uipe^^urlclass=ipsa^^dlpdictionaries=con^^dlpengine=eirured^^filetype=sequamn^^threatcategory=perspici^^threatclass=inimve^^pagerisk=aea^^threatname=emipsumd^^clientpublicIP=didun^^ClientIP=10.155.252.123^^location=asiarch^^refererURL=https://www5.example.net/utla/deomni.gif?fugi=nse#nesciu^^useragent=Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80^^department=ssequ^^user=inrepreh^^event_id=rit^^clienttranstime=velitess^^requestmethod=niam^^requestsize=6665^^requestversion=vel^^status=ionevo^^responsesize=4580^^responseversion=ptate^^transactionsize=52 -umfu ZSCALERNSS: time=utla Apr 22 11:36:32 2018^^timezone=CET^^action=Blocked^^reason=failure^^hostname=dolo6418.internal.host^^protocol=ipv6-icmp^^serverip=10.190.42.245^^url=https://mail.example.org/caecat/uel.html?enim=umq#sistena^^urlcategory=qui^^urlclass=caboN^^dlpdictionaries=imipsam^^dlpengine=eumiu^^filetype=tatevel^^threatcategory=quela^^threatclass=uamquaer^^pagerisk=texplica^^threatname=enimi^^clientpublicIP=illum^^ClientIP=10.220.1.249^^location=iqu^^refererURL=https://api.example.org/eumfugia/reeufugi.gif?uredol=uptat#toditau^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=quuntur^^user=olup^^event_id=aeab^^clienttranstime=uradipis^^requestmethod=aerat^^requestsize=2910^^requestversion=uira^^status=eosqui^^responsesize=3723^^responseversion=quinesc^^transactionsize=4724 -aliqu ZSCALERNSS: time=sequine May 7 6:39:06 
2018^^timezone=GMT-07:00^^action=Allowed^^reason=unknown^^hostname=imveni193.www5.host^^protocol=udp^^serverip=10.112.190.154^^url=https://mail.example.com/runtmoll/busBon.txt?ionev=vitaedi#rna^^urlcategory=cons^^urlclass=Except^^dlpdictionaries=lestiae^^dlpengine=iav^^filetype=umiure^^threatcategory=isiut^^threatclass=tin^^pagerisk=rporiss^^threatname=billoinv^^clientpublicIP=etconse^^ClientIP=10.55.38.153^^location=quido^^refererURL=https://example.org/uames/tla.gif?rch=psa#nreprehe^^useragent=Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g^^department=tvolup^^user=oremeu^^event_id=lab^^clienttranstime=lla^^requestmethod=urau^^requestsize=6127^^requestversion=upt^^status=equamni^^responsesize=363^^responseversion=eroi^^transactionsize=916 -mdo ZSCALERNSS: time=labore May 21 1:41:41 2018^^timezone=OMST^^action=Allowed^^reason=success^^hostname=ionu3320.api.localhost^^protocol=igmp^^serverip=10.195.153.42^^url=https://api.example.com/lits/tvolu.jpg?squir=gnaaliq#quam^^urlcategory=deriti^^urlclass=edictasu^^dlpdictionaries=eturadi^^dlpengine=umS^^filetype=noru^^threatcategory=aliquide^^threatclass=tDuisaut^^pagerisk=uel^^threatname=dexerc^^clientpublicIP=vol^^ClientIP=10.250.48.82^^location=iqu^^refererURL=https://api.example.com/quuntur/nihi.gif?oremagna=aqu#utemvele^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=serrorsi^^user=tsedquia^^event_id=rsit^^clienttranstime=quis^^requestmethod=upidatat^^requestsize=2982^^requestversion=nihilmo^^status=reetdo^^responsesize=6578^^responseversion=nidol^^transactionsize=4345 -hite ZSCALERNSS: time=umfugi Jun 4 8:44:15 
2018^^timezone=CT^^action=Blocked^^reason=unknown^^hostname=remips1499.www.local^^protocol=ipv6^^serverip=10.252.164.230^^url=https://mail.example.net/loremi/queporro.jpg?ade=nihilmol#nder^^urlcategory=ano^^urlclass=rumexer^^dlpdictionaries=eab^^dlpengine=iaconseq^^filetype=tseddo^^threatcategory=diduntut^^threatclass=rroq^^pagerisk=olore^^threatname=eratvolu^^clientpublicIP=oconsequ^^ClientIP=10.60.52.219^^location=untNeq^^refererURL=https://internal.example.org/scipit/litess.jpg?ide=quunturm#quovo^^useragent=mobmail android 2.1.3.3150^^department=usan^^user=gnamali^^event_id=iumtota^^clienttranstime=issusci^^requestmethod=fdeFin^^requestsize=2871^^requestversion=psu^^status=strud^^responsesize=501^^responseversion=saute^^transactionsize=7421 -iumto ZSCALERNSS: time=sequatu Jun 19 3:46:49 2018^^timezone=CT^^action=Allowed^^reason=success^^hostname=mdoloree96.domain^^protocol=ggp^^serverip=10.187.16.73^^url=https://api.example.com/nge/psum.gif?exerci=isnostru#iad^^urlcategory=ngelits^^urlclass=volupt^^dlpdictionaries=billoi^^dlpengine=reseo^^filetype=quam^^threatcategory=ulpaquio^^threatclass=dipisc^^pagerisk=litsed^^threatname=lumd^^clientpublicIP=tiaec^^ClientIP=10.122.102.156^^location=totamr^^refererURL=https://mail.example.org/aper/entor.txt?lumdol=edutper#utemve^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=metMa^^user=emoen^^event_id=ptate^^clienttranstime=mipsumqu^^requestmethod=turad^^requestsize=1704^^requestversion=billo^^status=doloremi^^responsesize=3365^^responseversion=iciatis^^transactionsize=2052 -cul ZSCALERNSS: time=tate Jul 3 10:49:23 
2018^^timezone=CEST^^action=Allowed^^reason=failure^^hostname=iatnulap7662.internal.local^^protocol=igmp^^serverip=10.120.215.174^^url=https://internal.example.org/ddoeiusm/apa.txt?uptatemU=rem#onorumet^^urlcategory=iscivel^^urlclass=rinci^^dlpdictionaries=eacomm^^dlpengine=aboNem^^filetype=mull^^threatcategory=ent^^threatclass=rema^^pagerisk=mcol^^threatname=tion^^clientpublicIP=umquia^^ClientIP=10.248.108.55^^location=itation^^refererURL=https://internal.example.org/tat/uredo.html?essequam=imav#mtot^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=tionemu^^user=prehend^^event_id=ntexplic^^clienttranstime=rvelillu^^requestmethod=uatDu^^requestsize=4620^^requestversion=isu^^status=moll^^responsesize=2104^^responseversion=ota^^transactionsize=4562 -eniamq ZSCALERNSS: time=aloru Jul 17 5:51:58 2018^^timezone=PT^^action=Allowed^^reason=success^^hostname=sBonoru1929.example^^protocol=ggp^^serverip=10.51.161.245^^url=https://www5.example.net/yCice/uinesci.htm?taevitae=dminimv#quam^^urlcategory=saute^^urlclass=umdol^^dlpdictionaries=rerepr^^dlpengine=ipiscin^^filetype=trudexe^^threatcategory=qua^^threatclass=modit^^pagerisk=tatione^^threatname=aedicta^^clientpublicIP=squamest^^ClientIP=10.15.254.181^^location=emipsum^^refererURL=https://example.com/eFini/atDuisa.jpg?mips=dolo#reeufu^^useragent=Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61^^department=adipis^^user=abo^^event_id=suntex^^clienttranstime=uptatema^^requestmethod=uteiru^^requestsize=4600^^requestversion=Cicero^^status=ven^^responsesize=5410^^responseversion=ficia^^transactionsize=7526 -deFinibu ZSCALERNSS: time=iaecons Aug 1 12:54:32 
2018^^timezone=ET^^action=Blocked^^reason=success^^hostname=onorumet4871.lan^^protocol=ipv6^^serverip=10.7.152.238^^url=https://api.example.com/itinvolu/adeserun.txt?tinv=Utenima#nse^^urlcategory=umq^^urlclass=enim^^dlpdictionaries=oreve^^dlpengine=metco^^filetype=xercita^^threatcategory=atev^^threatclass=vento^^pagerisk=litsed^^threatname=ciun^^clientpublicIP=rehender^^ClientIP=10.129.66.196^^location=mmodicon^^refererURL=https://api.example.com/tqu/emips.gif?tinvolu=ptat#amquisn^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=dol^^user=equamn^^event_id=scipi^^clienttranstime=rem^^requestmethod=reh^^requestsize=3604^^requestversion=gnama^^status=ursintoc^^responsesize=6628^^responseversion=ction^^transactionsize=491 -siuta ZSCALERNSS: time=atcu Aug 15 7:57:06 2018^^timezone=PST^^action=Blocked^^reason=success^^hostname=onproi4354.www5.invalid^^protocol=ggp^^serverip=10.29.162.157^^url=https://www.example.org/sci/isquames.gif?tlabor=itecto#loreeuf^^urlcategory=orainci^^urlclass=orese^^dlpdictionaries=aev^^dlpengine=uelaudan^^filetype=lab^^threatcategory=sequa^^threatclass=orinrep^^pagerisk=pta^^threatname=uradi^^clientpublicIP=sequu^^ClientIP=10.185.107.27^^location=susc^^refererURL=https://www.example.org/eatae/siutali.html?quelauda=rcit#dolo^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=orese^^user=evelite^^event_id=remquela^^clienttranstime=toreve^^requestmethod=squirat^^requestsize=2977^^requestversion=equunt^^status=mto^^responsesize=4116^^responseversion=atio^^transactionsize=6258 -rem ZSCALERNSS: time=consecte Aug 29 2:59:40 
2018^^timezone=ET^^action=Blocked^^reason=success^^hostname=beataevi7552.api.test^^protocol=ipv6^^serverip=10.215.63.248^^url=https://mail.example.org/umdolo/nimv.htm?equunt=tutla#usmod^^urlcategory=ine^^urlclass=qui^^dlpdictionaries=itse^^dlpengine=lapari^^filetype=Bonor^^threatcategory=ipex^^threatclass=odita^^pagerisk=metc^^threatname=aincidu^^clientpublicIP=reprehe^^ClientIP=10.138.0.214^^location=uisaut^^refererURL=https://internal.example.org/ommodic/mmodic.txt?esse=nihi#xeaco^^useragent=Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61^^department=uianonn^^user=eavolupt^^event_id=dantium^^clienttranstime=ors^^requestmethod=dqu^^requestsize=6682^^requestversion=edi^^status=eumiure^^responsesize=1926^^responseversion=eacomm^^transactionsize=2676 -pre ZSCALERNSS: time=aute Sep 12 10:02:15 2018^^timezone=PST^^action=Allowed^^reason=success^^hostname=rvelill1981.www.invalid^^protocol=udp^^serverip=10.26.115.88^^url=https://mail.example.net/tvol/ostru.htm?oei=iquipex#byCice^^urlcategory=deritq^^urlclass=boreetdo^^dlpdictionaries=teni^^dlpengine=iin^^filetype=nostr^^threatcategory=luptatem^^threatclass=tNequepo^^pagerisk=liq^^threatname=eleumiu^^clientpublicIP=etdol^^ClientIP=10.12.130.224^^location=magnido^^refererURL=https://www.example.org/dolor/ing.jpg?umdo=aer#quela^^useragent=Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=itatis^^user=Nequepo^^event_id=edictas^^clienttranstime=emac^^requestmethod=rmagnido^^requestsize=6135^^requestversion=elitsedd^^status=hitecto^^responsesize=6315^^responseversion=repreh^^transactionsize=1238 -usan ZSCALERNSS: time=ugiatn Sep 27 5:04:49 
2018^^timezone=GMT+02:00^^action=Blocked^^reason=failure^^hostname=quia7214.example^^protocol=igmp^^serverip=10.193.152.42^^url=https://mail.example.org/pariatur/cita.html?equuntur=rve#atemacc^^urlcategory=labore^^urlclass=iqua^^dlpdictionaries=ciunt^^dlpengine=exea^^filetype=ostrumex^^threatcategory=eruntmol^^threatclass=plicab^^pagerisk=imide^^threatname=uiineav^^clientpublicIP=nder^^ClientIP=10.91.20.27^^location=asia^^refererURL=https://api.example.com/psamvolu/teturad.jpg?iavol=psumdol#urautodi^^useragent=Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36^^department=modtempo^^user=edict^^event_id=nost^^clienttranstime=orisnis^^requestmethod=umq^^requestsize=2801^^requestversion=quatur^^status=isiutali^^responsesize=1508^^responseversion=emquel^^transactionsize=365 -iavol ZSCALERNSS: time=utemvel Oct 11 12:07:23 2018^^timezone=PST^^action=Allowed^^reason=failure^^hostname=aturExc7343.invalid^^protocol=ipv6^^serverip=10.146.69.38^^url=https://example.org/aturE/aaliqu.gif?nvol=doloreeu#elillumq^^urlcategory=loremeum^^urlclass=luptatem^^dlpdictionaries=ing^^dlpengine=hen^^filetype=riameaqu^^threatcategory=etd^^threatclass=omnisi^^pagerisk=dolor^^threatname=rsp^^clientpublicIP=quir^^ClientIP=10.55.192.102^^location=tsuntinc^^refererURL=https://example.org/onproid/ciduntut.html?xer=iat#orain^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=uame^^user=quia^^event_id=Exce^^clienttranstime=nim^^requestmethod=userro^^requestsize=1008^^requestversion=uta^^status=tsun^^responsesize=7120^^responseversion=gni^^transactionsize=5280 -tione ZSCALERNSS: time=nibus Oct 25 7:09:57 
2018^^timezone=GMT-07:00^^action=Allowed^^reason=success^^hostname=olo7317.www5.localhost^^protocol=udp^^serverip=10.249.1.143^^url=https://internal.example.org/olorin/orisnisi.gif?eritquii=atevelit#dese^^urlcategory=ptasn^^urlclass=liqui^^dlpdictionaries=ectetur^^dlpengine=eacomm^^filetype=temqu^^threatcategory=tdolore^^threatclass=Utenim^^pagerisk=quisno^^threatname=quaUten^^clientpublicIP=eufugia^^ClientIP=10.124.177.226^^location=iarc^^refererURL=https://www5.example.org/ncidunt/uiac.jpg?luptat=ehend#involupt^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36^^department=tincul^^user=isciveli^^event_id=ntutlab^^clienttranstime=sitamet^^requestmethod=onevo^^requestsize=3736^^requestversion=nsequ^^status=ing^^responsesize=3291^^responseversion=vitaed^^transactionsize=7672 -modit ZSCALERNSS: time=quamnih Nov 9 2:12:32 2018^^timezone=OMST^^action=Blocked^^reason=failure^^hostname=uiin1342.mail.invalid^^protocol=rdp^^serverip=10.167.176.220^^url=https://example.org/vel/preh.html?sequamni=edutpers#deo^^urlcategory=eni^^urlclass=quipe^^dlpdictionaries=oluptat^^dlpengine=stenatus^^filetype=eabillo^^threatcategory=iaecon^^threatclass=ect^^pagerisk=tquid^^threatname=seru^^clientpublicIP=oriss^^ClientIP=10.146.228.249^^location=psumdolo^^refererURL=https://example.net/bor/magnido.html?emagnaal=nih#ncididu^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=gitsed^^user=estla^^event_id=ione^^clienttranstime=ecillum^^requestmethod=maccu^^requestsize=5298^^requestversion=quisquam^^status=boreet^^responsesize=620^^responseversion=Malorumw^^transactionsize=5212 -issu ZSCALERNSS: time=tconsect Nov 23 9:15:06 
2018^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=agna5654.www.corp^^protocol=tcp^^serverip=10.200.74.101^^url=https://example.com/nonproi/dolor.jpg?molli=oeiusm#aUtenim^^urlcategory=ntincul^^urlclass=nnumquam^^dlpdictionaries=etdol^^dlpengine=sed^^filetype=uep^^threatcategory=ametco^^threatclass=nde^^pagerisk=reprehe^^threatname=umdolo^^clientpublicIP=duntutl^^ClientIP=10.203.47.23^^location=empor^^refererURL=https://mail.example.net/teveli/utperspi.html?luptate=aturvel#ostrumex^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10^^department=sedquia^^user=litesse^^event_id=ntmo^^clienttranstime=aliqu^^requestmethod=iqu^^requestsize=4429^^requestversion=ationula^^status=doconse^^responsesize=4822^^responseversion=oreeufug^^transactionsize=5020 -tenima ZSCALERNSS: time=emagnam Dec 7 4:17:40 2018^^timezone=CT^^action=Blocked^^reason=success^^hostname=ites5711.internal.host^^protocol=ggp^^serverip=10.162.78.48^^url=https://example.com/sedqui/iuntNe.gif?epteu=nvent#uepor^^urlcategory=umSecti^^urlclass=eabil^^dlpdictionaries=ibusB^^dlpengine=rporis^^filetype=etco^^threatcategory=mip^^threatclass=ereprehe^^pagerisk=olu^^threatname=nofdeF^^clientpublicIP=riaturEx^^ClientIP=10.24.23.209^^location=itautfu^^refererURL=https://internal.example.org/ole/odi.txt?mporain=ectetur#adipisc^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=iumd^^user=ntore^^event_id=tect^^clienttranstime=ion^^requestmethod=tutl^^requestsize=3811^^requestversion=bor^^status=ameaquei^^responsesize=4147^^responseversion=uelaud^^transactionsize=1306 -ngelit ZSCALERNSS: time=quiano Dec 21 11:20:14 
2018^^timezone=GMT+02:00^^action=Allowed^^reason=success^^hostname=oluptat2848.api.home^^protocol=igmp^^serverip=10.55.151.53^^url=https://www5.example.net/lits/Nemoen.txt?elillu=seruntmo#imidest^^urlcategory=oeiusmod^^urlclass=uidolore^^dlpdictionaries=iacon^^dlpengine=ncu^^filetype=quaturve^^threatcategory=ciad^^threatclass=diconseq^^pagerisk=utod^^threatname=ostr^^clientpublicIP=amcorp^^ClientIP=10.211.66.68^^location=uptatem^^refererURL=https://mail.example.org/nproide/mali.htm?siutali=mfugi#ceroinBC^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=maveni^^user=squir^^event_id=commod^^clienttranstime=umqu^^requestmethod=umet^^requestsize=5891^^requestversion=amestqu^^status=aliqua^^responsesize=1782^^responseversion=teirure^^transactionsize=1210 -dipisciv ZSCALERNSS: time=nsequun Jan 5 6:22:49 2019^^timezone=ET^^action=Blocked^^reason=unknown^^hostname=ngelitse7535.internal.lan^^protocol=rdp^^serverip=10.110.16.169^^url=https://example.org/eius/evo.jpg?iarchit=volupt#ipis^^urlcategory=usBonor^^urlclass=mide^^dlpdictionaries=sten^^dlpengine=enderi^^filetype=labore^^threatcategory=uasiarch^^threatclass=iamquisn^^pagerisk=magnama^^threatname=reprehe^^clientpublicIP=citatio^^ClientIP=10.209.203.156^^location=esciunt^^refererURL=https://www.example.com/liquide/BCSedut.htm?litani=temse#samvo^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=roinBCSe^^user=mes^^event_id=labori^^clienttranstime=ditau^^requestmethod=lupta^^requestsize=6650^^requestversion=tam^^status=olu^^responsesize=409^^responseversion=iut^^transactionsize=3808 -deser ZSCALERNSS: time=boris Jan 19 1:25:23 
2019^^timezone=PST^^action=Allowed^^reason=success^^hostname=tiumtot3611.internal.localdomain^^protocol=udp^^serverip=10.84.9.150^^url=https://www5.example.net/equun/veli.gif?tem=iadeseru#uiineavo^^urlcategory=enimadmi^^urlclass=qui^^dlpdictionaries=ita^^dlpengine=lamco^^filetype=natuser^^threatcategory=Excepteu^^threatclass=omnis^^pagerisk=tati^^threatname=orinc^^clientpublicIP=teursi^^ClientIP=10.107.68.114^^location=nofdeFin^^refererURL=https://internal.example.org/ollit/umfug.htm?lumquid=Sectio#tiumdol^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ocons^^user=sequatDu^^event_id=nsecte^^clienttranstime=pta^^requestmethod=uianonnu^^requestsize=5724^^requestversion=veleumi^^status=volupt^^responsesize=6822^^responseversion=itatise^^transactionsize=3714 -userro ZSCALERNSS: time=oree Feb 2 8:27:57 2019^^timezone=CEST^^action=Blocked^^reason=failure^^hostname=gnaa4656.api.example^^protocol=igmp^^serverip=10.26.222.144^^url=https://internal.example.com/ecatcu/tMalo.txt?nse=rauto#rese^^urlcategory=nonproi^^urlclass=doconse^^dlpdictionaries=henderi^^dlpengine=tisunde^^filetype=ende^^threatcategory=quidolor^^threatclass=lloin^^pagerisk=eomnis^^threatname=proiden^^clientpublicIP=moenimip^^ClientIP=10.124.119.48^^location=atquo^^refererURL=https://www.example.com/ern/ationula.jpg?nsequun=ateveli#aqua^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10^^department=amn^^user=nre^^event_id=sintoc^^clienttranstime=rinci^^requestmethod=ici^^requestsize=7328^^requestversion=Nequepor^^status=aUten^^responsesize=4127^^responseversion=tatnon^^transactionsize=977 -mnisis ZSCALERNSS: time=onsequa Feb 17 3:30:32 
2019^^timezone=GMT+02:00^^action=Allowed^^reason=failure^^hostname=psaqu6066.www5.localhost^^protocol=ipv6-icmp^^serverip=10.164.190.2^^url=https://mail.example.org/ntutlabo/leumiure.htm?eacommo=amqua#tionevol^^urlcategory=itvo^^urlclass=asi^^dlpdictionaries=tobe^^dlpengine=ssequa^^filetype=emp^^threatcategory=emoeni^^threatclass=officiad^^pagerisk=veniam^^threatname=labo^^clientpublicIP=ssecill^^ClientIP=10.223.11.164^^location=tate^^refererURL=https://internal.example.net/ali/ionu.txt?cte=ariatu#ess^^useragent=Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=risnisiu^^user=ten^^event_id=datatno^^clienttranstime=equepor^^requestmethod=antium^^requestsize=5241^^requestversion=texp^^status=mvolup^^responsesize=4382^^responseversion=ema^^transactionsize=6673 -nsec ZSCALERNSS: time=iaeco Mar 3 10:33:06 2019^^timezone=OMST^^action=Blocked^^reason=failure^^hostname=iavol5202.api.example^^protocol=udp^^serverip=10.14.37.8^^url=https://www.example.org/ugitsed/ritatis.jpg?xplic=stenat#mquis^^urlcategory=rume^^urlclass=samnisiu^^dlpdictionaries=yCiceroi^^dlpengine=evolupta^^filetype=citat^^threatcategory=prehende^^threatclass=vitaedic^^pagerisk=remip^^threatname=rsita^^clientpublicIP=rehe^^ClientIP=10.121.181.243^^location=midest^^refererURL=https://example.org/olupta/modi.txt?rnatur=tseddo#utaliq^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=errorsi^^user=umwr^^event_id=olor^^clienttranstime=cupida^^requestmethod=rinc^^requestsize=7719^^requestversion=roqu^^status=dquia^^responsesize=1460^^responseversion=strude^^transactionsize=6667 -ptate ZSCALERNSS: time=oloreeu Mar 17 5:35:40 
2019^^timezone=ET^^action=Blocked^^reason=success^^hostname=uame1361.api.local^^protocol=udp^^serverip=10.90.20.202^^url=https://mail.example.com/aute/dictasu.gif?ptas=iadolo#cidu^^urlcategory=nonp^^urlclass=abillo^^dlpdictionaries=tinv^^dlpengine=iar^^filetype=nse^^threatcategory=turQuis^^threatclass=tat^^pagerisk=pta^^threatname=henderi^^clientpublicIP=onsec^^ClientIP=10.10.93.133^^location=tau^^refererURL=https://www.example.net/urad/upt.gif?sitamet=xerc#mcolabor^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=quipe^^user=evita^^event_id=ostrude^^clienttranstime=itsed^^requestmethod=nia^^requestsize=7548^^requestversion=rehe^^status=eseosqu^^responsesize=3488^^responseversion=sundeo^^transactionsize=3076 -laud ZSCALERNSS: time=uido Apr 1 12:38:14 2019^^timezone=ET^^action=Allowed^^reason=success^^hostname=rsitame4049.internal.corp^^protocol=tcp^^serverip=10.34.98.144^^url=https://mail.example.net/enbyCic/aturau.gif?orroqui=sci#psamvolu^^urlcategory=itsedqui^^urlclass=oreve^^dlpdictionaries=omn^^dlpengine=onevol^^filetype=ese^^threatcategory=reprehen^^threatclass=Exce^^pagerisk=tocca^^threatname=tinvolu^^clientpublicIP=ecatc^^ClientIP=10.77.102.206^^location=quin^^refererURL=https://api.example.com/sedqui/ueporroq.htm?eetdol=tia#lup^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36^^department=inBCSed^^user=tectobe^^event_id=pariatu^^clienttranstime=uiacons^^requestmethod=ulapa^^requestsize=4143^^requestversion=henderit^^status=ident^^responsesize=4610^^responseversion=mquae^^transactionsize=1789 -lit ZSCALERNSS: time=uiine Apr 15 7:40:49 
2019^^timezone=ET^^action=Blocked^^reason=unknown^^hostname=elit912.www5.test^^protocol=udp^^serverip=10.176.233.249^^url=https://example.org/olu/mqua.txt?mdolore=ita#aeratvol^^urlcategory=odite^^urlclass=atn^^dlpdictionaries=sectet^^dlpengine=boreetd^^filetype=ueporro^^threatcategory=cto^^threatclass=essequa^^pagerisk=gnidolor^^threatname=itlabori^^clientpublicIP=amestqui^^ClientIP=10.75.144.118^^location=qua^^refererURL=https://api.example.com/pteurs/intocc.gif?veni=turmag#dutper^^useragent=Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=aconseq^^user=isnos^^event_id=ntin^^clienttranstime=tenatus^^requestmethod=odic^^requestsize=3588^^requestversion=intocca^^status=equuntu^^responsesize=3976^^responseversion=ine^^transactionsize=3409 -rcit ZSCALERNSS: time=secte Apr 29 2:43:23 2019^^timezone=GMT-07:00^^action=Allowed^^reason=unknown^^hostname=tat6671.www.local^^protocol=udp^^serverip=10.149.6.107^^url=https://api.example.net/mnisiut/eabil.jpg?psumqui=trude#ccusa^^urlcategory=ndeomni^^urlclass=chite^^dlpdictionaries=obeatae^^dlpengine=rehen^^filetype=uam^^threatcategory=vitaedi^^threatclass=uis^^pagerisk=emagnaal^^threatname=uunturm^^clientpublicIP=nonnumq^^ClientIP=10.236.55.236^^location=aerat^^refererURL=https://www.example.org/eata/maliquam.jpg?gnamali=olabor#ionem^^useragent=Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=eseosqu^^user=redolo^^event_id=mveleu^^clienttranstime=cillumdo^^requestmethod=mvele^^requestsize=4686^^requestversion=isnost^^status=lumdolor^^responsesize=559^^responseversion=aspe^^transactionsize=4318 -erita ZSCALERNSS: time=eursint May 13 9:45:57 
2019^^timezone=CET^^action=Blocked^^reason=failure^^hostname=uis5050.www.local^^protocol=igmp^^serverip=10.97.202.149^^url=https://api.example.net/uamestq/eetdol.html?ctionofd=uianonnu#ntNeque^^urlcategory=magnidol^^urlclass=meumfug^^dlpdictionaries=irat^^dlpengine=uatu^^filetype=gel^^threatcategory=modt^^threatclass=atcupi^^pagerisk=xeacomm^^threatname=tla^^clientpublicIP=itaspe^^ClientIP=10.13.125.101^^location=uisautei^^refererURL=https://mail.example.net/ihilmol/scinge.jpg?str=yCiceroi#loremeu^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=velitess^^user=colab^^event_id=itte^^clienttranstime=niamquis^^requestmethod=uaUten^^requestsize=7772^^requestversion=exeacomm^^status=uptat^^responsesize=982^^responseversion=ore^^transactionsize=7330 -poriss ZSCALERNSS: time=enatus May 28 4:48:31 2019^^timezone=GMT+02:00^^action=Blocked^^reason=failure^^hostname=ficiad1312.api.host^^protocol=igmp^^serverip=10.141.66.163^^url=https://mail.example.net/ius/msequ.jpg?ptat=tionula#gnido^^urlcategory=usmo^^urlclass=squirati^^dlpdictionaries=uasi^^dlpengine=quaeabi^^filetype=sequ^^threatcategory=gna^^threatclass=itautf^^pagerisk=aev^^threatname=uovolup^^clientpublicIP=tMaloru^^ClientIP=10.230.61.102^^location=rautod^^refererURL=https://example.net/minimav/uovo.html?orinrep=tNequ#eca^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=serr^^user=umdolo^^event_id=iduntut^^clienttranstime=admini^^requestmethod=mini^^requestsize=3181^^requestversion=cididun^^status=iamqu^^responsesize=1324^^responseversion=iunt^^transactionsize=2218 -uisaut ZSCALERNSS: time=apar Jun 11 11:51:06 
2019^^timezone=OMST^^action=Blocked^^reason=unknown^^hostname=itaspe921.mail.invalid^^protocol=tcp^^serverip=10.10.25.145^^url=https://www.example.org/iat/acom.html?umdolo=oluptass#umqu^^urlcategory=rsitam^^urlclass=aliqui^^dlpdictionaries=uipexea^^dlpengine=sauteiru^^filetype=nibusB^^threatcategory=eetdolo^^threatclass=issuscip^^pagerisk=iduntu^^threatname=nde^^clientpublicIP=naturau^^ClientIP=10.224.249.228^^location=odit^^refererURL=https://www5.example.net/lapa/enia.jpg?deserun=ugia#isiuta^^useragent=Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ugiatq^^user=mnisiuta^^event_id=nrepre^^clienttranstime=eumfu^^requestmethod=remap^^requestsize=1954^^requestversion=yCicero^^status=dqui^^responsesize=6666^^responseversion=oin^^transactionsize=3838 -eiusm ZSCALERNSS: time=assit Jun 25 6:53:40 2019^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=archite4407.mail.invalid^^protocol=ipv6-icmp^^serverip=10.234.34.40^^url=https://www.example.com/onorum/umiure.gif?lites=admini#trumexer^^urlcategory=maveniam^^urlclass=ctobeat^^dlpdictionaries=emoenim^^dlpengine=oqui^^filetype=olab^^threatcategory=remagnam^^threatclass=neavolu^^pagerisk=adipi^^threatname=idid^^clientpublicIP=ela^^ClientIP=10.247.255.107^^location=lore^^refererURL=https://www5.example.org/olorsi/everitat.htm?iamq=ercitat#velillu^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36^^department=elitsed^^user=aeabillo^^event_id=dolori^^clienttranstime=mco^^requestmethod=nofdeF^^requestsize=245^^requestversion=writt^^status=ent^^responsesize=3750^^responseversion=uaer^^transactionsize=2304 -tectobe ZSCALERNSS: time=ain Jul 10 1:56:14 
2019^^timezone=OMST^^action=Blocked^^reason=success^^hostname=aria1424.mail.home^^protocol=igmp^^serverip=10.124.81.20^^url=https://mail.example.org/veni/rspi.htm?ntium=imadmi#dquiac^^urlcategory=liquide^^urlclass=uatD^^dlpdictionaries=reh^^dlpengine=uel^^filetype=tmollit^^threatcategory=ametco^^threatclass=ilmoles^^pagerisk=xeaco^^threatname=texpl^^clientpublicIP=tqua^^ClientIP=10.250.102.42^^location=totamr^^refererURL=https://internal.example.com/iciat/uira.htm?cti=orsitvo#elit^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=tenby^^user=tNequ^^event_id=piciatis^^clienttranstime=ritten^^requestmethod=tatisetq^^requestsize=2753^^requestversion=madmi^^status=icia^^responsesize=412^^responseversion=eroi^^transactionsize=2077 -riatur ZSCALERNSS: time=amrema Jul 24 8:58:48 2019^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=Bonoru7444.www5.example^^protocol=rdp^^serverip=10.166.205.159^^url=https://www.example.com/tem/litsedq.htm?ium=utfugit#beat^^urlcategory=odita^^urlclass=borisn^^dlpdictionaries=itanimid^^dlpengine=ianonnum^^filetype=cte^^threatcategory=iratio^^threatclass=proid^^pagerisk=inculp^^threatname=atnu^^clientpublicIP=ntmo^^ClientIP=10.154.188.132^^location=atevelit^^refererURL=https://internal.example.com/iconsequ/adipisci.txt?gnido=iamq#Utenim^^useragent=Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10^^department=uisa^^user=uptat^^event_id=siutal^^clienttranstime=umetMalo^^requestmethod=onevolu^^requestsize=4181^^requestversion=sedquian^^status=involu^^responsesize=5294^^responseversion=nsequatD^^transactionsize=7089 -liquid ZSCALERNSS: time=uamq Aug 7 4:01:23 
2019^^timezone=CEST^^action=Allowed^^reason=success^^hostname=icero1297.internal.domain^^protocol=ipv6-icmp^^serverip=10.46.71.46^^url=https://www.example.com/amcola/eumiurer.gif?stiaeco=equu#laborisn^^urlcategory=atisetq^^urlclass=mSectio^^dlpdictionaries=rsinto^^dlpengine=nonnumqu^^filetype=atis^^threatcategory=todit^^threatclass=upta^^pagerisk=fug^^threatname=ulpaq^^clientpublicIP=rured^^ClientIP=10.138.193.38^^location=udex^^refererURL=https://api.example.com/uin/isci.htm?nsectetu=spici#untutl^^useragent=Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10^^department=tate^^user=sintocca^^event_id=ugiat^^clienttranstime=asuntex^^requestmethod=uovolup^^requestsize=745^^requestversion=amali^^status=uiav^^responsesize=274^^responseversion=mullamco^^transactionsize=7843 -ons ZSCALERNSS: time=radip Aug 21 11:03:57 2019^^timezone=CT^^action=Blocked^^reason=unknown^^hostname=oloremeu5047.www5.invalid^^protocol=tcp^^serverip=10.254.119.31^^url=https://api.example.net/sedquian/lamcorpo.html?sequatD=Nequepo#veleum^^urlcategory=eturad^^urlclass=tor^^dlpdictionaries=hender^^dlpengine=moditemp^^filetype=pitlab^^threatcategory=tutlabor^^threatclass=imadmi^^pagerisk=nculp^^threatname=quamnihi^^clientpublicIP=nimadmi^^ClientIP=10.172.159.251^^location=nima^^refererURL=https://mail.example.org/tur/tlaboru.htm?tutlabo=incid#der^^useragent=Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90^^department=tconsect^^user=usm^^event_id=uunturma^^clienttranstime=namaliqu^^requestmethod=tatemacc^^requestsize=2324^^requestversion=nor^^status=saut^^responsesize=2804^^responseversion=stiaeco^^transactionsize=1508 -osam ZSCALERNSS: time=ncid Sep 5 6:06:31 
2019^^timezone=PT^^action=Allowed^^reason=unknown^^hostname=edutpe1255.internal.lan^^protocol=ipv6-icmp^^serverip=10.195.62.230^^url=https://www5.example.com/ictasun/iumto.txt?erro=admin#uisnostr^^urlcategory=nemul^^urlclass=amqua^^dlpdictionaries=isnost^^dlpengine=eaco^^filetype=oremeu^^threatcategory=uis^^threatclass=isnost^^pagerisk=itvolu^^threatname=citation^^clientpublicIP=spernatu^^ClientIP=10.98.126.206^^location=tion^^refererURL=https://internal.example.org/uidolore/uatDuisa.htm?uipe=alo#ufugia^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]^^department=atatnonp^^user=ptassit^^event_id=sequat^^clienttranstime=Uteni^^requestmethod=oriosa^^requestsize=7244^^requestversion=temporai^^status=totamrem^^responsesize=4957^^responseversion=dminimve^^transactionsize=1182 -idolo ZSCALERNSS: time=citat Sep 19 1:09:05 2019^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=nderit1171.www5.domain^^protocol=rdp^^serverip=10.144.93.186^^url=https://www5.example.org/oriosa/ssusc.htm?atemacc=rsitvolu#isi^^urlcategory=umquia^^urlclass=evolu^^dlpdictionaries=quidolo^^dlpengine=utlabore^^filetype=texplica^^threatcategory=boru^^threatclass=ntut^^pagerisk=elaud^^threatname=acomm^^clientpublicIP=edquia^^ClientIP=10.84.140.5^^location=laboris^^refererURL=https://www.example.org/lpaquiof/isisten.txt?culp=Ciceroin#aeco^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36^^department=mull^^user=eroi^^event_id=adminim^^clienttranstime=naturau^^requestmethod=nima^^requestsize=4943^^requestversion=sed^^status=mUten^^responsesize=6658^^responseversion=tfugitse^^transactionsize=6480 -uianon ZSCALERNSS: time=iutal Oct 3 8:11:40 
2019^^timezone=ET^^action=Allowed^^reason=success^^hostname=nos4114.api.lan^^protocol=rdp^^serverip=10.31.58.6^^url=https://mail.example.net/tseddoei/byCi.gif?assitas=nul#ame^^urlcategory=lites^^urlclass=sec^^dlpdictionaries=aqua^^dlpengine=meumf^^filetype=olu^^threatcategory=ectet^^threatclass=tquovo^^pagerisk=orev^^threatname=lapa^^clientpublicIP=xeacom^^ClientIP=10.198.84.190^^location=henderi^^refererURL=https://mail.example.com/dminim/sse.gif?equ=turvelil#lor^^useragent=Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80^^department=ern^^user=unt^^event_id=volu^^clienttranstime=iineavo^^requestmethod=qua^^requestsize=6831^^requestversion=tenbyC^^status=xeacomm^^responsesize=6855^^responseversion=psu^^transactionsize=5856 -ept ZSCALERNSS: time=nem Oct 18 3:14:14 2019^^timezone=ET^^action=Allowed^^reason=unknown^^hostname=oremeum4231.internal.host^^protocol=ipv6^^serverip=10.139.90.218^^url=https://www5.example.org/liquipe/rehe.gif?niamqu=uioffi#suntin^^urlcategory=consequa^^urlclass=tionu^^dlpdictionaries=umqua^^dlpengine=ommod^^filetype=ione^^threatcategory=mnihi^^threatclass=rrorsi^^pagerisk=icons^^threatname=voluptat^^clientpublicIP=volu^^ClientIP=10.131.81.172^^location=llamcor^^refererURL=https://mail.example.com/veri/run.txt?enimadm=empo#apa^^useragent=Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30^^department=icons^^user=hende^^event_id=umdol^^clienttranstime=Sedutper^^requestmethod=exe^^requestsize=6188^^requestversion=preh^^status=dol^^responsesize=3128^^responseversion=gnamal^^transactionsize=6119 -utodit ZSCALERNSS: time=cer Nov 1 10:16:48 
2019^^timezone=PST^^action=Blocked^^reason=unknown^^hostname=ueip6097.api.host^^protocol=tcp^^serverip=10.128.43.71^^url=https://www.example.org/erit/asiarch.gif?tdolor=oremagna#siuta^^urlcategory=amnihil^^urlclass=nderit^^dlpdictionaries=ficia^^dlpengine=tru^^filetype=tionu^^threatcategory=natuser^^threatclass=olupt^^pagerisk=eprehe^^threatname=eetd^^clientpublicIP=tiumdo^^ClientIP=10.152.217.174^^location=litse^^refererURL=https://internal.example.com/nde/tNequepo.txt?end=ineavolu#ptate^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36^^department=nderitin^^user=mquiado^^event_id=ssequa^^clienttranstime=nisist^^requestmethod=temvele^^requestsize=7350^^requestversion=xeaco^^status=urm^^responsesize=114^^responseversion=porincid^^transactionsize=1150 -pici ZSCALERNSS: time=erit Nov 15 5:19:22 2019^^timezone=PT^^action=Blocked^^reason=success^^hostname=fugiatqu7793.www.localdomain^^protocol=ipv6-icmp^^serverip=10.26.149.221^^url=https://mail.example.org/maven/tectob.jpg?litsedd=mnis#ainci^^urlcategory=aturve^^urlclass=tiumdol^^dlpdictionaries=mporain^^dlpengine=secte^^filetype=dut^^threatcategory=aecons^^threatclass=tionemu^^pagerisk=edictasu^^threatname=quipexea^^clientpublicIP=orsit^^ClientIP=10.217.193.148^^location=tametco^^refererURL=https://api.example.com/lit/laborio.gif?mfug=acommod#mid^^useragent=Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36^^department=oloremag^^user=uisa^^event_id=umquidol^^clienttranstime=isiutali^^requestmethod=rehe^^requestsize=3382^^requestversion=adminima^^status=ipex^^responsesize=1046^^responseversion=sitvolup^^transactionsize=387 -agnamali ZSCALERNSS: time=ali Nov 30 12:21:57 
2019^^timezone=CET^^action=Blocked^^reason=unknown^^hostname=onsequ3168.www.corp^^protocol=icmp^^serverip=10.109.192.53^^url=https://www.example.com/siarch/oloremi.htm?one=iduntutl#tNe^^urlcategory=scive^^urlclass=tcupi^^dlpdictionaries=essequam^^dlpengine=destla^^filetype=oluptat^^threatcategory=ita^^threatclass=temUte^^pagerisk=idest^^threatname=ostru^^clientpublicIP=ptassit^^ClientIP=10.172.17.6^^location=samvolup^^refererURL=https://www5.example.org/taspe/empori.txt?emporain=ovo#aeabillo^^useragent=Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90^^department=boriosa^^user=eprehen^^event_id=rehen^^clienttranstime=sitasp^^requestmethod=tassit^^requestsize=212^^requestversion=teir^^status=suntin^^responsesize=4053^^responseversion=upta^^transactionsize=1487 -onevol ZSCALERNSS: time=llamco Dec 14 7:24:31 2019^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=oremquel3120.internal.localhost^^protocol=ggp^^serverip=10.119.106.108^^url=https://mail.example.com/ostr/liqu.txt?niam=mullamc#umtota^^urlcategory=ssecil^^urlclass=xplic^^dlpdictionaries=isn^^dlpengine=quepor^^filetype=Lor^^threatcategory=ten^^threatclass=exeacomm^^pagerisk=cusan^^threatname=oquisq^^clientpublicIP=olli^^ClientIP=10.135.38.213^^location=tiset^^refererURL=https://mail.example.net/erspici/xercitat.jpg?Exce=uae#tut^^useragent=Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61^^department=ser^^user=ore^^event_id=iatisund^^clienttranstime=ritquii^^requestmethod=volup^^requestsize=1902^^requestversion=orsi^^status=ull^^responsesize=391^^responseversion=dolorsi^^transactionsize=7745 
diff --git a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json
deleted file mode 100644
index 687938ddcea..00000000000
--- a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json
+++ /dev/null
@@ -1,7776 +0,0 @@ -[ - { - "@timestamp": "2016-01-29T08:09:59.000Z", - "destination.bytes": 1803, - "destination.ip": "10.206.191.17", - "event.action": "Blocked", - "event.code": "litesse", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "iusm ZSCALERNSS: time=modtempo Jan 29 6:09:59 2016^^timezone=GMT+02:00^^action=Blocked^^reason=failure^^hostname=rci737.www5.example^^protocol=tcp^^serverip=10.206.191.17^^url=https://api.example.com/ivelitse/ritin.htm?utl=vol#amremap^^urlcategory=oremi^^urlclass=ntsunti^^dlpdictionaries=nseq^^dlpengine=itinvol^^filetype=psa^^threatcategory=umq^^threatclass=ntium^^pagerisk=psaq^^threatname=cer^^clientpublicIP=reveri^^ClientIP=10.176.10.114^^location=lupt^^refererURL=https://internal.example.org/sequa/abo.gif?umqui=reeufugi#mdolo^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=sperna^^user=sumdo^^event_id=litesse^^clienttranstime=orev^^requestmethod=pisciv^^requestsize=1884^^requestversion=deF^^status=sist^^responsesize=1803^^responseversion=doeiu^^transactionsize=3942", - "event.timezone": "GMT+02:00", - "file.type": "psa", - "fileset.name": "zia", - "host.name": "rci737.www5.example", - "http.request.referrer": "https://internal.example.org/sequa/abo.gif?umqui=reeufugi#mdolo", - "input.type": "log", - "log.offset": 0, - "network.bytes": 3942, - "network.protocol": "tcp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "rci737.www5.example" - ], - "related.ip": [ - "10.176.10.114", - "10.206.191.17" - ], - "related.user": [ - "sumdo" - ], - "rsa.db.index": "ntsunti", - "rsa.identity.user_dept": "sperna", - "rsa.internal.data": "iusm", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "ntium", 
- "rsa.misc.action": [ - "Blocked", - "pisciv" - ], - "rsa.misc.category": "umq", - "rsa.misc.filter": "oremi", - "rsa.misc.reference_id": "litesse", - "rsa.misc.result": "failure", - "rsa.misc.result_code": "sist", - "rsa.network.alias_host": [ - "rci737.www5.example" - ], - "rsa.threat.threat_category": "cer", - "rsa.time.event_time": "2016-01-29T08:09:59.000Z", - "rsa.time.timezone": "GMT+02:00", - "rsa.web.fqdn": "rci737.www5.example", - "service.type": "zscaler", - "source.bytes": 1884, - "source.ip": "10.176.10.114", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "api.example.com", - "url.extension": "htm", - "url.fragment": "amremap", - "url.original": "https://api.example.com/ivelitse/ritin.htm?utl=vol#amremap", - "url.path": "/ivelitse/ritin.htm", - "url.query": "utl=vol", - "url.scheme": "https", - "user.name": "sumdo", - "user_agent.device.name": "Generic Smartphone", - "user_agent.name": "Opera Mini", - "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", - "user_agent.os.name": "Symbian OS", - "user_agent.version": "7.1.32444" - }, - { - "@timestamp": "2016-02-12T03:12:33.000Z", - "destination.bytes": 2004, - "destination.ip": "10.173.22.152", - "event.action": "Allowed", - "event.code": "byC", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "olupt ZSCALERNSS: time=volup Feb 12 1:12:33 2016^^timezone=CT^^action=Allowed^^reason=failure^^hostname=eosquir5191.www.example^^protocol=rdp^^serverip=10.173.22.152^^url=https://internal.example.net/isiutal/moenimi.jpg?gnaali=enatus#mquia^^urlcategory=ameaqu^^urlclass=aqu^^dlpdictionaries=utper^^dlpengine=squame^^filetype=ntex^^threatcategory=eius^^threatclass=luptat^^pagerisk=emape^^threatname=aer^^clientpublicIP=lupt^^ClientIP=10.26.46.95^^location=uame^^refererURL=https://www.example.net/orisn/cca.htm?ofdeF=metcons#roinBCS^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=com^^user=eataevi^^event_id=byC^^clienttranstime=tinculp^^requestmethod=tur^^requestsize=2977^^requestversion=equat^^status=atemsequ^^responsesize=2004^^responseversion=minim^^transactionsize=7868", - "event.timezone": "CT", - "file.type": "ntex", - "fileset.name": "zia", - "host.name": "eosquir5191.www.example", - "http.request.referrer": "https://www.example.net/orisn/cca.htm?ofdeF=metcons#roinBCS", - "input.type": "log", - "log.offset": 844, - "network.bytes": 7868, - "network.protocol": "rdp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "eosquir5191.www.example" - ], - "related.ip": [ - "10.173.22.152", - "10.26.46.95" - ], - "related.user": [ - "eataevi" - ], - "rsa.db.index": "aqu", - "rsa.identity.user_dept": "com", - "rsa.internal.data": "olupt", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "luptat", - "rsa.misc.action": [ - "Allowed", - "tur" - ], - "rsa.misc.category": "eius", - "rsa.misc.filter": "ameaqu", - "rsa.misc.reference_id": "byC", - "rsa.misc.result": "failure", - "rsa.misc.result_code": "atemsequ", - "rsa.network.alias_host": [ - "eosquir5191.www.example" - ], - "rsa.threat.threat_category": "aer", - "rsa.time.event_time": "2016-02-12T03:12:33.000Z", - "rsa.time.timezone": "CT", - "rsa.web.fqdn": "eosquir5191.www.example", - "service.type": "zscaler", - "source.bytes": 2977, - "source.ip": "10.26.46.95", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "internal.example.net", - "url.extension": "jpg", - "url.fragment": "mquia", - "url.original": "https://internal.example.net/isiutal/moenimi.jpg?gnaali=enatus#mquia", - "url.path": "/isiutal/moenimi.jpg", - "url.query": "gnaali=enatus", - 
"url.scheme": "https", - "user.name": "eataevi", - "user_agent.device.name": "Micromax P410i", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", - "user_agent.os.full": "Android 4.1.2", - "user_agent.os.name": "Android", - "user_agent.os.version": "4.1.2", - "user_agent.version": "63.0.3239.111" - }, - { - "@timestamp": "2016-02-26T10:15:08.000Z", - "destination.bytes": 1837, - "destination.ip": "10.204.86.149", - "event.action": "Blocked", - "event.code": "laboreet", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "amco ZSCALERNSS: time=exe Feb 26 8:15:08 2016^^timezone=CT^^action=Blocked^^reason=success^^hostname=orsitame3262.domain^^protocol=igmp^^serverip=10.204.86.149^^url=https://example.com/taspe/mvolu.gif?atcup=snos#iquaUte^^urlcategory=tconsec^^urlclass=nsequat^^dlpdictionaries=taev^^dlpengine=roidents^^filetype=oluptas^^threatcategory=llu^^threatclass=uptassi^^pagerisk=tamremap^^threatname=tur^^clientpublicIP=aperi^^ClientIP=10.254.146.57^^location=estqui^^refererURL=https://www5.example.net/emaper/ssitasp.html?enimad=rmagni#sit^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=onev^^user=tenima^^event_id=laboreet^^clienttranstime=aquaeabi^^requestmethod=giatq^^requestsize=2935^^requestversion=veleumi^^status=tia^^responsesize=1837^^responseversion=ude^^transactionsize=6905", - "event.timezone": "CT", - "file.type": "oluptas", - "fileset.name": "zia", - "host.name": "orsitame3262.domain", - "http.request.referrer": "https://www5.example.net/emaper/ssitasp.html?enimad=rmagni#sit", - "input.type": "log", - "log.offset": 1742, - "network.bytes": 6905, - "network.protocol": "igmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": 
"Zscaler", - "related.hosts": [ - "orsitame3262.domain" - ], - "related.ip": [ - "10.204.86.149", - "10.254.146.57" - ], - "related.user": [ - "tenima" - ], - "rsa.db.index": "nsequat", - "rsa.identity.user_dept": "onev", - "rsa.internal.data": "amco", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "uptassi", - "rsa.misc.action": [ - "Blocked", - "giatq" - ], - "rsa.misc.category": "llu", - "rsa.misc.filter": "tconsec", - "rsa.misc.reference_id": "laboreet", - "rsa.misc.result": "success", - "rsa.misc.result_code": "tia", - "rsa.network.alias_host": [ - "orsitame3262.domain" - ], - "rsa.threat.threat_category": "tur", - "rsa.time.event_time": "2016-02-26T10:15:08.000Z", - "rsa.time.timezone": "CT", - "rsa.web.fqdn": "orsitame3262.domain", - "service.type": "zscaler", - "source.bytes": 2935, - "source.ip": "10.254.146.57", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "example.com", - "url.extension": "gif", - "url.fragment": "iquaUte", - "url.original": "https://example.com/taspe/mvolu.gif?atcup=snos#iquaUte", - "url.path": "/taspe/mvolu.gif", - "url.query": "atcup=snos", - "url.scheme": "https", - "user.name": "tenima", - "user_agent.device.name": "U307AS", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2016-03-12T05:17:42.000Z", - "destination.bytes": 3856, - "destination.ip": "10.103.246.190", - "event.action": "Allowed", - "event.code": "suntinc", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "uian ZSCALERNSS: time=tempo Mar 12 3:17:42 
2016^^timezone=PST^^action=Allowed^^reason=failure^^hostname=tempor4496.www.localdomain^^protocol=ipv6^^serverip=10.103.246.190^^url=https://api.example.org/doloreeu/pori.jpg?itati=mfu#uid^^urlcategory=atatnonp^^urlclass=uiano^^dlpdictionaries=mrema^^dlpengine=autfu^^filetype=natura^^threatcategory=aboris^^threatclass=ima^^pagerisk=tanimi^^threatname=nimadmin^^clientpublicIP=erep^^ClientIP=10.252.125.53^^location=ugiatqu^^refererURL=https://internal.example.net/Utenimad/nibusBon.html?emq=isiu#nimadmi^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ari^^user=equun^^event_id=suntinc^^clienttranstime=elits^^requestmethod=llam^^requestsize=3077^^requestversion=gelits^^status=tatevel^^responsesize=3856^^responseversion=uptatev^^transactionsize=4292", - "event.timezone": "PST", - "file.type": "natura", - "fileset.name": "zia", - "host.name": "tempor4496.www.localdomain", - "http.request.referrer": "https://internal.example.net/Utenimad/nibusBon.html?emq=isiu#nimadmi", - "input.type": "log", - "log.offset": 2617, - "network.bytes": 4292, - "network.protocol": "ipv6", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "tempor4496.www.localdomain" - ], - "related.ip": [ - "10.103.246.190", - "10.252.125.53" - ], - "related.user": [ - "equun" - ], - "rsa.db.index": "uiano", - "rsa.identity.user_dept": "ari", - "rsa.internal.data": "uian", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "ima", - "rsa.misc.action": [ - "Allowed", - "llam" - ], - "rsa.misc.category": "aboris", - "rsa.misc.filter": "atatnonp", - "rsa.misc.reference_id": "suntinc", - "rsa.misc.result": "failure", - "rsa.misc.result_code": "tatevel", - "rsa.network.alias_host": [ - 
"tempor4496.www.localdomain" - ], - "rsa.threat.threat_category": "nimadmin", - "rsa.time.event_time": "2016-03-12T05:17:42.000Z", - "rsa.time.timezone": "PST", - "rsa.web.fqdn": "tempor4496.www.localdomain", - "service.type": "zscaler", - "source.bytes": 3077, - "source.ip": "10.252.125.53", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "api.example.org", - "url.extension": "jpg", - "url.fragment": "uid", - "url.original": "https://api.example.org/doloreeu/pori.jpg?itati=mfu#uid", - "url.path": "/doloreeu/pori.jpg", - "url.query": "itati=mfu", - "url.scheme": "https", - "user.name": "equun", - "user_agent.device.name": "G8142", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2016-03-26T12:20:16.000Z", - "destination.bytes": 5772, - "destination.ip": "10.61.78.108", - "event.action": "Blocked", - "event.code": "umdolore", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "dmi ZSCALERNSS: time=olab Mar 26 10:20:16 2016^^timezone=GMT-07:00^^action=Blocked^^reason=unknown^^hostname=ore2933.www.test^^protocol=ipv6-icmp^^serverip=10.61.78.108^^url=https://api.example.com/ele/tenbyCic.gif?porainc=amquisno#iinea^^urlcategory=ipit^^urlclass=idexea^^dlpdictionaries=riat^^dlpengine=luptatem^^filetype=umdolor^^threatcategory=osquir^^threatclass=inim^^pagerisk=ema^^threatname=roinBCSe^^clientpublicIP=onse^^ClientIP=10.136.153.149^^location=animi^^refererURL=https://www5.example.org/ofdeF/tion.htm?emqu=lit#iam^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile 
Safari/537.36^^department=ciati^^user=ercit^^event_id=umdolore^^clienttranstime=eniam^^requestmethod=reetdolo^^requestsize=2451^^requestversion=onse^^status=rumet^^responsesize=5772^^responseversion=tatno^^transactionsize=6787", - "event.timezone": "GMT-07:00", - "file.type": "umdolor", - "fileset.name": "zia", - "host.name": "ore2933.www.test", - "http.request.referrer": "https://www5.example.org/ofdeF/tion.htm?emqu=lit#iam", - "input.type": "log", - "log.offset": 3507, - "network.bytes": 6787, - "network.protocol": "ipv6-icmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "ore2933.www.test" - ], - "related.ip": [ - "10.136.153.149", - "10.61.78.108" - ], - "related.user": [ - "ercit" - ], - "rsa.db.index": "idexea", - "rsa.identity.user_dept": "ciati", - "rsa.internal.data": "dmi", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "inim", - "rsa.misc.action": [ - "Blocked", - "reetdolo" - ], - "rsa.misc.category": "osquir", - "rsa.misc.filter": "ipit", - "rsa.misc.reference_id": "umdolore", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "rumet", - "rsa.network.alias_host": [ - "ore2933.www.test" - ], - "rsa.threat.threat_category": "roinBCSe", - "rsa.time.event_time": "2016-03-26T12:20:16.000Z", - "rsa.time.timezone": "GMT-07:00", - "rsa.web.fqdn": "ore2933.www.test", - "service.type": "zscaler", - "source.bytes": 2451, - "source.ip": "10.136.153.149", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "api.example.com", - "url.extension": "gif", - "url.fragment": "iinea", - "url.original": "https://api.example.com/ele/tenbyCic.gif?porainc=amquisno#iinea", - "url.path": "/ele/tenbyCic.gif", - "url.query": "porainc=amquisno", - "url.scheme": "https", - "user.name": "ercit", - 
"user_agent.device.name": "ZTE BLADE V7", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2016-04-09T07:22:51.000Z", - "destination.bytes": 2984, - "destination.ip": "10.183.16.166", - "event.action": "Allowed", - "event.code": "remipsum", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "llam ZSCALERNSS: time=aspern Apr 9 5:22:51 2016^^timezone=GMT-07:00^^action=Allowed^^reason=success^^hostname=ollit4105.mail.localdomain^^protocol=ipv6-icmp^^serverip=10.183.16.166^^url=https://mail.example.org/sitas/ehenderi.jpg?atquovo=iumto#aboreetd^^urlcategory=sun^^urlclass=essecill^^dlpdictionaries=Duisau^^dlpengine=psum^^filetype=eriame^^threatcategory=lorema^^threatclass=avol^^pagerisk=labor^^threatname=atuse^^clientpublicIP=ddoeiu^^ClientIP=10.66.250.92^^location=onse^^refererURL=https://example.com/metcon/smo.jpg?upta=omn#ipsumq^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=ons^^user=tessec^^event_id=remipsum^^clienttranstime=liq^^requestmethod=ist^^requestsize=571^^requestversion=caecatc^^status=onsequat^^responsesize=2984^^responseversion=edquiano^^transactionsize=6061", - "event.timezone": "GMT-07:00", - "file.type": "eriame", - "fileset.name": "zia", - "host.name": "ollit4105.mail.localdomain", - "http.request.referrer": "https://example.com/metcon/smo.jpg?upta=omn#ipsumq", - "input.type": "log", - "log.offset": 4394, - "network.bytes": 6061, - "network.protocol": "ipv6-icmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - 
"ollit4105.mail.localdomain" - ], - "related.ip": [ - "10.183.16.166", - "10.66.250.92" - ], - "related.user": [ - "tessec" - ], - "rsa.db.index": "essecill", - "rsa.identity.user_dept": "ons", - "rsa.internal.data": "llam", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "avol", - "rsa.misc.action": [ - "Allowed", - "ist" - ], - "rsa.misc.category": "lorema", - "rsa.misc.filter": "sun", - "rsa.misc.reference_id": "remipsum", - "rsa.misc.result": "success", - "rsa.misc.result_code": "onsequat", - "rsa.network.alias_host": [ - "ollit4105.mail.localdomain" - ], - "rsa.threat.threat_category": "atuse", - "rsa.time.event_time": "2016-04-09T07:22:51.000Z", - "rsa.time.timezone": "GMT-07:00", - "rsa.web.fqdn": "ollit4105.mail.localdomain", - "service.type": "zscaler", - "source.bytes": 571, - "source.ip": "10.66.250.92", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "mail.example.org", - "url.extension": "jpg", - "url.fragment": "aboreetd", - "url.original": "https://mail.example.org/sitas/ehenderi.jpg?atquovo=iumto#aboreetd", - "url.path": "/sitas/ehenderi.jpg", - "url.query": "atquovo=iumto", - "url.scheme": "https", - "user.name": "tessec", - "user_agent.device.name": "Pixel 3", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "66.0.3359.158" - }, - { - "@timestamp": "2016-04-24T14:25:25.000Z", - "destination.bytes": 2053, - "destination.ip": "10.243.224.205", - "event.action": "Blocked", - "event.code": "lpa", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "ema 
ZSCALERNSS: time=par Apr 24 12:25:25 2016^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=cup1793.local^^protocol=ipv6^^serverip=10.243.224.205^^url=https://mail.example.net/aborumSe/luptat.txt?antiumto=strude#ctetura^^urlcategory=usmod^^urlclass=edqui^^dlpdictionaries=mquidol^^dlpengine=ita^^filetype=ipi^^threatcategory=rsitamet^^threatclass=lupt^^pagerisk=xea^^threatname=qua^^clientpublicIP=luptatev^^ClientIP=10.123.104.59^^location=uisquam^^refererURL=https://api.example.com/loremq/lores.txt?iqui=etc#etM^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=eprehen^^user=xercitat^^event_id=lpa^^clienttranstime=entsu^^requestmethod=dun^^requestsize=941^^requestversion=aliq^^status=rsitam^^responsesize=2053^^responseversion=imaven^^transactionsize=152", - "event.timezone": "PT", - "file.type": "ipi", - "fileset.name": "zia", - "host.name": "cup1793.local", - "http.request.referrer": "https://api.example.com/loremq/lores.txt?iqui=etc#etM", - "input.type": "log", - "log.offset": 5306, - "network.bytes": 152, - "network.protocol": "ipv6", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "cup1793.local" - ], - "related.ip": [ - "10.123.104.59", - "10.243.224.205" - ], - "related.user": [ - "xercitat" - ], - "rsa.db.index": "edqui", - "rsa.identity.user_dept": "eprehen", - "rsa.internal.data": "ema", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "lupt", - "rsa.misc.action": [ - "Blocked", - "dun" - ], - "rsa.misc.category": "rsitamet", - "rsa.misc.filter": "usmod", - "rsa.misc.reference_id": "lpa", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "rsitam", - "rsa.network.alias_host": [ - 
"cup1793.local" - ], - "rsa.threat.threat_category": "qua", - "rsa.time.event_time": "2016-04-24T14:25:25.000Z", - "rsa.time.timezone": "PT", - "rsa.web.fqdn": "cup1793.local", - "service.type": "zscaler", - "source.bytes": 941, - "source.ip": "10.123.104.59", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "mail.example.net", - "url.extension": "txt", - "url.fragment": "ctetura", - "url.original": "https://mail.example.net/aborumSe/luptat.txt?antiumto=strude#ctetura", - "url.path": "/aborumSe/luptat.txt", - "url.query": "antiumto=strude", - "url.scheme": "https", - "user.name": "xercitat", - "user_agent.device.name": "Micromax P410i", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", - "user_agent.os.full": "Android 4.1.2", - "user_agent.os.name": "Android", - "user_agent.os.version": "4.1.2", - "user_agent.version": "63.0.3239.111" - }, - { - "@timestamp": "2016-05-08T09:27:59.000Z", - "destination.bytes": 6888, - "destination.ip": "10.119.185.63", - "event.action": "Blocked", - "event.code": "amqu", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "tema ZSCALERNSS: time=ritatis May 8 7:27:59 2016^^timezone=GMT+02:00^^action=Blocked^^reason=unknown^^hostname=icab4668.local^^protocol=udp^^serverip=10.119.185.63^^url=https://www5.example.net/ntutla/equa.jpg?civeli=errorsi#des^^urlcategory=rehe^^urlclass=ume^^dlpdictionaries=incidi^^dlpengine=picia^^filetype=mUtenima^^threatcategory=emaperi^^threatclass=tame^^pagerisk=tinvol^^threatname=tectobe^^clientpublicIP=colabor^^ClientIP=10.74.17.5^^location=untut^^refererURL=https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu^^useragent=Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 
YaSearchBrowser/9.80^^department=itecto^^user=erc^^event_id=amqu^^clienttranstime=uines^^requestmethod=nsec^^requestsize=6907^^requestversion=estqu^^status=inibusBo^^responsesize=6888^^responseversion=ostrume^^transactionsize=6051", - "event.timezone": "GMT+02:00", - "file.type": "mUtenima", - "fileset.name": "zia", - "host.name": "icab4668.local", - "http.request.referrer": "https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu", - "input.type": "log", - "log.offset": 6194, - "network.bytes": 6051, - "network.protocol": "udp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "icab4668.local" - ], - "related.ip": [ - "10.119.185.63", - "10.74.17.5" - ], - "related.user": [ - "erc" - ], - "rsa.db.index": "ume", - "rsa.identity.user_dept": "itecto", - "rsa.internal.data": "tema", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "tame", - "rsa.misc.action": [ - "Blocked", - "nsec" - ], - "rsa.misc.category": "emaperi", - "rsa.misc.filter": "rehe", - "rsa.misc.reference_id": "amqu", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "inibusBo", - "rsa.network.alias_host": [ - "icab4668.local" - ], - "rsa.threat.threat_category": "tectobe", - "rsa.time.event_time": "2016-05-08T09:27:59.000Z", - "rsa.time.timezone": "GMT+02:00", - "rsa.web.fqdn": "icab4668.local", - "service.type": "zscaler", - "source.bytes": 6907, - "source.ip": "10.74.17.5", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "www5.example.net", - "url.extension": "jpg", - "url.fragment": "des", - "url.original": "https://www5.example.net/ntutla/equa.jpg?civeli=errorsi#des", - "url.path": "/ntutla/equa.jpg", - "url.query": "civeli=errorsi", - "url.scheme": "https", - "user.name": "erc", - "user_agent.device.name": "Android", - 
"user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80", - "user_agent.os.full": "Android 5.1.1", - "user_agent.os.name": "Android", - "user_agent.os.version": "5.1.1", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2016-05-22T04:30:33.000Z", - "destination.bytes": 6354, - "destination.ip": "10.78.151.178", - "event.action": "Allowed", - "event.code": "mporain", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "upt ZSCALERNSS: time=uiineavo May 22 2:30:33 2016^^timezone=CET^^action=Allowed^^reason=unknown^^hostname=aperia4409.www5.invalid^^protocol=rdp^^serverip=10.78.151.178^^url=https://api.example.net/atvol/umiur.txt?tati=utaliqu#oriosamn^^urlcategory=deFinibu^^urlclass=iadese^^dlpdictionaries=imidest^^dlpengine=emagnama^^filetype=eprehend^^threatcategory=hil^^threatclass=atquovo^^pagerisk=suntinc^^threatname=xeac^^clientpublicIP=nidolo^^ClientIP=10.25.192.202^^location=intoccae^^refererURL=https://www.example.net/pida/nse.html?emeumfu=CSed#lupt^^useragent=Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ecillu^^user=quip^^event_id=mporain^^clienttranstime=icons^^requestmethod=amvolup^^requestsize=7700^^requestversion=temveleu^^status=colabo^^responsesize=6354^^responseversion=orinrepr^^transactionsize=6578", - "event.timezone": "CET", - "file.type": "eprehend", - "fileset.name": "zia", - "host.name": "aperia4409.www5.invalid", - "http.request.referrer": "https://www.example.net/pida/nse.html?emeumfu=CSed#lupt", - "input.type": "log", - "log.offset": 7136, - "network.bytes": 6578, - "network.protocol": "rdp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - 
"aperia4409.www5.invalid" - ], - "related.ip": [ - "10.25.192.202", - "10.78.151.178" - ], - "related.user": [ - "quip" - ], - "rsa.db.index": "iadese", - "rsa.identity.user_dept": "ecillu", - "rsa.internal.data": "upt", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "atquovo", - "rsa.misc.action": [ - "Allowed", - "amvolup" - ], - "rsa.misc.category": "hil", - "rsa.misc.filter": "deFinibu", - "rsa.misc.reference_id": "mporain", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "colabo", - "rsa.network.alias_host": [ - "aperia4409.www5.invalid" - ], - "rsa.threat.threat_category": "xeac", - "rsa.time.event_time": "2016-05-22T04:30:33.000Z", - "rsa.time.timezone": "CET", - "rsa.web.fqdn": "aperia4409.www5.invalid", - "service.type": "zscaler", - "source.bytes": 7700, - "source.ip": "10.25.192.202", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "api.example.net", - "url.extension": "txt", - "url.fragment": "oriosamn", - "url.original": "https://api.example.net/atvol/umiur.txt?tati=utaliqu#oriosamn", - "url.path": "/atvol/umiur.txt", - "url.query": "tati=utaliqu", - "url.scheme": "https", - "user.name": "quip", - "user_agent.device.name": "VS996", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 8.0.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "8.0.0", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2016-06-05T11:33:08.000Z", - "destination.bytes": 5269, - "destination.ip": "10.71.170.37", - "event.action": "Allowed", - "event.code": "umexerci", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "rumetM ZSCALERNSS: time=equi Jun 5 
9:33:08 2016^^timezone=GMT+02:00^^action=Allowed^^reason=success^^hostname=sitvolup368.internal.host^^protocol=igmp^^serverip=10.71.170.37^^url=https://mail.example.net/equep/iavolu.gif?aqu=rpo#uipe^^urlcategory=inesci^^urlclass=serror^^dlpdictionaries=aliqu^^dlpengine=olupta^^filetype=mipsumd^^threatcategory=eFinib^^threatclass=ihilm^^pagerisk=atDu^^threatname=eav^^clientpublicIP=ionevo^^ClientIP=10.135.225.244^^location=orev^^refererURL=https://api.example.net/quirat/llu.jpg?isc=aturve#emulla^^useragent=Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=atiset^^user=atu^^event_id=umexerci^^clienttranstime=ern^^requestmethod=psaquae^^requestsize=7355^^requestversion=nsectet^^status=utla^^responsesize=5269^^responseversion=sci^^transactionsize=2526", - "event.timezone": "GMT+02:00", - "file.type": "mipsumd", - "fileset.name": "zia", - "host.name": "sitvolup368.internal.host", - "http.request.referrer": "https://api.example.net/quirat/llu.jpg?isc=aturve#emulla", - "input.type": "log", - "log.offset": 8036, - "network.bytes": 2526, - "network.protocol": "igmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "sitvolup368.internal.host" - ], - "related.ip": [ - "10.135.225.244", - "10.71.170.37" - ], - "related.user": [ - "atu" - ], - "rsa.db.index": "serror", - "rsa.identity.user_dept": "atiset", - "rsa.internal.data": "rumetM", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "ihilm", - "rsa.misc.action": [ - "Allowed", - "psaquae" - ], - "rsa.misc.category": "eFinib", - "rsa.misc.filter": "inesci", - "rsa.misc.reference_id": "umexerci", - "rsa.misc.result": "success", - "rsa.misc.result_code": "utla", - "rsa.network.alias_host": [ - 
"sitvolup368.internal.host" - ], - "rsa.threat.threat_category": "eav", - "rsa.time.event_time": "2016-06-05T11:33:08.000Z", - "rsa.time.timezone": "GMT+02:00", - "rsa.web.fqdn": "sitvolup368.internal.host", - "service.type": "zscaler", - "source.bytes": 7355, - "source.ip": "10.135.225.244", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "mail.example.net", - "url.extension": "gif", - "url.fragment": "uipe", - "url.original": "https://mail.example.net/equep/iavolu.gif?aqu=rpo#uipe", - "url.path": "/equep/iavolu.gif", - "url.query": "aqu=rpo", - "url.scheme": "https", - "user.name": "atu", - "user_agent.device.name": "POCOPHONE F1", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2016-06-20T06:35:42.000Z", - "destination.bytes": 752, - "destination.ip": "10.223.247.86", - "event.action": "Allowed", - "event.code": "lup", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "tlabori ZSCALERNSS: time=oin Jun 20 4:35:42 2016^^timezone=ET^^action=Allowed^^reason=success^^hostname=ite2026.www.invalid^^protocol=udp^^serverip=10.223.247.86^^url=https://example.org/bor/occa.htm?dol=leumiu#namali^^urlcategory=taevit^^urlclass=rinrepre^^dlpdictionaries=etconse^^dlpengine=tincu^^filetype=ari^^threatcategory=exercit^^threatclass=sci^^pagerisk=quamnih^^threatname=oluptate^^clientpublicIP=onseq^^ClientIP=10.19.145.131^^location=texp^^refererURL=https://internal.example.net/acc/amc.txt?amest=corp#modtemp^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile 
Safari/537.36^^department=oluptas^^user=tNequepo^^event_id=lup^^clienttranstime=nula^^requestmethod=emseq^^requestsize=821^^requestversion=ento^^status=pic^^responsesize=752^^responseversion=eriamea^^transactionsize=7741", - "event.timezone": "ET", - "file.type": "ari", - "fileset.name": "zia", - "host.name": "ite2026.www.invalid", - "http.request.referrer": "https://internal.example.net/acc/amc.txt?amest=corp#modtemp", - "input.type": "log", - "log.offset": 8916, - "network.bytes": 7741, - "network.protocol": "udp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "ite2026.www.invalid" - ], - "related.ip": [ - "10.19.145.131", - "10.223.247.86" - ], - "related.user": [ - "tNequepo" - ], - "rsa.db.index": "rinrepre", - "rsa.identity.user_dept": "oluptas", - "rsa.internal.data": "tlabori", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "sci", - "rsa.misc.action": [ - "Allowed", - "emseq" - ], - "rsa.misc.category": "exercit", - "rsa.misc.filter": "taevit", - "rsa.misc.reference_id": "lup", - "rsa.misc.result": "success", - "rsa.misc.result_code": "pic", - "rsa.network.alias_host": [ - "ite2026.www.invalid" - ], - "rsa.threat.threat_category": "oluptate", - "rsa.time.event_time": "2016-06-20T06:35:42.000Z", - "rsa.time.timezone": "ET", - "rsa.web.fqdn": "ite2026.www.invalid", - "service.type": "zscaler", - "source.bytes": 821, - "source.ip": "10.19.145.131", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "example.org", - "url.extension": "htm", - "url.fragment": "namali", - "url.original": "https://example.org/bor/occa.htm?dol=leumiu#namali", - "url.path": "/bor/occa.htm", - "url.query": "dol=leumiu", - "url.scheme": "https", - "user.name": "tNequepo", - "user_agent.device.name": "Micromax P410i", - 
"user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", - "user_agent.os.full": "Android 4.1.2", - "user_agent.os.name": "Android", - "user_agent.os.version": "4.1.2", - "user_agent.version": "63.0.3239.111" - }, - { - "@timestamp": "2016-07-04T13:38:16.000Z", - "destination.bytes": 3314, - "destination.ip": "10.2.53.125", - "event.action": "Allowed", - "event.code": "radi", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "rsita ZSCALERNSS: time=niamqui Jul 4 11:38:16 2016^^timezone=GMT-07:00^^action=Allowed^^reason=failure^^hostname=radipisc7020.home^^protocol=ipv6^^serverip=10.2.53.125^^url=https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos^^urlcategory=pariatu^^urlclass=tin^^dlpdictionaries=tenima^^dlpengine=tsedqu^^filetype=agnid^^threatcategory=proide^^threatclass=dolorem^^pagerisk=tlab^^threatname=volupt^^clientpublicIP=osqui^^ClientIP=10.181.80.139^^location=hitecto^^refererURL=https://www.example.net/liquide/etdol.jpg?uun=sequine#ectio^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36^^department=aboN^^user=ihilmo^^event_id=radi^^clienttranstime=gel^^requestmethod=lorsitam^^requestsize=6408^^requestversion=veniam^^status=ris^^responsesize=3314^^responseversion=ulapa^^transactionsize=7298", - "event.timezone": "GMT-07:00", - "file.type": "agnid", - "fileset.name": "zia", - "host.name": "radipisc7020.home", - "http.request.referrer": "https://www.example.net/liquide/etdol.jpg?uun=sequine#ectio", - "input.type": "log", - "log.offset": 9805, - "network.bytes": 7298, - "network.protocol": "ipv6", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "radipisc7020.home" - ], - "related.ip": [ - "10.181.80.139", - 
"10.2.53.125" - ], - "related.user": [ - "ihilmo" - ], - "rsa.db.index": "tin", - "rsa.identity.user_dept": "aboN", - "rsa.internal.data": "rsita", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "dolorem", - "rsa.misc.action": [ - "Allowed", - "lorsitam" - ], - "rsa.misc.category": "proide", - "rsa.misc.filter": "pariatu", - "rsa.misc.reference_id": "radi", - "rsa.misc.result": "failure", - "rsa.misc.result_code": "ris", - "rsa.network.alias_host": [ - "radipisc7020.home" - ], - "rsa.threat.threat_category": "volupt", - "rsa.time.event_time": "2016-07-04T13:38:16.000Z", - "rsa.time.timezone": "GMT-07:00", - "rsa.web.fqdn": "radipisc7020.home", - "service.type": "zscaler", - "source.bytes": 6408, - "source.ip": "10.181.80.139", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "internal.example.net", - "url.extension": "htm", - "url.fragment": "reseos", - "url.original": "https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos", - "url.path": "/oru/temqu.htm", - "url.query": "etMalor=ipi", - "url.scheme": "https", - "user.name": "ihilmo", - "user_agent.device.name": "Notepad_K10", - "user_agent.name": "Chrome", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2016-07-18T08:40:50.000Z", - "destination.bytes": 2742, - "destination.ip": "10.31.240.6", - "event.action": "Allowed", - "event.code": "olup", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "quioffi ZSCALERNSS: time=uptate Jul 18 6:40:50 
2016^^timezone=ET^^action=Allowed^^reason=unknown^^hostname=uamei2493.www.test^^protocol=tcp^^serverip=10.31.240.6^^url=https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn^^urlcategory=isnisiu^^urlclass=bore^^dlpdictionaries=tsu^^dlpengine=tcons^^filetype=sciun^^threatcategory=sBono^^threatclass=catc^^pagerisk=nsect^^threatname=idata^^clientpublicIP=rumwritt^^ClientIP=10.167.98.76^^location=dol^^refererURL=https://api.example.org/citation/tisetq.html?Utenimad=orpor#tlabo^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=gnido^^user=ratvolu^^event_id=olup^^clienttranstime=numqua^^requestmethod=veni^^requestsize=3140^^requestversion=abo^^status=veniamqu^^responsesize=2742^^responseversion=aliquide^^transactionsize=3073", - "event.timezone": "ET", - "file.type": "sciun", - "fileset.name": "zia", - "host.name": "uamei2493.www.test", - "http.request.referrer": "https://api.example.org/citation/tisetq.html?Utenimad=orpor#tlabo", - "input.type": "log", - "log.offset": 10682, - "network.bytes": 3073, - "network.protocol": "tcp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "uamei2493.www.test" - ], - "related.ip": [ - "10.167.98.76", - "10.31.240.6" - ], - "related.user": [ - "ratvolu" - ], - "rsa.db.index": "bore", - "rsa.identity.user_dept": "gnido", - "rsa.internal.data": "quioffi", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "catc", - "rsa.misc.action": [ - "Allowed", - "veni" - ], - "rsa.misc.category": "sBono", - "rsa.misc.filter": "isnisiu", - "rsa.misc.reference_id": "olup", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "veniamqu", - "rsa.network.alias_host": [ - 
"uamei2493.www.test" - ], - "rsa.threat.threat_category": "idata", - "rsa.time.event_time": "2016-07-18T08:40:50.000Z", - "rsa.time.timezone": "ET", - "rsa.web.fqdn": "uamei2493.www.test", - "service.type": "zscaler", - "source.bytes": 3140, - "source.ip": "10.167.98.76", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "mail.example.net", - "url.extension": "html", - "url.fragment": "osamn", - "url.original": "https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn", - "url.path": "/itatione/isnis.html", - "url.query": "oluptate=issus", - "url.scheme": "https", - "user.name": "ratvolu", - "user_agent.device.name": "Pixel 3", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "66.0.3359.158" - }, - { - "@timestamp": "2016-08-02T03:43:25.000Z", - "destination.bytes": 5368, - "destination.ip": "10.0.55.9", - "event.action": "Allowed", - "event.code": "rcitati", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "equat ZSCALERNSS: time=derit Aug 2 1:43:25 2016^^timezone=PT^^action=Allowed^^reason=success^^hostname=piscin6866.internal.host^^protocol=udp^^serverip=10.0.55.9^^url=https://www.example.org/eporr/xeacomm.html?aturQui=utlabor#rau^^urlcategory=idex^^urlclass=mfugiat^^dlpdictionaries=nisiuta^^dlpengine=tvolu^^filetype=ecte^^threatcategory=tinvolu^^threatclass=iurer^^pagerisk=iciadese^^threatname=quidolor^^clientpublicIP=tessec^^ClientIP=10.135.160.125^^location=mve^^refererURL=https://internal.example.com/uisau/eleum.htm?nre=ercitat#inim^^useragent=Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile 
Safari/537.36^^department=Utenima^^user=volupta^^event_id=rcitati^^clienttranstime=eni^^requestmethod=ionevo^^requestsize=3616^^requestversion=Ute^^status=sperna^^responsesize=5368^^responseversion=mnisi^^transactionsize=509", - "event.timezone": "PT", - "file.type": "ecte", - "fileset.name": "zia", - "host.name": "piscin6866.internal.host", - "http.request.referrer": "https://internal.example.com/uisau/eleum.htm?nre=ercitat#inim", - "input.type": "log", - "log.offset": 11586, - "network.bytes": 509, - "network.protocol": "udp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "piscin6866.internal.host" - ], - "related.ip": [ - "10.0.55.9", - "10.135.160.125" - ], - "related.user": [ - "volupta" - ], - "rsa.db.index": "mfugiat", - "rsa.identity.user_dept": "Utenima", - "rsa.internal.data": "equat", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "iurer", - "rsa.misc.action": [ - "Allowed", - "ionevo" - ], - "rsa.misc.category": "tinvolu", - "rsa.misc.filter": "idex", - "rsa.misc.reference_id": "rcitati", - "rsa.misc.result": "success", - "rsa.misc.result_code": "sperna", - "rsa.network.alias_host": [ - "piscin6866.internal.host" - ], - "rsa.threat.threat_category": "quidolor", - "rsa.time.event_time": "2016-08-02T03:43:25.000Z", - "rsa.time.timezone": "PT", - "rsa.web.fqdn": "piscin6866.internal.host", - "service.type": "zscaler", - "source.bytes": 3616, - "source.ip": "10.135.160.125", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "www.example.org", - "url.extension": "html", - "url.fragment": "rau", - "url.original": "https://www.example.org/eporr/xeacomm.html?aturQui=utlabor#rau", - "url.path": "/eporr/xeacomm.html", - "url.query": "aturQui=utlabor", - "url.scheme": "https", - "user.name": "volupta", - 
"user_agent.device.name": "Samsung SM-A260G", - "user_agent.name": "Chrome Mobile WebView", - "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", - "user_agent.os.full": "Android 8.1.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "8.1.0", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2016-08-16T10:45:59.000Z", - "destination.bytes": 6027, - "destination.ip": "10.63.250.128", - "event.action": "Allowed", - "event.code": "ntocca", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "tDuisaut ZSCALERNSS: time=oinBC Aug 16 8:45:59 2016^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=spi3544.www.host^^protocol=ggp^^serverip=10.63.250.128^^url=https://internal.example.net/ptatemq/luptatev.html?Nequepo=ipsumd#ntocc^^urlcategory=uteirure^^urlclass=nevo^^dlpdictionaries=ide^^dlpengine=aali^^filetype=adip^^threatcategory=tium^^threatclass=nnum^^pagerisk=tenbyCi^^threatname=ate^^clientpublicIP=uiac^^ClientIP=10.111.187.12^^location=itam^^refererURL=https://www.example.org/santiumd/turadip.gif?niamqui=orem#sno^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=tev^^user=saute^^event_id=ntocca^^clienttranstime=ostru^^requestmethod=ntoccae^^requestsize=1705^^requestversion=rrorsi^^status=temquiav^^responsesize=6027^^responseversion=sec^^transactionsize=1927", - "event.timezone": "OMST", - "file.type": "adip", - "fileset.name": "zia", - "host.name": "spi3544.www.host", - "http.request.referrer": "https://www.example.org/santiumd/turadip.gif?niamqui=orem#sno", - "input.type": "log", - "log.offset": 12524, - "network.bytes": 1927, - "network.protocol": "ggp", - "observer.product": "Internet", - "observer.type": "Configuration", - 
"observer.vendor": "Zscaler", - "related.hosts": [ - "spi3544.www.host" - ], - "related.ip": [ - "10.111.187.12", - "10.63.250.128" - ], - "related.user": [ - "saute" - ], - "rsa.db.index": "nevo", - "rsa.identity.user_dept": "tev", - "rsa.internal.data": "tDuisaut", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "nnum", - "rsa.misc.action": [ - "Allowed", - "ntoccae" - ], - "rsa.misc.category": "tium", - "rsa.misc.filter": "uteirure", - "rsa.misc.reference_id": "ntocca", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "temquiav", - "rsa.network.alias_host": [ - "spi3544.www.host" - ], - "rsa.threat.threat_category": "ate", - "rsa.time.event_time": "2016-08-16T10:45:59.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.fqdn": "spi3544.www.host", - "service.type": "zscaler", - "source.bytes": 1705, - "source.ip": "10.111.187.12", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "internal.example.net", - "url.extension": "html", - "url.fragment": "ntocc", - "url.original": "https://internal.example.net/ptatemq/luptatev.html?Nequepo=ipsumd#ntocc", - "url.path": "/ptatemq/luptatev.html", - "url.query": "Nequepo=ipsumd", - "url.scheme": "https", - "user.name": "saute", - "user_agent.device.name": "Pixel 3", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "66.0.3359.158" - }, - { - "@timestamp": "2016-08-30T05:48:33.000Z", - "destination.bytes": 1394, - "destination.ip": "10.5.126.127", - "event.action": "Allowed", - "event.code": "eprehen", - "event.dataset": "zscaler.zia", - "event.module": 
"zscaler", - "event.original": "sBon ZSCALERNSS: time=orro Aug 30 3:48:33 2016^^timezone=PST^^action=Allowed^^reason=unknown^^hostname=tlab5981.www.host^^protocol=igmp^^serverip=10.5.126.127^^url=https://www5.example.com/tateve/itinvol.txt?tenatus=cipitlab#ipsumd^^urlcategory=antiu^^urlclass=uirati^^dlpdictionaries=oin^^dlpengine=exe^^filetype=imadmini^^threatcategory=sauteiru^^threatclass=mod^^pagerisk=hilm^^threatname=ataevi^^clientpublicIP=com^^ClientIP=10.252.124.150^^location=trud^^refererURL=https://mail.example.org/litessec/itas.htm?uidol=mporin#mwrit^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=roid^^user=inibusB^^event_id=eprehen^^clienttranstime=entor^^requestmethod=xeacomm^^requestsize=1940^^requestversion=utp^^status=ema^^responsesize=1394^^responseversion=itessequ^^transactionsize=7688", - "event.timezone": "PST", - "file.type": "imadmini", - "fileset.name": "zia", - "host.name": "tlab5981.www.host", - "http.request.referrer": "https://mail.example.org/litessec/itas.htm?uidol=mporin#mwrit", - "input.type": "log", - "log.offset": 13426, - "network.bytes": 7688, - "network.protocol": "igmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "tlab5981.www.host" - ], - "related.ip": [ - "10.252.124.150", - "10.5.126.127" - ], - "related.user": [ - "inibusB" - ], - "rsa.db.index": "uirati", - "rsa.identity.user_dept": "roid", - "rsa.internal.data": "sBon", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "mod", - "rsa.misc.action": [ - "Allowed", - "xeacomm" - ], - "rsa.misc.category": "sauteiru", - "rsa.misc.filter": "antiu", - "rsa.misc.reference_id": "eprehen", - "rsa.misc.result": "unknown", - 
"rsa.misc.result_code": "ema", - "rsa.network.alias_host": [ - "tlab5981.www.host" - ], - "rsa.threat.threat_category": "ataevi", - "rsa.time.event_time": "2016-08-30T05:48:33.000Z", - "rsa.time.timezone": "PST", - "rsa.web.fqdn": "tlab5981.www.host", - "service.type": "zscaler", - "source.bytes": 1940, - "source.ip": "10.252.124.150", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "www5.example.com", - "url.extension": "txt", - "url.fragment": "ipsumd", - "url.original": "https://www5.example.com/tateve/itinvol.txt?tenatus=cipitlab#ipsumd", - "url.path": "/tateve/itinvol.txt", - "url.query": "tenatus=cipitlab", - "url.scheme": "https", - "user.name": "inibusB", - "user_agent.device.name": "Pixel 3", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "66.0.3359.158" - }, - { - "@timestamp": "2016-09-13T12:51:07.000Z", - "destination.bytes": 248, - "destination.ip": "10.201.171.120", - "event.action": "Blocked", - "event.code": "ris", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "ine ZSCALERNSS: time=lup Sep 13 10:51:07 2016^^timezone=CT^^action=Blocked^^reason=success^^hostname=upida508.example^^protocol=tcp^^serverip=10.201.171.120^^url=https://api.example.net/tquiin/tse.jpg?ovol=ptasn#taedicta^^urlcategory=itam^^urlclass=str^^dlpdictionaries=idolore^^dlpengine=pid^^filetype=illoin^^threatcategory=tanimid^^threatclass=umdo^^pagerisk=natuse^^threatname=gnamal^^clientpublicIP=metMalo^^ClientIP=10.91.126.231^^location=reprehen^^refererURL=https://example.net/psumquia/ven.html?siutali=amnih#ium^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile 
Safari/537.36^^department=tau^^user=exercita^^event_id=ris^^clienttranstime=eumiu^^requestmethod=orumSe^^requestsize=728^^requestversion=isnost^^status=queips^^responsesize=248^^responseversion=itess^^transactionsize=52", - "event.timezone": "CT", - "file.type": "illoin", - "fileset.name": "zia", - "host.name": "upida508.example", - "http.request.referrer": "https://example.net/psumquia/ven.html?siutali=amnih#ium", - "input.type": "log", - "log.offset": 14325, - "network.bytes": 52, - "network.protocol": "tcp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "upida508.example" - ], - "related.ip": [ - "10.201.171.120", - "10.91.126.231" - ], - "related.user": [ - "exercita" - ], - "rsa.db.index": "str", - "rsa.identity.user_dept": "tau", - "rsa.internal.data": "ine", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "umdo", - "rsa.misc.action": [ - "Blocked", - "orumSe" - ], - "rsa.misc.category": "tanimid", - "rsa.misc.filter": "itam", - "rsa.misc.reference_id": "ris", - "rsa.misc.result": "success", - "rsa.misc.result_code": "queips", - "rsa.network.alias_host": [ - "upida508.example" - ], - "rsa.threat.threat_category": "gnamal", - "rsa.time.event_time": "2016-09-13T12:51:07.000Z", - "rsa.time.timezone": "CT", - "rsa.web.fqdn": "upida508.example", - "service.type": "zscaler", - "source.bytes": 728, - "source.ip": "10.91.126.231", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "api.example.net", - "url.extension": "jpg", - "url.fragment": "taedicta", - "url.original": "https://api.example.net/tquiin/tse.jpg?ovol=ptasn#taedicta", - "url.path": "/tquiin/tse.jpg", - "url.query": "ovol=ptasn", - "url.scheme": "https", - "user.name": "exercita", - "user_agent.device.name": "Micromax P410i", - "user_agent.name": 
"Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", - "user_agent.os.full": "Android 4.1.2", - "user_agent.os.name": "Android", - "user_agent.os.version": "4.1.2", - "user_agent.version": "63.0.3239.111" - }, - { - "@timestamp": "2016-09-28T07:53:42.000Z", - "destination.bytes": 2703, - "destination.ip": "10.135.82.97", - "event.action": "Allowed", - "event.code": "iat", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "ofdeFini ZSCALERNSS: time=irat Sep 28 5:53:42 2016^^timezone=GMT+02:00^^action=Allowed^^reason=unknown^^hostname=oditem5255.api.localdomain^^protocol=tcp^^serverip=10.135.82.97^^url=https://mail.example.org/olor/ineavo.gif?mquelau=iadolor#amcol^^urlcategory=adeser^^urlclass=oin^^dlpdictionaries=mvenia^^dlpengine=madminim^^filetype=fugitsed^^threatcategory=quam^^threatclass=quid^^pagerisk=fugiat^^threatname=atisun^^clientpublicIP=esci^^ClientIP=10.107.251.87^^location=fugi^^refererURL=https://www.example.net/iduntu/idestlab.htm?avol=icero#xer^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=nturma^^user=str^^event_id=iat^^clienttranstime=etur^^requestmethod=itecto^^requestsize=1300^^requestversion=borios^^status=tut^^responsesize=2703^^responseversion=umqu^^transactionsize=301", - "event.timezone": "GMT+02:00", - "file.type": "fugitsed", - "fileset.name": "zia", - "host.name": "oditem5255.api.localdomain", - "http.request.referrer": "https://www.example.net/iduntu/idestlab.htm?avol=icero#xer", - "input.type": "log", - "log.offset": 15210, - "network.bytes": 301, - "network.protocol": "tcp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "oditem5255.api.localdomain" - ], - "related.ip": [ 
- "10.107.251.87", - "10.135.82.97" - ], - "related.user": [ - "str" - ], - "rsa.db.index": "oin", - "rsa.identity.user_dept": "nturma", - "rsa.internal.data": "ofdeFini", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "quid", - "rsa.misc.action": [ - "Allowed", - "itecto" - ], - "rsa.misc.category": "quam", - "rsa.misc.filter": "adeser", - "rsa.misc.reference_id": "iat", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "tut", - "rsa.network.alias_host": [ - "oditem5255.api.localdomain" - ], - "rsa.threat.threat_category": "atisun", - "rsa.time.event_time": "2016-09-28T07:53:42.000Z", - "rsa.time.timezone": "GMT+02:00", - "rsa.web.fqdn": "oditem5255.api.localdomain", - "service.type": "zscaler", - "source.bytes": 1300, - "source.ip": "10.107.251.87", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "mail.example.org", - "url.extension": "gif", - "url.fragment": "amcol", - "url.original": "https://mail.example.org/olor/ineavo.gif?mquelau=iadolor#amcol", - "url.path": "/olor/ineavo.gif", - "url.query": "mquelau=iadolor", - "url.scheme": "https", - "user.name": "str", - "user_agent.device.name": "Micromax P410i", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", - "user_agent.os.full": "Android 4.1.2", - "user_agent.os.name": "Android", - "user_agent.os.version": "4.1.2", - "user_agent.version": "63.0.3239.111" - }, - { - "@timestamp": "2016-10-12T14:56:16.000Z", - "destination.bytes": 100, - "destination.ip": "10.31.198.58", - "event.action": "Blocked", - "event.code": "ditemp", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "adipisc ZSCALERNSS: time=uscipitl Oct 12 12:56:16 
2016^^timezone=PST^^action=Blocked^^reason=unknown^^hostname=uamei2389.internal.example^^protocol=ipv6-icmp^^serverip=10.31.198.58^^url=https://www.example.com/its/ender.gif?oles=edic#seq^^urlcategory=tutlab^^urlclass=sau^^dlpdictionaries=atevelit^^dlpengine=meius^^filetype=billo^^threatcategory=labo^^threatclass=oNemoeni^^pagerisk=ttenby^^threatname=boris^^clientpublicIP=stenatu^^ClientIP=10.215.205.216^^location=ratv^^refererURL=https://www.example.net/ianon/tsed.htm?ameiusm=proide#ano^^useragent=Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=boreetdo^^user=aturve^^event_id=ditemp^^clienttranstime=edqui^^requestmethod=nre^^requestsize=7231^^requestversion=sit^^status=olab^^responsesize=100^^responseversion=elitse^^transactionsize=6672", - "event.timezone": "PST", - "file.type": "billo", - "fileset.name": "zia", - "host.name": "uamei2389.internal.example", - "http.request.referrer": "https://www.example.net/ianon/tsed.htm?ameiusm=proide#ano", - "input.type": "log", - "log.offset": 16116, - "network.bytes": 6672, - "network.protocol": "ipv6-icmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "uamei2389.internal.example" - ], - "related.ip": [ - "10.215.205.216", - "10.31.198.58" - ], - "related.user": [ - "aturve" - ], - "rsa.db.index": "sau", - "rsa.identity.user_dept": "boreetdo", - "rsa.internal.data": "adipisc", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "oNemoeni", - "rsa.misc.action": [ - "Blocked", - "nre" - ], - "rsa.misc.category": "labo", - "rsa.misc.filter": "tutlab", - "rsa.misc.reference_id": "ditemp", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "olab", - "rsa.network.alias_host": [ - 
"uamei2389.internal.example" - ], - "rsa.threat.threat_category": "boris", - "rsa.time.event_time": "2016-10-12T14:56:16.000Z", - "rsa.time.timezone": "PST", - "rsa.web.fqdn": "uamei2389.internal.example", - "service.type": "zscaler", - "source.bytes": 7231, - "source.ip": "10.215.205.216", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "www.example.com", - "url.extension": "gif", - "url.fragment": "seq", - "url.original": "https://www.example.com/its/ender.gif?oles=edic#seq", - "url.path": "/its/ender.gif", - "url.query": "oles=edic", - "url.scheme": "https", - "user.name": "aturve", - "user_agent.device.name": "Samsung SM-S337TL", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 7.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "7.0", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2016-10-26T09:58:50.000Z", - "destination.bytes": 7205, - "destination.ip": "10.29.155.171", - "event.action": "Allowed", - "event.code": "aboreetd", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "quasia ZSCALERNSS: time=adi Oct 26 7:58:50 2016^^timezone=PST^^action=Allowed^^reason=failure^^hostname=eacommod1930.internal.lan^^protocol=igmp^^serverip=10.29.155.171^^url=https://www5.example.org/oeni/tdol.gif?llamco=nea#psum^^urlcategory=tasnulap^^urlclass=orsit^^dlpdictionaries=asiar^^dlpengine=ise^^filetype=itau^^threatcategory=apariat^^threatclass=vitaedi^^pagerisk=lorsita^^threatname=dolore^^clientpublicIP=uptate^^ClientIP=10.229.83.165^^location=ugiat^^refererURL=https://internal.example.com/ate/odoconse.jpg?quatu=veli#tenim^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed 
[FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=labo^^user=ulapar^^event_id=aboreetd^^clienttranstime=hilm^^requestmethod=llitanim^^requestsize=5047^^requestversion=pitl^^status=por^^responsesize=7205^^responseversion=ama^^transactionsize=332", - "event.timezone": "PST", - "file.type": "itau", - "fileset.name": "zia", - "host.name": "eacommod1930.internal.lan", - "http.request.referrer": "https://internal.example.com/ate/odoconse.jpg?quatu=veli#tenim", - "input.type": "log", - "log.offset": 17002, - "network.bytes": 332, - "network.protocol": "igmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "eacommod1930.internal.lan" - ], - "related.ip": [ - "10.229.83.165", - "10.29.155.171" - ], - "related.user": [ - "ulapar" - ], - "rsa.db.index": "orsit", - "rsa.identity.user_dept": "labo", - "rsa.internal.data": "quasia", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "vitaedi", - "rsa.misc.action": [ - "Allowed", - "llitanim" - ], - "rsa.misc.category": "apariat", - "rsa.misc.filter": "tasnulap", - "rsa.misc.reference_id": "aboreetd", - "rsa.misc.result": "failure", - "rsa.misc.result_code": "por", - "rsa.network.alias_host": [ - "eacommod1930.internal.lan" - ], - "rsa.threat.threat_category": "dolore", - "rsa.time.event_time": "2016-10-26T09:58:50.000Z", - "rsa.time.timezone": "PST", - "rsa.web.fqdn": "eacommod1930.internal.lan", - "service.type": "zscaler", - "source.bytes": 5047, - "source.ip": "10.229.83.165", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "www5.example.org", - "url.extension": "gif", - "url.fragment": "psum", - "url.original": 
"https://www5.example.org/oeni/tdol.gif?llamco=nea#psum", - "url.path": "/oeni/tdol.gif", - "url.query": "llamco=nea", - "url.scheme": "https", - "user.name": "ulapar", - "user_agent.device.name": "iPhone", - "user_agent.name": "Facebook", - "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", - "user_agent.os.full": "iOS 13.4.1", - "user_agent.os.name": "iOS", - "user_agent.os.version": "13.4.1", - "user_agent.version": "266.0.0" - }, - { - "@timestamp": "2016-11-10T05:01:24.000Z", - "destination.bytes": 6498, - "destination.ip": "10.129.192.145", - "event.action": "Blocked", - "event.code": "oraincid", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "adminimv ZSCALERNSS: time=odi Nov 10 3:01:24 2016^^timezone=GMT-07:00^^action=Blocked^^reason=success^^hostname=tem6984.www5.domain^^protocol=ipv6^^serverip=10.129.192.145^^url=https://www.example.com/uasiar/utlab.htm?loremqu=dantium#lor^^urlcategory=velillu^^urlclass=cteturad^^dlpdictionaries=bor^^dlpengine=rauto^^filetype=ationev^^threatcategory=umdolor^^threatclass=uaUten^^pagerisk=nby^^threatname=mve^^clientpublicIP=osqui^^ClientIP=10.161.148.64^^location=ibusBon^^refererURL=https://example.com/rQu/mco.jpg?dun=reprehe#tincu^^useragent=Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36^^department=dex^^user=lor^^event_id=oraincid^^clienttranstime=intocc^^requestmethod=amcorp^^requestsize=1275^^requestversion=ssecillu^^status=liqua^^responsesize=6498^^responseversion=utodita^^transactionsize=4014", - "event.timezone": "GMT-07:00", - "file.type": "ationev", - "fileset.name": "zia", - "host.name": "tem6984.www5.domain", - "http.request.referrer": 
"https://example.com/rQu/mco.jpg?dun=reprehe#tincu", - "input.type": "log", - "log.offset": 18036, - "network.bytes": 4014, - "network.protocol": "ipv6", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "tem6984.www5.domain" - ], - "related.ip": [ - "10.129.192.145", - "10.161.148.64" - ], - "related.user": [ - "lor" - ], - "rsa.db.index": "cteturad", - "rsa.identity.user_dept": "dex", - "rsa.internal.data": "adminimv", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "uaUten", - "rsa.misc.action": [ - "Blocked", - "amcorp" - ], - "rsa.misc.category": "umdolor", - "rsa.misc.filter": "velillu", - "rsa.misc.reference_id": "oraincid", - "rsa.misc.result": "success", - "rsa.misc.result_code": "liqua", - "rsa.network.alias_host": [ - "tem6984.www5.domain" - ], - "rsa.threat.threat_category": "mve", - "rsa.time.event_time": "2016-11-10T05:01:24.000Z", - "rsa.time.timezone": "GMT-07:00", - "rsa.web.fqdn": "tem6984.www5.domain", - "service.type": "zscaler", - "source.bytes": 1275, - "source.ip": "10.161.148.64", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "www.example.com", - "url.extension": "htm", - "url.fragment": "lor", - "url.original": "https://www.example.com/uasiar/utlab.htm?loremqu=dantium#lor", - "url.path": "/uasiar/utlab.htm", - "url.query": "loremqu=dantium", - "url.scheme": "https", - "user.name": "lor", - "user_agent.device.name": "Asus X01BDA", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "80.0.3987.162" - }, - { - 
"@timestamp": "2016-11-24T12:03:59.000Z", - "destination.bytes": 6392, - "destination.ip": "10.7.200.140", - "event.action": "Allowed", - "event.code": "tpersp", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "fdeF ZSCALERNSS: time=iquidexe Nov 24 10:03:59 2016^^timezone=CEST^^action=Allowed^^reason=failure^^hostname=lapariat7287.internal.host^^protocol=ggp^^serverip=10.7.200.140^^url=https://api.example.org/icabo/gna.html?urerepr=eseru#quamest^^urlcategory=mac^^urlclass=qui^^dlpdictionaries=ritin^^dlpengine=temporin^^filetype=equatur^^threatcategory=adeseru^^threatclass=tdol^^pagerisk=upt^^threatname=mex^^clientpublicIP=tatem^^ClientIP=10.203.65.161^^location=eveli^^refererURL=https://internal.example.com/oremq/dicta.htm?imide=poriss#tvolup^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=siu^^user=snost^^event_id=tpersp^^clienttranstime=llamc^^requestmethod=nte^^requestsize=3571^^requestversion=utali^^status=porinc^^responsesize=6392^^responseversion=mvolu^^transactionsize=1664", - "event.timezone": "CEST", - "file.type": "equatur", - "fileset.name": "zia", - "host.name": "lapariat7287.internal.host", - "http.request.referrer": "https://internal.example.com/oremq/dicta.htm?imide=poriss#tvolup", - "input.type": "log", - "log.offset": 18921, - "network.bytes": 1664, - "network.protocol": "ggp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "lapariat7287.internal.host" - ], - "related.ip": [ - "10.203.65.161", - "10.7.200.140" - ], - "related.user": [ - "snost" - ], - "rsa.db.index": "qui", - "rsa.identity.user_dept": "siu", - "rsa.internal.data": "fdeF", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - 
"rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "tdol", - "rsa.misc.action": [ - "Allowed", - "nte" - ], - "rsa.misc.category": "adeseru", - "rsa.misc.filter": "mac", - "rsa.misc.reference_id": "tpersp", - "rsa.misc.result": "failure", - "rsa.misc.result_code": "porinc", - "rsa.network.alias_host": [ - "lapariat7287.internal.host" - ], - "rsa.threat.threat_category": "mex", - "rsa.time.event_time": "2016-11-24T12:03:59.000Z", - "rsa.time.timezone": "CEST", - "rsa.web.fqdn": "lapariat7287.internal.host", - "service.type": "zscaler", - "source.bytes": 3571, - "source.ip": "10.203.65.161", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "api.example.org", - "url.extension": "html", - "url.fragment": "quamest", - "url.original": "https://api.example.org/icabo/gna.html?urerepr=eseru#quamest", - "url.path": "/icabo/gna.html", - "url.query": "urerepr=eseru", - "url.scheme": "https", - "user.name": "snost", - "user_agent.device.name": "ZTE Blade V1000RU", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2016-12-08T07:06:33.000Z", - "destination.bytes": 7595, - "destination.ip": "10.86.22.67", - "event.action": "Blocked", - "event.code": "mquae", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "ipi ZSCALERNSS: time=imveniam Dec 8 5:06:33 
2016^^timezone=GMT-07:00^^action=Blocked^^reason=unknown^^hostname=licabo1493.api.corp^^protocol=icmp^^serverip=10.86.22.67^^url=https://api.example.org/oremi/elites.html?iosa=boNemoe#onsequ^^urlcategory=equinesc^^urlclass=cab^^dlpdictionaries=atisund^^dlpengine=xea^^filetype=ites^^threatcategory=isetq^^threatclass=iutali^^pagerisk=velite^^threatname=teturad^^clientpublicIP=perspici^^ClientIP=10.218.98.29^^location=iconseq^^refererURL=https://www5.example.org/atisetqu/issuscip.jpg?dipisci=spernatu#admi^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=quunt^^user=olori^^event_id=mquae^^clienttranstime=eriti^^requestmethod=atcupi^^requestsize=2332^^requestversion=plica^^status=ore^^responsesize=7595^^responseversion=emqu^^transactionsize=2846", - "event.timezone": "GMT-07:00", - "file.type": "ites", - "fileset.name": "zia", - "host.name": "licabo1493.api.corp", - "http.request.referrer": "https://www5.example.org/atisetqu/issuscip.jpg?dipisci=spernatu#admi", - "input.type": "log", - "log.offset": 19875, - "network.bytes": 2846, - "network.protocol": "icmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "licabo1493.api.corp" - ], - "related.ip": [ - "10.218.98.29", - "10.86.22.67" - ], - "related.user": [ - "olori" - ], - "rsa.db.index": "cab", - "rsa.identity.user_dept": "quunt", - "rsa.internal.data": "ipi", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "iutali", - "rsa.misc.action": [ - "Blocked", - "atcupi" - ], - "rsa.misc.category": "isetq", - "rsa.misc.filter": "equinesc", - "rsa.misc.reference_id": "mquae", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "ore", - "rsa.network.alias_host": [ 
- "licabo1493.api.corp" - ], - "rsa.threat.threat_category": "teturad", - "rsa.time.event_time": "2016-12-08T07:06:33.000Z", - "rsa.time.timezone": "GMT-07:00", - "rsa.web.fqdn": "licabo1493.api.corp", - "service.type": "zscaler", - "source.bytes": 2332, - "source.ip": "10.218.98.29", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "api.example.org", - "url.extension": "html", - "url.fragment": "onsequ", - "url.original": "https://api.example.org/oremi/elites.html?iosa=boNemoe#onsequ", - "url.path": "/oremi/elites.html", - "url.query": "iosa=boNemoe", - "url.scheme": "https", - "user.name": "olori", - "user_agent.device.name": "Pixel 3", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "66.0.3359.158" - }, - { - "@timestamp": "2016-12-23T14:09:07.000Z", - "destination.bytes": 2147, - "destination.ip": "10.39.31.115", - "event.action": "Allowed", - "event.code": "labo", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "acommod ZSCALERNSS: time=itsedd Dec 23 12:09:07 2016^^timezone=CT^^action=Allowed^^reason=success^^hostname=stenatu4844.www.invalid^^protocol=rdp^^serverip=10.39.31.115^^url=https://example.com/luptatem/uaeratv.gif?dat=periam#dqu^^urlcategory=pid^^urlclass=rExc^^dlpdictionaries=iusmo^^dlpengine=tame^^filetype=naaliq^^threatcategory=nte^^threatclass=ulpa^^pagerisk=sitam^^threatname=rad^^clientpublicIP=loi^^ClientIP=10.24.111.229^^location=volupt^^refererURL=https://example.net/idid/tesse.txt?boru=ptateve#enderi^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 
Safari/537.36^^department=toccaec^^user=fugi^^event_id=labo^^clienttranstime=nostrud^^requestmethod=gnaal^^requestsize=7224^^requestversion=proident^^status=maliquam^^responsesize=2147^^responseversion=atione^^transactionsize=5702", - "event.timezone": "CT", - "file.type": "naaliq", - "fileset.name": "zia", - "host.name": "stenatu4844.www.invalid", - "http.request.referrer": "https://example.net/idid/tesse.txt?boru=ptateve#enderi", - "input.type": "log", - "log.offset": 20787, - "network.bytes": 5702, - "network.protocol": "rdp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "stenatu4844.www.invalid" - ], - "related.ip": [ - "10.24.111.229", - "10.39.31.115" - ], - "related.user": [ - "fugi" - ], - "rsa.db.index": "rExc", - "rsa.identity.user_dept": "toccaec", - "rsa.internal.data": "acommod", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "ulpa", - "rsa.misc.action": [ - "Allowed", - "gnaal" - ], - "rsa.misc.category": "nte", - "rsa.misc.filter": "pid", - "rsa.misc.reference_id": "labo", - "rsa.misc.result": "success", - "rsa.misc.result_code": "maliquam", - "rsa.network.alias_host": [ - "stenatu4844.www.invalid" - ], - "rsa.threat.threat_category": "rad", - "rsa.time.event_time": "2016-12-23T14:09:07.000Z", - "rsa.time.timezone": "CT", - "rsa.web.fqdn": "stenatu4844.www.invalid", - "service.type": "zscaler", - "source.bytes": 7224, - "source.ip": "10.24.111.229", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "example.com", - "url.extension": "gif", - "url.fragment": "dqu", - "url.original": "https://example.com/luptatem/uaeratv.gif?dat=periam#dqu", - "url.path": "/luptatem/uaeratv.gif", - "url.query": "dat=periam", - "url.scheme": "https", - "user.name": "fugi", - "user_agent.device.name": 
"Notepad_K10", - "user_agent.name": "Chrome", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2017-01-06T09:11:41.000Z", - "destination.bytes": 4814, - "destination.ip": "10.179.210.218", - "event.action": "Blocked", - "event.code": "undeom", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "ritati ZSCALERNSS: time=orisni Jan 6 7:11:41 2017^^timezone=PST^^action=Blocked^^reason=failure^^hostname=sitam5077.internal.host^^protocol=igmp^^serverip=10.179.210.218^^url=https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo^^urlcategory=oluptas^^urlclass=emvele^^dlpdictionaries=isnost^^dlpengine=olorem^^filetype=ido^^threatcategory=emqu^^threatclass=riss^^pagerisk=iquamqua^^threatname=sit^^clientpublicIP=rumSect^^ClientIP=10.32.39.220^^location=aliq^^refererURL=https://example.net/mven/olorsit.gif?oremag=illu#ruredo^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]^^department=tatevel^^user=boreetdo^^event_id=undeom^^clienttranstime=uamnihi^^requestmethod=risnis^^requestsize=1140^^requestversion=scingeli^^status=isn^^responsesize=4814^^responseversion=omm^^transactionsize=696", - "event.timezone": "PST", - "file.type": "ido", - "fileset.name": "zia", - "host.name": "sitam5077.internal.host", - "http.request.referrer": "https://example.net/mven/olorsit.gif?oremag=illu#ruredo", - "input.type": "log", - "log.offset": 21648, - "network.bytes": 696, - "network.protocol": "igmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - 
"sitam5077.internal.host" - ], - "related.ip": [ - "10.179.210.218", - "10.32.39.220" - ], - "related.user": [ - "boreetdo" - ], - "rsa.db.index": "emvele", - "rsa.identity.user_dept": "tatevel", - "rsa.internal.data": "ritati", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "riss", - "rsa.misc.action": [ - "Blocked", - "risnis" - ], - "rsa.misc.category": "emqu", - "rsa.misc.filter": "oluptas", - "rsa.misc.reference_id": "undeom", - "rsa.misc.result": "failure", - "rsa.misc.result_code": "isn", - "rsa.network.alias_host": [ - "sitam5077.internal.host" - ], - "rsa.threat.threat_category": "sit", - "rsa.time.event_time": "2017-01-06T09:11:41.000Z", - "rsa.time.timezone": "PST", - "rsa.web.fqdn": "sitam5077.internal.host", - "service.type": "zscaler", - "source.bytes": 1140, - "source.ip": "10.32.39.220", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "www.example.org", - "url.extension": "jpg", - "url.fragment": "umetMalo", - "url.original": "https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo", - "url.path": "/tanimi/rumSecti.jpg", - "url.query": "emporain=ntiumto", - "url.scheme": "https", - "user.name": "boreetdo", - "user_agent.device.name": "Samsung SM-A715F", - "user_agent.name": "Facebook", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "266.0.0" - }, - { - "@timestamp": "2017-01-20T04:14:16.000Z", - "destination.bytes": 3916, - "destination.ip": "10.128.173.19", - "event.action": "Blocked", - "event.code": "tlaboree", - "event.dataset": 
"zscaler.zia", - "event.module": "zscaler", - "event.original": "quunt ZSCALERNSS: time=numquam Jan 20 2:14:16 2017^^timezone=CT^^action=Blocked^^reason=failure^^hostname=dquia107.www.test^^protocol=ipv6^^serverip=10.128.173.19^^url=https://api.example.com/ori/tconsect.html?ercit=eporroq#ulla^^urlcategory=iqu^^urlclass=oin^^dlpdictionaries=hil^^dlpengine=cingel^^filetype=modocon^^threatcategory=ipsu^^threatclass=ntNeq^^pagerisk=tate^^threatname=urExce^^clientpublicIP=asi^^ClientIP=10.88.172.34^^location=atv^^refererURL=https://example.org/liquaUte/alorum.txt?ria=atDu#nsec^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=maperi^^user=agnaaliq^^event_id=tlaboree^^clienttranstime=norumet^^requestmethod=dtempo^^requestsize=7680^^requestversion=col^^status=mve^^responsesize=3916^^responseversion=tinvolup^^transactionsize=2365", - "event.timezone": "CT", - "file.type": "modocon", - "fileset.name": "zia", - "host.name": "dquia107.www.test", - "http.request.referrer": "https://example.org/liquaUte/alorum.txt?ria=atDu#nsec", - "input.type": "log", - "log.offset": 22620, - "network.bytes": 2365, - "network.protocol": "ipv6", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "dquia107.www.test" - ], - "related.ip": [ - "10.128.173.19", - "10.88.172.34" - ], - "related.user": [ - "agnaaliq" - ], - "rsa.db.index": "oin", - "rsa.identity.user_dept": "maperi", - "rsa.internal.data": "quunt", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "ntNeq", - "rsa.misc.action": [ - "Blocked", - "dtempo" - ], - "rsa.misc.category": "ipsu", - "rsa.misc.filter": "iqu", - "rsa.misc.reference_id": "tlaboree", - "rsa.misc.result": 
"failure", - "rsa.misc.result_code": "mve", - "rsa.network.alias_host": [ - "dquia107.www.test" - ], - "rsa.threat.threat_category": "urExce", - "rsa.time.event_time": "2017-01-20T04:14:16.000Z", - "rsa.time.timezone": "CT", - "rsa.web.fqdn": "dquia107.www.test", - "service.type": "zscaler", - "source.bytes": 7680, - "source.ip": "10.88.172.34", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "api.example.com", - "url.extension": "html", - "url.fragment": "ulla", - "url.original": "https://api.example.com/ori/tconsect.html?ercit=eporroq#ulla", - "url.path": "/ori/tconsect.html", - "url.query": "ercit=eporroq", - "url.scheme": "https", - "user.name": "agnaaliq", - "user_agent.device.name": "Micromax P410i", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", - "user_agent.os.full": "Android 4.1.2", - "user_agent.os.name": "Android", - "user_agent.os.version": "4.1.2", - "user_agent.version": "63.0.3239.111" - }, - { - "@timestamp": "2017-02-03T11:16:50.000Z", - "destination.bytes": 7889, - "destination.ip": "10.130.241.232", - "event.action": "Allowed", - "event.code": "redol", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "inv ZSCALERNSS: time=rroq Feb 3 9:16:50 2017^^timezone=CT^^action=Allowed^^reason=unknown^^hostname=lloin4019.www.localhost^^protocol=igmp^^serverip=10.130.241.232^^url=https://api.example.org/rure/asiarchi.txt?loremeu=aturve#utfug^^urlcategory=aturQu^^urlclass=aaliq^^dlpdictionaries=mipsamvo^^dlpengine=eiusmod^^filetype=emoe^^threatcategory=uiinea^^threatclass=mnisiut^^pagerisk=avolu^^threatname=Except^^clientpublicIP=olup^^ClientIP=10.238.224.49^^location=asper^^refererURL=https://example.net/naal/equun.gif?mve=uia#iciad^^useragent=Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 
Mobile Safari/537.36^^department=mad^^user=onse^^event_id=redol^^clienttranstime=gnaa^^requestmethod=mod^^requestsize=5107^^requestversion=dtempori^^status=toditaut^^responsesize=7889^^responseversion=dexerc^^transactionsize=2302", - "event.timezone": "CT", - "file.type": "emoe", - "fileset.name": "zia", - "host.name": "lloin4019.www.localhost", - "http.request.referrer": "https://example.net/naal/equun.gif?mve=uia#iciad", - "input.type": "log", - "log.offset": 23507, - "network.bytes": 2302, - "network.protocol": "igmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "lloin4019.www.localhost" - ], - "related.ip": [ - "10.130.241.232", - "10.238.224.49" - ], - "related.user": [ - "onse" - ], - "rsa.db.index": "aaliq", - "rsa.identity.user_dept": "mad", - "rsa.internal.data": "inv", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "mnisiut", - "rsa.misc.action": [ - "Allowed", - "mod" - ], - "rsa.misc.category": "uiinea", - "rsa.misc.filter": "aturQu", - "rsa.misc.reference_id": "redol", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "toditaut", - "rsa.network.alias_host": [ - "lloin4019.www.localhost" - ], - "rsa.threat.threat_category": "Except", - "rsa.time.event_time": "2017-02-03T11:16:50.000Z", - "rsa.time.timezone": "CT", - "rsa.web.fqdn": "lloin4019.www.localhost", - "service.type": "zscaler", - "source.bytes": 5107, - "source.ip": "10.238.224.49", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "api.example.org", - "url.extension": "txt", - "url.fragment": "utfug", - "url.original": "https://api.example.org/rure/asiarchi.txt?loremeu=aturve#utfug", - "url.path": "/rure/asiarchi.txt", - "url.query": "loremeu=aturve", - "url.scheme": "https", - "user.name": "onse", - 
"user_agent.device.name": "POCOPHONE F1", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2017-02-18T06:19:24.000Z", - "destination.bytes": 609, - "destination.ip": "10.115.53.31", - "event.action": "Allowed", - "event.code": "olorema", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "eprehend ZSCALERNSS: time=asnu Feb 18 4:19:24 2017^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=tamet6317.www.host^^protocol=igmp^^serverip=10.115.53.31^^url=https://example.com/emUte/molestia.htm?orroqu=elitsed#labore^^urlcategory=uela^^urlclass=ntexplic^^dlpdictionaries=uto^^dlpengine=iuntNequ^^filetype=esseq^^threatcategory=aincidun^^threatclass=quatD^^pagerisk=isqua^^threatname=uta^^clientpublicIP=emo^^ClientIP=10.2.67.127^^location=licaboN^^refererURL=https://mail.example.org/cupi/strude.htm?dunt=litsedq#nderiti^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=mdolore^^user=Cic^^event_id=olorema^^clienttranstime=mollita^^requestmethod=tatem^^requestsize=6156^^requestversion=aeab^^status=teur^^responsesize=609^^responseversion=inBC^^transactionsize=2622", - "event.timezone": "OMST", - "file.type": "esseq", - "fileset.name": "zia", - "host.name": "tamet6317.www.host", - "http.request.referrer": "https://mail.example.org/cupi/strude.htm?dunt=litsedq#nderiti", - "input.type": "log", - "log.offset": 24381, - "network.bytes": 2622, - "network.protocol": "igmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "tamet6317.www.host" - ], - "related.ip": [ - 
"10.115.53.31", - "10.2.67.127" - ], - "related.user": [ - "Cic" - ], - "rsa.db.index": "ntexplic", - "rsa.identity.user_dept": "mdolore", - "rsa.internal.data": "eprehend", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "quatD", - "rsa.misc.action": [ - "Allowed", - "tatem" - ], - "rsa.misc.category": "aincidun", - "rsa.misc.filter": "uela", - "rsa.misc.reference_id": "olorema", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "teur", - "rsa.network.alias_host": [ - "tamet6317.www.host" - ], - "rsa.threat.threat_category": "uta", - "rsa.time.event_time": "2017-02-18T06:19:24.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.fqdn": "tamet6317.www.host", - "service.type": "zscaler", - "source.bytes": 6156, - "source.ip": "10.2.67.127", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "example.com", - "url.extension": "htm", - "url.fragment": "labore", - "url.original": "https://example.com/emUte/molestia.htm?orroqu=elitsed#labore", - "url.path": "/emUte/molestia.htm", - "url.query": "orroqu=elitsed", - "url.scheme": "https", - "user.name": "Cic", - "user_agent.device.name": "U307AS", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2017-03-04T13:21:59.000Z", - "destination.bytes": 5328, - "destination.ip": "10.204.214.251", - "event.action": "Allowed", - "event.code": "scipitl", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "tur ZSCALERNSS: time=ictas Mar 4 11:21:59 
2017^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=saquaea6344.www.invalid^^protocol=igmp^^serverip=10.204.214.251^^url=https://mail.example.net/repreh/plic.jpg?utlabo=tetur#tionula^^urlcategory=ritqu^^urlclass=ecatcupi^^dlpdictionaries=uamei^^dlpengine=undeomni^^filetype=tas^^threatcategory=autfugi^^threatclass=tasun^^pagerisk=duntutla^^threatname=ntium^^clientpublicIP=iration^^ClientIP=10.101.38.213^^location=orisni^^refererURL=https://example.org/modoc/boNem.gif?ssusci=animid#mpo^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=atuse^^user=ueipsa^^event_id=scipitl^^clienttranstime=eumi^^requestmethod=quasiarc^^requestsize=3487^^requestversion=leumiur^^status=tetura^^responsesize=5328^^responseversion=offici^^transactionsize=501", - "event.timezone": "OMST", - "file.type": "tas", - "fileset.name": "zia", - "host.name": "saquaea6344.www.invalid", - "http.request.referrer": "https://example.org/modoc/boNem.gif?ssusci=animid#mpo", - "input.type": "log", - "log.offset": 25254, - "network.bytes": 501, - "network.protocol": "igmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "saquaea6344.www.invalid" - ], - "related.ip": [ - "10.101.38.213", - "10.204.214.251" - ], - "related.user": [ - "ueipsa" - ], - "rsa.db.index": "ecatcupi", - "rsa.identity.user_dept": "atuse", - "rsa.internal.data": "tur", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "tasun", - "rsa.misc.action": [ - "Allowed", - "quasiarc" - ], - "rsa.misc.category": "autfugi", - "rsa.misc.filter": "ritqu", - "rsa.misc.reference_id": "scipitl", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "tetura", - "rsa.network.alias_host": [ - 
"saquaea6344.www.invalid" - ], - "rsa.threat.threat_category": "ntium", - "rsa.time.event_time": "2017-03-04T13:21:59.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.fqdn": "saquaea6344.www.invalid", - "service.type": "zscaler", - "source.bytes": 3487, - "source.ip": "10.101.38.213", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "mail.example.net", - "url.extension": "jpg", - "url.fragment": "tionula", - "url.original": "https://mail.example.net/repreh/plic.jpg?utlabo=tetur#tionula", - "url.path": "/repreh/plic.jpg", - "url.query": "utlabo=tetur", - "url.scheme": "https", - "user.name": "ueipsa", - "user_agent.device.name": "U307AS", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2017-03-18T08:24:33.000Z", - "destination.bytes": 2118, - "destination.ip": "10.18.226.72", - "event.action": "Allowed", - "event.code": "dquiaco", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "roquisqu ZSCALERNSS: time=edolorin Mar 18 6:24:33 2017^^timezone=GMT+02:00^^action=Allowed^^reason=failure^^hostname=utaliqu4248.www.localhost^^protocol=igmp^^serverip=10.18.226.72^^url=https://api.example.com/tcu/iatqu.jpg?quovo=urExcep#ema^^urlcategory=suntex^^urlclass=iacons^^dlpdictionaries=occaec^^dlpengine=acommodi^^filetype=essecill^^threatcategory=billoi^^threatclass=moles^^pagerisk=dipiscin^^threatname=olup^^clientpublicIP=aco^^ClientIP=10.101.85.169^^location=natu^^refererURL=https://internal.example.net/enim/Finibus.htm?mporainc=xea#taed^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile 
Safari/537.36^^department=billo^^user=rroqu^^event_id=dquiaco^^clienttranstime=nibus^^requestmethod=vitaed^^requestsize=2352^^requestversion=ptasnula^^status=oru^^responsesize=2118^^responseversion=upt^^transactionsize=7879", - "event.timezone": "GMT+02:00", - "file.type": "essecill", - "fileset.name": "zia", - "host.name": "utaliqu4248.www.localhost", - "http.request.referrer": "https://internal.example.net/enim/Finibus.htm?mporainc=xea#taed", - "input.type": "log", - "log.offset": 26141, - "network.bytes": 7879, - "network.protocol": "igmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "utaliqu4248.www.localhost" - ], - "related.ip": [ - "10.101.85.169", - "10.18.226.72" - ], - "related.user": [ - "rroqu" - ], - "rsa.db.index": "iacons", - "rsa.identity.user_dept": "billo", - "rsa.internal.data": "roquisqu", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "moles", - "rsa.misc.action": [ - "Allowed", - "vitaed" - ], - "rsa.misc.category": "billoi", - "rsa.misc.filter": "suntex", - "rsa.misc.reference_id": "dquiaco", - "rsa.misc.result": "failure", - "rsa.misc.result_code": "oru", - "rsa.network.alias_host": [ - "utaliqu4248.www.localhost" - ], - "rsa.threat.threat_category": "olup", - "rsa.time.event_time": "2017-03-18T08:24:33.000Z", - "rsa.time.timezone": "GMT+02:00", - "rsa.web.fqdn": "utaliqu4248.www.localhost", - "service.type": "zscaler", - "source.bytes": 2352, - "source.ip": "10.101.85.169", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "api.example.com", - "url.extension": "jpg", - "url.fragment": "ema", - "url.original": "https://api.example.com/tcu/iatqu.jpg?quovo=urExcep#ema", - "url.path": "/tcu/iatqu.jpg", - "url.query": "quovo=urExcep", - "url.scheme": "https", - "user.name": "rroqu", - 
"user_agent.device.name": "G8142", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2017-04-02T03:27:07.000Z", - "destination.bytes": 7509, - "destination.ip": "10.87.100.240", - "event.action": "Allowed", - "event.code": "equep", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "eprehend ZSCALERNSS: time=rem Apr 2 1:27:07 2017^^timezone=GMT-07:00^^action=Allowed^^reason=unknown^^hostname=mdolore473.internal.test^^protocol=igmp^^serverip=10.87.100.240^^url=https://www5.example.com/apariatu/lorsita.gif?msequ=uat#lupta^^urlcategory=npr^^urlclass=etconsec^^dlpdictionaries=caboNem^^dlpengine=urExcept^^filetype=rumetMal^^threatcategory=oconse^^threatclass=mag^^pagerisk=tob^^threatname=dolores^^clientpublicIP=equamnih^^ClientIP=10.242.182.193^^location=itempo^^refererURL=https://mail.example.com/redol/ecillum.html?radipis=ctetu#orinrep^^useragent=Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=nder^^user=stenatus^^event_id=equep^^clienttranstime=ever^^requestmethod=tali^^requestsize=2124^^requestversion=erspi^^status=iqu^^responsesize=7509^^responseversion=incidid^^transactionsize=2617", - "event.timezone": "GMT-07:00", - "file.type": "rumetMal", - "fileset.name": "zia", - "host.name": "mdolore473.internal.test", - "http.request.referrer": "https://mail.example.com/redol/ecillum.html?radipis=ctetu#orinrep", - "input.type": "log", - "log.offset": 27035, - "network.bytes": 2617, - "network.protocol": "igmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "mdolore473.internal.test" 
- ], - "related.ip": [ - "10.242.182.193", - "10.87.100.240" - ], - "related.user": [ - "stenatus" - ], - "rsa.db.index": "etconsec", - "rsa.identity.user_dept": "nder", - "rsa.internal.data": "eprehend", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "mag", - "rsa.misc.action": [ - "Allowed", - "tali" - ], - "rsa.misc.category": "oconse", - "rsa.misc.filter": "npr", - "rsa.misc.reference_id": "equep", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "iqu", - "rsa.network.alias_host": [ - "mdolore473.internal.test" - ], - "rsa.threat.threat_category": "dolores", - "rsa.time.event_time": "2017-04-02T03:27:07.000Z", - "rsa.time.timezone": "GMT-07:00", - "rsa.web.fqdn": "mdolore473.internal.test", - "service.type": "zscaler", - "source.bytes": 2124, - "source.ip": "10.242.182.193", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "www5.example.com", - "url.extension": "gif", - "url.fragment": "lupta", - "url.original": "https://www5.example.com/apariatu/lorsita.gif?msequ=uat#lupta", - "url.path": "/apariatu/lorsita.gif", - "url.query": "msequ=uat", - "url.scheme": "https", - "user.name": "stenatus", - "user_agent.device.name": "VS996", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 8.0.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "8.0.0", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2017-04-16T10:29:41.000Z", - "destination.bytes": 204, - "destination.ip": "10.229.242.223", - "event.action": "Blocked", - "event.code": "dexe", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "autemv ZSCALERNSS: time=emq Apr 16 8:29:41 
2017^^timezone=GMT-07:00^^action=Blocked^^reason=failure^^hostname=tatio6513.www.invalid^^protocol=rdp^^serverip=10.229.242.223^^url=https://internal.example.net/ende/abor.jpg?riameaqu=ame#tesseq^^urlcategory=niam^^urlclass=pernat^^dlpdictionaries=rerepre^^dlpengine=nculpaq^^filetype=culpaqui^^threatcategory=tvolup^^threatclass=tdolore^^pagerisk=ventore^^threatname=red^^clientpublicIP=sinto^^ClientIP=10.80.57.247^^location=est^^refererURL=https://api.example.net/aev/inrepr.gif?iadese=nisiu#imad^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=ptatem^^user=itasp^^event_id=dexe^^clienttranstime=tat^^requestmethod=onproide^^requestsize=2737^^requestversion=cillumd^^status=riosa^^responsesize=204^^responseversion=aspernat^^transactionsize=2460", - "event.timezone": "GMT-07:00", - "file.type": "culpaqui", - "fileset.name": "zia", - "host.name": "tatio6513.www.invalid", - "http.request.referrer": "https://api.example.net/aev/inrepr.gif?iadese=nisiu#imad", - "input.type": "log", - "log.offset": 27937, - "network.bytes": 2460, - "network.protocol": "rdp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "tatio6513.www.invalid" - ], - "related.ip": [ - "10.229.242.223", - "10.80.57.247" - ], - "related.user": [ - "itasp" - ], - "rsa.db.index": "pernat", - "rsa.identity.user_dept": "ptatem", - "rsa.internal.data": "autemv", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "tdolore", - "rsa.misc.action": [ - "Blocked", - "onproide" - ], - "rsa.misc.category": "tvolup", - "rsa.misc.filter": "niam", - "rsa.misc.reference_id": "dexe", - "rsa.misc.result": "failure", - 
"rsa.misc.result_code": "riosa", - "rsa.network.alias_host": [ - "tatio6513.www.invalid" - ], - "rsa.threat.threat_category": "red", - "rsa.time.event_time": "2017-04-16T10:29:41.000Z", - "rsa.time.timezone": "GMT-07:00", - "rsa.web.fqdn": "tatio6513.www.invalid", - "service.type": "zscaler", - "source.bytes": 2737, - "source.ip": "10.80.57.247", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "internal.example.net", - "url.extension": "jpg", - "url.fragment": "tesseq", - "url.original": "https://internal.example.net/ende/abor.jpg?riameaqu=ame#tesseq", - "url.path": "/ende/abor.jpg", - "url.query": "riameaqu=ame", - "url.scheme": "https", - "user.name": "itasp", - "user_agent.device.name": "ZTE Blade V1000RU", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2017-04-30T05:32:16.000Z", - "destination.bytes": 6146, - "destination.ip": "10.193.66.155", - "event.action": "Allowed", - "event.code": "enim", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "caecat ZSCALERNSS: time=rautod Apr 30 3:32:16 2017^^timezone=PT^^action=Allowed^^reason=failure^^hostname=lapar1599.www.lan^^protocol=ipv6^^serverip=10.193.66.155^^url=https://example.com/ame/amvolu.txt?equaturv=lamc#mvolupta^^urlcategory=Utenima^^urlclass=iqua^^dlpdictionaries=luptat^^dlpengine=deriti^^filetype=sintocc^^threatcategory=cididu^^threatclass=uteir^^pagerisk=boree^^threatname=isn^^clientpublicIP=ulla^^ClientIP=10.106.77.138^^location=aconse^^refererURL=https://mail.example.net/tnonproi/squira.html?itation=veleum#piciatis^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 
Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=henderi^^user=iusmodt^^event_id=enim^^clienttranstime=emaperia^^requestmethod=Section^^requestsize=4329^^requestversion=iame^^status=orroquis^^responsesize=6146^^responseversion=tiumd^^transactionsize=6099", - "event.timezone": "PT", - "file.type": "sintocc", - "fileset.name": "zia", - "host.name": "lapar1599.www.lan", - "http.request.referrer": "https://mail.example.net/tnonproi/squira.html?itation=veleum#piciatis", - "input.type": "log", - "log.offset": 28899, - "network.bytes": 6099, - "network.protocol": "ipv6", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "lapar1599.www.lan" - ], - "related.ip": [ - "10.106.77.138", - "10.193.66.155" - ], - "related.user": [ - "iusmodt" - ], - "rsa.db.index": "iqua", - "rsa.identity.user_dept": "henderi", - "rsa.internal.data": "caecat", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "uteir", - "rsa.misc.action": [ - "Allowed", - "Section" - ], - "rsa.misc.category": "cididu", - "rsa.misc.filter": "Utenima", - "rsa.misc.reference_id": "enim", - "rsa.misc.result": "failure", - "rsa.misc.result_code": "orroquis", - "rsa.network.alias_host": [ - "lapar1599.www.lan" - ], - "rsa.threat.threat_category": "isn", - "rsa.time.event_time": "2017-04-30T05:32:16.000Z", - "rsa.time.timezone": "PT", - "rsa.web.fqdn": "lapar1599.www.lan", - "service.type": "zscaler", - "source.bytes": 4329, - "source.ip": "10.106.77.138", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "example.com", - "url.extension": "txt", - "url.fragment": "mvolupta", - "url.original": "https://example.com/ame/amvolu.txt?equaturv=lamc#mvolupta", - "url.path": 
"/ame/amvolu.txt", - "url.query": "equaturv=lamc", - "url.scheme": "https", - "user.name": "iusmodt", - "user_agent.device.name": "Lenovo A2016a40 ", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "48.0.2564.106" - }, - { - "@timestamp": "2017-05-14T12:34:50.000Z", - "destination.bytes": 3862, - "destination.ip": "10.236.230.136", - "event.action": "Allowed", - "event.code": "quira", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "mexer ZSCALERNSS: time=estla May 14 10:34:50 2017^^timezone=ET^^action=Allowed^^reason=success^^hostname=aquioff3853.www.localdomain^^protocol=udp^^serverip=10.236.230.136^^url=https://mail.example.org/uisnostr/reetdol.txt?ugi=niamquis#nisi^^urlcategory=emveleum^^urlclass=olup^^dlpdictionaries=nde^^dlpengine=abillo^^filetype=undeom^^threatcategory=emullamc^^threatclass=tec^^pagerisk=Nemo^^threatname=tutlabo^^clientpublicIP=mveleum^^ClientIP=10.54.159.1^^location=sBonorum^^refererURL=https://mail.example.net/quira/tassita.gif?oremi=ugitsedq#turmag^^useragent=Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=asnulapa^^user=mUteni^^event_id=quira^^clienttranstime=rror^^requestmethod=tatema^^requestsize=2446^^requestversion=loinve^^status=tatevel^^responsesize=3862^^responseversion=equu^^transactionsize=5373", - "event.timezone": "ET", - "file.type": "undeom", - "fileset.name": "zia", - "host.name": "aquioff3853.www.localdomain", - "http.request.referrer": "https://mail.example.net/quira/tassita.gif?oremi=ugitsedq#turmag", - 
"input.type": "log", - "log.offset": 29854, - "network.bytes": 5373, - "network.protocol": "udp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "aquioff3853.www.localdomain" - ], - "related.ip": [ - "10.236.230.136", - "10.54.159.1" - ], - "related.user": [ - "mUteni" - ], - "rsa.db.index": "olup", - "rsa.identity.user_dept": "asnulapa", - "rsa.internal.data": "mexer", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "tec", - "rsa.misc.action": [ - "Allowed", - "tatema" - ], - "rsa.misc.category": "emullamc", - "rsa.misc.filter": "emveleum", - "rsa.misc.reference_id": "quira", - "rsa.misc.result": "success", - "rsa.misc.result_code": "tatevel", - "rsa.network.alias_host": [ - "aquioff3853.www.localdomain" - ], - "rsa.threat.threat_category": "tutlabo", - "rsa.time.event_time": "2017-05-14T12:34:50.000Z", - "rsa.time.timezone": "ET", - "rsa.web.fqdn": "aquioff3853.www.localdomain", - "service.type": "zscaler", - "source.bytes": 2446, - "source.ip": "10.54.159.1", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "mail.example.org", - "url.extension": "txt", - "url.fragment": "nisi", - "url.original": "https://mail.example.org/uisnostr/reetdol.txt?ugi=niamquis#nisi", - "url.path": "/uisnostr/reetdol.txt", - "url.query": "ugi=niamquis", - "url.scheme": "https", - "user.name": "mUteni", - "user_agent.device.name": "STK-L21", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "83.0.4103.83" 
- }, - { - "@timestamp": "2017-05-29T07:37:24.000Z", - "destination.bytes": 4968, - "destination.ip": "10.49.242.174", - "event.action": "Allowed", - "event.code": "rroqui", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "atae ZSCALERNSS: time=tetura May 29 5:37:24 2017^^timezone=OMST^^action=Allowed^^reason=success^^hostname=ura675.mail.localdomain^^protocol=ggp^^serverip=10.49.242.174^^url=https://api.example.com/radipis/cive.gif?orumSec=nisiuta#stiaecon^^urlcategory=dol^^urlclass=sumquiad^^dlpdictionaries=setquas^^dlpengine=minim^^filetype=oeni^^threatcategory=untutlab^^threatclass=tvolup^^pagerisk=consecte^^threatname=pteurs^^clientpublicIP=catcupi^^ClientIP=10.131.246.134^^location=tiaecon^^refererURL=https://api.example.com/amquisno/uido.gif?queporro=uid#snostrum^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=aconsequ^^user=umdolo^^event_id=rroqui^^clienttranstime=ursin^^requestmethod=utemvel^^requestsize=5325^^requestversion=atu^^status=iusm^^responsesize=4968^^responseversion=laudanti^^transactionsize=16", - "event.timezone": "OMST", - "file.type": "oeni", - "fileset.name": "zia", - "host.name": "ura675.mail.localdomain", - "http.request.referrer": "https://api.example.com/amquisno/uido.gif?queporro=uid#snostrum", - "input.type": "log", - "log.offset": 30815, - "network.bytes": 16, - "network.protocol": "ggp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "ura675.mail.localdomain" - ], - "related.ip": [ - "10.131.246.134", - "10.49.242.174" - ], - "related.user": [ - "umdolo" - ], - "rsa.db.index": "sumquiad", - "rsa.identity.user_dept": "aconsequ", - "rsa.internal.data": "atae", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - 
"rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "tvolup", - "rsa.misc.action": [ - "Allowed", - "utemvel" - ], - "rsa.misc.category": "untutlab", - "rsa.misc.filter": "dol", - "rsa.misc.reference_id": "rroqui", - "rsa.misc.result": "success", - "rsa.misc.result_code": "iusm", - "rsa.network.alias_host": [ - "ura675.mail.localdomain" - ], - "rsa.threat.threat_category": "pteurs", - "rsa.time.event_time": "2017-05-29T07:37:24.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.fqdn": "ura675.mail.localdomain", - "service.type": "zscaler", - "source.bytes": 5325, - "source.ip": "10.131.246.134", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "api.example.com", - "url.extension": "gif", - "url.fragment": "stiaecon", - "url.original": "https://api.example.com/radipis/cive.gif?orumSec=nisiuta#stiaecon", - "url.path": "/radipis/cive.gif", - "url.query": "orumSec=nisiuta", - "url.scheme": "https", - "user.name": "umdolo", - "user_agent.device.name": "Lenovo A2016a40 ", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "48.0.2564.106" - }, - { - "@timestamp": "2017-06-12T14:39:58.000Z", - "destination.bytes": 1046, - "destination.ip": "10.142.120.198", - "event.action": "Blocked", - "event.code": "ido", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "rere ZSCALERNSS: time=cta Jun 12 12:39:58 
2017^^timezone=CT^^action=Blocked^^reason=unknown^^hostname=iamea478.www5.host^^protocol=ipv6-icmp^^serverip=10.142.120.198^^url=https://mail.example.org/oin/itseddoe.html?citati=uamei#eursinto^^urlcategory=litesse^^urlclass=fugiatn^^dlpdictionaries=uaeabi^^dlpengine=aaliq^^filetype=nat^^threatcategory=uovolupt^^threatclass=ende^^pagerisk=orumSe^^threatname=dolor^^clientpublicIP=isiut^^ClientIP=10.166.10.42^^location=emulla^^refererURL=https://www.example.com/itae/dtempo.html?etMaloru=lmo#iquidex^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=uamqu^^user=olori^^event_id=ido^^clienttranstime=mcorpor^^requestmethod=doconse^^requestsize=2522^^requestversion=emUte^^status=iusmodi^^responsesize=1046^^responseversion=tura^^transactionsize=6695", - "event.timezone": "CT", - "file.type": "nat", - "fileset.name": "zia", - "host.name": "iamea478.www5.host", - "http.request.referrer": "https://www.example.com/itae/dtempo.html?etMaloru=lmo#iquidex", - "input.type": "log", - "log.offset": 31783, - "network.bytes": 6695, - "network.protocol": "ipv6-icmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "iamea478.www5.host" - ], - "related.ip": [ - "10.142.120.198", - "10.166.10.42" - ], - "related.user": [ - "olori" - ], - "rsa.db.index": "fugiatn", - "rsa.identity.user_dept": "uamqu", - "rsa.internal.data": "rere", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "ende", - "rsa.misc.action": [ - "Blocked", - "doconse" - ], - "rsa.misc.category": "uovolupt", - "rsa.misc.filter": "litesse", - "rsa.misc.reference_id": "ido", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "iusmodi", - "rsa.network.alias_host": [ - "iamea478.www5.host" - 
], - "rsa.threat.threat_category": "dolor", - "rsa.time.event_time": "2017-06-12T14:39:58.000Z", - "rsa.time.timezone": "CT", - "rsa.web.fqdn": "iamea478.www5.host", - "service.type": "zscaler", - "source.bytes": 2522, - "source.ip": "10.166.10.42", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "mail.example.org", - "url.extension": "html", - "url.fragment": "eursinto", - "url.original": "https://mail.example.org/oin/itseddoe.html?citati=uamei#eursinto", - "url.path": "/oin/itseddoe.html", - "url.query": "citati=uamei", - "url.scheme": "https", - "user.name": "olori", - "user_agent.device.name": "LG-$2", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2017-06-26T09:42:33.000Z", - "destination.bytes": 3520, - "destination.ip": "10.138.188.201", - "event.action": "Allowed", - "event.code": "rsitvol", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "equat ZSCALERNSS: time=aliquid Jun 26 7:42:33 2017^^timezone=GMT+02:00^^action=Allowed^^reason=unknown^^hostname=eaque6543.api.domain^^protocol=udp^^serverip=10.138.188.201^^url=https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS^^urlcategory=iciadese^^urlclass=riatur^^dlpdictionaries=oeni^^dlpengine=dol^^filetype=dol^^threatcategory=atur^^threatclass=issu^^pagerisk=identsu^^threatname=piscivel^^clientpublicIP=hend^^ClientIP=10.128.184.241^^location=aer^^refererURL=https://api.example.net/umd/sciveli.htm?tur=acon#Nemoenim^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile 
Safari/537.36^^department=urau^^user=etur^^event_id=rsitvol^^clienttranstime=utali^^requestmethod=sed^^requestsize=6793^^requestversion=sec^^status=uid^^responsesize=3520^^responseversion=acom^^transactionsize=1142", - "event.timezone": "GMT+02:00", - "file.type": "dol", - "fileset.name": "zia", - "host.name": "eaque6543.api.domain", - "http.request.referrer": "https://api.example.net/umd/sciveli.htm?tur=acon#Nemoenim", - "input.type": "log", - "log.offset": 32670, - "network.bytes": 1142, - "network.protocol": "udp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "eaque6543.api.domain" - ], - "related.ip": [ - "10.128.184.241", - "10.138.188.201" - ], - "related.user": [ - "etur" - ], - "rsa.db.index": "riatur", - "rsa.identity.user_dept": "urau", - "rsa.internal.data": "equat", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "issu", - "rsa.misc.action": [ - "Allowed", - "sed" - ], - "rsa.misc.category": "atur", - "rsa.misc.filter": "iciadese", - "rsa.misc.reference_id": "rsitvol", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "uid", - "rsa.network.alias_host": [ - "eaque6543.api.domain" - ], - "rsa.threat.threat_category": "piscivel", - "rsa.time.event_time": "2017-06-26T09:42:33.000Z", - "rsa.time.timezone": "GMT+02:00", - "rsa.web.fqdn": "eaque6543.api.domain", - "service.type": "zscaler", - "source.bytes": 6793, - "source.ip": "10.128.184.241", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "mail.example.com", - "url.extension": "html", - "url.fragment": "umS", - "url.original": "https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS", - "url.path": "/eseruntm/lpaquiof.html", - "url.query": "magnaal=uscip", - "url.scheme": "https", - "user.name": "etur", - 
"user_agent.device.name": "ZTE BLADE V7", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2017-07-11T04:45:07.000Z", - "destination.bytes": 2990, - "destination.ip": "10.53.101.131", - "event.action": "Allowed", - "event.code": "itinvol", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "ectob ZSCALERNSS: time=mrema Jul 11 2:45:07 2017^^timezone=CET^^action=Allowed^^reason=failure^^hostname=eufug1756.mail.corp^^protocol=ggp^^serverip=10.53.101.131^^url=https://example.net/snulap/enimadm.html?writte=sitvo#ine^^urlcategory=urerepre^^urlclass=asnulap^^dlpdictionaries=ipi^^dlpengine=idolorem^^filetype=exerci^^threatcategory=idata^^threatclass=ese^^pagerisk=mmodoco^^threatname=amni^^clientpublicIP=atnul^^ClientIP=10.213.57.165^^location=illumq^^refererURL=https://www5.example.org/ite/tasnul.txt?evitae=amvo#tnul^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ectetura^^user=isau^^event_id=itinvol^^clienttranstime=ten^^requestmethod=litanim^^requestsize=2135^^requestversion=orsitam^^status=modico^^responsesize=2990^^responseversion=itatio^^transactionsize=6735", - "event.timezone": "CET", - "file.type": "exerci", - "fileset.name": "zia", - "host.name": "eufug1756.mail.corp", - "http.request.referrer": "https://www5.example.org/ite/tasnul.txt?evitae=amvo#tnul", - "input.type": "log", - "log.offset": 33551, - "network.bytes": 6735, - "network.protocol": "ggp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "eufug1756.mail.corp" - ], - "related.ip": [ - 
"10.213.57.165", - "10.53.101.131" - ], - "related.user": [ - "isau" - ], - "rsa.db.index": "asnulap", - "rsa.identity.user_dept": "ectetura", - "rsa.internal.data": "ectob", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "ese", - "rsa.misc.action": [ - "Allowed", - "litanim" - ], - "rsa.misc.category": "idata", - "rsa.misc.filter": "urerepre", - "rsa.misc.reference_id": "itinvol", - "rsa.misc.result": "failure", - "rsa.misc.result_code": "modico", - "rsa.network.alias_host": [ - "eufug1756.mail.corp" - ], - "rsa.threat.threat_category": "amni", - "rsa.time.event_time": "2017-07-11T04:45:07.000Z", - "rsa.time.timezone": "CET", - "rsa.web.fqdn": "eufug1756.mail.corp", - "service.type": "zscaler", - "source.bytes": 2135, - "source.ip": "10.213.57.165", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "example.net", - "url.extension": "html", - "url.fragment": "ine", - "url.original": "https://example.net/snulap/enimadm.html?writte=sitvo#ine", - "url.path": "/snulap/enimadm.html", - "url.query": "writte=sitvo", - "url.scheme": "https", - "user.name": "isau", - "user_agent.device.name": "LG-$2", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2017-07-25T11:47:41.000Z", - "destination.bytes": 3601, - "destination.ip": "10.243.6.41", - "event.action": "Blocked", - "event.code": "ainc", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "riame ZSCALERNSS: time=riat Jul 25 9:47:41 
2017^^timezone=GMT+02:00^^action=Blocked^^reason=unknown^^hostname=orp5697.www.invalid^^protocol=ggp^^serverip=10.243.6.41^^url=https://internal.example.org/etcon/onsequu.gif?Bonoru=madminim#ents^^urlcategory=emacc^^urlclass=emp^^dlpdictionaries=lamcola^^dlpengine=veli^^filetype=venia^^threatcategory=risni^^threatclass=idolores^^pagerisk=paria^^threatname=mmod^^clientpublicIP=iti^^ClientIP=10.55.81.14^^location=lorsitam^^refererURL=https://api.example.org/onpr/litseddo.gif?oremqu=idex#radip^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=tenim^^user=eiusmo^^event_id=ainc^^clienttranstime=miurerep^^requestmethod=lestia^^requestsize=3606^^requestversion=iduntu^^status=pisci^^responsesize=3601^^responseversion=nostrud^^transactionsize=203", - "event.timezone": "GMT+02:00", - "file.type": "venia", - "fileset.name": "zia", - "host.name": "orp5697.www.invalid", - "http.request.referrer": "https://api.example.org/onpr/litseddo.gif?oremqu=idex#radip", - "input.type": "log", - "log.offset": 34428, - "network.bytes": 203, - "network.protocol": "ggp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "orp5697.www.invalid" - ], - "related.ip": [ - "10.243.6.41", - "10.55.81.14" - ], - "related.user": [ - "eiusmo" - ], - "rsa.db.index": "emp", - "rsa.identity.user_dept": "tenim", - "rsa.internal.data": "riame", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "idolores", - "rsa.misc.action": [ - "Blocked", - "lestia" - ], - "rsa.misc.category": "risni", - "rsa.misc.filter": "emacc", - "rsa.misc.reference_id": "ainc", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "pisci", - "rsa.network.alias_host": [ - 
"orp5697.www.invalid" - ], - "rsa.threat.threat_category": "mmod", - "rsa.time.event_time": "2017-07-25T11:47:41.000Z", - "rsa.time.timezone": "GMT+02:00", - "rsa.web.fqdn": "orp5697.www.invalid", - "service.type": "zscaler", - "source.bytes": 3606, - "source.ip": "10.55.81.14", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "internal.example.org", - "url.extension": "gif", - "url.fragment": "ents", - "url.original": "https://internal.example.org/etcon/onsequu.gif?Bonoru=madminim#ents", - "url.path": "/etcon/onsequu.gif", - "url.query": "Bonoru=madminim", - "url.scheme": "https", - "user.name": "eiusmo", - "user_agent.device.name": "Pixel 3", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "66.0.3359.158" - }, - { - "@timestamp": "2017-08-08T06:50:15.000Z", - "destination.bytes": 4241, - "destination.ip": "10.33.144.10", - "event.action": "Blocked", - "event.code": "labo", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "ore ZSCALERNSS: time=esse Aug 8 4:50:15 2017^^timezone=PST^^action=Blocked^^reason=success^^hostname=pariatur7238.www5.invalid^^protocol=tcp^^serverip=10.33.144.10^^url=https://www.example.org/rur/itse.gif?pisciv=fugiatqu#seos^^urlcategory=exercita^^urlclass=edolori^^dlpdictionaries=eve^^dlpengine=tco^^filetype=tvol^^threatcategory=oluptate^^threatclass=lit^^pagerisk=santi^^threatname=ritati^^clientpublicIP=iciade^^ClientIP=10.202.224.79^^location=idolo^^refererURL=https://example.com/ptassita/caecatcu.txt?eturadip=olorsi#itseddo^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile 
Safari/537.36^^department=seos^^user=rios^^event_id=labo^^clienttranstime=lpaquiof^^requestmethod=quu^^requestsize=2203^^requestversion=ntexpl^^status=abor^^responsesize=4241^^responseversion=enbyCi^^transactionsize=3813", - "event.timezone": "PST", - "file.type": "tvol", - "fileset.name": "zia", - "host.name": "pariatur7238.www5.invalid", - "http.request.referrer": "https://example.com/ptassita/caecatcu.txt?eturadip=olorsi#itseddo", - "input.type": "log", - "log.offset": 35335, - "network.bytes": 3813, - "network.protocol": "tcp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "pariatur7238.www5.invalid" - ], - "related.ip": [ - "10.202.224.79", - "10.33.144.10" - ], - "related.user": [ - "rios" - ], - "rsa.db.index": "edolori", - "rsa.identity.user_dept": "seos", - "rsa.internal.data": "ore", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "lit", - "rsa.misc.action": [ - "Blocked", - "quu" - ], - "rsa.misc.category": "oluptate", - "rsa.misc.filter": "exercita", - "rsa.misc.reference_id": "labo", - "rsa.misc.result": "success", - "rsa.misc.result_code": "abor", - "rsa.network.alias_host": [ - "pariatur7238.www5.invalid" - ], - "rsa.threat.threat_category": "ritati", - "rsa.time.event_time": "2017-08-08T06:50:15.000Z", - "rsa.time.timezone": "PST", - "rsa.web.fqdn": "pariatur7238.www5.invalid", - "service.type": "zscaler", - "source.bytes": 2203, - "source.ip": "10.202.224.79", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "www.example.org", - "url.extension": "gif", - "url.fragment": "seos", - "url.original": "https://www.example.org/rur/itse.gif?pisciv=fugiatqu#seos", - "url.path": "/rur/itse.gif", - "url.query": "pisciv=fugiatqu", - "url.scheme": "https", - "user.name": "rios", - 
"user_agent.device.name": "LG-$2", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2017-08-22T13:52:50.000Z", - "destination.bytes": 6317, - "destination.ip": "10.158.18.51", - "event.action": "Allowed", - "event.code": "exerci", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "tat ZSCALERNSS: time=eufugia Aug 22 11:52:50 2017^^timezone=GMT-07:00^^action=Allowed^^reason=failure^^hostname=fficia2304.www5.home^^protocol=icmp^^serverip=10.158.18.51^^url=https://mail.example.com/qui/equeporr.jpg?itsedd=texpli#liquipex^^urlcategory=uisnos^^urlclass=quamqua^^dlpdictionaries=ntut^^dlpengine=mag^^filetype=meum^^threatcategory=mini^^threatclass=Loremip^^pagerisk=oreeu^^threatname=nvo^^clientpublicIP=iamqui^^ClientIP=10.20.124.138^^location=aqui^^refererURL=https://www.example.net/lpa/isn.htm?iat=ffic#siuta^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=aparia^^user=CSe^^event_id=exerci^^clienttranstime=inesciu^^requestmethod=quid^^requestsize=5452^^requestversion=emu^^status=orem^^responsesize=6317^^responseversion=ate^^transactionsize=4386", - "event.timezone": "GMT-07:00", - "file.type": "meum", - "fileset.name": "zia", - "host.name": "fficia2304.www5.home", - "http.request.referrer": "https://www.example.net/lpa/isn.htm?iat=ffic#siuta", - "input.type": "log", - "log.offset": 36210, - "network.bytes": 4386, - "network.protocol": "icmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "fficia2304.www5.home" - ], - "related.ip": [ - "10.158.18.51", - "10.20.124.138" - 
], - "related.user": [ - "CSe" - ], - "rsa.db.index": "quamqua", - "rsa.identity.user_dept": "aparia", - "rsa.internal.data": "tat", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "Loremip", - "rsa.misc.action": [ - "Allowed", - "quid" - ], - "rsa.misc.category": "mini", - "rsa.misc.filter": "uisnos", - "rsa.misc.reference_id": "exerci", - "rsa.misc.result": "failure", - "rsa.misc.result_code": "orem", - "rsa.network.alias_host": [ - "fficia2304.www5.home" - ], - "rsa.threat.threat_category": "nvo", - "rsa.time.event_time": "2017-08-22T13:52:50.000Z", - "rsa.time.timezone": "GMT-07:00", - "rsa.web.fqdn": "fficia2304.www5.home", - "service.type": "zscaler", - "source.bytes": 5452, - "source.ip": "10.20.124.138", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "mail.example.com", - "url.extension": "jpg", - "url.fragment": "liquipex", - "url.original": "https://mail.example.com/qui/equeporr.jpg?itsedd=texpli#liquipex", - "url.path": "/qui/equeporr.jpg", - "url.query": "itsedd=texpli", - "url.scheme": "https", - "user.name": "CSe", - "user_agent.device.name": "U307AS", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2017-09-06T08:55:24.000Z", - "destination.bytes": 1044, - "destination.ip": "10.134.128.27", - "event.action": "Allowed", - "event.code": "olore", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "tqu ZSCALERNSS: time=eirur Sep 6 6:55:24 
2017^^timezone=CT^^action=Allowed^^reason=unknown^^hostname=mquisnos7453.home^^protocol=igmp^^serverip=10.134.128.27^^url=https://api.example.net/lup/iumtotam.html?ipitlabo=userror#eacommo^^urlcategory=nderi^^urlclass=liqua^^dlpdictionaries=ariatur^^dlpengine=labo^^filetype=sautei^^threatcategory=ataevita^^threatclass=voluptas^^pagerisk=velill^^threatname=rspic^^clientpublicIP=orinrepr^^ClientIP=10.118.177.136^^location=borumSec^^refererURL=https://www5.example.org/snisiut/siar.txt?inB=orp#ender^^useragent=Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=rumSecti^^user=Utenima^^event_id=olore^^clienttranstime=orumS^^requestmethod=olor^^requestsize=6908^^requestversion=eursint^^status=orio^^responsesize=1044^^responseversion=iameaqu^^transactionsize=2429", - "event.timezone": "CT", - "file.type": "sautei", - "fileset.name": "zia", - "host.name": "mquisnos7453.home", - "http.request.referrer": "https://www5.example.org/snisiut/siar.txt?inB=orp#ender", - "input.type": "log", - "log.offset": 37074, - "network.bytes": 2429, - "network.protocol": "igmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "mquisnos7453.home" - ], - "related.ip": [ - "10.118.177.136", - "10.134.128.27" - ], - "related.user": [ - "Utenima" - ], - "rsa.db.index": "liqua", - "rsa.identity.user_dept": "rumSecti", - "rsa.internal.data": "tqu", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "voluptas", - "rsa.misc.action": [ - "Allowed", - "olor" - ], - "rsa.misc.category": "ataevita", - "rsa.misc.filter": "nderi", - "rsa.misc.reference_id": "olore", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "orio", 
- "rsa.network.alias_host": [ - "mquisnos7453.home" - ], - "rsa.threat.threat_category": "rspic", - "rsa.time.event_time": "2017-09-06T08:55:24.000Z", - "rsa.time.timezone": "CT", - "rsa.web.fqdn": "mquisnos7453.home", - "service.type": "zscaler", - "source.bytes": 6908, - "source.ip": "10.118.177.136", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "api.example.net", - "url.extension": "html", - "url.fragment": "eacommo", - "url.original": "https://api.example.net/lup/iumtotam.html?ipitlabo=userror#eacommo", - "url.path": "/lup/iumtotam.html", - "url.query": "ipitlabo=userror", - "url.scheme": "https", - "user.name": "Utenima", - "user_agent.device.name": "Meizu M6", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", - "user_agent.os.full": "Android 7.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "7.0", - "user_agent.version": "77.0.3865.120" - }, - { - "@timestamp": "2017-09-20T03:57:58.000Z", - "destination.bytes": 3034, - "destination.ip": "10.68.8.143", - "event.action": "Allowed", - "event.code": "lorem", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "olu ZSCALERNSS: time=iameaque Sep 20 1:57:58 2017^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=aquio748.www.localhost^^protocol=igmp^^serverip=10.68.8.143^^url=https://example.org/onproide/uamnih.htm?tatisetq=uidolo#umdolore^^urlcategory=dmi^^urlclass=tam^^dlpdictionaries=oremip^^dlpengine=eufugi^^filetype=dunt^^threatcategory=ames^^threatclass=amni^^pagerisk=tatio^^threatname=amquisno^^clientpublicIP=modoc^^ClientIP=10.125.120.97^^location=uid^^refererURL=https://internal.example.com/onev/orsi.txt?oreseo=reprehen#itamet^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/66.0.3359.158 Mobile Safari/537.36^^department=idolo^^user=reet^^event_id=lorem^^clienttranstime=texplic^^requestmethod=edutp^^requestsize=911^^requestversion=assi^^status=eserun^^responsesize=3034^^responseversion=eniamqu^^transactionsize=1185", - "event.timezone": "OMST", - "file.type": "dunt", - "fileset.name": "zia", - "host.name": "aquio748.www.localhost", - "http.request.referrer": "https://internal.example.com/onev/orsi.txt?oreseo=reprehen#itamet", - "input.type": "log", - "log.offset": 38021, - "network.bytes": 1185, - "network.protocol": "igmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "aquio748.www.localhost" - ], - "related.ip": [ - "10.125.120.97", - "10.68.8.143" - ], - "related.user": [ - "reet" - ], - "rsa.db.index": "tam", - "rsa.identity.user_dept": "idolo", - "rsa.internal.data": "olu", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "amni", - "rsa.misc.action": [ - "Allowed", - "edutp" - ], - "rsa.misc.category": "ames", - "rsa.misc.filter": "dmi", - "rsa.misc.reference_id": "lorem", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "eserun", - "rsa.network.alias_host": [ - "aquio748.www.localhost" - ], - "rsa.threat.threat_category": "amquisno", - "rsa.time.event_time": "2017-09-20T03:57:58.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.fqdn": "aquio748.www.localhost", - "service.type": "zscaler", - "source.bytes": 911, - "source.ip": "10.125.120.97", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "example.org", - "url.extension": "htm", - "url.fragment": "umdolore", - "url.original": "https://example.org/onproide/uamnih.htm?tatisetq=uidolo#umdolore", - "url.path": "/onproide/uamnih.htm", - "url.query": "tatisetq=uidolo", - "url.scheme": "https", - "user.name": 
"reet", - "user_agent.device.name": "Pixel 3", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "66.0.3359.158" - }, - { - "@timestamp": "2017-10-04T11:00:32.000Z", - "destination.bytes": 4982, - "destination.ip": "10.143.0.78", - "event.action": "Blocked", - "event.code": "atems", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "tatevel ZSCALERNSS: time=midestl Oct 4 9:00:32 2017^^timezone=PST^^action=Blocked^^reason=unknown^^hostname=remagnam796.mail.corp^^protocol=rdp^^serverip=10.143.0.78^^url=https://www5.example.org/obeataev/umf.htm?moll=quaeabil#emip^^urlcategory=aturQu^^urlclass=itesse^^dlpdictionaries=iamqui^^dlpengine=quide^^filetype=aria^^threatcategory=inim^^threatclass=etdol^^pagerisk=Sed^^threatname=oremeumf^^clientpublicIP=lesti^^ClientIP=10.137.164.122^^location=enima^^refererURL=https://www5.example.net/ico/giatquo.htm?evi=tionula#accus^^useragent=Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=amnihil^^user=orissus^^event_id=atems^^clienttranstime=nimaveni^^requestmethod=mwrit^^requestsize=2923^^requestversion=itse^^status=officiad^^responsesize=4982^^responseversion=nimadmin^^transactionsize=5577", - "event.timezone": "PST", - "file.type": "aria", - "fileset.name": "zia", - "host.name": "remagnam796.mail.corp", - "http.request.referrer": "https://www5.example.net/ico/giatquo.htm?evi=tionula#accus", - "input.type": "log", - "log.offset": 38924, - "network.bytes": 5577, - "network.protocol": "rdp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": 
"Zscaler", - "related.hosts": [ - "remagnam796.mail.corp" - ], - "related.ip": [ - "10.137.164.122", - "10.143.0.78" - ], - "related.user": [ - "orissus" - ], - "rsa.db.index": "itesse", - "rsa.identity.user_dept": "amnihil", - "rsa.internal.data": "tatevel", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "etdol", - "rsa.misc.action": [ - "Blocked", - "mwrit" - ], - "rsa.misc.category": "inim", - "rsa.misc.filter": "aturQu", - "rsa.misc.reference_id": "atems", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "officiad", - "rsa.network.alias_host": [ - "remagnam796.mail.corp" - ], - "rsa.threat.threat_category": "oremeumf", - "rsa.time.event_time": "2017-10-04T11:00:32.000Z", - "rsa.time.timezone": "PST", - "rsa.web.fqdn": "remagnam796.mail.corp", - "service.type": "zscaler", - "source.bytes": 2923, - "source.ip": "10.137.164.122", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "www5.example.org", - "url.extension": "htm", - "url.fragment": "emip", - "url.original": "https://www5.example.org/obeataev/umf.htm?moll=quaeabil#emip", - "url.path": "/obeataev/umf.htm", - "url.query": "moll=quaeabil", - "url.scheme": "https", - "user.name": "orissus", - "user_agent.device.name": "Meizu M6", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", - "user_agent.os.full": "Android 7.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "7.0", - "user_agent.version": "77.0.3865.120" - }, - { - "@timestamp": "2017-10-19T06:03:07.000Z", - "destination.bytes": 7556, - "destination.ip": "10.30.87.51", - "event.action": "Blocked", - "event.code": "rchit", - "event.dataset": "zscaler.zia", - 
"event.module": "zscaler", - "event.original": "quiavolu ZSCALERNSS: time=upta Oct 19 4:03:07 2017^^timezone=OMST^^action=Blocked^^reason=failure^^hostname=etdolore4227.internal.corp^^protocol=icmp^^serverip=10.30.87.51^^url=https://mail.example.org/consequa/eaqueip.gif?aevitaed=byCic#leumiur^^urlcategory=ptatemse^^urlclass=siarc^^dlpdictionaries=fdeFin^^dlpengine=eleumi^^filetype=edic^^threatcategory=udexerc^^threatclass=tatno^^pagerisk=isnisiut^^threatname=atatnon^^clientpublicIP=lica^^ClientIP=10.156.177.53^^location=Nequ^^refererURL=https://www.example.com/epo/rsit.txt?onorumet=ptatema#eavolup^^useragent=Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36^^department=rmagnido^^user=psaquaea^^event_id=rchit^^clienttranstime=psumq^^requestmethod=ptatev^^requestsize=6552^^requestversion=xerc^^status=ctetura^^responsesize=7556^^responseversion=tDuis^^transactionsize=3281", - "event.timezone": "OMST", - "file.type": "edic", - "fileset.name": "zia", - "host.name": "etdolore4227.internal.corp", - "http.request.referrer": "https://www.example.com/epo/rsit.txt?onorumet=ptatema#eavolup", - "input.type": "log", - "log.offset": 39868, - "network.bytes": 3281, - "network.protocol": "icmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "etdolore4227.internal.corp" - ], - "related.ip": [ - "10.156.177.53", - "10.30.87.51" - ], - "related.user": [ - "psaquaea" - ], - "rsa.db.index": "siarc", - "rsa.identity.user_dept": "rmagnido", - "rsa.internal.data": "quiavolu", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "tatno", - "rsa.misc.action": [ - "Blocked", - "ptatev" - ], - "rsa.misc.category": "udexerc", - "rsa.misc.filter": "ptatemse", - 
"rsa.misc.reference_id": "rchit", - "rsa.misc.result": "failure", - "rsa.misc.result_code": "ctetura", - "rsa.network.alias_host": [ - "etdolore4227.internal.corp" - ], - "rsa.threat.threat_category": "atatnon", - "rsa.time.event_time": "2017-10-19T06:03:07.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.fqdn": "etdolore4227.internal.corp", - "service.type": "zscaler", - "source.bytes": 6552, - "source.ip": "10.156.177.53", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "mail.example.org", - "url.extension": "gif", - "url.fragment": "leumiur", - "url.original": "https://mail.example.org/consequa/eaqueip.gif?aevitaed=byCic#leumiur", - "url.path": "/consequa/eaqueip.gif", - "url.query": "aevitaed=byCic", - "url.scheme": "https", - "user.name": "psaquaea", - "user_agent.device.name": "Asus X01BDA", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "80.0.3987.162" - }, - { - "@timestamp": "2017-11-02T13:05:41.000Z", - "destination.bytes": 470, - "destination.ip": "10.83.138.34", - "event.action": "Blocked", - "event.code": "inea", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "tat ZSCALERNSS: time=equ Nov 2 11:05:41 2017^^timezone=GMT+02:00^^action=Blocked^^reason=unknown^^hostname=rors1935.api.domain^^protocol=udp^^serverip=10.83.138.34^^url=https://example.org/tmo/onofdeF.txt?oremip=its#uptasnul^^urlcategory=aliqui^^urlclass=datatnon^^dlpdictionaries=aedict^^dlpengine=niamqui^^filetype=usmodite^^threatcategory=tlabo^^threatclass=tatemse^^pagerisk=ntoccaec^^threatname=uamestqu^^clientpublicIP=mpor^^ClientIP=10.111.249.184^^location=ptatemU^^refererURL=https://example.org/rumSe/tatnonp.jpg?tlabore=idunt#expl^^useragent=Mozilla/5.0 (iPhone; CPU 
iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=onsectet^^user=dentsunt^^event_id=inea^^clienttranstime=animid^^requestmethod=upta^^requestsize=313^^requestversion=onnumqua^^status=quioff^^responsesize=470^^responseversion=upt^^transactionsize=6017", - "event.timezone": "GMT+02:00", - "file.type": "usmodite", - "fileset.name": "zia", - "host.name": "rors1935.api.domain", - "http.request.referrer": "https://example.org/rumSe/tatnonp.jpg?tlabore=idunt#expl", - "input.type": "log", - "log.offset": 40778, - "network.bytes": 6017, - "network.protocol": "udp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "rors1935.api.domain" - ], - "related.ip": [ - "10.111.249.184", - "10.83.138.34" - ], - "related.user": [ - "dentsunt" - ], - "rsa.db.index": "datatnon", - "rsa.identity.user_dept": "onsectet", - "rsa.internal.data": "tat", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "tatemse", - "rsa.misc.action": [ - "Blocked", - "upta" - ], - "rsa.misc.category": "tlabo", - "rsa.misc.filter": "aliqui", - "rsa.misc.reference_id": "inea", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "quioff", - "rsa.network.alias_host": [ - "rors1935.api.domain" - ], - "rsa.threat.threat_category": "uamestqu", - "rsa.time.event_time": "2017-11-02T13:05:41.000Z", - "rsa.time.timezone": "GMT+02:00", - "rsa.web.fqdn": "rors1935.api.domain", - "service.type": "zscaler", - "source.bytes": 313, - "source.ip": "10.111.249.184", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "example.org", - "url.extension": "txt", - 
"url.fragment": "uptasnul", - "url.original": "https://example.org/tmo/onofdeF.txt?oremip=its#uptasnul", - "url.path": "/tmo/onofdeF.txt", - "url.query": "oremip=its", - "url.scheme": "https", - "user.name": "dentsunt", - "user_agent.device.name": "iPhone", - "user_agent.name": "Facebook", - "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", - "user_agent.os.full": "iOS 13.4.1", - "user_agent.os.name": "iOS", - "user_agent.os.version": "13.4.1", - "user_agent.version": "266.0.0" - }, - { - "@timestamp": "2017-11-16T08:08:15.000Z", - "destination.bytes": 7810, - "destination.ip": "10.141.195.13", - "event.action": "Allowed", - "event.code": "tautfugi", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "nvol ZSCALERNSS: time=dtemp Nov 16 6:08:15 2017^^timezone=PT^^action=Allowed^^reason=unknown^^hostname=idexeac1655.internal.test^^protocol=ipv6^^serverip=10.141.195.13^^url=https://mail.example.com/orsitvol/ntor.htm?itqu=minimav#smodtem^^urlcategory=roquisqu^^urlclass=ariat^^dlpdictionaries=midestl^^dlpengine=quatu^^filetype=avolu^^threatcategory=teturad^^threatclass=itesse^^pagerisk=expl^^threatname=essecill^^clientpublicIP=totamre^^ClientIP=10.180.150.47^^location=orsitv^^refererURL=https://internal.example.net/uisaute/uun.jpg?olupt=nemulla#asp^^useragent=Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90^^department=ncul^^user=taliq^^event_id=tautfugi^^clienttranstime=fdeFinib^^requestmethod=uip^^requestsize=3940^^requestversion=sectetur^^status=edquian^^responsesize=7810^^responseversion=turQuis^^transactionsize=4046", - "event.timezone": "PT", - "file.type": 
"avolu", - "fileset.name": "zia", - "host.name": "idexeac1655.internal.test", - "http.request.referrer": "https://internal.example.net/uisaute/uun.jpg?olupt=nemulla#asp", - "input.type": "log", - "log.offset": 41820, - "network.bytes": 4046, - "network.protocol": "ipv6", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "idexeac1655.internal.test" - ], - "related.ip": [ - "10.141.195.13", - "10.180.150.47" - ], - "related.user": [ - "taliq" - ], - "rsa.db.index": "ariat", - "rsa.identity.user_dept": "ncul", - "rsa.internal.data": "nvol", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "itesse", - "rsa.misc.action": [ - "Allowed", - "uip" - ], - "rsa.misc.category": "teturad", - "rsa.misc.filter": "roquisqu", - "rsa.misc.reference_id": "tautfugi", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "edquian", - "rsa.network.alias_host": [ - "idexeac1655.internal.test" - ], - "rsa.threat.threat_category": "essecill", - "rsa.time.event_time": "2017-11-16T08:08:15.000Z", - "rsa.time.timezone": "PT", - "rsa.web.fqdn": "idexeac1655.internal.test", - "service.type": "zscaler", - "source.bytes": 3940, - "source.ip": "10.180.150.47", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "mail.example.com", - "url.extension": "htm", - "url.fragment": "smodtem", - "url.original": "https://mail.example.com/orsitvol/ntor.htm?itqu=minimav#smodtem", - "url.path": "/orsitvol/ntor.htm", - "url.query": "itqu=minimav", - "url.scheme": "https", - "user.name": "taliq", - "user_agent.device.name": "U20", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 
YaSearchBrowser/10.90", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "44.0.2403.147" - }, - { - "@timestamp": "2017-12-01T03:10:49.000Z", - "destination.bytes": 2266, - "destination.ip": "10.166.195.20", - "event.action": "Allowed", - "event.code": "ceroinB", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "uames ZSCALERNSS: time=tconsec Dec 1 1:10:49 2017^^timezone=GMT-07:00^^action=Allowed^^reason=failure^^hostname=laboree3880.api.invalid^^protocol=rdp^^serverip=10.166.195.20^^url=https://internal.example.org/rumexe/xerci.gif?olor=quiav#gna^^urlcategory=Nem^^urlclass=tdolorem^^dlpdictionaries=eacomm^^dlpengine=upidata^^filetype=ici^^threatcategory=usant^^threatclass=mipsumq^^pagerisk=ident^^threatname=nimide^^clientpublicIP=quelaud^^ClientIP=10.255.40.12^^location=rro^^refererURL=https://api.example.com/nimv/emeu.htm?rem=tseddoei#teursint^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=remagnaa^^user=lamcolab^^event_id=ceroinB^^clienttranstime=umqui^^requestmethod=citation^^requestsize=7073^^requestversion=mcorpori^^status=orisn^^responsesize=2266^^responseversion=etMalor^^transactionsize=7800", - "event.timezone": "GMT-07:00", - "file.type": "ici", - "fileset.name": "zia", - "host.name": "laboree3880.api.invalid", - "http.request.referrer": "https://api.example.com/nimv/emeu.htm?rem=tseddoei#teursint", - "input.type": "log", - "log.offset": 42776, - "network.bytes": 7800, - "network.protocol": "rdp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "laboree3880.api.invalid" - ], - "related.ip": [ - "10.166.195.20", - "10.255.40.12" - ], - "related.user": [ - "lamcolab" - ], - "rsa.db.index": "tdolorem", - "rsa.identity.user_dept": "remagnaa", - "rsa.internal.data": "uames", - "rsa.internal.messageid": 
"ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "mipsumq", - "rsa.misc.action": [ - "Allowed", - "citation" - ], - "rsa.misc.category": "usant", - "rsa.misc.filter": "Nem", - "rsa.misc.reference_id": "ceroinB", - "rsa.misc.result": "failure", - "rsa.misc.result_code": "orisn", - "rsa.network.alias_host": [ - "laboree3880.api.invalid" - ], - "rsa.threat.threat_category": "nimide", - "rsa.time.event_time": "2017-12-01T03:10:49.000Z", - "rsa.time.timezone": "GMT-07:00", - "rsa.web.fqdn": "laboree3880.api.invalid", - "service.type": "zscaler", - "source.bytes": 7073, - "source.ip": "10.255.40.12", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "internal.example.org", - "url.extension": "gif", - "url.fragment": "gna", - "url.original": "https://internal.example.org/rumexe/xerci.gif?olor=quiav#gna", - "url.path": "/rumexe/xerci.gif", - "url.query": "olor=quiav", - "url.scheme": "https", - "user.name": "lamcolab", - "user_agent.device.name": "Generic Smartphone", - "user_agent.name": "Opera Mini", - "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", - "user_agent.os.name": "Symbian OS", - "user_agent.version": "7.1.32444" - }, - { - "@timestamp": "2017-12-15T10:13:24.000Z", - "destination.bytes": 5091, - "destination.ip": "10.22.122.43", - "event.action": "Blocked", - "event.code": "mexer", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "cta ZSCALERNSS: time=ercitat Dec 15 8:13:24 
2017^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=tecto708.www5.example^^protocol=rdp^^serverip=10.22.122.43^^url=https://example.org/tvolu/dutper.html?nbyCicer=scipit#equuntu^^urlcategory=quamni^^urlclass=turveli^^dlpdictionaries=isciv^^dlpengine=natus^^filetype=boreet^^threatcategory=luptasnu^^threatclass=ento^^pagerisk=snostr^^threatname=udexerc^^clientpublicIP=ovolupta^^ClientIP=10.100.143.226^^location=ametcon^^refererURL=https://internal.example.net/ecillu/quovol.html?ctasu=irat#sitame^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36^^department=ueporroq^^user=ute^^event_id=mexer^^clienttranstime=iam^^requestmethod=Bonoru^^requestsize=1396^^requestversion=ntutlab^^status=rumSecti^^responsesize=5091^^responseversion=gnama^^transactionsize=7815", - "event.timezone": "PT", - "file.type": "boreet", - "fileset.name": "zia", - "host.name": "tecto708.www5.example", - "http.request.referrer": "https://internal.example.net/ecillu/quovol.html?ctasu=irat#sitame", - "input.type": "log", - "log.offset": 43645, - "network.bytes": 7815, - "network.protocol": "rdp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "tecto708.www5.example" - ], - "related.ip": [ - "10.100.143.226", - "10.22.122.43" - ], - "related.user": [ - "ute" - ], - "rsa.db.index": "turveli", - "rsa.identity.user_dept": "ueporroq", - "rsa.internal.data": "cta", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "ento", - "rsa.misc.action": [ - "Blocked", - "Bonoru" - ], - "rsa.misc.category": "luptasnu", - "rsa.misc.filter": "quamni", - "rsa.misc.reference_id": "mexer", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "rumSecti", - 
"rsa.network.alias_host": [ - "tecto708.www5.example" - ], - "rsa.threat.threat_category": "udexerc", - "rsa.time.event_time": "2017-12-15T10:13:24.000Z", - "rsa.time.timezone": "PT", - "rsa.web.fqdn": "tecto708.www5.example", - "service.type": "zscaler", - "source.bytes": 1396, - "source.ip": "10.100.143.226", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "example.org", - "url.extension": "html", - "url.fragment": "equuntu", - "url.original": "https://example.org/tvolu/dutper.html?nbyCicer=scipit#equuntu", - "url.path": "/tvolu/dutper.html", - "url.query": "nbyCicer=scipit", - "url.scheme": "https", - "user.name": "ute", - "user_agent.device.name": "Mac", - "user_agent.name": "Yandex Browser", - "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", - "user_agent.os.full": "Mac OS X 10.15.6", - "user_agent.os.name": "Mac OS X", - "user_agent.os.version": "10.15.6", - "user_agent.version": "20.3.0" - }, - { - "@timestamp": "2017-12-29T05:15:58.000Z", - "destination.bytes": 7456, - "destination.ip": "10.119.53.68", - "event.action": "Blocked", - "event.code": "illum", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "tesse ZSCALERNSS: time=olupta Dec 29 3:15:58 2017^^timezone=GMT+02:00^^action=Blocked^^reason=success^^hostname=ine3181.www.invalid^^protocol=ipv6-icmp^^serverip=10.119.53.68^^url=https://www.example.com/uiavo/uisaut.htm?paq=uianon#nul^^urlcategory=onse^^urlclass=sitam^^dlpdictionaries=inibusBo^^dlpengine=illoin^^filetype=emUtenim^^threatcategory=ende^^threatclass=dexea^^pagerisk=aco^^threatname=sse^^clientpublicIP=ihilm^^ClientIP=10.121.9.5^^location=uptas^^refererURL=https://www5.example.net/ons/unt.txt?ctetur=mvolupta#squame^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile 
Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=mea^^user=ssec^^event_id=illum^^clienttranstime=eprehe^^requestmethod=tinvolup^^requestsize=497^^requestversion=tvol^^status=ptat^^responsesize=7456^^responseversion=tdolo^^transactionsize=1882", - "event.timezone": "GMT+02:00", - "file.type": "emUtenim", - "fileset.name": "zia", - "host.name": "ine3181.www.invalid", - "http.request.referrer": "https://www5.example.net/ons/unt.txt?ctetur=mvolupta#squame", - "input.type": "log", - "log.offset": 44575, - "network.bytes": 1882, - "network.protocol": "ipv6-icmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "ine3181.www.invalid" - ], - "related.ip": [ - "10.119.53.68", - "10.121.9.5" - ], - "related.user": [ - "ssec" - ], - "rsa.db.index": "sitam", - "rsa.identity.user_dept": "mea", - "rsa.internal.data": "tesse", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "dexea", - "rsa.misc.action": [ - "Blocked", - "tinvolup" - ], - "rsa.misc.category": "ende", - "rsa.misc.filter": "onse", - "rsa.misc.reference_id": "illum", - "rsa.misc.result": "success", - "rsa.misc.result_code": "ptat", - "rsa.network.alias_host": [ - "ine3181.www.invalid" - ], - "rsa.threat.threat_category": "sse", - "rsa.time.event_time": "2017-12-29T05:15:58.000Z", - "rsa.time.timezone": "GMT+02:00", - "rsa.web.fqdn": "ine3181.www.invalid", - "service.type": "zscaler", - "source.bytes": 497, - "source.ip": "10.121.9.5", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "www.example.com", - "url.extension": "htm", - "url.fragment": "nul", - "url.original": "https://www.example.com/uiavo/uisaut.htm?paq=uianon#nul", - "url.path": "/uiavo/uisaut.htm", - "url.query": "paq=uianon", - "url.scheme": "https", - "user.name": "ssec", - 
"user_agent.device.name": "Lenovo A2016a40 ", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "48.0.2564.106" - }, - { - "@timestamp": "2018-01-12T12:18:32.000Z", - "destination.bytes": 1428, - "destination.ip": "10.237.0.173", - "event.action": "Blocked", - "event.code": "periam", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "eleumi ZSCALERNSS: time=equ Jan 12 10:18:32 2018^^timezone=GMT-07:00^^action=Blocked^^reason=unknown^^hostname=tsunt3403.www5.test^^protocol=udp^^serverip=10.237.0.173^^url=https://mail.example.com/uasiarch/Malor.jpg?iinea=snos#upt^^urlcategory=oremipsu^^urlclass=tMalor^^dlpdictionaries=oreetd^^dlpengine=lor^^filetype=oreeu^^threatcategory=taspe^^threatclass=eritqui^^pagerisk=atquovol^^threatname=evel^^clientpublicIP=edol^^ClientIP=10.31.153.177^^location=maccus^^refererURL=https://www.example.com/totamrem/aliqu.htm?sBonorum=moenimi#lor^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=tiset^^user=sci^^event_id=periam^^clienttranstime=fugiatnu^^requestmethod=dolor^^requestsize=4350^^requestversion=eumfu^^status=docons^^responsesize=1428^^responseversion=eumf^^transactionsize=6826", - "event.timezone": "GMT-07:00", - "file.type": "oreeu", - "fileset.name": "zia", - "host.name": "tsunt3403.www5.test", - "http.request.referrer": "https://www.example.com/totamrem/aliqu.htm?sBonorum=moenimi#lor", - "input.type": "log", - "log.offset": 45512, - "network.bytes": 6826, - "network.protocol": "udp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - 
"tsunt3403.www5.test" - ], - "related.ip": [ - "10.237.0.173", - "10.31.153.177" - ], - "related.user": [ - "sci" - ], - "rsa.db.index": "tMalor", - "rsa.identity.user_dept": "tiset", - "rsa.internal.data": "eleumi", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "eritqui", - "rsa.misc.action": [ - "Blocked", - "dolor" - ], - "rsa.misc.category": "taspe", - "rsa.misc.filter": "oremipsu", - "rsa.misc.reference_id": "periam", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "docons", - "rsa.network.alias_host": [ - "tsunt3403.www5.test" - ], - "rsa.threat.threat_category": "evel", - "rsa.time.event_time": "2018-01-12T12:18:32.000Z", - "rsa.time.timezone": "GMT-07:00", - "rsa.web.fqdn": "tsunt3403.www5.test", - "service.type": "zscaler", - "source.bytes": 4350, - "source.ip": "10.31.153.177", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "mail.example.com", - "url.extension": "jpg", - "url.fragment": "upt", - "url.original": "https://mail.example.com/uasiarch/Malor.jpg?iinea=snos#upt", - "url.path": "/uasiarch/Malor.jpg", - "url.query": "iinea=snos", - "url.scheme": "https", - "user.name": "sci", - "user_agent.device.name": "Generic Smartphone", - "user_agent.name": "Opera Mini", - "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", - "user_agent.os.name": "Symbian OS", - "user_agent.version": "7.1.32444" - }, - { - "@timestamp": "2018-01-27T07:21:06.000Z", - "destination.bytes": 7612, - "destination.ip": "10.243.182.229", - "event.action": "Allowed", - "event.code": "emporin", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "uasi ZSCALERNSS: time=maveniam Jan 27 5:21:06 
2018^^timezone=PST^^action=Allowed^^reason=success^^hostname=pitl6126.www.localdomain^^protocol=ipv6-icmp^^serverip=10.243.182.229^^url=https://api.example.org/ntiumt/sumquia.jpg?lam=asnu#com^^urlcategory=rep^^urlclass=mveni^^dlpdictionaries=aquae^^dlpengine=olo^^filetype=edolori^^threatcategory=iaturE^^threatclass=epor^^pagerisk=umexer^^threatname=amnih^^clientpublicIP=tper^^ClientIP=10.229.102.140^^location=nulamc^^refererURL=https://www.example.org/etcon/ctobeat.txt?eddoei=lorumw#eca^^useragent=mobmail android 2.1.3.3150^^department=nimve^^user=duntut^^event_id=emporin^^clienttranstime=oreseosq^^requestmethod=etquasia^^requestsize=1800^^requestversion=tium^^status=nimip^^responsesize=7612^^responseversion=squamest^^transactionsize=3914", - "event.timezone": "PST", - "file.type": "edolori", - "fileset.name": "zia", - "host.name": "pitl6126.www.localdomain", - "http.request.referrer": "https://www.example.org/etcon/ctobeat.txt?eddoei=lorumw#eca", - "input.type": "log", - "log.offset": 46366, - "network.bytes": 3914, - "network.protocol": "ipv6-icmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "pitl6126.www.localdomain" - ], - "related.ip": [ - "10.229.102.140", - "10.243.182.229" - ], - "related.user": [ - "duntut" - ], - "rsa.db.index": "mveni", - "rsa.identity.user_dept": "nimve", - "rsa.internal.data": "uasi", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "epor", - "rsa.misc.action": [ - "Allowed", - "etquasia" - ], - "rsa.misc.category": "iaturE", - "rsa.misc.filter": "rep", - "rsa.misc.reference_id": "emporin", - "rsa.misc.result": "success", - "rsa.misc.result_code": "nimip", - "rsa.network.alias_host": [ - "pitl6126.www.localdomain" - ], - "rsa.threat.threat_category": "amnih", - "rsa.time.event_time": 
"2018-01-27T07:21:06.000Z", - "rsa.time.timezone": "PST", - "rsa.web.fqdn": "pitl6126.www.localdomain", - "service.type": "zscaler", - "source.bytes": 1800, - "source.ip": "10.229.102.140", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "api.example.org", - "url.extension": "jpg", - "url.fragment": "com", - "url.original": "https://api.example.org/ntiumt/sumquia.jpg?lam=asnu#com", - "url.path": "/ntiumt/sumquia.jpg", - "url.query": "lam=asnu", - "url.scheme": "https", - "user.name": "duntut", - "user_agent.device.name": "Other", - "user_agent.name": "Other", - "user_agent.original": "mobmail android 2.1.3.3150" - }, - { - "@timestamp": "2018-02-10T14:23:41.000Z", - "destination.bytes": 5763, - "destination.ip": "10.39.46.155", - "event.action": "Blocked", - "event.code": "BCSe", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "pteu ZSCALERNSS: time=uatD Feb 10 12:23:41 2018^^timezone=CEST^^action=Blocked^^reason=unknown^^hostname=remaper3297.internal.test^^protocol=ipv6-icmp^^serverip=10.39.46.155^^url=https://example.com/itsedqu/paq.jpg?hilmol=oluptate#todi^^urlcategory=emvel^^urlclass=pta^^dlpdictionaries=dolo^^dlpengine=itaedi^^filetype=hend^^threatcategory=remagna^^threatclass=adipisc^^pagerisk=aparia^^threatname=maliq^^clientpublicIP=ccusant^^ClientIP=10.120.138.109^^location=oidentsu^^refererURL=https://internal.example.org/onsec/dit.gif?lup=aeca#isau^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=sciveli^^user=picia^^event_id=BCSe^^clienttranstime=rem^^requestmethod=exer^^requestsize=447^^requestversion=remips^^status=lapari^^responsesize=5763^^responseversion=radipis^^transactionsize=3991", - "event.timezone": "CEST", - "file.type": "hend", - "fileset.name": "zia", - "host.name": "remaper3297.internal.test", - "http.request.referrer": "https://internal.example.org/onsec/dit.gif?lup=aeca#isau", - "input.type": 
"log", - "log.offset": 47161, - "network.bytes": 3991, - "network.protocol": "ipv6-icmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "remaper3297.internal.test" - ], - "related.ip": [ - "10.120.138.109", - "10.39.46.155" - ], - "related.user": [ - "picia" - ], - "rsa.db.index": "pta", - "rsa.identity.user_dept": "sciveli", - "rsa.internal.data": "pteu", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "adipisc", - "rsa.misc.action": [ - "Blocked", - "exer" - ], - "rsa.misc.category": "remagna", - "rsa.misc.filter": "emvel", - "rsa.misc.reference_id": "BCSe", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "lapari", - "rsa.network.alias_host": [ - "remaper3297.internal.test" - ], - "rsa.threat.threat_category": "maliq", - "rsa.time.event_time": "2018-02-10T14:23:41.000Z", - "rsa.time.timezone": "CEST", - "rsa.web.fqdn": "remaper3297.internal.test", - "service.type": "zscaler", - "source.bytes": 447, - "source.ip": "10.120.138.109", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "example.com", - "url.extension": "jpg", - "url.fragment": "todi", - "url.original": "https://example.com/itsedqu/paq.jpg?hilmol=oluptate#todi", - "url.path": "/itsedqu/paq.jpg", - "url.query": "hilmol=oluptate", - "url.scheme": "https", - "user.name": "picia", - "user_agent.device.name": "U307AS", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2018-02-24T09:26:15.000Z", - "destination.bytes": 6740, - "destination.ip": 
"10.53.191.49", - "event.action": "Blocked", - "event.code": "idestl", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "luptate ZSCALERNSS: time=eritqu Feb 24 7:26:15 2018^^timezone=ET^^action=Blocked^^reason=failure^^hostname=tamr1693.api.home^^protocol=ipv6^^serverip=10.53.191.49^^url=https://api.example.org/remeum/etur.html?Quisa=quiav#ctionofd^^urlcategory=elit^^urlclass=sam^^dlpdictionaries=tMal^^dlpengine=porin^^filetype=metMal^^threatcategory=ciati^^threatclass=ecillum^^pagerisk=olor^^threatname=amei^^clientpublicIP=doconseq^^ClientIP=10.133.102.57^^location=CSed^^refererURL=https://example.net/wri/itame.html?dictasun=psa#lorese^^useragent=Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36^^department=ctobeat^^user=onsec^^event_id=idestl^^clienttranstime=litani^^requestmethod=emp^^requestsize=6397^^requestversion=onoru^^status=data^^responsesize=6740^^responseversion=eosqui^^transactionsize=5993", - "event.timezone": "ET", - "file.type": "metMal", - "fileset.name": "zia", - "host.name": "tamr1693.api.home", - "http.request.referrer": "https://example.net/wri/itame.html?dictasun=psa#lorese", - "input.type": "log", - "log.offset": 48041, - "network.bytes": 5993, - "network.protocol": "ipv6", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "tamr1693.api.home" - ], - "related.ip": [ - "10.133.102.57", - "10.53.191.49" - ], - "related.user": [ - "onsec" - ], - "rsa.db.index": "sam", - "rsa.identity.user_dept": "ctobeat", - "rsa.internal.data": "luptate", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "ecillum", - "rsa.misc.action": [ - "Blocked", - "emp" - ], - "rsa.misc.category": "ciati", - "rsa.misc.filter": 
"elit", - "rsa.misc.reference_id": "idestl", - "rsa.misc.result": "failure", - "rsa.misc.result_code": "data", - "rsa.network.alias_host": [ - "tamr1693.api.home" - ], - "rsa.threat.threat_category": "amei", - "rsa.time.event_time": "2018-02-24T09:26:15.000Z", - "rsa.time.timezone": "ET", - "rsa.web.fqdn": "tamr1693.api.home", - "service.type": "zscaler", - "source.bytes": 6397, - "source.ip": "10.133.102.57", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "api.example.org", - "url.extension": "html", - "url.fragment": "ctionofd", - "url.original": "https://api.example.org/remeum/etur.html?Quisa=quiav#ctionofd", - "url.path": "/remeum/etur.html", - "url.query": "Quisa=quiav", - "url.scheme": "https", - "user.name": "onsec", - "user_agent.device.name": "Asus X01BDA", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "80.0.3987.162" - }, - { - "@timestamp": "2018-03-11T04:28:49.000Z", - "destination.bytes": 5521, - "destination.ip": "10.91.2.225", - "event.action": "Allowed", - "event.code": "tcu", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "uam ZSCALERNSS: time=quis Mar 11 2:28:49 2018^^timezone=PST^^action=Allowed^^reason=failure^^hostname=cia5990.api.localdomain^^protocol=icmp^^serverip=10.91.2.225^^url=https://internal.example.org/ree/itten.gif?rsp=imipsa#nostrum^^urlcategory=autodita^^urlclass=ntut^^dlpdictionaries=temveleu^^dlpengine=itametco^^filetype=etcons^^threatcategory=etco^^threatclass=iuntN^^pagerisk=utfugi^^threatname=ursintoc^^clientpublicIP=tio^^ClientIP=10.89.41.97^^location=trudex^^refererURL=https://www.example.net/lup/mipsamv.htm?qua=ionula#pexeaco^^useragent=Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) 
AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36^^department=nderi^^user=tem^^event_id=tcu^^clienttranstime=eumiu^^requestmethod=nim^^requestsize=141^^requestversion=rehen^^status=uaeab^^responsesize=5521^^responseversion=serro^^transactionsize=1078", - "event.timezone": "PST", - "file.type": "etcons", - "fileset.name": "zia", - "host.name": "cia5990.api.localdomain", - "http.request.referrer": "https://www.example.net/lup/mipsamv.htm?qua=ionula#pexeaco", - "input.type": "log", - "log.offset": 48912, - "network.bytes": 1078, - "network.protocol": "icmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "cia5990.api.localdomain" - ], - "related.ip": [ - "10.89.41.97", - "10.91.2.225" - ], - "related.user": [ - "tem" - ], - "rsa.db.index": "ntut", - "rsa.identity.user_dept": "nderi", - "rsa.internal.data": "uam", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "iuntN", - "rsa.misc.action": [ - "Allowed", - "nim" - ], - "rsa.misc.category": "etco", - "rsa.misc.filter": "autodita", - "rsa.misc.reference_id": "tcu", - "rsa.misc.result": "failure", - "rsa.misc.result_code": "uaeab", - "rsa.network.alias_host": [ - "cia5990.api.localdomain" - ], - "rsa.threat.threat_category": "ursintoc", - "rsa.time.event_time": "2018-03-11T04:28:49.000Z", - "rsa.time.timezone": "PST", - "rsa.web.fqdn": "cia5990.api.localdomain", - "service.type": "zscaler", - "source.bytes": 141, - "source.ip": "10.89.41.97", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "internal.example.org", - "url.extension": "gif", - "url.fragment": "nostrum", - "url.original": "https://internal.example.org/ree/itten.gif?rsp=imipsa#nostrum", - "url.path": "/ree/itten.gif", - "url.query": 
"rsp=imipsa", - "url.scheme": "https", - "user.name": "tem", - "user_agent.device.name": "Samsung SM-A260G", - "user_agent.name": "Chrome Mobile WebView", - "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", - "user_agent.os.full": "Android 8.1.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "8.1.0", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2018-03-25T11:31:24.000Z", - "destination.bytes": 4211, - "destination.ip": "10.221.20.165", - "event.action": "Allowed", - "event.code": "velites", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "eturadip ZSCALERNSS: time=amquaera Mar 25 9:31:24 2018^^timezone=PT^^action=Allowed^^reason=success^^hostname=riatu2467.lan^^protocol=tcp^^serverip=10.221.20.165^^url=https://www.example.net/ritquiin/reseo.jpg?ari=umtot#onemulla^^urlcategory=atquo^^urlclass=borio^^dlpdictionaries=equatD^^dlpengine=uidol^^filetype=inculpa^^threatcategory=ruredol^^threatclass=iadeseru^^pagerisk=loremagn^^threatname=acons^^clientpublicIP=nimadmi^^ClientIP=10.7.18.226^^location=umiurer^^refererURL=https://internal.example.com/oluptass/uidol.txt?ametcon=ofdeFini#tasnu^^useragent=Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=tionev^^user=uasiarch^^event_id=velites^^clienttranstime=uredolor^^requestmethod=epreh^^requestsize=5810^^requestversion=edquiaco^^status=sequatD^^responsesize=4211^^responseversion=naaliq^^transactionsize=4508", - "event.timezone": "PT", - "file.type": "inculpa", - "fileset.name": "zia", - "host.name": "riatu2467.lan", - "http.request.referrer": "https://internal.example.com/oluptass/uidol.txt?ametcon=ofdeFini#tasnu", - "input.type": "log", - "log.offset": 49836, - 
"network.bytes": 4508, - "network.protocol": "tcp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "riatu2467.lan" - ], - "related.ip": [ - "10.221.20.165", - "10.7.18.226" - ], - "related.user": [ - "uasiarch" - ], - "rsa.db.index": "borio", - "rsa.identity.user_dept": "tionev", - "rsa.internal.data": "eturadip", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "iadeseru", - "rsa.misc.action": [ - "Allowed", - "epreh" - ], - "rsa.misc.category": "ruredol", - "rsa.misc.filter": "atquo", - "rsa.misc.reference_id": "velites", - "rsa.misc.result": "success", - "rsa.misc.result_code": "sequatD", - "rsa.network.alias_host": [ - "riatu2467.lan" - ], - "rsa.threat.threat_category": "acons", - "rsa.time.event_time": "2018-03-25T11:31:24.000Z", - "rsa.time.timezone": "PT", - "rsa.web.fqdn": "riatu2467.lan", - "service.type": "zscaler", - "source.bytes": 5810, - "source.ip": "10.7.18.226", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "www.example.net", - "url.extension": "jpg", - "url.fragment": "onemulla", - "url.original": "https://www.example.net/ritquiin/reseo.jpg?ari=umtot#onemulla", - "url.path": "/ritquiin/reseo.jpg", - "url.query": "ari=umtot", - "url.scheme": "https", - "user.name": "uasiarch", - "user_agent.device.name": "Meizu M6", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", - "user_agent.os.full": "Android 7.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "7.0", - "user_agent.version": "77.0.3865.120" - }, - { - "@timestamp": "2018-04-08T06:33:58.000Z", - "destination.bytes": 4580, - 
"destination.ip": "10.178.148.188", - "event.action": "Allowed", - "event.code": "rit", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "asiarc ZSCALERNSS: time=lor Apr 8 4:33:58 2018^^timezone=GMT+02:00^^action=Allowed^^reason=unknown^^hostname=pici1525.www5.corp^^protocol=ipv6^^serverip=10.178.148.188^^url=https://mail.example.com/dexe/nemul.jpg?yCicero=inimave#eavolupt^^urlcategory=uipe^^urlclass=ipsa^^dlpdictionaries=con^^dlpengine=eirured^^filetype=sequamn^^threatcategory=perspici^^threatclass=inimve^^pagerisk=aea^^threatname=emipsumd^^clientpublicIP=didun^^ClientIP=10.155.252.123^^location=asiarch^^refererURL=https://www5.example.net/utla/deomni.gif?fugi=nse#nesciu^^useragent=Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80^^department=ssequ^^user=inrepreh^^event_id=rit^^clienttranstime=velitess^^requestmethod=niam^^requestsize=6665^^requestversion=vel^^status=ionevo^^responsesize=4580^^responseversion=ptate^^transactionsize=52", - "event.timezone": "GMT+02:00", - "file.type": "sequamn", - "fileset.name": "zia", - "host.name": "pici1525.www5.corp", - "http.request.referrer": "https://www5.example.net/utla/deomni.gif?fugi=nse#nesciu", - "input.type": "log", - "log.offset": 50802, - "network.bytes": 52, - "network.protocol": "ipv6", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "pici1525.www5.corp" - ], - "related.ip": [ - "10.155.252.123", - "10.178.148.188" - ], - "related.user": [ - "inrepreh" - ], - "rsa.db.index": "ipsa", - "rsa.identity.user_dept": "ssequ", - "rsa.internal.data": "asiarc", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "inimve", - 
"rsa.misc.action": [ - "Allowed", - "niam" - ], - "rsa.misc.category": "perspici", - "rsa.misc.filter": "uipe", - "rsa.misc.reference_id": "rit", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "ionevo", - "rsa.network.alias_host": [ - "pici1525.www5.corp" - ], - "rsa.threat.threat_category": "emipsumd", - "rsa.time.event_time": "2018-04-08T06:33:58.000Z", - "rsa.time.timezone": "GMT+02:00", - "rsa.web.fqdn": "pici1525.www5.corp", - "service.type": "zscaler", - "source.bytes": 6665, - "source.ip": "10.155.252.123", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "mail.example.com", - "url.extension": "jpg", - "url.fragment": "eavolupt", - "url.original": "https://mail.example.com/dexe/nemul.jpg?yCicero=inimave#eavolupt", - "url.path": "/dexe/nemul.jpg", - "url.query": "yCicero=inimave", - "url.scheme": "https", - "user.name": "inrepreh", - "user_agent.device.name": "Android", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80", - "user_agent.os.full": "Android 5.1.1", - "user_agent.os.name": "Android", - "user_agent.os.version": "5.1.1", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2018-04-22T13:36:32.000Z", - "destination.bytes": 3723, - "destination.ip": "10.190.42.245", - "event.action": "Blocked", - "event.code": "aeab", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "umfu ZSCALERNSS: time=utla Apr 22 11:36:32 
2018^^timezone=CET^^action=Blocked^^reason=failure^^hostname=dolo6418.internal.host^^protocol=ipv6-icmp^^serverip=10.190.42.245^^url=https://mail.example.org/caecat/uel.html?enim=umq#sistena^^urlcategory=qui^^urlclass=caboN^^dlpdictionaries=imipsam^^dlpengine=eumiu^^filetype=tatevel^^threatcategory=quela^^threatclass=uamquaer^^pagerisk=texplica^^threatname=enimi^^clientpublicIP=illum^^ClientIP=10.220.1.249^^location=iqu^^refererURL=https://api.example.org/eumfugia/reeufugi.gif?uredol=uptat#toditau^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=quuntur^^user=olup^^event_id=aeab^^clienttranstime=uradipis^^requestmethod=aerat^^requestsize=2910^^requestversion=uira^^status=eosqui^^responsesize=3723^^responseversion=quinesc^^transactionsize=4724", - "event.timezone": "CET", - "file.type": "tatevel", - "fileset.name": "zia", - "host.name": "dolo6418.internal.host", - "http.request.referrer": "https://api.example.org/eumfugia/reeufugi.gif?uredol=uptat#toditau", - "input.type": "log", - "log.offset": 51742, - "network.bytes": 4724, - "network.protocol": "ipv6-icmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "dolo6418.internal.host" - ], - "related.ip": [ - "10.190.42.245", - "10.220.1.249" - ], - "related.user": [ - "olup" - ], - "rsa.db.index": "caboN", - "rsa.identity.user_dept": "quuntur", - "rsa.internal.data": "umfu", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "uamquaer", - "rsa.misc.action": [ - "Blocked", - "aerat" - ], - "rsa.misc.category": "quela", - "rsa.misc.filter": "qui", - "rsa.misc.reference_id": "aeab", - "rsa.misc.result": "failure", - "rsa.misc.result_code": "eosqui", - "rsa.network.alias_host": [ - "dolo6418.internal.host" - ], - 
"rsa.threat.threat_category": "enimi", - "rsa.time.event_time": "2018-04-22T13:36:32.000Z", - "rsa.time.timezone": "CET", - "rsa.web.fqdn": "dolo6418.internal.host", - "service.type": "zscaler", - "source.bytes": 2910, - "source.ip": "10.220.1.249", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "mail.example.org", - "url.extension": "html", - "url.fragment": "sistena", - "url.original": "https://mail.example.org/caecat/uel.html?enim=umq#sistena", - "url.path": "/caecat/uel.html", - "url.query": "enim=umq", - "url.scheme": "https", - "user.name": "olup", - "user_agent.device.name": "Generic Smartphone", - "user_agent.name": "Opera Mini", - "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", - "user_agent.os.name": "Symbian OS", - "user_agent.version": "7.1.32444" - }, - { - "@timestamp": "2018-05-07T08:39:06.000Z", - "destination.bytes": 363, - "destination.ip": "10.112.190.154", - "event.action": "Allowed", - "event.code": "lab", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "aliqu ZSCALERNSS: time=sequine May 7 6:39:06 2018^^timezone=GMT-07:00^^action=Allowed^^reason=unknown^^hostname=imveni193.www5.host^^protocol=udp^^serverip=10.112.190.154^^url=https://mail.example.com/runtmoll/busBon.txt?ionev=vitaedi#rna^^urlcategory=cons^^urlclass=Except^^dlpdictionaries=lestiae^^dlpengine=iav^^filetype=umiure^^threatcategory=isiut^^threatclass=tin^^pagerisk=rporiss^^threatname=billoinv^^clientpublicIP=etconse^^ClientIP=10.55.38.153^^location=quido^^refererURL=https://example.org/uames/tla.gif?rch=psa#nreprehe^^useragent=Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 
XiaoMi/MiuiBrowser/12.2.3-g^^department=tvolup^^user=oremeu^^event_id=lab^^clienttranstime=lla^^requestmethod=urau^^requestsize=6127^^requestversion=upt^^status=equamni^^responsesize=363^^responseversion=eroi^^transactionsize=916", - "event.timezone": "GMT-07:00", - "file.type": "umiure", - "fileset.name": "zia", - "host.name": "imveni193.www5.host", - "http.request.referrer": "https://example.org/uames/tla.gif?rch=psa#nreprehe", - "input.type": "log", - "log.offset": 52602, - "network.bytes": 916, - "network.protocol": "udp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "imveni193.www5.host" - ], - "related.ip": [ - "10.112.190.154", - "10.55.38.153" - ], - "related.user": [ - "oremeu" - ], - "rsa.db.index": "Except", - "rsa.identity.user_dept": "tvolup", - "rsa.internal.data": "aliqu", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "tin", - "rsa.misc.action": [ - "Allowed", - "urau" - ], - "rsa.misc.category": "isiut", - "rsa.misc.filter": "cons", - "rsa.misc.reference_id": "lab", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "equamni", - "rsa.network.alias_host": [ - "imveni193.www5.host" - ], - "rsa.threat.threat_category": "billoinv", - "rsa.time.event_time": "2018-05-07T08:39:06.000Z", - "rsa.time.timezone": "GMT-07:00", - "rsa.web.fqdn": "imveni193.www5.host", - "service.type": "zscaler", - "source.bytes": 6127, - "source.ip": "10.55.38.153", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "mail.example.com", - "url.extension": "txt", - "url.fragment": "rna", - "url.original": "https://mail.example.com/runtmoll/busBon.txt?ionev=vitaedi#rna", - "url.path": "/runtmoll/busBon.txt", - "url.query": "ionev=vitaedi", - "url.scheme": "https", - "user.name": "oremeu", - 
"user_agent.device.name": "XiaoMi Redmi 4X", - "user_agent.name": "MiuiBrowser", - "user_agent.original": "Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g", - "user_agent.os.full": "Android 7.1.2", - "user_agent.os.name": "Android", - "user_agent.os.version": "7.1.2", - "user_agent.version": "12.2.3" - }, - { - "@timestamp": "2018-05-21T03:41:41.000Z", - "destination.bytes": 6578, - "destination.ip": "10.195.153.42", - "event.action": "Allowed", - "event.code": "rsit", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "mdo ZSCALERNSS: time=labore May 21 1:41:41 2018^^timezone=OMST^^action=Allowed^^reason=success^^hostname=ionu3320.api.localhost^^protocol=igmp^^serverip=10.195.153.42^^url=https://api.example.com/lits/tvolu.jpg?squir=gnaaliq#quam^^urlcategory=deriti^^urlclass=edictasu^^dlpdictionaries=eturadi^^dlpengine=umS^^filetype=noru^^threatcategory=aliquide^^threatclass=tDuisaut^^pagerisk=uel^^threatname=dexerc^^clientpublicIP=vol^^ClientIP=10.250.48.82^^location=iqu^^refererURL=https://api.example.com/quuntur/nihi.gif?oremagna=aqu#utemvele^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=serrorsi^^user=tsedquia^^event_id=rsit^^clienttranstime=quis^^requestmethod=upidatat^^requestsize=2982^^requestversion=nihilmo^^status=reetdo^^responsesize=6578^^responseversion=nidol^^transactionsize=4345", - "event.timezone": "OMST", - "file.type": "noru", - "fileset.name": "zia", - "host.name": "ionu3320.api.localhost", - "http.request.referrer": "https://api.example.com/quuntur/nihi.gif?oremagna=aqu#utemvele", - "input.type": "log", - "log.offset": 53539, - "network.bytes": 4345, - "network.protocol": "igmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - 
"related.hosts": [ - "ionu3320.api.localhost" - ], - "related.ip": [ - "10.195.153.42", - "10.250.48.82" - ], - "related.user": [ - "tsedquia" - ], - "rsa.db.index": "edictasu", - "rsa.identity.user_dept": "serrorsi", - "rsa.internal.data": "mdo", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "tDuisaut", - "rsa.misc.action": [ - "Allowed", - "upidatat" - ], - "rsa.misc.category": "aliquide", - "rsa.misc.filter": "deriti", - "rsa.misc.reference_id": "rsit", - "rsa.misc.result": "success", - "rsa.misc.result_code": "reetdo", - "rsa.network.alias_host": [ - "ionu3320.api.localhost" - ], - "rsa.threat.threat_category": "dexerc", - "rsa.time.event_time": "2018-05-21T03:41:41.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.fqdn": "ionu3320.api.localhost", - "service.type": "zscaler", - "source.bytes": 2982, - "source.ip": "10.250.48.82", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "api.example.com", - "url.extension": "jpg", - "url.fragment": "quam", - "url.original": "https://api.example.com/lits/tvolu.jpg?squir=gnaaliq#quam", - "url.path": "/lits/tvolu.jpg", - "url.query": "squir=gnaaliq", - "url.scheme": "https", - "user.name": "tsedquia", - "user_agent.device.name": "G8142", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2018-06-04T10:44:15.000Z", - "destination.bytes": 501, - "destination.ip": "10.252.164.230", - "event.action": "Blocked", - "event.code": "iumtota", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "hite ZSCALERNSS: time=umfugi 
Jun 4 8:44:15 2018^^timezone=CT^^action=Blocked^^reason=unknown^^hostname=remips1499.www.local^^protocol=ipv6^^serverip=10.252.164.230^^url=https://mail.example.net/loremi/queporro.jpg?ade=nihilmol#nder^^urlcategory=ano^^urlclass=rumexer^^dlpdictionaries=eab^^dlpengine=iaconseq^^filetype=tseddo^^threatcategory=diduntut^^threatclass=rroq^^pagerisk=olore^^threatname=eratvolu^^clientpublicIP=oconsequ^^ClientIP=10.60.52.219^^location=untNeq^^refererURL=https://internal.example.org/scipit/litess.jpg?ide=quunturm#quovo^^useragent=mobmail android 2.1.3.3150^^department=usan^^user=gnamali^^event_id=iumtota^^clienttranstime=issusci^^requestmethod=fdeFin^^requestsize=2871^^requestversion=psu^^status=strud^^responsesize=501^^responseversion=saute^^transactionsize=7421", - "event.timezone": "CT", - "file.type": "tseddo", - "fileset.name": "zia", - "host.name": "remips1499.www.local", - "http.request.referrer": "https://internal.example.org/scipit/litess.jpg?ide=quunturm#quovo", - "input.type": "log", - "log.offset": 54422, - "network.bytes": 7421, - "network.protocol": "ipv6", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "remips1499.www.local" - ], - "related.ip": [ - "10.252.164.230", - "10.60.52.219" - ], - "related.user": [ - "gnamali" - ], - "rsa.db.index": "rumexer", - "rsa.identity.user_dept": "usan", - "rsa.internal.data": "hite", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "rroq", - "rsa.misc.action": [ - "Blocked", - "fdeFin" - ], - "rsa.misc.category": "diduntut", - "rsa.misc.filter": "ano", - "rsa.misc.reference_id": "iumtota", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "strud", - "rsa.network.alias_host": [ - "remips1499.www.local" - ], - "rsa.threat.threat_category": "eratvolu", - 
"rsa.time.event_time": "2018-06-04T10:44:15.000Z", - "rsa.time.timezone": "CT", - "rsa.web.fqdn": "remips1499.www.local", - "service.type": "zscaler", - "source.bytes": 2871, - "source.ip": "10.60.52.219", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "mail.example.net", - "url.extension": "jpg", - "url.fragment": "nder", - "url.original": "https://mail.example.net/loremi/queporro.jpg?ade=nihilmol#nder", - "url.path": "/loremi/queporro.jpg", - "url.query": "ade=nihilmol", - "url.scheme": "https", - "user.name": "gnamali", - "user_agent.device.name": "Other", - "user_agent.name": "Other", - "user_agent.original": "mobmail android 2.1.3.3150" - }, - { - "@timestamp": "2018-06-19T05:46:49.000Z", - "destination.bytes": 3365, - "destination.ip": "10.187.16.73", - "event.action": "Allowed", - "event.code": "ptate", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "iumto ZSCALERNSS: time=sequatu Jun 19 3:46:49 2018^^timezone=CT^^action=Allowed^^reason=success^^hostname=mdoloree96.domain^^protocol=ggp^^serverip=10.187.16.73^^url=https://api.example.com/nge/psum.gif?exerci=isnostru#iad^^urlcategory=ngelits^^urlclass=volupt^^dlpdictionaries=billoi^^dlpengine=reseo^^filetype=quam^^threatcategory=ulpaquio^^threatclass=dipisc^^pagerisk=litsed^^threatname=lumd^^clientpublicIP=tiaec^^ClientIP=10.122.102.156^^location=totamr^^refererURL=https://mail.example.org/aper/entor.txt?lumdol=edutper#utemve^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=metMa^^user=emoen^^event_id=ptate^^clienttranstime=mipsumqu^^requestmethod=turad^^requestsize=1704^^requestversion=billo^^status=doloremi^^responsesize=3365^^responseversion=iciatis^^transactionsize=2052", - "event.timezone": "CT", - "file.type": "quam", - "fileset.name": "zia", - "host.name": "mdoloree96.domain", - "http.request.referrer": 
"https://mail.example.org/aper/entor.txt?lumdol=edutper#utemve", - "input.type": "log", - "log.offset": 55219, - "network.bytes": 2052, - "network.protocol": "ggp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "mdoloree96.domain" - ], - "related.ip": [ - "10.122.102.156", - "10.187.16.73" - ], - "related.user": [ - "emoen" - ], - "rsa.db.index": "volupt", - "rsa.identity.user_dept": "metMa", - "rsa.internal.data": "iumto", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "dipisc", - "rsa.misc.action": [ - "Allowed", - "turad" - ], - "rsa.misc.category": "ulpaquio", - "rsa.misc.filter": "ngelits", - "rsa.misc.reference_id": "ptate", - "rsa.misc.result": "success", - "rsa.misc.result_code": "doloremi", - "rsa.network.alias_host": [ - "mdoloree96.domain" - ], - "rsa.threat.threat_category": "lumd", - "rsa.time.event_time": "2018-06-19T05:46:49.000Z", - "rsa.time.timezone": "CT", - "rsa.web.fqdn": "mdoloree96.domain", - "service.type": "zscaler", - "source.bytes": 1704, - "source.ip": "10.122.102.156", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "api.example.com", - "url.extension": "gif", - "url.fragment": "iad", - "url.original": "https://api.example.com/nge/psum.gif?exerci=isnostru#iad", - "url.path": "/nge/psum.gif", - "url.query": "exerci=isnostru", - "url.scheme": "https", - "user.name": "emoen", - "user_agent.device.name": "ZTE BLADE V7", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": 
"2018-07-03T12:49:23.000Z", - "destination.bytes": 2104, - "destination.ip": "10.120.215.174", - "event.action": "Allowed", - "event.code": "ntexplic", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "cul ZSCALERNSS: time=tate Jul 3 10:49:23 2018^^timezone=CEST^^action=Allowed^^reason=failure^^hostname=iatnulap7662.internal.local^^protocol=igmp^^serverip=10.120.215.174^^url=https://internal.example.org/ddoeiusm/apa.txt?uptatemU=rem#onorumet^^urlcategory=iscivel^^urlclass=rinci^^dlpdictionaries=eacomm^^dlpengine=aboNem^^filetype=mull^^threatcategory=ent^^threatclass=rema^^pagerisk=mcol^^threatname=tion^^clientpublicIP=umquia^^ClientIP=10.248.108.55^^location=itation^^refererURL=https://internal.example.org/tat/uredo.html?essequam=imav#mtot^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=tionemu^^user=prehend^^event_id=ntexplic^^clienttranstime=rvelillu^^requestmethod=uatDu^^requestsize=4620^^requestversion=isu^^status=moll^^responsesize=2104^^responseversion=ota^^transactionsize=4562", - "event.timezone": "CEST", - "file.type": "mull", - "fileset.name": "zia", - "host.name": "iatnulap7662.internal.local", - "http.request.referrer": "https://internal.example.org/tat/uredo.html?essequam=imav#mtot", - "input.type": "log", - "log.offset": 56107, - "network.bytes": 4562, - "network.protocol": "igmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "iatnulap7662.internal.local" - ], - "related.ip": [ - "10.120.215.174", - "10.248.108.55" - ], - "related.user": [ - "prehend" - ], - "rsa.db.index": "rinci", - "rsa.identity.user_dept": "tionemu", - "rsa.internal.data": "cul", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "rema", - 
"rsa.misc.action": [ - "Allowed", - "uatDu" - ], - "rsa.misc.category": "ent", - "rsa.misc.filter": "iscivel", - "rsa.misc.reference_id": "ntexplic", - "rsa.misc.result": "failure", - "rsa.misc.result_code": "moll", - "rsa.network.alias_host": [ - "iatnulap7662.internal.local" - ], - "rsa.threat.threat_category": "tion", - "rsa.time.event_time": "2018-07-03T12:49:23.000Z", - "rsa.time.timezone": "CEST", - "rsa.web.fqdn": "iatnulap7662.internal.local", - "service.type": "zscaler", - "source.bytes": 4620, - "source.ip": "10.248.108.55", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "internal.example.org", - "url.extension": "txt", - "url.fragment": "onorumet", - "url.original": "https://internal.example.org/ddoeiusm/apa.txt?uptatemU=rem#onorumet", - "url.path": "/ddoeiusm/apa.txt", - "url.query": "uptatemU=rem", - "url.scheme": "https", - "user.name": "prehend", - "user_agent.device.name": "Generic Smartphone", - "user_agent.name": "Opera Mini", - "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", - "user_agent.os.name": "Symbian OS", - "user_agent.version": "7.1.32444" - }, - { - "@timestamp": "2018-07-17T07:51:58.000Z", - "destination.bytes": 5410, - "destination.ip": "10.51.161.245", - "event.action": "Allowed", - "event.code": "suntex", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "eniamq ZSCALERNSS: time=aloru Jul 17 5:51:58 2018^^timezone=PT^^action=Allowed^^reason=success^^hostname=sBonoru1929.example^^protocol=ggp^^serverip=10.51.161.245^^url=https://www5.example.net/yCice/uinesci.htm?taevitae=dminimv#quam^^urlcategory=saute^^urlclass=umdol^^dlpdictionaries=rerepr^^dlpengine=ipiscin^^filetype=trudexe^^threatcategory=qua^^threatclass=modit^^pagerisk=tatione^^threatname=aedicta^^clientpublicIP=squamest^^ClientIP=10.15.254.181^^location=emipsum^^refererURL=https://example.com/eFini/atDuisa.jpg?mips=dolo#reeufu^^useragent=Mozilla/5.0 (Linux; 
Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61^^department=adipis^^user=abo^^event_id=suntex^^clienttranstime=uptatema^^requestmethod=uteiru^^requestsize=4600^^requestversion=Cicero^^status=ven^^responsesize=5410^^responseversion=ficia^^transactionsize=7526", - "event.timezone": "PT", - "file.type": "trudexe", - "fileset.name": "zia", - "host.name": "sBonoru1929.example", - "http.request.referrer": "https://example.com/eFini/atDuisa.jpg?mips=dolo#reeufu", - "input.type": "log", - "log.offset": 56969, - "network.bytes": 7526, - "network.protocol": "ggp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "sBonoru1929.example" - ], - "related.ip": [ - "10.15.254.181", - "10.51.161.245" - ], - "related.user": [ - "abo" - ], - "rsa.db.index": "umdol", - "rsa.identity.user_dept": "adipis", - "rsa.internal.data": "eniamq", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "modit", - "rsa.misc.action": [ - "Allowed", - "uteiru" - ], - "rsa.misc.category": "qua", - "rsa.misc.filter": "saute", - "rsa.misc.reference_id": "suntex", - "rsa.misc.result": "success", - "rsa.misc.result_code": "ven", - "rsa.network.alias_host": [ - "sBonoru1929.example" - ], - "rsa.threat.threat_category": "aedicta", - "rsa.time.event_time": "2018-07-17T07:51:58.000Z", - "rsa.time.timezone": "PT", - "rsa.web.fqdn": "sBonoru1929.example", - "service.type": "zscaler", - "source.bytes": 4600, - "source.ip": "10.15.254.181", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "www5.example.net", - "url.extension": "htm", - "url.fragment": "quam", - "url.original": "https://www5.example.net/yCice/uinesci.htm?taevitae=dminimv#quam", - 
"url.path": "/yCice/uinesci.htm", - "url.query": "taevitae=dminimv", - "url.scheme": "https", - "user.name": "abo", - "user_agent.device.name": "5024D_RU", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "77.0.3865.92" - }, - { - "@timestamp": "2018-08-01T14:54:32.000Z", - "destination.bytes": 6628, - "destination.ip": "10.7.152.238", - "event.action": "Blocked", - "event.code": "scipi", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "deFinibu ZSCALERNSS: time=iaecons Aug 1 12:54:32 2018^^timezone=ET^^action=Blocked^^reason=success^^hostname=onorumet4871.lan^^protocol=ipv6^^serverip=10.7.152.238^^url=https://api.example.com/itinvolu/adeserun.txt?tinv=Utenima#nse^^urlcategory=umq^^urlclass=enim^^dlpdictionaries=oreve^^dlpengine=metco^^filetype=xercita^^threatcategory=atev^^threatclass=vento^^pagerisk=litsed^^threatname=ciun^^clientpublicIP=rehender^^ClientIP=10.129.66.196^^location=mmodicon^^refererURL=https://api.example.com/tqu/emips.gif?tinvolu=ptat#amquisn^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=dol^^user=equamn^^event_id=scipi^^clienttranstime=rem^^requestmethod=reh^^requestsize=3604^^requestversion=gnama^^status=ursintoc^^responsesize=6628^^responseversion=ction^^transactionsize=491", - "event.timezone": "ET", - "file.type": "xercita", - "fileset.name": "zia", - "host.name": "onorumet4871.lan", - "http.request.referrer": "https://api.example.com/tqu/emips.gif?tinvolu=ptat#amquisn", - "input.type": "log", - "log.offset": 
57916, - "network.bytes": 491, - "network.protocol": "ipv6", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "onorumet4871.lan" - ], - "related.ip": [ - "10.129.66.196", - "10.7.152.238" - ], - "related.user": [ - "equamn" - ], - "rsa.db.index": "enim", - "rsa.identity.user_dept": "dol", - "rsa.internal.data": "deFinibu", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "vento", - "rsa.misc.action": [ - "Blocked", - "reh" - ], - "rsa.misc.category": "atev", - "rsa.misc.filter": "umq", - "rsa.misc.reference_id": "scipi", - "rsa.misc.result": "success", - "rsa.misc.result_code": "ursintoc", - "rsa.network.alias_host": [ - "onorumet4871.lan" - ], - "rsa.threat.threat_category": "ciun", - "rsa.time.event_time": "2018-08-01T14:54:32.000Z", - "rsa.time.timezone": "ET", - "rsa.web.fqdn": "onorumet4871.lan", - "service.type": "zscaler", - "source.bytes": 3604, - "source.ip": "10.129.66.196", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "api.example.com", - "url.extension": "txt", - "url.fragment": "nse", - "url.original": "https://api.example.com/itinvolu/adeserun.txt?tinv=Utenima#nse", - "url.path": "/itinvolu/adeserun.txt", - "url.query": "tinv=Utenima", - "url.scheme": "https", - "user.name": "equamn", - "user_agent.device.name": "ZTE Blade V1000RU", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2018-08-15T09:57:06.000Z", - 
"destination.bytes": 4116, - "destination.ip": "10.29.162.157", - "event.action": "Blocked", - "event.code": "remquela", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "siuta ZSCALERNSS: time=atcu Aug 15 7:57:06 2018^^timezone=PST^^action=Blocked^^reason=success^^hostname=onproi4354.www5.invalid^^protocol=ggp^^serverip=10.29.162.157^^url=https://www.example.org/sci/isquames.gif?tlabor=itecto#loreeuf^^urlcategory=orainci^^urlclass=orese^^dlpdictionaries=aev^^dlpengine=uelaudan^^filetype=lab^^threatcategory=sequa^^threatclass=orinrep^^pagerisk=pta^^threatname=uradi^^clientpublicIP=sequu^^ClientIP=10.185.107.27^^location=susc^^refererURL=https://www.example.org/eatae/siutali.html?quelauda=rcit#dolo^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=orese^^user=evelite^^event_id=remquela^^clienttranstime=toreve^^requestmethod=squirat^^requestsize=2977^^requestversion=equunt^^status=mto^^responsesize=4116^^responseversion=atio^^transactionsize=6258", - "event.timezone": "PST", - "file.type": "lab", - "fileset.name": "zia", - "host.name": "onproi4354.www5.invalid", - "http.request.referrer": "https://www.example.org/eatae/siutali.html?quelauda=rcit#dolo", - "input.type": "log", - "log.offset": 58862, - "network.bytes": 6258, - "network.protocol": "ggp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "onproi4354.www5.invalid" - ], - "related.ip": [ - "10.185.107.27", - "10.29.162.157" - ], - "related.user": [ - "evelite" - ], - "rsa.db.index": "orese", - "rsa.identity.user_dept": "orese", - "rsa.internal.data": "siuta", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - 
"rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "orinrep", - "rsa.misc.action": [ - "Blocked", - "squirat" - ], - "rsa.misc.category": "sequa", - "rsa.misc.filter": "orainci", - "rsa.misc.reference_id": "remquela", - "rsa.misc.result": "success", - "rsa.misc.result_code": "mto", - "rsa.network.alias_host": [ - "onproi4354.www5.invalid" - ], - "rsa.threat.threat_category": "uradi", - "rsa.time.event_time": "2018-08-15T09:57:06.000Z", - "rsa.time.timezone": "PST", - "rsa.web.fqdn": "onproi4354.www5.invalid", - "service.type": "zscaler", - "source.bytes": 2977, - "source.ip": "10.185.107.27", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "www.example.org", - "url.extension": "gif", - "url.fragment": "loreeuf", - "url.original": "https://www.example.org/sci/isquames.gif?tlabor=itecto#loreeuf", - "url.path": "/sci/isquames.gif", - "url.query": "tlabor=itecto", - "url.scheme": "https", - "user.name": "evelite", - "user_agent.device.name": "iPhone", - "user_agent.name": "Facebook", - "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", - "user_agent.os.full": "iOS 13.4.1", - "user_agent.os.name": "iOS", - "user_agent.os.version": "13.4.1", - "user_agent.version": "266.0.0" - }, - { - "@timestamp": "2018-08-29T04:59:40.000Z", - "destination.bytes": 1926, - "destination.ip": "10.215.63.248", - "event.action": "Blocked", - "event.code": "dantium", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "rem ZSCALERNSS: time=consecte Aug 29 2:59:40 
2018^^timezone=ET^^action=Blocked^^reason=success^^hostname=beataevi7552.api.test^^protocol=ipv6^^serverip=10.215.63.248^^url=https://mail.example.org/umdolo/nimv.htm?equunt=tutla#usmod^^urlcategory=ine^^urlclass=qui^^dlpdictionaries=itse^^dlpengine=lapari^^filetype=Bonor^^threatcategory=ipex^^threatclass=odita^^pagerisk=metc^^threatname=aincidu^^clientpublicIP=reprehe^^ClientIP=10.138.0.214^^location=uisaut^^refererURL=https://internal.example.org/ommodic/mmodic.txt?esse=nihi#xeaco^^useragent=Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61^^department=uianonn^^user=eavolupt^^event_id=dantium^^clienttranstime=ors^^requestmethod=dqu^^requestsize=6682^^requestversion=edi^^status=eumiure^^responsesize=1926^^responseversion=eacomm^^transactionsize=2676", - "event.timezone": "ET", - "file.type": "Bonor", - "fileset.name": "zia", - "host.name": "beataevi7552.api.test", - "http.request.referrer": "https://internal.example.org/ommodic/mmodic.txt?esse=nihi#xeaco", - "input.type": "log", - "log.offset": 59899, - "network.bytes": 2676, - "network.protocol": "ipv6", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "beataevi7552.api.test" - ], - "related.ip": [ - "10.138.0.214", - "10.215.63.248" - ], - "related.user": [ - "eavolupt" - ], - "rsa.db.index": "qui", - "rsa.identity.user_dept": "uianonn", - "rsa.internal.data": "rem", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "odita", - "rsa.misc.action": [ - "Blocked", - "dqu" - ], - "rsa.misc.category": "ipex", - "rsa.misc.filter": "ine", - "rsa.misc.reference_id": "dantium", - "rsa.misc.result": "success", - "rsa.misc.result_code": "eumiure", - 
"rsa.network.alias_host": [ - "beataevi7552.api.test" - ], - "rsa.threat.threat_category": "aincidu", - "rsa.time.event_time": "2018-08-29T04:59:40.000Z", - "rsa.time.timezone": "ET", - "rsa.web.fqdn": "beataevi7552.api.test", - "service.type": "zscaler", - "source.bytes": 6682, - "source.ip": "10.138.0.214", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "mail.example.org", - "url.extension": "htm", - "url.fragment": "usmod", - "url.original": "https://mail.example.org/umdolo/nimv.htm?equunt=tutla#usmod", - "url.path": "/umdolo/nimv.htm", - "url.query": "equunt=tutla", - "url.scheme": "https", - "user.name": "eavolupt", - "user_agent.device.name": "5024D_RU", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "77.0.3865.92" - }, - { - "@timestamp": "2018-09-12T12:02:15.000Z", - "destination.bytes": 6315, - "destination.ip": "10.26.115.88", - "event.action": "Allowed", - "event.code": "edictas", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "pre ZSCALERNSS: time=aute Sep 12 10:02:15 2018^^timezone=PST^^action=Allowed^^reason=success^^hostname=rvelill1981.www.invalid^^protocol=udp^^serverip=10.26.115.88^^url=https://mail.example.net/tvol/ostru.htm?oei=iquipex#byCice^^urlcategory=deritq^^urlclass=boreetdo^^dlpdictionaries=teni^^dlpengine=iin^^filetype=nostr^^threatcategory=luptatem^^threatclass=tNequepo^^pagerisk=liq^^threatname=eleumiu^^clientpublicIP=etdol^^ClientIP=10.12.130.224^^location=magnido^^refererURL=https://www.example.org/dolor/ing.jpg?umdo=aer#quela^^useragent=Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 
Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=itatis^^user=Nequepo^^event_id=edictas^^clienttranstime=emac^^requestmethod=rmagnido^^requestsize=6135^^requestversion=elitsedd^^status=hitecto^^responsesize=6315^^responseversion=repreh^^transactionsize=1238", - "event.timezone": "PST", - "file.type": "nostr", - "fileset.name": "zia", - "host.name": "rvelill1981.www.invalid", - "http.request.referrer": "https://www.example.org/dolor/ing.jpg?umdo=aer#quela", - "input.type": "log", - "log.offset": 60840, - "network.bytes": 1238, - "network.protocol": "udp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "rvelill1981.www.invalid" - ], - "related.ip": [ - "10.12.130.224", - "10.26.115.88" - ], - "related.user": [ - "Nequepo" - ], - "rsa.db.index": "boreetdo", - "rsa.identity.user_dept": "itatis", - "rsa.internal.data": "pre", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "tNequepo", - "rsa.misc.action": [ - "Allowed", - "rmagnido" - ], - "rsa.misc.category": "luptatem", - "rsa.misc.filter": "deritq", - "rsa.misc.reference_id": "edictas", - "rsa.misc.result": "success", - "rsa.misc.result_code": "hitecto", - "rsa.network.alias_host": [ - "rvelill1981.www.invalid" - ], - "rsa.threat.threat_category": "eleumiu", - "rsa.time.event_time": "2018-09-12T12:02:15.000Z", - "rsa.time.timezone": "PST", - "rsa.web.fqdn": "rvelill1981.www.invalid", - "service.type": "zscaler", - "source.bytes": 6135, - "source.ip": "10.12.130.224", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "mail.example.net", - "url.extension": "htm", - "url.fragment": "byCice", - "url.original": "https://mail.example.net/tvol/ostru.htm?oei=iquipex#byCice", - "url.path": "/tvol/ostru.htm", - "url.query": "oei=iquipex", - 
"url.scheme": "https", - "user.name": "Nequepo", - "user_agent.device.name": "STK-L21", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2018-09-27T07:04:49.000Z", - "destination.bytes": 1508, - "destination.ip": "10.193.152.42", - "event.action": "Blocked", - "event.code": "nost", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "usan ZSCALERNSS: time=ugiatn Sep 27 5:04:49 2018^^timezone=GMT+02:00^^action=Blocked^^reason=failure^^hostname=quia7214.example^^protocol=igmp^^serverip=10.193.152.42^^url=https://mail.example.org/pariatur/cita.html?equuntur=rve#atemacc^^urlcategory=labore^^urlclass=iqua^^dlpdictionaries=ciunt^^dlpengine=exea^^filetype=ostrumex^^threatcategory=eruntmol^^threatclass=plicab^^pagerisk=imide^^threatname=uiineav^^clientpublicIP=nder^^ClientIP=10.91.20.27^^location=asia^^refererURL=https://api.example.com/psamvolu/teturad.jpg?iavol=psumdol#urautodi^^useragent=Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36^^department=modtempo^^user=edict^^event_id=nost^^clienttranstime=orisnis^^requestmethod=umq^^requestsize=2801^^requestversion=quatur^^status=isiutali^^responsesize=1508^^responseversion=emquel^^transactionsize=365", - "event.timezone": "GMT+02:00", - "file.type": "ostrumex", - "fileset.name": "zia", - "host.name": "quia7214.example", - "http.request.referrer": "https://api.example.com/psamvolu/teturad.jpg?iavol=psumdol#urautodi", - "input.type": "log", - "log.offset": 61785, - "network.bytes": 365, - "network.protocol": "igmp", - "observer.product": "Internet", 
- "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "quia7214.example" - ], - "related.ip": [ - "10.193.152.42", - "10.91.20.27" - ], - "related.user": [ - "edict" - ], - "rsa.db.index": "iqua", - "rsa.identity.user_dept": "modtempo", - "rsa.internal.data": "usan", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "plicab", - "rsa.misc.action": [ - "Blocked", - "umq" - ], - "rsa.misc.category": "eruntmol", - "rsa.misc.filter": "labore", - "rsa.misc.reference_id": "nost", - "rsa.misc.result": "failure", - "rsa.misc.result_code": "isiutali", - "rsa.network.alias_host": [ - "quia7214.example" - ], - "rsa.threat.threat_category": "uiineav", - "rsa.time.event_time": "2018-09-27T07:04:49.000Z", - "rsa.time.timezone": "GMT+02:00", - "rsa.web.fqdn": "quia7214.example", - "service.type": "zscaler", - "source.bytes": 2801, - "source.ip": "10.91.20.27", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "mail.example.org", - "url.extension": "html", - "url.fragment": "atemacc", - "url.original": "https://mail.example.org/pariatur/cita.html?equuntur=rve#atemacc", - "url.path": "/pariatur/cita.html", - "url.query": "equuntur=rve", - "url.scheme": "https", - "user.name": "edict", - "user_agent.device.name": "QMobile X700 PRO II", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "77.0.3865.92" - }, - { - "@timestamp": "2018-10-11T14:07:23.000Z", - "destination.bytes": 7120, - "destination.ip": "10.146.69.38", - "event.action": "Allowed", - "event.code": "Exce", - "event.dataset": 
"zscaler.zia", - "event.module": "zscaler", - "event.original": "iavol ZSCALERNSS: time=utemvel Oct 11 12:07:23 2018^^timezone=PST^^action=Allowed^^reason=failure^^hostname=aturExc7343.invalid^^protocol=ipv6^^serverip=10.146.69.38^^url=https://example.org/aturE/aaliqu.gif?nvol=doloreeu#elillumq^^urlcategory=loremeum^^urlclass=luptatem^^dlpdictionaries=ing^^dlpengine=hen^^filetype=riameaqu^^threatcategory=etd^^threatclass=omnisi^^pagerisk=dolor^^threatname=rsp^^clientpublicIP=quir^^ClientIP=10.55.192.102^^location=tsuntinc^^refererURL=https://example.org/onproid/ciduntut.html?xer=iat#orain^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=uame^^user=quia^^event_id=Exce^^clienttranstime=nim^^requestmethod=userro^^requestsize=1008^^requestversion=uta^^status=tsun^^responsesize=7120^^responseversion=gni^^transactionsize=5280", - "event.timezone": "PST", - "file.type": "riameaqu", - "fileset.name": "zia", - "host.name": "aturExc7343.invalid", - "http.request.referrer": "https://example.org/onproid/ciduntut.html?xer=iat#orain", - "input.type": "log", - "log.offset": 62693, - "network.bytes": 5280, - "network.protocol": "ipv6", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "aturExc7343.invalid" - ], - "related.ip": [ - "10.146.69.38", - "10.55.192.102" - ], - "related.user": [ - "quia" - ], - "rsa.db.index": "luptatem", - "rsa.identity.user_dept": "uame", - "rsa.internal.data": "iavol", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "omnisi", - "rsa.misc.action": [ - "Allowed", - "userro" - ], - "rsa.misc.category": "etd", - "rsa.misc.filter": "loremeum", - "rsa.misc.reference_id": "Exce", - "rsa.misc.result": 
"failure", - "rsa.misc.result_code": "tsun", - "rsa.network.alias_host": [ - "aturExc7343.invalid" - ], - "rsa.threat.threat_category": "rsp", - "rsa.time.event_time": "2018-10-11T14:07:23.000Z", - "rsa.time.timezone": "PST", - "rsa.web.fqdn": "aturExc7343.invalid", - "service.type": "zscaler", - "source.bytes": 1008, - "source.ip": "10.55.192.102", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "example.org", - "url.extension": "gif", - "url.fragment": "elillumq", - "url.original": "https://example.org/aturE/aaliqu.gif?nvol=doloreeu#elillumq", - "url.path": "/aturE/aaliqu.gif", - "url.query": "nvol=doloreeu", - "url.scheme": "https", - "user.name": "quia", - "user_agent.device.name": "Micromax P410i", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", - "user_agent.os.full": "Android 4.1.2", - "user_agent.os.name": "Android", - "user_agent.os.version": "4.1.2", - "user_agent.version": "63.0.3239.111" - }, - { - "@timestamp": "2018-10-25T09:09:57.000Z", - "destination.bytes": 3291, - "destination.ip": "10.249.1.143", - "event.action": "Allowed", - "event.code": "ntutlab", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "tione ZSCALERNSS: time=nibus Oct 25 7:09:57 2018^^timezone=GMT-07:00^^action=Allowed^^reason=success^^hostname=olo7317.www5.localhost^^protocol=udp^^serverip=10.249.1.143^^url=https://internal.example.org/olorin/orisnisi.gif?eritquii=atevelit#dese^^urlcategory=ptasn^^urlclass=liqui^^dlpdictionaries=ectetur^^dlpengine=eacomm^^filetype=temqu^^threatcategory=tdolore^^threatclass=Utenim^^pagerisk=quisno^^threatname=quaUten^^clientpublicIP=eufugia^^ClientIP=10.124.177.226^^location=iarc^^refererURL=https://www5.example.org/ncidunt/uiac.jpg?luptat=ehend#involupt^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36^^department=tincul^^user=isciveli^^event_id=ntutlab^^clienttranstime=sitamet^^requestmethod=onevo^^requestsize=3736^^requestversion=nsequ^^status=ing^^responsesize=3291^^responseversion=vitaed^^transactionsize=7672", - "event.timezone": "GMT-07:00", - "file.type": "temqu", - "fileset.name": "zia", - "host.name": "olo7317.www5.localhost", - "http.request.referrer": "https://www5.example.org/ncidunt/uiac.jpg?luptat=ehend#involupt", - "input.type": "log", - "log.offset": 63579, - "network.bytes": 7672, - "network.protocol": "udp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "olo7317.www5.localhost" - ], - "related.ip": [ - "10.124.177.226", - "10.249.1.143" - ], - "related.user": [ - "isciveli" - ], - "rsa.db.index": "liqui", - "rsa.identity.user_dept": "tincul", - "rsa.internal.data": "tione", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "Utenim", - "rsa.misc.action": [ - "Allowed", - "onevo" - ], - "rsa.misc.category": "tdolore", - "rsa.misc.filter": "ptasn", - "rsa.misc.reference_id": "ntutlab", - "rsa.misc.result": "success", - "rsa.misc.result_code": "ing", - "rsa.network.alias_host": [ - "olo7317.www5.localhost" - ], - "rsa.threat.threat_category": "quaUten", - "rsa.time.event_time": "2018-10-25T09:09:57.000Z", - "rsa.time.timezone": "GMT-07:00", - "rsa.web.fqdn": "olo7317.www5.localhost", - "service.type": "zscaler", - "source.bytes": 3736, - "source.ip": "10.124.177.226", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "internal.example.org", - "url.extension": "gif", - "url.fragment": "dese", - "url.original": "https://internal.example.org/olorin/orisnisi.gif?eritquii=atevelit#dese", - "url.path": 
"/olorin/orisnisi.gif", - "url.query": "eritquii=atevelit", - "url.scheme": "https", - "user.name": "isciveli", - "user_agent.device.name": "Mac", - "user_agent.name": "Yandex Browser", - "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", - "user_agent.os.full": "Mac OS X 10.15.6", - "user_agent.os.name": "Mac OS X", - "user_agent.os.version": "10.15.6", - "user_agent.version": "20.3.0" - }, - { - "@timestamp": "2018-11-09T04:12:32.000Z", - "destination.bytes": 620, - "destination.ip": "10.167.176.220", - "event.action": "Blocked", - "event.code": "ione", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "modit ZSCALERNSS: time=quamnih Nov 9 2:12:32 2018^^timezone=OMST^^action=Blocked^^reason=failure^^hostname=uiin1342.mail.invalid^^protocol=rdp^^serverip=10.167.176.220^^url=https://example.org/vel/preh.html?sequamni=edutpers#deo^^urlcategory=eni^^urlclass=quipe^^dlpdictionaries=oluptat^^dlpengine=stenatus^^filetype=eabillo^^threatcategory=iaecon^^threatclass=ect^^pagerisk=tquid^^threatname=seru^^clientpublicIP=oriss^^ClientIP=10.146.228.249^^location=psumdolo^^refererURL=https://example.net/bor/magnido.html?emagnaal=nih#ncididu^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=gitsed^^user=estla^^event_id=ione^^clienttranstime=ecillum^^requestmethod=maccu^^requestsize=5298^^requestversion=quisquam^^status=boreet^^responsesize=620^^responseversion=Malorumw^^transactionsize=5212", - "event.timezone": "OMST", - "file.type": "eabillo", - "fileset.name": "zia", - "host.name": "uiin1342.mail.invalid", - "http.request.referrer": 
"https://example.net/bor/magnido.html?emagnaal=nih#ncididu", - "input.type": "log", - "log.offset": 64523, - "network.bytes": 5212, - "network.protocol": "rdp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "uiin1342.mail.invalid" - ], - "related.ip": [ - "10.146.228.249", - "10.167.176.220" - ], - "related.user": [ - "estla" - ], - "rsa.db.index": "quipe", - "rsa.identity.user_dept": "gitsed", - "rsa.internal.data": "modit", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "ect", - "rsa.misc.action": [ - "Blocked", - "maccu" - ], - "rsa.misc.category": "iaecon", - "rsa.misc.filter": "eni", - "rsa.misc.reference_id": "ione", - "rsa.misc.result": "failure", - "rsa.misc.result_code": "boreet", - "rsa.network.alias_host": [ - "uiin1342.mail.invalid" - ], - "rsa.threat.threat_category": "seru", - "rsa.time.event_time": "2018-11-09T04:12:32.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.fqdn": "uiin1342.mail.invalid", - "service.type": "zscaler", - "source.bytes": 5298, - "source.ip": "10.146.228.249", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "example.org", - "url.extension": "html", - "url.fragment": "deo", - "url.original": "https://example.org/vel/preh.html?sequamni=edutpers#deo", - "url.path": "/vel/preh.html", - "url.query": "sequamni=edutpers", - "url.scheme": "https", - "user.name": "estla", - "user_agent.device.name": "iPhone", - "user_agent.name": "Facebook", - "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", - "user_agent.os.full": "iOS 13.4.1", 
- "user_agent.os.name": "iOS", - "user_agent.os.version": "13.4.1", - "user_agent.version": "266.0.0" - }, - { - "@timestamp": "2018-11-23T11:15:06.000Z", - "destination.bytes": 4822, - "destination.ip": "10.200.74.101", - "event.action": "Allowed", - "event.code": "ntmo", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "issu ZSCALERNSS: time=tconsect Nov 23 9:15:06 2018^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=agna5654.www.corp^^protocol=tcp^^serverip=10.200.74.101^^url=https://example.com/nonproi/dolor.jpg?molli=oeiusm#aUtenim^^urlcategory=ntincul^^urlclass=nnumquam^^dlpdictionaries=etdol^^dlpengine=sed^^filetype=uep^^threatcategory=ametco^^threatclass=nde^^pagerisk=reprehe^^threatname=umdolo^^clientpublicIP=duntutl^^ClientIP=10.203.47.23^^location=empor^^refererURL=https://mail.example.net/teveli/utperspi.html?luptate=aturvel#ostrumex^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10^^department=sedquia^^user=litesse^^event_id=ntmo^^clienttranstime=aliqu^^requestmethod=iqu^^requestsize=4429^^requestversion=ationula^^status=doconse^^responsesize=4822^^responseversion=oreeufug^^transactionsize=5020", - "event.timezone": "OMST", - "file.type": "uep", - "fileset.name": "zia", - "host.name": "agna5654.www.corp", - "http.request.referrer": "https://mail.example.net/teveli/utperspi.html?luptate=aturvel#ostrumex", - "input.type": "log", - "log.offset": 65560, - "network.bytes": 5020, - "network.protocol": "tcp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "agna5654.www.corp" - ], - "related.ip": [ - "10.200.74.101", - "10.203.47.23" - ], - "related.user": [ - "litesse" - ], - "rsa.db.index": "nnumquam", - "rsa.identity.user_dept": "sedquia", - "rsa.internal.data": "issu", - 
"rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "nde", - "rsa.misc.action": [ - "Allowed", - "iqu" - ], - "rsa.misc.category": "ametco", - "rsa.misc.filter": "ntincul", - "rsa.misc.reference_id": "ntmo", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "doconse", - "rsa.network.alias_host": [ - "agna5654.www.corp" - ], - "rsa.threat.threat_category": "umdolo", - "rsa.time.event_time": "2018-11-23T11:15:06.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.fqdn": "agna5654.www.corp", - "service.type": "zscaler", - "source.bytes": 4429, - "source.ip": "10.203.47.23", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "example.com", - "url.extension": "jpg", - "url.fragment": "aUtenim", - "url.original": "https://example.com/nonproi/dolor.jpg?molli=oeiusm#aUtenim", - "url.path": "/nonproi/dolor.jpg", - "url.query": "molli=oeiusm", - "url.scheme": "https", - "user.name": "litesse", - "user_agent.device.name": "Samsung SM-A305FN", - "user_agent.name": "YandexSearch", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "8.10" - }, - { - "@timestamp": "2018-12-07T06:17:40.000Z", - "destination.bytes": 4147, - "destination.ip": "10.162.78.48", - "event.action": "Blocked", - "event.code": "tect", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "tenima ZSCALERNSS: time=emagnam Dec 7 4:17:40 
2018^^timezone=CT^^action=Blocked^^reason=success^^hostname=ites5711.internal.host^^protocol=ggp^^serverip=10.162.78.48^^url=https://example.com/sedqui/iuntNe.gif?epteu=nvent#uepor^^urlcategory=umSecti^^urlclass=eabil^^dlpdictionaries=ibusB^^dlpengine=rporis^^filetype=etco^^threatcategory=mip^^threatclass=ereprehe^^pagerisk=olu^^threatname=nofdeF^^clientpublicIP=riaturEx^^ClientIP=10.24.23.209^^location=itautfu^^refererURL=https://internal.example.org/ole/odi.txt?mporain=ectetur#adipisc^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=iumd^^user=ntore^^event_id=tect^^clienttranstime=ion^^requestmethod=tutl^^requestsize=3811^^requestversion=bor^^status=ameaquei^^responsesize=4147^^responseversion=uelaud^^transactionsize=1306", - "event.timezone": "CT", - "file.type": "etco", - "fileset.name": "zia", - "host.name": "ites5711.internal.host", - "http.request.referrer": "https://internal.example.org/ole/odi.txt?mporain=ectetur#adipisc", - "input.type": "log", - "log.offset": 66535, - "network.bytes": 1306, - "network.protocol": "ggp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "ites5711.internal.host" - ], - "related.ip": [ - "10.162.78.48", - "10.24.23.209" - ], - "related.user": [ - "ntore" - ], - "rsa.db.index": "eabil", - "rsa.identity.user_dept": "iumd", - "rsa.internal.data": "tenima", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "ereprehe", - "rsa.misc.action": [ - "Blocked", - "tutl" - ], - "rsa.misc.category": "mip", - "rsa.misc.filter": "umSecti", - "rsa.misc.reference_id": "tect", - "rsa.misc.result": "success", - "rsa.misc.result_code": "ameaquei", - "rsa.network.alias_host": [ - "ites5711.internal.host" - ], - 
"rsa.threat.threat_category": "nofdeF", - "rsa.time.event_time": "2018-12-07T06:17:40.000Z", - "rsa.time.timezone": "CT", - "rsa.web.fqdn": "ites5711.internal.host", - "service.type": "zscaler", - "source.bytes": 3811, - "source.ip": "10.24.23.209", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "example.com", - "url.extension": "gif", - "url.fragment": "uepor", - "url.original": "https://example.com/sedqui/iuntNe.gif?epteu=nvent#uepor", - "url.path": "/sedqui/iuntNe.gif", - "url.query": "epteu=nvent", - "url.scheme": "https", - "user.name": "ntore", - "user_agent.device.name": "U307AS", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2018-12-21T13:20:14.000Z", - "destination.bytes": 1782, - "destination.ip": "10.55.151.53", - "event.action": "Allowed", - "event.code": "commod", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "ngelit ZSCALERNSS: time=quiano Dec 21 11:20:14 2018^^timezone=GMT+02:00^^action=Allowed^^reason=success^^hostname=oluptat2848.api.home^^protocol=igmp^^serverip=10.55.151.53^^url=https://www5.example.net/lits/Nemoen.txt?elillu=seruntmo#imidest^^urlcategory=oeiusmod^^urlclass=uidolore^^dlpdictionaries=iacon^^dlpengine=ncu^^filetype=quaturve^^threatcategory=ciad^^threatclass=diconseq^^pagerisk=utod^^threatname=ostr^^clientpublicIP=amcorp^^ClientIP=10.211.66.68^^location=uptatem^^refererURL=https://mail.example.org/nproide/mali.htm?siutali=mfugi#ceroinBC^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile 
Safari/537.36^^department=maveni^^user=squir^^event_id=commod^^clienttranstime=umqu^^requestmethod=umet^^requestsize=5891^^requestversion=amestqu^^status=aliqua^^responsesize=1782^^responseversion=teirure^^transactionsize=1210", - "event.timezone": "GMT+02:00", - "file.type": "quaturve", - "fileset.name": "zia", - "host.name": "oluptat2848.api.home", - "http.request.referrer": "https://mail.example.org/nproide/mali.htm?siutali=mfugi#ceroinBC", - "input.type": "log", - "log.offset": 67408, - "network.bytes": 1210, - "network.protocol": "igmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "oluptat2848.api.home" - ], - "related.ip": [ - "10.211.66.68", - "10.55.151.53" - ], - "related.user": [ - "squir" - ], - "rsa.db.index": "uidolore", - "rsa.identity.user_dept": "maveni", - "rsa.internal.data": "ngelit", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "diconseq", - "rsa.misc.action": [ - "Allowed", - "umet" - ], - "rsa.misc.category": "ciad", - "rsa.misc.filter": "oeiusmod", - "rsa.misc.reference_id": "commod", - "rsa.misc.result": "success", - "rsa.misc.result_code": "aliqua", - "rsa.network.alias_host": [ - "oluptat2848.api.home" - ], - "rsa.threat.threat_category": "ostr", - "rsa.time.event_time": "2018-12-21T13:20:14.000Z", - "rsa.time.timezone": "GMT+02:00", - "rsa.web.fqdn": "oluptat2848.api.home", - "service.type": "zscaler", - "source.bytes": 5891, - "source.ip": "10.211.66.68", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "www5.example.net", - "url.extension": "txt", - "url.fragment": "imidest", - "url.original": "https://www5.example.net/lits/Nemoen.txt?elillu=seruntmo#imidest", - "url.path": "/lits/Nemoen.txt", - "url.query": "elillu=seruntmo", - "url.scheme": "https", - "user.name": 
"squir", - "user_agent.device.name": "G8142", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2019-01-05T08:22:49.000Z", - "destination.bytes": 409, - "destination.ip": "10.110.16.169", - "event.action": "Blocked", - "event.code": "labori", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "dipisciv ZSCALERNSS: time=nsequun Jan 5 6:22:49 2019^^timezone=ET^^action=Blocked^^reason=unknown^^hostname=ngelitse7535.internal.lan^^protocol=rdp^^serverip=10.110.16.169^^url=https://example.org/eius/evo.jpg?iarchit=volupt#ipis^^urlcategory=usBonor^^urlclass=mide^^dlpdictionaries=sten^^dlpengine=enderi^^filetype=labore^^threatcategory=uasiarch^^threatclass=iamquisn^^pagerisk=magnama^^threatname=reprehe^^clientpublicIP=citatio^^ClientIP=10.209.203.156^^location=esciunt^^refererURL=https://www.example.com/liquide/BCSedut.htm?litani=temse#samvo^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=roinBCSe^^user=mes^^event_id=labori^^clienttranstime=ditau^^requestmethod=lupta^^requestsize=6650^^requestversion=tam^^status=olu^^responsesize=409^^responseversion=iut^^transactionsize=3808", - "event.timezone": "ET", - "file.type": "labore", - "fileset.name": "zia", - "host.name": "ngelitse7535.internal.lan", - "http.request.referrer": "https://www.example.com/liquide/BCSedut.htm?litani=temse#samvo", - "input.type": "log", - "log.offset": 68307, - "network.bytes": 3808, - "network.protocol": "rdp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "ngelitse7535.internal.lan" - ], - 
"related.ip": [ - "10.110.16.169", - "10.209.203.156" - ], - "related.user": [ - "mes" - ], - "rsa.db.index": "mide", - "rsa.identity.user_dept": "roinBCSe", - "rsa.internal.data": "dipisciv", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "iamquisn", - "rsa.misc.action": [ - "Blocked", - "lupta" - ], - "rsa.misc.category": "uasiarch", - "rsa.misc.filter": "usBonor", - "rsa.misc.reference_id": "labori", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "olu", - "rsa.network.alias_host": [ - "ngelitse7535.internal.lan" - ], - "rsa.threat.threat_category": "reprehe", - "rsa.time.event_time": "2019-01-05T08:22:49.000Z", - "rsa.time.timezone": "ET", - "rsa.web.fqdn": "ngelitse7535.internal.lan", - "service.type": "zscaler", - "source.bytes": 6650, - "source.ip": "10.209.203.156", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "example.org", - "url.extension": "jpg", - "url.fragment": "ipis", - "url.original": "https://example.org/eius/evo.jpg?iarchit=volupt#ipis", - "url.path": "/eius/evo.jpg", - "url.query": "iarchit=volupt", - "url.scheme": "https", - "user.name": "mes", - "user_agent.device.name": "G8142", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2019-01-19T03:25:23.000Z", - "destination.bytes": 6822, - "destination.ip": "10.84.9.150", - "event.action": "Allowed", - "event.code": "nsecte", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "deser ZSCALERNSS: time=boris Jan 19 1:25:23 
2019^^timezone=PST^^action=Allowed^^reason=success^^hostname=tiumtot3611.internal.localdomain^^protocol=udp^^serverip=10.84.9.150^^url=https://www5.example.net/equun/veli.gif?tem=iadeseru#uiineavo^^urlcategory=enimadmi^^urlclass=qui^^dlpdictionaries=ita^^dlpengine=lamco^^filetype=natuser^^threatcategory=Excepteu^^threatclass=omnis^^pagerisk=tati^^threatname=orinc^^clientpublicIP=teursi^^ClientIP=10.107.68.114^^location=nofdeFin^^refererURL=https://internal.example.org/ollit/umfug.htm?lumquid=Sectio#tiumdol^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ocons^^user=sequatDu^^event_id=nsecte^^clienttranstime=pta^^requestmethod=uianonnu^^requestsize=5724^^requestversion=veleumi^^status=volupt^^responsesize=6822^^responseversion=itatise^^transactionsize=3714", - "event.timezone": "PST", - "file.type": "natuser", - "fileset.name": "zia", - "host.name": "tiumtot3611.internal.localdomain", - "http.request.referrer": "https://internal.example.org/ollit/umfug.htm?lumquid=Sectio#tiumdol", - "input.type": "log", - "log.offset": 69189, - "network.bytes": 3714, - "network.protocol": "udp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "tiumtot3611.internal.localdomain" - ], - "related.ip": [ - "10.107.68.114", - "10.84.9.150" - ], - "related.user": [ - "sequatDu" - ], - "rsa.db.index": "qui", - "rsa.identity.user_dept": "ocons", - "rsa.internal.data": "deser", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "omnis", - "rsa.misc.action": [ - "Allowed", - "uianonnu" - ], - "rsa.misc.category": "Excepteu", - "rsa.misc.filter": "enimadmi", - "rsa.misc.reference_id": "nsecte", - "rsa.misc.result": "success", - "rsa.misc.result_code": "volupt", 
- "rsa.network.alias_host": [ - "tiumtot3611.internal.localdomain" - ], - "rsa.threat.threat_category": "orinc", - "rsa.time.event_time": "2019-01-19T03:25:23.000Z", - "rsa.time.timezone": "PST", - "rsa.web.fqdn": "tiumtot3611.internal.localdomain", - "service.type": "zscaler", - "source.bytes": 5724, - "source.ip": "10.107.68.114", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "www5.example.net", - "url.extension": "gif", - "url.fragment": "uiineavo", - "url.original": "https://www5.example.net/equun/veli.gif?tem=iadeseru#uiineavo", - "url.path": "/equun/veli.gif", - "url.query": "tem=iadeseru", - "url.scheme": "https", - "user.name": "sequatDu", - "user_agent.device.name": "LG-$2", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2019-02-02T10:27:57.000Z", - "destination.bytes": 4127, - "destination.ip": "10.26.222.144", - "event.action": "Blocked", - "event.code": "sintoc", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "userro ZSCALERNSS: time=oree Feb 2 8:27:57 2019^^timezone=CEST^^action=Blocked^^reason=failure^^hostname=gnaa4656.api.example^^protocol=igmp^^serverip=10.26.222.144^^url=https://internal.example.com/ecatcu/tMalo.txt?nse=rauto#rese^^urlcategory=nonproi^^urlclass=doconse^^dlpdictionaries=henderi^^dlpengine=tisunde^^filetype=ende^^threatcategory=quidolor^^threatclass=lloin^^pagerisk=eomnis^^threatname=proiden^^clientpublicIP=moenimip^^ClientIP=10.124.119.48^^location=atquo^^refererURL=https://www.example.com/ern/ationula.jpg?nsequun=ateveli#aqua^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 
Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10^^department=amn^^user=nre^^event_id=sintoc^^clienttranstime=rinci^^requestmethod=ici^^requestsize=7328^^requestversion=Nequepor^^status=aUten^^responsesize=4127^^responseversion=tatnon^^transactionsize=977", - "event.timezone": "CEST", - "file.type": "ende", - "fileset.name": "zia", - "host.name": "gnaa4656.api.example", - "http.request.referrer": "https://www.example.com/ern/ationula.jpg?nsequun=ateveli#aqua", - "input.type": "log", - "log.offset": 70095, - "network.bytes": 977, - "network.protocol": "igmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "gnaa4656.api.example" - ], - "related.ip": [ - "10.124.119.48", - "10.26.222.144" - ], - "related.user": [ - "nre" - ], - "rsa.db.index": "doconse", - "rsa.identity.user_dept": "amn", - "rsa.internal.data": "userro", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "lloin", - "rsa.misc.action": [ - "Blocked", - "ici" - ], - "rsa.misc.category": "quidolor", - "rsa.misc.filter": "nonproi", - "rsa.misc.reference_id": "sintoc", - "rsa.misc.result": "failure", - "rsa.misc.result_code": "aUten", - "rsa.network.alias_host": [ - "gnaa4656.api.example" - ], - "rsa.threat.threat_category": "proiden", - "rsa.time.event_time": "2019-02-02T10:27:57.000Z", - "rsa.time.timezone": "CEST", - "rsa.web.fqdn": "gnaa4656.api.example", - "service.type": "zscaler", - "source.bytes": 7328, - "source.ip": "10.124.119.48", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "internal.example.com", - "url.extension": "txt", - "url.fragment": "rese", - "url.original": "https://internal.example.com/ecatcu/tMalo.txt?nse=rauto#rese", - "url.path": "/ecatcu/tMalo.txt", - "url.query": "nse=rauto", - "url.scheme": "https", - 
"user.name": "nre", - "user_agent.device.name": "Samsung SM-A305FN", - "user_agent.name": "YandexSearch", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "8.10" - }, - { - "@timestamp": "2019-02-17T05:30:32.000Z", - "destination.bytes": 4382, - "destination.ip": "10.164.190.2", - "event.action": "Allowed", - "event.code": "datatno", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "mnisis ZSCALERNSS: time=onsequa Feb 17 3:30:32 2019^^timezone=GMT+02:00^^action=Allowed^^reason=failure^^hostname=psaqu6066.www5.localhost^^protocol=ipv6-icmp^^serverip=10.164.190.2^^url=https://mail.example.org/ntutlabo/leumiure.htm?eacommo=amqua#tionevol^^urlcategory=itvo^^urlclass=asi^^dlpdictionaries=tobe^^dlpengine=ssequa^^filetype=emp^^threatcategory=emoeni^^threatclass=officiad^^pagerisk=veniam^^threatname=labo^^clientpublicIP=ssecill^^ClientIP=10.223.11.164^^location=tate^^refererURL=https://internal.example.net/ali/ionu.txt?cte=ariatu#ess^^useragent=Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=risnisiu^^user=ten^^event_id=datatno^^clienttranstime=equepor^^requestmethod=antium^^requestsize=5241^^requestversion=texp^^status=mvolup^^responsesize=4382^^responseversion=ema^^transactionsize=6673", - "event.timezone": "GMT+02:00", - "file.type": "emp", - "fileset.name": "zia", - "host.name": "psaqu6066.www5.localhost", - "http.request.referrer": "https://internal.example.net/ali/ionu.txt?cte=ariatu#ess", - "input.type": "log", - "log.offset": 71065, - "network.bytes": 6673, - "network.protocol": "ipv6-icmp", - "observer.product": "Internet", - 
"observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "psaqu6066.www5.localhost" - ], - "related.ip": [ - "10.164.190.2", - "10.223.11.164" - ], - "related.user": [ - "ten" - ], - "rsa.db.index": "asi", - "rsa.identity.user_dept": "risnisiu", - "rsa.internal.data": "mnisis", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "officiad", - "rsa.misc.action": [ - "Allowed", - "antium" - ], - "rsa.misc.category": "emoeni", - "rsa.misc.filter": "itvo", - "rsa.misc.reference_id": "datatno", - "rsa.misc.result": "failure", - "rsa.misc.result_code": "mvolup", - "rsa.network.alias_host": [ - "psaqu6066.www5.localhost" - ], - "rsa.threat.threat_category": "labo", - "rsa.time.event_time": "2019-02-17T05:30:32.000Z", - "rsa.time.timezone": "GMT+02:00", - "rsa.web.fqdn": "psaqu6066.www5.localhost", - "service.type": "zscaler", - "source.bytes": 5241, - "source.ip": "10.223.11.164", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "mail.example.org", - "url.extension": "htm", - "url.fragment": "tionevol", - "url.original": "https://mail.example.org/ntutlabo/leumiure.htm?eacommo=amqua#tionevol", - "url.path": "/ntutlabo/leumiure.htm", - "url.query": "eacommo=amqua", - "url.scheme": "https", - "user.name": "ten", - "user_agent.device.name": "LM-V350", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2019-03-03T12:33:06.000Z", - "destination.bytes": 1460, - "destination.ip": "10.14.37.8", - "event.action": "Blocked", - "event.code": "olor", - "event.dataset": 
"zscaler.zia", - "event.module": "zscaler", - "event.original": "nsec ZSCALERNSS: time=iaeco Mar 3 10:33:06 2019^^timezone=OMST^^action=Blocked^^reason=failure^^hostname=iavol5202.api.example^^protocol=udp^^serverip=10.14.37.8^^url=https://www.example.org/ugitsed/ritatis.jpg?xplic=stenat#mquis^^urlcategory=rume^^urlclass=samnisiu^^dlpdictionaries=yCiceroi^^dlpengine=evolupta^^filetype=citat^^threatcategory=prehende^^threatclass=vitaedic^^pagerisk=remip^^threatname=rsita^^clientpublicIP=rehe^^ClientIP=10.121.181.243^^location=midest^^refererURL=https://example.org/olupta/modi.txt?rnatur=tseddo#utaliq^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=errorsi^^user=umwr^^event_id=olor^^clienttranstime=cupida^^requestmethod=rinc^^requestsize=7719^^requestversion=roqu^^status=dquia^^responsesize=1460^^responseversion=strude^^transactionsize=6667", - "event.timezone": "OMST", - "file.type": "citat", - "fileset.name": "zia", - "host.name": "iavol5202.api.example", - "http.request.referrer": "https://example.org/olupta/modi.txt?rnatur=tseddo#utaliq", - "input.type": "log", - "log.offset": 71963, - "network.bytes": 6667, - "network.protocol": "udp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "iavol5202.api.example" - ], - "related.ip": [ - "10.121.181.243", - "10.14.37.8" - ], - "related.user": [ - "umwr" - ], - "rsa.db.index": "samnisiu", - "rsa.identity.user_dept": "errorsi", - "rsa.internal.data": "nsec", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "vitaedic", - "rsa.misc.action": [ - "Blocked", - "rinc" - ], - "rsa.misc.category": "prehende", - "rsa.misc.filter": 
"rume", - "rsa.misc.reference_id": "olor", - "rsa.misc.result": "failure", - "rsa.misc.result_code": "dquia", - "rsa.network.alias_host": [ - "iavol5202.api.example" - ], - "rsa.threat.threat_category": "rsita", - "rsa.time.event_time": "2019-03-03T12:33:06.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.fqdn": "iavol5202.api.example", - "service.type": "zscaler", - "source.bytes": 7719, - "source.ip": "10.121.181.243", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "www.example.org", - "url.extension": "jpg", - "url.fragment": "mquis", - "url.original": "https://www.example.org/ugitsed/ritatis.jpg?xplic=stenat#mquis", - "url.path": "/ugitsed/ritatis.jpg", - "url.query": "xplic=stenat", - "url.scheme": "https", - "user.name": "umwr", - "user_agent.device.name": "Lenovo A2016a40 ", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "48.0.2564.106" - }, - { - "@timestamp": "2019-03-17T07:35:40.000Z", - "destination.bytes": 3488, - "destination.ip": "10.90.20.202", - "event.action": "Blocked", - "event.code": "ostrude", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "ptate ZSCALERNSS: time=oloreeu Mar 17 5:35:40 
2019^^timezone=ET^^action=Blocked^^reason=success^^hostname=uame1361.api.local^^protocol=udp^^serverip=10.90.20.202^^url=https://mail.example.com/aute/dictasu.gif?ptas=iadolo#cidu^^urlcategory=nonp^^urlclass=abillo^^dlpdictionaries=tinv^^dlpengine=iar^^filetype=nse^^threatcategory=turQuis^^threatclass=tat^^pagerisk=pta^^threatname=henderi^^clientpublicIP=onsec^^ClientIP=10.10.93.133^^location=tau^^refererURL=https://www.example.net/urad/upt.gif?sitamet=xerc#mcolabor^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=quipe^^user=evita^^event_id=ostrude^^clienttranstime=itsed^^requestmethod=nia^^requestsize=7548^^requestversion=rehe^^status=eseosqu^^responsesize=3488^^responseversion=sundeo^^transactionsize=3076", - "event.timezone": "ET", - "file.type": "nse", - "fileset.name": "zia", - "host.name": "uame1361.api.local", - "http.request.referrer": "https://www.example.net/urad/upt.gif?sitamet=xerc#mcolabor", - "input.type": "log", - "log.offset": 72910, - "network.bytes": 3076, - "network.protocol": "udp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "uame1361.api.local" - ], - "related.ip": [ - "10.10.93.133", - "10.90.20.202" - ], - "related.user": [ - "evita" - ], - "rsa.db.index": "abillo", - "rsa.identity.user_dept": "quipe", - "rsa.internal.data": "ptate", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "tat", - "rsa.misc.action": [ - "Blocked", - "nia" - ], - "rsa.misc.category": "turQuis", - "rsa.misc.filter": "nonp", - "rsa.misc.reference_id": "ostrude", - "rsa.misc.result": "success", - "rsa.misc.result_code": "eseosqu", - "rsa.network.alias_host": 
[ - "uame1361.api.local" - ], - "rsa.threat.threat_category": "henderi", - "rsa.time.event_time": "2019-03-17T07:35:40.000Z", - "rsa.time.timezone": "ET", - "rsa.web.fqdn": "uame1361.api.local", - "service.type": "zscaler", - "source.bytes": 7548, - "source.ip": "10.10.93.133", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "mail.example.com", - "url.extension": "gif", - "url.fragment": "cidu", - "url.original": "https://mail.example.com/aute/dictasu.gif?ptas=iadolo#cidu", - "url.path": "/aute/dictasu.gif", - "url.query": "ptas=iadolo", - "url.scheme": "https", - "user.name": "evita", - "user_agent.device.name": "ZTE Blade V1000RU", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2019-04-01T14:38:14.000Z", - "destination.bytes": 4610, - "destination.ip": "10.34.98.144", - "event.action": "Allowed", - "event.code": "pariatu", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "laud ZSCALERNSS: time=uido Apr 1 12:38:14 2019^^timezone=ET^^action=Allowed^^reason=success^^hostname=rsitame4049.internal.corp^^protocol=tcp^^serverip=10.34.98.144^^url=https://mail.example.net/enbyCic/aturau.gif?orroqui=sci#psamvolu^^urlcategory=itsedqui^^urlclass=oreve^^dlpdictionaries=omn^^dlpengine=onevol^^filetype=ese^^threatcategory=reprehen^^threatclass=Exce^^pagerisk=tocca^^threatname=tinvolu^^clientpublicIP=ecatc^^ClientIP=10.77.102.206^^location=quin^^refererURL=https://api.example.com/sedqui/ueporroq.htm?eetdol=tia#lup^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 
Yowser/2.5 Safari/537.36^^department=inBCSed^^user=tectobe^^event_id=pariatu^^clienttranstime=uiacons^^requestmethod=ulapa^^requestsize=4143^^requestversion=henderit^^status=ident^^responsesize=4610^^responseversion=mquae^^transactionsize=1789", - "event.timezone": "ET", - "file.type": "ese", - "fileset.name": "zia", - "host.name": "rsitame4049.internal.corp", - "http.request.referrer": "https://api.example.com/sedqui/ueporroq.htm?eetdol=tia#lup", - "input.type": "log", - "log.offset": 73843, - "network.bytes": 1789, - "network.protocol": "tcp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "rsitame4049.internal.corp" - ], - "related.ip": [ - "10.34.98.144", - "10.77.102.206" - ], - "related.user": [ - "tectobe" - ], - "rsa.db.index": "oreve", - "rsa.identity.user_dept": "inBCSed", - "rsa.internal.data": "laud", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "Exce", - "rsa.misc.action": [ - "Allowed", - "ulapa" - ], - "rsa.misc.category": "reprehen", - "rsa.misc.filter": "itsedqui", - "rsa.misc.reference_id": "pariatu", - "rsa.misc.result": "success", - "rsa.misc.result_code": "ident", - "rsa.network.alias_host": [ - "rsitame4049.internal.corp" - ], - "rsa.threat.threat_category": "tinvolu", - "rsa.time.event_time": "2019-04-01T14:38:14.000Z", - "rsa.time.timezone": "ET", - "rsa.web.fqdn": "rsitame4049.internal.corp", - "service.type": "zscaler", - "source.bytes": 4143, - "source.ip": "10.77.102.206", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "mail.example.net", - "url.extension": "gif", - "url.fragment": "psamvolu", - "url.original": "https://mail.example.net/enbyCic/aturau.gif?orroqui=sci#psamvolu", - "url.path": "/enbyCic/aturau.gif", - "url.query": "orroqui=sci", - "url.scheme": "https", - 
"user.name": "tectobe", - "user_agent.device.name": "Mac", - "user_agent.name": "Yandex Browser", - "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", - "user_agent.os.full": "Mac OS X 10.15.6", - "user_agent.os.name": "Mac OS X", - "user_agent.os.version": "10.15.6", - "user_agent.version": "20.3.0" - }, - { - "@timestamp": "2019-04-15T09:40:49.000Z", - "destination.bytes": 3976, - "destination.ip": "10.176.233.249", - "event.action": "Blocked", - "event.code": "ntin", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "lit ZSCALERNSS: time=uiine Apr 15 7:40:49 2019^^timezone=ET^^action=Blocked^^reason=unknown^^hostname=elit912.www5.test^^protocol=udp^^serverip=10.176.233.249^^url=https://example.org/olu/mqua.txt?mdolore=ita#aeratvol^^urlcategory=odite^^urlclass=atn^^dlpdictionaries=sectet^^dlpengine=boreetd^^filetype=ueporro^^threatcategory=cto^^threatclass=essequa^^pagerisk=gnidolor^^threatname=itlabori^^clientpublicIP=amestqui^^ClientIP=10.75.144.118^^location=qua^^refererURL=https://api.example.com/pteurs/intocc.gif?veni=turmag#dutper^^useragent=Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=aconseq^^user=isnos^^event_id=ntin^^clienttranstime=tenatus^^requestmethod=odic^^requestsize=3588^^requestversion=intocca^^status=equuntu^^responsesize=3976^^responseversion=ine^^transactionsize=3409", - "event.timezone": "ET", - "file.type": "ueporro", - "fileset.name": "zia", - "host.name": "elit912.www5.test", - "http.request.referrer": "https://api.example.com/pteurs/intocc.gif?veni=turmag#dutper", - "input.type": "log", - "log.offset": 74765, - "network.bytes": 3409, - "network.protocol": "udp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - 
"elit912.www5.test" - ], - "related.ip": [ - "10.176.233.249", - "10.75.144.118" - ], - "related.user": [ - "isnos" - ], - "rsa.db.index": "atn", - "rsa.identity.user_dept": "aconseq", - "rsa.internal.data": "lit", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "essequa", - "rsa.misc.action": [ - "Blocked", - "odic" - ], - "rsa.misc.category": "cto", - "rsa.misc.filter": "odite", - "rsa.misc.reference_id": "ntin", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "equuntu", - "rsa.network.alias_host": [ - "elit912.www5.test" - ], - "rsa.threat.threat_category": "itlabori", - "rsa.time.event_time": "2019-04-15T09:40:49.000Z", - "rsa.time.timezone": "ET", - "rsa.web.fqdn": "elit912.www5.test", - "service.type": "zscaler", - "source.bytes": 3588, - "source.ip": "10.75.144.118", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "example.org", - "url.extension": "txt", - "url.fragment": "aeratvol", - "url.original": "https://example.org/olu/mqua.txt?mdolore=ita#aeratvol", - "url.path": "/olu/mqua.txt", - "url.query": "mdolore=ita", - "url.scheme": "https", - "user.name": "isnos", - "user_agent.device.name": "VS996", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 8.0.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "8.0.0", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2019-04-29T04:43:23.000Z", - "destination.bytes": 559, - "destination.ip": "10.149.6.107", - "event.action": "Allowed", - "event.code": "mveleu", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "rcit ZSCALERNSS: time=secte Apr 29 2:43:23 
2019^^timezone=GMT-07:00^^action=Allowed^^reason=unknown^^hostname=tat6671.www.local^^protocol=udp^^serverip=10.149.6.107^^url=https://api.example.net/mnisiut/eabil.jpg?psumqui=trude#ccusa^^urlcategory=ndeomni^^urlclass=chite^^dlpdictionaries=obeatae^^dlpengine=rehen^^filetype=uam^^threatcategory=vitaedi^^threatclass=uis^^pagerisk=emagnaal^^threatname=uunturm^^clientpublicIP=nonnumq^^ClientIP=10.236.55.236^^location=aerat^^refererURL=https://www.example.org/eata/maliquam.jpg?gnamali=olabor#ionem^^useragent=Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=eseosqu^^user=redolo^^event_id=mveleu^^clienttranstime=cillumdo^^requestmethod=mvele^^requestsize=4686^^requestversion=isnost^^status=lumdolor^^responsesize=559^^responseversion=aspe^^transactionsize=4318", - "event.timezone": "GMT-07:00", - "file.type": "uam", - "fileset.name": "zia", - "host.name": "tat6671.www.local", - "http.request.referrer": "https://www.example.org/eata/maliquam.jpg?gnamali=olabor#ionem", - "input.type": "log", - "log.offset": 75639, - "network.bytes": 4318, - "network.protocol": "udp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "tat6671.www.local" - ], - "related.ip": [ - "10.149.6.107", - "10.236.55.236" - ], - "related.user": [ - "redolo" - ], - "rsa.db.index": "chite", - "rsa.identity.user_dept": "eseosqu", - "rsa.internal.data": "rcit", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "uis", - "rsa.misc.action": [ - "Allowed", - "mvele" - ], - "rsa.misc.category": "vitaedi", - "rsa.misc.filter": "ndeomni", - "rsa.misc.reference_id": "mveleu", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "lumdolor", - "rsa.network.alias_host": [ - 
"tat6671.www.local" - ], - "rsa.threat.threat_category": "uunturm", - "rsa.time.event_time": "2019-04-29T04:43:23.000Z", - "rsa.time.timezone": "GMT-07:00", - "rsa.web.fqdn": "tat6671.www.local", - "service.type": "zscaler", - "source.bytes": 4686, - "source.ip": "10.236.55.236", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "api.example.net", - "url.extension": "jpg", - "url.fragment": "ccusa", - "url.original": "https://api.example.net/mnisiut/eabil.jpg?psumqui=trude#ccusa", - "url.path": "/mnisiut/eabil.jpg", - "url.query": "psumqui=trude", - "url.scheme": "https", - "user.name": "redolo", - "user_agent.device.name": "LM-V350", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2019-05-13T11:45:57.000Z", - "destination.bytes": 982, - "destination.ip": "10.97.202.149", - "event.action": "Blocked", - "event.code": "itte", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "erita ZSCALERNSS: time=eursint May 13 9:45:57 2019^^timezone=CET^^action=Blocked^^reason=failure^^hostname=uis5050.www.local^^protocol=igmp^^serverip=10.97.202.149^^url=https://api.example.net/uamestq/eetdol.html?ctionofd=uianonnu#ntNeque^^urlcategory=magnidol^^urlclass=meumfug^^dlpdictionaries=irat^^dlpengine=uatu^^filetype=gel^^threatcategory=modt^^threatclass=atcupi^^pagerisk=xeacomm^^threatname=tla^^clientpublicIP=itaspe^^ClientIP=10.13.125.101^^location=uisautei^^refererURL=https://mail.example.net/ihilmol/scinge.jpg?str=yCiceroi#loremeu^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile 
Safari/537.36^^department=velitess^^user=colab^^event_id=itte^^clienttranstime=niamquis^^requestmethod=uaUten^^requestsize=7772^^requestversion=exeacomm^^status=uptat^^responsesize=982^^responseversion=ore^^transactionsize=7330", - "event.timezone": "CET", - "file.type": "gel", - "fileset.name": "zia", - "host.name": "uis5050.www.local", - "http.request.referrer": "https://mail.example.net/ihilmol/scinge.jpg?str=yCiceroi#loremeu", - "input.type": "log", - "log.offset": 76532, - "network.bytes": 7330, - "network.protocol": "igmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "uis5050.www.local" - ], - "related.ip": [ - "10.13.125.101", - "10.97.202.149" - ], - "related.user": [ - "colab" - ], - "rsa.db.index": "meumfug", - "rsa.identity.user_dept": "velitess", - "rsa.internal.data": "erita", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "atcupi", - "rsa.misc.action": [ - "Blocked", - "uaUten" - ], - "rsa.misc.category": "modt", - "rsa.misc.filter": "magnidol", - "rsa.misc.reference_id": "itte", - "rsa.misc.result": "failure", - "rsa.misc.result_code": "uptat", - "rsa.network.alias_host": [ - "uis5050.www.local" - ], - "rsa.threat.threat_category": "tla", - "rsa.time.event_time": "2019-05-13T11:45:57.000Z", - "rsa.time.timezone": "CET", - "rsa.web.fqdn": "uis5050.www.local", - "service.type": "zscaler", - "source.bytes": 7772, - "source.ip": "10.13.125.101", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "api.example.net", - "url.extension": "html", - "url.fragment": "ntNeque", - "url.original": "https://api.example.net/uamestq/eetdol.html?ctionofd=uianonnu#ntNeque", - "url.path": "/uamestq/eetdol.html", - "url.query": "ctionofd=uianonnu", - "url.scheme": "https", - "user.name": "colab", - 
"user_agent.device.name": "Micromax P410i", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", - "user_agent.os.full": "Android 4.1.2", - "user_agent.os.name": "Android", - "user_agent.os.version": "4.1.2", - "user_agent.version": "63.0.3239.111" - }, - { - "@timestamp": "2019-05-28T06:48:31.000Z", - "destination.bytes": 1324, - "destination.ip": "10.141.66.163", - "event.action": "Blocked", - "event.code": "iduntut", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "poriss ZSCALERNSS: time=enatus May 28 4:48:31 2019^^timezone=GMT+02:00^^action=Blocked^^reason=failure^^hostname=ficiad1312.api.host^^protocol=igmp^^serverip=10.141.66.163^^url=https://mail.example.net/ius/msequ.jpg?ptat=tionula#gnido^^urlcategory=usmo^^urlclass=squirati^^dlpdictionaries=uasi^^dlpengine=quaeabi^^filetype=sequ^^threatcategory=gna^^threatclass=itautf^^pagerisk=aev^^threatname=uovolup^^clientpublicIP=tMaloru^^ClientIP=10.230.61.102^^location=rautod^^refererURL=https://example.net/minimav/uovo.html?orinrep=tNequ#eca^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=serr^^user=umdolo^^event_id=iduntut^^clienttranstime=admini^^requestmethod=mini^^requestsize=3181^^requestversion=cididun^^status=iamqu^^responsesize=1324^^responseversion=iunt^^transactionsize=2218", - "event.timezone": "GMT+02:00", - "file.type": "sequ", - "fileset.name": "zia", - "host.name": "ficiad1312.api.host", - "http.request.referrer": "https://example.net/minimav/uovo.html?orinrep=tNequ#eca", - "input.type": "log", - "log.offset": 77451, - "network.bytes": 2218, - "network.protocol": "igmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - 
"ficiad1312.api.host" - ], - "related.ip": [ - "10.141.66.163", - "10.230.61.102" - ], - "related.user": [ - "umdolo" - ], - "rsa.db.index": "squirati", - "rsa.identity.user_dept": "serr", - "rsa.internal.data": "poriss", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "itautf", - "rsa.misc.action": [ - "Blocked", - "mini" - ], - "rsa.misc.category": "gna", - "rsa.misc.filter": "usmo", - "rsa.misc.reference_id": "iduntut", - "rsa.misc.result": "failure", - "rsa.misc.result_code": "iamqu", - "rsa.network.alias_host": [ - "ficiad1312.api.host" - ], - "rsa.threat.threat_category": "uovolup", - "rsa.time.event_time": "2019-05-28T06:48:31.000Z", - "rsa.time.timezone": "GMT+02:00", - "rsa.web.fqdn": "ficiad1312.api.host", - "service.type": "zscaler", - "source.bytes": 3181, - "source.ip": "10.230.61.102", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "mail.example.net", - "url.extension": "jpg", - "url.fragment": "gnido", - "url.original": "https://mail.example.net/ius/msequ.jpg?ptat=tionula#gnido", - "url.path": "/ius/msequ.jpg", - "url.query": "ptat=tionula", - "url.scheme": "https", - "user.name": "umdolo", - "user_agent.device.name": "ZTE BLADE V7", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2019-06-11T13:51:06.000Z", - "destination.bytes": 6666, - "destination.ip": "10.10.25.145", - "event.action": "Blocked", - "event.code": "nrepre", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "uisaut ZSCALERNSS: time=apar Jun 11 11:51:06 
2019^^timezone=OMST^^action=Blocked^^reason=unknown^^hostname=itaspe921.mail.invalid^^protocol=tcp^^serverip=10.10.25.145^^url=https://www.example.org/iat/acom.html?umdolo=oluptass#umqu^^urlcategory=rsitam^^urlclass=aliqui^^dlpdictionaries=uipexea^^dlpengine=sauteiru^^filetype=nibusB^^threatcategory=eetdolo^^threatclass=issuscip^^pagerisk=iduntu^^threatname=nde^^clientpublicIP=naturau^^ClientIP=10.224.249.228^^location=odit^^refererURL=https://www5.example.net/lapa/enia.jpg?deserun=ugia#isiuta^^useragent=Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ugiatq^^user=mnisiuta^^event_id=nrepre^^clienttranstime=eumfu^^requestmethod=remap^^requestsize=1954^^requestversion=yCicero^^status=dqui^^responsesize=6666^^responseversion=oin^^transactionsize=3838", - "event.timezone": "OMST", - "file.type": "nibusB", - "fileset.name": "zia", - "host.name": "itaspe921.mail.invalid", - "http.request.referrer": "https://www5.example.net/lapa/enia.jpg?deserun=ugia#isiuta", - "input.type": "log", - "log.offset": 78335, - "network.bytes": 3838, - "network.protocol": "tcp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "itaspe921.mail.invalid" - ], - "related.ip": [ - "10.10.25.145", - "10.224.249.228" - ], - "related.user": [ - "mnisiuta" - ], - "rsa.db.index": "aliqui", - "rsa.identity.user_dept": "ugiatq", - "rsa.internal.data": "uisaut", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "issuscip", - "rsa.misc.action": [ - "Blocked", - "remap" - ], - "rsa.misc.category": "eetdolo", - "rsa.misc.filter": "rsitam", - "rsa.misc.reference_id": "nrepre", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "dqui", - "rsa.network.alias_host": [ - 
"itaspe921.mail.invalid" - ], - "rsa.threat.threat_category": "nde", - "rsa.time.event_time": "2019-06-11T13:51:06.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.fqdn": "itaspe921.mail.invalid", - "service.type": "zscaler", - "source.bytes": 1954, - "source.ip": "10.224.249.228", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "www.example.org", - "url.extension": "html", - "url.fragment": "umqu", - "url.original": "https://www.example.org/iat/acom.html?umdolo=oluptass#umqu", - "url.path": "/iat/acom.html", - "url.query": "umdolo=oluptass", - "url.scheme": "https", - "user.name": "mnisiuta", - "user_agent.device.name": "LM-V350", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2019-06-25T08:53:40.000Z", - "destination.bytes": 3750, - "destination.ip": "10.234.34.40", - "event.action": "Blocked", - "event.code": "dolori", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "eiusm ZSCALERNSS: time=assit Jun 25 6:53:40 2019^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=archite4407.mail.invalid^^protocol=ipv6-icmp^^serverip=10.234.34.40^^url=https://www.example.com/onorum/umiure.gif?lites=admini#trumexer^^urlcategory=maveniam^^urlclass=ctobeat^^dlpdictionaries=emoenim^^dlpengine=oqui^^filetype=olab^^threatcategory=remagnam^^threatclass=neavolu^^pagerisk=adipi^^threatname=idid^^clientpublicIP=ela^^ClientIP=10.247.255.107^^location=lore^^refererURL=https://www5.example.org/olorsi/everitat.htm?iamq=ercitat#velillu^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 
Safari/537.36^^department=elitsed^^user=aeabillo^^event_id=dolori^^clienttranstime=mco^^requestmethod=nofdeF^^requestsize=245^^requestversion=writt^^status=ent^^responsesize=3750^^responseversion=uaer^^transactionsize=2304", - "event.timezone": "PT", - "file.type": "olab", - "fileset.name": "zia", - "host.name": "archite4407.mail.invalid", - "http.request.referrer": "https://www5.example.org/olorsi/everitat.htm?iamq=ercitat#velillu", - "input.type": "log", - "log.offset": 79223, - "network.bytes": 2304, - "network.protocol": "ipv6-icmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "archite4407.mail.invalid" - ], - "related.ip": [ - "10.234.34.40", - "10.247.255.107" - ], - "related.user": [ - "aeabillo" - ], - "rsa.db.index": "ctobeat", - "rsa.identity.user_dept": "elitsed", - "rsa.internal.data": "eiusm", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "neavolu", - "rsa.misc.action": [ - "Blocked", - "nofdeF" - ], - "rsa.misc.category": "remagnam", - "rsa.misc.filter": "maveniam", - "rsa.misc.reference_id": "dolori", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "ent", - "rsa.network.alias_host": [ - "archite4407.mail.invalid" - ], - "rsa.threat.threat_category": "idid", - "rsa.time.event_time": "2019-06-25T08:53:40.000Z", - "rsa.time.timezone": "PT", - "rsa.web.fqdn": "archite4407.mail.invalid", - "service.type": "zscaler", - "source.bytes": 245, - "source.ip": "10.247.255.107", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "www.example.com", - "url.extension": "gif", - "url.fragment": "trumexer", - "url.original": "https://www.example.com/onorum/umiure.gif?lites=admini#trumexer", - "url.path": "/onorum/umiure.gif", - "url.query": "lites=admini", - "url.scheme": "https", - "user.name": 
"aeabillo", - "user_agent.device.name": "Notepad_K10", - "user_agent.name": "Chrome", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2019-07-10T03:56:14.000Z", - "destination.bytes": 412, - "destination.ip": "10.124.81.20", - "event.action": "Blocked", - "event.code": "piciatis", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "tectobe ZSCALERNSS: time=ain Jul 10 1:56:14 2019^^timezone=OMST^^action=Blocked^^reason=success^^hostname=aria1424.mail.home^^protocol=igmp^^serverip=10.124.81.20^^url=https://mail.example.org/veni/rspi.htm?ntium=imadmi#dquiac^^urlcategory=liquide^^urlclass=uatD^^dlpdictionaries=reh^^dlpengine=uel^^filetype=tmollit^^threatcategory=ametco^^threatclass=ilmoles^^pagerisk=xeaco^^threatname=texpl^^clientpublicIP=tqua^^ClientIP=10.250.102.42^^location=totamr^^refererURL=https://internal.example.com/iciat/uira.htm?cti=orsitvo#elit^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=tenby^^user=tNequ^^event_id=piciatis^^clienttranstime=ritten^^requestmethod=tatisetq^^requestsize=2753^^requestversion=madmi^^status=icia^^responsesize=412^^responseversion=eroi^^transactionsize=2077", - "event.timezone": "OMST", - "file.type": "tmollit", - "fileset.name": "zia", - "host.name": "aria1424.mail.home", - "http.request.referrer": "https://internal.example.com/iciat/uira.htm?cti=orsitvo#elit", - "input.type": "log", - "log.offset": 80114, - "network.bytes": 2077, - "network.protocol": "igmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "aria1424.mail.home" - ], - 
"related.ip": [ - "10.124.81.20", - "10.250.102.42" - ], - "related.user": [ - "tNequ" - ], - "rsa.db.index": "uatD", - "rsa.identity.user_dept": "tenby", - "rsa.internal.data": "tectobe", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "ilmoles", - "rsa.misc.action": [ - "Blocked", - "tatisetq" - ], - "rsa.misc.category": "ametco", - "rsa.misc.filter": "liquide", - "rsa.misc.reference_id": "piciatis", - "rsa.misc.result": "success", - "rsa.misc.result_code": "icia", - "rsa.network.alias_host": [ - "aria1424.mail.home" - ], - "rsa.threat.threat_category": "texpl", - "rsa.time.event_time": "2019-07-10T03:56:14.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.fqdn": "aria1424.mail.home", - "service.type": "zscaler", - "source.bytes": 2753, - "source.ip": "10.250.102.42", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "mail.example.org", - "url.extension": "htm", - "url.fragment": "dquiac", - "url.original": "https://mail.example.org/veni/rspi.htm?ntium=imadmi#dquiac", - "url.path": "/veni/rspi.htm", - "url.query": "ntium=imadmi", - "url.scheme": "https", - "user.name": "tNequ", - "user_agent.device.name": "Pixel 3", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "66.0.3359.158" - }, - { - "@timestamp": "2019-07-24T10:58:48.000Z", - "destination.bytes": 5294, - "destination.ip": "10.166.205.159", - "event.action": "Allowed", - "event.code": "siutal", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "riatur ZSCALERNSS: time=amrema Jul 24 8:58:48 
2019^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=Bonoru7444.www5.example^^protocol=rdp^^serverip=10.166.205.159^^url=https://www.example.com/tem/litsedq.htm?ium=utfugit#beat^^urlcategory=odita^^urlclass=borisn^^dlpdictionaries=itanimid^^dlpengine=ianonnum^^filetype=cte^^threatcategory=iratio^^threatclass=proid^^pagerisk=inculp^^threatname=atnu^^clientpublicIP=ntmo^^ClientIP=10.154.188.132^^location=atevelit^^refererURL=https://internal.example.com/iconsequ/adipisci.txt?gnido=iamq#Utenim^^useragent=Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10^^department=uisa^^user=uptat^^event_id=siutal^^clienttranstime=umetMalo^^requestmethod=onevolu^^requestsize=4181^^requestversion=sedquian^^status=involu^^responsesize=5294^^responseversion=nsequatD^^transactionsize=7089", - "event.timezone": "OMST", - "file.type": "cte", - "fileset.name": "zia", - "host.name": "Bonoru7444.www5.example", - "http.request.referrer": "https://internal.example.com/iconsequ/adipisci.txt?gnido=iamq#Utenim", - "input.type": "log", - "log.offset": 81010, - "network.bytes": 7089, - "network.protocol": "rdp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "Bonoru7444.www5.example" - ], - "related.ip": [ - "10.154.188.132", - "10.166.205.159" - ], - "related.user": [ - "uptat" - ], - "rsa.db.index": "borisn", - "rsa.identity.user_dept": "uisa", - "rsa.internal.data": "riatur", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "proid", - "rsa.misc.action": [ - "Allowed", - "onevolu" - ], - "rsa.misc.category": "iratio", - "rsa.misc.filter": "odita", - "rsa.misc.reference_id": "siutal", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": 
"involu", - "rsa.network.alias_host": [ - "Bonoru7444.www5.example" - ], - "rsa.threat.threat_category": "atnu", - "rsa.time.event_time": "2019-07-24T10:58:48.000Z", - "rsa.time.timezone": "OMST", - "rsa.web.fqdn": "Bonoru7444.www5.example", - "service.type": "zscaler", - "source.bytes": 4181, - "source.ip": "10.154.188.132", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "www.example.com", - "url.extension": "htm", - "url.fragment": "beat", - "url.original": "https://www.example.com/tem/litsedq.htm?ium=utfugit#beat", - "url.path": "/tem/litsedq.htm", - "url.query": "ium=utfugit", - "url.scheme": "https", - "user.name": "uptat", - "user_agent.device.name": "Spider", - "user_agent.name": "Other", - "user_agent.original": "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" - }, - { - "@timestamp": "2019-08-07T06:01:23.000Z", - "destination.bytes": 274, - "destination.ip": "10.46.71.46", - "event.action": "Allowed", - "event.code": "ugiat", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "liquid ZSCALERNSS: time=uamq Aug 7 4:01:23 2019^^timezone=CEST^^action=Allowed^^reason=success^^hostname=icero1297.internal.domain^^protocol=ipv6-icmp^^serverip=10.46.71.46^^url=https://www.example.com/amcola/eumiurer.gif?stiaeco=equu#laborisn^^urlcategory=atisetq^^urlclass=mSectio^^dlpdictionaries=rsinto^^dlpengine=nonnumqu^^filetype=atis^^threatcategory=todit^^threatclass=upta^^pagerisk=fug^^threatname=ulpaq^^clientpublicIP=rured^^ClientIP=10.138.193.38^^location=udex^^refererURL=https://api.example.com/uin/isci.htm?nsectetu=spici#untutl^^useragent=Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) 
yahoo.adquality.lwd.desktop/1591143192-10^^department=tate^^user=sintocca^^event_id=ugiat^^clienttranstime=asuntex^^requestmethod=uovolup^^requestsize=745^^requestversion=amali^^status=uiav^^responsesize=274^^responseversion=mullamco^^transactionsize=7843", - "event.timezone": "CEST", - "file.type": "atis", - "fileset.name": "zia", - "host.name": "icero1297.internal.domain", - "http.request.referrer": "https://api.example.com/uin/isci.htm?nsectetu=spici#untutl", - "input.type": "log", - "log.offset": 81941, - "network.bytes": 7843, - "network.protocol": "ipv6-icmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "icero1297.internal.domain" - ], - "related.ip": [ - "10.138.193.38", - "10.46.71.46" - ], - "related.user": [ - "sintocca" - ], - "rsa.db.index": "mSectio", - "rsa.identity.user_dept": "tate", - "rsa.internal.data": "liquid", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "upta", - "rsa.misc.action": [ - "Allowed", - "uovolup" - ], - "rsa.misc.category": "todit", - "rsa.misc.filter": "atisetq", - "rsa.misc.reference_id": "ugiat", - "rsa.misc.result": "success", - "rsa.misc.result_code": "uiav", - "rsa.network.alias_host": [ - "icero1297.internal.domain" - ], - "rsa.threat.threat_category": "ulpaq", - "rsa.time.event_time": "2019-08-07T06:01:23.000Z", - "rsa.time.timezone": "CEST", - "rsa.web.fqdn": "icero1297.internal.domain", - "service.type": "zscaler", - "source.bytes": 745, - "source.ip": "10.138.193.38", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "www.example.com", - "url.extension": "gif", - "url.fragment": "laborisn", - "url.original": "https://www.example.com/amcola/eumiurer.gif?stiaeco=equu#laborisn", - "url.path": "/amcola/eumiurer.gif", - "url.query": "stiaeco=equu", - 
"url.scheme": "https", - "user.name": "sintocca", - "user_agent.device.name": "Spider", - "user_agent.name": "Other", - "user_agent.original": "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" - }, - { - "@timestamp": "2019-08-21T13:03:57.000Z", - "destination.bytes": 2804, - "destination.ip": "10.254.119.31", - "event.action": "Blocked", - "event.code": "uunturma", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "ons ZSCALERNSS: time=radip Aug 21 11:03:57 2019^^timezone=CT^^action=Blocked^^reason=unknown^^hostname=oloremeu5047.www5.invalid^^protocol=tcp^^serverip=10.254.119.31^^url=https://api.example.net/sedquian/lamcorpo.html?sequatD=Nequepo#veleum^^urlcategory=eturad^^urlclass=tor^^dlpdictionaries=hender^^dlpengine=moditemp^^filetype=pitlab^^threatcategory=tutlabor^^threatclass=imadmi^^pagerisk=nculp^^threatname=quamnihi^^clientpublicIP=nimadmi^^ClientIP=10.172.159.251^^location=nima^^refererURL=https://mail.example.org/tur/tlaboru.htm?tutlabo=incid#der^^useragent=Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90^^department=tconsect^^user=usm^^event_id=uunturma^^clienttranstime=namaliqu^^requestmethod=tatemacc^^requestsize=2324^^requestversion=nor^^status=saut^^responsesize=2804^^responseversion=stiaeco^^transactionsize=1508", - "event.timezone": "CT", - "file.type": "pitlab", - "fileset.name": "zia", - "host.name": "oloremeu5047.www5.invalid", - "http.request.referrer": "https://mail.example.org/tur/tlaboru.htm?tutlabo=incid#der", - "input.type": "log", - "log.offset": 82861, - "network.bytes": 1508, - "network.protocol": "tcp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "oloremeu5047.www5.invalid" - ], - "related.ip": [ - 
"10.172.159.251", - "10.254.119.31" - ], - "related.user": [ - "usm" - ], - "rsa.db.index": "tor", - "rsa.identity.user_dept": "tconsect", - "rsa.internal.data": "ons", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "imadmi", - "rsa.misc.action": [ - "Blocked", - "tatemacc" - ], - "rsa.misc.category": "tutlabor", - "rsa.misc.filter": "eturad", - "rsa.misc.reference_id": "uunturma", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "saut", - "rsa.network.alias_host": [ - "oloremeu5047.www5.invalid" - ], - "rsa.threat.threat_category": "quamnihi", - "rsa.time.event_time": "2019-08-21T13:03:57.000Z", - "rsa.time.timezone": "CT", - "rsa.web.fqdn": "oloremeu5047.www5.invalid", - "service.type": "zscaler", - "source.bytes": 2324, - "source.ip": "10.172.159.251", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "api.example.net", - "url.extension": "html", - "url.fragment": "veleum", - "url.original": "https://api.example.net/sedquian/lamcorpo.html?sequatD=Nequepo#veleum", - "url.path": "/sedquian/lamcorpo.html", - "url.query": "sequatD=Nequepo", - "url.scheme": "https", - "user.name": "usm", - "user_agent.device.name": "U20", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "44.0.2403.147" - }, - { - "@timestamp": "2019-09-05T08:06:31.000Z", - "destination.bytes": 4957, - "destination.ip": "10.195.62.230", - "event.action": "Allowed", - "event.code": "sequat", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "osam ZSCALERNSS: 
time=ncid Sep 5 6:06:31 2019^^timezone=PT^^action=Allowed^^reason=unknown^^hostname=edutpe1255.internal.lan^^protocol=ipv6-icmp^^serverip=10.195.62.230^^url=https://www5.example.com/ictasun/iumto.txt?erro=admin#uisnostr^^urlcategory=nemul^^urlclass=amqua^^dlpdictionaries=isnost^^dlpengine=eaco^^filetype=oremeu^^threatcategory=uis^^threatclass=isnost^^pagerisk=itvolu^^threatname=citation^^clientpublicIP=spernatu^^ClientIP=10.98.126.206^^location=tion^^refererURL=https://internal.example.org/uidolore/uatDuisa.htm?uipe=alo#ufugia^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]^^department=atatnonp^^user=ptassit^^event_id=sequat^^clienttranstime=Uteni^^requestmethod=oriosa^^requestsize=7244^^requestversion=temporai^^status=totamrem^^responsesize=4957^^responseversion=dminimve^^transactionsize=1182", - "event.timezone": "PT", - "file.type": "oremeu", - "fileset.name": "zia", - "host.name": "edutpe1255.internal.lan", - "http.request.referrer": "https://internal.example.org/uidolore/uatDuisa.htm?uipe=alo#ufugia", - "input.type": "log", - "log.offset": 83817, - "network.bytes": 1182, - "network.protocol": "ipv6-icmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "edutpe1255.internal.lan" - ], - "related.ip": [ - "10.195.62.230", - "10.98.126.206" - ], - "related.user": [ - "ptassit" - ], - "rsa.db.index": "amqua", - "rsa.identity.user_dept": "atatnonp", - "rsa.internal.data": "osam", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "isnost", - "rsa.misc.action": [ - "Allowed", - "oriosa" - ], - "rsa.misc.category": "uis", - "rsa.misc.filter": "nemul", - 
"rsa.misc.reference_id": "sequat", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "totamrem", - "rsa.network.alias_host": [ - "edutpe1255.internal.lan" - ], - "rsa.threat.threat_category": "citation", - "rsa.time.event_time": "2019-09-05T08:06:31.000Z", - "rsa.time.timezone": "PT", - "rsa.web.fqdn": "edutpe1255.internal.lan", - "service.type": "zscaler", - "source.bytes": 7244, - "source.ip": "10.98.126.206", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "www5.example.com", - "url.extension": "txt", - "url.fragment": "uisnostr", - "url.original": "https://www5.example.com/ictasun/iumto.txt?erro=admin#uisnostr", - "url.path": "/ictasun/iumto.txt", - "url.query": "erro=admin", - "url.scheme": "https", - "user.name": "ptassit", - "user_agent.device.name": "Samsung SM-A715F", - "user_agent.name": "Facebook", - "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]", - "user_agent.os.full": "Android 10", - "user_agent.os.name": "Android", - "user_agent.os.version": "10", - "user_agent.version": "266.0.0" - }, - { - "@timestamp": "2019-09-19T03:09:05.000Z", - "destination.bytes": 6658, - "destination.ip": "10.144.93.186", - "event.action": "Blocked", - "event.code": "adminim", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "idolo ZSCALERNSS: time=citat Sep 19 1:09:05 
2019^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=nderit1171.www5.domain^^protocol=rdp^^serverip=10.144.93.186^^url=https://www5.example.org/oriosa/ssusc.htm?atemacc=rsitvolu#isi^^urlcategory=umquia^^urlclass=evolu^^dlpdictionaries=quidolo^^dlpengine=utlabore^^filetype=texplica^^threatcategory=boru^^threatclass=ntut^^pagerisk=elaud^^threatname=acomm^^clientpublicIP=edquia^^ClientIP=10.84.140.5^^location=laboris^^refererURL=https://www.example.org/lpaquiof/isisten.txt?culp=Ciceroin#aeco^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36^^department=mull^^user=eroi^^event_id=adminim^^clienttranstime=naturau^^requestmethod=nima^^requestsize=4943^^requestversion=sed^^status=mUten^^responsesize=6658^^responseversion=tfugitse^^transactionsize=6480", - "event.timezone": "PT", - "file.type": "texplica", - "fileset.name": "zia", - "host.name": "nderit1171.www5.domain", - "http.request.referrer": "https://www.example.org/lpaquiof/isisten.txt?culp=Ciceroin#aeco", - "input.type": "log", - "log.offset": 84805, - "network.bytes": 6480, - "network.protocol": "rdp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "nderit1171.www5.domain" - ], - "related.ip": [ - "10.144.93.186", - "10.84.140.5" - ], - "related.user": [ - "eroi" - ], - "rsa.db.index": "evolu", - "rsa.identity.user_dept": "mull", - "rsa.internal.data": "idolo", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "ntut", - "rsa.misc.action": [ - "Blocked", - "nima" - ], - "rsa.misc.category": "boru", - "rsa.misc.filter": "umquia", - "rsa.misc.reference_id": "adminim", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "mUten", - 
"rsa.network.alias_host": [ - "nderit1171.www5.domain" - ], - "rsa.threat.threat_category": "acomm", - "rsa.time.event_time": "2019-09-19T03:09:05.000Z", - "rsa.time.timezone": "PT", - "rsa.web.fqdn": "nderit1171.www5.domain", - "service.type": "zscaler", - "source.bytes": 4943, - "source.ip": "10.84.140.5", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "www5.example.org", - "url.extension": "htm", - "url.fragment": "isi", - "url.original": "https://www5.example.org/oriosa/ssusc.htm?atemacc=rsitvolu#isi", - "url.path": "/oriosa/ssusc.htm", - "url.query": "atemacc=rsitvolu", - "url.scheme": "https", - "user.name": "eroi", - "user_agent.device.name": "Mac", - "user_agent.name": "Yandex Browser", - "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", - "user_agent.os.full": "Mac OS X 10.15.6", - "user_agent.os.name": "Mac OS X", - "user_agent.os.version": "10.15.6", - "user_agent.version": "20.3.0" - }, - { - "@timestamp": "2019-10-03T10:11:40.000Z", - "destination.bytes": 6855, - "destination.ip": "10.31.58.6", - "event.action": "Allowed", - "event.code": "volu", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "uianon ZSCALERNSS: time=iutal Oct 3 8:11:40 2019^^timezone=ET^^action=Allowed^^reason=success^^hostname=nos4114.api.lan^^protocol=rdp^^serverip=10.31.58.6^^url=https://mail.example.net/tseddoei/byCi.gif?assitas=nul#ame^^urlcategory=lites^^urlclass=sec^^dlpdictionaries=aqua^^dlpengine=meumf^^filetype=olu^^threatcategory=ectet^^threatclass=tquovo^^pagerisk=orev^^threatname=lapa^^clientpublicIP=xeacom^^ClientIP=10.198.84.190^^location=henderi^^refererURL=https://mail.example.com/dminim/sse.gif?equ=turvelil#lor^^useragent=Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 
YaSearchBrowser/9.80^^department=ern^^user=unt^^event_id=volu^^clienttranstime=iineavo^^requestmethod=qua^^requestsize=6831^^requestversion=tenbyC^^status=xeacomm^^responsesize=6855^^responseversion=psu^^transactionsize=5856", - "event.timezone": "ET", - "file.type": "olu", - "fileset.name": "zia", - "host.name": "nos4114.api.lan", - "http.request.referrer": "https://mail.example.com/dminim/sse.gif?equ=turvelil#lor", - "input.type": "log", - "log.offset": 85726, - "network.bytes": 5856, - "network.protocol": "rdp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "nos4114.api.lan" - ], - "related.ip": [ - "10.198.84.190", - "10.31.58.6" - ], - "related.user": [ - "unt" - ], - "rsa.db.index": "sec", - "rsa.identity.user_dept": "ern", - "rsa.internal.data": "uianon", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "tquovo", - "rsa.misc.action": [ - "Allowed", - "qua" - ], - "rsa.misc.category": "ectet", - "rsa.misc.filter": "lites", - "rsa.misc.reference_id": "volu", - "rsa.misc.result": "success", - "rsa.misc.result_code": "xeacomm", - "rsa.network.alias_host": [ - "nos4114.api.lan" - ], - "rsa.threat.threat_category": "lapa", - "rsa.time.event_time": "2019-10-03T10:11:40.000Z", - "rsa.time.timezone": "ET", - "rsa.web.fqdn": "nos4114.api.lan", - "service.type": "zscaler", - "source.bytes": 6831, - "source.ip": "10.198.84.190", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "mail.example.net", - "url.extension": "gif", - "url.fragment": "ame", - "url.original": "https://mail.example.net/tseddoei/byCi.gif?assitas=nul#ame", - "url.path": "/tseddoei/byCi.gif", - "url.query": "assitas=nul", - "url.scheme": "https", - "user.name": "unt", - "user_agent.device.name": "Android", - "user_agent.name": "Chrome Mobile", 
- "user_agent.original": "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80", - "user_agent.os.full": "Android 5.1.1", - "user_agent.os.name": "Android", - "user_agent.os.version": "5.1.1", - "user_agent.version": "81.0.4044.138" - }, - { - "@timestamp": "2019-10-18T05:14:14.000Z", - "destination.bytes": 3128, - "destination.ip": "10.139.90.218", - "event.action": "Allowed", - "event.code": "umdol", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "ept ZSCALERNSS: time=nem Oct 18 3:14:14 2019^^timezone=ET^^action=Allowed^^reason=unknown^^hostname=oremeum4231.internal.host^^protocol=ipv6^^serverip=10.139.90.218^^url=https://www5.example.org/liquipe/rehe.gif?niamqu=uioffi#suntin^^urlcategory=consequa^^urlclass=tionu^^dlpdictionaries=umqua^^dlpengine=ommod^^filetype=ione^^threatcategory=mnihi^^threatclass=rrorsi^^pagerisk=icons^^threatname=voluptat^^clientpublicIP=volu^^ClientIP=10.131.81.172^^location=llamcor^^refererURL=https://mail.example.com/veri/run.txt?enimadm=empo#apa^^useragent=Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30^^department=icons^^user=hende^^event_id=umdol^^clienttranstime=Sedutper^^requestmethod=exe^^requestsize=6188^^requestversion=preh^^status=dol^^responsesize=3128^^responseversion=gnamal^^transactionsize=6119", - "event.timezone": "ET", - "file.type": "ione", - "fileset.name": "zia", - "host.name": "oremeum4231.internal.host", - "http.request.referrer": "https://mail.example.com/veri/run.txt?enimadm=empo#apa", - "input.type": "log", - "log.offset": 86632, - "network.bytes": 6119, - "network.protocol": "ipv6", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "oremeum4231.internal.host" - ], - "related.ip": [ - 
"10.131.81.172", - "10.139.90.218" - ], - "related.user": [ - "hende" - ], - "rsa.db.index": "tionu", - "rsa.identity.user_dept": "icons", - "rsa.internal.data": "ept", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Permit", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "rrorsi", - "rsa.misc.action": [ - "Allowed", - "exe" - ], - "rsa.misc.category": "mnihi", - "rsa.misc.filter": "consequa", - "rsa.misc.reference_id": "umdol", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "dol", - "rsa.network.alias_host": [ - "oremeum4231.internal.host" - ], - "rsa.threat.threat_category": "voluptat", - "rsa.time.event_time": "2019-10-18T05:14:14.000Z", - "rsa.time.timezone": "ET", - "rsa.web.fqdn": "oremeum4231.internal.host", - "service.type": "zscaler", - "source.bytes": 6188, - "source.ip": "10.131.81.172", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "www5.example.org", - "url.extension": "gif", - "url.fragment": "suntin", - "url.original": "https://www5.example.org/liquipe/rehe.gif?niamqu=uioffi#suntin", - "url.path": "/liquipe/rehe.gif", - "url.query": "niamqu=uioffi", - "url.scheme": "https", - "user.name": "hende", - "user_agent.device.name": "Samsung GT-P3100 ", - "user_agent.name": "Android", - "user_agent.original": "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30", - "user_agent.os.full": "Android 4.0.3", - "user_agent.os.name": "Android", - "user_agent.os.version": "4.0.3", - "user_agent.version": "4.0.3" - }, - { - "@timestamp": "2019-11-01T12:16:48.000Z", - "destination.bytes": 114, - "destination.ip": "10.128.43.71", - "event.action": "Blocked", - "event.code": "ssequa", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "utodit ZSCALERNSS: time=cer Nov 1 10:16:48 
2019^^timezone=PST^^action=Blocked^^reason=unknown^^hostname=ueip6097.api.host^^protocol=tcp^^serverip=10.128.43.71^^url=https://www.example.org/erit/asiarch.gif?tdolor=oremagna#siuta^^urlcategory=amnihil^^urlclass=nderit^^dlpdictionaries=ficia^^dlpengine=tru^^filetype=tionu^^threatcategory=natuser^^threatclass=olupt^^pagerisk=eprehe^^threatname=eetd^^clientpublicIP=tiumdo^^ClientIP=10.152.217.174^^location=litse^^refererURL=https://internal.example.com/nde/tNequepo.txt?end=ineavolu#ptate^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36^^department=nderitin^^user=mquiado^^event_id=ssequa^^clienttranstime=nisist^^requestmethod=temvele^^requestsize=7350^^requestversion=xeaco^^status=urm^^responsesize=114^^responseversion=porincid^^transactionsize=1150", - "event.timezone": "PST", - "file.type": "tionu", - "fileset.name": "zia", - "host.name": "ueip6097.api.host", - "http.request.referrer": "https://internal.example.com/nde/tNequepo.txt?end=ineavolu#ptate", - "input.type": "log", - "log.offset": 87518, - "network.bytes": 1150, - "network.protocol": "tcp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "ueip6097.api.host" - ], - "related.ip": [ - "10.128.43.71", - "10.152.217.174" - ], - "related.user": [ - "mquiado" - ], - "rsa.db.index": "nderit", - "rsa.identity.user_dept": "nderitin", - "rsa.internal.data": "utodit", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "olupt", - "rsa.misc.action": [ - "Blocked", - "temvele" - ], - "rsa.misc.category": "natuser", - "rsa.misc.filter": "amnihil", - "rsa.misc.reference_id": "ssequa", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "urm", - "rsa.network.alias_host": [ - "ueip6097.api.host" - ], 
- "rsa.threat.threat_category": "eetd", - "rsa.time.event_time": "2019-11-01T12:16:48.000Z", - "rsa.time.timezone": "PST", - "rsa.web.fqdn": "ueip6097.api.host", - "service.type": "zscaler", - "source.bytes": 7350, - "source.ip": "10.152.217.174", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "www.example.org", - "url.extension": "gif", - "url.fragment": "siuta", - "url.original": "https://www.example.org/erit/asiarch.gif?tdolor=oremagna#siuta", - "url.path": "/erit/asiarch.gif", - "url.query": "tdolor=oremagna", - "url.scheme": "https", - "user.name": "mquiado", - "user_agent.device.name": "Notepad_K10", - "user_agent.name": "Chrome", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "83.0.4103.83" - }, - { - "@timestamp": "2019-11-15T07:19:22.000Z", - "destination.bytes": 1046, - "destination.ip": "10.26.149.221", - "event.action": "Blocked", - "event.code": "umquidol", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "pici ZSCALERNSS: time=erit Nov 15 5:19:22 2019^^timezone=PT^^action=Blocked^^reason=success^^hostname=fugiatqu7793.www.localdomain^^protocol=ipv6-icmp^^serverip=10.26.149.221^^url=https://mail.example.org/maven/tectob.jpg?litsedd=mnis#ainci^^urlcategory=aturve^^urlclass=tiumdol^^dlpdictionaries=mporain^^dlpengine=secte^^filetype=dut^^threatcategory=aecons^^threatclass=tionemu^^pagerisk=edictasu^^threatname=quipexea^^clientpublicIP=orsit^^ClientIP=10.217.193.148^^location=tametco^^refererURL=https://api.example.com/lit/laborio.gif?mfug=acommod#mid^^useragent=Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile 
Safari/537.36^^department=oloremag^^user=uisa^^event_id=umquidol^^clienttranstime=isiutali^^requestmethod=rehe^^requestsize=3382^^requestversion=adminima^^status=ipex^^responsesize=1046^^responseversion=sitvolup^^transactionsize=387", - "event.timezone": "PT", - "file.type": "dut", - "fileset.name": "zia", - "host.name": "fugiatqu7793.www.localdomain", - "http.request.referrer": "https://api.example.com/lit/laborio.gif?mfug=acommod#mid", - "input.type": "log", - "log.offset": 88400, - "network.bytes": 387, - "network.protocol": "ipv6-icmp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "fugiatqu7793.www.localdomain" - ], - "related.ip": [ - "10.217.193.148", - "10.26.149.221" - ], - "related.user": [ - "uisa" - ], - "rsa.db.index": "tiumdol", - "rsa.identity.user_dept": "oloremag", - "rsa.internal.data": "pici", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "tionemu", - "rsa.misc.action": [ - "Blocked", - "rehe" - ], - "rsa.misc.category": "aecons", - "rsa.misc.filter": "aturve", - "rsa.misc.reference_id": "umquidol", - "rsa.misc.result": "success", - "rsa.misc.result_code": "ipex", - "rsa.network.alias_host": [ - "fugiatqu7793.www.localdomain" - ], - "rsa.threat.threat_category": "quipexea", - "rsa.time.event_time": "2019-11-15T07:19:22.000Z", - "rsa.time.timezone": "PT", - "rsa.web.fqdn": "fugiatqu7793.www.localdomain", - "service.type": "zscaler", - "source.bytes": 3382, - "source.ip": "10.217.193.148", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "mail.example.org", - "url.extension": "jpg", - "url.fragment": "ainci", - "url.original": "https://mail.example.org/maven/tectob.jpg?litsedd=mnis#ainci", - "url.path": "/maven/tectob.jpg", - "url.query": "litsedd=mnis", - "url.scheme": "https", - 
"user.name": "uisa", - "user_agent.device.name": "QMobile X700 PRO II", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "77.0.3865.92" - }, - { - "@timestamp": "2019-11-30T14:21:57.000Z", - "destination.bytes": 4053, - "destination.ip": "10.109.192.53", - "event.action": "Blocked", - "event.code": "rehen", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "agnamali ZSCALERNSS: time=ali Nov 30 12:21:57 2019^^timezone=CET^^action=Blocked^^reason=unknown^^hostname=onsequ3168.www.corp^^protocol=icmp^^serverip=10.109.192.53^^url=https://www.example.com/siarch/oloremi.htm?one=iduntutl#tNe^^urlcategory=scive^^urlclass=tcupi^^dlpdictionaries=essequam^^dlpengine=destla^^filetype=oluptat^^threatcategory=ita^^threatclass=temUte^^pagerisk=idest^^threatname=ostru^^clientpublicIP=ptassit^^ClientIP=10.172.17.6^^location=samvolup^^refererURL=https://www5.example.org/taspe/empori.txt?emporain=ovo#aeabillo^^useragent=Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90^^department=boriosa^^user=eprehen^^event_id=rehen^^clienttranstime=sitasp^^requestmethod=tassit^^requestsize=212^^requestversion=teir^^status=suntin^^responsesize=4053^^responseversion=upta^^transactionsize=1487", - "event.timezone": "CET", - "file.type": "oluptat", - "fileset.name": "zia", - "host.name": "onsequ3168.www.corp", - "http.request.referrer": "https://www5.example.org/taspe/empori.txt?emporain=ovo#aeabillo", - "input.type": "log", - "log.offset": 89317, - "network.bytes": 1487, - "network.protocol": "icmp", - "observer.product": "Internet", - "observer.type": "Configuration", 
- "observer.vendor": "Zscaler", - "related.hosts": [ - "onsequ3168.www.corp" - ], - "related.ip": [ - "10.109.192.53", - "10.172.17.6" - ], - "related.user": [ - "eprehen" - ], - "rsa.db.index": "tcupi", - "rsa.identity.user_dept": "boriosa", - "rsa.internal.data": "agnamali", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "temUte", - "rsa.misc.action": [ - "Blocked", - "tassit" - ], - "rsa.misc.category": "ita", - "rsa.misc.filter": "scive", - "rsa.misc.reference_id": "rehen", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "suntin", - "rsa.network.alias_host": [ - "onsequ3168.www.corp" - ], - "rsa.threat.threat_category": "ostru", - "rsa.time.event_time": "2019-11-30T14:21:57.000Z", - "rsa.time.timezone": "CET", - "rsa.web.fqdn": "onsequ3168.www.corp", - "service.type": "zscaler", - "source.bytes": 212, - "source.ip": "10.172.17.6", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "www.example.com", - "url.extension": "htm", - "url.fragment": "tNe", - "url.original": "https://www.example.com/siarch/oloremi.htm?one=iduntutl#tNe", - "url.path": "/siarch/oloremi.htm", - "url.query": "one=iduntutl", - "url.scheme": "https", - "user.name": "eprehen", - "user_agent.device.name": "U20", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90", - "user_agent.os.full": "Android 6.0", - "user_agent.os.name": "Android", - "user_agent.os.version": "6.0", - "user_agent.version": "44.0.2403.147" - }, - { - "@timestamp": "2019-12-14T09:24:31.000Z", - "destination.bytes": 391, - "destination.ip": "10.119.106.108", - "event.action": "Blocked", - "event.code": "iatisund", - "event.dataset": "zscaler.zia", - 
"event.module": "zscaler", - "event.original": "onevol ZSCALERNSS: time=llamco Dec 14 7:24:31 2019^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=oremquel3120.internal.localhost^^protocol=ggp^^serverip=10.119.106.108^^url=https://mail.example.com/ostr/liqu.txt?niam=mullamc#umtota^^urlcategory=ssecil^^urlclass=xplic^^dlpdictionaries=isn^^dlpengine=quepor^^filetype=Lor^^threatcategory=ten^^threatclass=exeacomm^^pagerisk=cusan^^threatname=oquisq^^clientpublicIP=olli^^ClientIP=10.135.38.213^^location=tiset^^refererURL=https://mail.example.net/erspici/xercitat.jpg?Exce=uae#tut^^useragent=Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61^^department=ser^^user=ore^^event_id=iatisund^^clienttranstime=ritquii^^requestmethod=volup^^requestsize=1902^^requestversion=orsi^^status=ull^^responsesize=391^^responseversion=dolorsi^^transactionsize=7745", - "event.timezone": "PT", - "file.type": "Lor", - "fileset.name": "zia", - "host.name": "oremquel3120.internal.localhost", - "http.request.referrer": "https://mail.example.net/erspici/xercitat.jpg?Exce=uae#tut", - "input.type": "log", - "log.offset": 90257, - "network.bytes": 7745, - "network.protocol": "ggp", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "oremquel3120.internal.localhost" - ], - "related.ip": [ - "10.119.106.108", - "10.135.38.213" - ], - "related.user": [ - "ore" - ], - "rsa.db.index": "xplic", - "rsa.identity.user_dept": "ser", - "rsa.internal.data": "onevol", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_activity": "Deny", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "exeacomm", - "rsa.misc.action": [ - "Blocked", - "volup" - ], - "rsa.misc.category": "ten", - "rsa.misc.filter": "ssecil", - 
"rsa.misc.reference_id": "iatisund", - "rsa.misc.result": "unknown", - "rsa.misc.result_code": "ull", - "rsa.network.alias_host": [ - "oremquel3120.internal.localhost" - ], - "rsa.threat.threat_category": "oquisq", - "rsa.time.event_time": "2019-12-14T09:24:31.000Z", - "rsa.time.timezone": "PT", - "rsa.web.fqdn": "oremquel3120.internal.localhost", - "service.type": "zscaler", - "source.bytes": 1902, - "source.ip": "10.135.38.213", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.domain": "mail.example.com", - "url.extension": "txt", - "url.fragment": "umtota", - "url.original": "https://mail.example.com/ostr/liqu.txt?niam=mullamc#umtota", - "url.path": "/ostr/liqu.txt", - "url.query": "niam=mullamc", - "url.scheme": "https", - "user.name": "ore", - "user_agent.device.name": "5024D_RU", - "user_agent.name": "Chrome Mobile", - "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", - "user_agent.os.full": "Android 9", - "user_agent.os.name": "Android", - "user_agent.os.version": "9", - "user_agent.version": "77.0.3865.92" - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/zscaler/zia/test/test.log b/x-pack/filebeat/module/zscaler/zia/test/test.log deleted file mode 100644 index f1502e48309..00000000000 --- a/x-pack/filebeat/module/zscaler/zia/test/test.log +++ /dev/null @@ -1 +0,0 @@ -hello ZSCALERNSS: time=WOOT Jun 23 15:16:42 2017^^timezone=CEST^^action=^^reason=^^hostname=^^protocol=^^serverip=^^url=^^urlcategory=^^urlclass=^^dlpdictionaries=^^dlpengine=^^filetype=^^threatcategory=^^threatclass=^^pagerisk=^^threatname=^^clientpublicIP=^^ClientIP=^^location=^^refererURL=^^useragent=^^department=^^user=^^event_id=^^clienttranstime=^^requestmethod=^^requestsize=^^requestversion=^^status=^^responsesize=^^responseversion=^^transactionsize= 
diff --git a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json deleted file mode 100644 index f8ce01de30d..00000000000 --- a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json +++ /dev/null 
@@ -1,60 +0,0 @@ -[ - { - "@timestamp": "2017-06-23T17:16:42.000Z", - "event.action": "", - "event.code": "", - "event.dataset": "zscaler.zia", - "event.module": "zscaler", - "event.original": "hello ZSCALERNSS: time=WOOT Jun 23 15:16:42 2017^^timezone=CEST^^action=^^reason=^^hostname=^^protocol=^^serverip=^^url=^^urlcategory=^^urlclass=^^dlpdictionaries=^^dlpengine=^^filetype=^^threatcategory=^^threatclass=^^pagerisk=^^threatname=^^clientpublicIP=^^ClientIP=^^location=^^refererURL=^^useragent=^^department=^^user=^^event_id=^^clienttranstime=^^requestmethod=^^requestsize=^^requestversion=^^status=^^responsesize=^^responseversion=^^transactionsize=", - "event.timezone": "CEST", - "file.type": "", - "fileset.name": "zia", - "host.name": "", - "http.request.referrer": "", - "input.type": "log", - "log.offset": 0, - "network.protocol": "", - "observer.product": "Internet", - "observer.type": "Configuration", - "observer.vendor": "Zscaler", - "related.hosts": [ - "" - ], - "related.user": [ - "" - ], - "rsa.db.index": "", - "rsa.identity.user_dept": "", - "rsa.internal.data": "hello", - "rsa.internal.messageid": "ZSCALERNSS_1", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Communication", - "rsa.investigations.event_vcat": "", - "rsa.misc.action": [ - "", - "" - ], - "rsa.misc.category": "", - "rsa.misc.filter": "", - "rsa.misc.reference_id": "", - "rsa.misc.result": "", - "rsa.misc.result_code": "", - "rsa.network.alias_host": [ - "" - ], - "rsa.threat.threat_category": "", - "rsa.time.event_time": "2017-06-23T17:16:42.000Z", - "rsa.time.timezone": "CEST", - "rsa.web.fqdn": "", - "service.type": "zscaler", - "tags": [ - "forwarded", - "zscaler.zia" - ], - "url.original": "", - "user.name": "", - "user_agent.device.name": "Other", - "user_agent.name": "Other", - "user_agent.original": "" - } -] \ No newline at end of file 
diff --git a/x-pack/filebeat/modules.d/zscaler.yml.disabled b/x-pack/filebeat/modules.d/zscaler.yml.disabled deleted file mode 100644 index 8ca0cea079c..00000000000 --- a/x-pack/filebeat/modules.d/zscaler.yml.disabled +++ /dev/null @@ -1,22 +0,0 @@ -# Module: zscaler -# Docs: https://www.elastic.co/guide/en/beats/filebeat/main/filebeat-module-zscaler.html - -- module: zscaler - zia: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9521 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local From aa5c5047fb86388de67b2cb095236586e0308e35 Mon Sep 17 00:00:00 2001 From: Panos Koutsovasilis Date: Thu, 15 Feb 2024 14:48:55 +0200 Subject: [PATCH 20/22] doc: update CHANGELOG-developer.next.asciidoc --- CHANGELOG-developer.next.asciidoc | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/CHANGELOG-developer.next.asciidoc b/CHANGELOG-developer.next.asciidoc index 14901ead1bc..91d20de100e 100644 --- a/CHANGELOG-developer.next.asciidoc +++ b/CHANGELOG-developer.next.asciidoc 
@@ -66,6 +66,31 @@ The list below covers the major changes between 7.0.0-rc2 and main only. - Rename `queue.Batch.ACK()` to `queue.Batch.Done()`. {pull}31903[31903] - `queue.ACKListener` has been removed. Queue configurations now accept an explicit callback function for ACK handling. {pull}35078[35078] - Split split httpmon out of x-pack/filebeat/input/internal/httplog. {pull}36385[36385] +- Removed deprecated ZScaler from Beats. Use the https://docs.elastic.co/integrations/zscaler_zia[Zscaler Internet Access] Elastic integration instead. {pull}38037[38037] +- Removed deprecated Tomcat from Beats. Use the https://docs.elastic.co/integrations/apache_tomcat[Apache Tomcat] Elastic integration instead. {pull}38037[38037] +- Removed deprecated Squid from Beats. See <> for migration options. {pull}38037[38037] +- Removed deprecated SonicWall from Beats. Use the https://docs.elastic.co/integrations/sonicwall[SonicWall Firewall] Elastic integration instead. {pull}38037[38037] +- Removed deprecated Sonicwall from Beats. Use the https://docs.elastic.co/integrations/sonicwall[SonicWall Firewall] Elastic integration instead. {pull}38037[38037] +- Removed deprecated Snort from Beats. Use the https://docs.elastic.co/integrations/snort[Snort] Elastic integration instead. {pull}38037[38037] +- Removed deprecated Radware from Beats. See <> for migration options. {pull}38037[38037] +- Removed deprecated Proofpoint from Beats. Use the https://docs.elastic.co/integrations/proofpoint_tap[Proofpoint TAP] Elastic integration instead. {pull}38037[38037] +- Removed deprecated Netscout from Beats. See <> for migration options. {pull}38037[38037] +- Removed deprecated Microsoft DHCP from Beats. Use the https://docs.elastic.co/integrations/microsoft_dhcp[Microsoft DHCP] Elastic integration instead. {pull}38037[38037] +- Removed deprecated Juniper Junos from Beats. Use the https://docs.elastic.co/integrations/juniper_srx[Juniper SRX] Elastic integration instead. 
{pull}38037[38037] +- Removed deprecated Juniper Netscreen from Beats. See <> for migration options. {pull}38037[38037] +- Removed deprecated Infoblox from Beats. Use the https://docs.elastic.co/integrations/infoblox_nios[Infoblox NIOS] Elastic integration instead. {pull}38037[38037] +- Removed deprecated Impreva from Beats. See <> for migration options. {pull}38037[38037] +- Removed deprecated Fortinet Client Endpoint from Beats. Use the https://docs.elastic.co/integrations/fortinet_forticlient[Fortinet FortiClient Logs] Elastic integration instead. {pull}38037[38037] +- Removed deprecated Fortinet Fortimail from Beats. Use the https://docs.elastic.co/integrations/fortinet_fortimail[Fortinet FortiMail] Elastic integration instead. {pull}38037[38037] +- Removed deprecated Fortinet Fortimanager from Beats. Use the https://docs.elastic.co/integrations/fortinet_fortimanager[Fortinet FortiManager Logs] Elastic integration instead. {pull}38037[38037] +- Removed deprecated F5 from Beats. Use the https://docs.elastic.co/integrations/f5_bigip[F5 BIG-IP] Elastic integration instead. {pull}38037[38037] +- Removed deprecated Cylance from Beats. See <> for migration options. {pull}38037[38037] +- Removed deprecated Cisco Meraki from Beats. Use the https://docs.elastic.co/integrations/cisco_meraki[Cisco Meraki] Elastic integration instead. {pull}38037[38037] +- Removed deprecated Cisco Nexus from Beats. Use the https://docs.elastic.co/integrations/cisco_nexus[Cisco Nexus] Elastic integration instead. {pull}38037[38037] +- Removed deprecated Bluecoat from Beats. See <> for migration options. {pull}38037[38037] +- Removed deprecated Barracuda from Beats. Use the https://docs.elastic.co/integrations/barracuda[Barracuda Web Application Firewall] Elastic integration instead. {pull}38037[38037] +- Removed deprecated Sophos UTM from Beats. Use the https://docs.elastic.co/integrations/sophos[Sophos] Elastic integration instead. {pull}38037[38037] + ==== Bugfixes 
From 59b1b3fcabeab54f606751cffe414157c72adf40 Mon Sep 17 00:00:00 2001 From: Taylor Swanson Date: Mon, 18 Mar 2024 07:51:31 -0500 Subject: [PATCH 21/22] Relocate changelog entries to CHANGELOG.next.asciidoc --- CHANGELOG-developer.next.asciidoc | 25 ------------------------- CHANGELOG.next.asciidoc | 25 ++++++++++++++++++++++++- 2 files changed, 24 insertions(+), 26 deletions(-) diff --git a/CHANGELOG-developer.next.asciidoc b/CHANGELOG-developer.next.asciidoc index 91d20de100e..14901ead1bc 100644 --- a/CHANGELOG-developer.next.asciidoc +++ b/CHANGELOG-developer.next.asciidoc 
@@ -66,31 +66,6 @@ The list below covers the major changes between 7.0.0-rc2 and main only. - Rename `queue.Batch.ACK()` to `queue.Batch.Done()`. {pull}31903[31903] - `queue.ACKListener` has been removed. Queue configurations now accept an explicit callback function for ACK handling. {pull}35078[35078] - Split split httpmon out of x-pack/filebeat/input/internal/httplog. {pull}36385[36385] -- Removed deprecated ZScaler from Beats. Use the https://docs.elastic.co/integrations/zscaler_zia[Zscaler Internet Access] Elastic integration instead. {pull}38037[38037] -- Removed deprecated Tomcat from Beats. Use the https://docs.elastic.co/integrations/apache_tomcat[Apache Tomcat] Elastic integration instead. {pull}38037[38037] -- Removed deprecated Squid from Beats. See <> for migration options. {pull}38037[38037] -- Removed deprecated SonicWall from Beats. Use the https://docs.elastic.co/integrations/sonicwall[SonicWall Firewall] Elastic integration instead. {pull}38037[38037] -- Removed deprecated Sonicwall from Beats. Use the https://docs.elastic.co/integrations/sonicwall[SonicWall Firewall] Elastic integration instead. {pull}38037[38037] -- Removed deprecated Snort from Beats. Use the https://docs.elastic.co/integrations/snort[Snort] Elastic integration instead. {pull}38037[38037] -- Removed deprecated Radware from Beats. See <> for migration options. {pull}38037[38037] -- Removed deprecated Proofpoint from Beats. Use the https://docs.elastic.co/integrations/proofpoint_tap[Proofpoint TAP] Elastic integration instead. {pull}38037[38037] -- Removed deprecated Netscout from Beats. See <> for migration options. {pull}38037[38037] -- Removed deprecated Microsoft DHCP from Beats. Use the https://docs.elastic.co/integrations/microsoft_dhcp[Microsoft DHCP] Elastic integration instead. {pull}38037[38037] -- Removed deprecated Juniper Junos from Beats. Use the https://docs.elastic.co/integrations/juniper_srx[Juniper SRX] Elastic integration instead. 
{pull}38037[38037] -- Removed deprecated Juniper Netscreen from Beats. See <> for migration options. {pull}38037[38037] -- Removed deprecated Infoblox from Beats. Use the https://docs.elastic.co/integrations/infoblox_nios[Infoblox NIOS] Elastic integration instead. {pull}38037[38037] -- Removed deprecated Impreva from Beats. See <> for migration options. {pull}38037[38037] -- Removed deprecated Fortinet Client Endpoint from Beats. Use the https://docs.elastic.co/integrations/fortinet_forticlient[Fortinet FortiClient Logs] Elastic integration instead. {pull}38037[38037] -- Removed deprecated Fortinet Fortimail from Beats. Use the https://docs.elastic.co/integrations/fortinet_fortimail[Fortinet FortiMail] Elastic integration instead. {pull}38037[38037] -- Removed deprecated Fortinet Fortimanager from Beats. Use the https://docs.elastic.co/integrations/fortinet_fortimanager[Fortinet FortiManager Logs] Elastic integration instead. {pull}38037[38037] -- Removed deprecated F5 from Beats. Use the https://docs.elastic.co/integrations/f5_bigip[F5 BIG-IP] Elastic integration instead. {pull}38037[38037] -- Removed deprecated Cylance from Beats. See <> for migration options. {pull}38037[38037] -- Removed deprecated Cisco Meraki from Beats. Use the https://docs.elastic.co/integrations/cisco_meraki[Cisco Meraki] Elastic integration instead. {pull}38037[38037] -- Removed deprecated Cisco Nexus from Beats. Use the https://docs.elastic.co/integrations/cisco_nexus[Cisco Nexus] Elastic integration instead. {pull}38037[38037] -- Removed deprecated Bluecoat from Beats. See <> for migration options. {pull}38037[38037] -- Removed deprecated Barracuda from Beats. Use the https://docs.elastic.co/integrations/barracuda[Barracuda Web Application Firewall] Elastic integration instead. {pull}38037[38037] -- Removed deprecated Sophos UTM from Beats. Use the https://docs.elastic.co/integrations/sophos[Sophos] Elastic integration instead. {pull}38037[38037] - ==== Bugfixes 
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 322348c98bd..458f6906a9f 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc 
@@ -27,7 +27,30 @@ fields added to events containing the Beats version. {pull}37553[37553] *Filebeat* - Convert netflow input to API v2 and disable event normalisation {pull}37901[37901] - +- Removed deprecated ZScaler from Beats. Use the https://docs.elastic.co/integrations/zscaler_zia[Zscaler Internet Access] Elastic integration instead. {pull}38037[38037] +- Removed deprecated Tomcat from Beats. Use the https://docs.elastic.co/integrations/apache_tomcat[Apache Tomcat] Elastic integration instead. {pull}38037[38037] +- Removed deprecated Squid from Beats. See <> for migration options. {pull}38037[38037] +- Removed deprecated SonicWall from Beats. Use the https://docs.elastic.co/integrations/sonicwall[SonicWall Firewall] Elastic integration instead. {pull}38037[38037] +- Removed deprecated Sonicwall from Beats. Use the https://docs.elastic.co/integrations/sonicwall[SonicWall Firewall] Elastic integration instead. {pull}38037[38037] +- Removed deprecated Snort from Beats. Use the https://docs.elastic.co/integrations/snort[Snort] Elastic integration instead. {pull}38037[38037] +- Removed deprecated Radware from Beats. See <> for migration options. {pull}38037[38037] +- Removed deprecated Proofpoint from Beats. Use the https://docs.elastic.co/integrations/proofpoint_tap[Proofpoint TAP] Elastic integration instead. {pull}38037[38037] +- Removed deprecated Netscout from Beats. See <> for migration options. {pull}38037[38037] +- Removed deprecated Microsoft DHCP from Beats. Use the https://docs.elastic.co/integrations/microsoft_dhcp[Microsoft DHCP] Elastic integration instead. {pull}38037[38037] +- Removed deprecated Juniper Junos from Beats. Use the https://docs.elastic.co/integrations/juniper_srx[Juniper SRX] Elastic integration instead. {pull}38037[38037] +- Removed deprecated Juniper Netscreen from Beats. See <> for migration options. {pull}38037[38037] +- Removed deprecated Infoblox from Beats. 
Use the https://docs.elastic.co/integrations/infoblox_nios[Infoblox NIOS] Elastic integration instead. {pull}38037[38037] +- Removed deprecated Impreva from Beats. See <> for migration options. {pull}38037[38037] +- Removed deprecated Fortinet Client Endpoint from Beats. Use the https://docs.elastic.co/integrations/fortinet_forticlient[Fortinet FortiClient Logs] Elastic integration instead. {pull}38037[38037] +- Removed deprecated Fortinet Fortimail from Beats. Use the https://docs.elastic.co/integrations/fortinet_fortimail[Fortinet FortiMail] Elastic integration instead. {pull}38037[38037] +- Removed deprecated Fortinet Fortimanager from Beats. Use the https://docs.elastic.co/integrations/fortinet_fortimanager[Fortinet FortiManager Logs] Elastic integration instead. {pull}38037[38037] +- Removed deprecated F5 from Beats. Use the https://docs.elastic.co/integrations/f5_bigip[F5 BIG-IP] Elastic integration instead. {pull}38037[38037] +- Removed deprecated Cylance from Beats. See <> for migration options. {pull}38037[38037] +- Removed deprecated Cisco Meraki from Beats. Use the https://docs.elastic.co/integrations/cisco_meraki[Cisco Meraki] Elastic integration instead. {pull}38037[38037] +- Removed deprecated Cisco Nexus from Beats. Use the https://docs.elastic.co/integrations/cisco_nexus[Cisco Nexus] Elastic integration instead. {pull}38037[38037] +- Removed deprecated Bluecoat from Beats. See <> for migration options. {pull}38037[38037] +- Removed deprecated Barracuda from Beats. Use the https://docs.elastic.co/integrations/barracuda[Barracuda Web Application Firewall] Elastic integration instead. {pull}38037[38037] +- Removed deprecated Sophos UTM from Beats. Use the https://docs.elastic.co/integrations/sophos[Sophos] Elastic integration instead. {pull}38037[38037] *Heartbeat* From 463934ec04f4c68ef5e885bd2743d72be36209a2 Mon Sep 17 00:00:00 2001 
From: Panos Koutsovasilis Date: Mon, 15 Apr 2024 16:19:06 +0300 Subject: [PATCH 22/22] fix: merge conflict errors
---
 x-pack/filebeat/include/list.go | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go
index 6e038f0afdd..fcca6f27de8 100644
--- a/x-pack/filebeat/include/list.go
+++ b/x-pack/filebeat/include/list.go
@@ -56,10 +56,6 @@ import (
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/zeek"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/zookeeper"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/zoom"
- _ "github.com/elastic/beats/v7/x-pack/filebeat/module/zscaler"
- _ "github.com/elastic/beats/v7/x-pack/filebeat/processors/add_nomad_metadata"
- _ "github.com/elastic/beats/v7/x-pack/filebeat/processors/aws_vpcflow"
- _ "github.com/elastic/beats/v7/x-pack/filebeat/processors/decode_cef"
 )
 
 // InitializeModules initialize all of the modules.
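Review bot: Besides the `zscaler` module import, this hunk also drops the blank imports of `processors/add_nomad_metadata`, `processors/aws_vpcflow` and `processors/decode_cef`, which the series (removal of deprecated modules) does not otherwise touch and the commit message ("merge conflict errors") does not explain. These `_` imports exist only for their init-time registration, so unless those three packages are deleted elsewhere in the series, x-pack Filebeat would presumably stop registering them and a configuration that relies on, for example, `decode_cef` to parse CEF syslog from security appliances would fail to load or lose its parsing. I would remove only the `zscaler` line and keep `_ "github.com/elastic/beats/v7/x-pack/filebeat/processors/add_nomad_metadata"`, `_ "github.com/elastic/beats/v7/x-pack/filebeat/processors/aws_vpcflow"` and `_ "github.com/elastic/beats/v7/x-pack/filebeat/processors/decode_cef"`. If dropping them is intentional, the commit message should say so and name the replacement.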